From 137e409c925c41b6c2d7a1f2dc26a6622e3f07c8 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 9 Jul 2025 07:33:54 +0000 Subject: [PATCH 001/505] Bring up docker containers for onprem and cloud --- .../cloud-envoy.yaml | 6 +++--- .../docker-compose.yaml | 19 +++++++++++++------ .../on-prem-envoy-custom-resolver.yaml | 12 ++++++------ 3 files changed, 22 insertions(+), 15 deletions(-) diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection_socket_interface/cloud-envoy.yaml index dfca37d4a5a43..2ae6d8c4bc924 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy.yaml @@ -8,7 +8,7 @@ static_resources: - name: rev_conn_api_listener address: socket_address: - address: 127.0.0.1 + address: 0.0.0.0 port_value: 9000 filter_chains: - filters: @@ -41,7 +41,7 @@ static_resources: - name: egress_listener address: socket_address: - address: 127.0.0.1 + address: 0.0.0.0 port_value: 8085 filter_chains: - filters: @@ -87,7 +87,7 @@ admin: access_log_path: "/dev/stdout" address: socket_address: - address: 127.0.0.1 + address: 0.0.0.0 port_value: 8878 layered_runtime: layers: diff --git a/examples/reverse_connection_socket_interface/docker-compose.yaml b/examples/reverse_connection_socket_interface/docker-compose.yaml index 8d3f9500fdef2..b57bad13b9b84 100644 --- a/examples/reverse_connection_socket_interface/docker-compose.yaml +++ b/examples/reverse_connection_socket_interface/docker-compose.yaml @@ -16,15 +16,19 @@ services: - ./on-prem-envoy-custom-resolver.yaml:/etc/on-prem-envoy.yaml command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: - - "8080:80" - - "9000:9000" - - "8889:8888" + # Admin interface + - "8888:8888" + # Reverse connection API listener + - "9001:9001" + # Ingress HTTP listener + - "6060:6060" extra_hosts: - "host.docker.internal:host-gateway" networks: - envoy-network depends_on: - xds-server + - on-prem-service on-prem-service: image: nginxdemos/hello:plain-text @@ -37,9 +41,12 @@ services: - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: - - "8081:80" - - "9001:9000" - - "8888:8888" + # Admin interface + - "8878:8878" + # Reverse connection API listener + - "9000:9000" + # Egress listener + - "8085:8085" networks: - envoy-network diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml index 71ec377b8885c..e85295ca55eb1 100644 --- a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml @@ -16,7 +16,7 @@ static_resources: - name: rev_conn_api_listener address: socket_address: - address: 127.0.0.1 + address: 0.0.0.0 port_value: 9001 filter_chains: - filters: @@ -41,7 +41,7 @@ static_resources: - name: ingress_http_listener address: socket_address: - address: 127.0.0.1 + address: 0.0.0.0 port_value: 6060 filter_chains: - filters: @@ -116,7 +116,7 @@ static_resources: - endpoint: address: socket_address: - address: 127.0.0.1 # Container name of cloud-envoy in docker-compose + address: cloud-envoy # Container name of cloud-envoy in docker-compose port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens # Backend HTTP service behind onprem which @@ -131,15 +131,15 @@ static_resources: - endpoint: address: socket_address: - address: 127.0.0.1 - port_value: 7070 + address: on-prem-service + port_value: 80 admin: access_log_path: "/dev/stdout" address: socket_address: protocol: TCP - address: 127.0.0.1 + address: 0.0.0.0 port_value: 8888 layered_runtime: From b93205dc6e65b1b6e442df5926d763bab4c3310e Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sun, 13 Jul 2025 00:29:46 +0000 Subject: [PATCH 002/505] Nits to make test work Signed-off-by: Basundhara Chakrabarty --- .../cloud-envoy.yaml | 2 +- .../docker-compose.yaml | 6 +- .../test_reverse_connections.py | 32 ++++++++++- .../reverse_tunnel_initiator.cc | 57 ++++++++++--------- .../reverse_tunnel/reverse_tunnel_initiator.h | 6 ++ 5 files changed, 70 insertions(+), 33 deletions(-) diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection_socket_interface/cloud-envoy.yaml index 2ae6d8c4bc924..a466695e707e3 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy.yaml @@ -88,7 +88,7 @@ admin: address: socket_address: address: 0.0.0.0 - port_value: 8878 + port_value: 8888 layered_runtime: layers: - name: layer diff --git a/examples/reverse_connection_socket_interface/docker-compose.yaml b/examples/reverse_connection_socket_interface/docker-compose.yaml index b57bad13b9b84..183448e22d5d6 100644 --- a/examples/reverse_connection_socket_interface/docker-compose.yaml +++ b/examples/reverse_connection_socket_interface/docker-compose.yaml @@ -19,7 +19,7 @@ services: # Admin interface - "8888:8888" # Reverse connection API listener - - "9001:9001" + - "9000:9000" # Ingress HTTP listener - "6060:6060" extra_hosts: @@ -42,9 +42,9 @@ services: command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface - - "8878:8878" + - "8889:8888" # Reverse connection API listener - - "9000:9000" + - "9001:9000" # Egress listener - "8085:8085" networks: diff --git a/examples/reverse_connection_socket_interface/test_reverse_connections.py b/examples/reverse_connection_socket_interface/test_reverse_connections.py index 56405e2d0240a..44351d639665b 100644 --- a/examples/reverse_connection_socket_interface/test_reverse_connections.py +++ b/examples/reverse_connection_socket_interface/test_reverse_connections.py @@ -35,10 +35,10 @@ 'cloud_config_file': os.path.join(os.path.dirname(os.path.abspath(__file__)), 'cloud-envoy.yaml'), # Ports - 'cloud_admin_port': 8888, + 'cloud_admin_port': 8889, 'cloud_api_port': 9001, - 'cloud_egress_port': 8081, - 'on_prem_admin_port': 8889, + 'cloud_egress_port': 8085, + 'on_prem_admin_port': 8888, 'xds_server_port': 18000, # Port for our xDS server # Container names @@ -329,6 +329,32 @@ def add_reverse_conn_listener_via_xds(self) -> bool: logger.error(f"Failed to add reverse_conn_listener via xDS: {e}") return False + def remove_reverse_conn_listener_via_xds(self) -> bool: + """Remove reverse_conn_listener via xDS.""" + logger.info("Removing reverse_conn_listener via xDS") + + try: + # Send request to xDS server running in Docker + import requests + response = requests.post( + f"http://localhost:{CONFIG['xds_server_port']}/remove_listener", + json={ + 'name': 'reverse_conn_listener' + }, + timeout=10 + ) + + if response.status_code == 200: + logger.info("✓ reverse_conn_listener removed via xDS") + return True + else: + logger.error(f"Failed to remove listener via xDS: {response.status_code}") + return False + + except Exception as e: + logger.error(f"Failed to remove reverse_conn_listener via xDS: {e}") + return False + def get_container_name(self, service_name: str) -> str: """Get the actual container name for a service, handling Docker Compose suffixes.""" try: diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 8c213cc912869..c9fbc0ba3ef6c 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -510,25 +510,30 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { config_.remote_clusters.size()); if (!listening_initiated_) { - // Create trigger mechanism on worker thread where TLS is available + + // Create trigger mechanism on worker thread where TLS is available. The + // listening_initiated_ ensures that this is done only once for a given + // ReverseConnectionIOHandle instance. + createTriggerMechanism(); if (!trigger_mechanism_) { - createTriggerMechanism(); - if (!trigger_mechanism_) { - ENVOY_LOG(error, - "Failed to create trigger mechanism - cannot proceed with reverse connections"); - return Api::SysCallIntResult{-1, ENODEV}; - } + // If the trigger mechanism is not created, the reverse connections workflow + // cannot proceed. + ENVOY_LOG(error, + "Reverse connections failed. Failed to create trigger mechanism"); + return Api::SysCallIntResult{-1, ENODEV}; + } - // CRITICAL: Replace the monitored FD with trigger mechanism's FD - // This must happen before any event registration - int trigger_fd = trigger_mechanism_->getMonitorFd(); - if (trigger_fd != -1) { - ENVOY_LOG(info, "Replacing monitored FD from {} to trigger FD {}", fd_, trigger_fd); - fd_ = trigger_fd; - } else { - ENVOY_LOG(warn, - "Trigger mechanism does not provide a monitor FD - using original socket FD"); - } + // Replace the monitored FD with trigger mechanism's FD. This ensures that + // the platform's event notification system (eg., EPOLL for linux) monitors the trigger + // mechanism's FD and wakes up accept() when data is available on the trigger mechanism + // FD. + int trigger_fd = trigger_mechanism_->getMonitorFd(); + if (trigger_fd != -1) { + ENVOY_LOG(info, "Replacing monitored FD from {} to trigger FD {}", fd_, trigger_fd); + fd_ = trigger_fd; + } else { + ENVOY_LOG(error, " Reverse connections failed. Trigger mechanism does not provide a monitor FD"); + return Api::SysCallIntResult{-1, ENODEV}; } // Create the retry timer on first use with thread-local dispatcher. The timer is reset @@ -539,18 +544,18 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { rev_conn_retry_timer_ = getThreadLocalDispatcher().createTimer([this]() -> void { ENVOY_LOG(debug, "Reverse connection timer triggered - checking all clusters for " "missing connections"); - // Safety check before maintenance + // Prevent use-after-free by checking if the dispatcher is still available. if (isThreadLocalDispatcherAvailable()) { maintainReverseConnections(); } else { - ENVOY_LOG(debug, "Skipping maintenance - dispatcher not available"); + ENVOY_LOG(error, "Reverse connections failed. Skipping maintenance - dispatcher not available"); } }); // Trigger the reverse connection workflow. The function will reset rev_conn_retry_timer_. maintainReverseConnections(); ENVOY_LOG(debug, "Created retry timer for periodic connection checks"); } else { - ENVOY_LOG(warn, "Cannot create retry timer - dispatcher not available"); + ENVOY_LOG(error, "Reverse connections failed. Cannot create retry timer - dispatcher not available"); } } catch (const std::exception& e) { ENVOY_LOG(error, "Exception creating retry timer: {}", e.what()); @@ -683,8 +688,10 @@ ReverseConnectionIOHandle::connect(Envoy::Network::Address::InstanceConstSharedP Api::IoCallUint64Result ReverseConnectionIOHandle::close() { ENVOY_LOG(debug, "ReverseConnectionIOHandle::close() - performing graceful shutdown"); - // Clean up original socket FD if it's different from the current fd_ - if (original_socket_fd_ != -1 && original_socket_fd_ != fd_) { + // Clean up original socket FD . fd_ is + // the FD of the trigger mechanism and should not be closed until the + // ReverseConnectionIOHandle is destroyed. + if (original_socket_fd_ != -1) { ENVOY_LOG(debug, "Closing original socket FD: {}", original_socket_fd_); ::close(original_socket_fd_); original_socket_fd_ = -1; @@ -1602,9 +1609,6 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const { - ENVOY_LOG(debug, "Creating reverse connection socket for cluster: {}", - config.remote_clusters.empty() ? "unknown" : config.remote_clusters[0].cluster_name); - // For stream sockets on IP addresses, create our reverse connection IOHandle. if (socket_type == Envoy::Network::Socket::Type::Stream && addr_type == Envoy::Network::Address::Type::Ip) { @@ -1626,7 +1630,8 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke } // Create ReverseConnectionIOHandle with cluster manager from context and scope - return std::make_unique(sock_fd, config, context_->clusterManager(), + return std::make_unique( + , config, context_->clusterManager(), *this, *scope_ptr); } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 91af5e23d9787..a2a93e1447ed7 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -417,6 +417,12 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // - Other Unix: pipe (fallback for compatibility) std::unique_ptr trigger_mechanism_; + // Track if trigger mechanism creation failed - prevents further reverse connection attempts + bool trigger_mechanism_failed_{false}; + + // Guard against multiple cleanup calls + bool cleanup_in_progress_{false}; + // Connection management : We store the established connections in a queue // and pop the last established connection when data is read on trigger_pipe_read_fd_ // to determine the connection that got established last. From 4db2872271ac9a757ba709239a60594e760b7133 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 14 Jul 2025 16:48:57 +0000 Subject: [PATCH 003/505] reverse conn cluster should get host for node_id and add logic to parse Host header Signed-off-by: Basundhara Chakrabarty --- .../v3/reverse_connection.proto | 4 + .../reverse_tunnel/reverse_tunnel_acceptor.cc | 89 ++++++++++------- .../reverse_tunnel/reverse_tunnel_acceptor.h | 12 ++- .../reverse_tunnel_initiator.cc | 4 +- .../reverse_tunnel/reverse_tunnel_initiator.h | 6 -- .../clusters/reverse_connection/BUILD | 3 + .../reverse_connection/reverse_connection.cc | 99 ++++++++++++++++++- .../reverse_connection/reverse_connection.h | 23 +++++ 8 files changed, 192 insertions(+), 48 deletions(-) diff --git a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto index 7583d211d4daa..6784031157c4a 100644 --- a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto +++ b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto @@ -26,4 +26,8 @@ message RevConClusterConfig { // Time interval after which envoy attempts to clean the stale host entries. google.protobuf.Duration cleanup_interval = 2 [(validate.rules).duration = {gt {}}]; + + // Suffix expected in the host header when envoy acts as a L4 proxy and deduces + // the cluster from the host header. + string proxy_host_suffix = 3; } \ No newline at end of file diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc index cbf8aef6da369..87d2e9ca5d665 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc @@ -96,7 +96,7 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, const Envoy::Network::SocketCreationOptions& options) const { ENVOY_LOG(debug, "ReverseTunnelAcceptor::socket() called with address: {}. Finding socket for " - "cluster/node: {}", + "node: {}", addr->asString(), addr->logicalName()); // For upstream reverse connections, we need to get the thread-local socket manager @@ -105,17 +105,17 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, if (tls_registry && tls_registry->socketManager()) { auto* socket_manager = tls_registry->socketManager(); - // Get the cluster ID from the address's logical name - std::string cluster_id = addr->logicalName(); - ENVOY_LOG(debug, "ReverseTunnelAcceptor: Using cluster ID from logicalName: {}", cluster_id); + // The address's logical name should already be the node ID + std::string node_id = addr->logicalName(); + ENVOY_LOG(debug, "ReverseTunnelAcceptor: Using node_id from logicalName: {}", node_id); - // Try to get a cached socket for the specific cluster - auto [socket, expects_proxy_protocol] = socket_manager->getConnectionSocket(cluster_id); + // Try to get a cached socket for the specific node + auto [socket, expects_proxy_protocol] = socket_manager->getConnectionSocket(node_id); if (socket) { - ENVOY_LOG(info, "Reusing cached reverse connection socket for cluster: {}", cluster_id); + ENVOY_LOG(info, "Reusing cached reverse connection socket for node: {}", node_id); // Create IOHandle that properly owns the socket using RAII auto io_handle = - std::make_unique(std::move(socket), cluster_id); + std::make_unique(std::move(socket), node_id); return io_handle; } } @@ -525,30 +525,18 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, } std::pair -UpstreamSocketManager::getConnectionSocket(const std::string& key) { - - ENVOY_LOG(debug, "UpstreamSocketManager: getConnectionSocket() called with key: {}", key); - // The key can be cluster_id or node_id. If any worker has a socket for the key, treat it as a - // cluster ID. Otherwise treat it as a node ID. - std::string node_id = key; - std::string actual_cluster_id = ""; - - // If we have sockets for this key as a cluster ID, treat it as a cluster - if (getNumberOfSocketsByCluster(key) > 0) { - actual_cluster_id = key; - auto cluster_nodes_it = cluster_to_node_map_.find(actual_cluster_id); - if (cluster_nodes_it != cluster_to_node_map_.end() && !cluster_nodes_it->second.empty()) { - // Pick a random node for the cluster - auto node_idx = random_generator_->random() % cluster_nodes_it->second.size(); - node_id = cluster_nodes_it->second[node_idx]; - } else { - ENVOY_LOG(debug, "UpstreamSocketManager: No nodes found for cluster: {}", actual_cluster_id); - return {nullptr, false}; - } +UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { + + ENVOY_LOG(debug, "UpstreamSocketManager: getConnectionSocket() called with node_id: {}", node_id); + + if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { + ENVOY_LOG(error, "UpstreamSocketManager: cluster -> node mapping changed for node: {}", node_id); + return {nullptr, false}; } - ENVOY_LOG(debug, "UpstreamSocketManager: Looking for socket with node: {} cluster: {}", node_id, - actual_cluster_id); + const std::string& cluster_id = node_to_cluster_map_[node_id]; + + ENVOY_LOG(debug, "UpstreamSocketManager: Looking for socket with node: {} cluster: {}", node_id, cluster_id); // Find first available socket for the node auto node_sockets_it = accepted_reverse_connections_.find(node_id); @@ -567,9 +555,8 @@ UpstreamSocketManager::getConnectionSocket(const std::string& key) { ENVOY_LOG(debug, "UpstreamSocketManager: Reverse conn socket with FD:{} connection key:{} found for " - "node: {} and " - "cluster: {}", - fd, remoteConnectionKey, node_id, actual_cluster_id); + "node: {} cluster: {}", + fd, remoteConnectionKey, node_id, cluster_id); fd_to_event_map_.erase(fd); fd_to_timer_map_.erase(fd); @@ -581,8 +568,8 @@ UpstreamSocketManager::getConnectionSocket(const std::string& key) { node_stats->reverse_conn_cx_idle_.dec(); node_stats->reverse_conn_cx_used_.inc(); - if (!actual_cluster_id.empty()) { - USMStats* cluster_stats = this->getStatsByCluster(actual_cluster_id); + if (!cluster_id.empty()) { + USMStats* cluster_stats = this->getStatsByCluster(cluster_id); cluster_stats->reverse_conn_cx_idle_.dec(); cluster_stats->reverse_conn_cx_used_.inc(); } @@ -667,6 +654,38 @@ absl::flat_hash_map UpstreamSocketManager::getSocketCountMa return cluster_stats; } +std::string UpstreamSocketManager::getNodeID(const std::string& key) { + ENVOY_LOG(debug, "UpstreamSocketManager: getNodeID() called with key: {}", key); + + // First check if the key exists as a cluster ID by checking global stats + // This ensures we check across all threads, not just the current thread + if (auto extension = getUpstreamExtension()) { + // Check if any thread has sockets for this cluster by looking at global stats + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", key); + auto& stats_store = extension->getStatsScope(); + auto& cluster_gauge = stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + + if (cluster_gauge.value() > 0) { + // Key is a cluster ID with active connections, find a node from this cluster + auto cluster_nodes_it = cluster_to_node_map_.find(key); + if (cluster_nodes_it != cluster_to_node_map_.end() && !cluster_nodes_it->second.empty()) { + // Return a random existing node from this cluster + auto node_idx = random_generator_->random() % cluster_nodes_it->second.size(); + std::string node_id = cluster_nodes_it->second[node_idx]; + ENVOY_LOG(debug, "UpstreamSocketManager: key '{}' is cluster ID with {} connections, returning random node: {}", + key, cluster_gauge.value(), node_id); + return node_id; + } + // If cluster has connections but no local mapping, assume key is a node ID + } + } + + // Key is not a cluster ID, has no connections, or has no local mapping + // Treat it as a node ID and return it directly + ENVOY_LOG(debug, "UpstreamSocketManager: key '{}' is node ID, returning as-is", key); + return key; +} + void UpstreamSocketManager::markSocketDead(const int fd) { ENVOY_LOG(debug, "UpstreamSocketManager: markSocketDead called for fd {}", fd); diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h index 98a361126186a..fb09d60a5f4f5 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h @@ -320,6 +320,12 @@ class ReverseTunnelAcceptorExtension void updateConnectionStatsRegistry(const std::string& node_id, const std::string& cluster_id, bool increment); + /** + * Get the stats scope for accessing global stats. + * @return reference to the stats scope. + */ + Stats::Scope& getStatsScope() const { return context_.scope(); } + private: Server::Configuration::ServerFactoryContext& context_; // Thread-local slot for storing the socket manager per worker thread. @@ -375,7 +381,7 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, * @param key the remote cluster ID/ node ID. * @return pair containing the connection socket and whether proxy protocol is expected. */ - std::pair getConnectionSocket(const std::string& key); + std::pair getConnectionSocket(const std::string& node_id); /** * @return the number of reverse connections for the given cluster id. @@ -463,6 +469,10 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, */ ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } + + // Get node ID from key (cluster ID or node ID) + std::string getNodeID(const std::string& key); + private: // Pointer to the thread local Dispatcher instance. Event::Dispatcher& dispatcher_; diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index c9fbc0ba3ef6c..b0e52e9311596 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -1631,8 +1631,8 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke // Create ReverseConnectionIOHandle with cluster manager from context and scope return std::make_unique( - , config, context_->clusterManager(), - *this, *scope_ptr); + sock_fd, config, context_->clusterManager(), + *this, *scope_ptr); } // Fall back to regular socket for non-stream or non-IP sockets diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index a2a93e1447ed7..91af5e23d9787 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -417,12 +417,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // - Other Unix: pipe (fallback for compatibility) std::unique_ptr trigger_mechanism_; - // Track if trigger mechanism creation failed - prevents further reverse connection attempts - bool trigger_mechanism_failed_{false}; - - // Guard against multiple cleanup calls - bool cleanup_in_progress_{false}; - // Connection management : We store the established connections in a queue // and pop the last established connection when data is read on trigger_pipe_read_fd_ // to determine the connection that got established last. diff --git a/source/extensions/clusters/reverse_connection/BUILD b/source/extensions/clusters/reverse_connection/BUILD index 0ece2a98ba07d..bbe8ef293e2d3 100644 --- a/source/extensions/clusters/reverse_connection/BUILD +++ b/source/extensions/clusters/reverse_connection/BUILD @@ -15,9 +15,12 @@ envoy_cc_extension( visibility = ["//visibility:public"], deps = [ "//envoy/upstream:cluster_factory_interface", + "//source/common/http:header_utility_lib", "//source/common/network:address_lib", "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:upstream_includes", + "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", + "//source/extensions/transport_sockets/raw_buffer:config", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/config/endpoint/v3:pkg_cc_proto", diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.cc b/source/extensions/clusters/reverse_connection/reverse_connection.cc index b2791024d54ad..fabeb685fcb16 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.cc +++ b/source/extensions/clusters/reverse_connection/reverse_connection.cc @@ -11,6 +11,7 @@ #include "envoy/config/endpoint/v3/endpoint_components.pb.h" #include "source/common/http/headers.h" +#include "source/common/http/header_utility.h" #include "source/common/network/address_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" @@ -21,6 +22,43 @@ namespace Envoy { namespace Extensions { namespace ReverseConnection { +namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; + +// The default host header envoy expects when acting as a L4 proxy is of the format +// ".tcpproxy.envoy.remote:". +const std::string default_proxy_host_suffix = "tcpproxy.envoy.remote"; + +absl::optional +RevConCluster::LoadBalancer::getUUIDFromHost(const Http::RequestHeaderMap& headers) { + const absl::string_view original_host = headers.getHostValue(); + ENVOY_LOG(debug, "Host header value: {}", original_host); + absl::string_view::size_type port_start = Http::HeaderUtility::getPortStart(original_host); + if (port_start == absl::string_view::npos) { + ENVOY_LOG(warn, "Port not found in host {}", original_host); + port_start = original_host.size(); + } else { + // Extract the port from the host header. + const absl::string_view port_str = original_host.substr(port_start + 1); + uint32_t port = 0; + if (!absl::SimpleAtoi(port_str, &port)) { + ENVOY_LOG(error, "Port {} is not valid", port_str); + return absl::nullopt; + } + } + // Extract the URI from the host header. + const absl::string_view host = original_host.substr(0, port_start); + const absl::string_view::size_type uuid_start = host.find('.'); + if (uuid_start == absl::string_view::npos || + host.substr(uuid_start + 1) != parent_->proxy_host_suffix_) { + ENVOY_LOG(error, + "Malformed host {} in host header {}. Expected: " + ".tcpproxy.envoy.remote:", + host, original_host); + return absl::nullopt; + } + return host.substr(0, uuid_start); +} + Upstream::HostSelectionResponse RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) { if (!context) { @@ -28,13 +66,15 @@ RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) return {nullptr}; } - // Check if host_id is already set for the upstream cluster. If it is, use + // First, Check if host_id is already set for the upstream cluster. If it is, use // that host_id. if (!parent_->default_host_id_.empty()) { return parent_->checkAndCreateHost(parent_->default_host_id_); } - // Check if downstream headers are present, if yes use it to get host_id. + // Second, Check for the presence of headers in RevConClusterConfig's http_header_names in + // the request context. In the absence of http_header_names in RevConClusterConfig, this + // checks for the presence of EnvoyDstNodeUUID and EnvoyDstClusterUUID headers by default. if (context->downstreamHeaders() == nullptr) { ENVOY_LOG(error, "Found empty downstream headers for a request over connection with ID: {}", *(context->downstreamConnection()->connectionInfoProvider().connectionID())); @@ -55,7 +95,29 @@ RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) ENVOY_LOG(debug, "Found no header match for incoming request"); return {nullptr}; } - return parent_->checkAndCreateHost(host_id); + + // Finally, check the Host header for the UUID. This is mandatory if neither the host_id + // nor any of the headers in RevConClusterConfig's http_header_names are set. + absl::optional uuid = getUUIDFromHost(*context->downstreamHeaders()); + if (!uuid.has_value()) { + ENVOY_LOG(error, "UUID not found in host header. Could not find host for request."); + return {nullptr}; + } + ENVOY_LOG(debug, "Found UUID in host header. Creating host with host_id: {}", uuid.value()); + return parent_->checkAndCreateHost(std::string(uuid.value())); + + // Get the SocketManager to resolve cluster ID to node ID + auto* socket_manager = parent_->getUpstreamSocketManager(); + if (!socket_manager) { + ENVOY_LOG(debug, "Socket manager not found"); + return {nullptr}; + } + + // Use SocketManager to resolve the key to a node ID + std::string node_id = socket_manager->getNodeID(host_id); + ENVOY_LOG(debug, "RevConCluster: Resolved key '{}' to node_id '{}'", host_id, node_id); + + return parent_->checkAndCreateHost(node_id); } Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::string host_id) { @@ -142,6 +204,30 @@ absl::string_view RevConCluster::getHostIdValue(const Http::RequestHeaderMap* re return absl::string_view(); } +BootstrapReverseConnection::UpstreamSocketManager* RevConCluster::getUpstreamSocketManager() const { + auto* upstream_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (!upstream_interface) { + ENVOY_LOG(debug, "Upstream reverse socket interface not found"); + return nullptr; + } + + auto* upstream_socket_interface = + dynamic_cast(upstream_interface); + if (!upstream_socket_interface) { + ENVOY_LOG(error, "Failed to cast to ReverseTunnelAcceptor"); + return nullptr; + } + + auto* tls_registry = upstream_socket_interface->getLocalRegistry(); + if (!tls_registry) { + ENVOY_LOG(error, "Thread local registry not found for upstream socket interface"); + return nullptr; + } + + return tls_registry->socketManager(); +} + RevConCluster::RevConCluster( const envoy::config::cluster::v3::Cluster& config, Upstream::ClusterFactoryContext& context, absl::Status& creation_status, @@ -154,6 +240,11 @@ RevConCluster::RevConCluster( default_host_id_ = Config::Metadata::metadataValue(&config.metadata(), "envoy.reverse_conn", "host_id") .string_value(); + if (rev_con_config.proxy_host_suffix().empty()) { + proxy_host_suffix_ = default_proxy_host_suffix; + } else { + proxy_host_suffix_ = rev_con_config.proxy_host_suffix(); + } // Parse HTTP header names. if (rev_con_config.http_header_names().size()) { for (const auto& header_name : rev_con_config.http_header_names()) { @@ -178,7 +269,7 @@ RevConClusterFactory::createClusterWithConfig( fmt::format("cluster: LB policy {} is not valid for Cluster type {}. Only " "'CLUSTER_PROVIDED' is allowed with cluster type 'REVERSE_CONNECTION'", envoy::config::cluster::v3::Cluster::LbPolicy_Name(cluster.lb_policy()), - envoy::config::cluster::v3::Cluster::DiscoveryType_Name(cluster.type()))); + cluster.cluster_type().name())); } if (cluster.has_load_assignment()) { diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index ea355b7b9e92a..6487429e9f331 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -18,6 +18,7 @@ #include "source/common/network/socket_interface.h" #include "source/common/upstream/cluster_factory_impl.h" #include "source/common/upstream/upstream_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "absl/status/statusor.h" @@ -25,6 +26,8 @@ namespace Envoy { namespace Extensions { namespace ReverseConnection { +namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; + /** * Custom address type that uses the UpstreamReverseSocketInterface. * This address will be used by RevConHost to ensure socket creation goes through @@ -137,8 +140,23 @@ class RevConCluster : public Upstream::ClusterImplBase { public: LoadBalancer(const std::shared_ptr& parent) : parent_(parent) {} + // Chooses a host to send a downstream request over to a reverse connection endpoint. + // A request intended for a reverse connection has to have either of the below set and are + // checked in the given order: + // 1. If the host_id is set, it is used for creating the host. + // 2. The request should have either of the HTTP headers given in the RevConClusterConfig's + // http_header_names set. If any of the headers are set, the first found header is used to + // create the host. + // 3. The Host header should be set to ".tcpproxy.envoy.remote:". This is + // mandatory if none of fields in 1. or 2. are set. The uuid is extracted from the host header + // and is used to create the host. Upstream::HostSelectionResponse chooseHost(Upstream::LoadBalancerContext* context) override; + + // Helper function to verify that the host header is of the format + // ".tcpproxy.envoy.remote:" and extract the uuid from the header. + absl::optional getUUIDFromHost(const Http::RequestHeaderMap& headers); + // Virtual functions that are not supported by our custom load-balancer. Upstream::HostConstSharedPtr peekAnotherHost(Upstream::LoadBalancerContext*) override { return nullptr; @@ -193,6 +211,9 @@ class RevConCluster : public Upstream::ClusterImplBase { // If such header is present, it return that header value. absl::string_view getHostIdValue(const Http::RequestHeaderMap* request_headers); + // Get the upstream socket manager from the thread-local registry + BootstrapReverseConnection::UpstreamSocketManager* getUpstreamSocketManager() const; + // No pre-initialize work needs to be completed by REVERSE CONNECTION cluster. void startPreInit() override { onPreInitComplete(); } @@ -203,6 +224,8 @@ class RevConCluster : public Upstream::ClusterImplBase { absl::Mutex host_map_lock_; absl::flat_hash_map host_map_; std::vector> http_header_names_; + // Host header suffix expected by envoy when acting as a L4 proxy. + std::string proxy_host_suffix_; friend class RevConClusterFactory; }; From 05473a01cfeb0477c48c0443538c889a987c3a67 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 15 Jul 2025 21:02:55 +0000 Subject: [PATCH 004/505] REVERSE_CONNECTION cluster should be able to parse SNI along with Host header Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection/reverse_connection.cc | 129 ++++++++++-------- .../reverse_connection/reverse_connection.h | 6 +- 2 files changed, 80 insertions(+), 55 deletions(-) diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.cc b/source/extensions/clusters/reverse_connection/reverse_connection.cc index fabeb685fcb16..36cc1bf7bb870 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.cc +++ b/source/extensions/clusters/reverse_connection/reverse_connection.cc @@ -59,74 +59,99 @@ RevConCluster::LoadBalancer::getUUIDFromHost(const Http::RequestHeaderMap& heade return host.substr(0, uuid_start); } -Upstream::HostSelectionResponse -RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) { - if (!context) { - ENVOY_LOG(debug, "Invalid downstream connection or invalid downstream request"); - return {nullptr}; +absl::optional +RevConCluster::LoadBalancer::getUUIDFromSNI(const Network::Connection* connection) { + if (connection == nullptr) { + ENVOY_LOG(debug, "Connection is null, cannot extract SNI"); + return absl::nullopt; } - // First, Check if host_id is already set for the upstream cluster. If it is, use - // that host_id. - if (!parent_->default_host_id_.empty()) { - return parent_->checkAndCreateHost(parent_->default_host_id_); + absl::string_view sni = connection->requestedServerName(); + ENVOY_LOG(debug, "SNI value: {}", sni); + + if (sni.empty()) { + ENVOY_LOG(debug, "Empty SNI value"); + return absl::nullopt; } + + // Extract the UUID from SNI. SNI format is expected to be ".tcpproxy.envoy.remote" + const absl::string_view::size_type uuid_start = sni.find('.'); + if (uuid_start == absl::string_view::npos || + sni.substr(uuid_start + 1) != parent_->proxy_host_suffix_) { + ENVOY_LOG(error, + "Malformed SNI {}. Expected: .tcpproxy.envoy.remote", + sni); + return absl::nullopt; + } + return sni.substr(0, uuid_start); +} - // Second, Check for the presence of headers in RevConClusterConfig's http_header_names in - // the request context. In the absence of http_header_names in RevConClusterConfig, this - // checks for the presence of EnvoyDstNodeUUID and EnvoyDstClusterUUID headers by default. - if (context->downstreamHeaders() == nullptr) { - ENVOY_LOG(error, "Found empty downstream headers for a request over connection with ID: {}", - *(context->downstreamConnection()->connectionInfoProvider().connectionID())); +Upstream::HostSelectionResponse +RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) { + if (context == nullptr) { + ENVOY_LOG(error, "RevConCluster::LoadBalancer::chooseHost called with null context"); return {nullptr}; } - // EnvoyDstClusterUUID is mandatory in each request. If this header is not - // present, we will issue a malformed request error message. - Http::HeaderMap::GetResult header_result = - context->downstreamHeaders()->get(Http::Headers::get().EnvoyDstClusterUUID); - if (header_result.empty()) { - ENVOY_LOG(error, "{} header not found in request context", - Http::Headers::get().EnvoyDstClusterUUID.get()); + // If downstream headers are not present, host ID cannot be obtained. + if (context->downstreamHeaders() == nullptr) { + if (context->downstreamConnection() == nullptr) { + ENVOY_LOG(error, "Found empty downstream headers and null downstream connection"); + } else { + ENVOY_LOG(error, "Found empty downstream headers for a request over connection with ID: {}", + *(context->downstreamConnection()->connectionInfoProvider().connectionID())); + } return {nullptr}; } + + // First, Check for the presence of headers in RevConClusterConfig's http_header_names in + // the request context. In the absence of http_header_names in RevConClusterConfig, this + // checks for the presence of EnvoyDstNodeUUID and EnvoyDstClusterUUID headers by default. const std::string host_id = std::string(parent_->getHostIdValue(context->downstreamHeaders())); - if (host_id.empty()) { - ENVOY_LOG(debug, "Found no header match for incoming request"); - return {nullptr}; + if (!host_id.empty()) { + ENVOY_LOG(debug, "Found header match. Creating host with host_id: {}", host_id); + return parent_->checkAndCreateHost(host_id); } - // Finally, check the Host header for the UUID. This is mandatory if neither the host_id - // nor any of the headers in RevConClusterConfig's http_header_names are set. + // Second, check the Host header for the UUID. absl::optional uuid = getUUIDFromHost(*context->downstreamHeaders()); - if (!uuid.has_value()) { - ENVOY_LOG(error, "UUID not found in host header. Could not find host for request."); - return {nullptr}; + if (uuid.has_value()) { + ENVOY_LOG(debug, "Found UUID in host header. Creating host with host_id: {}", uuid.value()); + return parent_->checkAndCreateHost(std::string(uuid.value())); } - ENVOY_LOG(debug, "Found UUID in host header. Creating host with host_id: {}", uuid.value()); - return parent_->checkAndCreateHost(std::string(uuid.value())); - + + // Third, check SNI (Server Name Indication) for the UUID if available. + if (context->downstreamConnection() != nullptr) { + absl::optional sni_uuid = getUUIDFromSNI(context->downstreamConnection()); + if (sni_uuid.has_value()) { + ENVOY_LOG(debug, "Found UUID in SNI. Creating host with host_id: {}", sni_uuid.value()); + return parent_->checkAndCreateHost(std::string(sni_uuid.value())); + } + } + + ENVOY_LOG(error, "UUID not found in host header or SNI. Could not find host for request."); + return {nullptr}; +} + +Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::string host_id) { + // Get the SocketManager to resolve cluster ID to node ID - auto* socket_manager = parent_->getUpstreamSocketManager(); - if (!socket_manager) { - ENVOY_LOG(debug, "Socket manager not found"); + auto* socket_manager = getUpstreamSocketManager(); + if (socket_manager == nullptr) { + ENVOY_LOG(error, "Socket manager not found"); return {nullptr}; } // Use SocketManager to resolve the key to a node ID std::string node_id = socket_manager->getNodeID(host_id); ENVOY_LOG(debug, "RevConCluster: Resolved key '{}' to node_id '{}'", host_id, node_id); - - return parent_->checkAndCreateHost(node_id); -} -Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::string host_id) { host_map_lock_.ReaderLock(); - // Check if host_id is already present in host_map_ or not. This ensures, + // Check if node_id is already present in host_map_ or not. This ensures, // that envoy reuses a conn_pool_container for an endpoint. - auto host_itr = host_map_.find(host_id); + auto host_itr = host_map_.find(node_id); if (host_itr != host_map_.end()) { - ENVOY_LOG(debug, "Found an existing host for {}.", host_id); + ENVOY_LOG(debug, "Found an existing host for {}.", node_id); Upstream::HostSharedPtr host = host_itr->second; host_map_lock_.ReaderUnlock(); return {host}; @@ -137,29 +162,28 @@ Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::str // Create a custom address that uses the UpstreamReverseSocketInterface Network::Address::InstanceConstSharedPtr host_address( - std::make_shared(host_id)); + std::make_shared(node_id)); // Create a standard HostImpl using the custom address auto host_result = Upstream::HostImpl::create( - info(), absl::StrCat(info()->name(), static_cast(host_id)), + info(), absl::StrCat(info()->name(), static_cast(node_id)), std::move(host_address), nullptr /* endpoint_metadata */, nullptr /* locality_metadata */, 1 /* initial_weight */, envoy::config::core::v3::Locality().default_instance(), envoy::config::endpoint::v3::Endpoint::HealthCheckConfig().default_instance(), 0 /* priority */, envoy::config::core::v3::UNKNOWN); if (!host_result.ok()) { - ENVOY_LOG(error, "Failed to create HostImpl for {}: {}", host_id, + ENVOY_LOG(error, "Failed to create HostImpl for {}: {}", node_id, host_result.status().ToString()); return {nullptr}; } // Convert unique_ptr to shared_ptr Upstream::HostSharedPtr host(std::move(host_result.value())); - // host->setHostId(host_id); ENVOY_LOG(trace, "Created a HostImpl {} for {} that will use UpstreamReverseSocketInterface.", - *host, host_id); + *host, node_id); - host_map_[host_id] = host; + host_map_[node_id] = host; return {host}; } @@ -207,8 +231,8 @@ absl::string_view RevConCluster::getHostIdValue(const Http::RequestHeaderMap* re BootstrapReverseConnection::UpstreamSocketManager* RevConCluster::getUpstreamSocketManager() const { auto* upstream_interface = Network::socketInterface( "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); - if (!upstream_interface) { - ENVOY_LOG(debug, "Upstream reverse socket interface not found"); + if (upstream_interface == nullptr) { + ENVOY_LOG(error, "Upstream reverse socket interface not found"); return nullptr; } @@ -237,9 +261,6 @@ RevConCluster::RevConCluster( cleanup_interval_(std::chrono::milliseconds( PROTOBUF_GET_MS_OR_DEFAULT(rev_con_config, cleanup_interval, 10000))), cleanup_timer_(dispatcher_.createTimer([this]() -> void { cleanup(); })) { - default_host_id_ = - Config::Metadata::metadataValue(&config.metadata(), "envoy.reverse_conn", "host_id") - .string_value(); if (rev_con_config.proxy_host_suffix().empty()) { proxy_host_suffix_ = default_proxy_host_suffix; } else { diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index 6487429e9f331..a56d3694a3d2d 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -157,6 +157,10 @@ class RevConCluster : public Upstream::ClusterImplBase { // ".tcpproxy.envoy.remote:" and extract the uuid from the header. absl::optional getUUIDFromHost(const Http::RequestHeaderMap& headers); + // Helper function to extract UUID from SNI (Server Name Indication) if it follows the format + // ".tcpproxy.envoy.remote". + absl::optional getUUIDFromSNI(const Network::Connection* connection); + // Virtual functions that are not supported by our custom load-balancer. Upstream::HostConstSharedPtr peekAnotherHost(Upstream::LoadBalancerContext*) override { return nullptr; @@ -219,7 +223,6 @@ class RevConCluster : public Upstream::ClusterImplBase { Event::Dispatcher& dispatcher_; std::chrono::milliseconds cleanup_interval_; - std::string default_host_id_; Event::TimerPtr cleanup_timer_; absl::Mutex host_map_lock_; absl::flat_hash_map host_map_; @@ -238,6 +241,7 @@ class RevConClusterFactory RevConClusterFactory() : ConfigurableClusterFactoryBase("envoy.clusters.reverse_connection") {} private: + friend class ReverseConnectionClusterTest; absl::StatusOr< std::pair> createClusterWithConfig( From acbba6450497db660ce878655cf9a44d74fcde02 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 15 Jul 2025 21:03:37 +0000 Subject: [PATCH 005/505] Backup config files to build envoy locally Signed-off-by: Basundhara Chakrabarty --- .../cloud-envoy.yaml | 102 ++++++++++++ .../on-prem-envoy-custom-resolver.yaml | 149 ++++++++++++++++++ 2 files changed, 251 insertions(+) create mode 100644 examples/reverse_connection_macos_config/cloud-envoy.yaml create mode 100644 examples/reverse_connection_macos_config/on-prem-envoy-custom-resolver.yaml diff --git a/examples/reverse_connection_macos_config/cloud-envoy.yaml b/examples/reverse_connection_macos_config/cloud-envoy.yaml new file mode 100644 index 0000000000000..dfca37d4a5a43 --- /dev/null +++ b/examples/reverse_connection_macos_config/cloud-envoy.yaml @@ -0,0 +1,102 @@ +--- +node: + id: cloud-node + cluster: cloud +static_resources: + listeners: + # Services reverse conn APIs + - name: rev_conn_api_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: rev_conn_api + # Any dummy route config works + route_config: + virtual_hosts: + - name: rev_conn_api_route + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: reverse_connection_cluster + http_filters: + # Filter that services reverse conn APIs + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 30 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Listener that will route the downstream request to the reverse connection cluster + - name: egress_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8085 + filter_chains: + - filters: + - name: envoy.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: egress_http + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: "/on_prem_service" + route: + cluster: reverse_connection_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + # Cluster used to write requests to cached sockets + clusters: + - name: reverse_connection_cluster + connect_timeout: 200s + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + # The following headers are expected in downstream requests + # to be sent over reverse connections + http_header_names: + - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node + - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + # Right the moment, reverse connections are supported over HTTP/2 only + http2_protocol_options: {} +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + address: 127.0.0.1 + port_value: 8878 +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 +# Enable reverse connection bootstrap extension +bootstrap_extensions: +- name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" \ No newline at end of file diff --git a/examples/reverse_connection_macos_config/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection_macos_config/on-prem-envoy-custom-resolver.yaml new file mode 100644 index 0000000000000..71ec377b8885c --- /dev/null +++ b/examples/reverse_connection_macos_config/on-prem-envoy-custom-resolver.yaml @@ -0,0 +1,149 @@ +--- +node: + id: on-prem-node + cluster: on-prem + +# Enable reverse connection bootstrap extension which registers the custom resolver +bootstrap_extensions: +- name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + +static_resources: + listeners: + # Services reverse conn APIs + - name: rev_conn_api_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 9001 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: rev_conn_api + codec_type: AUTO + route_config: + name: rev_conn_api_route + virtual_hosts: [] + http_filters: + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 30 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Forwards incoming http requests to backend + - name: ingress_http_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 6060 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: ingress_http_route + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: on-prem-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Initiates reverse connections to cloud using custom resolver + - name: reverse_conn_listener + listener_filters_timeout: 0s + listener_filters: + # Filter that responds to keepalives on reverse connection sockets + - name: envoy.filters.listener.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + ping_wait_timeout: 120 + # Use custom address with reverse connection metadata encoded in URL format + address: + socket_address: + # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem + # and remote clusters: cloud with 1 connection + address: "rc://on-prem-node:on-prem:on-prem@cloud:10" + port_value: 0 + # Use custom resolver that can parse reverse connection metadata + resolver_name: "envoy.resolvers.reverse_connection" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_conn_listener + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: on-prem-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Cluster designating cloud-envoy + clusters: + - name: cloud + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: cloud + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 # Container name of cloud-envoy in docker-compose + port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens + + # Backend HTTP service behind onprem which + # we will access via reverse connections + - name: on-prem-service + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: on-prem-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 7070 + +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8888 + +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 \ No newline at end of file From 66c4cb5a77784b5042a5dedb18f76108b9194262 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 15 Jul 2025 21:04:16 +0000 Subject: [PATCH 006/505] WIP: Reverse connection cluster test Signed-off-by: Basundhara Chakrabarty --- .../clusters/reverse_connection/BUILD | 35 + .../reverse_connection_cluster_test.cc | 754 ++++++++++++++++++ 2 files changed, 789 insertions(+) create mode 100644 test/extensions/clusters/reverse_connection/BUILD create mode 100644 test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc diff --git a/test/extensions/clusters/reverse_connection/BUILD b/test/extensions/clusters/reverse_connection/BUILD new file mode 100644 index 0000000000000..500bc29a6cf38 --- /dev/null +++ b/test/extensions/clusters/reverse_connection/BUILD @@ -0,0 +1,35 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_mock", + "envoy_cc_test", + "envoy_package", +) + +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_test( + name = "reverse_connection_cluster_test", + srcs = ["reverse_connection_cluster_test.cc"], + deps = [ + "//envoy/registry", + "//source/extensions/clusters/reverse_connection:reverse_connection_lib", + "//source/extensions/load_balancing_policies/cluster_provided:config", + "//test/common/upstream:utility_lib", + "//test/test_common:registry_lib", + "//test/mocks/protobuf:protobuf_mocks", + "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:admin_mocks", + "//test/mocks/server:instance_mocks", + "//test/mocks/ssl:ssl_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/upstream:cluster_manager_mocks", + "//test/test_common:utility_lib", + ], +) \ No newline at end of file diff --git a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc new file mode 100644 index 0000000000000..fe37cd07166a4 --- /dev/null +++ b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc @@ -0,0 +1,754 @@ +#include +#include +#include +#include + +#include "envoy/common/callback.h" +#include "envoy/config/cluster/v3/cluster.pb.h" +#include "envoy/extensions/clusters/reverse_connection/v3/reverse_connection.pb.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" + +#include "source/common/config/utility.h" +#include "source/common/http/headers.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/singleton/manager_impl.h" +#include "source/common/upstream/upstream_impl.h" +#include "source/extensions/clusters/reverse_connection/reverse_connection.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/transport_sockets/raw_buffer/config.h" +#include "source/server/transport_socket_config_impl.h" + +#include "test/common/upstream/utility.h" +#include "test/mocks/common.h" +#include "test/mocks/network/mocks.h" +#include "test/mocks/protobuf/mocks.h" +#include "test/mocks/runtime/mocks.h" +#include "test/mocks/server/admin.h" +#include "test/mocks/server/instance.h" +#include "test/mocks/ssl/mocks.h" +#include "test/mocks/upstream/cluster_manager.h" +#include "test/test_common/registry.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace ReverseConnection { + +// Test socket manager that provides predictable getNodeID behavior +class TestUpstreamSocketManager : public BootstrapReverseConnection::UpstreamSocketManager { +public: + TestUpstreamSocketManager(Event::Dispatcher& dispatcher, Stats::Scope& scope) + : BootstrapReverseConnection::UpstreamSocketManager(dispatcher, scope, nullptr) { + std::cout << "TestUpstreamSocketManager: Constructor called" << std::endl; + } + + // This hides the base class's getNodeID method + std::string getNodeID(const std::string& key) { + std::cout << "TestUpstreamSocketManager::getNodeID() called with key: " << key << std::endl; + std::string result = "test-node-" + key; + std::cout << "TestUpstreamSocketManager::getNodeID() returning: " << result << std::endl; + return result; + } +}; + +// Test thread local registry that provides our test socket manager +class TestUpstreamSocketThreadLocal : public BootstrapReverseConnection::UpstreamSocketThreadLocal { +public: + TestUpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, Stats::Scope& scope) + : BootstrapReverseConnection::UpstreamSocketThreadLocal(dispatcher, scope, nullptr), + test_socket_manager_(dispatcher, scope) { + std::cout << "TestUpstreamSocketThreadLocal: Constructor called" << std::endl; + } + + // Override both const and non-const versions of socketManager + BootstrapReverseConnection::UpstreamSocketManager* socketManager() { + std::cout << "TestUpstreamSocketThreadLocal::socketManager() (non-const) called" << std::endl; + std::cout << "TestUpstreamSocketThreadLocal::socketManager() returning: " << &test_socket_manager_ << std::endl; + return &test_socket_manager_; + } + + const BootstrapReverseConnection::UpstreamSocketManager* socketManager() const { + std::cout << "TestUpstreamSocketThreadLocal::socketManager() (const) called" << std::endl; + std::cout << "TestUpstreamSocketThreadLocal::socketManager() returning: " << &test_socket_manager_ << std::endl; + return &test_socket_manager_; + } + +private: + TestUpstreamSocketManager test_socket_manager_; +}; + +// Forward declaration +class TestReverseTunnelAcceptor; + +// Simple test extension that just returns our registry +class SimpleTestExtension { +public: + SimpleTestExtension(TestUpstreamSocketThreadLocal& registry) : test_registry_(registry) {} + + BootstrapReverseConnection::UpstreamSocketThreadLocal* getLocalRegistry() const { + std::cout << "SimpleTestExtension::getLocalRegistry() called" << std::endl; + return &test_registry_; + } + +private: + TestUpstreamSocketThreadLocal& test_registry_; +}; + +// Test reverse tunnel acceptor that returns our test registry +class TestReverseTunnelAcceptor : public BootstrapReverseConnection::ReverseTunnelAcceptor { +public: + TestReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) + : BootstrapReverseConnection::ReverseTunnelAcceptor(context), + test_registry_(context.mainThreadDispatcher(), context.scope()), + simple_extension_(test_registry_) { + std::cout << "TestReverseTunnelAcceptor: Constructor called" << std::endl; + + // This is a hack: we'll reinterpret_cast our simple extension to fool the type system + // This is unsafe but should work for testing since we only call getLocalRegistry() + extension_ = reinterpret_cast(&simple_extension_); + std::cout << "TestReverseTunnelAcceptor: extension_ set to: " << extension_ << std::endl; + } + + // Override the name to ensure it matches what the test expects + std::string name() const override { + return "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"; + } + +private: + mutable TestUpstreamSocketThreadLocal test_registry_; + SimpleTestExtension simple_extension_; +}; + +class TestLoadBalancerContext : public Upstream::LoadBalancerContextBase { +public: + TestLoadBalancerContext(const Network::Connection* connection) + : TestLoadBalancerContext(connection, nullptr) {} + TestLoadBalancerContext(const Network::Connection* connection, + StreamInfo::StreamInfo* request_stream_info) + : connection_(connection), request_stream_info_(request_stream_info) {} + TestLoadBalancerContext(const Network::Connection* connection, const std::string& key, + const std::string& value) + : TestLoadBalancerContext(connection) { + downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{{key, value}}}; + } + + // Upstream::LoadBalancerContext + absl::optional computeHashKey() override { return 0; } + const Network::Connection* downstreamConnection() const override { return connection_; } + StreamInfo::StreamInfo* requestStreamInfo() const override { return request_stream_info_; } + const Http::RequestHeaderMap* downstreamHeaders() const override { + return downstream_headers_.get(); + } + + absl::optional hash_key_; + const Network::Connection* connection_; + StreamInfo::StreamInfo* request_stream_info_; + Http::RequestHeaderMapPtr downstream_headers_; +}; + +class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, public testing::Test { +public: + ReverseConnectionClusterTest() { + // // Create our test acceptor FIRST + // test_acceptor_ = std::make_unique(server_context_); + + // // Inject our test acceptor as a BootstrapExtensionFactory (which is what socketInterface() looks for) + // factory_injection_ = std::make_unique>(*test_acceptor_); + + // // Print all registered factories for debugging AFTER injection + // printRegisteredFactories(); + } + + ~ReverseConnectionClusterTest() override = default; + + void printRegisteredFactories() { + std::cout << "=== Registered Bootstrap Extension Factories ===" << std::endl; + for (const auto& ext : Envoy::Registry::FactoryCategoryRegistry::registeredFactories()) { + if (ext.first == "envoy.bootstrap") { + std::cout << "Category: " << ext.first << std::endl; + for (const auto& name : ext.second->registeredNames()) { + std::cout << " - " << name << std::endl; + } + } + } + + std::cout << "=== Registered Socket Interface Factories ===" << std::endl; + auto& socket_factories = Registry::FactoryRegistry::factories(); + for (const auto& [name, factory] : socket_factories) { + std::cout << " - " << name << " (ptr: " << factory << ")" << std::endl; + } + + std::cout << "=== Testing socketInterface lookup ===" << std::endl; + + // Check what's in the BootstrapExtensionFactory registry + std::cout << "Checking BootstrapExtensionFactory registry:" << std::endl; + auto* factory = Registry::FactoryRegistry::getFactory( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + std::cout << "Factory from registry: " << factory << std::endl; + std::cout << "Our test acceptor: " << test_acceptor_.get() << std::endl; + + auto* found = Network::socketInterface("envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + std::cout << "Found socket interface: " << (found ? "YES" : "NO") << std::endl; + if (found) { + std::cout << "Socket interface ptr: " << found << std::endl; + std::cout << "Our test acceptor ptr: " << test_acceptor_.get() << std::endl; + + // Test the dynamic_cast + auto* cast_result = dynamic_cast(found); + std::cout << "Dynamic cast result: " << cast_result << std::endl; + if (cast_result) { + std::cout << "Cast succeeded, calling getLocalRegistry()" << std::endl; + auto* registry = cast_result->getLocalRegistry(); + std::cout << "getLocalRegistry() returned: " << registry << std::endl; + } else { + std::cout << "Cast failed!" << std::endl; + } + } + } + + void setupFromYaml(const std::string& yaml, bool expect_success = true) { + if (expect_success) { + cleanup_timer_ = new Event::MockTimer(&server_context_.dispatcher_); + EXPECT_CALL(*cleanup_timer_, enableTimer(_, _)); + } + setup(Upstream::parseClusterFromV3Yaml(yaml)); + } + + void setup(const envoy::config::cluster::v3::Cluster& cluster_config) { + + Envoy::Upstream::ClusterFactoryContextImpl factory_context(server_context_, nullptr, nullptr, + false); + + RevConClusterFactory factory; + + // Parse the RevConClusterConfig from the cluster's typed_config + envoy::extensions::clusters::reverse_connection::v3::RevConClusterConfig rev_con_config; + THROW_IF_NOT_OK(Config::Utility::translateOpaqueConfig( + cluster_config.cluster_type().typed_config(), + validation_visitor_, + rev_con_config)); + + auto status_or_pair = factory.createClusterWithConfig(cluster_config, rev_con_config, factory_context); + THROW_IF_NOT_OK_REF(status_or_pair.status()); + + cluster_ = std::dynamic_pointer_cast(status_or_pair.value().first); + priority_update_cb_ = cluster_->prioritySet().addPriorityUpdateCb( + [&](uint32_t, const Upstream::HostVector&, const Upstream::HostVector&) { + membership_updated_.ready(); + return absl::OkStatus(); + }); + ON_CALL(initialized_, ready()).WillByDefault(testing::Invoke([this] { + init_complete_ = true; + })); + cluster_->initialize([&]() { + initialized_.ready(); + return absl::OkStatus(); + }); + } + + void TearDown() override { + if (init_complete_) { + // EXPECT_CALL(server_context_.dispatcher_, post(_)); + EXPECT_CALL(*cleanup_timer_, disableTimer()); + } + } + + NiceMock server_context_; + NiceMock validation_visitor_; + Stats::TestUtil::TestStore& stats_store_ = server_context_.store_; + + std::shared_ptr cluster_; + ReadyWatcher membership_updated_; + ReadyWatcher initialized_; + Event::MockTimer* cleanup_timer_; + Common::CallbackHandlePtr priority_update_cb_; + bool init_complete_{false}; + + // Test factory injection + std::unique_ptr test_acceptor_; + std::unique_ptr> factory_injection_; +}; + +namespace { + +TEST(ReverseConnectionClusterConfigTest, GoodConfig) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + http_header_names: + - x-remote-node-id + - x-dst-cluster-uuid + )EOF"; + + envoy::config::cluster::v3::Cluster cluster_config = Upstream::parseClusterFromV3Yaml(yaml); + EXPECT_TRUE(cluster_config.has_cluster_type()); + EXPECT_EQ(cluster_config.cluster_type().name(), "envoy.clusters.reverse_connection"); +} + +TEST_F(ReverseConnectionClusterTest, BadConfigWithLoadAssignment) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + load_assignment: + cluster_name: name + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8000 + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_THROW_WITH_MESSAGE(setupFromYaml(yaml, false), EnvoyException, + "Reverse Conn clusters must have no load assignment configured"); +} + +TEST_F(ReverseConnectionClusterTest, BadConfigWithWrongLbPolicy) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: ROUND_ROBIN + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_THROW_WITH_MESSAGE(setupFromYaml(yaml, false), EnvoyException, + "cluster: LB policy ROUND_ROBIN is not valid for Cluster type envoy.clusters.reverse_connection. Only 'CLUSTER_PROVIDED' is allowed with cluster type 'REVERSE_CONNECTION'"); +} + +TEST_F(ReverseConnectionClusterTest, BasicSetup) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + http_header_names: + - x-remote-node-id + - x-dst-cluster-uuid + )EOF"; + + EXPECT_CALL(initialized_, ready()); + EXPECT_CALL(membership_updated_, ready()).Times(0); + setupFromYaml(yaml); + + EXPECT_EQ(0UL, cluster_->prioritySet().hostSetsPerPriority()[0]->hosts().size()); + EXPECT_EQ(0UL, cluster_->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); +} + +TEST_F(ReverseConnectionClusterTest, NoContext) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + EXPECT_CALL(membership_updated_, ready()).Times(0); + setupFromYaml(yaml); + + EXPECT_EQ(0UL, cluster_->prioritySet().hostSetsPerPriority()[0]->hosts().size()); + EXPECT_EQ(0UL, cluster_->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); + EXPECT_EQ(0UL, cluster_->prioritySet().hostSetsPerPriority()[0]->hostsPerLocality().get().size()); + EXPECT_EQ( + 0UL, + cluster_->prioritySet().hostSetsPerPriority()[0]->healthyHostsPerLocality().get().size()); + + // No downstream connection => no host. + { + TestLoadBalancerContext lb_context(nullptr); + RevConCluster::LoadBalancer lb(cluster_); + EXPECT_CALL(server_context_.dispatcher_, post(_)).Times(0); + Upstream::HostConstSharedPtr host = lb.chooseHost(&lb_context).host; + EXPECT_EQ(host, nullptr); + } +} + +TEST_F(ReverseConnectionClusterTest, NoHeaders) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Downstream connection but no headers => no host. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + RevConCluster::LoadBalancer lb(cluster_); + EXPECT_CALL(server_context_.dispatcher_, post(_)).Times(0); + Upstream::HostConstSharedPtr host = lb.chooseHost(&lb_context).host; + EXPECT_EQ(host, nullptr); + } +} + +TEST_F(ReverseConnectionClusterTest, MissingRequiredHeaders) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Request with unsupported headers but missing all required headers (EnvoyDstNodeUUID, EnvoyDstClusterUUID, proper Host header) + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection, "x-random-header", "random-value"); + RevConCluster::LoadBalancer lb(cluster_); + EXPECT_CALL(server_context_.dispatcher_, post(_)).Times(0); + Upstream::HostConstSharedPtr host = lb.chooseHost(&lb_context).host; + EXPECT_EQ(host, nullptr); + } +} + +TEST_F(ReverseConnectionClusterTest, GetUUIDFromHostFunction) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + RevConCluster::LoadBalancer lb(cluster_); + + // Test valid Host header format + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-node-uuid.tcpproxy.envoy.remote:8080"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_TRUE(result.has_value()); + EXPECT_EQ(result.value(), "test-node-uuid"); + } + + // Test valid Host header format with different UUID + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "another-test-node-uuid.tcpproxy.envoy.remote:9090"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_TRUE(result.has_value()); + EXPECT_EQ(result.value(), "another-test-node-uuid"); + } + + // Test Host header without port + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-node-uuid.tcpproxy.envoy.remote"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_TRUE(result.has_value()); + EXPECT_EQ(result.value(), "test-node-uuid"); + } + + // Test invalid Host header - wrong suffix + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-node-uuid.wrong.suffix:8080"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_FALSE(result.has_value()); + } + + // Test invalid Host header - no dot separator + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-node-uuidtcpproxy.envoy.remote:8080"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_FALSE(result.has_value()); + } + + // Test invalid Host header - empty UUID + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", ".tcpproxy.envoy.remote:8080"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_EQ(result.value(), ""); + } +} + +TEST_F(ReverseConnectionClusterTest, GetUUIDFromSNIFunction) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + RevConCluster::LoadBalancer lb(cluster_); + + // Test valid SNI format + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return("test-node-uuid.tcpproxy.envoy.remote")); + + auto result = lb.getUUIDFromSNI(&connection); + EXPECT_TRUE(result.has_value()); + EXPECT_EQ(result.value(), "test-node-uuid"); + } + + // Test valid SNI format with different UUID + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return("another-test-node123.tcpproxy.envoy.remote")); + + auto result = lb.getUUIDFromSNI(&connection); + EXPECT_TRUE(result.has_value()); + EXPECT_EQ(result.value(), "another-test-node123"); + } + + // Test empty SNI + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return("")); + + auto result = lb.getUUIDFromSNI(&connection); + EXPECT_FALSE(result.has_value()); + } + + // Test null connection + { + auto result = lb.getUUIDFromSNI(nullptr); + EXPECT_FALSE(result.has_value()); + } + + // Test SNI with wrong suffix + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return("test-node-uuid.wrong.suffix")); + + auto result = lb.getUUIDFromSNI(&connection); + EXPECT_FALSE(result.has_value()); + } + + // Test SNI without suffix + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return("test-node-uuid")); + + auto result = lb.getUUIDFromSNI(&connection); + EXPECT_FALSE(result.has_value()); + } + + // Test SNI with empty UUID + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return(".tcpproxy.envoy.remote")); + + auto result = lb.getUUIDFromSNI(&connection); + EXPECT_EQ(result.value(), ""); + } +} + +// TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { +// const std::string yaml = R"EOF( +// name: name +// connect_timeout: 0.25s +// lb_policy: CLUSTER_PROVIDED +// cleanup_interval: 1s +// cluster_type: +// name: envoy.clusters.reverse_connection +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig +// cleanup_interval: 10s +// )EOF"; + +// EXPECT_CALL(initialized_, ready()); +// setupFromYaml(yaml); + +// RevConCluster::LoadBalancer lb(cluster_); + +// // Test host creation with Host header +// { +// NiceMock connection; +// TestLoadBalancerContext lb_context(&connection); +// lb_context.downstream_headers_ = +// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ +// {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + +// auto result = lb.chooseHost(&lb_context); +// EXPECT_NE(result.host, nullptr); +// EXPECT_EQ(result.host->address()->logicalName(), "test-node-test-uuid-123"); +// } + +// // Test host creation with SNI +// { +// NiceMock connection; +// EXPECT_CALL(connection, requestedServerName()) +// .WillRepeatedly(Return("test-uuid-456.tcpproxy.envoy.remote")); + +// TestLoadBalancerContext lb_context(&connection); +// // No Host header, so it should fall back to SNI +// lb_context.downstream_headers_ = +// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{}}; + +// auto result = lb.chooseHost(&lb_context); +// EXPECT_NE(result.host, nullptr); +// EXPECT_EQ(result.host->address()->logicalName(), "test-node-test-uuid-456"); +// } + +// // Test host creation with HTTP headers +// { +// NiceMock connection; +// TestLoadBalancerContext lb_context(&connection, "x-dst-cluster-uuid", "cluster-123"); + +// auto result = lb.chooseHost(&lb_context); +// EXPECT_NE(result.host, nullptr); +// EXPECT_EQ(result.host->address()->logicalName(), "test-node-cluster-123"); +// } +// } + +// TEST_F(ReverseConnectionClusterTest, HostReuse) { +// const std::string yaml = R"EOF( +// name: name +// connect_timeout: 0.25s +// lb_policy: CLUSTER_PROVIDED +// cleanup_interval: 1s +// cluster_type: +// name: envoy.clusters.reverse_connection +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig +// cleanup_interval: 10s +// )EOF"; + +// EXPECT_CALL(initialized_, ready()); +// setupFromYaml(yaml); + +// RevConCluster::LoadBalancer lb(cluster_); + +// // Create first host +// { +// NiceMock connection; +// TestLoadBalancerContext lb_context(&connection); +// lb_context.downstream_headers_ = +// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ +// {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + +// auto result1 = lb.chooseHost(&lb_context); +// EXPECT_NE(result1.host, nullptr); + +// // Create second host with same UUID - should reuse the same host +// auto result2 = lb.chooseHost(&lb_context); +// EXPECT_NE(result2.host, nullptr); +// EXPECT_EQ(result1.host, result2.host); +// } +// } + +// TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { +// const std::string yaml = R"EOF( +// name: name +// connect_timeout: 0.25s +// lb_policy: CLUSTER_PROVIDED +// cleanup_interval: 1s +// cluster_type: +// name: envoy.clusters.reverse_connection +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig +// cleanup_interval: 10s +// )EOF"; + +// EXPECT_CALL(initialized_, ready()); +// setupFromYaml(yaml); + +// RevConCluster::LoadBalancer lb(cluster_); + +// // Create first host +// { +// NiceMock connection; +// TestLoadBalancerContext lb_context(&connection); +// lb_context.downstream_headers_ = +// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ +// {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + +// auto result1 = lb.chooseHost(&lb_context); +// EXPECT_NE(result1.host, nullptr); + +// // Create second host with different UUID - should be different host +// lb_context.downstream_headers_ = +// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ +// {"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; +// auto result2 = lb.chooseHost(&lb_context); +// EXPECT_NE(result2.host, nullptr); +// EXPECT_NE(result1.host, result2.host); +// } +// } + +} // namespace +} // namespace ReverseConnection +} // namespace Extensions +} // namespace Envoy \ No newline at end of file From c243f496f5ce3001eab5c1922a779f1be06a000b Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 17 Jul 2025 06:41:32 +0000 Subject: [PATCH 007/505] Reverse Conn Address should return the downstream socket interface Signed-off-by: Basundhara Chakrabarty --- .../listener_manager/listener_manager_impl.cc | 24 +++---- .../reverse_connection_address.h | 8 +++ .../listener_manager_impl_test.cc | 72 +++++++++++++++++++ 3 files changed, 89 insertions(+), 15 deletions(-) diff --git a/source/common/listener_manager/listener_manager_impl.cc b/source/common/listener_manager/listener_manager_impl.cc index fdaf61d492c84..b2ebc8e8c8a3f 100644 --- a/source/common/listener_manager/listener_manager_impl.cc +++ b/source/common/listener_manager/listener_manager_impl.cc @@ -319,25 +319,19 @@ absl::StatusOr ProdListenerComponentFactory::createLis ASSERT(socket_type == Network::Socket::Type::Stream || socket_type == Network::Socket::Type::Datagram); - // Check logicalName() for reverse connection addresses + // Addresses with the "rc://" prefix are reverse connection addresses. std::string logical_name = address->logicalName(); if (absl::StartsWith(logical_name, "rc://")) { - // Try to get a registered reverse connection socket interface + // Use the address's socket interface for reverse connections. If the + // reverse connection socket interface is not registered, the default + // socket interface is returned by socketInterface(). ENVOY_LOG(debug, "Creating reverse connection socket for logical name: {}", logical_name); - auto* socket_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); - if (socket_interface) { - ENVOY_LOG(debug, "Creating reverse connection socket for logical name: {}", logical_name); - auto io_handle = socket_interface->socket(socket_type, address, creation_options); - if (!io_handle) { - return absl::InvalidArgumentError("Failed to create reverse connection socket"); - } - return std::make_shared(std::move(io_handle), address, options); - } else { - ENVOY_LOG(warn, "Reverse connection address detected but socket interface not registered: {}", - logical_name); - return absl::InvalidArgumentError("Reverse connection socket interface not available"); + const auto& socket_interface = address->socketInterface(); + auto io_handle = socket_interface.socket(socket_type, address, creation_options); + if (!io_handle) { + return absl::InternalError("Failed to create reverse connection socket"); } + return std::make_shared(std::move(io_handle), address, options); } // First we try to get the socket from our parent if applicable in each case below. diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h index 858acc3b162aa..dcb2de1bf3557 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h @@ -49,6 +49,14 @@ class ReverseConnectionAddress : public Network::Address::Instance { socklen_t sockAddrLen() const override; absl::string_view addressType() const override { return "reverse_connection"; } const Network::SocketInterface& socketInterface() const override { + auto* socket_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + if (socket_interface) { + return *socket_interface; + } + // Fallback to default if reverse connection interface is not available + ENVOY_LOG_MISC(error, "Reverse connection address detected but socket interface not registered: {}", + logicalName()); return Network::SocketInterfaceSingleton::get(); } diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index df7d31e64c9de..7ad8925903724 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -8250,6 +8250,78 @@ INSTANTIATE_TEST_SUITE_P(Matcher, ListenerManagerImplForInPlaceFilterChainUpdate INSTANTIATE_TEST_SUITE_P(Matcher, ListenerManagerImplWithDispatcherStatsTest, ::testing::Values(false)); +// Test address implementation for reverse connection testing +class TestReverseConnectionAddress : public Network::Address::Instance { +public: + TestReverseConnectionAddress() + : address_string_("127.0.0.1:0"), // Dummy IP address + logical_name_("rc://test-node:test-cluster:test-tenant@remote-cluster:1"), // Address with the same format as reverse connection addresses + ipv4_instance_(std::make_shared("127.0.0.1", 0)) {} + + // Network::Address::Instance + bool operator==(const Instance& rhs) const override { + return address_string_ == rhs.asString(); + } + Network::Address::Type type() const override { return Network::Address::Type::Ip; } + const std::string& asString() const override { return address_string_; } + absl::string_view asStringView() const override { return address_string_; } + const std::string& logicalName() const override { return logical_name_; } + const Network::Address::Ip* ip() const override { return ipv4_instance_->ip(); } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } + absl::optional networkNamespace() const override { return absl::nullopt; } + const sockaddr* sockAddr() const override { return ipv4_instance_->sockAddr(); } + socklen_t sockAddrLen() const override { return ipv4_instance_->sockAddrLen(); } + absl::string_view addressType() const override { return "test_reverse_connection"; } + const Network::SocketInterface& socketInterface() const override { + return Network::SocketInterfaceSingleton::get(); + } + +private: + std::string address_string_; + std::string logical_name_; + Network::Address::InstanceConstSharedPtr ipv4_instance_; +}; + +TEST_P(ListenerManagerImplTest, ReverseConnectionAddressUsesCorrectSocketInterface) { + auto reverse_connection_address = std::make_shared(); + + // Verify the address has the expected logical name format + EXPECT_TRUE(absl::StartsWith(reverse_connection_address->logicalName(), "rc://")); + EXPECT_EQ(reverse_connection_address->logicalName(), "rc://test-node:test-cluster:test-tenant@remote-cluster:1"); + // Verify asString() returns the localhost address + EXPECT_EQ(reverse_connection_address->asString(), "127.0.0.1:0"); + + // Create listener factory to test the actual implementation + ProdListenerComponentFactory real_listener_factory(server_); + + Network::Socket::OptionsSharedPtr options = nullptr; + Network::SocketCreationOptions creation_options; + + // This should use the default socket interface returned by the address's + // socketInterface() method. + auto socket_result = real_listener_factory.createListenSocket( + reverse_connection_address, + Network::Socket::Type::Stream, + options, + ListenerComponentFactory::BindType::NoBind, + creation_options, + 0 /* worker_index */ + ); + + // The socket creation should succeed and use the address's socket interface + EXPECT_TRUE(socket_result.ok()); + if (socket_result.ok()) { + auto socket = socket_result.value(); + EXPECT_NE(socket, nullptr); + // Verify the socket was created with the expected address + EXPECT_EQ(socket->connectionInfoProvider().localAddress()->logicalName(), + reverse_connection_address->logicalName()); + } +} + } // namespace } // namespace Server } // namespace Envoy From 85ac26d523cf8a1f154fcbbd182e803364e2ff3b Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sat, 19 Jul 2025 00:57:25 +0000 Subject: [PATCH 008/505] Cleanup upstream stat collection Signed-off-by: Basundhara Chakrabarty --- .../reverse_tunnel/reverse_tunnel_acceptor.cc | 428 +++++------------- .../reverse_tunnel/reverse_tunnel_acceptor.h | 158 ++----- .../http/reverse_conn/reverse_conn_filter.cc | 146 ++---- .../http/reverse_conn/reverse_conn_filter.h | 3 +- 4 files changed, 194 insertions(+), 541 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc index 87d2e9ca5d665..9bde7775c5ca0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc @@ -4,6 +4,7 @@ #include #include #include +#include #include "source/common/api/os_sys_calls_impl.h" #include "source/common/buffer/buffer_impl.h" @@ -176,7 +177,7 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { // Set up the thread local dispatcher and socket manager for each worker thread tls_slot_->set([this](Event::Dispatcher& dispatcher) { - return std::make_shared(dispatcher, context_.scope(), this); + return std::make_shared(dispatcher, this); }); } @@ -195,146 +196,14 @@ UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() co return nullptr; } -absl::flat_hash_map -ReverseTunnelAcceptorExtension::getAggregatedConnectionStats() { - absl::flat_hash_map aggregated_stats; - - if (!tls_slot_) { - ENVOY_LOG(debug, "No TLS slot available for connection stats aggregation"); - return aggregated_stats; - } - - // Get stats from current thread only - cross-thread aggregation in HTTP handler causes deadlock - if (auto opt = tls_slot_->get(); opt.has_value() && opt->socketManager()) { - auto thread_stats = opt->socketManager()->getConnectionStats(); - for (const auto& stat : thread_stats) { - aggregated_stats[stat.first] = stat.second; - } - ENVOY_LOG(debug, "Got connection stats from current thread: {} nodes", aggregated_stats.size()); - } else { - ENVOY_LOG(debug, "No socket manager available on current thread"); - } - - return aggregated_stats; -} - -absl::flat_hash_map -ReverseTunnelAcceptorExtension::getAggregatedSocketCountMap() { - absl::flat_hash_map aggregated_stats; - - if (!tls_slot_) { - ENVOY_LOG(debug, "No TLS slot available for socket count aggregation"); - return aggregated_stats; - } - - // Get stats from current thread only - cross-thread aggregation in HTTP handler causes deadlock - if (auto opt = tls_slot_->get(); opt.has_value() && opt->socketManager()) { - auto thread_stats = opt->socketManager()->getSocketCountMap(); - for (const auto& stat : thread_stats) { - aggregated_stats[stat.first] = stat.second; - } - ENVOY_LOG(debug, "Got socket count from current thread: {} clusters", aggregated_stats.size()); - } else { - ENVOY_LOG(debug, "No socket manager available on current thread"); - } - - return aggregated_stats; -} - -void ReverseTunnelAcceptorExtension::getMultiTenantConnectionStats( - std::function&, - const std::vector&)> - callback) { - - if (!tls_slot_) { - ENVOY_LOG(warn, "No TLS slot available for multi-tenant connection aggregation"); - callback({}, {}); - return; - } - - // Create aggregation state - shared across all threads - auto aggregation_state = std::make_shared(); - aggregation_state->completion_callback = std::move(callback); - - // Use Envoy's runOnAllThreads pattern for safe cross-thread data collection - tls_slot_->runOnAllThreads( - [aggregation_state](OptRef tls_instance) { - absl::flat_hash_map thread_stats; - std::vector thread_connected; - std::vector thread_accepted; - - if (tls_instance.has_value() && tls_instance->socketManager()) { - // Collect connection stats from this thread - auto connection_stats = tls_instance->socketManager()->getConnectionStats(); - for (const auto& [node_id, count] : connection_stats) { - if (count > 0) { - thread_connected.push_back(node_id); - thread_stats[node_id] = count; - } - } - - // Collect accepted connections from this thread - auto socket_count_map = tls_instance->socketManager()->getSocketCountMap(); - for (const auto& [cluster_id, count] : socket_count_map) { - if (count > 0) { - thread_accepted.push_back(cluster_id); - } - } - } - - // Thread-safe aggregation - { - absl::MutexLock lock(&aggregation_state->mutex); - - // Merge connection stats - for (const auto& [node_id, count] : thread_stats) { - aggregation_state->connection_stats[node_id] += count; - } - - // Merge connected nodes (de-duplicate) - for (const auto& node : thread_connected) { - if (std::find(aggregation_state->connected_nodes.begin(), - aggregation_state->connected_nodes.end(), - node) == aggregation_state->connected_nodes.end()) { - aggregation_state->connected_nodes.push_back(node); - } - } - - // Merge accepted connections (de-duplicate) - for (const auto& connection : thread_accepted) { - if (std::find(aggregation_state->accepted_connections.begin(), - aggregation_state->accepted_connections.end(), - connection) == aggregation_state->accepted_connections.end()) { - aggregation_state->accepted_connections.push_back(connection); - } - } - } - }, - [aggregation_state]() { - // Completion callback - called when all threads have finished - absl::MutexLock lock(&aggregation_state->mutex); - if (!aggregation_state->completed) { - aggregation_state->completed = true; - ENVOY_LOG(debug, - "Multi-tenant connection aggregation completed: {} connection stats, {} " - "connected nodes, {} accepted connections", - aggregation_state->connection_stats.size(), - aggregation_state->connected_nodes.size(), - aggregation_state->accepted_connections.size()); - - aggregation_state->completion_callback(aggregation_state->connection_stats, - aggregation_state->connected_nodes); - } - }); -} std::pair, std::vector> ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { ENVOY_LOG(debug, "getConnectionStatsSync: using stats-based approach for production reliability"); - // Use Envoy's stats system for reliable cross-thread aggregation - auto connection_stats = getMultiTenantConnectionStatsViaStats(); + // Get all gauges with the reverse_connections prefix. + auto connection_stats = getCrossWorkerStatMap(); std::vector connected_nodes; std::vector accepted_connections; @@ -362,33 +231,30 @@ ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds } absl::flat_hash_map -ReverseTunnelAcceptorExtension::getMultiTenantConnectionStatsViaStats() { +ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { absl::flat_hash_map stats_map; - - // Use Envoy's proven stats aggregation - this automatically aggregates across all threads auto& stats_store = context_.scope(); - // Iterate through all gauges with the reverse_connections prefix using correct IterateFn - // signature + // Iterate through all gauges with the reverse_connections prefix. Stats::IterateFn gauge_callback = [&stats_map](const Stats::RefcountPtr& gauge) -> bool { if (gauge->name().find("reverse_connections.") == 0 && gauge->used()) { stats_map[gauge->name()] = gauge->value(); } - return true; // Continue iteration + return true; }; stats_store.iterate(gauge_callback); ENVOY_LOG(debug, - "getMultiTenantConnectionStatsViaStats: collected {} stats from Envoy's stats system", + "getCrossWorkerStatMap: collected {} stats for reverse connections across all worker threads", stats_map.size()); return stats_map; } -void ReverseTunnelAcceptorExtension::updateConnectionStatsRegistry(const std::string& node_id, - const std::string& cluster_id, - bool increment) { +void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& node_id, + const std::string& cluster_id, + bool increment) { // Register stats with Envoy's system for automatic cross-thread aggregation auto& stats_store = context_.scope(); @@ -400,12 +266,12 @@ void ReverseTunnelAcceptorExtension::updateConnectionStatsRegistry(const std::st stats_store.gaugeFromString(node_stat_name, Stats::Gauge::ImportMode::Accumulate); if (increment) { node_gauge.inc(); - ENVOY_LOG(trace, "updateConnectionStatsRegistry: incremented node stat {} to {}", - node_stat_name, node_gauge.value()); + ENVOY_LOG(trace, "updateConnectionStats: incremented node stat {} to {}", + node_stat_name, node_gauge.value()); } else { node_gauge.dec(); - ENVOY_LOG(trace, "updateConnectionStatsRegistry: decremented node stat {} to {}", - node_stat_name, node_gauge.value()); + ENVOY_LOG(trace, "updateConnectionStats: decremented node stat {} to {}", + node_stat_name, node_gauge.value()); } } @@ -416,21 +282,107 @@ void ReverseTunnelAcceptorExtension::updateConnectionStatsRegistry(const std::st stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); if (increment) { cluster_gauge.inc(); - ENVOY_LOG(trace, "updateConnectionStatsRegistry: incremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); + ENVOY_LOG(trace, "updateConnectionStats: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); } else { cluster_gauge.dec(); - ENVOY_LOG(trace, "updateConnectionStatsRegistry: decremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); + ENVOY_LOG(trace, "updateConnectionStats: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); } } + + // Also update per-worker stats for debugging + updatePerWorkerConnectionStats(node_id, cluster_id, increment); +} + +void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::string& node_id, + const std::string& cluster_id, + bool increment) { + auto& stats_store = context_.scope(); + + // Get dispatcher name from the thread local dispatcher + std::string dispatcher_name = "main_thread"; // Default for main thread + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + } + + // Create/update per-worker node connection stat + if (!node_id.empty()) { + std::string worker_node_stat_name = fmt::format("reverse_connections.{}.node.{}", + dispatcher_name, node_id); + auto& worker_node_gauge = + stats_store.gaugeFromString(worker_node_stat_name, Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_node_gauge.inc(); + ENVOY_LOG(trace, "updatePerWorkerConnectionStats: incremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } else { + worker_node_gauge.dec(); + ENVOY_LOG(trace, "updatePerWorkerConnectionStats: decremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } + } + + // Create/update per-worker cluster connection stat + if (!cluster_id.empty()) { + std::string worker_cluster_stat_name = fmt::format("reverse_connections.{}.cluster.{}", + dispatcher_name, cluster_id); + auto& worker_cluster_gauge = + stats_store.gaugeFromString(worker_cluster_stat_name, Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_cluster_gauge.inc(); + ENVOY_LOG(trace, "updatePerWorkerConnectionStats: incremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "updatePerWorkerConnectionStats: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } + } +} + +absl::flat_hash_map +ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Get the current dispatcher name + std::string dispatcher_name = "main_thread"; // Default for main thread + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + } + + // Iterate through all gauges and filter for the current dispatcher + Stats::IterateFn gauge_callback = + [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + if (gauge_name.find("reverse_connections.") == 0 && + gauge_name.find(dispatcher_name + ".") != std::string::npos && + (gauge_name.find(".node.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, + "getPerWorkerStatMap: collected {} stats for dispatcher '{}'", + stats_map.size(), dispatcher_name); + + return stats_map; } // UpstreamSocketManager implementation -UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, Stats::Scope& scope, +UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, ReverseTunnelAcceptorExtension* extension) : dispatcher_(dispatcher), random_generator_(std::make_unique()), - usm_scope_(scope.createScope("upstream_socket_manager.")), extension_(extension) { + extension_(extension) { ENVOY_LOG(debug, "UpstreamSocketManager: creating UpstreamSocketManager with stats integration"); ping_timer_ = dispatcher_.createTimer([this]() { pingConnections(); }); } @@ -451,14 +403,6 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, ENVOY_LOG(debug, "UpstreamSocketManager: Adding connection socket for node: {} and cluster: {}", node_id, cluster_id); - // Update stats for the node - USMStats* node_stats = this->getStatsByNode(node_id); - node_stats->reverse_conn_cx_total_.inc(); - node_stats->reverse_conn_cx_idle_.inc(); - ENVOY_LOG(debug, "UpstreamSocketManager: reverse conn count for node:{} idle: {} total:{}", - node_id, node_stats->reverse_conn_cx_idle_.value(), - node_stats->reverse_conn_cx_total_.value()); - ENVOY_LOG(debug, "UpstreamSocketManager: added socket to accepted_reverse_connections_ for node: {} " "cluster: {}", @@ -474,14 +418,8 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, node_to_cluster_map_[node_id] = cluster_id; cluster_to_node_map_[cluster_id].push_back(node_id); } - ENVOY_LOG(debug, "UpstreamSocketManager: node_to_cluster_map_ size: {}", - node_to_cluster_map_.size()); - ENVOY_LOG(debug, "UpstreamSocketManager: cluster_to_node_map_ size: {}", - cluster_to_node_map_.size()); - // Update stats for the cluster - USMStats* cluster_stats = this->getStatsByCluster(cluster_id); - cluster_stats->reverse_conn_cx_total_.inc(); - cluster_stats->reverse_conn_cx_idle_.inc(); + ENVOY_LOG(trace, "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has {} entries", + node_to_cluster_map_.size(), cluster_to_node_map_.size()); } else { ENVOY_LOG(error, "Found a reverse connection with an empty cluster uuid, and node uuid: {}", node_id); @@ -495,10 +433,9 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, ENVOY_LOG(debug, "UpstreamSocketManager: mapping fd {} to node '{}'", fd, node_id); fd_to_node_map_[fd] = node_id; - // Update Envoy's stats system for production multi-tenant tracking - // This integrates with Envoy's proven cross-thread stats aggregation + // Update stats registry if (auto extension = getUpstreamExtension()) { - extension->updateConnectionStatsRegistry(node_id, cluster_id, true /* increment */); + extension->updateConnectionStats(node_id, cluster_id, true /* increment */); ENVOY_LOG(debug, "UpstreamSocketManager: updated stats registry for node '{}' cluster '{}'", node_id, cluster_id); } @@ -545,6 +482,9 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { return {nullptr, false}; } + // Debugging: Print the number of free sockets on this worker thread + ENVOY_LOG(debug, "UpstreamSocketManager: Found {} sockets for node: {}", node_sockets_it->second.size(), node_id); + // Fetch the socket from the accepted_reverse_connections_ and remove it from the list Network::ConnectionSocketPtr socket(std::move(node_sockets_it->second.front())); node_sockets_it->second.pop_front(); @@ -563,97 +503,9 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { cleanStaleNodeEntry(node_id); - // Update stats - USMStats* node_stats = this->getStatsByNode(node_id); - node_stats->reverse_conn_cx_idle_.dec(); - node_stats->reverse_conn_cx_used_.inc(); - - if (!cluster_id.empty()) { - USMStats* cluster_stats = this->getStatsByCluster(cluster_id); - cluster_stats->reverse_conn_cx_idle_.dec(); - cluster_stats->reverse_conn_cx_used_.inc(); - } - return {std::move(socket), false}; } -size_t UpstreamSocketManager::getNumberOfSocketsByCluster(const std::string& cluster_id) { - USMStats* stats = this->getStatsByCluster(cluster_id); - if (!stats) { - ENVOY_LOG(error, "UpstreamSocketManager: No stats available for cluster: {}", cluster_id); - return 0; - } - ENVOY_LOG(debug, "UpstreamSocketManager: Number of sockets for cluster: {} is {}", cluster_id, - stats->reverse_conn_cx_idle_.value()); - return stats->reverse_conn_cx_idle_.value(); -} - -size_t UpstreamSocketManager::getNumberOfSocketsByNode(const std::string& node_id) { - USMStats* stats = this->getStatsByNode(node_id); - if (!stats) { - ENVOY_LOG(error, "UpstreamSocketManager: No stats available for node: {}", node_id); - return 0; - } - ENVOY_LOG(debug, "UpstreamSocketManager: Number of sockets for node: {} is {}", node_id, - stats->reverse_conn_cx_idle_.value()); - return stats->reverse_conn_cx_idle_.value(); -} - -bool UpstreamSocketManager::deleteStatsByNode(const std::string& node_id) { - const auto& iter = usm_node_stats_map_.find(node_id); - if (iter == usm_node_stats_map_.end()) { - return false; - } - usm_node_stats_map_.erase(iter); - return true; -} - -bool UpstreamSocketManager::deleteStatsByCluster(const std::string& cluster_id) { - const auto& iter = usm_cluster_stats_map_.find(cluster_id); - if (iter == usm_cluster_stats_map_.end()) { - return false; - } - usm_cluster_stats_map_.erase(iter); - return true; -} - -absl::flat_hash_map UpstreamSocketManager::getConnectionStats() { - absl::flat_hash_map node_stats; - for (const auto& node_entry : accepted_reverse_connections_) { - const std::string& node_id = node_entry.first; - size_t connection_count = node_entry.second.size(); - if (connection_count > 0) { - node_stats[node_id] = connection_count; - } - } - ENVOY_LOG(debug, "UpstreamSocketManager::getConnectionStats returning {} nodes", - node_stats.size()); - return node_stats; -} - -absl::flat_hash_map UpstreamSocketManager::getSocketCountMap() { - absl::flat_hash_map cluster_stats; - for (const auto& cluster_entry : cluster_to_node_map_) { - const std::string& cluster_id = cluster_entry.first; - size_t total_connections = 0; - - // Sum up connections for all nodes in this cluster - for (const std::string& node_id : cluster_entry.second) { - const auto& node_conn_iter = accepted_reverse_connections_.find(node_id); - if (node_conn_iter != accepted_reverse_connections_.end()) { - total_connections += node_conn_iter->second.size(); - } - } - - if (total_connections > 0) { - cluster_stats[cluster_id] = total_connections; - } - } - ENVOY_LOG(debug, "UpstreamSocketManager::getSocketCountMap returning {} clusters", - cluster_stats.size()); - return cluster_stats; -} - std::string UpstreamSocketManager::getNodeID(const std::string& key) { ENVOY_LOG(debug, "UpstreamSocketManager: getNodeID() called with key: {}", key); @@ -712,17 +564,12 @@ void UpstreamSocketManager::markSocketDead(const int fd) { // Update Envoy's stats system for production multi-tenant tracking // This ensures stats are decremented when connections are removed if (auto extension = getUpstreamExtension()) { - extension->updateConnectionStatsRegistry(node_id, cluster_id, false /* decrement */); + extension->updateConnectionStats(node_id, cluster_id, false /* decrement */); ENVOY_LOG(debug, "UpstreamSocketManager: decremented stats registry for node '{}' cluster '{}'", node_id, cluster_id); } - USMStats* stats = this->getStatsByNode(node_id); - if (stats) { - stats->reverse_conn_cx_used_.dec(); - stats->reverse_conn_cx_total_.dec(); - } return; } @@ -739,25 +586,10 @@ void UpstreamSocketManager::markSocketDead(const int fd) { fd_to_event_map_.erase(fd); fd_to_timer_map_.erase(fd); - // Update stats - USMStats* node_stats = this->getStatsByNode(node_id); - if (node_stats) { - node_stats->reverse_conn_cx_idle_.dec(); - node_stats->reverse_conn_cx_total_.dec(); - } - - if (!cluster_id.empty()) { - USMStats* cluster_stats = this->getStatsByCluster(cluster_id); - if (cluster_stats) { - cluster_stats->reverse_conn_cx_idle_.dec(); - cluster_stats->reverse_conn_cx_total_.dec(); - } - } - // Update Envoy's stats system for production multi-tenant tracking // This ensures stats are decremented when connections are removed if (auto extension = getUpstreamExtension()) { - extension->updateConnectionStatsRegistry(node_id, cluster_id, false /* decrement */); + extension->updateConnectionStats(node_id, cluster_id, false /* decrement */); ENVOY_LOG(debug, "UpstreamSocketManager: decremented stats registry for node '{}' cluster '{}'", node_id, cluster_id); @@ -902,34 +734,6 @@ void UpstreamSocketManager::pingConnections() { ping_timer_->enableTimer(ping_interval_); } -USMStats* UpstreamSocketManager::getStatsByNode(const std::string& node_id) { - auto iter = usm_node_stats_map_.find(node_id); - if (iter != usm_node_stats_map_.end()) { - USMStats* stats = iter->second.get(); - return stats; - } - - ENVOY_LOG(debug, "UpstreamSocketManager: Creating new stats for node: {}", node_id); - const std::string& final_prefix = "node." + node_id; - usm_node_stats_map_[node_id] = std::make_unique( - USMStats{ALL_USM_STATS(POOL_GAUGE_PREFIX(*usm_scope_, final_prefix))}); - return usm_node_stats_map_[node_id].get(); -} - -USMStats* UpstreamSocketManager::getStatsByCluster(const std::string& cluster_id) { - auto iter = usm_cluster_stats_map_.find(cluster_id); - if (iter != usm_cluster_stats_map_.end()) { - USMStats* stats = iter->second.get(); - return stats; - } - - ENVOY_LOG(debug, "UpstreamSocketManager: Creating new stats for cluster: {}", cluster_id); - const std::string& final_prefix = "cluster." + cluster_id; - usm_cluster_stats_map_[cluster_id] = std::make_unique( - USMStats{ALL_USM_STATS(POOL_GAUGE_PREFIX(*usm_scope_, final_prefix))}); - return usm_cluster_stats_map_[cluster_id].get(); -} - UpstreamSocketManager::~UpstreamSocketManager() { ENVOY_LOG(debug, "UpstreamSocketManager destructor called"); diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h index fb09d60a5f4f5..1176a2ce2041e 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h @@ -32,24 +32,6 @@ class ReverseTunnelAcceptor; class ReverseTunnelAcceptorExtension; class UpstreamSocketManager; -/** - * All UpstreamSocketManager stats. @see stats_macros.h - * This encompasses the stats for all accepted reverse connections by the responder envoy. - */ -#define ALL_USM_STATS(GAUGE) \ - GAUGE(reverse_conn_cx_idle, NeverImport) \ - GAUGE(reverse_conn_cx_used, NeverImport) \ - GAUGE(reverse_conn_cx_total, NeverImport) - -/** - * Struct definition for all UpstreamSocketManager stats. @see stats_macros.h - */ -struct USMStats { - ALL_USM_STATS(GENERATE_GAUGE_STRUCT) -}; - -using USMStatsPtr = std::unique_ptr; - /** * Custom IoHandle for upstream reverse connections that properly owns a ConnectionSocket. * This class uses RAII principles to manage socket lifetime without requiring external storage. @@ -106,15 +88,14 @@ class UpstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { public: /** * Constructor for UpstreamSocketThreadLocal. - * Creates a new socket manager instance for the given dispatcher and scope. + * Creates a new socket manager instance for the given dispatcher. * @param dispatcher the thread-local dispatcher. - * @param scope the stats scope for this thread's socket manager. * @param extension the upstream extension for stats integration. */ - UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, Stats::Scope& scope, + UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, ReverseTunnelAcceptorExtension* extension = nullptr) : dispatcher_(dispatcher), - socket_manager_(std::make_unique(dispatcher, scope, extension)) {} + socket_manager_(std::make_unique(dispatcher, extension)) {} /** * @return reference to the thread-local dispatcher. @@ -273,29 +254,7 @@ class ReverseTunnelAcceptorExtension const std::string& statPrefix() const { return stat_prefix_; } /** - * Aggregate connection statistics from all worker threads. - * @return map of node_id to total connection count across all threads. - */ - absl::flat_hash_map getAggregatedConnectionStats(); - - /** - * Aggregate socket count statistics from all worker threads. - * @return map of cluster_id to total socket count across all threads. - */ - absl::flat_hash_map getAggregatedSocketCountMap(); - - /** - * Production-ready cross-thread connection aggregation for multi-tenant reporting. - * Uses Envoy's runOnAllThreads pattern to safely collect data from all worker threads. - * @param callback function called with aggregated results when collection completes - */ - void - getMultiTenantConnectionStats(std::function&, - const std::vector&)> - callback); - - /** - * Synchronous version for admin API endpoints that require immediate response. + * Synchronous version for admin API endpoints that require immediate response on reverse connection stats. * Uses blocking aggregation with timeout for production reliability. * @param timeout_ms maximum time to wait for aggregation completion * @return pair of or empty if timeout @@ -304,21 +263,36 @@ class ReverseTunnelAcceptorExtension getConnectionStatsSync(std::chrono::milliseconds timeout_ms = std::chrono::milliseconds(5000)); /** - * Production-ready multi-tenant connection tracking using Envoy's stats system. - * This integrates with Envoy's proven cross-thread stats aggregation infrastructure. - * @return map of connection statistics across all worker threads + * Get cross-worker aggregated reverse connection stats. + * @return map of node/cluster -> connection count across all worker threads */ - absl::flat_hash_map getMultiTenantConnectionStatsViaStats(); + absl::flat_hash_map getCrossWorkerStatMap(); /** - * Register connection stats with Envoy's stats system for automatic cross-thread aggregation. - * This ensures consistent reporting across all threads without manual thread coordination. + * Update the cross-thread aggregated stats for the connection. * @param node_id the node identifier for the connection * @param cluster_id the cluster identifier for the connection * @param increment whether to increment (true) or decrement (false) the connection count */ - void updateConnectionStatsRegistry(const std::string& node_id, const std::string& cluster_id, - bool increment); + void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, + bool increment); + + /** + * Update per-worker connection stats for debugging purposes. + * Creates worker-specific stats "reverse_connections.{worker_name}.node.{node_id}". + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, + bool increment); + + /** + * Get per-worker connection stats for debugging purposes. + * Returns stats like "reverse_connections.{worker_name}.node.{node_id}" for the current thread only. + * @return map of node/cluster -> connection count for the current worker thread + */ + absl::flat_hash_map getPerWorkerStatMap(); /** * Get the stats scope for accessing global stats. @@ -333,21 +307,6 @@ class ReverseTunnelAcceptorExtension ReverseTunnelAcceptor* socket_interface_; std::string stat_prefix_; - /** - * Internal helper for cross-thread data aggregation. - * Follows Envoy's thread-safe aggregation patterns. - */ - struct ConnectionAggregationState { - absl::flat_hash_map connection_stats; - std::vector connected_nodes; - std::vector accepted_connections; - std::atomic pending_threads{0}; - std::function&, - const std::vector&)> - completion_callback; - absl::Mutex mutex; - bool completed{false}; - }; }; /** @@ -357,7 +316,7 @@ class ReverseTunnelAcceptorExtension class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, public Logger::Loggable { public: - UpstreamSocketManager(Event::Dispatcher& dispatcher, Stats::Scope& scope, + UpstreamSocketManager(Event::Dispatcher& dispatcher, ReverseTunnelAcceptorExtension* extension = nullptr); ~UpstreamSocketManager(); @@ -383,28 +342,6 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, */ std::pair getConnectionSocket(const std::string& node_id); - /** - * @return the number of reverse connections for the given cluster id. - */ - size_t getNumberOfSocketsByCluster(const std::string& cluster_id); - - /** - * @return the number of reverse connections for the given node id. - */ - size_t getNumberOfSocketsByNode(const std::string& node_id); - - /** - * @return the cluster -> reverse conn count mapping. - */ - absl::flat_hash_map getSocketCountMap(); - absl::flat_hash_map getSocketCountMap() const; - - /** - * @return the node -> reverse conn count mapping. - */ - absl::flat_hash_map getConnectionStats(); - absl::flat_hash_map getConnectionStats() const; - /** Mark the connection socket dead and remove it from internal maps. * @param fd the FD for the socket to be marked dead. */ @@ -435,41 +372,12 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, */ void onPingResponse(Network::IoHandle& io_handle); - /** - * Get or create stats for a specific node. - * @param node_id the node ID to get stats for. - * @return pointer to the node stats. - */ - USMStats* getStatsByNode(const std::string& node_id); - - /** - * Get or create stats for a specific cluster. - * @param cluster_id the cluster ID to get stats for. - * @return pointer to the cluster stats. - */ - USMStats* getStatsByCluster(const std::string& cluster_id); - - /** - * Delete stats for a specific node. - * @param node_id the node ID to delete stats for. - * @return true if stats were deleted, false if not found. - */ - bool deleteStatsByNode(const std::string& node_id); - - /** - * Delete stats for a specific cluster. - * @param cluster_id the cluster ID to delete stats for. - * @return true if stats were deleted, false if not found. - */ - bool deleteStatsByCluster(const std::string& cluster_id); - /** * Get the upstream extension for stats integration. * @return pointer to the upstream extension or nullptr if not available. */ ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } - // Get node ID from key (cluster ID or node ID) std::string getNodeID(const std::string& key); @@ -495,16 +403,6 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, absl::flat_hash_map fd_to_event_map_; absl::flat_hash_map fd_to_timer_map_; - // A map of the remote node ID -> USMStatsPtr, used to log accepted - // reverse conn stats for every initiator node, by the local envoy as responder. - absl::flat_hash_map usm_node_stats_map_; - - // A map of the remote cluster ID -> USMStatsPtr, used to log accepted - // reverse conn stats for every initiator cluster, by the local envoy as responder. - absl::flat_hash_map usm_cluster_stats_map_; - - // The scope for UpstreamSocketManager stats. - Stats::ScopeSharedPtr usm_scope_; Event::TimerPtr ping_timer_; std::chrono::seconds ping_interval_{0}; diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 8f36ccf16368b..a95dac5e674f5 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -177,15 +177,7 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { // Handle based on role if (is_responder) { - auto* socket_manager = getUpstreamSocketManager(); - if (!socket_manager) { - ENVOY_LOG(error, "Failed to get upstream socket manager for responder role"); - decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, - "Failed to get socket manager", nullptr, absl::nullopt, - ""); - return Http::FilterHeadersStatus::StopIteration; - } - return handleResponderInfo(socket_manager, remote_node, remote_cluster); + return handleResponderInfo(remote_node, remote_cluster); } else if (is_initiator) { auto* downstream_interface = getDownstreamSocketInterface(); if (!downstream_interface) { @@ -205,110 +197,70 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { } Http::FilterHeadersStatus -ReverseConnFilter::handleResponderInfo(ReverseConnection::UpstreamSocketManager* socket_manager, - const std::string& remote_node, +ReverseConnFilter::handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster) { - size_t num_sockets = 0; - bool send_all_rc_info = true; - // With the local envoy as a responder, the API can be used to get the number - // of reverse connections by remote node ID or remote cluster ID. - if (!remote_node.empty() || !remote_cluster.empty()) { - send_all_rc_info = false; - if (!remote_node.empty()) { - ENVOY_LOG(debug, - "Getting number of reverse connections for remote node: {} with responder role", - remote_node); - num_sockets = socket_manager->getNumberOfSocketsByNode(remote_node); - } else { - ENVOY_LOG(debug, - "Getting number of reverse connections for remote cluster: {} with responder role", - remote_cluster); - num_sockets = socket_manager->getNumberOfSocketsByCluster(remote_cluster); - } - } - - // Send the reverse connection count filtered by node or cluster ID. - if (!send_all_rc_info) { - std::string response = fmt::format("{{\"available_connections\":{}}}", num_sockets); - absl::StatusOr response_or_error = - Json::Factory::loadFromString(response); - if (!response_or_error.ok()) { - decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, - "failed to form valid json response", nullptr, - absl::nullopt, ""); - } - ENVOY_LOG(info, "Sending reverse connection info response: {}", response); - decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); - return Http::FilterHeadersStatus::StopIteration; - } - ENVOY_LOG(debug, - "Getting all reverse connection info with responder role - production stats-based"); + "ReverseConnFilter: Received reverse connection info request with remote_node: {} remote_cluster: {}", + remote_node, remote_cluster); // Production-ready cross-thread aggregation for multi-tenant reporting - // First try the production stats-based approach for cross-thread aggregation auto* upstream_extension = getUpstreamSocketInterfaceExtension(); - if (upstream_extension) { - ENVOY_LOG(debug, - "Using production stats-based cross-thread aggregation for multi-tenant reporting"); - - // Use the production stats-based approach with Envoy's proven stats system - auto [connected_nodes, accepted_connections] = - upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); - - // Convert vectors to lists for JSON serialization - std::list accepted_connections_list(accepted_connections.begin(), - accepted_connections.end()); - std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - - ENVOY_LOG(debug, - "Stats-based aggregation completed: {} connected nodes, {} accepted connections", - connected_nodes.size(), accepted_connections.size()); - - // Create production-ready JSON response for multi-tenant environment - std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", - Json::Factory::listAsJsonString(accepted_connections_list), - Json::Factory::listAsJsonString(connected_nodes_list)); - - ENVOY_LOG(info, "handleResponderInfo production stats-based response: {}", response); + if (!upstream_extension) { + ENVOY_LOG(error, "No upstream extension available for stats collection"); + std::string response = R"({"accepted":[],"connected":[]})"; decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } - // Fallback to current thread approach (for backward compatibility) - ENVOY_LOG(warn, - "No upstream extension available, falling back to current thread data collection"); - - std::list accepted_rc_nodes; - std::list connected_rc_clusters; + // For specific node or cluster query + if (!remote_node.empty() || !remote_cluster.empty()) { + // Get connection count for specific remote node/cluster using stats + auto stats_map = upstream_extension->getCrossWorkerStatMap(); + size_t num_connections = 0; + + if (!remote_node.empty()) { + std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", remote_node); + auto it = stats_map.find(node_stat_name); + if (it != stats_map.end()) { + num_connections = it->second; + } + } else { + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", remote_cluster); + auto it = stats_map.find(cluster_stat_name); + if (it != stats_map.end()) { + num_connections = it->second; + } + } + + std::string response = fmt::format("{{\"available_connections\":{}}}", num_connections); + ENVOY_LOG(info, "handleResponderInfo response for {}: {}", + remote_node.empty() ? remote_cluster : remote_node, response); + decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); + return Http::FilterHeadersStatus::StopIteration; + } - auto node_stats = socket_manager->getConnectionStats(); - auto cluster_stats = socket_manager->getSocketCountMap(); + ENVOY_LOG(debug, + "ReverseConnFilter: Using upstream socket manager to get connection stats"); - ENVOY_LOG(debug, "Fallback stats collected: {} nodes, {} clusters", node_stats.size(), - cluster_stats.size()); + // Use the production stats-based approach with Envoy's proven stats system + auto [connected_nodes, accepted_connections] = + upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); - // Process current thread's data - for (const auto& [node_id, rc_conn_count] : node_stats) { - if (rc_conn_count > 0) { - accepted_rc_nodes.push_back(node_id); - ENVOY_LOG(trace, "Fallback: Node '{}' has {} connections", node_id, rc_conn_count); - } - } + // Convert vectors to lists for JSON serialization + std::list accepted_connections_list(accepted_connections.begin(), + accepted_connections.end()); + std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - for (const auto& [cluster_id, rc_conn_count] : cluster_stats) { - if (rc_conn_count > 0) { - connected_rc_clusters.push_back(cluster_id); - ENVOY_LOG(trace, "Fallback: Cluster '{}' has {} connections", cluster_id, rc_conn_count); - } - } + ENVOY_LOG(debug, + "Stats aggregation completed: {} connected nodes, {} accepted connections", + connected_nodes.size(), accepted_connections.size()); - // Create fallback JSON response + // Create production-ready JSON response for multi-tenant environment std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", - Json::Factory::listAsJsonString(accepted_rc_nodes), - Json::Factory::listAsJsonString(connected_rc_clusters)); + Json::Factory::listAsJsonString(accepted_connections_list), + Json::Factory::listAsJsonString(connected_nodes_list)); - ENVOY_LOG(info, "handleResponderInfo fallback response: {}", response); + ENVOY_LOG(info, "handleResponderInfo production stats-based response: {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index f86cf481b3f60..ff4050d3ed28c 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -100,8 +100,7 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Handle reverse connection info for responder role (uses upstream socket manager) Http::FilterHeadersStatus - handleResponderInfo(ReverseConnection::UpstreamSocketManager* socket_manager, - const std::string& remote_node, const std::string& remote_cluster); + handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster); // Handle reverse connection info for initiator role (uses downstream socket interface) Http::FilterHeadersStatus handleInitiatorInfo(const std::string& remote_node, From f3f1a2faadeeef60b331b1d1974b4c0929320ceb Mon Sep 17 00:00:00 2001 From: "qero.9ram" Date: Sat, 19 Jul 2025 23:16:41 +0900 Subject: [PATCH 009/505] redis_proxy: Add support for ROLE (#39937) Signed-off-by: qero.9ram --- changelogs/current.yaml | 2 +- .../arch_overview/other_protocols/redis.rst | 1 + .../common/redis/supported_commands.cc | 2 +- .../network/common/redis/supported_commands.h | 5 + .../redis_proxy/command_splitter_impl.cc | 93 +++++- .../redis_proxy/command_splitter_impl.h | 20 ++ .../redis_proxy/command_splitter_impl_test.cc | 306 ++++++++++++++++++ 7 files changed, 426 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 087adf526ea56..89d5acbc9bae6 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -221,7 +221,7 @@ new_features: Upgraded Envoy to build with C++20; Envoy developers can use C++20 features now. - area: redis change: | - Added support for ``SCAN`` and ``INFO``. + Added support for ``SCAN``, ``INFO`` and ``ROLE``. - area: http change: | Added :ref:`x-envoy-original-host ` that diff --git a/docs/root/intro/arch_overview/other_protocols/redis.rst b/docs/root/intro/arch_overview/other_protocols/redis.rst index 1192ac0ba6f80..04cdd322f5b8c 100644 --- a/docs/root/intro/arch_overview/other_protocols/redis.rst +++ b/docs/root/intro/arch_overview/other_protocols/redis.rst @@ -257,6 +257,7 @@ For details on each command's usage see the official INCRBY, String INCRBYFLOAT, String INFO, Server + ROLE, Server MGET, String MSET, String PSETEX, String diff --git a/source/extensions/filters/network/common/redis/supported_commands.cc b/source/extensions/filters/network/common/redis/supported_commands.cc index 069f544dd5128..f5c3352b44bfa 100644 --- a/source/extensions/filters/network/common/redis/supported_commands.cc +++ b/source/extensions/filters/network/common/redis/supported_commands.cc @@ -12,7 +12,7 @@ bool SupportedCommands::isSupportedCommand(const std::string& command) { transactionCommands().contains(command) || auth() == command || echo() == command || mget() == command || mset() == command || keys() == command || ping() == command || time() == command || quit() == command || select() == command || scan() == command || - info() == command); + info() == command || role() == command); } } // namespace Redis diff --git a/source/extensions/filters/network/common/redis/supported_commands.h b/source/extensions/filters/network/common/redis/supported_commands.h index 57177b60422cc..e1869627a9f14 100644 --- a/source/extensions/filters/network/common/redis/supported_commands.h +++ b/source/extensions/filters/network/common/redis/supported_commands.h @@ -122,6 +122,11 @@ struct SupportedCommands { */ static const std::string& info() { CONSTRUCT_ON_FIRST_USE(std::string, "info"); } + /** + * @return role command + */ + static const std::string& role() { CONSTRUCT_ON_FIRST_USE(std::string, "role"); } + /** * @return commands which alters the state of redis */ diff --git a/source/extensions/filters/network/redis_proxy/command_splitter_impl.cc b/source/extensions/filters/network/redis_proxy/command_splitter_impl.cc index 07d7bc2a52e82..5d1beb89e28d2 100644 --- a/source/extensions/filters/network/redis_proxy/command_splitter_impl.cc +++ b/source/extensions/filters/network/redis_proxy/command_splitter_impl.cc @@ -785,6 +785,79 @@ void SplitKeysSumResultRequest::onChildResponse(Common::Redis::RespValuePtr&& va } } +SplitRequestPtr RoleRequest::create(Router& router, Common::Redis::RespValuePtr&& incoming_request, + SplitCallbacks& callbacks, CommandStats& command_stats, + TimeSource& time_source, bool delay_command_latency, + const StreamInfo::StreamInfo& stream_info) { + std::string key = ""; + const auto route = router.upstreamPool(key, stream_info); + uint32_t shard_size = + route ? route->upstream(incoming_request->asArray()[0].asString())->shardSize() : 0; + if (shard_size == 0) { + command_stats.error_.inc(); + callbacks.onResponse(Common::Redis::Utility::makeError(Response::get().NoUpstreamHost)); + return nullptr; + } + + std::unique_ptr request_ptr{ + new RoleRequest(callbacks, command_stats, time_source, delay_command_latency)}; + request_ptr->num_pending_responses_ = shard_size; + request_ptr->pending_requests_.reserve(request_ptr->num_pending_responses_); + + request_ptr->pending_response_ = std::make_unique(); + request_ptr->pending_response_->type(Common::Redis::RespType::Array); + + Common::Redis::RespValueSharedPtr base_request = std::move(incoming_request); + for (uint32_t shard_index = 0; shard_index < shard_size; shard_index++) { + request_ptr->pending_requests_.emplace_back(*request_ptr, shard_index); + PendingRequest& pending_request = request_ptr->pending_requests_.back(); + + ENVOY_LOG(debug, "role request shard index {}: {}", shard_index, base_request->toString()); + pending_request.handle_ = + makeFragmentedRequestToShard(route, base_request->asArray()[0].asString(), shard_index, + *base_request, pending_request, callbacks.transaction()); + + if (!pending_request.handle_) { + pending_request.onResponse(Common::Redis::Utility::makeError(Response::get().NoUpstreamHost)); + } + } + + if (request_ptr->num_pending_responses_ > 0) { + return request_ptr; + } + + return nullptr; +} + +void RoleRequest::onChildResponse(Common::Redis::RespValuePtr&& value, uint32_t index) { + pending_requests_[index].handle_ = nullptr; + switch (value->type()) { + case Common::Redis::RespType::Array: { + pending_response_->asArray().push_back(std::move(*value)); + break; + } + case Common::Redis::RespType::BulkString: { + pending_response_->asArray().push_back(std::move(*value)); + break; + } + default: { + error_count_++; + break; + } + } + + ASSERT(num_pending_responses_ > 0); + if (--num_pending_responses_ == 0) { + updateStats(error_count_ == 0); + if (error_count_ == 0) { + callbacks_.onResponse(std::move(pending_response_)); + } else { + callbacks_.onResponse(Common::Redis::Utility::makeError( + fmt::format("finished with {} error(s)", error_count_))); + } + } +} + SplitRequestPtr TransactionRequest::create(Router& router, Common::Redis::RespValuePtr&& incoming_request, SplitCallbacks& callbacks, CommandStats& command_stats, @@ -928,7 +1001,7 @@ InstanceImpl::InstanceImpl(RouterPtr&& router, Stats::Scope& scope, const std::s : router_(std::move(router)), simple_command_handler_(*router_), eval_command_handler_(*router_), mget_handler_(*router_), mset_handler_(*router_), keys_handler_(*router_), scan_handler_(*router_), info_handler_(*router_), - select_handler_(*router_), split_keys_sum_result_handler_(*router_), + select_handler_(*router_), role_handler_(*router_), split_keys_sum_result_handler_(*router_), transaction_handler_(*router_), stats_{ALL_COMMAND_SPLITTER_STATS(POOL_COUNTER_PREFIX(scope, stat_prefix + "splitter."))}, time_source_(time_source), fault_manager_(std::move(fault_manager)), @@ -964,6 +1037,9 @@ InstanceImpl::InstanceImpl(RouterPtr&& router, Stats::Scope& scope, const std::s addHandler(scope, stat_prefix, Common::Redis::SupportedCommands::select(), latency_in_micros, select_handler_); + addHandler(scope, stat_prefix, Common::Redis::SupportedCommands::role(), latency_in_micros, + role_handler_); + for (const std::string& command : Common::Redis::SupportedCommands::transactionCommands()) { addHandler(scope, stat_prefix, command, latency_in_micros, transaction_handler_); } @@ -1098,6 +1174,21 @@ SplitRequestPtr InstanceImpl::makeRequest(Common::Redis::RespValuePtr&& request, } } + if (command_name == Common::Redis::SupportedCommands::role()) { + if (request->asArray().size() > 1) { + callbacks.onResponse(Common::Redis::Utility::makeError(fmt::format( + "ERR wrong number of arguments for '{}' command", request->asArray()[0].asString()))); + return nullptr; + } + + auto handler = handler_lookup_table_.find(command_name.c_str()); + ASSERT(handler != nullptr); + + handler->command_stats_.total_.inc(); + return handler->handler_.get().startRequest( + std::move(request), callbacks, handler->command_stats_, time_source_, false, stream_info); + } + if (command_name == Common::Redis::SupportedCommands::quit()) { callbacks.onQuit(); return nullptr; diff --git a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h index a32ad9ed6a93f..f821cadd95b7c 100644 --- a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h +++ b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h @@ -392,6 +392,25 @@ class SplitKeysSumResultRequest : public FragmentedRequest { int64_t total_{0}; }; +/** + * RoleRequest sends the ROLE command to all Redis servers. The ROLE command is used to + * get the role of the Redis server. + */ +class RoleRequest : public FragmentedRequest { +public: + static SplitRequestPtr create(Router& router, Common::Redis::RespValuePtr&& incoming_request, + SplitCallbacks& callbacks, CommandStats& command_stats, + TimeSource& time_source, bool delay_command_latency, + const StreamInfo::StreamInfo& stream_info); + +private: + RoleRequest(SplitCallbacks& callbacks, CommandStats& command_stats, TimeSource& time_source, + bool delay_command_latency) + : FragmentedRequest(callbacks, command_stats, time_source, delay_command_latency) {} + // RedisProxy::CommandSplitter::FragmentedRequest + void onChildResponse(Common::Redis::RespValuePtr&& value, uint32_t index) override; +}; + /** * MSETRequest takes each key and value pair from the command and sends a SET for each to the * appropriate Redis server. The response is an OK if all commands succeeded or an ERR if any @@ -479,6 +498,7 @@ class InstanceImpl : public Instance, Logger::Loggable { CommandHandlerFactory scan_handler_; CommandHandlerFactory info_handler_; CommandHandlerFactory select_handler_; + CommandHandlerFactory role_handler_; CommandHandlerFactory split_keys_sum_result_handler_; CommandHandlerFactory transaction_handler_; TrieLookupTable handler_lookup_table_; diff --git a/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc b/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc index 907545706bf31..f18a7d7c1b78b 100644 --- a/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc +++ b/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc @@ -1959,6 +1959,312 @@ TEST_P(SelectHandlerTest, SingleShardErrorResponse) { } INSTANTIATE_TEST_SUITE_P(SelectHandlerTest, SelectHandlerTest, testing::Values("select")); + +class RoleHandlerTest : public FragmentedRequestCommandHandlerTest, + public testing::WithParamInterface { +public: + void setup(uint16_t shard_size, const std::list& null_handle_indexes, + bool mirrored = false) { + std::vector request_strings = {"role"}; + makeRequestToShard(shard_size, request_strings, null_handle_indexes, mirrored); + } + + Common::Redis::RespValuePtr masterResponse() { + Common::Redis::RespValuePtr response = std::make_unique(); + response->type(Common::Redis::RespType::Array); + std::vector elements(3); + elements[0].type(Common::Redis::RespType::BulkString); + elements[0].asString() = "master"; + elements[1].type(Common::Redis::RespType::Integer); + elements[1].asInteger() = 0; + elements[2].type(Common::Redis::RespType::Array); + response->asArray().swap(elements); + return response; + } + + Common::Redis::RespValuePtr slaveResponse() { + Common::Redis::RespValuePtr response = std::make_unique(); + response->type(Common::Redis::RespType::Array); + std::vector elements(5); + elements[0].type(Common::Redis::RespType::BulkString); + elements[0].asString() = "slave"; + elements[1].type(Common::Redis::RespType::BulkString); + elements[1].asString() = "127.0.0.1"; + elements[2].type(Common::Redis::RespType::Integer); + elements[2].asInteger() = 6379; + elements[3].type(Common::Redis::RespType::BulkString); + elements[3].asString() = "connected"; + elements[4].type(Common::Redis::RespType::Integer); + elements[4].asInteger() = 0; + response->asArray().swap(elements); + return response; + } + + Common::Redis::RespValuePtr bulkStringResponse() { + Common::Redis::RespValuePtr response = std::make_unique(); + response->type(Common::Redis::RespType::BulkString); + response->asString() = "master"; + return response; + } +}; + +TEST_P(RoleHandlerTest, Normal) { + InSequence s; + + setup(2, {}); + EXPECT_NE(nullptr, handle_); + + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Array); + std::vector elements(2); + // elements[0] corresponds to pool_callbacks_[0] (master) + elements[0].type(Common::Redis::RespType::Array); + std::vector master_elements(3); + master_elements[0].type(Common::Redis::RespType::BulkString); + master_elements[0].asString() = "master"; + master_elements[1].type(Common::Redis::RespType::Integer); + master_elements[1].asInteger() = 0; + master_elements[2].type(Common::Redis::RespType::Array); + elements[0].asArray().swap(master_elements); + // elements[1] corresponds to pool_callbacks_[1] (slave) + elements[1].type(Common::Redis::RespType::Array); + std::vector slave_elements(5); + slave_elements[0].type(Common::Redis::RespType::BulkString); + slave_elements[0].asString() = "slave"; + slave_elements[1].type(Common::Redis::RespType::BulkString); + slave_elements[1].asString() = "127.0.0.1"; + slave_elements[2].type(Common::Redis::RespType::Integer); + slave_elements[2].asInteger() = 6379; + slave_elements[3].type(Common::Redis::RespType::BulkString); + slave_elements[3].asString() = "connected"; + slave_elements[4].type(Common::Redis::RespType::Integer); + slave_elements[4].asInteger() = 0; + elements[1].asArray().swap(slave_elements); + expected_response.asArray().swap(elements); + + pool_callbacks_[0]->onResponse(masterResponse()); + time_system_.setMonotonicTime(std::chrono::milliseconds(10)); + EXPECT_CALL( + store_, + deliverHistogramToSinks( + Property(&Stats::Metric::name, "redis.foo.command." + GetParam() + ".latency"), 10)); + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + pool_callbacks_[1]->onResponse(slaveResponse()); + + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".success").value()); +} + +TEST_P(RoleHandlerTest, Mirrored) { + InSequence s; + + setupMirrorPolicy(); + setup(2, {}, true); + EXPECT_NE(nullptr, handle_); + + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Array); + std::vector elements(2); + elements[0].type(Common::Redis::RespType::Array); + std::vector master_elements(3); + master_elements[0].type(Common::Redis::RespType::BulkString); + master_elements[0].asString() = "master"; + master_elements[1].type(Common::Redis::RespType::Integer); + master_elements[1].asInteger() = 0; + master_elements[2].type(Common::Redis::RespType::Array); + elements[0].asArray().swap(master_elements); + elements[1].type(Common::Redis::RespType::Array); + std::vector master_elements2(3); + master_elements2[0].type(Common::Redis::RespType::BulkString); + master_elements2[0].asString() = "master"; + master_elements2[1].type(Common::Redis::RespType::Integer); + master_elements2[1].asInteger() = 0; + master_elements2[2].type(Common::Redis::RespType::Array); + elements[1].asArray().swap(master_elements2); + expected_response.asArray().swap(elements); + + pool_callbacks_[0]->onResponse(masterResponse()); + mirror_pool_callbacks_[0]->onResponse(masterResponse()); + + time_system_.setMonotonicTime(std::chrono::milliseconds(10)); + EXPECT_CALL( + store_, + deliverHistogramToSinks( + Property(&Stats::Metric::name, "redis.foo.command." + GetParam() + ".latency"), 10)); + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + pool_callbacks_[1]->onResponse(masterResponse()); + mirror_pool_callbacks_[1]->onResponse(masterResponse()); + + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".success").value()); +} + +TEST_P(RoleHandlerTest, BulkStringResponse) { + InSequence s; + + setup(1, {}); + EXPECT_NE(nullptr, handle_); + + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Array); + std::vector elements(1); + elements[0].type(Common::Redis::RespType::BulkString); + elements[0].asString() = "master"; + expected_response.asArray().swap(elements); + + time_system_.setMonotonicTime(std::chrono::milliseconds(5)); + EXPECT_CALL( + store_, + deliverHistogramToSinks( + Property(&Stats::Metric::name, "redis.foo.command." + GetParam() + ".latency"), 5)); + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + pool_callbacks_[0]->onResponse(bulkStringResponse()); + + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".success").value()); +} + +TEST_P(RoleHandlerTest, NoUpstreamHostForAll) { + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Error); + expected_response.asString() = "no upstream host"; + + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + setup(0, {}); + EXPECT_EQ(nullptr, handle_); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".error").value()); +} + +TEST_P(RoleHandlerTest, NoUpstreamHostForOne) { + InSequence s; + + setup(2, {0}); + EXPECT_NE(nullptr, handle_); + + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Error); + expected_response.asString() = "finished with 1 error(s)"; + + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + pool_callbacks_[1]->onResponse(masterResponse()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".error").value()); +} + +TEST_P(RoleHandlerTest, UpstreamFailure) { + InSequence s; + + setup(2, {}); + EXPECT_NE(nullptr, handle_); + + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Error); + expected_response.asString() = "finished with 1 error(s)"; + + pool_callbacks_[1]->onFailure(); + + time_system_.setMonotonicTime(std::chrono::milliseconds(5)); + EXPECT_CALL( + store_, + deliverHistogramToSinks( + Property(&Stats::Metric::name, "redis.foo.command." + GetParam() + ".latency"), 5)); + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + pool_callbacks_[0]->onResponse(masterResponse()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".error").value()); +} + +TEST_P(RoleHandlerTest, InvalidUpstreamResponse) { + InSequence s; + + setup(2, {}); + EXPECT_NE(nullptr, handle_); + + Common::Redis::RespValue expected_response; + expected_response.type(Common::Redis::RespType::Error); + expected_response.asString() = "finished with 1 error(s)"; + + pool_callbacks_[1]->onResponse(masterResponse()); + + Common::Redis::RespValuePtr invalid_response = std::make_unique(); + invalid_response->type(Common::Redis::RespType::Integer); + invalid_response->asInteger() = 123; + + time_system_.setMonotonicTime(std::chrono::milliseconds(10)); + EXPECT_CALL( + store_, + deliverHistogramToSinks( + Property(&Stats::Metric::name, "redis.foo.command." + GetParam() + ".latency"), 10)); + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&expected_response))); + pool_callbacks_[0]->onResponse(std::move(invalid_response)); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".total").value()); + EXPECT_EQ(1UL, store_.counter("redis.foo.command." + GetParam() + ".error").value()); +} + +TEST_P(RoleHandlerTest, Cancel) { + InSequence s; + + setup(2, {}); + EXPECT_NE(nullptr, handle_); + + EXPECT_CALL(pool_requests_[0], cancel()); + EXPECT_CALL(pool_requests_[1], cancel()); + handle_->cancel(); +} + +TEST_F(RoleHandlerTest, RoleWithMultipleArguments) { + InSequence s; + + Common::Redis::RespValuePtr request{new Common::Redis::RespValue()}; + makeBulkStringArray(*request, {"role", "1", "2"}); + + Common::Redis::RespValue response; + response.type(Common::Redis::RespType::Error); + response.asString() = "ERR wrong number of arguments for 'role' command"; + + EXPECT_CALL(callbacks_, connectionAllowed()).WillOnce(Return(true)); + EXPECT_CALL(callbacks_, onResponse_(PointeesEq(&response))); + handle_ = splitter_.makeRequest(std::move(request), callbacks_, dispatcher_, stream_info_); + EXPECT_EQ(nullptr, handle_); +} + +TEST_F(RoleHandlerTest, RoleNoArgs) { + InSequence s; + + // Test the special handling path for ROLE command in makeRequest + Common::Redis::RespValuePtr request{new Common::Redis::RespValue()}; + makeBulkStringArray(*request, {"role"}); + + // Set up the mock calls for the ROLE special handling path + EXPECT_CALL(callbacks_, connectionAllowed()).WillOnce(Return(true)); + EXPECT_CALL(*conn_pool_, shardSize_()).WillOnce(Return(1)); + + ConnPool::PoolCallbacks* pool_callback; + Common::Redis::Client::MockPoolRequest pool_request; + + EXPECT_CALL(*conn_pool_, makeRequestToShard_(0, _, _)) + .WillOnce(DoAll(WithArg<2>(SaveArgAddress(&pool_callback)), Return(&pool_request))); + + handle_ = splitter_.makeRequest(std::move(request), callbacks_, dispatcher_, stream_info_); + EXPECT_NE(nullptr, handle_); + + // Verify that the total counter is incremented in the special handling path + EXPECT_EQ(1UL, store_.counter("redis.foo.command.role.total").value()); + + // Complete the request successfully + Common::Redis::RespValuePtr role_response = std::make_unique(); + role_response->type(Common::Redis::RespType::Array); + std::vector elements(1); + elements[0].type(Common::Redis::RespType::BulkString); + elements[0].asString() = "master"; + role_response->asArray().swap(elements); + + EXPECT_CALL(callbacks_, onResponse_(_)); + pool_callback->onResponse(std::move(role_response)); +} + +INSTANTIATE_TEST_SUITE_P(RoleHandlerTest, RoleHandlerTest, testing::Values("role")); } // namespace CommandSplitter } // namespace RedisProxy } // namespace NetworkFilters From cdf3dd3b6e1f0a1274f097bd7f43350927b93f93 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Sat, 19 Jul 2025 19:42:34 -0400 Subject: [PATCH 010/505] test: Fix error message check to accommodate new protobuf (#40310) Signed-off-by: Yan Avlasov --- test/extensions/upstreams/http/config_test.cc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/test/extensions/upstreams/http/config_test.cc b/test/extensions/upstreams/http/config_test.cc index 4e443f8fcafe7..5571a6526df25 100644 --- a/test/extensions/upstreams/http/config_test.cc +++ b/test/extensions/upstreams/http/config_test.cc @@ -21,6 +21,7 @@ namespace Extensions { namespace Upstreams { namespace Http { +using ::testing::ContainsRegex; using ::testing::InvokeWithoutArgs; using ::testing::NiceMock; using ::testing::StrictMock; @@ -98,11 +99,11 @@ TEST_F(ConfigTest, KvStoreConcurrencyFail) { ->mutable_alternate_protocols_cache_options() ->mutable_key_value_store_config(); server_context_.options_.concurrency_ = 2; - EXPECT_EQ( - ProtocolOptionsConfigImpl::createProtocolOptionsConfig(options_, server_context_) - .status() - .message(), - "options has key value store but Envoy has concurrency = 2 : key_value_store_config {\n}\n"); + EXPECT_THAT(ProtocolOptionsConfigImpl::createProtocolOptionsConfig(options_, server_context_) + .status() + .message(), + ContainsRegex("(?s)options has key value store but Envoy has concurrency = 2 " + ":.*key_value_store_config {\n}\n")); } namespace { From 1f9ef63503119c3a1d9c8ad0364c8a65bedd9a13 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Sun, 20 Jul 2025 16:20:36 -0400 Subject: [PATCH 011/505] test: Fix error message to work with new protobuf (#40311) Risk Level: low Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../http/http_server_properties_cache_manager_test.cc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/test/common/http/http_server_properties_cache_manager_test.cc b/test/common/http/http_server_properties_cache_manager_test.cc index cfad02480867d..d94949eee65f7 100644 --- a/test/common/http/http_server_properties_cache_manager_test.cc +++ b/test/common/http/http_server_properties_cache_manager_test.cc @@ -109,9 +109,11 @@ TEST_F(HttpServerPropertiesCacheManagerTest, GetCacheForConflictingOptions) { initialize(); HttpServerPropertiesCacheSharedPtr cache1 = manager_->getCache(options1_, dispatcher_); options2_.set_name(options1_.name()); - EXPECT_ENVOY_BUG(manager_->getCache(options2_, dispatcher_), - "options specified alternate protocols cache 'name1' with different settings " - "first 'name: \"name1\""); + // Same as EXPECT_ENVOY_BUG + EXPECT_DEBUG_DEATH( + manager_->getCache(options2_, dispatcher_), + ::testing::ContainsRegex("(?s)options specified alternate protocols cache 'name1' with " + "different settings first '.*name: \"name1\"")); } } // namespace From 2705119d162ec317d674f4559a9f7ea7a1534fde Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Sun, 20 Jul 2025 22:12:43 +0000 Subject: [PATCH 012/505] deps: Bump `rules_fuzzing` -> 0.6.0 (#40312) ## Description This PR upgrades `rules_fuzzing` => v0.6.0. Fix https://github.com/envoyproxy/envoy/issues/40308 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 955b14b0be1b3..fec1f5d2cd1db 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -130,11 +130,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_desc = "Bazel rules for fuzz tests", project_url = "https://github.com/bazelbuild/rules_fuzzing", # Patch contains workaround for https://github.com/bazelbuild/rules_python/issues/1221 - version = "0.5.3", - sha256 = "08274422c4383416df5f982943e40d58141f749c09008bb780440eece6b113e4", + version = "0.6.0", + sha256 = "850897989ebc06567ea06c959eb4a6129fa509ed2dbbd0d147d62d2b986714a9", strip_prefix = "rules_fuzzing-{version}", urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/v{version}.tar.gz"], - release_date = "2025-02-18", + release_date = "2025-07-18", use_category = ["test_only"], implied_untracked_deps = [ # This is a repository rule generated to define an OSS-Fuzz fuzzing From d790af29714d58896c7e0043bb7239382d670ee5 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 21 Jul 2025 06:11:36 +0000 Subject: [PATCH 013/505] Move reverse conn utility to extensions Signed-off-by: Basundhara Chakrabarty --- source/common/reverse_connection/BUILD | 23 ------------------- .../extensions/bootstrap/reverse_tunnel/BUILD | 17 ++++++++++++-- .../reverse_connection_utility.cc | 8 +++++-- .../reverse_connection_utility.h | 6 ++++- .../reverse_tunnel_initiator.cc | 6 ++--- .../filters/listener/reverse_connection/BUILD | 2 +- .../reverse_connection/reverse_connection.cc | 4 ++-- 7 files changed, 32 insertions(+), 34 deletions(-) delete mode 100644 source/common/reverse_connection/BUILD rename source/{common/reverse_connection => extensions/bootstrap/reverse_tunnel}/reverse_connection_utility.cc (93%) rename source/{common/reverse_connection => extensions/bootstrap/reverse_tunnel}/reverse_connection_utility.h (97%) diff --git a/source/common/reverse_connection/BUILD b/source/common/reverse_connection/BUILD deleted file mode 100644 index eb0b2331b9d9e..0000000000000 --- a/source/common/reverse_connection/BUILD +++ /dev/null @@ -1,23 +0,0 @@ -load( - "//bazel:envoy_build_system.bzl", - "envoy_cc_library", - "envoy_package", -) - -licenses(["notice"]) # Apache 2 - -envoy_package() - -envoy_cc_library( - name = "reverse_connection_utility_lib", - srcs = ["reverse_connection_utility.cc"], - hdrs = ["reverse_connection_utility.h"], - deps = [ - "//envoy/buffer:buffer_interface", - "//envoy/network:connection_interface", - "//source/common/buffer:buffer_lib", - "//source/common/common:assert_lib", - "//source/common/common:logger_lib", - "@com_google_absl//absl/strings", - ], -) diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index 42b8c04281497..1bc2d890c08eb 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -70,7 +70,7 @@ envoy_cc_extension( "//source/common/network:default_socket_interface_lib", "//source/common/network:filter_lib", "//source/common/protobuf", - "//source/common/reverse_connection:reverse_connection_utility_lib", + ":reverse_connection_utility_lib", "//source/common/upstream:load_balancer_context_base_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", @@ -78,6 +78,19 @@ envoy_cc_extension( alwayslink = 1, ) +envoy_cc_extension( + name = "reverse_connection_utility_lib", + srcs = ["reverse_connection_utility.cc"], + hdrs = ["reverse_connection_utility.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/network:connection_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + ], +) + envoy_cc_extension( name = "reverse_tunnel_acceptor_lib", srcs = ["reverse_tunnel_acceptor.cc"], @@ -99,7 +112,7 @@ envoy_cc_extension( "//source/common/network:address_lib", "//source/common/network:default_socket_interface_lib", "//source/common/protobuf", - "//source/common/reverse_connection:reverse_connection_utility_lib", + ":reverse_connection_utility_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], alwayslink = 1, diff --git a/source/common/reverse_connection/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc similarity index 93% rename from source/common/reverse_connection/reverse_connection_utility.cc rename to source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc index 5994f6632cedc..2b2772895be96 100644 --- a/source/common/reverse_connection/reverse_connection_utility.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc @@ -1,9 +1,11 @@ -#include "source/common/reverse_connection/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/assert.h" namespace Envoy { +namespace Extensions { +namespace Bootstrap { namespace ReverseConnection { bool ReverseConnectionUtility::isPingMessage(absl::string_view data) { @@ -91,4 +93,6 @@ bool PingMessageHandler::processPingMessage(absl::string_view data, } } // namespace ReverseConnection -} // namespace Envoy +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy \ No newline at end of file diff --git a/source/common/reverse_connection/reverse_connection_utility.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h similarity index 97% rename from source/common/reverse_connection/reverse_connection_utility.h rename to source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h index 3f6715138d896..633ab939dabcd 100644 --- a/source/common/reverse_connection/reverse_connection_utility.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h @@ -11,6 +11,8 @@ #include "absl/strings/string_view.h" namespace Envoy { +namespace Extensions { +namespace Bootstrap { namespace ReverseConnection { /** @@ -133,4 +135,6 @@ class PingMessageHandler : public std::enable_shared_from_thisconnection_); buffer.drain(buffer.length()); // Consume the ping message. return Network::FilterStatus::Continue; diff --git a/source/extensions/filters/listener/reverse_connection/BUILD b/source/extensions/filters/listener/reverse_connection/BUILD index b4e24d7cc4f38..4aba81cf47e12 100644 --- a/source/extensions/filters/listener/reverse_connection/BUILD +++ b/source/extensions/filters/listener/reverse_connection/BUILD @@ -30,7 +30,7 @@ envoy_cc_extension( "//envoy/network:filter_interface", "//source/common/api:os_sys_calls_lib", "//source/common/common:logger_lib", - "//source/common/reverse_connection:reverse_connection_utility_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_utility_lib", ], ) diff --git a/source/extensions/filters/listener/reverse_connection/reverse_connection.cc b/source/extensions/filters/listener/reverse_connection/reverse_connection.cc index fbf41be225ab0..44dda591a0dcd 100644 --- a/source/extensions/filters/listener/reverse_connection/reverse_connection.cc +++ b/source/extensions/filters/listener/reverse_connection/reverse_connection.cc @@ -13,7 +13,7 @@ #include "source/common/api/os_sys_calls_impl.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/assert.h" -#include "source/common/reverse_connection/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" // #include "source/common/network/io_socket_handle_impl.h" @@ -23,7 +23,7 @@ namespace ListenerFilters { namespace ReverseConnection { // Use centralized constants from utility -using ::Envoy::ReverseConnection::ReverseConnectionUtility; +using ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility; Filter::Filter(const Config& config) : config_(config) { ENVOY_LOG(debug, "reverse_connection: ping_wait_timeout is {}", From fb3aeaa5643b051bdf2b1f718bdd4590c17f0ce1 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 21 Jul 2025 06:14:13 +0000 Subject: [PATCH 014/505] Move reverse conn utility to extensions, some small bugfixes and nits Signed-off-by: Basundhara Chakrabarty --- .../reverse_tunnel/reverse_tunnel_acceptor.cc | 142 ++++++++++-------- .../reverse_tunnel/reverse_tunnel_acceptor.h | 31 +++- 2 files changed, 107 insertions(+), 66 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc index 9bde7775c5ca0..9283d03f7dec1 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc @@ -14,15 +14,13 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/protobuf/utility.h" -#include "source/common/reverse_connection/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" namespace Envoy { namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// RPING message now handled by ReverseConnectionUtility - // UpstreamReverseConnectionIOHandle implementation UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( Network::ConnectionSocketPtr socket, const std::string& cluster_name) @@ -111,7 +109,7 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, ENVOY_LOG(debug, "ReverseTunnelAcceptor: Using node_id from logicalName: {}", node_id); // Try to get a cached socket for the specific node - auto [socket, expects_proxy_protocol] = socket_manager->getConnectionSocket(node_id); + auto socket = socket_manager->getConnectionSocket(node_id); if (socket) { ENVOY_LOG(info, "Reusing cached reverse connection socket for node: {}", node_id); // Create IOHandle that properly owns the socket using RAII @@ -121,6 +119,8 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, } } + // This is unexpected. This indicates that no sockets are available for the node. + // Fallback to standard socket interface. ENVOY_LOG(debug, "No available reverse connection, falling back to standard socket"); return Network::socketInterface( "envoy.extensions.network.socket_interface.default_socket_interface") @@ -185,7 +185,7 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension::getLocalRegistry()"); if (!tls_slot_) { - ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); return nullptr; } @@ -200,7 +200,7 @@ UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() co std::pair, std::vector> ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { - ENVOY_LOG(debug, "getConnectionStatsSync: using stats-based approach for production reliability"); + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: obtaining reverse connection stats"); // Get all gauges with the reverse_connections prefix. auto connection_stats = getCrossWorkerStatMap(); @@ -212,19 +212,27 @@ ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds for (const auto& [stat_name, count] : connection_stats) { if (count > 0) { // Parse stat name to extract node/cluster information - // Format: "reverse_connections.nodes." or - // "reverse_connections.clusters." - if (stat_name.find("reverse_connections.nodes.") == 0) { - std::string node_id = stat_name.substr(strlen("reverse_connections.nodes.")); - connected_nodes.push_back(node_id); - } else if (stat_name.find("reverse_connections.clusters.") == 0) { - std::string cluster_id = stat_name.substr(strlen("reverse_connections.clusters.")); - accepted_connections.push_back(cluster_id); + // Format: ".reverse_connections.nodes." or + // ".reverse_connections.clusters." + if (stat_name.find("reverse_connections.nodes.") != std::string::npos) { + // Find the position after "reverse_connections.nodes." + size_t pos = stat_name.find("reverse_connections.nodes."); + if (pos != std::string::npos) { + std::string node_id = stat_name.substr(pos + strlen("reverse_connections.nodes.")); + connected_nodes.push_back(node_id); + } + } else if (stat_name.find("reverse_connections.clusters.") != std::string::npos) { + // Find the position after "reverse_connections.clusters." + size_t pos = stat_name.find("reverse_connections.clusters."); + if (pos != std::string::npos) { + std::string cluster_id = stat_name.substr(pos + strlen("reverse_connections.clusters.")); + accepted_connections.push_back(cluster_id); + } } } } - ENVOY_LOG(debug, "getConnectionStatsSync: found {} connected nodes, {} accepted connections", + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: found {} connected nodes, {} accepted connections", connected_nodes.size(), accepted_connections.size()); return {connected_nodes, accepted_connections}; @@ -235,18 +243,25 @@ ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { absl::flat_hash_map stats_map; auto& stats_store = context_.scope(); - // Iterate through all gauges with the reverse_connections prefix. + // Iterate through all gauges and filter for cross-worker stats only. + // Cross-worker stats have the pattern "reverse_connections.nodes." or + // "reverse_connections.clusters." (no dispatcher name in the middle). Stats::IterateFn gauge_callback = [&stats_map](const Stats::RefcountPtr& gauge) -> bool { - if (gauge->name().find("reverse_connections.") == 0 && gauge->used()) { - stats_map[gauge->name()] = gauge->value(); + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + (gauge_name.find("reverse_connections.nodes.") != std::string::npos || + gauge_name.find("reverse_connections.clusters.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); } return true; }; stats_store.iterate(gauge_callback); ENVOY_LOG(debug, - "getCrossWorkerStatMap: collected {} stats for reverse connections across all worker threads", + "ReverseTunnelAcceptorExtension: collected {} stats for reverse connections across all worker threads", stats_map.size()); return stats_map; @@ -266,11 +281,11 @@ void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& no stats_store.gaugeFromString(node_stat_name, Stats::Gauge::ImportMode::Accumulate); if (increment) { node_gauge.inc(); - ENVOY_LOG(trace, "updateConnectionStats: incremented node stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", node_stat_name, node_gauge.value()); } else { node_gauge.dec(); - ENVOY_LOG(trace, "updateConnectionStats: decremented node stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", node_stat_name, node_gauge.value()); } } @@ -282,11 +297,11 @@ void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& no stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); if (increment) { cluster_gauge.inc(); - ENVOY_LOG(trace, "updateConnectionStats: incremented cluster stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", cluster_stat_name, cluster_gauge.value()); } else { cluster_gauge.dec(); - ENVOY_LOG(trace, "updateConnectionStats: decremented cluster stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", cluster_stat_name, cluster_gauge.value()); } } @@ -316,11 +331,11 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s stats_store.gaugeFromString(worker_node_stat_name, Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_node_gauge.inc(); - ENVOY_LOG(trace, "updatePerWorkerConnectionStats: incremented worker node stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker node stat {} to {}", worker_node_stat_name, worker_node_gauge.value()); } else { worker_node_gauge.dec(); - ENVOY_LOG(trace, "updatePerWorkerConnectionStats: decremented worker node stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker node stat {} to {}", worker_node_stat_name, worker_node_gauge.value()); } } @@ -333,11 +348,11 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s stats_store.gaugeFromString(worker_cluster_stat_name, Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_cluster_gauge.inc(); - ENVOY_LOG(trace, "updatePerWorkerConnectionStats: incremented worker cluster stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker cluster stat {} to {}", worker_cluster_stat_name, worker_cluster_gauge.value()); } else { worker_cluster_gauge.dec(); - ENVOY_LOG(trace, "updatePerWorkerConnectionStats: decremented worker cluster stat {} to {}", + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker cluster stat {} to {}", worker_cluster_stat_name, worker_cluster_gauge.value()); } } @@ -360,7 +375,8 @@ ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { Stats::IterateFn gauge_callback = [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); - if (gauge_name.find("reverse_connections.") == 0 && + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && gauge_name.find(dispatcher_name + ".") != std::string::npos && (gauge_name.find(".node.") != std::string::npos || gauge_name.find(".cluster.") != std::string::npos) && @@ -372,7 +388,7 @@ ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { stats_store.iterate(gauge_callback); ENVOY_LOG(debug, - "getPerWorkerStatMap: collected {} stats for dispatcher '{}'", + "ReverseTunnelAcceptorExtension: collected {} stats for dispatcher '{}'", stats_map.size(), dispatcher_name); return stats_map; @@ -396,6 +412,13 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, "UpstreamSocketManager: addConnectionSocket called for node_id='{}' cluster_id='{}'", node_id, cluster_id); + // Both node_id and cluster_id are mandatory for consistent state management and stats tracking + if (node_id.empty() || cluster_id.empty()) { + ENVOY_LOG(error, "UpstreamSocketManager: addConnectionSocket called with empty node_id='{}' or cluster_id='{}'. Both are mandatory.", + node_id, cluster_id); + return; + } + (void)rebalanced; const int fd = socket->ioHandle().fdDoNotUse(); const std::string& connectionKey = socket->connectionInfoProvider().localAddress()->asString(); @@ -403,28 +426,23 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, ENVOY_LOG(debug, "UpstreamSocketManager: Adding connection socket for node: {} and cluster: {}", node_id, cluster_id); - ENVOY_LOG(debug, + // Store node -> cluster mapping + ENVOY_LOG(trace, + "UpstreamSocketManager: adding node: {} cluster: {} to node_to_cluster_map_ and " + "cluster_to_node_map_", + node_id, cluster_id); + if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { + node_to_cluster_map_[node_id] = cluster_id; + cluster_to_node_map_[cluster_id].push_back(node_id); + } + ENVOY_LOG(trace, "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has {} entries", + node_to_cluster_map_.size(), cluster_to_node_map_.size()); + + ENVOY_LOG(trace, "UpstreamSocketManager: added socket to accepted_reverse_connections_ for node: {} " "cluster: {}", node_id, cluster_id); - // Store node -> cluster mapping - if (!cluster_id.empty()) { - ENVOY_LOG(debug, - "UpstreamSocketManager: adding node: {} cluster: {} to node_to_cluster_map_ and " - "cluster_to_node_map_", - node_id, cluster_id); - if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { - node_to_cluster_map_[node_id] = cluster_id; - cluster_to_node_map_[cluster_id].push_back(node_id); - } - ENVOY_LOG(trace, "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has {} entries", - node_to_cluster_map_.size(), cluster_to_node_map_.size()); - } else { - ENVOY_LOG(error, "Found a reverse connection with an empty cluster uuid, and node uuid: {}", - node_id); - } - // If local envoy is responding to reverse connections, add the socket to // accepted_reverse_connections_. Thereafter, initiate ping keepalives on the socket. accepted_reverse_connections_[node_id].push_back(std::move(socket)); @@ -461,14 +479,14 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, node_id, connectionKey, fd); } -std::pair +Network::ConnectionSocketPtr UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { ENVOY_LOG(debug, "UpstreamSocketManager: getConnectionSocket() called with node_id: {}", node_id); if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { ENVOY_LOG(error, "UpstreamSocketManager: cluster -> node mapping changed for node: {}", node_id); - return {nullptr, false}; + return nullptr; } const std::string& cluster_id = node_to_cluster_map_[node_id]; @@ -479,7 +497,7 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { auto node_sockets_it = accepted_reverse_connections_.find(node_id); if (node_sockets_it == accepted_reverse_connections_.end() || node_sockets_it->second.empty()) { ENVOY_LOG(debug, "UpstreamSocketManager: No available sockets for node: {}", node_id); - return {nullptr, false}; + return nullptr; } // Debugging: Print the number of free sockets on this worker thread @@ -503,7 +521,7 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { cleanStaleNodeEntry(node_id); - return {std::move(socket), false}; + return socket; } std::string UpstreamSocketManager::getNodeID(const std::string& key) { @@ -558,7 +576,8 @@ void UpstreamSocketManager::markSocketDead(const int fd) { // Check if this is a used connection by looking for node_id in accepted_reverse_connections_ auto& sockets = accepted_reverse_connections_[node_id]; if (sockets.empty()) { - // This is a used connection (not in the idle pool) + // This is a used connection. Mark the stats and return. The socket will be closed by the + // owning UpstreamReverseConnectionIOHandle. ENVOY_LOG(debug, "UpstreamSocketManager: Marking used socket dead. node: {} cluster: {} FD: {}", node_id, cluster_id, fd); // Update Envoy's stats system for production multi-tenant tracking @@ -654,13 +673,16 @@ void UpstreamSocketManager::cleanStaleNodeEntry(const std::string& node_id) { } node_to_cluster_map_.erase(node_itr); } + + // Remove empty node entry from accepted_reverse_connections_ + accepted_reverse_connections_.erase(node_id); } void UpstreamSocketManager::onPingResponse(Network::IoHandle& io_handle) { const int fd = io_handle.fdDoNotUse(); Buffer::OwnedImpl buffer; - const auto ping_size = ::Envoy::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE.size(); + const auto ping_size = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE.size(); Api::IoCallUint64Result result = io_handle.read(buffer, absl::make_optional(ping_size)); if (!result.ok()) { ENVOY_LOG(debug, "UpstreamSocketManager: Read error on FD: {}: error - {}", fd, @@ -682,7 +704,7 @@ void UpstreamSocketManager::onPingResponse(Network::IoHandle& io_handle) { return; } - if (!::Envoy::ReverseConnection::ReverseConnectionUtility::isPingMessage(buffer.toString())) { + if (!::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage(buffer.toString())) { ENVOY_LOG(debug, "UpstreamSocketManager: FD: {}: response is not RPING", fd); markSocketDead(fd); return; @@ -697,7 +719,7 @@ void UpstreamSocketManager::pingConnections(const std::string& node_id) { ENVOY_LOG(debug, "UpstreamSocketManager: node:{} Number of sockets:{}", node_id, sockets.size()); for (auto itr = sockets.begin(); itr != sockets.end(); itr++) { int fd = itr->get()->ioHandle().fdDoNotUse(); - auto buffer = ::Envoy::ReverseConnection::ReverseConnectionUtility::createPingResponse(); + auto buffer = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::createPingResponse(); auto ping_response_timeout = ping_interval_ / 2; fd_to_timer_map_[fd]->enableTimer(ping_response_timeout); @@ -707,14 +729,12 @@ void UpstreamSocketManager::pingConnections(const std::string& node_id) { "UpstreamSocketManager: node:{} FD:{}: sending ping request. return_value: {}", node_id, fd, result.return_value_); if (result.return_value_ == 0) { - ENVOY_LOG(debug, "UpstreamSocketManager: node:{} FD:{}: sending ping rc {}, error - ", + ENVOY_LOG(trace, "UpstreamSocketManager: node:{} FD:{}: sending ping rc {}, error - ", node_id, fd, result.return_value_, result.err_->getErrorDetails()); if (result.err_->getErrorCode() != Api::IoError::IoErrorCode::Again) { - ENVOY_LOG(debug, "UpstreamSocketManager: node:{} FD:{}: failed to send ping", node_id, + ENVOY_LOG(error, "UpstreamSocketManager: node:{} FD:{}: failed to send ping", node_id, fd); - ::shutdown(fd, SHUT_RDWR); - sockets.erase(itr--); - cleanStaleNodeEntry(node_id); + markSocketDead(fd); break; } } @@ -727,7 +747,7 @@ void UpstreamSocketManager::pingConnections(const std::string& node_id) { } void UpstreamSocketManager::pingConnections() { - ENVOY_LOG(trace, "UpstreamSocketManager: Pinging connections"); + ENVOY_LOG(error, "UpstreamSocketManager: Pinging connections"); for (auto& itr : accepted_reverse_connections_) { pingConnections(itr.first); } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h index 1176a2ce2041e..62f22d63a5719 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h @@ -210,6 +210,8 @@ class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, class ReverseTunnelAcceptorExtension : public Envoy::Network::SocketInterfaceExtension, public Envoy::Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelAcceptorExtensionTest; public: /** * @param sock_interface the socket interface to extend. @@ -300,6 +302,16 @@ class ReverseTunnelAcceptorExtension */ Stats::Scope& getStatsScope() const { return context_.scope(); } + /** + * Test-only method to set the thread local slot for testing purposes. + * This allows tests to inject a custom thread local registry without + * requiring friend class access. + * @param slot the thread local slot to set + */ + void setTestOnlyTLSRegistry(std::unique_ptr> slot) { + tls_slot_ = std::move(slot); + } + private: Server::Configuration::ServerFactoryContext& context_; // Thread-local slot for storing the socket manager per worker thread. @@ -315,6 +327,9 @@ class ReverseTunnelAcceptorExtension */ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, public Logger::Loggable { + // Friend class for testing + friend class TestUpstreamSocketManager; + public: UpstreamSocketManager(Event::Dispatcher& dispatcher, ReverseTunnelAcceptorExtension* extension = nullptr); @@ -337,10 +352,10 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, /** Called by the responder envoy when a request is received, that could be sent through a reverse * connection. This returns an accepted connection socket, if present. - * @param key the remote cluster ID/ node ID. - * @return pair containing the connection socket and whether proxy protocol is expected. + * @param node_id the node ID to get a socket for. + * @return the connection socket, or nullptr if none available. */ - std::pair getConnectionSocket(const std::string& node_id); + Network::ConnectionSocketPtr getConnectionSocket(const std::string& node_id); /** Mark the connection socket dead and remove it from internal maps. * @param fd the FD for the socket to be marked dead. @@ -377,8 +392,14 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, * @return pointer to the upstream extension or nullptr if not available. */ ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } - - // Get node ID from key (cluster ID or node ID) + /** + * Automatically discern whether the key is a node ID or a cluster ID. The key is a + * cluster ID if any worker has a reverse connection for that cluster, in which case + * return a node belonging to that cluster. Otherwise, it is a node ID, in which case + * return the node ID as-is. + * @param key the key to get the node ID for. + * @return the node ID or cluster ID. + */ std::string getNodeID(const std::string& key); private: From 5eebd84a199fe44303b30f769fd9b668ccfa95d6 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 21 Jul 2025 06:15:08 +0000 Subject: [PATCH 015/505] reverse tunnel acceptor test Signed-off-by: Basundhara Chakrabarty --- .../extensions/bootstrap/reverse_tunnel/BUILD | 28 + .../reverse_tunnel_acceptor_extension_test.cc | 1471 +++++++++++++++++ 2 files changed, 1499 insertions(+) create mode 100644 test/extensions/bootstrap/reverse_tunnel/BUILD create mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD new file mode 100644 index 0000000000000..ef3735fb680f5 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -0,0 +1,28 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "reverse_tunnel_acceptor_extension_test", + size = "large", + srcs = ["reverse_tunnel_acceptor_extension_test.cc"], + extension_names = ["envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"], + deps = [ + "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:test_runtime_lib", + ], +) \ No newline at end of file diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc new file mode 100644 index 0000000000000..353291a5ec609 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc @@ -0,0 +1,1471 @@ +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" + +#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/stats/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseTunnelAcceptorExtensionTest : public testing::Test { +protected: + ReverseTunnelAcceptorExtensionTest() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = std::make_unique( + *socket_interface_, context_, config_); + } + + // Helper function to set up thread local slot for tests + void setupThreadLocalSlot() { + // Create a thread local registry + thread_local_registry_ = std::make_shared(dispatcher_, extension_.get()); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot directly in the extension + extension_->tls_slot_ = std::move(tls_slot_); + + // Set the extension reference in the socket interface + extension_->socket_interface_->extension_ = extension_.get(); + } + + // Helper function to set up a second thread local slot for multi-dispatcher testing + void setupAnotherThreadLocalSlot() { + // Create another thread local registry with a different dispatcher name + another_thread_local_registry_ = std::make_shared(another_dispatcher_, extension_.get()); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Real thread local slot and registry + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + // Additional mock dispatcher and registry for multi-thread testing + NiceMock another_dispatcher_{"worker_1"}; + std::shared_ptr another_thread_local_registry_; +}; + +// Basic functionality tests +TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithDefaultStatPrefix) { + // Test with empty config (should use default stat prefix) + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface empty_config; + + auto extension_with_default = std::make_unique( + *socket_interface_, context_, empty_config); + + EXPECT_EQ(extension_with_default->statPrefix(), "upstream_reverse_connection"); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithCustomStatPrefix) { + // Test with custom stat prefix + EXPECT_EQ(extension_->statPrefix(), "test_prefix"); + +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetStatsScope) { + // Test that getStatsScope returns the correct scope + EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, OnWorkerThreadInitialized) { + // This should be a no-op + extension_->onWorkerThreadInitialized(); +} + +// Thread local initialization tests +TEST_F(ReverseTunnelAcceptorExtensionTest, OnServerInitializedSetsExtensionReference) { + // Call onServerInitialized to set the extension reference in the socket interface + extension_->onServerInitialized(); + + // Verify that the socket interface extension reference is set + EXPECT_EQ(socket_interface_->getExtension(), extension_.get()); +} + +// Thread local registry access tests +TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryBeforeInitialization) { + // Before tls_slot_ is set, getLocalRegistry should return nullptr + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryAfterInitialization) { + // Initialize the thread local slot + setupThreadLocalSlot(); + + // Now getLocalRegistry should return the actual registry + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + + // Verify we can access the socket manager from the registry + auto* socket_manager = registry->socketManager(); + EXPECT_NE(socket_manager, nullptr); + + // Verify the socket manager has the correct extension reference + EXPECT_EQ(socket_manager->getUpstreamExtension(), extension_.get()); +} + +// Test stats aggregation for one thread only (test thread) +TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { + + // Set up thread local slot first + setupThreadLocalSlot(); + + // Update per-worker stats for the current (test) thread + extension_->updatePerWorkerConnectionStats("node1", "cluster1", true); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); + + // Get the per-worker stat map + auto stat_map = extension_->getPerWorkerStatMap(); + + // Verify the stats are collected correctly for worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); + + // Verify that only worker_0 stats are included + for (const auto& [stat_name, value] : stat_map) { + EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); + } +} + +// Test cross-thread stat map functions using multiple dispatchers +TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0 + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); // Increment twice + extension_->updateConnectionStats("node2", "cluster2", true); + + // Simulate stats updates from worker_1 + // Temporarily switch the thread local registry to simulate the other dispatcher + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1 + extension_->updateConnectionStats("node1", "cluster1", true); // Increment from worker_1 + extension_->updateConnectionStats("node3", "cluster3", true); // New node from worker_1 + + // Restore the original registry + thread_local_registry_ = original_registry; + + // Get the cross-worker stat map + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Verify that cross-worker stats are collected correctly across multiple dispatchers + // node1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 3); + // node2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 1); + // node3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); + + // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 3); + // cluster2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 1); + // cluster3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); +} + +// Test getConnectionStatsSync using multiple dispatchers +TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0 + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); // Increment twice + extension_->updateConnectionStats("node2", "cluster2", true); + + // Simulate stats updates from worker_1 + // Temporarily switch the thread local registry to simulate the other dispatcher + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1 + extension_->updateConnectionStats("node1", "cluster1", true); // Increment from worker_1 + extension_->updateConnectionStats("node3", "cluster3", true); // New node from worker_1 + + // Restore the original registry + thread_local_registry_ = original_registry; + + // Get connection stats synchronously + auto result = extension_->getConnectionStatsSync(); + auto& [connected_nodes, accepted_connections] = result; + + // Verify the result contains the expected data + EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); + + // Verify that we have the expected node and cluster data + // node1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node1") != connected_nodes.end()); + // node2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node2") != connected_nodes.end()); + // node3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node3") != connected_nodes.end()); + + // cluster1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != accepted_connections.end()); + // cluster2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != accepted_connections.end()); + // cluster3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != accepted_connections.end()); +} + +// Test getConnectionStatsSync with timeouts +TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncTimeout) { + // Test with a very short timeout to verify timeout behavior + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); + + // With no connections and short timeout, should return empty results + auto& [connected_nodes, accepted_connections] = result; + EXPECT_TRUE(connected_nodes.empty()); + EXPECT_TRUE(accepted_connections.empty()); +} + +// ============================================================================ +// TestUpstreamSocketManager Test Class +// ============================================================================ + +class TestUpstreamSocketManager : public testing::Test { +protected: + TestUpstreamSocketManager() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = std::make_unique( + *socket_interface_, context_, config_); + + // Set up mock dispatcher with default expectations + EXPECT_CALL(dispatcher_, createTimer_(_)).WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)).WillRepeatedly(testing::ReturnNew>()); + + // Create the socket manager with real extension + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + void TearDown() override { + socket_manager_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper methods to access private members (friend class works for these methods) + void verifyInitialState() { + EXPECT_EQ(socket_manager_->accepted_reverse_connections_.size(), 0); + EXPECT_EQ(socket_manager_->fd_to_node_map_.size(), 0); + EXPECT_EQ(socket_manager_->node_to_cluster_map_.size(), 0); + EXPECT_EQ(socket_manager_->cluster_to_node_map_.size(), 0); + } + + bool verifyFDToNodeMap(int fd) { + return socket_manager_->fd_to_node_map_.find(fd) != socket_manager_->fd_to_node_map_.end(); + } + + bool verifyFDToEventMap(int fd) { + return socket_manager_->fd_to_event_map_.find(fd) != socket_manager_->fd_to_event_map_.end(); + } + + bool verifyFDToTimerMap(int fd) { + return socket_manager_->fd_to_timer_map_.find(fd) != socket_manager_->fd_to_timer_map_.end(); + } + + size_t verifyAcceptedReverseConnectionsMap(const std::string& node) { + auto it = socket_manager_->accepted_reverse_connections_.find(node); + return (it != socket_manager_->accepted_reverse_connections_.end()) ? it->second.size() : 0; + } + + std::string getNodeToClusterMapping(const std::string& node) { + auto it = socket_manager_->node_to_cluster_map_.find(node); + return (it != socket_manager_->node_to_cluster_map_.end()) ? it->second : ""; + } + + std::vector getClusterToNodeMapping(const std::string& cluster) { + auto it = socket_manager_->cluster_to_node_map_.find(cluster); + return (it != socket_manager_->cluster_to_node_map_.end()) ? it->second : std::vector{}; + } + + size_t getAcceptedReverseConnectionsSize() { + return socket_manager_->accepted_reverse_connections_.size(); + } + + size_t getFDToNodeMapSize() { + return socket_manager_->fd_to_node_map_.size(); + } + + size_t getNodeToClusterMapSize() { + return socket_manager_->node_to_cluster_map_.size(); + } + + size_t getClusterToNodeMapSize() { + return socket_manager_->cluster_to_node_map_.size(); + } + + size_t getFDToEventMapSize() { + return socket_manager_->fd_to_event_map_.size(); + } + + size_t getFDToTimerMapSize() { + return socket_manager_->fd_to_timer_map_.size(); + } + + // Helper to create a mock socket with proper address setup + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + // Parse local address (IP:port format) + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + // Parse remote address (IP:port format) + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + // Create a mock IO handle and set it up + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + // Store the mock_io_handle in the socket + socket->io_handle_ = std::move(mock_io_handle); + + // Set up connection info provider with the desired addresses + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + // Helper to create a mock timer + Event::MockTimer* createMockTimer() { + auto timer = new NiceMock(); + EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(timer)); + return timer; + } + + // Helper to create a mock file event + Event::MockFileEvent* createMockFileEvent() { + auto file_event = new NiceMock(); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)).WillOnce(Return(file_event)); + return file_event; + } + + // Helper to get sockets for a node + std::list& getSocketsForNode(const std::string& node_id) { + return socket_manager_->accepted_reverse_connections_[node_id]; + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_; + + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr socket_manager_; +}; + +TEST_F(TestUpstreamSocketManager, CreateUpstreamSocketManager) { + // Test that constructor doesn't crash and creates a valid instance + EXPECT_NE(socket_manager_, nullptr); + + // Test constructor with nullptr extension + auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); + EXPECT_NE(socket_manager_no_extension, nullptr); +} + +TEST_F(TestUpstreamSocketManager, GetUpstreamExtension) { + // Test that getUpstreamExtension returns the correct extension + EXPECT_EQ(socket_manager_->getUpstreamExtension(), extension_.get()); + + // Test with nullptr extension + auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); + EXPECT_EQ(socket_manager_no_extension->getUpstreamExtension(), nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyClusterId) { + // Test adding a socket with empty cluster_id (should log error and return early without adding socket) + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = ""; + const std::chrono::seconds ping_interval(30); + + // Verify initial state + verifyInitialState(); + + // Add the socket - should return early and not add anything + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Verify nothing was added - all maps should remain empty + verifyInitialState(); // Should still be in initial state + + // Verify no file events or timers were created + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); + + // Verify no socket can be retrieved + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket, nullptr); // Should return nullptr because nothing was added +} + +TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyNodeId) { + // Test adding a socket with empty node_id (should log error and return early without adding socket) + auto socket = createMockSocket(456); + const std::string node_id = ""; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Verify initial state + verifyInitialState(); + + // Add the socket - should return early and not add anything + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Verify nothing was added - all maps should remain empty + verifyInitialState(); // Should still be in initial state + + // Verify no file events or timers were created + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); + + // Verify no socket can be retrieved + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket, nullptr); // Should return nullptr because nothing was added +} + +TEST_F(TestUpstreamSocketManager, AddAndGetMultipleSocketsSameNode) { + // Test adding multiple sockets for the same node + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + auto socket3 = createMockSocket(789); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Verify initial state + verifyInitialState(); + + // Add first socket + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + + // Verify maps after first socket + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_TRUE(verifyFDToNodeMap(123)); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + EXPECT_EQ(cluster_nodes[0], node_id); + + // Add second socket for same node + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + + // Verify maps after second socket (should have 2 sockets for same node, but cluster maps unchanged) + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_TRUE(verifyFDToNodeMap(456)); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Should still be same cluster + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); // Still 1 node per cluster + + // Add third socket for same node + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, false); + + // Verify maps after third socket + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + // Verify file events and timers were created for all sockets + EXPECT_EQ(getFDToEventMapSize(), 3); + EXPECT_EQ(getFDToTimerMapSize(), 3); + + // Get sockets in FIFO order + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket1, nullptr); + + // Verify socket count decreased + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket2, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + + auto retrieved_socket3 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket3, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + + // No more sockets should be available + auto retrieved_socket4 = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket4, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddAndGetSocketsMultipleNodes) { + // Test adding sockets for different nodes + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node1 = "node1"; + const std::string node2 = "node2"; + const std::string cluster1 = "cluster1"; + const std::string cluster2 = "cluster2"; + const std::chrono::seconds ping_interval(30); + + // Verify initial state + verifyInitialState(); + + // Add socket for first node + socket_manager_->addConnectionSocket(node1, cluster1, std::move(socket1), ping_interval, false); + + // Verify maps after first node + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); + EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); + auto cluster1_nodes = getClusterToNodeMapping(cluster1); + EXPECT_EQ(cluster1_nodes.size(), 1); + EXPECT_EQ(cluster1_nodes[0], node1); + + // Add socket for second node + socket_manager_->addConnectionSocket(node2, cluster2, std::move(socket2), ping_interval, false); + + // Verify maps after second node + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 1); + EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster2); + cluster1_nodes = getClusterToNodeMapping(cluster1); + EXPECT_EQ(cluster1_nodes.size(), 1); + EXPECT_EQ(cluster1_nodes[0], node1); + auto cluster2_nodes = getClusterToNodeMapping(cluster2); + EXPECT_EQ(cluster2_nodes.size(), 1); + EXPECT_EQ(cluster2_nodes[0], node2); + + // Verify file events and timers were created for both sockets + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + + // Verify both nodes have their sockets + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); + EXPECT_NE(retrieved_socket1, nullptr); + + // Verify first node's socket count decreased + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 0); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); + EXPECT_NE(retrieved_socket2, nullptr); + + // Verify second node's socket count decreased + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 0); +} + +TEST_F(TestUpstreamSocketManager, TestGetNodeID) { + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Call getNodeID with a cluster ID that has active connections + // First add a socket to create the cluster mapping and update stats + auto socket1 = createMockSocket(123); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + + // Verify the socket was added and mappings are correct + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + EXPECT_EQ(cluster_nodes[0], node_id); + + // Now call getNodeID with the cluster_id - should return the node_id that was added for this cluster + std::string result_for_cluster = socket_manager_->getNodeID(cluster_id); + EXPECT_EQ(result_for_cluster, node_id); + + // Call getNodeID with a node ID - should return the same node ID + std::string result_for_node = socket_manager_->getNodeID(node_id); + EXPECT_EQ(result_for_node, node_id); + + // Call getNodeID with a non-existent cluster ID - should return the key as-is + // assuming it to be the node ID. A subsequent call to getConnectionSocket with + // this node ID should return nullptr. + const std::string non_existent_cluster = "non-existent-cluster"; + std::string result_for_non_existent = socket_manager_->getNodeID(non_existent_cluster); + EXPECT_EQ(result_for_non_existent, non_existent_cluster); +} + +TEST_F(TestUpstreamSocketManager, GetConnectionSocketEmpty) { + // Test getting a socket when none exists + auto socket = socket_manager_->getConnectionSocket("non-existent-node"); + EXPECT_EQ(socket, nullptr); +} + + +TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryWithActiveSockets) { + // Test cleanStaleNodeEntry when node still has active sockets (should be no-op) + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add sockets and verify initial state + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); + + // Call cleanStaleNodeEntry while sockets exist - should be no-op + socket_manager_->cleanStaleNodeEntry(node_id); + + // Verify no cleanup happened (all mappings should remain unchanged) + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); +} + +TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryClusterCleanup) { + // Test that cluster entry is removed when last node is cleaned up + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node1 = "node1"; + const std::string node2 = "node2"; + const std::string cluster_id = "shared-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add two nodes to the same cluster + socket_manager_->addConnectionSocket(node1, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node2, cluster_id, std::move(socket2), ping_interval, false); + + // Verify both nodes are in the cluster + EXPECT_EQ(getNodeToClusterMapping(node1), cluster_id); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 2); + EXPECT_EQ(getClusterToNodeMapSize(), 1); // One cluster + + // Get socket from first node (should trigger cleanup for node1) + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); + EXPECT_NE(retrieved_socket1, nullptr); + + // Verify node1 is cleaned up but cluster still exists for node2 + EXPECT_EQ(getNodeToClusterMapping(node1), ""); // node1 removed + EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); // node2 still there + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); // Only node2 remains + EXPECT_EQ(cluster_nodes[0], node2); + EXPECT_EQ(getClusterToNodeMapSize(), 1); // Cluster still exists + + // Get socket from second node (should trigger cleanup for node2 and remove cluster) + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); + EXPECT_NE(retrieved_socket2, nullptr); + + // Verify both nodes and cluster are cleaned up + EXPECT_EQ(getNodeToClusterMapping(node1), ""); + EXPECT_EQ(getNodeToClusterMapping(node2), ""); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); // No nodes in cluster + EXPECT_EQ(getClusterToNodeMapSize(), 0); // Cluster completely removed +} + +TEST_F(TestUpstreamSocketManager, FileEventAndTimerCleanup) { + // Test that file events and timers are properly cleaned up when getting sockets + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add sockets + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + + // Verify file events and timers are created + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + + // Get first socket - should clean up its file event and timer + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket1, nullptr); + + // Verify that the entry for the fd is removed from the maps + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + + // Get second socket - should clean up remaining file event and timer + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket2, nullptr); + + // Verify all file events and timers are cleaned up + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); +} + +// ============================================================================ +// MarkSocketDead Tests +// ============================================================================ + +TEST_F(TestUpstreamSocketManager, MarkSocketNotPresentDead) { + // Test MarkSocketDead with an fd which isn't in the fd_to_node_map_ + // Should log debug and return early + socket_manager_->markSocketDead(999); + + // Test with negative fd + socket_manager_->markSocketDead(-1); + + // Test with zero fd + socket_manager_->markSocketDead(0); +} + +TEST_F(TestUpstreamSocketManager, MarkIdleSocketDead) { + // Test MarkSocketDead with an idle socket (in the pool) + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add sockets to the pool + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + + // Verify initial state + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_TRUE(verifyFDToNodeMap(123)); + + // Mark first idle socket as dead + socket_manager_->markSocketDead(123); + + // Verify markSocketDead touched the right maps: + // 1. Socket removed from pool + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + // 2. FD mapping removed + EXPECT_FALSE(verifyFDToNodeMap(123)); + // 3. File event and timer cleaned up for this specific FD + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + + // Verify remaining socket is still accessible + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, MarkUsedSocketDead) { + // Test MarkSocketDead with a used socket + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket to pool + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Verify socket is in pool + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_TRUE(verifyFDToNodeMap(123)); + + // Get the socket (removes it from pool, simulating "used" state) + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); + + // Verify socket is no longer in pool but FD mapping might still exist until cleanup + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + + // Mark the used socket as dead - should only update stats and return + socket_manager_->markSocketDead(123); + + // Verify FD mapping is removed + EXPECT_FALSE(verifyFDToNodeMap(123)); + + // Verify all mappings are cleaned up since no sockets remain + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadTriggerCleanup) { + // Test that marking the last socket dead triggers cleanStaleNodeEntry + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Verify mappings exist + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + + // Mark the socket as dead + socket_manager_->markSocketDead(123); + + // Verify complete cleanup occurred + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { + // Test marking sockets dead when multiple exist for the same node + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + auto socket3 = createMockSocket(789); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add multiple sockets + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, false); + + // Verify all sockets are added + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); + EXPECT_EQ(getFDToEventMapSize(), 3); + EXPECT_EQ(getFDToTimerMapSize(), 3); + + // Mark first socket as dead + socket_manager_->markSocketDead(123); + + // Verify specific socket removed, others remain + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + // FD mapping removed + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + // other socket still mapped + EXPECT_TRUE(verifyFDToNodeMap(456)); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + // Node mappings should still exist + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + // Mark second socket as dead + socket_manager_->markSocketDead(456); + + // Verify specific socket removed + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + // FD mapping removed + EXPECT_FALSE(verifyFDToNodeMap(456)); + EXPECT_FALSE(verifyFDToEventMap(456)); + EXPECT_FALSE(verifyFDToTimerMap(456)); + // other socket still mapped + EXPECT_TRUE(verifyFDToNodeMap(789)); + + // Mark last socket as dead - should trigger cleanup + socket_manager_->markSocketDead(789); + + // Verify complete cleanup + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { + // Test pingConnections when writing RPING succeeds + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add sockets first (this will trigger pingConnections via tryEnablePingTimer) + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + + // Verify sockets are added + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + // Now get the IoHandles from the socket manager and set up mock expectations + auto& sockets = getSocketsForNode(node_id); + auto* mock_io_handle1 = dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = dynamic_cast*>(&sockets.back()->ioHandle()); + + EXPECT_CALL(*mock_io_handle1, write(_)) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)}; + })); + EXPECT_CALL(*mock_io_handle2, write(_)) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)}; + })); + + // Manually call pingConnections to test the functionality + socket_manager_->pingConnections(node_id); + + // Verify sockets are still there (no cleanup occurred) + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); +} + +TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { + // Test pingConnections when writing RPING fails - should trigger cleanup + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add sockets first (this will trigger pingConnections via tryEnablePingTimer) + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); + + // Verify sockets are added + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + // Now get the IoHandles from the socket manager and set up mock expectations + auto& sockets = getSocketsForNode(node_id); + auto* mock_io_handle1 = dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = dynamic_cast*>(&sockets.back()->ioHandle()); + + // Send failed ping on mock_io_handle1 and successful one on mock_io_handle2 + EXPECT_CALL(*mock_io_handle1, write(_)) + .Times(1) // Called once + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate write attempt + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; + })); + EXPECT_CALL(*mock_io_handle2, write(_)) + .Times(1) // Called once + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)}; // Second socket succeeds + })); + + // Manually call pingConnections to test the functionality + socket_manager_->pingConnections(node_id); + + // Verify first socket was cleaned up but second socket remains (node not cleaned up) + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); // Second socket still there + EXPECT_FALSE(verifyFDToNodeMap(123)); // First socket removed + EXPECT_TRUE(verifyFDToNodeMap(456)); // Second socket still there + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Node mapping still exists + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 1); // One node still exists + + // Now send failed ping on mock_io_handle2 to trigger ping failure and node cleanup + EXPECT_CALL(*mock_io_handle2, write(_)) + .Times(1) // Called once during second ping + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate write attempt + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; + })); + + // Manually call pingConnections again. This should ping once socket2, fail and trigger node cleanup + socket_manager_->pingConnections(node_id); + + // Verify complete cleanup occurred (both sockets removed due to node cleanup) + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToNodeMap(456)); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseValidResponse) { + // Test onPingResponse with valid ping response + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Create mock IoHandle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful read with valid ping response + const std::string ping_response = "RPING"; + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(ping_response); + return Api::IoCallUint64Result{ping_response.size(), Api::IoError::none()}; + }); + + // Call onPingResponse - should succeed and not mark socket dead + socket_manager_->onPingResponse(*mock_io_handle); + + // Socket should still be alive + EXPECT_TRUE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { + // Test onPingResponse with read error + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Create mock IoHandle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock read error + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce(Return(Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)})); + + // Call onPingResponse - should mark socket dead due to read error + socket_manager_->onPingResponse(*mock_io_handle); + + // Socket should be marked dead and removed + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseConnectionClosed) { + // Test onPingResponse when connection is closed (0 bytes read) + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Create mock IoHandle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock connection closed (0 bytes read) + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce(Return(Api::IoCallUint64Result{0, Api::IoError::none()})); + + // Call onPingResponse - should mark socket dead due to connection closed + socket_manager_->onPingResponse(*mock_io_handle); + + // Socket should be marked dead and removed + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseInvalidData) { + // Test onPingResponse with invalid ping response data + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Create mock IoHandle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful read but with invalid ping response + const std::string invalid_response = "INVALID_DATA"; + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(invalid_response); + return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; + }); + + // Call onPingResponse - should mark socket dead due to invalid response + socket_manager_->onPingResponse(*mock_io_handle); + + // Socket should be marked dead and removed + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +class TestReverseTunnelAcceptor : public testing::Test { +protected: + TestReverseTunnelAcceptor() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = std::make_unique( + *socket_interface_, context_, config_); + + // Set up mock dispatcher with default expectations + EXPECT_CALL(dispatcher_, createTimer_(_)).WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)).WillRepeatedly(testing::ReturnNew>()); + + // Create the socket manager with real extension + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + + socket_manager_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper to set up thread local slot for tests + void setupThreadLocalSlot() { + // First, call onServerInitialized to set up the extension reference properly + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension + thread_local_registry_ = std::make_shared(dispatcher_, extension_.get()); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + // Helper to create a mock socket with proper address setup + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + // Parse local address (IP:port format) + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + // Parse remote address (IP:port format) + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + // Create a mock IO handle and set it up + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + // Store the mock_io_handle in the socket + socket->io_handle_ = std::move(mock_io_handle); + + // Set up connection info provider with the desired addresses + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + // Helper to create an address with a specific logical name for testing. This allows us to test + // reverse connection address socket creation. + Network::Address::InstanceConstSharedPtr createAddressWithLogicalName(const std::string& logical_name) { + // Create a simple address that returns the specified logical name + class TestAddress : public Network::Address::Instance { + public: + TestAddress(const std::string& logical_name) : logical_name_(logical_name) { + address_string_ = "127.0.0.1:8080"; // Dummy address string + } + + bool operator==(const Instance& rhs) const override { return logical_name_ == rhs.logicalName(); } + Network::Address::Type type() const override { return Network::Address::Type::Ip; } + const std::string& asString() const override { return address_string_; } + absl::string_view asStringView() const override { return address_string_; } + const std::string& logicalName() const override { return logical_name_; } + const Network::Address::Ip* ip() const override { return nullptr; } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { return nullptr; } + const sockaddr* sockAddr() const override { return nullptr; } + socklen_t sockAddrLen() const override { return 0; } + absl::string_view addressType() const override { return "test"; } + absl::optional networkNamespace() const override { return absl::nullopt; } + const Network::SocketInterface& socketInterface() const override { + return Network::SocketInterfaceSingleton::get(); + } + + private: + std::string logical_name_; + std::string address_string_; + }; + + return std::make_shared(logical_name); + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_; + + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr socket_manager_; + + // Real thread local slot and registry + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; +}; + +TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryNoExtension) { + // Test getLocalRegistry when extension is not set + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryWithExtension) { + // Test getLocalRegistry when extension is set + setupThreadLocalSlot(); + + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); +} + +TEST_F(TestReverseTunnelAcceptor, CreateBootstrapExtension) { + // Test createBootstrapExtension function + auto extension = socket_interface_->createBootstrapExtension(config_, context_); + EXPECT_NE(extension, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, CreateEmptyConfigProto) { + // Test createEmptyConfigProto function + auto config = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(config, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithoutAddress) { + // Test socket() without address - should return nullptr + Network::SocketCreationOptions options; + auto result = socket_interface_->socket(Network::Socket::Type::Stream, + Network::Address::Type::Ip, + Network::Address::IpVersion::v4, + false, + options); + EXPECT_EQ(result, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { + // Test socket() with address but no thread local slot initialized - should fall back to default + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + Network::SocketCreationOptions options; + auto result = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(result, nullptr); // Should return default socket interface +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoSockets) { + // Test socket() with address and thread local slot but no cached sockets + setupThreadLocalSlot(); + + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + Network::SocketCreationOptions options; + auto result = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(result, nullptr); // Should fall back to default socket interface +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalWithSockets) { + // Test socket() with address and thread local slot with cached sockets + setupThreadLocalSlot(); + + // Get the socket manager from the thread local registry + auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); + EXPECT_NE(tls_socket_manager, nullptr); + + // Add a socket to the thread local socket manager (not the test's socket_manager_) + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); + + // Create address with the same logical name as the node_id + auto address = createAddressWithLogicalName(node_id); + + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); // Should return cached socket + + // Verify that we got an UpstreamReverseConnectionIOHandle + auto* upstream_io_handle = dynamic_cast(io_handle.get()); + EXPECT_NE(upstream_io_handle, nullptr); + + // Try to get another socket for the same node. This will return a default IoHandle, not an UpstreamReverseConnectionIOHandle + auto another_io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(another_io_handle, nullptr); + // This should be a default IoHandle, not an UpstreamReverseConnectionIOHandle + EXPECT_EQ(dynamic_cast(another_io_handle.get()), nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, IpFamilySupported) { + // Reverse connection sockets support standard IP families. (IPv4 and IPv6) + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); +} + +class TestUpstreamReverseConnectionIOHandle : public testing::Test { +protected: + TestUpstreamReverseConnectionIOHandle() { + // Create a mock socket for testing + mock_socket_ = std::make_unique>(); + + // Create a mock IO handle + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Store the mock IO handle in the socket + mock_socket_->io_handle_ = std::move(mock_io_handle); + + // Create the IO handle under test + io_handle_ = std::make_unique( + std::move(mock_socket_), "test-cluster"); + } + + void TearDown() override { + io_handle_.reset(); + } + + std::unique_ptr> mock_socket_; + std::unique_ptr io_handle_; +}; + +TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { + // Test that connect() returns success immediately for reverse connections + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + // For UpstreamReverseConnectionIOHandle, connect() is a no-op. + auto result = io_handle_->connect(address); + + // Should return success (0) with no error + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { + // Test that close() properly cleans up the owned socket + auto result = io_handle_->close(); + + // Should successfully close the socket and return + EXPECT_EQ(result.err_, nullptr); +} + +TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { + // Test that getSocket() returns a const reference to the owned socket + const auto& socket = io_handle_->getSocket(); + + // Should return a valid reference + EXPECT_NE(&socket, nullptr); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy \ No newline at end of file From c26287d1b9b62fcddc0f45d58998c1c648c6d258 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 21 Jul 2025 06:22:39 +0000 Subject: [PATCH 016/505] reverse conn cluster test Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection/reverse_connection.h | 1 + .../reverse_connection_cluster_test.cc | 600 ++++++++++-------- 2 files changed, 326 insertions(+), 275 deletions(-) diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index a56d3694a3d2d..c12ed55a200ae 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -125,6 +125,7 @@ class UpstreamReverseConnectionAddress * Also, the RevConCluster cleans these hosts if no connection pool is using them. */ class RevConCluster : public Upstream::ClusterImplBase { +friend class ReverseConnectionClusterTest; public: RevConCluster(const envoy::config::cluster::v3::Cluster& config, Upstream::ClusterFactoryContext& context, absl::Status& creation_status, diff --git a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc index fe37cd07166a4..c5d2882c038d7 100644 --- a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc +++ b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc @@ -44,91 +44,6 @@ namespace Envoy { namespace Extensions { namespace ReverseConnection { -// Test socket manager that provides predictable getNodeID behavior -class TestUpstreamSocketManager : public BootstrapReverseConnection::UpstreamSocketManager { -public: - TestUpstreamSocketManager(Event::Dispatcher& dispatcher, Stats::Scope& scope) - : BootstrapReverseConnection::UpstreamSocketManager(dispatcher, scope, nullptr) { - std::cout << "TestUpstreamSocketManager: Constructor called" << std::endl; - } - - // This hides the base class's getNodeID method - std::string getNodeID(const std::string& key) { - std::cout << "TestUpstreamSocketManager::getNodeID() called with key: " << key << std::endl; - std::string result = "test-node-" + key; - std::cout << "TestUpstreamSocketManager::getNodeID() returning: " << result << std::endl; - return result; - } -}; - -// Test thread local registry that provides our test socket manager -class TestUpstreamSocketThreadLocal : public BootstrapReverseConnection::UpstreamSocketThreadLocal { -public: - TestUpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, Stats::Scope& scope) - : BootstrapReverseConnection::UpstreamSocketThreadLocal(dispatcher, scope, nullptr), - test_socket_manager_(dispatcher, scope) { - std::cout << "TestUpstreamSocketThreadLocal: Constructor called" << std::endl; - } - - // Override both const and non-const versions of socketManager - BootstrapReverseConnection::UpstreamSocketManager* socketManager() { - std::cout << "TestUpstreamSocketThreadLocal::socketManager() (non-const) called" << std::endl; - std::cout << "TestUpstreamSocketThreadLocal::socketManager() returning: " << &test_socket_manager_ << std::endl; - return &test_socket_manager_; - } - - const BootstrapReverseConnection::UpstreamSocketManager* socketManager() const { - std::cout << "TestUpstreamSocketThreadLocal::socketManager() (const) called" << std::endl; - std::cout << "TestUpstreamSocketThreadLocal::socketManager() returning: " << &test_socket_manager_ << std::endl; - return &test_socket_manager_; - } - -private: - TestUpstreamSocketManager test_socket_manager_; -}; - -// Forward declaration -class TestReverseTunnelAcceptor; - -// Simple test extension that just returns our registry -class SimpleTestExtension { -public: - SimpleTestExtension(TestUpstreamSocketThreadLocal& registry) : test_registry_(registry) {} - - BootstrapReverseConnection::UpstreamSocketThreadLocal* getLocalRegistry() const { - std::cout << "SimpleTestExtension::getLocalRegistry() called" << std::endl; - return &test_registry_; - } - -private: - TestUpstreamSocketThreadLocal& test_registry_; -}; - -// Test reverse tunnel acceptor that returns our test registry -class TestReverseTunnelAcceptor : public BootstrapReverseConnection::ReverseTunnelAcceptor { -public: - TestReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) - : BootstrapReverseConnection::ReverseTunnelAcceptor(context), - test_registry_(context.mainThreadDispatcher(), context.scope()), - simple_extension_(test_registry_) { - std::cout << "TestReverseTunnelAcceptor: Constructor called" << std::endl; - - // This is a hack: we'll reinterpret_cast our simple extension to fool the type system - // This is unsafe but should work for testing since we only call getLocalRegistry() - extension_ = reinterpret_cast(&simple_extension_); - std::cout << "TestReverseTunnelAcceptor: extension_ set to: " << extension_ << std::endl; - } - - // Override the name to ensure it matches what the test expects - std::string name() const override { - return "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"; - } - -private: - mutable TestUpstreamSocketThreadLocal test_registry_; - SimpleTestExtension simple_extension_; -}; - class TestLoadBalancerContext : public Upstream::LoadBalancerContextBase { public: TestLoadBalancerContext(const Network::Connection* connection) @@ -160,62 +75,28 @@ class TestLoadBalancerContext : public Upstream::LoadBalancerContextBase { class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, public testing::Test { public: ReverseConnectionClusterTest() { - // // Create our test acceptor FIRST - // test_acceptor_ = std::make_unique(server_context_); + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - // // Inject our test acceptor as a BootstrapExtensionFactory (which is what socketInterface() looks for) - // factory_injection_ = std::make_unique>(*test_acceptor_); + // Set up the mock context + EXPECT_CALL(server_context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(server_context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - // // Print all registered factories for debugging AFTER injection - // printRegisteredFactories(); - } - - ~ReverseConnectionClusterTest() override = default; - - void printRegisteredFactories() { - std::cout << "=== Registered Bootstrap Extension Factories ===" << std::endl; - for (const auto& ext : Envoy::Registry::FactoryCategoryRegistry::registeredFactories()) { - if (ext.first == "envoy.bootstrap") { - std::cout << "Category: " << ext.first << std::endl; - for (const auto& name : ext.second->registeredNames()) { - std::cout << " - " << name << std::endl; - } - } - } + // Create the config + config_.set_stat_prefix("test_prefix"); - std::cout << "=== Registered Socket Interface Factories ===" << std::endl; - auto& socket_factories = Registry::FactoryRegistry::factories(); - for (const auto& [name, factory] : socket_factories) { - std::cout << " - " << name << " (ptr: " << factory << ")" << std::endl; - } + // Create the socket interface + socket_interface_ = std::make_unique(server_context_); - std::cout << "=== Testing socketInterface lookup ===" << std::endl; + // Create the extension + extension_ = std::make_unique( + *socket_interface_, server_context_, config_); - // Check what's in the BootstrapExtensionFactory registry - std::cout << "Checking BootstrapExtensionFactory registry:" << std::endl; - auto* factory = Registry::FactoryRegistry::getFactory( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); - std::cout << "Factory from registry: " << factory << std::endl; - std::cout << "Our test acceptor: " << test_acceptor_.get() << std::endl; - - auto* found = Network::socketInterface("envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); - std::cout << "Found socket interface: " << (found ? "YES" : "NO") << std::endl; - if (found) { - std::cout << "Socket interface ptr: " << found << std::endl; - std::cout << "Our test acceptor ptr: " << test_acceptor_.get() << std::endl; - - // Test the dynamic_cast - auto* cast_result = dynamic_cast(found); - std::cout << "Dynamic cast result: " << cast_result << std::endl; - if (cast_result) { - std::cout << "Cast succeeded, calling getLocalRegistry()" << std::endl; - auto* registry = cast_result->getLocalRegistry(); - std::cout << "getLocalRegistry() returned: " << registry << std::endl; - } else { - std::cout << "Cast failed!" << std::endl; - } - } + // Set up thread local slot + setupThreadLocalSlot(); } + + ~ReverseConnectionClusterTest() override = default; void setupFromYaml(const std::string& yaml, bool expect_success = true) { if (expect_success) { @@ -262,11 +143,83 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi // EXPECT_CALL(server_context_.dispatcher_, post(_)); EXPECT_CALL(*cleanup_timer_, disableTimer()); } + + // Clean up thread local resources + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper function to set up thread local slot for tests + void setupThreadLocalSlot() { + // First, call onServerInitialized to set up the extension reference properly + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension + thread_local_registry_ = std::make_shared( + server_context_.dispatcher_, extension_.get()); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&server_context_.dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Get the registered socket interface from the global registry and set up its extension + auto* registered_socket_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (registered_socket_interface) { + auto* registered_acceptor = dynamic_cast( + const_cast(registered_socket_interface)); + if (registered_acceptor) { + // Set up the extension for the registered socket interface + registered_acceptor->extension_ = extension_.get(); + } + } + } + + // Helper to add a socket to the manager for testing + void addTestSocket(const std::string& node_id, const std::string& cluster_id) { + if (!thread_local_registry_ || !thread_local_registry_->socketManager()) { + return; + } + + // Set up mock expectations for timer and file event creation + auto mock_timer = new NiceMock(); + auto mock_file_event = new NiceMock(); + EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)) + .WillOnce(Return(mock_timer)); + EXPECT_CALL(server_context_.dispatcher_, createFileEvent_(_, _, _, _)) + .WillOnce(Return(mock_file_event)); + + // Create a mock socket + auto socket = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + socket->io_handle_ = std::move(mock_io_handle); + + // Get the socket manager from the thread local registry + auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); + EXPECT_NE(tls_socket_manager, nullptr); + + // Add the socket to the manager + tls_socket_manager->addConnectionSocket( + node_id, cluster_id, std::move(socket), std::chrono::seconds(30), false); + } + + // Helper method to call cleanup since this class is a friend of RevConCluster + void callCleanup() { + cluster_->cleanup(); } NiceMock server_context_; NiceMock validation_visitor_; - Stats::TestUtil::TestStore& stats_store_ = server_context_.store_; std::shared_ptr cluster_; ReadyWatcher membership_updated_; @@ -275,13 +228,27 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi Common::CallbackHandlePtr priority_update_cb_; bool init_complete_{false}; - // Test factory injection - std::unique_ptr test_acceptor_; - std::unique_ptr> factory_injection_; + // Real thread local slot and registry for reverse connection testing + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + // Real socket interface and extension + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Mock thread local instance + NiceMock thread_local_; + + // Mock dispatcher + NiceMock dispatcher_{"worker_0"}; + + // Stats and config + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; }; -namespace { - TEST(ReverseConnectionClusterConfigTest, GoodConfig) { const std::string yaml = R"EOF( name: name @@ -615,140 +582,223 @@ TEST_F(ReverseConnectionClusterTest, GetUUIDFromSNIFunction) { } } -// TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { -// const std::string yaml = R"EOF( -// name: name -// connect_timeout: 0.25s -// lb_policy: CLUSTER_PROVIDED -// cleanup_interval: 1s -// cluster_type: -// name: envoy.clusters.reverse_connection -// typed_config: -// "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig -// cleanup_interval: 10s -// )EOF"; - -// EXPECT_CALL(initialized_, ready()); -// setupFromYaml(yaml); - -// RevConCluster::LoadBalancer lb(cluster_); - -// // Test host creation with Host header -// { -// NiceMock connection; -// TestLoadBalancerContext lb_context(&connection); -// lb_context.downstream_headers_ = -// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ -// {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - -// auto result = lb.chooseHost(&lb_context); -// EXPECT_NE(result.host, nullptr); -// EXPECT_EQ(result.host->address()->logicalName(), "test-node-test-uuid-123"); -// } - -// // Test host creation with SNI -// { -// NiceMock connection; -// EXPECT_CALL(connection, requestedServerName()) -// .WillRepeatedly(Return("test-uuid-456.tcpproxy.envoy.remote")); - -// TestLoadBalancerContext lb_context(&connection); -// // No Host header, so it should fall back to SNI -// lb_context.downstream_headers_ = -// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{}}; - -// auto result = lb.chooseHost(&lb_context); -// EXPECT_NE(result.host, nullptr); -// EXPECT_EQ(result.host->address()->logicalName(), "test-node-test-uuid-456"); -// } - -// // Test host creation with HTTP headers -// { -// NiceMock connection; -// TestLoadBalancerContext lb_context(&connection, "x-dst-cluster-uuid", "cluster-123"); - -// auto result = lb.chooseHost(&lb_context); -// EXPECT_NE(result.host, nullptr); -// EXPECT_EQ(result.host->address()->logicalName(), "test-node-cluster-123"); -// } -// } - -// TEST_F(ReverseConnectionClusterTest, HostReuse) { -// const std::string yaml = R"EOF( -// name: name -// connect_timeout: 0.25s -// lb_policy: CLUSTER_PROVIDED -// cleanup_interval: 1s -// cluster_type: -// name: envoy.clusters.reverse_connection -// typed_config: -// "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig -// cleanup_interval: 10s -// )EOF"; - -// EXPECT_CALL(initialized_, ready()); -// setupFromYaml(yaml); - -// RevConCluster::LoadBalancer lb(cluster_); - -// // Create first host -// { -// NiceMock connection; -// TestLoadBalancerContext lb_context(&connection); -// lb_context.downstream_headers_ = -// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ -// {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - -// auto result1 = lb.chooseHost(&lb_context); -// EXPECT_NE(result1.host, nullptr); - -// // Create second host with same UUID - should reuse the same host -// auto result2 = lb.chooseHost(&lb_context); -// EXPECT_NE(result2.host, nullptr); -// EXPECT_EQ(result1.host, result2.host); -// } -// } - -// TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { -// const std::string yaml = R"EOF( -// name: name -// connect_timeout: 0.25s -// lb_policy: CLUSTER_PROVIDED -// cleanup_interval: 1s -// cluster_type: -// name: envoy.clusters.reverse_connection -// typed_config: -// "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig -// cleanup_interval: 10s -// )EOF"; - -// EXPECT_CALL(initialized_, ready()); -// setupFromYaml(yaml); - -// RevConCluster::LoadBalancer lb(cluster_); - -// // Create first host -// { -// NiceMock connection; -// TestLoadBalancerContext lb_context(&connection); -// lb_context.downstream_headers_ = -// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ -// {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - -// auto result1 = lb.chooseHost(&lb_context); -// EXPECT_NE(result1.host, nullptr); - -// // Create second host with different UUID - should be different host -// lb_context.downstream_headers_ = -// Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ -// {"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; -// auto result2 = lb.chooseHost(&lb_context); -// EXPECT_NE(result2.host, nullptr); -// EXPECT_NE(result1.host, result2.host); -// } -// } - -} // namespace +TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Add test sockets to the socket manager + addTestSocket("test-uuid-123", "cluster-123"); + addTestSocket("test-uuid-456", "cluster-456"); + + RevConCluster::LoadBalancer lb(cluster_); + + // Test host creation with Host header + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result = lb.chooseHost(&lb_context); + EXPECT_NE(result.host, nullptr); + EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-123"); + } + + // Test host creation with SNI + { + NiceMock connection; + EXPECT_CALL(connection, requestedServerName()) + .WillRepeatedly(Return("test-uuid-456.tcpproxy.envoy.remote")); + + TestLoadBalancerContext lb_context(&connection); + // No Host header, so it should fall back to SNI + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{}}; + + auto result = lb.chooseHost(&lb_context); + EXPECT_NE(result.host, nullptr); + EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-456"); + } + + // Test host creation with HTTP headers + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection, "x-dst-cluster-uuid", "cluster-123"); + + auto result = lb.chooseHost(&lb_context); + EXPECT_NE(result.host, nullptr); + EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-123"); + } +} + +TEST_F(ReverseConnectionClusterTest, HostReuse) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Add test socket to the socket manager + addTestSocket("test-uuid-123", "cluster-123"); + + RevConCluster::LoadBalancer lb(cluster_); + + // Create first host + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result1 = lb.chooseHost(&lb_context); + EXPECT_NE(result1.host, nullptr); + + // Create second host with same UUID - should reuse the same host + auto result2 = lb.chooseHost(&lb_context); + EXPECT_NE(result2.host, nullptr); + EXPECT_EQ(result1.host, result2.host); + } +} + +TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Add test sockets to the socket manager + addTestSocket("test-uuid-123", "cluster-123"); + addTestSocket("test-uuid-456", "cluster-456"); + + RevConCluster::LoadBalancer lb(cluster_); + + // Create first host + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result1 = lb.chooseHost(&lb_context); + EXPECT_NE(result1.host, nullptr); + + // Create second host with different UUID - should be different host + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + auto result2 = lb.chooseHost(&lb_context); + EXPECT_NE(result2.host, nullptr); + EXPECT_NE(result1.host, result2.host); + } +} + +TEST_F(ReverseConnectionClusterTest, TestCleanup) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Add test sockets to the socket manager + addTestSocket("test-uuid-123", "cluster-123"); + addTestSocket("test-uuid-456", "cluster-456"); + + RevConCluster::LoadBalancer lb(cluster_); + + // Create two hosts + Upstream::HostSharedPtr host1, host2; + + // Create first host + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result1 = lb.chooseHost(&lb_context); + EXPECT_NE(result1.host, nullptr); + host1 = std::const_pointer_cast(result1.host); + } + + // Create second host + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + + auto result2 = lb.chooseHost(&lb_context); + EXPECT_NE(result2.host, nullptr); + host2 = std::const_pointer_cast(result2.host); + } + + // Verify hosts are different + EXPECT_NE(host1, host2); + + // Expect the cleanup timer to be enabled after cleanup + EXPECT_CALL(*cleanup_timer_, enableTimer(std::chrono::milliseconds(10000), nullptr)); + + // Call cleanup via the helper method + callCleanup(); + + // Verify that hosts can still be accessed after cleanup + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = + Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result = lb.chooseHost(&lb_context); + EXPECT_NE(result.host, nullptr); + } +} + } // namespace ReverseConnection } // namespace Extensions } // namespace Envoy \ No newline at end of file From 09456abc0780ce04e41568988ee98c0d19803358 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 13:18:28 +0100 Subject: [PATCH 017/505] build(deps): bump envoyproxy/toolshed from actions-v0.3.22 to 0.3.23 (#40326) Signed-off-by: dependabot[bot] Signed-off-by: Ryan Northey Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/_check_coverage.yml | 2 +- .github/workflows/_finish.yml | 8 +++---- .github/workflows/_load.yml | 10 ++++---- .github/workflows/_load_env.yml | 8 +++---- .github/workflows/_precheck_publish.yml | 2 +- .github/workflows/_publish_publish.yml | 4 ++-- .github/workflows/_request.yml | 22 ++++++++--------- .github/workflows/_request_cache_bazel.yml | 8 +++---- .github/workflows/_request_cache_docker.yml | 10 ++++---- .github/workflows/_request_checks.yml | 10 ++++---- .github/workflows/_run.yml | 24 +++++++++---------- .github/workflows/codeql-daily.yml | 2 +- .github/workflows/codeql-push.yml | 2 +- .github/workflows/command.yml | 6 ++--- .github/workflows/envoy-dependency.yml | 18 +++++++------- .github/workflows/envoy-release.yml | 26 ++++++++++----------- .github/workflows/envoy-sync.yml | 8 +++---- .github/workflows/mobile-android_build.yml | 12 +++++----- .github/workflows/mobile-ios_build.yml | 4 ++-- 19 files changed, 93 insertions(+), 93 deletions(-) diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml index 756ff79bda3ac..12b7c6380fc63 100644 --- a/.github/workflows/_check_coverage.yml +++ b/.github/workflows/_check_coverage.yml @@ -53,7 +53,7 @@ jobs: request: ${{ inputs.request }} runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.23 with: bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} path: generated/${{ matrix.target }}/html diff --git a/.github/workflows/_finish.yml b/.github/workflows/_finish.yml index 8340b7e3fd2fa..fd01ca27761aa 100644 --- a/.github/workflows/_finish.yml +++ b/.github/workflows/_finish.yml @@ -36,7 +36,7 @@ jobs: actions: read contents: read steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 name: Incoming data id: needs with: @@ -87,7 +87,7 @@ jobs: summary: "Check has finished", text: $text}}}} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 name: Print summary with: input: ${{ toJSON(steps.needs.outputs.value).summary-title }} @@ -95,13 +95,13 @@ jobs: "## \(.)" options: -Rr output-path: GITHUB_STEP_SUMMARY - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 name: Update check with: action: update diff --git a/.github/workflows/_load.yml b/.github/workflows/_load.yml index 6b211c323a502..3fe651821c320 100644 --- a/.github/workflows/_load.yml +++ b/.github/workflows/_load.yml @@ -100,7 +100,7 @@ jobs: # Handle any failure in triggering job # Remove any `checks` we dont care about # Prepare a check request - - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.23 name: Load env id: data with: @@ -111,13 +111,13 @@ jobs: GH_TOKEN: ${{ github.token }} # Update the check - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 name: Update check if: ${{ fromJSON(steps.data.outputs.data).data.check.action == 'RUN' }} with: @@ -125,7 +125,7 @@ jobs: checks: ${{ toJSON(fromJSON(steps.data.outputs.data).checks) }} token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 name: Print request summary with: input: | @@ -145,7 +145,7 @@ jobs: | $summary.summary as $summary | "${{ inputs.template-request-summary }}" - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: request-output name: Load request with: diff --git a/.github/workflows/_load_env.yml b/.github/workflows/_load_env.yml index 32a7f3f04132c..f82003f9ecc5b 100644 --- a/.github/workflows/_load_env.yml +++ b/.github/workflows/_load_env.yml @@ -63,18 +63,18 @@ jobs: request: ${{ steps.env.outputs.data }} trusted: true steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: started name: Create timestamp with: options: -r filter: | now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout name: Checkout Envoy repository - name: Generate environment variables - uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.23 id: env with: branch-name: ${{ inputs.branch-name }} @@ -86,7 +86,7 @@ jobs: - name: Request summary id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.23 with: actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} diff --git a/.github/workflows/_precheck_publish.yml b/.github/workflows/_precheck_publish.yml index c12dffc1c92b6..a4de52c443d23 100644 --- a/.github/workflows/_precheck_publish.yml +++ b/.github/workflows/_precheck_publish.yml @@ -78,7 +78,7 @@ jobs: --config=docs-ci rbe: true steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.23 with: bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} path: generated/docs diff --git a/.github/workflows/_publish_publish.yml b/.github/workflows/_publish_publish.yml index 01179c0af456a..ccdd4f353c787 100644 --- a/.github/workflows/_publish_publish.yml +++ b/.github/workflows/_publish_publish.yml @@ -78,12 +78,12 @@ jobs: needs: - publish steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 with: ref: main repository: ${{ fromJSON(inputs.request).request.version.dev && 'envoyproxy/envoy-website' || 'envoyproxy/archive' }} diff --git a/.github/workflows/_request.yml b/.github/workflows/_request.yml index 3094c75babc5c..523bf4eb02278 100644 --- a/.github/workflows/_request.yml +++ b/.github/workflows/_request.yml @@ -56,14 +56,14 @@ jobs: caches: ${{ steps.caches.outputs.value }} config: ${{ steps.config.outputs.config }} steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: started name: Create timestamp with: options: -r filter: | now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout name: Checkout Envoy repository (requested) with: @@ -77,7 +77,7 @@ jobs: # *ALL* variables collected should be treated as untrusted and should be sanitized before # use - name: Generate environment variables from commit - uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.23 id: env with: branch-name: ${{ steps.checkout.outputs.branch-name }} @@ -88,7 +88,7 @@ jobs: vars: ${{ toJSON(vars) }} working-directory: requested - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout-target name: Checkout Envoy repository (target branch) with: @@ -96,7 +96,7 @@ jobs: config: | fetch-depth: 1 path: target - - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.23 id: bazel-cache-hash name: Bazel cache hash with: @@ -105,7 +105,7 @@ jobs: - name: Request summary id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.23 with: actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} @@ -121,7 +121,7 @@ jobs: target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - name: Environment data - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: data with: input: | @@ -164,18 +164,18 @@ jobs: path: /tmp/cache key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }}-arm64 - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 name: Setup GCP with: key: ${{ secrets.gcs-cache-key }} - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.23 name: Check GCS bucket cache (x64) id: cache-exists-bazel-x64 with: bucket: ${{ inputs.gcs-cache-bucket }} key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-x64 - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.23 name: Check GCS bucket cache (arm64) id: cache-exists-bazel-arm64 with: @@ -183,7 +183,7 @@ jobs: key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-arm64 - name: Caches - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: caches with: input-format: yaml diff --git a/.github/workflows/_request_cache_bazel.yml b/.github/workflows/_request_cache_bazel.yml index c69a5549b380c..3c0f9b3facc73 100644 --- a/.github/workflows/_request_cache_bazel.yml +++ b/.github/workflows/_request_cache_bazel.yml @@ -51,7 +51,7 @@ jobs: name: "[${{ inputs.arch }}] Prime Bazel cache" if: ${{ ! fromJSON(inputs.caches).bazel[inputs.arch] }} steps: - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout-target name: Checkout Envoy repository (target branch) with: @@ -59,14 +59,14 @@ jobs: config: | fetch-depth: 1 - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 id: appauth name: Appauth (mutex lock) with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 name: Setup GCP with: key: ${{ secrets.gcs-cache-key }} @@ -76,7 +76,7 @@ jobs: sudo mkdir /build sudo chown runner:docker /build echo "GITHUB_TOKEN=${{ github.token }}" >> $GITHUB_ENV - - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.23 id: bazel-cache name: Prime Bazel cache with: diff --git a/.github/workflows/_request_cache_docker.yml b/.github/workflows/_request_cache_docker.yml index 4cff18840480f..ae8314e331c45 100644 --- a/.github/workflows/_request_cache_docker.yml +++ b/.github/workflows/_request_cache_docker.yml @@ -39,7 +39,7 @@ on: # For a job that does, you can restore with something like: # # steps: -# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.22 +# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.23 # with: # key: "${{ needs.env.outputs.build-image }}" # @@ -51,13 +51,13 @@ jobs: name: "[${{ inputs.arch }}] Prime Docker cache" if: ${{ ! fromJSON(inputs.caches).docker[inputs.arch] }} steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 id: appauth name: Appauth (mutex lock) with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.23 id: docker name: Prime Docker cache (${{ inputs.image-tag }}${{ inputs.cache-suffix }}) with: @@ -65,7 +65,7 @@ jobs: key-suffix: ${{ inputs.cache-suffix }} lock-token: ${{ steps.appauth.outputs.token }} lock-repository: ${{ inputs.lock-repository }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: data name: Cache data with: @@ -73,7 +73,7 @@ jobs: input: | cached: ${{ steps.docker.outputs.cached }} key: ${{ inputs.image-tag }}${{ inputs.cache-suffix }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.23 name: Summary with: json: ${{ steps.data.outputs.value }} diff --git a/.github/workflows/_request_checks.yml b/.github/workflows/_request_checks.yml index 3b412dcb4c9fa..ab9748555ffe7 100644 --- a/.github/workflows/_request_checks.yml +++ b/.github/workflows/_request_checks.yml @@ -55,7 +55,7 @@ jobs: runs-on: ${{ fromJSON(inputs.env).config.ci.agent-ubuntu }} name: Start checks steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: check-config name: Prepare check data with: @@ -78,13 +78,13 @@ jobs: | .skipped.output.summary = "${{ inputs.skipped-summary }}" | .skipped.output.text = "" - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 name: Start checks id: checks with: @@ -95,7 +95,7 @@ jobs: ${{ fromJSON(inputs.env).summary.summary }} token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.23 name: Summary with: collapse-open: true @@ -119,7 +119,7 @@ jobs: output-path: GITHUB_STEP_SUMMARY title: Checks started/skipped - - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.23 name: Save env id: data with: diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml index d0ac0c8fdd4a6..8440c03855865 100644 --- a/.github/workflows/_run.yml +++ b/.github/workflows/_run.yml @@ -155,7 +155,7 @@ on: summary-post: type: string default: | - - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.23 with: context: %{{ inputs.context }} steps-pre: @@ -217,7 +217,7 @@ jobs: name: ${{ inputs.target-suffix && format('[{0}] ', inputs.target-suffix) || '' }}${{ inputs.command }} ${{ inputs.target }} timeout-minutes: ${{ inputs.timeout-minutes }} steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 id: started name: Create timestamp with: @@ -225,7 +225,7 @@ jobs: filter: | now # This controls which input vars are exposed to the run action (and related steps) - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 name: Context id: context with: @@ -257,13 +257,13 @@ jobs: if: ${{ inputs.docker-ipv6 }} # Caches - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 name: Setup GCP (cache) if: ${{ inputs.gcs-cache-bucket }} with: key: ${{ secrets.gcs-cache-key }} force-install: ${{ contains(fromJSON('["envoy-arm64-medium", "github-arm64-2c-8gb"]'), inputs.runs-on) }} - - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.23 if: ${{ inputs.gcs-cache-bucket }} name: >- Restore Bazel cache @@ -283,12 +283,12 @@ jobs: key: ${{ inputs.cache-build-image }}${{ inputs.cache-build-image-key-suffix }} - if: ${{ inputs.cache-build-image && steps.cache-lookup.outputs.cache-hit == 'true' }} name: Restore Docker cache ${{ inputs.cache-build-image && format('({0})', inputs.cache-build-image) || '' }} - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.23 with: image-tag: ${{ inputs.cache-build-image }} key-suffix: ${{ inputs.cache-build-image-key-suffix }} - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 id: appauth name: Appauth if: ${{ inputs.trusted }} @@ -299,7 +299,7 @@ jobs: # - the workaround is to allow the token to be passed through. token: ${{ github.token }} token-ok: true - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout name: Checkout Envoy repository with: @@ -316,7 +316,7 @@ jobs: token: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} # This is currently only use by mobile-docs and can be removed once they are updated to the newer website - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout-extra name: Checkout extra repository (for publishing) if: ${{ inputs.checkout-extra }} @@ -325,7 +325,7 @@ jobs: ssh-key: ${{ inputs.trusted && inputs.ssh-key-extra || '' }} - name: Import GPG key - uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.23 if: ${{ inputs.import-gpg }} with: key: ${{ secrets.gpg-key }} @@ -338,7 +338,7 @@ jobs: name: Configure PR Bazel settings if: >- ${{ fromJSON(inputs.request).request.pr != '' }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 name: Setup GCP (artefacts/rbe) id: gcp with: @@ -356,7 +356,7 @@ jobs: if: ${{ vars.ENVOY_CI_BAZELRC }} name: Configure repo Bazel settings - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 name: Run CI ${{ inputs.command }} ${{ inputs.target }} with: args: ${{ inputs.args != '--' && inputs.args || inputs.target }} diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index 407484c317679..fb09e96cffbca 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Free disk space - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index 9d59b4594bcbf..60104adf03224 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -63,7 +63,7 @@ jobs: - name: Free disk space if: ${{ env.BUILD_TARGETS != '' }} - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23 - name: Initialize CodeQL if: ${{ env.BUILD_TARGETS != '' }} diff --git a/.github/workflows/command.yml b/.github/workflows/command.yml index 9f5262495e396..3e24c99bfc139 100644 --- a/.github/workflows/command.yml +++ b/.github/workflows/command.yml @@ -28,7 +28,7 @@ jobs: && github.actor != 'dependabot[bot]' }} steps: - - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.23 name: Parse command from comment id: command with: @@ -37,14 +37,14 @@ jobs: ^/(retest) # /retest - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 if: ${{ steps.command.outputs.command == 'retest' }} id: appauth-retest name: Appauth (retest) with: key: ${{ secrets.ENVOY_CI_APP_KEY }} app_id: ${{ secrets.ENVOY_CI_APP_ID }} - - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.23 if: ${{ steps.command.outputs.command == 'retest' }} name: Retest with: diff --git a/.github/workflows/envoy-dependency.yml b/.github/workflows/envoy-dependency.yml index 30e9d21982048..a511a6e45fcde 100644 --- a/.github/workflows/envoy-dependency.yml +++ b/.github/workflows/envoy-dependency.yml @@ -53,16 +53,16 @@ jobs: steps: - id: appauth name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 with: app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 with: token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.23 id: update name: Update dependency (${{ inputs.dependency }}) with: @@ -97,13 +97,13 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.23 name: Upload diff with: name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} - name: Create a PR if: ${{ inputs.pr }} - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 with: base: main body: | @@ -134,11 +134,11 @@ jobs: steps: - id: appauth name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 with: app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 id: checkout name: Checkout Envoy repository with: @@ -180,7 +180,7 @@ jobs: - name: Check Docker SHAs id: build-images - uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.23 with: images: | sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }} @@ -209,7 +209,7 @@ jobs: name: Update SHAs working-directory: envoy - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 with: base: main body: Created by Envoy dependency bot diff --git a/.github/workflows/envoy-release.yml b/.github/workflows/envoy-release.yml index 42aac79e066f4..886423e7dda9b 100644 --- a/.github/workflows/envoy-release.yml +++ b/.github/workflows/envoy-release.yml @@ -59,14 +59,14 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} @@ -87,10 +87,10 @@ jobs: name: Check changelog summary - if: ${{ inputs.author }} name: Validate signoff email - uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.23 with: email: ${{ inputs.author }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 name: Create release with: source: | @@ -115,7 +115,7 @@ jobs: name: Release version id: release - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 with: base: ${{ github.ref_name }} commit: false @@ -140,20 +140,20 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} strip-prefix: release/ token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 name: Sync version histories with: command: >- @@ -163,7 +163,7 @@ jobs: -- --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>" - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 with: append-commit-message: true base: ${{ github.ref_name }} @@ -190,13 +190,13 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 with: config: | fetch-depth: 0 @@ -226,13 +226,13 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - name: Checkout repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.22 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} diff --git a/.github/workflows/envoy-sync.yml b/.github/workflows/envoy-sync.yml index 3d25bd2cbac28..5b13acb212563 100644 --- a/.github/workflows/envoy-sync.yml +++ b/.github/workflows/envoy-sync.yml @@ -34,12 +34,12 @@ jobs: - data-plane-api - mobile-website steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 with: repository: "envoyproxy/${{ matrix.downstream }}" ref: main @@ -61,12 +61,12 @@ jobs: downstream: - envoy-openssl steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 with: repository: "envoyproxy/${{ matrix.downstream }}" ref: release/v1.28 diff --git a/.github/workflows/mobile-android_build.yml b/.github/workflows/mobile-android_build.yml index 23c3065e380d3..88625eb4b0554 100644 --- a/.github/workflows/mobile-android_build.yml +++ b/.github/workflows/mobile-android_build.yml @@ -82,9 +82,9 @@ jobs: target: kotlin-hello-world runs-on: ubuntu-22.04 steps-pre: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.23 steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 with: apk: bazel-bin/examples/kotlin/hello_world/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoykotlin/.MainActivity @@ -111,7 +111,7 @@ jobs: target: ${{ matrix.target }} runs-on: ubuntu-22.04 steps-pre: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.23 steps-post: ${{ matrix.steps-post }} timeout-minutes: 50 trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} @@ -122,7 +122,7 @@ jobs: include: - name: java-hello-world steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 with: apk: bazel-bin/examples/java/hello_world/hello_envoy.apk app: io.envoyproxy.envoymobile.helloenvoy/.MainActivity @@ -141,7 +141,7 @@ jobs: --config=mobile-remote-release-clang-android //test/kotlin/apps/baseline:hello_envoy_kt steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 with: apk: bazel-bin/test/kotlin/apps/baseline/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoybaselinetest/.MainActivity @@ -156,7 +156,7 @@ jobs: --config=mobile-remote-release-clang-android //test/kotlin/apps/experimental:hello_envoy_kt steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 with: apk: bazel-bin/test/kotlin/apps/experimental/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoyexperimentaltest/.MainActivity diff --git a/.github/workflows/mobile-ios_build.yml b/.github/workflows/mobile-ios_build.yml index 57ca2fa629e27..4ce906bff547d 100644 --- a/.github/workflows/mobile-ios_build.yml +++ b/.github/workflows/mobile-ios_build.yml @@ -97,7 +97,7 @@ jobs: source ./ci/mac_ci_setup.sh ./bazelw shutdown steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.23 with: app: ${{ matrix.app }} args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} @@ -142,7 +142,7 @@ jobs: source: | source ./ci/mac_ci_setup.sh steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.22 + - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.23 with: app: ${{ matrix.app }} args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} From 05dec4a4868e422b3342b27daccdb36bbd492479 Mon Sep 17 00:00:00 2001 From: "publish-envoy[bot]" <140627008+publish-envoy[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 12:27:08 +0000 Subject: [PATCH 018/505] repo: Sync version histories (#40317) Signed-off-by: publish-envoy[bot] Signed-off-by: Ryan Northey Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com> --- changelogs/1.31.10.yaml | 10 ++++++++++ changelogs/1.32.8.yaml | 10 ++++++++++ changelogs/1.33.5.yaml | 17 +++++++++++++++++ changelogs/1.34.3.yaml | 20 ++++++++++++++++++++ docs/inventories/v1.31/objects.inv | Bin 176135 -> 176162 bytes docs/inventories/v1.32/objects.inv | Bin 178987 -> 179031 bytes docs/inventories/v1.33/objects.inv | Bin 181556 -> 181632 bytes docs/inventories/v1.34/objects.inv | Bin 186551 -> 186627 bytes docs/versions.yaml | 8 ++++---- 9 files changed, 61 insertions(+), 4 deletions(-) create mode 100644 changelogs/1.31.10.yaml create mode 100644 changelogs/1.32.8.yaml create mode 100644 changelogs/1.33.5.yaml create mode 100644 changelogs/1.34.3.yaml diff --git a/changelogs/1.31.10.yaml b/changelogs/1.31.10.yaml new file mode 100644 index 0000000000000..b6f30a929f7f9 --- /dev/null +++ b/changelogs/1.31.10.yaml @@ -0,0 +1,10 @@ +date: July 18, 2025 + +bug_fixes: +- area: release + change: | + Container (Ubuntu/distroless) updates, and fixed permissions for distroless config directory. +- area: dynatrace + change: | + Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than + ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. diff --git a/changelogs/1.32.8.yaml b/changelogs/1.32.8.yaml new file mode 100644 index 0000000000000..b6f30a929f7f9 --- /dev/null +++ b/changelogs/1.32.8.yaml @@ -0,0 +1,10 @@ +date: July 18, 2025 + +bug_fixes: +- area: release + change: | + Container (Ubuntu/distroless) updates, and fixed permissions for distroless config directory. +- area: dynatrace + change: | + Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than + ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. diff --git a/changelogs/1.33.5.yaml b/changelogs/1.33.5.yaml new file mode 100644 index 0000000000000..fed61d514fd2e --- /dev/null +++ b/changelogs/1.33.5.yaml @@ -0,0 +1,17 @@ +date: July 18, 2025 + +bug_fixes: +- area: tls + change: | + Fixed an issue with incorrectly cached connection properties on TLS connections. + If TLS connection data was queried before it was available, an empty value was being incorrectly cached, preventing later calls from + getting the correct value. This could be triggered with a ``tcp_proxy`` access log configured to emit a log upon connection + establishment if the log contains fields of the the TLS peer certificate. Then a later use of the data, such as the network RBAC + filter validating a peer certificate SAN, may incorrectly fail due to the empty cached value. +- area: release + change: | + Container (Ubuntu/distroless) updates, and fixed permissions for distroless config directory. +- area: dynatrace + change: | + Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than + ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. diff --git a/changelogs/1.34.3.yaml b/changelogs/1.34.3.yaml new file mode 100644 index 0000000000000..e01bff77426c0 --- /dev/null +++ b/changelogs/1.34.3.yaml @@ -0,0 +1,20 @@ +date: July 18, 2025 + +bug_fixes: +- area: tls + change: | + Fixed an issue with incorrectly cached connection properties on TLS connections. + If TLS connection data was queried before it was available, an empty value was being incorrectly cached, preventing later calls from + getting the correct value. This could be triggered with a ``tcp_proxy`` access log configured to emit a log upon connection + establishment if the log contains fields of the the TLS peer certificate. Then a later use of the data, such as the network RBAC + filter validating a peer certificate SAN, may incorrectly fail due to the empty cached value. +- area: http2 + change: | + Fixed an issue where http/2 connections using the default codec of ``oghttp2`` could get stuck due to a window buffer leak. +- area: release + change: | + Container (Ubuntu/distroless) updates, and fixed permissions for distroless config directory. +- area: dynatrace + change: | + Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than + ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. diff --git a/docs/inventories/v1.31/objects.inv b/docs/inventories/v1.31/objects.inv index b65d7aa97c45d8a030b3359c9c46c72142cdabd0..054d6f7874152a37766ce53ab692f0bef9d8d749 100644 GIT binary patch delta 4389 zcmXX{c|6nqAJ4HI!?N0hZ)@b+H?~|;Ip!GBlpHxSA?G$n_~xb>Gq*DRkRuw(O>Fc< zh&d8tQzS>35}M=dNQvaPzV+Yd^Le~q&-e57d_6y}XCha;m@7^-5!6tRHH|kFXfzdE zEhIq*lbVlu-{_E*f1nKe(}0@C4x@hLyLZn!-`DBP4W5=b*2*nLiuRLt@P}tms{OJU zoz$BsW>)qf)@>+q+T>VNXHOISuuN-uk#yUvhch_s!sx>m?!H#8U@LqdUWFGgBJkI` ziT8PLI%LGd(WWj;b6n!0bNa}HxHhM$o7DWoy524qIm~cBizz;yuaGhT@L&6)(W6YU ze&LXde6_*j0`%WYr#^?3TV&7o)D^?6{x`TfvT=yxn7`j=|1{Myu)SRUd;!&MmDD;)C=RlCn5+;Esko5w5Q=|F>cEk&1O1j$M zx-am>%VJv?vjIb#OBVTXNVm94NvcfuxK|$9s_>j}DCFWH zhoeMe_ynUENsGm?J8<9YOGH?Q9-7h^NzLDr`d*0 z*23tr8(F=(m2iwzTir6Lu1xh!?sW|{xk|XZHLl4Pw32!Bs6Dl#966OM5)PHt zu%}vAAi2#V5kqN3D%e#!=mJxyg?rW>qI6#cxWS5x>`h~+U}Nl|3(X>*@5@BmQ>j%* z77#Rd)&l8(VU|W^Ovc)}^aXFeTz_974#sB1>uqu^bEO>sVm1AOq=HBzLTe76^c8RS zA^n_S{2_kPW4e(Hi~~?pt%3{Sa5)4Ri;;t^AybIn3J;>GY)_AW#K8?&@i%5L?c8(0 z5T!H(@axOC=ojh#s$fqzs0HX9t^$S^`KAV?Ibg^Px_TLmrHt~eg3mbNXeiJ^n#^;1 z>b_bet678;Je0Pig2i6`)mBdwM5zz)Ut7?FyY|$&$H>`W(7KKxtQsEchHH|6O#uTa zju>)tl+EOfvr9RFcTL~3t%h*_pT;BH(c3z=lXq0G9haf&tT=RPvM>TG>Ihw*ibKyo zPk<<$Kmx;OI$eTFdc?uUv*V-YF#4nqJ?Rjokt!L+k)_f2$lCLoi2c>@&a1dOThNl0 zqDnP<#tqkj0-#bSPB=fepez z=a_NLZs!UhN>fPSmnorWm~^58m0Iu04dXbaEIjV|ZgqM=w!aWT$6J|lErrH`mt5DxRcBT8U0 z!_9^2dp=bL?m+FUL%yjH36qo7bf7xcBe}UE5m0GU2kHX<`KMB1eS$^E|7kjRyNIndZGcz0fH6)D0B@x!>f(9>_}I&K6R8O!SBu=2VEJ7)4MII zi@-MEpsOq)^oN8Zh|&)vFmwe|up#(L9GsCI-@NLknp5NpNVXXe)Zd6H)QB4s2RCK| zqE-a-(?tmg>?}?#NbgHE(2?Y+qu>KbK09DcDu}W!YlSzG&B{K;Zu=J)%=gwnwA@aD z-uSI#9_e?W9)9w(sqkKj00h?V3UpygNSBcC6rwbA5*RWg;G!CxDaTvj+3LP$+=SO8h?01%Oyd!e zvG_{p^&sX4aj?uifbM3D<+wmF;CALf*CtNyCjZw*5LcaHwPRf6Gu5@UwUEdT)X~*6 zd7sPF15c68N0-u$Mqj4Vp8m3DdM^Td*cH0MjC;y`J`Yh+R|9@!#YID<>n~HS+mPH~ z(5lXvgvapCXdJ0r1~vl3+g-&lztN4<^lA5|w4afMx4etmS845BvmX#8>|;K^(x3cz z>Lp*r!B6h}w?V$G-2h0=4hVh0p>GaJt|5s2S7CKyvp%LHe5_qMjR2dKHI%A@3&h}> zfF9=y4;YfvdB1ces|I4DH>fr8iINCgn6C8kc#|VlstkuxvGE<^m zWC|2tNGgGq(@hpWhL0W6rv(R)GCeTNgA8lF z3IJ3wI+^%B`mYNMdA`pi6|23~Ql}OgW2>EsQi`Z>`-0h-I>v`d_()8^=xn!MeHe(KDTG z+~;;sr5w#)yEcuE#2R_=RZybyRhXPLJr7kf)dYs{1o$fa1q5s5#_Mfxhqi_@0b(UA zWWguw^2thSi)Iw2^d8K zM%_&g3V(u#@i6+u1Et*nw<*HW_)CQ>uj)kA9{%Y!o~&9-13aSymopDz1>>dd32*Sx(e z-{{$3LU`t;Zc_C7nL-O};-Fb%U0g>QY}JQI_CMX9cEnVF!l+*g`t3I1o?a{ zHKWe$Oi0@>@rr7dX~GW8d3sJjftXZlQw0XNU^*JiG;2o-UGkgU<*U> z!5cH+u`z?FPv;Kab=DpYB_?q=2QF^;wAx-xOc0fn9HvY+>TV9sbf&W@(@34o-v=Ug z-c~#|F`*o>Q`FKjJ^0SU9Eg_gqhs`WlEBulPEldga{5IQ35l8%huOnY{kDB+4-7v$B(LQlmoZXPac0#kNGv zWY+{WYpZ-k@_3t3>P+2fuO9tMyEyX)`K0wzR?fYP4;?jJORK>bY?9H?C)!%WUm~C~ z-!xqYw_!VyaSMCrvNqwLIm-r7;C#uQ0vRiv3t>9!mpR_X>y!%tuOvz;KZiQU)e4hQuEG1?1?gfp}iod6Y5-pCMVjd$A z+81_bE&tt{Uo(^**k15y^Yj@seFxQZNJX1(K(1WCnFW!375pX}|J*}e==Nkd#lBtY z87c@|JaW;ma*#+cYm{9+3|c&5?sxqW5=+3eznh+BDSB8K%oLXDNGQ+C_aIVRp|5uJ zGgl+t%D;+D+$_`sujHSD)W`KY)i(!6)qDsF)ZJ%A>zKJ?p}&yvE(Z}#dX(eM6F{om-0s<5rYkAAQQW5~YIAuKoYc}Z8D98U zt{pu4wrBL~*N2Nv(VxsS*0eyuZvK8Znhrut^^46WKD26WBID+<<9)gkk(^Gsr%|gJ zes6g_rQU~Y{y|X}^JyBP`R>94Z`^Ku{G9M|xc|A+1$; zzPkG~RWm2-P~)+rO9SGCx7>5;uZ3@Z(huOIo*6>~s7S28lnMurbNS~{z_liez^989Plk&D59A!vI>xKqcO?cU3dSud&Hk>DH=^Bj!KG}k>AH5JwhIl@D(@p*#On#kQJv%3ivs=)lg%L)SDzNyW&LtG+fb5f!BP2HjYYU&cYHzt*gdg_w|ZUw8`)?NUbjvv}`=YL)*NcXrR~ znXdG5N=k9vI_2sAa^6a*SAWy|xHs9?)_;rhR!Uyn1{c(rUsI{M5?Hn_IkxJWp>oz2 z@ow|>aWwAs6VFTSs-l-h*M9tXTJw4~P~wnh?A4uXr>NfcUbRNUj-c#7VT73cZjad> JXwo{;^Zz0EI*I@Q delta 4361 zcmX|Cdpy(a|IT4KtQylM)J*LWHimf;rZ&eFIiDuvxS{eW5u;}eC5Kv}ki$qhGh1nd zvXC++QF5p`M9E=JrINmTs^9Ow`}29-@9Vy<>wVq#yF?&+Ngzu%7c)w*OtuueZz(P; zq{$TVzlDc*0R)NL)n9s^^*pfZN(ZyVx5ba8 zl*e%@zklQ(#+yrQ-(vp?ePRjuNh-~PdhCGt&i%`$mp{w?Tr}`7~DRyM>v3y?n}?x8nX2fRQ>qv7UC6?FXc~*EBn4z z=@ZdjJCL%Jwm=N_xWq#s$Z>8Yc~&g@8Tf);wFY4z5My!Tp3jzlp7obF!?^eG)L>G$ z)IMqBiH03&2TK|*mfTBKubvGz7_##n3_}bB=3(s%t&@&Jj>WmC1|!WXCC;TXc$^Aa z(!n)aLt=iDZ+3nDP#G;rQ}ij3-GsYepT2&FCaDvYU}ws3j_Mlg^uSNJE`rjzEny;wfO7|^C@qnOdOWQ0Lym%hv+KAdQ z@2-fo{^h*|vfzoVWRo?4U2eTSK!);MydVZgZVoP|CE}K^tCA*ZAEZ_kOXmlaRLX+wvXkS+@vVZVLKL}z&>z6F3!cA9td^Kt+0<>&&*r^Jx=1Jrz!bX8%b8dKUHN|lx!OgpzJbT(S zprwYK|KR=}%3y|3#^o+8f`%J(nU{!7yZl0n5H4DeCSqr-PeTx1NZ|SLHt+CBjx6|b zb~0reZ#roi1wlwxDYExm989Lh)E?DG8dt&nh(x9{XwG1-PZd1DllT||5~i!Ri8$Aw zMjNHh_hx+5BIvq9XSs<@0?QZ(q8a(S6IZ@#5mMaHr%VV{z|UroKpzoRS_3P*3^p2K zVc?GEa#-w^( z!*VEt4QLv&L>`EWFre9Vl~1m8cpYk>Q7W=GZBvUd)x4qX^XG|7;bLK1d+K!rRB?Bv!I2tpqPj9kDM zteADmf{{0p8->0)Iru=pWmvbk=}LT|-jnCDVEY>Y%7U2bRcQkx!PWyEZlYBU^q>Y9 zwfO@sgS*WNC=O-K!g^X~#`}bC)KdkAW~{Ox23aW3(8-0YJ%MiY53K)0o$uUcf+RE( zp&v#ijLBO|AP8}7;JI-zZ(Z}3vfxb78Pj5>0a8^E#8K@(?zg(pIrmWlAV>%}%&381 zJ4NK&gpGEm$UUI7Hw1}25^i}U*xCX?9I8>gzo+Rh@i#GM|_`5n)z znMgvs7j%J}_)uWo3qb_x0Kf1OW1;dk?sRw)N)Q1O8W}d#!u=wN<%+NYAgS3KFFw!0 zQPHN1o1@arw4}E|#jQd{tDtiVf{3dX5yZU~5uDYXoRtMT-2C-|e7zP0*k0c)@tKId z(7U}A89d+(W4@jWvB3J^#g|wNGHgoeuvs0vIEKiH04-qmlIq}X6yjr%AvBc^ce=0z zH6V(z5~j8eE_Q*)n1S_CBf?5g;LSEz4rpw-;^@#Ln&gk5VjqeFI_5<@Kt_VcjT>)^ zYfA^A2pT8Q!6rF%Ko{*U|IT#?f`bO0pKU8xzP%}{yl_)$jvf6CyH}3MkdKcU@~JA5 zuTKET$nt1~F?2F7xQ&)1LrUm1WkiH+_~ON-*bX8W0GJXg6JDG|6fy6^gr)o8X+X9E z-?V&YwEPJzNrhDG6YYSGK9d5F!ST4wtG+(^`xJoS>p6gLT#0Wqr790Plk3wLE--Q$U$Ep427=Rbl8wIj_U1aK0%YuY;@;6XMINVv zCP_t+5(;B*{Pk<;02x0X*Yt~^a3w$m2p-5ujva4n5m=i*5j?%$Z*4jiMJV?dx!_SR za$#huT^EXo)&riK6%)Cj3^8v+jRI6o)uTIHYXNC(JJ zMPQWhvJFlbP11ri-izg6NTq>zGXxta>YHKh z;0f8k`n-~p(oIY9B&nTKn|YxRL!y)LC79nlFsIn?r92`7 z2>L)%=_1mldw=H*eUA;-D_-ICOxx84xU! zm%PDE+}NvbaWB~4_dCB>2adjFfYs9-z|$Nn{K zF~-z;aKGYT`D5oqzo1E`l75fdy#yfGIPcH6&4MCw4E~H;eQiQ?2y_7mT1ZRbyrd{M5f#>RdKR~v$}j5+_|BLN=vR+A zVVv7uK%yAsA`0>iGsIav6^%P38y@{29`U8O?A;p^qT%^t6RDFHI5*})3q=ohiw)Ym z;|*5dWDVOy9$*-+JP+!j9I0+W%t&01cr^E_+J}isGVSe2$HQ1uR`M}zd-91gVd~=#xE!m>4Iew{YOHb1%A4YM0@OA*R z-{8~rgCH5tkbHUkO2U2jv*cGn0Wha~%X<4#r*9wNqk5{l`E$iaktgkbEFWM~W{cdE zAXU^sTm0VvA1eM?4pgL6_Brn~-D}OttTio~sJ+@{J2$2B<;+j(sm{n{i5`%{W=eIQ z-Dcx-(d`ZSkfr<$P~K0m_g4ue@298(8&@@cau2s$%cK^6Rn+*|fA~#CCbi=0O%3XF zQA+!>qL9sP@A*G6oeqAD=qU==cx)(^46LoYKwa$zSxx1I_eTax_w~u8uO~NU)|s2f zU%cqs&bKLui-;CZVkXMW?OJzi7gJWI$)7Mgzx;oD&))w3y^0s}&@t|;jacQKU0i8PVt45XVq0(KCNj!$UOWM`Ghrm(t8YI(k_?@23SyEW$$18=F)lO zrwaObR}Yw)YR8v0r&a+kK7fc6R9{LpnjMf`L1drvG{PwoeLiG?0*-t$J+W7 zgSBC9-%*!mHdFJH{mfx<#~5-~V)4w~RNjs5@I67u&XpX9 zzozW9i`M>)#8D3()5 z0XJX&RGspEv(5{2+r2a7F)u4zd7}9x_3d#_zuk~0`UM>oW_46US^fbPj;gB*qypu$ z3lx@-GT|~R#_>OY{e83G$k*!|724`o5GctpEe-Z2L8uwS%!%rPwzLb9S+)-&wDl)>4#1kcQ=V z3xkBapCO6gjuf6_cGkk;rraLvc;4AqnI)#;d`x zd4`V|nYdoDW}ESqr%Ow1CyAH8k$-<_44R=Q`jD;;*Q?X@2=3~-+=>%%rLhC?Xt4&uYeg;xV0*r_umyB%&PLuX zw72+xteOdkLWNVdXh&h688RN}B&}Oe4ovy7lZ-|drW2|c7HhLTLSdWa9|>2Cp_lAZ zDUYI~2cDWuj;I5Bqg`5$##df(uY!!8(=ACEZ4b(6Ya9FIvF)Y9adq&m$?W_(`bWww zuA05CQ~TPGoH4R$MjtgnUfQ~67!S+Sjy(A!i1NyXZG0l(ritH*B5 z6LPwzv!6ZyyoBYz5)?DGe|#f1()szb?tYIal$q=+_qT=aI>FZVnxG}!+Lf;sq+_|HIVOV*)x)S^P=Ua0(VO1ple6xu&4d8o$n=)wH|pjR{nba^MU4rtS5|Hdm1z> zg4zbd8nl*~Ed|SlUQeX|%Ps192x6job}=xLr%l&qLtUtb@)>-tee!ctZEiCMFi bg<`csG_<;xGq|#THq`n%Kc%W%|6ctc;(sY; diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv index 57c54bd292cc335df9e806b920053325721bff12..a124ffb64b78e57d9da9eb8930e3bec073444fb6 100644 GIT binary patch delta 4789 zcmYLKc{tQv*fvvBnR!VWGx1j1sFAU2ObQ{d$T|vRFUw>dgc5#(hBv9~%#57|*|!G6 zSjrY7vM*!HzC>BG_4W2$*Z2K*uJb(CxzBx{^W1mtCbWMO8leVK2vjGlgUZ#x3E6;- z=hvnaAu9(03Zh3%sP#S)sQ8+Kib(~tQ792T#s4xY=t%Z68J4j@bI( z8Kxc_@vw%*JIlxYQj;rEKl;I#jNJ*;IYU>&C7QkX#X}lRcffOc`P1uh}4F>iXC+vWW8N`H665kn}hjFho?=dPO2y24DHJq=>dM(k$e98`}k|Y z6T6dM_WBpiYcnYICUFly4_*io2nj{c4LLZb` z3%~d1@NWsGe@hS@(_6yUGgKSbFLbbwT{xjSHc$jV1pn~5f+bz!Dy}cCIJwirt$l|S z)p@bNEvX~{E``EO?$8C>T1b&R;fXd=;unu<=!RFYEb75fE;vkMWG_?tFgVTD+n>Y1 zdZv`YgpNGEo<#7L1Ga4ZlQ=pdqbtuYcbsCv<~(UHVM0(gou7>u3f&-kZ*lQl)XXho zN+>Y8DpS+G_+9UEe(P^y_2^(Zw_62wWN}F%yWNE;LC7vm(3LZD5bo=LTC+Wn97q|I zak#vyQlx3#zn9Hh8>kpGXhX$yLf`@?6;s0)!cdYQu6O_ zkrs>L>On6K^$-uso@}Bii%w^Nrq|%-&-o?u-)JM)CL`|DddSqqX*P?pUb!I?sCGtI zo%HnzPLrs-T4M2#r53TCt&5>W1*PHFOzVhws{YOH$9$K?)07azvpD?>6&|!2qUapX zB-a`ZX=74pugC!(8$^(0-tXaAh zVpRe+Wqy8E`*}N9)IQAo%2bfC9IS$Za?K%XTMmhj8{e;F*UhTc-Mo__!Cn z<%O#5lZjH&JY|v&#n=gSg14xy zl2JwX>f+*+VJ0ak*K{JlfBz_YJdmE9qpE|wRYnq|{zpC|whQd-Ah5Wbq&Cpt(vrAo zTDNuA{Z)fJOuZ9)gaCCGD6;GA1nUyQs8@QPN8g5-q@(QLN#XFqXlvj5#jHi_b2JCh zcqJ7w@)_QH#pr`p8pOF1-YaI*=9muI>x9c2WOHABjgZm+aP3Am^fE1c-FY1wPY6vi zLL2rZ^VEkjL{&zue6<>J^KYdD2I=W{=hHHv-yIKE6_v6S?U(jWwJLOe-@9PWel1 z{z9idrvr5_z`7>JWu!~gbUIXidZ`OML#;a4TGIt?AcQ%=3rww}5c--p>s%6gF%A)-h3ipI6HRo%tH|m|PwU)3bna)wsy)t} z$LVR>d(s`+q$m_KAutSfbqS-1jl{&e!Uo=>T$Dj*EL9o0I?&i5)wWFFW1k8 zJljRcA)E@}q6C5Eo0xh|PDDuUPs85K(9*=>O-JpqL<1qpxSVAqzk*+Um z$SpAr&PuHWvrX?*kj^BgBcSEh+y*SP5suSs&!9d{7P1~Mw-xlO9^XqR`&fgysm@9xO7&+i-xBxd{(vs%ugE>71SN2Wyyd4YiI zf4GG8Lc$mRaLK|WiFvqoRU1U6pG94CfvP{w_t?U>FcHWCc;@kc<1i7s0G99ya}p>J z5m^L#dqJsJI-mCzz_$BPj_>qwx*sL1t+Ns+4egrp0FxA*6f^^sv%27fEGolIsh&q_ zuP=k?Ua?EeJ~dk(VW}KzB(V@@oJjh>if^)Ae!4)Cyc4mo4Z(Mt0WY+Rbfd zGJ(sMDtvmkU=V!7%oC8^4G3C*Q29|r@?2zAORQ=^+`zP5PrZ}1-ZA02s=v)<7er5Q$PCSMCsSqwzu+Y^?0*;1fBr5QW~{Ht>`cn1 zJA@zS<1})8xhR=&E7_X*h(6K&-ko@5?is6d-xAwXynlB8-lW#H?wS5h z)S1suLBqBO)om$9*O1k(on(NnY003U+Lp0$l-i{q@%4KGg=|W@mDkT){eU(x4|fEPzXyGM1mbx?{TfwW)QF(_X2rJcCA)=ZUt5$rY~?ex!sO zvR2#;hbmNa+QxB}QN`S6w z-!6xv4XA_gM(EQI&PsXpZXm*?HMwvw$&fn7I{%owCXF{91 zm#Y}d)Fs(iCz<`~%K=`6pU(&MUH;rzu3Ai6I`FXmuR*oRnGADwvb+~zo+ffe12AAs)|UH{#;;IEO$yqY&JLn@5VR3zdzXPLoE zw9oGQ`pUidX_xV}d7)F;h1y7r!FSfrDU0icMf+*4j4XQDzQm5+-q(ZeM_wa6wC#O& zU=*{F+_B-vzr2!OYe8Fi)3xSp(Y#EwkXz{UyUG)2_gv%fA8#?<4!kKvsN( z*=fwnhw*Fp-EQq3^b4wp0b^=q%x^T2Iyhl6CRh4#!6RTmm@ymgcH9Cpe#=`c;n}}Q zakG*fWnjZ(ad{^DVbi~i!-O+;S%9B&(?iAFKIWP`U3p@TOD<8~T&1)zK&j2f%lu~2 z%&OZ%wN;fSzAEl_KFep-vRKe(0L(Ax@<+#zuLmCH{ntOe@zwT?y?vockt=X zH_1n8KfObAE(NxHQ_T(v@oRDMal`C>_3b^v_;pRb;2JyAcR={FjZ&9wUU2K1jYKQn z4L0tXioP(DT^#V2v9#daz}QMkG8MJPnN=%2Qk7+SP(8%4y1(VM9=|fSzX$Zs4XtN> z!R%)BdN&J@iVH%HZxmC=8Q$zIh1kAtX0-jG2@fUr77R}{i=j9u+A8pRcxX)(=FnroPgDb!aJ-^;pxcs+K;p+|meM)9{nz7dI zk=xj$H|)`b57tXwi;JU_BLJJXK=PE)`IeE(CwDFdR6a&(R&52}83r)y!1eDXN{f|a z8n2_Hqj*wF@V^G{rYtItC4ZNz?$-JH%WcfAiw~)%njiDsy?>6m^6TlE_S$8<{87#Q z$EV9%zOClpyfdfAzCKi?luUDB4I1>YC;BTDX`Q-qx*I!R&K@e4e7ylY&Eq=RsFv=N zVyqY19P*2pw^)0dkDo`{hb=udE3BlxRm=LtA}^2Bw_pakZZAF{^w{rja6;d3s^-3I zy{w)p8A@aw<74pDGHczASafITtbf=n8^v7RdP{pr`|v=xG)LGf#kAyH|9X~1>8BKG zaM`_nhKe`V;y@w)&9E}CP&oeaVbt+{?Pf=Q9jo`FXa zgO$oRfHRe!WghSBgdBIVpZ4u#p|_epR0->b77m1jhP%_GH)R9nkX7@oW^+hyC1CK< zDF%;nz~10z??M0RbLxTI0e@RE&QvOXOQDN~y+r69a zITod7goYp>3^71hr9ik}{9+jv`Kd2-;#uDIg&(6|0ufz7cZO=AyD zg%)7+fIMLr%ak40F-dcbf+ps3X2+y#^GHnG?c#HVyVsnRqP!pM8(MvO{?ggQcA9C$ z5Y%(?O%2(UblN(okp@U|$|a&;f#h>}yO{E>aQ?q{2UZ1pG`&qu30%`Ue%1Iq)*6x< z-G^s;3sKOCdb(R{SVAJV zO!;*5#1C~gHodV^nGM&QzogO9mAj9rtTmI&gNkSc4^+okiEQGeHtIGqd+v_-f9_5x zlcaMqw26|}Emer7T99A-0=AIr{x>B#`>l1&&}&wi|aUGZC~ja%bq~P#;8i} z0L~ta-9`S&&yj7>4bFwZG6m5s8S&TR_!lJ-NbAzdXOseNb1;JUU#i&JNGkbu439V} z!%p=Fy}ef#O}u}-6dD(yJE5!YWZ5T?WB7JR$OH$l8jt9%f# zH9jDyM_=8e-6n5tNdI-aO2VS@bVD@%6Y1eIQnIlbf!AF4?@OdmwjTpUiXrgq0`mXL zaNH6D(Y$>NYRPq--0fQkh~pYW3r)SFYwkkH6#=bENa=Y}Vg4KhxSp)NEf$G=)|E_kWzIH_~h$?oMdCOPCh?{pB9cCM2Zy_IV5Ll%l17 z2etC9KRkRr>h^M!@wzGR?BZ+A>_DjkiZDH1_;^KKPIff{;SwOU5}pIQH04Rrfy4RL z%rdlNxMvc@AY4FKPMDLDiRhXj7<>}b=+%pSs|ts+sUb2rW4P-XsxPU%l-s>1K@T3E zoX%{VO*W`OjGT(TfXC}d0HoO?Ov)k9TM!O=j?ipL46Zf@6s!tyrRl@rI{c>R*ogsR z2m~u2m%v9&$CcpmW|tKAh2INKlTGuV<=|{`Kn=oV-c|wNI6uru-9(!y4+hI&@Rt5k zG;28Ag5MO#PV_HCAmUJnTmmmO0rwP-Z;((30qA>wfP%pg%-}PVk=Pa}^Z}Hj&Jl&~ zEX0N3EE>*&Ps9Rsy{Y?oI9wj6S{To(B>{95|3je#2A}&w5eJ7y|Dkvnh?NDH_j#zE?jGnnYBhY= z&zVuMmk~o0t)bt-Jnb!q!%O+mPuV7GoC$ba$to!{5;C9(eWpo)a|8ptOK?0z7LT4- zp9tVp1Gnd|y!%UkSSNxfRUZ!G+xc)d|&bZK(r+>M*LgKe!Q1z^6(+ z4+iLXqZWd|)sA9)-6r}R8jOqlDR*!@cR)456}-Q8a#e#}I_*CU*wuu7(&TX9h{>M8 zyGW6WXq6ZqI?tM%k3$rtcnk%c&nu?K$!m8WD`J4CW^C(PZ4T zfi0@}PV@CL*&UnLOc|QcQB8_Fz(ZXS0z7y2=(u%3U?u`nV_6{ue*>qE@I!%ULe@+$ zqWc#DFHJ;5A9zj=MuTSs^U+5rYE*@{yAW(I!$@rG9B@k$1#?q!5(P(qqmVBvT>K`K zR${;!(Jy-u$)b-E!OVC}uh#<7=^LE-ncuX4O}m0cz;8)rg8^FXS7;P9nxK|wg~}r= zn3;oVBxDVXao@)gsz5OsS@Av~d#bEJEFaoi?WQfT#Rj(E!d6lfOvDR${ljut7Mx%V zqHC&fDE+FVYu~j3wp#}J)V8k(f3pFK+XVVF_4B&Jfys7({_1FLWEr@cgdq!GT$Dp1 z0La{Mj)uNrI^{N9P*;e|vrz{I*J8-Ez4qd7>v3WApcru0IeLgaJV?Mf9!ol)`sJ2gErCw6Q7xM+0Q*IXnJwEo>M0ZAr-~_n6sJdaE?Nm6QpxHU6bm>)pmf8 z3Qj=Udwcjh0aI6YV%5cHgh6yJk%!K|oel)1!{|O0O#B`R|5X|x254dPU7#o~2)2q; zD1{zZMuESIRd&BJjmRI<)8P0xmRxMcBq3DeAjOQCvJyG*n)>S{7ST%VzH^uMZW{ zHy`FeVkBSTYKK6<8jyIJrvv<~hFL~m3irxJ9%t7ga$SX=~i zI&C6={7bo71zUqNv4^1ap|ScDIA<`g)G)4=3JL|IOj?u*;}LQ3xutv`({bCS_zEAz z{k*S&(~RT%#Md~L*MB@g0G8m7JQ0U}S4y6e3C!=h$aj5-;=Ux|Z5PpHp6x)*Jkg}o z%Jp=alD_;~n`3!zaFTC8p$aBIw=xGR;e@j*nuyR$M2IEk5_qWm^m^b{9SlYD$zoQ- zl;OiT600f9|0np;*i%8q}XLSGZq2M$gPhZsUV4b4Y5;|jg!aGz#DQJ@&Uxm5@F z@`+eGw6_MN3s~Ho@9+0o4$wItd8#c5K}_PVxtgpL*+D5}pH#`(QpwF``j884kVs*a2C7I__7~`0Aa{V!dw1;CO8tfO0)7X}~wKyNGYq4h7?-7|Q zv_*&eDZYTzmF-{UKg7W^9i~1KdoSL{Nt<9Cy|vVLz^QSPNcC&o z%lH2wEItHho}E3oa;C@f0n~M9Hqw~Ey=$LY-_Wjv>(2pb}t*_Sf?DzMB|38yKS2a{3h}v*x`duGse~9Ljc;R& z@Ehhg3ZSRb|NsA_pVKDv@EaSK$yJ00ES^TghU`D<_h}hX#5;-%2#1;nF@93zc|5+T zpLpt%=Z>%c`O`umsJpM4m(wBqg^35YP6@ZA!d}1|Kw#RtQ!O(m2i<`%4XtL}fU3*@(3Oig^NP6!hFfngD7LaT- z(aI=WPECH-fENAHd}}Ia{~_5|X7)wX>*_+|%|F8L2#R zxDmsZ1?W4n?ev)UOWT8u6{3{FNxKcvKMYE|H3YCr@p2Y8S+U#dS z!nQVNWfSFuY5%5>GMoW+^(B2PGb2SZhgHz@U>9f-dZ|xcXoqqs2e!@ogDe? zHEI6rk7iWWE4fqKfz-sPLNrkv z%hI~oEBpdhRX?zji3-_k$9DWsK|sd@<0Ef?_rFGk1NNlm=pG!#6hRYE*CdX!nW1qJCwOd=3zaG$Z!*eQmbX3jx zW;iP<++(lnf_42&H)r$smxKSv1`*x#`99o$qI{>vFs+UB2^*DWz*=VYO(wJ{TkVV+ z&TL&xBOZRd{3IOJKApbES_clO#U7}AaTf|v*FdQI7#)w-*ss1y6{#-%&+O#&w+7r}vRAqQ{ICX5%i)6T9X zu-a@OQBs+#Z`ktne-B4+*~;J3QWyyzS&g0L#4{t8KPG3BM2uJ-@`osFqnqge0IE*= AcK`qY diff --git a/docs/inventories/v1.33/objects.inv b/docs/inventories/v1.33/objects.inv index f5ec3fff47eaa4774a2659f4b3bc15939ea9138f..699a73b388336b826807400ed54fc91c35144d42 100644 GIT binary patch delta 7251 zcmX|lc|4T;_r4i3mKiZJ86?rh$eOJY8ALsZ5!u%WA^X1FWACvgiLx~)V_&ip8uLgc zjO_cqWX%?h@E!H}{r+T|PgDiTgx-q01**OUmMs80om^(` zy!+7zKrh&xpL-G+(Xa#EzBXMxe{SQeA8*Q)_paO$!#NUHKsIwMTc88<>LreFqVekKXs>zS64pzT!njPN$u!0b|L|N=@QGEVsl{5_wLCubis=si& zetqM7zhZ4I(0yQFYAYM9?y<53%s=w7ZaptmmwuR55FHR}=bQsc9y_hE_B27JbB?u*GRM;zTz$EcVhX-(ovtd~MLpp(@dQ*R{^ z^z;3r-ssmQQQgfA3VrQB=k}MCj{e}lqZ8EbHN)eB>u``D(j)lR^H`~>fPc;Pd zi7=S5kwz9Ep8IBS($b zSGTf)uNU<15|28)pCGClsmH+Xg(v<^k1T&^uNCY1PS*T#x`{Yj$Oa7fzYj1Rw=8V5 zT)A((3Y4vWoU_ys&^kz>^HP^IlsYf;%1HuVFUwaJQcN^TFC29!aA_DsX3L%ZHtx`4 z(YqOyF?#BE=iwuu@ykd=Z7;KL_+6Lr3FkXQ4n5zPZ&4sy~yy`0gxHezSP*mo~7o8-M3Tj zv)8$-`pHOzA);8&OHDNLlkqLqC+{u$p{hbgDxe7P-X)(RceA}TAcvMO$&;2ZDK<*d zY0#i?eA?P@qiike6Q*e{M*znnqZv+o$j*sKdG(g`Y+{F%DIx7Gskf4ejj8+Vx2cyE z5iCr@GsbBau04qBzdW=_9LaGbHb8VPenZ^oPvv%ZGK+~x~9Ne0p@a0zb z8TT^g=RSNM?&r*ar`)4^%d}l+=_D0b9C(*KpwhbJA*}`zS`D*trcR_ksAPal8h^(N z=WWcGHAs=xxKOOf==q?AejcI;$PN*YljR zX~tyP7TlNF=iz)n7q)0bb$|GyM&u*-o-zn@H2JBNHfKbA0K|e?Q{dO)K&Ry zH*>;wdEP8p=slTmepwjFDXMrs*IKLo!*h;cGQ^&Ij|I0}PYvE(DY(J-g)8o%B&S45 zx*9<0uV7(hY5$rtwPYN|7$#`1JKU6qXd0G?)etoa;8Y{O^uU;f_Q?gg$%v5Y$RajI zDb}IZsgk@MZXXC&aBe#yBzo&iXu$XhXCqhj*c2M0B(6BCxA&xc`X!TD4T{M&RQWT6D|`&YVb<4Ert#A+ zUm$oDHGg24oI3p&o>e?yK^VWx;|~ABc3z!r%~QQ=)k&6qG~zMPI#Cuy>qL!s7voM` zuaf`|m@L5o2+4mVOI&B=VEoo8kV^PL&mC`jy;_nb>L^AO+xqZmUESX?5W_i5H{I$e z#1&!B&W8wLzhJ}8%^wweJwSl183X?eN@`K?(6EAW>e1!l57kIoB}s3Sv1s?QTcXLL zvBO}yvk9aF#Yq;jcNtp6RW@0fsHT}pa^RBkA%6$*OrYU^hT_)nU5H5$5q?oJy*WrC zJu5#v{Ibf|{T&6h3hA~BZ3(_3%&=3+3<_L!umz`VVi7%TVyc3rtrE$G>>fy*%BVHBtw~g~{77WnGRH0_lFFXK++>G5*NOHEK^JOR-Egy zTVa(pXjY-zj-1Qk*^4ENaf>l`+&Yca8RDFGw0vRDDxdHoFow6noJiMTR>;_xI}Kdw zs#eKgv;T1$dlw;!sOfY6XP_yM4rm(2F-wV>G@Mqad8KRv&;8RF;#F&DNQ^bg+bfUJ z#!cFeJdnTC_0(RPUnB}c|4yVG{4t7Z%@tw8&WhN4<$V|=QWuai9Xefb`i#PN?`NP3 zvl{wtoyO{{aleP#x*)k$+)xQv-YsZ*(&c2VP-=3%*O|B|{LsDji~cnK1Mk?Wp7}~s zy)f4)n^ufjq{x%FUKt4*ITRYz(yUI@#x6Fl3u!;ii)ejuW0w052R6T$cky52q$RWQ z!PSJF!seNlxHh5Y40hL7n()LX_n61qB0wu0_$i1*wL+u~-1hD^4{5jp$%t(4%9&aL+rMpe&6i+xBe$9p z;Cq$Qe)1sqzQvq@Jna#(C^-KXrPZ!wX>-jnizO zNmJ+jKPNgMJXV(q$jH_TCPt>)_uHnv8%HokEEYcaOO&{R7?LDl&x}E|_JqDQuq9o9 zVUhaNr~a}v0d`?Gv-h$)JVVsnZ`4$$pkS1{EoWtc{_<593HaxR_2CKPk*&)@k3}ub zGe|Tu>iug*cTjT{eVM9Wf9w+Hn_skMW|KR{Irk3>?+$)L3cexQA#? zfIlT4+tX74VT82n6PEs*&|Vm~^VR4U!;`pDY>%Qn2IJ<@42JH7%_BdcKjo$`nVoF5 z%YhCYO|>F+@Ry>2X0uv*X<;-XDN37Ec`3$4Nj}0oA34q3lBXw&m-ziAetpM?h4sqB z?uHzYrzZlh_)z})8`FBi{Pii|y3ZqsefK>DoWfUQyDxbi2GS6X8n1_Mif9*FU2BN& zzX}?gkf=)$$%Uv7pVK?TV$}hzp<|NEt>Gd0lojmLH1wvJCgL}=3HiQhwChui_#Xib z&D`>8 zE$mFH7*7v^>2meTiuP2JUZLDs&g$NrwCV6X3EBeN(aS!r-1rcoXNFugrEg?Q{ zTa%yr*T@~->#vrI@#my{;(r1Mguk!9W0myiN|CO_*&MbOS$B>7pW0fEY!vRc5*%%b zxkOrVZt;%S?r7w!z3Awhwzo%ejCTQy8drF}s^pCJfN}N)8;;k*xS7cG8kOLBj(2mO z5zM+<$xQVuh11&)7Q4O3ui=?xodJ~-A~=pznxT_owmZ`F;#ov>QtcDGIJ3Rq*92NE{t_2h$tH-Y_ z*w#UJYSE>-by27VPTX8xox$`7^xim_XB;_%wz?hT3(xn_!B40fN zPlCTpAf*in7{Onngx$N6@JM43b`XlPV({6fZ5{n?g;P{;PLwcp*FC;f=1o;CK2Hu> z4eRrGFbNi(ME0V!Zhrv)_)^GUU?wpFMEe9-^cfS1!a)2~uhNzJBnqA%sW+!0fO;QS zhYz{lCVIx@GdvdVfG--WfbAm(efuwnvWgL4+LH0D(r?V_@Y>h^gu-1R)@e`60|xKRutga;0g=lX zc2Cf*N6ahq*SHiJ6pr7p!sgT#+PUYht#+Cj_Ibt(Poxv)lNa#(WId}Qyy#U+F@mYK zZl;QN2B99GglXG>_4b}#1Ut^r=6d^Pq-Y~|+oxps(sMoiT->RvW?}>*ZQT-;>f+>j zd=y5_8`keWvj7GP7m&SIwRAc%;Y%5MLuRA}ID`VN`f~q=QArT&{hFPmzymRYh4vr* z6xZXkFp=J{0a1iJ3U{6O!2%R$KsCc|XXMzyWM==PJj96)CSE+;Vz%-<8-|lXA@~hL zZJ4*vw!WINdRI`1mx$%+q%^3>Jov&qa!A;!5eqb#VQVtLH=wIVik=_=&zR*ig^S28 z=$lToU7m#0y=^n>YDU-sOj__h1v=M_cF4xU@1e}Gt!9x4YF~+j@k6V7qh{E?zun2t zgn!ET)14wfj6djacP=#Gk@6?qdCv14JhOz9)+2Biq>1sTYAbs}fi!W7E-F#MkYv-d zjdp8!`ml-uy+uJ6>gGr3-9{y=EfPkII-|~Lq4YHtKPMp2@F(!7IqVt2iCuGWeZRJ&IPST@_~|p6Nzp=Nac_Y^FIjB@>K-)lKb=KqE%b zE(LBKP}n;7+ZurME5g?n=QZMgH)x!Lm+R;@GGe&QeL%`SFh^v5_KOkdR$%nOZ|Ejv(Sap>0qM9hu5g=)d z!W~BR`tD_?WDGUozbLki34awu1L6ezGL?3dT|LTrsK~um3v6T7i2(d`1C?b0S&QR` zoH>`q;IJ`IXYW3{(48jyf?{M1Y&hw`K3I4k*@wopf0>0Z&FJZu;S|v?#RRO8u9Y(eK3xbvnwmFfUDwO?dtS%|>00 zkX3=@iAlXEN)It#J)6hC$`Wh*I>#i^5%W11R1zHX9hrAgZ6DgVht4-7WF^m|D6>Su zD{!Y@b_ggkBqsgpSVrnPin2)H{RdWalEo3+Ca;6hYAvobeD^sYEz^KU^j$Kb-_KLri4 zVhLH7@P?a^2kn%y)4QAX#nNVxhvt(9(%kJ z!&k5bCAu~l*x-+NddLk1H>=10*;Nu!@m3t5gp!02kw@bELx%Wp(^D>~Uc3kg8El12 z)#X40lk|B4K|53)cy~1vdjkwxK9g^MfMk*uBILhP>8$I5f<@s%cBK-Y?@~jt9P}^~ zAxhY)3qNH5AC>~EGW)iHCG>#QCWPnKl31CpRf$kOjw=tvB#rl#2~Nr3DW*jdZI2$N)Zf zN+?h7WrDLeKV=pl764uTyub)HXA^SB!&Y8iLqMqfxH&U{MNOVdOkV1QPmwBO`zg%e zrqe=yG<_EdX%NIsm4GM29E$iUAZ6&&Kz^;zMoSlo5_U+y1spCH+nHp?9Azs52mqTt0UOVuHqSL$`oTP{55HnU4YW19GP%dUQ79)(y_EV92?Gf;uO|5 zl$ff52>AxtCN-!CEC*A}GO{qYL6xa0l8|Vj98hW*fz4$)S#?0%D!+hg2V*?Okt(6Q zn&m77E_F8LAIZ!5B0c{08x@{S{nMG?W2_sX89 zR4z<`r`elyX%(ozpj>Ze!5$AWKs~eXa*Sw2Sx};_WCPOcUug%2QjeW~iyeOdjausN z{#g4s=ms|s>apt_H2Bf?`6lX4ch|?g$3aT8o49%B-^KB-?|$s|XC@8r`=3>M9cTF? z%%gHMRyIVEyJfDe*={!V@o$f7M=7X~wD^|Cv#!J$Qv+b`k(l3&Jwal#Ibl)yY?J6I zpLfzjP+^J6&CzdGf|}vx{L>O=TSgUnN9{@7p7yh~Z%NuI42@IK7XSZ^AM|0v`;Q-$ zKYvRS^Aqxw4Kd|ewS80$&nifdpG;x6Va((FS&2^iY|H<^<&yp%O#1{NmIa^a>ik^r zopVeyGrswiOOUuK*?EJfc15Zj* ztn5d%F2&KBoA#iJ1*#Dj%=1wTXy%_dx_)U8yYN*z2q$t zyqgy_s~auODHR`$HJ;ZgYCpVR?UJ%BW(VwDA_BAIw@Kv93+EHqqMaUuw|McKnqGf2 z9`e3a$--CiU~D7HU`?=y`uzUEXUk@4P;hAxxgbE#@ZWLr{Oo2`i$YVgYc!~Y?@VQB zXD;XB{e$koiv#^f)HgN^v8j+BSu7#%n@R?4^zIjt=aad*t9Bt?^2=V}-MGV`X9wet ze0>4!Y0D99lHdjHY^U61%BrN-vQ%a2heh{1qg@Y$n;E6T=VWRE{-OPdr2o9O>1epY zfSDQ!;QK97n1*d)ybuk~gYnD=)DAZ_VX{hn;@!7hGiTQu#0qIGc$lVB$Ko%sDfzmi zH+XlU6vLmdz2;TyLacl#vpO`%x3RvQ^b7d89oz&RX)XsQ&$;mV$n`Jx*Sa1b?H2kf z7VWIej=KO;r?I1A(Z2l!rL9GF9gGA>sw4kiDL*bRD>Xb`GM@as6aM8!|D;D-&xb0T!?E|u@yq(-`mce1 zzF3XurO63>`Q=f#_mP+3@xkz5vlN?#SgBHZeja~;tL<|7{$_R)sJB^(yXx0o!_CB- zie~0JL*k;*GjDFu=dYHA6m=~2yNY-FIZph#YxB)y@L+A7t{}wTe6-Az=-PZZntpyI zwZHTx7B=tK&p%48UAQEWkyc$*wCq&?ECw~@<}Z`WGy`R`GaWLDilP^|@_)_hn@6$m zQ{))}4*Y3DGTm0nDqQZqT5hbC&bBK#x41D;;u3Q7eU!mxiB-M1HB@Ybv!~!+>h`Gb z#^~doD7N$QVIAw#-_dj{A2-v}(*t_?FE&^N*D6__TZupD8oKnBIqQ?mu>|1gG~8*=0OdQ2%B08aO2VrxNFlnk{SB z*+rHa7}g%hzv}Ew0Yx!p+il_Q^=L z#w}^8TgK4*R(s4;gL}~N(Z;L;TeP?cl55IxbHk4RymotIy~?J=ezYZ(`jc4C$H}~UK=^3CI*qKa{&5$q-SE^~rR&@B zHYc8YFbv+lt@HWd^oZ3sXExLy;$`+@r;M`(hAv_<2l*JJNVlbndK?IR-! z`e0|%d9+&1!PV)l`67TsW@ubKdf!A@tA9IWPZzWY_<1KC|2-nSmu&(`o-{y&{kjz<@iyeVY`IL867}46@TGK2> zYjcL8I$5QmcA)3*-_`Bm;GiS9uU)^oo!^*wmrs@M@=mTCN-0$|94yrnxcM1J0lx2x z?yr6>HA`JQRO)}eg^k2*`mf#}-F+F&(u7P|?szFQH8^@my%%(@b&KBMGT<5PKenkq zEYBG7>|f>{e{QfCIiiBw$ZNX7b~NzFoN>JR))e8m;b>*}ZOWaW$#v4p zEBhM9-(>CSHVTi9i>z*lxC>35`;uy zjcdFCBnZOmD&Rgyt69(Ebo&Bc#L&d2fI}5Z>x4cf(`e<eCkd z&H=%|S4v@N#Y~S+6QzxB7so9L$9}>tKe59g$ds<*1CN7Gq7nRm7%WRc;W@jVEn2}x zwW2YhCd_~>$kw>%IM`QF{6pptPeqU>?|!k(sJWnd;AnfJiPs>1+#0=}ci?6_DwUP> zUU%|8Dw`azw}HEWx#iCGzc<4?5pAHh0;}V^!(q(itF_FSEkrYQvlMl@V$f~2yKR?5 zdF&O^h(r2MlhnT9I}Y?Lg~OlRgroSk-h9T1$E*TZ(Qg&8tX|q(aaX-WgpJlG#&I>k z*htFg@7LKf3g2vbbm@mRR5ZG-A$Smj8Y(J*qjEgbx$zNk$!Yd-gHML2>)r41THl#i;%>4P&l?>%#VX_udn^=Ct*b*Uxd)p|L0`4tznU610` z_G}>NrnoqwiK;1FrRKG=39}7I`Nc|KUkS}Q8k|97+%LIR&}@9|<g7Dr*iC0;)ewrj6T2V7sKwAF+$h||8u!QqGxmtS zU6fNe`vROjFm5KaxR^TgCEAV$<;6L$t`_V{5+QDgK$cq~LaO^qGY_2UpR2h?z^{qLIam(^jXEG=CbLp4P#7fyWe?^Gm1rj^V1RNr1iAo2&30r6j3^On2xsP1U@ zE`8Q6TLcC%IcewGZp(?86Upvji*RJS%9^~qo@R5pn&CeH`|KATrm7d7KE9Zaxd`Ej z3Q4cHr}F-U`H7%E98NrRvQ>6X4nCZ2&l0Em3^`I+18;3?UoA(#s90Nof4>`@Rv4xCPG=%Bc{y2J)WJFV+dkN$LxqCWTFL}Z`Mok(; z7G{Ui&YFgw3%3sMFj1v_I(scf@l|An46GCMx zlF*ezI8eXWlBV5M+H+tn4AQ)K;&OH$vkKssI4iYXD^8kX;MmkRP)tWnCr$Bzhfgtu zncE5-EQgKne3qA1z4rOJPA?j+fkx=B{ZWxqPUG#sbF^qS)e8Ff`=XkV0SJ{Jh*s*> zGVcdYNhNRT`Pshk!ucFUWH3LaBXuqFF>DZF=*oNEPY6@h^G`*u3hT~$wunkLjsfy= zT*)>k);u-P@`&sBz@Qub^D9BM3pPU;&3$9VaB4Vp#uq(!pdCH#Mb*cJoUyp+_x&TR zW6tsP9i^Nw)-LU9X(e_77x*)}(r<>P9Tc2Fsoh9l)71)6#LQkZ-JBMdKB*@6U^!L?7St(2^Ofk3{Yb z7wz6~5hnf!uAvf5R9lHJ@9%F@iUR2Mf*M|<1v zqI*T5NR}bfhzkb_1-5U zOiUar0XH`P;{fqK;lO;#fwS-~vuf+Ij4&;@MgAa4yr~$`0={lhok16KQ<^9Ij(?jN zUGFt{p1F55N&hWgTZm?On-8)l^mT)DrH(E%PM-==^woD!)Qa>Lkx8R2qiFa+8BVc- z_C+$NRQCa;nUOy9&mk;7q7tW~?`pJMqvzRTZ4`!g=_7OzK_4%&%f-#%=f_KsJ zp>y%S(tq{EgyLB*(5OeeI=$7btDDQ6rG8y1-mA3P9D05)1yJ0Q^p*N2fsPXqX10ha z%+6lCm{wvVK+7Moo|#tiNPw9?ZY47<)9&I0CLm@tGcD)Tlp#LCu{`z&Uh3wulqfzX zndlCX$o{e!(2+QEn&@Aa&Sl(NH$TY~wUbQIt31h+`{CfL$ySjwo*8ZNuwK8l4f`Q0$of(sIA7S z!t!F&t#NG8C;QYdri)E3OX8H4QKBX+K)M9*=-B&GC7zx7>Zxzn(zLL3HX^%#o#FFRqtfuzg=&w7n$q0MdekS-qVEk0N!q*GsHXqhc2agHQCB+FU z%-Le{{cotQDrxK_4qg|c1wWErlA>=ZrH9dX`KI)}ojSO{8ndLB_Q4T!l`45jaotic zXU$S~O*TYPuXH-RSl1!QdvVEsSnSry`U@D4lamUIA~>9ANQfxbbqd-vOyVk6pWL)V zUsh*<-|1PreDe;2P1?ZUp0YA`wD!n&$g6jW@ztp&jv^`irjB$l-{02zlDF#lOdY&( z>1PLOP!g$8MvE9 z?5ENVGMXOppb=w=AmSV{i!SG`%QS~O$=w`@YYJCDZiOr~hX`$25qG}tdxi3v(`J^_ zay=}#m6}C(o$Cs^Qx4?{${`g~+C-~eKxLnxTs4`b)Wfz*|2l(4#UT>Vp}tElpaXG2 zIdo*e%mozoDT+((BdNGzvNg#JFl!Xh@_f-OQHwQe6xH%9XfB8S8U#-{L)YNN*9k*l zJ{Rc9mFz|MFc{|&l_1dl{H+meELXs(5aq3HCpc4-^`6j-hm3NS`Dtx z%gY6HN1{~%IvRVzNJj!v4ju9WyMnwWT795{uhd;Z@e+_7=#ckoR{&Ha(b^4ns89_O zoT zkyP`8j{it^1GPxD?m$P&R@^{~l4?D0m$ptaq;~waH}*@i?SiFFR`>*%&kgDd&o@mS zWA<=GWAgBVND6bY8`^^8!Id}5yycEIDAHB9wZJUwg$BAcZ5%%3nm6Va*tT1(3t;s;$5>f#jD^FE~W~V_;_NvEMZ03rV^h+v<)OII}A(P2wJ-wD8hTjNjC$09vb$;L)Uj_1&&WkGSaY))ak`o~*z-5S!T{uFQWbA)hDVW4AFijU9ri zb6JhrAi0r#L7v5|Y^$`uFB5`5>T1^egy!xCFDvnl#3u_-@moDpV0Cw>8GqjspJ13% zmEn>}w*q9no{=w@0#3(8xxx!gFK{%4b2{ly&n588mF%jLMo+!ut_ED}~&K4fMJ zLHB8fI($5DfdXkOdqWbD9$_%2TEi`qZwinNB|El;O8nUAtN<73`O4H4VwlUMi;(Gg za_S+GI*;h;ge2pclECH!*N12_{#w!#S;)!*e==S?=}91DKuKta!XOq~7ra1w(yfA5a8-@!LaEnDjU13#8-?#+bXFiI4{Xppiw2-P+cE8sTocd~xTCrkhi-v?K!@zfvY*a@xyGS#V9K2W=wV}(qu zt5f+uoQwj?%s&MAx(uJVZQrFa48g9P5~xI#3C$Rj8m&MNDas*WVJt_>oezLuHNjgk}Osr%R*{Mq&U` zY67^&M6edmn4G=NU0oXSxs9;_Z@8b)Wyf4IcR? zig@R1(r7;{U`YU%<^i+PMPjl@yAXDfM0`yOk;u zlS(2R&6-(hA!k04$bj~&td$WGlS3j~%?9dQBWDW!yGvRfzVqxZi|}1AE-1>Bzx&DC zDcGN7!=*7@CCK_l)Xml%a9iN1A7%}IgD(U{xn3!}`TaN8ComK!Z@zvEl2cR@0^nXHszfA)Y}{$reh9CsVSH~e4U^s!DAXfI z#LvRawq%McS{J-Rxvh1d_m&J7NNT*@ds6uL0#1T#Y1_}zw}{3vxIHYY$Lpq?nPjjY zZ<}&DEYsb3yidwmT44Wz*+Zfd?sO;p+J-&d6L3mH!3M^VsVk&ZAQLPYFZ~zt?GXM? zMy!-Z{*kEDABn98pOr$_H?R*^_aK`4x82tUQm*;!Zlj}uL6wSX642q|fneoH#mM1` z5sQJVA<7`7`$m;xeJ&xOTS_NsIqFp!0@6@AE1Ufgkh{`p*}S<6fZixUdf-kKsy~o3 zze#6Z13Wl}V2{trrhy)hKTes8gH~D;3*#H3sNew^cqv#Ml&N_CBqB!v=+{H9u>M0> zz>z?y8#FDNn zbopqMo;M*84P&Ltw?Og2Af_G~>~#5xsiN(xjG7_`+nNB*6dbxkcXqgCHVQ)kN4Z?d zeH1UmWKxDd?TzeKdKx2<)L1L!K-@pnY$MnEVl%Fs=fhJ9Mu%h}q6kFl#rqmCO{SVj zXcgp~y$LT$C1!-~J<4ylNBGXUj@128{Ppo;n&Jc6WD_uoc2B8EY+GJM2+9-IYE2y@ z4;)=?+~CmocLNy~V|_g){O{$@8#T=OgUGPd6inhjS+k!He>w#e9o<+fk=JL2*HOZKwkw*PmX(FRnEB5}H6Z{7X~V)lLfZ(+|S-!^h9 z{ma6xTZmEu5US=W35+cC@@+5HPU9qjDPW=Z);3G+I#v?sUqJG0$Jah{kp#vUkhiwo z1Mc)=kF{l+L&WO5is&^0^ht+hd+Waj zl0^|F4?e)YEcg$?*#5ol{hgh;oT$EW%eeZ@{e?Mkgo@NVS)v6|`)UHv)mx1FYOwOy zOGM@$`$CZxeRp(Dbmz|Ww^voM^s6MTOrcvWh9_S=5y=mbd>1$<81~yasD3{nnEYz} zP&;Nga>Zo5DA)7ne&$X_4OwcIH~P>0NV;QlseYAo>wS`Sa4ydMd*$KmpjBbY z@5vgpQ<|xdvr{?iSCW!aMb2R!X>4`B4`2gL=FyhC-WvfcK^OtKU$ue}8*o zWpbl@xM6>^xR|kK(%bj#;6Fiyam)laYxqzddE=6b$aHyc(NuZw@xkb^f$`#Co(^}4 zz5i>M=fz!_Pj+i;$*}>BJdlz5!L|D)6hpJ`S~K%Gj7ix=T9t(vBa!3=jUDwhFFS z94>1qsm^wMw%)QgKTDQVs;hFBq8{NjXs(u^E0-^t1nSv=l0v`H`&?qGwKq_!o!=rS zCj;dr%UsHpxGztNaVda4e37+8QS6jbzJ~;To%*2vC%y!|_3Sx%Nj7^zDuq>c$8=0% zW?LSeA1HnGYK-x_820;hHx#xf-Znr^MMi_&B{&_uL!qRT(9UF^hi>NZA)#W9KVp*^0%qA1!$J z8|x&vD@~6ErCNUal`?tQ)ABpZtnO%GU8%urM@#4S;l4*DWxWb4T#+|x>6`C3Ygo2O zt(_^6Qn0f)aoDo=nb%sJ)h%dSxpu!k*syhDL&ogsD!?;+{J;%;eCs|d#Q%NDZVhA2 zO5jdW^3Kl7>AYIILm^{MhP!ejIz5+%jJWcMD`F4X?gpuE)2PXOc)3FoiEJ9H-!1R$ z4tpK8%1ECp@L+{2A@Ej6fKvnBIVDAN;%|^8_XBS3!Y_dv@vmCGeYB^}#ukO-k$Ur{ zt&)EX)eZt`mj~{Rrc6>m`iI@sG1iqY>W>z}myvi%Jit=sN2!Z5yP|5 z*Z|-V@ncfa0V0y;*-f4Zc>c3Q@pwOsK;T>zYM*9ISrM`-D8%{uisTIj`wl;jNis@N z#Pxc@lM^jXUM57&hh(KMbd&bKVn6S&j0`8;AZYeH3*M$Z`dKnjRIx++bD%O@&ouRA zxH7Vu%)L@Zs?>UuFn4vM$l4;@#KJh`qo8MIg4(LsY@knJHOaAYM`p@2=NJ+!?O-9rHah=&vpJgbOFYoiVr=hkJ71IU;MU;*5L2eG o*5HxeNTbx=KxEkSkpJ4F1!v6YK+;GFv@LD6Eghe`!I2>LKg8nOq5uE@ diff --git a/docs/inventories/v1.34/objects.inv b/docs/inventories/v1.34/objects.inv index 41d63ef51a4abefdade5b962f5114c4937322ed8..268bf7066a9b7d90c4f42b1cde5188023fb10311 100644 GIT binary patch delta 13669 zcmYMabwHcV6DdK-!j2m~ zEJCMOGi#7pxkKaQ5n_;KU^X+@ILfe94~p{&q2cQ+YFRS61|5*Q+yYOacOrJBK)2D# zKfJ2nia<rnz{dD96o~Fc4+%}w#J~QW zc9{B+$q_cB#23cThXAdLgP(p7!%v6a&Bc{PmE&;ZhvTCF_(_s^ltasfB`QDIVZOo0 zjzozau?UQ%0gbD$@v8v=MFI~^%4u#6KS|Pj zZpY-u6f7wGaKStEOd=)E`Q*(Fm@CBu5JvV(pVgLl#dsOQh=}^9O%I966N|~WaY(0A z@|%mbuKafh_Nk^);FZhNsUgJMIdI2wmLxq;_l6&ji=AQz%1GxYo$x-K6bttJi)&b5 zmuQNmWt( z1OEKZN+FrNH!2CNv#rf=(>8Bl$V!1j5KCZ;nF=#pO`d@QBMqODQ~tfbsi;k!7Vkqm z8NNGH1N+Q1-~bin@b;lj!W>$Ax0Fws(vnC5#|;CJkSwC?9#TZ>&3z=a<|JX>K{EHq zR(=kEi-rLhFk-%LSs*dw_l?2r!vHjLC1=J6)5!+*d~ukAQojNlSxj+tsc{oxCLKe zgK7ej(SiU6D1R^Nr*H~$Nxs3-U|uXCVz z`_NqPTaa8P0*?&`P{PzV$a6WT67}-01Ij};F{BIYkm^qabDEo)XppTx=2n5I_}wHb zPQ6~;8aG3>K7v9>abQV5IprAIYL-LLJNd|9 zMP`ARdi#g2YKc0(V-9GfIrWr~$)jzivLuskN(JDB)Ej|gU~xnW6AjYQ{_lpSpk z%gl1Ak{aRf&Uv%##OfhU#t%Mm^LANZisW6U(ekm~{C>#2y02W5aQ$VhVqv$<53+O2ktJXZl82$&8sAb^0c{{+z`6On506|5va7X|2GZdFA&1ABA zSAD|Px>{zUCj(Xhy|X0TKRlIPI>Js9!78!{Av5vXH0;Lw#BYIUS5K!;?m%6-OvP9~ z;#h_>^||1!6xp*e1kGQ+dHwU~B5h~_>s1SGud9gQv&NT1tV-+0aAnJ|+RsapZIMfe z2xJ4}e0;tcD#(AVaS^6}2!FmAKKZdoOaKM3J{$p5GN{A{qG(_SlDjdua@BtomC+1@ zcOvE$!UXh>KUrkv;&U@&IuaF@im2!{b1D@X$#`Mqi8c)}oi1&D4+Idvogx5WVl87F zeF?@ze3YP1{h(?k{SLbBW>I)i1b~s$^^>7On@NvP@S8G$87<3Vu)-UOaT8JaRs=wd zsGcq%^(~UGnZjnMkAK0vEXGJGE1WwLz(87?Xhql+`I`Q8xZUUM@Ovzlf5E6yY;Leox2IwicWI*BJ6|bZh+nWN`;6!j*!P)qfBk&`ygd?N zNb{*}G&qIfamO^|x6f$xKg^X_&0)#3H~DrAVdrqRSS*8bdxH-2!A$yei+^EKI)5sQ%3{TP$Hk~ zQ4Qf9(EwsZ4R~}kKnq=NbsVJXE`JH%iUzPD`oM8w01yEFAY3a3z=>!K4~qd10X^`F zt-B@KtI@tB80CriOT&v}0B-;aKj45^z#GI2xM?iF8nEL8?~eu00U)&S!BpE|-%sfG1|>A`JxprYWZI@$ZQEJf&&hu5A~2o8J>vkvtOvb!`7 z^~V@l;2n+83T0;-gUT0Ccv?Il8IcvvkN~&_5H2=Rya!BD!0Kx`=KVTCozyU~6CteL zLVusvCtO-Qz|fid0L%>C6{B=jKJ762%*IA50YlxjIg{vBExiSUjR+ojMawU8-~5xc z0tKpgs)W>QW9X@*yLZrvPbrm<>Hc_z;v@EtJezeotgCe;iZN#UY?-RA2V>ybeQ(a% zRp!isrEI%g!BVqqwApe$`p|hDB)nS~7kDLwYDa4JL-(D>^@n8#&^lvRriJKJ_hat! z!$okFzU3FD=ORA!_JWFI`JhWIULsG41GiMH4(7pMPDG#3_d;%Ds2;Z4-L?fzV#$^qRrjuY=l*QQrlpJ@dh9_1Oz`^t8cVx zdmgtvga&-e#WkDIwOU`@Y#M1ZsgO_|Yh3KNzj4h*E6XCREg_&Mb$uKN{3Bbrkj>=} z`rh7|{HKDVEKsKmZOkV@_h~aeUQMXy;Oz3J{3pG;hK0G6{hp9dr5CnynQzIx>yHwu z67@tzjUQm7*Ddnn>`HB2hZ{G7CYIL3YAxwCpT|ed;uw$EGP?v!r~^<&JB{TSkGDl<}Lb*a2WJ0o=+gHo>ZZ;?J^v(h^5dbF%(#HNN7 z(#yo6CN@mR3CG-z+v{KL^&7UTkGjQ>z5UNYt>T25EXfq?=o%E8%DVE9ot*em0tH#Dr z7gLizfBF`7{7kq9l!bZt(gW0+)o*8>-gfYv@MSL?QZDRQHu^fsHm;YSH=X>9An@i1 z<{^b?KldWcC-6M<1f%(x|FDp=;PzXcyv?HqO02_)I1etG})4EU}D=4VaV$L$8VJ?(PY&1?sd}P z5yS0+AE~{N!=ZsF>rA$LNhq5ufg;}iQQAW@#aoR}yw}#+(S+X32U$mdXvPXeXB*s0 zlAUb%H_i2S8!9tB5bFRIvjQEYHc%vl!oNHs5Vfpbus!$Xjcl&+pO(tD=rzH5A2}GT zu?!FQukK;OM}41XFH#u<@-eztx6>x{-Mn-X{w7$GRS*f*)rNmsI%IK!-JAb3>2|B8 zQphz75Bng2%$IX)L=MYik*HBKLB!t9?jmdBz^51IXs_-K#wl{SgrA@)l+qUOEyY8w zvvhLq>2%$Z?E06sO`C2BQyfE8@16=6Vqg@_gxn-~oAK!dV*o@NN>PV%+B5*RA>sZM15*3U$`=vkg4s7cP=>>w{AqLyy zx#wh;1Qsvs3MM5#kXU>38GaVaIDBU}GrvCA{Xw_QMJSW)7DCVD9w?nL+m2!SSz3Du zxP4bhQTHaqxUA(y$Tmg#eUzy-lEC{>CmMjQ>@+nJ)nQQf;6)JMFSA2XXyv;Gw&JZP zey{Aw&b{9k2>iexqzUV?k1bCv$Z(u#fTcNNni@!_Ia7;AFN$d1fi9x^C! z-URdH(JKL)D!fjpKM?2@xrlE4N@NU44)U$igHM`q8 zf0zGUKl@d)eS^*TMO?_WM~k6ErG7MJ9U}TyV;-cz!e{p(LSHJ6*Dg-F9_F_s6}Llc zw2KR01y4J7?{uzpYQ6xw%H5sVA|##^B2^aGVMUUuhnWj3LQcVMz73q-yYFNF-n?B= zdR$k-%y<_=dX|-^eWB7F9{lqpb8Y0l_|dz7Z>_44_r#v$oNPOM2~X%r?^nTU`H|MS=JoGQ~4{DKL#Zim(&>$IYXZrzH@<%E@#c0^i>Y=tyjVyZRix|1-sirQ8tFM1E@h4oh*T+@yDKepv*pE}==^<|$QgEvg z8E0|~^M22mvzbrfH}5|?QA-$nx@_KY$_SGfncV;Bx#o=f&Qy?vNqFffRbnR!_pJIH zH#PV4dPKX-*gyk&25CtIT4Z7J^S&iH;uz) zhb*NEFORuMyZ)4?(vYPP+be zShpyzZ*!eYU&yYYhzU0#7n)8deziTo<;y#6$HlYzW$mn@0PE{3cD9yfN!RjIwVCHL z#{gA#>ISh8`BIcq-X?gpYKz*O4K|0kEB*Tt{rBq za|1X8SDJGLWoDyggoT*jojoqQ;Sc{MX}SQkzC!@UmTY(Fka@X4tl-C+YXW#jhLEYt*%xLnY{gwB_Z z4q1CuT7Syu3H2Wyw4ZsbN6y(+SqZLDe-MfK;Ouj=e-OWa+xKdxhH_%!h|@UvP??I=9qk<`A_9u{k)oIR1nI(6AxRX!)=%v zRAs;Bw{G{(G(f+RM_*@$%aryQZ0Tt=DM0=9$kcl*dD{L~Jkaa0p$)%+Nu+hHqH3X) zuuf`8*|9HCV40qkZYBRW(>m^rsvyR>?@F|{^y;37&oZRa`qQoJLF9fVOGB@m?pAt zdxa|+mdm8GrrP~i!(HTblU1!WJ2q9X_kY!J0X$^yWSqVN*s`@#+Z_g!)Vxa@%!3{t zrDv?;AU|A;rKVry=C0=5$;kT*46#QQmUZLe)Dpr%ZZEYt11`16%El|&P1OBl8joE1 zEcvRAA;IJ@ZUeaP&rM}-7)e#%yPQfXyT0ePK5?3}XgprBWjD^YGw>-7MJuZtzg5yY zPUmip!Q6e*3R44_9`)yQU2yGs7)UZ}pyRorCcUgf{oiXaVBsa!UH z1DmDH&<9VfW-vVso3+z}Z!>5{g0JJX%?5`nbB<{T=;tVh`H#_H&==UIz8ncZ2}Y8{^e&Mwh=pWx!Y0#1{>wfry{f+q88r6C!U<4|}5EVot^c4gbK zAa;v(7l4t_(3SaaBzIiK>EzOuJbev4=R6Lj`4CH$m%QAs<4N9N?oo;9bHjn{;AWme zl$%o$d1sB;*FIJl^4Sl0KHSw~89g@YhHqR=Wj&004#Kb2IY0Sp4>&Q26bpKqF`mnH zV>A#qh`8)1OO9eRkbcbgZhErTCW#BPY*KH8PAspX{c!%N&-M1Hx^k_1vGZ$JTc>AB z0;HlQQ$(C^a5!tJ?V)SrZHSqDB6w&SSlx+mxtUJ;4j*Poqq)4#@+b+osd zm?rt}slBlP!H5Nx<#1GQw(5TVSUZp3Fv#iwZ0tVGY?ZV`CW#d{H;Bb^whoXiUUgl? zD5?oZo~<>YP5g?i`5<4--&C2|qiS9l`+&8%(y(Ne9aW{em~*yxL8x{b9Y3Pw4!go$ z%}W460<(r1+1_O*8M4=z`8%^+rAZ91i#3vFu33mz!{*O*Xm*a&#g+>Ho-HnNR8`LU zDQRB>Kpb|y{s}?%=B`1D)%|*sb91(3Pq@}tY}WAF?%}X}9EZOyxIo9{_^6pO`6nCSn~{D# ziK!Li^MQS7-XT&nohNs@CDOma{xkZlW$IMSBXw!_#_fhGwOs#^^k&596H8e+TR`9( zU(X35QTY#v~nqC!Y&$l$%rsZNMW7W+yC`5sH=3Pg#_`Pwdt7m%X7n30&wl zNlTf^=knH8wN|b4$%@Nk{5!7uIQ6}(YW0vMjyud(==^AL9yf`;%`z9UPS1cS*hT8q zUO6pu!%y4b+Z*2gOo730F{~W5*8zO^8PrV%Zk3Ib`$sZZF0rq1hZIZt>fhtqPPyP2 z(s-@16j_0m^WpGd)lbs!PODBR&C!-}1-XsrSy34cotNk%QQ>V-LTn~a&wJ$IEk)@V zL8{kSdBgjs;^fCD|XynHlsC{s(MgS*lO8qQWF{PnMjMS=%huaBztUau2UOo1) zV0>k;;ct6;+r?;o7{baoQNoR-uIQn&mEG+XEK&m>v$EKJ(;Kniv2psN>x+-Zk+a8s!09xVfu#j$`(OVduwv-|L!R1_N-#o=_A^24qeK7O!f6&k&@?q2`!hmb(aYBAvVMMu%FuQqLQ{9 zq9=|yQy=m|({uEBMBIAo56JKK4aJ z`Q~}h>&czgBl^r|v{Y1jXlY3P$V{R=45!WuU#8-SqwB?WR)HPXzPmJy(f3ryx7Kq@`!Y zIkX+%G#(|)<&HP@?FV+-Un6AWloV%Lhum4#|H=NMR=S5?T=2*g@bTOGrDKIeXV@pb z&ju}fC5#~y;Zr%Nf4hWMcB>^<=bsPQ+091~WBQA=Yq7s+zZEq4{k>AsMlmp@VW*x& zj4lln2Az*1%sXXPRRDuU-hmoM!b-qj2uCO`PN1^kA2gp{laLd|BS+E}wk8q|>j$Q* zpisZ|rW7&OU-bwNwUYbr!78esatKyLPTnC;GM#F3iq6IB7?(5Nd1$Gq_kmOixm+7M zfIlFofcgRDW|lxKAO=(cna`M!aZe z#hC0tRQi(Z#!9KLETiy$^L-Z4QKBr(5962XkAQ&@=@nk{ zBfqXkd{+yj%AZ3yJ$|l93CZcnzuSmu+{mz{u@fiji@sdOI()x)edS-RW~%X+D1Xz7 z@V-@P?pQc5c(2XFp)G7UZXVal`2_hK$FNve!hnf%uKjyuHX58-I`Qy(bwVgI4qdcR zC0XB()>dB7QAX$@n%(8*LOtv!fTw(48F`8@IyR;&q4Z-vnc5VX^MZG{qeJ}E@vg=) zRZdJ??a8`7VMcOGS52WvS-4MU%{tGFmsPpf=+qvr5u8$eg>DybpL)ZfD0@X$&cY;R z>7_92XH2W#7RDy5$TTvg?-r4S9THreWN>C-4ptGZc<*uY>XOiE{RrOE0+54wclQ=b zr^~6~4n>yQEa3|C-i=@%c6Vl???ur?iz`TZQOvVM9CP6tnb!>PCEJcfn(8i|2f(s{ zv!!BTzY9{SczjSf5Bm^>eJ0ziyb&7(cF-;fo{WX!5`9-pjo0%@!RGY=pwzQXz8xab zKUD5Q;)@a<8KQnD=T&cJ8lPdL#*vRJylAG})b~+8nA(;pRqXzNi&*H-EvoKa@(s_r znhzfD;12d@?>{$CvV+Xro{Kxz?}Bbmin#4^4WrcG{_f{(hf^|q`MvivOLp7i=h@1Z z`b}axF4O!0-l%{oQaD_Rhv@sXK5-!auKq*U*I>@GwnH2HS2M{~`%Ts`F}y*)>1+(F zW|{rjhZ*ZvC0MUOO#Y>T&1eyEigVRI=zQf2ZT>ho|AeXg1f znp{&xEeZ*ppYvB1k2W>dMrO1AxG4jk=8D|}9#vw@U8W9_E6Twxs}^hPaA zB4y4U`uRb6-=|mlj5vI>Dk*fAgKNbXKQy!%eZ^$gXJcqL|I_*FcXUiHSFqbhuL=PN zr24PfEzW`H$yPoKi{?1Xd{p#|&$fRnzP@?BHhb>4_|rLJr7hc04a=frKWbg6>D`1A7aeN?%nmi<7lFT;J|3nBYG+`lOYbTP%TZu@BcNthpgxZuHy?JM?IdaS_yul+sx$K zr>g$D*hin3&`G7XNlAI(s%u<+x3|hkvVMYb_+<22i2POt|i z-rV-*%PrXf&2tcA3D3_YSRz^1qgU7J1&#isoFCtLF8*qXBtK03(5|-}|Jn|@$Trtx zac2fP5%=U|i0I;DJJ}}S!khVY(XS#D3guFg)rsw(WC}}Ztx>nFSgSF>Ch&#(3upKnm>4W?8`u;ILUCT_CTI|_;*Q3<5O+5;=>o0RX3kunz^r@>^|_m_;xOJwW>>S~KquvYd!vJHUL%_m_?rzh=a*J-W?t*=`Q3VI_t%##i5wia{7%4kuAN`= zoLF{RG(CaUb@ptmUd%T^^Iw@pyb>g(>}V4-JgMF+A9!_#(b4z7`Ml@%n1+rh{D;EF z5Ex;9K62T5B*jDrp=H5@Vt`dmpWgZ}e(U8up#Azg0pwhJH~%H4;a9~yM#m^?s;>xP z=;USF1tCEk?HqawU)5G%DuI&cV^;;2OWWH-b6z4?D!xj3`vdgi%`6Iw!~woY+%N{6 zK5@a3#5lfe7y+g%GkXueBad7xol-cnOGPD6Hj;o!0$goX-d@#VulA%U96C++;4ICs_`W3s+3iCX&+ylzghQx`m6(Y4=RlUprX zyNpkWI9+C)5eDRXK2!It6T>z0kY&(&JC?`s<>KhH!b2S!MlC#}|KeD}9P#}x^FD;Fg#5oOqCf67pLnwL+ z#tLBs$RPATq&`d9X{iKiqMuUpa}wNn>%lE!B1$6|3>P24J$#$BIzWZ|br)k_j|7dZ z$&BFaa*i?vI}TI5VA%^dsFh6u1Af1ALrjaI8Y3- zkJ({crZ(((^%%y(wR5M$I_%Lt^PP7#=K$oywAnV#Bs+1b+qPna<9x9aSJeLmYYMkf=A zgYu53vxdK)XY@5HS+4z2F!7P;Q0r`XRN^eP!lBbY&OPmz8R^NMakJ9V>HmwFqJu9v zR+{%vEGC- z%zQIfm;op>=EnHl>YfdPPcCC!DG1X+r+bYrBD0$cM2TZYFL>3zMfn!qBnM&$OY0N* zf?guaL)@dY>#qrtclxgyzNj;l7O-oKg`1O{zgm_2tw5IfKj@N=2|HcdPBGn3+qw9r zx}cb-h0!6)B%j-&%4}lc-zfFBxJV|y!K;7gqJ)XRcJ7~$(wmm11^aOh5t9uArOA*) z#bW+8+}zH>$NaPj#aBwydMi6JE!c0vsi7ppjN$^JRf)A!3TFwX1Q6F?+UP`R%3NS` z9#F}TVOXAx!!OOs>u8r-z@(I>p%4qec2W%VEKJWmJ%k~~HCL5oeYaKk(z8RqcW zR_uaqQu@QW7*AN~rz`)<_#@-@v_fZ8h{eoI3>ic&a>o1E#nur&$VooYlQpmIBd1!u zj~RVo>~QY5iL7(70y%sJnKT3X?OHwNLb?P;EqVes>|oj64EicY&K&>)JGup82b^f1 z54Cz^IsG4*zL9-_t+AIv;rIfX81lZj^P2jTWs26TBu zdqv2pt#=UG7;JfKnEQ7zeF_%_uls27SP53oC=KR32f3LH1ANw=o9{n2S_z- zRQNT9r)-A0L&0`Mp1L9s>oB;8KbI#|b-pqDg%j2>A0pPbQW9kKLWeE|U%bGEO=r`+ z=hjO5KoCXQ`VO63X&Ald{c0?g%q}w>6S~w}eYzNcJQ1>HUJ?eJoU@oAKkZ#-aD-NV zTAaq=@Ta5EU2&WLU~%E2`x^Md7>LfbjY|42VgL9~JwDQC?kIm4WzmSBMSsAh1uDg9 zX~{yTg>c{^5Ek-$YkL;h+f2{26hbA*Vxobv#utyz;=8FV(wGau*g_RJCMd>~tg=6= z5KraD#_h1pQyb=7CJf{CgUlX)tYkHM_o2^U?X2O8qA$CnPV0T%TOup9_f9sf_C(2Z3wiE9?0N4jJ8 zbauw&rxYjq!t|HlwrcH|ndoz{D=0WU|5Z3_1e*Es<7E5N6$VCeh7sR(MfwYWGu%mg z8M38m;wwZ-;F!#de9s^pTy59ZMK^!>PY&`XV<8C@NFbNz@ukKUi(m3ZzegAV6Z2R= zevI4X#Y&??m(LTJu!*`*Rbpl_+WB8Gr}PL+>`iE@sBw$v?HJDkY=|N>{S;ua+)8Ph z1PU0l!tg3tL}El8LPz8F>7N)F7Pt}*DrlTWMK6ffvU@qC_#dJ_4ZGeIhu({rehrqD zbqM4FSQIhSGb9kP<#VzH-ShPhhY}oL?J?6bg;KHPb6Wk^!Q>HSWlxfIGdd~TzknC6 z@dDl)JVDD#>Y>puFm**Tz%LV%P9l^d|FZWo@#UrSs}EYE z3?sPC%MIWax|`*XZO@&1naO>bnc)o5cqc`74705#X|t}l^&!<9%vj)au3>6}?q2l% zJCn27dSY@S$ZJCQ+v_5$HO$muu~sr6BJWuS&qPj9;!qAl!Ln}j0)~35Nd+VtwBGR~ zd_d2>RnMLcB~FNVOfVO9kW}cC%GiY60bxP^s9?Dm+8MGBo^)hX_|`f@?AU~CTg?&- zV&GY$IP3#0D65-t4Y~!+nz93ZOj7(#fI8e7h-j8@FhDFqmE0LK+7=Fu6OBI`)WoyU z_KdIjd7RR(8{Hhfg(<$-3jQz;a{cZ;g8^D(i0!})<3r5}lUZVj9mJLKM9s3YSZ0Ww z#O1+?G7Jq{VTfJCl~G1Dvdmv)h=pz8@~}l2s$!gTLaBVxSKs$j)7h2$uta>Z7{m2I z=_59Oan7;7Es&|4uziC(UnpHWWGvi*L|e8?nc(^r z9UQwQhXC6&h50A2#d4UKn%Xp_`6tkK!u`On+Yf5lR=4Wvbq^F0s*s0?AGU#~*Fh!b z831e~F6bX$^eo;fA}nk!sGMI+CeIi)HZd18!4Ex)Z;A?wnhQGX7h}jhW~n6X58WPy z?52R=exd$Qx>3k#+?JmGus^h*uWr^g=oheoyP+Y}(J5?p-nIW1x3&rfm!oDx54HRb*-Zf1!ThRUOvWIqIa~Yozh3s7fXs&HlNd+`ynHoXH|Bct3s}d`K#s}E z1?BfgXCo`m0NR?S{JH`P+jO%~`h?bP0KH_k9l!)1~QwF zZ)-3W04*CALfDHHTlho@uLBf|<`+?%Hk*Tb#{?5rshWPOhGc{dZCXDdmT zV8{in4v1kRtIPlnn5O)^{V(Pe3#KWdcR&HFQgV_b(-h!6kk2kdgzV8YCGQ?sZ=Q!j zhGUk({R>!cowpb9>sLxdtzFNW`5mY_c#w|goB_l2zX%%4215JRtTfJHMgt-g=w?6A zf01Q$7$Xi1!okdv$ZF)Sm9)er0qlm=3A z0$3u+evc{0%P(1gy`%xqRg{0v!|B_wO@;lP%Yi>6Vbru*dgn%&B98{?3ze`u#Lt z0^W@R0PCW5cdru1d+P8>Ytv9R0J|E144!p0cq`fq_K1;WC&D|V~lub z35b=GW1ctAdSnkpg_Gy{yWe(REA&= zCFTw9DgoR&SuP%NTMxUbSDpf_X&2h;86}2hLkZS2csb;KPZY&KFSpo@kbR*uWw{aQ~U`+gf6h23EgbvlAHh8Ol0Fo0t36=Sc2KAz$ ztu${2kVYiyU;vOj_1Pzw?Bx_$al>ks%1E@W>A`dH-J2|E>R*_ligX~v8WAr{M`cAi zRzw*-)T}T^!jxeZ=_%NYfRz4?0QV9C8_Y{lN)$n{L@532k9jBKEt9!o}y?i{ZEdXeWJhx8LFIwIf?JE6%~s4d-IqTmm+=9wm%?}0O?V~7ocVEm>3VIUYn zu!Qp;1{QXb=RSCMWN@n5%4S`ZD^q6P}sl(Kxg z1jRO^{Zlp6uOW(b_lO`*)J!W;+7$Fq>3_{a9&Zeo4o1yh&$fdfo<)3~+!_t8r3UJ9 z>mVKlE7IK{g0xXHEiq|R6k*c;T8=!%7-xBLVcXY(^wRuYjNo(78v)$J#pxY%;JA^o zN-?CdmV&C5z8qgVYrr;UHOl#xN7(!|h#rA|R1aYddx_N+L7ZoTFfS#_xtQx^<_{eL z{|xL;GC0avfL++~^#GkTKVe#4W2Cb#2SN#%9j3~etR%W|0v&pwMj_j=*KoZw1Jj@i zmW>gzs=7uxSwp1+sl@`*p-95A(0TMzZXPqYqtx8pOx_bl&G73pyX6p)dMQxG&(bI3 zmC1K^OcB(t8qDk;<)=bo(ITlD%p4zWrb1wm(daK@hezG1zf^b|f{w7tvzNuBe#}*x zk611+{My_Ci?+dplUf?~hocB|lfrrLnPk-LC@)##T+PQ;2gP@)5K$2GP-(DdVDG(M zZ`8^EeQI&CUK+f{U({0q`c%zeJ=^I@@xy#3SenPFs?;PE^i;*IFF!yZU!D>+L9eNR$exOphY$ zcc{uZkY_0Qh`017Gfnbu(t<8BUK12~@;xNp5m`ALNXdarG2~@c36Q)u`6zOlG02#j z(@k&1sioa))FfE<;&|L$XOlcT@5 zs@$e+{dMW2H*3YpL9Od3RQGXDzmH8_vo|iUN;=C#CUtwGJ53*hIXw2S~vfFU;O&W!*eKQ?jzi5nh*}3?u!KFWP$LjA?=jJ=o_fY%!>v8+d z`i8{F+MQqNo^4>V{>qLm%IZ&xk_m=YiSe5wL(c$PXQPda&ji7Y4in&qv98=;)3fY( z3;iw!qu9Mm_qw$TJoT!JTN|K<24f~Z>fUMl4_N1UHRnRvt0V_)Yz#2Wck0*OUE|lJ zZ@Lvi(I&eAyT6D|aoLU1S!!QHJ;+#QNTad-D1!KDyrgKLo%DDLiV#flbb@j#0^m$%=& z_gB`Leb&t0^T_O#B(e^xxfUx$29Y;hHcA$;Q5H}b3SQvmHiVZ)5&o!?9G&5A-AGVd zevJUSs*ls|^?{W*QO?gG_GBx&)L_OTFaQwyUteif9ObldWLb!PV!FY3!&r-CUCFBT z$^DG_(~bXBfuIniQrNjqt(V)tAl)d0RBMRvu!01a1l^lnCM;PC@BCZZKI9{lV~a9h zI6ohP61X}DcAP4P_etq$A-*EI@)b9p7aj_LpE!j_C9G0d{9CFWW;RN8teub3WCXHc z$7T#Avpq&iiPjr_5}p?7MiN6Ez3dguS)Ak9BJ%?G#4TH`)Gi1=2@y^ngXhx~ohSrh z(Auy7A-RnKDNl*+P}s?J!HR7{gryOUtH0sPCK&H^A`dn6I6sG<_`_m;=k!M?mJ)1# z#3v0d4lQs#GQI$DK}`XvBsco3wnVEYD>96Ts1NOWNEBXJc3w@xx?K`qU98{9jp<+= zYbghvxy&3J%J?`t?|97DD5k$nG`{S1%AHa8W9-bxw_N6o^E{P z09T=YcPucZluST$KP~1TGpEY5-N5&a_h7*utzbtP`;H)7OKr*x}Pr$=ImY+@#bGi<;8K&f}OH@|beY zNnSMX>`)j|7m$b%1UOg$u{l3u1a0TS z@FD<=7|!OxDoi+&TcI$?2mp!bQA&R}O2c^=5-rbRG&vQdmnSjGBnIy*-^V_gz+YTH zek9N{I*Dypm`;(m)D$r&@K%A`dJU!pGunAvbduPV1`?bff3Qmu(j3}SV$rLEzWqg{u>?zT=7T&Yr zc8F}=-ytYDv+*W2p92aUy)tGPE2?lLgW|^?&3n9FQT{UB0t9hdMI!Ki)!Y+BZ@*l6 zkjYK9a6Ht6V{yizj0M`>AM077A(#^iO;4;@@ZxQyi6F?T?D&7DuU4_rR|G|s@0VdI zb6a>4l7~K6+@{cr0(;*3A=P=a#@Xls=9JL!5_C}4RI z03*rCM??8`(_Y_@pf3V*+Lk3Cd1LWO7ZKPh1RzFOLYJ84iRAZQelyHB0CFvjFaA+f4A~D3E0S(`pX0%IyV75^J5WAY|bZmz%0TR?C-uJV6Q=VH42+AtI|$^{^;Rx3`t25zi*icjMbV2mL@8 zX$(M}eDKy@{#{D@QPg8-fuaMU!o%M{h>iF1u7M;WEIbCFjV`b@Nvq~AhX`AZ0k9z& zz|dj=G632^m})G5lYxetMVCvI2;=I{=Vc!M8pj${)?Erq+!AYuct;IdS)x&aSO79C zKNesNh@OHyynG^>zzpI5)_`+ISXUf?4xmE~+kSaw!tkK)5%74`{^=02d+dns*O0g- zo`-2In^gNun{5Yc#|i28UkD0^Fqe3MFe_T`RpA^8VnL|OD+0)TZ4JF*;iO+81v!DX zqJV%+gn+D#FE*8{f*zAUY&sqgiiiPIPXI8JQV3i3Sv6vQvHln<4ZO~aHTdDVGk4W^%FHd#8c#tuENmE8d08kOUG`=VfgTV$ciL$^ z8ugS{embe96}fX*e&G6WrgrXo=d;GM+< zSF-_{^!a?wo&g| z-6}zxT7D+%p0q-KwWwzzCt#z5K z@(00y=8DF$xMkw(4ARck-QKUekjgIu5Ul3MZShdrrK3q$2hhgsz2cKz(t`Nc1teRs zp|7ET2Ib1KH_xy9Z;I5}?pKZuUCzzB)#v@{4^>+eMOVCs^cBcO#=$0cB5pSdAh4Y;4aIA*_V+< z>7PHCy6QJ(>8_aU;I443WuysqIP`H{2)&b>AKCHj zX6<}XU&z<|6WCF%Vg7Q5{LdCazs61-g1SpvpKj9_ru6cJg9LDE#vKW2O*Hn^r|T`X z2%eg;d*eCQBeJxk^)t?ZQ&~l`$1C{#3~upNw{)&(r_+^ZgVz@gW3g_w))l|!E4LlW z_Tf7#dzuMR1QJXU zx(})W4tn3@YE$dW;C$7w&2v6Ten27IK6yW1D*P}^n zE4?ma|AN4MNS(&_>$8%&Y-C&+$(_mew9mTuaZ_O<{T;a8G{pT+wX~hHzs;77J$gY;=IalGp9sNGLM6dtJfST$kaEJJ&$9*c+W3Mkq)td$< zyH7Bl2MvCFYGzfiI*3G-`A4+qI7%o7Zq&eTxbRGKl@IE2*nM^yOfN8Eku;;Y2- z8}{fq!#Ngdka|68HjTtWWzFmR+?gUVCl6n?Bn2~x{=ywWsI#*2f zt%PP67!mxK6=`tSG9I7mMV_n$hgBQq;qa?F44D*c)Qdv#9uL>7laFR;t8b(ajZ+pT ztpiTXi*WPQjDyIL6!hRt>(<}qag%a-;D{F5=ZyXV05uz#*wqh?6Rx)&RlDDRW+(v! zUI*&Dn&;=N4nfbrkPE_gFF1F3-F-f}2`-F5Xd`ygPmR8wn{ko2|FqYQG!u4%nlq|L z`|}pt+UcIW!t`7@JSE!j*tqzS7{!Mezb&o-V_q|KCjuYFUIkzVC+v~+H$1C{H9oJb ze1CoWem$FFP-xiu=g*F^<5J<-aYxfy1$e?V=Wf`7Yj%&1w&&~Xib))khLyTqKe_JP zmbFT%rHcNfWdw-sw+zIcS#ZlvoLF*8aZ@8Jr9r2h)1!wF@LqHwdL6cw=a|QOMYs)n zwYGxVmls+r&FJg~*3MVDm^ez$ZtQAqH-Z@jSQWkPTxKP?fxt{;6cF9FxFOTfEt9Vs8XT73?4 zcdRjD@1zoGOY_APhpW<$qP4vyqT7CHQYW)G|(_8+oYNU>LCQ5xM4{LHZ zu--9iVmIJS4?dQ?Dc|mCUPlkV+vm~uj>nk#Aubr0FzFzng;nXqzlDsu&{IEE?E5Kq z-)af<$VTV@tQ0C3lYeCEMS4-EB+@&oo_|ax7CvN&qvD$zL?V0vg@S$-IVDm(cd~-$#9J`yXltR`s!xm#*TdpKitSw_Nz`)u*Q>b z$GdSxc+>>|eUWGZZo%P}wB=vN*5d6ZNaM8p+D(EWr0%;~d9Irv2#3IiPd-YdG_dj~)ar zhO_uwp{;2S5r036(A(?`gH~=tGQpIKA#`d5XLV zlCujt!J{O@Mpm40lh*)}vyOahp^!rc_2;eRY>jNj`+29@<)Oz0j3No_Uuy-}O{Y%X zay0kGYh47M&wqAM+}=%}Q`BS@nltk9d7GC;1tXOH_L88|60o2|1{XHg*kJ=SXXEtNF4YDTyPQ%BflpS9_T?d&-dmBCuCcSz0joP5SQV3I zPJ-)HsUp#-&b}ABdkMRj{ggYk@}7F4qlOu)<91~PZFh}tTB~`=7R-0XYb+P`x0BdTH&XV&I*x=jsEdjg_qls zz7es{0mL^36;)|1Vv?;YvTZ&B)(Fn8^LY9-8CdOihy{mqt+Sr`C(FSL3fX<*3iKnv5ZkOs>To{2Po1@ptp^C&fMkC3`j4`vL^>(wE zx3#NGs~|i036g{0O$AA7SEZ9a>8jAB-;y6E%%faDkT1q=h}4iTNT2#spn9QI+V94D z=e_`r)x4Zb>}Tr_eo2DK<@sQ%f|=lFelMoA*JOmT z#uwHD=hm>>fvMIDcJ?9ge6Q7`azp~*W5)nP9i7Sh6N`|N-G(-eiBynp@HcVj!@R3< zVSwwB)netJZ$=9KWkjNjlR@8->QvQC;J+8(XMq!Jek-WN+Fxho1^B_UG1Gl2e(hYL zRt~6G!D-hTG1;N^Xd(;&qfowuUU2 zRo;!zWtuJCMlPTF+@PuXN~l6M6OJ(@%vh)JTgvPu~OM|@3R}O zLiT7uSMJI6;Y{&h_-pRALfYLM>(U9yEuH%Jyr#-Z_|YdIZT{g;_f^ z80t6vSO$}smJs~lZ{rbjX=UBFefYa+WO8!$p$XBfrZwcjVB*w_YzHsy;QIrV z*;Ng#KaVQ>N}^#(9a3!$W>S7f)7ofPsn!>8GHWZ(Qnjf{rA3TJ@G-+T!)3&8%R6S} z7*__Bh$kmQ;*_i4l`Riz{bN4!Ma+bvYIs?34iRz*@kV8Jo>{bT{g8pXUHIIAq8lS% zZio12a^Y(EjktXw$KR1H(oye>rrBQXHaP83WU^S4H@mFZ#aSJ-4%1A@X@=W(g}@u_ z;Y8kC-|q{!c%r!>@w0zFC&p#+^d=#XY$-~{3Q}MdjO-puS2iNP!pGiTk1l_ldSmnb zVM{_nZbX5Bo-ekEFIV6^I<)y&)3P$4Xa|#U^Xyg3Yq~}T?jcF|l>$&E5{Gxb5PJ-U z*#zJO$L6nK(J3uLPjZILtjrflGXjvnRr&bWa@oyEPLBZrem`;NPyx;rhpNGL&s0>+ zZfOZ_TsbwzU3vs@;+J9}6O;4@=cn&lFpoZBTsrkFpG>YLv$)9aTO1R6(c!)~gvC8( z*1x5{s$$=57tGY&UmTqpvA@F#;6un~5#enFaomyU zOA`t${1BAMBh(ct$SHZGA02#&_7+b=;O6E<#F053|CthI7i}ZfCo# z-nT(KMo*JEO!J-)?b%0yPUQv1rnXdiuyNT(Cc!mN9fG&7r0ms^o_}V$cp6Z<9zA;z zkD#ogijPjD^LhEOvtB;4uum|(3;VnPXb7|5G5z;D&NW$s}9C-1ip?swAf+Ddj zql0nQN!L3{(unlMf2j?vxeY+1=)A9&JOH_?*emnL$khISEZV^W11%inxpsh?F&Ar+r+me{7*aOeGHq z)-1C4aXwW5=nDVGUWAzc5Sq-d36ws@t71A-Bq~qA)!5kekr)GPnJHd^%M@H&QVj4A zUrg$E)Y+Myo(QceMfN^_NU!7@@LOWrVyy4N5t@oUv9qb95%jf)krvOw(&QvHl99n1Vb zTI%xBF!yK&?=-0g=xhzBa!~yk|8+iyA^=h^XPI^(lLF~Ws3|qM!6UGPBo3o^Hj=kQ zM0!K9LoVfSMmCr9?_!h0aj_F2N+eEJYk^ERaXhEnu-aCDEO;j@N+Fy*E{7r+OKZH2 z(%t$vjcg`7gb#1*l^jlh>cfnK0ST=xIBo`zz>ycuuflopwa<6yeic$6zm73MlKU&R zmd{;^8mFf=XoIo>tEP(VZ7ghmuPtuhzZrgThSNzCF?$%L+7vmRsI&jat7rX>`SpOs z;U-Z_x2xLf6ZpM5(TUqQg@3RA8o6@*v7;Mz?%%YO(!`dS&W+|M+s5bZywlb9rGayk(2|j7QwL z=)?8ZtK?^|sdif{hC7QtYz)0wmc65RyAsg7VPY1ulsRtYp1a(EFu97Mc7YOi2QRvn zyW)z<3y2KuZ(qKGmmt3DUS-&R(@u_I69m;?F__C%KS_?+`R@Jn{>$yx>V>Q0K(EGk zN6%btOO9Y2PD7P)CW}~Q+ky8E937um`JBAwgV@Au&A4JfZcFZEQD^BQp4=$NDGY@BPbHCUl`)7oG14ovM`BW=dUm>)^DK z$;+lzkplM9?ui)>*|*K5u8-5;$Lp^1d&UoH7?lVG0dXC?6GZqi3^Y?Vl{<$^g;a1_Q?MD z7IIhZ-xIw9%SNs}-`YQB8j`0=M(ft|Xbg8g{$1oliT8HMex0G5N`~%!w;D%0Q*WPc zRaLDvsh=r$Laz@(TYtX&mKXQOcI_>Fi&}_1IB#YeVo1L`jjlK;A-23Tr!*D+=wulF z<9H&^&uPV)_x@*G=C?2<4F=lRah(-ul1irVG(#spRh2CUy|U-R&;zWLi;P% zS|VhQiQhu?!vP1apT+%rg#}N+j)ND+?g7>J-EhaRd0*Ap51qVhsB;>B^|xOK?!_6R zfoHUnD`1}=t~g5GSi3UzJ^fw5?j&#Pct1_WYb>#WjgR|*^h{<~pD63?K-aro`wu|3 zhrH8vxGm**X}-UE!D+(JGkDeWp55L=cb{hh<+6kX zostedIy@n#vbnNXRp)Fv(eu{g!K3u97d+|Xj zkaMhB2EFht9YWg3J?qdbxe%YxoNCtLiu`Q4Qq##P5&h{&yF~M}#*;j+MYH}ZqkQn? ztEb)2<}Ni%_#e9Cn${ot>y4vEF(`H%Cp8-Tl#711T*IqnvgkcqOEu#WG_qbA$xCX_ zB6wr~B`rl|8i%t(*m%Dl(I*i!rAa$%i?qgOiQkojZk-zYrh1tjy^>=NRz`q2wHtuOI5vSsT$cGUvS#@CRSD@OdLoyIE zT@xs6fl;cJK&wosg)i&iM zCXeq19ivhQ?(Cy`a7#GoxEbSNSfh zr0d|T$1MuNTBTWt3U$HXOqSaO`TVsh=!eEqBNgdBAOi$DV^HvhJR*H;`V9@7l#&7?g zX97X`a790hpnaM6ho@ZQcI9Bg*B3m$+3!KRc{uAOSt2yE>h3}wJ?!ozQ6iMIRF%0| z^x{nxv2Cm&sk9{{HWOOX>gXZ{@w>Zx(KVwh+WdQ!gDR;nDe{`>Qy!B13{l2_5ZY26 z?etVIzPxBsYGGm`cLCrR?=CYf6C@6W`6=&^0AEq5qJe5&V~*R_Lc$7|UCB{~HD%P1 za|hWtkQ4ip<8eLsn~+%=2tjb`8qY3FNtCSnBJ|cQC0IJ*@2PLoWHL8qx)v~+Ji~+= zS)7=(Vumr5OX8rV(0R@C|%p?sbrLBpd%5j(hmbM@tQPFIAd zTIMvHW-JYmCxauwLYpuRUp4-dZ@!oe4_WVx-%Nun>A#*SD7TLr6hI281-oBBPtj&LIK-OQ9O{T#l)B?(G#XE%4{8NBZ`>hv_Ri4o-_1X&&WyW5J zh?+kmmWy+T)G_?GZIb{$S`ss58vT8A!4mC5R0eOl9P>?-_qWgR6?9~z=K+@R7K>0m zEvokSWbq^DbY6{xU}>O8{0IhJK7?6QRtgBG!TFie-ob#$g7KN6OGJ*FDEvR zeCUApu?6~cQ!eM>Yk>un&N|w$`@Yjw>4c@9)1hEr>J>ap>_Y51ZdKipX#mMmqUJub zM!cqHI+Q>;xrvt3D_k2>n#G-l(nTs&EuSL; zhNn*_yjR_GL~eE1LuZx~Vd?#BPruD;$IL*VK2@_%(cAM|kST-0N!DZ$U_%Je@?P{F z1~SAmV-yX%#)CCVlMz|yroB$}x7sJbAEF2l@E{{$wva-{+VA|#ozD}dw%7!DG1CqF z7us$W@x2y63r=o^NYECdH)!8a{22tJ2MTOcxD*HbJ_L%A$ddQtBbG2TF=Wg)QUj!{ znd#`!yKQq%Km1>b#$++W2)>b^ND&$k{I2`NTntLA6Z%1Bq5H2N4n-zIBFY&AeZk5E zL~bY{(h&xdr}QPaiHOd1O+@T3o}f3wbb$l2CaeRzNp238ptXnvZxA{_Qi~GPxz}bW zWk)on<QEjqj|^P= zl~t}@FCNf#`_jw+JJ~3>Ld*XkwP*3k)cG$t=0|N9p9~(El(hkikD*t3DuMh)09ow+ zW{F#cJ+f9&ER;sncAMjF#1PSqAc zRqe7TQ6a)Nl>i&`KA>i+-Tp`P?#dNcb2d8C2P09EokqN48a3p!qV#l0?E;iD zGQRW_Jn85LNeMgf{{|uP$R7KD`bSv<+#WNGv0#)97}LNyrA3IgbT?O%rr#*Acu8j# zR|`s90|wdAZNs~ktowq8Xao&csW4v<5x>CboRd{^L==8_?P~~x^k7x}Z)jP_j$qIz z#B02e^U9^J>E>5XqyOK(7@gg>=3aQG9vy#fAQ0NH?31$+W*UYt!j=Qk_s5^IWuKz= zcA|^?RvElp!CA&?LiHaKllK?sYOh`}PbPj@N`8S{t8;VmEmT{q= z%|Gnj%YcU*lY!FDE?MHP1nQ%;AC**56*Iw~b&oaVnQ)BHY612AWN&4Aq@=Se{cah* z2~`aLm%1E}Gfr3-S&hs-{!6q99hd}%hc7xaTyz_X9xF4G6TX{K*8+lW1MAH*1_`S? zlw^l!Jx5cD8SmK&g8l}I z*o+(ya(F4pPSAP|rSO@oo8TLI#b)!ZQ7nkTWcMkGh_M@c2xl1Z*z7V*ThD;?{0wB; zJTTcViatzKHpcxd6*_w`PPh(g&bIO%R53?p?d6Y!a}oT#Lv65w^anrZ`OYgaS~8EiC8rQc5zWoJ?kt+s0c7 zG)rqc#qDLlX8N)#;#DF+T#LO@S=zuoD0;4pZm%ZF*D%hw3$Tc+8ku9fW04A7G>#Tu zbe09{0d%BTW+KO8x5l*%6mbA-vab1!%;2LWJ8kH$fAt30EJGW+yikQM5=ROJiKs@R z4b-;}6tt>YMjrH5`uv^NeJadLSH=|ouXn5w_dG!79jpplH0Bt+5G~C1H6TR+COevg z;@dbOqsUhh1y;&YDRRNFK#3$Gkez1G5{v0!K~iTLDNreTX$>E0PGR3Zl(|S|KBsUu zL$?j|`rtoipfKlg#yN^2bCB6%jD1llD#npwLp2Hq96{|1>u0{b4n%j{jg(6DR+^us z{bt@`8R6Up3OoP`+w`!oe&&pe5S5)Ib&OW3cq#G)hsP^AGt%-1T3#tL6A?~a@X!Wo zI|4RX7yL$+@>Ob>dpWhZIC9gpfvm16zJO0GE9uuB>qUkI{o#VO#&|E?08{NzAM6RU zZ()N!7_=;24$!YA72vDny-aIAB*~{)V~Stmi=M?dLy_(dlWnJrAjWP8lUrxd@`|Zp z07r5#jdZ9Ko#KSEp_**~L<0@5eP6-TD+H zJb#$%GGzoNDy#XZpHkxn52s(_Hid3DO!tX$r;dbO)52egXp6^vEL=yI%?v-)KX%+g z$3)x=f7w4an`aGsDGes8_#zl=pn}oA{ zS7DX=5Z=m0yjQN+`T6jIG^5j+N2=Kjzc&y)m-iQ;ejQA_(C|;?bX_3r8(^blInmctt~g-{*<8MPkGtXTPfo5D6TkkiT`A=d3XaI+qN=4i66X0?hRJ@c*Y|bv|t$# z-38jd1&Z2?u#|u0ip!Be22YaOM;{)m(AD5-c|~VMj@?5QPyX?soVXiA_W*3PE@${U z#TCc?RD{~XAj#8hxJBty#}XoJdTglz|Y-M*6L12Tc)Q7-72xxCloP-xa}<7`q-}2dIc2h7j=yyCDZZQxckj3~aR=Sx7fP zfkKGPN7s7*v~`AP*hAzgpc#aJIDzrdL9fKa{t<>C0$=fU5`tB|K1b;QOA5avBC3Xn zzbJ!uIEV*}MleRb*Blip%M(^WhBVpp2NgOX5LO_9G&viF29*^JD@T#xr~#rw2PDEW z82Z_J3(%pmGGPToNL4-D7|;QQumUes(R_SiDQGMPFrYVuL`RxsL=b$1h;}0T7TtVu z?32GLvQi&OO@}K&ByhHJFJ}9-BK{0Q5oR>&j3OE|TDYfXZ6V%E_$K_b7A`k$&>$c= zhDM1789j%0jW8jFM#&yIHj`%pJ28_+sRsF<;1i2zlx~pGjksqll}%8T0IZU~ptLX@ zIu1pAOGG+-?AAW86_+BuH{$jb*-5Z8KdMq6x8x=Yl9_7kG>sB73h~;jQXn8Zms~Ls zMJa+!QnOcbFufcL3Na2FVUbZU8?Zyc8mJ6{LN7Nl8ufpW*Y*NRSp4!3P%kZwq~(#8Xb0Dh;yX4`-pl=48qKs0W&(pxmeJBKz%J5VYYI4ph#py@Bt8W zjBJihGg$-zu}3=ZFuV7F)j?4RGwf~%+iW9(b$}j%oi~W`CMhnl$T&YRpg@GI19N8Y z2xlwGmrM8R>prt79|a880OnFQ<~!X7yhP*1 zwCp~MxTW~N{;qw@r1V|8{k z{}2Ap1Wo=);FTpcnb*#*zhfAq$-|FIXfWQ z5gmp-CI0{Sbw>W*JJ`9*RD9pYZENgp33infs$Q~S3BFo}h(v4M(@`WCHAy)X@_f{~ zcMvwHa+YzIri5$V8w&H6Ia~2dgF_~@?gNBrw_hF_@*x#inPwTJ zz8}W>e@{9Falo#fS}Up#O*>mF+lR7s>SK;4fBSkhc7^VE-hi?DLbAVr=c@{T!nf*& z@2>PhSDdMZJTDszH>$XPn}!&C`xIjXv*jLMKb!G?ux$-A5cJh^%XnA}XY5sF%2-C` z!@cPgfjzv-Rp}DggXSNL9R66iyV5-U^;Gj_UMIIG01YQIjn67W_`Fjh&t!k6JNQ8% zB;ZHB_{N*jOS8r77WEmsh#NZ1Y`DrHQ)Hn<1UNgY1*l7{6MMV)5BK(y^w!*l3o(YAVE&6|5nb)xaT-hQVLN8EZ{M$vyPS)eZOr=#?6oT2fNPpDke(d8>KPZD zS0B!XOonUWAys2KJ1f3v4|~V=@Dq<#wWIrWouX;bWTtHX?REWh zMaZ1!@u83!TkRVvuxnHM<<`MvXBRfUEL6!Bpy=sqcJTJSp8@P>A$hogB^ntjW*;0B zv^uY_@O3e}pVL!(YaY@5hvSd%(t%Kkk^A4S0nHz_VjN`tgbf1Qlyu$Z2_nm`ps&J1 z#Ax+&D4U1ZZ6=G`zC?e{BfHN(btd14XUzYO<^S5zWRsuG}gm_XB|2!hfpsNCF| z+Q&=1Y`k_={BgN{tv3|#&7@t diff --git a/docs/versions.yaml b/docs/versions.yaml index 2f24bc759d9e0..bb882a49ec819 100644 --- a/docs/versions.yaml +++ b/docs/versions.yaml @@ -24,7 +24,7 @@ "1.28": 1.28.7 "1.29": 1.29.12 "1.30": 1.30.11 -"1.31": 1.31.9 -"1.32": 1.32.7 -"1.33": 1.33.4 -"1.34": 1.34.2 +"1.31": 1.31.10 +"1.32": 1.32.8 +"1.33": 1.33.5 +"1.34": 1.34.3 From ccaa1f18e69cfaee9b049b4bd2e496a410be6c7a Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 13:51:41 +0100 Subject: [PATCH 019/505] deps: Bump `envoy_examples` -> 0.1.1 (#40325) Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index fec1f5d2cd1db..7fd96f3c1164c 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -97,12 +97,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "envoy_examples", project_desc = "Envoy proxy examples", project_url = "https://github.com/envoyproxy/examples", - version = "0.0.18", - sha256 = "093b6598a1498445eea071065fd276ab0b9b0e127bbfabc437b8f6d7ec5116b5", + version = "0.1.1", + sha256 = "fe8bfa1530c57c7da321eeb5fe0c7ef15789ab8793a82b7e206cefb2f98916b0", strip_prefix = "examples-{version}", urls = ["https://github.com/envoyproxy/examples/archive/v{version}.tar.gz"], use_category = ["test_only"], - release_date = "2025-07-08", + release_date = "2025-07-21", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/envoyproxy/examples/blob/v{version}/LICENSE", From 69b26409e012865fd957799470aa6f5a4d068d95 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Mon, 21 Jul 2025 10:29:12 -0400 Subject: [PATCH 020/505] tests: Fix proxy_protocol_fuzz_test config validation (#40282) Signed-off-by: Yan Avlasov --- .../listener/proxy_protocol/proxy_protocol_fuzz_test.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/extensions/filters/listener/proxy_protocol/proxy_protocol_fuzz_test.cc b/test/extensions/filters/listener/proxy_protocol/proxy_protocol_fuzz_test.cc index f8400374608b4..193abf44c5c11 100644 --- a/test/extensions/filters/listener/proxy_protocol/proxy_protocol_fuzz_test.cc +++ b/test/extensions/filters/listener/proxy_protocol/proxy_protocol_fuzz_test.cc @@ -11,15 +11,17 @@ namespace ProxyProtocol { DEFINE_PROTO_FUZZER( const test::extensions::filters::listener::proxy_protocol::ProxyProtocolTestCase& input) { + Stats::IsolatedStoreImpl store; + ConfigSharedPtr cfg; try { TestUtility::validate(input); + // Config constructor can throw as it validates proto config. + cfg = std::make_shared(*store.rootScope(), input.config()); } catch (const ProtoValidationException& e) { ENVOY_LOG_MISC(debug, "ProtoValidationException: {}", e.what()); return; } - Stats::IsolatedStoreImpl store; - ConfigSharedPtr cfg = std::make_shared(*store.rootScope(), input.config()); auto filter = std::make_unique(std::move(cfg)); ListenerFilterWithDataFuzzer fuzzer; From 947a550abce69759dc4b182a2b359bf52bfe5409 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Mon, 21 Jul 2025 18:57:30 -0400 Subject: [PATCH 021/505] rbac: reserve internal vector sizes (#40234) Minor internal refactor to reserve the size of the vectors. Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- source/extensions/filters/common/rbac/matchers.cc | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/source/extensions/filters/common/rbac/matchers.cc b/source/extensions/filters/common/rbac/matchers.cc index 2f866bc1ba3cc..29dfde6fb80aa 100644 --- a/source/extensions/filters/common/rbac/matchers.cc +++ b/source/extensions/filters/common/rbac/matchers.cc @@ -113,15 +113,17 @@ MatcherConstPtr Matcher::create(const envoy::config::rbac::v3::Principal& princi AndMatcher::AndMatcher(const envoy::config::rbac::v3::Permission::Set& set, ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::CommonFactoryContext& context) { + matchers_.reserve(set.rules_size()); for (const auto& rule : set.rules()) { - matchers_.push_back(Matcher::create(rule, validation_visitor, context)); + matchers_.emplace_back(Matcher::create(rule, validation_visitor, context)); } } AndMatcher::AndMatcher(const envoy::config::rbac::v3::Principal::Set& set, Server::Configuration::CommonFactoryContext& context) { + matchers_.reserve(set.ids_size()); for (const auto& id : set.ids()) { - matchers_.push_back(Matcher::create(id, context)); + matchers_.emplace_back(Matcher::create(id, context)); } } @@ -140,15 +142,17 @@ bool AndMatcher::matches(const Network::Connection& connection, OrMatcher::OrMatcher(const Protobuf::RepeatedPtrField& rules, ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::CommonFactoryContext& context) { + matchers_.reserve(rules.size()); for (const auto& rule : rules) { - matchers_.push_back(Matcher::create(rule, validation_visitor, context)); + matchers_.emplace_back(Matcher::create(rule, validation_visitor, context)); } } OrMatcher::OrMatcher(const Protobuf::RepeatedPtrField& ids, Server::Configuration::CommonFactoryContext& context) { + matchers_.reserve(ids.size()); for (const auto& id : ids) { - matchers_.push_back(Matcher::create(id, context)); + matchers_.emplace_back(Matcher::create(id, context)); } } From c34a837e680f906962b66673c44cb1f4ba0568f1 Mon Sep 17 00:00:00 2001 From: code Date: Tue, 22 Jul 2025 07:02:10 +0800 Subject: [PATCH 022/505] matcher: refactor the matcher to avoid unnecessary wrapper and heap allocation (#40249) In the previous matcher tree implementation. The action is parsed and stored with format of a ActionFactoryCb. And once the action is hit we will call the ActionFactoryCb to create Action instance. However, if we review all these cases, we will find in most cases, the actual action content is parsed into a shared pointer. Then the ActionFactoryCb will capture the shared pointer. When the action is hit, the ActionFactoryCb will create a temporary object in the heap and copy the shared pointer into the new temporary object. It's make no sense except complex logic and low efficient memory usage. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: wangbaiping(wbpcode) --- envoy/matcher/matcher.h | 43 +++--- .../filter_chain_manager_impl.cc | 15 +- source/common/matcher/matcher.h | 8 +- source/common/router/config_impl.cc | 27 ++-- source/common/router/config_impl.h | 13 +- .../filters/common/rbac/engine_impl.cc | 13 +- .../filters/common/rbac/engine_impl.h | 6 +- .../filters/http/composite/action.cc | 74 +++++---- .../filters/http/composite/action.h | 64 ++++---- .../filters/http/composite/filter.cc | 5 +- .../filters/http/composite/filter.h | 5 +- .../filters/http/custom_response/config.cc | 2 +- .../filters/http/custom_response/policy.h | 19 +-- .../filters/http/match_delegate/config.cc | 12 +- .../http/proto_api_scrubber/filter_config.h | 8 +- .../filters/http/rate_limit_quota/filter.cc | 9 +- .../filters/http/rate_limit_quota/filter.h | 3 +- .../filters/http/rate_limit_quota/matcher.h | 10 +- .../network/generic_proxy/route_impl.cc | 20 +-- .../network/generic_proxy/route_impl.h | 19 +-- .../filters/network/match_delegate/config.cc | 13 +- .../udp/udp_proxy/router/router_impl.cc | 9 +- .../udp/udp_proxy/router/router_impl.h | 6 +- .../matching/actions/format_string/config.cc | 10 +- .../matching/actions/format_string/config.h | 9 +- .../matcher/matcher_cluster_specifier.cc | 14 +- .../matcher/matcher_cluster_specifier.h | 12 +- test/common/matcher/exact_map_matcher_test.cc | 12 +- test/common/matcher/list_matcher_test.cc | 28 ++-- test/common/matcher/matcher_test.cc | 18 +-- test/common/matcher/test_utility.h | 53 +++---- .../common/matcher/domain_matcher_test.cc | 5 +- .../common/matcher/trie_matcher_test.cc | 10 +- .../filters/http/composite/filter_test.cc | 142 ++++++++++++------ .../http/match_delegate/config_test.cc | 12 +- .../http/rate_limit_quota/filter_test.cc | 4 +- .../network/generic_proxy/route_test.cc | 20 +-- .../network/match_delegate/config_test.cc | 4 +- .../actions/format_string/config_test.cc | 6 +- test/mocks/http/mocks.h | 4 +- 40 files changed, 377 insertions(+), 389 deletions(-) diff --git a/envoy/matcher/matcher.h b/envoy/matcher/matcher.h index 223ed538e5952..531f99cf15bc4 100644 --- a/envoy/matcher/matcher.h +++ b/envoy/matcher/matcher.h @@ -91,22 +91,20 @@ class Action { } }; -using ActionPtr = std::unique_ptr; -using ActionFactoryCb = std::function; +using ActionConstSharedPtr = std::shared_ptr; template class ActionFactory : public Config::TypedFactory { public: - virtual ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, - ActionFactoryContext& action_factory_context, - ProtobufMessage::ValidationVisitor& validation_visitor) PURE; + virtual ActionConstSharedPtr + createAction(const Protobuf::Message& config, ActionFactoryContext& action_factory_context, + ProtobufMessage::ValidationVisitor& validation_visitor) PURE; std::string category() const override { return "envoy.matching.action"; } }; // On match, we either return the action to perform or another match tree to match against. template struct OnMatch { - const ActionFactoryCb action_cb_; + const ActionConstSharedPtr action_; const MatchTreeSharedPtr matcher_; bool keep_matching_{}; }; @@ -130,30 +128,39 @@ template class OnMatchFactory { // - The match could not be completed due to lack of data (isInsufficientData() will return true.) // - The match was completed, no match found (isNoMatch() will return true.) // - The match was completed, match found (isMatch() will return true, action() will return the -// ActionFactoryCb.) +// ActionConstSharedPtr.) struct MatchResult { public: - MatchResult(ActionFactoryCb cb) : result_(std::move(cb)) {} + MatchResult(ActionConstSharedPtr cb) : result_(std::move(cb)) {} static MatchResult noMatch() { return MatchResult(NoMatch{}); } static MatchResult insufficientData() { return MatchResult(InsufficientData{}); } bool isInsufficientData() const { return absl::holds_alternative(result_); } bool isComplete() const { return !isInsufficientData(); } bool isNoMatch() const { return absl::holds_alternative(result_); } - bool isMatch() const { return absl::holds_alternative(result_); } - ActionFactoryCb actionFactory() const { return absl::get(result_); } - ActionPtr action() const { return actionFactory()(); } + bool isMatch() const { return absl::holds_alternative(result_); } + const ActionConstSharedPtr& action() const { + ASSERT(isMatch()); + return absl::get(result_); + } + // Returns the action by move. The caller must ensure that the MatchResult is not used after + // this call. + ActionConstSharedPtr actionByMove() { + ASSERT(isMatch()); + return absl::get(std::move(result_)); + } private: struct InsufficientData {}; struct NoMatch {}; - using Result = absl::variant; + using Result = absl::variant; Result result_; MatchResult(NoMatch) : result_(NoMatch{}) {} MatchResult(InsufficientData) : result_(InsufficientData{}) {} }; // Callback to execute against skipped matches' actions. -using SkippedMatchCb = std::function; +using SkippedMatchCb = std::function; + /** * MatchTree provides the interface for performing matches against the data provided by DataType. */ @@ -187,19 +194,19 @@ template class MatchTree { // Parent result's keep_matching skips the nested result. if (on_match->keep_matching_ && nested_result.isMatch()) { if (skipped_match_cb) { - skipped_match_cb(nested_result.actionFactory()); + skipped_match_cb(nested_result.action()); } return MatchResult::noMatch(); } return nested_result; } - if (on_match->action_cb_ && on_match->keep_matching_) { + if (on_match->action_ && on_match->keep_matching_) { if (skipped_match_cb) { - skipped_match_cb(on_match->action_cb_); + skipped_match_cb(on_match->action_); } return MatchResult::noMatch(); } - return MatchResult{on_match->action_cb_}; + return MatchResult{on_match->action_}; } }; diff --git a/source/common/listener_manager/filter_chain_manager_impl.cc b/source/common/listener_manager/filter_chain_manager_impl.cc index 7261bea02234a..b9f6d9eede3ba 100644 --- a/source/common/listener_manager/filter_chain_manager_impl.cc +++ b/source/common/listener_manager/filter_chain_manager_impl.cc @@ -49,11 +49,11 @@ class FilterChainNameActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "filter-chain-name"; } - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, - FilterChainActionFactoryContext&, - ProtobufMessage::ValidationVisitor&) override { - const auto& name = dynamic_cast(config); - return [value = name.value()]() { return std::make_unique(value); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message& config, + FilterChainActionFactoryContext&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared( + dynamic_cast(config).value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -573,9 +573,8 @@ FilterChainManagerImpl::findFilterChainUsingMatcher(const Network::ConnectionSoc Matcher::evaluateMatch(*matcher_, data); ASSERT(match_result.isComplete(), "Matching must complete for network streams."); if (match_result.isMatch()) { - const Matcher::ActionPtr action = match_result.action(); - return action->getTyped().get(filter_chains_by_name_, - info); + return match_result.action()->getTyped().get( + filter_chains_by_name_, info); } return default_filter_chain_.get(); } diff --git a/source/common/matcher/matcher.h b/source/common/matcher/matcher.h index a7aef43c642de..5cc9b0059b42c 100644 --- a/source/common/matcher/matcher.h +++ b/source/common/matcher/matcher.h @@ -324,10 +324,10 @@ class MatchTreeFactory : public OnMatchFactory { on_match.action().typed_config(), server_factory_context_.messageValidationVisitor(), factory); - auto action_factory = factory.createActionFactoryCb( - *message, action_factory_context_, server_factory_context_.messageValidationVisitor()); - return [action_factory, keep_matching = on_match.keep_matching()] { - return OnMatch{action_factory, {}, keep_matching}; + auto action = factory.createAction(*message, action_factory_context_, + server_factory_context_.messageValidationVisitor()); + return [action, keep_matching = on_match.keep_matching()] { + return OnMatch{action, {}, keep_matching}; }; } diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 5ac7fe53a144c..7c970149f0aff 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -1825,14 +1825,13 @@ RouteConstSharedPtr VirtualHostImpl::getRouteFromEntries(const RouteCallback& cb Matcher::evaluateMatch(*matcher_, data); if (match_result.isMatch()) { - const Matcher::ActionPtr result = match_result.action(); + const auto result = match_result.actionByMove(); if (result->typeUrl() == RouteMatchAction::staticTypeUrl()) { - const RouteMatchAction& route_action = result->getTyped(); - - return getRouteFromRoutes(cb, headers, stream_info, random_value, {route_action.route()}); + return getRouteFromRoutes( + cb, headers, stream_info, random_value, + {std::dynamic_pointer_cast(std::move(result))}); } else if (result->typeUrl() == RouteListMatchAction::staticTypeUrl()) { const RouteListMatchAction& action = result->getTyped(); - return getRouteFromRoutes(cb, headers, stream_info, random_value, action.routes()); } PANIC("Action in router matcher should be Route or RouteList"); @@ -2140,9 +2139,9 @@ const Envoy::Config::TypedMetadata& NullConfigImpl::typedMetadata() const { return DefaultRouteMetadataPack::get().typed_metadata_; } -Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate(config, validation_visitor); @@ -2150,14 +2149,14 @@ Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( RouteCreator::createAndValidateRoute(route_config, context.vhost, context.factory_context, validation_visitor, false), RouteEntryImplBaseConstSharedPtr); - - return [route]() { return std::make_unique(route); }; + return route; } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); -Matcher::ActionFactoryCb RouteListMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteListMatchActionFactory::createAction(const Protobuf::Message& config, + RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate( config, validation_visitor); @@ -2169,7 +2168,7 @@ Matcher::ActionFactoryCb RouteListMatchActionFactory::createActionFactoryCb( validation_visitor, false), RouteEntryImplBaseConstSharedPtr)); } - return [routes]() { return std::make_unique(routes); }; + return std::make_shared(std::move(routes)); } REGISTER_FACTORY(RouteListMatchActionFactory, Matcher::ActionFactory); diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index c4106e056b8bf..5571df3e437b6 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -619,6 +619,7 @@ class RouteEntryImplBase : public RouteEntryAndRoute, public Matchable, public DirectResponseEntry, public PathMatchCriterion, + public Matcher::ActionBase, public std::enable_shared_from_this, Logger::Loggable { protected: @@ -1191,9 +1192,9 @@ class RouteMatchAction : public Matcher::ActionBase { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -1217,9 +1218,9 @@ class RouteListMatchAction : public Matcher::ActionBase { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route_match_action"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc index e53f2265fc974..9abe4c961df3b 100644 --- a/source/extensions/filters/common/rbac/engine_impl.cc +++ b/source/extensions/filters/common/rbac/engine_impl.cc @@ -11,9 +11,9 @@ namespace Filters { namespace Common { namespace RBAC { -Envoy::Matcher::ActionFactoryCb -ActionFactory::createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Envoy::Matcher::ActionConstSharedPtr +ActionFactory::createAction(const Protobuf::Message& config, ActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& action_config = MessageUtil::downcastAndValidate(config, validation_visitor); @@ -25,7 +25,7 @@ ActionFactory::createActionFactoryCb(const Protobuf::Message& config, ActionCont context.has_log_ = true; } - return [name, action]() { return std::make_unique(name, action); }; + return std::make_shared(name, action); } REGISTER_FACTORY(ActionFactory, Envoy::Matcher::ActionFactory); @@ -138,18 +138,17 @@ bool RoleBasedAccessControlMatcherEngineImpl::handleAction( Envoy::Matcher::evaluateMatch(*matcher_, data); ASSERT(result.isComplete()); if (result.isMatch()) { - auto action = result.action()->getTyped(); + const auto& action = result.action()->getTyped(); if (effective_policy_id != nullptr) { *effective_policy_id = action.name(); } // If there is at least an LOG action in matchers, we have to turn on and off for shared log // metadata every time when there is a connection or request. - auto rbac_action = action.action(); + const auto rbac_action = action.action(); if (has_log_) { generateLog(info, mode_, rbac_action == envoy::config::rbac::v3::RBAC::LOG); } - switch (rbac_action) { PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; case envoy::config::rbac::v3::RBAC::ALLOW: diff --git a/source/extensions/filters/common/rbac/engine_impl.h b/source/extensions/filters/common/rbac/engine_impl.h index ad22de9ed5553..80a5781ed9e71 100644 --- a/source/extensions/filters/common/rbac/engine_impl.h +++ b/source/extensions/filters/common/rbac/engine_impl.h @@ -50,9 +50,9 @@ class Action : public Envoy::Matcher::ActionBase { public: - Envoy::Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Envoy::Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, ActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "envoy.filters.rbac.action"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/http/composite/action.cc b/source/extensions/filters/http/composite/action.cc index 9d70c9c10671f..da6941c88b90c 100644 --- a/source/extensions/filters/http/composite/action.cc +++ b/source/extensions/filters/http/composite/action.cc @@ -6,23 +6,30 @@ namespace HttpFilters { namespace Composite { void ExecuteFilterAction::createFilters(Http::FilterChainFactoryCallbacks& callbacks) const { - cb_(callbacks); -} + if (actionSkip()) { + return; + } -bool ExecuteFilterActionFactory::isSampled( - const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, - Envoy::Runtime::Loader& runtime) { - if (composite_action.has_sample_percent() && - !runtime.snapshot().featureEnabled(composite_action.sample_percent().runtime_key(), - composite_action.sample_percent().default_value())) { - return false; + if (auto config_value = config_provider_(); config_value.has_value()) { + (*config_value)(callbacks); + return; } - return true; + // There is no dynamic config available. Apply missing config filter. + Envoy::Http::MissingConfigFilterFactory(callbacks); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCb( - const Protobuf::Message& config, Http::Matching::HttpFilterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +const std::string& ExecuteFilterAction::actionName() const { return name_; } + +bool ExecuteFilterAction::actionSkip() const { + return sample_.has_value() + ? !runtime_.snapshot().featureEnabled(sample_->runtime_key(), sample_->default_value()) + : false; +} + +Matcher::ActionConstSharedPtr +ExecuteFilterActionFactory::createAction(const Protobuf::Message& config, + Http::Matching::HttpFilterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& composite_action = MessageUtil::downcastAndValidate< const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction&>( config, validation_visitor); @@ -34,20 +41,20 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCb( if (composite_action.has_dynamic_config()) { if (context.is_downstream_) { - return createDynamicActionFactoryCbDownstream(composite_action, context); + return createDynamicActionDownstream(composite_action, context); } else { - return createDynamicActionFactoryCbUpstream(composite_action, context); + return createDynamicActionUpstream(composite_action, context); } } if (context.is_downstream_) { - return createStaticActionFactoryCbDownstream(composite_action, context, validation_visitor); + return createStaticActionDownstream(composite_action, context, validation_visitor); } else { - return createStaticActionFactoryCbUpstream(composite_action, context, validation_visitor); + return createStaticActionUpstream(composite_action, context, validation_visitor); } } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryCbDownstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context) { if (!context.factory_context_.has_value() || !context.server_factory_context_.has_value()) { @@ -57,11 +64,11 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryC auto provider_manager = Envoy::Http::FilterChainUtility::createSingletonDownstreamFilterConfigProviderManager( context.server_factory_context_.value()); - return createDynamicActionFactoryCbTyped( + return createDynamicActionTyped( composite_action, context, "http", context.factory_context_.value(), provider_manager); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryCbUpstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context) { if (!context.upstream_factory_context_.has_value() || @@ -72,12 +79,12 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryC auto provider_manager = Envoy::Http::FilterChainUtility::createSingletonUpstreamFilterConfigProviderManager( context.server_factory_context_.value()); - return createDynamicActionFactoryCbTyped( + return createDynamicActionTyped( composite_action, context, "router upstream http", context.upstream_factory_context_.value(), provider_manager); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCbCommon( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createActionCommon( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, Envoy::Http::FilterFactoryCb& callback, bool is_downstream) { @@ -90,16 +97,17 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCbCommon std::string name = composite_action.typed_config().name(); ASSERT(context.server_factory_context_ != absl::nullopt); Envoy::Runtime::Loader& runtime = context.server_factory_context_->runtime(); - return [cb = std::move(callback), n = std::move(name), - composite_action = std::move(composite_action), &runtime, this]() -> Matcher::ActionPtr { - if (!isSampled(composite_action, runtime)) { - return nullptr; - } - return std::make_unique(cb, n); - }; + + return std::make_shared( + [cb = std::move(callback)]() mutable -> OptRef { return cb; }, name, + composite_action.has_sample_percent() + ? absl::make_optional( + composite_action.sample_percent()) + : absl::nullopt, + runtime); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCbDownstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor) { @@ -126,10 +134,10 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCb *message, context.stat_prefix_, context.server_factory_context_.value()); } - return createActionFactoryCbCommon(composite_action, context, callback, true); + return createActionCommon(composite_action, context, callback, true); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCbUpstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor) { @@ -150,7 +158,7 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCb callback = callback_or_status.value(); } - return createActionFactoryCbCommon(composite_action, context, callback, false); + return createActionCommon(composite_action, context, callback, false); } REGISTER_FACTORY(ExecuteFilterActionFactory, diff --git a/source/extensions/filters/http/composite/action.h b/source/extensions/filters/http/composite/action.h index 834b757a573fa..ecd9ad9bb076c 100644 --- a/source/extensions/filters/http/composite/action.h +++ b/source/extensions/filters/http/composite/action.h @@ -18,16 +18,26 @@ class ExecuteFilterAction : public Matcher::ActionBase< envoy::extensions::filters::http::composite::v3::ExecuteFilterAction> { public: - explicit ExecuteFilterAction(Http::FilterFactoryCb cb, const std::string& name) - : cb_(std::move(cb)), name_(name) {} + using FilterConfigProvider = std::function()>; + + explicit ExecuteFilterAction( + FilterConfigProvider config_provider, const std::string& name, + const absl::optional& sample, + Runtime::Loader& runtime) + : config_provider_(std::move(config_provider)), name_(name), sample_(sample), + runtime_(runtime) {} void createFilters(Http::FilterChainFactoryCallbacks& callbacks) const; - const std::string& actionName() const { return name_; } + const std::string& actionName() const; + + bool actionSkip() const; private: - Http::FilterFactoryCb cb_; + FilterConfigProvider config_provider_; const std::string name_; + const absl::optional sample_; + Runtime::Loader& runtime_; }; class ExecuteFilterActionFactory @@ -36,29 +46,22 @@ class ExecuteFilterActionFactory public: std::string name() const override { return "composite-action"; } - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, - Http::Matching::HttpFilterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, Http::Matching::HttpFilterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); } - // Rolling the dice to decide whether the action will be sampled. - // By default, if sample_percent is not specified, then it is sampled. - bool isSampled( - const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, - Envoy::Runtime::Loader& runtime); - private: - Matcher::ActionFactoryCb createActionFactoryCbCommon( + Matcher::ActionConstSharedPtr createActionCommon( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, Envoy::Http::FilterFactoryCb& callback, bool is_downstream); template - Matcher::ActionFactoryCb createDynamicActionFactoryCbTyped( + Matcher::ActionConstSharedPtr createDynamicActionTyped( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, const std::string& filter_chain_type, FactoryCtx& factory_context, std::shared_ptr& provider_manager) { @@ -73,35 +76,30 @@ class ExecuteFilterActionFactory server_factory_context.clusterManager(), false, filter_chain_type, nullptr); Envoy::Runtime::Loader& runtime = context.server_factory_context_->runtime(); - return - [provider = std::move(provider), n = std::move(name), - composite_action = std::move(composite_action), &runtime, this]() -> Matcher::ActionPtr { - if (!isSampled(composite_action, runtime)) { - return nullptr; - } - - if (auto config_value = provider->config(); config_value.has_value()) { - return std::make_unique(config_value.ref(), n); - } - // There is no dynamic config available. Apply missing config filter. - return std::make_unique(Envoy::Http::MissingConfigFilterFactory, n); - }; + + return std::make_shared( + [provider]() -> OptRef { return provider->config(); }, name, + composite_action.has_sample_percent() + ? absl::make_optional( + composite_action.sample_percent()) + : absl::nullopt, + runtime); } - Matcher::ActionFactoryCb createDynamicActionFactoryCbDownstream( + Matcher::ActionConstSharedPtr createDynamicActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context); - Matcher::ActionFactoryCb createDynamicActionFactoryCbUpstream( + Matcher::ActionConstSharedPtr createDynamicActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context); - Matcher::ActionFactoryCb createStaticActionFactoryCbDownstream( + Matcher::ActionConstSharedPtr createStaticActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor); - Matcher::ActionFactoryCb createStaticActionFactoryCbUpstream( + Matcher::ActionConstSharedPtr createStaticActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor); diff --git a/source/extensions/filters/http/composite/filter.cc b/source/extensions/filters/http/composite/filter.cc index 3075685da05b1..fd12f0946ecd7 100644 --- a/source/extensions/filters/http/composite/filter.cc +++ b/source/extensions/filters/http/composite/filter.cc @@ -96,7 +96,6 @@ void Filter::encodeComplete() { void Filter::onMatchCallback(const Matcher::Action& action) { const auto& composite_action = action.getTyped(); - FactoryCallbacksWrapper wrapper(*this, dispatcher_); composite_action.createFilters(wrapper); @@ -107,11 +106,12 @@ void Filter::onMatchCallback(const Matcher::Action& action) { wrapper.errors_, [](const auto& status) { return status.ToString(); })); return; } - const std::string& action_name = composite_action.actionName(); if (wrapper.filter_to_inject_.has_value()) { stats_.filter_delegation_success_.inc(); + const std::string& action_name = composite_action.actionName(); + auto createDelegatedFilterFn = Overloaded{ [this, action_name](Http::StreamDecoderFilterSharedPtr filter) { delegated_filter_ = std::make_shared(std::move(filter)); @@ -137,7 +137,6 @@ void Filter::onMatchCallback(const Matcher::Action& action) { access_loggers_.insert(access_loggers_.end(), wrapper.access_loggers_.begin(), wrapper.access_loggers_.end()); } - // TODO(snowp): Make it possible for onMatchCallback to fail the stream by issuing a local reply, // either directly or via some return status. } diff --git a/source/extensions/filters/http/composite/filter.h b/source/extensions/filters/http/composite/filter.h index acc86f447bf57..551744416fc5b 100644 --- a/source/extensions/filters/http/composite/filter.h +++ b/source/extensions/filters/http/composite/filter.h @@ -57,8 +57,7 @@ class Filter : public Http::StreamFilter, Logger::Loggable { public: Filter(FilterStats& stats, Event::Dispatcher& dispatcher, bool is_upstream) - : dispatcher_(dispatcher), decoded_headers_(false), stats_(stats), is_upstream_(is_upstream) { - } + : dispatcher_(dispatcher), stats_(stats), is_upstream_(is_upstream) {} // Http::StreamDecoderFilter Http::FilterHeadersStatus decodeHeaders(Http::RequestHeaderMap& headers, @@ -124,7 +123,7 @@ class Filter : public Http::StreamFilter, // time will result in various FM assertions firing. // We should be protected against this by the match tree validation that only allows request // headers, this just provides some additional sanity checking. - bool decoded_headers_ : 1; + bool decoded_headers_{false}; // Wraps a stream encoder OR a stream decoder filter into a stream filter, making it easier to // delegate calls. diff --git a/source/extensions/filters/http/custom_response/config.cc b/source/extensions/filters/http/custom_response/config.cc index 4aa4ec67746fc..84d5c1533b20d 100644 --- a/source/extensions/filters/http/custom_response/config.cc +++ b/source/extensions/filters/http/custom_response/config.cc @@ -61,7 +61,7 @@ PolicySharedPtr FilterConfig::getPolicy(const ::Envoy::Http::ResponseHeaderMap& if (!match_result.isMatch()) { return PolicySharedPtr{}; } - return match_result.action()->getTyped().policy_; + return std::dynamic_pointer_cast(match_result.actionByMove()); } } // namespace CustomResponse diff --git a/source/extensions/filters/http/custom_response/policy.h b/source/extensions/filters/http/custom_response/policy.h index 8a4d98080421d..8a18f647ea2e3 100644 --- a/source/extensions/filters/http/custom_response/policy.h +++ b/source/extensions/filters/http/custom_response/policy.h @@ -19,9 +19,9 @@ namespace CustomResponse { class CustomResponseFilter; // Base class for custom response policies. -class Policy : public std::enable_shared_from_this { +class Policy : public std::enable_shared_from_this, + public Matcher::ActionBase { public: - virtual ~Policy() = default; virtual Http::FilterHeadersStatus encodeHeaders(Http::ResponseHeaderMap&, bool, CustomResponseFilter&) const PURE; @@ -42,11 +42,6 @@ struct CustomResponseFilterState : public std::enable_shared_from_this { - explicit CustomResponseMatchAction(PolicySharedPtr policy) : policy_(policy) {} - const PolicySharedPtr policy_; -}; - struct CustomResponseActionFactoryContext { Server::Configuration::ServerFactoryContext& server_; Stats::StatName stats_prefix_; @@ -57,12 +52,10 @@ template class PolicyMatchActionFactory : public Matcher::ActionFactory, Logger::Loggable { public: - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, - CustomResponseActionFactoryContext& context, - ProtobufMessage::ValidationVisitor&) override { - return [policy = createPolicy(config, context.server_, context.stats_prefix_)] { - return std::make_unique(policy); - }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message& config, + CustomResponseActionFactoryContext& context, + ProtobufMessage::ValidationVisitor&) override { + return createPolicy(config, context.server_, context.stats_prefix_); } std::string category() const override { return "envoy.http.custom_response"; } diff --git a/source/extensions/filters/http/match_delegate/config.cc b/source/extensions/filters/http/match_delegate/config.cc index 86d32d5e63222..c80e56c9fc92f 100644 --- a/source/extensions/filters/http/match_delegate/config.cc +++ b/source/extensions/filters/http/match_delegate/config.cc @@ -24,10 +24,10 @@ class SkipActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "skip"; } - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, - Envoy::Http::Matching::HttpFilterActionContext&, - ProtobufMessage::ValidationVisitor&) override { - return []() { return std::make_unique(); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, + Envoy::Http::Matching::HttpFilterActionContext&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -120,8 +120,8 @@ void DelegatingStreamFilter::FilterMatchState::evaluateMatchTree( match_tree_evaluated_ = match_result.isComplete(); if (match_tree_evaluated_ && match_result.isMatch()) { - const Matcher::ActionPtr result = match_result.action(); - if ((result == nullptr) || (SkipAction().typeUrl() == result->typeUrl())) { + const auto& result = match_result.action(); + if (result == nullptr || SkipAction().typeUrl() == result->typeUrl()) { skip_filter_ = true; } else { ASSERT(base_filter_ != nullptr); diff --git a/source/extensions/filters/http/proto_api_scrubber/filter_config.h b/source/extensions/filters/http/proto_api_scrubber/filter_config.h index bb246bfcb8224..6fa6245a78683 100644 --- a/source/extensions/filters/http/proto_api_scrubber/filter_config.h +++ b/source/extensions/filters/http/proto_api_scrubber/filter_config.h @@ -118,10 +118,10 @@ class RemoveFieldAction : public Matcher::ActionBase { public: - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, - ProtoApiScrubberRemoveFieldAction&, - ProtobufMessage::ValidationVisitor&) override { - return []() { return std::make_unique(); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, + ProtoApiScrubberRemoveFieldAction&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { diff --git a/source/extensions/filters/http/rate_limit_quota/filter.cc b/source/extensions/filters/http/rate_limit_quota/filter.cc index 34c74d7e4a6e6..cb297c5d0dd90 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.cc +++ b/source/extensions/filters/http/rate_limit_quota/filter.cc @@ -56,8 +56,9 @@ inline Envoy::Http::Code getDenyResponseCode(const DenyResponseSettings& setting inline std::function addDenyResponseHeadersCb(const DenyResponseSettings& settings) { - if (settings.response_headers_to_add().empty()) + if (settings.response_headers_to_add().empty()) { return nullptr; + } // Headers copied from settings for thread-safety. return [headers_to_add = settings.response_headers_to_add()](Http::ResponseHeaderMap& headers) { for (const envoy::config::core::v3::HeaderValueOption& header : headers_to_add) { @@ -79,7 +80,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade bool end_stream) { ENVOY_LOG(trace, "decodeHeaders: end_stream = {}", end_stream); // First, perform the request matching. - absl::StatusOr match_result = requestMatching(headers); + absl::StatusOr match_result = requestMatching(headers); if (!match_result.ok()) { // When the request is not matched by any matchers, it is ALLOWED by default // (i.e., fail-open) and its quota usage will not be reported to RLQS @@ -184,7 +185,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade // TODO(tyxia) Currently request matching is only performed on the request // header. -absl::StatusOr +absl::StatusOr RateLimitQuotaFilter::requestMatching(const Http::RequestHeaderMap& headers) { // Initialize the data pointer on first use and reuse it for subsequent // requests. This avoids creating the data object for every request, which @@ -215,7 +216,7 @@ RateLimitQuotaFilter::requestMatching(const Http::RequestHeaderMap& headers) { return absl::NotFoundError("Matching completed but no match result was found."); } // Return the matched result for `on_match` case. - return match_result.action(); + return match_result.actionByMove(); } void RateLimitQuotaFilter::onDestroy() { diff --git a/source/extensions/filters/http/rate_limit_quota/filter.h b/source/extensions/filters/http/rate_limit_quota/filter.h index dcaf8b45a8d51..2920594c5d5f3 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.h +++ b/source/extensions/filters/http/rate_limit_quota/filter.h @@ -65,7 +65,8 @@ class RateLimitQuotaFilter : public Http::PassThroughFilter, // Perform request matching. It returns the generated bucket ids if the // matching succeeded, error status otherwise. - absl::StatusOr requestMatching(const Http::RequestHeaderMap& headers); + absl::StatusOr + requestMatching(const Http::RequestHeaderMap& headers); Http::Matching::HttpMatchingDataImpl matchingData() { ASSERT(data_ptr_ != nullptr); diff --git a/source/extensions/filters/http/rate_limit_quota/matcher.h b/source/extensions/filters/http/rate_limit_quota/matcher.h index 38eb7ee3921c7..ee6fc0a21bdc1 100644 --- a/source/extensions/filters/http/rate_limit_quota/matcher.h +++ b/source/extensions/filters/http/rate_limit_quota/matcher.h @@ -51,17 +51,15 @@ class RateLimitOnMatchActionFactory : public Matcher::ActionFactory(config, validation_visitor); - return [bucket_settings = std::move(bucket_settings)]() { - return std::make_unique(std::move(bucket_settings)); - }; + return std::make_shared(std::move(bucket_settings)); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { diff --git a/source/extensions/filters/network/generic_proxy/route_impl.cc b/source/extensions/filters/network/generic_proxy/route_impl.cc index 60fd548e078f3..d70a3a99fc9d6 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.cc +++ b/source/extensions/filters/network/generic_proxy/route_impl.cc @@ -61,13 +61,12 @@ RouteEntryImpl::RouteEntryImpl(const ProtoRouteAction& route_action, } } -Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_action = MessageUtil::downcastAndValidate(config, validation_visitor); - auto route = std::make_shared(route_action, context.factory_context); - return [route]() { return std::make_unique(route); }; + return std::make_shared(route_action, context.factory_context); } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); @@ -92,15 +91,12 @@ RouteEntryConstSharedPtr VirtualHostImpl::routeEntry(const MatchInput& request) Matcher::MatchResult match_result = Matcher::evaluateMatch(*matcher_, request); if (match_result.isMatch()) { - Matcher::ActionPtr action = match_result.action(); - + Matcher::ActionConstSharedPtr action = match_result.actionByMove(); // The only possible action that can be used within the route matching context // is the RouteMatchAction, so this must be true. - ASSERT(action->typeUrl() == RouteMatchAction::staticTypeUrl()); - ASSERT(dynamic_cast(action.get())); - const RouteMatchAction& route_action = static_cast(*action); - - return route_action.route(); + ASSERT(action->typeUrl() == RouteEntryImpl::staticTypeUrl()); + ASSERT(dynamic_cast(action.get())); + return std::dynamic_pointer_cast(std::move(action)); } ENVOY_LOG(debug, "failed to match incoming request: {}", diff --git a/source/extensions/filters/network/generic_proxy/route_impl.h b/source/extensions/filters/network/generic_proxy/route_impl.h index 62118b8856f6e..ef81c9818d7a3 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.h +++ b/source/extensions/filters/network/generic_proxy/route_impl.h @@ -32,7 +32,7 @@ using ProtoRouteConfiguration = using ProtoVirtualHost = envoy::extensions::filters::network::generic_proxy::v3::VirtualHost; using ProtoRetryPolicy = envoy::config::core::v3::RetryPolicy; -class RouteEntryImpl : public RouteEntry { +class RouteEntryImpl : public RouteEntry, public Matcher::ActionBase { public: RouteEntryImpl(const ProtoRouteAction& route, Envoy::Server::Configuration::ServerFactoryContext& context); @@ -76,17 +76,6 @@ struct RouteActionContext { Server::Configuration::ServerFactoryContext& factory_context; }; -// Action used with the matching tree to specify route to use for an incoming stream. -class RouteMatchAction : public Matcher::ActionBase { -public: - explicit RouteMatchAction(RouteEntryConstSharedPtr route) : route_(std::move(route)) {} - - RouteEntryConstSharedPtr route() const { return route_; } - -private: - RouteEntryConstSharedPtr route_; -}; - class RouteActionValidationVisitor : public Matcher::MatchTreeValidationVisitor { public: absl::Status performDataInputValidation(const Matcher::DataInputFactory&, @@ -98,9 +87,9 @@ class RouteActionValidationVisitor : public Matcher::MatchTreeValidationVisitor< // Registered factory for RouteMatchAction. class RouteMatchActionFactory : public Matcher::ActionFactory { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "envoy.matching.action.generic_proxy.route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/network/match_delegate/config.cc b/source/extensions/filters/network/match_delegate/config.cc index b176034ad65ff..adfa6938a7e8f 100644 --- a/source/extensions/filters/network/match_delegate/config.cc +++ b/source/extensions/filters/network/match_delegate/config.cc @@ -18,10 +18,9 @@ namespace Factory { class SkipActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "skip"; } - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, - NetworkFilterActionContext&, - ProtobufMessage::ValidationVisitor&) override { - return []() { return std::make_unique(); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, NetworkFilterActionContext&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -107,8 +106,8 @@ void DelegatingNetworkFilter::FilterMatchState::evaluateMatchTree() { match_tree_evaluated_ = match_result.isComplete(); if (match_tree_evaluated_ && match_result.isMatch()) { - const Matcher::ActionPtr result = match_result.action(); - if ((result == nullptr) || (SkipAction().typeUrl() == result->typeUrl())) { + const auto& result = match_result.action(); + if (result == nullptr || SkipAction().typeUrl() == result->typeUrl()) { skip_filter_ = true; } else { // TODO(botengyao) this would be similar to `base_filter_->onMatchCallback(*result);` @@ -192,7 +191,7 @@ Envoy::Network::FilterFactoryCb MatchDelegateConfig::createFilterFactory( auto message = Config::Utility::translateAnyToFactoryConfig( proto_config.extension_config().typed_config(), validation, factory); auto filter_factory_or_error = factory.createFilterFactoryFromProto(*message, context); - THROW_IF_NOT_OK(filter_factory_or_error.status()); + THROW_IF_NOT_OK_REF(filter_factory_or_error.status()); auto filter_factory = filter_factory_or_error.value(); Factory::MatchTreeValidationVisitor validation_visitor(*factory.matchingRequirements()); diff --git a/source/extensions/filters/udp/udp_proxy/router/router_impl.cc b/source/extensions/filters/udp/udp_proxy/router/router_impl.cc index 0fa2a904e1e5b..8ab3a80a569b1 100644 --- a/source/extensions/filters/udp/udp_proxy/router/router_impl.cc +++ b/source/extensions/filters/udp/udp_proxy/router/router_impl.cc @@ -15,17 +15,16 @@ namespace UdpFilters { namespace UdpProxy { namespace Router { -Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate< const envoy::extensions::filters::udp::udp_proxy::v3::Route&>(config, validation_visitor); const auto& cluster = route_config.cluster(); // Emplace cluster names to context to get all cluster names. context.cluster_name_.emplace(cluster); - - return [cluster]() { return std::make_unique(cluster); }; + return std::make_shared(cluster); } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); diff --git a/source/extensions/filters/udp/udp_proxy/router/router_impl.h b/source/extensions/filters/udp/udp_proxy/router/router_impl.h index f506778db6af2..04bb887fde713 100644 --- a/source/extensions/filters/udp/udp_proxy/router/router_impl.h +++ b/source/extensions/filters/udp/udp_proxy/router/router_impl.h @@ -32,9 +32,9 @@ class RouteMatchAction class RouteMatchActionFactory : public Matcher::ActionFactory { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/matching/actions/format_string/config.cc b/source/extensions/matching/actions/format_string/config.cc index 962082481b1f3..9476c572ecee7 100644 --- a/source/extensions/matching/actions/format_string/config.cc +++ b/source/extensions/matching/actions/format_string/config.cc @@ -23,10 +23,10 @@ ActionImpl::get(const Server::Configuration::FilterChainsByName& filter_chains_b return nullptr; } -Matcher::ActionFactoryCb -ActionFactory::createActionFactoryCb(const Protobuf::Message& proto_config, - FilterChainActionFactoryContext& context, - ProtobufMessage::ValidationVisitor& validator) { +Matcher::ActionConstSharedPtr +ActionFactory::createAction(const Protobuf::Message& proto_config, + FilterChainActionFactoryContext& context, + ProtobufMessage::ValidationVisitor& validator) { const auto& config = MessageUtil::downcastAndValidate( proto_config, validator); @@ -35,7 +35,7 @@ ActionFactory::createActionFactoryCb(const Protobuf::Message& proto_config, Formatter::FormatterConstSharedPtr formatter = THROW_OR_RETURN_VALUE( Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, generic_context), Formatter::FormatterPtr); - return [formatter]() { return std::make_unique(formatter); }; + return std::make_shared(std::move(formatter)); } REGISTER_FACTORY(ActionFactory, Matcher::ActionFactory); diff --git a/source/extensions/matching/actions/format_string/config.h b/source/extensions/matching/actions/format_string/config.h index 359490c375238..0b893e2903031 100644 --- a/source/extensions/matching/actions/format_string/config.h +++ b/source/extensions/matching/actions/format_string/config.h @@ -17,7 +17,7 @@ namespace FormatString { class ActionImpl : public Matcher::ActionBase { public: - ActionImpl(const Formatter::FormatterConstSharedPtr& formatter) : formatter_(formatter) {} + ActionImpl(Formatter::FormatterConstSharedPtr formatter) : formatter_(std::move(formatter)) {} const Network::FilterChain* get(const Server::Configuration::FilterChainsByName& filter_chains_by_name, const StreamInfo::StreamInfo& info) const override; @@ -30,10 +30,9 @@ using FilterChainActionFactoryContext = Server::Configuration::ServerFactoryCont class ActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "envoy.matching.actions.format_string"; } - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& proto_config, - FilterChainActionFactoryContext& context, - ProtobufMessage::ValidationVisitor& validator) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& proto_config, FilterChainActionFactoryContext& context, + ProtobufMessage::ValidationVisitor& validator) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); } diff --git a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc index 70d35193631e2..8553f75f0cde9 100644 --- a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc +++ b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc @@ -10,14 +10,12 @@ namespace Extensions { namespace Router { namespace Matcher { -Envoy::Matcher::ActionFactoryCb ClusterActionFactory::createActionFactoryCb( - const Protobuf::Message& config, ClusterActionContext&, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Envoy::Matcher::ActionConstSharedPtr +ClusterActionFactory::createAction(const Protobuf::Message& config, ClusterActionContext&, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& proto_config = MessageUtil::downcastAndValidate(config, validation_visitor); - auto cluster = std::make_shared(proto_config.cluster()); - - return [cluster]() { return std::make_unique(cluster); }; + return std::make_shared(proto_config.cluster()); } REGISTER_FACTORY(ClusterActionFactory, Envoy::Matcher::ActionFactory); @@ -43,9 +41,7 @@ class MatcherRouteEntry : public Envoy::Router::DelegatingRouteEntry { if (!match_result.isMatch()) { return; } - - const Envoy::Matcher::ActionPtr result = match_result.action(); - cluster_name_.emplace(result->getTyped().cluster()); + cluster_name_.emplace(match_result.action()->getTyped().cluster()); } private: diff --git a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h index 52562d728cb0f..88e7746cea02b 100644 --- a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h +++ b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h @@ -26,21 +26,21 @@ struct ClusterActionContext {}; */ class ClusterAction : public Envoy::Matcher::ActionBase { public: - explicit ClusterAction(std::shared_ptr cluster) : cluster_(cluster) {} + explicit ClusterAction(absl::string_view cluster) : cluster_(cluster) {} - const std::string& cluster() const { return *cluster_; } + const std::string& cluster() const { return cluster_; } private: - const std::shared_ptr cluster_; + const std::string cluster_; }; // Registered factory for ClusterAction. This factory will be used to load proto configuration // from opaque config. class ClusterActionFactory : public Envoy::Matcher::ActionFactory { public: - Envoy::Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, ClusterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Envoy::Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, ClusterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "cluster"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/test/common/matcher/exact_map_matcher_test.cc b/test/common/matcher/exact_map_matcher_test.cc index b635a25b3bf93..2dc71b5e0c4c1 100644 --- a/test/common/matcher/exact_map_matcher_test.cc +++ b/test/common/matcher/exact_map_matcher_test.cc @@ -109,7 +109,7 @@ TEST(ExactMapMatcherTest, RecursiveMatching) { std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "match"}), stringOnMatch("no_match")); - matcher->addChild("match", OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher, + matcher->addChild("match", OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher, /*.keep_matching=*/false}); TestData data; @@ -127,7 +127,7 @@ TEST(ExactMapMatcherTest, RecursiveMatchingOnNoMatch) { std::unique_ptr> matcher = *ExactMapMatcher::create( std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "blah"}), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher, /*.keep_matching=*/false}); matcher->addChild("match", stringOnMatch("match")); @@ -156,14 +156,14 @@ TEST(ExactMapMatcherTest, RecursiveMatchingWithKeepMatching) { std::unique_ptr> matcher = *ExactMapMatcher::create( std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "match"}), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/top_on_no_match_matcher, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/top_on_no_match_matcher, /*.keep_matching=*/false}); - matcher->addChild("match", OnMatch{/*.action_cb=*/nullptr, + matcher->addChild("match", OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_match_keeps_matching, /*.keep_matching=*/true}); - std::vector skipped_results{}; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results{}; + SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionConstSharedPtr& cb) { skipped_results.push_back(cb); }; TestData data; diff --git a/test/common/matcher/list_matcher_test.cc b/test/common/matcher/list_matcher_test.cc index 42246922f1ccd..aa83f429e4bae 100644 --- a/test/common/matcher/list_matcher_test.cc +++ b/test/common/matcher/list_matcher_test.cc @@ -40,8 +40,8 @@ TEST(ListMatcherTest, KeepMatching) { matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), stringOnMatch("matched", /*keep_matching=*/false)); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; auto result = matcher.match(TestData(), skipped_match_cb); @@ -56,8 +56,8 @@ TEST(ListMatcherTest, KeepMatchingOnNoMatch) { matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), stringOnMatch("keep matching 2", /*keep_matching=*/true)); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; auto result = matcher.match(TestData(), skipped_match_cb); @@ -84,17 +84,17 @@ TEST(ListMatcherTest, KeepMatchingWithRecursion) { Envoy::Matcher::ListMatcher matcher(stringOnMatch("top_level on_no_match")); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_1, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_1, /*.keep_matching=*/false}); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_2, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_2, /*.keep_matching=*/true}); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_3, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_3, /*.keep_matching=*/false}); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = matcher.match(TestData(), skipped_match_cb); @@ -120,17 +120,17 @@ TEST(ListMatcherTest, KeepMatchingWithRecursiveOnNoMatch) { stringOnMatch("on_no_match sub match", /*keep_matching=*/true)); Envoy::Matcher::ListMatcher matcher( - OnMatch{/*action_cb=*/nullptr, + OnMatch{/*action_=*/nullptr, /*matcher=*/on_no_match_sub_matcher, /*keep_matching=*/false}); matcher.addMatcher( createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*action_cb=*/nullptr, /*matcher=*/sub_matcher_1, /*keep_matching=*/true}); + OnMatch{/*action_=*/nullptr, /*matcher=*/sub_matcher_1, /*keep_matching=*/true}); matcher.addMatcher( createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*action_cb=*/nullptr, /*matcher=*/sub_matcher_2, /*keep_matching=*/false}); + OnMatch{/*action_=*/nullptr, /*matcher=*/sub_matcher_2, /*keep_matching=*/false}); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = matcher.match(TestData(), skipped_match_cb); diff --git a/test/common/matcher/matcher_test.cc b/test/common/matcher/matcher_test.cc index d4072671da910..09b31e650f582 100644 --- a/test/common/matcher/matcher_test.cc +++ b/test/common/matcher/matcher_test.cc @@ -907,8 +907,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingSupportInEvaluation) { validation_visitor_.setSupportKeepMatching(true); std::shared_ptr> matcher = createMatcherFromYaml(yaml)(); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; const auto result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1020,8 +1020,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithRecursiveMatcher) { // Expect the nested matchers with keep_matching to be skipped and also the top-level // keep_matching setting to skip the result of the first sub-matcher. - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1056,8 +1056,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithUnsupportedReentry) { validation_visitor_.setSupportKeepMatching(true); std::shared_ptr> matcher = createMatcherFromYaml(yaml)(); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1130,12 +1130,12 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithFailingNestedMatcher) { stringOnMatch("fail")); matcher->addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/nested_matcher, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/nested_matcher, /*.keep_matching=*/true}); // Expect re-entry to fail due to the nested matcher. - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); diff --git a/test/common/matcher/test_utility.h b/test/common/matcher/test_utility.h index 808decee787bc..7eeec55e96897 100644 --- a/test/common/matcher/test_utility.h +++ b/test/common/matcher/test_utility.h @@ -162,10 +162,10 @@ struct StringAction : public ActionBase { // Factory for StringAction. class StringActionFactory : public ActionFactory { public: - ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, absl::string_view&, - ProtobufMessage::ValidationVisitor&) override { + ActionConstSharedPtr createAction(const Protobuf::Message& config, absl::string_view&, + ProtobufMessage::ValidationVisitor&) override { const auto& string = dynamic_cast(config); - return [string]() { return std::make_unique(string.value()); }; + return std::make_shared(string.value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { @@ -273,14 +273,9 @@ void PrintTo(const FieldMatchResult& result, std::ostream* os) { } } -// Creates a StringAction from a provided string. -std::unique_ptr stringValue(absl::string_view value) { - return std::make_unique(std::string(value)); -} - // Creates an OnMatch that evaluates to a StringValue with the provided value. template OnMatch stringOnMatch(absl::string_view value, bool keep_matching = false) { - return OnMatch{[s = std::string(value)]() { return stringValue(s); }, nullptr, keep_matching}; + return OnMatch{std::make_shared(std::string(value)), nullptr, keep_matching}; } inline void PrintTo(const Action& action, std::ostream* os) { @@ -291,23 +286,14 @@ inline void PrintTo(const Action& action, std::ostream* os) { *os << "{type=" << action.typeUrl() << "}"; } -inline void PrintTo(const ActionFactoryCb& action_cb, std::ostream* os) { - if (action_cb == nullptr) { - *os << "nullptr"; - return; - } - ActionPtr action = action_cb(); - PrintTo(*action, os); -} - inline void PrintTo(const MatchResult& result, std::ostream* os) { if (result.isInsufficientData()) { *os << "InsufficientData"; } else if (result.isNoMatch()) { *os << "NoMatch"; } else if (result.isMatch()) { - *os << "Match{ActionFactoryCb="; - PrintTo(result.actionFactory(), os); + *os << "Match{Action="; + PrintTo(*result.action(), os); *os << "}"; } else { *os << "UnknownState"; @@ -319,9 +305,9 @@ inline void PrintTo(const MatchTree& matcher, std::ostream* os) { } inline void PrintTo(const OnMatch& on_match, std::ostream* os) { - if (on_match.action_cb_) { - *os << "{action_cb_="; - PrintTo(on_match.action_cb_, os); + if (on_match.action_) { + *os << "{action_="; + PrintTo(on_match.action_, os); *os << "}"; } else if (on_match.matcher_) { *os << "{matcher_="; @@ -339,26 +325,25 @@ MATCHER(HasInsufficientData, "") { } MATCHER_P(IsActionWithType, matcher, "") { - // Takes an ActionFactoryCb argument, and compares its action type against matcher. + // Takes an ActionConstSharedPtr argument, and compares its action type against matcher. if (arg == nullptr) { return false; } - ActionPtr action = arg(); - return ::testing::ExplainMatchResult(testing::Matcher(matcher), - action->typeUrl(), result_listener); + return ::testing::ExplainMatchResult(testing::Matcher(matcher), arg->typeUrl(), + result_listener); } MATCHER_P(IsStringAction, matcher, "") { - // Takes an ActionFactoryCb argument, and compares its StringAction's string against matcher. + // Takes an ActionConstSharedPtr argument, and compares its StringAction's string against matcher. if (arg == nullptr) { return false; } - ActionPtr action = arg(); - if (action->typeUrl() != "google.protobuf.StringValue") { + + if (arg->typeUrl() != "google.protobuf.StringValue") { return false; } return ::testing::ExplainMatchResult(testing::Matcher(matcher), - action->template getTyped().string_, + arg->template getTyped().string_, result_listener); } @@ -368,8 +353,7 @@ MATCHER_P(HasStringAction, matcher, "") { if (!arg.isMatch()) { return false; } - return ::testing::ExplainMatchResult(IsStringAction(matcher), arg.actionFactory(), - result_listener); + return ::testing::ExplainMatchResult(IsStringAction(matcher), arg.action(), result_listener); } MATCHER_P(HasActionWithType, matcher, "") { @@ -378,8 +362,7 @@ MATCHER_P(HasActionWithType, matcher, "") { if (!arg.isMatch()) { return false; } - return ::testing::ExplainMatchResult(IsActionWithType(matcher), arg.actionFactory(), - result_listener); + return ::testing::ExplainMatchResult(IsActionWithType(matcher), arg.action(), result_listener); } MATCHER(HasNoMatch, "") { diff --git a/test/extensions/common/matcher/domain_matcher_test.cc b/test/extensions/common/matcher/domain_matcher_test.cc index 1ea833d294e1c..20e57359201d7 100644 --- a/test/extensions/common/matcher/domain_matcher_test.cc +++ b/test/extensions/common/matcher/domain_matcher_test.cc @@ -38,7 +38,6 @@ using ::Envoy::Matcher::MatchResult; using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; using ::Envoy::Matcher::SkippedMatchCb; -using ::Envoy::Matcher::StringAction; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; @@ -625,8 +624,8 @@ TEST_F(DomainMatcherTest, KeepMatchingSupport) { loadConfig(yaml); validation_visitor_.setSupportKeepMatching(true); - std::vector skipped_results; - skipped_match_cb_ = [&skipped_results](Envoy::Matcher::ActionFactoryCb cb) { + std::vector skipped_results; + skipped_match_cb_ = [&skipped_results](const Envoy::Matcher::ActionConstSharedPtr& cb) { skipped_results.push_back(cb); }; diff --git a/test/extensions/common/matcher/trie_matcher_test.cc b/test/extensions/common/matcher/trie_matcher_test.cc index 02f40777e9db2..d7a4536b5fba9 100644 --- a/test/extensions/common/matcher/trie_matcher_test.cc +++ b/test/extensions/common/matcher/trie_matcher_test.cc @@ -27,8 +27,8 @@ namespace Common { namespace Matcher { namespace { +using ::Envoy::Matcher::ActionConstSharedPtr; using ::Envoy::Matcher::ActionFactory; -using ::Envoy::Matcher::ActionFactoryCb; using ::Envoy::Matcher::CustomMatcherFactory; using ::Envoy::Matcher::DataInputGetResult; using ::Envoy::Matcher::HasInsufficientData; @@ -36,12 +36,10 @@ using ::Envoy::Matcher::HasNoMatch; using ::Envoy::Matcher::HasStringAction; using ::Envoy::Matcher::IsStringAction; using ::Envoy::Matcher::MatchResult; -using ::Envoy::Matcher::MatchTree; using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MatchTreePtr; using ::Envoy::Matcher::MatchTreeSharedPtr; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; -using ::Envoy::Matcher::StringAction; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; @@ -604,8 +602,10 @@ TEST_F(TrieMatcherTest, ExerciseKeepMatching) { // Skip baz because the nested matcher is set with keep_matching. // Skip bag because the nested matcher returns on_no_match, but the top-level matcher is set to // keep_matching. - std::vector skipped_results{}; - skipped_match_cb_ = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; + std::vector skipped_results{}; + skipped_match_cb_ = [&skipped_results](const ActionConstSharedPtr& cb) { + skipped_results.push_back(cb); + }; auto input = TestDataInputStringFactory("192.101.0.1"); auto nested = TestDataInputBoolFactory("baz"); diff --git a/test/extensions/filters/http/composite/filter_test.cc b/test/extensions/filters/http/composite/filter_test.cc index d37bd319eae93..03ecafba79106 100644 --- a/test/extensions/filters/http/composite/filter_test.cc +++ b/test/extensions/filters/http/composite/filter_test.cc @@ -86,6 +86,8 @@ class CompositeFilterTest : public ::testing::Test { EXPECT_TRUE(MessageDifferencer::Equals(expected, *(info->serializeAsProto()))); } + testing::NiceMock context_; + testing::NiceMock decoder_callbacks_; testing::NiceMock encoder_callbacks_; Stats::MockCounter error_counter_; @@ -114,12 +116,13 @@ TEST_F(FilterTest, StreamEncoderFilterDelegation) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -143,12 +146,13 @@ TEST_F(FilterTest, StreamDecoderFilterDelegation) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamDecoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setDecoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -171,14 +175,15 @@ TEST_F(FilterTest, StreamFilterDelegation) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setDecoderFilterCallbacks(_)); EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); EXPECT_CALL(success_counter_, inc()); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); filter_.onMatchCallback(action); expectFilterStateInfo(filter_state); @@ -200,12 +205,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamFilters) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamFilter(stream_filter); cb.addStreamFilter(stream_filter); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -225,12 +231,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamDecoderFilters) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamDecoderFilter(decoder_filter); cb.addStreamDecoderFilter(decoder_filter); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -250,12 +257,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamEncoderFilters) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(encode_filter); cb.addStreamEncoderFilter(encode_filter); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -278,13 +286,14 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleAccessLoggers) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(encode_filter); cb.addAccessLogHandler(access_log_1); cb.addAccessLogHandler(access_log_2); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(*encode_filter, setEncoderFilterCallbacks(_)); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -340,8 +349,7 @@ TEST(ConfigTest, TestConfig) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Error: Only one of `dynamic_config` or `typed_config` can be set."); } } @@ -371,8 +379,7 @@ TEST(ConfigTest, TestDynamicConfigInDownstream) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get downstream factory context or server factory context."); } @@ -400,8 +407,7 @@ TEST(ConfigTest, TestDynamicConfigInUpstream) { .server_factory_context_ = absl::nullopt}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get upstream factory context or server factory context."); } @@ -428,8 +434,7 @@ TEST(ConfigTest, CreateFilterFromServerContextDual) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "DualFactoryBase: creating filter factory from server factory context is not supported"); } @@ -456,8 +461,7 @@ TEST(ConfigTest, DualFilterNoUpstreamFactoryContext) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get upstream filter factory creation function"); } @@ -482,8 +486,7 @@ TEST(ConfigTest, DownstreamFilterNoFactoryContext) { .server_factory_context_ = absl::nullopt}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get downstream filter factory creation function"); } @@ -510,8 +513,7 @@ TEST(ConfigTest, TestDownstreamFilterNoOverridingServerContext) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Creating filter factory from server factory context is not supported"); } @@ -526,12 +528,23 @@ TEST(ConfigTest, TestSamplePercentNotSpecifiedl) { http_status: 503 )EOF"; - testing::NiceMock server_factory_context; - NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); + + testing::NiceMock server_factory_context; + testing::NiceMock factory_context; + testing::NiceMock upstream_factory_context; + Envoy::Http::Matching::HttpFilterActionContext action_context{ + .is_downstream_ = true, + .stat_prefix_ = "test", + .factory_context_ = absl::nullopt, + .upstream_factory_context_ = absl::nullopt, + .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - EXPECT_TRUE(factory.isSampled(config, runtime)); + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + + EXPECT_FALSE(action->getTyped().actionSkip()); } // Config test to check if sample_percent config is in place and feature enabled. @@ -549,15 +562,27 @@ TEST(ConfigTest, TestSamplePercentInPlaceFeatureEnabled) { denominator: HUNDRED )EOF"; - testing::NiceMock server_factory_context; - NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); + + testing::NiceMock server_factory_context; + testing::NiceMock factory_context; + testing::NiceMock upstream_factory_context; + Envoy::Http::Matching::HttpFilterActionContext action_context{ + .is_downstream_ = true, + .stat_prefix_ = "test", + .factory_context_ = absl::nullopt, + .upstream_factory_context_ = absl::nullopt, + .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - EXPECT_CALL(runtime.snapshot_, + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + + EXPECT_CALL(server_factory_context.runtime_loader_.snapshot_, featureEnabled(_, testing::A())) .WillOnce(testing::Return(true)); - EXPECT_TRUE(factory.isSampled(config, runtime)); + + EXPECT_FALSE(action->getTyped().actionSkip()); } // Config test to check if sample_percent config is in place and feature not enabled. @@ -570,18 +595,32 @@ TEST(ConfigTest, TestSamplePercentInPlaceFeatureNotEnabled) { abort: http_status: 503 sample_percent: - runtime_key: + default_value: + numerator: 30 + denominator: HUNDRED )EOF"; - testing::NiceMock server_factory_context; - NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); + + testing::NiceMock server_factory_context; + testing::NiceMock factory_context; + testing::NiceMock upstream_factory_context; + Envoy::Http::Matching::HttpFilterActionContext action_context{ + .is_downstream_ = true, + .stat_prefix_ = "test", + .factory_context_ = absl::nullopt, + .upstream_factory_context_ = absl::nullopt, + .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - EXPECT_CALL(runtime.snapshot_, + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + + EXPECT_CALL(server_factory_context.runtime_loader_.snapshot_, featureEnabled(_, testing::A())) .WillOnce(testing::Return(false)); - EXPECT_FALSE(factory.isSampled(config, runtime)); + + EXPECT_TRUE(action->getTyped().actionSkip()); } TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForDynamicConfig) { @@ -608,8 +647,8 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForDynamicConf .upstream_factory_context_ = upstream_factory_context, .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor())(); + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); EXPECT_EQ("actionName", action->getTyped().actionName()); } @@ -639,8 +678,8 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForTypedConfig .upstream_factory_context_ = upstream_factory_context, .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor())(); + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); EXPECT_EQ("actionName", action->getTyped().actionName()); } @@ -658,12 +697,13 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingAction) { StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::FilterChain); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -688,12 +728,13 @@ TEST_F(FilterTest, MatchingActionShouldNotCollitionWithOtherRootFilter) { StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::FilterChain); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -724,12 +765,13 @@ TEST_F(UpstreamFilterTest, StreamEncoderFilterDelegationUpstream) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); diff --git a/test/extensions/filters/http/match_delegate/config_test.cc b/test/extensions/filters/http/match_delegate/config_test.cc index 0b63d20d77450..2e032c3953952 100644 --- a/test/extensions/filters/http/match_delegate/config_test.cc +++ b/test/extensions/filters/http/match_delegate/config_test.cc @@ -302,7 +302,7 @@ createMatchingTree(const std::string& name, const std::string& value) { std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_shared(), nullptr, false}); return tree; } @@ -315,7 +315,7 @@ Matcher::MatchTreeSharedPtr createRequestAndRespo tree->addChild( "match", Matcher::OnMatch{ - []() { return std::make_unique(); }, + std::make_shared(), createMatchingTree( "match-header", "match"), false}); @@ -369,13 +369,11 @@ template Matcher::MatchTreeSharedPtr createMatchTreeWithOnNoMatch(const std::string& name, const std::string& value) { auto tree = *Matcher::ExactMapMatcher::create( - std::make_unique(name), - Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_unique(name), Matcher::OnMatch{ + std::make_shared(), nullptr, false}); // No action is set on match. i.e., nullptr action factory cb. - tree->addChild(value, Matcher::OnMatch{[]() { return nullptr; }, - nullptr, false}); + tree->addChild(value, Matcher::OnMatch{nullptr, nullptr, false}); return tree; } diff --git a/test/extensions/filters/http/rate_limit_quota/filter_test.cc b/test/extensions/filters/http/rate_limit_quota/filter_test.cc index 96cdd58b18195..20b860a1a3704 100644 --- a/test/extensions/filters/http/rate_limit_quota/filter_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/filter_test.cc @@ -150,7 +150,7 @@ class FilterTest : public testing::Test { ASSERT_TRUE(match_result.ok()); // Retrieve the matched action. const RateLimitOnMatchAction* match_action = - dynamic_cast(match_result.value().get()); + dynamic_cast(match_result.value().get()); RateLimitQuotaValidationVisitor visitor = {}; // Generate the bucket ids. @@ -277,7 +277,7 @@ TEST_F(FilterTest, RequestMatchingWithInvalidOnNoMatch) { ASSERT_TRUE(match_result.ok()); // Retrieve the matched action. const RateLimitOnMatchAction* match_action = - dynamic_cast(match_result.value().get()); + dynamic_cast(match_result.value().get()); RateLimitQuotaValidationVisitor visitor = {}; // Generate the bucket ids. diff --git a/test/extensions/filters/network/generic_proxy/route_test.cc b/test/extensions/filters/network/generic_proxy/route_test.cc index 56aa14d4e114b..1ee03a8bdd915 100644 --- a/test/extensions/filters/network/generic_proxy/route_test.cc +++ b/test/extensions/filters/network/generic_proxy/route_test.cc @@ -279,16 +279,6 @@ TEST_F(RouteEntryImplTest, NullRouteSpecificConfig) { EXPECT_EQ(route_->perFilterConfig("envoy.filters.generic.mock_filter"), nullptr); }; -/** - * Test the simple route action wrapper. - */ -TEST(RouteMatchActionTest, SimpleRouteMatchActionTest) { - auto entry = std::make_shared>(); - RouteMatchAction action(entry); - - EXPECT_EQ(action.route().get(), entry.get()); -} - /** * Test the simple data input validator. */ @@ -321,13 +311,11 @@ TEST(RouteMatchActionFactoryTest, SimpleRouteMatchActionFactoryTest) { TestUtility::loadFromYaml(yaml_config, proto_config); RouteActionContext context{server_context}; - auto factory_cb = factory.createActionFactoryCb(proto_config, context, - server_context.messageValidationVisitor()); - - EXPECT_EQ(factory_cb()->getTyped().route().get(), - factory_cb()->getTyped().route().get()); + auto action = + factory.createAction(proto_config, context, server_context.messageValidationVisitor()); - EXPECT_EQ(factory_cb()->getTyped().route()->clusterName(), "cluster_0"); + EXPECT_NE(action, nullptr); + EXPECT_EQ(action->getTyped().clusterName(), "cluster_0"); } class RouteMatcherImplTest : public testing::Test { diff --git a/test/extensions/filters/network/match_delegate/config_test.cc b/test/extensions/filters/network/match_delegate/config_test.cc index 574b886536cef..fd283fb15e51c 100644 --- a/test/extensions/filters/network/match_delegate/config_test.cc +++ b/test/extensions/filters/network/match_delegate/config_test.cc @@ -243,7 +243,7 @@ createMatchingTree(const std::string& name, const std::string& value) { std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_shared(), nullptr, false}); return tree; } @@ -394,7 +394,7 @@ createMatchingTreeWithTestAction(const std::string& name, const std::string& val std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_shared(), nullptr, false}); return tree; } diff --git a/test/extensions/matching/actions/format_string/config_test.cc b/test/extensions/matching/actions/format_string/config_test.cc index 8bbb3027572fe..7028674e75f2d 100644 --- a/test/extensions/matching/actions/format_string/config_test.cc +++ b/test/extensions/matching/actions/format_string/config_test.cc @@ -23,10 +23,8 @@ TEST(ConfigTest, TestConfig) { testing::NiceMock factory_context; ActionFactory factory; - auto action_cb = factory.createActionFactoryCb(config, factory_context, - ProtobufMessage::getStrictValidationVisitor()); - ASSERT_NE(nullptr, action_cb); - auto action = action_cb(); + auto action = + factory.createAction(config, factory_context, ProtobufMessage::getStrictValidationVisitor()); ASSERT_NE(nullptr, action); const auto& typed_action = action->getTyped(); diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index b419480bd4c25..a1dc887af4abb 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -141,7 +141,7 @@ class MockStreamCallbacks : public StreamCallbacks { class MockCodecEventCallbacks : public CodecEventCallbacks { public: MockCodecEventCallbacks(); - ~MockCodecEventCallbacks(); + ~MockCodecEventCallbacks() override; MOCK_METHOD(void, onCodecEncodeComplete, ()); MOCK_METHOD(void, onCodecLowLevelReset, ()); @@ -343,7 +343,7 @@ class MockStreamDecoderFilterCallbacks : public StreamDecoderFilterCallbacks, MOCK_METHOD(bool, shouldLoadShed, (), (const)); Buffer::InstancePtr buffer_; - std::list callbacks_{}; + std::list callbacks_; testing::NiceMock downstream_callbacks_; testing::NiceMock active_span_; testing::NiceMock tracing_config_; From 30c7579f4b9661f15c8342508c88d160c8d55ffc Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 21 Jul 2025 19:10:28 -0400 Subject: [PATCH 023/505] listener: add generic socket interface selection and filter cleanup (#40304) This PR introduces a mechanism for custom address types to specify their preferred socket interface. It also adds cleanup capabilities for listener filters. We need this change for custom connection types (like reverse tunnels) to integrate cleanly without requiring any hardcoded logic in any of the core components. --- **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- envoy/network/filter.h | 6 + .../listener_manager/active_tcp_socket.cc | 1 + .../listener_manager/active_tcp_socket.h | 2 + .../listener_manager/listener_manager_impl.cc | 18 ++ .../listener_manager_impl_test.cc | 222 ++++++++++++++++++ test/mocks/network/mocks.h | 1 + 6 files changed, 250 insertions(+) diff --git a/envoy/network/filter.h b/envoy/network/filter.h index 8684036d18b35..8aef12ca5a628 100644 --- a/envoy/network/filter.h +++ b/envoy/network/filter.h @@ -440,6 +440,12 @@ class ListenerFilter { */ virtual FilterStatus onData(Network::ListenerFilterBuffer& buffer) PURE; + /** + * Called when the connection is closed. Only the current filter that has stopped filter + * chain iteration will get the callback. + */ + virtual void onClose() {}; + /** * Return the size of data the filter want to inspect from the connection. * The size can be increased after filter need to inspect more data. diff --git a/source/common/listener_manager/active_tcp_socket.cc b/source/common/listener_manager/active_tcp_socket.cc index 0db63c47199e3..d40267d8debeb 100644 --- a/source/common/listener_manager/active_tcp_socket.cc +++ b/source/common/listener_manager/active_tcp_socket.cc @@ -74,6 +74,7 @@ void ActiveTcpSocket::createListenerFilterBuffer() { listener_filter_buffer_ = std::make_unique( socket_->ioHandle(), listener_.dispatcher(), [this](bool error) { + (*iter_)->onClose(); socket_->ioHandle().close(); if (error) { listener_.stats_.downstream_listener_filter_error_.inc(); diff --git a/source/common/listener_manager/active_tcp_socket.h b/source/common/listener_manager/active_tcp_socket.h index 6423f3ba54bdc..9491a2d38713e 100644 --- a/source/common/listener_manager/active_tcp_socket.h +++ b/source/common/listener_manager/active_tcp_socket.h @@ -53,6 +53,8 @@ class ActiveTcpSocket : public Network::ListenerFilterManager, } size_t maxReadBytes() const override { return listener_filter_->maxReadBytes(); } + + void onClose() override { return listener_filter_->onClose(); } }; using ListenerFilterWrapperPtr = std::unique_ptr; diff --git a/source/common/listener_manager/listener_manager_impl.cc b/source/common/listener_manager/listener_manager_impl.cc index 70d80ec81ed80..d7c453aab7ca6 100644 --- a/source/common/listener_manager/listener_manager_impl.cc +++ b/source/common/listener_manager/listener_manager_impl.cc @@ -21,6 +21,7 @@ #include "source/common/network/filter_matcher.h" #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/listen_socket_impl.h" +#include "source/common/network/socket_interface.h" #include "source/common/network/socket_option_factory.h" #include "source/common/network/utility.h" #include "source/common/protobuf/utility.h" @@ -316,6 +317,22 @@ absl::StatusOr ProdListenerComponentFactory::createLis ASSERT(socket_type == Network::Socket::Type::Stream || socket_type == Network::Socket::Type::Datagram); + // Use the address's socket interface for socket creation. + const Network::SocketInterface& socket_interface = address->socketInterface(); + const Network::SocketInterface& default_interface = Network::SocketInterfaceSingleton::get(); + + // Check if this address specifies a custom socket interface. + if (&socket_interface != &default_interface) { + ENVOY_LOG(debug, "creating socket using custom interface for address: {}", + address->logicalName()); + auto io_handle = socket_interface.socket(socket_type, address, creation_options); + if (!io_handle) { + return absl::InvalidArgumentError("failed to create socket using custom interface"); + } + return std::make_shared(std::move(io_handle), address, options); + } + + // Continue with standard socket creation for addresses using the default interface. // First we try to get the socket from our parent if applicable in each case below. if (address->type() == Network::Address::Type::Pipe) { if (socket_type != Network::Socket::Type::Stream) { @@ -401,6 +418,7 @@ ListenerManagerImpl::ListenerManagerImpl(Instance& server, for (uint32_t i = 0; i < server.options().concurrency(); i++) { workers_.emplace_back(worker_factory.createWorker( i, server.overloadManager(), server.nullOverloadManager(), absl::StrCat("worker_", i))); + ENVOY_LOG(debug, "starting worker: {}", i); } } diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index df7d31e64c9de..f99806c67c91f 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -8242,6 +8242,228 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, EmptyConnectionBalanceConfig) { #endif } +// Test mock socket interface for custom address testing. +class TestCustomSocketInterface : public Network::SocketInterfaceBase { +public: + TestCustomSocketInterface() = default; + + // Network::SocketInterface + Network::IoHandlePtr socket(Network::Socket::Type socket_type, Network::Address::Type addr_type, + Network::Address::IpVersion version, bool socket_v6only, + const Network::SocketCreationOptions& options) const override { + UNREFERENCED_PARAMETER(socket_v6only); + UNREFERENCED_PARAMETER(options); + // Create a regular socket for testing + if (socket_type == Network::Socket::Type::Stream && addr_type == Network::Address::Type::Ip) { + int domain = (version == Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + int sock_fd = ::socket(domain, SOCK_STREAM, 0); + if (sock_fd == -1) { + return nullptr; + } + was_called_ = true; + return std::make_unique(sock_fd); + } + return nullptr; + } + + Network::IoHandlePtr socket(Network::Socket::Type socket_type, + const Network::Address::InstanceConstSharedPtr addr, + const Network::SocketCreationOptions& options) const override { + // Delegate to the other socket method + return socket(socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Network::Address::IpVersion::v4, false, + options); + } + + bool ipFamilySupported(int domain) override { return domain == AF_INET || domain == AF_INET6; } + + // Server::Configuration::BootstrapExtensionFactory + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override { + UNREFERENCED_PARAMETER(config); + UNREFERENCED_PARAMETER(context); + return nullptr; // Not used in test + } + + ProtobufTypes::MessagePtr createEmptyConfigProto() override { + return nullptr; // Not used in test + } + + std::string name() const override { return "test.custom.socket.interface"; } + + // Test helper + bool wasCalled() const { return was_called_; } + void resetCalled() { was_called_ = false; } + +private: + mutable bool was_called_{false}; +}; + +// Test address that returns a custom socket interface +class TestCustomAddress : public Network::Address::Instance { +public: + TestCustomAddress(const Network::SocketInterface& custom_interface) + : address_string_("127.0.0.1:0"), logical_name_("custom://test-address"), + custom_interface_(custom_interface), + ipv4_instance_(std::make_shared("127.0.0.1", 0)) {} + + // Network::Address::Instance + bool operator==(const Instance& rhs) const override { return address_string_ == rhs.asString(); } + Network::Address::Type type() const override { return Network::Address::Type::Ip; } + const std::string& asString() const override { return address_string_; } + absl::string_view asStringView() const override { return address_string_; } + const std::string& logicalName() const override { return logical_name_; } + const Network::Address::Ip* ip() const override { return ipv4_instance_->ip(); } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } + absl::optional networkNamespace() const override { return absl::nullopt; } + const sockaddr* sockAddr() const override { return ipv4_instance_->sockAddr(); } + socklen_t sockAddrLen() const override { return ipv4_instance_->sockAddrLen(); } + absl::string_view addressType() const override { return "test_custom"; } + + // Return the custom socket interface + const Network::SocketInterface& socketInterface() const override { return custom_interface_; } + +private: + std::string address_string_; + std::string logical_name_; + const Network::SocketInterface& custom_interface_; + Network::Address::InstanceConstSharedPtr ipv4_instance_; +}; + +// Test address that returns the default socket interface +class TestDefaultAddress : public Network::Address::Instance { +public: + TestDefaultAddress() + : address_string_("127.0.0.1:0"), logical_name_("default://test-address"), + ipv4_instance_(std::make_shared("127.0.0.1", 0)) {} + + // Network::Address::Instance + bool operator==(const Instance& rhs) const override { return address_string_ == rhs.asString(); } + Network::Address::Type type() const override { return Network::Address::Type::Ip; } + const std::string& asString() const override { return address_string_; } + absl::string_view asStringView() const override { return address_string_; } + const std::string& logicalName() const override { return logical_name_; } + const Network::Address::Ip* ip() const override { return ipv4_instance_->ip(); } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } + absl::optional networkNamespace() const override { return absl::nullopt; } + const sockaddr* sockAddr() const override { return ipv4_instance_->sockAddr(); } + socklen_t sockAddrLen() const override { return ipv4_instance_->sockAddrLen(); } + absl::string_view addressType() const override { return "test_default"; } + + // Return the default socket interface + const Network::SocketInterface& socketInterface() const override { + return Network::SocketInterfaceSingleton::get(); + } + +private: + std::string address_string_; + std::string logical_name_; + Network::Address::InstanceConstSharedPtr ipv4_instance_; +}; + +TEST_P(ListenerManagerImplTest, CustomSocketInterfaceIsUsedWhenAddressSpecifiesIt) { + auto custom_interface = std::make_unique(); + TestCustomSocketInterface* custom_interface_ptr = custom_interface.get(); + + auto custom_address = std::make_shared(*custom_interface); + + // Create listener factory to test the implementation + ProdListenerComponentFactory real_listener_factory(server_); + + Network::Socket::OptionsSharedPtr options = nullptr; + Network::SocketCreationOptions creation_options; + + // Verify that the custom address returns the custom interface + EXPECT_NE(&custom_address->socketInterface(), &Network::SocketInterfaceSingleton::get()); + + // The listener factory should use the custom socket interface + auto socket_result = real_listener_factory.createListenSocket( + custom_address, Network::Socket::Type::Stream, options, + ListenerComponentFactory::BindType::NoBind, creation_options, 0 /* worker_index */); + + // The socket creation should succeed + EXPECT_TRUE(socket_result.ok()); + if (socket_result.ok()) { + auto socket = socket_result.value(); + EXPECT_NE(socket, nullptr); + // Verify the socket was created with the expected address + EXPECT_EQ(socket->connectionInfoProvider().localAddress()->logicalName(), + custom_address->logicalName()); + } + + // Verify the custom interface was actually called + EXPECT_TRUE(custom_interface_ptr->wasCalled()); +} + +TEST_P(ListenerManagerImplTest, DefaultSocketInterfaceIsUsedWhenAddressUsesDefault) { + auto default_address = std::make_shared(); + + // Create listener factory to test the implementation + ProdListenerComponentFactory real_listener_factory(server_); + + Network::Socket::OptionsSharedPtr options = nullptr; + Network::SocketCreationOptions creation_options; + + // Verify that the default address returns the default interface + EXPECT_EQ(&default_address->socketInterface(), &Network::SocketInterfaceSingleton::get()); + + // The listener factory should use the standard socket creation path + auto socket_result = real_listener_factory.createListenSocket( + default_address, Network::Socket::Type::Stream, options, + ListenerComponentFactory::BindType::NoBind, creation_options, 0 /* worker_index */); + + // The socket creation should succeed + EXPECT_TRUE(socket_result.ok()); + if (socket_result.ok()) { + auto socket = socket_result.value(); + EXPECT_NE(socket, nullptr); + // Verify the socket was created with the expected address + EXPECT_EQ(socket->connectionInfoProvider().localAddress()->logicalName(), + default_address->logicalName()); + } +} + +TEST_P(ListenerManagerImplTest, CustomSocketInterfaceFailureIsHandledGracefully) { + // Create a failing custom socket interface + class FailingCustomSocketInterface : public TestCustomSocketInterface { + public: + Network::IoHandlePtr socket(Network::Socket::Type socket_type, + const Network::Address::InstanceConstSharedPtr addr, + const Network::SocketCreationOptions& options) const override { + UNREFERENCED_PARAMETER(socket_type); + UNREFERENCED_PARAMETER(addr); + UNREFERENCED_PARAMETER(options); + // Always return nullptr to simulate failure + return nullptr; + } + }; + + auto failing_interface = std::make_unique(); + auto custom_address = std::make_shared(*failing_interface); + + // Create listener factory to test the implementation + ProdListenerComponentFactory real_listener_factory(server_); + + Network::Socket::OptionsSharedPtr options = nullptr; + Network::SocketCreationOptions creation_options; + + // The listener factory should handle the failure gracefully + auto socket_result = real_listener_factory.createListenSocket( + custom_address, Network::Socket::Type::Stream, options, + ListenerComponentFactory::BindType::NoBind, creation_options, 0 /* worker_index */); + + // The socket creation should fail with the expected error + EXPECT_FALSE(socket_result.ok()); + EXPECT_EQ(socket_result.status().message(), "failed to create socket using custom interface"); +} + INSTANTIATE_TEST_SUITE_P(Matcher, ListenerManagerImplTest, ::testing::Values(false)); INSTANTIATE_TEST_SUITE_P(Matcher, ListenerManagerImplWithRealFiltersTest, ::testing::Values(false, true)); diff --git a/test/mocks/network/mocks.h b/test/mocks/network/mocks.h index 3674c6fe3a4e7..e0b8287a8edc9 100644 --- a/test/mocks/network/mocks.h +++ b/test/mocks/network/mocks.h @@ -273,6 +273,7 @@ class MockListenerFilter : public ListenerFilter { MOCK_METHOD(void, destroy_, ()); MOCK_METHOD(Network::FilterStatus, onAccept, (ListenerFilterCallbacks&)); MOCK_METHOD(Network::FilterStatus, onData, (Network::ListenerFilterBuffer&)); + MOCK_METHOD(void, onClose, ()); size_t listener_filter_max_read_bytes_{0}; }; From 140a56078fb5ee51e75e100b21a6860cbb059291 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 21 Jul 2025 07:28:40 +0000 Subject: [PATCH 024/505] Nits for formatting errors Signed-off-by: Basundhara Chakrabarty --- .../bootstrap/reverse_tunnel/reverse_connection_utility.h | 1 - .../bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h | 8 ++++---- tools/spelling/spelling_dictionary.txt | 3 ++- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h index 633ab939dabcd..286454693cd5a 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h @@ -85,7 +85,6 @@ class ReverseConnectionUtility : public Logger::Loggable static bool extractPingFromHttpData(absl::string_view http_data); private: - // Make this utility class non-instantiable like other Envoy utilities ReverseConnectionUtility() = delete; }; diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h index 62f22d63a5719..feb6c868100b8 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h @@ -408,17 +408,17 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, Random::RandomGeneratorPtr random_generator_; // Map of node IDs to connection sockets, stored on the accepting(remote) envoy. - std::unordered_map> + absl::flat_hash_map> accepted_reverse_connections_; // Map from file descriptor to node ID - std::unordered_map fd_to_node_map_; + absl::flat_hash_map fd_to_node_map_; // Map of node ID to the corresponding cluster it belongs to. - std::unordered_map node_to_cluster_map_; + absl::flat_hash_map node_to_cluster_map_; // Map of cluster IDs to list of node IDs - std::unordered_map> cluster_to_node_map_; + absl::flat_hash_map> cluster_to_node_map_; // File events and timers for ping functionality absl::flat_hash_map fd_to_event_map_; diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 4d9fa4cf18fc6..fc814fe3f58f9 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -5,6 +5,7 @@ ABI ACK ACL +ACCEPTOR AES AJAX AllMuxes @@ -1570,4 +1571,4 @@ NAT NXDOMAIN DNAT RSP -EWMA +EWMA \ No newline at end of file From c50a39bf077645d4a91fed5d08e596e0facf1153 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 21 Jul 2025 19:51:23 +0000 Subject: [PATCH 025/505] Rename test file, use getIoSocketEagainError() in test Signed-off-by: Basundhara Chakrabarty --- .../reverse_tunnel/reverse_tunnel_acceptor.cc | 2 +- .../extensions/bootstrap/reverse_tunnel/BUILD | 4 +- ...est.cc => reverse_tunnel_acceptor_test.cc} | 42 ++++++++++--------- 3 files changed, 25 insertions(+), 23 deletions(-) rename test/extensions/bootstrap/reverse_tunnel/{reverse_tunnel_acceptor_extension_test.cc => reverse_tunnel_acceptor_test.cc} (98%) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc index 9283d03f7dec1..25a838111b4d1 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc @@ -185,7 +185,7 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension::getLocalRegistry()"); if (!tls_slot_) { - ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); + ENVOY_LOG(warn, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); return nullptr; } diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index ef3735fb680f5..f0480ca27dbff 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -12,9 +12,9 @@ licenses(["notice"]) # Apache 2 envoy_package() envoy_extension_cc_test( - name = "reverse_tunnel_acceptor_extension_test", + name = "reverse_tunnel_acceptor_test", size = "large", - srcs = ["reverse_tunnel_acceptor_extension_test.cc"], + srcs = ["reverse_tunnel_acceptor_test.cc"], extension_names = ["envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"], deps = [ "//source/common/network:socket_interface_lib", diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc similarity index 98% rename from test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc rename to test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc index 353291a5ec609..2131a3c23bce9 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_extension_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc @@ -976,18 +976,18 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { auto* mock_io_handle2 = dynamic_cast*>(&sockets.back()->ioHandle()); EXPECT_CALL(*mock_io_handle1, write(_)) - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)}; - })); + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; + })); EXPECT_CALL(*mock_io_handle2, write(_)) - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)}; - })); - + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; + })); + // Manually call pingConnections to test the functionality socket_manager_->pingConnections(node_id); @@ -1024,13 +1024,14 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; })); EXPECT_CALL(*mock_io_handle2, write(_)) - .Times(1) // Called once - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)}; // Second socket succeeds - })); - + .Times(1) // Called once + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{ + 0, Network::IoSocketError::getIoSocketEagainError()}; // Second socket succeeds + })); + // Manually call pingConnections to test the functionality socket_manager_->pingConnections(node_id); @@ -1106,8 +1107,9 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { // Mock read error EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce(Return(Api::IoCallUint64Result{0, Network::IoSocketError::create(EAGAIN)})); - + .WillOnce( + Return(Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()})); + // Call onPingResponse - should mark socket dead due to read error socket_manager_->onPingResponse(*mock_io_handle); From 7dc789e219e3b3c063e35fac1ea0c9b72a405ddc Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 22 Jul 2025 00:21:14 +0000 Subject: [PATCH 026/505] format api Signed-off-by: Basundhara Chakrabarty --- .../bootstrap/reverse_connection_socket_interface/v3/BUILD | 4 +--- .../v3/upstream_reverse_connection_socket_interface.proto | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD index b514f18ab81a3..29ebf0741406e 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD @@ -5,7 +5,5 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = [ - "@com_github_cncf_xds//udpa/annotations:pkg", - ], + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], ) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index 8d650f2e8efed..b86c1d49f110a 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -10,7 +10,6 @@ option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3;reverse_connection_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (udpa.annotations.file_status).work_in_progress = true; // [#protodoc-title: Bootstrap settings for Upstream Reverse Connection Socket Interface] // [#extension: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface] @@ -19,4 +18,4 @@ option (udpa.annotations.file_status).work_in_progress = true; message UpstreamReverseConnectionSocketInterface { // Stat prefix to be used for upstream reverse connection socket interface stats. string stat_prefix = 1; -} \ No newline at end of file +} From 4f6163953639e33b78ace06747b9a3925f662025 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 22 Jul 2025 00:22:01 +0000 Subject: [PATCH 027/505] fixes in reverse conn utility and add unit tests Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection_utility.cc | 15 +- .../extensions/bootstrap/reverse_tunnel/BUILD | 16 +- .../reverse_connection_utility_test.cc | 236 ++++++++++++++++++ 3 files changed, 254 insertions(+), 13 deletions(-) create mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc index 2b2772895be96..572dde306bbe4 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc @@ -13,18 +13,9 @@ bool ReverseConnectionUtility::isPingMessage(absl::string_view data) { return false; } - // Check for exact RPING match (raw) - if (data.length() >= PING_MESSAGE.length() && - !memcmp(data.data(), PING_MESSAGE.data(), PING_MESSAGE.length())) { - return true; - } - - // Check for HTTP-embedded RPING - if (data.find(PING_MESSAGE) != absl::string_view::npos) { - return true; - } - - return false; + // Check for exact RPING match + return (data.length() == PING_MESSAGE.length() && + !memcmp(data.data(), PING_MESSAGE.data(), PING_MESSAGE.length())); } Buffer::InstancePtr ReverseConnectionUtility::createPingResponse() { diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index f0480ca27dbff..b23fec5f051c1 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -1,5 +1,6 @@ load( "//bazel:envoy_build_system.bzl", + "envoy_cc_test", "envoy_package", ) load( @@ -25,4 +26,17 @@ envoy_extension_cc_test( "//test/mocks/thread_local:thread_local_mocks", "//test/test_common:test_runtime_lib", ], -) \ No newline at end of file +) + +envoy_cc_test( + name = "reverse_connection_utility_test", + size = "medium", + srcs = ["reverse_connection_utility_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/network:connection_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_utility_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc new file mode 100644 index 0000000000000..1f961997fc5ec --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc @@ -0,0 +1,236 @@ +#include "source/common/buffer/buffer_impl.h" +#include "source/common/network/connection_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" + +#include "test/mocks/network/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionUtilityTest : public testing::Test { +protected: + ReverseConnectionUtilityTest() = default; +}; + +// Test isPingMessage functionality +TEST_F(ReverseConnectionUtilityTest, IsPingMessageEmptyData) { + // Test with empty data + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage(absl::string_view())); +} + +TEST_F(ReverseConnectionUtilityTest, IsPingMessageExactMatch) { + // Test with exact RPING match + EXPECT_TRUE(ReverseConnectionUtility::isPingMessage("RPING")); + EXPECT_TRUE(ReverseConnectionUtility::isPingMessage(absl::string_view("RPING"))); +} + +TEST_F(ReverseConnectionUtilityTest, IsPingMessageInvalidData) { + // Test with non-RPING data. isPingMessage should return false for these cases. + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("PING")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("RPIN")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("RPINGG")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("Hello World")); +} + +// Test createPingResponse functionality +TEST_F(ReverseConnectionUtilityTest, CreatePingResponse) { + auto ping_buffer = ReverseConnectionUtility::createPingResponse(); + + EXPECT_NE(ping_buffer, nullptr); + EXPECT_EQ(ping_buffer->toString(), "RPING"); + EXPECT_EQ(ping_buffer->length(), 5); +} + +// Test sendPingResponse with Connection +TEST_F(ReverseConnectionUtilityTest, SendPingResponseConnection) { + auto connection = std::make_unique>(); + + // Set up mock expectations + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::sendPingResponse(*connection); + + EXPECT_TRUE(result); +} + +// Test sendPingResponse with IoHandle +TEST_F(ReverseConnectionUtilityTest, SendPingResponseIoHandleSuccess) { + auto io_handle = std::make_unique>(); + + EXPECT_CALL(*io_handle, write(_)) + .WillOnce(Return(Api::IoCallUint64Result{5, Api::IoError::none()})); + + Api::IoCallUint64Result result = ReverseConnectionUtility::sendPingResponse(*io_handle); + + EXPECT_TRUE(result.ok()); + EXPECT_EQ(result.return_value_, 5); + EXPECT_EQ(result.err_, nullptr); +} + +TEST_F(ReverseConnectionUtilityTest, SendPingResponseIoHandleFailure) { + auto io_handle = std::make_unique>(); + + // Set up mock expectations for failed write + EXPECT_CALL(*io_handle, write(_)) + .WillOnce(Return(Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)})); + + Api::IoCallUint64Result result = ReverseConnectionUtility::sendPingResponse(*io_handle); + + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.return_value_, 0); + EXPECT_NE(result.err_, nullptr); +} + +// Test handlePingMessage functionality +TEST_F(ReverseConnectionUtilityTest, HandlePingMessageValidPing) { + auto connection = std::make_unique>(); + + // should call sendPingResponse and return true since it is a valid RPING message + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::handlePingMessage("RPING", *connection); + + EXPECT_TRUE(result); +} + +TEST_F(ReverseConnectionUtilityTest, HandlePingMessageInvalidData) { + auto connection = std::make_unique>(); + + // Should not call sendPingResponse for invalid data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::handlePingMessage("INVALID", *connection); + + EXPECT_FALSE(result); +} + +TEST_F(ReverseConnectionUtilityTest, HandlePingMessageEmptyData) { + auto connection = std::make_unique>(); + + // Should not call sendPingResponse for empty data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::handlePingMessage("", *connection); + + EXPECT_FALSE(result); +} + +// Test extractPingFromHttpData functionality +TEST_F(ReverseConnectionUtilityTest, ExtractPingFromHttpDataValid) { + // Test with RPING in HTTP response body + EXPECT_TRUE(ReverseConnectionUtility::extractPingFromHttpData("HTTP/1.1 200 OK\r\n\r\nRPING")); + EXPECT_TRUE(ReverseConnectionUtility::extractPingFromHttpData( + "GET /ping HTTP/1.1\r\nHost: example.com\r\n\r\nRPING")); + EXPECT_TRUE(ReverseConnectionUtility::extractPingFromHttpData( + "POST /data HTTP/1.1\r\nContent-Length: 5\r\n\r\nRPING")); +} + +TEST_F(ReverseConnectionUtilityTest, ExtractPingFromHttpDataInvalid) { + // Test with no RPING in HTTP data + EXPECT_FALSE(ReverseConnectionUtility::extractPingFromHttpData("HTTP/1.1 200 OK\r\n\r\nHello")); + EXPECT_FALSE(ReverseConnectionUtility::extractPingFromHttpData( + "GET /ping HTTP/1.1\r\nHost: example.com\r\n\r\nPING")); + EXPECT_FALSE(ReverseConnectionUtility::extractPingFromHttpData("")); +} + +// Test ReverseConnectionMessageHandlerFactory functionality +TEST_F(ReverseConnectionUtilityTest, CreatePingHandler) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + + EXPECT_NE(handler, nullptr); + EXPECT_EQ(handler->getPingCount(), 0); +} + +// Test PingMessageHandler functionality +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessValidPing) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = handler->processPingMessage("RPING", *connection); + + EXPECT_TRUE(result); + EXPECT_EQ(handler->getPingCount(), 1); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessInvalidPing) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations - should not call write for invalid data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = handler->processPingMessage("INVALID", *connection); + + EXPECT_FALSE(result); + EXPECT_EQ(handler->getPingCount(), 0); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessMultiplePings) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations for multiple writes + EXPECT_CALL(*connection, write(_, false)).Times(3); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + // Process multiple valid pings + EXPECT_TRUE(handler->processPingMessage("RPING", *connection)); + EXPECT_TRUE(handler->processPingMessage("RPING", *connection)); + EXPECT_TRUE(handler->processPingMessage("RPING", *connection)); + + EXPECT_EQ(handler->getPingCount(), 3); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessEmptyPing) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations - should not call write for empty data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = handler->processPingMessage("", *connection); + + EXPECT_FALSE(result); + EXPECT_EQ(handler->getPingCount(), 0); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerGetPingCount) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + + // Initially should be 0 + EXPECT_EQ(handler->getPingCount(), 0); + + // After processing a ping, should be 1 + auto connection = std::make_unique>(); + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + handler->processPingMessage("RPING", *connection); + EXPECT_EQ(handler->getPingCount(), 1); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy From 94d03f0981e67f2a65544ff1569a0aa0fe8eb650 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Mon, 21 Jul 2025 18:23:58 -0700 Subject: [PATCH 028/505] Make BackwardsTrace::addrMapping a string_view type (#40331) Commit Message: Make BackwardsTrace::addrMapping a string_view type Additional Description: This makes it so in the event of it being triggered in a tsan context without having been initialized, it still doesn't malloc anything - it is a tsan error to malloc during a signal. Risk Level: Only crash-related so pretty safe. --------- Signed-off-by: Raven Black --- source/server/backtrace.cc | 10 ++++++---- source/server/backtrace.h | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/source/server/backtrace.cc b/source/server/backtrace.cc index 7a1254c1f8b6c..b21d9a0411264 100644 --- a/source/server/backtrace.cc +++ b/source/server/backtrace.cc @@ -8,8 +8,8 @@ namespace Envoy { bool BackwardsTrace::log_to_stderr_ = false; -const std::string& BackwardsTrace::addrMapping(bool setup) { - CONSTRUCT_ON_FIRST_USE(std::string, [setup]() -> std::string { +absl::string_view BackwardsTrace::addrMapping(bool setup) { + static absl::string_view value = [setup]() -> absl::string_view { if (!setup) { return ""; } @@ -23,12 +23,14 @@ const std::string& BackwardsTrace::addrMapping(bool setup) { while (std::getline(maps, line)) { std::vector parts = absl::StrSplit(line, ' '); if (parts[1] == "r-xp") { - return absl::StrCat(parts[0], " ", parts.back()); + static std::string result = absl::StrCat(parts[0], " ", parts.back()); + return result; } } #endif return ""; - }()); + }(); + return value; } void BackwardsTrace::setLogToStderr(bool log_to_stderr) { log_to_stderr_ = log_to_stderr; } diff --git a/source/server/backtrace.h b/source/server/backtrace.h index fcd41f59df80c..b8c27cf8b00db 100644 --- a/source/server/backtrace.h +++ b/source/server/backtrace.h @@ -58,7 +58,7 @@ class BackwardsTrace : Logger::Loggable { * e.g. * `7d34c0e28000-7d34c1e0d000 /build/foo/bar/source/exe/envoy-static` */ - static const std::string& addrMapping(bool setup = false); + static absl::string_view addrMapping(bool setup = false); /** * Directs the output of logTrace() to directly stderr rather than the From f2006890d395f9329264199c3a91cb46b8663677 Mon Sep 17 00:00:00 2001 From: danzh Date: Mon, 21 Jul 2025 22:12:29 -0400 Subject: [PATCH 029/505] mobile: simplify ConnectivityManager interface (#40329) Commit Message: decouple `DnsCache::UpdateCallbacks` and `ConnectivityManager` interface. Extract `DnsCache::UpdateCallbacks` implementation from `ConnectivityManagerImpl` into a stand-alone class `RefreshDnsWithPostDrainHandler` which is created and owned by `ConnectivityManagerImpl`. Also remove `clusterManager()` and `getUpstreamSocketOptions()` from `ConnectivityManager` interface. The caller of `clusterManager()` has other way to access the global cluster manager. `getUpstreamSocketOptions()` is only called inside of `ConnectivityManagerImpl`. Additional Description: a few refactories: Refactor `InternalEngine::handleNetworkChange()`; Rename `NetworkState` to `DefaultNetworkState` and move its member `mutex_` from the struct to its parent `ConnectivityManagerImpl` to guard the entire network_state_ and possibly more states of non-default networks in the future. Risk Level: low Testing: existing tests passed Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- mobile/library/common/internal_engine.cc | 31 +++--- .../common/network/connectivity_manager.cc | 101 ++++++++++-------- .../common/network/connectivity_manager.h | 84 ++++++++------- .../network/connectivity_manager_test.cc | 24 +++-- 4 files changed, 136 insertions(+), 104 deletions(-) diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index 75f09af7bff12..c59f636e2b442 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -415,26 +415,29 @@ void InternalEngine::handleNetworkChange(const int network_type, const bool has_ } Http::HttpServerPropertiesCacheManager& cache_manager = server_->httpServerPropertiesCacheManager(); - - Http::HttpServerPropertiesCacheManager::CacheFn clear_brokenness = - [](Http::HttpServerPropertiesCache& cache) { cache.resetBrokenness(); }; - cache_manager.forEachThreadLocalCache(clear_brokenness); if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.quic_no_tcp_delay")) { - Http::HttpServerPropertiesCacheManager& cache_manager = - server_->httpServerPropertiesCacheManager(); - + // Reset HTTP/3 status for all origins. Http::HttpServerPropertiesCacheManager::CacheFn reset_status = [](Http::HttpServerPropertiesCache& cache) { cache.resetStatus(); }; cache_manager.forEachThreadLocalCache(reset_status); + } else { + // Reset HTTP/3 status only for origins marked as broken. + Http::HttpServerPropertiesCacheManager::CacheFn clear_brokenness = + [](Http::HttpServerPropertiesCache& cache) { cache.resetBrokenness(); }; + cache_manager.forEachThreadLocalCache(clear_brokenness); } - if (!disable_dns_refresh_on_network_change_) { - connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); - } else if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.drain_pools_on_network_change")) { - ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); - connectivity_manager_->clusterManager().drainConnections( - [](const Upstream::Host&) { return true; }); + + if (disable_dns_refresh_on_network_change_) { + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.drain_pools_on_network_change")) { + // Since DNS refreshing is disabled, explicitly drain all connections. + ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); + getClusterManager().drainConnections([](const Upstream::Host&) { return true; }); + } + return; } + // Refresh DNS upon network changes. + // This call will possibly drain all connections asynchronously. + connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); } envoy_status_t InternalEngine::recordCounterInc(absl::string_view elements, envoy_stats_tags tags, diff --git a/mobile/library/common/network/connectivity_manager.cc b/mobile/library/common/network/connectivity_manager.cc index 9e1d6e30260be..02091ac65b9cd 100644 --- a/mobile/library/common/network/connectivity_manager.cc +++ b/mobile/library/common/network/connectivity_manager.cc @@ -2,6 +2,8 @@ #include +#include + #include "envoy/common/platform.h" #include "source/common/api/os_sys_calls_impl.h" @@ -79,11 +81,13 @@ constexpr unsigned int InitialFaultThreshold = 1; // L7 bytes) before switching socket mode. constexpr unsigned int MaxFaultThreshold = 3; -ConnectivityManagerImpl::NetworkState ConnectivityManagerImpl::network_state_{ - 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode, Thread::MutexBasicLockable{}}; +ConnectivityManagerImpl::DefaultNetworkState ConnectivityManagerImpl::network_state_{ + 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; + +Thread::MutexBasicLockable ConnectivityManagerImpl::network_mutex_{}; envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; // TODO(goaway): Re-enable this guard. There's some concern that this will miss network updates // moving from offline to online states. We should address this then re-enable this guard to @@ -120,17 +124,17 @@ void ConnectivityManagerImpl::setProxySettings(ProxySettingsConstSharedPtr new_p ProxySettingsConstSharedPtr ConnectivityManagerImpl::getProxySettings() { return proxy_settings_; } int ConnectivityManagerImpl::getPreferredNetwork() { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; return network_state_.network_; } SocketMode ConnectivityManagerImpl::getSocketMode() { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; return network_state_.socket_mode_; } envoy_netconf_t ConnectivityManagerImpl::getConfigurationKey() { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; return network_state_.configuration_key_; } @@ -152,7 +156,7 @@ void ConnectivityManagerImpl::reportNetworkUsage(envoy_netconf_t configuration_k bool configuration_updated = false; { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; // If the configuration_key isn't current, don't do anything. if (configuration_key != network_state_.configuration_key_) { @@ -200,40 +204,55 @@ void ConnectivityManagerImpl::reportNetworkUsage(envoy_netconf_t configuration_k } } -void ConnectivityManagerImpl::onDnsResolutionComplete( +void RefreshDnsWithPostDrainHandler::refreshDnsAndDrainHosts() { + Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dns_cache = + dns_cache_manager_->lookUpCacheByName(BaseDnsCache); + if (!dns_cache) { + // There may not be a DNS cache during initialization, but if one is available, it should always + // exist by the time this handler is instantiated from the NetworkConfigurationFilter. + ENVOY_LOG_EVENT(warn, "netconf_dns_cache_missing", "{}", std::string(BaseDnsCache)); + return; + } + if (dns_callbacks_handle_ == nullptr) { + // Register callbacks once, on demand, using the handler as a sentinel. + dns_callbacks_handle_ = dns_cache->addUpdateCallbacks(*this); + } + dns_cache->iterateHostMap( + [&](absl::string_view host, + const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&) { + hosts_to_drain_.emplace(host); + }); + + dns_cache->forceRefreshHosts(); +} + +void RefreshDnsWithPostDrainHandler::onDnsResolutionComplete( const std::string& resolved_host, const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&, Network::DnsResolver::ResolutionStatus) { - if (enable_drain_post_dns_refresh_) { - // Check if the set of hosts pending drain contains the current resolved host. - if (hosts_to_drain_.erase(resolved_host) == 0) { - return; - } + // Check if the set of hosts pending drain contains the current resolved host. + if (hosts_to_drain_.erase(resolved_host) == 0) { + return; + } - // We ignore whether DNS resolution has succeeded here. If it failed, we may be offline and - // should probably drain connections. If it succeeds, we may have new DNS entries and so we - // drain connections. It may be possible to refine this logic in the future. - // TODO(goaway): check the set of cached hosts from the last triggered DNS refresh for this - // host, and if present, remove it and trigger connection drain for this host specifically. - ENVOY_LOG_EVENT(debug, "netconf_post_dns_drain_cx", "{}", resolved_host); + // We ignore whether DNS resolution has succeeded here. If it failed, we may be offline and + // should probably drain connections. If it succeeds, we may have new DNS entries and so we + // drain connections. It may be possible to refine this logic in the future. + // TODO(goaway): check the set of cached hosts from the last triggered DNS refresh for this + // host, and if present, remove it and trigger connection drain for this host specifically. + ENVOY_LOG_EVENT(debug, "netconf_post_dns_drain_cx", "{}", resolved_host); - // Pass predicate to only drain connections to the resolved host (for any cluster). - cluster_manager_.drainConnections( - [resolved_host](const Upstream::Host& host) { return host.hostname() == resolved_host; }); - } + // Pass predicate to only drain connections to the resolved host (for any cluster). + cluster_manager_.drainConnections( + [resolved_host](const Upstream::Host& host) { return host.hostname() == resolved_host; }); } void ConnectivityManagerImpl::setDrainPostDnsRefreshEnabled(bool enabled) { - enable_drain_post_dns_refresh_ = enabled; if (!enabled) { - hosts_to_drain_.clear(); - } else if (!dns_callbacks_handle_) { - // Register callbacks once, on demand, using the handle as a sentinel. There may not be - // a DNS cache during initialization, but if one is available, it should always exist by the - // time this function is called from the NetworkConfigurationFilter. - if (auto dns_cache = dnsCache()) { - dns_callbacks_handle_ = dns_cache->addUpdateCallbacks(*this); - } + dns_refresh_handler_ = nullptr; + } else if (!dns_refresh_handler_) { + dns_refresh_handler_ = + std::make_unique(dns_cache_manager_, cluster_manager_); } } @@ -244,7 +263,7 @@ void ConnectivityManagerImpl::setInterfaceBindingEnabled(bool enabled) { void ConnectivityManagerImpl::refreshDns(envoy_netconf_t configuration_key, bool drain_connections) { { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; // refreshDns must be queued on Envoy's event loop, whereas network_state_ is updated // synchronously. In the event that multiple refreshes become queued on the event loop, @@ -260,15 +279,11 @@ void ConnectivityManagerImpl::refreshDns(envoy_netconf_t configuration_key, if (auto dns_cache = dnsCache()) { ENVOY_LOG_EVENT(debug, "netconf_refresh_dns", "{}", std::to_string(configuration_key)); - if (drain_connections && enable_drain_post_dns_refresh_) { - dns_cache->iterateHostMap( - [&](absl::string_view host, - const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&) { - hosts_to_drain_.emplace(host); - }); + if (drain_connections && (dns_refresh_handler_ != nullptr)) { + dns_refresh_handler_->refreshDnsAndDrainHosts(); + } else { + dns_cache->forceRefreshHosts(); } - - dns_cache->forceRefreshHosts(); } } @@ -283,7 +298,7 @@ Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr ConnectivityManagerIm void ConnectivityManagerImpl::resetConnectivityState() { envoy_netconf_t configuration_key; { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; network_state_.network_ = 0; network_state_.remaining_faults_ = 1; network_state_.socket_mode_ = SocketMode::DefaultPreferredNetworkMode; @@ -359,7 +374,7 @@ ConnectivityManagerImpl::addUpstreamSocketOptions(Socket::OptionsSharedPtr optio SocketMode socket_mode; { - Thread::LockGuard lock{network_state_.mutex_}; + Thread::LockGuard lock{network_mutex_}; configuration_key = network_state_.configuration_key_; network = network_state_.network_; socket_mode = network_state_.socket_mode_; diff --git a/mobile/library/common/network/connectivity_manager.h b/mobile/library/common/network/connectivity_manager.h index c6e8074134190..43da8e0466990 100644 --- a/mobile/library/common/network/connectivity_manager.h +++ b/mobile/library/common/network/connectivity_manager.h @@ -78,8 +78,7 @@ using InterfacePair = std::pair { +public: + RefreshDnsWithPostDrainHandler(DnsCacheManagerSharedPtr dns_cache_manager, + Upstream::ClusterManager& cluster_manager) + : dns_cache_manager_(std::move(dns_cache_manager)), cluster_manager_(cluster_manager) {} + + // Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks + absl::Status onDnsHostAddOrUpdate( + const std::string& /*host*/, + const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&) override { + return absl::OkStatus(); + } + void onDnsHostRemove(const std::string& /*host*/) override {} + void onDnsResolutionComplete(const std::string& /*host*/, + const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&, + Network::DnsResolver::ResolutionStatus) override; + + // Refresh DNS and drain all hosts upon completion. + // No-op if the default DNS cache in base configuration is not available. + void refreshDnsAndDrainHosts(); + +private: + DnsCacheManagerSharedPtr dns_cache_manager_; + Upstream::ClusterManager& cluster_manager_; + absl::flat_hash_set hosts_to_drain_; + Extensions::Common::DynamicForwardProxy::DnsCache::AddUpdateCallbacksHandlePtr + dns_callbacks_handle_; }; class ConnectivityManagerImpl : public ConnectivityManager, @@ -210,17 +233,6 @@ class ConnectivityManagerImpl : public ConnectivityManager, DnsCacheManagerSharedPtr dns_cache_manager) : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) {} - // Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks - absl::Status onDnsHostAddOrUpdate( - const std::string& /*host*/, - const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&) override { - return absl::OkStatus(); - } - void onDnsHostRemove(const std::string& /*host*/) override {} - void onDnsResolutionComplete(const std::string& /*host*/, - const Extensions::Common::DynamicForwardProxy::DnsHostInfoSharedPtr&, - Network::DnsResolver::ResolutionStatus) override; - // ConnectivityManager std::vector enumerateV4Interfaces() override; std::vector enumerateV6Interfaces() override; @@ -236,33 +248,31 @@ class ConnectivityManagerImpl : public ConnectivityManager, void setInterfaceBindingEnabled(bool enabled) override; void refreshDns(envoy_netconf_t configuration_key, bool drain_connections) override; void resetConnectivityState() override; - Socket::OptionsSharedPtr getUpstreamSocketOptions(int network, SocketMode socket_mode) override; envoy_netconf_t addUpstreamSocketOptions(Socket::OptionsSharedPtr options) override; Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() override; - Upstream::ClusterManager& clusterManager() override { return cluster_manager_; } private: - struct NetworkState { + // The states of the current default network picked by the platform. + struct DefaultNetworkState { // The configuration key is passed through calls dispatched on the run loop to determine if // they're still valid/relevant at time of execution. - envoy_netconf_t configuration_key_ ABSL_GUARDED_BY(mutex_); - int network_ ABSL_GUARDED_BY(mutex_); - uint8_t remaining_faults_ ABSL_GUARDED_BY(mutex_); - SocketMode socket_mode_ ABSL_GUARDED_BY(mutex_); - Thread::MutexBasicLockable mutex_; + envoy_netconf_t configuration_key_; + int network_; + uint8_t remaining_faults_; + SocketMode socket_mode_; }; Socket::OptionsSharedPtr getAlternateInterfaceSocketOptions(int network); InterfacePair getActiveAlternateInterface(int network, unsigned short family); + Socket::OptionsSharedPtr getUpstreamSocketOptions(int network, SocketMode socket_mode); - bool enable_drain_post_dns_refresh_{false}; bool enable_interface_binding_{false}; - absl::flat_hash_set hosts_to_drain_; - Extensions::Common::DynamicForwardProxy::DnsCache::AddUpdateCallbacksHandlePtr - dns_callbacks_handle_{nullptr}; Upstream::ClusterManager& cluster_manager_; + // nullptr if draining hosts after refreshing DNS is disabled via setDrainPostDnsRefreshEnabled(). + std::unique_ptr dns_refresh_handler_; DnsCacheManagerSharedPtr dns_cache_manager_; ProxySettingsConstSharedPtr proxy_settings_; - static NetworkState network_state_; + static DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_); + static Thread::MutexBasicLockable network_mutex_; }; using ConnectivityManagerSharedPtr = std::shared_ptr; diff --git a/mobile/test/common/network/connectivity_manager_test.cc b/mobile/test/common/network/connectivity_manager_test.cc index dd086bda6c3b7..6ef1c37fb7c67 100644 --- a/mobile/test/common/network/connectivity_manager_test.cc +++ b/mobile/test/common/network/connectivity_manager_test.cc @@ -30,7 +30,7 @@ class ConnectivityManagerTest : public testing::Test { dns_cache_manager_; std::shared_ptr dns_cache_; NiceMock cm_{}; - ConnectivityManagerSharedPtr connectivity_manager_; + std::shared_ptr connectivity_manager_; }; TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigurationKey) { @@ -61,7 +61,14 @@ TEST_F(ConnectivityManagerTest, RefreshDnsForStaleConfigurationDoesntTriggerDnsR } TEST_F(ConnectivityManagerTest, WhenDrainPostDnsRefreshEnabledDrainsPostDnsRefresh) { - EXPECT_CALL(*dns_cache_, addUpdateCallbacks_(Ref(*connectivity_manager_))); + Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks* dns_completion_callback{ + nullptr}; + EXPECT_CALL(*dns_cache_, addUpdateCallbacks_(_)) + .WillOnce(Invoke([&dns_completion_callback]( + Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks& cb) { + dns_completion_callback = &cb; + return nullptr; + })); connectivity_manager_->setDrainPostDnsRefreshEnabled(true); auto host_info = std::make_shared(); @@ -78,31 +85,28 @@ TEST_F(ConnectivityManagerTest, WhenDrainPostDnsRefreshEnabledDrainsPostDnsRefre connectivity_manager_->refreshDns(configuration_key, true); EXPECT_CALL(cm_, drainConnections(_)); - connectivity_manager_->onDnsResolutionComplete( + dns_completion_callback->onDnsResolutionComplete( "cached.example.com", std::make_shared(), Network::DnsResolver::ResolutionStatus::Completed); - connectivity_manager_->onDnsResolutionComplete( + dns_completion_callback->onDnsResolutionComplete( "not-cached.example.com", std::make_shared(), Network::DnsResolver::ResolutionStatus::Completed); - connectivity_manager_->onDnsResolutionComplete( + dns_completion_callback->onDnsResolutionComplete( "not-cached2.example.com", std::make_shared(), Network::DnsResolver::ResolutionStatus::Completed); } TEST_F(ConnectivityManagerTest, WhenDrainPostDnsNotEnabledDoesntDrainPostDnsRefresh) { + EXPECT_CALL(*dns_cache_, addUpdateCallbacks_(_)).Times(0); connectivity_manager_->setDrainPostDnsRefreshEnabled(false); + EXPECT_CALL(*dns_cache_, iterateHostMap(_)).Times(0); EXPECT_CALL(*dns_cache_, forceRefreshHosts()); envoy_netconf_t configuration_key = connectivity_manager_->getConfigurationKey(); connectivity_manager_->refreshDns(configuration_key, true); - - EXPECT_CALL(cm_, drainConnections(_)).Times(0); - connectivity_manager_->onDnsResolutionComplete( - "example.com", std::make_shared(), - Network::DnsResolver::ResolutionStatus::Completed); } TEST_F(ConnectivityManagerTest, From dd9c321bcd95d3970b1c8356f185a3585a5dede1 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 22 Jul 2025 02:32:15 +0000 Subject: [PATCH 030/505] Nits to test Signed-off-by: Basundhara Chakrabarty --- .../reverse_tunnel/reverse_tunnel_acceptor.cc | 122 +-- .../reverse_tunnel/reverse_tunnel_acceptor.h | 17 +- .../reverse_tunnel_acceptor_test.cc | 745 ++++++++++-------- 3 files changed, 473 insertions(+), 411 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc index 25a838111b4d1..5f3d5b3f3f565 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc @@ -3,8 +3,8 @@ #include #include #include -#include #include +#include #include "source/common/api/os_sys_calls_impl.h" #include "source/common/buffer/buffer_impl.h" @@ -27,25 +27,25 @@ UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), owned_socket_(std::move(socket)) { - ENVOY_LOG(debug, "Created UpstreamReverseConnectionIOHandle for cluster: {} with FD: {}", + ENVOY_LOG(trace, "Created UpstreamReverseConnectionIOHandle for cluster: {} with FD: {}", cluster_name_, fd_); } UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { - ENVOY_LOG(debug, "Destroying UpstreamReverseConnectionIOHandle for cluster: {} with FD: {}", + ENVOY_LOG(trace, "Destroying UpstreamReverseConnectionIOHandle for cluster: {} with FD: {}", cluster_name_, fd_); // The owned_socket_ will be automatically destroyed via RAII } Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( Envoy::Network::Address::InstanceConstSharedPtr address) { - ENVOY_LOG(debug, + ENVOY_LOG(trace, "UpstreamReverseConnectionIOHandle::connect() to {} - connection already established " "through reverse tunnel", address->asString()); - // For reverse connections, the connection is already established. - // We should return success immediately since the reverse tunnel provides the connection. + // For reverse connections, the connection is already established, therefore + // connect() is a no-op return Api::SysCallIntResult{0, 0}; } @@ -53,7 +53,6 @@ Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { ENVOY_LOG(debug, "UpstreamReverseConnectionIOHandle::close() called for FD: {}", fd_); // Reset the owned socket to properly close the connection - // This ensures proper cleanup without requiring external storage if (owned_socket_) { ENVOY_LOG(debug, "Releasing owned socket for cluster: {}", cluster_name_); owned_socket_.reset(); @@ -183,9 +182,8 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { // Get thread local registry for the current thread UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { - ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension::getLocalRegistry()"); if (!tls_slot_) { - ENVOY_LOG(warn, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); return nullptr; } @@ -196,7 +194,6 @@ UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() co return nullptr; } - std::pair, std::vector> ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { @@ -232,14 +229,14 @@ ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds } } - ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: found {} connected nodes, {} accepted connections", + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: found {} connected nodes, {} accepted connections", connected_nodes.size(), accepted_connections.size()); return {connected_nodes, accepted_connections}; } -absl::flat_hash_map -ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { +absl::flat_hash_map ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { absl::flat_hash_map stats_map; auto& stats_store = context_.scope(); @@ -249,9 +246,10 @@ ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { Stats::IterateFn gauge_callback = [&stats_map](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, gauge->value()); - if (gauge_name.find("reverse_connections.") != std::string::npos && - (gauge_name.find("reverse_connections.nodes.") != std::string::npos || + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + (gauge_name.find("reverse_connections.nodes.") != std::string::npos || gauge_name.find("reverse_connections.clusters.") != std::string::npos) && gauge->used()) { stats_map[gauge_name] = gauge->value(); @@ -261,7 +259,8 @@ ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { stats_store.iterate(gauge_callback); ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension: collected {} stats for reverse connections across all worker threads", + "ReverseTunnelAcceptorExtension: collected {} stats for reverse connections across all " + "worker threads", stats_map.size()); return stats_map; @@ -281,12 +280,12 @@ void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& no stats_store.gaugeFromString(node_stat_name, Stats::Gauge::ImportMode::Accumulate); if (increment) { node_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", - node_stat_name, node_gauge.value()); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", + node_stat_name, node_gauge.value()); } else { node_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", - node_stat_name, node_gauge.value()); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", + node_stat_name, node_gauge.value()); } } @@ -297,12 +296,12 @@ void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& no stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); if (increment) { cluster_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); } else { cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); } } @@ -314,7 +313,7 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s const std::string& cluster_id, bool increment) { auto& stats_store = context_.scope(); - + // Get dispatcher name from the thread local dispatcher std::string dispatcher_name = "main_thread"; // Default for main thread auto* local_registry = getLocalRegistry(); @@ -322,11 +321,11 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s // Dispatcher name is of the form "worker_x" where x is the worker index dispatcher_name = local_registry->dispatcher().name(); } - + // Create/update per-worker node connection stat if (!node_id.empty()) { - std::string worker_node_stat_name = fmt::format("reverse_connections.{}.node.{}", - dispatcher_name, node_id); + std::string worker_node_stat_name = + fmt::format("reverse_connections.{}.node.{}", dispatcher_name, node_id); auto& worker_node_gauge = stats_store.gaugeFromString(worker_node_stat_name, Stats::Gauge::ImportMode::NeverImport); if (increment) { @@ -342,10 +341,10 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s // Create/update per-worker cluster connection stat if (!cluster_id.empty()) { - std::string worker_cluster_stat_name = fmt::format("reverse_connections.{}.cluster.{}", - dispatcher_name, cluster_id); - auto& worker_cluster_gauge = - stats_store.gaugeFromString(worker_cluster_stat_name, Stats::Gauge::ImportMode::NeverImport); + std::string worker_cluster_stat_name = + fmt::format("reverse_connections.{}.cluster.{}", dispatcher_name, cluster_id); + auto& worker_cluster_gauge = stats_store.gaugeFromString(worker_cluster_stat_name, + Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_cluster_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker cluster stat {} to {}", @@ -358,8 +357,7 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s } } -absl::flat_hash_map -ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { +absl::flat_hash_map ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { absl::flat_hash_map stats_map; auto& stats_store = context_.scope(); @@ -375,11 +373,12 @@ ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { Stats::IterateFn gauge_callback = [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, gauge->value()); - if (gauge_name.find("reverse_connections.") != std::string::npos && + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && gauge_name.find(dispatcher_name + ".") != std::string::npos && - (gauge_name.find(".node.") != std::string::npos || - gauge_name.find(".cluster.") != std::string::npos) && + (gauge_name.find(".node.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && gauge->used()) { stats_map[gauge_name] = gauge->value(); } @@ -387,8 +386,7 @@ ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { }; stats_store.iterate(gauge_callback); - ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension: collected {} stats for dispatcher '{}'", + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: collected {} stats for dispatcher '{}'", stats_map.size(), dispatcher_name); return stats_map; @@ -414,7 +412,9 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, // Both node_id and cluster_id are mandatory for consistent state management and stats tracking if (node_id.empty() || cluster_id.empty()) { - ENVOY_LOG(error, "UpstreamSocketManager: addConnectionSocket called with empty node_id='{}' or cluster_id='{}'. Both are mandatory.", + ENVOY_LOG(error, + "UpstreamSocketManager: addConnectionSocket called with empty node_id='{}' or " + "cluster_id='{}'. Both are mandatory.", node_id, cluster_id); return; } @@ -435,7 +435,9 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, node_to_cluster_map_[node_id] = cluster_id; cluster_to_node_map_[cluster_id].push_back(node_id); } - ENVOY_LOG(trace, "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has {} entries", + ENVOY_LOG(trace, + "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has " + "{} entries", node_to_cluster_map_.size(), cluster_to_node_map_.size()); ENVOY_LOG(trace, @@ -485,13 +487,15 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { ENVOY_LOG(debug, "UpstreamSocketManager: getConnectionSocket() called with node_id: {}", node_id); if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { - ENVOY_LOG(error, "UpstreamSocketManager: cluster -> node mapping changed for node: {}", node_id); + ENVOY_LOG(error, "UpstreamSocketManager: cluster -> node mapping changed for node: {}", + node_id); return nullptr; } const std::string& cluster_id = node_to_cluster_map_[node_id]; - - ENVOY_LOG(debug, "UpstreamSocketManager: Looking for socket with node: {} cluster: {}", node_id, cluster_id); + + ENVOY_LOG(debug, "UpstreamSocketManager: Looking for socket with node: {} cluster: {}", node_id, + cluster_id); // Find first available socket for the node auto node_sockets_it = accepted_reverse_connections_.find(node_id); @@ -501,7 +505,8 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { } // Debugging: Print the number of free sockets on this worker thread - ENVOY_LOG(debug, "UpstreamSocketManager: Found {} sockets for node: {}", node_sockets_it->second.size(), node_id); + ENVOY_LOG(debug, "UpstreamSocketManager: Found {} sockets for node: {}", + node_sockets_it->second.size(), node_id); // Fetch the socket from the accepted_reverse_connections_ and remove it from the list Network::ConnectionSocketPtr socket(std::move(node_sockets_it->second.front())); @@ -526,15 +531,16 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { std::string UpstreamSocketManager::getNodeID(const std::string& key) { ENVOY_LOG(debug, "UpstreamSocketManager: getNodeID() called with key: {}", key); - + // First check if the key exists as a cluster ID by checking global stats // This ensures we check across all threads, not just the current thread if (auto extension = getUpstreamExtension()) { // Check if any thread has sockets for this cluster by looking at global stats std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", key); auto& stats_store = extension->getStatsScope(); - auto& cluster_gauge = stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); - + auto& cluster_gauge = + stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + if (cluster_gauge.value() > 0) { // Key is a cluster ID with active connections, find a node from this cluster auto cluster_nodes_it = cluster_to_node_map_.find(key); @@ -542,14 +548,16 @@ std::string UpstreamSocketManager::getNodeID(const std::string& key) { // Return a random existing node from this cluster auto node_idx = random_generator_->random() % cluster_nodes_it->second.size(); std::string node_id = cluster_nodes_it->second[node_idx]; - ENVOY_LOG(debug, "UpstreamSocketManager: key '{}' is cluster ID with {} connections, returning random node: {}", + ENVOY_LOG(debug, + "UpstreamSocketManager: key '{}' is cluster ID with {} connections, returning " + "random node: {}", key, cluster_gauge.value(), node_id); return node_id; } // If cluster has connections but no local mapping, assume key is a node ID } } - + // Key is not a cluster ID, has no connections, or has no local mapping // Treat it as a node ID and return it directly ENVOY_LOG(debug, "UpstreamSocketManager: key '{}' is node ID, returning as-is", key); @@ -682,7 +690,9 @@ void UpstreamSocketManager::onPingResponse(Network::IoHandle& io_handle) { const int fd = io_handle.fdDoNotUse(); Buffer::OwnedImpl buffer; - const auto ping_size = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE.size(); + const auto ping_size = + ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE + .size(); Api::IoCallUint64Result result = io_handle.read(buffer, absl::make_optional(ping_size)); if (!result.ok()) { ENVOY_LOG(debug, "UpstreamSocketManager: Read error on FD: {}: error - {}", fd, @@ -704,7 +714,8 @@ void UpstreamSocketManager::onPingResponse(Network::IoHandle& io_handle) { return; } - if (!::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage(buffer.toString())) { + if (!::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage( + buffer.toString())) { ENVOY_LOG(debug, "UpstreamSocketManager: FD: {}: response is not RPING", fd); markSocketDead(fd); return; @@ -719,7 +730,8 @@ void UpstreamSocketManager::pingConnections(const std::string& node_id) { ENVOY_LOG(debug, "UpstreamSocketManager: node:{} Number of sockets:{}", node_id, sockets.size()); for (auto itr = sockets.begin(); itr != sockets.end(); itr++) { int fd = itr->get()->ioHandle().fdDoNotUse(); - auto buffer = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::createPingResponse(); + auto buffer = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility:: + createPingResponse(); auto ping_response_timeout = ping_interval_ / 2; fd_to_timer_map_[fd]->enableTimer(ping_response_timeout); diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h index feb6c868100b8..cdb791a781926 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h @@ -34,7 +34,7 @@ class UpstreamSocketManager; /** * Custom IoHandle for upstream reverse connections that properly owns a ConnectionSocket. - * This class uses RAII principles to manage socket lifetime without requiring external storage. + * This class uses RAII principles to manage socket lifetime. */ class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { public: @@ -76,7 +76,6 @@ class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { // The name of the cluster this reverse connection belongs to. std::string cluster_name_; // The socket that this IOHandle owns and manages lifetime for. - // This eliminates the need for external storage hacks. Network::ConnectionSocketPtr owned_socket_; }; @@ -212,6 +211,7 @@ class ReverseTunnelAcceptorExtension public Envoy::Logger::Loggable { // Friend class for testing friend class ReverseTunnelAcceptorExtensionTest; + public: /** * @param sock_interface the socket interface to extend. @@ -256,8 +256,8 @@ class ReverseTunnelAcceptorExtension const std::string& statPrefix() const { return stat_prefix_; } /** - * Synchronous version for admin API endpoints that require immediate response on reverse connection stats. - * Uses blocking aggregation with timeout for production reliability. + * Synchronous version for admin API endpoints that require immediate response on reverse + * connection stats. Uses blocking aggregation with timeout for production reliability. * @param timeout_ms maximum time to wait for aggregation completion * @return pair of or empty if timeout */ @@ -265,7 +265,7 @@ class ReverseTunnelAcceptorExtension getConnectionStatsSync(std::chrono::milliseconds timeout_ms = std::chrono::milliseconds(5000)); /** - * Get cross-worker aggregated reverse connection stats. + * Get cross-worker aggregated reverse connection stats. * @return map of node/cluster -> connection count across all worker threads */ absl::flat_hash_map getCrossWorkerStatMap(); @@ -291,7 +291,8 @@ class ReverseTunnelAcceptorExtension /** * Get per-worker connection stats for debugging purposes. - * Returns stats like "reverse_connections.{worker_name}.node.{node_id}" for the current thread only. + * Returns stats like "reverse_connections.{worker_name}.node.{node_id}" for the current thread + * only. * @return map of node/cluster -> connection count for the current worker thread */ absl::flat_hash_map getPerWorkerStatMap(); @@ -308,7 +309,8 @@ class ReverseTunnelAcceptorExtension * requiring friend class access. * @param slot the thread local slot to set */ - void setTestOnlyTLSRegistry(std::unique_ptr> slot) { + void + setTestOnlyTLSRegistry(std::unique_ptr> slot) { tls_slot_ = std::move(slot); } @@ -318,7 +320,6 @@ class ReverseTunnelAcceptorExtension std::unique_ptr> tls_slot_; ReverseTunnelAcceptor* socket_interface_; std::string stat_prefix_; - }; /** diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc index 2131a3c23bce9..6a570114a8f0c 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc @@ -1,5 +1,3 @@ -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" - #include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/network/socket_interface.h" #include "envoy/server/factory_context.h" @@ -9,11 +7,12 @@ #include "source/common/network/socket_interface.h" #include "source/common/network/utility.h" #include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "test/mocks/event/mocks.h" #include "test/mocks/server/factory_context.h" -#include "test/mocks/thread_local/mocks.h" #include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" #include "test/test_common/test_runtime.h" #include "gmock/gmock.h" @@ -35,37 +34,38 @@ class ReverseTunnelAcceptorExtensionTest : public testing::Test { ReverseTunnelAcceptorExtensionTest() { // Set up the stats scope stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - + // Set up the mock context EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - + // Create the config config_.set_stat_prefix("test_prefix"); - + // Create the socket interface socket_interface_ = std::make_unique(context_); - + // Create the extension - extension_ = std::make_unique( - *socket_interface_, context_, config_); + extension_ = + std::make_unique(*socket_interface_, context_, config_); } // Helper function to set up thread local slot for tests void setupThreadLocalSlot() { // Create a thread local registry - thread_local_registry_ = std::make_shared(dispatcher_, extension_.get()); - + thread_local_registry_ = + std::make_shared(dispatcher_, extension_.get()); + // Create the actual TypedSlot tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - + // Set up the slot to return our registry tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - + // Set the slot directly in the extension extension_->tls_slot_ = std::move(tls_slot_); - + // Set the extension reference in the socket interface extension_->socket_interface_->extension_ = extension_.get(); } @@ -73,7 +73,8 @@ class ReverseTunnelAcceptorExtensionTest : public testing::Test { // Helper function to set up a second thread local slot for multi-dispatcher testing void setupAnotherThreadLocalSlot() { // Create another thread local registry with a different dispatcher name - another_thread_local_registry_ = std::make_shared(another_dispatcher_, extension_.get()); + another_thread_local_registry_ = + std::make_shared(another_dispatcher_, extension_.get()); } void TearDown() override { @@ -88,17 +89,17 @@ class ReverseTunnelAcceptorExtensionTest : public testing::Test { Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_{"worker_0"}; - + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: UpstreamReverseConnectionSocketInterface config_; - + std::unique_ptr socket_interface_; std::unique_ptr extension_; - + // Real thread local slot and registry std::unique_ptr> tls_slot_; std::shared_ptr thread_local_registry_; - + // Additional mock dispatcher and registry for multi-thread testing NiceMock another_dispatcher_{"worker_1"}; std::shared_ptr another_thread_local_registry_; @@ -109,17 +110,16 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithDefaultStatPrefix) { // Test with empty config (should use default stat prefix) envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: UpstreamReverseConnectionSocketInterface empty_config; - - auto extension_with_default = std::make_unique( - *socket_interface_, context_, empty_config); - + + auto extension_with_default = + std::make_unique(*socket_interface_, context_, empty_config); + EXPECT_EQ(extension_with_default->statPrefix(), "upstream_reverse_connection"); } TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithCustomStatPrefix) { // Test with custom stat prefix EXPECT_EQ(extension_->statPrefix(), "test_prefix"); - } TEST_F(ReverseTunnelAcceptorExtensionTest, GetStatsScope) { @@ -136,7 +136,7 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, OnWorkerThreadInitialized) { TEST_F(ReverseTunnelAcceptorExtensionTest, OnServerInitializedSetsExtensionReference) { // Call onServerInitialized to set the extension reference in the socket interface extension_->onServerInitialized(); - + // Verify that the socket interface extension reference is set EXPECT_EQ(socket_interface_->getExtension(), extension_.get()); } @@ -150,15 +150,15 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryBeforeInitialization) TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryAfterInitialization) { // Initialize the thread local slot setupThreadLocalSlot(); - + // Now getLocalRegistry should return the actual registry auto* registry = extension_->getLocalRegistry(); EXPECT_NE(registry, nullptr); - + // Verify we can access the socket manager from the registry auto* socket_manager = registry->socketManager(); EXPECT_NE(socket_manager, nullptr); - + // Verify the socket manager has the correct extension reference EXPECT_EQ(socket_manager->getUpstreamExtension(), extension_.get()); } @@ -168,7 +168,7 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { // Set up thread local slot first setupThreadLocalSlot(); - + // Update per-worker stats for the current (test) thread extension_->updatePerWorkerConnectionStats("node1", "cluster1", true); extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); @@ -176,13 +176,13 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { // Get the per-worker stat map auto stat_map = extension_->getPerWorkerStatMap(); - + // Verify the stats are collected correctly for worker_0 EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); - + // Verify that only worker_0 stats are included for (const auto& [stat_name, value] : stat_map) { EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); @@ -193,30 +193,30 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { // Set up thread local slot for the test thread (dispatcher name: "worker_0") setupThreadLocalSlot(); - + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") setupAnotherThreadLocalSlot(); - + // Simulate stats updates from worker_0 extension_->updateConnectionStats("node1", "cluster1", true); extension_->updateConnectionStats("node1", "cluster1", true); // Increment twice extension_->updateConnectionStats("node2", "cluster2", true); - + // Simulate stats updates from worker_1 // Temporarily switch the thread local registry to simulate the other dispatcher auto original_registry = thread_local_registry_; thread_local_registry_ = another_thread_local_registry_; - + // Update stats from worker_1 extension_->updateConnectionStats("node1", "cluster1", true); // Increment from worker_1 extension_->updateConnectionStats("node3", "cluster3", true); // New node from worker_1 - + // Restore the original registry thread_local_registry_ = original_registry; - + // Get the cross-worker stat map auto stat_map = extension_->getCrossWorkerStatMap(); - + // Verify that cross-worker stats are collected correctly across multiple dispatchers // node1: incremented 3 times total (2 from worker_0 + 1 from worker_1) EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 3); @@ -224,7 +224,7 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 1); // node3: incremented 1 time from worker_1 EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); - + // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 3); // cluster2: incremented 1 time from worker_0 @@ -237,55 +237,61 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncMultiThread) { // Set up thread local slot for the test thread (dispatcher name: "worker_0") setupThreadLocalSlot(); - + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") setupAnotherThreadLocalSlot(); - + // Simulate stats updates from worker_0 extension_->updateConnectionStats("node1", "cluster1", true); extension_->updateConnectionStats("node1", "cluster1", true); // Increment twice extension_->updateConnectionStats("node2", "cluster2", true); - + // Simulate stats updates from worker_1 // Temporarily switch the thread local registry to simulate the other dispatcher auto original_registry = thread_local_registry_; thread_local_registry_ = another_thread_local_registry_; - + // Update stats from worker_1 extension_->updateConnectionStats("node1", "cluster1", true); // Increment from worker_1 extension_->updateConnectionStats("node3", "cluster3", true); // New node from worker_1 - + // Restore the original registry thread_local_registry_ = original_registry; - + // Get connection stats synchronously auto result = extension_->getConnectionStatsSync(); auto& [connected_nodes, accepted_connections] = result; - + // Verify the result contains the expected data EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); - + // Verify that we have the expected node and cluster data // node1: should be present (incremented 3 times total) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node1") != connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node1") != + connected_nodes.end()); // node2: should be present (incremented 1 time) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node2") != connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node2") != + connected_nodes.end()); // node3: should be present (incremented 1 time) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node3") != connected_nodes.end()); - + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node3") != + connected_nodes.end()); + // cluster1: should be present (incremented 3 times total) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != + accepted_connections.end()); // cluster2: should be present (incremented 1 time) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); // cluster3: should be present (incremented 1 time) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != + accepted_connections.end()); } // Test getConnectionStatsSync with timeouts TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncTimeout) { // Test with a very short timeout to verify timeout behavior auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); - + // With no connections and short timeout, should return empty results auto& [connected_nodes, accepted_connections] = result; EXPECT_TRUE(connected_nodes.empty()); @@ -301,25 +307,27 @@ class TestUpstreamSocketManager : public testing::Test { TestUpstreamSocketManager() { // Set up the stats scope stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - + // Set up the mock context EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - + // Create the config config_.set_stat_prefix("test_prefix"); - + // Create the socket interface socket_interface_ = std::make_unique(context_); - + // Create the extension - extension_ = std::make_unique( - *socket_interface_, context_, config_); - + extension_ = + std::make_unique(*socket_interface_, context_, config_); + // Set up mock dispatcher with default expectations - EXPECT_CALL(dispatcher_, createTimer_(_)).WillRepeatedly(testing::ReturnNew>()); - EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)).WillRepeatedly(testing::ReturnNew>()); - + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + // Create the socket manager with real extension socket_manager_ = std::make_unique(dispatcher_, extension_.get()); } @@ -362,64 +370,55 @@ class TestUpstreamSocketManager : public testing::Test { std::vector getClusterToNodeMapping(const std::string& cluster) { auto it = socket_manager_->cluster_to_node_map_.find(cluster); - return (it != socket_manager_->cluster_to_node_map_.end()) ? it->second : std::vector{}; + return (it != socket_manager_->cluster_to_node_map_.end()) ? it->second + : std::vector{}; } size_t getAcceptedReverseConnectionsSize() { return socket_manager_->accepted_reverse_connections_.size(); } - size_t getFDToNodeMapSize() { - return socket_manager_->fd_to_node_map_.size(); - } + size_t getFDToNodeMapSize() { return socket_manager_->fd_to_node_map_.size(); } - size_t getNodeToClusterMapSize() { - return socket_manager_->node_to_cluster_map_.size(); - } + size_t getNodeToClusterMapSize() { return socket_manager_->node_to_cluster_map_.size(); } - size_t getClusterToNodeMapSize() { - return socket_manager_->cluster_to_node_map_.size(); - } + size_t getClusterToNodeMapSize() { return socket_manager_->cluster_to_node_map_.size(); } - size_t getFDToEventMapSize() { - return socket_manager_->fd_to_event_map_.size(); - } + size_t getFDToEventMapSize() { return socket_manager_->fd_to_event_map_.size(); } - size_t getFDToTimerMapSize() { - return socket_manager_->fd_to_timer_map_.size(); - } + size_t getFDToTimerMapSize() { return socket_manager_->fd_to_timer_map_.size(); } // Helper to create a mock socket with proper address setup - Network::ConnectionSocketPtr createMockSocket(int fd = 123, - const std::string& local_addr = "127.0.0.1:8080", - const std::string& remote_addr = "127.0.0.1:9090") { + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { auto socket = std::make_unique>(); - + // Parse local address (IP:port format) auto local_colon_pos = local_addr.find(':'); std::string local_ip = local_addr.substr(0, local_colon_pos); uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); - + // Parse remote address (IP:port format) auto remote_colon_pos = remote_addr.find(':'); std::string remote_ip = remote_addr.substr(0, remote_colon_pos); uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); - + // Create a mock IO handle and set it up auto mock_io_handle = std::make_unique>(); auto* mock_io_handle_ptr = mock_io_handle.get(); EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); - + // Store the mock_io_handle in the socket socket->io_handle_ = std::move(mock_io_handle); - + // Set up connection info provider with the desired addresses socket->connection_info_provider_->setLocalAddress(local_address); socket->connection_info_provider_->setRemoteAddress(remote_address); - + return socket; } @@ -447,10 +446,10 @@ class TestUpstreamSocketManager : public testing::Test { Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_; - + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: UpstreamReverseConnectionSocketInterface config_; - + std::unique_ptr socket_interface_; std::unique_ptr extension_; std::unique_ptr socket_manager_; @@ -459,7 +458,7 @@ class TestUpstreamSocketManager : public testing::Test { TEST_F(TestUpstreamSocketManager, CreateUpstreamSocketManager) { // Test that constructor doesn't crash and creates a valid instance EXPECT_NE(socket_manager_, nullptr); - + // Test constructor with nullptr extension auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); EXPECT_NE(socket_manager_no_extension, nullptr); @@ -468,57 +467,61 @@ TEST_F(TestUpstreamSocketManager, CreateUpstreamSocketManager) { TEST_F(TestUpstreamSocketManager, GetUpstreamExtension) { // Test that getUpstreamExtension returns the correct extension EXPECT_EQ(socket_manager_->getUpstreamExtension(), extension_.get()); - + // Test with nullptr extension auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); EXPECT_EQ(socket_manager_no_extension->getUpstreamExtension(), nullptr); } TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyClusterId) { - // Test adding a socket with empty cluster_id (should log error and return early without adding socket) + // Test adding a socket with empty cluster_id (should log error and return early without adding + // socket) auto socket = createMockSocket(123); const std::string node_id = "test-node"; const std::string cluster_id = ""; const std::chrono::seconds ping_interval(30); - + // Verify initial state verifyInitialState(); - + // Add the socket - should return early and not add anything - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Verify nothing was added - all maps should remain empty verifyInitialState(); // Should still be in initial state - + // Verify no file events or timers were created EXPECT_EQ(getFDToEventMapSize(), 0); EXPECT_EQ(getFDToTimerMapSize(), 0); - + // Verify no socket can be retrieved auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); EXPECT_EQ(retrieved_socket, nullptr); // Should return nullptr because nothing was added } TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyNodeId) { - // Test adding a socket with empty node_id (should log error and return early without adding socket) + // Test adding a socket with empty node_id (should log error and return early without adding + // socket) auto socket = createMockSocket(456); const std::string node_id = ""; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Verify initial state verifyInitialState(); - + // Add the socket - should return early and not add anything - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Verify nothing was added - all maps should remain empty verifyInitialState(); // Should still be in initial state - + // Verify no file events or timers were created EXPECT_EQ(getFDToEventMapSize(), 0); EXPECT_EQ(getFDToTimerMapSize(), 0); - + // Verify no socket can be retrieved auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); EXPECT_EQ(retrieved_socket, nullptr); // Should return nullptr because nothing was added @@ -532,13 +535,14 @@ TEST_F(TestUpstreamSocketManager, AddAndGetMultipleSocketsSameNode) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Verify initial state verifyInitialState(); - + // Add first socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + // Verify maps after first socket EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); EXPECT_TRUE(verifyFDToNodeMap(123)); @@ -546,43 +550,46 @@ TEST_F(TestUpstreamSocketManager, AddAndGetMultipleSocketsSameNode) { auto cluster_nodes = getClusterToNodeMapping(cluster_id); EXPECT_EQ(cluster_nodes.size(), 1); EXPECT_EQ(cluster_nodes[0], node_id); - + // Add second socket for same node - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - - // Verify maps after second socket (should have 2 sockets for same node, but cluster maps unchanged) + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + // Verify maps after second socket (should have 2 sockets for same node, but cluster maps + // unchanged) EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); EXPECT_TRUE(verifyFDToNodeMap(456)); EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Should still be same cluster cluster_nodes = getClusterToNodeMapping(cluster_id); EXPECT_EQ(cluster_nodes.size(), 1); // Still 1 node per cluster - + // Add third socket for same node - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, + false); + // Verify maps after third socket EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); EXPECT_TRUE(verifyFDToNodeMap(789)); - + // Verify file events and timers were created for all sockets EXPECT_EQ(getFDToEventMapSize(), 3); EXPECT_EQ(getFDToTimerMapSize(), 3); - + // Get sockets in FIFO order auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket1, nullptr); - + // Verify socket count decreased EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket2, nullptr); EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - + auto retrieved_socket3 = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket3, nullptr); EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - + // No more sockets should be available auto retrieved_socket4 = socket_manager_->getConnectionSocket(node_id); EXPECT_EQ(retrieved_socket4, nullptr); @@ -597,23 +604,23 @@ TEST_F(TestUpstreamSocketManager, AddAndGetSocketsMultipleNodes) { const std::string cluster1 = "cluster1"; const std::string cluster2 = "cluster2"; const std::chrono::seconds ping_interval(30); - + // Verify initial state verifyInitialState(); - + // Add socket for first node socket_manager_->addConnectionSocket(node1, cluster1, std::move(socket1), ping_interval, false); - + // Verify maps after first node EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); auto cluster1_nodes = getClusterToNodeMapping(cluster1); EXPECT_EQ(cluster1_nodes.size(), 1); EXPECT_EQ(cluster1_nodes[0], node1); - + // Add socket for second node socket_manager_->addConnectionSocket(node2, cluster2, std::move(socket2), ping_interval, false); - + // Verify maps after second node EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 1); @@ -625,21 +632,21 @@ TEST_F(TestUpstreamSocketManager, AddAndGetSocketsMultipleNodes) { auto cluster2_nodes = getClusterToNodeMapping(cluster2); EXPECT_EQ(cluster2_nodes.size(), 1); EXPECT_EQ(cluster2_nodes[0], node2); - + // Verify file events and timers were created for both sockets EXPECT_EQ(getFDToEventMapSize(), 2); EXPECT_EQ(getFDToTimerMapSize(), 2); - + // Verify both nodes have their sockets auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); EXPECT_NE(retrieved_socket1, nullptr); - + // Verify first node's socket count decreased EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 0); - + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); EXPECT_NE(retrieved_socket2, nullptr); - + // Verify second node's socket count decreased EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 0); } @@ -648,27 +655,29 @@ TEST_F(TestUpstreamSocketManager, TestGetNodeID) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Call getNodeID with a cluster ID that has active connections // First add a socket to create the cluster mapping and update stats auto socket1 = createMockSocket(123); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + // Verify the socket was added and mappings are correct EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); auto cluster_nodes = getClusterToNodeMapping(cluster_id); EXPECT_EQ(cluster_nodes.size(), 1); EXPECT_EQ(cluster_nodes[0], node_id); - - // Now call getNodeID with the cluster_id - should return the node_id that was added for this cluster + + // Now call getNodeID with the cluster_id - should return the node_id that was added for this + // cluster std::string result_for_cluster = socket_manager_->getNodeID(cluster_id); EXPECT_EQ(result_for_cluster, node_id); - + // Call getNodeID with a node ID - should return the same node ID std::string result_for_node = socket_manager_->getNodeID(node_id); EXPECT_EQ(result_for_node, node_id); - + // Call getNodeID with a non-existent cluster ID - should return the key as-is // assuming it to be the node ID. A subsequent call to getConnectionSocket with // this node ID should return nullptr. @@ -683,7 +692,6 @@ TEST_F(TestUpstreamSocketManager, GetConnectionSocketEmpty) { EXPECT_EQ(socket, nullptr); } - TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryWithActiveSockets) { // Test cleanStaleNodeEntry when node still has active sockets (should be no-op) auto socket1 = createMockSocket(123); @@ -691,18 +699,20 @@ TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryWithActiveSockets) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add sockets and verify initial state - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); - + // Call cleanStaleNodeEntry while sockets exist - should be no-op socket_manager_->cleanStaleNodeEntry(node_id); - + // Verify no cleanup happened (all mappings should remain unchanged) EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); @@ -714,42 +724,42 @@ TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryClusterCleanup) { auto socket1 = createMockSocket(123); auto socket2 = createMockSocket(456); const std::string node1 = "node1"; - const std::string node2 = "node2"; + const std::string node2 = "node2"; const std::string cluster_id = "shared-cluster"; const std::chrono::seconds ping_interval(30); - + // Add two nodes to the same cluster socket_manager_->addConnectionSocket(node1, cluster_id, std::move(socket1), ping_interval, false); socket_manager_->addConnectionSocket(node2, cluster_id, std::move(socket2), ping_interval, false); - + // Verify both nodes are in the cluster EXPECT_EQ(getNodeToClusterMapping(node1), cluster_id); EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); auto cluster_nodes = getClusterToNodeMapping(cluster_id); EXPECT_EQ(cluster_nodes.size(), 2); EXPECT_EQ(getClusterToNodeMapSize(), 1); // One cluster - + // Get socket from first node (should trigger cleanup for node1) auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); EXPECT_NE(retrieved_socket1, nullptr); - + // Verify node1 is cleaned up but cluster still exists for node2 - EXPECT_EQ(getNodeToClusterMapping(node1), ""); // node1 removed + EXPECT_EQ(getNodeToClusterMapping(node1), ""); // node1 removed EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); // node2 still there cluster_nodes = getClusterToNodeMapping(cluster_id); EXPECT_EQ(cluster_nodes.size(), 1); // Only node2 remains EXPECT_EQ(cluster_nodes[0], node2); EXPECT_EQ(getClusterToNodeMapSize(), 1); // Cluster still exists - + // Get socket from second node (should trigger cleanup for node2 and remove cluster) auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); EXPECT_NE(retrieved_socket2, nullptr); - + // Verify both nodes and cluster are cleaned up EXPECT_EQ(getNodeToClusterMapping(node1), ""); EXPECT_EQ(getNodeToClusterMapping(node2), ""); cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 0); // No nodes in cluster + EXPECT_EQ(cluster_nodes.size(), 0); // No nodes in cluster EXPECT_EQ(getClusterToNodeMapSize(), 0); // Cluster completely removed } @@ -760,27 +770,29 @@ TEST_F(TestUpstreamSocketManager, FileEventAndTimerCleanup) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add sockets - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + // Verify file events and timers are created EXPECT_EQ(getFDToEventMapSize(), 2); EXPECT_EQ(getFDToTimerMapSize(), 2); - + // Get first socket - should clean up its file event and timer auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket1, nullptr); - + // Verify that the entry for the fd is removed from the maps EXPECT_FALSE(verifyFDToEventMap(123)); EXPECT_FALSE(verifyFDToTimerMap(123)); - + // Get second socket - should clean up remaining file event and timer auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket2, nullptr); - + // Verify all file events and timers are cleaned up EXPECT_EQ(getFDToEventMapSize(), 0); EXPECT_EQ(getFDToTimerMapSize(), 0); @@ -794,10 +806,10 @@ TEST_F(TestUpstreamSocketManager, MarkSocketNotPresentDead) { // Test MarkSocketDead with an fd which isn't in the fd_to_node_map_ // Should log debug and return early socket_manager_->markSocketDead(999); - + // Test with negative fd socket_manager_->markSocketDead(-1); - + // Test with zero fd socket_manager_->markSocketDead(0); } @@ -809,27 +821,29 @@ TEST_F(TestUpstreamSocketManager, MarkIdleSocketDead) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add sockets to the pool - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + // Verify initial state EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); EXPECT_TRUE(verifyFDToNodeMap(123)); - + // Mark first idle socket as dead socket_manager_->markSocketDead(123); - + // Verify markSocketDead touched the right maps: // 1. Socket removed from pool EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - // 2. FD mapping removed + // 2. FD mapping removed EXPECT_FALSE(verifyFDToNodeMap(123)); // 3. File event and timer cleaned up for this specific FD EXPECT_FALSE(verifyFDToEventMap(123)); EXPECT_FALSE(verifyFDToTimerMap(123)); - + // Verify remaining socket is still accessible auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket, nullptr); @@ -841,27 +855,28 @@ TEST_F(TestUpstreamSocketManager, MarkUsedSocketDead) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add socket to pool - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Verify socket is in pool EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); EXPECT_TRUE(verifyFDToNodeMap(123)); - + // Get the socket (removes it from pool, simulating "used" state) auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); EXPECT_NE(retrieved_socket, nullptr); - + // Verify socket is no longer in pool but FD mapping might still exist until cleanup EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - + // Mark the used socket as dead - should only update stats and return socket_manager_->markSocketDead(123); - + // Verify FD mapping is removed EXPECT_FALSE(verifyFDToNodeMap(123)); - + // Verify all mappings are cleaned up since no sockets remain EXPECT_EQ(getNodeToClusterMapping(node_id), ""); auto cluster_nodes = getClusterToNodeMapping(cluster_id); @@ -874,19 +889,20 @@ TEST_F(TestUpstreamSocketManager, MarkSocketDeadTriggerCleanup) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Verify mappings exist EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); auto cluster_nodes = getClusterToNodeMapping(cluster_id); EXPECT_EQ(cluster_nodes.size(), 1); - + // Mark the socket as dead socket_manager_->markSocketDead(123); - + // Verify complete cleanup occurred EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); EXPECT_EQ(getNodeToClusterMapping(node_id), ""); @@ -903,20 +919,23 @@ TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add multiple sockets - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, + false); + // Verify all sockets are added EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); EXPECT_EQ(getFDToEventMapSize(), 3); EXPECT_EQ(getFDToTimerMapSize(), 3); - + // Mark first socket as dead socket_manager_->markSocketDead(123); - + // Verify specific socket removed, others remain EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); EXPECT_EQ(getFDToEventMapSize(), 2); @@ -928,13 +947,13 @@ TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { // other socket still mapped EXPECT_TRUE(verifyFDToNodeMap(456)); EXPECT_TRUE(verifyFDToNodeMap(789)); - + // Node mappings should still exist EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - + // Mark second socket as dead socket_manager_->markSocketDead(456); - + // Verify specific socket removed EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); // FD mapping removed @@ -943,10 +962,10 @@ TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { EXPECT_FALSE(verifyFDToTimerMap(456)); // other socket still mapped EXPECT_TRUE(verifyFDToNodeMap(789)); - + // Mark last socket as dead - should trigger cleanup socket_manager_->markSocketDead(789); - + // Verify complete cleanup EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); EXPECT_EQ(getNodeToClusterMapping(node_id), ""); @@ -963,17 +982,21 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - // Add sockets first (this will trigger pingConnections via tryEnablePingTimer) - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - + // Add sockets first + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + // Verify sockets are added EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - + // Now get the IoHandles from the socket manager and set up mock expectations auto& sockets = getSocketsForNode(node_id); - auto* mock_io_handle1 = dynamic_cast*>(&sockets.front()->ioHandle()); - auto* mock_io_handle2 = dynamic_cast*>(&sockets.back()->ioHandle()); + auto* mock_io_handle1 = + dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = + dynamic_cast*>(&sockets.back()->ioHandle()); EXPECT_CALL(*mock_io_handle1, write(_)) .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { @@ -988,9 +1011,9 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; })); - // Manually call pingConnections to test the functionality - socket_manager_->pingConnections(node_id); - + // Manually call pingConnections + socket_manager_->pingConnections(); + // Verify sockets are still there (no cleanup occurred) EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); } @@ -1004,25 +1027,29 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { const std::chrono::seconds ping_interval(30); // Add sockets first (this will trigger pingConnections via tryEnablePingTimer) - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + // Verify sockets are added EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - + // Now get the IoHandles from the socket manager and set up mock expectations auto& sockets = getSocketsForNode(node_id); - auto* mock_io_handle1 = dynamic_cast*>(&sockets.front()->ioHandle()); - auto* mock_io_handle2 = dynamic_cast*>(&sockets.back()->ioHandle()); - + auto* mock_io_handle1 = + dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = + dynamic_cast*>(&sockets.back()->ioHandle()); + // Send failed ping on mock_io_handle1 and successful one on mock_io_handle2 EXPECT_CALL(*mock_io_handle1, write(_)) - .Times(1) // Called once - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate write attempt - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; - })); + .Times(1) // Called once + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate write attempt + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; + })); EXPECT_CALL(*mock_io_handle2, write(_)) .Times(1) // Called once .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { @@ -1034,26 +1061,27 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { // Manually call pingConnections to test the functionality socket_manager_->pingConnections(node_id); - + // Verify first socket was cleaned up but second socket remains (node not cleaned up) EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); // Second socket still there - EXPECT_FALSE(verifyFDToNodeMap(123)); // First socket removed - EXPECT_TRUE(verifyFDToNodeMap(456)); // Second socket still there - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Node mapping still exists - EXPECT_EQ(getAcceptedReverseConnectionsSize(), 1); // One node still exists - + EXPECT_FALSE(verifyFDToNodeMap(123)); // First socket removed + EXPECT_TRUE(verifyFDToNodeMap(456)); // Second socket still there + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Node mapping still exists + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 1); // One node still exists + // Now send failed ping on mock_io_handle2 to trigger ping failure and node cleanup EXPECT_CALL(*mock_io_handle2, write(_)) - .Times(1) // Called once during second ping - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate write attempt - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; - })); - - // Manually call pingConnections again. This should ping once socket2, fail and trigger node cleanup + .Times(1) // Called once during second ping + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate write attempt + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; + })); + + // Manually call pingConnections again. This should ping once socket2, fail and trigger node + // cleanup socket_manager_->pingConnections(node_id); - + // Verify complete cleanup occurred (both sockets removed due to node cleanup) EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); EXPECT_FALSE(verifyFDToNodeMap(123)); @@ -1068,25 +1096,26 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseValidResponse) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Create mock IoHandle for ping response auto mock_io_handle = std::make_unique>(); EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - + // Mock successful read with valid ping response const std::string ping_response = "RPING"; EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { - buffer.add(ping_response); - return Api::IoCallUint64Result{ping_response.size(), Api::IoError::none()}; - }); - + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(ping_response); + return Api::IoCallUint64Result{ping_response.size(), Api::IoError::none()}; + }); + // Call onPingResponse - should succeed and not mark socket dead socket_manager_->onPingResponse(*mock_io_handle); - + // Socket should still be alive EXPECT_TRUE(verifyFDToNodeMap(123)); } @@ -1097,14 +1126,15 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Create mock IoHandle for ping response auto mock_io_handle = std::make_unique>(); EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - + // Mock read error EXPECT_CALL(*mock_io_handle, read(_, _)) .WillOnce( @@ -1112,7 +1142,7 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { // Call onPingResponse - should mark socket dead due to read error socket_manager_->onPingResponse(*mock_io_handle); - + // Socket should be marked dead and removed EXPECT_FALSE(verifyFDToNodeMap(123)); } @@ -1123,21 +1153,22 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseConnectionClosed) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Create mock IoHandle for ping response auto mock_io_handle = std::make_unique>(); EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - + // Mock connection closed (0 bytes read) EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce(Return(Api::IoCallUint64Result{0, Api::IoError::none()})); - + .WillOnce(Return(Api::IoCallUint64Result{0, Api::IoError::none()})); + // Call onPingResponse - should mark socket dead due to connection closed socket_manager_->onPingResponse(*mock_io_handle); - + // Socket should be marked dead and removed EXPECT_FALSE(verifyFDToNodeMap(123)); } @@ -1148,25 +1179,26 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseInvalidData) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - + // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Create mock IoHandle for ping response auto mock_io_handle = std::make_unique>(); EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - + // Mock successful read but with invalid ping response const std::string invalid_response = "INVALID_DATA"; EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { - buffer.add(invalid_response); - return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; - }); - + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(invalid_response); + return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; + }); + // Call onPingResponse - should mark socket dead due to invalid response socket_manager_->onPingResponse(*mock_io_handle); - + // Socket should be marked dead and removed EXPECT_FALSE(verifyFDToNodeMap(123)); } @@ -1176,25 +1208,27 @@ class TestReverseTunnelAcceptor : public testing::Test { TestReverseTunnelAcceptor() { // Set up the stats scope stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - + // Set up the mock context EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - + // Create the config config_.set_stat_prefix("test_prefix"); - + // Create the socket interface socket_interface_ = std::make_unique(context_); - + // Create the extension - extension_ = std::make_unique( - *socket_interface_, context_, config_); - + extension_ = + std::make_unique(*socket_interface_, context_, config_); + // Set up mock dispatcher with default expectations - EXPECT_CALL(dispatcher_, createTimer_(_)).WillRepeatedly(testing::ReturnNew>()); - EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)).WillRepeatedly(testing::ReturnNew>()); - + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + // Create the socket manager with real extension socket_manager_ = std::make_unique(dispatcher_, extension_.get()); } @@ -1202,7 +1236,7 @@ class TestReverseTunnelAcceptor : public testing::Test { void TearDown() override { tls_slot_.reset(); thread_local_registry_.reset(); - + socket_manager_.reset(); extension_.reset(); socket_interface_.reset(); @@ -1212,73 +1246,79 @@ class TestReverseTunnelAcceptor : public testing::Test { void setupThreadLocalSlot() { // First, call onServerInitialized to set up the extension reference properly extension_->onServerInitialized(); - + // Create a thread local registry with the properly initialized extension - thread_local_registry_ = std::make_shared(dispatcher_, extension_.get()); - + thread_local_registry_ = + std::make_shared(dispatcher_, extension_.get()); + // Create the actual TypedSlot tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - + // Set up the slot to return our registry tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - + // Override the TLS slot with our test version extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); } // Helper to create a mock socket with proper address setup - Network::ConnectionSocketPtr createMockSocket(int fd = 123, - const std::string& local_addr = "127.0.0.1:8080", - const std::string& remote_addr = "127.0.0.1:9090") { + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { auto socket = std::make_unique>(); - + // Parse local address (IP:port format) auto local_colon_pos = local_addr.find(':'); std::string local_ip = local_addr.substr(0, local_colon_pos); uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); - + // Parse remote address (IP:port format) auto remote_colon_pos = remote_addr.find(':'); std::string remote_ip = remote_addr.substr(0, remote_colon_pos); uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); - + // Create a mock IO handle and set it up auto mock_io_handle = std::make_unique>(); auto* mock_io_handle_ptr = mock_io_handle.get(); EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); - + // Store the mock_io_handle in the socket socket->io_handle_ = std::move(mock_io_handle); - + // Set up connection info provider with the desired addresses socket->connection_info_provider_->setLocalAddress(local_address); socket->connection_info_provider_->setRemoteAddress(remote_address); - + return socket; } // Helper to create an address with a specific logical name for testing. This allows us to test // reverse connection address socket creation. - Network::Address::InstanceConstSharedPtr createAddressWithLogicalName(const std::string& logical_name) { + Network::Address::InstanceConstSharedPtr + createAddressWithLogicalName(const std::string& logical_name) { // Create a simple address that returns the specified logical name class TestAddress : public Network::Address::Instance { public: TestAddress(const std::string& logical_name) : logical_name_(logical_name) { address_string_ = "127.0.0.1:8080"; // Dummy address string } - - bool operator==(const Instance& rhs) const override { return logical_name_ == rhs.logicalName(); } + + bool operator==(const Instance& rhs) const override { + return logical_name_ == rhs.logicalName(); + } Network::Address::Type type() const override { return Network::Address::Type::Ip; } const std::string& asString() const override { return address_string_; } absl::string_view asStringView() const override { return address_string_; } const std::string& logicalName() const override { return logical_name_; } const Network::Address::Ip* ip() const override { return nullptr; } const Network::Address::Pipe* pipe() const override { return nullptr; } - const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } const sockaddr* sockAddr() const override { return nullptr; } socklen_t sockAddrLen() const override { return 0; } absl::string_view addressType() const override { return "test"; } @@ -1286,12 +1326,12 @@ class TestReverseTunnelAcceptor : public testing::Test { const Network::SocketInterface& socketInterface() const override { return Network::SocketInterfaceSingleton::get(); } - + private: std::string logical_name_; std::string address_string_; }; - + return std::make_shared(logical_name); } @@ -1300,14 +1340,14 @@ class TestReverseTunnelAcceptor : public testing::Test { Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_; - + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: UpstreamReverseConnectionSocketInterface config_; - + std::unique_ptr socket_interface_; std::unique_ptr extension_; std::unique_ptr socket_manager_; - + // Real thread local slot and registry std::unique_ptr> tls_slot_; std::shared_ptr thread_local_registry_; @@ -1322,7 +1362,7 @@ TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryNoExtension) { TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryWithExtension) { // Test getLocalRegistry when extension is set setupThreadLocalSlot(); - + auto* registry = socket_interface_->getLocalRegistry(); EXPECT_NE(registry, nullptr); EXPECT_EQ(registry, thread_local_registry_.get()); @@ -1343,63 +1383,74 @@ TEST_F(TestReverseTunnelAcceptor, CreateEmptyConfigProto) { TEST_F(TestReverseTunnelAcceptor, SocketWithoutAddress) { // Test socket() without address - should return nullptr Network::SocketCreationOptions options; - auto result = socket_interface_->socket(Network::Socket::Type::Stream, - Network::Address::Type::Ip, - Network::Address::IpVersion::v4, - false, - options); - EXPECT_EQ(result, nullptr); + auto io_handle = + socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v4, false, options); + EXPECT_EQ(io_handle, nullptr); } TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { - // Test socket() with address but no thread local slot initialized - should fall back to default - auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); - + // Test socket() with reverse connection address but no thread local slot initialized - should + // fall back to default socket interface Do not setup thread local slot + const std::string node_id = "test-node"; + auto address = createAddressWithLogicalName(node_id); Network::SocketCreationOptions options; - auto result = socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(result, nullptr); // Should return default socket interface + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); // Should return default socket interface + + // Verify that the io_handle is a default IoHandle, not an UpstreamReverseConnectionIOHandle + EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); } -TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoSockets) { - // Test socket() with address and thread local slot but no cached sockets +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoCachedSockets) { + // Test socket() with reverse connection address and thread local slot but no cached sockets - + // should fall back to default socket interface setupThreadLocalSlot(); - - auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); - + + const std::string node_id = "test-node"; + auto address = createAddressWithLogicalName(node_id); + + // Call socket() before calling addConnectionSocket() so that no sockets are cacheds Network::SocketCreationOptions options; - auto result = socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(result, nullptr); // Should fall back to default socket interface + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); // Should fall back to default socket interface + + // Verify that the io_handle is a default IoHandle, not an UpstreamReverseConnectionIOHandle + EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); } -TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalWithSockets) { +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalWithCachedSockets) { // Test socket() with address and thread local slot with cached sockets setupThreadLocalSlot(); - + // Get the socket manager from the thread local registry auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); EXPECT_NE(tls_socket_manager, nullptr); - - // Add a socket to the thread local socket manager (not the test's socket_manager_) + + // Add a socket to the thread local socket manager auto socket = createMockSocket(123); const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; const std::chrono::seconds ping_interval(30); - - tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, false); - + + tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + // Create address with the same logical name as the node_id auto address = createAddressWithLogicalName(node_id); - + Network::SocketCreationOptions options; auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); EXPECT_NE(io_handle, nullptr); // Should return cached socket - + // Verify that we got an UpstreamReverseConnectionIOHandle auto* upstream_io_handle = dynamic_cast(io_handle.get()); EXPECT_NE(upstream_io_handle, nullptr); - // Try to get another socket for the same node. This will return a default IoHandle, not an UpstreamReverseConnectionIOHandle - auto another_io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + // Try to get another socket for the same node. This will return a default IoHandle, not an + // UpstreamReverseConnectionIOHandle + auto another_io_handle = + socket_interface_->socket(Network::Socket::Type::Stream, address, options); EXPECT_NE(another_io_handle, nullptr); // This should be a default IoHandle, not an UpstreamReverseConnectionIOHandle EXPECT_EQ(dynamic_cast(another_io_handle.get()), nullptr); @@ -1417,23 +1468,21 @@ class TestUpstreamReverseConnectionIOHandle : public testing::Test { TestUpstreamReverseConnectionIOHandle() { // Create a mock socket for testing mock_socket_ = std::make_unique>(); - + // Create a mock IO handle auto mock_io_handle = std::make_unique>(); EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - + // Store the mock IO handle in the socket mock_socket_->io_handle_ = std::move(mock_io_handle); - + // Create the IO handle under test - io_handle_ = std::make_unique( - std::move(mock_socket_), "test-cluster"); + io_handle_ = std::make_unique(std::move(mock_socket_), + "test-cluster"); } - void TearDown() override { - io_handle_.reset(); - } + void TearDown() override { io_handle_.reset(); } std::unique_ptr> mock_socket_; std::unique_ptr io_handle_; @@ -1442,10 +1491,10 @@ class TestUpstreamReverseConnectionIOHandle : public testing::Test { TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { // Test that connect() returns success immediately for reverse connections auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); - + // For UpstreamReverseConnectionIOHandle, connect() is a no-op. auto result = io_handle_->connect(address); - + // Should return success (0) with no error EXPECT_EQ(result.return_value_, 0); EXPECT_EQ(result.errno_, 0); @@ -1454,7 +1503,7 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { // Test that close() properly cleans up the owned socket auto result = io_handle_->close(); - + // Should successfully close the socket and return EXPECT_EQ(result.err_, nullptr); } @@ -1462,7 +1511,7 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { // Test that getSocket() returns a const reference to the owned socket const auto& socket = io_handle_->getSocket(); - + // Should return a valid reference EXPECT_NE(&socket, nullptr); } @@ -1470,4 +1519,4 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy From b435b2d2192c8d713fdff22e94c0e354fc8ff153 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 22 Jul 2025 09:06:35 +0000 Subject: [PATCH 031/505] draft changes for listener filter test Signed-off-by: Basundhara Chakrabarty --- .../filters/listener/reverse_connection/BUILD | 48 ++ .../reverse_connection_config_test.cc | 233 ++++++ .../reverse_connection_test.cc | 668 ++++++++++++++++++ 3 files changed, 949 insertions(+) create mode 100644 test/extensions/filters/listener/reverse_connection/BUILD create mode 100644 test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc create mode 100644 test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc diff --git a/test/extensions/filters/listener/reverse_connection/BUILD b/test/extensions/filters/listener/reverse_connection/BUILD new file mode 100644 index 0000000000000..805d0baee29e4 --- /dev/null +++ b/test/extensions/filters/listener/reverse_connection/BUILD @@ -0,0 +1,48 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "reverse_connection_test", + srcs = ["reverse_connection_test.cc"], + extension_names = ["envoy.filters.listener.reverse_connection"], + rbe_pool = "6gig", + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/network:listener_filter_buffer_lib", + "//source/common/network:utility_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_utility_lib", + "//source/extensions/filters/listener/reverse_connection:config_lib", + "//source/extensions/filters/listener/reverse_connection:reverse_connection_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + "//test/test_common:utility_lib", + "@envoy_api//envoy/config/listener/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/listener/reverse_connection/v3:pkg_cc_proto", + ], +) + +envoy_extension_cc_test( + name = "reverse_connection_config_test", + srcs = ["reverse_connection_config_test.cc"], + extension_names = ["envoy.filters.listener.reverse_connection"], + rbe_pool = "6gig", + deps = [ + "//source/extensions/filters/listener/reverse_connection:config_factory_lib", + "//source/extensions/filters/listener/reverse_connection:config_lib", + "//source/extensions/filters/listener/reverse_connection:reverse_connection_lib", + "//test/mocks/server:listener_factory_context_mocks", + "//test/test_common:utility_lib", + "@envoy_api//envoy/extensions/filters/listener/reverse_connection/v3:pkg_cc_proto", + ], +) \ No newline at end of file diff --git a/test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc b/test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc new file mode 100644 index 0000000000000..45b3d0ce86e39 --- /dev/null +++ b/test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc @@ -0,0 +1,233 @@ +#include "source/extensions/filters/listener/reverse_connection/config.h" +#include "source/extensions/filters/listener/reverse_connection/config_factory.h" +#include "source/extensions/filters/listener/reverse_connection/reverse_connection.h" + +#include "test/mocks/server/listener_factory_context.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::Invoke; +using testing::NiceMock; + +namespace Envoy { +namespace Extensions { +namespace ListenerFilters { +namespace ReverseConnection { +namespace { + +TEST(ReverseConnectionConfigTest, DefaultConfig) { + envoy::extensions::filters::listener::reverse_connection::v3::ReverseConnection proto_config; + + Config config(proto_config); + + // Test default ping wait timeout (10 seconds) + EXPECT_EQ(config.pingWaitTimeout().count(), 10); +} + +TEST(ReverseConnectionConfigTest, CustomConfig) { + envoy::extensions::filters::listener::reverse_connection::v3::ReverseConnection proto_config; + proto_config.set_ping_wait_timeout(google::protobuf::Duration()); + proto_config.mutable_ping_wait_timeout()->set_seconds(30); + + Config config(proto_config); + + // Test custom ping wait timeout (30 seconds) + EXPECT_EQ(config.pingWaitTimeout().count(), 30); +} + +TEST(ReverseConnectionConfigTest, ZeroTimeout) { + envoy::extensions::filters::listener::reverse_connection::v3::ReverseConnection proto_config; + proto_config.set_ping_wait_timeout(google::protobuf::Duration()); + proto_config.mutable_ping_wait_timeout()->set_seconds(0); + + Config config(proto_config); + + // Test zero ping wait timeout + EXPECT_EQ(config.pingWaitTimeout().count(), 0); +} + +TEST(ReverseConnectionConfigFactoryTest, TestCreateFactory) { + const std::string yaml = R"EOF( + ping_wait_timeout: + seconds: 15 + )EOF"; + + ReverseConnectionConfigFactory factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + NiceMock context; + + Network::ListenerFilterFactoryCb cb = + factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); + Network::MockListenerFilterManager manager; + Network::ListenerFilterPtr added_filter; + EXPECT_CALL(manager, addAcceptFilter_(_, _)) + .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, + Network::ListenerFilterPtr& filter) { + added_filter = std::move(filter); + })); + cb(manager); + + // Make sure we actually create the correct type! + EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); +} + +TEST(ReverseConnectionConfigFactoryTest, TestCreateFactoryWithDefaultConfig) { + const std::string yaml = R"EOF( + {} + )EOF"; + + ReverseConnectionConfigFactory factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + NiceMock context; + + Network::ListenerFilterFactoryCb cb = + factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); + Network::MockListenerFilterManager manager; + Network::ListenerFilterPtr added_filter; + EXPECT_CALL(manager, addAcceptFilter_(_, _)) + .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, + Network::ListenerFilterPtr& filter) { + added_filter = std::move(filter); + })); + cb(manager); + + // Make sure we actually create the correct type! + EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); +} + +TEST(ReverseConnectionConfigFactoryTest, TestCreateFactoryWithZeroTimeout) { + const std::string yaml = R"EOF( + ping_wait_timeout: + seconds: 0 + )EOF"; + + ReverseConnectionConfigFactory factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + NiceMock context; + + Network::ListenerFilterFactoryCb cb = + factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); + Network::MockListenerFilterManager manager; + Network::ListenerFilterPtr added_filter; + EXPECT_CALL(manager, addAcceptFilter_(_, _)) + .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, + Network::ListenerFilterPtr& filter) { + added_filter = std::move(filter); + })); + cb(manager); + + // Make sure we actually create the correct type! + EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); +} + +TEST(ReverseConnectionConfigFactoryTest, TestCreateFactoryWithMatcher) { + const std::string yaml = R"EOF( + ping_wait_timeout: + seconds: 20 + )EOF"; + + ReverseConnectionConfigFactory factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + NiceMock context; + + // Create a mock filter matcher + auto matcher = std::make_shared(); + + Network::ListenerFilterFactoryCb cb = + factory.createListenerFilterFactoryFromProto(*proto_config, matcher, context); + Network::MockListenerFilterManager manager; + Network::ListenerFilterPtr added_filter; + EXPECT_CALL(manager, addAcceptFilter_(_, _)) + .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, + Network::ListenerFilterPtr& filter) { + added_filter = std::move(filter); + })); + cb(manager); + + // Make sure we actually create the correct type! + EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); +} + +TEST(ReverseConnectionConfigFactoryTest, TestCreateEmptyConfigProto) { + ReverseConnectionConfigFactory factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + + EXPECT_NE(proto_config, nullptr); + + // Verify it's the correct type + auto* reverse_connection_config = + dynamic_cast( + proto_config.get()); + EXPECT_NE(reverse_connection_config, nullptr); +} + +TEST(ReverseConnectionConfigFactoryTest, TestFactoryRegistration) { + const std::string filter_name = "envoy.filters.listener.reverse_connection"; + + // Test that the factory is registered + Server::Configuration::NamedListenerFilterConfigFactory* factory = + Registry::FactoryRegistry:: + getFactory(filter_name); + + EXPECT_NE(factory, nullptr); + EXPECT_EQ(factory->name(), filter_name); +} + +TEST(ReverseConnectionConfigFactoryTest, TestFactoryWithValidation) { + const std::string yaml = R"EOF( + ping_wait_timeout: + seconds: 25 + nanos: 500000000 + )EOF"; + + ReverseConnectionConfigFactory factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()) + .WillRepeatedly(ReturnRef(ProtobufMessage::getStrictValidationVisitor())); + + Network::ListenerFilterFactoryCb cb = + factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); + Network::MockListenerFilterManager manager; + Network::ListenerFilterPtr added_filter; + EXPECT_CALL(manager, addAcceptFilter_(_, _)) + .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, + Network::ListenerFilterPtr& filter) { + added_filter = std::move(filter); + })); + cb(manager); + + // Make sure we actually create the correct type! + EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); +} + +TEST(ReverseConnectionConfigFactoryTest, TestFactoryWithInvalidConfig) { + // Create an invalid config by using a different message type + auto invalid_config = std::make_unique(); + + ReverseConnectionConfigFactory factory; + NiceMock context; + + // This should throw an exception due to invalid message type + EXPECT_THROW( + factory.createListenerFilterFactoryFromProto(*invalid_config, nullptr, context), + EnvoyException); +} + +} // namespace +} // namespace ReverseConnection +} // namespace ListenerFilters +} // namespace Extensions +} // namespace Envoy \ No newline at end of file diff --git a/test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc b/test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc new file mode 100644 index 0000000000000..4ba61e3c16799 --- /dev/null +++ b/test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc @@ -0,0 +1,668 @@ +#include +#include +#include + +#include "envoy/network/connection.h" +#include "envoy/network/filter.h" +#include "envoy/network/listen_socket.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/utility.h" +#include "source/extensions/filters/listener/reverse_connection/reverse_connection.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/network/mocks.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace ListenerFilters { +namespace ReverseConnection { + +class ReverseConnectionFilterTest : public testing::Test { +protected: + ReverseConnectionFilterTest() = default; + + // Helper to create a mock socket with proper address setup + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + // Parse local address (IP:port format) + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + // Parse remote address (IP:port format) + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + // Create a mock IO handle and set it up + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + // Store the mock_io_handle in the socket + socket->io_handle_ = std::move(mock_io_handle); + + // Set up connection info provider with the desired addresses + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + // Helper to create a mock timer + Event::MockTimer* createMockTimer() { + auto timer = new NiceMock(); + EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(timer)); + return timer; + } + + NiceMock dispatcher_{"worker_0"}; +}; + +TEST_F(ReverseConnectionFilterTest, Constructor) { + // Test that constructor doesn't crash and creates a valid instance + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + EXPECT_EQ(config.pingWaitTimeout().count(), 1000); +} + +TEST_F(ReverseConnectionFilterTest, OnAccept) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept + Network::FilterStatus status = filter.onAccept(callbacks); + + // Should return StopIteration to wait for data + EXPECT_EQ(status, Network::FilterStatus::StopIteration); +} + +TEST_F(ReverseConnectionFilterTest, OnAcceptWithZeroTimeout) { + Config config(std::chrono::milliseconds(0)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(0), nullptr)); + + // Call onAccept + Network::FilterStatus status = filter.onAccept(callbacks); + + // Should return StopIteration to wait for data + EXPECT_EQ(status, Network::FilterStatus::StopIteration); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithValidPingMessage) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create mock IO handle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful write for ping response + EXPECT_CALL(*mock_io_handle, write(_)) + .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{5, Api::IoError::none()}; + })); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Create buffer with valid ping message + Buffer::OwnedImpl buffer("RPING"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(true)); + + // Call onData with valid ping message + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return TryAgainLater to wait for more data + EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithHttpEmbeddedPingMessage) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create mock IO handle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful write for ping response + EXPECT_CALL(*mock_io_handle, write(_)) + .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{5, Api::IoError::none()}; + })); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Create buffer with HTTP-embedded ping message + std::string http_ping = "GET /ping HTTP/1.1\r\nHost: example.com\r\n\r\nRPING"; + Buffer::OwnedImpl buffer(http_ping); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(true)); + + // Call onData with HTTP-embedded ping message + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return TryAgainLater to wait for more data + EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithNonPingMessage) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create buffer with non-ping message + Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + + // Call onData with non-ping message + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return Continue to proceed with normal processing + EXPECT_EQ(status, Network::FilterStatus::Continue); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithEmptyBuffer) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create empty buffer + Buffer::OwnedImpl buffer(""); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + + // Call onData with empty buffer + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return Error due to remote connection closed + EXPECT_EQ(status, Network::FilterStatus::StopIteration); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithPartialPingMessage) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create buffer with partial ping message + Buffer::OwnedImpl buffer("RPI"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + + // Call onData with partial ping message + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return TryAgainLater to wait for more data + EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithPingResponseWriteFailure) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create mock IO handle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock failed write for ping response + EXPECT_CALL(*mock_io_handle, write(_)) + .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate write attempt + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; + })); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Create buffer with valid ping message + Buffer::OwnedImpl buffer("RPING"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(true)); + + // Call onData with valid ping message + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return TryAgainLater even if write fails (logs error but continues) + EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); +} + +TEST_F(ReverseConnectionFilterTest, OnDataWithBufferDrainFailure) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create mock IO handle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful write for ping response + EXPECT_CALL(*mock_io_handle, write(_)) + .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{5, Api::IoError::none()}; + })); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Create buffer with valid ping message + Buffer::OwnedImpl buffer("RPING"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(false)); + + // Call onData with valid ping message + Network::FilterStatus status = filter.onData(filter_buffer); + + // Should return TryAgainLater even if drain fails (logs error but continues) + EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); +} + +TEST_F(ReverseConnectionFilterTest, OnPingWaitTimeout) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Expect continueFilterChain to be called with false + EXPECT_CALL(callbacks, continueFilterChain(false)); + + // Call onPingWaitTimeout + filter.onPingWaitTimeout(); +} + +TEST_F(ReverseConnectionFilterTest, OnClose) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create mock IO handle + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Expect close to be called on the IO handle + EXPECT_CALL(*mock_io_handle, close()); + + // Call onClose + filter.onClose(); +} + +TEST_F(ReverseConnectionFilterTest, OnCloseWithUsedConnection) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Create mock IO handle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful write for ping response + EXPECT_CALL(*mock_io_handle, write(_)) + .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{5, Api::IoError::none()}; + })); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Create buffer with non-ping message to mark connection as used + Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + + // Call onData to mark connection as used + filter.onData(filter_buffer); + + // Call onClose - should not close the IO handle since connection was used + filter.onClose(); +} + +TEST_F(ReverseConnectionFilterTest, DestructorWithUnusedConnection) { + Config config(std::chrono::milliseconds(1000)); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Create filter and call onAccept + { + Filter filter(config); + filter.onAccept(callbacks); + + // Expect socket close to be called in destructor for unused connection + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_socket_ptr, close()); + } + // Filter goes out of scope here, destructor should be called +} + +TEST_F(ReverseConnectionFilterTest, DestructorWithUsedConnection) { + Config config(std::chrono::milliseconds(1000)); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Create filter and call onAccept + { + Filter filter(config); + filter.onAccept(callbacks); + + // Create mock IO handle for ping response + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + // Mock successful write for ping response + EXPECT_CALL(*mock_io_handle, write(_)) + .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + // Drain the buffer to simulate successful write + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{5, Api::IoError::none()}; + })); + + // Set up the socket's IO handle + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Create buffer with non-ping message to mark connection as used + Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"); + NiceMock filter_buffer; + EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ + const_cast(static_cast(buffer.toString().data())), buffer.length()})); + + // Call onData to mark connection as used + filter.onData(filter_buffer); + + // Expect socket close NOT to be called in destructor for used connection + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + // No EXPECT_CALL for close() since connection was used + } + // Filter goes out of scope here, destructor should be called +} + +TEST_F(ReverseConnectionFilterTest, DestructorWithClosedSocket) { + Config config(std::chrono::milliseconds(1000)); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Create filter and call onAccept + { + Filter filter(config); + filter.onAccept(callbacks); + + // Expect socket close NOT to be called in destructor for closed socket + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(false)); + // No EXPECT_CALL for close() since socket is already closed + } + // Filter goes out of scope here, destructor should be called +} + +TEST_F(ReverseConnectionFilterTest, MaxReadBytes) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Test that maxReadBytes returns the correct value + size_t max_bytes = filter.maxReadBytes(); + EXPECT_EQ(max_bytes, 5); // "RPING" is 5 bytes +} + +TEST_F(ReverseConnectionFilterTest, Fd) { + Config config(std::chrono::milliseconds(1000)); + Filter filter(config); + + // Create mock socket + auto socket = createMockSocket(123); + auto* mock_socket_ptr = socket.get(); + + // Create mock callbacks + NiceMock callbacks; + EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); + + // Create mock timer + auto* mock_timer = createMockTimer(); + EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); + + // Call onAccept first + filter.onAccept(callbacks); + + // Test that fd() returns the correct file descriptor + int fd = filter.fd(); + EXPECT_EQ(fd, 123); +} + +} // namespace ReverseConnection +} // namespace ListenerFilters +} // namespace Extensions +} // namespace Envoy \ No newline at end of file From 81df680930711039976d7a59bdd5ea7829d072e1 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 22 Jul 2025 08:36:49 -0400 Subject: [PATCH 032/505] tests: avoid flakes in xds_failover_integration_test-GoogleGrpc case by waiting for a stream before disconnecting (#40327) Signed-off-by: Adi Suissa-Peleg --- .../grpc/xds_failover_integration_test.cc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc b/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc index eb02ed99510a6..e8756253c4670 100644 --- a/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc +++ b/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc @@ -179,6 +179,15 @@ class XdsFailoverAdsIntegrationTest : public AdsDeltaSotwIntegrationSubStatePara void primaryConnectionFailure() { AssertionResult result = xds_upstream_->waitForHttpConnection(*dispatcher_, xds_connection_); RELEASE_ASSERT(result, result.message()); + // When GoogleGrpc is used, there may be cases where the connection will be + // disconnected before the gRPC library observes the TLS handshake, which will + // end up in a fast retry without notifying Envoy that the connection was + // disconnected. We wait for a stream to ensure that the gRPC library + // observed a successful connection. + if (clientType() == Grpc::ClientType::GoogleGrpc) { + result = xds_connection_->waitForNewStream(*dispatcher_, xds_stream_); + RELEASE_ASSERT(result, result.message()); + } result = xds_connection_->close(); RELEASE_ASSERT(result, result.message()); } From ad6af72b4fcd7bf5fcb65f79676c2ee02116fe47 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 22 Jul 2025 08:50:55 -0400 Subject: [PATCH 033/505] docs: clean up the header validator docs and make it consistent (#40332) Signed-off-by: Rohit Agrawal --- .../envoy_default/v3/header_validator.proto | 146 +++++++++++++----- 1 file changed, 111 insertions(+), 35 deletions(-) diff --git a/api/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto b/api/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto index b0dc6ce84991e..0a1e88fb56db7 100644 --- a/api/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto +++ b/api/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto @@ -15,25 +15,33 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // This extension validates that HTTP request and response headers are well formed according to respective RFCs. // -// #. HTTP/1 header map validity according to `RFC 7230 section 3.2 `_ -// #. Syntax of HTTP/1 request target URI and response status -// #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2 `_ -// #. Syntax of HTTP/2 pseudo headers -// #. HTTP/3 header map validity according to `RFC 9114 section 4.3 `_ -// #. Syntax of HTTP/3 pseudo headers -// #. Syntax of Content-Length and Transfer-Encoding -// #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers +// The validator performs comprehensive HTTP header validation including: +// +// #. HTTP/1 header map validity according to `RFC 7230 section 3.2 `_. +// #. Syntax of HTTP/1 request target URI and response status. +// #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2 `_. +// #. Syntax of HTTP/2 pseudo headers. +// #. HTTP/3 header map validity according to `RFC 9114 section 4.3 `_. +// #. Syntax of HTTP/3 pseudo headers. +// #. Syntax of Content-Length and Transfer-Encoding. +// #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers. // #. Normalization of the URI path according to `Normalization and Comparison `_ -// without `case normalization `_ +// without `case normalization `_. +// +// This validator ensures that HTTP traffic processed by Envoy conforms to established +// standards and helps prevent issues caused by malformed headers or invalid HTTP syntax. // // [#comment:TODO(yanavlasov): Put #extension: envoy.http.header_validators.envoy_default after it is not hidden any more] // [#next-free-field: 6] message HeaderValidatorConfig { // Action to take when Envoy receives client request with header names containing underscore // characters. - // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented - // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore - // characters. + // + // Underscore character is allowed in header names by RFC-7230, and this behavior is implemented + // as a security measure due to systems that treat ``_`` and ``-`` as interchangeable. Envoy by + // default allows client request headers with underscore characters. + // + // This setting provides control over how to handle such headers for security and compatibility reasons. enum HeadersWithUnderscoresAction { // Allow headers with underscores. This is the default behavior. ALLOW = 0; @@ -51,102 +59,170 @@ message HeaderValidatorConfig { DROP_HEADER = 2; } + // Configuration options for URI path normalization and transformation. + // + // These options control how Envoy processes and normalizes incoming request URI paths + // to ensure consistent behavior and security. Path normalization helps prevent + // path traversal attacks and ensures that equivalent paths are handled consistently. message UriPathNormalizationOptions { // Determines the action for requests that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path. // This operation occurs before URL normalization and the merge slashes transformations if they were enabled. + // + // Escaped slash sequences in URLs can be used for path confusion attacks, so proper handling + // is important for security. enum PathWithEscapedSlashesAction { // Default behavior specific to implementation (i.e. Envoy) of this configuration option. // Envoy, by default, takes the ``KEEP_UNCHANGED`` action. - // NOTE: the implementation may change the default behavior at-will. + // + // .. note:: + // + // The implementation may change the default behavior at-will. + // IMPLEMENTATION_SPECIFIC_DEFAULT = 0; - // Keep escaped slashes. + // Keep escaped slashes unchanged in the URI path. + // This preserves the original request path without any modifications to escaped sequences. KEEP_UNCHANGED = 1; // Reject client request with the 400 status. gRPC requests will be rejected with the ``INTERNAL`` (13) error code. - // The ``http#.downstream_rq_failed_path_normalization`` counter is incremented for each rejected request. + // The :ref:`httpN.downstream_rq_failed_path_normalization ` counter is incremented for each rejected request. + // + // This is the safest option when security is a primary concern, as it prevents any potential + // path confusion attacks by rejecting requests with escaped slashes entirely. REJECT_REQUEST = 2; // Unescape ``%2F`` and ``%5C`` sequences and redirect the request to the new path if these sequences were present. // The redirect occurs after path normalization and merge slashes transformations if they were configured. - // NOTE: gRPC requests will be rejected with the ``INTERNAL`` (13) error code. - // This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to - // traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. - // The ``http#.downstream_rq_redirected_with_normalized_path`` counter is incremented for each + // + // .. note:: + // + // gRPC requests will be rejected with the ``INTERNAL`` (13) error code. + // This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to + // traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. + // + // The :ref:`httpN.downstream_rq_redirected_with_normalized_path ` counter is incremented for each // redirected request. UNESCAPE_AND_REDIRECT = 3; // Unescape ``%2F`` and ``%5C`` sequences. - // Note: this option should not be enabled if intermediaries perform path based access control as - // it may lead to path confusion vulnerabilities. + // + // .. attention:: + // + // This option should not be enabled if intermediaries perform path based access control as + // it may lead to path confusion vulnerabilities. + // UNESCAPE_AND_FORWARD = 4; } // Should paths be normalized according to RFC 3986? + // // This operation overwrites the original request URI path and the new path is used for processing of // the request by HTTP filters and proxied to the upstream service. // Envoy will respond with 400 to requests with malformed paths that fail path normalization. // The default behavior is to normalize the path. + // // This value may be overridden by the runtime variable // :ref:`http_connection_manager.normalize_path`. // See `Normalization and Comparison `_ // for details of normalization. - // Note that Envoy does not perform - // `case normalization `_ - // URI path normalization can be applied to a portion of requests by setting the - // ``envoy_default_header_validator.path_normalization`` runtime value. + // + // .. note:: + // + // Envoy does not perform + // `case normalization `_. + // URI path normalization can be applied to a portion of requests by setting the + // ``envoy_default_header_validator.path_normalization`` runtime value. + // bool skip_path_normalization = 1; // Determines if adjacent slashes in the path are merged into one. + // // This operation overwrites the original request URI path and the new path is used for processing of // the request by HTTP filters and proxied to the upstream service. - // Setting this option to true will cause incoming requests with path ``//dir///file`` to not match against - // route with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of - // `HTTP spec `_ and is provided for convenience. - // Merging of slashes in URI path can be applied to a portion of requests by setting the - // ``envoy_default_header_validator.merge_slashes`` runtime value. + // Setting this option to ``true`` will cause incoming requests with path ``//dir///file`` to not match against + // route with ``prefix`` match set to ``/dir``. Defaults to ``false``. + // + // .. note:: + // + // Slash merging is not part of the + // `HTTP spec `_ and is provided for convenience. + // Merging of slashes in URI path can be applied to a portion of requests by setting the + // ``envoy_default_header_validator.merge_slashes`` runtime value. + // bool skip_merging_slashes = 2; // The action to take when request URL path contains escaped slash sequences (``%2F``, ``%2f``, ``%5C`` and ``%5c``). + // // This operation may overwrite the original request URI path and the new path is used for processing of // the request by HTTP filters and proxied to the upstream service. + // + // The handling of escaped slashes is important for security as these sequences can be used + // in path confusion attacks to bypass access controls. PathWithEscapedSlashesAction path_with_escaped_slashes_action = 3 [(validate.rules).enum = {defined_only: true}]; } + // HTTP/1 protocol specific options for header validation. + // + // These options control how Envoy handles HTTP/1 specific behaviors and edge cases + // that may not apply to HTTP/2 or HTTP/3 protocols. message Http1ProtocolOptions { // Allows Envoy to process HTTP/1 requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` // headers set. By default such messages are rejected, but if option is enabled - Envoy will // remove the ``Content-Length`` header and process the message. + // // See `RFC7230, sec. 3.3.3 `_ for details. // // .. attention:: + // // Enabling this option might lead to request smuggling vulnerabilities, especially if traffic // is proxied via multiple layers of proxies. + // bool allow_chunked_length = 1; } + // HTTP/1 protocol specific options. + // These settings control HTTP/1 specific validation behaviors. Http1ProtocolOptions http1_protocol_options = 1; // The URI path normalization options. + // // By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions // `. // URI path transformations specified by the ``uri_path_normalization_options`` configuration can be applied to a portion // of requests by setting the ``envoy_default_header_validator.uri_path_transformations`` runtime value. - // Caution: disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service - // selection. + // + // .. attention:: + // + // Disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service + // selection. + // UriPathNormalizationOptions uri_path_normalization_options = 2; - // Restrict HTTP methods to these defined in the `RFC 7231 section 4.1 `_ + // Restrict HTTP methods to these defined in the `RFC 7231 section 4.1 `_. + // // Envoy will respond with 400 to requests with disallowed methods. // By default methods with arbitrary names are accepted. + // + // This setting helps enforce HTTP compliance and can prevent attacks that rely on + // non-standard HTTP methods. bool restrict_http_methods = 3; // Action to take when a client request with a header name containing underscore characters is received. - // If this setting is not specified, the value defaults to ALLOW. + // + // If this setting is not specified, the value defaults to ``ALLOW``. + // + // This setting provides security control over headers with underscores, which can be a source + // of security issues when different systems interpret underscores and hyphens differently. HeadersWithUnderscoresAction headers_with_underscores_action = 4; // Allow requests with fragment in URL path and strip the fragment before request processing. - // By default Envoy rejects requests with fragment in URL path. + // + // By default Envoy rejects requests with fragment in URL path. When this option is enabled, + // the fragment portion (everything after ``#``) will be removed from the path before + // further processing. + // + // Fragments are typically used by client-side applications and should not normally + // be sent to the server, so stripping them can help normalize requests. bool strip_fragment_from_path = 5; } From 49a2a8700988b7847d6a40cd42bc3f92bb3a4203 Mon Sep 17 00:00:00 2001 From: Ashesh Vidyut <134911583+asheshvidyut@users.noreply.github.com> Date: Tue, 22 Jul 2025 22:02:09 +0530 Subject: [PATCH 034/505] Using Radix tree instead of Trie (#40160) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Using Radix Tree instead of Trie ### Benchmarking Command - _Both the commands have been run on same machine_ ``` bazel run -c opt test/common/common:trie_lookup_table_speed_test -- --benchmark_repetitions=10 bazel run -c opt test/common/common:radix_tree_speed_test -- --benchmark_repetitions=10 ``` #### Lookups | Benchmark | Trie Mean | RadixTree Mean | % Diff (RadixTree vs. Trie) | | --------------------------------------- | --------- | -------------- | --------------------------------- | | bmLookupsRequestHeaders_mean | 82.7 ns | 37.2 ns | ⚡ 54.99% faster | | bmLookupsResponseHeaders_mean | 74.3 ns | 19.8 ns | ⚡ 73.35% faster | | bmLookups/10/0_mean | 299.0 ns | 10.4 ns | ⚡ 96.52% faster | | bmLookups/100/0_mean | 365.0 ns | 23.5 ns | ⚡ 93.56% faster | | bmLookups/1000/0_mean | 447.0 ns | 39.2 ns | ⚡ 91.23% faster | | bmLookups/10000/0_mean | 541.0 ns | 74.5 ns | ⚡ 86.23% faster | | bmLookups/10/8_mean | 22.3 ns | 14.3 ns | ⚡ 35.87% faster | | bmLookups/100/8_mean | 24.5 ns | 24.0 ns | ⚡ 2.04% faster | | bmLookups/1000/8_mean | 35.3 ns | 35.8 ns | 🐢 1.42% slower | | bmLookups/10000/8_mean | 74.1 ns | 56.0 ns | ⚡ 24.43% faster | | bmLookups/10/128_mean | 631.0 ns | 22.2 ns | ⚡ 96.48% faster | | bmLookups/100/128_mean | 764.0 ns | 23.8 ns | ⚡ 96.88% faster | | bmLookups/1000/128_mean | 799.0 ns | 43.1 ns | ⚡ 94.61% faster | | bmLookups/10000/128_mean | 1080.0 ns | 76.4 ns | ⚡ 92.93% faster | #### findMatchingPrefixes | Benchmark Name | TrieLookupTable (ns) | RadixTree (ns) | Performance | | ---------------------------------- | -------------------- | -------------- | ---------------- | | PrefixMatching/100/3/1000_mean | 1955 | 1740 | 10.99% Faster ⚡️ | | PrefixMatching/100/5/1000_mean | 1907 | 1764 | 7.50% Faster ⚡️ | | PrefixMatching/100/8/1000_mean | 1860 | 1812 | 2.58% Faster ⚡️ | | PrefixMatching/1000/3/1000_mean | 2480 | 2146 | 13.47% Faster ⚡️ | | PrefixMatching/1000/5/1000_mean | 2265 | 2146 | 5.25% Faster ⚡️ | | PrefixMatching/1000/8/1000_mean | 2551 | 2146 | 15.88% Faster ⚡️ | | PrefixMatching/10000/3/1000_mean | 3266 | 3004 | 8.02% Faster ⚡️ | | PrefixMatching/10000/5/1000_mean | 4005 | 3338 | 16.65% Faster ⚡️ | | PrefixMatching/10000/8/1000_mean | 6533 | 4435 | 32.11% Faster ⚡️ | | RequestHeadersPrefixMatching_mean | 1788 | 1764 | 1.34% Faster ⚡️ | | ResponseHeadersPrefixMatching_mean | 1597 | 1645 | 3.01% Slower 🐢 | Commit Message: Using Radix Tree instead of Trie Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Ashesh Vidyut Signed-off-by: Rohit Agrawal Signed-off-by: Ashesh Vidyut <134911583+asheshvidyut@users.noreply.github.com> Co-authored-by: Rohit Agrawal --- changelogs/current.yaml | 3 + source/common/common/BUILD | 10 + source/common/common/radix_tree.h | 302 +++++++++++++++ source/common/matcher/BUILD | 2 +- source/common/matcher/prefix_map_matcher.h | 4 +- .../redis_proxy/command_splitter_impl.h | 4 +- .../filters/network/redis_proxy/router_impl.h | 4 +- .../extensions/filters/udp/dns_filter/BUILD | 2 +- .../filters/udp/dns_filter/dns_filter.h | 8 +- test/common/common/BUILD | 41 ++ .../common/prefix_matching_benchmark.cc | 162 ++++++++ test/common/common/radix_tree_speed_test.cc | 89 +++++ test/common/common/radix_tree_test.cc | 357 ++++++++++++++++++ tools/spelling/spelling_dictionary.txt | 4 + 14 files changed, 979 insertions(+), 13 deletions(-) create mode 100644 source/common/common/radix_tree.h create mode 100644 test/common/common/prefix_matching_benchmark.cc create mode 100644 test/common/common/radix_tree_speed_test.cc create mode 100644 test/common/common/radix_tree_test.cc diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 89d5acbc9bae6..588cc40a11c4a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -387,6 +387,9 @@ new_features: - area: alts change: | Added environment variable-protected gRPC keepalive params to the ALTS handshaker client. +- area: dns_filter, redis_proxy and prefix_matcher_map + change: | + Using Radix Tree instead of Trie for performance improvements. - area: wasm change: | Added support for returning ``StopIteration`` from plugin ``onRequestHeader`` and ``onResponseHeader`` callbacks. See diff --git a/source/common/common/BUILD b/source/common/common/BUILD index 9382613088bb3..b5d6cbe6aca19 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -483,6 +483,16 @@ envoy_cc_library( hdrs = ["trie_lookup_table.h"], ) +envoy_cc_library( + name = "radix_tree_lib", + hdrs = ["radix_tree.h"], + deps = [ + ":assert_lib", + "@com_google_absl//absl/container:flat_hash_map", + "@com_google_absl//absl/strings", + ], +) + envoy_cc_library( name = "utility_lib", srcs = ["utility.cc"], diff --git a/source/common/common/radix_tree.h b/source/common/common/radix_tree.h new file mode 100644 index 0000000000000..aae80fd3edbb0 --- /dev/null +++ b/source/common/common/radix_tree.h @@ -0,0 +1,302 @@ +#pragma once + +#include +#include + +#include "envoy/common/optref.h" + +#include "source/common/common/assert.h" + +#include "absl/container/flat_hash_map.h" +#include "absl/strings/string_view.h" +#include "absl/types/optional.h" + +namespace Envoy { +template class RadixTree { + static constexpr int32_t NoNode = -1; + struct RadixTreeNode { + std::string prefix_; + Value value_{}; + // Hash map for O(1) child lookup by first character + absl::flat_hash_map children_; + + /** + * Insert a key-value pair into this node + * @param key the full key being inserted + * @param search the remaining search key + * @param value the value to insert + */ + void insert(absl::string_view search, Value value) { + // Handle key exhaustion + if (search.empty()) { + value_ = std::move(value); + return; + } + + // Look for the edge + uint8_t firstChar = static_cast(search[0]); + auto childIt = children_.find(firstChar); + + // No edge, create one + if (childIt == children_.end()) { + // Create a new child node + RadixTreeNode newChild; + newChild.prefix_ = std::string(search); + newChild.value_ = std::move(value); + + // Add the child to the current node + children_[firstChar] = std::move(newChild); + return; + } + + // Get the child node + RadixTreeNode& child = childIt->second; + + // Determine longest prefix length of the search key on match + size_t cpl = commonPrefixLength(search, child.prefix_); + if (cpl == child.prefix_.size()) { + // The search key is longer than the child prefix, continue down + absl::string_view remaining_search = search.substr(cpl); + child.insert(remaining_search, std::move(value)); + return; + } + + // Split the node - create a new intermediate node + RadixTreeNode split_node; + split_node.prefix_ = std::string(search.substr(0, cpl)); + + // Update the child's prefix + child.prefix_ = std::string(child.prefix_.substr(cpl)); + + // If the search key is exactly the common prefix, set the value on the split node + if (cpl == search.size()) { + split_node.value_ = std::move(value); + } else { + // Create a new leaf for the current key + RadixTreeNode new_leaf; + new_leaf.prefix_ = std::string(search.substr(cpl)); + new_leaf.value_ = std::move(value); + split_node.children_[static_cast(new_leaf.prefix_[0])] = std::move(new_leaf); + } + + // Add the child to the split node + split_node.children_[static_cast(child.prefix_[0])] = std::move(child); + + // Replace the original child with the split node + children_[firstChar] = std::move(split_node); + } + + /** + * Recursive helper for find operation. + * @param search the remaining search key. + * @param result the value to return if found. + * @return true if the key was found, false otherwise. + */ + bool findRecursive(absl::string_view search, Value& result) const { + if (search.empty()) { + if (has_value(*this)) { + result = value_; + return true; + } + return false; + } + + uint8_t firstChar = static_cast(search[0]); + auto childIt = children_.find(firstChar); + if (childIt == children_.end()) { + return false; + } + + const RadixTreeNode& child = childIt->second; + + // Check if the child's prefix matches the search + if (search.size() >= child.prefix_.size() && + search.substr(0, child.prefix_.size()) == child.prefix_) { + absl::string_view new_search = search.substr(child.prefix_.size()); + return child.findRecursive(new_search, result); + } + + return false; + } + + /** + * Get a child node by character key + */ + Envoy::OptRef getChild(uint8_t char_key) const { + auto it = children_.find(char_key); + if (it != children_.end()) { + return {it->second}; + } + return {}; + } + }; + + /** + * Check if a node has a value (is a leaf node) + */ + static bool has_value(const RadixTreeNode& node) { + // For pointer types, check if the pointer is not null + if constexpr (std::is_pointer_v) { + return node.value_ != nullptr; + } else { + return static_cast(node.value_); + } + } + + /** + * Find the longest common prefix between two strings + */ + static size_t commonPrefixLength(absl::string_view a, absl::string_view b) { + size_t len = std::min(a.size(), b.size()); + for (size_t i = 0; i < len; i++) { + if (a[i] != b[i]) { + return i; + } + } + return len; + } + +public: + /** + * Adds an entry to the RadixTree at the given Key. + * @param key the key used to add the entry. + * @param value the value to be associated with the key. + * @param overwrite_existing will overwrite the value when the value for a given key already + * exists. + * @return false when a value already exists for the given key. + */ + bool add(absl::string_view key, Value value, bool overwrite_existing = true) { + // Check if the key already exists + Value existing; + bool found = root_.findRecursive(key, existing); + + // If a value exists and we shouldn't overwrite, return false + if (found && !overwrite_existing) { + return false; + } + + root_.insert(key, std::move(value)); + return true; + } + + /** + * Finds the entry associated with the key. + * @param key the key used to find. + * @return the Value associated with the key, or an empty-initialized Value + * if there is no matching key. + */ + Value find(absl::string_view key) const { + Value result; + if (root_.findRecursive(key, result)) { + return result; + } + return Value{}; + } + + /** + * Returns the set of entries that are prefixes of the specified key, longest last. + * Complexity is O(min(longest key prefix, key length)). + * @param key the key used to find. + * @return a vector of values whose keys are a prefix of the specified key, longest last. + */ + absl::InlinedVector findMatchingPrefixes(absl::string_view key) const { + absl::InlinedVector result; + absl::string_view search = key; + const RadixTreeNode* node = &root_; + + // Special case: if searching for empty string, check root node + if (search.empty()) { + if (has_value(*node)) { + result.push_back(node->value_); + } + return result; + } + + while (true) { + // Check if current node has a value (is a leaf) and we've consumed some prefix + if (has_value(*node)) { + result.push_back(node->value_); + } + + // Check for key exhaustion + if (search.empty()) { + break; + } + + // Look for an edge + uint8_t firstChar = static_cast(search[0]); + auto child = node->getChild(firstChar); + if (!child) { + break; + } + + const RadixTreeNode& child_node = *child; + node = &child_node; + + // Consume the search prefix + if (search.size() < child->prefix_.size() || + search.substr(0, child->prefix_.size()) != child->prefix_) { + break; + } + // Consume the search prefix + search = search.substr(child->prefix_.size()); + } + + return result; + } + + /** + * Finds the entry with the longest key that is a prefix of the specified key. + * Complexity is O(min(longest key prefix, key length)). + * @param key the key used to find. + * @return a value whose key is a prefix of the specified key. If there are + * multiple such values, the one with the longest key. If there are + * no keys that are a prefix of the input key, an empty-initialized Value. + */ + Value findLongestPrefix(absl::string_view key) const { + absl::string_view search = key; + const RadixTreeNode* node = &root_; + const RadixTreeNode* last_node_with_value = nullptr; + + while (true) { + // Look for a leaf node + if (has_value(*node)) { + last_node_with_value = node; + } + + // Check for key exhaustion + if (search.empty()) { + break; + } + + // Look for an edge + uint8_t firstChar = static_cast(search[0]); + auto child = node->getChild(firstChar); + if (!child) { + break; + } + + const RadixTreeNode& child_node = *child; + node = &child_node; + + // Consume the search prefix + if (search.size() < child->prefix_.size() || + search.substr(0, child->prefix_.size()) != child->prefix_) { + break; + } + // Consume the search prefix + search = search.substr(child->prefix_.size()); + } + + // Return the value from the last node that had a value, or empty value if none found + if (last_node_with_value != nullptr) { + return last_node_with_value->value_; + } + return nullptr; + } + +private: + // Initialized with a single empty node as the root node. + RadixTreeNode root_ = RadixTreeNode(); +}; +} // namespace Envoy diff --git a/source/common/matcher/BUILD b/source/common/matcher/BUILD index 82cd7e7f137d4..22234d5a0fb85 100644 --- a/source/common/matcher/BUILD +++ b/source/common/matcher/BUILD @@ -29,7 +29,7 @@ envoy_cc_library( hdrs = ["prefix_map_matcher.h"], deps = [ ":map_matcher_lib", - "//source/common/common:trie_lookup_table_lib", + "//source/common/common:radix_tree_lib", "//source/common/runtime:runtime_features_lib", ], ) diff --git a/source/common/matcher/prefix_map_matcher.h b/source/common/matcher/prefix_map_matcher.h index 4a597d8322813..a70a7e28593e7 100644 --- a/source/common/matcher/prefix_map_matcher.h +++ b/source/common/matcher/prefix_map_matcher.h @@ -1,6 +1,6 @@ #pragma once -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/matcher/map_matcher.h" #include "source/common/runtime/runtime_features.h" @@ -52,7 +52,7 @@ template class PrefixMapMatcher : public MapMatcher { } private: - TrieLookupTable>> children_; + RadixTree>> children_; }; } // namespace Matcher diff --git a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h index f821cadd95b7c..936e3d832cc96 100644 --- a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h +++ b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h @@ -9,7 +9,7 @@ #include "envoy/stats/timespan.h" #include "source/common/common/logger.h" -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/stats/timespan_impl.h" #include "source/extensions/filters/network/common/redis/client_impl.h" #include "source/extensions/filters/network/common/redis/fault_impl.h" @@ -501,7 +501,7 @@ class InstanceImpl : public Instance, Logger::Loggable { CommandHandlerFactory role_handler_; CommandHandlerFactory split_keys_sum_result_handler_; CommandHandlerFactory transaction_handler_; - TrieLookupTable handler_lookup_table_; + RadixTree handler_lookup_table_; InstanceStats stats_; TimeSource& time_source_; Common::Redis::FaultManagerPtr fault_manager_; diff --git a/source/extensions/filters/network/redis_proxy/router_impl.h b/source/extensions/filters/network/redis_proxy/router_impl.h index 8a7b841ca7b48..4d353fb629e12 100644 --- a/source/extensions/filters/network/redis_proxy/router_impl.h +++ b/source/extensions/filters/network/redis_proxy/router_impl.h @@ -13,7 +13,7 @@ #include "envoy/type/v3/percent.pb.h" #include "envoy/upstream/cluster_manager.h" -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/http/header_map_impl.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/extensions/filters/network/common/redis/supported_commands.h" @@ -86,7 +86,7 @@ class PrefixRoutes : public Router, public Logger::Loggable { const StreamInfo::StreamInfo& stream_info); private: - TrieLookupTable prefix_lookup_table_; + RadixTree prefix_lookup_table_; const bool case_insensitive_; Upstreams upstreams_; PrefixSharedPtr catch_all_route_; diff --git a/source/extensions/filters/udp/dns_filter/BUILD b/source/extensions/filters/udp/dns_filter/BUILD index e4315f1acc15d..f327a12d84d3b 100644 --- a/source/extensions/filters/udp/dns_filter/BUILD +++ b/source/extensions/filters/udp/dns_filter/BUILD @@ -34,8 +34,8 @@ envoy_cc_library( "//envoy/network:listener_interface", "//source/common/buffer:buffer_lib", "//source/common/common:empty_string", + "//source/common/common:radix_tree_lib", "//source/common/common:safe_memcpy_lib", - "//source/common/common:trie_lookup_table_lib", "//source/common/config:config_provider_lib", "//source/common/config:datasource_lib", "//source/common/network:address_lib", diff --git a/source/extensions/filters/udp/dns_filter/dns_filter.h b/source/extensions/filters/udp/dns_filter/dns_filter.h index d1e5262d1146e..726120b21b41d 100644 --- a/source/extensions/filters/udp/dns_filter/dns_filter.h +++ b/source/extensions/filters/udp/dns_filter/dns_filter.h @@ -6,7 +6,7 @@ #include "envoy/network/filter.h" #include "source/common/buffer/buffer_impl.h" -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/config/config_provider_impl.h" #include "source/common/network/utility.h" #include "source/extensions/filters/udp/dns_filter/dns_filter_resolver.h" @@ -97,9 +97,7 @@ class DnsFilterEnvoyConfig : public Logger::Loggable { } const Network::DnsResolverFactory& dnsResolverFactory() const { return *dns_resolver_factory_; } Api::Api& api() const { return api_; } - const TrieLookupTable& getDnsTrie() const { - return dns_lookup_trie_; - } + const RadixTree& getDnsTrie() const { return dns_lookup_trie_; } private: static DnsFilterStats generateStats(const std::string& stat_prefix, Stats::Scope& scope) { @@ -123,7 +121,7 @@ class DnsFilterEnvoyConfig : public Logger::Loggable { mutable DnsFilterStats stats_; - TrieLookupTable dns_lookup_trie_; + RadixTree dns_lookup_trie_; absl::flat_hash_map domain_ttl_; bool forward_queries_; uint64_t retry_count_; diff --git a/test/common/common/BUILD b/test/common/common/BUILD index 07ca8a1b96919..b4d3f54f0455f 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -313,6 +313,13 @@ envoy_cc_test( deps = ["//source/common/common:trie_lookup_table_lib"], ) +envoy_cc_test( + name = "radix_tree_test", + srcs = ["radix_tree_test.cc"], + rbe_pool = "6gig", + deps = ["//source/common/common:radix_tree_lib"], +) + envoy_cc_test( name = "utility_test", srcs = ["utility_test.cc"], @@ -463,6 +470,40 @@ envoy_benchmark_test( benchmark_binary = "trie_lookup_table_speed_test", ) +envoy_cc_benchmark_binary( + name = "radix_tree_speed_test", + srcs = ["radix_tree_speed_test.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/common:radix_tree_lib", + "@com_github_google_benchmark//:benchmark", + "@com_google_absl//absl/strings", + ], +) + +envoy_benchmark_test( + name = "radix_tree_speed_test_benchmark_test", + benchmark_binary = "radix_tree_speed_test", +) + +envoy_cc_benchmark_binary( + name = "prefix_matching_benchmark", + srcs = ["prefix_matching_benchmark.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/common:radix_tree_lib", + "//source/common/common:trie_lookup_table_lib", + "//source/common/http:headers_lib", + "@com_github_google_benchmark//:benchmark", + "@com_google_absl//absl/strings", + ], +) + +envoy_benchmark_test( + name = "prefix_matching_benchmark_test", + benchmark_binary = "prefix_matching_benchmark", +) + envoy_cc_test( name = "lock_guard_test", srcs = ["lock_guard_test.cc"], diff --git a/test/common/common/prefix_matching_benchmark.cc b/test/common/common/prefix_matching_benchmark.cc new file mode 100644 index 0000000000000..c89ad5138f3a3 --- /dev/null +++ b/test/common/common/prefix_matching_benchmark.cc @@ -0,0 +1,162 @@ +// Note: this should be run with --compilation_mode=opt, and would benefit from a +// quiescent system with disabled cstate power management. + +#include + +#include "source/common/common/radix_tree.h" +#include "source/common/common/trie_lookup_table.h" +#include "source/common/http/headers.h" + +#include "benchmark/benchmark.h" + +namespace Envoy { + +// NOLINT(namespace-envoy) + +#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); + +// Helper function to generate test data with hierarchical prefixes +std::vector generateHierarchicalKeys(int num_keys, int max_depth) { + std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability + std::uniform_int_distribution char_distribution('a', 'z'); + std::uniform_int_distribution depth_distribution(1, max_depth); + + std::vector keys; + for (int i = 0; i < num_keys; i++) { + int depth = depth_distribution(prng); + std::string key; + for (int j = 0; j < depth; j++) { + for (int k = 0; k < 3; k++) { // Each level has 3 characters + key.push_back(static_cast(char_distribution(prng))); + } + if (j < depth - 1) { + key.push_back('/'); // Use '/' as separator for hierarchical structure + } + } + keys.push_back(key); + } + return keys; +} + +// Helper function to generate search keys with various prefix lengths +std::vector generateSearchKeys(const std::vector& keys, + int num_searches) { + std::mt19937 prng(2); // Different seed for search keys + std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); + std::uniform_int_distribution length_distribution(1, 20); // Random prefix length + + std::vector search_keys; + for (int i = 0; i < num_searches; i++) { + const std::string& base_key = keys[keyindex_distribution(prng)]; + size_t prefix_len = std::min(length_distribution(prng), base_key.length()); + search_keys.push_back(base_key.substr(0, prefix_len)); + } + return search_keys; +} + +template +static void typedBmPrefixMatching(benchmark::State& state, const std::vector& keys, + const std::vector& search_keys) { + TableType table; + for (const std::string& key : keys) { + table.add(key, nullptr); + } + + size_t search_index = 0; + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + auto result = table.findMatchingPrefixes(search_keys[search_index++]); + // Reset search_index to 0 whenever it reaches the end + search_index %= search_keys.size(); + benchmark::DoNotOptimize(result); + } +} + +// Range args are: +// 0 - num_keys (number of keys in the tree) +// 1 - max_depth (maximum depth of hierarchical keys) +// 2 - num_searches (number of search operations to perform) +template static void typedBmPrefixMatching(benchmark::State& state) { + int num_keys = state.range(0); + int max_depth = state.range(1); + int num_searches = state.range(2); + + std::vector keys = generateHierarchicalKeys(num_keys, max_depth); + std::vector search_keys = generateSearchKeys(keys, num_searches); + + typedBmPrefixMatching(state, keys, search_keys); +} + +// Benchmark for TrieLookupTable +static void bmTrieLookupTablePrefixMatching(benchmark::State& s) { + typedBmPrefixMatching>(s); +} + +// Benchmark for RadixTree +static void bmRadixTreePrefixMatching(benchmark::State& s) { + typedBmPrefixMatching>(s); +} + +// Real-world scenario benchmarks using HTTP headers +static void bmTrieLookupTableRequestHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +static void bmRadixTreeRequestHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +static void bmTrieLookupTableResponseHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +static void bmRadixTreeResponseHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +// Register benchmarks for synthetic data +BENCHMARK(bmTrieLookupTablePrefixMatching) + ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) + ->Name("TrieLookupTable/PrefixMatching"); + +BENCHMARK(bmRadixTreePrefixMatching) + ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) + ->Name("RadixTree/PrefixMatching"); + +// Register benchmarks for real-world HTTP headers +BENCHMARK(bmTrieLookupTableRequestHeadersPrefixMatching) + ->Name("TrieLookupTable/RequestHeadersPrefixMatching"); + +BENCHMARK(bmRadixTreeRequestHeadersPrefixMatching)->Name("RadixTree/RequestHeadersPrefixMatching"); + +BENCHMARK(bmTrieLookupTableResponseHeadersPrefixMatching) + ->Name("TrieLookupTable/ResponseHeadersPrefixMatching"); + +BENCHMARK(bmRadixTreeResponseHeadersPrefixMatching) + ->Name("RadixTree/ResponseHeadersPrefixMatching"); + +} // namespace Envoy diff --git a/test/common/common/radix_tree_speed_test.cc b/test/common/common/radix_tree_speed_test.cc new file mode 100644 index 0000000000000..5f0af98ad4a5c --- /dev/null +++ b/test/common/common/radix_tree_speed_test.cc @@ -0,0 +1,89 @@ +// Note: this should be run with --compilation_mode=opt, and would benefit from a +// quiescent system with disabled cstate power management. + +#include + +#include "envoy/http/header_map.h" + +#include "source/common/common/radix_tree.h" +#include "source/common/http/headers.h" + +#include "benchmark/benchmark.h" + +namespace Envoy { + +// NOLINT(namespace-envoy) + +template +static void typedBmRadixTreeLookups(benchmark::State& state, std::vector& keys) { + std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability + std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); + TableType radixtree; + for (const std::string& key : keys) { + radixtree.add(key, nullptr); + } + std::vector key_selections; + for (size_t i = 0; i < 1024; i++) { + key_selections.push_back(keyindex_distribution(prng)); + } + + // key_index indexes into key_selections which is a pre-selected + // random ordering of 1024 indexes into the existing keys. This + // way we read from all over the radixtree, without spending time during + // the performance test generating these random choices. + size_t key_index = 0; + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + auto v = radixtree.find(keys[key_selections[key_index++]]); + // Reset key_index to 0 whenever it reaches 1024. + key_index &= 1023; + benchmark::DoNotOptimize(v); + } +} + +// Range args are: +// 0 - num_keys +// 1 - key_length (0 is a special case that generates mixed-length keys) +template static void typedBmRadixTreeLookups(benchmark::State& state) { + std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability + int num_keys = state.range(0); + int key_length = state.range(1); + std::uniform_int_distribution char_distribution('a', 'z'); + std::uniform_int_distribution key_length_distribution(key_length == 0 ? 8 : key_length, + key_length == 0 ? 128 : key_length); + auto make_key = [&](size_t len) { + std::string ret; + for (size_t i = 0; i < len; i++) { + ret.push_back(static_cast(char_distribution(prng))); + } + return ret; + }; + std::vector keys; + for (int i = 0; i < num_keys; i++) { + std::string key = make_key(key_length_distribution(prng)); + keys.push_back(std::move(key)); + } + typedBmRadixTreeLookups(state, keys); +} + +static void bmRadixTreeLookups(benchmark::State& s) { + typedBmRadixTreeLookups>(s); +} + +#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); +static void bmRadixTreeLookupsRequestHeaders(benchmark::State& s) { + std::vector keys; + INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); + typedBmRadixTreeLookups>(s, keys); +} +static void bmRadixTreeLookupsResponseHeaders(benchmark::State& s) { + std::vector keys; + INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); + typedBmRadixTreeLookups>(s, keys); +} + +BENCHMARK(bmRadixTreeLookupsRequestHeaders); +BENCHMARK(bmRadixTreeLookupsResponseHeaders); +BENCHMARK(bmRadixTreeLookups)->ArgsProduct({{10, 100, 1000, 10000}, {0, 8, 128}}); + +} // namespace Envoy diff --git a/test/common/common/radix_tree_test.cc b/test/common/common/radix_tree_test.cc new file mode 100644 index 0000000000000..2b5a10904a3bc --- /dev/null +++ b/test/common/common/radix_tree_test.cc @@ -0,0 +1,357 @@ +#include "source/common/common/radix_tree.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::ElementsAre; + +namespace Envoy { + +TEST(RadixTree, AddItems) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("bar"), cstr_b)); + EXPECT_EQ(cstr_a, radixtree.find("foo")); + EXPECT_EQ(cstr_b, radixtree.find("bar")); + + // overwrite_existing = false + EXPECT_FALSE(radixtree.add(std::string("foo"), cstr_c, false)); + EXPECT_EQ(cstr_a, radixtree.find("foo")); + + // overwrite_existing = true + EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_c)); + EXPECT_EQ(cstr_c, radixtree.find("foo")); +} + +TEST(RadixTree, LongestPrefix) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + const char* cstr_e = "e"; + const char* cstr_f = "f"; + + EXPECT_TRUE(radixtree.add(std::string("foo/bar"), cstr_d)); + EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_a)); + // Verify that prepending and appending branches to a node both work. + EXPECT_TRUE(radixtree.add(std::string("barn"), cstr_e)); + EXPECT_TRUE(radixtree.add(std::string("barp"), cstr_f)); + EXPECT_TRUE(radixtree.add(std::string("bar"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("baro"), cstr_c)); + + EXPECT_EQ(cstr_a, radixtree.find("foo")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foo")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo"), ElementsAre(cstr_a)); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foosball")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foosball"), ElementsAre(cstr_a)); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foo/")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo/"), ElementsAre(cstr_a)); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("foo/bar")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo/bar"), ElementsAre(cstr_a, cstr_d)); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("foo/bar/zzz")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo/bar/zzz"), ElementsAre(cstr_a, cstr_d)); + + EXPECT_EQ(cstr_b, radixtree.find("bar")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("bar")); + EXPECT_THAT(radixtree.findMatchingPrefixes("bar"), ElementsAre(cstr_b)); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("baritone")); + EXPECT_THAT(radixtree.findMatchingPrefixes("baritone"), ElementsAre(cstr_b)); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("barometer")); + EXPECT_THAT(radixtree.findMatchingPrefixes("barometer"), ElementsAre(cstr_b, cstr_c)); + + EXPECT_EQ(cstr_e, radixtree.find("barn")); + EXPECT_EQ(cstr_e, radixtree.findLongestPrefix("barnacle")); + EXPECT_THAT(radixtree.findMatchingPrefixes("barnacle"), ElementsAre(cstr_b, cstr_e)); + + EXPECT_EQ(cstr_f, radixtree.find("barp")); + EXPECT_EQ(cstr_f, radixtree.findLongestPrefix("barpomus")); + EXPECT_THAT(radixtree.findMatchingPrefixes("barpomus"), ElementsAre(cstr_b, cstr_f)); + + EXPECT_EQ(nullptr, radixtree.find("toto")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("toto")); + EXPECT_THAT(radixtree.findMatchingPrefixes("toto"), ElementsAre()); + EXPECT_EQ(nullptr, radixtree.find(" ")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix(" ")); + EXPECT_THAT(radixtree.findMatchingPrefixes(" "), ElementsAre()); +} + +TEST(RadixTree, VeryDeepRadixTreeDoesNotStackOverflowOnDestructor) { + RadixTree radixtree; + const char* cstr_a = "a"; + + std::string key_a(20960, 'a'); + EXPECT_TRUE(radixtree.add(key_a, cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find(key_a)); +} + +TEST(RadixTree, RadixTreeSpecificTests) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + + // Test radix tree compression + EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("testing"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("tester"), cstr_c)); + EXPECT_TRUE(radixtree.add(std::string("tested"), cstr_d)); + + EXPECT_EQ(cstr_a, radixtree.find("test")); + EXPECT_EQ(cstr_b, radixtree.find("testing")); + EXPECT_EQ(cstr_c, radixtree.find("tester")); + EXPECT_EQ(cstr_d, radixtree.find("tested")); + + // Test prefix matching + EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(cstr_a, cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tester"), ElementsAre(cstr_a, cstr_c)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tested"), ElementsAre(cstr_a, cstr_d)); + + // Test longest prefix + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("test")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("testing")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("tester")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("tested")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("testx")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("tex")); +} + +TEST(RadixTree, EmptyAndSingleNode) { + RadixTree radixtree; + const char* cstr_a = "a"; + + // Test empty radixtree + EXPECT_EQ(nullptr, radixtree.find("anything")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("anything")); + EXPECT_THAT(radixtree.findMatchingPrefixes("anything"), ElementsAre()); + + // Test single node + EXPECT_TRUE(radixtree.add(std::string("a"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("a")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a")); + EXPECT_THAT(radixtree.findMatchingPrefixes("a"), ElementsAre(cstr_a)); + EXPECT_EQ(nullptr, radixtree.find("b")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("b")); + EXPECT_THAT(radixtree.findMatchingPrefixes("b"), ElementsAre()); +} + +TEST(RadixTree, InsertAndFindEdgeCases) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + + // Test empty string + EXPECT_TRUE(radixtree.add(std::string(""), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("")); + EXPECT_THAT(radixtree.findMatchingPrefixes(""), ElementsAre(cstr_a)); + + // Test single character + EXPECT_TRUE(radixtree.add(std::string("x"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("x")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("x")); + EXPECT_THAT(radixtree.findMatchingPrefixes("x"), ElementsAre(cstr_a, cstr_b)); + + // Test very long string + std::string long_key(1000, 'a'); + EXPECT_TRUE(radixtree.add(long_key, cstr_c)); + EXPECT_EQ(cstr_c, radixtree.find(long_key)); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix(long_key)); + EXPECT_THAT(radixtree.findMatchingPrefixes(long_key), ElementsAre(cstr_a, cstr_c)); + + // Test special characters + EXPECT_TRUE(radixtree.add(std::string("test/key"), cstr_d)); + EXPECT_EQ(cstr_d, radixtree.find("test/key")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("test/key")); + EXPECT_THAT(radixtree.findMatchingPrefixes("test/key"), ElementsAre(cstr_a, cstr_d)); + + // Test non-existent keys + EXPECT_EQ(nullptr, radixtree.find("nonexistent")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("nonexistent")); + EXPECT_THAT(radixtree.findMatchingPrefixes("nonexistent"), ElementsAre(cstr_a)); +} + +TEST(RadixTree, InsertAndFindComplexScenarios) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + const char* cstr_e = "e"; + const char* cstr_f = "f"; + + // Test overlapping prefixes + EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("testing"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("tester"), cstr_c)); + EXPECT_TRUE(radixtree.add(std::string("tested"), cstr_d)); + + // Verify all can be found + EXPECT_EQ(cstr_a, radixtree.find("test")); + EXPECT_EQ(cstr_b, radixtree.find("testing")); + EXPECT_EQ(cstr_c, radixtree.find("tester")); + EXPECT_EQ(cstr_d, radixtree.find("tested")); + + // Test prefix matching + EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(cstr_a, cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tester"), ElementsAre(cstr_a, cstr_c)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tested"), ElementsAre(cstr_a, cstr_d)); + + // Test longest prefix + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("test")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("testing")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("tester")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("tested")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("testx")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("tex")); + + // Test branching scenarios + EXPECT_TRUE(radixtree.add(std::string("hello"), cstr_e)); + EXPECT_TRUE(radixtree.add(std::string("world"), cstr_f)); + + EXPECT_EQ(cstr_e, radixtree.find("hello")); + EXPECT_EQ(cstr_f, radixtree.find("world")); + EXPECT_EQ(cstr_e, radixtree.findLongestPrefix("hello")); + EXPECT_EQ(cstr_f, radixtree.findLongestPrefix("world")); +} + +TEST(RadixTree, InsertAndFindOverwriteBehavior) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + // Test overwrite_existing = true (default) + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("key")); + + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("key")); + + // Test overwrite_existing = false + EXPECT_FALSE(radixtree.add(std::string("key"), cstr_c, false)); + EXPECT_EQ(cstr_b, radixtree.find("key")); // Should still be cstr_b + + // Test overwrite_existing = true explicitly + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_c, true)); + EXPECT_EQ(cstr_c, radixtree.find("key")); +} + +TEST(RadixTree, InsertAndFindDeepNesting) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + // Test deep nesting + EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/f"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/g"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/h"), cstr_c)); + + EXPECT_EQ(cstr_a, radixtree.find("a/b/c/d/e/f")); + EXPECT_EQ(cstr_b, radixtree.find("a/b/c/d/e/g")); + EXPECT_EQ(cstr_c, radixtree.find("a/b/c/d/e/h")); + + // Test prefix matching on deep paths + EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/f"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/g"), ElementsAre(cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/h"), ElementsAre(cstr_c)); + + // Test longest prefix on deep paths + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a/b/c/d/e/f")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("a/b/c/d/e/g")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("a/b/c/d/e/h")); +} + +TEST(RadixTree, InsertAndFindMixedLengths) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + + // Test mixed length keys + EXPECT_TRUE(radixtree.add(std::string("a"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("aa"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("aaa"), cstr_c)); + EXPECT_TRUE(radixtree.add(std::string("aaaa"), cstr_d)); + + EXPECT_EQ(cstr_a, radixtree.find("a")); + EXPECT_EQ(cstr_b, radixtree.find("aa")); + EXPECT_EQ(cstr_c, radixtree.find("aaa")); + EXPECT_EQ(cstr_d, radixtree.find("aaaa")); + + // Test prefix matching + EXPECT_THAT(radixtree.findMatchingPrefixes("a"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("aa"), ElementsAre(cstr_a, cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("aaa"), ElementsAre(cstr_a, cstr_b, cstr_c)); + EXPECT_THAT(radixtree.findMatchingPrefixes("aaaa"), ElementsAre(cstr_a, cstr_b, cstr_c, cstr_d)); + + // Test longest prefix + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("aa")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("aaa")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("aaaa")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("aaaaa")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("b")); +} + +TEST(RadixTree, InsertAndFindSpecialCharacters) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + // Test special characters + EXPECT_TRUE(radixtree.add(std::string("test-key"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("test_key"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("test.key"), cstr_c)); + + EXPECT_EQ(cstr_a, radixtree.find("test-key")); + EXPECT_EQ(cstr_b, radixtree.find("test_key")); + EXPECT_EQ(cstr_c, radixtree.find("test.key")); + + // Test with spaces + EXPECT_TRUE(radixtree.add(std::string("test key"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("test key")); + + // Test with numbers + EXPECT_TRUE(radixtree.add(std::string("test123"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("test123")); +} + +TEST(RadixTree, InsertAndFindBooleanInterface) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + + // Test boolean find interface + const char* result; + + result = radixtree.find("nonexistent"); + EXPECT_EQ(nullptr, result); + + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_a)); + result = radixtree.find("key"); + EXPECT_EQ(cstr_a, result); + + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_b)); + result = radixtree.find("key"); + EXPECT_EQ(cstr_b, result); + + // Test with empty string + EXPECT_TRUE(radixtree.add(std::string(""), cstr_a)); + result = radixtree.find(""); + EXPECT_EQ(cstr_a, result); +} + +} // namespace Envoy diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 4d9fa4cf18fc6..a3efd5dd18bae 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -37,6 +37,7 @@ Millicores NID NIST NORMALISATION +Radix SQLSTATE bm BSON @@ -47,6 +48,7 @@ CIO cbegin cend constness +cstr deadcode DFP Dynatrace @@ -1184,6 +1186,8 @@ querydetails quiesce quitquitquit qvalue +radix +radixtree rapidjson ratelimit ratelimited From 5abd18b91133020e36b50db0065eb91b62279832 Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Tue, 22 Jul 2025 12:47:14 -0400 Subject: [PATCH 035/505] network: Adds methods to IP address to check if they are in reserved ranges (#40272) This commit adds the following two methods to the `Ip` interface: * `isLinkLocalAddress()` * `isTeredoAddress()` * `isUniqueLocalAddress()` * `isSiteLocalAddress()` These methods will be used by Envoy Mobile to determine IPv6 connectivity on the current network. --------- Signed-off-by: Ali Beyad --- envoy/network/address.h | 40 ++++++++ source/common/network/address_impl.h | 39 ++++++++ test/common/network/address_impl_test.cc | 113 +++++++++++++++++++++++ test/mocks/network/mocks.h | 4 + tools/spelling/spelling_dictionary.txt | 2 + 5 files changed, 198 insertions(+) diff --git a/envoy/network/address.h b/envoy/network/address.h index 0b2d22fd607f4..c7a9c51b8c5fa 100644 --- a/envoy/network/address.h +++ b/envoy/network/address.h @@ -100,6 +100,46 @@ class Ip { */ virtual bool isUnicastAddress() const PURE; + /** + * Determines whether the address is a link-local address. For IPv6, the prefix is fe80::/10. For + * IPv4, the prefix is 169.254.0.0/16. + * + * See https://datatracker.ietf.org/doc/html/rfc3513#section-2.4 for details. + * + * @return true if the address is a link-local address, false otherwise. + */ + virtual bool isLinkLocalAddress() const PURE; + + /** + * Determines whether the address is a Unique Local Address. Applies to IPv6 addresses only, where + * the prefix is fc00::/7. + * + * See https://datatracker.ietf.org/doc/html/rfc4193 for details. + * + * @return true if the address is a Unique Local Address, false otherwise. + */ + virtual bool isUniqueLocalAddress() const PURE; + + /** + * Determines whether the address is a Site-Local Address. Applies to IPv6 addresses only, where + * the prefix is fec0::/10. + * + * See https://datatracker.ietf.org/doc/html/rfc3513#section-2.4 for details. + * + * @return true if the address is a Site-Local Address, false otherwise. + */ + virtual bool isSiteLocalAddress() const PURE; + + /** + * Determines whether the address is a Teredo address. Applies to IPv6 addresses only, where the + * prefix is 2001:0000::/32. + * + * See https://datatracker.ietf.org/doc/html/rfc4380 for details. + * + * @return true if the address is a Teredo address, false otherwise. + */ + virtual bool isTeredoAddress() const PURE; + /** * @return Ipv4 address data IFF version() == IpVersion::v4, otherwise nullptr. */ diff --git a/source/common/network/address_impl.h b/source/common/network/address_impl.h index b61a1dd8b0598..97dbf2e817c04 100644 --- a/source/common/network/address_impl.h +++ b/source/common/network/address_impl.h @@ -179,6 +179,22 @@ class Ipv4Instance : public InstanceBase { // inlined IN_MULTICAST() to avoid byte swapping !((ipv4_.address_.sin_addr.s_addr & htonl(0xf0000000)) == htonl(0xe0000000)); } + bool isLinkLocalAddress() const override { + // Check if the address is in the link-local range: 169.254.0.0/16. + return (ipv4_.address_.sin_addr.s_addr & htonl(0xffff0000)) == htonl(0xa9fe0000); + } + bool isUniqueLocalAddress() const override { + // Unique Local Addresses (ULA) are not applicable to IPv4. + return false; + } + bool isSiteLocalAddress() const override { + // Site-Local Addresses are not applicable to IPv4. + return false; + } + bool isTeredoAddress() const override { + // Teredo addresses are not applicable to IPv4. + return false; + } const Ipv4* ipv4() const override { return &ipv4_; } const Ipv6* ipv6() const override { return nullptr; } uint32_t port() const override { return ntohs(ipv4_.address_.sin_port); } @@ -291,6 +307,29 @@ class Ipv6Instance : public InstanceBase { bool isUnicastAddress() const override { return !isAnyAddress() && !IN6_IS_ADDR_MULTICAST(&ipv6_.address_.sin6_addr); } + bool isLinkLocalAddress() const override { + // Check if the address is in the link-local range: fe80::/10 or in the v4 mapped link-local + // range: [::ffff:169.254.0.0]. + return IN6_IS_ADDR_LINKLOCAL(&ipv6_.address_.sin6_addr) || + (IN6_IS_ADDR_V4MAPPED(&ipv6_.address_.sin6_addr) && + (ipv6_.address_.sin6_addr.s6_addr[12] == 0xa9 && + ipv6_.address_.sin6_addr.s6_addr[13] == 0xfe)); + } + bool isUniqueLocalAddress() const override { + // Unique Local Addresses (ULA) are in the range fc00::/7. + return (ipv6_.address_.sin6_addr.s6_addr[0] & 0xfe) == 0xfc; + } + bool isSiteLocalAddress() const override { + // Site-Local Addresses are in the range fec0::/10. + return IN6_IS_ADDR_SITELOCAL(&ipv6_.address_.sin6_addr); + } + bool isTeredoAddress() const override { + // Teredo addresses have the prefix 2001:0000::/32. + return ipv6_.address_.sin6_addr.s6_addr[0] == 0x20 && + ipv6_.address_.sin6_addr.s6_addr[1] == 0x01 && + ipv6_.address_.sin6_addr.s6_addr[2] == 0x00 && + ipv6_.address_.sin6_addr.s6_addr[3] == 0x00; + } const Ipv4* ipv4() const override { return nullptr; } const Ipv6* ipv6() const override { return &ipv6_; } uint32_t port() const override { return ipv6_.port(); } diff --git a/test/common/network/address_impl_test.cc b/test/common/network/address_impl_test.cc index d3210aa76331a..32ac28be4bb53 100644 --- a/test/common/network/address_impl_test.cc +++ b/test/common/network/address_impl_test.cc @@ -29,6 +29,10 @@ namespace Network { namespace Address { namespace { +Ipv6Instance v4MappedV6Instance(const std::string& address) { + return Ipv6Instance(address, /*port=*/0, /*sock_interface=*/nullptr, /*v6only=*/false); +} + bool addressesEqual(const InstanceConstSharedPtr& a, const Instance& b) { if (a == nullptr || a->type() != Type::Ip || b.type() != Type::Ip) { return false; @@ -228,6 +232,36 @@ TEST(Ipv4InstanceTest, Broadcast) { EXPECT_FALSE(address.ip()->isUnicastAddress()); } +TEST(Ipv4InstanceTest, LinkLocal) { + // Link-local addresses. + EXPECT_TRUE(Ipv4Instance("169.254.0.0").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv4Instance("169.254.42.43").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv4Instance("169.254.255.255").ip()->isLinkLocalAddress()); + + // Not link-local addresses. + EXPECT_FALSE(Ipv4Instance("169.255.0.0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv4Instance("169.255.255.255").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv4Instance("170.254.0.0").ip()->isLinkLocalAddress()); +} + +TEST(Ipv4InstanceTest, Teredo) { + // Teredo addresses are not applicable to IPv4. + EXPECT_FALSE(Ipv4Instance("20.1.1.1").ip()->isTeredoAddress()); + EXPECT_FALSE(Ipv4Instance("200.1.1.1").ip()->isTeredoAddress()); +} + +TEST(Ipv4InstanceTest, SiteLocal) { + // Site-local addresses are not applicable to IPv4. + EXPECT_FALSE(Ipv4Instance("1.2.3.4").ip()->isSiteLocalAddress()); + EXPECT_FALSE(Ipv4Instance("200.1.1.1").ip()->isSiteLocalAddress()); +} + +TEST(Ipv4InstanceTest, UniqueLocal) { + // Unique Local Addresses (ULA) are not applicable to IPv4. + EXPECT_FALSE(Ipv4Instance("1.2.3.4").ip()->isUniqueLocalAddress()); + EXPECT_FALSE(Ipv4Instance("200.1.1.1").ip()->isUniqueLocalAddress()); +} + TEST(Ipv4InstanceTest, BadAddress) { EXPECT_THROW(Ipv4Instance("foo"), EnvoyException); EXPECT_THROW(Ipv4Instance("bar", 1), EnvoyException); @@ -341,6 +375,85 @@ TEST(Ipv6InstanceTest, Broadcast) { EXPECT_FALSE(address.ip()->isUnicastAddress()); } +TEST(Ipv6InstanceTest, LinkLocal) { + // Link-local addresses are in the range "fe80::0" to "febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff". + EXPECT_TRUE(Ipv6Instance("fe80:0:0:0:0:0:0:0").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fe80::0").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fe80::1").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fe80::42:43").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fe80::ffff:ffff:ffff:ffff").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fe81::1").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fe90::1").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("febf::0").ip()->isLinkLocalAddress()); + EXPECT_TRUE(Ipv6Instance("febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff").ip()->isLinkLocalAddress()); + + // Not link-local addresses. + EXPECT_FALSE(Ipv6Instance("::fe80").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv6Instance("fec0::0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv6Instance("ff00::0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv6Instance("ab80::0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv6Instance("abcd::0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(Ipv6Instance("::ffff").ip()->isLinkLocalAddress()); +} + +TEST(Ipv6InstanceTest, V4MappedLinkLocal) { + // Link-local addresses in the range ::ffff:169.254.0.0/16. + EXPECT_TRUE(v4MappedV6Instance("::ffff:169.254.0.0").ip()->isLinkLocalAddress()); + EXPECT_TRUE(v4MappedV6Instance("::ffff:169.254.42.42").ip()->isLinkLocalAddress()); + EXPECT_TRUE(v4MappedV6Instance("::ffff:169.254.255.255").ip()->isLinkLocalAddress()); + + // Not link-local addresses. + EXPECT_FALSE(v4MappedV6Instance("::ffff:169.255.0.0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(v4MappedV6Instance("::ffff:170.254.0.0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(v4MappedV6Instance("::ffff:0.0.0.0").ip()->isLinkLocalAddress()); + EXPECT_FALSE(v4MappedV6Instance("::ffff:192.168.1.1").ip()->isLinkLocalAddress()); + EXPECT_FALSE(v4MappedV6Instance("::ffff:10.54.1.1").ip()->isLinkLocalAddress()); +} + +TEST(Ipv6InstanceTest, Teredo) { + // Teredo addresses are in the range 2001::/32. + EXPECT_TRUE(Ipv6Instance("2001:0:0:0:0:0:0:0").ip()->isTeredoAddress()); + EXPECT_TRUE(Ipv6Instance("2001::1").ip()->isTeredoAddress()); + EXPECT_TRUE(Ipv6Instance("2001::42:43").ip()->isTeredoAddress()); + EXPECT_TRUE(Ipv6Instance("2001::ffff:ffff:ffff:ffff").ip()->isTeredoAddress()); + + // Not Teredo addresses. + EXPECT_FALSE(Ipv6Instance("2002::0").ip()->isTeredoAddress()); + EXPECT_FALSE(Ipv6Instance("2002::1").ip()->isTeredoAddress()); + EXPECT_FALSE(Ipv6Instance("3001::1").ip()->isTeredoAddress()); +} + +TEST(Ipv6InstanceTest, UniqueLocal) { + // Unique Local Addresses (ULA) are in the range fc00::/7. + EXPECT_TRUE(Ipv6Instance("fc00:0:0:0:0:0:0:0").ip()->isUniqueLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fc00::1").ip()->isUniqueLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fc00::42:43").ip()->isUniqueLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fdff::ffff:ffff:ffff:ffff:ffff:ffff").ip()->isUniqueLocalAddress()); + + // Not ULA addresses. + EXPECT_FALSE(Ipv6Instance("fec0:0:0:0:0:0:0:0").ip()->isUniqueLocalAddress()); + EXPECT_FALSE( + Ipv6Instance("feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff").ip()->isUniqueLocalAddress()); + EXPECT_FALSE(Ipv6Instance("fe00::0").ip()->isUniqueLocalAddress()); + EXPECT_FALSE(Ipv6Instance("fe80::0").ip()->isUniqueLocalAddress()); + EXPECT_FALSE(Ipv6Instance("ff00::0").ip()->isUniqueLocalAddress()); +} + +TEST(Ipv6InstanceTest, SiteLocal) { + // Site-local addresses are in the range fec0::/10. + EXPECT_TRUE(Ipv6Instance("fec0:0:0:0:0:0:0:0").ip()->isSiteLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fec0::1").ip()->isSiteLocalAddress()); + EXPECT_TRUE(Ipv6Instance("fec0::42:43").ip()->isSiteLocalAddress()); + EXPECT_TRUE(Ipv6Instance("feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff").ip()->isSiteLocalAddress()); + + // Not site-local addresses. + EXPECT_FALSE(Ipv6Instance("fc00:0:0:0:0:0:0:0").ip()->isSiteLocalAddress()); + EXPECT_FALSE(Ipv6Instance("fdff::ffff:ffff:ffff:ffff:ffff:ffff").ip()->isSiteLocalAddress()); + EXPECT_FALSE(Ipv6Instance("ff00::0").ip()->isSiteLocalAddress()); + EXPECT_FALSE(Ipv6Instance("2002::1").ip()->isSiteLocalAddress()); + EXPECT_FALSE(Ipv6Instance("3001::1").ip()->isSiteLocalAddress()); +} + TEST(Ipv6InstanceTest, BadAddress) { EXPECT_THROW(Ipv6Instance("foo"), EnvoyException); EXPECT_THROW(Ipv6Instance("bar", 1), EnvoyException); diff --git a/test/mocks/network/mocks.h b/test/mocks/network/mocks.h index e0b8287a8edc9..05700f0390528 100644 --- a/test/mocks/network/mocks.h +++ b/test/mocks/network/mocks.h @@ -588,6 +588,10 @@ class MockIp : public Address::Ip { MOCK_METHOD(const std::string&, addressAsString, (), (const)); MOCK_METHOD(bool, isAnyAddress, (), (const)); MOCK_METHOD(bool, isUnicastAddress, (), (const)); + MOCK_METHOD(bool, isLinkLocalAddress, (), (const)); + MOCK_METHOD(bool, isUniqueLocalAddress, (), (const)); + MOCK_METHOD(bool, isSiteLocalAddress, (), (const)); + MOCK_METHOD(bool, isTeredoAddress, (), (const)); MOCK_METHOD(const Address::Ipv4*, ipv4, (), (const)); MOCK_METHOD(const Address::Ipv6*, ipv6, (), (const)); MOCK_METHOD(uint32_t, port, (), (const)); diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index a3efd5dd18bae..ad594752b72f4 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -115,6 +115,7 @@ STX SkyWalking TIDs Timedout +ULA WRSQ WASI ceil @@ -1418,6 +1419,7 @@ templating templatize templatized templatizing +teredo testability testcase testcases From 48a49826f65841fb1e6a055c6b574a3d97bb1ca2 Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 22 Jul 2025 19:23:13 +0100 Subject: [PATCH 036/505] Temporary Revert "Using Radix tree instead of Trie (#40160)" (#40341) This reverts commit 49a2a8700988b7847d6a40cd42bc3f92bb3a4203. We want to wait until after the release to give this more testing time before it is included in a release. Signed-off-by: Ryan Northey --- changelogs/current.yaml | 3 - source/common/common/BUILD | 10 - source/common/common/radix_tree.h | 302 --------------- source/common/matcher/BUILD | 2 +- source/common/matcher/prefix_map_matcher.h | 4 +- .../redis_proxy/command_splitter_impl.h | 4 +- .../filters/network/redis_proxy/router_impl.h | 4 +- .../extensions/filters/udp/dns_filter/BUILD | 2 +- .../filters/udp/dns_filter/dns_filter.h | 8 +- test/common/common/BUILD | 41 -- .../common/prefix_matching_benchmark.cc | 162 -------- test/common/common/radix_tree_speed_test.cc | 89 ----- test/common/common/radix_tree_test.cc | 357 ------------------ tools/spelling/spelling_dictionary.txt | 4 - 14 files changed, 13 insertions(+), 979 deletions(-) delete mode 100644 source/common/common/radix_tree.h delete mode 100644 test/common/common/prefix_matching_benchmark.cc delete mode 100644 test/common/common/radix_tree_speed_test.cc delete mode 100644 test/common/common/radix_tree_test.cc diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 588cc40a11c4a..89d5acbc9bae6 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -387,9 +387,6 @@ new_features: - area: alts change: | Added environment variable-protected gRPC keepalive params to the ALTS handshaker client. -- area: dns_filter, redis_proxy and prefix_matcher_map - change: | - Using Radix Tree instead of Trie for performance improvements. - area: wasm change: | Added support for returning ``StopIteration`` from plugin ``onRequestHeader`` and ``onResponseHeader`` callbacks. See diff --git a/source/common/common/BUILD b/source/common/common/BUILD index b5d6cbe6aca19..9382613088bb3 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -483,16 +483,6 @@ envoy_cc_library( hdrs = ["trie_lookup_table.h"], ) -envoy_cc_library( - name = "radix_tree_lib", - hdrs = ["radix_tree.h"], - deps = [ - ":assert_lib", - "@com_google_absl//absl/container:flat_hash_map", - "@com_google_absl//absl/strings", - ], -) - envoy_cc_library( name = "utility_lib", srcs = ["utility.cc"], diff --git a/source/common/common/radix_tree.h b/source/common/common/radix_tree.h deleted file mode 100644 index aae80fd3edbb0..0000000000000 --- a/source/common/common/radix_tree.h +++ /dev/null @@ -1,302 +0,0 @@ -#pragma once - -#include -#include - -#include "envoy/common/optref.h" - -#include "source/common/common/assert.h" - -#include "absl/container/flat_hash_map.h" -#include "absl/strings/string_view.h" -#include "absl/types/optional.h" - -namespace Envoy { -template class RadixTree { - static constexpr int32_t NoNode = -1; - struct RadixTreeNode { - std::string prefix_; - Value value_{}; - // Hash map for O(1) child lookup by first character - absl::flat_hash_map children_; - - /** - * Insert a key-value pair into this node - * @param key the full key being inserted - * @param search the remaining search key - * @param value the value to insert - */ - void insert(absl::string_view search, Value value) { - // Handle key exhaustion - if (search.empty()) { - value_ = std::move(value); - return; - } - - // Look for the edge - uint8_t firstChar = static_cast(search[0]); - auto childIt = children_.find(firstChar); - - // No edge, create one - if (childIt == children_.end()) { - // Create a new child node - RadixTreeNode newChild; - newChild.prefix_ = std::string(search); - newChild.value_ = std::move(value); - - // Add the child to the current node - children_[firstChar] = std::move(newChild); - return; - } - - // Get the child node - RadixTreeNode& child = childIt->second; - - // Determine longest prefix length of the search key on match - size_t cpl = commonPrefixLength(search, child.prefix_); - if (cpl == child.prefix_.size()) { - // The search key is longer than the child prefix, continue down - absl::string_view remaining_search = search.substr(cpl); - child.insert(remaining_search, std::move(value)); - return; - } - - // Split the node - create a new intermediate node - RadixTreeNode split_node; - split_node.prefix_ = std::string(search.substr(0, cpl)); - - // Update the child's prefix - child.prefix_ = std::string(child.prefix_.substr(cpl)); - - // If the search key is exactly the common prefix, set the value on the split node - if (cpl == search.size()) { - split_node.value_ = std::move(value); - } else { - // Create a new leaf for the current key - RadixTreeNode new_leaf; - new_leaf.prefix_ = std::string(search.substr(cpl)); - new_leaf.value_ = std::move(value); - split_node.children_[static_cast(new_leaf.prefix_[0])] = std::move(new_leaf); - } - - // Add the child to the split node - split_node.children_[static_cast(child.prefix_[0])] = std::move(child); - - // Replace the original child with the split node - children_[firstChar] = std::move(split_node); - } - - /** - * Recursive helper for find operation. - * @param search the remaining search key. - * @param result the value to return if found. - * @return true if the key was found, false otherwise. - */ - bool findRecursive(absl::string_view search, Value& result) const { - if (search.empty()) { - if (has_value(*this)) { - result = value_; - return true; - } - return false; - } - - uint8_t firstChar = static_cast(search[0]); - auto childIt = children_.find(firstChar); - if (childIt == children_.end()) { - return false; - } - - const RadixTreeNode& child = childIt->second; - - // Check if the child's prefix matches the search - if (search.size() >= child.prefix_.size() && - search.substr(0, child.prefix_.size()) == child.prefix_) { - absl::string_view new_search = search.substr(child.prefix_.size()); - return child.findRecursive(new_search, result); - } - - return false; - } - - /** - * Get a child node by character key - */ - Envoy::OptRef getChild(uint8_t char_key) const { - auto it = children_.find(char_key); - if (it != children_.end()) { - return {it->second}; - } - return {}; - } - }; - - /** - * Check if a node has a value (is a leaf node) - */ - static bool has_value(const RadixTreeNode& node) { - // For pointer types, check if the pointer is not null - if constexpr (std::is_pointer_v) { - return node.value_ != nullptr; - } else { - return static_cast(node.value_); - } - } - - /** - * Find the longest common prefix between two strings - */ - static size_t commonPrefixLength(absl::string_view a, absl::string_view b) { - size_t len = std::min(a.size(), b.size()); - for (size_t i = 0; i < len; i++) { - if (a[i] != b[i]) { - return i; - } - } - return len; - } - -public: - /** - * Adds an entry to the RadixTree at the given Key. - * @param key the key used to add the entry. - * @param value the value to be associated with the key. - * @param overwrite_existing will overwrite the value when the value for a given key already - * exists. - * @return false when a value already exists for the given key. - */ - bool add(absl::string_view key, Value value, bool overwrite_existing = true) { - // Check if the key already exists - Value existing; - bool found = root_.findRecursive(key, existing); - - // If a value exists and we shouldn't overwrite, return false - if (found && !overwrite_existing) { - return false; - } - - root_.insert(key, std::move(value)); - return true; - } - - /** - * Finds the entry associated with the key. - * @param key the key used to find. - * @return the Value associated with the key, or an empty-initialized Value - * if there is no matching key. - */ - Value find(absl::string_view key) const { - Value result; - if (root_.findRecursive(key, result)) { - return result; - } - return Value{}; - } - - /** - * Returns the set of entries that are prefixes of the specified key, longest last. - * Complexity is O(min(longest key prefix, key length)). - * @param key the key used to find. - * @return a vector of values whose keys are a prefix of the specified key, longest last. - */ - absl::InlinedVector findMatchingPrefixes(absl::string_view key) const { - absl::InlinedVector result; - absl::string_view search = key; - const RadixTreeNode* node = &root_; - - // Special case: if searching for empty string, check root node - if (search.empty()) { - if (has_value(*node)) { - result.push_back(node->value_); - } - return result; - } - - while (true) { - // Check if current node has a value (is a leaf) and we've consumed some prefix - if (has_value(*node)) { - result.push_back(node->value_); - } - - // Check for key exhaustion - if (search.empty()) { - break; - } - - // Look for an edge - uint8_t firstChar = static_cast(search[0]); - auto child = node->getChild(firstChar); - if (!child) { - break; - } - - const RadixTreeNode& child_node = *child; - node = &child_node; - - // Consume the search prefix - if (search.size() < child->prefix_.size() || - search.substr(0, child->prefix_.size()) != child->prefix_) { - break; - } - // Consume the search prefix - search = search.substr(child->prefix_.size()); - } - - return result; - } - - /** - * Finds the entry with the longest key that is a prefix of the specified key. - * Complexity is O(min(longest key prefix, key length)). - * @param key the key used to find. - * @return a value whose key is a prefix of the specified key. If there are - * multiple such values, the one with the longest key. If there are - * no keys that are a prefix of the input key, an empty-initialized Value. - */ - Value findLongestPrefix(absl::string_view key) const { - absl::string_view search = key; - const RadixTreeNode* node = &root_; - const RadixTreeNode* last_node_with_value = nullptr; - - while (true) { - // Look for a leaf node - if (has_value(*node)) { - last_node_with_value = node; - } - - // Check for key exhaustion - if (search.empty()) { - break; - } - - // Look for an edge - uint8_t firstChar = static_cast(search[0]); - auto child = node->getChild(firstChar); - if (!child) { - break; - } - - const RadixTreeNode& child_node = *child; - node = &child_node; - - // Consume the search prefix - if (search.size() < child->prefix_.size() || - search.substr(0, child->prefix_.size()) != child->prefix_) { - break; - } - // Consume the search prefix - search = search.substr(child->prefix_.size()); - } - - // Return the value from the last node that had a value, or empty value if none found - if (last_node_with_value != nullptr) { - return last_node_with_value->value_; - } - return nullptr; - } - -private: - // Initialized with a single empty node as the root node. - RadixTreeNode root_ = RadixTreeNode(); -}; -} // namespace Envoy diff --git a/source/common/matcher/BUILD b/source/common/matcher/BUILD index 22234d5a0fb85..82cd7e7f137d4 100644 --- a/source/common/matcher/BUILD +++ b/source/common/matcher/BUILD @@ -29,7 +29,7 @@ envoy_cc_library( hdrs = ["prefix_map_matcher.h"], deps = [ ":map_matcher_lib", - "//source/common/common:radix_tree_lib", + "//source/common/common:trie_lookup_table_lib", "//source/common/runtime:runtime_features_lib", ], ) diff --git a/source/common/matcher/prefix_map_matcher.h b/source/common/matcher/prefix_map_matcher.h index a70a7e28593e7..4a597d8322813 100644 --- a/source/common/matcher/prefix_map_matcher.h +++ b/source/common/matcher/prefix_map_matcher.h @@ -1,6 +1,6 @@ #pragma once -#include "source/common/common/radix_tree.h" +#include "source/common/common/trie_lookup_table.h" #include "source/common/matcher/map_matcher.h" #include "source/common/runtime/runtime_features.h" @@ -52,7 +52,7 @@ template class PrefixMapMatcher : public MapMatcher { } private: - RadixTree>> children_; + TrieLookupTable>> children_; }; } // namespace Matcher diff --git a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h index 936e3d832cc96..f821cadd95b7c 100644 --- a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h +++ b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h @@ -9,7 +9,7 @@ #include "envoy/stats/timespan.h" #include "source/common/common/logger.h" -#include "source/common/common/radix_tree.h" +#include "source/common/common/trie_lookup_table.h" #include "source/common/stats/timespan_impl.h" #include "source/extensions/filters/network/common/redis/client_impl.h" #include "source/extensions/filters/network/common/redis/fault_impl.h" @@ -501,7 +501,7 @@ class InstanceImpl : public Instance, Logger::Loggable { CommandHandlerFactory role_handler_; CommandHandlerFactory split_keys_sum_result_handler_; CommandHandlerFactory transaction_handler_; - RadixTree handler_lookup_table_; + TrieLookupTable handler_lookup_table_; InstanceStats stats_; TimeSource& time_source_; Common::Redis::FaultManagerPtr fault_manager_; diff --git a/source/extensions/filters/network/redis_proxy/router_impl.h b/source/extensions/filters/network/redis_proxy/router_impl.h index 4d353fb629e12..8a7b841ca7b48 100644 --- a/source/extensions/filters/network/redis_proxy/router_impl.h +++ b/source/extensions/filters/network/redis_proxy/router_impl.h @@ -13,7 +13,7 @@ #include "envoy/type/v3/percent.pb.h" #include "envoy/upstream/cluster_manager.h" -#include "source/common/common/radix_tree.h" +#include "source/common/common/trie_lookup_table.h" #include "source/common/http/header_map_impl.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/extensions/filters/network/common/redis/supported_commands.h" @@ -86,7 +86,7 @@ class PrefixRoutes : public Router, public Logger::Loggable { const StreamInfo::StreamInfo& stream_info); private: - RadixTree prefix_lookup_table_; + TrieLookupTable prefix_lookup_table_; const bool case_insensitive_; Upstreams upstreams_; PrefixSharedPtr catch_all_route_; diff --git a/source/extensions/filters/udp/dns_filter/BUILD b/source/extensions/filters/udp/dns_filter/BUILD index f327a12d84d3b..e4315f1acc15d 100644 --- a/source/extensions/filters/udp/dns_filter/BUILD +++ b/source/extensions/filters/udp/dns_filter/BUILD @@ -34,8 +34,8 @@ envoy_cc_library( "//envoy/network:listener_interface", "//source/common/buffer:buffer_lib", "//source/common/common:empty_string", - "//source/common/common:radix_tree_lib", "//source/common/common:safe_memcpy_lib", + "//source/common/common:trie_lookup_table_lib", "//source/common/config:config_provider_lib", "//source/common/config:datasource_lib", "//source/common/network:address_lib", diff --git a/source/extensions/filters/udp/dns_filter/dns_filter.h b/source/extensions/filters/udp/dns_filter/dns_filter.h index 726120b21b41d..d1e5262d1146e 100644 --- a/source/extensions/filters/udp/dns_filter/dns_filter.h +++ b/source/extensions/filters/udp/dns_filter/dns_filter.h @@ -6,7 +6,7 @@ #include "envoy/network/filter.h" #include "source/common/buffer/buffer_impl.h" -#include "source/common/common/radix_tree.h" +#include "source/common/common/trie_lookup_table.h" #include "source/common/config/config_provider_impl.h" #include "source/common/network/utility.h" #include "source/extensions/filters/udp/dns_filter/dns_filter_resolver.h" @@ -97,7 +97,9 @@ class DnsFilterEnvoyConfig : public Logger::Loggable { } const Network::DnsResolverFactory& dnsResolverFactory() const { return *dns_resolver_factory_; } Api::Api& api() const { return api_; } - const RadixTree& getDnsTrie() const { return dns_lookup_trie_; } + const TrieLookupTable& getDnsTrie() const { + return dns_lookup_trie_; + } private: static DnsFilterStats generateStats(const std::string& stat_prefix, Stats::Scope& scope) { @@ -121,7 +123,7 @@ class DnsFilterEnvoyConfig : public Logger::Loggable { mutable DnsFilterStats stats_; - RadixTree dns_lookup_trie_; + TrieLookupTable dns_lookup_trie_; absl::flat_hash_map domain_ttl_; bool forward_queries_; uint64_t retry_count_; diff --git a/test/common/common/BUILD b/test/common/common/BUILD index b4d3f54f0455f..07ca8a1b96919 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -313,13 +313,6 @@ envoy_cc_test( deps = ["//source/common/common:trie_lookup_table_lib"], ) -envoy_cc_test( - name = "radix_tree_test", - srcs = ["radix_tree_test.cc"], - rbe_pool = "6gig", - deps = ["//source/common/common:radix_tree_lib"], -) - envoy_cc_test( name = "utility_test", srcs = ["utility_test.cc"], @@ -470,40 +463,6 @@ envoy_benchmark_test( benchmark_binary = "trie_lookup_table_speed_test", ) -envoy_cc_benchmark_binary( - name = "radix_tree_speed_test", - srcs = ["radix_tree_speed_test.cc"], - rbe_pool = "6gig", - deps = [ - "//source/common/common:radix_tree_lib", - "@com_github_google_benchmark//:benchmark", - "@com_google_absl//absl/strings", - ], -) - -envoy_benchmark_test( - name = "radix_tree_speed_test_benchmark_test", - benchmark_binary = "radix_tree_speed_test", -) - -envoy_cc_benchmark_binary( - name = "prefix_matching_benchmark", - srcs = ["prefix_matching_benchmark.cc"], - rbe_pool = "6gig", - deps = [ - "//source/common/common:radix_tree_lib", - "//source/common/common:trie_lookup_table_lib", - "//source/common/http:headers_lib", - "@com_github_google_benchmark//:benchmark", - "@com_google_absl//absl/strings", - ], -) - -envoy_benchmark_test( - name = "prefix_matching_benchmark_test", - benchmark_binary = "prefix_matching_benchmark", -) - envoy_cc_test( name = "lock_guard_test", srcs = ["lock_guard_test.cc"], diff --git a/test/common/common/prefix_matching_benchmark.cc b/test/common/common/prefix_matching_benchmark.cc deleted file mode 100644 index c89ad5138f3a3..0000000000000 --- a/test/common/common/prefix_matching_benchmark.cc +++ /dev/null @@ -1,162 +0,0 @@ -// Note: this should be run with --compilation_mode=opt, and would benefit from a -// quiescent system with disabled cstate power management. - -#include - -#include "source/common/common/radix_tree.h" -#include "source/common/common/trie_lookup_table.h" -#include "source/common/http/headers.h" - -#include "benchmark/benchmark.h" - -namespace Envoy { - -// NOLINT(namespace-envoy) - -#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); - -// Helper function to generate test data with hierarchical prefixes -std::vector generateHierarchicalKeys(int num_keys, int max_depth) { - std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability - std::uniform_int_distribution char_distribution('a', 'z'); - std::uniform_int_distribution depth_distribution(1, max_depth); - - std::vector keys; - for (int i = 0; i < num_keys; i++) { - int depth = depth_distribution(prng); - std::string key; - for (int j = 0; j < depth; j++) { - for (int k = 0; k < 3; k++) { // Each level has 3 characters - key.push_back(static_cast(char_distribution(prng))); - } - if (j < depth - 1) { - key.push_back('/'); // Use '/' as separator for hierarchical structure - } - } - keys.push_back(key); - } - return keys; -} - -// Helper function to generate search keys with various prefix lengths -std::vector generateSearchKeys(const std::vector& keys, - int num_searches) { - std::mt19937 prng(2); // Different seed for search keys - std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); - std::uniform_int_distribution length_distribution(1, 20); // Random prefix length - - std::vector search_keys; - for (int i = 0; i < num_searches; i++) { - const std::string& base_key = keys[keyindex_distribution(prng)]; - size_t prefix_len = std::min(length_distribution(prng), base_key.length()); - search_keys.push_back(base_key.substr(0, prefix_len)); - } - return search_keys; -} - -template -static void typedBmPrefixMatching(benchmark::State& state, const std::vector& keys, - const std::vector& search_keys) { - TableType table; - for (const std::string& key : keys) { - table.add(key, nullptr); - } - - size_t search_index = 0; - for (auto _ : state) { - UNREFERENCED_PARAMETER(_); - auto result = table.findMatchingPrefixes(search_keys[search_index++]); - // Reset search_index to 0 whenever it reaches the end - search_index %= search_keys.size(); - benchmark::DoNotOptimize(result); - } -} - -// Range args are: -// 0 - num_keys (number of keys in the tree) -// 1 - max_depth (maximum depth of hierarchical keys) -// 2 - num_searches (number of search operations to perform) -template static void typedBmPrefixMatching(benchmark::State& state) { - int num_keys = state.range(0); - int max_depth = state.range(1); - int num_searches = state.range(2); - - std::vector keys = generateHierarchicalKeys(num_keys, max_depth); - std::vector search_keys = generateSearchKeys(keys, num_searches); - - typedBmPrefixMatching(state, keys, search_keys); -} - -// Benchmark for TrieLookupTable -static void bmTrieLookupTablePrefixMatching(benchmark::State& s) { - typedBmPrefixMatching>(s); -} - -// Benchmark for RadixTree -static void bmRadixTreePrefixMatching(benchmark::State& s) { - typedBmPrefixMatching>(s); -} - -// Real-world scenario benchmarks using HTTP headers -static void bmTrieLookupTableRequestHeadersPrefixMatching(benchmark::State& s) { - std::vector keys; - INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); - - // Generate search keys based on the headers - std::vector search_keys = generateSearchKeys(keys, 1000); - - typedBmPrefixMatching>(s, keys, search_keys); -} - -static void bmRadixTreeRequestHeadersPrefixMatching(benchmark::State& s) { - std::vector keys; - INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); - - // Generate search keys based on the headers - std::vector search_keys = generateSearchKeys(keys, 1000); - - typedBmPrefixMatching>(s, keys, search_keys); -} - -static void bmTrieLookupTableResponseHeadersPrefixMatching(benchmark::State& s) { - std::vector keys; - INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); - - // Generate search keys based on the headers - std::vector search_keys = generateSearchKeys(keys, 1000); - - typedBmPrefixMatching>(s, keys, search_keys); -} - -static void bmRadixTreeResponseHeadersPrefixMatching(benchmark::State& s) { - std::vector keys; - INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); - - // Generate search keys based on the headers - std::vector search_keys = generateSearchKeys(keys, 1000); - - typedBmPrefixMatching>(s, keys, search_keys); -} - -// Register benchmarks for synthetic data -BENCHMARK(bmTrieLookupTablePrefixMatching) - ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) - ->Name("TrieLookupTable/PrefixMatching"); - -BENCHMARK(bmRadixTreePrefixMatching) - ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) - ->Name("RadixTree/PrefixMatching"); - -// Register benchmarks for real-world HTTP headers -BENCHMARK(bmTrieLookupTableRequestHeadersPrefixMatching) - ->Name("TrieLookupTable/RequestHeadersPrefixMatching"); - -BENCHMARK(bmRadixTreeRequestHeadersPrefixMatching)->Name("RadixTree/RequestHeadersPrefixMatching"); - -BENCHMARK(bmTrieLookupTableResponseHeadersPrefixMatching) - ->Name("TrieLookupTable/ResponseHeadersPrefixMatching"); - -BENCHMARK(bmRadixTreeResponseHeadersPrefixMatching) - ->Name("RadixTree/ResponseHeadersPrefixMatching"); - -} // namespace Envoy diff --git a/test/common/common/radix_tree_speed_test.cc b/test/common/common/radix_tree_speed_test.cc deleted file mode 100644 index 5f0af98ad4a5c..0000000000000 --- a/test/common/common/radix_tree_speed_test.cc +++ /dev/null @@ -1,89 +0,0 @@ -// Note: this should be run with --compilation_mode=opt, and would benefit from a -// quiescent system with disabled cstate power management. - -#include - -#include "envoy/http/header_map.h" - -#include "source/common/common/radix_tree.h" -#include "source/common/http/headers.h" - -#include "benchmark/benchmark.h" - -namespace Envoy { - -// NOLINT(namespace-envoy) - -template -static void typedBmRadixTreeLookups(benchmark::State& state, std::vector& keys) { - std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability - std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); - TableType radixtree; - for (const std::string& key : keys) { - radixtree.add(key, nullptr); - } - std::vector key_selections; - for (size_t i = 0; i < 1024; i++) { - key_selections.push_back(keyindex_distribution(prng)); - } - - // key_index indexes into key_selections which is a pre-selected - // random ordering of 1024 indexes into the existing keys. This - // way we read from all over the radixtree, without spending time during - // the performance test generating these random choices. - size_t key_index = 0; - for (auto _ : state) { - UNREFERENCED_PARAMETER(_); - auto v = radixtree.find(keys[key_selections[key_index++]]); - // Reset key_index to 0 whenever it reaches 1024. - key_index &= 1023; - benchmark::DoNotOptimize(v); - } -} - -// Range args are: -// 0 - num_keys -// 1 - key_length (0 is a special case that generates mixed-length keys) -template static void typedBmRadixTreeLookups(benchmark::State& state) { - std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability - int num_keys = state.range(0); - int key_length = state.range(1); - std::uniform_int_distribution char_distribution('a', 'z'); - std::uniform_int_distribution key_length_distribution(key_length == 0 ? 8 : key_length, - key_length == 0 ? 128 : key_length); - auto make_key = [&](size_t len) { - std::string ret; - for (size_t i = 0; i < len; i++) { - ret.push_back(static_cast(char_distribution(prng))); - } - return ret; - }; - std::vector keys; - for (int i = 0; i < num_keys; i++) { - std::string key = make_key(key_length_distribution(prng)); - keys.push_back(std::move(key)); - } - typedBmRadixTreeLookups(state, keys); -} - -static void bmRadixTreeLookups(benchmark::State& s) { - typedBmRadixTreeLookups>(s); -} - -#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); -static void bmRadixTreeLookupsRequestHeaders(benchmark::State& s) { - std::vector keys; - INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); - typedBmRadixTreeLookups>(s, keys); -} -static void bmRadixTreeLookupsResponseHeaders(benchmark::State& s) { - std::vector keys; - INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); - typedBmRadixTreeLookups>(s, keys); -} - -BENCHMARK(bmRadixTreeLookupsRequestHeaders); -BENCHMARK(bmRadixTreeLookupsResponseHeaders); -BENCHMARK(bmRadixTreeLookups)->ArgsProduct({{10, 100, 1000, 10000}, {0, 8, 128}}); - -} // namespace Envoy diff --git a/test/common/common/radix_tree_test.cc b/test/common/common/radix_tree_test.cc deleted file mode 100644 index 2b5a10904a3bc..0000000000000 --- a/test/common/common/radix_tree_test.cc +++ /dev/null @@ -1,357 +0,0 @@ -#include "source/common/common/radix_tree.h" - -#include "gmock/gmock.h" -#include "gtest/gtest.h" - -using testing::ElementsAre; - -namespace Envoy { - -TEST(RadixTree, AddItems) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - - EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_a)); - EXPECT_TRUE(radixtree.add(std::string("bar"), cstr_b)); - EXPECT_EQ(cstr_a, radixtree.find("foo")); - EXPECT_EQ(cstr_b, radixtree.find("bar")); - - // overwrite_existing = false - EXPECT_FALSE(radixtree.add(std::string("foo"), cstr_c, false)); - EXPECT_EQ(cstr_a, radixtree.find("foo")); - - // overwrite_existing = true - EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_c)); - EXPECT_EQ(cstr_c, radixtree.find("foo")); -} - -TEST(RadixTree, LongestPrefix) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - const char* cstr_d = "d"; - const char* cstr_e = "e"; - const char* cstr_f = "f"; - - EXPECT_TRUE(radixtree.add(std::string("foo/bar"), cstr_d)); - EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_a)); - // Verify that prepending and appending branches to a node both work. - EXPECT_TRUE(radixtree.add(std::string("barn"), cstr_e)); - EXPECT_TRUE(radixtree.add(std::string("barp"), cstr_f)); - EXPECT_TRUE(radixtree.add(std::string("bar"), cstr_b)); - EXPECT_TRUE(radixtree.add(std::string("baro"), cstr_c)); - - EXPECT_EQ(cstr_a, radixtree.find("foo")); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foo")); - EXPECT_THAT(radixtree.findMatchingPrefixes("foo"), ElementsAre(cstr_a)); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foosball")); - EXPECT_THAT(radixtree.findMatchingPrefixes("foosball"), ElementsAre(cstr_a)); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foo/")); - EXPECT_THAT(radixtree.findMatchingPrefixes("foo/"), ElementsAre(cstr_a)); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("foo/bar")); - EXPECT_THAT(radixtree.findMatchingPrefixes("foo/bar"), ElementsAre(cstr_a, cstr_d)); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("foo/bar/zzz")); - EXPECT_THAT(radixtree.findMatchingPrefixes("foo/bar/zzz"), ElementsAre(cstr_a, cstr_d)); - - EXPECT_EQ(cstr_b, radixtree.find("bar")); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("bar")); - EXPECT_THAT(radixtree.findMatchingPrefixes("bar"), ElementsAre(cstr_b)); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("baritone")); - EXPECT_THAT(radixtree.findMatchingPrefixes("baritone"), ElementsAre(cstr_b)); - EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("barometer")); - EXPECT_THAT(radixtree.findMatchingPrefixes("barometer"), ElementsAre(cstr_b, cstr_c)); - - EXPECT_EQ(cstr_e, radixtree.find("barn")); - EXPECT_EQ(cstr_e, radixtree.findLongestPrefix("barnacle")); - EXPECT_THAT(radixtree.findMatchingPrefixes("barnacle"), ElementsAre(cstr_b, cstr_e)); - - EXPECT_EQ(cstr_f, radixtree.find("barp")); - EXPECT_EQ(cstr_f, radixtree.findLongestPrefix("barpomus")); - EXPECT_THAT(radixtree.findMatchingPrefixes("barpomus"), ElementsAre(cstr_b, cstr_f)); - - EXPECT_EQ(nullptr, radixtree.find("toto")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix("toto")); - EXPECT_THAT(radixtree.findMatchingPrefixes("toto"), ElementsAre()); - EXPECT_EQ(nullptr, radixtree.find(" ")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix(" ")); - EXPECT_THAT(radixtree.findMatchingPrefixes(" "), ElementsAre()); -} - -TEST(RadixTree, VeryDeepRadixTreeDoesNotStackOverflowOnDestructor) { - RadixTree radixtree; - const char* cstr_a = "a"; - - std::string key_a(20960, 'a'); - EXPECT_TRUE(radixtree.add(key_a, cstr_a)); - EXPECT_EQ(cstr_a, radixtree.find(key_a)); -} - -TEST(RadixTree, RadixTreeSpecificTests) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - const char* cstr_d = "d"; - - // Test radix tree compression - EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); - EXPECT_TRUE(radixtree.add(std::string("testing"), cstr_b)); - EXPECT_TRUE(radixtree.add(std::string("tester"), cstr_c)); - EXPECT_TRUE(radixtree.add(std::string("tested"), cstr_d)); - - EXPECT_EQ(cstr_a, radixtree.find("test")); - EXPECT_EQ(cstr_b, radixtree.find("testing")); - EXPECT_EQ(cstr_c, radixtree.find("tester")); - EXPECT_EQ(cstr_d, radixtree.find("tested")); - - // Test prefix matching - EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(cstr_a)); - EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(cstr_a, cstr_b)); - EXPECT_THAT(radixtree.findMatchingPrefixes("tester"), ElementsAre(cstr_a, cstr_c)); - EXPECT_THAT(radixtree.findMatchingPrefixes("tested"), ElementsAre(cstr_a, cstr_d)); - - // Test longest prefix - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("test")); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("testing")); - EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("tester")); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("tested")); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("testx")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix("tex")); -} - -TEST(RadixTree, EmptyAndSingleNode) { - RadixTree radixtree; - const char* cstr_a = "a"; - - // Test empty radixtree - EXPECT_EQ(nullptr, radixtree.find("anything")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix("anything")); - EXPECT_THAT(radixtree.findMatchingPrefixes("anything"), ElementsAre()); - - // Test single node - EXPECT_TRUE(radixtree.add(std::string("a"), cstr_a)); - EXPECT_EQ(cstr_a, radixtree.find("a")); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a")); - EXPECT_THAT(radixtree.findMatchingPrefixes("a"), ElementsAre(cstr_a)); - EXPECT_EQ(nullptr, radixtree.find("b")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix("b")); - EXPECT_THAT(radixtree.findMatchingPrefixes("b"), ElementsAre()); -} - -TEST(RadixTree, InsertAndFindEdgeCases) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - const char* cstr_d = "d"; - - // Test empty string - EXPECT_TRUE(radixtree.add(std::string(""), cstr_a)); - EXPECT_EQ(cstr_a, radixtree.find("")); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("")); - EXPECT_THAT(radixtree.findMatchingPrefixes(""), ElementsAre(cstr_a)); - - // Test single character - EXPECT_TRUE(radixtree.add(std::string("x"), cstr_b)); - EXPECT_EQ(cstr_b, radixtree.find("x")); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("x")); - EXPECT_THAT(radixtree.findMatchingPrefixes("x"), ElementsAre(cstr_a, cstr_b)); - - // Test very long string - std::string long_key(1000, 'a'); - EXPECT_TRUE(radixtree.add(long_key, cstr_c)); - EXPECT_EQ(cstr_c, radixtree.find(long_key)); - EXPECT_EQ(cstr_c, radixtree.findLongestPrefix(long_key)); - EXPECT_THAT(radixtree.findMatchingPrefixes(long_key), ElementsAre(cstr_a, cstr_c)); - - // Test special characters - EXPECT_TRUE(radixtree.add(std::string("test/key"), cstr_d)); - EXPECT_EQ(cstr_d, radixtree.find("test/key")); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("test/key")); - EXPECT_THAT(radixtree.findMatchingPrefixes("test/key"), ElementsAre(cstr_a, cstr_d)); - - // Test non-existent keys - EXPECT_EQ(nullptr, radixtree.find("nonexistent")); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("nonexistent")); - EXPECT_THAT(radixtree.findMatchingPrefixes("nonexistent"), ElementsAre(cstr_a)); -} - -TEST(RadixTree, InsertAndFindComplexScenarios) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - const char* cstr_d = "d"; - const char* cstr_e = "e"; - const char* cstr_f = "f"; - - // Test overlapping prefixes - EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); - EXPECT_TRUE(radixtree.add(std::string("testing"), cstr_b)); - EXPECT_TRUE(radixtree.add(std::string("tester"), cstr_c)); - EXPECT_TRUE(radixtree.add(std::string("tested"), cstr_d)); - - // Verify all can be found - EXPECT_EQ(cstr_a, radixtree.find("test")); - EXPECT_EQ(cstr_b, radixtree.find("testing")); - EXPECT_EQ(cstr_c, radixtree.find("tester")); - EXPECT_EQ(cstr_d, radixtree.find("tested")); - - // Test prefix matching - EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(cstr_a)); - EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(cstr_a, cstr_b)); - EXPECT_THAT(radixtree.findMatchingPrefixes("tester"), ElementsAre(cstr_a, cstr_c)); - EXPECT_THAT(radixtree.findMatchingPrefixes("tested"), ElementsAre(cstr_a, cstr_d)); - - // Test longest prefix - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("test")); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("testing")); - EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("tester")); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("tested")); - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("testx")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix("tex")); - - // Test branching scenarios - EXPECT_TRUE(radixtree.add(std::string("hello"), cstr_e)); - EXPECT_TRUE(radixtree.add(std::string("world"), cstr_f)); - - EXPECT_EQ(cstr_e, radixtree.find("hello")); - EXPECT_EQ(cstr_f, radixtree.find("world")); - EXPECT_EQ(cstr_e, radixtree.findLongestPrefix("hello")); - EXPECT_EQ(cstr_f, radixtree.findLongestPrefix("world")); -} - -TEST(RadixTree, InsertAndFindOverwriteBehavior) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - - // Test overwrite_existing = true (default) - EXPECT_TRUE(radixtree.add(std::string("key"), cstr_a)); - EXPECT_EQ(cstr_a, radixtree.find("key")); - - EXPECT_TRUE(radixtree.add(std::string("key"), cstr_b)); - EXPECT_EQ(cstr_b, radixtree.find("key")); - - // Test overwrite_existing = false - EXPECT_FALSE(radixtree.add(std::string("key"), cstr_c, false)); - EXPECT_EQ(cstr_b, radixtree.find("key")); // Should still be cstr_b - - // Test overwrite_existing = true explicitly - EXPECT_TRUE(radixtree.add(std::string("key"), cstr_c, true)); - EXPECT_EQ(cstr_c, radixtree.find("key")); -} - -TEST(RadixTree, InsertAndFindDeepNesting) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - - // Test deep nesting - EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/f"), cstr_a)); - EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/g"), cstr_b)); - EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/h"), cstr_c)); - - EXPECT_EQ(cstr_a, radixtree.find("a/b/c/d/e/f")); - EXPECT_EQ(cstr_b, radixtree.find("a/b/c/d/e/g")); - EXPECT_EQ(cstr_c, radixtree.find("a/b/c/d/e/h")); - - // Test prefix matching on deep paths - EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/f"), ElementsAre(cstr_a)); - EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/g"), ElementsAre(cstr_b)); - EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/h"), ElementsAre(cstr_c)); - - // Test longest prefix on deep paths - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a/b/c/d/e/f")); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("a/b/c/d/e/g")); - EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("a/b/c/d/e/h")); -} - -TEST(RadixTree, InsertAndFindMixedLengths) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - const char* cstr_d = "d"; - - // Test mixed length keys - EXPECT_TRUE(radixtree.add(std::string("a"), cstr_a)); - EXPECT_TRUE(radixtree.add(std::string("aa"), cstr_b)); - EXPECT_TRUE(radixtree.add(std::string("aaa"), cstr_c)); - EXPECT_TRUE(radixtree.add(std::string("aaaa"), cstr_d)); - - EXPECT_EQ(cstr_a, radixtree.find("a")); - EXPECT_EQ(cstr_b, radixtree.find("aa")); - EXPECT_EQ(cstr_c, radixtree.find("aaa")); - EXPECT_EQ(cstr_d, radixtree.find("aaaa")); - - // Test prefix matching - EXPECT_THAT(radixtree.findMatchingPrefixes("a"), ElementsAre(cstr_a)); - EXPECT_THAT(radixtree.findMatchingPrefixes("aa"), ElementsAre(cstr_a, cstr_b)); - EXPECT_THAT(radixtree.findMatchingPrefixes("aaa"), ElementsAre(cstr_a, cstr_b, cstr_c)); - EXPECT_THAT(radixtree.findMatchingPrefixes("aaaa"), ElementsAre(cstr_a, cstr_b, cstr_c, cstr_d)); - - // Test longest prefix - EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a")); - EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("aa")); - EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("aaa")); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("aaaa")); - EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("aaaaa")); - EXPECT_EQ(nullptr, radixtree.findLongestPrefix("b")); -} - -TEST(RadixTree, InsertAndFindSpecialCharacters) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - - // Test special characters - EXPECT_TRUE(radixtree.add(std::string("test-key"), cstr_a)); - EXPECT_TRUE(radixtree.add(std::string("test_key"), cstr_b)); - EXPECT_TRUE(radixtree.add(std::string("test.key"), cstr_c)); - - EXPECT_EQ(cstr_a, radixtree.find("test-key")); - EXPECT_EQ(cstr_b, radixtree.find("test_key")); - EXPECT_EQ(cstr_c, radixtree.find("test.key")); - - // Test with spaces - EXPECT_TRUE(radixtree.add(std::string("test key"), cstr_a)); - EXPECT_EQ(cstr_a, radixtree.find("test key")); - - // Test with numbers - EXPECT_TRUE(radixtree.add(std::string("test123"), cstr_b)); - EXPECT_EQ(cstr_b, radixtree.find("test123")); -} - -TEST(RadixTree, InsertAndFindBooleanInterface) { - RadixTree radixtree; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - - // Test boolean find interface - const char* result; - - result = radixtree.find("nonexistent"); - EXPECT_EQ(nullptr, result); - - EXPECT_TRUE(radixtree.add(std::string("key"), cstr_a)); - result = radixtree.find("key"); - EXPECT_EQ(cstr_a, result); - - EXPECT_TRUE(radixtree.add(std::string("key"), cstr_b)); - result = radixtree.find("key"); - EXPECT_EQ(cstr_b, result); - - // Test with empty string - EXPECT_TRUE(radixtree.add(std::string(""), cstr_a)); - result = radixtree.find(""); - EXPECT_EQ(cstr_a, result); -} - -} // namespace Envoy diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index ad594752b72f4..d8ce66a8ad7d1 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -37,7 +37,6 @@ Millicores NID NIST NORMALISATION -Radix SQLSTATE bm BSON @@ -48,7 +47,6 @@ CIO cbegin cend constness -cstr deadcode DFP Dynatrace @@ -1187,8 +1185,6 @@ querydetails quiesce quitquitquit qvalue -radix -radixtree rapidjson ratelimit ratelimited From 86e62323fca8c46c927a020d7301383c83aceb93 Mon Sep 17 00:00:00 2001 From: Matt Leon Date: Tue, 22 Jul 2025 14:28:52 -0400 Subject: [PATCH 037/505] deps: update `v8` to 13.8.258.26 (#40305) Commit Message: deps: update `v8` to 13.8.258.26 Additional Description: Includes the requisite updates to proxy_wasm_cpp_host and new v8 dependencies. Tested with `bazel test test/extensions/filters/http/wasm/... --define wasm=v8` (and `--define wasm=wasmtime` and `--define wasm=wamr` for defense in depth). Proxy-wasm-cpp-host patches come from https://github.com/proxy-wasm/proxy-wasm-cpp-host/pull/442 Fix #28336 --------- Signed-off-by: Matt Leon Signed-off-by: Ryan Northey Signed-off-by: Rohit Agrawal --- bazel/external/dragonbox.BUILD | 12 + bazel/external/fp16.BUILD | 15 + bazel/external/intel_ittapi.BUILD | 21 + bazel/external/simdutf.BUILD | 11 + bazel/proxy_wasm_cpp_host.patch | 303 +++++++++++++- bazel/repositories.bzl | 54 ++- bazel/repository_locations.bzl | 98 ++++- bazel/v8.patch | 383 +++++++++++++++--- bazel/v8_include.patch | 41 -- changelogs/current.yaml | 3 + test/extensions/filters/http/wasm/BUILD | 6 +- .../http/wasm/wasm_filter_integration_test.cc | 2 +- test/extensions/filters/network/wasm/BUILD | 8 +- 13 files changed, 819 insertions(+), 138 deletions(-) create mode 100644 bazel/external/dragonbox.BUILD create mode 100644 bazel/external/fp16.BUILD create mode 100644 bazel/external/intel_ittapi.BUILD create mode 100644 bazel/external/simdutf.BUILD delete mode 100644 bazel/v8_include.patch diff --git a/bazel/external/dragonbox.BUILD b/bazel/external/dragonbox.BUILD new file mode 100644 index 0000000000000..d0bdf231e94b2 --- /dev/null +++ b/bazel/external/dragonbox.BUILD @@ -0,0 +1,12 @@ +load("@rules_cc//cc:defs.bzl", "cc_library") + +licenses(["notice"]) # Apache 2 + +package(default_visibility = ["//visibility:public"]) + +cc_library( + name = "dragonbox", + srcs = [], + hdrs = ["include/dragonbox/dragonbox.h"], + includes = ["include/"], +) diff --git a/bazel/external/fp16.BUILD b/bazel/external/fp16.BUILD new file mode 100644 index 0000000000000..f3fbfda1f59f6 --- /dev/null +++ b/bazel/external/fp16.BUILD @@ -0,0 +1,15 @@ +load("@rules_cc//cc:defs.bzl", "cc_library") + +licenses(["notice"]) # MIT + +package(default_visibility = ["//visibility:public"]) + +cc_library( + name = "FP16", + hdrs = [ + "include/fp16.h", + "include/fp16/bitcasts.h", + "include/fp16/fp16.h", + ], + includes = ["include/"], +) diff --git a/bazel/external/intel_ittapi.BUILD b/bazel/external/intel_ittapi.BUILD new file mode 100644 index 0000000000000..13351d38abb66 --- /dev/null +++ b/bazel/external/intel_ittapi.BUILD @@ -0,0 +1,21 @@ +load("@rules_cc//cc:defs.bzl", "cc_library") + +licenses(["notice"]) + +package(default_visibility = ["//visibility:public"]) + +cc_library( + name = "lib_ittapi", + srcs = [ + "include/ittnotify.h", + "include/jitprofiling.h", + "src/ittnotify/ittnotify_config.h", + "src/ittnotify/jitprofiling.c", + ], + hdrs = [ + "include/ittnotify.h", + "src/ittnotify/ittnotify_types.h", + ], + includes = ["include/"], + visibility = ["//visibility:public"], +) diff --git a/bazel/external/simdutf.BUILD b/bazel/external/simdutf.BUILD new file mode 100644 index 0000000000000..ee48964946afc --- /dev/null +++ b/bazel/external/simdutf.BUILD @@ -0,0 +1,11 @@ +load("@rules_cc//cc:defs.bzl", "cc_library") + +licenses(["notice"]) # Apache 2 + +package(default_visibility = ["//visibility:public"]) + +cc_library( + name = "simdutf", + srcs = ["simdutf.cpp"], + hdrs = ["simdutf.h"], +) diff --git a/bazel/proxy_wasm_cpp_host.patch b/bazel/proxy_wasm_cpp_host.patch index ce159af5ed429..b626f431e03ef 100644 --- a/bazel/proxy_wasm_cpp_host.patch +++ b/bazel/proxy_wasm_cpp_host.patch @@ -1,8 +1,304 @@ +From d6e7129f1d3f52fd1eca3bdaf91d06bb8a14e70d Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Wed, 16 Jul 2025 20:05:48 -0400 +Subject: [PATCH 1/3] chore: Update v8 to use 13.8 interface + +Signed-off-by: Matt Leon +--- + src/v8/v8.cc | 84 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 42 insertions(+), 42 deletions(-) + +diff --git a/src/v8/v8.cc b/src/v8/v8.cc +index 61779c1..1047f5c 100644 +--- a/src/v8/v8.cc ++++ b/src/v8/v8.cc +@@ -140,20 +140,20 @@ private: + + static std::string printValue(const wasm::Val &value) { + switch (value.kind()) { +- case wasm::I32: ++ case wasm::ValKind::I32: + return std::to_string(value.get()); +- case wasm::I64: ++ case wasm::ValKind::I64: + return std::to_string(value.get()); +- case wasm::F32: ++ case wasm::ValKind::F32: + return std::to_string(value.get()); +- case wasm::F64: ++ case wasm::ValKind::F64: + return std::to_string(value.get()); + default: + return "unknown"; + } + } + +-static std::string printValues(const wasm::Val values[], size_t size) { ++static std::string printValues(const wasm::vec &values, size_t size) { + if (size == 0) { + return ""; + } +@@ -170,17 +170,17 @@ static std::string printValues(const wasm::Val values[], size_t size) { + + static const char *printValKind(wasm::ValKind kind) { + switch (kind) { +- case wasm::I32: ++ case wasm::ValKind::I32: + return "i32"; +- case wasm::I64: ++ case wasm::ValKind::I64: + return "i64"; +- case wasm::F32: ++ case wasm::ValKind::F32: + return "f32"; +- case wasm::F64: ++ case wasm::ValKind::F64: + return "f64"; +- case wasm::ANYREF: +- return "anyref"; +- case wasm::FUNCREF: ++ case wasm::ValKind::EXTERNREF: ++ return "externref"; ++ case wasm::ValKind::FUNCREF: + return "funcref"; + default: + return "unknown"; +@@ -229,11 +229,11 @@ template wasm::Val makeVal(T t) { return wasm::Val::make(t); } + template <> wasm::Val makeVal(Word t) { return wasm::Val::make(static_cast(t.u64_)); } + + template constexpr auto convertArgToValKind(); +-template <> constexpr auto convertArgToValKind() { return wasm::I32; }; +-template <> constexpr auto convertArgToValKind() { return wasm::I32; }; +-template <> constexpr auto convertArgToValKind() { return wasm::I64; }; +-template <> constexpr auto convertArgToValKind() { return wasm::I64; }; +-template <> constexpr auto convertArgToValKind() { return wasm::F64; }; ++template <> constexpr auto convertArgToValKind() { return wasm::ValKind::I32; }; ++template <> constexpr auto convertArgToValKind() { return wasm::ValKind::I32; }; ++template <> constexpr auto convertArgToValKind() { return wasm::ValKind::I64; }; ++template <> constexpr auto convertArgToValKind() { return wasm::ValKind::I64; }; ++template <> constexpr auto convertArgToValKind() { return wasm::ValKind::F64; }; + + template + constexpr auto convertArgsTupleToValTypesImpl(std::index_sequence /*comptime*/) { +@@ -343,7 +343,8 @@ bool V8::link(std::string_view /*debug_name*/) { + assert(module_ != nullptr); + + const auto import_types = module_.get()->imports(); +- std::vector imports; ++ wasm::vec imports = ++ wasm::vec::make_uninitialized(import_types.size()); + + for (size_t i = 0; i < import_types.size(); i++) { + std::string_view module(import_types[i]->module().get(), import_types[i]->module().size()); +@@ -352,7 +353,7 @@ bool V8::link(std::string_view /*debug_name*/) { + + switch (import_type->kind()) { + +- case wasm::EXTERN_FUNC: { ++ case wasm::ExternKind::FUNC: { + auto it = host_functions_.find(std::string(module) + "." + std::string(name)); + if (it == host_functions_.end()) { + fail(FailState::UnableToInitializeCode, +@@ -372,10 +373,10 @@ bool V8::link(std::string_view /*debug_name*/) { + printValTypes(func->type()->results())); + return false; + } +- imports.push_back(func); ++ imports[i] = func; + } break; + +- case wasm::EXTERN_GLOBAL: { ++ case wasm::ExternKind::GLOBAL: { + // TODO(PiotrSikora): add support when/if needed. + fail(FailState::UnableToInitializeCode, + "Failed to load Wasm module due to a missing import: " + std::string(module) + "." + +@@ -383,7 +384,7 @@ bool V8::link(std::string_view /*debug_name*/) { + return false; + } break; + +- case wasm::EXTERN_MEMORY: { ++ case wasm::ExternKind::MEMORY: { + assert(memory_ == nullptr); + auto type = wasm::MemoryType::make(import_type->memory()->limits()); + if (type == nullptr) { +@@ -393,10 +394,10 @@ bool V8::link(std::string_view /*debug_name*/) { + if (memory_ == nullptr) { + return false; + } +- imports.push_back(memory_.get()); ++ imports[i] = memory_.get(); + } break; + +- case wasm::EXTERN_TABLE: { ++ case wasm::ExternKind::TABLE: { + assert(table_ == nullptr); + auto type = + wasm::TableType::make(wasm::ValType::make(import_type->table()->element()->kind()), +@@ -408,16 +409,12 @@ bool V8::link(std::string_view /*debug_name*/) { + if (table_ == nullptr) { + return false; + } +- imports.push_back(table_.get()); ++ imports[i] = table_.get(); + } break; + } + } + +- if (import_types.size() != imports.size()) { +- return false; +- } +- +- instance_ = wasm::Instance::make(store_.get(), module_.get(), imports.data()); ++ instance_ = wasm::Instance::make(store_.get(), module_.get(), imports); + if (instance_ == nullptr) { + fail(FailState::UnableToInitializeCode, "Failed to create new Wasm instance"); + return false; +@@ -435,16 +432,16 @@ bool V8::link(std::string_view /*debug_name*/) { + + switch (export_type->kind()) { + +- case wasm::EXTERN_FUNC: { ++ case wasm::ExternKind::FUNC: { + assert(export_item->func() != nullptr); + module_functions_.insert_or_assign(std::string(name), export_item->func()->copy()); + } break; + +- case wasm::EXTERN_GLOBAL: { ++ case wasm::ExternKind::GLOBAL: { + // TODO(PiotrSikora): add support when/if needed. + } break; + +- case wasm::EXTERN_MEMORY: { ++ case wasm::ExternKind::MEMORY: { + assert(export_item->memory() != nullptr); + assert(memory_ == nullptr); + memory_ = exports[i]->memory()->copy(); +@@ -453,7 +450,7 @@ bool V8::link(std::string_view /*debug_name*/) { + } + } break; + +- case wasm::EXTERN_TABLE: { ++ case wasm::ExternKind::TABLE: { + // TODO(PiotrSikora): add support when/if needed. + } break; + } +@@ -531,7 +528,8 @@ void V8::registerHostFunctionImpl(std::string_view module_name, std::string_view + convertArgsTupleToValTypes>()); + auto func = wasm::Func::make( + store_.get(), type.get(), +- [](void *data, const wasm::Val params[], wasm::Val /*results*/[]) -> wasm::own { ++ [](void *data, const wasm::vec ¶ms, ++ wasm::vec & /*results*/) -> wasm::own { + auto *func_data = reinterpret_cast(data); + const bool log = func_data->vm_->cmpLogLevel(LogLevel::trace); + if (log) { +@@ -567,7 +565,8 @@ void V8::registerHostFunctionImpl(std::string_view module_name, std::string_view + convertArgsTupleToValTypes>()); + auto func = wasm::Func::make( + store_.get(), type.get(), +- [](void *data, const wasm::Val params[], wasm::Val results[]) -> wasm::own { ++ [](void *data, const wasm::vec ¶ms, ++ wasm::vec &results) -> wasm::own { + auto *func_data = reinterpret_cast(data); + const bool log = func_data->vm_->cmpLogLevel(LogLevel::trace); + if (log) { +@@ -621,20 +620,21 @@ void V8::getModuleFunctionImpl(std::string_view function_name, + const bool log = cmpLogLevel(LogLevel::trace); + SaveRestoreContext saved_context(context); + wasm::own trap = nullptr; ++ wasm::vec results = wasm::vec::make_uninitialized(); + + // Workaround for MSVC++ not supporting zero-sized arrays. + if constexpr (sizeof...(args) > 0) { +- wasm::Val params[] = {makeVal(args)...}; ++ wasm::vec params = wasm::vec::make(makeVal(args)...); + if (log) { + integration()->trace("[host->vm] " + std::string(function_name) + "(" + + printValues(params, sizeof...(Args)) + ")"); + } +- trap = func->call(params, nullptr); ++ trap = func->call(params, results); + } else { + if (log) { + integration()->trace("[host->vm] " + std::string(function_name) + "()"); + } +- trap = func->call(nullptr, nullptr); ++ trap = func->call(wasm::vec::make_uninitialized(), results); + } + + if (trap) { +@@ -671,12 +671,12 @@ void V8::getModuleFunctionImpl(std::string_view function_name, + *function = [func, function_name, this](ContextBase *context, Args... args) -> R { + const bool log = cmpLogLevel(LogLevel::trace); + SaveRestoreContext saved_context(context); +- wasm::Val results[1]; ++ wasm::vec results = wasm::vec::make_uninitialized(1); + wasm::own trap = nullptr; + + // Workaround for MSVC++ not supporting zero-sized arrays. + if constexpr (sizeof...(args) > 0) { +- wasm::Val params[] = {makeVal(args)...}; ++ wasm::vec params = wasm::vec::make(makeVal(args)...); + if (log) { + integration()->trace("[host->vm] " + std::string(function_name) + "(" + + printValues(params, sizeof...(Args)) + ")"); +@@ -686,7 +686,7 @@ void V8::getModuleFunctionImpl(std::string_view function_name, + if (log) { + integration()->trace("[host->vm] " + std::string(function_name) + "()"); + } +- trap = func->call(nullptr, results); ++ trap = func->call(wasm::vec::make_uninitialized(), results); + } + + if (trap) { +-- +2.50.0.727.gbf7dc18ff4-goog + + +From 6c2ffcb9d797d86e817dc29e0dea53e8bd53bdcf Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Fri, 18 Jul 2025 09:29:26 -0400 +Subject: [PATCH 2/3] fix: remove racy call to + isolate->IsExecutionTerminating() + +Signed-off-by: Matt Leon +--- + src/v8/v8.cc | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/v8/v8.cc b/src/v8/v8.cc +index 1047f5c..bc5b828 100644 +--- a/src/v8/v8.cc ++++ b/src/v8/v8.cc +@@ -706,9 +706,6 @@ void V8::terminate() { + auto *store_impl = reinterpret_cast(store_.get()); + auto *isolate = store_impl->isolate(); + isolate->TerminateExecution(); +- while (isolate->IsExecutionTerminating()) { +- std::this_thread::yield(); +- } + } + + std::string V8::getFailMessage(std::string_view function_name, wasm::own trap) { +-- +2.50.0.727.gbf7dc18ff4-goog + + +From 23327ea30f714a6ac25f197e47764d1f8960986e Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Tue, 22 Jul 2025 10:45:41 -0400 +Subject: [PATCH 3/3] Use Envoy boringssl + +Signed-off-by: Matt Leon +--- + BUILD | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + diff --git a/BUILD b/BUILD -index 69c9bda..d293092 100644 +index 6db5fd9..aaf7bd2 100644 --- a/BUILD +++ b/BUILD -@@ -88,7 +88,7 @@ cc_library( +@@ -91,7 +91,7 @@ cc_library( ":headers", ] + select({ "//bazel:crypto_system": [], @@ -11,3 +307,6 @@ index 69c9bda..d293092 100644 }), alwayslink = 1, ) +-- +2.50.0.727.gbf7dc18ff4-goog + diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index b7b3e75711744..211e9d80606ea 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -186,7 +186,12 @@ def envoy_dependencies(skip_targets = []): _com_google_protobuf() _com_github_envoyproxy_sqlparser() _v8() - _com_googlesource_chromium_base_trace_event_common() + _fast_float() + _highway() + _dragonbox() + _fp16() + _simdutf() + _intel_ittapi() _com_github_google_quiche() _com_googlesource_googleurl() _io_hyperscan() @@ -710,10 +715,19 @@ def _v8(): name = "v8", patches = [ "@envoy//bazel:v8.patch", - "@envoy//bazel:v8_include.patch", "@envoy//bazel:v8_ppc64le.patch", ], patch_args = ["-p1"], + patch_cmds = [ + "find ./src ./include -type f -exec sed -i.bak -e 's!#include \"third_party/simdutf/simdutf.h\"!#include \"simdutf.h\"!' {} \\;", + "find ./src ./include -type f -exec sed -i.bak -e 's!#include \"third_party/fp16/src/include/fp16.h\"!#include \"fp16.h\"!' {} \\;", + "find ./src ./include -type f -exec sed -i.bak -e 's!#include \"third_party/dragonbox/src/include/dragonbox/dragonbox.h\"!#include \"dragonbox/dragonbox.h\"!' {} \\;", + "find ./src ./include -type f -exec sed -i.bak -e 's!#include \"third_party/fast_float/src/include/fast_float/!#include \"fast_float/!' {} \\;", + ], + repo_mapping = { + "@abseil-cpp": "@com_google_absl", + "@icu": "@com_github_unicode_org_icu", + }, ) # Needed by proxy_wasm_cpp_host. @@ -722,16 +736,38 @@ def _v8(): actual = "@v8//:wee8", ) -def _com_googlesource_chromium_base_trace_event_common(): +def _fast_float(): external_http_archive( - name = "com_googlesource_chromium_base_trace_event_common", - build_file = "@v8//:bazel/BUILD.trace_event_common", + name = "fast_float", ) - # Needed by v8. - native.bind( - name = "base_trace_event_common", - actual = "@com_googlesource_chromium_base_trace_event_common//:trace_event_common", +def _highway(): + external_http_archive( + name = "highway", + ) + +def _dragonbox(): + external_http_archive( + name = "dragonbox", + build_file = "@envoy//bazel/external:dragonbox.BUILD", + ) + +def _fp16(): + external_http_archive( + name = "fp16", + build_file = "@envoy//bazel/external:fp16.BUILD", + ) + +def _simdutf(): + external_http_archive( + name = "simdutf", + build_file = "@envoy//bazel/external:simdutf.BUILD", + ) + +def _intel_ittapi(): + external_http_archive( + name = "intel_ittapi", + build_file = "@envoy//bazel/external:intel_ittapi.BUILD", ) def _com_github_google_quiche(): diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 7fd96f3c1164c..2572cbabb0541 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1177,31 +1177,99 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "V8", project_desc = "Google’s open source high-performance JavaScript and WebAssembly engine, written in C++", project_url = "https://v8.dev", - # NOTE: Update together with com_googlesource_chromium_base_trace_event_common. + # NOTE: Update together with proxy_wasm_cpp_host, highway, fast_float, dragonbox, simdutf, and fp16. # Patch contains workaround for https://github.com/bazelbuild/rules_python/issues/1221 - version = "10.7.193.13", + version = "13.8.258.26", # Follow this guide to pick next stable release: https://v8.dev/docs/version-numbers#which-v8-version-should-i-use%3F strip_prefix = "v8-{version}", - sha256 = "6fb91b839e9c36ca4c151268f772e7a6a888a75bcb947f37be9758e49f485db7", + sha256 = "4ffc27074d3f79e8e6401e390443dcf02755349002be4a1b01e72a3cd9457d15", urls = ["https://github.com/v8/v8/archive/refs/tags/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2022-09-28", + release_date = "2025-07-09", cpe = "cpe:2.3:a:google:v8:*", ), - com_googlesource_chromium_base_trace_event_common = dict( - project_name = "Chromium's trace event headers", - project_desc = "Chromium's trace event headers", - project_url = "https://chromium.googlesource.com/chromium/src/base/trace_event/common/", - # NOTE: Update together with v8. - # Use version and sha256 from https://storage.googleapis.com/envoyproxy-wee8/v8--deps.sha256. - version = "521ac34ebd795939c7e16b37d9d3ddb40e8ed556", - # Static snapshot created using https://storage.googleapis.com/envoyproxy-wee8/wee8-fetch-deps.sh. - sha256 = "d99726bd452d1dd6cd50ab33060774e8437d9f0fc6079589f657fe369c66ec09", - urls = ["https://storage.googleapis.com/envoyproxy-wee8/chromium-base_trace_event_common-{version}.tar.gz"], + fast_float = dict( + project_name = "fast_float number parsing library", + project_desc = "Fast and exact implementation of the C++ from_chars functions for number types: 4x to 10x faster than strtod, part of GCC 12, Chromium, Redis and WebKit/Safari", + project_url = "https://github.com/fastfloat/fast_float", + # NOTE: Update together with v8 and proxy_wasm_cpp_host. + version = "7.0.0", + # Follow this guide to pick next stable release: https://v8.dev/docs/version-numbers#which-v8-version-should-i-use%3F + strip_prefix = "fast_float-{version}", + sha256 = "d2a08e722f461fe699ba61392cd29e6b23be013d0f56e50c7786d0954bffcb17", + urls = ["https://github.com/fastfloat/fast_float/archive/refs/tags/v{version}.tar.gz"], + use_category = ["dataplane_ext"], + extensions = ["envoy.wasm.runtime.v8"], + release_date = "2024-11-21", + cpe = "N/A", + ), + highway = dict( + project_name = "Efficient and performance-portable vector software", + project_desc = "Performance-portable, length-agnostic SIMD with runtime dispatch", + project_url = "https://github.com/google/highway", + # NOTE: Update together with v8 and proxy_wasm_cpp_host. + version = "1.2.0", + strip_prefix = "highway-{version}", + sha256 = "7e0be78b8318e8bdbf6fa545d2ecb4c90f947df03f7aadc42c1967f019e63343", + urls = ["https://github.com/google/highway/archive/refs/tags/{version}.tar.gz"], + use_category = ["dataplane_ext"], + extensions = ["envoy.wasm.runtime.v8"], + release_date = "2024-05-31", + cpe = "N/A", + ), + dragonbox = dict( + project_name = "Dragonbox", + project_desc = "Reference implementation of dragonbox, a float-to-string conversion algorithm based on a beautiful algorithm Schubfach, developed by Raffaello Giulietti in 2017-2018. Dragonbox is further inspired by Grisu and Grisu-Exact.", + project_url = "https://github.com/jk-jeon/dragonbox", + # NOTE: Update together with v8 and proxy_wasm_cpp_host. + version = "6c7c925b571d54486b9ffae8d9d18a822801cbda", + strip_prefix = "dragonbox-{version}", + sha256 = "2f10448d665355b41f599e869ac78803f82f13b070ce7ef5ae7b5cceb8a178f3", + urls = ["https://github.com/jk-jeon/dragonbox/archive/{version}.zip"], + use_category = ["dataplane_ext"], + extensions = ["envoy.wasm.runtime.v8"], + release_date = "2024-10-28", + cpe = "N/A", + ), + fp16 = dict( + project_name = "Conversion to/from half-precision floating point formats", + project_desc = "Header-only library for conversion to/from half-precision floating point formats.", + project_url = "https://github.com/Maratyszcza/FP16", + # NOTE: Update together with v8 and proxy_wasm_cpp_host. + version = "0a92994d729ff76a58f692d3028ca1b64b145d91", + strip_prefix = "FP16-{version}", + sha256 = "e66e65515fa09927b348d3d584c68be4215cfe664100d01c9dbc7655a5716d70", + urls = ["https://github.com/Maratyszcza/FP16/archive/{version}.zip"], + use_category = ["dataplane_ext"], + extensions = ["envoy.wasm.runtime.v8"], + release_date = "2021-03-20", + cpe = "N/A", + ), + simdutf = dict( + project_name = "Unicode validation and transcoding at billions of characters per second", + project_desc = "Unicode routines (UTF8, UTF16, UTF32) and Base64: billions of characters per second using SSE2, AVX2, NEON, AVX-512, RISC-V Vector Extension, LoongArch64, POWER. Part of Node.js, WebKit/Safari, Ladybird, Chromium, Cloudflare Workers and Bun.", + project_url = "https://github.com/simdutf/simdutf", + # NOTE: Update together with v8 and proxy_wasm_cpp_host. + version = "7.3.0", + sha256 = "512374f8291d3daf102ccd0ad223b1a8318358f7c1295efd4d9a3abbb8e4b6ff", + urls = ["https://github.com/simdutf/simdutf/releases/download/v{version}/singleheader.zip"], + use_category = ["dataplane_ext"], + extensions = ["envoy.wasm.runtime.v8"], + release_date = "2025-05-28", + cpe = "N/A", + ), + intel_ittapi = dict( + project_name = "Intel ITT API", + project_desc = "Intel Instrumentation and Tracing Technology API", + project_url = "https://github.com/intel/ittapi", + version = "a3911fff01a775023a06af8754f9ec1e5977dd97", + sha256 = "1d0dddfc5abb786f2340565c82c6edd1cff10c917616a18ce62ee0b94dbc2ed4", + urls = ["https://github.com/intel/ittapi/archive/{version}.tar.gz"], + strip_prefix = "ittapi-{version}", use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2022-10-12", + release_date = "2021-05-25", cpe = "N/A", ), com_github_google_quiche = dict( diff --git a/bazel/v8.patch b/bazel/v8.patch index f94a21235b772..dc42c96b0c98d 100644 --- a/bazel/v8.patch +++ b/bazel/v8.patch @@ -1,62 +1,151 @@ -# 1. Use already imported python dependencies -# 2. Disable pointer compression (limits the maximum number of WasmVMs). -# 3. Add support for --define=no_debug_info=1. -# 4. Allow compiling v8 on macOS 10.15 to 13.0. TODO(dio): Will remove this patch when https://bugs.chromium.org/p/v8/issues/detail?id=13428 is fixed. -# 5. Don't expose Wasm C API (only Wasm C++ API). +From bc2a85e39fd55879b9baed51429c08b27d5514c8 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Wed, 16 Jul 2025 16:55:02 -0400 +Subject: [PATCH 1/8] Disable pointer compression + +Pointer compression limits the maximum number of WasmVMs. + +Signed-off-by: Matt Leon +--- + BUILD.bazel | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BUILD.bazel b/BUILD.bazel -index 4e89f90..0df4f67 100644 +index 3f5a87d054e..0a693b7ee10 100644 +--- a/BUILD.bazel ++++ b/BUILD.bazel +@@ -292,7 +292,7 @@ v8_int( + # If no explicit value for v8_enable_pointer_compression, we set it to 'none'. + v8_string( + name = "v8_enable_pointer_compression", +- default = "none", ++ default = "False", + ) + + # Default setting for v8_enable_pointer_compression. +-- +2.50.0.727.gbf7dc18ff4-goog + + +From e9fb84e11334342ee8fcb50d7322412ab35e2ad0 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Tue, 22 Jul 2025 10:53:33 -0400 +Subject: [PATCH 2/8] Use already imported python dependencies + +Signed-off-by: Matt Leon +--- + BUILD.bazel | 2 +- + third_party/inspector_protocol/code_generator.py | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/BUILD.bazel b/BUILD.bazel +index 0a693b7ee10..522f00555e0 100644 --- a/BUILD.bazel +++ b/BUILD.bazel @@ -4,7 +4,7 @@ load("@bazel_skylib//lib:selects.bzl", "selects") - load("@rules_python//python:defs.bzl", "py_binary") + load("@rules_python//python:defs.bzl", "py_binary", "py_test") -load("@v8_python_deps//:requirements.bzl", "requirement") +load("@base_pip3//:requirements.bzl", "requirement") load( "@v8//:bazel/defs.bzl", "v8_binary", -@@ -157,7 +157,7 @@ v8_int( - # If no explicit value for v8_enable_pointer_compression, we set it to 'none'. - v8_string( - name = "v8_enable_pointer_compression", -- default = "none", -+ default = "False", - ) +diff --git a/third_party/inspector_protocol/code_generator.py b/third_party/inspector_protocol/code_generator.py +index b1bedb58951..e85fe664618 100755 +--- a/third_party/inspector_protocol/code_generator.py ++++ b/third_party/inspector_protocol/code_generator.py +@@ -16,6 +16,8 @@ try: + except ImportError: + import simplejson as json - # Default setting for v8_enable_pointer_compression. ++sys.path += [os.path.dirname(__file__)] ++ + import pdl + + try: +-- +2.50.0.727.gbf7dc18ff4-goog + + +From 251ef6027d97bade5e5d8eb5b173baa849c163b8 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Wed, 16 Jul 2025 20:29:10 -0400 +Subject: [PATCH 3/8] Add build flags to make V8 compile with GCC + +Signed-off-by: Matt Leon +--- + bazel/defs.bzl | 3 +++ + 1 file changed, 3 insertions(+) + diff --git a/bazel/defs.bzl b/bazel/defs.bzl -index e957c0f..0327669 100644 +index 0539ea176ac..92c7aeb904f 100644 --- a/bazel/defs.bzl +++ b/bazel/defs.bzl -@@ -116,6 +116,7 @@ def _default_args(): - }) + select({ - "@v8//bazel/config:is_clang": [ - "-Wno-invalid-offsetof", -+ "-Wno-unneeded-internal-declaration", - "-std=c++17", - ], - "@v8//bazel/config:is_gcc": [ -@@ -131,6 +132,9 @@ def _default_args(): - "-Wno-redundant-move", - "-Wno-return-type", - "-Wno-stringop-overflow", -+ "-Wno-nonnull", -+ "-Wno-pessimizing-move", +@@ -117,6 +117,9 @@ def _default_args(): + "-Wno-implicit-int-float-conversion", + "-Wno-deprecated-copy", + "-Wno-non-virtual-dtor", ++ "-Wno-invalid-offsetof", + "-Wno-dangling-pointer", - # Use GNU dialect, because GCC doesn't allow using - # ##__VA_ARGS__ when in standards-conforming mode. - "-std=gnu++17", -@@ -151,6 +154,23 @@ def _default_args(): - "-fno-integrated-as", ++ "-Wno-dangling-reference", + "-isystem .", ], "//conditions:default": [], +-- +2.50.0.727.gbf7dc18ff4-goog + + +From e85e6b017a4843f660bf5331b389a57945a2c21d Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Tue, 22 Jul 2025 10:55:14 -0400 +Subject: [PATCH 4/8] Add support for --define=no_debug_info=1 + +Signed-off-by: Matt Leon +--- + bazel/defs.bzl | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/bazel/defs.bzl b/bazel/defs.bzl +index 92c7aeb904f..937157ccb06 100644 +--- a/bazel/defs.bzl ++++ b/bazel/defs.bzl +@@ -184,6 +184,11 @@ def _default_args(): + }) + select({ + ":should_add_rdynamic": ["-rdynamic"], + "//conditions:default": [], + }) + select({ + "@envoy//bazel:no_debug_info": [ + "-g0", + ], + "//conditions:default": [], + }), + ) + +-- +2.50.0.727.gbf7dc18ff4-goog + + +From b1d40bf065bb46a47cfe2eaf5d3477934f5f8c29 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Tue, 22 Jul 2025 10:55:51 -0400 +Subject: [PATCH 5/8] Allow compiling v8 on macOS 10.15 to 13.0. TODO(dio): + Will remove this patch when + https://bugs.chromium.org/p/v8/issues/detail?id=13428 is fixed. + +Signed-off-by: Matt Leon +--- + bazel/defs.bzl | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/bazel/defs.bzl b/bazel/defs.bzl +index 937157ccb06..39663c97df4 100644 +--- a/bazel/defs.bzl ++++ b/bazel/defs.bzl +@@ -189,6 +189,18 @@ def _default_args(): + "-g0", + ], + "//conditions:default": [], + }) + select({ + "@v8//bazel/config:is_macos": [ + # The clang available on macOS catalina has a warning that isn't clean on v8 code. @@ -70,27 +159,27 @@ index e957c0f..0327669 100644 + ], + "//conditions:default": [], }), - includes = ["include"], - linkopts = select({ -diff --git a/src/compiler/control-equivalence.cc b/src/compiler/control-equivalence.cc -index 4649cf0..6fc6e57 100644 ---- a/src/compiler/control-equivalence.cc -+++ b/src/compiler/control-equivalence.cc -@@ -157,8 +157,8 @@ void ControlEquivalence::RunUndirectedDFS(Node* exit) { - // Pop node from stack when done with all inputs and uses. - DCHECK(entry.input == node->input_edges().end()); - DCHECK(entry.use == node->use_edges().end()); -- DFSPop(stack, node); - VisitPost(node, entry.parent_node, entry.direction); -+ DFSPop(stack, node); - } - } + ) +-- +2.50.0.727.gbf7dc18ff4-goog + + +From 9ed4744c3aecf18f0cc546ea7f4ba7d8cca1f0e7 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Wed, 16 Jul 2025 16:56:52 -0400 +Subject: [PATCH 6/8] Don't expose Wasm C API (only Wasm C++ API). + +Signed-off-by: Matt Leon +--- + src/wasm/c-api.cc | 4 ++++ + 1 file changed, 4 insertions(+) + diff --git a/src/wasm/c-api.cc b/src/wasm/c-api.cc -index 4473e20..65a6ec7 100644 +index 05e4029f183..d705be96a16 100644 --- a/src/wasm/c-api.cc +++ b/src/wasm/c-api.cc -@@ -2247,6 +2247,8 @@ auto Instance::exports() const -> ownvec { +@@ -2472,6 +2472,8 @@ WASM_EXPORT auto Instance::exports() const -> ownvec { } // namespace wasm @@ -99,22 +188,188 @@ index 4473e20..65a6ec7 100644 // BEGIN FILE wasm-c.cc extern "C" { -@@ -3274,3 +3276,5 @@ wasm_instance_t* wasm_frame_instance(const wasm_frame_t* frame) { +@@ -3518,3 +3520,5 @@ wasm_instance_t* wasm_frame_instance(const wasm_frame_t* frame) { #undef WASM_DEFINE_SHARABLE_REF } // extern "C" + +#endif -diff --git a/third_party/inspector_protocol/code_generator.py b/third_party/inspector_protocol/code_generator.py -index c3768b8..d4a1dda 100755 ---- a/third_party/inspector_protocol/code_generator.py -+++ b/third_party/inspector_protocol/code_generator.py -@@ -16,6 +16,8 @@ try: - except ImportError: - import simplejson as json +-- +2.50.0.727.gbf7dc18ff4-goog + + +From 2d4bb2b8bff5a45fd0452912b936e2f9f463b001 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Wed, 16 Jul 2025 20:04:05 -0400 +Subject: [PATCH 7/8] Stub out vendored dependencies for bazel-sourced versions + +Signed-off-by: Matt Leon +--- + BUILD.bazel | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/BUILD.bazel b/BUILD.bazel +index 522f00555e0..f775a934c17 100644 +--- a/BUILD.bazel ++++ b/BUILD.bazel +@@ -4437,10 +4437,10 @@ v8_library( + ":noicu/generated_torque_definitions", + ], + deps = [ +- ":lib_dragonbox", +- "//third_party/fast_float/src:fast_float", +- ":lib_fp16", +- ":simdutf", ++ "@dragonbox//:dragonbox", ++ "@fast_float//:fast_float", ++ "@fp16//:FP16", ++ "@simdutf//:simdutf", + ":v8_libbase", + "@abseil-cpp//absl/container:btree", + "@abseil-cpp//absl/container:flat_hash_map", +-- +2.50.0.727.gbf7dc18ff4-goog + + +From 5c0418f72733f62242d0c83eaacdb5bfd91c1e67 Mon Sep 17 00:00:00 2001 +From: Matt Leon +Date: Fri, 18 Jul 2025 17:28:42 -0400 +Subject: [PATCH 8/8] Hack out atomic simd support in V8. + +Atomic simdutf requires __cpp_lib_atomic_ref >= 201806, which is only +supported in clang libc++ 19+. The version of LLVM used in Envoy as of +2025-07-18 is libc++ 18, so this is not supported. + +The simdutf documentation indicates this atomic form is not tested and +is not recommended for use: +https://github.com/simdutf/simdutf/blob/5d1b6248f29a8ed0eb90f79be268be41730e39f8/include/simdutf/implementation.h#L3066-L3068 + +In addition, this is in the implementation of a JS array buffer. Since +proxy-wasm-cpp-host does not make use of JS array buffers or shared +memory between web workers, we're stubbing it out. + +Mostly reverts +https://github.com/v8/v8/commit/6d6c1e680c7b8ea5f62a76e9c3d88d3fb0a88df0. + +Signed-off-by: Matt Leon +--- + bazel/defs.bzl | 2 +- + src/builtins/builtins-typed-array.cc | 8 ++++++++ + src/objects/simd.cc | 10 ++++++++++ + 3 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/bazel/defs.bzl b/bazel/defs.bzl +index 39663c97df4..14b90ec6905 100644 +--- a/bazel/defs.bzl ++++ b/bazel/defs.bzl +@@ -180,7 +180,7 @@ def _default_args(): + "Advapi32.lib", + ], + "@v8//bazel/config:is_macos": ["-pthread"], +- "//conditions:default": ["-Wl,--no-as-needed -ldl -latomic -pthread"], ++ "//conditions:default": ["-Wl,--no-as-needed -ldl -pthread"], + }) + select({ + ":should_add_rdynamic": ["-rdynamic"], + "//conditions:default": [], +diff --git a/src/builtins/builtins-typed-array.cc b/src/builtins/builtins-typed-array.cc +index 918cb873481..bc933e8dc1d 100644 +--- a/src/builtins/builtins-typed-array.cc ++++ b/src/builtins/builtins-typed-array.cc +@@ -520,17 +520,21 @@ simdutf::result ArrayBufferSetFromBase64( + DirectHandle typed_array, size_t& output_length) { + output_length = array_length; + simdutf::result simd_result; ++#ifdef WANT_ATOMIC_REF + if (typed_array->buffer()->is_shared()) { + simd_result = simdutf::atomic_base64_to_binary_safe( + reinterpret_cast(input_vector), input_length, + reinterpret_cast(typed_array->DataPtr()), output_length, + alphabet, last_chunk_handling, /*decode_up_to_bad_char*/ true); + } else { ++#endif + simd_result = simdutf::base64_to_binary_safe( + reinterpret_cast(input_vector), input_length, + reinterpret_cast(typed_array->DataPtr()), output_length, + alphabet, last_chunk_handling, /*decode_up_to_bad_char*/ true); ++#ifdef WANT_ATOMIC_REF + } ++#endif -+sys.path += [os.path.dirname(__file__)] -+ - import pdl + return simd_result; + } +@@ -833,15 +837,19 @@ BUILTIN(Uint8ArrayPrototypeToBase64) { + // 11. Return CodePointsToString(outAscii). - try: + size_t simd_result_size; ++#ifdef WANT_ATOMIC_REF + if (uint8array->buffer()->is_shared()) { + simd_result_size = simdutf::atomic_binary_to_base64( + std::bit_cast(uint8array->DataPtr()), length, + reinterpret_cast(output->GetChars(no_gc)), alphabet); + } else { ++#endif + simd_result_size = simdutf::binary_to_base64( + std::bit_cast(uint8array->DataPtr()), length, + reinterpret_cast(output->GetChars(no_gc)), alphabet); ++#ifdef WANT_ATOMIC_REF + } ++#endif + DCHECK_EQ(simd_result_size, output_length); + USE(simd_result_size); + } +diff --git a/src/objects/simd.cc b/src/objects/simd.cc +index 0ef570ceb7d..9217fa76072 100644 +--- a/src/objects/simd.cc ++++ b/src/objects/simd.cc +@@ -477,6 +477,7 @@ void Uint8ArrayToHexSlow(const char* bytes, size_t length, + } + } + ++#ifdef WANT_ATOMIC_REF + void AtomicUint8ArrayToHexSlow(const char* bytes, size_t length, + DirectHandle string_output) { + int index = 0; +@@ -492,6 +493,7 @@ void AtomicUint8ArrayToHexSlow(const char* bytes, size_t length, + index += 2; + } + } ++#endif + + inline uint16_t ByteToHex(uint8_t byte) { + const uint16_t correction = (('a' - '0' - 10) << 8) + ('a' - '0' - 10); +@@ -645,11 +647,15 @@ Tagged Uint8ArrayToHex(const char* bytes, size_t length, bool is_shared, + } + #endif + ++#ifdef WANT_ATOMIC_REF + if (is_shared) { + AtomicUint8ArrayToHexSlow(bytes, length, string_output); + } else { ++#endif + Uint8ArrayToHexSlow(bytes, length, string_output); ++#ifdef WANT_ATOMIC_REF + } ++#endif + return *string_output; + } + +@@ -1082,12 +1088,16 @@ bool ArrayBufferFromHex(const base::Vector& input_vector, bool is_shared, + for (uint32_t i = 0; i < output_length * 2; i += 2) { + result = HandleRemainingHexValues(input_vector, i); + if (result.has_value()) { ++#ifdef WANT_ATOMIC_REF + if (is_shared) { + std::atomic_ref(buffer[index++]) + .store(result.value(), std::memory_order_relaxed); + } else { ++#endif + buffer[index++] = result.value(); ++#ifdef WANT_ATOMIC_REF + } ++#endif + } else { + return false; + } +-- +2.50.0.727.gbf7dc18ff4-goog + diff --git a/bazel/v8_include.patch b/bazel/v8_include.patch deleted file mode 100644 index 3e6b492bf05d8..0000000000000 --- a/bazel/v8_include.patch +++ /dev/null @@ -1,41 +0,0 @@ -# fix include types for late clang (15.0.7) / gcc (13.2.1) -# for Arch linux / Fedora, like in -# In file included from external/v8/src/torque/torque.cc:5: -# In file included from external/v8/src/torque/source-positions.h:10: -# In file included from external/v8/src/torque/contextual.h:10: -# In file included from external/v8/src/base/macros.h:12: -# external/v8/src/base/logging.h:154:26: error: use of undeclared identifier 'uint16_t' - -diff --git a/src/base/logging.h b/src/base/logging.h ---- a/src/base/logging.h -+++ b/src/base/logging.h -@@ -5,6 +5,7 @@ - #ifndef V8_BASE_LOGGING_H_ - #define V8_BASE_LOGGING_H_ - -+#include - #include - #include - #include -diff --git a/src/base/macros.h b/src/base/macros.h ---- a/src/base/macros.h -+++ b/src/base/macros.h -@@ -5,6 +5,7 @@ - #ifndef V8_BASE_MACROS_H_ - #define V8_BASE_MACROS_H_ - -+#include - #include - #include - -diff --git a/src/inspector/v8-string-conversions.h b/src/inspector/v8-string-conversions.h ---- a/src/inspector/v8-string-conversions.h -+++ b/src/inspector/v8-string-conversions.h -@@ -5,6 +5,7 @@ - #ifndef V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ - #define V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ - -+#include - #include - - // Conversion routines between UT8 and UTF16, used by string-16.{h,cc}. You may diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 89d5acbc9bae6..5c9d955cae13a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -29,6 +29,9 @@ behavior_changes: change: | The Squash HTTP filter in ``contrib`` has been deleted. The project it provided integration with has been idle for five years and appears abandoned. +- area: wasm + change: | + Bumped up V8 version to ``13.8.258.26`` to address multiple CVEs. minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* diff --git a/test/extensions/filters/http/wasm/BUILD b/test/extensions/filters/http/wasm/BUILD index 79553cc3ae90f..b719e4b6a65d7 100644 --- a/test/extensions/filters/http/wasm/BUILD +++ b/test/extensions/filters/http/wasm/BUILD @@ -18,6 +18,7 @@ envoy_package() envoy_extension_cc_test( name = "wasm_filter_test", + size = "large", srcs = ["wasm_filter_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/http/wasm/test_data:test_cpp.wasm", @@ -55,13 +56,13 @@ envoy_extension_cc_test( envoy_extension_cc_test( name = "config_test", - size = "large", + size = "enormous", srcs = ["config_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/http/wasm/test_data:test_cpp.wasm", ]), extension_names = ["envoy.filters.http.wasm"], - rbe_pool = "2core", + rbe_pool = "4core", shard_count = 16, tags = ["skip_on_windows"], deps = [ @@ -81,6 +82,7 @@ envoy_extension_cc_test( envoy_extension_cc_test( name = "wasm_filter_integration_test", + size = "large", srcs = ["wasm_filter_integration_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/http/wasm/test_data:test_cpp.wasm", diff --git a/test/extensions/filters/http/wasm/wasm_filter_integration_test.cc b/test/extensions/filters/http/wasm/wasm_filter_integration_test.cc index 844068cca9e4c..d9d69b6f4ad63 100644 --- a/test/extensions/filters/http/wasm/wasm_filter_integration_test.cc +++ b/test/extensions/filters/http/wasm/wasm_filter_integration_test.cc @@ -28,7 +28,7 @@ class WasmFilterIntegrationTest } // Wasm filters are expensive to setup and sometime default is not enough, // It needs to increase timeout to avoid flaky tests - setListenersBoundTimeout(10 * TestUtility::DefaultTimeout); + setListenersBoundTimeout(30 * TestUtility::DefaultTimeout); } void TearDown() override { fake_upstream_connection_.reset(); } diff --git a/test/extensions/filters/network/wasm/BUILD b/test/extensions/filters/network/wasm/BUILD index ad56dd8ec8527..b561b390e23bb 100644 --- a/test/extensions/filters/network/wasm/BUILD +++ b/test/extensions/filters/network/wasm/BUILD @@ -18,13 +18,13 @@ envoy_package() envoy_extension_cc_test( name = "config_test", - size = "enormous", + size = "large", srcs = ["config_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/network/wasm/test_data:test_cpp.wasm", ]), extension_names = ["envoy.filters.network.wasm"], - rbe_pool = "6gig", + rbe_pool = "4core", tags = ["skip_on_windows"], deps = [ "//source/common/common:base64_lib", @@ -42,7 +42,7 @@ envoy_extension_cc_test( envoy_extension_cc_test( name = "wasm_filter_test", - size = "enormous", + size = "large", srcs = ["wasm_filter_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/network/wasm/test_data:test_cpp.wasm", @@ -53,7 +53,7 @@ envoy_extension_cc_test( "//test/extensions/filters/network/wasm/test_data:resume_call_rust.wasm", ]), extension_names = ["envoy.filters.network.wasm"], - rbe_pool = "6gig", + rbe_pool = "4core", tags = ["skip_on_windows"], deps = [ "//source/extensions/filters/network/wasm:wasm_filter_lib", From 92762ea23e3a78d49d300e5cb4584d1acc07ed8d Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 22 Jul 2025 21:16:10 +0100 Subject: [PATCH 038/505] wasm/ci: Set all HTTP tests to enormous to prevent timeout flakes (#40346) Signed-off-by: Ryan Northey --- test/extensions/filters/http/wasm/BUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/extensions/filters/http/wasm/BUILD b/test/extensions/filters/http/wasm/BUILD index b719e4b6a65d7..aeec85283107c 100644 --- a/test/extensions/filters/http/wasm/BUILD +++ b/test/extensions/filters/http/wasm/BUILD @@ -18,7 +18,7 @@ envoy_package() envoy_extension_cc_test( name = "wasm_filter_test", - size = "large", + size = "enormous", srcs = ["wasm_filter_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/http/wasm/test_data:test_cpp.wasm", @@ -82,7 +82,7 @@ envoy_extension_cc_test( envoy_extension_cc_test( name = "wasm_filter_integration_test", - size = "large", + size = "enormous", srcs = ["wasm_filter_integration_test.cc"], data = envoy_select_wasm_cpp_tests([ "//test/extensions/filters/http/wasm/test_data:test_cpp.wasm", From 6becd01689f0301f34e58d803e8b605e12076bff Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Tue, 22 Jul 2025 17:28:52 -0400 Subject: [PATCH 039/505] mobile: Filter reserved IP address ranges in IPv6 probing (#40345) IPv6 probing will now filter out: * Link-local IP addresses * Site-local IPv6 addresses * Unique Local IPv6 addresses * Teredo addresses This is the same as Chromium's logic for IPv6 connectivity probing: https://source.chromium.org/chromium/chromium/src/+/main:net/dns/host_resolver_manager.cc;l=1572-1581;drc=d0260a368e65b2be56d179d21fab90976fd494b8. Though it doesn't seem like Chromium filters out site-local addresses, local testing has shown that the IPv6 probe socket will successfully connect but the local address will be site-local on non-IPv6 networks/machines. --------- Signed-off-by: Ali Beyad --- mobile/library/common/internal_engine.cc | 50 +++++++++++++++++------- 1 file changed, 36 insertions(+), 14 deletions(-) diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index c59f636e2b442..1a891b27834be 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -27,6 +27,8 @@ MobileProcessWide& initOnceMobileProcessWide(const OptionsImplBase& options) { Network::Address::InstanceConstSharedPtr ipv6ProbeAddr() { // Use Google DNS IPv6 address for IPv6 probes. + // Same as Chromium: + // https://source.chromium.org/chromium/chromium/src/+/main:net/dns/host_resolver_manager.cc;l=155;drc=7b232da0f22e8cdf555d43c52b6491baeb87f729. CONSTRUCT_ON_FIRST_USE(Network::Address::InstanceConstSharedPtr, new Network::Address::Ipv6Instance("2001:4860:4860::8888", 53)); } @@ -545,9 +547,6 @@ void InternalEngine::logInterfaces(absl::string_view event, Network::Address::InstanceConstSharedPtr InternalEngine::probeAndGetLocalAddr(int domain) { // This probing logic is borrowed from Chromium. - // - - // https://source.chromium.org/chromium/chromium/src/+/main:net/dns/host_resolver_manager.cc;l=154-157;drc=7b232da0f22e8cdf555d43c52b6491baeb87f729 - // - // https://source.chromium.org/chromium/chromium/src/+/main:net/dns/host_resolver_manager.cc;l=1467-1488;drc=7b232da0f22e8cdf555d43c52b6491baeb87f729 ENVOY_LOG(trace, "Checking for {} connectivity.", domain == AF_INET6 ? "IPv6" : "IPv4"); const Api::SysCallSocketResult socket_result = @@ -560,18 +559,41 @@ Network::Address::InstanceConstSharedPtr InternalEngine::probeAndGetLocalAddr(in /* socket_v6only= */ domain == AF_INET6, {domain}); Api::SysCallIntResult connect_result = socket_handle.connect(domain == AF_INET6 ? ipv6ProbeAddr() : ipv4ProbeAddr()); - if (connect_result.return_value_ == 0) { - auto address_or_error = socket_handle.localAddress(); - if (!address_or_error.status().ok()) { - ENVOY_LOG(trace, "Local address error: {}", address_or_error.status().message()); - return nullptr; - } - ENVOY_LOG(trace, "Found {} connectivity.", domain == AF_INET6 ? "IPv6" : "IPv4"); - return *address_or_error; + if (connect_result.return_value_ != 0) { + ENVOY_LOG(trace, "No {} connectivity found with errno: {}.", + domain == AF_INET6 ? "IPv6" : "IPv4", connect_result.errno_); + return nullptr; + } + + absl::StatusOr address = socket_handle.localAddress(); + if (!address.status().ok()) { + ENVOY_LOG(trace, "Local address error: {}", address.status().message()); + return nullptr; } - ENVOY_LOG(trace, "No {} connectivity found with errno: {}.", domain == AF_INET6 ? "IPv6" : "IPv4", - connect_result.errno_); - return nullptr; + + if ((*address)->ip() == nullptr) { + ENVOY_LOG(trace, "Local address is not an IP address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isLinkLocalAddress()) { + ENVOY_LOG(trace, "Ignoring link-local address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isUniqueLocalAddress()) { + ENVOY_LOG(trace, "Ignoring unique-local address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isSiteLocalAddress()) { + ENVOY_LOG(trace, "Ignoring site-local address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isTeredoAddress()) { + ENVOY_LOG(trace, "Ignoring teredo address: {}.", (*address)->asString()); + return nullptr; + } + + ENVOY_LOG(trace, "Found {} connectivity.", domain == AF_INET6 ? "IPv6" : "IPv4"); + return *address; } } // namespace Envoy From 82a438f2b92ffe5c3b111d74c3c29764aea78e29 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 23 Jul 2025 03:36:37 +0000 Subject: [PATCH 040/505] Merge reverse connection changes from agrawroh/feat-rev-conns-new Signed-off-by: Rohit Agrawal --- .../v3/BUILD | 5 +- .../reverse_connection_socket_interface.proto | 14 + api/envoy/service/reverse_tunnel/v3/BUILD | 15 + .../v3/reverse_tunnel_handshake.proto | 232 ++++++++ .../cloud-envoy-grpc.yaml | 112 ++++ .../on-prem-envoy-grpc.yaml | 112 ++++ .../test_grpc_handshake.sh | 213 +++++++ .../extensions/bootstrap/reverse_tunnel/BUILD | 52 +- .../bootstrap/reverse_tunnel/factory_base.h | 128 ++++ .../grpc_reverse_tunnel_client.cc | 268 +++++++++ .../grpc_reverse_tunnel_client.h | 145 +++++ .../grpc_reverse_tunnel_service.cc | 426 +++++++++++++ .../grpc_reverse_tunnel_service.h | 160 +++++ .../reverse_connection_address.h | 11 +- .../reverse_tunnel_initiator.cc | 560 ++++++++++-------- .../reverse_tunnel/reverse_tunnel_initiator.h | 278 +++++---- .../filters/http/reverse_conn/BUILD | 1 + .../http/reverse_conn/reverse_conn_filter.cc | 292 +++++++-- .../http/reverse_conn/reverse_conn_filter.h | 23 +- .../reverse_tunnel/reverse_tunnel_test.cc | 89 +++ 20 files changed, 2707 insertions(+), 429 deletions(-) create mode 100644 api/envoy/service/reverse_tunnel/v3/BUILD create mode 100644 api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto create mode 100644 examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml create mode 100644 examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml create mode 100755 examples/reverse_connection_socket_interface/test_grpc_handshake.sh create mode 100644 source/extensions/bootstrap/reverse_tunnel/factory_base.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h create mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_test.cc diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD index 29ebf0741406e..6a2fd1ac4cc8e 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD @@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], + deps = [ + "//envoy/service/reverse_tunnel/v3:pkg", + "@com_github_cncf_xds//udpa/annotations:pkg", + ], ) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto index 1d4e81ce148dd..7d0772135e102 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.extensions.bootstrap.reverse_connection_socket_interface.v3; +import "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto"; + import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -16,6 +18,8 @@ option (udpa.annotations.file_status).work_in_progress = true; // [#extension: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface] // Configuration for the downstream reverse connection socket interface. +// This interface initiates reverse connections to upstream Envoys and provides +// them as socket connections for downstream requests. message DownstreamReverseConnectionSocketInterface { // Stat prefix to be used for downstream reverse connection socket interface stats. string stat_prefix = 1; @@ -31,6 +35,16 @@ message DownstreamReverseConnectionSocketInterface { // Map of remote clusters to connection counts repeated RemoteClusterConnectionCount remote_cluster_to_conn_count = 5; + + // Optional: gRPC service configuration for reverse tunnel handshake. + // When specified, the initiator will use gRPC for tunnel establishment + // instead of the legacy HTTP-based handshake protocol. + envoy.service.reverse_tunnel.v3.ReverseTunnelGrpcConfig grpc_service_config = 6; + + // Optional: Legacy HTTP-based handshake support. + // When grpc_service_config is not specified, the initiator will fall back to + // HTTP-based handshake requests for backward compatibility. + bool enable_legacy_http_handshake = 7; } // Configuration for remote cluster connection count diff --git a/api/envoy/service/reverse_tunnel/v3/BUILD b/api/envoy/service/reverse_tunnel/v3/BUILD new file mode 100644 index 0000000000000..4f64fe2f9ee5e --- /dev/null +++ b/api/envoy/service/reverse_tunnel/v3/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/annotations:pkg", + "//envoy/config/core/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_xds//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto b/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto new file mode 100644 index 0000000000000..bcf7d73705619 --- /dev/null +++ b/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto @@ -0,0 +1,232 @@ +syntax = "proto3"; + +package envoy.service.reverse_tunnel.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.reverse_tunnel.v3"; +option java_outer_classname = "ReverseTunnelHandshakeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/reverse_tunnel/v3;reverse_tunnelv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Reverse Tunnel Handshake Service] +// Service definition for establishing reverse tunnel connections between Envoy instances. +// This service replaces the previous HTTP-based handshake protocol with a robust gRPC-based approach. + +// The ReverseTunnelHandshakeService provides secure, reliable handshake protocol for establishing +// reverse tunnel connections. It supports custom metadata, timeouts, retries, and authentication. +service ReverseTunnelHandshakeService { + // Establishes a reverse tunnel connection between two Envoy instances. + // The initiator (typically on-premises Envoy) calls this method to request + // a reverse tunnel connection with the acceptor (typically cloud Envoy). + rpc EstablishTunnel(EstablishTunnelRequest) returns (EstablishTunnelResponse); +} + +// Request message for establishing a reverse tunnel connection. +// Contains all necessary information for the acceptor to validate and configure the tunnel. +message EstablishTunnelRequest { + // Required: Identity information of the tunnel initiator. + TunnelInitiatorIdentity initiator = 1 [(validate.rules).message = {required: true}]; + + // Optional: Custom metadata and properties for the tunnel connection. + // This allows for extensible configuration and feature negotiation. + google.protobuf.Struct custom_metadata = 2; + + // Optional: Requested tunnel configuration parameters. + TunnelConfiguration tunnel_config = 3; + + // Optional: Authentication and authorization information. + TunnelAuthentication auth = 4; + + // Optional: Connection-specific attributes for debugging and monitoring. + ConnectionAttributes connection_attributes = 5; +} + +// Response message for reverse tunnel establishment. +// Indicates success/failure and provides configuration for the established tunnel. +message EstablishTunnelResponse { + // Status of the tunnel establishment attempt. + TunnelStatus status = 1; + + // Human-readable status message providing additional context. + // Required for rejected tunnels, optional for accepted tunnels. + string status_message = 2; + + // Optional: Accepted tunnel configuration (may differ from requested). + // Present only when status is ACCEPTED. + TunnelConfiguration accepted_config = 3; + + // Optional: Custom response metadata from the acceptor. + google.protobuf.Struct response_metadata = 4; + + // Optional: Connection monitoring and debugging information. + ConnectionInfo connection_info = 5; +} + +// Identity information for the tunnel initiator. +message TunnelInitiatorIdentity { + // Required: Tenant identifier of the initiating Envoy instance. + string tenant_id = 1 [(validate.rules).string = {min_len: 1 max_len: 128}]; + + // Required: Cluster identifier of the initiating Envoy instance. + string cluster_id = 2 [(validate.rules).string = {min_len: 1 max_len: 128}]; + + // Required: Node identifier of the initiating Envoy instance. + string node_id = 3 [(validate.rules).string = {min_len: 1 max_len: 128}]; + + // Optional: Additional identity attributes for advanced routing/filtering. + map identity_attributes = 4; +} + +// Configuration parameters for the tunnel connection. +message TunnelConfiguration { + // Optional: Preferred ping/keepalive interval for the tunnel. + google.protobuf.Duration ping_interval = 1 [(validate.rules).duration = {gt: {seconds: 1}}]; + + // Optional: Maximum allowed idle time before tunnel cleanup. + google.protobuf.Duration max_idle_time = 2 [(validate.rules).duration = {gt: {seconds: 30}}]; + + // Optional: Protocol-specific configuration options. + map protocol_options = 3; + + // Optional: Quality of Service parameters. + QualityOfService qos = 4; +} + +// Quality of Service configuration for tunnel connections. +message QualityOfService { + // Optional: Maximum bandwidth limit in bytes per second. + google.protobuf.UInt64Value max_bandwidth_bps = 1; + + // Optional: Connection priority level (higher = more important). + google.protobuf.UInt32Value priority_level = 2 [(validate.rules).uint32 = {lte: 10}]; + + // Optional: Connection reliability requirements. + ReliabilityLevel reliability = 3; +} + +// Authentication and authorization information for tunnel establishment. +message TunnelAuthentication { + // Optional: Authentication token or credential. + string auth_token = 1; + + // Optional: Certificate-based authentication information. + CertificateAuth certificate_auth = 2; + + // Optional: Custom authentication attributes. + map auth_attributes = 3; +} + +// Certificate-based authentication information. +message CertificateAuth { + // Certificate fingerprint or identifier. + string cert_fingerprint = 1; + + // Optional: Certificate chain validation information. + repeated string cert_chain = 2; + + // Optional: Certificate-based attributes (e.g., from SAN extensions). + map cert_attributes = 3; +} + +// Connection-specific attributes for monitoring and debugging. +message ConnectionAttributes { + // Optional: Source IP address and port of the connection. + string source_address = 1; + + // Optional: Target/destination information. + string target_address = 2; + + // Optional: Connection tracing and correlation identifiers. + string trace_id = 3; + + // Optional: Additional debugging attributes. + map debug_attributes = 4; +} + +// Status enumeration for tunnel establishment results. +enum TunnelStatus { + // Invalid/unspecified status. + TUNNEL_STATUS_UNSPECIFIED = 0; + + // Tunnel establishment was successful. + ACCEPTED = 1; + + // Tunnel establishment was rejected due to policy. + REJECTED = 2; + + // Authentication failed. + AUTHENTICATION_FAILED = 3; + + // Authorization failed (authenticated but not authorized). + AUTHORIZATION_FAILED = 4; + + // Rate limiting or quota exceeded. + RATE_LIMITED = 5; + + // Internal server error on acceptor side. + INTERNAL_ERROR = 6; + + // Requested configuration not supported. + UNSUPPORTED_CONFIG = 7; +} + +// Reliability level enumeration for QoS configuration. +enum ReliabilityLevel { + // Best effort reliability (default). + BEST_EFFORT = 0; + + // Standard reliability with basic retry logic. + STANDARD = 1; + + // High reliability with aggressive retry and failover. + HIGH = 2; + + // Critical reliability for mission-critical connections. + CRITICAL = 3; +} + +// Information about the established connection. +message ConnectionInfo { + // Assigned connection identifier for tracking. + string connection_id = 1; + + // Connection establishment timestamp. + google.protobuf.Timestamp established_at = 2; + + // Expected connection lifetime or expiration. + google.protobuf.Timestamp expires_at = 3; + + // Monitoring and metrics endpoint information. + string metrics_endpoint = 4; +} + +// Configuration for gRPC client options when establishing tunnels. +message ReverseTunnelGrpcConfig { + // Required: gRPC service configuration for the tunnel handshake service. + envoy.config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; + + // Optional: Timeout for tunnel handshake requests. + google.protobuf.Duration handshake_timeout = 2 [(validate.rules).duration = {gt: {seconds: 1} lte: {seconds: 30}}]; + + // Optional: Number of retry attempts for failed handshakes. + google.protobuf.UInt32Value max_retries = 3 [(validate.rules).uint32 = {lte: 10}]; + + // Optional: Base interval for exponential backoff retry strategy. + google.protobuf.Duration retry_base_interval = 4 [(validate.rules).duration = {gt: {nanos: 100000000}}]; // 100ms minimum + + // Optional: Maximum interval for exponential backoff retry strategy. + google.protobuf.Duration retry_max_interval = 5 [(validate.rules).duration = {lte: {seconds: 60}}]; + + // Optional: Initial metadata to include with gRPC requests. + repeated envoy.config.core.v3.HeaderValue initial_metadata = 6; +} \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml b/examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml new file mode 100644 index 0000000000000..74f0fe153c404 --- /dev/null +++ b/examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml @@ -0,0 +1,112 @@ +--- +node: + id: cloud-node + cluster: cloud +static_resources: + listeners: + # Listener for both HTTP and gRPC reverse tunnel handshake requests + - name: reverse_tunnel_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_tunnel + codec_type: AUTO + route_config: + name: reverse_tunnel_route + virtual_hosts: + - name: reverse_tunnel_service + domains: ["*"] + routes: + # gRPC reverse tunnel handshake + - match: + prefix: "/envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService" + headers: + - name: "content-type" + string_match: + exact: "application/grpc" + route: + cluster: local_service + timeout: 30s + # Legacy HTTP reverse tunnel handshake + - match: + prefix: "/reverse_connections" + route: + cluster: local_service + timeout: 30s + http_filters: + # Enhanced reverse connection filter with gRPC support + - name: reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 2 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + http2_protocol_options: {} + + # Listener that will route the downstream request to the reverse connection cluster + - name: egress_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8085 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: egress_http + codec_type: AUTO + route_config: + name: egress_route + virtual_hosts: + - name: reverse_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: reverse_connection_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: local_service + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: local_service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 9000 + + - name: reverse_connection_cluster + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: reverse_connection_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8080 + +bootstrap_extensions: + - name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml new file mode 100644 index 0000000000000..42aeb028c74c4 --- /dev/null +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml @@ -0,0 +1,112 @@ +--- +node: + id: on-prem-node + cluster: on-prem +static_resources: + listeners: + # Frontend listener accepting requests + - name: frontend_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: frontend_http + codec_type: AUTO + route_config: + name: frontend_route + virtual_hosts: + - name: frontend_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: backend_service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + # Cloud cluster for reverse tunnel handshakes (gRPC) + - name: cloud + type: STATIC + lb_policy: ROUND_ROBIN + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + load_assignment: + cluster_name: cloud + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 9000 + + # Backend service cluster + - name: backend_service + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: backend_service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8081 + +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + address: 127.0.0.1 + port_value: 8879 + +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 + +# Enable reverse connection bootstrap extension with gRPC client +bootstrap_extensions: + - name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface + src_cluster_id: "on-prem" + src_node_id: "on-prem-node" + src_tenant_id: "tenant-1" + remote_cluster_to_conn_count: + - cluster_name: "cloud" + reverse_connection_count: 2 + # gRPC handshake configuration + grpc_service_config: + grpc_service: + envoy_grpc: + cluster_name: cloud + timeout: 10s + retry_policy: + retry_back_off: + base_interval: 0.15s + max_interval: 5s + num_retries: 3 + handshake_timeout: 10s + max_retries: 3 + retry_base_interval: 0.15s + retry_max_interval: 5s + initial_metadata: + - key: "x-service-version" + value: "grpc-v1" + - key: "x-envoy-node-id" + value: "on-prem-node" \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/test_grpc_handshake.sh b/examples/reverse_connection_socket_interface/test_grpc_handshake.sh new file mode 100755 index 0000000000000..14be4e7b75001 --- /dev/null +++ b/examples/reverse_connection_socket_interface/test_grpc_handshake.sh @@ -0,0 +1,213 @@ +#!/bin/bash + +# Test script for gRPC reverse tunnel handshake demonstration +# This script automates the testing process for the new gRPC-based handshake + +set -e + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +ENVOY_BINARY="${ENVOY_BINARY:-bazel-bin/source/exe/envoy-static}" + +echo "🚀 gRPC Reverse Tunnel Handshake Test" +echo "======================================" + +# Check if envoy binary exists +if [ ! -f "${ENVOY_BINARY}" ]; then + echo "❌ Error: Envoy binary not found at ${ENVOY_BINARY}" + echo " Please build Envoy first: bazel build //source/exe:envoy-static" + echo " Or set ENVOY_BINARY environment variable to the correct path" + exit 1 +fi + +# Kill any existing envoy processes +echo "🧹 Cleaning up existing processes..." +pkill -f "envoy-static.*cloud-envoy" || true +pkill -f "envoy-static.*on-prem-envoy" || true +sleep 2 + +# Start Python backend server in background +echo "🐍 Starting Python backend server..." +cd "${SCRIPT_DIR}/../" +python3 -c " +import http.server +import socketserver +import json +import urllib.parse +from datetime import datetime + +class BackendHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + self.send_header('Content-type', 'application/json') + self.end_headers() + + response = { + 'message': 'Hello from on-premises backend service!', + 'timestamp': datetime.now().isoformat(), + 'path': self.path, + 'method': 'GET', + 'headers': dict(self.headers) + } + + self.wfile.write(json.dumps(response, indent=2).encode()) + + def log_message(self, format, *args): + print(f'[BACKEND] {format % args}') + +PORT = 3000 +with socketserver.TCPServer(('', PORT), BackendHandler) as httpd: + print(f'Backend server running on port {PORT}') + httpd.serve_forever() +" & +BACKEND_PID=$! +echo " Backend server started with PID: ${BACKEND_PID}" + +# Wait for backend to start +sleep 2 + +# Start Cloud Envoy (Acceptor) +echo "☁️ Starting Cloud Envoy (gRPC Acceptor)..." +cd "${SCRIPT_DIR}/../../" +"${ENVOY_BINARY}" \ + -c examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml \ + --concurrency 1 --use-dynamic-base-id -l trace \ + > /tmp/cloud-envoy.log 2>&1 & +CLOUD_PID=$! +echo " Cloud Envoy started with PID: ${CLOUD_PID}" + +# Wait for Cloud Envoy to start +echo " Waiting for Cloud Envoy to initialize..." +sleep 5 + +# Check if Cloud Envoy started successfully +if ! kill -0 $CLOUD_PID 2>/dev/null; then + echo "❌ Cloud Envoy failed to start. Check logs:" + tail -20 /tmp/cloud-envoy.log + kill $BACKEND_PID 2>/dev/null || true + exit 1 +fi + +# Start On-Premises Envoy (Initiator) +echo "🏢 Starting On-Premises Envoy (gRPC Initiator)..." +"${ENVOY_BINARY}" \ + -c examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml \ + --concurrency 1 --use-dynamic-base-id -l trace \ + > /tmp/on-prem-envoy.log 2>&1 & +ONPREM_PID=$! +echo " On-Premises Envoy started with PID: ${ONPREM_PID}" + +# Wait for On-Premises Envoy to start and establish connections +echo " Waiting for gRPC handshake to complete..." +sleep 10 + +# Check if On-Premises Envoy started successfully +if ! kill -0 $ONPREM_PID 2>/dev/null; then + echo "❌ On-Premises Envoy failed to start. Check logs:" + tail -20 /tmp/on-prem-envoy.log + kill $CLOUD_PID $BACKEND_PID 2>/dev/null || true + exit 1 +fi + +# Test the end-to-end flow +echo "🧪 Testing end-to-end reverse tunnel flow..." +echo " Sending test request via reverse tunnel..." + +HTTP_RESPONSE=$(curl -s -w "%{http_code}" \ + -H "x-remote-node-id: on-prem-node" \ + -H "x-dst-cluster-uuid: on-prem" \ + http://localhost:8085/on_prem_service) + +HTTP_STATUS="${HTTP_RESPONSE: -3}" +RESPONSE_BODY="${HTTP_RESPONSE%???}" + +echo " HTTP Status: ${HTTP_STATUS}" + +if [ "${HTTP_STATUS}" = "200" ]; then + echo "✅ SUCCESS: Reverse tunnel working correctly!" + echo " Response received:" + echo "${RESPONSE_BODY}" | jq . 2>/dev/null || echo "${RESPONSE_BODY}" +else + echo "❌ FAILED: Unexpected HTTP status: ${HTTP_STATUS}" + echo " Response: ${RESPONSE_BODY}" +fi + +# Check logs for gRPC handshake evidence +echo "" +echo "📋 Checking logs for gRPC handshake evidence..." + +echo " Cloud Envoy (Acceptor) logs:" +if grep -q "EstablishTunnel gRPC request" /tmp/cloud-envoy.log; then + echo " ✅ Found gRPC handshake requests in Cloud Envoy logs" + grep "EstablishTunnel gRPC request" /tmp/cloud-envoy.log | tail -3 +else + echo " ⚠️ No gRPC handshake requests found in Cloud Envoy logs" +fi + +echo "" +echo " On-Premises Envoy (Initiator) logs:" +if grep -q "gRPC reverse tunnel handshake" /tmp/on-prem-envoy.log; then + echo " ✅ Found gRPC handshake initiation in On-Premises Envoy logs" + grep "gRPC reverse tunnel handshake" /tmp/on-prem-envoy.log | tail -3 +else + echo " ⚠️ No gRPC handshake initiation found in On-Premises Envoy logs" +fi + +# Performance test +echo "" +echo "🏃 Performance test (10 requests)..." +start_time=$(date +%s%N) +for i in {1..10}; do + curl -s -H "x-remote-node-id: on-prem-node" \ + -H "x-dst-cluster-uuid: on-prem" \ + http://localhost:8085/on_prem_service > /dev/null +done +end_time=$(date +%s%N) +duration_ms=$(( (end_time - start_time) / 1000000 )) +avg_latency_ms=$(( duration_ms / 10 )) + +echo " Total time: ${duration_ms}ms" +echo " Average latency: ${avg_latency_ms}ms per request" + +# Cleanup function +cleanup() { + echo "" + echo "🧹 Cleaning up..." + kill $ONPREM_PID $CLOUD_PID $BACKEND_PID 2>/dev/null || true + sleep 2 + + echo " Log files available at:" + echo " - Cloud Envoy: /tmp/cloud-envoy.log" + echo " - On-Premises Envoy: /tmp/on-prem-envoy.log" + echo "" + echo " To view detailed logs, run:" + echo " tail -f /tmp/cloud-envoy.log" + echo " tail -f /tmp/on-prem-envoy.log" +} + +# Set trap for cleanup +trap cleanup EXIT INT TERM + +echo "" +echo "🎉 Test completed! Press Ctrl+C to cleanup and exit." +echo " Envoys will continue running for further testing..." + +# Keep the script running +while true; do + sleep 10 + + # Check if processes are still running + if ! kill -0 $CLOUD_PID 2>/dev/null; then + echo "❌ Cloud Envoy died unexpectedly" + break + fi + + if ! kill -0 $ONPREM_PID 2>/dev/null; then + echo "❌ On-Premises Envoy died unexpectedly" + break + fi + + if ! kill -0 $BACKEND_PID 2>/dev/null; then + echo "❌ Backend server died unexpectedly" + break + fi +done \ No newline at end of file diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index 1bc2d890c08eb..ea55a4df04387 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -32,29 +32,23 @@ envoy_cc_extension( ], ) -envoy_cc_extension( - name = "trigger_mechanism_lib", - srcs = ["trigger_mechanism.cc"], - hdrs = ["trigger_mechanism.h"], - visibility = ["//visibility:public"], - deps = [ - "//envoy/event:dispatcher_interface", - "//envoy/event:file_event_interface", - "//source/common/common:assert_lib", - "//source/common/common:logger_lib", - ], -) - envoy_cc_extension( name = "reverse_tunnel_initiator_lib", - srcs = ["reverse_tunnel_initiator.cc"], - hdrs = ["reverse_tunnel_initiator.h"], + srcs = [ + "grpc_reverse_tunnel_client.cc", + "reverse_tunnel_initiator.cc", + ], + hdrs = [ + "factory_base.h", + "grpc_reverse_tunnel_client.h", + "reverse_tunnel_initiator.h", + ], visibility = ["//visibility:public"], deps = [ ":reverse_connection_address_lib", ":reverse_connection_resolver_lib", - ":trigger_mechanism_lib", "//envoy/api:io_error_interface", + "//envoy/grpc:async_client_interface", "//envoy/network:address_interface", "//envoy/network:io_handle_interface", "//envoy/network:socket_interface", @@ -62,39 +56,33 @@ envoy_cc_extension( "//envoy/server:bootstrap_extension_config_interface", "//envoy/stats:stats_interface", "//envoy/stats:stats_macros", + "//envoy/tracing:trace_driver_interface", "//envoy/upstream:cluster_manager_interface", "//source/common/buffer:buffer_lib", "//source/common/common:logger_lib", + "//source/common/grpc:typed_async_client_lib", "//source/common/http:headers_lib", "//source/common/network:address_lib", "//source/common/network:default_socket_interface_lib", "//source/common/network:filter_lib", "//source/common/protobuf", - ":reverse_connection_utility_lib", + "//source/common/reverse_connection:reverse_connection_utility_lib", "//source/common/upstream:load_balancer_context_base_lib", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", + "@envoy_api//envoy/service/reverse_tunnel/v3:pkg_cc_proto", ], alwayslink = 1, ) -envoy_cc_extension( - name = "reverse_connection_utility_lib", - srcs = ["reverse_connection_utility.cc"], - hdrs = ["reverse_connection_utility.h"], - visibility = ["//visibility:public"], - deps = [ - "//envoy/buffer:buffer_interface", - "//envoy/network:connection_interface", - "//source/common/buffer:buffer_lib", - "//source/common/common:logger_lib", - ], -) - envoy_cc_extension( name = "reverse_tunnel_acceptor_lib", srcs = ["reverse_tunnel_acceptor.cc"], - hdrs = ["reverse_tunnel_acceptor.h"], + hdrs = [ + "factory_base.h", + "reverse_tunnel_acceptor.h", + ], visibility = ["//visibility:public"], deps = [ "//envoy/common:random_generator_interface", @@ -112,7 +100,7 @@ envoy_cc_extension( "//source/common/network:address_lib", "//source/common/network:default_socket_interface_lib", "//source/common/protobuf", - ":reverse_connection_utility_lib", + "//source/common/reverse_connection:reverse_connection_utility_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], alwayslink = 1, diff --git a/source/extensions/bootstrap/reverse_tunnel/factory_base.h b/source/extensions/bootstrap/reverse_tunnel/factory_base.h new file mode 100644 index 0000000000000..564e00b7d8b29 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/factory_base.h @@ -0,0 +1,128 @@ +#pragma once + +#include "envoy/server/bootstrap_extension_config.h" + +#include "source/common/common/logger.h" +#include "source/common/protobuf/utility.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Common base class for reverse connection bootstrap factory registrations. + * Removes a substantial amount of boilerplate and follows Envoy's factory patterns. + * Template parameters: + * ConfigProto: Protobuf message type for the bootstrap configuration + * ExtensionImpl: The actual bootstrap extension implementation class + */ +template +class ReverseConnectionBootstrapFactoryBase + : public Server::Configuration::BootstrapExtensionFactory { +public: + // Server::Configuration::BootstrapExtensionFactory implementation + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override { + return createBootstrapExtensionTyped(MessageUtil::downcastAndValidate( + config, context.messageValidationVisitor()), + context); + } + + ProtobufTypes::MessagePtr createEmptyConfigProto() override { + return std::make_unique(); + } + + std::string name() const override { return name_; } + +protected: + /** + * Constructor for the factory base. + * @param name the name of the bootstrap extension factory + */ + explicit ReverseConnectionBootstrapFactoryBase(const std::string& name) : name_(name) {} + +private: + /** + * Create the typed bootstrap extension from the validated protobuf configuration. + * This method is implemented by derived classes to create the specific extension. + * @param proto_config the validated protobuf configuration + * @param context the server factory context + * @return unique pointer to the created bootstrap extension + */ + virtual Server::BootstrapExtensionPtr + createBootstrapExtensionTyped(const ConfigProto& proto_config, + Server::Configuration::ServerFactoryContext& context) PURE; + + const std::string name_; +}; + +/** + * Thread-safe factory utilities for reverse connection extensions. + * Provides common thread safety patterns and validation helpers. + */ +class ReverseConnectionFactoryUtils { +public: + /** + * Validate thread-local slot availability before using it. + * Follows Envoy's patterns for safe TLS access. + * @param tls_slot the thread-local slot to validate + * @param extension_name name of the extension for error messages + * @return true if the slot is safe to use, false otherwise + */ + template + static bool + validateThreadLocalSlot(const std::unique_ptr>& tls_slot, + const std::string& /* extension_name */) { + return tls_slot != nullptr; + } + + /** + * Safe access to thread-local registry with proper error handling. + * @param tls_slot the thread-local slot to access + * @param extension_name name of the extension for error messages + * @return pointer to the thread-local object, or nullptr if not available + */ + template + static TlsType* + safeGetThreadLocal(const std::unique_ptr>& tls_slot, + const std::string& extension_name) { + if (!validateThreadLocalSlot(tls_slot, extension_name)) { + return nullptr; + } + + try { + if (auto opt = tls_slot->get(); opt.has_value()) { + return &opt.value().get(); + } + } catch (const std::exception&) { + // Exception during TLS access - return nullptr for safety + } + + return nullptr; + } + + /** + * Create thread-local slot with proper error handling and validation. + * @param thread_local_manager the thread local manager + * @param extension_name name of the extension for logging + * @return unique pointer to the created slot, or nullptr on failure + */ + template + static std::unique_ptr> + createThreadLocalSlot(ThreadLocal::SlotAllocator& thread_local_manager, + const std::string& /* extension_name */) { + try { + return ThreadLocal::TypedSlot::makeUnique(thread_local_manager); + } catch (const std::exception&) { + // Failed to create slot - return nullptr + return nullptr; + } + } +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc new file mode 100644 index 0000000000000..34d2068070e16 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc @@ -0,0 +1,268 @@ +#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" + +#include +#include + +#include "envoy/grpc/async_client.h" +#include "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.pb.h" + +#include "source/common/common/logger.h" +#include "source/common/grpc/typed_async_client.h" +#include "source/common/protobuf/utility.h" + +#include "absl/strings/str_cat.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +GrpcReverseTunnelClient::GrpcReverseTunnelClient( + Upstream::ClusterManager& cluster_manager, + const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& config, + GrpcReverseTunnelCallbacks& callbacks) + : cluster_manager_(cluster_manager), config_(config), callbacks_(callbacks), + service_method_(Protobuf::DescriptorPool::generated_pool()->FindMethodByName( + "envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService.EstablishTunnel")) { + + // Generate unique correlation ID for this handshake session + correlation_id_ = + absl::StrCat("handshake_", std::chrono::duration_cast( + std::chrono::steady_clock::now().time_since_epoch()) + .count()); + + ENVOY_LOG(debug, "Created GrpcReverseTunnelClient with correlation ID: {}", correlation_id_); + + // Create gRPC client immediately + if (auto status = createGrpcClient(); !status.ok()) { + ENVOY_LOG(error, "Failed to create gRPC client for reverse tunnel handshake: {}", + status.message()); + throw EnvoyException(fmt::format( + "Failed to create gRPC client for reverse tunnel handshake: {}", status.message())); + } +} + +GrpcReverseTunnelClient::~GrpcReverseTunnelClient() { + ENVOY_LOG(debug, "Destroying GrpcReverseTunnelClient with correlation ID: {}", correlation_id_); + cancel(); +} + +absl::Status GrpcReverseTunnelClient::createGrpcClient() { + try { + // Verify cluster exists in cluster manager + if (!config_.has_grpc_service() || !config_.grpc_service().has_envoy_grpc()) { + return absl::InvalidArgumentError( + "Invalid gRPC service configuration - missing envoy_grpc configuration"); + } + + const std::string& cluster_name = config_.grpc_service().envoy_grpc().cluster_name(); + auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); + if (!thread_local_cluster) { + return absl::NotFoundError( + fmt::format("Cluster '{}' not found for gRPC reverse tunnel handshake", cluster_name)); + } + + // Create raw gRPC client + auto result = cluster_manager_.grpcAsyncClientManager().getOrCreateRawAsyncClient( + config_.grpc_service(), thread_local_cluster->info()->statsScope(), + false); // skip_cluster_check = false + + if (!result.ok()) { + return absl::InternalError( + fmt::format("Failed to create gRPC async client for cluster '{}': {}", cluster_name, + result.status().message())); + } + + auto raw_client = result.value(); + + if (!raw_client) { + return absl::InternalError( + fmt::format("Failed to create gRPC async client for cluster '{}'", cluster_name)); + } + + // Create typed client from raw client + client_ = + Grpc::AsyncClient(raw_client); + + ENVOY_LOG(debug, "Successfully created gRPC client for cluster '{}'", cluster_name); + return absl::OkStatus(); + + } catch (const std::exception& e) { + return absl::InternalError(fmt::format("Exception creating gRPC client: {}", e.what())); + } +} + +bool GrpcReverseTunnelClient::initiateHandshake( + const std::string& tenant_id, const std::string& cluster_id, const std::string& node_id, + const absl::optional& metadata, Tracing::Span& span) { + + if (current_request_) { + ENVOY_LOG(warn, "Handshake already in progress - cancelling previous request."); + cancel(); + } + + // Check if client is available - typed client doesn't have a direct null check + // so we'll proceed with the request and let any errors be handled in the catch block + + try { + // Build the handshake request + auto request = buildHandshakeRequest(tenant_id, cluster_id, node_id, metadata); + + // Record handshake start time for metrics + handshake_start_time_ = std::chrono::steady_clock::now(); + + ENVOY_LOG(info, + "Initiating gRPC reverse tunnel handshake: tenant='{}', cluster='{}', node='{}', " + "correlation='{}'", + tenant_id, cluster_id, node_id, correlation_id_); + + // Create gRPC request with timeout options + Http::AsyncClient::RequestOptions options; + options.setTimeout(std::chrono::milliseconds(config_.handshake_timeout().seconds() * 1000 + + config_.handshake_timeout().nanos() / 1000000)); + + current_request_ = client_->send(*service_method_, request, *this, span, options); + + if (!current_request_) { + ENVOY_LOG(error, "Failed to send gRPC handshake request."); + callbacks_.onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, + "Failed to send gRPC request"); + return false; + } + + ENVOY_LOG(debug, "gRPC handshake request sent successfully with correlation ID: {}", + correlation_id_); + return true; + + } catch (const std::exception& e) { + ENVOY_LOG(error, "Exception initiating gRPC handshake: {}", e.what()); + callbacks_.onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, + absl::StrCat("Exception initiating handshake: ", e.what())); + return false; + } +} + +void GrpcReverseTunnelClient::cancel() { + if (current_request_) { + ENVOY_LOG(debug, "Cancelling gRPC handshake request with correlation ID: {}", correlation_id_); + current_request_->cancel(); + current_request_ = nullptr; + } +} + +void GrpcReverseTunnelClient::onCreateInitialMetadata(Http::RequestHeaderMap& metadata) { + // Add correlation ID and handshake version to request headers + metadata.addCopy(Http::LowerCaseString("x-correlation-id"), correlation_id_); + metadata.addCopy(Http::LowerCaseString("x-handshake-version"), "grpc-v1"); + metadata.addCopy(Http::LowerCaseString("x-reverse-tunnel-handshake"), "true"); + + ENVOY_LOG(debug, "Added initial metadata for gRPC handshake request."); +} + +envoy::service::reverse_tunnel::v3::EstablishTunnelRequest +GrpcReverseTunnelClient::buildHandshakeRequest( + const std::string& tenant_id, const std::string& cluster_id, const std::string& node_id, + const absl::optional& metadata) { + + envoy::service::reverse_tunnel::v3::EstablishTunnelRequest request; + + // Set initiator identity (required) + auto* initiator = request.mutable_initiator(); + initiator->set_tenant_id(tenant_id); + initiator->set_cluster_id(cluster_id); + initiator->set_node_id(node_id); + + // Add custom metadata if provided + if (metadata.has_value()) { + *request.mutable_custom_metadata() = metadata.value(); + } + + // Set tunnel configuration with reasonable defaults + auto* tunnel_config = request.mutable_tunnel_config(); + tunnel_config->mutable_ping_interval()->set_seconds(30); // 30 second ping interval + tunnel_config->mutable_max_idle_time()->set_seconds(300); // 5 minute idle timeout + + // Set QoS configuration for production reliability + auto* qos = tunnel_config->mutable_qos(); + qos->mutable_max_bandwidth_bps()->set_value(10485760); // 10MB/s default + qos->mutable_priority_level()->set_value(5); // Medium priority + qos->set_reliability(envoy::service::reverse_tunnel::v3::ReliabilityLevel::HIGH); + + // Set authentication + auto* auth = request.mutable_auth(); + auth->set_auth_token("reverse-tunnel-token"); // Would come from config + + // Set connection attributes + auto* conn_attrs = request.mutable_connection_attributes(); + conn_attrs->set_trace_id(correlation_id_); + (*conn_attrs->mutable_debug_attributes())["handshake_version"] = "grpc-v1"; + (*conn_attrs->mutable_debug_attributes())["correlation_id"] = correlation_id_; + + ENVOY_LOG(debug, "Built handshake request: {}", request.DebugString()); + return request; +} + +void GrpcReverseTunnelClient::onSuccess( + std::unique_ptr&& response, + Tracing::Span& span) { + + // Calculate handshake duration for metrics + auto handshake_duration = std::chrono::steady_clock::now() - handshake_start_time_; + auto duration_ms = + std::chrono::duration_cast(handshake_duration).count(); + + ENVOY_LOG(info, "gRPC handshake completed successfully in {}ms, correlation: {}, status: {}", + duration_ms, correlation_id_, + envoy::service::reverse_tunnel::v3::TunnelStatus_Name(response->status())); + + // Add success span attributes + span.setTag("handshake.correlation_id", correlation_id_); + span.setTag("handshake.duration_ms", std::to_string(duration_ms)); + span.setTag("handshake.status", + envoy::service::reverse_tunnel::v3::TunnelStatus_Name(response->status())); + + // Clear current request + current_request_ = nullptr; + + // Validate response status + if (response->status() != envoy::service::reverse_tunnel::v3::TunnelStatus::ACCEPTED) { + const std::string error_msg = + absl::StrCat("Handshake rejected by server: ", response->status_message()); + ENVOY_LOG(error, "{}", error_msg); + callbacks_.onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::PermissionDenied, error_msg); + return; + } + + // Forward successful response to callbacks + callbacks_.onHandshakeSuccess(std::move(response)); +} + +void GrpcReverseTunnelClient::onFailure(Grpc::Status::GrpcStatus status, const std::string& message, + Tracing::Span& span) { + + // Calculate handshake duration for metrics + auto handshake_duration = std::chrono::steady_clock::now() - handshake_start_time_; + auto duration_ms = + std::chrono::duration_cast(handshake_duration).count(); + + ENVOY_LOG(error, "gRPC handshake failed after {}ms, correlation: {}, status: {}, message: '{}'", + duration_ms, correlation_id_, static_cast(status), message); + + // Add failure span attributes + span.setTag("handshake.correlation_id", correlation_id_); + span.setTag("handshake.duration_ms", std::to_string(duration_ms)); + span.setTag("handshake.error_status", std::to_string(static_cast(status))); + span.setTag("handshake.error_message", message); + + // Clear current request + current_request_ = nullptr; + + // Forward failure to callbacks + callbacks_.onHandshakeFailure(status, message); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h new file mode 100644 index 0000000000000..0926b0ee2b9d0 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h @@ -0,0 +1,145 @@ +#pragma once + +#include +#include + +#include "envoy/config/core/v3/grpc_service.pb.h" +#include "envoy/grpc/async_client.h" +#include "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.pb.h" +#include "envoy/tracing/trace_driver.h" +#include "envoy/upstream/cluster_manager.h" + +#include "source/common/common/logger.h" +#include "source/common/grpc/typed_async_client.h" +#include "source/common/protobuf/protobuf.h" + +#include "absl/status/status.h" +#include "absl/types/optional.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declaration for callback interface +class GrpcReverseTunnelCallbacks; + +/** + * Configuration for gRPC reverse tunnel client. + */ +struct GrpcReverseTunnelConfig { + envoy::config::core::v3::GrpcService grpc_service; + std::chrono::milliseconds handshake_timeout{10000}; // 10 seconds default + uint32_t max_retries{3}; + std::chrono::milliseconds retry_base_interval{100}; // 100ms + std::chrono::milliseconds retry_max_interval{5000}; // 5 seconds +}; + +/** + * Callback interface for gRPC reverse tunnel handshake results. + */ +class GrpcReverseTunnelCallbacks { +public: + virtual ~GrpcReverseTunnelCallbacks() = default; + + /** + * Called when handshake completes successfully. + * @param response the handshake response from the server + */ + virtual void onHandshakeSuccess( + std::unique_ptr response) = 0; + + /** + * Called when handshake fails. + * @param status the gRPC status code + * @param message error message describing the failure + */ + virtual void onHandshakeFailure(Grpc::Status::GrpcStatus status, const std::string& message) = 0; +}; + +/** + * gRPC client for reverse tunnel handshake operations. + * This class provides a robust gRPC-based handshake mechanism to replace + * the legacy HTTP string-parsing approach. + */ +class GrpcReverseTunnelClient : public Grpc::AsyncRequestCallbacks< + envoy::service::reverse_tunnel::v3::EstablishTunnelResponse>, + public Logger::Loggable { +public: + /** + * Constructor for GrpcReverseTunnelClient. + * @param cluster_manager the cluster manager for gRPC client creation + * @param config the gRPC configuration for the handshake service + * @param callbacks the callback interface for handshake results + */ + GrpcReverseTunnelClient(Upstream::ClusterManager& cluster_manager, + const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& config, + GrpcReverseTunnelCallbacks& callbacks); + + ~GrpcReverseTunnelClient() override; + + /** + * Initiate the reverse tunnel handshake. + * @param tenant_id the tenant identifier + * @param cluster_id the cluster identifier + * @param node_id the node identifier + * @param metadata optional custom metadata + * @param span the tracing span for request tracking + * @return true if handshake was initiated successfully, false otherwise + */ + bool initiateHandshake(const std::string& tenant_id, const std::string& cluster_id, + const std::string& node_id, + const absl::optional& metadata, + Tracing::Span& span); + + /** + * Cancel the ongoing handshake request. + */ + void cancel(); + + // Grpc::AsyncRequestCallbacks implementation + void onCreateInitialMetadata(Http::RequestHeaderMap& metadata) override; + void + onSuccess(std::unique_ptr&& response, + Tracing::Span& span) override; + void onFailure(Grpc::Status::GrpcStatus status, const std::string& message, + Tracing::Span& span) override; + +private: + /** + * Create the gRPC async client. + * @return absl::OkStatus() if client creation was successful, error status otherwise + */ + absl::Status createGrpcClient(); + + /** + * Build the handshake request. + * @param tenant_id the tenant identifier + * @param cluster_id the cluster identifier + * @param node_id the node identifier + * @param metadata optional custom metadata + * @return the constructed handshake request + */ + envoy::service::reverse_tunnel::v3::EstablishTunnelRequest + buildHandshakeRequest(const std::string& tenant_id, const std::string& cluster_id, + const std::string& node_id, + const absl::optional& metadata); + + Upstream::ClusterManager& cluster_manager_; + const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig config_; + GrpcReverseTunnelCallbacks& callbacks_; + + Grpc::AsyncClient + client_; + const Protobuf::MethodDescriptor* service_method_; + Grpc::AsyncRequest* current_request_{nullptr}; + + std::string correlation_id_; + std::chrono::steady_clock::time_point handshake_start_time_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc new file mode 100644 index 0000000000000..9244d42d93840 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc @@ -0,0 +1,426 @@ +#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h" + +#include +#include + +#include "envoy/network/connection.h" +#include "envoy/ssl/connection_info.h" + +#include "source/common/common/logger.h" +#include "source/common/network/address_impl.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" + +#include "absl/strings/str_cat.h" +#include "grpc++/grpc++.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +GrpcReverseTunnelService::GrpcReverseTunnelService( + ReverseTunnelAcceptorExtension& acceptor_extension) + : acceptor_extension_(acceptor_extension) { + ENVOY_LOG(info, "Created gRPC reverse tunnel handshake service."); +} + +grpc::Status GrpcReverseTunnelService::EstablishTunnel( + grpc::ServerContext* context, + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest* request, + envoy::service::reverse_tunnel::v3::EstablishTunnelResponse* response) { + + stats_.total_requests++; + + ENVOY_LOG(info, "Received EstablishTunnel gRPC request from tenant='{}', cluster='{}', node='{}'", + request->initiator().tenant_id(), request->initiator().cluster_id(), + request->initiator().node_id()); + + // Validate the request + if (auto validation_status = validateTunnelRequest(*request); !validation_status.ok()) { + ENVOY_LOG(error, "Invalid tunnel establishment request: {}", validation_status.message()); + stats_.failed_handshakes++; + + response->set_status(envoy::service::reverse_tunnel::v3::REJECTED); + response->set_status_message(validation_status.message()); + return grpc::Status::OK; // Return OK with error status in response + } + + // Authenticate and authorize the request + auto [auth_success, auth_status, auth_message] = authenticateRequest(*request, context); + if (!auth_success) { + ENVOY_LOG(warn, "Authentication/authorization failed for tunnel request: {}", auth_message); + + if (auth_status == envoy::service::reverse_tunnel::v3::AUTHENTICATION_FAILED) { + stats_.authentication_failures++; + } else if (auth_status == envoy::service::reverse_tunnel::v3::AUTHORIZATION_FAILED) { + stats_.authorization_failures++; + } else if (auth_status == envoy::service::reverse_tunnel::v3::RATE_LIMITED) { + stats_.rate_limited_requests++; + } + + stats_.failed_handshakes++; + response->set_status(auth_status); + response->set_status_message(auth_message); + return grpc::Status::OK; + } + + // Process the tunnel request + try { + *response = processTunnelRequest(*request, context); + + if (response->status() == envoy::service::reverse_tunnel::v3::ACCEPTED) { + stats_.successful_handshakes++; + ENVOY_LOG(info, "Successfully established tunnel for node='{}' cluster='{}'", + request->initiator().node_id(), request->initiator().cluster_id()); + } else { + stats_.failed_handshakes++; + ENVOY_LOG(warn, "Failed to establish tunnel for node='{}' cluster='{}': {}", + request->initiator().node_id(), request->initiator().cluster_id(), + response->status_message()); + } + + } catch (const std::exception& e) { + ENVOY_LOG(error, "Exception processing tunnel request: {}", e.what()); + stats_.failed_handshakes++; + + response->set_status(envoy::service::reverse_tunnel::v3::INTERNAL_ERROR); + response->set_status_message( + absl::StrCat("Internal error processing tunnel request: ", e.what())); + } + + return grpc::Status::OK; +} + +absl::Status GrpcReverseTunnelService::validateTunnelRequest( + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request) { + + // Validate required initiator identity + if (!request.has_initiator()) { + return absl::InvalidArgumentError("Tunnel request missing initiator identity"); + } + + const auto& initiator = request.initiator(); + + // Validate required identity fields + if (initiator.tenant_id().empty() || initiator.cluster_id().empty() || + initiator.node_id().empty()) { + return absl::InvalidArgumentError(fmt::format( + "Tunnel request has empty required identity fields: tenant='{}', cluster='{}', node='{}'", + initiator.tenant_id(), initiator.cluster_id(), initiator.node_id())); + } + + // Validate identity field lengths + if (initiator.tenant_id().length() > 128 || initiator.cluster_id().length() > 128 || + initiator.node_id().length() > 128) { + return absl::InvalidArgumentError(fmt::format("Tunnel request has identity fields exceeding " + "maximum length: tenant={}, cluster={}, node={}", + initiator.tenant_id().length(), + initiator.cluster_id().length(), + initiator.node_id().length())); + } + + // Validate tunnel configuration if present + if (request.has_tunnel_config()) { + const auto& config = request.tunnel_config(); + + if (config.has_ping_interval()) { + auto ping_seconds = config.ping_interval().seconds(); + if (ping_seconds < 1 || ping_seconds > 3600) { + return absl::InvalidArgumentError(fmt::format( + "Invalid ping interval in tunnel request: {} seconds (must be 1-3600)", ping_seconds)); + } + } + + if (config.has_max_idle_time()) { + auto idle_seconds = config.max_idle_time().seconds(); + if (idle_seconds < 30 || idle_seconds > 86400) { // 30 seconds to 24 hours + return absl::InvalidArgumentError( + fmt::format("Invalid max idle time in tunnel request: {} seconds (must be 30-86400)", + idle_seconds)); + } + } + } + + ENVOY_LOG(debug, "Tunnel request validation successful."); + return absl::OkStatus(); +} + +envoy::service::reverse_tunnel::v3::EstablishTunnelResponse +GrpcReverseTunnelService::processTunnelRequest( + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request, + grpc::ServerContext* context) { + + envoy::service::reverse_tunnel::v3::EstablishTunnelResponse response; + + // Extract the underlying TCP connection + Network::Connection* tcp_connection = extractTcpConnection(context); + if (!tcp_connection) { + ENVOY_LOG(error, "Failed to extract TCP connection from gRPC context."); + response.set_status(envoy::service::reverse_tunnel::v3::INTERNAL_ERROR); + response.set_status_message("Failed to access underlying TCP connection"); + return response; + } + + // Register the tunnel connection with the acceptor + if (!registerTunnelConnection(tcp_connection, request)) { + ENVOY_LOG(error, "Failed to register tunnel connection with acceptor."); + response.set_status(envoy::service::reverse_tunnel::v3::INTERNAL_ERROR); + response.set_status_message("Failed to register tunnel connection"); + return response; + } + + // Create accepted configuration + *response.mutable_accepted_config() = createAcceptedConfiguration(request); + + // Set connection information + auto* conn_info = response.mutable_connection_info(); + conn_info->set_connection_id(absl::StrCat("tunnel_", request.initiator().node_id(), "_", + std::chrono::duration_cast( + std::chrono::system_clock::now().time_since_epoch()) + .count())); + + // Set establishment timestamp + auto now = std::chrono::system_clock::now(); + auto timestamp = conn_info->mutable_established_at(); + auto duration = now.time_since_epoch(); + auto seconds = std::chrono::duration_cast(duration); + auto nanos = std::chrono::duration_cast(duration - seconds); + timestamp->set_seconds(seconds.count()); + timestamp->set_nanos(static_cast(nanos.count())); + + // Set expiration time (default: 24 hours from now) + auto expiry_time = now + std::chrono::hours(24); + auto expiry_timestamp = conn_info->mutable_expires_at(); + auto expiry_duration = expiry_time.time_since_epoch(); + auto expiry_seconds = std::chrono::duration_cast(expiry_duration); + auto expiry_nanos = + std::chrono::duration_cast(expiry_duration - expiry_seconds); + expiry_timestamp->set_seconds(expiry_seconds.count()); + expiry_timestamp->set_nanos(static_cast(expiry_nanos.count())); + + // Extract connection attributes from gRPC context + *response.mutable_connection_info()->mutable_connection_attributes() = + extractConnectionAttributes(context); + + // Set successful status + response.set_status(envoy::service::reverse_tunnel::v3::ACCEPTED); + response.set_status_message("Tunnel established successfully"); + + ENVOY_LOG(debug, "Created tunnel response: {}", response.DebugString()); + return response; +} + +envoy::service::reverse_tunnel::v3::ConnectionAttributes +GrpcReverseTunnelService::extractConnectionAttributes(grpc::ServerContext* context) { + + envoy::service::reverse_tunnel::v3::ConnectionAttributes attributes; + + // Extract peer address from gRPC context + std::string peer = context->peer(); + if (!peer.empty()) { + attributes.set_source_address(peer); + ENVOY_LOG(debug, "Extracted peer address: {}", peer); + } + + // Extract metadata from gRPC context + const auto& client_metadata = context->client_metadata(); + for (const auto& [key, value] : client_metadata) { + std::string key_str(key.data(), key.size()); + std::string value_str(value.data(), value.size()); + + if (key_str == "x-connection-id") { + attributes.set_trace_id(value_str); + } else if (key_str.find("x-") == 0) { + // Store custom debug attributes + auto& debug_attrs = *attributes.mutable_debug_attributes(); + debug_attrs[key_str] = value_str; + } + + ENVOY_LOG(trace, "gRPC metadata: {}={}", key_str, value_str); + } + + return attributes; +} + +std::tuple +GrpcReverseTunnelService::authenticateRequest( + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request, + grpc::ServerContext* context) { + + // Basic authentication based on identity fields + const auto& initiator = request.initiator(); + + // For now, implement a simple allow-list based authentication + // In production, this should integrate with proper authentication systems + + // Allow specific tenant/cluster combinations + if (initiator.tenant_id() == "on-prem-tenant" && initiator.cluster_id() == "on-prem" && + !initiator.node_id().empty()) { + + ENVOY_LOG(debug, "Authentication successful for tenant='{}' cluster='{}' node='{}'", + initiator.tenant_id(), initiator.cluster_id(), initiator.node_id()); + return {true, envoy::service::reverse_tunnel::v3::ACCEPTED, ""}; + } + + // Check for certificate-based authentication if available + if (request.has_auth() && request.auth().has_certificate_auth()) { + const auto& cert_auth = request.auth().certificate_auth(); + if (!cert_auth.cert_fingerprint().empty()) { + // In a real implementation, validate the certificate fingerprint + ENVOY_LOG(debug, "Certificate-based authentication for fingerprint: {}", + cert_auth.cert_fingerprint()); + return {true, envoy::service::reverse_tunnel::v3::ACCEPTED, ""}; + } + } + + // Check for token-based authentication + if (request.has_auth() && !request.auth().auth_token().empty()) { + // In a real implementation, validate the auth token + ENVOY_LOG(debug, "Token-based authentication attempted."); + // For demo purposes, accept any non-empty token + return {true, envoy::service::reverse_tunnel::v3::ACCEPTED, ""}; + } + + ENVOY_LOG(warn, "Authentication failed for tenant='{}' cluster='{}' node='{}'", + initiator.tenant_id(), initiator.cluster_id(), initiator.node_id()); + + return {false, envoy::service::reverse_tunnel::v3::AUTHENTICATION_FAILED, + "Authentication failed: invalid credentials or unauthorized tenant/cluster"}; +} + +envoy::service::reverse_tunnel::v3::TunnelConfiguration +GrpcReverseTunnelService::createAcceptedConfiguration( + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request) { + + envoy::service::reverse_tunnel::v3::TunnelConfiguration accepted_config; + + // Set ping interval (use requested value or default) + if (request.has_tunnel_config() && request.tunnel_config().has_ping_interval()) { + auto requested_ping = request.tunnel_config().ping_interval().seconds(); + // Clamp to reasonable range + auto accepted_ping = std::clamp(requested_ping, int64_t(10), int64_t(300)); // 10s to 5min + accepted_config.mutable_ping_interval()->set_seconds(accepted_ping); + + if (requested_ping != accepted_ping) { + ENVOY_LOG(debug, "Adjusted ping interval from {} to {} seconds", requested_ping, + accepted_ping); + } + } else { + // Default ping interval + accepted_config.mutable_ping_interval()->set_seconds(30); + } + + // Set max idle time (use requested value or default) + if (request.has_tunnel_config() && request.tunnel_config().has_max_idle_time()) { + auto requested_idle = request.tunnel_config().max_idle_time().seconds(); + // Clamp to reasonable range + auto accepted_idle = std::clamp(requested_idle, int64_t(300), int64_t(3600)); // 5min to 1hour + accepted_config.mutable_max_idle_time()->set_seconds(accepted_idle); + } else { + // Default max idle time + accepted_config.mutable_max_idle_time()->set_seconds(1800); // 30 minutes + } + + // Set QoS configuration + auto* qos = accepted_config.mutable_qos(); + qos->set_reliability(envoy::service::reverse_tunnel::v3::STANDARD); + + // Set default priority level + qos->mutable_priority_level()->set_value(5); + + ENVOY_LOG(debug, "Created accepted configuration with ping_interval={}s, max_idle={}s", + accepted_config.ping_interval().seconds(), accepted_config.max_idle_time().seconds()); + + return accepted_config; +} + +Network::Connection* GrpcReverseTunnelService::extractTcpConnection(grpc::ServerContext* context) { + // This is a simplified implementation - in a real Envoy integration, + // we would need to access the underlying Envoy connection through the gRPC context + // For now, we'll return nullptr and handle this in the integration layer + + ENVOY_LOG(debug, "Extracting TCP connection from gRPC context (simplified implementation)."); + + // TODO: Implement proper Envoy-specific connection extraction + // This would involve accessing Envoy's gRPC server implementation details + // to get the underlying Network::Connection + + return nullptr; // Placeholder - to be implemented in full integration +} + +bool GrpcReverseTunnelService::registerTunnelConnection( + Network::Connection* connection, + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request) { + + if (!connection) { + ENVOY_LOG(error, "Cannot register null connection."); + return false; + } + + const auto& initiator = request.initiator(); + + // Get ping interval from accepted configuration + std::chrono::seconds ping_interval(30); // Default + if (request.has_tunnel_config() && request.tunnel_config().has_ping_interval()) { + ping_interval = std::chrono::seconds(request.tunnel_config().ping_interval().seconds()); + } + + try { + // Get the thread-local socket manager from the acceptor extension + auto* local_registry = acceptor_extension_.getLocalRegistry(); + if (!local_registry || !local_registry->socketManager()) { + ENVOY_LOG(error, "Failed to get socket manager from acceptor extension."); + return false; + } + + auto* socket_manager = local_registry->socketManager(); + + // Create a connection socket from the TCP connection + // This is a simplified approach - in full implementation we'd need proper socket management + Network::ConnectionSocketPtr socket = connection->moveSocket(); + + // Register the connection with the socket manager + socket_manager->addConnectionSocket(initiator.node_id(), initiator.cluster_id(), + std::move(socket), ping_interval, + false // not rebalanced + ); + + ENVOY_LOG(info, "Successfully registered tunnel connection for node='{}' cluster='{}'", + initiator.node_id(), initiator.cluster_id()); + + return true; + + } catch (const std::exception& e) { + ENVOY_LOG(error, "Exception registering tunnel connection: {}", e.what()); + return false; + } +} + +// Factory implementation +std::unique_ptr +GrpcReverseTunnelServiceFactory::createService(ReverseTunnelAcceptorExtension& acceptor_extension) { + + ENVOY_LOG(info, "Creating gRPC reverse tunnel service."); + return std::make_unique(acceptor_extension); +} + +bool GrpcReverseTunnelServiceFactory::registerService( + grpc::Server& grpc_server, std::unique_ptr service) { + + ENVOY_LOG(info, "Registering gRPC reverse tunnel service with server."); + + // Register the service with the gRPC server + grpc_server.RegisterService(service.get()); + + // Note: In a real implementation, we'd need to manage the service lifetime properly + // This is a simplified version for demonstration purposes + + ENVOY_LOG(info, "Successfully registered gRPC reverse tunnel service."); + return true; +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h new file mode 100644 index 0000000000000..bd4b5ba98de9d --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h @@ -0,0 +1,160 @@ +#pragma once + +#include + +#include "envoy/grpc/async_client.h" +#include "envoy/server/filter_config.h" +#include "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.pb.h" +#include "envoy/singleton/instance.h" + +#include "source/common/common/logger.h" +#include "source/common/grpc/common.h" +#include "source/common/singleton/const_singleton.h" + +#include "absl/status/status.h" +#include "grpc++/grpc++.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class ReverseTunnelAcceptorExtension; + +/** + * gRPC service implementation for reverse tunnel handshake operations. + * This class implements the ReverseTunnelHandshakeService and handles + * EstablishTunnel requests from reverse connection initiators. + */ +class GrpcReverseTunnelService final + : public envoy::service::reverse_tunnel::v3::ReverseTunnelHandshakeService::Service, + public Logger::Loggable { +public: + /** + * Constructor for the gRPC reverse tunnel service. + * @param acceptor_extension reference to the acceptor extension for connection management + */ + explicit GrpcReverseTunnelService(ReverseTunnelAcceptorExtension& acceptor_extension); + + ~GrpcReverseTunnelService() override = default; + + // ReverseTunnelHandshakeService::Service implementation + /** + * Handle EstablishTunnel gRPC requests from reverse connection initiators. + * @param context the gRPC server context + * @param request the tunnel establishment request + * @param response the tunnel establishment response + * @return gRPC status indicating success or failure + */ + grpc::Status + EstablishTunnel(grpc::ServerContext* context, + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest* request, + envoy::service::reverse_tunnel::v3::EstablishTunnelResponse* response) override; + +private: + /** + * Validate the tunnel establishment request. + * @param request the request to validate + * @return absl::OkStatus() if request is valid, error status with details otherwise + */ + absl::Status + validateTunnelRequest(const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request); + + /** + * Process the authenticated tunnel request and establish the reverse connection. + * @param request the validated tunnel request + * @param context the gRPC server context for extracting connection information + * @return response indicating success or failure with details + */ + envoy::service::reverse_tunnel::v3::EstablishTunnelResponse + processTunnelRequest(const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request, + grpc::ServerContext* context); + + /** + * Extract connection information from the gRPC context. + * @param context the gRPC server context + * @return connection attributes for the tunnel + */ + envoy::service::reverse_tunnel::v3::ConnectionAttributes + extractConnectionAttributes(grpc::ServerContext* context); + + /** + * Authenticate and authorize the tunnel request. + * @param request the tunnel request to authenticate + * @param context the gRPC server context + * @return tuple of (success, error_status, error_message) + */ + std::tuple + authenticateRequest(const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request, + grpc::ServerContext* context); + + /** + * Create the response configuration based on the request and acceptor policies. + * @param request the original tunnel request + * @return accepted tunnel configuration + */ + envoy::service::reverse_tunnel::v3::TunnelConfiguration createAcceptedConfiguration( + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request); + + /** + * Extract the underlying TCP connection from the gRPC context. + * This is Envoy-specific functionality to access the raw connection. + * @param context the gRPC server context + * @return pointer to the underlying Network::Connection, or nullptr if not available + */ + Network::Connection* extractTcpConnection(grpc::ServerContext* context); + + /** + * Register the established tunnel connection with the acceptor. + * @param connection the underlying TCP connection + * @param request the tunnel establishment request + * @return true if connection was successfully registered, false otherwise + */ + bool registerTunnelConnection( + Network::Connection* connection, + const envoy::service::reverse_tunnel::v3::EstablishTunnelRequest& request); + + // Reference to the acceptor extension for connection management + ReverseTunnelAcceptorExtension& acceptor_extension_; + + // Service statistics and metrics + struct ServiceStats { + uint64_t total_requests{0}; + uint64_t successful_handshakes{0}; + uint64_t failed_handshakes{0}; + uint64_t authentication_failures{0}; + uint64_t authorization_failures{0}; + uint64_t rate_limited_requests{0}; + }; + ServiceStats stats_; +}; + +/** + * Factory for creating and managing the gRPC reverse tunnel service. + * This integrates with Envoy's gRPC server infrastructure. + */ +class GrpcReverseTunnelServiceFactory : public Logger::Loggable { +public: + /** + * Create a new gRPC reverse tunnel service instance. + * @param acceptor_extension reference to the acceptor extension + * @return unique pointer to the created service + */ + static std::unique_ptr + createService(ReverseTunnelAcceptorExtension& acceptor_extension); + + /** + * Register the service with Envoy's gRPC server. + * @param grpc_server reference to the Envoy gRPC server + * @param service the service to register + * @return true if registration was successful, false otherwise + */ + static bool registerService(grpc::Server& grpc_server, + std::unique_ptr service); +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h index dcb2de1bf3557..bd737a17086d8 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h @@ -49,14 +49,13 @@ class ReverseConnectionAddress : public Network::Address::Instance { socklen_t sockAddrLen() const override; absl::string_view addressType() const override { return "reverse_connection"; } const Network::SocketInterface& socketInterface() const override { - auto* socket_interface = Network::socketInterface( + // Return the appropriate reverse connection socket interface for downstream connections + auto* reverse_socket_interface = Network::socketInterface( "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); - if (socket_interface) { - return *socket_interface; + if (reverse_socket_interface) { + return *reverse_socket_interface; } - // Fallback to default if reverse connection interface is not available - ENVOY_LOG_MISC(error, "Reverse connection address detected but socket interface not registered: {}", - logicalName()); + // Fallback to default socket interface if reverse connection interface is not available return Network::SocketInterfaceSingleton::get(); } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index f81de5baf3738..c4e3ea9886942 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -1,7 +1,5 @@ #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" -#include - #include #include #include @@ -21,7 +19,7 @@ #include "source/common/protobuf/message_validator_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" +#include "source/common/reverse_connection/reverse_connection_utility.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" #include "google/protobuf/empty.pb.h" @@ -44,26 +42,26 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { ReverseConnectionIOHandle* parent) : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)), connection_key_(connection_key), parent_(parent) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {}", + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {}.", fd_, connection_key_); } ~DownstreamReverseConnectionIOHandle() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {}", fd_); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {}.", fd_); } // Network::IoHandle overrides. Api::IoCallUint64Result close() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {}", fd_); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {}.", fd_); - // Safely notify parent of connection closure + // Safely notify parent of connection closure. try { if (parent_) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: Marking connection as closed"); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: Marking connection as closed."); parent_->onDownstreamConnectionClosed(connection_key_); } } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception notifying parent of connection closure (continuing): {}", + ENVOY_LOG(debug, "Exception notifying parent of connection closure (continuing): {}.", e.what()); } @@ -73,7 +71,7 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { owned_socket_.reset(); } } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception resetting owned socket (continuing): {}", e.what()); + ENVOY_LOG(debug, "Exception resetting owned socket (continuing): {}.", e.what()); } return IoSocketHandleImpl::close(); @@ -87,9 +85,9 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { private: // The socket that this IOHandle owns and manages lifetime for. Network::ConnectionSocketPtr owned_socket_; - // Connection key for identifying this connection + // Connection key for identifying this connection. std::string connection_key_; - // Pointer to parent ReverseConnectionIOHandle + // Pointer to parent ReverseConnectionIOHandle. ReverseConnectionIOHandle* parent_; }; @@ -99,7 +97,8 @@ class ReverseTunnelInitiator; /** * RCConnectionWrapper manages the lifecycle of a ClientConnectionPtr for reverse connections. - * It handles connection callbacks, sends the handshake request, and processes the response. + * It handles connection callbacks, sends the HTTP handshake request, and processes the response. + * This class uses HTTP requests with protobuf payloads for robust handshake communication. */ class RCConnectionWrapper : public Network::ConnectionCallbacks, public Event::DeferredDeletable, @@ -118,11 +117,14 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, void onEvent(Network::ConnectionEvent event) override; void onAboveWriteBufferHighWatermark() override {} void onBelowWriteBufferLowWatermark() override {} - // Initiate the reverse connection handshake. + + // Initiate the reverse connection handshake using HTTP requests with protobuf payloads. std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, const std::string& src_node_id); - // Process the handshake response. + + // Handle handshake response parsing void onData(const std::string& error); + // Clean up on failure. Use graceful shutdown. void onFailure() { ENVOY_LOG(debug, @@ -191,9 +193,9 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, const std::string data = buffer.toString(); // Handle ping messages. - if (::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage(data)) { - ENVOY_LOG(debug, "Received RPING message, using utility to echo back"); - ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::sendPingResponse( + if (::Envoy::ReverseConnection::ReverseConnectionUtility::isPingMessage(data)) { + ENVOY_LOG(debug, "Received RPING message, using utility to echo back."); + ::Envoy::ReverseConnection::ReverseConnectionUtility::sendPingResponse( *parent_->connection_); buffer.drain(buffer.length()); // Consume the ping message. return Network::FilterStatus::Continue; @@ -201,8 +203,8 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, // Handle HTTP response parsing for handshake. response_buffer_string_ += buffer.toString(); - ENVOY_LOG(debug, "Current response buffer: '{}'", response_buffer_string_); - const size_t headers_end_index = response_buffer_string_.find(DOUBLE_CRLF); + ENVOY_LOG(debug, "Current response buffer: '{}'.", response_buffer_string_); + const size_t headers_end_index = response_buffer_string_.find(kDoubleCrlf); if (headers_end_index == std::string::npos) { ENVOY_LOG(debug, "Received {} bytes, but not all the headers.", response_buffer_string_.length()); @@ -211,7 +213,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, const std::string headers_section = response_buffer_string_.substr(0, headers_end_index); ENVOY_LOG(debug, "Headers section: '{}'", headers_section); const std::vector& headers = StringUtil::splitToken( - headers_section, CRLF, false /* keep_empty_string */, true /* trim_whitespace */); + headers_section, kCrlf, false /* keep_empty_string */, true /* trim_whitespace */); ENVOY_LOG(debug, "Split into {} headers", headers.size()); const absl::string_view content_length_str = Http::Headers::get().ContentLength.get(); absl::string_view length_header; @@ -222,7 +224,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, } if (!StringUtil::CaseInsensitiveCompare()(header.substr(0, content_length_str.length()), content_length_str)) { - ENVOY_LOG(debug, "Header doesn't start with Content-Length"); + ENVOY_LOG(debug, "Header doesn't start with Content-Length."); continue; // Header doesn't start with Content-Length } // Check if it's exactly "Content-Length:" followed by value. @@ -233,7 +235,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, } if (length_header.empty()) { - ENVOY_LOG(error, "Content-Length header not found in response"); + ENVOY_LOG(error, "Content-Length header not found in response."); return Network::FilterStatus::StopIteration; } @@ -252,7 +254,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, uint32_t body_size = std::stoi(std::string(header_val[1])); ENVOY_LOG(debug, "Decoding a Response of length {}", body_size); - const size_t expected_response_size = headers_end_index + strlen(DOUBLE_CRLF) + body_size; + const size_t expected_response_size = headers_end_index + kDoubleCrlf.size() + body_size; if (response_buffer_string_.length() < expected_response_size) { // We have not received the complete body yet. ENVOY_LOG(trace, "Received {} of {} expected response bytes.", @@ -262,7 +264,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, // Handle case where body_size is 0. if (body_size == 0) { - ENVOY_LOG(debug, "Received response with zero-length body - treating as empty protobuf"); + ENVOY_LOG(debug, "Received response with zero-length body - treating as empty protobuf."); envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; parent_->onData("Empty response received from server"); return Network::FilterStatus::StopIteration; @@ -270,10 +272,10 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; const std::string response_body = - response_buffer_string_.substr(headers_end_index + strlen(DOUBLE_CRLF), body_size); - ENVOY_LOG(debug, "Attempting to parse response body: '{}'", response_body); + response_buffer_string_.substr(headers_end_index + kDoubleCrlf.size(), body_size); + ENVOY_LOG(debug, "Attempting to parse response body: '{}'.", response_body); if (!ret.ParseFromString(response_body)) { - ENVOY_LOG(error, "Failed to parse protobuf response body"); + ENVOY_LOG(error, "Failed to parse protobuf response body."); parent_->onData("Failed to parse response protobuf"); return Network::FilterStatus::StopIteration; } @@ -289,16 +291,17 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, Network::ClientConnectionPtr connection_; Upstream::HostDescriptionConstSharedPtr host_; }; + void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { if (event == Network::ConnectionEvent::RemoteClose) { if (!connection_) { - ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling"); + ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling."); return; } const std::string& connectionKey = connection_->connectionInfoProvider().localAddress()->asString(); - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed", + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed.", connection_->id(), connectionKey); onFailure(); // Notify parent of connection closure. @@ -313,60 +316,72 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, adding connection callbacks", connection_->id()); connection_->addConnectionCallbacks(*this); - // Add read filter to handle response. - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, adding read filter", connection_->id()); - connection_->addReadFilter(Network::ReadFilterSharedPtr{new ConnReadFilter(this)}); connection_->connect(); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, sending reverse connection creation " - "request through TCP", - connection_->id()); - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; - arg.set_tenant_uuid(src_tenant_id); - arg.set_cluster_uuid(src_cluster_id); - arg.set_node_uuid(src_node_id); - ENVOY_LOG(debug, - "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", - src_tenant_id, src_cluster_id, src_node_id); - std::string body = arg.SerializeAsString(); - ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", - body.length(), arg.DebugString()); - std::string host_value; - const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); - if (remote_address->type() == Network::Address::Type::EnvoyInternal) { - const auto& internal_address = - std::dynamic_pointer_cast(remote_address); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, remote address is internal " - "listener {}, using endpoint ID in host header", - connection_->id(), internal_address->envoyInternalAddress()->addressId()); - host_value = internal_address->envoyInternalAddress()->endpointId(); - } else { - host_value = remote_address->asString(); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, remote address is external, " - "using address as host header", - connection_->id()); - } - // Build HTTP request with protobuf body. - Buffer::OwnedImpl reverse_connection_request( + ENVOY_LOG(info, + "RCConnectionWrapper: connection: {}, initiating HTTP handshake " + "for tenant='{}', cluster='{}', node='{}'", + connection_->id(), src_tenant_id, src_cluster_id, src_node_id); + + // Get the connection key for tracking + const std::string connection_key = + connection_->connectionInfoProvider().localAddress()->asString(); + + // Create protobuf request message using the existing message type + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg request; + request.set_tenant_uuid(src_tenant_id); + request.set_cluster_uuid(src_cluster_id); + request.set_node_uuid(src_node_id); + + // Serialize the protobuf message + std::string request_body = request.SerializeAsString(); + + ENVOY_LOG(debug, "Created protobuf request - tenant='{}', cluster='{}', node='{}', body_size={}", + src_tenant_id, src_cluster_id, src_node_id, request_body.size()); + + // Create HTTP request + std::string http_request = fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" "Host: {}\r\n" - "Accept: */*\r\n" - "Content-length: {}\r\n" - "\r\n{}", - host_value, body.length(), body)); - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, writing request to connection: {}", - connection_->id(), reverse_connection_request.toString()); - // Send reverse connection request over TCP connection. - connection_->write(reverse_connection_request, false); - - return connection_->connectionInfoProvider().localAddress()->asString(); + "Content-Type: application/octet-stream\r\n" + "Content-Length: {}\r\n" + "Connection: close\r\n" + "\r\n" + "{}", + connection_->connectionInfoProvider().remoteAddress()->asString(), + request_body.size(), request_body); + + ENVOY_LOG(debug, "Sending HTTP handshake request (size: {} bytes)", http_request.size()); + + // Send the HTTP request over the TCP connection using the socket's write method + Buffer::OwnedImpl buffer(http_request); + Api::IoCallUint64Result result = connection_->getSocket()->ioHandle().write(buffer); + + if (!result.ok()) { + ENVOY_LOG(error, "Failed to send HTTP handshake request: {}", result.err_->getErrorDetails()); + onFailure(); + return ""; + } + + ENVOY_LOG(debug, "Successfully sent HTTP handshake request ({} bytes written)", + result.return_value_); + + // Install read filter to handle the response + connection_->addReadFilter(std::make_shared(this)); + + return connection_key; } void RCConnectionWrapper::onData(const std::string& error) { - parent_.onConnectionDone(error, this, false); + if (!error.empty()) { + ENVOY_LOG(error, "Reverse connection handshake failed: {}.", error); + // Notify parent of handshake failure + parent_.onConnectionDone(error, this, true); + } else { + ENVOY_LOG(info, "Reverse connection handshake succeeded."); + // Notify parent of handshake success + parent_.onConnectionDone("", this, false); + } } ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, @@ -389,46 +404,42 @@ ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, } ReverseConnectionIOHandle::~ReverseConnectionIOHandle() { - ENVOY_LOG(info, "Destroying ReverseConnectionIOHandle - performing cleanup"); + ENVOY_LOG(info, "Destroying ReverseConnectionIOHandle - performing cleanup."); cleanup(); } void ReverseConnectionIOHandle::cleanup() { - ENVOY_LOG(debug, "Starting cleanup of reverse connection resources"); + ENVOY_LOG(debug, "Starting cleanup of reverse connection resources."); - // CRITICAL: Clean up trigger mechanism FIRST to prevent use-after-free - if (trigger_mechanism_) { - ENVOY_LOG(debug, "Cleaning up trigger mechanism during cleanup"); - trigger_mechanism_.reset(); - ENVOY_LOG(debug, "Trigger mechanism cleaned up during cleanup"); - } + // CRITICAL: Clean up pipe trigger mechanism FIRST to prevent use-after-free + cleanupPipeTrigger(); // Cancel the retry timer safely. if (rev_conn_retry_timer_) { try { rev_conn_retry_timer_->disableTimer(); rev_conn_retry_timer_.reset(); - ENVOY_LOG(debug, "Cancelled and reset retry timer"); + ENVOY_LOG(debug, "Cancelled and reset retry timer."); } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during timer cleanup (expected during shutdown): {}", e.what()); + ENVOY_LOG(debug, "Exception during timer cleanup (expected during shutdown): {}.", e.what()); // Reset the timer pointer anyway to prevent further access rev_conn_retry_timer_.reset(); } } // Graceful shutdown of connection wrappers with exception safety. - ENVOY_LOG(debug, "Gracefully shutting down {} connection wrappers", connection_wrappers_.size()); + ENVOY_LOG(debug, "Gracefully shutting down {} connection wrappers.", connection_wrappers_.size()); // Step 1: Signal all connections to close gracefully with exception handling. std::vector> wrappers_to_delete; for (auto& wrapper : connection_wrappers_) { if (wrapper) { try { - ENVOY_LOG(debug, "Initiating graceful shutdown for connection wrapper"); + ENVOY_LOG(debug, "Initiating graceful shutdown for connection wrapper."); wrapper->shutdown(); // Move wrapper for deferred cleanup wrappers_to_delete.push_back(std::move(wrapper)); } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during wrapper shutdown (continuing cleanup): {}", e.what()); + ENVOY_LOG(debug, "Exception during wrapper shutdown (continuing cleanup): {}.", e.what()); // Still move the wrapper to ensure it gets cleaned up wrappers_to_delete.push_back(std::move(wrapper)); } @@ -461,7 +472,7 @@ void ReverseConnectionIOHandle::cleanup() { // Clear established connections queue safely. try { size_t queue_size = established_connections_.size(); - ENVOY_LOG(debug, "Cleaning up {} established connections", queue_size); + ENVOY_LOG(debug, "Cleaning up {} established connections.", queue_size); while (!established_connections_.empty()) { try { @@ -473,25 +484,25 @@ void ReverseConnectionIOHandle::cleanup() { auto state = connection->state(); if (state == Envoy::Network::Connection::State::Open) { connection->close(Envoy::Network::ConnectionCloseType::FlushWrite); - ENVOY_LOG(debug, "Closed established connection"); + ENVOY_LOG(debug, "Closed established connection."); } else { - ENVOY_LOG(debug, "Connection already in state: {}", static_cast(state)); + ENVOY_LOG(debug, "Connection already in state: {}.", static_cast(state)); } } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception closing connection (continuing): {}", e.what()); + ENVOY_LOG(debug, "Exception closing connection (continuing): {}.", e.what()); } } } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception processing connection queue item (continuing): {}", e.what()); + ENVOY_LOG(debug, "Exception processing connection queue item (continuing): {}.", e.what()); // Skip this item and continue with the next if (!established_connections_.empty()) { established_connections_.pop(); } } } - ENVOY_LOG(debug, "Completed established connections cleanup"); + ENVOY_LOG(debug, "Completed established connections cleanup."); } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception during established connections cleanup: {}", e.what()); + ENVOY_LOG(error, "Exception during established connections cleanup: {}.", e.what()); // Force clear the queue while (!established_connections_.empty()) { established_connections_.pop(); @@ -500,7 +511,7 @@ void ReverseConnectionIOHandle::cleanup() { // Trigger mechanism already cleaned up at the beginning of cleanup() - ENVOY_LOG(debug, "Completed cleanup of reverse connection resources"); + ENVOY_LOG(debug, "Completed cleanup of reverse connection resources."); } Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { @@ -510,30 +521,27 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { config_.remote_clusters.size()); if (!listening_initiated_) { - - // Create trigger mechanism on worker thread where TLS is available. The - // listening_initiated_ ensures that this is done only once for a given - // ReverseConnectionIOHandle instance. - createTriggerMechanism(); - if (!trigger_mechanism_) { - // If the trigger mechanism is not created, the reverse connections workflow - // cannot proceed. - ENVOY_LOG(error, - "Reverse connections failed. Failed to create trigger mechanism"); - return Api::SysCallIntResult{-1, ENODEV}; - } + // Create pipe trigger mechanism on worker thread where TLS is available + if (!isPipeTriggerReady()) { + if (auto status = initializePipeTrigger(); !status.ok()) { + ENVOY_LOG( + error, + "Failed to create pipe trigger mechanism - cannot proceed with reverse connections: {}", + status.message()); + return Api::SysCallIntResult{-1, ENODEV}; + } - // Replace the monitored FD with trigger mechanism's FD. This ensures that - // the platform's event notification system (eg., EPOLL for linux) monitors the trigger - // mechanism's FD and wakes up accept() when data is available on the trigger mechanism - // FD. - int trigger_fd = trigger_mechanism_->getMonitorFd(); - if (trigger_fd != -1) { - ENVOY_LOG(info, "Replacing monitored FD from {} to trigger FD {}", fd_, trigger_fd); - fd_ = trigger_fd; - } else { - ENVOY_LOG(error, " Reverse connections failed. Trigger mechanism does not provide a monitor FD"); - return Api::SysCallIntResult{-1, ENODEV}; + // CRITICAL: Replace the monitored FD with pipe read FD + // This must happen before any event registration + int trigger_fd = getPipeMonitorFd(); + if (trigger_fd != -1) { + ENVOY_LOG(info, "Replacing monitored FD from {} to pipe read FD {}", fd_, trigger_fd); + fd_ = trigger_fd; + } else { + ENVOY_LOG( + warn, + "Pipe trigger mechanism does not provide a monitor FD - using original socket FD"); + } } // Create the retry timer on first use with thread-local dispatcher. The timer is reset @@ -543,22 +551,22 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { if (isThreadLocalDispatcherAvailable()) { rev_conn_retry_timer_ = getThreadLocalDispatcher().createTimer([this]() -> void { ENVOY_LOG(debug, "Reverse connection timer triggered - checking all clusters for " - "missing connections"); - // Prevent use-after-free by checking if the dispatcher is still available. + "missing connections."); + // Safety check before maintenance if (isThreadLocalDispatcherAvailable()) { maintainReverseConnections(); } else { - ENVOY_LOG(error, "Reverse connections failed. Skipping maintenance - dispatcher not available"); + ENVOY_LOG(debug, "Skipping maintenance - dispatcher not available."); } }); // Trigger the reverse connection workflow. The function will reset rev_conn_retry_timer_. maintainReverseConnections(); - ENVOY_LOG(debug, "Created retry timer for periodic connection checks"); + ENVOY_LOG(debug, "Created retry timer for periodic connection checks."); } else { - ENVOY_LOG(error, "Reverse connections failed. Cannot create retry timer - dispatcher not available"); + ENVOY_LOG(warn, "Cannot create retry timer - dispatcher not available."); } } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception creating retry timer: {}", e.what()); + ENVOY_LOG(error, "Exception creating retry timer: {}.", e.what()); } } listening_initiated_ = true; @@ -569,22 +577,22 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, socklen_t* addrlen) { - // Trigger mechanism is created lazily in listen() - if not ready, no connections available - if (!isTriggerReady()) { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - trigger mechanism not ready"); + // Pipe trigger mechanism is created lazily in listen() - if not ready, no connections available + if (!isPipeTriggerReady()) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - pipe trigger mechanism not ready."); return nullptr; } - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - checking trigger mechanism"); + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - checking pipe trigger mechanism."); try { - if (trigger_mechanism_->wait()) { + if (waitForPipeTrigger()) { ENVOY_LOG(debug, - "ReverseConnectionIOHandle::accept() - received trigger, processing connection"); + "ReverseConnectionIOHandle::accept() - received trigger, processing connection."); // When a connection is established, a byte is written to the trigger_pipe_write_fd_ and the // connection is inserted into the established_connections_ queue. The last connection in the // queue is therefore the one that got established last. if (!established_connections_.empty()) { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - getting connection from queue"); + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - getting connection from queue."); auto connection = std::move(established_connections_.front()); established_connections_.pop(); // Fill in address information for the reverse tunnel "client" @@ -646,18 +654,18 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a auto io_handle = std::make_unique( std::move(socket), connection_key, this); ENVOY_LOG(debug, - "ReverseConnectionIOHandle::accept() - RAII IoHandle created with owned socket"); + "ReverseConnectionIOHandle::accept() - RAII IoHandle created with owned socket."); connection->close(Network::ConnectionCloseType::NoFlush); - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - returning io_handle"); + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - returning io_handle."); return io_handle; } } else { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - no trigger detected"); + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - no trigger detected."); } } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception in accept() trigger mechanism: {}", e.what()); + ENVOY_LOG(error, "Exception in accept() trigger mechanism: {}.", e.what()); } return nullptr; } @@ -686,21 +694,21 @@ ReverseConnectionIOHandle::connect(Envoy::Network::Address::InstanceConstSharedP // Note: This close method is called when the ReverseConnectionIOHandle itself is closed. // Individual connections are managed via DownstreamReverseConnectionIOHandle RAII ownership. Api::IoCallUint64Result ReverseConnectionIOHandle::close() { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::close() - performing graceful shutdown"); + ENVOY_LOG(debug, "ReverseConnectionIOHandle::close() - performing graceful shutdown."); - // Clean up original socket FD . fd_ is - // the FD of the trigger mechanism and should not be closed until the - // ReverseConnectionIOHandle is destroyed. - if (original_socket_fd_ != -1) { - ENVOY_LOG(debug, "Closing original socket FD: {}", original_socket_fd_); + // Clean up original socket FD if it's different from the current fd_ + if (original_socket_fd_ != -1 && original_socket_fd_ != fd_) { + ENVOY_LOG(debug, "Closing original socket FD: {}.", original_socket_fd_); ::close(original_socket_fd_); original_socket_fd_ = -1; } - // CRITICAL: If we're using trigger mechanism FD, don't let IoSocketHandleImpl close it - // because the trigger mechanism destructor will handle it - if (trigger_mechanism_ && trigger_mechanism_->getMonitorFd() == fd_) { - ENVOY_LOG(debug, "Skipping close of trigger FD {} - will be handled by trigger mechanism", fd_); + // CRITICAL: If we're using pipe trigger FD, don't let IoSocketHandleImpl close it + // because cleanupPipeTrigger() will handle it + if (isPipeTriggerReady() && getPipeMonitorFd() == fd_) { + ENVOY_LOG(debug, + "Skipping close of pipe trigger FD {} - will be handled by cleanupPipeTrigger().", + fd_); // Reset fd_ to prevent double-close fd_ = -1; } @@ -715,7 +723,7 @@ void ReverseConnectionIOHandle::onEvent(Network::ConnectionEvent event) { } bool ReverseConnectionIOHandle::isTriggerReady() const { - bool ready = trigger_mechanism_ != nullptr; + bool ready = isPipeTriggerReady(); ENVOY_LOG(debug, "isTriggerReady() returning: {}", ready); return ready; } @@ -733,7 +741,7 @@ Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { } // CRITICAL SAFETY: During shutdown, TLS might be destroyed - ENVOY_LOG(warn, "Thread-local registry not available - likely during shutdown"); + ENVOY_LOG(warn, "Thread-local registry not available - likely during shutdown."); throw EnvoyException( "Failed to get dispatcher from thread-local registry - TLS destroyed during shutdown"); } @@ -1031,7 +1039,9 @@ ReverseConnectionIOHandle::getStatsByCluster(const std::string& cluster_name) { ENVOY_LOG(debug, "ReverseConnectionIOHandle: Creating new stats for cluster: {}", cluster_name); cluster_stats_map_[cluster_name] = std::make_unique( ReverseConnectionDownstreamStats{ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS( - POOL_GAUGE_PREFIX(*reverse_conn_scope_, cluster_name))}); + POOL_COUNTER_PREFIX(*reverse_conn_scope_, cluster_name), + POOL_GAUGE_PREFIX(*reverse_conn_scope_, cluster_name), + POOL_HISTOGRAM_PREFIX(*reverse_conn_scope_, cluster_name))}); return cluster_stats_map_[cluster_name].get(); } @@ -1049,7 +1059,9 @@ ReverseConnectionIOHandle::getStatsByHost(const std::string& host_address, host_address, cluster_name); host_stats_map_[host_key] = std::make_unique( ReverseConnectionDownstreamStats{ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS( - POOL_GAUGE_PREFIX(*reverse_conn_scope_, host_key))}); + POOL_COUNTER_PREFIX(*reverse_conn_scope_, host_key), + POOL_GAUGE_PREFIX(*reverse_conn_scope_, host_key), + POOL_HISTOGRAM_PREFIX(*reverse_conn_scope_, host_key))}); return host_stats_map_[host_key].get(); } @@ -1160,7 +1172,7 @@ void ReverseConnectionIOHandle::incrementStateGauge(ReverseConnectionDownstreamS // CRITICAL SAFETY: Handle stats access during/after shutdown try { if (!cluster_stats || !host_stats) { - ENVOY_LOG(debug, "Stats objects null during increment - likely during shutdown"); + ENVOY_LOG(debug, "Stats objects null during increment - likely during shutdown."); return; } @@ -1191,7 +1203,7 @@ void ReverseConnectionIOHandle::incrementStateGauge(ReverseConnectionDownstreamS break; } } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during stats increment (expected during shutdown): {}", e.what()); + ENVOY_LOG(debug, "Exception during stats increment (expected during shutdown): {}.", e.what()); } } @@ -1201,7 +1213,7 @@ void ReverseConnectionIOHandle::decrementStateGauge(ReverseConnectionDownstreamS // CRITICAL SAFETY: Handle stats access during/after shutdown try { if (!cluster_stats || !host_stats) { - ENVOY_LOG(debug, "Stats objects null during decrement - likely during shutdown"); + ENVOY_LOG(debug, "Stats objects null during decrement - likely during shutdown."); return; } @@ -1232,27 +1244,27 @@ void ReverseConnectionIOHandle::decrementStateGauge(ReverseConnectionDownstreamS break; } } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during stats decrement (expected during shutdown): {}", e.what()); + ENVOY_LOG(debug, "Exception during stats decrement (expected during shutdown): {}.", e.what()); } } void ReverseConnectionIOHandle::maintainReverseConnections() { - ENVOY_LOG(debug, "Maintaining reverse tunnels for {} clusters", config_.remote_clusters.size()); + ENVOY_LOG(debug, "Maintaining reverse tunnels for {} clusters.", config_.remote_clusters.size()); for (const auto& cluster_config : config_.remote_clusters) { const std::string& cluster_name = cluster_config.cluster_name; - ENVOY_LOG(debug, "Processing cluster: {} with {} requested connections per host", cluster_name, + ENVOY_LOG(debug, "Processing cluster: {} with {} requested connections per host.", cluster_name, cluster_config.reverse_connection_count); // Maintain connections for this cluster maintainClusterConnections(cluster_name, cluster_config); } - ENVOY_LOG(debug, "Completed reverse TCP connection maintenance for all clusters"); + ENVOY_LOG(debug, "Completed reverse TCP connection maintenance for all clusters."); // Enable the retry timer to periodically check for missing connections (like maintainConnCount) if (rev_conn_retry_timer_) { const std::chrono::milliseconds retry_timeout(10000); // 10 seconds rev_conn_retry_timer_->enableTimer(retry_timeout); - ENVOY_LOG(debug, "Enabled retry timer for next connection check in 10 seconds"); + ENVOY_LOG(debug, "Enabled retry timer for next connection check in 10 seconds."); } } @@ -1332,40 +1344,114 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& } } -// Cross-platform trigger mechanism used to wake up accept() when a connection is established. -void ReverseConnectionIOHandle::createTriggerMechanism() { - ENVOY_LOG(debug, "Creating cross-platform trigger mechanism"); +// Pipe trigger mechanism implementation - inlined for simplicity +absl::Status ReverseConnectionIOHandle::initializePipeTrigger() { + ENVOY_LOG(debug, "Creating pipe trigger mechanism."); // Check if TLS is available before proceeding if (!isThreadLocalDispatcherAvailable()) { - ENVOY_LOG(error, "Cannot create trigger mechanism - thread-local dispatcher not available"); - return; + return absl::FailedPreconditionError( + "Cannot create pipe trigger mechanism - thread-local dispatcher not available"); } - // Create the optimal trigger mechanism for the current platform - trigger_mechanism_ = TriggerMechanism::create(); + // Create pipe + int pipe_fds[2]; + if (::pipe(pipe_fds) == -1) { + return absl::InternalError(fmt::format("Failed to create pipe: {}", strerror(errno))); + } - if (!trigger_mechanism_) { - ENVOY_LOG(error, "Failed to create trigger mechanism"); - return; + trigger_pipe_read_fd_ = pipe_fds[0]; + trigger_pipe_write_fd_ = pipe_fds[1]; + + // Make both ends non-blocking for optimal performance + int flags = ::fcntl(trigger_pipe_read_fd_, F_GETFL, 0); + if (flags == -1) { + return absl::InternalError(fmt::format("Failed to get pipe read flags: {}", strerror(errno))); + } + if (::fcntl(trigger_pipe_read_fd_, F_SETFL, flags | O_NONBLOCK) == -1) { + return absl::InternalError( + fmt::format("Failed to set pipe read non-blocking: {}", strerror(errno))); } - try { - // Initialize with thread-local dispatcher - if (!trigger_mechanism_->initialize(getThreadLocalDispatcher())) { - ENVOY_LOG(error, "Failed to initialize trigger mechanism"); - trigger_mechanism_.reset(); - return; + flags = ::fcntl(trigger_pipe_write_fd_, F_GETFL, 0); + if (flags == -1) { + return absl::InternalError(fmt::format("Failed to get pipe write flags: {}", strerror(errno))); + } + if (::fcntl(trigger_pipe_write_fd_, F_SETFL, flags | O_NONBLOCK) == -1) { + return absl::InternalError( + fmt::format("Failed to set pipe write non-blocking: {}", strerror(errno))); + } + + ENVOY_LOG(info, "Created pipe trigger mechanism with read FD: {}, write FD: {}", + trigger_pipe_read_fd_, trigger_pipe_write_fd_); + return absl::OkStatus(); +} + +void ReverseConnectionIOHandle::cleanupPipeTrigger() { + ENVOY_LOG(debug, "Cleaning up pipe trigger mechanism - read FD: {}, write FD: {}.", + trigger_pipe_read_fd_, trigger_pipe_write_fd_); + + if (trigger_pipe_read_fd_ != -1) { + ::close(trigger_pipe_read_fd_); + trigger_pipe_read_fd_ = -1; + } + if (trigger_pipe_write_fd_ != -1) { + ::close(trigger_pipe_write_fd_); + trigger_pipe_write_fd_ = -1; + } + + ENVOY_LOG(debug, "Pipe trigger mechanism cleanup complete."); +} + +bool ReverseConnectionIOHandle::triggerPipe() { + if (trigger_pipe_write_fd_ == -1) { + ENVOY_LOG(error, "pipe not initialized."); + return false; + } + + // Write single byte to pipe to trigger it + char trigger_byte = 1; + ssize_t result = ::write(trigger_pipe_write_fd_, &trigger_byte, 1); + if (result != 1) { + if (errno != EAGAIN && errno != EWOULDBLOCK) { + ENVOY_LOG(error, "Failed to write to pipe: {}.", strerror(errno)); + return false; } + // EAGAIN means pipe buffer is full, which is fine for trigger purposes + ENVOY_LOG(debug, "Pipe buffer full but trigger still effective."); + } - ENVOY_LOG(info, "Created trigger mechanism: {} with monitor FD: {}", - trigger_mechanism_->getType(), trigger_mechanism_->getMonitorFd()); - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception creating trigger mechanism: {}", e.what()); - trigger_mechanism_.reset(); + ENVOY_LOG(debug, "Successfully triggered pipe - wrote {} byte(s).", result > 0 ? result : 0); + return true; +} + +bool ReverseConnectionIOHandle::waitForPipeTrigger() { + if (trigger_pipe_read_fd_ == -1) { + ENVOY_LOG(debug, "pipe wait called but read FD not initialized."); + return false; + } + + // Read from pipe to check if triggered - this also clears the trigger + char buffer[64]; // Read multiple bytes if available + ssize_t result = ::read(trigger_pipe_read_fd_, buffer, sizeof(buffer)); + if (result > 0) { + ENVOY_LOG(debug, "pipe triggered - read {} bytes.", result); + return true; } + + if (result == -1 && errno != EAGAIN && errno != EWOULDBLOCK) { + ENVOY_LOG(error, "Failed to read from pipe: {}.", strerror(errno)); + } + + return false; } +bool ReverseConnectionIOHandle::isPipeTriggerReady() const { + return trigger_pipe_read_fd_ != -1 && trigger_pipe_write_fd_ != -1; +} + +int ReverseConnectionIOHandle::getPipeMonitorFd() const { return trigger_pipe_read_fd_; } + void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, RCConnectionWrapper* wrapper, bool closed) { ENVOY_LOG(debug, "Connection wrapper done - error: '{}', closed: {}", error, closed); @@ -1377,7 +1463,7 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, // Get the host for which the wrapper holds the connection. auto wrapper_it = conn_wrapper_to_host_map_.find(wrapper); if (wrapper_it == conn_wrapper_to_host_map_.end()) { - ENVOY_LOG(error, "Internal error: wrapper not found in conn_wrapper_to_host_map_"); + ENVOY_LOG(error, "Internal error: wrapper not found in conn_wrapper_to_host_map_."); return; } host_address = wrapper_it->second; @@ -1396,13 +1482,13 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, // The connection should not be null. if (!wrapper->getConnection()) { - ENVOY_LOG(error, "Connection wrapper has null connection"); + ENVOY_LOG(error, "Connection wrapper has null connection."); return; } ENVOY_LOG(debug, "Got response from initiated reverse connection for host '{}', " - "cluster '{}', error '{}'", + "cluster '{}', error '{}'.", host_address, cluster_name, error); const std::string connection_key = wrapper->getConnection()->connectionInfoProvider().localAddress()->asString(); @@ -1411,11 +1497,11 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, // Connection failed if (!error.empty()) { ENVOY_LOG(error, - "Reverse connection failed: Received error '{}' from remote envoy for host {}", + "Reverse connection failed: Received error '{}' from remote envoy for host {}.", error, host_address); wrapper->onFailure(); } - ENVOY_LOG(error, "Reverse connection failed: Removing connection to host {}", host_address); + ENVOY_LOG(error, "Reverse connection failed: Removing connection to host {}.", host_address); // Track handshake failure - get connection key and update to failed state ENVOY_LOG(debug, "Updating connection state to Failed for host {} connection key {}", @@ -1471,37 +1557,37 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, if (released_conn) { // Move connection to established queue - ENVOY_LOG(trace, "Adding connection to established_connections_"); + ENVOY_LOG(trace, "Adding connection to established_connections_."); established_connections_.push(std::move(released_conn)); // Trigger the accept mechanism if (isTriggerReady()) { ENVOY_LOG(debug, - "Triggering accept mechanism for reverse connection from host {} of cluster {}", + "Triggering accept mechanism for reverse connection from host {} of cluster {}.", host_address, cluster_name); try { - if (trigger_mechanism_->trigger()) { + if (triggerPipe()) { ENVOY_LOG(info, "Successfully triggered accept() for reverse connection from host {} " - "of cluster {} - trigger FD: {}", - host_address, cluster_name, trigger_mechanism_->getMonitorFd()); + "of cluster {} - pipe read FD: {}.", + host_address, cluster_name, getPipeMonitorFd()); } else { - ENVOY_LOG(error, "Failed to trigger accept mechanism for host {} of cluster {}", + ENVOY_LOG(error, "Failed to trigger accept mechanism for host {} of cluster {}.", host_address, cluster_name); } } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception during trigger: {} for host {} of cluster {}", e.what(), + ENVOY_LOG(error, "Exception during trigger: {} for host {} of cluster {}.", e.what(), host_address, cluster_name); } } else { ENVOY_LOG(error, - "Cannot trigger accept mechanism - trigger not ready for host {} of cluster {}", + "Cannot trigger accept mechanism - trigger not ready for host {} of cluster {}.", host_address, cluster_name); } } } - ENVOY_LOG(trace, "Removing wrapper from connection_wrappers_ vector"); + ENVOY_LOG(trace, "Removing wrapper from connection_wrappers_ vector."); conn_wrapper_to_host_map_.erase(wrapper); @@ -1519,14 +1605,14 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, if (isThreadLocalDispatcherAvailable()) { try { getThreadLocalDispatcher().deferredDelete(std::move(wrapper_to_delete)); - ENVOY_LOG(debug, "Deferred delete of connection wrapper"); + ENVOY_LOG(debug, "Deferred delete of connection wrapper."); } catch (const std::exception& e) { - ENVOY_LOG(warn, "Deferred deletion failed, using direct cleanup: {}", e.what()); + ENVOY_LOG(warn, "Deferred deletion failed, using direct cleanup: {}.", e.what()); // Direct cleanup as fallback wrapper_to_delete.reset(); } } else { - ENVOY_LOG(debug, "Dispatcher not available during shutdown - using direct wrapper cleanup"); + ENVOY_LOG(debug, "Dispatcher not available during shutdown - using direct wrapper cleanup."); // Direct cleanup when dispatcher is not available (during shutdown) wrapper_to_delete.reset(); } @@ -1549,30 +1635,32 @@ DownstreamSocketThreadLocal* ReverseTunnelInitiator::getLocalRegistry() const { // ReverseTunnelInitiatorExtension implementation void ReverseTunnelInitiatorExtension::onServerInitialized() { ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onServerInitialized - creating " - "thread local slot"); + "thread local slot with enhanced safety"); - // Create thread local slot to store dispatcher for each worker thread - tls_slot_ = - ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + // Create thread local slot using the enhanced factory utilities for better error handling + tls_slot_ = ReverseConnectionFactoryUtils::createThreadLocalSlot( + context_.threadLocal(), "ReverseTunnelInitiatorExtension"); + + if (!tls_slot_) { + ENVOY_LOG(error, "Failed to create thread-local slot for ReverseTunnelInitiatorExtension"); + return; + } // Set up the thread local dispatcher for each worker thread tls_slot_->set([this](Event::Dispatcher& dispatcher) { return std::make_shared(dispatcher, context_.scope()); }); + + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension thread-local setup completed successfully"); } DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::getLocalRegistry()"); - if (!tls_slot_) { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::getLocalRegistry() - no thread local slot"); - return nullptr; - } - - if (auto opt = tls_slot_->get(); opt.has_value()) { - return &opt.value().get(); - } + ENVOY_LOG(debug, + "ReverseTunnelInitiatorExtension::getLocalRegistry() - using enhanced thread safety."); - return nullptr; + // Use the enhanced factory utilities for safe thread-local access + return ReverseConnectionFactoryUtils::safeGetThreadLocal(tls_slot_, + "ReverseTunnelInitiatorExtension"); } Envoy::Network::IoHandlePtr @@ -1609,6 +1697,9 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const { + ENVOY_LOG(debug, "Creating reverse connection socket for cluster: {}", + config.remote_clusters.empty() ? "unknown" : config.remote_clusters[0].cluster_name); + // For stream sockets on IP addresses, create our reverse connection IOHandle. if (socket_type == Envoy::Network::Socket::Type::Stream && addr_type == Envoy::Network::Address::Type::Ip) { @@ -1630,9 +1721,8 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke } // Create ReverseConnectionIOHandle with cluster manager from context and scope - return std::make_unique( - sock_fd, config, context_->clusterManager(), - *this, *scope_ptr); + return std::make_unique(sock_fd, config, context_->clusterManager(), + *this, *scope_ptr); } // Fall back to regular socket for non-stream or non-IP sockets @@ -1678,23 +1768,7 @@ bool ReverseTunnelInitiator::ipFamilySupported(int domain) { return domain == AF_INET || domain == AF_INET6; } -Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( - const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { - ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); - const auto& message = MessageUtil::downcastAndValidate< - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); - context_ = &context; - // Create the bootstrap extension and store reference to it - auto extension = std::make_unique(context, message); - extension_ = extension.get(); - return extension; -} - -ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { - return std::make_unique(); -} +// Factory implementation moved to ReverseTunnelInitiatorFactory class // ReverseTunnelInitiatorExtension constructor implementation ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( @@ -1702,10 +1776,24 @@ ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: DownstreamReverseConnectionSocketInterface& config) : context_(context), config_(config) { - ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension"); + ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension."); +} + +// ReverseTunnelInitiatorFactory implementation +Server::BootstrapExtensionPtr ReverseTunnelInitiatorFactory::createBootstrapExtensionTyped( + const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& proto_config, + Server::Configuration::ServerFactoryContext& context) { + ENVOY_LOG(debug, "ReverseTunnelInitiatorFactory::createBootstrapExtensionTyped()."); + + // Create the bootstrap extension using the new factory pattern + auto extension = std::make_unique(context, proto_config); + + ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension with factory-based approach."); + return extension; } -REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); +REGISTER_FACTORY(ReverseTunnelInitiatorFactory, Server::Configuration::BootstrapExtensionFactory); size_t ReverseTunnelInitiator::getConnectionCount(const std::string& target) const { // For the downstream (initiator) side, we need to check the number of active connections @@ -1728,7 +1816,7 @@ size_t ReverseTunnelInitiator::getConnectionCount(const std::string& target) con } std::vector ReverseTunnelInitiator::getEstablishedConnections() const { - ENVOY_LOG(debug, "Getting list of established connections"); + ENVOY_LOG(debug, "Getting list of established connections."); // For the downstream (initiator) side, return the list of clusters we have // established reverse connections to. In our case, this would be the "cloud" cluster @@ -1744,7 +1832,7 @@ std::vector ReverseTunnelInitiator::getEstablishedConnections() con established_clusters.push_back("cloud"); } - ENVOY_LOG(debug, "Established connections count: {}", established_clusters.size()); + ENVOY_LOG(debug, "Established connections count: {}.", established_clusters.size()); return established_clusters; } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 91af5e23d9787..7d274e29a0ffe 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -1,8 +1,5 @@ #pragma once -#include -#include - #include #include #include @@ -27,10 +24,11 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/upstream/load_balancer_context_base.h" -#include "source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.h" +#include "source/extensions/bootstrap/reverse_tunnel/factory_base.h" #include "absl/container/flat_hash_map.h" #include "absl/container/flat_hash_set.h" +#include "absl/status/status.h" #include "absl/synchronization/mutex.h" namespace Envoy { @@ -38,42 +36,62 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// Forward declarations +// Forward declarations. class RCConnectionWrapper; class ReverseTunnelInitiator; class ReverseTunnelInitiatorExtension; -static const char CRLF[] = "\r\n"; -static const char DOUBLE_CRLF[] = "\r\n\r\n"; +namespace { +// HTTP protocol constants. +static constexpr absl::string_view kCrlf = "\r\n"; +static constexpr absl::string_view kDoubleCrlf = "\r\n\r\n"; + +// Connection timing constants. +static constexpr uint32_t kDefaultReconnectIntervalMs = 5000; // 5 seconds. +static constexpr uint32_t kDefaultMaxReconnectAttempts = 10; +static constexpr uint32_t kDefaultHealthCheckIntervalMs = 30000; // 30 seconds. +static constexpr uint32_t kDefaultConnectionTimeoutMs = 10000; // 10 seconds. +} // namespace /** * All reverse connection downstream stats. @see stats_macros.h + * These stats track the performance and health of outgoing reverse connections + * from the initiator (on-premises) to the acceptor (cloud). */ -#define ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS(GAUGE) \ - GAUGE(reverse_conn_connecting, NeverImport) \ - GAUGE(reverse_conn_connected, NeverImport) \ - GAUGE(reverse_conn_failed, NeverImport) \ - GAUGE(reverse_conn_recovered, NeverImport) \ - GAUGE(reverse_conn_backoff, NeverImport) \ - GAUGE(reverse_conn_cannot_connect, NeverImport) +#define ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS(COUNTER, GAUGE, HISTOGRAM) \ + COUNTER(reverse_conn_connect_attempts) \ + COUNTER(reverse_conn_connect_failures) \ + COUNTER(reverse_conn_handshake_failures) \ + COUNTER(reverse_conn_timeout_failures) \ + COUNTER(reverse_conn_retries) \ + GAUGE(reverse_conn_connecting, Accumulate) \ + GAUGE(reverse_conn_connected, Accumulate) \ + GAUGE(reverse_conn_failed, Accumulate) \ + GAUGE(reverse_conn_recovered, Accumulate) \ + GAUGE(reverse_conn_backoff, Accumulate) \ + GAUGE(reverse_conn_cannot_connect, Accumulate) \ + HISTOGRAM(reverse_conn_establishment_time, Milliseconds) \ + HISTOGRAM(reverse_conn_handshake_time, Milliseconds) \ + HISTOGRAM(reverse_conn_retry_backoff_time, Milliseconds) /** * Connection state tracking for reverse connections. */ enum class ReverseConnectionState { - Connecting, // Connection is being established (handshake initiated) - Connected, // Connection has been successfully established - Recovered, // Connection has recovered from a previous failure - Failed, // Connection establishment failed during handshake - CannotConnect, // Connection cannot be initiated (early failure) - Backoff // Connection is in backoff state due to failures + Connecting, // Connection is being established (handshake initiated). + Connected, // Connection has been successfully established. + Recovered, // Connection has recovered from a previous failure. + Failed, // Connection establishment failed during handshake. + CannotConnect, // Connection cannot be initiated (early failure). + Backoff // Connection is in backoff state due to failures. }; /** * Struct definition for all reverse connection downstream stats. @see stats_macros.h */ struct ReverseConnectionDownstreamStats { - ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS(GENERATE_GAUGE_STRUCT) + ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS(GENERATE_COUNTER_STRUCT, GENERATE_GAUGE_STRUCT, + GENERATE_HISTOGRAM_STRUCT) }; using ReverseConnectionDownstreamStatsPtr = std::unique_ptr; @@ -84,14 +102,15 @@ using ReverseConnectionDownstreamStatsPtr = std::unique_ptr - remote_clusters; // List of remote cluster configurations - uint32_t health_check_interval_ms; // Interval for health checks in milliseconds - uint32_t connection_timeout_ms; // Connection timeout in milliseconds - bool enable_metrics; // Whether to enable metrics collection - bool enable_circuit_breaker; // Whether to enable circuit breaker functionality + remote_clusters; // List of remote cluster configurations. + uint32_t health_check_interval_ms; // Interval for health checks in milliseconds. + uint32_t connection_timeout_ms; // Connection timeout in milliseconds. + bool enable_metrics; // Whether to enable metrics collection. + bool enable_circuit_breaker; // Whether to enable circuit breaker functionality. ReverseConnectionSocketConfig() - : health_check_interval_ms(30000), connection_timeout_ms(10000), enable_metrics(true), + : health_check_interval_ms(kDefaultHealthCheckIntervalMs), + connection_timeout_ms(kDefaultConnectionTimeoutMs), enable_metrics(true), enable_circuit_breaker(true) {} }; @@ -125,11 +145,11 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, public: /** * Constructor for ReverseConnectionIOHandle. - * @param fd the file descriptor for listener socket - * @param config the configuration for reverse connections - * @param cluster_manager the cluster manager for accessing upstream clusters - * @param socket_interface reference to the parent socket interface - * @param scope the stats scope for metrics collection + * @param fd the file descriptor for listener socket. + * @param config the configuration for reverse connections. + * @param cluster_manager the cluster manager for accessing upstream clusters. + * @param socket_interface reference to the parent socket interface. + * @param scope the stats scope for metrics collection. */ ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, Upstream::ClusterManager& cluster_manager, @@ -137,12 +157,12 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, ~ReverseConnectionIOHandle() override; - // Network::IoHandle overrides + // Network::IoHandle overrides. /** * Override of listen method for reverse connections. * Initiates reverse connection establishment to configured remote clusters. - * @param backlog the listen backlog (unused for reverse connections) - * @return SysCallIntResult with success status + * @param backlog the listen backlog (unused for reverse connections). + * @return SysCallIntResult with success status. */ Api::SysCallIntResult listen(int backlog) override; @@ -150,25 +170,25 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, * Override of accept method for reverse connections. * Returns established reverse connections when they become available. This is woken up using the * trigger pipe when a tcp connection to an upstream cluster is established. - * @param addr pointer to store the client address information - * @param addrlen pointer to the length of the address structure - * @return IoHandlePtr for the accepted reverse connection, or nullptr if none available + * @param addr pointer to store the client address information. + * @param addrlen pointer to the length of the address structure. + * @return IoHandlePtr for the accepted reverse connection, or nullptr if none available. */ Network::IoHandlePtr accept(struct sockaddr* addr, socklen_t* addrlen) override; /** * Override of read method for reverse connections. - * @param buffer the buffer to read data into - * @param max_length optional maximum number of bytes to read - * @return IoCallUint64Result indicating the result of the read operation + * @param buffer the buffer to read data into. + * @param max_length optional maximum number of bytes to read. + * @return IoCallUint64Result indicating the result of the read operation. */ Api::IoCallUint64Result read(Buffer::Instance& buffer, absl::optional max_length) override; /** * Override of write method for reverse connections. - * @param buffer the buffer containing data to write - * @return IoCallUint64Result indicating the result of the write operation + * @param buffer the buffer containing data to write. + * @return IoCallUint64Result indicating the result of the write operation. */ Api::IoCallUint64Result write(Buffer::Instance& buffer) override; @@ -176,22 +196,22 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, * Override of connect method for reverse connections. * For reverse connections, this is not used since we connect to the upstream clusters in * listen(). - * @param address the target address (unused for reverse connections) - * @return SysCallIntResult with success status + * @param address the target address (unused for reverse connections). + * @return SysCallIntResult with success status. */ Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; /** * Override of close method for reverse connections. - * @return IoCallUint64Result indicating the result of the close operation + * @return IoCallUint64Result indicating the result of the close operation. */ Api::IoCallUint64Result close() override; - // Network::ConnectionCallbacks + // Network::ConnectionCallbacks. /** * Called when connection events occur. * For reverse connections, we handle these events through RCConnectionWrapper. - * @param event the connection event that occurred + * @param event the connection event that occurred. */ void onEvent(Network::ConnectionEvent event) override; @@ -207,89 +227,95 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, /** * Check if trigger mechanism is ready for accepting connections. - * @return true if the trigger mechanism is initialized and ready + * @return true if the trigger mechanism is initialized and ready. */ bool isTriggerReady() const; - // Callbacks from RCConnectionWrapper + // Callbacks from RCConnectionWrapper. /** * Called when a reverse connection handshake completes. - * @param error error message if the handshake failed, empty string if successful - * @param wrapper pointer to the connection wrapper that wraps over the established connection - * @param closed whether the connection was closed during handshake + * @param error error message if the handshake failed, empty string if successful. + * @param wrapper pointer to the connection wrapper that wraps over the established connection. + * @param closed whether the connection was closed during handshake. */ void onConnectionDone(const std::string& error, RCConnectionWrapper* wrapper, bool closed); - // Backoff logic for connection failures + // Backoff logic for connection failures. /** * Determine if connections should be initiated to a host, i.e., if host is in backoff period. - * @param host_address the address of the host to check - * @param cluster_name the name of the cluster the host belongs to - * @return true if connection attempt should be made, false if in backoff + * @param host_address the address of the host to check. + * @param cluster_name the name of the cluster the host belongs to. + * @return true if connection attempt should be made, false if in backoff. */ bool shouldAttemptConnectionToHost(const std::string& host_address, const std::string& cluster_name); /** * Track a connection failure for a specific host and cluster and apply backoff logic. - * @param host_address the address of the host that failed - * @param cluster_name the name of the cluster the host belongs to + * @param host_address the address of the host that failed. + * @param cluster_name the name of the cluster the host belongs to. */ void trackConnectionFailure(const std::string& host_address, const std::string& cluster_name); /** * Reset backoff state for a specific host. Called when a connection is established successfully. - * @param host_address the address of the host to reset backoff for + * @param host_address the address of the host to reset backoff for. */ void resetHostBackoff(const std::string& host_address); /** * Initialize stats collection for reverse connections. - * @param scope the stats scope to use for metrics collection + * @param scope the stats scope to use for metrics collection. */ void initializeStats(Stats::Scope& scope); /** * Get or create stats for a specific cluster. - * @param cluster_name the name of the cluster to get stats for - * @return pointer to the cluster stats + * @param cluster_name the name of the cluster to get stats for. + * @return pointer to the cluster stats. */ ReverseConnectionDownstreamStats* getStatsByCluster(const std::string& cluster_name); /** * Get or create stats for a specific host within a cluster. - * @param host_address the address of the host to get stats for - * @param cluster_name the name of the cluster the host belongs to - * @return pointer to the host stats + * @param host_address the address of the host to get stats for. + * @param cluster_name the name of the cluster the host belongs to. + * @return pointer to the host stats. */ ReverseConnectionDownstreamStats* getStatsByHost(const std::string& host_address, const std::string& cluster_name); /** * Update the connection state for a specific connection and update metrics. - * @param host_address the address of the host - * @param cluster_name the name of the cluster - * @param connection_key the unique key identifying the connection - * @param new_state the new state to set for the connection + * @param host_address the address of the host. + * @param cluster_name the name of the cluster. + * @param connection_key the unique key identifying the connection. + * @param new_state the new state to set for the connection. */ void updateConnectionState(const std::string& host_address, const std::string& cluster_name, const std::string& connection_key, ReverseConnectionState new_state); /** * Remove connection state tracking for a specific connection. - * @param host_address the address of the host - * @param cluster_name the name of the cluster - * @param connection_key the unique key identifying the connection + * @param host_address the address of the host. + * @param cluster_name the name of the cluster. + * @param connection_key the unique key identifying the connection. */ void removeConnectionState(const std::string& host_address, const std::string& cluster_name, const std::string& connection_key); /** * Handle downstream connection closure and trigger re-initiation. - * @param connection_key the unique key identifying the closed connection + * @param connection_key the unique key identifying the closed connection. */ void onDownstreamConnectionClosed(const std::string& connection_key); + /** + * Get reference to the cluster manager. + * @return reference to the cluster manager + */ + Upstream::ClusterManager& getClusterManager() { return cluster_manager_; } + /** * Increment the gauge for a specific connection state. * @param cluster_stats pointer to cluster-level stats @@ -360,6 +386,42 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ void cleanup(); + // Pipe trigger mechanism helpers + /** + * Initialize the pipe trigger mechanism for waking up accept(). + * @return absl::OkStatus() if successful, error status otherwise + */ + absl::Status initializePipeTrigger(); + + /** + * Clean up pipe trigger mechanism resources. + */ + void cleanupPipeTrigger(); + + /** + * Trigger the pipe to wake up accept(). + * @return true if successful, false otherwise + */ + bool triggerPipe(); + + /** + * Check if pipe was triggered (non-blocking) and consume trigger data. + * @return true if triggered, false if no trigger pending + */ + bool waitForPipeTrigger(); + + /** + * Check if pipe trigger mechanism is ready for use. + * @return true if initialized and ready + */ + bool isPipeTriggerReady() const; + + /** + * Get the pipe read file descriptor for event loop monitoring. + * @return file descriptor, or -1 if not initialized + */ + int getPipeMonitorFd() const; + // Host/cluster mapping management /** * Update cluster -> host mappings from the cluster manager. Called before connection initiation @@ -410,12 +472,10 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Mapping from wrapper to host. This designates the number of successful connections to a host. std::unordered_map conn_wrapper_to_host_map_; - // Cross-platform trigger mechanism to wake up accept() when a connection is established. - // This replaces the legacy pipe-based approach with optimal implementations for each platform: - // - macOS: kqueue EVFILT_USER (no file descriptor overhead) - // - Linux: eventfd (single FD, 64-bit counter) - // - Other Unix: pipe (fallback for compatibility) - std::unique_ptr trigger_mechanism_; + // Simple pipe-based trigger mechanism to wake up accept() when a connection is established. + // Inlined directly for simplicity and reduced test coverage requirements. + int trigger_pipe_read_fd_{-1}; + int trigger_pipe_write_fd_{-1}; // Connection management : We store the established connections in a queue // and pop the last established connection when data is read on trigger_pipe_read_fd_ @@ -504,7 +564,7 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, bool ipFamilySupported(int domain) override; /** - * @return pointer to the thread-local registry, or nullptr if not available + * @return pointer to the thread-local registry, or nullptr if not available. */ DownstreamSocketThreadLocal* getLocalRegistry() const; @@ -522,15 +582,7 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const; - // Server::Configuration::BootstrapExtensionFactory - Server::BootstrapExtensionPtr - createBootstrapExtension(const Protobuf::Message& config, - Server::Configuration::ServerFactoryContext& context) override; - - ProtobufTypes::MessagePtr createEmptyConfigProto() override; - std::string name() const override { - return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; - } + // Socket interface functionality only - factory methods moved to ReverseTunnelInitiatorFactory /** * Get the number of established reverse connections to a specific target (cluster or node). @@ -565,7 +617,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, void onWorkerThreadInitialized() override {} /** - * @return pointer to the thread-local registry, or nullptr if not available + * @return pointer to the thread-local registry, or nullptr if not available. */ DownstreamSocketThreadLocal* getLocalRegistry() const; @@ -576,7 +628,29 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, ThreadLocal::TypedSlotPtr tls_slot_; }; -DECLARE_FACTORY(ReverseTunnelInitiator); +/** + * Factory for creating ReverseTunnelInitiator bootstrap extensions. + * Uses the new factory base pattern for better consistency with Envoy conventions. + */ +class ReverseTunnelInitiatorFactory + : public ReverseConnectionBootstrapFactoryBase< + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface, + ReverseTunnelInitiatorExtension>, + public Logger::Loggable { +public: + ReverseTunnelInitiatorFactory() + : ReverseConnectionBootstrapFactoryBase( + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface") {} + +private: + Server::BootstrapExtensionPtr createBootstrapExtensionTyped( + const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& proto_config, + Server::Configuration::ServerFactoryContext& context) override; +}; + +DECLARE_FACTORY(ReverseTunnelInitiatorFactory); /** * Custom load balancer context for reverse connections. This class enables the @@ -586,7 +660,7 @@ DECLARE_FACTORY(ReverseTunnelInitiator); */ class ReverseConnectionLoadBalancerContext : public Upstream::LoadBalancerContextBase { public: - ReverseConnectionLoadBalancerContext(const std::string& host_to_select) { + explicit ReverseConnectionLoadBalancerContext(const std::string& host_to_select) { host_to_select_ = std::make_pair(host_to_select, false); } diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index 82cec3f4d2689..fbad05047085e 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -39,5 +39,6 @@ envoy_cc_extension( "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", + "@envoy_api//envoy/service/reverse_tunnel/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index a95dac5e674f5..d73dbb37bdbb1 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -22,6 +22,8 @@ namespace ReverseConn { const std::string ReverseConnFilter::reverse_connections_path = "/reverse_connections"; const std::string ReverseConnFilter::reverse_connections_request_path = "/reverse_connections/request"; +const std::string ReverseConnFilter::grpc_service_path = + "/envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService/EstablishTunnel"; const std::string ReverseConnFilter::node_id_param = "node_id"; const std::string ReverseConnFilter::cluster_id_param = "cluster_id"; const std::string ReverseConnFilter::tenant_id_param = "tenant_id"; @@ -177,7 +179,15 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { // Handle based on role if (is_responder) { - return handleResponderInfo(remote_node, remote_cluster); + auto* socket_manager = getUpstreamSocketManager(); + if (!socket_manager) { + ENVOY_LOG(error, "Failed to get upstream socket manager for responder role"); + decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, + "Failed to get socket manager", nullptr, absl::nullopt, + ""); + return Http::FilterHeadersStatus::StopIteration; + } + return handleResponderInfo(socket_manager, remote_node, remote_cluster); } else if (is_initiator) { auto* downstream_interface = getDownstreamSocketInterface(); if (!downstream_interface) { @@ -197,70 +207,110 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { } Http::FilterHeadersStatus -ReverseConnFilter::handleResponderInfo(const std::string& remote_node, +ReverseConnFilter::handleResponderInfo(ReverseConnection::UpstreamSocketManager* socket_manager, + const std::string& remote_node, const std::string& remote_cluster) { - ENVOY_LOG(debug, - "ReverseConnFilter: Received reverse connection info request with remote_node: {} remote_cluster: {}", - remote_node, remote_cluster); - - // Production-ready cross-thread aggregation for multi-tenant reporting - auto* upstream_extension = getUpstreamSocketInterfaceExtension(); - if (!upstream_extension) { - ENVOY_LOG(error, "No upstream extension available for stats collection"); - std::string response = R"({"accepted":[],"connected":[]})"; - decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); - return Http::FilterHeadersStatus::StopIteration; - } - - // For specific node or cluster query + size_t num_sockets = 0; + bool send_all_rc_info = true; + // With the local envoy as a responder, the API can be used to get the number + // of reverse connections by remote node ID or remote cluster ID. if (!remote_node.empty() || !remote_cluster.empty()) { - // Get connection count for specific remote node/cluster using stats - auto stats_map = upstream_extension->getCrossWorkerStatMap(); - size_t num_connections = 0; - + send_all_rc_info = false; if (!remote_node.empty()) { - std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", remote_node); - auto it = stats_map.find(node_stat_name); - if (it != stats_map.end()) { - num_connections = it->second; - } + ENVOY_LOG(debug, + "Getting number of reverse connections for remote node: {} with responder role", + remote_node); + num_sockets = socket_manager->getNumberOfSocketsByNode(remote_node); } else { - std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", remote_cluster); - auto it = stats_map.find(cluster_stat_name); - if (it != stats_map.end()) { - num_connections = it->second; - } + ENVOY_LOG(debug, + "Getting number of reverse connections for remote cluster: {} with responder role", + remote_cluster); + num_sockets = socket_manager->getNumberOfSocketsByCluster(remote_cluster); } - - std::string response = fmt::format("{{\"available_connections\":{}}}", num_connections); - ENVOY_LOG(info, "handleResponderInfo response for {}: {}", - remote_node.empty() ? remote_cluster : remote_node, response); + } + + // Send the reverse connection count filtered by node or cluster ID. + if (!send_all_rc_info) { + std::string response = fmt::format("{{\"available_connections\":{}}}", num_sockets); + absl::StatusOr response_or_error = + Json::Factory::loadFromString(response); + if (!response_or_error.ok()) { + decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, + "failed to form valid json response", nullptr, + absl::nullopt, ""); + } + ENVOY_LOG(info, "Sending reverse connection info response: {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } ENVOY_LOG(debug, - "ReverseConnFilter: Using upstream socket manager to get connection stats"); + "Getting all reverse connection info with responder role - production stats-based"); + + // Production-ready cross-thread aggregation for multi-tenant reporting + // First try the production stats-based approach for cross-thread aggregation + auto* upstream_extension = getUpstreamSocketInterfaceExtension(); + if (upstream_extension) { + ENVOY_LOG(debug, + "Using production stats-based cross-thread aggregation for multi-tenant reporting"); - // Use the production stats-based approach with Envoy's proven stats system - auto [connected_nodes, accepted_connections] = - upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); + // Use the production stats-based approach with Envoy's proven stats system + auto [connected_nodes, accepted_connections] = + upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); - // Convert vectors to lists for JSON serialization - std::list accepted_connections_list(accepted_connections.begin(), - accepted_connections.end()); - std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); + // Convert vectors to lists for JSON serialization + std::list accepted_connections_list(accepted_connections.begin(), + accepted_connections.end()); + std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - ENVOY_LOG(debug, - "Stats aggregation completed: {} connected nodes, {} accepted connections", - connected_nodes.size(), accepted_connections.size()); + ENVOY_LOG(debug, + "Stats-based aggregation completed: {} connected nodes, {} accepted connections", + connected_nodes.size(), accepted_connections.size()); + + // Create production-ready JSON response for multi-tenant environment + std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", + Json::Factory::listAsJsonString(accepted_connections_list), + Json::Factory::listAsJsonString(connected_nodes_list)); + + ENVOY_LOG(info, "handleResponderInfo production stats-based response: {}", response); + decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); + return Http::FilterHeadersStatus::StopIteration; + } + + // Fallback to current thread approach (for backward compatibility) + ENVOY_LOG(warn, + "No upstream extension available, falling back to current thread data collection"); - // Create production-ready JSON response for multi-tenant environment + std::list accepted_rc_nodes; + std::list connected_rc_clusters; + + auto node_stats = socket_manager->getConnectionStats(); + auto cluster_stats = socket_manager->getSocketCountMap(); + + ENVOY_LOG(debug, "Fallback stats collected: {} nodes, {} clusters", node_stats.size(), + cluster_stats.size()); + + // Process current thread's data + for (const auto& [node_id, rc_conn_count] : node_stats) { + if (rc_conn_count > 0) { + accepted_rc_nodes.push_back(node_id); + ENVOY_LOG(trace, "Fallback: Node '{}' has {} connections", node_id, rc_conn_count); + } + } + + for (const auto& [cluster_id, rc_conn_count] : cluster_stats) { + if (rc_conn_count > 0) { + connected_rc_clusters.push_back(cluster_id); + ENVOY_LOG(trace, "Fallback: Cluster '{}' has {} connections", cluster_id, rc_conn_count); + } + } + + // Create fallback JSON response std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", - Json::Factory::listAsJsonString(accepted_connections_list), - Json::Factory::listAsJsonString(connected_nodes_list)); + Json::Factory::listAsJsonString(accepted_rc_nodes), + Json::Factory::listAsJsonString(connected_rc_clusters)); - ENVOY_LOG(info, "handleResponderInfo production stats-based response: {}", response); + ENVOY_LOG(info, "handleResponderInfo fallback response: {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } @@ -310,6 +360,25 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, Http::FilterHeadersStatus ReverseConnFilter::decodeHeaders(Http::RequestHeaderMap& request_headers, bool) { + // Check for gRPC reverse tunnel requests first + if (isGrpcReverseTunnelRequest(request_headers)) { + ENVOY_STREAM_LOG(info, "Handling gRPC reverse tunnel handshake request", *decoder_callbacks_); + request_headers_ = &request_headers; + is_accept_request_ = true; // Reuse this flag for gRPC requests + + // Read content length for gRPC request + const auto content_length_header = request_headers.getContentLengthValue(); + if (!content_length_header.empty()) { + expected_proto_size_ = static_cast(std::stoi(std::string(content_length_header))); + ENVOY_STREAM_LOG(info, "Expecting gRPC request with {} bytes", *decoder_callbacks_, + expected_proto_size_); + } else { + expected_proto_size_ = 0; // Will handle streaming + } + + return Http::FilterHeadersStatus::StopIteration; + } + // check that request path starts with "/reverse_connections" const absl::string_view request_path = request_headers.Path()->value().getStringView(); const bool should_intercept_request = @@ -350,6 +419,18 @@ bool ReverseConnFilter::matchRequestPath(const absl::string_view& request_path, return false; } +bool ReverseConnFilter::isGrpcReverseTunnelRequest(const Http::RequestHeaderMap& headers) { + // Check for gRPC content type + const auto content_type = headers.getContentTypeValue(); + if (content_type != "application/grpc") { + return false; + } + + // Check for gRPC reverse tunnel service path + const absl::string_view request_path = headers.Path()->value().getStringView(); + return request_path == grpc_service_path; +} + void ReverseConnFilter::saveDownstreamConnection(Network::Connection& downstream_connection, const std::string& node_id, const std::string& cluster_id) { @@ -372,18 +453,127 @@ void ReverseConnFilter::saveDownstreamConnection(Network::Connection& downstream Http::FilterDataStatus ReverseConnFilter::decodeData(Buffer::Instance& data, bool) { if (is_accept_request_) { accept_rev_conn_proto_.move(data); - if (accept_rev_conn_proto_.length() < expected_proto_size_) { + if (expected_proto_size_ > 0 && accept_rev_conn_proto_.length() < expected_proto_size_) { ENVOY_STREAM_LOG(debug, "Waiting for more data, expected_proto_size_={}, current_buffer_size={}", *decoder_callbacks_, expected_proto_size_, accept_rev_conn_proto_.length()); return Http::FilterDataStatus::StopIterationAndBuffer; } else { - return acceptReverseConnection(); + // Check if this is a gRPC request by examining headers + if (isGrpcReverseTunnelRequest(*request_headers_)) { + return processGrpcRequest(); + } else { + return acceptReverseConnection(); + } } } return Http::FilterDataStatus::Continue; } +Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { + ENVOY_STREAM_LOG(info, "Processing gRPC request body with {} bytes", *decoder_callbacks_, + accept_rev_conn_proto_.length()); + + try { + // Parse gRPC request from buffer + envoy::service::reverse_tunnel::v3::EstablishTunnelRequest grpc_request; + const std::string request_body = accept_rev_conn_proto_.toString(); + + // For gRPC over HTTP/2, we need to handle the gRPC frame format + // Skip the first 5 bytes (compression flag + message length) + if (request_body.length() >= 5) { + const std::string grpc_message = request_body.substr(5); + if (!grpc_request.ParseFromString(grpc_message)) { + ENVOY_STREAM_LOG(error, "Failed to parse gRPC request from body", *decoder_callbacks_); + decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, "Invalid gRPC request format", + nullptr, absl::nullopt, ""); + return Http::FilterDataStatus::StopIterationNoBuffer; + } + } else { + ENVOY_STREAM_LOG(error, "gRPC request too short: {} bytes", *decoder_callbacks_, + request_body.length()); + decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, "gRPC request too short", nullptr, + absl::nullopt, ""); + return Http::FilterDataStatus::StopIterationNoBuffer; + } + + ENVOY_STREAM_LOG(debug, "Parsed gRPC request: {}", *decoder_callbacks_, + grpc_request.DebugString()); + + // Process the gRPC request directly (without standalone service) + envoy::service::reverse_tunnel::v3::EstablishTunnelResponse grpc_response; + + // Validate the request + const auto& initiator = grpc_request.initiator(); + if (initiator.node_id().empty() || initiator.cluster_id().empty()) { + grpc_response.set_status(envoy::service::reverse_tunnel::v3::TunnelStatus::REJECTED); + grpc_response.set_status_message("Missing required initiator fields"); + } else { + // Accept the tunnel request + grpc_response.set_status(envoy::service::reverse_tunnel::v3::TunnelStatus::ACCEPTED); + grpc_response.set_status_message("Tunnel established successfully"); + + ENVOY_STREAM_LOG(info, "Accepting gRPC reverse tunnel for node='{}', cluster='{}'", + *decoder_callbacks_, initiator.node_id(), initiator.cluster_id()); + } + + ENVOY_STREAM_LOG(info, "gRPC EstablishTunnel processed: {}", *decoder_callbacks_, + grpc_response.DebugString()); + + // Send gRPC response + sendGrpcResponse(grpc_response); + + // Handle connection acceptance if successful + if (grpc_response.status() == envoy::service::reverse_tunnel::v3::TunnelStatus::ACCEPTED) { + Network::Connection* connection = + &const_cast(*decoder_callbacks_->connection()); + + ENVOY_STREAM_LOG(info, "Saving downstream connection for gRPC request", *decoder_callbacks_); + + saveDownstreamConnection(*connection, initiator.node_id(), initiator.cluster_id()); + connection->setSocketReused(true); + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn_grpc"); + } + + return Http::FilterDataStatus::StopIterationNoBuffer; + + } catch (const std::exception& e) { + ENVOY_STREAM_LOG(error, "Exception processing gRPC request: {}", *decoder_callbacks_, e.what()); + decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, "Internal server error", + nullptr, absl::nullopt, ""); + return Http::FilterDataStatus::StopIterationNoBuffer; + } +} + +void ReverseConnFilter::sendGrpcResponse( + const envoy::service::reverse_tunnel::v3::EstablishTunnelResponse& response) { + // Serialize the gRPC response + std::string response_body = response.SerializeAsString(); + + // Add gRPC frame header (compression flag + message length) + std::string grpc_frame; + grpc_frame.reserve(5 + response_body.size()); + grpc_frame.append(1, 0); // No compression + + // Message length in big-endian format + uint32_t msg_len = htonl(response_body.size()); + grpc_frame.append(reinterpret_cast(&msg_len), 4); + grpc_frame.append(response_body); + + ENVOY_STREAM_LOG(info, "Sending gRPC response: {} total bytes", *decoder_callbacks_, + grpc_frame.size()); + + // Send gRPC response with proper headers + decoder_callbacks_->sendLocalReply( + Http::Code::OK, grpc_frame, + [](Http::ResponseHeaderMap& headers) { + headers.setContentType("application/grpc"); + headers.addCopy(Http::LowerCaseString("grpc-status"), "0"); // OK + headers.addCopy(Http::LowerCaseString("grpc-message"), ""); + }, + absl::nullopt, ""); +} + Http::FilterTrailersStatus ReverseConnFilter::decodeTrailers(Http::RequestTrailerMap&) { return Http::FilterTrailersStatus::Continue; } diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index ff4050d3ed28c..e18957f19018e 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -1,6 +1,7 @@ #pragma once #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.validate.h" #include "envoy/http/async_client.h" #include "envoy/http/filter.h" #include "envoy/upstream/cluster_manager.h" @@ -14,6 +15,9 @@ #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" +// Add gRPC support +#include "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.pb.h" + #include "absl/types/optional.h" namespace Envoy { @@ -53,6 +57,11 @@ using ReverseConnFilterConfigSharedPtr = std::shared_ptr, public Http::StreamDecoderFilter { public: ReverseConnFilter(ReverseConnFilterConfigSharedPtr config); @@ -70,6 +79,7 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str static const std::string reverse_connections_path; static const std::string reverse_connections_request_path; + static const std::string grpc_service_path; // Add gRPC service path static const std::string stats_path; static const std::string tenant_path; static const std::string node_id_param; @@ -79,6 +89,16 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str static const std::string rc_accepted_response; private: + // Check if request is a gRPC reverse tunnel request + bool isGrpcReverseTunnelRequest(const Http::RequestHeaderMap& headers); + + // Process gRPC request body and handle the tunnel establishment + Http::FilterDataStatus processGrpcRequest(); + + // Send gRPC response with proper framing and headers + void + sendGrpcResponse(const envoy::service::reverse_tunnel::v3::EstablishTunnelResponse& response); + void saveDownstreamConnection(Network::Connection& downstream_connection, const std::string& node_id, const std::string& cluster_id); std::string getQueryParam(const std::string& key); @@ -100,7 +120,8 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Handle reverse connection info for responder role (uses upstream socket manager) Http::FilterHeadersStatus - handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster); + handleResponderInfo(ReverseConnection::UpstreamSocketManager* socket_manager, + const std::string& remote_node, const std::string& remote_cluster); // Handle reverse connection info for initiator role (uses downstream socket interface) Http::FilterHeadersStatus handleInitiatorInfo(const std::string& remote_node, diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_test.cc new file mode 100644 index 0000000000000..0f283efd37e27 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_test.cc @@ -0,0 +1,89 @@ +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" + +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { +namespace { + +/** + * Test ReverseTunnelAcceptor factory creation and basic functionality. + */ +TEST(ReverseTunnelTest, AcceptorFactoryCreation) { + ReverseTunnelAcceptorFactory factory; + EXPECT_EQ(factory.name(), + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + + // Test factory creation through public interface + auto empty_config = factory.createEmptyConfigProto(); + EXPECT_NE(empty_config, nullptr); +} + +/** + * Test ReverseTunnelInitiator factory creation and basic functionality. + */ +TEST(ReverseTunnelTest, InitiatorFactoryCreation) { + ReverseTunnelInitiatorFactory factory; + EXPECT_EQ(factory.name(), + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + + // Test factory creation through public interface + auto empty_config = factory.createEmptyConfigProto(); + EXPECT_NE(empty_config, nullptr); +} + +/** + * Test basic configuration validation. + */ +TEST(ReverseTunnelTest, ConfigurationValidation) { + // Test acceptor configuration + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface acceptor_config; + const std::string acceptor_yaml = R"EOF( +stat_prefix: "reverse_connection_test" +)EOF"; + TestUtility::loadFromYaml(acceptor_yaml, acceptor_config); + EXPECT_EQ(acceptor_config.stat_prefix(), "reverse_connection_test"); + + // Test initiator configuration + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface initiator_config; + const std::string initiator_yaml = R"EOF( +stat_prefix: "reverse_connection_test" +)EOF"; + TestUtility::loadFromYaml(initiator_yaml, initiator_config); + EXPECT_EQ(initiator_config.stat_prefix(), "reverse_connection_test"); +} + +/** + * Test factory pattern implementation. + */ +TEST(ReverseTunnelTest, FactoryPatternImplementation) { + // Test acceptor factory + ReverseTunnelAcceptorFactory acceptor_factory; + EXPECT_EQ(acceptor_factory.name(), + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + + // Test initiator factory + ReverseTunnelInitiatorFactory initiator_factory; + EXPECT_EQ(initiator_factory.name(), + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + + // Test empty config creation + auto acceptor_config = acceptor_factory.createEmptyConfigProto(); + auto initiator_config = initiator_factory.createEmptyConfigProto(); + + EXPECT_NE(acceptor_config, nullptr); + EXPECT_NE(initiator_config, nullptr); +} + +} // namespace +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy From 0d341b982a24f3ddb9f4fd3a9bdd8880561103be Mon Sep 17 00:00:00 2001 From: code Date: Wed, 23 Jul 2025 14:25:44 +0800 Subject: [PATCH 041/505] Temporary revert for release "matcher: refactor the matcher to avoid unnecessary wrapper and heap allocation (envoyproxy#40249) (#40349) This reverts commit c34a837e680f906962b66673c44cb1f4ba0568f1. --- envoy/matcher/matcher.h | 43 +++--- .../filter_chain_manager_impl.cc | 15 +- source/common/matcher/matcher.h | 8 +- source/common/router/config_impl.cc | 27 ++-- source/common/router/config_impl.h | 13 +- .../filters/common/rbac/engine_impl.cc | 13 +- .../filters/common/rbac/engine_impl.h | 6 +- .../filters/http/composite/action.cc | 74 ++++----- .../filters/http/composite/action.h | 64 ++++---- .../filters/http/composite/filter.cc | 5 +- .../filters/http/composite/filter.h | 5 +- .../filters/http/custom_response/config.cc | 2 +- .../filters/http/custom_response/policy.h | 19 ++- .../filters/http/match_delegate/config.cc | 12 +- .../http/proto_api_scrubber/filter_config.h | 8 +- .../filters/http/rate_limit_quota/filter.cc | 9 +- .../filters/http/rate_limit_quota/filter.h | 3 +- .../filters/http/rate_limit_quota/matcher.h | 10 +- .../network/generic_proxy/route_impl.cc | 20 ++- .../network/generic_proxy/route_impl.h | 19 ++- .../filters/network/match_delegate/config.cc | 13 +- .../udp/udp_proxy/router/router_impl.cc | 9 +- .../udp/udp_proxy/router/router_impl.h | 6 +- .../matching/actions/format_string/config.cc | 10 +- .../matching/actions/format_string/config.h | 9 +- .../matcher/matcher_cluster_specifier.cc | 14 +- .../matcher/matcher_cluster_specifier.h | 12 +- test/common/matcher/exact_map_matcher_test.cc | 12 +- test/common/matcher/list_matcher_test.cc | 28 ++-- test/common/matcher/matcher_test.cc | 18 +-- test/common/matcher/test_utility.h | 53 ++++--- .../common/matcher/domain_matcher_test.cc | 5 +- .../common/matcher/trie_matcher_test.cc | 10 +- .../filters/http/composite/filter_test.cc | 142 ++++++------------ .../http/match_delegate/config_test.cc | 12 +- .../http/rate_limit_quota/filter_test.cc | 4 +- .../network/generic_proxy/route_test.cc | 20 ++- .../network/match_delegate/config_test.cc | 4 +- .../actions/format_string/config_test.cc | 6 +- test/mocks/http/mocks.h | 4 +- 40 files changed, 389 insertions(+), 377 deletions(-) diff --git a/envoy/matcher/matcher.h b/envoy/matcher/matcher.h index 531f99cf15bc4..223ed538e5952 100644 --- a/envoy/matcher/matcher.h +++ b/envoy/matcher/matcher.h @@ -91,20 +91,22 @@ class Action { } }; -using ActionConstSharedPtr = std::shared_ptr; +using ActionPtr = std::unique_ptr; +using ActionFactoryCb = std::function; template class ActionFactory : public Config::TypedFactory { public: - virtual ActionConstSharedPtr - createAction(const Protobuf::Message& config, ActionFactoryContext& action_factory_context, - ProtobufMessage::ValidationVisitor& validation_visitor) PURE; + virtual ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, + ActionFactoryContext& action_factory_context, + ProtobufMessage::ValidationVisitor& validation_visitor) PURE; std::string category() const override { return "envoy.matching.action"; } }; // On match, we either return the action to perform or another match tree to match against. template struct OnMatch { - const ActionConstSharedPtr action_; + const ActionFactoryCb action_cb_; const MatchTreeSharedPtr matcher_; bool keep_matching_{}; }; @@ -128,39 +130,30 @@ template class OnMatchFactory { // - The match could not be completed due to lack of data (isInsufficientData() will return true.) // - The match was completed, no match found (isNoMatch() will return true.) // - The match was completed, match found (isMatch() will return true, action() will return the -// ActionConstSharedPtr.) +// ActionFactoryCb.) struct MatchResult { public: - MatchResult(ActionConstSharedPtr cb) : result_(std::move(cb)) {} + MatchResult(ActionFactoryCb cb) : result_(std::move(cb)) {} static MatchResult noMatch() { return MatchResult(NoMatch{}); } static MatchResult insufficientData() { return MatchResult(InsufficientData{}); } bool isInsufficientData() const { return absl::holds_alternative(result_); } bool isComplete() const { return !isInsufficientData(); } bool isNoMatch() const { return absl::holds_alternative(result_); } - bool isMatch() const { return absl::holds_alternative(result_); } - const ActionConstSharedPtr& action() const { - ASSERT(isMatch()); - return absl::get(result_); - } - // Returns the action by move. The caller must ensure that the MatchResult is not used after - // this call. - ActionConstSharedPtr actionByMove() { - ASSERT(isMatch()); - return absl::get(std::move(result_)); - } + bool isMatch() const { return absl::holds_alternative(result_); } + ActionFactoryCb actionFactory() const { return absl::get(result_); } + ActionPtr action() const { return actionFactory()(); } private: struct InsufficientData {}; struct NoMatch {}; - using Result = absl::variant; + using Result = absl::variant; Result result_; MatchResult(NoMatch) : result_(NoMatch{}) {} MatchResult(InsufficientData) : result_(InsufficientData{}) {} }; // Callback to execute against skipped matches' actions. -using SkippedMatchCb = std::function; - +using SkippedMatchCb = std::function; /** * MatchTree provides the interface for performing matches against the data provided by DataType. */ @@ -194,19 +187,19 @@ template class MatchTree { // Parent result's keep_matching skips the nested result. if (on_match->keep_matching_ && nested_result.isMatch()) { if (skipped_match_cb) { - skipped_match_cb(nested_result.action()); + skipped_match_cb(nested_result.actionFactory()); } return MatchResult::noMatch(); } return nested_result; } - if (on_match->action_ && on_match->keep_matching_) { + if (on_match->action_cb_ && on_match->keep_matching_) { if (skipped_match_cb) { - skipped_match_cb(on_match->action_); + skipped_match_cb(on_match->action_cb_); } return MatchResult::noMatch(); } - return MatchResult{on_match->action_}; + return MatchResult{on_match->action_cb_}; } }; diff --git a/source/common/listener_manager/filter_chain_manager_impl.cc b/source/common/listener_manager/filter_chain_manager_impl.cc index b9f6d9eede3ba..7261bea02234a 100644 --- a/source/common/listener_manager/filter_chain_manager_impl.cc +++ b/source/common/listener_manager/filter_chain_manager_impl.cc @@ -49,11 +49,11 @@ class FilterChainNameActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "filter-chain-name"; } - Matcher::ActionConstSharedPtr createAction(const Protobuf::Message& config, - FilterChainActionFactoryContext&, - ProtobufMessage::ValidationVisitor&) override { - return std::make_shared( - dynamic_cast(config).value()); + Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, + FilterChainActionFactoryContext&, + ProtobufMessage::ValidationVisitor&) override { + const auto& name = dynamic_cast(config); + return [value = name.value()]() { return std::make_unique(value); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -573,8 +573,9 @@ FilterChainManagerImpl::findFilterChainUsingMatcher(const Network::ConnectionSoc Matcher::evaluateMatch(*matcher_, data); ASSERT(match_result.isComplete(), "Matching must complete for network streams."); if (match_result.isMatch()) { - return match_result.action()->getTyped().get( - filter_chains_by_name_, info); + const Matcher::ActionPtr action = match_result.action(); + return action->getTyped().get(filter_chains_by_name_, + info); } return default_filter_chain_.get(); } diff --git a/source/common/matcher/matcher.h b/source/common/matcher/matcher.h index 5cc9b0059b42c..a7aef43c642de 100644 --- a/source/common/matcher/matcher.h +++ b/source/common/matcher/matcher.h @@ -324,10 +324,10 @@ class MatchTreeFactory : public OnMatchFactory { on_match.action().typed_config(), server_factory_context_.messageValidationVisitor(), factory); - auto action = factory.createAction(*message, action_factory_context_, - server_factory_context_.messageValidationVisitor()); - return [action, keep_matching = on_match.keep_matching()] { - return OnMatch{action, {}, keep_matching}; + auto action_factory = factory.createActionFactoryCb( + *message, action_factory_context_, server_factory_context_.messageValidationVisitor()); + return [action_factory, keep_matching = on_match.keep_matching()] { + return OnMatch{action_factory, {}, keep_matching}; }; } diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 7c970149f0aff..5ac7fe53a144c 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -1825,13 +1825,14 @@ RouteConstSharedPtr VirtualHostImpl::getRouteFromEntries(const RouteCallback& cb Matcher::evaluateMatch(*matcher_, data); if (match_result.isMatch()) { - const auto result = match_result.actionByMove(); + const Matcher::ActionPtr result = match_result.action(); if (result->typeUrl() == RouteMatchAction::staticTypeUrl()) { - return getRouteFromRoutes( - cb, headers, stream_info, random_value, - {std::dynamic_pointer_cast(std::move(result))}); + const RouteMatchAction& route_action = result->getTyped(); + + return getRouteFromRoutes(cb, headers, stream_info, random_value, {route_action.route()}); } else if (result->typeUrl() == RouteListMatchAction::staticTypeUrl()) { const RouteListMatchAction& action = result->getTyped(); + return getRouteFromRoutes(cb, headers, stream_info, random_value, action.routes()); } PANIC("Action in router matcher should be Route or RouteList"); @@ -2139,9 +2140,9 @@ const Envoy::Config::TypedMetadata& NullConfigImpl::typedMetadata() const { return DefaultRouteMetadataPack::get().typed_metadata_; } -Matcher::ActionConstSharedPtr -RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( + const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate(config, validation_visitor); @@ -2149,14 +2150,14 @@ RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActi RouteCreator::createAndValidateRoute(route_config, context.vhost, context.factory_context, validation_visitor, false), RouteEntryImplBaseConstSharedPtr); - return route; + + return [route]() { return std::make_unique(route); }; } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); -Matcher::ActionConstSharedPtr -RouteListMatchActionFactory::createAction(const Protobuf::Message& config, - RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionFactoryCb RouteListMatchActionFactory::createActionFactoryCb( + const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate( config, validation_visitor); @@ -2168,7 +2169,7 @@ RouteListMatchActionFactory::createAction(const Protobuf::Message& config, validation_visitor, false), RouteEntryImplBaseConstSharedPtr)); } - return std::make_shared(std::move(routes)); + return [routes]() { return std::make_unique(routes); }; } REGISTER_FACTORY(RouteListMatchActionFactory, Matcher::ActionFactory); diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 5571df3e437b6..c4106e056b8bf 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -619,7 +619,6 @@ class RouteEntryImplBase : public RouteEntryAndRoute, public Matchable, public DirectResponseEntry, public PathMatchCriterion, - public Matcher::ActionBase, public std::enable_shared_from_this, Logger::Loggable { protected: @@ -1192,9 +1191,9 @@ class RouteMatchAction : public Matcher::ActionBase { public: - Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -1218,9 +1217,9 @@ class RouteListMatchAction : public Matcher::ActionBase { public: - Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route_match_action"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc index 9abe4c961df3b..e53f2265fc974 100644 --- a/source/extensions/filters/common/rbac/engine_impl.cc +++ b/source/extensions/filters/common/rbac/engine_impl.cc @@ -11,9 +11,9 @@ namespace Filters { namespace Common { namespace RBAC { -Envoy::Matcher::ActionConstSharedPtr -ActionFactory::createAction(const Protobuf::Message& config, ActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Envoy::Matcher::ActionFactoryCb +ActionFactory::createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& action_config = MessageUtil::downcastAndValidate(config, validation_visitor); @@ -25,7 +25,7 @@ ActionFactory::createAction(const Protobuf::Message& config, ActionContext& cont context.has_log_ = true; } - return std::make_shared(name, action); + return [name, action]() { return std::make_unique(name, action); }; } REGISTER_FACTORY(ActionFactory, Envoy::Matcher::ActionFactory); @@ -138,17 +138,18 @@ bool RoleBasedAccessControlMatcherEngineImpl::handleAction( Envoy::Matcher::evaluateMatch(*matcher_, data); ASSERT(result.isComplete()); if (result.isMatch()) { - const auto& action = result.action()->getTyped(); + auto action = result.action()->getTyped(); if (effective_policy_id != nullptr) { *effective_policy_id = action.name(); } // If there is at least an LOG action in matchers, we have to turn on and off for shared log // metadata every time when there is a connection or request. - const auto rbac_action = action.action(); + auto rbac_action = action.action(); if (has_log_) { generateLog(info, mode_, rbac_action == envoy::config::rbac::v3::RBAC::LOG); } + switch (rbac_action) { PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; case envoy::config::rbac::v3::RBAC::ALLOW: diff --git a/source/extensions/filters/common/rbac/engine_impl.h b/source/extensions/filters/common/rbac/engine_impl.h index 80a5781ed9e71..ad22de9ed5553 100644 --- a/source/extensions/filters/common/rbac/engine_impl.h +++ b/source/extensions/filters/common/rbac/engine_impl.h @@ -50,9 +50,9 @@ class Action : public Envoy::Matcher::ActionBase { public: - Envoy::Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, ActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Envoy::Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "envoy.filters.rbac.action"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/http/composite/action.cc b/source/extensions/filters/http/composite/action.cc index da6941c88b90c..9d70c9c10671f 100644 --- a/source/extensions/filters/http/composite/action.cc +++ b/source/extensions/filters/http/composite/action.cc @@ -6,30 +6,23 @@ namespace HttpFilters { namespace Composite { void ExecuteFilterAction::createFilters(Http::FilterChainFactoryCallbacks& callbacks) const { - if (actionSkip()) { - return; - } - - if (auto config_value = config_provider_(); config_value.has_value()) { - (*config_value)(callbacks); - return; - } - // There is no dynamic config available. Apply missing config filter. - Envoy::Http::MissingConfigFilterFactory(callbacks); + cb_(callbacks); } -const std::string& ExecuteFilterAction::actionName() const { return name_; } - -bool ExecuteFilterAction::actionSkip() const { - return sample_.has_value() - ? !runtime_.snapshot().featureEnabled(sample_->runtime_key(), sample_->default_value()) - : false; +bool ExecuteFilterActionFactory::isSampled( + const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, + Envoy::Runtime::Loader& runtime) { + if (composite_action.has_sample_percent() && + !runtime.snapshot().featureEnabled(composite_action.sample_percent().runtime_key(), + composite_action.sample_percent().default_value())) { + return false; + } + return true; } -Matcher::ActionConstSharedPtr -ExecuteFilterActionFactory::createAction(const Protobuf::Message& config, - Http::Matching::HttpFilterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCb( + const Protobuf::Message& config, Http::Matching::HttpFilterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& composite_action = MessageUtil::downcastAndValidate< const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction&>( config, validation_visitor); @@ -41,20 +34,20 @@ ExecuteFilterActionFactory::createAction(const Protobuf::Message& config, if (composite_action.has_dynamic_config()) { if (context.is_downstream_) { - return createDynamicActionDownstream(composite_action, context); + return createDynamicActionFactoryCbDownstream(composite_action, context); } else { - return createDynamicActionUpstream(composite_action, context); + return createDynamicActionFactoryCbUpstream(composite_action, context); } } if (context.is_downstream_) { - return createStaticActionDownstream(composite_action, context, validation_visitor); + return createStaticActionFactoryCbDownstream(composite_action, context, validation_visitor); } else { - return createStaticActionUpstream(composite_action, context, validation_visitor); + return createStaticActionFactoryCbUpstream(composite_action, context, validation_visitor); } } -Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionDownstream( +Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryCbDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context) { if (!context.factory_context_.has_value() || !context.server_factory_context_.has_value()) { @@ -64,11 +57,11 @@ Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionDow auto provider_manager = Envoy::Http::FilterChainUtility::createSingletonDownstreamFilterConfigProviderManager( context.server_factory_context_.value()); - return createDynamicActionTyped( + return createDynamicActionFactoryCbTyped( composite_action, context, "http", context.factory_context_.value(), provider_manager); } -Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionUpstream( +Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryCbUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context) { if (!context.upstream_factory_context_.has_value() || @@ -79,12 +72,12 @@ Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionUps auto provider_manager = Envoy::Http::FilterChainUtility::createSingletonUpstreamFilterConfigProviderManager( context.server_factory_context_.value()); - return createDynamicActionTyped( + return createDynamicActionFactoryCbTyped( composite_action, context, "router upstream http", context.upstream_factory_context_.value(), provider_manager); } -Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createActionCommon( +Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCbCommon( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, Envoy::Http::FilterFactoryCb& callback, bool is_downstream) { @@ -97,17 +90,16 @@ Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createActionCommon( std::string name = composite_action.typed_config().name(); ASSERT(context.server_factory_context_ != absl::nullopt); Envoy::Runtime::Loader& runtime = context.server_factory_context_->runtime(); - - return std::make_shared( - [cb = std::move(callback)]() mutable -> OptRef { return cb; }, name, - composite_action.has_sample_percent() - ? absl::make_optional( - composite_action.sample_percent()) - : absl::nullopt, - runtime); + return [cb = std::move(callback), n = std::move(name), + composite_action = std::move(composite_action), &runtime, this]() -> Matcher::ActionPtr { + if (!isSampled(composite_action, runtime)) { + return nullptr; + } + return std::make_unique(cb, n); + }; } -Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionDownstream( +Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCbDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor) { @@ -134,10 +126,10 @@ Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionDown *message, context.stat_prefix_, context.server_factory_context_.value()); } - return createActionCommon(composite_action, context, callback, true); + return createActionFactoryCbCommon(composite_action, context, callback, true); } -Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionUpstream( +Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCbUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor) { @@ -158,7 +150,7 @@ Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionUpst callback = callback_or_status.value(); } - return createActionCommon(composite_action, context, callback, false); + return createActionFactoryCbCommon(composite_action, context, callback, false); } REGISTER_FACTORY(ExecuteFilterActionFactory, diff --git a/source/extensions/filters/http/composite/action.h b/source/extensions/filters/http/composite/action.h index ecd9ad9bb076c..834b757a573fa 100644 --- a/source/extensions/filters/http/composite/action.h +++ b/source/extensions/filters/http/composite/action.h @@ -18,26 +18,16 @@ class ExecuteFilterAction : public Matcher::ActionBase< envoy::extensions::filters::http::composite::v3::ExecuteFilterAction> { public: - using FilterConfigProvider = std::function()>; - - explicit ExecuteFilterAction( - FilterConfigProvider config_provider, const std::string& name, - const absl::optional& sample, - Runtime::Loader& runtime) - : config_provider_(std::move(config_provider)), name_(name), sample_(sample), - runtime_(runtime) {} + explicit ExecuteFilterAction(Http::FilterFactoryCb cb, const std::string& name) + : cb_(std::move(cb)), name_(name) {} void createFilters(Http::FilterChainFactoryCallbacks& callbacks) const; - const std::string& actionName() const; - - bool actionSkip() const; + const std::string& actionName() const { return name_; } private: - FilterConfigProvider config_provider_; + Http::FilterFactoryCb cb_; const std::string name_; - const absl::optional sample_; - Runtime::Loader& runtime_; }; class ExecuteFilterActionFactory @@ -46,22 +36,29 @@ class ExecuteFilterActionFactory public: std::string name() const override { return "composite-action"; } - Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, Http::Matching::HttpFilterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, + Http::Matching::HttpFilterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); } + // Rolling the dice to decide whether the action will be sampled. + // By default, if sample_percent is not specified, then it is sampled. + bool isSampled( + const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, + Envoy::Runtime::Loader& runtime); + private: - Matcher::ActionConstSharedPtr createActionCommon( + Matcher::ActionFactoryCb createActionFactoryCbCommon( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, Envoy::Http::FilterFactoryCb& callback, bool is_downstream); template - Matcher::ActionConstSharedPtr createDynamicActionTyped( + Matcher::ActionFactoryCb createDynamicActionFactoryCbTyped( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, const std::string& filter_chain_type, FactoryCtx& factory_context, std::shared_ptr& provider_manager) { @@ -76,30 +73,35 @@ class ExecuteFilterActionFactory server_factory_context.clusterManager(), false, filter_chain_type, nullptr); Envoy::Runtime::Loader& runtime = context.server_factory_context_->runtime(); - - return std::make_shared( - [provider]() -> OptRef { return provider->config(); }, name, - composite_action.has_sample_percent() - ? absl::make_optional( - composite_action.sample_percent()) - : absl::nullopt, - runtime); + return + [provider = std::move(provider), n = std::move(name), + composite_action = std::move(composite_action), &runtime, this]() -> Matcher::ActionPtr { + if (!isSampled(composite_action, runtime)) { + return nullptr; + } + + if (auto config_value = provider->config(); config_value.has_value()) { + return std::make_unique(config_value.ref(), n); + } + // There is no dynamic config available. Apply missing config filter. + return std::make_unique(Envoy::Http::MissingConfigFilterFactory, n); + }; } - Matcher::ActionConstSharedPtr createDynamicActionDownstream( + Matcher::ActionFactoryCb createDynamicActionFactoryCbDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context); - Matcher::ActionConstSharedPtr createDynamicActionUpstream( + Matcher::ActionFactoryCb createDynamicActionFactoryCbUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context); - Matcher::ActionConstSharedPtr createStaticActionDownstream( + Matcher::ActionFactoryCb createStaticActionFactoryCbDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor); - Matcher::ActionConstSharedPtr createStaticActionUpstream( + Matcher::ActionFactoryCb createStaticActionFactoryCbUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor); diff --git a/source/extensions/filters/http/composite/filter.cc b/source/extensions/filters/http/composite/filter.cc index fd12f0946ecd7..3075685da05b1 100644 --- a/source/extensions/filters/http/composite/filter.cc +++ b/source/extensions/filters/http/composite/filter.cc @@ -96,6 +96,7 @@ void Filter::encodeComplete() { void Filter::onMatchCallback(const Matcher::Action& action) { const auto& composite_action = action.getTyped(); + FactoryCallbacksWrapper wrapper(*this, dispatcher_); composite_action.createFilters(wrapper); @@ -106,12 +107,11 @@ void Filter::onMatchCallback(const Matcher::Action& action) { wrapper.errors_, [](const auto& status) { return status.ToString(); })); return; } + const std::string& action_name = composite_action.actionName(); if (wrapper.filter_to_inject_.has_value()) { stats_.filter_delegation_success_.inc(); - const std::string& action_name = composite_action.actionName(); - auto createDelegatedFilterFn = Overloaded{ [this, action_name](Http::StreamDecoderFilterSharedPtr filter) { delegated_filter_ = std::make_shared(std::move(filter)); @@ -137,6 +137,7 @@ void Filter::onMatchCallback(const Matcher::Action& action) { access_loggers_.insert(access_loggers_.end(), wrapper.access_loggers_.begin(), wrapper.access_loggers_.end()); } + // TODO(snowp): Make it possible for onMatchCallback to fail the stream by issuing a local reply, // either directly or via some return status. } diff --git a/source/extensions/filters/http/composite/filter.h b/source/extensions/filters/http/composite/filter.h index 551744416fc5b..acc86f447bf57 100644 --- a/source/extensions/filters/http/composite/filter.h +++ b/source/extensions/filters/http/composite/filter.h @@ -57,7 +57,8 @@ class Filter : public Http::StreamFilter, Logger::Loggable { public: Filter(FilterStats& stats, Event::Dispatcher& dispatcher, bool is_upstream) - : dispatcher_(dispatcher), stats_(stats), is_upstream_(is_upstream) {} + : dispatcher_(dispatcher), decoded_headers_(false), stats_(stats), is_upstream_(is_upstream) { + } // Http::StreamDecoderFilter Http::FilterHeadersStatus decodeHeaders(Http::RequestHeaderMap& headers, @@ -123,7 +124,7 @@ class Filter : public Http::StreamFilter, // time will result in various FM assertions firing. // We should be protected against this by the match tree validation that only allows request // headers, this just provides some additional sanity checking. - bool decoded_headers_{false}; + bool decoded_headers_ : 1; // Wraps a stream encoder OR a stream decoder filter into a stream filter, making it easier to // delegate calls. diff --git a/source/extensions/filters/http/custom_response/config.cc b/source/extensions/filters/http/custom_response/config.cc index 84d5c1533b20d..4aa4ec67746fc 100644 --- a/source/extensions/filters/http/custom_response/config.cc +++ b/source/extensions/filters/http/custom_response/config.cc @@ -61,7 +61,7 @@ PolicySharedPtr FilterConfig::getPolicy(const ::Envoy::Http::ResponseHeaderMap& if (!match_result.isMatch()) { return PolicySharedPtr{}; } - return std::dynamic_pointer_cast(match_result.actionByMove()); + return match_result.action()->getTyped().policy_; } } // namespace CustomResponse diff --git a/source/extensions/filters/http/custom_response/policy.h b/source/extensions/filters/http/custom_response/policy.h index 8a18f647ea2e3..8a4d98080421d 100644 --- a/source/extensions/filters/http/custom_response/policy.h +++ b/source/extensions/filters/http/custom_response/policy.h @@ -19,9 +19,9 @@ namespace CustomResponse { class CustomResponseFilter; // Base class for custom response policies. -class Policy : public std::enable_shared_from_this, - public Matcher::ActionBase { +class Policy : public std::enable_shared_from_this { public: + virtual ~Policy() = default; virtual Http::FilterHeadersStatus encodeHeaders(Http::ResponseHeaderMap&, bool, CustomResponseFilter&) const PURE; @@ -42,6 +42,11 @@ struct CustomResponseFilterState : public std::enable_shared_from_this { + explicit CustomResponseMatchAction(PolicySharedPtr policy) : policy_(policy) {} + const PolicySharedPtr policy_; +}; + struct CustomResponseActionFactoryContext { Server::Configuration::ServerFactoryContext& server_; Stats::StatName stats_prefix_; @@ -52,10 +57,12 @@ template class PolicyMatchActionFactory : public Matcher::ActionFactory, Logger::Loggable { public: - Matcher::ActionConstSharedPtr createAction(const Protobuf::Message& config, - CustomResponseActionFactoryContext& context, - ProtobufMessage::ValidationVisitor&) override { - return createPolicy(config, context.server_, context.stats_prefix_); + Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, + CustomResponseActionFactoryContext& context, + ProtobufMessage::ValidationVisitor&) override { + return [policy = createPolicy(config, context.server_, context.stats_prefix_)] { + return std::make_unique(policy); + }; } std::string category() const override { return "envoy.http.custom_response"; } diff --git a/source/extensions/filters/http/match_delegate/config.cc b/source/extensions/filters/http/match_delegate/config.cc index c80e56c9fc92f..86d32d5e63222 100644 --- a/source/extensions/filters/http/match_delegate/config.cc +++ b/source/extensions/filters/http/match_delegate/config.cc @@ -24,10 +24,10 @@ class SkipActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "skip"; } - Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, - Envoy::Http::Matching::HttpFilterActionContext&, - ProtobufMessage::ValidationVisitor&) override { - return std::make_shared(); + Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, + Envoy::Http::Matching::HttpFilterActionContext&, + ProtobufMessage::ValidationVisitor&) override { + return []() { return std::make_unique(); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -120,8 +120,8 @@ void DelegatingStreamFilter::FilterMatchState::evaluateMatchTree( match_tree_evaluated_ = match_result.isComplete(); if (match_tree_evaluated_ && match_result.isMatch()) { - const auto& result = match_result.action(); - if (result == nullptr || SkipAction().typeUrl() == result->typeUrl()) { + const Matcher::ActionPtr result = match_result.action(); + if ((result == nullptr) || (SkipAction().typeUrl() == result->typeUrl())) { skip_filter_ = true; } else { ASSERT(base_filter_ != nullptr); diff --git a/source/extensions/filters/http/proto_api_scrubber/filter_config.h b/source/extensions/filters/http/proto_api_scrubber/filter_config.h index 6fa6245a78683..bb246bfcb8224 100644 --- a/source/extensions/filters/http/proto_api_scrubber/filter_config.h +++ b/source/extensions/filters/http/proto_api_scrubber/filter_config.h @@ -118,10 +118,10 @@ class RemoveFieldAction : public Matcher::ActionBase { public: - Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, - ProtoApiScrubberRemoveFieldAction&, - ProtobufMessage::ValidationVisitor&) override { - return std::make_shared(); + Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, + ProtoApiScrubberRemoveFieldAction&, + ProtobufMessage::ValidationVisitor&) override { + return []() { return std::make_unique(); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { diff --git a/source/extensions/filters/http/rate_limit_quota/filter.cc b/source/extensions/filters/http/rate_limit_quota/filter.cc index cb297c5d0dd90..34c74d7e4a6e6 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.cc +++ b/source/extensions/filters/http/rate_limit_quota/filter.cc @@ -56,9 +56,8 @@ inline Envoy::Http::Code getDenyResponseCode(const DenyResponseSettings& setting inline std::function addDenyResponseHeadersCb(const DenyResponseSettings& settings) { - if (settings.response_headers_to_add().empty()) { + if (settings.response_headers_to_add().empty()) return nullptr; - } // Headers copied from settings for thread-safety. return [headers_to_add = settings.response_headers_to_add()](Http::ResponseHeaderMap& headers) { for (const envoy::config::core::v3::HeaderValueOption& header : headers_to_add) { @@ -80,7 +79,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade bool end_stream) { ENVOY_LOG(trace, "decodeHeaders: end_stream = {}", end_stream); // First, perform the request matching. - absl::StatusOr match_result = requestMatching(headers); + absl::StatusOr match_result = requestMatching(headers); if (!match_result.ok()) { // When the request is not matched by any matchers, it is ALLOWED by default // (i.e., fail-open) and its quota usage will not be reported to RLQS @@ -185,7 +184,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade // TODO(tyxia) Currently request matching is only performed on the request // header. -absl::StatusOr +absl::StatusOr RateLimitQuotaFilter::requestMatching(const Http::RequestHeaderMap& headers) { // Initialize the data pointer on first use and reuse it for subsequent // requests. This avoids creating the data object for every request, which @@ -216,7 +215,7 @@ RateLimitQuotaFilter::requestMatching(const Http::RequestHeaderMap& headers) { return absl::NotFoundError("Matching completed but no match result was found."); } // Return the matched result for `on_match` case. - return match_result.actionByMove(); + return match_result.action(); } void RateLimitQuotaFilter::onDestroy() { diff --git a/source/extensions/filters/http/rate_limit_quota/filter.h b/source/extensions/filters/http/rate_limit_quota/filter.h index 2920594c5d5f3..dcaf8b45a8d51 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.h +++ b/source/extensions/filters/http/rate_limit_quota/filter.h @@ -65,8 +65,7 @@ class RateLimitQuotaFilter : public Http::PassThroughFilter, // Perform request matching. It returns the generated bucket ids if the // matching succeeded, error status otherwise. - absl::StatusOr - requestMatching(const Http::RequestHeaderMap& headers); + absl::StatusOr requestMatching(const Http::RequestHeaderMap& headers); Http::Matching::HttpMatchingDataImpl matchingData() { ASSERT(data_ptr_ != nullptr); diff --git a/source/extensions/filters/http/rate_limit_quota/matcher.h b/source/extensions/filters/http/rate_limit_quota/matcher.h index ee6fc0a21bdc1..38eb7ee3921c7 100644 --- a/source/extensions/filters/http/rate_limit_quota/matcher.h +++ b/source/extensions/filters/http/rate_limit_quota/matcher.h @@ -51,15 +51,17 @@ class RateLimitOnMatchActionFactory : public Matcher::ActionFactory(config, validation_visitor); - return std::make_shared(std::move(bucket_settings)); + return [bucket_settings = std::move(bucket_settings)]() { + return std::make_unique(std::move(bucket_settings)); + }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { diff --git a/source/extensions/filters/network/generic_proxy/route_impl.cc b/source/extensions/filters/network/generic_proxy/route_impl.cc index d70a3a99fc9d6..60fd548e078f3 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.cc +++ b/source/extensions/filters/network/generic_proxy/route_impl.cc @@ -61,12 +61,13 @@ RouteEntryImpl::RouteEntryImpl(const ProtoRouteAction& route_action, } } -Matcher::ActionConstSharedPtr -RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( + const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_action = MessageUtil::downcastAndValidate(config, validation_visitor); - return std::make_shared(route_action, context.factory_context); + auto route = std::make_shared(route_action, context.factory_context); + return [route]() { return std::make_unique(route); }; } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); @@ -91,12 +92,15 @@ RouteEntryConstSharedPtr VirtualHostImpl::routeEntry(const MatchInput& request) Matcher::MatchResult match_result = Matcher::evaluateMatch(*matcher_, request); if (match_result.isMatch()) { - Matcher::ActionConstSharedPtr action = match_result.actionByMove(); + Matcher::ActionPtr action = match_result.action(); + // The only possible action that can be used within the route matching context // is the RouteMatchAction, so this must be true. - ASSERT(action->typeUrl() == RouteEntryImpl::staticTypeUrl()); - ASSERT(dynamic_cast(action.get())); - return std::dynamic_pointer_cast(std::move(action)); + ASSERT(action->typeUrl() == RouteMatchAction::staticTypeUrl()); + ASSERT(dynamic_cast(action.get())); + const RouteMatchAction& route_action = static_cast(*action); + + return route_action.route(); } ENVOY_LOG(debug, "failed to match incoming request: {}", diff --git a/source/extensions/filters/network/generic_proxy/route_impl.h b/source/extensions/filters/network/generic_proxy/route_impl.h index ef81c9818d7a3..62118b8856f6e 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.h +++ b/source/extensions/filters/network/generic_proxy/route_impl.h @@ -32,7 +32,7 @@ using ProtoRouteConfiguration = using ProtoVirtualHost = envoy::extensions::filters::network::generic_proxy::v3::VirtualHost; using ProtoRetryPolicy = envoy::config::core::v3::RetryPolicy; -class RouteEntryImpl : public RouteEntry, public Matcher::ActionBase { +class RouteEntryImpl : public RouteEntry { public: RouteEntryImpl(const ProtoRouteAction& route, Envoy::Server::Configuration::ServerFactoryContext& context); @@ -76,6 +76,17 @@ struct RouteActionContext { Server::Configuration::ServerFactoryContext& factory_context; }; +// Action used with the matching tree to specify route to use for an incoming stream. +class RouteMatchAction : public Matcher::ActionBase { +public: + explicit RouteMatchAction(RouteEntryConstSharedPtr route) : route_(std::move(route)) {} + + RouteEntryConstSharedPtr route() const { return route_; } + +private: + RouteEntryConstSharedPtr route_; +}; + class RouteActionValidationVisitor : public Matcher::MatchTreeValidationVisitor { public: absl::Status performDataInputValidation(const Matcher::DataInputFactory&, @@ -87,9 +98,9 @@ class RouteActionValidationVisitor : public Matcher::MatchTreeValidationVisitor< // Registered factory for RouteMatchAction. class RouteMatchActionFactory : public Matcher::ActionFactory { public: - Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "envoy.matching.action.generic_proxy.route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/network/match_delegate/config.cc b/source/extensions/filters/network/match_delegate/config.cc index adfa6938a7e8f..b176034ad65ff 100644 --- a/source/extensions/filters/network/match_delegate/config.cc +++ b/source/extensions/filters/network/match_delegate/config.cc @@ -18,9 +18,10 @@ namespace Factory { class SkipActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "skip"; } - Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, NetworkFilterActionContext&, - ProtobufMessage::ValidationVisitor&) override { - return std::make_shared(); + Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, + NetworkFilterActionContext&, + ProtobufMessage::ValidationVisitor&) override { + return []() { return std::make_unique(); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -106,8 +107,8 @@ void DelegatingNetworkFilter::FilterMatchState::evaluateMatchTree() { match_tree_evaluated_ = match_result.isComplete(); if (match_tree_evaluated_ && match_result.isMatch()) { - const auto& result = match_result.action(); - if (result == nullptr || SkipAction().typeUrl() == result->typeUrl()) { + const Matcher::ActionPtr result = match_result.action(); + if ((result == nullptr) || (SkipAction().typeUrl() == result->typeUrl())) { skip_filter_ = true; } else { // TODO(botengyao) this would be similar to `base_filter_->onMatchCallback(*result);` @@ -191,7 +192,7 @@ Envoy::Network::FilterFactoryCb MatchDelegateConfig::createFilterFactory( auto message = Config::Utility::translateAnyToFactoryConfig( proto_config.extension_config().typed_config(), validation, factory); auto filter_factory_or_error = factory.createFilterFactoryFromProto(*message, context); - THROW_IF_NOT_OK_REF(filter_factory_or_error.status()); + THROW_IF_NOT_OK(filter_factory_or_error.status()); auto filter_factory = filter_factory_or_error.value(); Factory::MatchTreeValidationVisitor validation_visitor(*factory.matchingRequirements()); diff --git a/source/extensions/filters/udp/udp_proxy/router/router_impl.cc b/source/extensions/filters/udp/udp_proxy/router/router_impl.cc index 8ab3a80a569b1..0fa2a904e1e5b 100644 --- a/source/extensions/filters/udp/udp_proxy/router/router_impl.cc +++ b/source/extensions/filters/udp/udp_proxy/router/router_impl.cc @@ -15,16 +15,17 @@ namespace UdpFilters { namespace UdpProxy { namespace Router { -Matcher::ActionConstSharedPtr -RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( + const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate< const envoy::extensions::filters::udp::udp_proxy::v3::Route&>(config, validation_visitor); const auto& cluster = route_config.cluster(); // Emplace cluster names to context to get all cluster names. context.cluster_name_.emplace(cluster); - return std::make_shared(cluster); + + return [cluster]() { return std::make_unique(cluster); }; } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); diff --git a/source/extensions/filters/udp/udp_proxy/router/router_impl.h b/source/extensions/filters/udp/udp_proxy/router/router_impl.h index 04bb887fde713..f506778db6af2 100644 --- a/source/extensions/filters/udp/udp_proxy/router/router_impl.h +++ b/source/extensions/filters/udp/udp_proxy/router/router_impl.h @@ -32,9 +32,9 @@ class RouteMatchAction class RouteMatchActionFactory : public Matcher::ActionFactory { public: - Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/matching/actions/format_string/config.cc b/source/extensions/matching/actions/format_string/config.cc index 9476c572ecee7..962082481b1f3 100644 --- a/source/extensions/matching/actions/format_string/config.cc +++ b/source/extensions/matching/actions/format_string/config.cc @@ -23,10 +23,10 @@ ActionImpl::get(const Server::Configuration::FilterChainsByName& filter_chains_b return nullptr; } -Matcher::ActionConstSharedPtr -ActionFactory::createAction(const Protobuf::Message& proto_config, - FilterChainActionFactoryContext& context, - ProtobufMessage::ValidationVisitor& validator) { +Matcher::ActionFactoryCb +ActionFactory::createActionFactoryCb(const Protobuf::Message& proto_config, + FilterChainActionFactoryContext& context, + ProtobufMessage::ValidationVisitor& validator) { const auto& config = MessageUtil::downcastAndValidate( proto_config, validator); @@ -35,7 +35,7 @@ ActionFactory::createAction(const Protobuf::Message& proto_config, Formatter::FormatterConstSharedPtr formatter = THROW_OR_RETURN_VALUE( Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, generic_context), Formatter::FormatterPtr); - return std::make_shared(std::move(formatter)); + return [formatter]() { return std::make_unique(formatter); }; } REGISTER_FACTORY(ActionFactory, Matcher::ActionFactory); diff --git a/source/extensions/matching/actions/format_string/config.h b/source/extensions/matching/actions/format_string/config.h index 0b893e2903031..359490c375238 100644 --- a/source/extensions/matching/actions/format_string/config.h +++ b/source/extensions/matching/actions/format_string/config.h @@ -17,7 +17,7 @@ namespace FormatString { class ActionImpl : public Matcher::ActionBase { public: - ActionImpl(Formatter::FormatterConstSharedPtr formatter) : formatter_(std::move(formatter)) {} + ActionImpl(const Formatter::FormatterConstSharedPtr& formatter) : formatter_(formatter) {} const Network::FilterChain* get(const Server::Configuration::FilterChainsByName& filter_chains_by_name, const StreamInfo::StreamInfo& info) const override; @@ -30,9 +30,10 @@ using FilterChainActionFactoryContext = Server::Configuration::ServerFactoryCont class ActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "envoy.matching.actions.format_string"; } - Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& proto_config, FilterChainActionFactoryContext& context, - ProtobufMessage::ValidationVisitor& validator) override; + Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& proto_config, + FilterChainActionFactoryContext& context, + ProtobufMessage::ValidationVisitor& validator) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); } diff --git a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc index 8553f75f0cde9..70d35193631e2 100644 --- a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc +++ b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc @@ -10,12 +10,14 @@ namespace Extensions { namespace Router { namespace Matcher { -Envoy::Matcher::ActionConstSharedPtr -ClusterActionFactory::createAction(const Protobuf::Message& config, ClusterActionContext&, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Envoy::Matcher::ActionFactoryCb ClusterActionFactory::createActionFactoryCb( + const Protobuf::Message& config, ClusterActionContext&, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& proto_config = MessageUtil::downcastAndValidate(config, validation_visitor); - return std::make_shared(proto_config.cluster()); + auto cluster = std::make_shared(proto_config.cluster()); + + return [cluster]() { return std::make_unique(cluster); }; } REGISTER_FACTORY(ClusterActionFactory, Envoy::Matcher::ActionFactory); @@ -41,7 +43,9 @@ class MatcherRouteEntry : public Envoy::Router::DelegatingRouteEntry { if (!match_result.isMatch()) { return; } - cluster_name_.emplace(match_result.action()->getTyped().cluster()); + + const Envoy::Matcher::ActionPtr result = match_result.action(); + cluster_name_.emplace(result->getTyped().cluster()); } private: diff --git a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h index 88e7746cea02b..52562d728cb0f 100644 --- a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h +++ b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h @@ -26,21 +26,21 @@ struct ClusterActionContext {}; */ class ClusterAction : public Envoy::Matcher::ActionBase { public: - explicit ClusterAction(absl::string_view cluster) : cluster_(cluster) {} + explicit ClusterAction(std::shared_ptr cluster) : cluster_(cluster) {} - const std::string& cluster() const { return cluster_; } + const std::string& cluster() const { return *cluster_; } private: - const std::string cluster_; + const std::shared_ptr cluster_; }; // Registered factory for ClusterAction. This factory will be used to load proto configuration // from opaque config. class ClusterActionFactory : public Envoy::Matcher::ActionFactory { public: - Envoy::Matcher::ActionConstSharedPtr - createAction(const Protobuf::Message& config, ClusterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Envoy::Matcher::ActionFactoryCb + createActionFactoryCb(const Protobuf::Message& config, ClusterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "cluster"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/test/common/matcher/exact_map_matcher_test.cc b/test/common/matcher/exact_map_matcher_test.cc index 2dc71b5e0c4c1..b635a25b3bf93 100644 --- a/test/common/matcher/exact_map_matcher_test.cc +++ b/test/common/matcher/exact_map_matcher_test.cc @@ -109,7 +109,7 @@ TEST(ExactMapMatcherTest, RecursiveMatching) { std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "match"}), stringOnMatch("no_match")); - matcher->addChild("match", OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher, + matcher->addChild("match", OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher, /*.keep_matching=*/false}); TestData data; @@ -127,7 +127,7 @@ TEST(ExactMapMatcherTest, RecursiveMatchingOnNoMatch) { std::unique_ptr> matcher = *ExactMapMatcher::create( std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "blah"}), - OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher, + OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher, /*.keep_matching=*/false}); matcher->addChild("match", stringOnMatch("match")); @@ -156,14 +156,14 @@ TEST(ExactMapMatcherTest, RecursiveMatchingWithKeepMatching) { std::unique_ptr> matcher = *ExactMapMatcher::create( std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "match"}), - OnMatch{/*.action_=*/nullptr, /*.matcher=*/top_on_no_match_matcher, + OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/top_on_no_match_matcher, /*.keep_matching=*/false}); - matcher->addChild("match", OnMatch{/*.action_=*/nullptr, + matcher->addChild("match", OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_match_keeps_matching, /*.keep_matching=*/true}); - std::vector skipped_results{}; - SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionConstSharedPtr& cb) { + std::vector skipped_results{}; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; TestData data; diff --git a/test/common/matcher/list_matcher_test.cc b/test/common/matcher/list_matcher_test.cc index aa83f429e4bae..42246922f1ccd 100644 --- a/test/common/matcher/list_matcher_test.cc +++ b/test/common/matcher/list_matcher_test.cc @@ -40,8 +40,8 @@ TEST(ListMatcherTest, KeepMatching) { matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), stringOnMatch("matched", /*keep_matching=*/false)); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; auto result = matcher.match(TestData(), skipped_match_cb); @@ -56,8 +56,8 @@ TEST(ListMatcherTest, KeepMatchingOnNoMatch) { matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), stringOnMatch("keep matching 2", /*keep_matching=*/true)); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionFactoryCb cb) { skipped_results.push_back(cb); }; auto result = matcher.match(TestData(), skipped_match_cb); @@ -84,17 +84,17 @@ TEST(ListMatcherTest, KeepMatchingWithRecursion) { Envoy::Matcher::ListMatcher matcher(stringOnMatch("top_level on_no_match")); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_1, + OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_1, /*.keep_matching=*/false}); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_2, + OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_2, /*.keep_matching=*/true}); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_3, + OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_3, /*.keep_matching=*/false}); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; MatchResult result = matcher.match(TestData(), skipped_match_cb); @@ -120,17 +120,17 @@ TEST(ListMatcherTest, KeepMatchingWithRecursiveOnNoMatch) { stringOnMatch("on_no_match sub match", /*keep_matching=*/true)); Envoy::Matcher::ListMatcher matcher( - OnMatch{/*action_=*/nullptr, + OnMatch{/*action_cb=*/nullptr, /*matcher=*/on_no_match_sub_matcher, /*keep_matching=*/false}); matcher.addMatcher( createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*action_=*/nullptr, /*matcher=*/sub_matcher_1, /*keep_matching=*/true}); + OnMatch{/*action_cb=*/nullptr, /*matcher=*/sub_matcher_1, /*keep_matching=*/true}); matcher.addMatcher( createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*action_=*/nullptr, /*matcher=*/sub_matcher_2, /*keep_matching=*/false}); + OnMatch{/*action_cb=*/nullptr, /*matcher=*/sub_matcher_2, /*keep_matching=*/false}); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; MatchResult result = matcher.match(TestData(), skipped_match_cb); diff --git a/test/common/matcher/matcher_test.cc b/test/common/matcher/matcher_test.cc index 09b31e650f582..d4072671da910 100644 --- a/test/common/matcher/matcher_test.cc +++ b/test/common/matcher/matcher_test.cc @@ -907,8 +907,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingSupportInEvaluation) { validation_visitor_.setSupportKeepMatching(true); std::shared_ptr> matcher = createMatcherFromYaml(yaml)(); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; const auto result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1020,8 +1020,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithRecursiveMatcher) { // Expect the nested matchers with keep_matching to be skipped and also the top-level // keep_matching setting to skip the result of the first sub-matcher. - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1056,8 +1056,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithUnsupportedReentry) { validation_visitor_.setSupportKeepMatching(true); std::shared_ptr> matcher = createMatcherFromYaml(yaml)(); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1130,12 +1130,12 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithFailingNestedMatcher) { stringOnMatch("fail")); matcher->addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_=*/nullptr, /*.matcher=*/nested_matcher, + OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/nested_matcher, /*.keep_matching=*/true}); // Expect re-entry to fail due to the nested matcher. - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); diff --git a/test/common/matcher/test_utility.h b/test/common/matcher/test_utility.h index 7eeec55e96897..808decee787bc 100644 --- a/test/common/matcher/test_utility.h +++ b/test/common/matcher/test_utility.h @@ -162,10 +162,10 @@ struct StringAction : public ActionBase { // Factory for StringAction. class StringActionFactory : public ActionFactory { public: - ActionConstSharedPtr createAction(const Protobuf::Message& config, absl::string_view&, - ProtobufMessage::ValidationVisitor&) override { + ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, absl::string_view&, + ProtobufMessage::ValidationVisitor&) override { const auto& string = dynamic_cast(config); - return std::make_shared(string.value()); + return [string]() { return std::make_unique(string.value()); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { @@ -273,9 +273,14 @@ void PrintTo(const FieldMatchResult& result, std::ostream* os) { } } +// Creates a StringAction from a provided string. +std::unique_ptr stringValue(absl::string_view value) { + return std::make_unique(std::string(value)); +} + // Creates an OnMatch that evaluates to a StringValue with the provided value. template OnMatch stringOnMatch(absl::string_view value, bool keep_matching = false) { - return OnMatch{std::make_shared(std::string(value)), nullptr, keep_matching}; + return OnMatch{[s = std::string(value)]() { return stringValue(s); }, nullptr, keep_matching}; } inline void PrintTo(const Action& action, std::ostream* os) { @@ -286,14 +291,23 @@ inline void PrintTo(const Action& action, std::ostream* os) { *os << "{type=" << action.typeUrl() << "}"; } +inline void PrintTo(const ActionFactoryCb& action_cb, std::ostream* os) { + if (action_cb == nullptr) { + *os << "nullptr"; + return; + } + ActionPtr action = action_cb(); + PrintTo(*action, os); +} + inline void PrintTo(const MatchResult& result, std::ostream* os) { if (result.isInsufficientData()) { *os << "InsufficientData"; } else if (result.isNoMatch()) { *os << "NoMatch"; } else if (result.isMatch()) { - *os << "Match{Action="; - PrintTo(*result.action(), os); + *os << "Match{ActionFactoryCb="; + PrintTo(result.actionFactory(), os); *os << "}"; } else { *os << "UnknownState"; @@ -305,9 +319,9 @@ inline void PrintTo(const MatchTree& matcher, std::ostream* os) { } inline void PrintTo(const OnMatch& on_match, std::ostream* os) { - if (on_match.action_) { - *os << "{action_="; - PrintTo(on_match.action_, os); + if (on_match.action_cb_) { + *os << "{action_cb_="; + PrintTo(on_match.action_cb_, os); *os << "}"; } else if (on_match.matcher_) { *os << "{matcher_="; @@ -325,25 +339,26 @@ MATCHER(HasInsufficientData, "") { } MATCHER_P(IsActionWithType, matcher, "") { - // Takes an ActionConstSharedPtr argument, and compares its action type against matcher. + // Takes an ActionFactoryCb argument, and compares its action type against matcher. if (arg == nullptr) { return false; } - return ::testing::ExplainMatchResult(testing::Matcher(matcher), arg->typeUrl(), - result_listener); + ActionPtr action = arg(); + return ::testing::ExplainMatchResult(testing::Matcher(matcher), + action->typeUrl(), result_listener); } MATCHER_P(IsStringAction, matcher, "") { - // Takes an ActionConstSharedPtr argument, and compares its StringAction's string against matcher. + // Takes an ActionFactoryCb argument, and compares its StringAction's string against matcher. if (arg == nullptr) { return false; } - - if (arg->typeUrl() != "google.protobuf.StringValue") { + ActionPtr action = arg(); + if (action->typeUrl() != "google.protobuf.StringValue") { return false; } return ::testing::ExplainMatchResult(testing::Matcher(matcher), - arg->template getTyped().string_, + action->template getTyped().string_, result_listener); } @@ -353,7 +368,8 @@ MATCHER_P(HasStringAction, matcher, "") { if (!arg.isMatch()) { return false; } - return ::testing::ExplainMatchResult(IsStringAction(matcher), arg.action(), result_listener); + return ::testing::ExplainMatchResult(IsStringAction(matcher), arg.actionFactory(), + result_listener); } MATCHER_P(HasActionWithType, matcher, "") { @@ -362,7 +378,8 @@ MATCHER_P(HasActionWithType, matcher, "") { if (!arg.isMatch()) { return false; } - return ::testing::ExplainMatchResult(IsActionWithType(matcher), arg.action(), result_listener); + return ::testing::ExplainMatchResult(IsActionWithType(matcher), arg.actionFactory(), + result_listener); } MATCHER(HasNoMatch, "") { diff --git a/test/extensions/common/matcher/domain_matcher_test.cc b/test/extensions/common/matcher/domain_matcher_test.cc index 20e57359201d7..1ea833d294e1c 100644 --- a/test/extensions/common/matcher/domain_matcher_test.cc +++ b/test/extensions/common/matcher/domain_matcher_test.cc @@ -38,6 +38,7 @@ using ::Envoy::Matcher::MatchResult; using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; using ::Envoy::Matcher::SkippedMatchCb; +using ::Envoy::Matcher::StringAction; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; @@ -624,8 +625,8 @@ TEST_F(DomainMatcherTest, KeepMatchingSupport) { loadConfig(yaml); validation_visitor_.setSupportKeepMatching(true); - std::vector skipped_results; - skipped_match_cb_ = [&skipped_results](const Envoy::Matcher::ActionConstSharedPtr& cb) { + std::vector skipped_results; + skipped_match_cb_ = [&skipped_results](Envoy::Matcher::ActionFactoryCb cb) { skipped_results.push_back(cb); }; diff --git a/test/extensions/common/matcher/trie_matcher_test.cc b/test/extensions/common/matcher/trie_matcher_test.cc index d7a4536b5fba9..02f40777e9db2 100644 --- a/test/extensions/common/matcher/trie_matcher_test.cc +++ b/test/extensions/common/matcher/trie_matcher_test.cc @@ -27,8 +27,8 @@ namespace Common { namespace Matcher { namespace { -using ::Envoy::Matcher::ActionConstSharedPtr; using ::Envoy::Matcher::ActionFactory; +using ::Envoy::Matcher::ActionFactoryCb; using ::Envoy::Matcher::CustomMatcherFactory; using ::Envoy::Matcher::DataInputGetResult; using ::Envoy::Matcher::HasInsufficientData; @@ -36,10 +36,12 @@ using ::Envoy::Matcher::HasNoMatch; using ::Envoy::Matcher::HasStringAction; using ::Envoy::Matcher::IsStringAction; using ::Envoy::Matcher::MatchResult; +using ::Envoy::Matcher::MatchTree; using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MatchTreePtr; using ::Envoy::Matcher::MatchTreeSharedPtr; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; +using ::Envoy::Matcher::StringAction; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; @@ -602,10 +604,8 @@ TEST_F(TrieMatcherTest, ExerciseKeepMatching) { // Skip baz because the nested matcher is set with keep_matching. // Skip bag because the nested matcher returns on_no_match, but the top-level matcher is set to // keep_matching. - std::vector skipped_results{}; - skipped_match_cb_ = [&skipped_results](const ActionConstSharedPtr& cb) { - skipped_results.push_back(cb); - }; + std::vector skipped_results{}; + skipped_match_cb_ = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; auto input = TestDataInputStringFactory("192.101.0.1"); auto nested = TestDataInputBoolFactory("baz"); diff --git a/test/extensions/filters/http/composite/filter_test.cc b/test/extensions/filters/http/composite/filter_test.cc index 03ecafba79106..d37bd319eae93 100644 --- a/test/extensions/filters/http/composite/filter_test.cc +++ b/test/extensions/filters/http/composite/filter_test.cc @@ -86,8 +86,6 @@ class CompositeFilterTest : public ::testing::Test { EXPECT_TRUE(MessageDifferencer::Equals(expected, *(info->serializeAsProto()))); } - testing::NiceMock context_; - testing::NiceMock decoder_callbacks_; testing::NiceMock encoder_callbacks_; Stats::MockCounter error_counter_; @@ -116,13 +114,12 @@ TEST_F(FilterTest, StreamEncoderFilterDelegation) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -146,13 +143,12 @@ TEST_F(FilterTest, StreamDecoderFilterDelegation) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamDecoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setDecoderFilterCallbacks(_)); - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -175,15 +171,14 @@ TEST_F(FilterTest, StreamFilterDelegation) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setDecoderFilterCallbacks(_)); EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); EXPECT_CALL(success_counter_, inc()); - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); filter_.onMatchCallback(action); expectFilterStateInfo(filter_state); @@ -205,13 +200,12 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamFilters) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamFilter(stream_filter); cb.addStreamFilter(stream_filter); }; - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -231,13 +225,12 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamDecoderFilters) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamDecoderFilter(decoder_filter); cb.addStreamDecoderFilter(decoder_filter); }; - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -257,13 +250,12 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamEncoderFilters) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(encode_filter); cb.addStreamEncoderFilter(encode_filter); }; - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -286,14 +278,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleAccessLoggers) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(encode_filter); cb.addAccessLogHandler(access_log_1); cb.addAccessLogHandler(access_log_2); }; - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(*encode_filter, setEncoderFilterCallbacks(_)); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -349,7 +340,8 @@ TEST(ConfigTest, TestConfig) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Error: Only one of `dynamic_config` or `typed_config` can be set."); } } @@ -379,7 +371,8 @@ TEST(ConfigTest, TestDynamicConfigInDownstream) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get downstream factory context or server factory context."); } @@ -407,7 +400,8 @@ TEST(ConfigTest, TestDynamicConfigInUpstream) { .server_factory_context_ = absl::nullopt}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get upstream factory context or server factory context."); } @@ -434,7 +428,8 @@ TEST(ConfigTest, CreateFilterFromServerContextDual) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "DualFactoryBase: creating filter factory from server factory context is not supported"); } @@ -461,7 +456,8 @@ TEST(ConfigTest, DualFilterNoUpstreamFactoryContext) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get upstream filter factory creation function"); } @@ -486,7 +482,8 @@ TEST(ConfigTest, DownstreamFilterNoFactoryContext) { .server_factory_context_ = absl::nullopt}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get downstream filter factory creation function"); } @@ -513,7 +510,8 @@ TEST(ConfigTest, TestDownstreamFilterNoOverridingServerContext) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), + factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Creating filter factory from server factory context is not supported"); } @@ -528,23 +526,12 @@ TEST(ConfigTest, TestSamplePercentNotSpecifiedl) { http_status: 503 )EOF"; + testing::NiceMock server_factory_context; + NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); - - testing::NiceMock server_factory_context; - testing::NiceMock factory_context; - testing::NiceMock upstream_factory_context; - Envoy::Http::Matching::HttpFilterActionContext action_context{ - .is_downstream_ = true, - .stat_prefix_ = "test", - .factory_context_ = absl::nullopt, - .upstream_factory_context_ = absl::nullopt, - .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); - - EXPECT_FALSE(action->getTyped().actionSkip()); + EXPECT_TRUE(factory.isSampled(config, runtime)); } // Config test to check if sample_percent config is in place and feature enabled. @@ -562,27 +549,15 @@ TEST(ConfigTest, TestSamplePercentInPlaceFeatureEnabled) { denominator: HUNDRED )EOF"; + testing::NiceMock server_factory_context; + NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); - - testing::NiceMock server_factory_context; - testing::NiceMock factory_context; - testing::NiceMock upstream_factory_context; - Envoy::Http::Matching::HttpFilterActionContext action_context{ - .is_downstream_ = true, - .stat_prefix_ = "test", - .factory_context_ = absl::nullopt, - .upstream_factory_context_ = absl::nullopt, - .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); - - EXPECT_CALL(server_factory_context.runtime_loader_.snapshot_, + EXPECT_CALL(runtime.snapshot_, featureEnabled(_, testing::A())) .WillOnce(testing::Return(true)); - - EXPECT_FALSE(action->getTyped().actionSkip()); + EXPECT_TRUE(factory.isSampled(config, runtime)); } // Config test to check if sample_percent config is in place and feature not enabled. @@ -595,32 +570,18 @@ TEST(ConfigTest, TestSamplePercentInPlaceFeatureNotEnabled) { abort: http_status: 503 sample_percent: - default_value: - numerator: 30 - denominator: HUNDRED + runtime_key: )EOF"; + testing::NiceMock server_factory_context; + NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); - - testing::NiceMock server_factory_context; - testing::NiceMock factory_context; - testing::NiceMock upstream_factory_context; - Envoy::Http::Matching::HttpFilterActionContext action_context{ - .is_downstream_ = true, - .stat_prefix_ = "test", - .factory_context_ = absl::nullopt, - .upstream_factory_context_ = absl::nullopt, - .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); - - EXPECT_CALL(server_factory_context.runtime_loader_.snapshot_, + EXPECT_CALL(runtime.snapshot_, featureEnabled(_, testing::A())) .WillOnce(testing::Return(false)); - - EXPECT_TRUE(action->getTyped().actionSkip()); + EXPECT_FALSE(factory.isSampled(config, runtime)); } TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForDynamicConfig) { @@ -647,8 +608,8 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForDynamicConf .upstream_factory_context_ = upstream_factory_context, .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + auto action = factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor())(); EXPECT_EQ("actionName", action->getTyped().actionName()); } @@ -678,8 +639,8 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForTypedConfig .upstream_factory_context_ = upstream_factory_context, .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = - factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + auto action = factory.createActionFactoryCb(config, action_context, + ProtobufMessage::getStrictValidationVisitor())(); EXPECT_EQ("actionName", action->getTyped().actionName()); } @@ -697,13 +658,12 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingAction) { StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::FilterChain); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -728,13 +688,12 @@ TEST_F(FilterTest, MatchingActionShouldNotCollitionWithOtherRootFilter) { StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::FilterChain); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -765,13 +724,12 @@ TEST_F(UpstreamFilterTest, StreamEncoderFilterDelegationUpstream) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, - "actionName", absl::nullopt, context_.runtime_loader_); + ExecuteFilterAction action(factory_callback, "actionName"); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); diff --git a/test/extensions/filters/http/match_delegate/config_test.cc b/test/extensions/filters/http/match_delegate/config_test.cc index 2e032c3953952..0b63d20d77450 100644 --- a/test/extensions/filters/http/match_delegate/config_test.cc +++ b/test/extensions/filters/http/match_delegate/config_test.cc @@ -302,7 +302,7 @@ createMatchingTree(const std::string& name, const std::string& value) { std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - std::make_shared(), nullptr, false}); + []() { return std::make_unique(); }, nullptr, false}); return tree; } @@ -315,7 +315,7 @@ Matcher::MatchTreeSharedPtr createRequestAndRespo tree->addChild( "match", Matcher::OnMatch{ - std::make_shared(), + []() { return std::make_unique(); }, createMatchingTree( "match-header", "match"), false}); @@ -369,11 +369,13 @@ template Matcher::MatchTreeSharedPtr createMatchTreeWithOnNoMatch(const std::string& name, const std::string& value) { auto tree = *Matcher::ExactMapMatcher::create( - std::make_unique(name), Matcher::OnMatch{ - std::make_shared(), nullptr, false}); + std::make_unique(name), + Matcher::OnMatch{ + []() { return std::make_unique(); }, nullptr, false}); // No action is set on match. i.e., nullptr action factory cb. - tree->addChild(value, Matcher::OnMatch{nullptr, nullptr, false}); + tree->addChild(value, Matcher::OnMatch{[]() { return nullptr; }, + nullptr, false}); return tree; } diff --git a/test/extensions/filters/http/rate_limit_quota/filter_test.cc b/test/extensions/filters/http/rate_limit_quota/filter_test.cc index 20b860a1a3704..96cdd58b18195 100644 --- a/test/extensions/filters/http/rate_limit_quota/filter_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/filter_test.cc @@ -150,7 +150,7 @@ class FilterTest : public testing::Test { ASSERT_TRUE(match_result.ok()); // Retrieve the matched action. const RateLimitOnMatchAction* match_action = - dynamic_cast(match_result.value().get()); + dynamic_cast(match_result.value().get()); RateLimitQuotaValidationVisitor visitor = {}; // Generate the bucket ids. @@ -277,7 +277,7 @@ TEST_F(FilterTest, RequestMatchingWithInvalidOnNoMatch) { ASSERT_TRUE(match_result.ok()); // Retrieve the matched action. const RateLimitOnMatchAction* match_action = - dynamic_cast(match_result.value().get()); + dynamic_cast(match_result.value().get()); RateLimitQuotaValidationVisitor visitor = {}; // Generate the bucket ids. diff --git a/test/extensions/filters/network/generic_proxy/route_test.cc b/test/extensions/filters/network/generic_proxy/route_test.cc index 1ee03a8bdd915..56aa14d4e114b 100644 --- a/test/extensions/filters/network/generic_proxy/route_test.cc +++ b/test/extensions/filters/network/generic_proxy/route_test.cc @@ -279,6 +279,16 @@ TEST_F(RouteEntryImplTest, NullRouteSpecificConfig) { EXPECT_EQ(route_->perFilterConfig("envoy.filters.generic.mock_filter"), nullptr); }; +/** + * Test the simple route action wrapper. + */ +TEST(RouteMatchActionTest, SimpleRouteMatchActionTest) { + auto entry = std::make_shared>(); + RouteMatchAction action(entry); + + EXPECT_EQ(action.route().get(), entry.get()); +} + /** * Test the simple data input validator. */ @@ -311,11 +321,13 @@ TEST(RouteMatchActionFactoryTest, SimpleRouteMatchActionFactoryTest) { TestUtility::loadFromYaml(yaml_config, proto_config); RouteActionContext context{server_context}; - auto action = - factory.createAction(proto_config, context, server_context.messageValidationVisitor()); + auto factory_cb = factory.createActionFactoryCb(proto_config, context, + server_context.messageValidationVisitor()); + + EXPECT_EQ(factory_cb()->getTyped().route().get(), + factory_cb()->getTyped().route().get()); - EXPECT_NE(action, nullptr); - EXPECT_EQ(action->getTyped().clusterName(), "cluster_0"); + EXPECT_EQ(factory_cb()->getTyped().route()->clusterName(), "cluster_0"); } class RouteMatcherImplTest : public testing::Test { diff --git a/test/extensions/filters/network/match_delegate/config_test.cc b/test/extensions/filters/network/match_delegate/config_test.cc index fd283fb15e51c..574b886536cef 100644 --- a/test/extensions/filters/network/match_delegate/config_test.cc +++ b/test/extensions/filters/network/match_delegate/config_test.cc @@ -243,7 +243,7 @@ createMatchingTree(const std::string& name, const std::string& value) { std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - std::make_shared(), nullptr, false}); + []() { return std::make_unique(); }, nullptr, false}); return tree; } @@ -394,7 +394,7 @@ createMatchingTreeWithTestAction(const std::string& name, const std::string& val std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - std::make_shared(), nullptr, false}); + []() { return std::make_unique(); }, nullptr, false}); return tree; } diff --git a/test/extensions/matching/actions/format_string/config_test.cc b/test/extensions/matching/actions/format_string/config_test.cc index 7028674e75f2d..8bbb3027572fe 100644 --- a/test/extensions/matching/actions/format_string/config_test.cc +++ b/test/extensions/matching/actions/format_string/config_test.cc @@ -23,8 +23,10 @@ TEST(ConfigTest, TestConfig) { testing::NiceMock factory_context; ActionFactory factory; - auto action = - factory.createAction(config, factory_context, ProtobufMessage::getStrictValidationVisitor()); + auto action_cb = factory.createActionFactoryCb(config, factory_context, + ProtobufMessage::getStrictValidationVisitor()); + ASSERT_NE(nullptr, action_cb); + auto action = action_cb(); ASSERT_NE(nullptr, action); const auto& typed_action = action->getTyped(); diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index a1dc887af4abb..b419480bd4c25 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -141,7 +141,7 @@ class MockStreamCallbacks : public StreamCallbacks { class MockCodecEventCallbacks : public CodecEventCallbacks { public: MockCodecEventCallbacks(); - ~MockCodecEventCallbacks() override; + ~MockCodecEventCallbacks(); MOCK_METHOD(void, onCodecEncodeComplete, ()); MOCK_METHOD(void, onCodecLowLevelReset, ()); @@ -343,7 +343,7 @@ class MockStreamDecoderFilterCallbacks : public StreamDecoderFilterCallbacks, MOCK_METHOD(bool, shouldLoadShed, (), (const)); Buffer::InstancePtr buffer_; - std::list callbacks_; + std::list callbacks_{}; testing::NiceMock downstream_callbacks_; testing::NiceMock active_span_; testing::NiceMock tracing_config_; From 6b7268ade21191af8516d6d2d387abcd892b002e Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 23 Jul 2025 09:37:45 +0000 Subject: [PATCH 042/505] deps: Bump `com_github_wasmtime` -> 24.0.4 (#40360) fix https://app.opencve.io/cve/CVE-2025-53901 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 2572cbabb0541..1293e432c8150 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1162,11 +1162,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "wasmtime", project_desc = "A standalone runtime for WebAssembly", project_url = "https://github.com/bytecodealliance/wasmtime", - version = "24.0.2", - sha256 = "76a5eedf3d57de8a97492006cfa9c2c5eedf81ad82ba173f0615e85695cecdf7", + version = "24.0.4", + sha256 = "d714d987a50cfc7d0b384ef4720e7c757cf4f5b7df617cbf38e432a3dc6c400d", strip_prefix = "wasmtime-{version}", urls = ["https://github.com/bytecodealliance/wasmtime/archive/v{version}.tar.gz"], - release_date = "2024-11-05", + release_date = "2025-07-18", use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.wasmtime"], cpe = "cpe:2.3:a:bytecodealliance:wasmtime:*", From 55703ae40228d08e11c7ec99de9ffc4200074a9c Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 23 Jul 2025 10:20:38 +0000 Subject: [PATCH 043/505] fixes for gRPC handshake build Signed-off-by: Basundhara Chakrabarty --- .../v3/reverse_tunnel_handshake.proto | 3 - ci/Dockerfile-ntnx | 90 ++ .../cloud-envoy-grpc-enhanced.yaml | 146 ++ .../docker-compose.yaml | 4 +- .../on-prem-envoy-custom-resolver-grpc.yaml | 169 +++ .../extensions/bootstrap/reverse_tunnel/BUILD | 16 +- .../grpc_reverse_tunnel_client.cc | 30 +- .../grpc_reverse_tunnel_client.h | 37 +- .../reverse_tunnel_initiator.cc | 1193 +++++++++-------- .../reverse_tunnel/reverse_tunnel_initiator.h | 106 +- .../reverse_tunnel_acceptor_test.cc | 106 ++ 11 files changed, 1218 insertions(+), 682 deletions(-) create mode 100644 ci/Dockerfile-ntnx create mode 100644 examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml create mode 100644 examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml diff --git a/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto b/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto index bcf7d73705619..4d6b3f02b2609 100644 --- a/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto +++ b/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto @@ -212,9 +212,6 @@ message ConnectionInfo { // Configuration for gRPC client options when establishing tunnels. message ReverseTunnelGrpcConfig { - // Required: gRPC service configuration for the tunnel handshake service. - envoy.config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; - // Optional: Timeout for tunnel handshake requests. google.protobuf.Duration handshake_timeout = 2 [(validate.rules).duration = {gt: {seconds: 1} lte: {seconds: 30}}]; diff --git a/ci/Dockerfile-ntnx b/ci/Dockerfile-ntnx new file mode 100644 index 0000000000000..42b507dc5ee9f --- /dev/null +++ b/ci/Dockerfile-ntnx @@ -0,0 +1,90 @@ +ARG BUILD_OS=ubuntu +ARG BUILD_TAG=20.04 +ARG ENVOY_VRP_BASE_IMAGE=envoy + + +FROM scratch AS binary + +ARG TARGETPLATFORM +ENV TARGETPLATFORM=${TARGETPLATFORM:-linux/amd64} +ARG ENVOY_BINARY=envoy +ARG ENVOY_BINARY_SUFFIX=_stripped +ADD ${TARGETPLATFORM}/build_${ENVOY_BINARY}_release${ENVOY_BINARY_SUFFIX}/envoy* /usr/local/bin/ +ADD configs/envoyproxy_io_proxy.yaml /etc/envoy/envoy.yaml +COPY ${TARGETPLATFORM}/build_${ENVOY_BINARY}_release/schema_validator_tool /usr/local/bin/schema_validator_tool +COPY ci/docker-entrypoint.sh / + + +# STAGE: envoy +FROM ${BUILD_OS}:${BUILD_TAG} AS envoy + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update && apt-get upgrade -qq -y \ + && apt-get install -qq --no-install-recommends -y ca-certificates iproute2 iputils-ping curl wget \ + && apt-get autoremove -y -qq && apt-get clean \ + && rm -rf /tmp/* /var/tmp/* \ + && rm -rf /var/lib/apt/lists/* + +RUN mkdir -p /etc/envoy + +COPY --from=binary /usr/local/bin/envoy* /usr/local/bin/ +COPY --from=binary /etc/envoy/envoy.yaml /etc/envoy/envoy.yaml +COPY --from=binary /docker-entrypoint.sh / + +RUN adduser --group --system envoy + +EXPOSE 10000 + +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"] + + +# STAGE: envoy-distroless +# gcr.io/distroless/base-nossl-debian11:nonroot +FROM gcr.io/distroless/base-nossl-debian11:nonroot@sha256:f10e1fbf558c630a4b74a987e6c754d45bf59f9ddcefce090f6b111925996767 AS envoy-distroless + +COPY --from=binary /usr/local/bin/envoy* /usr/local/bin/ +COPY --from=binary /etc/envoy/envoy.yaml /etc/envoy/envoy.yaml + +EXPOSE 10000 + +ENTRYPOINT ["/usr/local/bin/envoy"] +CMD ["-c", "/etc/envoy/envoy.yaml"] + + +# STAGE: envoy-google-vrp +FROM ${ENVOY_VRP_BASE_IMAGE} AS envoy-google-vrp + +RUN apt-get update \ + && apt-get upgrade -y -qq \ + && apt-get install -y -qq libc++1 supervisor gdb strace tshark \ + && apt-get autoremove -y \ + && apt-get clean \ + && rm -rf /tmp/* /var/tmp/* \ + && rm -rf /var/lib/apt/lists/* + +ADD configs/google-vrp/envoy-edge.yaml /etc/envoy/envoy-edge.yaml +ADD configs/google-vrp/envoy-origin.yaml /etc/envoy/envoy-origin.yaml +ADD configs/google-vrp/launch_envoy.sh /usr/local/bin/launch_envoy.sh +ADD configs/google-vrp/supervisor.conf /etc/supervisor.conf +ADD test/config/integration/certs/serverkey.pem /etc/envoy/certs/serverkey.pem +ADD test/config/integration/certs/servercert.pem /etc/envoy/certs/servercert.pem +# ADD %local envoy bin% /usr/local/bin/envoy +RUN chmod 777 /var/log/supervisor +RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/* +RUN chmod a+rx /usr/local/bin/launch_envoy.sh + +EXPOSE 10000 +EXPOSE 10001 + +CMD ["supervisord", "-c", "/etc/supervisor.conf"] + +# STAGE: envoy-tools +FROM ${BUILD_OS}:${BUILD_TAG} AS envoy-tools + +COPY --from=binary /usr/local/bin/schema_validator_tool /usr/local/bin/ + + +# Make envoy image as last stage so it is built by default +FROM envoy \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml b/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml new file mode 100644 index 0000000000000..931c003e62b65 --- /dev/null +++ b/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml @@ -0,0 +1,146 @@ +--- +node: + id: cloud-node + cluster: cloud +static_resources: + listeners: + # Enhanced listener for both HTTP and gRPC reverse tunnel handshake requests + - name: reverse_tunnel_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_tunnel + codec_type: AUTO + route_config: + name: reverse_tunnel_route + virtual_hosts: + - name: reverse_tunnel_service + domains: ["*"] + routes: + # gRPC reverse tunnel handshake service + - match: + prefix: "/envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService" + headers: + - name: "content-type" + string_match: + exact: "application/grpc" + route: + cluster: local_service + timeout: 30s + # Legacy HTTP reverse tunnel handshake for backward compatibility + - match: + prefix: "/reverse_connections" + route: + cluster: local_service + timeout: 30s + # Generic route for other services + - match: + prefix: "/" + route: + cluster: local_service + http_filters: + # Enhanced reverse connection filter with gRPC support + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 30 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + # Enable HTTP/2 for gRPC support + http2_protocol_options: {} + + # Listener that will route the downstream request to the reverse connection cluster + - name: egress_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 8085 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: egress_http + codec_type: AUTO + route_config: + name: egress_route + virtual_hosts: + - name: reverse_service + domains: ["*"] + routes: + - match: + prefix: "/on_prem_service" + route: + cluster: reverse_connection_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Cluster used to write requests to cached sockets + clusters: + - name: reverse_connection_cluster + connect_timeout: 200s + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + # The following headers are expected in downstream requests + # to be sent over reverse connections + http_header_names: + - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node + - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + # Right the moment, reverse connections are supported over HTTP/2 only + http2_protocol_options: {} + + # Local service cluster for handling gRPC and HTTP handshake requests + - name: local_service + type: STATIC + lb_policy: ROUND_ROBIN + # Enable HTTP/2 for gRPC support + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + load_assignment: + cluster_name: local_service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + address: 0.0.0.0 + port_value: 8888 + +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 + +# Enable reverse connection bootstrap extension for upstream (acceptor) +bootstrap_extensions: +- name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/docker-compose.yaml b/examples/reverse_connection_socket_interface/docker-compose.yaml index 183448e22d5d6..a9b9642701c0d 100644 --- a/examples/reverse_connection_socket_interface/docker-compose.yaml +++ b/examples/reverse_connection_socket_interface/docker-compose.yaml @@ -13,7 +13,7 @@ services: on-prem-envoy: image: debug/envoy:latest volumes: - - ./on-prem-envoy-custom-resolver.yaml:/etc/on-prem-envoy.yaml + - ./on-prem-envoy-custom-resolver-grpc.yaml:/etc/on-prem-envoy.yaml command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface @@ -38,7 +38,7 @@ services: cloud-envoy: image: debug/envoy:latest volumes: - - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml + - ./cloud-envoy-grpc-enhanced.yaml:/etc/cloud-envoy.yaml command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml new file mode 100644 index 0000000000000..db6c1a8fb5ba0 --- /dev/null +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml @@ -0,0 +1,169 @@ +--- +node: + id: on-prem-node + cluster: on-prem + +# Enable reverse connection bootstrap extension with gRPC configuration +bootstrap_extensions: +- name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + src_cluster_id: "on-prem" + src_node_id: "on-prem-node" + src_tenant_id: "on-prem" + # gRPC handshake configuration (without grpc_service - cluster comes from listener) + grpc_service_config: + handshake_timeout: 10s + max_retries: 3 + retry_base_interval: 0.15s + retry_max_interval: 5s + initial_metadata: + - key: "x-service-version" + value: "grpc-v1" + - key: "x-envoy-node-id" + value: "on-prem-node" + +static_resources: + listeners: + # Services reverse conn APIs + - name: rev_conn_api_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9001 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: rev_conn_api + codec_type: AUTO + route_config: + name: rev_conn_api_route + virtual_hosts: [] + http_filters: + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 30 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Forwards incoming http requests to backend + - name: ingress_http_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 6060 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: ingress_http_route + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: on-prem-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Initiates reverse connections to cloud using custom resolver AND gRPC handshake + - name: reverse_conn_listener + listener_filters_timeout: 0s + listener_filters: + # Filter that responds to keepalives on reverse connection sockets + - name: envoy.filters.listener.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + ping_wait_timeout: 120 + # Use custom address with reverse connection metadata encoded in URL format + address: + socket_address: + # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem + # and remote clusters: cloud with 10 connections (gRPC will be used automatically from bootstrap config) + address: "rc://on-prem-node:on-prem:on-prem@cloud:10" + port_value: 0 + # Use custom resolver that can parse reverse connection metadata + resolver_name: "envoy.resolvers.reverse_connection" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_conn_listener + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: on-prem-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Cluster designating cloud-envoy (must support HTTP/2 for gRPC) + clusters: + - name: cloud + type: STRICT_DNS + connect_timeout: 30s + # Enable HTTP/2 for gRPC support + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + load_assignment: + cluster_name: cloud + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: cloud-envoy # Container name of cloud-envoy in docker-compose + port_value: 9000 # Port where cloud-envoy's reverse_tunnel_listener listens + + # Backend HTTP service behind onprem which + # we will access via reverse connections + - name: on-prem-service + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: on-prem-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: on-prem-service + port_value: 80 + +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 8888 + +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 \ No newline at end of file diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index ea55a4df04387..a108e08622b81 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -8,6 +8,19 @@ licenses(["notice"]) # Apache 2 envoy_extension_package() +envoy_cc_extension( + name = "reverse_connection_utility_lib", + srcs = ["reverse_connection_utility.cc"], + hdrs = ["reverse_connection_utility.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/network:connection_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + ], +) + envoy_cc_extension( name = "reverse_connection_address_lib", srcs = ["reverse_connection_address.cc"], @@ -66,7 +79,6 @@ envoy_cc_extension( "//source/common/network:default_socket_interface_lib", "//source/common/network:filter_lib", "//source/common/protobuf", - "//source/common/reverse_connection:reverse_connection_utility_lib", "//source/common/upstream:load_balancer_context_base_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", @@ -100,7 +112,7 @@ envoy_cc_extension( "//source/common/network:address_lib", "//source/common/network:default_socket_interface_lib", "//source/common/protobuf", - "//source/common/reverse_connection:reverse_connection_utility_lib", + ":reverse_connection_utility_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], alwayslink = 1, diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc index 34d2068070e16..9f7ab54745986 100644 --- a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc @@ -19,9 +19,10 @@ namespace ReverseConnection { GrpcReverseTunnelClient::GrpcReverseTunnelClient( Upstream::ClusterManager& cluster_manager, + const std::string& cluster_name, const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& config, GrpcReverseTunnelCallbacks& callbacks) - : cluster_manager_(cluster_manager), config_(config), callbacks_(callbacks), + : cluster_manager_(cluster_manager), cluster_name_(cluster_name), config_(config), callbacks_(callbacks), service_method_(Protobuf::DescriptorPool::generated_pool()->FindMethodByName( "envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService.EstablishTunnel")) { @@ -49,27 +50,32 @@ GrpcReverseTunnelClient::~GrpcReverseTunnelClient() { absl::Status GrpcReverseTunnelClient::createGrpcClient() { try { - // Verify cluster exists in cluster manager - if (!config_.has_grpc_service() || !config_.grpc_service().has_envoy_grpc()) { - return absl::InvalidArgumentError( - "Invalid gRPC service configuration - missing envoy_grpc configuration"); + // Verify cluster name is provided + if (cluster_name_.empty()) { + return absl::InvalidArgumentError("Cluster name cannot be empty for gRPC reverse tunnel handshake"); } - const std::string& cluster_name = config_.grpc_service().envoy_grpc().cluster_name(); - auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); + auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name_); if (!thread_local_cluster) { return absl::NotFoundError( - fmt::format("Cluster '{}' not found for gRPC reverse tunnel handshake", cluster_name)); + fmt::format("Cluster '{}' not found for gRPC reverse tunnel handshake", cluster_name_)); + } + + // Create a basic gRPC service config for this cluster + envoy::config::core::v3::GrpcService grpc_service; + grpc_service.mutable_envoy_grpc()->set_cluster_name(cluster_name_); + if (config_.has_handshake_timeout()) { + *grpc_service.mutable_timeout() = config_.handshake_timeout(); } // Create raw gRPC client auto result = cluster_manager_.grpcAsyncClientManager().getOrCreateRawAsyncClient( - config_.grpc_service(), thread_local_cluster->info()->statsScope(), + grpc_service, thread_local_cluster->info()->statsScope(), false); // skip_cluster_check = false if (!result.ok()) { return absl::InternalError( - fmt::format("Failed to create gRPC async client for cluster '{}': {}", cluster_name, + fmt::format("Failed to create gRPC async client for cluster '{}': {}", cluster_name_, result.status().message())); } @@ -77,7 +83,7 @@ absl::Status GrpcReverseTunnelClient::createGrpcClient() { if (!raw_client) { return absl::InternalError( - fmt::format("Failed to create gRPC async client for cluster '{}'", cluster_name)); + fmt::format("Failed to create gRPC async client for cluster '{}'", cluster_name_)); } // Create typed client from raw client @@ -85,7 +91,7 @@ absl::Status GrpcReverseTunnelClient::createGrpcClient() { Grpc::AsyncClient(raw_client); - ENVOY_LOG(debug, "Successfully created gRPC client for cluster '{}'", cluster_name); + ENVOY_LOG(debug, "Successfully created gRPC client for cluster '{}'", cluster_name_); return absl::OkStatus(); } catch (const std::exception& e) { diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h index 0926b0ee2b9d0..b502c73e08f4f 100644 --- a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h @@ -67,12 +67,14 @@ class GrpcReverseTunnelClient : public Grpc::AsyncRequestCallbacks< public Logger::Loggable { public: /** - * Constructor for GrpcReverseTunnelClient. - * @param cluster_manager the cluster manager for gRPC client creation - * @param config the gRPC configuration for the handshake service - * @param callbacks the callback interface for handshake results + * Constructor for gRPC reverse tunnel client. + * @param cluster_manager reference to the cluster manager + * @param cluster_name name of the cluster to connect to for gRPC handshake + * @param config gRPC configuration for timeouts, retries, etc. + * @param callbacks callback interface for handshake results */ GrpcReverseTunnelClient(Upstream::ClusterManager& cluster_manager, + const std::string& cluster_name, const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& config, GrpcReverseTunnelCallbacks& callbacks); @@ -97,6 +99,19 @@ class GrpcReverseTunnelClient : public Grpc::AsyncRequestCallbacks< */ void cancel(); + /** + * Build the handshake request. + * @param tenant_id the tenant identifier + * @param cluster_id the cluster identifier + * @param node_id the node identifier + * @param metadata optional custom metadata + * @return the constructed handshake request + */ + envoy::service::reverse_tunnel::v3::EstablishTunnelRequest + buildHandshakeRequest(const std::string& tenant_id, const std::string& cluster_id, + const std::string& node_id, + const absl::optional& metadata); + // Grpc::AsyncRequestCallbacks implementation void onCreateInitialMetadata(Http::RequestHeaderMap& metadata) override; void @@ -112,20 +127,8 @@ class GrpcReverseTunnelClient : public Grpc::AsyncRequestCallbacks< */ absl::Status createGrpcClient(); - /** - * Build the handshake request. - * @param tenant_id the tenant identifier - * @param cluster_id the cluster identifier - * @param node_id the node identifier - * @param metadata optional custom metadata - * @return the constructed handshake request - */ - envoy::service::reverse_tunnel::v3::EstablishTunnelRequest - buildHandshakeRequest(const std::string& tenant_id, const std::string& cluster_id, - const std::string& node_id, - const absl::optional& metadata); - Upstream::ClusterManager& cluster_manager_; + const std::string cluster_name_; const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig config_; GrpcReverseTunnelCallbacks& callbacks_; diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index c4e3ea9886942..78be8fc73546d 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -10,6 +10,9 @@ #include "envoy/network/connection.h" #include "envoy/registry/registry.h" #include "envoy/upstream/cluster_manager.h" +#include "envoy/http/async_client.h" +#include "envoy/grpc/async_client.h" +#include "envoy/tracing/tracer.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/logger.h" @@ -19,8 +22,8 @@ #include "source/common/protobuf/message_validator_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" -#include "source/common/reverse_connection/reverse_connection_utility.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" #include "google/protobuf/empty.pb.h" @@ -37,43 +40,23 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { /** * Constructor that takes ownership of the socket. */ - explicit DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, - const std::string& connection_key, - ReverseConnectionIOHandle* parent) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)), - connection_key_(connection_key), parent_(parent) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {}.", - fd_, connection_key_); + explicit DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)) { + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {}", + fd_); } ~DownstreamReverseConnectionIOHandle() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {}.", fd_); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {}", fd_); } // Network::IoHandle overrides. Api::IoCallUint64Result close() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {}.", fd_); - - // Safely notify parent of connection closure. - try { - if (parent_) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: Marking connection as closed."); - parent_->onDownstreamConnectionClosed(connection_key_); - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception notifying parent of connection closure (continuing): {}.", - e.what()); - } - + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {}", fd_); // Reset the owned socket to properly close the connection. - try { - if (owned_socket_) { - owned_socket_.reset(); - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception resetting owned socket (continuing): {}.", e.what()); + if (owned_socket_) { + owned_socket_.reset(); } - return IoSocketHandleImpl::close(); } @@ -85,10 +68,6 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { private: // The socket that this IOHandle owns and manages lifetime for. Network::ConnectionSocketPtr owned_socket_; - // Connection key for identifying this connection. - std::string connection_key_; - // Pointer to parent ReverseConnectionIOHandle. - ReverseConnectionIOHandle* parent_; }; // Forward declaration. @@ -97,20 +76,103 @@ class ReverseTunnelInitiator; /** * RCConnectionWrapper manages the lifecycle of a ClientConnectionPtr for reverse connections. - * It handles connection callbacks, sends the HTTP handshake request, and processes the response. - * This class uses HTTP requests with protobuf payloads for robust handshake communication. + * It handles connection callbacks, sends the gRPC handshake request, and processes the response. */ class RCConnectionWrapper : public Network::ConnectionCallbacks, public Event::DeferredDeletable, + public ReverseConnection::GrpcReverseTunnelCallbacks, Logger::Loggable { public: RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, - Upstream::HostDescriptionConstSharedPtr host) - : parent_(parent), connection_(std::move(connection)), host_(std::move(host)) {} + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name) + : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), + cluster_name_(cluster_name) { + + reverse_tunnel_client_ = nullptr; + const auto* grpc_config = parent.getGrpcConfig(); + if (grpc_config != nullptr) { + ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config available, creating gRPC client"); + reverse_tunnel_client_ = std::make_unique( + parent.getClusterManager(), cluster_name_, *grpc_config, *this); + } else { + ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config not available, using HTTP fallback"); + } + } ~RCConnectionWrapper() override { - ENVOY_LOG(debug, "Performing graceful connection cleanup."); - shutdown(); + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Starting safe RCConnectionWrapper destruction"); + + // Use atomic flag to prevent recursive destruction + static thread_local std::atomic destruction_in_progress{false}; + bool expected = false; + if (!destruction_in_progress.compare_exchange_strong(expected, true)) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Wrapper destruction already in progress, skipping"); + return; + } + + // RAII guard to ensure flag is reset + struct DestructionGuard { + std::atomic& flag; + DestructionGuard(std::atomic& f) : flag(f) {} + ~DestructionGuard() { flag = false; } + } guard(destruction_in_progress); + + try { + // STEP 1: Cancel gRPC client first to prevent callback access + if (reverse_tunnel_client_) { + try { + reverse_tunnel_client_->cancel(); + reverse_tunnel_client_.reset(); + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client safely canceled"); + } catch (const std::exception& e) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client cleanup exception: {}", e.what()); + } catch (...) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown gRPC client cleanup exception"); + } + } + + // STEP 2: Safely remove connection callbacks + if (connection_) { + try { + // Check if connection is still valid before accessing + auto state = connection_->state(); + + // Only remove callbacks if connection is in valid state + if (state != Network::Connection::State::Closed) { + connection_->removeConnectionCallbacks(*this); + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection callbacks safely removed"); + } + + // Don't call close() here - let Envoy's cleanup handle it + // This prevents double-close and access after free issues + connection_.reset(); + + } catch (const std::exception& e) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection cleanup exception: {}", e.what()); + // Still try to reset the connection pointer to prevent further access + try { + connection_.reset(); + } catch (...) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); + } + } catch (...) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown connection cleanup exception"); + try { + connection_.reset(); + } catch (...) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); + } + } + } + + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: RCConnectionWrapper destruction completed safely"); + + } catch (const std::exception& e) { + ENVOY_LOG(error, "DEFENSIVE CLEANUP: Top-level wrapper destruction exception: {}", e.what()); + } catch (...) { + ENVOY_LOG(error, "DEFENSIVE CLEANUP: Unknown top-level wrapper destruction exception"); + } } // Network::ConnectionCallbacks. @@ -118,13 +180,16 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, void onAboveWriteBufferHighWatermark() override {} void onBelowWriteBufferLowWatermark() override {} - // Initiate the reverse connection handshake using HTTP requests with protobuf payloads. + // ::Envoy::ReverseConnection::HandshakeCallbacks + void onHandshakeSuccess( + std::unique_ptr response) + override; + void onHandshakeFailure(Grpc::Status::GrpcStatus status, const std::string& message) override; + + // Initiate the reverse connection gRPC handshake. std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, const std::string& src_node_id); - // Handle handshake response parsing - void onData(const std::string& error); - // Clean up on failure. Use graceful shutdown. void onFailure() { ENVOY_LOG(debug, @@ -141,8 +206,14 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, ENVOY_LOG(debug, "Connection ID: {}, state: {}.", connection_->id(), static_cast(connection_->state())); + // Cancel any ongoing gRPC handshake + if (reverse_tunnel_client_) { + reverse_tunnel_client_->cancel(); + } + + // Remove callbacks first to prevent recursive calls during shutdown connection_->removeConnectionCallbacks(*this); - connection_->getSocket()->ioHandle().resetFileEvents(); + if (connection_->state() == Network::Connection::State::Open) { ENVOY_LOG(debug, "Closing open connection gracefully."); connection_->close(Network::ConnectionCloseType::FlushWrite); @@ -152,6 +223,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, ENVOY_LOG(debug, "Connection already closed."); } + // Clear the connection pointer to prevent further access connection_.reset(); ENVOY_LOG(debug, "Completed graceful shutdown."); } @@ -163,148 +235,118 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, private: /** - * Read filter that is added to each connection initiated by the RCInitiator. Upon receiving a - * response from remote envoy, the Read filter parses it and calls its parent RCConnectionWrapper - * onData(). + * Simplified read filter for HTTP fallback during gRPC migration. */ - struct ConnReadFilter : public Network::ReadFilterBaseImpl { - /** - * expected response will be something like: - * 'HTTP/1.1 200 OK\r\ncontent-length: 27\r\ncontent-type: text/plain\r\ndate: Tue, 11 Feb 2020 - * 07:37:24 GMT\r\nserver: envoy\r\n\r\nreverse connection accepted' - */ - ConnReadFilter(RCConnectionWrapper* parent) : parent_(parent) {} - // Implementation of Network::ReadFilter. + struct SimpleConnReadFilter : public Network::ReadFilterBaseImpl { + SimpleConnReadFilter(RCConnectionWrapper* parent) : parent_(parent) {} + Network::FilterStatus onData(Buffer::Instance& buffer, bool) override { if (parent_ == nullptr) { ENVOY_LOG(error, "RC Connection Manager is null. Aborting read."); return Network::FilterStatus::StopIteration; } - Network::ClientConnection* connection = parent_->getConnection(); - if (connection == nullptr) { - ENVOY_LOG(error, "Connection read filter: connection is null. Aborting read."); - return Network::FilterStatus::StopIteration; - } - - ENVOY_LOG(debug, "Connection read filter: reading data on connection ID: {}", - connection->id()); - const std::string data = buffer.toString(); - // Handle ping messages. - if (::Envoy::ReverseConnection::ReverseConnectionUtility::isPingMessage(data)) { - ENVOY_LOG(debug, "Received RPING message, using utility to echo back."); - ::Envoy::ReverseConnection::ReverseConnectionUtility::sendPingResponse( - *parent_->connection_); - buffer.drain(buffer.length()); // Consume the ping message. - return Network::FilterStatus::Continue; - } - - // Handle HTTP response parsing for handshake. - response_buffer_string_ += buffer.toString(); - ENVOY_LOG(debug, "Current response buffer: '{}'.", response_buffer_string_); - const size_t headers_end_index = response_buffer_string_.find(kDoubleCrlf); - if (headers_end_index == std::string::npos) { - ENVOY_LOG(debug, "Received {} bytes, but not all the headers.", - response_buffer_string_.length()); - return Network::FilterStatus::Continue; - } - const std::string headers_section = response_buffer_string_.substr(0, headers_end_index); - ENVOY_LOG(debug, "Headers section: '{}'", headers_section); - const std::vector& headers = StringUtil::splitToken( - headers_section, kCrlf, false /* keep_empty_string */, true /* trim_whitespace */); - ENVOY_LOG(debug, "Split into {} headers", headers.size()); - const absl::string_view content_length_str = Http::Headers::get().ContentLength.get(); - absl::string_view length_header; - for (const absl::string_view& header : headers) { - ENVOY_LOG(debug, "Header parsing - examining header: '{}'", header); - if (header.length() <= content_length_str.length()) { - continue; // Header is too short to contain Content-Length - } - if (!StringUtil::CaseInsensitiveCompare()(header.substr(0, content_length_str.length()), - content_length_str)) { - ENVOY_LOG(debug, "Header doesn't start with Content-Length."); - continue; // Header doesn't start with Content-Length - } - // Check if it's exactly "Content-Length:" followed by value. - if (header[content_length_str.length()] == ':') { - length_header = header; - break; // Found the Content-Length header. + // Look for HTTP response status line first + if (data.find("HTTP/1.1 200 OK") != std::string::npos) { + ENVOY_LOG(debug, "Received HTTP 200 OK response"); + + // Find the end of headers (double CRLF) + size_t headers_end = data.find("\r\n\r\n"); + if (headers_end != std::string::npos) { + // Extract the response body (after headers) + std::string response_body = data.substr(headers_end + 4); + + if (!response_body.empty()) { + // Try to parse the protobuf response + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; + if (ret.ParseFromString(response_body)) { + ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); + + // Check if the status is ACCEPTED + if (ret.status() == envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED) { + ENVOY_LOG(debug, "Reverse connection accepted by cloud side"); + parent_->onHandshakeSuccess(nullptr); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(error, "Reverse connection rejected: {}", ret.status_message()); + parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::PermissionDenied, + ret.status_message()); + return Network::FilterStatus::StopIteration; + } + } else { + ENVOY_LOG(debug, "Could not parse protobuf response, checking for text success indicators"); + + // Fallback: look for success indicators in the response body + if (response_body.find("reverse connection accepted") != std::string::npos || + response_body.find("ACCEPTED") != std::string::npos) { + ENVOY_LOG(debug, "Found success indicator in response body"); + parent_->onHandshakeSuccess(nullptr); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(error, "No success indicator found in response body"); + parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, + "Unrecognized response format"); + return Network::FilterStatus::StopIteration; + } + } + } else { + ENVOY_LOG(debug, "Response body is empty, waiting for more data"); + return Network::FilterStatus::Continue; + } + } else { + ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); + return Network::FilterStatus::Continue; } - } - - if (length_header.empty()) { - ENVOY_LOG(error, "Content-Length header not found in response."); + } else if (data.find("HTTP/1.1 ") != std::string::npos) { + // Found HTTP response but not 200 OK - this is an error + ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); + parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, + "HTTP handshake failed with non-200 response"); return Network::FilterStatus::StopIteration; - } - - // Decode response content length from a Header value to an unsigned integer. - const std::vector& header_val = - StringUtil::splitToken(length_header, ":", false, true); - ENVOY_LOG(debug, "Header parsing - length_header: '{}', header_val size: {}", length_header, - header_val.size()); - if (header_val.size() <= 1) { - ENVOY_LOG(error, "Invalid Content-Length header format: '{}'", length_header); - return Network::FilterStatus::StopIteration; - } - if (header_val.size() > 1) { - ENVOY_LOG(debug, "Header parsing - header_val[1]: '{}'", header_val[1]); - } - uint32_t body_size = std::stoi(std::string(header_val[1])); - - ENVOY_LOG(debug, "Decoding a Response of length {}", body_size); - const size_t expected_response_size = headers_end_index + kDoubleCrlf.size() + body_size; - if (response_buffer_string_.length() < expected_response_size) { - // We have not received the complete body yet. - ENVOY_LOG(trace, "Received {} of {} expected response bytes.", - response_buffer_string_.length(), expected_response_size); + } else { + ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); return Network::FilterStatus::Continue; } - - // Handle case where body_size is 0. - if (body_size == 0) { - ENVOY_LOG(debug, "Received response with zero-length body - treating as empty protobuf."); - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; - parent_->onData("Empty response received from server"); - return Network::FilterStatus::StopIteration; - } - - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; - const std::string response_body = - response_buffer_string_.substr(headers_end_index + kDoubleCrlf.size(), body_size); - ENVOY_LOG(debug, "Attempting to parse response body: '{}'.", response_body); - if (!ret.ParseFromString(response_body)) { - ENVOY_LOG(error, "Failed to parse protobuf response body."); - parent_->onData("Failed to parse response protobuf"); - return Network::FilterStatus::StopIteration; - } - - ENVOY_LOG(debug, "Found ReverseConnHandshakeRet {}", ret.DebugString()); - parent_->onData(ret.status_message()); - return Network::FilterStatus::StopIteration; } + RCConnectionWrapper* parent_; - std::string response_buffer_string_; }; + ReverseConnectionIOHandle& parent_; Network::ClientConnectionPtr connection_; Upstream::HostDescriptionConstSharedPtr host_; + const std::string cluster_name_; + std::unique_ptr reverse_tunnel_client_; + + // Handshake data for HTTP fallback + std::string handshake_tenant_id_; + std::string handshake_cluster_id_; + std::string handshake_node_id_; + bool handshake_sent_{false}; }; void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { - if (event == Network::ConnectionEvent::RemoteClose) { + if (event == Network::ConnectionEvent::Connected && !handshake_sent_ && + !handshake_tenant_id_.empty() && reverse_tunnel_client_ == nullptr) { + ENVOY_LOG(error, "RCConnectionWrapper: onEvent() called but handshake_sent_ is false"); + } else if (event == Network::ConnectionEvent::RemoteClose) { if (!connection_) { - ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling."); + ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling"); return; } - const std::string& connectionKey = + // Store connection info before it gets invalidated + const std::string connectionKey = connection_->connectionInfoProvider().localAddress()->asString(); - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed.", - connection_->id(), connectionKey); - onFailure(); - // Notify parent of connection closure. + const uint64_t connectionId = connection_->id(); + + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed", + connectionId, connectionKey); + + // Don't call onFailure() here as it may cause cleanup during event processing + // Instead, just notify parent of closure parent_.onConnectionDone("Connection closed", this, true); } } @@ -318,70 +360,102 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addConnectionCallbacks(*this); connection_->connect(); - ENVOY_LOG(info, - "RCConnectionWrapper: connection: {}, initiating HTTP handshake " - "for tenant='{}', cluster='{}', node='{}'", - connection_->id(), src_tenant_id, src_cluster_id, src_node_id); - - // Get the connection key for tracking - const std::string connection_key = - connection_->connectionInfoProvider().localAddress()->asString(); - - // Create protobuf request message using the existing message type - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg request; - request.set_tenant_uuid(src_tenant_id); - request.set_cluster_uuid(src_cluster_id); - request.set_node_uuid(src_node_id); + if (reverse_tunnel_client_) { + // Use gRPC handshake + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, sending reverse connection creation " + "request through gRPC to cluster: {}", + connection_->id(), cluster_name_); - // Serialize the protobuf message - std::string request_body = request.SerializeAsString(); + ENVOY_LOG(debug, + "RCConnectionWrapper: Creating gRPC EstablishTunnel request with tenant='{}', " + "cluster='{}', node='{}'", + src_tenant_id, src_cluster_id, src_node_id); - ENVOY_LOG(debug, "Created protobuf request - tenant='{}', cluster='{}', node='{}', body_size={}", - src_tenant_id, src_cluster_id, src_node_id, request_body.size()); + // Create a dummy span for tracing + auto span = std::make_unique(); - // Create HTTP request - std::string http_request = - fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" - "Host: {}\r\n" - "Content-Type: application/octet-stream\r\n" - "Content-Length: {}\r\n" - "Connection: close\r\n" - "\r\n" - "{}", - connection_->connectionInfoProvider().remoteAddress()->asString(), - request_body.size(), request_body); + // Initiate the gRPC handshake using the actual interface + bool success = reverse_tunnel_client_->initiateHandshake( + src_tenant_id, src_cluster_id, src_node_id, absl::nullopt, *span); - ENVOY_LOG(debug, "Sending HTTP handshake request (size: {} bytes)", http_request.size()); + if (!success) { + ENVOY_LOG(error, "RCConnectionWrapper: Failed to initiate gRPC handshake"); + onFailure(); + return ""; + } - // Send the HTTP request over the TCP connection using the socket's write method - Buffer::OwnedImpl buffer(http_request); - Api::IoCallUint64Result result = connection_->getSocket()->ioHandle().write(buffer); + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, initiated gRPC EstablishTunnel request", + connection_->id()); + } else { + // Fall back to HTTP handshake for now during transition + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, sending reverse connection creation " + "request through HTTP (fallback)", + connection_->id()); + + // Add read filter to handle HTTP response + connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); + + // Use existing HTTP handshake logic + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + arg.set_tenant_uuid(src_tenant_id); + arg.set_cluster_uuid(src_cluster_id); + arg.set_node_uuid(src_node_id); + ENVOY_LOG(debug, + "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", + src_tenant_id, src_cluster_id, src_node_id); + std::string body = arg.SerializeAsString(); + ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", + body.length(), arg.DebugString()); + std::string host_value; + const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); + if (remote_address->type() == Network::Address::Type::EnvoyInternal) { + const auto& internal_address = + std::dynamic_pointer_cast(remote_address); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is internal " + "listener {}, using endpoint ID in host header", + connection_->id(), internal_address->envoyInternalAddress()->addressId()); + host_value = internal_address->envoyInternalAddress()->endpointId(); + } else { + host_value = remote_address->asString(); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is external, " + "using address as host header", + connection_->id()); + } + // Build HTTP request with protobuf body. + Buffer::OwnedImpl reverse_connection_request( + fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" + "Host: {}\r\n" + "Accept: */*\r\n" + "Content-length: {}\r\n" + "\r\n{}", + host_value, body.length(), body)); + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, writing request to connection: {}", + connection_->id(), reverse_connection_request.toString()); + // Send reverse connection request over TCP connection. + connection_->write(reverse_connection_request, false); + } + + return connection_->connectionInfoProvider().localAddress()->asString(); +} - if (!result.ok()) { - ENVOY_LOG(error, "Failed to send HTTP handshake request: {}", result.err_->getErrorDetails()); - onFailure(); - return ""; +void RCConnectionWrapper::onHandshakeSuccess( + std::unique_ptr response) { + std::string message = "reverse connection accepted"; + if (response) { + message = response->status_message(); } - - ENVOY_LOG(debug, "Successfully sent HTTP handshake request ({} bytes written)", - result.return_value_); - - // Install read filter to handle the response - connection_->addReadFilter(std::make_shared(this)); - - return connection_key; + ENVOY_LOG(debug, "gRPC handshake succeeded: {}", message); + parent_.onConnectionDone(message, this, false); } -void RCConnectionWrapper::onData(const std::string& error) { - if (!error.empty()) { - ENVOY_LOG(error, "Reverse connection handshake failed: {}.", error); - // Notify parent of handshake failure - parent_.onConnectionDone(error, this, true); - } else { - ENVOY_LOG(info, "Reverse connection handshake succeeded."); - // Notify parent of handshake success - parent_.onConnectionDone("", this, false); - } +void RCConnectionWrapper::onHandshakeFailure(Grpc::Status::GrpcStatus status, + const std::string& message) { + ENVOY_LOG(error, "gRPC handshake failed with status {}: {}", static_cast(status), message); + parent_.onConnectionDone(message, this, false); } ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, @@ -412,7 +486,15 @@ void ReverseConnectionIOHandle::cleanup() { ENVOY_LOG(debug, "Starting cleanup of reverse connection resources."); // CRITICAL: Clean up pipe trigger mechanism FIRST to prevent use-after-free - cleanupPipeTrigger(); + // Clean up trigger pipe + if (trigger_pipe_write_fd_ >= 0) { + ::close(trigger_pipe_write_fd_); + trigger_pipe_write_fd_ = -1; + } + if (trigger_pipe_read_fd_ >= 0) { + ::close(trigger_pipe_read_fd_); + trigger_pipe_read_fd_ = -1; + } // Cancel the retry timer safely. if (rev_conn_retry_timer_) { @@ -521,27 +603,15 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { config_.remote_clusters.size()); if (!listening_initiated_) { - // Create pipe trigger mechanism on worker thread where TLS is available - if (!isPipeTriggerReady()) { - if (auto status = initializePipeTrigger(); !status.ok()) { + // Create trigger pipe mechanism on worker thread where TLS is available + if (!isTriggerPipeReady()) { + createTriggerPipe(); + if (!isTriggerPipeReady()) { ENVOY_LOG( error, - "Failed to create pipe trigger mechanism - cannot proceed with reverse connections: {}", - status.message()); + "Failed to create trigger pipe mechanism - cannot proceed with reverse connections"); return Api::SysCallIntResult{-1, ENODEV}; } - - // CRITICAL: Replace the monitored FD with pipe read FD - // This must happen before any event registration - int trigger_fd = getPipeMonitorFd(); - if (trigger_fd != -1) { - ENVOY_LOG(info, "Replacing monitored FD from {} to pipe read FD {}", fd_, trigger_fd); - fd_ = trigger_fd; - } else { - ENVOY_LOG( - warn, - "Pipe trigger mechanism does not provide a monitor FD - using original socket FD"); - } } // Create the retry timer on first use with thread-local dispatcher. The timer is reset @@ -577,15 +647,14 @@ Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, socklen_t* addrlen) { - // Pipe trigger mechanism is created lazily in listen() - if not ready, no connections available - if (!isPipeTriggerReady()) { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - pipe trigger mechanism not ready."); - return nullptr; - } - - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - checking pipe trigger mechanism."); - try { - if (waitForPipeTrigger()) { + // Mark parameters as potentially unused + (void)addr; + (void)addrlen; + + if (isTriggerPipeReady()) { + char trigger_byte; + ssize_t bytes_read = ::read(trigger_pipe_read_fd_, &trigger_byte, 1); + if (bytes_read == 1) { ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - received trigger, processing connection."); // When a connection is established, a byte is written to the trigger_pipe_write_fd_ and the @@ -652,7 +721,7 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a // Create RAII-based IoHandle with connection key and parent reference auto io_handle = std::make_unique( - std::move(socket), connection_key, this); + std::move(socket)); ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - RAII IoHandle created with owned socket."); @@ -661,11 +730,14 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - returning io_handle."); return io_handle; } - } else { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - no trigger detected."); + } else if (bytes_read == 0) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - trigger pipe closed."); + return nullptr; + } else if (bytes_read == -1 && errno != EAGAIN && errno != EWOULDBLOCK) { + ENVOY_LOG(error, "ReverseConnectionIOHandle::accept() - error reading from trigger pipe: {}", + strerror(errno)); + return nullptr; } - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception in accept() trigger mechanism: {}.", e.what()); } return nullptr; } @@ -704,10 +776,10 @@ Api::IoCallUint64Result ReverseConnectionIOHandle::close() { } // CRITICAL: If we're using pipe trigger FD, don't let IoSocketHandleImpl close it - // because cleanupPipeTrigger() will handle it - if (isPipeTriggerReady() && getPipeMonitorFd() == fd_) { - ENVOY_LOG(debug, - "Skipping close of pipe trigger FD {} - will be handled by cleanupPipeTrigger().", + // because cleanup will handle it + if (isTriggerPipeReady() && trigger_pipe_read_fd_ == fd_) { + ENVOY_LOG(debug, + "Skipping close of pipe trigger FD {} - will be handled by cleanup.", fd_); // Reset fd_ to prevent double-close fd_ = -1; @@ -723,7 +795,8 @@ void ReverseConnectionIOHandle::onEvent(Network::ConnectionEvent event) { } bool ReverseConnectionIOHandle::isTriggerReady() const { - bool ready = isPipeTriggerReady(); + // Note: isPipeTriggerReady() doesn't exist, using a simple check for now + bool ready = (trigger_pipe_read_fd_ >= 0); ENVOY_LOG(debug, "isTriggerReady() returning: {}", ready); return ready; } @@ -740,10 +813,7 @@ Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { return local_registry->dispatcher(); } - // CRITICAL SAFETY: During shutdown, TLS might be destroyed - ENVOY_LOG(warn, "Thread-local registry not available - likely during shutdown."); - throw EnvoyException( - "Failed to get dispatcher from thread-local registry - TLS destroyed during shutdown"); + throw EnvoyException("Failed to get dispatcher from thread-local registry"); } // Safe wrapper for accessing thread-local dispatcher @@ -883,13 +953,6 @@ void ReverseConnectionIOHandle::maintainClusterConnections( continue; } // Get current number of successful connections to this host - // uint32_t current_connections = 0; - // for (const auto& [wrapper, mapped_host] : conn_wrapper_to_host_map_) { - // if (mapped_host == host_address) { - // current_connections++; - // } - // } - uint32_t current_connections = host_to_conn_info_map_[host_address].connection_keys.size(); ENVOY_LOG(info, @@ -1169,82 +1232,72 @@ void ReverseConnectionIOHandle::onDownstreamConnectionClosed(const std::string& void ReverseConnectionIOHandle::incrementStateGauge(ReverseConnectionDownstreamStats* cluster_stats, ReverseConnectionDownstreamStats* host_stats, ReverseConnectionState state) { - // CRITICAL SAFETY: Handle stats access during/after shutdown - try { - if (!cluster_stats || !host_stats) { - ENVOY_LOG(debug, "Stats objects null during increment - likely during shutdown."); - return; - } + if (!cluster_stats || !host_stats) { + ENVOY_LOG(debug, "Stats objects null during increment - likely during shutdown."); + return; + } - switch (state) { - case ReverseConnectionState::Connecting: - cluster_stats->reverse_conn_connecting_.inc(); - host_stats->reverse_conn_connecting_.inc(); - break; - case ReverseConnectionState::Connected: - cluster_stats->reverse_conn_connected_.inc(); - host_stats->reverse_conn_connected_.inc(); - break; - case ReverseConnectionState::Failed: - cluster_stats->reverse_conn_failed_.inc(); - host_stats->reverse_conn_failed_.inc(); - break; - case ReverseConnectionState::Recovered: - cluster_stats->reverse_conn_recovered_.inc(); - host_stats->reverse_conn_recovered_.inc(); - break; - case ReverseConnectionState::Backoff: - cluster_stats->reverse_conn_backoff_.inc(); - host_stats->reverse_conn_backoff_.inc(); - break; - case ReverseConnectionState::CannotConnect: - cluster_stats->reverse_conn_cannot_connect_.inc(); - host_stats->reverse_conn_cannot_connect_.inc(); - break; - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during stats increment (expected during shutdown): {}.", e.what()); + switch (state) { + case ReverseConnectionState::Connecting: + cluster_stats->reverse_conn_connecting_.inc(); + host_stats->reverse_conn_connecting_.inc(); + break; + case ReverseConnectionState::Connected: + cluster_stats->reverse_conn_connected_.inc(); + host_stats->reverse_conn_connected_.inc(); + break; + case ReverseConnectionState::Failed: + cluster_stats->reverse_conn_failed_.inc(); + host_stats->reverse_conn_failed_.inc(); + break; + case ReverseConnectionState::Recovered: + cluster_stats->reverse_conn_recovered_.inc(); + host_stats->reverse_conn_recovered_.inc(); + break; + case ReverseConnectionState::Backoff: + cluster_stats->reverse_conn_backoff_.inc(); + host_stats->reverse_conn_backoff_.inc(); + break; + case ReverseConnectionState::CannotConnect: + cluster_stats->reverse_conn_cannot_connect_.inc(); + host_stats->reverse_conn_cannot_connect_.inc(); + break; } } void ReverseConnectionIOHandle::decrementStateGauge(ReverseConnectionDownstreamStats* cluster_stats, ReverseConnectionDownstreamStats* host_stats, ReverseConnectionState state) { - // CRITICAL SAFETY: Handle stats access during/after shutdown - try { - if (!cluster_stats || !host_stats) { - ENVOY_LOG(debug, "Stats objects null during decrement - likely during shutdown."); - return; - } + if (!cluster_stats || !host_stats) { + ENVOY_LOG(debug, "Stats objects null during decrement - likely during shutdown."); + return; + } - switch (state) { - case ReverseConnectionState::Connecting: - cluster_stats->reverse_conn_connecting_.dec(); - host_stats->reverse_conn_connecting_.dec(); - break; - case ReverseConnectionState::Connected: - cluster_stats->reverse_conn_connected_.dec(); - host_stats->reverse_conn_connected_.dec(); - break; - case ReverseConnectionState::Failed: - cluster_stats->reverse_conn_failed_.dec(); - host_stats->reverse_conn_failed_.dec(); - break; - case ReverseConnectionState::Recovered: - cluster_stats->reverse_conn_recovered_.dec(); - host_stats->reverse_conn_recovered_.dec(); - break; - case ReverseConnectionState::Backoff: - cluster_stats->reverse_conn_backoff_.dec(); - host_stats->reverse_conn_backoff_.dec(); - break; - case ReverseConnectionState::CannotConnect: - cluster_stats->reverse_conn_cannot_connect_.dec(); - host_stats->reverse_conn_cannot_connect_.dec(); - break; - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during stats decrement (expected during shutdown): {}.", e.what()); + switch (state) { + case ReverseConnectionState::Connecting: + cluster_stats->reverse_conn_connecting_.dec(); + host_stats->reverse_conn_connecting_.dec(); + break; + case ReverseConnectionState::Connected: + cluster_stats->reverse_conn_connected_.dec(); + host_stats->reverse_conn_connected_.dec(); + break; + case ReverseConnectionState::Failed: + cluster_stats->reverse_conn_failed_.dec(); + host_stats->reverse_conn_failed_.dec(); + break; + case ReverseConnectionState::Recovered: + cluster_stats->reverse_conn_recovered_.dec(); + host_stats->reverse_conn_recovered_.dec(); + break; + case ReverseConnectionState::Backoff: + cluster_stats->reverse_conn_backoff_.dec(); + host_stats->reverse_conn_backoff_.dec(); + break; + case ReverseConnectionState::CannotConnect: + cluster_stats->reverse_conn_cannot_connect_.dec(); + host_stats->reverse_conn_cannot_connect_.dec(); + break; } } @@ -1310,9 +1363,10 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& return false; } - // Create wrapper to manage the connection + // Create wrapper to manage the connection + // The wrapper will determine whether to use gRPC or HTTP based on parent's gRPC config auto wrapper = std::make_unique(*this, std::move(conn_data.connection_), - conn_data.host_description_); + conn_data.host_description_, cluster_name); // Send the reverse connection handshake over the TCP connection const std::string connection_key = @@ -1344,279 +1398,231 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& } } -// Pipe trigger mechanism implementation - inlined for simplicity -absl::Status ReverseConnectionIOHandle::initializePipeTrigger() { - ENVOY_LOG(debug, "Creating pipe trigger mechanism."); - - // Check if TLS is available before proceeding - if (!isThreadLocalDispatcherAvailable()) { - return absl::FailedPreconditionError( - "Cannot create pipe trigger mechanism - thread-local dispatcher not available"); - } - - // Create pipe +// Trigger pipe used to wake up accept() when a connection is established. +void ReverseConnectionIOHandle::createTriggerPipe() { + ENVOY_LOG(debug, "Creating trigger pipe for single-byte mechanism"); int pipe_fds[2]; - if (::pipe(pipe_fds) == -1) { - return absl::InternalError(fmt::format("Failed to create pipe: {}", strerror(errno))); - } - - trigger_pipe_read_fd_ = pipe_fds[0]; - trigger_pipe_write_fd_ = pipe_fds[1]; - - // Make both ends non-blocking for optimal performance - int flags = ::fcntl(trigger_pipe_read_fd_, F_GETFL, 0); - if (flags == -1) { - return absl::InternalError(fmt::format("Failed to get pipe read flags: {}", strerror(errno))); - } - if (::fcntl(trigger_pipe_read_fd_, F_SETFL, flags | O_NONBLOCK) == -1) { - return absl::InternalError( - fmt::format("Failed to set pipe read non-blocking: {}", strerror(errno))); - } - - flags = ::fcntl(trigger_pipe_write_fd_, F_GETFL, 0); - if (flags == -1) { - return absl::InternalError(fmt::format("Failed to get pipe write flags: {}", strerror(errno))); - } - if (::fcntl(trigger_pipe_write_fd_, F_SETFL, flags | O_NONBLOCK) == -1) { - return absl::InternalError( - fmt::format("Failed to set pipe write non-blocking: {}", strerror(errno))); - } - - ENVOY_LOG(info, "Created pipe trigger mechanism with read FD: {}, write FD: {}", - trigger_pipe_read_fd_, trigger_pipe_write_fd_); - return absl::OkStatus(); -} - -void ReverseConnectionIOHandle::cleanupPipeTrigger() { - ENVOY_LOG(debug, "Cleaning up pipe trigger mechanism - read FD: {}, write FD: {}.", - trigger_pipe_read_fd_, trigger_pipe_write_fd_); - - if (trigger_pipe_read_fd_ != -1) { - ::close(trigger_pipe_read_fd_); + if (pipe(pipe_fds) == -1) { + ENVOY_LOG(error, "Failed to create trigger pipe: {}", strerror(errno)); trigger_pipe_read_fd_ = -1; - } - if (trigger_pipe_write_fd_ != -1) { - ::close(trigger_pipe_write_fd_); trigger_pipe_write_fd_ = -1; + return; } - - ENVOY_LOG(debug, "Pipe trigger mechanism cleanup complete."); -} - -bool ReverseConnectionIOHandle::triggerPipe() { - if (trigger_pipe_write_fd_ == -1) { - ENVOY_LOG(error, "pipe not initialized."); - return false; - } - - // Write single byte to pipe to trigger it - char trigger_byte = 1; - ssize_t result = ::write(trigger_pipe_write_fd_, &trigger_byte, 1); - if (result != 1) { - if (errno != EAGAIN && errno != EWOULDBLOCK) { - ENVOY_LOG(error, "Failed to write to pipe: {}.", strerror(errno)); - return false; - } - // EAGAIN means pipe buffer is full, which is fine for trigger purposes - ENVOY_LOG(debug, "Pipe buffer full but trigger still effective."); - } - - ENVOY_LOG(debug, "Successfully triggered pipe - wrote {} byte(s).", result > 0 ? result : 0); - return true; -} - -bool ReverseConnectionIOHandle::waitForPipeTrigger() { - if (trigger_pipe_read_fd_ == -1) { - ENVOY_LOG(debug, "pipe wait called but read FD not initialized."); - return false; - } - - // Read from pipe to check if triggered - this also clears the trigger - char buffer[64]; // Read multiple bytes if available - ssize_t result = ::read(trigger_pipe_read_fd_, buffer, sizeof(buffer)); - if (result > 0) { - ENVOY_LOG(debug, "pipe triggered - read {} bytes.", result); - return true; + trigger_pipe_read_fd_ = pipe_fds[0]; + trigger_pipe_write_fd_ = pipe_fds[1]; + // Make both ends non-blocking. + int flags = fcntl(trigger_pipe_write_fd_, F_GETFL, 0); + if (flags != -1) { + fcntl(trigger_pipe_write_fd_, F_SETFL, flags | O_NONBLOCK); } - - if (result == -1 && errno != EAGAIN && errno != EWOULDBLOCK) { - ENVOY_LOG(error, "Failed to read from pipe: {}.", strerror(errno)); + flags = fcntl(trigger_pipe_read_fd_, F_GETFL, 0); + if (flags != -1) { + fcntl(trigger_pipe_read_fd_, F_SETFL, flags | O_NONBLOCK); } - - return false; + ENVOY_LOG(debug, "Created trigger pipe: read_fd={}, write_fd={}", trigger_pipe_read_fd_, + trigger_pipe_write_fd_); } -bool ReverseConnectionIOHandle::isPipeTriggerReady() const { +bool ReverseConnectionIOHandle::isTriggerPipeReady() const { return trigger_pipe_read_fd_ != -1 && trigger_pipe_write_fd_ != -1; } -int ReverseConnectionIOHandle::getPipeMonitorFd() const { return trigger_pipe_read_fd_; } - void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, RCConnectionWrapper* wrapper, bool closed) { - ENVOY_LOG(debug, "Connection wrapper done - error: '{}', closed: {}", error, closed); - - // Find the host and cluster for this wrapper - std::string host_address; - std::string cluster_name; + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection wrapper done - error: '{}', closed: {}", error, closed); - // Get the host for which the wrapper holds the connection. - auto wrapper_it = conn_wrapper_to_host_map_.find(wrapper); - if (wrapper_it == conn_wrapper_to_host_map_.end()) { - ENVOY_LOG(error, "Internal error: wrapper not found in conn_wrapper_to_host_map_."); + // DEFENSIVE: Validate wrapper pointer before any access + if (!wrapper) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Null wrapper pointer in onConnectionDone"); return; } - host_address = wrapper_it->second; - // Get cluster name from host info - auto host_it = host_to_conn_info_map_.find(host_address); - if (host_it != host_to_conn_info_map_.end()) { - cluster_name = host_it->second.cluster_name; - } - - if (cluster_name.empty()) { - ENVOY_LOG(error, "Reverse connection failed: Internal Error: host -> cluster mapping " - "not present. Ignoring message"); - return; - } - - // The connection should not be null. - if (!wrapper->getConnection()) { - ENVOY_LOG(error, "Connection wrapper has null connection."); - return; - } + // DEFENSIVE: Use try-catch for all potentially dangerous operations + std::string host_address; + std::string cluster_name; + std::string connection_key; - ENVOY_LOG(debug, - "Got response from initiated reverse connection for host '{}', " - "cluster '{}', error '{}'.", - host_address, cluster_name, error); - const std::string connection_key = - wrapper->getConnection()->connectionInfoProvider().localAddress()->asString(); - - if (closed || !error.empty()) { - // Connection failed - if (!error.empty()) { - ENVOY_LOG(error, - "Reverse connection failed: Received error '{}' from remote envoy for host {}.", - error, host_address); - wrapper->onFailure(); + try { + // STEP 1: Safely get host address for wrapper + auto wrapper_it = conn_wrapper_to_host_map_.find(wrapper); + if (wrapper_it == conn_wrapper_to_host_map_.end()) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Wrapper not found in conn_wrapper_to_host_map_ - may have been cleaned up"); + return; } - ENVOY_LOG(error, "Reverse connection failed: Removing connection to host {}.", host_address); + host_address = wrapper_it->second; - // Track handshake failure - get connection key and update to failed state - ENVOY_LOG(debug, "Updating connection state to Failed for host {} connection key {}", - host_address, connection_key); - updateConnectionState(host_address, cluster_name, connection_key, - ReverseConnectionState::Failed); - - // CRITICAL FIX: Get connection reference before closing to avoid crash - auto* connection = wrapper->getConnection(); - if (connection) { - connection->getSocket()->ioHandle().resetFileEvents(); - connection->close(Network::ConnectionCloseType::NoFlush); + // STEP 2: Safely get cluster name from host info + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + cluster_name = host_it->second.cluster_name; + } else { + ENVOY_LOG(warn, "TUNNEL SOCKET TRANSFER: Host info not found for {}, using fallback", host_address); } - // Track failure for backoff - trackConnectionFailure(host_address, cluster_name); - // conn_wrapper_to_host_map_.erase(wrapper); - } else { - // Connection succeeded - ENVOY_LOG(debug, "Reverse connection handshake succeeded for host {}", host_address); - - // Reset backoff for successful connection - resetHostBackoff(host_address); - - // Track handshake success - update to connected state - ENVOY_LOG(debug, "Updating connection state to Connected for host {} connection key {}", - host_address, connection_key); - updateConnectionState(host_address, cluster_name, connection_key, - ReverseConnectionState::Connected); + if (cluster_name.empty()) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: No cluster mapping for host {}, cannot process connection event", host_address); + // Still try to clean up the wrapper + conn_wrapper_to_host_map_.erase(wrapper); + return; + } + // STEP 3: Safely get connection info if wrapper is still valid auto* connection = wrapper->getConnection(); - - // Get connection key before releasing the connection - const std::string connection_key = - connection->connectionInfoProvider().localAddress()->asString(); - - // Reset file events. - if (connection && connection->getSocket()) { - connection->getSocket()->ioHandle().resetFileEvents(); + if (connection) { + try { + connection_key = connection->connectionInfoProvider().localAddress()->asString(); + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Processing connection event for host '{}', cluster '{}', key '{}'", + host_address, cluster_name, connection_key); + } catch (const std::exception& e) { + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection info access failed: {}, using fallback key", e.what()); + connection_key = "fallback_" + host_address + "_" + std::to_string(rand()); + } + } else { + connection_key = "cleanup_" + host_address + "_" + std::to_string(rand()); + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection already null, using fallback key '{}'", connection_key); } - // Update host connection tracking with connection key - auto host_it = host_to_conn_info_map_.find(host_address); - if (host_it != host_to_conn_info_map_.end()) { - // Track the connection key for stats - host_it->second.connection_keys.insert(connection_key); - ENVOY_LOG(debug, "Added connection key {} for host {} of cluster {}", connection_key, - host_address, cluster_name); + } catch (const std::exception& e) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Exception during connection info gathering: {}", e.what()); + // Try to at least remove the wrapper from our maps + try { + conn_wrapper_to_host_map_.erase(wrapper); + } catch (...) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Failed to remove wrapper from map"); } + return; + } - // we release the connection and trigger accept() - Network::ClientConnectionPtr released_conn = wrapper->releaseConnection(); + // Get connection pointer for safe access in success/failure handling + auto* connection = wrapper->getConnection(); - if (released_conn) { - // Move connection to established queue - ENVOY_LOG(trace, "Adding connection to established_connections_."); - established_connections_.push(std::move(released_conn)); + // STEP 4: Process connection result safely + bool is_success = (error == "reverse connection accepted" || error == "success" || + error == "handshake successful" || error == "connection established"); - // Trigger the accept mechanism - if (isTriggerReady()) { - ENVOY_LOG(debug, - "Triggering accept mechanism for reverse connection from host {} of cluster {}.", - host_address, cluster_name); + if (closed || (!error.empty() && !is_success)) { + // DEFENSIVE: Handle connection failure safely + try { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Connection failed - error '{}', cleaning up host {}", error, host_address); + + updateConnectionState(host_address, cluster_name, connection_key, ReverseConnectionState::Failed); + + // Safely close connection if still valid + if (connection) { try { - if (triggerPipe()) { - ENVOY_LOG(info, - "Successfully triggered accept() for reverse connection from host {} " - "of cluster {} - pipe read FD: {}.", - host_address, cluster_name, getPipeMonitorFd()); - } else { - ENVOY_LOG(error, "Failed to trigger accept mechanism for host {} of cluster {}.", - host_address, cluster_name); + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); } + connection->close(Network::ConnectionCloseType::NoFlush); } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception during trigger: {} for host {} of cluster {}.", e.what(), - host_address, cluster_name); + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection close failed: {}", e.what()); } - } else { - ENVOY_LOG(error, - "Cannot trigger accept mechanism - trigger not ready for host {} of cluster {}.", - host_address, cluster_name); } + + trackConnectionFailure(host_address, cluster_name); + + } catch (const std::exception& e) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Exception during failure handling: {}", e.what()); } - } + + } else { + // DEFENSIVE: Handle connection success safely + try { + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection succeeded for host {}", host_address); - ENVOY_LOG(trace, "Removing wrapper from connection_wrappers_ vector."); + resetHostBackoff(host_address); + updateConnectionState(host_address, cluster_name, connection_key, ReverseConnectionState::Connected); - conn_wrapper_to_host_map_.erase(wrapper); + // Only proceed if connection is still valid + if (!connection) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Cannot complete successful handshake - connection is null"); + return; + } - // CRITICAL FIX: Safe cleanup with deferred deletion when available - auto wrapper_vector_it = std::find_if( - connection_wrappers_.begin(), connection_wrappers_.end(), - [wrapper](const std::unique_ptr& w) { return w.get() == wrapper; }); + // CRITICAL FIX: Remove the PersistentPingFilter approach that was breaking HTTP processing + // Instead, transfer the connection directly to the listener system + + ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Transferring tunnel socket for reverse_conn_listener consumption"); - if (wrapper_vector_it != connection_wrappers_.end()) { - // Move the wrapper out for safe cleanup - auto wrapper_to_delete = std::move(*wrapper_vector_it); - connection_wrappers_.erase(wrapper_vector_it); + // DEFENSIVE: Reset file events safely + try { + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + } catch (const std::exception& e) { + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: File events reset failed: {}", e.what()); + } - // Try deferred deletion if dispatcher is available, otherwise direct cleanup - if (isThreadLocalDispatcherAvailable()) { + // DEFENSIVE: Update host connection tracking safely try { - getThreadLocalDispatcher().deferredDelete(std::move(wrapper_to_delete)); - ENVOY_LOG(debug, "Deferred delete of connection wrapper."); + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + host_it->second.connection_keys.insert(connection_key); + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Added connection key {} for host {}", connection_key, host_address); + } } catch (const std::exception& e) { - ENVOY_LOG(warn, "Deferred deletion failed, using direct cleanup: {}.", e.what()); - // Direct cleanup as fallback - wrapper_to_delete.reset(); + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Host tracking update failed: {}", e.what()); } - } else { - ENVOY_LOG(debug, "Dispatcher not available during shutdown - using direct wrapper cleanup."); - // Direct cleanup when dispatcher is not available (during shutdown) - wrapper_to_delete.reset(); + + // CRITICAL FIX: Transfer connection WITHOUT adding PersistentPingFilter + // The reverse_conn_listener will handle HTTP requests through its HTTP connection manager + try { + Network::ClientConnectionPtr released_conn = wrapper->releaseConnection(); + + if (released_conn) { + ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Successfully released connection - NO filters added"); + ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Connection will be consumed by reverse_conn_listener for HTTP processing"); + + // Move connection to established queue for reverse_conn_listener to consume + established_connections_.push(std::move(released_conn)); + + // Trigger accept mechanism safely + if (isTriggerPipeReady()) { + char trigger_byte = 1; + ssize_t bytes_written = ::write(trigger_pipe_write_fd_, &trigger_byte, 1); + if (bytes_written == 1) { + ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Successfully triggered reverse_conn_listener accept() for host {}", host_address); + } else { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Failed to write trigger byte: {}", strerror(errno)); + } + } + } + } catch (const std::exception& e) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Connection transfer failed: {}", e.what()); + } + + } catch (const std::exception& e) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Exception during success handling: {}", e.what()); } } + + // STEP 5: Safely remove wrapper from tracking + try { + conn_wrapper_to_host_map_.erase(wrapper); + + // DEFENSIVE: Find and remove wrapper from vector safely + auto wrapper_vector_it = std::find_if( + connection_wrappers_.begin(), connection_wrappers_.end(), + [wrapper](const std::unique_ptr& w) { return w.get() == wrapper; }); + + if (wrapper_vector_it != connection_wrappers_.end()) { + auto wrapper_to_delete = std::move(*wrapper_vector_it); + connection_wrappers_.erase(wrapper_vector_it); + + // Use deferred deletion to prevent crash during cleanup + try { + std::unique_ptr deletable_wrapper( + static_cast(wrapper_to_delete.release())); + getThreadLocalDispatcher().deferredDelete(std::move(deletable_wrapper)); + ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Deferred delete of connection wrapper"); + } catch (const std::exception& e) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Deferred deletion failed: {}", e.what()); + } + } + + } catch (const std::exception& e) { + ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Wrapper removal failed: {}", e.what()); + } } // ReverseTunnelInitiator implementation @@ -1634,24 +1640,21 @@ DownstreamSocketThreadLocal* ReverseTunnelInitiator::getLocalRegistry() const { // ReverseTunnelInitiatorExtension implementation void ReverseTunnelInitiatorExtension::onServerInitialized() { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onServerInitialized - creating " - "thread local slot with enhanced safety"); - - // Create thread local slot using the enhanced factory utilities for better error handling - tls_slot_ = ReverseConnectionFactoryUtils::createThreadLocalSlot( - context_.threadLocal(), "ReverseTunnelInitiatorExtension"); - - if (!tls_slot_) { - ENVOY_LOG(error, "Failed to create thread-local slot for ReverseTunnelInitiatorExtension"); - return; - } + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onServerInitialized"); +} +void ReverseTunnelInitiatorExtension::onWorkerThreadInitialized() { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onWorkerThreadInitialized - creating thread local slot"); + + // Create thread local slot on worker thread initialization + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + // Set up the thread local dispatcher for each worker thread tls_slot_->set([this](Event::Dispatcher& dispatcher) { return std::make_shared(dispatcher, context_.scope()); }); - - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension thread-local setup completed successfully"); + + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension - thread local slot created successfully in worker thread"); } DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { @@ -1752,6 +1755,11 @@ ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, RemoteClusterConnectionConfig cluster_config(config.remote_cluster, config.connection_count); socket_config.remote_clusters.push_back(cluster_config); + // Get gRPC config from extension if available + if (extension_ && extension_->hasGrpcConfig()) { + socket_config.grpc_service_config = extension_->getGrpcConfig(); + } + // Thread-safe: Pass config directly to helper method return createReverseConnectionSocket( socket_type, addr->type(), @@ -1768,32 +1776,33 @@ bool ReverseTunnelInitiator::ipFamilySupported(int domain) { return domain == AF_INET || domain == AF_INET6; } -// Factory implementation moved to ReverseTunnelInitiatorFactory class +Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( + const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { + ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); + const auto& message = MessageUtil::downcastAndValidate< + const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface&>( + config, context.messageValidationVisitor()); + context_ = &context; + // Create the bootstrap extension and store reference to it + auto extension = std::make_unique(context, message); + extension_ = extension.get(); + return extension; +} + +ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { + return std::make_unique< + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface>(); +} -// ReverseTunnelInitiatorExtension constructor implementation +// ReverseTunnelInitiatorExtension constructor implementation. ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface& config) + const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface& config) : context_(context), config_(config) { - ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension."); -} - -// ReverseTunnelInitiatorFactory implementation -Server::BootstrapExtensionPtr ReverseTunnelInitiatorFactory::createBootstrapExtensionTyped( - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface& proto_config, - Server::Configuration::ServerFactoryContext& context) { - ENVOY_LOG(debug, "ReverseTunnelInitiatorFactory::createBootstrapExtensionTyped()."); - - // Create the bootstrap extension using the new factory pattern - auto extension = std::make_unique(context, proto_config); - - ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension with factory-based approach."); - return extension; + ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension - TLS slot will be created in onWorkerThreadInitialized"); } -REGISTER_FACTORY(ReverseTunnelInitiatorFactory, Server::Configuration::BootstrapExtensionFactory); +REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); size_t ReverseTunnelInitiator::getConnectionCount(const std::string& target) const { // For the downstream (initiator) side, we need to check the number of active connections diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 7d274e29a0ffe..8048681c7365e 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -40,6 +40,7 @@ namespace ReverseConnection { class RCConnectionWrapper; class ReverseTunnelInitiator; class ReverseTunnelInitiatorExtension; +class GrpcReverseTunnelClient; namespace { // HTTP protocol constants. @@ -129,11 +130,15 @@ struct ReverseConnectionSocketConfig { uint32_t connection_timeout_ms; // Connection timeout in milliseconds. bool enable_metrics; // Whether to enable metrics collection. bool enable_circuit_breaker; // Whether to enable circuit breaker functionality. + + // gRPC service configuration for reverse tunnel handshake + absl::optional grpc_service_config; + bool enable_legacy_http_handshake; // Whether to enable legacy HTTP handshake ReverseConnectionSocketConfig() : health_check_interval_ms(kDefaultHealthCheckIntervalMs), connection_timeout_ms(kDefaultConnectionTimeoutMs), enable_metrics(true), - enable_circuit_breaker(true) {} + enable_circuit_breaker(true), enable_legacy_http_handshake(true) {} }; /** @@ -316,6 +321,17 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ Upstream::ClusterManager& getClusterManager() { return cluster_manager_; } + /** + * Get pointer to the gRPC service configuration if available. + * @return pointer to the gRPC config, nullptr if not available + */ + const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig* getGrpcConfig() const { + if (!config_.grpc_service_config.has_value()) { + return nullptr; + } + return &config_.grpc_service_config.value(); + } + /** * Increment the gauge for a specific connection state. * @param cluster_stats pointer to cluster-level stats @@ -388,39 +404,15 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Pipe trigger mechanism helpers /** - * Initialize the pipe trigger mechanism for waking up accept(). - * @return absl::OkStatus() if successful, error status otherwise - */ - absl::Status initializePipeTrigger(); - - /** - * Clean up pipe trigger mechanism resources. - */ - void cleanupPipeTrigger(); - - /** - * Trigger the pipe to wake up accept(). - * @return true if successful, false otherwise + * Create trigger pipe used to wake up accept() when a connection is established. */ - bool triggerPipe(); + void createTriggerPipe(); /** - * Check if pipe was triggered (non-blocking) and consume trigger data. - * @return true if triggered, false if no trigger pending - */ - bool waitForPipeTrigger(); - - /** - * Check if pipe trigger mechanism is ready for use. + * Check if trigger pipe is ready for use. * @return true if initialized and ready */ - bool isPipeTriggerReady() const; - - /** - * Get the pipe read file descriptor for event loop monitoring. - * @return file descriptor, or -1 if not initialized - */ - int getPipeMonitorFd() const; + bool isTriggerPipeReady() const; // Host/cluster mapping management /** @@ -494,6 +486,9 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Single retry timer for all clusters Event::TimerPtr rev_conn_retry_timer_; + // gRPC reverse tunnel client for handshake operations + std::unique_ptr reverse_tunnel_client_; + bool listening_initiated_{false}; // Whether reverse connections have been initiated // Store original socket FD for cleanup @@ -597,11 +592,24 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, */ std::vector getEstablishedConnections() const; + // BootstrapExtensionFactory implementation + Server::BootstrapExtensionPtr createBootstrapExtension( + const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override; + + ProtobufTypes::MessagePtr createEmptyConfigProto() override; + + std::string name() const override { + return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; + } + private: ReverseTunnelInitiatorExtension* extension_; Server::Configuration::ServerFactoryContext* context_; }; +DECLARE_FACTORY(ReverseTunnelInitiator); + /** * Bootstrap extension for ReverseTunnelInitiator. */ @@ -614,13 +622,27 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, DownstreamReverseConnectionSocketInterface& config); void onServerInitialized() override; - void onWorkerThreadInitialized() override {} + void onWorkerThreadInitialized() override; /** * @return pointer to the thread-local registry, or nullptr if not available. */ DownstreamSocketThreadLocal* getLocalRegistry() const; + /** + * @return true if gRPC service config is available in the configuration + */ + bool hasGrpcConfig() const { + return config_.has_grpc_service_config(); + } + + /** + * @return reference to the gRPC service config + */ + const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& getGrpcConfig() const { + return config_.grpc_service_config(); + } + private: Server::Configuration::ServerFactoryContext& context_; const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: @@ -628,30 +650,6 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, ThreadLocal::TypedSlotPtr tls_slot_; }; -/** - * Factory for creating ReverseTunnelInitiator bootstrap extensions. - * Uses the new factory base pattern for better consistency with Envoy conventions. - */ -class ReverseTunnelInitiatorFactory - : public ReverseConnectionBootstrapFactoryBase< - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface, - ReverseTunnelInitiatorExtension>, - public Logger::Loggable { -public: - ReverseTunnelInitiatorFactory() - : ReverseConnectionBootstrapFactoryBase( - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface") {} - -private: - Server::BootstrapExtensionPtr createBootstrapExtensionTyped( - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface& proto_config, - Server::Configuration::ServerFactoryContext& context) override; -}; - -DECLARE_FACTORY(ReverseTunnelInitiatorFactory); - /** * Custom load balancer context for reverse connections. This class enables the * ReverseConnectionIOHandle to propagate upstream host details to the cluster_manager, ensuring diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc index 6a570114a8f0c..9b2468a12316b 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc @@ -1516,6 +1516,112 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { EXPECT_NE(&socket, nullptr); } +// Configuration validation tests +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + NiceMock context_; +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + // Test that valid configuration gets accepted + config_.set_stat_prefix("reverse_tunnel"); + + ReverseTunnelAcceptor acceptor(context_); + + // Should not throw when creating bootstrap extension + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + // Test that empty stat_prefix still works with default + ReverseTunnelAcceptor acceptor(context_); + + // Should not throw and should use default prefix + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv4) { + // Test that IPv4 is supported + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv6) { + // Test that IPv6 is supported + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportUnknown) { + // Test that unknown families are not supported + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(-1)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, ExtensionNotInitialized) { + // Test that we handle calls before onServerInitialized + ReverseTunnelAcceptor acceptor(context_); + + auto registry = acceptor.getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, CreateEmptyConfigProto) { + // Test that createEmptyConfigProto returns valid proto + auto proto = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(proto, nullptr); + + // Should be able to cast to the correct type + auto* typed_proto = + dynamic_cast(proto.get()); + EXPECT_NE(typed_proto, nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { + // Test that factory returns correct name + EXPECT_EQ(socket_interface_->name(), + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); +} + +TEST_F(TestUpstreamSocketManager, GetConnectionSocketNoSocketsButValidMapping) { + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + + // Manually add mapping without adding any actual sockets + socket_manager_->node_to_cluster_map_[node_id] = cluster_id; + socket_manager_->cluster_to_node_map_[cluster_id].push_back(node_id); + + // Try to get a socket - should hit the "No available sockets" log and return nullptr + auto socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadInvalidSocketNotInPool) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + // Add socket to create mappings + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + // Get the socket (removes it from pool but keeps fd mapping temporarily) + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); + + // Manually add the fd back to fd_to_node_map to simulate the edge case + socket_manager_->fd_to_node_map_[123] = node_id; + + // Now mark socket dead - it should find the node but not find the socket in the pool + // This will trigger the "Marking an invalid socket dead" error log + socket_manager_->markSocketDead(123); + + // Verify the fd mapping was cleaned up + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions From abac90d552f52d25b866e533ae132e6c52484730 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 23 Jul 2025 10:21:01 +0000 Subject: [PATCH 044/505] get reverse conn cluster to compile Signed-off-by: Basundhara Chakrabarty --- .../clusters/reverse_connection/reverse_connection.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index c12ed55a200ae..b153de39c5f34 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -108,6 +108,12 @@ class UpstreamReverseConnectionAddress const Network::Address::Ipv6* ipv6() const override { return nullptr; } uint32_t port() const override { return 0; } Network::Address::IpVersion version() const override { return Network::Address::IpVersion::v4; } + + // Additional pure virtual methods that need implementation + bool isLinkLocalAddress() const override { return false; } + bool isUniqueLocalAddress() const override { return false; } + bool isSiteLocalAddress() const override { return false; } + bool isTeredoAddress() const override { return false; } std::string address_string_{"0.0.0.0:0"}; }; From 2cbb4a6cd9fe42aacdcde888f3f62e5bab18e4d6 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 23 Jul 2025 10:21:29 +0000 Subject: [PATCH 045/505] tmp: fixes in reverse conn filter Signed-off-by: Basundhara Chakrabarty --- .../http/reverse_conn/reverse_conn_filter.cc | 159 +++++++----------- .../http/reverse_conn/reverse_conn_filter.h | 3 +- 2 files changed, 61 insertions(+), 101 deletions(-) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index d73dbb37bdbb1..af02ed1344b13 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -104,6 +104,7 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { ret.set_status_message("Failed to parse request message or required fields missing"); decoder_callbacks_->sendLocalReply(Http::Code::BadGateway, ret.SerializeAsString(), nullptr, absl::nullopt, ""); + decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } @@ -179,15 +180,7 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { // Handle based on role if (is_responder) { - auto* socket_manager = getUpstreamSocketManager(); - if (!socket_manager) { - ENVOY_LOG(error, "Failed to get upstream socket manager for responder role"); - decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, - "Failed to get socket manager", nullptr, absl::nullopt, - ""); - return Http::FilterHeadersStatus::StopIteration; - } - return handleResponderInfo(socket_manager, remote_node, remote_cluster); + return handleResponderInfo(remote_node, remote_cluster); } else if (is_initiator) { auto* downstream_interface = getDownstreamSocketInterface(); if (!downstream_interface) { @@ -207,110 +200,70 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { } Http::FilterHeadersStatus -ReverseConnFilter::handleResponderInfo(ReverseConnection::UpstreamSocketManager* socket_manager, - const std::string& remote_node, +ReverseConnFilter::handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster) { - size_t num_sockets = 0; - bool send_all_rc_info = true; - // With the local envoy as a responder, the API can be used to get the number - // of reverse connections by remote node ID or remote cluster ID. - if (!remote_node.empty() || !remote_cluster.empty()) { - send_all_rc_info = false; - if (!remote_node.empty()) { - ENVOY_LOG(debug, - "Getting number of reverse connections for remote node: {} with responder role", - remote_node); - num_sockets = socket_manager->getNumberOfSocketsByNode(remote_node); - } else { - ENVOY_LOG(debug, - "Getting number of reverse connections for remote cluster: {} with responder role", - remote_cluster); - num_sockets = socket_manager->getNumberOfSocketsByCluster(remote_cluster); - } - } - - // Send the reverse connection count filtered by node or cluster ID. - if (!send_all_rc_info) { - std::string response = fmt::format("{{\"available_connections\":{}}}", num_sockets); - absl::StatusOr response_or_error = - Json::Factory::loadFromString(response); - if (!response_or_error.ok()) { - decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, - "failed to form valid json response", nullptr, - absl::nullopt, ""); - } - ENVOY_LOG(info, "Sending reverse connection info response: {}", response); - decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); - return Http::FilterHeadersStatus::StopIteration; - } - ENVOY_LOG(debug, - "Getting all reverse connection info with responder role - production stats-based"); + "ReverseConnFilter: Received reverse connection info request with remote_node: {} remote_cluster: {}", + remote_node, remote_cluster); // Production-ready cross-thread aggregation for multi-tenant reporting - // First try the production stats-based approach for cross-thread aggregation auto* upstream_extension = getUpstreamSocketInterfaceExtension(); - if (upstream_extension) { - ENVOY_LOG(debug, - "Using production stats-based cross-thread aggregation for multi-tenant reporting"); - - // Use the production stats-based approach with Envoy's proven stats system - auto [connected_nodes, accepted_connections] = - upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); - - // Convert vectors to lists for JSON serialization - std::list accepted_connections_list(accepted_connections.begin(), - accepted_connections.end()); - std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - - ENVOY_LOG(debug, - "Stats-based aggregation completed: {} connected nodes, {} accepted connections", - connected_nodes.size(), accepted_connections.size()); - - // Create production-ready JSON response for multi-tenant environment - std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", - Json::Factory::listAsJsonString(accepted_connections_list), - Json::Factory::listAsJsonString(connected_nodes_list)); - - ENVOY_LOG(info, "handleResponderInfo production stats-based response: {}", response); + if (!upstream_extension) { + ENVOY_LOG(error, "No upstream extension available for stats collection"); + std::string response = R"({"accepted":[],"connected":[]})"; decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } - // Fallback to current thread approach (for backward compatibility) - ENVOY_LOG(warn, - "No upstream extension available, falling back to current thread data collection"); - - std::list accepted_rc_nodes; - std::list connected_rc_clusters; + // For specific node or cluster query + if (!remote_node.empty() || !remote_cluster.empty()) { + // Get connection count for specific remote node/cluster using stats + auto stats_map = upstream_extension->getCrossWorkerStatMap(); + size_t num_connections = 0; + + if (!remote_node.empty()) { + std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", remote_node); + auto it = stats_map.find(node_stat_name); + if (it != stats_map.end()) { + num_connections = it->second; + } + } else { + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", remote_cluster); + auto it = stats_map.find(cluster_stat_name); + if (it != stats_map.end()) { + num_connections = it->second; + } + } + + std::string response = fmt::format("{{\"available_connections\":{}}}", num_connections); + ENVOY_LOG(info, "handleResponderInfo response for {}: {}", + remote_node.empty() ? remote_cluster : remote_node, response); + decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); + return Http::FilterHeadersStatus::StopIteration; + } - auto node_stats = socket_manager->getConnectionStats(); - auto cluster_stats = socket_manager->getSocketCountMap(); + ENVOY_LOG(debug, + "ReverseConnFilter: Using upstream socket manager to get connection stats"); - ENVOY_LOG(debug, "Fallback stats collected: {} nodes, {} clusters", node_stats.size(), - cluster_stats.size()); + // Use the production stats-based approach with Envoy's proven stats system + auto [connected_nodes, accepted_connections] = + upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); - // Process current thread's data - for (const auto& [node_id, rc_conn_count] : node_stats) { - if (rc_conn_count > 0) { - accepted_rc_nodes.push_back(node_id); - ENVOY_LOG(trace, "Fallback: Node '{}' has {} connections", node_id, rc_conn_count); - } - } + // Convert vectors to lists for JSON serialization + std::list accepted_connections_list(accepted_connections.begin(), + accepted_connections.end()); + std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - for (const auto& [cluster_id, rc_conn_count] : cluster_stats) { - if (rc_conn_count > 0) { - connected_rc_clusters.push_back(cluster_id); - ENVOY_LOG(trace, "Fallback: Cluster '{}' has {} connections", cluster_id, rc_conn_count); - } - } + ENVOY_LOG(debug, + "Stats aggregation completed: {} connected nodes, {} accepted connections", + connected_nodes.size(), accepted_connections.size()); - // Create fallback JSON response + // Create production-ready JSON response for multi-tenant environment std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", - Json::Factory::listAsJsonString(accepted_rc_nodes), - Json::Factory::listAsJsonString(connected_rc_clusters)); + Json::Factory::listAsJsonString(accepted_connections_list), + Json::Factory::listAsJsonString(connected_nodes_list)); - ENVOY_LOG(info, "handleResponderInfo fallback response: {}", response); + ENVOY_LOG(info, "handleResponderInfo production stats-based response: {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } @@ -474,6 +427,8 @@ Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { ENVOY_STREAM_LOG(info, "Processing gRPC request body with {} bytes", *decoder_callbacks_, accept_rev_conn_proto_.length()); + decoder_callbacks_->setReverseConnForceLocalReply(true); + try { // Parse gRPC request from buffer envoy::service::reverse_tunnel::v3::EstablishTunnelRequest grpc_request; @@ -487,6 +442,7 @@ Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { ENVOY_STREAM_LOG(error, "Failed to parse gRPC request from body", *decoder_callbacks_); decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, "Invalid gRPC request format", nullptr, absl::nullopt, ""); + decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } } else { @@ -494,6 +450,7 @@ Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { request_body.length()); decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, "gRPC request too short", nullptr, absl::nullopt, ""); + decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } @@ -530,17 +487,21 @@ Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { ENVOY_STREAM_LOG(info, "Saving downstream connection for gRPC request", *decoder_callbacks_); - saveDownstreamConnection(*connection, initiator.node_id(), initiator.cluster_id()); connection->setSocketReused(true); - connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn_grpc"); + // connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn_grpc"); + ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", + *decoder_callbacks_, initiator.node_id(), initiator.cluster_id()); + saveDownstreamConnection(*connection, initiator.node_id(), initiator.cluster_id()); } + decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } catch (const std::exception& e) { ENVOY_STREAM_LOG(error, "Exception processing gRPC request: {}", *decoder_callbacks_, e.what()); decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, "Internal server error", nullptr, absl::nullopt, ""); + decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } } diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index e18957f19018e..73e52429703a5 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -120,8 +120,7 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Handle reverse connection info for responder role (uses upstream socket manager) Http::FilterHeadersStatus - handleResponderInfo(ReverseConnection::UpstreamSocketManager* socket_manager, - const std::string& remote_node, const std::string& remote_cluster); + handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster); // Handle reverse connection info for initiator role (uses downstream socket interface) Http::FilterHeadersStatus handleInitiatorInfo(const std::string& remote_node, From 1bf057b418e6c783c8e7a9f3e0d25a8b2f161e9d Mon Sep 17 00:00:00 2001 From: Leonardo da Mata Date: Wed, 23 Jul 2025 12:32:42 +0000 Subject: [PATCH 046/505] Fix a bug on Geoip maxmind apple_private_relay to check if apple_private_relay is set instead of isp header. (#40338) The geoip filter should check for the correct field when setting the header, the apple_private_relay is a special header that sets true or false when the isp is iCloud Private Relay, but we were checking the wrong field with a potential bug when using the filter with only apple_private_relay header set. Signed-off-by: Leonardo da Mata --- changelogs/current.yaml | 3 ++ .../geoip_providers/maxmind/geoip_provider.cc | 2 +- .../geoip/geoip_filter_integration_test.cc | 37 +++++++++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 5c9d955cae13a..10e74defffb3e 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -116,6 +116,9 @@ minor_behavior_changes: bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* +- area: geoip + change: | + Fixed a bug where the ``apple_private_relay`` header was not populated correctly when isp header wasn't set. - area: conn_pool change: | Fixed an issue that could lead to too many connections when using diff --git a/source/extensions/geoip_providers/maxmind/geoip_provider.cc b/source/extensions/geoip_providers/maxmind/geoip_provider.cc index 4bc0f8fb2e7d8..7b6c8065a2879 100644 --- a/source/extensions/geoip_providers/maxmind/geoip_provider.cc +++ b/source/extensions/geoip_providers/maxmind/geoip_provider.cc @@ -72,7 +72,7 @@ GeoipProviderConfig::GeoipProviderConfig( : absl::nullopt; isp_header_ = !geo_headers_to_add.isp().empty() ? absl::make_optional(geo_headers_to_add.isp()) : absl::nullopt; - apple_private_relay_header_ = !geo_headers_to_add.isp().empty() + apple_private_relay_header_ = !geo_headers_to_add.apple_private_relay().empty() ? absl::make_optional(geo_headers_to_add.apple_private_relay()) : absl::nullopt; if (!city_db_path_ && !anon_db_path_ && !asn_db_path_ && !isp_db_path_) { diff --git a/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc b/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc index dd4515de406d2..23721d881b4ab 100644 --- a/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc +++ b/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc @@ -99,6 +99,22 @@ const std::string ConfigIspAndCity = R"EOF( isp_db_path: "{{ test_rundir }}/test/extensions/geoip_providers/maxmind/test_data/GeoIP2-ISP-Test.mmdb" )EOF"; +const std::string ConfigIsApplePrivateRelayOnly = R"EOF( + name: envoy.filters.http.geoip + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.geoip.v3.Geoip + xff_config: + xff_num_trusted_hops: 1 + provider: + name: envoy.geoip_providers.maxmind + typed_config: + "@type": type.googleapis.com/envoy.extensions.geoip_providers.maxmind.v3.MaxMindConfig + common_provider_config: + geo_headers_to_add: + apple_private_relay: "x-geo-apple-private-relay" + isp_db_path: "{{ test_rundir }}/test/extensions/geoip_providers/maxmind/test_data/GeoIP2-ISP-Test.mmdb" + )EOF"; + class GeoipFilterIntegrationTest : public testing::TestWithParam, public HttpIntegrationTest { public: @@ -295,6 +311,27 @@ TEST_P(GeoipFilterIntegrationTest, GeoipFilterNoCrashOnLdsUpdate) { EXPECT_EQ(2, test_server_->counter("http.config_test.maxmind.city_db.hit")->value()); } +TEST_P(GeoipFilterIntegrationTest, OnlyApplePrivateRelayHeaderIsPopulated) { + config_helper_.prependFilter(TestEnvironment::substitute(ConfigIsApplePrivateRelayOnly)); + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "host"}, + {"x-forwarded-for", "81.2.69.142,9.10.11.12"}, + {"x-geo-city", "Berlin"}, + {"x-geo-country", "Germany"}}; + auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); + + EXPECT_EQ("false", headerValue("x-geo-apple-private-relay")); + ASSERT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); + test_server_->waitForCounterEq("http.config_test.geoip.total", 1); + EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.isp_db.total")->value()); + EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.isp_db.hit")->value()); +} + } // namespace } // namespace Geoip } // namespace HttpFilters From 161d47b5d600d47cccab8d5df7d65e01c849153d Mon Sep 17 00:00:00 2001 From: phlax Date: Wed, 23 Jul 2025 15:24:43 +0100 Subject: [PATCH 047/505] wasm/deps: Add changelog for wasmtime bump (#40362) Signed-off-by: Ryan Northey --- changelogs/current.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 10e74defffb3e..b25188a83b6db 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -172,6 +172,9 @@ bug_fixes: change: | Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. +- area: wasm + change: | + Bumped wasmtime version to 24.0.2 to address CVE. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` From 569075a9774126273807ed282de08696d732e658 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 23 Jul 2025 10:32:03 -0700 Subject: [PATCH 048/505] dfp: fixes a bug which broke requests using IPv6 literals as hosts (#40347) ## Description This PR fixes a bug in Dynamic Forward Proxy which break requests using IPv6 literals as hosts. The regression was caused by a [new change](https://github.com/envoyproxy/envoy/pull/39605) where the code strips off the brackets from IPv6 hostnames, which confuses the `normalizeHostForDfp` function in the DFP cluster. Fix https://github.com/envoyproxy/envoy/issues/40344 --- **Commit Message:** dfp: fixes a bug which broke requests using IPv6 literals as hosts **Additional Description:** Fixes a bug in Dynamic Forward Proxy which break requests using IPv6 literals as hosts. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- .../dynamic_forward_proxy/proxy_filter.cc | 6 +- .../proxy_filter_test.cc | 87 ++++++++++++++++++- 2 files changed, 90 insertions(+), 3 deletions(-) diff --git a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc index 4373f1bf13809..8ea907b340680 100644 --- a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc +++ b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc @@ -320,7 +320,11 @@ Http::FilterHeadersStatus ProxyFilter::decodeHeaders(Http::RequestHeaderMap& hea // Get host value from the request headers. const auto host_attributes = Http::Utility::parseAuthority(headers.Host()->value().getStringView()); - absl::string_view host = host_attributes.host_; + std::string host_str(!host_attributes.is_ip_address_ || + !absl::StrContains(host_attributes.host_, ":") + ? host_attributes.host_ + : absl::StrCat("[", host_attributes.host_, "]")); + absl::string_view host = host_str; uint16_t port = host_attributes.port_.value_or(default_port); // Apply filter state overrides for host and port. diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_test.cc index 047f893ff26fa..f1bfd6b5e0447 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_test.cc @@ -813,8 +813,6 @@ TEST_F(ProxyFilterWithFilterStateHostTest, NoFilterStatePresent) { .Times(AnyNumber()) .WillRepeatedly(Return(false)); - // Use empty filter state (no filter state values set). - // Should use "foo" from host header when no filter state found. Common::DynamicForwardProxy::MockLoadDnsCacheEntryHandle* handle = new Common::DynamicForwardProxy::MockLoadDnsCacheEntryHandle(); @@ -1089,6 +1087,91 @@ TEST_F(ProxyFilterWithFilterStateHostDisabledTest, IgnoresFilterStatePortWhenFla filter_->onDestroy(); } +// Test for IPv6. +TEST_F(ProxyFilterTest, IPv6BracketStrippingBug) { + Upstream::ResourceAutoIncDec* circuit_breakers_( + new Upstream::ResourceAutoIncDec(pending_requests_)); + InSequence s; + + EXPECT_CALL(callbacks_, route()); + EXPECT_CALL(factory_context_.server_factory_context_.cluster_manager_, getThreadLocalCluster(_)); + EXPECT_CALL(*transport_socket_factory_, implementsSecureTransport()).WillOnce(Return(false)); + EXPECT_CALL(callbacks_, route()); + EXPECT_CALL(*dns_cache_manager_->dns_cache_, canCreateDnsRequest_()) + .WillOnce(Return(circuit_breakers_)); + EXPECT_CALL(callbacks_, streamInfo()); + EXPECT_CALL(callbacks_, dispatcher()); + EXPECT_CALL(callbacks_, streamInfo()); + + // We expect IPv6 address with brackets to be preserved and port to be detected. + Common::DynamicForwardProxy::MockLoadDnsCacheEntryHandle* handle = + new Common::DynamicForwardProxy::MockLoadDnsCacheEntryHandle(); + EXPECT_CALL(*dns_cache_manager_->dns_cache_, loadDnsCacheEntry_(Eq("[::1]"), 8080, _, _)) + .WillOnce(Return( + MockLoadDnsCacheEntryResult{LoadDnsCacheEntryStatus::Loading, handle, absl::nullopt})); + + // Test with IPv6 literal host header. + Http::TestRequestHeaderMapImpl headers{{":authority", "[::1]:8080"}}; + EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, + filter_->decodeHeaders(headers, false)); + + EXPECT_CALL(*handle, onDestroy()); + filter_->onDestroy(); +} + +// Parameterized test for IPv6 bracket variations. +struct IPv6TestCase { + std::string host_header; + std::string expected_host; + uint16_t expected_port; + std::string test_name; +}; + +class ProxyFilterIPv6ParameterizedTest : public ProxyFilterTest, + public testing::WithParamInterface {}; + +TEST_P(ProxyFilterIPv6ParameterizedTest, IPv6BracketVariations) { + const auto& test_case = GetParam(); + + Upstream::ResourceAutoIncDec* circuit_breakers_( + new Upstream::ResourceAutoIncDec(pending_requests_)); + InSequence s; + + EXPECT_CALL(callbacks_, route()); + EXPECT_CALL(factory_context_.server_factory_context_.cluster_manager_, getThreadLocalCluster(_)); + EXPECT_CALL(*transport_socket_factory_, implementsSecureTransport()).WillOnce(Return(false)); + EXPECT_CALL(callbacks_, route()); + EXPECT_CALL(*dns_cache_manager_->dns_cache_, canCreateDnsRequest_()) + .WillOnce(Return(circuit_breakers_)); + EXPECT_CALL(callbacks_, streamInfo()); + EXPECT_CALL(callbacks_, dispatcher()); + EXPECT_CALL(callbacks_, streamInfo()); + + Common::DynamicForwardProxy::MockLoadDnsCacheEntryHandle* handle = + new Common::DynamicForwardProxy::MockLoadDnsCacheEntryHandle(); + EXPECT_CALL(*dns_cache_manager_->dns_cache_, + loadDnsCacheEntry_(Eq(test_case.expected_host), test_case.expected_port, _, _)) + .WillOnce(Return( + MockLoadDnsCacheEntryResult{LoadDnsCacheEntryStatus::Loading, handle, absl::nullopt})); + + Http::TestRequestHeaderMapImpl headers{{":authority", test_case.host_header}}; + EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, + filter_->decodeHeaders(headers, false)); + + EXPECT_CALL(*handle, onDestroy()); + filter_->onDestroy(); +} + +INSTANTIATE_TEST_SUITE_P( + IPv6Formats, ProxyFilterIPv6ParameterizedTest, + testing::Values( + IPv6TestCase{"[::1]:8080", "[::1]", 8080, "IPv6LoopbackWithPort"}, + IPv6TestCase{"[2001:db8::1]:443", "[2001:db8::1]", 443, "IPv6AddressWithHTTPSPort"}, + IPv6TestCase{"[::1]", "[::1]", 80, "IPv6LoopbackDefaultPort"}, + IPv6TestCase{"[2001:db8:85a3::8a2e:370:7334]:9999", "[2001:db8:85a3::8a2e:370:7334]", 9999, + "IPv6FullAddressWithCustomPort"}), + [](const testing::TestParamInfo& info) { return info.param.test_name; }); + } // namespace } // namespace DynamicForwardProxy } // namespace HttpFilters From 729aeec7bfc049c12b4f7dafc0c41d22a274c8a5 Mon Sep 17 00:00:00 2001 From: botengyao Date: Wed, 23 Jul 2025 13:43:29 -0400 Subject: [PATCH 049/505] docs: fix network ext_proc service format (#40367) Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Boteng Yao --- .../network_ext_proc/v3/network_external_processor.proto | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/api/envoy/service/network_ext_proc/v3/network_external_processor.proto b/api/envoy/service/network_ext_proc/v3/network_external_processor.proto index bc5d8d73488e9..c148baf31c494 100644 --- a/api/envoy/service/network_ext_proc/v3/network_external_processor.proto +++ b/api/envoy/service/network_ext_proc/v3/network_external_processor.proto @@ -31,10 +31,11 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // 3. Control connection lifecycle (continue, close gracefully, or reset) // // Use cases include: -// * Custom protocol inspection and modification -// * Advanced traffic manipulation -// * Security scanning and filtering -// * Dynamic connection management +// +// 1. Custom protocol inspection and modification +// 2. Advanced traffic manipulation +// 3. Security scanning and filtering +// 4. Dynamic connection management // // The service uses a bidirectional gRPC stream, maintaining state throughout // the connection lifetime while allowing asynchronous processing. From 84305a6cb64bd55aaf606bdd53de7cd6080427a1 Mon Sep 17 00:00:00 2001 From: "publish-envoy[bot]" <140627008+publish-envoy[bot]@users.noreply.github.com> Date: Wed, 23 Jul 2025 17:37:03 +0000 Subject: [PATCH 050/505] repo: Release v1.35.0 **Summary of changes**: * Security: - Fixed TLS inspector handling of client hello messages larger than 16KB. - Fixed bug where empty trusted CA files were accepted, causing validation of any certificate chain. * Build: - **Major**: Upgraded to C++20, enabling modern C++ features throughout the codebase. - Consolidated clang/gcc toolchains using ``--config=clang`` or ``--config=gcc``. - **Breaking**: Removed ``grpc_credentials/aws_iam`` extension and contrib squash filter. * HTTP: - Added ``x-envoy-original-host`` header to record original host values before mutation. - Added HTTP/3 pseudo header validation (disable via ``envoy.restart_features.validate_http3_pseudo_headers``). - Fixed HTTP/1 parser to properly handle newlines between requests per RFC 9112. - Added request/response trailer mutations support in header mutation filter. * Load balancing: - Added override host load balancing policy. - Added hash policy configuration directly to ring hash and maglev load balancers. - Added matcher-based cluster specifier plugin for dynamic cluster selection. * External processing: - Added ``FULL_DUPLEX_STREAMED`` body mode for bidirectional streaming. - Implemented graceful gRPC side stream closing with timeout. - Added per-route ``failure_mode_allow`` override support. * Authentication: - Added OAuth2 token encryption, configurable token expiration, and OIDC logout support. - Added API key auth filter with forwarding configuration. - Added AWS IAM Roles Anywhere support. * Observability: - Added TLS certificate expiration metrics. - Enhanced transport tap with streaming trace capability. - Added JA4 fingerprinting to TLS inspector. - Added TCP tunneling access log substitution strings. * New features: - Dynamic modules: Added support for ``LocalityLbEndpoints`` metadata and SSL connection info attributes. - Stateful session cookie attributes and envelope mode support. - Redis proxy AWS IAM authentication and ``scan``/``info`` command support. - Lua filter access to filter context and typed metadata. - ``ServerNameMatcher`` for trie-based domain matching. * Notable fixes: - Fixed Wasm hang after VM crash in request callbacks. - Fixed Lua filter crash when removing status header. - Fixed connection pool capacity calculation issues. - Improved TCP proxy retry logic to avoid connection issues. **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.0 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.35.0/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.35.0/version_history/v1.35/v1.35.0 **Full changelog**: https://github.com/envoyproxy/envoy/compare/v1.34.0...v1.35.0 --- VERSION.txt | 2 +- changelogs/current.yaml | 14 ++++---------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/VERSION.txt b/VERSION.txt index 0ce1104204d7a..2aeaa11ee27ed 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -1.35.0-dev +1.35.0 diff --git a/changelogs/current.yaml b/changelogs/current.yaml index b25188a83b6db..71562fafc19cb 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,7 +1,6 @@ -date: Pending +date: July 23, 2025 behavior_changes: -# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* - area: aws_iam change: | As announced in November 2024 (see https://github.com/envoyproxy/envoy/issues/37621), the @@ -34,7 +33,6 @@ behavior_changes: Bumped up V8 version to ``13.8.258.26`` to address multiple CVEs. minor_behavior_changes: -# *Changes that may cause incompatibilities for some users, but should not for most* - area: geoip change: | The lookup for ASN information is fetched from ``asn_db`` if ``asn_db_path`` is defined and from ``isp_db`` if @@ -110,12 +108,11 @@ minor_behavior_changes: Extension status changed from ``alpha`` to ``stable``. - area: oauth2 change: | - Starting from this release, these cookies: oauth_hmac,oauth_expires,refresh_token,oauth_nonce,code_verifier will - not be forwarded to the upstream. This behavior can be reverted by setting the runtime guard - ``envoy.reloadable_features.oauth2_cleanup_cookies`` to ``false``. + Starting from this release, these cookies: oauth_hmac,oauth_expires,refresh_token,oauth_nonce,code_verifier will + not be forwarded to the upstream. This behavior can be reverted by setting the runtime guard + ``envoy.reloadable_features.oauth2_cleanup_cookies`` to ``false``. bug_fixes: -# *Changes expected to improve the state of the world and are unlikely to have negative effects* - area: geoip change: | Fixed a bug where the ``apple_private_relay`` header was not populated correctly when isp header wasn't set. @@ -177,7 +174,6 @@ bug_fixes: Bumped wasmtime version to 24.0.2 to address CVE. removed_config_or_runtime: -# *Normally occurs at the end of the* :ref:`deprecation period ` - area: websocket change: | Removed runtime guard ``envoy.reloadable_features.switch_protocol_websocket_handshake`` and legacy code paths. @@ -405,5 +401,3 @@ new_features: change: | Added ``assume_role_credential_provider`` to add support for role chaining in AWS filters. This allows envoy to assume an additional role before SigV4 signing occurs. - -deprecated: From d35038d000e04f98011b89132c3fddf3f735d36e Mon Sep 17 00:00:00 2001 From: phlax Date: Wed, 23 Jul 2025 20:57:19 +0100 Subject: [PATCH 051/505] repo: Dev v1.36.0 (#40369) Signed-off-by: Ryan Northey --- VERSION.txt | 2 +- changelogs/1.35.0.yaml | 403 ++++++++++++++++++++++++++++++++++++++++ changelogs/current.yaml | 400 +-------------------------------------- 3 files changed, 411 insertions(+), 394 deletions(-) create mode 100644 changelogs/1.35.0.yaml diff --git a/VERSION.txt b/VERSION.txt index 2aeaa11ee27ed..feba387a7d6e9 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -1.35.0 +1.36.0-dev diff --git a/changelogs/1.35.0.yaml b/changelogs/1.35.0.yaml new file mode 100644 index 0000000000000..71562fafc19cb --- /dev/null +++ b/changelogs/1.35.0.yaml @@ -0,0 +1,403 @@ +date: July 23, 2025 + +behavior_changes: +- area: aws_iam + change: | + As announced in November 2024 (see https://github.com/envoyproxy/envoy/issues/37621), the + ``grpc_credentials/aws_iam`` extension is being deleted. Any configuration referencing this extension + will fail to load. +- area: prefix_match_map + change: | + :ref:`prefix_match_map ` + now continues to search for a match with a shorter prefix if a longer match + does not find an action. This brings it in line with the behavior of ``matcher_list``. + This change can temporarily be reverted by setting the runtime guard + ``envoy.reloadable_features.prefix_map_matcher_resume_after_subtree_miss`` to ``false``. + If the old behavior is desired more permanently, this can be achieved in config by setting + an ``on_no_match`` action that responds with ``404`` for each subtree. +- area: server + change: | + Envoy will automatically raise the soft limit on the file descriptors to the hard limit. This behavior + can be reverted using the runtime guard ``envoy_restart_features_raise_file_limits``. +- area: build + change: | + Removed the ``clang-libstdc++`` toolchain setup as this is no longer used or tested by the project. + Consolidated Clang and GCC toolchains which can be used with ``--config=clang`` or ``--config=gcc``. + These use ``libc++`` and ``libstdc++`` respectively. +- area: squash_filter + change: | + The Squash HTTP filter in ``contrib`` has been deleted. The project it provided integration with has been idle for + five years and appears abandoned. +- area: wasm + change: | + Bumped up V8 version to ``13.8.258.26`` to address multiple CVEs. + +minor_behavior_changes: +- area: geoip + change: | + The lookup for ASN information is fetched from ``asn_db`` if ``asn_db_path`` is defined and from ``isp_db`` if + ``asn_db_path`` is not defined. +- area: lua + change: | + The ``metadata()`` of the Lua filter now will search the metadata by the :ref:`filter config name + ` first. + And if not found, it will search by the canonical name of the filter ``envoy.filters.http.lua``. +- area: grpc-json + change: | + Made the :ref:`gRPC JSON transcoder filter's ` JSON print options configurable. +- area: oauth2 + change: | + Reset CSRF token when token validation fails during redirection. + If the CSRF token cookie is present during the redirection to the authorization server, it will be validated. + Previously, if this validation failed, the OAuth flow would fail. Now the CSRF token will simply be reset. This fixes + the case where an HMAC secret change causes a redirect flow, but the CSRF token cookie hasn't yet expired + causing a CSRF token validation failure. +- area: cel + change: | + Precompile regexes in CEL expressions. This can be disabled by setting the runtime guard + ``envoy.reloadable_features.enable_cel_regex_precompilation`` to ``false``. +- area: dns + change: | + Allow ``getaddrinfo`` to be configured to run by a thread pool, controlled by :ref:`num_resolver_threads + `. +- area: dns + change: | + Honor the default DNS resolver configuration in the bootstrap config + :ref:`typed_dns_resolver_config ` + if the DNS cache configuration in the dynamic forward proxy filter is empty + :ref:`dns_cache_config `. +- area: grpc-json-transcoding + change: | + Added SSE style message framing for streamed responses in :ref:`gRPC JSON transcoder filter `. +- area: http + change: | + :ref:`response_headers_to_add ` and + :ref:`response_headers_to_remove ` + will also be applied to the local responses from the ``envoy.filters.http.router`` filter. +- area: tracing + change: | + Added :ref:`max_cache_size ` + to the OpenTelemetry tracer config. This limits the number of spans that can be cached before flushing. +- area: aws + change: | + :ref:`AwsCredentialProvider ` now supports all defined credential + providers, allowing complete customization of the credential provider chain when using AWS request signing extension. +- area: ext_proc + change: | + If the ext_proc server sends a spurious response message to Envoy, Envoy now performs fail-open or fail-close action based on + :ref:`failure_mode_allow ` + configuration. This change can be reverted by setting the runtime guard + ``envoy.reloadable_features.ext_proc_fail_close_spurious_resp`` to ``false``. +- area: filters + change: | + :ref:`Credential injector filter ` is no longer + a work in progress field. +- area: oauth2 + change: | + The access token, ID token and refresh token in the cookies are now encrypted using the HMAC secret. This behavior can + be reverted by setting the runtime guard ``envoy.reloadable_features.oauth2_encrypt_tokens`` to ``false``. +- area: http3 + change: | + Validate HTTP/3 pseudo headers. Can be disabled by setting ``envoy.restart_features.validate_http3_pseudo_headers`` to ``false``. +- area: formatter + change: | + Now the ``METADATA`` and ``CEL`` substitution formatters can access or log the metadata of + the virtual host in case the route is not matched but the virtual host is found. +- area: oauth2 + change: | + Extension status changed from ``alpha`` to ``stable``. +- area: oauth2 + change: | + Starting from this release, these cookies: oauth_hmac,oauth_expires,refresh_token,oauth_nonce,code_verifier will + not be forwarded to the upstream. This behavior can be reverted by setting the runtime guard + ``envoy.reloadable_features.oauth2_cleanup_cookies`` to ``false``. + +bug_fixes: +- area: geoip + change: | + Fixed a bug where the ``apple_private_relay`` header was not populated correctly when isp header wasn't set. +- area: conn_pool + change: | + Fixed an issue that could lead to too many connections when using + :ref:`AutoHttpConfig ` if the + established connection is HTTP/2 and Envoy predicted it would have lower concurrent capacity. +- area: conn_pool + change: | + Fixed an issue that could lead to insufficient connections for current pending requests. If a connection starts draining while it + has negative unused capacity (which happens if an HTTP/2 ``SETTINGS`` frame reduces allowed concurrency to below the current number + of requests), that connection's unused capacity will be included in total pool capacity even though it is unusable because it is + draining. This can result in not enough connections being established for current pending requests. This is most problematic for + long-lived requests (such as streaming gRPC requests or long-poll requests) because a connection could be in the draining state + for a long time. +- area: hcm + change: | + Fixed a bug where the lifetime of the ``HttpConnectionManager``'s ``ActiveStream`` can be out of sync + with the lifetime of the codec stream. +- area: config_validation + change: | + Fixed a bug where the config validation server will crash when the configuration contains + ``%CEL%`` or ``%METADATA%`` substitution formatter. +- area: tls + change: | + Fixed an issue with incorrectly cached connection properties on TLS connections. + If TLS connection data was queried before it was available, an empty value was being incorrectly cached, preventing later calls from + getting the correct value. This could be triggered with a ``tcp_proxy`` access log configured to emit a log upon connection + establishment if the log contains fields of the TLS peer certificate. Then a later use of the data, such as the network RBAC + filter validating a peer certificate SAN, may incorrectly fail due to the empty cached value. +- area: quic + change: | + Fixed a bug in Envoy's HTTP/3-to-HTTP/1 proxying when a ``transfer-encoding`` header is incorrectly appended. + Protected by runtime guard ``envoy.reloadable_features.quic_signal_headers_only_to_http1_backend``. +- area: runtime + change: | + Fixed a bug which resulted in an ``ENVOY_BUG`` being incorrectly triggered when runtime settings + ``envoy.reloadable_features.max_request_headers_count``, ``envoy.reloadable_features.max_response_headers_count``, + ``envoy.reloadable_features.max_request_headers_size_kb``, or ``envoy.reloadable_features.max_response_headers_size_kb`` were set. +- area: tls + change: | + Fixed a bug where empty trusted CA file or inline string is accepted and causes Envoy to successfully validate any certificate + chain. This fix addresses this issue by rejecting such configuration with empty value. This behavior can be reverted by setting + the runtime guard ``envoy.reloadable_features.reject_empty_trusted_ca_file`` to ``false``. +- area: tls_inspector + change: | + Fixed a bug where the TLS inspector filter would not correctly report ``client_hello_too_large`` stat for too big client + hello messages, i.e., bigger than 16 KB. +- area: wasm + change: | + Fixed a bug where the Wasm filter hangs when the VM is crashed in the request callbacks. +- area: dynatrace + change: | + Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than + ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. +- area: wasm + change: | + Bumped wasmtime version to 24.0.2 to address CVE. + +removed_config_or_runtime: +- area: websocket + change: | + Removed runtime guard ``envoy.reloadable_features.switch_protocol_websocket_handshake`` and legacy code paths. +- area: http2 + change: | + Removed runtime guard ``envoy.reloadable_features.http2_no_protocol_error_upon_clean_close`` and legacy code paths. +- area: access_log + change: | + Removed runtime guard ``envoy.reloadable_features.sanitize_sni_in_access_log`` and legacy code paths. +- area: quic + change: | + Removed runtime guard ``envoy.reloadable_features.quic_connect_client_udp_sockets`` and legacy code paths. +- area: quic + change: | + Removed runtime guard ``envoy.reloadable_features.quic_support_certificate_compression`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.internal_authority_header_validator`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy_reloadable_features_filter_access_loggers_first`` and legacy code paths. +- area: tcp_proxy + change: | + Removed runtime guard ``envoy.reloadable_features.tcp_tunneling_send_downstream_fin_on_upstream_trailers`` and legacy code paths. +- area: runtime + change: | + Removed runtime guard ``envoy_reloadable_features_boolean_to_string_fix`` and legacy code paths. +- area: logging + change: | + Removed runtime guard ``envoy.reloadable_features.logging_with_fast_json_formatter`` and legacy code paths. +- area: sni + change: | + Removed runtime guard ``envoy.reloadable_features.use_route_host_mutation_for_auto_sni_san`` and legacy code paths. +- area: ext_proc + change: | + Removed runtime guard ``envoy.reloadable_features.ext_proc_timeout_error`` and legacy code paths. +- area: quic + change: | + Removed runtime guard ``envoy.reloadable_features.extend_h3_accept_untrusted`` and legacy code paths. +- area: lua + change: | + Removed runtime guard ``envoy.reloadable_features.lua_flow_control_while_http_call`` and legacy code paths. +- area: http1 + change: | + Removed runtime guard ``envoy.reloadable_features.envoy_reloadable_features_http1_use_balsa_parser`` and legacy code paths. + +new_features: +- area: build + change: | + Upgraded Envoy to build with C++20; Envoy developers can use C++20 features now. +- area: redis + change: | + Added support for ``SCAN``, ``INFO`` and ``ROLE``. +- area: http + change: | + Added :ref:`x-envoy-original-host ` that + is used to record the original host header value before it is mutated by the router filter. +- area: stateful_session + change: | + Support for envelope stateful session extension to keep the existing session header value + from upstream server. See :ref:`mode + ` + for more details. +- area: transport_tap + change: | + Added counter in transport tap for streaming and buffer trace. + Streamed trace can send tapped message based on configured size. +- area: udp_sink + change: | + Enhanced UDP sink to support a single message whose size is bigger than 64 KB. +- area: load_balancing + change: | + Added Override Host Load Balancing policy. See + :ref:`load balancing policies overview ` for more details. +- area: load_balancing + change: | + Added :ref:`hash policy support + ` + to the ring hash and maglev load balancing policies. If the hash policy in the load balancer is + configured, the + :ref:`route level hash policy ` + will be ignored. +- area: lua + change: | + Added support for accessing filter context. + See :ref:`filterContext() ` for more details. +- area: resource_monitors + change: | + Added new cgroup memory resource monitor that reads memory usage/limit from cgroup v1/v2 subsystems and calculates + memory pressure, with configurable ``max_memory_bytes`` limit + :ref:`existing extension `. +- area: ext_authz + change: | + Added ``grpc_status`` to ``ExtAuthzLoggingInfo`` in ``ext_authz`` HTTP filter. +- area: http + change: | + Added :ref:`response trailers mutations + ` and + :ref:`request trailers mutations + ` + to :ref:`Header Mutation Filter ` + for adding/removing trailers from the request and the response. +- area: postgres + change: | + Added support for requiring downstream SSL. +- area: url_template + change: | + Included the asterisk ``*`` in the match pattern when using the ``*`` or ``**`` operators in the URL template. + This behavioral change can be temporarily reverted by setting runtime guard + ``envoy.reloadable_features.uri_template_match_on_asterisk`` to ``false``. +- area: socket + change: | + Added ``network_namespace_filepath`` to ``SocketAddress``. Currently only used by listeners. +- area: rbac_filter + change: | + Allow-listed ``FilterStateInput`` to be used with the xDS matcher in the HTTP RBAC filter. +- area: rbac_filter + change: | + Allow-listed ``FilterStateInput`` to be used with the xDS matcher in the Network RBAC filter. +- area: tls_inspector_filter + change: | + Added :ref:`enable_ja4_fingerprinting + ` to create + a JA4 fingerprint hash from the Client Hello message. +- area: local_ratelimit + change: | + ``local_ratelimit`` will return ``x-ratelimit-reset`` header when the rate limit is exceeded. +- area: oauth2 + change: | + Added :ref:`end_session_endpoint ` + to the ``oauth2`` filter to support OIDC RP initiated logout. This field is only used when + ``openid`` is in the :ref:`auth_scopes ` field. + If configured, the OAuth2 filter will redirect users to this endpoint when they access the + :ref:`signout_path `. This allows users to + be logged out of the Authorization server. +- area: tcp_access_logs + change: | + Added support for ``%BYTES_RECEIVED%``, ``%BYTES_SENT%``, ``%UPSTREAM_HEADER_BYTES_SENT%``, ``%UPSTREAM_HEADER_BYTES_RECEIVED%``, + ``%UPSTREAM_WIRE_BYTES_SENT%``, ``%UPSTREAM_WIRE_BYTES_RECEIVED%`` access log substitution strings for TCP tunneling flows. +- area: oauth2 + change: | + Added configurable :ref:`csrf_token_expires_in + ` + and :ref:`code_verifier_token_expires_in + ` + fields to the ``oauth2`` filter. Both default to ``600s`` (10 minutes) if not specified, keeping backward compatibility. +- area: load_shed_point + change: | + Added load shed point ``envoy.load_shed_points.connection_pool_new_connection`` in the connection pool, and it will not + create new connections when Envoy is under pressure, and the pending downstream requests will be cancelled. +- area: api_key_auth + change: | + Added :ref:`forwarding configuration ` + to the API Key Auth filter, which allows forwarding the authenticated client identity + using a custom header, and also offers the option to remove the API key from the request + before forwarding. +- area: lua + change: | + Added a new ``dynamicTypedMetadata()`` on ``connectionStreamInfo()`` which can be used to access the typed metadata from + network filters, such as the Proxy Protocol, etc. +- area: aws + change: | + Implementation of `IAM Roles Anywhere support `_ in the + AWS common components, providing this capability to the AWS Lambda and AWS Request Signing extensions. +- area: redis + change: | + ``redis_proxy`` filter now supports AWS IAM Authentication. +- area: router + change: | + Added matcher based router cluster specifier plugin to support selecting cluster dynamically based on a matcher tree. + See + :ref:`matcher cluster specifier plugin ` + for more details. +- area: router + change: | + Added new ``refreshRouteCluster()`` method to stream filter callbacks to support refreshing the route cluster and + does not need to update the route cache. See :ref:`http route mutation ` for + more details. +- area: lua + change: | + Added a new ``dynamicTypedMetadata()`` on ``streamInfo()`` which can be used to access the typed metadata from + HTTP filters, such as the Set Metadata filter, etc. +- area: ratelimit + change: | + Added a new ``failure_mode_deny_percent`` field of type ``Envoy::Runtime::FractionalPercent`` attached to the rate + limit filter to configure the failure mode for rate limit service errors in runtime. + It acts as an override for the existing ``failure_mode_deny`` field in the filter config. +- area: tls + change: | + Added new metric for emitting seconds since UNIX epoch of expirations of TLS and CA certificates. + They are rooted at ``cluster..ssl.certificate..`` + and at ``listener.
.ssl.certificate..`` namespace. +- area: ext_proc + change: | + The :ref:`failure_mode_allow ` + setting may now be overridden on a per-route basis. +- area: matcher + change: | + Added support for :ref:`ServerNameMatcher ` trie-based matching. +- area: stateful_session + change: | + Added support for cookie attributes to stateful session cookie. +- area: http3 + change: | + Added :ref:`disable_connection_flow_control_for_streams + `, an experimental + option for disabling connection level flow control for streams. This is useful in situations where the streams share the same + connection but originate from different end-clients, so that each stream can make progress independently at non-front-line proxies. +- area: dfp + change: | + Added :ref:`allow_dynamic_host_from_filter_state + ` + flag to HTTP Dynamic Forward Proxy filter. When enabled, the filter will check for ``envoy.upstream.dynamic_host`` and + ``envoy.upstream.dynamic_port`` filter state values before using the HTTP Host header, providing consistency with SNI + and UDP DFP filters. When disabled (default), maintains backward compatibility by using the HTTP Host header directly. +- area: alts + change: | + Added environment variable-protected gRPC keepalive params to the ALTS handshaker client. +- area: wasm + change: | + Added support for returning ``StopIteration`` from plugin ``onRequestHeader`` and ``onResponseHeader`` callbacks. See + :ref:`allow_on_headers_stop_iteration ` + for more details. By default, current behavior is maintained. +- area: aws + change: | + Added ``assume_role_credential_provider`` to add support for role chaining in AWS filters. This allows envoy to + assume an additional role before SigV4 signing occurs. diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 71562fafc19cb..9ecf0d6e48ce5 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,403 +1,17 @@ -date: July 23, 2025 +date: Pending behavior_changes: -- area: aws_iam - change: | - As announced in November 2024 (see https://github.com/envoyproxy/envoy/issues/37621), the - ``grpc_credentials/aws_iam`` extension is being deleted. Any configuration referencing this extension - will fail to load. -- area: prefix_match_map - change: | - :ref:`prefix_match_map ` - now continues to search for a match with a shorter prefix if a longer match - does not find an action. This brings it in line with the behavior of ``matcher_list``. - This change can temporarily be reverted by setting the runtime guard - ``envoy.reloadable_features.prefix_map_matcher_resume_after_subtree_miss`` to ``false``. - If the old behavior is desired more permanently, this can be achieved in config by setting - an ``on_no_match`` action that responds with ``404`` for each subtree. -- area: server - change: | - Envoy will automatically raise the soft limit on the file descriptors to the hard limit. This behavior - can be reverted using the runtime guard ``envoy_restart_features_raise_file_limits``. -- area: build - change: | - Removed the ``clang-libstdc++`` toolchain setup as this is no longer used or tested by the project. - Consolidated Clang and GCC toolchains which can be used with ``--config=clang`` or ``--config=gcc``. - These use ``libc++`` and ``libstdc++`` respectively. -- area: squash_filter - change: | - The Squash HTTP filter in ``contrib`` has been deleted. The project it provided integration with has been idle for - five years and appears abandoned. -- area: wasm - change: | - Bumped up V8 version to ``13.8.258.26`` to address multiple CVEs. +# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* minor_behavior_changes: -- area: geoip - change: | - The lookup for ASN information is fetched from ``asn_db`` if ``asn_db_path`` is defined and from ``isp_db`` if - ``asn_db_path`` is not defined. -- area: lua - change: | - The ``metadata()`` of the Lua filter now will search the metadata by the :ref:`filter config name - ` first. - And if not found, it will search by the canonical name of the filter ``envoy.filters.http.lua``. -- area: grpc-json - change: | - Made the :ref:`gRPC JSON transcoder filter's ` JSON print options configurable. -- area: oauth2 - change: | - Reset CSRF token when token validation fails during redirection. - If the CSRF token cookie is present during the redirection to the authorization server, it will be validated. - Previously, if this validation failed, the OAuth flow would fail. Now the CSRF token will simply be reset. This fixes - the case where an HMAC secret change causes a redirect flow, but the CSRF token cookie hasn't yet expired - causing a CSRF token validation failure. -- area: cel - change: | - Precompile regexes in CEL expressions. This can be disabled by setting the runtime guard - ``envoy.reloadable_features.enable_cel_regex_precompilation`` to ``false``. -- area: dns - change: | - Allow ``getaddrinfo`` to be configured to run by a thread pool, controlled by :ref:`num_resolver_threads - `. -- area: dns - change: | - Honor the default DNS resolver configuration in the bootstrap config - :ref:`typed_dns_resolver_config ` - if the DNS cache configuration in the dynamic forward proxy filter is empty - :ref:`dns_cache_config `. -- area: grpc-json-transcoding - change: | - Added SSE style message framing for streamed responses in :ref:`gRPC JSON transcoder filter `. -- area: http - change: | - :ref:`response_headers_to_add ` and - :ref:`response_headers_to_remove ` - will also be applied to the local responses from the ``envoy.filters.http.router`` filter. -- area: tracing - change: | - Added :ref:`max_cache_size ` - to the OpenTelemetry tracer config. This limits the number of spans that can be cached before flushing. -- area: aws - change: | - :ref:`AwsCredentialProvider ` now supports all defined credential - providers, allowing complete customization of the credential provider chain when using AWS request signing extension. -- area: ext_proc - change: | - If the ext_proc server sends a spurious response message to Envoy, Envoy now performs fail-open or fail-close action based on - :ref:`failure_mode_allow ` - configuration. This change can be reverted by setting the runtime guard - ``envoy.reloadable_features.ext_proc_fail_close_spurious_resp`` to ``false``. -- area: filters - change: | - :ref:`Credential injector filter ` is no longer - a work in progress field. -- area: oauth2 - change: | - The access token, ID token and refresh token in the cookies are now encrypted using the HMAC secret. This behavior can - be reverted by setting the runtime guard ``envoy.reloadable_features.oauth2_encrypt_tokens`` to ``false``. -- area: http3 - change: | - Validate HTTP/3 pseudo headers. Can be disabled by setting ``envoy.restart_features.validate_http3_pseudo_headers`` to ``false``. -- area: formatter - change: | - Now the ``METADATA`` and ``CEL`` substitution formatters can access or log the metadata of - the virtual host in case the route is not matched but the virtual host is found. -- area: oauth2 - change: | - Extension status changed from ``alpha`` to ``stable``. -- area: oauth2 - change: | - Starting from this release, these cookies: oauth_hmac,oauth_expires,refresh_token,oauth_nonce,code_verifier will - not be forwarded to the upstream. This behavior can be reverted by setting the runtime guard - ``envoy.reloadable_features.oauth2_cleanup_cookies`` to ``false``. +# *Changes that may cause incompatibilities for some users, but should not for most* bug_fixes: -- area: geoip - change: | - Fixed a bug where the ``apple_private_relay`` header was not populated correctly when isp header wasn't set. -- area: conn_pool - change: | - Fixed an issue that could lead to too many connections when using - :ref:`AutoHttpConfig ` if the - established connection is HTTP/2 and Envoy predicted it would have lower concurrent capacity. -- area: conn_pool - change: | - Fixed an issue that could lead to insufficient connections for current pending requests. If a connection starts draining while it - has negative unused capacity (which happens if an HTTP/2 ``SETTINGS`` frame reduces allowed concurrency to below the current number - of requests), that connection's unused capacity will be included in total pool capacity even though it is unusable because it is - draining. This can result in not enough connections being established for current pending requests. This is most problematic for - long-lived requests (such as streaming gRPC requests or long-poll requests) because a connection could be in the draining state - for a long time. -- area: hcm - change: | - Fixed a bug where the lifetime of the ``HttpConnectionManager``'s ``ActiveStream`` can be out of sync - with the lifetime of the codec stream. -- area: config_validation - change: | - Fixed a bug where the config validation server will crash when the configuration contains - ``%CEL%`` or ``%METADATA%`` substitution formatter. -- area: tls - change: | - Fixed an issue with incorrectly cached connection properties on TLS connections. - If TLS connection data was queried before it was available, an empty value was being incorrectly cached, preventing later calls from - getting the correct value. This could be triggered with a ``tcp_proxy`` access log configured to emit a log upon connection - establishment if the log contains fields of the TLS peer certificate. Then a later use of the data, such as the network RBAC - filter validating a peer certificate SAN, may incorrectly fail due to the empty cached value. -- area: quic - change: | - Fixed a bug in Envoy's HTTP/3-to-HTTP/1 proxying when a ``transfer-encoding`` header is incorrectly appended. - Protected by runtime guard ``envoy.reloadable_features.quic_signal_headers_only_to_http1_backend``. -- area: runtime - change: | - Fixed a bug which resulted in an ``ENVOY_BUG`` being incorrectly triggered when runtime settings - ``envoy.reloadable_features.max_request_headers_count``, ``envoy.reloadable_features.max_response_headers_count``, - ``envoy.reloadable_features.max_request_headers_size_kb``, or ``envoy.reloadable_features.max_response_headers_size_kb`` were set. -- area: tls - change: | - Fixed a bug where empty trusted CA file or inline string is accepted and causes Envoy to successfully validate any certificate - chain. This fix addresses this issue by rejecting such configuration with empty value. This behavior can be reverted by setting - the runtime guard ``envoy.reloadable_features.reject_empty_trusted_ca_file`` to ``false``. -- area: tls_inspector - change: | - Fixed a bug where the TLS inspector filter would not correctly report ``client_hello_too_large`` stat for too big client - hello messages, i.e., bigger than 16 KB. -- area: wasm - change: | - Fixed a bug where the Wasm filter hangs when the VM is crashed in the request callbacks. -- area: dynatrace - change: | - Fixed a division by zero bug in the Dynatrace sampling controller that occurred when ``total_wanted`` was less than - ``top_k_size``. The calculation was refactored to avoid the intermediate division that could result in zero. -- area: wasm - change: | - Bumped wasmtime version to 24.0.2 to address CVE. +# *Changes expected to improve the state of the world and are unlikely to have negative effects* removed_config_or_runtime: -- area: websocket - change: | - Removed runtime guard ``envoy.reloadable_features.switch_protocol_websocket_handshake`` and legacy code paths. -- area: http2 - change: | - Removed runtime guard ``envoy.reloadable_features.http2_no_protocol_error_upon_clean_close`` and legacy code paths. -- area: access_log - change: | - Removed runtime guard ``envoy.reloadable_features.sanitize_sni_in_access_log`` and legacy code paths. -- area: quic - change: | - Removed runtime guard ``envoy.reloadable_features.quic_connect_client_udp_sockets`` and legacy code paths. -- area: quic - change: | - Removed runtime guard ``envoy.reloadable_features.quic_support_certificate_compression`` and legacy code paths. -- area: http - change: | - Removed runtime guard ``envoy.reloadable_features.internal_authority_header_validator`` and legacy code paths. -- area: http - change: | - Removed runtime guard ``envoy_reloadable_features_filter_access_loggers_first`` and legacy code paths. -- area: tcp_proxy - change: | - Removed runtime guard ``envoy.reloadable_features.tcp_tunneling_send_downstream_fin_on_upstream_trailers`` and legacy code paths. -- area: runtime - change: | - Removed runtime guard ``envoy_reloadable_features_boolean_to_string_fix`` and legacy code paths. -- area: logging - change: | - Removed runtime guard ``envoy.reloadable_features.logging_with_fast_json_formatter`` and legacy code paths. -- area: sni - change: | - Removed runtime guard ``envoy.reloadable_features.use_route_host_mutation_for_auto_sni_san`` and legacy code paths. -- area: ext_proc - change: | - Removed runtime guard ``envoy.reloadable_features.ext_proc_timeout_error`` and legacy code paths. -- area: quic - change: | - Removed runtime guard ``envoy.reloadable_features.extend_h3_accept_untrusted`` and legacy code paths. -- area: lua - change: | - Removed runtime guard ``envoy.reloadable_features.lua_flow_control_while_http_call`` and legacy code paths. -- area: http1 - change: | - Removed runtime guard ``envoy.reloadable_features.envoy_reloadable_features_http1_use_balsa_parser`` and legacy code paths. +# *Normally occurs at the end of the* :ref:`deprecation period ` new_features: -- area: build - change: | - Upgraded Envoy to build with C++20; Envoy developers can use C++20 features now. -- area: redis - change: | - Added support for ``SCAN``, ``INFO`` and ``ROLE``. -- area: http - change: | - Added :ref:`x-envoy-original-host ` that - is used to record the original host header value before it is mutated by the router filter. -- area: stateful_session - change: | - Support for envelope stateful session extension to keep the existing session header value - from upstream server. See :ref:`mode - ` - for more details. -- area: transport_tap - change: | - Added counter in transport tap for streaming and buffer trace. - Streamed trace can send tapped message based on configured size. -- area: udp_sink - change: | - Enhanced UDP sink to support a single message whose size is bigger than 64 KB. -- area: load_balancing - change: | - Added Override Host Load Balancing policy. See - :ref:`load balancing policies overview ` for more details. -- area: load_balancing - change: | - Added :ref:`hash policy support - ` - to the ring hash and maglev load balancing policies. If the hash policy in the load balancer is - configured, the - :ref:`route level hash policy ` - will be ignored. -- area: lua - change: | - Added support for accessing filter context. - See :ref:`filterContext() ` for more details. -- area: resource_monitors - change: | - Added new cgroup memory resource monitor that reads memory usage/limit from cgroup v1/v2 subsystems and calculates - memory pressure, with configurable ``max_memory_bytes`` limit - :ref:`existing extension `. -- area: ext_authz - change: | - Added ``grpc_status`` to ``ExtAuthzLoggingInfo`` in ``ext_authz`` HTTP filter. -- area: http - change: | - Added :ref:`response trailers mutations - ` and - :ref:`request trailers mutations - ` - to :ref:`Header Mutation Filter ` - for adding/removing trailers from the request and the response. -- area: postgres - change: | - Added support for requiring downstream SSL. -- area: url_template - change: | - Included the asterisk ``*`` in the match pattern when using the ``*`` or ``**`` operators in the URL template. - This behavioral change can be temporarily reverted by setting runtime guard - ``envoy.reloadable_features.uri_template_match_on_asterisk`` to ``false``. -- area: socket - change: | - Added ``network_namespace_filepath`` to ``SocketAddress``. Currently only used by listeners. -- area: rbac_filter - change: | - Allow-listed ``FilterStateInput`` to be used with the xDS matcher in the HTTP RBAC filter. -- area: rbac_filter - change: | - Allow-listed ``FilterStateInput`` to be used with the xDS matcher in the Network RBAC filter. -- area: tls_inspector_filter - change: | - Added :ref:`enable_ja4_fingerprinting - ` to create - a JA4 fingerprint hash from the Client Hello message. -- area: local_ratelimit - change: | - ``local_ratelimit`` will return ``x-ratelimit-reset`` header when the rate limit is exceeded. -- area: oauth2 - change: | - Added :ref:`end_session_endpoint ` - to the ``oauth2`` filter to support OIDC RP initiated logout. This field is only used when - ``openid`` is in the :ref:`auth_scopes ` field. - If configured, the OAuth2 filter will redirect users to this endpoint when they access the - :ref:`signout_path `. This allows users to - be logged out of the Authorization server. -- area: tcp_access_logs - change: | - Added support for ``%BYTES_RECEIVED%``, ``%BYTES_SENT%``, ``%UPSTREAM_HEADER_BYTES_SENT%``, ``%UPSTREAM_HEADER_BYTES_RECEIVED%``, - ``%UPSTREAM_WIRE_BYTES_SENT%``, ``%UPSTREAM_WIRE_BYTES_RECEIVED%`` access log substitution strings for TCP tunneling flows. -- area: oauth2 - change: | - Added configurable :ref:`csrf_token_expires_in - ` - and :ref:`code_verifier_token_expires_in - ` - fields to the ``oauth2`` filter. Both default to ``600s`` (10 minutes) if not specified, keeping backward compatibility. -- area: load_shed_point - change: | - Added load shed point ``envoy.load_shed_points.connection_pool_new_connection`` in the connection pool, and it will not - create new connections when Envoy is under pressure, and the pending downstream requests will be cancelled. -- area: api_key_auth - change: | - Added :ref:`forwarding configuration ` - to the API Key Auth filter, which allows forwarding the authenticated client identity - using a custom header, and also offers the option to remove the API key from the request - before forwarding. -- area: lua - change: | - Added a new ``dynamicTypedMetadata()`` on ``connectionStreamInfo()`` which can be used to access the typed metadata from - network filters, such as the Proxy Protocol, etc. -- area: aws - change: | - Implementation of `IAM Roles Anywhere support `_ in the - AWS common components, providing this capability to the AWS Lambda and AWS Request Signing extensions. -- area: redis - change: | - ``redis_proxy`` filter now supports AWS IAM Authentication. -- area: router - change: | - Added matcher based router cluster specifier plugin to support selecting cluster dynamically based on a matcher tree. - See - :ref:`matcher cluster specifier plugin ` - for more details. -- area: router - change: | - Added new ``refreshRouteCluster()`` method to stream filter callbacks to support refreshing the route cluster and - does not need to update the route cache. See :ref:`http route mutation ` for - more details. -- area: lua - change: | - Added a new ``dynamicTypedMetadata()`` on ``streamInfo()`` which can be used to access the typed metadata from - HTTP filters, such as the Set Metadata filter, etc. -- area: ratelimit - change: | - Added a new ``failure_mode_deny_percent`` field of type ``Envoy::Runtime::FractionalPercent`` attached to the rate - limit filter to configure the failure mode for rate limit service errors in runtime. - It acts as an override for the existing ``failure_mode_deny`` field in the filter config. -- area: tls - change: | - Added new metric for emitting seconds since UNIX epoch of expirations of TLS and CA certificates. - They are rooted at ``cluster..ssl.certificate..`` - and at ``listener.
.ssl.certificate..`` namespace. -- area: ext_proc - change: | - The :ref:`failure_mode_allow ` - setting may now be overridden on a per-route basis. -- area: matcher - change: | - Added support for :ref:`ServerNameMatcher ` trie-based matching. -- area: stateful_session - change: | - Added support for cookie attributes to stateful session cookie. -- area: http3 - change: | - Added :ref:`disable_connection_flow_control_for_streams - `, an experimental - option for disabling connection level flow control for streams. This is useful in situations where the streams share the same - connection but originate from different end-clients, so that each stream can make progress independently at non-front-line proxies. -- area: dfp - change: | - Added :ref:`allow_dynamic_host_from_filter_state - ` - flag to HTTP Dynamic Forward Proxy filter. When enabled, the filter will check for ``envoy.upstream.dynamic_host`` and - ``envoy.upstream.dynamic_port`` filter state values before using the HTTP Host header, providing consistency with SNI - and UDP DFP filters. When disabled (default), maintains backward compatibility by using the HTTP Host header directly. -- area: alts - change: | - Added environment variable-protected gRPC keepalive params to the ALTS handshaker client. -- area: wasm - change: | - Added support for returning ``StopIteration`` from plugin ``onRequestHeader`` and ``onResponseHeader`` callbacks. See - :ref:`allow_on_headers_stop_iteration ` - for more details. By default, current behavior is maintained. -- area: aws - change: | - Added ``assume_role_credential_provider`` to add support for role chaining in AWS filters. This allows envoy to - assume an additional role before SigV4 signing occurs. + +deprecated: From 2fd5d3c8a400e64b3ef1abd31bd83dc98b4e607a Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 23 Jul 2025 22:35:54 +0000 Subject: [PATCH 052/505] deps: Bump `aws_lc` -> 1.56.0 (#40391) ## Description This PR bumps `aws_lc` -> 1.56.0 Fix https://github.com/envoyproxy/envoy/issues/40354 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 1293e432c8150..9a159cc5aa1e6 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -164,12 +164,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "AWS libcrypto (AWS-LC)", project_desc = "OpenSSL compatible general-purpose crypto library", project_url = "https://github.com/aws/aws-lc", - version = "1.54.0", - sha256 = "d491b6d6b233e88314a15170d435e28259f7cf4f950a427acc80a0e977aa683a", + version = "1.56.0", + sha256 = "b7c5a91551ee067932a237ce6fdb5293d34d621e7e4b49f3974080b91be50bc2", strip_prefix = "aws-lc-{version}", urls = ["https://github.com/aws/aws-lc/archive/v{version}.tar.gz"], use_category = ["controlplane", "dataplane_core"], - release_date = "2025-06-27", + release_date = "2025-07-22", cpe = "cpe:2.3:a:google:boringssl:*", ), aspect_bazel_lib = dict( From add95334c7a1e6c0088008145954dcfa39cb18af Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 23 Jul 2025 19:20:31 -0700 Subject: [PATCH 053/505] health_check: add request payload support for HTTP health checks (#40322) ## Description This PR implements support for request payloads in HTTP health checks. Users would now be able to specify a request body to be sent during HTTP health checking using the existing send field in the `HttpHealthCheck` configuration. Fix https://github.com/envoyproxy/envoy/issues/40265 --- **Commit Message:** health_check: add request payload support for HTTP health checks **Additional Description:** Added support for request payloads in HTTP health checks. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal --- api/envoy/config/core/v3/health_check.proto | 6 +- changelogs/current.yaml | 9 + source/common/upstream/health_checker_impl.cc | 45 +- source/common/upstream/health_checker_impl.h | 6 + .../http/health_checker_impl.cc | 43 +- .../http/health_checker_impl.h | 1 + .../tcp/health_checker_impl.cc | 9 +- .../upstream/health_checker_impl_test.cc | 424 ++++++++++++++++++ .../health_check_integration_test.cc | 109 +++++ 9 files changed, 630 insertions(+), 22 deletions(-) diff --git a/api/envoy/config/core/v3/health_check.proto b/api/envoy/config/core/v3/health_check.proto index fd4440d8fa5fd..a4ed6e9181898 100644 --- a/api/envoy/config/core/v3/health_check.proto +++ b/api/envoy/config/core/v3/health_check.proto @@ -102,7 +102,8 @@ message HealthCheck { // ``/healthcheck``. string path = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE}]; - // [#not-implemented-hide:] HTTP specific payload. + // HTTP specific payload to be sent as the request body during health checking. + // If specified, the method should support a request body (POST, PUT, PATCH, etc.). Payload send = 3; // Specifies a list of HTTP expected responses to match in the first ``response_buffer_size`` bytes of the response body. @@ -161,7 +162,8 @@ message HealthCheck { type.matcher.v3.StringMatcher service_name_matcher = 11; // HTTP Method that will be used for health checking, default is "GET". - // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported, but making request body is not supported. + // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported. + // Request body payloads are supported for POST, PUT, PATCH, and OPTIONS methods only. // CONNECT method is disallowed because it is not appropriate for health check request. // If a non-200 response is expected by the method, it needs to be set in :ref:`expected_statuses `. RequestMethod method = 13 [(validate.rules).enum = {defined_only: true not_in: 6}]; diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 9ecf0d6e48ce5..4e97986149815 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -13,5 +13,14 @@ removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` new_features: +- area: health_check + change: | + Added support for request payloads in HTTP health checks. The ``send`` field in ``HttpHealthCheck`` can now be + used to specify a request body to be sent during health checking. This feature supports both hex-encoded text + and binary payloads, similar to TCP health checks. The payload can only be used with HTTP methods that support + request bodies (POST, PUT, PATCH, OPTIONS). Methods that must not have request bodies (GET, HEAD, DELETE, TRACE) + are validated and will throw an error if combined with payloads. The implementation is optimized to process the + payload once during configuration and reuse it for all health check requests. See :ref:`HttpHealthCheck + ` for configuration details. deprecated: diff --git a/source/common/upstream/health_checker_impl.cc b/source/common/upstream/health_checker_impl.cc index 86f08d1467308..f66786a63a5b7 100644 --- a/source/common/upstream/health_checker_impl.cc +++ b/source/common/upstream/health_checker_impl.cc @@ -26,6 +26,7 @@ #include "source/common/runtime/runtime_features.h" #include "source/common/upstream/host_utility.h" +#include "absl/status/statusor.h" #include "absl/strings/match.h" #include "absl/strings/str_cat.h" @@ -91,26 +92,42 @@ HealthCheckerFactory::create(const envoy::config::core::v3::HealthCheck& health_ return factory->createCustomHealthChecker(health_check_config, *context); } +absl::StatusOr> +PayloadMatcher::decodePayload(const envoy::config::core::v3::HealthCheck::Payload& payload) { + std::vector decoded; + if (payload.has_text()) { + decoded = Hex::decode(payload.text()); + if (decoded.empty()) { + return absl::InvalidArgumentError(fmt::format("invalid hex string '{}'", payload.text())); + } + } else { + decoded.assign(payload.binary().begin(), payload.binary().end()); + } + return decoded; +} + absl::StatusOr PayloadMatcher::loadProtoBytes( const Protobuf::RepeatedPtrField& byte_array) { - MatchSegments result; - - for (const auto& entry : byte_array) { - std::vector decoded; - if (entry.has_text()) { - decoded = Hex::decode(entry.text()); - if (decoded.empty()) { - return absl::InvalidArgumentError(fmt::format("invalid hex string '{}'", entry.text())); - } - } else { - decoded.assign(entry.binary().begin(), entry.binary().end()); + MatchSegments segments; + for (const auto& payload : byte_array) { + auto decoded_or_error = decodePayload(payload); + if (!decoded_or_error.ok()) { + return decoded_or_error.status(); } - if (!decoded.empty()) { - result.push_back(decoded); + if (!decoded_or_error.value().empty()) { + segments.emplace_back(std::move(decoded_or_error.value())); } } + return segments; +} - return result; +absl::StatusOr PayloadMatcher::loadProtoBytes( + const envoy::config::core::v3::HealthCheck::Payload& single_payload) { + auto decoded_or_error = decodePayload(single_payload); + if (!decoded_or_error.ok()) { + return decoded_or_error.status(); + } + return MatchSegments{std::move(decoded_or_error.value())}; } bool PayloadMatcher::match(const MatchSegments& expected, const Buffer::Instance& buffer) { diff --git a/source/common/upstream/health_checker_impl.h b/source/common/upstream/health_checker_impl.h index 040173b0d95a4..259e9df96198f 100644 --- a/source/common/upstream/health_checker_impl.h +++ b/source/common/upstream/health_checker_impl.h @@ -161,7 +161,13 @@ class PayloadMatcher { static absl::StatusOr loadProtoBytes( const Protobuf::RepeatedPtrField& byte_array); + static absl::StatusOr + loadProtoBytes(const envoy::config::core::v3::HealthCheck::Payload& single_payload); static bool match(const MatchSegments& expected, const Buffer::Instance& buffer); + +private: + static absl::StatusOr> + decodePayload(const envoy::config::core::v3::HealthCheck::Payload& payload); }; } // namespace Upstream diff --git a/source/extensions/health_checkers/http/health_checker_impl.cc b/source/extensions/health_checkers/http/health_checker_impl.cc index bcbed8bd861e8..5c08c5e0d4083 100644 --- a/source/extensions/health_checkers/http/health_checker_impl.cc +++ b/source/extensions/health_checkers/http/health_checker_impl.cc @@ -75,6 +75,31 @@ HttpHealthCheckerImpl::HttpHealthCheckerImpl( random_generator_(context.api().randomGenerator()) { // TODO(boteng): introduce additional validation for the authority and path headers // based on the default UHV when it is available. + + // Process send payload. + if (config.http_health_check().has_send()) { + // Validate that the method supports a request body when payload is specified. + // Use the same logic as HeaderUtility::requestShouldHaveNoBody(), except CONNECT is already + // disallowed by proto validation. + if (method_ == envoy::config::core::v3::GET || method_ == envoy::config::core::v3::HEAD || + method_ == envoy::config::core::v3::DELETE || method_ == envoy::config::core::v3::TRACE) { + throw EnvoyException( + fmt::format("HTTP health check cannot specify a request payload with method '{}'. " + "Only methods that support a request body (POST, PUT, PATCH, OPTIONS) can be " + "used with payload.", + envoy::config::core::v3::RequestMethod_Name(method_))); + } + + // Process the payload and store it in the buffer once during construction. + auto send_bytes_or_error = PayloadMatcher::loadProtoBytes(config.http_health_check().send()); + THROW_IF_NOT_OK_REF(send_bytes_or_error.status()); + + // Copy the processed payload into the buffer once. + for (const auto& segment : send_bytes_or_error.value()) { + request_payload_.add(segment.data(), segment.size()); + } + } + auto bytes_or_error = PayloadMatcher::loadProtoBytes(config.http_health_check().receive()); THROW_IF_NOT_OK_REF(bytes_or_error.status()); receive_bytes_ = bytes_or_error.value(); @@ -275,9 +300,25 @@ void HttpHealthCheckerImpl::HttpActiveHealthCheckSession::onInterval() { stream_info.setUpstreamInfo(std::make_shared()); stream_info.upstreamInfo()->setUpstreamHost(host_); parent_.request_headers_parser_->evaluateHeaders(*request_headers, stream_info); - auto status = request_encoder->encodeHeaders(*request_headers, true); + + // Check if we have a payload to send. + const bool has_payload = parent_.request_payload_.length() > 0; + if (has_payload) { + // Set Content-Length header for the payload. + request_headers->setContentLength(parent_.request_payload_.length()); + } + + auto status = request_encoder->encodeHeaders(*request_headers, !has_payload); // Encoding will only fail if required request headers are missing. ASSERT(status.ok()); + + // Send the payload as request body if specified. + if (has_payload) { + // Copy the payload buffer to send (we need to preserve the original for reuse). + Buffer::OwnedImpl payload_copy; + payload_copy.add(parent_.request_payload_); + request_encoder->encodeData(payload_copy, true); + } } void HttpHealthCheckerImpl::HttpActiveHealthCheckSession::onResetStream(Http::StreamResetReason, diff --git a/source/extensions/health_checkers/http/health_checker_impl.h b/source/extensions/health_checkers/http/health_checker_impl.h index a92226471a7d6..81fae53f73330 100644 --- a/source/extensions/health_checkers/http/health_checker_impl.h +++ b/source/extensions/health_checkers/http/health_checker_impl.h @@ -166,6 +166,7 @@ class HttpHealthCheckerImpl : public HealthCheckerImplBase { const std::string path_; const std::string host_value_; + Buffer::OwnedImpl request_payload_; PayloadMatcher::MatchSegments receive_bytes_; const envoy::config::core::v3::RequestMethod method_; uint64_t response_buffer_size_; diff --git a/source/extensions/health_checkers/tcp/health_checker_impl.cc b/source/extensions/health_checkers/tcp/health_checker_impl.cc index d1c75e45531b1..a0365718b7349 100644 --- a/source/extensions/health_checkers/tcp/health_checker_impl.cc +++ b/source/extensions/health_checkers/tcp/health_checker_impl.cc @@ -50,13 +50,12 @@ TcpHealthCheckerImpl::TcpHealthCheckerImpl(const Cluster& cluster, HealthCheckEventLoggerPtr&& event_logger) : HealthCheckerImplBase(cluster, config, dispatcher, runtime, random, std::move(event_logger)), send_bytes_([&config] { - Protobuf::RepeatedPtrField send_repeated; if (!config.tcp_health_check().send().text().empty()) { - send_repeated.Add()->CopyFrom(config.tcp_health_check().send()); + auto bytes_or_error = PayloadMatcher::loadProtoBytes(config.tcp_health_check().send()); + THROW_IF_NOT_OK_REF(bytes_or_error.status()); + return bytes_or_error.value(); } - auto bytes_or_error = PayloadMatcher::loadProtoBytes(send_repeated); - THROW_IF_NOT_OK_REF(bytes_or_error.status()); - return bytes_or_error.value(); + return PayloadMatcher::MatchSegments{}; }()), proxy_protocol_config_(config.tcp_health_check().has_proxy_protocol_config() ? std::make_unique( diff --git a/test/common/upstream/health_checker_impl_test.cc b/test/common/upstream/health_checker_impl_test.cc index 18aa228dff752..3cb2753c28cd6 100644 --- a/test/common/upstream/health_checker_impl_test.cc +++ b/test/common/upstream/health_checker_impl_test.cc @@ -4173,6 +4173,34 @@ TEST(PayloadMatcher, loadJsonBytes) { } } +TEST(PayloadMatcher, loadSinglePayload) { + // Test the single payload overload with text. + { + envoy::config::core::v3::HealthCheck::Payload single_payload; + single_payload.set_text("39000000"); + + PayloadMatcher::MatchSegments segments = PayloadMatcher::loadProtoBytes(single_payload).value(); + EXPECT_EQ(1U, segments.size()); + } + + // Test the single payload overload with binary. + { + envoy::config::core::v3::HealthCheck::Payload single_payload; + single_payload.set_binary(std::string({0x01, 0x02})); + + PayloadMatcher::MatchSegments segments = PayloadMatcher::loadProtoBytes(single_payload).value(); + EXPECT_EQ(1U, segments.size()); + } + + // Test the single payload overload with invalid hex. + { + envoy::config::core::v3::HealthCheck::Payload single_payload; + single_payload.set_text("gg"); + + EXPECT_FALSE(PayloadMatcher::loadProtoBytes(single_payload).status().ok()); + } +} + static void addUint8(Buffer::Instance& buffer, uint8_t addend) { buffer.add(&addend, sizeof(addend)); } @@ -6825,6 +6853,402 @@ TEST(HealthCheckProto, Validation) { } } +// Tests for HTTP health check payload functionality. +TEST_F(HttpHealthCheckerImplTest, PayloadPostMethod) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: POST + send: + text: "48656C6C6F20576F726C64" # "Hello World" in hex + )EOF"; + + allocHealthChecker(yaml); + addCompletionCallback(); + + EXPECT_CALL(*this, onHostStatus(_, HealthTransition::Unchanged)); + + cluster_->prioritySet().getMockHostSet(0)->hosts_ = { + makeTestHost(cluster_->info_, "tcp://127.0.0.1:80")}; + cluster_->info_->trafficStats()->upstream_cx_total_.inc(); + expectSessionCreate(); + expectStreamCreate(0); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, enableTimer(_, _)); + + // Verify that POST method is used and body is sent. + Buffer::OwnedImpl expected_payload; + expected_payload.add("Hello World"); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeHeaders(_, false)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool end_stream) -> Http::Status { + EXPECT_EQ(headers.getMethodValue(), "POST"); + EXPECT_EQ(headers.getPathValue(), "/healthcheck"); + EXPECT_EQ(headers.getContentLengthValue(), "11"); // "Hello World" is 11 bytes + EXPECT_FALSE(end_stream); // Should not end stream yet as we have body to send + return Http::okStatus(); + })); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeData(_, true)) + .WillOnce(Invoke([&](Buffer::Instance& data, bool end_stream) -> void { + EXPECT_EQ(data.toString(), "Hello World"); + EXPECT_TRUE(end_stream); // Should end stream after sending body + })); + + health_checker_->start(); + + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.max_interval", _)); + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.min_interval", _)) + .WillOnce(Return(45000)); + EXPECT_CALL(*test_sessions_[0]->interval_timer_, + enableTimer(std::chrono::milliseconds(45000), _)); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, disableTimer()); + respond(0, "200", false, false, true); + EXPECT_EQ(Host::Health::Healthy, + cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->coarseHealth()); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadPutMethod) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /api/health + method: PUT + send: + text: "7B0A20202270696E67223A20226F6B220A7D" # {"ping": "ok"} in hex + )EOF"; + + allocHealthChecker(yaml); + addCompletionCallback(); + + EXPECT_CALL(*this, onHostStatus(_, HealthTransition::Unchanged)); + + cluster_->prioritySet().getMockHostSet(0)->hosts_ = { + makeTestHost(cluster_->info_, "tcp://127.0.0.1:80")}; + cluster_->info_->trafficStats()->upstream_cx_total_.inc(); + expectSessionCreate(); + expectStreamCreate(0); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, enableTimer(_, _)); + + // Verify that PUT method is used and JSON body is sent. + const std::string expected_json = "{\n \"ping\": \"ok\"\n}"; + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeHeaders(_, false)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool end_stream) -> Http::Status { + EXPECT_EQ(headers.getMethodValue(), "PUT"); + EXPECT_EQ(headers.getPathValue(), "/api/health"); + EXPECT_EQ(headers.getContentLengthValue(), std::to_string(expected_json.length())); + EXPECT_FALSE(end_stream); + return Http::okStatus(); + })); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeData(_, true)) + .WillOnce(Invoke([&](Buffer::Instance& data, bool end_stream) -> void { + EXPECT_EQ(data.toString(), expected_json); + EXPECT_TRUE(end_stream); + })); + + health_checker_->start(); + + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.max_interval", _)); + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.min_interval", _)) + .WillOnce(Return(45000)); + EXPECT_CALL(*test_sessions_[0]->interval_timer_, + enableTimer(std::chrono::milliseconds(45000), _)); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, disableTimer()); + respond(0, "200", false, false, true); + EXPECT_EQ(Host::Health::Healthy, + cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->coarseHealth()); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadGetMethodThrowsError) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: GET + send: + text: "48656C6C6F" # "Hello" in hex + )EOF"; + + EXPECT_THROW_WITH_MESSAGE( + allocHealthChecker(yaml), EnvoyException, + "HTTP health check cannot specify a request payload with method 'GET'. " + "Only methods that support a request body (POST, PUT, PATCH, OPTIONS) can " + "be used with payload."); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadHeadMethodThrowsError) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: HEAD + send: + text: "48656C6C6F" # "Hello" in hex + )EOF"; + + EXPECT_THROW_WITH_MESSAGE( + allocHealthChecker(yaml), EnvoyException, + "HTTP health check cannot specify a request payload with method 'HEAD'. " + "Only methods that support a request body (POST, PUT, PATCH, OPTIONS) can be used with " + "payload."); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadDeleteMethodThrowsError) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: DELETE + send: + text: "48656C6C6F" # "Hello" in hex + )EOF"; + + EXPECT_THROW_WITH_MESSAGE( + allocHealthChecker(yaml), EnvoyException, + "HTTP health check cannot specify a request payload with method 'DELETE'. " + "Only methods that support a request body (POST, PUT, PATCH, OPTIONS) can be used with " + "payload."); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadTraceMethodThrowsError) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: TRACE + send: + text: "48656C6C6F" # "Hello" in hex + )EOF"; + + EXPECT_THROW_WITH_MESSAGE( + allocHealthChecker(yaml), EnvoyException, + "HTTP health check cannot specify a request payload with method 'TRACE'. " + "Only methods that support a request body (POST, PUT, PATCH, OPTIONS) can be used with " + "payload."); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadOptionsMethodSuccess) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: OPTIONS + send: + text: "48656C6C6F" # "Hello" in hex + )EOF"; + + allocHealthChecker(yaml); + addCompletionCallback(); + + EXPECT_CALL(*this, onHostStatus(_, HealthTransition::Unchanged)); + + cluster_->prioritySet().getMockHostSet(0)->hosts_ = { + makeTestHost(cluster_->info_, "tcp://127.0.0.1:80")}; + cluster_->info_->trafficStats()->upstream_cx_total_.inc(); + expectSessionCreate(); + expectStreamCreate(0); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, enableTimer(_, _)); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeHeaders(_, false)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool end_stream) -> Http::Status { + EXPECT_EQ(headers.getMethodValue(), "OPTIONS"); + EXPECT_EQ(headers.getContentLengthValue(), "5"); // "Hello" is 5 bytes + EXPECT_FALSE(end_stream); + return Http::okStatus(); + })); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeData(_, true)) + .WillOnce(Invoke([&](Buffer::Instance& data, bool end_stream) -> void { + EXPECT_EQ(data.toString(), "Hello"); + EXPECT_TRUE(end_stream); + })); + + health_checker_->start(); + + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.max_interval", _)); + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.min_interval", _)) + .WillOnce(Return(45000)); + EXPECT_CALL(*test_sessions_[0]->interval_timer_, + enableTimer(std::chrono::milliseconds(45000), _)); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, disableTimer()); + respond(0, "200", false, false, true); + EXPECT_EQ(Host::Health::Healthy, + cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->coarseHealth()); +} + +TEST_F(HttpHealthCheckerImplTest, PayloadPatchMethodSuccess) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: PATCH + send: + text: "7B2274657374223A2274727565227D" # {"test":"true"} in hex + )EOF"; + + allocHealthChecker(yaml); + addCompletionCallback(); + + EXPECT_CALL(*this, onHostStatus(_, HealthTransition::Unchanged)); + + cluster_->prioritySet().getMockHostSet(0)->hosts_ = { + makeTestHost(cluster_->info_, "tcp://127.0.0.1:80")}; + cluster_->info_->trafficStats()->upstream_cx_total_.inc(); + expectSessionCreate(); + expectStreamCreate(0); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, enableTimer(_, _)); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeHeaders(_, false)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool end_stream) -> Http::Status { + EXPECT_EQ(headers.getMethodValue(), "PATCH"); + EXPECT_EQ(headers.getContentLengthValue(), "15"); // {"test":"true"} is 15 bytes + EXPECT_FALSE(end_stream); + return Http::okStatus(); + })); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeData(_, true)) + .WillOnce(Invoke([&](Buffer::Instance& data, bool end_stream) -> void { + EXPECT_EQ(data.toString(), "{\"test\":\"true\"}"); + EXPECT_TRUE(end_stream); + })); + + health_checker_->start(); + + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.max_interval", _)); + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.min_interval", _)) + .WillOnce(Return(45000)); + EXPECT_CALL(*test_sessions_[0]->interval_timer_, + enableTimer(std::chrono::milliseconds(45000), _)); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, disableTimer()); + respond(0, "200", false, false, true); + EXPECT_EQ(Host::Health::Healthy, + cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->coarseHealth()); +} + +TEST_F(HttpHealthCheckerImplTest, NoPayloadGetMethodDefault) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + )EOF"; + + allocHealthChecker(yaml); + addCompletionCallback(); + + EXPECT_CALL(*this, onHostStatus(_, HealthTransition::Unchanged)); + + cluster_->prioritySet().getMockHostSet(0)->hosts_ = { + makeTestHost(cluster_->info_, "tcp://127.0.0.1:80")}; + cluster_->info_->trafficStats()->upstream_cx_total_.inc(); + expectSessionCreate(); + expectStreamCreate(0); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, enableTimer(_, _)); + + // Verify that when no payload is specified, GET method works normally and no body is sent. + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeHeaders(_, true)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool end_stream) -> Http::Status { + EXPECT_EQ(headers.getMethodValue(), "GET"); + EXPECT_EQ(headers.getPathValue(), "/healthcheck"); + EXPECT_EQ(headers.ContentLength(), nullptr); // No Content-Length header should be set + EXPECT_TRUE(end_stream); // Should end stream as there's no body to send + return Http::okStatus(); + })); + + health_checker_->start(); + + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.max_interval", _)); + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.min_interval", _)) + .WillOnce(Return(45000)); + EXPECT_CALL(*test_sessions_[0]->interval_timer_, + enableTimer(std::chrono::milliseconds(45000), _)); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, disableTimer()); + respond(0, "200", false, false, true); + EXPECT_EQ(Host::Health::Healthy, + cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->coarseHealth()); +} + +TEST_F(HttpHealthCheckerImplTest, MinimalPayloadPostMethod) { + const std::string yaml = R"EOF( + timeout: 1s + interval: 1s + unhealthy_threshold: 2 + healthy_threshold: 2 + http_health_check: + path: /healthcheck + method: POST + send: + text: "31" # "1" in hex - minimal valid payload + )EOF"; + + allocHealthChecker(yaml); + addCompletionCallback(); + + EXPECT_CALL(*this, onHostStatus(_, HealthTransition::Unchanged)); + + cluster_->prioritySet().getMockHostSet(0)->hosts_ = { + makeTestHost(cluster_->info_, "tcp://127.0.0.1:80")}; + cluster_->info_->trafficStats()->upstream_cx_total_.inc(); + expectSessionCreate(); + expectStreamCreate(0); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, enableTimer(_, _)); + + // Verify that minimal payload is sent correctly. + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeHeaders(_, false)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool end_stream) -> Http::Status { + EXPECT_EQ(headers.getMethodValue(), "POST"); + EXPECT_EQ(headers.getContentLengthValue(), "1"); // "1" is 1 byte + EXPECT_FALSE(end_stream); + return Http::okStatus(); + })); + + EXPECT_CALL(test_sessions_[0]->request_encoder_, encodeData(_, true)) + .WillOnce(Invoke([&](Buffer::Instance& data, bool end_stream) -> void { + EXPECT_EQ(data.toString(), "1"); + EXPECT_TRUE(end_stream); + })); + + health_checker_->start(); + + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.max_interval", _)); + EXPECT_CALL(runtime_.snapshot_, getInteger("health_check.min_interval", _)) + .WillOnce(Return(45000)); + EXPECT_CALL(*test_sessions_[0]->interval_timer_, + enableTimer(std::chrono::milliseconds(45000), _)); + EXPECT_CALL(*test_sessions_[0]->timeout_timer_, disableTimer()); + respond(0, "200", false, false, true); + EXPECT_EQ(Host::Health::Healthy, + cluster_->prioritySet().getMockHostSet(0)->hosts_[0]->coarseHealth()); +} + } // namespace } // namespace Upstream } // namespace Envoy diff --git a/test/integration/health_check_integration_test.cc b/test/integration/health_check_integration_test.cc index bda97baab3ac8..631621558562d 100644 --- a/test/integration/health_check_integration_test.cc +++ b/test/integration/health_check_integration_test.cc @@ -950,5 +950,114 @@ TEST_P(ExternalHealthCheckIntegrationTest, SingleEndpointTimeoutExternal) { EXPECT_EQ(1, test_server_->counter("cluster.cluster_1.health_check.failure")->value()); } +// Test HTTP health check with POST method and payload +TEST_P(HttpHealthCheckIntegrationTest, SingleEndpointHealthyHttpWithPayload) { + const uint32_t cluster_idx = 0; + initialize(); + + // Setup HTTP health check with POST method and payload + const envoy::type::v3::CodecClientType codec_client_type = + (Http::CodecType::HTTP1 == upstream_protocol_) ? envoy::type::v3::CodecClientType::HTTP1 + : envoy::type::v3::CodecClientType::HTTP2; + + auto& cluster_data = clusters_[cluster_idx]; + auto* health_check = addHealthCheck(cluster_data.cluster_); + health_check->mutable_http_health_check()->set_path("/api/health"); + health_check->mutable_http_health_check()->set_method(envoy::config::core::v3::POST); + health_check->mutable_http_health_check()->set_codec_client_type(codec_client_type); + + // Set request payload + health_check->mutable_http_health_check()->mutable_send()->set_text( + "48656C6C6F20576F726C64"); // "Hello World" in hex + + health_check->mutable_unhealthy_threshold()->set_value(1); + + // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. + EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse( + Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + + // Wait for upstream to receive health check request. + ASSERT_TRUE(cluster_data.host_upstream_->waitForHttpConnection( + *dispatcher_, cluster_data.host_fake_connection_)); + ASSERT_TRUE(cluster_data.host_fake_connection_->waitForNewStream(*dispatcher_, + cluster_data.host_stream_)); + ASSERT_TRUE(cluster_data.host_stream_->waitForEndStream(*dispatcher_)); + + // Verify the health check request + EXPECT_EQ(cluster_data.host_stream_->headers().getPathValue(), "/api/health"); + EXPECT_EQ(cluster_data.host_stream_->headers().getMethodValue(), "POST"); + EXPECT_EQ(cluster_data.host_stream_->headers().getHostValue(), cluster_data.name_); + EXPECT_EQ(cluster_data.host_stream_->headers().getContentLengthValue(), + "11"); // "Hello World" is 11 bytes + + // Verify the request body + EXPECT_EQ(cluster_data.host_stream_->body().toString(), "Hello World"); + + // Endpoint responds with healthy status to the health check. + cluster_data.host_stream_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, + false); + cluster_data.host_stream_->encodeData(1024, true); + + // Verify that Envoy detected the health check response. + test_server_->waitForCounterGe("cluster.cluster_1.health_check.success", 1); + EXPECT_EQ(1, test_server_->counter("cluster.cluster_1.health_check.success")->value()); + EXPECT_EQ(0, test_server_->counter("cluster.cluster_1.health_check.failure")->value()); +} + +// Test HTTP health check with PUT method and binary payload +TEST_P(HttpHealthCheckIntegrationTest, SingleEndpointHealthyHttpWithBinaryPayload) { + const uint32_t cluster_idx = 0; + initialize(); + + const envoy::type::v3::CodecClientType codec_client_type = + (Http::CodecType::HTTP1 == upstream_protocol_) ? envoy::type::v3::CodecClientType::HTTP1 + : envoy::type::v3::CodecClientType::HTTP2; + + auto& cluster_data = clusters_[cluster_idx]; + auto* health_check = addHealthCheck(cluster_data.cluster_); + health_check->mutable_http_health_check()->set_path("/health"); + health_check->mutable_http_health_check()->set_method(envoy::config::core::v3::PUT); + health_check->mutable_http_health_check()->set_codec_client_type(codec_client_type); + + // Set hex payload - JSON + const std::string json_payload = "{\"check\":\"health\"}"; + health_check->mutable_http_health_check()->mutable_send()->set_text( + "7B22636865636B223A226865616C7468227D"); // {"check":"health"} in hex + + health_check->mutable_unhealthy_threshold()->set_value(1); + + // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. + EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse( + Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + + // Wait for upstream to receive health check request. + ASSERT_TRUE(cluster_data.host_upstream_->waitForHttpConnection( + *dispatcher_, cluster_data.host_fake_connection_)); + ASSERT_TRUE(cluster_data.host_fake_connection_->waitForNewStream(*dispatcher_, + cluster_data.host_stream_)); + ASSERT_TRUE(cluster_data.host_stream_->waitForEndStream(*dispatcher_)); + + // Verify the health check request + EXPECT_EQ(cluster_data.host_stream_->headers().getPathValue(), "/health"); + EXPECT_EQ(cluster_data.host_stream_->headers().getMethodValue(), "PUT"); + EXPECT_EQ(cluster_data.host_stream_->headers().getContentLengthValue(), + std::to_string(json_payload.length())); + + // Verify the request body + EXPECT_EQ(cluster_data.host_stream_->body().toString(), json_payload); + + // Endpoint responds with healthy status to the health check. + cluster_data.host_stream_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, + false); + cluster_data.host_stream_->encodeData(1024, true); + + // Verify that Envoy detected the health check response. + test_server_->waitForCounterGe("cluster.cluster_1.health_check.success", 1); + EXPECT_EQ(1, test_server_->counter("cluster.cluster_1.health_check.success")->value()); + EXPECT_EQ(0, test_server_->counter("cluster.cluster_1.health_check.failure")->value()); +} + } // namespace } // namespace Envoy From 0089fe6cf8d3bddd869b8bfdc5e4619ee99ee5c6 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 23 Jul 2025 19:50:04 -0700 Subject: [PATCH 054/505] lua: adds filterState() on streamInfo() (#40023) ## Description This PR adds support for accessing `filter_state` through the stream info API. This allows Lua scripts to safely access filter state data, with proper unpacking of **Any** messages into Lua tables. The implementation uses same building blocks as that of `dynamicTypedMetadata()` for which we added the protobuf conversion utils in the earlier PRs. --- **Commit Message:** lua: adds `filterState()` on `streamInfo()` **Additional Description:** Added a new ``filterState()`` on ``streamInfo()`` which could be used to access the filter state from HTTP filters, such as the ExtProc, etc. **Risk Level:** Low **Testing:** Unit tests and integration tests added **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 6 + .../http/http_filters/lua_filter.rst | 84 ++++ .../extensions/filters/http/lua/lua_filter.cc | 1 + .../extensions/filters/http/lua/wrappers.cc | 65 +++ source/extensions/filters/http/lua/wrappers.h | 32 ++ test/extensions/filters/http/lua/BUILD | 3 + .../filters/http/lua/lua_integration_test.cc | 57 +++ .../filters/http/lua/wrappers_test.cc | 431 ++++++++++++++++++ 8 files changed, 679 insertions(+) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 4e97986149815..b189f82472727 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -22,5 +22,11 @@ new_features: are validated and will throw an error if combined with payloads. The implementation is optimized to process the payload once during configuration and reuse it for all health check requests. See :ref:`HttpHealthCheck ` for configuration details. +- area: lua + change: | + Added a new ``filterState()`` on ``streamInfo()`` which provides access to filter state objects stored during request processing. + This allows Lua scripts to retrieve string, boolean, and numeric values stored by various filters for use in routing decisions, + header modifications, and other processing logic. See :ref:`Filter State API ` + for more details. deprecated: diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst index b4b7160ada9ba..76f03e5c7de4f 100644 --- a/docs/root/configuration/http/http_filters/lua_filter.rst +++ b/docs/root/configuration/http/http_filters/lua_filter.rst @@ -1020,6 +1020,37 @@ Returns dynamic typed metadata for a given filter name. This provides type-safe end end +``filterState()`` +^^^^^^^^^^^^^^^^^ + +.. code-block:: lua + + streamInfo:filterState() + +Returns a :ref:`filter state object ` that provides access to objects stored by filters during request processing. + +Filter state contains data shared between filters, such as routing decisions, authentication results, rate limiting state, and other processing information. + +Example usage: + +.. code-block:: lua + + function envoy_on_request(request_handle) + local filter_state = request_handle:streamInfo():filterState() + + -- Get authentication result + local auth_result = filter_state:get("auth.result") + if auth_result then + request_handle:headers():add("x-auth-result", auth_result) + end + + -- Check rate limiting decision + local rate_limit_remaining = filter_state:get("rate_limit.remaining") + if rate_limit_remaining and rate_limit_remaining < 10 then + request_handle:headers():add("x-rate-limit-warning", "low") + end + end + ``downstreamSslConnection()`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -1190,6 +1221,59 @@ its keys can only be ``string`` or ``numeric``. Iterates through every ``dynamicMetadata`` entry. ``key`` is a string that supplies a ``dynamicMetadata`` key. ``value`` is a ``dynamicMetadata`` entry value. +.. _config_http_filters_lua_stream_info_filter_state_wrapper: + +Filter state object API +------------------------ + +.. include:: ../../../_include/lua_common.rst + +``get()`` +^^^^^^^^^ + +.. code-block:: lua + + filterState:get(objectName) + filterState:get(objectName, fieldName) + +Gets a filter state object by name with optional field access. ``objectName`` is a string that specifies the name of the filter state object to retrieve. ``fieldName`` is an optional string that specifies a field name for objects that support field access. + +Returns the filter state value as a string. Returns ``nil`` if the object does not exist, cannot be serialized, or if the specified field doesn't exist. + +Objects that support field access can have specific fields retrieved using the optional second parameter. + +.. code-block:: lua + + function envoy_on_request(request_handle) + local filter_state = request_handle:streamInfo():filterState() + + -- All values returned as strings + local auth_token = filter_state:get("auth.token") + if auth_token then + request_handle:headers():add("x-auth-token", auth_token) + end + + -- Boolean-like string values + local is_authenticated = filter_state:get("auth.authenticated") + if is_authenticated == "true" then + request_handle:headers():add("x-authenticated", "yes") + end + + -- Access specific fields from objects that support field access + local user_name = filter_state:get("user.info", "name") + if user_name then + request_handle:headers():add("x-user-name", user_name) + end + + local user_id_str = filter_state:get("user.info", "id") + if user_id_str then + local user_id = tonumber(user_id_str) + if user_id and user_id > 1000 then + request_handle:headers():add("x-premium-user", "true") + end + end + end + .. _config_http_filters_lua_connection_wrapper: Connection object API diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc index e6de884b1cedc..b742d4284f404 100644 --- a/source/extensions/filters/http/lua/lua_filter.cc +++ b/source/extensions/filters/http/lua/lua_filter.cc @@ -206,6 +206,7 @@ PerLuaCodeSetup::PerLuaCodeSetup(const std::string& lua_code, ThreadLocal::SlotA lua_state_.registerType(); lua_state_.registerType(); lua_state_.registerType(); + lua_state_.registerType(); lua_state_.registerType(); lua_state_.registerType(); lua_state_.registerType(); diff --git a/source/extensions/filters/http/lua/wrappers.cc b/source/extensions/filters/http/lua/wrappers.cc index 8462fec213e07..7e8e7aca64a6f 100644 --- a/source/extensions/filters/http/lua/wrappers.cc +++ b/source/extensions/filters/http/lua/wrappers.cc @@ -180,6 +180,15 @@ int StreamInfoWrapper::luaDynamicTypedMetadata(lua_State* state) { state, typed_metadata); } +int StreamInfoWrapper::luaFilterState(lua_State* state) { + if (filter_state_wrapper_.get() != nullptr) { + filter_state_wrapper_.pushStack(); + } else { + filter_state_wrapper_.reset(FilterStateWrapper::create(state, *this), true); + } + return 1; +} + int ConnectionStreamInfoWrapper::luaConnectionDynamicMetadata(lua_State* state) { if (connection_dynamic_metadata_wrapper_.get() != nullptr) { connection_dynamic_metadata_wrapper_.pushStack(); @@ -380,6 +389,62 @@ int PublicKeyWrapper::luaGet(lua_State* state) { return 1; } +StreamInfo::StreamInfo& FilterStateWrapper::streamInfo() { return parent_.stream_info_; } + +int FilterStateWrapper::luaGet(lua_State* state) { + const char* object_name = luaL_checkstring(state, 2); + const StreamInfo::FilterStateSharedPtr filter_state = streamInfo().filterState(); + + // Check if filter state exists. + if (filter_state == nullptr) { + return 0; // Return nil if filter state is null. + } + + // Get the filter state object by name. + const StreamInfo::FilterState::Object* object = filter_state->getDataReadOnlyGeneric(object_name); + if (object == nullptr) { + return 0; // Return nil if object not found. + } + + // Check if there's an optional third parameter for field access. + if (lua_gettop(state) >= 3 && !lua_isnil(state, 3)) { + const char* field_name = luaL_checkstring(state, 3); + if (object->hasFieldSupport()) { + auto field_value = object->getField(field_name); + + // Convert the field value to the appropriate Lua type. + if (absl::holds_alternative(field_value)) { + const auto& str_value = absl::get(field_value); + lua_pushlstring(state, str_value.data(), str_value.size()); + return 1; + } + + if (absl::holds_alternative(field_value)) { + lua_pushnumber(state, absl::get(field_value)); + return 1; + } + + // Return nil if field is not found. + return 0; + } + + // Object doesn't support field access, return nil. + return 0; + } + + absl::optional string_value = object->serializeAsString(); + if (string_value.has_value()) { + const std::string& value = string_value.value(); + + // Return the filter state value as a string. + lua_pushlstring(state, value.data(), value.size()); + return 1; + } + + // If string serialization is not supported, return nil. + return 0; +} + } // namespace Lua } // namespace HttpFilters } // namespace Extensions diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index ddaae767f1f69..498cd24bcb409 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -260,6 +260,28 @@ class ConnectionDynamicMetadataMapWrapper friend class ConnectionDynamicMetadataMapIterator; }; +/** + * Lua wrapper for accessing filter state objects. + */ +class FilterStateWrapper : public Filters::Common::Lua::BaseLuaObject { +public: + FilterStateWrapper(StreamInfoWrapper& parent) : parent_(parent) {} + static ExportedFunctions exportedFunctions() { return {{"get", static_luaGet}}; } + +private: + /** + * Get a filter state object by name, with an optional field name. + * @param 1 (string): object name. + * @param 2 (string, optional): field name for objects that support field access. + * @return filter state value as string, or nil if not found. + */ + DECLARE_LUA_FUNCTION(FilterStateWrapper, luaGet); + + StreamInfo::StreamInfo& streamInfo(); + + StreamInfoWrapper& parent_; +}; + /** * Lua wrapper for a stream info. */ @@ -270,6 +292,7 @@ class StreamInfoWrapper : public Filters::Common::Lua::BaseLuaObject dynamic_metadata_wrapper_; + Filters::Common::Lua::LuaDeathRef filter_state_wrapper_; Filters::Common::Lua::LuaDeathRef downstream_ssl_connection_; friend class DynamicMetadataMapWrapper; + friend class FilterStateWrapper; }; /** diff --git a/test/extensions/filters/http/lua/BUILD b/test/extensions/filters/http/lua/BUILD index cc595699d2647..b4cbe06e32c2f 100644 --- a/test/extensions/filters/http/lua/BUILD +++ b/test/extensions/filters/http/lua/BUILD @@ -41,7 +41,10 @@ envoy_extension_cc_test( rbe_pool = "6gig", deps = [ "//source/common/network:address_lib", + "//source/common/router:string_accessor_lib", + "//source/common/stream_info:bool_accessor_lib", "//source/common/stream_info:stream_info_lib", + "//source/common/stream_info:uint64_accessor_lib", "//source/extensions/filters/http/lua:wrappers_lib", "//test/extensions/filters/common/lua:lua_wrappers_lib", "//test/mocks/stream_info:stream_info_mocks", diff --git a/test/extensions/filters/http/lua/lua_integration_test.cc b/test/extensions/filters/http/lua/lua_integration_test.cc index 9cb250c1b2e1d..1073e232ac89c 100644 --- a/test/extensions/filters/http/lua/lua_integration_test.cc +++ b/test/extensions/filters/http/lua/lua_integration_test.cc @@ -2026,6 +2026,63 @@ name: lua cleanup(); } +// Test ``filterState()`` functionality with simple string values. +TEST_P(LuaIntegrationTest, FilterStateBasic) { + const std::string FILTER_AND_CODE = R"EOF( +name: lua +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + inline_string: | + function envoy_on_request(request_handle) + local stream_info = request_handle:streamInfo() + + -- Test filterState() function with non-existent key + local missing_state = stream_info:filterState():get("nonexistent_key") + if missing_state == nil then + request_handle:headers():add("missing_state", "nil") + else + request_handle:headers():add("missing_state", "unexpected") + end + + -- Test with another non-existent key + local another_missing = stream_info:filterState():get("another_missing") + if another_missing == nil then + request_handle:headers():add("another_missing", "nil") + else + request_handle:headers():add("another_missing", "unexpected") + end + end +)EOF"; + + initializeFilter(FILTER_AND_CODE); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test/long/url"}, {":scheme", "http"}, {":authority", "host"}}; + + auto response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(); + + // Verify both calls return nil as expected for non-existent keys. + EXPECT_EQ("nil", upstream_request_->headers() + .get(Http::LowerCaseString("missing_state"))[0] + ->value() + .getStringView()); + + EXPECT_EQ("nil", upstream_request_->headers() + .get(Http::LowerCaseString("another_missing"))[0] + ->value() + .getStringView()); + + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + + EXPECT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); + + cleanup(); +} + #ifdef NDEBUG // This test is only run in release mode because in debug mode, // the code reaches ENVOY_BUG() which triggers a forced abort diff --git a/test/extensions/filters/http/lua/wrappers_test.cc b/test/extensions/filters/http/lua/wrappers_test.cc index 239589cdd52b5..0662d0d3165a7 100644 --- a/test/extensions/filters/http/lua/wrappers_test.cc +++ b/test/extensions/filters/http/lua/wrappers_test.cc @@ -2,7 +2,10 @@ #include "source/common/http/utility.h" #include "source/common/network/address_impl.h" +#include "source/common/router/string_accessor_impl.h" +#include "source/common/stream_info/bool_accessor_impl.h" #include "source/common/stream_info/stream_info_impl.h" +#include "source/common/stream_info/uint64_accessor_impl.h" #include "source/extensions/filters/http/lua/wrappers.h" #include "test/extensions/filters/common/lua/lua_wrappers.h" @@ -302,6 +305,7 @@ class LuaStreamInfoWrapperTest Filters::Common::Lua::LuaWrappersTestBase::setup(script); state_->registerType(); state_->registerType(); + state_->registerType(); } protected: @@ -984,6 +988,433 @@ TEST_F(LuaStreamInfoWrapperTest, IterateDynamicTypedMetadata) { wrapper.reset(); } +// Test for ``filterState()`` basic functionality. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateBasic) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local filter_state_obj = object:filterState():get("test_key") + if filter_state_obj then + testPrint("found_filter_state") + testPrint(filter_state_obj) + else + testPrint("no_filter_state") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Create a simple string accessor for testing. + stream_info.filterState()->setData( + "test_key", std::make_shared("test_value"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_filter_state")); + EXPECT_CALL(printer_, testPrint("test_value")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` with missing object. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateMissing) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local filter_state_obj = object:filterState():get("missing_key") + if filter_state_obj == nil then + testPrint("filter_state_not_found") + else + testPrint("filter_state_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("filter_state_not_found")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` with multiple objects. +TEST_F(LuaStreamInfoWrapperTest, GetMultipleFilterStateObjects) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local obj1 = object:filterState():get("key1") + local obj2 = object:filterState():get("key2") + local obj3 = object:filterState():get("nonexistent") + + if obj1 then + testPrint("found_key1") + testPrint(obj1) + end + + if obj2 then + testPrint("found_key2") + testPrint(obj2) + end + + if obj3 == nil then + testPrint("key3_not_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add multiple filter state objects. + stream_info.filterState()->setData("key1", std::make_shared("value1"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::FilterChain); + + stream_info.filterState()->setData("key2", std::make_shared("value2"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_key1")); + EXPECT_CALL(printer_, testPrint("value1")); + EXPECT_CALL(printer_, testPrint("found_key2")); + EXPECT_CALL(printer_, testPrint("value2")); + EXPECT_CALL(printer_, testPrint("key3_not_found")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` with numeric accessor. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateNumericAccessor) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local numeric_obj = object:filterState():get("numeric_key") + if numeric_obj then + testPrint("found_numeric") + testPrint(numeric_obj) + -- Test that it's returned as a string (new behavior) + if type(numeric_obj) == "string" then + testPrint("correct_string_type") + end + else + testPrint("numeric_not_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add numeric filter state object. + stream_info.filterState()->setData( + "numeric_key", std::make_shared(12345), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_numeric")); + EXPECT_CALL(printer_, testPrint("12345")); + EXPECT_CALL(printer_, testPrint("correct_string_type")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` with boolean accessor. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateBooleanAccessor) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local bool_obj = object:filterState():get("bool_key") + if bool_obj ~= nil then + testPrint("found_boolean") + testPrint(bool_obj) + -- Test that it's returned as a string (new behavior) + if type(bool_obj) == "string" then + testPrint("correct_string_type") + end + else + testPrint("boolean_not_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add boolean filter state object. + stream_info.filterState()->setData( + "bool_key", std::make_shared(true), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_boolean")); + EXPECT_CALL(printer_, testPrint("true")); + EXPECT_CALL(printer_, testPrint("correct_string_type")); + start("callMe"); + wrapper.reset(); +} + +// Test filter state object that supports field access. +class TestFieldSupportingFilterState : public StreamInfo::FilterState::Object { +public: + TestFieldSupportingFilterState(std::string base_value) : base_value_(base_value) {} + + absl::optional serializeAsString() const override { return base_value_; } + + bool hasFieldSupport() const override { return true; } + + FieldType getField(absl::string_view field_name) const override { + if (field_name == "string_field") { + return absl::string_view("field_string_value"); + } else if (field_name == "numeric_field") { + return int64_t(42); + } else if (field_name == "base_value") { + return absl::string_view(base_value_); + } + // Return empty variant for non-existent fields. + return {}; + } + +private: + std::string base_value_; +}; + +// Test for ``filterState()`` field access with string field. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateFieldAccessString) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local field_value = object:filterState():get("field_key", "string_field") + if field_value then + testPrint("found_string_field") + testPrint(field_value) + -- Verify it's returned as a string + if type(field_value) == "string" then + testPrint("correct_string_type") + end + else + testPrint("string_field_not_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add field-supporting filter state object. + stream_info.filterState()->setData( + "field_key", std::make_shared("base_value"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_string_field")); + EXPECT_CALL(printer_, testPrint("field_string_value")); + EXPECT_CALL(printer_, testPrint("correct_string_type")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` field access with numeric field. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateFieldAccessNumeric) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local field_value = object:filterState():get("field_key", "numeric_field") + if field_value then + testPrint("found_numeric_field") + testPrint(field_value) + -- Verify it's returned as a number + if type(field_value) == "number" then + testPrint("correct_number_type") + end + else + testPrint("numeric_field_not_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add field-supporting filter state object. + stream_info.filterState()->setData( + "field_key", std::make_shared("base_value"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_numeric_field")); + EXPECT_CALL(printer_, testPrint("42")); + EXPECT_CALL(printer_, testPrint("correct_number_type")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` field access with non-existent field. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateFieldAccessNonExistent) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local field_value = object:filterState():get("field_key", "nonexistent_field") + if field_value == nil then + testPrint("nonexistent_field_returned_nil") + else + testPrint("nonexistent_field_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add field-supporting filter state object. + stream_info.filterState()->setData( + "field_key", std::make_shared("base_value"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("nonexistent_field_returned_nil")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` field access on object without field support. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateFieldAccessNoSupport) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local field_value = object:filterState():get("no_field_key", "any_field") + if field_value == nil then + testPrint("no_field_support_returned_nil") + else + testPrint("no_field_support_found") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add regular string accessor without field support. + stream_info.filterState()->setData( + "no_field_key", std::make_shared("test_value"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("no_field_support_returned_nil")); + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` field access fallback to string serialization. +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateFieldAccessFallback) { + const std::string SCRIPT{R"EOF( + function callMe(object) + -- Test accessing the whole object without field parameter first + local whole_obj = object:filterState():get("field_key") + if whole_obj then + testPrint("found_whole_object") + testPrint(whole_obj) + end + + -- Test field access that matches the base_value + local field_value = object:filterState():get("field_key", "base_value") + if field_value then + testPrint("found_base_value_field") + testPrint(field_value) + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Add field-supporting filter state object. + stream_info.filterState()->setData( + "field_key", std::make_shared("test_base"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain); + + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("found_whole_object")); + EXPECT_CALL(printer_, testPrint("test_base")); // String serialization result + EXPECT_CALL(printer_, testPrint("found_base_value_field")); + EXPECT_CALL(printer_, testPrint("test_base")); // Field access result + start("callMe"); + wrapper.reset(); +} + +// Test for ``filterState()`` with null filter state object (covers lines 398-401). +TEST_F(LuaStreamInfoWrapperTest, GetFilterStateNullObject) { + const std::string SCRIPT{R"EOF( + function callMe(object) + -- Test accessing non-existent key which will return nullptr from getDataReadOnly + local null_obj = object:filterState():get("completely_nonexistent_key") + if null_obj == nil then + testPrint("null_filter_state_returned_nil") + else + testPrint("null_filter_state_found_something") + end + + -- Test field access on non-existent key + local null_field = object:filterState():get("completely_nonexistent_key", "any_field") + if null_field == nil then + testPrint("null_filter_state_field_returned_nil") + else + testPrint("null_filter_state_field_found_something") + end + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + StreamInfo::StreamInfoImpl stream_info(Http::Protocol::Http2, test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain); + + // Here we are deliberately not adding any filter state data, so ``getDataReadOnly`` + // will return nullptr. + Filters::Common::Lua::LuaDeathRef wrapper( + StreamInfoWrapper::create(coroutine_->luaState(), stream_info), true); + EXPECT_CALL(printer_, testPrint("null_filter_state_returned_nil")); + EXPECT_CALL(printer_, testPrint("null_filter_state_field_returned_nil")); + start("callMe"); + wrapper.reset(); +} + } // namespace } // namespace Lua } // namespace HttpFilters From b3a34c108c025600e87af128f586cc428b7850fe Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Wed, 23 Jul 2025 23:17:42 -0400 Subject: [PATCH 055/505] tests: rename TypeUrl to TestTypeUrl (#40342) Commit Message: tests: rename TypeUrl to TestTypeUrl Additional Description: Tests only - rename the type `TypeUrl` to `TestTypeUrl`. The reason is that we are going to introduce a TypeUrl class in [resource_name.h](https://github.com/envoyproxy/envoy/blob/main/source/common/config/resource_name.h) and it conflicts with the tests type. This was done by running `grep -rlZ "TypeUrl::get" test | xargs -0 sed -i 's/TypeUrl::get/TestTypeUrl::get/g'`. Risk Level: low - tests only Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Adi Suissa-Peleg --- .../kv_store_xds_delegate_integration_test.cc | 16 +- .../config/test/kv_store_xds_delegate_test.cc | 16 +- .../config/grpc_subscription_test_harness.h | 9 +- test/config/utility.cc | 4 +- .../aggregate/cluster_integration_test.cc | 44 +- .../redis/redis_cluster_integration_test.cc | 23 +- ...mum_clusters_validator_integration_test.cc | 20 +- .../common/subscription_factory_impl_test.cc | 7 +- .../grpc/delta_subscription_impl_test.cc | 11 +- .../grpc/delta_subscription_test_harness.h | 6 +- .../grpc/grpc_mux_impl_test.cc | 26 +- .../grpc/new_grpc_mux_impl_test.cc | 24 +- .../grpc/xds_failover_integration_test.cc | 12 +- .../grpc/xds_grpc_mux_impl_test.cc | 26 +- .../rest/http_subscription_test_harness.h | 2 +- .../local_ratelimit_integration_test.cc | 12 +- .../filters/http/lua/lua_integration_test.cc | 6 +- .../http/oauth2/oauth_integration_test.cc | 2 +- .../http/on_demand/odcds_integration_test.cc | 76 +- .../on_demand/on_demand_integration_test.cc | 66 +- ...on_extension_discovery_integration_test.cc | 2 +- .../integration_test.cc | 26 +- test/integration/ads_integration.cc | 52 +- test/integration/ads_integration_test.cc | 817 +++++++++--------- ...s_xdstp_config_sources_integration_test.cc | 88 +- test/integration/cds_integration_test.cc | 44 +- .../extension_discovery_integration_test.cc | 2 +- test/integration/header_integration_test.cc | 2 +- .../health_check_integration_test.cc | 35 +- test/integration/leds_integration_test.cc | 14 +- .../listener_lds_integration_test.cc | 6 +- ...rk_extension_discovery_integration_test.cc | 2 +- test/integration/rtds_integration_test.cc | 18 +- .../sds_dynamic_integration_test.cc | 40 +- .../sds_generic_secret_integration_test.cc | 2 +- .../tcp_proxy_odcds_integration_test.cc | 30 +- .../upstream_http_filter_integration_test.cc | 2 +- ...pstream_network_filter_integration_test.cc | 2 +- test/integration/vhds.h | 16 +- test/integration/vhds_integration_test.cc | 18 +- .../xds_config_tracker_integration_test.cc | 16 +- ...xds_delegate_extension_integration_test.cc | 10 +- test/integration/xds_integration_test.cc | 8 +- .../xdstp_config_sources_integration_test.cc | 22 +- test/server/config_validation/xds_fuzz.cc | 18 +- test/test_common/resources.h | 2 +- 46 files changed, 874 insertions(+), 828 deletions(-) diff --git a/contrib/config/test/kv_store_xds_delegate_integration_test.cc b/contrib/config/test/kv_store_xds_delegate_integration_test.cc index 912d7a2ad4d6a..a383cf93a30d7 100644 --- a/contrib/config/test/kv_store_xds_delegate_integration_test.cc +++ b/contrib/config/test/kv_store_xds_delegate_integration_test.cc @@ -308,19 +308,19 @@ TEST_P(KeyValueStoreXdsDelegateIntegrationTest, BasicSuccess) { // SDS. initXdsStream(*getSdsUpstream(), sds_connection_, sds_stream_); EXPECT_TRUE(compareSotwDiscoveryRequest( - /*expected_type_url=*/Config::TypeUrl::get().Secret, /*expected_version=*/"", + /*expected_type_url=*/Config::TestTypeUrl::get().Secret, /*expected_version=*/"", /*expected_resource_names=*/{std::string(CLIENT_CERT_NAME)}, /*expect_node=*/true, /*expected_error_code=*/Grpc::Status::WellKnownGrpcStatus::Ok, /*expected_error_message=*/"", sds_stream_.get())); auto sds_resource = getClientSecret(); sendSotwDiscoveryResponse( - Config::TypeUrl::get().Secret, {sds_resource}, "1", sds_stream_.get()); + Config::TestTypeUrl::get().Secret, {sds_resource}, "1", sds_stream_.get()); } { // RTDS. initXdsStream(*getRtdsUpstream(), rtds_connection_, rtds_stream_); EXPECT_TRUE(compareSotwDiscoveryRequest( - /*expected_type_url=*/Config::TypeUrl::get().Runtime, + /*expected_type_url=*/Config::TestTypeUrl::get().Runtime, /*expected_version=*/"", /*expected_resource_names=*/{"some_rtds_layer"}, /*expect_node=*/true, /*expected_error_code=*/Grpc::Status::WellKnownGrpcStatus::Ok, @@ -332,7 +332,7 @@ TEST_P(KeyValueStoreXdsDelegateIntegrationTest, BasicSuccess) { baz: meh )EOF"); sendSotwDiscoveryResponse( - Config::TypeUrl::get().Runtime, {rtds_resource}, "1", rtds_stream_.get()); + Config::TestTypeUrl::get().Runtime, {rtds_resource}, "1", rtds_stream_.get()); } }; @@ -351,7 +351,7 @@ TEST_P(KeyValueStoreXdsDelegateIntegrationTest, BasicSuccess) { // Send an update to the RTDS resource, from the RTDS cluster to the Envoy test server. EXPECT_TRUE(compareSotwDiscoveryRequest( - /*expected_type_url=*/Config::TypeUrl::get().Runtime, /*expected_version=*/"1", + /*expected_type_url=*/Config::TestTypeUrl::get().Runtime, /*expected_version=*/"1", /*expected_resource_names=*/{"some_rtds_layer"}, /*expect_node=*/false, /*expected_error_code=*/Grpc::Status::WellKnownGrpcStatus::Ok, /*expected_error_message=*/"", rtds_stream_.get())); @@ -361,7 +361,7 @@ TEST_P(KeyValueStoreXdsDelegateIntegrationTest, BasicSuccess) { baz: saz )EOF"); sendSotwDiscoveryResponse( - Config::TypeUrl::get().Runtime, {rtds_resource}, "2", rtds_stream_.get()); + Config::TestTypeUrl::get().Runtime, {rtds_resource}, "2", rtds_stream_.get()); test_server_->waitForCounterGe("runtime.load_success", 3); EXPECT_EQ("whatevs", getRuntimeKey("foo")); @@ -399,7 +399,7 @@ TEST_P(KeyValueStoreXdsDelegateIntegrationTest, BasicSuccess) { baz: jazz )EOF"); sendSotwDiscoveryResponse( - Config::TypeUrl::get().Runtime, {rtds_resource_v2}, /*version=*/"3", rtds_stream_.get()); + Config::TestTypeUrl::get().Runtime, {rtds_resource_v2}, /*version=*/"3", rtds_stream_.get()); test_server_->waitForCounterGe("runtime.load_success", 3); @@ -421,7 +421,7 @@ class InvalidProtoKeyValueStore : public KeyValueStore { // We only have a cds_config making wildcard requests, so we only need to implement the iterate // function. void iterate(ConstIterateCb cb) const override { - const Config::XdsConfigSourceId source_id{CDS_CLUSTER_NAME, Config::TypeUrl::get().Cluster}; + const Config::XdsConfigSourceId source_id{CDS_CLUSTER_NAME, Config::TestTypeUrl::get().Cluster}; const std::string cluster_name = "cluster_A"; const std::string key = absl::StrCat(source_id.toKey(), "+", cluster_name); diff --git a/contrib/config/test/kv_store_xds_delegate_test.cc b/contrib/config/test/kv_store_xds_delegate_test.cc index a73b9b3470382..3f364c55f9478 100644 --- a/contrib/config/test/kv_store_xds_delegate_test.cc +++ b/contrib/config/test/kv_store_xds_delegate_test.cc @@ -108,7 +108,7 @@ TEST_F(KeyValueStoreXdsDelegateTest, SaveAndRetrieve) { )EOF"); const auto saved_resources = TestUtility::decodeResources({runtime_resource_1, runtime_resource_2}); - const XdsConfigSourceId source_id{authority_1, Config::TypeUrl::get().Runtime}; + const XdsConfigSourceId source_id{authority_1, Config::TestTypeUrl::get().Runtime}; // Save xDS resources. xds_delegate_->onConfigUpdated(source_id, saved_resources.refvec_); @@ -146,9 +146,9 @@ TEST_F(KeyValueStoreXdsDelegateTest, MultipleAuthoritiesAndTypes) { const auto authority_2_runtime_resources = TestUtility::decodeResources({runtime_resource_2}); const auto authority_2_cluster_resources = TestUtility::decodeResources({cluster_resource_1}); - const XdsConfigSourceId source_id_1{authority_1, Config::TypeUrl::get().Runtime}; - const XdsConfigSourceId source_id_2_runtime{authority_2, Config::TypeUrl::get().Runtime}; - const XdsConfigSourceId source_id_2_cluster{authority_2, Config::TypeUrl::get().Cluster}; + const XdsConfigSourceId source_id_1{authority_1, Config::TestTypeUrl::get().Runtime}; + const XdsConfigSourceId source_id_2_runtime{authority_2, Config::TestTypeUrl::get().Runtime}; + const XdsConfigSourceId source_id_2_cluster{authority_2, Config::TestTypeUrl::get().Cluster}; // Save xDS resources. xds_delegate_->onConfigUpdated(source_id_1, authority_1_runtime_resources.refvec_); @@ -184,7 +184,7 @@ TEST_F(KeyValueStoreXdsDelegateTest, UpdatedSotwResources) { abc: xyz )EOF"); - const XdsConfigSourceId source_id{authority_1, Config::TypeUrl::get().Runtime}; + const XdsConfigSourceId source_id{authority_1, Config::TestTypeUrl::get().Runtime}; // Save xDS resources. const auto saved_resources = @@ -232,7 +232,7 @@ TEST_F(KeyValueStoreXdsDelegateTest, Wildcard) { )EOF"); const auto saved_resources = TestUtility::decodeResources({runtime_resource_1, runtime_resource_2}); - const XdsConfigSourceId source_id{authority_1, Config::TypeUrl::get().Runtime}; + const XdsConfigSourceId source_id{authority_1, Config::TestTypeUrl::get().Runtime}; // Save xDS resources. xds_delegate_->onConfigUpdated(source_id, saved_resources.refvec_); @@ -257,7 +257,7 @@ TEST_F(KeyValueStoreXdsDelegateTest, ResourceNotFound) { baz: meh )EOF"); const auto saved_resources = TestUtility::decodeResources({runtime_resource_1}); - const XdsConfigSourceId source_id{authority_1, Config::TypeUrl::get().Runtime}; + const XdsConfigSourceId source_id{authority_1, Config::TestTypeUrl::get().Runtime}; // Save xDS resources. xds_delegate_->onConfigUpdated(source_id, saved_resources.refvec_); @@ -309,7 +309,7 @@ TEST_F(KeyValueStoreXdsDelegateTest, ResourcesWithTTL) { resources, /*version=*/"1"); // Save xDS resources. - const XdsConfigSourceId source_id{authority_1, Config::TypeUrl::get().Runtime}; + const XdsConfigSourceId source_id{authority_1, Config::TestTypeUrl::get().Runtime}; xds_delegate_->onConfigUpdated(source_id, decoded_resources.refvec_); // TTL hasn't expired, so we should have all three xDS resources. diff --git a/test/common/config/grpc_subscription_test_harness.h b/test/common/config/grpc_subscription_test_harness.h index 13c02090c0f21..8c265f7e0f9ef 100644 --- a/test/common/config/grpc_subscription_test_harness.h +++ b/test/common/config/grpc_subscription_test_harness.h @@ -80,8 +80,9 @@ class GrpcSubscriptionTestHarness : public SubscriptionTestHarness { mux_ = std::make_shared(grpc_mux_context, true); } subscription_ = std::make_unique( - mux_, callbacks_, resource_decoder_, stats_, Config::TypeUrl::get().ClusterLoadAssignment, - dispatcher_, init_fetch_timeout, false, SubscriptionOptions()); + mux_, callbacks_, resource_decoder_, stats_, + Config::TestTypeUrl::get().ClusterLoadAssignment, dispatcher_, init_fetch_timeout, false, + SubscriptionOptions()); } ~GrpcSubscriptionTestHarness() override { @@ -111,7 +112,7 @@ class GrpcSubscriptionTestHarness : public SubscriptionTestHarness { expected_request.set_version_info(version); } expected_request.set_response_nonce(last_response_nonce_); - expected_request.set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + expected_request.set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); if (error_code != Grpc::Status::WellKnownGrpcStatus::Ok) { ::google::rpc::Status* error_detail = expected_request.mutable_error_detail(); error_detail->set_code(error_code); @@ -159,7 +160,7 @@ class GrpcSubscriptionTestHarness : public SubscriptionTestHarness { response->set_version_info(version); last_response_nonce_ = std::to_string(HashUtil::xxHash64(version)); response->set_nonce(last_response_nonce_); - response->set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + response->set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); response->mutable_control_plane()->set_identifier("ground_control_foo123"); Protobuf::RepeatedPtrField typed_resources; for (const auto& cluster : cluster_names) { diff --git a/test/config/utility.cc b/test/config/utility.cc index 381a9a31adf02..ace3c2c698b80 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc @@ -1823,7 +1823,7 @@ void CdsHelper::setCds(const std::vector& c // Write to file the DiscoveryResponse and trigger inotify watch. envoy::service::discovery::v3::DiscoveryResponse cds_response; cds_response.set_version_info(std::to_string(cds_version_++)); - cds_response.set_type_url(Config::TypeUrl::get().Cluster); + cds_response.set_type_url(Config::TestTypeUrl::get().Cluster); for (const auto& cluster : clusters) { cds_response.add_resources()->PackFrom(cluster); } @@ -1845,7 +1845,7 @@ void EdsHelper::setEds(const std::vectorPackFrom(cluster_load_assignment); } diff --git a/test/extensions/clusters/aggregate/cluster_integration_test.cc b/test/extensions/clusters/aggregate/cluster_integration_test.cc index 5d8af67437583..9f19d85f254fc 100644 --- a/test/extensions/clusters/aggregate/cluster_integration_test.cc +++ b/test/extensions/clusters/aggregate/cluster_integration_test.cc @@ -230,8 +230,8 @@ class AggregateIntegrationTest acceptXdsConnection(); // Do the initial compareDiscoveryRequest / sendDiscoveryResponse for cluster_1. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "55"); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); @@ -265,9 +265,9 @@ TEST_P(AggregateIntegrationTest, ClusterUpDownUp) { testRouterHeaderOnlyRequestAndResponse(nullptr, FirstUpstreamIndex, "/aggregatecluster"); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {FirstClusterName}, "42"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {FirstClusterName}, "42"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. test_server_->waitForCounterGe("cluster_manager.cluster_removed", 1); @@ -283,8 +283,8 @@ TEST_P(AggregateIntegrationTest, ClusterUpDownUp) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is back. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "42", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "42", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "413"); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); @@ -302,9 +302,9 @@ TEST_P(AggregateIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_2 is here. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); // The '4' includes the fake CDS server and aggregate cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); @@ -314,9 +314,9 @@ TEST_P(AggregateIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "42", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "42", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster2_}, {}, {FirstClusterName}, "43"); + Config::TestTypeUrl::get().Cluster, {cluster2_}, {}, {FirstClusterName}, "43"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. test_server_->waitForCounterGe("cluster_manager.cluster_removed", 1); @@ -326,9 +326,9 @@ TEST_P(AggregateIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is back. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "43", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "43", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_}, {}, "413"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_}, {}, "413"); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); testRouterHeaderOnlyRequestAndResponse(nullptr, FirstUpstreamIndex, "/aggregatecluster"); @@ -344,7 +344,7 @@ TEST_P(AggregateIntegrationTest, PreviousPrioritiesRetryPredicate) { // Tell Envoy that cluster_2 is here. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); // The '4' includes the fake CDS server and aggregate cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); @@ -398,8 +398,8 @@ TEST_P(AggregateIntegrationTest, CircuitBreakerTestMaxConnections) { setCircuitBreakerLimits(cluster1_, CircuitBreakerLimits{}.withMaxConnections(1)); setMaxConcurrentStreams(cluster1_, 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "56"); test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); @@ -518,8 +518,8 @@ TEST_P(AggregateIntegrationTest, CircuitBreakerTestMaxRequests) { setCircuitBreakerLimits(cluster1_, CircuitBreakerLimits{}.withMaxRequests(1)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "56"); test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); @@ -642,8 +642,8 @@ TEST_P(AggregateIntegrationTest, CircuitBreakerTestMaxPendingRequests) { CircuitBreakerLimits{}.withMaxConnections(1).withMaxPendingRequests(1)); setMaxConcurrentStreams(cluster1_, 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "56"); test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); @@ -794,8 +794,8 @@ TEST_P(AggregateIntegrationTest, CircuitBreakerMaxRetriesTest) { setCircuitBreakerLimits(cluster1_, CircuitBreakerLimits{}.withMaxRetries(1)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "56"); test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); diff --git a/test/extensions/clusters/redis/redis_cluster_integration_test.cc b/test/extensions/clusters/redis/redis_cluster_integration_test.cc index a2ea2415615e6..56bede0437984 100644 --- a/test/extensions/clusters/redis/redis_cluster_integration_test.cc +++ b/test/extensions/clusters/redis/redis_cluster_integration_test.cc @@ -677,34 +677,35 @@ TEST_P(RedisAdsIntegrationTest, RedisClusterRemoval) { initialize(); // Send initial configuration with a redis cluster and a redis proxy listener. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildRedisCluster("redis_cluster")}, + Config::TestTypeUrl::get().Cluster, {buildRedisCluster("redis_cluster")}, {buildRedisCluster("redis_cluster")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"redis_cluster"}, {"redis_cluster"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("redis_cluster")}, - {buildClusterLoadAssignment("redis_cluster")}, {}, "1"); + Config::TestTypeUrl::get().ClusterLoadAssignment, + {buildClusterLoadAssignment("redis_cluster")}, {buildClusterLoadAssignment("redis_cluster")}, + {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildRedisListener("listener_0", "redis_cluster")}, + Config::TestTypeUrl::get().Listener, {buildRedisListener("listener_0", "redis_cluster")}, {buildRedisListener("listener_0", "redis_cluster")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"redis_cluster"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); // Validate that redis listener is successfully created. test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); // Now send a CDS update, removing redis cluster added above. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("cluster_2")}, {buildCluster("cluster_2")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_2")}, {buildCluster("cluster_2")}, {"redis_cluster"}, "2"); // Validate that the cluster is removed successfully. diff --git a/test/extensions/config/validators/minimum_clusters/minimum_clusters_validator_integration_test.cc b/test/extensions/config/validators/minimum_clusters/minimum_clusters_validator_integration_test.cc index 087b5833d39fa..42ac0309d646a 100644 --- a/test/extensions/config/validators/minimum_clusters/minimum_clusters_validator_integration_test.cc +++ b/test/extensions/config/validators/minimum_clusters/minimum_clusters_validator_integration_test.cc @@ -91,8 +91,8 @@ class MinimumClustersValidatorIntegrationTest : public Grpc::DeltaSotwIntegratio acceptXdsConnection(); // Do the initial compareDiscoveryRequest / sendDiscoveryResponse for the clusters. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, clusters_, clusters_, {}, "7"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of @@ -164,12 +164,12 @@ TEST_P(MinimumClustersValidatorIntegrationTest, RemoveAllClustersThreshold0) { return cluster.name(); }); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "7", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {removed_clusters_names}, "8"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "7", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {removed_clusters_names}, "8"); // Receive ACK. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "8", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "8", {}, {}, {})); EXPECT_EQ(1, test_server_->gauge("cluster_manager.active_clusters")->value()); } @@ -187,13 +187,13 @@ TEST_P(MinimumClustersValidatorIntegrationTest, RemoveAllClustersThreshold1) { return cluster.name(); }); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "7", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {removed_clusters_names}, "8"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "7", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {removed_clusters_names}, "8"); // Receive NACK. EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "7", {}, {}, {}, false, + compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "7", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Internal, "CDS update attempts to reduce clusters below configured minimum.")); EXPECT_EQ(3, test_server_->gauge("cluster_manager.active_clusters")->value()); diff --git a/test/extensions/config_subscription/common/subscription_factory_impl_test.cc b/test/extensions/config_subscription/common/subscription_factory_impl_test.cc index 0c1138c604640..6477abf3cbcd2 100644 --- a/test/extensions/config_subscription/common/subscription_factory_impl_test.cc +++ b/test/extensions/config_subscription/common/subscription_factory_impl_test.cc @@ -57,7 +57,7 @@ class SubscriptionFactoryTest : public testing::Test { SubscriptionPtr subscriptionFromConfigSource(const envoy::config::core::v3::ConfigSource& config) { return THROW_OR_RETURN_VALUE(subscription_factory_.subscriptionFromConfigSource( - config, Config::TypeUrl::get().ClusterLoadAssignment, + config, Config::TestTypeUrl::get().ClusterLoadAssignment, *stats_store_.rootScope(), callbacks_, resource_decoder_, {}), SubscriptionPtr); } @@ -65,7 +65,8 @@ class SubscriptionFactoryTest : public testing::Test { SubscriptionPtr subscriptionOverAdsGrpcMux(GrpcMuxSharedPtr grpc_mux, const envoy::config::core::v3::ConfigSource& config) { return THROW_OR_RETURN_VALUE(subscription_factory_.subscriptionOverAdsGrpcMux( - grpc_mux, config, Config::TypeUrl::get().ClusterLoadAssignment, + grpc_mux, config, + Config::TestTypeUrl::get().ClusterLoadAssignment, *stats_store_.rootScope(), callbacks_, resource_decoder_, {}), SubscriptionPtr); } @@ -659,7 +660,7 @@ TEST_F(SubscriptionFactoryTest, LogWarningOnDeprecatedV2Transport) { EXPECT_THAT(subscription_factory_ .subscriptionFromConfigSource( - config, Config::TypeUrl::get().ClusterLoadAssignment, + config, Config::TestTypeUrl::get().ClusterLoadAssignment, *stats_store_.rootScope(), callbacks_, resource_decoder_, {}) .status() .message(), diff --git a/test/extensions/config_subscription/grpc/delta_subscription_impl_test.cc b/test/extensions/config_subscription/grpc/delta_subscription_impl_test.cc index 05c6fd03eb557..f378c4bec1727 100644 --- a/test/extensions/config_subscription/grpc/delta_subscription_impl_test.cc +++ b/test/extensions/config_subscription/grpc/delta_subscription_impl_test.cc @@ -82,7 +82,7 @@ TEST_P(DeltaSubscriptionImplTest, PauseQueuesAcks) { resource->set_version("version1A"); const std::string nonce = std::to_string(HashUtil::xxHash64("version1A")); message->set_nonce(nonce); - message->set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + message->set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); nonce_acks_required_.push(nonce); onDiscoveryResponse(std::move(message)); } @@ -95,7 +95,7 @@ TEST_P(DeltaSubscriptionImplTest, PauseQueuesAcks) { resource->set_version("version2A"); const std::string nonce = std::to_string(HashUtil::xxHash64("version2A")); message->set_nonce(nonce); - message->set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + message->set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); nonce_acks_required_.push(nonce); onDiscoveryResponse(std::move(message)); } @@ -108,7 +108,7 @@ TEST_P(DeltaSubscriptionImplTest, PauseQueuesAcks) { resource->set_version("version1B"); const std::string nonce = std::to_string(HashUtil::xxHash64("version1B")); message->set_nonce(nonce); - message->set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + message->set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); nonce_acks_required_.push(nonce); onDiscoveryResponse(std::move(message)); } @@ -175,8 +175,9 @@ TEST_P(DeltaSubscriptionNoGrpcStreamTest, NoGrpcStream) { } GrpcSubscriptionImplPtr subscription = std::make_unique( - xds_context, callbacks, resource_decoder, stats, Config::TypeUrl::get().ClusterLoadAssignment, - dispatcher, std::chrono::milliseconds(12345), false, SubscriptionOptions()); + xds_context, callbacks, resource_decoder, stats, + Config::TestTypeUrl::get().ClusterLoadAssignment, dispatcher, + std::chrono::milliseconds(12345), false, SubscriptionOptions()); EXPECT_CALL(*async_client, startRaw(_, _, _, _)).WillOnce(Return(nullptr)); diff --git a/test/extensions/config_subscription/grpc/delta_subscription_test_harness.h b/test/extensions/config_subscription/grpc/delta_subscription_test_harness.h index 57196a1ff8c1d..6e91199b7e05f 100644 --- a/test/extensions/config_subscription/grpc/delta_subscription_test_harness.h +++ b/test/extensions/config_subscription/grpc/delta_subscription_test_harness.h @@ -71,7 +71,7 @@ class DeltaSubscriptionTestHarness : public SubscriptionTestHarness { } subscription_ = std::make_unique( xds_context_, callbacks_, resource_decoder_, stats_, - Config::TypeUrl::get().ClusterLoadAssignment, dispatcher_, init_fetch_timeout, false, + Config::TestTypeUrl::get().ClusterLoadAssignment, dispatcher_, init_fetch_timeout, false, SubscriptionOptions()); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); } @@ -128,7 +128,7 @@ class DeltaSubscriptionTestHarness : public SubscriptionTestHarness { nonce_acks_required_.push(last_response_nonce_); last_response_nonce_ = ""; } - expected_request.set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + expected_request.set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); for (auto const& resource : initial_resource_versions) { (*expected_request.mutable_initial_resource_versions())[resource.first] = resource.second; @@ -169,7 +169,7 @@ class DeltaSubscriptionTestHarness : public SubscriptionTestHarness { last_response_nonce_ = std::to_string(HashUtil::xxHash64(version)); response->set_nonce(last_response_nonce_); response->set_system_version_info(version); - response->set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + response->set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); Protobuf::RepeatedPtrField typed_resources; for (const auto& cluster : cluster_names) { diff --git a/test/extensions/config_subscription/grpc/grpc_mux_impl_test.cc b/test/extensions/config_subscription/grpc/grpc_mux_impl_test.cc index a87b7b9844799..40628e31ddaba 100644 --- a/test/extensions/config_subscription/grpc/grpc_mux_impl_test.cc +++ b/test/extensions/config_subscription/grpc/grpc_mux_impl_test.cc @@ -308,7 +308,7 @@ TEST_P(GrpcMuxImplTest, ReconnectionResetsNonceAndAcks) { .WillRepeatedly(Return(ttl_mgr_timer)); setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = grpc_mux_->addWatch(type_url, {"x", "y"}, callbacks_, resource_decoder, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); // Send on connection. @@ -481,7 +481,7 @@ TEST_P(GrpcMuxImplTest, ResourceTTL) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; auto* ttl_timer = new Event::MockTimer(&dispatcher_); auto eds_sub = grpc_mux_->addWatch(type_url, {"x"}, callbacks_, resource_decoder, {}); @@ -642,7 +642,7 @@ TEST_P(GrpcMuxImplTest, WildcardWatch) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); @@ -680,7 +680,7 @@ TEST_P(GrpcMuxImplTest, WatchDemux) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; NiceMock foo_callbacks; auto foo_sub = grpc_mux_->addWatch(type_url, {"x", "y"}, foo_callbacks, resource_decoder, {}); NiceMock bar_callbacks; @@ -765,7 +765,7 @@ TEST_P(GrpcMuxImplTest, WatchDemux) { TEST_P(GrpcMuxImplTest, MultipleWatcherWithEmptyUpdates) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; NiceMock foo_callbacks; auto foo_sub = grpc_mux_->addWatch(type_url, {"x", "y"}, foo_callbacks, resource_decoder_, {}); @@ -787,7 +787,7 @@ TEST_P(GrpcMuxImplTest, MultipleWatcherWithEmptyUpdates) { // Validate behavior when we have Single Watcher that sends Empty updates. TEST_P(GrpcMuxImplTest, SingleWatcherWithEmptyUpdates) { setup(); - const std::string& type_url = Config::TypeUrl::get().Cluster; + const std::string& type_url = Config::TestTypeUrl::get().Cluster; NiceMock foo_callbacks; auto foo_sub = grpc_mux_->addWatch(type_url, {}, foo_callbacks, resource_decoder_, {}); @@ -972,7 +972,7 @@ TEST_P(GrpcMuxImplTest, UnwatchedTypeAcceptsEmptyResources) { EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; grpc_mux_->start(); { @@ -1008,7 +1008,7 @@ TEST_P(GrpcMuxImplTest, UnwatchedTypeRejectsResources) { EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; grpc_mux_->start(); // subscribe and unsubscribe (by not keeping the return watch) so that the type is known to envoy @@ -1107,7 +1107,7 @@ TEST_P(GrpcMuxImplTest, CacheEdsResource) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; auto eds_sub = grpc_mux_->addWatch(type_url, {"x"}, callbacks_, resource_decoder, {}); @@ -1149,7 +1149,7 @@ TEST_P(GrpcMuxImplTest, UpdateCacheEdsResource) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; auto eds_sub = grpc_mux_->addWatch(type_url, {"x"}, callbacks_, resource_decoder, {}); @@ -1197,7 +1197,7 @@ TEST_P(GrpcMuxImplTest, AddRemoveSubscriptions) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; { @@ -1275,7 +1275,7 @@ TEST_P(GrpcMuxImplTest, RemoveCachedResourceOnLastSubscription) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; NiceMock eds_sub1_callbacks; @@ -1397,7 +1397,7 @@ TEST_P(GrpcMuxImplTest, MuxDynamicReplacementFetchingResources) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); diff --git a/test/extensions/config_subscription/grpc/new_grpc_mux_impl_test.cc b/test/extensions/config_subscription/grpc/new_grpc_mux_impl_test.cc index 49a9b6e62dedd..d25687bbe469c 100644 --- a/test/extensions/config_subscription/grpc/new_grpc_mux_impl_test.cc +++ b/test/extensions/config_subscription/grpc/new_grpc_mux_impl_test.cc @@ -243,7 +243,7 @@ TEST_P(NewGrpcMuxImplTest, ReconnectionResetsNonceAndAcks) { .WillRepeatedly(Return(ttl_mgr_timer)); setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = grpc_mux_->addWatch(type_url, {"x", "y"}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); // Send on connection. @@ -303,7 +303,7 @@ TEST_P(NewGrpcMuxImplTest, ReconnectionResetsWildcardSubscription) { .WillRepeatedly(Return(ttl_mgr_timer)); setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = grpc_mux_->addWatch(type_url, {}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); // Send a wildcard request on new connection. @@ -388,7 +388,7 @@ TEST_P(NewGrpcMuxImplTest, ReconnectionResetsWildcardSubscription) { TEST_P(NewGrpcMuxImplTest, DiscoveryResponseNonexistentSub) { setup(); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto watch = grpc_mux_->addWatch(type_url, {}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); @@ -428,7 +428,7 @@ TEST_P(NewGrpcMuxImplTest, DiscoveryResponseNonexistentSub) { TEST_P(NewGrpcMuxImplTest, ConfigUpdateWithAliases) { setup(); - const std::string& type_url = Config::TypeUrl::get().VirtualHost; + const std::string& type_url = Config::TestTypeUrl::get().VirtualHost; SubscriptionOptions options; options.use_namespace_matching_ = true; auto watch = grpc_mux_->addWatch(type_url, {"prefix"}, callbacks_, resource_decoder_, options); @@ -465,7 +465,7 @@ TEST_P(NewGrpcMuxImplTest, ConfigUpdateWithAliases) { TEST_P(NewGrpcMuxImplTest, ConfigUpdateWithNotFoundResponse) { setup(); - const std::string& type_url = Config::TypeUrl::get().VirtualHost; + const std::string& type_url = Config::TestTypeUrl::get().VirtualHost; SubscriptionOptions options; options.use_namespace_matching_ = true; auto watch = grpc_mux_->addWatch(type_url, {"prefix"}, callbacks_, resource_decoder_, options); @@ -486,7 +486,7 @@ TEST_P(NewGrpcMuxImplTest, ConfigUpdateWithNotFoundResponse) { TEST_P(NewGrpcMuxImplTest, XdsTpGlobCollection) { setup(); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; xds::core::v3::ContextParams context_params; (*context_params.mutable_params())["foo"] = "bar"; EXPECT_CALL(local_info_.context_provider_, nodeContext()).WillOnce(ReturnRef(context_params)); @@ -526,7 +526,7 @@ TEST_P(NewGrpcMuxImplTest, XdsTpGlobCollection) { TEST_P(NewGrpcMuxImplTest, XdsTpSingleton) { setup(); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; EXPECT_CALL(local_info_.context_provider_, nodeContext()).Times(0); // We verify that the gRPC mux normalizes the context parameter order below. Node context // parameters are skipped. @@ -627,7 +627,7 @@ TEST_P(NewGrpcMuxImplTest, CacheEdsResource) { eds_resources_cache_ = new NiceMock(); setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto watch = grpc_mux_->addWatch(type_url, {"x"}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); @@ -672,7 +672,7 @@ TEST_P(NewGrpcMuxImplTest, UpdateCacheEdsResource) { eds_resources_cache_ = new NiceMock(); setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto watch = grpc_mux_->addWatch(type_url, {"x"}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); @@ -722,7 +722,7 @@ TEST_P(NewGrpcMuxImplTest, AddRemoveSubscriptions) { eds_resources_cache_ = new NiceMock(); setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; { auto watch1 = grpc_mux_->addWatch(type_url, {"x"}, callbacks_, resource_decoder_, {}); @@ -846,7 +846,7 @@ TEST_P(NewGrpcMuxImplTest, MuxDynamicReplacementFetchingResources) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = grpc_mux_->addWatch(type_url, {"x", "y"}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); expectSendMessage(type_url, {"x", "y"}, {}); @@ -934,7 +934,7 @@ TEST_P(NewGrpcMuxImplTest, RejectMuxDynamicReplacementRateLimitSettingsError) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = grpc_mux_->addWatch(type_url, {"x", "y"}, callbacks_, resource_decoder_, {}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); expectSendMessage(type_url, {"x", "y"}, {}); diff --git a/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc b/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc index e8756253c4670..d5ff3093dfc0b 100644 --- a/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc +++ b/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc @@ -272,17 +272,17 @@ class XdsFailoverAdsIntegrationTest : public AdsDeltaSotwIntegrationSubStatePara EXPECT_TRUE(compareDiscoveryRequest(CdsTypeUrl, "1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", xds_stream)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, false, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", xds_stream)); sendDiscoveryResponse( LdsTypeUrl, {buildSimpleListener("listener_0", "cluster_0")}, {buildSimpleListener("listener_0", "cluster_0")}, {}, "1", {}, xds_stream); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", xds_stream)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {}, false, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", xds_stream)); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -638,7 +638,7 @@ TEST_P(XdsFailoverAdsIntegrationTest, PrimaryUseAfterFailoverResponseAndDisconne EXPECT_TRUE(compareDiscoveryRequest(CdsTypeUrl, "failover1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", failover_xds_stream_.get())); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, false, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", failover_xds_stream_.get())); @@ -757,7 +757,7 @@ TEST_P(XdsFailoverAdsIntegrationTest, FailoverUseAfterFailoverResponseAndDisconn EXPECT_TRUE(compareDiscoveryRequest(CdsTypeUrl, "failover1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", failover_xds_stream_.get())); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, false, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", failover_xds_stream_.get())); @@ -881,7 +881,7 @@ TEST_P(XdsFailoverAdsIntegrationTest, EXPECT_TRUE(compareDiscoveryRequest(CdsTypeUrl, "failover1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", failover_xds_stream_.get())); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, false, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", failover_xds_stream_.get())); diff --git a/test/extensions/config_subscription/grpc/xds_grpc_mux_impl_test.cc b/test/extensions/config_subscription/grpc/xds_grpc_mux_impl_test.cc index 7f555470011e3..b63f3003c5f5c 100644 --- a/test/extensions/config_subscription/grpc/xds_grpc_mux_impl_test.cc +++ b/test/extensions/config_subscription/grpc/xds_grpc_mux_impl_test.cc @@ -373,7 +373,7 @@ TEST_P(GrpcMuxImplTest, ResourceTTL) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; auto* ttl_timer = new Event::MockTimer(&dispatcher_); auto eds_sub = makeWatch(type_url, {"x"}, callbacks_, resource_decoder); @@ -538,7 +538,7 @@ TEST_P(GrpcMuxImplTest, LogsControlPlaneIndentifier) { TEST_P(GrpcMuxImplTest, WildcardWatch) { setup(); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = makeWatch(type_url, {}, callbacks_, resource_decoder_); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); expectSendMessage(type_url, {}, "", true); @@ -571,7 +571,7 @@ TEST_P(GrpcMuxImplTest, WatchDemux) { setup(); // We will not require InSequence here: an update that causes multiple onConfigUpdates // causes them in an indeterminate order, based on the whims of the hash map. - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; NiceMock foo_callbacks; auto foo_sub = makeWatch(type_url, {"x", "y"}, foo_callbacks, resource_decoder_); @@ -660,7 +660,7 @@ TEST_P(GrpcMuxImplTest, WatchDemux) { TEST_P(GrpcMuxImplTest, MultipleWatcherWithEmptyUpdates) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; NiceMock foo_callbacks; auto foo_sub = makeWatch(type_url, {"x", "y"}, foo_callbacks, resource_decoder_); @@ -682,7 +682,7 @@ TEST_P(GrpcMuxImplTest, MultipleWatcherWithEmptyUpdates) { // Validate behavior when we have Single Watcher that sends Empty updates. TEST_P(GrpcMuxImplTest, SingleWatcherWithEmptyUpdates) { setup(); - const std::string& type_url = Config::TypeUrl::get().Cluster; + const std::string& type_url = Config::TestTypeUrl::get().Cluster; NiceMock foo_callbacks; auto foo_sub = makeWatch(type_url, {}, foo_callbacks, resource_decoder_); @@ -867,7 +867,7 @@ TEST_P(GrpcMuxImplTest, UnwatchedTypeAcceptsEmptyResources) { EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; grpc_mux_->start(); { @@ -905,7 +905,7 @@ TEST_P(GrpcMuxImplTest, UnwatchedTypeAcceptsEmptyResources) { TEST_P(GrpcMuxImplTest, UnwatchedTypeAcceptsResources) { setup(); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; grpc_mux_->start(); // subscribe and unsubscribe so that the type is known to envoy @@ -980,7 +980,7 @@ TEST_P(GrpcMuxImplTest, BadLocalInfoEmptyNodeName) { // Validate that a valid resource decoder is used after removing a subscription. TEST_P(GrpcMuxImplTest, ValidResourceDecoderAfterRemoval) { setup(); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; { // Subscribe to resource "x" with some callbacks and resource decoder. @@ -1127,7 +1127,7 @@ TEST_P(GrpcMuxImplTest, CacheEdsResource) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; auto eds_sub = makeWatch(type_url, {"x"}); @@ -1169,7 +1169,7 @@ TEST_P(GrpcMuxImplTest, UpdateCacheEdsResource) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; auto eds_sub = makeWatch(type_url, {"x"}); @@ -1216,7 +1216,7 @@ TEST_P(GrpcMuxImplTest, AddRemoveSubscriptions) { OpaqueResourceDecoderSharedPtr resource_decoder( std::make_shared>("cluster_name")); - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; InSequence s; { @@ -1329,7 +1329,7 @@ TEST_P(GrpcMuxImplTest, MuxDynamicReplacementFetchingResources) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = makeWatch(type_url, {"x", "y"}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); expectSendMessage(type_url, {"x", "y"}, "", true); @@ -1410,7 +1410,7 @@ TEST_P(GrpcMuxImplTest, RejectMuxDynamicReplacementRateLimitSettingsError) { setup(); InSequence s; - const std::string& type_url = Config::TypeUrl::get().ClusterLoadAssignment; + const std::string& type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; auto foo_sub = makeWatch(type_url, {"x", "y"}); EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); expectSendMessage(type_url, {"x", "y"}, "", true); diff --git a/test/extensions/config_subscription/rest/http_subscription_test_harness.h b/test/extensions/config_subscription/rest/http_subscription_test_harness.h index ce53d19a5c8a7..36059d460535d 100644 --- a/test/extensions/config_subscription/rest/http_subscription_test_harness.h +++ b/test/extensions/config_subscription/rest/http_subscription_test_harness.h @@ -57,7 +57,7 @@ class HttpSubscriptionTestHarness : public SubscriptionTestHarness { subscription_ = std::make_unique( local_info_, cm_, "eds_cluster", dispatcher_, random_gen_, std::chrono::milliseconds(1), std::chrono::milliseconds(1000), *method_descriptor_, - Config::TypeUrl::get().ClusterLoadAssignment, callbacks_, resource_decoder_, stats_, + Config::TestTypeUrl::get().ClusterLoadAssignment, callbacks_, resource_decoder_, stats_, init_fetch_timeout, validation_visitor_); } diff --git a/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc b/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc index 60c0b2885b6e8..0a88798f24131 100644 --- a/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc +++ b/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc @@ -54,10 +54,10 @@ class LocalRateLimitFilterIntegrationTest : public Event::TestUsingSimulatedTime RELEASE_ASSERT(result, result.message()); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {route_config_name}, true)); sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml( initial_route_config)}, "1"); @@ -86,10 +86,10 @@ class LocalRateLimitFilterIntegrationTest : public Event::TestUsingSimulatedTime RELEASE_ASSERT(result, result.message()); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"local_cluster"}, true)); sendSotwDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {TestUtility::parseYaml( initial_local_cluster_endpoints)}, "1"); @@ -633,7 +633,7 @@ TEST_P(LocalRateLimitFilterIntegrationTest, BasicTestPerRouteAndRds) { // Update route config by RDS when request is sending. Test whether RDS can work normally. sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml(update_route_config_)}, "2"); test_server_->waitForCounterGe("http.config_test.rds.basic_routes.update_success", 2); @@ -683,7 +683,7 @@ TEST_P(LocalRateLimitFilterIntegrationTest, TestLocalClusterRateLimit) { EXPECT_EQ(1.0, share_provider->getTokensShareFactor()); sendSotwDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {TestUtility::parseYaml( update_local_cluster_endpoints_)}, "2"); diff --git a/test/extensions/filters/http/lua/lua_integration_test.cc b/test/extensions/filters/http/lua/lua_integration_test.cc index 1073e232ac89c..e9ab87fc8c4eb 100644 --- a/test/extensions/filters/http/lua/lua_integration_test.cc +++ b/test/extensions/filters/http/lua/lua_integration_test.cc @@ -184,10 +184,10 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { RELEASE_ASSERT(result, result.message()); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {route_config_name}, true)); sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml( initial_route_config)}, "1"); @@ -1244,7 +1244,7 @@ TEST_P(LuaIntegrationTest, RdsTestOfLuaPerRoute) { // Update route config by RDS. Test whether RDS can work normally. sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml(UPDATE_ROUTE_CONFIG)}, "2"); test_server_->waitForCounterGe("http.config_test.rds.basic_lua_routes.update_success", 2); diff --git a/test/extensions/filters/http/oauth2/oauth_integration_test.cc b/test/extensions/filters/http/oauth2/oauth_integration_test.cc index 5b8dd1005ba71..9d297acd32f97 100644 --- a/test/extensions/filters/http/oauth2/oauth_integration_test.cc +++ b/test/extensions/filters/http/oauth2/oauth_integration_test.cc @@ -132,7 +132,7 @@ class OauthIntegrationTest : public HttpIntegrationTest, const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); for (const auto& listener_config : listener_configs) { response.add_resources()->PackFrom(listener_config); } diff --git a/test/extensions/filters/http/on_demand/odcds_integration_test.cc b/test/extensions/filters/http/on_demand/odcds_integration_test.cc index 8f37dbd8b8370..0c96b90e678ae 100644 --- a/test/extensions/filters/http/on_demand/odcds_integration_test.cc +++ b/test/extensions/filters/http/on_demand/odcds_integration_test.cc @@ -316,12 +316,12 @@ TEST_P(OdCdsIntegrationTest, OnDemandClusterDiscoveryWorksWithClusterHeader) { RELEASE_ASSERT(result, result.message()); odcds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); waitForNextUpstreamRequest(new_cluster_upstream_idx_); // Send response headers, and end_stream if there is no response body. @@ -359,12 +359,12 @@ TEST_P(OdCdsIntegrationTest, OnDemandClusterDiscoveryRemembersDiscoveredCluster) RELEASE_ASSERT(result, result.message()); odcds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); waitForNextUpstreamRequest(new_cluster_upstream_idx_); // Send response headers, and end_stream if there is no response body. @@ -407,7 +407,7 @@ TEST_P(OdCdsIntegrationTest, OnDemandClusterDiscoveryTimesOut) { RELEASE_ASSERT(result, result.message()); odcds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); // not sending a response to trigger the timeout @@ -441,12 +441,12 @@ TEST_P(OdCdsIntegrationTest, OnDemandClusterDiscoveryForNonexistentCluster) { RELEASE_ASSERT(result, result.message()); odcds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {}, {"new_cluster"}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {}, {"new_cluster"}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); ASSERT_TRUE(response->waitForEndStream()); verifyResponse(std::move(response), "503", {}, {}); @@ -544,19 +544,19 @@ class OdCdsAdsIntegrationTest : public AdsIntegrationTest { void doInitialCommunications() { // initial cluster query - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {}, {}, true)); - sendDeltaDiscoveryResponse(Config::TypeUrl::get().Cluster, - {}, {}, "1"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {}, true)); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {}, "1"); // initial listener query - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Listener, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); auto odcds_listener = buildListener(); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Listener, {odcds_listener}, {}, "2"); + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); // acks - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {}, {})); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Listener, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); // listener got acked, so register the http port now. test_server_->waitUntilListenersReady(); @@ -590,10 +590,10 @@ TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryWorksWithClusterHeader) {"Pick-This-Cluster", "new_cluster"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {})); - sendDeltaDiscoveryResponse(Config::TypeUrl::get().Cluster, - {new_cluster_}, {}, "3"); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {})); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); waitForNextUpstreamRequest(new_cluster_upstream_idx_); // Send response headers, and end_stream if there is no response body. @@ -623,10 +623,10 @@ TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryRemembersDiscoveredClust {"Pick-This-Cluster", "new_cluster"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {})); - sendDeltaDiscoveryResponse(Config::TypeUrl::get().Cluster, - {new_cluster_}, {}, "3"); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {})); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); waitForNextUpstreamRequest(new_cluster_upstream_idx_); // Send response headers, and end_stream if there is no response body. @@ -661,7 +661,7 @@ TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryTimesOut) { {"Pick-This-Cluster", "new_cluster"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {})); // not sending a response ASSERT_TRUE(response->waitForEndStream()); @@ -686,10 +686,10 @@ TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryAsksForNonexistentCluste {"Pick-This-Cluster", "new_cluster"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {})); - sendDeltaDiscoveryResponse(Config::TypeUrl::get().Cluster, - {}, {"new_cluster"}, "3"); - EXPECT_TRUE(compareRequest(Config::TypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {})); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {"new_cluster"}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); ASSERT_TRUE(response->waitForEndStream()); verifyResponse(std::move(response), "503", {}, {}); @@ -864,12 +864,12 @@ on_demand: true RELEASE_ASSERT(result, result.message()); odcds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, - odcds_stream_.get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, + {}, odcds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); waitForNextUpstreamRequest(new_cluster_upstream_idx_); // Send response headers, and end_stream if there is no response body. diff --git a/test/extensions/filters/http/on_demand/on_demand_integration_test.cc b/test/extensions/filters/http/on_demand/on_demand_integration_test.cc index bdaa4d013cbae..a64e69cfc7bdc 100644 --- a/test/extensions/filters/http/on_demand/on_demand_integration_test.cc +++ b/test/extensions/filters/http/on_demand/on_demand_integration_test.cc @@ -362,9 +362,9 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsVirtualHostAddUpdateRemove) { // A spontaneous VHDS DiscoveryResponse adds two virtual hosts sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, buildVirtualHost1(), {}, "2", vhds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + Config::TestTypeUrl::get().VirtualHost, buildVirtualHost1(), {}, "2", vhds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); testRouterHeaderOnlyRequestAndResponse(nullptr, 1, "/one", "vhost.first"); cleanupUpstreamAndDownstream(); @@ -375,10 +375,10 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsVirtualHostAddUpdateRemove) { // A spontaneous VHDS DiscoveryResponse removes newly added virtual hosts sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, {}, {"my_route/vhost_1", "my_route/vhost_2"}, "3", + Config::TestTypeUrl::get().VirtualHost, {}, {"my_route/vhost_1", "my_route/vhost_2"}, "3", vhds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); // an upstream request to an (now) unknown domain codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); @@ -388,11 +388,11 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsVirtualHostAddUpdateRemove) { {":authority", "vhost.first"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost.first")}, {}, vhds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, {buildVirtualHost2()}, {}, "4", vhds_stream_.get(), + Config::TestTypeUrl::get().VirtualHost, {buildVirtualHost2()}, {}, "4", vhds_stream_.get(), {"my_route/vhost.first"}); waitForNextUpstreamRequest(1); @@ -422,9 +422,9 @@ TEST_P(OnDemandVhdsIntegrationTest, RdsWithVirtualHostsVhdsVirtualHostAddUpdateR // A spontaneous VHDS DiscoveryResponse adds two virtual hosts sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, buildVirtualHost1(), {}, "2", vhds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + Config::TestTypeUrl::get().VirtualHost, buildVirtualHost1(), {}, "2", vhds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); // verify that rds-based virtual host can be resolved testRouterHeaderOnlyRequestAndResponse(nullptr, 1, "/rdsone", "vhost.rds.first"); @@ -439,10 +439,10 @@ TEST_P(OnDemandVhdsIntegrationTest, RdsWithVirtualHostsVhdsVirtualHostAddUpdateR // A spontaneous VHDS DiscoveryResponse removes virtual hosts added via vhds sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, {}, {"my_route/vhost_1", "my_route/vhost_2"}, "3", + Config::TestTypeUrl::get().VirtualHost, {}, {"my_route/vhost_1", "my_route/vhost_2"}, "3", vhds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); // verify rds-based virtual host is still present testRouterHeaderOnlyRequestAndResponse(nullptr, 1, "/rdsone", "vhost.rds.first"); @@ -456,11 +456,11 @@ TEST_P(OnDemandVhdsIntegrationTest, RdsWithVirtualHostsVhdsVirtualHostAddUpdateR {":authority", "vhost.first"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost.first")}, {}, vhds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, {buildVirtualHost2()}, {}, "4", vhds_stream_.get(), + Config::TestTypeUrl::get().VirtualHost, {buildVirtualHost2()}, {}, "4", vhds_stream_.get(), {"my_route/vhost.first"}); waitForNextUpstreamRequest(1); @@ -497,7 +497,7 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsOnDemandUpdateWithResourceNameAsAlias) { {":authority", "vhost_1"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost_1")}, {}, vhds_stream_.get())); @@ -543,7 +543,7 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsOnDemandUpdateFailToResolveTheAlias) { {":authority", "vhost.third"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost.third")}, {}, vhds_stream_.get())); // Send an empty response back (the management server isn't aware of vhost.third) @@ -582,7 +582,7 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsOnDemandUpdateFailToResolveOneAliasOutOf {":authority", "vhost.third"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost.third")}, {}, vhds_stream_.get())); // Send an empty response back (the management server isn't aware of vhost.third) @@ -615,7 +615,7 @@ TEST_P(OnDemandVhdsIntegrationTest, VhdsOnDemandUpdateHttpConnectionCloses) { auto encoder_decoder = codec_client_->startRequest(request_headers); Http::RequestEncoder& encoder = encoder_decoder.first; IntegrationStreamDecoderPtr response = std::move(encoder_decoder.second); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost_1")}, {}, vhds_stream_.get())); @@ -654,13 +654,13 @@ TEST_P(OnDemandVhdsIntegrationTest, MultipleUpdates) { {":authority", "vhost.first"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost.first")}, {}, vhds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, {buildVirtualHost2()}, {}, "4", vhds_stream_.get(), + Config::TestTypeUrl::get().VirtualHost, {buildVirtualHost2()}, {}, "4", vhds_stream_.get(), {"my_route/vhost.first"}); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); waitForNextUpstreamRequest(1); @@ -682,15 +682,15 @@ TEST_P(OnDemandVhdsIntegrationTest, MultipleUpdates) { {":authority", "vhost.second"}, {"x-lyft-user-id", "123"}}; IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {vhdsRequestResourceName("vhost.second")}, {}, vhds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, + Config::TestTypeUrl::get().VirtualHost, {TestUtility::parseYaml( virtualHostYaml("my_route/vhost_2", "vhost.second"))}, {}, "4", vhds_stream_.get(), {"my_route/vhost.second"}); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); waitForNextUpstreamRequest(1); @@ -706,13 +706,13 @@ TEST_P(OnDemandVhdsIntegrationTest, MultipleUpdates) { { // Attempt to push updates for both vhost.first and vhost.second sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, + Config::TestTypeUrl::get().VirtualHost, {TestUtility::parseYaml( fmt::format(VhostTemplateAfterUpdate, "my_route/vhost_1", "vhost.first")), TestUtility::parseYaml( fmt::format(VhostTemplateAfterUpdate, "my_route/vhost_2", "vhost.second"))}, {}, "5", vhds_stream_.get()); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); // verify that both virtual hosts have been updated @@ -739,24 +739,24 @@ TEST_P(OnDemandVhdsIntegrationTest, AttemptAddingDuplicateDomainNames) { // A spontaneous VHDS DiscoveryResponse with duplicate domains that results in an error in the // ack. sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, + Config::TestTypeUrl::get().VirtualHost, {TestUtility::parseYaml( virtualHostYaml("my_route/vhost_1", "vhost.duplicate")), TestUtility::parseYaml( virtualHostYaml("my_route/vhost_2", "vhost.duplicate"))}, {}, "2", vhds_stream_.get()); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get(), 13, "Only unique values for domains are permitted")); // Another update, this time valid, should result in no errors sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, + Config::TestTypeUrl::get().VirtualHost, {TestUtility::parseYaml( virtualHostYaml("my_route/vhost_3", "vhost.third"))}, {}, "2", vhds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); cleanupUpstreamAndDownstream(); } diff --git a/test/extensions/filters/udp/udp_proxy/udp_session_extension_discovery_integration_test.cc b/test/extensions/filters/udp/udp_proxy/udp_session_extension_discovery_integration_test.cc index adc539a23aca9..15e39ca37d720 100644 --- a/test/extensions/filters/udp/udp_proxy/udp_session_extension_discovery_integration_test.cc +++ b/test/extensions/filters/udp/udp_proxy/udp_session_extension_discovery_integration_test.cc @@ -207,7 +207,7 @@ name: udp_proxy void sendLdsResponse(const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); response.add_resources()->PackFrom(listener_config_); lds_stream_->sendGrpcMessage(response); } diff --git a/test/extensions/load_balancing_policies/client_side_weighted_round_robin/integration_test.cc b/test/extensions/load_balancing_policies/client_side_weighted_round_robin/integration_test.cc index 98da83e1c2008..a4a587d7267fb 100644 --- a/test/extensions/load_balancing_policies/client_side_weighted_round_robin/integration_test.cc +++ b/test/extensions/load_balancing_policies/client_side_weighted_round_robin/integration_test.cc @@ -217,8 +217,8 @@ class ClientSideWeightedRoundRobinXdsIntegrationTest // Do the initial compareDiscoveryRequest / sendDiscoveryResponse for // cluster_1. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "55"); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 2); @@ -329,9 +329,9 @@ TEST_P(ClientSideWeightedRoundRobinXdsIntegrationTest, ClusterUpDownUp) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {FirstClusterName}, "42"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {FirstClusterName}, "42"); // We can continue the test once we're sure that Envoy's ClusterManager has // made use of the DiscoveryResponse that says cluster_1 is gone. test_server_->waitForCounterGe("cluster_manager.cluster_removed", 1); @@ -347,8 +347,8 @@ TEST_P(ClientSideWeightedRoundRobinXdsIntegrationTest, ClusterUpDownUp) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is back. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "42", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "42", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, "413"); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 2); @@ -368,9 +368,9 @@ TEST_P(ClientSideWeightedRoundRobinXdsIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_2 is here. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); // Wait for the cluster to be active (two upstream clusters plus the CDS // cluster). test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); @@ -381,9 +381,9 @@ TEST_P(ClientSideWeightedRoundRobinXdsIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "42", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "42", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster2_}, {}, {FirstClusterName}, "43"); + Config::TestTypeUrl::get().Cluster, {cluster2_}, {}, {FirstClusterName}, "43"); // We can continue the test once we're sure that Envoy's ClusterManager has // made use of the DiscoveryResponse that says cluster_1 is gone. test_server_->waitForCounterGe("cluster_manager.cluster_removed", 1); @@ -393,9 +393,9 @@ TEST_P(ClientSideWeightedRoundRobinXdsIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is back. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "43", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "43", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_}, {}, "413"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_}, {}, "413"); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); testRouterHeaderOnlyRequestAndResponse(nullptr, FirstUpstreamIndex, "/cluster1"); cleanupUpstreamAndDownstream(); diff --git a/test/integration/ads_integration.cc b/test/integration/ads_integration.cc index 41c82b5565633..335e7f014e35e 100644 --- a/test/integration/ads_integration.cc +++ b/test/integration/ads_integration.cc @@ -178,33 +178,34 @@ void AdsIntegrationTest::initializeAds(const bool rate_limiting) { void AdsIntegrationTest::testBasicFlow() { // Send initial configuration, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -218,25 +219,26 @@ void AdsIntegrationTest::testBasicFlow() { // Upgrade RDS/CDS/EDS to a newer config, validate we can process a request. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("cluster_1"), buildCluster("cluster_2")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_1"), buildCluster("cluster_2")}, {buildCluster("cluster_1"), buildCluster("cluster_2")}, {"cluster_0"}, "2"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 2); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_1"), buildClusterLoadAssignment("cluster_2")}, {buildClusterLoadAssignment("cluster_1"), buildClusterLoadAssignment("cluster_2")}, {"cluster_0"}, "2"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_2", "cluster_1"}, {"cluster_2", "cluster_1"}, {"cluster_0"})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "2", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"cluster_2", "cluster_1"}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_1")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_1")}, {buildRouteConfig("route_config_0", "cluster_1")}, {}, "2"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "2", {"route_config_0"}, {}, {})); makeSingleRequest(); @@ -249,27 +251,27 @@ void AdsIntegrationTest::testBasicFlow() { // Upgrade LDS/RDS, validate we can process a request. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, + Config::TestTypeUrl::get().Listener, {buildListener("listener_1", "route_config_1"), buildListener("listener_2", "route_config_2")}, {buildListener("listener_1", "route_config_1"), buildListener("listener_2", "route_config_2")}, {"listener_0"}, "2"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "2", {"route_config_2", "route_config_1", "route_config_0"}, {"route_config_2", "route_config_1"}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "2", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "2", {"route_config_2", "route_config_1"}, {}, {"route_config_0"})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_1", "cluster_1"), buildRouteConfig("route_config_2", "cluster_1")}, {buildRouteConfig("route_config_1", "cluster_1"), buildRouteConfig("route_config_2", "cluster_1")}, {"route_config_0"}, "3"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "3", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "3", {"route_config_2", "route_config_1"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 2); diff --git a/test/integration/ads_integration_test.cc b/test/integration/ads_integration_test.cc index dfb00421efd85..0ecb723633caf 100644 --- a/test/integration/ads_integration_test.cc +++ b/test/integration/ads_integration_test.cc @@ -455,68 +455,69 @@ TEST_P(AdsIntegrationTest, Failure) { // Send initial configuration, failing each xDS once (via a type mismatch), validate we can // process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().Cluster, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().Cluster, "", {}, {}, {}, false, - Grpc::Status::WellKnownGrpcStatus::Internal, - fmt::format("does not match the message-wide type URL {}", Config::TypeUrl::get().Cluster))); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, false, + Grpc::Status::WellKnownGrpcStatus::Internal, + fmt::format("does not match the message-wide type URL {}", + Config::TestTypeUrl::get().Cluster))); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildCluster("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", - {"cluster_0"}, {}, {}, false, - Grpc::Status::WellKnownGrpcStatus::Internal, - fmt::format("does not match the message-wide type URL {}", - Config::TypeUrl::get().ClusterLoadAssignment))); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE( + compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, + {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Internal, + fmt::format("does not match the message-wide type URL {}", + Config::TestTypeUrl::get().ClusterLoadAssignment))); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildRouteConfig("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildRouteConfig("listener_0", "route_config_0")}, {buildRouteConfig("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().Listener, "", {}, {}, {}, false, - Grpc::Status::WellKnownGrpcStatus::Internal, - fmt::format("does not match the message-wide type URL {}", Config::TypeUrl::get().Listener))); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false, + Grpc::Status::WellKnownGrpcStatus::Internal, + fmt::format("does not match the message-wide type URL {}", + Config::TestTypeUrl::get().Listener))); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildListener("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, {buildListener("route_config_0", "cluster_0")}, {buildListener("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Internal, fmt::format("does not match the message-wide type URL {}", - Config::TypeUrl::get().RouteConfiguration))); + Config::TestTypeUrl::get().RouteConfiguration))); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -527,19 +528,19 @@ TEST_P(AdsIntegrationTest, Failure) { // Regression test for https://github.com/envoyproxy/envoy/issues/9682. TEST_P(AdsIntegrationTest, ResendNodeOnStreamReset) { initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); // A second CDS request should be sent so that the node is cleared in the cached request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); xds_stream_->finishGrpcStream(Grpc::Status::Internal); AssertionResult result = xds_connection_->waitForNewStream(*dispatcher_, xds_stream_); @@ -549,8 +550,8 @@ TEST_P(AdsIntegrationTest, ResendNodeOnStreamReset) { // In SotW cluster_0 will be in the resource_names, but in delta-xDS // resource_names_subscribe and resource_names_unsubscribe must be empty for // a wildcard request (cluster_0 will appear in initial_resource_versions). - EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {"cluster_0"}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {"cluster_0"}, {}, + {}, true)); } // Verifies that upon stream reconnection: @@ -559,24 +560,24 @@ TEST_P(AdsIntegrationTest, ResendNodeOnStreamReset) { // Regression test for https://github.com/envoyproxy/envoy/issues/16063. TEST_P(AdsIntegrationTest, ResourceNamesOnStreamReset) { initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); // A second CDS request should be sent so that the node is cleared in the cached request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // The LDS request, which returns no resources in the DiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Listener, {}, - {}, {}, "1"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Listener, + {}, {}, {}, "1"); xds_stream_->finishGrpcStream(Grpc::Status::Internal); AssertionResult result = xds_connection_->waitForNewStream(*dispatcher_, xds_stream_); @@ -589,11 +590,11 @@ TEST_P(AdsIntegrationTest, ResourceNamesOnStreamReset) { // In SotW cluster_0 will be in the resource_names, but in delta-xDS // resource_names_subscribe and resource_names_unsubscribe must be empty for // a wildcard request (cluster_0 will appear in initial_resource_versions). - EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {"cluster_0"}, {}, {}, true)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {"cluster_0"}, {}, + {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {"cluster_0"}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); } // Validate that the request with duplicate listeners is rejected. @@ -601,23 +602,23 @@ TEST_P(AdsIntegrationTest, DuplicateWarmingListeners) { initialize(); // Send initial configuration, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); // Send duplicate listeners and validate that the update is rejected. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, + Config::TestTypeUrl::get().Listener, {buildListener("duplicae_listener", "route_config_0"), buildListener("duplicae_listener", "route_config_0")}, {buildListener("duplicae_listener", "route_config_0"), @@ -630,7 +631,7 @@ TEST_P(AdsIntegrationTest, DuplicateWarmingListeners) { TEST_P(AdsIntegrationTest, DEPRECATED_FEATURE_TEST(RejectV2TransportConfigByDefault)) { initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); auto cluster = buildCluster("cluster_0"); auto* api_config_source = cluster.mutable_eds_cluster_config()->mutable_eds_config()->mutable_api_config_source(); @@ -638,7 +639,7 @@ TEST_P(AdsIntegrationTest, DEPRECATED_FEATURE_TEST(RejectV2TransportConfigByDefa api_config_source->set_transport_api_version(envoy::config::core::v3::V2); envoy::config::core::v3::GrpcService* grpc_service = api_config_source->add_grpc_services(); setGrpcService(*grpc_service, "ads_cluster", xds_upstream_->localAddress()); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster}, {cluster}, {}, "1"); test_server_->waitForCounterGe("cluster_manager.cds.update_rejected", 1); } @@ -648,17 +649,18 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsWithNoRdsChanges) { initialize(); // Send initial configuration. - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -667,13 +669,15 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsWithNoRdsChanges) { // Update existing LDS (change stat_prefix). sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0", "rds_crash")}, + Config::TestTypeUrl::get().Listener, + {buildListener("listener_0", "route_config_0", "rds_crash")}, {buildListener("listener_0", "route_config_0", "rds_crash")}, {}, "2"); test_server_->waitForCounterGe("listener_manager.listener_create_success", 2); // Update existing RDS (no changes). sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "2"); // Validate that we can process a request again @@ -684,54 +688,56 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsWithNoRdsChanges) { // an active cluster is replaced by a newer cluster undergoing warming. TEST_P(AdsIntegrationTest, CdsEdsReplacementWarming) { initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); makeSingleRequest(); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildTlsCluster("cluster_0")}, + Config::TestTypeUrl::get().Cluster, {buildTlsCluster("cluster_0")}, {buildTlsCluster("cluster_0")}, {}, "2"); // Inconsistent SotW and delta behaviors for warming, see // https://github.com/envoyproxy/envoy/issues/11477#issuecomment-657855029. // TODO (dmitri-d) this should be remove when legacy mux implementations have been removed. if (sotw_or_delta_ == Grpc::SotwOrDelta::Sotw) { - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); } sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildTlsClusterLoadAssignment("cluster_0")}, - {buildTlsClusterLoadAssignment("cluster_0")}, {}, "2"); + Config::TestTypeUrl::get().ClusterLoadAssignment, + {buildTlsClusterLoadAssignment("cluster_0")}, {buildTlsClusterLoadAssignment("cluster_0")}, + {}, "2"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "2", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"cluster_0"}, {}, {})); } @@ -742,38 +748,39 @@ TEST_P(AdsIntegrationTest, CdsKeepEdsAfterWarmingFailure) { // (only the runtime guard should be removed). config_helper_.addRuntimeOverride("envoy.restart_features.use_eds_cache_for_ads", "true"); initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); envoy::config::cluster::v3::Cluster cluster = buildCluster("cluster_0"); // Set a small EDS subscription expiration. cluster.mutable_eds_cluster_config() ->mutable_eds_config() ->mutable_initial_fetch_timeout() ->set_nanos(100 * 1000 * 1000); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster}, {cluster}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -781,13 +788,13 @@ TEST_P(AdsIntegrationTest, CdsKeepEdsAfterWarmingFailure) { // Update a cluster's field (connect_timeout) so the cluster in Envoy will be explicitly updated. cluster.mutable_connect_timeout()->set_seconds(7); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster}, {cluster}, {}, "2"); // Inconsistent SotW and delta behaviors for warming, see // https://github.com/envoyproxy/envoy/issues/11477#issuecomment-657855029. // TODO (dmitri-d) this should be remove when legacy mux implementations have been removed. if (sotw_or_delta_ == Grpc::SotwOrDelta::Sotw) { - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); } @@ -796,10 +803,10 @@ TEST_P(AdsIntegrationTest, CdsKeepEdsAfterWarmingFailure) { test_server_->waitForCounterGe("cluster.cluster_0.init_fetch_timeout", 1); if (sotw_or_delta_ == Grpc::SotwOrDelta::Sotw) { // Expect another EDS request after the previous one wasn't answered and timed out. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); } - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {}, {}, {})); // Envoy uses the cached resource. EXPECT_EQ(1, test_server_->counter("cluster.cluster_0.assignment_use_cached")->value()); @@ -815,7 +822,7 @@ TEST_P(AdsIntegrationTest, DoubleClustersCachedLoadAssignment) { // (only the runtime guard should be removed). config_helper_.addRuntimeOverride("envoy.restart_features.use_eds_cache_for_ads", "true"); initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); envoy::config::cluster::v3::Cluster cluster0 = buildCluster("cluster_0"); envoy::config::cluster::v3::Cluster cluster1 = buildCluster("cluster_1"); // Set a small EDS subscription expiration. @@ -831,30 +838,31 @@ TEST_P(AdsIntegrationTest, DoubleClustersCachedLoadAssignment) { cluster0.mutable_eds_cluster_config()->set_service_name("same_eds"); cluster1.mutable_eds_cluster_config()->set_service_name("same_eds"); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster0, cluster1}, {cluster0, cluster1}, {}, "1"); + Config::TestTypeUrl::get().Cluster, {cluster0, cluster1}, {cluster0, cluster1}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"same_eds"}, {"same_eds"}, {})); auto cla_0 = buildClusterLoadAssignment("same_eds"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cla_0}, {cla_0}, {}, "1"); + Config::TestTypeUrl::get().ClusterLoadAssignment, {cla_0}, {cla_0}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"same_eds"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); makeSingleRequest(); @@ -864,12 +872,12 @@ TEST_P(AdsIntegrationTest, DoubleClustersCachedLoadAssignment) { cluster0.mutable_connect_timeout()->set_seconds(7); cluster1.mutable_connect_timeout()->set_seconds(7); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster0, cluster1}, {cluster0, cluster1}, {}, "2"); + Config::TestTypeUrl::get().Cluster, {cluster0, cluster1}, {cluster0, cluster1}, {}, "2"); // Inconsistent SotW and delta behaviors for warming, see // https://github.com/envoyproxy/envoy/issues/11477#issuecomment-657855029. // TODO (dmitri-d) this should be remove when legacy mux implementations have been removed. if (sotw_or_delta_ == Grpc::SotwOrDelta::Sotw) { - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"same_eds"}, {}, {})); } @@ -879,12 +887,12 @@ TEST_P(AdsIntegrationTest, DoubleClustersCachedLoadAssignment) { if (sotw_or_delta_ == Grpc::SotwOrDelta::Sotw) { // Expect another EDS request after the previous one wasn't answered and timed out. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"same_eds"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"same_eds"}, {}, {})); } - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {}, {}, {})); // Envoy uses the cached resource. EXPECT_EQ(1, test_server_->counter("cluster.cluster_0.assignment_use_cached")->value()); @@ -894,7 +902,7 @@ TEST_P(AdsIntegrationTest, DoubleClustersCachedLoadAssignment) { // Now send an EDS update. cla_0.mutable_policy()->mutable_overprovisioning_factor()->set_value(141); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cla_0}, {cla_0}, {}, "2"); + Config::TestTypeUrl::get().ClusterLoadAssignment, {cla_0}, {cla_0}, {}, "2"); // Wait for ingesting the update. test_server_->waitForCounterEq("cluster.cluster_0.update_success", 2); @@ -910,9 +918,9 @@ TEST_P(AdsIntegrationTest, DuplicateInitialClusters) { // Send initial configuration, failing each xDS once (via a type mismatch), validate we can // process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, + Config::TestTypeUrl::get().Cluster, {buildCluster("duplicate_cluster"), buildCluster("duplicate_cluster")}, {buildCluster("duplicate_cluster"), buildCluster("duplicate_cluster")}, {}, "1"); @@ -925,33 +933,34 @@ TEST_P(AdsIntegrationTest, DuplicateWarmingClusters) { initialize(); // Send initial configuration, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -959,7 +968,7 @@ TEST_P(AdsIntegrationTest, DuplicateWarmingClusters) { // Send duplicate warming clusters and validate that the update is rejected. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, + Config::TestTypeUrl::get().Cluster, {buildCluster("duplicate_cluster"), buildCluster("duplicate_cluster")}, {buildCluster("duplicate_cluster"), buildCluster("duplicate_cluster")}, {}, "2"); test_server_->waitForCounterGe("cluster_manager.cds.update_rejected", 1); @@ -970,33 +979,34 @@ TEST_P(AdsIntegrationTest, CdsPausedDuringWarming) { initialize(); // Send initial configuration, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -1004,31 +1014,31 @@ TEST_P(AdsIntegrationTest, CdsPausedDuringWarming) { // Send the first warming cluster. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("warming_cluster_1")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("warming_cluster_1")}, {buildCluster("warming_cluster_1")}, {"cluster_0"}, "2"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); test_server_->waitForGaugeEq("cluster.warming_cluster_1.warming_state", 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"warming_cluster_1"}, {"warming_cluster_1"}, {"cluster_0"})); // Send the second warming cluster. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, + Config::TestTypeUrl::get().Cluster, {buildCluster("warming_cluster_1"), buildCluster("warming_cluster_2")}, {buildCluster("warming_cluster_1"), buildCluster("warming_cluster_2")}, {}, "3"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 2); test_server_->waitForGaugeEq("cluster.warming_cluster_2.warming_state", 1); // We would've got a Cluster discovery request with version 2 here, had the CDS not been paused. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"warming_cluster_2", "warming_cluster_1"}, {"warming_cluster_2"}, {})); // Finish warming the clusters. sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("warming_cluster_1"), buildClusterLoadAssignment("warming_cluster_2")}, {buildClusterLoadAssignment("warming_cluster_1"), @@ -1046,10 +1056,10 @@ TEST_P(AdsIntegrationTest, CdsPausedDuringWarming) { // Envoy will ACK both Cluster messages. Since they arrived while CDS was paused, they aren't // sent until CDS is unpaused. Since version 3 has already arrived by the time the version 2 // ACK goes out, they're both acknowledging version 3. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "3", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "3", {}, {}, {})); } - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "3", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "3", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"warming_cluster_2", "warming_cluster_1"}, {}, {})); } @@ -1057,33 +1067,34 @@ TEST_P(AdsIntegrationTest, RemoveWarmingCluster) { initialize(); // Send initial configuration, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -1091,16 +1102,16 @@ TEST_P(AdsIntegrationTest, RemoveWarmingCluster) { // Send the first warming cluster. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("warming_cluster_1")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("warming_cluster_1")}, {buildCluster("warming_cluster_1")}, {"cluster_0"}, "2"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"warming_cluster_1"}, {"warming_cluster_1"}, {"cluster_0"})); // Send the second warming cluster and remove the first cluster. - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("warming_cluster_2")}, {buildCluster("warming_cluster_2")}, // Delta: remove warming_cluster_1. @@ -1108,14 +1119,14 @@ TEST_P(AdsIntegrationTest, RemoveWarmingCluster) { test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); // We would've got a Cluster discovery request with version 2 here, had the CDS not been paused. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"warming_cluster_2"}, {"warming_cluster_2"}, {"warming_cluster_1"})); // Finish warming the clusters. Note that the first warming cluster is not included in the // response. sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("warming_cluster_2")}, {buildClusterLoadAssignment("warming_cluster_2")}, {"cluster_0"}, "2"); @@ -1129,10 +1140,10 @@ TEST_P(AdsIntegrationTest, RemoveWarmingCluster) { // Envoy will ACK both Cluster messages. Since they arrived while CDS was paused, they aren't // sent until CDS is unpaused. Since version 3 has already arrived by the time the version 2 // ACK goes out, they're both acknowledging version 3. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "3", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "3", {}, {}, {})); } - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "3", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "2", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "3", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"warming_cluster_2"}, {}, {})); } // Validate that warming listeners are removed when left out of SOTW update. @@ -1140,33 +1151,34 @@ TEST_P(AdsIntegrationTest, RemoveWarmingListener) { initialize(); // Send initial configuration to start workers, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -1174,23 +1186,23 @@ TEST_P(AdsIntegrationTest, RemoveWarmingListener) { // Send a listener without its route, so it will be added as warming. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0"), buildListener("warming_listener_1", "nonexistent_route")}, {buildListener("warming_listener_1", "nonexistent_route")}, {}, "2"); test_server_->waitForGaugeEq("listener_manager.total_listeners_warming", 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"nonexistent_route", "route_config_0"}, {"nonexistent_route"}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "2", {}, {}, {})); // Send a request removing the warming listener. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {"warming_listener_1"}, "3"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {"nonexistent_route"})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "3", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "3", {}, {}, {})); // The warming listener should be successfully removed. test_server_->waitForCounterEq("listener_manager.listener_removed", 1); @@ -1202,33 +1214,34 @@ TEST_P(AdsIntegrationTest, ClusterWarmingOnNamedResponse) { initialize(); // Send initial configuration, validate we can process a request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -1236,27 +1249,27 @@ TEST_P(AdsIntegrationTest, ClusterWarmingOnNamedResponse) { // Send the first warming cluster. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("warming_cluster_1")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("warming_cluster_1")}, {buildCluster("warming_cluster_1")}, {"cluster_0"}, "2"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"warming_cluster_1"}, {"warming_cluster_1"}, {"cluster_0"})); // Send the second warming cluster. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, + Config::TestTypeUrl::get().Cluster, {buildCluster("warming_cluster_1"), buildCluster("warming_cluster_2")}, {buildCluster("warming_cluster_1"), buildCluster("warming_cluster_2")}, {}, "3"); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 2); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"warming_cluster_2", "warming_cluster_1"}, {"warming_cluster_2"}, {})); // Finish warming the first cluster. sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("warming_cluster_1")}, {buildClusterLoadAssignment("warming_cluster_1")}, {}, "2"); @@ -1277,7 +1290,7 @@ TEST_P(AdsIntegrationTest, ClusterWarmingOnNamedResponse) { // Finish warming the second cluster. sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("warming_cluster_2")}, {buildClusterLoadAssignment("warming_cluster_2")}, {}, "3"); @@ -1291,17 +1304,18 @@ TEST_P(AdsIntegrationTest, ListenerWarmingOnNamedResponse) { initialize(); // Send initial configuration. - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -1311,13 +1325,14 @@ TEST_P(AdsIntegrationTest, ListenerWarmingOnNamedResponse) { // Update existing listener - update stat prefix, use the same route name. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("cluster_1")}, {buildCluster("cluster_1")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_1")}, {buildCluster("cluster_1")}, {"cluster_0"}, "2"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_1")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_1")}, {buildClusterLoadAssignment("cluster_1")}, {"cluster_0"}, "2"); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0", "rds_test")}, + Config::TestTypeUrl::get().Listener, + {buildListener("listener_0", "route_config_0", "rds_test")}, {buildListener("listener_0", "route_config_0", "rds_test")}, {}, "2"); // Validate that listener is updated correctly and does not get in to warming state. @@ -1326,7 +1341,8 @@ TEST_P(AdsIntegrationTest, ListenerWarmingOnNamedResponse) { // Update listener with a new route. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_1", "rds_test")}, + Config::TestTypeUrl::get().Listener, + {buildListener("listener_0", "route_config_1", "rds_test")}, {buildListener("listener_0", "route_config_1", "rds_test")}, {}, "2"); // Validate that the listener gets in to warming state waiting for RDS. @@ -1335,7 +1351,8 @@ TEST_P(AdsIntegrationTest, ListenerWarmingOnNamedResponse) { // Send the new route and validate that listener finishes warming. sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_1", "cluster_1")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_1", "cluster_1")}, {buildRouteConfig("route_config_1", "cluster_1")}, {}, "2"); test_server_->waitForGaugeEq("listener_manager.total_listeners_warming", 0); test_server_->waitForCounterGe("listener_manager.listener_create_success", 3); @@ -1346,17 +1363,18 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsWithRdsChange) { initialize(); // Send initial configuration. - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -1365,19 +1383,21 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsWithRdsChange) { // Update existing LDS (change stat_prefix). sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("cluster_1")}, {buildCluster("cluster_1")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_1")}, {buildCluster("cluster_1")}, {"cluster_0"}, "2"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_1")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_1")}, {buildClusterLoadAssignment("cluster_1")}, {"cluster_0"}, "2"); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0", "rds_crash")}, + Config::TestTypeUrl::get().Listener, + {buildListener("listener_0", "route_config_0", "rds_crash")}, {buildListener("listener_0", "route_config_0", "rds_crash")}, {}, "2"); test_server_->waitForCounterGe("listener_manager.listener_create_success", 2); // Update existing RDS (migrate traffic to cluster_1). sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_1")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_1")}, {buildRouteConfig("route_config_0", "cluster_1")}, {}, "2"); // Validate that we can process a request after RDS update @@ -1395,36 +1415,37 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsInvalidated) { // --------------------- // Initial request for any cluster, respond with cluster_0 version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); // Initial request for load assignment for cluster_0, respond with version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); // Request for updates to cluster_0 version 1, no response - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // Initial request for any listener, respond with listener_0 version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); // Request for updates to load assignment version 1, no response - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); // Initial request for route_config_0 (referenced by listener_0), respond with version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_0", "cluster_0")}, {buildRouteConfig("route_config_0", "cluster_0")}, {}, "1"); // Wait for initial listener to be created successfully. Any subsequent listeners will then use @@ -1436,16 +1457,16 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsInvalidated) { // Request for updates to listener_0 version 1, respond with version 2. Under the hood, this // registers RdsRouteConfigSubscription's init target with the new ListenerImpl instance. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_1")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_1")}, {buildListener("listener_0", "route_config_1")}, {}, "2"); // Request for updates to route_config_0 version 1, and initial request for route_config_1 // (referenced by listener_0), don't respond yet! - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_1", "route_config_0"}, {"route_config_1"}, {})); @@ -1455,16 +1476,17 @@ TEST_P(AdsIntegrationTest, RdsAfterLdsInvalidated) { // Request for updates to listener_0 version 2, respond with version 3 (updated stats prefix). // This should blow away the previous ListenerImpl instance, which is still waiting for // route_config_1... - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "2", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_1", "omg")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_1", "omg")}, {buildListener("listener_0", "route_config_1", "omg")}, {}, "3"); // Respond to prior request for route_config_1. Under the hood, this invokes // RdsRouteConfigSubscription::runInitializeCallbackIfAny, which references the defunct // ListenerImpl instance. We should not crash in this event! sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_1", "cluster_0")}, + Config::TestTypeUrl::get().RouteConfiguration, + {buildRouteConfig("route_config_1", "cluster_0")}, {buildRouteConfig("route_config_1", "cluster_0")}, {"route_config_0"}, "1"); test_server_->waitForCounterGe("listener_manager.listener_create_success", 2); @@ -1594,20 +1616,20 @@ TEST_P(AdsIntegrationTest, XdsBatching) { ASSERT_TRUE(xds_connection_->waitForNewStream(*dispatcher_, xds_stream_)); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"eds_cluster2", "eds_cluster"}, {"eds_cluster2", "eds_cluster"}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("eds_cluster"), buildClusterLoadAssignment("eds_cluster2")}, {buildClusterLoadAssignment("eds_cluster"), buildClusterLoadAssignment("eds_cluster2")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config2", "route_config"}, {"route_config2", "route_config"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config2", "eds_cluster2"), buildRouteConfig("route_config", "dummy_cluster")}, {buildRouteConfig("route_config2", "eds_cluster2"), @@ -1623,32 +1645,32 @@ TEST_P(AdsIntegrationTest, ListenerDrainBeforeServerStart) { initialize(); // Initial request for cluster, response for cluster_0. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); // Initial request for load assignment for cluster_0, respond with version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); // Request for updates to cluster_0 version 1, no response - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // Initial request for any listener, respond with listener_0 version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); // Request for updates to load assignment version 1, no response - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {})); // Initial request for route_config_0 (referenced by listener_0), respond with version 1 - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); test_server_->waitForGaugeGe("listener_manager.total_listeners_active", 1); @@ -1658,9 +1680,9 @@ TEST_P(AdsIntegrationTest, ListenerDrainBeforeServerStart) { EXPECT_TRUE(getListenersConfigDump().dynamic_listeners(0).has_warming_state()); // Remove listener. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - sendDiscoveryResponse(Config::TypeUrl::get().Listener, {}, - {}, {"listener_0"}, "2"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + sendDiscoveryResponse(Config::TestTypeUrl::get().Listener, + {}, {}, {"listener_0"}, "2"); test_server_->waitForGaugeEq("listener_manager.total_listeners_active", 0); } @@ -1696,19 +1718,19 @@ TEST_P(AdsIntegrationTest, SetNodeAlways) { initialize(); // Check that the node is sent in each request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {}, true)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, true)); }; // Check if EDS cluster defined in file is loaded before ADS request and used as xDS server @@ -1797,15 +1819,16 @@ TEST_P(AdsClusterFromFileIntegrationTest, BasicTestWidsAdsEndpointLoadedFromFile ASSERT_TRUE(xds_connection_->waitForNewStream(*dispatcher_, xds_stream_)); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"ads_eds_cluster"}, {"ads_eds_cluster"}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("ads_eds_cluster")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, + {buildClusterLoadAssignment("ads_eds_cluster")}, {buildClusterLoadAssignment("ads_eds_cluster")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"ads_eds_cluster"}, {}, {})); } @@ -1831,7 +1854,7 @@ class AdsIntegrationTestWithRtds : public AdsIntegrationTest { void testBasicFlow() { // Test that runtime discovery request comes first and cluster discovery request comes after // runtime was loaded. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "", {"ads_rtds_layer"}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "", {"ads_rtds_layer"}, {"ads_rtds_layer"}, {}, true)); auto some_rtds_layer = TestUtility::parseYaml(R"EOF( name: ads_rtds_layer @@ -1840,12 +1863,12 @@ class AdsIntegrationTestWithRtds : public AdsIntegrationTest { baz: meh )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); test_server_->waitForCounterGe("runtime.load_success", 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {})); - EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "1", {"ads_rtds_layer"}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "1", {"ads_rtds_layer"}, + {}, {})); } }; @@ -1876,7 +1899,7 @@ class AdsIntegrationTestWithRtdsAndSecondaryClusters : public AdsIntegrationTest void testBasicFlow() { // Test that runtime discovery request comes first followed by the cluster load assignment // discovery request for secondary cluster and then CDS discovery request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "", {"ads_rtds_layer"}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "", {"ads_rtds_layer"}, {"ads_rtds_layer"}, {}, true)); auto some_rtds_layer = TestUtility::parseYaml(R"EOF( name: ads_rtds_layer @@ -1885,21 +1908,22 @@ class AdsIntegrationTestWithRtdsAndSecondaryClusters : public AdsIntegrationTest baz: meh )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); test_server_->waitForCounterGe("runtime.load_success", 1); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"eds_cluster"}, {"eds_cluster"}, {}, false)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("eds_cluster")}, - {buildClusterLoadAssignment("eds_cluster")}, {}, "1"); + Config::TestTypeUrl::get().ClusterLoadAssignment, + {buildClusterLoadAssignment("eds_cluster")}, {buildClusterLoadAssignment("eds_cluster")}, + {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "1", {"ads_rtds_layer"}, {}, - {}, false)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, false)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "1", {"ads_rtds_layer"}, + {}, {}, false)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, false)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, - {}, "1"); + Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, + {buildCluster("cluster_0")}, {}, "1"); } }; @@ -1916,53 +1940,58 @@ TEST_P(AdsIntegrationTest, ContextParameterUpdate) { initialize(); // Check that the node is sent in each request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {}, false)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {}, false)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, false)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {}, false)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {}, false)); // Set a Cluster DCP. - test_server_->setDynamicContextParam(Config::TypeUrl::get().Cluster, "foo", "bar"); + test_server_->setDynamicContextParam(Config::TestTypeUrl::get().Cluster, "foo", "bar"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {}, true)); - EXPECT_EQ("bar", - last_node_.dynamic_parameters().at(Config::TypeUrl::get().Cluster).params().at("foo")); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {}, true)); + EXPECT_EQ( + "bar", + last_node_.dynamic_parameters().at(Config::TestTypeUrl::get().Cluster).params().at("foo")); // Modify Cluster DCP. - test_server_->setDynamicContextParam(Config::TypeUrl::get().Cluster, "foo", "baz"); + test_server_->setDynamicContextParam(Config::TestTypeUrl::get().Cluster, "foo", "baz"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {}, true)); - EXPECT_EQ("baz", - last_node_.dynamic_parameters().at(Config::TypeUrl::get().Cluster).params().at("foo")); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {}, true)); + EXPECT_EQ( + "baz", + last_node_.dynamic_parameters().at(Config::TestTypeUrl::get().Cluster).params().at("foo")); // Modify CLA DCP (some other resource type URL). - test_server_->setDynamicContextParam(Config::TypeUrl::get().ClusterLoadAssignment, "foo", "b"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", + test_server_->setDynamicContextParam(Config::TestTypeUrl::get().ClusterLoadAssignment, "foo", + "b"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"cluster_0"}, {}, {}, true)); EXPECT_EQ("b", last_node_.dynamic_parameters() - .at(Config::TypeUrl::get().ClusterLoadAssignment) + .at(Config::TestTypeUrl::get().ClusterLoadAssignment) .params() .at("foo")); - EXPECT_EQ("baz", - last_node_.dynamic_parameters().at(Config::TypeUrl::get().Cluster).params().at("foo")); + EXPECT_EQ( + "baz", + last_node_.dynamic_parameters().at(Config::TestTypeUrl::get().Cluster).params().at("foo")); // Clear Cluster DCP. - test_server_->unsetDynamicContextParam(Config::TypeUrl::get().Cluster, "foo"); + test_server_->unsetDynamicContextParam(Config::TestTypeUrl::get().Cluster, "foo"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {}, true)); EXPECT_EQ( - 0, last_node_.dynamic_parameters().at(Config::TypeUrl::get().Cluster).params().count("foo")); + 0, + last_node_.dynamic_parameters().at(Config::TestTypeUrl::get().Cluster).params().count("foo")); } class XdsTpAdsIntegrationTest : public AdsIntegrationTest { @@ -2015,7 +2044,7 @@ TEST_P(XdsTpAdsIntegrationTest, Basic) { // Basic CDS/EDS xDS initialization (CDS via xdstp:// glob collection). const std::string cluster_wildcard = "xdstp://test/envoy.config.cluster.v3.Cluster/foo-cluster/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"; - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {cluster_wildcard}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {cluster_wildcard}, {cluster_wildcard}, {}, /*expect_node=*/true)); const std::string cluster_name = "xdstp://test/envoy.config.cluster.v3.Cluster/foo-cluster/" "baz?xds.node.cluster=cluster_name&xds.node.id=node_name"; @@ -2024,21 +2053,21 @@ TEST_P(XdsTpAdsIntegrationTest, Basic) { "xdstp://test/envoy.config.endpoint.v3.ClusterLoadAssignment/foo-cluster/baz"; cluster_resource.mutable_eds_cluster_config()->set_service_name(endpoints_name); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_resource}, {cluster_resource}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().Cluster, {cluster_resource}, {cluster_resource}, {}, "1"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {endpoints_name}, {endpoints_name}, {})); const auto cluster_load_assignments = {buildClusterLoadAssignment(endpoints_name)}; sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, cluster_load_assignments, + Config::TestTypeUrl::get().ClusterLoadAssignment, cluster_load_assignments, cluster_load_assignments, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // LDS/RDS xDS initialization (LDS via xdstp:// glob collection) const std::string listener_wildcard = "xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"; - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {listener_wildcard}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {listener_wildcard}, {listener_wildcard}, {})); const std::string route_name_0 = "xdstp://test/envoy.config.route.v3.RouteConfiguration/route_config_0"; @@ -2057,19 +2086,20 @@ TEST_P(XdsTpAdsIntegrationTest, Basic) { "baz?xds.node.cluster=cluster_name&xds.node.id=other_name", route_name_0), }; - sendDiscoveryResponse(Config::TypeUrl::get().Listener, + sendDiscoveryResponse(Config::TestTypeUrl::get().Listener, listeners, listeners, {}, "1"); EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", {}, {}, {})); + compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", {route_name_0}, - {route_name_0}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", + {route_name_0}, {route_name_0}, {})); const auto route_config = buildRouteConfig(route_name_0, cluster_name); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {route_config}, {route_config}, {}, "1"); + Config::TestTypeUrl::get().RouteConfiguration, {route_config}, {route_config}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE( + compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {}, {}, {})); test_server_->waitForCounterEq("listener_manager.listener_create_success", 1); makeSingleRequest(); @@ -2080,17 +2110,18 @@ TEST_P(XdsTpAdsIntegrationTest, Basic) { "baz?xds.node.cluster=cluster_name&xds.node.id=node_name", route_name_1); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {baz_listener}, {baz_listener}, {}, "2"); + Config::TestTypeUrl::get().Listener, {baz_listener}, {baz_listener}, {}, "2"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {route_name_1}, {route_name_1}, {})); const auto second_route_config = buildRouteConfig(route_name_1, cluster_name); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {second_route_config}, {second_route_config}, {}, - "2"); + Config::TestTypeUrl::get().RouteConfiguration, {second_route_config}, {second_route_config}, + {}, "2"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "2", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "2", {}, {}, {})); + EXPECT_TRUE( + compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "2", {}, {}, {})); test_server_->waitForCounterEq("listener_manager.listener_create_success", 2); makeSingleRequest(); @@ -2101,23 +2132,24 @@ TEST_P(XdsTpAdsIntegrationTest, Basic) { if (isSotw()) { // In SotW, removal consists of sending the other listeners, except for the one to be removed. - sendDiscoveryResponse(Config::TypeUrl::get().Listener, - {baz_listener}, {}, {}, "3"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "3", {}, {}, {})); + sendDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {baz_listener}, {}, {}, "3"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "3", {}, {}, {})); test_server_->waitForCounterEq("listener_manager.listener_removed", 1); makeSingleRequest(); } else { // Update bar listener in the foo namespace. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {}, {buildListener(bar_listener, route_name_1)}, {}, "3"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "3", {}, {}, {})); + Config::TestTypeUrl::get().Listener, {}, {buildListener(bar_listener, route_name_1)}, {}, + "3"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "3", {}, {}, {})); test_server_->waitForCounterEq("listener_manager.listener_in_place_updated", 1); makeSingleRequest(); // Remove bar listener from the foo namespace. - sendDiscoveryResponse(Config::TypeUrl::get().Listener, - {}, {}, {bar_listener}, "3"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "4", {}, {}, {})); + sendDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {}, {}, {bar_listener}, "3"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "4", {}, {}, {})); test_server_->waitForCounterEq("listener_manager.listener_removed", 1); makeSingleRequest(); } @@ -2160,7 +2192,7 @@ TEST_P(XdsTpAdsIntegrationTest, BasicWithLeds) { {buildClusterLoadAssignmentWithLeds(endpoints_name, absl::StrCat(leds_resource_prefix, "*"))}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); @@ -2174,7 +2206,7 @@ TEST_P(XdsTpAdsIntegrationTest, BasicWithLeds) { const auto endpoint2_name = absl::StrCat(leds_resource_prefix, "endpoint_1", "?xds.node.cluster=cluster_name&xds.node.id=node_name"); sendExplicitResourcesDeltaDiscoveryResponse( - Config::TypeUrl::get().LbEndpoint, + Config::TestTypeUrl::get().LbEndpoint, {buildLbEndpointResource(endpoint1_name, "2"), buildLbEndpointResource(endpoint2_name, "2")}, {}); @@ -2186,7 +2218,7 @@ TEST_P(XdsTpAdsIntegrationTest, BasicWithLeds) { // LDS/RDS xDS initialization (LDS via xdstp:// glob collection) EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, + compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {"xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"}, {})); @@ -2236,7 +2268,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingEds) { absl::StrCat(leds_resource_prefix_foo, "*"))}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); @@ -2261,7 +2293,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingEds) { const auto endpoint2_name_foo = absl::StrCat(leds_resource_prefix_foo, "endpoint_1", "?xds.node.cluster=cluster_name&xds.node.id=node_name"); - sendExplicitResourcesDeltaDiscoveryResponse(Config::TypeUrl::get().LbEndpoint, + sendExplicitResourcesDeltaDiscoveryResponse(Config::TestTypeUrl::get().LbEndpoint, {buildLbEndpointResource(endpoint1_name_foo, "2"), buildLbEndpointResource(endpoint2_name_foo, "2")}, {}); @@ -2282,7 +2314,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingEds) { const auto endpoint2_name_bar = absl::StrCat(leds_resource_prefix_bar, "endpoint_1", "?xds.node.cluster=cluster_name&xds.node.id=node_name"); - sendExplicitResourcesDeltaDiscoveryResponse(Config::TypeUrl::get().LbEndpoint, + sendExplicitResourcesDeltaDiscoveryResponse(Config::TestTypeUrl::get().LbEndpoint, {buildLbEndpointResource(endpoint1_name_bar, "3"), buildLbEndpointResource(endpoint2_name_bar, "3")}, {}); @@ -2296,7 +2328,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingEds) { // LDS/RDS xDS initialization (LDS via xdstp:// glob collection) EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, + compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {"xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"}, {})); @@ -2344,7 +2376,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingCds) { absl::StrCat(leds_resource_prefix1, "*"))}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); @@ -2373,7 +2405,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingCds) { const auto endpoint2_name_cluster1 = absl::StrCat( leds_resource_prefix1, "endpoint_1", "?xds.node.cluster=cluster_name&xds.node.id=node_name"); sendExplicitResourcesDeltaDiscoveryResponse( - Config::TypeUrl::get().LbEndpoint, + Config::TestTypeUrl::get().LbEndpoint, {buildLbEndpointResource(endpoint1_name_cluster1, "2"), buildLbEndpointResource(endpoint2_name_cluster1, "2")}, {}); @@ -2395,7 +2427,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingCds) { "*?xds.node.cluster=cluster_name&xds.node.id=node_name")})); // Receive CDS ack. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {}, {}, {})); // Receive the EDS ack. EXPECT_TRUE(compareDiscoveryRequest(leds_type_url, "2", {}, {}, {})); @@ -2414,7 +2446,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingCds) { const auto endpoint2_name_cluster2 = absl::StrCat( leds_resource_prefix2, "endpoint_1", "?xds.node.cluster=cluster_name&xds.node.id=node_name"); sendExplicitResourcesDeltaDiscoveryResponse( - Config::TypeUrl::get().LbEndpoint, + Config::TestTypeUrl::get().LbEndpoint, {buildLbEndpointResource(endpoint1_name_cluster2, "2"), buildLbEndpointResource(endpoint2_name_cluster2, "2")}, {}); @@ -2424,7 +2456,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsClusterWarmingUpdatingCds) { // LDS/RDS xDS initialization (LDS via xdstp:// glob collection) EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, + compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {"xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"}, {})); @@ -2477,7 +2509,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsTimeout) { sendDiscoveryResponse( eds_type_url, {}, {cla_with_leds}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // Receive LEDS request, and wait for the initial fetch timeout. EXPECT_TRUE(compareDiscoveryRequest( leds_type_url, "", {}, @@ -2501,7 +2533,7 @@ TEST_P(XdsTpAdsIntegrationTest, LedsTimeout) { // LDS/RDS xDS initialization (LDS via xdstp:// glob collection) EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, + compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {"xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"}, {})); @@ -2537,39 +2569,40 @@ TEST_P(XdsTpAdsIntegrationTest, EdsAlternatingLedsUsage) { // Receive EDS request, and send ClusterLoadAssignment with one locality, // that doesn't use LEDS. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", {}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {}, {endpoints_name}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {}, {buildClusterLoadAssignment(endpoints_name)}, {}, "1"); EXPECT_TRUE(compareDiscoveryRequest(cds_type_url, "1", {}, {}, {})); // LDS/RDS xDS initialization (LDS via xdstp:// glob collection) EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, + compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {"xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "*?xds.node.cluster=cluster_name&xds.node.id=node_name"}, {})); const std::string route_name_0 = "xdstp://test/envoy.config.route.v3.RouteConfiguration/route_config_0"; sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {}, + Config::TestTypeUrl::get().Listener, {}, {buildListener("xdstp://test/envoy.config.listener.v3.Listener/foo-listener/" "bar?xds.node.cluster=cluster_name&xds.node.id=node_name", route_name_0)}, {}, "1"); EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", {}, + compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {}, {route_name_0}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {}, {buildRouteConfig(route_name_0, cluster_name)}, - {}, "1"); + Config::TestTypeUrl::get().RouteConfiguration, {}, + {buildRouteConfig(route_name_0, cluster_name)}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE( + compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {}, {}, {})); test_server_->waitForCounterEq("listener_manager.listener_create_success", 1); makeSingleRequest(); @@ -2601,7 +2634,7 @@ TEST_P(XdsTpAdsIntegrationTest, EdsAlternatingLedsUsage) { const auto endpoint2_name = absl::StrCat(leds_resource_prefix, "endpoint_1", "?xds.node.cluster=cluster_name&xds.node.id=node_name"); sendExplicitResourcesDeltaDiscoveryResponse( - Config::TypeUrl::get().LbEndpoint, + Config::TestTypeUrl::get().LbEndpoint, {buildLbEndpointResource(endpoint1_name, "1"), buildLbEndpointResource(endpoint2_name, "1")}, {}); @@ -2614,7 +2647,7 @@ TEST_P(XdsTpAdsIntegrationTest, EdsAlternatingLedsUsage) { // Send a new EDS update that doesn't use LEDS. sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {}, {buildClusterLoadAssignment(endpoints_name)}, {}, "3"); // The server should remove interest in the old LEDS. @@ -2627,7 +2660,7 @@ TEST_P(XdsTpAdsIntegrationTest, EdsAlternatingLedsUsage) { EXPECT_TRUE(compareDiscoveryRequest(eds_type_url, "3", {}, {}, {})); // Remove the LEDS endpoints. - sendExplicitResourcesDeltaDiscoveryResponse(Config::TypeUrl::get().LbEndpoint, {}, + sendExplicitResourcesDeltaDiscoveryResponse(Config::TestTypeUrl::get().LbEndpoint, {}, {endpoint1_name, endpoint2_name}); // Receive the LEDS ack. @@ -2641,14 +2674,14 @@ TEST_P(XdsTpAdsIntegrationTest, EdsAlternatingLedsUsage) { // Make sure two listeners send only a single SRDS request. TEST_P(AdsIntegrationTest, SrdsPausedDuringLds) { initialize(); - const auto lds_type_url = Config::TypeUrl::get().Listener; - const auto cds_type_url = Config::TypeUrl::get().Cluster; - const auto eds_type_url = Config::TypeUrl::get().ClusterLoadAssignment; - const auto srds_type_url = Config::TypeUrl::get().ScopedRouteConfiguration; - const auto rds_type_url = Config::TypeUrl::get().RouteConfiguration; + const auto lds_type_url = Config::TestTypeUrl::get().Listener; + const auto cds_type_url = Config::TestTypeUrl::get().Cluster; + const auto eds_type_url = Config::TestTypeUrl::get().ClusterLoadAssignment; + const auto srds_type_url = Config::TestTypeUrl::get().ScopedRouteConfiguration; + const auto rds_type_url = Config::TestTypeUrl::get().RouteConfiguration; EXPECT_TRUE(compareDiscoveryRequest(cds_type_url, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1"); EXPECT_TRUE(compareDiscoveryRequest(eds_type_url, "", {"cluster_0"}, {"cluster_0"}, {})); @@ -2852,21 +2885,21 @@ TEST_P(AdsReplacementIntegrationTest, ReplaceAdsConfig) { initializeTwoAds(); // Check that the node is sent in each request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, - "original1"); + Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, + {}, "original1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {}, false)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "original1"); EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "original1", {}, {}, {}, false)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {}, false)); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "original1", + compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "original1", {}, {}, {}, false)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "original1", {"cluster_0"}, {}, {}, false)); // Prepare the second ADS server config. @@ -2902,59 +2935,61 @@ TEST_P(AdsReplacementIntegrationTest, ReplaceAdsConfig) { const absl::flat_hash_map cds_eds_initial_resource_versions_map{ {"cluster_0", "original1"}}; const absl::flat_hash_map empty_initial_resource_versions_map; + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", + second_xds_stream_.get(), + makeOptRef(cds_eds_initial_resource_versions_map))); EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().Cluster, "", {}, {}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, - "", second_xds_stream_.get(), makeOptRef(cds_eds_initial_resource_versions_map))); - EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {}, false, + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get(), makeOptRef(cds_eds_initial_resource_versions_map))); - EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().Listener, "", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, - "", second_xds_stream_.get(), makeOptRef(empty_initial_resource_versions_map))); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {}, false, + Grpc::Status::WellKnownGrpcStatus::Ok, "", + second_xds_stream_.get(), + makeOptRef(empty_initial_resource_versions_map))); // Send a CDS response with new resources. sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {buildCluster("replaced_cluster")}, + Config::TestTypeUrl::get().Cluster, {buildCluster("replaced_cluster")}, {buildCluster("replaced_cluster")}, {}, "replaced1", {}, second_xds_stream_.get()); // Wait for an updated EDS request. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "original1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "original1", {"replaced_cluster"}, {"replaced_cluster"}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get())); // Send an EDS response. sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("replaced_cluster")}, {buildClusterLoadAssignment("replaced_cluster")}, {}, "replaced1", {}, second_xds_stream_.get()); // Wait for a CDS and EDS ACKs. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "replaced1", {}, {}, {}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "replaced1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get())); EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "replaced1", {"replaced_cluster_1"}, {}, {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, "replaced1", {"replaced_cluster_1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get())); // Continue with LDS and RDS, and send a request-response. sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "replaced1", {}, second_xds_stream_.get()); EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {}, + Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get())); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {buildRouteConfig("route_config_0", "replaced_cluster")}, {buildRouteConfig("route_config_0", "replaced_cluster")}, {}, "replaced1", {}, second_xds_stream_.get()); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "replaced1", {}, {}, {}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "replaced1", {}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get())); EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().RouteConfiguration, "replaced1", {"route_config_0"}, {}, {}, false, + Config::TestTypeUrl::get().RouteConfiguration, "replaced1", {"route_config_0"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", second_xds_stream_.get())); makeSingleRequest(); diff --git a/test/integration/ads_xdstp_config_sources_integration_test.cc b/test/integration/ads_xdstp_config_sources_integration_test.cc index 8e2e45ee7c9c1..35a595b5f4cd6 100644 --- a/test/integration/ads_xdstp_config_sources_integration_test.cc +++ b/test/integration/ads_xdstp_config_sources_integration_test.cc @@ -233,22 +233,22 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, CdsPointsToAuthorityEds) { // Wait for ADS clusters request and send a cluster that points to load // assignment in authority1.com. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); auto cluster1 = ConfigHelper::buildCluster("cluster_1"); cluster1.mutable_eds_cluster_config()->set_service_name( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"); cluster1.mutable_eds_cluster_config()->clear_eds_config(); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1}, {cluster1}, {}, "1"); // Authority1 receives an EDS request, and sends a response. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1")}, @@ -258,27 +258,27 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, CdsPointsToAuthorityEds) { {}, "1", {}, authority1_xds_stream_.get()); // Old ADS receives a CDS ACK. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // Authority1 receives an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "1", + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); // Send the Listener and route config using the old ADS. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {ConfigHelper::buildRouteConfig("route_config_0", "cluster_1")}, {ConfigHelper::buildRouteConfig("route_config_0", "cluster_1")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -293,49 +293,49 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityEds) { // Wait for ADS clusters request and send a cluster that points to load // assignment in authority1.com. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); auto cluster1 = ConfigHelper::buildCluster("cluster_1"); cluster1.mutable_eds_cluster_config()->set_service_name( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"); cluster1.mutable_eds_cluster_config()->clear_eds_config(); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1}, {cluster1}, {}, "1"); // Authority1 receives an EDS request, and sends a response. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); envoy::config::endpoint::v3::ClusterLoadAssignment cla = buildClusterLoadAssignment( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "1", {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "1", {}, authority1_xds_stream_.get()); // Old ADS receives a CDS ACK. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // Authority1 receives an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "1", + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); test_server_->waitForCounterGe("cluster.cluster_1.update_success", 1); // Send the Listener and route config using the old ADS. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {ConfigHelper::buildRouteConfig("route_config_0", "cluster_1")}, {ConfigHelper::buildRouteConfig("route_config_0", "cluster_1")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -343,12 +343,12 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityEds) { // Update the EDS config. cla.mutable_endpoints(0)->mutable_load_balancing_weight()->set_value(50); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "2", {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "2", {}, authority1_xds_stream_.get()); // Expect an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "2", + Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); @@ -367,22 +367,22 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityToFetchEds) { // Wait for ADS clusters request and send a cluster that points to load // assignment in authority1.com. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); auto cluster1 = ConfigHelper::buildCluster("cluster_1"); cluster1.mutable_eds_cluster_config()->set_service_name( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"); cluster1.mutable_eds_cluster_config()->clear_eds_config(); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1}, {cluster1}, {}, "1"); // Authority1 receives an EDS request, and sends a response. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1")}, @@ -392,28 +392,28 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityToFetchEds) { {}, "1", {}, authority1_xds_stream_.get()); // Old ADS receives a CDS ACK. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {}, {}, {})); // Authority1 receives an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "1", + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); test_server_->waitForCounterGe("cluster.cluster_1.update_success", 1); // Send the Listener and route config using the old ADS. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, + Config::TestTypeUrl::get().Listener, {buildListener("listener_0", "route_config_0")}, {buildListener("listener_0", "route_config_0")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"route_config_0"}, {"route_config_0"}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {ConfigHelper::buildRouteConfig("route_config_0", "cluster_1")}, {ConfigHelper::buildRouteConfig("route_config_0", "cluster_1")}, {}, "1"); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Listener, "1", {}, {}, {})); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "1", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "1", {"route_config_0"}, {}, {})); test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); @@ -424,19 +424,19 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityToFetchEds) { "xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1"); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {cluster1}, {cluster1}, {}, "2"); // Default-authority receives an EDS request, and sends a response. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1"}, {"xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", default_authority_xds_stream_.get())); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment( "xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1")}, @@ -446,11 +446,11 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityToFetchEds) { {}, "2", {}, default_authority_xds_stream_.get()); // Old ADS receives a CDS ACK. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "2", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {}, {}, {})); // Default-authority receives an EDS ACK. EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "2", + compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"xdstp://default_authority.com/" "envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", @@ -459,7 +459,7 @@ TEST_P(AdsXdsTpConfigsIntegrationTest, UpdateAuthorityToFetchEds) { // Authority1 subscription is removed. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", {}, {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {}, {}, {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); diff --git a/test/integration/cds_integration_test.cc b/test/integration/cds_integration_test.cc index aa3fb252c749e..3f237e19ce33f 100644 --- a/test/integration/cds_integration_test.cc +++ b/test/integration/cds_integration_test.cc @@ -102,7 +102,7 @@ class CdsIntegrationTest : public Grpc::DeltaSotwDeferredClustersIntegrationPara acceptXdsConnection(); // Do the initial compareDiscoveryRequest / sendDiscoveryResponse for cluster_1. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendClusterDiscoveryResponse({cluster1_}, {cluster1_}, {}, "55"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of @@ -121,7 +121,7 @@ class CdsIntegrationTest : public Grpc::DeltaSotwDeferredClustersIntegrationPara const std::vector& added_or_updated, const std::vector& removed, const std::string& version) { sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, state_of_the_world, added_or_updated, removed, version); + Config::TestTypeUrl::get().Cluster, state_of_the_world, added_or_updated, removed, version); } // Regression test to catch the code declaring a gRPC service method for {SotW,delta} @@ -191,7 +191,7 @@ TEST_P(CdsIntegrationTest, CdsClusterUpDownUp) { } // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendClusterDiscoveryResponse({}, {}, {ClusterName1}, "42"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. @@ -215,7 +215,7 @@ TEST_P(CdsIntegrationTest, CdsClusterUpDownUp) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is back. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "42", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "42", {}, {}, {})); sendClusterDiscoveryResponse({cluster1_}, {cluster1_}, {}, "413"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of @@ -255,7 +255,7 @@ TEST_P(CdsIntegrationTest, CdsClusterTeardownWhileConnecting) { {":method", "GET"}, {":path", "/cluster1"}, {":scheme", "http"}, {":authority", "host"}}); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendClusterDiscoveryResponse({}, {}, {ClusterName1}, "42"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. @@ -294,7 +294,7 @@ class DeferredCreationClusterStatsTest : public CdsIntegrationTest { envoy::config::cluster::v3::Cluster::ROUND_ROBIN); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_updated}, {cluster1_updated}, {}, "42"); + Config::TestTypeUrl::get().Cluster, {cluster1_updated}, {cluster1_updated}, {}, "42"); } void removeClusters(const std::vector& removed) { @@ -444,7 +444,7 @@ TEST_P(CdsIntegrationTest, CdsClusterWithThreadAwareLbCycleUpDownUp) { test_server_->waitForCounterGe("cluster_manager.cluster_added", 1); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendClusterDiscoveryResponse({}, {}, {ClusterName1}, "42"); // Make sure that Envoy's ClusterManager has made use of the DiscoveryResponse that says // cluster_1 is gone. @@ -459,13 +459,13 @@ TEST_P(CdsIntegrationTest, CdsClusterWithThreadAwareLbCycleUpDownUp) { // Cyclically add and remove cluster with ThreadAwareLb. for (int i = 42; i < 142; i += 2) { EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Cluster, absl::StrCat(i), {}, {}, {})); + compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, absl::StrCat(i), {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, absl::StrCat(i + 1)); - EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Cluster, absl::StrCat(i + 1), {}, {}, {})); + Config::TestTypeUrl::get().Cluster, {cluster1_}, {cluster1_}, {}, absl::StrCat(i + 1)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, absl::StrCat(i + 1), {}, + {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {}, {}, {ClusterName1}, absl::StrCat(i + 2)); + Config::TestTypeUrl::get().Cluster, {}, {}, {ClusterName1}, absl::StrCat(i + 2)); } cleanupUpstreamAndDownstream(); @@ -480,9 +480,9 @@ TEST_P(CdsIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_2 is here. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); // The '3' includes the fake CDS server. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); @@ -492,7 +492,7 @@ TEST_P(CdsIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is gone. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "42", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "42", {}, {}, {})); sendClusterDiscoveryResponse({cluster2_}, {}, {ClusterName1}, "43"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. @@ -504,9 +504,9 @@ TEST_P(CdsIntegrationTest, TwoClusters) { ASSERT_TRUE(codec_client_->waitForDisconnect()); // Tell Envoy that cluster_1 is back. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "43", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "43", {}, {}, {})); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_}, {}, "413"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_}, {}, "413"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse describing cluster_1 that we sent. Again, 3 includes CDS server. @@ -534,7 +534,7 @@ TEST_P(CdsIntegrationTest, TwoClustersAndRedirects) { // Tell Envoy that cluster_2 is here. initialize(); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster2_}, {}, "42"); // The '3' includes the fake CDS server. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); // Tell Envoy that cluster_1 is gone. @@ -594,8 +594,8 @@ TEST_P(CdsIntegrationTest, VersionsRememberedAfterReconnect) { // Tell Envoy that cluster_2 is here. This update does *not* need to include cluster_1, // which Envoy should already know about despite the disconnect. - sendDeltaDiscoveryResponse(Config::TypeUrl::get().Cluster, - {cluster2_}, {}, "42"); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {cluster2_}, {}, "42"); // The '3' includes the fake CDS server. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); @@ -679,7 +679,7 @@ TEST_P(CdsIntegrationTest, CdsClusterDownWithLotsOfIdleConnections) { test_server_->waitForCounterGe("cluster_manager.cluster_added", 1); // Tell Envoy that cluster_1 is gone. Envoy will try to close all idle connections - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendClusterDiscoveryResponse({}, {}, {ClusterName1}, "42"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. @@ -750,7 +750,7 @@ TEST_P(CdsIntegrationTest, DISABLED_CdsClusterDownWithLotsOfConnectingConnection test_server_->waitForCounterEq("cluster.cluster_1.upstream_cx_total", num_requests); // Tell Envoy that cluster_1 is gone. Envoy will try to close all pending connections - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "55", {}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "55", {}, {}, {})); sendClusterDiscoveryResponse({}, {}, {ClusterName1}, "42"); // We can continue the test once we're sure that Envoy's ClusterManager has made use of // the DiscoveryResponse that says cluster_1 is gone. diff --git a/test/integration/extension_discovery_integration_test.cc b/test/integration/extension_discovery_integration_test.cc index 1761424dc7faa..bbe2f039a9395 100644 --- a/test/integration/extension_discovery_integration_test.cc +++ b/test/integration/extension_discovery_integration_test.cc @@ -276,7 +276,7 @@ class ExtensionDiscoveryIntegrationTest : public Grpc::GrpcClientIntegrationPara void sendLdsResponse(const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); response.add_resources()->PackFrom(listener_config_); lds_stream_->sendGrpcMessage(response); } diff --git a/test/integration/header_integration_test.cc b/test/integration/header_integration_test.cc index f3b316444dda0..bb4cd7b191a66 100644 --- a/test/integration/header_integration_test.cc +++ b/test/integration/header_integration_test.cc @@ -391,7 +391,7 @@ class HeaderIntegrationTest envoy::service::discovery::v3::DiscoveryResponse discovery_response; discovery_response.set_version_info("1"); - discovery_response.set_type_url(Config::TypeUrl::get().ClusterLoadAssignment); + discovery_response.set_type_url(Config::TestTypeUrl::get().ClusterLoadAssignment); auto cluster_load_assignment = TestUtility::parseYaml(fmt::format( diff --git a/test/integration/health_check_integration_test.cc b/test/integration/health_check_integration_test.cc index 631621558562d..6234359dcbcfa 100644 --- a/test/integration/health_check_integration_test.cc +++ b/test/integration/health_check_integration_test.cc @@ -196,9 +196,10 @@ class HttpHealthCheckIntegrationTestBase } // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive health check request. ASSERT_TRUE(cluster_data.host_upstream_->waitForHttpConnection( @@ -560,9 +561,10 @@ class TcpHealthCheckIntegrationTest : public Event::TestUsingSimulatedTime, health_check->mutable_tcp_health_check()->add_receive()->set_text("506F6E67"); // "Pong" // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive TCP HC request. ASSERT_TRUE( @@ -582,9 +584,10 @@ class TcpHealthCheckIntegrationTest : public Event::TestUsingSimulatedTime, proxy_protocol_config); // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive TCP HC request. ASSERT_TRUE( @@ -713,9 +716,10 @@ class GrpcHealthCheckIntegrationTest : public Event::TestUsingSimulatedTime, health_check->mutable_grpc_health_check(); // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive HC request. grpc::health::v1::HealthCheckRequest request; @@ -886,9 +890,10 @@ class ExternalHealthCheckIntegrationTest cluster_data.external_host_upstream_->localAddress()->ip()->port()); // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive EXTERNAL HC request. ASSERT_TRUE(cluster_data.external_host_upstream_->waitForRawConnection( diff --git a/test/integration/leds_integration_test.cc b/test/integration/leds_integration_test.cc index 45a39644fbbf4..6e2fb32115e10 100644 --- a/test/integration/leds_integration_test.cc +++ b/test/integration/leds_integration_test.cc @@ -98,7 +98,7 @@ class LedsIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, if (await_update) { // Receive LEDS ack. EXPECT_TRUE(compareDeltaDiscoveryRequest( - Config::TypeUrl::get().LbEndpoint, {}, {}, + Config::TestTypeUrl::get().LbEndpoint, {}, {}, leds_upstream_info_.stream_by_resource_name_[localities_prefixes_[locality_idx]].get())); } } @@ -116,7 +116,7 @@ class LedsIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, ASSERT(locality_stream != nullptr); envoy::service::discovery::v3::DeltaDiscoveryResponse response; response.set_system_version_info(version); - response.set_type_url(Config::TypeUrl::get().LbEndpoint); + response.set_type_url(Config::TestTypeUrl::get().LbEndpoint); for (const auto& endpoint_name : to_delete_list) { *response.add_removed_resources() = endpoint_name; @@ -317,16 +317,16 @@ class LedsIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, // Do the initial compareDiscoveryRequest / sendDiscoveryResponse for cluster_'s localities // (ClusterLoadAssignment). - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, {"cluster_0"}, {}, eds_upstream_info_.defaultStream().get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cluster_load_assignment_}, {}, "2", + Config::TestTypeUrl::get().ClusterLoadAssignment, {cluster_load_assignment_}, {}, "2", eds_upstream_info_.defaultStream().get()); // Receive EDS ack. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, {}, {}, - eds_upstream_info_.defaultStream().get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, {}, + {}, eds_upstream_info_.defaultStream().get())); EXPECT_EQ(1, test_server_->gauge("cluster_manager.warming_clusters")->value()); EXPECT_EQ(2, test_server_->gauge("cluster_manager.active_clusters")->value()); @@ -797,7 +797,7 @@ TEST_P(LedsIntegrationTest, LedsSameAddressEndpoints) { // Await for update (LEDS Ack). EXPECT_TRUE(compareDeltaDiscoveryRequest( - Config::TypeUrl::get().LbEndpoint, {}, {}, + Config::TestTypeUrl::get().LbEndpoint, {}, {}, leds_upstream_info_.stream_by_resource_name_[localities_prefixes_[0]].get())); // Verify that the update is successful. diff --git a/test/integration/listener_lds_integration_test.cc b/test/integration/listener_lds_integration_test.cc index cc34e9c08224c..8c01a129627d6 100644 --- a/test/integration/listener_lds_integration_test.cc +++ b/test/integration/listener_lds_integration_test.cc @@ -172,7 +172,7 @@ class ListenerIntegrationTestBase : public HttpIntegrationTest { const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); for (const auto& listener_config : listener_configs) { response.add_resources()->PackFrom(listener_config); } @@ -194,7 +194,7 @@ class ListenerIntegrationTestBase : public HttpIntegrationTest { void sendRdsResponse(const std::string& route_config, const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().RouteConfiguration); + response.set_type_url(Config::TestTypeUrl::get().RouteConfiguration); const auto route_configuration = TestUtility::parseYaml(route_config); response.add_resources()->PackFrom(route_configuration); @@ -1223,7 +1223,7 @@ class ListenerFilterIntegrationTest : public BaseIntegrationTest, const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); for (const auto& listener_config : listener_configs) { response.add_resources()->PackFrom(listener_config); } diff --git a/test/integration/network_extension_discovery_integration_test.cc b/test/integration/network_extension_discovery_integration_test.cc index 2ea3f018d93d2..d1df64e133baa 100644 --- a/test/integration/network_extension_discovery_integration_test.cc +++ b/test/integration/network_extension_discovery_integration_test.cc @@ -212,7 +212,7 @@ class NetworkExtensionDiscoveryIntegrationTest : public Grpc::GrpcClientIntegrat void sendLdsResponse(const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); response.add_resources()->PackFrom(listener_config_); lds_stream_->sendGrpcMessage(response); } diff --git a/test/integration/rtds_integration_test.cc b/test/integration/rtds_integration_test.cc index 39846e7c92194..377422073d6b0 100644 --- a/test/integration/rtds_integration_test.cc +++ b/test/integration/rtds_integration_test.cc @@ -223,7 +223,7 @@ TEST_P(RtdsIntegrationTest, RtdsReload) { EXPECT_EQ("yar", getRuntimeKey("bar")); EXPECT_EQ("", getRuntimeKey("baz")); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "", {"some_rtds_layer"}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "", {"some_rtds_layer"}, {"some_rtds_layer"}, {}, true)); auto some_rtds_layer = TestUtility::parseYaml(R"EOF( name: some_rtds_layer @@ -232,7 +232,7 @@ TEST_P(RtdsIntegrationTest, RtdsReload) { baz: meh )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 1); EXPECT_EQ("bar", getRuntimeKey("foo")); @@ -244,15 +244,15 @@ TEST_P(RtdsIntegrationTest, RtdsReload) { EXPECT_EQ(initial_keys_ + 1, test_server_->gauge("runtime.num_keys")->value()); EXPECT_EQ(3, test_server_->gauge("runtime.num_layers")->value()); - EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "1", {"some_rtds_layer"}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "1", {"some_rtds_layer"}, + {}, {})); some_rtds_layer = TestUtility::parseYaml(R"EOF( name: some_rtds_layer layer: baz: saz )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "2"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "2"); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 2); EXPECT_EQ("whatevs", getRuntimeKey("foo")); @@ -276,7 +276,7 @@ TEST_P(RtdsIntegrationTest, RtdsUpdate) { EXPECT_EQ("yar", getRuntimeKey("bar")); EXPECT_EQ("", getRuntimeKey("baz")); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "", {"some_rtds_layer"}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "", {"some_rtds_layer"}, {"some_rtds_layer"}, {}, true)); auto some_rtds_layer = TestUtility::parseYaml(R"EOF( name: some_rtds_layer @@ -287,7 +287,7 @@ TEST_P(RtdsIntegrationTest, RtdsUpdate) { // Use the Resource wrapper no matter if it is Sotw or Delta. sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1", + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1", {{"test", ProtobufWkt::Any()}}); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 1); @@ -337,7 +337,7 @@ TEST_P(RtdsIntegrationTest, RtdsAfterAsyncPrimaryClusterInitialization) { // After this xDS connection should be established. Verify that dynamic runtime values are loaded. acceptXdsConnection(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "", {"some_rtds_layer"}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "", {"some_rtds_layer"}, {"some_rtds_layer"}, {}, true)); auto some_rtds_layer = TestUtility::parseYaml(R"EOF( name: some_rtds_layer @@ -346,7 +346,7 @@ TEST_P(RtdsIntegrationTest, RtdsAfterAsyncPrimaryClusterInitialization) { baz: meh )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 1); EXPECT_EQ("bar", getRuntimeKey("foo")); diff --git a/test/integration/sds_dynamic_integration_test.cc b/test/integration/sds_dynamic_integration_test.cc index 8bd076a522765..881e09be4d4be 100644 --- a/test/integration/sds_dynamic_integration_test.cc +++ b/test/integration/sds_dynamic_integration_test.cc @@ -189,7 +189,7 @@ class SdsDynamicIntegrationBaseTest : public Grpc::BaseGrpcClientIntegrationPara void sendSdsResponse(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) { envoy::service::discovery::v3::DiscoveryResponse discovery_response; discovery_response.set_version_info("1"); - discovery_response.set_type_url(Config::TypeUrl::get().Secret); + discovery_response.set_type_url(Config::TestTypeUrl::get().Secret); discovery_response.add_resources()->PackFrom(secret); xds_stream_->sendGrpcMessage(discovery_response); @@ -1063,16 +1063,16 @@ class SdsCdsIntegrationTest : public SdsDynamicIntegrationBaseTest { std::unique_ptr& sdsUpstream() override { return fake_upstreams_[1]; } void sendCdsResponse() { - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {dynamic_cluster_}, {dynamic_cluster_}, {}, "55"); + Config::TestTypeUrl::get().Cluster, {dynamic_cluster_}, {dynamic_cluster_}, {}, "55"); } void sendSdsResponse2(const envoy::extensions::transport_sockets::tls::v3::Secret& secret, FakeStream& sds_stream) { envoy::service::discovery::v3::DiscoveryResponse discovery_response; discovery_response.set_version_info("1"); - discovery_response.set_type_url(Config::TypeUrl::get().Secret); + discovery_response.set_type_url(Config::TestTypeUrl::get().Secret); discovery_response.add_resources()->PackFrom(secret); sds_stream.sendGrpcMessage(discovery_response); } @@ -1114,8 +1114,8 @@ TEST_P(SdsCdsIntegrationTest, BasicSuccess) { // The 4 clusters are CDS,SDS,static and dynamic cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {}, "42"); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {}, "42"); // Successfully removed the dynamic cluster. test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); } @@ -1233,14 +1233,14 @@ class SdsDynamicClusterIntegrationTest : public SdsDynamicIntegrationBaseTest { std::unique_ptr& cdsUpstream() { return fake_upstreams_[0]; } void sendCdsResponse(bool do_not_send_sds_cluster = false) { - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); if (!do_not_send_sds_cluster) { sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {sds_cluster_, dynamic_cluster_}, + Config::TestTypeUrl::get().Cluster, {sds_cluster_, dynamic_cluster_}, {sds_cluster_, dynamic_cluster_}, {}, "55"); } else { sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {dynamic_cluster_}, {dynamic_cluster_}, {}, "55"); + Config::TestTypeUrl::get().Cluster, {dynamic_cluster_}, {dynamic_cluster_}, {}, "55"); } } @@ -1248,7 +1248,7 @@ class SdsDynamicClusterIntegrationTest : public SdsDynamicIntegrationBaseTest { FakeStream& sds_stream) { envoy::service::discovery::v3::DiscoveryResponse discovery_response; discovery_response.set_version_info("1"); - discovery_response.set_type_url(Config::TypeUrl::get().Secret); + discovery_response.set_type_url(Config::TestTypeUrl::get().Secret); discovery_response.add_resources()->PackFrom(secret); sds_stream.sendGrpcMessage(discovery_response); } @@ -1303,8 +1303,8 @@ TEST_P(SdsDynamicClusterIntegrationTest, BasicSuccess) { // The 4 clusters are CDS,SDS,static and dynamic cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {}, "42"); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {}, "42"); // Successfully removed the dynamic cluster. test_server_->waitForGaugeEq("cluster_manager.active_clusters", 2); } @@ -1347,8 +1347,8 @@ TEST_P(SdsDynamicClusterIntegrationTest, EdsBootStrapCluster) { // The 4 clusters are CDS,SDS,static and dynamic cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {}, "42"); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {}, "42"); // Successfully removed the dynamic cluster. test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); } @@ -1410,8 +1410,8 @@ TEST_P(SdsDynamicClusterIntegrationTest, ClusterRefersNonExistentSdsCluster) { // The 3 clusters are CDS, static and dynamic cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {}, "42"); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {}, "42"); // Successfully removed the dynamic cluster. test_server_->waitForGaugeEq("cluster_manager.active_clusters", 2); } @@ -1442,8 +1442,8 @@ TEST_P(SdsDynamicClusterIntegrationTest, CdsSdsCyclicDependency) { // The 3 clusters are CDS, static and dynamic cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {}, "42"); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {}, "42"); // Successfully removed the dynamic cluster. test_server_->waitForGaugeEq("cluster_manager.active_clusters", 2); } @@ -1580,8 +1580,8 @@ TEST_P(SdsCdsPrivateKeyIntegrationTest, BasicSdsCdsPrivateKeyProvider) { // The 4 clusters are CDS,SDS,static and dynamic cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 4); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, {}, {}, - {}, "42"); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {}, "42"); // Successfully removed the dynamic cluster. test_server_->waitForGaugeEq("cluster_manager.active_clusters", 3); } diff --git a/test/integration/sds_generic_secret_integration_test.cc b/test/integration/sds_generic_secret_integration_test.cc index 539157d499d40..3b3629bc14924 100644 --- a/test/integration/sds_generic_secret_integration_test.cc +++ b/test/integration/sds_generic_secret_integration_test.cc @@ -134,7 +134,7 @@ class SdsGenericSecretApiConfigSourceIntegrationTest : public Grpc::GrpcClientIn generic_secret->mutable_secret()->set_inline_string("DUMMY_AES_128_KEY"); envoy::service::discovery::v3::DiscoveryResponse discovery_response; discovery_response.set_version_info("0"); - discovery_response.set_type_url(Config::TypeUrl::get().Secret); + discovery_response.set_type_url(Config::TestTypeUrl::get().Secret); discovery_response.add_resources()->PackFrom(secret); xds_stream_->sendGrpcMessage(discovery_response); } diff --git a/test/integration/tcp_proxy_odcds_integration_test.cc b/test/integration/tcp_proxy_odcds_integration_test.cc index c36feede0ff2b..5fa53b90b8606 100644 --- a/test/integration/tcp_proxy_odcds_integration_test.cc +++ b/test/integration/tcp_proxy_odcds_integration_test.cc @@ -139,15 +139,15 @@ TEST_P(TcpProxyOdcdsIntegrationTest, SingleTcpClient) { odcds_stream_->startGrpcStream(); test_server_->waitForCounterEq("tcp.tcpproxy_stats.on_demand_cluster_attempt", 1); // Verify the on-demand CDS request and respond with the prepared `new_cluster`. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); // The on demand cluster request is received and the response is not sent. The tcp proxy must not ASSERT_TRUE(fake_upstreams_.back()->assertPendingConnectionsEmpty()); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); // This upstream is listening on the endpoint of `new_cluster`. It starts to serve tcp_proxy. FakeRawConnectionPtr fake_upstream_connection; @@ -184,12 +184,12 @@ TEST_P(TcpProxyOdcdsIntegrationTest, RepeatedRequest) { odcds_stream_->startGrpcStream(); // Verify the on-demand CDS request and respond without providing the cluster. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); test_server_->waitForCounterEq("tcp.tcpproxy_stats.on_demand_cluster_attempt", expected_upstream_connections); @@ -243,7 +243,7 @@ TEST_P(TcpProxyOdcdsIntegrationTest, ShutdownConnectionOnTimeout) { odcds_stream_->startGrpcStream(); // Verify the on-demand CDS request and respond without providing the cluster. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); EXPECT_EQ(1, test_server_->counter("tcp.tcpproxy_stats.on_demand_cluster_attempt")->value()); @@ -266,12 +266,12 @@ TEST_P(TcpProxyOdcdsIntegrationTest, ShutdownConnectionOnClusterMissing) { odcds_stream_->startGrpcStream(); // Verify the on-demand CDS request and respond the required cluster is missing. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().Cluster, {}, {"new_cluster"}, "1", odcds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {}, {}, odcds_stream_.get())); + Config::TestTypeUrl::get().Cluster, {}, {"new_cluster"}, "1", odcds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {}, {}, + odcds_stream_.get())); EXPECT_EQ(1, test_server_->counter("tcp.tcpproxy_stats.on_demand_cluster_attempt")->value()); @@ -295,7 +295,7 @@ TEST_P(TcpProxyOdcdsIntegrationTest, ShutdownAllConnectionsOnClusterLookupTimeou odcds_stream_->startGrpcStream(); // Verify the on-demand CDS request and respond without providing the cluster. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); EXPECT_EQ(1, test_server_->counter("tcp.tcpproxy_stats.on_demand_cluster_attempt")->value()); @@ -326,7 +326,7 @@ TEST_P(TcpProxyOdcdsIntegrationTest, ShutdownTcpClientBeforeOdcdsResponse) { odcds_stream_->startGrpcStream(); // Verify the on-demand CDS request and stall the response before tcp client close. - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().Cluster, {"new_cluster"}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {}, odcds_stream_.get())); EXPECT_EQ(1, test_server_->counter("tcp.tcpproxy_stats.on_demand_cluster_attempt")->value()); // Client disconnect when the tcp proxy is waiting for the on demand response. diff --git a/test/integration/upstream_http_filter_integration_test.cc b/test/integration/upstream_http_filter_integration_test.cc index 1ce734a75b03f..8adaecebcc421 100644 --- a/test/integration/upstream_http_filter_integration_test.cc +++ b/test/integration/upstream_http_filter_integration_test.cc @@ -475,7 +475,7 @@ class UpstreamHttpExtensionDiscoveryIntegrationTestBase void sendLdsResponse(const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); response.add_resources()->PackFrom(listener_config_); lds_stream_->sendGrpcMessage(response); } diff --git a/test/integration/upstream_network_filter_integration_test.cc b/test/integration/upstream_network_filter_integration_test.cc index 2dbb46ad52972..399ce5be2acdb 100644 --- a/test/integration/upstream_network_filter_integration_test.cc +++ b/test/integration/upstream_network_filter_integration_test.cc @@ -282,7 +282,7 @@ class UpstreamNetworkExtensionDiscoveryIntegrationTest void sendLdsResponse(const std::string& version) { envoy::service::discovery::v3::DiscoveryResponse response; response.set_version_info(version); - response.set_type_url(Config::TypeUrl::get().Listener); + response.set_type_url(Config::TestTypeUrl::get().Listener); response.add_resources()->PackFrom(listener_config_); lds_stream_->sendGrpcMessage(response); } diff --git a/test/integration/vhds.h b/test/integration/vhds.h index d09d5abfe513e..ccef3b90cef5d 100644 --- a/test/integration/vhds.h +++ b/test/integration/vhds.h @@ -201,20 +201,20 @@ class VhdsIntegrationTest : public HttpIntegrationTest, RELEASE_ASSERT(result, result.message()); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"my_route"}, true)); sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, {rdsConfig()}, "1"); + Config::TestTypeUrl::get().RouteConfiguration, {rdsConfig()}, "1"); result = xds_connection_->waitForNewStream(*dispatcher_, vhds_stream_); RELEASE_ASSERT(result, result.message()); vhds_stream_->startGrpcStream(); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, {buildVirtualHost()}, {}, "1", vhds_stream_.get()); - EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, + Config::TestTypeUrl::get().VirtualHost, {buildVirtualHost()}, {}, "1", vhds_stream_.get()); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); // Wait for our statically specified listener to become ready, and register its port in the @@ -233,7 +233,7 @@ class VhdsIntegrationTest : public HttpIntegrationTest, const std::vector& aliases = {}) { envoy::service::discovery::v3::DeltaDiscoveryResponse response; response.set_system_version_info("system_version_info_this_is_a_test"); - response.set_type_url(Config::TypeUrl::get().VirtualHost); + response.set_type_url(Config::TestTypeUrl::get().VirtualHost); auto* resource = response.add_resources(); resource->set_name("my_route/cannot-resolve-alias"); resource->set_version(version); @@ -249,7 +249,7 @@ class VhdsIntegrationTest : public HttpIntegrationTest, const std::vector& removed, const std::string& version, FakeStreamPtr& stream, const std::vector& aliases, const std::vector& unresolved_aliases) { auto response = createDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, added_or_updated, removed, version, aliases, {}); + Config::TestTypeUrl::get().VirtualHost, added_or_updated, removed, version, aliases, {}); for (const auto& unresolved_alias : unresolved_aliases) { auto* resource = response.add_resources(); resource->set_name(unresolved_alias); @@ -266,7 +266,7 @@ class VhdsIntegrationTest : public HttpIntegrationTest, createDeltaDiscoveryResponseWithResourceNameUsedAsAlias() { envoy::service::discovery::v3::DeltaDiscoveryResponse ret; ret.set_system_version_info("system_version_info_this_is_a_test"); - ret.set_type_url(Config::TypeUrl::get().VirtualHost); + ret.set_type_url(Config::TestTypeUrl::get().VirtualHost); auto* resource = ret.add_resources(); resource->set_name("my_route/vhost_1"); diff --git a/test/integration/vhds_integration_test.cc b/test/integration/vhds_integration_test.cc index 959f627ca9b15..dc27c6d7f19fb 100644 --- a/test/integration/vhds_integration_test.cc +++ b/test/integration/vhds_integration_test.cc @@ -78,10 +78,10 @@ class VhdsInitializationTest : public HttpIntegrationTest, RELEASE_ASSERT(result, result.message()); xds_stream_->startGrpcStream(); - EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TypeUrl::get().RouteConfiguration, "", + EXPECT_TRUE(compareSotwDiscoveryRequest(Config::TestTypeUrl::get().RouteConfiguration, "", {"my_route"}, true)); sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml( RdsWithoutVhdsConfig)}, "1"); @@ -110,7 +110,7 @@ TEST_P(VhdsInitializationTest, InitializeVhdsAfterRdsHasBeenInitialized) { // Update RouteConfig, this time include VHDS config sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml(RdsConfigWithVhosts)}, "2"); @@ -118,15 +118,15 @@ TEST_P(VhdsInitializationTest, InitializeVhdsAfterRdsHasBeenInitialized) { RELEASE_ASSERT(result, result.message()); vhds_stream_->startGrpcStream(); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); sendDeltaDiscoveryResponse( - Config::TypeUrl::get().VirtualHost, + Config::TestTypeUrl::get().VirtualHost, {TestUtility::parseYaml( fmt::format(VhostTemplate, "my_route/vhost_0", "vhost.first"))}, {}, "1", vhds_stream_.get()); - EXPECT_TRUE( - compareDeltaDiscoveryRequest(Config::TypeUrl::get().VirtualHost, {}, {}, vhds_stream_.get())); + EXPECT_TRUE(compareDeltaDiscoveryRequest(Config::TestTypeUrl::get().VirtualHost, {}, {}, + vhds_stream_.get())); // Confirm vhost.first that was configured via VHDS is reachable testRouterHeaderOnlyRequestAndResponse(nullptr, 1, "/", "vhost.first"); @@ -144,7 +144,7 @@ TEST_P(VhdsIntegrationTest, RdsUpdateWithoutVHDSChangesDoesNotRestartVHDS) { // Update RouteConfig, but don't change VHDS config sendSotwDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, + Config::TestTypeUrl::get().RouteConfiguration, {TestUtility::parseYaml(RdsConfigWithVhosts)}, "2"); diff --git a/test/integration/xds_config_tracker_integration_test.cc b/test/integration/xds_config_tracker_integration_test.cc index b80eae8717fcf..8acc3fa99853b 100644 --- a/test/integration/xds_config_tracker_integration_test.cc +++ b/test/integration/xds_config_tracker_integration_test.cc @@ -197,10 +197,10 @@ TEST_P(XdsConfigTrackerIntegrationTest, XdsConfigTrackerSuccessCount) { Registry::InjectFactory registered(factory); initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_, cluster2_}, {}, "1"); + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_, cluster2_}, {}, "1"); // 3 because the statically specified CDS server itself counts as a cluster. test_server_->waitForGaugeGe("cluster_manager.active_clusters", 3); @@ -217,14 +217,14 @@ TEST_P(XdsConfigTrackerIntegrationTest, XdsConfigTrackerSuccessCountWithWrapper) Registry::InjectFactory registered(factory); initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); // Add a typed metadata to the Resource wrapper. test::envoy::config::xds::TestTrackerMetadata test_metadata; ProtobufWkt::Any packed_value; packed_value.PackFrom(test_metadata); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_, cluster2_}, {}, "1", + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_, cluster2_}, {}, "1", {{kTestKey, packed_value}}); // 3 because the statically specified CDS server itself counts as a cluster. @@ -241,7 +241,7 @@ TEST_P(XdsConfigTrackerIntegrationTest, XdsConfigTrackerFailureCount) { Registry::InjectFactory registered(factory); initialize(); - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); const auto route_config = TestUtility::parseYaml(R"EOF( @@ -256,7 +256,7 @@ TEST_P(XdsConfigTrackerIntegrationTest, XdsConfigTrackerFailureCount) { )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {route_config}, {route_config}, {}, "3"); + Config::TestTypeUrl::get().Cluster, {route_config}, {route_config}, {}, "3"); // Resources are rejected because Message's TypeUrl != Resource's test_server_->waitForCounterEq("test_xds_tracker.on_config_rejected", 1); @@ -270,9 +270,9 @@ TEST_P(XdsConfigTrackerIntegrationTest, XdsConfigTrackerPartialUpdate) { initialize(); // The first of duplicates has already been successfully applied, // and a duplicate exception should be threw. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster1_, cluster1_, cluster2_}, + Config::TestTypeUrl::get().Cluster, {cluster1_, cluster1_, cluster2_}, {cluster1_, cluster1_, cluster2_}, {}, "5"); // For Delta, the response will be rejected when checking the message due to the duplication. diff --git a/test/integration/xds_delegate_extension_integration_test.cc b/test/integration/xds_delegate_extension_integration_test.cc index 2b021b854c1ab..b17c8f3c06cab 100644 --- a/test/integration/xds_delegate_extension_integration_test.cc +++ b/test/integration/xds_delegate_extension_integration_test.cc @@ -209,7 +209,7 @@ TEST_P(XdsDelegateExtensionIntegrationTest, XdsResourcesDelegateOnConfigUpdated) acceptXdsConnection(); int current_on_config_updated_count = TestXdsResourcesDelegate::OnConfigUpdatedCount; - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "", {"some_rtds_layer"}, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "", {"some_rtds_layer"}, {"some_rtds_layer"}, {}, true)); auto some_rtds_layer = TestUtility::parseYaml(R"EOF( name: some_rtds_layer @@ -218,7 +218,7 @@ TEST_P(XdsDelegateExtensionIntegrationTest, XdsResourcesDelegateOnConfigUpdated) baz: meh )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1"); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 1); int expected_on_config_updated_count = ++current_on_config_updated_count; waitforOnConfigUpdatedCount(expected_on_config_updated_count); @@ -227,15 +227,15 @@ TEST_P(XdsDelegateExtensionIntegrationTest, XdsResourcesDelegateOnConfigUpdated) EXPECT_EQ("bar", getRuntimeKey("foo")); EXPECT_EQ("meh", getRuntimeKey("baz")); - EXPECT_TRUE( - compareDiscoveryRequest(Config::TypeUrl::get().Runtime, "1", {"some_rtds_layer"}, {}, {})); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Runtime, "1", {"some_rtds_layer"}, + {}, {})); some_rtds_layer = TestUtility::parseYaml(R"EOF( name: some_rtds_layer layer: baz: saz )EOF"); sendDiscoveryResponse( - Config::TypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "2"); + Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "2"); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 2); expected_on_config_updated_count = ++current_on_config_updated_count; waitforOnConfigUpdatedCount(expected_on_config_updated_count); diff --git a/test/integration/xds_integration_test.cc b/test/integration/xds_integration_test.cc index afb04e806a062..7064e8f157e9c 100644 --- a/test/integration/xds_integration_test.cc +++ b/test/integration/xds_integration_test.cc @@ -941,27 +941,27 @@ TEST_P(XdsSotwMultipleAuthoritiesTest, SameResourceNameAndTypeFromMultipleAuthor // SDS for the first cluster. initXdsStream(getXdsUpstream1(), xds_connection_1_, xds_stream_1_); EXPECT_TRUE(compareSotwDiscoveryRequest( - /*expected_type_url=*/Config::TypeUrl::get().Secret, + /*expected_type_url=*/Config::TestTypeUrl::get().Secret, /*expected_version=*/"", /*expected_resource_names=*/{cert_name}, /*expect_node=*/true, Grpc::Status::WellKnownGrpcStatus::Ok, /*expected_error_message=*/"", xds_stream_1_.get())); auto sds_resource = getClientSecret(cert_name); sendSotwDiscoveryResponse( - Config::TypeUrl::get().Secret, {sds_resource}, "1", xds_stream_1_.get()); + Config::TestTypeUrl::get().Secret, {sds_resource}, "1", xds_stream_1_.get()); } { // SDS for the second cluster. initXdsStream(getXdsUpstream2(), xds_connection_2_, xds_stream_2_); EXPECT_TRUE(compareSotwDiscoveryRequest( - /*expected_type_url=*/Config::TypeUrl::get().Secret, + /*expected_type_url=*/Config::TestTypeUrl::get().Secret, /*expected_version=*/"", /*expected_resource_names=*/{cert_name}, /*expect_node=*/true, Grpc::Status::WellKnownGrpcStatus::Ok, /*expected_error_message=*/"", xds_stream_2_.get())); auto sds_resource = getClientSecret(cert_name); sendSotwDiscoveryResponse( - Config::TypeUrl::get().Secret, {sds_resource}, "1", xds_stream_2_.get()); + Config::TestTypeUrl::get().Secret, {sds_resource}, "1", xds_stream_2_.get()); } }; diff --git a/test/integration/xdstp_config_sources_integration_test.cc b/test/integration/xdstp_config_sources_integration_test.cc index 8ff2f3d6529e7..8296e516d9f0d 100644 --- a/test/integration/xdstp_config_sources_integration_test.cc +++ b/test/integration/xdstp_config_sources_integration_test.cc @@ -207,12 +207,12 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigAuthority1) { // Authority1 should receive the EDS request. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1")}, @@ -223,7 +223,7 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigAuthority1) { // Expect an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "1", + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); }; @@ -274,7 +274,7 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigAuthority1Update) { // Authority1 should receive the EDS request. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); @@ -282,12 +282,12 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigAuthority1Update) { auto cla = buildClusterLoadAssignment( "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "1", {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "1", {}, authority1_xds_stream_.get()); // Expect an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "1", + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); }; @@ -312,12 +312,12 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigAuthority1Update) { // Send an update to the load-assignment. cla.mutable_endpoints(0)->mutable_locality()->set_sub_zone("new_sub_zone"); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "2", {}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {cla}, {cla}, {}, "2", {}, authority1_xds_stream_.get()); // Expect an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "2", + Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); @@ -365,14 +365,14 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigDefaultSource) { // Default Authority should receive the EDS request. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "", + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1"}, {"xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1"}, {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", default_authority_xds_stream_.get())); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment( "xdstp://default_authority.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" "cluster1")}, @@ -383,7 +383,7 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigDefaultSource) { // Expect an EDS ACK. EXPECT_TRUE(compareDiscoveryRequest( - Config::TypeUrl::get().ClusterLoadAssignment, "1", + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1"}, {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", default_authority_xds_stream_.get())); diff --git a/test/server/config_validation/xds_fuzz.cc b/test/server/config_validation/xds_fuzz.cc index d05ba8e0048e4..6f949486a7c14 100644 --- a/test/server/config_validation/xds_fuzz.cc +++ b/test/server/config_validation/xds_fuzz.cc @@ -39,7 +39,7 @@ void XdsFuzzTest::updateListener( const std::vector& added_or_updated, const std::vector& removed) { ENVOY_LOG_MISC(debug, "Sending Listener DiscoveryResponse version {}", version_); - sendDiscoveryResponse(Config::TypeUrl::get().Listener, + sendDiscoveryResponse(Config::TestTypeUrl::get().Listener, listeners, added_or_updated, removed, std::to_string(version_)); } @@ -50,7 +50,7 @@ void XdsFuzzTest::updateRoute( const std::vector& removed) { ENVOY_LOG_MISC(debug, "Sending Route DiscoveryResponse version {}", version_); sendDiscoveryResponse( - Config::TypeUrl::get().RouteConfiguration, routes, added_or_updated, removed, + Config::TestTypeUrl::get().RouteConfiguration, routes, added_or_updated, removed, std::to_string(version_)); } @@ -161,7 +161,7 @@ void XdsFuzzTest::addListener(const std::string& listener_name, const std::strin // Use waitForAck instead of compareDiscoveryRequest as the client makes additional // DiscoveryRequests at launch that we might not want to respond to yet. - EXPECT_TRUE(waitForAck(Config::TypeUrl::get().Listener, std::to_string(version_))); + EXPECT_TRUE(waitForAck(Config::TestTypeUrl::get().Listener, std::to_string(version_))); if (removed) { verifier_.listenerUpdated(listener); } else { @@ -179,7 +179,7 @@ void XdsFuzzTest::removeListener(const std::string& listener_name) { if (removed) { lds_update_success_++; updateListener(listeners_, {}, {listener_name}); - EXPECT_TRUE(waitForAck(Config::TypeUrl::get().Listener, std::to_string(version_))); + EXPECT_TRUE(waitForAck(Config::TestTypeUrl::get().Listener, std::to_string(version_))); verifier_.listenerRemoved(listener_name); } } @@ -198,7 +198,7 @@ void XdsFuzzTest::addRoute(const std::string& route_name) { updateRoute(routes_, {route}, {}); verifier_.routeAdded(route); - EXPECT_TRUE(waitForAck(Config::TypeUrl::get().RouteConfiguration, std::to_string(version_))); + EXPECT_TRUE(waitForAck(Config::TestTypeUrl::get().RouteConfiguration, std::to_string(version_))); } /** @@ -237,17 +237,17 @@ void XdsFuzzTest::replay() { initialize(); // Set up cluster. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse(Config::TypeUrl::get().Cluster, + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "0"); // TODO (dmitri-d) legacy delta sends node with every DiscoveryRequest, other mux implementations // follow set_node_on_first_message_only config flag - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().ClusterLoadAssignment, "", + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().ClusterLoadAssignment, "", {"cluster_0"}, {"cluster_0"}, {}, sotw_or_delta_ == Grpc::SotwOrDelta::Delta)); sendDiscoveryResponse( - Config::TypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, + Config::TestTypeUrl::get().ClusterLoadAssignment, {buildClusterLoadAssignment("cluster_0")}, {buildClusterLoadAssignment("cluster_0")}, {}, "0"); // The client will not subscribe to the RouteConfiguration type URL until it receives a listener, diff --git a/test/test_common/resources.h b/test/test_common/resources.h index 323bbd9971a36..c83998242c1cf 100644 --- a/test/test_common/resources.h +++ b/test/test_common/resources.h @@ -26,7 +26,7 @@ class TypeUrlValues { const std::string Runtime{"type.googleapis.com/envoy.service.runtime.v3.Runtime"}; }; -using TypeUrl = ConstSingleton; +using TestTypeUrl = ConstSingleton; } // namespace Config } // namespace Envoy From 2d9abe2d01605465863796ad2b37c59c66e2ef03 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 24 Jul 2025 04:16:05 +0000 Subject: [PATCH 056/505] Temp: duplicate FDs and some more fixes Signed-off-by: Basundhara Chakrabarty --- .../cloud-envoy-grpc-enhanced.yaml | 5 +- .../docker-compose.yaml | 6 +- .../on-prem-envoy-custom-resolver-grpc.yaml | 2 +- .../on-prem-envoy-custom-resolver.yaml | 4 +- source/common/network/connection_impl.cc | 22 ++- source/common/network/connection_impl.h | 5 +- .../common/network/io_socket_handle_impl.cc | 27 +++- source/common/network/socket_impl.h | 6 + .../extensions/bootstrap/reverse_tunnel/BUILD | 1 + .../reverse_tunnel_initiator.cc | 142 +++++++++++------- .../reverse_tunnel/reverse_tunnel_initiator.h | 13 +- .../filters/http/reverse_conn/BUILD | 1 + .../http/reverse_conn/reverse_conn_filter.cc | 46 +++++- 13 files changed, 206 insertions(+), 74 deletions(-) diff --git a/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml b/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml index 931c003e62b65..79930b9d2a44c 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml @@ -49,7 +49,7 @@ static_resources: - name: envoy.filters.http.reverse_conn typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - ping_interval: 30 + ping_interval: 2 - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -129,6 +129,7 @@ admin: access_log_path: "/dev/stdout" address: socket_address: + protocol: TCP address: 0.0.0.0 port_value: 8888 @@ -143,4 +144,4 @@ bootstrap_extensions: - name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface typed_config: "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface - stat_prefix: "upstream_reverse_connection" \ No newline at end of file + stat_prefix: "upstream_reverse_connection" diff --git a/examples/reverse_connection_socket_interface/docker-compose.yaml b/examples/reverse_connection_socket_interface/docker-compose.yaml index a9b9642701c0d..28b0d99528c8a 100644 --- a/examples/reverse_connection_socket_interface/docker-compose.yaml +++ b/examples/reverse_connection_socket_interface/docker-compose.yaml @@ -13,8 +13,8 @@ services: on-prem-envoy: image: debug/envoy:latest volumes: - - ./on-prem-envoy-custom-resolver-grpc.yaml:/etc/on-prem-envoy.yaml - command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 + - ./on-prem-envoy-custom-resolver.yaml:/etc/on-prem-envoy.yaml + command: envoy -c /etc/on-prem-envoy.yaml --concurrency 2 -l trace --drain-time-s 3 ports: # Admin interface - "8888:8888" @@ -38,7 +38,7 @@ services: cloud-envoy: image: debug/envoy:latest volumes: - - ./cloud-envoy-grpc-enhanced.yaml:/etc/cloud-envoy.yaml + - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml index db6c1a8fb5ba0..5e5bb69a891a3 100644 --- a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml @@ -166,4 +166,4 @@ layered_runtime: layers: - name: layer static_layer: - re2.max_program_size.error_level: 1000 \ No newline at end of file + re2.max_program_size.error_level: 1000 diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml index e85295ca55eb1..586cb760b013b 100644 --- a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml @@ -73,13 +73,13 @@ static_resources: - name: envoy.filters.listener.reverse_connection typed_config: "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - ping_wait_timeout: 120 + ping_wait_timeout: 10 # Use custom address with reverse connection metadata encoded in URL format address: socket_address: # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem # and remote clusters: cloud with 1 connection - address: "rc://on-prem-node:on-prem:on-prem@cloud:10" + address: "rc://on-prem-node:on-prem:on-prem@cloud:1" port_value: 0 # Use custom resolver that can parse reverse connection metadata resolver_name: "envoy.resolvers.reverse_connection" diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index a94db640e59b6..1666d03f49003 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -120,6 +120,15 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt } ConnectionImpl::~ConnectionImpl() { + ENVOY_CONN_LOG(trace, "ConnectionImpl destructor called, socket_={}, socket_isOpen={}, delayed_close_timer_={}, reuse_socket_={}", + *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, + delayed_close_timer_ ? "not_null" : "null", static_cast(reuse_socket_)); + + if (reuse_socket_) { + ENVOY_CONN_LOG(trace, "ConnectionImpl destructor called, reuse_socket_=true, skipping close", *this); + return; + } + ASSERT((socket_ == nullptr || !socket_->isOpen()) && delayed_close_timer_ == nullptr, "ConnectionImpl destroyed with open socket and/or active timer"); @@ -339,7 +348,11 @@ void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_actio } void ConnectionImpl::closeSocket(ConnectionEvent close_type) { + ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}, reuse_socket_={}", + *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, static_cast(reuse_socket_)); + if (socket_ == nullptr || !socket_->isOpen()) { + ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); return; } @@ -382,9 +395,14 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { } // It is safe to call close() since there is an IO handle check. + ENVOY_CONN_LOG(trace, "closeSocket: about to close socket, reuse_socket_={}", *this, static_cast(reuse_socket_)); if (!reuse_socket_) { - ENVOY_LOG(debug, "closeSocket:"); + ENVOY_LOG_MISC(debug, "closeSocket:"); + ENVOY_CONN_LOG(trace, "closeSocket: calling socket_->close()", *this); socket_->close(); + ENVOY_CONN_LOG(trace, "closeSocket: socket_->close() completed", *this); + } else { + ENVOY_CONN_LOG(trace, "closeSocket: skipping socket close due to reuse_socket_=true", *this); } // Call the base class directly as close() is called in the destructor. @@ -971,7 +989,7 @@ bool ConnectionImpl::setSocketOption(Network::SocketOptionName name, absl::Span< Api::SysCallIntResult result = SocketOptionImpl::setSocketOption(*socket_, name, value.data(), value.size()); if (result.return_value_ != 0) { - ENVOY_LOG(warn, "Setting option on socket failed, errno: {}, message: {}", result.errno_, + ENVOY_LOG_MISC(warn, "Setting option on socket failed, errno: {}, message: {}", result.errno_, errorDetails(result.errno_)); return false; } diff --git a/source/common/network/connection_impl.h b/source/common/network/connection_impl.h index 42af2f28de344..befd614e8b9cd 100644 --- a/source/common/network/connection_impl.h +++ b/source/common/network/connection_impl.h @@ -68,7 +68,10 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback RELEASE_ASSERT(socket_ != nullptr, "socket is null."); return socket_; } - void setSocketReused(bool value) override { reuse_socket_ = value; } + void setSocketReused(bool value) override { + ENVOY_LOG_MISC(trace, "setSocketReused called with value={}", value); + reuse_socket_ = value; + } bool isSocketReused() override { return reuse_socket_; } // Network::Connection diff --git a/source/common/network/io_socket_handle_impl.cc b/source/common/network/io_socket_handle_impl.cc index 2509e3fbd391f..e0df4130cbe3b 100644 --- a/source/common/network/io_socket_handle_impl.cc +++ b/source/common/network/io_socket_handle_impl.cc @@ -60,13 +60,20 @@ IoSocketHandleImpl::~IoSocketHandleImpl() { } Api::IoCallUint64Result IoSocketHandleImpl::close() { + ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() called, fd_={}, SOCKET_VALID={}", + fd_, SOCKET_VALID(fd_)); + if (file_event_) { + ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() resetting file_event_"); file_event_.reset(); } ASSERT(SOCKET_VALID(fd_)); + ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() calling system close(fd_={})", fd_); const int rc = Api::OsSysCallsSingleton::get().close(fd_).return_value_; + ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() system close returned rc={}", rc); SET_SOCKET_INVALID(fd_); + ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() completed, fd_ set to invalid"); return {static_cast(rc), Api::IoError::none()}; } @@ -223,7 +230,7 @@ Api::IoCallUint64Result IoSocketHandleImpl::sendmsg(const Buffer::RawSlice* slic } const Api::SysCallSizeResult result = os_syscalls.sendmsg(fd_, &message, flags); if (result.return_value_ < 0 && result.errno_ == SOCKET_ERROR_INVAL) { - ENVOY_LOG(error, fmt::format("EINVAL error. Socket is open: {}, IPv{}.", isOpen(), + ENVOY_LOG_MISC(error, fmt::format("EINVAL error. Socket is open: {}, IPv{}.", isOpen(), self_ip->version() == Address::IpVersion::v6 ? 6 : 4)); } return sysCallResultToIoCallResult(result); @@ -600,7 +607,25 @@ void IoSocketHandleImpl::initializeFileEvent(Event::Dispatcher& dispatcher, Even Event::FileTriggerType trigger, uint32_t events) { ASSERT(file_event_ == nullptr, "Attempting to initialize two `file_event_` for the same " "file descriptor. This is not allowed."); + + // Add trace logging to identify thread + ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::initializeFileEvent() called for fd={} on thread: {} (isThreadSafe={})", + fd_, dispatcher.name(), dispatcher.isThreadSafe()); + + // Log additional thread info + if (dispatcher.isThreadSafe()) { + ENVOY_LOG_MISC(trace, "initializeFileEvent: Called on MAIN thread for fd={}", fd_); + } else { + ENVOY_LOG_MISC(trace, "initializeFileEvent: Called on WORKER thread '{}' for fd={}", + dispatcher.name(), fd_); + } + + ENVOY_LOG_MISC(trace, "initializeFileEvent: Creating file event with trigger={}, events={} for fd={}", + static_cast(trigger), events, fd_); + file_event_ = dispatcher.createFileEvent(fd_, cb, trigger, events); + + ENVOY_LOG_MISC(trace, "initializeFileEvent: File event created successfully for fd={}", fd_); } void IoSocketHandleImpl::activateFileEvents(uint32_t events) { diff --git a/source/common/network/socket_impl.h b/source/common/network/socket_impl.h index 0892f81984cad..5166aeb352248 100644 --- a/source/common/network/socket_impl.h +++ b/source/common/network/socket_impl.h @@ -133,8 +133,14 @@ class SocketImpl : public virtual Socket { IoHandle& ioHandle() override { return *io_handle_; } const IoHandle& ioHandle() const override { return *io_handle_; } void close() override { + ENVOY_LOG_MISC(trace, "SocketImpl::close() called, io_handle_={}, io_handle_isOpen={}", + io_handle_ ? "not_null" : "null", io_handle_ ? io_handle_->isOpen() : false); if (io_handle_ && io_handle_->isOpen()) { + ENVOY_LOG_MISC(trace, "SocketImpl::close() calling io_handle_->close()"); io_handle_->close(); + ENVOY_LOG_MISC(trace, "SocketImpl::close() io_handle_->close() completed"); + } else { + ENVOY_LOG_MISC(trace, "SocketImpl::close() skipping close - io_handle is null or not open"); } } bool isOpen() const override { return io_handle_ && io_handle_->isOpen(); } diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index a108e08622b81..350ca9b982fe1 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -76,6 +76,7 @@ envoy_cc_extension( "//source/common/grpc:typed_async_client_lib", "//source/common/http:headers_lib", "//source/common/network:address_lib", + "//source/common/network:connection_socket_lib", "//source/common/network:default_socket_interface_lib", "//source/common/network:filter_lib", "//source/common/protobuf", diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 78be8fc73546d..0dd69c2469f69 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -18,6 +18,7 @@ #include "source/common/common/logger.h" #include "source/common/http/headers.h" #include "source/common/network/address_impl.h" +#include "source/common/network/connection_socket_impl.h" #include "source/common/network/socket_interface_impl.h" #include "source/common/protobuf/message_validator_impl.h" #include "source/common/protobuf/protobuf.h" @@ -247,9 +248,11 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, } const std::string data = buffer.toString(); + ENVOY_LOG(debug, "SimpleConnReadFilter: Received data: {}", data); - // Look for HTTP response status line first - if (data.find("HTTP/1.1 200 OK") != std::string::npos) { + // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) + if (data.find("HTTP/1.1 200 OK") != std::string::npos || + data.find("HTTP/2 200") != std::string::npos) { ENVOY_LOG(debug, "Received HTTP 200 OK response"); // Find the end of headers (double CRLF) @@ -299,7 +302,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); return Network::FilterStatus::Continue; } - } else if (data.find("HTTP/1.1 ") != std::string::npos) { + } else if (data.find("HTTP/1.1 ") != std::string::npos || data.find("HTTP/2 ") != std::string::npos) { // Found HTTP response but not 200 OK - this is an error ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, @@ -375,6 +378,8 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, // Create a dummy span for tracing auto span = std::make_unique(); + connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); + // Initiate the gRPC handshake using the actual interface bool success = reverse_tunnel_client_->initiateHandshake( src_tenant_id, src_cluster_id, src_node_id, absl::nullopt, *span); @@ -448,13 +453,13 @@ void RCConnectionWrapper::onHandshakeSuccess( if (response) { message = response->status_message(); } - ENVOY_LOG(debug, "gRPC handshake succeeded: {}", message); + ENVOY_LOG(debug, "handshake succeeded: {}", message); parent_.onConnectionDone(message, this, false); } void RCConnectionWrapper::onHandshakeFailure(Grpc::Status::GrpcStatus status, const std::string& message) { - ENVOY_LOG(error, "gRPC handshake failed with status {}: {}", static_cast(status), message); + ENVOY_LOG(error, "handshake failed with status {}: {}", static_cast(status), message); parent_.onConnectionDone(message, this, false); } @@ -598,51 +603,51 @@ void ReverseConnectionIOHandle::cleanup() { Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { (void)backlog; - ENVOY_LOG(debug, - "ReverseConnectionIOHandle::listen() - initiating reverse connections to {} clusters", - config_.remote_clusters.size()); + // No-op for reverse connections. + return Api::SysCallIntResult{0, 0}; +} - if (!listening_initiated_) { - // Create trigger pipe mechanism on worker thread where TLS is available +void ReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatcher, + Event::FileReadyCb cb, + Event::FileTriggerType trigger, + uint32_t events) { + // CRITICAL FIX: listen() is called on the main thread, but the reverse connections should be + // initialized on a worker thread. initializeFileEvent() is called on a worker thread. + ENVOY_LOG(debug, "ReverseConnectionIOHandle::initializeFileEvent() called on thread: {} for fd={}", + dispatcher.name(), fd_); + + if (!is_reverse_conn_started_) { + ENVOY_LOG(info, "ReverseConnectionIOHandle: Starting reverse connections on worker thread '{}'", + dispatcher.name()); + + // Store worker dispatcher + worker_dispatcher_ = &dispatcher; + + // Create trigger pipe on worker thread if (!isTriggerPipeReady()) { createTriggerPipe(); if (!isTriggerPipeReady()) { - ENVOY_LOG( - error, - "Failed to create trigger pipe mechanism - cannot proceed with reverse connections"); - return Api::SysCallIntResult{-1, ENODEV}; + ENVOY_LOG(error, "Failed to create trigger pipe on worker thread"); + return; } } - - // Create the retry timer on first use with thread-local dispatcher. The timer is reset - // on each invocation of maintainReverseConnections(). + + // Initialize reverse connections on worker thread if (!rev_conn_retry_timer_) { - try { - if (isThreadLocalDispatcherAvailable()) { - rev_conn_retry_timer_ = getThreadLocalDispatcher().createTimer([this]() -> void { - ENVOY_LOG(debug, "Reverse connection timer triggered - checking all clusters for " - "missing connections."); - // Safety check before maintenance - if (isThreadLocalDispatcherAvailable()) { - maintainReverseConnections(); - } else { - ENVOY_LOG(debug, "Skipping maintenance - dispatcher not available."); - } - }); - // Trigger the reverse connection workflow. The function will reset rev_conn_retry_timer_. - maintainReverseConnections(); - ENVOY_LOG(debug, "Created retry timer for periodic connection checks."); - } else { - ENVOY_LOG(warn, "Cannot create retry timer - dispatcher not available."); - } - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception creating retry timer: {}.", e.what()); - } + rev_conn_retry_timer_ = dispatcher.createTimer([this]() { + ENVOY_LOG(debug, "Reverse connection timer triggered on worker thread"); + maintainReverseConnections(); + }); + maintainReverseConnections(); } - listening_initiated_ = true; + + is_reverse_conn_started_ = true; + ENVOY_LOG(info, "ReverseConnectionIOHandle: Reverse connections started on thread '{}'", + dispatcher.name()); } - - return Api::SysCallIntResult{0, 0}; + + // Call parent implementation + IoSocketHandleImpl::initializeFileEvent(dispatcher, cb, trigger, events); } Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, @@ -714,17 +719,42 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - got connection key: {}", connection_key); - auto socket = connection->moveSocket(); - os_fd_t conn_fd = socket->ioHandle().fdDoNotUse(); - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - got fd: {}. Creating IoHandle", - conn_fd); + // Instead of moving the socket, duplicate the file descriptor + const Network::ConnectionSocketPtr& original_socket = connection->getSocket(); + if (!original_socket || !original_socket->isOpen()) { + ENVOY_LOG(error, "Original socket is not available or not open"); + return nullptr; + } + + // Duplicate the file descriptor + Network::IoHandlePtr duplicated_handle = original_socket->ioHandle().duplicate(); + if (!duplicated_handle || !duplicated_handle->isOpen()) { + ENVOY_LOG(error, "Failed to duplicate file descriptor"); + return nullptr; + } + + os_fd_t original_fd = original_socket->ioHandle().fdDoNotUse(); + os_fd_t duplicated_fd = duplicated_handle->fdDoNotUse(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - duplicated fd: original_fd={}, duplicated_fd={}", + original_fd, duplicated_fd); + + // Create a new socket with the duplicated handle + Network::ConnectionSocketPtr duplicated_socket = + std::make_unique( + std::move(duplicated_handle), + original_socket->connectionInfoProvider().localAddress(), + original_socket->connectionInfoProvider().remoteAddress()); - // Create RAII-based IoHandle with connection key and parent reference + // Reset file events on the duplicated socket to clear any inherited events + duplicated_socket->ioHandle().resetFileEvents(); + + // Create RAII-based IoHandle with duplicated socket auto io_handle = std::make_unique( - std::move(socket)); + std::move(duplicated_socket)); ENVOY_LOG(debug, - "ReverseConnectionIOHandle::accept() - RAII IoHandle created with owned socket."); - + "ReverseConnectionIOHandle::accept() - RAII IoHandle created with duplicated socket."); + connection->setSocketReused(true); + // Close the original connection connection->close(Network::ConnectionCloseType::NoFlush); ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - returning io_handle."); @@ -1658,12 +1688,16 @@ void ReverseTunnelInitiatorExtension::onWorkerThreadInitialized() { } DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { - ENVOY_LOG(debug, - "ReverseTunnelInitiatorExtension::getLocalRegistry() - using enhanced thread safety."); + if (!tls_slot_) { + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension::getLocalRegistry() - no thread local slot"); + return nullptr; + } + + if (auto opt = tls_slot_->get(); opt.has_value()) { + return &opt.value().get(); + } - // Use the enhanced factory utilities for safe thread-local access - return ReverseConnectionFactoryUtils::safeGetThreadLocal(tls_slot_, - "ReverseTunnelInitiatorExtension"); + return nullptr; } Envoy::Network::IoHandlePtr diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 8048681c7365e..a4bbbe8c6e61f 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -212,6 +212,16 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ Api::IoCallUint64Result close() override; + /** + * Override of initializeFileEvent to defer work to worker thread. + * @param dispatcher the event dispatcher. + * @param cb the file ready callback. + * @param trigger the file trigger type. + * @param events the events to monitor. + */ + void initializeFileEvent(Event::Dispatcher& dispatcher, Event::FileReadyCb cb, + Event::FileTriggerType trigger, uint32_t events) override; + // Network::ConnectionCallbacks. /** * Called when connection events occur. @@ -489,7 +499,8 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // gRPC reverse tunnel client for handshake operations std::unique_ptr reverse_tunnel_client_; - bool listening_initiated_{false}; // Whether reverse connections have been initiated + bool is_reverse_conn_started_{false}; // Whether reverse connections have been started on worker thread + Event::Dispatcher* worker_dispatcher_{nullptr}; // Dispatcher for the worker thread // Store original socket FD for cleanup os_fd_t original_socket_fd_{-1}; diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index fbad05047085e..b247d514e3dd5 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -34,6 +34,7 @@ envoy_cc_extension( "//source/common/http:headers_lib", "//source/common/http:utility_lib", "//source/common/json:json_loader_lib", + "//source/common/network:connection_socket_lib", "//source/common/network:filter_lib", "//source/common/protobuf:utility_lib", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index af02ed1344b13..864be88b63712 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -11,6 +11,7 @@ #include "source/common/http/message_impl.h" #include "source/common/http/utility.h" #include "source/common/json/json_loader.h" +#include "source/common/network/connection_socket_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" @@ -151,11 +152,13 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { }, absl::nullopt, ""); - connection->setSocketReused(true); - connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); + // connection->setSocketReused(true); + // connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", *decoder_callbacks_, node_uuid, cluster_uuid); saveDownstreamConnection(*connection, node_uuid, cluster_uuid); + connection->setSocketReused(true); + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } @@ -396,11 +399,40 @@ void ReverseConnFilter::saveDownstreamConnection(Network::Connection& downstream return; } - Network::ConnectionSocketPtr downstream_socket = downstream_connection.moveSocket(); - downstream_socket->ioHandle().resetFileEvents(); + // Instead of moving the socket, duplicate the file descriptor + const Network::ConnectionSocketPtr& original_socket = downstream_connection.getSocket(); + if (!original_socket || !original_socket->isOpen()) { + ENVOY_STREAM_LOG(error, "Original socket is not available or not open", *decoder_callbacks_); + return; + } + + // Duplicate the file descriptor + Network::IoHandlePtr duplicated_handle = original_socket->ioHandle().duplicate(); + if (!duplicated_handle || !duplicated_handle->isOpen()) { + ENVOY_STREAM_LOG(error, "Failed to duplicate file descriptor", *decoder_callbacks_); + return; + } + + ENVOY_STREAM_LOG(debug, "Successfully duplicated file descriptor: original_fd={}, duplicated_fd={}", + *decoder_callbacks_, original_socket->ioHandle().fdDoNotUse(), + duplicated_handle->fdDoNotUse()); + + // Create a new socket with the duplicated handle + Network::ConnectionSocketPtr duplicated_socket = + std::make_unique( + std::move(duplicated_handle), + original_socket->connectionInfoProvider().localAddress(), + original_socket->connectionInfoProvider().remoteAddress()); - socket_manager->addConnectionSocket(node_id, cluster_id, std::move(downstream_socket), + // Reset file events on the duplicated socket to clear any inherited events + duplicated_socket->ioHandle().resetFileEvents(); + + // Add the duplicated socket to the manager + socket_manager->addConnectionSocket(node_id, cluster_id, std::move(duplicated_socket), config_->pingInterval(), false /* rebalanced */); + + ENVOY_STREAM_LOG(debug, "Successfully added duplicated socket to upstream socket manager. Original connection remains functional.", + *decoder_callbacks_); } Http::FilterDataStatus ReverseConnFilter::decodeData(Buffer::Instance& data, bool) { @@ -487,11 +519,11 @@ Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { ENVOY_STREAM_LOG(info, "Saving downstream connection for gRPC request", *decoder_callbacks_); - connection->setSocketReused(true); - // connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn_grpc"); + // connection->setSocketReused(true); ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", *decoder_callbacks_, initiator.node_id(), initiator.cluster_id()); saveDownstreamConnection(*connection, initiator.node_id(), initiator.cluster_id()); + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn_grpc"); } decoder_callbacks_->setReverseConnForceLocalReply(false); From 468787dd655a5fa85b8510d132d1b53e7ba1b201 Mon Sep 17 00:00:00 2001 From: Vanessa Reimer Date: Thu, 24 Jul 2025 07:15:11 +0200 Subject: [PATCH 057/505] Update QUICHE from 377a484ce to a157f7072 (#40337) https://github.com/google/quiche/compare/377a484ce..a157f7072 ``` $ git log 377a484ce..a157f7072 --date=short --no-merges --format="%ad %al %s" 2025-07-21 quiche-dev Fix build error in Chromium 2025-07-21 vasilvv Simplify the way bitrate adjuster provides bitrate feedback. 2025-07-21 elburrito BlindSignAuth: Serialize `AndroidAttestationData` into an `Any` proto instead of using `PackFrom`. QUICHE uses lite protos and doesn't have reflection or descriptors. 2025-07-21 abhisinghx Modify Masque Client to create a CONNECT-UDP-Bind client 2025-07-18 martinduke Terminate MoQT subscription with TooFarBehind if largest group is abandoned and DELIVERY_TIMEOUT is infinite. 2025-07-18 martinduke Update version number to MoQT draft-12. 2025-07-18 martinduke Update MoQT AuthorizationTag parameter to draft-12. 2025-07-17 martinduke Remove `kGroupDoesNotExist` Moqt status. 2025-07-16 rch Remove unused method QuicSpdySession::CreateOutgoingUnidirectionalStream and QuicSpdySession::ShouldCreateOutgoingUnidirectionalStream. 2025-07-16 vasilvv Use C++20 default operators in MoQT code. ``` Commit Message: Weekly merge. Additional Description: N/A Risk Level: Low Testing: Presubmits Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Vanessa Reimer --- bazel/repository_locations.bzl | 6 +++--- source/common/quic/envoy_quic_server_session.cc | 5 ----- source/common/quic/envoy_quic_server_session.h | 1 - 3 files changed, 3 insertions(+), 9 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 9a159cc5aa1e6..da66225a4bb18 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1276,12 +1276,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "377a484ce2b0d00bd1dd5a6cc0fa7a7032603bba", - sha256 = "7c7cb027e611e5e5cb14e18da0f6d643674646425bebaab7a8915afc9cd62009", + version = "a157f7072c266d79938bc3c5d24631749e98db68", + sha256 = "88414c5d8ab2e6e20aaf2c7f7054033f494f9681f2894547e34aadb6a39d8404", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-07-15", + release_date = "2025-07-22", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", diff --git a/source/common/quic/envoy_quic_server_session.cc b/source/common/quic/envoy_quic_server_session.cc index f3faca03eaf36..b56d38743f759 100644 --- a/source/common/quic/envoy_quic_server_session.cc +++ b/source/common/quic/envoy_quic_server_session.cc @@ -115,11 +115,6 @@ quic::QuicSpdyStream* EnvoyQuicServerSession::CreateOutgoingBidirectionalStream( return nullptr; } -quic::QuicSpdyStream* EnvoyQuicServerSession::CreateOutgoingUnidirectionalStream() { - IS_ENVOY_BUG("Unexpected function call"); - return nullptr; -} - void EnvoyQuicServerSession::setUpRequestDecoder(EnvoyQuicServerStream& stream) { ASSERT(http_connection_callbacks_ != nullptr); Http::RequestDecoder& decoder = http_connection_callbacks_->newStream(stream); diff --git a/source/common/quic/envoy_quic_server_session.h b/source/common/quic/envoy_quic_server_session.h index 27e9bf9cfd626..f0dbf5bba63ff 100644 --- a/source/common/quic/envoy_quic_server_session.h +++ b/source/common/quic/envoy_quic_server_session.h @@ -118,7 +118,6 @@ class EnvoyQuicServerSession : public quic::QuicServerSessionBase, quic::QuicSpdyStream* CreateIncomingStream(quic::QuicStreamId id) override; quic::QuicSpdyStream* CreateIncomingStream(quic::PendingStream* pending) override; quic::QuicSpdyStream* CreateOutgoingBidirectionalStream() override; - quic::QuicSpdyStream* CreateOutgoingUnidirectionalStream() override; quic::HttpDatagramSupport LocalHttpDatagramSupport() override { return http_datagram_support_; } From 3333b8c55d629270f6eea5b39fb90e26b85c45b0 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 23 Jul 2025 23:50:14 -0700 Subject: [PATCH 058/505] router: deprecate flag shadow_policy_inherit_trace_sampling and remove legacy code paths (#40394) ## Description This PR removes the deprecated reloadable flag `shadow_policy_inherit_trace_sampling` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/40381 --- **Commit Message:** router: deprecate flag shadow_policy_inherit_trace_sampling and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `shadow_policy_inherit_trace_sampling` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 4 +++- source/common/router/config_impl.cc | 11 ++------- source/common/runtime/runtime_features.cc | 1 - test/common/router/config_impl_test.cc | 29 ----------------------- 4 files changed, 5 insertions(+), 40 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index b189f82472727..d9a93c26c7b68 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -10,7 +10,9 @@ bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* removed_config_or_runtime: -# *Normally occurs at the end of the* :ref:`deprecation period ` +- area: router + change: | + Removed runtime guard ``envoy.reloadable_features.shadow_policy_inherit_trace_sampling`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 5ac7fe53a144c..d9e3fd2ae124e 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -449,15 +449,8 @@ ShadowPolicyImpl::ShadowPolicyImpl(const RequestMirrorPolicy& config, absl::Stat // If trace sampling is not explicitly configured in shadow_policy, we pass null optional to // inherit the parent's sampling decision. This prevents oversampling when runtime sampling is // disabled. - if (config.has_trace_sampled()) { - trace_sampled_ = config.trace_sampled().value(); - } else { - // If the shadow policy does not specify trace_sampled, we will inherit the parent's sampling - // decision. - const bool user_parent_sampling_decision = Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.shadow_policy_inherit_trace_sampling"); - trace_sampled_ = user_parent_sampling_decision ? absl::nullopt : absl::make_optional(true); - } + trace_sampled_ = config.has_trace_sampled() ? absl::optional(config.trace_sampled().value()) + : absl::nullopt; } DecoratorImpl::DecoratorImpl(const envoy::config::route::v3::Decorator& decorator) diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index c1af2c754ac8d..1203f8a09ac98 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -87,7 +87,6 @@ RUNTIME_GUARD(envoy_reloadable_features_reject_empty_trusted_ca_file); RUNTIME_GUARD(envoy_reloadable_features_report_load_with_rq_issued); RUNTIME_GUARD(envoy_reloadable_features_report_stream_reset_error_code); RUNTIME_GUARD(envoy_reloadable_features_router_filter_resetall_on_local_reply); -RUNTIME_GUARD(envoy_reloadable_features_shadow_policy_inherit_trace_sampling); RUNTIME_GUARD(envoy_reloadable_features_skip_dns_lookup_for_proxied_requests); RUNTIME_GUARD(envoy_reloadable_features_skip_ext_proc_on_local_reply); RUNTIME_GUARD(envoy_reloadable_features_streaming_shadow); diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index dba82528815cc..79bc1825d7469 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -11665,37 +11665,8 @@ TEST_F(RouteMatcherTest, RequestMirrorPoliciesWithTraceSampled) { factory_context_.cluster_manager_.initializeClusters( {"www2", "some_cluster", "some_cluster2", "some_cluster3"}, {}); - // Test with runtime flag disabled (old behavior) - { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.shadow_policy_inherit_trace_sampling", "false"}}); - - TestConfigImpl config(parseRouteConfigurationFromYaml(yaml), factory_context_, true, - creation_status_); - - Http::TestRequestHeaderMapImpl headers = genHeaders("www.databricks.com", "/foo", "GET"); - const auto& shadow_policies = config.route(headers, 0)->routeEntry()->shadowPolicies(); - - // First policy should have trace sampled = false - EXPECT_TRUE(shadow_policies[0]->traceSampled().has_value()); - EXPECT_FALSE(shadow_policies[0]->traceSampled().value()); - - // Second policy should have trace sampled = true - EXPECT_TRUE(shadow_policies[1]->traceSampled().has_value()); - EXPECT_TRUE(shadow_policies[1]->traceSampled().value()); - - // With flag disabled, unspecified should default to true - EXPECT_TRUE(shadow_policies[2]->traceSampled().has_value()); - EXPECT_TRUE(shadow_policies[2]->traceSampled().value()); - } - // Test with runtime flag enabled (new behavior) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.shadow_policy_inherit_trace_sampling", "true"}}); - TestConfigImpl config(parseRouteConfigurationFromYaml(yaml), factory_context_, true, creation_status_); From 6aa642c5ba73ef9237db61761102696319dc0827 Mon Sep 17 00:00:00 2001 From: ohadvano <49730675+ohadvano@users.noreply.github.com> Date: Thu, 24 Jul 2025 10:28:31 +0300 Subject: [PATCH 059/505] filter_chain_manager: prepare draining filter chains in advance (#40121) Additional Description: splitting some logic from #39990 for safe changes purposes. This change calculates the diff between filter chains of the new listener with previous one during the ``addFilterChains`` process. Risk Level: medium Testing: unit test Docs Changes: none Release Notes: none Platform Specific Features: none --------- Signed-off-by: ohadvano <49730675+ohadvano@users.noreply.github.com> --- .../filter_chain_manager_impl.cc | 9 +++++ .../filter_chain_manager_impl.h | 7 ++++ .../common/listener_manager/listener_impl.cc | 10 ++--- .../filter_chain_manager_impl_test.cc | 37 +++++++++++++++++++ 4 files changed, 56 insertions(+), 7 deletions(-) diff --git a/source/common/listener_manager/filter_chain_manager_impl.cc b/source/common/listener_manager/filter_chain_manager_impl.cc index 7261bea02234a..d8c01b920ab5e 100644 --- a/source/common/listener_manager/filter_chain_manager_impl.cc +++ b/source/common/listener_manager/filter_chain_manager_impl.cc @@ -150,6 +150,15 @@ absl::Status FilterChainManagerImpl::addFilterChains( filter_chain_factory_builder, context_creator)); maybeConstructMatcher(filter_chain_matcher, filter_chains_by_name, parent_context_); + const auto* origin = getOriginFilterChainManager(); + if (origin != nullptr) { + for (const auto& message_and_filter_chain : origin->fc_contexts_) { + if (fc_contexts_.find(message_and_filter_chain.first) == fc_contexts_.end()) { + origin->draining_filter_chains_.push_back(message_and_filter_chain.second); + } + } + } + ENVOY_LOG(debug, "new fc_contexts has {} filter chains, including {} newly built", fc_contexts_.size(), new_filter_chain_size); return absl::OkStatus(); diff --git a/source/common/listener_manager/filter_chain_manager_impl.h b/source/common/listener_manager/filter_chain_manager_impl.h index 2161513de10a3..012047d6315f0 100644 --- a/source/common/listener_manager/filter_chain_manager_impl.h +++ b/source/common/listener_manager/filter_chain_manager_impl.h @@ -165,6 +165,10 @@ class FilterChainManagerImpl : public Network::FilterChainManager, static bool isWildcardServerName(const std::string& name); + const std::vector& drainingFilterChains() const { + return draining_filter_chains_; + } + // Return the current view of filter chains, keyed by filter chain message. Used by the owning // listener to calculate the intersection of filter chains with another listener. const FcContextMap& filterChainsByMessage() const { return fc_contexts_; } @@ -350,6 +354,9 @@ class FilterChainManagerImpl : public Network::FilterChainManager, // Index filter chains by name, used by the matcher actions. FilterChainsByName filter_chains_by_name_; + + // Used to hint listener which filter chains it should drain. + mutable std::vector draining_filter_chains_; }; namespace FilterChain { diff --git a/source/common/listener_manager/listener_impl.cc b/source/common/listener_manager/listener_impl.cc index f3bec6b49beeb..2dc08259640c1 100644 --- a/source/common/listener_manager/listener_impl.cc +++ b/source/common/listener_manager/listener_impl.cc @@ -1072,14 +1072,10 @@ ListenerImpl::newListenerWithFilterChain(const envoy::config::listener::v3::List void ListenerImpl::diffFilterChain(const ListenerImpl& another_listener, std::function callback) { - for (const auto& message_and_filter_chain : filter_chain_manager_->filterChainsByMessage()) { - if (another_listener.filter_chain_manager_->filterChainsByMessage().find( - message_and_filter_chain.first) == - another_listener.filter_chain_manager_->filterChainsByMessage().end()) { - // The filter chain exists in `this` listener but not in the listener passed in. - callback(*message_and_filter_chain.second); - } + for (const auto& draining_filter_chain : filter_chain_manager_->drainingFilterChains()) { + callback(*draining_filter_chain); } + // Filter chain manager maintains an optional default filter chain besides the filter chains // indexed by message. if (auto eq = MessageUtil(); diff --git a/test/common/listener_manager/filter_chain_manager_impl_test.cc b/test/common/listener_manager/filter_chain_manager_impl_test.cc index b0b8d0cf41f69..ef90051de934a 100644 --- a/test/common/listener_manager/filter_chain_manager_impl_test.cc +++ b/test/common/listener_manager/filter_chain_manager_impl_test.cc @@ -264,6 +264,43 @@ TEST_P(FilterChainManagerImplTest, DuplicateContextsAreNotBuilt) { .ok()); } +TEST_P(FilterChainManagerImplTest, UpdateFilterChainsBetweenVersions) { + std::vector filter_chain_messages; + + for (int i = 0; i < 2; i++) { + envoy::config::listener::v3::FilterChain new_filter_chain = filter_chain_template_; + new_filter_chain.set_name(absl::StrCat("filter_chain_", i)); + new_filter_chain.mutable_filter_chain_match()->mutable_destination_port()->set_value(10000 + i); + filter_chain_messages.push_back(std::move(new_filter_chain)); + } + + auto filter_chain = std::make_shared(); + EXPECT_CALL(filter_chain_factory_builder_, buildFilterChain(_, _, _)) + .WillOnce(Return(filter_chain)); + EXPECT_TRUE(filter_chain_manager_ + ->addFilterChains(GetParam() ? &matcher_ : nullptr, + std::vector{ + &filter_chain_messages[0]}, + nullptr, filter_chain_factory_builder_, *filter_chain_manager_) + .ok()); + + FilterChainManagerImpl new_filter_chain_manager{addresses_, parent_context_, init_manager_, + *filter_chain_manager_}; + EXPECT_CALL(filter_chain_factory_builder_, buildFilterChain(_, _, _)); + EXPECT_TRUE(new_filter_chain_manager + .addFilterChains(GetParam() ? &matcher_ : nullptr, + std::vector{ + &filter_chain_messages[1]}, + nullptr, filter_chain_factory_builder_, new_filter_chain_manager) + .ok()); + + // The new filter chain manager is based on the previous filter chain manager, but it has a new + // filter chain that is not in the previous filter chain manager, so we expect the previous + // filter chains to be drained. + EXPECT_EQ(filter_chain_manager_->drainingFilterChains().size(), 1); + EXPECT_EQ(filter_chain_manager_->drainingFilterChains()[0], filter_chain); +} + TEST_P(FilterChainManagerImplTest, CreatedFilterChainFactoryContextHasIndependentDrainClose) { std::vector filter_chain_messages; for (int i = 0; i < 3; i++) { From 5539171f98839b7aea8278c7329fa0c5dde473da Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 24 Jul 2025 02:20:29 -0700 Subject: [PATCH 060/505] ci: fix health check integration test compilation (#40406) ## Description This PR fixes the compilation issue for `health_check_integration_test` which is complaining about, ``` error: no member named 'TypeUrl' in namespace 'Envoy::Config'; did you mean 'TypeUtil'? ``` This happened due to a race condition when the PR with additional tests using `TypeUrl` and a PR to change `TypeUrl` => `TestTypeUrl` went in side by side and the cache was probably stale. --- **Commit Message:** ci: fix health check integration test compilation **Additional Description:** Fixes compilation for `health_check_integration_test` by switching `TypeUrl` to use new `TestTypeUrl`. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- test/integration/health_check_integration_test.cc | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/test/integration/health_check_integration_test.cc b/test/integration/health_check_integration_test.cc index 6234359dcbcfa..03b13d1aaf19b 100644 --- a/test/integration/health_check_integration_test.cc +++ b/test/integration/health_check_integration_test.cc @@ -978,9 +978,10 @@ TEST_P(HttpHealthCheckIntegrationTest, SingleEndpointHealthyHttpWithPayload) { health_check->mutable_unhealthy_threshold()->set_value(1); // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive health check request. ASSERT_TRUE(cluster_data.host_upstream_->waitForHttpConnection( @@ -1033,9 +1034,10 @@ TEST_P(HttpHealthCheckIntegrationTest, SingleEndpointHealthyHttpWithBinaryPayloa health_check->mutable_unhealthy_threshold()->set_value(1); // Introduce the cluster using compareDiscoveryRequest / sendDiscoveryResponse. - EXPECT_TRUE(compareDiscoveryRequest(Config::TypeUrl::get().Cluster, "", {}, {}, {}, true)); - sendDiscoveryResponse( - Config::TypeUrl::get().Cluster, {cluster_data.cluster_}, {cluster_data.cluster_}, {}, "55"); + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {cluster_data.cluster_}, + {cluster_data.cluster_}, {}, "55"); // Wait for upstream to receive health check request. ASSERT_TRUE(cluster_data.host_upstream_->waitForHttpConnection( From 534e71da126b6f83d65a88aa366dad260c46a036 Mon Sep 17 00:00:00 2001 From: phlax Date: Thu, 24 Jul 2025 10:39:53 +0100 Subject: [PATCH 061/505] release: Update expected/actual release date (#40241) Signed-off-by: Ryan Northey --- RELEASES.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/RELEASES.md b/RELEASES.md index f5e1b90fe0bce..cab2bbe82ee5f 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -100,7 +100,8 @@ deadline of 3 weeks. | 1.32.0 | 2024/10/15 | 2024/10/15 | 0 days | 2025/10/15 | | 1.33.0 | 2025/01/14 | 2025/01/14 | 0 days | 2026/01/14 | | 1.34.0 | 2025/04/15 | 2025/04/15 | 0 days | 2026/04/15 | -| 1.35.0 | 2025/07/15 | | | | +| 1.35.0 | 2025/07/15 | 2025/07/23 | 8 days | 2025/07/23 | +| 1.36.0 | 2025/10/14 | | | | ### Cutting a major release From 0ea0022296e3f31aedc66c556b6112803e4b1b60 Mon Sep 17 00:00:00 2001 From: Anirban Nandi Date: Thu, 24 Jul 2025 15:25:45 +0530 Subject: [PATCH 062/505] http ratelimit: Add rate_limits to filter config (#40118) --- .../http/ratelimit/v3/rate_limit.proto | 28 ++++- changelogs/current.yaml | 9 ++ .../filters/http/ratelimit/config.cc | 2 +- .../filters/http/ratelimit/ratelimit.cc | 6 + .../filters/http/ratelimit/ratelimit.h | 19 ++- .../filters/http/ratelimit/ratelimit_test.cc | 111 +++++++++++++++++- 6 files changed, 168 insertions(+), 7 deletions(-) diff --git a/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto b/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto index e59217b9f6ce4..495bc84f838a1 100644 --- a/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto +++ b/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto @@ -23,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Rate limit :ref:`configuration overview `. // [#extension: envoy.filters.http.ratelimit] -// [#next-free-field: 17] +// [#next-free-field: 18] message RateLimit { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.rate_limit.v2.RateLimit"; @@ -167,6 +167,27 @@ message RateLimit { // This means that when the rate limit service is unavailable, 50% of requests will be denied // (fail closed) and 50% will be allowed (fail open). config.core.v3.RuntimeFractionalPercent failure_mode_deny_percent = 16; + + // Rate limit configuration that is used to generate a list of descriptor entries based on + // the request context. The generated entries will be sent to the rate limit service. + // If this is set, then + // :ref:`VirtualHost.rate_limits` or + // :ref:`RouteAction.rate_limits` fields + // will be ignored. However, :ref:`RateLimitPerRoute.rate_limits` + // will take precedence over this field. + // + // .. note:: + // Not all configuration fields of + // :ref:`rate limit config ` is supported at here. + // Following fields are not supported: + // + // 1. :ref:`rate limit stage `. + // 2. :ref:`dynamic metadata `. + // 3. :ref:`disable_key `. + // 4. :ref:`override limit `. + // 5. :ref:`hits_addend `. + // 6. :ref:`apply_on_stream_done `. + repeated config.route.v3.RateLimit rate_limits = 17; } message RateLimitPerRoute { @@ -210,8 +231,9 @@ message RateLimitPerRoute { // the request context. The generated entries will be used to find one or multiple matched rate // limit rule from the ``descriptors``. // If this is set, then - // :ref:`VirtualHost.rate_limits` or - // :ref:`RouteAction.rate_limits` fields + // :ref:`VirtualHost.rate_limits`, + // :ref:`RouteAction.rate_limits` and + // :ref:`RateLimit.rate_limits` fields // will be ignored. // // .. note:: diff --git a/changelogs/current.yaml b/changelogs/current.yaml index d9a93c26c7b68..1dca98679460a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -30,5 +30,14 @@ new_features: This allows Lua scripts to retrieve string, boolean, and numeric values stored by various filters for use in routing decisions, header modifications, and other processing logic. See :ref:`Filter State API ` for more details. +- area: ratelimit + change: | + Add the :ref:`rate_limits + ` + field to generate rate limit descriptors. If this field is set, the + :ref:`VirtualHost.rate_limits` or + :ref:`RouteAction.rate_limits` fields will be ignored. However, + :ref:`RateLimitPerRoute.rate_limits` + will take precedence over this field. deprecated: diff --git a/source/extensions/filters/http/ratelimit/config.cc b/source/extensions/filters/http/ratelimit/config.cc index 0f07f356ee907..d69d2d6d44bfd 100644 --- a/source/extensions/filters/http/ratelimit/config.cc +++ b/source/extensions/filters/http/ratelimit/config.cc @@ -26,7 +26,7 @@ absl::StatusOr RateLimitFilterConfig::createFilterFactory absl::Status status = absl::OkStatus(); FilterConfigSharedPtr filter_config(new FilterConfig(proto_config, server_context.localInfo(), context.scope(), server_context.runtime(), - server_context.httpContext(), status)); + server_context, status)); RETURN_IF_NOT_OK_REF(status); const std::chrono::milliseconds timeout = std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(proto_config, timeout, 20)); diff --git a/source/extensions/filters/http/ratelimit/ratelimit.cc b/source/extensions/filters/http/ratelimit/ratelimit.cc index 96e2f0b6f3369..45aa5b31b164f 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.cc +++ b/source/extensions/filters/http/ratelimit/ratelimit.cc @@ -96,6 +96,12 @@ void Filter::populateRateLimitDescriptors(std::vectorhasRateLimitConfigs()) { + config_.get()->populateDescriptors(headers, callbacks_->streamInfo(), descriptors); + return; + } + // Get all applicable rate limit policy entries for the route. populateRateLimitDescriptorsForPolicy(route_entry->rateLimitPolicy(), descriptors, headers, on_stream_done); diff --git a/source/extensions/filters/http/ratelimit/ratelimit.h b/source/extensions/filters/http/ratelimit/ratelimit.h index 688cc85a0338c..ec35b7aa83da6 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.h +++ b/source/extensions/filters/http/ratelimit/ratelimit.h @@ -44,7 +44,8 @@ class FilterConfig { public: FilterConfig(const envoy::extensions::filters::http::ratelimit::v3::RateLimit& config, const LocalInfo::LocalInfo& local_info, Stats::Scope& scope, - Runtime::Loader& runtime, Http::Context& http_context, absl::Status& creation_status) + Runtime::Loader& runtime, Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status) : domain_(config.domain()), stage_(static_cast(config.stage())), request_type_(config.request_type().empty() ? stringToType("both") : stringToType(config.request_type())), @@ -58,7 +59,8 @@ class FilterConfig { config.rate_limited_as_resource_exhausted() ? absl::make_optional(Grpc::Status::WellKnownGrpcStatus::ResourceExhausted) : absl::nullopt), - http_context_(http_context), stat_names_(scope.symbolTable(), config.stat_prefix()), + http_context_(context.httpContext()), + stat_names_(scope.symbolTable(), config.stat_prefix()), rate_limited_status_(toErrorCode(config.rate_limited_status().code())), status_on_error_(toRatelimitServerErrorCode(config.status_on_error().code())), filter_enabled_( @@ -80,6 +82,8 @@ class FilterConfig { Envoy::Router::HeaderParser::configure(config.response_headers_to_add()); SET_AND_RETURN_IF_NOT_OK(response_headers_parser_or_.status(), creation_status); response_headers_parser_ = std::move(response_headers_parser_or_.value()); + rate_limit_config_ = std::make_unique( + config.rate_limits(), context, creation_status); } const std::string& domain() const { return domain_; } @@ -106,6 +110,16 @@ class FilterConfig { Http::Code statusOnError() const { return status_on_error_; } bool enabled() const; bool enforced() const; + bool hasRateLimitConfigs() const { + ASSERT(rate_limit_config_ != nullptr); + return !rate_limit_config_->empty(); + } + void populateDescriptors(const Http::RequestHeaderMap& headers, + const StreamInfo::StreamInfo& info, + Filters::Common::RateLimit::RateLimitDescriptors& descriptors) const { + ASSERT(rate_limit_config_ != nullptr); + rate_limit_config_->populateDescriptors(headers, info, local_info_.clusterName(), descriptors); + } private: static FilterRequestType stringToType(const std::string& request_type) { @@ -153,6 +167,7 @@ class FilterConfig { const absl::optional filter_enabled_; const absl::optional filter_enforced_; const absl::optional failure_mode_deny_percent_; + std::unique_ptr rate_limit_config_; }; using FilterConfigSharedPtr = std::shared_ptr; diff --git a/test/extensions/filters/http/ratelimit/ratelimit_test.cc b/test/extensions/filters/http/ratelimit/ratelimit_test.cc index 53bdc75f661e4..ba8c4c46a9e15 100644 --- a/test/extensions/filters/http/ratelimit/ratelimit_test.cc +++ b/test/extensions/filters/http/ratelimit/ratelimit_test.cc @@ -62,7 +62,7 @@ class HttpRateLimitFilterTest : public testing::Test { auto status = absl::OkStatus(); config_ = std::make_shared( proto_config, factory_context_.local_info_, *factory_context_.store_.rootScope(), - factory_context_.runtime_loader_, factory_context_.http_context_, status); + factory_context_.runtime_loader_, factory_context_, status); EXPECT_TRUE(status.ok()); client_ = new Filters::Common::RateLimit::MockClient(); @@ -177,6 +177,15 @@ class HttpRateLimitFilterTest : public testing::Test { denominator: HUNDRED )EOF"; + const std::string inlined_rate_limit_actions_config_ = R"EOF( + domain: "bar" + rate_limits: + - actions: + - request_headers: + header_name: "x-header-name" + descriptor_key: "header-name" + )EOF"; + Filters::Common::RateLimit::MockClient* client_; NiceMock filter_callbacks_; Stats::StatNamePool pool_{filter_callbacks_.clusterInfo()->statsScope().symbolTable()}; @@ -2110,6 +2119,106 @@ TEST_F(HttpRateLimitFilterTest, FailureModeHundredPercentFailsClose) { .value()); } +TEST_F(HttpRateLimitFilterTest, InlinedRateLimitAction) { + setUpTest(inlined_rate_limit_actions_config_); + request_headers_.addCopy("x-header-name", "header-value"); + + EXPECT_CALL(*client_, limit(_, _, _, _, _, 0)) + .WillOnce(Invoke( + [this](Filters::Common::RateLimit::RequestCallbacks& callbacks, const std::string& domain, + const std::vector& descriptors, Tracing::Span&, + OptRef, uint32_t) -> void { + request_callbacks_ = &callbacks; + EXPECT_EQ("bar", domain); + EXPECT_EQ(1, descriptors.size()); + EXPECT_EQ("header-name", descriptors[0].entries_[0].key_); + EXPECT_EQ("header-value", descriptors[0].entries_[0].value_); + })); + + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); + + EXPECT_CALL(filter_callbacks_.stream_info_, + setResponseFlag(StreamInfo::CoreResponseFlag::RateLimited)); + + Http::TestResponseHeaderMapImpl response_headers{ + {":status", "429"}, + {"x-envoy-ratelimited", Http::Headers::get().EnvoyRateLimitedValues.True}}; + EXPECT_CALL(filter_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true)); + EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); + + request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OverLimit, nullptr, + std::make_unique(), nullptr, "", + nullptr); + + EXPECT_EQ(1U, filter_callbacks_.clusterInfo() + ->statsScope() + .counterFromStatName(ratelimit_over_limit_) + .value()); + + EXPECT_EQ( + 1U, + filter_callbacks_.clusterInfo()->statsScope().counterFromStatName(upstream_rq_4xx_).value()); + EXPECT_EQ( + 1U, + filter_callbacks_.clusterInfo()->statsScope().counterFromStatName(upstream_rq_429_).value()); + EXPECT_EQ("request_rate_limited", filter_callbacks_.details()); +} + +TEST_F(HttpRateLimitFilterTest, PerRouteOverridesInlinedRateLimit) { + const std::string route_config_yaml = R"EOF( + domain: "foo" + rate_limits: + - actions: + - request_headers: + header_name: "x-header-name-route" + descriptor_key: "header-name-route" + )EOF"; + setUpTest(inlined_rate_limit_actions_config_, route_config_yaml); + request_headers_.addCopy("x-header-name-route", "header-value"); + + EXPECT_CALL(*client_, limit(_, _, _, _, _, 0)) + .WillOnce(Invoke( + [this](Filters::Common::RateLimit::RequestCallbacks& callbacks, const std::string& domain, + const std::vector& descriptors, Tracing::Span&, + OptRef, uint32_t) -> void { + request_callbacks_ = &callbacks; + EXPECT_EQ("foo", domain); + EXPECT_EQ(1, descriptors.size()); + EXPECT_EQ("header-name-route", descriptors[0].entries_[0].key_); + EXPECT_EQ("header-value", descriptors[0].entries_[0].value_); + })); + + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); + + EXPECT_CALL(filter_callbacks_.stream_info_, + setResponseFlag(StreamInfo::CoreResponseFlag::RateLimited)); + + Http::TestResponseHeaderMapImpl response_headers{ + {":status", "429"}, + {"x-envoy-ratelimited", Http::Headers::get().EnvoyRateLimitedValues.True}}; + EXPECT_CALL(filter_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true)); + EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); + + request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OverLimit, nullptr, + std::make_unique(), nullptr, "", + nullptr); + + EXPECT_EQ(1U, filter_callbacks_.clusterInfo() + ->statsScope() + .counterFromStatName(ratelimit_over_limit_) + .value()); + + EXPECT_EQ( + 1U, + filter_callbacks_.clusterInfo()->statsScope().counterFromStatName(upstream_rq_4xx_).value()); + EXPECT_EQ( + 1U, + filter_callbacks_.clusterInfo()->statsScope().counterFromStatName(upstream_rq_429_).value()); + EXPECT_EQ("request_rate_limited", filter_callbacks_.details()); +} + } // namespace } // namespace RateLimitFilter } // namespace HttpFilters From 4c44af6f07eae1fed5f0e677641c92b8a2a4ff9d Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 24 Jul 2025 03:08:51 -0700 Subject: [PATCH 063/505] dfp: deprecate flag avoid_dfp_cluster_removal_on_cds_update and remove legacy code paths (#40396) ## Description This PR removes the deprecated reloadable flag `avoid_dfp_cluster_removal_on_cds_update` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/40370 --- **Commit Message:** dfp: deprecate flag avoid_dfp_cluster_removal_on_cds_update and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `avoid_dfp_cluster_removal_on_cds_update` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 + source/common/runtime/runtime_features.cc | 1 - .../clusters/dynamic_forward_proxy/cluster.cc | 8 +-- .../dynamic_forward_proxy/proxy_filter.cc | 7 +- .../proxy_filter_integration_test.cc | 64 ------------------- 5 files changed, 6 insertions(+), 77 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 1dca98679460a..e807e80d7e32d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -13,6 +13,9 @@ removed_config_or_runtime: - area: router change: | Removed runtime guard ``envoy.reloadable_features.shadow_policy_inherit_trace_sampling`` and legacy code paths. +- area: dynamic_forward_proxy + change: | + Removed runtime guard ``envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 1203f8a09ac98..73368fbcff06f 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -33,7 +33,6 @@ // problem of the bugs being found after the old code path has been removed. RUNTIME_GUARD(envoy_reloadable_features_allow_alt_svc_for_ips); RUNTIME_GUARD(envoy_reloadable_features_async_host_selection); -RUNTIME_GUARD(envoy_reloadable_features_avoid_dfp_cluster_removal_on_cds_update); RUNTIME_GUARD(envoy_reloadable_features_dfp_cluster_resolves_hosts); RUNTIME_GUARD(envoy_reloadable_features_dfp_fail_on_empty_host_header); RUNTIME_GUARD(envoy_reloadable_features_disallow_quic_client_udp_mmsg); diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index 6764ce5ecf36e..67f05373f42ee 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc @@ -105,9 +105,7 @@ Cluster::~Cluster() { auto cluster_name = it->first; ENVOY_LOG(debug, "cluster='{}' removing from cluster_map & cluster manager", cluster_name); cluster_map_.erase(it++); - cm_.removeCluster(cluster_name, - Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update")); + cm_.removeCluster(cluster_name, true); } } @@ -148,9 +146,7 @@ void Cluster::checkIdleSubCluster() { auto cluster_name = it->first; ENVOY_LOG(debug, "cluster='{}' removing from cluster_map & cluster manager", cluster_name); cluster_map_.erase(it++); - cm_.removeCluster(cluster_name, - Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update")); + cm_.removeCluster(cluster_name, true); } else { ++it; } diff --git a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc index 8ea907b340680..b987ce1c64a13 100644 --- a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc +++ b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc @@ -122,12 +122,7 @@ LoadClusterEntryHandlePtr ProxyFilterConfig::addDynamicCluster( // update. As this cluster lifecycle is managed by DFP cluster, it should not be removed by // CDS. https://github.com/envoyproxy/envoy/issues/35171 absl::Status status = - cluster_manager_ - .addOrUpdateCluster( - cluster, version_info, - Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update")) - .status(); + cluster_manager_.addOrUpdateCluster(cluster, version_info, true).status(); ENVOY_BUG(status.ok(), absl::StrCat("Failed to update DFP cluster due to ", status.message())); }); diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc index f8d259e268936..d75453fa894a8 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -1515,68 +1515,6 @@ TEST_P(ProxyFilterIntegrationTest, SubClusterReloadCluster) { test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); } -// Verify that we expire sub clusters and not remove on CDS. -TEST_P(ProxyFilterWithSimtimeIntegrationTest, RemoveViaTTLAndDFPUpdateWithoutAvoidCDSRemoval) { - const std::string cluster_yaml = R"EOF( - name: fake_cluster - connect_timeout: 0.250s - type: STATIC - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: fake_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 11001 - )EOF"; - auto cluster = Upstream::parseClusterFromV3Yaml(cluster_yaml); - // make runtime guard false - config_helper_.addRuntimeOverride( - "envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update", "false"); - initializeWithArgs(1024, 1024, "", typed_dns_resolver_config_, true); - codec_client_ = makeHttpConnection(lookupPort("http")); - const Http::TestRequestHeaderMapImpl request_headers{ - {":method", "POST"}, - {":path", "/test/long/url"}, - {":scheme", "http"}, - {":authority", - fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; - - auto response = - sendRequestAndWaitForResponse(request_headers, 1024, default_response_headers_, 1024); - checkSimpleRequestSuccess(1024, 1024, response.get()); - // one more cluster - test_server_->waitForCounterEq("cluster_manager.cluster_added", 2); - test_server_->waitForCounterEq("cluster_manager.cluster_removed", 0); - cleanupUpstreamAndDownstream(); - - // Sub cluster expected to be removed after ttl - // > 5m - simTime().advanceTimeWait(std::chrono::milliseconds(300001)); - test_server_->waitForCounterEq("cluster_manager.cluster_added", 2); - test_server_->waitForCounterEq("cluster_manager.cluster_removed", 1); - - codec_client_ = makeHttpConnection(lookupPort("http")); - response = sendRequestAndWaitForResponse(request_headers, 1024, default_response_headers_, 1024); - checkSimpleRequestSuccess(1024, 1024, response.get()); - - // sub cluster added again - test_server_->waitForCounterEq("cluster_manager.cluster_added", 3); - test_server_->waitForCounterEq("cluster_manager.cluster_removed", 1); - cleanupUpstreamAndDownstream(); - - // Make update to DFP cluster - cluster_.mutable_circuit_breakers()->add_thresholds()->mutable_max_connections()->set_value(100); - cds_helper_.setCds({cluster_}); - - // sub cluster removed due to dfp cluster update - test_server_->waitForCounterEq("cluster_manager.cluster_added", 3); - test_server_->waitForCounterEq("cluster_manager.cluster_removed", 2); -} - // Verify that we expire sub clusters. TEST_P(ProxyFilterWithSimtimeIntegrationTest, RemoveSubClusterViaTTL) { initializeWithArgs(1024, 1024, "", typed_dns_resolver_config_, true); @@ -1655,8 +1593,6 @@ TEST_P(ProxyFilterIntegrationTest, SubClusterWithIpHost) { // Verify that no DFP clusters are removed when CDS Reload is triggered. TEST_P(ProxyFilterIntegrationTest, CDSReloadNotRemoveDFPCluster) { - config_helper_.addRuntimeOverride( - "envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update", "true"); const std::string cluster_yaml = R"EOF( name: fake_cluster connect_timeout: 0.250s From 9e2ca7cf0dbcdd68ac0d7a1db215bbf944f5453f Mon Sep 17 00:00:00 2001 From: code Date: Thu, 24 Jul 2025 20:41:46 +0800 Subject: [PATCH 064/505] Re-apply "matcher: refactor the matcher to avoid unnecessary wrapper and heap allocation (#40249)" (#40404) This reverts commit 0d341b982a24f3ddb9f4fd3a9bdd8880561103be. --- envoy/matcher/matcher.h | 43 +++--- .../filter_chain_manager_impl.cc | 15 +- source/common/matcher/matcher.h | 8 +- source/common/router/config_impl.cc | 27 ++-- source/common/router/config_impl.h | 13 +- .../filters/common/rbac/engine_impl.cc | 13 +- .../filters/common/rbac/engine_impl.h | 6 +- .../filters/http/composite/action.cc | 74 +++++---- .../filters/http/composite/action.h | 64 ++++---- .../filters/http/composite/filter.cc | 5 +- .../filters/http/composite/filter.h | 5 +- .../filters/http/custom_response/config.cc | 2 +- .../filters/http/custom_response/policy.h | 19 +-- .../filters/http/match_delegate/config.cc | 12 +- .../http/proto_api_scrubber/filter_config.h | 8 +- .../filters/http/rate_limit_quota/filter.cc | 9 +- .../filters/http/rate_limit_quota/filter.h | 3 +- .../filters/http/rate_limit_quota/matcher.h | 10 +- .../network/generic_proxy/route_impl.cc | 20 +-- .../network/generic_proxy/route_impl.h | 19 +-- .../filters/network/match_delegate/config.cc | 13 +- .../udp/udp_proxy/router/router_impl.cc | 9 +- .../udp/udp_proxy/router/router_impl.h | 6 +- .../matching/actions/format_string/config.cc | 10 +- .../matching/actions/format_string/config.h | 9 +- .../matcher/matcher_cluster_specifier.cc | 14 +- .../matcher/matcher_cluster_specifier.h | 12 +- test/common/matcher/exact_map_matcher_test.cc | 12 +- test/common/matcher/list_matcher_test.cc | 28 ++-- test/common/matcher/matcher_test.cc | 18 +-- test/common/matcher/test_utility.h | 53 +++---- .../common/matcher/domain_matcher_test.cc | 5 +- .../common/matcher/trie_matcher_test.cc | 10 +- .../filters/http/composite/filter_test.cc | 142 ++++++++++++------ .../http/match_delegate/config_test.cc | 12 +- .../http/rate_limit_quota/filter_test.cc | 4 +- .../network/generic_proxy/route_test.cc | 20 +-- .../network/match_delegate/config_test.cc | 4 +- .../actions/format_string/config_test.cc | 6 +- test/mocks/http/mocks.h | 4 +- 40 files changed, 377 insertions(+), 389 deletions(-) diff --git a/envoy/matcher/matcher.h b/envoy/matcher/matcher.h index 223ed538e5952..531f99cf15bc4 100644 --- a/envoy/matcher/matcher.h +++ b/envoy/matcher/matcher.h @@ -91,22 +91,20 @@ class Action { } }; -using ActionPtr = std::unique_ptr; -using ActionFactoryCb = std::function; +using ActionConstSharedPtr = std::shared_ptr; template class ActionFactory : public Config::TypedFactory { public: - virtual ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, - ActionFactoryContext& action_factory_context, - ProtobufMessage::ValidationVisitor& validation_visitor) PURE; + virtual ActionConstSharedPtr + createAction(const Protobuf::Message& config, ActionFactoryContext& action_factory_context, + ProtobufMessage::ValidationVisitor& validation_visitor) PURE; std::string category() const override { return "envoy.matching.action"; } }; // On match, we either return the action to perform or another match tree to match against. template struct OnMatch { - const ActionFactoryCb action_cb_; + const ActionConstSharedPtr action_; const MatchTreeSharedPtr matcher_; bool keep_matching_{}; }; @@ -130,30 +128,39 @@ template class OnMatchFactory { // - The match could not be completed due to lack of data (isInsufficientData() will return true.) // - The match was completed, no match found (isNoMatch() will return true.) // - The match was completed, match found (isMatch() will return true, action() will return the -// ActionFactoryCb.) +// ActionConstSharedPtr.) struct MatchResult { public: - MatchResult(ActionFactoryCb cb) : result_(std::move(cb)) {} + MatchResult(ActionConstSharedPtr cb) : result_(std::move(cb)) {} static MatchResult noMatch() { return MatchResult(NoMatch{}); } static MatchResult insufficientData() { return MatchResult(InsufficientData{}); } bool isInsufficientData() const { return absl::holds_alternative(result_); } bool isComplete() const { return !isInsufficientData(); } bool isNoMatch() const { return absl::holds_alternative(result_); } - bool isMatch() const { return absl::holds_alternative(result_); } - ActionFactoryCb actionFactory() const { return absl::get(result_); } - ActionPtr action() const { return actionFactory()(); } + bool isMatch() const { return absl::holds_alternative(result_); } + const ActionConstSharedPtr& action() const { + ASSERT(isMatch()); + return absl::get(result_); + } + // Returns the action by move. The caller must ensure that the MatchResult is not used after + // this call. + ActionConstSharedPtr actionByMove() { + ASSERT(isMatch()); + return absl::get(std::move(result_)); + } private: struct InsufficientData {}; struct NoMatch {}; - using Result = absl::variant; + using Result = absl::variant; Result result_; MatchResult(NoMatch) : result_(NoMatch{}) {} MatchResult(InsufficientData) : result_(InsufficientData{}) {} }; // Callback to execute against skipped matches' actions. -using SkippedMatchCb = std::function; +using SkippedMatchCb = std::function; + /** * MatchTree provides the interface for performing matches against the data provided by DataType. */ @@ -187,19 +194,19 @@ template class MatchTree { // Parent result's keep_matching skips the nested result. if (on_match->keep_matching_ && nested_result.isMatch()) { if (skipped_match_cb) { - skipped_match_cb(nested_result.actionFactory()); + skipped_match_cb(nested_result.action()); } return MatchResult::noMatch(); } return nested_result; } - if (on_match->action_cb_ && on_match->keep_matching_) { + if (on_match->action_ && on_match->keep_matching_) { if (skipped_match_cb) { - skipped_match_cb(on_match->action_cb_); + skipped_match_cb(on_match->action_); } return MatchResult::noMatch(); } - return MatchResult{on_match->action_cb_}; + return MatchResult{on_match->action_}; } }; diff --git a/source/common/listener_manager/filter_chain_manager_impl.cc b/source/common/listener_manager/filter_chain_manager_impl.cc index d8c01b920ab5e..d1aed994ab478 100644 --- a/source/common/listener_manager/filter_chain_manager_impl.cc +++ b/source/common/listener_manager/filter_chain_manager_impl.cc @@ -49,11 +49,11 @@ class FilterChainNameActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "filter-chain-name"; } - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, - FilterChainActionFactoryContext&, - ProtobufMessage::ValidationVisitor&) override { - const auto& name = dynamic_cast(config); - return [value = name.value()]() { return std::make_unique(value); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message& config, + FilterChainActionFactoryContext&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared( + dynamic_cast(config).value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -582,9 +582,8 @@ FilterChainManagerImpl::findFilterChainUsingMatcher(const Network::ConnectionSoc Matcher::evaluateMatch(*matcher_, data); ASSERT(match_result.isComplete(), "Matching must complete for network streams."); if (match_result.isMatch()) { - const Matcher::ActionPtr action = match_result.action(); - return action->getTyped().get(filter_chains_by_name_, - info); + return match_result.action()->getTyped().get( + filter_chains_by_name_, info); } return default_filter_chain_.get(); } diff --git a/source/common/matcher/matcher.h b/source/common/matcher/matcher.h index a7aef43c642de..5cc9b0059b42c 100644 --- a/source/common/matcher/matcher.h +++ b/source/common/matcher/matcher.h @@ -324,10 +324,10 @@ class MatchTreeFactory : public OnMatchFactory { on_match.action().typed_config(), server_factory_context_.messageValidationVisitor(), factory); - auto action_factory = factory.createActionFactoryCb( - *message, action_factory_context_, server_factory_context_.messageValidationVisitor()); - return [action_factory, keep_matching = on_match.keep_matching()] { - return OnMatch{action_factory, {}, keep_matching}; + auto action = factory.createAction(*message, action_factory_context_, + server_factory_context_.messageValidationVisitor()); + return [action, keep_matching = on_match.keep_matching()] { + return OnMatch{action, {}, keep_matching}; }; } diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index d9e3fd2ae124e..b09a5f678de76 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -1818,14 +1818,13 @@ RouteConstSharedPtr VirtualHostImpl::getRouteFromEntries(const RouteCallback& cb Matcher::evaluateMatch(*matcher_, data); if (match_result.isMatch()) { - const Matcher::ActionPtr result = match_result.action(); + const auto result = match_result.actionByMove(); if (result->typeUrl() == RouteMatchAction::staticTypeUrl()) { - const RouteMatchAction& route_action = result->getTyped(); - - return getRouteFromRoutes(cb, headers, stream_info, random_value, {route_action.route()}); + return getRouteFromRoutes( + cb, headers, stream_info, random_value, + {std::dynamic_pointer_cast(std::move(result))}); } else if (result->typeUrl() == RouteListMatchAction::staticTypeUrl()) { const RouteListMatchAction& action = result->getTyped(); - return getRouteFromRoutes(cb, headers, stream_info, random_value, action.routes()); } PANIC("Action in router matcher should be Route or RouteList"); @@ -2133,9 +2132,9 @@ const Envoy::Config::TypedMetadata& NullConfigImpl::typedMetadata() const { return DefaultRouteMetadataPack::get().typed_metadata_; } -Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate(config, validation_visitor); @@ -2143,14 +2142,14 @@ Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( RouteCreator::createAndValidateRoute(route_config, context.vhost, context.factory_context, validation_visitor, false), RouteEntryImplBaseConstSharedPtr); - - return [route]() { return std::make_unique(route); }; + return route; } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); -Matcher::ActionFactoryCb RouteListMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteListMatchActionFactory::createAction(const Protobuf::Message& config, + RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate( config, validation_visitor); @@ -2162,7 +2161,7 @@ Matcher::ActionFactoryCb RouteListMatchActionFactory::createActionFactoryCb( validation_visitor, false), RouteEntryImplBaseConstSharedPtr)); } - return [routes]() { return std::make_unique(routes); }; + return std::make_shared(std::move(routes)); } REGISTER_FACTORY(RouteListMatchActionFactory, Matcher::ActionFactory); diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index c4106e056b8bf..5571df3e437b6 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -619,6 +619,7 @@ class RouteEntryImplBase : public RouteEntryAndRoute, public Matchable, public DirectResponseEntry, public PathMatchCriterion, + public Matcher::ActionBase, public std::enable_shared_from_this, Logger::Loggable { protected: @@ -1191,9 +1192,9 @@ class RouteMatchAction : public Matcher::ActionBase { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -1217,9 +1218,9 @@ class RouteListMatchAction : public Matcher::ActionBase { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route_match_action"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc index e53f2265fc974..9abe4c961df3b 100644 --- a/source/extensions/filters/common/rbac/engine_impl.cc +++ b/source/extensions/filters/common/rbac/engine_impl.cc @@ -11,9 +11,9 @@ namespace Filters { namespace Common { namespace RBAC { -Envoy::Matcher::ActionFactoryCb -ActionFactory::createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Envoy::Matcher::ActionConstSharedPtr +ActionFactory::createAction(const Protobuf::Message& config, ActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& action_config = MessageUtil::downcastAndValidate(config, validation_visitor); @@ -25,7 +25,7 @@ ActionFactory::createActionFactoryCb(const Protobuf::Message& config, ActionCont context.has_log_ = true; } - return [name, action]() { return std::make_unique(name, action); }; + return std::make_shared(name, action); } REGISTER_FACTORY(ActionFactory, Envoy::Matcher::ActionFactory); @@ -138,18 +138,17 @@ bool RoleBasedAccessControlMatcherEngineImpl::handleAction( Envoy::Matcher::evaluateMatch(*matcher_, data); ASSERT(result.isComplete()); if (result.isMatch()) { - auto action = result.action()->getTyped(); + const auto& action = result.action()->getTyped(); if (effective_policy_id != nullptr) { *effective_policy_id = action.name(); } // If there is at least an LOG action in matchers, we have to turn on and off for shared log // metadata every time when there is a connection or request. - auto rbac_action = action.action(); + const auto rbac_action = action.action(); if (has_log_) { generateLog(info, mode_, rbac_action == envoy::config::rbac::v3::RBAC::LOG); } - switch (rbac_action) { PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; case envoy::config::rbac::v3::RBAC::ALLOW: diff --git a/source/extensions/filters/common/rbac/engine_impl.h b/source/extensions/filters/common/rbac/engine_impl.h index ad22de9ed5553..80a5781ed9e71 100644 --- a/source/extensions/filters/common/rbac/engine_impl.h +++ b/source/extensions/filters/common/rbac/engine_impl.h @@ -50,9 +50,9 @@ class Action : public Envoy::Matcher::ActionBase { public: - Envoy::Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Envoy::Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, ActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "envoy.filters.rbac.action"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/http/composite/action.cc b/source/extensions/filters/http/composite/action.cc index 9d70c9c10671f..da6941c88b90c 100644 --- a/source/extensions/filters/http/composite/action.cc +++ b/source/extensions/filters/http/composite/action.cc @@ -6,23 +6,30 @@ namespace HttpFilters { namespace Composite { void ExecuteFilterAction::createFilters(Http::FilterChainFactoryCallbacks& callbacks) const { - cb_(callbacks); -} + if (actionSkip()) { + return; + } -bool ExecuteFilterActionFactory::isSampled( - const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, - Envoy::Runtime::Loader& runtime) { - if (composite_action.has_sample_percent() && - !runtime.snapshot().featureEnabled(composite_action.sample_percent().runtime_key(), - composite_action.sample_percent().default_value())) { - return false; + if (auto config_value = config_provider_(); config_value.has_value()) { + (*config_value)(callbacks); + return; } - return true; + // There is no dynamic config available. Apply missing config filter. + Envoy::Http::MissingConfigFilterFactory(callbacks); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCb( - const Protobuf::Message& config, Http::Matching::HttpFilterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +const std::string& ExecuteFilterAction::actionName() const { return name_; } + +bool ExecuteFilterAction::actionSkip() const { + return sample_.has_value() + ? !runtime_.snapshot().featureEnabled(sample_->runtime_key(), sample_->default_value()) + : false; +} + +Matcher::ActionConstSharedPtr +ExecuteFilterActionFactory::createAction(const Protobuf::Message& config, + Http::Matching::HttpFilterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& composite_action = MessageUtil::downcastAndValidate< const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction&>( config, validation_visitor); @@ -34,20 +41,20 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCb( if (composite_action.has_dynamic_config()) { if (context.is_downstream_) { - return createDynamicActionFactoryCbDownstream(composite_action, context); + return createDynamicActionDownstream(composite_action, context); } else { - return createDynamicActionFactoryCbUpstream(composite_action, context); + return createDynamicActionUpstream(composite_action, context); } } if (context.is_downstream_) { - return createStaticActionFactoryCbDownstream(composite_action, context, validation_visitor); + return createStaticActionDownstream(composite_action, context, validation_visitor); } else { - return createStaticActionFactoryCbUpstream(composite_action, context, validation_visitor); + return createStaticActionUpstream(composite_action, context, validation_visitor); } } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryCbDownstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context) { if (!context.factory_context_.has_value() || !context.server_factory_context_.has_value()) { @@ -57,11 +64,11 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryC auto provider_manager = Envoy::Http::FilterChainUtility::createSingletonDownstreamFilterConfigProviderManager( context.server_factory_context_.value()); - return createDynamicActionFactoryCbTyped( + return createDynamicActionTyped( composite_action, context, "http", context.factory_context_.value(), provider_manager); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryCbUpstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createDynamicActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context) { if (!context.upstream_factory_context_.has_value() || @@ -72,12 +79,12 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createDynamicActionFactoryC auto provider_manager = Envoy::Http::FilterChainUtility::createSingletonUpstreamFilterConfigProviderManager( context.server_factory_context_.value()); - return createDynamicActionFactoryCbTyped( + return createDynamicActionTyped( composite_action, context, "router upstream http", context.upstream_factory_context_.value(), provider_manager); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCbCommon( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createActionCommon( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, Envoy::Http::FilterFactoryCb& callback, bool is_downstream) { @@ -90,16 +97,17 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createActionFactoryCbCommon std::string name = composite_action.typed_config().name(); ASSERT(context.server_factory_context_ != absl::nullopt); Envoy::Runtime::Loader& runtime = context.server_factory_context_->runtime(); - return [cb = std::move(callback), n = std::move(name), - composite_action = std::move(composite_action), &runtime, this]() -> Matcher::ActionPtr { - if (!isSampled(composite_action, runtime)) { - return nullptr; - } - return std::make_unique(cb, n); - }; + + return std::make_shared( + [cb = std::move(callback)]() mutable -> OptRef { return cb; }, name, + composite_action.has_sample_percent() + ? absl::make_optional( + composite_action.sample_percent()) + : absl::nullopt, + runtime); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCbDownstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor) { @@ -126,10 +134,10 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCb *message, context.stat_prefix_, context.server_factory_context_.value()); } - return createActionFactoryCbCommon(composite_action, context, callback, true); + return createActionCommon(composite_action, context, callback, true); } -Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCbUpstream( +Matcher::ActionConstSharedPtr ExecuteFilterActionFactory::createStaticActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor) { @@ -150,7 +158,7 @@ Matcher::ActionFactoryCb ExecuteFilterActionFactory::createStaticActionFactoryCb callback = callback_or_status.value(); } - return createActionFactoryCbCommon(composite_action, context, callback, false); + return createActionCommon(composite_action, context, callback, false); } REGISTER_FACTORY(ExecuteFilterActionFactory, diff --git a/source/extensions/filters/http/composite/action.h b/source/extensions/filters/http/composite/action.h index 834b757a573fa..ecd9ad9bb076c 100644 --- a/source/extensions/filters/http/composite/action.h +++ b/source/extensions/filters/http/composite/action.h @@ -18,16 +18,26 @@ class ExecuteFilterAction : public Matcher::ActionBase< envoy::extensions::filters::http::composite::v3::ExecuteFilterAction> { public: - explicit ExecuteFilterAction(Http::FilterFactoryCb cb, const std::string& name) - : cb_(std::move(cb)), name_(name) {} + using FilterConfigProvider = std::function()>; + + explicit ExecuteFilterAction( + FilterConfigProvider config_provider, const std::string& name, + const absl::optional& sample, + Runtime::Loader& runtime) + : config_provider_(std::move(config_provider)), name_(name), sample_(sample), + runtime_(runtime) {} void createFilters(Http::FilterChainFactoryCallbacks& callbacks) const; - const std::string& actionName() const { return name_; } + const std::string& actionName() const; + + bool actionSkip() const; private: - Http::FilterFactoryCb cb_; + FilterConfigProvider config_provider_; const std::string name_; + const absl::optional sample_; + Runtime::Loader& runtime_; }; class ExecuteFilterActionFactory @@ -36,29 +46,22 @@ class ExecuteFilterActionFactory public: std::string name() const override { return "composite-action"; } - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, - Http::Matching::HttpFilterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, Http::Matching::HttpFilterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); } - // Rolling the dice to decide whether the action will be sampled. - // By default, if sample_percent is not specified, then it is sampled. - bool isSampled( - const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, - Envoy::Runtime::Loader& runtime); - private: - Matcher::ActionFactoryCb createActionFactoryCbCommon( + Matcher::ActionConstSharedPtr createActionCommon( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, Envoy::Http::FilterFactoryCb& callback, bool is_downstream); template - Matcher::ActionFactoryCb createDynamicActionFactoryCbTyped( + Matcher::ActionConstSharedPtr createDynamicActionTyped( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, const std::string& filter_chain_type, FactoryCtx& factory_context, std::shared_ptr& provider_manager) { @@ -73,35 +76,30 @@ class ExecuteFilterActionFactory server_factory_context.clusterManager(), false, filter_chain_type, nullptr); Envoy::Runtime::Loader& runtime = context.server_factory_context_->runtime(); - return - [provider = std::move(provider), n = std::move(name), - composite_action = std::move(composite_action), &runtime, this]() -> Matcher::ActionPtr { - if (!isSampled(composite_action, runtime)) { - return nullptr; - } - - if (auto config_value = provider->config(); config_value.has_value()) { - return std::make_unique(config_value.ref(), n); - } - // There is no dynamic config available. Apply missing config filter. - return std::make_unique(Envoy::Http::MissingConfigFilterFactory, n); - }; + + return std::make_shared( + [provider]() -> OptRef { return provider->config(); }, name, + composite_action.has_sample_percent() + ? absl::make_optional( + composite_action.sample_percent()) + : absl::nullopt, + runtime); } - Matcher::ActionFactoryCb createDynamicActionFactoryCbDownstream( + Matcher::ActionConstSharedPtr createDynamicActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context); - Matcher::ActionFactoryCb createDynamicActionFactoryCbUpstream( + Matcher::ActionConstSharedPtr createDynamicActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context); - Matcher::ActionFactoryCb createStaticActionFactoryCbDownstream( + Matcher::ActionConstSharedPtr createStaticActionDownstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor); - Matcher::ActionFactoryCb createStaticActionFactoryCbUpstream( + Matcher::ActionConstSharedPtr createStaticActionUpstream( const envoy::extensions::filters::http::composite::v3::ExecuteFilterAction& composite_action, Http::Matching::HttpFilterActionContext& context, ProtobufMessage::ValidationVisitor& validation_visitor); diff --git a/source/extensions/filters/http/composite/filter.cc b/source/extensions/filters/http/composite/filter.cc index 3075685da05b1..fd12f0946ecd7 100644 --- a/source/extensions/filters/http/composite/filter.cc +++ b/source/extensions/filters/http/composite/filter.cc @@ -96,7 +96,6 @@ void Filter::encodeComplete() { void Filter::onMatchCallback(const Matcher::Action& action) { const auto& composite_action = action.getTyped(); - FactoryCallbacksWrapper wrapper(*this, dispatcher_); composite_action.createFilters(wrapper); @@ -107,11 +106,12 @@ void Filter::onMatchCallback(const Matcher::Action& action) { wrapper.errors_, [](const auto& status) { return status.ToString(); })); return; } - const std::string& action_name = composite_action.actionName(); if (wrapper.filter_to_inject_.has_value()) { stats_.filter_delegation_success_.inc(); + const std::string& action_name = composite_action.actionName(); + auto createDelegatedFilterFn = Overloaded{ [this, action_name](Http::StreamDecoderFilterSharedPtr filter) { delegated_filter_ = std::make_shared(std::move(filter)); @@ -137,7 +137,6 @@ void Filter::onMatchCallback(const Matcher::Action& action) { access_loggers_.insert(access_loggers_.end(), wrapper.access_loggers_.begin(), wrapper.access_loggers_.end()); } - // TODO(snowp): Make it possible for onMatchCallback to fail the stream by issuing a local reply, // either directly or via some return status. } diff --git a/source/extensions/filters/http/composite/filter.h b/source/extensions/filters/http/composite/filter.h index acc86f447bf57..551744416fc5b 100644 --- a/source/extensions/filters/http/composite/filter.h +++ b/source/extensions/filters/http/composite/filter.h @@ -57,8 +57,7 @@ class Filter : public Http::StreamFilter, Logger::Loggable { public: Filter(FilterStats& stats, Event::Dispatcher& dispatcher, bool is_upstream) - : dispatcher_(dispatcher), decoded_headers_(false), stats_(stats), is_upstream_(is_upstream) { - } + : dispatcher_(dispatcher), stats_(stats), is_upstream_(is_upstream) {} // Http::StreamDecoderFilter Http::FilterHeadersStatus decodeHeaders(Http::RequestHeaderMap& headers, @@ -124,7 +123,7 @@ class Filter : public Http::StreamFilter, // time will result in various FM assertions firing. // We should be protected against this by the match tree validation that only allows request // headers, this just provides some additional sanity checking. - bool decoded_headers_ : 1; + bool decoded_headers_{false}; // Wraps a stream encoder OR a stream decoder filter into a stream filter, making it easier to // delegate calls. diff --git a/source/extensions/filters/http/custom_response/config.cc b/source/extensions/filters/http/custom_response/config.cc index 4aa4ec67746fc..84d5c1533b20d 100644 --- a/source/extensions/filters/http/custom_response/config.cc +++ b/source/extensions/filters/http/custom_response/config.cc @@ -61,7 +61,7 @@ PolicySharedPtr FilterConfig::getPolicy(const ::Envoy::Http::ResponseHeaderMap& if (!match_result.isMatch()) { return PolicySharedPtr{}; } - return match_result.action()->getTyped().policy_; + return std::dynamic_pointer_cast(match_result.actionByMove()); } } // namespace CustomResponse diff --git a/source/extensions/filters/http/custom_response/policy.h b/source/extensions/filters/http/custom_response/policy.h index 8a4d98080421d..8a18f647ea2e3 100644 --- a/source/extensions/filters/http/custom_response/policy.h +++ b/source/extensions/filters/http/custom_response/policy.h @@ -19,9 +19,9 @@ namespace CustomResponse { class CustomResponseFilter; // Base class for custom response policies. -class Policy : public std::enable_shared_from_this { +class Policy : public std::enable_shared_from_this, + public Matcher::ActionBase { public: - virtual ~Policy() = default; virtual Http::FilterHeadersStatus encodeHeaders(Http::ResponseHeaderMap&, bool, CustomResponseFilter&) const PURE; @@ -42,11 +42,6 @@ struct CustomResponseFilterState : public std::enable_shared_from_this { - explicit CustomResponseMatchAction(PolicySharedPtr policy) : policy_(policy) {} - const PolicySharedPtr policy_; -}; - struct CustomResponseActionFactoryContext { Server::Configuration::ServerFactoryContext& server_; Stats::StatName stats_prefix_; @@ -57,12 +52,10 @@ template class PolicyMatchActionFactory : public Matcher::ActionFactory, Logger::Loggable { public: - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, - CustomResponseActionFactoryContext& context, - ProtobufMessage::ValidationVisitor&) override { - return [policy = createPolicy(config, context.server_, context.stats_prefix_)] { - return std::make_unique(policy); - }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message& config, + CustomResponseActionFactoryContext& context, + ProtobufMessage::ValidationVisitor&) override { + return createPolicy(config, context.server_, context.stats_prefix_); } std::string category() const override { return "envoy.http.custom_response"; } diff --git a/source/extensions/filters/http/match_delegate/config.cc b/source/extensions/filters/http/match_delegate/config.cc index 86d32d5e63222..c80e56c9fc92f 100644 --- a/source/extensions/filters/http/match_delegate/config.cc +++ b/source/extensions/filters/http/match_delegate/config.cc @@ -24,10 +24,10 @@ class SkipActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "skip"; } - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, - Envoy::Http::Matching::HttpFilterActionContext&, - ProtobufMessage::ValidationVisitor&) override { - return []() { return std::make_unique(); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, + Envoy::Http::Matching::HttpFilterActionContext&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -120,8 +120,8 @@ void DelegatingStreamFilter::FilterMatchState::evaluateMatchTree( match_tree_evaluated_ = match_result.isComplete(); if (match_tree_evaluated_ && match_result.isMatch()) { - const Matcher::ActionPtr result = match_result.action(); - if ((result == nullptr) || (SkipAction().typeUrl() == result->typeUrl())) { + const auto& result = match_result.action(); + if (result == nullptr || SkipAction().typeUrl() == result->typeUrl()) { skip_filter_ = true; } else { ASSERT(base_filter_ != nullptr); diff --git a/source/extensions/filters/http/proto_api_scrubber/filter_config.h b/source/extensions/filters/http/proto_api_scrubber/filter_config.h index bb246bfcb8224..6fa6245a78683 100644 --- a/source/extensions/filters/http/proto_api_scrubber/filter_config.h +++ b/source/extensions/filters/http/proto_api_scrubber/filter_config.h @@ -118,10 +118,10 @@ class RemoveFieldAction : public Matcher::ActionBase { public: - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, - ProtoApiScrubberRemoveFieldAction&, - ProtobufMessage::ValidationVisitor&) override { - return []() { return std::make_unique(); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, + ProtoApiScrubberRemoveFieldAction&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { diff --git a/source/extensions/filters/http/rate_limit_quota/filter.cc b/source/extensions/filters/http/rate_limit_quota/filter.cc index 34c74d7e4a6e6..cb297c5d0dd90 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.cc +++ b/source/extensions/filters/http/rate_limit_quota/filter.cc @@ -56,8 +56,9 @@ inline Envoy::Http::Code getDenyResponseCode(const DenyResponseSettings& setting inline std::function addDenyResponseHeadersCb(const DenyResponseSettings& settings) { - if (settings.response_headers_to_add().empty()) + if (settings.response_headers_to_add().empty()) { return nullptr; + } // Headers copied from settings for thread-safety. return [headers_to_add = settings.response_headers_to_add()](Http::ResponseHeaderMap& headers) { for (const envoy::config::core::v3::HeaderValueOption& header : headers_to_add) { @@ -79,7 +80,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade bool end_stream) { ENVOY_LOG(trace, "decodeHeaders: end_stream = {}", end_stream); // First, perform the request matching. - absl::StatusOr match_result = requestMatching(headers); + absl::StatusOr match_result = requestMatching(headers); if (!match_result.ok()) { // When the request is not matched by any matchers, it is ALLOWED by default // (i.e., fail-open) and its quota usage will not be reported to RLQS @@ -184,7 +185,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade // TODO(tyxia) Currently request matching is only performed on the request // header. -absl::StatusOr +absl::StatusOr RateLimitQuotaFilter::requestMatching(const Http::RequestHeaderMap& headers) { // Initialize the data pointer on first use and reuse it for subsequent // requests. This avoids creating the data object for every request, which @@ -215,7 +216,7 @@ RateLimitQuotaFilter::requestMatching(const Http::RequestHeaderMap& headers) { return absl::NotFoundError("Matching completed but no match result was found."); } // Return the matched result for `on_match` case. - return match_result.action(); + return match_result.actionByMove(); } void RateLimitQuotaFilter::onDestroy() { diff --git a/source/extensions/filters/http/rate_limit_quota/filter.h b/source/extensions/filters/http/rate_limit_quota/filter.h index dcaf8b45a8d51..2920594c5d5f3 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.h +++ b/source/extensions/filters/http/rate_limit_quota/filter.h @@ -65,7 +65,8 @@ class RateLimitQuotaFilter : public Http::PassThroughFilter, // Perform request matching. It returns the generated bucket ids if the // matching succeeded, error status otherwise. - absl::StatusOr requestMatching(const Http::RequestHeaderMap& headers); + absl::StatusOr + requestMatching(const Http::RequestHeaderMap& headers); Http::Matching::HttpMatchingDataImpl matchingData() { ASSERT(data_ptr_ != nullptr); diff --git a/source/extensions/filters/http/rate_limit_quota/matcher.h b/source/extensions/filters/http/rate_limit_quota/matcher.h index 38eb7ee3921c7..ee6fc0a21bdc1 100644 --- a/source/extensions/filters/http/rate_limit_quota/matcher.h +++ b/source/extensions/filters/http/rate_limit_quota/matcher.h @@ -51,17 +51,15 @@ class RateLimitOnMatchActionFactory : public Matcher::ActionFactory(config, validation_visitor); - return [bucket_settings = std::move(bucket_settings)]() { - return std::make_unique(std::move(bucket_settings)); - }; + return std::make_shared(std::move(bucket_settings)); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { diff --git a/source/extensions/filters/network/generic_proxy/route_impl.cc b/source/extensions/filters/network/generic_proxy/route_impl.cc index 60fd548e078f3..d70a3a99fc9d6 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.cc +++ b/source/extensions/filters/network/generic_proxy/route_impl.cc @@ -61,13 +61,12 @@ RouteEntryImpl::RouteEntryImpl(const ProtoRouteAction& route_action, } } -Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_action = MessageUtil::downcastAndValidate(config, validation_visitor); - auto route = std::make_shared(route_action, context.factory_context); - return [route]() { return std::make_unique(route); }; + return std::make_shared(route_action, context.factory_context); } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); @@ -92,15 +91,12 @@ RouteEntryConstSharedPtr VirtualHostImpl::routeEntry(const MatchInput& request) Matcher::MatchResult match_result = Matcher::evaluateMatch(*matcher_, request); if (match_result.isMatch()) { - Matcher::ActionPtr action = match_result.action(); - + Matcher::ActionConstSharedPtr action = match_result.actionByMove(); // The only possible action that can be used within the route matching context // is the RouteMatchAction, so this must be true. - ASSERT(action->typeUrl() == RouteMatchAction::staticTypeUrl()); - ASSERT(dynamic_cast(action.get())); - const RouteMatchAction& route_action = static_cast(*action); - - return route_action.route(); + ASSERT(action->typeUrl() == RouteEntryImpl::staticTypeUrl()); + ASSERT(dynamic_cast(action.get())); + return std::dynamic_pointer_cast(std::move(action)); } ENVOY_LOG(debug, "failed to match incoming request: {}", diff --git a/source/extensions/filters/network/generic_proxy/route_impl.h b/source/extensions/filters/network/generic_proxy/route_impl.h index 62118b8856f6e..ef81c9818d7a3 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.h +++ b/source/extensions/filters/network/generic_proxy/route_impl.h @@ -32,7 +32,7 @@ using ProtoRouteConfiguration = using ProtoVirtualHost = envoy::extensions::filters::network::generic_proxy::v3::VirtualHost; using ProtoRetryPolicy = envoy::config::core::v3::RetryPolicy; -class RouteEntryImpl : public RouteEntry { +class RouteEntryImpl : public RouteEntry, public Matcher::ActionBase { public: RouteEntryImpl(const ProtoRouteAction& route, Envoy::Server::Configuration::ServerFactoryContext& context); @@ -76,17 +76,6 @@ struct RouteActionContext { Server::Configuration::ServerFactoryContext& factory_context; }; -// Action used with the matching tree to specify route to use for an incoming stream. -class RouteMatchAction : public Matcher::ActionBase { -public: - explicit RouteMatchAction(RouteEntryConstSharedPtr route) : route_(std::move(route)) {} - - RouteEntryConstSharedPtr route() const { return route_; } - -private: - RouteEntryConstSharedPtr route_; -}; - class RouteActionValidationVisitor : public Matcher::MatchTreeValidationVisitor { public: absl::Status performDataInputValidation(const Matcher::DataInputFactory&, @@ -98,9 +87,9 @@ class RouteActionValidationVisitor : public Matcher::MatchTreeValidationVisitor< // Registered factory for RouteMatchAction. class RouteMatchActionFactory : public Matcher::ActionFactory { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "envoy.matching.action.generic_proxy.route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/filters/network/match_delegate/config.cc b/source/extensions/filters/network/match_delegate/config.cc index b176034ad65ff..adfa6938a7e8f 100644 --- a/source/extensions/filters/network/match_delegate/config.cc +++ b/source/extensions/filters/network/match_delegate/config.cc @@ -18,10 +18,9 @@ namespace Factory { class SkipActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "skip"; } - Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&, - NetworkFilterActionContext&, - ProtobufMessage::ValidationVisitor&) override { - return []() { return std::make_unique(); }; + Matcher::ActionConstSharedPtr createAction(const Protobuf::Message&, NetworkFilterActionContext&, + ProtobufMessage::ValidationVisitor&) override { + return std::make_shared(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -107,8 +106,8 @@ void DelegatingNetworkFilter::FilterMatchState::evaluateMatchTree() { match_tree_evaluated_ = match_result.isComplete(); if (match_tree_evaluated_ && match_result.isMatch()) { - const Matcher::ActionPtr result = match_result.action(); - if ((result == nullptr) || (SkipAction().typeUrl() == result->typeUrl())) { + const auto& result = match_result.action(); + if (result == nullptr || SkipAction().typeUrl() == result->typeUrl()) { skip_filter_ = true; } else { // TODO(botengyao) this would be similar to `base_filter_->onMatchCallback(*result);` @@ -192,7 +191,7 @@ Envoy::Network::FilterFactoryCb MatchDelegateConfig::createFilterFactory( auto message = Config::Utility::translateAnyToFactoryConfig( proto_config.extension_config().typed_config(), validation, factory); auto filter_factory_or_error = factory.createFilterFactoryFromProto(*message, context); - THROW_IF_NOT_OK(filter_factory_or_error.status()); + THROW_IF_NOT_OK_REF(filter_factory_or_error.status()); auto filter_factory = filter_factory_or_error.value(); Factory::MatchTreeValidationVisitor validation_visitor(*factory.matchingRequirements()); diff --git a/source/extensions/filters/udp/udp_proxy/router/router_impl.cc b/source/extensions/filters/udp/udp_proxy/router/router_impl.cc index 0fa2a904e1e5b..8ab3a80a569b1 100644 --- a/source/extensions/filters/udp/udp_proxy/router/router_impl.cc +++ b/source/extensions/filters/udp/udp_proxy/router/router_impl.cc @@ -15,17 +15,16 @@ namespace UdpFilters { namespace UdpProxy { namespace Router { -Matcher::ActionFactoryCb RouteMatchActionFactory::createActionFactoryCb( - const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Matcher::ActionConstSharedPtr +RouteMatchActionFactory::createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& route_config = MessageUtil::downcastAndValidate< const envoy::extensions::filters::udp::udp_proxy::v3::Route&>(config, validation_visitor); const auto& cluster = route_config.cluster(); // Emplace cluster names to context to get all cluster names. context.cluster_name_.emplace(cluster); - - return [cluster]() { return std::make_unique(cluster); }; + return std::make_shared(cluster); } REGISTER_FACTORY(RouteMatchActionFactory, Matcher::ActionFactory); diff --git a/source/extensions/filters/udp/udp_proxy/router/router_impl.h b/source/extensions/filters/udp/udp_proxy/router/router_impl.h index f506778db6af2..04bb887fde713 100644 --- a/source/extensions/filters/udp/udp_proxy/router/router_impl.h +++ b/source/extensions/filters/udp/udp_proxy/router/router_impl.h @@ -32,9 +32,9 @@ class RouteMatchAction class RouteMatchActionFactory : public Matcher::ActionFactory { public: - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, RouteActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, RouteActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "route"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/source/extensions/matching/actions/format_string/config.cc b/source/extensions/matching/actions/format_string/config.cc index 962082481b1f3..9476c572ecee7 100644 --- a/source/extensions/matching/actions/format_string/config.cc +++ b/source/extensions/matching/actions/format_string/config.cc @@ -23,10 +23,10 @@ ActionImpl::get(const Server::Configuration::FilterChainsByName& filter_chains_b return nullptr; } -Matcher::ActionFactoryCb -ActionFactory::createActionFactoryCb(const Protobuf::Message& proto_config, - FilterChainActionFactoryContext& context, - ProtobufMessage::ValidationVisitor& validator) { +Matcher::ActionConstSharedPtr +ActionFactory::createAction(const Protobuf::Message& proto_config, + FilterChainActionFactoryContext& context, + ProtobufMessage::ValidationVisitor& validator) { const auto& config = MessageUtil::downcastAndValidate( proto_config, validator); @@ -35,7 +35,7 @@ ActionFactory::createActionFactoryCb(const Protobuf::Message& proto_config, Formatter::FormatterConstSharedPtr formatter = THROW_OR_RETURN_VALUE( Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, generic_context), Formatter::FormatterPtr); - return [formatter]() { return std::make_unique(formatter); }; + return std::make_shared(std::move(formatter)); } REGISTER_FACTORY(ActionFactory, Matcher::ActionFactory); diff --git a/source/extensions/matching/actions/format_string/config.h b/source/extensions/matching/actions/format_string/config.h index 359490c375238..0b893e2903031 100644 --- a/source/extensions/matching/actions/format_string/config.h +++ b/source/extensions/matching/actions/format_string/config.h @@ -17,7 +17,7 @@ namespace FormatString { class ActionImpl : public Matcher::ActionBase { public: - ActionImpl(const Formatter::FormatterConstSharedPtr& formatter) : formatter_(formatter) {} + ActionImpl(Formatter::FormatterConstSharedPtr formatter) : formatter_(std::move(formatter)) {} const Network::FilterChain* get(const Server::Configuration::FilterChainsByName& filter_chains_by_name, const StreamInfo::StreamInfo& info) const override; @@ -30,10 +30,9 @@ using FilterChainActionFactoryContext = Server::Configuration::ServerFactoryCont class ActionFactory : public Matcher::ActionFactory { public: std::string name() const override { return "envoy.matching.actions.format_string"; } - Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& proto_config, - FilterChainActionFactoryContext& context, - ProtobufMessage::ValidationVisitor& validator) override; + Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& proto_config, FilterChainActionFactoryContext& context, + ProtobufMessage::ValidationVisitor& validator) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); } diff --git a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc index 70d35193631e2..8553f75f0cde9 100644 --- a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc +++ b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.cc @@ -10,14 +10,12 @@ namespace Extensions { namespace Router { namespace Matcher { -Envoy::Matcher::ActionFactoryCb ClusterActionFactory::createActionFactoryCb( - const Protobuf::Message& config, ClusterActionContext&, - ProtobufMessage::ValidationVisitor& validation_visitor) { +Envoy::Matcher::ActionConstSharedPtr +ClusterActionFactory::createAction(const Protobuf::Message& config, ClusterActionContext&, + ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& proto_config = MessageUtil::downcastAndValidate(config, validation_visitor); - auto cluster = std::make_shared(proto_config.cluster()); - - return [cluster]() { return std::make_unique(cluster); }; + return std::make_shared(proto_config.cluster()); } REGISTER_FACTORY(ClusterActionFactory, Envoy::Matcher::ActionFactory); @@ -43,9 +41,7 @@ class MatcherRouteEntry : public Envoy::Router::DelegatingRouteEntry { if (!match_result.isMatch()) { return; } - - const Envoy::Matcher::ActionPtr result = match_result.action(); - cluster_name_.emplace(result->getTyped().cluster()); + cluster_name_.emplace(match_result.action()->getTyped().cluster()); } private: diff --git a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h index 52562d728cb0f..88e7746cea02b 100644 --- a/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h +++ b/source/extensions/router/cluster_specifiers/matcher/matcher_cluster_specifier.h @@ -26,21 +26,21 @@ struct ClusterActionContext {}; */ class ClusterAction : public Envoy::Matcher::ActionBase { public: - explicit ClusterAction(std::shared_ptr cluster) : cluster_(cluster) {} + explicit ClusterAction(absl::string_view cluster) : cluster_(cluster) {} - const std::string& cluster() const { return *cluster_; } + const std::string& cluster() const { return cluster_; } private: - const std::shared_ptr cluster_; + const std::string cluster_; }; // Registered factory for ClusterAction. This factory will be used to load proto configuration // from opaque config. class ClusterActionFactory : public Envoy::Matcher::ActionFactory { public: - Envoy::Matcher::ActionFactoryCb - createActionFactoryCb(const Protobuf::Message& config, ClusterActionContext& context, - ProtobufMessage::ValidationVisitor& validation_visitor) override; + Envoy::Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, ClusterActionContext& context, + ProtobufMessage::ValidationVisitor& validation_visitor) override; std::string name() const override { return "cluster"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); diff --git a/test/common/matcher/exact_map_matcher_test.cc b/test/common/matcher/exact_map_matcher_test.cc index b635a25b3bf93..2dc71b5e0c4c1 100644 --- a/test/common/matcher/exact_map_matcher_test.cc +++ b/test/common/matcher/exact_map_matcher_test.cc @@ -109,7 +109,7 @@ TEST(ExactMapMatcherTest, RecursiveMatching) { std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "match"}), stringOnMatch("no_match")); - matcher->addChild("match", OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher, + matcher->addChild("match", OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher, /*.keep_matching=*/false}); TestData data; @@ -127,7 +127,7 @@ TEST(ExactMapMatcherTest, RecursiveMatchingOnNoMatch) { std::unique_ptr> matcher = *ExactMapMatcher::create( std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "blah"}), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher, /*.keep_matching=*/false}); matcher->addChild("match", stringOnMatch("match")); @@ -156,14 +156,14 @@ TEST(ExactMapMatcherTest, RecursiveMatchingWithKeepMatching) { std::unique_ptr> matcher = *ExactMapMatcher::create( std::make_unique( DataInputGetResult{DataInputGetResult::DataAvailability::AllDataAvailable, "match"}), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/top_on_no_match_matcher, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/top_on_no_match_matcher, /*.keep_matching=*/false}); - matcher->addChild("match", OnMatch{/*.action_cb=*/nullptr, + matcher->addChild("match", OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_match_keeps_matching, /*.keep_matching=*/true}); - std::vector skipped_results{}; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results{}; + SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionConstSharedPtr& cb) { skipped_results.push_back(cb); }; TestData data; diff --git a/test/common/matcher/list_matcher_test.cc b/test/common/matcher/list_matcher_test.cc index 42246922f1ccd..aa83f429e4bae 100644 --- a/test/common/matcher/list_matcher_test.cc +++ b/test/common/matcher/list_matcher_test.cc @@ -40,8 +40,8 @@ TEST(ListMatcherTest, KeepMatching) { matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), stringOnMatch("matched", /*keep_matching=*/false)); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; auto result = matcher.match(TestData(), skipped_match_cb); @@ -56,8 +56,8 @@ TEST(ListMatcherTest, KeepMatchingOnNoMatch) { matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), stringOnMatch("keep matching 2", /*keep_matching=*/true)); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](const ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; auto result = matcher.match(TestData(), skipped_match_cb); @@ -84,17 +84,17 @@ TEST(ListMatcherTest, KeepMatchingWithRecursion) { Envoy::Matcher::ListMatcher matcher(stringOnMatch("top_level on_no_match")); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_1, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_1, /*.keep_matching=*/false}); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_2, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_2, /*.keep_matching=*/true}); matcher.addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/sub_matcher_3, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/sub_matcher_3, /*.keep_matching=*/false}); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = matcher.match(TestData(), skipped_match_cb); @@ -120,17 +120,17 @@ TEST(ListMatcherTest, KeepMatchingWithRecursiveOnNoMatch) { stringOnMatch("on_no_match sub match", /*keep_matching=*/true)); Envoy::Matcher::ListMatcher matcher( - OnMatch{/*action_cb=*/nullptr, + OnMatch{/*action_=*/nullptr, /*matcher=*/on_no_match_sub_matcher, /*keep_matching=*/false}); matcher.addMatcher( createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*action_cb=*/nullptr, /*matcher=*/sub_matcher_1, /*keep_matching=*/true}); + OnMatch{/*action_=*/nullptr, /*matcher=*/sub_matcher_1, /*keep_matching=*/true}); matcher.addMatcher( createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*action_cb=*/nullptr, /*matcher=*/sub_matcher_2, /*keep_matching=*/false}); + OnMatch{/*action_=*/nullptr, /*matcher=*/sub_matcher_2, /*keep_matching=*/false}); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = matcher.match(TestData(), skipped_match_cb); diff --git a/test/common/matcher/matcher_test.cc b/test/common/matcher/matcher_test.cc index d4072671da910..09b31e650f582 100644 --- a/test/common/matcher/matcher_test.cc +++ b/test/common/matcher/matcher_test.cc @@ -907,8 +907,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingSupportInEvaluation) { validation_visitor_.setSupportKeepMatching(true); std::shared_ptr> matcher = createMatcherFromYaml(yaml)(); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; const auto result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1020,8 +1020,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithRecursiveMatcher) { // Expect the nested matchers with keep_matching to be skipped and also the top-level // keep_matching setting to skip the result of the first sub-matcher. - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1056,8 +1056,8 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithUnsupportedReentry) { validation_visitor_.setSupportKeepMatching(true); std::shared_ptr> matcher = createMatcherFromYaml(yaml)(); - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); @@ -1130,12 +1130,12 @@ TEST_P(MatcherAmbiguousTest, KeepMatchingWithFailingNestedMatcher) { stringOnMatch("fail")); matcher->addMatcher(createSingleMatcher("string", [](auto) { return true; }), - OnMatch{/*.action_cb=*/nullptr, /*.matcher=*/nested_matcher, + OnMatch{/*.action_=*/nullptr, /*.matcher=*/nested_matcher, /*.keep_matching=*/true}); // Expect re-entry to fail due to the nested matcher. - std::vector skipped_results; - SkippedMatchCb skipped_match_cb = [&skipped_results](ActionFactoryCb cb) { + std::vector skipped_results; + SkippedMatchCb skipped_match_cb = [&skipped_results](ActionConstSharedPtr cb) { skipped_results.push_back(cb); }; MatchResult result = evaluateMatch(*matcher, TestData(), skipped_match_cb); diff --git a/test/common/matcher/test_utility.h b/test/common/matcher/test_utility.h index 808decee787bc..7eeec55e96897 100644 --- a/test/common/matcher/test_utility.h +++ b/test/common/matcher/test_utility.h @@ -162,10 +162,10 @@ struct StringAction : public ActionBase { // Factory for StringAction. class StringActionFactory : public ActionFactory { public: - ActionFactoryCb createActionFactoryCb(const Protobuf::Message& config, absl::string_view&, - ProtobufMessage::ValidationVisitor&) override { + ActionConstSharedPtr createAction(const Protobuf::Message& config, absl::string_view&, + ProtobufMessage::ValidationVisitor&) override { const auto& string = dynamic_cast(config); - return [string]() { return std::make_unique(string.value()); }; + return std::make_shared(string.value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { @@ -273,14 +273,9 @@ void PrintTo(const FieldMatchResult& result, std::ostream* os) { } } -// Creates a StringAction from a provided string. -std::unique_ptr stringValue(absl::string_view value) { - return std::make_unique(std::string(value)); -} - // Creates an OnMatch that evaluates to a StringValue with the provided value. template OnMatch stringOnMatch(absl::string_view value, bool keep_matching = false) { - return OnMatch{[s = std::string(value)]() { return stringValue(s); }, nullptr, keep_matching}; + return OnMatch{std::make_shared(std::string(value)), nullptr, keep_matching}; } inline void PrintTo(const Action& action, std::ostream* os) { @@ -291,23 +286,14 @@ inline void PrintTo(const Action& action, std::ostream* os) { *os << "{type=" << action.typeUrl() << "}"; } -inline void PrintTo(const ActionFactoryCb& action_cb, std::ostream* os) { - if (action_cb == nullptr) { - *os << "nullptr"; - return; - } - ActionPtr action = action_cb(); - PrintTo(*action, os); -} - inline void PrintTo(const MatchResult& result, std::ostream* os) { if (result.isInsufficientData()) { *os << "InsufficientData"; } else if (result.isNoMatch()) { *os << "NoMatch"; } else if (result.isMatch()) { - *os << "Match{ActionFactoryCb="; - PrintTo(result.actionFactory(), os); + *os << "Match{Action="; + PrintTo(*result.action(), os); *os << "}"; } else { *os << "UnknownState"; @@ -319,9 +305,9 @@ inline void PrintTo(const MatchTree& matcher, std::ostream* os) { } inline void PrintTo(const OnMatch& on_match, std::ostream* os) { - if (on_match.action_cb_) { - *os << "{action_cb_="; - PrintTo(on_match.action_cb_, os); + if (on_match.action_) { + *os << "{action_="; + PrintTo(on_match.action_, os); *os << "}"; } else if (on_match.matcher_) { *os << "{matcher_="; @@ -339,26 +325,25 @@ MATCHER(HasInsufficientData, "") { } MATCHER_P(IsActionWithType, matcher, "") { - // Takes an ActionFactoryCb argument, and compares its action type against matcher. + // Takes an ActionConstSharedPtr argument, and compares its action type against matcher. if (arg == nullptr) { return false; } - ActionPtr action = arg(); - return ::testing::ExplainMatchResult(testing::Matcher(matcher), - action->typeUrl(), result_listener); + return ::testing::ExplainMatchResult(testing::Matcher(matcher), arg->typeUrl(), + result_listener); } MATCHER_P(IsStringAction, matcher, "") { - // Takes an ActionFactoryCb argument, and compares its StringAction's string against matcher. + // Takes an ActionConstSharedPtr argument, and compares its StringAction's string against matcher. if (arg == nullptr) { return false; } - ActionPtr action = arg(); - if (action->typeUrl() != "google.protobuf.StringValue") { + + if (arg->typeUrl() != "google.protobuf.StringValue") { return false; } return ::testing::ExplainMatchResult(testing::Matcher(matcher), - action->template getTyped().string_, + arg->template getTyped().string_, result_listener); } @@ -368,8 +353,7 @@ MATCHER_P(HasStringAction, matcher, "") { if (!arg.isMatch()) { return false; } - return ::testing::ExplainMatchResult(IsStringAction(matcher), arg.actionFactory(), - result_listener); + return ::testing::ExplainMatchResult(IsStringAction(matcher), arg.action(), result_listener); } MATCHER_P(HasActionWithType, matcher, "") { @@ -378,8 +362,7 @@ MATCHER_P(HasActionWithType, matcher, "") { if (!arg.isMatch()) { return false; } - return ::testing::ExplainMatchResult(IsActionWithType(matcher), arg.actionFactory(), - result_listener); + return ::testing::ExplainMatchResult(IsActionWithType(matcher), arg.action(), result_listener); } MATCHER(HasNoMatch, "") { diff --git a/test/extensions/common/matcher/domain_matcher_test.cc b/test/extensions/common/matcher/domain_matcher_test.cc index 1ea833d294e1c..20e57359201d7 100644 --- a/test/extensions/common/matcher/domain_matcher_test.cc +++ b/test/extensions/common/matcher/domain_matcher_test.cc @@ -38,7 +38,6 @@ using ::Envoy::Matcher::MatchResult; using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; using ::Envoy::Matcher::SkippedMatchCb; -using ::Envoy::Matcher::StringAction; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; @@ -625,8 +624,8 @@ TEST_F(DomainMatcherTest, KeepMatchingSupport) { loadConfig(yaml); validation_visitor_.setSupportKeepMatching(true); - std::vector skipped_results; - skipped_match_cb_ = [&skipped_results](Envoy::Matcher::ActionFactoryCb cb) { + std::vector skipped_results; + skipped_match_cb_ = [&skipped_results](const Envoy::Matcher::ActionConstSharedPtr& cb) { skipped_results.push_back(cb); }; diff --git a/test/extensions/common/matcher/trie_matcher_test.cc b/test/extensions/common/matcher/trie_matcher_test.cc index 02f40777e9db2..d7a4536b5fba9 100644 --- a/test/extensions/common/matcher/trie_matcher_test.cc +++ b/test/extensions/common/matcher/trie_matcher_test.cc @@ -27,8 +27,8 @@ namespace Common { namespace Matcher { namespace { +using ::Envoy::Matcher::ActionConstSharedPtr; using ::Envoy::Matcher::ActionFactory; -using ::Envoy::Matcher::ActionFactoryCb; using ::Envoy::Matcher::CustomMatcherFactory; using ::Envoy::Matcher::DataInputGetResult; using ::Envoy::Matcher::HasInsufficientData; @@ -36,12 +36,10 @@ using ::Envoy::Matcher::HasNoMatch; using ::Envoy::Matcher::HasStringAction; using ::Envoy::Matcher::IsStringAction; using ::Envoy::Matcher::MatchResult; -using ::Envoy::Matcher::MatchTree; using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MatchTreePtr; using ::Envoy::Matcher::MatchTreeSharedPtr; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; -using ::Envoy::Matcher::StringAction; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; @@ -604,8 +602,10 @@ TEST_F(TrieMatcherTest, ExerciseKeepMatching) { // Skip baz because the nested matcher is set with keep_matching. // Skip bag because the nested matcher returns on_no_match, but the top-level matcher is set to // keep_matching. - std::vector skipped_results{}; - skipped_match_cb_ = [&skipped_results](ActionFactoryCb cb) { skipped_results.push_back(cb); }; + std::vector skipped_results{}; + skipped_match_cb_ = [&skipped_results](const ActionConstSharedPtr& cb) { + skipped_results.push_back(cb); + }; auto input = TestDataInputStringFactory("192.101.0.1"); auto nested = TestDataInputBoolFactory("baz"); diff --git a/test/extensions/filters/http/composite/filter_test.cc b/test/extensions/filters/http/composite/filter_test.cc index d37bd319eae93..03ecafba79106 100644 --- a/test/extensions/filters/http/composite/filter_test.cc +++ b/test/extensions/filters/http/composite/filter_test.cc @@ -86,6 +86,8 @@ class CompositeFilterTest : public ::testing::Test { EXPECT_TRUE(MessageDifferencer::Equals(expected, *(info->serializeAsProto()))); } + testing::NiceMock context_; + testing::NiceMock decoder_callbacks_; testing::NiceMock encoder_callbacks_; Stats::MockCounter error_counter_; @@ -114,12 +116,13 @@ TEST_F(FilterTest, StreamEncoderFilterDelegation) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -143,12 +146,13 @@ TEST_F(FilterTest, StreamDecoderFilterDelegation) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamDecoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setDecoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -171,14 +175,15 @@ TEST_F(FilterTest, StreamFilterDelegation) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setDecoderFilterCallbacks(_)); EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); EXPECT_CALL(success_counter_, inc()); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); filter_.onMatchCallback(action); expectFilterStateInfo(filter_state); @@ -200,12 +205,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamFilters) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamFilter(stream_filter); cb.addStreamFilter(stream_filter); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -225,12 +231,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamDecoderFilters) { ON_CALL(decoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamDecoderFilter(decoder_filter); cb.addStreamDecoderFilter(decoder_filter); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -250,12 +257,13 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleStreamEncoderFilters) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(encode_filter); cb.addStreamEncoderFilter(encode_filter); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(error_counter_, inc()); filter_.onMatchCallback(action); @@ -278,13 +286,14 @@ TEST_F(FilterTest, StreamFilterDelegationMultipleAccessLoggers) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(encode_filter); cb.addAccessLogHandler(access_log_1); cb.addAccessLogHandler(access_log_2); }; - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(*encode_filter, setEncoderFilterCallbacks(_)); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -340,8 +349,7 @@ TEST(ConfigTest, TestConfig) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Error: Only one of `dynamic_config` or `typed_config` can be set."); } } @@ -371,8 +379,7 @@ TEST(ConfigTest, TestDynamicConfigInDownstream) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get downstream factory context or server factory context."); } @@ -400,8 +407,7 @@ TEST(ConfigTest, TestDynamicConfigInUpstream) { .server_factory_context_ = absl::nullopt}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get upstream factory context or server factory context."); } @@ -428,8 +434,7 @@ TEST(ConfigTest, CreateFilterFromServerContextDual) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "DualFactoryBase: creating filter factory from server factory context is not supported"); } @@ -456,8 +461,7 @@ TEST(ConfigTest, DualFilterNoUpstreamFactoryContext) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get upstream filter factory creation function"); } @@ -482,8 +486,7 @@ TEST(ConfigTest, DownstreamFilterNoFactoryContext) { .server_factory_context_ = absl::nullopt}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Failed to get downstream filter factory creation function"); } @@ -510,8 +513,7 @@ TEST(ConfigTest, TestDownstreamFilterNoOverridingServerContext) { .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; EXPECT_THROW_WITH_MESSAGE( - factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor()), + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()), EnvoyException, "Creating filter factory from server factory context is not supported"); } @@ -526,12 +528,23 @@ TEST(ConfigTest, TestSamplePercentNotSpecifiedl) { http_status: 503 )EOF"; - testing::NiceMock server_factory_context; - NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); + + testing::NiceMock server_factory_context; + testing::NiceMock factory_context; + testing::NiceMock upstream_factory_context; + Envoy::Http::Matching::HttpFilterActionContext action_context{ + .is_downstream_ = true, + .stat_prefix_ = "test", + .factory_context_ = absl::nullopt, + .upstream_factory_context_ = absl::nullopt, + .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - EXPECT_TRUE(factory.isSampled(config, runtime)); + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + + EXPECT_FALSE(action->getTyped().actionSkip()); } // Config test to check if sample_percent config is in place and feature enabled. @@ -549,15 +562,27 @@ TEST(ConfigTest, TestSamplePercentInPlaceFeatureEnabled) { denominator: HUNDRED )EOF"; - testing::NiceMock server_factory_context; - NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); + + testing::NiceMock server_factory_context; + testing::NiceMock factory_context; + testing::NiceMock upstream_factory_context; + Envoy::Http::Matching::HttpFilterActionContext action_context{ + .is_downstream_ = true, + .stat_prefix_ = "test", + .factory_context_ = absl::nullopt, + .upstream_factory_context_ = absl::nullopt, + .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - EXPECT_CALL(runtime.snapshot_, + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + + EXPECT_CALL(server_factory_context.runtime_loader_.snapshot_, featureEnabled(_, testing::A())) .WillOnce(testing::Return(true)); - EXPECT_TRUE(factory.isSampled(config, runtime)); + + EXPECT_FALSE(action->getTyped().actionSkip()); } // Config test to check if sample_percent config is in place and feature not enabled. @@ -570,18 +595,32 @@ TEST(ConfigTest, TestSamplePercentInPlaceFeatureNotEnabled) { abort: http_status: 503 sample_percent: - runtime_key: + default_value: + numerator: 30 + denominator: HUNDRED )EOF"; - testing::NiceMock server_factory_context; - NiceMock& runtime = server_factory_context.runtime_loader_; envoy::extensions::filters::http::composite::v3::ExecuteFilterAction config; TestUtility::loadFromYaml(yaml_string, config); + + testing::NiceMock server_factory_context; + testing::NiceMock factory_context; + testing::NiceMock upstream_factory_context; + Envoy::Http::Matching::HttpFilterActionContext action_context{ + .is_downstream_ = true, + .stat_prefix_ = "test", + .factory_context_ = absl::nullopt, + .upstream_factory_context_ = absl::nullopt, + .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - EXPECT_CALL(runtime.snapshot_, + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); + + EXPECT_CALL(server_factory_context.runtime_loader_.snapshot_, featureEnabled(_, testing::A())) .WillOnce(testing::Return(false)); - EXPECT_FALSE(factory.isSampled(config, runtime)); + + EXPECT_TRUE(action->getTyped().actionSkip()); } TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForDynamicConfig) { @@ -608,8 +647,8 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForDynamicConf .upstream_factory_context_ = upstream_factory_context, .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor())(); + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); EXPECT_EQ("actionName", action->getTyped().actionName()); } @@ -639,8 +678,8 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingActionForTypedConfig .upstream_factory_context_ = upstream_factory_context, .server_factory_context_ = server_factory_context}; ExecuteFilterActionFactory factory; - auto action = factory.createActionFactoryCb(config, action_context, - ProtobufMessage::getStrictValidationVisitor())(); + auto action = + factory.createAction(config, action_context, ProtobufMessage::getStrictValidationVisitor()); EXPECT_EQ("actionName", action->getTyped().actionName()); } @@ -658,12 +697,13 @@ TEST_F(FilterTest, FilterStateShouldBeUpdatedWithTheMatchingAction) { StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::FilterChain); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -688,12 +728,13 @@ TEST_F(FilterTest, MatchingActionShouldNotCollitionWithOtherRootFilter) { StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::FilterChain); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); @@ -724,12 +765,13 @@ TEST_F(UpstreamFilterTest, StreamEncoderFilterDelegationUpstream) { ON_CALL(encoder_callbacks_.stream_info_, filterState()) .WillByDefault(testing::ReturnRef(filter_state)); - auto factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { + Http::FilterFactoryCb factory_callback = [&](Http::FilterChainFactoryCallbacks& cb) { cb.addStreamEncoderFilter(stream_filter); }; EXPECT_CALL(*stream_filter, setEncoderFilterCallbacks(_)); - ExecuteFilterAction action(factory_callback, "actionName"); + ExecuteFilterAction action([&]() -> OptRef { return factory_callback; }, + "actionName", absl::nullopt, context_.runtime_loader_); EXPECT_CALL(success_counter_, inc()); filter_.onMatchCallback(action); diff --git a/test/extensions/filters/http/match_delegate/config_test.cc b/test/extensions/filters/http/match_delegate/config_test.cc index 0b63d20d77450..2e032c3953952 100644 --- a/test/extensions/filters/http/match_delegate/config_test.cc +++ b/test/extensions/filters/http/match_delegate/config_test.cc @@ -302,7 +302,7 @@ createMatchingTree(const std::string& name, const std::string& value) { std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_shared(), nullptr, false}); return tree; } @@ -315,7 +315,7 @@ Matcher::MatchTreeSharedPtr createRequestAndRespo tree->addChild( "match", Matcher::OnMatch{ - []() { return std::make_unique(); }, + std::make_shared(), createMatchingTree( "match-header", "match"), false}); @@ -369,13 +369,11 @@ template Matcher::MatchTreeSharedPtr createMatchTreeWithOnNoMatch(const std::string& name, const std::string& value) { auto tree = *Matcher::ExactMapMatcher::create( - std::make_unique(name), - Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_unique(name), Matcher::OnMatch{ + std::make_shared(), nullptr, false}); // No action is set on match. i.e., nullptr action factory cb. - tree->addChild(value, Matcher::OnMatch{[]() { return nullptr; }, - nullptr, false}); + tree->addChild(value, Matcher::OnMatch{nullptr, nullptr, false}); return tree; } diff --git a/test/extensions/filters/http/rate_limit_quota/filter_test.cc b/test/extensions/filters/http/rate_limit_quota/filter_test.cc index 96cdd58b18195..20b860a1a3704 100644 --- a/test/extensions/filters/http/rate_limit_quota/filter_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/filter_test.cc @@ -150,7 +150,7 @@ class FilterTest : public testing::Test { ASSERT_TRUE(match_result.ok()); // Retrieve the matched action. const RateLimitOnMatchAction* match_action = - dynamic_cast(match_result.value().get()); + dynamic_cast(match_result.value().get()); RateLimitQuotaValidationVisitor visitor = {}; // Generate the bucket ids. @@ -277,7 +277,7 @@ TEST_F(FilterTest, RequestMatchingWithInvalidOnNoMatch) { ASSERT_TRUE(match_result.ok()); // Retrieve the matched action. const RateLimitOnMatchAction* match_action = - dynamic_cast(match_result.value().get()); + dynamic_cast(match_result.value().get()); RateLimitQuotaValidationVisitor visitor = {}; // Generate the bucket ids. diff --git a/test/extensions/filters/network/generic_proxy/route_test.cc b/test/extensions/filters/network/generic_proxy/route_test.cc index 56aa14d4e114b..1ee03a8bdd915 100644 --- a/test/extensions/filters/network/generic_proxy/route_test.cc +++ b/test/extensions/filters/network/generic_proxy/route_test.cc @@ -279,16 +279,6 @@ TEST_F(RouteEntryImplTest, NullRouteSpecificConfig) { EXPECT_EQ(route_->perFilterConfig("envoy.filters.generic.mock_filter"), nullptr); }; -/** - * Test the simple route action wrapper. - */ -TEST(RouteMatchActionTest, SimpleRouteMatchActionTest) { - auto entry = std::make_shared>(); - RouteMatchAction action(entry); - - EXPECT_EQ(action.route().get(), entry.get()); -} - /** * Test the simple data input validator. */ @@ -321,13 +311,11 @@ TEST(RouteMatchActionFactoryTest, SimpleRouteMatchActionFactoryTest) { TestUtility::loadFromYaml(yaml_config, proto_config); RouteActionContext context{server_context}; - auto factory_cb = factory.createActionFactoryCb(proto_config, context, - server_context.messageValidationVisitor()); - - EXPECT_EQ(factory_cb()->getTyped().route().get(), - factory_cb()->getTyped().route().get()); + auto action = + factory.createAction(proto_config, context, server_context.messageValidationVisitor()); - EXPECT_EQ(factory_cb()->getTyped().route()->clusterName(), "cluster_0"); + EXPECT_NE(action, nullptr); + EXPECT_EQ(action->getTyped().clusterName(), "cluster_0"); } class RouteMatcherImplTest : public testing::Test { diff --git a/test/extensions/filters/network/match_delegate/config_test.cc b/test/extensions/filters/network/match_delegate/config_test.cc index 574b886536cef..fd283fb15e51c 100644 --- a/test/extensions/filters/network/match_delegate/config_test.cc +++ b/test/extensions/filters/network/match_delegate/config_test.cc @@ -243,7 +243,7 @@ createMatchingTree(const std::string& name, const std::string& value) { std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_shared(), nullptr, false}); return tree; } @@ -394,7 +394,7 @@ createMatchingTreeWithTestAction(const std::string& name, const std::string& val std::make_unique(name), absl::nullopt); tree->addChild(value, Matcher::OnMatch{ - []() { return std::make_unique(); }, nullptr, false}); + std::make_shared(), nullptr, false}); return tree; } diff --git a/test/extensions/matching/actions/format_string/config_test.cc b/test/extensions/matching/actions/format_string/config_test.cc index 8bbb3027572fe..7028674e75f2d 100644 --- a/test/extensions/matching/actions/format_string/config_test.cc +++ b/test/extensions/matching/actions/format_string/config_test.cc @@ -23,10 +23,8 @@ TEST(ConfigTest, TestConfig) { testing::NiceMock factory_context; ActionFactory factory; - auto action_cb = factory.createActionFactoryCb(config, factory_context, - ProtobufMessage::getStrictValidationVisitor()); - ASSERT_NE(nullptr, action_cb); - auto action = action_cb(); + auto action = + factory.createAction(config, factory_context, ProtobufMessage::getStrictValidationVisitor()); ASSERT_NE(nullptr, action); const auto& typed_action = action->getTyped(); diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index b419480bd4c25..a1dc887af4abb 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -141,7 +141,7 @@ class MockStreamCallbacks : public StreamCallbacks { class MockCodecEventCallbacks : public CodecEventCallbacks { public: MockCodecEventCallbacks(); - ~MockCodecEventCallbacks(); + ~MockCodecEventCallbacks() override; MOCK_METHOD(void, onCodecEncodeComplete, ()); MOCK_METHOD(void, onCodecLowLevelReset, ()); @@ -343,7 +343,7 @@ class MockStreamDecoderFilterCallbacks : public StreamDecoderFilterCallbacks, MOCK_METHOD(bool, shouldLoadShed, (), (const)); Buffer::InstancePtr buffer_; - std::list callbacks_{}; + std::list callbacks_; testing::NiceMock downstream_callbacks_; testing::NiceMock active_span_; testing::NiceMock tracing_config_; From d6f08b6ff60d37a5d4f1b59b1cb742526ac4f8a9 Mon Sep 17 00:00:00 2001 From: phlax Date: Thu, 24 Jul 2025 14:47:28 +0100 Subject: [PATCH 065/505] bazel: Bump -> 7.6.1 (#40413) Signed-off-by: Ryan Northey --- .bazelversion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bazelversion b/.bazelversion index 93c8ddab9fef3..e8be68404bcb3 100644 --- a/.bazelversion +++ b/.bazelversion @@ -1 +1 @@ -7.6.0 +7.6.1 From 547d8474d471d8ec89409e0c257a8937d637fd83 Mon Sep 17 00:00:00 2001 From: code Date: Thu, 24 Jul 2025 21:58:03 +0800 Subject: [PATCH 066/505] opentelemetry: clean up the code to avoid unnecessary copy/constructing (#40405) Minor optimization. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: wangbaiping(wbpcode) --- .../tracers/opentelemetry/span_context.h | 14 +++---- .../opentelemetry/span_context_extractor.cc | 12 +++--- .../tracers/opentelemetry/tracer.cc | 40 ++++++++++--------- .../extensions/tracers/opentelemetry/tracer.h | 12 +++--- .../opentelemetry/samplers/sampler_test.cc | 4 +- .../span_context_extractor_test.cc | 4 +- 6 files changed, 44 insertions(+), 42 deletions(-) diff --git a/source/extensions/tracers/opentelemetry/span_context.h b/source/extensions/tracers/opentelemetry/span_context.h index d9699e7571a03..1247237f1a62b 100644 --- a/source/extensions/tracers/opentelemetry/span_context.h +++ b/source/extensions/tracers/opentelemetry/span_context.h @@ -24,10 +24,10 @@ class SpanContext { /* * Constructor that creates a context object from the supplied attributes. */ - SpanContext(const absl::string_view& version, const absl::string_view& trace_id, - const absl::string_view& parent_id, bool sampled, const absl::string_view& tracestate) - : version_(version), trace_id_(trace_id), parent_id_(parent_id), sampled_(sampled), - tracestate_(tracestate) {} + SpanContext(absl::string_view version, absl::string_view trace_id, absl::string_view span_id, + bool sampled, std::string tracestate) + : version_(version), trace_id_(trace_id), span_id_(span_id), sampled_(sampled), + tracestate_(std::move(tracestate)) {} /** * @return the span's version as a hex string. @@ -35,9 +35,9 @@ class SpanContext { const std::string& version() const { return version_; } /** - * @return the span's parent id as a hex string. + * @return the span's id as a hex string. */ - const std::string& parentId() const { return parent_id_; } + const std::string& spanId() const { return span_id_; } /** * @return the trace id as an integer. @@ -57,7 +57,7 @@ class SpanContext { private: const std::string version_; const std::string trace_id_; - const std::string parent_id_; + const std::string span_id_; const bool sampled_{false}; const std::string tracestate_; }; diff --git a/source/extensions/tracers/opentelemetry/span_context_extractor.cc b/source/extensions/tracers/opentelemetry/span_context_extractor.cc index 0fc913cdb2b61..00f9b58327e75 100644 --- a/source/extensions/tracers/opentelemetry/span_context_extractor.cc +++ b/source/extensions/tracers/opentelemetry/span_context_extractor.cc @@ -61,13 +61,13 @@ absl::StatusOr SpanContextExtractor::extractSpanContext() { } absl::string_view version = propagation_header_components[0]; absl::string_view trace_id = propagation_header_components[1]; - absl::string_view parent_id = propagation_header_components[2]; + absl::string_view span_id = propagation_header_components[2]; absl::string_view trace_flags = propagation_header_components[3]; if (version.size() != kVersionHexSize || trace_id.size() != kTraceIdHexSize || - parent_id.size() != kParentIdHexSize || trace_flags.size() != kTraceFlagsHexSize) { + span_id.size() != kParentIdHexSize || trace_flags.size() != kTraceFlagsHexSize) { return absl::InvalidArgumentError("Invalid traceparent field sizes"); } - if (!isValidHex(version) || !isValidHex(trace_id) || !isValidHex(parent_id) || + if (!isValidHex(version) || !isValidHex(trace_id) || !isValidHex(span_id) || !isValidHex(trace_flags)) { return absl::InvalidArgumentError("Invalid header hex"); } @@ -76,7 +76,7 @@ absl::StatusOr SpanContextExtractor::extractSpanContext() { if (isAllZeros(trace_id)) { return absl::InvalidArgumentError("Invalid trace id"); } - if (isAllZeros(parent_id)) { + if (isAllZeros(span_id)) { return absl::InvalidArgumentError("Invalid parent id"); } @@ -102,8 +102,8 @@ absl::StatusOr SpanContextExtractor::extractSpanContext() { }); std::string tracestate = absl::StrJoin(tracestate_values, ","); - SpanContext span_context(version, trace_id, parent_id, sampled, tracestate); - return span_context; + SpanContext parent_context(version, trace_id, span_id, sampled, std::move(tracestate)); + return parent_context; } } // namespace OpenTelemetry diff --git a/source/extensions/tracers/opentelemetry/tracer.cc b/source/extensions/tracers/opentelemetry/tracer.cc index 9dd7e9a05dd40..cb46e183737cb 100644 --- a/source/extensions/tracers/opentelemetry/tracer.cc +++ b/source/extensions/tracers/opentelemetry/tracer.cc @@ -73,7 +73,8 @@ Span::Span(const std::string& name, const StreamInfo::StreamInfo& stream_info, Tracing::SpanPtr Span::spawnChild(const Tracing::Config&, const std::string& name, SystemTime start_time) { // Build span_context from the current span, then generate the child span from that context. - SpanContext span_context(kDefaultVersion, getTraceId(), spanId(), sampled(), tracestate()); + SpanContext span_context(kDefaultVersion, getTraceId(), spanId(), sampled(), + std::string(tracestate())); return parent_tracer_.startSpan(name, stream_info_, start_time, span_context, {}, ::opentelemetry::proto::trace::v1::Span::SPAN_KIND_CLIENT); } @@ -270,46 +271,47 @@ Tracing::SpanPtr Tracer::startSpan(const std::string& operation_name, OptRef trace_context, OTelSpanKind span_kind) { // Create an Tracers::OpenTelemetry::Span class that will contain the OTel span. - Span new_span(operation_name, stream_info, start_time, time_source_, *this, span_kind); + auto new_span = std::make_unique(operation_name, stream_info, start_time, time_source_, + *this, span_kind); uint64_t trace_id_high = random_.random(); uint64_t trace_id = random_.random(); - new_span.setTraceId(absl::StrCat(Hex::uint64ToHex(trace_id_high), Hex::uint64ToHex(trace_id))); + new_span->setTraceId(absl::StrCat(Hex::uint64ToHex(trace_id_high), Hex::uint64ToHex(trace_id))); uint64_t span_id = random_.random(); - new_span.setId(Hex::uint64ToHex(span_id)); + new_span->setId(Hex::uint64ToHex(span_id)); if (sampler_) { - callSampler(sampler_, stream_info, absl::nullopt, new_span, operation_name, trace_context); + callSampler(sampler_, stream_info, absl::nullopt, *new_span, operation_name, trace_context); } else { - new_span.setSampled(tracing_decision.traced); + new_span->setSampled(tracing_decision.traced); } - return std::make_unique(new_span); + return new_span; } Tracing::SpanPtr Tracer::startSpan(const std::string& operation_name, const StreamInfo::StreamInfo& stream_info, SystemTime start_time, - const SpanContext& previous_span_context, + const SpanContext& parent_context, OptRef trace_context, OTelSpanKind span_kind) { // Create a new span and populate details from the span context. - Span new_span(operation_name, stream_info, start_time, time_source_, *this, span_kind); - new_span.setTraceId(previous_span_context.traceId()); - if (!previous_span_context.parentId().empty()) { - new_span.setParentId(previous_span_context.parentId()); + auto new_span = std::make_unique(operation_name, stream_info, start_time, time_source_, + *this, span_kind); + new_span->setTraceId(parent_context.traceId()); + if (!parent_context.spanId().empty()) { + new_span->setParentId(parent_context.spanId()); } // Generate a new identifier for the span id. uint64_t span_id = random_.random(); - new_span.setId(Hex::uint64ToHex(span_id)); + new_span->setId(Hex::uint64ToHex(span_id)); if (sampler_) { // Sampler should make a sampling decision and set tracestate - callSampler(sampler_, stream_info, previous_span_context, new_span, operation_name, - trace_context); + callSampler(sampler_, stream_info, parent_context, *new_span, operation_name, trace_context); } else { // Respect the previous span's sampled flag. - new_span.setSampled(previous_span_context.sampled()); - if (!previous_span_context.tracestate().empty()) { - new_span.setTracestate(std::string{previous_span_context.tracestate()}); + new_span->setSampled(parent_context.sampled()); + if (!parent_context.tracestate().empty()) { + new_span->setTracestate(parent_context.tracestate()); } } - return std::make_unique(new_span); + return new_span; } } // namespace OpenTelemetry diff --git a/source/extensions/tracers/opentelemetry/tracer.h b/source/extensions/tracers/opentelemetry/tracer.h index 11ae574f9e32b..ecc3b44908ae3 100644 --- a/source/extensions/tracers/opentelemetry/tracer.h +++ b/source/extensions/tracers/opentelemetry/tracer.h @@ -116,7 +116,7 @@ class Span : Logger::Loggable, public Tracing::Span { /** * Sets the span's trace id attribute. */ - void setTraceId(const absl::string_view& trace_id_hex) { + void setTraceId(absl::string_view trace_id_hex) { span_.set_trace_id(absl::HexStringToBytes(trace_id_hex)); } @@ -129,12 +129,12 @@ class Span : Logger::Loggable, public Tracing::Span { /** * @return the operation name set on the span */ - std::string name() const { return span_.name(); } + absl::string_view name() const { return span_.name(); } /** * Sets the span's id. */ - void setId(const absl::string_view& span_id_hex) { + void setId(absl::string_view span_id_hex) { span_.set_span_id(absl::HexStringToBytes(span_id_hex)); } @@ -143,16 +143,16 @@ class Span : Logger::Loggable, public Tracing::Span { /** * Sets the span's parent id. */ - void setParentId(const absl::string_view& parent_span_id_hex) { + void setParentId(absl::string_view parent_span_id_hex) { span_.set_parent_span_id(absl::HexStringToBytes(parent_span_id_hex)); } - std::string tracestate() const { return span_.trace_state(); } + absl::string_view tracestate() const { return span_.trace_state(); } /** * Sets the span's tracestate. */ - void setTracestate(const absl::string_view& tracestate) { + void setTracestate(absl::string_view tracestate) { span_.set_trace_state(std::string{tracestate}); } diff --git a/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc b/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc index 7b67d8fe88ab5..747d0ded66034 100644 --- a/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc +++ b/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc @@ -156,7 +156,7 @@ TEST_F(SamplerFactoryTest, TestWithSampler) { // So the dynamic_cast should be safe. std::unique_ptr span(dynamic_cast(tracing_span.release())); EXPECT_TRUE(span->sampled()); - EXPECT_STREQ(span->tracestate().c_str(), "this_is=tracesate"); + EXPECT_EQ(span->tracestate(), "this_is=tracesate"); // shouldSamples return a result containing additional attributes and Decision::Drop EXPECT_CALL(*test_sampler, shouldSample(_, _, _, _, _, _, _)) @@ -184,7 +184,7 @@ TEST_F(SamplerFactoryTest, TestWithSampler) { {Tracing::Reason::Sampling, true}); std::unique_ptr unsampled_span(dynamic_cast(tracing_span.release())); EXPECT_FALSE(unsampled_span->sampled()); - EXPECT_STREQ(unsampled_span->tracestate().c_str(), "this_is=another_tracesate"); + EXPECT_EQ(unsampled_span->tracestate(), "this_is=another_tracesate"); auto proto_span = unsampled_span->spanForTest(); auto get_attr_value = diff --git a/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc b/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc index b87f984768ebe..5515d760d6bd9 100644 --- a/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc +++ b/test/extensions/tracers/opentelemetry/span_context_extractor_test.cc @@ -30,7 +30,7 @@ TEST(SpanContextExtractorTest, ExtractSpanContext) { EXPECT_OK(span_context); EXPECT_EQ(span_context->traceId(), trace_id); - EXPECT_EQ(span_context->parentId(), parent_id); + EXPECT_EQ(span_context->spanId(), parent_id); EXPECT_EQ(span_context->version(), version); EXPECT_TRUE(span_context->sampled()); } @@ -45,7 +45,7 @@ TEST(SpanContextExtractorTest, ExtractSpanContextNotSampled) { EXPECT_OK(span_context); EXPECT_EQ(span_context->traceId(), trace_id); - EXPECT_EQ(span_context->parentId(), parent_id); + EXPECT_EQ(span_context->spanId(), parent_id); EXPECT_EQ(span_context->version(), version); EXPECT_FALSE(span_context->sampled()); } From 1f780d1a73c869e046598907c6175efcaca16861 Mon Sep 17 00:00:00 2001 From: "publish-envoy[bot]" <140627008+publish-envoy[bot]@users.noreply.github.com> Date: Thu, 24 Jul 2025 14:14:16 +0000 Subject: [PATCH 067/505] repo: Sync version histories (#40421) Signed-off-by: publish-envoy[bot] Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com> --- changelogs/1.32.9.yaml | 6 ++++++ changelogs/1.33.6.yaml | 11 +++++++++++ changelogs/1.34.4.yaml | 11 +++++++++++ docs/inventories/v1.32/objects.inv | Bin 179031 -> 179051 bytes docs/inventories/v1.33/objects.inv | Bin 181632 -> 181675 bytes docs/inventories/v1.34/objects.inv | Bin 186627 -> 186689 bytes docs/inventories/v1.35/objects.inv | Bin 0 -> 189384 bytes docs/versions.yaml | 7 ++++--- 8 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 changelogs/1.32.9.yaml create mode 100644 changelogs/1.33.6.yaml create mode 100644 changelogs/1.34.4.yaml create mode 100644 docs/inventories/v1.35/objects.inv diff --git a/changelogs/1.32.9.yaml b/changelogs/1.32.9.yaml new file mode 100644 index 0000000000000..c44dc2829743d --- /dev/null +++ b/changelogs/1.32.9.yaml @@ -0,0 +1,6 @@ +date: July 24, 2025 + +behavior_changes: +- area: wasm + change: | + Bumped up V8 version to ``12.9.202.27`` to address multiple CVEs. diff --git a/changelogs/1.33.6.yaml b/changelogs/1.33.6.yaml new file mode 100644 index 0000000000000..01eef0de2069f --- /dev/null +++ b/changelogs/1.33.6.yaml @@ -0,0 +1,11 @@ +date: July 24, 2025 + +behavior_changes: +- area: wasm + change: | + Bumped up V8 version to ``12.9.202.27`` to address multiple CVEs. + +bug_fixes: +- area: wasm + change: | + Bumped wasmtime version to 24.0.2 to address CVE. diff --git a/changelogs/1.34.4.yaml b/changelogs/1.34.4.yaml new file mode 100644 index 0000000000000..01eef0de2069f --- /dev/null +++ b/changelogs/1.34.4.yaml @@ -0,0 +1,11 @@ +date: July 24, 2025 + +behavior_changes: +- area: wasm + change: | + Bumped up V8 version to ``12.9.202.27`` to address multiple CVEs. + +bug_fixes: +- area: wasm + change: | + Bumped wasmtime version to 24.0.2 to address CVE. diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv index a124ffb64b78e57d9da9eb8930e3bec073444fb6..4a6ef2c722362ee9446e66add3c3faccbbfbc997 100644 GIT binary patch delta 4736 zcmYLKcU049ur<-2B>`lYP!tf^6)-5prGr3_DiDgH7XfJ@bWo7`3n)bt7C{39lz>Qr z6zRRQG^s*DQ6fcpcSDcBbM?LR{`t;)bLPyMJ9F;6qdTyb9ay3|L?J>WN&`}%0d1o| zPwb_f%Y*(2uAH}Yl?Qr|_^*fdRLW)EE|%7lPY>8?Mzn9~ZH*=k)SU(hlBv5z&c;B_dseX(h! zu?Tjg9Fh$!MR*SR(^0rR%c1{wzsoFV&JZpp0#CuKCyb34>w~3EzX@H|^;XGI@ekH2 zz+*l#yaMOkyoMjBea%SM7a_j#i7Cz+`-lFCIh5Iho)}M`sBQA^W){1@t+J~0UJ4!c zYuU+O=k3UicIL6?!S&uvAL73;#v%2^lztp8mfo@%_Dxah-ERjQSQkmcTMN9!z0((Y zg|7>OkXx<2D94@`nmKr#vyc?2RN~S@fbo9RLJ>9PTmoD!Kn1@pN`=}7f(Wx z{h4i9ZY_Vo>=6_FK3J>LXTS5jRmu_NLA66gPq3t9i^kj2Cu_ckjXg*zwW{2|jbq_k z*)DL`QohA=k(Y1}e{bwJIqBTdcp%PMdty-D0eQ~o_uzk63o%^DP~kbPi9u<{3l}88 z(&x{mo@F@CHg`SwO|JZ!1qy<{*AknaDcym({DNBKjkPR^g|UC-Ts2X#uOKoJxjAhWf$BEi}ySGDUeWn4UT<@q!^Q;cf{ba1Z06} zF+o-m-j!rp@LrG2q0qWLL(>wKsqY)#DpPN6iK6KH7PeNv^?RUk&ajNDQ;+XUz;#lP z*mo#Qf5&x_LvCtXYp;%K8Hi6!i=2l^FFfmmzH^DQyxM#3Nt-3Asvs$B+AlVvTCFE2 z^~X?%(W^G<#5CYVFM=v+)KfzQuJj?Kj8o6Kd2u-@i!}+@8bDN;R10lHaT&?y+t|(U&E$e!m8pSBaGh7kT;tT} za%DL7HIiaVA~00pv6)DhY)Ouxvtp#kTv8qst)N|w=Of;8fk|24i{~2D#LU_VF4SvV zp)R9+;ZfGbE^d%><+|H4gMzquEqAT>k!KeQ8+jCarS(ETLbI`P9-O7N_Y%2`v@x?9 zf+F=8E0i!A^uo0lwk?R#1mh5wm}l+x!G- zV8LI3k0EB~!er)7(V#B4xHM$%GZQm-^*bcC2<3n0o|ygnTv8NNOsB8{A7K@Bz_!dz zwLLFPqe2aEaqbAP$ntVNSFs7kJ|8cZ|DJ2p3`5n(63!U3YIZ{3z(l1b#koVOWPm;d zR!jFi;4zAjHYe>vSu61+RsgeqnZ0_l^Dj|%NQ{i842{Ls{2i)5;f{8qOtY zMO?Hh7sHOtS6g}ai7kEMdg0}7Q_&Vp^MwajD-_e32{QNLlp17FbVYrcHEIOy%Mk^p zZ*qAcnQsYdUiZt+HD+n0B zUK|C-wj#?-y9m26@Ypt_S2pOA3~2d6UdjUooIW2EJAm04gbapq!Hu7LFdj2#6ER;9 zV}n8&7{jBiie3C5LJFEgrhBo@p@ag2D0lVr%0yj$qo zlQsCoj7S%lv?J>xblE?Sc#WFzARFE_h{ROo+8QbGVkL8)B^Ho7?y0I^kSuYipvT?&Lm zC;?~$wv|W+UaTWzOex5PVD7|vOs~F!OU|J!ifN$c4-h53wZLPikbYT-Plci%LelDV zcOI+@me!q5Ew6_!(vd~R)zQ0+aM+|m@ra{;9SV?G#4n8D-uFS3>Om6MYe(yN&y=%Y z0sU_XYjx{8f)Y~+WYQBTS|_g_kA5AQ3zK%1VL-!!;)qD70)HGTg&Wc1Z&6q^PcZ9;*Ul@HesWZ|UIexnKeWcCCuj+Hy!Fd#-fWqH_u-+et}1-Pf2{RZgoAry?e&b{yA z_W6pLFqzJ+m$qvr82U;@rHc(N!uJ?RpCY`!S%HK-l}w4cC1ycu#5-nY6JQlNvrOnn z7|asc6*v41p2{%I-RM7mgTCRX^R^MMm-&+*-HmwLOmN03$~|bU5$~NjBMg(Xygb7# zx%o?=iFVE1hQ>eixui54qNl3a$B8poVgmJth*G0OKxB(sav#%s$AOSDW7oW9sCEso zdOif!SRKgZE-amAr?YmyXs|1)4U1nqw|i0}u#BHPosutSrye~2{lpL*-MY6mC)zv; z;$K5mPuw4Ud+tV~&C9)01Nsb>ybme)pYNUw4q%=bwC#M8vFrDe>aJmk5x87?jXkIS zZqcXUNVnXy=;866vT09-+L(U`lqSyhR<-~WE?VJ+Nw;4HmiM|>ZRdn-4xkQ9r*QM| z>LcL8X7~5X9`8r{++EQk3=!L-E2&@vD0crZ@Y9^(k8Cv{!f>@cx}K`KQ0Se!&kzSM z_1bN+6?cEvOldkhFA=0V>~vJxV|SWiUZ3y!7f73Xe`{ZCWiCzkizl-MJt=OqsqeCp zdzv@n;wsd))9J_ySKN}4?gh{0bU<;mpz zy1bUtTRAx zzDU_*bf%2hXiWK?$u0ePx#^gy58L~3)b3AC;k@DN**B%^LR;UA-Rd5mVvNtGf%{$@ zmtJ$}z5+5S!UMfkDVybGM$0$%&PoTlG-f|O^CIdFcMF-&EyYm2a&!CIi&_>HnEvau z4c=)5+brtKkcXpWTF_zf_+-y=@k_@rbAc6l?M|}X)0u@?mxf8Y=Z1GQ*H?H9&k=Xk z$5D-@U2l+)7asaTHIQkjG+w`I1{!{@xJg@}xjeYLFCA0EXTFd-lTMotqRoy^TwP;A ziTG-GEEE6m)b}sfpB{~iKMnWk$p*K3ii_*kzSgLGSgKbX)qC1n=?(LPJEri&?U#h8 z9t<`dZ>SzwzaJobt0>oZ?OfSj4?6yX99%WNzCJe{sxmfzQjxZhZ1;)241#j$2Y>e* zhH(T+eXf4LHZAn!^^ExS^|t?>3r(u^8lN#+Me(r*v5Nu%s*O!0&*A$a)kAAVOG94U zWB;-->3MhWZhS`Q($sxI=Kyzsnd}?urf0;-gv0&y%glLy8&#@dg;@~qUg+}4liLrL zW`sq*$Ys{+EpS$Wj)r&EqHFgn(*cLV7Sqlj`~aGxy7I&0WvzL))#Y#{DB6 zW$)1k6Ko4Ki^Jike7h>pLm*Xp3oY-XPnD!B6Vieaqwn6quhf?`C`5re1$i zD+C_TGv=wiY@G+WX+mZxjJBg{<)+Y(#af8r0H$>!nNfZdTsi{x^E<7)<+SE6Z>VN&>D290_cwHp@0Z+In@NjL)o-HtfcBEGv8Jyc0`SIw^Q`{l@*} z{Nk$S(V$xeF7oRVoev7%e5X|9m|IFG-drEecaiIY94@+T<`>`~eV1Za#UG1eyJ98+ zb_2>(i_ATJnBE}fD{ff-UCiM(zIhIG(F4i-lGlu$ti~YR`LoN8RSF}2Pm2nl{)J1IQsXnF7x=}Hrh}$tPHgB477pptl;*H1kx?#aiiby z7`L^?it+dS;tL!xp~KB9A$5NygfA1`jjctzVfAJEcNh$LXLzWWFa;>}de^PdE5B$Q zFI!GF9N(VfPdBWY$FeV5G*x;VH7JhkZo4M=v92N4coB2=Rb)dP*&dY~j*K=)u@d=h z>?A3-5^D^vY~B9uwYZGKA=U+uX^KMa#vBwq5& z7N{g|H(J(6&}}C8xR|Nv!@YyvB%mf&b&Y6xMCHpVtZf8JdzSv~bPJm}G6n&WM&bRz zCR|KFS=!MjZ$l9QTU9w3TVnE?`C%oQ1xBCS&eM>FJh}@bY9&yIPkm<3bS5xN|J04= zpuksirAu#aN-x;iS&SwA8K7`fa!mD@c~BlcA=|D&R&Vgy{gb>n+_ro(p%qgHOTXc- zur4f$8wgz<@D!1?vosG$l6Jxwu6{nhxf>JAT}V9t4NR%EmJH4Kc%GSCZAUC42YMzy znGuiaOP3Jj8l{OW>AJaooY$|u@alO;h$D0&|mHpm~;^;bYG*cKyO=GTCmBrv}^ zD6^2;%stv1JF5G5m={!8;PkCou`Re#W|PP7&pt;Bs2;7l)~z=BWjCK{ihut(VS<0x a5W~^l{`9-9PkO8N@#34~^Nx5vo&N#q97qBH delta 4716 zcmYLKc{tQ-*fvvBnK|SfVtL+lVy};vJOHCzd^%E%D&8uod(&r z2E$m&79+ARW6QqFnys(XcU|B2-+R5!bG`R_-_LR{ZbSRGp%LmJg#Zn*2B=&E{2?2B zd@Y_k2YeY|o-gSjLgTPp&HMG)hK&4Ahe;XcADRqJ9uLm^!{Jjfws>a0s%W@zko_k( zKrOr~O`0PZR8wE--4?KW^z>YVtDO$i=5fUBh@B4}p&CIEk7{VVvwYmIw74P-q92aQ z*#3^XVB})7M6(mWd`z?HZm8dfM3E`gxzoJj@)uwTz>q6Fb%w*TZM~$e8Z+vvK>sl1_mo)D0*^A6Wi8)#V?uVJJUWA7&m)Y_r;?Qk=o$bv7-)ythXDl zrvsO7b1=W@^0Z0SN%bV0qkTCiJ-{zJa?kJZ5O+OjVt>-p&fv0nZ3d;@H0~kj;Y&dR zA))96aQqav>@glR77+=)WNVk2X4`a0M%8BXH#xb_W_rAdi75elGmthE2^(<|qy9DO zZHy|a^)fBZt}BJb-sXa5^#!6E7OBKLlW06OtbT-LkJUIe|J zM!bEn<57Qa$~?SHO#ojnu~t z3hgaq7k*b88z_PwgMWBa!IG|V5jPN5n%ryR*11E9>bzXwnpBbimqKAC_vnIcEhHe4 zCoIu=O8oLkO}(%RmPI`n$_0mMjvQo49|xz|c=>TSiXJItFrgDqZX^-Bu3fUri?Qrp2*2*noN+>Y8DpS+G_}=Jpdh2Iu_4sHx zw_6o^VsS|#yWN>7LC7vm(35*$4+!`5KdadtNDiP3%Gh67Q+8@s9&JszI?r^ioNbDS z3H7Nd{=`LZ{=^-XPcuf9?c)e8vnzqYYPs_orR1Mokrs>L>On6K^$?HC{?SBJ5uMHe zO>e+2Uhqxkzu88xNk-hMb(g7)(`puFy>>+=P;HH`IU48}oF!3twE?ks$Wn_~&(7tL zqJq+}>t=PtJT<>&w^KgL;%UkV;(4q=hAIzQ9Z_@vYnqEk=l_F{63jInvpw5@V}vR; z7L$e(CWXk3Pv?tC%L$V>vLliZ0Xb-fD;U;sqcjmxm$0420rW&Mv%1K;(z0Yq!AlJi8vm#-A;HW<_ODOzDY^y4MgIjGh(r|_Rs{Em!gixj+4oZ8 z_))MkF(|uqDSo4T@o{5%Y7SUeaj=ABOL=Gqm3@$Ig;i@I+jD?<0khjS=NdlbvaJbl9mW53GCerDS#*EA%ZA{HON&(U$I9N$zaZ+WSv_jIC^G*6kNLov1jo!}Mw zP%41x35!;P?b7biU5UKX9t;ueLwit$ELk4fCvNaJOd%OnbgwQhUIk{Ff^tbG^4~v+ z9uJ^r=cwr_-YO#rQvV~L5!(g!vKLs~Pf{OfaBfN5HmlpY>-M@q9;VR=K0$yw2^87( zc7pW?q13BAFQRY5Ow&cex@D+o@|m+hFfSL!_Ef_e z^abzx0jyEQ7f<5L6c$TKE0hKyh$G@@D&%-4d_WA(tosd}`hs5f60B!xQbziVnoftx zPcLmBx}OQAdwK>v9k_oS-R`12OJ_%bBEp z2mez}(!)Xa)#mwjtHNz>c7p>ShdRLDO|*9hetOLNZmV~sM8@G3O#bA3rXxY6oRmNX zKOj5ac~nk%M-3E(%3VCy2ma;&rHXaNl;L1=c_;#1RTdcXKwqe!7gYwbkqL#6n0|PL zK^-^C?@4!PlcG?}gupP^#W|EF zHWCBGyTAtCqg?33QizZX=*M+PhXAo7v=S0F0xvhnhU6?Dh)=McMgeho)eq{1bPcbO zam6=WK^yP2w>ZNW-!TnCjNM@s6~Bfx{t0ZTQn9G-kw=>k6GG;kHC-+-OZ|o*KE)Dp zBhZpNh$0{Ch{l8{?8z87*%g{7HV(uHkYEY5CUuz)V!YZ8X z^Ko)PDtv@YPn>jNkuq*NHTQzJk$&&Rw@QO^)d2B=Xo?jV@rf5mQE zXoXZy!R1Y|6|adSrDCx?YH5hX2J<=#J!u`XS(K3nh^7e1hZAl)bU?zU#Cp7=LQ+?n z)U@wOj9<;l)=U$+Zz+LCXJy|{!|B;ej7w)Fyll9uRbNROObnz$rDylOq zJ{30b8Rb$y1UxKXNsOy!RgfFdPYtU`7n3IApp3tI=fQCv0t?SO)D66cMKe^8YstSB zv7`o4Dh+F%OGFoHA&D8k#H^OHsEgBc!;)!HLY^St#xE+Ny^yelUsSSiNMatgUCkPi z>1$CJU7+TN^*Ob$5-I{&0M9%D{+ox1*afhJXQ-nenVABWpi*jd|OhuMnqoxU69UcTOa7t@)RQWtv*n zUDdxO3!$P7*)W9}lzTzMhRC;Ppv9ZFCE)J$i*t~hn{bA4g@|M}QmPv}qCIgR7PAHR zdM2>6Kdp}6Ve)7yNsiO9QZ)mpBA0w_9s4_^?*`!HVuq<9#UxMSAdc|^3lO<2xT0YT z_i7=MuOB;NJVCGSvQ)LzcatU4(8Li~%QA{sK=SDGkxXS~Ws}v=rl(mXu9WmRXnAJ) zE?C-}XpyTiGl19G+b76m93B9?=A!fJQ%==O&fh@vOQeWy)BrZ~+id^IWEO z`P(r52r@d>dT=LRg?q;8!b)O$ir4qr^S z01O~MFy4bljzs>1{NHCpfc=mEpTvuy)IwFZEt7L3$D6JwhD2SdZ&qsCU9w$x{{maqzGs9|6@0(ur{N0z7a8uTbyWv=cT29+IwsMN{ec|+Z zih#C7sQZi@NZ)-Zh*M%Zs| z^v90ykNp1GZcNH~OPl9WK0DPwB(`SQ$$RG;QCZk&1C+F|(JHy@vQ1e(dh9AHIHV-ZJ(f*2P;l-Yd5` z&U;{0Z|j@S7~SCAO3>FxWL{19tKbTga}|lW?OA5f6793wp@B*-ZrXW#V_xV?cA*Xu zW4O-xK4o#Eu;?(&g^@)sJCxYdKlpmI``B}&hqim@28;rjt>lg^2ma;N^jZtrYIxU% zmqqh3(UPZErKZIVQ0y-mPMLNA2A%&EIC>x1PtJ<3cyJc;>QVd#ZogZn2mO*NV#t_U z9rGPcqz+D)j>(mNTyXav5N6EAyPmedjNkIoPI&%rQrxU0M+Mk2U0j~Ye$@0Y<2d2m zT^8W$)C4?I%I#xrxY1Q6=D6e%<;_(~8~v5rtUb;DPMTSBeWbpo+Qe7I{my&&ym}T3 z`W)t)bmgN%@Yf@E^Zpy3!hLjnVs9U7{pw%i;1zVXGd%f3?WcE$&ZU5s6}9ZZVBZ#J zZ&%FzSD)S!j33wK3$C*>eFlU-TPt_jMugEOmMdZH@J@~C=h+U*Ynf#)WUT{0=FZVQD7X`zLNICWW&{6F%UVJQo*7DJR&x z1(IisFSd+a`D5=d|H>ywt*V`%JHr5m9k97xqP$o+ruim1I*KQ?1ova`Zpxy{Sn|4D zb+_)HUv6XeoxMpt)%=)sxBfZi>W^m|IvZC2ocu|x!zX9UTUOTc|GqP)&%QBKrJPK2 zW(^wluqXN}m1v!Ma(Y{PU(O#ZmwdDJERXAtM)h>>6chcB=HMU1yv5qveEdAp-fZcq zSz%?3om$op7I}H3z6CSTb$jt4p~voUixU#gshaz;^QwBPWGIn!ijTol%dB-hVbPrd z=x%=4E*r&M+j&cSMf>njxHL!DD#fhiLjPu#Md_y$YEap|euk=-qQ#Lye)zD;LgDzw zM^UHyO_n=du6J7%4tKZy)BjmlH-2U+`}?LI`@63P^>EVC)qyeSJF&OS-yEUfAG^zu z7Y$5k3181W_r~x%b)!&HJn!@G%(FiR0Knn;`VE|l3+-WgcbX+*KN7n+Z|!+rb0Wur z%uc90>&-7vZm+yG`<|axn3wzaodwzQE8EK_clXt6UfpMh?AGdV&~qvsb0L1%5lQx7 zH}id~hFkoH8FoD1tHmnOdF{vcT{Cwp1d}44KL?K_1}T?s0p}_|%RJfJ3qI{^H?8l} z%R=uof2b1H3n?534heIkNpH*g&mpVkTOZ6Jy_A8$zs@jtRQwMHKYI=OO=|>j`~PXl fI9I8(l0p{^eTDoUJAR!Ue$@5P4`FxZ!O{N#KX^40 diff --git a/docs/inventories/v1.33/objects.inv b/docs/inventories/v1.33/objects.inv index 699a73b388336b826807400ed54fc91c35144d42..d2f78b035fb9cb616597d56a9533c1b7c4d342e4 100644 GIT binary patch delta 7286 zcmYLLcRbX8{CCG0cg9thEk_ww#@U-gG?cwVHtCXiM(J}DN^}|4!e>@Av!T9*_5Z9-q(a{eHck>y3X7D|ilz(+0_hUJkzus=N$V&jTJo1YP-m zJ`Mj^w*}dho++8*Tk8qrCGdW)W=_N!alWEq!6*D(tG;g*lDzUo`Q9$%Exz!ejN5G3 zB6V{``NyyE8QGGM?JckTBgDG$1sG(DvUR@?A^pIs20u0TcfQIfi<|Y!{uO_N)zzuN zqG9%=_oSB-%0Lj8ZSr~-^KZa)C+nTC_UPy1@|4+wg&oQEA*Q3v{TqMkr+!!G4CX9L zUT&A2iRGI3pgi*6m*f-5wK~8R)7vI*uee;NHy1G{FQINYfBIL^U%Bp@@l3WSa@-h|4|jU z`UC$*xv|H|3$I5O3ih`T0s;w(N!d3)`&RxQ+mE|PIZELtPlfme%rJazqhws$-M#fr zwa!cA?Xk$k^QvSbd4F>6D`j@}ht7I;fbyTr=Y3oL$Cx9#$Buyv`OlhaKB%k&{_GF}p(yHh7d$q)fkeSE{Rg1?l%)nyV`$+60&syv8ZGhr&J>$}!^bp0oVal7M zUjL8qiu%3drr?+D4Yk-wu$!+@!(-Mi|iQt}PHRR$gw)oEA+Gy&hrTSt%W#`InR za^dJzJ#asy!@Bq3Tj%!zVngEIiS>{VFJIR7u4%)SEtg96KK9J^dv_J?j zF#egX&oZ}oXJ)P?6|rx zVz5%0(t?rW56b+>K#Q>loZOfV4;d|4d`}Q>Ty(M*tG$EJ!$ssOHBy|AhRiq4yLLB_ zs$W2^H|{pQFWU2;i*He6pQV{KFFqbV@+jfEx@~+VkbMR;lfq<_q4t_tz=??qUY6c3 z?t!}eMbHQH^RQ5YQ>*1P6p5%2Ddl-FTQ`EpV&ln99W2WNa%`BR&FXQLNl%sLG z({ee~M|4pn-8=4gte!xgxKI~Y?*}u`U3oFkKTyud#@H7<(2xGNM@Oct+LR;G>(5+j z*c_r6WuKH)W&O$cIx(S5Ols9TT5b?A)tJp0GKwy5B#5h(JJ}bGbv4}~{= z;yv6~$))?PF`JQEc|=(sKt3#!j)|Nw?=*3Fxq7j1D>C>DS#CU3*l;^-j&*{q5R>lltu8*FvjG(2L!)s~x zomPdjvl6$wJ(%gP#+cMK=H6eGbscQXMpDP3uV7uZrT8MW^jELf%-9{WP=%~mD@|)0 zk4A;RSUad)eDd#ND1sIMorzuDlT&H=XsJsd?d9N;2_L^3n#VK=>6md^I3v`h&j@p= zded89aCcQ84wc>AuwrL2wqHUT(i121C{G!#37re`(6hqcwR{SC8suFq7G5gW3GOV* zRI9>?b%KP?JswYW2qese&Ln+3$L%U6K&zE#5V7UF$vBcOqdRZ&nIs% z3p$XSO=L0eCZw}aReA4rD%-EKISX3MbP*2p zhS;kCK%2eBjg_kk5jJ710nS6OW`;V^oO_q5XqevY*7MBetd8{On#a@1f zvteqp7j5&;KH8*zRbUrg(Da>AlU{XsMPUFb%i$C~+^cR;lyUOZV>PKahkshI!H#^q zf~Ooia~4ohStxcCu3=E$(4A3wx&>{5z712e;WJ#Pk984E&k7_4;#ino$PnT|LTz$S zT7QZOGu${g0{3`&RxFc7SCdcX2|?(&D9EUjmfl0%)3TGEGsP{ZO@^7OOR9QGfQewL zd}^sYaf}^NjSe>D_Og~! zmocxQ?i(FFdhOU-Y@B`Kf}}g0($e2vT#yyF)CEO5eie+jV|GHK zug~{ikew)b!UC5c^1enDFbzOG!)aG4Rj+f>I<<`b@-V$NlxoLx;(IE2PEK_)^bedQ z#^f%_FYL=K!6hP;Xv@U9z?~74HZ)_GATRQV%<|r@rTdaq1Vcm)A-6w1or4Q0?fDFP z)0gm)_B?SeWF|S)icc9(qib=ES0Ef%P?B48Xq^+$LnIPw1RfE-CUPD1*I|0 zE1rU~*;nqcCLDCshJ+cHB!EQ&=ZaL`Y$#_rql64UZ{#g8zx`!rf~Qh(Ae`!hSyYd& zd1^7VWrP5%x!E0PLc3@pNR|Z0P{*oG&B9%Iz=tU#=vPh*aD0Wc- zcNQtj=@ctGh9`@Z=f-u8^N}Aq4hc9@71>&z5hV;)dj1h4wYO*ud`zB3h~?0H`Nfc_ z%Xcf~x17#mTZC2h*Rm`(TWVO`*L7P{GV%@n)`21RmrKZJt2mV?1a5mO!KX5eB6XXd zPG2PmTU~hZD9BFw0{0VMmEa|GxR+QfsMV;z(S6bC3B!{G^NxO5CoV3uG~jB+%;HOk zqZQ!gv-Hqq7kf){SyQ}$RzHN1ih_6iSc3t;xxz`PBJQo{>${IZsQzsESlA2X_#-o`0ly z`Sp?^HoZKRS5c`696k@}M&V83t|*jx{|mYm(oJlmgA`9Qc6658jhd|Q*m%BaQ!T7G zl8Ob3hcVCFX$8Me^zaD&ic+OXj>l=w0uJ|kGZqouT4HE1KtoQ;x66mui&sTX%c;*; z)lfCs%JpORoA;cI3E0J+tHst*aI{jjHuFsw!H6bvdOL!2=ackx`-Dj;vlbe8F?(9P zmyAc|DeQka_B>&@EQ=$LlXIDGv51QT7m$?~>!9f9p;)5#qRx4GFzFpGgfthSgQYpO z=J0^!Yub6?EBE;23wiXr33dvO_F{n-&bcKf4=(F6(|z^|bLNb2;bP|`q|lL2jTAmK zuN0G(N*`F2MpcGMt1Vi{8S^ps8r*tbOb}qW{N+a2wo=WI{8HEty7kRx@tGP=!j;Kg zL06jIWz@B&*{S9HBT5Y2fRv`%A%}PuVU7m4yfgnJnc0M`)x&o~kAOm0 z)Gbn~LBa%-df`*5+h2OEMP4q>Yjog1z$SY{uCsHuYLQaD(ivVcpBnO_lYvKc6}q}S z5@{b^U_3LhghKgqRrD%AaY4AU68F#RH0c3fnAWJpV^|+X?Pt~ zxGFCtA}m1^)c1bTD%a3ZgD+C-sDzG4z!Hkb#gVZo3kB_kh@oKI8| zswX-D#nCU4L#ze&D$V$SI((w6M0*^cCDh`VYObGKjxl&?t8hn2$p--O`9$4C6bV2+ zLlQora?OZ@S7IFf7jqKz9h8mRZ7_}h6}IvPsrjB1#y;z>#kVTyd^zj$;qsmhW;0cg z16n)X(GM~0M|tLX>DisL#eA}vi>d6%srhhAeBkr~czhl)D0)LXDjk-aW@1=?5f^zZ zK?L-r(pvq1cj!92pfZF49r86^1amJUWK0srPH*^uhW(;aFa1n?W5UsIlv5MlDsCC- z4-)r#t!%EH@z!+`+nYOt$jDeK^%V;ciY;N&I5 z$R(S;sQ0kkLX)8zB-hk~I=pe+XWqM622z`z7fgWDOW^TE#5YmPa*U}h=4KlB76coV z#-dZKR_bm1UrqdSV zZ3~H&8_8)-@kE?4UIBBjAcjN@wV#*6a?4CCbL=OGx@#>|By&M7C?jufn)V~ZiCIl4k+&c7x@E|5{~MHpY>Zd*)yS{OUD0y#Vh zc`|DD%Q7kiIzGuJe0Ci2ZtTD5xYpw>RsK!q;&1Su)syJ}U5j-v#=3vw$=i}ZZs=>u zK$2gMuYupLA!IFxyI{FM&^)%$dG^)g`hAW3;Di`!v@(@*qq?T}h55SonYk2X)>h>OoD z0cyi~Iox|-PrFT~wLlyVOAYu5)eiBqp0$`rI}AP@d>^qMVV2DSe`!IzukWHfc90C2 z5|YSE2AVIxauweji2bTv!@+kYt}z8`t_H;v;6_XGx59k3ct<_#yP?A{(IFEXmb*cV z!JyvY6GqK;tUydxP(>Cs>2Inz`hm)vnxxiVcE;~8(MgkO8_+@_-3R=(nvOWaLo@0J zEO*AF-#C;|c;f?JU0r8Vbcp3rswC07*tqNBj>*t(O+MoTI}9cL2Y2}0K&6M8d=FU* zDWf)J(A}_sztn-0Ss{}pi39`Ed#$R5=nwcu>K*>j5pno84#T0GW;@UWz}(|D#)&E@ zsNDIE9f;}9KQzr_Zet=d-m*h0?IC-R1ZvxPhI;yCw=o47j-H752*d_QKbh)i9fv6Q z9Sl3FU6R;r@Xw!Qn~1_14BvvW5*)b{*yk-@Y~_e+D832rqY+*O9gB}Y0$U#;hERrG zQ3tTxeG|a6*ia3%FG<`nI03#?mj=vAgOIbxRl3W9oMyrp!NRS*TtQ$75Te{PQRogo za+(LDsQ~rU=7uu59~bnO?j0j49+bpML*QPt#9Unx_cvioGe7>Vb-0JpEDflOCTbCp zef~WiohqGZt_3k&mILl}mPkwj_XgI3KtKj4D&^8dssa-3b&hyqGl6QDG-pbEi*u;*?fo(n}^EYc6^SU zj>No#h1-ZpU5BsB8h&!Jc#QJd;YHuUA*X#X|8O}BC9Z+~!$nb$(OSUk1ea&m!T_QQ zn4y|`LSo}49DRd0$~_*h4+XPBPawJye2FpfqM>0iMs2wYXpk_k`tK7xTeVF($E zM5V=#Nc#?qCJbU7ca8--&y1)rCC;55p$FB|M>QCIOc7FNmFARmpMFVcrK@^SCUoy3 zaypIpr}H3I1?sgcwT zF^7ZC!4ZL(cm-IG0Nq1g)Ai9$4$z51pT~eyAlwT_BCAepjPw)bC|MEot6qx{D{SHd9rl8#R}tR#+ik68%dmf< z;S-@N6c#-Z&F9Bj%@4!0JP|)5e6!%_IKw0-*fW&tPB-s>l~%KH81PTI#Y~`AOi_2w z7R^nH&|yVHi%e=fL;1t;ry!7R=x90XS@1UmLe3z2cF9uIX-9Bbm6w1Z1Z_A{@b^lSkQwfS~g_uK(%zfJi3CfZ3R>hjA^dq4vo^ z*)ulCpI_I7SzeWN&F5=xZkT$sSxfa~$=~#lNeT{~ZN+X^`N-JrfioVD9oX&;QX~z> zGkWin4{*}Q;1|Eg4vKo$gf}JOV`;r>&T7%8e$g`9_5W*N@bUltsrt$9pZtF{J(K$8@4ul}sg+gS?)*zV0al;&X7%)k zb?i3oju*B5EiVHX`KBcKBSK5co4Qu1lqvlO+n=XruB9=5nGYEJp8n_K#0#3p_Pn2u z2IP&-CGoIM-%)(6oFc27aAlqVPK4`ceGy3mnC4#A-lzExYLfT-nv7%YQvHH;V+3I)_u16l;{0| zM_&b6kH6jAiu?8EXw@PkpL}cg9`Lu~&2rA+wr7A)z;MumMz#B06|9?H6Y0xQl2s$I zWI(x(55R|1@1K4%p|}4OE{Z@4=MK76xl7 z*vM0oMFqF{Jw2Cdo;%NesERdMp1d;&M7-ZG@#m@f&DHeqq4lbMLG{h{{8-Dw!^3@k z$(4NAF4-@uK4dcMaJy<|l7BnLBdAf*MAR&Dn$nz7sMh}8aiW}6HI;jNfo;bpx2dZj zcGxz{>^q%$`d;(1y>Y)~Wsi{Drd^52+>*AC;pm*Yind1-V0n$T%YZ!V@85U?Yy>Lu zF9jPccsyuSerS1EdH<1O(YXMN;ku+RWXr?JSG;U&3)ixuU*Z)X(i78XoWjJlXlNiy{Z1Jb)Q+g0hYz4_LweO;G<>`W2jpj8em_sYsb`NaKL za=i)kSQ-aaf9VaiWiZ=!jU}06gg4Tu_sMkR=giK`1ez`8dJpLhl#6j+^<=Xk2P=F8 zb$#8OcC#7=FR8)DY#Gh^230VL0%3vYSiHE8+`Z{_+-fNiho&2 zW72{npcka+kBxNlSF!ED+IJnzdj(iXCf(PV8o5REZ$4bW0h=X_dFI7ULHm8h<{^Wx zt~aSq+zWV6L=(O05op1;Y!*0--Nl>S>HSdoy?9b1)qwYp&SRsg6uyn6{cV%8_4Nzx z0!5D>9-kl1IWmYrLw}<+fVBXA+%RS7w%YPCf0IQ}*WRrnMeZlK!i;2vTsyvklqH#K zTv`vVZ_?{1rNvUdC$`yRHTK2><~2WkqA&;#BQ8*0+z2_Np<1C}KfWXKO8(exgkhj7 zvYN0=`i+~a+?wClCly~QkLp!0`BPRS8^Cha*O94%*&mU6 zE|u@u;#z$gJmOYoZu!Q;^?R+y&HPnIoIZRvGNsIn)T*WQ>&xm74{Q4}4;^?He$j@+ zx$~WAJZxyJZ+gGWA8SS#Ion?7*b}+O`De3w&0Im_@b67pasb2m;*!kgRXW%q=flO- z`kmD(_rb_m-A^tLLiPY{y#L_(a!N|@z_41KT}Zu(E#K0M{h^``io*t{ukEC|M!B=5 z?cmxDMYySeZJ_GjlyF)1;>^h4u=mbg3M7>h_tW;+LZ))rVb4S(UEj%%VmY#9n87S zs}E~8SldqiUUD?g*Zi%m7pQ1|TfW=~JPY1x+)Ir}L4?R-zp-h|(eJ=n5`e!N!p zeEWx8FtBU6YC+!9J2)hHXfWPhSR!lNPOwqN2FclybfDMdB@!!1@u<@jypN6i$4!n1>N$D*|Bg?o&;JrW4K0cc2X2)>(?Es zRbQy{a^TdDOLe>^Wgi|NWz1sP_9bmZ(Jg%&YuV@dVxlNtCTY8T*o*5c3u# zjO_cqWX%?h@SW=O`~7#H`+1)0-1j-xb)DDiDT;;TW8sM^AnDNCk+(tBx52jx004T? z?!v;8$cTnL=Xf=Ig>wxs*)TA^9>uaaIAql%%(=7-+`on`Q$=0oq#_7!7 z*QG58R#Jqbom=#(?pAgSVu=3R$t#fbK}h(@_X`4%g2yciPC1J8JF&aByp{)!DLid) ziz-=f&n}n;<&_=L&mC|hNjDSk{c7Kz+%DIC zxI1y!ey-Q^U&XqFK7d&f&awqa)k{5f+gFTutc9IBW^ybHZobu_rgWwum{*w2l%;iS zxowV~kHhTF7~q$*d$L5Xq3EyEBHpi z;6CxB+xrQks*!RE>|cE1-}K1xyVgdrj_-8MPp4ambA>EJ{_g_}CoKzsM$5JP*6Tpo z`o{%JZGO$8BpNR@2}8*Xg0Gy!;q@}SWg*2xqx8aYhXR*|VPv-Kxv!HBeHQ)OQ5oZB zesv!|0vbP$Mb!2)`i9?gnVfRIJL1symGKVgrCZ~R(}UR`j~+5T`|c$7kd{Hu^?7tU z<(L0M9@+}w|G@v1S{(1LdH~K>H42oR57LzP>_~aFCRKZRPopFjKce&2nVxwDtld!| za2lz7N%6nudJdi(unQQP?|VNaS@FcWjk)6i3nV-D39E7R}8YzP!zz3Ioirmc((sHQjk~~eSfW4&HC<&)wgT~2O zYs0Owji^pc(?SkEj!9Z0ocNHH1CjFTZR@kCJ!Xc4w70GOl?*Hly zPP1_BL)`f3q1EaEn?d623Q7##C7%^sELYbI7?fjtqE;F3nqp-9k$z$++Ucd#nMK)+G$?3AZl`TmO#esCp6rRHRU6_NkLYj5C{F=Rd28&TXJey$r4Qt-yjlsWudoiWl(q3ipH?{GVvfGjl?KHKe_@O|z# zD;9cBrkr0EMskQK+|RYvtpD(wEtmwcC+RZbR_iIj`)dU^=|6MEJ(S=OPf1s89jsuY zXX^L@f3a5*9{v7Ml2V#-M292($uAIi~5 zDuN1(pK>;GRf|obGD`favsy=AO6O1M%xX|fwxRN$CS2vE8x6C*kur;)efa{xqoDB} z%iz@QNB6Aa2@}HjWgb`fAGY&o?`oXs->6Qq^rI4wj#`PbC~75Y#CquW;`*KVxxplH zHbJ?sB=H-}Yykb&ZvIrlcUrD^+Z)vqOi?E>BG|TvC!1>ij)54CS(@24M?uaAdsbdV z2S(R4}zyB3Y2VLy0pP70FD3Ttf)h z^U9Yz;{L__1ITMeYM{6vfnFGB)OJ1E-pbRq~hY zf7~YCMTj732HgJ{YRaRb9)M9&#H0Z@t48%onFj9rXEDTU)>4odYm~QF9=(m5lpSd( zf2HTCy%e8t6o&Sla0mEf6vdh|!iJR@vHi;XI7qlIAZ0dmw%{zg{5S7spo{bB`flCE zYRqxJM%#NJxmH|Iaai7MXh+hOWUOFna=sUPToispx8sukK^l0^PKEtTwFB@?i1Un1 z8^$bB_(@#9v^bR<@{Ou#R=?H8DmtkH={U=SXnS#Up6d?>wm+Nq@LlJiCbRKnYkigV z7K7VCE&pItZ`FknW?nRIntfbL{=4#!YVUgBu7zF14QP9##?K zV*`RKgE$&~Ub_5n!Ny@ELH1mVX@RPSSgivmo9G=w{ej&lGtNdapcrfWM{YI0fpsgT z{N#RFOby@1OsHJ*F zE7gqp|C-TV)Plu8ri#}eyTm#9xV@!+;CA`yErZEZyoiR?VMQDrTQw^sR*Et1A)13P zB_G?@R{;U&AszaJl|Lu67sBm*F}h9nB(4B->5f4zy{+%sZgzB;wP zB@5)~3BxNsl>hq5u$i!UW9Ej>BZz&kt~`K~|6*+SIj_q=3Zh=)_3%v*b)ng_fe8Pr zpouB*x)kADh}!6RJ$5FmE^rMEgKTaMcdJiX!68*dZ;GiZenah$@0&)u0hNgV5x~&Q zEw45n8uO64@DXkYwf9{U^$X;f2hG>Bqs$~zo`EjK#${M92m_bs)wGK1W(>>mV4C(Y z_Eb^sJ_N&+>a{hknIyeJ*>fD#{W)(@-coUlPm?Dp;b4X3y_|$7ELV>O6RBL71SWY% zO4WTeod%IuC8ZAiIc7jJuei8*BvTSW{5EzDM-XF2noOOH%#d3+4@bJnMEfJY^%dC_ zNtECx399r1HHEG;tb>W4qHG#y#UTJW2@ zwBp#|nXKJY&)ImSQdMpnayzMh=|JB|za6xS+5R!?4CvaJK4 zd$s6Now_L05(jP}ug+k045~W`=AJ~3psnu2_`>sj^l)WZ1%YJ|!u&l6$;emFz|-K* zQ%EU80!HAc2x0%81U%AMm=%N~uNi!@Y2QS@TjLNBSP&u1+;fj_lYUcGi_epVR>KB7 z9!!IUrjh+<%{!j~_)5qhTtI+9lmOBC4J`7E0Y#=GcGfHRq&|s)=SS)-DD$J<$JOCO zZnTTAyL^Jj!X5BM6BV#SJ%KRMK6;12)( zJ^OW0g6RKJoJWz*{Yl}^?*W2(!~mv(6Jal|qHwH+1vclm(T+nULvbc0T$LsrpXd5D zD{s4*VIO5&G>vply_*Pkc&cYhOgt~9E=o|-a&KzeFV?Kb-@>SNBOO07rotWKioR5Q zK151x*pFT5B5AWD$IE5ji4c)rf5}!`5VgZ$g1}BLzr5sk>{2UC#(xf=LP7Cqox{(GJ;IxGu^Z+h!J-p!$VKm^`-99XG=c{H;!YCcHD_ zPj!j_QNEzR)w$S!N6P)K&U5Z>;JFo~lpcYrAWf7nRZGbenkGipK_$u?0M~)>s5^>X6Q!@d{9)DYOi8vVUzS#ANn7=s!UlYX9Ml^& z@JwzE3|>PHT*GM#mBH_p>X9`=?W#B$@eDU3yV;$av6<%BluR%RRyVUh28|d)yA-%} zL1CNVuNz3eB7ALeUL%12)u4VJUaqavNRQz(_W>#Sz#NhJ*)PVRSH>`n< zeVHrhN8#-vCd*Pz=G2P%bGQ3 z2a`4BV;3W^YKMA4Gb-n{!G+t%YFs`PEg(j?q^+a@HF*bscfp@`klsbO+Tw-xc)9oL z=hsNT5957z)DP6;7vqF1osC?8vM*rDWgb*oS1&?U7cu2>wv|{H3#@&XGF2J=pa9UK zf6N-P)RgZZF@magXcPEH@!cl8oWgHqsC^!SuMFyu%|e%o6Pxg13aTPV$5!=mxWky< z0HB+lk}=YR|E$nHA@oHA4Tur+%al7z_Vvh{p~AXt7TCtD-vaQ{2~?5}WG;>$apqW= zfWsy{oxKO_Lid{ROA3)Su+gLkhhU*YSD@j7rD$Y{C zV?UA7hWVIlg<^y}Z5?=|iQDxfFhHRoEA?MqLBAIx)M+c#!n`!px8eCqR2y|UK~@Ep zCnoiy$bH0owQOz!D@&~L>l~9vN6e>SP)TsiH)P%=)kEmO0XpB1kd?fMBF_^EufW}Y z*&(3FkeKvq6B((SDDpb7F0xI;PXYk312LvT6G_PjDBPT3wvEUM8gMumxq7KjjL@z9 zTWaqeTJR={?bWd1o$DuH$}w^nZPo!lf(ugg%*xyp(EDP9?Y|eAI|Ub>{<+XFGnT+Y z(=Lp(Q<7mokawuS(x+&L1ASriju>H6`?m|fUvI%r{lQI&r-8`P;BZ9j`EhP60T7^3 z-G>c&c7q`e5Zo6{YdhN`n$Tv@Z-4)p6a@xnLIgds6JxK4&_NnN`3vrfc(lg>kND_S zEJ2Z`T^ct0J)RbFlg`cR@qc!egjBp08z`Y9VNCdu7~hB?KHT(-OR5(S!a*8aAzgJP z5WygIfk4m-m3wzB6nhg4TLswj?T?TQQi6p1SIXUWJy5U+T+psm-1A*(D3*;DW+F%q zTX*3j58=a7U{z*cx3Gjhkm{7s!bTD^!}Tg*@`v0!DBH;9rxdSiw4tT6Lar0ORxu+A zz1r265GyKJop@zw=WuXq4}{0yT*)X|0S-xLceC~WFUrM+kKBR>z^0K-^&jcL=g$b{ z>Ag&F_U0qcc8p=>XKz%=SXEjd z2{1@$5$X(p*0C$+*&!xq-0#6MZKFh}2e3=(g^-V>F zsvttXLAFT^Dgw*K5VMLb%xzF%sEQ;cS||mST1H@V8UBpAbv}NTF8X)?<46%#TF-JJ znkaRW8RikJz-5#EA56!TXcl~`r~6X@@Qq_a zBs0GGl}nJA3dvzLXVy7La`LW8lttMl*+jU0Y zO>tBc$NQ@5JNcWdkeAHpi8k*m_y#$R8r&K!qXtFa$oHs$#OMQRps_^GaS`&ujMi#V zgL$&Pi_l)pn$*D~U!b1i7ySO&M_l&&TPnlUy zYF&z>u`PS9z^j5n-q7$j{1P7YgVSlf2GicJOHTTLsDFb;rY#DeX8>Z28r4$hz2IlKgV_c+ z)2E>6=9Ylr=F?uwQ*(3k9?M|L;pL-B{pgPQ=NUz${S&uK7sOHnO#!9lRS#a`59@=Y z^tILD==Ail&3j+#dpG9$0|1L!yR|9j$+VKdk75^I8yxMfKDMb?6)^yUPfv)lK7+4* zJ(TM|&gT7U?F)>5-+UVFSuH=E%AZ^uz8x@gZ;5x^pl@@OhPUU;(Qb4gW@vhTuw%9K z>vdPA3%yOVw?iJ+c|WecH8dTBa!DT9ZgyPK%N*M-r?l)Jbo3J^zcn;ioO;PwBzQM3 zYg9K{oL4M9nP|MAUDR=WzuF~bSJVzTxJ;ZUy-gx*U%UV$utYmO2ygM?J~O-dXfot| zsiK9i#L>i7mcfQV5#{;)qfeI2l%U|!B2qzsp5ecfq{aE|suuaCX4hy?2`_tPX?HHi z^8KUU;Y&kW# zW-Z6GS_LiwTG>vytK@YFuT{y))DO$AMWcNO3rgFH?7HYP)SZ5m?1yZe%z7*(it(t~xcdB8bYV>U{`yH)F0_$( zhon95lA?%d>#QUFS}Q*-FDo@XT``{iwHN;R=HRqPd*6pDo8yW1O7W}ullrg!`D`_& zmnJI+eE#WCc<_;j?(xy+aI++fx@f6ld43*WfvfFm`r&qV6R5vgk*n(GLBp-YTMB08 zdm~~Z(Q|KZ)8?<2h7@%z54wu=`Z-Shyl3;(WcX-flcpfV-h8~wl<3-gJf41GEp@Q; z78bVXH^?_ms$IIwpOIEwRkZ3=upHEso4-mb12h6zhY0@sZ`| z0*?HBeF4*5#jL{B-fQK?s_88I5(~>)Qzb4TC*Q{Dd{&s%n%hD}$2j^5{-x}W`)-Xt z?u%l%5FggHN%<8`v-WX2Jv}|3Z}3usMR2X6<@vSvqk*A0O1WQLeW}aq*T(M%J^Rrr zO~9wE)$l6wn>GKgc!V782YHX3ngoOF6(Ih@r-Q;90cj@_y~JHkbA=&{!hpb?{aWAB z-sQFab>imMT4A~j;C2-C!HMC02*=@L*Gh2u;D}wuV|lfoMz4Y6*8h~_yixOI9oqZI zG6TcfBe_?DKbspIe_UD~BtC7_FpFHaV*`eqmS(+Pe#*z}7Tl5zuRCdbpZ5F>q5xCj z+Wf)tmO=Dj>B(6D$RA^A8?L8p8VMZO1pnBpaewvC=IjZjUG+)3|Gv_gewvWUYsTRs z&%q`I+R|R7t+Zb)aXdNyDIK`RWqaQ*_30k>@N8&-b$vU5FS*6lxm+ymV4aR+Y21;K zqPS&@Eber~%rv+Mot|vXJFrBH2_rdYEVsAp_%3L5G}bF`i@*D&?8f#W?j$7c1nADP GHu*nI?%-Si diff --git a/docs/inventories/v1.34/objects.inv b/docs/inventories/v1.34/objects.inv index 268bf7066a9b7d90c4f42b1cde5188023fb10311..48ccb98994b12701ec9845c0d89c41a057ad2715 100644 GIT binary patch delta 14516 zcmX}TbzIcl^F9nq_tGE@OG`IOFDcz1-Q6Mi2Bf=m>6Au5x;v$%8>CaEQyy+V-{14s z?w&noX3oqt*EO$=kF^**wHS#~@Vvp$FerQj6qFwb%yDw+otB0XEY^yTOmViX$0#km zf`eSwMXC3A!iwxEW~bo0GZh?b(4*k!LGXRAu2n0Jvzpm5Oy7KFyv2UY@D0JDl11&a z%Q@BO+Yb|Y`~snsf)2e(J)F9_srmsVYJ&tv6~s8is2+4uLGfz17gZ?-p`RG-niY70 zd3oUEfoeb4NzxnK&+^xE(G}s9Se&@-xJV#gqC~EDL6w3cRY}(9nMj$D)}Hp`A&C6# zn-LUDHfV`OYHxXoxtggOi1jqIGnZATu}`K8O!8b}x2)8XIzxGh39)nN-Tq$F3WvfC zSm@=!#kbNU2;}Y<*6xi%nw_HMjuu+d-!(8! z)D-;A9j8w8q&yuQw%uomK4)rN^5Ss3*58n4kn|E)jSC^h0G@9-hWUoMuJ1K(CL5mE zfUn3u?DF&|#AD!Heiib5H=#_oTF3K>c4fvKsd$a_{Rf=jH!3T}!HRzNOoqn&<`XCB zL<~7L6L~VXJcY#?33|Ks2^ktABI(ZP=y563q3%j4>v1^blofde~tQ2ouFZo%=q91O$5w0+Fy|&;RQ*T#>Hd^F}*7jOvA?+Nz8d9J8gm1x4#I%iI;%fZv83dCI2GOJ0m2H_K(C7DQ z!d!wuRM5y%1Gwo#T|J&?^g*#(zeZ*wY%NM`%;3qecuZsqP7t-_L9q zZU~40&A~+Q9V7PmRv=6~1Vk)+oY)tPRDThKK*MzuPDUBp!xbB55P@6H^Ql+LcZXwf zF@}!8{>{${!wItHngV(S9Gs-)dhde7Q2|&|2#5?wSRu`2pPEq5NARr-+DsBFtV7`S zAyHl(TfqURmriw5Z z94k6dSL)1#wg`{gIy5fzp{vr2`D2sH17rry-6^WNtRLQVDzUO_uEEEe_`3}tx0D{t zTG;23$uYn^k;~m=l=90C%kmAl5n;R$f3K%Vc?LPQjoOh&aO-;p>Uo5qg6UfDg3f63 z36JXD>%{OoQ;+Fj zYj{?VAE8KD)6oW&UwrcH+|#BQD!yWi`$d0$GU;~5qS!Iq0{O9aH4I70%t-XFgdnr%8k2~A_ND0xBcM0Kh7Fu3QQj*Y@(D;8g$3<){6TQvZIVwx}P&&uat-?!+sWV-X1O4VWu z_Bi#_1PhAvB|I?lgqwyKPnI^n`_Y17mZ2aB;qrSd9TA2_TqOVOewrEuoetXWW^!0g zD2Rdh?312Mn_-VvfL|HkjJjD7MCQH7xT6qkB^30Apolg$#SOvRSY|WG%O~_k5^bcA z8O9O@q9;y`H^=V^lVwv!xI&)AfA#xRf`=xZwsHylI`j}2oF2kD_WrZ!ii z;K0G+!$EAgxo^ULdR}cRF0Pa=EdCA6V}Ol?g9Hf8N0fuY(4EC9e}z07Jl~K0>^|%R z!$=}P%47p~HZod?ZO36xfq8Pa1hS8Rd_yfgmiBbT31GnyAazu})o~gn7ioCdN(6`% zUKfTE36cWQ48Rm4LG1L@oXnaW!h~qozrQSTeW&8vPUq-XpkTaO3!uv3=(`^pd%K3=|IwCFW&KrgfS6e$V5&Q)I_>ujS} z91?`Z$AA*y$zW8mpbHS)LK8t8Xz~^C_}r1b;R^bfU}~p;dQ1}F-Vr%(Q(MG zw!F2X4ZEeNvg%tWnt60$zjBo31$EK2osqebbB+bBtYA>k5RSrdR1xRTn(?W58|r^j=p3$J_6Rj#Faj2pZ2vv(f^H3sJ(#%|M(DFn_yO786I zO#Qpcdi?x1*5vI@Rfo4+f^E0SRj*<*6K0h${_x+8W6m6+tUo_40Kfb?@ZN~rF=qSx zBy`l`_!(oIn4fkm1Y{Zqxw{BIh zF7}YSl-5t}PHoK^2N+}uy;t7q&SfR?eIjXbS>agUCU)ys_aDJf+q(+eah}s%E7TV; zX*91qLNPY*XhjosPKe+*s;{l?s9NX8xju#l2vkg@j+PcGS^Im|f7jasesrZxve{Xw zEk8*=7dIW^(N(y7Z-~8eF#4;`D{nmV`1SC7idFY)?x*o3x>tkI=evQ&#_NVAOAUv4 z96PmSQLh%mIXiV*_c$?|E*Ep<<=@3dm8qK z1yA1Xg`B9i)3W8wgmkYz0ZoQwZf*YR&fQLEa}_vZ$Pec%>K5*oqF_Dhpq#revG|S! zP%Me(&8{aKM&{GY?MQ)-VMsJ$k3T|cP`-zo86UJ(d$*Mx)-)J8T^#+~r|P5}Iu2nr z>WxbOHtW|LP@a1RJI>b2U22!vXy*5B=+MBgy|VJ`GK^qMEsZ&h0b0`TiIHogYU%RuGz0yw{IQj^qcEDv|Y&wLJ1!V5zNv=;Kl*dzRUNs zoKIG)M(#FW3pUH?^UgFAcM$jom_$w6W@7}>dWh=gcQP?OU`~Y1@0~KL5^<(usr!~j zSQ@YWf8-=IBR1-O#6%ozka6tv`UW3r3nM3qbo?~?z6Ds`I9woc;Rn4R%Ev^sPl){( ze`Duu7`G-4OM_d@rw)GWVt)NFxp$kgM9yPZwz6`1g&$5$ig_UA7qq>~yT;nV(Bu<3 z+eBTFIdZ<*1EqSK*?7&59ACNY*fwHNM)gW4cm<*N%bwEjbHt4A;ov5!xwN(OZT<10 zF0K?rJ6_=ORjI9k(F2$hKl++vQ+$7gH*i0*=UEa5-h-mjkQwV&N&breHQOYBk{7&5 z=ECqk%zvLJ@$0E`rPnwslH@C^Z_aVo?+Ir0|z|+}{V1s-n z0JzAh&HM@FsPG)1Y~T=WOGDuIT0yMBpf7RlT0ZHPu3)nd)Va(|7#%-y?GRo~!xER< zjV9%!e2RFJ)4Uz|#_oMZG(ts_%~!EAI?YLk0iRyPp&WMH9b`EUw|3pUJqvncLzF*OL2 z^sYJzETnKKSl4dj9U1>l_T4B^_uH`D`hx<{hzYa8F$zxU;U5tFHI?fKcVwwHB((nA zfh6yw{cUYgoY9(O*+!;KY1}dJHry#Nvel$O>+5hW_f(kjU=GIkv~QhV#@L?Ex%TPz z%uSg#H*$3te$j6ofhw^~{ ze?;!Fl{?90t-Mgrh;r@;sep$~gr|4fqeZStXA1%k{@a`nDOdQLyo_4f>s+7ALU)(sxicQsF%&dEB!-BaJfJ+7XB zVgI{L(z5wk70UL9DywrCrse?R;itX? z;&v^ON%wB6@R0Q3v8mv6qH~bq=y7qO*H;umg7wnb%eiU_w*O6mfu@-fO z0%FFz)l_FB34AoxMHoUD?tXVC9+CoqY$|6%X*1I%+oLsRcc*MF^9SX+tGZ7u%o>v} zgS*~rB@JE~JUgtM#xZ)|lqzsM6wJ62#;ZZ$B?Q#-(PY=BjvsT(CeHSOz*)a?m78+& z@K~9O{iVW{>a{o-EbA;raAuyB>fE$Tl zi=+RJP7S++{?Z=+h$`BOe^12Tc0OgLylMvb84T`-x z8!`XHo~c0hB}Ycngy|_QpF&cE#tMT ziNZ`-wk}?*CN_NA1jLL}9O>2XKdRVt!0W~CtVJOrI$ zV__yYBW3CcV;`xbv{yboq|V)?2po5;mxwvBQK0#o#=0s-GL+5q3 zw6RU{h{?e5DMxSlx{mOlN)Z7bWE4Jb|Mz}lzvG@1D70y8U;ulD>!vnNt^S`nIBu9izv#`I9RmsITg)xF&b@T zv=-?TTiP}(j05P7_DP^Noj^tlzEfQ6vb3c+-_2*UaQ?qnL`H#ED6N<34UeO9YrZq9 zm~G%Bi#cnXfYV&}mE%%)I&!au_R6xdy?~pVPIY(vHO4(Tyf>l?l=6Xg0!34An~u5c z`F~gG%YG=K^Qg?cF{r3jR5Cc-ojX1E9b@%gM#m^Cody`}YzlC4!(eA##*c$PFo|v% ze&u2djI;T#G7o%R)AN{SYwZ5~{7Dw-*30bht4hRWkRvwkbx2W*=QySlh)ikL7;d9# zoN|TN-?4YkVJI-y#Z1gV@pH&SiuES4Whlw=%-cpo(pCR4v-GF$=I@hAPMEEhzI6&N#A}2aRk` zu&?u)V1_)Zw4rU67loei4PSe%>~w*#(!bw`mAwx zQDQ5;h5Kn19m`#LD)UE*dX|RMD-}6t{QSDH>7KlfEw}^zL`i9xw(gw%4~Iz8D=KQg zpWgAx>vu!esn>X`^V+Vg%fbR6qyc`&OKDlQDLnSco|30jeo^+?UP1QP&BS&gB1HB< zZEdcA%21=%2l6Gt2h6mF-hu=BheIZ7B#E*xf#Zr27|lc_7tyNTribv4%&6|m<^f;# zh5&vQ9DSR2Z`}lCxG9PqJvcu)`3>LaZ7b7IU`%6ow4c}?A+}ypTqxbk;TYSEGtJmC z8a{#ZXO>DxzA{=Wj>V!mLBz3TL6Y@bx^U6}zqR#OESp4=Ja4js>o*sv@)r>gw*)j) zS|sVg%M%{+V`TShf2E?n?M212ss@b;klRJhe(okgXjq|=z{COFVo@!C%2Q$J0S}*?Ex@=K3vp3OM0QmG?zv@pDMHoh9q>s4xQz;p#B2eiJI2RdJyd8EfTW;3*a6ZU!=}Kia7FV4chmv>2 zD%E-aF*ju957+UWp3Zh?JR(y4PJ8r-p5`md)gNi`3W~G?x?D@)^W&~>hB_8{Y@Ls) z(y1azSzaxElcE#BMnX`^04Nufs74;e(s)VaC9g1)a=f7SX+^9DiqOtk(N9Yz0LG3y zGN`cKIiRd{+3{C$d^zcfWd*NSbd2L!GvK&f>fU;0r0hDpgDRX)6%K>n6K{2cM18vl z=1fx{CiaE(vzm%4BF;5R)|G!98Y%cU5M(k@79BX*#vvDV#D%*XZ#^a1WSI!p#HK4W z9mli<+$@gk&-=f#3Gn@y0f+7ZyuY72mKY+gwi^G6S)0PY!xo3IXD3^#W+&H8f7kK4 zVwPG?siY`TTEfl8L{qHQ&VsX)wdJOz86m|iQ^Mw@7s{5K|6r_whZh@rBvw0|rwd_1 zB%Slj67O8DvtaoxSiUm6)%r6YACa6cI+mOVvM$IlK77Dd8=3RkT=qi}pr*0oa4k(N zRU6%|N^6p>z!J~Iz|9@`I?m8 zRDf20-X@K8ofh~QX%v3&JqaV#tXqF6VXdem+7kMJU5L{@W1 zW%1MyG!ic10vf>rERxhGU>o%-yNS+o!l%n^Ozehdnfj+e-Uq?$9um>m1tW3i{v6ok zN6+(+W$)Jo#K<`mx0LQ_d9A%|zJzmw z>V#V<tc7?XCkPpXcX3p~(*+_KOO}pmY_75l5Qx8Pf*k2r5D!0ZZst$e>FIgR2ir z;_P(SRHrV1FcY%8<$As=pXRiLYFnQ_wPL z(P!R50=91kCdHtS{)c`QU+lliljSL`jajZp1(Daa4Irgf@s zY$1MkJbbYZr3RFJE^26qbDn;?d#xWnrK(^}0-eE&_(Z3&ryr!ZdZv^zs|5i0u*Ijv z=Vs(Ks;6HoeD8DV(e=&1P~PI@VGmEE*Yj7QOJ>UjLtzuKmZoB)hgt?-JzYIp?-Cu@Re zsk3nb-1evO1L_~5<_>|pEkn&YuJ4K~09NaD0B;s1pNviyYreQIyX|B)Mf~_fu0EH@ z8-w-Zzs_wL<-}Ty#rMkwODNWCcfZd%)_u(8;pq-RFe0R9f)>sW^C z)z&!aY*fz3Q4zA3cQh9j=;Kso8!|mM31H{PoL_CHRumV-xgT8ee#LB@pMHHl0{DyD z=)My-M23m!O`_Z!a z>FMTI8_hJcseD#$?X9K1aIV&dfMV^)%LI8}_V3kFsQF^Fa4EwNEQ46m0iGjS)ht65 zxtX-ZhT{`LI+Nqpu_h@EXF2ZkMt#@%xmQ?!_X3+bmC#Rr)1K6{EFP>ijOa%oS+kwh zs2ottd*5*kt&~7fySEl9wJH3509nL>~BOo_X6|qcaINJwnBQsSsW98W~z;@-6J7P+HTC7R! z&YX(xMghCrp-{rG8dMqFQVv%7Wg8DhPgMm=nxYk}#n31asNq3v?LEW5EUBuvlG3@5 z!;o!@Jsz2FBg-r>*ZH4-)&%3Fk#%dsd#Cu(J)i6x1ks_2EEPE>5K9rebu_Jdh+LBT z5qEEsC|xM#e@pSSZXv_}EfF#0Q-_+lF~=ek)eO~0vLb4=cTeSJO!ayH zE;KMfUOFu~bCRTw!QS3$LN8{)A$RH_>*0pvx~e%AM2{*7fY0Wf;;GdMlJF2UD+~uQ z=`BKo=Imhje=XfZhD#ptkQA6uO(nm2Exk+Cz*CNz=ZCdOG85)&Rv9d{^7k^0{i}-S z*Uid-;|!Gp5%!waJ#O?=YE+5MuA0%Df~-`RABS0(yB47-`Sc@}6KV>|Og_~Rv>bR? zQ3xmc72vep8e<;%!+-E(#llgKP00RF?Ge5&@NRj;?7bFDCl4$^U7s+}rPI2~94(K= zApI_BG%G(fR+YPwprumi`!E_^u4?qp-C0IRXfKZN7a^3gv47>1ZunU_5L5nA&MKSz z&@L|aI&tO@)r{KvfG1b$dvT-?c{N1^PG&$m+F%~j(jqj8rfAr5OifZ5RY*5_Z;vOu zW@K5NcfWGrUDAt@fPCAXJGOa_{xsF<3lOEgzW@J96fOo)i^wF zf#xwRjXPDE={C%x>dWaeDk8#jKXY)iX&{dpWt%Z+^e`%|dqch?SSWfJjW#!wNfjyq zKBdOqNNj7TM`uR+Lf$DP%}E$thFVNJ8H3KO|F0W_0$3ynErZR75bIoiZC;NE^bY@n zF3>P;GN>0L@KH4XM$o=3(}DHC4V{1nHN-=J2Nh%-nWsZL;dl|e>YGR5prIal;5BKU zN>KbIHQ9@585bQhAG4NIQFC|_M7$8IdVr`Bt?HJVjIR*iNW<E7jMOe4348q9+%2}0F8<~@eM^wCUc1^usZVGWX`gr=G)uabZd<_GwA zgXBJZuB60FrV^+a2OVEHbGd?)<{Lv_*mNE51-DxTJg@jr{NtNKMQQR;>(w8|eh;Af z^8F-tEcEw!^c5zClJ()i7cnu?r_DA{fg~)LXz5V9tg?S4{9lVkWH7<-tB8>#2z2px zYdI z)RCY7#pW>=W;V1U^2<}YRP-XvP)XS{MPr72=Kql-&{QEDQu;y}FWREj`a&5M^)K>K z^%(ieINCrtm=;lD${Q|NRXsHsPa(R~wt0+HVFZ<4>OU4LOwCd~XD(tgYIq6Q#u#xA zwGc{5Z`y3@c)+r`tcn`~V3}~3If?x{)mGV4C1k^d7D=L#D{wSvfGYT@?_C#?3N8u?k#F2ZCo zNbeho{wF5-O)m^=pRIDxVdUZai+H9&oxIJZg8(E@AzSM?Q_Q6N$XIIbQY{Z5cY-8*XnaF7yL~V>dM{I=_O#_|HA#8Y zvs3CYJBu({mXOlC@P*y1!bl;Bu{T(>mzjM^KSNxIT>2_Xa?GR`Am?#T{7y{EKU*y( zmc}Yi18TEdl8QQ(TJB;=n@03iCWY*)P5r*MK~^yyT!7#IFgXw!wpaa7d=+BQLIEw7NP-KA33OdhEYKll}nRW&P`ZS$*o^XoCcx`fAF+c(?AX~E=+RIoNXC{_NC}Z{S=h|Eq`Uvu;>zD&t6OZ3 ze}0kbf!PdP=Y|*hX8wj!Fsh#)8_mgbVtY_Kp*EPsxwn^HE(wQ0P(uwTK-#d0T6Pz^ z)HJdz!}2n1kTK^1Qx7XqZ48S#h%mi80tqJ2S66l(e`j?``RP~t|LbPVDpz*zcr&+< zk#Dc|Yl)Z&sbhP26hhSsVv{))@&;S{3DHYY^DDxKhHm(i7T-U4brH#BphS2)=KeTP(<0-5F5_qU|(xl9$Uv%kR^tRe^ab=J- zK`;(kcp>;5IeHgTjQ@ricr6gD4vI@Jk*Z2R{4y@RG|MOI7mi{Lerc8ol$DVW3ENuT zj1WwC0ty(1G(0o>7rALyQl8XATuEd?ivOD?k_rlW2FEg?or^o$;RTk1^zMNf07&X1 z=gUV2hg!V)MO30_e+gR4~^XfRjz)<=~@azwU_KR=a-hSr(e|juaTAG zU*zTb&cC_#HO2E0t9Usg_Hv}ekfuOp1UfrzBej*>Fu!uDO=@nWB0XpntVjzG@4fi+ z?s@U)#c<|6s3zh;<(I@A1+*9bKaU3m8t{wBmUZZ{)cTTblFq!69@Om5BsAbpVnkua zjiwhvg-M>tIzCK6)fWbpOtda{1eP(I?A{ze!C zQv~A_xd2DvbO7|{kRDADM*<0f(52s3UUE)qF}0`I1=A0Z?;WpObn3nX^Yb;4#7J?- z!}&(Cl2mom&Ah`)ru4fzBp>Z2Y9A#F! zphtt@B(a7YY`I?2qvhea?qhn#%g)0fsG_5%;XOF6?lb!Rh1>7&h^Wla!yL+X27+`k5cY>GnJN!_Ak zf5IS$V*Ou9oWch8V31hRcc;idaMUm~-eZ(D63IE9hR@^h45UWB9A1tXW|mSe>EDDw zZbhLJByQodyD$j3SpPVwQ~cl|3?eQDWh1c*mOg_)hDAqD!k2Kk-f1M~AH1Ah10rfd zdZN+(+|r}<;{jm@{xg#z-DcT!_n zrh6{2FZKTOQg89UU@s>H0=yEyI2rB>lvpSmse_ONym+$7)9YrkDltT(G<8hq9~i`643Q91^IvoaIHo+v znM#qD9P*I>Y8KBXdE66+{1gzW&p8XyKuC1F4a8nT+oXcaumw=5E4v`Lw|XW5$N;Ks zaed9yV{-q_|FY6^PapN;UsjY+H#p>115vZMHZiddIOHKfWCqVHImRCjc?Td;k8=!! zdCwtV51{IEPvND)Cqn*;A$}#XK|)86!|Tfp^D4ZJ$g>h9!93%T*988{Vz?tn~@}NkAAZjQ=as`ZV5) zq7%PPgqFemoFF~(4+#y1EF*zG^aK%?mIg!a5neY`h=U6cEtNzlKYW2UW&`Mo0D`L?l;@5t zEK5iPNzx7~#RzW|=OczB$(ocI28V*@UeCgN;zMv1gPKFO&<*4z)X|VI#|*y-$_@}h zw6warPv~RNd@+(y*~Ec^RGN}z&_~D*46uNC^Ae&GvV1=YwaY}1yJnFDo)7Xr%*;9_ zLTlhdK4aEHKaoR{T!KmorM{{Dp4v>y#qUHoVg1gS^2}V>Ax$@sZ-BK&$P2yQ^o)JqRb@S)0E zP*d9sit}hvN#dEJ{sWn2Y$B8e6heeqFU|*n;3fo>(o34TTSvXRAVIZmQab73FA>E#(O2@R3!0e&>~q#%Ebv8AW5HtN|~jU zxW>@{`F;j!t3gg4)i6oCJ2cb`o+RK?^1ET+vZkNJ_i4SRqLjLCws4O0Epb+4{Yt3;$k~;ofi%SGkK9rN%YJihfl|~AW3xjC+ zQ{9W{a$VJ3Njx8nf70N|0l{tmXIg?DQy#+kzl4!V;i+N%OPI!JB9sBaj0m$1?urM3 zI}wyekHA*KWG6>k1pgm(D@`vZLa{&6dn0j40v2`HB(o!lP-=vq=;5p`yO{FyJe-`~ z13&#k(!#&6yduf$u;Y?8mQpvx!pw2|?Ge2b4$&tAXG)dip+-QC$iTejd8ACEG*Of& z|AYhGQ?6hNUJWB$-{c2HvW=JcShDHoytD`i3njSTERT@s7fn@FMH4mrFD&eGK#ukS zUIGJIUvU~C35tqH3&U*5DgXntQM{1@&wutaU}s}n@&K>=KM-qHLh(M~MG9M& zy32J!@z(HATTBu$6sMqgr?{V&w5ZUy#wW;CQ=xc#c>ge9sQ{T~4E_hNEj)RGcmKhw z4o#gQ*(ObVGYfvdv^fe=&H!#ODMe!Orj43FgR+s@p`qo;75IZ_SdsNilbMoj^2Nsh zp}wq-w9Lt+h2m342!=tm%*jkyHB(iC@~C!g=V_NwkPOEEMuy<%e7S-UkeWt#M!`8# z@xXc&CNmYhm}5{twVOYe zQfE%K`SOpgAvv^BcIcss0I5avNSRzgA&847JUtlnvcKXVG3V_>JMgIsTFKJWi}OmO z{!mW(x`-xwGMtSVX;sF<5JLNY4i9^2nhlM5TwfGA4sATABd?(o$Ainzk_dVo<$xp) zmqW6TrdkSZ{7y?=Q^@w;I|PY8BOT}^1qQXf%C1$;)*P$fcay1+PW8M`cS7V(rzy~t@NHg`Rf_k@P69DZ1W&J6&N+NO5R{>_h2~{7$$4-^3?W0Yw9m~ zLcD+-Pz9X6Y$pEjrC#j;!x6x(%`H%y9*jM%rFwmT7z$@oIPW==h@2VjA-VWP?V;6H z?xT{FFwNdbX@I+5?~QeD;PwB%YHGbx8nDLurKgxCyJp*Jw$tg=50jZhW!(W$J7WPX z+ZtOr#@CV*4b_?9yo-nVvQSQX);+R`MiG)Nk9!{)*)S*OrF`DIV{O}Dh~f)q1wX(ki@ye&Or zrb_hTqU|8%HblG<+(qENkgn&JDjv-XD)tvIZi)ojEr&e_XWLV8hRKPhV=>cnP{JTD z+jOKgDW!^uW$ypD`ZTxeIacqU2eNrzX?0Wxz&sZ|xZ7PPcC@TIRn0Fr8(=>tNHjb1 zd}`&pY!mUn*4U z$XMWT9m?~5!zst=_(_p5bIF1y+rf&oYXf*oe;jb0t&p@xFp?|g|KXWINii9~@oQb@ zh1Kh=v#dXP)m4`~yy5NnaEdpnZ#3l%WB+sLOYE}Bdc9xa*WwsBG@5x|wf9yBjp~}; zv|G&4Y5q%wW2W(X+Oc3`N41uZoxzGz@^e-|*O~~scZDyXU)Ks{V_esRREGimN(Hd< zb-Z(p9_M(}x48V`haYeQ@m|@^|D1U$VdR*QN$AoSkuD5#x#68Du^vB6|7IJ|<)?6& z{zWL|faf{z+NZ%;Kf>^-*p~kDP~W&$ljz%y&IOo6y-vD?jQ6Ly3x(&q*1lGQYOlA& zN?ee{Rf+ADm6c-Aa_xq7a<8Ogv=RVYyidFD<$L7o3yF0O@6omZOff~W5R}*9Q%VKC zg*hZ|8(*GLD)>&e-iK=al#$SCuZ*K5ZQa{0S16i%KHcXL^cN0 zXjl(x*Jo9>++7d;8>{eavyaXvq;IOe@$!&v zJI`iUIA1-C`kOK2^4+8VEdJa34^yT0ZFWXqyoW{+oc+>j9kWR65m{ic+>E`8^O>5V zncvsWnt0i*K2Dj$U-pJ8<;7;wJAG~z1jGcWMrwT|+{RrC67R2+Jn;a71;rWme|55+0T!i#LMk(=D65l6;JX(>ECb1uRJvlGg$TM zH>z%6D|>sQhmFlXY-fO(_LXCobySGrJQe>qTbI4jkI(nZp!waux2{0Td!RD6C%r+2 z{RAkt6BxMEd7pD_=){|QJ6_%7e1D-N@G$b&Rj%|+=+9r_J|43V^E{8)N-2rF z@&ZZ=@1Nt{W-hywJ;s*ONXdY8QGV%mWp?LJKNddt5hq|}7`pr5`HDx?Q zYgYYqa~EY|6*0OZGaPgBZl5)WjGltJHfA#|mL4OY-_GBMJ_w~aH^sS&33QbF()^6O zAAeKPL)~xDRf&5VZ6}?XZQc5)aOaMH>`gPPJ`L&Z9g3s3BRuPzJXN< zuZb06`o-{Ay3RMe`LLy&u~+6^d%U>iqE9ENK`Q2d`_2Be*~dys0_$<_S%=uIVP!pz Zk6=joyLHH?DE9jY_WNf9m-oNV{y(BEZ`=R? delta 14473 zcmYMabwHcV6D8-=~P=}Eu1J4sG8zBqdC=197h6drkA&ZzG8hRt~bBO!Wh7&b3 zT&qtbbBIZ)Q~mQXe4u$i78BSoQol_Hf<+0}ST=`To`kAS3*@XY!{O_jj9JasZnE$T zs~)hx6OkOs#J56Yd@+kjJjAs3kQs^XXILY^w1|=`oA<%9GW-ewqI%NFgd}L--h53x zO8Lxa4;@zI3FYO1gH*@D&OV9Yra|uKW6L8eusCtUaFGDKL`hsqAr*pRRiA9o-=k$k z+ju#wg&{WeZ$(iu*^(p`X^8UjakYpw66I&!OBgCd+ zbN_olCmaqpxTc>Am(WJPn**Uesc~?gw_rIDf-*Ova1=C^>EV&Zb5SRs1_aAVAwPMzck<|mm zSqx2wEoT?XNv9AtQwX{Hn&MK86uo`NWEaSoNUke3c0vZVWL%8l%#Ls{am|gWy0GC9 zcVTz6fJDv9ic8Ke_tDQ-*edrO_hTFh zt}A0B>+B8S5E<#{?y+9X6jFD;oJXA8nm`1@4h0YqEg|h4kwxjuf5x|DCt}(~Fm=mP zdhv$|hXUx)qRY0;5a{#z$6>ai0BYIdb3?e9Bt2W6So9%@Uja?b#@O0a*zwU*5eb;c zmYgKi7>nxC1&(9r8}jIKr5`Wu&54~%+2|)mHokTuShxc;DM;NBzexpn4lkwli~_SH!{j z)Y9OSpHwaciwOgeL)A7(bJ(X7bnh8czAMTbi4x5iLLGRD&pZUBoKS zJSp!CTV%FBg#`W9wrgFh$w!|jOXM0M>BZU!zF}ag(A#6SV@^9gV;kOXk%iMa{Y-B` zVg{db_lLH6nJTYy9%!I3<_@hk#>gt!p!H15in4`f zWI9z#jPmwmzu$3q<0eVM3qE!6a@tsq;9jAA=WV_9{fKkzK&dwVrewTwaj)H1W*IyD zT(bT=+|PA?wgG;ZT_NjEwPl(i><=j6ou1Fu-5?M9vxpv?3^Ib5E9#e@A=n(LMpHF= zYLnKMHBytk>Ck-0y*d8D(V6t}F=na|Mxj|SiIL})eh>N=UNd-`23lQGJF3zZ3WkPJ z`*MWoulep0Brk?CD1N#v8(+tkXhP!OT(@HPIScW>sFx&QR9QZSDVc}XeO(rBk64C> zBN?3F;qggVM*L%m4L9>c@ayf!>5nBsJP7E`<1s)vokDalk{YTfz88%xTk}^z2}MtE zH+(@plu!5Mi&;hvE+-SZJwZXKkg`q-yJDe%lqW{6aPu(Z+49!+0017$AshfEd}oNI zE5@*dixl`}092!>+ezEgA`B}G2QUyjf63jO_RD{eMjK6e1LKSU&=c1sSm1X@yk&cbaECx2b%?7kVU*r3&I5Cd z0DxJ=TpqG_dEJ&OO3JN5u<_9!))4{F zr~cAD7L-i?v}+vvTk)xk4=>X(?+V62=<|&`0?>*HVEpg#b&91hC;& ziA3yp-EAo^t(Gn>{S7B!g#CyF2oTDQsfI+LyGT@AhP@cRJdW-39QQ}VsGND$7lY|vT1KtDVf4~4SfcNm}Fyk12C1BS9HV^}#1<26Aj$S`AhPu)9 z@VQ~Nr=6g8e?O($9}-i?bu+4Ek!qiAv+j7)aY6E9503E+<`D}Jd~?`$pErvHpBwCi zg&#i0TuY~rH{lacL5}}UfsfBBj8E3e8X|2HsN}tde)N(<_$8ML8}ZNaxQ#6cAuGePE! zm%!hbjY+3gH!x)O!5=+cd(|LKg-0`#E~BZ*f=^$2ecmW)?VZk|-ex$LoPv3Y>^Hxp zcL99WT-5?+Mqf<2>^4-p6GRxYytj>2HiFP_Y`(W- z?kTZnLX&r#uAwQJR+=n1pS@{4592>9PViAmAlnd|{Lud3cJpb)4z$70ona>Y-1C(4 z@^~3kt!rMw_)^HD){$R%A{Tgt!A;;HcIc9V(aALQ%R%uw`CS&P*ZNmqcol@wKhHa` zEx`lYx@MIafoib5j^5{|A;ld$ui-&jVs{T>2b!GSt|n;J7u8J$D7QaiqkqujjoN01 zrpHP9V~GE^9Bh+GZHtYyt>)2oqe?NA@usB#+gs->l=4jcx?(&!V&|v9fIrezi&-3g zpzj@BNq;KI$^*2@QO3RFwV$`*;#38C56`cD%6-wfZ(N*TJ?IVoQhI4UpW#mG)o>hN zouDH$X7~stzG;=4U{!4IKH9wHH!`;*RBcVG{W>vb63cMRlF`j)MCFe()@kr3&bYT~ zVT`*weRHAfzR59m;!%oC@y9TGbGd=a8>gx(lyhR|aR~Va?>6yc)*Bl8J-614^q7>; z0y?P}7Kf^G3xN{cZqikv# zb22vi^QV7t*Vl-1P)U%BC(U22MeT0(*}aqJlqYNPh#P*x@n{0qWSb^IGz_* z5En62^Q8}NA*pxcTD$|oiLB!Xbuh3JvvBWxzd?U#1WeZL4tf&5?Js?isU{QJ`^ZX;>xgK{_GkSM zsf*R$&A&iD$x?y>g3nKv6H(29OU^D=5YrT>!BlIOo{@E9xc(czKfY@e2}Wbi_iq!A zj_L0neTi)a?2hz=-^^yY7KgAn<0;@A9H&0Ekh!aW;l8odjKcS7Im|r%Lp`1^JlE)2 zoaA85yJf1g*I1R|244>_o8#*wwt^tQ75wEAl2Ogv1KV<5-Ad;u{b{Xgk6Pz%@Ro%_ zo62#p|7st_f7bPW@g$alBORxWaXD*7-OEiQ;%$Z|S_BedTyOfNrpYXAvU>5JCEjh< zRtY$V;$R-ellZWYkIG`WEfF+n#0%Nl*j#3A9(wm-9q-q_M>|8T5cB0%fsk9{xRX8R zI7%kvoXyl9OK+64Z&~$-8Dr_Ic=c97;R7P6CuOHd+YQgY7_c|#<{_?S8Sd#`a~S3rAba32u-0Y1nU z$2B{vIG|{8k3TW#k;u}ENB^rx`q2lQ*@cavo=@8CP68P$cQSO0t^tzia~){LUnMn{ zfjjpFWcBZZ4a-|^1+0@LKSmlu5%@liIZy+vrDv!RD2@WNhAsnnewiGBLaIJAvJ`DU z^Ll1Yb?yJYgyRJUB1~GACtU_2*EK$WoUigLl2qtty|0`JjtdjUKwFnxL9}P;c9TL9 zJIU1ccz<@2Nz%1UC9G+XE&_(F#`(LZXmFW(bQkApxi4;1&ncfjq-VLwQEG?GtpLOlsYu#womH@je zTpd`##h&FOl$SON#Z!);8H>yU4nZzHjqF}~A7lRBy00oeZK$HBe~2bN&&<`lRPG52 z`gxkMKKfAfyUQmn`%4iv(Z4i%(6=^7TZkya4uJJO z3Cyy^8kPOV@}2RzW}4B7H%;W^M|+qu z3|w?nQkF&4Hoh78;jh{1Vk>(W8c~ZK#Hw=jlC}@ayVMFzFxrQDePqbq$|Lh#@SB^g z!w))JG3`8K5F4F3fd2GYcf|f+%+JgyxO|)bQWp%! zJ}CVDU8MM(vg^UL=hJQ1)hxyJvVKY6o3+|!$lo(k0pI&O@A5Qav9k*^*Q~*==F`j3 z&4gzA8lxb{lc&nxpW$|zY`T35uKE6!ABU(W6QRa~hWMS|r@k1h>ng1I+o2!!(zrS&eg>&9=d84Gh@IcM=Uml1YV; zymhq&|2owtp~z2;-nR#baR+z(l)JSIdljA_8#8B)oG+?JL)H7E&mhw zHOH5q*Ak)rYIn!RUgJqKws)cdo==VKxRs1TZR?fQi*5Mz63a^V{Rw<4bZ=-^^L{gK zVBf0nqh0u{MtMoD?F)IYKxz~2E*lkhEOC5Jwb`^4&JJ4+KQ?rg$q3KgTP7yaTi5=n zq%Pp;wO~kh-J9aHc>8I-cYr$kV9~i#&KTa}cO@fqG84N`u(ENbTrzXI!*4CjNme^a z#X_TVOXcR^S1kv?P5NHSp$x#1rJ2%UH>jxURoZA8`1m9_YZ)u^!^u!$hB7B-E%#nZ z&Ua2SNZi2c+RN6Pe`sE1Y$Va4`g)-a zuGIe?PSG`znm4aUbe-*HK`plh#M{xm=VF&{o$ zp&L~@FDA%5^cJ(8K;FY$xg7E|8Y(Pm_v=(n%>-V8*@w;~J0Qn}r( z|M_G6B5qSJvlpRD9W=sQ>FHRf7wJWwVebGV7+Lsp_bYrTn| zBg=KF*dVJ&6LH46nP|= zveWF_^KD!F^`;_|#xTy!Ao(T23c_{nj#Sxh%MvcJB?7dHVa6wP$AjphmhmA>Jy6D1oG3TXz@IF zoUkKZBsyvQpP13RpfL;(jPwEW!mI;A&*s0ZjWvnj0+%To@)RB?cWae8)zW7R4!4Q# z*sc>)57H_%!{%77J^~lV(4__JM7nnK9Qb-2J%S)73CjHn8m7jd)QKZja0f+Y%#>V|meiI8MAfuY}Gyd`9`rrcM5UuD0E{7zz~~l{8I#sN~SrZ9g~qp~3f|)A93=s$1;@|WFZzm_l!wJ9t;-x0BRf!Ee4n1kCI)U zLZrh!X*|CrA|;4JjG!rKOTZt|4M+;zJOzXrlzGNcw-YwQ+-v(?ga}Y_7Hz8-4<~Dh`wor}3j= zqPydvrJn~#RHwo0m)s+rouX&<_qFCJvLd3Y&z1x6v*O#@s`7WhWL>br3eYR8<57ge+ znhK^ShI5eyTYWx^@yxQ5{9ESN_3VC?LzIUiI^@;US0I@ttBO4wQEIh}Ey#U8ih0!2 zm4Uh+NgE|9FX2hHz#M+Ufoot|JIIq{JsM%Gy>#IZ%>vGqiiG~oPod!QMrJ?ihZlr; zPqkZk!8h^kqFmuU8w$iG_^cWmZsZYzO&k0{Dd$@}y9C02C|m_Zm&DxCg?*7Os^8Bx zy$~BlJgsu07;{oRME+oGUm;hv`2#Lwrn@k!esIduKksfie7c9(*`9y=+DOg{GI4n+ z>e{#uygM!Aw8_zrRCE75z}*2Or!Rs2-hZAWx$E`yXk$tFCbkosVfqMbl1COQ7^%X6 z_j%r!JQV%V@Tt2ji2c0%$jX*-HmUlc*-`{&$af|S4WmWsVD53&lCl`1@9OOIJ~9v! z=VonwcVp(Qi^W$*+MopL^9~ai_UiuA@qMnANk`+5gY$5P$1vGv@0mZePcUidREJde z_PXQKeIC4a_bUC4Xgm3*Ibb!AMf(8n&eoN0cQ3GJhel>t z1^rwKCs@&Xz{HNNqi~hS!DB9f+?10;fa`huNs&+Ht5<`bX}2PRaW6T;$-c6^rw#9oh6%;NI9E7Fy>RE$z-iCS#u+^x>Vnt*6@goVYWd zF9(zbLLeN9(poW{dHGwj->po?9JktumYM<+h? z1PW91=dJbqwSF&}EX6iaV*%?gPP&?R`6mNfCRr>`TNU)w8?Q~T+PH8?n!8~qc)!_& zc^~A#gL|KtI5FLxH}-UQ2CCoRouIk;84Z%K4A##3EpxWYL~@S1^KtVgsCm7@V&fJc z2m3bY>U~$|oyqzT)YC`ycRtal<;s?C2s?*7x%u~gjSuhS&?|Kd{VeJi(v33?)RJ5W zKNj81r>s?13mD|a_hS=e%zvl)hIaM2mfxW=1A+MBsl0kh8n;ih+J~Ej?TjVB^?vEF7e%SUf0vo92EW2UoOa$+;1;b(Cu49 zQ#?PD!Ir$zYW9p9?S0=n56yvw@@1jJlh)tyxQ=xT>mHLU4ok+T^02N7A(W=C&SVu#s!_c;FBdzyAAu?n#4=@6g}j8>h<6-eVJP%c9k@9zBP? zpKs96pOYlN?Y{Q>VLH;zF6aRFac97J|kws0jTumYEkH z&&gd#&>AnKID!U3QJPr`90I;ZDE8oW59aIFJ#M@ale@3j%Oy#}I0ty;W4Yh;DU@(= zr+&gk)(SBkqM+Xk=d6Vr+|&$`1~A)wUik26M>fPdZi8u_(zx&0s~-o`%$XMHv_<*K zbJ5k34Uj_(18zZ(^U-}oV+<08@` z*IRKZ$C|$jgUtN6@UUTGpd)#~&P+q4`wue(J0DVvRCQojIaCeM7L6yDim0I~t;Lj2 z8~vSsu51g~7dQm>iohn~Yd|&wr7vraI^LFqOjVmzBjusCFtn`wgKwxCxrnfDL|tB< zg!CQ$|6tfU$sECz4W&g7V>0Ao1O6`q>;#~bX5*SHj~`YootzY2iMXlmpx3?yzQA5PfKBzd#9Uu{0N9uhyQQ21w4~zicQ`qc6>8 zRUZ#CCAy$o6aOtwlJP(4LP^I39j>gW8E>g{#$=*CleR_%N7JzG2xxN^ym!# zfEByCq7)O7lMIb=jJaYMa}YUzuom4)D_leB5|jOqLT((*{KAAJ7y8&DNs7^@ciYxa z7yrsTRDS){wST5k^3Jxae^`(4Ey8-An_ zIH!OwVq&CECvcKAJisin4F5q&^o5S3W$gel#o}Z1*sEZNamG$&UXbL=;?hf{>e21g z=`a=0#@oN6!*hXR21)m&(^WID?*iyqQO)2xVFU*}$Tg!YY5&ypz4R+@4L#)x4qgQ@ zZJH5G5UOLJL)t|mRV|-g;FLO*V4`*yW^18Gn@g}?h?vrLFGCZJDQAhey;yPc%=Q1L zs5<_>d*59?O*FtE-*5rXDm7f=9$ADg{uK{sxCTfibxiOrnum0{nqB@*Wv-e65aTGQ zkT-`bL}j5V>{Sys&>zD$wv*$fbwY-(_+P!ioXMj7$oVey6J8{F+Xqxq#Szrrk83d$ zQhQ9ajHnXsy0p;%IRZqD+(a}ODSHupUh0RgpzwEjsj=!uBVUfk_C&4zqs65+RQoOP zRWjfm>zWjGUt$0JuY7!_*4S10G{&qRPJ{Z0O#@VnefLfpG9!Qm6Ov&j&9nTcLLRBf z_=@611cT*GuMVHb^-!3lG8KR^1uC(OkPOM+NdK&cKa(4uu)#DPKs<5Vv@5d#wzg>#bBw+s$>`u`DT zdLtk<^ylfZp}NgmM0rKCcZ!fNUk*LO5kEkg7|$z&<3Zd6pKxW78)MmR5@_ASMrw6t ztk~4$rAUx|ylIQ4S7bu#?W8PJ|5%|eD+eT;``MQ5LBPcr?N=fd9_-NqF$7KmoPF=+ zG%JoWWxHl3hOp$`8^XqgvN9Sw)tYz&>KX(@1ai1`Uu*QSkj*)tW3?A7Jiv?^TO9hI zrXp(DtXBMtK=r5Z<0x+;Uy4OV?oOK={I!JYox~6Z(NI*RVV(y3j{g^Ekc+$zHQgpFfr0) zV^)%}d;FK;kc`*gNjsLW(a?(04S04c(_ZD9{$A2kpCwfTS3W`v%V$b*n^S&+1}T>uBbtdNP0KAwOj56aFG_`uUQ z5`uSfz0X9$7(&6E$8Pao3zLhNnKeby!{DG~`^sLJ`YU_0arn)zsD{T%)D%bnzl@B! z2#^X9lW4ok|JONi@A=G=T6BMd>_KM(*VJ!OyhgKg4i*b*k>rufZ+E`v{pOG9DEQak z6};9mt!jzeDX8F5&GF|JxS!*V>ByOXoymEf znPm@D{~$qoV%C z^7y39A%6bA7=MKb$~mGpj$}k+*!Bi}%=n~qd+oA}o=2_1h&Lp^ynfm_@D4a<%nI~2 zO7=YkYH_N=qnN|M0FiJNQb+VCYZy3IIPQE%1IJ9$Bd+%6N%DYpR7==4y69FL_|pOu zGlVVWft+b!wn85>h0TQ#sUH%$N*}X?Ev1BPV4k-| zAG3|k#S*Enf_A|Uq3}*y`#3;FYg7Eg9R78|IJO&7KcVTXbLNdQ)2X4wdO#mYezVMY zyqUGBo)2WFRc1On^gu7y2SVE+104@DBhr-aR>HfXq=jL&X5(QRCo}y7wwjL+Qc)Qv zxBLY9Ou8QW_V_}~+w0eyJs*Gq0+n*2NA2L54N$RZIsg-a1M4a@;S^o!2s-t$zn^@Esym)VO4+4$DHt{9hD z%icb){q?%%q|97c9+94;|La%a_2bUBzkv0;^rYx-I3T=!s4OHE=|F4aOyN1~`QP9C{tZ6bd!9$u*|H6%T$ zgy%rDgC5DkfS3mZKZ+u%lDfu57Qw(&VzLt?_K`^6U|?ynfpJo6?5HXj_`B$9z%y{n z4vS?$+lTZqA~+gIGK99T-qFs;%%$cP+eW`SIx905p9i(poA!s~&&!Nwn;p241VDBc zWtNhA)9?YSN_Zc>BKZ_dNA+N6#)fX)Cd(E@<%Wf#3%DW2 zz3Zm;pqii|TCNLvH0S>y)SC-{^sif}UlbCM-f0LwJOl$XiN6NL8C`x1 z238hFoFK799-4xIU0;W!w%GD>FmS3kA{&V<{O}SC+#(*%M(QX8I_UyKx9>r&gCQ)U z*xg|GU!aTZ?MX)20~i=AfoRORg+x|vl3er1+DNV^AAoY9Su>^B9O%6gNrucnnO=TOOmCA3!5Z8q9DXh zlI4QSXD2xUe8x)xpGYX34?W{(Oh{9zV@u*u!ueR)|k9d z87my{j7UhSkj#V>2oXX6q_ORl#Lyy>!c#$vHsGGaBUDO~rH9Yg!EEf?!w1i(grs{! z3ZWnof;HZS zunB4Lh!jDwA_r^ey`J(h;`NkO*+OFQjA6*XbTo{Y!XreE&f;DpfY~I;!r*tTF$MaO zUd`=8T7>#1q|i_x4dnm3)tnR_AIg8XO7TmQ-Gn#SfnwGJBB;SLwy#@%js(tC#3Bv8 zE_Dj|S0W52rSK?G{@a?sH%WFG{vTp8^snar{{hB@iwc>erm^nj#84-a#uGzDHQ=6h zk5vx`qvQTl@Ogq`REQRpp1bZLNS6OJMCvyR#FLt)%CrSQ9G;|w20-wD>atEU+R7@t z!49omE+^8oqyx{#^=vVtsFg556lg*4wL+fg_DTx0Z{VePkTXN=@smfCCI1zW(!b&0 zK73%KX(>{%0w{(6X@Hf~8qHoyfmRh>iUrvq^c!LFh_>Xk5W*L=nc5`T9sn%|$+dZG zU4&y1lc4L{c-jy?miN#dJi_EsNKHr8SJ`OWg&P@e{Ny7gNv&RWq&K3VvK_?8{VJX8 zeglH!Sanm&`&cAaHBbyY(!X4fMblBp*MjHbiOdMaBTBZ_{m-r3(g?6U(LYHUB*?&k z+_KTQk0y;V_Yo&E8B6ZPf^=I5BEe)N|5Y{o0WK(5V=$x#1Gyue1_p|$L&CVQe;?js zeTYo!2Z~uhLL|i0QpW8~(s~BSco4HrY8YWc5V>faznji7E0QKFSW5n@MlIfv;Cxb` zfK7`~RWT?g9(jO`#F&L!uiB~?X%!>E9D=1GLbx1g8-l!0uXaiP*@P>eDP z#yPrIcy5#K$73G_TId@5zjmQCKMMSg3dm|1}G_+|giKD%J*;UEHut!i%J~C~zGWP@7W={y0d1_7)zbiJW1MPLr$vmHgLo z_Jc3Yxziq?P2wPt9$L zaMWglD<-i)S3Z{(M>UM6MGa6dU^(#|X^^C698$)xGC)*OQ%@sltP&$OTVy;EieC}9 zh<5<$^u zV*g|{9UKvb`Z~0G(w_cHfwReP53M?XwI%jts@8bIaDw92<>Z^S55=F>QL{cChoc%5 zEO^Z(A!kK;N*m^AJhj;=d{B`Q1~CnnLW4X4`W|fhB2WMCW3$tZ(x7$T!ro%gml}G@ zxh`k2AEvWOs(RL9_9g;Yb~Sbij1|cgjn!F^yi2@=9)Xa>|7Xu@`hV>6FyQ_;Lz2)x#(qASt zp8WLgHN|P_g=OuyEk$v@t9?hY+=;Z6iBu+*>Q(q1qC5fQ8csUqF8#?wo%EYHzng^H z2uY4~AAx&RS{6&D_)w}y=GCegNZOZl95KTXXh_BGqO$g6r_E5GGVpOw~-Ca z6ti?;Z_X;eyCaA7zgPe-R+WpKv7ViAa>N#zo3CfBpISbZmrPtc2Qgos^t(5TvbOVn z5V}Z<8rl^YoA0lyt@rQWYsTh9vli|hXGr(!xtwU-t3ENjt`vg(v7FKvu3Bi0@@IUA z+RyuXLNFoXI+C4D+CPwSd3UuZP5lDh-<3ES>;HRpbpWY)sM`>A%-QSOs94By@beH{ zE1AG)sK$A!a?l-vcInSkCoV3kvG*44_ykVjr!*Vmb?S= z%UvJhP;YcY@Kg3S`@dEROwc=}HOKmNub-VB|HW3}G;SZLPb0ovFH#C@+dzU+Jj6c# zJ~4LA+Pu0h?kX3W((a4uR3Z7PmX*aev+3fKIJW-H zcw*zSDavX0@~=9F?&$p+KZkl3pV9uuy02v?9k&~sVx#N#zNP!t0ZF>6yVgi+Kh26K z>DR<2Zjbdn{H+}gHZQ;81u@t`C&7>7-8n(V=UEG8y4`jLG5c4p_3M>5YSou_RzNp( zh74Tf{j-iA(5{Ob_Qi6_L_1APG_cR~ulxI^vczxNl>$*ld;Wc82-7w5H3%v(&w)t~ zW9!$>)crWKkz4R_AkUQ2jZ#KrwR3uMz>~LhMX|7RV*6O;TQ5y4h!_i$LSe(112$m+ zMDW&3{1Bj{kCMp<^lb$*e_*(0(iPj-aP)yGeb#$+3N)*rgc6 z3d3pKM;YDl4sr5UvIRYk2r?P8s+MYj6wZjzp7A88?+_Eksd%B^{#IoYAFp3s_pDMC zJCZXFk%fNW-!Cct-SLO_?25PJnf$YCiSyUh1Eew`ZigRJp2aR3&vz436L0Grjgt&L zvY85lgEYS&F7nMbjQRW6eh<9KEzMf2{&1n(_7H|cKwm3tY%f2ryf zKelfV#WOAD4)zFI*J?Y6)fsI*eco?sZB=Vyb2g4^PuC7wz0}XANx6$s@ff?zgf$d( zHHCP!N(8T&Tr5zZ+PGR*e!_Ul`L?3M^*oIX%z%8#p@=%>7br zuj#1T(LMPyp5*HtCe&sY3|9G}GJChsU9iUcT#ZlZ!EZe@l+&E3f?J(3w(7O3T-ROA zG4ElSBf7zg(?xVK&*peC?$%6trEnK`GIc_$Gj*%vm7GmKU#lyzbt!PipwBO{BazrB zz8yTdx9YSDU7J$5JQn$EHPE{IY|n|xwanol+n#SQQ_Q$FH#tB-1uqaZEwcY|Gcp<5 zZ5xn_;bgGyUxqz)y8c{LuKF;=)W5N#te@@0X55le?01rVChRSky?{EYHH1SQd}bix p{B>Df9ijX8%Y204d6SO?)?jVQb%v=`e%#-#xW6y02&o)b{~wBDb9Mj# diff --git a/docs/inventories/v1.35/objects.inv b/docs/inventories/v1.35/objects.inv new file mode 100644 index 0000000000000000000000000000000000000000..e81f4ca2ce7171c5ffd464a38cfe6ed14e644632 GIT binary patch literal 189384 zcmV)SK(fChAX9K?X>NERX>N99Zgg*Qc_4OWa&u{KZXhxWBOp+6Z)#;@bUGkqZgy{Z z3L_v^WpZ_Ab7^j8AbMY}V<`r+D%-vbRLjePP`&T^vJI9K#TC&%-#6_h@BjVRuGvPy zj6?yl+1^*{tk`dMp-76v7~s#SqtSq{Cu#vO|yve)AfB(P!?-`&dsl#paO_{aj zy8Jp1RFT)A+p=r+?W&vyETtW=|2+R;NR)q8A4^|uK{Oms2!Qx*AKi>p83s|bd9}^z zioKp&*(?HJbh#C=pj^|nh5og%{m-QzqBzwRPw2PJzApjd7A`Er zG4D96-TKmzK0DdPiggGDFJ|Ga7CA0+m-5u0d|Hh?`?hTOQ{b1j=gxDFL*J`39V?yC z?#fkLVryC8mF>Y}=5e06Ph~n*$tXXRdEGy(9?I3@*?nGxe-;(N6a_V~=5ZDj6XQU; znDOUOo`jf{Q3vD{>ZOChO>-^W`v*`jT9NJjY40yJx%RIbWHUOs_ z!2-_)-1)LD4^kj7EGo+F!5RocDEKq`?6CIm@3?#r^T@}7103(#@>O3wl_|)?flkGB z=((6iu!!z^DrW-w=LgoyH*5yI$(H-oBOB`c`)a@0*Ev*Zt|m8VAdRBz*;uJ8jz~g6 zhEk}yUtw-`ObPFjCA5 zHd8vV&Kj0O=^?+L2}Y_qS}P4}nMZ1kAuaGotuCac&H8oJ-=fcV!QV0{%S4{O=i3}O z5af+vryo;^HQHSnDJc(JP8(?{)g`i#n)<+HuaTP3#A&3aJ!Gk8q@xwx)0FHbt|;{ejW@#eRJbD)UVMh+EgqbGqL?Zky+AdS8`w(ZwR0 zAg0*RK&sU-RE&{8(=zYMv??M|g_MFY=gE#l0c+K4cFmSGKbXs=b@^1*k&q??j=Wv% z+qT@UUZN2PNkU?8D6JNJM5|MVS)9lm!0X~_rFNP)zcr?jK*;lyS!irBU zrU5|3eQ5fW)|6%fs|bh;`$p`oW}@Xf_J`Gk2RxW)r`;?x5(O+ip<+K;Tc)^N6^Azw zS1|9ZZJDl7p;+^o1#ZAmv}{-x`ZZ;bXEj^F7y__iH8Z_upR>Pmi4RY;n^_qv4A-$v`M@|D zRSJ%A(z09SyRw*#CjkWRobNy_rDt^1QVcLQO;JY5qX@|E@)kZt-NU{w;76X-vsgd? zzb$_)SN(C`M>iJN##=%Q;lD_Ke@;?TMdY@-(+`pk}>kvaWhhS~zzkU1NAPzHqI{}$%*Wa&p z4gi^J2Y9ZwtY`1CZok_#tiEg_PTx-*%vf>)oG;n*H)FCRMnftWcnkMQ|4=3@ZNFh{ z4}Y<5*t{CW>U;^4CnmV7&g5kK56Rn`D=3o!5>CW-ZPPcarXDFX72tZmUM!N^%f(%i zZ;NDodvl(Me1v`akuUP_|8>l9E>#3B$Fl4K*J$1#v=wArjH8{igzCP6ezr@##f(YvH6;~|L zsX(qT`4wnIxq`ve%BF#DnET44FJTF& z6k^M!>0#+$H(VKD45c{iJ8>)UL^my$RSYA(}RR zVMSt~w(M&$LnBBTwI<*G{bKRmpc{IdvwXE;+3d4ETp3l`3e#5vZ(($>9z9G=ina+t z6i`teK9S2~36=0Eo1ydw%Apy^M`UYh0aBwMG9Q@qFT3d%mhgs#qqZU+3zwAE?ksw# zWu2*$Qll!Z;HV{9Fd?OCS9|tNTefBX$fP{=@kx?ao|RBm=c(Gzk;JH1B}SDU@6h;l z({@_8YE^)1{=6gWLE5?#Z?a!G8}QZ@``{F1U#@^}1P_ZWr}T+uCNk5_CF^$OiVZS{ z7idWFl5q)-e;S#rv%t1^Hk~s$im9#G4EI>RWN3Oe3=_SN*CWZ5{6{g{px}LfOHwi$tFmz;1-^1k$m7;I7V>u*z?&{*6wTez2ieHB_)(q z5De$|bD0;6nkbN90XxebEDu-w_ZHVqJ|+SAmWYIj9{A&e#UCG0F6Azg5d_|ts>s>9 z&`nc(8l1xFR3;gcr!3fjdwF1!4hIQs+62h|259DgWt~x~bUb=4)xPZdW;0v_DAGkp zCEk5lCcCzJg7H4<3}8XvsVc0MD{B1b*GUDrrVA#)GPcw~FY`KQ1A3bdFha;+?Pl3l z#k$n*{klB>)JE^_Zj!t6o8%oP+PJWhQroR^*((KT*F{L5NKPo(s}b!uvvSLN+A>D1 zDyQq_wxK-FLg2T&hkt&JRB*ZmW-Q%RJNV~^rGhjcy}E%{^6QHQmCZ7an@M57js-PJ?is zl*p}jpTe#T*Cxu2W*x4nh7hIC06*jys?Q*#em%sfSe%@6GoX_(eETR19YOhIIUhWf z6`|0>RJ@hJ^u_|(2R>{LK~U>7&^#}JybucFfLo0Ek&L36 z(tR%oKb4l@v9wUVQyDorWa$Z}`_#ghE3&#%8Rdf)T3x`{w^fu*S$?W7`Fwkocy!9G zia?#?@?7VQ*bm{`U7cU$*OzRD;)#@0|Mf-gsd$uwuZ8+4WL9J<&lTQMnnxAiO3hZA zZk;{g+$8w3Wfi6GGiE2}9~M6)lpV%}|3Hx}RH2c6+Wqus-Y+{gMA_q>_t^xNNpsw84ws4em{u3Sq;B$p{W`E&9>ZWFMq7g{nRR!NY|+h^BF~Eba@p|z z?Fy%5>GeS|^YT2&@IPK?lG9%^XMo_@&d-9!F8-TPkaa181* zF~$9Q6Bz#!s+#|yIWCuU)|!1!&N|;Z!1RUE0N6vWI@VwD3*S!}AS~uAEW!2@!G~wH@A_r~ z13NYX=^RU+rqZ+qgo%lS*fn*vs>;r!uFTu|h2}Py+_G^iHOeR-OU$PUk=zC{D*xI; z%U}8QQL$n5rrqW^--J#IW){{h8~!clOoxulqi<4PsT7M@?H~kb z+G<^~XOgk5bl3`ZD>cd}ibZ~Mbu(-)o0Oxu)cwBBydO1m3Kj#pR^p_g7_?%)cIMKwZlY{|{Zq<2GK z7v`3uVZqJSF#a%iVk*oW)h4xaTpThVG=W9T2ZO{Xv_y6Qr{DI~DsY9vDaJYc^7-m~ z_(_~g94Z>DnJBf3C1Vvg3{%~lV7|+DL|H$ci7%Bc-N7ynNSRj4Oxt&oY+e=f*U&|2 zpXAtpR;(7ApOk{-wxxBJr!_j0B`wLpId*txXnI7~K3#ShvQnb7dJK}8AWGYRKoh90B zBw$k$*Bo)Zy!O5!=JJyTO!sTqF7uVx>UY#>RE$)-dwVW^pU#DPwkNwgc@d~*DyZ4< zeQ;=p|2%r&zo9NB5O}aq$oET3%8DfsIlH3?IU35q<_c*1&i0#>zwOJe&#FSXbZ9pf z7qb<-Pp&Q|D)`oNwrRE%8sK~_0@smZjYmoH)_(??SX}%H-d0MhVeJH34)#Qj z)G*13rX7u~jWR`MXkGM#2&#I*u%m_qD0R{@*hl5%tYO_kwqjj*%VvR1*LP>-X4f0i zU3{W|=raP{(K#k3KSOdLJ2nrWB6@$@SS$-iHch30y7gBDO>8*-R5kl<^c=>CKC%H2 zVxyL)IUb^h#cHhq1wFnn6ceeyr-uLgSm6KS{f6?^sS_?rV@He*n|*aOlvXCQm>M)= z83RSkRXlJwY z<6No=lc#QwmAVt9hR@1{C>21h%Qw5aj3p$bOf(jhXH<^=`*h*|%1e#+7C`VYmiKw# zKg47%PkXXFi8MKXSpeWC^RuQ8*Qtq+TArHM^-BUXH}uhpPm_G=gz@3F$5=F&&_sq_ zc2exoSXb+ZzU#|fus%&fEbXww1xpO9=;$R3R&9_ny|-Z$0@ozW<%efnCJX0;Z;*d{ zdCu#{00Sbc2=$bYFJE|SU`=@|3{|R>HkhOuK|T7vwt4t(JQSuS)Gv$V@9Ay+!k>1l zS?qdL|6c9bg9=uz7U$~!3sbxgdfTC!2W~kvNpNa*i^>;`r;=@!-h;}CJNl5y$V5Er zSd)Oy2liX#eZH^z%v{3vgpQ}P>60%WbAGhgKEw&x} zv&!>q{rqFnEMaA;n?S+!w##}L7P=pYx%6PJD(a5|%nMuHVG7h6Jzc2Ta#l2v_0P3z zMJF?@!o`t>uR&Udg6f2VDe`HMpVS~VT50|J8=~;J&38M;2;N$DczCFS@+K{9*wLU~ zHzQ{lXbvUJqO9s;#HC4Usd|Kn;lmxFlr{I^RL^5&1QD%I9AT!W5l*h&vwjRW;plP> zISU9qIG!}?*@3kiepnqlQxVe22bsnI*NlyvyS%+#d>76Q@{?7F!xfVX@*Ob@ z0ip<6q=%uyn9n_%X{{{&?M(2>z+}$jvxzJ8<~}yDBFAd<%o<#VC+_C{%wb@oMZbi~ z@}uYT>p@1aKk|!NPuT^b+S7_@(|IUI{%+;n%XS5UHn>ZZ;WpcFLzN)1QCQTtAQwg< z!XRc9N&Fd=3|5JQ0eu8x56G}y6|%`N#kanC*l2P#2a6yZ3gXH^4tb=Wj1^#?GUp&dx!IO8e)miLnfz-@|nPAu6lJhC^$l=vqLNQ{t8Nf$OVor5^=W=ZkH zr#jB&uyw-FKFoZ6`kOYJp&dx!82rlO^1tHVY*THk&3==~!5mmYYiVJ$=OdGWHP5rU zzgCoqVaBE@grhqxDTHz;%6PEyfoH`IQ}}5tT!T|~t%g)?^ZpXTI|@p*E+R8ge((#| z`glnPZMh0Y&8j3=4 zi?B=1p-^y5cU1;{Z6SuJILasP(O?qI3f(h(Q zGYz;y9n6?dX5sG)g1WFYv+9Bg40{25!a={tG&!DLB((6-Egkw?QFd@$y7nG5u)pza zC&I*Mar-`)z}Pnn!fEbWqG<&}j{Lyf3O_J$U8KG`q~1pp_k#&j+EsKrw{H!ZGUBPv zfOqXeMb_%Dm8e;e6Tf%3xlTnBDjHRfM(S$jv7P`ZPq+!C0)B*G;P*Ri!SS1DLM|B1 zMG*`ro3{ErbWv&K?nuC+>!Ud&%^-F!N^$*zs$nNV;7uwIVr#@Y7U}uRbyjg&P{dWb zE4fM+$_EStx|gmmH`y>Dn5M=vjRGFbA{Us+=O6sho*VtQ*z~SfJ8TcQGAM7N>APTP zKkfV`fkYS`tfJZ%dK^StxQM4_5SMNXt6eaQrp|HV&u0z%HlB8S=pa1Bs`EV*g(go$qjQ$)&aF})uv)S7u1Vz)tGIEada5iqBFcO) zf2b52cD2j;9FMi3-MPGrCg}zu%XK)g#Lv(L(&Ihf_@~p;qN#?1a@v1kc?Y};zdrZF z*mP#UYQ-RiU+!@37(cjutm;~9BLTL0AI;JaMu9R}y7UzmNEC*p`y7WPeC#R`qFH*7 z$e{zJ1=GV*-y^fwA!+8eSum#XP6@}!6;FJj)c4o|*q?ZYnkW(32XC7;@KXPPr;KOq z)fwgKpj6E69BceVxyiTOC8fBDr{jPjR@>wP6O)UIjnCLfGkAqhI$-WvT=-D$|ZG++ZssMKy(ZKh7jK z6jH6q2VQ!{RCnk%vfuU%|M2N)(NzcsRa}K$V+ZvMXq9T;B!I>hMs#pT*q`HgKLf#?+nU z3pdUq$NAB`gFy$cd8#}9$OXji>##7%uH)&NLUuNTdViL&7Uj2Fp{}@r_fWYY_%Gc7k*c8KI10kDz;m zl>_L00`gcm`njvNV0TWo5aW~>Vv(TA2Je-~3IEZD;AO7)O!UV*8g?>E;)9U*ddRVI z!KbfQL*Xq?&OE*@#fIhl9F&Fh$g$ue)(88zs!*9|B1o z_Vr>;vlU?gS9OJfxw=}~#A-<~{9{ptn={D5nnds6N{!sk4o(WlenL;1Rg+-ck-Z-} zNei4}2vt0k&)A$RdfpibMg}uHc#sSY7Qq#QgOc&nA(NAEyvVtV2^frqhTB7Fn$Xn9 zsW*Z4T^4M&v+Y?pQ+D_`gZ*Uan#$D!T4KT9IZUVWWZ1**V`v;~$Q6P#4wP!K>5621 zh+UT-=Ll9(LJ0-frMGHW#EL&R7=t*D=c~T4d}(j?i#t}1vxtrYAd6Ogc%2-uYD2_g z2Jc1VY9ClPwEhs||L>1hHxukIoA~~9>h_r5KjOp|FOF6>6D;j-LBfgaCeGCki{FP= z%!X-iW@07%IPL5h(chFCQHhxON;q=Xjrk~>g&a=l6E+qRaGy7FJ z)BrL7Xk-Jq9fdrPV2Vp9$`pVcddbz5Y1W)-%+;bS<_txWjXBbuLqGO<*|KdOxl;9h zPJR4%oH-uzu9j!qE&pKzV{5x9y9fE=3`z5=>jYFkCLdU81l=Q>BSgchYi(`JZko`v zX|`)+j-uSo;q5~szb}v+{SDZ>bidUK_Ha9ksRxaizAS#Zj%K=Rx_-^3@)DlEcH`tZ zq$7Z7L5*^vt8j!(;2@|O`@j-+=2oy>K592u!k`Dt;nO_a&LZVOQ=MzZ4oF%I>9P4u z9Y?4sv-k#Kig6(1eE8)k#AgnroKPyw&2L8;OdWfVJ|6ebZF;G(+Ua9`-uuj-LIgq1 zTx}e%`!<)r?D{aGMlf3bzkNH4->A}uu`@u4efiySUgwD_nQ|QF8l28Pg6X!(l-MfD z?JS}mG~)U3N_sqwZ(j`4dZgK!Ikz%%H4POlW*(vzEc(^(+YdK$>f=J9rg?r7{Q{A3 z1_zdg1}8W?aYTiOAF6PY+2t<~b5LhvNIqKqV^xZn@0fjpM{vY(aXkJ3gXNL3V=Vs# z0M7h!kB|=;>p6f_3#+4i7^pL1+}tM{OXx$R`nLQnd#?Hi_UdH6?aP+du(ZUuD#c(1R#LddCWHhL5*{qx zQBU+MB4e>gFUC>fGr}-Nj+%ce8(90t26#h)!Q&KN-zNXMsra!ux}3w>hC++x`PUCD z$xPf%b#(d~Lw{ynwS9~aHW&dkI?s*HAThQZ#vxoVnLxVJkVvsSZ3yamZ#Wk|S{%lW zbJ&e`6DiR9MQoD;owt$^mQkTw_Tmcj`ryN=_G@Y)?g&FD0NFps_AQ4FA0 z*PSUw)*RXz+UE{rw4~X!4TT=sINAWuuNw~tp}Q72j`xxyC>RH2=P@ZBG|wi(7u#1? zVQe|PG~B8ZysdWmle`Cib*k;PEie2boJKP>aaKmP50yXteal{iQdp2mjcVIHtJ=fN`)$Pn*{>~0~{xYz$7;&BDb=^GkIL}3fi(5P%>@+zGAHyF_ zjR-QsN+rA$Ux4cpp&}6~*vFq;t#W5PfGII1^#n^h3Mnn=pn6Bb%W(jfICfpT{GJUu z+NSHWj!ls^H2l&M5327B6=H;UU!Fse1(ujuX9)I#v9I_v7h6i)^fLs33}ed|9+nH1 zs>@Wg%BC&DXPvlPyUgo+yMm!FPJgPhlV?$@qRgJlYW+a%V+;Q;tF3xo)mA2?wx`#x z9-vJZtZedy%EH#-7XD{t*+e!kl6QiLnC#7YaA;>D7Uc>hbhu1A?7@WMi;8o*7h32m zj#tqctE_QYqt({wF{1vtVZ)eY1MfQkClXi$QyetUs9#;?U9URx8zmf4+Yn@0U4abg zDDYUn+$LYwW{OXWen6YTQgelRq@mwW1$>lwLR&96t9#?a!w%KmrgARM0`I2u5VRlFr z=HtpqnJAcuf(e$2uZ%EwVTI|Eat^472XpkT6bJVN6t71YUy-iEJ$CR&a&QGKSR>+# z#q}K0STds%yBGkwLoYEsb|2)Cd72tknS*pl$0wAVP;NqaGb;J;vSWW%`Bs`}%alXv z<%Ok%0Fih=4Y>dJFxT;67}Cl1d{T2wJ>u~=S!u>GpK`n3_7$7b-Yc$C^|V8(5ROkD zHJ%qxBZCJa{t+tAih3#EKz1F%KNgL)z3QcU445RsefUeCGFym7+cotQ#QNUt_-6($ zGBq!zCUKa&KA4N9i6S?a{3>txIuTwRhrAb)jy9)|eGvOKG^m1&9q${yeQzcFO$eJ!Of-F_jOga!yZM(zWWt! z=nabiY>w5m8JfC_KkG6UOKv;-Y3?kc?UEgem@2E%!s>K{g5zrRWJ}eW$NEk-4^II*NRsNRu zQX9LT&)o>b8UOP3E|%J2_ zx=5t-fz{#r*=TjczWbYMi$TmXOYwuNI!B%Pm!0zru;0nJvuqxCTS*A7TL6sO&cOPL zQN%(CFBC|aW)`HWf2QCp3LO4Qw?yIjX!B!$-llz#Ol&64F2Rr~J#z|3jtG3#4yS%SE z-gMdDklF>qOitMj#g!91F2dkgMlNee7x{34qG|h)+k8sPB0LKoimo`h5d~o>3nC>! zVY!^*-O@)QaHeKe?Z7l|1CFs3uhD$Zc$ykq$=TRS6+hh7of@%?y?8eQ)>XH1U4G5V zEqemx!E2zAVEW2uC`(u+Xqt5mL-Zfwc^Slomp({MZZCguQo+4r_N6@A?<@Ru;BOcW zhbT=jKC>^YOF8d=m8s&oZT7otQ*Ii5U~H5S#%c~G%_T4+`G6U5ym$MIO=WBHVvJhG zNi(?z;u8Ox&xw*1RfD2=-pZIDVqnBSl*XKS^_i!I)|O-mW$4yLRg!-QA4(o?X1JSI z88@0ZsstZVNR1*YZKy>S-;>l5=h2SArX3T?Ohl%$E)4%qyLdb&!u8o4r=rbZ0e4nAE3WOJ6vIRxe(%x8o=rr z9fe-E`R<`&Ga_7ZD|o2(QBp`1W&qMFKw1BNfmvakn_aohdiJhwuvJ0tHcE+P90o@{ zB+E(eL=Fbv>wE{q6;-kBcATO?o_4r112OZ9Y&Ra^p|LEm;0Nype4p>AI^f6yu4MNh z5<++d!_cgu*d>q_ylDtwUZMTn*LyZy#CMo3gV=ebX&}dw5?(rh47`-XTPlZPe1DAg zz`#!qmd_^nG0cymiU!%D7@T0`W4#M1=3nuN;iDSfoxJh^%BEI+Cw>6XSMb$phI#r& z5TtGhQwrxtd2NsO7`hz1AhdL>>N$VuvSyo6>ip^kz=}g!kO=|C7d-PA6o^tlq&Ku_C*?g{F-soQ_);JF@Ut3HdapJ7SIa z^Q(#sKYpjEnO_6>jKLr4s(_XCs+m#KZHJ55+$5-DZM3Jh8aA;EL7)bHeYc3Bf__`R z|6XxdCRX4@4lOjz;~5D*j=zh(=FYx<^S#$cP8b=c+bf@OpPMi{lJ6A|B%n4rpsFl-2xOxvF`J>?`tte!|R#+tw?fM*Y>cj7DF#C zs=Hr4B(%E$Wwjg3kmSuwMh>jO>o{L2xRWhr!3|oU+kCf+d@t!IVV~of&3gh6{ANy7 z&mkUsd^ZSUbf5HS(hJzRSz9G*;&t{m36y{ z^|FIUq=*Ib`MC6WZ?4|Izf8{An_1oS75~B2lD#_UPc}#UbF@}%g_BufoX%6T`y6Jf zK`V>1AQeZpIdu$B$Uh#oYFl?O2Jcr7$E<=Ibg0Bni%$ubi>?lhgveRU)G?K6jkjyU zMrkuaHSbr0b>B_n9GhwC@IOP0z?tm*aAY^a^5>Ig-?8~SLUCAudqDy&SiZ&F*t-u45;c8W$NbS8ovf}Fi4SpcHgwZ z+D|?aGY2IM+N$vX7N+7fb-P&DbQD#$0^c~e+L;GvF$+-b*6X%hqv`L3D8{B`;%C3G z|Lh}Fc@sxQ6C2H1WnS|3=8FCHn_aVI?WwczDYwP0VVxuXm;q14Se`a0?GK-O%x_DW zm65**Eh(d-egctDN)x?&;(Mo5Zur40q=i#v^*tZFBzuVlh|`19TrdN-&dZJW`Gb4C zEc|T>kRF(Ex0p2D8eT6+@bcX8y7LGCIBpAgxeTR8(G(2Ye|9Jr9|N>B2~ck=KmL$d zRe={GxpY^z0m{r0!Zm#k7Omn%m9@RTwbvH5(W+HP-a6nixJ~&)$w-W6`Cd)o;zxb| zm9*GqGzX6J{Yb8aWb;ydpnICWaEuj&?5jsaccF`!?d%s}S$`WO4} zI}YPlhjEz-OpYRTgLa2<3>q!I`ur|##1M#}1}BlO>6P<10iy{VOQMp1Ha{&)4D25> zDbhtL=rj!rmkREO26^=%N=)U)E^Q2b=k1-N^W@9UNIZamp|rYIZ5kyloXUA2mqOk@ zkrKR_jPjv--Sbucph_5ut1eg*UcmGy&t0_%*r>7<9rmQq>d^A$gEtSkK;m&?ZY`_K z#&|N0AYGck!2{pZ<#85VlhiOlVYtG+^>?G}&PqlxY^LL%ZVtBcG_a==q!#;A9U&;> zx?ji;rf?HR0B6%4|8`!P(F6it0JHx(9mwls%q<{C6;3Z=I>xps!XNcen1%%GK3LIy zvvimexQdf9ObJy7Z6a9NP*`a(fr{{mX0RruwD>f$giu|)!^~Ffv1e{~n1PbhSM@6B zRpsXA5!zeL0U|d`53hH-U&T~*C@$5plu&i(Nj+GbQks@Y(Gj~-SBz^xkA&9jP3pk@ zPq?Mzu}u2h^W!;0MzK%s^0iSV^ox1-;ET^?ElXcd@a}8&BP%6Y@9T$`g_N(d12E&w zB?xy^R)MF%4Yate}F>KT=zE{Z4FklELMU3zhqQqnE-y0l}`1PEM~u7A@1u|f3R0=_Wmzj^c$SEt0lNQ*=cFVg7wEb% zS|;}^T)4xghP*N;Ne8UAa+6~{Y^qFDDgoSF+J|_&^2(__RbU4qLyR|_4{Ut2)zb4| zp@{fvQZG=>>2GO!;#xpkm)dbr?bbvBOQZv~8U|OUYJ9-oiS&f)Vl(poV$u!;Qi+5< zP{bYRJY)Z~h6G78p}M&eWwLI+gB8uP5WP)j5Hpk#PTMIRr-C96!6}-`eaXIH?WB{? zv#AZ2tXckb+dOZ@?EXFFf8*e)K0+5;e1bABl^FI)WbBtyblwsGeXOppJjDBHW zD8)i47D~BBT5-pW1T%02f>CW(4;id}JXPg0wfPJiJrA@#=322v)0~ZD&YC4GW8}-K zhV$zK!WxF$oE$5kit^L}q}T(H4z>C7Bs(uQ7O9$oea22nOe(n%7sGzAgB#jHpOhHa zfcDi8dR@dj3t@NCpHlq|p|qWasR_urOzid@>ufZ_|J?9q-H<_ZW`}|eta7`EZKN@C!^>Hg-=|O>> zOCOo~mB@geYaf~RmB@geTOXP3wb-Ddg`Ll)DfV^Lyi${NaS-4a{63+36O|@(>?jV| z&?9NA`Wvpcxp=4P1N%s@llwhlL?~q(!$MXj<+#$0a%9^-rNK@5igMS*Q5obcJg`8D zz>*8QE4M|tT}{Wxv_!LdV4sTa*k55qYabaRY_^HGf z2gp89g3hOImJoGbTB=6RZzc#fW>_wTay0t;2~(0*TAv!|afjhg?JnZ&8H9{HFgFEA zay!UVg=xQ)~pG_=L0bXqMpl zxOytPQ}9vHKgmlwnKrDujpxCEZw(!+q8&F|d+58%`V=HMe#-Ih@Fu|hS}w!|FX16~pLad`ud3OX@3aI#Qz|sQ#SWJ!4hv0CCZRGu;(?0~ z2T|ra(0pt{)wC|5ldK9j*3rM5mZsD)YAqsFr`Vt$*1(O~VJf4@896n5Dqw$Z`h>1^ z<$b^V(XUo|@A%QE3PI3E-;cJ12rQEgfh~@rGga_N{gC1z06VMTaHqrL-^Zqtj?szS zDAC7nxw}6)E5Lkr^FG;k`MUHG;BgF(O@X6cs4oIbFmjN3qXMZ^lN#BC zvj}-2``!4x754_!d`W+kZzD9T>+FM*0~;N_q7NGAG>%*{R~;lwiHS9g`=*5n4fhfm z!x9Coti<{U!KWM^DN)Rm&H(Mk)k#tizc z`J#)T_-5bdVVfay=}Hasnv0Hd16SKx9WlB6d0i zDV^q6Iv2{yimGLGg@Ne~Vw#_TO3GEFQpE+{C*rI7^A^ez2$|b@$S7_ zvANhu_+a18;pv+R*M3HQzN}Bkh{JP6c&#z2wpCx{GTvg$R2D={EHucg(d|S%?dO1} z2j~z^(?<(6>7YjXbeBmwwH-MkhxiDqm+0*eP2NarmyT3i-H^X#e(xs4MyM6*s@SvZ z+7-T8uRt*sN>ip3-?!uwr6d$@8oxR3P0KpY3W(jbSFeOrtXD)j^D$QD*Jr*d8e>`~ zWgHu+tW3&r|FZb>G5Jz1>CoG^fBACvof=Sh+M4to$z$(kiZXICB_EM_LN#{A7fHm) zpi_PJnRRCUYIl6SDWKk+-&nQoi&JO?)Xx_at>7GLnb)ul+-BW=*_D0FK8GR?+s6c8 zWWq|OLQ^U;6!5SE9iPmLnPb2?`w1E)f#9cP*j5l8@;VR8 zs-pu6MOH6g*%+NvlqOz>gVkT8LDfbuD-{X};dSlP{Ymv159&I21r zJv8+JZB+vb;EWRKp!x>x6M6694bC%y4qaFXON0=nLfQ4`)lNjZhbm2%v$}jL>jOT| z0w{zr6-`N}oU-$KH{q^soh+`aP=^=2UJE+A@2d# zH=NB@dOE{6)WDU!0$?Z5(pu9iGfz=_Dztx*9X2EEKbw2yn0ClRY4dH-Y+k)NlG7@N#EEs8Sv~?fzjkNyju&Q#B^uF@B?>1WaW`TEHVDIsWv+{4?H!o zR4PnKp|Y%=T#3x&3NvlY!`IXuYz2suveYCWC{aDbWm{lE3uSGUUp>RoRJ&Jd|jT3CTU6)P4CGB`$i^t`G%eQn8(m| z3S`P6{?tJf5dklMPuFn+xWLa|uwN5p|5+C{@}n}+x5+0;usAo-G1H!n(7}me8aSUg zke{wkA7p?Ppm3uyI!h926BuJ457vOfAIyeZZi}^L7EGZ8+u(aM#qSL z%qV75iFg=u!=y>Rmk=tMO$tLT(c|>X7m~D)WqRslL>?AT#zo-scqGDSk@*A|F&nvp zI6AKp`nkgZQLLSuz{#3e_fVjPkzHEF(Xm=MAs{JC4Xi;^acD0 z(WK{2p+o3q+=2Wnu}(=F`KMnQT_xI>2Khxf4o!58LR;^~FmM->wFnz)He{?|k)hbW z8hcU+-iwlJehsdR0tp|u-*6D~xf>0(y1-|(TD=x~(zd`q!3^7K)xYN3!8PK`vA|2y zyV1qC7GR}~1Q^KOwE-Hf2ZPV-2B<+(LvcWNY+GnPnhPXWW!tl#r7lC(!9qv?U`l}J zaMto3IIv*=CK+B@Ai=|TJg_lf_mDpx>v?e4RDq=)S4ok+-3_$LZN9|gk1UZ_BhLGx zgPMR&N6?p)nyi!ur{vYWN23^gn!&oA_I%v@$L@7X~ z67tje;s$z-oxuwv5MVm?%No2dH%)&u4uqOY)H|M#hy+cNTK5g7Dq!AJU-+IYTRlp1E#~L5PzOu8T&LIgd^y= z@H8pFeaRS=OUyfYW%30x(p{HiiYAL#lDjyX4FiGcl@tep9n<`Km0CVht7f{ zIi#c|RkZ-GA=rG|k?uhiVOxq@w?UCoa+eCC&P~4;*VZN~czFES8#||Cwu5fas?;DJk3C_mF z&!9NRhm2Haq=+NdT5tt?`_#N7d6(pDq70e*xVxqvE%JVdAbK&HoZ6 zE4b{ddfM@!{oR?!<7)npyrcVXOkq?;0Z&YURQ`!4rc%lgSY?HA`^IZz=AP<4|Ltu2 zutvQC2O2Mj$qwr0<~b>vc(p1VY}X;)KVjpI~o)D+b7$G7L_my1Pq{pqLd?murX|7fQuqeh5O zpr_&}!(a$Se>}hbytuo(%|2Y-y}fvQ_x9V5Z$DfvZr+|>0BS&$zy9g3m;d?SzWdXE zxp?z_uP|=%9FsQh0HvNko`3rA;nTyQ@zhzg^tDy}kR><;ROZ-P~TDUoBYL zcTV2&P<2(DkhS#q&$KYkA3t861KsTEB8(jSsW!p{xL`k7Rd=t!R#BS@wJLq~zI?d) zh)+JdVDHV<^}Q@U?Mm3%g_XajtlXaN#Za7%fl9tM z_>_XmKVE$L@^Nu@d-?W5c5}(v<@x39UG}$(z1n|_u7lx#%js*umD=io4K=JL{5U&= z9Ti4UEV(;jFQZgQ>Xv3vq+6}m-R;|tijY@$$pfU3Pc%;WC5}H#$B& zEpBwIkYl5a^S9RyiuNNTN8~p;`0>a0SJyDIU`_t+@>}++{^|Xn-d|l_U;Nqq>$c@@ zCnE^hf4sf?<=emi`9FOuxYMQ#qJW?L<14hKpl$f(-m)g~>Eq%uJO6ZXDL%E|{{6cU z-uHFBeg(o@&A{~i_1m8oe@xEwB=&-S{K>%^KO3iQ)Tn}5HGYSD&3fQ;;&weS6AgRd z=WW^axjf-OmOhFwh^0@Ta{$}nbg(-m9mF5aJ{==GxpMnD!+yC4td0La-_XMgod`(Y z(}VV>po>}tmOp=5+=Y@m{Rm>jQW-}`y0Zon<4UkGO8H6^Kvm;sodNMEuGw?dKQ#M3 zn;L$elz2*dQ`BpyMfT=I?f0&r{apXJbL&Tuqh>Q|@-ZfF}kDrnBuJXLwk_ulqpb#lvCYi47XvV2XFDN~xF(ziAG1O`{ha67Yc z@|wT^^i`jA$~E3yFA~@hKYy!Q1c#D7=I1k-zw^t<*~I+@Vhw-l9Qnjm5o`LW_~MY) zh&#QSczQfBf36k$J92MZV^?R3MY*efFJHI0i1U?lwV6{8 zXDn|;poIlXj<28a)%4nLo^;g&FQ4?*bm05P{T07SQC|$ z^x#<``8d{PQ{g#`r>X!l+}JJ79+zVn^kYUU!O46L7zV&mE2&ui9$YH*Lm0E-@4(C@$Kf)VgmHQHTfVN`^uZKWti|wtQk_N|nP&>S)m8tSgmIhw?|PzPg$g+Sh6_ z`u(UH>Y5owKUCJsl-EjwFu9HiB%^pHF;f`1k+G=nAKL1^pQWFRItdW^9sfg5)qD1?$_%c6(bxvQYY zS||52vUfaDH5@9xrX?I2b`*)O%@(?{SF8%^bJPR!-Id_SD^K_Q1wQ?Clj+z8b91@} zNbrB+e?3FlK#5%BoO!{qsYoQ?)yKmQLmfqe(N`|F7lz9aHbRQzd|_YZDDU(Fx- zC{b@hxV^#yR3BaNL&F#J)Xanu^~T4I++(~#!__rSQhZdwxV&iA^uC^!>{OQ_EtD|6 zzoSs*rzbwu>BtMM$Sb@h6IIhBA6q{30%v&`dON^;`asSWg|>_^{`XD0DtVnxPF>Yy zNDCt@Vx6CytyH8Zgz@B|VT1$xlYYo73T+u-{0EP#FbDLULOMzXrW&m|zACV{>N#&& zT}9^)wqhr&fLWgrGP(?uvcP0vu-@gP`!E zrShbtIJ#=-lan4PQ>o)Sxeejo7SY>Wh3j1eJnjJ4aHi{4In$-l0FkWE!F4mg79NOW z*^Puju_wk%3@`1ETE*WK)Py+oiWM#L?cWge<)p-Y2Px)%b zS24UUpcox8q@*|{#VIMa)y~KGu=<|-ZS&PzzK3(`ANI!b2;rGn<~&(-xgNQkDqEMP z-%QqPQE#9&wV@vqvz>i3Xr67j6U4!2rqc!UGRF@-A~mT1*eTj#33^ZX9fc)7&W8pv zyCd-Z@pTCQ$PJ->oXa`DT5&E<1`R(vY;h-I7u`+k=^=V{0wNAJi1@dvg)nx>&#;Pf zF$vK3?caXZ=P3avG^R%A>dlmrfW#L}JCdPFW_gkC`sxX6_O`2i3ogK4;)s|KOjhtJ zuT%)7s@k`d2xnSEqJ{LP>L6$m#{OuVI+n2}9zd5QQlapzNRg3RjYM}<_E^4PsI5qj zilm?3u1Z;948R4^=M#35z>S&IbC=cmW?AHsl%$-W&~ulPinm`D$u(Yj$YiUwEFff9 zUU#oRELGK=57$Fk_gK9NpR?Q_{XR`?4-^(L zpocR2R3#}r7iqUQ=gB)vvk-2h1Msw603|Tl|8%=BE0u$btlIv{Xh#2bQvg3DDU(X2 z!zd>aX=cJ*dmqV=N%$!N?D^vMy;-R^cR?o|;`EP&{Zz!M3vo7zAGeTar5p{gDCago zRnp6Fq~=1oF_R+aM6|(e3O49vXM*t4BEa5l}w zJ0k%I90{X>-{Uw)F)s;-8Oaq~lFc9vJ({-qeY$ZvVHFiR;wUtyF(gtCMX^MpL=!tX zNwMyt==9MP@lJti2aXW9&yLe`6^c_$@q*If>!qaosu8}%d=Tle1D6RI)}&YQEI=xV z1j5S(bHnaf=VzPj@{nx&lNSBonYa_N*;n=+Gkj(=DsTH0zMOMKBGrALWHqJsZ>#n zyx&7Ad`;Ti-diirM|kx)@G*~J!YY80(oK-@;ZvsfN3b|3I<2dtX^kv?kFZkdUlyM} z$_fpco=P2FnOT)Ek`Ez0<7+g?g%RW`@I~=_j1c*`T+ZObq{7$$JU*f?<zB*nhMeU9NM;wTMrUP9F_6)M=L{4O5_zZj9>J;2;wR+sh?<9)~ESN#hl z2mYqNKKFCRWKzt}@wull*a z%_caSab2QO+laG1(=yfp27dcIcGMxHynH46HC>oV@UsHoEpf)yrY`L##Sa~T6GX0# z4jX{OL;LRLM9tt8v3q60sjB)jI*b~~Cu$}f{;Rdx+4`votyz=q!z&ju0k8Lw-6#|A zGvWT{YzoC(__@t@yVzD9sGla!snEeE&R}B`$O=t>z+w3ErH?hen8y*VfxuZfX)OD9 zaPjSTR>q3a?n$4e;>B3#QM?y7OITEKKHAk+8H96t-<+82R~e3z=`s=K*$HHakf$Nx zNlDWfQs|(OZU8wsnmH*wp+ypugP#D3yPQoD3vckq`Rup?9y0OqK1za_cshMw!x`a;gR5W-9O;iItA(}AM zCHvNr0a`diFiR@`&wr(33$MgCaO+6<$j`TS8a9Z%zm zF$GUOqWMu&H7J^T)Cugv>pHNRE`q+W{QoX7+o#Mxg7 z{J;*b4zr?a!BB^fCZl{e%&ZN5broNWoB)kZ1%V;|0<&@A@Rn!Ju48zJ)>Bnd3)-sJ z@)omaSMwiOKWoKiRY^0AIPKVFR3ptqLXKx>C7>)8=yCER8$JY9hWFH`8{DY$dFPC} z@G^qt6F=M{oqoR#VbUtSfTLDQqPZXMXBWM))!Ap)Ke}c8WAIz%3 z0r)15jY%TKvi+`r=zxAE;Q1RBeUevjDC%F5#o6rzMI2;*KXW`YS#na9b#0^>iYn=+ zDtuvqnoo3-ESi10G7ltqa1r*ch49w1cR+0@UcNkr2nnkDpf~6N=L661ZH3NV_={L% zQWpDe-OGFmD49xc*K~5Ydj)!_RGJE<=OQI}yRutsDcaxwU|WGp{DX}7=J6NGL+$z$ zEx+xX1302|3{$QSUx#aaGk(E@Z@)C{V|uks**m<3;lX!4-iAm28c*8r(AC;}qBJXe zTE%|NcZ6221K*5g9@*D|gr5h%-Zpg!2Xo4TH7c<66DDiPx3}-!o`2`s9YZY#KDJPz z(`O}YoyAg?nW8uDnSqlv*4dbqDb$%k`4HfM^;r8&S)7o~5ZyrNQVk4~Z)Ng*+ia9s zfURkdD-a#8YaVwDzXi0#{-X>9!7|tnIV{{641$taf6G`DBHt+j#vxBkGetXikXjW)U4dD%kY8bPo zO=Td^*I;i_>&OeKN%?ihrjcclw!g_hwVUoWDr3>?&JL+kwP9a`3dT^XZBcrkSM_Vu z%cVY`Oi&Gnpu*TOze=@qowkgS3T*PPShy-*GYpL&=!)rcduX>thdR~n9))EUx(7(*LC?~kiI2a{)QqLV!Vm! zfi)T_cIL*_hqmO2_iO)72K51Dj5P%FQ!=E1o+$Fy(WUKG0i#ngo#A>GEP*fFrVC8K z^)$y)F6f%Kf~!h;pE(efY8XlP;w{$YeqS?o+~Z#yF-_V}js#MnZb1nNC74NmjWjM| z0)8qCbn*9}j0*ca@-QwF@G1n*yL@L;h>jn(WMI{vL_NBC+@?YWxOvKeW|-KmSP6RNhYuMGVK9?s!Jv!6wm@#ds|itjDrm#U=dkBlZ zGLn1FyGY+-AmJr~uwU4JBc=Un7kb`!D5_je^|3s0fEc^oyYm~Zm5dqdVyc&n(`Bk_7_b8s7jIGOPlGbqF+awTr9G-J-_ zxgKJ`@vsTw-~)SJ*8c6TQ**cO(oMKa%dw)H`?OVvAhv2S#=!vXqGU|Bqs<~aTaSfY z2wRJ(oSm)1Ty8>?JDNkwwUyhGw}a{!#LW`Rrc&Vzx~#jQTPw}J?hfu1Mi_3Atf?egh-phxzxt8^p;5b#-6kbZlpjZ_w-It*7!c9(NXk-<1y2?YPTwYwz~h;f zHvMp*Ghp@+!2%Y}1mcZyEuT9)6C0i1_SNc0JP_)a&sXP$unC%0Hn=;IQb2;ipkHNu ztY00F;5YZG+!x2HB_MsiaMd#M18CMZwACqoRu`c<3JZD)5b~`wgx|YX!deW91J0}u z%1vQ<1_G9I=y)(#7|*aCk~LvCF-BHEzRAo)5-k141mG~RFqsjhM2aw*Q4RXdgd&gs z&gB()0(e{Y&rSOnHw4#&^!pJ#%9G>okNjRAerpgS+8Z3G^&N$<^U^>}V;7B{2>%9W zY*Fty-t*6c(H)A1IQSy&edkV5i9i3agrDN+hhy#RECM{%lk`iS>`FpCn+e;k-(1Hn4^R-tcCB6A!8r>Q9CKKTtwK2_bbj z&iw0uN(7%0chw>ytj$R(VUBrI=`n9yRft;sKO%L@R)LG^Kc)qT4x=_N-EZ|lef|It z#1V>%KL2I$%eAM^SI`d`M9pUzHH=c#9I3CEPkeq~q3HDa<~Rv+?z!XL+w?CfWMJZyfGCftI2JP8v4_x5SDyQkyOpWlbIWl0nKHd8=zaTTkzBp~V2MEEVt$m#(g8IH3=rz7!VXv5H|R_A zknVYYC3d*jjtr=?_DrBuUH=%$!QT{goWJ?)pmsRI2x3YSqBY{}hhIDma;)Z%=XxOF z;HMjN!qiUJdD2v8>OX86_BrXcRfw^mgY^Iq@`PD&X*@U_LZbxqhqw56)lN~ zIPSZtBIfY#tO7~l3IVTI3r>_BPz@;_LK}{zaa~|}97an%q=R0Rc{JrS7P`f-Lvkr= z_cvzH+m@@cdMdMJ$$pkn7^1yuZHPk3DF|D%->cc76(U*gPk1& zGgvZm53uCmulNCd=*)VC_M8ewHfm=bV7+`@o~SitTET-ThKgtsHk`)fq`6PPV^skA ze$Rdzh%b&VckvM2tJXv6N6$}qrY^Y?Y1q^u9S_%8E5naLAJP#i2toAuVQK1)@W$OE z`Hm#pso9Pu>y+f_Gn!n<``vK~j4q2=|oORTq zwXW_sQ{W?1V)n#X*Ilzw+jezOZ+(R75DR5Twb_BsfP^vv_EU8h|JVxIK1ISso;W|~ zJnt=>lXhpi*d$>@PGpK>h3Ezy67&OwI!d-$x6OXXUhhrgc9nTFZYfuplFDuO^Fzr;Hgy3CRl&>At8TF`Z7Uim2XDw;mhX#`xQKL@>KOo zgoWBvs=cL@M5H(vdbMbMWPPAx}jv_^HT=)@9T5>?d*i zPLjH1X|whL?47(?nT8TlJ)2Uw2MS@;<}erdf4MDoO||VOKOWfVms@ms6@08fs+Y26 z0y0}WFK{W+JEa4&2lFwV#C9NLvWmQ-G%Y;?m*M~n20D%W^ zcXurm{Fe8>SGx!oH(X$ZPZ+=OKM)qE9i0n-e5N2$2`fF(0w}-G->IHS&>e9mJ6!Pq zG19F^=Mml%mA&SKq6Cd!Zgr>m1Y`^}bOL_MGvz~OI(TleAroOR&`;dq@Z8@V`I&>b zC`~<8)i-Q9#ahQP)Jd$j;!0N+_KgZtH(=rXW0lART`QS+c1KVuq0Z?-*Hx6P1+DyF zqcC+U+Gn&`6|as61J%JYcp}O{+#7n;bz*D^S7zM{n+$G_Kn&1QLVM4y6S}VR7dBYc zb;Dw-*X>uBVhMFk7ZY7*CeJ>SkH^r4_VWnFP5$xneyFfrdp7(+$K;U?up;VL=O95{ z*Wff_zbvZu$drU1Tu+3E?9Qus%3LcIRXv&05h3=%RU8XTzEu~Ck-Q7 z`SD#~hRGGoLV0Kqv7UQ9ywBM?{VLJ~4)-$?M@Z1v4!Jk7)`=KvNIB+$E61L$6kq zUH*bgI>)Jt0WF|1BxR`04dnz^C(Jz8Qwz6crbgarqHARrwZC&3x()+aJ8kb?$BDSw zb~$vW-bkE2epa{sIyX~b&c0!gBIE!@55uIu@dHYqsnTNtkSziV@X%xkjues}4`pC- z0?C5XzSzz5$P1Fv8~1QM;>6OYzIeeKUTyKmYoe1CTMpExcC(sixpXMYc$+0pEn2coc^&pb8(G8zavaBZ=w68{ zX_ZZDK|v!zT9v{*e1rOM#+HuSLvgl&(ZPgGrbW;U2lJwdX%Xnr-iJf%Hq|O4Y_NzI1w}(0BVP-*x-CJiHbvnwLDff)}dM5&SvbjD46q z@u0o9UU=|wA%Ud|m0+kodYN~ot6cr|K>COf$CqAS6ETpK+#*#dBHL+2gi( z-kPTxZYBI~AuG=P~wJ1tk($!cC$SVPQg4mm(UBR0y9aK3mSaB;O_or}pg@q`G`6>#Ton zf^|y?7l8yzC4g%pF*O!2Y98I09&lUUmuL=u`wpx)=v z+J)!sH1(*$7rDVj*&sOV2=VY>VWe z^6dLJ-wPk*=egqE#}C!z+p4dApGjnpR^DlzmkfEKWV#s?x~XE8S?%_{UfVE-Ad3Q*A{U< zc1!UTXc5k^S#~>Ymbq|*zico?&k8n@s_IB4CIsRpJZnQRyySvs1#p5YW!OW-Hp8)~ z`h-MUfO=&T60BF5|7eyy4yj>68>(jr3NoE^I>g9O`6oxFfHqi-+nS zQqLA5-%sf2A@Y3(0j^feA%AYzK-aLf{)kPyeFE!Xa8TbR6Pf@{NM&4B<>M#Rjkf7z8qrc4eun`S$Umlu_@{WowaT=jMN zA6~*tcn2pD;1yZz+ZIpwC~NtF3>`3H(#;FNEII1@h!_I}p+W?AHODCojO;L9Sp#^fON&>t@O&?`Wxg$*tAagSb&oQJl^KCEdMENmo5U`xjy2SoZ^}eiaA3*k zfyJ+We}69*>!Vbwf}|Fcyee^~JVT=@NBusejMr5i;>9+rn`Sph^H`LWUwlljSt1Sn z{rX|sw%c#!=pT!ceoFK!ZZ^9HUHHz>tjUU18cH2+uexEl!TU@OBjJI>$cWyBfU}}( z-R@Q*Qt})gHWayb1^Mav_U3#X9NC50cC)Co-B|ah+l615943*MrFlPx6-6J6B_iL? ztZVP*P#MHX_u}@wU)jFvn~fg6C`zvpfhb_!FdqwSAw_vm8!?D;Iu}ZYpM=AaOcWcR zLmKBcr3beumUAf$q6&-V;+#cQO*LnTqsnm( zS2xK|Wdnb}nN#+(0^| z(=43uP%wh@k;r;U#**Wal4nvsKUY{RkC>sgV9x}XiKloK{v!X;F&wDuDS+AxU7Hs!eqY_a`IvN*fF zSm3$ZbN2T$m+{gDI$KR%PXL0pounfn@0 zfcE{q)-3U(h?pS;3k=9iDAP~q>ztw5AVq5b{*zZzpU+uu8KlU51IeO0h@JsQ8<1YG zSsJ@A4E91`Lx#z5I3eR@2OyoBNR1)n_!xrGQCc{izU~fejUxp5@Lew=+G13j z)7qB3QRyC=S9OK19J@NqFees?c8W0%A3*L}>~Nqdn^*|=3-tV^1|8em&+z_uR8{XSV6jRf7^~#t{$2Ls3_tzsACD?%7gd1!!aWE zyxpKdd*8tj<~{Hx{KZ~Fa)M-B>%qV}Adbv+-v07%)AL zf}w?3$Y6tI$S|7#`am~j_i!*X1w`fbfhEVXI$$Ih2o*Vy^9RYE!_5+EJNW?Vk?;95 zaPTZf=J3OYsM&rj?S2j&?VfWHpWTx0-Q6a_VkTEWm&TRM-A1}xLk7Bbn?phQv2+KEW*^2m4$88+Su2-z%>lx6 zB#{sHuA6lis^8z)ctxFkk5$^!Ww_-$J&09!k7gP1N>Og~j9IF|eoh0}?P^+A&8U2^ z?x`rLA2NbCjP63UkM8K_Rg=Cs)a7|7kzn`fUgzku-JQ>%>hzrMag6Q-A1-Gw8!m?y zl;Hh0vwW`4pkQ#?ZuZV@N8)WhMmLx6^%{etL*Xbfud70J7^b8+)JNf{&c~9!$z%t) z;WCKBa4Fxv)~mu7nlDUqP=G&MOi#Q2$spwc<5#C|>>wo;m)dTh*%sH61;y?*>ztIO z!Qu5gb&Kp>UV}@+)~)H`h1H;2x%@uaBxtB7Zryq?)CTNI%OP2)zKJB+ty8kxSM}&` zvVH6R=$Zw%HgV@xGQJH~HNK^W0BL%3CucypV0B9TIcvl@cT~A3RU!(VJ?xw}cw4YO zE#8|ws+&c=>)}Vvye{^fV&c<+uNyhq`^FcXCRmpUWaA1~<8WvjtVg=pHM!Ic@R%E= zXyj(sqQXjr-+kkYYaE2E#z6LjT%Jf*u!~vjSACc=wYVHX%9L;X zVTl8D=s}F9L5jcegdPu261LPPO2b)kmf#-wP7BizL*9Sm4wf8%t%g;$#*nr|5wydb z!VQLn6Eq>A;>%MLOr5?;Uet%x0hAtA)6?BEICxh&LJ`J4p?Q(Ri{)MV2t{x$hIh`+z|iaPsGT{@zo<7R5Dk?M#*cT5nb&x0_1@gvxvUCs;+D5se4gzDpC zrWp#k;AoIVRX*oMYz)LjfKG9t*|MyZUl_g!=u~#i2ExzzOLm`EHJjd!!_D9r1&KqqaRV{T*>l)-8TZg@ z9N308A)j5~KS6{~)RdB@RB94K-glJnO$nQu%5kq z^Yr5z_LJg)LiEwsv~N20O!Ur{m4`1udB$oZ%4b3VS5gdYK~>5mQ;>v2O;bvmE?K!` zMCq0aUXz9e7Bo}@T&{0Hf}fBR3ZUcNn|}+GIFmn0R_r&stb54W$j4m~6oeF`Dy)NK z!_VZ2S}d@LlYO%RH!XFwEt?(R-!0m_+QN!ZU#?%=HQ_53tbe#~LaQ**myY#m)#1gj zS@BOq?*fW1sCZ=6svY$QuTZT)m$yn+J6bP^tj-2PrJTMdsK#4~53H1nKc|9B221uM z5+CqWjz4D1SJAEj56#`3R4Z7i1k;*o^#;CHZmzsw7s^us$4{Y76!SlD<##OKz?AnO zZ@6t481C`+W0$v82U+;7X?Ctpf|P|C3_#90&__U)ruSu}Hf3tDLMD#qvM}F^c=Kr& zSUYf*$U8i$oui{Yat(FWsoL?Hxc#X?}+}lt1YxZzE$-`y|KQI zRBMR^wH|;&YAs9S?>eE8PH3o4U{nY0L;MQM^PRLe>W%xY9w9x$E_lJ7tGM8vu;gv| z1WV+v@H~XVbW9{26R|##FQOje;w`U-xV;2%`!k^x13up1m-JU|CW&z7u7^P~I0zw_ zkOx6!`4EI(TD7ZBKw(XbTH>$p-LQ~B*kh_L7qESe;du2OtMpV-Mw)WJ=%$)&Strsw z?sxZW4pG0nQr$GAzS?cOYb^dAi$~S3{{PAQ*6l`-EbCYC3xu=FRb4aRPo<1AH6=?P zNzSV5KP)W57HtF!AZNOs{)=4~nQi1%17GlF{yPXy7+$V7loID@A0l%hs2qXjHgj6f` z@K<*K{7HxfCwJoET1v>7gv5uA>|s7TA#3g0HVnS;uR~P_x-(r$0g-Y*B`V2Dmt=jj z?6BTJQWKsO|CE*Y!ezQ*l!#sDSNJdsoS$rph%qcN_#+;yrHdHD${8inXok1|I0+nH z7`VqSI6u)ANto5i;V#G&W?X{5c4qJn$(!XK#E6BsVg&*9Z0q!EEXX`rksgO5!=%7) z5j)-s`UVg3!YHmx@WIKc7dPSU#=Fz~V975%0jkS0F;v2b-EgXxt8mA0Ao~rno)Ph= ze>m~(;K32x9M#V||*yVy2f*MfV%72e^}=-seX| zFktQRop1M2%Ci=VIEi2h_jpGQ$o>K1SO=lwt3`mFgU;C~gw5}H5cix09^n=c(U!W- zIO#lrKl4mY3K?reSu0|~_oj%J*|l=>S(A`x1MrjbnT8xCe!D3i)+Z(!0BNh`)Wk=h zpOno;JIMl{aIxQ;mcqNYV(EF6DqH>u`n};d;(Qnv_H#2i}C2 z>XWGP@9740W61copy4d-gBQK)Qw`)S*n{oF!eNK(I^i{TGyAt+BFDB#&UQITxNpv% zm7OHKHkHp-2mt%BPyzOxE9t+EC<%21jI=hq!)_pt5HLNHz$k_ zmb>$#_&RnY=+CkQU}5d4c1K6-QvgT-fI{Zq_%mMt^u~==$urdrjF_*UV95lB7+w9G ze%oWd)&mx@)$Gc}e2GV5g%rHg0?HC^0uMvir`}=++lK7_c7j*OQ{5<+Pg%(=j5UV2 zFeMsS_o`E0I)=8=L3{?sIU-+nK4^HKyhIq7m)C<4LnKe=Bq_mL2GmX}4;rBPQ zVk>J5nH?kIF4$P3q@)BMKLO*#>H;jpeaA~x`PU(-W9uYsy@VzBQ&db1#0-~ovQAd- z&#v_nT^~G41V5lQ`-!#3duN^jK+*t+08m0+ep~Jk`C}US3LmV+pVe^;aKL&~ur!{X z4V2*-yCh||gzaX&en@b#vlE$|nk23Gaw4JBjIP*hX4*6s;Z|_vTMcrl`Q7wKGLNP7 zLzur&Aff-}II1g_t{D^=FQl{NHyYx`s>&uiu_rbvo}g7Qw^yG|W_~YiFU2G?#V2+~ zYLXD!4~J!vHd;wXY=A7`q&!VT*J_upXj#}EjwIDtvX`Wy_WFwU3HTKT+K^Z!&m;+1 z3?ssmfc1NDYvD4!)A&y>=S!!-A5FUA&>-EZ(?|>qoD_j`SI=RiRHa#42TnifltbgR z0L+mP1th-hR4+XeBNX~d{8VRR8aaI4R(&i6QKSk~9cBJf!iZ_@)!nrG%aTnDcalPH z=ZO(;o$F+CDWoheQV%+gVd)@oRwbF_C;s%OBuSj{;7MxeCDSAPQIgt3%N`OJ(+~?Z ztETyxUo?0cC1cGc3BG{8y=-!sOY9z(Rg$ibaF9SwHcYdLXz*Z8vdkrguS&H7l3(D` zG`VLEiF7Jko8?Lp6^YLKSN#cx7Mr6 z6Ui!x$x9EDO$6nSW+lZ$BOS=eh8~5L zSnM12j_uXtEIBM~o2P_I{BrPyt9lsQuSu$P#S-bMR;)?^8?(t-4rN}pO0u`fS#o%~ zsh>;p**dt`7QzFYy4HK@uz_~?Fv!MJZm1YOj7u357LtQ?LM%n>4i0XSSaPVX(@~%) zweAB?aXH~N-|>zMEYps3>Wi1R0y^@f8|ugsB&n^PG+7;zz$OK-Pl#Kj246OUOMY;X z%_s5QRrs`X& zOZ*D;z}LNYvCSpSSH5L!HPTuoLR4ou3z(z;SIS#J{jm)3|u~H5hd;R3w?-6S`Xcx=0gh`qvCfZubEJ%_8SzE#fl?W8P>(4BaHA|#LDa>gn zMx4%Fy&TM@`tk9x1`2|Q3G?5P@0qN5??pIHB%NNs<ax+FSzyL`LbcPYj{*o zV;I=b9T&=~31byy<7oKk3DpFl!XdP4c(em`>UORN(x$XeT}v6gPBkWV977=00>=&m zA2Qa`=QvR@A(l7QNIT)gCH9j=i%GLQ4Y^XoV&ZZe6r{q(xjWTTr-ywON>=v0YwB3P z_l*fUff-vo#2-t@3FHYL2|q$&d#ZkGFi9MAOqpt=AA5Jj^KiR@N>Wfs25O~}S>m&Y zjX0SF>_|8t65DHaTZLtsik^~ou^dLmG`dF0i7uaJ0puU*YbS1#m*du8b}mn=cY>9PnNAUe%vfk7BBY>( zBw!nHf|2AllGUa82Rj#q@VaW7Sy_5MEcCkJUlIS+q2gN-S$i5ev0mxpY2msdIBKR5 zPlSIZ5uqzgZi&gh#Gq2< zDslK8X(PEN4sT`B9c2RkCVonO5rT;e+9M2OIU68_>tsesN>(u$kimFLxr*5U*x;)- z7a$YGa1x0(3KaoNY(YwXkw3tI+qOwzEU|=xWhEe*DvmW?k{%K1$(>C{q)0;QR3=pD z1>U(5&m8yS2iR-6)i2oE`65Dq@URVA8pbxOt{pe}NZC}%vGZKJuIwKcb`O5cy`` z50;%3EIZFk9$Q2B_RrYrIV+(z3nSLB>k;jF*8W3%1O-8oCD?feZiJ3YX=Y*VH9wB8 z*7K_cV-h>HrW-He6$nar*kibWpYKf?e@W_UL3_$z)9k<`V5DZJ*0U?jo)xjAy31w@_Y zWRutELi4fKyVp7wJ9--f>m7rX=4^_~z2#zoSzL%*fTq)Y6bAAcc|^BuPL{~}z%O^4 zmn~-&G8vRizqI>aWz^T5T*$L)KD&@l347{+AI4`ZR2HGGQXBcSzEpqv{wt*cL_C(M zxmJwZLU*j`zw=!iyxWG3O|Si+$#*$t0eAoAj5bwKrIQF*2A&A;r=%^=W6qP@$Rw9i zk7aQBlbT+Z%ExbbO#z-R!#8Sf!I?O|%KQSHtNX-y33U#I1AGfIdt$=5ZVv+9cZATCVV`JKE^EY?ux@UAQX(LgT0 zJp=5C)dux*l6@x}8zNap*Zdiqs!hKteht4vM!(Vx#Zr=qiRDij%cfh<})6Av9<>u(Spv}OF8*+^nxVw>pE}rGEgQ- zQb``I@+@E9S%)cK>{)Y}CpL1QEZ6d2eA~oP9`KInQY(tnOOEk^JXg_dE8@_k#4IuL zDPsiVHDs*T6&5=LDtRK4Czx7#<#n0^$#cj{U0azsT#&1=RlMHP=r}b@K(s>>A{^rQ zmI!@#I_hE##Z}5UtfkDfRT@&lkc>FAB>)%1Xw>B{BR8Ik*jOW79%~a!$(H6(b5mAjzcV$j%rVew+kH|~ad51c5wiPzobV@>n3|4+gzIL7>~^Q7+C`Ft zC8Opb;rN8sHCf-XV;wPBUjRdYn0w!Iu!Xq|4(1_tWUCQ3F9nCx71_W~U)cwTnAY8k zePr`f&L(br$ib+qxJ;bL#0g7@q*B7oPX&ZX1)+Rq)KYC493GP^vSFUSf=23X`c|V| zriknY{=YGAz|Hovv*rGwpcB9u#q44B)FFy7ve+99`CT;{HAl8SFKHV;xJ@+w*{^;u!BX|htd?B9IDZm{Q0=H5PyPt9RK{|V zb&qjP6I>PLQa&e|zh?2C9+knV(5a`hIG-kPPF-u1<<#5>UQ$FZ2i_6qLZv~5>HW3kaM?J`NPU={^Q8rclN+x@yVA-9pZq4_rc*|?5Fv(fk zLYQj*YO3HA&cW6snf!cUouA?9CO@Nn9pcHp=|}cxg#^4nVfD%P6JhVI#v8$J!G=Io zxBBGIVD))yEJH7WB{m=7ohM6eip@Yg>M*Fr4()1=*rr>qOKC>{evrE)s-eQ29AGw8 z#3)VTt~@SqNwZwu`7FE|SZ+YWErbZNspsz<52oTy!j;d|LVRS3TkDW2t+b9w zz^$4Dk}By4a7mRT@8fSq=@%qj#!c}S)q<8vH-n46c_p6$T-9e@|Fk0&sY;G{x#0Dh zeas`)b=^}~4U_}S9#TQH)IgbhsuD7HaL%4rakO$q2{%g6=-q5?w1N&&4h|iSLgd3% z(Ag~`VCPo!21-W8-s)#~af=>{&TSr}TBukSy^vd|(M`OKdoH4Ppr~YAt zH$)oV%v&YItFuGPQ7(wDUqZ`1 zSZ*~HzB}7=yk}pJ!;y88u}-A*FZ^!@e4PEB+KyG?HnD$3iT#;8YQ)Nsp^~rPejAL6 zGD?`yx8K?V|9uSLzhAxm-Uv9l{BdBW)+>pN+6QuU;-jq2*ul~(3~O4G074rUJvWJ7 z6`JD~Q@jI1S60O&a18<+0wUmXlJNa^yqA8EC+0-7CuQz-HJL4Di!TizLwQ4=S;N83 zm}Iy&v&nq+uV(OFr>`P@1RG7wS);81%pj!Z2ud@vS+yTlhN-EzvkzR>my1JZdyPW@ zTmRt2^h6VyKM?7`PnqJQ5z^Fj`MB5^t0rh)tiuZ(0xLK4W%Br?ynslz#aoy?aQzoi z3kFu`MDP>rle+eUYx;kMi2386)Z-YROQlr}a1C?#L{d{ka|sh(5zR34(7e8}D3SqnH<_^#ZL*frbh)@?O{e9e69F8LFLxN9wL&t3M%H37?}#7vs7xz-Ie-JF zbKr@Hh(a`5d}Hn4TXVAd@_277Hl6T>G5=@QZasr{8HWEk6d3uxV~yx;-d+E7d~OWG z@{exV9AeXdHbcuBvcX!)>kt$FnQ%1A$BntXGgp(vmu{MX0S)&KhK@6B>N)4|!AT$y z0qMb5-Otu*R?(Wb#$wjd2S-hD(w{r)5S>LsSnWMYFs+RB@^LkVukF{#7+x_Z|sW>@rloZumZ!#eq+sw$>)xGb_Y)kM|fwF zw`n+!i`o6d+<*^kXZcz_=Qc3WdUJ4s+>`I)f+dXQxn=J=tgnK`wuo|=KEc5&8Q7d( zs^Y7X#u(ztPJO=W861Z=!bbAg)b@RWO-uuuUs-RVVx+FE66_h)L_bq0Bsi(XW(9qR zKE&Y5Q_r+qh-J5`V5}dOi?z{T$q-_kY0(gBBxOU$(WG$vfc;-KtH}W}=Ix?AIX`q>9N5}tNAY;sf){!~$1k6w7^Dc-SVt-U7V1M$s zS$4qX?KiV@q2)ky-hLwp;oEQKaxwqj4XGfc&om6HhvWuemf&FY9#+Pkv09xTimSu% z_wh6Ccad?wH_bTriTja|7oaiq=GepLngpRPC=k;*%mS>Sx%6#z+bG)RIdT|CH|R+C%v^JG3*OlONP=EHJ6n|>EPhBhkf ztrwTRjlx%$zMp)V8{gV+2rbX{_oHwSrdN~2?ee}A2k9zx92(N+>(vTM*VoDVYb!Fa zfWQp>C&wFy4%jE${tA{bn5*UI*`g68?q^cmQS7(%+Vb96a(3W5-oRC48eNH3S;Ei} zg>JI=ZW@c*hvjUs=}iyeI^5(xo}VJp!@9tCYurs9=NohV_<3#gr;6vB^2+&1;`z!s z=+$Cr-mxCX=gIVs?!+ke!mGTenywR_LrE!ysk9*oQ>tUmXX{Px63NTvc@>}%rBu+S zbcwn*HWOS1+e^`^=_C2vs_B{@k%y?i>neD56?iA0EqstQ!P)h~>Fut!x zlkdDL!n*SH{)w$GUkuS*9B=6Hik9+$J1UME)+V!ec(!OXwjqOBxKA<)R4TZ|_5KjD z|FAD+-VCWv9#$si2H~)HV2+!s`^Odg4?Ak+P3IE){5g16w3__SpS*Ya*I&AQ(?h_g z6ccBda^Lu~6Gp75Vuv(}_`sm_JRm+6L(ngUM@r$zZ<+jv^(;n-|A;ftfg$_$Ti@(| zKU?;{Uw!-iBzxiEi~TCxCF0s~ILB!_o4TxD0ZUaYX$p^D!X=GJLxZXC_?1IJ1PX#E zaKS7q({t8K__BJKwx5L z>yY{rvd3`WZUzR+41T+50`%9Rf&O~+?bo_MRfNZba4jRQSV6%0{9-{L`v92EvuUx` zu~(~nKb;I0TS(#v3^@iv7#QL_69Hy&duz__%n9oVE;ikg#uMPp_rsfhXfoTQ)5jA~ zfWsoJ=K`=M4-duywcz{p&E?8u;&dtrtabSjIx$UD8CwnoDN*EV`OR4UxteW^M2)^> zIFrIrpoT0T1)}H|5jWl`Hvr)Lj@Dw#A2hc+x_xcNT-hbc?yd1X4JEHX(Klsxr4eM8_*`@bg)#{RRusj%&_BHFV)re&#&dRnVK;Fw(ebwK!KTA=%t0eZ z(1?UKTTJJVw?@ALn5Qv`t+a)4?zcbGOFa*ciCk&ey-zfwI)B< zr$FmYvGmL_!NPgMt_eeD_T>cEAf!*uS>&cf!g)TdjL)l)s&1y8C`Rm2kIC5W;+nwcj*ilXg ztH-4+*s-^~%1JbtAaIk%Cd8TWJ?h0eRl0l{gA3=Nks@fY*#-8vbkA9aia%H43ZL;; zJ&)@85=7RXnoa;Cu&(b1r?yXwsRlqLP5@)F3hH`tZu1Smk)LJPNX$b$G8YU ztPwrg@GTOdA#-)C0O+=ZPte)>w)6ac(!EB%lsE|PVB>yyJG=W{%gKfes06c)EK&a@ zWF=tl#2DR8U8$laQb*nO-&fPNPWFu!9w{<|l|CT^oo^0`|LS?Wf1lZiip928lFy`+YIFKkc-!1U8In(&0dJb1T*-H|he$zjap?wnU46^%n~k zLA7ahx4J{5XzJED-A^vU>H04N!30b5Q6LyYN zHUoL=7}d*fsNPWrE2gf)x?QrGk>7!9jn5?{hP>gR*;o@kiXuorvNlqli5h-RYcu8O z8Sd)7{jhBLog5T?jZI^*Io;n+SW`YwtyX&TQyHve3;q9-F$}w!>e1eix zpj5${2}emdN*TG?TpO!z#>zBStL3V5g=&R19z~S~k&d<5i^&YLW>nEpbPyOb!A7A- z%%+B^5p=Xr8(H#lUymK@aJbY|Z_n_biV`F^uHXZ1%k~E zrr7;(-ZBAFB9In{^)Okl&COTV;rQ~kg=B9|7#}Qm=ST5%>_)HxmZcBDV)=TO>J2KL zYLbFNj-k|z)>4<5TorP1Qh!K}5)_~0m+Mt(P4m~~eR7CzK)SWZ`C=ZHk0l!%;>ht{ zuSHAg-;wW`Prm(bT9Ntm9@EN(Va((3F;07}HHtA0zn7RNqD=(m3798VM7a6?SuYpn z=jH8pbFwx+f8QAEZpc9lrs_4P{jwAGGxQ)B)akXRrTh@0`Q&&fmTGiP43i+jFh;&J zKhG95)@anCV!G6OiFc;WhmERd>w4uzI1-W|Ns~3_#^TH7t9fh8XZN!j;lNL@k6GHr#lJHe~tsRgSpca1CEfhQhITRJ;Ld%&C9)8P$I!p~`>qzvhh zUJo@j#1#@ynVf}AxCR2z;ED&R(E8wu_|Jzhhl7mqT`8rE!|m2~OQXp3U(n;9JmD)l z)#?#i()ENCKB21y)RS5M##X#gY(;8vX(p4|bdfQF85mrSM%#!R6|=sk!_ z9dL|dD~!h_$RQ-`)^OedwfNw9)Qt}K^Yg)V-(k4w$#tR~9l5ktLrbLC;C<`VeMWL$ zV~JS(UltOfX9a}ig&(hJ^DK_HL9*6wq?+dl!)6;y)rB_o4@-H>iYINJacW)Fu=H|{ zx9M0Jc8r4&d=wX_@?vAA2Yb|vOPhbR+h-h0FJh zW`)Gu?J!bgaFH}F!f_=NLlT#o8xj-BovOh93|}Np>mdH5k*$mg%tsb){RS^5N z3u5B$@HI>+N%=R8=$o-x&vdGmR7f(J1&X)N~N(l_>1tW7f& z^h_)u;kMBgw=V31Hzsgt{c)iOULe7TSvuIK+Tv=gL+rd!^PfL|4$Y_l5=lWK0BO2h ztc~g8X7CdBjwe2^*l!K?{KgH)LI{AE#4ey*5{qjnNs)v&;T8 zU??UG}9t%4+zWKVE-EFiPh>rqapuL4g!_YKR2#7#1 znL^{F6&H`jKm71@OfnL}!r1(|T>a4n9kVJj+_1D%v^YV}JQX#r4o%pnFme%;5MWP4 zRUw2?R4+mw0^-BV4)}6Z+e6Q5?2qgFuZMt#1TWqHkfbDA1CdzR`iUh0Y$3rK^pb>R zTYw#4LWHFN59A=7+y~KsWLbRVF63r^t$e4;h{WH1<9l7c z{Z_rpr4ivEq|Y=A&o8?f>jWF4{;)FcjMb{!4FCN+GyHdv;lJ0Y z8C~d{CvAldqTQ`#&58e1XCm}w_`FrSQbOxFHsvhJKYkrshzhI(v8wqMhV^zex!ag> za^)Yt_92k}{Cv)u0KDbhT}|de$QMCgKQU0Qqb~V4s3k5^5B8jg=q%vkW1y( z8(7cv<$Is9@i2iG&^1+ZDa3cP`NmlF(lbrT^YgN_`H8~()vqeM!}Igr^6Jefo{cyH zHJ@<&`gnJDKUwI^IyRCjbm`?N1YlQlLsyUgv*IH~EH~I$@|T?z+CQw2KCv8tIgh^^ zO-k^@vg)82@kNiT3Nw zg=+=`m}I}+45ip_7cSUusMl{p$@R})F1>^y111^!JCta@UwR??otLuT2P_d0nhYS*%_Zw}BZcbqjceHBISZjW=Dh`d zR3t=xdpBA4D$vF1gTVV%=Ov`ne!ob41oST}!?^w4r$*4oxJZQ%I5ds=R_Eqo<+-_P z)O0*n=el*X`dE}tEyXxif^^z|uAzcvt9cX+8n=&Y@Yik>kD@@U=5JjUZZ1QH=B?Y4 zLNsX7j-W%!#_MSnbX#O&XwbZEdXoPI&~M!IJV{=^y*UE?RxQhu66iK3M-ZTK!?70m zn+ssC(Jtf*ERqeyG@zbMz3n^hD^AXmLmqbJ-Lv-2*4)$B0yhn(L=k4xPGglCZa7ZN z=m{fIRojkLI=K5dIm?140z6URZ@(`l_p_;aZ)_&Flg*?@;rL@_6ob#HSNeWY!tuul zf+ql;ugWpk8*oMShw;5f;rLFRRuqLs6V+ELqBl zf=PfLJpEQu@WpKGi3AtPLeyQRl+z%hv6+5nP!4_zoZ{ox(as8~{lkfOGK4{StkZH` z@}@u{o_;HdShCp{2h_?jAjb@9L`dykHQ(D_xN68?xtI>A8vFFJ1WTQ9U5s`q9;^qs zSkE>!Jt|2Z!6V+a^&>J}YyV_hpq~hs=&(e#7Pv{kZMIhQ?rnFW@A-$Qu4a(0KKe>+=4yx`k@ku_+3y&NDCV9Yw1D?)}$*ON{YR;ORlR6EiP}(RI(%5pmOA<&RUKyLo zY|%;{VT83$u;zL4?e~a!Hb24Dw3>~Ev@%KJCMMXCKv~QrjhQISpC9k;>TcI-rH&a` zVeDA$C8|UucBz*6Fj;M8lX-8dK}>PeJ_IiPX^QZy7gfFhKjHX^!hiQTpPRRj4|C%$ z*hOnh?t3hEI^&Axpje|(L@h-wu^cJPeUumB^HJ*4wgoVZJXz44wgIZ;iOS+rpRG2C zcx^2DEHu%p6I_@ofO!4K>_J-I$Ta&J%sMTqtVt1C^$_A zAN}TbXN9a`#*)(#tjH>em$KGEH%Og8>Lf`IcVi!MA~{arn`sdlzW?1y?X5HdPW+Dej_hPdIAW4Ip@h=f)jpxx@TX* zanCr+HJtQh81u%t8T)F5W@@zoKFa-wUq4w9{atU?{5Wk9;wx{lg)lrd68mbAW@`08 z3O^C}KTp=i@4xjYllHLBS&7tq5a_f(Jl@@5|3t$J6o`k&s~P83I`ADWh}*RV;9f@&!UE!1KkIFSlGq==9d5t1fCI1%DJ z6HbKqAps(jhX-SEYtHUiKXA6*tj*=hoZQ~_uWV#_PVD?mFHcH^d_7srHnV>jorxuu zY~XA9bBZ<8z1#R)c?)##WteVSaOX#YI~?=AjTJdt6HdqHpGHU|LV^hK z6b3_QQ*-jzpo4QthePO^d{EIgVMW!ss=;uINSQXS{JMHv%}rx5UEUhE=I7<@cWq@5 zENk#Yk@bRi$zcJe6>F&Mn5pENI20eEH!3e^$yH_%1QhwwLP30#h}21vIwXxmzYd|J|NMM`(gEt_-Cail1vJDh zT-R?qbuIFP7@v1uJU^u8sgVRu3V;&+e{&+ixSUxMt zp>vUHDdjkyuP0v&bMyVd=vW?T(wm;Ozch6KH$mL@ z#^&qt)?7^PyVVAvZ+-Wogi)Yz5^TDhcPdFp1NZ&%-X(<1-=vlCF#q2DdlbP;iMOSu zV_%dq5;t*R2j2fa8jGo6&Tc!^2KT50ei&brG6`yQ-S)6tY4y`Q8vpRa*K7Om^yI@v z!k_P|JIr2B?(-FXt1F5~@KY*5bitWQznKyuVS*_UOi6WZ1ycUo)h+znfd~-|9m{q8 zMt^6*7iknZmUnZmVjLkR3h`HQ&_tJt?W<528*N^d(sbz3LyA(dcQp;S+0IpMO*D7O zpMx%KHpxqUpyD#OzUT27d2?@hteJ?r9^t3t7x@Fs*=+GGvktL#byH#v7yp(ZX(uLD z%t@+5qzZ`?@*|2LL4K3R&2nH};rCxYvap=s*UjePml34B`RLN#ptLt5Nc-zYm-bhb z_SZqAefGm2R%mZshkEgrhOrH9t=#C^a(`Iwktu#Reb0UWc)FLdC!D?fogn+k{Ljhv zwRyK({W)3Pn#;xf`^Z_uH+hKP|C4fuZwisb#ai4bk1K^8s?A z)h?g@a=?se{2!PL;Dul1gt<00gXBhF#XIon&mF7S=stx;Vts?N4_vxucyV076e}yX zrl#wM%gLlFHAq$sBGpj7CT8~!bK~AvY$h9+uNUi0re*^l6#Zo9E2V*X@U}b4d!hD! zSndINl92zyFdodu#q{fB@nxWaipsnR>Axv1P}JH=@tjYWlV>8 zz0f;e$X7(*#1kt*dn@ODz_v2zF3_WTH)nEpp) zOTrqKH2t}nZH%!qBCw*!jCY}bc-j3&RHPlI^W1uJ6a{ zOjQ#k?kDSwo-?a<+65tfrlI*EB;;JAk`F86&RCfv2?`78ovrmT6qRIzq_8t!Hk}No z>BkULvgk!VJjB_<)FEFxPhIO0J}C)ol4U?RgIi-h`973ruuCz#Xwf(WW3^f~s{F+E z5sqGMU@3H(EC$$Ne@4aejkO>{W1s9hI-M$I=-NLZD&D8ZtP$+P+kGhLy zd`7+e#$f=R_#}Y6d1e#G1hoWuay%=1zZ7Kz+RwAaWc9ssEgGJ+z z(rnFDr5vvH)4Z(W!4S(LGN1fq_Eb#bA5I*%{ALa)iiErQbGF%Z@SS6FC^rvD9jooH zVgy+-uz4+;z{YB}mDh@Dm7c>U8}CO`N5H*XHQjPwtp;xzUyK?8E_b-qy&4Da!b*n% z{J3adLjLxB*gwH~XG#{=Vs~%fnQR|~y93E+Q>QOMc#Xke7$72P51oZ?H1OE)9-V2Sb z?T2`O1(Po{o^0I#)pOnL&T;LKdd=qd&Q;4JUZAY&PQ}FqUK~zm3Fd>ytLQLQrKH1) zdGo>4yh+P>Gn}3<&-y{6L@G?hTlRN20co(Kdm379^g(1y5n^H*>TDoM_Xjt2K7y2- z$UXc!kaR(VJE_y0s#1aJa}-l^+ViQw-QE;0T1GC-|$;+1=$jSwl zx2(*Y^;cQ;m<4*SlP^CPT6;@wmluc70pGJ8)QvJ^oQz`Jr#JbF$hZn|Mt3ehQnu@P zo&VUm+}a8KNO|}HtJubQc&XKI6EF53J10AJYJU#7TG!kCe^9ozcYco<>v-_eQ`_9K z1ld>GvE1m|hXLUm$W(Cz|MIQ6R>T@Mb%wq%D~eM8#M6Xq5UDp1UnWda2@{?iJS~nS zY=W@y6dd5N*2Uy;^R+LH4xwvupD(ugF#kpH`$B37*0^n-0pm5dwRy;f&}%5 z}Xb4~+2o9q(!?q%wn!*_6$01cdYmq=(Mg z1P7AlpuSPaLG-lDuaouHp0(Q_LiQitWZqn=c$@^k>E`PGamD^a@ywf^<@@>bqD$S+ zpS-~R^;he%79E}6ik@%ED;FxE z=M%+Xu{7@{^ZDn=^p9S|lMb44BFaMiay!{f%)W~*Z=L$#(S;B2S&~#pHMfDkS9KM?%nw;z&4>TO)z$r#zDFNa zbf6{`|HJscJ_orkup+N3_mEAH`f|rGtn7HF=l?EG?wCkwi{%F9V`qzcb9r+4U@8C| zM@X-2_en*0g5#W?^ry9rlgGqUr=*qZ2#@W3Vm4I7C$Og{u3SHuig_mzCM+=(<_V5- z>Xi^N;PO;m{>(4;t7#p7>u0DScbCro>06!PBb2v78Vf&YRMtWo`G;^z&AsnAIN7%i z4(1_t8ca%BBe&N|eUc|dwPOA|zzAS^wS zN)H|{B1p;!l9bbt-ChC%Rn>ox3BDDcOAPCDoVo` z)*-Pp#r!Nc9(t?pSWV(U9MTYf!ga8pP(o!{1MT@{f#vV#ZNbf4|ojQ>8{k zYJ{bR0#;BV#Z(BVLJ}&I>C|}Gn2(Fi>T$iP_nq%lTs(O<@mCXnzF>Jd8U8EbWWE`z z+1+;&Gp5C>q|QAuNcELeYGxiQ4P-s5Jh@H(mHS07aaE@ zwBSgM`^jwHqaIFRTDDy$Ec{uB;siv(ojsV7+uOR4-5bi|$L!36UoJu(gi8?aa`V+# znTyH2(W5-<1112N2*7ugW%V{WiIjjbID**X0B8mn$pRw^7|eRi78QY9o0ArMzyjCWp05C6 zR~82;#Soja9_EwjX<>Ghwe)fM_tpxmC&zW-cNO*xw<1-N=a1v|HapVc${$3g%C3sv zhP#NazHT-TE%9SO_%R4@!>}`M-I7AQ9VG|A>}Gmee=&V*re82o_#N*>y=2Kmv3$)+ zL*Pha`ILcT>ROBUOip>H-?wATB#&7}yMga`zq*)V$yDl@YeN7x>SL}d=1N;@ROh>N zh7xIiwQ33kYmdccY733_zFpodIU9`%kQ0UcetBE3Mbkp2gZJwBKfKFRNdkXd{IOX6 zx#(A;%PmYP?2n7u1qxPuxX#|eWt!?FRUv`z!PiPP)Kj?c&DHuct7marTi!fDUxCd0 z@{ewaywT9a>*Eq)FbIdS{AR4o`RsnS>4adNcf42c@rPLKLC=X&8TWO!1vs=Tg%ml<&smbWJPT zsW5=z!U8_No>z6KaW$f~eLc~B<@e(}N2E8BBHEfTl5%8UTq4~5bdKu@C(}P_v_k99 z^2X-nWr!`hV;0gab>66L(lGSH5gAG#gaZ*wSH{$seKT%NW3^hYI%16OW=74<1cTy< zuJ}62)H+{_ehEqhf?nMZMT%US)<9)5&4ZiNE_G?tu!At7UOX&t*xZL!VQ1gkSZtcY zXMbEeEOu^ky_w97#;D)D?GUea1~#|3{=S&%y})VUgT1q9(O!p8g5w%*EaQh z)&~UtksR;Av%`|YD-p|QH9#L3CON}I8vgpYxLs8g;rdkej_a};hNmJ8-_Pdr*>ceV zm6&>Fyz>u{<&BUv%sNrlH^#!;d|f`SCyUdWq}usv>)?}Xd9O4M4=&|F7fkkVB_)-H zsS?p(cZ7hX5b$^i@Gp;vV6uN(a$?%Ok4gyuAfsDj@m-HlrrPmkwFfV>Teb2og?@QJ1eGy>gbVF*{@31g08~|$0+Jv94 z#JLXeC(C|eS@h#X<=!51%Ft)a{=yG6kyeFE=oG0m#E`D|p$<~$#kkJ4Z=A}^R2*nx zEMGs)z*r&_4X9A0&Z6-<1oa!yr%3(UUJ5cUyxejFWwLE0!~R$)Bq z8^6Br%)h1xHj&g~E_H!{aR zdg%PXrZI+g=^bOr)SR8%iW42YJX{B>fpA2xcg#oT?(qVv=_dSw7Ir7%v6kpSJ)Z)D z_sOLOJ)yn-M(u!xd&^_>klS}N?#SFdTzE(>XkkCNu@ktoDt1kW&~w)A#rc$s-4F)~f<$pYW&>5()wUP>*GcBrCKbBpqX#Ij@3%Lxv+$?(debRnWr^Xv7sonaOE$!G zhp~FgO97(53L*61Fg0+_*aJUpP!|W*J2)taec!dh-usVvYY+T<0Sgnu44vnU2?`B{&O;i}c$jZ=#?%T<8hoE4O3}4u&sde2HKj{9 z(8GwUYY(3F#wz0hUeyAFYkui5xunA&ru)DTt?+%IZ}PFdjl9z2o6KHq_CbFaFG=5H zF?nmO^0;T`;+@nQlR3!l_}{&MvofY0Qzv?O#g>04VDN$KeNw*2;$!-nf!Fj%s5!Dd zD{L0r(mRU+laI;8d$_n^7qxfl>#u^B7TVKk8t7vqH!6V#|$ukG}Y<9~}2ShF)y*8^1bXR~PDPmI^k- z%v_!SC~iX4!9zdm;M&F=dI_W|nUzB0_1IAPBacm}V^XSio>_~#^^tz(DS7QPn# z&P~>Pd3Ju5BZDV2Kq&*#p*j%;vi3B9@&`;ezYwMqkUVjib-haLoCfE+F89X-J@5Bx z$8#Nzns`zHQa#1*)B&6|NVq}54W_L(gwBtvi)iQY`LRaXt$;2=H4P458I}jFXo!_A zgR_u!#b0d>uD^xdJcHntw#45WSTSx2ItY%g`JXDFc(*BU*MONaLxdUr=Ojc~c22y3 z>bCl*R0y;BubHxP`kiV6NdLuA)=s`9ZE)$n3i3fw9Fs5pX?Ui5MjxhlGHC-`sUvN~ zyi4l5!S;iA5Y);d0gLSa7MM?bbbCR~ZPxqXmLiXa1sz=_huWYq9;_*STOCA0<52 zsy0Tu_1~~IFr^jU_X%y*dYRgw(|e83lI}ay240)D2X3;JH+~TZx4O-z?$*FtWJaR_ zScnoYn*3w{w0KeY@wiIcE=3P6Td)0aYXJrL3u_Pf*2Zfq2wX8;nGOeh%mWhn1P=ol z_-kU^dy&j(PVhW|=isL-2$BMkjt_iQ0-16_xo>SmA|az?#f>gqe07G5wT9nUlp?f z%3l?)hUG7iCr*%ILw|1FL*%^C(}bL$2^(pcWDS$VusUkbrhcjGmQ0JnRz{_6G3%B{ z+tQ_5tF=VmO;zSP5qNiWycc;fuwrnMP=f$}t^tW7qeK~%2ek>vL-E&yv`<48Jz~6zZrI z#rjoOx1^L^?b@q|h0@|0g6)c5hNh%IU@%WHErj?d6n zKU^hnI^w5}ve(BWn*r2$C6f?`IEyYd&ww#UlA@Z2)+yuUe0zvue?QKrGS5Ca=cvTD zGYzpP6&x=(#OFhw!@+-hBFy(VoLR2(O%NPZ3Sd(SpglQO`3BqFmtthZm!IJk_HQsW zDZUmCuMjYwgVT!I(61p9>fmKV@OaD=xE>)>q;1TRwz(koo{Uz)#5S0uh~)ukvtzw4 z&mXQ1V7)%iPda|mbOYFUbj>G64r;E!w*o>VfFk;BrORrYKQZrL-*usde;#|(R;)_lY;JA@9)sq5uZ z<016y@Bni_jK8@uC=Z$f$9D2?u(>(@ry*o)0uP3mTf=`F;&om;Kcwc?is)ddxlMvL zQ}!D&DBCCA6L?|n#BT9w$dUC7U&2}+w2okdN%37vtT%-Zp4SJ2F3jPdYRG(P9xRQc z5w7-UXC|(cV<{cG9ao_B*5>gwd5IM`<4g0TmAu)er~@mEdIv3xO;l?Brf%a7)z}*lD2pfZ)y?dHT5d$0m28uv>YObZe`Vg3_@#DKMJai1lloYa`Ot(MCe)UKzo~Teez{f3=R-%@@XPsPz>dE&p0B^weJ=%wTkX$SDfQ63= zA13Sx6CbGtiI2dg0&B^&D|Mue*tMeAJOp-W0KTq4gFzwO%U||yCJVyjgl9b6pAi8XlCr$88+b@sA7(rt> z+F2pBb%~_fb^-z62-F={CCHi*{9%Rcrk61p3JAv(^Vk}46u-zjhG!^CrvxDWwxrXj zx6wJLhFy@8?1V=`6XKeU$4;Oih$0P1mmSnYtVECSmT}7@WjTYS8Ikc`sf_)$Z&a4d zNH0{DQD^VdNH0*kH->vMw``l*=9^=|t^KqZ&=5gGgc*WcuQFye;BK98dvId&DWulx z>6g0|VquFYTY2LexTzhPBL0YZ?3b-u+{~7Yb;6yq<&A6L-udjU=(j=1L4%>BNtrRL z0T*04x~3mGFOFwMhb@G=Fj;?_n)KhoOEkp5j&{Cl_sIrv5RQWg90YI>iGw6KbUUKsNb!ogbU*<8i!Zp&t&yENjn#gHCR?07^qPu&hh?GmZvi z11rmv*#aoqY(m(~05j|{eHoxA z$=z|I%{+*PB%UEC)eB0&K7TJxNkF`Q*nn|@#)&ju3acT%{UN45O;}wxEH$)Cq}?Jg zx`dt`(1mqmb_`++9j`$?fMAxOS)$AqK+$C*wmQi6x|}%~t}h|>UC7RaoYN5iD&gsJ zmNeS45b3EF{wbO8od2>sS*cZhAMriN-o zal1s?2t--i%A22yBmfZ8YJ9c#=I_eIRR2@8nqkr zauPR#s^DpJ^|!AyHi!E9 zb91~AkTTs6^-zr~fts63OlzZt3^HSDkghozBixuUtBdy#QT5p$aGHpjRc#SDWmEv= z1RJ%)h95?qZ}mwnr;#Sa-%4b3Yo`|g!701N?Q^|Z)+C-1X)7jq60rIbc1o#wr)L_% zUQ+X29U*8&K(=Q>y7y1c%yvdYHm{`B5;P|%CHog(Hn4l}$+iVdU;M2LtLHC@Tr{8g zj_7?uQVaaMUx%H>C=JMiy2whG#rFoabk%LLq5hw` z>LRN#P}>5QO#ReoYZ}lHg)md@niRDk)Op#(z2Otd^FNiCAVLK7z=}Moxsxb)uqHh9 zfI3RH5*^vDhq+)-LjBfP53azt`dlW)kKi;VB!7~9I1q@Az)j_uXyI@iX;7^h;=)O2 zWsJ^IA`vXJz*_U9Vd#hBlSCMTVG2@fdNmp26{4tdb5PIFJmiwj?o; zL5ALI5JfNz$KdO86=&n~ltAP`H~fZ}Y^cq#*{nkmS26lK%J*H2NT+RQ!8Bx}YMQa$ zzbuRn-@H7(5#G5xx7KglST9z~cSsGvI56kWddQg-+Wj^2)zFNvn_V(aakQock`A%V zqy2Kp5Xdfc*Fk)`fz%dgy(Z9}?)~r`_g-&LS3KhGnt=G-BuQHx)q%957JG4=ziAJU zAZ>zaD=T#%1=b722cC~2c6S0xrcW^aj5RHI2XAi$K`)u9ASxS2R_j2G{g}Ns!R|eB z;01bmKk2Nm5n41uq#44^6xptinQwA6x7Kz?dqd2P5N_nyZZ%ri2Zp0%*L?GKZ2qvE z*xbHv-IF5Y9y0!LUEInX5#|V(Bf?w(gu3Wm=b6Gp@lf!ky$t>$5OoQ7hds>Hvr0KW zy$!e>c4msCP325iA`X3)PSG$L{?Pa0kG%C{+6jI*TGErj)QA>dA8@r<8Nn2ehHdUT z4AXjz$uOOpS7}hK84l4Rufwoe3;l?p=v9vM?ukBb_SGvw)P&RMFWwQ1uHL(2extm0 z$NZYTbu3NRj4S;t@Sle%p~XhhxpuTYtii6Tf*J(V0X+pRC63jaZXpDY)<;T>bNpY-Bxj> z%txruO%d;}dZXKr#uYIP#0{PARy#7B4_zP)7vpJ2O3exn&PvTr=V;{+ zHRHv9=r@vBDK-8>(>mt_C9OK9D=IZBlM~SSpTWUPv-qbKfkrKvu4puDu^dqno%7*d zcriqf7);x51b&>iJ8iqOmpemfpm#e%r0J`j0Y2E9oq?|NV#Bs~-1RQDvzyo!78}|- z-!q@sliTMBw#%ixA`o>6r2R_t<+&||Kkei~nk#@%7kw`dZc=bD{gaMtQh;i#(rbrE z8aTD;E`{k3-~^K8y4)X9uLYDFgE@C1j2)TR#4Ts=`f(+73|-D5a(hJ}>Jk{>eUc_> zy*JK2aOs}Lp|h>=ao{)Bo(xQeeC%pz=}1zr?9 z_SS={*S6PXXu%>A1Weecz9U80oS@!9sP+(@K&^vHjOqhEgihZ`!36ui5?gEqA^pDt z`w&Vu@Tc7GuqW!GN)ne&-&x|yOkG^;u-2SXGhpmcP8B7FDxn=bSd;S3S`II)VFyjR zNM19=MQkCSD2a~e#9A%M0=x1W5f=%!TZpD9r_{9?^>>%7QrBwM?KNre<2nIp`=Y~- zMU2`soN9X5J%cUc2W+~=tWK^K>ALaw<*`K-@w!g1>jJ=HgFAKeua#wan|CV?>u zVLn09l#4AYf-wn643bq2Q&VaxGRm0T6bR)^FNdlryO%K7irv&>@&gz|x_aR-j*&Ix zxMK|p)_)(79!DUVW$-j51y1Fm78;Y5tQIA)9Hyq!SohmvA7X1vY7&E_mc!JPn&-zE zze{6MWLPrpp(NE3j7=%~qrQ2*dh7hQZyakr2EG?T(ZjQ0y{@n(`7~ldW%$%1wr(W-y3?kw?~)BSd$iB8Jsy3>65;FORA=JI@xpsvI(R zPDff*KA9`rF&Dvxn4VVXMDP=@1cO0<=j{?^*AE(_E+1d-9r%f{_agYRy)VEgNe;pw zYduBiDmkpnL^bYZt6``jIbkHrchb;_c3Kp3PVKZbC=r**|#pAXKtQ2qGcQGhs-uE5?x&18l=~pjV`b9`u{} z-?{|+aD?WbG}^SaC%azI^OEq{;V|HjjT3Gh|E*1d_pb!{fQDNPUu3~*h+$rj3<4q$ z5Q!j%s2MHUiDa+V2$W=x7Oba`G@}B+cO1{A;BXmq30arL-+N^%I{IY>(ScH6ND53j z&bqvL69GELr^(;XcoFoxKweh+hP&<`CdM zk8lWO*z_1OSQyfK;6f$L@)DKCpodePbt}&`(o)1D+p{XAey%|%U-u1sDnCm_# z(ju5T0F(SvAUhWzra$Ae6aaup0a76K1yDz(8pVqSrkWh3AQa)!XD8hBn|sT%UaC9g zJrEPtiL{#$T+P{uZ>r-lt)8vzSPaFN zK7mn&uMtxkhSbKTHiI@|GBgnbcD7V|rVv?kf{=;~qf0%Ui&Pf2A?2Uy@-QX+vrhpe z9AF}h1Sle%RO4@;kr%=KKHoiHDx)-{7zUDHknN~KWDN+afK-ux2)A_bJXV3Sr2QjA zjY+8#SPMQHDerPfSi3$_Enx+!1BTnPVYp2gZo6dYo()4cVd%DCDC;UG3iw>WD3z?N zP!)XS-O-YN50JWUy;x@#gd=_t%neKiR~9<*mx9barXY6*_YAY*#u zs$9hlM@^w9cN}+`)<|tS5$!~pPH;43@ytr@j*s(}g?I0p4MHF(2*B12{j-fMn^McdlSd?$c6qX94jfp$nYcvi`VOgQjryxG?1H+eA z#oq?7agT!GLVdEZyfEGdFyo8~y1xH<2!<|lu>O&ufH`m^ zEK!u8)2I0Zh9+%)=qyxbQn6e>PBaceKa1&jPE;&uP?%1EZm0!zWCw3c=E!6BI@78=g4LKF zggBI1o!V;HA3un`D6-@okiek^JK~Udp`8cN1n4|;sd^< zM@X^*JqErI4t^l%(J`I(lvS^~gCylICEwR$;_;9y(4g3<#EqwbG$LX<(d$?|z_y@~ zz-Y`uWK00tVsX&b*;3il8Hbz5Ekr~FBH7TrDhAq;{aE!wo^w~##Sy=eYL6p+omM7; zbv-g{>i8il#~j9XG*-O>z-Y{3%sf!`JIIYxz6{tIDxrf}Bm-c_+AHuf?F|jRHjnR^Fy55doqEoIXkVV(pzM8Yi=)b(LXxIQo3X#;>lS-zt;UiMQurxd+QzTW7nw;c>S%)kVSa3`L2}vO-K-Y}s=e60OBY(; zCzg~CBLo5>37{OnnuNun1%8OYMbD{m=`=U-tTrccXn|8Ca2A9%GYIs+=R}SM!Y|Ac zWj2pPlZ8ty?-0~l-O(irZZ=uLk;kFS!jEXWsR%o7uu`L~uMDT3FE?;)_Qn3{VUzEJar zd{ z_1fnmgMdXOtQ<^T5wMd|XJJaG9MP&;kCH>th=QEXgwbS^)s3Fm{h0hbEIB#niZkj7 zp487*wUKKIf*T3N8H}A=4>&A(WW3f|-C8W_Msn?yO_OM@1?<2XhZvJHL;4I&cr#?5 z_knnUj}T#=2=fHZm*LW9cY4)m$9#mr#I`PG6*=!6uT~1$?b9je*cen$(?*0Lkf@{w;IuSJ7iHm3~vEcG3B=1(e3L{fW>^E zu$e)i2|kX4o3ZB1(D?CeSurMkUSrZKX4R6E7yuR7Ehm{my7z~hffs|cq5#U-Fo~fO zp&nWHiS?3PXFF8G%zYxlp0cbBI66Gxl;4nF7KWRfRinc>9J(y{!{QDV_6si#Mk$RU ziAlyWWFfU;_iVZD6D&j;xTIz1Nf5I5MhSq93*7@|;swr9c{p};@gGK^r3Sxg+ku-jP`d=8F(NCWO40>KqxZl{a$|H*q3 z?O1VT4f9p}0&?{|cUb*4ES%spWfJlLX>Zrlw_=bGQz8i=@aeUxcH$g}?+=8~5DLk2 zrEQW{N0oC4AktOg=NfNxjywyQ>|PhJQ6(&byhN*78kkD~ z0-*?mB6vdQCi9lcR{mG?M+BKQo(*FT9~HXB=rAvS#Au?SeS!8VYN$tXRn)I6#{O6I z$P#m*GjfSbBm`vLh>MaEDv1YSt*v?w@MhEx| z)DIAu;^hNq*MCK^fWjB(L!ZvL{G9zU8oJ-yw@9*-Rvbe!AW=LWm zN!ajNEQmuO2W8iPStWH8-sCD~Hfr0xx2xLq6B1t`^lQAN{q5YJ9QRa@u9Bee`u0^% z?*oE*ioDewO`a7rPH`G%XrvieEaSR5g5x4+xGi2CrNcCO!&4SFEgS?1F_5@3MC=?1 zhJD;9qED9aX1U45iYVxN9Hap{ZYlN5XKOsQbP=oHp-J_x41oS2|6y~Sjj{pgV0r_ zrB-9Ktx}8XBvJ{)lsZOplv+QkENSYuB7Rm5v@OuKc^}RZd5FR@96kpyMF~Fx06)iH ztI4eERo2UGyh>*TAPj*1aGNGrJjw9~j;Z1TYlCH-93G)Srfl1^8pR>%s_wB=qo68| zF`1iC%9^Ivz`|Cnk)%=nHZ2q_&(QeDQK|hYOJjW~k8(W_NKpJ20-vDwV4#>}{@ti-I)pGPb zW$Frjqs2?Mho;<<>(Q!bb0uNi79cIbHrF){*JIC+`3Te-*dMiQh;(X<=?bDXPB+!A zn^^}`8e;$IXNryyGuE+Hf|@*tTMA7%YJx)%JfZWHdE_!Zt#p39-g8Dry=|U!mpkUI z>zDgS6WZoNTE}#Hefoj+Wr4~~+IL!Xc!uw^xxtFRqAFrNpTRb&0^6__5pB;B*@>d{ zzr4Lsk`?U*CYNnz+xXY6YUpR`gWl+v!byTd>u(#jV>6G9dE|E4hPg413xqT3Xht>7f^Y=l2uP8KIJ1zRf^q&2&jh}MQI6x(;>@IC!EuynypS2qprCx)X0eii~Y zyXI`(Sa3i9%`=5eMVesp`s38k+$bt4hRD{?!+Aul#r>+w$B~_p8JDP~!;H2HAI>SR z+fc;uM^E((+0zS-(WE;l)&y?Bq!T3&kE*+{Zha}s|N?og1l+$b9LJ={{2)j-E`=d-asfw9_ zHhEMuT7B$rdJn0x!I(*N1w+yxyMrJ*mthxX?`}iii=pIYGc>Z90zyAxx=! z^{KlG7PP>a42IIj*QjoMg&_!Ip3YZm+=$hw$Vt?yPrRy%Z|Gw=IJDvQBfZ~$lKdxs zOUp7+p7cc;fiyzVsENQ?#vsDgIaP{S++8lsGKj+G4H}|kds^|x5R*5_V@%#zf|Efl zD~RSV*nMFC)f53dra+&m*y=UNDo1Tm>}$#=F(t@{P?ebotM)LjK|VZcS8GrV_kc*7 znJ_U4>Zok1Cn0$0Gtcj7DIeK~xd}q6dWr$lGl9787o^@zzS8oMgHrhi9=Eb-miJq_ zuGPMHroZ%={?Z>=iln`rXX*6w{4q z5GW;rg*rYPXj3P45y!uQugt+v)&|Pp@M3^%SIKX5vKPv-iz;n?lJ&&~QFM>-1mW>g z1e0|KSI8R*2HVf-3c?c#uV>xvihBy9GAmVk6xEtU9XN}lj5I9?<3FP7G9iS5;8!O_ z>X2U(NKzeDjXG4X2w>7|k|Q5s`Jr+Uz@*tC2i)q@ zg%wR%Sk`7#qpR+*^wDPBeB2(cRD-C4&C;}!UehY$WsS|@IyIG$RO*u#gD{}(s_ssx zTT*G=24O(mb#p@5wf^9x=L;xW9}V9>kp~8ZyVPdAH+Zj)GrECyCo#}Qtij#T|4sYx zp5&1}c1iy?Ve&KHWZuy=MRk94C-w>P;lDe20S75gUp{D9g(wZ;Eq;Nf^J#7mfZ69J zK$-cU^uo_w`S1O3rN|>x&W8KTh;Osr!*6X=8R!N^MR+V-^LmEMr(p2fg}7ewMt?8< zoTz{jkWoU%gkF+m=e4R2tZd}FRo!=_6^o}98m~&%Qw#1VhprDJq^lVPSH-}z1NlTg ze-70IBtnx6xHc&~vYVu|DF*K@(M(4_zMz?Yec!9!rs?MlntrsVpY5731B418;UV+{ z#?X&fin%LP&4PBEK<@x-eu;v^wL=NByj<7oA zeZoOu%Qwm*d^pFP?N(u*%-$<=$l*M3y1Rv4F@L+vLT_;f{@Lc;Yx5}c_DK1PL=Xx7 zyG5BECqGh@9=Pv^?YC%Bqu@tMQiJk(NZvxwqf2o)2wqg2w8xuSz5klt?|GHks2ZFJ z#SPExq>+D0B@UP20pl7ik21$p4=-%OUoT!Cg8z6(*Cqveml887;*&t)E5l~UvsekD}56K*kRQu zzx`ZwgF)Bo43_E|jI>q@5a^rAta|%pp2k7Wy;#XF9RePWz&{RPoWDJme>so5HaDjqa7aBKWSq3P7Y&fb7j>F4wW zlEFXQJ)l=(B)EjaW)a<^VJqc7VWp^ff)LGQHnqq*epce1+80*m9M%lu0>g+sIWMKr7I zd!Vb$b>ND(k@?My(A$>*iH{NjleJBerQKTUkR8;}$AIn5V2B;`@z* z;3qa~n)^1O7Pk^S_vqsOzjSuWd$@^ z(~|E%HHwh$H;U1l7rl9*8k*Yt6EruC`5)=DL*$|5sj_(>H&OD@o5P7kw6FM&kDDx@;HZMj1W4&D)+`$k|ws&uIICPW2v$S=ll;0X4L}ixW8q^#w6C77P zuyI-;tNr&J){VsJa}G2yfItA9{l42dR(aj>!V^d1#*=HyS388 zELy*JG>&21Gs^xPl%24ysmptrR`Q0)@~SK3_nLhkUZyc&80!x$h>dQq{BqIM)lL37 z`AVB2eJgkB1RMQd!>G_k=SbYNychDhVmURliC-I12X352RTfpAV3x7nS;-isH+wNH zdofcItXR-&ZD89C`x^skvm`4T?5_Omj?NZEZ*jt4BcW<>L+c0hQ~0yNF4qoSDD@jh zNmGL14%~`h4$D)aI!$C*y;*(aAV7Xy&kNT{mcOTu66Pw>Mm9~d`j!^e{&IQKv~U;C*i zbctZ;$sm3rc{F9aHy#)gXh@rM0^N1+s>gI6xzfKK4O!gFAN^$D4%T!f@c!>>#}{u@1n=$;XluR*tKY19HQ&s6w2ZBZFt8TUH#Mk(SaklH~+t+yfwV`=hB4trLqaI`Y7 zu6C0fq4hz84b$k@Ii^_#_150xUGtON>$12UQZmuLVEZPFx1#p5xYNSl#43~iKDvN{ zYY!~ zr;yI~FOvx-o8=Aejv~FC$p?VblLc3+)+LN@(T4Vgbnl=FREc|Il*(vz4cLhY_rLs!RohbD0W>G~R$LD0-pj=S2nd zYu75}=kQdgz4cyBi~9CbpRYhL6#To7 z=*QdNva@>P2M80IkB}*J1mB#ox)}O~2q)0H_=ZlO|G9j?(lezuc{Ih@d_=xcq`Jcd zq{|{U_)MOw%F85et_L;S2|yr#NwZzk;qx&pZ7?M>W!o$iy!CqY1qAza5rbSj)Px!6 zUJG3LBaaT3M~U(ZT%H6xnk=MT-cbHbih09(h1BzH);%-hz)^okN}ri-P*g+6p!zA3 z!bvJE(*>0I!33M226aT+p3)5xYv6Q*ZoDeY3g2`>_T6$2ru|0!YpbFkT4vnpMzBUoOM9@32=-C>* zc=6(f*!k_={Y1L|m>jp|M!Q_j#~^lU%I@RxkzYPv)ABq0fdmWJgx*f@ec9_O%12|@ zH8OwbtWS{$A`y~=-xl<~CRsxbq`ZAt2Vw0iT!E~BI?BF0+OED0&J<5786U`enE~>W zWWHlNq7hP+`Ho9?<#Q#jag%!~+7b|H>dC(#Js6Z_+bQ8NiqJ0JV`z7X;j7_l_rwaU z0IZq_j`Y~*Kj!wwzUJWOpTKyC8C2>n%Ur{W8dT?Ai(Q|I^66Rcqb)>F`q2#qp<+b9-xdOS`aT8Do&s-PSl$LV1E^s-S)+y?DfiA!?oXDT?s!*N0s0KaaQ zL;G9t$Zyisu>Hc3>S+Hh<`G>Dxtm_*F~e(z9gB{=xD)w|vL(gC<&QLTh?`Y+lz{sL&qB@8KMbdM8}*v4^yG&5nw#Skn;i(DX=V@|Rjc0C-$mEO z)Tg?AYL$;M)_lV<${`H>*t%QzgCPPk#mg^Lx%KRKC;^bW-mpAIaa01??vELSg8ch~ zF{m+$yOP1((bRu_618J|^qH(7jX)ZqXw-bxEaNuW(Yw(jq1$@VBQdRIJj^ai$hdWI zOs~N{4lWS4PaIs2TedElmjfY}txmdZ0Jx*8O-0i3Ug;Ytt`N1S2q1_aVMyevOmCvi zDXFpFmRy=bwsMMy6LI|>-<&ENL4*cb0d?&qf-`#m_5aw2P-k!yFk@Vh zahhP1#)mB4ipsM7PSQ8reG4~8h^-0$gaUxQ8eXPM+tgh?9@S@_IV9i?u8$E^*6lei zUyW*?4w$*a&9#mxooe?Gz`(t~R5@MZ^VOSIILIuYjzwv?%pjmlvM#js5sj}XnjwM3 zV&EeAppPtz>_d-Tu>A?qHfi!abQ*w#g^-t2cCEkbCTkCos(A$Q2;dRKGa(Em9UedV z`=ex!S`Iw#s9gaG6KKrntG>8a@?*Z;|0{XiuZ^@GSusIyW%OS{LCmxHDy_frrYW*q zt?re7$$GA?WaCe^{ECe1@b(Ik9iZ6Mx@2S%btRaMT%*{Wl=!*}I{t|)V&zZr?}t3A z{AG4P%L6b3VhD|a?T;lsOTGVEXob));=UsPwb1-v+XE6`IsJHO0t;27gTC^}s(J*` zBg}F6YW%pTm(Qf5>1@mBf`Izayy$3x9n6n;e08a5Uc*=4MU}}yaezuS1#MhSf+5Y% zS+{zCE4bs;bGccJ8^bv)a4j1v@}U_L>7xRoZa1yp>_inh2;o&4Suv_An`>2sGH;4kGP z1*M$Tr(1ckV-MjOz8fF+4AOfTCSa`u{hhRyK^QyviR%(VG@S*A^tV7nA6;8~sFsu* zQQv}tlzpmZCq!GM)sK$+D1Xp3b;%w)K%^oOOu_}=;Zy{F*yE^l57Ocx~2&_wpm1VtDq{b4wz)+qya73r8LV^-RF0kPbDJfza~ zGEPu7?3SMS@A-~A?lhgzV(I;R^#48IqgN24uKk$JS7}zX*w-}rUhh0~K#z^OiPMRg z$Y(OM)A-Iq9Q3fO8{M;TP~q#S6FngQ`+N_GiM#&&C@y_amP2ezK(_!xA1=DjLP$~0_*95B7<2m`*5vrdcm@e+cGgcm2mf4 zRUp};N#kEc9yL%ko`zU}+aOgH2i&(QzDQMC$@~OpgD_rU2C4kuI_?hT=j`C_96?#iQwbdLnQNIr6u;}0`O&aQ zZ33{UOgj>9SezS#Klox?d2Z>2*Gu_mZC8r1=iEie9|>iMUmXx#qN6tfDDY_qdm9M+q>B@*;BlO}zCmR>Z zKXsMw%qPtVGQ;*<7$fkZ2}>?DrTh9`l#qMCCB>pUqMlMFYkeBUk#!ev%EcNNpOV3j zMa+^|NU7>9f8{K2?|ItUrk!>d0G3n+I&EoW*&f)skLL~Q+POop?59d^Fg~s3`Sx@s z8xw}HseM~=oRDg5NBKR84I}-bEn$)ENG4BSWVR$_Api2biQd`_ zfi*l=)q4^v6Y9X0ZQm*s*|Z7QO7hXlnl-&bb@lcr#JpNaaFi-56Br__`a;BU;7mL*vs zyOOXGU~GB@5Iw*I$wpV+z@kQeSJs&F_g(pAJD+W&CvlWx+7)P5pxqw9hQ7GVnz6Q9 zk;RV#M^0%$pauBH7Rk0W`y)A(UARu_GR42rQ|tcMdq&AUZChB+Uq7xNhY11*!4RZt zg5@dCp-vAiN||=3*3Gkk2iO6i|CLgI*e3f9CT4`e8A=eNC)%n_{&T!C`48z*G#0A< z{m7f2J^*yLLAaqEhhex8;En@vBSg2MI0(I(n*^anQ2S5g%-YxMvy3U7A&|E+T6J-Z zDq1GOwoMRAHIv1lG}2;B-0dFJH-n)DfQ*Sng|P_eD>&-v*IBIr7r(A3Jmy-?T*OdU z4`-FDy!)=3&;7#_=hWeZHxmrQ6h~OT3J+T0JF9i)1-{Sp$6Vk0Ond0%y>pslukM}G z8+vi?l1^9%pLe_Ga$1r|=2af236Q6->Ty%IJ%*-rO#!>WC7Av1R$TWEXq;0knN;Zai2PP}IgDU4hf4^md&gmH&MW?O!tA=+djRe&TfI;C+mG~L|NDQD$dxgC zv7(jYNE_~0m9%-uk8jcqpR7rDm^*rl|sq zIwF%^q$-(4EM9GIXx@h%u9Ln@ulvnNPDBh0J8c}jqQQ0N=-^tmY#BY#rmk(wOQTcB zY`Q9%{D2Fh6>Pc|j|v*?S^an`bDctV#{uGjL7gm?3=YgY!}DLsZo}_Gbp8uR;SJOF z*c_DhUZ&TGjyJ4^@xCb|)+I1SY`+c-Mck()Z%!5SYK(0Mx+W7z(XPxy(B|tC|EdJN z7O}5DFuy;Fs{8MMMRYqE4C8f%kL7em_xE{w`N(fMElS1xK4<|TtUjR$_Q!qitb5A{ zJl(GmhD6)c(MK>~2zf`oVNa7oB+^GPzG-kw*=)q(CM_x|iC=dMWExmg5xg(_>P%bQ zzy3#l<94@8JRg7;2bKggO47AK_~{AryUS^X)5!tygWz?*~Wjp z*lk1dc0i{%)?W-FG=bw5Y(=TD$cdl}@c~|Z%Z!b-8x1Hn-MQ)lk zj$P@Cs*CUSqEZ#THt)*qdUtMS_PHh5sBOg_3e{zJbO1_!z|H##bBx!x)6Tiy;2s6?bQNNgz7eSU(h}p8fDuMDKEddDzqRVE|ZBePWxoS_L(ZJ~sx9EecQVx5{ z?Jf{_)E;vNTOf%}cVa}T`u3b*-6Fld6&-K>flZ)u2nQ#*3tTRj{Gw=-CRBg?dtcC@LR6HBfImsBfXE=sQ)BtsK9y< zTAn9SBcQyd-bL34gOX+c(L)#gK2>8j4~h3Cf6trb+SCUKBjW;$_Z&7Nc(!>i=Xd(( z>ZDDp1ox-dd5O#u5CI@Uf(Qd-1}=!)syI@kw5~8Vs?pnxsPpmU!7=LeXo`}_`NLn9 zFfG(`N*SF|#yYc!`?G0m$|}W4US;=MwsV1%^U=ZXk!jl&*XjnbOZ@KYtfD#-R`BYq zRsz(w;lo)5^)5ZBOrTB5)Hm9rWc2|0Xp^AzwN87gVe6|4o@{lzW=(y^=o|RBJywFDD#tLc?35K-JYIeSZG;-a73zyg+oh#^ z*1WG|A&uYy{Y69)gfzz)LO=Lg;(ry;x`*_W?5swmbtNC*t-Dx#+>;m?!sqb(B|5B@h@sPcImME`L)C0y zr{-I7`N%Jy7Q_1c=^zk+AZm<%2F_0(o}tg?d)(EU;Dot;rarX^HZ0Km$`jLvXVI+o z^d`i?rGI&Xzuh;G+`wmWb1z3|9(Ax?qTLdlm?B-*=*$Z}_R4L%PS6^;K_Z_EHE!rQ zUN>=pL(nmG6b+`0>L_gyZ*2TtR7DG!_Hn;)`r4tIDZvtVKolMAmd z)2+ITL#QdwMS*apgqD)aH~p77hL&BBwC2NE>t4CfOE&=q4VR z*25=9T-7PEzfx(eEmGDeSIUjNOJABn_Clg%+qH^l=ow3 zMwCrz$S9&Th()$YQ`Dov6dvd9w>*c8*nL^?)0av#DSbTo|~Pb9!__Z~&Yz!80c6ly;7QbBX?3@SO!X zUe1Uas(a3$x?x#w@#nnKnQuTF#sO_Ezt<&eLkS1TCptlNJ?RtaW{g$dyu#)$?d#XS z_+X`c4}bg@{^qZ*f6;-RI5Yk$hiA9^rTF?6AFOYGT^4PZSFqvrfBVInsuN)Cq)ujq zuD*>QZip*=F2O$Q++Iq2lgaVI`7{o z3+V-xi2b-;80UErQx7qSKBAHt#!zmO)?y0wl3|mVWCqtZ8_8bSJ{d`-GAuOm{>!IMF`-AZPZW035*^D^J%V8ok2tQL^#$*A+ zsU5~`c6^U2R_%(+e=f(C1iz5=jBnFnZG%f^?Ht=9+TvUm~z}hP9JVkT%ZVY)F z^10UXi$+sQAU%|?uD;b_v-8pZ^7>|y=9wZ|itUFOaL_v`>+AjlCjH0)8Wmu)x9?2u zxFkHZh5+lpmvqG$i8G~m48Uy~r3yj4ad=7}zZF#m+Zy_`7&q{PS=eC_&6*6({6F_p z-a;xfS8_|M^cwY25P?nxCltW~nX5qV?Lo7dBI$KU%&vO=mw&|fhp>dTnolc1QSf5UCNb_?{TXeMt32FyQ zoEyFGO`b!eEhfD(sSaG3i)&Rkd2%gl`QXAabXk?(ikLSEAqYair>!7_B{pY`kTnka zUkCI^l^|x&BMVjXf>>5*UF9Fr+%wvF{tdj?A#3_LM5J1;qDwoAK-bU` zq*bA- zDu56GArL|^#4?|=(k6X>FD?nqDz7Xa3N4Uqi{AEx#zRik-qR*-yTG(+9J|89o><0= zSLA_NX?-x11=eSXoJGkRy>5zY0j>9}jd@w%xuQ%9Fg<2*)N+P6+#yS_c-)ah?$L8{ z)a*!w{Gw4tXny*l$5oC*`8H6Gjzb>F*cy*KJY7FSe}|~z)Du1#JzwbS0Q zrs5ecbFc-u1ar;AC(Ln&@ko&+SNLjrE{7DE&{#A6n4#X{j^^jy)yao^w6-7VXYM+_ z9o`WLBs5SznZH1~T|6%&Ke_~va9-`MuKNt(2EjDBn;oW6+2_{{N{XyJzN`X-E}tgR z24VLUMm2E~Ltb-?uQP6b+&@b;dgLF6sb)f$kpV(@HEJ&;6hvsPWsAR>x_(zHG!DLn zkwryxGs_I$2DON+-gF&;53U#9({bH;Tz-~ugXSjx8y4YI`L{XCcbI6x5faCopM068 z+#tJ6zhr^Awb!FdHGl{JQAK)8wnZdFB#!n4x)s+Zbr~KHuNcB6M>`oARL__<`2rUy z!HiJe$lid8#y|Y}(@HAMr9$s@ad^&c>5)fvSAVMAuIlfK8$SICS_enW45+(1WP&An zEMw&_U@h@_I{>ewV;#SfXsqc66}(%$J{1R`)ILxz-%ZguPsZ$|7ba*3OT7@CIa%|B z{)tyOqcu1stFM@|Dr<}C(`E?`{}yypx-KiF{44luV9{X-%_1~}-eC9xhT1^5imV53 z5j8-V5CUKfhX$DE@=>@RA`n;+8(a+xFo-{7;jKa7+XEZidDj)ywSDD3cZFZDEtGA3 z-6mvpm~J;2WO;2E&Xn*Yp8>@mEIW{{Kgu=eZQ>>Z%BEr84xSHrLvgjP1!A1!4b&!S zo1g?+HGHTxD0kL1ha&(-0FFpo!8kLB8w6u^H-76#rI;B`ahOmWwCQr5pwDh~cBn*+ zLzfkCW)L?B=8d^=umNIZWdX_ZvP%yw!@PyKf`XFFP>Z-5T+lDLhM&r|db`rO+FO3V zC>-rF&@85%Y^*jXC7i0hMAhZHR>1~=QK*SPXo5vHcbRx>v%V&%G|oJ&tr`rz5}?|S z%+Ds3b$4K{e95vW^a5d}EQXdC|*kku#D&tQkD|DIn8`8h0Pw(X@@xJl9ypo9e?4I3AN$ws177(D*XnHg3AIXS0@$>C={>!4b)&Z5 zy%kk)d)#2@98S!3bs}5jm(S#0f6He@{hoB+PbZy~0nnz6S;^BmSmcK@XoArMqrr?b zq6tJ3^}7HxD*=`cf>+pEk+w@%yQpE54{TahSj)t+xLmI*OKiES#rMReL1sTcYnHQ2_|G4f+tsQrnjO4A1 zLz!-M1p&G35z;uqN+V35EXAqc@y{YXc1Bj6pF3mfxE1%9erwI$UeYqp_|f&+rrm=A zX_D>(%4=O_`)e97h@L?h3^QPU3So1r>Uy9&0x-3Wkz9m9#B0+IALnX(SAPzjiv<6S zq;{Fg_#FBb^yiD_+ef-Zpz#n-U0aUsiYGT{u@XxencgR8%FK%ib*VfODL!r zP)ir++CkN1tAk2mRF3WPxYF8)(g2-_<2>ILr|Wawd_v?|JWgc~UmRH@KE)JnZ_?&@ zC7;7F;YqHWP*RhFzSZuW=kE#b0# zvZQUgqW(mH{DBqrZeZpj^y0odqq!7bnj2d8CtpiF7M$I6J0T1H_0$EssPIijFr$d} zu-#n&o1qssLW>ZiAc)G&dN|P>q(!2}Fq97I8D}^li2+oFyK_R`1T>^9x^dP`q^CsP z@IyjbbmQbr&+{xXws_hdT3a=DnR=OJag$?}dL)Ph`#d6Zm^cF1Z*;vsEg9_ZzA=Ft z|D!3AF2CJN*;L(~T^bYGm}%LSxlHcq^Q4G@cuRqXltmlPx-2d~kXwVc650t8t%%-= zKC(ybg|@pwns$t12hgUdF2y}9cjoNP^oKT->dV-pD6+jMl^N_#fEhODi1@QVo^?l} z$9i-hdDUUopKN!)fw93~{?PsVdp>yQH5l)s?IDVjrpu%4>f7G*Y=vH&_;?%ACco8P zzF(J9lk%3RWDonCBLF9Q&LRonZo8KdPL@cvOv6sZyLQSnt8<@B^X=U3(u7`}9Zd;6 zk7D;Z9-zB-t46#VdsUi#=MIXd_UWJC>zzk>JP5jlH_=`;#Z&^BG6r{&%Lf`~~&nZUOn9Bpd0NA|m%8V2jXB8E!O_Jp5 z6YVqgiTZ%gAlr=jYFB3LuZb1ywyAwT@2T_jpC~8J>kwLpI(X)_`qAZZtMIx&y}smL zKCVSY8=J1q9K%WQW`P6e6uI~-_+*|z^bGoFgQBA4{6)`0b9dHMv_exDL{_?Lc{Um- zO3SkTPA*NJLDzU~yeO0+ZC{{$VcMS%c`2fP(J^Y2?E#6G3R%&A)Y&mAlAb*L_OQ~#Uex;JR%DeBn`NWOn+G8#sqX9PicVuoq(oEis#}qs=t_$9f#YRXbTZ@=S{p53LNzi6RZ&n|aTr~;)TRA4=Sab~I{S%2KVw{=arnm@ zA4b<7?O_76d3doALDjQ;{AeI})2#hK(GZ&7U0>-H7MkDfccOT{xN9ETW_z<;u(e@} zUCiduBX<@D^c%W})RIy;V&tbCY#AS~@jkFGlzncr4{_Y(lq_?h>AS&GZJKu_qY!6jD$Si54`cox)NfbxC?=e z2IQRvafQ+w^ciG}&2RVaC%!Vo5sbs1L0VhFc?xT%J-g=I=f>j%)?CPwbj^>=>gsT! zH3uCFSQ3KzfAnhVB|saYn4Uwn@L)GU=>eS00W``#K5{XMTOc4Kc|+NMTdzc`*p`pmVOJRKiHTE8+rRlD8xOGy>S44a?EA6cf0i(UNS zZUPCS4=Nl}ZIPyfxKx_+)f^;y>(qf=DjPcy4fp~nZZA!7hfRM!^PiJQR!9PnhJ-;x z>oB>qNY)1cWYT%bjT%@r(dHRaHBo`PQOg_rsB6Ub@sb!UTeQfZpW%kOE3>R;0fY2ZYDZ;Yy>g5bu%T~AP~=jCpkkA9y9Gwke|sut~fsv9=uQ+ z;`2ZEJm%Ecx^N=W^JP6=7{L*v*VeTv7>6*niNagjeqzKpuEnz0lV>-1M55M*DUw;f z4NB=me4f{@|4H|?$iO*0^85xo)qs%`UV4t$4UeiQM?PqGCb%b>ZKl92_rA^nmH%JsRW@nrG0pdBPe(dwT}K?O0{&FReev8S2&%(hgPZSoFBO z#F{8tl|C-y2sTF>#0@8?kH-!OUo8(UoNL@-iEZ~=;B4a+hd z%`(!S% zC7FbYj1L3?R~Z68Ocimrv{UtVQ#>A|pI!v=&qJ^c>W z+RL^}d<|q?uz7m%7EwKJZ?P*ULj;?r7dH|3Z(MLPiT}E>!ahVzk>v-6*eQ(AL3U$# zCm8o0OAS2$-gc2vP4tqKNy{t~DmYusd)I9jbW%@8kD9K#w};9B07K7! z$3qY#qC8R$*ze^GXnfS*ZZ-$1!A*9w8k5FH4NXip`FB&q$rLh{LzCqSV94Vkh?a65 zr-#;-D*FQ(FEz%JnnTnWOMPAjG#+XWSe-Z0GhT`3vHEVTscU3!8b|bw&;!3EhRkFHjl z7Rt1N;i^C_sVy?uca6C4*Oa2x`vQYr^g9RUEAC)jV@aNBpyiuj(-)%!;Y@GoLfg;m7pbm_tdX$ezGsG-*Lfw8@JFAx>*^ha%(y1&1_`Dsu|JC|@Hae@#bB z8qR8)&Kxcv`fH_Re(`bv%nKz7z5ag=&PU>b55duMZ`-2|e~k@PoeJU@LD-D$8Ro$J z#6?<`IT0l7DgaM#%o5lpadU>u2q6wLZO9U!pU`_#)J@U-93xL#AHsM^QH`dzw9Sue zDw-`NAn6;31FlU94{ZzY(*TBJsBm;~KBy5j#@N=D8cFJY?z#HW38W#8%1LXoc}Z3G z?r|4R5p29>TFBv-OAFd|rSL!}-j1RK4|2*h4Nyf9llAanLX zv&0y44xTW*76{@&w2B1}+$s?~fWbc1gL`|tzso;y0L5bau%PHL2&wv*#6bghydT(e zOnbRe=V$OhTXdR;Vc0>>8q%+&Sr!w0(C3G|aA1EPYm+Ppul~vpRmKR5a4!0$Y4ajq zw`oE@x^S~#+myw>bW?Hq+AZNZNQ8eQszG!3uRSA-Me(xxc%)!dXrmgyp1Nz&OHp0p z5i5iI>OhLERe0p^rcM#t(?pJKXLuy?CR2lE^aRXWncDv3e$T5c`IGQQPO!tL>}5sM zr?x{u4Dm;33>?&ZS-^8v`H;6i2du@5m@)N902Mz+023rvO)(cG7)q2`mlX(8YOa9n&R!z9b9aIMHnpo;dY5p#~>HQxsOdQ3W8-0 z#|uIV_-DJIt}Bn%0}%56&1!VfJx9UQH~~vwFEL(%7CVi^W1oj*UL}t%z%b8|;&||b zFifV+((o*=u~s)eQ->tDsL^&Ua-RmNY@^;GB9 z1zz)7M=600lsU>)G)`8uRii%9(NDf1O^^p4?9fw0+6s9=l}1np&T?>rzJvPSxND&5 zd>bInB8=hVgGN-%F>PJ%Pq8*BD+|~+y*yN!VweNlB#zf<%j)$|eY|)aFc$D!RYqT) zXGj|?%X40iXNssU#XwAj*leUX}p23q9uHHx17J_^oJ~x}jU@ zfG7tQvQ8L6V=Ul#s-&~1$*yCf4QEicMj$>>chDHx6Omye73U%j26*mzamoH6jWy05K(C6KBI3@KY;|ADL@68=(` zXS(G47Xk_esLH`C_BOxd6+DHrW3?*?e%+=>RSK}q>R4H-xs!Q;nM~O$Rwh^wBkdSe&zJ7uTZr$}O%{-SFgWzrR*eRP+{(VL7d@ z+%BGwXc)@aGO*y0DUD=_zR@v|E?k}xy8}mh1Cp2*Jk>sN!5pNoZZ!o{SLKg;hQI)V z)zlCG=*)n#Se_DL#Cep=Bzdc|pQJ7R$z4-aY!?iJ;-g$E0&oQ2aHa|iWM5}ECq476u%?dT}p7y#H5Y?EHBacTGK3nZXz^QtYnB4U;)+T0q9i{AK<#Z?H8!{T2NryE%b z4+<;mBN|67hwO&fiwUy}VlU^A)s7@(`wB;r0O4to(a|LQw`j84@nJc-U8M<3bfl;@H?_nFS0ZMFzH zLE_W%Te9tvAL1GRtE^S7H|cHM+OxVQ2Wt|FM-Y!79)%W6ZhH!m?TbFzq|AEyU=Kk~ za|w$Q>MF_P-D??ex`z(=9}{SnO^Q@?X1sTpHu}bpWri=b-sI4NIU|}1>k_Grd`=zx zdMOKe+fvkNq#V|4T99d>O^;BVR6N?Qz9n56C;U0ZVN#YP1ToxjqX2_=)p=F=Z zrxAOsghC^5r>8yt7G@=)B~UhOx+PFHVdZU*It8GF;Z#Q#K=0gi2?^ zJKM|eJ}L~5i@AxGsZ6C^VIYA(5YDH8R*`*uP_%l5Iqzl~ZDrb=2Z~m&h36et315Pzqk2qPpsiI1y+nRAwD!{sz<$r~C%kK5>X9c;p8tLVG_wkKdHd zl(GBPY^L)uVB8`ixK6dbl|+dxd{h{+X+@wNe5Q5hm!a!%_3%m3$;28@*)t1Oy4 z>B>WtNz*Wl|6*XcD>!V|y`h@mp`L3hkGl1Cit`-Gjk{iZC~(7i?SY7BF?R!e*Qh%a z`M@3UObt5(*P1F-9A(Uc`h+{f5_Pl@tSGQ zo(R!rTJy(Yt@AZ+1aGgqd*VDrW2ZL#bC(?0+I;Sh9onDIJwY$W3ug{`@sSmI`<}6y z4IB21m8gK+&-^E1?D<%biW7!-GNzb<`N-?)PIfqsD|cvLl{XXSiI^_EgA^KU&a*VT z6;)eQpO`KJ^TR#u{m7sHg@4^{m?72zU;YH%pIF3<5NxqG?t^ZT)GZ{peKI#DmK9wN zJBp@v#HCa&tG9zc^3Wcqm@$@Jtd@A@{^+{W2^!wthkni~O_$IF z!;3-Sse#|nVb8B`MU^%`>;0y{s>U3GIJm!LLWL5_0m6q1<(Or~(L;F(y~BKRQ?(H_ zX_M-}4xQV8)(iT!QJdBrLaCS+e|CpmDlV|+V_Icq1F~%*Wm`u+qmNUm?9a&@ zvia)d9`CUwn0w^QMR<{NqwK>9@n{TUPHd23%;!3;9JA2*f;>y-EEWH3^G4Ad~p7Gj~;Y5wC}|#?IGvor&uvB5>U>ud=$1D|>nOhe~1$eO1*dOqxIIab^DG zrd{kVE4!lkW28)+&}>oE9i*t6Rn&PZDk|P>NuC4N>BiGkR6<#X{5LAnZ-K~B7xd?2 zs9-zruPY&HTv?tIiqf#fN4B&$5Ti>Oj_vFTjN>r6sFS&&btiCM2?oczQ}YTmv}M?J z;)MYz9P*bR?G6maaNYronU>v<>qb5t_J<`i^x_1li+rTgtL+J8Z(x6&UB2k&&2Gj?0UxpmcGTOZPD&k)WHcJ=6WUvtc(NI}^)qACsWq#>ox5Q%e zI4y(E;izF?S!m1sUU6fVEpi~*&HA#0)uT;MY1|b-%!W>f5KRnORdw!w!Civ$T@pe; zh+;1zw}TMB*GQODHsb|v6VsOPP)@qvJUH6G~D20&Brk1OA+^&K1r(rTf?JSm0j zI^3gyh$)145I1apd;V!sRcB_YY`s;9?B?I=;(1~WEdhS+$lhBNWKn2~BLYW$m1Zh| z`M~6sR>gbX#*m>5<8-9x4bSqpipnvaBYm-rA%+YJWpH5M6W;nB4uj6m+}^eyHc5U> zzazSxYznX`|KG%2H^sH6qNB4}da)7kPjQ!z=uLw=bP7iWrrl6OI}2Kzs??BTwBadB z06EE5-n1)ONOzSb6u>gu2ANLdaUtbx9E}^uX+Kh!JZ%kS%`pfv)&_4ey;8V0e;_(y3 z+ZsWJU-?Y96%}Rs&GIfS782X+sj;1TzU{vf$qAkZ;HaMvLX-EtMBv3%iR%@&(}VIzEl_oHnEf zAms8S>Jep`(o^-bjT3g&s0?RMwnkXzH#hK0>bJk;Ga!DoWo{`b6vP~vpGKS>zU5hg z2{L7COjtL68b zwoA;`3@zA*t_(ALbhSXBK@*JDmAtGGhw#JWu9~)|@PfiotA$>k(+2fGcP@i2IbA1+$NaD)7Ngmpxg@A5!WZgTAJ`rhkaELEB1(g57l)c?zDVCYb7hKu!Gyju^gD;fUE* znnDOJp$5bR%UdAgUFz~_n9$Dp6oZZw8bf)jdlq)GvnXZyNsNi5geMyy?yiAtKikr9 zUIoiGDu(pYebi0S{X|hRu`hc2`e=(BW3YiU3rBu%&#N@XNI3cN@-*cv_ZFYL*Ufj@ zWb!E@j}CHxW`LuY0nrv|6e=tGIFNPrAZdyLv*5lAh_*;OP!XEm%rD#FNAZJc_-6}$ zlSA&DqwW`FonN;J;oTo0^pzMHeK6^Cv><^ z^ftl70Xh(A&?=bVg^_!yv;1(O2r)nkCobAz3LBAnDa9;e7}0T?ddqtI#@-MtsLGSv zspA&k9Ap^XD!umMk~PQ#ZIjUXM|b40s)_3Pw#Ia}X~RI3vWnrRuUTHEKS@zR;By4o z1LFdX3vGPJ;-#hnZ?tv!zy)JG6&YJqg{7Av)QsuNJe!xwzHKtUQZBaOz9BWguH~3L5VpDMJlo8eAy}`;e+6g@?2*8(hZ;7&s5zkE_#9qm5;bb#eqrxxnj8{6vsKnB(%&cb|6hj~RpM*PiqP5{l#rWhl|djm69fH)&RA zH#q=Om8(2Is?RL{k`-KbloueGy2?$Y`t=IQhI^AgpcV37*55~o*Y+nwn`9k2*rvse zhT0bBHVHj&m~Fh|iWp|eHcI4efe&dqOcq%wj3vH}TD#_lTg>^NOP*)P)l102&3eu9 zl+;docR7B&#)Ki!T^orkqEJ`ltw!2P`F z1c^RFLZ`4$q^22ZW9KP`U<`WkSEFVxpBJ=9n$#C)-vNWnUtf-`oC|c?E|0GG$_e*y zsmLV^E>-XB(@yd{0xW@8 zl;%xg&C>d-hoQr^OK2R$E6dAJ@uJ_|4=nS(yO zVfp#fKYm`JEj*}<M}c#dxq_cztzmLCbd+w#c5}`gG~2qx_9aZH_|e~tj)UAPY_h13P@Z!xp~Ibw5{IAB%x>oGd%4XP7$JwhnUl-m@`!XLZ3oJf^- zBQnfzd5AmW9z>&lcNk6~JC(3{f92fy zWzlx8t9kzAuK*u13ec}D*dZ%{d{-G1hC!Xse=ULk7+M~vjms5u0w>&;+_0+11zI%` zyfoN#d_rq*@9{j-pw@!Ly$)(=8d)_ETr}|SbO!F-@fEc;s1AInmFg&kN0F;nGHMX` zDCpAWns;q9cx8`Yy^y)Hxa-@t0Hm2J>MKr4&9I*lyOVOVSUtm^M7X&>+J z#h<-fK4?p5TSL><#C+8fx@$||hiZaB%vkZbi#Rs?yIXI+!ZZsTk|%2fey9tZr1+4)47^T{#Y zHQl5qAkYj7;{H>PCYcvPQz(9fA3 z?qfuzr!<>|?N}o{Rpq*Ek*%IR@8PF{jNI)*k`0o~{V8G>K6AeeRr)48+qK0nf4*BO zSW7yf2>S0Iu%-(Cc)D&luo$YrVXZJ*UPEu|%V*vVA2kjwUA>#P1N@9hvz2S#w4Gze z5Q8=vH=CmuA6|J4Wy8z5w;75X%o?50A%%|)>yjQyL6DOE-4tDZfcw#|;r|hbofH*= zUAMcEt7vO9LoZHzF)9;g^shvS6>fvwDbWc0<4X4WJXR?n9)9@pG%RU`(IQAM5Ti>_ z-V7+-ZM#E~75vv3F3zQbLgzrb+Bo31yN#dYQp+m!aH4zfagfQRFDod^MEmCsdw9bl~dfJZP7y@U|>cMI9uPo@%}lvD#SgkJgo>Es$0w#N%0_MUbh z=aGpt@J|S7v`plbrI!}8m}PhZ>+FFJUN3nGj>!MO&ZqEA`oMU@-3f5wzvPKAz(AgV zgDc=vLY@PDGG;X1cK0tq5Z?b+GqBPLgd%b9-ykK zTbgt_i4zRU{xGyFn*35X*_qwIg!B?#K7_8;_vIXar||*=-YU=m_AWl*bHBc&m(TkB z{nxmNIR$fTkBxNf>ND6ih)2*8xNC3s?)Nwj_C;cNq2cEgg?3@vrClQ1Pw&N_Gdl|~ zg~rs#p}o~%?hAkI(aeSOV$$!j^>zT9gW`-ANcU^sT06TXyg^l zD>_K7bA5TDCA8b%J+)u%DgA`sP=F@wKAtc)9J|+Larrs1SIoWB73+qbWsgnLWq0@M8 zP39ZW`Z=PzoZ1ibc;Vbo-*eazyUcIUn!tSI@*VxghdS}!ocqjcXim}^3=1t>gh_?VD8y+o1Mc?N8O28(Lz#%O6o^*$&+9HU{E^DC&Y}lU47|4S8xs= z2AM>lu?>s`?qq+V2@ncKrv$I?$$kC712PaVJY)+I5;hQCKf2QjH`zi6|4v(!4X?du zuNDEE0)trLl)hr&$MD?&Pyc+kc(A|KHN=vq_g9=PfzBIbr_3wb@JGF=-!tbBKHt_f z>$CqgIXh^dnzVL=KC@6K5$YuHn=$ubHbim{Wvuv!gJ5K7xL%w53L755kQ}``jOkf@ zqNwlvrO$=oalFNnwS09Np-+QjZzhudjtb&wZDsa}w-lFjq{`@%w~1`uv_*B5&7G(D z=H^rzsk!_$_qn?C4q>HEnUuHk;tS&I6Vt5;@OKSJQTg5FGXyr%THXOGqD$Z%mBF34 zXcw#{;B7AWyXY)J+G2=ik{)WCu(GZ{A9v}oTT%X;K_3AL2AUvlQ+u`&JSn+hN-UoR z_pWY&L|urpfr~WxkYw+huA613E7=ME#lxOfHT7L z*GbC(=tgPl@=LaH>{_RLE2fnTbW0PMYNjqCTYKTBk~QB28uZ_3lgX}J{pV-eLX%B^ z`dgklE%WvwE%r-n?Hg^grnWWU_>_WADe#oj#vIZMO)pIPC(3s5VS)SE%jSd1I&K-8 zdKxz>0Xm1e67XDKU}xejmR>$`=UenJ_rd*($m-@DYY6P3_VK1JLi>BXB&qw~DC((_ z&AyW7R9{k|FmINTLWg*1!Yj%*6)dF5ckl`{Ax!`O66ZiO$Sg`PV;wuV>fYr16#i}A z>dAYD&8XSIXT~LQYg-=bFQa5(6Lh4))=y2I71#*HgV`}LzfL8d54?c~8``4yd-&Rv zP>gyX!=2@Qx|%NTfJ{pDqdT`p6yySY2)~R6qxzlePvx2MU|Ns4C?JG)a7P@ykLk&M zgd6$j%~+?NS`ib%U+`7~eQ9-e=Mj!5o>G|FNg8uez%Jf7X+fH}r{`Rju;w7z(ignz$AgMte-WhOK<(K76e$M6?pjJL2YEy!xm%iCM?ck)yOk{cv&)^e?lJjkqCQT#`ZKRE^8Kc7AS!dII@K23f&z0-Ojj>SQETvr)uEL(XwZ$%+0lOR@4Oc7hK(BaD{$>+W>l4 z>Sn#StSx{Osrmj3%9|P_oNG`oY6#XOTcyewyP66GtIDMx~E*YpH%nLI<$)D>hs{slLmK|6cWWI{;cJ=vnXCX$#@Rs+4u4aq_eI3;7Hmy-bLMc%kjm z>Vh>O)`Y*HAThFFI1X zzpTfw8dJ5{T!G1(u6QplHX#dpIbj`Bn3%@#j@~%9q2%Th)l3@WhxX6CDZb$3pZU+3 zJ;Rs+Fb(AJ-k@sz$RSNDZ_pzOFb(9;-Z*@8*TNOs26b(naEh^9TW%W?Uro3r0Z$SQ~x@2D}nn{%*NF*oc=i^*l>edHYT5}sP7F7aT7 zc>o(me+zF)x9T&W&j*BPxZ-639m*GU`{8uR8T~-j1>>2pcKR1Xv0-@`tUb9D&E-*a zZ%v+lLI51Z$=~xTE2^tXjo4cHWicjOFLZJC&tgpW0zSt5GrrLHbDBcAZ{(l~3Umt_zxR z!QF9g$qG*4v5n~r+JB=xjVjirQlmVD4OKh`T%PT?s;*6UU#BEtLV_Z6m1 zSv7nd)Yjz#dWN=Zcu(Rbg>9~Oo`?zSFI*vGvx@L=7vWkTAXUg=9RamcY6fa}}ydj@(mgsP##`odvE@jy2qrTyrkt$1UVGq@HE{DLxJtk>?T z=cI&nmVbhr!#%b`3LQ7!Js_d~AKp?-_lL_GLkko!4$@clju) zEA5-ipF)@@e!#1M@J+W8rq279`Dvm~>gpnOHrhFPO4+}u3ey-nkT>}CoK8@1{2EB| zpR7$zEn5O==>}{V`S-kOWPd9^y&DwhHg`bRsVr_q2mUDQOIqr8vb?=C#l5Q`nzCyO z>&LS`11`7L23#GWe+ge)LK6y&Uqh;<%V*x5Q97+NVLlVq!wKiS>ib;qC9OZN z_A_!Z)&Af#ob|+;rB>|Xol-54;lF_te-vE{iInpyJDFl26HI1M2GWgxpG+|^;lF`Y z>i25dg=mT_e^pbBiF`;VkLq+jm=Nn3Qz3~35>GVj=B;1hAcVAcLzmt$LOr_`mEH&m zmwH(Tp2$;RumPRWRigYgex(NxeF_wf;v|Ot(jV)c`CvZ9sjn79*(?p|RedrOEr3$k z@kI8-&mxs@bf!!bZe8rXp@@>#H;Ggh`mGxGuTXD(JgQIJ?ZHB=I^$pTyb4J2R1K9oh5H)#pJ?c`~aTb;?up}L;dDJrIe!3Bd0 z4ZfxqRQ&;bC&>Oq>FFxx_cnY!#_{Va|UvPdCKt5lm#cKy0?Lt zMBY%T$svXM#WsfhIM=8r3&5+*p$714>Kxp7{inE(?j?H5s}#XcN4F84&C5yf%h4@F zZ*43&i<0~ABxU}Um*-P%e1`}p%z^y?+n9Cv_2<;C(2#TF0UUD6Z*}u?(lSACTpUc& z0Kz>Vr%`loe~cp2`1!H5@*6)THVPjm zQ-Zb`R$cUwHraRD9JsQuUIX@FVXETYi1XL2zPk56K@dxd=ZBP-(CEWNWp3lxu=l z-7AjDD;!pU;Ka}Nar-51B5I+jM=Ex4k^D1(zkipD@{>>sj0fElbz$A;GxTzx&kS7WftRT(UN=0}U+vBG9_yiyDd+IIy?NQXBDB zHdO$a`>Qwi*Vr65XoBG2ER2Eb&oB5~{YGi>r%Q4$FM$3c$QkQf@upgpb*r-nZ;8ck z(K~7xcb!yqCr@0rt2ffi)0LVqwkXX~iNO z{If+YeW>4)H7hO|1 zjQIEQ&aWvu>>bTJ;@{#Owce7?1$!;Xdka#P(*y>@P<d@PvEcdCeu&?p#(u0fZNr6w|SS)TM4Xe%lq~t{)vmTr8_Pi1eIDWn;$t~e0uN&ozvGB@{IfzF3ijO z24oK`7#P>n8}NI$rfy{O0z!=~7OI`ZIfyJ6c_3g12i0$X=a=sH6dmHllGCH_;1}HT zzOKq&;ugRah^xVOa7z1;%HAFAX8O2Opw#d150TS$tv&gSoISkuS=^K2J;`tP?w1rN zKo-TjU}RH(rGq}Y?*5u)>AfqyFoWgg(KG;_Kw-bCzpCCh-!_h^Z6MEj$@5HJAOL$< zH|fCgUvrkhce6y!t^^Z8ok|#|qErJDaf7c=+dzpEEN)f)UVf)J;_NqjS4rU4y*zbo z(yYL(KkKS%>aw)X{&;5RDOI9ZrE)1O3l8C8b@u+`eS(nDt#D79^!95ifF)rwwEzoS zQXI?8X!DYmmq&@KQ_1?^LOkvnEZr$8Y4Iy9|C6r8y!yeJNWIYNpLpirYXrr+8(N}<#3Q{`Iy{q@z^md1Rk+0V#zd~1m zCxc-B`QPqu(k8SvVQO2}?dI=W(W)Ho8yfDAbR|;P!{Gps3{MG#4g4H%gxiW?9;HC%d z4}NJNr)`n`I#&_D==n#2c5|6BARBV`%WwCe!WST>cjiD^98V72s;;Kjl>`U;L>SGmsX?lS8-uXO&-5ADw4ZerGg0c^!@`?D~PKOI@nH`gEL( z+C5?En@N3#R;#0{m(GSRUxe~>y*i)J=M#9oKC(t_%CPuNC34jbPTrT_fK6o6NB4on z{a(mF@vlphXV4Q*OGn2Vr$k?xCOq9IzX5yS!YTL{OesuC<2aBHc-u#ZxX=S!U_kbV zfgAvDxAmjB_ z6^Hi8Z>T`DOLnYCv_pPHg`z#OL&egUwO6_g&*p|6kn4>XdI==jVHLpvitTo9e5$p- zb$GSa+2rd&&QP!kO)P0IB4mZh}WAN9l=#~D<85|r7W(o^JjE9eBY z;~#aLC6oMrvo`OVD}u%lZPpddFsShE9CZ*^yHJcX+?##zQMX;vioKSEk z>1Nr5{5@?uWwixibmcuC?LIi--K_tf{*-l^CHJ&#yARp=zkZy~2h1o;#u@GnzUc3# z*OUfy;dxYKCvt^R4G?IE)Y4T>jN1{h80{2f{Sm@iGAq>2iX?a3c7eOwDaAnUC;T={wk;p zXpOUPMuwD=#`gWarQ$pJO!&jG5_3F2E16NZix)RFKhEL4V2uYuv@1*go_{q6C#2#niK(!|434`Ja2yP@}XfZuxKaA1M;O zB7urV3U~2nlV6=fv`^zahNqWZ+|%aGS8>S`mt4vxa}rCSjLW8;eH=!wNm^cO`55}R z{Z_B>tD$48Y#0AM+B|tw@K+A~Ozdy|QWr`oLP=5G>6bZudpNQWB$)o-clxsrG?@P2 zWd>(guR`dVY@6rr#h+j9O;94V60OR`dv9r#eHU5xLFo*@bNVfMhxdJP9_$;P8C*3s z=I17T7S4Mje>6l^Th}16fxnAin!LTsU*}2Jq($l4qd4A4ieG5{C1GLRC%<0$Wq>)* zX8_%=Egwh->mB#xvq!sTOD;N^ztxT-0+n)KVH*7diB?qm0o&Pmw~3&VE~$*)S2Vm>;$iC zy`S*#SGl-Wb(8C=fEK>-+C`s7_I}!lw9hDn-%+b9nbbnfW{<&6NSRNt!hWtnBo&!p z@;Qmks-&#zJL=6UI8@<`@)O6HC3P~Ct4{2xII9Hw97UU4_=)5qyf9MXv8XDN`oig$ z93SFQw8Il!Rf8tzf&eG)@YdC@yqUdzLlp=0`8|~#H=Ij%tt9vif3bzX`cwM3iGMEm zd}2u4e-6Y#5u5nC_^16y|MkEB_d7hJSn*{KZ?wO{5ABOS3h4yO1eH80DsI`SeL=9I zhaJ;9d8WSI>$ae6I(SRuKC!lZNn}&zQh&Lw_0Z?VT2>qJ^oaVsv2Syq1)CdQ3^}F_ zCGoX57Zw4K52XzUjZsdfGCw2+v zpVXiO?w~I5Z)!(%NSNlgv;v7J>xNcQ=)W!>b=~Ij*G=nQD(D=_3w%a@H_!=a35EWP z00jY>v|;4q7D`#sP%6d#+0nr+DK2}$$92jawqR`9E#B0yqpN(TvX1rAhWw+BzTt$> zcp1vPx^^GG$W5Hx8VeM|PxXXy9v>!U@z$gsZM8^lQilq2N*>4|zo5(vO2#gw;`DX! zp0zCx!6tQ;|Tf`~Kwh=>Id z3q`D4^;AzFkI|U5uH}8(y>XmHgYX(wwSJdWgmlrgEeKD?U*N83YY=w_W$=NFK>p&0 zsb5m2IPPnvP%Y>P>ZRXUtY*ohm8-GGe$f+g$#q9ODd(N}8=s)_K0W@)I`82}rM^@Q z0=XrD>x|#Q9v&*`Yf@73RA(3uZ-| zX;c#%=g6P{qnAbMAl|q)#TV>ZQ03is-F$Lts?#`x@dV>>F0Gem>>J&Z|GC4&<9Y6U z0@AnskZ+?{`rNafeQYoIX0Ex#Z@RsabT=42`GH`b2N)Ov8MF`dxZTsA&Y&Wqk2vP53_U{{4#$y06fj;@ifs%@5K1@!-<3TpT{KAq&5&>3)MPxbPrC|5&?9!e;v zDd$GvTN)(0hz{2vnTp-=VA@4&xChgt?dqEzB1YZ#mVRgS4Zr0d!*ifNMut6IgJI{(>wQ-(~r5SZnZixX?WFwBWgc89%p~r@#R4e9sU)4?pp;zN&`YA5|-x z(>I?nz;n2c*D+SL&|*f*7iV+^bFle`S1?~}Cl3Blz;h~sxhO~^PHZ>r8j)k;uJJva zX0lDy742kn`!~38e9vkz zDoU*YQ)7Bk!JnU*y_I43LVXvLw!b&Bfyw<4$U)`SZJsrY?wsZE^eZoRQ{$OB zVeCeI7qioYHr3@KZ8i=F@Aj-}`=k%f1@$~GmOA4b3s|yR{)aeHshN`)#Fet7b3s>4ATIVrRdl#pgGBp9&K&E} zcQ)t|O3$1~A9vpB>`~^ek?4Tlp)ZfVwxyb6L#7**?QIU^vltl>Oa-H_jq?KxbnW0j zZbtn=zwrx`4|MG3C+F-MC-D+;8ydoUsE@tsCTONn>atcqiDwki%0@lZ$ zy3p{rs46vtJSjXwB~jc3D+AkydkpS5JO|4i75%Edo&2fCWqwlu)I&_;A~;qP$!S(E zL>4{rb47vN2I27o3#arHP!8PmGU4|2hx~(%&)N4?c)Rs?wf?ud?qrK8z4s4%l;0+w z`On$Bp<(;B3&9G2eJW+Ur!F69bItW+rVg!v(1g>K8-mqSHoEOcuur7~@Kl+nde91j z5KiYE090db2slCB?ga=klJ_Xzs>$uq(Uxfqj0K*}BMi&+j8L$GV4q3};i>8;Ng?DE zpMB@^P4y$v|Bt z{YZ>4h~6JgIu3RE&HXZx>%qTDDDKx#udpvCPDHNflMyTxF9~PDrH^9U+up5}g;LlL`=5wj58{~0 z;?mG$-89)xY#>-6PAyJ(-j}K95Fqp`EuQwBUzq5(Gl>1wiU(5e<1@EF<7=?yJ?71` zDQ*hpA^UPgzBewB^B8mR=l`Rr4@sLhU-A%LCKa>^t<4s?-ZuOct8M&AYqN!}w=GLm zKF(mG8tBFXgSL(^>vePpSf>D;!q$1sfIl={(JJ0;8(|JqQ&AFymN+AOJqwd_)s@`P zKc}tJLwtpNlMUBZ^p@0LY^-NQ^(s3eMO8z;@w#cr7d4t6YIp2tj;q@QZ`xbW5enfL zJxl(HjTJ}}Mw*f7$MXey;Xv=gCPv>E>_(*J4dkx(kMR)ds_8I=FST`q?6Gy}ZNzX?epG7}q;=kc zKSWu6R0-qo3Wx^oGKzdNL|Usrt!9MyyakVlxX0xBUPs$d;{Ko0K1f%M_-7^0=RA{8 zL~wpVZwkxk?cdYat@y*`q2YWJOhKB@f5Eb{9dH{aep>^7p}|2o-1_xx!-8Xbki>yt ze;ih|j&6d%TN~+h2&>vkH-X@-#q>G^7zV^cqT-vaqgJak=d|hAg>nN&scr2ywvXI>m=3?T+G0=$_u$QTH zk66ltzrd70acADuHPUPCGw$;i{2{UukN2{%z@W&HXn!m-YGI{)9o(#bzjWfeZ$?l&*FOyrL|URA zVhCBF9^#0zC@`cEt|S19>pSU$W8klY&Nb79a*VEfac0TYH|55-USC}~SQoQ8v`GL4 zvqF6bIr*K6hr#xnfeA9~UgObEU4H1k_6J|nDL4R|kxJGSi+ErX0D}^B zLxB6@Txv!TR~3;UOWazYIz$Y7iNmN4X@iPvd8@5rt#m}ElDmrKewXG6~=4%cHMXqlB+h_X~97DY5SDq)|l?dCueUX+MR8R(Dmm7arD)5g`xj z79R1K(d~r?-$D_xU}Yl?BfTpbWO6??%D zE58|^Dka77#*Vdw*?60B;X)3@)a zp7Im_=1G55_evh7;-X1$=IOJHqex?_SwNQ{T{Bw!yN~kiKSN`Z7r4XAN?K+XGk%js zfyT_frbUfaE;21umZAMoyPbJ@n||7-_xzN8$*OsM|Ebf36C_U4MH17aIbu->2}+13 z?dhk2(y|51rVsB>j+dg)Qv&S{4T|TLFSe7Qn3A;2lC=0vf7(Qr|IQB`1q)O6Ymt{9 z-D%exg>omzogjCD-3fNLh=unvF?*Cm9+NVM>i)F(*&Y5_%t9VTZ|Syc@1Xf<{C&#H zq^{alE}cvz2DJQ+0TaS9F?F^cAFQR7w2pS6X|`4NwM;+UCS-pI#^1~cHlyceA9@Q6 z(j_!nd<3-%hfrxw%p3+1#R!dUxQr8Wz}9wE10&V>O$SlTc21BT>CM^E#N~Rf^n_)O z`e7VDJX^Lfvh{*zEa&`OH6|a0Q@gs9;~&n6eCS`%2bcS=I`m9(bP4Yl<>>yjSzh-T z7N&YXUGn54KTgSasuDV<&8Ne}$l5Wt{{usitq{-b$k^o8S&)J*$g3E(fDUG6b$oz&gJg1WffU{0pv}YU+ z^>AC0V2KWuaku?r|AwXETQ>%Pn}J3x)-Qr4@6@ZYt_pehi5Uax6s*%0?H7kj2&;`r zXo(JitM2e$edZ;1(v2Dd=;S8N7hAM54on0ewS#v>EC0zO0Wns{ZwXY`i(LnRAilyt znV4L2e_E6U|Gb#|N(+^ta)`>YjaihZV{+J97n#p1S>xS~3rgabTzqT8u4q-K;bIf^ z#oHMdj1axB!qlJR(J4z8z?PDtb8WqQjq5uth=g#3BzKBdDVmHJ-{4jFGEX#`B`TwdH;b<(x)ohCr0~1eg6?`W!9h!e zPgt1CWLsCQ#NV?Y^(Il7M5mtd8zcSAh+rdqclxoj#VldzU&(tTvyU7&vMKpdR!t6V zBADfB)Qh-V+R=WJz8`3qqM#IEH@@IVu|UPbQhddUFHo2Iqe)@9bTIUOIVN3&!yF?f z#gc`VEV>G}f4SzxkyVq!G_<+JY}h!$ecT|Bjw`L3CiFhI19v;rg?z;Nu7)cL(xXZBp= z`qrMB-3GFiWq+6D(vIR0Gq#E*Y;0n6bHdB34R^s8ZH;Vh!xjb-4kE`bZy}ABFpQrZ z1j<8mvzE7{ZO0XRKHPR7HH-Jy^ftijMwXopd&vWea9xs@mvft>Futg3pXChLcJ*j0 zTqn@3NMZ0*2f>T4k$CiJQUA}9#x=vS|AI4P91C{*D~|`9pGyn#)s$5!4{5=NEZvGT zJ2*GWtuSu+kmU9%hi%S@er4g#baA*$pb+tS(64ITnQjj4@Va?7`18>1qSK|Tl5<+u zvixx58;t8bPrG!a#0xFnb`l8IA+0-@P3BU5meqIZp&s|a0NIdWL(^*BTaJT)R`;t^ z`KYp`mjb-I;jrx+MEH{`*5!%hKUPJM%O7&10L=M~^Rq`;1&N|~O5J7JLc$y~x zxARjKJ=N&O z$b5^c+hycy^?1*lFYZ+3p|Um-?AjOgA{$i8Ubnmja2-!M|1M;iCs~fcGhDi=#DrUi zjV4#Zb~SHzL)0zw-s*meXM^2BS2gf8#XVy=7;w0U`kn|oBn!_6%fQ&tM&O`>%akwzuoBj)&l1{+Kqpr{24bp9&R=OEGnyP@uVpe_HPBm` zv=2^QhQ-<+ub*2LL#nEq1gH7MQZ^m+P!)x2_e_4`R*+l4ZmFt)j%vBR2g!p@ldiXS z9s3mddC|=lY;V@|gURo{3FF>#Flpkr0V2?OfwGc3?65r83+IJEfG$nZznI%PKkSZ_ za?ocw(80u$4|aUv;&qFcZTtF}|HMses#$<$^%sZ;j;YiiyJJJL`GcYsEx+w>g00E; zs2nCF;pv%R3x`T>OxVw89!zR7{0TJbDWyo`M71v(B~DLfCM#J!wc18RP-j2O3hA6x z?}-d#8oy+ANej-e&~`~$6xFxNJa!RM>NRuDi?{1F-*n}PUX#~FdVqQFI;j5V4nXt* zb%@Hc2|d;Fj#UHag-=wBcO|V=I^hZvz0Mi+YspmakZCow z3TK!lU3B_|b6xfH9jn{fprI!!hsR^Keqx3WrV< z|8R7>f82xH{ll^C;1gwVY)zxc-BfjkRwo>4TI64O@mO!Y8bN9%`n)(*FL#yU`S^*( ztPwP)a<%29jUR!GDjEHvvnif4;qezMPwPNJY*o(IzExhT`cB^E(hRd_XQV@*4olM# zUo>nzIbXU|2O6SPX3e=$uPrFR%cDFbqwU*79d{XoQ3}9gEW!;9N4?dl;3SO$D*~(t zZDqWDE6~avc0KdeY43)j5p0&c5-~A2_D06U-tbSzr1LtevrXcM)ZbvE`e=*ORaf4) znGE=jc$uPv(L8bCosY`P$U^P1OHf+;46&&%kLYyyWmm{_S=`1#?5k|Ln{Q|Xa0i~;dLsT*Sv)4a~En>;ubjjkgM3i0ANnYip6JZ7p$E=!r)oj z9uy55heo0Msp#LSm+ImU{?R}(zxO_-*1{lc@{jyaLepq8`FA6`oiaotJUNIqGGi_b z#l^8OqrryCmj=MR9}F(-lMG46|K8Y`L86x;Z+C;mjC)1Z0}md_aE4=VXgCk0+1M`p z!BMHHh%bmOK#T?muO{X;C7EDz>C^C}7U7qxMnkjB&vo~c zIM0?C8CrBRoIdfI&2V6sw+%)^k=qBCHVfXt$GuJYv2Z-KD&IxOxo!E;h&;6}-vfzT z#h|x$vnNK}97ejefk1Fv+E(MhV>PQfw5KjW3tI@b!lJUTM&Cf~3IrW2tCx>F(8!PXA8d3!sOK%bmyU(} zICXK*7)cc*Re)5{OPw{~5s)24$R&%v6&*YN5$EWq(mirfCcfn2ZYG=I=;fIukLLMd zeTGVjb6UrVz!C|w48Dv+`@|9NZQ)uo^1ETUrSNGZ|HNq<1PUY2i1mt~k#z#^XqaG8 zS02PlLunPPRajc*EUaOKy&>5N{6@Va7l+je2gVYJzfn(46gbrDlLE|V)K#B(88Zo( ziwQ;cG={oY5h+r6?ket-g5Q!@%3ou70>4o)tXJyKJ$KQL);@orK1=Hw0PH*>%eF~R z?r0!nR4+w#Ny9c-nJsgTYn`opO)r_u%R@97AT3Pv!pxEv!}L(-s>G$A`3An}`PEgX zllfS%CklDm(0rWq+Kdl_5=gU&(rf-@BH0s&>hPJgpZRyv!V5Kv@PbeZ1t=6+;Z(F2 z7F=aTQ#V7%Q(cW48xpQ_BcTwz)d;<6!4IIS`A(ZGIvgyEKYdzF>h!0m(#&N5#&*sH ztJGbQ=f(Ts(p2Y!#_UG-qyTL~YqN#=a~|nS6P;^qworf0DOi1!##x#r(~E5`K1BQ; z;2g630+@>S!a}y~CBDZWtD+AtKKp7EQXHG(zSf8JjRkw5pt4tKkwA-9Z2nOhwza+V zBE5Kq>Y_p(^TngLH*gKLTSl8L)Qj`7YR+jP|H(~$A>v1#5o_{1_S5fID}G_|0bX%D zNZJ!5-ICUlt z=GyLyKtn#XzJb~x2$HHvs8%a>7^2cOb1zpM_yVM_!Xz!TB(@d|n@``GQD#<)#=L&- zbRuf8n}ve<25NmF(A`mCQmP0EXnAn|yx3a(`!9c@_OImGT0Qw!w-t0YwL7{+_;g^E zVxZFg;)zDp>;MLd48TH9(ZRwq*}^oEQM^ot(u9$w7kqiPyH3XPP8fN&pAJ0x;!v|Y z3x2)>j;~kl?6=7#Q@*1S%7x%u?yY zG*y|$G_1z*O%?n`+)%3z_wZwKX=G%+@kfxQ_4)AHejR2A~@6PaI>CRm!SbA@m7 z*1)lI7-S$0*8^b`{on=vdovs3YkurI+Gdl-_kX<(B+HNKrRWm9B2peK z)2w(I>-IyVz0`HpK+CUQ)kX@$C>55{srp4&uty2ZY>my|@c6)0{hGA+PJdvya@k(a z&`wV0fQA{pUk;!7veDP0Bf`U_UzN}?9l>Eo8Iv;XH1s0Ki(oJ20;5q>?Bx!>egS8B zduU|6I0niiLE4(FWxrtZ5~{?KKmA5deNi9Di7bde)<)XGb$5O#@|b!$T(%o>934Q* z9=Zrb=vXy}JtAV=BOiVt(H43>klx*HXwepW!V_38$iOvcA^7#F!!#;MR(+Rk*W@X5 z+b>Ipa@^yI_9UT#U-XuQW$AwReyKyp(d?&8&+?G$@jVN@U|Ij*oqNTXUwFMgmAgzK zOl(_S)RRRec}n4K+0Uc0zerW)ImNl2(TeD;+;$s^Zo5N_t;NgtWjCk@X<-;_nq|rN zN#(!Gs@vatdRW`j!a!eTNPr=s4D~PYd!75{&0$oBhuslgjtV>E`*OvXUwCb|xc=mU zsI=Opbtm^=a0)NIv74&4Xl((Z~0%7qWVBz9S0G^iO0R|WKSO7@r?_&N=81Va~# z2wgD#Eqtu3tiNEeTS&;!^aVrO!iVqb_}-(gQ{)WhVd=DwK3(cMP|gpdmKlAHPGwoh z^1%*C139zwI6AVJv=6gnoh&87QsipN_4V!3lZV%_aiqH%y7m3^XiE!O*VA*x7+3b; zL?eH?huh=2NG)fmZl%@59a};ebP7B+VTyiu@snF!-y(9sW1WD53)*EeK-&K|X=WmC+A^qeMM7uk=g8JGq2kR5nNA0YV$T)EVy2< z$`PAi9QXrtI;V%o>43ypG*j*VxRh0iud$fHpvGA;GwOYyQ8{UKDV`#K)Ue9g=glt; z+yL=X1Q2-1yl>We;w%_mPwk;vIwxotdz=Zw%b!JA0)5$CJga1QvotlN7U#)m)yRKv zWK5EmSzXD6^NR&{ZS)DFZ(gWY8Js!-nlU|8a{+(KwY!qftJc0 zs|4FN&J4a%Bv@Uay`PipfrO4bY1dN6LqZ44w5!)&<|KO{fpbQ7r>44moZ@>g;XIeD z&b*f9B>Nx%lTkNcc`__gIt={{i-cv43dB07>Tf1IKr*?3I_)C7UQ8ASqs#Ykaa`*f%Jks-(vC9K@mN>Vh6RF`iP%*D`WnF3Lm?q9j?7|k z-|G^jOBEeoj6!dgsmeF2&S@OgQMPTWon~zVrJn6W-?BDN_ax2M>DN0Z`5IdpZ^8j( z4hwtU3VBzU3|fUEhB9c}8n$JHz@jUuA||5i*i28U5F7?QjUt9I=q)wu9~BM@^fHQ` z35x9XhNFQ!i=xLtDlNq!fJB$cynrHjz3R>q&sZbu>hW4f6~q5WNN=|+CY zGA)v}IpFE#@9_1UHlNGPT8W`wJ8?(LoP6#RS zAc6UF-knrAs$Zw0gY>JC_a8dIA~4qux;p+b?j<;3(I*UhkKLG{DAua?A3DIxFHQr} z&u*z4v~R#nO&2rN*m&2u1cVdF;o`$&XP>@4f_hQ?99Q3wpVDi={ zhE5KJcG%ku3Y|OXbFN#j-YsDsg}@~YV`tuFaIpG_X5~jy9}6R zZci8|D|@f9pXcI>Nue!c@Ih>!@#@8-*qCKuTpCUyJQGvbznvq~D02sy2c5HHS`_c; z;nQ`pjeVRW?b4o+W5)S|&OwtyN8ciCJL>{@!n1%r1^BdXmX}%gLC-{4J=II1tY+U2 z^DYB}eex&FoWUp_E=>;e^Fcj>ELAdJX|Y?z#)>djrtbX0q|Ld$pQ|T%VBn65N45)H z?P^?%Tm|IkFv21pY%G5H*o%dbR?L?d4=iu9=efdjn4%{_dg~|FTgWfS+(+?%edtU` zOHW1dpEkiU`psTxD+hudSZ@3>t5k}O%<}!doV9~(U(ANv-d@TE*Qyt?nF+_52blxw z{7EP+^Glw&1os$BiL-h#oWV3W);!1@E$EM+v@Fd!(#LIEKG?ZkMB({(zD7Jv3B8H; z;B!A;VRTGoacS}ddVM9(HV_{gmWaL6u=(O;B02;Jn05BxQh~QU5TT`BHQ@u$x}r{a zDn3gwzxj8}RBs2sPeEh`ft785+@U<=@lmkyBwFKCwpSKj<~!b)%|;U&-^0$a_rkWY zSmcawA2_)Dx;P;HHXOJZj_PcwUYz^sT(JR!pdBP;&@7)TcoPtglLB8i=@hJME30dR zcKu@e(k2l7v}vj)PV1KzMr~?=1Hm2;xb`CnZhgi0+j*<~?2>U7yZcEe{T9ECZ`a9+ zH#KihP3$-?@eK?srfuGogtvK`oA(q4X5*(zP+8a!9YX?+Ue&H>6F#*Dhgh)#FU_S` z7(mIl6He@Q z33hGJ6fI>xWqOtems5xdpfgI!(HriJ?r4b>@i`pmTjdnW#1Nc3{{tU+mNfry>oy+9 zH|rBxpJ@JLa{a$(U&TaGZMx)el4_^6PRl4jpeTW&1dAG~Txq$H2S_bf&jzP6Yx+L@ToZ#p;-ZlzOS{ePUmCfq)L!hWW;xZ0`Y<1pjCRGg~MB3== z3N36-trz<=+nP$16Ma1vm-dtlk5~5J=_4voV+#T;j5wD4ceZes(J+h$2PGYD;|{ha zJ77wfjqqPgEujdLv~d$UJk4{OD4l{SmdU8k=^|R=l!4piXl?{y>N)NQfXUFj=@e$M z9QUYwnfh1?NQW!3;5fx^veVKyOxo@!bP^T@BhMw$(hbWr-9eo$>=&`UdC?1bGU>*E04uE$HE=P?DxdYxXSr#Qv+%K(g0M+oC1I)dP2%&e?xuaR)` z6AQO(cxQz5F1v!G6~l*T9DQE_8V8W=2u$CPKx@|vp&*U7-6O2=wl8B1i{SlHS+D<2 zi~5w}^5MN|l1sC!ET?vS<3wQDmBAmC)1p*x8Kel1qBX7Zl{cL{%ERKvY8Y#l8f$r# zL7Fx1kd`^e4A(0cgYpVD!DR0EPmI?S<0yV?G^)OVn z0qf7|R5q_mb2kq`VJpTQ(88S09UN9xg+CsP_X_empe?T|emp0~3gmej(0}%I`7~k= zp@1ELN$cXtz;3xu^mA%Y7=#f$^xz2$&1IGB<7IyFVDvCvj=Kl83_3f_v@jVbEHbmTS;FugXOo)Jj6zW*a}Du?udzXBUE8%s30i zFF)7a&)`_Qg@{%LC||C541g029;#x8_>6SD5CD(vj<$R#TO5pZ4?7;9X}bwRi=$8M z7Z-=s(7bFv0f2Q)TDA~_dWWof?Pke8p?>t;zHh{S@ZOd;q(yJvH>QQp(+&Eawr4}BZ`s1yDzHLv9S`AKy4 zn+E*Z5K1KD1_F!Ew}4_~xZ6l2zJEE0bd&rmK~ee7kDdauWm?q`#y>G#XUE z359D1A@H<&!?G-_+TASH6mT9$#8cs>E80Ys7+R;of$3^R|D7i|_;>o>Dyi}#Z|X*t z-GX*KLuzmwtT!1P*qxI~N0@Z5#>6t9CvQ*&#K^!^Yk>&<&)y0C&sBo|6O^DVWhbFH zoTr&8njViZ5Pw03^hX0^{Q~q0(og-@uNk`&UzvB`Rr9Gwq_l03q?hi5W4&>eT7xU# zA0~AuAWZz-9XI#@Z=(YMx$!X39>a0r-$S6^MuM|0|7;K%c&J4N3U8+W|Sg>ffSu_P?CLXZyznkh|~*9?O)#C zE2@eI>sgbv>_4H2g%-Q-69ngW`tJ525iSd>eL$r4&msqsJs`l=bsny^s7LSC7^oWn z!$6@E=__%-SK4M_zkn@K^dg;l4&32A){DS$zI4dYZ?5SZTw<}Brf;Ya{`vEazbqW* z{~+`DiINO85>CMJLu_AonT-ECB`E#9y$1KZcR03sQNPm2{3)v-I9&QaD z3j+Tmv`M<~zXzKsR-C>%HvWdUOZrUvu3NM2FUC!8#z?Pf_TPuUri*-_+8>SYTz;Hj z`Yh($MhiqM6-Mbqy9X@8H^GNmSI0+W_~<8*_}@DKoQ~s|9`e{B^g_*&cNo#-lEUSV zuH}l_*!{Cg`tZ(x2V2ArLCfS%4;ZNQv~UWY?d(&zNy}R{L(Xm6R5pv%HLIhKg`U+< z*n8+7aIC)2@_SWvZP%o=8N!^P?{-N*T#dmT;*GZB<2i#+KVd(me_#(SSs2NEzKJB` z@Sk4|c|oS96g)$0S{#}cCnr5eBIu+sdoNSzeu&T%S=?hKSvuF$##pG?l*RTlPhBzL z1rSb2+2+lcT%Nnyh6>KEsTJCCz4(`<%C@UZuFe%l1t4ArTQ_A|z-sj{ubR~vm@sUv$@Q9>xyi905hFdiO5k@_nRV0^I^`{%G|p4NwfAe95n3sHQ) zxKVlF+9z(B@zY>8NcxS^0y3PcGZ#*mtE9M%#%mkiJy2Y$6&^{&bzbWwTwIze9?8VD z+2S4+wJMl%MUGpajz@w~;>B<{!^BPiWKG^RKS^B`^6;}KTBuvFZrelvMlc{xecclt zEtx-8L4jG=4iqxpN*qIv{tJ>ATfq^m zcBF=pwXhr^yHVuH5qeBwCHRI67t;p#EIDIHj z=r}oh(wbhmr}yLUbYPzB^24oLR2-DZfzS?mJHDu?73%fd{opED)|bw#N_KK_O)Z#J zbd?PZ`2xowKlPeZ)pk2zHB>E7HT(-i#jT&g-cV6$CePjokT0}+dp6l?zE;sw z*m#95^q8Yk@ZrCuoV+j+{Z!a<$LAgI70q0 zNVHhD(eb~7(7!swN_Y$m{VNEz#CwIZW;E4fsQ4O7^*fgpO<#|};-~fNcPL$x9u@>c zeJl_ymOnj#SRHq1YZ!iGF#U#Qbu6Ywpz$Auek$~J*O8#q%I?XegDru)X}^4Asqaeu+d={KWng_g;CyiApQ z0aD2KCT)HanMDbL5^#F> zZ|I+zp?a+gy+fn3RVkXB(=z>_dSOiHT)oR8hpqaJ^fqo6$CV@M=Jh!-&g5`{R4XVl zCx|02Zn#?&5cLGXT~ESsOYH z&b9bXe_%vxrzgTy`Fr(1OI&9eh#NJ!70Rt{|5pVY^7EhyA7MNS^mxU4XynxH?-Fe~YRc5N z0d4gT!?Qe})pod_c{4v_&XA1KekPlujs8X<^clcuwlL;j)#i!gAdINdvqOOn&6tf@ z-@#!wsd^DVC1h~c!?k^ehMK2M@sm)HvgCZ}D3pGGgs0++W;rsO&}OY8yxgJ@`fN~r zf?et@lQRF-dC{jj8C0uc7y3(;*tgD^zuaIE{8Ui3DB-CsA(&E<==6QWOl0ncB*n_s?|Pli5|X_hsRAKP`Org_}jqhOD^Ytt3) zTOsG8a(BCf%$fwJv1^|a{=lsOw}RbT&L4yRQp!I`TOB_0?r&fZc7?WUdk;;Y8jqX2 zR;7X`e9TabIoi`tn5pB?j3Jk=tEYHsljQULsW?MfN7u@+MWHOtI}gq~Z$9#*EmBp! zeXfTGIuqL2z-MTvW!0Qv-ss$E^g+~AjWrs#FmxK4Yt_gP93UfWXeZ#^p0qJhn-#Ja z#;o0#c#B5pvjJy3`IhQm-X79A&-Cq;q=%=gs{*qE%nCNEpDY}G^5qtd;AcbSkn-j$ zPjn>jXKmTiMuj$NH*x(&A^aJDF3kV>fBz5m>STGzpNu>7;#T&Au{U+R4P)pMetF8G zejj|~Vv6}Qo;SfvM>NAJRf_6%A~7z5>f+~a8y0Ms&j=cxGT8n+H2Jyu%I!pW)G#%Q zJYfft>8T+Gb|Mx7)4Aj>QV%%4>!0!GilA@ujoP7I9_GT!?$MBaZRv;B#>s3Vs!XX?`xCIHYtFTcj8ML8AV6iO48 z>(Iy@q9{fU7W^y^uDBfAsKWFad+(3yinYfp-nT+7tz@5)x3rRdnRC4r>1V#E#~1Tf z7x9WXt#Nbp6wY-q(e`l4&$%Akf)n2!p>g2pYJ$nA9_2GO`U{2dXP|;=XScX-ks}9Z zI$YeqXK<)co80^jmo*x_c3J;IVWTtfbXATFoP6~j!{h9d!=-6(z}1tFJ%b`Pdz~GB zc7w$Rr-F}82Zv+xp25{(mI&tZe@pGDu{~GMzRs99W{VD6@&+(X0tfA+^tGo&2O=xdJuffr}&({(+ zRxi`KIN-#|%krkF8W?9P%dfPM83h$O=WVODdNR&9jT;(QfIrdun|R&;vwD7|{wAKc!OXMWempg6ZE^y9>V6yQ zU8C|o=D1n)jL@}5f=(W1y@y8bICWaoh}X@q=8Eu@E56$FTo+G@R9F5Pk0Z~Up}w?T zbxyix>vd)@qd$TEEU#PPg%NZ(3_~3>Df05;$;Mu3%rJlu$D=5pf_=_--wHcKQ%;NG zxt}0xvVVk(U2jEOS^tvR@_DUxLD`to3tLfb(lS#|tEaw%$zy*7k34UMx~nv?rfa?^|J4kE{3U$>v+osI@o#42|?se>7>PJ61hcR*t<1?QP_BBedM> zJTKGt;>iLQ4jc;YkUzJ@`;1Y)hIqBZjUs;y@#HxOy{c0 zbpWjAqTJ?!?CH2)FH^^%8Gp(2si1-%^%oi&G}M-tbJ8`Jw#&2RRMpRQaYDLjXB-@%lb{L!xV-s?Q`@PD35*nAV zQ-EVj0xSu(WZ4S{@eCczc3UW%0MvH)(;v7dYjr-PtuD=Bug^E-L+3u&$H0|eVD^B- zJ&))CX!b};dNoYkd4xy9V`XM`e}?zP)YTU64IN5@9trr?*eyTX3BD}wEfJIzzk+ZQ z-A3*Nj@yIIMelqb$V1N#YB5q?^CE|B{+@F*^e?o3 z{*3U{ByC=&>gN8NZlw8>Bzh7PHZh$zS!Vg4zxHI2d;A~MN%{QZYvxt$`PZHtLjiKV zFX}JOQ}ln2y#7R4EMk1vJxhIr(^(2#iE-_Ww9ibueKAW5v3{n<&op^&s!w7mv-h;k zGg{H)-wn(lb1Cvy7$?6Jp`AEz8yw6T7N#O771-&TWE}GU0{=oWSw6MEgNZ1?izf!S zn}$o+jtBEV$qoTG?qSl_`Qa6g((VTeXcnXy|F6V?-}x&fpq^Z9k`_hvokx1-Sc)+L zP%O0Kv4s$Hvb>bLg2RGG20WrUR?Weh_lK|4_z9uzevTZid)|&mUNTGY#^#^(xEp<> z1n%+p>B&r>3;i>@&=>`}xW}qTvMWLiZV%8;+(6QK&fAlMkrwqSh5PY4Z8BMY;9I{- zn-2&|UBC#M#*GW4|HkQCtJZ>nGz2FrhO!087Fzbug?~s@Ef1?Mokt)7(fSgy9jwQL zs~C2sk}M?@dtTqGs%uq2u}&zwd>b#Tc?ZHc5Zb}SQ!skG#;KR`!@=cSl)l_2>J^`7iSNt&C1tAl@%ZQ%XSjY%RC?-wX<%K-U zt{;PG)->w9DbIQ082xB;04N{#s}eedGb~I=n8f=bmu3yCH<67-ZoJcKPicc4CU?dO zbz>vAap0egdlk#0>3FGcxlO36KJzkpzZ^dEZfA&4x?t(HkA;xVRryiTOA!F!SNfJ7 z4p9GBREx9MR+@mtK7=z7OoU(PYM)-GAe{nq_L99(fH~OHa(O@LZ5bGqdcm9jEHBcZ zxXqJ9{O`?nuI{lU`zh12Jg6K-mu6{~#*G0a3zjU5}& zz}NL4`a}_gbqse9kcb7s2=xS_R>km-CT|T3%I@pc{OG8@OC9RAT^urLcnFi{A0645 zkWR-yqP+jWf#@9wa4<9!0vTnK6TAY_rgex#9RoIUA@CAp7gJ*)@U6HDW8k*oy{Yy% z%Mx;`JH0iH0lYH@c0%y#gLdx|S09L6>9@@+gf%El^gdCd;bSU`OOs6Jg}fCFKQG-Y{vGF(+{(L_=Qa&w^PV2iE_`C~+wDo9c1NF( zjJrd%H=2V_6hn7=uWOCFyu_}CIOfkKpnCw1mLv+kKGwL#FV3R4ya!qUn_3Bft}*4* zFc-j*d!O)uo%WQf0%;P@sUktyrLLixALN3%XVu)>-$?%e=Et96y@+;9NiP zNO~aLR9Dz8Jdi^5hpM1SFxpo<7j@dUYL6^dN+Z#9T^Z2>3!xBQS~ySVd{>B!=z)b0 zh`!rIJu7zu=erdkmu33_f*ojdB!<3P%nJ8l)jZaDqi*U$#K5qp&BTr!Y{IHr#X!W$ z&aY;@Vy>&IX!EX<si{J(c`QyTM%Sn&R1}Xr?fqF z>Bomd&zd+G+6Jbcg7bq-8hUK(lb>y1>M0z*bNVOYS63_l$&>f|ST#Al#&$+hS<$a% zup-C`y{2D&^BI<|>D6*6Kg;U7w1SGYJ0xs+?64hS+qva89OrkcXe0fdb`%m0K?Sp}MqPbxvFdR%}cM#aiPlhT^?JvAP!TrS@sqKYCdGbj?n1 zUhO`CwO5ISyTo=-dpASOsJ>>$8!ufA&F3TDMoNp8*34Iz);w>;8>wS@DPk{^vPSyw z=DbMNPKTdFmdRNjnksS#ELX@(?dA?zt#UoRskVQ}Hct79C&2g2ehhgi2; z1i?j!V5%*e;&qRpVCt}5{lH5|XpY_U9!-m7`{=^=J0C1H>w4`y)B()E!dd`bVQ<$4 z41I;h$Va1t?e>8-akAwjuF22USDx(jrX}_I-W_-e3k~O{SDE6bsha)X#OOkhi~csA z@wNd>I^OPY<%ySVZ{{h={Es?t2JKk=~ziX7phe4tL zTJ^v~I7m(-b{|U!CHLyRvC*x(apUM!@`6AAD~1p~=;Oxi%NDbt;L)lyuT>Drpm;6b|E#M%KdQBu!M(fm)%}@@D`ZE@9gr1Oufy zL}#DJkmW_bpUYyPHppc$iLUJ4?`8Yo7 zq5(C41UL2P? z+vgLVgqzD}=)*fK&WW4%27TWJF3y#kHy}$NSqVkVygc?t%)AC!`p8NsV(PrKyU3Lq zP^_3f!eQz5#RT&K0cq$g#{OECi6M{B#tLO3SZKlg8G?ygQ71)}X32Y6q~#&s4;_#$K)UFqkIV!h2Iu1E zHR^}Xyk>s#czW1e;X-}Kb_Rw;(?>8g5Z}b5Pw0c;K#&%ct@Q^3gzv+h(IL(FKNuHN zK-(D`OSfKH&8VmjX~AU?$7!oKqGBsuHHGyJ2zA=1o3e}cp*!Hvi#1EDX{;D?Gexkn zhw;?@+A%lR{5p-f+03u|n42qp*NwT^%D0y>H&+O(A6&8(1wVsJ?!w?Uxa2V))(kGW z0)qxu_<9Y7fk2}x{JsDuBWvO|@3(wmnfLha59vR|TVJiAjb0-zQyGySpMt${Xqm_y z$M7q$Fm^skDM*PXE$pq z1idzI+kJv#<0~#|06Dk)*`OruhSXG_lG@xHH-4iL6EkL$qAq*q+4%BC1Cl6p774$C9 z)rdM9IWZIrT-j3HPO^Gf)I-Q=`TZcNsU?r>+(T<^&dEzat+td&_M?h-@&Hp9e5Xy; zhrytYdHmSgd4#VX2?Il1mEn%Al!B8KoMaz8!*=FfkHw7BHYLlej7k*D5X zFoJFRmG={Jrdigg{QvX71bh92q{iNy>4k{9L;nzjFSMKGrZOD>D`J^1$HRV4!D(eRG)UtsyG-Z-%@eJEiIX zZgaY90|*4_=~^tYUd+p^$X!ce+qegXrl4iZ_2M79Nz>(&z*K4Hx{LI2iT%4tsW3|C zTNvH9t@$CiDxB*^v^+*}ou>d)bC?4pP5^LSkUS&Q zlWj`uwaN}z>sULn6#|kfP^zwOuyuPOg8viURF-tbSESEb^B;u@6gnf`3zQXAd)vV9 zQ=vC+UM*0zPUY%!qwmg2yfYRaRtlcOxx>=H9MVUZ5W0&>t&rtM)DLo_(lqFdWcy{o zm7N^k8U|jbSr$1NuEAu@Fn$y?4=seDRJEN;&$f zn+G^No7y@({B;+;S=$qsLV48bY4VT!4|P{l`TXxjc7NUZK?Kx!PiO=)SRQqTT%s`U z{gk*ya`Xn>se9_)sgr4!uB&UfbI`%0xfIKX&Fm1lnM45n4%}}^T^-MHF#aByE4QnL z^{+-zO7Thq0FFWqdKLC5(@z3v!PCAIM++o$!@y z`AFA$QA$i0NuF_p!o$&+)H7EJuiTzCfnw|NVGhfawA5px`BGW8w9Vs3!(+%my3o=EO22B# zBRGgc&eaa;AnIs+9P;?lL6mhZUewUC)r-9biexkfS1WkzWu8W{WSUVXgqU$0oj}| zM@InfggjOC9`I)pn3ylX+18piq>TLF})OB!XlErKpWZ+Y(ulO z&|Nj?9c5mo??pa65RBStc`Wqt$bx+CTLPnWmP0$ukSMN_{(pEbV;be_BA$*A*eHMg(M zKDB!zznJt66xw*|^zfPU9kVZr(0WDc=>mNj+wsn8MRogQQLU?bzhw1mR<>L*4P4YW z`ognH9SWJ3-NL3BmF!!eED*5{vKWR+O=RXfY(5exNTewR+LAqkP+vN=JFkO1)V*94 z7o44X50C~1aF5=A1~_XgC`i1&^D={}Fbj2oU+Q*G81Z>U@`aW^V<{*?JYioD(|6f; z$nLGFDtDccO~^xLqYk;vXEuIPkN-?VmCJ9kKFS7>*jz~=Ty}n zXQq3z8$>wd|Q0ireP^|PoDx>xeLb2DTIwR5WgJB0Dr^8szf zA5D7xJI_h)ejdsO=LVj&hxBmD9kNaPIuGzxK&N)`(zd<%9DGRJqkK9Dokpm!|0(5G{ zo?ytV$X%*Ww}JrrOckju){}qiLmKC^PfO!ZPlj$$mj_MHu(Y&t!Xm*7~1_xp38+E_NBkV+%nzE$JQpI5tbWgfC;@62RecEY`+v zxXEU1nL98Hzoq4o`R-Ddc>!&|@m>x_qqzu1qCK%tU+Hb7URJs?(kj0lRdME&$Wo>C zl@>9AnlWIPNzs5X2CiBQh?5Rv7mCY-&ZZvRpJ#g^OE~Q^f614s=)K%y*dK3mV|Z*( z3J!K8Iza2t0#?2og&ssNd<)N7rYjqEV&WR4mF6zKdgw}*HXpgl87vrI|6rVYI1VWn zsC>pvICLBt5#~%vvur2SSTsz-1fqu?!m+BWR-KNtJM9D$=oP5fC=UonJrvRph%;)& zAS?_I`e<6(KtI|-8@TRmQ=VOu%3{|*je}p@1x5PjCpoEmVLt>RtQrXJwTI@jqqipq zx&pzy_HcZfylZ}TR*FE)rVuf35Ezus?!Kpo&+2&GBR8GRWea^-Y-njCkdUk9!g7*! zU4E{+UDAX?1N#uh$DFxvTsdpKqgMeJ5KytDJ{+QpdL`HU;iKeYe)mP|_C-cd71vfc zoH5?&VKeU?Db@%*Am|6(Ksi+P(>jxjJQ>P|-P0QN>j~`BK zPPstk@NZ*U_$IyM-i();&<<=nTT{eG%8nV5{@%*g{JPtd?nX=x)N31Cll!W7{KONW zUfbA`TwO!#m_~k4HC&PI_2va5f{h3=GGlH_wC!H6MKVkE3#VQsy9T{7TPKGl0g6 zdZZd;XtMXan#;#nI3?hs({~2L3BdLPft2;i-l=`uR_l#G8##d1^51&54{ye({ewUQ zz*g&x0N#ma%R8%%AH#wkA9~9^KKGmhUwqUPI_e8V=`+`drS*n=^=K`+Q*t=vhtJpi z3nJUKvi!vA;~XH+2KYPv4C`SF-WWQ^-h;$G&YN`{s6oyF3?A=pDwLeSvUy|Z_=~cKE*8LoYo*CE+2UY!Tu8s$M5gB@DB$YAopCTbrsBi^t_<8A2eadX zQX@bOt6FF6j)AKi*}89l>evp=V9?L%vt(-Eu`x=apUTDE8qcd>X7O>H3;3qlduM^$ z(CO0Y-fnuld#b7pO)j64>eO}hD@HHD2XNB^VW z$7;_v-283+K>C?HBjJ8PY99{Hg3o12%3e)DM&{k{CY0eZ#=-(Tr)Bzacjjjg5ZRH= zBMl9PhWUph@#Ij0l3-2Bb1?nGo1rnPDteife!Iw1zW^DE@yqC7C z&Zg(?E7U3!eMer7PXRN|zz=#ouYRwxpZkaokMcHq6hJ$F_=RNgV0}krOtb&Wp)6ny znyDp$mf+te@E~N>Iqja1p;qaO?PtiG(p@8~(UqwMQ_>1W_ z)3tA-2sm!~+PO4xube=-`n!iqo;Jk~Uw_H@(qY5t>-alW=&My`jb6B~+&FubxAAwi z6iHq!E4Nwr&z*o z{ZHl>>dBtKm7QY+Zqi)C8mkJOARa-w&hZ;w^#4)DCYD z*ybGId^1g+w$Qcm)TDRb7txc)scy)ZU|+Lt7f}963z?-IJcno}j*Zt>yO=FT@$9~3 zcS5e@i(c*h zuS9o0yEooX^u)oH>0M_+0L_~X&sQJO1ZFOZ>N`1{F6C#QB}HC-+}TwvcH|?Y0*wkb zD%j|p`=IAQ-AY{}4;}U4p&q5Xzr?jEN=BQSwHg#I9IsA}P5N<$KIF%yI^W;*GGe~y zOK4vLd6k7`QW!?cdFZ<_{$n^ex`jaw!;=No!anGrd<-c)4hUC!XnR+qFw18oKWv;RVa9;Fc|MOjd=aPNn zw1BQob{SNis<2WOoD}S-7cH^UKbah0=#JfhxUpr~d)~ymTleWMZss+*weP zfPxeEK!Q?&9eIfa+uOWMJ^1EhZvyMFB5D_)>`h=jRxRzL9K4_bSu>OA&GlNN~|{=9e9XAV`~SzXC8_Ui-13L|!?-8YkC-W^T} zg-5@4YO^T#pm2`zZiHX=bPqQZ6<1{-v%Jf(kfpncQmz4mFt}ruP~x6I&(IxSIg>V?SPsgy%ti zJyg}F%qc)0EWM{~p7D>kF|WT1#5nag+Lway;c=Fc(CL|3&nXoO$v3N(*T2w*6A`sf zUZ^qxFwx5cAPXv`CO~w8fW#bVB@~?w>^3KOdF7NVlh?a*LNS54dq(tmHhunvmZo=* zJC!~weA&HnhRIcT3TtBYxI_w)4chx zogDLR=9mC$W_8lf$95k;eK2c`FBVTIRY9rZ-tz_p8>B4-8JsbFgY#$p18pN04!wdW zOov;+FKPq)U1dWX9dQMIyyv1biNE!U)5CfhE0vDGbSRDrrlVu0ToWmbNWBn*#G;AS zAIoDnh5Dj-)1BBrs2T_YByZn&4+R5pcC=1Q^9>}!Idy0(tlG;|=gKTkzH|9;;%7t& z|KBCWD#mSK6TJm)K)=5iFjL*7g9&_Ob+fp2MaSDM9f zB+3^;Pk&(`*(dqsK9-L<)9}oo#|5VQe=o!mpRNXpek;y#dek|iRq9Z+Z1m&e|IQol zBzi3R++E}K;PZE>GYD|-f9I}0cZ6hg-Uggp&zUugiP}^Z^~>&*wkNew@vhqf)py=E zPmbx~j+y7Ko)zaQOs*2PrZTx=K)`q2R~665z>KNT2q~!04$-l2%S1p_Fo7&gNr@3@ zAX~s2?28*rlB-={9!R^mW^Xl73@<6W9|Kaa=pSvx`<;QcAHj00->m2#oW;8iqy39F z{~-UV$~;NG(1DkVS z3!zm{jd*7T-xFMse9JPczW0C%z6)F-wCJ%7M^Htcww;buhz~AUp})hxW-FB8yG&bG zT!RDQ6bXYPuZD-onNW=I?6QmqGGcy4BQxfLKs=l(sq#U0O_CHRJ#xUaA=!3<@G=?3 z)n($xQZw1&nc9W51?1lews}E4U^!gMKKU6JLc18*3d62{ule0!I5N>s`Bm`=L4c8e+33g5GMqpq*qg-bZ`bBS_)YzXy6;mz<^gY z0rLIZg4(tSFc0yZ{*mX)Il*7o6bH6N$Fk{HYIzzP@ry~8yTnAYZA@b$UNQOZ8n!L1 zt-6GbdfZz5Ydz+`h8=0W_L&`ZkF`3(2F;XRrRJ@w@iEZCRWY`g_cq5u5--u<{2K)=42=1her82vSN9p1(lUE~k#2`AL+ z^C>+c0`qefTtiz!&$Hd#h~$8(0Bh(>#|~zVdE+QmvT2*7Wz_ebgnlQj0F{_VcjTk|z)8YhHY@!XX98xytg$Zz~ikKq%f>L*2e; zwCbv~dal#O88H;pJHEwUW?gtggdb2kj{c@HFE4#FjkSAbqTh~f{7fvVBkebsoYU?A zRY}~_Hj!n0>2U58*;FM?BlVRw5_&)Is7&a5dryEZo$}it<+r(%fe`+DKOmjD?rck` z3oCV@Q|ED*(Es+{2ya)YlzI1EHJ<3dge>AA30{f}oEy*Wf=lC|4;QhM}~mPpP%0$v^TxdM1l= z-Tk-%G)cbkLHaf8nVF;nCvL4l2YP}EbYQs&MhqqeFY>nCDJ~;lFN6bCo!@17S6I1N zSy>LO>?N?ne7yi5-!6%$s2R%11NQptNojHPZ&h0msu!%_#}YSCF}qI>BRqz_M1!DN$C9B zq%?6C^gyL`X4QBbS1{vruq*2L_^Uy2ibAJ|ol=L6CfmG>Wdx+TrkXGwg7;Pr>MHm{ zRhAr^fd>`6X2rXC)57w?P8hlxewy-|O3l1zA?3S?=nD8gO*1S?rDNW&u)MC5+yX4O zi^~rtaZj;$fnS)72Id03V+NfE8;3b`v{Fm;ohY)hReQ8mpQ-8co>}33l@@rmc^*l-a_v!FhSa7&WT_rqIV*U zlV4oAKs}@lO_zoXQ>gaFNmawScB6^uW2*x!_@s#mVk^U}h2h59!kn)V{HTr6+co(( ziezN=lDzIQ1kwLo^5!Rj7cI>8)WT$4+1_BH2f-eM_Au)#Ai`#US0RH#<(7*Oko4ER zA?kITr671J=yyT$1Le&gIaOxfQEg!ADFnGoRws}Zg6nsGcc4;_nL4e0Cl!7oRU?HJh+QXZ)jum)f0>)?Q$b zq2zQi{pTVNb`xNhzh6F*FWE{6b^*UaaHy`e281q}krz^UyO#c2pFX@FtfSpc4EC`b z1~GlX>C>;6qBSsdIDPJtd2`3GWR`s7W!|KQ6*in|PKTf5bHmN#WcT`)Bf!W7+ z<6{_DOIlIKq+}*c!t^7yrD{sOcwvd3wd9%FpIU90X9?Ab!sbO@e%u~Y8Vxx%Ajkl0 z&IYbp^GmR-AV4gooV@>Z`ED*cRL-;nDW9703(K5}y)ZIY)r*ntm&m1T(<8L_^UbcV zS4ABsh=Z6Nd*MVjgk?jp4U9zca>M35O!)*rch9_OR02?knYZ||gwB8*!5_CW8}T-J zYCQUeE!aQ9b$5ZjCIO4_M#4hKe2JMv1t*F%k9YYJGrsh?7yf)8;jB!%1G{9kLY-)S(vgEW0Gj+e0I3h(`!@c@6cq(d(?md+OKc z(|v<<-*C%%K}RG=OkiTdN(}1j8tPM{*V&68a;VuGiaKrD+XK%Ygn-4-hd0aZr>qls zOw@&UdnT?2IR}kG9tCT(6?@~*sl6h#kJ8}ZEwk_G;nfVYywos{ae7V^EhrLW*8*NA zYgogZ+FRZvpbqh7Mp}*!fn5ql>-4zH1z^-M`f-*zJs8#v>0#f3IUDwtFP4hX(9k3f zrhf`}xEa}*v3L*6x{>8U)@jkcp1Yz=(o1*B%T6BD1)o{9+G(j0N(%|CeOYoSB*dXR zVsfm6Zy2Bfg{;{Fu)apxefmmk$q&l2~T4k-#&)jRuE5%-Xf+R0 zRr+<)cxjU9D+#>Z#IpGGP;vj1r?shSfG^f*fUnpy-1UC%57E~z-~m?v##CTN_1e@S z^s*5o{sywG+k9kYF)UgBn|jOWpRm_Euhi@Maqsy(6BSH(O^!kn6pRnOf}T#S{|P$5 z&-xI?hhDfzty2$invNa{ia2|d9X|=y!b-hPUut@48qDzArlyYahI7(SkAlR5YKSU`A@H|ifUdarvc^d5)kiUYHkb}({u10F_j zZDsk{zJ4@meS*QLID`aix%4Vp1DoC3_o+|!ZImvCSr{GaZc-S07Lye^4I1%+bzM`r z3p+0@rU4~CEbrkYvXB*58=dz82ggP@QMt5Ie<5*C!+Ph*MTPUhJFOx1W z@-r5`U?N7fUXT5Oa-@QbL21&iYvlXoj#>~4$uM~=n+^}?0tAu}CJCI8(P$Q+S%7Ao zIJnn*#fv9WA5DG0ek1abM~w%B3N6%D?Fq!Z^YI@;b@3tKiwaGh)5&DYH3Go~S{imwJT3u82E~~G&X${*m?wo{R z6Mx*mLV|2{Yn?8b;bs$~Zgbn*w5eXjQP=|=>hDfFkn!lVE~YIx%e(x5P1cZmQjp|< zlGj`44Rlw;y9>6O!QjAe(*pw>IxsgCCX;QJLmM2lZ@e}K#f;ZYw|0^E?o#kPaO`Q7 z6Xru+@YgVRjRmCrzKUAo@IIIcFGQ{ z2(*ILz-(pKU?`d@g|zJUiI26@$7(=z+Nhu2(>BkBh`yV&u3_{XtzFNGj+Ee`Lg2dQ zM6eUR@yp2BYJ|9j%o^xpIs;PoV1~>3pwdV`JlwZ*(a9{qqlSa}yEoH+TiD*Fes3c# zTdZuOfVS;xT2M?p{5+*))}GQ&D9+ve&KM^61_|NpPsNh(cP1TcJ+7wp&>tFa)4`niYP4-_7 zXmGs2=q>#VcT8SG4>Jw_`j^0iz<$4(n(Y5FR=pT1)&Z4ik?4a_mtR^rrK&r7;%uAT zQTJ1p*>bv*15+>Hv6>ZVbz=S4H|zy`#hRG0CeRxEdj!{eD*kuM6|LRT9I%>eowjXv zYO2e}$#j%{0;ZNN!}n#*YiPdfpR&=h_5X~;hk1ey4pl)N+|?SrVoLSC)~+eb;eiIP ztdWKlIO$ELQ=(q&zqwh|c;*4#`b#oSjQ+1njLf2d!e>9+swZg;!Gh7j>IB{sL}AJk zW3uS@qt>(89UewqQJY^;ZVxYmvB+Baydm%0cmkU|ZHk}7?TxcNGM<$OMPoO-mx+y4 zpr$vfxv3()xTd$Ed5PE;)|{2awAwChI+XyoY2dP{Nmge864evLxV|BDy4-w0$6LWl zr@<`~mS$lz>nUmUdtly+Ph4;o_5%vm4iQcCuY#j5&OKgJ^V&DPwyxld{2IFgF2uFg z(b#JG+L^J{Ev2Y~l0yZ4{*{*wkNA#8R(DH=R8Q%2G?scKQ?!Iahd77U2bOt7zc)V6 zvHSjx2b(g%`8%vW2<_dS5azwZ$Dul(6-U>b#j9cXAU%EQ#8S7$Cf`fYzbzW8e8-b( z(ll1N#`5|Smv_hh3rpRhp3KYR!MIKp?VCfafpDlN^Y3g!W6>-{k3!)-710cYf;+~T z5MLbri{i>aKIAnmit1Y>Q%i_4x*+=53?RxW(35Hvmx4RTT-Pm7w_x4FFlW~s1>tvS zipWWULiHEM{iW@yvyLiPHSVvJO^KjtVN{!U?7W*G6w69>+m&;V80auKpFO_Q^G4s2!RvZgXpCqSL()eXgZ zW1v>N%TnR(PlbDvVOStqs_3PfcEVq5ct`c?{ib7H?FZ+tx1$c}HG}-R(`|`QkDs(z zo3#0%SakZ8F#?0CcWnX95(72O@FWC@VP^1Rud@EqTq(d9cPSIGF8)4tp`6^dW%v?gr) zlBiRNjT0jSR@RI3<~#nJ)J*0mV5Vq~`JIPnWvq^wgX|@AO<2`S(kr()mAX5H-79h` z+$)z%w%9=xnt1c$rBJ5;hx0=uhReBLRRtOl6w4M`wqV)9l6{A@a3~9y2XlukLHA9V zSIl{(sZN+WV~4cFH*A}zBekVW&a%C0?uSQ!1jzy z)j7L60MX{eK&2p+Ix5jrxK}PTeXN;SPS!95V2o%;sF@;vR)rrvjka+*ZP}{xL!)lwmwFtl8%GKJl3Cuo z9@CnGzT*a?|QAx$aFSND)|YT#PaUqM>)&VFR!7> zm6jv9lF8`$3s}FB{pI(4dkmb(XSt(Rk7(SFnrFtXGb>$tY?|+-Fm0(UFDR?-4rK=>G_FMSw< zYg;?|N^#l-a(x4I5q1_H5yAoHm29ESDZM%?Xj5SN+}BFX!JXlAStYNIwgM&()*}2R zuD|*A_0c6*^s^RK8k~YI-Rt8^*q{r#({QfOJd^`-uh|4@>~v>BzLHU1;qCxkK%&2& zo<%OW-$(oiljh}NpOzG zl)XY5D2RcAXn?(rJ<>RN4C8b4^!n@o&;o|0!CZ%TogIp(IalHp%MWFhHIK(vX8?sU z&@mc-uVWGz$T>z|v*Y=wHj#o4fcjOqGw7NI5*e%J#+k8B5n0hxS@G8~6=5AQ)d-OV zrsByXnmdB2qy3`!t~D()fJW0@OXjzfpJIL6IQZ$R(jq;SO%}a^CEP=h>}ISB(g1u- zvz(hUd@Sn*7BIg;g9vy5z=QSIyAIg3jQ|U{VdSozaC@cZfR*Sl)~Ep;A+Vx}Ufr%6 zgLN*t=f+@@w0I~X!f91UI1F&EqpNpf3}#`Nfq;oa7zEP@ensPeuPnJ@;T0^UHrNH+ zd&zYch_DZNMQgmu$`wJ)R;0>xHU=02SEu_!nTy`9ig(Xbi+OfmMb(Q%d{-qBgNlK7 z(>Eki1-)kt*0hyGiXaBAPDw<-5~aga1_?o2TfA#qz-G|q71#h_>X_HE!zn)>GF#u) zS2P6SlnVqqs8=?H&H9Jy8-msYw}{=0z##}_r=`T5gf%s;ydDK{5km{AZjcn|YXFWX z*h5IIDn_WGU5!1Y%gF0F#@PZV%hD-S7)SAAD!IL46SXt~MWc0f6(Eg3(wHTB3G2e) zw*y=JHB5@w+u;C--Aw6H#{2FsY`pKx#`|tFmc5x4ysj2Q7RZo@6V3Mly@ zgI42fwGv*F5Out(7@!+X{V($1sOXR8$7Pz+I%ccWP>W-#biC@%qyVkQWL0)!(9@jO zGFz+RuloHQA#sI|=#)9X`#-^)+kQ@`%=v$UHP`;I!tf(Z^Tz{AW=WpfIvHsV1w)S< zb!-hY!MGz#^$*|$08cp>(Xq}@e~#)Sx><})(S4R@%}bREZCT8om}#gjFP||i1n03> zSO#)|Im)+Y3c1mN;y9Xs(F7edCWw~IMXszWi(^_ePf?YDM>p|K!PL08Vm0BmjH^jM zP1K7kG@aH#vxF8*Pd-KYIlTram@#GLEe=aIG?cDCkKifpF^v+@Y7Fb9JcXHPKw2#} zSVm1p!mCVRK!cD3fFx*<%pmn4-@Y25_HJ0V(pIG2;s`VxDk9qyN-x^@bKd+8clCD8 zd}usG8GHcJEh&J`0Cg(uzR+Q5rk&@+mGQ$uQC8f=;lspc3UNjJwi}*}SgSNIqh$Nn zoAk=pxr4%sMp-r%%Nf=rAT+|-1lH^W`suj6-Jg!i9rV%7-gJ)`I(XtLA093XT-O*# zjr?l~`svvDrk|=5b^~O2df`V!>g6xEu6KaMl}cPD=|<>L75sC@xY_4a1H1H7s^Dww z%TP5iH=?2G4qDwtM6R?7@$Q7!OiEIo<3DEgR>VMifK9k02;n@iU^I%G|y zJemdG#E(gd3&bA8Hz16#|3dy5F(uLmNMN}ur(3+NB>GKPG%)QcbKp!O0~QdF0CLti zK#Qw&6$bwGAV4Da3sWmobpd8rRoj9NM|8K{pvizU)yPr*#dxl))Db z4q~dL`Y3**LrP=OkYF?di+ZEV0q1CTA-8<@RWbB7V@5zD$%sH1fOzi})2*jgC6u&<=X}gt)Jm|hx=Av7azTf&Uj%s-oxcb+jx55^7yYNQ=4E@nbsI)!c%a#DPD{S!I8|22O}V{PW@? z>dq*MnrPCW$HnvTob6t^+LO{P>RJfkJ4hyNAf0q!zPtR3Z;AaP? z85Z#vok`z}2O=1oTA$}p0;JdR;Y2LM&!-up7u&i#SJ$coq;CB2LXSaE$eGi1D1hH3 z2|xqmONNV&dXn0LkMx!`;W(;KMYOl$FY^6YGVQ+kFbZ82;8Pofxxv@<2AbaX&;fmY zDvLVZCuxzTNhr^^;y~I0(jF-7Jv1J4UW(|L#j3K{nh&X0RoJeN$DL96}x`~=|y)k;F6n<<7Ak5i9|$D?Eh9yVnNkq(~HD^UoVGGG7$NFKCsgf?uQZ(ole zA_;Ui;EL!t$dwq^Y4aNB0*n!O9z^9qs68i9l59=X^Z)~l5qMKXldO)#O|M?4s?S9& zBvWJ)I<2a*3KLO5Wz(ZgswB{D1=~?o`KjhN00|ICz(90V3khaL)@0(w2=ig*Px`*E zugaED1rk-DP>teUXouOwYnP^MwQ9|Rh%yW;?-SkN^L-tQF4%R+sr!haf)>;m+I5X^ zE?%V>bXenvmz#p>#iA_YtJ9~do1k=&Eu;wnK*Mu&-AWoj1OP&!@g~LJ+-u&m&b?Z8 zi&P5&+E_{0eb%o_k1_RL&7B$Q+6H)K+=sMRVEjs$whUKdR=?CudX&wNFe@I)>vAMO zvZWLdpdrYmysuo*GT8++?Q3Y_U!Zk=%?9lXZQ1D-+_i`dz6yR{gV)g}yHIoN+AXma z8)1Da*Qnh4bUO99UqwEs!(ooGD)aD^N5vH$KYr{OML;Mzm=t_#V#Oi863iS8uoIcock`r%@GNnF4|!A}t;-I^;vic4Ne4SxGE`hNXwjh2vnY;r7%9 z>kN0UL?}RIXQ6&54Yn*W zqV#PfvGlNcGPKy$aA{)J+Z%Kmhw2nliK|d()%(Gxo2ROFT7DDSY-(7YN*4;R4N@B& zy2w1~)oJr8xCtDJn1;!XRej};RS$*#_X<|m!^hwXjXbH^y@97dr$rK$4u7qA- z2+9X;4DC9IT=?)Ey*4GeuVQ6Z*Lm?ZJ`Q`f`W&FgmjelTussW@IZzPffi02jD4OM2 zB=A`8Azhux0E7FRKcqn`Kx5x|IG}ZDR^2xA@$GJto8<6cF3J}o{ zq(5Ps5ab)O?FSdPh$e2wlYg%;jyWXR@rJ82gv=tb>ny0qczUc#8f$HmdaOK+G_Q~x*^kM7cE9IhW*KnRPLsm5? zuQa7(psOIY<61+M3n)XIBZQgKDod`<7SIF=O$XZoj#5O(QC325#8{r2tJ9Uh0u}y+ zfsG+vV1(DvY*J&iE4G_@1h4)H>Tz7L<Z)z0zPFuM^5Cx8dK&R4^m=Hn z*?#JieMOJ&nk^{o<#ysVck15j3`GnoiDiGq`2fB=S4Rb^& z>p5#4#b-Nwj?*y}ErmeGZ#gXPeok(@B!ZOmLlTQlHW|6ZtAt2XECLHGxpo zZ?|P?gtmaHFfgo6%C}~x^vVM}4zm5Ks^$ntwrtFkRB3{DVyR~O67qk`d-^{ zgOB$JgtfljV+^lxmwKZKR`)6|qXe6wHL-~jJW(wXu0Akvl1nQH_~ex>A1H^d;+i;h z0jOGy0CeCipf%exxeyzx2FfV*Zi|28+tF?0t6NboVS?AI6nfn-RbcgPxfC(HuCTP< zn-PplXp=P69SRRsRGjmunyW4@MV;`ptw)e%s9s-P_$3=0M``B zW7dF0+|Mr7?3V;iTAJT{91G~o%i#tOTB%0!W|gsZY9k^AUA zDiZPSc!f3~NC6|17U=@Mgh|-uS@IgK!H9_*>=V#!3IrgsGZGjfww+})Y2f{}Ne?f79jj{6 z6nF!nW!5~yC=Lyz*0MsQ7Xq);*EN@pPS$9YmC+dxuWpYv{k7Ei2D7y3>(~6#HYv_W zxlEyk;py@@ebwd>c;#A)I*@oxBsMczk`~!t$Yu=JK;e=W!w*QBN2mIAn+iXG5~mJ& zMdKvpG0KWpWCaF9KXXJ;Mu(vsSWHrgoPKJ`YW}-}1&NglDdMEFkz$;XnDRE*#StKmcxKwnncTUm zpxKStUIj}6M0Lup18+^<32zY%&qb5vu%Z!8Qu`Hm}UY_0WcNtRcWvd`7)^t>> z_>@-S-M&f%++J4gc7Y~9Gy{CAu)aD`1hAOS^StAhOA&cyFD;B=35~Ar9vFBN4XA67 z>N*vIkwE}r#sxB zIjad*lvCKKuAj?l=Ef<3ND9x?6e;SlBnc%0C_quSCV&MBm^@gEv9Mk>|NXlHV+Bke zEN3h?tbILY)x5)vZAr`RYAv?*a5d(Fv=TkMuSw1R3hK>xul&#|s*DP^+-SpX;-vpLW@13u+CPqI!j_;vun$GJR318HHaH53#~BgtrFiJQBT) z^C=N6+2ne30YxBD=#bW+I9uail-iQ7z<^5ga!SKk(|fhr1Sz2f5kJRco@a+B`J^^a@5_Y-2jN-t)W)_Kr?Jiw|M5 zFRrS-2L3=P??CZk)b4QEi9mCusPb973pD>P7bt;^e^Jr3kR;PSViM}oW<$Xn1s z;Xy-f$KIHS+9J++dpJCpIggtVE;S`ufl_L zcj*}L_^{fxx|$vIg2pb!O{GBN<(Dj-i!BI6-arwANJXYWV$&K*P$+RIVIMZogmARu zvktb&o{b65DH?Gav<@B=5C3fOG);a%I3Qj8S%Oh__riBg>2bb&EyAZLKW_q&6yg6_ zkZ|MC9qdC{9m##asEOE-|1qr&X;|k`{b=*Lf~>G7%z?%bN}!+w2qlnEI>453EFdk< z{!BxJUp>U(cmL1-{qNUht3YA4K!6Gm)Ckx`7P#(>t#|F=C=Kq10Fx+5L?geJDMIRD z>e1wUK!Qu!0OwM8rK2xkee`34H!08ec`6gquTk7sp)JnG`?PWd+ff#fGW_q36d7)X zl$7Cr8>A0e4(^IXvqQn<+eAH9E7&9idsnF=_@RFJm{6`=2aPAAFX_t_cz{;%=ZU!% zU!dY}wVOcd1F62nVnYWiD;^4=6*YJ*D^BM|hV__kVraBLR)|GitD6ZFGMopZ&=5J2 z6aT80Q&dGqjUXn5n7SQ76OsTE145#qawN&2P_BIo2QZf3LmJ<@`V(q~u@=4S-@XwX zO9;ZKi##ohG%O#im|!#Bk%Oix5UK*9iZt5dq{>q!iuM~Ud9iC|QBe=T9i4&FDGzL* z%XRTGiM|n5uw_w4;607}Roc;y59F+PN~>l|$gGimd>~JcPpl7ke!yY|Y@HrpTfB7> zYen3w+NGV0D8mu(h+g?Ul%K;T6x89^g6T{0=qlGv+!%@TLs=ejhynlY1|-Be=?g$# ztJ)K_C@FG$1^;UY(Yp!j?9X&d7DB(s@ik!m0qXAqa^{97+t46Y_}>O*w>=w|MH6M0 zY|nPvvPz#k@PK@-oAS6BVA4iE?qKalIak2yILg^YnjMO=O2as+)2;B5$^cbr>fN!6 zUg|^kbt~Acjegw0*3kphm$vo83V=Z)R}-yr58&sA4XrG-;g2QQbKE$$q^OuX)K-^U zYibD7wGXxuVvqh;7rTA$YX!uPJul2C&+p4JcNmHH=@01o0?@}p@2zTQ)HE-&C2rEl z$aVG3*kKTBOXQ%Bakr|SQ5WZY)8_>AG3r*eGwQP15_4HGVyV^{FAOQeV$Kagvr0zZ z0pJYZd17xddXKq0IohR-nTaZX<_p6aorlXfuRdNT6wQBEMnKMdxmQMM@$H_#Y4_>A z0A%Zrw+Vb!ByvUcMyN3mHEZNwcgT-r-E4>#)xke^q*IYlF9TL;oCs<<0~wavZV4Fm z;r~&vO%=t^jerG&*#B-KSOfo*RV6y}9f!*$aSb7s456q6UM`4B38l(FSE(I);8t}9jz6pE8R^TBnO}x#gidqT*SQxwcfQ(fU@lwU0e$-4-S~Od zfTOdmz)E%e>xFf{=@Y_At@^!2)RWHoE&$jn1lT;>>%5QZGqu_qsrbOxZgU!_6#jXF zmIvWv!}dbpTNXmOj>L^j*Ad!QEV^FVdfwRF2#CL}P=hM*H;PZKiN=M=`*iA&hB+5?s@q=A4BqT(E$ZGh55P52sETc532~q^V4VT#)B(6b?|4eaU>>7hjxRu> zGD^PyKgb0uT0$vGO4bj#Hcom#mnx4#>@=IET6G1pHKm>Kl$eTKVDd=^2 zjEW|U*$37B82ziPLfW1<30xKoWl1~OJ$(V{3s|47+zE76YzrFnDbSj77tp8adBOG2 zlA_b(JfOgbPYgXU&{EAq@%2lqr>UVg_|={>OMIFlXsPCbQq)mvixpO2;(2{Zps?_h zwX_OtAyRIvDS_f8agr*mt5H=?wF&VvJQ+!eV+zrIS#jt?c8~HLiMmM!Niiaq<#E3_ zl;_x;Gw5Y8Ozo=;K&=Ycvg?58bI8&83;1z(gIC^wv*7|B{rXK@9$^w6PTu?xHGgI& zl~lr~2)H-M`_5 zzb!GAu*4WQammkIHZm6*Oh_8D7+h*iCe9YxjJw+8^&x&t<1h93sA$OqJ6pNPa<&l* zC;t*smNJb>AfPvVy8G$w?h_AnEVd2?;whn)pd$~Xm_;nJ1xdnjJvt&-@9<C}Vygq&scNs@XH_>=(th$pK)1R(Gn9a6f)^W7deuiw0ci?Q0m!2RqVRV(#$nr-9hb^BC!uv|}I4bo(@VTFf<|Qt+6g^8MvVFGroItN>fYr==OzTJW z?6gTs>^v!QB}0Qi^;l|2`pf)LB&=bm<4gTV&XpA`Mr=?0tTZQYv58P3*LkoCQadHU zA75_&@nLsbt1>&4b#oA1AH|7oeK*<9Rt};Un@tK;mZPVumrOK1apHPLtV$SnIsVZ; z7~K><``JldY&t2ledu~A1pYH7e*DLJ-%%64bCa%TtaFoI&_?K7Kr_wp4>rwbT&#T4 zX^5;~t~xt0In>>bo6xDB*{p;vHeXF+RKjv3R=uBmD$RIasTI<)YN|+4630u8WE8ie zd4x=58#pGocc0&`Yn9GTUTPDAuoW%Rc~Vpt^t9Ehrn=NJWi4y<1YW>mZA#y29u{Ix zZihGM%}sf%dGq*k5Fc1>}%UY6_HGWw|zmDEuVPcU;KFf@&b5 zEQ%CoIl}u$^uprwO_JX$mg3mXaIW&4?WG1Zl!Aa21VX4X798_vX@0+JGw(Qa)$5Xb znC?_%Pf?S?qF#7so-zpA`zEelPEC1ismcU9`*{g^Ya3`MB5=f!#(7R0Fp&>l| zc)#P~uy}7Li?3(FKcYsTd|6^Qqo|dvCFJSTH*)Ic?cHkTK^GTcS{$+>U7=2M6z6Ov zlpnBsr~1psHq zWRWO2W(7{gq?PnHY$R>UIL3=oumn!NKneL>h2?z@FwK(I4&bN;vBTHNYYUMJsfi&v zbwEg=X_NEuWCgOH-4-V;%YkwdDyF;>30`2s`Z21~#1V6+lm~PwzJNhi;7TMrWA`#! z;)PPWp??GONe7m)R1eDkZ1G<+(k|V|pyB7aNFrPD^}LM2?%|i3>7OJI1vg zG%c$&HY}sS;h6(E(YE=D+g$7r_OsifgmSpqNg;)lTS%}63(?R-GY>-B+JGHow**V& zFr2O&^1zfGZPv1eE1F3*FjY27c+mRd@w{mMJ*EolO%%szUFW>8Ql3n}vnV%>mupH@ z2D7LWS!o`R;`2_)JCTmjnQL28_hpGI)-gnqI+-UmRnCf(Dg#;C6H@%WJh!F6pKbg) zWmS9@_58hPJx6eIp?O3z7GUQg@tM`!J(JH%59HXC{2uX$v{FD~FJ1 zxYUV-Uc{9I?-J$C6!$86%PoBFhUn7fq6-@)X_IQ}t1TIgly)V@VgeM>1-+TFcH~e94m**9_O`{yixSe8H*z~)S3y9%w*$ zxwE4=R@8;195re$8!)x|dsM0~eylJ+E0+y_*REx65=zrk~hEv^<-$(J6^5MZAd8dFA zaxN)9zI3*e8`<1}*QpEYI`x8Fr`;BiQ?o~E=dLX6e76T}DCUG-#vZ1v_j>PFZS28I z&V14*Tt-VFk3;*4d#Uc`TC$)~&WL~)4Sv46#>V|NCFa;`k& zVwet_uQ+*3oE*7`R#urm*)`xzC7kffqH?($pSoh^S)%w@AK1~DLrZnEuoDxWQ35IK z`b@T9Z)rm5=Hu;;944~%GEKNb*lS%Dq7h#E5gQ2b=h#Z>(XD+L=4F(GReCBb z$6Gci=*$Qt1SCODv56E>^FxX)7aDDR(>zw$L!*{?e~a_`-^?!_ca~zsk_SjhoLUvm z;vAQSci3WcKd#aQ_ESbV59FpH^xc!N>x_JguZtWj#@LZ)1@b6yih~MC>&28;mWa%| z8RFCXG0@ zWd&Ro!O2Z|%yXK2y89Rv(ZRklSDyK>&!1Zu-dw^8zbcBO1iAW}!m1Zc zcYSQC`zS^j;@1NCAh#WAksSfUuWah6R?b^mTXF-7RAF4^^Y?FW{$`CoWw*k|vdEgU z5>2<3$JhoXc*CBJN(x%KL#6q1&>%yTkix8l;!f=OOU)2?Bq z1W)Ky6r+7%C?m01(rPYYM*xbVcRwmBH>}dx4lh^k$iX|H=(LrM3;13kNBmSeC>y7> z4N5ysVG>;j%!5*HplL4^7MBkXMU`>3c%B^|8_~l%Ie_n#af7Z3`YMd5-cgRhxu@HIakI1teCyJ4pTuZR9?6}dd?ZFV<=P)?4v{(igr&){?PLeEHL?GVIF z;Lq$N?vVopy?`4DD#CE+)agYJ#w;7>bc+I@gbySJ1{R34OR*0>nF)_L#EY^iAz;QY_zz8hS5 z*6zBg?RZS>00?p2-w2|htUP|XRq!DhI|_EtZF^*6nJqxi^u`ibtk68SMA~Mx$BC_ft=}t>-7$)9 zVo}emz?jHyk5(0I8=Z9Shx@sTPN&Jf)@W{f%v?-+6c8sT&(|cHM+y42gisZMS0BhE zS3cOeq?i>jO-u7aL6QQNM49B82{{ffUQKNe>LQ-#t}RY;ax#(ovNeiXz!}{_2tnk@ zB3GLPWT=Z-$Lq7y^RxKe;LI5x`cWSd<4v7};2q~fzUg$f&V7e9IoM2_oS<_k?@JdK z2SEWfd529so&@_KNUDDC+Yh&YTR<5`20}G7K+Dt)Hq+h9MEV*AWC!g?2Cj)a^e4x= zBOCt)ru&<2JAZ3&#|J0F;mFHAW+A>7;rT?n zUoZYc0lwTp0)Fw}m!SME4m~S_)|~+QFDgXORbR6*NVFsGC)L^_t=9r6sk1z0m?&pH zDZO3hzKS}8_KrhZ0z!WJ!|oD;P2?b^BI{E;%*sUS^OOzbnQVajHOqR8*l#f zDo6E85n~pF-=2m?S}tZCAJ0LWy+x>+KslHNtAAS3=K8)hW)X5aK;#^HKTA5&F3v#EclXZ-x zT!HJ{!+94eUXol*q`ZfB_Uv~ZsI+_c=lz6_8KJujRGv7opAz9pySubhophXFRP8!b zhvhj#+_qzO8@|qh6Y=Vfm}J)$yScFMPyr>OY5sTWm31T{gF}^x3bfy%3ng9 zZ`4-ow5j2#%(K`sz>$+MYujLXn%mSC`e>;nwX-Zd{o|b0%?>ls#3yBPF^!tI<8D@Z zN(<3BjHz#>&fH=@SqZZ?jhYMO9-ERwmQrVGYP7+%GctY0;V)w6$EHUIZwXHG!GV`W zOd@>kKu-wF65>Ip-A*gOXfIG^?W}Jcw{*T4p*UI}nw`RE&JpV(iN1!BJyViJ%TYz! zB+?zWvYjyNj;<`RPn|X)C84Kr9N|Z&sb033k>+a`Ayzt{K(SDme7;JT;Y~nqPjHKF z!#OrG`4A@`upTDDa3xU^oto?ky&T5ps*;t0DcvIkyt{a3BjREnDKF6EkuOq1IuEJw zB^Ys)mll}um|@$C;;WST8+OayN%S(Hy;9G&*}xZdbZ#D{dl7l= zW6xP}o>mjtz}q#*k;T-xa$)lK^kw%}r1)FoxeoK_c%NV^u|4y##H1)sD?HZ$Nx?$x zSvwE#0TUJ(fLo|xogE4ulQtxKn#4u8zmZs6z~ZE}`pImz=lU~UxTSP&>)l61@|-2j zW2lC+dr2NvvlZ%REhQ>Yqvri2>F}CUdF0&RMz!dQ%KD)_^Rmp8C|`RBDXN;$&ZHGY z!m>K%{`~MjOKa%JhqzIMCt;L;Wa)^B;)yp&^$qp?Fq;JU5mX;n{X>dfar$z)uSo3z zO^PrtOPbH&V;{bwVmw(VMF298xIEUmzxyTlAkr4ohY7Sg$ih44HX zpQx@RoiAeE4$8J?p4`Vp`Ll1wceS&Yzx(iR4>g8P4$<@AeU&8#yFe%lo(X7)D>4MoGRmmT`WeQDERHU3JLRqao!UC=^fRQ$LOlYK}#3imWg zyM{)J>n*KO$uh9Dyu!YCmb@=@^?;njuaAWW#XW5x$|Gs`WtO*}-}}=#*G+i@2T3P! zjb7Pqk`Gx+p`Io{QGpbN*61a%VK5aumt*SEk7a)*Pe1oC(!4l7^YkYNJLht{a=iQl zGQK*@biv0!9tu27Ho73qcwuUB+EQySoj~*wy3A^`Q;XPS<$-NjBF?#XoXgv0A{~2- zfAYdRI`Od6lpsIbh;;0D{>cmY_@rI9hr1)7Ct6n7pWd@%3cV;AOYm^)X#}$ve-nTV zX#qU$8Q_yhgM|&nVQJ;8qdzIB@R+9yZDEwQ+$617cw5rTS!T%;>Zkxe{>JIk_c(9* zvzj;c<_THqm%2%hVLQY!O!cvVlW0%dKo*jwjp`Uu+ug{wm`-Co^pM=x`5_+Td5BL~ z_2JyGI`J^rlpsIz2q9R9;@on3!i(Q-KJDNf+WPUb%Jh(y84ly%fe&?q08h#w0O{fZ zQ-x!HcF;M0$kIFsMV6{v2;klAx02||A3FRfI%q`?y8hVLe-F8!^5k603NU2neGf3y1@Gp%8hDt!{k>B_d5mb%zREZ)vmpDFVyHv3l%0c4pR zy84L4m%dUSL-5SkbPmE7SP--*1GaLN?-Dv|4H^8$?XSP=xWKN>vVtKmV!+E9&e~vW z844ZYFMlnKVip*K{PP=MJh+tA4Fnrl#QZtESK&9su`hF@m<7y*3>DTBjy2}Lr}zGp z|Kv8tpMGtWL2*xte{ut*w-3RW7KPvoWjJj1ho&cakhK-+X95z{M)xNFYn>!>sBaz* z@m^nT;@FhR#hOM_OZ7LOrRYUQY|7TjTWd!>RX1gDR|d+_+rmDw?sd;0Y_7jJZ#%V~ z{ZS*+SA2v1_1v^Qe(%=Ds1#3oJU8v2L8tBUAHUz>=<5n224Au~ zmn+}^wtntmf_ZU%wg5S537sg`IVYHZ7fCx_Oy_M5^2yuT6y7FzFQc=T>Sr8s?%UaY z-X?Vx(vgQ>E!L5@ozD3Biyt3z^a^{jK4T35KTPiIzxK3*7wud0+3UF=&?v!=8Hqx# zzuNM@Ul*B0^z5Q2==39~MC@9=#0E)#uB(KGj-r7WvV zd{@P5S64VUqM!R%Vpg1|Jy=d49-GyVdgrn&iD5;n7~`2czc!4 z^sR$jKRaPj%q$h)_Snu|t~O+mj5K=7d3PV#?Z{jIy<8g4V_MhIAzf==+E(Zi%dzyS z;ptBtPZ2Y&F+$yb@WMaNCAA^@X&&aX7wcy*?L&&Pq=T1Enifd#1Abip0m+L@)$vT@ z-Tau8%Tlx#sdFtK9;zf2v2$(OZ+>pDB@!X zO}kP1X&%Jw#rhe;wA*!%HnQ<`;Wrp)=-q1l+|yFi;`}Y7_s%=#t!38gm7~QU&Z0rZ zE=f4fuAb&&9c!_kR$^HJ%aSpEJ85mWUr63@vK&|SwV3qiANh={_Y3>6m$3m<1lGIA ze@MM~tg?ruKj<_}^xWay82Co9-Zjd&z9+N+;?T5MjV zzpd0jN^3o>sCG>u)J-FGWnA zNqQ+$alV$=tI6wb9o$Lqw3dxfe_IJ*-DS{|x2sg@McO=<)fc&=6MWIAy0@R^ zW-WKg&L(3OK`X9xjW9^-Y#zm!f4(Cwl39{funD%a^UY%f(^8zbbx3Y^3!Oe{`3|q| z+@+oJV*)8$L$7BL zH1{f|&?K#81QcnYkB^0agoi$nG=3~`BbNB}GsRGXw+TQ5?&5-9-lrrE7x7zR>z<7) zf6h}I_q{|Y=erl>7)i+`d^Gyg|$%dqXt6}{sq$*&{VTeT4HS^lG#JweQ z1m~L-ZD|s`t}SU>3=a-{qm2oDv$ZXyN7{B-!y1Mhle&@><@yM1sl@nuE!Rj~=*3>A zMQtNTXeQAjp9QDC^F%^0*-cYJk;kyl?R>@3*Z zjIPUtt3|7MB(Gyx9JJ1@cIs!RIeFgZK}qdvtDkbD4MEmw-)6qL7TI&u&D;3J*4D{d z?%t#sn)uYxRwsTYos#8kG9jlmQG3FZjW?f`S7f|ajF79fK^NJ}yrN2fgVO3WGNW3; zbj7{TlSVm3FL@ayeXAIfSG*IhO4q#?tfqf6Ov$`Bfv;?EJ63J%x@%b1&|5T%I~>;; zC$kW_j-4(x_uOHyY|Lju)H+7!jrh>o-pdU5^ttHg>sV(faWx}#&JDI&U>E-tzT*eGK|Z91pfE|Bk8t4c2pVdXp42cLH&i zPo24$XI_%CL4?R4QRg^8*q-q$;V-ufKFWYu{PB&H8(uEy{CYi&Ue<&^dV=Im8!z|R z@AW{2t972twxPlD=v1Hcv>iOB^EGTgFMlOVbI2PM+z!g~Id9!~_esXT!Q=%Sp1NfH zS_4xu78<4Z{RiUo++gZ*&shWL>SUn_dUBSVp*`uF!i9EO9is;7-8jYN+~UWQ=x9lM zYEncX%Hndew+tBRaw!%GNPLwK8Q;)0($MoS?^6c_FFAvc-TSjVD@^I zvle-Zs;oTM9Adb9*hv9?wyDxT!so1c6t7kI$2qNdSiG0$YAqM39`+NG0+tk@BpPz> zCt6xm#`WgHJ1i`?R*qi8&{Z?M{7+e;MHi;HP)FM(Yj#qsji&rZlQ-U6D`U2n$({D_*RcvIyugwAL}JC5MOwhjNN$4B56 zGe?CqU$HdAQU&%lYU5ApVHmn$DMzmKgEagkE@8k*_XrId;W|5>M3ydBm;FU9vV81B zLi>?B^_@kxm_wO^qIjylVp)Ngq*H!AWQDtpdQr!C(GQ=7r!vndLcQ^Vivd?q$igyf1PKj~+LXK?I;k4^pM?6&=0Cb-cK&?*mfr z!9yk9id60tQp)zuw~il5)f=qe!0}_QLB4 zaw|Ng?I2CQ2ug^r5uc(wOQHrIJSv%_D&ki^i@P1&rF)sORm1sMjaI9uEON&hZ=@4I^tv}N~N zWZhM))ARlN?NZyA<*i_uo@e22b=Sh*E-{O8LXw@tJJQfPd)fG*M_7xaO9>8E@)z%B zH0AFkgGjWjN4BoyoA_NXp%bo`>oq9|-1#d(3%>Sd1AKkJsLbMLu`Tb_&Z6%8b^ zrFnTmTJm^_k;dgMG?WyE8@A=K`uySPMGe(fEY1~{rL2VpYHOrURm3fUHJ_xcpk{9< zyOD3AJTIR^^zoB~IH!ptmxkofWsGMvMb@U38rvQ+iYE6(2~FbSII1bRGdlDZGVCY= zP4m_}DSaoUi;jahieX*BBKr$5PcV(9nWUGr(C&^37T8;g)ok5Q>Ukxnix;M1VYz|~v4xR$-Yq%Y8WI`dFC zR#&b=!ZtFjttEs7D2%S7u)z@U-_w^jm}%E$!m;0U!3Z!e55JG{sEA=$1c&G{@y^A0 zM$= zTZ^*Yifp^zIUB6XE#SY%w)-G3?7o*6w6NEr1vhESEjPJ{Vd%l6c`ilIX?KKb24wD(%pHyAx6QhG4I}1h zR5yAcuTH`;liJ8$Y+#hBM-1yG@SGB)shD9Gdm@j~Ay1!Zu?HM2GoM-7VuO(|T0nwF za{UOLT+TKS(W!zD$79J3fAxfAma>t(*ltp005Wl8t&_k5Y@D|Hsl4QaRz*cp9%%y< z94#}SS=wTQkucgig-3GR6r5bpHgNVB)sIL>o-DM`gv{l3f-{hZrcx(tEilec;{1XJ z>o)RMYf;Y0U2eE;lW^Gj+oYjapYQ7wYaKdTW;C<3#ik-**af5`?(pHsa@(MTF$kVZ zjhrwmPUi-v(z2>7j?ig<#lX=$t^32vc6RcYY;7~CLblLIMWCq&qzVk=3zyr`NttIS z^XxFg3f7amv;-|a6%!$vU^UA6Bsp77f|^A9Qg<25{Bh;OC2jT@Ov+sGY)%@MnNX8Wi=o<6gE_U!i)~t$@t3p-ai-`Y zit&Zwg=%5{nwu@%B|F=Y!~{wVZWiYid4p@+Rlan2r!M>N^DWO!o~2d0L?;wYzzmln zwqw$1Rh3nU8!7Fq=qJ_Mf-GKJ10=<3Bi<-JK=Ew7vN}CR#bT=zbsC?W>`9aZ6}4<& zc2id{l#8NuY^P+C^=jFe?WMY!^At6Y)QWg>uClO6kEfg+C+g?avamCphe&G^foy7e z1VUCIW#J}s{hYG!Zu2VJ-SGwTXTEda#e}4)^ts9elSx{f$-!3cV%_Y;MW-z$GZ}35 znJ#%)?T>R7>yfdN^!|JZpRyXBYP^a*Iq~&r&+JUMM7Fj4prGzm8kGdB0FXd$zl5%$ zSdgNf5rKdF_VW#{zN$S|Vo%fS1{~{LgC!8Qi?dfzvXU{o0nWPDP@8U5&6PLi+;Pqw z=3K$tSrX#P@kl*P`Mr9Q@_Rq?S_$xFudh#3>SfJW+BOek{qyP?1U-Fx`Ez_ z)LSwSKQ^lHjtgJHZV%a4kua9SX;J8!y4JHcDjm8p4_Y^_qCT(VDm&3u zyssy!>BX;|fvp8uTTgTQs!0q$62+H0RYQNUZBET4l#@Xq)PWl2J)fvzgq=L6vcl=% zep=`hnQEzgd-Fkn1vQ8)h2m_45Q^QCep)wL6^3Pyd0_G)Dv}-KQ^U*dt8kG$I8}=~pw*w$ORn`K)y0SF8_0&$vSn5xT)4fg4`otC=HWJ&p4@W-U>0#OUnc*WO%etH&|vlXj#|EK|LzQS_|>Y~;qte4rC z8jg=?bZVQCaOP{vX?Y85MvYAn)iyoxO!}gNrX?gSvxnMlFE7#RuwJ6CbzGz`u$9`{ zuP)*GvwkA4>)`aAOm{P2BPwTHK3ziNIgW~`dcoz>_yP?QZ7t^|*1=>#KCQn7Q2~j< z1bhvLiM&i38tFHfjw`hx+Lgz~wmv;L>I4KCraE;Om&*6HBOd9iWelmEZXp^JuD1(m zP^RC8L5;WCiK?ENZi=%Z?F9N*PHkmXk6$mPx2bjUgC`pQWtBBAEdx%;db@brWRJ&h zsTN05N_DOATDcvYYRTqJ!)*qB7V9(@HDu|u&Vj?H$bEJ7DUGv-3_8vE8DBy1V`)um zN%j__s4H?OUMn&XvT!fdS*~yUaE{iY?Hdc*UE&I67>$7~<6VD`yL#oG#amg@#Z)l! z$9`=ORdjmHnv~`sv76URva^+kNNZz3A$FN71<`CK_9y#E++*g{|LYc0J*`uo(jsic zJ9xx;1wLP$6ldGm3G}fH$O)7j`~Y@S_^T%pcXu*zht_fSFRT%Ak7F}g*oXNF(QC*Z zxg0Nat|w=TJCMS?RPwzy)`+*5=cD^N)uxJKsJkBWb6Pa`TJoVC$+_~@ELl*%rLj-N zhuoo}vmIsh;Rug@`uv^FMVYhpI$GO~mC`Ds$YB2Ab=j|% zIlz@9b-~_o4v#qz7mMiIp*FYy7V0i?3-m2nV>dzHlC|}1fO?b`AqXW~+z2a$7r7Or zS+=~#ZpJOIg=q~T6c1s@D_q_no}#$~T)K2pN&qPiCRgqOHGc}XME1Ck{nZZx=zG3RxxXjFP0 zvm`)eM&sV$qxo|JD=e~d4I>vdE@_}m9JQ#~8?NDP2NZ2&xEP6q@urhH03q~2P{W3A zKiu6eV~H^|zWGKA04JAt$SXV>&-tVzy|%k?7=lJLzp z`)}N1&JO7+4}VfQO#<~2eU0fNeSsyF<3MFWoMP%H$|)xH2dM11$bfkFLX;4fdFO%Y zUh=h}qk;uy)WRMLah)f!cd7S4(sTHUuP(DEt}c}8%++OI<4s9hU@2UUD3`0ZmkA^! z?o{G3YgEy5cz=F);Na)#%-0^%@)lS`hzdv)`ASk}a#`W??t4sFW{>(?97q#Cz82_9 zSio7xz+U9Hk@HqI1Fj~jnkJV$Vm$WdI4WxiTNcC}XF66rC$_v z3t3K{q{(^=PwERWUr?F%B`oLMR@`u#+m;Hu16YY~Sf4WS!EZwjIW61pm%NUBNQD;2 zsOw|=)6ehU|FF9eRYUeb3t!quMh^DF=;aZ*fxvCcl?-VveMC@d_z=NJv*qNnmr!e~ zVSIFy9*`UvG+p|f;8d2bM^TUXQvugKhCD`j9cmcgY2wFq%{47{xxs||0OgOH?8n<* zcbH|l@wl(X5kH3Utn^){r_#2&>M7RVcv3!%i5OyKXDD#vQNw=_ z5Cwy{u3)QqfxcG4e-LH`gKZk^13_U|G>&K~%68})rkNAxYZz$Ia=X@Smb-XOtB99e z)+K9LWlo&0RiG~7D#>h>-;y=0A|H7!h9_v-yJpH#Zu+Vb9eWt9qsz{ z_+R`gO63R1X`$`*WR|SgRP8K0dReJPpJ3%gCbxUFaoGj{D-e1uN=SSVs2@ zjhCc6z$iB6Xk9#ZQ*6mNiF05|as!qUwC*8$Dbfs-fA^N2=;kqMc1fAmxaW+DfOptg zQ^EH0EKc7*?Wy>X`oQT13A7+h}sSI0Y(`u=%bNau`rgf;~|UUP6^iv14EjqiM714 z!fGyKi57yLs42HxxkbfrCaMZ(?f&7jgWX}JS{B#rg&qzas=K+ucKo;~d#lI8ZguvN zQk~y*8Tdo5rnEHo`p!q7oeiX`X1yNN(#-YYFC1M&)r+6ndhyoLR+>ktKh7m>yRPy- zY##3EqIUc>_fseXmxu@%y3eT(=yU2HaJi-T`NKaPo_0`!S_q>pyI~P~RzwQv)I$$i zb<4wrMk=b?P<9#U%(cT|DZ`Q|6jxmkIx}@dKEsuryt30AHu-c+a6>GjxB6fVvs;pb za>&c|Q=v50jtFaCh_yRLieiCwY3xv%N?79LNE%?wMj@4fGz@Ks&v!132%4%#16naL z-x@I!@&8>^ct(IhsWwxU+SZFn4 zY4F6a#{T27{E|(zWkz#PgM(sfDu9aVWB-(bz2`Ygb^w5fb6SP^P*%q|KU;Q19f+WV z^{x!H^FuW9?>bj%dwQDh1NNRd$7-yE1sTm7g7odl!(i;V({>|tABebwJ{`oXlRDrZ z7IPy(!WK-tv;5bOkAF)HoF^aC?|Uk;?N)N`FKCMzI>{HBV;ToLF0)xY^d8DK)2c5AY&D( z)tSC<(ZQz!UM;^HVDcm?+vnog8#1*i!dN_9;au!f%d&1%xWNNLI`K>OD&}XuDu&!_ zI1#EWqdyK=RBa$fa^11umQ?51?LM>xoME5UPPAJ*@rL~r%EIrpvc?_Fq_VJ!5WPzPaV}lt>izdB_SBeR{yXasC z9~vT2{YU|&U*>R|a$5j~<_d-=$6~U14?)T;Lq{v+qS0f6QDw6Pr&b_Q)#d^xq`J}) zRVTLtIIfU2jNI>pD!R4?d`hcWbXqOIc5>PQk6~^*7Q8|Z%NaQs zVAwHGiy`K~_cGexZWme%A@}v#p`CK8KAz78YtPsDgi<%8VP3{#5$WdhJ0a(i6AXG_ z9GMi+(c17@W+x6%Y>I$}VH!R5^U5kFFXrMm#FZelXk(0pMWHD+*d>Hw=+6~?aRCVx z*I3zLn`YPVg~w?=#%VO`6q9~u9bBPx26TRCgHC-AP2_U~t>l{@KKxDg;%i3+NqLO2 z!j^=d+l2>}Q!O+MF9wg4#n^)h#>_arRS_5X(?j^P<7*~7*~u1pc5(-t$zJl$pFB-G z;R1X%y9?5;_ioYOc*xR3%~wrNx0!&9_D*LqyI>x6RQ+r`I^aE%*$J!1Shq?2_-OE4 zZWpwE1HlS`MUCuK6T8*Gb^zxeP{#+e_dxQTQ8hDwqHBX+SgbiVa6X;a1|XK|j+f5> zFd{$Jhj1?n?xB6MfBJ5(dT2}fghHyhOStRkdMlG>FhRGBtnb(T>%(c~b=2I5WUPGV z;HZ8UcC%LK?F|6-G<0FAi$B0cH?aGx$g?8d2za1tnFAqCt zbxjf2zmwT4sbI@|VOMhuI?6Vp{Y6}v0f^rTHG;toKNgIf^g$ZscM#k`jvr(Wa(_Mo z8fQ77mkH(I7do5N*IcUyEb$LIz?!NdmS4p$?4MHZkxvO6xSu;FBj-np(Z1s4)-T5G~8Ebba?+oR1N=9YWV z1>tUq_Gsb5-`WLsMCa+XpNgOl!^1YWC}QDL(^TnpHb7-IOz%WSe?D}4j82;p3zSw{ zhIITfIyq7;3p~0!JE>@r(60p^S#rQxH~S{^}b15^LAR=1{rKj;a<^-;B=`& ze0Y^?I0I1|c=Vkj@8i=&c64dul{2W?k*2jkX%ah{+VQD*NIZ(NA|xrX4~fTKW+34d z3eDs%Ttv`^rc3Uq#5oz-em4XcB}Y-+iCp((3D0J9qG_Gvd^{N!%VPoE)tSgRi4hAx zf=Po?|Gm6Ob4KsP#R;&n7DQnhq{vv?!P8|bMOw55J2*+&L|I;60+keP0{4!tIbqzF zaecZx-auC~fqnn0$mhi4BB;$6ClQg0(m6Do%My^3*@EE|3m_hEa9BS^q6_H;&h#Ej zn0Bx6K+ql{^&YdBuWW@s=&7Bcvwuff`HCAm3Ld^SxvthJZWOlMo*Hf4yufo$g8NW! zF?kACc|1l%0;`YMhx#-)YPN@2@laag8!Bi)(zOrb8hdGXd z)1h?#AksZR;wd@9F)env4C-K@bc6<;l3$*&g)l8Ic36D*J77@M;+Gfg?!{1)tiI)? zi{6!?`oOGyil3~`rRPs#s?=TiXAP5Kp`md}8Id^4emyGUBWEgDF}xWf~O&`0jY>&1Z6dJ9^c4pN#iN8|1%c_a&5Qv@dPldXIMh4Nkm?3Ifj(4H+fJ5cEBiw$KA<+mj0 zlHHTr7o#3pyl`pIL08*21@$cA1t&sOV{OEzqili>RgD&GU_|?20bkay!M{1jr3PZ z?_R~b#Etaw#0Z&6^rCC3;!~hG%vU$IrqX3X@)l1%lm|!P57I&WX7E|#BncWGx1>@e z+mTSZjPQ%Z1vo@YjH;}LOB>-Is5IfaQJGxWBaA6_ZY`+U}=5SOf4$BlqpR5r}@9*5>RoDu0)(6&9i*$dun6G zedRNBd6H3PcjXFQnW%m#;ur&A9-|^UOfD$A6z@qO(>8#f)>|k_!8|`wQNL<{r$4W9 z>-)N=S@Yzp+l}W%U~JtD*!2{eF!B0kzHL4{_T{+|x4uf!hCDHDPAnK8m}k2GmCC%6 zWh|*U86y@wfa=Th$M6n4YEwy?pvpUrp+ufk4JL7aqSPrt1xU8&k}qmvikCaNcC6Y*D9Xn_gQ3h;3wl) zZNNyWGU1Q`v)oXtgUvpmD(+WL^Asm_;PPRW^6L#r)sr;F+u7V8Broq(e9oHtDviF3 z?Sx?PT#6jOW2umf*%08;_0=n@3EkjH6}Lc8t8ICN1Cj|z+-F+?kG^)`&t(H{rtei zTDXIr%2677iVgDNer7;omKAK9t#QXg195o4_1X3K2IF9CEde`oS;S8yVg(yPw;<1& zm*+G)JT_@^O%sh`v9{0$mhd}ESiwMlmPHypM^$=F%M3wSo8-Sl(YH|4%N963!Dp~) zU>ouStrKi9FQ37x1s8g0QuE=4w|1a(oZJsd&4=!{F2AqO_jTHA$gHPwoY#l@TgWbN+)QEtkB~1c?hfWTqIR_ zpKaUOF{qv32bn)ZW*>%iUOv}NRBidC@9P}rb}Mq;LQZ#LO%)Y2L{+NG_)FRt92j4S zol)^P#XFh(7PF7IHXfFrUu&i@qRftjx@*fc)iVpqw44z9>ORV&A{H;<2KBf}-w+i< z-1=VTvah`j!uQwV6u3~^+cR{T*w=V*u~3zBWH>gPuOYLZyw}RWBFQhBm$&+&w`r(t zhzOQse$gDvS&fyRPtanHj@;T1Ts&MgJAp|^jGPN$djB^3{U zUT^Su8buPAkT{rO{}Yt|fy>W*%5VT?|0NX{qx_6+b;SuD*P@%3T37-_yip?B9gbEO z!P0>!9bjq5VgfLM_wVV;KjHWmvfJ_PMVvc;qnRweFO!$~FE`P33`5Xm+lxClP(KP5 zg3kR&xxW{=XFlInT=$#+L1SM7`Cx#@$r^i3xD&;F%tH&H>T6h{qk57wEx)Q=`59g5 zUzC>AI0|Xhss0>^@mN+{5b6ZCnj<$I;L3&QM3AekS$CsextL%k@|BZ4M&cZ8Zj2U( zlO-mC8~K@GDlFFZjM9sfY~%02;=iv~z;G1ojF=^70I#bsW{k$97Bh6I_HEa*gOT5F%0%>7B` zzJc7cgMwBR$1bNuQ@vb=e=rHj$v9(|e*jVQmOEwJJ>@-JeVV7t?YV{>rQmPH9{PP$ zyCLqW=p%;9@5E(G#P?DBrF?jRHS0}!c(Fr_MO;Alwe&!IPnU1`@;vCQNNfg>y{l_Y zK_9BPGCLN`D9>4*Jf&4V+m7&i5<2qxFyY!i>DnyNI7=!+(7)BJ*~;%Jz7ZEjVgU9b zZdD;n)do&gfjDidGC$=}aglnUBYy}Ku6=@Qvp_FfU5(dN4wY0=)Ud-nKf~9>{>8^K zPqtkU#%oa32VT^lRTj&-K#CP;92z-G2xyu{@QWO_jTyY275GulFWXW!s_Mb{0rLFJ zd2HLz%9-FL9`jasAF8}yk8iWO&a82afK%;))ac$dRV|w$w$08Gd^vCj=sV(yT@of3W3x*Nd;YtXBN*Add_s@ z!TDV|OaS*lOVuVMY=k>#6^=8Y+7l9-xE#vzkf&Rc(KJr5`4Mw1ptFyoJddk15gpwu z%Iodv1$_ioboV!+)J%_m!bI5&u>3ozv~8nK>C@Ov%Dq2|MB}BIfTE! z16()twjbL`d$wRa?bg&jA8y?~k5N&ic~l*)@_=dDEiFJL-d2Zt1z5%2Co`;2KhPm=OTVryMu6DagAQ?P{0cUy>nq!$2f)q-x3v>@o_L*G ztl~Fb(hBcs<*D1rRVF$<>-xzLp|R>AjCQq)CWeONE{v6xj3cHYKO5ZA6~7H)${u2V zN90P)5VQ30?}C>7HEfSR7%CoT#6BB*IYK3H1%`dK6a1jY@ny%0*0*NYS3ALu7t4FG zJ4G+B8Ez|9Qr!fbPn5-p1+28HuW*wFdM9{&hP=MFsfn-g4ED56kh_b$pTH)s9VVex zq19@fqLkOR6H+9cqG8OgOk9IUtI9}#LT*eiIAr9a>i9;ku(|MpC!?-De#j%2=~$cJ zAefsvU(%QP@CR#?3i`S&NOGg-@9E1-m;)EmK;)EGv1q_OmsL_<(+EKyi-%G6pHRk) zknuanurkuO8$RCOT0Gw0`aIr!!F%!UH(7D0Pf-;e(>bpNE7J;w+AWCgZ@JVbS;~s~ zcN^Zn?=0@$cRu%TLk<=cd>A+k!$NkS;RRid0k!SWDTp~&nKe?8*A*p*Hz542%4X61 z3xaxLZRYSSfIqV)YjBNENTtKN0f#*<$cL(X*!}}ziDCxZC*w<+o}xT^N@b03sV94= zsE6e5GJ~vTEU?oC{OEK_i{ug`Aw3NP#I&RTEnc;TYquF>8Q|d-k1k}3Jsn-przoo~ z2^i&%fc+${%>tF4PA>sc$?oZtzENkv$!XF{fK#%2I^{I#EV!afE;8haa(lXd5oxo4 zPLb&7ZMAA`psWYxleq4*R!y{TAIrM2Uso!?etijj>eQ~PKJc{qNnEsCQF_Wwms+ol zqWj>olZ7S0Fw!oY*wdh}4;-?{=9jH)b+MH(h*(7j3aVq)~IOFe>>40qa`KsNYi#2zzb~y`qRmQ4WK$Y0+Gg zz(Cgs4VCW`<+CMoc?#3O9pRp{qWSLI3!-HOX0X5g3>Rmy*70L{d55BG{HIj&wnMG8=7WP4I!HbAkt-Oov&Sri5E=52EXH z4Q_!_ZbuUL=|X;Qw&YLtDqLB$CDU8X?ZmS#pVF$zlI|1=p`S~f8eKwrcXTBZ-!KO))RT#zUA|nC=9X$-c)Ae`q z`Y7nMNKU2buxNosVEt!Q*V&;s&UEW!VSG8HAPW{UuNGvar__LsqYOYih_@=EKQD_w z7Z;<~i*_-~axUP7E!llil_zL3%q=>;H1nVX#L*1`2>CSGyL#oiToV$&W^7364;Qe#ETy6;6JCg;!8hYJl|N-sv^W+pw~70np~pm$NEO`fIZ$+7OE3!tt zCXSp@l60pgpPQ|zb@fhAlTYk4HI7BtJXYC50}(bceAc&7etL|);qxhWRQ?T>e?$4- z$ntz{LzUzNBqyM9ft17NJ1fke@qCmp?qF{>opbQU6gshqaw;=h+xDbzRL3+#F`<-W zL!A60C`laZ(THc9!Fy5Sdnln?*i2Wy`W`ZjfSY8supk{w@$MFUgZahnrUM(gBp_e` zv<*_+XFAx;z{8D@qolxP8w9sP2gY%eiC$Lpd`?a>eg3Y>oN~NLo;!><$s%}Z9E1V# zTg?4Adj2grec<$&+t^|3(qz|(Dj}}y#+v6HQr4~V4wq9VPi;WN<{+E#Z~t79)p z(1c}{b6XeBFQ0WXgH^Dpt?e<0KjmbY`CwGKIL93Vx+$QjXOnwkvw#lHWy648?wY*` zt4@S{-+>2#(5ZiUz|n-H&WcG7FXg)xmoY(L4I-($|%Z5=wT7g#y;^}=^U*J6NAS8eYEAMzgj`FBIZ z&WA4B{xudx#Y22FfGK^b+P@lTSSLC@w?fx4#DMRFBjiiJ%9HQ0+e?h1EMhjVfw&is zxsQ1+=yD(R7Dk@3v8{=l=un^1ID5!0YT}NXA&R@`a4Rp5qLvFQDDc$7gJ{h}xC&_g zC6q-0z7k`>K<1@bR6~^pWZz@9_mpks)zr(uZ~d6gPfxDFrK`+<24;3{MTSq4Gn0A= zc}%-)E={1P&45R)q2j-Pjw;jJ&2Q*-bkJ%0`fa)%)qNDp`OE1KEaXJ|P{M|Q$R{Ty+mET#H}e6N z*-mM7%Lcj=Ra#6HFSJfEy{aZbo1CvWVt_r{DX;s>79#;6h z1VohE)AjlLw>MUR#1oKYO!{PmKb1h zSbTJni^_sNKnHH`A?YWPGWRv_%gTy>rLm|LLU~1rlvm^h533D?E8`8-`q)rPX|G6A zj(~T!!q0p~b|z=-+f*<6QnaqZSahDNmk`|M;8HP2q%=&jnw~^)ZwBIEecMonl?8>o z0Ez}wG{B;;+-(%zJhNX#;ti&O*PnWR-jZYq6;D}tu3JGe#nnJvNno9xY-`iVa;;rP zFwHRe#3{B0ffb_q-Xu9HIUn5+i(<_S2aa>KSVrHJ)YIFCC-)-BY%_rfTUwRZe zhf1q!0AF01Yi`QCiKsI~ziE0TYaPU`sy>K!@`?ps+?*=vFM*&=EqZI~KsRX}u)s{8 zIn!LnPL`rI16vX4XzN3v1qg1yEk2hk0`Gm_y1?hYSu(c_9X31hwGQ&Gx;_{gu55b# zOT(TV(ygi(UD*(~xMo|)$aP=vfq-{pD*_{W`|#u%v(KE(mR8q6>1GdQ zt1{e(@?rl{M8_<)>W^QDdJn-oZz=#C_;-^X_)*daSULu7gI}(|S5rPq^+(G4_w>bs zr50#%cAvn7xDFu9GS-4$PVXKV=Y5RoFVIZ~ue}!Agf2wggkqNcM=V4Rhv)VZO&H*M zFSGqyyx{fiew43qbNdKp*>+n9^IIGSP6TYl~L+wsj_`cAVu7YjG17vtLj zU_lu3&$&PyXUwClS8I}W_0RI9X$6ml*kjhz;xU?uv9vZxP3t(dpG2m&n8}5ZjhD@} z>Gb_<8pzCg*_@zq&1SO1;LuQ(RQ0BEV)w1(Zuw>%yso|hCBAIkxwDJBuom_~90m>e zd>{rB>h{@#wxdYCkK!-o!^5U*f-w*iEZe6K+OHz{dr{`shX+UY5W$5$F&i`16i>2* zeDqCoWp=fjX?+J5+%}i+As3=(3??#8)GnIHI9;1?A{S!X4=yrJayGh1%MT7V;DTxf zxZ%JO<7QtbO_>p|^*5;%w1151$IU)Zt=>S>JHciDlgMWM(K6D~yaG@_>n2O#=5>nXq+Z&dk+5G~-1%o8vdmakq@?XtcpG`bsYNl5-Vp z{z(po>Zdq=jJ{I5kawKhjVq6R9kZ$`t809}O#r6&^5EM?%Kc5a&l%!j&IMKOw zRZp?}jdI$qMH%HM8!cC78+3tKbC-=3CrePG^ULebw5!NS>PF9Ei61DT6JtVbYB(7wyTMF^B|<1O?+LILJ zfICW`NBZ=b)E8<=pyn?V7Zv6fKO+O zkt1L59r<0=zv88tF`o|1OI4JbbQ46I3X%qMMJw~7A0dO5E{t25!TK}Q*lhmy#oP2Z z?z7Un*4Uhzi?)zqsajGV958bU zC%|1TeGKpDsv~4t6ub@aj;;~-wCdQFgy^jnO`50R&ho{9M5mk+6_dt3s$WH(JDJCp zO8XFB{>dNc>Vvuc^71=nu!WBY)~>!<0`}g86?%iJJ{su%r*^KrIt*q8Efj2M2ZeZ6 zIYZaRD>`_m#w+?Dv9Y%WQf%>!!NvC8Jm#-e#!$WI;4!YXLDeP}4<9p0FPw3C=B;H^L%Toa-8XX;d0RM#-XY4Nn=uy1MkhiCV zwWvSAjW2njc!aEAasB(zRZspyu98|61_=*CNmf5@Z5rRj8a4Y5cD@8P;L`2D#6|Bq#r z{W;=i@o0A;KQxkYtj+8kKy+L z2ivYgDKI0LA-cb5ORY|SU!U*6H(-=E5S{w^)(Colyo|HIB_VI~<`*Gk#8z^ejRq_8 zEUl8Xp=Ln(G&aGH#^91T5#eDb82T@`%`Y-P`=NDGc_bwlsaf3E;Nnl zxaybDWeDV%62fs3=WJ`XM@p7DczuH{MDKKlUns-ydW4n)sX{cWGpH4x){9}2EmVa6 z3bLp!sP=~M36}RUKesm>vtu6NQ}(;bCh%&eu3y<1r*0qcVX98=L)R6}*}xlnWAJrV z#&%1+;mfTnkds$cgBDwuel0#?4qIo5H z>I)?DP;K<6-{>xZbr1%wnIW_rJ-Rr&QD6|c`jO-lr>Cui+%+?ZT>W^jGw_k?nWPf~ zH&(`Q>&YrH>{CB29ZNItWzUROYz_uKj~mw7j4S3GVzE1QRNg0NDidvM#+5Iai|>eD zQX3chD9umoNZZz!BYGk4JIpoWh*=t1#1lc zIa>(V>5R2tPIbfj@HV@wsHP?_)<79(BO_opS9qI`Sv^IkMvNxL@P1Y|`DmZYv`$V8 zmu!sT{S)r80avHRT8+W1I0(IJGhe*3l^UU!S8J&7sf-SXk-a`HdYzAry`|i>iunGd z8-0AqbDiXHMq#C=EJ8TbEGaA8I%2kv*x8Ih*o}^DTgMh;!5P#wJLPrn3O1@12~ z`%D@b^RQv-iJdzX`VH}5HmdspdXi_D8Hb#7L(Twb+bV6?@KQ>>c>qO$(f|TISZs&h zTS*FIBjP4Is;3-JX4OBPWjCXXz9!fqCHRPF)t>B-G(IT9z*tWGL_eLCLcyT3KE{c;8IP-pd*)3%R_6>y1mV@rzg=Gx2l>=Am z4lEy?UtB*<8Ym5{(%#+&K8bzTTN@-6kg6BW;%2NkDNEm$kzOYZ`w>W^A7gqYFz(uF z!{NAagEC&Nq!tgwvA!f8T5y;=C>bvvo}vm>z+YbuKo*<)pv%vH5XBAgEg18#|5Sf@ ze%}@a^o&%W!W?22!tgxo7j0*PvHVc#Qp*fW8 zqfVP-%be@EiSF;q_kdP5Gltr8f}`J`E^j{Br6vSg>8Rn?~klV)fF(x@YEQR=gjy0TK&TFQ%$r?h@}N^VosRli&yJ@W_|Z2hT}{F&T-&`Oq( z_f%aDO@mm*33;j(xlXU~#dtpoXVd|zM3!<;N2%)nToMhVh^Ckzp=D%P;R-75%b{cz z*ElhaD13bu(W7#vWs$?o=*3VojcL@C_l?*hO44W#wR#ohFHa9ic{z^^1K6ljAKrd~ zuT1q;%PwOm&(wQ)IlPR)8D|3}7IIM4QI0D|FREUd$2GwUiC&YaA3dX;P8bD=V0%JZ z?v81Fs~X8)$BuyQ(=^(*#_<`@E2L|*Z#{-n;3^E?fQl;Z zi{0VG$cGSV2-kk-yU+-q3hmz~$Eex5cSEg1$cxcM>plh`O?&a)+=X7iXzYJE6NjW6 zKM?PA8L`mh%v>ks$Vq#BUCkM|N*Tt{(PKjP29q0`9|y0jRv9VHX}BueFq#<`Fw&16 zzp_V_`VnDM;zV`P(!*Hbq_c4`1c*b2<>8%`6Ekv2WO(p!A__L+QAS>gh=35u>DY_} zC-ES~rcIs@{#pd}(Rq+%)5cF5?`zeoSurN9sF}jw^3vx+udQ{Bjv~Wgxcqj8-LwN& z_V&3w8#X_RmX@#C&nC}Xv)puZs}N?XO`;%kl*sVdsM(UlwowBlXx)4gjJkj%gGL>0 zzamr;M}EXaDH(98*(!9nidG@SRmi5K>yD6=`)}!?Ln|an=z#p4X9Kl*5CL+X=K|62 z!T+q1WX^X9^m4!ZEG#0R`y9+t&~-sX!e3F{qcO@350Snj;esUE4+HAbcYG)z$@Wu$ zI`y45V!!@{cSHm!4#pT#x1|-2N{1xV1l9cEeOMp@C-M{D-o2b5?jg*}}HCtaw z`g{aaJPd&UZ?W^;7tzc8Ze6m7fNotfOF`EK1_?M#{upIx9I3`;wNb6Ibbs83cDV)| ztU+le$>yGC2gCd}+P7WpKvB;kn=V`>&}a{|reG2{uD* z`yxK-r3yNUQg|)cjusp>>?mfEW(Ezl7!DT>;FPn~Gx(jL41s&@7JtV@h2xG?~I|}T!GCc&F9Fjav z@*NE*+p9Sm>;^eKsB8s^6|0mlhm@@XV#T83I`Yn5`IA96ZQ57}&sQR403Fvc z+Cccu5%nj@jLSlB<+M!pqg#?+iKan(T<1P%;m?lnx>VueDrtT=)=`!fPopt{47sr66wym0=EzL#Mi?TB4xCC4yeJACa{L*^y#Dk^);uUcE_?bEdi76By(v4z1tzZxFul7o{&c{5Ew;)qlhMz`oN{m zzt!niP4aR^AqcBJrm!xHEaPrLxeQuI(MxIgSu47-iWma}iwNF0`LM2rB^<{r!oz@~ zGTK+)cM$~h{;gF=8|RI{57$*=>KaX*uo(4NTUr0@3UJD^)rw9JOMd?HWl^E+QyfPQ zwG(FXK&9uoAx&5s9gS2JT{C{=ptS^Ai&=Eg0xNR$tx44MuFTv<$0XlDjJYz6zAGk! zF8D>vZglMRE3NIsOk;qUzXk0<%ac{hU<09Z&Q%~F`u8Z1mM7~L2t;`DD3A5K`N+F-dOnQ}r(H2;30cvadQghAIDGI1NC2p6h`(Kln5YC6gC;X7A zOSqEJ=%_*FT(w?gsryPn019+|gNy6R+e7-#Of7v` z4?+hO&lU64@Od!wsmWoL-sgJ%l}gsBI#EncN2y_{Ys;4|ttZfWbjXPgW}(w>pDKMY z^bIAhPvb^ilrL3Xey5ZMF8-zTZvF+zZcy3!RQoj%FN5a!<|C70d1LZ6%HyXrt{+0X zQ^+QXW>1mNjyBx>&@te{qty}EJy9Ky0{4D2N&I-pBMf-GdFNna_O%*e#N#c(vuThO{3W9TMUVzk<3$0AqWgqk9x5HE z`GW2^EiYj^(jy4Z&~n_4Yx$31+3~887!1RJxnURD(s3SUML|0w;~aka z_^h>{+eV|8=W!l@Fgo9Y!*Sp$&OfT3Vh-rY*S+2NViJ6q(4uxzk5%qPhZeS*c{<40 z9$o2#m8r3pm&=j8^d-w)3Ro-lhoVY#2x@a7-CX zkG^~!M}Ufn)I$WPV6r->+{yPqk3`h^YSX}!cG#qv>Q9a?DDScxv7t?focQ;hG1&tycD*?X(3j1zAY-y10xc?+M;sfZ zZ!G-ScszkIM_aMT1aSof#CeTsy()pTqg^~A@$JRN+rhVRgQts5=l$px+DxFjmth*(bGf|G?r zs0;jk5gb@BEa>l_Yj{1rE%e;$lY43gX1}U~Ovpc?Ej5r*CFNtfy9_d1JS+!bEAtHr z$S6=ycjhpqGRH&HcJk3Yqsh>KT76jnVRML58xqHn_gd=ONO|)CKbJfhry!(@iOC3% zvBo0;KmDdwPf5u9RO$d79@D1-WO!Ghr{aQDeRinut2~VoisRR8=`EqJ^ZI-Y!{RtZ zp#_@_$DcvckDGl`M-WlAI6y1*0$Aw+;yCe1%lt+%t1w}&Ri{w3?W0|CdE^8G7(Mv1 z*S}gdeiZ8Opn4+rMeJYWG-_aAB3aB@2NuVZYb)}phy~S7JHlynTa>a?yu>^6Cb9#diCysr>>=$r8(MX3o$O>ZxnMJscahBnzFdg}bgV ziug&d)+&^@dHfcQ(CW7qih zsxFgg|MZaLheEYEZ?oh(D~SOI7O{VW`u0Uj6*6VQkwTlmscQr61$9spH%7% zCKBU*t6zq7(?jrmP};&ObCaG;DP{M&0}h4fG#d&boQ31HRs$YQYSsC0qNH&kKc@*$ z4Tc5%t8V{cb8ch&TkQ6D#!oVLg$3X&}Mjc)bgCxEaXnhvs&+x<7xy|$4ozKI* zwwpnNgXi$(zwYkDk9Lto7z<2?;qdSqHQ1ONTA`QwDB8r^nDM=hd=UW zP7P8~$tS2fdeCTj$d31Eei?+c5HY<#4$5nk5l{i!A@9;8iy=$doDqd-O_FR-Y*6dM z&7ZjG6LkiSPHLlfkcxf%3DVv-8djhWZghb8)H&zmaU8PPdpOLXL#nvm8q=-UQQ|E; z&?`AQAOBo4h%XV%Hb1 zXO5JV$s;VlTw@>nsMhsp(t4$P;wSy}>{M|n^lO2D6fUJ6trk%I@2beHW>qER z)vkzXbOi3hZGE@7DW`bE3b5?h^ky2=TcR6<<|8!hgfA`dE&9(2R*B=?FZSjcm{$~~ zdF`{l=TeIyXnC}HnQX2>y?8BAV{f=%7QYK8B7c~4(L+B>?6RkPj>I({>sMk_`uxt( zd-4a?w0BjbF^zG%%lFCqs2eMkfo=}}VRf%o9>@G^UOeR(-QVLp%rnzIfL7}8@1z1x zAdsG5$tQ7xU7+ub%Rqx(PU!~wY*J?7Na|{NPXyJh(OyPHvc86OVL|7jLql;3s|7BH z28~BT!*3`eq~R&KH6IN1Q|`YK!a;na%iDh?Y^r^D^i`;ka$XHL7eML5j}<&FO{v zV;!0CElM&eA}%`GfR?TSABIRrV01KlNGwQ!do(HeNvEvHl-HojYcV!EmNLtnd<WC)t zhtDWlI6|xRG%LuvfLLD85bX^J37;xg%fFw#R#Ekm@9q-ycE3Iq9Xu=_{!_`k1(}~f z#+wKXnEe4 zg@{cCNPQ{9ZSxKt7sP{*fTf-*$dBoz_-?^)y}#B1%l+TvMY)f%^qXp^zhp%eUlbuh z51o{u&96qoHEHmt3>KKAWwKWl@A3Sk<_a7A;SpU&7>9+ z+l!AnK|n;Yixizvon+}gMM5#jrpO3sYlCN`Nean=7d4>~(b^ZdXFTD<8+{*DHFg0n8))4Td8B;qT+C zKhiB2Tz~x^X>HCPep|i1>kbyS|BcKlBI9ah>^1U*D8FJ|hSgb5*nYW)&9z&44-O1)Z zN#Py>y51+9&?ft&ekhy}G#(uG6)zlfAp*79PGFZFULU7Fp^_$8&N@`$J$-9Y7@}98 zbrQP|8P{;{6W#KUO4JNMgnu0iS~X)w1u*6Ixci#aUPtJ4l>@y!gFZxql7NOhPzk>N zQ>Z2G+aZvDLCTM)NPhU9l-Lbjrt$4D&7>2>7ejQ=^=`Pw3t59GhWBJ zTu$MP`?FdJy(bfItqJ+DFzXeQYW^RqB#WxLx%YP~x?sr1(-)`eYbdiHmD%Rr35z%{ z{x&b+pew5t*ssNDUp?e;^K;cL^d1w`!`^$%@1CB8*@@p_Hsq7QRG&ndqGUemexvUHsEC_xO6j_%?wnWHFzu96xrXHgX0B?R+ODXP1_lbhp# z4%~@$aDY};-1~$NJc;+gC^RlDo8PsDx2WM`aW4-1r&>xOC16x8-w@bcH9%EQwGU}Z ziB7;kW1LXfLoP`h5};#Y7#LTDp<~gmN1#Fw^rh>p+0F1>H{@I3@gcf9 zW?@C)z39L(O4CU)PCELKm#z&jZnTm>E1}cI+CU{v-srR&N?MgMudnTEGB^8iW-uuK zW>?S60VnFWjIHP9Xco}pMa*+^C=1x<;Jo>-pZN~f5r)uHe?-2i{22Q*@{9MUfx2S`vp^d;{EXG^ZI&U z0FARBaUPxW@3`seg%A}R`|u_O6GS|=bpeMR?LPb&6#=Ti0N^cve8)_m^a>LA3_V5F z9>n3Vhz<|{5>SDU>mUgE(DEF-KhQuOV5>n%ADHDOWxARatd* zac4}M`pk7)$vJa%wN|Ufl|Nf{#cE7D6IWB>}Y`$ zx%VZjWNnT-sh^7S>t>gwNnVFlm0_F!9P-B`l>!M|uC%^wM;|T}@0bwMr8NhnCQxcH z3<6FBw2;cYyuzfLn~$((Oh#Fe=Ls$%4{h6}NfWixENdN=dVPJ{j4y9iPhcBrUARJT zuWTB>sb=)WX{kg*vwBlL$7DF`DDvNuV2C1xfl)X;(=_3ZV7|#}Io{qDAy$Llv(=WD zM%Uu$TT2b-)b%`PE_>Q9!PNGUBBdcN`Fj$Fcu_fBjVrLCBoGwehj%4&TjCf8a7lSC zj|vByfDyQ)^>2%b!K=&Ug`f#(!3NP1R%p8#?kZeJ3%qJxqV`#l7+*})NczI*AEu!|A)#)KioUO{oQWW<09E^^G6cDME zI2)|Bk|q3!CK=8^)#&8G2!8%7!4v_qjlk!kVSKyq6d8i8(o>XN>btb)9Xi3gb7>zs z2b7Q(`DZTKJrp1gf29IJp#>I;fbwTwAG6MJ#LD-NTr5y3^maCNjr@HeO5Rwh2n2m3y+J zwd${S6O)A5>>KmbxBb`FhwDr#Y9iQS4ovhLKW$S;+NlL($3E8KkyPsjkr@PWfqPSc zBO|!n#$(KNP&F*)_`xhy`C)B#QK?zD^24g^qDHfH<%cEgS_)tx%MYuv`!%}zN^4x< z$J*?oQVc7NX4YgEHR6KTE^u!O{s}+UVONI=!^gI$YP?MI!?9jQt5)j-BU^`4tqdR5 zHe4T%e^Dy1i}V3htiz&N0YFK4UA|mAlLL@_JU2@gkkR*`W*tVI!OQRC$?O64@!A<= zUGeEWMD@dW#AFAqkH^~lhP(ovMOcFJCAiK zZB@LN^HaWg*m*~by8L1YhP+#` zXg0s>{K8Rr7gw6oL}e7mr84VR*I#gf4g0rdk$un>-jaoNKQ+UJhF^FHnRER667&6PcHjz zcv4G>KD>Kx#Mfh*HUjUX!{IxvU^_1OGE7Q7p^~-ORo#k15`V8%L4)4U`x}&Bv0Bi8 zdSm$&1e*AsDIW1?5$(Mxi|S)49GvGBMfJTiUo9v46pwgC7hjVX;URSw%X83mXgTk6 z@z3N%avt5na@gFJ(LEki^fxV+pzGlJ<+S-pn|Q@?+dL$yvs&UhRDA|(@%JyxV9@K+ zm+7wUJpe)D|0_KTn}0sOCj_F00yijxw`K8_aHR2V zR3$Mbl*v<>s_cUBbEa5by>^p^vEx~Qv@L^lfXFCTfxjQ(A3?{DnDCi&u;b53NQ9^z z-wTO|bs>omS7Z^1cukj=$eRmK;1%uzBBDIl*(cS5T`6-{luuC^r}@4A3knMD!XL-R zB9cIZT>#WUDRc2BEA07BwzSc1uIyN;jB#?8=Bdw8yK@mYf>!1-Z95|+@2rwlh=i1j z<_-aR(Dg~Bh!|Qej<=y{GK}}K@Q_|%yeAy>h~jOu?Th^0jUfe>UJI!mMYvMm(d)?) zs&FDlHPHC}e1c2);_3ZM^;hPw0+)WQG>VWFN3Sm{pu%CLfyVde)631jKFV1+6jgm+ zCY4o0@2g4nBB-s?R!ALFo?IC%mM*H8+JNN_U+ZK!gUimkHJq(<(5qpIf8y<+8-DeU z&k3*A{{`ouTBm2udF|q4AN6VllQ?Z2oK5sprO{sOX`=)kc69ps4Jw-IL&M_x@%E|u z5bc*RftMy;3`Ap6cOFxZA;^=HGmez+?Ps_&(QP2!)V0>Jm_ie}-E-0KdD!cM6cT5m z(fcgz9pOy=i8>oo(;uS|exzTZF;<+Qv_3#&Jm*GkKc*0K_jhf?*LpZz9k&q-nnrx$_OsKH}8mPejnjN8|ua6SSqk4TTm zxDqG@fT>A48PEw=b>aiTIUEc9&tKH=vfrM z;XEv{BRGtZXpdnqVOW7TYF(6KH$Q6y>pgA_q>FywdN3DI zx7tHj9dD~$nciObQ`dtjcJ#(*Sns)WKwb2M*T=bpz11E)^;-uE_3Ry-hrJ$5v7=wg zNXIi>)KwVf?y}$8KF$T~t@q}-urB)59RRwBz|~&f;~~EI?pGV5*u~#be7%Rxz`5uL zt^?AWv_%h^?XX6>hXq6#k{ZQ}sj|IPL?&|P3PhF?a;)lNpMFc?=nfaZzg#9eeV8(; zto&OozdCPT$D+Ivd9&xCa2S-IhSJxH>*e+L=pwmm0Tj80>;Cm;av@7zGi`l(7EJ>5 zshOQ=>pLQ!X&WKKZ>H@$l+4exjS%B8(>6lSqM5eyu*9Be8zIYorfq~XubH;~a*z*&4 z4%WI5#jO3Q75IEMS*&gJUrPQCI1Ji=momE1e<@kU??aj1)!Kx)NrA$`x(N449mP?N zCxKIHU6?d6&yFd3vu_FmsPzH(76%&DC1P%p`k*cXqaFjccl}$3Hi~)nrTC=N&Q(12 zbnruzmVfuM3R=#drr_+MDkf-IBbddxsFH@Qn4oWQl!`%07cEpdJ&Wu`DucxNFHsrf%4>nj={cHR zoHEFbd}&Ho4PE=KP3f}I(!CNnEqnsMzTmaT@|0nM7Oqb@A5(%AD#Mg5S)ww^-Sf*u zGxq%A#nbb$s=M|$aPBO$%p4`xtLZY`Qeo2F>t4B8n96HJ{= z)3;#K>?x}DNTT{H~bOo`!hRj`1EKlC$m3WccEFY={ zPm{b>7qt?_n-6f^4ANrk@Nzit3-4fdT zh{`4X+hJ>T%3^e=j#;wq%i?No4ye?YRw)KLqmnfGzY$#q7QP75*@HHDz8#r1K~wVu zJ+%CZf}W_lz~4(A7nP^cxzy_pAdU~e$F#n2NrAV`ZXTlQK{gq1HcA2qo1C4^FG^Z4 z-aki_eg$O%x98)k4bOwF8&V(`z@1}EUHWbrI3I6AAU)VqmtI>27#w=;8#pV4jEw^f z27Pu9$O&AdL3ds{rL8j#xr-ZREUF>W-^=&JbPMo0L_@5?7Z%S&xsPfbY)&$a6|Jb6 zBhAQcRc0UyM7cB>*+2VxCLQI8H5oi?ws-TlB+9>({eNO)R zlhXbLNt0CFCk5@G#sliA4V($1Ix-ju9e&|`bDQ^t>!{q4B7FEsIg=mM6IeX~NmKaq zF=#B$uJG5-aNnHF$M~XoFa5yZN8&~nxQ4F7Z9BM%WOnOLJfXV_?7N9ct;wO6J%rHuc ztG{4|E4cq2ZmTX)a-(vv3B=W~aJY{>)=0t_@QldY(J*D)u!*7S2N7B}za2TS%#~VzPvxXrKLldf$f)m=ykVepOi2~d(>AXQd zVz6ysJ7@s-9JVZ?7fl651;sIJE=ePe0rm>kjrVj7#!qu<`bua$@~>!h13mrPaAN9#qNSu5RSnWwWT)B7}!vM@cU zSH4bYzp?HgQ{8~GH<&=zg2uz3_H9c$4q>&-N%%Deg7gqr17?80)Sv$m48Zp!f{x;# z8j;(67*_p!cLxg9pT&eK9Y7;!Tuz?S0zwTgkvso&cefTTbqQOy;$0e-)#Z`XLMNr@ z3khF=@H|m?Huc>x3(X4JT~T~Z^-0|D>sIv|Vto@cv*_xo-I6jIQ$_<4zKk}zSeSIs zJnAq=fuC3S>qk(b*ZAE)W)JR^M50=*sMY*lPMy&Ngvs;94gwptXwb64kCR zsw%8@56NB+c;6+MMoGTR_H@%=b|-N$yPz>ZjR9$-QR^WWOel;aJ^ zGpNE4gSSx@QqJ=)YI4XZRxLKB<;9{U{rzfEaLALfB9CI@D~`*U=T*xki_ehZGu-zqR1Ah; z*4f2Wh?r)Q{L8Jan#!qTZgII#a1f)9%ApP4lLZ|nM6bt;{n&NZx~i;7UtYuRFO?~~ z?`?tPD(2OSqy zE`rTZpdRzVy@e%GseYyE>zDPVKI2`0BJXaL@C^trczUxWs_Ib3g2jgz67;n%UoEA$ zXtiZ!A$zFIgs;Vi)`jfj^G8U~L2SKP+(-9W@<^Ln;Fm9PBu$%IP~$?XNDFOkL0lqV zKH)DfLQIge@Sz}zO#)o|veQzEGoCFg3%N4N0#JstpDtt{pG}CiUkcC1YLdm)MO7SC zwfP+q8w_}{lENei7MfVf1ye8yjXguoSa z#E=tp0l&RjG0Kn_t9dCma0QBx9s^P8+h=tFJw-p3+QTHv2c0_OODhf~bw-V3V?-T4 z7Y_bZ$J;8wSDAkKl10)uj!YUCQbby?twy*+zTDuiRS4N+xAcR1V$^Ff6!d_4P`3Ga zOFvl0IANf9rB64G!!$n}Yg{UrmPNjYq0GmqOrzUOFH7L`28_~eOX+q=6F_R~eCWfratbZDt%Sbd4 zWKn1YvB>YYjTW=|_XA{FNN22i8)=Se)5C=mIe=B<>$^t&!}ZGK9g4F4e&}n^`Vx4p zG^|1)PHIw{`|=;a0kARxQ33S^R(b>}FsF%ZbLj*Qp_MU68cg(_Q&G5qy#ZBn58trw zi_XABzL?q#Y+tw`Z3}7Ek+onQ(}h2!J)|N(DX=20*IMK0q`=myWGMw|6m|Po zCAKn4qp?ajNqx{30ooK(kK*!gvV zq_mK+{kb8jrL-K&^fDh67Z}@{-^*0?sGxX=mlRvjtiB5MDz3p*Xl$n1>bHIMdf{u= zsFXo!)Ehg_TC_lG99*IH#+#AeDm5>*AJjLatacF$%17DZA!<^58MX?xT4j^6lvJxI z(5jo1H(t*EVp7&7Z&N1s$@BL`VL+Id5xMycO1$Vy5Aa;42Vd6G1CFd8mQs`+KtSPO zWBzdPa@Z#*^O*BXLNt#NF&D6z;}Pf>SP+Dvq1=!>sy~}P{#K1vgWl|N{V^ZS0RbnQv5_QYm;mrdYid>yr zRE1ma;78c9CnO3^S2MCWW0jbxs{yQRUt!WJQH}i1`VM0Ta8ThcDrqYj{#b`RRE3Q+ z_^}>&s16%t!&uqAUcrwQ$h(KCGA`5nuAs0n_HrE}9fcH1#$K*Rs-u)b%S`wnng;9SDb5VA8;uGrPMHiUVUJc=wAL1N}h{~rZ4*P6J%h#j;O6np1|xB zWjc$1G%Ybro3Sh*PRmSD*G9{A*P-t-W#JH5rjOtW?4NbcWGG(_b+K<+KPEwESGiTY z{GnhTp)hDYpUKN7ROn6jUr}w9 ztKVyqtkhY4!OS9Rl>*D^I8Kqf|B7l48vi<`JGa3eC%4D@@G-4Y2qg%2Lzu~}_)G3U zW;>>F+h~L;z|qg76C~Vj32G0tcDjrDhF9E4yj@J5(s3JA>23|$XfSl}UWi84;ZMo9 zkR`7E2yz~rrE!SC3nN2Q?7dktBDzRrU{wZMCBBtBMq)+*~|A{ z2*Hpy>le&MU;Tt;)+nsI^cmv5o$$p#3*lG}VVtVj;+pqI!p={i?R0O-EZCF0Bo|g7 zi(j4DLK43JwS@iI!lgHyR|csU9~u3)k!mx zfo#r{g=QYoXoHz;(1t@-gTO_;|E|+M9ALHPC(1g{=b=pVU3!3^-}^eNLJ0f~A-;F2 z$YOqn3`uNsZTq@#D!gw&LSdsn08K$l({R6x=OgD`goPAglHaF!vS^`BOVJu@OHg5; z6>=Bl%(=r`iqqBtvt&hapCx7T4;c$E|AmsF67};Nrnju|DTqH~uFvoPG2^W0Y_x1a8tW3!#`cinq^NE(h+#!B0Ad>U@9M9PkMbdAJ?PZT4EL(z zjn(w-zATQ1aG&f8I^dcT=$cDJN9neu6uZAID{O{z56|cgNKHU$uukZMm3e!G37_!V zkH5n)Jl3f>$pjfZ9Gw(z4%>>6#f~k19uLRBQG`qmftGrHbvXXsq2;u&-;dUI%xnX$KE z8h;qPoP`fM@v}~2@ms5UnW88`heEYcqVffU3E}e%iIj#(2Z#W@V??`0y<3c;)YFS` zm3qe5oGQf>KnZjNqyrQ19UlcOaQZiuc!g;YH>tWdIz&vuuh3mB3aOB2(zwrPo5+@0 z%VaB6*xBzgioe|Du_M4Gz5}DcrCBj6dopb}cUwXx#rvUbt84|b_kA2~{t8w0#&rlPY-@jrQ$;_7;&%vey%7>@>tS3SD-4UWoZHL|@xf z&hrTe36wTSb#+K~>0Js-`-&{WZ7h1J3XfXUw(V)#k~Z6))ylaVw?1+_v`m>CrYO7RWbj@S5l$t6~N-&n@G2+u=effBd7Exlx!kU2ZysZG^ z)M$+qN>et_HcF9JbD-B)NJ0EJd=dN z5}mM0^RLzBzKjkJX`Rrr9USK{Nt6QF=16SxZ9DpKK&oSc$s*(qP-$Q^(8?qnz8L_? zcJODNbb~23DjS!r;*jKFon*-#KQ6HMSEci6Fo&eJ8f?k670W3C1%Xw7dw&~bTxWm^ zMiu7hc#0}q?ErrT1VDCh8^z_$f*9mNtJA>#RDWlj!JwDsjcUG2^X|BU9-kpnVC#hD z+w*1?p8C{GI#ovp&BHOKU-ql55;(84)vz@hY&*oNWcsO8>2gz&_{%mv3>Y5t-{ZsV z%UY|?5!8@(*)hp$I#Gyz^4?M{ztuuGfTC4#-6aiy7Q+FP7J_NCKhaOdYiNYwJ#JoO zJ6=F%TEc*Vjxj~~^=)%k#!Ac7wr>i@^o*&ncV9|j%Um;VV$GQtR8yXL686rhH3KT| z^xc&U#)(yV`l4|IW1gjO=DqWz?R}&8#03Q36tkZ9^d&^rbf5V=WyEmMle!z!Oy#j! zDOJ(_kR_!)N%ARrsZ?G{TT&cGEgc{UYQrKAb?P$OjcPhDatN`=>9?rjxBQ0ERv~hi zWGi#1G_KEH52nb;tM?z*t>Fa4L#tybv++1#*0dKZ7ng-4sYo@8+%4 z$EVgGp}Jy_*_Pgd6n$&>6Ao63-Vs~{AWff@x_ZMx`&RuGItqtHhd=xPyXKy8m;e%f z_yI4?`Z+5lXQHLPwMfw1(ev*9G~tQaKl~7&2|OZu$^#i0zo4pXxHJm~ZO}a-(e|ue zgNdfMDRBj+d-`dHyKB^&W_#waU6_e8+++CVTzt@p=Ox<4{h>pDS%(Z=I{CqnPb(IP zjgLeJ9nT*>)HjH4SZHEj>Wxs(FD7Ay_n~c}RrPd?dzT8;I7W}&J~icpkP@tSOl;4k zuLUm5S4!b;v+QXB!MJn5Y#wdiCvP@!Z-UA^29V|5ztrDm>DC%tt?($Gk}2Us=JK@k zi7KO~@b-9jM^jbmiZ0~*G>Yg1F{{>_A*CZA9dw46fhO?hbM*8hUIG=h-rp?SR)QC8E+O1iAM zt48}Y)wEo+=C2d&lT*_I(JmGaehT08g|#wtREhfYs*Zzw4o>B!)WO|B8b@TnQ=z^6)9Msu1)n))ycjriW;(2mrP&K#k!Qv%?&F2tQ11F%9CF7oIU`Hp1?(4Cc|GB z42vTaqEFC*$E;%-5^mExiBIyno`S4^h1iEtNI=c&zuit(=rSI`K|mZ&oPOEDM-d~} zq`NBFm5DzYB)*uBHW&{4pGo2dCHxp@LZX>)XRlqe4H5P@KfQLWJoTwS2s-V%(G?HGMk`5Y<1JHPBM7&8*AIhw_f7O;;gM#U| z`bvK+?!8?;M5TIqU_-HW2p@MfS&D#%o)a6@r_2}JZUG5NS5!7nJN9t}@g z>l7{eVSXycTFO4L#1DeW$T#gs2|bo6xLWT#3rA?hhL z)atkl!FqmD8;}BIX9VJ$Yrn?_9m)SsO#6xCyg0hAid*;stwWO17NWY9X&Oe!;OXb8 z_z?sJM46ciT)<*_$4*DNiEVKxiVPi_<;&>AB|KZLh>qaEpKg#_(8}h^D5ixwTAS06 z9s9CwySEQ(tyV9~V{E z>B@UKJ4%VEyVqd{YH+HvW$b9DRF%Du9bMa)r9aHWX*#r+O2%jjwHi-SbOqDJH0cD? zD`vS8=M)+i4V&m#7rL&K*Dq&bCFnqulC*iNv=&&kf73{i)cudU%(k}FZ{b;XO2W1m)o<@Z*p#eoCk~((!TZN9lblCqq803- zLv)*FY5h_ru=9V%4{GTXQo+Pgm@+$n^2%oa++=6e1V-N375o^LX>^+<)hXQ@v^Rju z*;M?8$;Wc&kR9*SGn7-y&H#>Uye}w;GRcZ4K0WZ3odF!5@xB0f73FCy3i`SP{(!Xs zOgBz0fh&*u(>w6EABX+NUH}&ULg@Z7=|LCV)M(FFV{BpJ!x3TPZ~pv|Iuh_r)R|lAmQSJm0QSwYQSE|12Tw2!pWDb zwH^=ERy?T6=-d@VW0vFgXPtY($7B6~`?zaG#_bW$x*eTjv~DRO^vDQ>X2~ndKP8Rn zJ(C?wZ%u~L3Bx%ruyWIf8N7l=LCgG%cR1vrPgwBq^pMO|P^WQ`?9TaiolMq3V@|zd z(XorozsQ=k1+U?tYkkhgFCTC8VupD)cMr+#tEAwdWrusKQG>*%wy6$|E4axn9Ic8| zr>_OOTamYMb1QE3kx!GDDw?yPA2Qg%^bWI7ea7{p_EL- z=`}C9uFN+qTnXAV@EXo^Ef0XBJ=HRY?#sgtLQWj3b2{T%9RT&Sx_yJUc}_eeQJj>o z@wRj=4}kjxv&h~UQd_;obJjCG>QW_p(x5{PZ{%5>u{MXiP&c6l;KSG4oZACycEkx? z9DF~Zb(6hodLyiw&3W(Tap)dG^oI2!LT1G3S+=ljkMPI41FHHS31$4*T!-opZW#I^-kf`d(1R_a@^nct_w7CEyg#sl92L8uNr4z)2;J7lxq|mq*u34~HoL zKL2f%tXF$I4|;F&m?x4q+9_X7J7I}8L#BFooJVQ4Q8492QJ%T1BoG*0|5mP2rqic% zuI#sCY|6ul6EypBFt!Kvy{%PG=E#7h9-5CjkFC1BTsU#PH)?O*ow=G2){r;hMd1oB zI5kHjiibFsJg-2i34q!+IEd?`y26u3XKRpAe;Ad;$_{nvhEb2^ssT8YCEZm`D_bXU z)*9=qcpxwRv}!rNX_=;h-8J2ZNbT!SlrX#2c*ZyGGTPI+Ikc8`#$(np+A-%@59^6s z?mf0+j?O=~c~UdqQLPMlWui|z&|I=ryr%oTm31*F#+_Q${=%1Hav4CKgWk{ zhFlN~-^?+`jJ-WY}n*q>F}M@ae?r1+KPuvuNiw0-Cj zcnI2n#H8p4gSJ1d&d?^hjq#MYugKWrSKB;fq4<7AE_pNnmN?lqKwnJ zvzdtyJ|9GfOGLNb)&gbSoNcd-`NI5~ujb6amwU(?&ewX}olTrnyD~k%q1yAySWe(y z&|lTrK;635jVl0B@qlqTrt6t2+i`jR(c?=@b+AcgJIAn zJkxVrozsh;Z+6lx6FTa@;!5f#U2|%Z6};;h8}W(01G81bm?wz(0=%Y_CYC#;UuR%3+LJPXDGhm-e+5}1%*gwi$8H4X*OMp`EK$unL@d0ZWDt2(VG$A=u$C@X?JX040rGvq@b-sbU* z%_nh($@~%@2Dop4%g9&P_eF89K3mB@&VV~;j7@p4`5Ci)e*ceoU(WJPn*JUMzeP&f zaaRiwD+wuL$H)L;b=MEE_zScY{p8oD<%#UugLU+2EA^I%uKhpYCc6w=Rh#^nW%&CH zxP!*nln0w%RW|%R=8I{FIE|XG$;*TXI+L&!qjS2=7%Va=m%bb zVNW=3z>rsI9-qY(urrQd-4%j1`&Z8e-fUu>cEappl{)iKRQ1_BL1WWy{8CiXr)V0eq(Ihfsd3!;(>XE&f|i$HtvIYk4K!a^M7TO-%nIJ&V$lD{0YulpPWXB3MrX(s@{r`kIZ+pX{A$x-$;%A*vn@MV9VfCUHTwkn*vx zIckliUsTdHCUMZX6QUkZ!faF_sE*N2HU)D|C% z_Ujc>EPRbx3ri)9EqXS2(!BnUf2{d_Itq=A50EtTb}F&|`9D_1VH7$z{^$Rg!LfGT z(5(?>>jAs88-nB3$^FX=A3Aqvva?Y2jTrNG>G+MlBS30e%9U~&mhc|)v_1>^V94;O zN2cjqsj~Q@a{r#E6Xj7Q`zWu|-J`0YCfA(d(n-o2>dY)}x(1Bl8=d|KrH>=5i?2ye zdwC|&VZM+uvXHrojj=C~MjL+mi0pxIuwLo5DC^mS?d)lGuv`fwIEUBS6YC(YXT}Bb z7VeH8LRTht5Q}OgmbCga0HBe1{Es(puRpx83I7)!jTfs{Qd^x(-r8TJ_y2zL-b%a& z8*lE4@(s1X-W;ps%`U27DL4aCK6O1(fiJYV4sUXG%C3DI4Bo>iC?_xEEVEQ#>W z;ac_>EVl%Wk-!)Uh*QcP7$X4}&Zfzy+YV;|*c_W^nk-Y0Z;JwJsKXRCn+dSl3l_FU z{{#p=H1%7TYHNK2gL&zTO?D{uwY39 z*3stoNI-Vy=uKVbw8FFzBb?@ni`Cc<9Q#bfapH;D6~tKV$pYLh6qCrY2vwP+F+`W2 zeiVz+Dff_C+DvG;v&Atpfl0H1ZE-GxI+C{}v0sHiPYWE_8di zx#%gtK{=ZG#9v}~_6T+kPFVZ`yN9Mq-Q>X_QTlfXPgjw{Ru~aLYmb3V7wH^(6bvlH z_-(*q{ZOWNxWSWtiSQYl40y-*u$elTZlHjb2>c6i*B~IY7b1{KDlnFLK*MvFGeBgO zH7-M`r-7Mj$1bG6mIX?N1C#5c*sQGyKzi?;E)`sNSxM`lmJR^kR?5MuB?6QPGz>QE zsaDrHaWk4>_eqiBJMfss0?1fZqAcN5KbZJb&Y&?jg{(a6!d;nQV6!M=eHc+@C@k41 z9wiXCMy3EAqcT=qC*29FPSkKUW&&eo0+L(zZjwjkL|CQyR~A<-Sq?BA9})!uG!~FC zCcvaTJ+7H&3Y!JHNM)6^WAa+4^(zxw3L0>Czp!elp)91BzSUq9;X}-lq^HLVcy;q)v91_K+EXf%>jB z0O#Do*_^v$W?moLHeywg=7a@4N@LHw4URoFRAFNqpQEm@*_`60d3eESeW$q&F9HET zN>wcC{Zqdn*CfZ->$BZIY5Ut)4UE;mu{wbkgZ17S?T@e-(4NJpt240p%aUab7`N zvdA8jQZmj0a&(PjsrE_)S&0SK_ykzo*D}69dX=gjY*5k9A}N!nGOd#nV=-1H(EN2w zckW{rC%4D@@G-5@u@hDY9yU-C3Z@z$zx%ME(ZCoLpiSct$1|ccf=%O~u{noT87S_; zi34}n0*Hq6%9>eJF#e(5vt9XesEcr72z)JcWH2Cu!TjL2gAy8LcS)(*NTH6caSo)` zs0rvXh1Lo8=|ovP-Mj6CDRu2lA-s)to8h)Z2bju;xIln~MP+0)AhgC*H7XA?V|9KY z9NkkeU{jg;t$Jk1smABfMqq4Ag29C};Ye)u^Y>RZAXUdr!=`#BRL$^o?oo#Z74#?o zn)%JdLRJE6WfD@Ye!~WavvlIn9PXE3_TC7edPEELK~7H(&9O9v3JmB`I#`DsPAs5Z z2OJ3LQ8(Q1pbgGpEX_KM(4PMk9@`NB)~7fI;%Fjq^v``sACQ?hHQhNn8kjJ zNq`4L>z+3c;r;SD$r5<`oKG?hFc(aGZ6yMPK})jvRyXFwE>zL}kTD(rE#1bxHPZNE zK@R8}V!*)gHmX$TL1$Rtqy;$bTKfgs#KluC>tXq>?69^2Z98ymi!e_vi&{3g+y}{7 z427$3BFG=&hz7f}@2;$o^aWvc3>gfx!6|gw13HD#bW_7hJvqCXfeABTGZboa6q`0j zhcKEBYGBPVkcP!!c7cLt0b6v&1Ov|OJ8v`6oKd|yENH(qRwtl6Mb&;Xkh_Bp@@{c4 zzLMb}fQ&YTy9s_g&(%;Hv=6FJO8M*~d+0MXJs zp6saV(pUJ0hSsG(SZooA6X@Ug|ky=Z59}O0z>-^6ryVjb9?;lWDmrwem8hd)UGk)a7BFxr^zPFO_RzzzPH z!cnHX`oxb58NsLJ27eAeEY60wTg7pf3U=~2!dnvV?B~-OrwY&63P-uecJhtlmF(ji zK-}HU=Y@H67hfOs{kQbs$uWp_7)EVOtdKX5;q>Jek#?CCV->LaS5*7+O2TbssV$_{ zGC@=BKm=OBT!30-AA?;@cTu~zRdzn`1*rRww-TrxIDMaCMB06Z#aL&b;m)?+%|6Z3 z{c&%;d=-D%Mt{y5UE8iMTp`*?oA#!&8#vI?&1YtKddGDx+#jD+A!K!golCe3Ri8qM z4754pVpnaS<0`aE*QbCfRRLa)f-o=V!6;TzbfR0V=rQ1w77av zmDqk&RF2x891CL78a<~f^2UN&+KWK1UdE_!@dH>6#+_XN3l)BTfAb~y&zs+VeRELs zVK|{lWX+e_*}&43}z?3wm%LODUIStJzkHnoHDfz? zQ496SHHul_!tf&?K+vWK13SRVY8FX92*_DuiwwcGvVny(=S5ZC$zUr1#Hs%Bfq|7d zB(D(vX9(&<_@4pPXAHAB0Cr~hy^YjoSwtK1*wTo>8+<32izNoV*%$FKODZovw5;oa zP7-4`FgU0SIoQHtEM(A%IYbbV30iXB#4(*v$^>=73pO+e>O@8v=pf#ccfctfEDE<* zbyo(g?@HY? z7;rBYM4m0>-i#>H+voI^%qdW5eR8m|{aWnLihc<3<922_Y83N*h{z@f-BWTa$EJjA zz+ClPh7ByvAoC0hiU2#ZIw-80#D+T+{Bs<2U4)aT$;|+F#2xHTsuX@*H0RCDdtjsI zO0io(UKrkCyfzf?9Mbdv$M4-s$ITlt+-PC1*cj78VC>Eyq*}-GS?CG_+HM*fGgVsr zr{LdDwMT2xN_o^-N|x7@{F-K2ICW_37&=!F0J_&~m>^`2kexvaZN6h9Y)lv-+tf4( zY>3wE96a2PY)|`=p=`_2-aV5foV%fY$__`FYGe}XV zs$i>1y+XeIurVbb^&;jAv?@Vw%!xYp*Rc?Od%D8rG(k6w?ST`Ij*u{r%WI@oUF1;< zvFjg*CMQES8?SB%4p^B(B3hXwIGkt*4{H@tmDD;4K{$S*?P#d)jxZhh*iK{PRf0N! zf_`(5do|NsL4#P_JOi}crr9fnQy)S-6-|8z`LnF0uJSi=%%1sGCfJ#QQb)4U$eIE@ z))9XsvW{lQA$5o^-yT9=+=(0J(@W41#032W8!-k?I1-_6i()jMRtg)n4JktyW)O4s znzwLrH=egJjqE+|p4vu%J<=S41PW%sZKQy_J%glf4M` z=i55K??_k=X1795!FPpQZPU1t0iW41J&sz?n(m|aY*F`7Pq(Vw2o}#TcFn37cUxRf zQ93Ci>=Y!?Vqu`KvueSM+LFdv+D#BahiHVHx6~dIkfnI6SCxqtJeq~<9dQZ<&`RQ< zw?_z|D4u&TvkG$Hi~~_6WAS(7br-CaCi0*O^*&e2*b@-w_!#N>9OFSpT-JxQ2O-d5 zGK|GJ7WMJ=wverLv4|T{Tz=79iXem7?3xw>H`zTDQk)=z>oC+`2{N?BfP{yk?~B{i z?po=^-F~ge-Xo6D@g#`2wa^em3}S}k(xoxBK)hGSSPvKrWL%h%H8L(r-nne!7-yEq z7>KQHMCUjTbQp2#R8S6V(Ezt3mfGn9PFi@p) z1qRy8bb*2Ntx&D$b>X8oQK&U1iX(HTPM1F4Q<9tK~U?byplXir zuVXTQ{6~YVCrbU@P9hJh5(~6gKrs5C+XLUYPNbp`d1b?AAa!Em)~& zqKk_f_lB*48a0_0{Rc5>0>VU%W2>v6Moo5LT8x^2452Qltw|^RZT8XgKAm4o-4WYr zF?{3b=QP5CI^ZN77^4I5FvO<~QbDID>7(l=D+V3=wUMY6s&G>*1@#!xv~Y_oMf$*Vx;q@kut#GeQAJAlOtDJ=$vs zK*C)))ed4Zpm{r{8OL%*?#&aS*K;^esBh7MPP|vod z#|g1T3A6s#g|>L~iB@VV77b41*Yn-o0&kQw_@MrHA_wy$c*wnQ=T)uojW8;t3lxxAH5l* z(blZMWV>0uS!sY<3S;NWl7Y@a_hy6LkzgDXMj2b@<&1quBI^KSFt}8Z9UG3kv7fG zRn!q!e0n8YkgbF6&hm5(ikM6VN(bo@>ra?*g<%3)!;6sKX zml7WQhr+)ET1v1B;3oL^VH5-ii|4km2efnqN{qirOeZ z;O4>$J6s_Y0sQ54bf-FASo8W-vT*oM;{5`UG=Ayvmk(}@pbuGfUUm;K_(>r}Dm}Ru z!V$6E?HfabsZso>Y^nO*D6&67<>4?$lOxbJbtfv&HYY&tiv3=trupGmSI`?t%OZ!v zy;QrROrzWR`2-8IrD{8*iVk5{x2FiVzL36v^aYN-z(SjHj79_S8js;F_EDOf>k}7) z9!4<612S%|C9qWiCa(kNd}pXMcF`=EM(4W6le)m=AsNfyG?Az3`}W22!en*rFQ zYX-u<0x$2e+ zs+TtEs=|qS*k|v7Hiy1ErzWux{Fw`kPRg-46<~ZtK^MMc3&<&<&usnZ!p5aa;UOxc z{qT5Ktv&`@{b_I_yGUW7oj}`}hh>fqqmj##A~PqA8B=_4bs44Enb28V9C&)d@hs%& zsYVHV8s2&6)A$7Z;RH$9m%5?|v;A0xE-SkJhxNl*54Qdwj-{#g0I;N!R@sGK`)&=EA#=g;(EPS?X0mTBY; zKNWnC(sllQz(z{+u$0HVPWMT8$Bd9X2EVHZM`}B1GIz9ea5o++c_6$PjhrT%IGa5V zV<5Pgmfk99I~b&XPXQkYDW-IO1oh~8EFd>X;_#dt-8K9$K+nRXm$ zd!=*m+|rq+9WyrPT+{g`oU_>a-u-n>by#Pnza?Ey(m1fH=;q)Tg}f+V4s{XI#t7XD$2;@qeUk^SJe|brDx5`)xdR=< zS@*uR`4PmhmbBcbxoQh4W=0rX#6GQ3EM7vEsaYReTE@z0%v+_rxYJ|cX1H_r5Y11E zqld1vj+)zOo5PKnO}AH%aFXc}ta=RRP$qXtStfA^U#Fz1Hqg8zJuK8?dT^JeRW*xW zKTTFmpw$Ep9H}RF>GS+jsaYpbOE{K;v5IfnKLXiz%{j#*PO4p*s#j07<&)>b?E5k- zx&={+gn5{J51eB_9Pt1x58#C8T(+xWBg4aHOUA$z#`v-wjIMMm*1S$Lt)NK{l-8z` zVZ+YD7S7>OEFEGj&3EYmc0%kS>ND&^fK3Uo+%jf4(rDQBHDIT&mpbc4qcZ^Mpp9z4 zmE=BoR=@AlJgGMKMRA`&i)eORM@tS{zE*S+BZviBEFhTx%*`QVPwBUTc~0cFVNOlo zo2iR5-W-qVe7W1~TgZ-2tol2Rg(fW27X>X0VbH^<`yx;Awcp*B#qkjClYKG2eZMEZ zZHeQD-%XeXtG_8mS3shHhQb1WIEKeM&C+kI&2R(o+X~Quc9PJA!!d9Hah#yfz(X>B z9!Vd6BinpX;7W!XWri(_kEQ&I%Qx|-b#`8euf7uRbXt~lPvkRvYX*_c94Y&mxe)NWH zd<^u??>M=Oj@fKmv=PJ_jfBF!x+&m*K<~H4VR{k?41y8NrQP5Gr-h_U#MxqZ$N#%Z8qUR2DZLFcd!pB6d?oH^<`4&GU#!Rfoq zI59rn3Ikv|W=mY$)0kR36>CP-ab>!z%+Yd_H4S9YAz762Kr5dFabHG+pBpqMgN@7AaQY^d=FR--z`2>s^&6DP}ZX9VyN182t7#%4lAT1RbTa&4jfDMPnS?1+N?fypaSg%X0ICd@b(FAeBuir)39b(5 z-Q8^OpjmZOVc7Eu4g@pjf{}_wC!=WtLpT5=utI?bG7K7a<2J$0Xas&gJ71xiNsllH z*pl8FX-lt3m;($Odz;{A76b?JUs3G`RtZ|1>bDFcSRFuDMmyZLqgrO_BQ{k_U{*7P zt@2KqC$)i5J8t+cJ0^J@GoCrfzSY@r%z%D!U>GCgFrY%6uFtzHv?Mqn+9sG#n%+Ex zAc5{YtTV^VT+&(^w|$K!7A)oud-ui8HGO?+B4|J_@Z8y)wx;jy9=g+b?*d=oKYaFR zB2PVvYckMMd?F6WMxeoSS*W7@0hVBIqU|lPzSJLg3LSRYFoiCQa2hx zWX3gOH;v(tuC!Ro#UZULxQe%7G6>bqx?FvId5W^HV=I2UU+yM52cn~V9KmxL@mdX# zkz*AVj@$c|9=?t&q3BwqtQ?zK>7dnigI`s~^W(YwZURVA{X5;qY!=dM$pGzffZ>jx zAAaD)V(%ktiMOWO%^f}WB7=_swto0wG)jBl4;w+r0Fe9AQ$bTUokW=d=*PFB(}2Kw_?BxRqR>5pV#jrb=0>E|eUuk<^VU{4IlOZF7Lu^HZ+_y>*&% zt*0kj`^f6SS=Iqiy8~}cjDlQ_9VFhY%XGSZ%E%J9fSg zw14jWh-#T1cKOikQS^AKMFdhIEgR;}JoN<485w30ic-V72znQj-&8yw162hiG%@$o z$9rED-dL5aY7^DFhec=s!2nWIfm66@v-Yl1ttsrX8J>o3Pc{Nx zbSOTyS@LH@P0@_pp5TGL{oH87R*J%B_CpN2t7Q+x^b2B@(T9FK&Tt27KP>(%Q2cM; zh-M+gkzn})_-qXk76;Z6nGRrswW~%5*48nBfia7|7gB!~tCBF^9e-+v!|eC5F{iNy zAc`lj`v}M9tUEweZ6rhp2OH_?&!0pvJB1DTlfLQ5-AXSya>#hk0jNHp((^5H9!kG= z2%zfYF6Z7LoOaV25I6ZTn{9D$=j-6U-PwqWXN*7oualToYG({TMf>t3rcv>%@oEo0 zP6R+J9|ED;D0)f^=+lELh=!2?qwO5V=*yd^q@tm+0*{oL%Fvs{|EI;nt*UnKQtj>S zG0o!bZJI}=S)k__ZQnHp6J-vclKZ57V{W$875{&4XSduolH~h)Jq03q;)FYP&=$T( z%5masblcrMJ>%~7TAt~Ry{Vu`Na9!`IRt50b2YEAueVQf>Kh55koAY;-V4(rkd?m# zSSVB#3i($L^_%8y#Gl*U9)YeBCVW-TzS9<$mv5=pW?$PW*MUd9E9mXG{3w6TFB0R|)pD}}d|mGk^{QP?PAH>>ZKYPfLB}j1W=(Rt+^+BBFA?C@>zkSf zDvQVkx@;0z!L%zqrVN3uRrYte>3G=P@jz-h3RXsmH45SG>QD8ZI6mxnmNx^AFww?| z@;Q2x{^6T`-KgQ=J>y;*Wx#5osCw?GWy9LHmt^yFyF4{V-#&FcH`@)5mIk9oeEG{y z$+bi{iOMEKQ1_zUDRzX;YLw*+f(Y3p2il^b(Kx{D5BdM6Y@NjNL0&sLQGXOQv>&A^ z(?pvl*3<-`-}1dtnJ8{$9Y5~G`gFh7Z%znz&)r>{+j>8i2}RqmWSgVR68(;aHB zUAOunsRn-27#E^EFV%V~+r4&)$D8q}kkV}|_h6cK6YrulM3pNBAO$>zDjP<5biK)eEb6A}=M{y;Gx*r40 zFIa4Fh8~uB%wX*kYo9p#U`%&cV!zyOR^oUo>+$XGZXJncSir_1FO1_!H@SCmFyU1m zRo8VZ_g*hIvj4M_RYbqc@<(?ysRu`myIZL6mvWpfE0jE_`($~u+-#ML$6)Y>`bG^0 zm1~v8D-wCnx_1-1SAA9!lMYooRN=^LOfAzlrR8nKBx<+ot=IL;1fH2;Ffbugt?~ ztFQq7v=z(l`xs*pbSzB_ua~O%Qn10VEpNQCWw?C(^N`up@+Pu5K5{f?6PPt|r4O~z zuhGLxC19KOLZXdShxzOqd=J zov{a<=I)HVI(%mAr9S7P%h!IJADIP$`BD*hKe2(~2w(IcnSZH(1`o}X4{k$p zsW<4T`g1l6xj$>8;k5k3SscOkp*n#~=|!2aj74fKQtx_V7fblLCFaEV*(HtEC8kX? z373|LcBwnSu}-xny39hZ^wT=pVlcbK9P(g(%LJmN44nsL!b^lZDjjgVtD@O*SE_cU zo5sxRk91&!?SkkYu5gn~%%QqzCQnh>wp8I%6^7@Ygr0fJW3=vMo@UyD)93X>rvur6 zcDj(7;%#kz(ib*~;-)DXX}-}-slT%&*|iaIeqVX8<6 zEvccq>-eNIV?O$))152lia;aZbax#i}WNM<#$+ul8j(|$b=l?Wwk_ScF3 z%eIFuB9b^QRi0Dp`3KXMnT%>`M`CuI-PBvzHLH7X4ZE#&jH~{XmdB%>$Exr4p-Aa| z6OG-H>JmSiFNykchE0c#{3_Ul=vTJ=QD!>njDKdiyC$t(WXe=8aImBF<52l)u-lFk z)a~QF9ov6U+qENM7jMUxg6mIv7Z~A6$R+14vg?be`RDKJ1s&7kGE5b>H}CLwlq8RflAAzr3j%?_b~W zHdnBFXaCy%uY2FEyTJ&o=Tn>e&X9B3DfM=^C_t5defj=}aX|2u**?P>rSu_F0Ox$YvHx515OsG_ zeeb~g4Fj~cG)r_xxx_|ZKkAF=!6YyALWcVfZ!eR2t6y)H*ZbF@fUE+OeRr_G=xz{| z6-hGY>1sb3THi2vW481LI4@j}cQ3~$H4x!-GbzIB28>Yp9f?rg0Gda6bG;9RCkGcg z|KUIRu)Nt=IMN_Be!l-~pQos=yMs&V_QJdPdc0Pfb-gAv*I-oIkI5|6^~Ph7^~{nV z^y2IG`*<)1`P(9OT^sUMotPv)sJ~4`4^Yk8NHJWU+ou}C)UK5cQi)0OqgiuF27=>o zn=c*WyPWTQ2+pI8!hIbN%8!8Ozc1?>*|()j0!A6eHr8l&t&%_MuT0bZae4i5$%D1Y7|)ddi~f{%^pC-x zP0!UFYBkZMdd|VjIen_u-t}ctI%gXQBW#_#RnPJKX8%~{#oPCnUkBq{=}e5O%Vy?8 zx!%;vq4{`tE1fY>S(>TS zn_KnRq5Fh16z(ZftyB`5u`p!WxANa;J0K0jAcI#FH%!*W1TZw#A=#~o-x`SS{;~PT z9UqN08Kax>KR;gn$J_B!z$6Fh!@6%@k3hTrewE)o_;2IQ$9~rwZw_^&_u{O^*xt)K z^9Ot2D($tN=mBbeYdnT-z3Doh`0pX|)pEr{b$;qGk}CavCp)v>=~u_UU8zStW=JP{ ziZ9-O_wDPilT_b|L-2aNX`tbdwj7N@?R3MT_v#CCru7E~}>t7qzm`iMrV?+(9TsK&iH!LO3nhgwIPnAc(xqkFBgva4r8 z)>X2S9gE$)9TzwFf!u7izvqD{_xeD}S8A^AL9HGzuVbw1PrkZny9qJxPRHLhXyso= zJ%1%{>^F(}ZdRSCkkLTpV0?YDYINq%f47)hRBBN={EPlcZ|xEzRq~W$85`Mr`9skp zeI$!lX2?U2VA-g}zvvMhYCY)q-Qu?Xb+j{CZ8o3Oq9na-wOiNfq0;sSztR5AjX7z< zWfOj>zo`nMW*(QDt$A=V2y`SV(IBuk8_`%yt*6WO&+&o6Af-hgsq$8guvFQ0rOMmo zqgs{amQcO;@HRM>S9w3>)_oweKmeV3QznSkC{a_;?Kk(3a=a_8vyg5#@i_d_f^Y=N zhhksqYd`r#NoxPJ)d}VGZ0hANKYcxp*A+AS5<#TKQ|}J)4AZNd+fXo&e23o-W{2Ji|Qyj$LfOM@}6D*IR2D(fdEH;3hY^3Ek8dGXgb z??OL}djAy~)G5Q&=-5)fQ)}J)rg9Iz{qqV;RhL;TVOC0> zu1?$Isq5K2{LvG7dPTk7-UZrsG;}H*Rp@27P#_fd3`o!AX-mCb%{ZtrnYpp4&57FF z3(buEk7i9B8d|teC^Rz}a5M|@+R)6jfLVYr8k&9;Wl6I+qwz5%LqQsIk^!1Tda3s% zeqT4-<6#$CI-)<@#Ro^<6FOrR%iSN{H4s1nvqs`u`z-=Fs+9%u^fx%h7qKA!okwYr zj^=i$Q=4Da$A`M!y7fIUoO5ErximWyEe~TYY@-+p&_0~Km%q>5gcH&$XWt~S&tL7v zvuWb=Fndta(0{b~Kz_DcC*u8l){{a|rA-(PuV$>KhTwZwPmja7=mld}i@jE>#Tu1K z;H_JC#>eOd1dwQSJ`D2;fcz`$n0|{orr+#^CpT?WN@KMG)a?qAe7>d_#T&LOy?BQO z?6GKFzAV6S>6-%g%dH#<`Fz_5GF+T2Vr%y&?fyteV2d>&$@a8yFfMD&GanNb6UaqUL6X=Wyz-=_R@H7E<4VtZpI8a~l)A@od`C+ZZ^qXxBHcY^@(Uc>=cw zgh{d|xOxIj6+?)-D>Y@eyxOQo=`YPQ0yP1JFS34Y-iKg#6$$P^=wqtPiqFfslqpY_HLNi-J1q2;FnE z3Di(|6N1Wl)OD*KZL#-j;`nxV>^#xJ!Xc&HtEfl!EGkBn=W7Z|nY;FWbKESQ%4`hN z{y72G{%Nn4*2(|rp5!QAZqs9b(@!}}38GijhGMtcj?W<$fKA;tf$K8KY215T95`t8 z#+rXA`sLMfyMEZLkGJOiALQbSIWQ4@=e8$qI}(n1t5v0e)o*BRt`37-Ur+U6UrTOx z$-9c(g~Vm$gj;R-=_e}W!j2~O9=%9r(#hKF?Mtmoop@tnJiXHPqJ3wd37CyY6z!6r zr=FRB2Yci9i-#tim+sez!F0dci&-bLaNCd&%b+WeiF!4u&xIyY0>7gVKfUyoCA_Jfzz`e38%nm#E`x%s(a%FSSu(sDwOoiW)nPUz4N8}88j$uU3q%H!i&GX*Gm)_w|{>ycem}-+hV_Swjj4jFM+42wBhtUn6Fzwm$X1h}pQE({Z zF50@HGrahOQKtFq8AEZ}m%UYTA@u^wTC8^uTdTSw$G=@kuL;4Ue#egp^?)7b?n*jQ zX%kM{p})xo$9iK9i7od94&-@18SeV2hdBL*J8eI1W$~%UVvCK(X$_(=46?aF1?Uc@}+`?^6 zUYpH4pUbW~si2)_>!tXL!0kJS;N0t2Ig7UEkDGUGJ#+osGDN+&%Et+K7{qQ z(J7nmPRKKckz#iC=9f#^{cziOtjRblT*g_L+bd@uCv?--^5lMsIh_nPz6>i?-kt*I zjV_ACoz^@EHY~RAx<1yc_>IAata1mh)L#4=9+Y(BIh+08 zZRYvtIDAmR(EjR*+d)Eu(a=?SqXm2PZtf))#Jb+!?H<))SaE#Zt3+hI4MTjii0l8l zt%=?`3hd{Wi@=C^_t!k`T>hUwCf9AQtv~Abm)9iC+*l<2#9w?M#Cj}_WG{bl8p{~j z)l;3Lc;xa13XR4==D%HP?$F4h-RFNo`~7T~8g*EFkT|uQE0tZb%dgJ8+g$6cs7se; zcj#bX;udUP>ollKo$s>t{V6N+CvG>5eo=qmuV-Mq{mpDl{$w^!~y|1)!+U`q@!@(69KCL}w_{4stHmeM@OP9YTtBO8H!rqt>hEvvT`3b#>nt^!Q{#-RnZ2)%OZ`lt7{DBXIkAm=7@=%pKG@yKesQX&@y+MF>f~S zu3ATUuM>1^WIxx6EK?WPjkvyB-i$@%c3WK`l{DHU4Ndgsv+&a0ZpUxTX0X6FdG~m{ zm8bCGpai!LXVFEs*aBPrS02&G30v6FUAy6oUlL{K*r-u|0erhQd+ep* z8H}?C4js0{nSqkoVo`EkYBgD`<&10`CgD)SmSmu4@u~(6&yi?4wWA7rfZx|1} zwQs7A@${#C*rWdJ_&6-Duho2tyzY8aY2#M@eF(KNu^Wk3p|3gN+r!Z&x@}9pYPY6( zYuc6un%O>4s5Z5E9yc{UQWj$eZqFq-H$2Q-Dmt0}GkGRGfcAtU#nq#@Up61V96G&{ zw|M1oN(f5jTi!@+`rU=+2BQ3?#_yDHoB+v}4aR$YN+|jX{Fncwywr+xKk;YVZ1poH zQLmdX7?bsyDz9uP`t_=3f{hOrW1c#iw%ll9K8r})rP>_~-+lao=-tOCc>g7uB&}Z( zZ;)p?-+a8SGPx zmXk6rQsaV~2@u1XfDmms7eJA6Z`%5RCJ6>|w;^hOFi)AZe0Ypc5#m9mkr{~XOlPIu z(Qoz-N{ls6bY6i1T)E*?L*!}+%rQ{E{Tam2q=N_zD1&La0z*m)v-?x$r$5>x(}R(D zLtAS)(}%7(j?b`;oNm_yyQZUAH{xS0JK?)yKt8pnAxYMf9$bz+=^&L3Qt#j|^<(0` zX!o{ptv@gC_kEQ%5MWzX=i+<&|M6k>D!F`f>GH}pwR(`)%YLV~x#viF|2w5tVWToi zzedfrG0%2PZ6k>u#!fMpub++QpYKdHgb$){vJFu7%`#pg{Dk9qctqj)pI5qU+O)Tbnpt~lN?t9(rQ`9nw$b49wY!=UkSP%iLf;Hm0p>uta>T@V{SUR-m;`)nm6V!FY1{A) zTRY?R7xUVo{2p*BZ(!-*u{2}mpI(gCe{Mn-OtMf6k|JGzUEm?G!1uelgfRpfON0q;~%aYQhYQ9)z@ zJ+Z`&9AZf7kagyy5RK+xfA`2Ov1efK3vS~XuZ76D3#cacMG=E~hn&w=5V0$Kh)Ec7 zo*B_YUdu3|e#SG0LTLjrG*DMC${CR&jK8rGkn>|aK<^NbkKhEJ$`fo(qZ%nd}a~{m$!$j@%^G5u6^*mT6FDQM-B6?|nMnk1yb)3Jx z@ZGqw-9TeSONTMOwSns)D_b>!b!t(vE4z_5ENnG7!P;>Jmz z@FFK+(KZ>VmyC*%uns%QB~+axtUJQ_BFZFv0g{lo2KW+5jHHK-os7rG4Ote$aOi<|L zb0FOCRQJS5>fjN$|J{nV=6~TR-2W|e5Cs!)Zz6qisJ*FlCQd?{GT$DKx@jxTy7}EB zZ`xl*(%KW9wy#%0vEKc!#(LL_)vuDmf_-Kkep1L!tiz4iDlN_5KTeHNA51h)4`tG2 zkAz|#Fa58!Mh2NuWH*LDxc<$~=iGy|lfS9AT-v_qDzu7e$X8FdMEewsiK6!$ED#2H zqSk*%)?vC79M3*(@5pEHF!xm9xIO84Xy(&xm{KK1K8$?NbsPx2UC=UHBW=KX{o z^96~zcOid~=1ZYd@6f;QZeIHKi2>E9+Zl0@-H+(lJ}D~gOpc|K`_u8XG(-Ov>P>xj zR1;6swm<@b1lb@}T0)H|QX*myA&n|vK$IfABSngUpi%;cP(+&kkX}>}1yOnz>Ae>b zkrIkDl_DS@Z`AL7&-dTVoVl~l-g}?t&N;g~>oPL7Jii)vx9;kzBV&JoZJo2G+W8`l zae`0d?>yN4F43f4*f+4`J}5s_Cn(H#H$gMpJCp16#D8cxVDpgAeTO@TDd02hCqh*X+RNQ@gPzTQ-kd(=wdKC=B$exXf$?Lq z%729x`H$euyWR63ty_{M=)3&P%VlqBUi=oF9>(}EjNe&Zh{tMNj5x8|+O~4>G54#r zv`^1JJPbORbi3`5IKXGr`DSjjNzP+ZM65Ek$49#}>|&RiN9%>)qc*hsVB?n~`PqZt zb3q@^ajZCr)(Y&jK|F4V%nSW`D!0;npu}j{mtiqDmzS8vyWijdPWt#%X{ylmYJ2UW z{^aeU|F*oviN51Crktpkse9t?hp`TZyPU2=N7%%g{L5`i3Tx#{ojU{e3d8&s`$hJQ zU+bTJ_V-ii_?>Acn=VX0Ug)>`nBlhfa`QQ>`S|;uQwbbzzI@%$@0JdE;%yeJ-D&lO z)S36;Qe^SbUN@}nMD^sY!7C36MPyl8n`9^lFTcC8^#nIJ^n?z0AP07p>c9Da(mRt< z|HGP~#&h(cV(0f%-IMk5e3M~Lg?-VYlOel{{G@C9wH~#kc>Kz?^OWg?^3clQ!SRIG zCV>;?YEh0pB_kX5f__eM$e6{Xvb=gq6X$=0hv=UFyur+Tf6ir=iZ4hMKv z(chIQ2~Av0^*O|4az8rxRH|+HjhANr>6PxJJ6@*W9&H~!u9bdw@JKr-qo@8jQsEHJ zz$Yf+dVU>s@)g?WZ2_ljQ2aIB2(vVw?2ObtzQ&ZYnGBz)`q0BN`IQp~Yrl)DE=vo2 zSHEEGQ#?@O+A|S??!BR6eQSwn)M>9Tucl4BDBPhJ99zHL)8xAI-2n-ZIefBd#XR;HQQcXG>nP~`dNp}wx=oJd%KmsS9P$e zXZ%*$?kqpO2zh~(2RCwcL}zZ_h^`i$UsTB6kTPj$eTP3wA$=P)%}H^z3-ZJ?)wHEZx*Bv z(XUIA@s;r5ia$Y&9X2!uRJXxMu0KPUxePdok@TTrJS#WSDACpBAaIisj!x};nwy51 z>DER=)62j*ra)&-osPoiM;#?{&(CGbQxsj_tR~Pe_pUDcQPtKV-_O^TWPY7?2-3%* z225@@AnF7C*Vfp0P}vC3YJs1`j8(Zf)w@&HAUiw?kTf4D+J((`L!2m*V8`a=@ycYw1ZF;xxT3W?!*#i6hW^TX2s(&jt1=|>_Xksukv>^<*^Ascx>zZ)d zJSQoE)M=^Ld578jKj{zoMqgUldD|f9P5#YWJrmW+bG0oi1xi~#dY2HPuFP_&& zFpDyl*Xpu40`ys=4kEoCppz2dQLkUA4I8tdnF|2jSX*y$$6GU66b~vF5ySXWy~sL} zQwNV~G%KYCC|uFib$}kAH|q41sC9Ni?49@)<%kj!i*Y+if3lCUp$+kYJ5dm(0_;D# zWRuX@L!(<-2y~$KiuR!jhuzt3Czx%|L||ZJK=jzvTT5Z}&QclB_1ek={-}0{DASet z(>Jo>$k?ctQfij*waCWZ`gHdau^2W7qwpC?Nm)K}1~kT^zqQ>s^WLOE>G}mU?~9D{ zN+qt<(4?Lw8#*JB{ar^XfxQ9y%snT48R>fI3A^Q`ika36B=CyH|41)`&>-7(iu z%Uk@5GC_3#1QE~CubPY4?l12RoWc_tjmf9ebCc7o?g3VvC8%~TA z)ghy#kkVWRaN@7N#u zFx%LR<7S3hqe2;ND2#5$DT!}WrD9xscz$~ulk=KEJeAcv;dqhnG{|$}DT(YPXMtHZ zW7Koeq^NQv;7GA`1fe(GAx13=C_8;VpZvaQowKB7GJ>bR>6pbMUep{}?rdPw3|zxS z)ehu3dcHzpQD$l~kRalvy{Mv4ZoI_igpv?TiZS;E6GJ&9b2Ssw32RBR(IUEw&I;ax zy>L>jH$9sNG@7~3l5}vWbe91zIdsKcTTWt>TA9P$nGeZbe*HBT>4>t`0MM`DUh0c~ zkZfu{)T))=qJ+Q2R!bI5gLNtq;m~|5!>4_G?^DWTY+3@ME5fJxS0d2H6#?#(YK3(fFtAtv}(Nf5huS@8r|Bx*b<}P!2d$^g78GB(Iby zA3~SpuXND}(!NU&`99f~|D&w^aW{#m0hDsYA(I53)4~&SFR>d}Vo!myxtwLZA6!l{ zc1L{19yh25IN*5)6VJfOWd4!k!hs?+LD z8V`gtD?jk-bU-8st}jogS9#> zsAM>CaYXTx!$Z#nl#~92bY2Z~xraq^A74vKnek^Z9sCHLtlR2NTdGX9u~xoQair;2 zy}Xn^DMQfwhGG8jD9;C*t|TgFcs$WtXSp_@9;+os_1@?$XyVJk!ofH$(yJw%C#W28 zDyJ*A#lRmeGC&sQoW4L{MdLl|!UU^D7g4tQfKUF6uLLj376(M@hd~Y(JQMHWF7SFb zy%M?9Qcxtn@z6tl9W^nljOKN-8U3j`(Ky*YI5j(YuQlyP$@xK_-cL%!4d=}h)*sYi zc60bU+aY3MMIXyi_YnM-61rtymCF`igTsQ(q=)^eg0G6}ffDI1!g^l@%YS{^~yw<%#d&(3v7`Z9nH*af{c0DeoC`(C>y3W0LJUp8DiEMl{il1mDSdkS zC`@2W)d#T7DaiAXHy4bniSiPSN#op$QP)wqqA{IlM~K~DA~6+RF!qRLTmZ>sdbYF( zu;0>xK$k|Hm^}xi9eO6BtEX#QWN*@UMeFu{CFzW+3%lxT?5xj)>g*x^Dwzqpulh`h z6`;W|OfoJaGDt8aX|el)PbZP!c<@O7;Jwykqpu6I>6&Copcm9i!CGpIrr?{*sW>@> zX@B2&Z?3o#*w}-jBI`daL}h&`Q}|1#;IXJpo+FDtCOs4f<17l(sOHI6l-72Z8?hIo zG?u%~(_Z`z@|Ti8f9Mj@^M;pBpPMA<77t@OMm#!;91G7 zz^jfQMfviAehJp}2#AR+(re>6eW!)l($k8=Zr6C&(G#l|N=EPQPh4%R9D4+^vw+*t z`aalB8f=}RS5T)#hQJO`L0-Sz9Kw#qRLAGf#XkJB3M;G3d+bJu+W<_=UMAb(lv2t| zOq@t?4A34c(nXP-*xH^m-MP!Uy3fBebmr2PKB;GAyzat*$0s_7A|Z|^*%tD6#UHCc z*CZ1;YkNT(w-}po2glh==#L3?^jx@uGi)V{r!_8ko(;ea)|ZTX z%6Fqqk-+Kp_&_b9dGw@pT&<)xM{RyE@Oe_O% zoSlU3D4XlnF9L9e-GqLArgWRCMXaFB^k7}MA&C`XF)shbQ zyLz|0td@5GBn90s*rhD1RUJSzmFs5gCdg_r213jf`Z>FFWwmqysiyMXH+6~vaS6i& z8b2XJuftMSYa)=U;?(Y=l1X2E6}e8HIr|;9Ll)0dsr zXgw8(;~XXQr-d$S&_ySGX6&CH|+ko{^ z=~(YkFFIBFoYSmFd|frYsg!-6YWDP18M$bbt;($C)Ou65o6Z7#%_#yc4Y_#Ldj^^S z5)tKvRlP5ngC_8Z%szot5I5(c2`G`A>#(v93QN$0)eHx}q0bS?=&Om@XLiZY8X}7M z!+IoXExh7LRZuU#XRK2vueiEuvkad{=t3{AxQi-LhW}=y!w|3dL)GTje2(D7F9Y(?&=twyft9^~w+cbB{`k zx%SAk)_-0R@8K1{@z*P=$cOcay-lQNV+i!z+j<25Hu7c%>GGM8dIaVt(y>MEwA@}j z!gL3@6cgI}{`LWxHWQKM!>r75VhfsZIrD*E$=8Uig#fu^d#kwBUx1Qb<;U>SeKPG+ z#Cr@=?*Q?DY(E{54<^VI57TXF5y=uwXBzDf$@X+JZl=QbTZd%YT0|C_SvfVX-zsi$ z|4e1-eKk<|j*0lG2E@l*we+;7H z^xnt(0v2dFMy;`~jAk`tBs)W}(@^Gnp;1ss4%2(X8l7Xv0@L)Fp5-jkR5u#%E9&OZu1@;)J%1-${q%kajV}ev$XF-j= zVu45|YG5NtmbAu%vu888X`GKBDnfm+hm5#zD8i%F6Ky_#C7oh|bqjg<#YPE23OqtW zKN5N+mxLjrcaCNIP}1gfAY?7XUmPb&;UKtr$a@KN!7l)A@4)6j~tF7~)y1qD|3QP@Xl#|5@G2_Hfm^d4sLxL2c@31mp9FglE z4htN~6#N&5D$Wx}dJc~15%xWg3&R0Fz>st_P0+{zAjUF~d0?ej-;*G?b4b1fK?XNZ zUr+$y+=4xA)P)1!EL3H?e6-PL9AHXs(*2?P4F_biP^+wyp(F-8{a>t*z(%YrRu6)s z3D9x8|APaHv|z!3gb;sH#po*zh-9IrpoayAf&k(cgDnrN|-Ik>)W<1&EG}vyL#Orfn$@JR_tM)6|1g zXTv>1A)FhrP@`Nt;KfEYQyAvFS_lw}7;Ue^N*I05fZ)X;f4P(6hNM0N6Eo1XJ+4A1 z&i<5%w{fy4@%%~%u8s{CF8wb?jd;>mw*MESVLV9@`Zq@Ei+EBf6qe!h{a)1814Ifh zkV;t0;-es>`G8XEEHLU3l6saIB*X6<$>s>jNn-dbHk>EP&Q92F{-(6hoRj2y7i>R< zDLqUl^iYll%ZhGNbmG}q3sy@X2UJg^(I6#xN)PJkq?<; z+Q;$L79vVzFhEmMvUT{$I`-BkfB0phLLiO6V!DOBm{(jNqR$vYeJH7RYyxC0SL~ls zleIuW*a`rp_E{47ACS}o=07}FRR50v;Eq#O?Al9C=?IavZewW}LdM*L5Si+Sodh>o z=#n-8Vk;A)mE3eR>n~xlmRIp~5uYZ+ZE6yGP8kGW49VhW>Uojx2az5N&8}kV?KMDh z;J8!}9=+C^rv`<|&Vg7O8Od8Y9)XY+`Ah1vM@Z^A%Rf>BL_h-gM`}?b;12vF(>Wqg z2K*(HmIe_x1Rw#82w6EBIPM(Q#L*Zm-hA%XLdYzFoKMD1#>_ZYno|+VNI=P{5_1+I zO7({PDO&P4Ln0sphnOo&b8_>;i58$gwGZ#02^tUx%|}y|!@{*d28hr&A7)J3Gi}g- zcxW<|Qgy6F2Q#J#7A3u|ziBCcJ1(-sc_+`+5 zbZ9cT=?oTr0=K0>r>B=VNb!{&9LYH#9pTv>>!%gsTmU>niJGwjvEy(CR-gxIJBY{` z*_e(KQhao5@U{ za*gQJD5@V>tA zidxOX|DCY|{{Pw}jsF`j`}}{F9|pS(j;dYS!}JLC@5kaF{usqUR6)nyAMcJ*Qxl%z`W$?Z3(6w&c>TqhPRG!GYT^jrrzm+(Gpxxb@} zYm1!KN!jrA{3C@kvC?Mp`p$9}mmAokZ%18e&y^O<_-1n7Va+wqEt@Sl8UU%jo1Gn}8&EgL#pf%=66c%P(r#u_vERAj+6uvK&b6NCX?~ zCnz~uZIpc0WU85(6j}*$j_tC$q=+)}1L8hDJ=rFnEVA{JW_aspd->b;@_5>%N!2Jl zvE{YA&$-UaYk?(o@QSuM)&JB;S4C1ioX5I?Yt6@u^HK#|b`;FUTmANvJyMKPpO2my zaeV1;K<~Px(C#|Kn?%#Dh^W@yeJa&T`_dHeQN9sZ-gU9%)3e`)``*1U&@zvTz+a#l$V-2HvHx>+4x*pwY~>PF=J*E=;A z-C`eoS>3h)TCTQs=cjuISuP#buNPlW-41OlE=IRTgu?QEc2nNhX9AZkV{3+Nu5IQQjl>Oa zeh6*;>`|6ffrE{g3A60fzGG;=2;8Y`PQslCPI~2WOV&SP#E}2hkwZ*ZnVZp0O_O{# zOH`>B;RVi7^ z;G>@_%{=ZVzXJUmCf(j1%P)+ad8gWb{epqh)Qm|=bw%g?#P8c~a7)y zPW^?}a?z7fcMn1J{6Ktb<)chYOypI>gyry#oj6+ni2sZZ4~n$X|HY6nC49T!w^di{ z)=a7LMt#H+_qpafVx+g`_mg@Sm*+g2#R7URJLDA3-~V(wj`qZ8BCoo?;?2><2Jc?{ z83&dQ#kNTN@_On?@yhI{FAA5N3`PS2a`PQ_R`NAZOk#6i8cU6^7zPV2+X*muB?W4J z3AUX2_D%fgCu!^rr)}b$RM(FY2L}rZRRKrqWn_0fCt8f~(lehK=&3i~8X69=`X2aw z^YcxMp05tzL|g+m)K$gvrmN)mZa5CT_S>MTE|;75Mb{+z-X9Y&%|Tq<$}3cv-+7l< zKHSFhoqp`iwGw5wqGcz~!O@QAhnFoT-lf!6Y`^@PvvNh@MWUc!ht-?-xd2Re(7E6@ zu2pF literal 0 HcmV?d00001 diff --git a/docs/versions.yaml b/docs/versions.yaml index bb882a49ec819..b1a5a2a34e1b0 100644 --- a/docs/versions.yaml +++ b/docs/versions.yaml @@ -25,6 +25,7 @@ "1.29": 1.29.12 "1.30": 1.30.11 "1.31": 1.31.10 -"1.32": 1.32.8 -"1.33": 1.33.5 -"1.34": 1.34.3 +"1.32": 1.32.9 +"1.33": 1.33.6 +"1.34": 1.34.4 +"1.35": 1.35.0 From d39ce1544941672d2ee217f33c8433ed18db0861 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 24 Jul 2025 11:20:20 -0400 Subject: [PATCH 068/505] ext_proc: Adding detail gRPC error message in the logging for debugging (#40387) Signed-off-by: Yanjun Xiang --- source/extensions/filters/http/ext_proc/ext_proc.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/extensions/filters/http/ext_proc/ext_proc.cc b/source/extensions/filters/http/ext_proc/ext_proc.cc index 81158f9c1ba12..dcad82a88a002 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.cc +++ b/source/extensions/filters/http/ext_proc/ext_proc.cc @@ -1646,7 +1646,8 @@ void Filter::onReceiveMessage(std::unique_ptr&& r) { } void Filter::onGrpcError(Grpc::Status::GrpcStatus status, const std::string& message) { - ENVOY_STREAM_LOG(debug, "Received gRPC error on stream: {}", *decoder_callbacks_, status); + ENVOY_STREAM_LOG(warn, "Received gRPC error on stream: {}, message {}", *decoder_callbacks_, + status, message); stats_.streams_failed_.inc(); if (processing_complete_) { From 6592881fed782d79597d64222f03995d05552271 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 24 Jul 2025 08:35:11 -0700 Subject: [PATCH 069/505] oauth2: deprecate flag oauth2_use_refresh_token and remove legacy code paths (#40397) --- changelogs/current.yaml | 4 ++++ source/common/runtime/runtime_features.cc | 1 - source/extensions/filters/http/oauth2/filter.cc | 6 +----- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index e807e80d7e32d..654545b716750 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -10,12 +10,16 @@ bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* removed_config_or_runtime: +# *Normally occurs at the end of the* :ref:`deprecation period ` - area: router change: | Removed runtime guard ``envoy.reloadable_features.shadow_policy_inherit_trace_sampling`` and legacy code paths. - area: dynamic_forward_proxy change: | Removed runtime guard ``envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update`` and legacy code paths. +- area: oauth2 + change: | + Removed runtime guard ``envoy.reloadable_features.oauth2_use_refresh_token`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 73368fbcff06f..66e8c52475195 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -67,7 +67,6 @@ RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name); RUNTIME_GUARD(envoy_reloadable_features_normalize_rds_provider_config); RUNTIME_GUARD(envoy_reloadable_features_oauth2_cleanup_cookies); RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); -RUNTIME_GUARD(envoy_reloadable_features_oauth2_use_refresh_token); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); RUNTIME_GUARD(envoy_reloadable_features_prefer_ipv6_dns_on_macos); diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index e4d9ab6e2646d..d1f9b1c621e93 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -508,11 +508,7 @@ FilterStats FilterConfig::generateStats(const std::string& prefix, bool FilterConfig::shouldUseRefreshToken( const envoy::extensions::filters::http::oauth2::v3::OAuth2Config& proto_config) const { - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.oauth2_use_refresh_token")) { - return PROTOBUF_GET_WRAPPED_OR_DEFAULT(proto_config, use_refresh_token, true); - } - - return proto_config.use_refresh_token().value(); + return PROTOBUF_GET_WRAPPED_OR_DEFAULT(proto_config, use_refresh_token, true); } void OAuth2CookieValidator::setParams(const Http::RequestHeaderMap& headers, From 35696257099072798d4e1a9a6661928c16d18c5b Mon Sep 17 00:00:00 2001 From: phlax Date: Thu, 24 Jul 2025 16:46:44 +0100 Subject: [PATCH 070/505] release/docker: Bump Ubuntu -> 1ec65b2 (#40422) Signed-off-by: Ryan Northey --- ci/Dockerfile-envoy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/Dockerfile-envoy b/ci/Dockerfile-envoy index 1386990b4617e..a94f1656e89cc 100644 --- a/ci/Dockerfile-envoy +++ b/ci/Dockerfile-envoy @@ -1,6 +1,6 @@ ARG BUILD_OS=ubuntu ARG BUILD_TAG=22.04 -ARG BUILD_SHA=59ccd419c0dc0edf9e3bff1a3b2b073ea15a2ce4bc45ce7c989278b225b09af3 +ARG BUILD_SHA=1ec65b2719518e27d4d25f104d93f9fac60dc437f81452302406825c46fcc9cb ARG ENVOY_VRP_BASE_IMAGE=envoy-base From 54721848c12341abfba13182bf29d8a365b701c3 Mon Sep 17 00:00:00 2001 From: code Date: Fri, 25 Jul 2025 02:19:57 +0800 Subject: [PATCH 071/505] upstream: clean up the constructor of cm (#40055) Commit Message: upstream: clean up the constructor of cm Additional Description: Clean up the constructor of cluster manager and cluster manager factory. To eliminate the ambiguity of the constructor parameters. If the ServerFactoryContext is used as the input parameter, then all the `Api::Api`, `Runtime::Loader`, etc should be accessed by the server factory context to avoid the ambiguirty. Risk Level: low, no any logic change. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: wangbaiping(wbpcode) --- .../common/upstream/cluster_manager_impl.cc | 71 +++++++++---------- source/common/upstream/cluster_manager_impl.h | 29 ++------ .../config_validation/cluster_manager.cc | 7 +- .../config_validation/cluster_manager.h | 9 +-- source/server/config_validation/server.cc | 5 +- source/server/server.cc | 4 +- .../upstream/cluster_manager_impl_test.cc | 9 +-- .../cluster_manager_impl_test_common.cc | 45 +++++------- .../cluster_manager_impl_test_common.h | 7 -- .../cluster_manager_lifecycle_test.cc | 3 +- .../upstream/cluster_manager_misc_test.cc | 3 +- .../deferred_cluster_initialization_test.cc | 23 ++---- test/common/upstream/test_cluster_manager.h | 55 +++++--------- test/config_test/config_test.cc | 11 ++- .../clusters/aggregate/cluster_update_test.cc | 25 ++----- .../config_validation/cluster_manager_test.cc | 23 +++--- test/server/configuration_impl_test.cc | 4 +- 17 files changed, 117 insertions(+), 216 deletions(-) diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 7d0a3dc6d14d8..1b82dfd04c74e 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -301,52 +301,50 @@ void ClusterManagerInitHelper::setPrimaryClustersInitializedCb( } } -ClusterManagerImpl::ClusterManagerImpl( - const envoy::config::bootstrap::v3::Bootstrap& bootstrap, ClusterManagerFactory& factory, - Server::Configuration::CommonFactoryContext& context, Stats::Store& stats, - ThreadLocal::Instance& tls, Runtime::Loader& runtime, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Event::Dispatcher& main_thread_dispatcher, - OptRef admin, Api::Api& api, Http::Context& http_context, - Grpc::Context& grpc_context, Router::Context& router_context, Server::Instance& server, - Config::XdsManager& xds_manager, absl::Status& creation_status) - : server_(server), factory_(factory), runtime_(runtime), stats_(stats), tls_(tls), - xds_manager_(xds_manager), random_(api.randomGenerator()), +ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v3::Bootstrap& bootstrap, + ClusterManagerFactory& factory, + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status) + : context_(context), factory_(factory), runtime_(context.runtime()), + stats_(context.serverScope().store()), tls_(context.threadLocal()), + xds_manager_(context.xdsManager()), random_(context.api().randomGenerator()), deferred_cluster_creation_(bootstrap.cluster_manager().enable_deferred_cluster_creation()), bind_config_(bootstrap.cluster_manager().has_upstream_bind_config() ? absl::make_optional(bootstrap.cluster_manager().upstream_bind_config()) : absl::nullopt), - local_info_(local_info), cm_stats_(generateStats(*stats.rootScope())), + local_info_(context.localInfo()), cm_stats_(generateStats(*stats_.rootScope())), init_helper_(*this, [this](ClusterManagerCluster& cluster) { return onClusterInit(cluster); }), - time_source_(main_thread_dispatcher.timeSource()), dispatcher_(main_thread_dispatcher), - http_context_(http_context), router_context_(router_context), - cluster_stat_names_(stats.symbolTable()), - cluster_config_update_stat_names_(stats.symbolTable()), - cluster_lb_stat_names_(stats.symbolTable()), - cluster_endpoint_stat_names_(stats.symbolTable()), - cluster_load_report_stat_names_(stats.symbolTable()), - cluster_circuit_breakers_stat_names_(stats.symbolTable()), - cluster_request_response_size_stat_names_(stats.symbolTable()), - cluster_timeout_budget_stat_names_(stats.symbolTable()), + time_source_(context.timeSource()), dispatcher_(context.mainThreadDispatcher()), + http_context_(context.httpContext()), router_context_(context.routerContext()), + cluster_stat_names_(stats_.symbolTable()), + cluster_config_update_stat_names_(stats_.symbolTable()), + cluster_lb_stat_names_(stats_.symbolTable()), + cluster_endpoint_stat_names_(stats_.symbolTable()), + cluster_load_report_stat_names_(stats_.symbolTable()), + cluster_circuit_breakers_stat_names_(stats_.symbolTable()), + cluster_request_response_size_stat_names_(stats_.symbolTable()), + cluster_timeout_budget_stat_names_(stats_.symbolTable()), common_lb_config_pool_( std::make_shared>( - main_thread_dispatcher)), + dispatcher_)), shutdown_(false) { - if (admin.has_value()) { + if (auto admin = context.admin(); admin.has_value()) { config_tracker_entry_ = admin->getConfigTracker().add( "clusters", [this](const Matchers::StringMatcher& name_matcher) { return dumpClusterConfigs(name_matcher); }); } async_client_manager_ = std::make_unique( - *this, tls, context, grpc_context.statNames(), bootstrap.grpc_async_client_manager_config()); + *this, context.threadLocal(), context, context.grpcContext().statNames(), + bootstrap.grpc_async_client_manager_config()); const auto& cm_config = bootstrap.cluster_manager(); if (cm_config.has_outlier_detection()) { const std::string event_log_file_path = cm_config.outlier_detection().event_log_path(); if (!event_log_file_path.empty()) { - auto outlier_or_error = - Outlier::EventLoggerImpl::create(log_manager, event_log_file_path, time_source_); + auto outlier_or_error = Outlier::EventLoggerImpl::create(context.accessLogManager(), + event_log_file_path, time_source_); SET_AND_RETURN_IF_NOT_OK(outlier_or_error.status(), creation_status); outlier_event_logger_ = std::move(*outlier_or_error); } @@ -1464,7 +1462,7 @@ ClusterManagerImpl::ThreadLocalClusterManagerImpl::ClusterEntry::httpAsyncClient if (lazy_http_async_client_ == nullptr) { lazy_http_async_client_ = std::make_unique( cluster_info_, parent_.parent_.stats_, parent_.thread_local_dispatcher_, parent_.parent_, - parent_.parent_.server_.serverFactoryContext(), + parent_.parent_.context_, Router::ShadowWriterPtr{new Router::ShadowWriterImpl(parent_.parent_)}, parent_.parent_.http_context_, parent_.parent_.router_context_); } @@ -2146,11 +2144,8 @@ void ClusterManagerImpl::ThreadLocalClusterManagerImpl::tcpConnPoolIsIdle( absl::StatusOr ProdClusterManagerFactory::clusterManagerFromProto( const envoy::config::bootstrap::v3::Bootstrap& bootstrap) { absl::Status creation_status = absl::OkStatus(); - auto cluster_manager_impl = std::unique_ptr{new ClusterManagerImpl( - bootstrap, *this, context_, stats_, tls_, context_.runtime(), context_.localInfo(), - context_.accessLogManager(), context_.mainThreadDispatcher(), context_.admin(), - context_.api(), http_context_, context_.grpcContext(), context_.routerContext(), server_, - context_.xdsManager(), creation_status)}; + auto cluster_manager_impl = std::unique_ptr{ + new ClusterManagerImpl(bootstrap, *this, context_, creation_status)}; RETURN_IF_NOT_OK(creation_status); return cluster_manager_impl; } @@ -2201,7 +2196,7 @@ Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( dispatcher, context_.api().randomGenerator(), host, priority, options, transport_socket_options, state, source, alternate_protocols_cache, coptions, quic_stat_names_, *stats_.rootScope(), *quic_info, network_observer_registry, - server_.overloadManager()); + context_.overloadManager()); #else (void)quic_info; (void)network_observer_registry; @@ -2221,13 +2216,13 @@ Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( return std::make_unique( dispatcher, context_.api().randomGenerator(), host, priority, options, transport_socket_options, state, origin, alternate_protocols_cache, - server_.overloadManager()); + context_.overloadManager()); } if (protocols.size() == 1 && protocols[0] == Http::Protocol::Http2 && context_.runtime().snapshot().featureEnabled("upstream.use_http2", 100)) { return Http::Http2::allocateConnPool(dispatcher, context_.api().randomGenerator(), host, priority, options, transport_socket_options, state, - server_.overloadManager(), origin, + context_.overloadManager(), origin, alternate_protocols_cache); } if (protocols.size() == 1 && protocols[0] == Http::Protocol::Http3 && @@ -2239,7 +2234,7 @@ Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( return Http::Http3::allocateConnPool( dispatcher, context_.api().randomGenerator(), host, priority, options, transport_socket_options, state, quic_stat_names_, {}, *stats_.rootScope(), {}, *quic_info, - network_observer_registry, server_.overloadManager(), false); + network_observer_registry, context_.overloadManager(), false); #else UNREFERENCED_PARAMETER(source); // Should be blocked by configuration checking at an earlier point. @@ -2249,7 +2244,7 @@ Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( ASSERT(protocols.size() == 1 && protocols[0] == Http::Protocol::Http11); return Http::Http1::allocateConnPool(dispatcher, context_.api().randomGenerator(), host, priority, options, transport_socket_options, state, - server_.overloadManager()); + context_.overloadManager()); } Tcp::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateTcpConnPool( @@ -2261,7 +2256,7 @@ Tcp::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateTcpConnPool( ENVOY_LOG_MISC(debug, "Allocating TCP conn pool"); return std::make_unique(dispatcher, host, priority, options, transport_socket_options, state, tcp_pool_idle_timeout, - server_.overloadManager()); + context_.overloadManager()); } absl::StatusOr> diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index 4081b53e36488..b90dd96a4654a 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h @@ -53,15 +53,11 @@ class ProdClusterManagerFactory : public ClusterManagerFactory { using LazyCreateDnsResolver = std::function; ProdClusterManagerFactory(Server::Configuration::ServerFactoryContext& context, - Stats::Store& stats, ThreadLocal::Instance& tls, - Http::Context& http_context, LazyCreateDnsResolver dns_resolver_fn, - Ssl::ContextManager& ssl_context_manager, - Quic::QuicStatNames& quic_stat_names, Server::Instance& server) - : context_(context), stats_(stats), tls_(tls), http_context_(http_context), - dns_resolver_fn_(dns_resolver_fn), ssl_context_manager_(ssl_context_manager), + LazyCreateDnsResolver dns_resolver_fn, + Quic::QuicStatNames& quic_stat_names) + : context_(context), stats_(context.serverScope().store()), dns_resolver_fn_(dns_resolver_fn), quic_stat_names_(quic_stat_names), - alternate_protocols_cache_manager_(context.httpServerPropertiesCacheManager()), - server_(server) {} + alternate_protocols_cache_manager_(context.httpServerPropertiesCacheManager()) {} // Upstream::ClusterManagerFactory absl::StatusOr @@ -93,14 +89,9 @@ class ProdClusterManagerFactory : public ClusterManagerFactory { protected: Server::Configuration::ServerFactoryContext& context_; Stats::Store& stats_; - ThreadLocal::Instance& tls_; - Http::Context& http_context_; - LazyCreateDnsResolver dns_resolver_fn_; - Ssl::ContextManager& ssl_context_manager_; Quic::QuicStatNames& quic_stat_names_; Http::HttpServerPropertiesCacheManager& alternate_protocols_cache_manager_; - Server::Instance& server_; }; // For friend declaration in ClusterManagerInitHelper. @@ -398,14 +389,8 @@ class ClusterManagerImpl : public ClusterManager, // clusterManagerFromProto() static method. The init() method must be called after construction. ClusterManagerImpl(const envoy::config::bootstrap::v3::Bootstrap& bootstrap, ClusterManagerFactory& factory, - Server::Configuration::CommonFactoryContext& context, Stats::Store& stats, - ThreadLocal::Instance& tls, Runtime::Loader& runtime, - const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, - Event::Dispatcher& main_thread_dispatcher, OptRef admin, - Api::Api& api, Http::Context& http_context, Grpc::Context& grpc_context, - Router::Context& router_context, Server::Instance& server, - Config::XdsManager& xds_manager, absl::Status& creation_status); + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status); virtual void postThreadLocalRemoveHosts(const Cluster& cluster, const HostVector& hosts_removed); @@ -922,7 +907,7 @@ class ClusterManagerImpl : public ClusterManager, bool deferralIsSupportedForCluster(const ClusterInfoConstSharedPtr& info) const; - Server::Instance& server_; + Server::Configuration::ServerFactoryContext& context_; ClusterManagerFactory& factory_; Runtime::Loader& runtime_; Stats::Store& stats_; diff --git a/source/server/config_validation/cluster_manager.cc b/source/server/config_validation/cluster_manager.cc index 199ccb8a634b4..e476194bbad07 100644 --- a/source/server/config_validation/cluster_manager.cc +++ b/source/server/config_validation/cluster_manager.cc @@ -11,11 +11,8 @@ namespace Upstream { absl::StatusOr ValidationClusterManagerFactory::clusterManagerFromProto( const envoy::config::bootstrap::v3::Bootstrap& bootstrap) { absl::Status creation_status = absl::OkStatus(); - auto cluster_manager = std::unique_ptr{new ValidationClusterManager( - bootstrap, *this, context_, stats_, tls_, context_.runtime(), context_.localInfo(), - context_.accessLogManager(), context_.mainThreadDispatcher(), context_.admin(), - context_.api(), http_context_, context_.grpcContext(), context_.routerContext(), server_, - context_.xdsManager(), creation_status)}; + auto cluster_manager = std::unique_ptr{ + new ValidationClusterManager(bootstrap, *this, context_, creation_status)}; RETURN_IF_NOT_OK(creation_status); return cluster_manager; } diff --git a/source/server/config_validation/cluster_manager.h b/source/server/config_validation/cluster_manager.h index edc12ec3488db..a6f98effc68b9 100644 --- a/source/server/config_validation/cluster_manager.h +++ b/source/server/config_validation/cluster_manager.h @@ -21,12 +21,9 @@ class ValidationClusterManagerFactory : public ProdClusterManagerFactory { using ProdClusterManagerFactory::ProdClusterManagerFactory; explicit ValidationClusterManagerFactory( - Server::Configuration::ServerFactoryContext& server_context, Stats::Store& stats, - ThreadLocal::Instance& tls, Http::Context& http_context, - LazyCreateDnsResolver dns_resolver_fn, Ssl::ContextManager& ssl_context_manager, - Quic::QuicStatNames& quic_stat_names, Server::Instance& server) - : ProdClusterManagerFactory(server_context, stats, tls, http_context, dns_resolver_fn, - ssl_context_manager, quic_stat_names, server) {} + Server::Configuration::ServerFactoryContext& server_context, + LazyCreateDnsResolver dns_resolver_fn, Quic::QuicStatNames& quic_stat_names) + : ProdClusterManagerFactory(server_context, dns_resolver_fn, quic_stat_names) {} absl::StatusOr clusterManagerFromProto(const envoy::config::bootstrap::v3::Bootstrap& bootstrap) override; diff --git a/source/server/config_validation/server.cc b/source/server/config_validation/server.cc index df5c8d643ce83..92c1101ef8a0d 100644 --- a/source/server/config_validation/server.cc +++ b/source/server/config_validation/server.cc @@ -161,9 +161,8 @@ void ValidationInstance::initialize(const Options& options, *local_info_, validation_context_, *this); cluster_manager_factory_ = std::make_unique( - server_contexts_, stats(), threadLocal(), http_context_, - [this]() -> Network::DnsResolverSharedPtr { return this->dnsResolver(); }, - sslContextManager(), quic_stat_names_, *this); + server_contexts_, [this]() -> Network::DnsResolverSharedPtr { return this->dnsResolver(); }, + quic_stat_names_); THROW_IF_NOT_OK(config_.initialize(bootstrap_, *this, *cluster_manager_factory_)); THROW_IF_NOT_OK(runtime().initialize(clusterManager())); clusterManager().setInitializedCb([this]() -> void { init_manager_.initialize(init_watcher_); }); diff --git a/source/server/server.cc b/source/server/server.cc index c4ed0c43d7e76..264f95d64d32f 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -794,9 +794,9 @@ absl::Status InstanceBase::initializeOrThrow(Network::Address::InstanceConstShar *local_info_, validation_context_, *this); cluster_manager_factory_ = std::make_unique( - serverFactoryContext(), stats_store_, thread_local_, http_context_, + serverFactoryContext(), [this]() -> Network::DnsResolverSharedPtr { return this->getOrCreateDnsResolver(); }, - *ssl_context_manager_, quic_stat_names_, *this); + quic_stat_names_); // Now that the worker thread are initialized, notify the bootstrap extensions. for (auto&& bootstrap_extension : bootstrap_extensions_) { diff --git a/test/common/upstream/cluster_manager_impl_test.cc b/test/common/upstream/cluster_manager_impl_test.cc index c82c5728f8837..3ff203f79519f 100644 --- a/test/common/upstream/cluster_manager_impl_test.cc +++ b/test/common/upstream/cluster_manager_impl_test.cc @@ -183,8 +183,9 @@ TEST_F(ClusterManagerImplTest, OutlierEventLog) { } )EOF"; - EXPECT_CALL(log_manager_, createAccessLog(Filesystem::FilePathAndType{ - Filesystem::DestinationType::File, "foo"})); + EXPECT_CALL( + factory_.server_context_.access_log_manager_, + createAccessLog(Filesystem::FilePathAndType{Filesystem::DestinationType::File, "foo"})); create(parseBootstrapFromV3Json(json)); } @@ -193,7 +194,7 @@ TEST_F(ClusterManagerImplTest, AdsCluster) { // can be set on. std::shared_ptr> ads_mux = std::make_shared>(); - ON_CALL(xds_manager_, adsMux()).WillByDefault(Return(ads_mux)); + ON_CALL(factory_.server_context_.xds_manager_, adsMux()).WillByDefault(Return(ads_mux)); const std::string yaml = R"EOF( dynamic_resources: @@ -229,7 +230,7 @@ TEST_F(ClusterManagerImplTest, AdsClusterStartsMuxOnlyOnce) { // can be set on. std::shared_ptr> ads_mux = std::make_shared>(); - ON_CALL(xds_manager_, adsMux()).WillByDefault(Return(ads_mux)); + ON_CALL(factory_.server_context_.xds_manager_, adsMux()).WillByDefault(Return(ads_mux)); const std::string yaml = R"EOF( dynamic_resources: diff --git a/test/common/upstream/cluster_manager_impl_test_common.cc b/test/common/upstream/cluster_manager_impl_test_common.cc index 9a5c3f12b316b..32418735c8764 100644 --- a/test/common/upstream/cluster_manager_impl_test_common.cc +++ b/test/common/upstream/cluster_manager_impl_test_common.cc @@ -36,18 +36,13 @@ class MockedUpdatedClusterManagerImpl : public TestClusterManagerImpl { public: using TestClusterManagerImpl::TestClusterManagerImpl; - MockedUpdatedClusterManagerImpl( - const envoy::config::bootstrap::v3::Bootstrap& bootstrap, ClusterManagerFactory& factory, - Server::Configuration::CommonFactoryContext& factory_context, Stats::Store& stats, - ThreadLocal::Instance& tls, Runtime::Loader& runtime, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Event::Dispatcher& main_thread_dispatcher, - Server::Admin& admin, Api::Api& api, MockLocalClusterUpdate& local_cluster_update, - MockLocalHostsRemoved& local_hosts_removed, Http::Context& http_context, - Grpc::Context& grpc_context, Router::Context& router_context, Server::Instance& server, - Config::XdsManager& xds_manager, absl::Status& creation_status) - : TestClusterManagerImpl(bootstrap, factory, factory_context, stats, tls, runtime, local_info, - log_manager, main_thread_dispatcher, admin, api, http_context, - grpc_context, router_context, server, xds_manager, creation_status), + MockedUpdatedClusterManagerImpl(const envoy::config::bootstrap::v3::Bootstrap& bootstrap, + ClusterManagerFactory& factory, + Server::Configuration::ServerFactoryContext& factory_context, + MockLocalClusterUpdate& local_cluster_update, + MockLocalHostsRemoved& local_hosts_removed, + absl::Status& creation_status) + : TestClusterManagerImpl(bootstrap, factory, factory_context, creation_status), local_cluster_update_(local_cluster_update), local_hosts_removed_(local_hosts_removed) {} protected: @@ -67,22 +62,16 @@ class MockedUpdatedClusterManagerImpl : public TestClusterManagerImpl { MockLocalHostsRemoved& local_hosts_removed_; }; -ClusterManagerImplTest::ClusterManagerImplTest() - : http_context_(factory_.stats_.symbolTable()), grpc_context_(factory_.stats_.symbolTable()), - router_context_(factory_.stats_.symbolTable()), - registered_dns_factory_(dns_resolver_factory_) { +ClusterManagerImplTest::ClusterManagerImplTest() : registered_dns_factory_(dns_resolver_factory_) { // Using the NullGrpcMuxImpl by default making the calls a no-op. - ON_CALL(xds_manager_, adsMux()) + ON_CALL(factory_.server_context_.xds_manager_, adsMux()) .WillByDefault(Return(std::make_shared())); } void ClusterManagerImplTest::create(const Bootstrap& bootstrap) { // Override the bootstrap used by the mock Server::Instance object. - server_.bootstrap_.CopyFrom(bootstrap); - cluster_manager_ = TestClusterManagerImpl::createTestClusterManager( - bootstrap, factory_, factory_.server_context_, factory_.stats_, factory_.tls_, - factory_.runtime_, factory_.local_info_, log_manager_, factory_.dispatcher_, admin_, - *factory_.api_, http_context_, grpc_context_, router_context_, server_, xds_manager_); + cluster_manager_ = TestClusterManagerImpl::createTestClusterManager(bootstrap, factory_, + factory_.server_context_); ON_CALL(factory_.server_context_, clusterManager()).WillByDefault(ReturnRef(*cluster_manager_)); THROW_IF_NOT_OK(cluster_manager_->initialize(bootstrap)); @@ -150,11 +139,9 @@ void ClusterManagerImplTest::createWithLocalClusterUpdate(const bool enable_merg const auto& bootstrap = parseBootstrapFromV3Yaml(yaml); absl::Status creation_status = absl::OkStatus(); cluster_manager_ = std::make_unique( - bootstrap, factory_, factory_.server_context_, factory_.stats_, factory_.tls_, - factory_.runtime_, factory_.local_info_, log_manager_, factory_.dispatcher_, admin_, - *factory_.api_, local_cluster_update_, local_hosts_removed_, http_context_, grpc_context_, - router_context_, server_, xds_manager_, creation_status); - THROW_IF_NOT_OK(creation_status); + bootstrap, factory_, factory_.server_context_, local_cluster_update_, local_hosts_removed_, + creation_status); + THROW_IF_NOT_OK_REF(creation_status); THROW_IF_NOT_OK(cluster_manager_->initialize(bootstrap)); } @@ -175,7 +162,9 @@ void ClusterManagerImplTest::checkStats(uint64_t added, uint64_t modified, uint6 void ClusterManagerImplTest::checkConfigDump(const std::string& expected_dump_yaml, const Matchers::StringMatcher& name_matcher) { - auto message_ptr = admin_.config_tracker_.config_tracker_callbacks_["clusters"](name_matcher); + auto message_ptr = + factory_.server_context_.admin_.config_tracker_.config_tracker_callbacks_["clusters"]( + name_matcher); const auto& clusters_config_dump = dynamic_cast(*message_ptr); diff --git a/test/common/upstream/cluster_manager_impl_test_common.h b/test/common/upstream/cluster_manager_impl_test_common.h index 679517814dd02..82af10104e511 100644 --- a/test/common/upstream/cluster_manager_impl_test_common.h +++ b/test/common/upstream/cluster_manager_impl_test_common.h @@ -83,16 +83,9 @@ class ClusterManagerImplTest : public testing::Test { Event::SimulatedTimeSystem time_system_; NiceMock factory_; - NiceMock xds_manager_; std::unique_ptr cluster_manager_; - AccessLog::MockAccessLogManager log_manager_; - NiceMock admin_; MockLocalClusterUpdate local_cluster_update_; MockLocalHostsRemoved local_hosts_removed_; - Http::ContextImpl http_context_; - Grpc::ContextImpl grpc_context_; - Router::ContextImpl router_context_; - NiceMock server_; NiceMock dns_resolver_factory_; Registry::InjectFactory registered_dns_factory_; }; diff --git a/test/common/upstream/cluster_manager_lifecycle_test.cc b/test/common/upstream/cluster_manager_lifecycle_test.cc index 0c0aa6f44ca31..7c65f5eab1ab2 100644 --- a/test/common/upstream/cluster_manager_lifecycle_test.cc +++ b/test/common/upstream/cluster_manager_lifecycle_test.cc @@ -110,8 +110,7 @@ TEST_P(ClusterManagerLifecycleTest, InitializeOrder) { "envoy.load_balancing_policies.ring_hash"); auto proto_message = cluster2->info_->lb_factory_->createEmptyConfigProto(); cluster2->info_->typed_lb_config_ = - cluster2->info_->lb_factory_->loadConfig(*server_.server_factory_context_, *proto_message) - .value(); + cluster2->info_->lb_factory_->loadConfig(factory_.server_context_, *proto_message).value(); // This part tests static init. InSequence s; diff --git a/test/common/upstream/cluster_manager_misc_test.cc b/test/common/upstream/cluster_manager_misc_test.cc index 237a6cc5adcf2..fa7ad8985fc34 100644 --- a/test/common/upstream/cluster_manager_misc_test.cc +++ b/test/common/upstream/cluster_manager_misc_test.cc @@ -131,8 +131,7 @@ class ClusterManagerImplThreadAwareLbTest : public ClusterManagerImplTest { Config::Utility::getFactoryByName(factory_name); auto proto_message = cluster1->info_->lb_factory_->createEmptyConfigProto(); cluster1->info_->typed_lb_config_ = - cluster1->info_->lb_factory_->loadConfig(*server_.server_factory_context_, *proto_message) - .value(); + cluster1->info_->lb_factory_->loadConfig(factory_.server_context_, *proto_message).value(); InSequence s; EXPECT_CALL(factory_, clusterFromProto_(_, _, _)) diff --git a/test/common/upstream/deferred_cluster_initialization_test.cc b/test/common/upstream/deferred_cluster_initialization_test.cc index cc05ec547a005..fb713f3087ce4 100644 --- a/test/common/upstream/deferred_cluster_initialization_test.cc +++ b/test/common/upstream/deferred_cluster_initialization_test.cc @@ -21,8 +21,6 @@ namespace Envoy { namespace Upstream { namespace { -using testing::_; - using ClusterType = absl::variant; @@ -59,19 +57,15 @@ envoy::config::cluster::v3::Cluster parseClusterFromV3Yaml(const std::string& ya class DeferredClusterInitializationTest : public testing::TestWithParam { protected: DeferredClusterInitializationTest() - : ads_mux_(std::make_shared>()), - http_context_(factory_.stats_.symbolTable()), grpc_context_(factory_.stats_.symbolTable()), - router_context_(factory_.stats_.symbolTable()) {} + : ads_mux_(std::make_shared>()) {} void create(const envoy::config::bootstrap::v3::Bootstrap& bootstrap) { // Replace the adsMux to have mocked GrpcMux object that will allow invoking // methods when creating the cluster-manager. - ON_CALL(xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); + ON_CALL(factory_.server_context_.xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); - cluster_manager_ = TestClusterManagerImpl::createTestClusterManager( - bootstrap, factory_, factory_.server_context_, factory_.stats_, factory_.tls_, - factory_.runtime_, factory_.local_info_, log_manager_, factory_.dispatcher_, admin_, - *factory_.api_, http_context_, grpc_context_, router_context_, server_, xds_manager_); + cluster_manager_ = TestClusterManagerImpl::createTestClusterManager(bootstrap, factory_, + factory_.server_context_); ON_CALL(factory_.server_context_, clusterManager()).WillByDefault(ReturnRef(*cluster_manager_)); THROW_IF_NOT_OK(cluster_manager_->initialize(bootstrap)); @@ -121,14 +115,7 @@ class DeferredClusterInitializationTest : public testing::TestWithParam { NiceMock factory_; NiceMock validation_context_; std::shared_ptr> ads_mux_; - NiceMock xds_manager_; std::unique_ptr cluster_manager_; - AccessLog::MockAccessLogManager log_manager_; - NiceMock admin_; - Http::ContextImpl http_context_; - Grpc::ContextImpl grpc_context_; - Router::ContextImpl router_context_; - NiceMock server_; }; class StaticClusterTest : public DeferredClusterInitializationTest {}; @@ -438,7 +425,7 @@ class EdsTest : public DeferredClusterInitializationTest { const envoy::config::endpoint::v3::ClusterLoadAssignment& cluster_load_assignment) { const auto decoded_resources = TestUtility::decodeResources({cluster_load_assignment}, "cluster_name"); - EXPECT_TRUE(xds_manager_.subscription_factory_.callbacks_ + EXPECT_TRUE(factory_.server_context_.xds_manager_.subscription_factory_.callbacks_ ->onConfigUpdate(decoded_resources.refvec_, {}, "") .ok()); } diff --git a/test/common/upstream/test_cluster_manager.h b/test/common/upstream/test_cluster_manager.h index fa5df9d518403..da938f4d28471 100644 --- a/test/common/upstream/test_cluster_manager.h +++ b/test/common/upstream/test_cluster_manager.h @@ -63,9 +63,11 @@ namespace Upstream { // the expectations when needed. class TestClusterManagerFactory : public ClusterManagerFactory { public: - TestClusterManagerFactory() : api_(Api::createApiForTest(stats_, random_)) { - + TestClusterManagerFactory() + : api_(Api::createApiForTest(server_context_.store_, server_context_.api_.random_)) { ON_CALL(server_context_, api()).WillByDefault(testing::ReturnRef(*api_)); + ON_CALL(server_context_, sslContextManager()).WillByDefault(ReturnRef(ssl_context_manager_)); + ON_CALL(*this, clusterFromProto_(_, _, _)) .WillByDefault(Invoke( [&](const envoy::config::cluster::v3::Cluster& cluster, @@ -83,7 +85,7 @@ class TestClusterManagerFactory : public ClusterManagerFactory { })); } - ~TestClusterManagerFactory() override { dispatcher_.to_delete_.clear(); } + ~TestClusterManagerFactory() override { server_context_.dispatcher_.to_delete_.clear(); } Http::ConnectionPool::InstancePtr allocateConnPool( Event::Dispatcher&, HostConstSharedPtr host, ResourcePriority, std::vector&, @@ -95,7 +97,7 @@ class TestClusterManagerFactory : public ClusterManagerFactory { OptRef network_observer_registry) override { return Http::ConnectionPool::InstancePtr{ allocateConnPool_(host, alternate_protocol_options, options, transport_socket_options, - state, network_observer_registry, overload_manager_)}; + state, network_observer_registry, server_context_.overloadManager())}; } Tcp::ConnectionPool::InstancePtr @@ -145,38 +147,27 @@ class TestClusterManagerFactory : public ClusterManagerFactory { NiceMock server_context_; Stats::TestUtil::TestStore& stats_ = server_context_.store_; NiceMock& tls_ = server_context_.thread_local_; + NiceMock& dispatcher_ = server_context_.dispatcher_; + testing::NiceMock& random_ = server_context_.api_.random_; + std::shared_ptr> dns_resolver_{ new NiceMock}; - NiceMock& runtime_ = server_context_.runtime_loader_; - NiceMock& dispatcher_ = server_context_.dispatcher_; Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{server_context_}; - NiceMock& local_info_ = server_context_.local_info_; - NiceMock& admin_ = server_context_.admin_; - NiceMock& log_manager_ = server_context_.access_log_manager_; - NiceMock validation_visitor_; - NiceMock random_; Api::ApiPtr api_; - Server::MockOptions& options_ = server_context_.options_; - NiceMock overload_manager_; }; // A test version of ClusterManagerImpl that provides a way to get a non-const handle to the // clusters, which is necessary in order to call updateHosts on the priority set. class TestClusterManagerImpl : public ClusterManagerImpl { public: - static std::unique_ptr createTestClusterManager( - const envoy::config::bootstrap::v3::Bootstrap& bootstrap, ClusterManagerFactory& factory, - Server::Configuration::CommonFactoryContext& context, Stats::Store& stats, - ThreadLocal::Instance& tls, Runtime::Loader& runtime, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Event::Dispatcher& main_thread_dispatcher, - Server::Admin& admin, Api::Api& api, Http::Context& http_context, Grpc::Context& grpc_context, - Router::Context& router_context, Server::Instance& server, Config::XdsManager& xds_manager) { + static std::unique_ptr + createTestClusterManager(const envoy::config::bootstrap::v3::Bootstrap& bootstrap, + ClusterManagerFactory& factory, + Server::Configuration::ServerFactoryContext& context) { absl::Status creation_status = absl::OkStatus(); - auto cluster_manager = std::unique_ptr{new TestClusterManagerImpl( - bootstrap, factory, context, stats, tls, runtime, local_info, log_manager, - main_thread_dispatcher, admin, api, http_context, grpc_context, router_context, server, - xds_manager, creation_status)}; - THROW_IF_NOT_OK(creation_status); + auto cluster_manager = std::unique_ptr{ + new TestClusterManagerImpl(bootstrap, factory, context, creation_status)}; + THROW_IF_NOT_OK_REF(creation_status); return cluster_manager; } @@ -209,17 +200,9 @@ class TestClusterManagerImpl : public ClusterManagerImpl { TestClusterManagerImpl(const envoy::config::bootstrap::v3::Bootstrap& bootstrap, ClusterManagerFactory& factory, - Server::Configuration::CommonFactoryContext& context, Stats::Store& stats, - ThreadLocal::Instance& tls, Runtime::Loader& runtime, - const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, - Event::Dispatcher& main_thread_dispatcher, Server::Admin& admin, - Api::Api& api, Http::Context& http_context, Grpc::Context& grpc_context, - Router::Context& router_context, Server::Instance& server, - Config::XdsManager& xds_manager, absl::Status& creation_status) - : ClusterManagerImpl(bootstrap, factory, context, stats, tls, runtime, local_info, - log_manager, main_thread_dispatcher, admin, api, http_context, - grpc_context, router_context, server, xds_manager, creation_status) {} + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status) + : ClusterManagerImpl(bootstrap, factory, context, creation_status) {} }; } // namespace Upstream diff --git a/test/config_test/config_test.cc b/test/config_test/config_test.cc index 7d811c65ed991..beb105ba50baa 100644 --- a/test/config_test/config_test.cc +++ b/test/config_test/config_test.cc @@ -61,9 +61,8 @@ class ConfigTest { ConfigTest(OptionsImplBase& options) : api_(Api::createApiForTest(time_system_)), ads_mux_(std::make_shared>()), options_(options) { - ON_CALL(server_.server_factory_context_->xds_manager_, adsMux()) - .WillByDefault(Return(ads_mux_)); - ON_CALL(*server_.server_factory_context_, api()).WillByDefault(ReturnRef(server_.api_)); + ON_CALL(server_, serverFactoryContext()).WillByDefault(ReturnRef(server_factory_context_)); + ON_CALL(server_.xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); ON_CALL(server_, options()).WillByDefault(ReturnRef(options_)); ON_CALL(server_, sslContextManager()).WillByDefault(ReturnRef(ssl_context_manager_)); ON_CALL(server_.api_, fileSystem()).WillByDefault(ReturnRef(file_system_)); @@ -124,10 +123,9 @@ class ConfigTest { } cluster_manager_factory_ = std::make_unique( - *server_.server_factory_context_, server_.stats(), server_.threadLocal(), - server_.httpContext(), + server_factory_context_, [this]() -> Network::DnsResolverSharedPtr { return this->server_.dnsResolver(); }, - ssl_context_manager_, server_.quic_stat_names_, server_); + server_.quic_stat_names_); ON_CALL(server_, clusterManager()).WillByDefault(Invoke([&]() -> Upstream::ClusterManager& { return *main_config.clusterManager(); @@ -158,7 +156,6 @@ class ConfigTest { return Server::ProdListenerComponentFactory::createUdpListenerFilterFactoryListImpl( filters, context); })); - ON_CALL(server_, serverFactoryContext()).WillByDefault(ReturnRef(server_factory_context_)); try { THROW_IF_NOT_OK(main_config.initialize(bootstrap, server_, *cluster_manager_factory_)); diff --git a/test/extensions/clusters/aggregate/cluster_update_test.cc b/test/extensions/clusters/aggregate/cluster_update_test.cc index 4be27c4897ffc..ba73c4becd92a 100644 --- a/test/extensions/clusters/aggregate/cluster_update_test.cc +++ b/test/extensions/clusters/aggregate/cluster_update_test.cc @@ -35,10 +35,7 @@ envoy::config::bootstrap::v3::Bootstrap parseBootstrapFromV2Yaml(const std::stri class AggregateClusterUpdateTest : public Event::TestUsingSimulatedTime, public testing::TestWithParam { public: - AggregateClusterUpdateTest() - : ads_mux_(std::make_shared>()), - http_context_(stats_store_.symbolTable()), grpc_context_(stats_store_.symbolTable()), - router_context_(stats_store_.symbolTable()) {} + AggregateClusterUpdateTest() : ads_mux_(std::make_shared>()) {} void initialize(const std::string& yaml_config) { auto bootstrap = parseBootstrapFromV2Yaml(yaml_config); @@ -46,11 +43,9 @@ class AggregateClusterUpdateTest : public Event::TestUsingSimulatedTime, bootstrap.mutable_cluster_manager()->set_enable_deferred_cluster_creation(use_deferred_cluster); // Replace the adsMux to have mocked GrpcMux object that will allow invoking // methods when creating the cluster-manager. - ON_CALL(xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); + ON_CALL(factory_.server_context_.xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); cluster_manager_ = Upstream::TestClusterManagerImpl::createTestClusterManager( - bootstrap, factory_, factory_.server_context_, factory_.stats_, factory_.tls_, - factory_.runtime_, factory_.local_info_, log_manager_, factory_.dispatcher_, admin_, - *factory_.api_, http_context_, grpc_context_, router_context_, server_, xds_manager_); + bootstrap, factory_, factory_.server_context_); ON_CALL(factory_.server_context_, clusterManager()).WillByDefault(ReturnRef(*cluster_manager_)); THROW_IF_NOT_OK(cluster_manager_->initialize(bootstrap)); @@ -59,18 +54,10 @@ class AggregateClusterUpdateTest : public Event::TestUsingSimulatedTime, cluster_ = cluster_manager_->getThreadLocalCluster("aggregate_cluster"); } - Stats::IsolatedStoreImpl stats_store_; - NiceMock admin_; NiceMock factory_; Upstream::ThreadLocalCluster* cluster_; std::shared_ptr> ads_mux_; - NiceMock xds_manager_; std::unique_ptr cluster_manager_; - AccessLog::MockAccessLogManager log_manager_; - Http::ContextImpl http_context_; - Grpc::ContextImpl grpc_context_; - Router::ContextImpl router_context_; - NiceMock server_; const std::string default_yaml_config_ = R"EOF( static_resources: @@ -279,11 +266,9 @@ TEST_P(AggregateClusterUpdateTest, InitializeAggregateClusterAfterOtherClusters) auto bootstrap = parseBootstrapFromV2Yaml(config); // Replace the adsMux to have mocked GrpcMux object that will allow invoking // methods when creating the cluster-manager. - ON_CALL(xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); + ON_CALL(factory_.server_context_.xds_manager_, adsMux()).WillByDefault(Return(ads_mux_)); cluster_manager_ = Upstream::TestClusterManagerImpl::createTestClusterManager( - bootstrap, factory_, factory_.server_context_, factory_.stats_, factory_.tls_, - factory_.runtime_, factory_.local_info_, log_manager_, factory_.dispatcher_, admin_, - *factory_.api_, http_context_, grpc_context_, router_context_, server_, xds_manager_); + bootstrap, factory_, factory_.server_context_); ON_CALL(factory_.server_context_, clusterManager()).WillByDefault(ReturnRef(*cluster_manager_)); THROW_IF_NOT_OK(cluster_manager_->initialize(bootstrap)); diff --git a/test/server/config_validation/cluster_manager_test.cc b/test/server/config_validation/cluster_manager_test.cc index 9c88b384fa86b..3063c33deacdd 100644 --- a/test/server/config_validation/cluster_manager_test.cc +++ b/test/server/config_validation/cluster_manager_test.cc @@ -29,27 +29,22 @@ namespace Upstream { namespace { TEST(ValidationClusterManagerTest, MockedMethods) { - NiceMock server; + testing::NiceMock server_context; - Stats::TestUtil::TestStore& stats_store = server.server_factory_context_->store_; - Event::GlobalTimeSystem& time_system = server.server_factory_context_->time_system_; + Stats::TestUtil::TestStore& stats_store = server_context.store_; + Event::GlobalTimeSystem& time_system = server_context.time_system_; Api::ApiPtr api(Api::createApiForTest(stats_store, time_system)); - ON_CALL(*server.server_factory_context_, api()).WillByDefault(testing::ReturnRef(*api)); + ON_CALL(server_context, api()).WillByDefault(testing::ReturnRef(*api)); + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager{server_context}; + ON_CALL(server_context, sslContextManager()) + .WillByDefault(testing::ReturnRef(ssl_context_manager)); - NiceMock& tls = server.server_factory_context_->thread_local_; - - testing::NiceMock secret_manager; auto dns_resolver = std::make_shared>(); - Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager{ - *server.server_factory_context_}; - - Http::ContextImpl http_context(stats_store.symbolTable()); Quic::QuicStatNames quic_stat_names(stats_store.symbolTable()); ValidationClusterManagerFactory factory( - *server.server_factory_context_, stats_store, tls, http_context, - [dns_resolver]() -> Network::DnsResolverSharedPtr { return dns_resolver; }, - ssl_context_manager, quic_stat_names, server); + server_context, [dns_resolver]() -> Network::DnsResolverSharedPtr { return dns_resolver; }, + quic_stat_names); const envoy::config::bootstrap::v3::Bootstrap bootstrap; ClusterManagerPtr cluster_manager = *factory.clusterManagerFromProto(bootstrap); diff --git a/test/server/configuration_impl_test.cc b/test/server/configuration_impl_test.cc index 3e051873ce700..5ce86dc719cea 100644 --- a/test/server/configuration_impl_test.cc +++ b/test/server/configuration_impl_test.cc @@ -63,9 +63,9 @@ class ConfigurationImplTest : public testing::Test { ConfigurationImplTest() : api_(Api::createApiForTest()), ads_mux_(std::make_shared>()), cluster_manager_factory_( - server_context_, server_.stats(), server_.threadLocal(), server_.httpContext(), + server_context_, [this]() -> Network::DnsResolverSharedPtr { return this->server_.dnsResolver(); }, - server_.sslContextManager(), server_.quic_stat_names_, server_) { + server_.quic_stat_names_) { ON_CALL(server_context_.api_, threadFactory()) .WillByDefault( Invoke([this]() -> Thread::ThreadFactory& { return api_->threadFactory(); })); From ca73fe4aef97a06340ef8e74cabe6aa8af3a5928 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 24 Jul 2025 12:19:46 -0700 Subject: [PATCH 072/505] hcm: deprecate flag explicit_internal_address_config and remove legacy code paths (#40398) ## Description This PR removes the deprecated reloadable flag `explicit_internal_address_config` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/40373 --- **Commit Message:** hcm: deprecate flag explicit_internal_address_config and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `explicit_internal_address_config` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/http/conn_manager_config.h | 8 +------ source/common/runtime/runtime_features.cc | 1 - .../network/http_connection_manager/config.cc | 9 -------- .../http_connection_manager/config_test.cc | 22 ------------------- 5 files changed, 4 insertions(+), 39 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 654545b716750..541106147f582 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -20,6 +20,9 @@ removed_config_or_runtime: - area: oauth2 change: | Removed runtime guard ``envoy.reloadable_features.oauth2_use_refresh_token`` and legacy code paths. +- area: http_connection_manager + change: | + Removed runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/http/conn_manager_config.h b/source/common/http/conn_manager_config.h index 406b06332a04b..d5054042c180b 100644 --- a/source/common/http/conn_manager_config.h +++ b/source/common/http/conn_manager_config.h @@ -190,13 +190,7 @@ class InternalAddressConfig { */ class DefaultInternalAddressConfig : public Http::InternalAddressConfig { public: - bool isInternalAddress(const Network::Address::Instance& address) const override { - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.explicit_internal_address_config")) { - return false; - } - return Network::Utility::isInternalAddress(address); - } + bool isInternalAddress(const Network::Address::Instance&) const override { return false; } }; /** diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 66e8c52475195..6ef25df359248 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -41,7 +41,6 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); RUNTIME_GUARD(envoy_reloadable_features_enable_udp_proxy_outlier_detection); -RUNTIME_GUARD(envoy_reloadable_features_explicit_internal_address_config); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); RUNTIME_GUARD(envoy_reloadable_features_filter_chain_aborted_can_not_continue); RUNTIME_GUARD(envoy_reloadable_features_gcp_authn_use_fixed_url); diff --git a/source/extensions/filters/network/http_connection_manager/config.cc b/source/extensions/filters/network/http_connection_manager/config.cc index 8d1942464bf00..1c65702f13398 100644 --- a/source/extensions/filters/network/http_connection_manager/config.cc +++ b/source/extensions/filters/network/http_connection_manager/config.cc @@ -80,15 +80,6 @@ std::unique_ptr createInternalAddressConfig( creation_status); } - if (!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.explicit_internal_address_config")) { - ENVOY_LOG_ONCE_MISC(warn, - "internal_address_config is not configured. The prior default behaviour " - "trusted RFC1918 IP addresses, but this was changed in the 1.32 release. " - "Please explictily config internal address config if you need it before " - "envoy.reloadable_features.explicit_internal_address_config is removed."); - } - return std::make_unique(); } diff --git a/test/extensions/filters/network/http_connection_manager/config_test.cc b/test/extensions/filters/network/http_connection_manager/config_test.cc index f471b6664c9de..f5d0ea8d68f1e 100644 --- a/test/extensions/filters/network/http_connection_manager/config_test.cc +++ b/test/extensions/filters/network/http_connection_manager/config_test.cc @@ -727,28 +727,6 @@ TEST_F(HttpConnectionManagerConfigTest, DefaultInternalAddress) { EXPECT_FALSE(config.internalAddressConfig().isInternalAddress(default_ip_address)); } -TEST_F(HttpConnectionManagerConfigTest, LegacyDefaultInternalAddress) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.explicit_internal_address_config", "false"}}); - const std::string yaml_string = R"EOF( - stat_prefix: ingress_http - route_config: - name: local_route - http_filters: - - name: envoy.filters.http.router - )EOF"; - - HttpConnectionManagerConfig config(parseHttpConnectionManagerFromYaml(yaml_string), context_, - date_provider_, route_config_provider_manager_, - &scoped_routes_config_provider_manager_, tracer_manager_, - filter_config_provider_manager_, creation_status_); - ASSERT_TRUE(creation_status_.ok()); - // Previously, Envoy considered RFC1918 IP addresses to be internal, by default. - Network::Address::Ipv4Instance default_ip_address{"10.48.179.130", 0, nullptr}; - EXPECT_TRUE(config.internalAddressConfig().isInternalAddress(default_ip_address)); -} - TEST_F(HttpConnectionManagerConfigTest, CidrRangeBasedInternalAddress) { const std::string yaml_string = R"EOF( stat_prefix: ingress_http From abc31a81e099b5adaac9f72eff560c53aa1f1020 Mon Sep 17 00:00:00 2001 From: Kevin Baichoo Date: Thu, 24 Jul 2025 15:43:10 -0400 Subject: [PATCH 073/505] Docs: Clang 18 should be the suggested used version. (#40429) Commit Message: Docs: Clang 18 should be the suggested used version. Additional Description: Risk Level: n/a Testing: n/a Docs Changes: yes Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Kevin Baichoo --- bazel/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bazel/README.md b/bazel/README.md index b99d1f10704fd..7224e63792e86 100644 --- a/bazel/README.md +++ b/bazel/README.md @@ -98,7 +98,7 @@ for how to update or override dependencies. ``` ### Linux - On Linux, we recommend using the prebuilt Clang+LLVM package from [LLVM official site](http://releases.llvm.org/download.html) for Clang 14. + On Linux, we recommend using the prebuilt Clang+LLVM package from [LLVM official site](http://releases.llvm.org/download.html) for Clang 18. Extract the tar.xz and run the following: ```console @@ -365,7 +365,7 @@ for more details. ## Supported compiler versions We now require Clang >= 18 due to C++20 support (for Clang >= 14, your mileage may vary) and tcmalloc requirement. GCC >= 13 is also known to work for C++20. -Currently the CI is running with Clang 14. +Currently the CI is running with Clang 18. ## Clang STL debug symbols From c5505765a5871cd314f159cb8e4b978c9eed3302 Mon Sep 17 00:00:00 2001 From: David Vilaverde Date: Thu, 24 Jul 2025 18:42:26 -0400 Subject: [PATCH 074/505] router_check: add support for dynamic_metadata in router_check tool tests (#40131) Commit Message: add support for dynamic_metadata in router_check tool tests Additional Description: Risk Level: low Testing: unit test Docs Changes: Updated router_check tool docs to reflect the updated ValidationInput message and included an example Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: dvilaverde Signed-off-by: David Vilaverde Co-authored-by: dvilaverde --- changelogs/current.yaml | 6 + .../operations/tools/router_check.rst | 65 ++++++ test/tools/router_check/BUILD | 2 + test/tools/router_check/router.cc | 46 ++++ test/tools/router_check/router.h | 8 + .../config/DynamicMetadata.golden.proto.json | 218 ++++++++++++++++++ .../test/config/DynamicMetadata.yaml | 88 +++++++ test/tools/router_check/test/router_test.cc | 15 ++ test/tools/router_check/validation.proto | 4 + 9 files changed, 452 insertions(+) create mode 100644 test/tools/router_check/test/config/DynamicMetadata.golden.proto.json create mode 100644 test/tools/router_check/test/config/DynamicMetadata.yaml diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 541106147f582..3740b24f29997 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -34,6 +34,12 @@ new_features: are validated and will throw an error if combined with payloads. The implementation is optimized to process the payload once during configuration and reuse it for all health check requests. See :ref:`HttpHealthCheck ` for configuration details. +- area: router_check_tool + change: | + Added support for testing routes with :ref:`dynamic metadata matchers ` + in the router check tool. The tool now accepts a ``dynamic_metadata`` field in test input to set metadata + that can be matched by route configuration. This allows comprehensive testing of routes that depend on + dynamic metadata for routing decisions. - area: lua change: | Added a new ``filterState()`` on ``streamInfo()`` which provides access to filter state objects stored during request processing. diff --git a/docs/root/configuration/operations/tools/router_check.rst b/docs/root/configuration/operations/tools/router_check.rst index a8eb4013e6dd4..b02522e30c8b6 100644 --- a/docs/root/configuration/operations/tools/router_check.rst +++ b/docs/root/configuration/operations/tools/router_check.rst @@ -47,6 +47,49 @@ This test case asserts that GET requests to ``api.lyft.com/api/locations`` are r validate: cluster_name: instant-server +Dynamic metadata example +------------------------ + +This test case demonstrates how to test routes that use dynamic metadata matchers. The test sets dynamic metadata +and verifies that the route with the matching dynamic metadata condition is selected. + +.. code-block:: yaml + + tests: + - test_name: dynamic_metadata_test + input: + authority: api.lyft.com + path: /example + method: GET + dynamic_metadata: + - metadata_namespace: example.meta + value: + foo: bar + validate: + cluster_name: cluster2 + virtual_host_name: default + +The corresponding route configuration would need to include a dynamic metadata matcher: + +.. code-block:: yaml + + virtual_hosts: + - name: default + domains: + - 'api.lyft.com' + routes: + - route: + cluster: cluster2 + match: + path: /example + dynamic_metadata: + - filter: example.meta + path: + - key: foo + value: + string_match: + exact: bar + Available test parameters ------------------------- @@ -68,6 +111,11 @@ Available test parameters additional_response_headers: - key: ... value: ... + dynamic_metadata: + - metadata_namespace: ... + value: ... + typed_value: ... + allow_overwrite: ... validate: cluster_name: ... virtual_cluster_name: ... @@ -137,6 +185,23 @@ input value *(required, string)* The value of the header field to add. + dynamic_metadata + *(optional, array)* Dynamic metadata to be added to the request as input for route determination. + This allows testing routes that use :ref:`dynamic metadata matchers `. + Each metadata entry follows the :ref:`set_metadata filter schema `. + + metadata_namespace + *(required, string)* The namespace for the metadata (e.g., "example.meta"). + + value + *(optional, object)* The metadata value as a JSON object (e.g., {"foo": "bar"}). + + typed_value + *(optional, object)* The typed metadata value (alternative to value). + + allow_overwrite + *(optional, boolean)* Whether to allow overwriting existing metadata. Defaults to false. + validate *(required, object)* The validate object specifies the returned route parameters to match. At least one test parameter must be specified. Use "" (empty string) to indicate that no return value is expected. diff --git a/test/tools/router_check/BUILD b/test/tools/router_check/BUILD index b50a1feac0787..07a5c7178d4c0 100644 --- a/test/tools/router_check/BUILD +++ b/test/tools/router_check/BUILD @@ -58,6 +58,7 @@ envoy_cc_test_library( "@com_github_mirror_tclap//:tclap", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/config/route/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/http/set_metadata/v3:pkg_cc_proto", "@envoy_api//envoy/type/v3:pkg_cc_proto", ], ) @@ -68,5 +69,6 @@ envoy_proto_library( deps = [ "@envoy_api//envoy/config/core/v3:pkg", "@envoy_api//envoy/config/route/v3:pkg", + "@envoy_api//envoy/extensions/filters/http/set_metadata/v3:pkg", ], ) diff --git a/test/tools/router_check/router.cc b/test/tools/router_check/router.cc index db27f4ad97c5f..26cf81a734abd 100644 --- a/test/tools/router_check/router.cc +++ b/test/tools/router_check/router.cc @@ -7,6 +7,7 @@ #include "envoy/config/core/v3/base.pb.h" #include "envoy/config/route/v3/route.pb.h" +#include "envoy/extensions/filters/http/set_metadata/v3/set_metadata.pb.h" #include "envoy/type/v3/percent.pb.h" #include "source/common/common/enum_to_int.h" @@ -234,6 +235,47 @@ Json::ObjectSharedPtr loadFromFile(const std::string& file_path, Api::Api& api) return Json::Factory::loadFromString(contents).value(); } +void RouterCheckTool::applyDynamicMetadata( + Envoy::StreamInfo::StreamInfoImpl& stream_info, + const Envoy::Protobuf::RepeatedPtrField< + envoy::extensions::filters::http::set_metadata::v3::Metadata>& dynamic_metadata) { + if (dynamic_metadata.empty()) { + return; + } + + for (const auto& metadata : dynamic_metadata) { + if (metadata.has_value()) { + auto& mut_untyped_metadata = *stream_info.dynamicMetadata().mutable_filter_metadata(); + const std::string& metadata_namespace = metadata.metadata_namespace(); + + if (!mut_untyped_metadata.contains(metadata_namespace)) { + // Insert the new entry. + mut_untyped_metadata[metadata_namespace] = metadata.value(); + } else if (metadata.allow_overwrite()) { + // Get the existing metadata at this key for merging. + ProtobufWkt::Struct& orig_fields = mut_untyped_metadata[metadata_namespace]; + const auto& to_merge = metadata.value(); + + // Merge the new metadata into the existing metadata. + StructUtil::update(orig_fields, to_merge); + } + // If allow_overwrite is false and entry exists, we skip it + } else if (metadata.has_typed_value()) { + auto& mut_typed_metadata = *stream_info.dynamicMetadata().mutable_typed_filter_metadata(); + const std::string& metadata_namespace = metadata.metadata_namespace(); + + if (!mut_typed_metadata.contains(metadata_namespace)) { + // Insert the new entry. + mut_typed_metadata[metadata_namespace] = metadata.typed_value(); + } else if (metadata.allow_overwrite()) { + // Overwrite the existing typed metadata at this key. + mut_typed_metadata[metadata_namespace] = metadata.typed_value(); + } + // If allow_overwrite is false and entry exists, we skip it + } + } +} + std::vector RouterCheckTool::compareEntries(const std::string& expected_routes) { envoy::RouterCheckToolSchema::Validation validation_config; @@ -254,6 +296,10 @@ RouterCheckTool::compareEntries(const std::string& expected_routes) { Envoy::Http::Protocol::Http11, factory_context_->mainThreadDispatcher().timeSource(), connection_info_provider, StreamInfo::FilterState::LifeSpan::FilterChain); ToolConfig tool_config = ToolConfig::create(check_config); + + // Apply dynamic metadata to stream_info before routing + applyDynamicMetadata(stream_info, check_config.input().dynamic_metadata()); + tool_config.route_ = config_->route(*tool_config.request_headers_, stream_info, tool_config.random_value_); diff --git a/test/tools/router_check/router.h b/test/tools/router_check/router.h index 6bab804167fc5..2bf32757a99cd 100644 --- a/test/tools/router_check/router.h +++ b/test/tools/router_check/router.h @@ -123,6 +123,14 @@ class RouterCheckTool : Logger::Loggable { */ void sendLocalReply(ToolConfig& tool_config, const Router::DirectResponseEntry& entry); + /** + * Apply dynamic metadata to stream_info, similar to how the set_metadata filter works. + */ + void applyDynamicMetadata( + Envoy::StreamInfo::StreamInfoImpl& stream_info, + const Envoy::Protobuf::RepeatedPtrField< + envoy::extensions::filters::http::set_metadata::v3::Metadata>& dynamic_metadata); + bool compareCluster(ToolConfig& tool_config, const envoy::RouterCheckToolSchema::ValidationAssert& expected, envoy::RouterCheckToolSchema::ValidationFailure& failure); diff --git a/test/tools/router_check/test/config/DynamicMetadata.golden.proto.json b/test/tools/router_check/test/config/DynamicMetadata.golden.proto.json new file mode 100644 index 0000000000000..0e8bb562b02e6 --- /dev/null +++ b/test/tools/router_check/test/config/DynamicMetadata.golden.proto.json @@ -0,0 +1,218 @@ +{ + "tests": [ + { + "test_name": "dynamic_metadata_basic_match", + "input": { + "authority": "edge.example.net", + "path": "/example", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "bar" + } + } + ] + }, + "validate": { + "cluster_name": "cluster2", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_fallback_no_metadata", + "input": { + "authority": "edge.example.net", + "path": "/example", + "method": "GET" + }, + "validate": { + "cluster_name": "cluster1", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_different_value", + "input": { + "authority": "edge.example.net", + "path": "/example", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "baz" + } + } + ] + }, + "validate": { + "cluster_name": "cluster3", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_nested_structure", + "input": { + "authority": "edge.example.net", + "path": "/nested", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "nested.meta", + "value": { + "level1": { + "level2": "value" + } + } + } + ] + }, + "validate": { + "cluster_name": "cluster4", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_inverted_match", + "input": { + "authority": "edge.example.net", + "path": "/inverted", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "different" + } + } + ] + }, + "validate": { + "cluster_name": "cluster5", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_inverted_no_match", + "input": { + "authority": "edge.example.net", + "path": "/inverted", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "bar" + } + } + ] + }, + "validate": { + "cluster_name": "cluster1", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_multiple_matchers_match", + "input": { + "authority": "edge.example.net", + "path": "/multiple", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "bar" + } + }, + { + "metadata_namespace": "other.meta", + "value": { + "status": "active" + } + } + ] + }, + "validate": { + "cluster_name": "cluster6", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_multiple_matchers_partial_match", + "input": { + "authority": "edge.example.net", + "path": "/multiple", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "bar" + } + } + ] + }, + "validate": { + "cluster_name": "cluster1", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_allow_overwrite", + "input": { + "authority": "edge.example.net", + "path": "/example", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "initial" + } + }, + { + "metadata_namespace": "example.meta", + "value": { + "foo": "bar" + }, + "allow_overwrite": true + } + ] + }, + "validate": { + "cluster_name": "cluster2", + "virtual_host_name": "default" + } + }, + { + "test_name": "dynamic_metadata_no_overwrite", + "input": { + "authority": "edge.example.net", + "path": "/example", + "method": "GET", + "dynamic_metadata": [ + { + "metadata_namespace": "example.meta", + "value": { + "foo": "bar" + } + }, + { + "metadata_namespace": "example.meta", + "value": { + "foo": "different" + }, + "allow_overwrite": false + } + ] + }, + "validate": { + "cluster_name": "cluster2", + "virtual_host_name": "default" + } + } + ] +} diff --git a/test/tools/router_check/test/config/DynamicMetadata.yaml b/test/tools/router_check/test/config/DynamicMetadata.yaml new file mode 100644 index 0000000000000..2173c4b55bb6a --- /dev/null +++ b/test/tools/router_check/test/config/DynamicMetadata.yaml @@ -0,0 +1,88 @@ +virtual_hosts: +- name: default + domains: + - 'edge.example.net' + routes: + # Route with different dynamic metadata value - more specific path + - route: + cluster: cluster3 + match: + path: /example + dynamic_metadata: + - filter: example.meta + path: + - key: foo + value: + string_match: + exact: baz + # More specific route with dynamic metadata - should match first for foo=bar + - route: + cluster: cluster2 + match: + path: /example + dynamic_metadata: + - filter: example.meta + path: + - key: foo + value: + string_match: + exact: bar + # Route with nested metadata structure + - route: + cluster: cluster4 + match: + path: /nested + dynamic_metadata: + - filter: nested.meta + path: + - key: level1 + - key: level2 + value: + string_match: + exact: value + # Route with inverted dynamic metadata matcher - more specific path + - route: + cluster: cluster5 + match: + path: /inverted + dynamic_metadata: + - filter: example.meta + path: + - key: foo + value: + string_match: + exact: bar + invert: true + # Fallback route for /inverted path + - route: + cluster: cluster1 + match: + path: /inverted + # Route with multiple dynamic metadata matchers - more specific path + - route: + cluster: cluster6 + match: + path: /multiple + dynamic_metadata: + - filter: example.meta + path: + - key: foo + value: + string_match: + exact: bar + - filter: other.meta + path: + - key: status + value: + string_match: + exact: active + # Fallback route for /multiple path + - route: + cluster: cluster1 + match: + path: /multiple + # Fallback route without dynamic metadata - should be last + - route: + cluster: cluster1 + match: + path: /example diff --git a/test/tools/router_check/test/router_test.cc b/test/tools/router_check/test/router_test.cc index 4905ed78cca8c..8fb592c927dc9 100644 --- a/test/tools/router_check/test/router_test.cc +++ b/test/tools/router_check/test/router_test.cc @@ -117,5 +117,20 @@ TEST(RouterCheckTest, RouterCheckTestRoutesFailuresTest) { EXPECT_TRUE(TestUtility::protoEqual(expected_result_proto, test_result, true)); } +TEST(RouterCheckTest, DynamicMetadataTest) { + const std::string config_filename_ = + TestEnvironment::runfilesPath(absl::StrCat(kDir, "DynamicMetadata.yaml")); + const std::string tests_filename_ = + TestEnvironment::runfilesPath(absl::StrCat(kDir, "DynamicMetadata.golden.proto.json")); + RouterCheckTool checktool = RouterCheckTool::create(config_filename_, false); + const std::vector test_results = + checktool.compareEntries(tests_filename_); + EXPECT_EQ(test_results.size(), 10); + for (const auto& test_result : test_results) { + EXPECT_TRUE(test_result.test_passed()) << "Test " << test_result.test_name() << " failed"; + EXPECT_FALSE(test_result.has_failure()) << "Test " << test_result.test_name() << " has failure"; + } +} + } // namespace } // namespace Envoy diff --git a/test/tools/router_check/validation.proto b/test/tools/router_check/validation.proto index 1d90144d6c976..e7fb0704607be 100644 --- a/test/tools/router_check/validation.proto +++ b/test/tools/router_check/validation.proto @@ -4,6 +4,7 @@ package envoy.RouterCheckToolSchema; import "envoy/config/core/v3/base.proto"; import "envoy/config/route/v3/route_components.proto"; +import "envoy/extensions/filters/http/set_metadata/v3/set_metadata.proto"; import "google/protobuf/wrappers.proto"; import "validate/validate.proto"; @@ -70,6 +71,9 @@ message ValidationInput { repeated envoy.config.core.v3.HeaderValue additional_request_headers = 10; repeated envoy.config.core.v3.HeaderValue additional_response_headers = 11; + // Metadata to be added to the request as input for route determination. + repeated envoy.extensions.filters.http.set_metadata.v3.Metadata dynamic_metadata = 12; + // Runtime setting key to enable for the test case. // If a route depends on the runtime, the route will be enabled based on the random_value defined // in the test. Only a random_value less than the fractional percentage will enable the route. From ee2bab9e40e7d7649cc88c5e1098c74e0c79501d Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 24 Jul 2025 19:12:28 -0700 Subject: [PATCH 075/505] Re-apply "Using Radix tree instead of Trie (#40160)" (#40428) This reverts commit 48a49826f65841fb1e6a055c6b574a3d97bb1ca2. Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 + source/common/common/BUILD | 10 + source/common/common/radix_tree.h | 302 +++++++++++++++ source/common/matcher/BUILD | 2 +- source/common/matcher/prefix_map_matcher.h | 4 +- .../redis_proxy/command_splitter_impl.h | 4 +- .../filters/network/redis_proxy/router_impl.h | 4 +- .../extensions/filters/udp/dns_filter/BUILD | 2 +- .../filters/udp/dns_filter/dns_filter.h | 8 +- test/common/common/BUILD | 41 ++ .../common/prefix_matching_benchmark.cc | 162 ++++++++ test/common/common/radix_tree_speed_test.cc | 89 +++++ test/common/common/radix_tree_test.cc | 357 ++++++++++++++++++ tools/spelling/spelling_dictionary.txt | 4 + 14 files changed, 979 insertions(+), 13 deletions(-) create mode 100644 source/common/common/radix_tree.h create mode 100644 test/common/common/prefix_matching_benchmark.cc create mode 100644 test/common/common/radix_tree_speed_test.cc create mode 100644 test/common/common/radix_tree_test.cc diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 3740b24f29997..de0d6210bf19d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -55,5 +55,8 @@ new_features: :ref:`RouteAction.rate_limits` fields will be ignored. However, :ref:`RateLimitPerRoute.rate_limits` will take precedence over this field. +- area: dns_filter, redis_proxy and prefix_matcher_map + change: | + Switch to using Radix Tree instead of Trie for performance improvements. deprecated: diff --git a/source/common/common/BUILD b/source/common/common/BUILD index 9382613088bb3..b5d6cbe6aca19 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -483,6 +483,16 @@ envoy_cc_library( hdrs = ["trie_lookup_table.h"], ) +envoy_cc_library( + name = "radix_tree_lib", + hdrs = ["radix_tree.h"], + deps = [ + ":assert_lib", + "@com_google_absl//absl/container:flat_hash_map", + "@com_google_absl//absl/strings", + ], +) + envoy_cc_library( name = "utility_lib", srcs = ["utility.cc"], diff --git a/source/common/common/radix_tree.h b/source/common/common/radix_tree.h new file mode 100644 index 0000000000000..aae80fd3edbb0 --- /dev/null +++ b/source/common/common/radix_tree.h @@ -0,0 +1,302 @@ +#pragma once + +#include +#include + +#include "envoy/common/optref.h" + +#include "source/common/common/assert.h" + +#include "absl/container/flat_hash_map.h" +#include "absl/strings/string_view.h" +#include "absl/types/optional.h" + +namespace Envoy { +template class RadixTree { + static constexpr int32_t NoNode = -1; + struct RadixTreeNode { + std::string prefix_; + Value value_{}; + // Hash map for O(1) child lookup by first character + absl::flat_hash_map children_; + + /** + * Insert a key-value pair into this node + * @param key the full key being inserted + * @param search the remaining search key + * @param value the value to insert + */ + void insert(absl::string_view search, Value value) { + // Handle key exhaustion + if (search.empty()) { + value_ = std::move(value); + return; + } + + // Look for the edge + uint8_t firstChar = static_cast(search[0]); + auto childIt = children_.find(firstChar); + + // No edge, create one + if (childIt == children_.end()) { + // Create a new child node + RadixTreeNode newChild; + newChild.prefix_ = std::string(search); + newChild.value_ = std::move(value); + + // Add the child to the current node + children_[firstChar] = std::move(newChild); + return; + } + + // Get the child node + RadixTreeNode& child = childIt->second; + + // Determine longest prefix length of the search key on match + size_t cpl = commonPrefixLength(search, child.prefix_); + if (cpl == child.prefix_.size()) { + // The search key is longer than the child prefix, continue down + absl::string_view remaining_search = search.substr(cpl); + child.insert(remaining_search, std::move(value)); + return; + } + + // Split the node - create a new intermediate node + RadixTreeNode split_node; + split_node.prefix_ = std::string(search.substr(0, cpl)); + + // Update the child's prefix + child.prefix_ = std::string(child.prefix_.substr(cpl)); + + // If the search key is exactly the common prefix, set the value on the split node + if (cpl == search.size()) { + split_node.value_ = std::move(value); + } else { + // Create a new leaf for the current key + RadixTreeNode new_leaf; + new_leaf.prefix_ = std::string(search.substr(cpl)); + new_leaf.value_ = std::move(value); + split_node.children_[static_cast(new_leaf.prefix_[0])] = std::move(new_leaf); + } + + // Add the child to the split node + split_node.children_[static_cast(child.prefix_[0])] = std::move(child); + + // Replace the original child with the split node + children_[firstChar] = std::move(split_node); + } + + /** + * Recursive helper for find operation. + * @param search the remaining search key. + * @param result the value to return if found. + * @return true if the key was found, false otherwise. + */ + bool findRecursive(absl::string_view search, Value& result) const { + if (search.empty()) { + if (has_value(*this)) { + result = value_; + return true; + } + return false; + } + + uint8_t firstChar = static_cast(search[0]); + auto childIt = children_.find(firstChar); + if (childIt == children_.end()) { + return false; + } + + const RadixTreeNode& child = childIt->second; + + // Check if the child's prefix matches the search + if (search.size() >= child.prefix_.size() && + search.substr(0, child.prefix_.size()) == child.prefix_) { + absl::string_view new_search = search.substr(child.prefix_.size()); + return child.findRecursive(new_search, result); + } + + return false; + } + + /** + * Get a child node by character key + */ + Envoy::OptRef getChild(uint8_t char_key) const { + auto it = children_.find(char_key); + if (it != children_.end()) { + return {it->second}; + } + return {}; + } + }; + + /** + * Check if a node has a value (is a leaf node) + */ + static bool has_value(const RadixTreeNode& node) { + // For pointer types, check if the pointer is not null + if constexpr (std::is_pointer_v) { + return node.value_ != nullptr; + } else { + return static_cast(node.value_); + } + } + + /** + * Find the longest common prefix between two strings + */ + static size_t commonPrefixLength(absl::string_view a, absl::string_view b) { + size_t len = std::min(a.size(), b.size()); + for (size_t i = 0; i < len; i++) { + if (a[i] != b[i]) { + return i; + } + } + return len; + } + +public: + /** + * Adds an entry to the RadixTree at the given Key. + * @param key the key used to add the entry. + * @param value the value to be associated with the key. + * @param overwrite_existing will overwrite the value when the value for a given key already + * exists. + * @return false when a value already exists for the given key. + */ + bool add(absl::string_view key, Value value, bool overwrite_existing = true) { + // Check if the key already exists + Value existing; + bool found = root_.findRecursive(key, existing); + + // If a value exists and we shouldn't overwrite, return false + if (found && !overwrite_existing) { + return false; + } + + root_.insert(key, std::move(value)); + return true; + } + + /** + * Finds the entry associated with the key. + * @param key the key used to find. + * @return the Value associated with the key, or an empty-initialized Value + * if there is no matching key. + */ + Value find(absl::string_view key) const { + Value result; + if (root_.findRecursive(key, result)) { + return result; + } + return Value{}; + } + + /** + * Returns the set of entries that are prefixes of the specified key, longest last. + * Complexity is O(min(longest key prefix, key length)). + * @param key the key used to find. + * @return a vector of values whose keys are a prefix of the specified key, longest last. + */ + absl::InlinedVector findMatchingPrefixes(absl::string_view key) const { + absl::InlinedVector result; + absl::string_view search = key; + const RadixTreeNode* node = &root_; + + // Special case: if searching for empty string, check root node + if (search.empty()) { + if (has_value(*node)) { + result.push_back(node->value_); + } + return result; + } + + while (true) { + // Check if current node has a value (is a leaf) and we've consumed some prefix + if (has_value(*node)) { + result.push_back(node->value_); + } + + // Check for key exhaustion + if (search.empty()) { + break; + } + + // Look for an edge + uint8_t firstChar = static_cast(search[0]); + auto child = node->getChild(firstChar); + if (!child) { + break; + } + + const RadixTreeNode& child_node = *child; + node = &child_node; + + // Consume the search prefix + if (search.size() < child->prefix_.size() || + search.substr(0, child->prefix_.size()) != child->prefix_) { + break; + } + // Consume the search prefix + search = search.substr(child->prefix_.size()); + } + + return result; + } + + /** + * Finds the entry with the longest key that is a prefix of the specified key. + * Complexity is O(min(longest key prefix, key length)). + * @param key the key used to find. + * @return a value whose key is a prefix of the specified key. If there are + * multiple such values, the one with the longest key. If there are + * no keys that are a prefix of the input key, an empty-initialized Value. + */ + Value findLongestPrefix(absl::string_view key) const { + absl::string_view search = key; + const RadixTreeNode* node = &root_; + const RadixTreeNode* last_node_with_value = nullptr; + + while (true) { + // Look for a leaf node + if (has_value(*node)) { + last_node_with_value = node; + } + + // Check for key exhaustion + if (search.empty()) { + break; + } + + // Look for an edge + uint8_t firstChar = static_cast(search[0]); + auto child = node->getChild(firstChar); + if (!child) { + break; + } + + const RadixTreeNode& child_node = *child; + node = &child_node; + + // Consume the search prefix + if (search.size() < child->prefix_.size() || + search.substr(0, child->prefix_.size()) != child->prefix_) { + break; + } + // Consume the search prefix + search = search.substr(child->prefix_.size()); + } + + // Return the value from the last node that had a value, or empty value if none found + if (last_node_with_value != nullptr) { + return last_node_with_value->value_; + } + return nullptr; + } + +private: + // Initialized with a single empty node as the root node. + RadixTreeNode root_ = RadixTreeNode(); +}; +} // namespace Envoy diff --git a/source/common/matcher/BUILD b/source/common/matcher/BUILD index 82cd7e7f137d4..22234d5a0fb85 100644 --- a/source/common/matcher/BUILD +++ b/source/common/matcher/BUILD @@ -29,7 +29,7 @@ envoy_cc_library( hdrs = ["prefix_map_matcher.h"], deps = [ ":map_matcher_lib", - "//source/common/common:trie_lookup_table_lib", + "//source/common/common:radix_tree_lib", "//source/common/runtime:runtime_features_lib", ], ) diff --git a/source/common/matcher/prefix_map_matcher.h b/source/common/matcher/prefix_map_matcher.h index 4a597d8322813..a70a7e28593e7 100644 --- a/source/common/matcher/prefix_map_matcher.h +++ b/source/common/matcher/prefix_map_matcher.h @@ -1,6 +1,6 @@ #pragma once -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/matcher/map_matcher.h" #include "source/common/runtime/runtime_features.h" @@ -52,7 +52,7 @@ template class PrefixMapMatcher : public MapMatcher { } private: - TrieLookupTable>> children_; + RadixTree>> children_; }; } // namespace Matcher diff --git a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h index f821cadd95b7c..936e3d832cc96 100644 --- a/source/extensions/filters/network/redis_proxy/command_splitter_impl.h +++ b/source/extensions/filters/network/redis_proxy/command_splitter_impl.h @@ -9,7 +9,7 @@ #include "envoy/stats/timespan.h" #include "source/common/common/logger.h" -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/stats/timespan_impl.h" #include "source/extensions/filters/network/common/redis/client_impl.h" #include "source/extensions/filters/network/common/redis/fault_impl.h" @@ -501,7 +501,7 @@ class InstanceImpl : public Instance, Logger::Loggable { CommandHandlerFactory role_handler_; CommandHandlerFactory split_keys_sum_result_handler_; CommandHandlerFactory transaction_handler_; - TrieLookupTable handler_lookup_table_; + RadixTree handler_lookup_table_; InstanceStats stats_; TimeSource& time_source_; Common::Redis::FaultManagerPtr fault_manager_; diff --git a/source/extensions/filters/network/redis_proxy/router_impl.h b/source/extensions/filters/network/redis_proxy/router_impl.h index 8a7b841ca7b48..4d353fb629e12 100644 --- a/source/extensions/filters/network/redis_proxy/router_impl.h +++ b/source/extensions/filters/network/redis_proxy/router_impl.h @@ -13,7 +13,7 @@ #include "envoy/type/v3/percent.pb.h" #include "envoy/upstream/cluster_manager.h" -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/http/header_map_impl.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/extensions/filters/network/common/redis/supported_commands.h" @@ -86,7 +86,7 @@ class PrefixRoutes : public Router, public Logger::Loggable { const StreamInfo::StreamInfo& stream_info); private: - TrieLookupTable prefix_lookup_table_; + RadixTree prefix_lookup_table_; const bool case_insensitive_; Upstreams upstreams_; PrefixSharedPtr catch_all_route_; diff --git a/source/extensions/filters/udp/dns_filter/BUILD b/source/extensions/filters/udp/dns_filter/BUILD index e4315f1acc15d..f327a12d84d3b 100644 --- a/source/extensions/filters/udp/dns_filter/BUILD +++ b/source/extensions/filters/udp/dns_filter/BUILD @@ -34,8 +34,8 @@ envoy_cc_library( "//envoy/network:listener_interface", "//source/common/buffer:buffer_lib", "//source/common/common:empty_string", + "//source/common/common:radix_tree_lib", "//source/common/common:safe_memcpy_lib", - "//source/common/common:trie_lookup_table_lib", "//source/common/config:config_provider_lib", "//source/common/config:datasource_lib", "//source/common/network:address_lib", diff --git a/source/extensions/filters/udp/dns_filter/dns_filter.h b/source/extensions/filters/udp/dns_filter/dns_filter.h index d1e5262d1146e..726120b21b41d 100644 --- a/source/extensions/filters/udp/dns_filter/dns_filter.h +++ b/source/extensions/filters/udp/dns_filter/dns_filter.h @@ -6,7 +6,7 @@ #include "envoy/network/filter.h" #include "source/common/buffer/buffer_impl.h" -#include "source/common/common/trie_lookup_table.h" +#include "source/common/common/radix_tree.h" #include "source/common/config/config_provider_impl.h" #include "source/common/network/utility.h" #include "source/extensions/filters/udp/dns_filter/dns_filter_resolver.h" @@ -97,9 +97,7 @@ class DnsFilterEnvoyConfig : public Logger::Loggable { } const Network::DnsResolverFactory& dnsResolverFactory() const { return *dns_resolver_factory_; } Api::Api& api() const { return api_; } - const TrieLookupTable& getDnsTrie() const { - return dns_lookup_trie_; - } + const RadixTree& getDnsTrie() const { return dns_lookup_trie_; } private: static DnsFilterStats generateStats(const std::string& stat_prefix, Stats::Scope& scope) { @@ -123,7 +121,7 @@ class DnsFilterEnvoyConfig : public Logger::Loggable { mutable DnsFilterStats stats_; - TrieLookupTable dns_lookup_trie_; + RadixTree dns_lookup_trie_; absl::flat_hash_map domain_ttl_; bool forward_queries_; uint64_t retry_count_; diff --git a/test/common/common/BUILD b/test/common/common/BUILD index 07ca8a1b96919..b4d3f54f0455f 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -313,6 +313,13 @@ envoy_cc_test( deps = ["//source/common/common:trie_lookup_table_lib"], ) +envoy_cc_test( + name = "radix_tree_test", + srcs = ["radix_tree_test.cc"], + rbe_pool = "6gig", + deps = ["//source/common/common:radix_tree_lib"], +) + envoy_cc_test( name = "utility_test", srcs = ["utility_test.cc"], @@ -463,6 +470,40 @@ envoy_benchmark_test( benchmark_binary = "trie_lookup_table_speed_test", ) +envoy_cc_benchmark_binary( + name = "radix_tree_speed_test", + srcs = ["radix_tree_speed_test.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/common:radix_tree_lib", + "@com_github_google_benchmark//:benchmark", + "@com_google_absl//absl/strings", + ], +) + +envoy_benchmark_test( + name = "radix_tree_speed_test_benchmark_test", + benchmark_binary = "radix_tree_speed_test", +) + +envoy_cc_benchmark_binary( + name = "prefix_matching_benchmark", + srcs = ["prefix_matching_benchmark.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/common:radix_tree_lib", + "//source/common/common:trie_lookup_table_lib", + "//source/common/http:headers_lib", + "@com_github_google_benchmark//:benchmark", + "@com_google_absl//absl/strings", + ], +) + +envoy_benchmark_test( + name = "prefix_matching_benchmark_test", + benchmark_binary = "prefix_matching_benchmark", +) + envoy_cc_test( name = "lock_guard_test", srcs = ["lock_guard_test.cc"], diff --git a/test/common/common/prefix_matching_benchmark.cc b/test/common/common/prefix_matching_benchmark.cc new file mode 100644 index 0000000000000..c89ad5138f3a3 --- /dev/null +++ b/test/common/common/prefix_matching_benchmark.cc @@ -0,0 +1,162 @@ +// Note: this should be run with --compilation_mode=opt, and would benefit from a +// quiescent system with disabled cstate power management. + +#include + +#include "source/common/common/radix_tree.h" +#include "source/common/common/trie_lookup_table.h" +#include "source/common/http/headers.h" + +#include "benchmark/benchmark.h" + +namespace Envoy { + +// NOLINT(namespace-envoy) + +#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); + +// Helper function to generate test data with hierarchical prefixes +std::vector generateHierarchicalKeys(int num_keys, int max_depth) { + std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability + std::uniform_int_distribution char_distribution('a', 'z'); + std::uniform_int_distribution depth_distribution(1, max_depth); + + std::vector keys; + for (int i = 0; i < num_keys; i++) { + int depth = depth_distribution(prng); + std::string key; + for (int j = 0; j < depth; j++) { + for (int k = 0; k < 3; k++) { // Each level has 3 characters + key.push_back(static_cast(char_distribution(prng))); + } + if (j < depth - 1) { + key.push_back('/'); // Use '/' as separator for hierarchical structure + } + } + keys.push_back(key); + } + return keys; +} + +// Helper function to generate search keys with various prefix lengths +std::vector generateSearchKeys(const std::vector& keys, + int num_searches) { + std::mt19937 prng(2); // Different seed for search keys + std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); + std::uniform_int_distribution length_distribution(1, 20); // Random prefix length + + std::vector search_keys; + for (int i = 0; i < num_searches; i++) { + const std::string& base_key = keys[keyindex_distribution(prng)]; + size_t prefix_len = std::min(length_distribution(prng), base_key.length()); + search_keys.push_back(base_key.substr(0, prefix_len)); + } + return search_keys; +} + +template +static void typedBmPrefixMatching(benchmark::State& state, const std::vector& keys, + const std::vector& search_keys) { + TableType table; + for (const std::string& key : keys) { + table.add(key, nullptr); + } + + size_t search_index = 0; + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + auto result = table.findMatchingPrefixes(search_keys[search_index++]); + // Reset search_index to 0 whenever it reaches the end + search_index %= search_keys.size(); + benchmark::DoNotOptimize(result); + } +} + +// Range args are: +// 0 - num_keys (number of keys in the tree) +// 1 - max_depth (maximum depth of hierarchical keys) +// 2 - num_searches (number of search operations to perform) +template static void typedBmPrefixMatching(benchmark::State& state) { + int num_keys = state.range(0); + int max_depth = state.range(1); + int num_searches = state.range(2); + + std::vector keys = generateHierarchicalKeys(num_keys, max_depth); + std::vector search_keys = generateSearchKeys(keys, num_searches); + + typedBmPrefixMatching(state, keys, search_keys); +} + +// Benchmark for TrieLookupTable +static void bmTrieLookupTablePrefixMatching(benchmark::State& s) { + typedBmPrefixMatching>(s); +} + +// Benchmark for RadixTree +static void bmRadixTreePrefixMatching(benchmark::State& s) { + typedBmPrefixMatching>(s); +} + +// Real-world scenario benchmarks using HTTP headers +static void bmTrieLookupTableRequestHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +static void bmRadixTreeRequestHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +static void bmTrieLookupTableResponseHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +static void bmRadixTreeResponseHeadersPrefixMatching(benchmark::State& s) { + std::vector keys; + INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); + + // Generate search keys based on the headers + std::vector search_keys = generateSearchKeys(keys, 1000); + + typedBmPrefixMatching>(s, keys, search_keys); +} + +// Register benchmarks for synthetic data +BENCHMARK(bmTrieLookupTablePrefixMatching) + ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) + ->Name("TrieLookupTable/PrefixMatching"); + +BENCHMARK(bmRadixTreePrefixMatching) + ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) + ->Name("RadixTree/PrefixMatching"); + +// Register benchmarks for real-world HTTP headers +BENCHMARK(bmTrieLookupTableRequestHeadersPrefixMatching) + ->Name("TrieLookupTable/RequestHeadersPrefixMatching"); + +BENCHMARK(bmRadixTreeRequestHeadersPrefixMatching)->Name("RadixTree/RequestHeadersPrefixMatching"); + +BENCHMARK(bmTrieLookupTableResponseHeadersPrefixMatching) + ->Name("TrieLookupTable/ResponseHeadersPrefixMatching"); + +BENCHMARK(bmRadixTreeResponseHeadersPrefixMatching) + ->Name("RadixTree/ResponseHeadersPrefixMatching"); + +} // namespace Envoy diff --git a/test/common/common/radix_tree_speed_test.cc b/test/common/common/radix_tree_speed_test.cc new file mode 100644 index 0000000000000..5f0af98ad4a5c --- /dev/null +++ b/test/common/common/radix_tree_speed_test.cc @@ -0,0 +1,89 @@ +// Note: this should be run with --compilation_mode=opt, and would benefit from a +// quiescent system with disabled cstate power management. + +#include + +#include "envoy/http/header_map.h" + +#include "source/common/common/radix_tree.h" +#include "source/common/http/headers.h" + +#include "benchmark/benchmark.h" + +namespace Envoy { + +// NOLINT(namespace-envoy) + +template +static void typedBmRadixTreeLookups(benchmark::State& state, std::vector& keys) { + std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability + std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); + TableType radixtree; + for (const std::string& key : keys) { + radixtree.add(key, nullptr); + } + std::vector key_selections; + for (size_t i = 0; i < 1024; i++) { + key_selections.push_back(keyindex_distribution(prng)); + } + + // key_index indexes into key_selections which is a pre-selected + // random ordering of 1024 indexes into the existing keys. This + // way we read from all over the radixtree, without spending time during + // the performance test generating these random choices. + size_t key_index = 0; + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + auto v = radixtree.find(keys[key_selections[key_index++]]); + // Reset key_index to 0 whenever it reaches 1024. + key_index &= 1023; + benchmark::DoNotOptimize(v); + } +} + +// Range args are: +// 0 - num_keys +// 1 - key_length (0 is a special case that generates mixed-length keys) +template static void typedBmRadixTreeLookups(benchmark::State& state) { + std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability + int num_keys = state.range(0); + int key_length = state.range(1); + std::uniform_int_distribution char_distribution('a', 'z'); + std::uniform_int_distribution key_length_distribution(key_length == 0 ? 8 : key_length, + key_length == 0 ? 128 : key_length); + auto make_key = [&](size_t len) { + std::string ret; + for (size_t i = 0; i < len; i++) { + ret.push_back(static_cast(char_distribution(prng))); + } + return ret; + }; + std::vector keys; + for (int i = 0; i < num_keys; i++) { + std::string key = make_key(key_length_distribution(prng)); + keys.push_back(std::move(key)); + } + typedBmRadixTreeLookups(state, keys); +} + +static void bmRadixTreeLookups(benchmark::State& s) { + typedBmRadixTreeLookups>(s); +} + +#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); +static void bmRadixTreeLookupsRequestHeaders(benchmark::State& s) { + std::vector keys; + INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); + typedBmRadixTreeLookups>(s, keys); +} +static void bmRadixTreeLookupsResponseHeaders(benchmark::State& s) { + std::vector keys; + INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); + typedBmRadixTreeLookups>(s, keys); +} + +BENCHMARK(bmRadixTreeLookupsRequestHeaders); +BENCHMARK(bmRadixTreeLookupsResponseHeaders); +BENCHMARK(bmRadixTreeLookups)->ArgsProduct({{10, 100, 1000, 10000}, {0, 8, 128}}); + +} // namespace Envoy diff --git a/test/common/common/radix_tree_test.cc b/test/common/common/radix_tree_test.cc new file mode 100644 index 0000000000000..2b5a10904a3bc --- /dev/null +++ b/test/common/common/radix_tree_test.cc @@ -0,0 +1,357 @@ +#include "source/common/common/radix_tree.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::ElementsAre; + +namespace Envoy { + +TEST(RadixTree, AddItems) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("bar"), cstr_b)); + EXPECT_EQ(cstr_a, radixtree.find("foo")); + EXPECT_EQ(cstr_b, radixtree.find("bar")); + + // overwrite_existing = false + EXPECT_FALSE(radixtree.add(std::string("foo"), cstr_c, false)); + EXPECT_EQ(cstr_a, radixtree.find("foo")); + + // overwrite_existing = true + EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_c)); + EXPECT_EQ(cstr_c, radixtree.find("foo")); +} + +TEST(RadixTree, LongestPrefix) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + const char* cstr_e = "e"; + const char* cstr_f = "f"; + + EXPECT_TRUE(radixtree.add(std::string("foo/bar"), cstr_d)); + EXPECT_TRUE(radixtree.add(std::string("foo"), cstr_a)); + // Verify that prepending and appending branches to a node both work. + EXPECT_TRUE(radixtree.add(std::string("barn"), cstr_e)); + EXPECT_TRUE(radixtree.add(std::string("barp"), cstr_f)); + EXPECT_TRUE(radixtree.add(std::string("bar"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("baro"), cstr_c)); + + EXPECT_EQ(cstr_a, radixtree.find("foo")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foo")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo"), ElementsAre(cstr_a)); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foosball")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foosball"), ElementsAre(cstr_a)); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("foo/")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo/"), ElementsAre(cstr_a)); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("foo/bar")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo/bar"), ElementsAre(cstr_a, cstr_d)); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("foo/bar/zzz")); + EXPECT_THAT(radixtree.findMatchingPrefixes("foo/bar/zzz"), ElementsAre(cstr_a, cstr_d)); + + EXPECT_EQ(cstr_b, radixtree.find("bar")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("bar")); + EXPECT_THAT(radixtree.findMatchingPrefixes("bar"), ElementsAre(cstr_b)); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("baritone")); + EXPECT_THAT(radixtree.findMatchingPrefixes("baritone"), ElementsAre(cstr_b)); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("barometer")); + EXPECT_THAT(radixtree.findMatchingPrefixes("barometer"), ElementsAre(cstr_b, cstr_c)); + + EXPECT_EQ(cstr_e, radixtree.find("barn")); + EXPECT_EQ(cstr_e, radixtree.findLongestPrefix("barnacle")); + EXPECT_THAT(radixtree.findMatchingPrefixes("barnacle"), ElementsAre(cstr_b, cstr_e)); + + EXPECT_EQ(cstr_f, radixtree.find("barp")); + EXPECT_EQ(cstr_f, radixtree.findLongestPrefix("barpomus")); + EXPECT_THAT(radixtree.findMatchingPrefixes("barpomus"), ElementsAre(cstr_b, cstr_f)); + + EXPECT_EQ(nullptr, radixtree.find("toto")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("toto")); + EXPECT_THAT(radixtree.findMatchingPrefixes("toto"), ElementsAre()); + EXPECT_EQ(nullptr, radixtree.find(" ")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix(" ")); + EXPECT_THAT(radixtree.findMatchingPrefixes(" "), ElementsAre()); +} + +TEST(RadixTree, VeryDeepRadixTreeDoesNotStackOverflowOnDestructor) { + RadixTree radixtree; + const char* cstr_a = "a"; + + std::string key_a(20960, 'a'); + EXPECT_TRUE(radixtree.add(key_a, cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find(key_a)); +} + +TEST(RadixTree, RadixTreeSpecificTests) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + + // Test radix tree compression + EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("testing"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("tester"), cstr_c)); + EXPECT_TRUE(radixtree.add(std::string("tested"), cstr_d)); + + EXPECT_EQ(cstr_a, radixtree.find("test")); + EXPECT_EQ(cstr_b, radixtree.find("testing")); + EXPECT_EQ(cstr_c, radixtree.find("tester")); + EXPECT_EQ(cstr_d, radixtree.find("tested")); + + // Test prefix matching + EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(cstr_a, cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tester"), ElementsAre(cstr_a, cstr_c)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tested"), ElementsAre(cstr_a, cstr_d)); + + // Test longest prefix + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("test")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("testing")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("tester")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("tested")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("testx")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("tex")); +} + +TEST(RadixTree, EmptyAndSingleNode) { + RadixTree radixtree; + const char* cstr_a = "a"; + + // Test empty radixtree + EXPECT_EQ(nullptr, radixtree.find("anything")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("anything")); + EXPECT_THAT(radixtree.findMatchingPrefixes("anything"), ElementsAre()); + + // Test single node + EXPECT_TRUE(radixtree.add(std::string("a"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("a")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a")); + EXPECT_THAT(radixtree.findMatchingPrefixes("a"), ElementsAre(cstr_a)); + EXPECT_EQ(nullptr, radixtree.find("b")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("b")); + EXPECT_THAT(radixtree.findMatchingPrefixes("b"), ElementsAre()); +} + +TEST(RadixTree, InsertAndFindEdgeCases) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + + // Test empty string + EXPECT_TRUE(radixtree.add(std::string(""), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("")); + EXPECT_THAT(radixtree.findMatchingPrefixes(""), ElementsAre(cstr_a)); + + // Test single character + EXPECT_TRUE(radixtree.add(std::string("x"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("x")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("x")); + EXPECT_THAT(radixtree.findMatchingPrefixes("x"), ElementsAre(cstr_a, cstr_b)); + + // Test very long string + std::string long_key(1000, 'a'); + EXPECT_TRUE(radixtree.add(long_key, cstr_c)); + EXPECT_EQ(cstr_c, radixtree.find(long_key)); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix(long_key)); + EXPECT_THAT(radixtree.findMatchingPrefixes(long_key), ElementsAre(cstr_a, cstr_c)); + + // Test special characters + EXPECT_TRUE(radixtree.add(std::string("test/key"), cstr_d)); + EXPECT_EQ(cstr_d, radixtree.find("test/key")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("test/key")); + EXPECT_THAT(radixtree.findMatchingPrefixes("test/key"), ElementsAre(cstr_a, cstr_d)); + + // Test non-existent keys + EXPECT_EQ(nullptr, radixtree.find("nonexistent")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("nonexistent")); + EXPECT_THAT(radixtree.findMatchingPrefixes("nonexistent"), ElementsAre(cstr_a)); +} + +TEST(RadixTree, InsertAndFindComplexScenarios) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + const char* cstr_e = "e"; + const char* cstr_f = "f"; + + // Test overlapping prefixes + EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("testing"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("tester"), cstr_c)); + EXPECT_TRUE(radixtree.add(std::string("tested"), cstr_d)); + + // Verify all can be found + EXPECT_EQ(cstr_a, radixtree.find("test")); + EXPECT_EQ(cstr_b, radixtree.find("testing")); + EXPECT_EQ(cstr_c, radixtree.find("tester")); + EXPECT_EQ(cstr_d, radixtree.find("tested")); + + // Test prefix matching + EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(cstr_a, cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tester"), ElementsAre(cstr_a, cstr_c)); + EXPECT_THAT(radixtree.findMatchingPrefixes("tested"), ElementsAre(cstr_a, cstr_d)); + + // Test longest prefix + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("test")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("testing")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("tester")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("tested")); + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("testx")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("tex")); + + // Test branching scenarios + EXPECT_TRUE(radixtree.add(std::string("hello"), cstr_e)); + EXPECT_TRUE(radixtree.add(std::string("world"), cstr_f)); + + EXPECT_EQ(cstr_e, radixtree.find("hello")); + EXPECT_EQ(cstr_f, radixtree.find("world")); + EXPECT_EQ(cstr_e, radixtree.findLongestPrefix("hello")); + EXPECT_EQ(cstr_f, radixtree.findLongestPrefix("world")); +} + +TEST(RadixTree, InsertAndFindOverwriteBehavior) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + // Test overwrite_existing = true (default) + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("key")); + + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("key")); + + // Test overwrite_existing = false + EXPECT_FALSE(radixtree.add(std::string("key"), cstr_c, false)); + EXPECT_EQ(cstr_b, radixtree.find("key")); // Should still be cstr_b + + // Test overwrite_existing = true explicitly + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_c, true)); + EXPECT_EQ(cstr_c, radixtree.find("key")); +} + +TEST(RadixTree, InsertAndFindDeepNesting) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + // Test deep nesting + EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/f"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/g"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("a/b/c/d/e/h"), cstr_c)); + + EXPECT_EQ(cstr_a, radixtree.find("a/b/c/d/e/f")); + EXPECT_EQ(cstr_b, radixtree.find("a/b/c/d/e/g")); + EXPECT_EQ(cstr_c, radixtree.find("a/b/c/d/e/h")); + + // Test prefix matching on deep paths + EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/f"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/g"), ElementsAre(cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("a/b/c/d/e/h"), ElementsAre(cstr_c)); + + // Test longest prefix on deep paths + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a/b/c/d/e/f")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("a/b/c/d/e/g")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("a/b/c/d/e/h")); +} + +TEST(RadixTree, InsertAndFindMixedLengths) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + const char* cstr_d = "d"; + + // Test mixed length keys + EXPECT_TRUE(radixtree.add(std::string("a"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("aa"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("aaa"), cstr_c)); + EXPECT_TRUE(radixtree.add(std::string("aaaa"), cstr_d)); + + EXPECT_EQ(cstr_a, radixtree.find("a")); + EXPECT_EQ(cstr_b, radixtree.find("aa")); + EXPECT_EQ(cstr_c, radixtree.find("aaa")); + EXPECT_EQ(cstr_d, radixtree.find("aaaa")); + + // Test prefix matching + EXPECT_THAT(radixtree.findMatchingPrefixes("a"), ElementsAre(cstr_a)); + EXPECT_THAT(radixtree.findMatchingPrefixes("aa"), ElementsAre(cstr_a, cstr_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("aaa"), ElementsAre(cstr_a, cstr_b, cstr_c)); + EXPECT_THAT(radixtree.findMatchingPrefixes("aaaa"), ElementsAre(cstr_a, cstr_b, cstr_c, cstr_d)); + + // Test longest prefix + EXPECT_EQ(cstr_a, radixtree.findLongestPrefix("a")); + EXPECT_EQ(cstr_b, radixtree.findLongestPrefix("aa")); + EXPECT_EQ(cstr_c, radixtree.findLongestPrefix("aaa")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("aaaa")); + EXPECT_EQ(cstr_d, radixtree.findLongestPrefix("aaaaa")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("b")); +} + +TEST(RadixTree, InsertAndFindSpecialCharacters) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + const char* cstr_c = "c"; + + // Test special characters + EXPECT_TRUE(radixtree.add(std::string("test-key"), cstr_a)); + EXPECT_TRUE(radixtree.add(std::string("test_key"), cstr_b)); + EXPECT_TRUE(radixtree.add(std::string("test.key"), cstr_c)); + + EXPECT_EQ(cstr_a, radixtree.find("test-key")); + EXPECT_EQ(cstr_b, radixtree.find("test_key")); + EXPECT_EQ(cstr_c, radixtree.find("test.key")); + + // Test with spaces + EXPECT_TRUE(radixtree.add(std::string("test key"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("test key")); + + // Test with numbers + EXPECT_TRUE(radixtree.add(std::string("test123"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("test123")); +} + +TEST(RadixTree, InsertAndFindBooleanInterface) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + + // Test boolean find interface + const char* result; + + result = radixtree.find("nonexistent"); + EXPECT_EQ(nullptr, result); + + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_a)); + result = radixtree.find("key"); + EXPECT_EQ(cstr_a, result); + + EXPECT_TRUE(radixtree.add(std::string("key"), cstr_b)); + result = radixtree.find("key"); + EXPECT_EQ(cstr_b, result); + + // Test with empty string + EXPECT_TRUE(radixtree.add(std::string(""), cstr_a)); + result = radixtree.find(""); + EXPECT_EQ(cstr_a, result); +} + +} // namespace Envoy diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index d8ce66a8ad7d1..ad594752b72f4 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -37,6 +37,7 @@ Millicores NID NIST NORMALISATION +Radix SQLSTATE bm BSON @@ -47,6 +48,7 @@ CIO cbegin cend constness +cstr deadcode DFP Dynatrace @@ -1185,6 +1187,8 @@ querydetails quiesce quitquitquit qvalue +radix +radixtree rapidjson ratelimit ratelimited From 15d18cce817e02e49f28844de4da0f0a2ff119ee Mon Sep 17 00:00:00 2001 From: code Date: Fri, 25 Jul 2025 17:43:50 +0800 Subject: [PATCH 076/505] remove stale entries in the code owner fils (#40437) Commit Message: remove stale entries in the code owner fils Additional Description: Risk Level: n/a. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. Signed-off-by: wangbaiping(wbpcode) --- CODEOWNERS | 2 -- 1 file changed, 2 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0fba4b66f8cfb..04b46ae4222a7 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -295,9 +295,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123 /*/extensions/filters/http/stateful_session @wbpcode @cpakulski @adisuissa # tracers /*/extensions/tracers/zipkin @wbpcode @Shikugawa @basvanbeek -/*/extensions/tracers/dynamic_ot @wbpcode @Shikugawa @basvanbeek /*/extensions/tracers/common @wbpcode @Shikugawa @basvanbeek -/*/extensions/tracers/common/ot @wbpcode @Shikugawa @basvanbeek # ext_authz /*/extensions/filters/common/ext_authz @esmet @tyxia @ggreenway /*/extensions/filters/http/ext_authz @esmet @tyxia @ggreenway From 0a83ae98121d46625735bcdfc84b8669d6d04577 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 25 Jul 2025 08:50:24 -0400 Subject: [PATCH 077/505] Match different versions of proto DebugString (#40434) Risk Level: low Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../fixed_server_preferred_address_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/quic/server_preferred_address/fixed_server_preferred_address_test.cc b/test/extensions/quic/server_preferred_address/fixed_server_preferred_address_test.cc index 9c86871ff79a9..ba870b0b65463 100644 --- a/test/extensions/quic/server_preferred_address/fixed_server_preferred_address_test.cc +++ b/test/extensions/quic/server_preferred_address/fixed_server_preferred_address_test.cc @@ -25,7 +25,7 @@ TEST_F(FixedServerPreferredAddressConfigTest, Validation) { cfg.mutable_ipv4_config()->mutable_address()->set_address("not an address"); cfg.mutable_ipv4_config()->mutable_address()->set_port_value(1); EXPECT_THROW_WITH_REGEX(factory_.createServerPreferredAddressConfig(cfg, visitor_, context_), - EnvoyException, ".*Invalid address socket_address.*"); + EnvoyException, "(?s).*Invalid address.*socket_address.*"); } { // Bad address. From 3f45d4e40284c6f08f86cd6c9b4918cf44f653f7 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Fri, 25 Jul 2025 07:20:30 -0700 Subject: [PATCH 078/505] Avoid an unnecessary string copy in ProxyFilter (#40431) Commit Message: Avoid an unnecessary string copy in ProxyFilter Additional Description: This code was changed recently to fix an issue, but it gained a string-copy that's avoidable for any addresses that are not numeric IPv6 addresses. Risk Level: Negligible. Testing: Existing tests cover it. Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Raven Black --- .../http/dynamic_forward_proxy/proxy_filter.cc | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc index b987ce1c64a13..f96af1630070f 100644 --- a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc +++ b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc @@ -315,11 +315,16 @@ Http::FilterHeadersStatus ProxyFilter::decodeHeaders(Http::RequestHeaderMap& hea // Get host value from the request headers. const auto host_attributes = Http::Utility::parseAuthority(headers.Host()->value().getStringView()); - std::string host_str(!host_attributes.is_ip_address_ || - !absl::StrContains(host_attributes.host_, ":") - ? host_attributes.host_ - : absl::StrCat("[", host_attributes.host_, "]")); - absl::string_view host = host_str; + // For IPv6 numeric addresses, use a copy with square brackets added around the host. + // For any other address type just use the existing unmodified host string. + std::string host_str; + absl::string_view host; + if (host_attributes.is_ip_address_ && absl::StrContains(host_attributes.host_, ":")) { + host_str = absl::StrCat("[", host_attributes.host_, "]"); + host = host_str; + } else { + host = host_attributes.host_; + } uint16_t port = host_attributes.port_.value_or(default_port); // Apply filter state overrides for host and port. From 08b0409d48a7ec8872faa82c9c57980f923cae8e Mon Sep 17 00:00:00 2001 From: Kevin Baichoo Date: Fri, 25 Jul 2025 16:09:02 -0400 Subject: [PATCH 079/505] Bump compiler requirements for C++20 (#40433) Compiler require C++20 to fail with a nicer error message if using an older compiler. Used https://en.cppreference.com/w/cpp/compiler_support.html#:~:text=Apple%20Clang*-,C%2B%2B20%20features,-C%2B%2B20%20core for reference Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Kevin Baichoo --- source/common/common/compiler_requirements.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/common/common/compiler_requirements.h b/source/common/common/compiler_requirements.h index ad14111af9186..912cf0c447d0b 100644 --- a/source/common/common/compiler_requirements.h +++ b/source/common/common/compiler_requirements.h @@ -2,8 +2,8 @@ namespace Envoy { -#if __cplusplus < 201402L -#error "Your compiler does not support C++14. GCC 5+, Clang, or MSVC 2017+ is required." +#if __cplusplus < 202002L +#error "Your compiler does not support C++20. GCC 12+, Clang, or MSVC 2019+ is required." #endif // See: From c4c9a880ff38d849eeb0022ab751d5e5227a5ef9 Mon Sep 17 00:00:00 2001 From: code Date: Sat, 26 Jul 2025 04:15:38 +0800 Subject: [PATCH 080/505] tracing: support get all to avoid full interation (#40423) Added `getAll()` method to the `TraceContextHandler`. Then the opentelemtry/fluentd needn't to iterate the whole header map to find all `tracestate` headers/values. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Signed-off-by: wangbaiping(wbpcode) --- source/common/tracing/trace_context_impl.cc | 30 +++++++++++++ source/common/tracing/trace_context_impl.h | 10 +++++ .../extensions/tracers/datadog/dict_util.cc | 3 +- .../tracers/fluentd/fluentd_tracer_impl.cc | 20 +++------ .../tracers/opentelemetry/span_context.h | 10 ++--- .../opentelemetry/span_context_extractor.cc | 18 ++------ .../common/tracing/trace_context_impl_test.cc | 42 ++++++++++++++++--- 7 files changed, 92 insertions(+), 41 deletions(-) diff --git a/source/common/tracing/trace_context_impl.cc b/source/common/tracing/trace_context_impl.cc index 5eb4075dac59f..8dd85e1906807 100644 --- a/source/common/tracing/trace_context_impl.cc +++ b/source/common/tracing/trace_context_impl.cc @@ -79,6 +79,36 @@ TraceContextHandler::get(const TraceContext& trace_context) const { } } +TraceContextHandler::GetAllResult +TraceContextHandler::getAll(const TraceContext& trace_context) const { + auto header_map = trace_context.requestHeaders(); + if (!header_map.has_value()) { + if (const auto value = trace_context.get(key_); value.has_value()) { + return {value.value()}; + } + return {}; + } + + if (handle_.has_value()) { + auto* entry = header_map->getInline(handle_.value()); + if (entry == nullptr) { + return {}; + } + return {entry->value().getStringView()}; + } else { + auto results = header_map->get(key_); + if (results.empty()) { + return {}; + } + GetAllResult all_values; + all_values.reserve(results.size()); + for (size_t i = 0; i < results.size(); ++i) { + all_values.push_back(results[i]->value().getStringView()); + } + return all_values; + } +} + void TraceContextHandler::remove(TraceContext& trace_context) const { auto header_map = trace_context.requestHeaders(); if (!header_map.has_value()) { diff --git a/source/common/tracing/trace_context_impl.h b/source/common/tracing/trace_context_impl.h index 8ee2c4aeb83f3..31f6892726a8a 100644 --- a/source/common/tracing/trace_context_impl.h +++ b/source/common/tracing/trace_context_impl.h @@ -43,6 +43,16 @@ class TraceContextHandler { */ absl::optional get(const TraceContext& trace_context) const; + using GetAllResult = absl::InlinedVector; + + /** + * Get all values from the trace context by the key. If the underlying trace context is HTTP + * header map, then there may be multiple values for the same key and the get() method will + * return the first value only. This method will return all values for the key. + * @param trace_context the trace context to get the values. + */ + GetAllResult getAll(const TraceContext& trace_context) const; + /* * Set the key/value pair in the trace context. * @param trace_context the trace context to set the key/value pair. diff --git a/source/extensions/tracers/datadog/dict_util.cc b/source/extensions/tracers/datadog/dict_util.cc index 7932e7e8779f0..b8c42bcd76491 100644 --- a/source/extensions/tracers/datadog/dict_util.cc +++ b/source/extensions/tracers/datadog/dict_util.cc @@ -70,8 +70,7 @@ void TraceContextReader::visit( visitor) const { context_.forEach([&](absl::string_view key, absl::string_view value) { visitor(key, value); - const bool continue_iterating = true; - return continue_iterating; + return true; }); } diff --git a/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc b/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc index d4513c22cad9a..9f843583a3c25 100644 --- a/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc +++ b/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc @@ -89,21 +89,11 @@ absl::StatusOr SpanContextExtractor::extractSpanContext() { // it is invalid and MUST be discarded. Because we're already checking for the // traceparent header above, we don't need to check here. // See https://www.w3.org/TR/trace-context/#processing-model-for-working-with-trace-context - absl::string_view tracestate_key = FluentdConstants::get().TRACE_STATE.key(); - std::vector tracestate_values; - // Multiple tracestate header fields MUST be handled as specified by RFC7230 Section 3.2.2 Field - // Order. - trace_context_.forEach( - [&tracestate_key, &tracestate_values](absl::string_view key, absl::string_view value) { - if (key == tracestate_key) { - tracestate_values.push_back(std::string{value}); - } - return true; - }); - std::string tracestate = absl::StrJoin(tracestate_values, ","); - - SpanContext span_context(version, trace_id, parent_id, sampled, tracestate); - return span_context; + const auto tracestate_values = FluentdConstants::get().TRACE_STATE.getAll(trace_context_); + + SpanContext parent_context(version, trace_id, parent_id, sampled, + absl::StrJoin(tracestate_values, ",")); + return parent_context; } // Define default version and trace context construction// Define default version and trace context diff --git a/source/extensions/tracers/opentelemetry/span_context.h b/source/extensions/tracers/opentelemetry/span_context.h index 1247237f1a62b..d0dba70725442 100644 --- a/source/extensions/tracers/opentelemetry/span_context.h +++ b/source/extensions/tracers/opentelemetry/span_context.h @@ -55,11 +55,11 @@ class SpanContext { const std::string& tracestate() const { return tracestate_; } private: - const std::string version_; - const std::string trace_id_; - const std::string span_id_; - const bool sampled_{false}; - const std::string tracestate_; + std::string version_; + std::string trace_id_; + std::string span_id_; + bool sampled_{false}; + std::string tracestate_; }; } // namespace OpenTelemetry diff --git a/source/extensions/tracers/opentelemetry/span_context_extractor.cc b/source/extensions/tracers/opentelemetry/span_context_extractor.cc index 00f9b58327e75..d2caa9e1f9796 100644 --- a/source/extensions/tracers/opentelemetry/span_context_extractor.cc +++ b/source/extensions/tracers/opentelemetry/span_context_extractor.cc @@ -89,20 +89,10 @@ absl::StatusOr SpanContextExtractor::extractSpanContext() { // it is invalid and MUST be discarded. Because we're already checking for the // traceparent header above, we don't need to check here. // See https://www.w3.org/TR/trace-context/#processing-model-for-working-with-trace-context - absl::string_view tracestate_key = OpenTelemetryConstants::get().TRACE_STATE.key(); - std::vector tracestate_values; - // Multiple tracestate header fields MUST be handled as specified by RFC7230 Section 3.2.2 Field - // Order. - trace_context_.forEach( - [&tracestate_key, &tracestate_values](absl::string_view key, absl::string_view value) { - if (key == tracestate_key) { - tracestate_values.push_back(std::string{value}); - } - return true; - }); - std::string tracestate = absl::StrJoin(tracestate_values, ","); - - SpanContext parent_context(version, trace_id, span_id, sampled, std::move(tracestate)); + const auto tracestate_values = OpenTelemetryConstants::get().TRACE_STATE.getAll(trace_context_); + + SpanContext parent_context(version, trace_id, span_id, sampled, + absl::StrJoin(tracestate_values, ",")); return parent_context; } diff --git a/test/common/tracing/trace_context_impl_test.cc b/test/common/tracing/trace_context_impl_test.cc index 531112c53a4b0..5a57da0b247db 100644 --- a/test/common/tracing/trace_context_impl_test.cc +++ b/test/common/tracing/trace_context_impl_test.cc @@ -18,22 +18,54 @@ TEST(TraceContextHandlerTest, TraceContextHandlerGetTest) { } TraceContextHandler normal_key("key"); - TraceContextHandler inline_key("content-type"); // This key is inline key for HTTP. + TraceContextHandler inline_key("x-forwarded-for"); // This key is inline key for HTTP. + + TraceContextHandler unknown_normal_key("unknown_normal_key"); + TraceContextHandler unknown_inline_key("x-envoy-original-path"); // Test get. { auto headers = Http::RequestHeaderMapImpl::create(); - headers->setContentType("text/plain"); headers->addCopy(Http::LowerCaseString("key"), "value"); + headers->addCopy(Http::LowerCaseString("x-forwarded-for"), "127.0.0.1"); HttpTraceContext http_tracer_context(*headers); - TestTraceContextImpl trace_context{{"key", "value"}, {"content-type", "text/plain"}}; + TestTraceContextImpl trace_context{{"key", "value"}, {"x-forwarded-for", "127.0.0.1"}}; EXPECT_EQ("value", normal_key.get(trace_context).value()); - EXPECT_EQ("text/plain", inline_key.get(trace_context).value()); + EXPECT_EQ("127.0.0.1", inline_key.get(trace_context).value()); EXPECT_EQ("value", normal_key.get(http_tracer_context).value()); - EXPECT_EQ("text/plain", inline_key.get(http_tracer_context).value()); + EXPECT_EQ("127.0.0.1", inline_key.get(http_tracer_context).value()); + } + + // Test get all. + { + + Http::TestRequestHeaderMapImpl headers{{"key", "value1"}, + {"key", "value2"}, + {"x-forwarded-for", "127.0.0.1"}, + {"x-forwarded-for", "127.0.0.2"}, + {"other", "other_value"}}; + HttpTraceContext http_tracer_context(headers); + TestTraceContextImpl trace_context{{"key", "value"}, {"x-forwarded-for", "127.0.0.1"}}; + + EXPECT_EQ(normal_key.getAll(trace_context)[0], "value"); + EXPECT_EQ(inline_key.getAll(trace_context)[0], "127.0.0.1"); + + auto multiple_values_of_normal_key = normal_key.getAll(http_tracer_context); + EXPECT_EQ(multiple_values_of_normal_key.size(), 2); + EXPECT_EQ(multiple_values_of_normal_key[0], "value1"); + EXPECT_EQ(multiple_values_of_normal_key[1], "value2"); + + auto multiple_values_of_inline_key = inline_key.getAll(http_tracer_context); + EXPECT_EQ(multiple_values_of_inline_key.size(), 1); + EXPECT_EQ(multiple_values_of_inline_key[0], "127.0.0.1,127.0.0.2"); + + EXPECT_TRUE(unknown_normal_key.getAll(http_tracer_context).empty()); + EXPECT_TRUE(unknown_inline_key.getAll(http_tracer_context).empty()); + EXPECT_TRUE(!unknown_normal_key.get(trace_context).has_value()); + EXPECT_TRUE(!unknown_inline_key.get(trace_context).has_value()); } } From 51aa49768d882a9a58e1ae060ce6df1dd020dc5f Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 25 Jul 2025 17:57:05 -0400 Subject: [PATCH 081/505] Add ENVOY_NOTIFICATION macro (#40298) Add macro for tracking specific conditions in production environments. This macro does not fail in debug builds and does not impact CI or integration tests. There is also no backoff so that every condition is accurately tracked. Risk Level: low Testing: unit tests Docs Changes: yes Release Notes: yes Platform Specific Features: n/a --------- Signed-off-by: Yan Avlasov --- STYLE.md | 3 + changelogs/current.yaml | 3 + .../observability/statistics.rst | 1 + source/common/common/BUILD | 10 ++++ source/common/common/logger.h | 1 + source/common/common/notification.cc | 60 +++++++++++++++++++ source/common/common/notification.h | 57 ++++++++++++++++++ source/server/BUILD | 1 + source/server/server.cc | 3 + source/server/server.h | 2 + test/common/common/BUILD | 10 ++++ test/common/common/notification_test.cc | 45 ++++++++++++++ test/server/BUILD | 1 + test/server/server_test.cc | 5 ++ 14 files changed, 202 insertions(+) create mode 100644 source/common/common/notification.cc create mode 100644 source/common/common/notification.h create mode 100644 test/common/common/notification_test.cc diff --git a/STYLE.md b/STYLE.md index b508ebff378a1..7eef23b3ca57c 100644 --- a/STYLE.md +++ b/STYLE.md @@ -160,6 +160,9 @@ A few general notes on our error handling philosophy: should be used where it may be useful to detect if an efficient condition is violated in production (and fatal check in debug-only builds). This will also log a stack trace of the previous calls leading up to `ENVOY_BUG`. + - `ENVOY_NOTIFICATION`: logs and increments the ``envoy_notifications`` counter. These should be + used where it may be useful to detect if an efficient condition is met in production, for + example before rolling out a potentially disruptive configuration change. * Sub-macros alias the macros above and can be used to annotate specific situations: - `ENVOY_BUG_ALPHA` (alias `ENVOY_BUG`): Used for alpha or rapidly changing protocols that need diff --git a/changelogs/current.yaml b/changelogs/current.yaml index de0d6210bf19d..7aa670ec5273b 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -55,6 +55,9 @@ new_features: :ref:`RouteAction.rate_limits` fields will be ignored. However, :ref:`RateLimitPerRoute.rate_limits` will take precedence over this field. +- area: observability + change: | + Added ENVOY_NOTIFICATION macro to track specific conditions in produiction environments. - area: dns_filter, redis_proxy and prefix_matcher_map change: | Switch to using Radix Tree instead of Trie for performance improvements. diff --git a/docs/root/configuration/observability/statistics.rst b/docs/root/configuration/observability/statistics.rst index 930414a929581..fb01aaadab0d2 100644 --- a/docs/root/configuration/observability/statistics.rst +++ b/docs/root/configuration/observability/statistics.rst @@ -31,6 +31,7 @@ Server related statistics are rooted at *server.* with following statistics: initialization_time_ms, Histogram, Total time taken for Envoy initialization in milliseconds. This is the time from server start-up until the worker threads are ready to accept new connections debug_assertion_failures, Counter, Number of debug assertion failures detected in a release build if compiled with ``--define log_debug_assert_in_release=enabled`` or zero otherwise envoy_bug_failures, Counter, Number of envoy bug failures detected in a release build. File or report the issue if this increments as this may be serious. + envoy_notifications, Counter, Number of envoy notifications detected. File or report the issue if this increments as this may be serious. Please include logs from the ``notification`` component at the debug level. See :ref:`command line option --component-log-level ` for details. static_unknown_fields, Counter, Number of messages in static configuration with unknown fields dynamic_unknown_fields, Counter, Number of messages in dynamic configuration with unknown fields wip_protos, Counter, Number of messages and fields marked as work-in-progress being used diff --git a/source/common/common/BUILD b/source/common/common/BUILD index b5d6cbe6aca19..6d70887e501e1 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -386,6 +386,16 @@ envoy_cc_library( hdrs = ["non_copyable.h"], ) +envoy_cc_library( + name = "notification_lib", + srcs = ["notification.cc"], + hdrs = ["notification.h"], + deps = [ + ":assert_lib", + ":minimal_logger_lib", + ], +) + envoy_cc_library( name = "phantom", hdrs = ["phantom.h"], diff --git a/source/common/common/logger.h b/source/common/common/logger.h index 8db5f52bc52b1..08fed3a27b5cb 100644 --- a/source/common/common/logger.h +++ b/source/common/common/logger.h @@ -77,6 +77,7 @@ const static bool should_log = true; FUNCTION(misc) \ FUNCTION(mongo) \ FUNCTION(multi_connection) \ + FUNCTION(notification) \ FUNCTION(oauth2) \ FUNCTION(quic) \ FUNCTION(quic_stream) \ diff --git a/source/common/common/notification.cc b/source/common/common/notification.cc new file mode 100644 index 0000000000000..da1749065acc7 --- /dev/null +++ b/source/common/common/notification.cc @@ -0,0 +1,60 @@ +#include "source/common/common/notification.h" + +#include "source/common/common/assert.h" + +namespace Envoy { +namespace Notification { + +// This class implements the logic for triggering ENVOY_NOTIFICATION logs and actions. +class EnvoyNotificationRegistrationImpl : public Assert::ActionRegistration { +public: + EnvoyNotificationRegistrationImpl(std::function action) + : action_(action) { + next_action_ = envoy_notification_record_action_; + envoy_notification_record_action_ = this; + } + + ~EnvoyNotificationRegistrationImpl() override { + ASSERT(envoy_notification_record_action_ == this); + envoy_notification_record_action_ = next_action_; + } + + void invoke(absl::string_view name) { + action_(name); + if (next_action_) { + next_action_->invoke(name); + } + } + + static void invokeAction(absl::string_view name) { + if (envoy_notification_record_action_ != nullptr) { + envoy_notification_record_action_->invoke(name); + } + } + +private: + std::function action_; + EnvoyNotificationRegistrationImpl* next_action_ = nullptr; + + // Pointer to the first action in the chain or nullptr if no action is currently registered. + static EnvoyNotificationRegistrationImpl* envoy_notification_record_action_; +}; + +EnvoyNotificationRegistrationImpl* + EnvoyNotificationRegistrationImpl::envoy_notification_record_action_ = nullptr; + +Assert::ActionRegistrationPtr +addEnvoyNotificationRecordAction(const std::function& action) { + return std::make_unique(action); +} + +namespace details { + +void invokeEnvoyNotification(absl::string_view name) { + EnvoyNotificationRegistrationImpl::invokeAction(name); +} + +} // namespace details + +} // namespace Notification +} // namespace Envoy diff --git a/source/common/common/notification.h b/source/common/common/notification.h new file mode 100644 index 0000000000000..18df95c2f739f --- /dev/null +++ b/source/common/common/notification.h @@ -0,0 +1,57 @@ +#pragma once + +#include "source/common/common/assert.h" +#include "source/common/common/logger.h" + +namespace Envoy { +namespace Notification { + +/** + * Sets an action to be invoked when an ENVOY_NOTIFICATION is encountered. + * + * This function is not thread-safe; concurrent calls to set the action are not allowed. + * + * The action may be invoked concurrently if two ENVOY_NOTIFICATION in different threads run at the + * same time, so the action must be thread-safe. + * + * The action will be invoked in all build types (debug or release). + * + * @param action The action to take when an envoy bug fails. + * @return A registration object. The registration is removed when the object is destructed. + */ +Assert::ActionRegistrationPtr +addEnvoyNotificationRecordAction(const std::function& action); + +namespace details { +/** + * Invokes the action set by addEnvoyNotificationRecordAction, or does nothing if + * no action has been set. + * + * @param location Unique identifier for the ENVOY_NOTIFICATION. + * + * This should only be called by ENVOY_NOTIFICATION macros in this file. + */ +void invokeEnvoyNotification(absl::string_view name); +} // namespace details + +#define _ENVOY_NOTIFICATION_IMPL(NAME, DETAILS) \ + do { \ + const std::string& details = (DETAILS); \ + ENVOY_LOG_TO_LOGGER(Envoy::Logger::Registry::getLog(Envoy::Logger::Id::notification), debug, \ + "envoy notification: {}.{}{}", NAME, \ + details.empty() ? "" : " Details: ", details); \ + Envoy::Notification::details::invokeEnvoyNotification((NAME)); \ + } while (false) + +/** + * Invoke a notification of a specific condition. In contrast to ENVOY_BUG it does not ASSERT in + * debug builds and as such has no impact on continuous integration or system tests. If a condition + * is met it is logged at the debug verbosity and a stat is incremented. There is no exponential + * backoff, so the notification will be invoked every time the condition is met. As such + * notification handler must have low overhead if the condition is expected to be encountered + * frequently. ENVOY_NOTIFICATION must be called with three arguments for verbose logging. + */ +#define ENVOY_NOTIFICATION(...) PASS_ON(PASS_ON(_ENVOY_NOTIFICATION_IMPL)(__VA_ARGS__)) + +} // namespace Notification +} // namespace Envoy diff --git a/source/server/BUILD b/source/server/BUILD index b0abef48337ef..8c7a660d22170 100644 --- a/source/server/BUILD +++ b/source/server/BUILD @@ -400,6 +400,7 @@ envoy_cc_library( "//source/common/common:cleanup_lib", "//source/common/common:logger_lib", "//source/common/common:mutex_tracer_lib", + "//source/common/common:notification_lib", "//source/common/common:perf_tracing_lib", "//source/common/common:utility_lib", "//source/common/config:utility_lib", diff --git a/source/server/server.cc b/source/server/server.cc index 264f95d64d32f..bd0d57c06461b 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -28,6 +28,7 @@ #include "source/common/api/os_sys_calls_impl.h" #include "source/common/common/enum_to_int.h" #include "source/common/common/mutex_tracer_impl.h" +#include "source/common/common/notification.h" #include "source/common/common/utility.h" #include "source/common/config/utility.h" #include "source/common/config/well_known_names.h" @@ -752,6 +753,8 @@ absl::Status InstanceBase::initializeOrThrow(Network::Address::InstanceConstShar [this](const char*) { server_stats_->debug_assertion_failures_.inc(); }); envoy_bug_action_registration_ = Assert::addEnvoyBugFailureRecordAction( [this](const char*) { server_stats_->envoy_bug_failures_.inc(); }); + envoy_notification_registration_ = Notification::addEnvoyNotificationRecordAction( + [this](absl::string_view) { server_stats_->envoy_notifications_.inc(); }); } if (initial_config.admin().address()) { diff --git a/source/server/server.h b/source/server/server.h index 2df13ded91d63..7a2ff1e91236a 100644 --- a/source/server/server.h +++ b/source/server/server.h @@ -72,6 +72,7 @@ struct ServerCompilationSettingsStats { #define ALL_SERVER_STATS(COUNTER, GAUGE, HISTOGRAM) \ COUNTER(debug_assertion_failures) \ COUNTER(envoy_bug_failures) \ + COUNTER(envoy_notifications) \ COUNTER(dynamic_unknown_fields) \ COUNTER(static_unknown_fields) \ COUNTER(wip_protos) \ @@ -392,6 +393,7 @@ class InstanceBase : Logger::Loggable, server_compilation_settings_stats_; Assert::ActionRegistrationPtr assert_action_registration_; Assert::ActionRegistrationPtr envoy_bug_action_registration_; + Assert::ActionRegistrationPtr envoy_notification_registration_; ThreadLocal::Instance& thread_local_; Random::RandomGeneratorPtr random_generator_; envoy::config::bootstrap::v3::Bootstrap bootstrap_; diff --git a/test/common/common/BUILD b/test/common/common/BUILD index b4d3f54f0455f..a78e7566e5706 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -661,3 +661,13 @@ envoy_cc_test( "//test/mocks/stream_info:stream_info_mocks", ], ) + +envoy_cc_test( + name = "notification_test", + srcs = ["notification_test.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/common:notification_lib", + "//test/test_common:logging_lib", + ], +) diff --git a/test/common/common/notification_test.cc b/test/common/common/notification_test.cc new file mode 100644 index 0000000000000..9e0373220187e --- /dev/null +++ b/test/common/common/notification_test.cc @@ -0,0 +1,45 @@ +#include "source/common/common/notification.h" + +#include "test/test_common/logging.h" + +#include "gtest/gtest.h" + +namespace Envoy { + +TEST(EnvoyNotification, CallbackInvoked) { + // Use 2 envoy notification action registrations to verify that action chaining is working + // correctly. + int envoy_notification_count = 0; + int envoy_notification_count2 = 0; + std::string name1; + std::string name2; + auto envoy_notification_action_registration = + Notification::addEnvoyNotificationRecordAction([&](absl::string_view name) { + name1 = name; + envoy_notification_count++; + }); + auto envoy_notification_action_registration2 = + Notification::addEnvoyNotificationRecordAction([&](absl::string_view name) { + name2 = name; + envoy_notification_count2++; + }); + + EXPECT_LOG_CONTAINS("debug", "envoy notification: id1.", { ENVOY_NOTIFICATION("id1", ""); }); + EXPECT_EQ(envoy_notification_count, 1); + EXPECT_EQ(envoy_notification_count2, 1); + EXPECT_EQ(name1, "id1"); + EXPECT_EQ(name2, "id1"); + EXPECT_LOG_CONTAINS("debug", "envoy notification: .", { ENVOY_NOTIFICATION("", ""); }); + EXPECT_EQ(envoy_notification_count, 2); + EXPECT_EQ(envoy_notification_count2, 2); + EXPECT_EQ(name1, ""); + EXPECT_EQ(name2, ""); + EXPECT_LOG_CONTAINS("debug", "envoy notification: id2. Details: with some logs", + { ENVOY_NOTIFICATION("id2", "with some logs"); }); + EXPECT_EQ(envoy_notification_count, 3); + EXPECT_EQ(envoy_notification_count2, 3); + EXPECT_EQ(name1, "id2"); + EXPECT_EQ(name2, "id2"); +} + +} // namespace Envoy diff --git a/test/server/BUILD b/test/server/BUILD index b597bb661b0be..62d92eed64f4e 100644 --- a/test/server/BUILD +++ b/test/server/BUILD @@ -361,6 +361,7 @@ envoy_cc_test( ], rbe_pool = "6gig", deps = [ + "//source/common/common:notification_lib", "//source/common/version:version_lib", "//source/extensions/access_loggers/file:config", "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 7307ae5cc861a..775f05a7bf6cb 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -9,6 +9,7 @@ #include "envoy/server/fatal_action_config.h" #include "source/common/common/assert.h" +#include "source/common/common/notification.h" #include "source/common/network/address_impl.h" #include "source/common/network/listen_socket_impl.h" #include "source/common/network/socket_option_impl.h" @@ -846,6 +847,10 @@ TEST_P(ServerInstanceImplTest, Stats) { EXPECT_EQ(2L, TestUtility::findGauge(stats_store_, "server.concurrency")->value()); EXPECT_EQ(3L, TestUtility::findGauge(stats_store_, "server.hot_restart_epoch")->value()); + ENVOY_NOTIFICATION("name", "stuff"); + ENVOY_NOTIFICATION("name1", "stuff1"); + ENVOY_NOTIFICATION("name3", "stuff3"); + EXPECT_EQ(3L, TestUtility::findCounter(stats_store_, "server.envoy_notifications")->value()); // The ENVOY_BUG stat works in release mode. #if defined(NDEBUG) // Test exponential back-off on a fixed line ENVOY_BUG. From b96ae07e8d7f8dec0d636270bb3e1dd9c71939a4 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 25 Jul 2025 17:59:58 -0400 Subject: [PATCH 082/505] Downgrade HTTP cache filter security posture (#40442) Per notification in the envoy-announce@googlegroups.com the HTTP cache filter security posture is downgraded to unknown to match its work-in-progress status. This removes the filter from the security release process. Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/extensions/extensions_metadata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 8398b376ea8cd..6bf97f2dfb0cc 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -270,7 +270,7 @@ envoy.filters.http.buffer: envoy.filters.http.cache: categories: - envoy.filters.http - security_posture: robust_to_untrusted_downstream_and_upstream + security_posture: unknown status: wip type_urls: - envoy.extensions.filters.http.cache.v3.CacheConfig From 59047d5fdc8888970300a79e15df0ec04edf9f17 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Fri, 25 Jul 2025 19:30:58 -0400 Subject: [PATCH 083/505] rbac: only allocate protobuf arena if it CEL is used (#40240) Prior to this PR, the protobuf arena would've been allocated for each RBAC configuration, even if CEL wasn't used. Wrapped the arena and the builder around a single wrapper that will only be allocated if CEL is used. Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- source/extensions/filters/common/rbac/engine_impl.cc | 8 ++++++-- source/extensions/filters/common/rbac/engine_impl.h | 9 +++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc index 9abe4c961df3b..7c6a272406d91 100644 --- a/source/extensions/filters/common/rbac/engine_impl.cc +++ b/source/extensions/filters/common/rbac/engine_impl.cc @@ -45,16 +45,20 @@ RoleBasedAccessControlEngineImpl::RoleBasedAccessControlEngineImpl( ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::CommonFactoryContext& context, const EnforcementMode mode) : action_(rules.action()), mode_(mode) { + // A pointer to the builder, if one will be created. + Expr::Builder* builder = nullptr; // guard expression builder by presence of a condition in policies for (const auto& policy : rules.policies()) { if (policy.second.has_condition()) { - builder_ = Expr::createBuilder(&constant_arena_); + builder_with_arena_ = std::make_unique(); + builder_with_arena_->builder_ = Expr::createBuilder(&builder_with_arena_->constant_arena_); + builder = builder_with_arena_->builder_.get(); break; } } for (const auto& policy : rules.policies()) { - policies_.emplace(policy.first, std::make_unique(policy.second, builder_.get(), + policies_.emplace(policy.first, std::make_unique(policy.second, builder, validation_visitor, context)); } } diff --git a/source/extensions/filters/common/rbac/engine_impl.h b/source/extensions/filters/common/rbac/engine_impl.h index 80a5781ed9e71..bc659958fdad7 100644 --- a/source/extensions/filters/common/rbac/engine_impl.h +++ b/source/extensions/filters/common/rbac/engine_impl.h @@ -88,8 +88,13 @@ class RoleBasedAccessControlEngineImpl : public RoleBasedAccessControlEngine, No std::map> policies_; - Protobuf::Arena constant_arena_; - Expr::BuilderPtr builder_; + // Encapsulated the CEL expression builder with the arena, that will only be + // allocated if CEL is configured. + struct ExprBuilderWithArena { + Protobuf::Arena constant_arena_; + Expr::BuilderPtr builder_; + }; + std::unique_ptr builder_with_arena_; }; class RoleBasedAccessControlMatcherEngineImpl : public RoleBasedAccessControlEngine, NonCopyable { From 895d0b59e30e5434b5f9182ac5e73944402e166b Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 25 Jul 2025 16:45:00 -0700 Subject: [PATCH 084/505] radix_tree: refactor the code to make it cleaner (#40435) ## Description This PR refactors the Radix Tree code to make it cleaner. It also add some more tests to improve the overall coverage. --- **Commit Message:** radix_tree: refactor the code to make it cleaner **Additional Description:** Refactors the Radix Tree implementation to make it cleaner. **Risk Level:** Low **Testing:** Unit Tests **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- source/common/common/BUILD | 2 + source/common/common/radix_tree.h | 357 ++++++++++++++------------ test/common/common/radix_tree_test.cc | 82 ++++++ 3 files changed, 272 insertions(+), 169 deletions(-) diff --git a/source/common/common/BUILD b/source/common/common/BUILD index 6d70887e501e1..f6314bcd96629 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -498,7 +498,9 @@ envoy_cc_library( hdrs = ["radix_tree.h"], deps = [ ":assert_lib", + "//envoy/common:optref_lib", "@com_google_absl//absl/container:flat_hash_map", + "@com_google_absl//absl/container:inlined_vector", "@com_google_absl//absl/strings", ], ) diff --git a/source/common/common/radix_tree.h b/source/common/common/radix_tree.h index aae80fd3edbb0..a7655f8503d29 100644 --- a/source/common/common/radix_tree.h +++ b/source/common/common/radix_tree.h @@ -8,169 +8,33 @@ #include "source/common/common/assert.h" #include "absl/container/flat_hash_map.h" +#include "absl/container/inlined_vector.h" #include "absl/strings/string_view.h" #include "absl/types/optional.h" namespace Envoy { -template class RadixTree { - static constexpr int32_t NoNode = -1; - struct RadixTreeNode { - std::string prefix_; - Value value_{}; - // Hash map for O(1) child lookup by first character - absl::flat_hash_map children_; - - /** - * Insert a key-value pair into this node - * @param key the full key being inserted - * @param search the remaining search key - * @param value the value to insert - */ - void insert(absl::string_view search, Value value) { - // Handle key exhaustion - if (search.empty()) { - value_ = std::move(value); - return; - } - - // Look for the edge - uint8_t firstChar = static_cast(search[0]); - auto childIt = children_.find(firstChar); - - // No edge, create one - if (childIt == children_.end()) { - // Create a new child node - RadixTreeNode newChild; - newChild.prefix_ = std::string(search); - newChild.value_ = std::move(value); - - // Add the child to the current node - children_[firstChar] = std::move(newChild); - return; - } - - // Get the child node - RadixTreeNode& child = childIt->second; - - // Determine longest prefix length of the search key on match - size_t cpl = commonPrefixLength(search, child.prefix_); - if (cpl == child.prefix_.size()) { - // The search key is longer than the child prefix, continue down - absl::string_view remaining_search = search.substr(cpl); - child.insert(remaining_search, std::move(value)); - return; - } - - // Split the node - create a new intermediate node - RadixTreeNode split_node; - split_node.prefix_ = std::string(search.substr(0, cpl)); - - // Update the child's prefix - child.prefix_ = std::string(child.prefix_.substr(cpl)); - - // If the search key is exactly the common prefix, set the value on the split node - if (cpl == search.size()) { - split_node.value_ = std::move(value); - } else { - // Create a new leaf for the current key - RadixTreeNode new_leaf; - new_leaf.prefix_ = std::string(search.substr(cpl)); - new_leaf.value_ = std::move(value); - split_node.children_[static_cast(new_leaf.prefix_[0])] = std::move(new_leaf); - } - - // Add the child to the split node - split_node.children_[static_cast(child.prefix_[0])] = std::move(child); - - // Replace the original child with the split node - children_[firstChar] = std::move(split_node); - } - - /** - * Recursive helper for find operation. - * @param search the remaining search key. - * @param result the value to return if found. - * @return true if the key was found, false otherwise. - */ - bool findRecursive(absl::string_view search, Value& result) const { - if (search.empty()) { - if (has_value(*this)) { - result = value_; - return true; - } - return false; - } - - uint8_t firstChar = static_cast(search[0]); - auto childIt = children_.find(firstChar); - if (childIt == children_.end()) { - return false; - } - - const RadixTreeNode& child = childIt->second; - - // Check if the child's prefix matches the search - if (search.size() >= child.prefix_.size() && - search.substr(0, child.prefix_.size()) == child.prefix_) { - absl::string_view new_search = search.substr(child.prefix_.size()); - return child.findRecursive(new_search, result); - } - - return false; - } - - /** - * Get a child node by character key - */ - Envoy::OptRef getChild(uint8_t char_key) const { - auto it = children_.find(char_key); - if (it != children_.end()) { - return {it->second}; - } - return {}; - } - }; - - /** - * Check if a node has a value (is a leaf node) - */ - static bool has_value(const RadixTreeNode& node) { - // For pointer types, check if the pointer is not null - if constexpr (std::is_pointer_v) { - return node.value_ != nullptr; - } else { - return static_cast(node.value_); - } - } - - /** - * Find the longest common prefix between two strings - */ - static size_t commonPrefixLength(absl::string_view a, absl::string_view b) { - size_t len = std::min(a.size(), b.size()); - for (size_t i = 0; i < len; i++) { - if (a[i] != b[i]) { - return i; - } - } - return len; - } +/** + * A radix tree implementation for efficient prefix-based lookups. + * + * Template parameter Value must be default-constructible and moveable. + */ +template class RadixTree { public: /** - * Adds an entry to the RadixTree at the given Key. + * Adds an entry to the RadixTree at the given key. * @param key the key used to add the entry. * @param value the value to be associated with the key. * @param overwrite_existing will overwrite the value when the value for a given key already * exists. - * @return false when a value already exists for the given key. + * @return false when a value already exists for the given key and overwrite_existing is false. */ bool add(absl::string_view key, Value value, bool overwrite_existing = true) { - // Check if the key already exists + // Check if the key already exists. Value existing; bool found = root_.findRecursive(key, existing); - // If a value exists and we shouldn't overwrite, return false + // If a value exists and we shouldn't overwrite, return false. if (found && !overwrite_existing) { return false; } @@ -204,28 +68,28 @@ template class RadixTree { absl::string_view search = key; const RadixTreeNode* node = &root_; - // Special case: if searching for empty string, check root node + // Special case: if searching for empty string, check root node. if (search.empty()) { - if (has_value(*node)) { + if (hasValue(*node)) { result.push_back(node->value_); } return result; } while (true) { - // Check if current node has a value (is a leaf) and we've consumed some prefix - if (has_value(*node)) { + // Check if current node has a value (is a leaf) and we've consumed some prefix. + if (hasValue(*node)) { result.push_back(node->value_); } - // Check for key exhaustion + // Check for key exhaustion. if (search.empty()) { break; } - // Look for an edge - uint8_t firstChar = static_cast(search[0]); - auto child = node->getChild(firstChar); + // Look for an edge. + uint8_t first_char = static_cast(search[0]); + auto child = node->getChild(first_char); if (!child) { break; } @@ -233,12 +97,12 @@ template class RadixTree { const RadixTreeNode& child_node = *child; node = &child_node; - // Consume the search prefix + // Consume the search prefix. if (search.size() < child->prefix_.size() || search.substr(0, child->prefix_.size()) != child->prefix_) { break; } - // Consume the search prefix + // Consume the search prefix. search = search.substr(child->prefix_.size()); } @@ -259,19 +123,19 @@ template class RadixTree { const RadixTreeNode* last_node_with_value = nullptr; while (true) { - // Look for a leaf node - if (has_value(*node)) { + // Look for a leaf node. + if (hasValue(*node)) { last_node_with_value = node; } - // Check for key exhaustion + // Check for key exhaustion. if (search.empty()) { break; } - // Look for an edge - uint8_t firstChar = static_cast(search[0]); - auto child = node->getChild(firstChar); + // Look for an edge. + uint8_t first_char = static_cast(search[0]); + auto child = node->getChild(first_char); if (!child) { break; } @@ -279,24 +143,179 @@ template class RadixTree { const RadixTreeNode& child_node = *child; node = &child_node; - // Consume the search prefix + // Consume the search prefix. if (search.size() < child->prefix_.size() || search.substr(0, child->prefix_.size()) != child->prefix_) { break; } - // Consume the search prefix + // Consume the search prefix. search = search.substr(child->prefix_.size()); } - // Return the value from the last node that had a value, or empty value if none found + // Return the value from the last node that had a value, or empty value if none found. if (last_node_with_value != nullptr) { return last_node_with_value->value_; } - return nullptr; + return Value{}; } private: - // Initialized with a single empty node as the root node. - RadixTreeNode root_ = RadixTreeNode(); + static constexpr int32_t NoNode = -1; + + /** + * Internal node structure for the radix tree. + */ + struct RadixTreeNode { + std::string prefix_; + Value value_{}; + + // Hash map for O(1) child lookup by first character. + absl::flat_hash_map children_; + + /** + * Insert a key-value pair into this node. + * @param search the remaining search key. + * @param value the value to insert. + */ + void insert(absl::string_view search, Value value) { + // Handle key exhaustion. + if (search.empty()) { + value_ = std::move(value); + return; + } + + // Look for the edge. + uint8_t first_char = static_cast(search[0]); + auto child_it = children_.find(first_char); + + // No edge, create one. + if (child_it == children_.end()) { + // Create a new child node. + RadixTreeNode new_child; + new_child.prefix_ = std::string(search); + new_child.value_ = std::move(value); + + // Add the child to the current node. + children_[first_char] = std::move(new_child); + return; + } + + // Get the child node. + RadixTreeNode& child = child_it->second; + + // Determine longest prefix length of the search key on match. + size_t cpl = commonPrefixLength(search, child.prefix_); + if (cpl == child.prefix_.size()) { + // The search key is longer than the child prefix, continue down. + absl::string_view remaining_search = search.substr(cpl); + child.insert(remaining_search, std::move(value)); + return; + } + + // Split the node. We create a new intermediate node. + RadixTreeNode split_node; + split_node.prefix_ = std::string(search.substr(0, cpl)); + + // Update the child's prefix. + child.prefix_ = std::string(child.prefix_.substr(cpl)); + + // If the search key is exactly the common prefix, set the value on the split node. + if (cpl == search.size()) { + split_node.value_ = std::move(value); + } else { + // Create a new leaf for the current key. + RadixTreeNode new_leaf; + new_leaf.prefix_ = std::string(search.substr(cpl)); + new_leaf.value_ = std::move(value); + split_node.children_[static_cast(new_leaf.prefix_[0])] = std::move(new_leaf); + } + + // Add the child to the split node. + split_node.children_[static_cast(child.prefix_[0])] = std::move(child); + + // Replace the original child with the split node. + children_[first_char] = std::move(split_node); + } + + /** + * Recursive helper for find operation. + * @param search the remaining search key. + * @param result the value to return if found. + * @return true if the key was found, false otherwise. + */ + bool findRecursive(absl::string_view search, Value& result) const { + if (search.empty()) { + if (hasValue(*this)) { + result = value_; + return true; + } + return false; + } + + uint8_t first_char = static_cast(search[0]); + auto child_it = children_.find(first_char); + if (child_it == children_.end()) { + return false; + } + + const RadixTreeNode& child = child_it->second; + + // Check if the child's prefix matches the search. + if (search.size() >= child.prefix_.size() && + search.substr(0, child.prefix_.size()) == child.prefix_) { + absl::string_view new_search = search.substr(child.prefix_.size()); + return child.findRecursive(new_search, result); + } + + return false; + } + + /** + * Get a child node by character key. + * @param char_key the character to look up. + * @return optional reference to the child node. + */ + Envoy::OptRef getChild(uint8_t char_key) const { + auto it = children_.find(char_key); + if (it != children_.end()) { + return {it->second}; + } + return {}; + } + }; + + /** + * Find the longest common prefix between two strings. + * @param a first string. + * @param b second string. + * @return length of the common prefix. + */ + static size_t commonPrefixLength(absl::string_view a, absl::string_view b) { + size_t len = std::min(a.size(), b.size()); + for (size_t i = 0; i < len; i++) { + if (a[i] != b[i]) { + return i; + } + } + return len; + } + + /** + * Check if a node has a value (is a leaf node). + * @param node the node to check. + * @return true if the node has a value. + */ + static bool hasValue(const RadixTreeNode& node) { + // For pointer types, check if the pointer is not null. + if constexpr (std::is_pointer_v) { + return node.value_ != nullptr; + } else { + return static_cast(node.value_); + } + } + + // Root node of the radix tree. + RadixTreeNode root_; }; + } // namespace Envoy diff --git a/test/common/common/radix_tree_test.cc b/test/common/common/radix_tree_test.cc index 2b5a10904a3bc..521a401bf2a35 100644 --- a/test/common/common/radix_tree_test.cc +++ b/test/common/common/radix_tree_test.cc @@ -354,4 +354,86 @@ TEST(RadixTree, InsertAndFindBooleanInterface) { EXPECT_EQ(cstr_a, result); } +TEST(RadixTree, BasicFunctionality) { + RadixTree radixtree; + const char* cstr_a = "a"; + const char* cstr_b = "b"; + + // Test simple insertion + EXPECT_TRUE(radixtree.add(std::string("test"), cstr_a)); + EXPECT_EQ(cstr_a, radixtree.find("test")); + + // Test second insertion + EXPECT_TRUE(radixtree.add(std::string("hello"), cstr_b)); + EXPECT_EQ(cstr_b, radixtree.find("hello")); + EXPECT_EQ(cstr_a, radixtree.find("test")); // Make sure first one still works +} + +TEST(RadixTree, StringOperations) { + RadixTree radixtree; + const char* value_a = "value_a"; + const char* value_b = "value_b"; + const char* value_c = "value_c"; + const char* value_d = "value_d"; + + // Test string operations with various scenarios. + EXPECT_TRUE(radixtree.add("test", value_a)); + EXPECT_TRUE(radixtree.add("testing", value_b)); + EXPECT_TRUE(radixtree.add("hello", value_c)); + EXPECT_TRUE(radixtree.add("world", value_d)); + + // Verify all insertions work correctly. + EXPECT_EQ(value_a, radixtree.find("test")); + EXPECT_EQ(value_b, radixtree.find("testing")); + EXPECT_EQ(value_c, radixtree.find("hello")); + EXPECT_EQ(value_d, radixtree.find("world")); + + // Test prefix matching. + EXPECT_EQ(value_a, radixtree.findLongestPrefix("test")); + EXPECT_EQ(value_b, radixtree.findLongestPrefix("testing")); + EXPECT_EQ(value_a, radixtree.findLongestPrefix("test_other")); + EXPECT_EQ(nullptr, radixtree.findLongestPrefix("xyz")); + + // Test that prefix matching works correctly. + EXPECT_THAT(radixtree.findMatchingPrefixes("testing"), ElementsAre(value_a, value_b)); + EXPECT_THAT(radixtree.findMatchingPrefixes("test"), ElementsAre(value_a)); +} + +TEST(RadixTree, PerformanceCharacteristics) { + RadixTree radixtree; + + // Test with a larger number of keys to verify performance characteristics. + const size_t num_keys = 100; // Reduced for clearer testing + std::vector keys; + keys.reserve(num_keys); + + // Generate keys with common prefixes to test radix tree compression. + for (size_t i = 0; i < num_keys; ++i) { + keys.push_back("prefix_" + std::to_string(i)); + } + + // Insert all keys. + for (size_t i = 0; i < keys.size(); ++i) { + int value = static_cast(i + 1); + EXPECT_TRUE(radixtree.add(keys[i], value)); + } + + // Verify all keys can be found. + for (size_t i = 0; i < keys.size(); ++i) { + int expected_value = static_cast(i + 1); + EXPECT_EQ(expected_value, radixtree.find(keys[i])); + } + + // Test prefix matching: "prefix_50_extra" should match "prefix_5" and "prefix_50". + auto prefix_matches = radixtree.findMatchingPrefixes("prefix_50_extra"); + EXPECT_GE(prefix_matches.size(), 1); // Should match at least "prefix_50" + + // Test longest prefix match. + int longest_match = radixtree.findLongestPrefix("prefix_50_extra"); + EXPECT_EQ(51, longest_match); // prefix_50 + 1 + + // Test non-matching prefix. + EXPECT_EQ(0, radixtree.findLongestPrefix("different_prefix")); // int default value is 0 +} + } // namespace Envoy From d93f0405ae6cdc816bed5cbee93684e619ae5273 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Sat, 26 Jul 2025 07:20:59 -0400 Subject: [PATCH 085/505] Add missing include to ssl_socket_extended_info_interface.h (#40451) For `CertificateSelectionCallbackPtr` type. Risk Level: low Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- envoy/ssl/BUILD | 1 + envoy/ssl/ssl_socket_extended_info.h | 1 + test/common/tls/cert_validator/BUILD | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/envoy/ssl/BUILD b/envoy/ssl/BUILD index cc840247281c4..fa337b2f15bb2 100644 --- a/envoy/ssl/BUILD +++ b/envoy/ssl/BUILD @@ -76,6 +76,7 @@ envoy_cc_library( envoy_cc_library( name = "ssl_socket_extended_info_interface", hdrs = ["ssl_socket_extended_info.h"], + deps = [":handshaker_interface"], ) envoy_cc_library( diff --git a/envoy/ssl/ssl_socket_extended_info.h b/envoy/ssl/ssl_socket_extended_info.h index 192f395c204e0..228cb937edf04 100644 --- a/envoy/ssl/ssl_socket_extended_info.h +++ b/envoy/ssl/ssl_socket_extended_info.h @@ -7,6 +7,7 @@ #include "envoy/common/pure.h" #include "envoy/event/dispatcher.h" +#include "envoy/ssl/handshaker.h" namespace Envoy { namespace Ssl { diff --git a/test/common/tls/cert_validator/BUILD b/test/common/tls/cert_validator/BUILD index 67ef47884e38c..6176cb47fd79e 100644 --- a/test/common/tls/cert_validator/BUILD +++ b/test/common/tls/cert_validator/BUILD @@ -19,9 +19,9 @@ envoy_cc_test( ], rbe_pool = "6gig", deps = [ + ":test_common", "//source/common/tls/cert_validator:cert_validator_lib", "//test/common/tls:ssl_test_utils", - "//test/common/tls/cert_validator:test_common", "//test/mocks/server:server_factory_context_mocks", "//test/test_common:environment_lib", "//test/test_common:test_runtime_lib", @@ -35,8 +35,8 @@ envoy_cc_test( ], rbe_pool = "6gig", deps = [ + ":test_common", "//source/common/tls/cert_validator:cert_validator_lib", - "//test/common/tls/cert_validator:test_common", ], ) From d7f5e8cba923b8e3662d2beb617afcc2b8df8391 Mon Sep 17 00:00:00 2001 From: Tony Allen Date: Sat, 26 Jul 2025 07:25:21 -0700 Subject: [PATCH 086/505] upstream: Add network namespace for upstream binding (#39782) ## Add network namespace for upstream binding This change builds upon #39517 to add network namespace support for client/outbound connections via the upstream bind config. The UpstreamBindConfig (both at the bootstrap/cluster_manager level and per-cluster) now supports network_namespace_filepath within its source_address. When specified on Linux, connections initiated by the cluster to upstream hosts will attempt to bind to the source_address within the designated network namespace. Validation has also been added to prevent individual Host definitions (e.g., in static clusters or EDS) from specifying a network namespace directly with their address. Network namespace configuration is intended to be set in the listener or bind configuration- it is meaningless for hosts. Risk Level: Low. Testing: Unit tests Docs Changes: Proto description updated. Release Notes: Done. Platform Specific Features: Linux. Fixes https://github.com/envoyproxy/envoy/issues/38947 --------- Signed-off-by: Tony Allen Signed-off-by: Tony Allen --- changelogs/current.yaml | 3 + source/common/event/dispatcher_impl.cc | 21 +++++++ source/common/network/utility.cc | 4 +- source/common/upstream/upstream_impl.cc | 25 ++++++++ .../listener_manager_impl_test.cc | 30 ++++++++++ test/common/upstream/upstream_impl_test.cc | 58 +++++++++++++++++++ test/coverage.yaml | 2 +- 7 files changed, 140 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 7aa670ec5273b..ca318c957369b 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -46,6 +46,9 @@ new_features: This allows Lua scripts to retrieve string, boolean, and numeric values stored by various filters for use in routing decisions, header modifications, and other processing logic. See :ref:`Filter State API ` for more details. +- area: socket + change: | + Added ``network_namespace_filepath`` to ``SocketAddress``. - area: ratelimit change: | Add the :ref:`rate_limits diff --git a/source/common/event/dispatcher_impl.cc b/source/common/event/dispatcher_impl.cc index 5295f7eb67f8d..50ce9aa45f731 100644 --- a/source/common/event/dispatcher_impl.cc +++ b/source/common/event/dispatcher_impl.cc @@ -26,6 +26,7 @@ #include "source/common/filesystem/watcher_impl.h" #include "source/common/network/address_impl.h" #include "source/common/network/connection_impl.h" +#include "source/common/network/utility.h" #include "source/common/runtime/runtime_features.h" #include "event2/event.h" @@ -167,11 +168,31 @@ Network::ClientConnectionPtr DispatcherImpl::createClientConnection( auto* factory = Config::Utility::getFactoryByName( std::string(address->addressType())); + // The target address is usually offered by EDS and the EDS api should reject the unsupported // address. // TODO(lambdai): Return a closed connection if the factory is not found. Note that the caller // expects a non-null connection as of today so we cannot gracefully handle unsupported address // type. +#if defined(__linux__) + // For Linux, the source address' network namespace is relevant for client connections, since that + // is where the netns would be specified. + if (source_address && source_address->networkNamespace().has_value()) { + auto f = [&]() -> Network::ClientConnectionPtr { + return factory->createClientConnection( + *this, address, source_address, std::move(transport_socket), options, transport_options); + }; + auto result = Network::Utility::execInNetworkNamespace( + std::move(f), source_address->networkNamespace()->c_str()); + if (!result.ok()) { + ENVOY_LOG(error, "failed to create connection in network namespace {}: {}", + source_address->networkNamespace().value(), result.status().ToString()); + return nullptr; + } + return *std::move(result); + } +#endif + return factory->createClientConnection(*this, address, source_address, std::move(transport_socket), options, transport_options); } diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc index 9a0ba0d082f3a..5abbda13d11d2 100644 --- a/source/common/network/utility.cc +++ b/source/common/network/utility.cc @@ -220,8 +220,8 @@ Utility::parseInternetAddressAndPortNoThrow(const std::string& ip_address, bool } StatusOr sa4 = parseV4Address(ip_str, port64); if (sa4.ok()) { - return instanceOrNull( - Address::InstanceFactory::createInstancePtr(&sa4.value())); + return instanceOrNull(Address::InstanceFactory::createInstancePtr( + &sa4.value(), nullptr, network_namespace)); } return nullptr; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 0b7f10d06dc5e..9de375074669a 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -360,6 +360,28 @@ createUpstreamLocalAddressSelector( !(cluster_name.has_value()) ? "Bootstrap" : fmt::format("Cluster {}", cluster_name.value()))); } + +#if !defined(__linux__) + auto fail_status = absl::InvalidArgumentError(fmt::format( + "{}'s upstream binding config contains addresses with network namespace filepaths, but the " + "OS is not Linux. Network namespaces can only be used on Linux.", + !(cluster_name.has_value()) ? "Bootstrap" + : fmt::format("Cluster {}", cluster_name.value()))); + if (bind_config->has_source_address() && + !bind_config->source_address().network_namespace_filepath().empty()) { + return fail_status; + }; + for (const auto& addr : bind_config->extra_source_addresses()) { + if (addr.has_address() && !addr.address().network_namespace_filepath().empty()) { + return fail_status; + } + } + for (const auto& addr : bind_config->additional_source_addresses()) { + if (!addr.network_namespace_filepath().empty()) { + return fail_status; + } + } +#endif } UpstreamLocalAddressSelectorFactory* local_address_selector_factory; const envoy::config::core::v3::TypedExtensionConfig* const local_address_selector_config = @@ -473,6 +495,9 @@ HostDescriptionImplBase::HostDescriptionImplBase( // for a pipe address is a misconfiguration. creation_status = absl::InvalidArgumentError( fmt::format("Invalid host configuration: non-zero port for non-IP address")); + } else if (dest_address && dest_address->networkNamespace().has_value()) { + creation_status = absl::InvalidArgumentError( + "Invalid host configuration: hosts cannot specify network namespaces with their address"); } } diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index f99806c67c91f..77b51da017c59 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -858,6 +858,36 @@ bind_to_port: false EXPECT_EQ(1UL, server_.stats_store_.counterFromString("listener.127.0.0.1_1234.foo").value()); } +TEST_P(ListenerManagerImplTest, ListenerWithTargetNetworkNamespace) { + constexpr absl::string_view listener_yaml_tmpl = R"EOF( +name: listener_with_ns +address: + socket_address: + address: 127.0.0.1 + port_value: 0 + network_namespace_filepath: "{}" +filter_chains: +- filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: cluster_0 +)EOF"; + + const std::string namespace_path = "/var/run/netns/test_listener_ns"; + envoy::config::listener::v3::Listener listener_config = + parseListenerFromV3Yaml(fmt::format(listener_yaml_tmpl, namespace_path)); + + auto status = manager_->addOrUpdateListener(listener_config, "", true); +#if defined(__linux__) + // On Linux, adding the listener should succeed. + EXPECT_TRUE(status.ok()); +#else + EXPECT_FALSE(status.ok()); +#endif +} + TEST_P(ListenerManagerImplTest, MultipleSocketTypeSpecifiedInAddresses) { const std::string yaml = R"EOF( name: "foo" diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 6e114d0fecd19..f74ecd620351e 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -2215,6 +2215,21 @@ TEST_F(HostImplTest, HealthPipeAddress) { "Invalid host configuration: non-zero port for non-IP address"); } +// Test that a network namespace specified for a host is invalid. +TEST_F(HostImplTest, NetnsInvalid) { + std::shared_ptr info{new NiceMock()}; + envoy::config::endpoint::v3::Endpoint::HealthCheckConfig config; + config.set_port_value(8000); + auto dest_addr = + Network::Utility::parseInternetAddressAndPortNoThrow("1.2.3.4:9999", true, "/netns/filepath"); + EXPECT_EQ( + HostDescriptionImpl::create(info, "", dest_addr, nullptr, nullptr, + envoy::config::core::v3::Locality().default_instance(), config, 1) + .status() + .message(), + "Invalid host configuration: hosts cannot specify network namespaces with their address"); +} + TEST_F(HostImplTest, HostAddressList) { MockClusterMockPrioritySet cluster; HostSharedPtr host = makeTestHost(cluster.info_, "tcp://10.0.0.1:1234", 1); @@ -2302,6 +2317,49 @@ TEST_F(StaticClusterImplTest, LoadAssignmentEmptyHostname) { EXPECT_FALSE(cluster->info()->addedViaApi()); } +TEST_F(StaticClusterImplTest, UpstreamBindConfigWithNetns) { + const std::string yaml_base = R"EOF( + name: staticcluster_with_ns_bind + connect_timeout: 0.25s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 10.0.0.1 + port_value: 443 + upstream_bind_config: + source_address: + address: 1.2.3.4 + port_value: 5678 + network_namespace_filepath: "/var/run/netns/test_ns" + )EOF"; + + envoy::config::cluster::v3::Cluster cluster_config = parseClusterFromV3Yaml(yaml_base); + Envoy::Upstream::ClusterFactoryContextImpl factory_context(server_context_, nullptr, nullptr, + false); + +#if defined(__linux__) + constexpr bool is_linux = true; +#else + constexpr bool is_linux = false; +#endif + + if (is_linux) { + // On Linux, this configuration should be valid. + std::shared_ptr cluster = createCluster(cluster_config, factory_context); + EXPECT_NE(nullptr, cluster); + } else { + // On non-Linux, this should fail validation. + EXPECT_THAT_THROWS_MESSAGE( + createCluster(cluster_config, factory_context), EnvoyException, + testing::HasSubstr("network namespace filepaths, but the OS is not Linux")); + } +} + TEST_F(StaticClusterImplTest, LoadAssignmentNonEmptyHostname) { const std::string yaml = R"EOF( name: staticcluster diff --git a/test/coverage.yaml b/test/coverage.yaml index 236ae348bd744..1035b99a70792 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -9,7 +9,7 @@ directories: source/common/common/posix: 96.2 # flaky due to posix: be careful adjusting source/common/config: 96.5 source/common/crypto: 95.5 - source/common/event: 98.3 # Emulated edge events guards don't report LCOV + source/common/event: 96.5 # Emulated edge events guards don't report LCOV and setns requires Linux CAP_NET_ADMIN privileges. source/common/filesystem/posix: 96.4 # FileReadToEndNotReadable fails in some env; createPath can't test all failure branches. source/common/http: 96.5 source/common/http/http1: 93.4 # To be removed when http_inspector_use_balsa_parser is retired. From 18fe3124e88eb9ca2ad63a2ecf1ec6c8542441ee Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Sat, 26 Jul 2025 11:00:23 -0700 Subject: [PATCH 087/505] deps: Bump `simdutf` -> 7.3.3 (#40393) ## Description This PR bumps `simdutf` -> 7.3.3 Fix https://github.com/envoyproxy/envoy/issues/40358 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index da66225a4bb18..727ff5474ddbd 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1251,12 +1251,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_desc = "Unicode routines (UTF8, UTF16, UTF32) and Base64: billions of characters per second using SSE2, AVX2, NEON, AVX-512, RISC-V Vector Extension, LoongArch64, POWER. Part of Node.js, WebKit/Safari, Ladybird, Chromium, Cloudflare Workers and Bun.", project_url = "https://github.com/simdutf/simdutf", # NOTE: Update together with v8 and proxy_wasm_cpp_host. - version = "7.3.0", - sha256 = "512374f8291d3daf102ccd0ad223b1a8318358f7c1295efd4d9a3abbb8e4b6ff", + version = "7.3.3", + sha256 = "ebe033a48a3ea4a46205710f3dfdc98587dae3f9937d00d509773798b8243e60", urls = ["https://github.com/simdutf/simdutf/releases/download/v{version}/singleheader.zip"], use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2025-05-28", + release_date = "2025-07-13", cpe = "N/A", ), intel_ittapi = dict( From eab3a3de8efbe31ae34e4d8b71ac9be7d6df4206 Mon Sep 17 00:00:00 2001 From: phlax Date: Sat, 26 Jul 2025 21:11:33 +0100 Subject: [PATCH 088/505] bazel/ci: Add remote cache compression (#40459) Signed-off-by: Ryan Northey --- .bazelrc | 1 + 1 file changed, 1 insertion(+) diff --git a/.bazelrc b/.bazelrc index 20ea75c04d65f..fcbba3f03831f 100644 --- a/.bazelrc +++ b/.bazelrc @@ -539,6 +539,7 @@ common:common-envoy-engflow --google_default_credentials=false common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh common:common-envoy-engflow --grpc_keepalive_time=60s common:common-envoy-engflow --grpc_keepalive_timeout=30s +common:common-envoy-engflow --remote_cache_compression common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com common:cache-envoy-engflow --remote_timeout=3600s From 716965433b92e3589fd6ff459196b06c13a9b172 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Sat, 26 Jul 2025 13:31:02 -0700 Subject: [PATCH 089/505] deps: Bump `com_google_absl` -> 20250512.1 (#40457) ## Description This PR upgrades `com_google_absl` to v20250512.1 Fix https://github.com/envoyproxy/envoy/issues/39941 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 727ff5474ddbd..993cca81aed10 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -190,12 +190,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Abseil", project_desc = "Open source collection of C++ libraries drawn from the most fundamental pieces of Google’s internal codebase", project_url = "https://abseil.io/", - version = "20250512.0", - sha256 = "7262daa7c1711406248c10f41026d685e88223bc92817d16fb93c19adb57f669", + version = "20250512.1", + sha256 = "9b7a064305e9fd94d124ffa6cc358592eb42b5da588fb4e07d09254aa40086db", strip_prefix = "abseil-cpp-{version}", urls = ["https://github.com/abseil/abseil-cpp/archive/{version}.tar.gz"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-05-12", + release_date = "2025-06-17", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/abseil/abseil-cpp/blob/{version}/LICENSE", From 6105147948e25e7f0cfe4dc21a505bed0bb2d32a Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Sat, 26 Jul 2025 13:31:10 -0700 Subject: [PATCH 090/505] deps: Bump `com_github_google_perfetto` -> 51.2 (#40455) ## Description This PR upgrades `com_github_google_perfetto` to v51.2 Fix https://github.com/envoyproxy/envoy/issues/40109 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 993cca81aed10..7938ec3ce71d2 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -249,12 +249,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Perfetto", project_desc = "Perfetto Tracing SDK", project_url = "https://perfetto.dev/", - version = "50.1", - sha256 = "c2230d04790eb50231a58616a3f1ff6dcf772d8e220333a7711605f99c5c6db9", + version = "51.2", + sha256 = "4f917887dc577587d318c6be01799ec072244b5720c6ee627ab7f224c3b0a890", strip_prefix = "perfetto-{version}/sdk", urls = ["https://github.com/google/perfetto/archive/v{version}.tar.gz"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-04-22", + release_date = "2025-07-03", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/google/perfetto/blob/v{version}/LICENSE", From 73bfd3fb0940e22df25ec3f989144c0e92a0d629 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Sat, 26 Jul 2025 13:31:20 -0700 Subject: [PATCH 091/505] deps: Bump `io_opentelemetry_cpp` -> 1.22.0 (#40454) ## Description This PR upgrades `io_opentelemetry_cpp` to v1.22.0 Fix https://github.com/envoyproxy/envoy/issues/40214 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 7938ec3ce71d2..819754a99d853 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -600,8 +600,8 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "OpenTelemetry", project_desc = "Observability framework and toolkit designed to create and manage telemetry data such as traces, metrics, and logs.", project_url = "https://opentelemetry.io", - version = "1.21.0", - sha256 = "98e5546f577a11b52a57faed1f4cc60d8c1daa44760eba393f43eab5a8ec46a2", + version = "1.22.0", + sha256 = "3428f433f4b435ed1fad64cbdbe75b7288c06f6297786a7036d65d5b9a1d215b", strip_prefix = "opentelemetry-cpp-{version}", urls = ["https://github.com/open-telemetry/opentelemetry-cpp/archive/refs/tags/v{version}.tar.gz"], use_category = ["observability_ext"], @@ -613,7 +613,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( "envoy.tracers.opentelemetry.samplers.parent_based", "envoy.tracers.opentelemetry.samplers.trace_id_ratio_based", ], - release_date = "2025-05-29", + release_date = "2025-07-11", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/open-telemetry/opentelemetry-cpp/blob/v{version}/LICENSE", From c6a80d1b578961cd99dacf827a51bd5d145d6faa Mon Sep 17 00:00:00 2001 From: phlax Date: Sat, 26 Jul 2025 21:31:41 +0100 Subject: [PATCH 092/505] ci/docker: Update run_envoy_docker.sh to use docker compose (#40453) also removes no longer used/tested windows container support Signed-off-by: Ryan Northey --- ci/docker-compose.yml | 112 +++++++++++++++++++++++++ ci/run_envoy_docker.sh | 182 ++++++++--------------------------------- 2 files changed, 145 insertions(+), 149 deletions(-) create mode 100644 ci/docker-compose.yml diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml new file mode 100644 index 0000000000000..a434e258527eb --- /dev/null +++ b/ci/docker-compose.yml @@ -0,0 +1,112 @@ +x-envoy-build-base: &envoy-build-base + image: >- + ${ENVOY_BUILD_IMAGE:-envoyproxy/envoy-build-ubuntu:f4a881a1205e8e6db1a57162faf3df7aed88eae8@sha256:b10346fe2eee41733dbab0e02322c47a538bf3938d093a5daebad9699860b814} + user: root:root + working_dir: ${ENVOY_DOCKER_SOURCE_DIR:-/source} + stdin_open: true + tty: true + platform: ${ENVOY_DOCKER_PLATFORM:-} + environment: + # Core build environment + - BUILD_DIR=/build + - ENVOY_DOCKER_SOURCE_DIR=${ENVOY_DOCKER_SOURCE_DIR:-/source} + - ENVOY_DOCKER_BUILD_DIR="${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}" + + # Proxy settings + - HTTP_PROXY + - HTTPS_PROXY + - NO_PROXY + - GOPROXY + + # Bazel configuration + - BAZEL_STARTUP_OPTIONS + - BAZEL_BUILD_EXTRA_OPTIONS + - BAZEL_EXTRA_TEST_OPTIONS + - BAZEL_REMOTE_CACHE + - BAZEL_STARTUP_EXTRA_OPTIONS + - BAZEL_REMOTE_INSTANCE + - BAZELISK_BASE_URL + + # CI/CD variables + - CI_BRANCH + - CI_SHA1 + - CI_TARGET_BRANCH + - BUILD_REASON + - GITHUB_REF_NAME + - GITHUB_REF_TYPE + - GITHUB_TOKEN + - GITHUB_APP_ID + - GITHUB_INSTALL_ID + + # Build configuration + - NUM_CPUS + - ENVOY_BRANCH + - ENVOY_RBE + - ENVOY_BUILD_IMAGE + - ENVOY_SRCDIR + - ENVOY_BUILD_TARGET + - ENVOY_BUILD_DEBUG_INFORMATION + - ENVOY_BUILD_FILTER_EXAMPLE + - ENVOY_COMMIT + - ENVOY_HEAD_REF + - ENVOY_REPO + - ENVOY_BUILD_ARCH + - ENVOY_GEN_COMPDB_OPTIONS + + # Publishing and artifacts + - DOCKERHUB_USERNAME + - DOCKERHUB_PASSWORD + - ENVOY_DOCKER_SAVE_IMAGE + - ENVOY_PUBLISH_DRY_RUN + - ENVOY_TARBALL_DIR + - GCS_ARTIFACT_BUCKET + - GCS_REDIRECT_PATH + - GCP_SERVICE_ACCOUNT_KEY + - GCP_SERVICE_ACCOUNT_KEY_PATH + + - MOBILE_DOCS_CHECKOUT_DIR + - SYSTEM_STAGEDISPLAYNAME + - SYSTEM_JOBDISPLAYNAME + - SSH_AUTH_SOCK + + entrypoint: + - "/bin/bash" + - "-c" + - | + groupadd --gid ${DOCKER_GID:-${USER_GID:-$(id -g)}} -f envoygroup + useradd -o \ + --uid ${USER_UID:-$(id -u)} \ + --gid ${DOCKER_GID:-${USER_GID:-$(id -g)}} \ + --no-create-home \ + -s /bin/bash \ + --home-dir /build envoybuild + usermod -a -G pcap envoybuild + chown envoybuild:envoygroup /build + chown envoybuild /proc/self/fd/2 2>/dev/null || true + [[ -e /entrypoint-extra.sh ]] && /entrypoint-extra.sh + sudo -EHs -u envoybuild bash -c 'cd ${ENVOY_DOCKER_SOURCE_DIR:-/source} && exec ${DOCKER_COMMAND:-bash}' + +services: + envoy-build: + <<: *envoy-build-base + volumes: + - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build + - ${SOURCE_DIR:-..}:/source + - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared} + + envoy-build-gpg: + <<: *envoy-build-base + volumes: + - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build + - ${SOURCE_DIR:-..}:/source + - ${ENVOY_GPG_DIR-${HOME}/.gnupg}:/build/.gnupg + - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared} + + envoy-build-dind: + privileged: true + <<: *envoy-build-base + volumes: + - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build + - ${SOURCE_DIR:-..}:/source + - /var/run/docker.sock:/var/run/docker.sock + - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared} diff --git a/ci/run_envoy_docker.sh b/ci/run_envoy_docker.sh index a27186d37b5ab..1ff8dec096f9a 100755 --- a/ci/run_envoy_docker.sh +++ b/ci/run_envoy_docker.sh @@ -2,172 +2,56 @@ set -e -CURRENT_SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")" +# TODO(phlax): Add a check that a usable version of docker compose is available -# shellcheck source=ci/envoy_build_sha.sh -. "${CURRENT_SCRIPT_DIR}"/envoy_build_sha.sh -function is_windows() { - [[ "$(uname -s)" == *NT* ]] -} +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +# Source build SHA information +# shellcheck source=ci/envoy_build_sha.sh +source "${SCRIPT_DIR}/envoy_build_sha.sh" -read -ra ENVOY_DOCKER_OPTIONS <<< "${ENVOY_DOCKER_OPTIONS:-}" +# User/group IDs +USER_UID="$(id -u)" +USER_GID="$(id -g)" +export USER_UID +export USER_GID +# These should probably go in users .env as docker compose will pick that up export HTTP_PROXY="${HTTP_PROXY:-${http_proxy:-}}" export HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}" export NO_PROXY="${NO_PROXY:-${no_proxy:-}}" export GOPROXY="${GOPROXY:-${go_proxy:-}}" -if is_windows; then - [[ -z "${IMAGE_NAME}" ]] && IMAGE_NAME="envoyproxy/envoy-build-windows2019" - # TODO(sunjayBhatia): Currently ENVOY_DOCKER_OPTIONS is ignored on Windows because - # CI sets it to a Linux-specific value. Undo this once https://github.com/envoyproxy/envoy/issues/13272 - # is resolved. - ENVOY_DOCKER_OPTIONS=() - # Replace MSYS style drive letter (/c/) with Windows drive letter designation (C:/) - DEFAULT_ENVOY_DOCKER_BUILD_DIR=$(echo "${TEMP}" | sed -E "s#^/([a-zA-Z])/#\1:/#")/envoy-docker-build - BUILD_DIR_MOUNT_DEST=C:/build - SOURCE_DIR=$(echo "${PWD}" | sed -E "s#^/([a-zA-Z])/#\1:/#") - SOURCE_DIR_MOUNT_DEST=C:/source - START_COMMAND=("bash" "-c" "cd /c/source && export HOME=/c/build && $*") -else - [[ -z "${IMAGE_NAME}" ]] && IMAGE_NAME="envoyproxy/envoy-build-ubuntu" - # We run as root and later drop permissions. This is required to setup the USER - # in useradd below, which is need for correct Python execution in the Docker - # environment. - ENVOY_DOCKER_OPTIONS+=(-u root:root) - DOCKER_USER_ARGS=() - DOCKER_GROUP_ARGS=() - DEFAULT_ENVOY_DOCKER_BUILD_DIR=/tmp/envoy-docker-build - USER_UID="$(id -u)" - USER_GID="$(id -g)" - if [[ -n "$ENVOY_DOCKER_IN_DOCKER" ]]; then - ENVOY_DOCKER_OPTIONS+=(-v /var/run/docker.sock:/var/run/docker.sock) - DOCKER_GID="$(stat -c %g /var/run/docker.sock 2>/dev/null || stat -f %g /var/run/docker.sock)" - DOCKER_USER_ARGS=(--gid "${DOCKER_GID}") - DOCKER_GROUP_ARGS=(--gid "${DOCKER_GID}") - else - DOCKER_GROUP_ARGS+=(--gid "${USER_GID}") - DOCKER_USER_ARGS+=(--gid "${USER_GID}") - fi - BUILD_DIR_MOUNT_DEST=/build - SOURCE_DIR="${PWD}" - SOURCE_DIR_MOUNT_DEST=/source - ENVOY_DOCKER_SOURCE_DIR="${ENVOY_DOCKER_SOURCE_DIR:-${SOURCE_DIR_MOUNT_DEST}}" - START_COMMAND=( - "/bin/bash" - "-lc" - "groupadd ${DOCKER_GROUP_ARGS[*]} -f envoygroup \ - && useradd -o --uid ${USER_UID} ${DOCKER_USER_ARGS[*]} --no-create-home --home-dir /build envoybuild \ - && usermod -a -G pcap envoybuild \ - && chown envoybuild:envoygroup /build \ - && chown envoybuild /proc/self/fd/2 \ - && sudo -EHs -u envoybuild bash -c 'cd ${ENVOY_DOCKER_SOURCE_DIR} && $*'") +# Docker-in-Docker handling +if [[ -n "$ENVOY_DOCKER_IN_DOCKER" ]]; then + DOCKER_GID="$(stat -c %g /var/run/docker.sock 2>/dev/null || echo "$USER_GID")" + export DOCKER_GID +fi + +if [[ -n "$ENVOY_DOCKER_IN_DOCKER" || -n "$ENVOY_SHARED_TMP_DIR" ]]; then + export SHARED_TMP_DIR="${ENVOY_SHARED_TMP_DIR:-/tmp/bazel-shared}" + mkdir -p "${SHARED_TMP_DIR}" + chmod 777 "${SHARED_TMP_DIR}" fi if [[ -n "$ENVOY_DOCKER_PLATFORM" ]]; then echo "Setting Docker platform: ${ENVOY_DOCKER_PLATFORM}" docker run --rm --privileged multiarch/qemu-user-static --reset -p yes - ENVOY_DOCKER_OPTIONS+=(--platform "$ENVOY_DOCKER_PLATFORM") fi -# The IMAGE_ID defaults to the CI hash but can be set to an arbitrary image ID (found with 'docker -# images'). -if [[ -z "${IMAGE_ID}" ]]; then - IMAGE_ID="${ENVOY_BUILD_SHA}" - if ! is_windows && [[ -n "$ENVOY_BUILD_CONTAINER_SHA" ]]; then - IMAGE_ID="${ENVOY_BUILD_SHA}@sha256:${ENVOY_BUILD_CONTAINER_SHA}" - fi -fi -[[ -z "${ENVOY_DOCKER_BUILD_DIR}" ]] && ENVOY_DOCKER_BUILD_DIR="${DEFAULT_ENVOY_DOCKER_BUILD_DIR}" -# Replace backslash with forward slash for Windows style paths -ENVOY_DOCKER_BUILD_DIR="${ENVOY_DOCKER_BUILD_DIR//\\//}" -mkdir -p "${ENVOY_DOCKER_BUILD_DIR}" - -[[ -t 1 ]] && ENVOY_DOCKER_OPTIONS+=("-it") -[[ -f .git ]] && [[ ! -d .git ]] && ENVOY_DOCKER_OPTIONS+=(-v "$(git rev-parse --git-common-dir):$(git rev-parse --git-common-dir)") -[[ -n "${SSH_AUTH_SOCK}" ]] && ENVOY_DOCKER_OPTIONS+=(-v "${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK}" -e SSH_AUTH_SOCK) - -export ENVOY_BUILD_IMAGE="${IMAGE_NAME}:${IMAGE_ID}" - -VOLUMES=( - -v "${ENVOY_DOCKER_BUILD_DIR}":"${BUILD_DIR_MOUNT_DEST}" - -v "${SOURCE_DIR}":"${SOURCE_DIR_MOUNT_DEST}") +export DOCKER_COMMAND="${*:-bash}" +COMPOSE_SERVICE="envoy-build" if [[ -n "$MOUNT_GPG_HOME" ]]; then - VOLUMES+=( - -v "${HOME}/.gnupg:${BUILD_DIR_MOUNT_DEST}/.gnupg") -fi - -if ! is_windows; then - export BUILD_DIR="${BUILD_DIR_MOUNT_DEST}" -fi - -if [[ -n "$ENVOY_DOCKER_IN_DOCKER" || -n "$ENVOY_SHARED_TMP_DIR" ]]; then - # Create a "shared" directory that has the same path in/outside the container - # This allows the host docker engine to see artefacts using a temporary path created inside the container, - # at the same path. - # For example, a directory created with `mktemp -d --tmpdir /tmp/bazel-shared` can be mounted as a volume - # from within the build container. - SHARED_TMP_DIR="${ENVOY_SHARED_TMP_DIR:-/tmp/bazel-shared}" - mkdir -p "${SHARED_TMP_DIR}" - chmod +rwx "${SHARED_TMP_DIR}" - VOLUMES+=(-v "${SHARED_TMP_DIR}":"${SHARED_TMP_DIR}") -fi - -if [[ -n "${ENVOY_DOCKER_PULL}" ]]; then - time docker pull "${ENVOY_BUILD_IMAGE}" + COMPOSE_SERVICE="envoy-build-gpg" +elif [[ -n "$ENVOY_DOCKER_IN_DOCKER" ]]; then + COMPOSE_SERVICE="envoy-build-dind" fi -# Since we specify an explicit hash, docker-run will pull from the remote repo if missing. -docker run --rm \ - "${ENVOY_DOCKER_OPTIONS[@]}" \ - "${VOLUMES[@]}" \ - -e BUILD_DIR \ - -e HTTP_PROXY \ - -e HTTPS_PROXY \ - -e NO_PROXY \ - -e GOPROXY \ - -e BAZEL_STARTUP_OPTIONS \ - -e BAZEL_BUILD_EXTRA_OPTIONS \ - -e BAZEL_EXTRA_TEST_OPTIONS \ - -e BAZEL_REMOTE_CACHE \ - -e BAZEL_STARTUP_EXTRA_OPTIONS \ - -e CI_BRANCH \ - -e CI_SHA1 \ - -e CI_TARGET_BRANCH \ - -e DOCKERHUB_USERNAME \ - -e DOCKERHUB_PASSWORD \ - -e ENVOY_DOCKER_SAVE_IMAGE \ - -e BUILD_REASON \ - -e BAZEL_REMOTE_INSTANCE \ - -e GCP_SERVICE_ACCOUNT_KEY \ - -e GCP_SERVICE_ACCOUNT_KEY_PATH \ - -e NUM_CPUS \ - -e ENVOY_BRANCH \ - -e ENVOY_RBE \ - -e ENVOY_BUILD_IMAGE \ - -e ENVOY_SRCDIR \ - -e ENVOY_BUILD_TARGET \ - -e ENVOY_BUILD_DEBUG_INFORMATION \ - -e ENVOY_BUILD_FILTER_EXAMPLE \ - -e ENVOY_COMMIT \ - -e ENVOY_HEAD_REF \ - -e ENVOY_PUBLISH_DRY_RUN \ - -e ENVOY_REPO \ - -e ENVOY_TARBALL_DIR \ - -e ENVOY_GEN_COMPDB_OPTIONS \ - -e GCS_ARTIFACT_BUCKET \ - -e GCS_REDIRECT_PATH \ - -e GITHUB_REF_NAME \ - -e GITHUB_REF_TYPE \ - -e GITHUB_TOKEN \ - -e GITHUB_APP_ID \ - -e GITHUB_INSTALL_ID \ - -e MOBILE_DOCS_CHECKOUT_DIR \ - -e BAZELISK_BASE_URL \ - -e ENVOY_BUILD_ARCH \ - -e SYSTEM_STAGEDISPLAYNAME \ - -e SYSTEM_JOBDISPLAYNAME \ - "${ENVOY_BUILD_IMAGE}" \ - "${START_COMMAND[@]}" +exec docker compose \ + -f "${SCRIPT_DIR}/docker-compose.yml" \ + ${ENVOY_DOCKER_PLATFORM:+-p "$ENVOY_DOCKER_PLATFORM"} \ + run \ + --rm \ + "${COMPOSE_SERVICE}" From ad9c987e86ebe8d527f46654692cf564aa560840 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sat, 26 Jul 2025 21:20:08 +0000 Subject: [PATCH 093/505] changes to RCInitiator and add unit tests Signed-off-by: Basundhara Chakrabarty --- ..._reverse_connection_socket_interface.proto | 1 - .../cloud-envoy.yaml | 2 +- .../docker-compose.yaml | 2 +- .../test_logs.txt | 52 + .../common/network/io_socket_handle_impl.cc | 10 +- .../reverse_tunnel/reverse_tunnel_acceptor.cc | 228 +- .../reverse_tunnel/reverse_tunnel_acceptor.h | 128 +- .../reverse_tunnel_initiator.cc | 944 +++--- .../reverse_tunnel/reverse_tunnel_initiator.h | 284 +- .../http/reverse_conn/reverse_conn_filter.cc | 67 +- .../http/reverse_conn/reverse_conn_filter.h | 20 + .../extensions/bootstrap/reverse_tunnel/BUILD | 21 + .../reverse_tunnel_acceptor_test.cc | 307 +- .../reverse_tunnel_initiator_test.cc | 2742 +++++++++++++++++ 14 files changed, 4029 insertions(+), 779 deletions(-) create mode 100644 examples/reverse_connection_socket_interface/test_logs.txt create mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index b86c1d49f110a..80210fe008d9c 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -3,7 +3,6 @@ syntax = "proto3"; package envoy.extensions.bootstrap.reverse_connection_socket_interface.v3; import "udpa/annotations/status.proto"; -import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_connection_socket_interface.v3"; option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto"; diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection_socket_interface/cloud-envoy.yaml index a466695e707e3..45d811daba6dc 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy.yaml @@ -32,7 +32,7 @@ static_resources: - name: envoy.filters.http.reverse_conn typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - ping_interval: 30 + ping_interval: 2 - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/examples/reverse_connection_socket_interface/docker-compose.yaml b/examples/reverse_connection_socket_interface/docker-compose.yaml index 28b0d99528c8a..183448e22d5d6 100644 --- a/examples/reverse_connection_socket_interface/docker-compose.yaml +++ b/examples/reverse_connection_socket_interface/docker-compose.yaml @@ -14,7 +14,7 @@ services: image: debug/envoy:latest volumes: - ./on-prem-envoy-custom-resolver.yaml:/etc/on-prem-envoy.yaml - command: envoy -c /etc/on-prem-envoy.yaml --concurrency 2 -l trace --drain-time-s 3 + command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface - "8888:8888" diff --git a/examples/reverse_connection_socket_interface/test_logs.txt b/examples/reverse_connection_socket_interface/test_logs.txt new file mode 100644 index 0000000000000..1ea2c4207d8f6 --- /dev/null +++ b/examples/reverse_connection_socket_interface/test_logs.txt @@ -0,0 +1,52 @@ +#0 building with "default" instance using docker driver + +#1 [xds-server internal] load .dockerignore +#1 transferring context: 2B done +#1 DONE 0.0s + +#2 [xds-server internal] load build definition from Dockerfile.xds +#2 transferring dockerfile: 6.20kB done +#2 DONE 0.0s + +#3 [xds-server internal] load metadata for docker.io/library/ubuntu:20.04 +#3 DONE 0.0s + +#4 [xds-server 1/6] FROM docker.io/library/ubuntu:20.04 +#4 DONE 0.0s + +#5 [xds-server 3/6] RUN apt-get update && apt-get install -y python3 python3-pip && rm -rf /var/lib/apt/lists/* +#5 CACHED + +#6 [xds-server 4/6] RUN pip3 install requests pyyaml +#6 CACHED + +#7 [xds-server 2/6] WORKDIR /app +#7 CACHED + +#8 [xds-server 5/6] RUN echo '#!/usr/bin/env python3\nimport json\nimport time\nimport threading\nimport http.server\nimport socketserver\nimport logging\n\nlogging.basicConfig(level=logging.INFO)\nlogger = logging.getLogger(__name__)\n\nclass XDSServer:\n def __init__(self):\n self.listeners = {}\n self.version = 1\n self._lock = threading.Lock()\n self.server = None\n \n def start(self, port):\n class XDSHandler(http.server.BaseHTTPRequestHandler):\n def do_POST(self):\n if self.path == "/v3/discovery:listeners":\n content_length = int(self.headers["Content-Length"])\n post_data = self.rfile.read(content_length)\n response_data = self.server.xds_server.handle_lds_request(post_data)\n self.send_response(200)\n self.send_header("Content-type", "application/json")\n self.end_headers()\n self.wfile.write(response_data.encode())\n elif self.path == "/add_listener":\n content_length = int(self.headers["Content-Length"])\n post_data = self.rfile.read(content_length)\n data = json.loads(post_data.decode())\n self.server.xds_server.add_listener(data["name"], data["config"])\n self.send_response(200)\n self.send_header("Content-type", "application/json")\n self.end_headers()\n self.wfile.write(json.dumps({"status": "success"}).encode())\n elif self.path == "/remove_listener":\n content_length = int(self.headers["Content-Length"])\n post_data = self.rfile.read(content_length)\n data = json.loads(post_data.decode())\n success = self.server.xds_server.remove_listener(data["name"])\n if success:\n self.send_response(200)\n self.send_header("Content-type", "application/json")\n self.end_headers()\n self.wfile.write(json.dumps({"status": "success"}).encode())\n else:\n self.send_response(404)\n self.send_header("Content-type", "application/json")\n self.end_headers()\n self.wfile.write(json.dumps({"status": "not_found"}).encode())\n elif self.path == "/state":\n state = self.server.xds_server.get_state()\n self.send_response(200)\n self.send_header("Content-type", "application/json")\n self.end_headers()\n self.wfile.write(json.dumps(state).encode())\n else:\n self.send_response(404)\n self.end_headers()\n \n def log_message(self, format, *args):\n pass\n \n class XDSServer(socketserver.TCPServer):\n def __init__(self, server_address, RequestHandlerClass, xds_server):\n self.xds_server = xds_server\n super().__init__(server_address, RequestHandlerClass)\n \n self.server = XDSServer(("0.0.0.0", port), XDSHandler, self)\n self.server_thread = threading.Thread(target=self.server.serve_forever)\n self.server_thread.daemon = True\n self.server_thread.start()\n logger.info(f"xDS server started on port {port}")\n \n def handle_lds_request(self, request_data):\n with self._lock:\n response = {\n "version_info": str(self.version),\n "resources": [],\n "type_url": "type.googleapis.com/envoy.config.listener.v3.Listener"\n }\n for listener_name, listener_config in self.listeners.items():\n wrapped_config = {\n "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",\n **listener_config\n }\n response["resources"].append(wrapped_config)\n return json.dumps(response)\n \n def add_listener(self, listener_name, listener_config):\n with self._lock:\n self.listeners[listener_name] = listener_config\n self.version += 1\n logger.info(f"Added listener {listener_name}, version {self.version}")\n \n def remove_listener(self, listener_name):\n with self._lock:\n if listener_name in self.listeners:\n del self.listeners[listener_name]\n self.version += 1\n logger.info(f"Removed listener {listener_name}, version {self.version}")\n return True\n return False\n\n def get_state(self):\n with self._lock:\n return {\n "version": self.version,\n "listeners": list(self.listeners.keys())\n }\n\nif __name__ == "__main__":\n xds_server = XDSServer()\n xds_server.start(18000)\n try:\n while True:\n time.sleep(1)\n except KeyboardInterrupt:\n print("Shutting down xDS server...")\n' > /app/xds_server.py +#8 CACHED + +#9 [xds-server 6/6] RUN chmod +x /app/xds_server.py +#9 CACHED + +#10 [xds-server] exporting to image +#10 exporting layers done +#10 writing image sha256:cc765ad92907541f91a22ed321919acbeafeb018ce196b355b62788d3344fb2f done +#10 naming to docker.io/library/tmp0sqi5eqk-xds-server done +#10 DONE 0.0s +Attaching to cloud-envoy-1, on-prem-envoy-1, on-prem-service-1, xds-server-1 +on-prem-service-1 | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration +on-prem-service-1 | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/ +on-prem-service-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh +on-prem-service-1 | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist +on-prem-service-1 | /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh +on-prem-service-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh +on-prem-service-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh +on-prem-service-1 | /docker-entrypoint.sh: Configuration complete; ready for start up +cloud-envoy-1 | [2025-07-26T00:52:10.565Z] "GET /ready HTTP/1.1" 200 - 0 5 3 - "172.26.0.1" "python-requests/2.27.1" "-" "localhost:8889" "-" +on-prem-envoy-1 | [2025-07-26T00:52:10.573Z] "GET /ready HTTP/1.1" 200 - 0 5 2 - "172.26.0.1" "python-requests/2.27.1" "-" "localhost:8888" "-" +on-prem-service-1 | 172.26.0.1 - - [26/Jul/2025:00:52:17 +0000] "GET /on_prem_service HTTP/1.1" 200 156 "-" "python-requests/2.27.1" "-" +cloud-envoy-1 exited with code 0 +cloud-envoy-1 exited with code 0 +cloud-envoy-1 | [2025-07-26T00:52:38.503Z] "GET /ready HTTP/1.1" 200 - 0 5 3 - "172.26.0.1" "python-requests/2.27.1" "-" "localhost:8889" "-" +on-prem-envoy-1 exited with code 139 diff --git a/source/common/network/io_socket_handle_impl.cc b/source/common/network/io_socket_handle_impl.cc index e0df4130cbe3b..4bb69ea53b4d6 100644 --- a/source/common/network/io_socket_handle_impl.cc +++ b/source/common/network/io_socket_handle_impl.cc @@ -60,20 +60,20 @@ IoSocketHandleImpl::~IoSocketHandleImpl() { } Api::IoCallUint64Result IoSocketHandleImpl::close() { - ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() called, fd_={}, SOCKET_VALID={}", + ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() called, fd_={}, SOCKET_VALID={}", fd_, SOCKET_VALID(fd_)); if (file_event_) { - ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() resetting file_event_"); + ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() resetting file_event_"); file_event_.reset(); } ASSERT(SOCKET_VALID(fd_)); - ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() calling system close(fd_={})", fd_); + ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() calling system close(fd_={})", fd_); const int rc = Api::OsSysCallsSingleton::get().close(fd_).return_value_; - ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() system close returned rc={}", rc); + ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() system close returned rc={}", rc); SET_SOCKET_INVALID(fd_); - ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::close() completed, fd_ set to invalid"); + ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() completed, fd_ set to invalid"); return {static_cast(rc), Api::IoError::none()}; } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc index 5f3d5b3f3f565..c0647927dea4a 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc @@ -27,34 +27,30 @@ UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), owned_socket_(std::move(socket)) { - ENVOY_LOG(trace, "Created UpstreamReverseConnectionIOHandle for cluster: {} with FD: {}", - cluster_name_, fd_); + ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); } UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { - ENVOY_LOG(trace, "Destroying UpstreamReverseConnectionIOHandle for cluster: {} with FD: {}", - cluster_name_, fd_); - // The owned_socket_ will be automatically destroyed via RAII + ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, + fd_); + // The owned_socket_ will be automatically destroyed via RAII. } Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( Envoy::Network::Address::InstanceConstSharedPtr address) { - ENVOY_LOG(trace, - "UpstreamReverseConnectionIOHandle::connect() to {} - connection already established " - "through reverse tunnel", + ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", address->asString()); - // For reverse connections, the connection is already established, therefore - // connect() is a no-op + // For reverse connections, the connection is already established. return Api::SysCallIntResult{0, 0}; } Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { - ENVOY_LOG(debug, "UpstreamReverseConnectionIOHandle::close() called for FD: {}", fd_); + ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); // Reset the owned socket to properly close the connection if (owned_socket_) { - ENVOY_LOG(debug, "Releasing owned socket for cluster: {}", cluster_name_); + ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); owned_socket_.reset(); } @@ -65,7 +61,7 @@ Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { // ReverseTunnelAcceptor implementation ReverseTunnelAcceptor::ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) : extension_(nullptr), context_(&context) { - ENVOY_LOG(debug, "Created ReverseTunnelAcceptor."); + ENVOY_LOG(debug, "reverse_tunnel: created acceptor"); } Envoy::Network::IoHandlePtr @@ -80,11 +76,9 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, (void)socket_v6only; (void)options; - ENVOY_LOG(warn, "ReverseTunnelAcceptor::socket() called without address - reverse " - "connections require specific addresses. Returning nullptr."); + ENVOY_LOG(warn, "reverse_tunnel: socket() called without address - returning nullptr"); - // Reverse connection sockets should always have an address (cluster ID) - // This function should never be called for reverse connections + // Reverse connection sockets should always have an address. return nullptr; } @@ -92,42 +86,40 @@ Envoy::Network::IoHandlePtr ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, const Envoy::Network::Address::InstanceConstSharedPtr addr, const Envoy::Network::SocketCreationOptions& options) const { - ENVOY_LOG(debug, - "ReverseTunnelAcceptor::socket() called with address: {}. Finding socket for " - "node: {}", - addr->asString(), addr->logicalName()); + ENVOY_LOG(debug, "reverse_tunnel: socket() called for address: {}, node: {}", addr->asString(), + addr->logicalName()); // For upstream reverse connections, we need to get the thread-local socket manager // and check if there are any cached connections available auto* tls_registry = getLocalRegistry(); if (tls_registry && tls_registry->socketManager()) { + ENVOY_LOG(trace, "reverse_tunnel: running on dispatcher: {}", + tls_registry->dispatcher().name()); auto* socket_manager = tls_registry->socketManager(); - // The address's logical name should already be the node ID + // The address's logical name is the node ID. std::string node_id = addr->logicalName(); - ENVOY_LOG(debug, "ReverseTunnelAcceptor: Using node_id from logicalName: {}", node_id); + ENVOY_LOG(debug, "reverse_tunnel: using node_id: {}", node_id); - // Try to get a cached socket for the specific node + // Try to get a cached socket for the node. auto socket = socket_manager->getConnectionSocket(node_id); if (socket) { - ENVOY_LOG(info, "Reusing cached reverse connection socket for node: {}", node_id); - // Create IOHandle that properly owns the socket using RAII + ENVOY_LOG(info, "reverse_tunnel: reusing cached socket for node: {}", node_id); + // Create IOHandle that owns the socket using RAII. auto io_handle = std::make_unique(std::move(socket), node_id); return io_handle; } } - // This is unexpected. This indicates that no sockets are available for the node. - // Fallback to standard socket interface. - ENVOY_LOG(debug, "No available reverse connection, falling back to standard socket"); + // No sockets available, fallback to standard socket interface. + ENVOY_LOG(debug, "reverse_tunnel: no available connection, falling back to standard socket"); return Network::socketInterface( "envoy.extensions.network.socket_interface.default_socket_interface") ->socket(socket_type, addr, options); } bool ReverseTunnelAcceptor::ipFamilySupported(int domain) { - // Support standard IP families. return domain == AF_INET || domain == AF_INET6; } @@ -143,16 +135,15 @@ UpstreamSocketThreadLocal* ReverseTunnelAcceptor::getLocalRegistry() const { Server::BootstrapExtensionPtr ReverseTunnelAcceptor::createBootstrapExtension( const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { ENVOY_LOG(debug, "ReverseTunnelAcceptor::createBootstrapExtension()"); - // Cast the config to the proper type + // Cast the config to the proper type. const auto& message = MessageUtil::downcastAndValidate< const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: UpstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); - // Set the context for this socket interface instance + // Set the context for this socket interface instance. context_ = &context; - // Return a SocketInterfaceExtension that wraps this socket interface - // The onServerInitialized() will be called automatically by the BootstrapExtension lifecycle + // Return a SocketInterfaceExtension that wraps this socket interface. return std::make_unique(*this, context, message); } @@ -166,15 +157,15 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension::onServerInitialized - creating thread local slot"); - // Set the extension reference in the socket interface + // Set the extension reference in the socket interface. if (socket_interface_) { socket_interface_->extension_ = this; } - // Create thread local slot to store dispatcher and socket manager for each worker thread + // Create thread local slot for dispatcher and socket manager. tls_slot_ = ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); - // Set up the thread local dispatcher and socket manager for each worker thread + // Set up the thread local dispatcher and socket manager. tls_slot_->set([this](Event::Dispatcher& dispatcher) { return std::make_shared(dispatcher, this); }); @@ -208,18 +199,18 @@ ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds // Process the stats to extract connection information for (const auto& [stat_name, count] : connection_stats) { if (count > 0) { - // Parse stat name to extract node/cluster information + // Parse stat name to extract node/cluster information. // Format: ".reverse_connections.nodes." or - // ".reverse_connections.clusters." + // ".reverse_connections.clusters.". if (stat_name.find("reverse_connections.nodes.") != std::string::npos) { - // Find the position after "reverse_connections.nodes." + // Find the position after "reverse_connections.nodes.". size_t pos = stat_name.find("reverse_connections.nodes."); if (pos != std::string::npos) { std::string node_id = stat_name.substr(pos + strlen("reverse_connections.nodes.")); connected_nodes.push_back(node_id); } } else if (stat_name.find("reverse_connections.clusters.") != std::string::npos) { - // Find the position after "reverse_connections.clusters." + // Find the position after "reverse_connections.clusters.". size_t pos = stat_name.find("reverse_connections.clusters."); if (pos != std::string::npos) { std::string cluster_id = stat_name.substr(pos + strlen("reverse_connections.clusters.")); @@ -276,36 +267,43 @@ void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& no // Create/update node connection stat if (!node_id.empty()) { std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", node_id); - auto& node_gauge = - stats_store.gaugeFromString(node_stat_name, Stats::Gauge::ImportMode::Accumulate); + Stats::StatNameManagedStorage node_stat_name_storage(node_stat_name, stats_store.symbolTable()); + auto& node_gauge = stats_store.gaugeFromStatName(node_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); if (increment) { node_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", node_stat_name, node_gauge.value()); } else { - node_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", - node_stat_name, node_gauge.value()); + if (node_gauge.value() > 0) { + node_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", + node_stat_name, node_gauge.value()); + } } } - // Create/update cluster connection stat + // Create/update cluster connection stat. if (!cluster_id.empty()) { std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", cluster_id); - auto& cluster_gauge = - stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); if (increment) { cluster_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", cluster_stat_name, cluster_gauge.value()); } else { - cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); + if (cluster_gauge.value() > 0) { + cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } } } - // Also update per-worker stats for debugging + // Also update per-worker stats for debugging. updatePerWorkerConnectionStats(node_id, cluster_id, increment); } @@ -314,28 +312,42 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s bool increment) { auto& stats_store = context_.scope(); - // Get dispatcher name from the thread local dispatcher - std::string dispatcher_name = "main_thread"; // Default for main thread + // Get dispatcher name from the thread local dispatcher. + std::string dispatcher_name; auto* local_registry = getLocalRegistry(); - if (local_registry) { - // Dispatcher name is of the form "worker_x" where x is the worker index - dispatcher_name = local_registry->dispatcher().name(); + if (local_registry == nullptr) { + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension: No local registry found"); + return; } + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: Updating stats for worker {}", dispatcher_name); + // Create/update per-worker node connection stat if (!node_id.empty()) { std::string worker_node_stat_name = fmt::format("reverse_connections.{}.node.{}", dispatcher_name, node_id); - auto& worker_node_gauge = - stats_store.gaugeFromString(worker_node_stat_name, Stats::Gauge::ImportMode::NeverImport); + Stats::StatNameManagedStorage worker_node_stat_name_storage(worker_node_stat_name, + stats_store.symbolTable()); + auto& worker_node_gauge = stats_store.gaugeFromStatName( + worker_node_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_node_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker node stat {} to {}", worker_node_stat_name, worker_node_gauge.value()); } else { - worker_node_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker node stat {} to {}", - worker_node_stat_name, worker_node_gauge.value()); + // Guardrail: only decrement if the gauge value is greater than 0 + if (worker_node_gauge.value() > 0) { + worker_node_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } else { + ENVOY_LOG(trace, + "ReverseTunnelAcceptorExtension: skipping decrement for worker node stat {} " + "(already at 0)", + worker_node_stat_name); + } } } @@ -343,16 +355,26 @@ void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::s if (!cluster_id.empty()) { std::string worker_cluster_stat_name = fmt::format("reverse_connections.{}.cluster.{}", dispatcher_name, cluster_id); - auto& worker_cluster_gauge = stats_store.gaugeFromString(worker_cluster_stat_name, - Stats::Gauge::ImportMode::NeverImport); + Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, + stats_store.symbolTable()); + auto& worker_cluster_gauge = stats_store.gaugeFromStatName( + worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_cluster_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker cluster stat {} to {}", worker_cluster_stat_name, worker_cluster_gauge.value()); } else { - worker_cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker cluster stat {} to {}", - worker_cluster_stat_name, worker_cluster_gauge.value()); + // Guardrail: only decrement if the gauge value is greater than 0 + if (worker_cluster_gauge.value() > 0) { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + ENVOY_LOG(trace, + "ReverseTunnelAcceptorExtension: skipping decrement for worker cluster stat {} " + "(already at 0)", + worker_cluster_stat_name); + } } } } @@ -361,15 +383,15 @@ absl::flat_hash_map ReverseTunnelAcceptorExtension::getPe absl::flat_hash_map stats_map; auto& stats_store = context_.scope(); - // Get the current dispatcher name - std::string dispatcher_name = "main_thread"; // Default for main thread + // Get the current dispatcher name. + std::string dispatcher_name = "main_thread"; // Default for main thread. auto* local_registry = getLocalRegistry(); if (local_registry) { - // Dispatcher name is of the form "worker_x" where x is the worker index + // Dispatcher name is of the form "worker_x" where x is the worker index. dispatcher_name = local_registry->dispatcher().name(); } - // Iterate through all gauges and filter for the current dispatcher + // Iterate through all gauges and filter for the current dispatcher. Stats::IterateFn gauge_callback = [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); @@ -397,7 +419,7 @@ UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, ReverseTunnelAcceptorExtension* extension) : dispatcher_(dispatcher), random_generator_(std::make_unique()), extension_(extension) { - ENVOY_LOG(debug, "UpstreamSocketManager: creating UpstreamSocketManager with stats integration"); + ENVOY_LOG(debug, "reverse_tunnel: creating socket manager with stats integration"); ping_timer_ = dispatcher_.createTimer([this]() { pingConnections(); }); } @@ -406,15 +428,13 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, Network::ConnectionSocketPtr socket, const std::chrono::seconds& ping_interval, bool rebalanced) { - ENVOY_LOG(debug, - "UpstreamSocketManager: addConnectionSocket called for node_id='{}' cluster_id='{}'", - node_id, cluster_id); + ENVOY_LOG(debug, "reverse_tunnel: adding connection for node: {}, cluster: {}", node_id, + cluster_id); - // Both node_id and cluster_id are mandatory for consistent state management and stats tracking + // Both node_id and cluster_id are mandatory for consistent state management and stats tracking. if (node_id.empty() || cluster_id.empty()) { ENVOY_LOG(error, - "UpstreamSocketManager: addConnectionSocket called with empty node_id='{}' or " - "cluster_id='{}'. Both are mandatory.", + "reverse_tunnel: node_id or cluster_id cannot be empty. node: '{}', cluster: '{}'", node_id, cluster_id); return; } @@ -423,14 +443,10 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, const int fd = socket->ioHandle().fdDoNotUse(); const std::string& connectionKey = socket->connectionInfoProvider().localAddress()->asString(); - ENVOY_LOG(debug, "UpstreamSocketManager: Adding connection socket for node: {} and cluster: {}", - node_id, cluster_id); + ENVOY_LOG(debug, "reverse_tunnel: adding socket for node: {}, cluster: {}", node_id, cluster_id); - // Store node -> cluster mapping - ENVOY_LOG(trace, - "UpstreamSocketManager: adding node: {} cluster: {} to node_to_cluster_map_ and " - "cluster_to_node_map_", - node_id, cluster_id); + // Store node -> cluster mapping. + ENVOY_LOG(trace, "reverse_tunnel: adding mapping node: {} -> cluster: {}", node_id, cluster_id); if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { node_to_cluster_map_[node_id] = cluster_id; cluster_to_node_map_[cluster_id].push_back(node_id); @@ -450,7 +466,7 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, accepted_reverse_connections_[node_id].push_back(std::move(socket)); Network::ConnectionSocketPtr& socket_ref = accepted_reverse_connections_[node_id].back(); - ENVOY_LOG(debug, "UpstreamSocketManager: mapping fd {} to node '{}'", fd, node_id); + ENVOY_LOG(debug, "reverse_tunnel: mapping fd {} to node: {}", fd, node_id); fd_to_node_map_[fd] = node_id; // Update stats registry @@ -497,7 +513,7 @@ UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { ENVOY_LOG(debug, "UpstreamSocketManager: Looking for socket with node: {} cluster: {}", node_id, cluster_id); - // Find first available socket for the node + // Find first available socket for the node. auto node_sockets_it = accepted_reverse_connections_.find(node_id); if (node_sockets_it == accepted_reverse_connections_.end() || node_sockets_it->second.empty()) { ENVOY_LOG(debug, "UpstreamSocketManager: No available sockets for node: {}", node_id); @@ -535,11 +551,13 @@ std::string UpstreamSocketManager::getNodeID(const std::string& key) { // First check if the key exists as a cluster ID by checking global stats // This ensures we check across all threads, not just the current thread if (auto extension = getUpstreamExtension()) { - // Check if any thread has sockets for this cluster by looking at global stats + // Check if any thread has sockets for this cluster by looking at global stats. std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", key); auto& stats_store = extension->getStatsScope(); - auto& cluster_gauge = - stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); if (cluster_gauge.value() > 0) { // Key is a cluster ID with active connections, find a node from this cluster @@ -565,7 +583,7 @@ std::string UpstreamSocketManager::getNodeID(const std::string& key) { } void UpstreamSocketManager::markSocketDead(const int fd) { - ENVOY_LOG(debug, "UpstreamSocketManager: markSocketDead called for fd {}", fd); + ENVOY_LOG(trace, "UpstreamSocketManager: markSocketDead called for fd {}", fd); auto node_it = fd_to_node_map_.find(fd); if (node_it == fd_to_node_map_.end()) { @@ -728,13 +746,20 @@ void UpstreamSocketManager::pingConnections(const std::string& node_id) { ENVOY_LOG(debug, "UpstreamSocketManager: Pinging connections for node: {}", node_id); auto& sockets = accepted_reverse_connections_[node_id]; ENVOY_LOG(debug, "UpstreamSocketManager: node:{} Number of sockets:{}", node_id, sockets.size()); - for (auto itr = sockets.begin(); itr != sockets.end(); itr++) { + + auto itr = sockets.begin(); + while (itr != sockets.end()) { int fd = itr->get()->ioHandle().fdDoNotUse(); auto buffer = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility:: createPingResponse(); auto ping_response_timeout = ping_interval_ / 2; fd_to_timer_map_[fd]->enableTimer(ping_response_timeout); + + // Use a flag to signal whether the socket needs to be marked dead. If the socket is marked dead + // in markSocketDead(), it is erased from the list, and the iterator becomes invalid. We need to + // break out of the loop to avoid a use after free error. + bool socket_dead = false; while (buffer->length() > 0) { Api::IoCallUint64Result result = itr->get()->ioHandle().write(*buffer); ENVOY_LOG(trace, @@ -747,14 +772,25 @@ void UpstreamSocketManager::pingConnections(const std::string& node_id) { ENVOY_LOG(error, "UpstreamSocketManager: node:{} FD:{}: failed to send ping", node_id, fd); markSocketDead(fd); + socket_dead = true; break; } } } if (buffer->length() > 0) { + // Move to next socket if current one couldn't be fully written + ++itr; continue; } + + if (socket_dead) { + // Socket was marked dead, iterator is now invalid, break out of the loop + break; + } + + // Move to next socket + ++itr; } } @@ -772,13 +808,13 @@ UpstreamSocketManager::~UpstreamSocketManager() { // Clean up all active file events and timers first for (auto& [fd, event] : fd_to_event_map_) { ENVOY_LOG(debug, "UpstreamSocketManager: cleaning up file event for FD: {}", fd); - event.reset(); // This will cancel the file event + event.reset(); // This will cancel the file event. } fd_to_event_map_.clear(); for (auto& [fd, timer] : fd_to_timer_map_) { ENVOY_LOG(debug, "UpstreamSocketManager: cleaning up timer for FD: {}", fd); - timer.reset(); // This will cancel the timer + timer.reset(); // This will cancel the timer. } fd_to_timer_map_.clear(); @@ -789,7 +825,7 @@ UpstreamSocketManager::~UpstreamSocketManager() { } for (int fd : fds_to_cleanup) { - ENVOY_LOG(debug, "UpstreamSocketManager: marking socket dead in destructor for FD: {}", fd); + ENVOY_LOG(trace, "UpstreamSocketManager: marking socket dead in destructor for FD: {}", fd); markSocketDead(fd); // false = not used, just cleanup } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h index cdb791a781926..f8a7a0e258a74 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h @@ -33,14 +33,15 @@ class ReverseTunnelAcceptorExtension; class UpstreamSocketManager; /** - * Custom IoHandle for upstream reverse connections that properly owns a ConnectionSocket. - * This class uses RAII principles to manage socket lifetime. + * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. + * This class implements RAII principles to ensure proper socket cleanup and provides + * reverse connection semantics where the connection is already established. */ class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { public: /** - * Constructor for UpstreamReverseConnectionIOHandle. - * Takes ownership of the socket and manages its lifetime properly. + * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. + * * @param socket the reverse connection socket to own and manage. * @param cluster_name the name of the cluster this connection belongs to. */ @@ -53,21 +54,24 @@ class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { /** * Override of connect method for reverse connections. * For reverse connections, the connection is already established so this method - * is a no-op. + * is a no-op and always returns success. + * * @param address the target address (unused for reverse connections). - * @return SysCallIntResult with success status. + * @return SysCallIntResult with success status (0, 0). */ Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; /** * Override of close method for reverse connections. * Cleans up the owned socket and calls the parent close method. + * * @return IoCallUint64Result indicating the result of the close operation. */ Api::IoCallUint64Result close() override; /** - * Get the owned socket. This should only be used for read-only operations. + * Get the owned socket for read-only operations. + * * @return const reference to the owned socket. */ const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } @@ -81,12 +85,10 @@ class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { /** * Thread local storage for ReverseTunnelAcceptor. - * Stores the thread-local dispatcher and socket manager for each worker thread. */ class UpstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { public: /** - * Constructor for UpstreamSocketThreadLocal. * Creates a new socket manager instance for the given dispatcher. * @param dispatcher the thread-local dispatcher. * @param extension the upstream extension for stats integration. @@ -108,22 +110,22 @@ class UpstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { const UpstreamSocketManager* socketManager() const { return socket_manager_.get(); } private: - // The thread-local dispatcher. + // Thread-local dispatcher. Event::Dispatcher& dispatcher_; - // The thread-local socket manager. + // Thread-local socket manager. std::unique_ptr socket_manager_; }; /** * Socket interface that creates upstream reverse connection sockets. - * This class implements the SocketInterface interface to provide reverse connection - * functionality for upstream connections. It manages cached reverse TCP connections - * and provides them when requested by an incoming request. + * Manages cached reverse TCP connections and provides them when requested. */ class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, public Envoy::Logger::Loggable { public: /** + * Constructs a ReverseTunnelAcceptor with the given server factory context. + * * @param context the server factory context for this socket interface. */ ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context); @@ -132,7 +134,7 @@ class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, // SocketInterface overrides /** - * Create a socket without a specific address (not applicable reverse connections). + * Create a socket without a specific address (no-op for reverse connections). * @param socket_type the type of socket to create. * @param addr_type the address type. * @param version the IP version. @@ -146,7 +148,7 @@ class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, const Envoy::Network::SocketCreationOptions& options) const override; /** - * Create a socket with a specific address for reverse connections. + * Create a socket with a specific address. * @param socket_type the type of socket to create. * @param addr the address to bind to. * @param options socket creation options. @@ -184,14 +186,14 @@ class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, ProtobufTypes::MessagePtr createEmptyConfigProto() override; /** - * @return string containing the interface name. + * @return the interface name. */ std::string name() const override { return "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"; } /** - * @return pointer to the extension for accessing cross-thread aggregation functionality. + * @return pointer to the extension for cross-thread aggregation. */ ReverseTunnelAcceptorExtension* getExtension() const { return extension_; } @@ -203,8 +205,6 @@ class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, /** * Socket interface extension for upstream reverse connections. - * This class extends SocketInterfaceExtension and initializes the upstream reverse socket - * interface. */ class ReverseTunnelAcceptorExtension : public Envoy::Network::SocketInterfaceExtension, @@ -235,13 +235,11 @@ class ReverseTunnelAcceptorExtension /** * Called when the server is initialized. - * Sets up thread-local storage for the socket interface. */ void onServerInitialized() override; /** * Called when a worker thread is initialized. - * no-op for this extension. */ void onWorkerThreadInitialized() override {} @@ -257,7 +255,7 @@ class ReverseTunnelAcceptorExtension /** * Synchronous version for admin API endpoints that require immediate response on reverse - * connection stats. Uses blocking aggregation with timeout for production reliability. + * connection stats. * @param timeout_ms maximum time to wait for aggregation completion * @return pair of or empty if timeout */ @@ -266,34 +264,31 @@ class ReverseTunnelAcceptorExtension /** * Get cross-worker aggregated reverse connection stats. - * @return map of node/cluster -> connection count across all worker threads + * @return map of node/cluster -> connection count across all worker threads. */ absl::flat_hash_map getCrossWorkerStatMap(); /** * Update the cross-thread aggregated stats for the connection. - * @param node_id the node identifier for the connection - * @param cluster_id the cluster identifier for the connection - * @param increment whether to increment (true) or decrement (false) the connection count + * @param node_id the node identifier for the connection. + * @param cluster_id the cluster identifier for the connection. + * @param increment whether to increment (true) or decrement (false) the connection count. */ void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, bool increment); /** - * Update per-worker connection stats for debugging purposes. - * Creates worker-specific stats "reverse_connections.{worker_name}.node.{node_id}". - * @param node_id the node identifier for the connection - * @param cluster_id the cluster identifier for the connection - * @param increment whether to increment (true) or decrement (false) the connection count + * Update per-worker connection stats for debugging. + * @param node_id the node identifier for the connection. + * @param cluster_id the cluster identifier for the connection. + * @param increment whether to increment (true) or decrement (false) the connection count. */ void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, bool increment); /** - * Get per-worker connection stats for debugging purposes. - * Returns stats like "reverse_connections.{worker_name}.node.{node_id}" for the current thread - * only. - * @return map of node/cluster -> connection count for the current worker thread + * Get per-worker connection stats for debugging. + * @return map of node/cluster -> connection count for the current worker thread. */ absl::flat_hash_map getPerWorkerStatMap(); @@ -304,10 +299,8 @@ class ReverseTunnelAcceptorExtension Stats::Scope& getStatsScope() const { return context_.scope(); } /** - * Test-only method to set the thread local slot for testing purposes. - * This allows tests to inject a custom thread local registry without - * requiring friend class access. - * @param slot the thread local slot to set + * Test-only method to set the thread local slot. + * @param slot the thread local slot to set. */ void setTestOnlyTLSRegistry(std::unique_ptr> slot) { @@ -324,7 +317,6 @@ class ReverseTunnelAcceptorExtension /** * Thread-local socket manager for upstream reverse connections. - * Manages cached reverse connection sockets per cluster. */ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, public Logger::Loggable { @@ -339,51 +331,56 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, // RPING message now handled by ReverseConnectionUtility - /** Add the accepted connection and remote cluster mapping to UpstreamSocketManager maps. + /** + * Add accepted connection to socket manager. * @param node_id node_id of initiating node. - * @param cluster_id cluster_id of receiving(acceptor) cluster. + * @param cluster_id cluster_id of receiving cluster. * @param socket the socket to be added. - * @param ping_interval the interval at which ping keepalives are sent on accepted reverse conns. - * @param rebalanced is true if we are adding to the socket after rebalancing to pick the most - * appropriate thread. + * @param ping_interval the interval at which ping keepalives are sent. + * @param rebalanced true if adding socket after rebalancing. */ void addConnectionSocket(const std::string& node_id, const std::string& cluster_id, Network::ConnectionSocketPtr socket, const std::chrono::seconds& ping_interval, bool rebalanced); - /** Called by the responder envoy when a request is received, that could be sent through a reverse - * connection. This returns an accepted connection socket, if present. + /** + * Get an available reverse connection socket. * @param node_id the node ID to get a socket for. * @return the connection socket, or nullptr if none available. */ Network::ConnectionSocketPtr getConnectionSocket(const std::string& node_id); - /** Mark the connection socket dead and remove it from internal maps. + /** + * Mark connection socket dead and remove from internal maps. * @param fd the FD for the socket to be marked dead. */ void markSocketDead(const int fd); - /** Ping all active reverse connections to check their health and maintain keepalive. - * Sends ping messages to all accepted reverse connections and sets up response timeouts. + /** + * Ping all active reverse connections for health checks. */ void pingConnections(); - /** Ping reverse connections for a specific node to check their health. + /** + * Ping reverse connections for a specific node. * @param node_id the node ID whose connections should be pinged. */ void pingConnections(const std::string& node_id); - /** Try to enable the ping timer if it's not already enabled. + /** + * Enable the ping timer if not already enabled. * @param ping_interval the interval at which ping keepalives should be sent. */ void tryEnablePingTimer(const std::chrono::seconds& ping_interval); - /** Clean up stale node entries when no active sockets remain for a node. + /** + * Clean up stale node entries when no active sockets remain. * @param node_id the node ID to clean up. */ void cleanStaleNodeEntry(const std::string& node_id); - /** Handle ping response from a reverse connection. + /** + * Handle ping response from a reverse connection. * @param io_handle the IO handle for the socket that sent the ping response. */ void onPingResponse(Network::IoHandle& io_handle); @@ -394,41 +391,38 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, */ ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } /** - * Automatically discern whether the key is a node ID or a cluster ID. The key is a - * cluster ID if any worker has a reverse connection for that cluster, in which case - * return a node belonging to that cluster. Otherwise, it is a node ID, in which case - * return the node ID as-is. + * Automatically discern whether the key is a node ID or cluster ID. * @param key the key to get the node ID for. - * @return the node ID or cluster ID. + * @return the node ID. */ std::string getNodeID(const std::string& key); private: - // Pointer to the thread local Dispatcher instance. + // Thread local dispatcher instance. Event::Dispatcher& dispatcher_; Random::RandomGeneratorPtr random_generator_; - // Map of node IDs to connection sockets, stored on the accepting(remote) envoy. + // Map of node IDs to connection sockets. absl::flat_hash_map> accepted_reverse_connections_; - // Map from file descriptor to node ID + // Map from file descriptor to node ID. absl::flat_hash_map fd_to_node_map_; - // Map of node ID to the corresponding cluster it belongs to. + // Map of node ID to cluster. absl::flat_hash_map node_to_cluster_map_; - // Map of cluster IDs to list of node IDs + // Map of cluster IDs to node IDs. absl::flat_hash_map> cluster_to_node_map_; - // File events and timers for ping functionality + // File events and timers for ping functionality. absl::flat_hash_map fd_to_event_map_; absl::flat_hash_map fd_to_timer_map_; Event::TimerPtr ping_timer_; std::chrono::seconds ping_interval_{0}; - // Pointer to the upstream extension for stats integration + // Upstream extension for stats integration. ReverseTunnelAcceptorExtension* extension_; }; diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 0dd69c2469f69..71d22afde89a1 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -39,21 +39,37 @@ namespace ReverseConnection { class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { public: /** - * Constructor that takes ownership of the socket. + * Constructor that takes ownership of the socket and stores parent pointer and connection key. */ - explicit DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {}", - fd_); + DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + ReverseConnectionIOHandle* parent, + const std::string& connection_key) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), + owned_socket_(std::move(socket)), + parent_(parent), + connection_key_(connection_key) { + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {} for connection key: {}", + fd_, connection_key_); } ~DownstreamReverseConnectionIOHandle() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {}", fd_); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {} with connection key: {}", + fd_, connection_key_); } // Network::IoHandle overrides. Api::IoCallUint64Result close() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {}", fd_); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", + fd_, connection_key_); + + // Notify parent that this downstream connection has been closed + // This will trigger re-initiation of the reverse connection if needed + if (parent_) { + parent_->onDownstreamConnectionClosed(connection_key_); + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: notified parent of connection closure for key: {}", + connection_key_); + } + // Reset the owned socket to properly close the connection. if (owned_socket_) { owned_socket_.reset(); @@ -69,267 +85,112 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { private: // The socket that this IOHandle owns and manages lifetime for. Network::ConnectionSocketPtr owned_socket_; + // Pointer to parent ReverseConnectionIOHandle for connection lifecycle management + ReverseConnectionIOHandle* parent_; + // Connection key for tracking this specific connection + std::string connection_key_; }; // Forward declaration. class ReverseConnectionIOHandle; class ReverseTunnelInitiator; -/** - * RCConnectionWrapper manages the lifecycle of a ClientConnectionPtr for reverse connections. - * It handles connection callbacks, sends the gRPC handshake request, and processes the response. - */ -class RCConnectionWrapper : public Network::ConnectionCallbacks, - public Event::DeferredDeletable, - public ReverseConnection::GrpcReverseTunnelCallbacks, - Logger::Loggable { -public: - RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, - Upstream::HostDescriptionConstSharedPtr host, - const std::string& cluster_name) - : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), - cluster_name_(cluster_name) { - - reverse_tunnel_client_ = nullptr; - const auto* grpc_config = parent.getGrpcConfig(); - if (grpc_config != nullptr) { - ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config available, creating gRPC client"); - reverse_tunnel_client_ = std::make_unique( - parent.getClusterManager(), cluster_name_, *grpc_config, *this); - } else { - ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config not available, using HTTP fallback"); - } + +// RCConnectionWrapper constructor implementation +RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name) + : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), + cluster_name_(cluster_name) { + + reverse_tunnel_client_ = nullptr; + const auto* grpc_config = parent.getGrpcConfig(); + if (grpc_config != nullptr) { + ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config available, creating gRPC client"); + reverse_tunnel_client_ = std::make_unique( + parent.getClusterManager(), cluster_name_, *grpc_config, *this); + } else { + ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config not available, using HTTP fallback"); } +} - ~RCConnectionWrapper() override { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Starting safe RCConnectionWrapper destruction"); - - // Use atomic flag to prevent recursive destruction - static thread_local std::atomic destruction_in_progress{false}; - bool expected = false; - if (!destruction_in_progress.compare_exchange_strong(expected, true)) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Wrapper destruction already in progress, skipping"); - return; +// RCConnectionWrapper destructor implementation +RCConnectionWrapper::~RCConnectionWrapper() { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Starting safe RCConnectionWrapper destruction"); + + // Use atomic flag to prevent recursive destruction + static thread_local std::atomic destruction_in_progress{false}; + bool expected = false; + if (!destruction_in_progress.compare_exchange_strong(expected, true)) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Wrapper destruction already in progress, skipping"); + return; + } + + // RAII guard to ensure flag is reset + struct DestructionGuard { + std::atomic& flag; + DestructionGuard(std::atomic& f) : flag(f) {} + ~DestructionGuard() { flag = false; } + } guard(destruction_in_progress); + + try { + // STEP 1: Cancel gRPC client first to prevent callback access + if (reverse_tunnel_client_) { + try { + reverse_tunnel_client_->cancel(); + reverse_tunnel_client_.reset(); + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client safely canceled"); + } catch (const std::exception& e) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client cleanup exception: {}", e.what()); + } catch (...) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown gRPC client cleanup exception"); + } } - - // RAII guard to ensure flag is reset - struct DestructionGuard { - std::atomic& flag; - DestructionGuard(std::atomic& f) : flag(f) {} - ~DestructionGuard() { flag = false; } - } guard(destruction_in_progress); - - try { - // STEP 1: Cancel gRPC client first to prevent callback access - if (reverse_tunnel_client_) { + + // STEP 2: Safely remove connection callbacks + if (connection_) { + try { + // Check if connection is still valid before accessing + auto state = connection_->state(); + + // Only remove callbacks if connection is in valid state + if (state != Network::Connection::State::Closed) { + connection_->removeConnectionCallbacks(*this); + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection callbacks safely removed"); + } + + // Don't call close() here - let Envoy's cleanup handle it + // This prevents double-close and access after free issues + connection_.reset(); + + } catch (const std::exception& e) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection cleanup exception: {}", e.what()); + // Still try to reset the connection pointer to prevent further access try { - reverse_tunnel_client_->cancel(); - reverse_tunnel_client_.reset(); - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client safely canceled"); - } catch (const std::exception& e) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client cleanup exception: {}", e.what()); + connection_.reset(); } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown gRPC client cleanup exception"); + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); } - } - - // STEP 2: Safely remove connection callbacks - if (connection_) { + } catch (...) { + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown connection cleanup exception"); try { - // Check if connection is still valid before accessing - auto state = connection_->state(); - - // Only remove callbacks if connection is in valid state - if (state != Network::Connection::State::Closed) { - connection_->removeConnectionCallbacks(*this); - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection callbacks safely removed"); - } - - // Don't call close() here - let Envoy's cleanup handle it - // This prevents double-close and access after free issues connection_.reset(); - - } catch (const std::exception& e) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection cleanup exception: {}", e.what()); - // Still try to reset the connection pointer to prevent further access - try { - connection_.reset(); - } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); - } } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown connection cleanup exception"); - try { - connection_.reset(); - } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); - } + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); } } - - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: RCConnectionWrapper destruction completed safely"); - - } catch (const std::exception& e) { - ENVOY_LOG(error, "DEFENSIVE CLEANUP: Top-level wrapper destruction exception: {}", e.what()); - } catch (...) { - ENVOY_LOG(error, "DEFENSIVE CLEANUP: Unknown top-level wrapper destruction exception"); } + + ENVOY_LOG(debug, "DEFENSIVE CLEANUP: RCConnectionWrapper destruction completed safely"); + + } catch (const std::exception& e) { + ENVOY_LOG(error, "DEFENSIVE CLEANUP: Top-level wrapper destruction exception: {}", e.what()); + } catch (...) { + ENVOY_LOG(error, "DEFENSIVE CLEANUP: Unknown top-level wrapper destruction exception"); } +} - // Network::ConnectionCallbacks. - void onEvent(Network::ConnectionEvent event) override; - void onAboveWriteBufferHighWatermark() override {} - void onBelowWriteBufferLowWatermark() override {} - - // ::Envoy::ReverseConnection::HandshakeCallbacks - void onHandshakeSuccess( - std::unique_ptr response) - override; - void onHandshakeFailure(Grpc::Status::GrpcStatus status, const std::string& message) override; - - // Initiate the reverse connection gRPC handshake. - std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, - const std::string& src_node_id); - - // Clean up on failure. Use graceful shutdown. - void onFailure() { - ENVOY_LOG(debug, - "RCConnectionWrapper::onFailure - initiating graceful shutdown due to failure"); - shutdown(); - } - - void shutdown() { - if (!connection_) { - ENVOY_LOG(debug, "Connection already null."); - return; - } - - ENVOY_LOG(debug, "Connection ID: {}, state: {}.", connection_->id(), - static_cast(connection_->state())); - - // Cancel any ongoing gRPC handshake - if (reverse_tunnel_client_) { - reverse_tunnel_client_->cancel(); - } - - // Remove callbacks first to prevent recursive calls during shutdown - connection_->removeConnectionCallbacks(*this); - - if (connection_->state() == Network::Connection::State::Open) { - ENVOY_LOG(debug, "Closing open connection gracefully."); - connection_->close(Network::ConnectionCloseType::FlushWrite); - } else if (connection_->state() == Network::Connection::State::Closing) { - ENVOY_LOG(debug, "Connection already closing, waiting."); - } else { - ENVOY_LOG(debug, "Connection already closed."); - } - - // Clear the connection pointer to prevent further access - connection_.reset(); - ENVOY_LOG(debug, "Completed graceful shutdown."); - } - - Network::ClientConnection* getConnection() { return connection_.get(); } - Upstream::HostDescriptionConstSharedPtr getHost() { return host_; } - // Release the connection when handshake succeeds. - Network::ClientConnectionPtr releaseConnection() { return std::move(connection_); } - -private: - /** - * Simplified read filter for HTTP fallback during gRPC migration. - */ - struct SimpleConnReadFilter : public Network::ReadFilterBaseImpl { - SimpleConnReadFilter(RCConnectionWrapper* parent) : parent_(parent) {} - - Network::FilterStatus onData(Buffer::Instance& buffer, bool) override { - if (parent_ == nullptr) { - ENVOY_LOG(error, "RC Connection Manager is null. Aborting read."); - return Network::FilterStatus::StopIteration; - } - - const std::string data = buffer.toString(); - ENVOY_LOG(debug, "SimpleConnReadFilter: Received data: {}", data); - - // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) - if (data.find("HTTP/1.1 200 OK") != std::string::npos || - data.find("HTTP/2 200") != std::string::npos) { - ENVOY_LOG(debug, "Received HTTP 200 OK response"); - - // Find the end of headers (double CRLF) - size_t headers_end = data.find("\r\n\r\n"); - if (headers_end != std::string::npos) { - // Extract the response body (after headers) - std::string response_body = data.substr(headers_end + 4); - - if (!response_body.empty()) { - // Try to parse the protobuf response - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; - if (ret.ParseFromString(response_body)) { - ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); - - // Check if the status is ACCEPTED - if (ret.status() == envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED) { - ENVOY_LOG(debug, "Reverse connection accepted by cloud side"); - parent_->onHandshakeSuccess(nullptr); - return Network::FilterStatus::StopIteration; - } else { - ENVOY_LOG(error, "Reverse connection rejected: {}", ret.status_message()); - parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::PermissionDenied, - ret.status_message()); - return Network::FilterStatus::StopIteration; - } - } else { - ENVOY_LOG(debug, "Could not parse protobuf response, checking for text success indicators"); - - // Fallback: look for success indicators in the response body - if (response_body.find("reverse connection accepted") != std::string::npos || - response_body.find("ACCEPTED") != std::string::npos) { - ENVOY_LOG(debug, "Found success indicator in response body"); - parent_->onHandshakeSuccess(nullptr); - return Network::FilterStatus::StopIteration; - } else { - ENVOY_LOG(error, "No success indicator found in response body"); - parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, - "Unrecognized response format"); - return Network::FilterStatus::StopIteration; - } - } - } else { - ENVOY_LOG(debug, "Response body is empty, waiting for more data"); - return Network::FilterStatus::Continue; - } - } else { - ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); - return Network::FilterStatus::Continue; - } - } else if (data.find("HTTP/1.1 ") != std::string::npos || data.find("HTTP/2 ") != std::string::npos) { - // Found HTTP response but not 200 OK - this is an error - ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); - parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, - "HTTP handshake failed with non-200 response"); - return Network::FilterStatus::StopIteration; - } else { - ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); - return Network::FilterStatus::Continue; - } - } - - RCConnectionWrapper* parent_; - }; - - ReverseConnectionIOHandle& parent_; - Network::ClientConnectionPtr connection_; - Upstream::HostDescriptionConstSharedPtr host_; - const std::string cluster_name_; - std::unique_ptr reverse_tunnel_client_; - - // Handshake data for HTTP fallback - std::string handshake_tenant_id_; - std::string handshake_cluster_id_; - std::string handshake_node_id_; - bool handshake_sent_{false}; -}; - +// RCConnectionWrapper method implementations void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { if (event == Network::ConnectionEvent::Connected && !handshake_sent_ && !handshake_tenant_id_.empty() && reverse_tunnel_client_ == nullptr) { @@ -354,6 +215,80 @@ void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { } } +// SimpleConnReadFilter::onData implementation +Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer::Instance& buffer, bool) { + if (parent_ == nullptr) { + ENVOY_LOG(error, "RC Connection Manager is null. Aborting read."); + return Network::FilterStatus::StopIteration; + } + + const std::string data = buffer.toString(); + ENVOY_LOG(debug, "SimpleConnReadFilter: Received data: {}", data); + + // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) + if (data.find("HTTP/1.1 200 OK") != std::string::npos || + data.find("HTTP/2 200") != std::string::npos) { + ENVOY_LOG(debug, "Received HTTP 200 OK response"); + + // Find the end of headers (double CRLF) + size_t headers_end = data.find("\r\n\r\n"); + if (headers_end != std::string::npos) { + // Extract the response body (after headers) + std::string response_body = data.substr(headers_end + 4); + + if (!response_body.empty()) { + // Try to parse the protobuf response + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; + if (ret.ParseFromString(response_body)) { + ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); + + // Check if the status is ACCEPTED + if (ret.status() == envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED) { + ENVOY_LOG(debug, "Reverse connection accepted by cloud side"); + parent_->onHandshakeSuccess(nullptr); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(error, "Reverse connection rejected: {}", ret.status_message()); + parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::PermissionDenied, + ret.status_message()); + return Network::FilterStatus::StopIteration; + } + } else { + ENVOY_LOG(debug, "Could not parse protobuf response, checking for text success indicators"); + + // Fallback: look for success indicators in the response body + if (response_body.find("reverse connection accepted") != std::string::npos || + response_body.find("ACCEPTED") != std::string::npos) { + ENVOY_LOG(debug, "Found success indicator in response body"); + parent_->onHandshakeSuccess(nullptr); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(error, "No success indicator found in response body"); + parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, + "Unrecognized response format"); + return Network::FilterStatus::StopIteration; + } + } + } else { + ENVOY_LOG(debug, "Response body is empty, waiting for more data"); + return Network::FilterStatus::Continue; + } + } else { + ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); + return Network::FilterStatus::Continue; + } + } else if (data.find("HTTP/1.1 ") != std::string::npos || data.find("HTTP/2 ") != std::string::npos) { + // Found HTTP response but not 200 OK - this is an error + ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); + parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, + "HTTP handshake failed with non-200 response"); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); + return Network::FilterStatus::Continue; + } +} + std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, const std::string& src_cluster_id, const std::string& src_node_id) { @@ -463,13 +398,51 @@ void RCConnectionWrapper::onHandshakeFailure(Grpc::Status::GrpcStatus status, parent_.onConnectionDone(message, this, false); } +void RCConnectionWrapper::onFailure() { + ENVOY_LOG(debug, + "RCConnectionWrapper::onFailure - initiating graceful shutdown due to failure"); + shutdown(); +} + +void RCConnectionWrapper::shutdown() { + if (!connection_) { + ENVOY_LOG(debug, "Connection already null."); + return; + } + + ENVOY_LOG(debug, "Connection ID: {}, state: {}.", connection_->id(), + static_cast(connection_->state())); + + // Cancel any ongoing gRPC handshake + if (reverse_tunnel_client_) { + reverse_tunnel_client_->cancel(); + } + + // Remove callbacks first to prevent recursive calls during shutdown + connection_->removeConnectionCallbacks(*this); + + if (connection_->state() == Network::Connection::State::Open) { + ENVOY_LOG(debug, "Closing open connection gracefully."); + connection_->close(Network::ConnectionCloseType::FlushWrite); + } else if (connection_->state() == Network::Connection::State::Closing) { + ENVOY_LOG(debug, "Connection already closing, waiting."); + } else { + ENVOY_LOG(debug, "Connection already closed."); + } + + // Clear the connection pointer to prevent further access + connection_.reset(); + ENVOY_LOG(debug, "Completed graceful shutdown."); +} + ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, Upstream::ClusterManager& cluster_manager, - const ReverseTunnelInitiator& socket_interface, + ReverseTunnelInitiatorExtension* extension, Stats::Scope& scope) : IoSocketHandleImpl(fd), config_(config), cluster_manager_(cluster_manager), - socket_interface_(socket_interface), original_socket_fd_(fd) { + extension_(extension), original_socket_fd_(fd) { + (void)scope; // Mark as unused ENVOY_LOG(debug, "Created ReverseConnectionIOHandle: fd={}, src_node={}, num_clusters={}", fd_, config_.src_node_id, config_.remote_clusters.size()); ENVOY_LOG(debug, @@ -477,7 +450,6 @@ ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, "health_check_interval: {}ms, connection_timeout: {}ms", config_.src_cluster_id, config_.src_node_id, config_.health_check_interval_ms, config_.connection_timeout_ms); - initializeStats(scope); // Defer trigger mechanism creation until listen() is called on a worker thread. // This avoids accessing thread-local dispatcher during main thread initialization. } @@ -492,6 +464,7 @@ void ReverseConnectionIOHandle::cleanup() { // CRITICAL: Clean up pipe trigger mechanism FIRST to prevent use-after-free // Clean up trigger pipe + ENVOY_LOG(trace, "ReverseConnectionIOHandle::cleanup() - cleaning up trigger pipe; trigger_pipe_write_fd_={}, trigger_pipe_read_fd_={}", trigger_pipe_write_fd_, trigger_pipe_read_fd_); if (trigger_pipe_write_fd_ >= 0) { ::close(trigger_pipe_write_fd_); trigger_pipe_write_fd_ = -1; @@ -503,15 +476,8 @@ void ReverseConnectionIOHandle::cleanup() { // Cancel the retry timer safely. if (rev_conn_retry_timer_) { - try { - rev_conn_retry_timer_->disableTimer(); - rev_conn_retry_timer_.reset(); - ENVOY_LOG(debug, "Cancelled and reset retry timer."); - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during timer cleanup (expected during shutdown): {}.", e.what()); - // Reset the timer pointer anyway to prevent further access - rev_conn_retry_timer_.reset(); - } + ENVOY_LOG(trace, "ReverseConnectionIOHandle::cleanup() - cancelling and resetting retry timer."); + rev_conn_retry_timer_.reset(); } // Graceful shutdown of connection wrappers with exception safety. ENVOY_LOG(debug, "Gracefully shutting down {} connection wrappers.", connection_wrappers_.size()); @@ -631,6 +597,14 @@ void ReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatche return; } } + + // CRITICAL: Replace the monitored FD with pipe read FD + // This must happen before any event registration + int trigger_fd = getPipeMonitorFd(); + if (trigger_fd != -1) { + ENVOY_LOG(info, "Replacing monitored FD from {} to pipe read FD {}", fd_, trigger_fd); + fd_ = trigger_fd; + } // Initialize reverse connections on worker thread if (!rev_conn_retry_timer_) { @@ -748,9 +722,9 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a // Reset file events on the duplicated socket to clear any inherited events duplicated_socket->ioHandle().resetFileEvents(); - // Create RAII-based IoHandle with duplicated socket + // Create RAII-based IoHandle with duplicated socket, passing parent pointer and connection key auto io_handle = std::make_unique( - std::move(duplicated_socket)); + std::move(duplicated_socket), this, connection_key); ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - RAII IoHandle created with duplicated socket."); connection->setSocketReused(true); @@ -793,26 +767,26 @@ ReverseConnectionIOHandle::connect(Envoy::Network::Address::InstanceConstSharedP return IoSocketHandleImpl::connect(address); } -// Note: This close method is called when the ReverseConnectionIOHandle itself is closed. -// Individual connections are managed via DownstreamReverseConnectionIOHandle RAII ownership. +// Note: This close method is called when the ReverseConnectionIOHandle itself is closed, which +// should typically happen when the listener is being drained. +// Individual reverse connections initiated by this ReverseConnectionIOHandle are managed via +// DownstreamReverseConnectionIOHandle RAII ownership. Api::IoCallUint64Result ReverseConnectionIOHandle::close() { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::close() - performing graceful shutdown."); + ENVOY_LOG(error, "ReverseConnectionIOHandle::close() - performing graceful shutdown."); - // Clean up original socket FD if it's different from the current fd_ - if (original_socket_fd_ != -1 && original_socket_fd_ != fd_) { - ENVOY_LOG(debug, "Closing original socket FD: {}.", original_socket_fd_); + // Clean up original socket FD + if (original_socket_fd_ != -1) { + ENVOY_LOG(error, "Closing original socket FD: {}.", original_socket_fd_); ::close(original_socket_fd_); original_socket_fd_ = -1; } - // CRITICAL: If we're using pipe trigger FD, don't let IoSocketHandleImpl close it - // because cleanup will handle it - if (isTriggerPipeReady() && trigger_pipe_read_fd_ == fd_) { - ENVOY_LOG(debug, - "Skipping close of pipe trigger FD {} - will be handled by cleanup.", + // CRITICAL: If we're using pipe trigger FD, let the IoSocketHandleImpl::close() + // close it and cleanup() set the pipe FDs to -1. + if (isTriggerPipeReady() && getPipeMonitorFd() == fd_) { + ENVOY_LOG(error, + "Skipping close of pipe trigger FD {} - will be handled by base close() method.", fd_); - // Reset fd_ to prevent double-close - fd_ = -1; } return IoSocketHandleImpl::close(); @@ -831,10 +805,14 @@ bool ReverseConnectionIOHandle::isTriggerReady() const { return ready; } +int ReverseConnectionIOHandle::getPipeMonitorFd() const { + return trigger_pipe_read_fd_; +} + // Use the thread-local registry to get the dispatcher Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { // Get the thread-local dispatcher from the socket interface's registry - auto* local_registry = socket_interface_.getLocalRegistry(); + auto* local_registry = extension_->getLocalRegistry(); if (local_registry) { // Return the dispatcher from the thread-local registry @@ -849,13 +827,17 @@ Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { // Safe wrapper for accessing thread-local dispatcher bool ReverseConnectionIOHandle::isThreadLocalDispatcherAvailable() const { try { - auto* local_registry = socket_interface_.getLocalRegistry(); + auto* local_registry = extension_->getLocalRegistry(); return local_registry != nullptr; } catch (...) { return false; } } +ReverseTunnelInitiatorExtension* ReverseConnectionIOHandle::getDownstreamExtension() const { + return extension_; +} + void ReverseConnectionIOHandle::maybeUpdateHostsMappingsAndConnections( const std::string& cluster_id, const std::vector& hosts) { absl::flat_hash_set new_hosts(hosts.begin(), hosts.end()); @@ -932,16 +914,24 @@ void ReverseConnectionIOHandle::maintainClusterConnections( const std::string& cluster_name, const RemoteClusterConnectionConfig& cluster_config) { ENVOY_LOG(debug, "Maintaining connections for cluster: {} with {} requested connections per host", cluster_name, cluster_config.reverse_connection_count); + + // Generate a temporary connection key for early failure tracking, to update stats gauges + const std::string temp_connection_key = "temp_" + cluster_name + "_" + std::to_string(rand()); + // Get thread local cluster to access resolved hosts auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); if (thread_local_cluster == nullptr) { ENVOY_LOG(error, "Cluster '{}' not found for reverse tunnel - will retry later", cluster_name); + updateConnectionState("", cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); return; } // Get all resolved hosts for the cluster const auto& host_map_ptr = thread_local_cluster->prioritySet().crossPriorityHostMap(); if (host_map_ptr == nullptr || host_map_ptr->empty()) { - ENVOY_LOG(warn, "No hosts found in cluster '{}' - will retry later", cluster_name); + ENVOY_LOG(error, "No hosts found in cluster '{}' - will retry later", cluster_name); + updateConnectionState("", cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); return; } // Retrieve the resolved hosts for a cluster and update the corresponding maps @@ -1100,6 +1090,14 @@ void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address } auto& host_info = host_it->second; + auto now = std::chrono::steady_clock::now(); + + // Check if the host is actually in backoff before resetting + if (now >= host_info.backoff_until) { + ENVOY_LOG(debug, "Host {} is not in backoff, skipping reset", host_address); + return; + } + host_info.failure_count = 0; host_info.backoff_until = std::chrono::steady_clock::now(); ENVOY_LOG(debug, "Reset backoff for host {}", host_address); @@ -1114,77 +1112,27 @@ void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address host_info.cluster_name, recovered_connection_key); } -void ReverseConnectionIOHandle::initializeStats(Stats::Scope& scope) { - const std::string stats_prefix = "reverse_connection_downstream"; - reverse_conn_scope_ = scope.createScope(stats_prefix); - ENVOY_LOG(debug, "Initialized ReverseConnectionIOHandle stats with scope: {}", - reverse_conn_scope_->constSymbolTable().toString(reverse_conn_scope_->prefix())); -} - -ReverseConnectionDownstreamStats* -ReverseConnectionIOHandle::getStatsByCluster(const std::string& cluster_name) { - auto iter = cluster_stats_map_.find(cluster_name); - if (iter != cluster_stats_map_.end()) { - ReverseConnectionDownstreamStats* stats = iter->second.get(); - return stats; - } - - ENVOY_LOG(debug, "ReverseConnectionIOHandle: Creating new stats for cluster: {}", cluster_name); - cluster_stats_map_[cluster_name] = std::make_unique( - ReverseConnectionDownstreamStats{ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS( - POOL_COUNTER_PREFIX(*reverse_conn_scope_, cluster_name), - POOL_GAUGE_PREFIX(*reverse_conn_scope_, cluster_name), - POOL_HISTOGRAM_PREFIX(*reverse_conn_scope_, cluster_name))}); - return cluster_stats_map_[cluster_name].get(); -} - -ReverseConnectionDownstreamStats* -ReverseConnectionIOHandle::getStatsByHost(const std::string& host_address, - const std::string& cluster_name) { - const std::string host_key = cluster_name + "." + host_address; - auto iter = host_stats_map_.find(host_key); - if (iter != host_stats_map_.end()) { - ReverseConnectionDownstreamStats* stats = iter->second.get(); - return stats; - } - - ENVOY_LOG(debug, "ReverseConnectionIOHandle: Creating new stats for host: {} in cluster: {}", - host_address, cluster_name); - host_stats_map_[host_key] = std::make_unique( - ReverseConnectionDownstreamStats{ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS( - POOL_COUNTER_PREFIX(*reverse_conn_scope_, host_key), - POOL_GAUGE_PREFIX(*reverse_conn_scope_, host_key), - POOL_HISTOGRAM_PREFIX(*reverse_conn_scope_, host_key))}); - return host_stats_map_[host_key].get(); -} - void ReverseConnectionIOHandle::updateConnectionState(const std::string& host_address, const std::string& cluster_name, const std::string& connection_key, ReverseConnectionState new_state) { - // Update cluster-level stats - ReverseConnectionDownstreamStats* cluster_stats = getStatsByCluster(cluster_name); - - // Update host-level stats - ReverseConnectionDownstreamStats* host_stats = getStatsByHost(host_address, cluster_name); - - // Update connection state in host info + // Update connection state in host info and handle old state auto host_it = host_to_conn_info_map_.find(host_address); if (host_it != host_to_conn_info_map_.end()) { - // Remove old state if it exists + // Remove old state if it exists auto old_state_it = host_it->second.connection_states.find(connection_key); if (old_state_it != host_it->second.connection_states.end()) { ReverseConnectionState old_state = old_state_it->second; - // Decrement old state gauge - decrementStateGauge(cluster_stats, host_stats, old_state); + // Decrement old state gauge using unified function + updateStateGauge(host_address, cluster_name, old_state, false /* decrement */); } // Set new state host_it->second.connection_states[connection_key] = new_state; } - // Increment new state gauge - incrementStateGauge(cluster_stats, host_stats, new_state); + // Increment new state gauge using unified function + updateStateGauge(host_address, cluster_name, new_state, true /* increment */); ENVOY_LOG(debug, "Updated connection {} state to {} for host {} in cluster {}", connection_key, static_cast(new_state), host_address, cluster_name); @@ -1193,20 +1141,14 @@ void ReverseConnectionIOHandle::updateConnectionState(const std::string& host_ad void ReverseConnectionIOHandle::removeConnectionState(const std::string& host_address, const std::string& cluster_name, const std::string& connection_key) { - // Update cluster-level stats - ReverseConnectionDownstreamStats* cluster_stats = getStatsByCluster(cluster_name); - - // Update host-level stats - ReverseConnectionDownstreamStats* host_stats = getStatsByHost(host_address, cluster_name); - // Remove connection state from host info and decrement gauge auto host_it = host_to_conn_info_map_.find(host_address); if (host_it != host_to_conn_info_map_.end()) { auto state_it = host_it->second.connection_states.find(connection_key); if (state_it != host_it->second.connection_states.end()) { ReverseConnectionState old_state = state_it->second; - // Decrement state gauge - decrementStateGauge(cluster_stats, host_stats, old_state); + // Decrement state gauge using unified function + updateStateGauge(host_address, cluster_name, old_state, false /* decrement */); // Remove from map host_it->second.connection_states.erase(state_it); } @@ -1259,79 +1201,57 @@ void ReverseConnectionIOHandle::onDownstreamConnectionClosed(const std::string& host_address, cluster_name); } -void ReverseConnectionIOHandle::incrementStateGauge(ReverseConnectionDownstreamStats* cluster_stats, - ReverseConnectionDownstreamStats* host_stats, - ReverseConnectionState state) { - if (!cluster_stats || !host_stats) { - ENVOY_LOG(debug, "Stats objects null during increment - likely during shutdown."); +void ReverseConnectionIOHandle::updateStateGauge(const std::string& host_address, + const std::string& cluster_name, + ReverseConnectionState state, + bool increment) { + // Get extension for stats updates + auto* extension = getDownstreamExtension(); + if (!extension) { + ENVOY_LOG(debug, "No downstream extension available for state gauge update"); return; } + // Use switch case to determine the state suffix for stat name + std::string state_suffix; switch (state) { case ReverseConnectionState::Connecting: - cluster_stats->reverse_conn_connecting_.inc(); - host_stats->reverse_conn_connecting_.inc(); + state_suffix = "connecting"; break; case ReverseConnectionState::Connected: - cluster_stats->reverse_conn_connected_.inc(); - host_stats->reverse_conn_connected_.inc(); + state_suffix = "connected"; break; case ReverseConnectionState::Failed: - cluster_stats->reverse_conn_failed_.inc(); - host_stats->reverse_conn_failed_.inc(); + state_suffix = "failed"; break; case ReverseConnectionState::Recovered: - cluster_stats->reverse_conn_recovered_.inc(); - host_stats->reverse_conn_recovered_.inc(); + state_suffix = "recovered"; break; case ReverseConnectionState::Backoff: - cluster_stats->reverse_conn_backoff_.inc(); - host_stats->reverse_conn_backoff_.inc(); + state_suffix = "backoff"; break; case ReverseConnectionState::CannotConnect: - cluster_stats->reverse_conn_cannot_connect_.inc(); - host_stats->reverse_conn_cannot_connect_.inc(); + state_suffix = "cannot_connect"; + break; + default: + state_suffix = "unknown"; break; } -} -void ReverseConnectionIOHandle::decrementStateGauge(ReverseConnectionDownstreamStats* cluster_stats, - ReverseConnectionDownstreamStats* host_stats, - ReverseConnectionState state) { - if (!cluster_stats || !host_stats) { - ENVOY_LOG(debug, "Stats objects null during decrement - likely during shutdown."); - return; - } + // Call extension to handle the actual stat update + extension_->updateConnectionStats(host_address, cluster_name, state_suffix, increment); - switch (state) { - case ReverseConnectionState::Connecting: - cluster_stats->reverse_conn_connecting_.dec(); - host_stats->reverse_conn_connecting_.dec(); - break; - case ReverseConnectionState::Connected: - cluster_stats->reverse_conn_connected_.dec(); - host_stats->reverse_conn_connected_.dec(); - break; - case ReverseConnectionState::Failed: - cluster_stats->reverse_conn_failed_.dec(); - host_stats->reverse_conn_failed_.dec(); - break; - case ReverseConnectionState::Recovered: - cluster_stats->reverse_conn_recovered_.dec(); - host_stats->reverse_conn_recovered_.dec(); - break; - case ReverseConnectionState::Backoff: - cluster_stats->reverse_conn_backoff_.dec(); - host_stats->reverse_conn_backoff_.dec(); - break; - case ReverseConnectionState::CannotConnect: - cluster_stats->reverse_conn_cannot_connect_.dec(); - host_stats->reverse_conn_cannot_connect_.dec(); - break; - } + ENVOY_LOG(trace, "{} state gauge for host {} cluster {} state {}", + increment ? "Incremented" : "Decremented", host_address, cluster_name, state_suffix); } void ReverseConnectionIOHandle::maintainReverseConnections() { + // Validate required configuration parameters at the top level + if (config_.src_node_id.empty()) { + ENVOY_LOG(error, "Source node ID is required but empty - cannot maintain reverse connections"); + return; + } + ENVOY_LOG(debug, "Maintaining reverse tunnels for {} clusters.", config_.remote_clusters.size()); for (const auto& cluster_config : config_.remote_clusters) { const std::string& cluster_name = cluster_config.cluster_name; @@ -1355,14 +1275,11 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& const std::string& host_address, Upstream::HostConstSharedPtr host) { // Generate a temporary connection key for early failure tracking - const std::string temp_connection_key = "temp_" + host_address + "_" + std::to_string(rand()); - - if (config_.src_node_id.empty() || cluster_name.empty() || host_address.empty()) { - ENVOY_LOG( - error, - "Source node ID, Host address and Cluster name are required; Source node: {} Host: {} " - "Cluster: {}", - config_.src_node_id, host_address, cluster_name); + const std::string temp_connection_key = "temp_" + cluster_name + "_" + host_address + "_" + std::to_string(rand()); + + // Only validate host_address here since it's specific to this connection attempt + if (host_address.empty()) { + ENVOY_LOG(error, "Host address is required but empty"); updateConnectionState(host_address, cluster_name, temp_connection_key, ReverseConnectionState::CannotConnect); return false; @@ -1759,7 +1676,7 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke // Create ReverseConnectionIOHandle with cluster manager from context and scope return std::make_unique(sock_fd, config, context_->clusterManager(), - *this, *scope_ptr); + extension_, *scope_ptr); } // Fall back to regular socket for non-stream or non-IP sockets @@ -1836,49 +1753,212 @@ ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension - TLS slot will be created in onWorkerThreadInitialized"); } -REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); +void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& host_address, + const std::string& cluster_id, + const std::string& state_suffix, + bool increment) { + // Register stats with Envoy's system for automatic cross-thread aggregation + auto& stats_store = context_.scope(); + + // Create/update host connection stat with state suffix + if (!host_address.empty() && !state_suffix.empty()) { + std::string host_stat_name = fmt::format("reverse_connections.host.{}.{}", host_address, state_suffix); + auto& host_gauge = + stats_store.gaugeFromString(host_stat_name, Stats::Gauge::ImportMode::Accumulate); + if (increment) { + host_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented host stat {} to {}", + host_stat_name, host_gauge.value()); + } else { + host_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented host stat {} to {}", + host_stat_name, host_gauge.value()); + } + } -size_t ReverseTunnelInitiator::getConnectionCount(const std::string& target) const { - // For the downstream (initiator) side, we need to check the number of active connections - // to a specific target cluster. This would typically involve checking the connection - // wrappers in the ReverseConnectionIOHandle for each cluster. - ENVOY_LOG(debug, "Getting connection count for target: {}", target); + // Create/update cluster connection stat with state suffix + if (!cluster_id.empty() && !state_suffix.empty()) { + std::string cluster_stat_name = fmt::format("reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + auto& cluster_gauge = + stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + if (increment) { + cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } else { + cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } + } - // Since we don't have direct access to the ReverseConnectionIOHandle from here, - // we'll return 1 if we have any reverse connection sockets created for this target. - // This is a simplified implementation - in a full implementation, we'd need to - // track connection state more precisely. + // Also update per-worker stats for debugging + updatePerWorkerConnectionStats(host_address, cluster_id, state_suffix, increment); +} - // For now, return 1 if target matches any of our configured clusters, 0 otherwise - if (!target.empty()) { - // Check if we have any established connections to this target - // This is a simplified check - ideally we'd check actual connection state - return 1; // Placeholder implementation +void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats(const std::string& host_address, + const std::string& cluster_id, + const std::string& state_suffix, + bool increment) { + auto& stats_store = context_.scope(); + + // Get dispatcher name from the thread local dispatcher + std::string dispatcher_name = "main_thread"; // Default for main thread + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + } + + // Create/update per-worker host connection stat + if (!host_address.empty() && !state_suffix.empty()) { + std::string worker_host_stat_name = + fmt::format("reverse_connections.{}.host.{}.{}", dispatcher_name, host_address, state_suffix); + auto& worker_host_gauge = + stats_store.gaugeFromString(worker_host_stat_name, Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_host_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker host stat {} to {}", + worker_host_stat_name, worker_host_gauge.value()); + } else { + worker_host_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker host stat {} to {}", + worker_host_stat_name, worker_host_gauge.value()); + } + } + + // Create/update per-worker cluster connection stat + if (!cluster_id.empty() && !state_suffix.empty()) { + std::string worker_cluster_stat_name = + fmt::format("reverse_connections.{}.cluster.{}.{}", dispatcher_name, cluster_id, state_suffix); + auto& worker_cluster_gauge = + stats_store.gaugeFromString(worker_cluster_stat_name, Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } } - return 0; } -std::vector ReverseTunnelInitiator::getEstablishedConnections() const { - ENVOY_LOG(debug, "Getting list of established connections."); +absl::flat_hash_map ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Iterate through all gauges and filter for cross-worker stats only. + // Cross-worker stats have the pattern "reverse_connections.host.." or + // "reverse_connections.cluster.." (no dispatcher name in the middle). + Stats::IterateFn gauge_callback = + [&stats_map](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + (gauge_name.find("reverse_connections.host.") != std::string::npos || + gauge_name.find("reverse_connections.cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); - // For the downstream (initiator) side, return the list of clusters we have - // established reverse connections to. In our case, this would be the "cloud" cluster - // if we have an active connection. + ENVOY_LOG(debug, + "ReverseTunnelInitiatorExtension: collected {} stats for reverse connections across all " + "worker threads", + stats_map.size()); - std::vector established_clusters; + return stats_map; +} - // Check if we have any active reverse connections - // In our example setup, if reverse connections are working, we should be connected to "cloud" - auto* tls_registry = getLocalRegistry(); - if (tls_registry) { - // If we have a registry, assume we have established connections to "cloud" - established_clusters.push_back("cloud"); +std::pair, std::vector> +ReverseTunnelInitiatorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: obtaining reverse connection stats"); + + // Get all gauges with the reverse_connections prefix. + auto connection_stats = getCrossWorkerStatMap(); + + std::vector connected_hosts; + std::vector accepted_connections; + + // Process the stats to extract connection information + // For initiator, stats format is: reverse_connections.host.. or reverse_connections.cluster.. + // We only want hosts/clusters with "connected" state + for (const auto& [stat_name, count] : connection_stats) { + if (count > 0) { + // Parse stat name to extract host/cluster information with state suffix + if (stat_name.find("reverse_connections.host.") != std::string::npos && + stat_name.find(".connected") != std::string::npos) { + // Find the position after "reverse_connections.host." and before ".connected" + size_t start_pos = stat_name.find("reverse_connections.host.") + strlen("reverse_connections.host."); + size_t end_pos = stat_name.find(".connected"); + if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { + std::string host_address = stat_name.substr(start_pos, end_pos - start_pos); + connected_hosts.push_back(host_address); + } + } else if (stat_name.find("reverse_connections.cluster.") != std::string::npos && + stat_name.find(".connected") != std::string::npos) { + // Find the position after "reverse_connections.cluster." and before ".connected" + size_t start_pos = stat_name.find("reverse_connections.cluster.") + strlen("reverse_connections.cluster."); + size_t end_pos = stat_name.find(".connected"); + if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { + std::string cluster_id = stat_name.substr(start_pos, end_pos - start_pos); + accepted_connections.push_back(cluster_id); + } + } + } } - ENVOY_LOG(debug, "Established connections count: {}.", established_clusters.size()); - return established_clusters; + ENVOY_LOG(debug, + "ReverseTunnelInitiatorExtension: found {} connected hosts, {} accepted connections", + connected_hosts.size(), accepted_connections.size()); + + return {connected_hosts, accepted_connections}; +} + +absl::flat_hash_map ReverseTunnelInitiatorExtension::getPerWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Get the current dispatcher name + std::string dispatcher_name = "main_thread"; // Default for main thread + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + } + + // Iterate through all gauges and filter for the current dispatcher + Stats::IterateFn gauge_callback = + [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + gauge_name.find(dispatcher_name + ".") != std::string::npos && + (gauge_name.find(".host.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: collected {} stats for dispatcher '{}'", + stats_map.size(), dispatcher_name); + + return stats_map; } +REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); + + + } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index a4bbbe8c6e61f..ae2f5c6c339cc 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -25,6 +25,7 @@ #include "source/common/network/socket_interface.h" #include "source/common/upstream/load_balancer_context_base.h" #include "source/extensions/bootstrap/reverse_tunnel/factory_base.h" +#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" #include "absl/container/flat_hash_map.h" #include "absl/container/flat_hash_set.h" @@ -36,11 +37,115 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { +// Forward declaration for friend class +class ReverseConnectionIOHandleTest; + // Forward declarations. -class RCConnectionWrapper; class ReverseTunnelInitiator; class ReverseTunnelInitiatorExtension; class GrpcReverseTunnelClient; +class ReverseConnectionIOHandle; + +/** + * RCConnectionWrapper manages the lifecycle of a ClientConnectionPtr for reverse connections. + * It handles the handshake process (both gRPC and HTTP fallback) and manages connection + * callbacks and cleanup. + */ +class RCConnectionWrapper : public Network::ConnectionCallbacks, + public Event::DeferredDeletable, + public ReverseConnection::GrpcReverseTunnelCallbacks, + Logger::Loggable { +public: + /** + * Constructor for RCConnectionWrapper. + * @param parent reference to the parent ReverseConnectionIOHandle + * @param connection the client connection to wrap + * @param host the upstream host description + * @param cluster_name the name of the cluster + */ + RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name); + + /** + * Destructor for RCConnectionWrapper. + * Performs defensive cleanup to prevent crashes during shutdown. + */ + ~RCConnectionWrapper() override; + + // Network::ConnectionCallbacks overrides + void onEvent(Network::ConnectionEvent event) override; + void onAboveWriteBufferHighWatermark() override {} + void onBelowWriteBufferLowWatermark() override {} + + // ReverseConnection::GrpcReverseTunnelCallbacks overrides + void onHandshakeSuccess( + std::unique_ptr response) + override; + void onHandshakeFailure(Grpc::Status::GrpcStatus status, const std::string& message) override; + + /** + * Initiate the reverse connection handshake (gRPC or HTTP fallback). + * @param src_tenant_id the tenant identifier + * @param src_cluster_id the cluster identifier + * @param src_node_id the node identifier + * @return the local address as string + */ + std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, + const std::string& src_node_id); + + /** + * Handle connection failure and initiate graceful shutdown. + */ + void onFailure(); + + /** + * Perform graceful shutdown of the connection. + */ + void shutdown(); + + /** + * Get the underlying connection. + * @return pointer to the client connection + */ + Network::ClientConnection* getConnection() { return connection_.get(); } + + /** + * Get the host description. + * @return shared pointer to the host description + */ + Upstream::HostDescriptionConstSharedPtr getHost() { return host_; } + + /** + * Release the connection when handshake succeeds. + * @return the released connection + */ + Network::ClientConnectionPtr releaseConnection() { return std::move(connection_); } + +private: + /** + * Simplified read filter for HTTP fallback during gRPC migration. + */ + struct SimpleConnReadFilter : public Network::ReadFilterBaseImpl { + SimpleConnReadFilter(RCConnectionWrapper* parent) : parent_(parent) {} + + Network::FilterStatus onData(Buffer::Instance& buffer, bool) override; + + RCConnectionWrapper* parent_; + }; + + ReverseConnectionIOHandle& parent_; + Network::ClientConnectionPtr connection_; + Upstream::HostDescriptionConstSharedPtr host_; + const std::string cluster_name_; + std::unique_ptr reverse_tunnel_client_; + + // Handshake data for HTTP fallback + std::string handshake_tenant_id_; + std::string handshake_cluster_id_; + std::string handshake_node_id_; + bool handshake_sent_{false}; +}; namespace { // HTTP protocol constants. @@ -54,27 +159,6 @@ static constexpr uint32_t kDefaultHealthCheckIntervalMs = 30000; // 30 seconds. static constexpr uint32_t kDefaultConnectionTimeoutMs = 10000; // 10 seconds. } // namespace -/** - * All reverse connection downstream stats. @see stats_macros.h - * These stats track the performance and health of outgoing reverse connections - * from the initiator (on-premises) to the acceptor (cloud). - */ -#define ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS(COUNTER, GAUGE, HISTOGRAM) \ - COUNTER(reverse_conn_connect_attempts) \ - COUNTER(reverse_conn_connect_failures) \ - COUNTER(reverse_conn_handshake_failures) \ - COUNTER(reverse_conn_timeout_failures) \ - COUNTER(reverse_conn_retries) \ - GAUGE(reverse_conn_connecting, Accumulate) \ - GAUGE(reverse_conn_connected, Accumulate) \ - GAUGE(reverse_conn_failed, Accumulate) \ - GAUGE(reverse_conn_recovered, Accumulate) \ - GAUGE(reverse_conn_backoff, Accumulate) \ - GAUGE(reverse_conn_cannot_connect, Accumulate) \ - HISTOGRAM(reverse_conn_establishment_time, Milliseconds) \ - HISTOGRAM(reverse_conn_handshake_time, Milliseconds) \ - HISTOGRAM(reverse_conn_retry_backoff_time, Milliseconds) - /** * Connection state tracking for reverse connections. */ @@ -87,16 +171,6 @@ enum class ReverseConnectionState { Backoff // Connection is in backoff state due to failures. }; -/** - * Struct definition for all reverse connection downstream stats. @see stats_macros.h - */ -struct ReverseConnectionDownstreamStats { - ALL_REVERSE_CONNECTION_DOWNSTREAM_STATS(GENERATE_COUNTER_STRUCT, GENERATE_GAUGE_STRUCT, - GENERATE_HISTOGRAM_STRUCT) -}; - -using ReverseConnectionDownstreamStatsPtr = std::unique_ptr; - /** * Configuration for remote cluster connections. * Defines connection parameters for each remote cluster that reverse connections should be @@ -147,6 +221,8 @@ struct ReverseConnectionSocketConfig { */ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, public Network::ConnectionCallbacks { + + friend class ReverseConnectionIOHandleTest; public: /** * Constructor for ReverseConnectionIOHandle. @@ -158,7 +234,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, Upstream::ClusterManager& cluster_manager, - const ReverseTunnelInitiator& socket_interface, Stats::Scope& scope); + ReverseTunnelInitiatorExtension* extension, Stats::Scope& scope); ~ReverseConnectionIOHandle() override; @@ -246,6 +322,12 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ bool isTriggerReady() const; + /** + * Get the file descriptor for the pipe monitor used to wake up accept(). + * @return the file descriptor for the pipe monitor + */ + int getPipeMonitorFd() const; + // Callbacks from RCConnectionWrapper. /** * Called when a reverse connection handshake completes. @@ -278,28 +360,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ void resetHostBackoff(const std::string& host_address); - /** - * Initialize stats collection for reverse connections. - * @param scope the stats scope to use for metrics collection. - */ - void initializeStats(Stats::Scope& scope); - - /** - * Get or create stats for a specific cluster. - * @param cluster_name the name of the cluster to get stats for. - * @return pointer to the cluster stats. - */ - ReverseConnectionDownstreamStats* getStatsByCluster(const std::string& cluster_name); - - /** - * Get or create stats for a specific host within a cluster. - * @param host_address the address of the host to get stats for. - * @param cluster_name the name of the cluster the host belongs to. - * @return pointer to the host stats. - */ - ReverseConnectionDownstreamStats* getStatsByHost(const std::string& host_address, - const std::string& cluster_name); - /** * Update the connection state for a specific connection and update metrics. * @param host_address the address of the host. @@ -310,6 +370,16 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, void updateConnectionState(const std::string& host_address, const std::string& cluster_name, const std::string& connection_key, ReverseConnectionState new_state); + /** + * Update state-specific gauge using switch case logic (combined increment/decrement). + * @param host_address the address of the host + * @param cluster_name the name of the cluster + * @param state the connection state to update + * @param increment whether to increment (true) or decrement (false) the gauge + */ + void updateStateGauge(const std::string& host_address, const std::string& cluster_name, + ReverseConnectionState state, bool increment); + /** * Remove connection state tracking for a specific connection. * @param host_address the address of the host. @@ -343,26 +413,13 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, } /** - * Increment the gauge for a specific connection state. - * @param cluster_stats pointer to cluster-level stats - * @param host_stats pointer to host-level stats - * @param state the connection state to increment - */ - void incrementStateGauge(ReverseConnectionDownstreamStats* cluster_stats, - ReverseConnectionDownstreamStats* host_stats, - ReverseConnectionState state); - - /** - * Decrement the gauge for a specific connection state. - * @param cluster_stats pointer to cluster-level stats - * @param host_stats pointer to host-level stats - * @param state the connection state to decrement + * Get pointer to the downstream extension for stats updates. + * @return pointer to the extension, nullptr if not available */ - void decrementStateGauge(ReverseConnectionDownstreamStats* cluster_stats, - ReverseConnectionDownstreamStats* host_stats, - ReverseConnectionState state); + ReverseTunnelInitiatorExtension* getDownstreamExtension() const; private: + /** * @return reference to the thread-local dispatcher */ @@ -466,7 +523,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Core components const ReverseConnectionSocketConfig config_; // Configuration for reverse connections Upstream::ClusterManager& cluster_manager_; - const ReverseTunnelInitiator& socket_interface_; + ReverseTunnelInitiatorExtension* extension_; // Connection wrapper management std::vector> @@ -488,11 +545,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Maps connection key to socket object. // Socket cache removed - sockets are now managed via RAII in DownstreamReverseConnectionIOHandle - // Stats tracking per cluster and host - absl::flat_hash_map cluster_stats_map_; - absl::flat_hash_map host_stats_map_; - Stats::ScopeSharedPtr reverse_conn_scope_; // Stats scope for reverse connections - // Single retry timer for all clusters Event::TimerPtr rev_conn_retry_timer_; @@ -538,6 +590,9 @@ class DownstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { */ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, public Envoy::Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelInitiatorTest; + public: ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context); @@ -590,18 +645,13 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, // Socket interface functionality only - factory methods moved to ReverseTunnelInitiatorFactory - /** - * Get the number of established reverse connections to a specific target (cluster or node). - * @param target the cluster or node name to check connections for - * @return number of established connections to the target - */ - size_t getConnectionCount(const std::string& target) const; + /** - * Get a list of all clusters that have established reverse connections. - * @return vector of cluster names with active reverse connections + * Get the extension instance for accessing cross-thread aggregation capabilities. + * @return pointer to the extension, or nullptr if not available */ - std::vector getEstablishedConnections() const; + ReverseTunnelInitiatorExtension* getExtension() const { return extension_; } // BootstrapExtensionFactory implementation Server::BootstrapExtensionPtr createBootstrapExtension( @@ -626,6 +676,9 @@ DECLARE_FACTORY(ReverseTunnelInitiator); */ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, public Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelInitiatorExtensionTest; + public: ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, @@ -654,6 +707,63 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, return config_.grpc_service_config(); } + /** + * Update connection stats for reverse connections. + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param state_suffix the state suffix (e.g., "connecting", "connected", "failed") + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, + const std::string& state_suffix, bool increment); + + /** + * Update per-worker connection stats for debugging purposes. + * Creates worker-specific stats "reverse_connections.{worker_name}.node.{node_id}.{state_suffix}". + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param state_suffix the state suffix for the connection + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, + const std::string& state_suffix, bool increment); + + /** + * Get per-worker stat map for the current dispatcher. + * @return map of stat names to values for the current worker thread + */ + absl::flat_hash_map getPerWorkerStatMap(); + + /** + * Get cross-worker stat map across all dispatchers. + * @return map of stat names to values across all worker threads + */ + absl::flat_hash_map getCrossWorkerStatMap(); + + /** + * Get connection stats synchronously with timeout. + * @param timeout_ms timeout for the operation + * @return pair of vectors containing connected nodes and accepted connections + */ + std::pair, std::vector> + getConnectionStatsSync(std::chrono::milliseconds timeout_ms); + + /** + * Get the stats scope for accessing stats. + * @return reference to the stats scope. + */ + Stats::Scope& getStatsScope() const { return context_.scope(); } + + /** + * Test-only method to set the thread local slot for testing purposes. + * This allows tests to inject a custom thread local registry without + * requiring friend class access. + * @param slot the thread local slot to set + */ + void setTestOnlyTLSRegistry(std::unique_ptr> slot) { + tls_slot_ = std::move(slot); + } + private: Server::Configuration::ServerFactoryContext& context_; const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 864be88b63712..a12148e3885a4 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -152,8 +152,6 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { }, absl::nullopt, ""); - // connection->setSocketReused(true); - // connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", *decoder_callbacks_, node_uuid, cluster_uuid); saveDownstreamConnection(*connection, node_uuid, cluster_uuid); @@ -276,21 +274,37 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, const std::string& remote_cluster) { ENVOY_LOG(debug, "Getting reverse connection info for initiator role"); - // Get the downstream socket interface to check established connections - auto* downstream_interface = getDownstreamSocketInterface(); - if (!downstream_interface) { - ENVOY_LOG(error, "Failed to get downstream socket interface for initiator role"); + // Get the downstream socket interface extension to check established connections + auto* downstream_extension = getDownstreamSocketInterfaceExtension(); + if (!downstream_extension) { + ENVOY_LOG(error, "Failed to get downstream socket interface extension for initiator role"); std::string response = R"({"accepted":[],"connected":[]})"; - ENVOY_LOG(info, "handleInitiatorInfo response (no interface): {}", response); + ENVOY_LOG(info, "handleInitiatorInfo response (no extension): {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } // For specific node or cluster query if (!remote_node.empty() || !remote_cluster.empty()) { - // Get connection count for specific remote node/cluster - size_t num_connections = downstream_interface->getConnectionCount( - remote_node.empty() ? remote_cluster : remote_node); + // Get connection count for specific remote node/cluster using stats + // For initiator, stats format includes state suffix: reverse_connections.nodes..connected + auto stats_map = downstream_extension->getCrossWorkerStatMap(); + size_t num_connections = 0; + + if (!remote_node.empty()) { + std::string node_stat_name = fmt::format("reverse_connections.nodes.{}.connected", remote_node); + auto it = stats_map.find(node_stat_name); + if (it != stats_map.end()) { + num_connections = it->second; + } + } else { + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}.connected", remote_cluster); + auto it = stats_map.find(cluster_stat_name); + if (it != stats_map.end()) { + num_connections = it->second; + } + } + std::string response = fmt::format("{{\"available_connections\":{}}}", num_connections); ENVOY_LOG(info, "handleInitiatorInfo response for {}: {}", remote_node.empty() ? remote_cluster : remote_node, response); @@ -298,18 +312,27 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, return Http::FilterHeadersStatus::StopIteration; } - // Get all established connections from downstream interface - std::list connected_clusters; - auto established_connections = downstream_interface->getEstablishedConnections(); - for (const auto& cluster : established_connections) { - connected_clusters.push_back(cluster); - } + ENVOY_LOG(debug, "ReverseConnFilter: Using downstream socket manager to get connection stats"); + + // Use the production stats-based approach with Envoy's proven stats system + auto [connected_nodes, accepted_connections] = + downstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); + + // Convert vectors to lists for JSON serialization + std::list accepted_connections_list(accepted_connections.begin(), + accepted_connections.end()); + std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); + + ENVOY_LOG(debug, + "Stats aggregation completed: {} connected nodes, {} accepted connections", + connected_nodes.size(), accepted_connections.size()); + + // Create production-ready JSON response for multi-tenant environment + std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", + Json::Factory::listAsJsonString(accepted_connections_list), + Json::Factory::listAsJsonString(connected_nodes_list)); - // For initiator role, "accepted" is always empty (we don't accept, we initiate) - // "connected" shows which clusters we have established connections to - std::string response = fmt::format("{{\"accepted\":[],\"connected\":{}}}", - Json::Factory::listAsJsonString(connected_clusters)); - ENVOY_LOG(info, "handleInitiatorInfo response: {}", response); + ENVOY_LOG(info, "handleInitiatorInfo production stats-based response: {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } @@ -519,7 +542,7 @@ Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { ENVOY_STREAM_LOG(info, "Saving downstream connection for gRPC request", *decoder_callbacks_); - // connection->setSocketReused(true); + connection->setSocketReused(true); ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", *decoder_callbacks_, initiator.node_id(), initiator.cluster_id()); saveDownstreamConnection(*connection, initiator.node_id(), initiator.cluster_id()); diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 73e52429703a5..9192834c98ac0 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -210,6 +210,26 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str return upstream_socket_interface->getExtension(); } + // Get the downstream socket interface extension for production cross-thread aggregation + ReverseConnection::ReverseTunnelInitiatorExtension* getDownstreamSocketInterfaceExtension() { + auto* downstream_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + if (!downstream_interface) { + ENVOY_LOG(debug, "Downstream reverse socket interface not found"); + return nullptr; + } + + auto* downstream_socket_interface = + dynamic_cast(downstream_interface); + if (!downstream_socket_interface) { + ENVOY_LOG(error, "Failed to cast to ReverseTunnelInitiator"); + return nullptr; + } + + // Get the extension which provides cross-thread aggregation capabilities + return downstream_socket_interface->getExtension(); + } + // Determine the role of this envoy instance based on available socket interfaces std::string determineRole() { auto* upstream_manager = getUpstreamSocketManager(); diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index b23fec5f051c1..ded2797646406 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -40,3 +40,24 @@ envoy_cc_test( "//test/test_common:test_runtime_lib", ], ) + +envoy_extension_cc_test( + name = "reverse_tunnel_initiator_test", + size = "large", + srcs = ["reverse_tunnel_initiator_test.cc"], + extension_names = ["envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"], + deps = [ + "//source/common/network:address_lib", + "//source/common/network:socket_interface_lib", + "//source/common/network:utility_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc index 9b2468a12316b..e536272530287 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc @@ -32,27 +32,27 @@ namespace ReverseConnection { class ReverseTunnelAcceptorExtensionTest : public testing::Test { protected: ReverseTunnelAcceptorExtensionTest() { - // Set up the stats scope + // Set up the stats scope. stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - // Set up the mock context + // Set up the mock context. EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - // Create the config + // Create the config. config_.set_stat_prefix("test_prefix"); - // Create the socket interface + // Create the socket interface. socket_interface_ = std::make_unique(context_); - // Create the extension + // Create the extension. extension_ = std::make_unique(*socket_interface_, context_, config_); } - // Helper function to set up thread local slot for tests + // Helper function to set up thread local slot for tests. void setupThreadLocalSlot() { - // Create a thread local registry + // Create a thread local registry. thread_local_registry_ = std::make_shared(dispatcher_, extension_.get()); @@ -155,12 +155,22 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryAfterInitialization) auto* registry = extension_->getLocalRegistry(); EXPECT_NE(registry, nullptr); - // Verify we can access the socket manager from the registry + // Verify we can access the socket manager from the registry (non-const version) auto* socket_manager = registry->socketManager(); EXPECT_NE(socket_manager, nullptr); // Verify the socket manager has the correct extension reference EXPECT_EQ(socket_manager->getUpstreamExtension(), extension_.get()); + + // Test const socketManager() + const auto* const_registry = extension_->getLocalRegistry(); + EXPECT_NE(const_registry, nullptr); + + const auto* const_socket_manager = const_registry->socketManager(); + EXPECT_NE(const_socket_manager, nullptr); + + // Verify the const socket manager has the correct extension reference + EXPECT_EQ(const_socket_manager->getUpstreamExtension(), extension_.get()); } // Test stats aggregation for one thread only (test thread) @@ -187,6 +197,34 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { for (const auto& [stat_name, value] : stat_map) { EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); } + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats + // creates the same gauges and increments them correctly + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + + // Get stats again to verify the same gauges were incremented + stat_map = extension_->getPerWorkerStatMap(); + + // Verify the gauge values were incremented correctly + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); // 1 + 2 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 3); // 1 + 2 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); // unchanged + + // Test decrement operations to cover the decrement code paths + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); // Decrement node1 + extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); // Decrement node2 once + extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); // Decrement node2 again + + // Get stats again to verify the decrements worked correctly + stat_map = extension_->getPerWorkerStatMap(); + + // Verify the gauge values were decremented correctly + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 2); // 3 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 2); // 3 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); // 2 - 2 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); // 2 - 2 } // Test cross-thread stat map functions using multiple dispatchers @@ -231,6 +269,70 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 1); // cluster3: incremented 1 time from worker_1 EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again + // with the same names increments the existing gauges (not creates new ones) + extension_->updateConnectionStats("node1", "cluster1", true); // Increment again + extension_->updateConnectionStats("node2", "cluster2", false); // Decrement + + // Get stats again to verify the same gauges were updated + stat_map = extension_->getCrossWorkerStatMap(); + + // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); // unchanged + + // Test per-worker decrement operations to cover the per-worker decrement code paths + // First, test decrements from worker_0 context + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); // Decrement from worker_0 + + // Get per-worker stats to verify decrements worked correctly for worker_0 + auto per_worker_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_0 stats were decremented correctly + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); // 4 - 1 + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], + 3); // 4 - 1 + + // Decrement cluster2 which is already at 0 from cross-worker stats + extension_->updateConnectionStats("node2", "cluster2", false); + + // Get cross-worker stats to verify the guardrail worked + auto cross_worker_stat_map = extension_->getCrossWorkerStatMap(); + + // Verify that cluster2 remains at 0 (guardrail prevented underflow) + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); + + per_worker_stat_map = extension_->getPerWorkerStatMap(); + + // Verify that node2/cluster2 remain at 0 (not wrapped around to UINT64_MAX) + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); + + // Now test decrements from worker_1 context + thread_local_registry_ = another_thread_local_registry_; + + // Decrement some stats from worker_1 + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); // Decrement from worker_1 + extension_->updatePerWorkerConnectionStats("node3", "cluster3", false); // Decrement node3 to 0 + + // Get per-worker stats from worker_1 context + auto worker1_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_1 stats were decremented correctly + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node1"], 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node3"], 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3"], + 0); // 1 - 1 + + // Restore original registry + thread_local_registry_ = original_registry; } // Test getConnectionStatsSync using multiple dispatchers @@ -285,6 +387,31 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncMultiThread) { // cluster3: should be present (incremented 1 time) EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != accepted_connections.end()); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again + // with the same names updates the existing gauges and the sync result reflects this + extension_->updateConnectionStats("node1", "cluster1", true); // Increment again + extension_->updateConnectionStats("node2", "cluster2", false); // Decrement to 0 + + // Get connection stats again to verify the updated values + result = extension_->getConnectionStatsSync(); + auto& [updated_connected_nodes, updated_accepted_connections] = result; + + // Verify that node2 is no longer present (gauge value is 0) + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node2") == + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster2") == updated_accepted_connections.end()); + + // Verify that node1 and node3 are still present + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node1") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node3") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster1") != updated_accepted_connections.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster3") != updated_accepted_connections.end()); } // Test getConnectionStatsSync with timeouts @@ -334,6 +461,7 @@ class TestUpstreamSocketManager : public testing::Test { void TearDown() override { socket_manager_.reset(); + extension_.reset(); socket_interface_.reset(); } @@ -358,35 +486,51 @@ class TestUpstreamSocketManager : public testing::Test { return socket_manager_->fd_to_timer_map_.find(fd) != socket_manager_->fd_to_timer_map_.end(); } - size_t verifyAcceptedReverseConnectionsMap(const std::string& node) { - auto it = socket_manager_->accepted_reverse_connections_.find(node); - return (it != socket_manager_->accepted_reverse_connections_.end()) ? it->second.size() : 0; - } + size_t getFDToEventMapSize() { return socket_manager_->fd_to_event_map_.size(); } - std::string getNodeToClusterMapping(const std::string& node) { - auto it = socket_manager_->node_to_cluster_map_.find(node); - return (it != socket_manager_->node_to_cluster_map_.end()) ? it->second : ""; - } + size_t getFDToTimerMapSize() { return socket_manager_->fd_to_timer_map_.size(); } - std::vector getClusterToNodeMapping(const std::string& cluster) { - auto it = socket_manager_->cluster_to_node_map_.find(cluster); - return (it != socket_manager_->cluster_to_node_map_.end()) ? it->second - : std::vector{}; + size_t verifyAcceptedReverseConnectionsMap(const std::string& node_id) { + auto it = socket_manager_->accepted_reverse_connections_.find(node_id); + if (it == socket_manager_->accepted_reverse_connections_.end()) { + return 0; + } + return it->second.size(); } - size_t getAcceptedReverseConnectionsSize() { - return socket_manager_->accepted_reverse_connections_.size(); + std::string getNodeToClusterMapping(const std::string& node_id) { + auto it = socket_manager_->node_to_cluster_map_.find(node_id); + if (it == socket_manager_->node_to_cluster_map_.end()) { + return ""; + } + return it->second; } - size_t getFDToNodeMapSize() { return socket_manager_->fd_to_node_map_.size(); } + std::vector getClusterToNodeMapping(const std::string& cluster_id) { + auto it = socket_manager_->cluster_to_node_map_.find(cluster_id); + if (it == socket_manager_->cluster_to_node_map_.end()) { + return {}; + } + return it->second; + } size_t getNodeToClusterMapSize() { return socket_manager_->node_to_cluster_map_.size(); } size_t getClusterToNodeMapSize() { return socket_manager_->cluster_to_node_map_.size(); } - size_t getFDToEventMapSize() { return socket_manager_->fd_to_event_map_.size(); } + size_t getAcceptedReverseConnectionsSize() { + return socket_manager_->accepted_reverse_connections_.size(); + } - size_t getFDToTimerMapSize() { return socket_manager_->fd_to_timer_map_.size(); } + // Helper methods for the new test cases + void addNodeToClusterMapping(const std::string& node_id, const std::string& cluster_id) { + socket_manager_->node_to_cluster_map_[node_id] = cluster_id; + socket_manager_->cluster_to_node_map_[cluster_id].push_back(node_id); + } + + void addFDToNodeMapping(int fd, const std::string& node_id) { + socket_manager_->fd_to_node_map_[fd] = node_id; + } // Helper to create a mock socket with proper address setup Network::ConnectionSocketPtr createMockSocket(int fd = 123, @@ -1042,7 +1186,8 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { auto* mock_io_handle2 = dynamic_cast*>(&sockets.back()->ioHandle()); - // Send failed ping on mock_io_handle1 and successful one on mock_io_handle2 + // First call: Send failed ping on mock_io_handle1 + // When the first socket fails, the loop breaks and doesn't process the second socket EXPECT_CALL(*mock_io_handle1, write(_)) .Times(1) // Called once .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { @@ -1050,14 +1195,7 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { buffer.drain(buffer.length()); return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; })); - EXPECT_CALL(*mock_io_handle2, write(_)) - .Times(1) // Called once - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{ - 0, Network::IoSocketError::getIoSocketEagainError()}; // Second socket succeeds - })); + // Second socket should NOT be called in the first pingConnections call // Manually call pingConnections to test the functionality socket_manager_->pingConnections(node_id); @@ -1078,8 +1216,7 @@ TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; })); - // Manually call pingConnections again. This should ping once socket2, fail and trigger node - // cleanup + // Manually call pingConnections again. This should ping socket2, fail and trigger node cleanup socket_manager_->pingConnections(node_id); // Verify complete cleanup occurred (both sockets removed due to node cleanup) @@ -1234,10 +1371,13 @@ class TestReverseTunnelAcceptor : public testing::Test { } void TearDown() override { + // Destroy socket manager first so it can still access thread local slot during cleanup + socket_manager_.reset(); + + // Then destroy thread local components tls_slot_.reset(); thread_local_registry_.reset(); - socket_manager_.reset(); extension_.reset(); socket_interface_.reset(); } @@ -1410,7 +1550,7 @@ TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoCachedSockets const std::string node_id = "test-node"; auto address = createAddressWithLogicalName(node_id); - // Call socket() before calling addConnectionSocket() so that no sockets are cacheds + // Call socket() before calling addConnectionSocket() so that no sockets are cached Network::SocketCreationOptions options; auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); EXPECT_NE(io_handle, nullptr); // Should fall back to default socket interface @@ -1516,32 +1656,6 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { EXPECT_NE(&socket, nullptr); } -// Configuration validation tests -class ConfigValidationTest : public testing::Test { -protected: - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface config_; - NiceMock context_; -}; - -TEST_F(ConfigValidationTest, ValidConfiguration) { - // Test that valid configuration gets accepted - config_.set_stat_prefix("reverse_tunnel"); - - ReverseTunnelAcceptor acceptor(context_); - - // Should not throw when creating bootstrap extension - EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); -} - -TEST_F(ConfigValidationTest, EmptyStatPrefix) { - // Test that empty stat_prefix still works with default - ReverseTunnelAcceptor acceptor(context_); - - // Should not throw and should use default prefix - EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); -} - TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv4) { // Test that IPv4 is supported EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); @@ -1584,13 +1698,72 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); } +class UpstreamReverseConnectionIOHandleTest : public testing::Test { +protected: + void SetUp() override { + auto socket = std::make_unique>(); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + socket->io_handle_ = std::move(mock_io_handle); + + handle_ = + std::make_unique(std::move(socket), "test-cluster"); + } + + std::unique_ptr handle_; +}; + +TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { + // Test that connect() returns success immediately for reverse connections + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + auto result = handle_->connect(address); + + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsValidReference) { + // Test that getSocket() returns a valid reference + const auto& socket = handle_->getSocket(); + EXPECT_NE(&socket, nullptr); +} + +// Configuration validation tests +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + NiceMock context_; +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + // Test that valid configuration gets accepted + config_.set_stat_prefix("reverse_tunnel"); + + ReverseTunnelAcceptor acceptor(context_); + + // Should not throw when creating bootstrap extension + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + // Test that empty stat_prefix still works with default + ReverseTunnelAcceptor acceptor(context_); + + // Should not throw and should use default prefix + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + TEST_F(TestUpstreamSocketManager, GetConnectionSocketNoSocketsButValidMapping) { const std::string node_id = "test-node"; const std::string cluster_id = "test-cluster"; // Manually add mapping without adding any actual sockets - socket_manager_->node_to_cluster_map_[node_id] = cluster_id; - socket_manager_->cluster_to_node_map_[cluster_id].push_back(node_id); + addNodeToClusterMapping(node_id, cluster_id); // Try to get a socket - should hit the "No available sockets" log and return nullptr auto socket = socket_manager_->getConnectionSocket(node_id); @@ -1612,7 +1785,7 @@ TEST_F(TestUpstreamSocketManager, MarkSocketDeadInvalidSocketNotInPool) { EXPECT_NE(retrieved_socket, nullptr); // Manually add the fd back to fd_to_node_map to simulate the edge case - socket_manager_->fd_to_node_map_[123] = node_id; + addFDToNodeMapping(123, node_id); // Now mark socket dead - it should find the node but not find the socket in the pool // This will trigger the "Marking an invalid socket dead" error log diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc new file mode 100644 index 0000000000000..f7407911b0a06 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -0,0 +1,2742 @@ +#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" +#include "test/test_common/test_runtime.h" + +// Include the protobuf message for HTTP handshake testing +#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" + +#include + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseTunnelInitiatorExtensionTest : public testing::Test { +protected: + ReverseTunnelInitiatorExtensionTest() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = std::make_unique(context_, config_); + } + + // Helper function to set up thread local slot for tests + void setupThreadLocalSlot() { + // Create a thread local registry + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + void setupAnotherThreadLocalSlot() { + // Create a thread local registry for the other dispatcher + another_thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot + another_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + another_tls_slot_->set([registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method + extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Real thread local slot and registry + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + std::unique_ptr> another_tls_slot_; + std::shared_ptr another_thread_local_registry_; +}; + +// Basic functionality tests +TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { + // Test with empty config (should initialize successfully) + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface empty_config; + + auto extension_with_default = + std::make_unique(context_, empty_config); + + EXPECT_NE(extension_with_default, nullptr); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, OnServerInitialized) { + // This should be a no-op + extension_->onServerInitialized(); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, OnWorkerThreadInitialized) { + // Test that onWorkerThreadInitialized creates thread local slot + extension_->onWorkerThreadInitialized(); + + // Verify that the thread local slot was created by checking getLocalRegistry + EXPECT_NE(extension_->getLocalRegistry(), nullptr); +} + +// Thread local registry access tests +TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryBeforeInitialization) { + // Before tls_slot_ is set, getLocalRegistry should return nullptr + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryAfterInitialization) { + + // First test with uninitialized TLS + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); + + // Initialize the thread local slot + setupThreadLocalSlot(); + + // Now getLocalRegistry should return the actual registry + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); + + // Test multiple calls return same registry + auto* registry2 = extension_->getLocalRegistry(); + EXPECT_EQ(registry, registry2); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, GetStatsScope) { + // Test that getStatsScope returns the correct scope + EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsIncrement) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Test updateConnectionStats with increment=true + std::string node_id = "test-node-123"; + std::string cluster_id = "test-cluster-456"; + std::string state_suffix = "connecting"; + + // Call updateConnectionStats to increment + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + + // Verify that the correct stats were created and incremented using cross-worker stat map + auto stat_map = extension_->getCrossWorkerStatMap(); + + std::string expected_node_stat = fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + + EXPECT_EQ(stat_map[expected_node_stat], 1); + EXPECT_EQ(stat_map[expected_cluster_stat], 1); + + // Debug: Print all stats to verify the stat map + std::cout << "\n=== UpdateConnectionStatsIncrement Stats ===" << std::endl; + for (const auto& [stat_name, value] : stat_map) { + std::cout << "Stat: " << stat_name << " = " << value << std::endl; + } + std::cout << "=============================================" << std::endl; +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsDecrement) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Test updateConnectionStats with increment=false + std::string node_id = "test-node-789"; + std::string cluster_id = "test-cluster-012"; + std::string state_suffix = "connected"; + + // First increment to have something to decrement + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + + // Verify incremented values using cross-worker stat map + auto stat_map = extension_->getCrossWorkerStatMap(); + std::string expected_node_stat = fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + + EXPECT_EQ(stat_map[expected_node_stat], 2); + EXPECT_EQ(stat_map[expected_cluster_stat], 2); + + // Now decrement + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, false); + + // Get updated stats after decrement + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map[expected_node_stat], 1); + EXPECT_EQ(stat_map[expected_cluster_stat], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsMultipleStates) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Test updateConnectionStats with multiple different states + std::string node_id = "test-node-multi"; + std::string cluster_id = "test-cluster-multi"; + + // Create stats for different states + extension_->updateConnectionStats(node_id, cluster_id, "connecting", true); + extension_->updateConnectionStats(node_id, cluster_id, "connected", true); + extension_->updateConnectionStats(node_id, cluster_id, "failed", true); + + // Verify all states have separate gauges using cross-worker stat map + auto stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connecting", node_id)], 1); + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connected", node_id)], 1); + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.failed", node_id)], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsEmptyValues) { + // Test updateConnectionStats with empty values - should not update stats + auto& stats_store = extension_->getStatsScope(); + + // Empty host_id - should not create/update stats + extension_->updateConnectionStats("", "test-cluster", "connecting", true); + auto& empty_host_gauge = stats_store.gaugeFromString( + "reverse_connections.host..connecting", Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_host_gauge.value(), 0); + + // Empty cluster_id - should not create/update stats + extension_->updateConnectionStats("test-host", "", "connecting", true); + auto& empty_cluster_gauge = stats_store.gaugeFromString( + "reverse_connections.cluster..connecting", Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_cluster_gauge.value(), 0); + + // Empty state_suffix - should not create/update stats + extension_->updateConnectionStats("test-host", "test-cluster", "", true); + auto& empty_state_gauge = stats_store.gaugeFromString( + "reverse_connections.host.test-host.", Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_state_gauge.value(), 0); +} + +// Test per-worker stats aggregation for one thread only (test thread) +TEST_F(ReverseTunnelInitiatorExtensionTest, GetPerWorkerStatMapSingleThread) { + // Set up thread local slot first + setupThreadLocalSlot(); + + // Update per-worker stats for the current (test) thread + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", true); + extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); + extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); + + // Get the per-worker stat map + auto stat_map = extension_->getPerWorkerStatMap(); + + // Verify the stats are collected correctly for worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host2.connected"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2.connected"], 2); + + // Verify that only worker_0 stats are included + for (const auto& [stat_name, value] : stat_map) { + EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); + } +} + +// Test cross-thread stat map functions using multiple dispatchers +TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0 + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment twice + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + + // Temporarily switch the thread local registry to simulate updates from worker_1 + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1 + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "failed", true); // New host from worker_1 + + // Restore the original registry + thread_local_registry_ = original_registry; + + // Get the cross-worker stat map + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Verify that cross-worker stats are collected correctly across multiple dispatchers + // host1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 3); + // host2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 1); + // host3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); + + // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 3); + // cluster2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 1); + // cluster3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again + // with the same names increments the existing gauges (not creates new ones) + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment again + extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 + + // Get stats again to verify the same gauges were updated + stat_map = extension_->getCrossWorkerStatMap(); + + // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); // unchanged + + // Test per-worker decrement operations to cover the per-worker decrement code paths + // First, test decrements from worker_0 context + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", false); // Decrement from worker_0 + + // Get per-worker stats to verify decrements worked correctly for worker_0 + auto per_worker_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_0 stats were decremented correctly + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 3); // 4 - 1 + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 3); // 4 - 1 + + // Now test decrements from worker_1 context + thread_local_registry_ = another_thread_local_registry_; + + // Decrement some stats from worker_1 + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", false); // Decrement from worker_1 + extension_->updatePerWorkerConnectionStats("host3", "cluster3", "failed", false); // Decrement host3 to 0 + + // Get per-worker stats from worker_1 context + auto worker1_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_1 stats were decremented correctly + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host1.connecting"], 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1.connecting"], 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host3.failed"], 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3.failed"], 0); // 1 - 1 + + // Restore original registry + thread_local_registry_ = original_registry; +} + +// Test getConnectionStatsSync using multiple dispatchers +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0 + extension_->updateConnectionStats("host1", "cluster1", "connected", true); + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment twice + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + + // Simulate stats updates from worker_1 + // Temporarily switch the thread local registry to simulate the other dispatcher + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1 + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "connected", true); // New host from worker_1 + + // Restore the original registry + thread_local_registry_ = original_registry; + + // Get connection stats synchronously + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [connected_nodes, accepted_connections] = result; + + // Verify the result contains the expected data + EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); + + // Verify that we have the expected host and cluster data + // host1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") != + connected_nodes.end()); + // host2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != + connected_nodes.end()); + // host3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") != + connected_nodes.end()); + + // cluster1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != + accepted_connections.end()); + // cluster2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + // cluster3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != + accepted_connections.end()); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again + // with the same names updates the existing gauges and the sync result reflects this + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment again + extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 + + // Get connection stats again to verify the updated values + result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [updated_connected_nodes, updated_accepted_connections] = result; + + // Verify that host2 is no longer present (gauge value is 0) + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host2") == + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster2") == updated_accepted_connections.end()); + + // Verify that host1 and host3 are still present + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host1") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host3") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster1") != updated_accepted_connections.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster3") != updated_accepted_connections.end()); +} + +// Test getConnectionStatsSync with timeouts +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncTimeout) { + // Test with a very short timeout to verify timeout behavior + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); + + // With no connections and short timeout, should return empty results + auto& [connected_nodes, accepted_connections] = result; + EXPECT_TRUE(connected_nodes.empty()); + EXPECT_TRUE(accepted_connections.empty()); +} + +// Test getConnectionStatsSync filters only "connected" state +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncFiltersConnectedState) { + // Set up thread local slot + setupThreadLocalSlot(); + + // Add connections with different states + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + extension_->updateConnectionStats("host3", "cluster3", "failed", true); + extension_->updateConnectionStats("host4", "cluster4", "connected", true); + + // Get connection stats synchronously + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [connected_nodes, accepted_connections] = result; + + // Should only include hosts/clusters with "connected" state + EXPECT_EQ(connected_nodes.size(), 2); + EXPECT_EQ(accepted_connections.size(), 2); + + // Verify only connected hosts are included + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host4") != + connected_nodes.end()); + + // Verify connecting and failed hosts are NOT included + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") == + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") == + connected_nodes.end()); + + // Verify only connected clusters are included + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster4") != + accepted_connections.end()); + + // Verify connecting and failed clusters are NOT included + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") == + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") == + accepted_connections.end()); +} + +// ReverseTunnelInitiator Test Class + +class ReverseTunnelInitiatorTest : public testing::Test { +protected: + ReverseTunnelInitiatorTest() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = + std::make_unique(context_, config_); + } + + // Thread Local Setup Helpers + + // Helper function to set up thread local slot for tests + void setupThreadLocalSlot() { + // First, call onServerInitialized to set up the extension reference properly + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Set the extension reference in the socket interface + socket_interface_->extension_ = extension_.get(); + } + + // Test Data Setup Helpers + + // Helper to create a test address + Network::Address::InstanceConstSharedPtr createTestAddress(const std::string& ip = "127.0.0.1", + uint32_t port = 8080) { + return Network::Utility::parseInternetAddressNoThrow(ip, port); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Real thread local slot and registry + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; +}; + +TEST_F(ReverseTunnelInitiatorTest, CreateBootstrapExtension) { + // Test createBootstrapExtension function + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config; + + auto extension = socket_interface_->createBootstrapExtension(config, context_); + EXPECT_NE(extension, nullptr); + + // Verify extension is stored in socket interface + EXPECT_NE(socket_interface_->getExtension(), nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateEmptyConfigProto) { + // Test createEmptyConfigProto function + auto config = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(config, nullptr); + + // Should be able to cast to the correct type + auto* typed_config = dynamic_cast< + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface*>(config.get()); + EXPECT_NE(typed_config, nullptr); +} + +// TODO: Add socket() function unit tests when the implementation is complete +// TEST_F(ReverseTunnelInitiatorTest, SocketTypeAndAddressBasic) { +// // Test basic socket creation without reverse connection config +// Network::SocketCreationOptions options; +// +// auto io_handle = socket_interface_->socket( +// Network::Socket::Type::Stream, +// Network::Address::Type::Ip, +// Network::Address::IpVersion::v4, +// false, +// options); +// +// EXPECT_NE(io_handle, nullptr); +// +// // Should be a regular IoSocketHandleImpl, not ReverseConnectionIOHandle +// EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); +// } + +// TEST_F(ReverseTunnelInitiatorTest, SocketWithRegularAddress) { +// // Test socket creation with regular address (non-reverse connection) +// auto address = createTestAddress(); +// Network::SocketCreationOptions options; +// +// auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); +// EXPECT_NE(io_handle, nullptr); +// +// // Should be a regular socket, not reverse connection socket +// EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); +// } + +TEST_F(ReverseTunnelInitiatorTest, IpFamilySupported) { + // Test IP family support + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); +} + +TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryNoExtension) { + // Test getLocalRegistry when extension is not set + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { + // Test getLocalRegistry when extension is set + setupThreadLocalSlot(); + + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); +} + +TEST_F(ReverseTunnelInitiatorTest, FactoryName) { + // Test factory name (implied through socket interface) + EXPECT_EQ(socket_interface_->name(), + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); +} + +// Configuration validation tests +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + + ConfigValidationTest() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + } +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + // Test that valid configuration gets accepted + ReverseTunnelInitiator initiator(context_); + + // Should not throw when creating bootstrap extension + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyConfiguration) { + // Test that empty configuration still works + ReverseTunnelInitiator initiator(context_); + + // Should not throw with empty config + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + // Test that empty stat_prefix still works with default + ReverseTunnelInitiator initiator(context_); + + // Should not throw and should use default prefix + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +// ReverseConnectionIOHandle Test Class + +class ReverseConnectionIOHandleTest : public testing::Test { +protected: + ReverseConnectionIOHandleTest() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = + std::make_unique(context_, config_); + + // Set up mock dispatcher with default expectations + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + } + + void TearDown() override { + io_handle_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper to create a ReverseConnectionIOHandle with specified configuration + std::unique_ptr createTestIOHandle(const ReverseConnectionSocketConfig& config) { + // Create a test socket file descriptor + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + + // Create the IO handle + return std::make_unique(test_fd, config, cluster_manager_, + extension_.get(), *stats_scope_); + } + + // Helper to create a default test configuration + ReverseConnectionSocketConfig createDefaultTestConfig() { + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.enable_circuit_breaker = true; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + return config; + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr io_handle_; + + // Mock cluster manager + NiceMock cluster_manager_; + + // Thread local components for testing + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + std::unique_ptr> another_tls_slot_; + std::shared_ptr another_thread_local_registry_; + + // Thread Local Setup Helpers + + // Helper function to set up thread local slot for tests + void setupThreadLocalSlot() { + // Create a thread local registry + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + // Multi-Thread Local Setup Helpers + + void setupAnotherThreadLocalSlot() { + // Create a thread local registry for the other dispatcher + another_thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot + another_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + another_tls_slot_->set([registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method + extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); + } + + // Trigger Pipe Management Helpers + + bool isTriggerPipeReady() const { + return io_handle_->isTriggerPipeReady(); + } + + void createTriggerPipe() { + io_handle_->createTriggerPipe(); + } + + int getTriggerPipeReadFd() const { + return io_handle_->trigger_pipe_read_fd_; + } + + int getTriggerPipeWriteFd() const { + return io_handle_->trigger_pipe_write_fd_; + } + + // Connection Management Helpers + + bool initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host) { + return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); + } + + void maintainReverseConnections() { + io_handle_->maintainReverseConnections(); + } + + void maintainClusterConnections(const std::string& cluster_name, + const RemoteClusterConnectionConfig& cluster_config) { + io_handle_->maintainClusterConnections(cluster_name, cluster_config); + } + + // Host Management Helpers + + void maybeUpdateHostsMappingsAndConnections(const std::string& cluster_id, + const std::vector& hosts) { + io_handle_->maybeUpdateHostsMappingsAndConnections(cluster_id, hosts); + } + + bool shouldAttemptConnectionToHost(const std::string& host_address, const std::string& cluster_name) { + return io_handle_->shouldAttemptConnectionToHost(host_address, cluster_name); + } + + void trackConnectionFailure(const std::string& host_address, const std::string& cluster_name) { + io_handle_->trackConnectionFailure(host_address, cluster_name); + } + + void resetHostBackoff(const std::string& host_address) { + io_handle_->resetHostBackoff(host_address); + } + + // Data Access Helpers + + const std::unordered_map& getHostToConnInfoMap() const { + return io_handle_->host_to_conn_info_map_; + } + + const ReverseConnectionIOHandle::HostConnectionInfo& getHostConnectionInfo(const std::string& host_address) const { + auto it = io_handle_->host_to_conn_info_map_.find(host_address); + EXPECT_NE(it, io_handle_->host_to_conn_info_map_.end()) << "Host " << host_address << " not found in host_to_conn_info_map_"; + return it->second; + } + + const std::vector>& getConnectionWrappers() const { + return io_handle_->connection_wrappers_; + } + + const std::unordered_map& getConnWrapperToHostMap() const { + return io_handle_->conn_wrapper_to_host_map_; + } + + // Test Data Setup Helpers + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + std::chrono::steady_clock::now(), // last_failure_time + std::chrono::steady_clock::now(), // backoff_until + {} // connection_states + }; + } + + // Helper to create a mock host + Upstream::HostConstSharedPtr createMockHost(const std::string& address) { + auto mock_host = std::make_shared>(); + auto mock_address = std::make_shared(address, 8080); + EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); + return mock_host; + } + + // Helper to access private members for testing + void addWrapperToHostMap(RCConnectionWrapper* wrapper, const std::string& host_address) { + io_handle_->conn_wrapper_to_host_map_[wrapper] = host_address; + } + + void cleanup() { + io_handle_->cleanup(); + } + + void removeStaleHostAndCloseConnections(const std::string& host) { + io_handle_->removeStaleHostAndCloseConnections(host); + } + + // Helper to get the established connections queue size (if accessible) + size_t getEstablishedConnectionsSize() const { + return io_handle_->established_connections_.size(); + } + +}; + +// Test getClusterManager returns correct reference +TEST_F(ReverseConnectionIOHandleTest, GetClusterManager) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Verify that getClusterManager returns the correct reference + EXPECT_EQ(&io_handle_->getClusterManager(), &cluster_manager_); +} + +// Basic setup +TEST_F(ReverseConnectionIOHandleTest, BasicSetup) { + // Test that constructor doesn't crash and creates a valid instance + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Verify the IO handle has a valid file descriptor + EXPECT_GE(io_handle_->fdDoNotUse(), 0); +} + +// listen() is a no-op for the initiator +TEST_F(ReverseConnectionIOHandleTest, ListenNoOp) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Test that listen() returns success (0) with no error + auto result = io_handle_->listen(10); + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +// Test isTriggerPipeReady() behavior +TEST_F(ReverseConnectionIOHandleTest, IsTriggerPipeReady) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready + EXPECT_FALSE(isTriggerPipeReady()); + + // Create the trigger pipe + createTriggerPipe(); + + // Now trigger pipe should be ready + EXPECT_TRUE(isTriggerPipeReady()); + + // Verify the file descriptors are valid + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); +} + +// Test createTriggerPipe() basic pipe creation +TEST_F(ReverseConnectionIOHandleTest, CreateTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready + EXPECT_FALSE(isTriggerPipeReady()); + + // Manually call createTriggerPipe + createTriggerPipe(); + + // Verify that the trigger pipe was created successfully + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); + + // Verify getPipeMonitorFd returns the correct file descriptor + EXPECT_EQ(io_handle_->getPipeMonitorFd(), getTriggerPipeReadFd()); + + // Verify the file descriptors are different + EXPECT_NE(getTriggerPipeReadFd(), getTriggerPipeWriteFd()); +} + +// Test initializeFileEvent() creates trigger pipe +TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventCreatesTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready + EXPECT_FALSE(isTriggerPipeReady()); + + // Mock file event callback + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Call initializeFileEvent - this should create the trigger pipe + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); + + // Verify that the trigger pipe was created successfully + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); + + // Verify getPipeMonitorFd returns the correct file descriptor + EXPECT_EQ(io_handle_->getPipeMonitorFd(), getTriggerPipeReadFd()); +} + +// Test that subsequent calls to initializeFileEvent do not create new pipes +TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventDoesNotCreateNewPipes) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready + EXPECT_FALSE(isTriggerPipeReady()); + + // Mock file event callback + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // First call to initializeFileEvent - should create the trigger pipe + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); + + // Verify that the trigger pipe was created + EXPECT_TRUE(isTriggerPipeReady()); + int first_read_fd = getTriggerPipeReadFd(); + int first_write_fd = getTriggerPipeWriteFd(); + EXPECT_GE(first_read_fd, 0); + EXPECT_GE(first_write_fd, 0); + + // Second call to initializeFileEvent - should NOT create new pipes because is_reverse_conn_started_ is true + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); + + // Verify that the same file descriptors are still used (no new pipes created) + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_EQ(getTriggerPipeReadFd(), first_read_fd); + EXPECT_EQ(getTriggerPipeWriteFd(), first_write_fd); + + // Verify getPipeMonitorFd still returns the correct file descriptor + EXPECT_EQ(io_handle_->getPipeMonitorFd(), first_read_fd); +} + +// Test that we do NOT update stats for the cluster if src_node_id is empty +TEST_F(ReverseConnectionIOHandleTest, EmptySrcNodeIdNoStatsUpdate) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Create config with empty src_node_id + ReverseConnectionSocketConfig empty_node_config; + empty_node_config.src_cluster_id = "test-cluster"; + empty_node_config.src_node_id = ""; // Empty node ID + empty_node_config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + io_handle_ = createTestIOHandle(empty_node_config); + EXPECT_NE(io_handle_, nullptr); + + // Call maintainReverseConnections - should return early due to empty src_node_id + maintainReverseConnections(); + + // Verify that no stats were updated + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); // No stats should be created +} + +// Test that rev_conn_retry_timer_ gets created and enabled upon calling initializeFileEvent +TEST_F(ReverseConnectionIOHandleTest, RetryTimerEnabled) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Mock timer expectations + auto mock_timer = new NiceMock(); + EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); + EXPECT_CALL(*mock_timer, enableTimer(_, _)).Times(1); + + // Mock file event callback + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Call initializeFileEvent - this should create and enable the retry timer + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); +} + +// Test that rev_conn_retry_timer_ is properly managed when reverse connection is started +TEST_F(ReverseConnectionIOHandleTest, RetryTimerWhenReverseConnStarted) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Mock timer expectations + auto mock_timer = new NiceMock(); + EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); + EXPECT_CALL(*mock_timer, enableTimer(_, _)).Times(1); + + // Mock file event callback + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Call initializeFileEvent to create the timer + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); + + // Call initializeFileEvent again to ensure the timer is not created again + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); +} + +// Test that we do not initiate reverse tunnels when thread local cluster is not present +TEST_F(ReverseConnectionIOHandleTest, NoThreadLocalClusterCannotConnect) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up cluster manager to return nullptr for non-existent cluster + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("non-existent-cluster")) + .WillOnce(Return(nullptr)); + + // Call maintainClusterConnections with non-existent cluster + RemoteClusterConnectionConfig cluster_config("non-existent-cluster", 2); + maintainClusterConnections("non-existent-cluster", cluster_config); + + // Verify that CannotConnect gauge was updated for the cluster + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Debug: Print all stats to verify the stat map + std::cout << "\n=== NoThreadLocalClusterCannotConnect Stats ===" << std::endl; + for (const auto& [stat_name, value] : stat_map) { + std::cout << "Stat: " << stat_name << " = " << value << std::endl; + } + std::cout << "===============================================" << std::endl; + + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], 1); +} + +// Test that we do not initiate reverse tunnels when cluster has no hosts +TEST_F(ReverseConnectionIOHandleTest, NoHostsInClusterCannotConnect) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster with empty host map + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("empty-cluster")) + .WillOnce(Return(mock_thread_local_cluster.get())); + + // Set up empty priority set + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Set up empty cross priority host map + auto empty_host_map = std::make_shared(); + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(empty_host_map)); + + // Call maintainClusterConnections with empty cluster + RemoteClusterConnectionConfig cluster_config("empty-cluster", 2); + maintainClusterConnections("empty-cluster", cluster_config); + + // Verify that CannotConnect gauge was updated for the cluster + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.empty-cluster.cannot_connect"], 1); +} + +// Test maybeUpdateHostsMappingsAndConnections with valid hosts +TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsValidHosts) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with some hosts + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections which will create HostConnectionInfo entries and call maybeUpdateHostsMappingsAndConnections + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that hosts were added to the mapping + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 2); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.2"), host_to_conn_info_map.end()); +} + +// Test maybeUpdateHostsMappingsAndConnections with no new hosts +TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsNoNewHosts) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with multiple hosts + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + auto mock_host3 = createMockHost("192.168.1.3"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + (*host_map)["192.168.1.3"] = std::const_pointer_cast(mock_host3); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections which will create HostConnectionInfo entries and call maybeUpdateHostsMappingsAndConnections + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that all three host entries exist after maintainClusterConnections + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 3); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.2"), host_to_conn_info_map.end()); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.3"), host_to_conn_info_map.end()); + + // Now test partial host removal by calling maybeUpdateHostsMappingsAndConnections with fewer hosts + std::vector reduced_host_addresses = {"192.168.1.1", "192.168.1.3"}; + maybeUpdateHostsMappingsAndConnections("test-cluster", reduced_host_addresses); + + // Verify that the removed host was cleaned up but others remain + const auto& updated_host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(updated_host_to_conn_info_map.size(), 2); + EXPECT_NE(updated_host_to_conn_info_map.find("192.168.1.1"), updated_host_to_conn_info_map.end()); + EXPECT_EQ(updated_host_to_conn_info_map.find("192.168.1.2"), updated_host_to_conn_info_map.end()); // Should be removed + EXPECT_NE(updated_host_to_conn_info_map.find("192.168.1.3"), updated_host_to_conn_info_map.end()); +} + +// Test shouldAttemptConnectionToHost with valid host and no existing connections +TEST_F(ReverseConnectionIOHandleTest, ShouldAttemptConnectionToHostValidHost) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections to create HostConnectionInfo entries + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Test with valid host and no existing connections + bool should_attempt = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt); +} + +// Test trackConnectionFailure puts host in backoff +TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailurePutsHostInBackoff) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify host is initially not in backoff + bool should_attempt_before = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt_before); + + // Call trackConnectionFailure to put host in backoff + trackConnectionFailure("192.168.1.1", "test-cluster"); + + // Verify host is now in backoff + bool should_attempt_after = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_FALSE(should_attempt_after); + + // Verify stat gauges - should show backoff state + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + + // Test that trackConnectionFailure returns if host_to_conn_info_map_ does not have an entry + // Call trackConnectionFailure with a host that doesn't exist in host_to_conn_info_map_ + trackConnectionFailure("non-existent-host", "test-cluster"); + + // Verify that no stats were updated since the host doesn't exist + auto stat_map_after_non_existent = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_after_non_existent["test_scope.reverse_connections.host.non-existent-host.backoff"], 0); +} + +// Test resetHostBackoff resets the backoff +TEST_F(ReverseConnectionIOHandleTest, ResetHostBackoff) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify host is initially not in backoff + bool should_attempt_before = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt_before); + + // Call trackConnectionFailure to put host in backoff + trackConnectionFailure("192.168.1.1", "test-cluster"); + + // Verify host is now in backoff + bool should_attempt_after_failure = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_FALSE(should_attempt_after_failure); + + // Verify stat gauges - should show backoff state + auto stat_map_after_failure = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_after_failure["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + + // Call resetHostBackoff to reset the backoff + resetHostBackoff("192.168.1.1"); + + // Verify host is no longer in backoff + bool should_attempt_after_reset = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt_after_reset); + + // Verify stat gauges - should show recovered state + auto stat_map_after_reset = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_after_reset["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); + EXPECT_EQ(stat_map_after_reset["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); +} + +// Test resetHostBackoff returns if host_to_conn_info_map_ does not have an entry +TEST_F(ReverseConnectionIOHandleTest, ResetHostBackoffReturnsIfHostNotFound) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call resetHostBackoff with a host that doesn't exist in host_to_conn_info_map_ + // This should not crash and should return early + resetHostBackoff("non-existent-host"); + + // Verify that no stats were updated since the host doesn't exist + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.non-existent-host.recovered"], 0); +} + +// Test trackConnectionFailure exponential backoff +TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailureExponentialBackoff) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Get initial host info + const auto& host_info_initial = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_initial.failure_count, 0); + + // First failure - should have 1 second backoff (1000ms) + trackConnectionFailure("192.168.1.1", "test-cluster"); + const auto& host_info_1 = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_1.failure_count, 1); + // Verify backoff_until is set to a future time (approximately current_time + 1000ms) + auto now = std::chrono::steady_clock::now(); + auto backoff_duration_1 = host_info_1.backoff_until - now; + // backoff_delay_ms = 1000 * 2^(1-1) = 1000 * 2^0 = 1000 * 1 = 1000ms + auto backoff_ms_1 = std::chrono::duration_cast(backoff_duration_1).count(); + EXPECT_GE(backoff_ms_1, 900); // Should be at least 900ms (allowing for small timing variations) + EXPECT_LE(backoff_ms_1, 1100); // Should be at most 1100ms + + // Second failure - should have 2 second backoff (2000ms) + trackConnectionFailure("192.168.1.1", "test-cluster"); + const auto& host_info_2 = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_2.failure_count, 2); + // backoff_delay_ms = 1000 * 2^(2-1) = 1000 * 2^1 = 1000 * 2 = 2000ms + auto backoff_duration_2 = host_info_2.backoff_until - now; + auto backoff_ms_2 = std::chrono::duration_cast(backoff_duration_2).count(); + EXPECT_GE(backoff_ms_2, 1900); // Should be at least 1900ms + EXPECT_LE(backoff_ms_2, 2100); // Should be at most 2100ms + + // Third failure - should have 4 second backoff (4000ms) + trackConnectionFailure("192.168.1.1", "test-cluster"); + const auto& host_info_3 = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_3.failure_count, 3); + // backoff_delay_ms = 1000 * 2^(3-1) = 1000 * 2^2 = 1000 * 4 = 4000ms + auto backoff_duration_3 = host_info_3.backoff_until - now; + auto backoff_ms_3 = std::chrono::duration_cast(backoff_duration_3).count(); + EXPECT_GE(backoff_ms_3, 3900); // Should be at least 3900ms + EXPECT_LE(backoff_ms_3, 4100); // Should be at most 4100ms + + // Verify that shouldAttemptConnectionToHost returns false during backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); +} + +// Test host mapping and backoff integration +TEST_F(ReverseConnectionIOHandleTest, HostMappingAndBackoffIntegration) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster for cluster-A + auto mock_thread_local_cluster_a = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("cluster-A")) + .WillRepeatedly(Return(mock_thread_local_cluster_a.get())); + + // Set up priority set with hosts for cluster-A + auto mock_priority_set_a = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster_a, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set_a)); + + // Create host map for cluster-A with hosts A1, A2, A3 + auto host_map_a = std::make_shared(); + auto mock_host_a1 = createMockHost("192.168.1.1"); + auto mock_host_a2 = createMockHost("192.168.1.2"); + auto mock_host_a3 = createMockHost("192.168.1.3"); + (*host_map_a)["192.168.1.1"] = std::const_pointer_cast(mock_host_a1); + (*host_map_a)["192.168.1.2"] = std::const_pointer_cast(mock_host_a2); + (*host_map_a)["192.168.1.3"] = std::const_pointer_cast(mock_host_a3); + + EXPECT_CALL(*mock_priority_set_a, crossPriorityHostMap()).WillRepeatedly(Return(host_map_a)); + + // Set up mock thread local cluster for cluster-B + auto mock_thread_local_cluster_b = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("cluster-B")) + .WillRepeatedly(Return(mock_thread_local_cluster_b.get())); + + // Set up priority set with hosts for cluster-B + auto mock_priority_set_b = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster_b, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set_b)); + + // Create host map for cluster-B with hosts B1, B2 + auto host_map_b = std::make_shared(); + auto mock_host_b1 = createMockHost("192.168.2.1"); + auto mock_host_b2 = createMockHost("192.168.2.2"); + (*host_map_b)["192.168.2.1"] = std::const_pointer_cast(mock_host_b1); + (*host_map_b)["192.168.2.2"] = std::const_pointer_cast(mock_host_b2); + + EXPECT_CALL(*mock_priority_set_b, crossPriorityHostMap()).WillRepeatedly(Return(host_map_b)); + + // Step 1: Create initial host mappings for cluster-A + RemoteClusterConnectionConfig cluster_config_a("cluster-A", 2); + maintainClusterConnections("cluster-A", cluster_config_a); + + // Step 2: Create initial host mappings for cluster-B + RemoteClusterConnectionConfig cluster_config_b("cluster-B", 2); + maintainClusterConnections("cluster-B", cluster_config_b); + + // Verify all hosts exist initially + const auto& host_to_conn_info_map_initial = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map_initial.size(), 5); // 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.2.1, 192.168.2.2 + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.1"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.2"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.3"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.2.1"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.2.2"), host_to_conn_info_map_initial.end()); + + // Step 3: Put some hosts in backoff + trackConnectionFailure("192.168.1.1", "cluster-A"); // 192.168.1.1 in backoff + trackConnectionFailure("192.168.2.1", "cluster-B"); // 192.168.2.1 in backoff + // 192.168.1.2, 192.168.1.3, 192.168.2.2 remain normal + + // Verify backoff states + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // In backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // In backoff + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-A")); // Normal + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.3", "cluster-A")); // Normal + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.2.2", "cluster-B")); // Normal + + // Step 4: Update host mappings + // - Move 192.168.1.2 from cluster-A to cluster-B + // - Remove 192.168.1.3 from cluster-A + // - Add new host 192.168.1.4 to cluster-A + maybeUpdateHostsMappingsAndConnections("cluster-A", {"192.168.1.1", "192.168.1.4"}); // 192.168.1.2, 192.168.1.3 removed + maybeUpdateHostsMappingsAndConnections("cluster-B", {"192.168.2.1", "192.168.2.2", "192.168.1.2"}); // 192.168.1.2 added + + // Step 5: Verify backoff states are preserved for existing hosts + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // Still in backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // Still in backoff + + // Step 6: Verify moved host has clean state + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-B")); // Moved, no backoff + + // Step 7: Verify removed host is cleaned up + const auto& host_to_conn_info_map_after = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map_after.find("192.168.1.3"), host_to_conn_info_map_after.end()); // Removed + + // Step 8: Verify stats are updated correctly + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.2.1.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.backoff"], 0); // Reset when moved +} + +// Test initiateOneReverseConnection when connection establishment fails +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionFailure) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Mock tcpConn to return null connection (simulating connection failure) + Upstream::MockHost::MockCreateConnectionData failed_conn_data; + failed_conn_data.connection_ = nullptr; // Connection creation failed + failed_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(failed_conn_data)); + + // Call initiateOneReverseConnection - should fail + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_FALSE(result); + + // Verify that CannotConnect stats are set + // Calculation: 3 increments total + // - 2 increments from maintainClusterConnections (target_connection_count = 2) + // - 1 increment from our direct call to initiateOneReverseConnection + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.cannot_connect"], 3); +} + +// Test initiateOneReverseConnection when connection establishment is successful +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionSuccess) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry using helper method + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Set up mock for successful connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection - should succeed + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify that Connecting stats are set + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); + + // Verify that connection wrapper is added to the map + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + // Verify that wrapper is mapped to the host + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + EXPECT_EQ(wrapper_to_host_map.begin()->second, "192.168.1.1"); +} + +// Test mixed success and failure scenarios for multiple connection attempts +TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with hosts + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + auto mock_host3 = createMockHost("192.168.1.3"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + (*host_map)["192.168.1.3"] = std::const_pointer_cast(mock_host3); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entries for all hosts with target count of 3 + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); // Host 1 + addHostConnectionInfo("192.168.1.2", "test-cluster", 1); // Host 2 + addHostConnectionInfo("192.168.1.3", "test-cluster", 1); // Host 3 + + // Set up connection outcomes in sequence: + // 1. First host: successful connection + // 2. Second host: null connection (failure) + // 3. Third host: successful connection + + auto mock_connection1 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data1; + success_conn_data1.connection_ = mock_connection1.get(); + success_conn_data1.host_description_ = mock_host1; + + Upstream::MockHost::MockCreateConnectionData failed_conn_data; + failed_conn_data.connection_ = nullptr; // Connection creation failed + failed_conn_data.host_description_ = mock_host2; + + auto mock_connection3 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data3; + success_conn_data3.connection_ = mock_connection3.get(); + success_conn_data3.host_description_ = mock_host3; + + // Set up connection attempts with host-specific expectations + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillRepeatedly(testing::Invoke([&](Upstream::LoadBalancerContext* context) { + // Cast to our custom context to get the host address + auto* reverse_context = dynamic_cast(context); + EXPECT_NE(reverse_context, nullptr); + + auto override_host = reverse_context->overrideHostToSelect(); + EXPECT_TRUE(override_host.has_value()); + + std::string host_address = std::string(override_host->first); + + if (host_address == "192.168.1.1") { + return success_conn_data1; // First host: success + } else if (host_address == "192.168.1.2") { + return failed_conn_data; // Second host: failure + } else if (host_address == "192.168.1.3") { + return success_conn_data3; // Third host: success + } else { + // Unexpected host + EXPECT_TRUE(false) << "Unexpected host address: " << host_address; + return failed_conn_data; + } + })); + + mock_connection1.release(); + mock_connection3.release(); + + // Create 1 connection per host + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); + + // Call maintainClusterConnections which will attempt connections to all hosts + maintainClusterConnections("test-cluster", cluster_config); + + // Verify final stats + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Print stats for debugging + std::cout << "=== Mixed Results Stats ===" << std::endl; + for (const auto& [key, value] : stat_map) { + if (key.find("192.168.1") != std::string::npos) { + std::cout << "Stat: " << key << " = " << value << std::endl; + } + } + std::cout << "============================" << std::endl; + + // Verify connecting stats for successful connections + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); // Success + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.3.connecting"], 1); // Success + + // Verify cannot_connect stats for failed connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.cannot_connect"], 1); // Failed + + // Verify cluster-level stats for test-cluster + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 2); // 2 successful connections + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.cannot_connect"], 1); // 1 failed connection + + // Verify that only 2 connection wrappers were created (for successful connections) + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 2); + + // Verify that wrappers are mapped to successful hosts only + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 2); + + // Count hosts in the mapping + std::set mapped_hosts; + for (const auto& [wrapper, host] : wrapper_to_host_map) { + mapped_hosts.insert(host); + } + EXPECT_EQ(mapped_hosts.size(), 2); // Should have 2 successful hosts + EXPECT_NE(mapped_hosts.find("192.168.1.1"), mapped_hosts.end()); // Success + EXPECT_EQ(mapped_hosts.find("192.168.1.2"), mapped_hosts.end()); // Failed - not in map + EXPECT_NE(mapped_hosts.find("192.168.1.3"), mapped_hosts.end()); // Success +} + +// Test removeStaleHostAndCloseConnections removes host and closes connections +TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with multiple hosts + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Set up successful connections for both hosts + auto mock_connection1 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data1; + success_conn_data1.connection_ = mock_connection1.get(); + success_conn_data1.host_description_ = mock_host1; + + auto mock_connection2 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data2; + success_conn_data2.connection_ = mock_connection2.get(); + success_conn_data2.host_description_ = mock_host2; + + // Set up connection attempts with host-specific expectations + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillRepeatedly(testing::Invoke([&](Upstream::LoadBalancerContext* context) { + // Cast to our custom context to get the host address + auto* reverse_context = dynamic_cast(context); + EXPECT_NE(reverse_context, nullptr); + + auto override_host = reverse_context->overrideHostToSelect(); + EXPECT_TRUE(override_host.has_value()); + + std::string host_address = std::string(override_host->first); + + if (host_address == "192.168.1.1") { + return success_conn_data1; // First host: success + } else if (host_address == "192.168.1.2") { + return success_conn_data2; // Second host: success + } else { + // Unexpected host + EXPECT_TRUE(false) << "Unexpected host address: " << host_address; + return success_conn_data1; // Default fallback + } + })); + + mock_connection1.release(); + mock_connection2.release(); + + // First call maintainClusterConnections to create HostConnectionInfo entries and connection wrappers + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify both hosts are initially present + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.1"), getHostToConnInfoMap().end()); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.2"), getHostToConnInfoMap().end()); + + // Verify that connection wrappers were created by maintainClusterConnections + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 2); // One wrapper per host + EXPECT_EQ(getConnWrapperToHostMap().size(), 2); + + // Call removeStaleHostAndCloseConnections to remove host 192.168.1.1 + removeStaleHostAndCloseConnections("192.168.1.1"); + + // Verify that host 192.168.1.1 is still in host_to_conn_info_map_ (removeStaleHostAndCloseConnections doesn't remove it) + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.1"), getHostToConnInfoMap().end()); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.2"), getHostToConnInfoMap().end()); + + // Verify that connection wrappers for the removed host are removed + EXPECT_EQ(getConnectionWrappers().size(), 1); // Only host 192.168.1.2's wrapper remains + EXPECT_EQ(getConnWrapperToHostMap().size(), 1); // Only host 192.168.1.2's mapping remains + + // Verify that host 192.168.1.2's wrapper is still present and unaffected + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + EXPECT_EQ(wrapper_to_host_map.begin()->second, "192.168.1.2"); // Only 192.168.1.2 should remain +} + +// Test read() method - should delegate to base class +TEST_F(ReverseConnectionIOHandleTest, ReadMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a buffer to read into + Buffer::OwnedImpl buffer; + + // Call read() - should delegate to base class implementation + auto result = io_handle_->read(buffer, absl::optional(100)); + + // Should return a valid result + EXPECT_NE(result.err_, nullptr); +} + +// Test write() method - should delegate to base class +TEST_F(ReverseConnectionIOHandleTest, WriteMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a buffer to write from + Buffer::OwnedImpl buffer; + buffer.add("test data"); + + // Call write() - should delegate to base class implementation + auto result = io_handle_->write(buffer); + + // Should return a valid result + EXPECT_NE(result.err_, nullptr); +} + +// Test connect() method - should delegate to base class +TEST_F(ReverseConnectionIOHandleTest, ConnectMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock address + auto address = std::make_shared("127.0.0.1", 8080); + + // Call connect() - should delegate to base class implementation + auto result = io_handle_->connect(address); + + // Should return a valid result + EXPECT_NE(result.errno_, 0); // Should fail since we're not actually connecting +} + +// Test onEvent() method - should delegate to base class +TEST_F(ReverseConnectionIOHandleTest, OnEventMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call onEvent() with a mock event - no-op + io_handle_->onEvent(Network::ConnectionEvent::LocalClose); +} + +// onConnectionDone Unit Tests + +// Early returns in onConnectionDone without calling initiateOneReverseConnection +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneEarlyReturns) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Test 1.1: Null wrapper - should return early + io_handle_->onConnectionDone("test error", nullptr, false); + + // Verify no stats were updated + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); + + // Test 1.2: Empty conn_wrapper_to_host_map_ - should return early + // Create a dummy wrapper pointer (we can't easily mock RCConnectionWrapper directly) + RCConnectionWrapper* wrapper_ptr = reinterpret_cast(0x12345678); + + // Verify the map is empty + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 0); + + io_handle_->onConnectionDone("test error", wrapper_ptr, false); + + // Verify no stats were updated + stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); + + // Test 1.3: Empty host_to_conn_info_map_ - should return early after finding wrapper + // First add wrapper to the map but no host info + addWrapperToHostMap(wrapper_ptr, "192.168.1.1"); + + // Verify host info map is empty + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 0); + + io_handle_->onConnectionDone("test error", wrapper_ptr, false); + + // Verify wrapper was removed from map but no stats updated + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); +} + +// Connection success scenario - test stats and wrapper creation and mapping +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneSuccess) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create trigger pipe BEFORE initiating connection to ensure it's ready + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a successful connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Verify initial state - no established connections yet + EXPECT_EQ(getEstablishedConnectionsSize(), 0); + + // Call onConnectionDone to simulate successful connection completion + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); + + // Verify wrapper was removed from tracking (cleanup should happen) + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify that connection was pushed to established_connections_ + EXPECT_EQ(getEstablishedConnectionsSize(), 1); + + // Verify that trigger mechanism was executed + // Read 1 byte from the pipe to verify the trigger was written + char trigger_byte; + int pipe_read_fd = getTriggerPipeReadFd(); + EXPECT_GE(pipe_read_fd, 0); + + ssize_t bytes_read = ::read(pipe_read_fd, &trigger_byte, 1); + EXPECT_EQ(bytes_read, 1) << "Expected to read 1 byte from trigger pipe, got " << bytes_read; + EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " << static_cast(trigger_byte); +} + +// Test 3: Connection failure and recovery scenario +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneFailureAndRecovery) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Step 1: Create initial connection + auto mock_connection1 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data1; + success_conn_data1.connection_ = mock_connection1.get(); + success_conn_data1.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data1)); + + mock_connection1.release(); + + // Call initiateOneReverseConnection to create the wrapper + bool result1 = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result1); + + // Get the wrapper + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Verify host and cluster stats after connection initiation + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); + + // Step 2: Simulate connection failure by calling onConnectionDone with error + io_handle_->onConnectionDone("connection timeout", wrapper_ptr, true); + + // Verify wrapper was removed from tracking maps after failure + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify failure stats - onConnectionDone should have called trackConnectionFailure + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 0); // Should be decremented + + // Verify host is now in backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); + + // Step 3: Create a new connection for recovery + auto mock_connection2 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data2; + success_conn_data2.connection_ = mock_connection2.get(); + success_conn_data2.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data2)); + + mock_connection2.release(); + + // Call initiateOneReverseConnection again for recovery + bool result2 = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result2); + + // Verify new wrapper was created and mapped + const auto& connection_wrappers2 = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers2.size(), 1); + + const auto& wrapper_to_host_map2 = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map2.size(), 1); + + RCConnectionWrapper* wrapper_ptr2 = connection_wrappers2[0].get(); + EXPECT_EQ(wrapper_to_host_map2.at(wrapper_ptr2), "192.168.1.1"); + + // Verify stats after recovery connection initiation + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); // New connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); // New connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); // Recovery recorded + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], 1); // Recovery recorded + + // Step 4: Simulate connection success (recovery) by calling onConnectionDone with success + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr2, false); + + // Verify wrapper was removed from tracking maps after success + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify recovery stats - onConnectionDone should have called resetHostBackoff + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connected"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connected"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], 0); // Reset by initiateOneReverseConnection + + // Verify host is no longer in backoff + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); + + // Verify final state - all maps should be clean + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify host info is still present (should not be removed) + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 1); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); +} + +// Test downstream connection closure and re-initiation +TEST_F(ReverseConnectionIOHandleTest, OnDownstreamConnectionClosedTriggersReInitiation) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create trigger pipe BEFORE initiating connection to ensure it's ready + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Step 1: Create initial connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Verify initial state - no established connections yet + EXPECT_EQ(getEstablishedConnectionsSize(), 0); + + // Step 2: Simulate successful connection completion + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); + + // Verify wrapper was removed from tracking (cleanup should happen) + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify that connection was pushed to established_connections_ + EXPECT_EQ(getEstablishedConnectionsSize(), 1); + + // Verify that trigger mechanism was executed + char trigger_byte; + int pipe_read_fd = getTriggerPipeReadFd(); + EXPECT_GE(pipe_read_fd, 0); + + ssize_t bytes_read = ::read(pipe_read_fd, &trigger_byte, 1); + EXPECT_EQ(bytes_read, 1) << "Expected to read 1 byte from trigger pipe, got " << bytes_read; + EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " << static_cast(trigger_byte); + + // Step 3: Get the actual connection key that was used for tracking + // The connection key should be the local address of the connection + auto host_it = getHostToConnInfoMap().find("192.168.1.1"); + EXPECT_NE(host_it, getHostToConnInfoMap().end()); + + // The connection key should have been added during onConnectionDone + // Let's find what connection key was actually used + std::string connection_key; + if (!host_it->second.connection_keys.empty()) { + connection_key = *host_it->second.connection_keys.begin(); + ENVOY_LOG_MISC(debug, "Found connection key: {}", connection_key); + } else { + // If no connection key was added, use a mock one for testing + connection_key = "192.168.1.1:12345"; + ENVOY_LOG_MISC(debug, "No connection key found, using mock: {}", connection_key); + } + + // Step 4: Simulate downstream connection closure + io_handle_->onDownstreamConnectionClosed(connection_key); + + // Verify connection key is removed from host tracking + host_it = getHostToConnInfoMap().find("192.168.1.1"); + EXPECT_NE(host_it, getHostToConnInfoMap().end()); + EXPECT_EQ(host_it->second.connection_keys.count(connection_key), 0); + + // Step 5: Set up expectation for new connection attempts + auto mock_connection2 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data2; + success_conn_data2.connection_ = mock_connection2.get(); + success_conn_data2.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data2)); + + mock_connection2.release(); + + // Step 6: Trigger maintenance cycle to verify re-initiation + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); + + maintainClusterConnections("test-cluster", cluster_config); + + // Since the connection key was removed, the host should need a new connection + // and initiateOneReverseConnection should be called again + + // Verify that a new wrapper was created + const auto& connection_wrappers2 = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers2.size(), 1); + + const auto& wrapper_to_host_map2 = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map2.size(), 1); + + RCConnectionWrapper* wrapper_ptr2 = connection_wrappers2[0].get(); + EXPECT_EQ(wrapper_to_host_map2.at(wrapper_ptr2), "192.168.1.1"); + + // Verify stats show new connection attempt + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); +} + +// Test ReverseConnectionIOHandle::close() method without trigger pipe +TEST_F(ReverseConnectionIOHandleTest, CloseMethodWithoutTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Verify initial state - trigger pipe not ready + EXPECT_FALSE(isTriggerPipeReady()); + + // Get initial file descriptor (this is the original socket FD) + int initial_fd = io_handle_->fdDoNotUse(); + std::cout << "initial_fd: " << initial_fd << std::endl; + EXPECT_GE(initial_fd, 0); + + // Call close() - should close only the original socket FD and delegate to base class + auto result = io_handle_->close(); + + // After close(), the FD should be -1 + EXPECT_EQ(io_handle_->fdDoNotUse(), -1); +} + +// Test ReverseConnectionIOHandle::close() method with trigger pipe +TEST_F(ReverseConnectionIOHandleTest, CloseMethodWithTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Get the original socket FD before creating trigger pipe + int original_socket_fd = io_handle_->fdDoNotUse(); + EXPECT_GE(original_socket_fd, 0); + + // Create trigger pipe and initialize file event to set up the scenario where fd_ points to trigger pipe + // Mock file event callback + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Initialize file event to ensure the monitored FD is set to the trigger pipe + io_handle_->initializeFileEvent(dispatcher_, mock_callback, + Event::FileTriggerType::Level, Event::FileReadyType::Read); + EXPECT_TRUE(isTriggerPipeReady()); + + // Get the pipe monitor FD (this becomes the monitored fd_ after initializeFileEvent) + int pipe_monitor_fd = getTriggerPipeReadFd(); + EXPECT_GE(pipe_monitor_fd, 0); + EXPECT_NE(original_socket_fd, pipe_monitor_fd); // Should be different FDs + + // Verify that the active FD is now the pipe monitor FD + EXPECT_EQ(io_handle_->fdDoNotUse(), pipe_monitor_fd); + + // Call close() - should: + // 1. Close the original socket FD (original_socket_fd_) + // 2. Let base class close() handle fd_ + + auto result = io_handle_->close(); + std::cout << "result: " << result.return_value_ << std::endl; + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(io_handle_->fdDoNotUse(), -1); +} + +// Test ReverseConnectionIOHandle::cleanup() method +TEST_F(ReverseConnectionIOHandleTest, CleanupMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up initial state with trigger pipe + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); + + // Add some host connection info + addHostConnectionInfo("192.168.1.1", "test-cluster", 2); + addHostConnectionInfo("192.168.1.2", "test-cluster", 1); + + // Verify initial state + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + EXPECT_TRUE(isTriggerPipeReady()); + + // Call cleanup() - should reset all resources + cleanup(); + + // Verify that trigger pipe FDs are reset to -1 + EXPECT_FALSE(isTriggerPipeReady()); + EXPECT_EQ(getTriggerPipeReadFd(), -1); + EXPECT_EQ(getTriggerPipeWriteFd(), -1); + + // Verify that host connection info is cleared + EXPECT_EQ(getHostToConnInfoMap().size(), 0); + + // Verify that connection wrappers are cleared + EXPECT_EQ(getConnectionWrappers().size(), 0); + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + + // Verify that the base class fd_ is still valid (cleanup doesn't close the main socket) + EXPECT_GE(io_handle_->fdDoNotUse(), 0); +} + +// ============================================================================ +// RCConnectionWrapper Tests +// ============================================================================ + +class RCConnectionWrapperTest : public testing::Test { +protected: + void SetUp() override { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + extension_ = std::make_unique(context_, config_); + setupThreadLocalSlot(); + io_handle_ = createTestIOHandle(createDefaultTestConfig()); + } + + void TearDown() override { + io_handle_.reset(); + extension_.reset(); + } + + void setupThreadLocalSlot() { + thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + ReverseConnectionSocketConfig createDefaultTestConfig() { + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.enable_circuit_breaker = true; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + return config; + } + + std::unique_ptr createTestIOHandle(const ReverseConnectionSocketConfig& config) { + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + return std::make_unique( + test_fd, config, cluster_manager_, extension_.get(), *stats_scope_); + } + + // Test fixtures + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface config_; + std::unique_ptr extension_; + std::unique_ptr io_handle_; + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; +}; + +// Test RCConnectionWrapper::connect() method with HTTP/1.1 handshake success +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { + // Create a mock connection + auto mock_connection = std::make_unique>(); + + // Set up connection expectations + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)).Times(1); + EXPECT_CALL(*mock_connection, addReadFilter(_)).Times(1); + EXPECT_CALL(*mock_connection, connect()).Times(1); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + + // Set up socket expectations for address info + auto mock_address = std::make_shared("192.168.1.1", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations directly on the mock connection + EXPECT_CALL(*mock_connection, connectionInfoProvider()).WillRepeatedly(Invoke([mock_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Capture the written buffer to verify HTTP POST content + Buffer::OwnedImpl captured_buffer; + EXPECT_CALL(*mock_connection, write(_, _)) + .WillOnce(Invoke([&captured_buffer](Buffer::Instance& buffer, bool) { + captured_buffer.add(buffer); + })); + + // Create a mock host + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Debug: Check if gRPC config is available + const auto* grpc_config = io_handle_->getGrpcConfig(); + if (grpc_config != nullptr) { + std::cout << "DEBUG: gRPC config is available, will use gRPC handshake" << std::endl; + } else { + std::cout << "DEBUG: gRPC config is null, will use HTTP handshake" << std::endl; + } + + // Call connect() method + std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + + // Verify connect() returns the local address + EXPECT_EQ(result, "127.0.0.1:12345"); + + // Verify the HTTP POST request content + std::string written_data = captured_buffer.toString(); + + // Check HTTP headers + EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); + EXPECT_THAT(written_data, testing::HasSubstr("Host: 192.168.1.1:8080")); + EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); + EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); + + // Check that the body contains the protobuf serialized data + // The protobuf should contain tenant_uuid, cluster_uuid, and node_uuid + EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers + + // Extract the body (everything after the double CRLF) + size_t body_start = written_data.find("\r\n\r\n"); + EXPECT_NE(body_start, std::string::npos); + std::string body = written_data.substr(body_start + 4); + EXPECT_FALSE(body.empty()); + + // Verify the protobuf content by deserializing it + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + bool parse_success = arg.ParseFromString(body); + EXPECT_TRUE(parse_success); + EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); + EXPECT_EQ(arg.cluster_uuid(), "test-cluster"); + EXPECT_EQ(arg.node_uuid(), "test-node"); +} + +// Test RCConnectionWrapper::connect() method with connection write failure +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { + // Create a mock connection that fails to write + auto mock_connection = std::make_unique>(); + + // Set up connection expectations + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)).Times(1); + EXPECT_CALL(*mock_connection, addReadFilter(_)).Times(1); + EXPECT_CALL(*mock_connection, connect()).Times(1); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, write(_, _)) + .WillOnce(Invoke([](Buffer::Instance&, bool) -> void { + throw EnvoyException("Write failed"); + })); + + // Set up socket expectations + auto mock_address = std::make_shared("192.168.1.1", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations directly on the mock connection + EXPECT_CALL(*mock_connection, connectionInfoProvider()).WillRepeatedly(Invoke([mock_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Create a mock host + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method - should handle the write failure gracefully + // The method should not throw but should handle the exception internally + std::string result; + try { + result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + } catch (const EnvoyException& e) { + // The connect() method doesn't handle exceptions, so we expect it to throw + // This is the current behavior - the method should be updated to handle exceptions + EXPECT_STREQ(e.what(), "Write failed"); + return; // Exit test early since exception was thrown + } + + // If no exception was thrown, verify connect() still returns the local address + EXPECT_EQ(result, "127.0.0.1:12345"); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy \ No newline at end of file From 1734fa429e270150507df48c18429adbf4c68d40 Mon Sep 17 00:00:00 2001 From: phlax Date: Sat, 26 Jul 2025 23:56:24 +0100 Subject: [PATCH 094/505] docker/release: Move to distribution directory (#40460) Signed-off-by: Ryan Northey --- .dockerignore | 1 + .github/dependabot.yml | 6 ++++ ci/do_ci.sh | 2 +- ci/docker_rebuild_google-vrp.sh | 4 +-- ci/test_docker_ci.sh | 8 ++--- distribution/docker/BUILD | 7 ++++ {ci => distribution/docker}/Dockerfile-envoy | 2 +- distribution/docker/README.md | 35 +++++++++++++++++++ .../docker}/docker-entrypoint.sh | 0 {ci => distribution/docker}/docker_ci.sh | 2 +- 10 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 distribution/docker/BUILD rename {ci => distribution/docker}/Dockerfile-envoy (98%) create mode 100644 distribution/docker/README.md rename {ci => distribution/docker}/docker-entrypoint.sh (100%) rename {ci => distribution/docker}/docker_ci.sh (99%) diff --git a/.dockerignore b/.dockerignore index 935fd5f24e3f4..5927e0e01954b 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,6 +2,7 @@ !/VERSION.txt !/build_envoy !/ci +!/distribution/docker !/configs/google-vrp !/configs/*yaml !/linux/amd64/release.tar.zst diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3f35da513ec80..5783a8b191b96 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -34,6 +34,12 @@ updates: interval: daily time: "06:00" +- package-ecosystem: "docker" + directory: "/distribution/docker" + schedule: + interval: daily + time: "06:00" + - package-ecosystem: "github-actions" directory: "/" schedule: diff --git a/ci/do_ci.sh b/ci/do_ci.sh index 10eca5ac26b49..f25f4700c0d3f 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -596,7 +596,7 @@ case $CI_TARGET in # then load to Docker (ie local build) export DOCKER_LOAD_IMAGES=1 fi - "${ENVOY_SRCDIR}/ci/docker_ci.sh" + "${ENVOY_SRCDIR}/distribution/docker/docker_ci.sh" ;; dockerhub-publish) diff --git a/ci/docker_rebuild_google-vrp.sh b/ci/docker_rebuild_google-vrp.sh index a65804f876f6f..d5633aeb70441 100755 --- a/ci/docker_rebuild_google-vrp.sh +++ b/ci/docker_rebuild_google-vrp.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Script to rebuild Dockerfile-envoy-google-vrp locally (i.e. not in CI) for development purposes. +# Script to rebuild Dockerfile-envoy google-vrp target locally (i.e. not in CI) for development purposes. # This makes use of the latest envoy:dev base image on Docker Hub as the base and takes an # optional local path for an Envoy binary. When a custom local Envoy binary is used, the script # switches to using ${BASE_DOCKER_IMAGE} for the build, which should be configured to provide @@ -22,7 +22,7 @@ set -e # Don't use the local envoy:dev, but pull from Docker Hub instead, this avoids having to rebuild # this local dep which is fairly stable. BASE_DOCKER_IMAGE="envoyproxy/envoy:dev" -declare -r DOCKER_BUILD_FILE="ci/Dockerfile-envoy" +declare -r DOCKER_BUILD_FILE="distribution/docker/Dockerfile-envoy" DOCKER_CONTEXT=. DOCKER_BUILD_ARGS=( diff --git a/ci/test_docker_ci.sh b/ci/test_docker_ci.sh index cb33828714a23..35b73cce63a69 100755 --- a/ci/test_docker_ci.sh +++ b/ci/test_docker_ci.sh @@ -64,16 +64,16 @@ _test () { if [[ "$DOCKER_CI_TEST_COMMIT" ]]; then echo "COMMIT(${name}): > ${testdata}" - echo " ENVOY_VERSION=${version} ENVOY_DOCKER_IMAGE_DIRECTORY=/non/existent/test/path CI_BRANCH=${branch} DOCKER_CI_DRYRUN=1 ./ci/docker_ci.sh | grep -E \"^>\"" - ./ci/docker_ci.sh | grep -E "^>" > "$testdata" + echo " ENVOY_VERSION=${version} ENVOY_DOCKER_IMAGE_DIRECTORY=/non/existent/test/path CI_BRANCH=${branch} DOCKER_CI_DRYRUN=1 ./distribution/docker/docker_ci.sh | grep -E \"^>\"" + ./distribution/docker/docker_ci.sh | grep -E "^>" > "$testdata" return fi echo "TEST(${name}): <> ${testdata}" - echo " ENVOY_VERSION=${version} ENVOY_DOCKER_IMAGE_DIRECTORY=/non/existent/test/path CI_BRANCH=${branch} DOCKER_CI_DRYRUN=1 ./ci/docker_ci.sh | grep -E \"^>\"" + echo " ENVOY_VERSION=${version} ENVOY_DOCKER_IMAGE_DIRECTORY=/non/existent/test/path CI_BRANCH=${branch} DOCKER_CI_DRYRUN=1 ./distribution/docker/docker_ci.sh | grep -E \"^>\"" generated="$(mktemp)" - ./ci/docker_ci.sh | grep -E "^>" > "$generated" + ./distribution/docker/docker_ci.sh | grep -E "^>" > "$generated" cmp --silent "$testdata" "$generated" || { echo "files are different" >&2 diff --git a/distribution/docker/BUILD b/distribution/docker/BUILD new file mode 100644 index 0000000000000..41a3242f5a569 --- /dev/null +++ b/distribution/docker/BUILD @@ -0,0 +1,7 @@ +licenses(["notice"]) # Apache 2 + +exports_files([ + "Dockerfile-envoy", + "docker-entrypoint.sh", + "docker_ci.sh", +]) diff --git a/ci/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy similarity index 98% rename from ci/Dockerfile-envoy rename to distribution/docker/Dockerfile-envoy index a94f1656e89cc..08070f0a404b5 100644 --- a/ci/Dockerfile-envoy +++ b/distribution/docker/Dockerfile-envoy @@ -5,7 +5,7 @@ ARG ENVOY_VRP_BASE_IMAGE=envoy-base FROM scratch AS binary -COPY ci/docker-entrypoint.sh / +COPY distribution/docker/docker-entrypoint.sh / ADD configs/envoyproxy_io_proxy.yaml /etc/envoy/envoy.yaml # See https://github.com/docker/buildx/issues/510 for why this _must_ be this way ARG TARGETPLATFORM diff --git a/distribution/docker/README.md b/distribution/docker/README.md new file mode 100644 index 0000000000000..6192f8bd038f3 --- /dev/null +++ b/distribution/docker/README.md @@ -0,0 +1,35 @@ +# Envoy Docker Distribution + +This directory contains the Docker build configuration for Envoy container images. + +## Files + +- `Dockerfile-envoy` - Main Dockerfile for building Envoy container images +- `docker_ci.sh` - Script for building and pushing Docker images in CI +- `docker-entrypoint.sh` - Entrypoint script for Envoy containers + +## Usage + +The Docker build is typically invoked through the main CI script: + +```bash +./ci/do_ci.sh docker +``` + +This will build Docker images for multiple platforms and variants including: +- Standard Envoy image +- Debug image +- Contrib image (with additional extensions) +- Distroless image +- Google VRP image +- Tools image + +## Development + +For local development, you can build images directly using the docker_ci.sh script: + +```bash +DOCKER_CI_DRYRUN=1 ./distribution/docker/docker_ci.sh +``` + +This will show what commands would be executed without actually building images. diff --git a/ci/docker-entrypoint.sh b/distribution/docker/docker-entrypoint.sh similarity index 100% rename from ci/docker-entrypoint.sh rename to distribution/docker/docker-entrypoint.sh diff --git a/ci/docker_ci.sh b/distribution/docker/docker_ci.sh similarity index 99% rename from ci/docker_ci.sh rename to distribution/docker/docker_ci.sh index 637ba8b369257..e08ccb6d8d0e4 100755 --- a/ci/docker_ci.sh +++ b/distribution/docker/docker_ci.sh @@ -147,7 +147,7 @@ build_args() { target="${build_type/-debug/}" target="${target/-contrib/}" - printf ' -f ci/Dockerfile-envoy --target %s' "envoy${target}" + printf ' -f distribution/docker/Dockerfile-envoy --target %s' "envoy${target}" if [[ "${build_type}" == *-contrib* ]]; then printf ' --build-arg ENVOY_BINARY=envoy-contrib' From af61c6b2101e8c70281b661d2bd726115ae1da2d Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Sat, 26 Jul 2025 16:54:17 -0700 Subject: [PATCH 095/505] docs: fix H2M filter docs to have proper spacing & breaks (#40450) ## Description This PR have some nits to have proper line breaks and note annotations for the Header-To-Metadata filter docs. **Current:** Screenshot 2025-07-25 at 15 57 34 **After This Change:** Screenshot 2025-07-25 at 17 16 35 --- **Commit Message:** docs: fix H2M filter docs to have proper spacing & breaks **Additional Description:** Some nits to have proper line breaks and note annotations for the Header-To-Metadata filter docs. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- .../v3/header_to_metadata.proto | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto b/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto index a34568c0e57f4..e7bc0b858655e 100644 --- a/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto +++ b/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto @@ -27,6 +27,7 @@ message Config { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.header_to_metadata.v2.Config"; + // Specifies the value type to use in metadata. enum ValueType { STRING = 0; @@ -37,14 +38,18 @@ message Config { PROTOBUF_VALUE = 2; } - // ValueEncode defines the encoding algorithm. + // Specifies the encoding scheme for the value. enum ValueEncode { - // The value is not encoded. + // No encoding is applied. NONE = 0; // The value is encoded in `Base64 `_. - // Note: this is mostly used for STRING and PROTOBUF_VALUE to escape the - // non-ASCII characters in the header. + // + // .. note:: + // + // This is mostly used for ``STRING`` and ``PROTOBUF_VALUE`` to escape the + // non-ASCII characters in the header. + // BASE64 = 1; } @@ -74,7 +79,10 @@ message Config { // // This is only used for :ref:`on_header_present `. // - // Note: if the ``value`` field is non-empty this field should be empty. + // .. note:: + // + // If the ``value`` field is non-empty this field should be empty. + // type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 6 [(udpa.annotations.field_migrate).oneof_promotion = "value_type"]; @@ -106,15 +114,15 @@ message Config { (udpa.annotations.field_migrate).oneof_promotion = "header_cookie_specifier" ]; - // If the header or cookie is present, apply this metadata KeyValuePair. + // If the header or cookie is present, apply this metadata ``KeyValuePair``. // - // If the value in the KeyValuePair is non-empty, it'll be used instead + // If the value in the ``KeyValuePair`` is non-empty, it'll be used instead // of the header or cookie value. KeyValuePair on_header_present = 2 [(udpa.annotations.field_migrate).rename = "on_present"]; - // If the header or cookie is not present, apply this metadata KeyValuePair. + // If the header or cookie is not present, apply this metadata ``KeyValuePair``. // - // The value in the KeyValuePair must be set, since it'll be used in lieu + // The value in the ``KeyValuePair`` must be set, since it'll be used in lieu // of the missing header or cookie value. KeyValuePair on_header_missing = 3 [(udpa.annotations.field_migrate).rename = "on_missing"]; From 27357ee8f7e6fdc894ba449682f6eb56280489f0 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sun, 27 Jul 2025 03:02:59 +0000 Subject: [PATCH 096/505] Remove gRPC handshake Signed-off-by: Basundhara Chakrabarty --- .../reverse_tunnel_initiator.cc | 301 +++++------------- .../reverse_tunnel/reverse_tunnel_initiator.h | 69 +--- .../http/reverse_conn/reverse_conn_filter.cc | 150 +-------- .../http/reverse_conn/reverse_conn_filter.h | 18 +- 4 files changed, 99 insertions(+), 439 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 71d22afde89a1..6ce8fe15bd2cf 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -11,7 +11,6 @@ #include "envoy/registry/registry.h" #include "envoy/upstream/cluster_manager.h" #include "envoy/http/async_client.h" -#include "envoy/grpc/async_client.h" #include "envoy/tracing/tracer.h" #include "source/common/buffer/buffer_impl.h" @@ -24,7 +23,6 @@ #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" -#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" #include "google/protobuf/empty.pb.h" @@ -102,100 +100,18 @@ RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, Netw const std::string& cluster_name) : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), cluster_name_(cluster_name) { - - reverse_tunnel_client_ = nullptr; - const auto* grpc_config = parent.getGrpcConfig(); - if (grpc_config != nullptr) { - ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config available, creating gRPC client"); - reverse_tunnel_client_ = std::make_unique( - parent.getClusterManager(), cluster_name_, *grpc_config, *this); - } else { - ENVOY_LOG(debug, "RCConnectionWrapper: gRPC config not available, using HTTP fallback"); - } + ENVOY_LOG(debug, "RCConnectionWrapper: Using HTTP handshake for reverse connections"); } // RCConnectionWrapper destructor implementation RCConnectionWrapper::~RCConnectionWrapper() { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Starting safe RCConnectionWrapper destruction"); - - // Use atomic flag to prevent recursive destruction - static thread_local std::atomic destruction_in_progress{false}; - bool expected = false; - if (!destruction_in_progress.compare_exchange_strong(expected, true)) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Wrapper destruction already in progress, skipping"); - return; - } - - // RAII guard to ensure flag is reset - struct DestructionGuard { - std::atomic& flag; - DestructionGuard(std::atomic& f) : flag(f) {} - ~DestructionGuard() { flag = false; } - } guard(destruction_in_progress); - - try { - // STEP 1: Cancel gRPC client first to prevent callback access - if (reverse_tunnel_client_) { - try { - reverse_tunnel_client_->cancel(); - reverse_tunnel_client_.reset(); - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client safely canceled"); - } catch (const std::exception& e) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: gRPC client cleanup exception: {}", e.what()); - } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown gRPC client cleanup exception"); - } - } - - // STEP 2: Safely remove connection callbacks - if (connection_) { - try { - // Check if connection is still valid before accessing - auto state = connection_->state(); - - // Only remove callbacks if connection is in valid state - if (state != Network::Connection::State::Closed) { - connection_->removeConnectionCallbacks(*this); - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection callbacks safely removed"); - } - - // Don't call close() here - let Envoy's cleanup handle it - // This prevents double-close and access after free issues - connection_.reset(); - - } catch (const std::exception& e) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection cleanup exception: {}", e.what()); - // Still try to reset the connection pointer to prevent further access - try { - connection_.reset(); - } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); - } - } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Unknown connection cleanup exception"); - try { - connection_.reset(); - } catch (...) { - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: Connection reset failed"); - } - } - } - - ENVOY_LOG(debug, "DEFENSIVE CLEANUP: RCConnectionWrapper destruction completed safely"); - - } catch (const std::exception& e) { - ENVOY_LOG(error, "DEFENSIVE CLEANUP: Top-level wrapper destruction exception: {}", e.what()); - } catch (...) { - ENVOY_LOG(error, "DEFENSIVE CLEANUP: Unknown top-level wrapper destruction exception"); - } + ENVOY_LOG(debug, "RCConnectionWrapper destructor called"); + shutdown(); } // RCConnectionWrapper method implementations void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { - if (event == Network::ConnectionEvent::Connected && !handshake_sent_ && - !handshake_tenant_id_.empty() && reverse_tunnel_client_ == nullptr) { - ENVOY_LOG(error, "RCConnectionWrapper: onEvent() called but handshake_sent_ is false"); - } else if (event == Network::ConnectionEvent::RemoteClose) { + if (event == Network::ConnectionEvent::RemoteClose) { if (!connection_) { ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling"); return; @@ -209,7 +125,7 @@ void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed", connectionId, connectionKey); - // Don't call onFailure() here as it may cause cleanup during event processing + // Don't call shutdown() here as it may cause cleanup during event processing // Instead, just notify parent of closure parent_.onConnectionDone("Connection closed", this, true); } @@ -245,29 +161,17 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: // Check if the status is ACCEPTED if (ret.status() == envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED) { ENVOY_LOG(debug, "Reverse connection accepted by cloud side"); - parent_->onHandshakeSuccess(nullptr); + parent_->onHandshakeSuccess(); return Network::FilterStatus::StopIteration; } else { ENVOY_LOG(error, "Reverse connection rejected: {}", ret.status_message()); - parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::PermissionDenied, - ret.status_message()); + parent_->onHandshakeFailure(ret.status_message()); return Network::FilterStatus::StopIteration; } } else { - ENVOY_LOG(debug, "Could not parse protobuf response, checking for text success indicators"); - - // Fallback: look for success indicators in the response body - if (response_body.find("reverse connection accepted") != std::string::npos || - response_body.find("ACCEPTED") != std::string::npos) { - ENVOY_LOG(debug, "Found success indicator in response body"); - parent_->onHandshakeSuccess(nullptr); - return Network::FilterStatus::StopIteration; - } else { - ENVOY_LOG(error, "No success indicator found in response body"); - parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, - "Unrecognized response format"); - return Network::FilterStatus::StopIteration; - } + ENVOY_LOG(error, "Could not parse protobuf response - invalid response format"); + parent_->onHandshakeFailure("Invalid response format - expected ReverseConnHandshakeRet protobuf"); + return Network::FilterStatus::StopIteration; } } else { ENVOY_LOG(debug, "Response body is empty, waiting for more data"); @@ -280,8 +184,7 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: } else if (data.find("HTTP/1.1 ") != std::string::npos || data.find("HTTP/2 ") != std::string::npos) { // Found HTTP response but not 200 OK - this is an error ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); - parent_->onHandshakeFailure(Grpc::Status::WellKnownGrpcStatus::Internal, - "HTTP handshake failed with non-200 response"); + parent_->onHandshakeFailure("HTTP handshake failed with non-200 response"); return Network::FilterStatus::StopIteration; } else { ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); @@ -298,141 +201,108 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addConnectionCallbacks(*this); connection_->connect(); - if (reverse_tunnel_client_) { - // Use gRPC handshake - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, sending reverse connection creation " - "request through gRPC to cluster: {}", - connection_->id(), cluster_name_); - - ENVOY_LOG(debug, - "RCConnectionWrapper: Creating gRPC EstablishTunnel request with tenant='{}', " - "cluster='{}', node='{}'", - src_tenant_id, src_cluster_id, src_node_id); - - // Create a dummy span for tracing - auto span = std::make_unique(); - - connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); - - // Initiate the gRPC handshake using the actual interface - bool success = reverse_tunnel_client_->initiateHandshake( - src_tenant_id, src_cluster_id, src_node_id, absl::nullopt, *span); + // Use HTTP handshake + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, sending reverse connection creation " + "request through HTTP", + connection_->id()); - if (!success) { - ENVOY_LOG(error, "RCConnectionWrapper: Failed to initiate gRPC handshake"); - onFailure(); - return ""; - } + // Add read filter to handle HTTP response + connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, initiated gRPC EstablishTunnel request", - connection_->id()); + // Use HTTP handshake logic + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + arg.set_tenant_uuid(src_tenant_id); + arg.set_cluster_uuid(src_cluster_id); + arg.set_node_uuid(src_node_id); + ENVOY_LOG(debug, + "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", + src_tenant_id, src_cluster_id, src_node_id); + std::string body = arg.SerializeAsString(); + ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", + body.length(), arg.DebugString()); + std::string host_value; + const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); + if (remote_address->type() == Network::Address::Type::EnvoyInternal) { + const auto& internal_address = + std::dynamic_pointer_cast(remote_address); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is internal " + "listener {}, using endpoint ID in host header", + connection_->id(), internal_address->envoyInternalAddress()->addressId()); + host_value = internal_address->envoyInternalAddress()->endpointId(); } else { - // Fall back to HTTP handshake for now during transition + host_value = remote_address->asString(); ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, sending reverse connection creation " - "request through HTTP (fallback)", + "RCConnectionWrapper: connection: {}, remote address is external, " + "using address as host header", connection_->id()); - - // Add read filter to handle HTTP response - connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); - - // Use existing HTTP handshake logic - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; - arg.set_tenant_uuid(src_tenant_id); - arg.set_cluster_uuid(src_cluster_id); - arg.set_node_uuid(src_node_id); - ENVOY_LOG(debug, - "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", - src_tenant_id, src_cluster_id, src_node_id); - std::string body = arg.SerializeAsString(); - ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", - body.length(), arg.DebugString()); - std::string host_value; - const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); - if (remote_address->type() == Network::Address::Type::EnvoyInternal) { - const auto& internal_address = - std::dynamic_pointer_cast(remote_address); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, remote address is internal " - "listener {}, using endpoint ID in host header", - connection_->id(), internal_address->envoyInternalAddress()->addressId()); - host_value = internal_address->envoyInternalAddress()->endpointId(); - } else { - host_value = remote_address->asString(); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, remote address is external, " - "using address as host header", - connection_->id()); - } - // Build HTTP request with protobuf body. - Buffer::OwnedImpl reverse_connection_request( - fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" - "Host: {}\r\n" - "Accept: */*\r\n" - "Content-length: {}\r\n" - "\r\n{}", - host_value, body.length(), body)); - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, writing request to connection: {}", - connection_->id(), reverse_connection_request.toString()); - // Send reverse connection request over TCP connection. - connection_->write(reverse_connection_request, false); } + // Build HTTP request with protobuf body. + Buffer::OwnedImpl reverse_connection_request( + fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" + "Host: {}\r\n" + "Accept: */*\r\n" + "Content-length: {}\r\n" + "\r\n{}", + host_value, body.length(), body)); + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, writing request to connection: {}", + connection_->id(), reverse_connection_request.toString()); + // Send reverse connection request over TCP connection. + connection_->write(reverse_connection_request, false); return connection_->connectionInfoProvider().localAddress()->asString(); } -void RCConnectionWrapper::onHandshakeSuccess( - std::unique_ptr response) { +void RCConnectionWrapper::onHandshakeSuccess() { std::string message = "reverse connection accepted"; - if (response) { - message = response->status_message(); - } ENVOY_LOG(debug, "handshake succeeded: {}", message); parent_.onConnectionDone(message, this, false); } -void RCConnectionWrapper::onHandshakeFailure(Grpc::Status::GrpcStatus status, - const std::string& message) { - ENVOY_LOG(error, "handshake failed with status {}: {}", static_cast(status), message); +void RCConnectionWrapper::onHandshakeFailure(const std::string& message) { + ENVOY_LOG(error, "handshake failed: {}", message); parent_.onConnectionDone(message, this, false); } -void RCConnectionWrapper::onFailure() { - ENVOY_LOG(debug, - "RCConnectionWrapper::onFailure - initiating graceful shutdown due to failure"); - shutdown(); -} - void RCConnectionWrapper::shutdown() { if (!connection_) { - ENVOY_LOG(debug, "Connection already null."); + ENVOY_LOG(error, "RCConnectionWrapper: Connection already null, nothing to shutdown"); return; } - ENVOY_LOG(debug, "Connection ID: {}, state: {}.", connection_->id(), - static_cast(connection_->state())); + ENVOY_LOG(error, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", + connection_->id(), static_cast(connection_->state())); - // Cancel any ongoing gRPC handshake - if (reverse_tunnel_client_) { - reverse_tunnel_client_->cancel(); + // Remove connection callbacks first to prevent recursive calls during shutdown + try { + auto state = connection_->state(); + if (state != Network::Connection::State::Closed) { + connection_->removeConnectionCallbacks(*this); + ENVOY_LOG(error, "Connection callbacks removed"); + } + } catch (const std::exception& e) { + ENVOY_LOG(error, "Exception removing connection callbacks: {}", e.what()); } - // Remove callbacks first to prevent recursive calls during shutdown - connection_->removeConnectionCallbacks(*this); - - if (connection_->state() == Network::Connection::State::Open) { - ENVOY_LOG(debug, "Closing open connection gracefully."); - connection_->close(Network::ConnectionCloseType::FlushWrite); - } else if (connection_->state() == Network::Connection::State::Closing) { - ENVOY_LOG(debug, "Connection already closing, waiting."); - } else { - ENVOY_LOG(debug, "Connection already closed."); + // Close the connection if it's still open + try { + auto state = connection_->state(); + if (state == Network::Connection::State::Open) { + ENVOY_LOG(error, "Closing open connection gracefully"); + connection_->close(Network::ConnectionCloseType::FlushWrite); + } else if (state == Network::Connection::State::Closing) { + ENVOY_LOG(error, "Connection already closing"); + } else { + ENVOY_LOG(error, "Connection already closed"); + } + } catch (const std::exception& e) { + ENVOY_LOG(error, "Exception closing connection: {}", e.what()); } // Clear the connection pointer to prevent further access connection_.reset(); - ENVOY_LOG(debug, "Completed graceful shutdown."); + ENVOY_LOG(error, "RCConnectionWrapper: Shutdown completed"); } ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, @@ -1706,11 +1576,6 @@ ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, RemoteClusterConnectionConfig cluster_config(config.remote_cluster, config.connection_count); socket_config.remote_clusters.push_back(cluster_config); - // Get gRPC config from extension if available - if (extension_ && extension_->hasGrpcConfig()) { - socket_config.grpc_service_config = extension_->getGrpcConfig(); - } - // Thread-safe: Pass config directly to helper method return createReverseConnectionSocket( socket_type, addr->type(), diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index ae2f5c6c339cc..e0747c9e2d01c 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -25,7 +25,6 @@ #include "source/common/network/socket_interface.h" #include "source/common/upstream/load_balancer_context_base.h" #include "source/extensions/bootstrap/reverse_tunnel/factory_base.h" -#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" #include "absl/container/flat_hash_map.h" #include "absl/container/flat_hash_set.h" @@ -37,13 +36,9 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// Forward declaration for friend class -class ReverseConnectionIOHandleTest; - // Forward declarations. class ReverseTunnelInitiator; class ReverseTunnelInitiatorExtension; -class GrpcReverseTunnelClient; class ReverseConnectionIOHandle; /** @@ -53,8 +48,8 @@ class ReverseConnectionIOHandle; */ class RCConnectionWrapper : public Network::ConnectionCallbacks, public Event::DeferredDeletable, - public ReverseConnection::GrpcReverseTunnelCallbacks, - Logger::Loggable { + public Logger::Loggable { + friend class SimpleConnReadFilterTest; public: /** * Constructor for RCConnectionWrapper. @@ -78,14 +73,8 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, void onAboveWriteBufferHighWatermark() override {} void onBelowWriteBufferLowWatermark() override {} - // ReverseConnection::GrpcReverseTunnelCallbacks overrides - void onHandshakeSuccess( - std::unique_ptr response) - override; - void onHandshakeFailure(Grpc::Status::GrpcStatus status, const std::string& message) override; - /** - * Initiate the reverse connection handshake (gRPC or HTTP fallback). + * Initiate the reverse connection handshake (HTTP only). * @param src_tenant_id the tenant identifier * @param src_cluster_id the cluster identifier * @param src_node_id the node identifier @@ -95,9 +84,15 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, const std::string& src_node_id); /** - * Handle connection failure and initiate graceful shutdown. + * Handle successful handshake completion. + */ + void onHandshakeSuccess(); + + /** + * Handle handshake failure. + * @param message error message */ - void onFailure(); + void onHandshakeFailure(const std::string& message); /** * Perform graceful shutdown of the connection. @@ -138,13 +133,6 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, Network::ClientConnectionPtr connection_; Upstream::HostDescriptionConstSharedPtr host_; const std::string cluster_name_; - std::unique_ptr reverse_tunnel_client_; - - // Handshake data for HTTP fallback - std::string handshake_tenant_id_; - std::string handshake_cluster_id_; - std::string handshake_node_id_; - bool handshake_sent_{false}; }; namespace { @@ -204,15 +192,11 @@ struct ReverseConnectionSocketConfig { uint32_t connection_timeout_ms; // Connection timeout in milliseconds. bool enable_metrics; // Whether to enable metrics collection. bool enable_circuit_breaker; // Whether to enable circuit breaker functionality. - - // gRPC service configuration for reverse tunnel handshake - absl::optional grpc_service_config; - bool enable_legacy_http_handshake; // Whether to enable legacy HTTP handshake ReverseConnectionSocketConfig() : health_check_interval_ms(kDefaultHealthCheckIntervalMs), connection_timeout_ms(kDefaultConnectionTimeoutMs), enable_metrics(true), - enable_circuit_breaker(true), enable_legacy_http_handshake(true) {} + enable_circuit_breaker(true) {} }; /** @@ -223,6 +207,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, public Network::ConnectionCallbacks { friend class ReverseConnectionIOHandleTest; + friend class RCConnectionWrapperTest; public: /** * Constructor for ReverseConnectionIOHandle. @@ -401,17 +386,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ Upstream::ClusterManager& getClusterManager() { return cluster_manager_; } - /** - * Get pointer to the gRPC service configuration if available. - * @return pointer to the gRPC config, nullptr if not available - */ - const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig* getGrpcConfig() const { - if (!config_.grpc_service_config.has_value()) { - return nullptr; - } - return &config_.grpc_service_config.value(); - } - /** * Get pointer to the downstream extension for stats updates. * @return pointer to the extension, nullptr if not available @@ -548,9 +522,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Single retry timer for all clusters Event::TimerPtr rev_conn_retry_timer_; - // gRPC reverse tunnel client for handshake operations - std::unique_ptr reverse_tunnel_client_; - bool is_reverse_conn_started_{false}; // Whether reverse connections have been started on worker thread Event::Dispatcher* worker_dispatcher_{nullptr}; // Dispatcher for the worker thread @@ -693,20 +664,6 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, */ DownstreamSocketThreadLocal* getLocalRegistry() const; - /** - * @return true if gRPC service config is available in the configuration - */ - bool hasGrpcConfig() const { - return config_.has_grpc_service_config(); - } - - /** - * @return reference to the gRPC service config - */ - const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& getGrpcConfig() const { - return config_.grpc_service_config(); - } - /** * Update connection stats for reverse connections. * @param node_id the node identifier for the connection diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index a12148e3885a4..9a261749611b7 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -23,8 +23,6 @@ namespace ReverseConn { const std::string ReverseConnFilter::reverse_connections_path = "/reverse_connections"; const std::string ReverseConnFilter::reverse_connections_request_path = "/reverse_connections/request"; -const std::string ReverseConnFilter::grpc_service_path = - "/envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService/EstablishTunnel"; const std::string ReverseConnFilter::node_id_param = "node_id"; const std::string ReverseConnFilter::cluster_id_param = "cluster_id"; const std::string ReverseConnFilter::tenant_id_param = "tenant_id"; @@ -339,25 +337,6 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, Http::FilterHeadersStatus ReverseConnFilter::decodeHeaders(Http::RequestHeaderMap& request_headers, bool) { - // Check for gRPC reverse tunnel requests first - if (isGrpcReverseTunnelRequest(request_headers)) { - ENVOY_STREAM_LOG(info, "Handling gRPC reverse tunnel handshake request", *decoder_callbacks_); - request_headers_ = &request_headers; - is_accept_request_ = true; // Reuse this flag for gRPC requests - - // Read content length for gRPC request - const auto content_length_header = request_headers.getContentLengthValue(); - if (!content_length_header.empty()) { - expected_proto_size_ = static_cast(std::stoi(std::string(content_length_header))); - ENVOY_STREAM_LOG(info, "Expecting gRPC request with {} bytes", *decoder_callbacks_, - expected_proto_size_); - } else { - expected_proto_size_ = 0; // Will handle streaming - } - - return Http::FilterHeadersStatus::StopIteration; - } - // check that request path starts with "/reverse_connections" const absl::string_view request_path = request_headers.Path()->value().getStringView(); const bool should_intercept_request = @@ -398,18 +377,6 @@ bool ReverseConnFilter::matchRequestPath(const absl::string_view& request_path, return false; } -bool ReverseConnFilter::isGrpcReverseTunnelRequest(const Http::RequestHeaderMap& headers) { - // Check for gRPC content type - const auto content_type = headers.getContentTypeValue(); - if (content_type != "application/grpc") { - return false; - } - - // Check for gRPC reverse tunnel service path - const absl::string_view request_path = headers.Path()->value().getStringView(); - return request_path == grpc_service_path; -} - void ReverseConnFilter::saveDownstreamConnection(Network::Connection& downstream_connection, const std::string& node_id, const std::string& cluster_id) { @@ -467,128 +434,13 @@ Http::FilterDataStatus ReverseConnFilter::decodeData(Buffer::Instance& data, boo *decoder_callbacks_, expected_proto_size_, accept_rev_conn_proto_.length()); return Http::FilterDataStatus::StopIterationAndBuffer; } else { - // Check if this is a gRPC request by examining headers - if (isGrpcReverseTunnelRequest(*request_headers_)) { - return processGrpcRequest(); - } else { - return acceptReverseConnection(); - } + return acceptReverseConnection(); } } return Http::FilterDataStatus::Continue; } -Http::FilterDataStatus ReverseConnFilter::processGrpcRequest() { - ENVOY_STREAM_LOG(info, "Processing gRPC request body with {} bytes", *decoder_callbacks_, - accept_rev_conn_proto_.length()); - - decoder_callbacks_->setReverseConnForceLocalReply(true); - - try { - // Parse gRPC request from buffer - envoy::service::reverse_tunnel::v3::EstablishTunnelRequest grpc_request; - const std::string request_body = accept_rev_conn_proto_.toString(); - - // For gRPC over HTTP/2, we need to handle the gRPC frame format - // Skip the first 5 bytes (compression flag + message length) - if (request_body.length() >= 5) { - const std::string grpc_message = request_body.substr(5); - if (!grpc_request.ParseFromString(grpc_message)) { - ENVOY_STREAM_LOG(error, "Failed to parse gRPC request from body", *decoder_callbacks_); - decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, "Invalid gRPC request format", - nullptr, absl::nullopt, ""); - decoder_callbacks_->setReverseConnForceLocalReply(false); - return Http::FilterDataStatus::StopIterationNoBuffer; - } - } else { - ENVOY_STREAM_LOG(error, "gRPC request too short: {} bytes", *decoder_callbacks_, - request_body.length()); - decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, "gRPC request too short", nullptr, - absl::nullopt, ""); - decoder_callbacks_->setReverseConnForceLocalReply(false); - return Http::FilterDataStatus::StopIterationNoBuffer; - } - - ENVOY_STREAM_LOG(debug, "Parsed gRPC request: {}", *decoder_callbacks_, - grpc_request.DebugString()); - - // Process the gRPC request directly (without standalone service) - envoy::service::reverse_tunnel::v3::EstablishTunnelResponse grpc_response; - - // Validate the request - const auto& initiator = grpc_request.initiator(); - if (initiator.node_id().empty() || initiator.cluster_id().empty()) { - grpc_response.set_status(envoy::service::reverse_tunnel::v3::TunnelStatus::REJECTED); - grpc_response.set_status_message("Missing required initiator fields"); - } else { - // Accept the tunnel request - grpc_response.set_status(envoy::service::reverse_tunnel::v3::TunnelStatus::ACCEPTED); - grpc_response.set_status_message("Tunnel established successfully"); - - ENVOY_STREAM_LOG(info, "Accepting gRPC reverse tunnel for node='{}', cluster='{}'", - *decoder_callbacks_, initiator.node_id(), initiator.cluster_id()); - } - - ENVOY_STREAM_LOG(info, "gRPC EstablishTunnel processed: {}", *decoder_callbacks_, - grpc_response.DebugString()); - - // Send gRPC response - sendGrpcResponse(grpc_response); - - // Handle connection acceptance if successful - if (grpc_response.status() == envoy::service::reverse_tunnel::v3::TunnelStatus::ACCEPTED) { - Network::Connection* connection = - &const_cast(*decoder_callbacks_->connection()); - - ENVOY_STREAM_LOG(info, "Saving downstream connection for gRPC request", *decoder_callbacks_); - - connection->setSocketReused(true); - ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", - *decoder_callbacks_, initiator.node_id(), initiator.cluster_id()); - saveDownstreamConnection(*connection, initiator.node_id(), initiator.cluster_id()); - connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn_grpc"); - } - - decoder_callbacks_->setReverseConnForceLocalReply(false); - return Http::FilterDataStatus::StopIterationNoBuffer; - - } catch (const std::exception& e) { - ENVOY_STREAM_LOG(error, "Exception processing gRPC request: {}", *decoder_callbacks_, e.what()); - decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, "Internal server error", - nullptr, absl::nullopt, ""); - decoder_callbacks_->setReverseConnForceLocalReply(false); - return Http::FilterDataStatus::StopIterationNoBuffer; - } -} - -void ReverseConnFilter::sendGrpcResponse( - const envoy::service::reverse_tunnel::v3::EstablishTunnelResponse& response) { - // Serialize the gRPC response - std::string response_body = response.SerializeAsString(); - - // Add gRPC frame header (compression flag + message length) - std::string grpc_frame; - grpc_frame.reserve(5 + response_body.size()); - grpc_frame.append(1, 0); // No compression - - // Message length in big-endian format - uint32_t msg_len = htonl(response_body.size()); - grpc_frame.append(reinterpret_cast(&msg_len), 4); - grpc_frame.append(response_body); - ENVOY_STREAM_LOG(info, "Sending gRPC response: {} total bytes", *decoder_callbacks_, - grpc_frame.size()); - - // Send gRPC response with proper headers - decoder_callbacks_->sendLocalReply( - Http::Code::OK, grpc_frame, - [](Http::ResponseHeaderMap& headers) { - headers.setContentType("application/grpc"); - headers.addCopy(Http::LowerCaseString("grpc-status"), "0"); // OK - headers.addCopy(Http::LowerCaseString("grpc-message"), ""); - }, - absl::nullopt, ""); -} Http::FilterTrailersStatus ReverseConnFilter::decodeTrailers(Http::RequestTrailerMap&) { return Http::FilterTrailersStatus::Continue; diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 9192834c98ac0..40730dcca49a6 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -15,9 +15,6 @@ #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" -// Add gRPC support -#include "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.pb.h" - #include "absl/types/optional.h" namespace Envoy { @@ -58,9 +55,8 @@ static const char CRLF[] = "\r\n"; static const char DOUBLE_CRLF[] = "\r\n\r\n"; /** - * Enhanced reverse connection filter with gRPC support. - * This filter handles both legacy HTTP requests and modern gRPC requests for reverse tunnel - * handshakes. + * Reverse connection filter for HTTP handshake processing. + * This filter handles HTTP requests for reverse tunnel handshakes. */ class ReverseConnFilter : Logger::Loggable, public Http::StreamDecoderFilter { public: @@ -79,7 +75,6 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str static const std::string reverse_connections_path; static const std::string reverse_connections_request_path; - static const std::string grpc_service_path; // Add gRPC service path static const std::string stats_path; static const std::string tenant_path; static const std::string node_id_param; @@ -89,15 +84,6 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str static const std::string rc_accepted_response; private: - // Check if request is a gRPC reverse tunnel request - bool isGrpcReverseTunnelRequest(const Http::RequestHeaderMap& headers); - - // Process gRPC request body and handle the tunnel establishment - Http::FilterDataStatus processGrpcRequest(); - - // Send gRPC response with proper framing and headers - void - sendGrpcResponse(const envoy::service::reverse_tunnel::v3::EstablishTunnelResponse& response); void saveDownstreamConnection(Network::Connection& downstream_connection, const std::string& node_id, const std::string& cluster_id); From c44d174f0e6ea94613d612070ee66b4cbabdb73b Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sun, 27 Jul 2025 06:02:21 +0000 Subject: [PATCH 097/505] some fixes and cleanup Signed-off-by: Basundhara Chakrabarty --- source/common/network/connection_impl.cc | 1 + .../reverse_connection_resolver.h | 3 +++ .../reverse_tunnel_initiator.cc | 7 ++++++ .../http/reverse_conn/reverse_conn_filter.cc | 24 ++++++++++++------- .../http/reverse_conn/reverse_conn_filter.h | 14 ++++++++++- 5 files changed, 40 insertions(+), 9 deletions(-) diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index 1666d03f49003..ccf8dba0358f4 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -403,6 +403,7 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { ENVOY_CONN_LOG(trace, "closeSocket: socket_->close() completed", *this); } else { ENVOY_CONN_LOG(trace, "closeSocket: skipping socket close due to reuse_socket_=true", *this); + return; } // Call the base class directly as close() is called in the destructor. diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h index ad13d0d94c2cf..eeb6cf1a57c4b 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h @@ -24,6 +24,9 @@ class ReverseConnectionResolver : public Network::Address::Resolver { std::string name() const override { return "envoy.resolvers.reverse_connection"; } + // Friend class for testing + friend class ReverseConnectionResolverTest; + private: /** * Extracts reverse connection config from socket address metadata. diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 6ce8fe15bd2cf..271dad9e61079 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -60,6 +60,13 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", fd_, connection_key_); + // Prevent double-closing by checking if already closed + if (fd_ < 0) { + ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: handle already closed for connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); + } + // Notify parent that this downstream connection has been closed // This will trigger re-initiation of the reverse connection if needed if (parent_) { diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 9a261749611b7..621b6f7a4645d 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -154,6 +154,12 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { *decoder_callbacks_, node_uuid, cluster_uuid); saveDownstreamConnection(*connection, node_uuid, cluster_uuid); connection->setSocketReused(true); + + // Reset file events on the connection socket + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; @@ -181,14 +187,6 @@ Http::FilterHeadersStatus ReverseConnFilter::getReverseConnectionInfo() { if (is_responder) { return handleResponderInfo(remote_node, remote_cluster); } else if (is_initiator) { - auto* downstream_interface = getDownstreamSocketInterface(); - if (!downstream_interface) { - ENVOY_LOG(error, "Failed to get downstream socket interface for initiator role"); - decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, - "Failed to get downstream socket interface", nullptr, - absl::nullopt, ""); - return Http::FilterHeadersStatus::StopIteration; - } return handleInitiatorInfo(remote_node, remote_cluster); } else { ENVOY_LOG(error, "Unknown role: {}", role); @@ -272,6 +270,16 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, const std::string& remote_cluster) { ENVOY_LOG(debug, "Getting reverse connection info for initiator role"); + // Check if downstream socket interface is available + auto* downstream_interface = getDownstreamSocketInterface(); + if (!downstream_interface) { + ENVOY_LOG(error, "Failed to get downstream socket interface for initiator role"); + decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, + "Failed to get downstream socket interface", nullptr, + absl::nullopt, ""); + return Http::FilterHeadersStatus::StopIteration; + } + // Get the downstream socket interface extension to check established connections auto* downstream_extension = getDownstreamSocketInterfaceExtension(); if (!downstream_extension) { diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 40730dcca49a6..9bcd0020f589a 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -42,11 +42,22 @@ class ReverseConnFilterConfig { public: ReverseConnFilterConfig( const envoy::extensions::filters::http::reverse_conn::v3::ReverseConn& config) - : ping_interval_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, ping_interval, 2)) {} + : ping_interval_(getValidPingInterval(config)) {} std::chrono::seconds pingInterval() const { return ping_interval_; } private: + static std::chrono::seconds getValidPingInterval( + const envoy::extensions::filters::http::reverse_conn::v3::ReverseConn& config) { + if (config.has_ping_interval()) { + uint32_t value = config.ping_interval().value(); + // If ping_interval is explicitly set to 0, use default value + return value > 0 ? std::chrono::seconds(value) : std::chrono::seconds(2); + } + // If ping_interval is not set, use default value + return std::chrono::seconds(2); + } + const std::chrono::seconds ping_interval_; }; @@ -59,6 +70,7 @@ static const char DOUBLE_CRLF[] = "\r\n\r\n"; * This filter handles HTTP requests for reverse tunnel handshakes. */ class ReverseConnFilter : Logger::Loggable, public Http::StreamDecoderFilter { + friend class ReverseConnFilterTest; public: ReverseConnFilter(ReverseConnFilterConfigSharedPtr config); ~ReverseConnFilter(); From daac6367f8ca6270921a15e80c32916403c27fdc Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sun, 27 Jul 2025 06:02:55 +0000 Subject: [PATCH 098/505] unit tests Signed-off-by: Basundhara Chakrabarty --- .../extensions/bootstrap/reverse_tunnel/BUILD | 24 + .../reverse_connection_address_test.cc | 234 ++++++ .../reverse_connection_resolver_test.cc | 168 ++++ .../reverse_tunnel_initiator_test.cc | 734 +++++++++++++++++- .../filters/http/reverse_conn/BUILD | 30 + .../reverse_conn/reverse_conn_filter_test.cc | 732 +++++++++++++++++ 6 files changed, 1914 insertions(+), 8 deletions(-) create mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc create mode 100644 test/extensions/filters/http/reverse_conn/BUILD create mode 100644 test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index ded2797646406..66736c4cdff84 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -61,3 +61,27 @@ envoy_extension_cc_test( "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], ) + +envoy_cc_test( + name = "reverse_connection_address_test", + size = "medium", + srcs = ["reverse_connection_address_test.cc"], + deps = [ + "//source/common/network:address_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_address_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + ], +) + +envoy_cc_test( + name = "reverse_connection_resolver_test", + size = "medium", + srcs = ["reverse_connection_resolver_test.cc"], + deps = [ + "//source/common/network:address_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_resolver_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc new file mode 100644 index 0000000000000..e12bfcc12ec30 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc @@ -0,0 +1,234 @@ +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionAddressTest : public testing::Test { +protected: + void SetUp() override {} + + // Helper function to create a test config + ReverseConnectionAddress::ReverseConnectionConfig createTestConfig() { + return ReverseConnectionAddress::ReverseConnectionConfig{ + "test-node-123", + "test-cluster-456", + "test-tenant-789", + "remote-cluster-abc", + 5 + }; + } + + // Helper function to create a test address + ReverseConnectionAddress createTestAddress() { + return ReverseConnectionAddress(createTestConfig()); + } +}; + +// Test constructor and basic properties +TEST_F(ReverseConnectionAddressTest, BasicSetup) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Test that the address string is set correctly + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.asStringView(), "127.0.0.1:0"); + + // Test that the logical name is formatted correctly + std::string expected_logical_name = "rc://test-node-123:test-cluster-456:test-tenant-789@remote-cluster-abc:5"; + EXPECT_EQ(address.logicalName(), expected_logical_name); + + // Test address type + EXPECT_EQ(address.type(), Network::Address::Type::Ip); + EXPECT_EQ(address.addressType(), "reverse_connection"); +} + +// Test equality operator +TEST_F(ReverseConnectionAddressTest, EqualityOperator) { + auto config1 = createTestConfig(); + auto config2 = createTestConfig(); + + ReverseConnectionAddress address1(config1); + ReverseConnectionAddress address2(config2); + + // Same config should be equal + EXPECT_TRUE(address1 == address2); + EXPECT_TRUE(address2 == address1); + + // Different configs should not be equal + config2.src_node_id = "different-node"; + ReverseConnectionAddress address3(config2); + EXPECT_FALSE(address1 == address3); + EXPECT_FALSE(address3 == address1); +} + +// Test equality with different address types +TEST_F(ReverseConnectionAddressTest, EqualityWithDifferentTypes) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Create a regular IPv4 address + auto regular_address = std::make_shared("127.0.0.1", 8080); + + // Should not be equal to different address types + EXPECT_FALSE(address == *regular_address); + EXPECT_FALSE(*regular_address == address); +} + +// Test reverse connection config accessor +TEST_F(ReverseConnectionAddressTest, ReverseConnectionConfig) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + const auto& retrieved_config = address.reverseConnectionConfig(); + + EXPECT_EQ(retrieved_config.src_node_id, config.src_node_id); + EXPECT_EQ(retrieved_config.src_cluster_id, config.src_cluster_id); + EXPECT_EQ(retrieved_config.src_tenant_id, config.src_tenant_id); + EXPECT_EQ(retrieved_config.remote_cluster, config.remote_cluster); + EXPECT_EQ(retrieved_config.connection_count, config.connection_count); +} + +// Test IP address properties +TEST_F(ReverseConnectionAddressTest, IpAddressProperties) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should have IP address + EXPECT_NE(address.ip(), nullptr); + EXPECT_EQ(address.ip()->addressAsString(), "127.0.0.1"); + EXPECT_EQ(address.ip()->port(), 0); + + // Should not have pipe or envoy internal address + EXPECT_EQ(address.pipe(), nullptr); + EXPECT_EQ(address.envoyInternalAddress(), nullptr); +} + +// Test socket address properties +TEST_F(ReverseConnectionAddressTest, SocketAddressProperties) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + const sockaddr* sock_addr = address.sockAddr(); + EXPECT_NE(sock_addr, nullptr); + + socklen_t addr_len = address.sockAddrLen(); + EXPECT_EQ(addr_len, sizeof(struct sockaddr_in)); + + // Verify the sockaddr structure + const struct sockaddr_in* addr_in = reinterpret_cast(sock_addr); + EXPECT_EQ(addr_in->sin_family, AF_INET); + EXPECT_EQ(addr_in->sin_port, htons(0)); // Port 0 + EXPECT_EQ(addr_in->sin_addr.s_addr, htonl(INADDR_LOOPBACK)); // 127.0.0.1 +} + +// Test network namespace +TEST_F(ReverseConnectionAddressTest, NetworkNamespace) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should not have a network namespace + auto namespace_opt = address.networkNamespace(); + EXPECT_FALSE(namespace_opt.has_value()); +} + +// Test socket interface +TEST_F(ReverseConnectionAddressTest, SocketInterface) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should return a socket interface (either reverse connection or default) + const auto& socket_interface = address.socketInterface(); + EXPECT_NE(&socket_interface, nullptr); +} + +// Test with empty configuration values +TEST_F(ReverseConnectionAddressTest, EmptyConfigValues) { + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_node_id = ""; + config.src_cluster_id = ""; + config.src_tenant_id = ""; + config.remote_cluster = ""; + config.connection_count = 0; + + ReverseConnectionAddress address(config); + + // Should still work with empty values + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.logicalName(), "rc://::@:0"); + + const auto& retrieved_config = address.reverseConnectionConfig(); + EXPECT_EQ(retrieved_config.src_node_id, ""); + EXPECT_EQ(retrieved_config.src_cluster_id, ""); + EXPECT_EQ(retrieved_config.src_tenant_id, ""); + EXPECT_EQ(retrieved_config.remote_cluster, ""); + EXPECT_EQ(retrieved_config.connection_count, 0); +} + +// Test multiple instances with different configurations +TEST_F(ReverseConnectionAddressTest, MultipleInstances) { + ReverseConnectionAddress::ReverseConnectionConfig config1; + config1.src_node_id = "node1"; + config1.src_cluster_id = "cluster1"; + config1.src_tenant_id = "tenant1"; + config1.remote_cluster = "remote1"; + config1.connection_count = 1; + + ReverseConnectionAddress::ReverseConnectionConfig config2; + config2.src_node_id = "node2"; + config2.src_cluster_id = "cluster2"; + config2.src_tenant_id = "tenant2"; + config2.remote_cluster = "remote2"; + config2.connection_count = 2; + + ReverseConnectionAddress address1(config1); + ReverseConnectionAddress address2(config2); + + // Should not be equal + EXPECT_FALSE(address1 == address2); + EXPECT_FALSE(address2 == address1); + + // Should have different logical names + EXPECT_NE(address1.logicalName(), address2.logicalName()); + + // Should have same address string (both use 127.0.0.1:0) + EXPECT_EQ(address1.asString(), address2.asString()); +} + +// Test copy constructor and assignment (if implemented) +TEST_F(ReverseConnectionAddressTest, CopyAndAssignment) { + auto config = createTestConfig(); + ReverseConnectionAddress original(config); + + // Test copy constructor + ReverseConnectionAddress copied(original); + EXPECT_TRUE(original == copied); + EXPECT_EQ(original.logicalName(), copied.logicalName()); + EXPECT_EQ(original.asString(), copied.asString()); + + // Test assignment operator + ReverseConnectionAddress::ReverseConnectionConfig config2; + config2.src_node_id = "different-node"; + config2.src_cluster_id = "different-cluster"; + config2.src_tenant_id = "different-tenant"; + config2.remote_cluster = "different-remote"; + config2.connection_count = 10; + + ReverseConnectionAddress assigned(config2); + assigned = original; + EXPECT_TRUE(original == assigned); + EXPECT_EQ(original.logicalName(), assigned.logicalName()); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy \ No newline at end of file diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc new file mode 100644 index 0000000000000..7ef3fab453900 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc @@ -0,0 +1,168 @@ +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h" + +#include "envoy/config/core/v3/address.pb.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionResolverTest : public testing::Test { +protected: + void SetUp() override {} + + // Helper function to create a valid socket address + envoy::config::core::v3::SocketAddress createSocketAddress(const std::string& address, uint32_t port = 0) { + envoy::config::core::v3::SocketAddress socket_address; + socket_address.set_address(address); + socket_address.set_port_value(port); + return socket_address; + } + + // Helper function to create a valid reverse connection address string + std::string createReverseConnectionAddress(const std::string& src_node_id, + const std::string& src_cluster_id, + const std::string& src_tenant_id, + const std::string& cluster_name, + uint32_t count) { + return fmt::format("rc://{}:{}:{}@{}:{}", src_node_id, src_cluster_id, src_tenant_id, cluster_name, count); + } + + // Helper function to access the private extractReverseConnectionConfig method + absl::StatusOr + extractReverseConnectionConfig(const envoy::config::core::v3::SocketAddress& socket_address) { + return resolver_.extractReverseConnectionConfig(socket_address); + } + + ReverseConnectionResolver resolver_; +}; + +// Test the name() method +TEST_F(ReverseConnectionResolverTest, Name) { + EXPECT_EQ(resolver_.name(), "envoy.resolvers.reverse_connection"); +} + +// Test successful resolution of a valid reverse connection address +TEST_F(ReverseConnectionResolverTest, ResolveValidAddress) { + std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", "test-tenant", "remote-cluster", 5); + auto socket_address = createSocketAddress(address_str); + + auto result = resolver_.resolve(socket_address); + EXPECT_TRUE(result.ok()); + + auto resolved_address = result.value(); + EXPECT_NE(resolved_address, nullptr); + + // Verify it's a ReverseConnectionAddress + auto reverse_address = std::dynamic_pointer_cast(resolved_address); + EXPECT_NE(reverse_address, nullptr); + + // Verify the configuration + const auto& config = reverse_address->reverseConnectionConfig(); + EXPECT_EQ(config.src_node_id, "test-node"); + EXPECT_EQ(config.src_cluster_id, "test-cluster"); + EXPECT_EQ(config.src_tenant_id, "test-tenant"); + EXPECT_EQ(config.remote_cluster, "remote-cluster"); + EXPECT_EQ(config.connection_count, 5); +} + +// Test resolution failure for non-reverse connection address +TEST_F(ReverseConnectionResolverTest, ResolveNonReverseConnectionAddress) { + auto socket_address = createSocketAddress("127.0.0.1"); + + auto result = resolver_.resolve(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Address must start with 'rc://'")); +} + +// Test resolution failure for non-zero port +TEST_F(ReverseConnectionResolverTest, ResolveNonZeroPort) { + std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", "test-tenant", "remote-cluster", 5); + auto socket_address = createSocketAddress(address_str, 8080); // Non-zero port + + auto result = resolver_.resolve(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Only port 0 is supported")); +} + +// Test successful extraction of reverse connection config +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigValid) { + std::string address_str = createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", "remote-cluster-abc", 10); + auto socket_address = createSocketAddress(address_str); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_TRUE(result.ok()); + + const auto& config = result.value(); + EXPECT_EQ(config.src_node_id, "node-123"); + EXPECT_EQ(config.src_cluster_id, "cluster-456"); + EXPECT_EQ(config.src_tenant_id, "tenant-789"); + EXPECT_EQ(config.remote_cluster, "remote-cluster-abc"); + EXPECT_EQ(config.connection_count, 10); +} + +// Test extraction failure for invalid format (missing @) +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidFormat) { + auto socket_address = createSocketAddress("rc://node:cluster:tenant:cluster:5"); // Missing @ + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid reverse connection address format")); +} + +// Test extraction failure for invalid source info format +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidSourceInfo) { + auto socket_address = createSocketAddress("rc://node:cluster@remote:5"); // Missing tenant_id + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid source info format")); +} + +// Test extraction failure for invalid cluster config format +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidClusterConfig) { + auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote"); // Missing count + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid cluster config format")); +} + +// Test extraction failure for invalid connection count +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidCount) { + auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote:invalid"); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid connection count")); +} + +// Test extraction with zero connection count +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigZeroCount) { + std::string address_str = createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", "remote-cluster", 0); + auto socket_address = createSocketAddress(address_str); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_TRUE(result.ok()); + + const auto& config = result.value(); + EXPECT_EQ(config.connection_count, 0); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy \ No newline at end of file diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index f7407911b0a06..d4a64dc91186b 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -2597,6 +2597,47 @@ class RCConnectionWrapperTest : public testing::Test { test_fd, config, cluster_manager_, extension_.get(), *stats_scope_); } + // Connection Management Helpers + + bool initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host) { + return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); + } + + // Data Access Helpers + + const std::vector>& getConnectionWrappers() const { + return io_handle_->connection_wrappers_; + } + + const std::unordered_map& getConnWrapperToHostMap() const { + return io_handle_->conn_wrapper_to_host_map_; + } + + // Test Data Setup Helpers + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + std::chrono::steady_clock::now(), // last_failure_time + std::chrono::steady_clock::now(), // backoff_until + {} // connection_states + }; + } + + // Helper to create a mock host + Upstream::HostConstSharedPtr createMockHost(const std::string& address) { + auto mock_host = std::make_shared>(); + auto mock_address = std::make_shared(address, 8080); + EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); + return mock_host; + } + // Test fixtures NiceMock context_; NiceMock thread_local_; @@ -2646,14 +2687,6 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { // Create RCConnectionWrapper with the mock connection RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - // Debug: Check if gRPC config is available - const auto* grpc_config = io_handle_->getGrpcConfig(); - if (grpc_config != nullptr) { - std::cout << "DEBUG: gRPC config is available, will use gRPC handshake" << std::endl; - } else { - std::cout << "DEBUG: gRPC config is null, will use HTTP handshake" << std::endl; - } - // Call connect() method std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); @@ -2736,6 +2769,691 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { EXPECT_EQ(result, "127.0.0.1:12345"); } +// Test RCConnectionWrapper::onHandshakeSuccess method +TEST_F(RCConnectionWrapperTest, OnHandshakeSuccess) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onHandshakeSuccess + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onHandshakeSuccess + wrapper_ptr->onHandshakeSuccess(); + + // Get stats after onHandshakeSuccess + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that connected stats were incremented + EXPECT_EQ(final_stats[host_stat_name], initial_stats[host_stat_name] + 1); + EXPECT_EQ(final_stats[cluster_stat_name], initial_stats[cluster_stat_name] + 1); + + // Debug: Print stats for verification + std::cout << "\n=== OnHandshakeSuccess Stats ===" << std::endl; + std::cout << "Host stat '" << host_stat_name << "': " << initial_stats[host_stat_name] << " -> " << final_stats[host_stat_name] << std::endl; + std::cout << "Cluster stat '" << cluster_stat_name << "': " << initial_stats[cluster_stat_name] << " -> " << final_stats[cluster_stat_name] << std::endl; + std::cout << "=================================" << std::endl; +} + +// Test RCConnectionWrapper::onHandshakeFailure method +TEST_F(RCConnectionWrapperTest, OnHandshakeFailure) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onHandshakeFailure + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_failed_stat_name = "test_scope.reverse_connections.host.192.168.1.1.failed"; + std::string cluster_failed_stat_name = "test_scope.reverse_connections.cluster.test-cluster.failed"; + + // Call onHandshakeFailure with an error message + std::string error_message = "Handshake failed due to authentication error"; + wrapper_ptr->onHandshakeFailure(error_message); + + // Get stats after onHandshakeFailure + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that failed stats were incremented + EXPECT_EQ(final_stats[host_failed_stat_name], initial_stats[host_failed_stat_name] + 1); + EXPECT_EQ(final_stats[cluster_failed_stat_name], initial_stats[cluster_failed_stat_name] + 1); + + // Debug: Print stats for verification + std::cout << "\n=== OnHandshakeFailure Stats ===" << std::endl; + std::cout << "Host failed stat '" << host_failed_stat_name << "': " << initial_stats[host_failed_stat_name] << " -> " << final_stats[host_failed_stat_name] << std::endl; + std::cout << "Cluster failed stat '" << cluster_failed_stat_name << "': " << initial_stats[cluster_failed_stat_name] << " -> " << final_stats[cluster_failed_stat_name] << std::endl; + std::cout << "==================================" << std::endl; +} + +// Test RCConnectionWrapper::onEvent method with RemoteClose event +TEST_F(RCConnectionWrapperTest, OnEventRemoteClose) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_connected_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_connected_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onEvent with RemoteClose event + wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); + + // Get stats after onEvent + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that the connection closure was handled + // Note: The exact stat changes depend on the implementation of onConnectionDone + // For RemoteClose, we expect the connection to be marked as closed + + // Debug: Print stats for verification + std::cout << "\n=== OnEventRemoteClose Stats ===" << std::endl; + std::cout << "Host connected stat '" << host_connected_stat_name << "': " << initial_stats[host_connected_stat_name] << " -> " << final_stats[host_connected_stat_name] << std::endl; + std::cout << "Cluster connected stat '" << cluster_connected_stat_name << "': " << initial_stats[cluster_connected_stat_name] << " -> " << final_stats[cluster_connected_stat_name] << std::endl; + std::cout << "=================================" << std::endl; +} + +// Test RCConnectionWrapper::onEvent method with Connected event (should be ignored) +TEST_F(RCConnectionWrapperTest, OnEventConnected) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent + auto initial_stats = extension_->getCrossWorkerStatMap(); + + // Call onEvent with Connected event (should be ignored) + wrapper_ptr->onEvent(Network::ConnectionEvent::Connected); + + // Get stats after onEvent + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that Connected event doesn't change stats (it should be ignored) + // The stats should remain the same + EXPECT_EQ(final_stats, initial_stats); + + // Debug: Print stats for verification + std::cout << "\n=== OnEventConnected Stats ===" << std::endl; + std::cout << "Stats unchanged after Connected event (as expected)" << std::endl; + std::cout << "=================================" << std::endl; +} + +// Test RCConnectionWrapper::onEvent method with null connection +TEST_F(RCConnectionWrapperTest, OnEventWithNullConnection) { + // Set up thread local slot first so stats can be properly tracked + setupThreadLocalSlot(); + + // Set up mock thread local cluster + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent + auto initial_stats = extension_->getCrossWorkerStatMap(); + + // Call onEvent with RemoteClose event + wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); + + // Get stats after onEvent + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that the event was handled gracefully even with connection closure + // The exact behavior depends on the implementation, but it should not crash + + // Debug: Print stats for verification + std::cout << "\n=== OnEventWithNullConnection Stats ===" << std::endl; + std::cout << "Event handled gracefully after connection closure" << std::endl; + std::cout << "===============================================" << std::endl; +} + +// Test RCConnectionWrapper::releaseConnection method +TEST_F(RCConnectionWrapperTest, ReleaseConnection) { + // Create a mock connection + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Verify connection exists before release + EXPECT_NE(wrapper.getConnection(), nullptr); + + // Release the connection + auto released_connection = wrapper.releaseConnection(); + + // Verify connection was released + EXPECT_NE(released_connection, nullptr); + EXPECT_EQ(wrapper.getConnection(), nullptr); +} + +// Test RCConnectionWrapper::getConnection method +TEST_F(RCConnectionWrapperTest, GetConnection) { + // Create a mock connection + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Get the connection + auto* connection = wrapper.getConnection(); + + // Verify connection is returned + EXPECT_NE(connection, nullptr); + + // Test after release + wrapper.releaseConnection(); + EXPECT_EQ(wrapper.getConnection(), nullptr); +} + +// Test RCConnectionWrapper::getHost method +TEST_F(RCConnectionWrapperTest, GetHost) { + // Create a mock connection and host + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Get the host + auto host = wrapper.getHost(); + + // Verify host is returned + EXPECT_EQ(host, mock_host); +} + +// Test RCConnectionWrapper::onAboveWriteBufferHighWatermark method (no-op) +TEST_F(RCConnectionWrapperTest, OnAboveWriteBufferHighWatermark) { + // Create a mock connection + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call onAboveWriteBufferHighWatermark - should be a no-op + wrapper.onAboveWriteBufferHighWatermark(); +} + +// Test RCConnectionWrapper::onBelowWriteBufferLowWatermark method (no-op) +TEST_F(RCConnectionWrapperTest, OnBelowWriteBufferLowWatermark) { + // Create a mock connection + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call onBelowWriteBufferLowWatermark - should be a no-op + wrapper.onBelowWriteBufferLowWatermark(); +} + +// Test RCConnectionWrapper::shutdown method +TEST_F(RCConnectionWrapperTest, Shutdown) { + // Test 1: Shutdown with open connection + std::cout << "Test 1: Shutdown with open connection" << std::endl; + { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for open connection + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)).Times(1); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)).Times(1); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + std::cout << "Test 2: Shutdown with already closed connection" << std::endl; + // Test 2: Shutdown with already closed connection + { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for closed connection + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Closed)); + EXPECT_CALL(*mock_connection, close(_)).Times(0); // Should not call close on already closed connection + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12346)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + std::cout << "Test 3: Shutdown with closing connection" << std::endl; + + // Test 3: Shutdown with closing connection + { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for closing connection + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)).Times(1); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Closing)); + EXPECT_CALL(*mock_connection, close(_)).Times(0); // Should not call close on already closing connection + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12347)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + std::cout << "Test 4: Shutdown with null connection" << std::endl; + // Test 4: Shutdown with null connection (should be safe) + { + auto mock_host = std::make_shared>(); + + // Create wrapper with null connection + RCConnectionWrapper wrapper(*io_handle_, nullptr, mock_host, "test-cluster"); + + EXPECT_EQ(wrapper.getConnection(), nullptr); + wrapper.shutdown(); // Should not crash + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + std::cout << "Test 5: Multiple shutdown calls" << std::endl; + // Test 5: Multiple shutdown calls (should be safe) + { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)).Times(1); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)).Times(1); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12348)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + + // First shutdown + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + + // Second shutdown (should be safe) + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } +} + +// Test SimpleConnReadFilter::onData method +class SimpleConnReadFilterTest : public testing::Test { +protected: + void SetUp() override { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Create a mock IO handle + auto mock_io_handle = std::make_unique>(); + io_handle_ = std::make_unique( + 7, // dummy fd + ReverseConnectionSocketConfig{}, + cluster_manager_, + nullptr, // extension + *stats_scope_); // Use the created scope + } + + void TearDown() override { + io_handle_.reset(); + } + + // Helper to create a mock RCConnectionWrapper + std::unique_ptr createMockWrapper() { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + return std::make_unique(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + } + + // Helper to create SimpleConnReadFilter + std::unique_ptr createFilter(RCConnectionWrapper* parent) { + return std::make_unique(parent); + } + + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + std::unique_ptr io_handle_; +}; + +TEST_F(SimpleConnReadFilterTest, OnDataWithNullParent) { + // Create filter with null parent + auto filter = createFilter(nullptr); + + // Create a buffer with some data + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - should return StopIteration when parent is null + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp200Response) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 200 response but invalid protobuf + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\nreverse connection accepted"); + + // Call onData - should return StopIteration for invalid response format + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2Response) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP/2 response but invalid protobuf + Buffer::OwnedImpl buffer("HTTP/2 200\r\n\r\nACCEPTED"); + + // Call onData - should return StopIteration for invalid response format + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithIncompleteHeaders) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with incomplete HTTP headers + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"); + + // Call onData - should return Continue for incomplete headers + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::Continue); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithEmptyResponseBody) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 200 but empty body + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - should return Continue for empty body + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::Continue); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithNon200Response) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 404 response + Buffer::OwnedImpl buffer("HTTP/1.1 404 Not Found\r\n\r\n"); + + // Call onData - should return StopIteration for error response + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2ErrorResponse) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP/2 error response + Buffer::OwnedImpl buffer("HTTP/2 500\r\n\r\n"); + + // Call onData - should return StopIteration for error response + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with partial data (no HTTP response yet) + Buffer::OwnedImpl buffer("partial data"); + + // Call onData - should return Continue for partial data + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::Continue); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { + // Create wrapper and filter + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a proper ReverseConnHandshakeRet protobuf response + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED); + ret.set_status_message("Connection accepted"); + + std::string protobuf_data = ret.SerializeAsString(); + std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; + Buffer::OwnedImpl buffer(http_response); + + // Call onData - should return StopIteration for successful protobuf response + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/test/extensions/filters/http/reverse_conn/BUILD b/test/extensions/filters/http/reverse_conn/BUILD new file mode 100644 index 0000000000000..01a56a335a70d --- /dev/null +++ b/test/extensions/filters/http/reverse_conn/BUILD @@ -0,0 +1,30 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_test( + name = "reverse_conn_filter_test", + size = "medium", + srcs = ["reverse_conn_filter_test.cc"], + deps = [ + "//source/common/thread_local:thread_local_lib", + "//envoy/network:connection_interface", + "//source/common/buffer:buffer_lib", + "//source/common/http:message_lib", + "//source/common/network:address_lib", + "//source/common/network:connection_lib", + "//source/common/network:socket_interface_lib", + "//source/extensions/filters/http/reverse_conn:reverse_conn_filter_lib", + "//test/mocks/http:http_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", + ], +) \ No newline at end of file diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc new file mode 100644 index 0000000000000..71fe757a8ba83 --- /dev/null +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -0,0 +1,732 @@ +#include "source/extensions/filters/http/reverse_conn/reverse_conn_filter.h" + +#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" + +#include "envoy/network/connection.h" +#include "envoy/common/optref.h" +#include "source/common/buffer/buffer_impl.h" +#include "source/common/http/message_impl.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/connection_impl.h" +#include "source/common/network/socket_interface_impl.h" +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/utility.h" +#include "source/common/network/socket_interface.h" +#include "source/common/protobuf/protobuf.h" + +#include "test/mocks/http/mocks.h" +#include "test/mocks/network/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/stream_info/mocks.h" +#include "test/mocks/ssl/mocks.h" +#include "test/mocks/network/mocks.h" +#include "test/mocks/event/mocks.h" +#include "test/test_common/test_runtime.h" + +// Include reverse connection components for testing +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/common/thread_local/thread_local_impl.h" + +// Add namespace alias for convenience +namespace ReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; +using testing::ByMove; +using testing::Invoke; + +namespace Envoy { +namespace Extensions { +namespace HttpFilters { +namespace ReverseConn { + +class ReverseConnFilterTest : public testing::Test { +protected: + void SetUp() override { + // Initialize stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Set up the mock callbacks + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(Return(OptRef{connection_})); + EXPECT_CALL(callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); + EXPECT_CALL(stream_info_, dynamicMetadata()).WillRepeatedly(ReturnRef(metadata_)); + + } + + // Helper function to create a filter with default config + std::unique_ptr createFilter() { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; + config.mutable_ping_interval()->set_value(5); // 5 seconds + auto filter_config = std::make_shared(config); + auto filter = std::make_unique(filter_config); + filter->setDecoderFilterCallbacks(callbacks_); + return filter; + } + + // Helper function to create a filter with custom config + std::unique_ptr createFilterWithConfig(uint32_t ping_interval) { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; + config.mutable_ping_interval()->set_value(ping_interval); + auto filter_config = std::make_shared(config); + auto filter = std::make_unique(filter_config); + filter->setDecoderFilterCallbacks(callbacks_); + return filter; + } + + // Helper function to create HTTP headers + Http::TestRequestHeaderMapImpl createHeaders(const std::string& method, const std::string& path) { + Http::TestRequestHeaderMapImpl headers; + headers.setMethod(method); + headers.setPath(path); + headers.setHost("example.com"); + return headers; + } + + // Helper function to create reverse connection request headers + Http::TestRequestHeaderMapImpl createReverseConnectionRequestHeaders(uint32_t content_length = 100) { + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength(content_length); + return headers; + } + + // Helper function to create reverse connection info request headers + Http::TestRequestHeaderMapImpl createReverseConnectionInfoHeaders(const std::string& role = "") { + auto headers = createHeaders("GET", "/reverse_connections"); + if (!role.empty()) { + headers.addCopy(Http::LowerCaseString("role"), role); + } + return headers; + } + + // Helper function to test the private matchRequestPath method + bool testMatchRequestPath(ReverseConnFilter* filter, const std::string& request_path, const std::string& api_path) { + // Use the friend class access to call the private method + return filter->matchRequestPath(request_path, api_path); + } + + // Helper function to set up thread local slot for testing upstream socket manager + void setupThreadLocalSlot() { + setupThreadLocalSlotForTesting(); + } + + // Helper function to create a mock socket with proper address setup + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + // Parse local address (IP:port format) + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + // Parse remote address (IP:port format) + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + // Create a mock IO handle and set it up + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + // Store the mock_io_handle in the socket + socket->io_handle_ = std::move(mock_io_handle); + + // Set up connection info provider with the desired addresses + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + // Helper function to create a protobuf handshake argument + std::string createHandshakeArg(const std::string& tenant_uuid, const std::string& cluster_uuid, const std::string& node_uuid) { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + arg.set_tenant_uuid(tenant_uuid); + arg.set_cluster_uuid(cluster_uuid); + arg.set_node_uuid(node_uuid); + return arg.SerializeAsString(); + } + + // Helper function to get the upstream socket manager for testing + ReverseConnection::UpstreamSocketManager* getUpstreamSocketManager() { + // Use the local socket manager that was created in setupThreadLocalSlot + if (socket_manager_) { + return socket_manager_.get(); + } + + // Fallback to accessing through the socket interface if available + auto* upstream_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (!upstream_interface) { + return nullptr; + } + + auto* upstream_socket_interface = + dynamic_cast(upstream_interface); + if (!upstream_socket_interface) { + return nullptr; + } + + auto* tls_registry = upstream_socket_interface->getLocalRegistry(); + if (!tls_registry) { + return nullptr; + } + + return tls_registry->socketManager(); + } + + // Helper method to set up thread local slot for testing + void setupThreadLocalSlotForTesting() { + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = std::make_unique( + *socket_interface_, context_, config_); + + // First, call onServerInitialized to set up the extension reference properly + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension + thread_local_registry_ = std::make_shared( + dispatcher_, extension_.get()); + + // Create the actual TypedSlot + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Use the public setTestOnlyTLSRegistry method instead of accessing private members + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Create the socket manager + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock callbacks_; + NiceMock connection_; + NiceMock socket_; + NiceMock io_handle_; + NiceMock stream_info_; + envoy::config::core::v3::Metadata metadata_; + NiceMock dispatcher_{"test_dispatcher"}; + + // Mock socket for testing + std::unique_ptr> mock_socket_; + std::unique_ptr> mock_io_handle_; + + // Helper method to set up socket mock + void setupSocketMock() { + mock_socket_ = std::make_unique>(); + mock_io_handle_ = std::make_unique>(); + + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + mock_socket_->io_handle_ = std::move(mock_io_handle_); + + // Set up connection to return the mock socket + EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(*mock_socket_)); + } + + // Thread local components for testing upstream socket manager + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + std::unique_ptr socket_manager_; + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Config for reverse connection socket interface + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::UpstreamReverseConnectionSocketInterface config_; + + void TearDown() override { + // Clean up thread local components + tls_slot_.reset(); + thread_local_registry_.reset(); + socket_manager_.reset(); + extension_.reset(); + socket_interface_.reset(); + } +}; + +// Test basic filter construction and configuration +TEST_F(ReverseConnFilterTest, BasicConstruction) { + auto filter = createFilter(); + EXPECT_NE(filter, nullptr); +} + +// Test filter construction with default config +TEST_F(ReverseConnFilterTest, DefaultConfig) { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; + // Don't set ping_interval, should use default + auto filter_config = std::make_shared(config); + auto filter = std::make_unique(filter_config); + filter->setDecoderFilterCallbacks(callbacks_); + + EXPECT_NE(filter, nullptr); + EXPECT_EQ(filter_config->pingInterval().count(), 2); // Default is 2 seconds +} + +// Test filter construction with custom ping interval +TEST_F(ReverseConnFilterTest, CustomPingInterval) { + auto filter = createFilterWithConfig(10); + EXPECT_NE(filter, nullptr); +} + +// Test filter destruction +TEST_F(ReverseConnFilterTest, FilterDestruction) { + auto filter = createFilter(); + EXPECT_NE(filter, nullptr); + + // Should not crash on destruction + filter.reset(); + EXPECT_EQ(filter, nullptr); +} + +// Test onDestroy method +TEST_F(ReverseConnFilterTest, OnDestroy) { + auto filter = createFilter(); + EXPECT_NE(filter, nullptr); + + // Should not crash when onDestroy is called + filter->onDestroy(); +} + +// Test decodeHeaders with non-reverse connection path (should continue) +TEST_F(ReverseConnFilterTest, DecodeHeadersNonReverseConnectionPath) { + auto filter = createFilter(); + auto headers = createHeaders("GET", "/some/other/path"); + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); + EXPECT_EQ(status, Http::FilterHeadersStatus::Continue); +} + +// Test decodeHeaders with reverse connection path but wrong method +TEST_F(ReverseConnFilterTest, DecodeHeadersReverseConnectionPathWrongMethod) { + auto filter = createFilter(); + auto headers = createHeaders("PUT", "/reverse_connections"); + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); + EXPECT_EQ(status, Http::FilterHeadersStatus::Continue); +} + +// Test config validation with valid ping interval +TEST_F(ReverseConnFilterTest, ConfigValidationValidPingInterval) { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; + config.mutable_ping_interval()->set_value(1); // Valid: 1 second + + auto filter_config = std::make_shared(config); + EXPECT_EQ(filter_config->pingInterval().count(), 1); +} + +// Test config validation with zero ping interval +TEST_F(ReverseConnFilterTest, ConfigValidationZeroPingInterval) { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; + config.mutable_ping_interval()->set_value(0); // Zero should use default + + auto filter_config = std::make_shared(config); + EXPECT_EQ(filter_config->pingInterval().count(), 2); // Default is 2 seconds +} + +// Test config validation with large ping interval +TEST_F(ReverseConnFilterTest, ConfigValidationLargePingInterval) { + envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; + config.mutable_ping_interval()->set_value(3600); // 1 hour + + auto filter_config = std::make_shared(config); + EXPECT_EQ(filter_config->pingInterval().count(), 3600); +} + +// Test matchRequestPath helper function +TEST_F(ReverseConnFilterTest, MatchRequestPath) { + auto filter = createFilter(); + + // Test exact match + EXPECT_TRUE(testMatchRequestPath(filter.get(), "/reverse_connections", "/reverse_connections")); + + // Test prefix match + EXPECT_TRUE(testMatchRequestPath(filter.get(), "/reverse_connections/request", "/reverse_connections")); + + // Test no match + EXPECT_FALSE(testMatchRequestPath(filter.get(), "/some/other/path", "/reverse_connections")); + + // Test empty path + EXPECT_FALSE(testMatchRequestPath(filter.get(), "", "/reverse_connections")); + + // Test shorter path + EXPECT_FALSE(testMatchRequestPath(filter.get(), "/reverse", "/reverse_connections")); +} + +// Test decodeHeaders with POST method for reverse connection accept request +TEST_F(ReverseConnFilterTest, DecodeHeadersPostReverseConnectionAccept) { + auto filter = createFilter(); + + // Create headers for POST request to /reverse_connections/request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength("100"); // Set content length for protobuf + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); + +} + +// Test decodeHeaders with POST method for non-accept reverse connection path +TEST_F(ReverseConnFilterTest, DecodeHeadersPostNonAcceptPath) { + auto filter = createFilter(); + + // Create headers for POST request to /reverse_connections (not /request) + auto headers = createHeaders("POST", "/reverse_connections"); + headers.setContentLength("100"); + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); + EXPECT_EQ(status, Http::FilterHeadersStatus::Continue); +} + +// acceptReverseConnection Tests + +// Test acceptReverseConnection with valid protobuf data +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Create valid protobuf handshake argument + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + + // Set up headers for reverse connection request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength(std::to_string(handshake_arg.length())); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with protobuf data + Buffer::OwnedImpl data(handshake_arg); + + // Process data - this should call acceptReverseConnection + Http::FilterDataStatus data_status = filter->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that the socket was added to the upstream socket manager + auto* socket_manager = getUpstreamSocketManager(); + ASSERT_NE(socket_manager, nullptr); + + // Try to get the socket for the node - should be available + auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); + EXPECT_NE(retrieved_socket, nullptr); + + // Verify stats were updated + auto* extension = socket_manager->getUpstreamExtension(); + ASSERT_NE(extension, nullptr); + + // Get per-worker stats to verify the connection was counted + auto stat_map = extension->getPerWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 1); +} + +// Test acceptReverseConnection with invalid protobuf data +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobuf) { + auto filter = createFilter(); + + // Set up headers for reverse connection request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength("50"); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with invalid protobuf data + Buffer::OwnedImpl data("invalid protobuf data that cannot be parsed"); + + // Process data - this should call acceptReverseConnection and fail + Http::FilterDataStatus data_status = filter->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that no socket was added to the upstream socket manager + auto* socket_manager = getUpstreamSocketManager(); + if (socket_manager) { + auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); + EXPECT_EQ(retrieved_socket, nullptr); + } +} + +// Test acceptReverseConnection with empty node_uuid in protobuf +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { + auto filter = createFilter(); + + // Create protobuf with empty node_uuid + envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + arg.set_tenant_uuid("tenant-123"); + arg.set_cluster_uuid("cluster-456"); + arg.set_node_uuid(""); // Empty node_uuid + std::string handshake_arg = arg.SerializeAsString(); + + // Set up headers for reverse connection request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength(std::to_string(handshake_arg.length())); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with protobuf data + Buffer::OwnedImpl data(handshake_arg); + + // Process data - this should call acceptReverseConnection and reject + Http::FilterDataStatus data_status = filter->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that no socket was added to the upstream socket manager + auto* socket_manager = getUpstreamSocketManager(); + if (socket_manager) { + auto retrieved_socket = socket_manager->getConnectionSocket(""); + EXPECT_EQ(retrieved_socket, nullptr); + } +} + +// Test acceptReverseConnection with SSL certificate information +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Create valid protobuf handshake argument + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + + // Set up headers for reverse connection request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength(std::to_string(handshake_arg.length())); + + // Mock SSL connection with certificate + auto mock_ssl = std::make_shared>(); + std::vector dns_sans = {"tenantId=ssl-tenant", "clusterId=ssl-cluster"}; + EXPECT_CALL(*mock_ssl, peerCertificatePresented()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_ssl, dnsSansPeerCertificate()).WillRepeatedly(Return(dns_sans)); + + // Set up connection with SSL + EXPECT_CALL(connection_, ssl()).WillRepeatedly(Return(mock_ssl)); + + // Set up socket mock + setupSocketMock(); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with protobuf data + Buffer::OwnedImpl data(handshake_arg); + + // Process data - this should call acceptReverseConnection + Http::FilterDataStatus data_status = filter->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that the socket was added to the upstream socket manager + // SSL certificate values should override protobuf values + auto* socket_manager = getUpstreamSocketManager(); + ASSERT_NE(socket_manager, nullptr); + + // Try to get the socket for the node - should be available + auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); + EXPECT_NE(retrieved_socket, nullptr); +} + +// Test acceptReverseConnection with multiple sockets for same node +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Create valid protobuf handshake argument + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + + // Set up headers for reverse connection request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength(std::to_string(handshake_arg.length())); + + // Set up socket mock + setupSocketMock(); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with protobuf data + Buffer::OwnedImpl data1(handshake_arg); + + // Process first data - this should call acceptReverseConnection + Http::FilterDataStatus data_status1 = filter->decodeData(data1, false); + EXPECT_EQ(data_status1, Http::FilterDataStatus::StopIterationNoBuffer); + + // Create second filter instance for second connection + auto filter2 = createFilter(); + + // Set up headers for second reverse connection request + auto headers2 = createHeaders("POST", "/reverse_connections/request"); + headers2.setContentLength(std::to_string(handshake_arg.length())); + + // Process headers for second connection + Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); + EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with protobuf data for second connection + Buffer::OwnedImpl data2(handshake_arg); + + // Process second data - this should call acceptReverseConnection + Http::FilterDataStatus data_status2 = filter2->decodeData(data2, true); + EXPECT_EQ(data_status2, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that both sockets were added to the upstream socket manager + auto* socket_manager = getUpstreamSocketManager(); + ASSERT_NE(socket_manager, nullptr); + + // Try to get the first socket for the node + auto retrieved_socket1 = socket_manager->getConnectionSocket("node-789"); + EXPECT_NE(retrieved_socket1, nullptr); + + // Try to get the second socket for the node + auto retrieved_socket2 = socket_manager->getConnectionSocket("node-789"); + EXPECT_NE(retrieved_socket2, nullptr); + + // Verify stats were updated correctly for multiple connections + auto* extension = socket_manager->getUpstreamExtension(); + ASSERT_NE(extension, nullptr); + + // Get per-worker stats to verify the connections were counted + auto stat_map = extension->getPerWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 2); +} + +// Test acceptReverseConnection with cross-worker stats verification +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionCrossWorkerStats) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Create valid protobuf handshake argument + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + + // Set up headers for reverse connection request + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength(std::to_string(handshake_arg.length())); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with protobuf data + Buffer::OwnedImpl data(handshake_arg); + + // Process data - this should call acceptReverseConnection + Http::FilterDataStatus data_status = filter->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that the socket was added to the upstream socket manager + auto* socket_manager = getUpstreamSocketManager(); + ASSERT_NE(socket_manager, nullptr); + + // Try to get the socket for the node - should be available + auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); + EXPECT_NE(retrieved_socket, nullptr); + + // Verify cross-worker stats were updated correctly + auto* extension = socket_manager->getUpstreamExtension(); + ASSERT_NE(extension, nullptr); + + // Get cross-worker stats to verify the connection was counted + auto cross_worker_stat_map = extension->getCrossWorkerStatMap(); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.nodes.node-789"], 1); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-456"], 1); +} + +// Test acceptReverseConnection with multiple nodes and clusters for cross-worker stats +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerStats) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + + // Create first filter and connection + auto filter1 = createFilter(); + std::string handshake_arg1 = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + auto headers1 = createHeaders("POST", "/reverse_connections/request"); + headers1.setContentLength(std::to_string(handshake_arg1.length())); + + Http::FilterHeadersStatus header_status1 = filter1->decodeHeaders(headers1, false); + EXPECT_EQ(header_status1, Http::FilterHeadersStatus::StopIteration); + + Buffer::OwnedImpl data1(handshake_arg1); + Http::FilterDataStatus data_status1 = filter1->decodeData(data1, true); + EXPECT_EQ(data_status1, Http::FilterDataStatus::StopIterationNoBuffer); + + // Create second filter and connection with different node/cluster + auto filter2 = createFilter(); + std::string handshake_arg2 = createHandshakeArg("tenant-456", "cluster-789", "node-123"); + auto headers2 = createHeaders("POST", "/reverse_connections/request"); + headers2.setContentLength(std::to_string(handshake_arg2.length())); + + Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); + EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); + + Buffer::OwnedImpl data2(handshake_arg2); + Http::FilterDataStatus data_status2 = filter2->decodeData(data2, true); + EXPECT_EQ(data_status2, Http::FilterDataStatus::StopIterationNoBuffer); + + // Verify that both sockets were added to the upstream socket manager + auto* socket_manager = getUpstreamSocketManager(); + ASSERT_NE(socket_manager, nullptr); + + // Try to get both sockets + auto retrieved_socket1 = socket_manager->getConnectionSocket("node-789"); + EXPECT_NE(retrieved_socket1, nullptr); + + auto retrieved_socket2 = socket_manager->getConnectionSocket("node-123"); + EXPECT_NE(retrieved_socket2, nullptr); + + // Verify cross-worker stats were updated correctly for both connections + auto* extension = socket_manager->getUpstreamExtension(); + ASSERT_NE(extension, nullptr); + + // Get cross-worker stats to verify both connections were counted + auto cross_worker_stat_map = extension->getCrossWorkerStatMap(); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.nodes.node-789"], 1); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-456"], 1); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.nodes.node-123"], 1); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-789"], 1); +} + +} // namespace ReverseConn +} // namespace HttpFilters +} // namespace Extensions +} // namespace Envoy \ No newline at end of file From 55ef0befde07d1cc86c132b5e5885208b1a3f108 Mon Sep 17 00:00:00 2001 From: Greg Greenway Date: Mon, 28 Jul 2025 13:47:21 -0700 Subject: [PATCH 099/505] Fix reviewers.yaml opsgenie name (#40470) Signed-off-by: Greg Greenway --- reviewers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reviewers.yaml b/reviewers.yaml index a60c034d715f3..eb733f4354abd 100644 --- a/reviewers.yaml +++ b/reviewers.yaml @@ -73,7 +73,7 @@ silverstar194: slack: U03LNPC8JN9 tonya11en: maintainer: true - opsgenie: Tony + opsgenie: tony slack: U989BG2CW tyxia: maintainer: true From 7d45be5107a15e28708a720103ca43aff2d53227 Mon Sep 17 00:00:00 2001 From: botengyao Date: Mon, 28 Jul 2025 19:13:35 -0400 Subject: [PATCH 100/505] runtime: remove envoy.reloadable_features.dfp_fail_on_empty_host_header (#40445) --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../http/dynamic_forward_proxy/proxy_filter.cc | 12 +++++------- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index ca318c957369b..fd556d4d14fbf 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -23,6 +23,9 @@ removed_config_or_runtime: - area: http_connection_manager change: | Removed runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` and legacy code paths. +- area: dfp + change: | + Removed runtime guard ``envoy.reloadable_features.dfp_fail_on_empty_host_header`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 6ef25df359248..b5d6334c5b32e 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -34,7 +34,6 @@ RUNTIME_GUARD(envoy_reloadable_features_allow_alt_svc_for_ips); RUNTIME_GUARD(envoy_reloadable_features_async_host_selection); RUNTIME_GUARD(envoy_reloadable_features_dfp_cluster_resolves_hosts); -RUNTIME_GUARD(envoy_reloadable_features_dfp_fail_on_empty_host_header); RUNTIME_GUARD(envoy_reloadable_features_disallow_quic_client_udp_mmsg); RUNTIME_GUARD(envoy_reloadable_features_enable_cel_regex_precompilation); RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); diff --git a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc index f96af1630070f..8d4f82ad5abcc 100644 --- a/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc +++ b/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc @@ -303,13 +303,11 @@ Http::FilterHeadersStatus ProxyFilter::decodeHeaders(Http::RequestHeaderMap& hea latchTime(decoder_callbacks_, DNS_START); const bool is_proxying = isProxying(); - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dfp_fail_on_empty_host_header")) { - if (headers.Host()->value().getStringView().empty()) { - decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, - ResponseStrings::get().EmptyHostHeader, nullptr, - absl::nullopt, RcDetails::get().EmptyHostHeader); - return Http::FilterHeadersStatus::StopIteration; - } + if (headers.Host()->value().getStringView().empty()) { + decoder_callbacks_->sendLocalReply(Http::Code::BadRequest, + ResponseStrings::get().EmptyHostHeader, nullptr, + absl::nullopt, RcDetails::get().EmptyHostHeader); + return Http::FilterHeadersStatus::StopIteration; } // Get host value from the request headers. From 82f5ca90685494c8f9e03df34ebea152fdb74e25 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 29 Jul 2025 05:54:39 +0000 Subject: [PATCH 101/505] reverse conn filter unit test wip Signed-off-by: Basundhara Chakrabarty --- .../reverse_conn/reverse_conn_filter_test.cc | 40 ++++++++++++++++--- 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc index 71fe757a8ba83..81de059c97734 100644 --- a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -239,20 +239,24 @@ class ReverseConnFilterTest : public testing::Test { NiceMock dispatcher_{"test_dispatcher"}; // Mock socket for testing - std::unique_ptr> mock_socket_; + std::unique_ptr mock_socket_; std::unique_ptr> mock_io_handle_; // Helper method to set up socket mock void setupSocketMock() { - mock_socket_ = std::make_unique>(); + // Create a mock socket that inherits from ConnectionSocket + auto mock_socket_ptr = std::make_unique>(); mock_io_handle_ = std::make_unique>(); EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); - EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); - mock_socket_->io_handle_ = std::move(mock_io_handle_); + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); - // Set up connection to return the mock socket - EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(*mock_socket_)); + // Cast the mock to the base ConnectionSocket type + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection to return the socket - return reference to the unique_ptr + EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); } // Thread local components for testing upstream socket manager @@ -424,6 +428,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); + // Set up socket mock + setupSocketMock(); + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); @@ -455,12 +462,18 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { // Test acceptReverseConnection with invalid protobuf data TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobuf) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + auto filter = createFilter(); // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength("50"); + // Set up socket mock + setupSocketMock(); + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); @@ -482,6 +495,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobuf) { // Test acceptReverseConnection with empty node_uuid in protobuf TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { + // Set up thread local slot for upstream socket manager + setupThreadLocalSlot(); + auto filter = createFilter(); // Create protobuf with empty node_uuid @@ -495,6 +511,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); + // Set up socket mock + setupSocketMock(); + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); @@ -643,6 +662,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionCrossWorkerStats) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); + // Set up socket mock + setupSocketMock(); + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); @@ -683,6 +705,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta auto headers1 = createHeaders("POST", "/reverse_connections/request"); headers1.setContentLength(std::to_string(handshake_arg1.length())); + // Set up socket mock for first connection + setupSocketMock(); + Http::FilterHeadersStatus header_status1 = filter1->decodeHeaders(headers1, false); EXPECT_EQ(header_status1, Http::FilterHeadersStatus::StopIteration); @@ -696,6 +721,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta auto headers2 = createHeaders("POST", "/reverse_connections/request"); headers2.setContentLength(std::to_string(handshake_arg2.length())); + // Set up socket mock for second connection + setupSocketMock(); + Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); From 3c0e76f214333fb49bc618c0807dac07dbdbce0f Mon Sep 17 00:00:00 2001 From: Shreyas Nahar <55868454+shreyasnahar@users.noreply.github.com> Date: Tue, 29 Jul 2025 14:35:53 +0100 Subject: [PATCH 102/505] config-dump: support endpoint level load stats reporting (#39406) Signed-off-by: Shreyas Nahar Co-authored-by: Shreyas Nahar --- changelogs/current.yaml | 4 + source/common/upstream/load_stats_reporter.cc | 76 ++++++--- test/common/upstream/BUILD | 1 + .../upstream/load_stats_reporter_test.cc | 149 +++++++++++++++++- .../load_stats_integration_test.cc | 49 +++++- 5 files changed, 257 insertions(+), 22 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index fd556d4d14fbf..4052543f0ca68 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -67,5 +67,9 @@ new_features: - area: dns_filter, redis_proxy and prefix_matcher_map change: | Switch to using Radix Tree instead of Trie for performance improvements. +- area: load_reporting + change: | + Added support for endpoint-level load stats and metrics reporting. Locality load reports now include per + endpoint statistics and metrics, but only for endpoints with updated stats, optimizing report size and efficiency. deprecated: diff --git a/source/common/upstream/load_stats_reporter.cc b/source/common/upstream/load_stats_reporter.cc index c77d099caf9b5..e26f8e47006ca 100644 --- a/source/common/upstream/load_stats_reporter.cc +++ b/source/common/upstream/load_stats_reporter.cc @@ -3,6 +3,7 @@ #include "envoy/service/load_stats/v3/lrs.pb.h" #include "envoy/stats/scope.h" +#include "source/common/network/utility.h" #include "source/common/protobuf/protobuf.h" namespace Envoy { @@ -84,48 +85,84 @@ void LoadStatsReporter::sendLoadStatsRequest() { uint64_t rq_active = 0; uint64_t rq_issued = 0; LoadMetricStats::StatMap load_metrics; + + envoy::config::endpoint::v3::UpstreamLocalityStats locality_stats; + locality_stats.mutable_locality()->MergeFrom(hosts[0]->locality()); + locality_stats.set_priority(host_set->priority()); + for (const HostSharedPtr& host : hosts) { uint64_t host_rq_success = host->stats().rq_success_.latch(); uint64_t host_rq_error = host->stats().rq_error_.latch(); uint64_t host_rq_active = host->stats().rq_active_.value(); uint64_t host_rq_issued = host->stats().rq_total_.latch(); - rq_success += host_rq_success; - rq_error += host_rq_error; - rq_active += host_rq_active; - rq_issued += host_rq_issued; - if (host_rq_success + host_rq_error + host_rq_active != 0) { + + // Check if the host has any load stats updates. If the host has no load stats updates, we + // skip it. + bool endpoint_has_updates = + (host_rq_success + host_rq_error + host_rq_active + host_rq_issued) != 0; + + if (endpoint_has_updates) { + rq_success += host_rq_success; + rq_error += host_rq_error; + rq_active += host_rq_active; + rq_issued += host_rq_issued; + + envoy::config::endpoint::v3::UpstreamEndpointStats* upstream_endpoint_stats = nullptr; + // Set the upstream endpoint stats if we are reporting endpoint granularity. + if (message_ && message_->report_endpoint_granularity()) { + upstream_endpoint_stats = locality_stats.add_upstream_endpoint_stats(); + Network::Utility::addressToProtobufAddress( + *host->address(), *upstream_endpoint_stats->mutable_address()); + upstream_endpoint_stats->set_total_successful_requests(host_rq_success); + upstream_endpoint_stats->set_total_error_requests(host_rq_error); + upstream_endpoint_stats->set_total_requests_in_progress(host_rq_active); + upstream_endpoint_stats->set_total_issued_requests(host_rq_issued); + } + const std::unique_ptr latched_stats = host->loadMetricStats().latch(); if (latched_stats != nullptr) { for (const auto& metric : *latched_stats) { - const std::string& name = metric.first; - LoadMetricStats::Stat& stat = load_metrics[name]; - stat.num_requests_with_metric += metric.second.num_requests_with_metric; - stat.total_metric_value += metric.second.total_metric_value; + const auto& metric_name = metric.first; + const auto& metric_value = metric.second; + + // Add the metric to the load metrics map. + LoadMetricStats::Stat& stat = load_metrics[metric_name]; + stat.num_requests_with_metric += metric_value.num_requests_with_metric; + stat.total_metric_value += metric_value.total_metric_value; + + // If we are reporting endpoint granularity, add the metric to the upstream endpoint + // stats. + if (upstream_endpoint_stats != nullptr) { + auto* endpoint_load_metric = upstream_endpoint_stats->add_load_metric_stats(); + endpoint_load_metric->set_metric_name(metric_name); + endpoint_load_metric->set_num_requests_finished_with_metric( + metric_value.num_requests_with_metric); + endpoint_load_metric->set_total_metric_value(metric_value.total_metric_value); + } } } } } + bool should_send_locality_stats = rq_success + rq_error + rq_active != 0; if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.report_load_with_rq_issued")) { should_send_locality_stats = rq_issued != 0; } if (should_send_locality_stats) { - auto* locality_stats = cluster_stats->add_upstream_locality_stats(); - locality_stats->mutable_locality()->MergeFrom(hosts[0]->locality()); - locality_stats->set_priority(host_set->priority()); - locality_stats->set_total_successful_requests(rq_success); - locality_stats->set_total_error_requests(rq_error); - locality_stats->set_total_requests_in_progress(rq_active); - locality_stats->set_total_issued_requests(rq_issued); + locality_stats.set_total_successful_requests(rq_success); + locality_stats.set_total_error_requests(rq_error); + locality_stats.set_total_requests_in_progress(rq_active); + locality_stats.set_total_issued_requests(rq_issued); for (const auto& metric : load_metrics) { - auto* load_metric_stats = locality_stats->add_load_metric_stats(); + auto* load_metric_stats = locality_stats.add_load_metric_stats(); load_metric_stats->set_metric_name(metric.first); load_metric_stats->set_num_requests_finished_with_metric( metric.second.num_requests_with_metric); load_metric_stats->set_total_metric_value(metric.second.total_metric_value); } + cluster_stats->add_upstream_locality_stats()->MergeFrom(locality_stats); } } } @@ -150,8 +187,8 @@ void LoadStatsReporter::sendLoadStatsRequest() { ENVOY_LOG(trace, "Sending LoadStatsRequest: {}", request_.DebugString()); stream_->sendMessage(request_, false); stats_.responses_.inc(); - // When the connection is established, the message has not yet been read so we - // will not have a load reporting period. + // When the connection is established, the message has not yet been read so we will not have a + // load reporting period. if (message_) { startLoadReportPeriod(); } @@ -261,6 +298,5 @@ void LoadStatsReporter::onRemoteClose(Grpc::Status::GrpcStatus status, const std setRetryTimer(); } } - } // namespace Upstream } // namespace Envoy diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 7d4d3a773b6af..80faff971f2e9 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -386,6 +386,7 @@ envoy_cc_test( srcs = ["load_stats_reporter_test.cc"], rbe_pool = "6gig", deps = [ + "//source/common/network:address_lib", "//source/common/stats:stats_lib", "//source/common/upstream:load_stats_reporter_lib", "//test/common/upstream:utility_lib", diff --git a/test/common/upstream/load_stats_reporter_test.cc b/test/common/upstream/load_stats_reporter_test.cc index effafb0a79476..949b42a00e426 100644 --- a/test/common/upstream/load_stats_reporter_test.cc +++ b/test/common/upstream/load_stats_reporter_test.cc @@ -3,6 +3,7 @@ #include "envoy/config/endpoint/v3/load_report.pb.h" #include "envoy/service/load_stats/v3/lrs.pb.h" +#include "source/common/network/address_impl.h" #include "source/common/upstream/load_stats_reporter.h" #include "test/common/upstream/utility.h" @@ -63,10 +64,12 @@ class LoadStatsReporterTest : public testing::Test { sendMessageRaw_(Grpc::ProtoBufferEqIgnoreRepeatedFieldOrdering(expected_request), false)); } - void deliverLoadStatsResponse(const std::vector& cluster_names) { + void deliverLoadStatsResponse(const std::vector& cluster_names, + bool report_endpoint_granularity = false) { std::unique_ptr response( new envoy::service::load_stats::v3::LoadStatsResponse()); response->mutable_load_reporting_interval()->set_seconds(42); + response->set_report_endpoint_granularity(report_endpoint_granularity); std::copy(cluster_names.begin(), cluster_names.end(), Protobuf::RepeatedPtrFieldBackInserter(response->mutable_clusters())); @@ -74,6 +77,16 @@ class LoadStatsReporterTest : public testing::Test { load_stats_reporter_->onReceiveMessage(std::move(response)); } + void + addEndpointStatExpectation(envoy::config::endpoint::v3::UpstreamEndpointStats* endpoint_stats, + const std::string& metric_name, uint64_t rq_count, + double total_value) { + auto* metric = endpoint_stats->add_load_metric_stats(); + metric->set_metric_name(metric_name); + metric->set_num_requests_finished_with_metric(rq_count); + metric->set_total_metric_value(total_value); + } + void setDropOverload(envoy::config::endpoint::v3::ClusterStats& cluster_stats, uint64_t count) { auto* dropped_request = cluster_stats.add_dropped_requests(); dropped_request->set_category("drop_overload"); @@ -250,6 +263,10 @@ HostSharedPtr makeTestHost(const std::string& hostname, const auto host = std::make_shared>(); ON_CALL(*host, hostname()).WillByDefault(::testing::ReturnRef(hostname)); ON_CALL(*host, locality()).WillByDefault(::testing::ReturnRef(locality)); + + // Use a concrete Ipv4Instance instead of a mock address + auto address = std::make_shared("127.0.0.1", 80); + ON_CALL(*host, address()).WillByDefault(::testing::Return(address)); return host; } @@ -279,6 +296,136 @@ void addStatExpectation(envoy::config::endpoint::v3::UpstreamLocalityStats* stat metric->set_total_metric_value(total_metric_value); } +// This test validates that the LoadStatsReporter correctly handles and reports +// endpoint-level granularity load metrics when the feature is enabled. It sets +// up a cluster with a host, simulates load metrics, and ensures that the +// generated load report includes the expected endpoint-level statistics. +TEST_F(LoadStatsReporterTest, EndpointLevelLoadStatsReporting) { + // Enable endpoint granularity + EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); + expectSendMessage({}); + createLoadStatsReporter(); + time_system_.setMonotonicTime(std::chrono::microseconds(100)); + + NiceMock cluster; + MockHostSet& host_set = *cluster.prioritySet().getMockHostSet(0); + ::envoy::config::core::v3::Locality locality; + locality.set_region("test_region"); + + // Create two hosts with different metric values + HostSharedPtr host1 = makeTestHost("host1", locality); + HostSharedPtr host2 = makeTestHost("host2", locality); + host_set.hosts_per_locality_ = makeHostsPerLocality({{host1, host2}}); + addStats(host1, 10.0); // metric_a = 10.0 + addStats(host2, 20.0); // metric_a = 20.0 + + cluster.info_->eds_service_name_ = "eds_service_for_foo"; + + ON_CALL(cm_, getActiveCluster("foo")) + .WillByDefault(Return(OptRef(cluster))); + deliverLoadStatsResponse({"foo"}, true); + time_system_.setMonotonicTime(std::chrono::microseconds(101)); + { + envoy::config::endpoint::v3::ClusterStats expected_cluster_stats; + + expected_cluster_stats.set_cluster_name("foo"); + expected_cluster_stats.set_cluster_service_name("eds_service_for_foo"); + expected_cluster_stats.mutable_load_report_interval()->MergeFrom( + Protobuf::util::TimeUtil::MicrosecondsToDuration(1)); + + auto* expected_locality_stats = expected_cluster_stats.add_upstream_locality_stats(); + expected_locality_stats->mutable_locality()->MergeFrom(locality); + expected_locality_stats->set_priority(0); + expected_locality_stats->set_total_successful_requests(2); + expected_locality_stats->set_total_issued_requests(2); + // Locality metric is the sum + addStatExpectation(expected_locality_stats, "metric_a", 2, 30.0); + + // Endpoint 1 + auto* endpoint_stats1 = expected_locality_stats->add_upstream_endpoint_stats(); + endpoint_stats1->mutable_address()->mutable_socket_address()->set_address("127.0.0.1"); + endpoint_stats1->mutable_address()->mutable_socket_address()->set_port_value(80); + endpoint_stats1->set_total_successful_requests(1); + endpoint_stats1->set_total_issued_requests(1); + addEndpointStatExpectation(endpoint_stats1, "metric_a", 1, 10.0); + + // Endpoint 2 + auto* endpoint_stats2 = expected_locality_stats->add_upstream_endpoint_stats(); + endpoint_stats2->mutable_address()->mutable_socket_address()->set_address("127.0.0.1"); + endpoint_stats2->mutable_address()->mutable_socket_address()->set_port_value(80); + endpoint_stats2->set_total_successful_requests(1); + endpoint_stats2->set_total_issued_requests(1); + addEndpointStatExpectation(endpoint_stats2, "metric_a", 1, 20.0); + + std::vector expected_cluster_stats_vector = { + expected_cluster_stats}; + + expectSendMessage(expected_cluster_stats_vector); + } + EXPECT_CALL(*response_timer_, enableTimer(std::chrono::milliseconds(42000), _)); + response_timer_cb_(); +} + +// This test validates that endpoint stats are not reported if the endpoint has no load stat +// updates. +TEST_F(LoadStatsReporterTest, EndpointLevelLoadStatsReportingNoUpdate) { + // Enable endpoint granularity + EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_)); + expectSendMessage({}); + createLoadStatsReporter(); + time_system_.setMonotonicTime(std::chrono::microseconds(100)); + + NiceMock cluster; + MockHostSet& host_set = *cluster.prioritySet().getMockHostSet(0); + ::envoy::config::core::v3::Locality locality; + locality.set_region("test_region"); + + // Create two hosts, but only one will have stats. + HostSharedPtr host1 = makeTestHost("host1", locality); + HostSharedPtr host2 = makeTestHost("host2", locality); + host_set.hosts_per_locality_ = makeHostsPerLocality({{host1, host2}}); + addStats(host1, 10.0); + // Host2 has no updates. Its stats are all 0 and will be latched as such. + + cluster.info_->eds_service_name_ = "eds_service_for_foo"; + + ON_CALL(cm_, getActiveCluster("foo")) + .WillByDefault(Return(OptRef(cluster))); + deliverLoadStatsResponse({"foo"}, true); + time_system_.setMonotonicTime(std::chrono::microseconds(101)); + { + envoy::config::endpoint::v3::ClusterStats expected_cluster_stats; + + expected_cluster_stats.set_cluster_name("foo"); + expected_cluster_stats.set_cluster_service_name("eds_service_for_foo"); + expected_cluster_stats.mutable_load_report_interval()->MergeFrom( + Protobuf::util::TimeUtil::MicrosecondsToDuration(1)); + + auto* expected_locality_stats = expected_cluster_stats.add_upstream_locality_stats(); + expected_locality_stats->mutable_locality()->MergeFrom(locality); + expected_locality_stats->set_priority(0); + // Locality stats should only reflect host1. + expected_locality_stats->set_total_successful_requests(1); + expected_locality_stats->set_total_issued_requests(1); + addStatExpectation(expected_locality_stats, "metric_a", 1, 10.0); + + // Only Endpoint 1 should be in the report. + auto* endpoint_stats1 = expected_locality_stats->add_upstream_endpoint_stats(); + endpoint_stats1->mutable_address()->mutable_socket_address()->set_address("127.0.0.1"); + endpoint_stats1->mutable_address()->mutable_socket_address()->set_port_value(80); + endpoint_stats1->set_total_successful_requests(1); + endpoint_stats1->set_total_issued_requests(1); + addEndpointStatExpectation(endpoint_stats1, "metric_a", 1, 10.0); + + std::vector expected_cluster_stats_vector = { + expected_cluster_stats}; + + expectSendMessage(expected_cluster_stats_vector); + } + EXPECT_CALL(*response_timer_, enableTimer(std::chrono::milliseconds(42000), _)); + response_timer_cb_(); +} + class LoadStatsReporterTestWithRqTotal : public LoadStatsReporterTest, public testing::WithParamInterface { public: diff --git a/test/integration/load_stats_integration_test.cc b/test/integration/load_stats_integration_test.cc index 9f9fad52f677a..942cb92f03b60 100644 --- a/test/integration/load_stats_integration_test.cc +++ b/test/integration/load_stats_integration_test.cc @@ -354,7 +354,8 @@ class LoadStatsIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, } void requestLoadStatsResponse(const std::vector& clusters, - bool send_all_clusters = false) { + bool send_all_clusters = false, + bool report_endpoint_granularity = false) { envoy::service::load_stats::v3::LoadStatsResponse loadstats_response; loadstats_response.mutable_load_reporting_interval()->MergeFrom( Protobuf::util::TimeUtil::MillisecondsToDuration(load_report_interval_ms_)); @@ -364,6 +365,7 @@ class LoadStatsIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, if (send_all_clusters) { loadstats_response.set_send_all_clusters(true); } + loadstats_response.set_report_endpoint_granularity(report_endpoint_granularity); loadstats_stream_->sendGrpcMessage(loadstats_response); // Wait until the request has been received by Envoy. test_server_->waitForCounterGe("load_reporter.requests", ++load_requests_); @@ -907,5 +909,50 @@ TEST_P(LoadStatsIntegrationTest, SuccessWithCustomMetricsNotSent) { cleanupLoadStatsConnection(); } +// Validate basic endpoint-level load stats reporting with successful and failing requests. +TEST_P(LoadStatsIntegrationTest, EndpointLevelStatsReportingSuccessAndFailure) { + initialize(); + + waitForLoadStatsStream(); + ASSERT_TRUE(waitForLoadStatsRequest({})); + loadstats_stream_->startGrpcStream(); + + // Tell Envoy to report for cluster_0 and enable endpoint granularity. + requestLoadStatsResponse({"cluster_0"}, false /*send_all_clusters*/, + true /*report_endpoint_granularity*/); + + // Configure cluster_0 with one endpoint (service_upstream_[0], which is fake_upstreams_[1]) + // in the "winter" locality. + updateClusterLoadAssignment({{0}}, {}, {}, {}); + test_server_->waitForGaugeEq("cluster.cluster_0.membership_total", 1); + + sendAndReceiveUpstream(0, 200, false /*send_orca_load_report*/); + sendAndReceiveUpstream(0, 503, false /*send_orca_load_report*/); + + // Construct the expected UpstreamLocalityStats with one UpstreamEndpointStats. + // Total: 1 success, 1 error, 2 issued. + envoy::config::endpoint::v3::UpstreamLocalityStats uls = + localityStats("winter", 1 /*success*/, 1 /*error*/, 0 /*active*/, 2 /*issued*/); + + auto* eps = uls.add_upstream_endpoint_stats(); + + const auto& endpoint_address = fake_upstreams_[1]->localAddress(); + eps->mutable_address()->mutable_socket_address()->set_address( + endpoint_address->ip()->addressAsString()); + eps->mutable_address()->mutable_socket_address()->set_port_value(endpoint_address->ip()->port()); + eps->set_total_successful_requests(1); + eps->set_total_error_requests(1); + eps->set_total_issued_requests(2); + + std::vector expected_uls_vector = {uls}; + ASSERT_TRUE(waitForLoadStatsRequest(expected_uls_vector)); + + EXPECT_EQ(1, test_server_->counter("load_reporter.requests")->value()); + EXPECT_EQ(2, test_server_->counter("load_reporter.responses")->value()); + EXPECT_EQ(0, test_server_->counter("load_reporter.errors")->value()); + + cleanupLoadStatsConnection(); +} + } // namespace } // namespace Envoy From a904ce4ade49e777d4dfefca91d4067dcf9b394f Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 29 Jul 2025 10:50:19 -0400 Subject: [PATCH 103/505] proto-hash: validate that Any unpacking is successful (#40475) This PR adds a protobuf Any unpacking validation for the deteriminstic-hash for protos function. Risk Level: low Testing: Added unit tests. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- source/common/protobuf/deterministic_hash.cc | 4 +++- test/common/protobuf/deterministic_hash_test.cc | 15 +++++++++++++++ .../common/protobuf/deterministic_hash_test.proto | 1 + 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/source/common/protobuf/deterministic_hash.cc b/source/common/protobuf/deterministic_hash.cc index 62fa7a5745153..8e8c399d9fe8d 100644 --- a/source/common/protobuf/deterministic_hash.cc +++ b/source/common/protobuf/deterministic_hash.cc @@ -189,7 +189,9 @@ std::unique_ptr unpackAnyForReflection(const ProtobufWkt::Any Protobuf::MessageFactory::generated_factory()->GetPrototype(descriptor); ASSERT(prototype != nullptr, "should be impossible since the descriptor is known"); std::unique_ptr msg(prototype->New()); - any.UnpackTo(msg.get()); + if (!any.UnpackTo(msg.get())) { + return nullptr; + } return msg; } diff --git a/test/common/protobuf/deterministic_hash_test.cc b/test/common/protobuf/deterministic_hash_test.cc index f5ebf94a18060..c2b1028d44fb6 100644 --- a/test/common/protobuf/deterministic_hash_test.cc +++ b/test/common/protobuf/deterministic_hash_test.cc @@ -499,5 +499,20 @@ TEST(HashTest, AnyWithKnownTypeMismatch) { EXPECT_NE(hash(a1), hash(a2)); } +TEST(HashTest, ValidateRepeatedAnyMismatchingType) { + deterministichashtest::AnyContainer a1, a2; + deterministichashtest::Recursion value; + value.set_index(1); + a1.mutable_any()->PackFrom(value); + a2.mutable_any()->PackFrom(value); + // Set a2 Any to a mismatching invalid type. + a2.mutable_any()->set_type_url("RawMessage"); + EXPECT_NE(hash(a1), hash(a2)); + + // Set a2 Any to a mismatching valid type. + a2.mutable_any()->set_type_url("google.protobuf.Struct"); + EXPECT_NE(hash(a1), hash(a2)); +} + } // namespace DeterministicProtoHash } // namespace Envoy diff --git a/test/common/protobuf/deterministic_hash_test.proto b/test/common/protobuf/deterministic_hash_test.proto index 5f56d35d41b01..09e64b20c8f32 100644 --- a/test/common/protobuf/deterministic_hash_test.proto +++ b/test/common/protobuf/deterministic_hash_test.proto @@ -36,6 +36,7 @@ message RepeatedFields { repeated float floats = 9; repeated FooEnum enums = 10; repeated Recursion messages = 11; + repeated AnyContainer anys = 12; }; message SingleFields { From aef0df7ff06bb7a1dbbd61d20e4f81dfe6437fca Mon Sep 17 00:00:00 2001 From: code Date: Tue, 29 Jul 2025 23:57:47 +0800 Subject: [PATCH 104/505] tracing: clean up code of fluentd to eliminate unnecessary copy/construction (#40424) Clean up the code of fluentd to eliminate unnecessary copy/constructing and all unnecessary thao code. Risk Level: n/a. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Signed-off-by: wangbaiping(wbpcode) --- .../tracers/fluentd/fluentd_tracer_impl.cc | 83 +++++++------------ .../tracers/fluentd/fluentd_tracer_impl.h | 44 +++++----- .../tracers/fluentd/tracer_impl_test.cc | 40 ++++----- .../fluentd/tracer_integration_test.cc | 2 - 4 files changed, 66 insertions(+), 103 deletions(-) diff --git a/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc b/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc index 9f843583a3c25..5f42841ff65ea 100644 --- a/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc +++ b/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc @@ -150,17 +150,12 @@ Tracing::SpanPtr Driver::startSpan(const Tracing::Config& /*config*/, SpanContextExtractor extractor(trace_context); if (!extractor.propagationHeaderPresent()) { // No propagation header, so we can create a fresh span with the given decision. - - return tracer.startSpan(trace_context, stream_info.startTime(), operation_name, - tracing_decision); + return tracer.startSpan(stream_info.startTime(), operation_name, tracing_decision); } else { // Try to extract the span context. If we can't, just return a null span. absl::StatusOr span_context = extractor.extractSpanContext(); if (span_context.ok()) { - - return tracer.startSpan(trace_context, stream_info.startTime(), operation_name, - tracing_decision, span_context.value()); - + return tracer.startSpan(stream_info.startTime(), operation_name, span_context.value()); } else { ENVOY_LOG(trace, "Unable to extract span context: ", span_context.status()); return std::make_unique(); @@ -186,12 +181,10 @@ FluentdTracerImpl::FluentdTracerImpl(Upstream::ThreadLocalCluster& cluster, time_source_(dispatcher.timeSource()) {} // Initialize a span object -Span::Span(Tracing::TraceContext& trace_context, SystemTime start_time, - const std::string& operation_name, Tracing::Decision tracing_decision, - FluentdTracerSharedPtr tracer, const SpanContext& span_context, TimeSource& time_source) - : trace_context_(trace_context), start_time_(start_time), operation_(operation_name), - tracing_decision_(tracing_decision), tracer_(tracer), span_context_(span_context), - time_source_(time_source) {} +Span::Span(SystemTime start_time, const std::string& operation_name, FluentdTracerSharedPtr tracer, + SpanContext&& span_context, TimeSource& time_source) + : start_time_(start_time), operation_(operation_name), tracer_(std::move(tracer)), + span_context_(std::move(span_context)), time_source_(time_source) {} // Set the operation name for the span void Span::setOperation(absl::string_view operation) { operation_ = std::string(operation); } @@ -220,19 +213,14 @@ void Span::finishSpan() { .count(); // Make the record map - std::map record_map; + std::map record_map = std::move(tags_); record_map["operation"] = operation_; record_map["trace_id"] = span_context_.traceId(); - record_map["span_id"] = span_context_.parentId(); + record_map["span_id"] = span_context_.spanId(); record_map["start_time"] = std::to_string( std::chrono::duration_cast(start_time_.time_since_epoch()).count()); record_map["end_time"] = std::to_string(time); - // Add the tags to the record map - for (const auto& tag : tags_) { - record_map[tag.first] = tag.second; - } - EntryPtr entry = std::make_unique(time, std::move(record_map)); tracer_->log(std::move(entry)); @@ -243,30 +231,26 @@ void Span::injectContext(Tracing::TraceContext& trace_context, const Tracing::UpstreamContext& /*upstream*/) { std::string trace_id_hex = span_context_.traceId(); - std::string parent_id_hex = span_context_.parentId(); + std::string span_id_hex = span_context_.spanId(); std::vector trace_flags_vec{sampled()}; std::string trace_flags_hex = Hex::encode(trace_flags_vec); std::string traceparent_header_value = - absl::StrCat(kDefaultVersion, "-", trace_id_hex, "-", parent_id_hex, "-", trace_flags_hex); + absl::StrCat(kDefaultVersion, "-", trace_id_hex, "-", span_id_hex, "-", trace_flags_hex); // Set the traceparent in the trace_context. traceParentHeader().setRefKey(trace_context, traceparent_header_value); - // Also set the tracestate. - traceStateHeader().setRefKey(trace_context, span_context_.tracestate()); + if (!span_context_.tracestate().empty()) { + // Also set the tracestate. + traceStateHeader().setRefKey(trace_context, span_context_.tracestate()); + } } // Spawns a child span Tracing::SpanPtr Span::spawnChild(const Tracing::Config&, const std::string& name, SystemTime start_time) { - SpanContext span_context = - SpanContext(kDefaultVersion, span_context_.traceId(), span_context_.parentId(), sampled(), - span_context_.tracestate()); - return tracer_->startSpan(trace_context_, start_time, name, tracing_decision_, span_context); + return tracer_->startSpan(start_time, name, span_context_); } -// Set the sampled flag for the span -void Span::setSampled(bool sampled) { sampled_ = sampled; } - std::string Span::getBaggage(absl::string_view /*key*/) { // not implemented return EMPTY_STRING; @@ -278,11 +262,10 @@ void Span::setBaggage(absl::string_view /*key*/, absl::string_view /*value*/) { std::string Span::getTraceId() const { return span_context_.traceId(); } -std::string Span::getSpanId() const { return span_context_.parentId(); } +std::string Span::getSpanId() const { return span_context_.spanId(); } // Start a new span with no parent context -Tracing::SpanPtr FluentdTracerImpl::startSpan(Tracing::TraceContext& trace_context, - SystemTime start_time, +Tracing::SpanPtr FluentdTracerImpl::startSpan(SystemTime start_time, const std::string& operation_name, Tracing::Decision tracing_decision) { // make a new span context @@ -290,34 +273,24 @@ Tracing::SpanPtr FluentdTracerImpl::startSpan(Tracing::TraceContext& trace_conte uint64_t trace_id = random_.random(); uint64_t span_id = random_.random(); - SpanContext span_context = SpanContext( + SpanContext span_context( kDefaultVersion, absl::StrCat(Hex::uint64ToHex(trace_id_high), Hex::uint64ToHex(trace_id)), Hex::uint64ToHex(span_id), tracing_decision.traced, ""); - Span new_span(trace_context, start_time, operation_name, tracing_decision, shared_from_this(), - span_context, time_source_); - - new_span.setSampled(tracing_decision.traced); - - return std::make_unique(new_span); + return std::make_unique(start_time, operation_name, shared_from_this(), + std::move(span_context), time_source_); } // Start a new span with a parent context -Tracing::SpanPtr FluentdTracerImpl::startSpan(Tracing::TraceContext& trace_context, - SystemTime start_time, +Tracing::SpanPtr FluentdTracerImpl::startSpan(SystemTime start_time, const std::string& operation_name, - Tracing::Decision tracing_decision, - const SpanContext& previous_span_context) { - SpanContext span_context = SpanContext( - kDefaultVersion, previous_span_context.traceId(), Hex::uint64ToHex(random_.random()), - previous_span_context.sampled(), previous_span_context.tracestate()); - - Span new_span(trace_context, start_time, operation_name, tracing_decision, shared_from_this(), - span_context, time_source_); - - new_span.setSampled(previous_span_context.sampled()); - - return std::make_unique(new_span); + const SpanContext& parent_context) { + // Generate a new span context with new span id based on the parent context. + SpanContext span_context(kDefaultVersion, parent_context.traceId(), + Hex::uint64ToHex(random_.random()), parent_context.sampled(), + parent_context.tracestate()); + return std::make_unique(start_time, operation_name, shared_from_this(), + std::move(span_context), time_source_); } void FluentdTracerImpl::packMessage(MessagePackPacker& packer) { diff --git a/source/extensions/tracers/fluentd/fluentd_tracer_impl.h b/source/extensions/tracers/fluentd/fluentd_tracer_impl.h index 70800414188c7..2fa449f3c5a51 100644 --- a/source/extensions/tracers/fluentd/fluentd_tracer_impl.h +++ b/source/extensions/tracers/fluentd/fluentd_tracer_impl.h @@ -29,27 +29,28 @@ using FluentdConfigSharedPtr = std::shared_ptr; class SpanContext { public: SpanContext() = default; - SpanContext(absl::string_view version, absl::string_view trace_id, absl::string_view parent_id, - bool sampled, absl::string_view tracestate) - : version_(version), trace_id_(trace_id), parent_id_(parent_id), sampled_(sampled), - tracestate_(tracestate) {} + SpanContext(absl::string_view version, absl::string_view trace_id, absl::string_view span_id, + bool sampled, std::string tracestate) + : version_(version), trace_id_(trace_id), span_id_(span_id), sampled_(sampled), + tracestate_(std::move(tracestate)) {} const std::string& version() const { return version_; } const std::string& traceId() const { return trace_id_; } - const std::string& parentId() const { return parent_id_; } + const std::string& spanId() const { return span_id_; } bool sampled() const { return sampled_; } + void setSampled(bool sampled) { sampled_ = sampled; } const std::string& tracestate() const { return tracestate_; } private: - const std::string version_; - const std::string trace_id_; - const std::string parent_id_; - const bool sampled_{false}; - const std::string tracestate_; + std::string version_; + std::string trace_id_; + std::string span_id_; + bool sampled_{false}; + std::string tracestate_; }; // Trace context definitions @@ -82,14 +83,13 @@ class FluentdTracerImpl : public FluentdBase, BackOffStrategyPtr backoff_strategy, Stats::Scope& parent_scope, Random::RandomGenerator& random); - Tracing::SpanPtr startSpan(Tracing::TraceContext& trace_context, SystemTime start_time, - const std::string& operation_name, Tracing::Decision tracing_decision); + Tracing::SpanPtr startSpan(SystemTime start_time, const std::string& operation_name, + Tracing::Decision tracing_decision); - Tracing::SpanPtr startSpan(Tracing::TraceContext& trace_context, SystemTime start_time, - const std::string& operation_name, Tracing::Decision tracing_decision, - const SpanContext& previous_span_context); + Tracing::SpanPtr startSpan(SystemTime start_time, const std::string& operation_name, + const SpanContext& parent_context); - void packMessage(MessagePackPacker& packer); + void packMessage(MessagePackPacker& packer) override; private: std::map option_; @@ -157,9 +157,8 @@ class Driver : Logger::Loggable, public Tracing::Driver { // Span holds the span context and handles span operations class Span : public Tracing::Span { public: - Span(Tracing::TraceContext& trace_context, SystemTime start_time, - const std::string& operation_name, Tracing::Decision tracing_decision, - FluentdTracerSharedPtr tracer, const SpanContext& span_context, TimeSource& time_source); + Span(SystemTime start_time, const std::string& operation_name, FluentdTracerSharedPtr tracer, + SpanContext&& span_context, TimeSource& time_source); // Tracing::Span void setOperation(absl::string_view operation) override; @@ -170,8 +169,8 @@ class Span : public Tracing::Span { const Tracing::UpstreamContext& upstream) override; Tracing::SpanPtr spawnChild(const Tracing::Config& config, const std::string& name, SystemTime start_time) override; - void setSampled(bool sampled) override; - bool sampled() const { return sampled_; } + void setSampled(bool sampled) override { span_context_.setSampled(sampled); } + bool sampled() const { return span_context_.sampled(); } std::string getBaggage(absl::string_view key) override; void setBaggage(absl::string_view key, absl::string_view value) override; std::string getTraceId() const override; @@ -179,15 +178,12 @@ class Span : public Tracing::Span { private: // config - Tracing::TraceContext& trace_context_; SystemTime start_time_; std::string operation_; - Tracing::Decision tracing_decision_; FluentdTracerSharedPtr tracer_; SpanContext span_context_; std::map tags_; - bool sampled_; Envoy::TimeSource& time_source_; }; diff --git a/test/extensions/tracers/fluentd/tracer_impl_test.cc b/test/extensions/tracers/fluentd/tracer_impl_test.cc index 980dfad50f7bc..aef674bdac222 100644 --- a/test/extensions/tracers/fluentd/tracer_impl_test.cc +++ b/test/extensions/tracers/fluentd/tracer_impl_test.cc @@ -17,7 +17,6 @@ #include "msgpack.hpp" using testing::Return; -using testing::ReturnRef; namespace Envoy { namespace Extensions { @@ -70,7 +69,7 @@ class FluentdTracerImplTest : public testing::Test { std::map option_ = {{"fluent_signal", "2"}, {"TimeFormat", "DateTime"}}; packer.pack(option_); - return std::string(buffer.data(), buffer.size()); + return {buffer.data(), buffer.size()}; } std::string tag_ = "test.tag"; @@ -435,19 +434,19 @@ using StatusHelpers::HasStatusMessage; constexpr absl::string_view version = "00"; constexpr absl::string_view trace_id = "00000000000000000000000000000001"; -constexpr absl::string_view parent_id = "0000000000000003"; +constexpr absl::string_view span_id = "0000000000000003"; constexpr absl::string_view trace_flags = "01"; TEST(SpanContextExtractorTest, ExtractSpanContext) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); EXPECT_OK(span_context); EXPECT_EQ(span_context->traceId(), trace_id); - EXPECT_EQ(span_context->parentId(), parent_id); + EXPECT_EQ(span_context->spanId(), span_id); EXPECT_EQ(span_context->version(), version); EXPECT_TRUE(span_context->sampled()); } @@ -456,13 +455,13 @@ TEST(SpanContextExtractorTest, ExtractSpanContextNotSampled) { const std::string trace_flags_unsampled{"00"}; Tracing::TestTraceContextImpl request_headers{ {"traceparent", - fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags_unsampled)}}; + fmt::format("{}-{}-{}-{}", version, trace_id, span_id, trace_flags_unsampled)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); EXPECT_OK(span_context); EXPECT_EQ(span_context->traceId(), trace_id); - EXPECT_EQ(span_context->parentId(), parent_id); + EXPECT_EQ(span_context->spanId(), span_id); EXPECT_EQ(span_context->version(), version); EXPECT_FALSE(span_context->sampled()); } @@ -479,7 +478,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithoutHeader) { TEST(SpanContextExtractorTest, ThrowsExceptionWithTooLongHeader) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("000{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("000{}-{}-{}-{}", version, trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -490,7 +489,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithTooLongHeader) { TEST(SpanContextExtractorTest, ThrowsExceptionWithTooShortHeader) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("{}-{}-{}", trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}-{}-{}", trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -501,7 +500,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithTooShortHeader) { TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHyphenation) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("{}{}-{}-{}", version, trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}{}-{}-{}", version, trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -512,7 +511,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHyphenation) { TEST(SpanContextExtractorTest, ThrowExceptionWithInvalidHyphenation) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("{}-{}-{}---", version, trace_id, parent_id)}}; + {"traceparent", fmt::format("{}-{}-{}---", version, trace_id, span_id)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -526,7 +525,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidSizes) { const std::string invalid_trace_flags{"001"}; Tracing::TestTraceContextImpl request_headers{ {"traceparent", - fmt::format("{}-{}-{}-{}", invalid_version, trace_id, parent_id, invalid_trace_flags)}}; + fmt::format("{}-{}-{}-{}", invalid_version, trace_id, span_id, invalid_trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -538,8 +537,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidSizes) { TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHex) { const std::string invalid_version{"ZZ"}; Tracing::TestTraceContextImpl request_headers{ - {"traceparent", - fmt::format("{}-{}-{}-{}", invalid_version, trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}-{}-{}-{}", invalid_version, trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -551,8 +549,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithInvalidHex) { TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroTraceId) { const std::string invalid_trace_id{"00000000000000000000000000000000"}; Tracing::TestTraceContextImpl request_headers{ - {"traceparent", - fmt::format("{}-{}-{}-{}", version, invalid_trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}-{}-{}-{}", version, invalid_trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -562,10 +559,9 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroTraceId) { } TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroParentId) { - const std::string invalid_parent_id{"0000000000000000"}; + const std::string invalid_span_id{"0000000000000000"}; Tracing::TestTraceContextImpl request_headers{ - {"traceparent", - fmt::format("{}-{}-{}-{}", version, trace_id, invalid_parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, invalid_span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -576,7 +572,7 @@ TEST(SpanContextExtractorTest, ThrowsExceptionWithAllZeroParentId) { TEST(SpanContextExtractorTest, ExtractSpanContextWithEmptyTracestate) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}}; + {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, span_id, trace_flags)}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -586,7 +582,7 @@ TEST(SpanContextExtractorTest, ExtractSpanContextWithEmptyTracestate) { TEST(SpanContextExtractorTest, ExtractSpanContextWithTracestate) { Tracing::TestTraceContextImpl request_headers{ - {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}, + {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, span_id, trace_flags)}, {"tracestate", "sample-tracestate"}}; SpanContextExtractor span_context_extractor(request_headers); absl::StatusOr span_context = span_context_extractor.extractSpanContext(); @@ -606,7 +602,7 @@ TEST(SpanContextExtractorTest, IgnoreTracestateWithoutTraceparent) { TEST(SpanContextExtractorTest, ExtractSpanContextWithMultipleTracestateEntries) { Http::TestRequestHeaderMapImpl request_headers{ - {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, parent_id, trace_flags)}, + {"traceparent", fmt::format("{}-{}-{}-{}", version, trace_id, span_id, trace_flags)}, {"tracestate", "sample-tracestate"}, {"tracestate", "sample-tracestate-2"}}; Tracing::HttpTraceContext trace_context(request_headers); diff --git a/test/extensions/tracers/fluentd/tracer_integration_test.cc b/test/extensions/tracers/fluentd/tracer_integration_test.cc index b6c1e8662c96e..d605346942a0d 100644 --- a/test/extensions/tracers/fluentd/tracer_integration_test.cc +++ b/test/extensions/tracers/fluentd/tracer_integration_test.cc @@ -13,8 +13,6 @@ #include "gtest/gtest.h" #include "msgpack.hpp" -using testing::AssertionResult; - namespace Envoy { namespace Extensions { namespace Tracers { From 3d5e07bf4a495b333fbc78e1e67ae46e2019f6ea Mon Sep 17 00:00:00 2001 From: Xuyang Tao Date: Tue, 29 Jul 2025 11:36:36 -0700 Subject: [PATCH 105/505] statSink: add resource attributes for otlp statSink (#40351) Expose API to support configuring resource attribute in OTLP statSink --------- Signed-off-by: Xuyang Tao --- .../open_telemetry/v3/open_telemetry.proto | 7 ++- changelogs/current.yaml | 4 ++ .../opentelemetry/resource_detectors.rst | 2 +- .../stat_sinks/open_telemetry/BUILD | 1 + .../stat_sinks/open_telemetry/config.cc | 7 ++- .../open_telemetry/open_telemetry_impl.cc | 20 +++++- .../open_telemetry/open_telemetry_impl.h | 8 ++- .../opentelemetry_tracer_impl.cc | 5 +- .../resource_detectors/dynatrace/config.cc | 2 +- .../resource_detectors/dynatrace/config.h | 2 +- .../resource_detectors/environment/config.cc | 2 +- .../resource_detectors/environment/config.h | 2 +- .../environment_resource_detector.cc | 4 +- .../environment_resource_detector.h | 4 +- .../resource_detectors/resource_detector.h | 4 +- .../resource_detectors/resource_provider.cc | 31 ++++------ .../resource_detectors/resource_provider.h | 14 +++-- .../resource_detectors/static/config.cc | 2 +- .../resource_detectors/static/config.h | 2 +- .../static/static_config_resource_detector.h | 2 +- .../stats_sinks/open_telemetry/config_test.cc | 10 ++- .../open_telemetry_impl_test.cc | 31 +++++++--- .../opentelemetry_tracer_impl_test.cc | 8 ++- .../dynatrace/config_test.cc | 2 +- .../environment/config_test.cc | 6 +- .../environment_resource_detector_test.cc | 12 ++-- .../resource_provider_test.cc | 61 ++++++++----------- .../resource_detectors/static/config_test.cc | 2 +- .../static_config_resource_detector_test.cc | 8 ++- 29 files changed, 165 insertions(+), 100 deletions(-) diff --git a/api/envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto b/api/envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto index eb72322976288..34ffaf634d424 100644 --- a/api/envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto +++ b/api/envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto @@ -2,6 +2,7 @@ syntax = "proto3"; package envoy.extensions.stat_sinks.open_telemetry.v3; +import "envoy/config/core/v3/extension.proto"; import "envoy/config/core/v3/grpc_service.proto"; import "google/protobuf/wrappers.proto"; @@ -19,7 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Stats configuration proto schema for ``envoy.stat_sinks.open_telemetry`` sink. // [#extension: envoy.stat_sinks.open_telemetry] -// [#next-free-field: 7] +// [#next-free-field: 8] message SinkConfig { oneof protocol_specifier { option (validate.required) = true; @@ -28,6 +29,10 @@ message SinkConfig { config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; } + // Attributes to be associated with the resource in the OTLP message. + // [#extension-category: envoy.tracers.opentelemetry.resource_detectors] + repeated config.core.v3.TypedExtensionConfig resource_detectors = 7; + // If set to true, counters will be emitted as deltas, and the OTLP message will have // ``AGGREGATION_TEMPORALITY_DELTA`` set as AggregationTemporality. bool report_counters_as_deltas = 2; diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 4052543f0ca68..68369e43137de 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -71,5 +71,9 @@ new_features: change: | Added support for endpoint-level load stats and metrics reporting. Locality load reports now include per endpoint statistics and metrics, but only for endpoints with updated stats, optimizing report size and efficiency. +- area: otlp_stat_sink + change: | + Added support for resource attributes. The stat sink will use the resource attributes configured for the OpenTelemetry tracer via + :ref:`resource_detectors `. deprecated: diff --git a/docs/root/api-v3/config/trace/opentelemetry/resource_detectors.rst b/docs/root/api-v3/config/trace/opentelemetry/resource_detectors.rst index 87790ac145ec8..c6ad6353bab4b 100644 --- a/docs/root/api-v3/config/trace/opentelemetry/resource_detectors.rst +++ b/docs/root/api-v3/config/trace/opentelemetry/resource_detectors.rst @@ -1,7 +1,7 @@ OpenTelemetry Resource Detectors ================================ -Resource detectors that can be configured with the OpenTelemetry Tracer: +Resource detectors that can be configured with the OpenTelemetry Tracer and the OpenTelemetry StatSink: .. toctree:: :glob: diff --git a/source/extensions/stat_sinks/open_telemetry/BUILD b/source/extensions/stat_sinks/open_telemetry/BUILD index 4a87743eff39e..e1770f4603fb0 100644 --- a/source/extensions/stat_sinks/open_telemetry/BUILD +++ b/source/extensions/stat_sinks/open_telemetry/BUILD @@ -17,6 +17,7 @@ envoy_cc_library( "//envoy/grpc:async_client_interface", "//envoy/singleton:instance_interface", "//source/common/grpc:async_client_lib", + "//source/extensions/tracers/opentelemetry/resource_detectors:resource_detector_lib", "@envoy_api//envoy/extensions/stat_sinks/open_telemetry/v3:pkg_cc_proto", "@opentelemetry_proto//:metrics_proto_cc", "@opentelemetry_proto//:metrics_service_proto_cc", diff --git a/source/extensions/stat_sinks/open_telemetry/config.cc b/source/extensions/stat_sinks/open_telemetry/config.cc index 391f87e387177..d8dbe0cab1ed6 100644 --- a/source/extensions/stat_sinks/open_telemetry/config.cc +++ b/source/extensions/stat_sinks/open_telemetry/config.cc @@ -4,6 +4,7 @@ #include "source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.h" #include "source/extensions/stat_sinks/open_telemetry/open_telemetry_proto_descriptors.h" +#include "source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.h" namespace Envoy { namespace Extensions { @@ -18,7 +19,11 @@ OpenTelemetrySinkFactory::createStatsSink(const Protobuf::Message& config, const auto& sink_config = MessageUtil::downcastAndValidate( config, server.messageValidationContext().staticValidationVisitor()); - auto otlp_options = std::make_shared(sink_config); + Tracers::OpenTelemetry::ResourceProviderPtr resource_provider = + std::make_unique(); + auto otlp_options = std::make_shared( + sink_config, resource_provider->getResource(sink_config.resource_detectors(), server, + /*service_name=*/"")); std::shared_ptr otlp_metrics_flusher = std::make_shared(otlp_options); diff --git a/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.cc b/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.cc index e50a6a85de91f..ef105b0057e17 100644 --- a/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.cc +++ b/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.cc @@ -7,14 +7,27 @@ namespace Extensions { namespace StatSinks { namespace OpenTelemetry { -OtlpOptions::OtlpOptions(const SinkConfig& sink_config) +Protobuf::RepeatedPtrField +generateResourceAttributes(const Tracers::OpenTelemetry::Resource& resource) { + Protobuf::RepeatedPtrField resource_attributes; + for (const auto& attr : resource.attributes_) { + auto* attribute = resource_attributes.Add(); + attribute->set_key(attr.first); + attribute->mutable_value()->set_string_value(attr.second); + } + return resource_attributes; +} + +OtlpOptions::OtlpOptions(const SinkConfig& sink_config, + const Tracers::OpenTelemetry::Resource& resource) : report_counters_as_deltas_(sink_config.report_counters_as_deltas()), report_histograms_as_deltas_(sink_config.report_histograms_as_deltas()), emit_tags_as_attributes_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(sink_config, emit_tags_as_attributes, true)), use_tag_extracted_name_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(sink_config, use_tag_extracted_name, true)), - stat_prefix_(!sink_config.prefix().empty() ? sink_config.prefix() + "." : "") {} + stat_prefix_(!sink_config.prefix().empty() ? sink_config.prefix() + "." : ""), + resource_attributes_(generateResourceAttributes(resource)) {} OpenTelemetryGrpcMetricsExporterImpl::OpenTelemetryGrpcMetricsExporterImpl( const OtlpOptionsSharedPtr config, Grpc::RawAsyncClientSharedPtr raw_async_client) @@ -46,7 +59,8 @@ MetricsExportRequestPtr OtlpMetricsFlusherImpl::flush(Stats::MetricSnapshot& sna auto request = std::make_unique(); auto* resource_metrics = request->add_resource_metrics(); auto* scope_metrics = resource_metrics->add_scope_metrics(); - + resource_metrics->mutable_resource()->mutable_attributes()->CopyFrom( + config_->resource_attributes()); int64_t snapshot_time_ns = std::chrono::duration_cast( snapshot.snapshotTime().time_since_epoch()) .count(); diff --git a/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.h b/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.h index 92ce4fe58d2e1..58a46b7983226 100644 --- a/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.h +++ b/source/extensions/stat_sinks/open_telemetry/open_telemetry_impl.h @@ -12,6 +12,7 @@ #include "envoy/stats/stats.h" #include "source/common/grpc/typed_async_client.h" +#include "source/extensions/tracers/opentelemetry/resource_detectors/resource_detector.h" #include "opentelemetry/proto/collector/metrics/v1/metrics_service.pb.h" #include "opentelemetry/proto/common/v1/common.pb.h" @@ -35,13 +36,17 @@ using SinkConfig = envoy::extensions::stat_sinks::open_telemetry::v3::SinkConfig class OtlpOptions { public: - OtlpOptions(const SinkConfig& sink_config); + OtlpOptions(const SinkConfig& sink_config, const Tracers::OpenTelemetry::Resource& resource); bool reportCountersAsDeltas() { return report_counters_as_deltas_; } bool reportHistogramsAsDeltas() { return report_histograms_as_deltas_; } bool emitTagsAsAttributes() { return emit_tags_as_attributes_; } bool useTagExtractedName() { return use_tag_extracted_name_; } const std::string& statPrefix() { return stat_prefix_; } + const Protobuf::RepeatedPtrField& + resource_attributes() const { + return resource_attributes_; + } private: const bool report_counters_as_deltas_; @@ -49,6 +54,7 @@ class OtlpOptions { const bool emit_tags_as_attributes_; const bool use_tag_extracted_name_; const std::string stat_prefix_; + const Protobuf::RepeatedPtrField resource_attributes_; }; using OtlpOptionsSharedPtr = std::shared_ptr; diff --git a/source/extensions/tracers/opentelemetry/opentelemetry_tracer_impl.cc b/source/extensions/tracers/opentelemetry/opentelemetry_tracer_impl.cc index 956eb4759acc9..dd758787dd9f1 100644 --- a/source/extensions/tracers/opentelemetry/opentelemetry_tracer_impl.cc +++ b/source/extensions/tracers/opentelemetry/opentelemetry_tracer_impl.cc @@ -75,7 +75,10 @@ Driver::Driver(const envoy::config::trace::v3::OpenTelemetryConfig& opentelemetr POOL_COUNTER_PREFIX(context.serverFactoryContext().scope(), "tracing.opentelemetry"))} { auto& factory_context = context.serverFactoryContext(); - Resource resource = resource_provider.getResource(opentelemetry_config, context); + Resource resource = resource_provider.getResource( + opentelemetry_config.resource_detectors(), context.serverFactoryContext(), + opentelemetry_config.service_name().empty() ? kDefaultServiceName + : opentelemetry_config.service_name()); ResourceConstSharedPtr resource_ptr = std::make_shared(std::move(resource)); if (opentelemetry_config.has_grpc_service() && opentelemetry_config.has_http_service()) { diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc b/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc index 564c2cf291cdb..c5914244c7d52 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc +++ b/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc @@ -13,7 +13,7 @@ namespace Tracers { namespace OpenTelemetry { ResourceDetectorPtr DynatraceResourceDetectorFactory::createResourceDetector( - const Protobuf::Message& message, Server::Configuration::TracerFactoryContext& context) { + const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( dynamic_cast(message), context.messageValidationVisitor(), *this); diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.h b/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.h index f3063484aeb9b..3b955656ece67 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.h +++ b/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.h @@ -28,7 +28,7 @@ class DynatraceResourceDetectorFactory : public ResourceDetectorFactory { */ ResourceDetectorPtr createResourceDetector(const Protobuf::Message& message, - Server::Configuration::TracerFactoryContext& context) override; + Server::Configuration::ServerFactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(message), context.messageValidationVisitor(), *this); diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.h b/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.h index a2bf1f72025fd..d09a6bd41c1c1 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.h +++ b/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.h @@ -26,7 +26,7 @@ class EnvironmentResourceDetectorFactory : public ResourceDetectorFactory { */ ResourceDetectorPtr createResourceDetector(const Protobuf::Message& message, - Server::Configuration::TracerFactoryContext& context) override; + Server::Configuration::ServerFactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique; +using ResourceAttributes = absl::flat_hash_map; /** * @brief A Resource represents the entity producing telemetry as Attributes. @@ -67,7 +67,7 @@ class ResourceDetectorFactory : public Envoy::Config::TypedFactory { */ virtual ResourceDetectorPtr createResourceDetector(const Protobuf::Message& message, - Server::Configuration::TracerFactoryContext& context) PURE; + Server::Configuration::ServerFactoryContext& context) PURE; std::string category() const override { return "envoy.tracers.opentelemetry.resource_detectors"; } }; diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.cc b/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.cc index 123994576a4c1..b6e04cb1333fb 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.cc +++ b/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.cc @@ -14,23 +14,18 @@ namespace OpenTelemetry { namespace { bool isEmptyResource(const Resource& resource) { return resource.attributes_.empty(); } -Resource createInitialResource(const std::string& service_name) { +Resource createInitialResource(absl::string_view service_name) { Resource resource{}; // Creates initial resource with the static service.name and telemetry.sdk.* attributes. - resource.attributes_[std::string(kServiceNameKey.data(), kServiceNameKey.size())] = - service_name.empty() ? std::string{kDefaultServiceName} : service_name; - - resource - .attributes_[std::string(kTelemetrySdkLanguageKey.data(), kTelemetrySdkLanguageKey.size())] = - kDefaultTelemetrySdkLanguage; + if (!service_name.empty()) { + resource.attributes_[kServiceNameKey] = service_name; + } + resource.attributes_[kTelemetrySdkLanguageKey] = kDefaultTelemetrySdkLanguage; - resource.attributes_[std::string(kTelemetrySdkNameKey.data(), kTelemetrySdkNameKey.size())] = - kDefaultTelemetrySdkName; + resource.attributes_[kTelemetrySdkNameKey] = kDefaultTelemetrySdkName; - resource - .attributes_[std::string(kTelemetrySdkVersionKey.data(), kTelemetrySdkVersionKey.size())] = - Envoy::VersionInfo::version(); + resource.attributes_[kTelemetrySdkVersionKey] = Envoy::VersionInfo::version(); return resource; } @@ -88,14 +83,14 @@ void mergeResource(Resource& old_resource, const Resource& updating_resource) { } // namespace Resource ResourceProviderImpl::getResource( - const envoy::config::trace::v3::OpenTelemetryConfig& opentelemetry_config, - Server::Configuration::TracerFactoryContext& context) const { - - Resource resource = createInitialResource(opentelemetry_config.service_name()); + const Protobuf::RepeatedPtrField& + resource_detectors, + Envoy::Server::Configuration::ServerFactoryContext& context, + absl::string_view service_name) const { - const auto& detectors_configs = opentelemetry_config.resource_detectors(); + Resource resource = createInitialResource(service_name); - for (const auto& detector_config : detectors_configs) { + for (const auto& detector_config : resource_detectors) { ResourceDetectorPtr detector; auto* factory = Envoy::Config::Utility::getFactory(detector_config); diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.h b/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.h index 8a2e0739a97b7..a9c56e18d6fbb 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.h +++ b/source/extensions/tracers/opentelemetry/resource_detectors/resource_provider.h @@ -36,14 +36,20 @@ class ResourceProvider : public Logger::Loggable { * @return Resource const The merged resource. */ virtual Resource - getResource(const envoy::config::trace::v3::OpenTelemetryConfig& opentelemetry_config, - Server::Configuration::TracerFactoryContext& context) const PURE; + getResource(const Protobuf::RepeatedPtrField& + resource_detectors, + Server::Configuration::ServerFactoryContext& context, + absl::string_view service_name) const PURE; }; +using ResourceProviderPtr = std::shared_ptr; class ResourceProviderImpl : public ResourceProvider { public: - Resource getResource(const envoy::config::trace::v3::OpenTelemetryConfig& opentelemetry_config, - Server::Configuration::TracerFactoryContext& context) const override; + Resource + getResource(const Protobuf::RepeatedPtrField& + resource_detectors, + Server::Configuration::ServerFactoryContext& context, + absl::string_view service_name) const override; }; } // namespace OpenTelemetry diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc b/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc index 5476816af27ca..1939532905b0e 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc +++ b/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc @@ -12,7 +12,7 @@ namespace Tracers { namespace OpenTelemetry { ResourceDetectorPtr StaticConfigResourceDetectorFactory::createResourceDetector( - const Protobuf::Message& message, Server::Configuration::TracerFactoryContext& context) { + const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( dynamic_cast(message), context.messageValidationVisitor(), *this); diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/static/config.h b/source/extensions/tracers/opentelemetry/resource_detectors/static/config.h index 4554622ecee0e..55566f0f6f5c7 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/static/config.h +++ b/source/extensions/tracers/opentelemetry/resource_detectors/static/config.h @@ -25,7 +25,7 @@ class StaticConfigResourceDetectorFactory : public ResourceDetectorFactory { */ ResourceDetectorPtr createResourceDetector(const Protobuf::Message& message, - Server::Configuration::TracerFactoryContext& context) override; + Server::Configuration::ServerFactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_uniqueset_value(false); sink_config.set_prefix("prefix"); - OtlpOptions options(sink_config); + Tracers::OpenTelemetry::Resource resource; + resource.attributes_["key"] = "value"; + OtlpOptions options(sink_config, resource); EXPECT_FALSE(options.reportCountersAsDeltas()); EXPECT_FALSE(options.reportHistogramsAsDeltas()); EXPECT_FALSE(options.emitTagsAsAttributes()); EXPECT_FALSE(options.useTagExtractedName()); EXPECT_EQ("prefix.", options.statPrefix()); + ASSERT_EQ(1, options.resource_attributes().size()); + EXPECT_EQ("key", options.resource_attributes()[0].key()); + EXPECT_EQ("value", options.resource_attributes()[0].value().string_value()); } } diff --git a/test/extensions/stats_sinks/open_telemetry/open_telemetry_impl_test.cc b/test/extensions/stats_sinks/open_telemetry/open_telemetry_impl_test.cc index 32e13c57188ee..e745afc0d23c8 100644 --- a/test/extensions/stats_sinks/open_telemetry/open_telemetry_impl_test.cc +++ b/test/extensions/stats_sinks/open_telemetry/open_telemetry_impl_test.cc @@ -35,19 +35,22 @@ class OpenTelemetryStatsSinkTests : public testing::Test { } } - const OtlpOptionsSharedPtr otlpOptions(bool report_counters_as_deltas = false, - bool report_histograms_as_deltas = false, - bool emit_tags_as_attributes = true, - bool use_tag_extracted_name = true, - const std::string& stat_prefix = "") { + const OtlpOptionsSharedPtr + otlpOptions(bool report_counters_as_deltas = false, bool report_histograms_as_deltas = false, + bool emit_tags_as_attributes = true, bool use_tag_extracted_name = true, + const std::string& stat_prefix = "", + absl::flat_hash_map resource_attributes = {}) { envoy::extensions::stat_sinks::open_telemetry::v3::SinkConfig sink_config; sink_config.set_report_counters_as_deltas(report_counters_as_deltas); sink_config.set_report_histograms_as_deltas(report_histograms_as_deltas); sink_config.mutable_emit_tags_as_attributes()->set_value(emit_tags_as_attributes); sink_config.mutable_use_tag_extracted_name()->set_value(use_tag_extracted_name); sink_config.set_prefix(stat_prefix); - - return std::make_shared(sink_config); + Tracers::OpenTelemetry::Resource resource; + for (const auto& [key, value] : resource_attributes) { + resource.attributes_[key] = value; + } + return std::make_shared(sink_config, resource); } std::string getTagExtractedName(const std::string name) { return name + "-tagged"; } @@ -433,6 +436,20 @@ TEST_F(OtlpMetricsFlusherTests, DeltaHistogramMetric) { expectHistogram(metricAt(1, metrics), getTagExtractedName("test_histogram2"), true); } +TEST_F(OtlpMetricsFlusherTests, SetResourceAttributes) { + OtlpMetricsFlusherImpl flusher( + otlpOptions(true, false, true, true, "", {{"key_foo", "val_foo"}})); + addCounterToSnapshot("test_counter1", 1, 1); + MetricsExportRequestSharedPtr metrics = flusher.flush(snapshot_); + expectMetricsCount(metrics, 1); + expectSum(metricAt(0, metrics), getTagExtractedName("test_counter1"), 1, true); + EXPECT_EQ(1, metrics->resource_metrics().size()); + EXPECT_EQ(1, metrics->resource_metrics()[0].resource().attributes().size()); + EXPECT_EQ("key_foo", metrics->resource_metrics()[0].resource().attributes()[0].key()); + EXPECT_EQ("val_foo", + metrics->resource_metrics()[0].resource().attributes()[0].value().string_value()); +} + class MockOpenTelemetryGrpcMetricsExporter : public OpenTelemetryGrpcMetricsExporter { public: MOCK_METHOD(void, send, (MetricsExportRequestPtr&&)); diff --git a/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc b/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc index f91cfd4f96932..57f83e7cf4182 100644 --- a/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc +++ b/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc @@ -32,8 +32,10 @@ using testing::ReturnRef; class MockResourceProvider : public ResourceProvider { public: MOCK_METHOD(Resource, getResource, - (const envoy::config::trace::v3::OpenTelemetryConfig& opentelemetry_config, - Server::Configuration::TracerFactoryContext& context), + (const Protobuf::RepeatedPtrField& + resource_detectors, + Server::Configuration::ServerFactoryContext& context, + absl::string_view service_name), (const)); }; @@ -57,7 +59,7 @@ class OpenTelemetryDriverTest : public testing::Test { resource.attributes_.insert(std::pair("key1", "val1")); auto mock_resource_provider = NiceMock(); - EXPECT_CALL(mock_resource_provider, getResource(_, _)).WillRepeatedly(Return(resource)); + EXPECT_CALL(mock_resource_provider, getResource(_, _, _)).WillRepeatedly(Return(resource)); driver_ = std::make_unique(opentelemetry_config, context_, mock_resource_provider); } diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config_test.cc index 9d769cc62dc62..6891bd2da4204 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config_test.cc @@ -25,7 +25,7 @@ TEST(DynatraceResourceDetectorFactoryTest, Basic) { )EOF"; TestUtility::loadFromYaml(yaml, typed_config); - NiceMock context; + NiceMock context; EXPECT_NE(factory->createResourceDetector(typed_config.typed_config(), context), nullptr); EXPECT_STREQ(factory->name().c_str(), "envoy.tracers.opentelemetry.resource_detectors.dynatrace"); } diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/environment/config_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/environment/config_test.cc index 7e9ada0850eb1..1d7180d604c13 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/environment/config_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/environment/config_test.cc @@ -26,8 +26,10 @@ TEST(EnvironmentResourceDetectorFactoryTest, Basic) { )EOF"; TestUtility::loadFromYaml(yaml, typed_config); - NiceMock context; - EXPECT_NE(factory->createResourceDetector(typed_config.typed_config(), context), nullptr); + NiceMock server_factory_context; + + EXPECT_NE(factory->createResourceDetector(typed_config.typed_config(), server_factory_context), + nullptr); } } // namespace OpenTelemetry diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/environment/environment_resource_detector_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/environment/environment_resource_detector_test.cc index cc62387f4a983..0bd4fc7b1fc75 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/environment/environment_resource_detector_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/environment/environment_resource_detector_test.cc @@ -28,7 +28,8 @@ TEST(EnvironmentResourceDetectorTest, EnvVariableNotPresent) { envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: EnvironmentResourceDetectorConfig config; - auto detector = std::make_unique(config, context); + auto detector = + std::make_unique(config, context.serverFactoryContext()); Resource resource = detector->detect(); EXPECT_EQ(resource.schema_url_, ""); @@ -44,7 +45,8 @@ TEST(EnvironmentResourceDetectorTest, EnvVariablePresentButEmpty) { envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: EnvironmentResourceDetectorConfig config; - auto detector = std::make_unique(config, context); + auto detector = + std::make_unique(config, context.serverFactoryContext()); Resource resource = detector->detect(); EXPECT_EQ(resource.schema_url_, ""); @@ -64,7 +66,8 @@ TEST(EnvironmentResourceDetectorTest, EnvVariablePresentAndWithAttributes) { envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: EnvironmentResourceDetectorConfig config; - auto detector = std::make_unique(config, context); + auto detector = + std::make_unique(config, context.serverFactoryContext()); Resource resource = detector->detect(); EXPECT_EQ(resource.schema_url_, ""); @@ -91,7 +94,8 @@ TEST(EnvironmentResourceDetectorTest, EnvVariablePresentAndWithAttributesWrongFo envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: EnvironmentResourceDetectorConfig config; - auto detector = std::make_unique(config, context); + auto detector = + std::make_unique(config, context.serverFactoryContext()); Resource resource = detector->detect(); EXPECT_EQ(resource.schema_url_, ""); diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc index 9f44804643137..257d6ead1b3f0 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc @@ -30,7 +30,7 @@ class DetectorFactoryA : public ResourceDetectorFactory { public: MOCK_METHOD(ResourceDetectorPtr, createResourceDetector, (const Protobuf::Message& message, - Server::Configuration::TracerFactoryContext& context)); + Server::Configuration::ServerFactoryContext& context)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -43,7 +43,7 @@ class DetectorFactoryB : public ResourceDetectorFactory { public: MOCK_METHOD(ResourceDetectorPtr, createResourceDetector, (const Protobuf::Message& message, - Server::Configuration::TracerFactoryContext& context)); + Server::Configuration::ServerFactoryContext& context)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique(); @@ -60,7 +60,7 @@ class ResourceProviderTest : public testing::Test { resource_a_.attributes_.insert(std::pair("key1", "val1")); resource_b_.attributes_.insert(std::pair("key2", "val2")); } - NiceMock context_; + testing::NiceMock server_factory_context_; Resource resource_a_; Resource resource_b_; }; @@ -78,7 +78,9 @@ TEST_F(ResourceProviderTest, NoResourceDetectorsConfigured) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); + Resource resource = + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()); EXPECT_EQ(resource.schema_url_, ""); @@ -99,29 +101,6 @@ TEST_F(ResourceProviderTest, NoResourceDetectorsConfigured) { } } -// Verifies a resource with the default service name is returned when no detectors + static service -// name are configured -TEST_F(ResourceProviderTest, ServiceNameNotProvided) { - const std::string yaml_string = R"EOF( - grpc_service: - envoy_grpc: - cluster_name: fake-cluster - timeout: 0.250s - )EOF"; - envoy::config::trace::v3::OpenTelemetryConfig opentelemetry_config; - TestUtility::loadFromYaml(yaml_string, opentelemetry_config); - - ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); - - EXPECT_EQ(resource.schema_url_, ""); - - // service.name receives the unknown value when not configured - EXPECT_EQ(4, resource.attributes_.size()); - auto service_name = resource.attributes_.find("service.name"); - EXPECT_EQ("unknown_service:envoy", service_name->second); -} - // Verifies it is possible to configure multiple resource detectors TEST_F(ResourceProviderTest, MultipleResourceDetectorsConfigured) { auto detector_a = std::make_unique>(); @@ -168,7 +147,9 @@ TEST_F(ResourceProviderTest, MultipleResourceDetectorsConfigured) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); + Resource resource = + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()); EXPECT_EQ(resource.schema_url_, ""); @@ -202,7 +183,9 @@ TEST_F(ResourceProviderTest, UnknownResourceDetectors) { ResourceProviderImpl resource_provider; EXPECT_THROW_WITH_MESSAGE( - resource_provider.getResource(opentelemetry_config, context_), EnvoyException, + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()), + EnvoyException, "Resource detector factory not found: " "'envoy.tracers.opentelemetry.resource_detectors.UnkownResourceDetector'"); } @@ -231,7 +214,9 @@ TEST_F(ResourceProviderTest, ProblemCreatingResourceDetector) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - EXPECT_THROW_WITH_MESSAGE(resource_provider.getResource(opentelemetry_config, context_), + EXPECT_THROW_WITH_MESSAGE(resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, + opentelemetry_config.service_name()), EnvoyException, "Resource detector could not be created: " "'envoy.tracers.opentelemetry.resource_detectors.a'"); @@ -281,7 +266,9 @@ TEST_F(ResourceProviderTest, OldSchemaEmptyUpdatingSet) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); + Resource resource = + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()); // OTel spec says the updating schema should be used EXPECT_EQ(expected_schema_url, resource.schema_url_); @@ -331,7 +318,9 @@ TEST_F(ResourceProviderTest, OldSchemaSetUpdatingEmpty) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); + Resource resource = + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()); // OTel spec says the updating schema should be used EXPECT_EQ(expected_schema_url, resource.schema_url_); @@ -381,7 +370,9 @@ TEST_F(ResourceProviderTest, OldAndUpdatingSchemaAreEqual) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); + Resource resource = + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()); EXPECT_EQ(expected_schema_url, resource.schema_url_); } @@ -430,7 +421,9 @@ TEST_F(ResourceProviderTest, OldAndUpdatingSchemaAreDifferent) { TestUtility::loadFromYaml(yaml_string, opentelemetry_config); ResourceProviderImpl resource_provider; - Resource resource = resource_provider.getResource(opentelemetry_config, context_); + Resource resource = + resource_provider.getResource(opentelemetry_config.resource_detectors(), + server_factory_context_, opentelemetry_config.service_name()); // OTel spec says Old schema should be used EXPECT_EQ(expected_schema_url, resource.schema_url_); diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/static/config_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/static/config_test.cc index 76b7c6e2b0e12..59e40fda2e30e 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/static/config_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/static/config_test.cc @@ -31,7 +31,7 @@ TEST(StaticConfigResourceDetectorFactoryTest, Basic) { )EOF"; TestUtility::loadFromYaml(yaml, typed_config); - NiceMock context; + NiceMock context; EXPECT_NE(factory->createResourceDetector(typed_config.typed_config(), context), nullptr); EXPECT_STREQ(factory->name().c_str(), "envoy.tracers.opentelemetry.resource_detectors.static_config"); diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_test.cc index ba2243d47111f..c142c335735d9 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_test.cc @@ -22,7 +22,7 @@ namespace OpenTelemetry { // Test detector when when attributes is empty TEST(StaticConfigResourceDetectorTest, EmptyAttributesMap) { - NiceMock context; + NiceMock context; envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: StaticConfigResourceDetectorConfig config; @@ -52,7 +52,8 @@ TEST(StaticConfigResourceDetectorTest, EmptyAttributesAreIgnored) { StaticConfigResourceDetectorConfig proto_config; TestUtility::loadFromYamlAndValidate(yaml, proto_config); - auto detector = std::make_unique(proto_config, context); + auto detector = + std::make_unique(proto_config, context.server_factory_context_); Resource resource = detector->detect(); EXPECT_EQ(resource.schema_url_, ""); @@ -84,7 +85,8 @@ TEST(StaticConfigResourceDetectorTest, ValidAttributes) { StaticConfigResourceDetectorConfig proto_config; TestUtility::loadFromYamlAndValidate(yaml, proto_config); - auto detector = std::make_unique(proto_config, context); + auto detector = + std::make_unique(proto_config, context.server_factory_context_); Resource resource = detector->detect(); EXPECT_EQ(resource.schema_url_, ""); From 849a1c0d8b52169a86e5f3f3fbd9cde60e03820c Mon Sep 17 00:00:00 2001 From: code Date: Wed, 30 Jul 2025 03:21:35 +0800 Subject: [PATCH 106/505] tracing: simplify the custom tags to avoid create new custom tag map for every request (#40366) In the previous implementation, we will create a new custom tags map for every request to merge the custom tags from hcm and route. This new implementation clean up the code and avoid that. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: wangbaiping(wbpcode) --- envoy/tracing/trace_config.h | 69 ++----------------- source/common/http/conn_manager_config.h | 2 +- source/common/http/conn_manager_impl.cc | 53 +++++++------- source/common/http/conn_manager_impl.h | 11 +-- source/common/tracing/http_tracer_impl.cc | 10 +-- source/common/tracing/tracer_config_impl.h | 50 +++++++------- source/common/tracing/tracer_impl.cc | 12 +--- source/common/tracing/tracer_impl.h | 8 +-- .../filters/network/generic_proxy/config.cc | 2 +- .../filters/network/generic_proxy/proxy.cc | 13 ++-- .../filters/network/generic_proxy/proxy.h | 4 +- .../network/generic_proxy/router/router.cc | 8 +-- test/common/http/conn_manager_impl_test.cc | 14 ++-- test/common/tracing/http_tracer_impl_test.cc | 66 ++++++++++++------ .../common/tracing/tracer_config_impl_test.cc | 4 +- test/common/tracing/tracer_impl_test.cc | 20 ++++-- .../network/generic_proxy/proxy_test.cc | 2 +- test/mocks/router/mocks.cc | 7 +- test/mocks/router/mocks.h | 5 ++ test/mocks/tracing/mocks.cc | 1 - test/mocks/tracing/mocks.h | 3 +- test/test_common/utility.h | 1 + 22 files changed, 159 insertions(+), 206 deletions(-) diff --git a/envoy/tracing/trace_config.h b/envoy/tracing/trace_config.h index c556aa592f387..d593771372f2a 100644 --- a/envoy/tracing/trace_config.h +++ b/envoy/tracing/trace_config.h @@ -27,9 +27,13 @@ class Config { virtual bool spawnUpstreamSpan() const PURE; /** - * @return custom tags to be attached to the active span. + * @return modify the span. For example, set custom tags from configuration or + * make other modifications. + * This method MUST be called at most ONLY once per span before the span is + * finished. + * @param span the span to modify. */ - virtual const CustomTagMap* customTags() const PURE; + virtual void modifySpan(Span& span) const PURE; /** * @return true if spans should be annotated with more detailed information. @@ -43,66 +47,5 @@ class Config { virtual uint32_t maxPathTagLength() const PURE; }; -/** - * Route or connection manager level tracing configuration. - */ -class TracingConfig { -public: - virtual ~TracingConfig() = default; - - /** - * This method returns the client sampling percentage. - * @return the client sampling percentage - */ - virtual const envoy::type::v3::FractionalPercent& getClientSampling() const PURE; - - /** - * This method returns the random sampling percentage. - * @return the random sampling percentage - */ - virtual const envoy::type::v3::FractionalPercent& getRandomSampling() const PURE; - - /** - * This method returns the overall sampling percentage. - * @return the overall sampling percentage - */ - virtual const envoy::type::v3::FractionalPercent& getOverallSampling() const PURE; - - /** - * This method returns the tracing custom tags. - * @return the tracing custom tags. - */ - virtual const Tracing::CustomTagMap& getCustomTags() const PURE; -}; - -/** - * Connection manager tracing configuration. - */ -class ConnectionManagerTracingConfig : public TracingConfig { -public: - /** - * @return operation name for tracing, e.g., ingress. - */ - virtual OperationName operationName() const PURE; - - /** - * @return create separated child span for upstream request if true. - */ - virtual bool spawnUpstreamSpan() const PURE; - - /** - * @return true if spans should be annotated with more detailed information. - */ - virtual bool verbose() const PURE; - - /** - * @return the maximum length allowed for paths in the extracted HttpUrl tag. This is only used - * for HTTP protocol tracing. - */ - virtual uint32_t maxPathTagLength() const PURE; -}; - -using ConnectionManagerTracingConfigPtr = std::unique_ptr; - } // namespace Tracing } // namespace Envoy diff --git a/source/common/http/conn_manager_config.h b/source/common/http/conn_manager_config.h index d5054042c180b..c80f6bf90deda 100644 --- a/source/common/http/conn_manager_config.h +++ b/source/common/http/conn_manager_config.h @@ -126,7 +126,7 @@ struct ConnectionManagerTracingStats { CONN_MAN_TRACING_STATS(GENERATE_COUNTER_STRUCT) }; -using TracingConnectionManagerConfig = Tracing::ConnectionManagerTracingConfigImpl; +using TracingConnectionManagerConfig = Tracing::ConnectionManagerTracingConfig; using TracingConnectionManagerConfigPtr = std::unique_ptr; /** diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index d99900e23eff7..5c2fedc43bf3b 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -1688,29 +1688,6 @@ void ConnectionManagerImpl::ActiveStream::refreshCachedRoute(const Router::Route setVirtualHostRoute(std::move(route_result)); } -void ConnectionManagerImpl::ActiveStream::refreshCachedTracingCustomTags() { - if (!connection_manager_tracing_config_.has_value()) { - return; - } - const Tracing::CustomTagMap& conn_manager_tags = connection_manager_tracing_config_->custom_tags_; - const Tracing::CustomTagMap* route_tags = nullptr; - if (hasCachedRoute() && cached_route_.value()->tracingConfig()) { - route_tags = &cached_route_.value()->tracingConfig()->getCustomTags(); - } - const bool configured_in_conn = !conn_manager_tags.empty(); - const bool configured_in_route = route_tags && !route_tags->empty(); - if (!configured_in_conn && !configured_in_route) { - return; - } - Tracing::CustomTagMap& custom_tag_map = getOrMakeTracingCustomTagMap(); - if (configured_in_route) { - custom_tag_map.insert(route_tags->begin(), route_tags->end()); - } - if (configured_in_conn) { - custom_tag_map.insert(conn_manager_tags.begin(), conn_manager_tags.end()); - } -} - // TODO(chaoqin-li1123): Make on demand vhds and on demand srds works at the same time. void ConnectionManagerImpl::ActiveStream::requestRouteConfigUpdate( Http::RouteConfigUpdatedCallbackSharedPtr route_config_updated_cb) { @@ -2039,8 +2016,29 @@ Tracing::OperationName ConnectionManagerImpl::ActiveStream::operationName() cons return connection_manager_tracing_config_->operation_name_; } -const Tracing::CustomTagMap* ConnectionManagerImpl::ActiveStream::customTags() const { - return tracing_custom_tags_.get(); +void ConnectionManagerImpl::ActiveStream::modifySpan(Tracing::Span& span) const { + ASSERT(connection_manager_tracing_config_.has_value()); + + const Tracing::HttpTraceContext trace_context(*request_headers_); + const Tracing::CustomTagContext ctx{trace_context, filter_manager_.streamInfo()}; + + // Cache the optional custom tags from the route first. + OptRef route_custom_tags; + + if (hasCachedRoute() && cached_route_.value()->tracingConfig() != nullptr) { + route_custom_tags.emplace(cached_route_.value()->tracingConfig()->getCustomTags()); + for (const auto& tag : *route_custom_tags) { + tag.second->applySpan(span, ctx); + } + } + + for (const auto& tag : connection_manager_tracing_config_->custom_tags_) { + if (!route_custom_tags.has_value() || !route_custom_tags->contains(tag.first)) { + // If the tag is defined in both the connection manager and the route, + // use the route's tag. + tag.second->applySpan(span, ctx); + } + } } bool ConnectionManagerImpl::ActiveStream::verbose() const { @@ -2147,7 +2145,6 @@ void ConnectionManagerImpl::ActiveStream::setVirtualHostRoute( filter_manager_.streamInfo().vhost_ = std::move(vhost_route.vhost); filter_manager_.streamInfo().setUpstreamClusterInfo(cached_cluster_info_.value()); - refreshCachedTracingCustomTags(); refreshDurationTimeout(); refreshIdleTimeout(); } @@ -2190,11 +2187,7 @@ void ConnectionManagerImpl::ActiveStream::clearRouteCache() { } setCachedRoute({}); - cached_cluster_info_ = absl::optional(); - if (tracing_custom_tags_) { - tracing_custom_tags_->clear(); - } } void ConnectionManagerImpl::ActiveStream::refreshRouteCluster() { diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h index 812530b06c8c0..0ea44e932d9b8 100644 --- a/source/common/http/conn_manager_impl.h +++ b/source/common/http/conn_manager_impl.h @@ -332,7 +332,6 @@ class ConnectionManagerImpl : Logger::Loggable, void refreshCachedRoute(const Router::RouteCallback& cb); - void refreshCachedTracingCustomTags(); void refreshDurationTimeout(); void refreshIdleTimeout(); void refreshAccessLogFlushTimer(); @@ -407,13 +406,6 @@ class ConnectionManagerImpl : Logger::Loggable, return os; } - Tracing::CustomTagMap& getOrMakeTracingCustomTagMap() { - if (tracing_custom_tags_ == nullptr) { - tracing_custom_tags_ = std::make_unique(); - } - return *tracing_custom_tags_; - } - // Note: this method is a noop unless ENVOY_ENABLE_UHV is defined // Call header validator extension to validate request header map after it was deserialized. // If header map failed validation, it sends an error response and returns false. @@ -507,7 +499,6 @@ class ConnectionManagerImpl : Logger::Loggable, absl::optional cached_cluster_info_; const std::string* decorated_operation_{nullptr}; absl::optional> route_config_update_requester_; - std::unique_ptr tracing_custom_tags_{nullptr}; Http::ServerHeaderValidatorPtr header_validator_; friend FilterManager; @@ -517,7 +508,7 @@ class ConnectionManagerImpl : Logger::Loggable, // returned by the public tracingConfig() method. // Tracing::TracingConfig Tracing::OperationName operationName() const override; - const Tracing::CustomTagMap* customTags() const override; + void modifySpan(Tracing::Span& span) const override; bool verbose() const override; uint32_t maxPathTagLength() const override; bool spawnUpstreamSpan() const override; diff --git a/source/common/tracing/http_tracer_impl.cc b/source/common/tracing/http_tracer_impl.cc index da26e1ddd1455..c5c0e7144b218 100644 --- a/source/common/tracing/http_tracer_impl.cc +++ b/source/common/tracing/http_tracer_impl.cc @@ -256,15 +256,7 @@ void HttpTracerUtility::setCommonTags(Span& span, const StreamInfo::StreamInfo& span.setTag(Tracing::Tags::get().Error, Tracing::Tags::get().True); } - ReadOnlyHttpTraceContext trace_context{stream_info.getRequestHeaders() != nullptr - ? *stream_info.getRequestHeaders() - : *Http::StaticEmptyHeaders::get().request_headers}; - CustomTagContext ctx{trace_context, stream_info}; - if (const CustomTagMap* custom_tag_map = tracing_config.customTags(); custom_tag_map) { - for (const auto& it : *custom_tag_map) { - it.second->applySpan(span, ctx); - } - } + tracing_config.modifySpan(span); } } // namespace Tracing diff --git a/source/common/tracing/tracer_config_impl.h b/source/common/tracing/tracer_config_impl.h index 9ea8e1fe58b9c..26154b3c8d8c0 100644 --- a/source/common/tracing/tracer_config_impl.h +++ b/source/common/tracing/tracer_config_impl.h @@ -30,10 +30,10 @@ class TracerFactoryContextImpl : public Server::Configuration::TracerFactoryCont ProtobufMessage::ValidationVisitor& validation_visitor_; }; -class ConnectionManagerTracingConfigImpl : public ConnectionManagerTracingConfig { +class ConnectionManagerTracingConfig { public: - ConnectionManagerTracingConfigImpl(envoy::config::core::v3::TrafficDirection traffic_direction, - const ConnectionManagerTracingConfigProto& tracing_config) { + ConnectionManagerTracingConfig(envoy::config::core::v3::TrafficDirection traffic_direction, + const ConnectionManagerTracingConfigProto& tracing_config) { // Listener level traffic direction overrides the operation name switch (traffic_direction) { @@ -77,34 +77,28 @@ class ConnectionManagerTracingConfigImpl : public ConnectionManagerTracingConfig Tracing::DefaultMaxPathTagLength); } - ConnectionManagerTracingConfigImpl(Tracing::OperationName operation_name, - Tracing::CustomTagMap custom_tags, - envoy::type::v3::FractionalPercent client_sampling, - envoy::type::v3::FractionalPercent random_sampling, - envoy::type::v3::FractionalPercent overall_sampling, - bool verbose, uint32_t max_path_tag_length) - : operation_name_(operation_name), custom_tags_(custom_tags), - client_sampling_(client_sampling), random_sampling_(random_sampling), - overall_sampling_(overall_sampling), verbose_(verbose), + ConnectionManagerTracingConfig(Tracing::OperationName operation_name, + Tracing::CustomTagMap custom_tags, + envoy::type::v3::FractionalPercent client_sampling, + envoy::type::v3::FractionalPercent random_sampling, + envoy::type::v3::FractionalPercent overall_sampling, bool verbose, + uint32_t max_path_tag_length) + : operation_name_(operation_name), custom_tags_(std::move(custom_tags)), + client_sampling_(std::move(client_sampling)), random_sampling_(std::move(random_sampling)), + overall_sampling_(std::move(overall_sampling)), verbose_(verbose), max_path_tag_length_(max_path_tag_length) {} - ConnectionManagerTracingConfigImpl() = default; + ConnectionManagerTracingConfig() = default; - const envoy::type::v3::FractionalPercent& getClientSampling() const override { - return client_sampling_; - } - const envoy::type::v3::FractionalPercent& getRandomSampling() const override { - return random_sampling_; - } - const envoy::type::v3::FractionalPercent& getOverallSampling() const override { - return overall_sampling_; - } - const Tracing::CustomTagMap& getCustomTags() const override { return custom_tags_; } + const envoy::type::v3::FractionalPercent& getClientSampling() const { return client_sampling_; } + const envoy::type::v3::FractionalPercent& getRandomSampling() const { return random_sampling_; } + const envoy::type::v3::FractionalPercent& getOverallSampling() const { return overall_sampling_; } + const Tracing::CustomTagMap& getCustomTags() const { return custom_tags_; } - Tracing::OperationName operationName() const override { return operation_name_; } - bool verbose() const override { return verbose_; } - uint32_t maxPathTagLength() const override { return max_path_tag_length_; } - bool spawnUpstreamSpan() const override { return spawn_upstream_span_; } + Tracing::OperationName operationName() const { return operation_name_; } + bool verbose() const { return verbose_; } + uint32_t maxPathTagLength() const { return max_path_tag_length_; } + bool spawnUpstreamSpan() const { return spawn_upstream_span_; } // TODO(wbpcode): keep this field be public for compatibility. Then the HCM needn't change much // code to use this config. @@ -118,5 +112,7 @@ class ConnectionManagerTracingConfigImpl : public ConnectionManagerTracingConfig bool spawn_upstream_span_{}; }; +using ConnectionManagerTracingConfigPtr = std::unique_ptr; + } // namespace Tracing } // namespace Envoy diff --git a/source/common/tracing/tracer_impl.cc b/source/common/tracing/tracer_impl.cc index 8205d0d2f8cd0..c012dd76ed973 100644 --- a/source/common/tracing/tracer_impl.cc +++ b/source/common/tracing/tracer_impl.cc @@ -84,8 +84,7 @@ Decision TracerUtility::shouldTraceRequest(const StreamInfo::StreamInfo& stream_ } } -void TracerUtility::finalizeSpan(Span& span, const TraceContext& trace_context, - const StreamInfo::StreamInfo& stream_info, +void TracerUtility::finalizeSpan(Span& span, const StreamInfo::StreamInfo& stream_info, const Config& tracing_config, bool upstream_span) { span.setTag(Tracing::Tags::get().Component, Tracing::Tags::get().Proxy); @@ -123,14 +122,7 @@ void TracerUtility::finalizeSpan(Span& span, const TraceContext& trace_context, if (tracing_config.verbose()) { annotateVerbose(span, stream_info); } - - // Custom tag from configuration. - CustomTagContext ctx{trace_context, stream_info}; - if (const CustomTagMap* custom_tag_map = tracing_config.customTags(); custom_tag_map) { - for (const auto& it : *custom_tag_map) { - it.second->applySpan(span, ctx); - } - } + tracing_config.modifySpan(span); // Finish the span. span.finishSpan(); diff --git a/source/common/tracing/tracer_impl.h b/source/common/tracing/tracer_impl.h index 70354ef4ba8c5..446d532513bf3 100644 --- a/source/common/tracing/tracer_impl.h +++ b/source/common/tracing/tracer_impl.h @@ -34,14 +34,12 @@ class TracerUtility { /** * Finalize span and set protocol independent tags to the span. * @param span the downstream or upstream span. - * @param context traceable stream context. * @param stream_info stream info. * @param config tracing configuration. * @param upstream_span true if the span is an upstream span. */ - static void finalizeSpan(Span& span, const TraceContext& context, - const StreamInfo::StreamInfo& stream_info, const Config& config, - bool upstream_span); + static void finalizeSpan(Span& span, const StreamInfo::StreamInfo& stream_info, + const Config& config, bool upstream_span); private: static const std::string IngressOperation; @@ -52,7 +50,7 @@ class EgressConfigImpl : public Config { public: // Tracing::Config Tracing::OperationName operationName() const override { return Tracing::OperationName::Egress; } - const CustomTagMap* customTags() const override { return nullptr; } + void modifySpan(Tracing::Span&) const override {} bool verbose() const override { return false; } uint32_t maxPathTagLength() const override { return Tracing::DefaultMaxPathTagLength; } // This EgressConfigImpl is only used for async client tracing. Return false here is OK. diff --git a/source/extensions/filters/network/generic_proxy/config.cc b/source/extensions/filters/network/generic_proxy/config.cc index a922cb83dbaa3..55450932390ed 100644 --- a/source/extensions/filters/network/generic_proxy/config.cc +++ b/source/extensions/filters/network/generic_proxy/config.cc @@ -118,7 +118,7 @@ Factory::createFilterFactoryFromProtoTyped(const ProxyConfig& proto_config, if (proto_config.tracing().has_provider()) { tracer = tracer_manager->getOrCreateTracer(&proto_config.tracing().provider()); } - tracing_config = std::make_unique( + tracing_config = std::make_unique( context.listenerInfo().direction(), proto_config.tracing()); } diff --git a/source/extensions/filters/network/generic_proxy/proxy.cc b/source/extensions/filters/network/generic_proxy/proxy.cc index bb2e3ca8919cd..075c80046bad5 100644 --- a/source/extensions/filters/network/generic_proxy/proxy.cc +++ b/source/extensions/filters/network/generic_proxy/proxy.cc @@ -89,9 +89,15 @@ Tracing::OperationName ActiveStream::operationName() const { return conn_manager_tracing_config_->operationName(); } -const Tracing::CustomTagMap* ActiveStream::customTags() const { +void ActiveStream::modifySpan(Tracing::Span& span) const { ASSERT(conn_manager_tracing_config_.has_value()); - return &conn_manager_tracing_config_->getCustomTags(); + + const TraceContextBridge trace_context{*request_header_frame_}; + const Tracing::CustomTagContext ctx{trace_context, stream_info_}; + + for (const auto& it : conn_manager_tracing_config_->getCustomTags()) { + it.second->applySpan(span, ctx); + } } bool ActiveStream::verbose() const { @@ -621,8 +627,7 @@ void ActiveStream::completeStream(absl::optional re parent_.stats_helper_.onRequestComplete(stream_info_, local_reply_, error_reply); if (active_span_) { - const TraceContextBridge context{*request_header_frame_}; - Tracing::TracerUtility::finalizeSpan(*active_span_, context, stream_info_, *this, false); + Tracing::TracerUtility::finalizeSpan(*active_span_, stream_info_, *this, false); } for (const auto& access_log : parent_.config_->accessLogs()) { diff --git a/source/extensions/filters/network/generic_proxy/proxy.h b/source/extensions/filters/network/generic_proxy/proxy.h index 4a80b98aa30ac..8e196116b83ba 100644 --- a/source/extensions/filters/network/generic_proxy/proxy.h +++ b/source/extensions/filters/network/generic_proxy/proxy.h @@ -296,7 +296,7 @@ class ActiveStream : public FilterChainManager, // returned by the public tracingConfig() method. // Tracing::TracingConfig Tracing::OperationName operationName() const override; - const Tracing::CustomTagMap* customTags() const override; + void modifySpan(Tracing::Span& span) const override; bool verbose() const override; uint32_t maxPathTagLength() const override; bool spawnUpstreamSpan() const override; @@ -442,7 +442,7 @@ class Filter : public Envoy::Network::ReadFilter, bool downstream_connection_closed_{}; - FilterConfigSharedPtr config_{}; + FilterConfigSharedPtr config_; GenericFilterStatsHelper stats_helper_; const Network::DrainDecision& drain_decision_; diff --git a/source/extensions/filters/network/generic_proxy/router/router.cc b/source/extensions/filters/network/generic_proxy/router/router.cc index c219aef86db45..6c47f13205d60 100644 --- a/source/extensions/filters/network/generic_proxy/router/router.cc +++ b/source/extensions/filters/network/generic_proxy/router/router.cc @@ -92,9 +92,7 @@ void UpstreamRequest::resetStream(StreamResetReason reason, absl::string_view re if (span_ != nullptr) { span_->setTag(Tracing::Tags::get().Error, Tracing::Tags::get().True); span_->setTag(Tracing::Tags::get().ErrorReason, resetReasonToViewAndFlag(reason).view); - TraceContextBridge trace_context{*parent_.request_stream_}; - Tracing::TracerUtility::finalizeSpan(*span_, trace_context, stream_info_, - tracing_config_.value().get(), true); + Tracing::TracerUtility::finalizeSpan(*span_, stream_info_, tracing_config_.value().get(), true); } // Notify the parent filter that the upstream request has been reset. @@ -110,9 +108,7 @@ void UpstreamRequest::clearStream(bool close_connection) { close_connection); if (span_ != nullptr) { - TraceContextBridge trace_context{*parent_.request_stream_}; - Tracing::TracerUtility::finalizeSpan(*span_, trace_context, stream_info_, - tracing_config_.value().get(), true); + Tracing::TracerUtility::finalizeSpan(*span_, stream_info_, tracing_config_.value().get(), true); } generic_upstream_->removeUpstreamRequest(stream_id_); diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index ac99c40776eec..c4423d12bbb0b 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -1588,13 +1588,15 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlow) { tracing_config_ = std::make_unique( TracingConnectionManagerConfig{Tracing::OperationName::Ingress, conn_tracing_tags, percent1, percent2, percent1, false, 256}); - NiceMock route_tracing; - ON_CALL(route_tracing, getClientSampling()).WillByDefault(ReturnRef(percent1)); - ON_CALL(route_tracing, getRandomSampling()).WillByDefault(ReturnRef(percent2)); - ON_CALL(route_tracing, getOverallSampling()).WillByDefault(ReturnRef(percent1)); - ON_CALL(route_tracing, getCustomTags()).WillByDefault(ReturnRef(route_tracing_tags)); + NiceMock& route_tracing = + route_config_provider_.route_config_->route_->route_tracing_; + route_tracing.client_sampling_ = percent1; + route_tracing.random_sampling_ = percent2; + route_tracing.overall_sampling_ = percent1; + route_tracing.custom_tags_ = route_tracing_tags; + ON_CALL(*route_config_provider_.route_config_->route_, tracingConfig()) - .WillByDefault(Return(&route_tracing)); + .WillByDefault(Return(&route_config_provider_.route_config_->route_->route_tracing_)); EXPECT_CALL(*span, finishSpan()); EXPECT_CALL(*span, setTag(_, _)).Times(testing::AnyNumber()); diff --git a/test/common/tracing/http_tracer_impl_test.cc b/test/common/tracing/http_tracer_impl_test.cc index 4d983b166fd22..5d0e588acfce6 100644 --- a/test/common/tracing/http_tracer_impl_test.cc +++ b/test/common/tracing/http_tracer_impl_test.cc @@ -59,17 +59,27 @@ class HttpConnManFinalizerImplTest : public testing::Test { for (const CustomTagCase& cas : cases) { envoy::type::tracing::v3::CustomTag custom_tag; TestUtility::loadFromYaml(cas.custom_tag, custom_tag); - config.custom_tags_.emplace(custom_tag.tag(), CustomTagUtility::createCustomTag(custom_tag)); + custom_tags_.emplace(custom_tag.tag(), CustomTagUtility::createCustomTag(custom_tag)); if (cas.set) { EXPECT_CALL(span, setTag(Eq(custom_tag.tag()), Eq(cas.value))); } else { EXPECT_CALL(span, setTag(Eq(custom_tag.tag()), _)).Times(0); } } + + EXPECT_CALL(config, modifySpan(_)).WillOnce(Invoke([this](Span& span) { + HttpTraceContext trace_context{request_headers_}; + const CustomTagContext ctx{trace_context, stream_info}; + for (const auto& [_, custom_tag] : custom_tags_) { + custom_tag->applySpan(span, ctx); + } + })); } NiceMock span; NiceMock config; + Tracing::CustomTagMap custom_tags_; + Http::TestRequestHeaderMapImpl request_headers_; NiceMock stream_info; std::shared_ptr> cluster_info_{ std::make_shared>()}; @@ -84,11 +94,12 @@ TEST_F(HttpConnManFinalizerImplTest, OriginalAndLongPath) { const auto remote_address = Network::Address::InstanceConstSharedPtr{ new Network::Address::Ipv4Instance(expected_ip, 0, nullptr)}; - Http::TestRequestHeaderMapImpl request_headers{{"x-request-id", "id"}, - {"x-envoy-original-path", path}, - {":method", "GET"}, - {":path", ""}, - {":scheme", "http"}}; + request_headers_ = Http::TestRequestHeaderMapImpl{{"x-request-id", "id"}, + {"x-envoy-original-path", path}, + {":method", "GET"}, + {":path", ""}, + {":scheme", "http"}}; + Http::TestResponseHeaderMapImpl response_headers; Http::TestResponseTrailerMapImpl response_trailers; @@ -106,7 +117,9 @@ TEST_F(HttpConnManFinalizerImplTest, OriginalAndLongPath) { EXPECT_CALL(span, setTag(Eq(Tracing::Tags::get().HttpProtocol), Eq("HTTP/2"))); EXPECT_CALL(span, setTag(Eq(Tracing::Tags::get().PeerAddress), Eq(expected_ip))); - HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers, &response_headers, + expectSetCustomTags({}); + + HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers_, &response_headers, &response_trailers, stream_info, config); } @@ -118,7 +131,7 @@ TEST_F(HttpConnManFinalizerImplTest, NoGeneratedId) { const auto remote_address = Network::Address::InstanceConstSharedPtr{ new Network::Address::Ipv4Instance(expected_ip, 0, nullptr)}; - Http::TestRequestHeaderMapImpl request_headers{ + request_headers_ = Http::TestRequestHeaderMapImpl{ {":path", ""}, {"x-envoy-original-path", path}, {":method", "GET"}, {":scheme", "http"}}; Http::TestResponseHeaderMapImpl response_headers; Http::TestResponseTrailerMapImpl response_trailers; @@ -137,7 +150,9 @@ TEST_F(HttpConnManFinalizerImplTest, NoGeneratedId) { EXPECT_CALL(span, setTag(Eq(Tracing::Tags::get().HttpProtocol), Eq("HTTP/2"))); EXPECT_CALL(span, setTag(Eq(Tracing::Tags::get().PeerAddress), Eq(expected_ip))); - HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers, &response_headers, + expectSetCustomTags({}); + + HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers_, &response_headers, &response_trailers, stream_info, config); } @@ -167,6 +182,8 @@ TEST_F(HttpConnManFinalizerImplTest, Connect) { EXPECT_CALL(span, setTag(Eq(Tracing::Tags::get().HttpProtocol), Eq("HTTP/2"))); EXPECT_CALL(span, setTag(Eq(Tracing::Tags::get().PeerAddress), Eq(expected_ip))); + expectSetCustomTags({}); + HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers, &response_headers, &response_trailers, stream_info, config); } @@ -366,11 +383,11 @@ TEST_F(HttpConnManFinalizerImplTest, UnixDomainSocketPeerAddressTag) { TEST_F(HttpConnManFinalizerImplTest, SpanCustomTags) { TestEnvironment::setEnvVar("E_CC", "c", 1); - Http::TestRequestHeaderMapImpl request_headers{{"x-request-id", "id"}, - {":path", "/test"}, - {":method", "GET"}, - {":scheme", "https"}, - {"x-bb", "b"}}; + request_headers_ = Http::TestRequestHeaderMapImpl{{"x-request-id", "id"}, + {":path", "/test"}, + {":method", "GET"}, + {":scheme", "https"}, + {"x-bb", "b"}}; ProtobufWkt::Struct fake_struct; std::string yaml = R"EOF( @@ -400,7 +417,6 @@ TEST_F(HttpConnManFinalizerImplTest, SpanCustomTags) { EXPECT_CALL(stream_info, bytesSent()).WillOnce(Return(100)); EXPECT_CALL(*host_, metadata()).WillRepeatedly(Return(host_metadata)); - EXPECT_CALL(config, customTags()); EXPECT_CALL(span, setTag(_, _)).Times(testing::AnyNumber()); expectSetCustomTags( @@ -477,9 +493,9 @@ tag: dd-10, metadata_key: { key: m.host, path: [ { key: not-found } ] })EOF", false, ""}}); - ON_CALL(stream_info, getRequestHeaders()).WillByDefault(Return(&request_headers)); + ON_CALL(stream_info, getRequestHeaders()).WillByDefault(Return(&request_headers_)); - HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers, nullptr, nullptr, stream_info, + HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers_, nullptr, nullptr, stream_info, config); } @@ -688,12 +704,10 @@ TEST_F(HttpConnManFinalizerImplTest, CustomTagOverwritesCommonTag) { EXPECT_CALL(stream_info, responseCode()).WillRepeatedly(ReturnPointee(&response_code)); EXPECT_CALL(stream_info, bytesSent()).WillOnce(Return(100)); - EXPECT_CALL(config, customTags()); - std::string custom_tag_str = "{ tag: component, literal: { value: override_component } }"; envoy::type::tracing::v3::CustomTag custom_tag; TestUtility::loadFromYaml(custom_tag_str, custom_tag); - config.custom_tags_.emplace(custom_tag.tag(), CustomTagUtility::createCustomTag(custom_tag)); + custom_tags_.emplace(custom_tag.tag(), CustomTagUtility::createCustomTag(custom_tag)); EXPECT_CALL(span, setTag(_, _)).Times(testing::AnyNumber()); { @@ -703,6 +717,8 @@ TEST_F(HttpConnManFinalizerImplTest, CustomTagOverwritesCommonTag) { EXPECT_CALL(span, setTag(Eq(custom_tag.tag()), "override_component")); } + expectSetCustomTags({}); + HttpTracerUtility::finalizeDownstreamSpan(span, &request_headers, nullptr, nullptr, stream_info, config); } @@ -757,6 +773,16 @@ TEST(HttpTraceContextTest, HttpTraceContextTest) { // 'host' will be converted to ':authority'. EXPECT_EQ(23, size); } + + { + Http::TestRequestHeaderMapImpl request_headers; + ReadOnlyHttpTraceContext trace_context(request_headers); + + // No operations for ReadOnlyHttpTraceContext. + trace_context.set("key", "value"); + trace_context.remove("key"); + trace_context.requestHeaders(); + } } } // namespace diff --git a/test/common/tracing/tracer_config_impl_test.cc b/test/common/tracing/tracer_config_impl_test.cc index 85f49f594fe1c..8c65c327c517b 100644 --- a/test/common/tracing/tracer_config_impl_test.cc +++ b/test/common/tracing/tracer_config_impl_test.cc @@ -23,7 +23,7 @@ TEST(ConnectionManagerTracingConfigImplTest, SimpleTest) { custom_tag->set_tag("foo"); custom_tag->mutable_literal()->set_value("bar"); - ConnectionManagerTracingConfigImpl config(traffic_direction, tracing_config); + ConnectionManagerTracingConfig config(traffic_direction, tracing_config); EXPECT_EQ(Tracing::OperationName::Ingress, config.operationName()); EXPECT_EQ(true, config.verbose()); @@ -45,7 +45,7 @@ TEST(ConnectionManagerTracingConfigImplTest, SimpleTest) { custom_tag->set_tag("foo"); custom_tag->mutable_literal()->set_value("bar"); - ConnectionManagerTracingConfigImpl config(traffic_direction, tracing_config); + ConnectionManagerTracingConfig config(traffic_direction, tracing_config); EXPECT_EQ(Tracing::OperationName::Egress, config.operationName()); EXPECT_EQ(true, config.verbose()); diff --git a/test/common/tracing/tracer_impl_test.cc b/test/common/tracing/tracer_impl_test.cc index a6c70556b0a4b..2bd6f069d58ab 100644 --- a/test/common/tracing/tracer_impl_test.cc +++ b/test/common/tracing/tracer_impl_test.cc @@ -107,17 +107,26 @@ class FinalizerImplTest : public testing::Test { for (const CustomTagCase& cas : cases) { envoy::type::tracing::v3::CustomTag custom_tag; TestUtility::loadFromYaml(cas.custom_tag, custom_tag); - config.custom_tags_.emplace(custom_tag.tag(), CustomTagUtility::createCustomTag(custom_tag)); + custom_tags.emplace(custom_tag.tag(), CustomTagUtility::createCustomTag(custom_tag)); if (cas.set) { EXPECT_CALL(span, setTag(Eq(custom_tag.tag()), Eq(cas.value))); } else { EXPECT_CALL(span, setTag(Eq(custom_tag.tag()), _)).Times(0); } } + + EXPECT_CALL(config, modifySpan(_)).WillOnce(Invoke([this](Span& span) { + const CustomTagContext ctx{trace_context, stream_info}; + for (const auto& [_, custom_tag] : custom_tags) { + custom_tag->applySpan(span, ctx); + } + })); } NiceMock span; NiceMock config; + Tracing::CustomTagMap custom_tags; + Tracing::TestTraceContextImpl trace_context; NiceMock stream_info; std::shared_ptr> cluster_info_{ std::make_shared>()}; @@ -127,7 +136,7 @@ class FinalizerImplTest : public testing::Test { TEST_F(FinalizerImplTest, TestAll) { TestEnvironment::setEnvVar("E_CC", "c", 1); - Tracing::TestTraceContextImpl trace_context{{"x-request-id", "id"}, {"x-bb", "b"}}; + trace_context.context_map_ = {{"x-request-id", "id"}, {"x-bb", "b"}}; trace_context.context_host_ = "test.com"; trace_context.context_method_ = "method"; trace_context.context_path_ = "TestService"; @@ -197,7 +206,7 @@ TEST_F(FinalizerImplTest, TestAll) { {"{ tag: cc-3, environment: { name: E_CC_NOT_FOUND} }", false, ""}, }); - TracerUtility::finalizeSpan(span, trace_context, stream_info, config, true); + TracerUtility::finalizeSpan(span, stream_info, config, true); } { @@ -232,7 +241,7 @@ TEST_F(FinalizerImplTest, TestAll) { {"{ tag: cc-3, environment: { name: E_CC_NOT_FOUND} }", false, ""}, }); - TracerUtility::finalizeSpan(span, trace_context, stream_info, config, false); + TracerUtility::finalizeSpan(span, stream_info, config, false); } } @@ -240,9 +249,10 @@ TEST(EgressConfigImplTest, EgressConfigImplTest) { EgressConfigImpl config_impl; EXPECT_EQ(OperationName::Egress, config_impl.operationName()); - EXPECT_EQ(nullptr, config_impl.customTags()); EXPECT_EQ(false, config_impl.verbose()); EXPECT_EQ(Tracing::DefaultMaxPathTagLength, config_impl.maxPathTagLength()); + NiceMock span; + config_impl.modifySpan(span); } TEST(NullTracerTest, BasicFunctionality) { diff --git a/test/extensions/filters/network/generic_proxy/proxy_test.cc b/test/extensions/filters/network/generic_proxy/proxy_test.cc index 06cfe59f53140..d905524e5ffd3 100644 --- a/test/extensions/filters/network/generic_proxy/proxy_test.cc +++ b/test/extensions/filters/network/generic_proxy/proxy_test.cc @@ -62,7 +62,7 @@ class FilterConfigTest : public testing::Test { TestUtility::loadFromYaml(tracing_config_yaml, tracing_config); - tracing_config_ = std::make_unique( + tracing_config_ = std::make_unique( envoy::config::core::v3::TrafficDirection::OUTBOUND, tracing_config); } diff --git a/test/mocks/router/mocks.cc b/test/mocks/router/mocks.cc index 53e44e30dde00..33c5a40c2cadd 100644 --- a/test/mocks/router/mocks.cc +++ b/test/mocks/router/mocks.cc @@ -144,7 +144,12 @@ MockDecorator::MockDecorator() { } MockDecorator::~MockDecorator() = default; -MockRouteTracing::MockRouteTracing() = default; +MockRouteTracing::MockRouteTracing() { + ON_CALL(*this, getCustomTags()).WillByDefault(ReturnRef(custom_tags_)); + ON_CALL(*this, getClientSampling()).WillByDefault(ReturnRef(client_sampling_)); + ON_CALL(*this, getRandomSampling()).WillByDefault(ReturnRef(random_sampling_)); + ON_CALL(*this, getOverallSampling()).WillByDefault(ReturnRef(overall_sampling_)); +} MockRouteTracing::~MockRouteTracing() = default; MockRoute::MockRoute() { diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index ed0741ad25a82..87360a9393e9e 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -501,6 +501,11 @@ class MockRouteTracing : public RouteTracing { MOCK_METHOD(const envoy::type::v3::FractionalPercent&, getRandomSampling, (), (const)); MOCK_METHOD(const envoy::type::v3::FractionalPercent&, getOverallSampling, (), (const)); MOCK_METHOD(const Tracing::CustomTagMap&, getCustomTags, (), (const)); + + envoy::type::v3::FractionalPercent client_sampling_; + envoy::type::v3::FractionalPercent random_sampling_; + envoy::type::v3::FractionalPercent overall_sampling_; + Tracing::CustomTagMap custom_tags_; }; class MockRoute : public RouteEntryAndRoute { diff --git a/test/mocks/tracing/mocks.cc b/test/mocks/tracing/mocks.cc index 22987c53152d2..02c8b7f26680d 100644 --- a/test/mocks/tracing/mocks.cc +++ b/test/mocks/tracing/mocks.cc @@ -14,7 +14,6 @@ MockSpan::~MockSpan() = default; MockConfig::MockConfig() { ON_CALL(*this, operationName()).WillByDefault(ReturnPointee(&operation_name_)); - ON_CALL(*this, customTags()).WillByDefault(Return(&custom_tags_)); ON_CALL(*this, verbose()).WillByDefault(ReturnPointee(&verbose_)); ON_CALL(*this, maxPathTagLength()).WillByDefault(Return(uint32_t(256))); ON_CALL(*this, spawnUpstreamSpan()).WillByDefault(ReturnPointee(&spawn_upstream_span_)); diff --git a/test/mocks/tracing/mocks.h b/test/mocks/tracing/mocks.h index 51b0fbc6c83e0..e0d494506b195 100644 --- a/test/mocks/tracing/mocks.h +++ b/test/mocks/tracing/mocks.h @@ -18,13 +18,12 @@ class MockConfig : public Config { ~MockConfig() override; MOCK_METHOD(OperationName, operationName, (), (const)); - MOCK_METHOD(const CustomTagMap*, customTags, (), (const)); + MOCK_METHOD(void, modifySpan, (Span&), (const)); MOCK_METHOD(bool, verbose, (), (const)); MOCK_METHOD(uint32_t, maxPathTagLength, (), (const)); MOCK_METHOD(bool, spawnUpstreamSpan, (), (const)); OperationName operation_name_{OperationName::Ingress}; - CustomTagMap custom_tags_; bool verbose_{false}; bool spawn_upstream_span_{false}; }; diff --git a/test/test_common/utility.h b/test/test_common/utility.h index b4816a58a320e..0ce51e09ecc03 100644 --- a/test/test_common/utility.h +++ b/test/test_common/utility.h @@ -886,6 +886,7 @@ namespace Tracing { class TestTraceContextImpl : public Tracing::TraceContext { public: + TestTraceContextImpl() = default; TestTraceContextImpl(const std::initializer_list>& values) { for (const auto& value : values) { context_map_[value.first] = value.second; From 1cec2b32dfe3f65a9da3a1e45c5c453acd7b0567 Mon Sep 17 00:00:00 2001 From: Paul Sohn Date: Tue, 29 Jul 2025 15:30:47 -0400 Subject: [PATCH 107/505] re-enable runtime guard envoy_reloadable_features_quic_defer_logging_to_ack_listener (#40252) Risk Level: low Testing: integration tests already exist for this feature (see quic_http_integration_test) Docs Changes: N/A Release Notes: N/A Fixes #29930 --------- Signed-off-by: Paul Sohn --- source/common/runtime/runtime_features.cc | 3 +-- test/integration/protocol_integration_test.cc | 2 ++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index b5d6334c5b32e..c4503dacb6397 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -73,6 +73,7 @@ RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_ RUNTIME_GUARD(envoy_reloadable_features_proxy_104); RUNTIME_GUARD(envoy_reloadable_features_proxy_ssl_port); RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags); +RUNTIME_GUARD(envoy_reloadable_features_quic_defer_logging_to_ack_listener); // Ignore the automated "remove this flag" issue: we should keep this for 1 year. Confirm with // @danzh2010 or @RyanTheOptimist before removing. RUNTIME_GUARD(envoy_reloadable_features_quic_send_server_preferred_address_to_all_clients); @@ -129,8 +130,6 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_reject_all); // For more information about Universal Header Validation, please see // https://github.com/envoyproxy/envoy/issues/10646 FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_universal_header_validator); -// TODO(pksohn): enable after canarying the feature internally without problems. -FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_defer_logging_to_ack_listener); // TODO(alyssar) evaluate and either make this a config knob or remove. FALSE_RUNTIME_GUARD(envoy_reloadable_features_reresolve_null_addresses); // TODO(alyssar) evaluate and either make this a config knob or remove. diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index adefc8e4e8ca5..4c83251e35779 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -5185,6 +5185,8 @@ TEST_P(ProtocolIntegrationTest, InvalidResponseHeaderNameStreamError) { TEST_P(ProtocolIntegrationTest, ServerHalfCloseBeforeClientWithBufferedResponseData) { config_helper_.addRuntimeOverride( "envoy.reloadable_features.allow_multiplexed_upstream_half_close", "true"); + config_helper_.addRuntimeOverride("envoy.reloadable_features.quic_defer_logging_to_ack_listener", + "false"); useAccessLog("%DURATION% %REQUEST_DURATION% %REQUEST_TX_DURATION% %RESPONSE_DURATION% " "%RESPONSE_TX_DURATION%"); constexpr uint32_t kStreamWindowSize = 64 * 1024; From 0cde5333899bdb30f1ee3234a4dc54af1e80e980 Mon Sep 17 00:00:00 2001 From: botengyao Date: Tue, 29 Jul 2025 20:57:13 -0400 Subject: [PATCH 108/505] scoped_rds: nit remove unused to_be_removed_scopes (#40477) Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Boteng Yao --- source/common/router/scoped_rds.cc | 2 -- 1 file changed, 2 deletions(-) diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc index c773654308d66..079b5a06c5f19 100644 --- a/source/common/router/scoped_rds.cc +++ b/source/common/router/scoped_rds.cc @@ -394,8 +394,6 @@ absl::Status ScopedRdsConfigSubscription::onConfigUpdate( const std::vector& added_resources, const Protobuf::RepeatedPtrField& removed_resources, const std::string& version_info) { - // NOTE: deletes are done before adds/updates. - absl::flat_hash_map to_be_removed_scopes; // Destruction of resume_rds will lift the floodgate for new RDS subscriptions. // Note in the case of partial acceptance, accepted RDS subscriptions should be started // despite of any error. From 25302a8308bc5d75ecd35b14ed74df77edecce79 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 29 Jul 2025 20:43:44 -0700 Subject: [PATCH 109/505] docs: address the stale docs for network_namespace_filepath (#40482) --- api/envoy/config/core/v3/address.proto | 3 --- 1 file changed, 3 deletions(-) diff --git a/api/envoy/config/core/v3/address.proto b/api/envoy/config/core/v3/address.proto index 56796fc721a5d..238494a09c755 100644 --- a/api/envoy/config/core/v3/address.proto +++ b/api/envoy/config/core/v3/address.proto @@ -105,9 +105,6 @@ message SocketAddress { // .. note:: // Setting this parameter requires Envoy to run with the ``CAP_NET_ADMIN`` capability. // - // .. note:: - // Currently only used for Listener sockets. - // // .. attention:: // Network namespaces are only configurable on Linux. Otherwise, this field has no effect. string network_namespace_filepath = 7; From b4d35dd3b41d294d9f8edaab5ef8af1637793880 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Jul 2025 09:34:01 +0100 Subject: [PATCH 110/505] build(deps): bump envoyproxy/toolshed from actions-v0.3.23 to 0.3.24 (#40476) Signed-off-by: dependabot[bot] Signed-off-by: Ryan Northey Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/_check_coverage.yml | 2 +- .github/workflows/_finish.yml | 8 +++---- .github/workflows/_load.yml | 10 ++++---- .github/workflows/_load_env.yml | 8 +++---- .github/workflows/_precheck_publish.yml | 2 +- .github/workflows/_publish_publish.yml | 4 ++-- .github/workflows/_request.yml | 22 ++++++++--------- .github/workflows/_request_cache_bazel.yml | 8 +++---- .github/workflows/_request_cache_docker.yml | 10 ++++---- .github/workflows/_request_checks.yml | 10 ++++---- .github/workflows/_run.yml | 24 +++++++++---------- .github/workflows/codeql-daily.yml | 2 +- .github/workflows/codeql-push.yml | 2 +- .github/workflows/command.yml | 6 ++--- .github/workflows/envoy-dependency.yml | 18 +++++++------- .github/workflows/envoy-release.yml | 26 ++++++++++----------- .github/workflows/envoy-sync.yml | 8 +++---- .github/workflows/mobile-android_build.yml | 12 +++++----- .github/workflows/mobile-ios_build.yml | 4 ++-- 19 files changed, 93 insertions(+), 93 deletions(-) diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml index 12b7c6380fc63..7a92bdaade1dd 100644 --- a/.github/workflows/_check_coverage.yml +++ b/.github/workflows/_check_coverage.yml @@ -53,7 +53,7 @@ jobs: request: ${{ inputs.request }} runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.24 with: bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} path: generated/${{ matrix.target }}/html diff --git a/.github/workflows/_finish.yml b/.github/workflows/_finish.yml index fd01ca27761aa..1724e4907c940 100644 --- a/.github/workflows/_finish.yml +++ b/.github/workflows/_finish.yml @@ -36,7 +36,7 @@ jobs: actions: read contents: read steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 name: Incoming data id: needs with: @@ -87,7 +87,7 @@ jobs: summary: "Check has finished", text: $text}}}} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 name: Print summary with: input: ${{ toJSON(steps.needs.outputs.value).summary-title }} @@ -95,13 +95,13 @@ jobs: "## \(.)" options: -Rr output-path: GITHUB_STEP_SUMMARY - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.24 name: Update check with: action: update diff --git a/.github/workflows/_load.yml b/.github/workflows/_load.yml index 3fe651821c320..907e27a442b5d 100644 --- a/.github/workflows/_load.yml +++ b/.github/workflows/_load.yml @@ -100,7 +100,7 @@ jobs: # Handle any failure in triggering job # Remove any `checks` we dont care about # Prepare a check request - - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.24 name: Load env id: data with: @@ -111,13 +111,13 @@ jobs: GH_TOKEN: ${{ github.token }} # Update the check - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.24 name: Update check if: ${{ fromJSON(steps.data.outputs.data).data.check.action == 'RUN' }} with: @@ -125,7 +125,7 @@ jobs: checks: ${{ toJSON(fromJSON(steps.data.outputs.data).checks) }} token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 name: Print request summary with: input: | @@ -145,7 +145,7 @@ jobs: | $summary.summary as $summary | "${{ inputs.template-request-summary }}" - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: request-output name: Load request with: diff --git a/.github/workflows/_load_env.yml b/.github/workflows/_load_env.yml index f82003f9ecc5b..3fb3a66b836f7 100644 --- a/.github/workflows/_load_env.yml +++ b/.github/workflows/_load_env.yml @@ -63,18 +63,18 @@ jobs: request: ${{ steps.env.outputs.data }} trusted: true steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: started name: Create timestamp with: options: -r filter: | now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout name: Checkout Envoy repository - name: Generate environment variables - uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.24 id: env with: branch-name: ${{ inputs.branch-name }} @@ -86,7 +86,7 @@ jobs: - name: Request summary id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.24 with: actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} diff --git a/.github/workflows/_precheck_publish.yml b/.github/workflows/_precheck_publish.yml index a4de52c443d23..8c30bf2566512 100644 --- a/.github/workflows/_precheck_publish.yml +++ b/.github/workflows/_precheck_publish.yml @@ -78,7 +78,7 @@ jobs: --config=docs-ci rbe: true steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.24 with: bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} path: generated/docs diff --git a/.github/workflows/_publish_publish.yml b/.github/workflows/_publish_publish.yml index ccdd4f353c787..ce07bb39666bd 100644 --- a/.github/workflows/_publish_publish.yml +++ b/.github/workflows/_publish_publish.yml @@ -78,12 +78,12 @@ jobs: needs: - publish steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.24 with: ref: main repository: ${{ fromJSON(inputs.request).request.version.dev && 'envoyproxy/envoy-website' || 'envoyproxy/archive' }} diff --git a/.github/workflows/_request.yml b/.github/workflows/_request.yml index 523bf4eb02278..7986eb177f8c8 100644 --- a/.github/workflows/_request.yml +++ b/.github/workflows/_request.yml @@ -56,14 +56,14 @@ jobs: caches: ${{ steps.caches.outputs.value }} config: ${{ steps.config.outputs.config }} steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: started name: Create timestamp with: options: -r filter: | now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout name: Checkout Envoy repository (requested) with: @@ -77,7 +77,7 @@ jobs: # *ALL* variables collected should be treated as untrusted and should be sanitized before # use - name: Generate environment variables from commit - uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.24 id: env with: branch-name: ${{ steps.checkout.outputs.branch-name }} @@ -88,7 +88,7 @@ jobs: vars: ${{ toJSON(vars) }} working-directory: requested - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout-target name: Checkout Envoy repository (target branch) with: @@ -96,7 +96,7 @@ jobs: config: | fetch-depth: 1 path: target - - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.24 id: bazel-cache-hash name: Bazel cache hash with: @@ -105,7 +105,7 @@ jobs: - name: Request summary id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.24 with: actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} @@ -121,7 +121,7 @@ jobs: target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - name: Environment data - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: data with: input: | @@ -164,18 +164,18 @@ jobs: path: /tmp/cache key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }}-arm64 - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 name: Setup GCP with: key: ${{ secrets.gcs-cache-key }} - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.24 name: Check GCS bucket cache (x64) id: cache-exists-bazel-x64 with: bucket: ${{ inputs.gcs-cache-bucket }} key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-x64 - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.24 name: Check GCS bucket cache (arm64) id: cache-exists-bazel-arm64 with: @@ -183,7 +183,7 @@ jobs: key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-arm64 - name: Caches - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: caches with: input-format: yaml diff --git a/.github/workflows/_request_cache_bazel.yml b/.github/workflows/_request_cache_bazel.yml index 3c0f9b3facc73..3eb83fe499d7e 100644 --- a/.github/workflows/_request_cache_bazel.yml +++ b/.github/workflows/_request_cache_bazel.yml @@ -51,7 +51,7 @@ jobs: name: "[${{ inputs.arch }}] Prime Bazel cache" if: ${{ ! fromJSON(inputs.caches).bazel[inputs.arch] }} steps: - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout-target name: Checkout Envoy repository (target branch) with: @@ -59,14 +59,14 @@ jobs: config: | fetch-depth: 1 - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth name: Appauth (mutex lock) with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 name: Setup GCP with: key: ${{ secrets.gcs-cache-key }} @@ -76,7 +76,7 @@ jobs: sudo mkdir /build sudo chown runner:docker /build echo "GITHUB_TOKEN=${{ github.token }}" >> $GITHUB_ENV - - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.24 id: bazel-cache name: Prime Bazel cache with: diff --git a/.github/workflows/_request_cache_docker.yml b/.github/workflows/_request_cache_docker.yml index ae8314e331c45..9163c786fbfd8 100644 --- a/.github/workflows/_request_cache_docker.yml +++ b/.github/workflows/_request_cache_docker.yml @@ -39,7 +39,7 @@ on: # For a job that does, you can restore with something like: # # steps: -# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.23 +# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.24 # with: # key: "${{ needs.env.outputs.build-image }}" # @@ -51,13 +51,13 @@ jobs: name: "[${{ inputs.arch }}] Prime Docker cache" if: ${{ ! fromJSON(inputs.caches).docker[inputs.arch] }} steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth name: Appauth (mutex lock) with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.24 id: docker name: Prime Docker cache (${{ inputs.image-tag }}${{ inputs.cache-suffix }}) with: @@ -65,7 +65,7 @@ jobs: key-suffix: ${{ inputs.cache-suffix }} lock-token: ${{ steps.appauth.outputs.token }} lock-repository: ${{ inputs.lock-repository }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: data name: Cache data with: @@ -73,7 +73,7 @@ jobs: input: | cached: ${{ steps.docker.outputs.cached }} key: ${{ inputs.image-tag }}${{ inputs.cache-suffix }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.24 name: Summary with: json: ${{ steps.data.outputs.value }} diff --git a/.github/workflows/_request_checks.yml b/.github/workflows/_request_checks.yml index ab9748555ffe7..3020742327544 100644 --- a/.github/workflows/_request_checks.yml +++ b/.github/workflows/_request_checks.yml @@ -55,7 +55,7 @@ jobs: runs-on: ${{ fromJSON(inputs.env).config.ci.agent-ubuntu }} name: Start checks steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: check-config name: Prepare check data with: @@ -78,13 +78,13 @@ jobs: | .skipped.output.summary = "${{ inputs.skipped-summary }}" | .skipped.output.text = "" - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.24 name: Start checks id: checks with: @@ -95,7 +95,7 @@ jobs: ${{ fromJSON(inputs.env).summary.summary }} token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.24 name: Summary with: collapse-open: true @@ -119,7 +119,7 @@ jobs: output-path: GITHUB_STEP_SUMMARY title: Checks started/skipped - - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.24 name: Save env id: data with: diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml index 8440c03855865..a021bef079b5c 100644 --- a/.github/workflows/_run.yml +++ b/.github/workflows/_run.yml @@ -155,7 +155,7 @@ on: summary-post: type: string default: | - - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.24 with: context: %{{ inputs.context }} steps-pre: @@ -217,7 +217,7 @@ jobs: name: ${{ inputs.target-suffix && format('[{0}] ', inputs.target-suffix) || '' }}${{ inputs.command }} ${{ inputs.target }} timeout-minutes: ${{ inputs.timeout-minutes }} steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 id: started name: Create timestamp with: @@ -225,7 +225,7 @@ jobs: filter: | now # This controls which input vars are exposed to the run action (and related steps) - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 name: Context id: context with: @@ -257,13 +257,13 @@ jobs: if: ${{ inputs.docker-ipv6 }} # Caches - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 name: Setup GCP (cache) if: ${{ inputs.gcs-cache-bucket }} with: key: ${{ secrets.gcs-cache-key }} force-install: ${{ contains(fromJSON('["envoy-arm64-medium", "github-arm64-2c-8gb"]'), inputs.runs-on) }} - - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.24 if: ${{ inputs.gcs-cache-bucket }} name: >- Restore Bazel cache @@ -283,12 +283,12 @@ jobs: key: ${{ inputs.cache-build-image }}${{ inputs.cache-build-image-key-suffix }} - if: ${{ inputs.cache-build-image && steps.cache-lookup.outputs.cache-hit == 'true' }} name: Restore Docker cache ${{ inputs.cache-build-image && format('({0})', inputs.cache-build-image) || '' }} - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.24 with: image-tag: ${{ inputs.cache-build-image }} key-suffix: ${{ inputs.cache-build-image-key-suffix }} - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth name: Appauth if: ${{ inputs.trusted }} @@ -299,7 +299,7 @@ jobs: # - the workaround is to allow the token to be passed through. token: ${{ github.token }} token-ok: true - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout name: Checkout Envoy repository with: @@ -316,7 +316,7 @@ jobs: token: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} # This is currently only use by mobile-docs and can be removed once they are updated to the newer website - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout-extra name: Checkout extra repository (for publishing) if: ${{ inputs.checkout-extra }} @@ -325,7 +325,7 @@ jobs: ssh-key: ${{ inputs.trusted && inputs.ssh-key-extra || '' }} - name: Import GPG key - uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.24 if: ${{ inputs.import-gpg }} with: key: ${{ secrets.gpg-key }} @@ -338,7 +338,7 @@ jobs: name: Configure PR Bazel settings if: >- ${{ fromJSON(inputs.request).request.pr != '' }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 name: Setup GCP (artefacts/rbe) id: gcp with: @@ -356,7 +356,7 @@ jobs: if: ${{ vars.ENVOY_CI_BAZELRC }} name: Configure repo Bazel settings - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.24 name: Run CI ${{ inputs.command }} ${{ inputs.target }} with: args: ${{ inputs.args != '--' && inputs.args || inputs.target }} diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index fb09e96cffbca..afd64203b8136 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Free disk space - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.24 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index 60104adf03224..03948292c3a88 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -63,7 +63,7 @@ jobs: - name: Free disk space if: ${{ env.BUILD_TARGETS != '' }} - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.24 - name: Initialize CodeQL if: ${{ env.BUILD_TARGETS != '' }} diff --git a/.github/workflows/command.yml b/.github/workflows/command.yml index 3e24c99bfc139..dc923296bff7d 100644 --- a/.github/workflows/command.yml +++ b/.github/workflows/command.yml @@ -28,7 +28,7 @@ jobs: && github.actor != 'dependabot[bot]' }} steps: - - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.24 name: Parse command from comment id: command with: @@ -37,14 +37,14 @@ jobs: ^/(retest) # /retest - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 if: ${{ steps.command.outputs.command == 'retest' }} id: appauth-retest name: Appauth (retest) with: key: ${{ secrets.ENVOY_CI_APP_KEY }} app_id: ${{ secrets.ENVOY_CI_APP_ID }} - - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.24 if: ${{ steps.command.outputs.command == 'retest' }} name: Retest with: diff --git a/.github/workflows/envoy-dependency.yml b/.github/workflows/envoy-dependency.yml index a511a6e45fcde..c700fd312bbfd 100644 --- a/.github/workflows/envoy-dependency.yml +++ b/.github/workflows/envoy-dependency.yml @@ -53,16 +53,16 @@ jobs: steps: - id: appauth name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 with: app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 with: token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.24 id: update name: Update dependency (${{ inputs.dependency }}) with: @@ -97,13 +97,13 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.24 name: Upload diff with: name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} - name: Create a PR if: ${{ inputs.pr }} - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 with: base: main body: | @@ -134,11 +134,11 @@ jobs: steps: - id: appauth name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 with: app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 id: checkout name: Checkout Envoy repository with: @@ -180,7 +180,7 @@ jobs: - name: Check Docker SHAs id: build-images - uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.24 with: images: | sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }} @@ -209,7 +209,7 @@ jobs: name: Update SHAs working-directory: envoy - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 with: base: main body: Created by Envoy dependency bot diff --git a/.github/workflows/envoy-release.yml b/.github/workflows/envoy-release.yml index 886423e7dda9b..2337aaebda16a 100644 --- a/.github/workflows/envoy-release.yml +++ b/.github/workflows/envoy-release.yml @@ -59,14 +59,14 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} @@ -87,10 +87,10 @@ jobs: name: Check changelog summary - if: ${{ inputs.author }} name: Validate signoff email - uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.24 with: email: ${{ inputs.author }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.24 name: Create release with: source: | @@ -115,7 +115,7 @@ jobs: name: Release version id: release - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 with: base: ${{ github.ref_name }} commit: false @@ -140,20 +140,20 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} strip-prefix: release/ token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.24 name: Sync version histories with: command: >- @@ -163,7 +163,7 @@ jobs: -- --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>" - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 with: append-commit-message: true base: ${{ github.ref_name }} @@ -190,13 +190,13 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 with: config: | fetch-depth: 0 @@ -226,13 +226,13 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - name: Checkout repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} diff --git a/.github/workflows/envoy-sync.yml b/.github/workflows/envoy-sync.yml index 5b13acb212563..755339966b024 100644 --- a/.github/workflows/envoy-sync.yml +++ b/.github/workflows/envoy-sync.yml @@ -34,12 +34,12 @@ jobs: - data-plane-api - mobile-website steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.24 with: repository: "envoyproxy/${{ matrix.downstream }}" ref: main @@ -61,12 +61,12 @@ jobs: downstream: - envoy-openssl steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.24 with: repository: "envoyproxy/${{ matrix.downstream }}" ref: release/v1.28 diff --git a/.github/workflows/mobile-android_build.yml b/.github/workflows/mobile-android_build.yml index 88625eb4b0554..9014f42b03a6e 100644 --- a/.github/workflows/mobile-android_build.yml +++ b/.github/workflows/mobile-android_build.yml @@ -82,9 +82,9 @@ jobs: target: kotlin-hello-world runs-on: ubuntu-22.04 steps-pre: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.24 steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 with: apk: bazel-bin/examples/kotlin/hello_world/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoykotlin/.MainActivity @@ -111,7 +111,7 @@ jobs: target: ${{ matrix.target }} runs-on: ubuntu-22.04 steps-pre: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.24 steps-post: ${{ matrix.steps-post }} timeout-minutes: 50 trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} @@ -122,7 +122,7 @@ jobs: include: - name: java-hello-world steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 with: apk: bazel-bin/examples/java/hello_world/hello_envoy.apk app: io.envoyproxy.envoymobile.helloenvoy/.MainActivity @@ -141,7 +141,7 @@ jobs: --config=mobile-remote-release-clang-android //test/kotlin/apps/baseline:hello_envoy_kt steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 with: apk: bazel-bin/test/kotlin/apps/baseline/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoybaselinetest/.MainActivity @@ -156,7 +156,7 @@ jobs: --config=mobile-remote-release-clang-android //test/kotlin/apps/experimental:hello_envoy_kt steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 with: apk: bazel-bin/test/kotlin/apps/experimental/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoyexperimentaltest/.MainActivity diff --git a/.github/workflows/mobile-ios_build.yml b/.github/workflows/mobile-ios_build.yml index 4ce906bff547d..22597704d60f8 100644 --- a/.github/workflows/mobile-ios_build.yml +++ b/.github/workflows/mobile-ios_build.yml @@ -97,7 +97,7 @@ jobs: source ./ci/mac_ci_setup.sh ./bazelw shutdown steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 with: app: ${{ matrix.app }} args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} @@ -142,7 +142,7 @@ jobs: source: | source ./ci/mac_ci_setup.sh steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.23 + - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 with: app: ${{ matrix.app }} args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} From bc253caa737d2797ad74582a87c35f1851729b6c Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 30 Jul 2025 02:17:19 -0700 Subject: [PATCH 111/505] changelog: fix typos in the current change logs and clean them up (#40481) ## Description Minor cleanup in the change logs to apply missing back-ticks. --- **Commit Message:** changelog: fix typos in the current change logs and clean them up **Additional Description:** This PR fixes typos in the current change logs and cleans them up. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 68369e43137de..9ed4236e3da09 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -33,10 +33,10 @@ new_features: Added support for request payloads in HTTP health checks. The ``send`` field in ``HttpHealthCheck`` can now be used to specify a request body to be sent during health checking. This feature supports both hex-encoded text and binary payloads, similar to TCP health checks. The payload can only be used with HTTP methods that support - request bodies (POST, PUT, PATCH, OPTIONS). Methods that must not have request bodies (GET, HEAD, DELETE, TRACE) - are validated and will throw an error if combined with payloads. The implementation is optimized to process the - payload once during configuration and reuse it for all health check requests. See :ref:`HttpHealthCheck - ` for configuration details. + request bodies (``POST``, ``PUT``, ``PATCH``, ``OPTIONS``). Methods that must not have request bodies + (``GET``, ``HEAD``, ``DELETE``, ``TRACE``) are validated and will throw an error if combined with payloads. + The implementation is optimized to process the payload once during configuration and reuse it for all health + check requests. See :ref:`HttpHealthCheck ` for configuration details. - area: router_check_tool change: | Added support for testing routes with :ref:`dynamic metadata matchers ` @@ -51,7 +51,9 @@ new_features: for more details. - area: socket change: | - Added ``network_namespace_filepath`` to ``SocketAddress``. + Added :ref:``network_namespace_filepath `` to + :ref:`SocketAddress `. This field allows specifying a Linux network namespace filepath + for socket creation, enabling network isolation in containerized environments. - area: ratelimit change: | Add the :ref:`rate_limits @@ -63,7 +65,7 @@ new_features: will take precedence over this field. - area: observability change: | - Added ENVOY_NOTIFICATION macro to track specific conditions in produiction environments. + Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in produiction environments. - area: dns_filter, redis_proxy and prefix_matcher_map change: | Switch to using Radix Tree instead of Trie for performance improvements. From 14f555a5d1e8e89c681a5648982b0b570f09188f Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 30 Jul 2025 02:19:29 -0700 Subject: [PATCH 112/505] docs: fix typo in the protocol docs (rage => range) (#40484) ## Description This PR fixes a typo in the protocol docs. We misspelled range as "rage". --- **Commit Message:** docs: fix typo in the protocol docs (rage => range) **Additional Description:** Fixes a typo in the protocol docs. We misspelled range as "rage. **Risk Level:** N/A **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- api/envoy/config/core/v3/protocol.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto index 147caa2166614..a277316cf691f 100644 --- a/api/envoy/config/core/v3/protocol.proto +++ b/api/envoy/config/core/v3/protocol.proto @@ -77,7 +77,7 @@ message QuicProtocolOptions { [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; // Similar to ``initial_stream_window_size``, but for connection-level - // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults + // flow-control. Valid values range from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults // to 25165824 (24 * 1024 * 1024). // // .. note:: From 6304f271f8bcdfaa97711a8263dcf171abfe7b3c Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Wed, 30 Jul 2025 11:03:21 -0400 Subject: [PATCH 113/505] xds-federation: adding RDS using on xds-TP based configs (#40425) This PR makes RDS the second xDS-resource-type to support xds-tp based configs, which enables it to be used in a federated-xDS scenario. This feature is under a runtime flag `envoy.reloadable_features.xdstp_based_config_singleton_subscriptions` which is disabled by default. Once we get to test it end-to-end, and add a few more xDS-resource types to the support, it could be enabled by default. We removed having the `config_source` constraint in an `RDS` config, and added a validation to check that the resource is an xDS-TP resource. Risk Level: low - disabled by default Testing: Added both unit and integration tests. Docs Changes: not yet Release Notes: not yet Platform Specific Features: N/A --------- Signed-off-by: Adi Suissa-Peleg --- .../v3/http_connection_manager.proto | 2 +- .../rds/rds_route_config_subscription.cc | 11 ++-- .../network/http_connection_manager/BUILD | 1 + .../network/http_connection_manager/config.cc | 16 ++++++ .../http_connection_manager/config_test.cc | 15 ++++++ .../xdstp_config_sources_integration_test.cc | 51 ++++++++++++++++++- 6 files changed, 91 insertions(+), 5 deletions(-) diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index e0282af86e6ef..32389d90bf30f 100644 --- a/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -1036,7 +1036,7 @@ message Rds { "envoy.config.filter.network.http_connection_manager.v2.Rds"; // Configuration source specifier for RDS. - config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; + config.core.v3.ConfigSource config_source = 1; // The name of the route configuration. This name will be passed to the RDS // API. This allows an Envoy configuration with multiple HTTP listeners (and diff --git a/source/common/rds/rds_route_config_subscription.cc b/source/common/rds/rds_route_config_subscription.cc index 901ee16f97f99..c9b299ad333b0 100644 --- a/source/common/rds/rds_route_config_subscription.cc +++ b/source/common/rds/rds_route_config_subscription.cc @@ -49,9 +49,14 @@ RdsRouteConfigSubscription::RdsRouteConfigSubscription( resource_decoder_(std::move(resource_decoder)) { const auto resource_type = route_config_provider_manager_.protoTraits().resourceType(); auto subscription_or_error = - factory_context.clusterManager().subscriptionFactory().subscriptionFromConfigSource( - config_source, Envoy::Grpc::Common::typeUrl(resource_type), *scope_, *this, - resource_decoder_, {}); + Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions") + ? factory_context.xdsManager().subscribeToSingletonResource( + route_config_name_, config_source, Envoy::Grpc::Common::typeUrl(resource_type), + *scope_, *this, resource_decoder_, {}) + : factory_context.clusterManager().subscriptionFactory().subscriptionFromConfigSource( + config_source, Envoy::Grpc::Common::typeUrl(resource_type), *scope_, *this, + resource_decoder_, {}); SET_AND_RETURN_IF_NOT_OK(subscription_or_error.status(), creation_status); subscription_ = std::move(*subscription_or_error); local_init_manager_.add(local_init_target_); diff --git a/source/extensions/filters/network/http_connection_manager/BUILD b/source/extensions/filters/network/http_connection_manager/BUILD index 515e5a0efb269..63e691817a2df 100644 --- a/source/extensions/filters/network/http_connection_manager/BUILD +++ b/source/extensions/filters/network/http_connection_manager/BUILD @@ -38,6 +38,7 @@ envoy_cc_extension( "//source/common/access_log:access_log_lib", "//source/common/common:minimal_logger_lib", "//source/common/config:utility_lib", + "//source/common/config:xds_resource_lib", "//source/common/filter:config_discovery_lib", "//source/common/http:conn_manager_lib", "//source/common/http:default_server_string_lib", diff --git a/source/extensions/filters/network/http_connection_manager/config.cc b/source/extensions/filters/network/http_connection_manager/config.cc index 1c65702f13398..cf1c3bae5d74c 100644 --- a/source/extensions/filters/network/http_connection_manager/config.cc +++ b/source/extensions/filters/network/http_connection_manager/config.cc @@ -22,6 +22,7 @@ #include "source/common/access_log/access_log_impl.h" #include "source/common/common/fmt.h" #include "source/common/config/utility.h" +#include "source/common/config/xds_resource.h" #include "source/common/http/conn_manager_config.h" #include "source/common/http/conn_manager_utility.h" #include "source/common/http/default_server_string.h" @@ -206,6 +207,20 @@ createHeaderValidatorFactory([[maybe_unused]] const envoy::extensions::filters:: return header_validator_factory; } +// Validates that an RDS config either has a config_source or an xdstp +// route_config_name defined. +absl::Status +validateRds(const envoy::extensions::filters::network::http_connection_manager::v3::Rds& rds) { + if (!rds.has_config_source() && + !Config::XdsResourceIdentifier::hasXdsTpScheme(rds.route_config_name())) { + return absl::InvalidArgumentError( + fmt::format("An RDS config must have either a 'config_source' or an xDS-TP based " + "'route_config_name'. Error while parsing RDS config:\n{}", + rds.DebugString())); + } + return absl::OkStatus(); +} + } // namespace // Singleton registration via macro defined in envoy/singleton/manager.h @@ -545,6 +560,7 @@ HttpConnectionManagerConfig::HttpConnectionManagerConfig( switch (config.route_specifier_case()) { case envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager:: RouteSpecifierCase::kRds: + SET_AND_RETURN_IF_NOT_OK(validateRds(config.rds()), creation_status); route_config_provider_ = route_config_provider_manager.createRdsRouteConfigProvider( // At the creation of a RDS route config provider, the factory_context's initManager is // always valid, though the init manager may go away later when the listener goes away. diff --git a/test/extensions/filters/network/http_connection_manager/config_test.cc b/test/extensions/filters/network/http_connection_manager/config_test.cc index f5d0ea8d68f1e..b09de6ba3aa8e 100644 --- a/test/extensions/filters/network/http_connection_manager/config_test.cc +++ b/test/extensions/filters/network/http_connection_manager/config_test.cc @@ -154,6 +154,21 @@ stat_prefix: router "chain."); } +TEST_F(HttpConnectionManagerConfigTest, NonXdsTpRouteWithoutConfigSource) { + const std::string yaml_string = R"EOF( +codec_type: http1 +stat_prefix: router +rds: + route_config_name: route1 +http_filters: +- name: foo + )EOF"; + + EXPECT_THROW_WITH_REGEX( + createHttpConnectionManagerConfig(yaml_string), EnvoyException, + "An RDS config must have either a 'config_source' or an xDS-TP based 'route_config_name'"); +} + TEST_F(HttpConnectionManagerConfigTest, MiscConfig) { const std::string yaml_string = R"EOF( codec_type: http1 diff --git a/test/integration/xdstp_config_sources_integration_test.cc b/test/integration/xdstp_config_sources_integration_test.cc index 8296e516d9f0d..f594fb5c99a6b 100644 --- a/test/integration/xdstp_config_sources_integration_test.cc +++ b/test/integration/xdstp_config_sources_integration_test.cc @@ -67,7 +67,9 @@ class XdsTpConfigsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamT // upstream for a backend (H/1). authority1_upstream_ = createAdsUpstream(); default_authority_upstream_ = createAdsUpstream(); - addFakeUpstream(Http::CodecType::HTTP1); + if (test_requires_additional_upstream_) { + addFakeUpstream(Http::CodecType::HTTP1); + } } bool isSotw() const { @@ -155,6 +157,8 @@ class XdsTpConfigsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamT fake_upstreams_.back().get()->localAddress()->ip()->port()); } + bool test_requires_additional_upstream_{true}; + // Data members that emulate the authority1 server. FakeUpstream* authority1_upstream_; FakeHttpConnectionPtr authority1_xds_connection_; @@ -399,4 +403,49 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigDefaultSource) { // TODO(adisuissa): add a test that validates that two clusters with the same // config source multiplex the request on the same stream. + +// Validate that a bootstrap cluster that has an xds-tp based config RDS source +// works. +TEST_P(XdsTpConfigsIntegrationTest, RdsOnlyConfigAuthority1) { + test_requires_additional_upstream_ = false; + const std::string route_config_name = + "xdstp://authority1.com/envoy.config.route.v3.RouteConfiguration/my_routes/route1"; + // Set up the listener to point to an RDS resource (that will route to the + // the default cluster_0). + // Update the route to the xdstp-based cluster. + config_helper_.addConfigModifier( + [&route_config_name]( + envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) { hcm.mutable_rds()->set_route_config_name(route_config_name); }); + + // Envoy will request the routes of the listener in the bootstrap during the + // initialization phase. This will make sure the xDS server answers with the + // correct assignment. + on_server_init_function_ = [this, &route_config_name]() { + connectAuthority1(); + connectDefaultAuthority(); + + // Authority1 should receive the RDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().RouteConfiguration, "", {route_config_name}, {route_config_name}, + {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse( + Config::TestTypeUrl::get().RouteConfiguration, + {ConfigHelper::buildRouteConfig(route_config_name, "cluster_0")}, + {ConfigHelper::buildRouteConfig(route_config_name, "cluster_0")}, {}, "1", {}, + authority1_xds_stream_.get()); + + // Expect an RDS ACK. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().RouteConfiguration, "1", {route_config_name}, {}, {}, false, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + }; + initialize(); + + test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); + // Try to send a request and see that it reaches the backend (backend 0). + testRouterHeaderOnlyRequestAndResponse(nullptr); + cleanupUpstreamAndDownstream(); +} + } // namespace Envoy From 40ad4c6baa6ea7fc831aad3cefbd9217c460e851 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Wed, 30 Jul 2025 11:46:02 -0400 Subject: [PATCH 114/505] Test HDS cluster deletion during health check (#40444) Part of #40443 Risk Level: low Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Yan Avlasov --- test/integration/hds_integration_test.cc | 40 ++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/test/integration/hds_integration_test.cc b/test/integration/hds_integration_test.cc index 7dc791d864fc7..5cf697c69ad82 100644 --- a/test/integration/hds_integration_test.cc +++ b/test/integration/hds_integration_test.cc @@ -268,6 +268,10 @@ class HdsIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, public H void waitForEndpointHealthResponse(envoy::config::core::v3::HealthStatus healthy) { ASSERT_TRUE(hds_stream_->waitForGrpcMessage(*dispatcher_, response_)); + if (!response_.has_endpoint_health_response() || + response_.endpoint_health_response().endpoints_health_size() == 0) { + return; + } while (!checkEndpointHealthResponse(response_.endpoint_health_response().endpoints_health(0), healthy, host_upstream_->localAddress())) { ASSERT_TRUE(hds_stream_->waitForGrpcMessage(*dispatcher_, response_)); @@ -1288,5 +1292,41 @@ TEST_P(HdsIntegrationTest, SingleEndpointHealthyHttpHdsReconnect) { cleanupHdsConnection(); } +TEST_P(HdsIntegrationTest, RemoveClusterDuringHealthCheck) { + initialize(); + + // Server <--> Envoy + waitForHdsStream(); + ASSERT_TRUE(hds_stream_->waitForGrpcMessage(*dispatcher_, envoy_msg_)); + EXPECT_EQ(envoy_msg_.health_check_request().capability().health_check_protocols(0), + envoy::service::health::v3::Capability::HTTP); + + // Server asks for health checking + server_health_check_specifier_ = + makeHttpHealthCheckSpecifier(envoy::type::v3::CodecClientType::HTTP1, false); + hds_stream_->startGrpcStream(); + hds_stream_->sendGrpcMessage(server_health_check_specifier_); + test_server_->waitForCounterGe("hds_delegate.requests", ++hds_requests_); + + // Envoy sends a health check message to an endpoint + healthcheckEndpoints(); + + server_health_check_specifier_ = envoy::service::health::v3::HealthCheckSpecifier(); + server_health_check_specifier_.mutable_interval()->set_nanos(100000000); // 0.1 seconds + + hds_stream_->sendGrpcMessage(server_health_check_specifier_); + test_server_->waitForCounterGe("hds_delegate.requests", ++hds_requests_); + + // As the HDS cluster is destroyed, existing connections should be closed. + EXPECT_TRUE(host_fake_connection_->waitForDisconnect()); + + // Receive updates until the one we expect arrives + waitForEndpointHealthResponse(envoy::config::core::v3::UNHEALTHY); + + // Clean up connections + cleanupHostConnections(); + cleanupHdsConnection(); +} + } // namespace } // namespace Envoy From d52fe1c9d0301bbf17987dc06228a3b574f3b56f Mon Sep 17 00:00:00 2001 From: dyasin-sc Date: Wed, 30 Jul 2025 09:34:44 -0700 Subject: [PATCH 115/505] runtime: add fast return for `featureEnabled` when fractional percent is >= 100 (#40447) Commit Message: In sampling, when the numerator >= denominator the result always evaluates to true. This behaviour is logged, however, we still call `ProtobufPercentHelper ::evaluateFractionalPercent` which needlessly jumps into a function and computes a modulo operation. Risk Level: Low Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Diyar Yasin --- source/common/runtime/runtime_impl.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/source/common/runtime/runtime_impl.cc b/source/common/runtime/runtime_impl.cc index 1c3f09e6480ef..a0144c6893f9a 100644 --- a/source/common/runtime/runtime_impl.cc +++ b/source/common/runtime/runtime_impl.cc @@ -181,6 +181,7 @@ bool SnapshotImpl::featureEnabled(absl::string_view key, "WARNING runtime key '{}': numerator ({}) > denominator ({}), condition always " "evaluates to true", key, percent.numerator(), denominator_value); + return true; } return ProtobufPercentHelper::evaluateFractionalPercent(percent, random_value); From bba98c94c729c6af96e397c0af8c3903cf1a1247 Mon Sep 17 00:00:00 2001 From: Gustavo Moyano Date: Wed, 30 Jul 2025 13:36:16 -0300 Subject: [PATCH 116/505] lua: add virtualHost() and virtualHost():metadata() APIs to Lua filter (#40092) Commit Message: lua: add virtualHost() and virtualHost():metadata() APIs to Lua filter Additional Description: This PR extends the Envoy HTTP Lua filter by adding a new method, `virtualHost()`, to the StreamHandle API. This method returns a VirtualHost object, allowing Lua scripts to access information about the associated virtual host. In this PR, the VirtualHost object exposes a single method: `metadata()`, which retrieves virtual host metadata scoped to the specific filter name. This enables Lua filters to access per-filter virtual host metadata directly from Lua scripts. Risk Level: Low Testing: Unit, integration and wrapper tests added Docs Changes: Added Release Notes: Added Platform Specific Features: N/A --------- Signed-off-by: Gustavo Moyano --- changelogs/current.yaml | 5 + .../http_filters/_include/lua-filter.yaml | 21 +- .../http/http_filters/lua_filter.rst | 53 ++++- .../extensions/filters/http/lua/lua_filter.cc | 13 + .../extensions/filters/http/lua/lua_filter.h | 21 +- .../extensions/filters/http/lua/wrappers.cc | 26 ++ source/extensions/filters/http/lua/wrappers.h | 24 ++ test/extensions/filters/http/lua/BUILD | 1 + .../filters/http/lua/lua_filter_test.cc | 225 ++++++++++++++++++ .../filters/http/lua/lua_integration_test.cc | 187 ++++++++++++++- .../filters/http/lua/wrappers_test.cc | 150 ++++++++++++ 11 files changed, 708 insertions(+), 18 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 9ed4236e3da09..534f6c8ca3c2c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -77,5 +77,10 @@ new_features: change: | Added support for resource attributes. The stat sink will use the resource attributes configured for the OpenTelemetry tracer via :ref:`resource_detectors `. +- area: lua + change: | + Added ``virtualHost()`` to the Stream handle API, allowing Lua scripts to retrieve virtual host information. So far, the only method + implemented is ``metadata()``, allowing Lua scripts to access virtual host metadata scoped to the specific filter name. See + :ref:`Virtual host object API ` for more details. deprecated: diff --git a/docs/root/configuration/http/http_filters/_include/lua-filter.yaml b/docs/root/configuration/http/http_filters/_include/lua-filter.yaml index 2bce99f380732..8f4bff5b31c88 100644 --- a/docs/root/configuration/http/http_filters/_include/lua-filter.yaml +++ b/docs/root/configuration/http/http_filters/_include/lua-filter.yaml @@ -17,19 +17,26 @@ static_resources: virtual_hosts: - name: local_service domains: ["*"] + metadata: + filter_metadata: + lua-custom-name: + foo: vh-bar + baz: + - vh-bad + - vh-baz routes: - match: prefix: "/" route: host_rewrite_literal: upstream.com cluster: upstream_com - metadata: - filter_metadata: - lua-custom-name: - foo: bar - baz: - - bad - - baz + metadata: + filter_metadata: + lua-custom-name: + foo: bar + baz: + - bad + - baz http_filters: - name: lua-custom-name typed_config: diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst index 76f03e5c7de4f..db61e76725a4e 100644 --- a/docs/root/configuration/http/http_filters/lua_filter.rst +++ b/docs/root/configuration/http/http_filters/lua_filter.rst @@ -54,8 +54,8 @@ A simple example of configuring the Lua HTTP filter that contains only :ref:`def .. literalinclude:: _include/lua-filter.yaml :language: yaml - :lines: 34-46 - :lineno-start: 34 + :lines: 41-53 + :lineno-start: 41 :linenos: :caption: :download:`lua-filter.yaml <_include/lua-filter.yaml>` @@ -486,8 +486,8 @@ Below is an example of a ``metadata`` in a :ref:`route entry ` @@ -678,6 +678,22 @@ since epoch. ``resolution`` is an optional enum parameter to indicate the resolu Supported resolutions are ``EnvoyTimestampResolution.MILLISECOND`` and ``EnvoyTimestampResolution.MICROSECOND``. The default resolution is millisecond if ``resolution`` is not set. +.. _config_http_filters_lua_stream_handle_api_virtual_host: + +``virtualHost()`` +^^^^^^^^^^^^^^^^^ + +.. code-block:: lua + + local virtual_host = handle:virtualHost() + +Returns a virtual host object that provides access to the virtual host configuration. This method always returns +a valid object, even when the request does not match any configured virtual host. However, if no virtual host +matches, calling methods on the returned object will return ``nil`` or, in the case of the ``metadata()`` method, +an empty metadata object. + +Returns a :ref:`virtual host object `. + .. _config_http_filters_lua_header_wrapper: Header object API @@ -1576,3 +1592,32 @@ field or if the field can't be converted to a UTF8 string. Returns the string representation of O fields (as a table) from the X.509 name. Returns an empty table if there is no such field or if the field can't be converted to a UTF8 string. + +.. _config_http_filters_lua_virtual_host_wrapper: + +Virtual host object API +----------------------- + +.. include:: ../../../_include/lua_common.rst + +``metadata()`` +^^^^^^^^^^^^^^ + +.. code-block:: lua + + local metadata = virtual_host:metadata() + +Returns the virtual host metadata. Note that the metadata should be specified +under the :ref:`filter config name +`. + +Below is an example of a ``metadata`` in a :ref:`route entry `. + +.. literalinclude:: _include/lua-filter.yaml + :language: yaml + :lines: 20-26 + :lineno-start: 20 + :linenos: + :caption: :download:`lua-filter.yaml <_include/lua-filter.yaml>` + +Returns a :ref:`metadata object `. diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc index b742d4284f404..aa20a9ac7a0c9 100644 --- a/source/extensions/filters/http/lua/lua_filter.cc +++ b/source/extensions/filters/http/lua/lua_filter.cc @@ -212,6 +212,7 @@ PerLuaCodeSetup::PerLuaCodeSetup(const std::string& lua_code, ThreadLocal::SlotA lua_state_.registerType(); lua_state_.registerType(); lua_state_.registerType(); + lua_state_.registerType(); const Filters::Common::Lua::InitializerList initializers( // EnvoyTimestampResolution "enum". @@ -628,6 +629,18 @@ int StreamHandleWrapper::luaMetadata(lua_State* state) { return 1; } +int StreamHandleWrapper::luaVirtualHost(lua_State* state) { + ASSERT(state_ == State::Running); + if (virtual_host_wrapper_.get() != nullptr) { + virtual_host_wrapper_.pushStack(); + } else { + virtual_host_wrapper_.reset( + VirtualHostWrapper::create(state, callbacks_.streamInfo(), callbacks_.filterConfigName()), + true); + } + return 1; +} + int StreamHandleWrapper::luaStreamInfo(lua_State* state) { ASSERT(state_ == State::Running); if (stream_info_wrapper_.get() != nullptr) { diff --git a/source/extensions/filters/http/lua/lua_filter.h b/source/extensions/filters/http/lua/lua_filter.h index 7863d0cf115d0..4cd3f231287a2 100644 --- a/source/extensions/filters/http/lua/lua_filter.h +++ b/source/extensions/filters/http/lua/lua_filter.h @@ -129,6 +129,11 @@ class FilterCallbacks { * found. */ virtual const ProtobufWkt::Struct& filterContext() const PURE; + + /** + * @return absl::string_view the value of filter config name. + */ + virtual const absl::string_view filterConfigName() const PURE; }; class Filter; @@ -202,7 +207,8 @@ class StreamHandleWrapper : public Filters::Common::Lua::BaseLuaObject connection_stream_info_wrapper_; Filters::Common::Lua::LuaDeathRef connection_wrapper_; Filters::Common::Lua::LuaDeathRef public_key_wrapper_; + Filters::Common::Lua::LuaDeathRef virtual_host_wrapper_; State state_{State::Running}; std::function yield_callback_; Http::AsyncClient::Request* http_request_{}; @@ -565,6 +578,9 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga } } const ProtobufWkt::Struct& filterContext() const override { return parent_.filterContext(); } + const absl::string_view filterConfigName() const override { + return callbacks_->filterConfigName(); + } Filter& parent_; Http::StreamDecoderFilterCallbacks* callbacks_{}; @@ -594,6 +610,9 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga } void clearRouteCache() override {} const ProtobufWkt::Struct& filterContext() const override { return parent_.filterContext(); } + const absl::string_view filterConfigName() const override { + return callbacks_->filterConfigName(); + } Filter& parent_; Http::StreamEncoderFilterCallbacks* callbacks_{}; diff --git a/source/extensions/filters/http/lua/wrappers.cc b/source/extensions/filters/http/lua/wrappers.cc index 7e8e7aca64a6f..4c88ea4e4b585 100644 --- a/source/extensions/filters/http/lua/wrappers.cc +++ b/source/extensions/filters/http/lua/wrappers.cc @@ -445,6 +445,32 @@ int FilterStateWrapper::luaGet(lua_State* state) { return 0; } +const ProtobufWkt::Struct& VirtualHostWrapper::getMetadata() const { + const auto& virtual_host = stream_info_.virtualHost(); + if (virtual_host == nullptr) { + return ProtobufWkt::Struct::default_instance(); + } + + const auto& metadata = virtual_host->metadata(); + auto filter_it = metadata.filter_metadata().find(filter_config_name_); + + if (filter_it != metadata.filter_metadata().end()) { + return filter_it->second; + } + + return ProtobufWkt::Struct::default_instance(); +} + +int VirtualHostWrapper::luaMetadata(lua_State* state) { + if (metadata_wrapper_.get() != nullptr) { + metadata_wrapper_.pushStack(); + } else { + metadata_wrapper_.reset(Filters::Common::Lua::MetadataMapWrapper::create(state, getMetadata()), + true); + } + return 1; +} + } // namespace Lua } // namespace HttpFilters } // namespace Extensions diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index 498cd24bcb409..f357d7665267b 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -454,6 +454,30 @@ class Timestamp { enum Resolution { Millisecond, Microsecond, Undefined }; }; +class VirtualHostWrapper : public Filters::Common::Lua::BaseLuaObject { +public: + VirtualHostWrapper(const StreamInfo::StreamInfo& stream_info, + const absl::string_view filter_config_name) + : stream_info_{stream_info}, filter_config_name_{filter_config_name} {} + + static ExportedFunctions exportedFunctions() { return {{"metadata", static_luaMetadata}}; } + +private: + /** + * @return a handle to the metadata. + */ + DECLARE_LUA_FUNCTION(VirtualHostWrapper, luaMetadata); + + const ProtobufWkt::Struct& getMetadata() const; + + // Filters::Common::Lua::BaseLuaObject + void onMarkDead() override { metadata_wrapper_.reset(); } + + const StreamInfo::StreamInfo& stream_info_; + const absl::string_view filter_config_name_; + Filters::Common::Lua::LuaDeathRef metadata_wrapper_; +}; + } // namespace Lua } // namespace HttpFilters } // namespace Extensions diff --git a/test/extensions/filters/http/lua/BUILD b/test/extensions/filters/http/lua/BUILD index b4cbe06e32c2f..b67aeb7ba83cb 100644 --- a/test/extensions/filters/http/lua/BUILD +++ b/test/extensions/filters/http/lua/BUILD @@ -47,6 +47,7 @@ envoy_extension_cc_test( "//source/common/stream_info:uint64_accessor_lib", "//source/extensions/filters/http/lua:wrappers_lib", "//test/extensions/filters/common/lua:lua_wrappers_lib", + "//test/mocks/router:router_mocks", "//test/mocks/stream_info:stream_info_mocks", "//test/test_common:utility_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc index 78ea58e31b3d9..8039c724d57dc 100644 --- a/test/extensions/filters/http/lua/lua_filter_test.cc +++ b/test/extensions/filters/http/lua/lua_filter_test.cc @@ -116,6 +116,27 @@ class LuaHttpFilterTest : public testing::Test { ON_CALL(*decoder_callbacks_.route_, metadata()).WillByDefault(testing::ReturnRef(metadata_)); } + void setupVirtualHostMetadata(const std::string& yaml) { + TestUtility::loadFromYaml(yaml, virtual_host_metadata_); + + auto virtual_host = std::make_shared>(); + stream_info_.virtual_host_ = virtual_host; + + ON_CALL(*virtual_host, metadata()).WillByDefault(ReturnRef(virtual_host_metadata_)); + + ON_CALL(decoder_callbacks_.stream_info_, virtualHost()).WillByDefault(ReturnRef(virtual_host)); + ON_CALL(encoder_callbacks_.stream_info_, virtualHost()).WillByDefault(ReturnRef(virtual_host)); + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillOnce(ReturnRef(stream_info_)); + EXPECT_CALL(encoder_callbacks_, streamInfo()).WillOnce(ReturnRef(stream_info_)); + + const std::string filter_name = "lua-filter-config-name"; + ON_CALL(decoder_callbacks_, filterConfigName()).WillByDefault(Return(filter_name)); + ON_CALL(encoder_callbacks_, filterConfigName()).WillByDefault(Return(filter_name)); + + EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); + } + NiceMock server_factory_context_; NiceMock tls_; NiceMock api_; @@ -126,6 +147,7 @@ class LuaHttpFilterTest : public testing::Test { NiceMock decoder_callbacks_; NiceMock encoder_callbacks_; envoy::config::core::v3::Metadata metadata_; + envoy::config::core::v3::Metadata virtual_host_metadata_; std::shared_ptr> ssl_; NiceMock connection_; NiceMock stream_info_; @@ -3893,6 +3915,209 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoTypedMetadataUnpackFailure) { EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); } +// Test that handle:virtualHost():metadata() works when both virtual host and route match. +// This verifies that when a virtual host is matched and a route is found for the request, +// the virtualHost() function returns a valid object and metadata can be accessed +// successfully from both request and response handles. +TEST_F(LuaHttpFilterTest, GetVirtualHostMetadataFromHandle) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + local metadata = request_handle:virtualHost():metadata() + request_handle:logTrace(metadata:get("foo.bar")["name"]) + request_handle:logTrace(metadata:get("foo.bar")["prop"]) + end + function envoy_on_response(response_handle) + local metadata = response_handle:virtualHost():metadata() + response_handle:logTrace(metadata:get("baz.bat")["name"]) + response_handle:logTrace(metadata:get("baz.bat")["prop"]) + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + lua-filter-config-name: + foo.bar: + name: foo + prop: bar + baz.bat: + name: baz + prop: bat + )EOF"}; + + InSequence s; + setup(SCRIPT); + setupVirtualHostMetadata(METADATA); + + // Request path + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "foo"}, + {"trace", "bar"}, + }), + { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "baz"}, + {"trace", "bat"}, + }), + { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_->encodeHeaders(response_headers, true)); + }); +} + +// Test that handle:virtualHost():metadata() returns empty metadata when no filter-specific metadata +// exists. This verifies that when a virtual host has metadata for other filters but not for the +// current one, the metadata object is empty. +TEST_F(LuaHttpFilterTest, GetVirtualHostMetadataFromHandleNoLuaMetadata) { + const std::string SCRIPT{R"EOF( + function is_metadata_empty(metadata) + for _, _ in pairs(metadata) do + return false + end + return true + end + function envoy_on_request(request_handle) + if is_metadata_empty(request_handle:virtualHost():metadata()) then + request_handle:logTrace("No metadata found on request") + end + end + function envoy_on_response(response_handle) + if is_metadata_empty(response_handle:virtualHost():metadata()) then + response_handle:logTrace("No metadata found on response") + end + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + envoy.some_filter: + foo.bar: + name: foo + prop: bar + )EOF"}; + + InSequence s; + setup(SCRIPT); + setupVirtualHostMetadata(METADATA); + + // Request path + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found on request", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found on response", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(response_headers, true)); + }); +} + +// Test that handle:virtualHost() returns a valid virtual host wrapper object that can be +// safely accessed when no virtual host matches the request authority. +// This verifies that calling metadata() returns an empty metadata object. +TEST_F(LuaHttpFilterTest, GetVirtualHostFromHandleNoVirtualHost) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + local virtual_host = request_handle:virtualHost() + for _, _ in pairs(virtual_host:metadata()) do + return + end + request_handle:logTrace("No metadata found during request handling") + end + function envoy_on_response(response_handle) + local virtual_host = response_handle:virtualHost() + for _, _ in pairs(virtual_host:metadata()) do + return + end + response_handle:logTrace("No metadata found during response handling") + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + // Request path + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found during request handling", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found during response handling", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(response_headers, true)); + }); + + EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); +} + +// Test that handle:virtualHost():metadata() still works when there is no route. +// This verifies that when a virtual host is matched but no route is found for the request, +// the virtualHost() function returns a valid object and metadata can still be accessed +// successfully from both request and response handles. +TEST_F(LuaHttpFilterTest, GetVirtualHostMetadataFromHandleNoRoute) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + local metadata = request_handle:virtualHost():metadata() + request_handle:logTrace(metadata:get("foo.bar")["name"]) + request_handle:logTrace(metadata:get("foo.bar")["prop"]) + end + function envoy_on_response(response_handle) + local metadata = response_handle:virtualHost():metadata() + response_handle:logTrace(metadata:get("baz.bat")["name"]) + response_handle:logTrace(metadata:get("baz.bat")["prop"]) + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + lua-filter-config-name: + foo.bar: + name: foo + prop: bar + baz.bat: + name: baz + prop: bat + )EOF"}; + + InSequence s; + setup(SCRIPT); + setupVirtualHostMetadata(METADATA); + + // Request path + ON_CALL(decoder_callbacks_, route()).WillByDefault(Return(nullptr)); + + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "foo"}, + {"trace", "bar"}, + }), + { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + ON_CALL(encoder_callbacks_, route()).WillByDefault(Return(nullptr)); + + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "baz"}, + {"trace", "bat"}, + }), + { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_->encodeHeaders(response_headers, true)); + }); +} + } // namespace } // namespace Lua } // namespace HttpFilters diff --git a/test/extensions/filters/http/lua/lua_integration_test.cc b/test/extensions/filters/http/lua/lua_integration_test.cc index e9ab87fc8c4eb..78bb2a53174bf 100644 --- a/test/extensions/filters/http/lua/lua_integration_test.cc +++ b/test/extensions/filters/http/lua/lua_integration_test.cc @@ -75,8 +75,29 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { response_header->set_key("fake_header"); response_header->set_value("fake_value"); - const std::string key = "envoy.filters.http.lua"; - const std::string yaml = + // Metadata variables for the virtual host and route. + std::string key; + ProtobufWkt::Struct value; + std::string yaml; + + // Sets the virtual host's metadata. + key = "lua"; + yaml = + R"EOF( + foo.bar: + foo: vhost_bar + baz: vhost_bat + )EOF"; + TestUtility::loadFromYaml(yaml, value); + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_metadata() + ->mutable_filter_metadata() + ->insert(Protobuf::MapPair(key, value)); + + // Sets the route's metadata. + key = "envoy.filters.http.lua"; + yaml = R"EOF( foo.bar: foo: bar @@ -84,11 +105,7 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { keyset: foo: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0cSZtAdFgMI1zQJwG8ujTXFMcRY0+SA6fMZGEfQYuxcz/e8UelJ1fLDVAwYmk7KHoYzpizy0JIxAcJ+OAE+cd6a6RpwSEm/9/vizlv0vWZv2XMRAqUxk/5amlpQZE/4sRg/qJdkZZjKrSKjf5VEUQg2NytExYyYWG+3FEYpzYyUeVktmW0y/205XAuEQuxaoe+AUVKeoON1iDzvxywE42C0749XYGUFicqBSRj2eO7jm4hNWvgTapYwpswM3hV9yOAPOVQGKNXzNbLDbFTHyLw3OKayGs/4FUBa+ijlGD9VDawZq88RRaf5ztmH22gOSiKcrHXe40fsnrzh/D27uwIDAQAB )EOF"; - - ProtobufWkt::Struct value; TestUtility::loadFromYaml(yaml, value); - - // Sets the route's metadata. hcm.mutable_route_config() ->mutable_virtual_hosts(0) ->mutable_routes(0) @@ -346,6 +363,7 @@ name: lua request_handle:logErr("log test") request_handle:logCritical("log test") + local vhost_metadata = request_handle:virtualHost():metadata():get("foo.bar") local metadata = request_handle:metadata():get("foo.bar") local body_length = request_handle:body():length() @@ -367,6 +385,8 @@ name: lua request_handle:headers():add("cookie_size", request_handle:headers():getNumValues("set-cookie")) request_handle:headers():add("request_body_size", body_length) + request_handle:headers():add("request_vhost_metadata_foo", vhost_metadata["foo"]) + request_handle:headers():add("request_vhost_metadata_baz", vhost_metadata["baz"]) request_handle:headers():add("request_metadata_foo", metadata["foo"]) request_handle:headers():add("request_metadata_baz", metadata["baz"]) if request_handle:connection():ssl() == nil then @@ -389,8 +409,11 @@ name: lua end function envoy_on_response(response_handle) + local vhost_metadata = response_handle:virtualHost():metadata():get("foo.bar") local metadata = response_handle:metadata():get("foo.bar") local body_length = response_handle:body():length() + response_handle:headers():add("response_vhost_metadata_foo", vhost_metadata["foo"]) + response_handle:headers():add("response_vhost_metadata_baz", vhost_metadata["baz"]) response_handle:headers():add("response_metadata_foo", metadata["foo"]) response_handle:headers():add("response_metadata_baz", metadata["baz"]) response_handle:headers():add("response_body_size", body_length) @@ -469,6 +492,16 @@ name: lua ->value() .getStringView()); + EXPECT_EQ("vhost_bar", upstream_request_->headers() + .get(Http::LowerCaseString("request_vhost_metadata_foo"))[0] + ->value() + .getStringView()); + + EXPECT_EQ("vhost_bat", upstream_request_->headers() + .get(Http::LowerCaseString("request_vhost_metadata_baz"))[0] + ->value() + .getStringView()); + EXPECT_EQ("bar", upstream_request_->headers() .get(Http::LowerCaseString("request_metadata_foo"))[0] ->value() @@ -543,6 +576,14 @@ name: lua .get(Http::LowerCaseString("response_body_size"))[0] ->value() .getStringView()); + EXPECT_EQ("vhost_bar", response->headers() + .get(Http::LowerCaseString("response_vhost_metadata_foo"))[0] + ->value() + .getStringView()); + EXPECT_EQ("vhost_bat", response->headers() + .get(Http::LowerCaseString("response_vhost_metadata_baz"))[0] + ->value() + .getStringView()); EXPECT_EQ("bar", response->headers() .get(Http::LowerCaseString("response_metadata_foo"))[0] ->value() @@ -2083,6 +2124,140 @@ name: lua cleanup(); } +// Test that handle:virtualHost():metadata() returns valid metadata when virtual host matches +// but route doesn't, ensuring metadata access works correctly. +TEST_P(LuaIntegrationTest, VirtualHostValidWhenNoRouteMatch) { + if (!testing_downstream_filter_) { + GTEST_SKIP() << "This is a local reply test that does not go upstream"; + } + + const std::string filter_config = + R"EOF( +name: lua +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + inline_string: | + function envoy_on_request(request_handle) + local metadata = request_handle:virtualHost():metadata() + request_handle:logTrace(metadata:get("foo.bar")["name"]) + request_handle:logTrace(metadata:get("foo.bar")["prop"]) + end + function envoy_on_response(response_handle) + local metadata = response_handle:virtualHost():metadata() + response_handle:logTrace(metadata:get("baz.bat")["name"]) + response_handle:logTrace(metadata:get("baz.bat")["prop"]) + end +)EOF"; + + const std::string route_config = + R"EOF( +name: test_routes +virtual_hosts: +- name: test_vhost + domains: ["foo.lyft.com"] + metadata: + filter_metadata: + lua: + foo.bar: + name: foo + prop: bar + baz.bat: + name: baz + prop: bat + routes: + - match: + path: "/existing/route" + route: + cluster: cluster_0 +)EOF"; + + initializeWithYaml(filter_config, route_config); + codec_client_ = makeHttpConnection(lookupPort("http")); + + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/non/existing/path"}, + {":scheme", "http"}, + {":authority", "foo.lyft.com"}, + {"x-forwarded-for", "10.0.0.1"}}; + + IntegrationStreamDecoderPtr response; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "foo"}, + {"trace", "bar"}, + {"trace", "baz"}, + {"trace", "bat"}, + }), + { + auto encoder_decoder = codec_client_->startRequest(request_headers); + response = std::move(encoder_decoder.second); + + ASSERT_TRUE(response->waitForEndStream()); + }); + + EXPECT_TRUE(response->complete()); + EXPECT_EQ("404", response->headers().getStatusValue()); + cleanup(); +} + +// Test that handle:virtualHost() returns a valid object when no virtual host matches the request +// authority. This verifies that metadata() returns an empty metadata object that can be safely +// iterated. +TEST_P(LuaIntegrationTest, VirtualHostValidWhenNoVirtualHostMatch) { + if (!testing_downstream_filter_) { + GTEST_SKIP() << "This is a local reply test that does not go upstream"; + } + + const std::string FILTER_AND_CODE = + R"EOF( +name: lua +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + inline_string: | + function envoy_on_request(request_handle) + local virtual_host = request_handle:virtualHost() + for _, _ in pairs(virtual_host:metadata()) do + return + end + request_handle:logTrace("No metadata found during request handling") + end + function envoy_on_response(response_handle) + local virtual_host = response_handle:virtualHost() + for _, _ in pairs(virtual_host:metadata()) do + return + end + response_handle:logTrace("No metadata found during response handling") + end + +)EOF"; + + initializeFilter(FILTER_AND_CODE, "foo.lyft.com"); + codec_client_ = makeHttpConnection(lookupPort("http")); + + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", "bar.lyft.com"}, + {"x-forwarded-for", "10.0.0.1"}}; + + IntegrationStreamDecoderPtr response; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "No metadata found during request handling"}, + {"trace", "No metadata found during response handling"}, + }), + { + auto encoder_decoder = codec_client_->startRequest(request_headers); + response = std::move(encoder_decoder.second); + + ASSERT_TRUE(response->waitForEndStream()); + }); + + EXPECT_TRUE(response->complete()); + EXPECT_EQ("404", response->headers().getStatusValue()); + cleanup(); +} + #ifdef NDEBUG // This test is only run in release mode because in debug mode, // the code reaches ENVOY_BUG() which triggers a forced abort diff --git a/test/extensions/filters/http/lua/wrappers_test.cc b/test/extensions/filters/http/lua/wrappers_test.cc index 0662d0d3165a7..f66389f16258b 100644 --- a/test/extensions/filters/http/lua/wrappers_test.cc +++ b/test/extensions/filters/http/lua/wrappers_test.cc @@ -9,12 +9,14 @@ #include "source/extensions/filters/http/lua/wrappers.h" #include "test/extensions/filters/common/lua/lua_wrappers.h" +#include "test/mocks/router/mocks.h" #include "test/mocks/stream_info/mocks.h" #include "test/test_common/utility.h" using testing::Expectation; using testing::InSequence; using testing::ReturnPointee; +using testing::ReturnRef; namespace Envoy { namespace Extensions { @@ -1415,6 +1417,154 @@ TEST_F(LuaStreamInfoWrapperTest, GetFilterStateNullObject) { wrapper.reset(); } +class LuaVirtualHostWrapperTest + : public Filters::Common::Lua::LuaWrappersTestBase { +public: + void setup(const std::string& script) override { + Filters::Common::Lua::LuaWrappersTestBase::setup(script); + state_->registerType(); + state_->registerType(); + } + + const std::string NO_METADATA_FOUND_SCRIPT{R"EOF( + function callMe(object) + for _, _ in pairs(object:metadata()) do + return + end + testPrint("No metadata found") + end + )EOF"}; +}; + +// Test that VirtualHostWrapper returns metadata under the current filter configured name. +// This verifies that when virtual host has filter metadata configured under the current filter +// configured name, the wrapper can successfully retrieves and returns it. +TEST_F(LuaVirtualHostWrapperTest, GetFilterMetadataBasic) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local metadata = object:metadata() + testPrint(metadata:get("foo.bar")["name"]) + testPrint(metadata:get("foo.bar")["prop"]) + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + lua-filter-config-name: + foo.bar: + name: foo + prop: bar + )EOF"}; + + InSequence s; + setup(SCRIPT); + + // Create a mock virtual host. + auto virtual_host = std::make_shared>(); + const Router::VirtualHostConstSharedPtr virtual_host_ptr = virtual_host; + + // Load metadata into the mock virtual host. + TestUtility::loadFromYaml(METADATA, virtual_host->metadata_); + + // Set up the mock stream info to return the mock virtual host. + NiceMock stream_info; + ON_CALL(stream_info, virtualHost()).WillByDefault(ReturnRef(virtual_host_ptr)); + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + VirtualHostWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), + true); + + EXPECT_CALL(printer_, testPrint("foo")); + EXPECT_CALL(printer_, testPrint("bar")); + + start("callMe"); + wrapper.reset(); +} + +// Test that VirtualHostWrapper returns an empty metadata object when no metadata exists +// under the current filter configured name. +TEST_F(LuaVirtualHostWrapperTest, GetMetadataNoMetadataUnderFilterName) { + const std::string METADATA{R"EOF( + filter_metadata: + envoy.some_filter: + foo.bar: + name: foo + prop: bar + )EOF"}; + + InSequence s; + setup(NO_METADATA_FOUND_SCRIPT); + + // Create a mock virtual host. + auto virtual_host = std::make_shared>(); + const Router::VirtualHostConstSharedPtr virtual_host_ptr = virtual_host; + + // Load metadata into the mock virtual host. + TestUtility::loadFromYaml(METADATA, virtual_host->metadata_); + + // Set up the mock stream info to return the mock virtual host. + NiceMock stream_info; + ON_CALL(stream_info, virtualHost()).WillByDefault(ReturnRef(virtual_host_ptr)); + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + VirtualHostWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), + true); + + EXPECT_CALL(printer_, testPrint("No metadata found")); + + start("callMe"); + wrapper.reset(); +} + +// Test that VirtualHostWrapper returns an empty metadata object when no metadata is configured on +// the virtual host. This verifies that the wrapper correctly handles cases where the virtual host +// has no filter_metadata section, returning an empty metadata object without crashing. +TEST_F(LuaVirtualHostWrapperTest, GetMetadataNoMetadataAtAll) { + InSequence s; + setup(NO_METADATA_FOUND_SCRIPT); + + // Create a mock virtual host. + auto virtual_host = std::make_shared>(); + const Router::VirtualHostConstSharedPtr virtual_host_ptr = virtual_host; + + // Set up the mock stream info to return the mock virtual host. + NiceMock stream_info; + ON_CALL(stream_info, virtualHost()).WillByDefault(ReturnRef(virtual_host_ptr)); + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + VirtualHostWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), + true); + + EXPECT_CALL(printer_, testPrint("No metadata found")); + + start("callMe"); + wrapper.reset(); +} + +// Test that VirtualHostWrapper returns an empty metadata object when no virtual host matches the +// request authority. This verifies that the wrapper correctly handles cases where the stream info +// does not have a virtual host, returning an empty metadata object without crashing. +TEST_F(LuaVirtualHostWrapperTest, GetMetadataNoVirtualHost) { + InSequence s; + setup(NO_METADATA_FOUND_SCRIPT); + + // Set up the mock stream info to return the mock virtual host. + NiceMock stream_info; + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + VirtualHostWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), + true); + + EXPECT_CALL(printer_, testPrint("No metadata found")); + + start("callMe"); + wrapper.reset(); +} + } // namespace } // namespace Lua } // namespace HttpFilters From e8c31096f8cb60116c51ece8fea28f85c03eccb4 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 30 Jul 2025 09:46:43 -0700 Subject: [PATCH 117/505] deps: Bump `rules_cc` -> 0.1.4 (#40490) Created by Envoy dependency bot for @phlax Fix #40407 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 819754a99d853..5e050dfea5eb9 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1052,9 +1052,9 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "C++ rules for Bazel", project_desc = "Bazel rules for the C++ language", project_url = "https://github.com/bazelbuild/rules_cc", - version = "0.1.1", - sha256 = "712d77868b3152dd618c4d64faaddefcc5965f90f5de6e6dd1d5ddcd0be82d42", - release_date = "2025-02-07", + version = "0.1.4", + sha256 = "0d3b4f984c4c2e1acfd1378e0148d35caf2ef1d9eb95b688f8e19ce0c41bdf5b", + release_date = "2025-07-18", strip_prefix = "rules_cc-{version}", urls = ["https://github.com/bazelbuild/rules_cc/releases/download/{version}/rules_cc-{version}.tar.gz"], use_category = [ From 562e01142f223467b239709d21608bba176246b1 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 30 Jul 2025 09:46:47 -0700 Subject: [PATCH 118/505] deps/api: Bump `rules_jvm_external` -> 6.8 (#40492) Created by Envoy dependency bot for @phlax Fix #40204 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- api/bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl index 7268aa608cd1b..cfbb7e01c9661 100644 --- a/api/bazel/repository_locations.bzl +++ b/api/bazel/repository_locations.bzl @@ -38,11 +38,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Java Rules for Bazel", project_desc = "Bazel rules for Java", project_url = "https://github.com/bazelbuild/rules_jvm_external", - version = "6.7", + version = "6.8", strip_prefix = "rules_jvm_external-{version}", - sha256 = "a1e351607f04fed296ba33c4977d3fe2a615ed50df7896676b67aac993c53c18", + sha256 = "704a0197e4e966f96993260418f2542568198490456c21814f647ae7091f56f2", urls = ["https://github.com/bazelbuild/rules_jvm_external/releases/download/{version}/rules_jvm_external-{version}.tar.gz"], - release_date = "2025-02-11", + release_date = "2025-07-07", use_category = ["build"], license = "Apache-2.0", license_url = "https://github.com/bazelbuild/rules_jvm_external/blob/{version}/LICENSE", From cbc046960813697d8eaf684179bae6ceb2b6b810 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 30 Jul 2025 09:46:54 -0700 Subject: [PATCH 119/505] deps/api: Bump `rules_buf` -> 0.5.0 (#40489) Created by Envoy dependency bot for @phlax Fix #40409 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- api/bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl index cfbb7e01c9661..648adbf142c87 100644 --- a/api/bazel/repository_locations.bzl +++ b/api/bazel/repository_locations.bzl @@ -105,9 +105,9 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Bazel rules for Buf", project_desc = "Bazel rules for Buf", project_url = "https://github.com/bufbuild/rules_buf", - version = "0.4.0", - sha256 = "bb5735f5b329d6434771879b631da184a58529a6fdbe7641f6ecfb5d4a0c506f", - release_date = "2025-05-07", + version = "0.5.0", + sha256 = "19ca4b0359f03c41563054d54812602fcf925e86d62832581cba8c524ee419b1", + release_date = "2025-07-24", strip_prefix = "rules_buf-{version}", urls = ["https://github.com/bufbuild/rules_buf/archive/refs/tags/v{version}.tar.gz"], use_category = ["api"], From e118877c1ae3b8351e5faadcbd97699d10620ef0 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Wed, 30 Jul 2025 13:22:35 -0400 Subject: [PATCH 120/505] cleanup: remove redundant line in a list (#40487) Commit Message: cleanup: remove redundant line in a list Additional Description: This is just a cleanup that removes a redundant line in a list (see the line above). Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- source/common/config/type_to_endpoint.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/source/common/config/type_to_endpoint.cc b/source/common/config/type_to_endpoint.cc index 6578336813e85..eb96f803cbd90 100644 --- a/source/common/config/type_to_endpoint.cc +++ b/source/common/config/type_to_endpoint.cc @@ -50,7 +50,6 @@ TypeUrlToV3ServiceMap* buildTypeUrlToServiceMap() { for (absl::string_view name : { "envoy.service.route.v3.RouteDiscoveryService", "envoy.service.route.v3.ScopedRoutesDiscoveryService", - "envoy.service.route.v3.ScopedRoutesDiscoveryService", "envoy.service.route.v3.VirtualHostDiscoveryService", "envoy.service.secret.v3.SecretDiscoveryService", "envoy.service.cluster.v3.ClusterDiscoveryService", From 858fef718827ea57bea3157ae17a475b4a1944a3 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 30 Jul 2025 17:38:27 +0000 Subject: [PATCH 121/505] deps/api: Bump `bazel_skylib` -> 1.8.1 (#40491) Fix #40125 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: Rohit Agrawal --- api/bazel/repository_locations.bzl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl index 648adbf142c87..5ba30b6b18530 100644 --- a/api/bazel/repository_locations.bzl +++ b/api/bazel/repository_locations.bzl @@ -4,11 +4,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "bazel-skylib", project_desc = "Common useful functions and rules for Bazel", project_url = "https://github.com/bazelbuild/bazel-skylib", - version = "1.7.1", - sha256 = "bc283cdfcd526a52c3201279cda4bc298652efa898b10b4db0837dc51652756f", - release_date = "2024-06-03", + version = "1.8.1", + sha256 = "51b5105a760b353773f904d2bbc5e664d0987fbaf22265164de65d43e910d8ac", + release_date = "2025-07-07", urls = ["https://github.com/bazelbuild/bazel-skylib/releases/download/{version}/bazel-skylib-{version}.tar.gz"], - use_category = ["api"], + use_category = ["api", "test_only"], license = "Apache-2.0", license_url = "https://github.com/bazelbuild/bazel-skylib/blob/{version}/LICENSE", ), From 4bb05db55ecd583b6f451d81445d94210445176f Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 30 Jul 2025 14:04:19 -0700 Subject: [PATCH 122/505] deps: bump up cel-cpp to v0.11.0 (#39334) ## Description This PR bumps up the version of `cel-cpp` to v0.11.0. There are some major changes where we now have `cel::expr::ParsedExpr` instead of `google::api::expr::v1alpha1::ParsedExpr`. We are doing the conversion in the code to keep it backward compatible. We should remove it in a follow-up PR by migrating everything to use `cel::expr::ParsedExpr` instead. --- **Commit Message:** deps: bump up `cel-cpp` to v0.11.0 **Additional Description:** Bump up the version of `cel-cpp` to v0.11.0 **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- bazel/foreign_cc/cel-cpp.patch | 88 ++++++++ bazel/repositories.bzl | 24 ++- bazel/repository_locations.bzl | 38 +++- .../access_loggers/filters/cel/cel.cc | 22 +- .../access_loggers/filters/cel/cel.h | 4 +- source/extensions/common/wasm/foreign.cc | 11 +- .../filters/common/expr/evaluator.cc | 38 ++-- .../filters/common/expr/evaluator.h | 9 +- .../extensions/filters/common/rbac/matchers.h | 19 +- .../filters/http/ext_proc/matching_utils.cc | 10 +- .../filters/http/ext_proc/matching_utils.h | 4 +- source/extensions/formatter/cel/cel.cc | 16 +- source/extensions/formatter/cel/cel.h | 6 +- .../input_matchers/cel_matcher/matcher.cc | 42 +++- .../input_matchers/cel_matcher/matcher.h | 2 + .../rate_limit_descriptors/expr/config.cc | 18 +- .../opentelemetry/samplers/cel/cel_sampler.cc | 5 +- .../opentelemetry/samplers/cel/cel_sampler.h | 8 +- test/coverage.yaml | 9 +- .../common/expr/evaluator_fuzz_test.cc | 15 +- .../http/ext_proc/matching_utils_test.cc | 90 ++++----- test/extensions/formatter/cel/cel_test.cc | 22 ++ .../cel_matcher/cel_matcher_test.cc | 46 +++++ .../expr/config_test.cc | 190 ++++++++++++++---- 24 files changed, 570 insertions(+), 166 deletions(-) create mode 100644 bazel/foreign_cc/cel-cpp.patch diff --git a/bazel/foreign_cc/cel-cpp.patch b/bazel/foreign_cc/cel-cpp.patch new file mode 100644 index 0000000000000..eaeb3454acaae --- /dev/null +++ b/bazel/foreign_cc/cel-cpp.patch @@ -0,0 +1,88 @@ +From d88b2a2d81e62335708057b3a044abada46de2a3 Mon Sep 17 00:00:00 2001 +From: Rohit Agrawal +Date: Tue, 6 May 2025 17:30:08 +0900 +Subject: [PATCH] Patches for cel-cpp v0.11.0 + +Signed-off-by: Rohit Agrawal +--- + common/internal/byte_string.cc | 8 ++++++++ + common/value.h | 2 +- + common/values/value_variant.h | 10 ++++++++++ + runtime/type_registry.h | 4 ++-- + 4 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/common/internal/byte_string.cc b/common/internal/byte_string.cc +index e01c797f8..12345678a 100644 +--- a/common/internal/byte_string.cc ++++ b/common/internal/byte_string.cc +@@ -104,6 +104,14 @@ + + ByteString::ByteString(Allocator<> allocator, absl::string_view string) { + ABSL_DCHECK_LE(string.size(), max_size()); ++ ++ // Check for null data pointer in the string_view ++ if (string.data() == nullptr) { ++ // Handle null data by creating an empty ByteString ++ SetSmallEmpty(allocator.arena()); ++ return; ++ } ++ + auto* arena = allocator.arena(); + if (string.size() <= kSmallByteStringCapacity) { + SetSmall(arena, string); +diff --git a/common/value.h b/common/value.h +index 06a03c13d..9f5d77980 100644 +--- a/common/value.h ++++ b/common/value.h +@@ -2733,7 +2733,7 @@ + absl::Nonnull descriptor_pool, + absl::Nonnull message_factory, + absl::Nonnull arena) const { +- ABSL_DCHECK_GT(qualifiers.size(), 0); ++ ABSL_DCHECK_GT(static_cast(qualifiers.size()), 0); + ABSL_DCHECK(descriptor_pool != nullptr); + ABSL_DCHECK(message_factory != nullptr); + ABSL_DCHECK(arena != nullptr); +diff --git a/common/values/value_variant.h b/common/values/value_variant.h +index 61c19ce5f..fc7969bc8 100644 +--- a/common/values/value_variant.h ++++ b/common/values/value_variant.h +@@ -732,6 +732,13 @@ + const bool rhs_trivial = + (rhs.flags_ & ValueFlags::kNonTrivial) == ValueFlags::kNone; + if (lhs_trivial && rhs_trivial) { ++ // We need to suppress the compiler warnings about memory manipulation. ++ // The memcpy usage here is intentional for performance optimization ++ // Only suppress this warning on GCC, as Clang doesn't have this warning ++#if defined(__GNUC__) && !defined(__clang__) ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wclass-memaccess" ++#endif + alignas(ValueVariant) std::byte tmp[sizeof(ValueVariant)]; + // NOLINTNEXTLINE(bugprone-undefined-memory-manipulation) + std::memcpy(tmp, std::addressof(lhs), sizeof(ValueVariant)); +@@ -740,6 +747,9 @@ + sizeof(ValueVariant)); + // NOLINTNEXTLINE(bugprone-undefined-memory-manipulation) + std::memcpy(std::addressof(rhs), tmp, sizeof(ValueVariant)); ++#if defined(__GNUC__) && !defined(__clang__) ++#pragma GCC diagnostic pop ++#endif + } else { + SlowSwap(lhs, rhs, lhs_trivial, rhs_trivial); + } +diff --git a/runtime/type_registry.h b/runtime/type_registry.h +index 2b247946c..3e5ad423b 100644 +--- a/runtime/type_registry.h ++++ b/runtime/type_registry.h +@@ -77,8 +77,8 @@ + // Move-only + TypeRegistry(const TypeRegistry& other) = delete; + TypeRegistry& operator=(TypeRegistry& other) = delete; +- TypeRegistry(TypeRegistry&& other) = default; +- TypeRegistry& operator=(TypeRegistry&& other) = default; ++ TypeRegistry(TypeRegistry&& other) = delete; ++ TypeRegistry& operator=(TypeRegistry&& other) = delete; + + // Registers a type such that it can be accessed by name, i.e. `type(foo) == + // my_type`. Where `my_type` is the type being registered. diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 211e9d80606ea..d7d1b716041be 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -506,7 +506,29 @@ def _com_github_facebook_zstd(): def _com_google_cel_cpp(): external_http_archive( - "com_google_cel_cpp", + name = "com_google_cel_cpp", + patch_args = ["-p1"], + patches = ["@envoy//bazel/foreign_cc:cel-cpp.patch"], + ) + + # Load required dependencies that cel-cpp expects. + external_http_archive("com_google_cel_spec") + + # cel-cpp references ``@antlr4-cpp-runtime//:antlr4-cpp-runtime`` but it internally + # defines ``antlr4_runtimes`` with a cpp target. + # We are creating a repository alias to avoid duplicating the ANTLR4 dependency. + native.new_local_repository( + name = "antlr4-cpp-runtime", + path = ".", + build_file_content = """ +package(default_visibility = ["//visibility:public"]) + +# Alias to cel-cpp's embedded ANTLR4 runtime. +alias( + name = "antlr4-cpp-runtime", + actual = "@antlr4_runtimes//:cpp", +) +""", ) def _com_github_google_perfetto(): diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 5e050dfea5eb9..547f759b78805 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1301,12 +1301,44 @@ REPOSITORY_LOCATIONS_SPEC = dict( license = "googleurl", license_url = "https://quiche.googlesource.com/googleurl/+/{version}/LICENSE", ), + com_google_cel_spec = dict( + project_name = "Common Expression Language (CEL) spec", + project_desc = "Common Expression Language (CEL) spec and conformance tests", + project_url = "https://opensource.google/projects/cel", + version = "0.24.0", + sha256 = "5cba6b0029e727d1f4d8fd134de4e747cecc0bc293d026017d7edc48058d09f7", + strip_prefix = "cel-spec-{version}", + urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"], + use_category = ["dataplane_ext"], + extensions = [ + "envoy.access_loggers.extension_filters.cel", + "envoy.access_loggers.wasm", + "envoy.bootstrap.wasm", + "envoy.rate_limit_descriptors.expr", + "envoy.filters.http.ext_proc", + "envoy.filters.http.rate_limit_quota", + "envoy.filters.http.rbac", + "envoy.filters.http.wasm", + "envoy.filters.network.rbac", + "envoy.filters.network.wasm", + "envoy.stat_sinks.wasm", + "envoy.formatter.cel", + "envoy.matching.inputs.cel_data_input", + "envoy.matching.matchers.cel_matcher", + "envoy.tracers.opentelemetry", + "envoy.tracers.opentelemetry.samplers.cel", + ], + release_date = "2025-05-09", + cpe = "N/A", + license = "Apache-2.0", + license_url = "https://github.com/google/cel-spec/blob/v{version}/LICENSE", + ), com_google_cel_cpp = dict( project_name = "Common Expression Language (CEL) C++ library", project_desc = "Common Expression Language (CEL) C++ library", project_url = "https://opensource.google/projects/cel", - version = "0.10.0", - sha256 = "dd06b708a9f4c3728e76037ec9fb14fc9f6d9c9980e5d5f3a1d047f3855a8b98", + version = "0.11.0", + sha256 = "777f6780a3cc72264c3cc3279cc92affbaefb2bdc01aaff88463cca5b6167e1d", strip_prefix = "cel-cpp-{version}", urls = ["https://github.com/google/cel-cpp/archive/v{version}.tar.gz"], use_category = ["dataplane_ext"], @@ -1328,7 +1360,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( "envoy.tracers.opentelemetry", "envoy.tracers.opentelemetry.samplers.cel", ], - release_date = "2024-10-25", + release_date = "2025-04-03", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/google/cel-cpp/blob/v{version}/LICENSE", diff --git a/source/extensions/access_loggers/filters/cel/cel.cc b/source/extensions/access_loggers/filters/cel/cel.cc index 20f80b70e2a04..d25bbb0064951 100644 --- a/source/extensions/access_loggers/filters/cel/cel.cc +++ b/source/extensions/access_loggers/filters/cel/cel.cc @@ -9,23 +9,25 @@ namespace CEL { namespace Expr = Envoy::Extensions::Filters::Common::Expr; CELAccessLogExtensionFilter::CELAccessLogExtensionFilter( - const ::Envoy::LocalInfo::LocalInfo& local_info, Expr::BuilderInstanceSharedPtr builder, - const google::api::expr::v1alpha1::Expr& input_expr) + const ::Envoy::LocalInfo::LocalInfo& local_info, + Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder, + const cel::expr::Expr& input_expr) : local_info_(local_info), builder_(builder), parsed_expr_(input_expr) { - compiled_expr_ = Expr::createExpression(builder_->builder(), parsed_expr_); + compiled_expr_ = + Extensions::Filters::Common::Expr::createExpression(builder_->builder(), parsed_expr_); } bool CELAccessLogExtensionFilter::evaluate(const Formatter::HttpFormatterContext& log_context, const StreamInfo::StreamInfo& stream_info) const { - Protobuf::Arena arena; - auto eval_status = Expr::evaluate(*compiled_expr_, arena, &local_info_, stream_info, - &log_context.requestHeaders(), &log_context.responseHeaders(), - &log_context.responseTrailers()); - if (!eval_status.has_value() || eval_status.value().IsError()) { + ProtobufWkt::Arena arena; + const auto result = Extensions::Filters::Common::Expr::evaluate( + *compiled_expr_.get(), arena, &local_info_, stream_info, &log_context.requestHeaders(), + &log_context.responseHeaders(), &log_context.responseTrailers()); + if (!result.has_value() || result.value().IsError()) { return false; } - auto result = eval_status.value(); - return result.IsBool() ? result.BoolOrDie() : false; + auto eval_result = result.value(); + return eval_result.IsBool() ? eval_result.BoolOrDie() : false; } } // namespace CEL diff --git a/source/extensions/access_loggers/filters/cel/cel.h b/source/extensions/access_loggers/filters/cel/cel.h index 74247d5187d6e..0b496f4a4cfc9 100644 --- a/source/extensions/access_loggers/filters/cel/cel.h +++ b/source/extensions/access_loggers/filters/cel/cel.h @@ -21,7 +21,7 @@ class CELAccessLogExtensionFilter : public AccessLog::Filter { public: CELAccessLogExtensionFilter(const ::Envoy::LocalInfo::LocalInfo& local_info, Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr, - const google::api::expr::v1alpha1::Expr&); + const cel::expr::Expr&); bool evaluate(const Formatter::HttpFormatterContext& log_context, const StreamInfo::StreamInfo& stream_info) const override; @@ -29,7 +29,7 @@ class CELAccessLogExtensionFilter : public AccessLog::Filter { private: const ::Envoy::LocalInfo::LocalInfo& local_info_; Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; - const google::api::expr::v1alpha1::Expr parsed_expr_; + const cel::expr::Expr parsed_expr_; Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; }; diff --git a/source/extensions/common/wasm/foreign.cc b/source/extensions/common/wasm/foreign.cc index 43cf9369148d3..eae08f81aaf81 100644 --- a/source/extensions/common/wasm/foreign.cc +++ b/source/extensions/common/wasm/foreign.cc @@ -138,7 +138,7 @@ RegisterForeignFunction registerClearRouteCacheForeignFunction( class ExpressionFactory : public Logger::Loggable { protected: struct ExpressionData { - google::api::expr::v1alpha1::ParsedExpr parsed_expr_; + cel::expr::ParsedExpr parsed_expr_; Filters::Common::Expr::ExpressionPtr compiled_expr_; }; @@ -203,9 +203,13 @@ class CreateExpressionFactory : public ExpressionFactory { auto token = expr_context.createToken(); auto& handler = expr_context.getExpression(token); - handler.parsed_expr_ = parse_status.value(); + const auto& parsed_expr = parse_status.value(); + handler.parsed_expr_ = parsed_expr; + + std::vector warnings; auto cel_expression_status = expr_context.builder()->CreateExpression( - &handler.parsed_expr_.expr(), &handler.parsed_expr_.source_info()); + &handler.parsed_expr_.expr(), &handler.parsed_expr_.source_info(), &warnings); + if (!cel_expression_status.ok()) { ENVOY_LOG(info, "expr_create compile error: {}", cel_expression_status.status().message()); expr_context.deleteExpression(token); @@ -213,6 +217,7 @@ class CreateExpressionFactory : public ExpressionFactory { } handler.compiled_expr_ = std::move(cel_expression_status.value()); + auto result = reinterpret_cast(alloc_result(sizeof(uint32_t))); *result = token; return WasmResult::Ok; diff --git a/source/extensions/filters/common/expr/evaluator.cc b/source/extensions/filters/common/expr/evaluator.cc index 0b634c16ca2fd..eef3dba98d579 100644 --- a/source/extensions/filters/common/expr/evaluator.cc +++ b/source/extensions/filters/common/expr/evaluator.cc @@ -149,35 +149,21 @@ BuilderInstanceSharedPtr getBuilder(Server::Configuration::CommonFactoryContext& [] { return std::make_shared(createBuilder(nullptr)); }); } -// Converts from CEL canonical to CEL v1alpha1 -absl::optional -getExpr(const ::xds::type::v3::CelExpression& expression) { - ::cel::expr::Expr expr; +absl::optional getExpr(const ::xds::type::v3::CelExpression& expression) { if (expression.has_cel_expr_checked()) { - expr = expression.cel_expr_checked().expr(); + return expression.cel_expr_checked().expr(); } else if (expression.has_cel_expr_parsed()) { - expr = expression.cel_expr_parsed().expr(); + return expression.cel_expr_parsed().expr(); } else { return {}; } - - std::string data; - if (!expr.SerializeToString(&data)) { - return {}; - } - - // Parse the string into the target namespace message - google::api::expr::v1alpha1::Expr v1alpha1Expr; - if (!v1alpha1Expr.ParseFromString(data)) { - return {}; - } - - return v1alpha1Expr; } -ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alpha1::Expr& expr) { - google::api::expr::v1alpha1::SourceInfo source_info; - auto cel_expression_status = builder.CreateExpression(&expr, &source_info); +ExpressionPtr createExpression(Builder& builder, const cel::expr::Expr& expr) { + cel::expr::SourceInfo source_info; + std::vector warnings; + + auto cel_expression_status = builder.CreateExpression(&expr, &source_info, &warnings); if (!cel_expression_status.ok()) { throw CelException( absl::StrCat("failed to create an expression: ", cel_expression_status.status().message())); @@ -186,11 +172,11 @@ ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alph } absl::optional evaluate(const Expression& expr, Protobuf::Arena& arena, - const LocalInfo::LocalInfo* local_info, + const ::Envoy::LocalInfo::LocalInfo* local_info, const StreamInfo::StreamInfo& info, - const Http::RequestHeaderMap* request_headers, - const Http::ResponseHeaderMap* response_headers, - const Http::ResponseTrailerMap* response_trailers) { + const ::Envoy::Http::RequestHeaderMap* request_headers, + const ::Envoy::Http::ResponseHeaderMap* response_headers, + const ::Envoy::Http::ResponseTrailerMap* response_trailers) { auto activation = createActivation(local_info, info, request_headers, response_headers, response_trailers); auto eval_status = expr.Evaluate(*activation, &arena); diff --git a/source/extensions/filters/common/expr/evaluator.h b/source/extensions/filters/common/expr/evaluator.h index 74ad5adec69cc..fd20363c459c9 100644 --- a/source/extensions/filters/common/expr/evaluator.h +++ b/source/extensions/filters/common/expr/evaluator.h @@ -18,6 +18,7 @@ #include "eval/public/cel_value.h" #include "xds/type/v3/cel.pb.h" +#include "cel/expr/syntax.pb.h" #if defined(__GNUC__) #pragma GCC diagnostic pop @@ -94,13 +95,11 @@ BuilderPtr createBuilder(Protobuf::Arena* arena); // Gets the singleton expression builder. Must be called on the main thread. BuilderInstanceSharedPtr getBuilder(Server::Configuration::CommonFactoryContext& context); -// Converts from CEL canonical to CEL v1alpha1 -absl::optional -getExpr(const ::xds::type::v3::CelExpression& expression); +absl::optional getExpr(const ::xds::type::v3::CelExpression& expression); -// Creates an interpretable expression from a protobuf representation. +// Creates an interpretable expression from the new CEL expr format. // Throws an exception if fails to construct a runtime expression. -ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alpha1::Expr& expr); +ExpressionPtr createExpression(Builder& builder, const cel::expr::Expr& expr); // Evaluates an expression for a request. The arena is used to hold intermediate computational // results and potentially the final value. diff --git a/source/extensions/filters/common/rbac/matchers.h b/source/extensions/filters/common/rbac/matchers.h index 3198598f54087..033c9ca5c9de7 100644 --- a/source/extensions/filters/common/rbac/matchers.h +++ b/source/extensions/filters/common/rbac/matchers.h @@ -14,6 +14,8 @@ #include "source/extensions/filters/common/rbac/matcher_interface.h" #include "source/extensions/path/match/uri_template/uri_template_match.h" +#include "cel/expr/syntax.pb.h" + namespace Envoy { namespace Extensions { namespace Filters { @@ -187,7 +189,20 @@ class PolicyMatcher : public Matcher, NonCopyable { ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::CommonFactoryContext& context) : permissions_(policy.permissions(), validation_visitor, context), - principals_(policy.principals(), context), condition_(policy.condition()) { + principals_(policy.principals(), context), condition_([&policy]() { + if (policy.has_condition()) { + std::string serialized; + if (!policy.condition().SerializeToString(&serialized)) { + throw EnvoyException("Failed to serialize RBAC policy condition"); + } + cel::expr::Expr new_expr; + if (!new_expr.ParseFromString(serialized)) { + throw EnvoyException("Failed to convert RBAC policy condition to new format"); + } + return new_expr; + } + return cel::expr::Expr{}; + }()) { if (policy.has_condition()) { expr_ = Expr::createExpression(*builder, condition_); } @@ -199,7 +214,7 @@ class PolicyMatcher : public Matcher, NonCopyable { private: const OrMatcher permissions_; const OrMatcher principals_; - const google::api::expr::v1alpha1::Expr condition_; + const cel::expr::Expr condition_; Expr::ExpressionPtr expr_; }; diff --git a/source/extensions/filters/http/ext_proc/matching_utils.cc b/source/extensions/filters/http/ext_proc/matching_utils.cc index f87f44e89612c..6fb1020322e86 100644 --- a/source/extensions/filters/http/ext_proc/matching_utils.cc +++ b/source/extensions/filters/http/ext_proc/matching_utils.cc @@ -25,12 +25,14 @@ ExpressionManager::initExpressions(const Protobuf::RepeatedPtrField parse_status.status().ToString()); } - Filters::Common::Expr::ExpressionPtr expression = - Extensions::Filters::Common::Expr::createExpression(builder_->builder(), - parse_status.value().expr()); + const auto& parsed_expr = parse_status.value(); + const cel::expr::Expr& cel_expr = parsed_expr.expr(); + + Filters::Common::Expr::ExpressionPtr compiled_expression = + Extensions::Filters::Common::Expr::createExpression(builder_->builder(), cel_expr); expressions.emplace( - matcher, ExpressionManager::CelExpression{parse_status.value(), std::move(expression)}); + matcher, ExpressionManager::CelExpression{parsed_expr, std::move(compiled_expression)}); } #else ENVOY_LOG(warn, "CEL expression parsing is not available for use in this environment." diff --git a/source/extensions/filters/http/ext_proc/matching_utils.h b/source/extensions/filters/http/ext_proc/matching_utils.h index cfdf038c1d732..eeadbc4f9dc86 100644 --- a/source/extensions/filters/http/ext_proc/matching_utils.h +++ b/source/extensions/filters/http/ext_proc/matching_utils.h @@ -5,6 +5,8 @@ #include "source/common/protobuf/protobuf.h" #include "source/extensions/filters/common/expr/evaluator.h" +#include "cel/expr/syntax.pb.h" + namespace Envoy { namespace Extensions { namespace HttpFilters { @@ -13,7 +15,7 @@ namespace ExternalProcessing { class ExpressionManager : public Logger::Loggable { public: struct CelExpression { - google::api::expr::v1alpha1::ParsedExpr parsed_expr_; + cel::expr::ParsedExpr parsed_expr_; Filters::Common::Expr::ExpressionPtr compiled_expr_; }; diff --git a/source/extensions/formatter/cel/cel.cc b/source/extensions/formatter/cel/cel.cc index ac896db2c6f97..c57f2fab28e1e 100644 --- a/source/extensions/formatter/cel/cel.cc +++ b/source/extensions/formatter/cel/cel.cc @@ -17,8 +17,7 @@ namespace Expr = Filters::Common::Expr; CELFormatter::CELFormatter(const ::Envoy::LocalInfo::LocalInfo& local_info, Expr::BuilderInstanceSharedPtr expr_builder, - const google::api::expr::v1alpha1::Expr& input_expr, - absl::optional& max_length) + const cel::expr::Expr& input_expr, absl::optional& max_length) : local_info_(local_info), expr_builder_(expr_builder), parsed_expr_(input_expr), max_length_(max_length) { compiled_expr_ = Expr::createExpression(expr_builder_->builder(), parsed_expr_); @@ -66,9 +65,20 @@ CELFormatterCommandParser::parse(absl::string_view command, absl::string_view su Server::Configuration::ServerFactoryContext& context = Server::Configuration::ServerFactoryContextInstance::get(); + const auto& parsed_expr = parse_status.value(); + std::string serialized_expr; + if (!parsed_expr.expr().SerializeToString(&serialized_expr)) { + throw EnvoyException("Failed to serialize expression"); + } + + cel::expr::Expr cel_expr; + if (!cel_expr.ParseFromString(serialized_expr)) { + throw EnvoyException("Failed to parse expression into cel::expr::Expr format"); + } + return std::make_unique(context.localInfo(), Extensions::Filters::Common::Expr::getBuilder(context), - parse_status.value().expr(), max_length); + cel_expr, max_length); } return nullptr; diff --git a/source/extensions/formatter/cel/cel.h b/source/extensions/formatter/cel/cel.h index c217c8375b00e..e12339f6acfbc 100644 --- a/source/extensions/formatter/cel/cel.h +++ b/source/extensions/formatter/cel/cel.h @@ -15,8 +15,8 @@ namespace Formatter { class CELFormatter : public ::Envoy::Formatter::FormatterProvider { public: CELFormatter(const ::Envoy::LocalInfo::LocalInfo& local_info, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr, - const google::api::expr::v1alpha1::Expr&, absl::optional&); + Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr, const cel::expr::Expr&, + absl::optional&); absl::optional formatWithContext(const Envoy::Formatter::HttpFormatterContext& context, @@ -27,7 +27,7 @@ class CELFormatter : public ::Envoy::Formatter::FormatterProvider { private: const ::Envoy::LocalInfo::LocalInfo& local_info_; Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr expr_builder_; - const google::api::expr::v1alpha1::Expr parsed_expr_; + const cel::expr::Expr parsed_expr_; const absl::optional max_length_; Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; }; diff --git a/source/extensions/matching/input_matchers/cel_matcher/matcher.cc b/source/extensions/matching/input_matchers/cel_matcher/matcher.cc index 5ffe47eb7937e..cf06122592542 100644 --- a/source/extensions/matching/input_matchers/cel_matcher/matcher.cc +++ b/source/extensions/matching/input_matchers/cel_matcher/matcher.cc @@ -14,21 +14,51 @@ CelInputMatcher::CelInputMatcher(CelMatcherSharedPtr cel_matcher, : builder_(builder), cel_matcher_(std::move(cel_matcher)) { const CelExpression& input_expr = cel_matcher_->expr_match(); + // First try to get expression from the new CEL canonical format auto expr = Filters::Common::Expr::getExpr(input_expr); if (expr.has_value()) { compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), expr.value()); return; } + // Fallback to handling legacy formats for backward compatibility switch (input_expr.expr_specifier_case()) { - case CelExpression::ExprSpecifierCase::kParsedExpr: - compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), - input_expr.parsed_expr().expr()); + case CelExpression::ExprSpecifierCase::kParsedExpr: { + // For legacy parsed_expr, we need to convert to the new format + const auto& legacy_parsed = input_expr.parsed_expr(); + + // Convert legacy expr to cel::expr::Expr format + std::string serialized_expr; + if (!legacy_parsed.expr().SerializeToString(&serialized_expr)) { + throw EnvoyException("Failed to serialize legacy expression"); + } + + converted_expr_ = cel::expr::Expr(); + if (!converted_expr_->ParseFromString(serialized_expr)) { + throw EnvoyException("Failed to convert legacy expression to new format"); + } + + compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), *converted_expr_); return; - case CelExpression::ExprSpecifierCase::kCheckedExpr: - compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), - input_expr.checked_expr().expr()); + } + case CelExpression::ExprSpecifierCase::kCheckedExpr: { + // For legacy checked_expr, we need to convert to the new format + const auto& legacy_checked = input_expr.checked_expr(); + + // Convert legacy expr to cel::expr::Expr format + std::string serialized_expr; + if (!legacy_checked.expr().SerializeToString(&serialized_expr)) { + throw EnvoyException("Failed to serialize legacy expression"); + } + + converted_expr_ = cel::expr::Expr(); + if (!converted_expr_->ParseFromString(serialized_expr)) { + throw EnvoyException("Failed to convert legacy expression to new format"); + } + + compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), *converted_expr_); return; + } case CelExpression::ExprSpecifierCase::EXPR_SPECIFIER_NOT_SET: PANIC_DUE_TO_PROTO_UNSET; } diff --git a/source/extensions/matching/input_matchers/cel_matcher/matcher.h b/source/extensions/matching/input_matchers/cel_matcher/matcher.h index 57e15a02c6c78..d72e477b23a43 100644 --- a/source/extensions/matching/input_matchers/cel_matcher/matcher.h +++ b/source/extensions/matching/input_matchers/cel_matcher/matcher.h @@ -44,6 +44,8 @@ class CelInputMatcher : public InputMatcher, public Logger::Loggable converted_expr_; CompiledExpressionPtr compiled_expr_; }; diff --git a/source/extensions/rate_limit_descriptors/expr/config.cc b/source/extensions/rate_limit_descriptors/expr/config.cc index e4a0cd8371d98..fedadb11c6306 100644 --- a/source/extensions/rate_limit_descriptors/expr/config.cc +++ b/source/extensions/rate_limit_descriptors/expr/config.cc @@ -24,7 +24,7 @@ class ExpressionDescriptor : public RateLimit::DescriptorProducer { ExpressionDescriptor( const envoy::extensions::rate_limit_descriptors::expr::v3::Descriptor& config, Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr& builder, - const google::api::expr::v1alpha1::Expr& input_expr) + const cel::expr::Expr& input_expr) : builder_(builder), input_expr_(input_expr), descriptor_key_(config.descriptor_key()), skip_if_error_(config.skip_if_error()) { compiled_expr_ = @@ -50,7 +50,7 @@ class ExpressionDescriptor : public RateLimit::DescriptorProducer { private: Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; - const google::api::expr::v1alpha1::Expr input_expr_; + const cel::expr::Expr input_expr_; const std::string descriptor_key_; const bool skip_if_error_; Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; @@ -79,11 +79,21 @@ ExprDescriptorFactory::createDescriptorProducerFromProto( return absl::InvalidArgumentError(absl::StrCat("Unable to parse descriptor expression: ", parse_status.status().ToString())); } + return std::make_unique(config, builder, parse_status.value().expr()); } #endif - case envoy::extensions::rate_limit_descriptors::expr::v3::Descriptor::kParsed: - return std::make_unique(config, builder, config.parsed()); + case envoy::extensions::rate_limit_descriptors::expr::v3::Descriptor::kParsed: { + std::string serialized; + if (!config.parsed().SerializeToString(&serialized)) { + return absl::InvalidArgumentError("Failed to serialize parsed expression"); + } + cel::expr::Expr new_expr; + if (!new_expr.ParseFromString(serialized)) { + return absl::InvalidArgumentError("Failed to convert parsed expression to new format"); + } + return std::make_unique(config, builder, new_expr); + } default: return absl::InvalidArgumentError( "Rate limit descriptor extension failed: expression specifier is not set"); diff --git a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc index 87ebb25232f0a..26ed41a4312a3 100644 --- a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc +++ b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc @@ -13,8 +13,7 @@ namespace Tracers { namespace OpenTelemetry { CELSampler::CELSampler(const ::Envoy::LocalInfo::LocalInfo& local_info, - Expr::BuilderInstanceSharedPtr builder, - const google::api::expr::v1alpha1::Expr& expr) + Expr::BuilderInstanceSharedPtr builder, const cel::expr::Expr& expr) : local_info_(local_info), builder_(builder), parsed_expr_(expr) { compiled_expr_ = Expr::createExpression(builder_->builder(), parsed_expr_); } @@ -54,8 +53,6 @@ SamplingResult CELSampler::shouldSample(const StreamInfo::StreamInfo& stream_inf return result; } -std::string CELSampler::getDescription() const { return "CELSampler"; } - } // namespace OpenTelemetry } // namespace Tracers } // namespace Extensions diff --git a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h index 26a77c46fddaa..86eae6e839bb6 100644 --- a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h +++ b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h @@ -25,19 +25,21 @@ namespace Expr = Envoy::Extensions::Filters::Common::Expr; class CELSampler : public Sampler, Logger::Loggable { public: CELSampler(const ::Envoy::LocalInfo::LocalInfo& local_info, - Expr::BuilderInstanceSharedPtr builder, const google::api::expr::v1alpha1::Expr& expr); + Expr::BuilderInstanceSharedPtr builder, const cel::expr::Expr& expr); + SamplingResult shouldSample(const StreamInfo::StreamInfo& stream_info, const absl::optional parent_context, const std::string& trace_id, const std::string& name, OTelSpanKind spankind, OptRef trace_context, const std::vector& links) override; - std::string getDescription() const override; + + std::string getDescription() const override { return "CELSampler"; } private: const ::Envoy::LocalInfo::LocalInfo& local_info_; Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; - const google::api::expr::v1alpha1::Expr parsed_expr_; + const cel::expr::Expr parsed_expr_; Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; }; diff --git a/test/coverage.yaml b/test/coverage.yaml index 1035b99a70792..151bf503c1627 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -38,12 +38,12 @@ directories: source/extensions/common/wasm/ext: 100.0 source/extensions/filters/common: 97.1 source/extensions/filters/common/fault: 94.5 - source/extensions/filters/common/rbac: 93.2 + source/extensions/filters/common/rbac: 92.6 source/extensions/filters/common/lua: 95.6 source/extensions/filters/http/cache: 95.9 source/extensions/filters/http/dynamic_forward_proxy: 94.3 source/extensions/filters/http/decompressor: 95.9 - source/extensions/filters/http/ext_proc: 96.5 + source/extensions/filters/http/ext_proc: 96.3 source/extensions/filters/http/grpc_json_reverse_transcoder: 94.8 source/extensions/filters/http/grpc_json_transcoder: 94.0 # TODO(#28232) source/extensions/filters/http/ip_tagging: 95.9 @@ -55,6 +55,7 @@ directories: source/extensions/filters/network/dubbo_proxy: 96.2 source/extensions/filters/network/mongo_proxy: 96.1 source/extensions/filters/network/sni_cluster: 88.9 + source/extensions/formatter/cel: 90.5 source/extensions/internal_redirect: 86.2 source/extensions/internal_redirect/safe_cross_scheme: 81.3 source/extensions/internal_redirect/allow_listed_routes: 85.7 @@ -63,7 +64,7 @@ directories: source/extensions/load_balancing_policies/round_robin: 96.4 source/extensions/load_balancing_policies/ring_hash: 96.9 source/extensions/rate_limit_descriptors: 95.0 - source/extensions/rate_limit_descriptors/expr: 95.2 + source/extensions/rate_limit_descriptors/expr: 88.2 source/extensions/stat_sinks/graphite_statsd: 82.8 # Death tests don't report LCOV source/extensions/stat_sinks/statsd: 85.2 # Death tests don't report LCOV source/extensions/tracers/zipkin: 95.9 @@ -80,4 +81,4 @@ directories: source/extensions/health_checkers/http: 94.2 source/extensions/health_checkers/grpc: 92.3 source/extensions/config_subscription/rest: 94.9 - source/extensions/matching/input_matchers/cel_matcher: 91.3 # Death tests don't report LCOV + source/extensions/matching/input_matchers/cel_matcher: 82.6 # Death tests don't report LCOV diff --git a/test/extensions/filters/common/expr/evaluator_fuzz_test.cc b/test/extensions/filters/common/expr/evaluator_fuzz_test.cc index a09c51bb4a2ad..75ec3eaee1e9f 100644 --- a/test/extensions/filters/common/expr/evaluator_fuzz_test.cc +++ b/test/extensions/filters/common/expr/evaluator_fuzz_test.cc @@ -8,6 +8,7 @@ #include "test/test_common/network_utility.h" #include "test/test_common/utility.h" +#include "cel/expr/syntax.pb.h" #include "gtest/gtest.h" namespace Envoy { @@ -39,8 +40,18 @@ DEFINE_PROTO_FUZZER(const test::extensions::filters::common::expr::EvaluatorTest auto response_trailers = Fuzz::fromHeaders(input.trailers()); try { - // Create the CEL expression. - Expr::ExpressionPtr expr = Expr::createExpression(*builder, input.expression()); + // Create the CEL expression with boundary conversion. + std::string serialized; + if (!input.expression().SerializeToString(&serialized)) { + ENVOY_LOG_MISC(debug, "Failed to serialize expression"); + return; + } + cel::expr::Expr new_expr; + if (!new_expr.ParseFromString(serialized)) { + ENVOY_LOG_MISC(debug, "Failed to convert expression to new format"); + return; + } + Expr::ExpressionPtr expr = Expr::createExpression(*builder, new_expr); // Evaluate the CEL expression. Protobuf::Arena arena; diff --git a/test/extensions/filters/http/ext_proc/matching_utils_test.cc b/test/extensions/filters/http/ext_proc/matching_utils_test.cc index 32372a68ce090..724549dd2fc32 100644 --- a/test/extensions/filters/http/ext_proc/matching_utils_test.cc +++ b/test/extensions/filters/http/ext_proc/matching_utils_test.cc @@ -21,64 +21,62 @@ using ::Envoy::Http::TestRequestTrailerMapImpl; using ::Envoy::Http::TestResponseHeaderMapImpl; using ::Envoy::Http::TestResponseTrailerMapImpl; +#ifdef USE_CEL_PARSER + class ExpressionManagerTest : public testing::Test { -public: - void initialize() { builder_ = Envoy::Extensions::Filters::Common::Expr::getBuilder(context_); } +protected: + ExpressionManagerTest() { + auto builder = Filters::Common::Expr::getBuilder(context_); + Protobuf::RepeatedPtrField request_matchers; + Protobuf::RepeatedPtrField response_matchers; + expression_manager_ = std::make_unique(builder, context_.local_info_, + request_matchers, response_matchers); + } - std::shared_ptr builder_; NiceMock context_; - testing::NiceMock stream_info_; - testing::NiceMock local_info_; - TestRequestHeaderMapImpl request_headers_; - TestResponseHeaderMapImpl response_headers_; - TestRequestTrailerMapImpl request_trailers_; - TestResponseTrailerMapImpl response_trailers_; - Protobuf::RepeatedPtrField req_matchers_; - Protobuf::RepeatedPtrField resp_matchers_; + std::unique_ptr expression_manager_; }; -#if defined(USE_CEL_PARSER) -TEST_F(ExpressionManagerTest, DuplicateAttributesIgnored) { - initialize(); - req_matchers_.Add("request.path"); - req_matchers_.Add("request.method"); - req_matchers_.Add("request.method"); - req_matchers_.Add("request.path"); - const auto expr_mgr = ExpressionManager(builder_, local_info_, req_matchers_, resp_matchers_); - - request_headers_.setMethod("GET"); - request_headers_.setPath("/foo"); - const auto activation_ptr = Filters::Common::Expr::createActivation( - &expr_mgr.localInfo(), stream_info_, &request_headers_, &response_headers_, - &response_trailers_); - - auto result = expr_mgr.evaluateRequestAttributes(*activation_ptr); - EXPECT_EQ(2, result.fields_size()); - EXPECT_NE(result.fields().end(), result.fields().find("request.path")); - EXPECT_NE(result.fields().end(), result.fields().find("request.method")); +TEST_F(ExpressionManagerTest, SimpleExpression) { + EXPECT_FALSE(expression_manager_->hasRequestExpr()); + EXPECT_FALSE(expression_manager_->hasResponseExpr()); } -TEST_F(ExpressionManagerTest, UnparsableExpressionThrowsException) { - initialize(); - req_matchers_.Add("++"); - EXPECT_THROW_WITH_REGEX(ExpressionManager(builder_, local_info_, req_matchers_, resp_matchers_), - EnvoyException, "Unable to parse descriptor expression.*"); +TEST_F(ExpressionManagerTest, InvalidExpression) { + Protobuf::RepeatedPtrField request_matchers; + request_matchers.Add("undefined_func()"); + auto builder = Filters::Common::Expr::getBuilder(context_); + EXPECT_THROW( + { ExpressionManager test_manager(builder, context_.local_info_, request_matchers, {}); }, + EnvoyException); } -TEST_F(ExpressionManagerTest, EmptyExpressionReturnsEmptyStruct) { - initialize(); - const auto expr_mgr = ExpressionManager(builder_, local_info_, req_matchers_, resp_matchers_); +TEST_F(ExpressionManagerTest, ComplexExpressionWithSourceInfo) { + // Create a complex expression that would test source info handling + Protobuf::RepeatedPtrField request_matchers; + request_matchers.Add("request.headers.contains('x-test') && " + "request.headers['x-test'].startsWith('value')"); + + // This should create successfully without throwing + auto builder = Filters::Common::Expr::getBuilder(context_); + ExpressionManager test_manager(builder, context_.local_info_, request_matchers, {}); + EXPECT_TRUE(test_manager.hasRequestExpr()); +} - request_headers_ = TestRequestHeaderMapImpl(); - request_headers_.setMethod("GET"); - request_headers_.setPath("/foo"); - const auto activation_ptr = Filters::Common::Expr::createActivation( - &expr_mgr.localInfo(), stream_info_, &request_headers_, &response_headers_, - &response_trailers_); +#else - EXPECT_EQ(0, expr_mgr.evaluateRequestAttributes(*activation_ptr).fields_size()); +TEST(ExpressionManagerTest, CelUnavailableTest) { + NiceMock context; + auto builder = Filters::Common::Expr::getBuilder(context); + Protobuf::RepeatedPtrField request_matchers; + request_matchers.Add("true"); + + // When CEL is not available, this should log a warning but not throw + ExpressionManager manager(builder, context.local_info_, request_matchers, {}); + EXPECT_FALSE(manager.hasRequestExpr()); } -#endif + +#endif // USE_CEL_PARSER } // namespace } // namespace ExternalProcessing diff --git a/test/extensions/formatter/cel/cel_test.cc b/test/extensions/formatter/cel/cel_test.cc index 044ca4aac4937..43ddcca30de8f 100644 --- a/test/extensions/formatter/cel/cel_test.cc +++ b/test/extensions/formatter/cel/cel_test.cc @@ -67,6 +67,28 @@ TEST_F(CELFormatterTest, TestNullFormatValue) { ProtoEq(ValueUtil::nullValue())); } +TEST_F(CELFormatterTest, TestFormatConversionV1AlphaToDevCel) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + + // Test with a basic path expression + auto formatter1 = cel_parser->parse("CEL", "request.path", max_length); + EXPECT_THAT(formatter1->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("/request/path?secret=parameter"))); + + // Test with a more complex expression + auto formatter2 = cel_parser->parse("CEL", "request.headers[':method'] == 'GET'", max_length); + // The formatter returns boolean expressions as strings + EXPECT_THAT(formatter2->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("true"))); + + // Test with string operations + auto formatter3 = cel_parser->parse("CEL", "request.path.startsWith('/request')", max_length); + // The formatter returns boolean expressions as strings + EXPECT_THAT(formatter3->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("true"))); +} + TEST_F(CELFormatterTest, TestRequestHeaderWithLegacyConfiguration) { const std::string yaml = R"EOF( text_format_source: diff --git a/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc b/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc index 898e93cdcf0f9..b45243c06a841 100644 --- a/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc +++ b/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc @@ -477,6 +477,52 @@ TEST_F(CelMatcherTest, NoCelExpression) { ".*panic: unset oneof.*"); } +// Add a test case specifically for testing format conversion +TEST_F(CelMatcherTest, FormatConversionV1AlphaToDevCel) { + // Use RequestHeaderCelExprString which is already defined and works + auto matcher_tree = buildMatcherTree(RequestHeaderCelExprString); + + TestRequestHeaderMapImpl request_headers = default_headers_; + buildCustomHeader({{"authenticated_user", "staging"}}, request_headers); + data_.onRequestHeaders(request_headers); + + const auto result = matcher_tree->match(data_); + // The match was complete, match found since user is "staging" + EXPECT_TRUE(result.isMatch()); + EXPECT_NE(result.action(), nullptr); +} + +// Test that we can parse and evaluate expressions in dev.cel format +TEST_F(CelMatcherTest, DevCelExpressionFormat) { + // Use the same RequestHeaderCelExprString with use_cel=true + auto matcher_tree = + buildMatcherTree(RequestHeaderCelExprString, ExpressionType::ParsedExpression, true); + + TestRequestHeaderMapImpl request_headers = default_headers_; + buildCustomHeader({{"authenticated_user", "staging"}}, request_headers); + data_.onRequestHeaders(request_headers); + + const auto result = matcher_tree->match(data_); + // The match was complete, match found + EXPECT_TRUE(result.isMatch()); + EXPECT_NE(result.action(), nullptr); +} + +// Test with different types of expressions and formats +TEST_F(CelMatcherTest, MixedFormatExpressions) { + // Use RequestHeaderCelExprString with CheckedExpression format + auto matcher_tree1 = + buildMatcherTree(RequestHeaderCelExprString, ExpressionType::CheckedExpression); + + TestRequestHeaderMapImpl request_headers = default_headers_; + buildCustomHeader({{"authenticated_user", "staging"}}, request_headers); + data_.onRequestHeaders(request_headers); + + const auto result1 = matcher_tree1->match(data_); + EXPECT_TRUE(result1.isMatch()); + EXPECT_NE(result1.action(), nullptr); +} + } // namespace CelMatcher } // namespace InputMatchers } // namespace Matching diff --git a/test/extensions/rate_limit_descriptors/expr/config_test.cc b/test/extensions/rate_limit_descriptors/expr/config_test.cc index b455fc29a9c97..49810f6e6c490 100644 --- a/test/extensions/rate_limit_descriptors/expr/config_test.cc +++ b/test/extensions/rate_limit_descriptors/expr/config_test.cc @@ -88,7 +88,7 @@ TEST_F(RateLimitPolicyEntryTest, ExpressionText) { testing::ContainerEq(descriptors_)); } -TEST_F(RateLimitPolicyEntryTest, ExpressionTextMalformed) { +TEST_F(RateLimitPolicyEntryTest, FormatConversionV1AlphaToDevCel) { const std::string yaml = R"EOF( actions: - extension: @@ -96,58 +96,83 @@ TEST_F(RateLimitPolicyEntryTest, ExpressionTextMalformed) { typed_config: "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor descriptor_key: my_descriptor_name - text: undefined_ext(false) + text: request.headers[":method"] == "GET" )EOF"; - EXPECT_THROW_WITH_REGEX(setupTest(yaml), EnvoyException, "failed to create an expression: .*"); + setupTest(yaml); + Http::TestRequestHeaderMapImpl header{{":method", "GET"}}; + + rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header, stream_info_); + EXPECT_THAT(std::vector({{{{"my_descriptor_name", "true"}}}}), + testing::ContainerEq(descriptors_)); } -TEST_F(RateLimitPolicyEntryTest, ExpressionUnparsable) { +TEST_F(RateLimitPolicyEntryTest, ExpressionWithDifferentDataTypes) { const std::string yaml = R"EOF( actions: - extension: - name: custom_descriptor + name: string_descriptor typed_config: "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor - descriptor_key: my_descriptor_name - text: ++ + descriptor_key: string_value + text: request.headers[":method"] )EOF"; - EXPECT_THROW_WITH_REGEX(setupTest(yaml), EnvoyException, - "Unable to parse descriptor expression: .*"); + setupTest(yaml); + Http::TestRequestHeaderMapImpl header{{":method", "GET"}}; + + rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header, stream_info_); + + EXPECT_EQ(1, descriptors_.size()); + // Check the descriptor has the correct value + EXPECT_EQ("GET", descriptors_[0].entries_[0].value_); } -#endif -TEST_F(RateLimitPolicyEntryTest, ExpressionParsed) { +// Test boolean expression evaluation +TEST_F(RateLimitPolicyEntryTest, BooleanExpressionEvaluation) { const std::string yaml = R"EOF( actions: - extension: - name: custom_descriptor + name: boolean_descriptor typed_config: "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor - descriptor_key: my_descriptor_name - parsed: - call_expr: - function: _==_ - args: - - select_expr: - operand: - ident_expr: - name: request - field: method - - const_expr: - string_value: GET + descriptor_key: boolean_value + text: request.headers[":method"] == "GET" )EOF"; setupTest(yaml); Http::TestRequestHeaderMapImpl header{{":method", "GET"}}; rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header, stream_info_); - EXPECT_THAT(std::vector({{{{"my_descriptor_name", "true"}}}}), - testing::ContainerEq(descriptors_)); + + EXPECT_EQ(1, descriptors_.size()); + // Check the descriptor has the correct value - boolean results are converted to strings + EXPECT_EQ("true", descriptors_[0].entries_[0].value_); } -TEST_F(RateLimitPolicyEntryTest, ExpressionParsedMalformed) { +// Test numeric expression evaluation +TEST_F(RateLimitPolicyEntryTest, NumericExpressionEvaluation) { + const std::string yaml = R"EOF( +actions: +- extension: + name: number_descriptor + typed_config: + "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor + descriptor_key: number_value + text: size(request.headers[":method"]) + )EOF"; + + setupTest(yaml); + Http::TestRequestHeaderMapImpl header{{":method", "GET"}}; + + rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header, stream_info_); + + EXPECT_EQ(1, descriptors_.size()); + // The numeric result is converted to a string + EXPECT_EQ("3", descriptors_[0].entries_[0].value_); +} + +TEST_F(RateLimitPolicyEntryTest, ExpressionTextMalformed) { const std::string yaml = R"EOF( actions: - extension: @@ -155,18 +180,52 @@ TEST_F(RateLimitPolicyEntryTest, ExpressionParsedMalformed) { typed_config: "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor descriptor_key: my_descriptor_name - parsed: - call_expr: - function: undefined_extent - args: - - const_expr: - bool_value: false + text: undefined_ext(false) )EOF"; EXPECT_THROW_WITH_REGEX(setupTest(yaml), EnvoyException, "failed to create an expression: .*"); } -#if defined(USE_CEL_PARSER) +TEST_F(RateLimitPolicyEntryTest, ExpressionUnparsable) { + const std::string yaml = R"EOF( +actions: +- extension: + name: custom_descriptor + typed_config: + "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor + descriptor_key: my_descriptor_name + text: ++ + )EOF"; + + EXPECT_THROW_WITH_REGEX(setupTest(yaml), EnvoyException, + "Unable to parse descriptor expression: .*"); +} + +TEST_F(RateLimitPolicyEntryTest, ComplexExpressionWithConditionals) { + const std::string yaml = R"EOF( +actions: +- extension: + name: complex_descriptor + typed_config: + "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor + descriptor_key: processed_path + text: "request.headers[\":path\"] == \"/api/users\" ? \"api_path\" : \"no_path\"" + )EOF"; + + setupTest(yaml); + Http::TestRequestHeaderMapImpl header{{":path", "/api/users"}}; + + rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header, stream_info_); + EXPECT_EQ(1, descriptors_.size()); + + // Test with a different path + descriptors_.clear(); + Http::TestRequestHeaderMapImpl header2{{":path", "/other/path"}}; + + rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header2, stream_info_); + EXPECT_EQ(1, descriptors_.size()); +} + TEST_F(RateLimitPolicyEntryTest, ExpressionTextError) { const std::string yaml = R"EOF( actions: @@ -216,6 +275,69 @@ TEST_F(RateLimitPolicyEntryTest, ExpressionTextErrorSkip) { } #endif +TEST_F(RateLimitPolicyEntryTest, ExpressionParsed) { + const std::string yaml = R"EOF( +actions: +- extension: + name: custom_descriptor + typed_config: + "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor + descriptor_key: my_descriptor_name + parsed: + call_expr: + function: _==_ + args: + - select_expr: + operand: + ident_expr: + name: request + field: method + - const_expr: + string_value: GET + )EOF"; + + setupTest(yaml); + Http::TestRequestHeaderMapImpl header{{":method", "GET"}}; + + rate_limit_entry_->populateDescriptors(descriptors_, "service_cluster", header, stream_info_); + EXPECT_THAT(std::vector({{{{"my_descriptor_name", "true"}}}}), + testing::ContainerEq(descriptors_)); +} + +TEST_F(RateLimitPolicyEntryTest, ExpressionParsedMalformed) { + const std::string yaml = R"EOF( +actions: +- extension: + name: custom_descriptor + typed_config: + "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor + descriptor_key: my_descriptor_name + parsed: + call_expr: + function: undefined_extent + args: + - const_expr: + bool_value: false + )EOF"; + + EXPECT_THROW_WITH_REGEX(setupTest(yaml), EnvoyException, "failed to create an expression: .*"); +} + +TEST_F(RateLimitPolicyEntryTest, ExprSpecifierNotSet) { + const std::string yaml = R"EOF( +actions: +- extension: + name: custom_descriptor + typed_config: + "@type": type.googleapis.com/envoy.extensions.rate_limit_descriptors.expr.v3.Descriptor + descriptor_key: test_key + )EOF"; + + EXPECT_THROW_WITH_REGEX( + setupTest(yaml), EnvoyException, + "Rate limit descriptor extension failed: expression specifier is not set"); +} + } // namespace } // namespace Expr } // namespace RateLimitDescriptors From 19686e60bcaa1faf365de7e6ff16f3160c36b94b Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 31 Jul 2025 08:00:50 +0000 Subject: [PATCH 123/505] Move handshake proto to downstream interface Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection_handshake/v3/BUILD | 11 ++++ .../v3/reverse_connection_handshake.proto | 53 +++++++++++++++++++ .../v3/BUILD | 1 - .../reverse_connection_socket_interface.proto | 12 ----- .../extensions/bootstrap/reverse_tunnel/BUILD | 6 +-- .../reverse_tunnel_initiator.cc | 8 +-- .../reverse_tunnel/reverse_tunnel_initiator.h | 4 +- .../reverse_tunnel_initiator_test.cc | 8 +-- 8 files changed, 75 insertions(+), 28 deletions(-) create mode 100644 api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD create mode 100644 api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto diff --git a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD new file mode 100644 index 0000000000000..932a885a352bc --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD @@ -0,0 +1,11 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "@com_github_cncf_xds//udpa/annotations:pkg", + ], +) \ No newline at end of file diff --git a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto new file mode 100644 index 0000000000000..f914680ea12b7 --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto @@ -0,0 +1,53 @@ +syntax = "proto3"; + +package envoy.extensions.bootstrap.reverse_connection_handshake.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_connection_handshake.v3"; +option java_outer_classname = "ReverseConnectionHandshakeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_handshake/v3;reverse_connection_handshakev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (udpa.annotations.file_status).work_in_progress = true; + +// [#protodoc-title: Reverse Connection Handshake] +// Reverse Connection Handshake :ref:`configuration overview `. +// [#extension: envoy.bootstrap.reverse_connection_handshake] + +// Config sent by the local cluster as part of the Initiation workflow. +// This message combined with message 'ReverseConnHandshakeRet' which is +// sent as a response can be used to transfer/negotiate parameter between the +// two envoys. +message ReverseConnHandshakeArg { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.reverse_conn.v3.ReverseConnHandshakeArg"; + + // Tenant UUID of the local cluster. + string tenant_uuid = 1; + + // Cluster UUID of the local cluster. + string cluster_uuid = 2; + + // Node UUID of the local cluster. + string node_uuid = 3; +} + +// Config used by the remote cluser in response to the above 'ReverseConnHandshakeArg'. +message ReverseConnHandshakeRet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.reverse_conn.v3.ReverseConnHandshakeRet"; + + enum ConnectionStatus { + REJECTED = 0; + ACCEPTED = 1; + } + + // Tracks the status of the reverse connection initiation workflow. + ConnectionStatus status = 1; + + // This field can be used to transmit success/warning/error messages + // describing the status of the reverse connection, if needed. + string status_message = 2; +} \ No newline at end of file diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD index 6a2fd1ac4cc8e..b514f18ab81a3 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD @@ -6,7 +6,6 @@ licenses(["notice"]) # Apache 2 api_proto_package( deps = [ - "//envoy/service/reverse_tunnel/v3:pkg", "@com_github_cncf_xds//udpa/annotations:pkg", ], ) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto index 7d0772135e102..5d1cde3cbac38 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto @@ -2,8 +2,6 @@ syntax = "proto3"; package envoy.extensions.bootstrap.reverse_connection_socket_interface.v3; -import "envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto"; - import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -35,16 +33,6 @@ message DownstreamReverseConnectionSocketInterface { // Map of remote clusters to connection counts repeated RemoteClusterConnectionCount remote_cluster_to_conn_count = 5; - - // Optional: gRPC service configuration for reverse tunnel handshake. - // When specified, the initiator will use gRPC for tunnel establishment - // instead of the legacy HTTP-based handshake protocol. - envoy.service.reverse_tunnel.v3.ReverseTunnelGrpcConfig grpc_service_config = 6; - - // Optional: Legacy HTTP-based handshake support. - // When grpc_service_config is not specified, the initiator will fall back to - // HTTP-based handshake requests for backward compatibility. - bool enable_legacy_http_handshake = 7; } // Configuration for remote cluster connection count diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index 350ca9b982fe1..e86945536ca90 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -48,12 +48,9 @@ envoy_cc_extension( envoy_cc_extension( name = "reverse_tunnel_initiator_lib", srcs = [ - "grpc_reverse_tunnel_client.cc", "reverse_tunnel_initiator.cc", ], hdrs = [ - "factory_base.h", - "grpc_reverse_tunnel_client.h", "reverse_tunnel_initiator.h", ], visibility = ["//visibility:public"], @@ -83,8 +80,7 @@ envoy_cc_extension( "//source/common/upstream:load_balancer_context_base_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", - "@envoy_api//envoy/service/reverse_tunnel/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", ], alwayslink = 1, ) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 271dad9e61079..fdddf802dc141 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -5,7 +5,7 @@ #include #include "envoy/event/deferred_deletable.h" -#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" #include "envoy/network/address.h" #include "envoy/network/connection.h" #include "envoy/registry/registry.h" @@ -161,12 +161,12 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: if (!response_body.empty()) { // Try to parse the protobuf response - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; if (ret.ParseFromString(response_body)) { ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); // Check if the status is ACCEPTED - if (ret.status() == envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED) { + if (ret.status() == envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::ACCEPTED) { ENVOY_LOG(debug, "Reverse connection accepted by cloud side"); parent_->onHandshakeSuccess(); return Network::FilterStatus::StopIteration; @@ -218,7 +218,7 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); // Use HTTP handshake logic - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(src_tenant_id); arg.set_cluster_uuid(src_cluster_id); arg.set_node_uuid(src_node_id); diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index e0747c9e2d01c..0d2fe397c4bbc 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -24,7 +24,6 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/upstream/load_balancer_context_base.h" -#include "source/extensions/bootstrap/reverse_tunnel/factory_base.h" #include "absl/container/flat_hash_map.h" #include "absl/container/flat_hash_set.h" @@ -635,8 +634,9 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; } -private: ReverseTunnelInitiatorExtension* extension_; + +private: Server::Configuration::ServerFactoryContext* context_; }; diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index d4a64dc91186b..7922ca64ad4b8 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -17,7 +17,7 @@ #include "test/test_common/test_runtime.h" // Include the protobuf message for HTTP handshake testing -#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" #include @@ -2713,7 +2713,7 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { EXPECT_FALSE(body.empty()); // Verify the protobuf content by deserializing it - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; bool parse_success = arg.ParseFromString(body); EXPECT_TRUE(parse_success); EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); @@ -3441,8 +3441,8 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { auto filter = createFilter(wrapper.get()); // Create a proper ReverseConnHandshakeRet protobuf response - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED); + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::ACCEPTED); ret.set_status_message("Connection accepted"); std::string protobuf_data = ret.SerializeAsString(); From d228b0a6c2260586dbdd3252ee46138466ec9b36 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 31 Jul 2025 08:01:43 +0000 Subject: [PATCH 124/505] http filter: move handshake proto to downstream interface, and add reverse conn filter tests Signed-off-by: Basundhara Chakrabarty --- .../http/reverse_conn/v3/reverse_conn.proto | 30 - .../filters/http/reverse_conn/BUILD | 2 +- .../http/reverse_conn/reverse_conn_filter.cc | 74 +- .../http/reverse_conn/reverse_conn_filter.h | 9 +- .../reverse_conn/reverse_conn_filter_test.cc | 968 ++++++++++++++---- 5 files changed, 811 insertions(+), 272 deletions(-) diff --git a/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto b/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto index 8c0c626ee19a9..96ef2792d8ca3 100644 --- a/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto +++ b/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto @@ -24,33 +24,3 @@ message ReverseConn { google.protobuf.UInt32Value ping_interval = 1; } - -// Config sent by the local cluster as part of the Initiation workflow. -// This message combined with message 'ReverseConnHandshakeRet' which is -// sent as a response can be used to transfer/negotiate parameter between the -// two envoys. -message ReverseConnHandshakeArg { - // Tenant UUID of the local cluster. - string tenant_uuid = 1; - - // Cluster UUID of the local cluster. - string cluster_uuid = 2; - - // Node UUID of the local cluster. - string node_uuid = 3; -} - -// Config used by the remote cluser in response to the above 'ReverseConnHandshakeArg'. -message ReverseConnHandshakeRet { - enum ConnectionStatus { - REJECTED = 0; - ACCEPTED = 1; - } - - // Tracks the status of the reverse connection initiation workflow. - ConnectionStatus status = 1; - - // This field can be used to transmit success/warning/error messages - // describing the status of the reverse connection, if needed. - string status_message = 2; -} \ No newline at end of file diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index b247d514e3dd5..f572fab5dce50 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -40,6 +40,6 @@ envoy_cc_extension( "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", - "@envoy_api//envoy/service/reverse_tunnel/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 621b6f7a4645d..b38091d8360d8 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -49,25 +49,11 @@ std::string ReverseConnFilter::getQueryParam(const std::string& key) { } } -void ReverseConnFilter::getClusterDetailsUsingQueryParams(std::string* node_uuid, - std::string* cluster_uuid, - std::string* tenant_uuid) { - if (node_uuid) { - *node_uuid = getQueryParam(node_id_param); - } - if (cluster_uuid) { - *cluster_uuid = getQueryParam(cluster_id_param); - } - if (tenant_uuid) { - *tenant_uuid = getQueryParam(tenant_id_param); - } -} - void ReverseConnFilter::getClusterDetailsUsingProtobuf(std::string* node_uuid, std::string* cluster_uuid, std::string* tenant_uuid) { - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; const std::string request_body = accept_rev_conn_proto_.toString(); ENVOY_STREAM_LOG(debug, "Received protobuf request body length: {}", *decoder_callbacks_, request_body.length()); @@ -95,11 +81,11 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { std::string node_uuid, cluster_uuid, tenant_uuid; decoder_callbacks_->setReverseConnForceLocalReply(true); - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; getClusterDetailsUsingProtobuf(&node_uuid, &cluster_uuid, &tenant_uuid); if (node_uuid.empty()) { ret.set_status( - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::REJECTED); + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::REJECTED); ret.set_status_message("Failed to parse request message or required fields missing"); decoder_callbacks_->sendLocalReply(Http::Code::BadGateway, ret.SerializeAsString(), nullptr, absl::nullopt, ""); @@ -132,7 +118,7 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { ENVOY_STREAM_LOG(info, "Accepting reverse connection", *decoder_callbacks_); ret.set_status( - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeRet::ACCEPTED); + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::ACCEPTED); ENVOY_STREAM_LOG(info, "return value", *decoder_callbacks_); // Create response with explicit Content-Length @@ -203,9 +189,9 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, "ReverseConnFilter: Received reverse connection info request with remote_node: {} remote_cluster: {}", remote_node, remote_cluster); - // Production-ready cross-thread aggregation for multi-tenant reporting + // Production-ready cross-thread aggregation auto* upstream_extension = getUpstreamSocketInterfaceExtension(); - if (!upstream_extension) { + if (upstream_extension == nullptr) { ENVOY_LOG(error, "No upstream extension available for stats collection"); std::string response = R"({"accepted":[],"connected":[]})"; decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); @@ -220,15 +206,21 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, if (!remote_node.empty()) { std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", remote_node); - auto it = stats_map.find(node_stat_name); - if (it != stats_map.end()) { - num_connections = it->second; + // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names + for (const auto& [stat_name, value] : stats_map) { + if (stat_name.find(node_stat_name) != std::string::npos) { + num_connections = value; + break; + } } } else { std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", remote_cluster); - auto it = stats_map.find(cluster_stat_name); - if (it != stats_map.end()) { - num_connections = it->second; + // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names + for (const auto& [stat_name, value] : stats_map) { + if (stat_name.find(cluster_stat_name) != std::string::npos) { + num_connections = value; + break; + } } } @@ -242,7 +234,6 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, ENVOY_LOG(debug, "ReverseConnFilter: Using upstream socket manager to get connection stats"); - // Use the production stats-based approach with Envoy's proven stats system auto [connected_nodes, accepted_connections] = upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); @@ -255,7 +246,7 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, "Stats aggregation completed: {} connected nodes, {} accepted connections", connected_nodes.size(), accepted_connections.size()); - // Create production-ready JSON response for multi-tenant environment + // Create JSON response std::string response = fmt::format("{{\"accepted\":{},\"connected\":{}}}", Json::Factory::listAsJsonString(accepted_connections_list), Json::Factory::listAsJsonString(connected_nodes_list)); @@ -272,7 +263,7 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, // Check if downstream socket interface is available auto* downstream_interface = getDownstreamSocketInterface(); - if (!downstream_interface) { + if (downstream_interface == nullptr) { ENVOY_LOG(error, "Failed to get downstream socket interface for initiator role"); decoder_callbacks_->sendLocalReply(Http::Code::InternalServerError, "Failed to get downstream socket interface", nullptr, @@ -282,10 +273,9 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, // Get the downstream socket interface extension to check established connections auto* downstream_extension = getDownstreamSocketInterfaceExtension(); - if (!downstream_extension) { + if (downstream_extension == nullptr) { ENVOY_LOG(error, "Failed to get downstream socket interface extension for initiator role"); std::string response = R"({"accepted":[],"connected":[]})"; - ENVOY_LOG(info, "handleInitiatorInfo response (no extension): {}", response); decoder_callbacks_->sendLocalReply(Http::Code::OK, response, nullptr, absl::nullopt, ""); return Http::FilterHeadersStatus::StopIteration; } @@ -298,16 +288,22 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, size_t num_connections = 0; if (!remote_node.empty()) { - std::string node_stat_name = fmt::format("reverse_connections.nodes.{}.connected", remote_node); - auto it = stats_map.find(node_stat_name); - if (it != stats_map.end()) { - num_connections = it->second; + std::string node_stat_name = fmt::format("reverse_connections.host.{}.connected", remote_node); + // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names + for (const auto& [stat_name, value] : stats_map) { + if (stat_name.find(node_stat_name) != std::string::npos) { + num_connections = value; + break; + } } } else { - std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}.connected", remote_cluster); - auto it = stats_map.find(cluster_stat_name); - if (it != stats_map.end()) { - num_connections = it->second; + std::string cluster_stat_name = fmt::format("reverse_connections.cluster.{}.connected", remote_cluster); + // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names + for (const auto& [stat_name, value] : stats_map) { + if (stat_name.find(cluster_stat_name) != std::string::npos) { + num_connections = value; + break; + } } } diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 9bcd0020f589a..583f4d79b1f24 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -2,6 +2,8 @@ #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.validate.h" +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.validate.h" #include "envoy/http/async_client.h" #include "envoy/http/filter.h" #include "envoy/upstream/cluster_manager.h" @@ -134,13 +136,6 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str void getClusterDetailsUsingProtobuf(std::string* node_uuid, std::string* cluster_uuid, std::string* tenant_uuid); - // Gets the details of the remote cluster such as the node UUID, cluster UUID, - // and tenant UUID from the query parameters of the URL and populate them in - // the corresponding out parameters. This is used when the - // remote is not upgraded and using the old way to send this information. - // TODO- This is tech-debt and should eventually be removed. - void getClusterDetailsUsingQueryParams(std::string* node_uuid, std::string* cluster_uuid, - std::string* tenant_uuid); bool matchRequestPath(const absl::string_view& request_path, const std::string& api_path); diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc index 81de059c97734..47395649c40ae 100644 --- a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -1,6 +1,6 @@ #include "source/extensions/filters/http/reverse_conn/reverse_conn_filter.h" -#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" #include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/network/connection.h" @@ -24,6 +24,7 @@ #include "test/mocks/network/mocks.h" #include "test/mocks/event/mocks.h" #include "test/test_common/test_runtime.h" +#include "test/test_common/logging.h" // Include reverse connection components for testing #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" @@ -63,6 +64,55 @@ class ReverseConnFilterTest : public testing::Test { EXPECT_CALL(callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); EXPECT_CALL(stream_info_, dynamicMetadata()).WillRepeatedly(ReturnRef(metadata_)); + // Create the configs + upstream_config_.set_stat_prefix("test_prefix"); + downstream_config_.set_stat_prefix("test_prefix"); + } + + // Helper method to set up upstream extension only + void setupUpstreamExtension() { + // Create the upstream socket interface and extension + upstream_socket_interface_ = std::make_unique(context_); + upstream_extension_ = std::make_unique( + *upstream_socket_interface_, context_, upstream_config_); + + // Set up the extension in the global socket interface registry + auto* registered_upstream_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (registered_upstream_interface) { + auto* registered_acceptor = dynamic_cast( + const_cast(registered_upstream_interface)); + if (registered_acceptor) { + // Set up the extension for the registered upstream socket interface + registered_acceptor->extension_ = upstream_extension_.get(); + } + } + } + + // Helper method to set up downstream extension only + void setupDownstreamExtension() { + // Create the downstream socket interface and extension + downstream_socket_interface_ = std::make_unique(context_); + downstream_extension_ = std::make_unique( + context_, downstream_config_); + + // Set up the extension in the global socket interface registry + auto* registered_downstream_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + if (registered_downstream_interface) { + auto* registered_initiator = dynamic_cast( + const_cast(registered_downstream_interface)); + if (registered_initiator) { + // Set up the extension for the registered downstream socket interface + registered_initiator->extension_ = downstream_extension_.get(); + } + } + } + + // Helper method to set up both upstream and downstream extensions + void setupExtensions() { + setupUpstreamExtension(); + setupDownstreamExtension(); } // Helper function to create a filter with default config @@ -116,113 +166,90 @@ class ReverseConnFilterTest : public testing::Test { return filter->matchRequestPath(request_path, api_path); } - // Helper function to set up thread local slot for testing upstream socket manager - void setupThreadLocalSlot() { - setupThreadLocalSlotForTesting(); + // Helper functions to call private methods in ReverseConnFilter + ReverseConnection::UpstreamSocketManager* testGetUpstreamSocketManager(ReverseConnFilter* filter) { + return filter->getUpstreamSocketManager(); } - // Helper function to create a mock socket with proper address setup - Network::ConnectionSocketPtr createMockSocket(int fd = 123, - const std::string& local_addr = "127.0.0.1:8080", - const std::string& remote_addr = "127.0.0.1:9090") { - auto socket = std::make_unique>(); - - // Parse local address (IP:port format) - auto local_colon_pos = local_addr.find(':'); - std::string local_ip = local_addr.substr(0, local_colon_pos); - uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); - auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); - - // Parse remote address (IP:port format) - auto remote_colon_pos = remote_addr.find(':'); - std::string remote_ip = remote_addr.substr(0, remote_colon_pos); - uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); - auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); - - // Create a mock IO handle and set it up - auto mock_io_handle = std::make_unique>(); - auto* mock_io_handle_ptr = mock_io_handle.get(); - EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); - EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + const ReverseConnection::ReverseTunnelInitiator* testGetDownstreamSocketInterface(ReverseConnFilter* filter) { + return filter->getDownstreamSocketInterface(); + } - // Store the mock_io_handle in the socket - socket->io_handle_ = std::move(mock_io_handle); + ReverseConnection::ReverseTunnelAcceptorExtension* testGetUpstreamSocketInterfaceExtension(ReverseConnFilter* filter) { + return filter->getUpstreamSocketInterfaceExtension(); + } + + ReverseConnection::ReverseTunnelInitiatorExtension* testGetDownstreamSocketInterfaceExtension(ReverseConnFilter* filter) { + return filter->getDownstreamSocketInterfaceExtension(); + } + + // Helper function to call the private saveDownstreamConnection method + void testSaveDownstreamConnection(ReverseConnFilter* filter, Network::Connection& connection, + const std::string& node_id, const std::string& cluster_id) { + filter->saveDownstreamConnection(connection, node_id, cluster_id); + } - // Set up connection info provider with the desired addresses - socket->connection_info_provider_->setLocalAddress(local_address); - socket->connection_info_provider_->setRemoteAddress(remote_address); + // Helper function to test the private getQueryParam method + std::string testGetQueryParam(ReverseConnFilter* filter, const std::string& key) { + // Call the private method using friend class access + return filter->getQueryParam(key); + } - return socket; + // Helper function to test the private determineRole method + std::string testDetermineRole(ReverseConnFilter* filter) { + return filter->determineRole(); } // Helper function to create a protobuf handshake argument std::string createHandshakeArg(const std::string& tenant_uuid, const std::string& cluster_uuid, const std::string& node_uuid) { - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(tenant_uuid); arg.set_cluster_uuid(cluster_uuid); arg.set_node_uuid(node_uuid); return arg.SerializeAsString(); } - // Helper function to get the upstream socket manager for testing - ReverseConnection::UpstreamSocketManager* getUpstreamSocketManager() { - // Use the local socket manager that was created in setupThreadLocalSlot - if (socket_manager_) { - return socket_manager_.get(); - } - - // Fallback to accessing through the socket interface if available - auto* upstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); - if (!upstream_interface) { - return nullptr; - } + // Helper method to set up upstream thread local slot for testing + void setupUpstreamThreadLocalSlot() { + // Call onServerInitialized to set up the extension references properly + upstream_extension_->onServerInitialized(); - auto* upstream_socket_interface = - dynamic_cast(upstream_interface); - if (!upstream_socket_interface) { - return nullptr; - } + // Create a thread local registry for upstream with the properly initialized extension + upstream_thread_local_registry_ = std::make_shared( + dispatcher_, upstream_extension_.get()); + + upstream_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); - auto* tls_registry = upstream_socket_interface->getLocalRegistry(); - if (!tls_registry) { - return nullptr; - } + // Set up the upstream slot to return our registry + upstream_tls_slot_->set([registry = upstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); - return tls_registry->socketManager(); + // Override the TLS slot with our test version + upstream_extension_->setTestOnlyTLSRegistry(std::move(upstream_tls_slot_)); } - // Helper method to set up thread local slot for testing - void setupThreadLocalSlotForTesting() { - // Create the config - config_.set_stat_prefix("test_prefix"); - - // Create the socket interface - socket_interface_ = std::make_unique(context_); - - // Create the extension - extension_ = std::make_unique( - *socket_interface_, context_, config_); - - // First, call onServerInitialized to set up the extension reference properly - extension_->onServerInitialized(); - - // Create a thread local registry with the properly initialized extension - thread_local_registry_ = std::make_shared( - dispatcher_, extension_.get()); - - // Create the actual TypedSlot - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - - // Set up the slot to return our registry - tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + // Helper method to set up downstream thread local slot for testing + void setupDownstreamThreadLocalSlot() { + // Call onServerInitialized to set up the extension references properly + downstream_extension_->onServerInitialized(); + + // Create a thread local registry for downstream with the dispatcher + downstream_thread_local_registry_ = std::make_shared( + dispatcher_, *stats_scope_); - // Use the public setTestOnlyTLSRegistry method instead of accessing private members - extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + downstream_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + + // Set up the downstream slot to return our registry + downstream_tls_slot_->set([registry = downstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version + downstream_extension_->setTestOnlyTLSRegistry(std::move(downstream_tls_slot_)); + } - // Create the socket manager - socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + // Helper method to set up thread local slot for testing + void setupThreadLocalSlot() { + setupUpstreamThreadLocalSlot(); + setupDownstreamThreadLocalSlot(); } NiceMock context_; @@ -236,46 +263,98 @@ class ReverseConnFilterTest : public testing::Test { NiceMock io_handle_; NiceMock stream_info_; envoy::config::core::v3::Metadata metadata_; - NiceMock dispatcher_{"test_dispatcher"}; + NiceMock dispatcher_{"worker_0"}; // Mock socket for testing std::unique_ptr mock_socket_; std::unique_ptr> mock_io_handle_; - - // Helper method to set up socket mock - void setupSocketMock() { + + // Helper method to set up socket mock with proper expectations for tests + void setupSocketMock(bool expect_duplicate = true) { // Create a mock socket that inherits from ConnectionSocket auto mock_socket_ptr = std::make_unique>(); - mock_io_handle_ = std::make_unique>(); + auto mock_io_handle_ = std::make_unique>(); + // Set up IO handle expectations EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_io_handle_, isOpen()).WillRepeatedly(Return(true)); + + // Only expect duplicate() if the socket will actually be used + if (expect_duplicate) { + EXPECT_CALL(*mock_io_handle_, duplicate()).WillOnce(Invoke([&]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, fdDoNotUse()).WillRepeatedly(Return(124)); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*duplicated_handle, resetFileEvents()).Times(1); + return duplicated_handle; + })); + } + + // Set up socket expectations EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); - mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); - // Cast the mock to the base ConnectionSocket type + // Store the mock_io_handle in the socket + mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); + + // Cast the mock to the base ConnectionSocket type and store it mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); - // Set up connection to return the socket - return reference to the unique_ptr + // Set up connection to return the socket EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); } // Thread local components for testing upstream socket manager - std::unique_ptr> tls_slot_; - std::shared_ptr thread_local_registry_; - std::unique_ptr socket_manager_; - std::unique_ptr socket_interface_; - std::unique_ptr extension_; + std::unique_ptr> upstream_tls_slot_; + std::shared_ptr upstream_thread_local_registry_; + std::unique_ptr upstream_socket_interface_; + std::unique_ptr upstream_extension_; + + std::unique_ptr> downstream_tls_slot_; + std::shared_ptr downstream_thread_local_registry_; + std::unique_ptr downstream_socket_interface_; + std::unique_ptr downstream_extension_; // Config for reverse connection socket interface - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::UpstreamReverseConnectionSocketInterface config_; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::UpstreamReverseConnectionSocketInterface upstream_config_; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface downstream_config_; + + // Set debug logging for this test + LogLevelSetter log_level_setter_{ENVOY_SPDLOG_LEVEL(debug)}; void TearDown() override { // Clean up thread local components - tls_slot_.reset(); - thread_local_registry_.reset(); - socket_manager_.reset(); - extension_.reset(); - socket_interface_.reset(); + upstream_tls_slot_.reset(); + upstream_thread_local_registry_.reset(); + upstream_extension_.reset(); + upstream_socket_interface_.reset(); + + downstream_tls_slot_.reset(); + downstream_thread_local_registry_.reset(); + downstream_extension_.reset(); + downstream_socket_interface_.reset(); + } + + // Helper method to create an initiated connection for testing + void createInitiatedConnection(const std::string& node_id, const std::string& cluster_id) { + // Manually set the gauge values to simulate initiated connections + setInitiatedConnectionStats(node_id, cluster_id, 1); + } + + // Helper method to manually set gauge values for testing initiated connections + void setInitiatedConnectionStats(const std::string& node_id, const std::string& cluster_id, uint64_t count = 1) { + // Set cross-worker stats (these are the ones used by getCrossWorkerStatMap) + auto& stats_store = downstream_extension_->getStatsScope(); + + // Set host connection stat - use the pattern expected by getCrossWorkerStatMap + std::string host_stat_name = fmt::format("reverse_connections.host.{}.connected", node_id); + auto& host_gauge = stats_store.gaugeFromString(host_stat_name, Stats::Gauge::ImportMode::Accumulate); + host_gauge.set(count); + + // Set cluster connection stat - use the pattern expected by getCrossWorkerStatMap + std::string cluster_stat_name = fmt::format("reverse_connections.cluster.{}.connected", cluster_id); + auto& cluster_gauge = stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + cluster_gauge.set(count); } }; @@ -322,6 +401,69 @@ TEST_F(ReverseConnFilterTest, OnDestroy) { filter->onDestroy(); } +// Test helper functions for socket interface access - Extension not created +TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersNoExtensions) { + auto filter = createFilter(); + + // Test all four helper functions when no extensions are created + auto* upstream_manager = testGetUpstreamSocketManager(filter.get()); + auto* upstream_extension = testGetUpstreamSocketInterfaceExtension(filter.get()); + auto* downstream_extension = testGetDownstreamSocketInterfaceExtension(filter.get()); + + EXPECT_EQ(upstream_manager, nullptr); // No TLS registry set up + EXPECT_EQ(upstream_extension, nullptr); // No extension set up + EXPECT_EQ(downstream_extension, nullptr); // No extension set up +} + +// Test helper functions for socket interface access - Extensions created but no TLS slots +TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersExtensionsNoSlots) { + auto filter = createFilter(); + + // Set up extensions but don't set up TLS slots + setupExtensions(); + + // Test all four helper functions when extensions are created but TLS slots are not set up + auto* upstream_manager = testGetUpstreamSocketManager(filter.get()); + auto* upstream_extension = testGetUpstreamSocketInterfaceExtension(filter.get()); + auto* downstream_extension = testGetDownstreamSocketInterfaceExtension(filter.get()); + + // Upstream manager should be nullptr because TLS registry is not set up + EXPECT_EQ(upstream_manager, nullptr); + + // Extensions should be found since we created them, but TLS slots are not set up + EXPECT_NE(upstream_extension, nullptr); + EXPECT_EQ(upstream_extension, upstream_extension_.get()); + EXPECT_NE(downstream_extension, nullptr); + EXPECT_EQ(downstream_extension, downstream_extension_.get()); +} + +// Test helper functions for socket interface access - Extensions and TLS slots set up +TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersExtensionsAndSlots) { + auto filter = createFilter(); + + // Set up extensions and TLS slots + setupExtensions(); + setupThreadLocalSlot(); + + // Test all four helper functions when everything is properly set up + auto* upstream_manager = testGetUpstreamSocketManager(filter.get()); + auto* downstream_interface = testGetDownstreamSocketInterface(filter.get()); + auto* upstream_extension = testGetUpstreamSocketInterfaceExtension(filter.get()); + auto* downstream_extension = testGetDownstreamSocketInterfaceExtension(filter.get()); + + // All should be non-null when properly set up + EXPECT_NE(upstream_manager, nullptr); + EXPECT_EQ(upstream_manager, upstream_thread_local_registry_->socketManager()); + + EXPECT_NE(downstream_interface, nullptr); + + EXPECT_NE(upstream_extension, nullptr); + EXPECT_EQ(upstream_extension, upstream_extension_.get()); + + EXPECT_NE(downstream_extension, nullptr); + EXPECT_EQ(downstream_extension, downstream_extension_.get()); +} + // Test decodeHeaders with non-reverse connection path (should continue) TEST_F(ReverseConnFilterTest, DecodeHeadersNonReverseConnectionPath) { auto filter = createFilter(); @@ -416,7 +558,8 @@ TEST_F(ReverseConnFilterTest, DecodeHeadersPostNonAcceptPath) { // Test acceptReverseConnection with valid protobuf data TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { - // Set up thread local slot for upstream socket manager + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); setupThreadLocalSlot(); auto filter = createFilter(); @@ -428,8 +571,8 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - // Set up socket mock - setupSocketMock(); + // Set up socket mock with proper expectations + setupSocketMock(true); // Expect duplicate() for valid protobuf // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); @@ -443,7 +586,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); // Verify that the socket was added to the upstream socket manager - auto* socket_manager = getUpstreamSocketManager(); + auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); // Try to get the socket for the node - should be available @@ -451,57 +594,114 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { EXPECT_NE(retrieved_socket, nullptr); // Verify stats were updated - auto* extension = socket_manager->getUpstreamExtension(); + auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); // Get per-worker stats to verify the connection was counted auto stat_map = extension->getPerWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 1); } +// Test acceptReverseConnection with incomplete protobuf data +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionProtobufIncomplete) { + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Set up headers for reverse connection request with large content length + auto headers = createHeaders("POST", "/reverse_connections/request"); + headers.setContentLength("100"); // Expect 100 bytes but only send 10 + + // Set up socket mock - expect no duplicate() since the socket won't be used + setupSocketMock(false); + + // Process headers first + Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + // Create buffer with incomplete protobuf data (less than expected size) + Buffer::OwnedImpl data("incomplete"); + + // Process data - this should return StopIterationAndBuffer waiting for more data + Http::FilterDataStatus data_status = filter->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationAndBuffer); + + // Verify that no socket was added to the upstream socket manager + auto* socket_manager = upstream_thread_local_registry_->socketManager(); + ASSERT_NE(socket_manager, nullptr); + + auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); + EXPECT_EQ(retrieved_socket, nullptr); +} + // Test acceptReverseConnection with invalid protobuf data -TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobuf) { - // Set up thread local slot for upstream socket manager +TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobufParseFailure) { + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); setupThreadLocalSlot(); auto filter = createFilter(); // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); - headers.setContentLength("50"); - - // Set up socket mock - setupSocketMock(); + headers.setContentLength("43"); // Match the actual data size we'll send + + // Set up socket mock - saveDownstreamConnection is not called since after + // protobuf unmarshalling since the node_uuid is empty + setupSocketMock(false); + + // Expect sendLocalReply to be called with BadGateway status + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::BadGateway, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + // Verify the HTTP status code + EXPECT_EQ(code, Http::Code::BadGateway); + + // Deserialize the protobuf response to check the actual message + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + EXPECT_TRUE(ret.ParseFromString(std::string(body))); + EXPECT_EQ(ret.status(), + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::REJECTED); + EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); + })); // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - // Create buffer with invalid protobuf data + // Create buffer with invalid protobuf data that can't be parsed + // Send exactly 43 bytes to match the content length Buffer::OwnedImpl data("invalid protobuf data that cannot be parsed"); - // Process data - this should call acceptReverseConnection and fail + // Process data - this should call acceptReverseConnection and fail parsing + // The filter should return StopIterationNoBuffer and send a local reply Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Verify that no socket was added to the upstream socket manager - auto* socket_manager = getUpstreamSocketManager(); - if (socket_manager) { - auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); - EXPECT_EQ(retrieved_socket, nullptr); - } + auto* socket_manager = upstream_thread_local_registry_->socketManager(); + ASSERT_NE(socket_manager, nullptr); + + auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); + EXPECT_EQ(retrieved_socket, nullptr); } // Test acceptReverseConnection with empty node_uuid in protobuf TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { - // Set up thread local slot for upstream socket manager + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); setupThreadLocalSlot(); auto filter = createFilter(); // Create protobuf with empty node_uuid - envoy::extensions::filters::http::reverse_conn::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; arg.set_tenant_uuid("tenant-123"); arg.set_cluster_uuid("cluster-456"); arg.set_node_uuid(""); // Empty node_uuid @@ -511,8 +711,25 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - // Set up socket mock - setupSocketMock(); + // Set up socket mock - since the node_uuid is empty, the socket is not saved + setupSocketMock(false); + + // Expect sendLocalReply to be called with BadGateway status for empty node_uuid + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::BadGateway, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + // Verify the HTTP status code + EXPECT_EQ(code, Http::Code::BadGateway); + + // Deserialize the protobuf response to check the actual message + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + EXPECT_TRUE(ret.ParseFromString(std::string(body))); + EXPECT_EQ(ret.status(), + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::REJECTED); + EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); + })); // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); @@ -525,17 +742,22 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - // Verify that no socket was added to the upstream socket manager - auto* socket_manager = getUpstreamSocketManager(); - if (socket_manager) { - auto retrieved_socket = socket_manager->getConnectionSocket(""); - EXPECT_EQ(retrieved_socket, nullptr); - } + // Check that no stats were recorded for the cluster + auto* socket_manager = upstream_thread_local_registry_->socketManager(); + ASSERT_NE(socket_manager, nullptr); + + auto* extension = socket_manager->getUpstreamExtension(); + ASSERT_NE(extension, nullptr); + + // Get cross-worker stats to verify no connection was counted + auto cross_worker_stat_map = upstream_extension_->getCrossWorkerStatMap(); + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-456"], 0); } // Test acceptReverseConnection with SSL certificate information TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { - // Set up thread local slot for upstream socket manager + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); setupThreadLocalSlot(); auto filter = createFilter(); @@ -557,7 +779,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { EXPECT_CALL(connection_, ssl()).WillRepeatedly(Return(mock_ssl)); // Set up socket mock - setupSocketMock(); + setupSocketMock(true); // Expect duplicate() for SSL test // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); @@ -569,10 +791,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { // Process data - this should call acceptReverseConnection Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Verify that the socket was added to the upstream socket manager - // SSL certificate values should override protobuf values - auto* socket_manager = getUpstreamSocketManager(); + auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); // Try to get the socket for the node - should be available @@ -582,7 +803,8 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { // Test acceptReverseConnection with multiple sockets for same node TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { - // Set up thread local slot for upstream socket manager + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); setupThreadLocalSlot(); auto filter = createFilter(); @@ -594,8 +816,8 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - // Set up socket mock - setupSocketMock(); + // Set up socket mock for first connection + setupSocketMock(true); // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); @@ -615,6 +837,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { auto headers2 = createHeaders("POST", "/reverse_connections/request"); headers2.setContentLength(std::to_string(handshake_arg.length())); + // Set up socket mock for second connection + setupSocketMock(true); + // Process headers for second connection Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); @@ -627,7 +852,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { EXPECT_EQ(data_status2, Http::FilterDataStatus::StopIterationNoBuffer); // Verify that both sockets were added to the upstream socket manager - auto* socket_manager = getUpstreamSocketManager(); + auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); // Try to get the first socket for the node @@ -639,7 +864,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { EXPECT_NE(retrieved_socket2, nullptr); // Verify stats were updated correctly for multiple connections - auto* extension = socket_manager->getUpstreamExtension(); + auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); // Get per-worker stats to verify the connections were counted @@ -648,55 +873,10 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 2); } -// Test acceptReverseConnection with cross-worker stats verification -TEST_F(ReverseConnFilterTest, AcceptReverseConnectionCrossWorkerStats) { - // Set up thread local slot for upstream socket manager - setupThreadLocalSlot(); - - auto filter = createFilter(); - - // Create valid protobuf handshake argument - std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); - - // Set up headers for reverse connection request - auto headers = createHeaders("POST", "/reverse_connections/request"); - headers.setContentLength(std::to_string(handshake_arg.length())); - - // Set up socket mock - setupSocketMock(); - - // Process headers first - Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); - EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - - // Create buffer with protobuf data - Buffer::OwnedImpl data(handshake_arg); - - // Process data - this should call acceptReverseConnection - Http::FilterDataStatus data_status = filter->decodeData(data, true); - EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - - // Verify that the socket was added to the upstream socket manager - auto* socket_manager = getUpstreamSocketManager(); - ASSERT_NE(socket_manager, nullptr); - - // Try to get the socket for the node - should be available - auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); - EXPECT_NE(retrieved_socket, nullptr); - - // Verify cross-worker stats were updated correctly - auto* extension = socket_manager->getUpstreamExtension(); - ASSERT_NE(extension, nullptr); - - // Get cross-worker stats to verify the connection was counted - auto cross_worker_stat_map = extension->getCrossWorkerStatMap(); - EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.nodes.node-789"], 1); - EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-456"], 1); -} - // Test acceptReverseConnection with multiple nodes and clusters for cross-worker stats TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerStats) { - // Set up thread local slot for upstream socket manager + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); setupThreadLocalSlot(); // Create first filter and connection @@ -706,7 +886,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta headers1.setContentLength(std::to_string(handshake_arg1.length())); // Set up socket mock for first connection - setupSocketMock(); + setupSocketMock(true); Http::FilterHeadersStatus header_status1 = filter1->decodeHeaders(headers1, false); EXPECT_EQ(header_status1, Http::FilterHeadersStatus::StopIteration); @@ -722,7 +902,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta headers2.setContentLength(std::to_string(handshake_arg2.length())); // Set up socket mock for second connection - setupSocketMock(); + setupSocketMock(true); Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); @@ -732,7 +912,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta EXPECT_EQ(data_status2, Http::FilterDataStatus::StopIterationNoBuffer); // Verify that both sockets were added to the upstream socket manager - auto* socket_manager = getUpstreamSocketManager(); + auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); // Try to get both sockets @@ -743,7 +923,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta EXPECT_NE(retrieved_socket2, nullptr); // Verify cross-worker stats were updated correctly for both connections - auto* extension = socket_manager->getUpstreamExtension(); + auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); // Get cross-worker stats to verify both connections were counted @@ -754,6 +934,404 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-789"], 1); } + +// Test saveDownstreamConnection without socket manager initialized +TEST_F(ReverseConnFilterTest, SaveDownstreamConnectionNoSocketManager) { + // Set up extensions but not thread local slot - socket manager will not be initialized + setupExtensions(); + auto filter = createFilter(); + + // Set up socket mock + setupSocketMock(false); + + // Call saveDownstreamConnection - should fail since socket manager is not initialized + testSaveDownstreamConnection(filter.get(), connection_, "node-789", "cluster-456"); + + // Check that no stats were recorded since the socket manager is not available + auto* extension = upstream_extension_.get(); + ASSERT_NE(extension, nullptr); + + // Get per-worker stats to verify no connection was counted + auto stat_map = extension->getPerWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 0); +} + +// Test saveDownstreamConnection with original socket closure +TEST_F(ReverseConnFilterTest, SaveDownstreamConnectionOriginalSocketClosed) { + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Set up socket mock with closed socket + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle_ = std::make_unique>(); + + // Set up IO handle expectations for closed socket + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_io_handle_, isOpen()).WillRepeatedly(Return(false)); // Socket is closed + + // Don't expect duplicate() since socket is closed + EXPECT_CALL(*mock_io_handle_, duplicate()).Times(0); + + // Set up socket expectations + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(false)); // Socket is closed + + // Store the mock_io_handle in the socket + mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); + + // Cast the mock to the base ConnectionSocket type and store it + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection to return the socket + EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + // Call saveDownstreamConnection directly - should fail since socket is closed + testSaveDownstreamConnection(filter.get(), connection_, "node-789", "cluster-456"); + + // Check that no stats were recorded since the socket was closed + auto* extension = upstream_extension_.get(); + ASSERT_NE(extension, nullptr); + + // Get per-worker stats to verify no connection was counted + auto stat_map = extension->getPerWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 0); +} + +// Test saveDownstreamConnection with duplicate failure +TEST_F(ReverseConnFilterTest, SaveDownstreamConnectionDuplicateFailure) { + // Set up extensions and thread local slot for upstream socket manager + setupExtensions(); + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Set up socket mock with duplicate failure + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle_ = std::make_unique>(); + + // Set up IO handle expectations + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_io_handle_, isOpen()).WillRepeatedly(Return(true)); + + // Expect duplicate() to fail (return nullptr) + EXPECT_CALL(*mock_io_handle_, duplicate()).WillOnce(Return(nullptr)); + + // Set up socket expectations + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket + mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); + + // Cast the mock to the base ConnectionSocket type and store it + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection to return the socket + EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + // Call saveDownstreamConnection directly - should fail since duplicate() returns nullptr + testSaveDownstreamConnection(filter.get(), connection_, "node-789", "cluster-456"); + + // Check that no stats were recorded since the duplicate operation failed + auto* extension = upstream_extension_.get(); + ASSERT_NE(extension, nullptr); + + // Get per-worker stats to verify no connection was counted + auto stat_map = extension->getPerWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster-456"], 0); +} + +// Test getQueryParam +TEST_F(ReverseConnFilterTest, GetQueryParamAllCases) { + // Set up extensions and thread local slots to avoid crashes + setupExtensions(); + setupThreadLocalSlot(); + + auto filter = createFilter(); + + // Test with existing query parameters - use a reverse-connection path but with GET method to avoid triggering the full logic + auto headers = createHeaders("GET", "/reverse_connections?node_id=test-node&cluster_id=test-cluster&role=initiator"); + // Call decodeHeaders to properly set up the request headers + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); + + EXPECT_EQ(testGetQueryParam(filter.get(), "node_id"), "test-node"); + EXPECT_EQ(testGetQueryParam(filter.get(), "cluster_id"), "test-cluster"); + EXPECT_EQ(testGetQueryParam(filter.get(), "role"), "initiator"); + + // Test with non-existent query parameter + EXPECT_EQ(testGetQueryParam(filter.get(), "non_existent"), ""); + + // Test with empty query string + auto headers_empty = createHeaders("GET", "/reverse_connections"); + auto filter_empty = createFilter(); + Http::FilterHeadersStatus status_empty = filter_empty->decodeHeaders(headers_empty, true); + EXPECT_EQ(status_empty, Http::FilterHeadersStatus::StopIteration); + + EXPECT_EQ(testGetQueryParam(filter_empty.get(), "node_id"), ""); + EXPECT_EQ(testGetQueryParam(filter_empty.get(), "cluster_id"), ""); + EXPECT_EQ(testGetQueryParam(filter_empty.get(), "role"), ""); +} + +// Test determineRole with different interface registration scenarios +TEST_F(ReverseConnFilterTest, DetermineRoleDifferentInterfaceRegistration) { + // Test with only downstream extension enabled - should return "initiator" + auto filter_downstream_only = createFilter(); + setupDownstreamExtension(); + setupDownstreamThreadLocalSlot(); + EXPECT_EQ(testDetermineRole(filter_downstream_only.get()), "initiator"); + + // Test with both extensions enabled - should return "both" + auto filter_both = createFilter(); + setupExtensions(); + setupThreadLocalSlot(); + EXPECT_EQ(testDetermineRole(filter_both.get()), "both"); +} + +// Test GET request with initiator role - with remote node +TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleWithRemoteNode) { + // Set up both extensions + setupExtensions(); + setupThreadLocalSlot(); + + // Create an initiated connection by setting stats + createInitiatedConnection("test-node", "test-cluster"); + + // Now test the GET request + auto filter = createFilter(); + + // Create GET request with initiator role and remote node + auto headers = createHeaders("GET", "/reverse_connections?role=initiator&node_id=test-node"); + + // Expect sendLocalReply to be called with OK status and node-specific stats + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + EXPECT_EQ(code, Http::Code::OK); + // Should return JSON with available_connections for the specific node + EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); + // Should return count of 1 since we manually set the stats + EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); + })); + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); +} + +// Test GET request with initiator role - with remote cluster +TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleWithRemoteCluster) { + // Set up both extensions + setupExtensions(); + setupThreadLocalSlot(); + + // Create an initiated connection by setting stats + createInitiatedConnection("test-node", "test-cluster"); + + // Now test the GET request + auto filter = createFilter(); + + // Create GET request with initiator role and remote cluster + auto headers = createHeaders("GET", "/reverse_connections?role=initiator&cluster_id=test-cluster"); + + // Expect sendLocalReply to be called with OK status and cluster-specific stats + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + EXPECT_EQ(code, Http::Code::OK); + // Should return JSON with available_connections for the specific cluster + EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); + // Should return count of 1 since we manually set the stats + EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); + })); + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); +} + +// Test GET request with initiator role - no node/cluster (aggregated stats) +TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleAggregatedStats) { + // Set up both extensions + setupExtensions(); + setupThreadLocalSlot(); + + // Create an initiated connection by setting stats + createInitiatedConnection("test-node", "test-cluster"); + + // Now test the GET request + auto filter = createFilter(); + + // Create GET request with initiator role but no node_id or cluster_id + auto headers = createHeaders("GET", "/reverse_connections?role=initiator"); + + // Expect sendLocalReply to be called with OK status and aggregated stats + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + EXPECT_EQ(code, Http::Code::OK); + // Should return JSON with aggregated stats (accepted and connected arrays) + EXPECT_TRUE(body.find("accepted") != absl::string_view::npos); + EXPECT_TRUE(body.find("connected") != absl::string_view::npos); + // Should show test-cluster in the connected array since we set the stats + EXPECT_TRUE(body.find("test-cluster") != absl::string_view::npos); + })); + + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); +} + +// Test GET request with responder role - upstream extension present, with remote node +TEST_F(ReverseConnFilterTest, GetRequestResponderRoleWithRemoteNode) { + // Set up both extensions + setupExtensions(); + setupThreadLocalSlot(); + + // Create an accepted connection by sending a reverse connection request + auto filter1 = createFilter(); + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + auto headers1 = createHeaders("POST", "/reverse_connections/request"); + headers1.setContentLength(std::to_string(handshake_arg.length())); + + // Set up socket mock for the connection + setupSocketMock(true); + + // Process the reverse connection request to create an accepted connection + Http::FilterHeadersStatus header_status = filter1->decodeHeaders(headers1, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + Buffer::OwnedImpl data(handshake_arg); + Http::FilterDataStatus data_status = filter1->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Now test the GET request + auto filter2 = createFilter(); + + // Create GET request with responder role and remote node + auto headers2 = createHeaders("GET", "/reverse_connections?role=responder&node_id=node-789"); + + // Expect sendLocalReply to be called with OK status and node-specific stats + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + EXPECT_EQ(code, Http::Code::OK); + // Should return JSON with available_connections for the specific node + EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); + // Should return count of 1 since we created an actual connection + EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); + })); + + Http::FilterHeadersStatus status = filter2->decodeHeaders(headers2, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); +} + +// Test GET request with responder role - upstream extension present, with remote cluster +TEST_F(ReverseConnFilterTest, GetRequestResponderRoleWithRemoteCluster) { + // Set up both extensions + setupExtensions(); + setupThreadLocalSlot(); + + // Create an accepted connection by sending a reverse connection request + auto filter1 = createFilter(); + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + auto headers1 = createHeaders("POST", "/reverse_connections/request"); + headers1.setContentLength(std::to_string(handshake_arg.length())); + + // Set up socket mock for the connection + setupSocketMock(true); + + // Process the reverse connection request to create an accepted connection + Http::FilterHeadersStatus header_status = filter1->decodeHeaders(headers1, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + Buffer::OwnedImpl data(handshake_arg); + Http::FilterDataStatus data_status = filter1->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Now test the GET request + auto filter2 = createFilter(); + + // Create GET request with responder role and remote cluster + auto headers2 = createHeaders("GET", "/reverse_connections?role=responder&cluster_id=cluster-456"); + + // Expect sendLocalReply to be called with OK status and cluster-specific stats + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + EXPECT_EQ(code, Http::Code::OK); + // Should return JSON with available_connections for the specific cluster + EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); + // Should return count of 1 since we created an actual connection + EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); + })); + + Http::FilterHeadersStatus status = filter2->decodeHeaders(headers2, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); +} + +// Test GET request with responder role - upstream extension present, no node/cluster (aggregated stats) +TEST_F(ReverseConnFilterTest, GetRequestResponderRoleAggregatedStats) { + // Set up both extensions + setupExtensions(); + setupThreadLocalSlot(); + + // Create an accepted connection by sending a reverse connection request + auto filter1 = createFilter(); + std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); + auto headers1 = createHeaders("POST", "/reverse_connections/request"); + headers1.setContentLength(std::to_string(handshake_arg.length())); + + // Set up socket mock for the connection + setupSocketMock(true); + + // Process the reverse connection request to create an accepted connection + Http::FilterHeadersStatus header_status = filter1->decodeHeaders(headers1, false); + EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); + + Buffer::OwnedImpl data(handshake_arg); + Http::FilterDataStatus data_status = filter1->decodeData(data, true); + EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); + + // Now test the GET request + auto filter2 = createFilter(); + + // Create GET request with responder role but no node_id or cluster_id + auto headers2 = createHeaders("GET", "/reverse_connections?role=responder"); + + // Expect sendLocalReply to be called with OK status and aggregated stats + EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) + .WillOnce(Invoke([](Http::Code code, absl::string_view body, + std::function, + const absl::optional&, + absl::string_view) { + EXPECT_EQ(code, Http::Code::OK); + // Should return JSON with aggregated stats (accepted and connected arrays) + EXPECT_TRUE(body.find("accepted") != absl::string_view::npos); + EXPECT_TRUE(body.find("connected") != absl::string_view::npos); + // Should show cluster-456 in the accepted array since we created an actual connection + EXPECT_TRUE(body.find("cluster-456") != absl::string_view::npos); + // Should show node-789 in the connected array since we created an actual connection + EXPECT_TRUE(body.find("node-789") != absl::string_view::npos); + })); + + Http::FilterHeadersStatus status = filter2->decodeHeaders(headers2, true); + EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); +} + } // namespace ReverseConn } // namespace HttpFilters } // namespace Extensions From e3e3c185785e467929a8fdddbdf56f1e588eab17 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Thu, 31 Jul 2025 09:38:25 -0400 Subject: [PATCH 125/505] xds: refactor the pause() invocation mechansim and support it for xDS-TP based config sources (#40271) The xDS `pause()` mechanism allows pausing sending the subscriptions of some dependent resource types, until all the returned object from the `pause()` method is out-of-scope (cleaned up). This, for example, allows processing multiple EDS clusters and sending a single EDS subscription message that includes a list of all the required resources. This PR includes the following modifications: 1) Refactor the invocation of the `pause()` method that was directly invoked on the `ads_mux` object to be invoked via the `xds_manager` object. 2) Introduce the `pause()` method to the `xds_manager` where it will invoke both the `ads_mux` object's pause and xDS-TP based config-sources objects pause. Risk Level: low-medium - should not have any impact on Envoy users, but changes the typical flow. Testing: Added unit tests. Integration tests are covered by the original `pause()` tests for ADS. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Adi Suissa-Peleg --- envoy/config/xds_manager.h | 26 ++++ envoy/upstream/cluster_manager.h | 13 +- source/common/config/xds_manager_impl.cc | 21 +++ source/common/config/xds_manager_impl.h | 4 + source/common/listener_manager/lds_api.cc | 21 ++- source/common/listener_manager/lds_api.h | 7 +- .../listener_manager/listener_manager_impl.h | 4 +- source/common/router/scoped_rds.cc | 4 +- source/common/upstream/BUILD | 1 + source/common/upstream/cds_api_helper.cc | 15 +-- source/common/upstream/cds_api_helper.h | 5 +- source/common/upstream/cds_api_impl.cc | 4 +- .../common/upstream/cluster_manager_impl.cc | 21 ++- source/common/upstream/cluster_manager_impl.h | 6 +- source/common/upstream/od_cds_api_impl.cc | 16 ++- source/common/upstream/od_cds_api_impl.h | 10 +- source/extensions/clusters/eds/eds.cc | 9 +- .../validation_listener_manager.h | 4 +- source/server/server.cc | 18 ++- source/server/server.h | 7 +- test/common/config/xds_manager_impl_test.cc | 122 ++++++++++++++++++ test/common/listener_manager/BUILD | 1 + test/common/listener_manager/lds_api_test.cc | 8 +- test/common/upstream/BUILD | 1 + .../upstream/cluster_manager_impl_test.cc | 4 +- test/common/upstream/od_cds_api_impl_test.cc | 6 +- .../xdstp_config_sources_integration_test.cc | 85 +++++++++++- test/mocks/config/xds_manager.h | 2 + test/server/BUILD | 1 + test/server/server_test.cc | 8 +- 30 files changed, 359 insertions(+), 95 deletions(-) diff --git a/envoy/config/xds_manager.h b/envoy/config/xds_manager.h index 0207341f036f4..d1457e974cb62 100644 --- a/envoy/config/xds_manager.h +++ b/envoy/config/xds_manager.h @@ -77,6 +77,32 @@ class XdsManager { absl::string_view type_url, Stats::Scope& scope, SubscriptionCallbacks& callbacks, OpaqueResourceDecoderSharedPtr resource_decoder, const SubscriptionOptions& options) PURE; + /** + * Pause discovery requests for a given API type on all ADS types (both xdstp-based and "old" + * ADS). This is useful, for example, when we're processing an update for LDS or CDS and don't + * want a flood of updates for RDS or EDS respectively. Discovery requests may later be resumed + * with after the returned ScopedResume object is destroyed. + * @param type_url type URL corresponding to xDS API, e.g. + * type.googleapis.com/envoy.config.cluster.v3.Cluster. + * + * @return a ScopedResume object, which when destructed, resumes the paused discovery requests. + * A discovery request will be sent if one would have been sent during the pause. + */ + ABSL_MUST_USE_RESULT virtual ScopedResume pause(const std::string& type_url) PURE; + + /** + * Pause discovery requests for given API types on all ADS types (both xdstp-based and "old" ADS). + * This is useful, for example, when we're processing an update for LDS or CDS and don't want a + * flood of updates for RDS or EDS respectively. Discovery requests may later be resumed with + * after the returned ScopedResume object is destroyed. + * @param type_urls type URLs corresponding to xDS API, e.g. + * type.googleapis.com/envoy.config.cluster.v3.Cluster. + * + * @return a ScopedResume object, which when destructed, resumes the paused discovery requests. + * A discovery request will be sent if one would have been sent during the pause. + */ + ABSL_MUST_USE_RESULT virtual ScopedResume pause(const std::vector& type_urls) PURE; + /** * Shuts down the xDS-Manager and all the configured connections to the config * servers. diff --git a/envoy/upstream/cluster_manager.h b/envoy/upstream/cluster_manager.h index 09e373ef555c8..8253cfcf81ced 100644 --- a/envoy/upstream/cluster_manager.h +++ b/envoy/upstream/cluster_manager.h @@ -46,6 +46,13 @@ class EnvoyQuicNetworkObserverRegistry; } // namespace Quic +namespace Config { +// TODO(adisuissa): This forward declaration is needed because OD-CDS code is +// part of the Envoy::Upstream namespace but should be eventually moved to the +// Envoy::Config namespace (next to the XdsManager). +class XdsManager; +} // namespace Config + namespace Upstream { /** @@ -515,9 +522,9 @@ class ClusterManager { using OdCdsCreationFunction = std::function>( const envoy::config::core::v3::ConfigSource& odcds_config, - OptRef odcds_resources_locator, ClusterManager& cm, - MissingClusterNotifier& notifier, Stats::Scope& scope, - ProtobufMessage::ValidationVisitor& validation_visitor)>; + OptRef odcds_resources_locator, + Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, + Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor)>; virtual absl::StatusOr allocateOdCdsApi(OdCdsCreationFunction creation_function, diff --git a/source/common/config/xds_manager_impl.cc b/source/common/config/xds_manager_impl.cc index a1eda653d1ad1..699aec512dcd7 100644 --- a/source/common/config/xds_manager_impl.cc +++ b/source/common/config/xds_manager_impl.cc @@ -266,6 +266,27 @@ absl::StatusOr XdsManagerImpl::subscribeToSingletonResource( fmt::format("No valid authority was found for the given xDS-TP resource {}.", resource_name)); } +ScopedResume XdsManagerImpl::pause(const std::vector& type_urls) { + // Apply the pause on all "ADS" based sources (old-ADS-mux, and + // xdstp-config-based sources) by collecting the per-xDS-mux scopes under a + // single scope. Using a shared_ptr here so we can pass it to the Cleanup + // object that is created at the return statement. + auto scoped_resume_collection = std::make_shared>(); + if (ads_mux_ != nullptr) { + scoped_resume_collection->emplace_back(ads_mux_->pause(type_urls)); + } + for (auto& authority : authorities_) { + scoped_resume_collection->emplace_back(authority.grpc_mux_->pause(type_urls)); + } + if (default_authority_ != nullptr) { + scoped_resume_collection->emplace_back(default_authority_->grpc_mux_->pause(type_urls)); + } + return std::make_unique([scoped_resume_collection]() { + // Do nothing. After this function is called the scoped_resume_collection + // will be destroyed, and all the internal cleanups will be invoked. + }); +} + absl::Status XdsManagerImpl::setAdsConfigSource(const envoy::config::core::v3::ApiConfigSource& config_source) { ASSERT_IS_MAIN_OR_TEST_THREAD(); diff --git a/source/common/config/xds_manager_impl.h b/source/common/config/xds_manager_impl.h index 8400a25385b22..ecb35e6f8187c 100644 --- a/source/common/config/xds_manager_impl.h +++ b/source/common/config/xds_manager_impl.h @@ -28,6 +28,10 @@ class XdsManagerImpl : public XdsManager { absl::string_view resource_name, OptRef config, absl::string_view type_url, Stats::Scope& scope, SubscriptionCallbacks& callbacks, OpaqueResourceDecoderSharedPtr resource_decoder, const SubscriptionOptions& options) override; + ScopedResume pause(const std::string& type_url) override { + return pause(std::vector{type_url}); + } + ScopedResume pause(const std::vector& type_urls) override; void shutdown() override { ads_mux_.reset(); } absl::Status setAdsConfigSource(const envoy::config::core::v3::ApiConfigSource& config_source) override; diff --git a/source/common/listener_manager/lds_api.cc b/source/common/listener_manager/lds_api.cc index 39fecc0de0930..b5059231e8d21 100644 --- a/source/common/listener_manager/lds_api.cc +++ b/source/common/listener_manager/lds_api.cc @@ -23,13 +23,13 @@ namespace Server { LdsApiImpl::LdsApiImpl(const envoy::config::core::v3::ConfigSource& lds_config, const xds::core::v3::ResourceLocator* lds_resources_locator, - Upstream::ClusterManager& cm, Init::Manager& init_manager, - Stats::Scope& scope, ListenerManager& lm, + Config::XdsManager& xds_manager, Upstream::ClusterManager& cm, + Init::Manager& init_manager, Stats::Scope& scope, ListenerManager& lm, ProtobufMessage::ValidationVisitor& validation_visitor) : Envoy::Config::SubscriptionBase(validation_visitor, "name"), - listener_manager_(lm), scope_(scope.createScope("listener_manager.lds.")), cm_(cm), - init_target_("LDS", [this]() { subscription_->start({}); }) { + listener_manager_(lm), scope_(scope.createScope("listener_manager.lds.")), + xds_manager_(xds_manager), init_target_("LDS", [this]() { subscription_->start({}); }) { const auto resource_name = getResourceName(); if (lds_resources_locator == nullptr) { subscription_ = THROW_OR_RETURN_VALUE(cm.subscriptionFactory().subscriptionFromConfigSource( @@ -49,14 +49,11 @@ absl::Status LdsApiImpl::onConfigUpdate(const std::vector& added_resources, const Protobuf::RepeatedPtrField& removed_resources, const std::string& system_version_info) { - Config::ScopedResume maybe_resume_rds_sds; - if (cm_.adsMux()) { - const std::vector paused_xds_types{ - Config::getTypeUrl(), - Config::getTypeUrl(), - Config::getTypeUrl()}; - maybe_resume_rds_sds = cm_.adsMux()->pause(paused_xds_types); - } + const std::vector paused_xds_types{ + Config::getTypeUrl(), + Config::getTypeUrl(), + Config::getTypeUrl()}; + Config::ScopedResume resume_rds_sds = xds_manager_.pause(paused_xds_types); bool any_applied = false; listener_manager_.beginListenerUpdate(); diff --git a/source/common/listener_manager/lds_api.h b/source/common/listener_manager/lds_api.h index 473fd8c85345d..1500441182c80 100644 --- a/source/common/listener_manager/lds_api.h +++ b/source/common/listener_manager/lds_api.h @@ -28,8 +28,9 @@ class LdsApiImpl : public LdsApi, public: LdsApiImpl(const envoy::config::core::v3::ConfigSource& lds_config, const xds::core::v3::ResourceLocator* lds_resources_locator, - Upstream::ClusterManager& cm, Init::Manager& init_manager, Stats::Scope& scope, - ListenerManager& lm, ProtobufMessage::ValidationVisitor& validation_visitor); + Config::XdsManager& xds_manager, Upstream::ClusterManager& cm, + Init::Manager& init_manager, Stats::Scope& scope, ListenerManager& lm, + ProtobufMessage::ValidationVisitor& validation_visitor); // Server::LdsApi std::string versionInfo() const override { return system_version_info_; } @@ -48,7 +49,7 @@ class LdsApiImpl : public LdsApi, std::string system_version_info_; ListenerManager& listener_manager_; Stats::ScopeSharedPtr scope_; - Upstream::ClusterManager& cm_; + Config::XdsManager& xds_manager_; Init::TargetImpl init_target_; }; diff --git a/source/common/listener_manager/listener_manager_impl.h b/source/common/listener_manager/listener_manager_impl.h index 2754b98b766b2..f590cada7574e 100644 --- a/source/common/listener_manager/listener_manager_impl.h +++ b/source/common/listener_manager/listener_manager_impl.h @@ -86,8 +86,8 @@ class ProdListenerComponentFactory : public ListenerComponentFactory, LdsApiPtr createLdsApi(const envoy::config::core::v3::ConfigSource& lds_config, const xds::core::v3::ResourceLocator* lds_resources_locator) override { return std::make_unique( - lds_config, lds_resources_locator, server_.clusterManager(), server_.initManager(), - *server_.stats().rootScope(), server_.listenerManager(), + lds_config, lds_resources_locator, server_.xdsManager(), server_.clusterManager(), + server_.initManager(), *server_.stats().rootScope(), server_.listenerManager(), server_.messageValidationContext().dynamicValidationVisitor()); } absl::StatusOr createNetworkFilterFactoryList( diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc index 079b5a06c5f19..1061fbc4f9191 100644 --- a/source/common/router/scoped_rds.cc +++ b/source/common/router/scoped_rds.cc @@ -411,9 +411,7 @@ absl::Status ScopedRdsConfigSubscription::onConfigUpdate( // Pause RDS to not send a burst of RDS requests until we start all the new subscriptions. // In the case that localInitManager is uninitialized, RDS is already paused // either by Server init or LDS init. - if (factory_context_.clusterManager().adsMux()) { - resume_rds = factory_context_.clusterManager().adsMux()->pause(type_url); - } + resume_rds = factory_context_.xdsManager().pause(type_url); // if local init manager is initialized, the parent init manager may have gone away. if (localInitManager().state() == Init::Manager::State::Initialized) { srds_init_mgr = diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD index a4066b6d89f23..f23a843982340 100644 --- a/source/common/upstream/BUILD +++ b/source/common/upstream/BUILD @@ -16,6 +16,7 @@ envoy_cc_library( deps = [ "//envoy/config:grpc_mux_interface", "//envoy/config:subscription_interface", + "//envoy/config:xds_manager_interface", "//envoy/upstream:cluster_manager_interface", "//source/common/common:minimal_logger_lib", "//source/common/config:resource_name_lib", diff --git a/source/common/upstream/cds_api_helper.cc b/source/common/upstream/cds_api_helper.cc index 591e71b643a7d..f3aece06267a9 100644 --- a/source/common/upstream/cds_api_helper.cc +++ b/source/common/upstream/cds_api_helper.cc @@ -18,15 +18,12 @@ std::pair> CdsApiHelper::onConfigUpdate(const std::vector& added_resources, const Protobuf::RepeatedPtrField& removed_resources, const std::string& system_version_info) { - Config::ScopedResume maybe_resume_eds_leds_sds; - if (cm_.adsMux()) { - // A cluster update pauses sending EDS and LEDS requests. - const std::vector paused_xds_types{ - Config::getTypeUrl(), - Config::getTypeUrl(), - Config::getTypeUrl()}; - maybe_resume_eds_leds_sds = cm_.adsMux()->pause(paused_xds_types); - } + // A cluster update pauses sending EDS and LEDS requests. + const std::vector paused_xds_types{ + Config::getTypeUrl(), + Config::getTypeUrl(), + Config::getTypeUrl()}; + Config::ScopedResume resume_eds_leds_sds = xds_manager_.pause(paused_xds_types); ENVOY_LOG( info, diff --git a/source/common/upstream/cds_api_helper.h b/source/common/upstream/cds_api_helper.h index 5fc45186320e3..0c0a14f513282 100644 --- a/source/common/upstream/cds_api_helper.h +++ b/source/common/upstream/cds_api_helper.h @@ -4,6 +4,7 @@ #include #include "envoy/config/subscription.h" +#include "envoy/config/xds_manager.h" #include "envoy/upstream/cluster_manager.h" #include "source/common/common/logger.h" @@ -18,7 +19,8 @@ namespace Upstream { */ class CdsApiHelper : Logger::Loggable { public: - CdsApiHelper(ClusterManager& cm, std::string name) : cm_(cm), name_(std::move(name)) {} + CdsApiHelper(ClusterManager& cm, Config::XdsManager& xds_manager, std::string name) + : cm_(cm), xds_manager_(xds_manager), name_(std::move(name)) {} /** * onConfigUpdate handles the addition and removal of clusters by notifying the ClusterManager * about the cluster changes. It closely follows the onConfigUpdate API from @@ -38,6 +40,7 @@ class CdsApiHelper : Logger::Loggable { private: ClusterManager& cm_; + Config::XdsManager& xds_manager_; const std::string name_; std::string system_version_info_; }; diff --git a/source/common/upstream/cds_api_impl.cc b/source/common/upstream/cds_api_impl.cc index 1161437fbf857..8882618e487ba 100644 --- a/source/common/upstream/cds_api_impl.cc +++ b/source/common/upstream/cds_api_impl.cc @@ -28,8 +28,8 @@ CdsApiImpl::CdsApiImpl(const envoy::config::core::v3::ConfigSource& cds_config, absl::Status& creation_status) : Envoy::Config::SubscriptionBase(validation_visitor, "name"), - helper_(cm, "cds"), cm_(cm), scope_(scope.createScope("cluster_manager.cds.")), - factory_context_(factory_context), + helper_(cm, factory_context.xdsManager(), "cds"), cm_(cm), + scope_(scope.createScope("cluster_manager.cds.")), factory_context_(factory_context), stats_({ALL_CDS_STATS(POOL_COUNTER(*scope_), POOL_GAUGE(*scope_))}) { const auto resource_name = getResourceName(); absl::StatusOr subscription_or_error; diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 1b82dfd04c74e..6f3658c83a900 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -223,14 +223,11 @@ void ClusterManagerInitHelper::maybeFinishInitialize() { // If the first CDS response doesn't have any primary cluster, ClusterLoadAssignment // should be already paused by CdsApiImpl::onConfigUpdate(). Need to check that to // avoid double pause ClusterLoadAssignment. - Config::ScopedResume maybe_resume_eds_leds_sds; - if (cm_.adsMux()) { - const std::vector paused_xds_types{ - Config::getTypeUrl(), - Config::getTypeUrl(), - Config::getTypeUrl()}; - maybe_resume_eds_leds_sds = cm_.adsMux()->pause(paused_xds_types); - } + const std::vector paused_xds_types{ + Config::getTypeUrl(), + Config::getTypeUrl(), + Config::getTypeUrl()}; + Config::ScopedResume resume_eds_leds_sds = xds_manager_.pause(paused_xds_types); initializeSecondaryClusters(); } return; @@ -313,7 +310,7 @@ ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v3::Boots ? absl::make_optional(bootstrap.cluster_manager().upstream_bind_config()) : absl::nullopt), local_info_(context.localInfo()), cm_stats_(generateStats(*stats_.rootScope())), - init_helper_(*this, + init_helper_(xds_manager_, [this](ClusterManagerCluster& cluster) { return onClusterInit(cluster); }), time_source_(context.timeSource()), dispatcher_(context.mainThreadDispatcher()), http_context_(context.httpContext()), router_context_(context.routerContext()), @@ -952,7 +949,7 @@ void ClusterManagerImpl::updateClusterCounts() { if (all_clusters_initialized && xds_manager_.adsMux()) { const auto type_url = Config::getTypeUrl(); if (resume_cds_ == nullptr && !warming_clusters_.empty()) { - resume_cds_ = xds_manager_.adsMux()->pause(type_url); + resume_cds_ = xds_manager_.pause(type_url); } else if (warming_clusters_.empty()) { resume_cds_.reset(); } @@ -1535,8 +1532,8 @@ ClusterManagerImpl::allocateOdCdsApi(OdCdsCreationFunction creation_function, // TODO(krnowak): Instead of creating a new handle every time, store the handles internally and // return an already existing one if the config or locator matches. Note that this may need a // way to clean up the unused handles, so we can close the unnecessary connections. - auto odcds_or_error = creation_function(odcds_config, odcds_resources_locator, *this, *this, - *stats_.rootScope(), validation_visitor); + auto odcds_or_error = creation_function(odcds_config, odcds_resources_locator, xds_manager_, + *this, *this, *stats_.rootScope(), validation_visitor); RETURN_IF_NOT_OK_REF(odcds_or_error.status()); return OdCdsApiHandleImpl::create(*this, std::move(*odcds_or_error)); } diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index b90dd96a4654a..3ef053a5da275 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h @@ -133,9 +133,9 @@ class ClusterManagerInitHelper : Logger::Loggable { * initialized. The cluster manager can use this for post-init processing. */ ClusterManagerInitHelper( - ClusterManager& cm, + Config::XdsManager& xds_manager, const std::function& per_cluster_init_callback) - : cm_(cm), per_cluster_init_callback_(per_cluster_init_callback) {} + : xds_manager_(xds_manager), per_cluster_init_callback_(per_cluster_init_callback) {} enum class State { // Initial state. During this state all static clusters are loaded. Any primary clusters @@ -179,7 +179,7 @@ class ClusterManagerInitHelper : Logger::Loggable { void maybeFinishInitialize(); absl::Status onClusterInit(ClusterManagerCluster& cluster); - ClusterManager& cm_; + Config::XdsManager& xds_manager_; std::function per_cluster_init_callback_; CdsApi* cds_{}; ClusterManager::PrimaryClustersReadyCallback primary_clusters_initialized_callback_; diff --git a/source/common/upstream/od_cds_api_impl.cc b/source/common/upstream/od_cds_api_impl.cc index da4f452f924eb..59129f99212a7 100644 --- a/source/common/upstream/od_cds_api_impl.cc +++ b/source/common/upstream/od_cds_api_impl.cc @@ -11,31 +11,33 @@ namespace Upstream { absl::StatusOr OdCdsApiImpl::create(const envoy::config::core::v3::ConfigSource& odcds_config, OptRef odcds_resources_locator, - ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, + Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor) { absl::Status creation_status = absl::OkStatus(); - auto ret = OdCdsApiSharedPtr(new OdCdsApiImpl(odcds_config, odcds_resources_locator, cm, notifier, - scope, validation_visitor, creation_status)); + auto ret = + OdCdsApiSharedPtr(new OdCdsApiImpl(odcds_config, odcds_resources_locator, xds_manager, cm, + notifier, scope, validation_visitor, creation_status)); RETURN_IF_NOT_OK(creation_status); return ret; } OdCdsApiImpl::OdCdsApiImpl(const envoy::config::core::v3::ConfigSource& odcds_config, OptRef odcds_resources_locator, - ClusterManager& cm, MissingClusterNotifier& notifier, - Stats::Scope& scope, + Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, absl::Status& creation_status) : Envoy::Config::SubscriptionBase(validation_visitor, "name"), - helper_(cm, "odcds"), cm_(cm), notifier_(notifier), + helper_(cm, xds_manager, "odcds"), notifier_(notifier), scope_(scope.createScope("cluster_manager.odcds.")) { // TODO(krnowak): Move the subscription setup to CdsApiHelper. Maybe make CdsApiHelper a base // class for CDS and ODCDS. const auto resource_name = getResourceName(); absl::StatusOr subscription_or_error; if (!odcds_resources_locator.has_value()) { - subscription_or_error = cm_.subscriptionFactory().subscriptionFromConfigSource( + subscription_or_error = cm.subscriptionFactory().subscriptionFromConfigSource( odcds_config, Grpc::Common::typeUrl(resource_name), *scope_, *this, resource_decoder_, {}); } else { subscription_or_error = cm.subscriptionFactory().collectionSubscriptionFromUrl( diff --git a/source/common/upstream/od_cds_api_impl.h b/source/common/upstream/od_cds_api_impl.h index 4bb7082f81391..239e58b674a61 100644 --- a/source/common/upstream/od_cds_api_impl.h +++ b/source/common/upstream/od_cds_api_impl.h @@ -36,9 +36,9 @@ class OdCdsApiImpl : public OdCdsApi, public: static absl::StatusOr create(const envoy::config::core::v3::ConfigSource& odcds_config, - OptRef odcds_resources_locator, ClusterManager& cm, - MissingClusterNotifier& notifier, Stats::Scope& scope, - ProtobufMessage::ValidationVisitor& validation_visitor); + OptRef odcds_resources_locator, + Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, + Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor); // Upstream::OdCdsApi void updateOnDemand(std::string cluster_name) override; @@ -54,14 +54,14 @@ class OdCdsApiImpl : public OdCdsApi, const EnvoyException* e) override; OdCdsApiImpl(const envoy::config::core::v3::ConfigSource& odcds_config, - OptRef odcds_resources_locator, ClusterManager& cm, + OptRef odcds_resources_locator, + Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, absl::Status& creation_status); void sendAwaiting(); CdsApiHelper helper_; - ClusterManager& cm_; MissingClusterNotifier& notifier_; Stats::ScopeSharedPtr scope_; StartStatus status_{StartStatus::NotStarted}; diff --git a/source/extensions/clusters/eds/eds.cc b/source/extensions/clusters/eds/eds.cc index 6baaf98c07cde..2384ef494a809 100644 --- a/source/extensions/clusters/eds/eds.cc +++ b/source/extensions/clusters/eds/eds.cc @@ -257,12 +257,9 @@ EdsClusterImpl::onConfigUpdate(const std::vector& re // Pause LEDS messages until the EDS config is finished processing. Config::ScopedResume maybe_resume_leds; - if (transport_factory_context_->serverFactoryContext().clusterManager().adsMux()) { - const auto type_url = Config::getTypeUrl(); - maybe_resume_leds = - transport_factory_context_->serverFactoryContext().clusterManager().adsMux()->pause( - type_url); - } + const auto type_url = Config::getTypeUrl(); + Config::ScopedResume resume_leds = + transport_factory_context_->serverFactoryContext().xdsManager().pause(type_url); update(cluster_load_assignment); // If previously used a cached version, remove the subscription from the cache's diff --git a/source/extensions/listener_managers/validation_listener_manager/validation_listener_manager.h b/source/extensions/listener_managers/validation_listener_manager/validation_listener_manager.h index c6d1961598547..cae99807e919f 100644 --- a/source/extensions/listener_managers/validation_listener_manager/validation_listener_manager.h +++ b/source/extensions/listener_managers/validation_listener_manager/validation_listener_manager.h @@ -14,8 +14,8 @@ class ValidationListenerComponentFactory : public ListenerComponentFactory { LdsApiPtr createLdsApi(const envoy::config::core::v3::ConfigSource& lds_config, const xds::core::v3::ResourceLocator* lds_resources_locator) override { return std::make_unique( - lds_config, lds_resources_locator, parent_.clusterManager(), parent_.initManager(), - *parent_.stats().rootScope(), parent_.listenerManager(), + lds_config, lds_resources_locator, parent_.xdsManager(), parent_.clusterManager(), + parent_.initManager(), *parent_.stats().rootScope(), parent_.listenerManager(), parent_.messageValidationContext().dynamicValidationVisitor()); } absl::StatusOr createNetworkFilterFactoryList( diff --git a/source/server/server.cc b/source/server/server.cc index bd0d57c06461b..24e233bf35da3 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -955,9 +955,10 @@ void InstanceBase::loadServerFlags(const absl::optional& flags_path } RunHelper::RunHelper(Instance& instance, const Options& options, Event::Dispatcher& dispatcher, - Upstream::ClusterManager& cm, AccessLog::AccessLogManager& access_log_manager, - Init::Manager& init_manager, OverloadManager& overload_manager, - OverloadManager& null_overload_manager, std::function post_init_cb) + Config::XdsManager& xds_manager, Upstream::ClusterManager& cm, + AccessLog::AccessLogManager& access_log_manager, Init::Manager& init_manager, + OverloadManager& overload_manager, OverloadManager& null_overload_manager, + std::function post_init_cb) : init_watcher_("RunHelper", [&instance, post_init_cb]() { if (!instance.isShutdown()) { post_init_cb(); @@ -1009,7 +1010,7 @@ RunHelper::RunHelper(Instance& instance, const Options& options, Event::Dispatch // this can fire immediately if all clusters have already initialized. Also note that we need // to guard against shutdown at two different levels since SIGTERM can come in once the run loop // starts. - cm.setInitializedCb([&instance, &init_manager, &cm, this]() { + cm.setInitializedCb([&instance, &init_manager, &xds_manager, this]() { if (instance.isShutdown()) { return; } @@ -1018,10 +1019,7 @@ RunHelper::RunHelper(Instance& instance, const Options& options, Event::Dispatch // Pause RDS to ensure that we don't send any requests until we've // subscribed to all the RDS resources. The subscriptions happen in the init callbacks, // so we pause RDS until we've completed all the callbacks. - Config::ScopedResume maybe_resume_rds; - if (cm.adsMux()) { - maybe_resume_rds = cm.adsMux()->pause(type_url); - } + Config::ScopedResume resume_rds = xds_manager.pause(type_url); ENVOY_LOG(info, "all clusters initialized. initializing init manager"); init_manager.initialize(init_watcher_); @@ -1036,8 +1034,8 @@ void InstanceBase::run() { // RunHelper exists primarily to facilitate testing of how we respond to early shutdown during // startup (see RunHelperTest in server_test.cc). const auto run_helper = - RunHelper(*this, options_, *dispatcher_, clusterManager(), access_log_manager_, init_manager_, - overloadManager(), nullOverloadManager(), [this] { + RunHelper(*this, options_, *dispatcher_, xdsManager(), clusterManager(), access_log_manager_, + init_manager_, overloadManager(), nullOverloadManager(), [this] { notifyCallbacksForStage(Stage::PostInit); startWorkers(); }); diff --git a/source/server/server.h b/source/server/server.h index 7a2ff1e91236a..88ffac5cdd404 100644 --- a/source/server/server.h +++ b/source/server/server.h @@ -161,9 +161,10 @@ class InstanceUtil : Logger::Loggable { class RunHelper : Logger::Loggable { public: RunHelper(Instance& instance, const Options& options, Event::Dispatcher& dispatcher, - Upstream::ClusterManager& cm, AccessLog::AccessLogManager& access_log_manager, - Init::Manager& init_manager, OverloadManager& overload_manager, - OverloadManager& null_overload_manager, std::function workers_start_cb); + Config::XdsManager& xds_manager, Upstream::ClusterManager& cm, + AccessLog::AccessLogManager& access_log_manager, Init::Manager& init_manager, + OverloadManager& overload_manager, OverloadManager& null_overload_manager, + std::function workers_start_cb); private: Init::WatcherImpl init_watcher_; diff --git a/test/common/config/xds_manager_impl_test.cc b/test/common/config/xds_manager_impl_test.cc index 2df95a37e7885..a8e2f25c45a6a 100644 --- a/test/common/config/xds_manager_impl_test.cc +++ b/test/common/config/xds_manager_impl_test.cc @@ -2310,6 +2310,128 @@ TEST_F(XdsManagerImplXdstpConfigSourcesTest, NonXdstpResourceRequiresConfigSourc resource_name))); } +// Validate that the pause-resume works on all gRPC-based ADS mux objects. +TEST_F(XdsManagerImplXdstpConfigSourcesTest, PauseResume) { + testing::InSequence s; + // Have a config-source and default_config_source with authority_2.com in each of them. + initialize(R"EOF( + config_sources: + - authorities: + - name: authority_1.com + api_config_source: + api_type: AGGREGATED_GRPC + set_node_on_first_message_only: true + grpc_services: + envoy_grpc: + cluster_name: config_source1_cluster + default_config_source: + authorities: + - name: authority_2.com + api_config_source: + api_type: AGGREGATED_GRPC + set_node_on_first_message_only: true + grpc_services: + envoy_grpc: + cluster_name: default_config_source_cluster + static_resources: + clusters: + - name: config_source1_cluster + connect_timeout: 0.250s + type: static + lb_policy: round_robin + load_assignment: + cluster_name: config_source1_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 11001 + - name: default_config_source_cluster + connect_timeout: 0.250s + type: static + lb_policy: round_robin + load_assignment: + cluster_name: default_config_source_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 11002 + )EOF", + true, false, true); + + // Validate pause() on a single type. + { + const std::string type_url = "type.googleapis.com/some.Type"; + const std::vector types{type_url}; + bool authority_a_resumed = false; + bool default_authority_resumed = false; + + // Validate that pause() on a single type is invoked on the underlying authorities mux objects, + // and that resume() is invoked when the cleanup object goes out of scope. + { + EXPECT_CALL(*authority_A_mux_, pause(types)) + .WillOnce(testing::Invoke( + [&authority_a_resumed](const std::vector) -> ScopedResume { + return std::make_unique( + [&authority_a_resumed]() { authority_a_resumed = true; }); + })); + EXPECT_CALL(*default_mux_, pause(types)) + .WillOnce(testing::Invoke( + [&default_authority_resumed](const std::vector) -> ScopedResume { + return std::make_unique( + [&default_authority_resumed]() { default_authority_resumed = true; }); + })); + ScopedResume pause_object = xds_manager_impl_.pause(type_url); + + // When the pause object gets out of scope, the resume should be invoked. + EXPECT_FALSE(authority_a_resumed); + EXPECT_FALSE(default_authority_resumed); + } + // The pause object is out of scope, the authorities should be resumed. + EXPECT_TRUE(authority_a_resumed); + EXPECT_TRUE(default_authority_resumed); + } + + // Validate pause() on multiple types. + { + const std::string type_url1 = "type.googleapis.com/some.Type1"; + const std::string type_url2 = "type.googleapis.com/some.Type2"; + const std::vector types{type_url1, type_url2}; + bool authority_a_resumed = false; + bool default_authority_resumed = false; + + // Validate that pause() on multiple types is invoked on the underlying authorities mux objects, + // and that resume() is invoked when the cleanup object goes out of scope. + { + EXPECT_CALL(*authority_A_mux_, pause(types)) + .WillOnce(testing::Invoke( + [&authority_a_resumed](const std::vector) -> ScopedResume { + return std::make_unique( + [&authority_a_resumed]() { authority_a_resumed = true; }); + })); + EXPECT_CALL(*default_mux_, pause(types)) + .WillOnce(testing::Invoke( + [&default_authority_resumed](const std::vector) -> ScopedResume { + return std::make_unique( + [&default_authority_resumed]() { default_authority_resumed = true; }); + })); + ScopedResume pause_object = xds_manager_impl_.pause(types); + + // When the pause object gets out of scope, the resume should be invoked. + EXPECT_FALSE(authority_a_resumed); + EXPECT_FALSE(default_authority_resumed); + } + // The pause object is out of scope, the authorities should be resumed. + EXPECT_TRUE(authority_a_resumed); + EXPECT_TRUE(default_authority_resumed); + } +} + } // namespace } // namespace Config } // namespace Envoy diff --git a/test/common/listener_manager/BUILD b/test/common/listener_manager/BUILD index 13d975af0228e..3c635e0f206c6 100644 --- a/test/common/listener_manager/BUILD +++ b/test/common/listener_manager/BUILD @@ -177,6 +177,7 @@ envoy_cc_test( "//source/common/listener_manager:lds_api_lib", "//source/common/protobuf:utility_lib", "//test/mocks/config:config_mocks", + "//test/mocks/config:xds_manager_mocks", "//test/mocks/init:init_mocks", "//test/mocks/protobuf:protobuf_mocks", "//test/mocks/server:listener_manager_mocks", diff --git a/test/common/listener_manager/lds_api_test.cc b/test/common/listener_manager/lds_api_test.cc index 1482978d31926..381ce80c8b37b 100644 --- a/test/common/listener_manager/lds_api_test.cc +++ b/test/common/listener_manager/lds_api_test.cc @@ -8,6 +8,7 @@ #include "source/common/protobuf/utility.h" #include "test/mocks/config/mocks.h" +#include "test/mocks/config/xds_manager.h" #include "test/mocks/init/mocks.h" #include "test/mocks/protobuf/mocks.h" #include "test/mocks/server/listener_manager.h" @@ -39,9 +40,9 @@ class LdsApiTest : public testing::Test { void setup() { envoy::config::core::v3::ConfigSource lds_config; EXPECT_CALL(init_manager_, add(_)); - lds_ = - std::make_unique(lds_config, nullptr, cluster_manager_, init_manager_, - *store_.rootScope(), listener_manager_, validation_visitor_); + lds_ = std::make_unique(lds_config, nullptr, xds_manager_, cluster_manager_, + init_manager_, *store_.rootScope(), listener_manager_, + validation_visitor_); EXPECT_CALL(*cluster_manager_.subscription_factory_.subscription_, start(_)); init_target_handle_->initialize(init_watcher_); lds_callbacks_ = cluster_manager_.subscription_factory_.callbacks_; @@ -91,6 +92,7 @@ class LdsApiTest : public testing::Test { return listener; } + NiceMock xds_manager_; std::shared_ptr> grpc_mux_; NiceMock cluster_manager_; Init::MockManager init_manager_; diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 80faff971f2e9..3817a4a71e36f 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -21,6 +21,7 @@ envoy_cc_test( "//envoy/config:subscription_interface", "//source/common/stats:isolated_store_lib", "//source/common/upstream:od_cds_api_lib", + "//test/mocks/config:xds_manager_mocks", "//test/mocks/protobuf:protobuf_mocks", "//test/mocks/upstream:cluster_manager_mocks", "//test/mocks/upstream:missing_cluster_notifier_mocks", diff --git a/test/common/upstream/cluster_manager_impl_test.cc b/test/common/upstream/cluster_manager_impl_test.cc index 3ff203f79519f..a17c7fd288266 100644 --- a/test/common/upstream/cluster_manager_impl_test.cc +++ b/test/common/upstream/cluster_manager_impl_test.cc @@ -1822,8 +1822,8 @@ class ClusterManagerInitHelperTest : public testing::Test { public: MOCK_METHOD(void, onClusterInit, (ClusterManagerCluster & cluster)); - NiceMock cm_; - ClusterManagerInitHelper init_helper_{cm_, [this](ClusterManagerCluster& cluster) { + NiceMock xds_manager_; + ClusterManagerInitHelper init_helper_{xds_manager_, [this](ClusterManagerCluster& cluster) { onClusterInit(cluster); return absl::OkStatus(); }}; diff --git a/test/common/upstream/od_cds_api_impl_test.cc b/test/common/upstream/od_cds_api_impl_test.cc index e2cc8a07d24a9..98a3bf534ab00 100644 --- a/test/common/upstream/od_cds_api_impl_test.cc +++ b/test/common/upstream/od_cds_api_impl_test.cc @@ -4,6 +4,7 @@ #include "source/common/stats/isolated_store_impl.h" #include "source/common/upstream/od_cds_api_impl.h" +#include "test/mocks/config/xds_manager.h" #include "test/mocks/protobuf/mocks.h" #include "test/mocks/upstream/cluster_manager.h" #include "test/mocks/upstream/missing_cluster_notifier.h" @@ -24,11 +25,12 @@ class OdCdsApiImplTest : public testing::Test { void SetUp() override { envoy::config::core::v3::ConfigSource odcds_config; OptRef null_locator; - odcds_ = *OdCdsApiImpl::create(odcds_config, null_locator, cm_, notifier_, *store_.rootScope(), - validation_visitor_); + odcds_ = *OdCdsApiImpl::create(odcds_config, null_locator, xds_manager_, cm_, notifier_, + *store_.rootScope(), validation_visitor_); odcds_callbacks_ = cm_.subscription_factory_.callbacks_; } + NiceMock xds_manager_; NiceMock cm_; Stats::IsolatedStoreImpl store_; MockMissingClusterNotifier notifier_; diff --git a/test/integration/xdstp_config_sources_integration_test.cc b/test/integration/xdstp_config_sources_integration_test.cc index f594fb5c99a6b..605ba1c12be41 100644 --- a/test/integration/xdstp_config_sources_integration_test.cc +++ b/test/integration/xdstp_config_sources_integration_test.cc @@ -401,8 +401,89 @@ TEST_P(XdsTpConfigsIntegrationTest, EdsOnlyConfigDefaultSource) { cleanupUpstreamAndDownstream(); } -// TODO(adisuissa): add a test that validates that two clusters with the same -// config source multiplex the request on the same stream. +// Validate that two clusters with the same source multiplex the request on the +// same stream. +TEST_P(XdsTpConfigsIntegrationTest, TwoClustersWithEdsOnlyConfigAuthority1) { + // Setup a static cluster that requires EDS from authority1. + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + auto* static_resources = bootstrap.mutable_static_resources(); + + // Add 2 EDS clusters that will fetch endpoints from authority1. + static_resources->mutable_clusters()->Add()->CopyFrom( + TestUtility::parseYaml( + R"EOF( + name: xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1 + type: EDS + eds_cluster_config: {} + )EOF")); + static_resources->mutable_clusters()->Add()->CopyFrom( + TestUtility::parseYaml( + R"EOF( + name: xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster2 + type: EDS + eds_cluster_config: {} + )EOF")); + }); + + // Update the route to the xdstp-based cluster. + config_helper_.addConfigModifier( + [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) { + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_route() + ->set_cluster("xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/" + "clusters/cluster1"); + }); + + // Envoy will request the endpoints of the cluster in the bootstrap during the + // initialization phase. This will make sure the xDS server answers with the + // correct assignment. + on_server_init_function_ = [this]() { + connectAuthority1(); + connectDefaultAuthority(); + + // Authority1 should receive the EDS request containing the 2 resources. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().ClusterLoadAssignment, "", + {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1", + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster2"}, + {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1", + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster2"}, + {}, true, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse( + Config::TestTypeUrl::get().ClusterLoadAssignment, + {buildClusterLoadAssignment( + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" + "cluster1"), + buildClusterLoadAssignment( + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" + "cluster2")}, + {buildClusterLoadAssignment( + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" + "cluster1"), + buildClusterLoadAssignment( + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/" + "cluster2")}, + {}, "1", {}, authority1_xds_stream_.get()); + + // Expect an EDS ACK. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().ClusterLoadAssignment, "1", + {"xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster1", + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/clusters/cluster2"}, + {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + }; + + initialize(); + + test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); + EXPECT_EQ(5, test_server_->gauge("cluster_manager.active_clusters")->value()); + // Try to send a request and see that it reaches the backend (backend 3). + testRouterHeaderOnlyRequestAndResponse(nullptr, 3); + cleanupUpstreamAndDownstream(); +} // Validate that a bootstrap cluster that has an xds-tp based config RDS source // works. diff --git a/test/mocks/config/xds_manager.h b/test/mocks/config/xds_manager.h index 11caa68147fd1..f38f96410f696 100644 --- a/test/mocks/config/xds_manager.h +++ b/test/mocks/config/xds_manager.h @@ -18,6 +18,8 @@ class MockXdsManager : public XdsManager { (const envoy::config::bootstrap::v3::Bootstrap& bootstrap, Upstream::ClusterManager* cm)); MOCK_METHOD(void, startXdstpAdsMuxes, ()); + MOCK_METHOD(ScopedResume, pause, (const std::string& type_url), (override)); + MOCK_METHOD(ScopedResume, pause, (const std::vector& type_urls), (override)); MOCK_METHOD(absl::StatusOr, subscribeToSingletonResource, (absl::string_view resource_name, OptRef config, diff --git a/test/server/BUILD b/test/server/BUILD index 62d92eed64f4e..c1175b3363133 100644 --- a/test/server/BUILD +++ b/test/server/BUILD @@ -379,6 +379,7 @@ envoy_cc_test( "//test/config:v2_link_hacks", "//test/integration:integration_lib", "//test/mocks/api:api_mocks", + "//test/mocks/config:xds_manager_mocks", "//test/mocks/server:bootstrap_extension_factory_mocks", "//test/mocks/server:fatal_action_factory_mocks", "//test/mocks/server:hot_restart_mocks", diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 775f05a7bf6cb..9b69532160bc4 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -25,6 +25,7 @@ #include "test/integration/server.h" #include "test/mocks/api/mocks.h" #include "test/mocks/common.h" +#include "test/mocks/config/xds_manager.h" #include "test/mocks/server/bootstrap_extension_factory.h" #include "test/mocks/server/fatal_action_factory.h" #include "test/mocks/server/hot_restart.h" @@ -231,14 +232,15 @@ class RunHelperTest : public testing::Test { EXPECT_CALL(cm_, setInitializedCb(_)).WillOnce(SaveArg<0>(&cm_init_callback_)); ON_CALL(server_, shutdown()).WillByDefault(Assign(&shutdown_, true)); - helper_ = std::make_unique(server_, options_, dispatcher_, cm_, access_log_manager_, - init_manager_, overload_manager_, null_overload_manager_, - [this] { start_workers_.ready(); }); + helper_ = std::make_unique( + server_, options_, dispatcher_, xds_manager_, cm_, access_log_manager_, init_manager_, + overload_manager_, null_overload_manager_, [this] { start_workers_.ready(); }); } NiceMock server_; testing::NiceMock options_; NiceMock dispatcher_; + NiceMock xds_manager_; NiceMock cm_; NiceMock access_log_manager_; NiceMock overload_manager_; From 4d7c4668b6fabe45780db912f5d9ebf691e36002 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 31 Jul 2025 09:38:52 -0400 Subject: [PATCH 126/505] Use fmtlib to format double on iOS (#40495) IOS requires simulator 16.5 or newer for the `std::to_chars`. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/buffer/buffer_util.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/buffer/buffer_util.h b/source/common/buffer/buffer_util.h index 7a8e3aef3c07e..2c8c0da05c0ce 100644 --- a/source/common/buffer/buffer_util.h +++ b/source/common/buffer/buffer_util.h @@ -39,7 +39,7 @@ class Util { // generate the string_view, and does not work on all platforms yet. // // The accuracy is checked in buffer_util_test. -#if defined(_LIBCPP_VERSION) && _LIBCPP_VERSION >= 14000 +#if defined(_LIBCPP_VERSION) && _LIBCPP_VERSION >= 14000 && !defined(__APPLE__) // This version is awkward, and doesn't work on all platforms used in Envoy CI // as of August 2023, but it is the fastest correct option on modern compilers. char buf[100]; From 1bd05d6749eecc9cb04d6636da6b458e32a744d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20R=2E=20Sede=C3=B1o?= Date: Thu, 31 Jul 2025 13:02:25 -0400 Subject: [PATCH 127/505] Update udp_tunneling_integration_test.cc's unknown capsule type (#40494) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When this test was written, capsule type 0x01 was unknown to Envoy and Google QUICHE, but it had already been assigned to the connect-ip draft, later RFC 9484. RFC 9297, which defines capsules in general, defines capsule types of the form 0x29 * N + 0x17, for integer values of N, as reserved for testing behavior with unknown capsule types. Setting N=0, we can just use 0x17 instead of 0x01 and per the RFC we should never collide with a real capsule assignment again. https://www.rfc-editor.org/rfc/rfc9484.html#section-12.4 https://www.rfc-editor.org/rfc/rfc9297.html#section-5.4-3 Risk Level: low Testing: test-only change Signed-off-by: Alejandro R. Sedeño --- test/integration/udp_tunneling_integration_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/udp_tunneling_integration_test.cc b/test/integration/udp_tunneling_integration_test.cc index 2223279b21751..fa49b4863ef40 100644 --- a/test/integration/udp_tunneling_integration_test.cc +++ b/test/integration/udp_tunneling_integration_test.cc @@ -225,7 +225,7 @@ TEST_P(ConnectUdpTerminationIntegrationTest, DropUnknownCapsules) { setUpConnection(); Network::UdpRecvData request_datagram; const std::string unknown_capsule_fragment = - absl::HexStringToBytes("01" // DATAGRAM Capsule Type + absl::HexStringToBytes("17" // Reserved UNKNOWN Capsule Type "08" // Capsule Length "00" // Context ID "a1a2a3a4a5a6a7" // UDP Proxying Payload From ac5db7af31d479acc36785b2ff3d245412324d5b Mon Sep 17 00:00:00 2001 From: code Date: Fri, 1 Aug 2025 02:20:02 +0800 Subject: [PATCH 128/505] tracing: clean up code of zipkin to eliminate unnecessry copy/construction (#40436) Signed-off-by: wangbaiping(wbpcode) Signed-off-by: WangBaiping --- source/extensions/tracers/zipkin/BUILD | 1 - .../extensions/tracers/zipkin/span_buffer.h | 1 - .../extensions/tracers/zipkin/span_context.cc | 20 ---- .../extensions/tracers/zipkin/span_context.h | 20 +--- source/extensions/tracers/zipkin/tracer.cc | 9 +- source/extensions/tracers/zipkin/tracer.h | 54 +---------- .../tracers/zipkin/tracer_interface.h | 48 ++++++++-- .../tracers/zipkin/zipkin_core_types.cc | 58 ++++++------ .../tracers/zipkin/zipkin_core_types.h | 68 +++++--------- .../tracers/zipkin/zipkin_tracer_impl.cc | 48 +--------- .../tracers/zipkin/zipkin_tracer_impl.h | 64 ------------- .../tracers/zipkin/span_buffer_test.cc | 19 +++- test/extensions/tracers/zipkin/tracer_test.cc | 70 +++++--------- .../tracers/zipkin/zipkin_core_types_test.cc | 94 ++++--------------- .../tracers/zipkin/zipkin_tracer_impl_test.cc | 86 ++++++++--------- 15 files changed, 210 insertions(+), 450 deletions(-) delete mode 100644 source/extensions/tracers/zipkin/span_context.cc diff --git a/source/extensions/tracers/zipkin/BUILD b/source/extensions/tracers/zipkin/BUILD index 171080ecb766c..953e0cc72c2b6 100644 --- a/source/extensions/tracers/zipkin/BUILD +++ b/source/extensions/tracers/zipkin/BUILD @@ -15,7 +15,6 @@ envoy_cc_library( name = "zipkin_lib", srcs = [ "span_buffer.cc", - "span_context.cc", "span_context_extractor.cc", "tracer.cc", "util.cc", diff --git a/source/extensions/tracers/zipkin/span_buffer.h b/source/extensions/tracers/zipkin/span_buffer.h index df1536044367f..53b30cdcd5433 100644 --- a/source/extensions/tracers/zipkin/span_buffer.h +++ b/source/extensions/tracers/zipkin/span_buffer.h @@ -3,7 +3,6 @@ #include "envoy/config/trace/v3/zipkin.pb.h" #include "source/common/protobuf/protobuf.h" -#include "source/extensions/tracers/zipkin/tracer_interface.h" #include "source/extensions/tracers/zipkin/zipkin_core_types.h" #include "zipkin.pb.h" diff --git a/source/extensions/tracers/zipkin/span_context.cc b/source/extensions/tracers/zipkin/span_context.cc deleted file mode 100644 index ecbd14b5c8bb2..0000000000000 --- a/source/extensions/tracers/zipkin/span_context.cc +++ /dev/null @@ -1,20 +0,0 @@ -#include "source/extensions/tracers/zipkin/span_context.h" - -#include "source/common/common/macros.h" -#include "source/common/common/utility.h" -#include "source/extensions/tracers/zipkin/zipkin_core_constants.h" - -namespace Envoy { -namespace Extensions { -namespace Tracers { -namespace Zipkin { - -SpanContext::SpanContext(const Span& span, bool inner_context) - : trace_id_high_(span.isSetTraceIdHigh() ? span.traceIdHigh() : 0), trace_id_(span.traceId()), - id_(span.id()), parent_id_(span.isSetParentId() ? span.parentId() : 0), - sampled_(span.sampled()), inner_context_(inner_context) {} - -} // namespace Zipkin -} // namespace Tracers -} // namespace Extensions -} // namespace Envoy diff --git a/source/extensions/tracers/zipkin/span_context.h b/source/extensions/tracers/zipkin/span_context.h index b1dfa3168743a..e4098e334cf63 100644 --- a/source/extensions/tracers/zipkin/span_context.h +++ b/source/extensions/tracers/zipkin/span_context.h @@ -1,10 +1,7 @@ #pragma once -#include - -#include "source/extensions/tracers/zipkin/util.h" -#include "source/extensions/tracers/zipkin/zipkin_core_constants.h" -#include "source/extensions/tracers/zipkin/zipkin_core_types.h" +#include +#include namespace Envoy { namespace Extensions { @@ -29,7 +26,7 @@ class SpanContext { * @param trace_id_high The high 64 bits of the trace id. * @param trace_id The low 64 bits of the trace id. * @param id The span id. - * @param parent_id The parent id. + * @param parent_id The parent span id. * @param sampled The sampled flag. * @param inner_context If this context is created base on the inner span. */ @@ -38,14 +35,6 @@ class SpanContext { : trace_id_high_(trace_id_high), trace_id_(trace_id), id_(id), parent_id_(parent_id), sampled_(sampled), inner_context_(inner_context) {} - /** - * Constructor that creates a context object from the given Zipkin span object. - * - * @param span The Zipkin span used to initialize a SpanContext object. - * @param inner_context If this context is created base on the inner span. - */ - SpanContext(const Span& span, bool inner_context = true); - /** * @return the span id as an integer */ @@ -80,6 +69,7 @@ class SpanContext { * @return the inner context flag. True if this context is created base on the inner span. */ bool innerContext() const { return inner_context_; } + void setInnerContextForTest(bool inner_context) { inner_context_ = inner_context; } private: const uint64_t trace_id_high_{0}; @@ -87,7 +77,7 @@ class SpanContext { const uint64_t id_{0}; const uint64_t parent_id_{0}; const bool sampled_{false}; - const bool inner_context_{false}; + bool inner_context_{false}; }; } // namespace Zipkin diff --git a/source/extensions/tracers/zipkin/tracer.cc b/source/extensions/tracers/zipkin/tracer.cc index 0ab5b01273bc7..e50283fc66a1a 100644 --- a/source/extensions/tracers/zipkin/tracer.cc +++ b/source/extensions/tracers/zipkin/tracer.cc @@ -6,6 +6,7 @@ #include "source/common/tracing/http_tracer_impl.h" #include "source/extensions/tracers/zipkin/util.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" +#include "source/extensions/tracers/zipkin/zipkin_json_field_names.h" namespace Envoy { namespace Extensions { @@ -53,7 +54,7 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span cs.setEndpoint(std::move(ep)); // Create an all-new span, with no parent id - SpanPtr span_ptr = std::make_unique(time_source_); + SpanPtr span_ptr = std::make_unique(time_source_, *this); span_ptr->setName(span_name); uint64_t random_number = random_generator_.random(); span_ptr->setId(random_number); @@ -75,14 +76,12 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span // Add CS annotation to the span span_ptr->addAnnotation(std::move(cs)); - span_ptr->setTracer(this); - return span_ptr; } SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span_name, SystemTime timestamp, const SpanContext& previous_context) { - SpanPtr span_ptr = std::make_unique(time_source_); + SpanPtr span_ptr = std::make_unique(time_source_, *this); // If the previous context is inner context then this span is span for upstream request. Annotation annotation = getAnnotation(split_spans_for_request_ || config.spawnUpstreamSpan(), previous_context.innerContext(), config.operationName()); @@ -140,8 +139,6 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span .count(); span_ptr->setStartTime(start_time_micro); - span_ptr->setTracer(this); - return span_ptr; } diff --git a/source/extensions/tracers/zipkin/tracer.h b/source/extensions/tracers/zipkin/tracer.h index 6b8fa780014dd..4834855a52f6a 100644 --- a/source/extensions/tracers/zipkin/tracer.h +++ b/source/extensions/tracers/zipkin/tracer.h @@ -6,7 +6,6 @@ #include "envoy/tracing/tracer.h" #include "source/extensions/tracers/zipkin/span_context.h" -#include "source/extensions/tracers/zipkin/tracer_interface.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" #include "source/extensions/tracers/zipkin/zipkin_core_types.h" @@ -15,29 +14,6 @@ namespace Extensions { namespace Tracers { namespace Zipkin { -/** - * Abstract class that delegates to users of the Tracer class the responsibility - * of "reporting" a Zipkin span that has ended its life cycle. "Reporting" can mean that the - * span will be sent to out to Zipkin, or buffered so that it can be sent out later. - */ -class Reporter { -public: - /** - * Destructor. - */ - virtual ~Reporter() = default; - - /** - * Method that a concrete Reporter class must implement to handle finished spans. - * For example, a span-buffer management policy could be implemented. - * - * @param span The span that needs action. - */ - virtual void reportSpan(Span&& span) PURE; -}; - -using ReporterPtr = std::unique_ptr; - /** * This class implements the Zipkin tracer. It has methods to create the appropriate Zipkin span * type, i.e., root span, child span, or shared-context span. @@ -68,33 +44,11 @@ class Tracer : public TracerInterface { shared_span_context_(shared_span_context), time_source_(time_source), split_spans_for_request_(split_spans_for_request) {} - /** - * Creates a "root" Zipkin span. - * - * @param config The tracing configuration - * @param span_name Name of the new span. - * @param start_time The time indicating the beginning of the span. - * @return SpanPtr The root span. - */ - SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, SystemTime timestamp); - - /** - * Depending on the given context, creates either a "child" or a "shared-context" Zipkin span. - * - * @param config The tracing configuration - * @param span_name Name of the new span. - * @param start_time The time indicating the beginning of the span. - * @param previous_context The context of the span preceding the one to be created. - * @return SpanPtr The child span. - */ + // TracerInterface + SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, + SystemTime timestamp) override; SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, SystemTime timestamp, - const SpanContext& previous_context); - - /** - * TracerInterface::reportSpan. - * - * @param span The span to be reported. - */ + const SpanContext& previous_context) override; void reportSpan(Span&& span) override; /** diff --git a/source/extensions/tracers/zipkin/tracer_interface.h b/source/extensions/tracers/zipkin/tracer_interface.h index c56e130e2868d..9745bd6970bd9 100644 --- a/source/extensions/tracers/zipkin/tracer_interface.h +++ b/source/extensions/tracers/zipkin/tracer_interface.h @@ -5,6 +5,9 @@ #include #include "envoy/common/pure.h" +#include "envoy/tracing/trace_config.h" + +#include "source/extensions/tracers/zipkin/span_context.h" namespace Envoy { namespace Extensions { @@ -12,21 +15,23 @@ namespace Tracers { namespace Zipkin { class Span; +using SpanPtr = std::unique_ptr; /** - * This interface must be observed by a Zipkin tracer. + * Abstract class that delegates to users of the Tracer class the responsibility + * of "reporting" a Zipkin span that has ended its life cycle. "Reporting" can mean that the + * span will be sent to out to Zipkin, or buffered so that it can be sent out later. */ -class TracerInterface { +class Reporter { public: /** * Destructor. */ - virtual ~TracerInterface() = default; + virtual ~Reporter() = default; /** - * A Zipkin tracer must implement this method. Its implementation must perform whatever - * actions are required when the given span is considered finished. An implementation - * will typically buffer the given span so that it can be flushed later. + * Method that a concrete Reporter class must implement to handle finished spans. + * For example, a span-buffer management policy could be implemented. * * This method is invoked by the Span object when its finish() method is called. * @@ -35,6 +40,37 @@ class TracerInterface { virtual void reportSpan(Span&& span) PURE; }; +using ReporterPtr = std::unique_ptr; + +/** + * This interface must be observed by a Zipkin tracer. + */ +class TracerInterface : public Reporter { +public: + /** + * Creates a "root" Zipkin span. + * + * @param config The tracing configuration + * @param span_name Name of the new span. + * @param start_time The time indicating the beginning of the span. + * @return SpanPtr The root span. + */ + virtual SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, + SystemTime timestamp) PURE; + + /** + * Depending on the given context, creates either a "child" or a "shared-context" Zipkin span. + * + * @param config The tracing configuration + * @param span_name Name of the new span. + * @param start_time The time indicating the beginning of the span. + * @param previous_context The context of the span preceding the one to be created. + * @return SpanPtr The child span. + */ + virtual SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, + SystemTime timestamp, const SpanContext& previous_context) PURE; +}; + /** * Buffered pending spans serializer. */ diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.cc b/source/extensions/tracers/zipkin/zipkin_core_types.cc index eb6c17c8382a2..b831ded6573c4 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.cc +++ b/source/extensions/tracers/zipkin/zipkin_core_types.cc @@ -113,30 +113,6 @@ const ProtobufWkt::Struct BinaryAnnotation::toStruct(Util::Replacements& replace const std::string Span::EMPTY_HEX_STRING_ = "0000000000000000"; -Span::Span(const Span& span) : time_source_(span.time_source_) { - trace_id_ = span.traceId(); - if (span.isSetTraceIdHigh()) { - trace_id_high_ = span.traceIdHigh(); - } - name_ = span.name(); - id_ = span.id(); - if (span.isSetParentId()) { - parent_id_ = span.parentId(); - } - debug_ = span.debug(); - sampled_ = span.sampled(); - annotations_ = span.annotations(); - binary_annotations_ = span.binaryAnnotations(); - if (span.isSetTimestamp()) { - timestamp_ = span.timestamp(); - } - if (span.isSetDuration()) { - duration_ = span.duration(); - } - monotonic_start_time_ = span.startTime(); - tracer_ = span.tracer(); -} - void Span::setServiceName(const std::string& service_name) { for (auto& annotation : annotations_) { annotation.changeEndpointServiceName(service_name); @@ -169,6 +145,7 @@ const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const if (!annotations_.empty()) { std::vector annotation_list; + annotation_list.reserve(annotations_.size()); for (auto& annotation : annotations_) { annotation_list.push_back(ValueUtil::structValue(annotation.toStruct(replacements))); } @@ -177,6 +154,7 @@ const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const if (!binary_annotations_.empty()) { std::vector binary_annotation_list; + binary_annotation_list.reserve(binary_annotations_.size()); for (auto& binary_annotation : binary_annotations_) { binary_annotation_list.push_back( ValueUtil::structValue(binary_annotation.toStruct(replacements))); @@ -187,9 +165,8 @@ const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const return span; } -void Span::finish() { +void Span::finishSpan() { // Assumption: Span will have only one annotation when this method is called. - SpanContext context(*this); if (annotations_[0].value() == SERVER_RECV) { // Need to set the SS annotation Annotation ss; @@ -218,9 +195,7 @@ void Span::finish() { setDuration(monotonic_stop_time - monotonic_start_time_); } - if (auto t = tracer()) { - t->reportSpan(std::move(*this)); - } + tracer_.reportSpan(std::move(*this)); } void Span::setTag(absl::string_view name, absl::string_view value) { @@ -237,6 +212,31 @@ void Span::log(SystemTime timestamp, const std::string& event) { addAnnotation(std::move(annotation)); } +void Span::injectContext(Tracing::TraceContext& trace_context, const Tracing::UpstreamContext&) { + // Set the trace-id and span-id headers properly, based on the newly-created span structure. + ZipkinCoreConstants::get().X_B3_TRACE_ID.setRefKey(trace_context, traceIdAsHexString()); + ZipkinCoreConstants::get().X_B3_SPAN_ID.setRefKey(trace_context, idAsHexString()); + + // Set the parent-span header properly, based on the newly-created span structure. + if (isSetParentId()) { + ZipkinCoreConstants::get().X_B3_PARENT_SPAN_ID.setRefKey(trace_context, parentIdAsHexString()); + } + + // Set the sampled header. + ZipkinCoreConstants::get().X_B3_SAMPLED.setRefKey(trace_context, + sampled() ? SAMPLED : NOT_SAMPLED); +} +Tracing::SpanPtr Span::spawnChild(const Tracing::Config& config, const std::string& name, + SystemTime start_time) { + return tracer_.startSpan(config, name, start_time, spanContext()); +} + +SpanContext Span::spanContext() const { + // The inner_context is set to true because this SpanContext is context of Envoy created span + // rather than the one that extracted from the downstream request headers. + return {trace_id_high_.value_or(0), trace_id_, id_, parent_id_.value_or(0), sampled_, true}; +} + } // namespace Zipkin } // namespace Tracers } // namespace Extensions diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.h b/source/extensions/tracers/zipkin/zipkin_core_types.h index 26ee5c187c1a8..e7ef2fbc7abbf 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.h +++ b/source/extensions/tracers/zipkin/zipkin_core_types.h @@ -299,22 +299,16 @@ class BinaryAnnotation : public ZipkinBase { AnnotationType annotation_type_{}; }; -using SpanPtr = std::unique_ptr; - /** * Represents a Zipkin span. This class is based on Zipkin's Thrift definition of a span. */ -class Span : public ZipkinBase { +class Span : public ZipkinBase, public Tracing::Span { public: - /** - * Copy constructor. - */ - Span(const Span&); - /** * Default constructor. Creates an empty span. */ - explicit Span(TimeSource& time_source) : time_source_(time_source) {} + explicit Span(TimeSource& time_source, TracerInterface& tracer) + : time_source_(time_source), tracer_(tracer) {} /** * Sets the span's trace id attribute. @@ -324,7 +318,7 @@ class Span : public ZipkinBase { /** * Sets the span's name attribute. */ - void setName(const std::string& val) { name_ = val; } + void setName(absl::string_view val) { name_ = std::string(val); } /** * Sets the span's id. @@ -341,11 +335,6 @@ class Span : public ZipkinBase { */ bool isSetParentId() const { return parent_id_.has_value(); } - /** - * Set the span's sampled flag. - */ - void setSampled(bool val) { sampled_ = val; } - /** * @return a vector with all annotations added to the span. */ @@ -547,18 +536,14 @@ class Span : public ZipkinBase { const ProtobufWkt::Struct toStruct(Util::Replacements& replacements) const override; /** - * Associates a Tracer object with the span. The tracer's reportSpan() method is invoked - * by the span's finish() method so that the tracer can decide what to do with the span - * when it is finished. + * @return the span's context. * - * @param tracer Represents the Tracer object to be associated with the span. + * This method returns a SpanContext object that contains the span's trace id, span id, parent id, + * and sampled attributes. */ - void setTracer(TracerInterface* tracer) { tracer_ = tracer; } + SpanContext spanContext() const; - /** - * @return the Tracer object associated with the span. - */ - TracerInterface* tracer() const { return tracer_; } + // Tracing::Span /** * Marks a successful end of the span. This method will: @@ -568,23 +553,20 @@ class Span : public ZipkinBase { * (2) compute and set the span's duration; and * (3) invoke the tracer's reportSpan() method if a tracer has been associated with the span. */ - void finish(); - - /** - * Adds a binary annotation to the span. - * - * @param name The binary annotation's key. - * @param value The binary annotation's value. - */ - void setTag(absl::string_view name, absl::string_view value); - - /** - * Adds an annotation to the span - * - * @param timestamp The annotation's timestamp. - * @param event The annotation's value. - */ - void log(SystemTime timestamp, const std::string& event); + void finishSpan() override; + void setTag(absl::string_view name, absl::string_view value) override; + void log(SystemTime timestamp, const std::string& event) override; + void setSampled(bool val) override { sampled_ = val; } + void setOperation(absl::string_view operation) override { setName(std::string(operation)); } + void injectContext(Tracing::TraceContext& trace_context, + const Tracing::UpstreamContext&) override; + Tracing::SpanPtr spawnChild(const Tracing::Config&, const std::string& name, + SystemTime start_time) override; + + void setBaggage(absl::string_view, absl::string_view) override {} + std::string getBaggage(absl::string_view) override { return EMPTY_STRING; } + std::string getSpanId() const override { return EMPTY_STRING; }; + std::string getTraceId() const override { return traceIdAsHexString(); }; private: static const std::string EMPTY_HEX_STRING_; @@ -600,10 +582,12 @@ class Span : public ZipkinBase { absl::optional duration_; absl::optional trace_id_high_; int64_t monotonic_start_time_{0}; - TracerInterface* tracer_{nullptr}; TimeSource& time_source_; + TracerInterface& tracer_; }; +using SpanPtr = std::unique_ptr; + } // namespace Zipkin } // namespace Tracers } // namespace Extensions diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc index 6da1581176028..1dd50a26b6552 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc @@ -19,52 +19,6 @@ namespace Extensions { namespace Tracers { namespace Zipkin { -ZipkinSpan::ZipkinSpan(Zipkin::Span& span, Zipkin::Tracer& tracer) : span_(span), tracer_(tracer) {} - -void ZipkinSpan::finishSpan() { span_.finish(); } - -void ZipkinSpan::setOperation(absl::string_view operation) { - span_.setName(std::string(operation)); -} - -void ZipkinSpan::setTag(absl::string_view name, absl::string_view value) { - span_.setTag(name, value); -} - -void ZipkinSpan::log(SystemTime timestamp, const std::string& event) { - span_.log(timestamp, event); -} - -// TODO(#11622): Implement baggage storage for zipkin spans -void ZipkinSpan::setBaggage(absl::string_view, absl::string_view) {} -std::string ZipkinSpan::getBaggage(absl::string_view) { return EMPTY_STRING; } - -void ZipkinSpan::injectContext(Tracing::TraceContext& trace_context, - const Tracing::UpstreamContext&) { - // Set the trace-id and span-id headers properly, based on the newly-created span structure. - ZipkinCoreConstants::get().X_B3_TRACE_ID.setRefKey(trace_context, span_.traceIdAsHexString()); - ZipkinCoreConstants::get().X_B3_SPAN_ID.setRefKey(trace_context, span_.idAsHexString()); - - // Set the parent-span header properly, based on the newly-created span structure. - if (span_.isSetParentId()) { - ZipkinCoreConstants::get().X_B3_PARENT_SPAN_ID.setRefKey(trace_context, - span_.parentIdAsHexString()); - } - - // Set the sampled header. - ZipkinCoreConstants::get().X_B3_SAMPLED.setRefKey(trace_context, - span_.sampled() ? SAMPLED : NOT_SAMPLED); -} - -void ZipkinSpan::setSampled(bool sampled) { span_.setSampled(sampled); } - -Tracing::SpanPtr ZipkinSpan::spawnChild(const Tracing::Config& config, const std::string& name, - SystemTime start_time) { - SpanContext previous_context(span_); - return std::make_unique( - *tracer_.startSpan(config, name, start_time, previous_context), tracer_); -} - Driver::TlsTracer::TlsTracer(TracerPtr&& tracer, Driver& driver) : tracer_(std::move(tracer)), driver_(driver) {} @@ -134,7 +88,7 @@ Tracing::SpanPtr Driver::startSpan(const Tracing::Config& config, END_TRY catch (const ExtractorException& e) { return std::make_unique(); } // Return the active Zipkin span. - return std::make_unique(*new_zipkin_span, tracer); + return new_zipkin_span; } ReporterImpl::ReporterImpl(Driver& driver, Event::Dispatcher& dispatcher, diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h index 2739bc61010bf..bd0e12b500cf7 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h @@ -36,70 +36,6 @@ struct ZipkinTracerStats { ZIPKIN_TRACER_STATS(GENERATE_COUNTER_STRUCT) }; -/** - * Class for Zipkin spans, wrapping a Zipkin::Span object. - */ -class ZipkinSpan : public Tracing::Span { -public: - /** - * Constructor. Wraps a Zipkin::Span object. - * - * @param span to be wrapped. - */ - ZipkinSpan(Zipkin::Span& span, Zipkin::Tracer& tracer); - - /** - * Calls Zipkin::Span::finishSpan() to perform all actions needed to finalize the span. - * This function is called by Tracing::HttpTracerUtility::finalizeSpan(). - */ - void finishSpan() override; - - /** - * This method sets the operation name on the span. - * @param operation the operation name - */ - void setOperation(absl::string_view operation) override; - - /** - * This function adds a Zipkin "string" binary annotation to this span. - * In Zipkin, binary annotations of the type "string" allow arbitrary key-value pairs - * to be associated with a span. - * - * Note that Tracing::HttpTracerUtility::finalizeSpan() makes several calls to this function, - * associating several key-value pairs with this span. - */ - void setTag(absl::string_view name, absl::string_view value) override; - - void log(SystemTime timestamp, const std::string& event) override; - - void injectContext(Tracing::TraceContext& trace_context, - const Tracing::UpstreamContext&) override; - Tracing::SpanPtr spawnChild(const Tracing::Config&, const std::string& name, - SystemTime start_time) override; - - void setSampled(bool sampled) override; - - // TODO(#11622): Implement baggage storage for zipkin spans - void setBaggage(absl::string_view, absl::string_view) override; - std::string getBaggage(absl::string_view) override; - - std::string getTraceId() const override { return span_.traceIdAsHexString(); }; - - // TODO(#34412): This method is unimplemented for Zipkin. - std::string getSpanId() const override { return EMPTY_STRING; }; - - /** - * @return a reference to the Zipkin::Span object. - */ - Zipkin::Span& span() { return span_; } - -private: - Zipkin::Span span_; - Zipkin::Tracer& tracer_; -}; - -using ZipkinSpanPtr = std::unique_ptr; - /** * Class for a Zipkin-specific Driver. */ diff --git a/test/extensions/tracers/zipkin/span_buffer_test.cc b/test/extensions/tracers/zipkin/span_buffer_test.cc index 5a5154a242eac..8972c9710e536 100644 --- a/test/extensions/tracers/zipkin/span_buffer_test.cc +++ b/test/extensions/tracers/zipkin/span_buffer_test.cc @@ -19,6 +19,18 @@ namespace Tracers { namespace Zipkin { namespace { +class EmptyTracer : public TracerInterface { +public: + SpanPtr startSpan(const Tracing::Config&, const std::string&, SystemTime) override { + return nullptr; + } + SpanPtr startSpan(const Tracing::Config&, const std::string&, SystemTime, + const SpanContext&) override { + return nullptr; + } + void reportSpan(Span&&) override {} +}; + // If this default timestamp is wrapped as double (using ValueUtil::numberValue()) and then it is // serialized using Protobuf::util::MessageToJsonString, it renders as: 1.58432429547687e+15. constexpr uint64_t DEFAULT_TEST_TIMESTAMP = 1584324295476870; @@ -68,7 +80,8 @@ BinaryAnnotation createTag() { Span createSpan(const std::vector& annotation_values, const IpType ip_type) { Event::SimulatedTimeSystem simulated_time_system; - Span span(simulated_time_system); + EmptyTracer tracer; + Span span(simulated_time_system, tracer); span.setId(1); span.setTraceId(1); span.setDuration(DEFAULT_TEST_DURATION); @@ -114,8 +127,10 @@ void expectSerializedBuffer(SpanBuffer& buffer, const bool delay_allocation, buffer.allocateBuffer(expected_list.size() + 1); } + EmptyTracer tracer; + // Add span after allocation, but missing required annotations should be false. - EXPECT_FALSE(buffer.addSpan(Span(test_time.timeSystem()))); + EXPECT_FALSE(buffer.addSpan(Span(test_time.timeSystem(), tracer))); EXPECT_FALSE(buffer.addSpan(createSpan({"aa"}, IpType::V4))); for (uint64_t i = 0; i < expected_list.size(); i++) { diff --git a/test/extensions/tracers/zipkin/tracer_test.cc b/test/extensions/tracers/zipkin/tracer_test.cc index b49783a63734c..27e9f14552af1 100644 --- a/test/extensions/tracers/zipkin/tracer_test.cc +++ b/test/extensions/tracers/zipkin/tracer_test.cc @@ -81,9 +81,6 @@ TEST_F(ZipkinTracerTest, SpanCreation) { Endpoint endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), root_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(root_span->isSetDuration()); @@ -93,7 +90,7 @@ TEST_F(ZipkinTracerTest, SpanCreation) { ON_CALL(config, operationName()).WillByDefault(Return(Tracing::OperationName::Ingress)); - SpanContext root_span_context(*root_span); + SpanContext root_span_context = root_span->spanContext(); SpanPtr server_side_shared_context_span = tracer.startSpan(config, "my_span", timestamp, root_span_context); @@ -125,9 +122,6 @@ TEST_F(ZipkinTracerTest, SpanCreation) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), server_side_shared_context_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); @@ -137,7 +131,7 @@ TEST_F(ZipkinTracerTest, SpanCreation) { ON_CALL(config, operationName()).WillByDefault(Return(Tracing::OperationName::Egress)); ON_CALL(random_generator, random()).WillByDefault(Return(2000)); - SpanContext server_side_context(*server_side_shared_context_span); + SpanContext server_side_context = server_side_shared_context_span->spanContext(); SpanPtr child_span = tracer.startSpan(config, "my_child_span", timestamp, server_side_context); EXPECT_EQ("my_child_span", child_span->name()); @@ -171,9 +165,6 @@ TEST_F(ZipkinTracerTest, SpanCreation) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), child_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(child_span->isSetDuration()); @@ -218,9 +209,6 @@ TEST_F(ZipkinTracerTest, SpanCreation) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), new_shared_context_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(new_shared_context_span->isSetDuration()); } @@ -266,9 +254,6 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { Endpoint endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), root_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(root_span->isSetDuration()); @@ -278,7 +263,7 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { // ============== ON_CALL(random_generator, random()).WillByDefault(Return(2000)); - SpanContext root_span_context(*root_span); + SpanContext root_span_context = root_span->spanContext(); SpanPtr child_span = tracer.startSpan(config, "my_child_span", timestamp, root_span_context); EXPECT_EQ("my_child_span", child_span->name()); @@ -312,9 +297,6 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), child_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(child_span->isSetDuration()); @@ -322,7 +304,13 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { // Test the downstream span with parent context and the shared context is enabled. If the // independent proxy is set to true, the downstream span will be server span. // ============== - SpanContext child_span_context(*child_span, false); + SpanContext child_span_context = child_span->spanContext(); + + // By default the context that from an existing span is an inner context. But here we want to + // test the case there the context is an external context from the downstream request. So + // we set the inner context to false manually for test. + child_span_context.setInnerContextForTest(false); + SpanPtr server_side_shared_context_span = tracer.startSpan(config, "my_span", timestamp, child_span_context); @@ -354,9 +342,6 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), server_side_shared_context_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); } @@ -402,9 +387,6 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { Endpoint endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), root_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(root_span->isSetDuration()); @@ -414,7 +396,7 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { // ============== ON_CALL(random_generator, random()).WillByDefault(Return(2000)); - SpanContext root_span_context(*root_span); + SpanContext root_span_context = root_span->spanContext(); SpanPtr child_span = tracer.startSpan(config, "my_child_span", timestamp, root_span_context); EXPECT_EQ("my_child_span", child_span->name()); @@ -448,9 +430,6 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), child_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(child_span->isSetDuration()); @@ -458,7 +437,13 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { // Test the downstream span with parent context and the shared context is enabled. If the // independent proxy is set to true, the downstream span will be server span. // ============== - SpanContext child_span_context(*child_span, false); + SpanContext child_span_context = child_span->spanContext(); + + // By default the context that from an existing span is an inner context. But here we want to + // test the case there the context is an external context from the downstream request. So + // we set the inner context to false manually for test. + child_span_context.setInnerContextForTest(false); + SpanPtr server_side_shared_context_span = tracer.startSpan(config, "my_span", timestamp, child_span_context); @@ -490,9 +475,6 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { endpoint = ann.endpoint(); EXPECT_EQ("my_service_name", endpoint.serviceName()); - // The tracer must have been properly set - EXPECT_EQ(dynamic_cast(&tracer), server_side_shared_context_span->tracer()); - // Duration is not set at span-creation time EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); } @@ -516,7 +498,7 @@ TEST_F(ZipkinTracerTest, FinishSpan) { span->setSampled(true); // Finishing a root span with a CS annotation must add a CR annotation - span->finish(); + span->finishSpan(); EXPECT_EQ(2ULL, span->annotations().size()); // Check the CS annotation added at span-creation time @@ -545,7 +527,7 @@ TEST_F(ZipkinTracerTest, FinishSpan) { ON_CALL(config, operationName()).WillByDefault(Return(Tracing::OperationName::Ingress)); - SpanContext context(*span); + SpanContext context = span->spanContext(); SpanPtr server_side = tracer.startSpan(config, "my_span", timestamp, context); // Associate a reporter with the tracer @@ -554,7 +536,7 @@ TEST_F(ZipkinTracerTest, FinishSpan) { tracer.setReporter(std::move(reporter_ptr)); // Finishing a server-side span with an SR annotation must add an SS annotation - server_side->finish(); + server_side->finishSpan(); EXPECT_EQ(2ULL, server_side->annotations().size()); // Test if the reporter's reportSpan method was actually called upon finishing the span @@ -602,7 +584,7 @@ TEST_F(ZipkinTracerTest, FinishNotSampledSpan) { // Creates a root-span with a CS annotation SpanPtr span = tracer.startSpan(config, "my_span", timestamp); span->setSampled(false); - span->finish(); + span->finishSpan(); // Test if the reporter's reportSpan method was NOT called upon finishing the span EXPECT_EQ(0ULL, reporter_object->reportedSpans().size()); @@ -622,14 +604,14 @@ TEST_F(ZipkinTracerTest, SpanSampledPropagatedToChild) { SpanPtr parent_span = tracer.startSpan(config, "parent_span", timestamp); parent_span->setSampled(true); - SpanContext parent_context1(*parent_span); + SpanContext parent_context1 = parent_span->spanContext(); SpanPtr child_span1 = tracer.startSpan(config, "child_span 1", timestamp, parent_context1); // Test that child span sampled flag is true EXPECT_TRUE(child_span1->sampled()); parent_span->setSampled(false); - SpanContext parent_context2(*parent_span); + SpanContext parent_context2 = parent_span->spanContext(); SpanPtr child_span2 = tracer.startSpan(config, "child_span 2", timestamp, parent_context2); // Test that sampled flag is false @@ -670,7 +652,7 @@ TEST_F(ZipkinTracerTest, SharedSpanContext) { // Create parent span SpanPtr parent_span = tracer.startSpan(config, "parent_span", timestamp); - SpanContext parent_context(*parent_span); + SpanContext parent_context = parent_span->spanContext(); // An CS annotation must have been added EXPECT_EQ(1ULL, parent_span->annotations().size()); @@ -706,7 +688,7 @@ TEST_F(ZipkinTracerTest, NotSharedSpanContext) { // Create parent span SpanPtr parent_span = tracer.startSpan(config, "parent_span", timestamp); - SpanContext parent_context(*parent_span); + SpanContext parent_context = parent_span->spanContext(); // An CS annotation must have been added EXPECT_EQ(1ULL, parent_span->annotations().size()); diff --git a/test/extensions/tracers/zipkin/zipkin_core_types_test.cc b/test/extensions/tracers/zipkin/zipkin_core_types_test.cc index 5bd447121258e..234d16487ba3a 100644 --- a/test/extensions/tracers/zipkin/zipkin_core_types_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_core_types_test.cc @@ -7,6 +7,7 @@ #include "test/test_common/simulated_time_system.h" #include "test/test_common/utility.h" +#include "gmock/gmock.h" #include "gtest/gtest.h" namespace Envoy { @@ -350,9 +351,21 @@ TEST(ZipkinCoreTypesBinaryAnnotationTest, assignmentOperator) { EXPECT_EQ(ann.annotationType(), ann2.annotationType()); } +class MockTracer : public TracerInterface { +public: + MOCK_METHOD(SpanPtr, startSpan, + (const Tracing::Config&, const std::string& span_name, SystemTime timestamp), ()); + MOCK_METHOD(SpanPtr, startSpan, + (const Tracing::Config&, const std::string& span_name, SystemTime timestamp, + const SpanContext& parent_context), + ()); + MOCK_METHOD(void, reportSpan, (Span && span), ()); +}; + TEST(ZipkinCoreTypesSpanTest, defaultConstructor) { Event::SimulatedTimeSystem test_time; - Span span(test_time.timeSystem()); + MockTracer tracer; + Span span(test_time.timeSystem(), tracer); Util::Replacements replacements; EXPECT_EQ(0ULL, span.id()); @@ -575,85 +588,10 @@ TEST(ZipkinCoreTypesSpanTest, defaultConstructor) { EXPECT_EQ(6, replacements.size()); } -TEST(ZipkinCoreTypesSpanTest, copyConstructor) { - Event::SimulatedTimeSystem test_time; - Span span(test_time.timeSystem()); - Util::Replacements replacements; - - uint64_t id = Util::generateRandom64(test_time.timeSystem()); - std::string id_hex = Hex::uint64ToHex(id); - span.setId(id); - span.setParentId(id); - span.setTraceId(id); - int64_t timestamp = std::chrono::duration_cast( - test_time.timeSystem().systemTime().time_since_epoch()) - .count(); - span.setTimestamp(timestamp); - span.setDuration(3000LL); - span.setName("span_name"); - - Span span2(span); - - EXPECT_EQ(span.id(), span2.id()); - EXPECT_EQ(span.parentId(), span2.parentId()); - EXPECT_EQ(span.traceId(), span2.traceId()); - EXPECT_EQ(span.name(), span2.name()); - EXPECT_EQ(span.annotations().size(), span2.annotations().size()); - EXPECT_EQ(span.binaryAnnotations().size(), span2.binaryAnnotations().size()); - EXPECT_EQ(span.idAsHexString(), span2.idAsHexString()); - EXPECT_EQ(span.parentIdAsHexString(), span2.parentIdAsHexString()); - EXPECT_EQ(span.traceIdAsHexString(), span2.traceIdAsHexString()); - EXPECT_EQ(span.timestamp(), span2.timestamp()); - EXPECT_EQ(span.duration(), span2.duration()); - EXPECT_EQ(span.startTime(), span2.startTime()); - EXPECT_EQ(span.debug(), span2.debug()); - EXPECT_EQ(span.isSetDuration(), span2.isSetDuration()); - EXPECT_EQ(span.isSetParentId(), span2.isSetParentId()); - EXPECT_EQ(span.isSetTimestamp(), span2.isSetTimestamp()); - EXPECT_EQ(span.isSetTraceIdHigh(), span2.isSetTraceIdHigh()); -} - -TEST(ZipkinCoreTypesSpanTest, assignmentOperator) { - Event::SimulatedTimeSystem test_time; - Span span(test_time.timeSystem()); - Util::Replacements replacements; - - uint64_t id = Util::generateRandom64(test_time.timeSystem()); - std::string id_hex = Hex::uint64ToHex(id); - span.setId(id); - span.setParentId(id); - span.setTraceId(id); - int64_t timestamp = std::chrono::duration_cast( - test_time.timeSystem().systemTime().time_since_epoch()) - .count(); - span.setTimestamp(timestamp); - span.setDuration(3000LL); - span.setName("span_name"); - - Span span2 = span; - - EXPECT_EQ(span.id(), span2.id()); - EXPECT_EQ(span.parentId(), span2.parentId()); - EXPECT_EQ(span.traceId(), span2.traceId()); - EXPECT_EQ(span.name(), span2.name()); - EXPECT_EQ(span.annotations().size(), span2.annotations().size()); - EXPECT_EQ(span.binaryAnnotations().size(), span2.binaryAnnotations().size()); - EXPECT_EQ(span.idAsHexString(), span2.idAsHexString()); - EXPECT_EQ(span.parentIdAsHexString(), span2.parentIdAsHexString()); - EXPECT_EQ(span.traceIdAsHexString(), span2.traceIdAsHexString()); - EXPECT_EQ(span.timestamp(), span2.timestamp()); - EXPECT_EQ(span.duration(), span2.duration()); - EXPECT_EQ(span.startTime(), span2.startTime()); - EXPECT_EQ(span.debug(), span2.debug()); - EXPECT_EQ(span.isSetDuration(), span2.isSetDuration()); - EXPECT_EQ(span.isSetParentId(), span2.isSetParentId()); - EXPECT_EQ(span.isSetTimestamp(), span2.isSetTimestamp()); - EXPECT_EQ(span.isSetTraceIdHigh(), span2.isSetTraceIdHigh()); -} - TEST(ZipkinCoreTypesSpanTest, setTag) { Event::SimulatedTimeSystem test_time; - Span span(test_time.timeSystem()); + MockTracer tracer; + Span span(test_time.timeSystem(), tracer); span.setTag("key1", "value1"); span.setTag("key2", "value2"); diff --git a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc index e4292aa904527..9cee1325fec35 100644 --- a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc @@ -503,8 +503,8 @@ TEST_F(ZipkinDriverTest, NoB3ContextSampledTrue) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_TRUE(zipkin_span->span().sampled()); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); + EXPECT_TRUE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, NoB3ContextSampledFalse) { @@ -517,8 +517,8 @@ TEST_F(ZipkinDriverTest, NoB3ContextSampledFalse) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, false}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_FALSE(zipkin_span->span().sampled()); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); + EXPECT_FALSE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, PropagateB3NoSampleDecisionSampleTrue) { @@ -533,8 +533,8 @@ TEST_F(ZipkinDriverTest, PropagateB3NoSampleDecisionSampleTrue) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_TRUE(zipkin_span->span().sampled()); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); + EXPECT_TRUE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, PropagateB3NoSampleDecisionSampleFalse) { @@ -549,8 +549,8 @@ TEST_F(ZipkinDriverTest, PropagateB3NoSampleDecisionSampleFalse) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, false}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_FALSE(zipkin_span->span().sampled()); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); + EXPECT_FALSE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, PropagateB3NotSampled) { @@ -630,8 +630,8 @@ TEST_F(ZipkinDriverTest, PropagateB3SampleFalse) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_FALSE(zipkin_span->span().sampled()); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); + EXPECT_FALSE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, ZipkinSpanTest) { @@ -647,13 +647,12 @@ TEST_F(ZipkinDriverTest, ZipkinSpanTest) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); zipkin_span->setTag("key", "value"); - Span& zipkin_zipkin_span = zipkin_span->span(); - EXPECT_EQ(1ULL, zipkin_zipkin_span.binaryAnnotations().size()); - EXPECT_EQ("key", zipkin_zipkin_span.binaryAnnotations()[0].key()); - EXPECT_EQ("value", zipkin_zipkin_span.binaryAnnotations()[0].value()); + EXPECT_EQ(1ULL, zipkin_span->binaryAnnotations().size()); + EXPECT_EQ("key", zipkin_span->binaryAnnotations()[0].key()); + EXPECT_EQ("value", zipkin_span->binaryAnnotations()[0].value()); // ==== // Test setTag() with SR annotated span @@ -670,29 +669,27 @@ TEST_F(ZipkinDriverTest, ZipkinSpanTest) { Tracing::SpanPtr span2 = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span2(dynamic_cast(span2.release())); + Zipkin::SpanPtr zipkin_span2(dynamic_cast(span2.release())); zipkin_span2->setTag("key2", "value2"); - Span& zipkin_zipkin_span2 = zipkin_span2->span(); - EXPECT_EQ(1ULL, zipkin_zipkin_span2.binaryAnnotations().size()); - EXPECT_EQ("key2", zipkin_zipkin_span2.binaryAnnotations()[0].key()); - EXPECT_EQ("value2", zipkin_zipkin_span2.binaryAnnotations()[0].value()); + EXPECT_EQ(1ULL, zipkin_span2->binaryAnnotations().size()); + EXPECT_EQ("key2", zipkin_span2->binaryAnnotations()[0].key()); + EXPECT_EQ("value2", zipkin_span2->binaryAnnotations()[0].value()); // ==== // Test setTag() with empty annotations vector // ==== Tracing::SpanPtr span3 = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span3(dynamic_cast(span3.release())); - Span& zipkin_zipkin_span3 = zipkin_span3->span(); + Zipkin::SpanPtr zipkin_span3(dynamic_cast(span3.release())); std::vector annotations; - zipkin_zipkin_span3.setAnnotations(annotations); + zipkin_span3->setAnnotations(annotations); zipkin_span3->setTag("key3", "value3"); - EXPECT_EQ(1ULL, zipkin_zipkin_span3.binaryAnnotations().size()); - EXPECT_EQ("key3", zipkin_zipkin_span3.binaryAnnotations()[0].key()); - EXPECT_EQ("value3", zipkin_zipkin_span3.binaryAnnotations()[0].value()); + EXPECT_EQ(1ULL, zipkin_span3->binaryAnnotations().size()); + EXPECT_EQ("key3", zipkin_span3->binaryAnnotations()[0].key()); + EXPECT_EQ("value3", zipkin_span3->binaryAnnotations()[0].value()); // ==== // Test effective log() @@ -706,11 +703,10 @@ TEST_F(ZipkinDriverTest, ZipkinSpanTest) { std::chrono::duration_cast(timestamp.time_since_epoch()).count(); span4->log(timestamp, "abc"); - ZipkinSpanPtr zipkin_span4(dynamic_cast(span4.release())); - Span& zipkin_zipkin_span4 = zipkin_span4->span(); - EXPECT_FALSE(zipkin_zipkin_span4.annotations().empty()); - EXPECT_EQ(timestamp_count, zipkin_zipkin_span4.annotations().back().timestamp()); - EXPECT_EQ("abc", zipkin_zipkin_span4.annotations().back().value()); + Zipkin::SpanPtr zipkin_span4(dynamic_cast(span4.release())); + EXPECT_FALSE(zipkin_span4->annotations().empty()); + EXPECT_EQ(timestamp_count, zipkin_span4->annotations().back().timestamp()); + EXPECT_EQ("abc", zipkin_span4->annotations().back().value()); // ==== // Test baggage noop @@ -745,12 +741,12 @@ TEST_F(ZipkinDriverTest, ZipkinSpanContextFromB3HeadersTest) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_EQ(trace_id, zipkin_span->span().traceIdAsHexString()); - EXPECT_EQ(span_id, zipkin_span->span().idAsHexString()); - EXPECT_EQ(parent_id, zipkin_span->span().parentIdAsHexString()); - EXPECT_TRUE(zipkin_span->span().sampled()); + EXPECT_EQ(trace_id, zipkin_span->traceIdAsHexString()); + EXPECT_EQ(span_id, zipkin_span->idAsHexString()); + EXPECT_EQ(parent_id, zipkin_span->parentIdAsHexString()); + EXPECT_TRUE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, ZipkinSpanContextFromB3HeadersEmptyParentSpanTest) { @@ -769,8 +765,8 @@ TEST_F(ZipkinDriverTest, ZipkinSpanContextFromB3HeadersEmptyParentSpanTest) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_TRUE(zipkin_span->span().sampled()); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); + EXPECT_TRUE(zipkin_span->sampled()); } TEST_F(ZipkinDriverTest, ZipkinSpanContextFromB3Headers128TraceIdTest) { @@ -791,14 +787,14 @@ TEST_F(ZipkinDriverTest, ZipkinSpanContextFromB3Headers128TraceIdTest) { Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); - ZipkinSpanPtr zipkin_span(dynamic_cast(span.release())); + Zipkin::SpanPtr zipkin_span(dynamic_cast(span.release())); - EXPECT_EQ(trace_id_high, zipkin_span->span().traceIdHigh()); - EXPECT_EQ(trace_id_low, zipkin_span->span().traceId()); - EXPECT_EQ(trace_id, zipkin_span->span().traceIdAsHexString()); - EXPECT_EQ(span_id, zipkin_span->span().idAsHexString()); - EXPECT_EQ(parent_id, zipkin_span->span().parentIdAsHexString()); - EXPECT_TRUE(zipkin_span->span().sampled()); + EXPECT_EQ(trace_id_high, zipkin_span->traceIdHigh()); + EXPECT_EQ(trace_id_low, zipkin_span->traceId()); + EXPECT_EQ(trace_id, zipkin_span->traceIdAsHexString()); + EXPECT_EQ(span_id, zipkin_span->idAsHexString()); + EXPECT_EQ(parent_id, zipkin_span->parentIdAsHexString()); + EXPECT_TRUE(zipkin_span->sampled()); EXPECT_EQ(trace_id, zipkin_span->getTraceId()); EXPECT_EQ("", zipkin_span->getSpanId()); } From 1835695578f5d2a9a37fc59d65edc24b1174c3c0 Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Thu, 31 Jul 2025 15:11:53 -0400 Subject: [PATCH 129/505] runtime: Deprecate runtime guard `prefer_quic_client_udp_gro` (#40501) Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: inline Fixes https://github.com/envoyproxy/envoy/issues/40380 --------- Signed-off-by: Ali Beyad --- changelogs/current.yaml | 3 +++ mobile/library/cc/engine_builder.cc | 1 - mobile/test/cc/unit/envoy_config_test.cc | 1 - .../engine/EnvoyConfigurationTest.kt | 3 --- .../quic/client_connection_factory_impl.cc | 3 +-- .../quic/envoy_quic_client_connection.cc | 19 +++++++++---------- .../quic/envoy_quic_client_connection.h | 7 +++---- source/common/quic/envoy_quic_utils.cc | 5 ++--- source/common/quic/envoy_quic_utils.h | 3 +-- source/common/runtime/runtime_features.cc | 1 - .../quic/envoy_quic_client_session_test.cc | 4 ++-- .../quic/envoy_quic_client_stream_test.cc | 3 +-- test/common/quic/test_utils.h | 2 +- .../integration/quic_http_integration_test.cc | 4 ++-- test/integration/quic_http_integration_test.h | 3 +-- 15 files changed, 26 insertions(+), 36 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 534f6c8ca3c2c..216741d4fcc1d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -26,6 +26,9 @@ removed_config_or_runtime: - area: dfp change: | Removed runtime guard ``envoy.reloadable_features.dfp_fail_on_empty_host_header`` and legacy code paths. +- area: quic + change: | + Removed runtime guard ``envoy.reloadable_features.prefer_quic_client_udp_gro`` and legacy code paths. new_features: - area: health_check diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc index ab5f5049f42e5..64415874e0b7b 100644 --- a/mobile/library/cc/engine_builder.cc +++ b/mobile/library/cc/engine_builder.cc @@ -846,7 +846,6 @@ std::unique_ptr EngineBuilder::generate *(*envoy_layer.mutable_fields())["envoy"].mutable_struct_value(); ProtobufWkt::Struct& reloadable_features = *(*runtime_values.mutable_fields())["reloadable_features"].mutable_struct_value(); - (*reloadable_features.mutable_fields())["prefer_quic_client_udp_gro"].set_bool_value(true); for (auto& guard_and_value : runtime_guards_) { (*reloadable_features.mutable_fields())[guard_and_value.first].set_bool_value( guard_and_value.second); diff --git a/mobile/test/cc/unit/envoy_config_test.cc b/mobile/test/cc/unit/envoy_config_test.cc index 94944657768b2..854c078d52f9f 100644 --- a/mobile/test/cc/unit/envoy_config_test.cc +++ b/mobile/test/cc/unit/envoy_config_test.cc @@ -107,7 +107,6 @@ TEST(TestConfig, ConfigIsApplied) { "num_timeouts_to_trigger_port_migration { value: 4 }", "idle_network_timeout { seconds: 60 }", "key: \"dns_persistent_cache\" save_interval { seconds: 101 }", - "key: \"prefer_quic_client_udp_gro\" value { bool_value: true }", "key: \"test_feature_false\" value { bool_value: true }", "key: \"device_os\" value { string_value: \"probably-ubuntu-on-CI\" } }", "key: \"app_version\" value { string_value: \"1.2.3\" } }", diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt b/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt index c3963a232ad3f..94257304e1822 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt @@ -254,9 +254,6 @@ class EnvoyConfigurationTest { // enableDrainPostDnsRefresh = true assertThat(resolvedTemplate).contains("enable_drain_post_dns_refresh: true") - // UDP GRO enabled by default - assertThat(resolvedTemplate).contains("key: \"prefer_quic_client_udp_gro\" value { bool_value: true }") - // enableDNSCache = true assertThat(resolvedTemplate).contains("key: \"dns_persistent_cache\"") // dnsCacheSaveIntervalSeconds = 101 diff --git a/source/common/quic/client_connection_factory_impl.cc b/source/common/quic/client_connection_factory_impl.cc index f0f1a91b022d3..bca398c9d744f 100644 --- a/source/common/quic/client_connection_factory_impl.cc +++ b/source/common/quic/client_connection_factory_impl.cc @@ -53,8 +53,7 @@ std::unique_ptr createQuicNetworkConnection( ASSERT(!quic_versions.empty()); auto connection = std::make_unique( quic::QuicUtils::CreateRandomConnectionId(), server_addr, info_impl->conn_helper_, - info_impl->alarm_factory_, quic_versions, local_addr, dispatcher, options, generator, - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.prefer_quic_client_udp_gro")); + info_impl->alarm_factory_, quic_versions, local_addr, dispatcher, options, generator); // Override the max packet length of the QUIC connection if the option value is not 0. if (info_impl->max_packet_length_ > 0) { connection->SetMaxPacketLength(info_impl->max_packet_length_); diff --git a/source/common/quic/envoy_quic_client_connection.cc b/source/common/quic/envoy_quic_client_connection.cc index 1e761823b8fb9..45bd6c5fc647c 100644 --- a/source/common/quic/envoy_quic_client_connection.cc +++ b/source/common/quic/envoy_quic_client_connection.cc @@ -31,38 +31,37 @@ EnvoyQuicClientConnection::EnvoyQuicClientConnection( const quic::ParsedQuicVersionVector& supported_versions, Network::Address::InstanceConstSharedPtr local_addr, Event::Dispatcher& dispatcher, const Network::ConnectionSocket::OptionsSharedPtr& options, - quic::ConnectionIdGeneratorInterface& generator, const bool prefer_gro) + quic::ConnectionIdGeneratorInterface& generator) : EnvoyQuicClientConnection( server_connection_id, helper, alarm_factory, supported_versions, dispatcher, - createConnectionSocket(initial_peer_address, local_addr, options, prefer_gro), generator, - prefer_gro) {} + createConnectionSocket(initial_peer_address, local_addr, options), generator) {} EnvoyQuicClientConnection::EnvoyQuicClientConnection( const quic::QuicConnectionId& server_connection_id, quic::QuicConnectionHelperInterface& helper, quic::QuicAlarmFactory& alarm_factory, const quic::ParsedQuicVersionVector& supported_versions, Event::Dispatcher& dispatcher, Network::ConnectionSocketPtr&& connection_socket, - quic::ConnectionIdGeneratorInterface& generator, const bool prefer_gro) + quic::ConnectionIdGeneratorInterface& generator) : EnvoyQuicClientConnection( server_connection_id, helper, alarm_factory, new EnvoyQuicPacketWriter( std::make_unique(connection_socket->ioHandle())), /*owns_writer=*/true, supported_versions, dispatcher, std::move(connection_socket), - generator, prefer_gro) {} + generator) {} EnvoyQuicClientConnection::EnvoyQuicClientConnection( const quic::QuicConnectionId& server_connection_id, quic::QuicConnectionHelperInterface& helper, quic::QuicAlarmFactory& alarm_factory, quic::QuicPacketWriter* writer, bool owns_writer, const quic::ParsedQuicVersionVector& supported_versions, Event::Dispatcher& dispatcher, Network::ConnectionSocketPtr&& connection_socket, - quic::ConnectionIdGeneratorInterface& generator, const bool prefer_gro) + quic::ConnectionIdGeneratorInterface& generator) : quic::QuicConnection(server_connection_id, quic::QuicSocketAddress(), envoyIpAddressToQuicSocketAddress( connection_socket->connectionInfoProvider().remoteAddress()->ip()), &helper, &alarm_factory, writer, owns_writer, quic::Perspective::IS_CLIENT, supported_versions, generator), QuicNetworkConnection(std::move(connection_socket)), dispatcher_(dispatcher), - prefer_gro_(prefer_gro), disallow_mmsg_(Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.disallow_quic_client_udp_mmsg")) {} + disallow_mmsg_(Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.disallow_quic_client_udp_mmsg")) {} void EnvoyQuicClientConnection::processPacket( Network::Address::InstanceConstSharedPtr local_address, @@ -185,7 +184,7 @@ void EnvoyQuicClientConnection::probeWithNewPort(const quic::QuicSocketAddress& auto probing_socket = createConnectionSocket( peer_addr == peer_address() ? connectionSocket()->connectionInfoProvider().remoteAddress() : quicAddressToEnvoyAddressInstance(peer_addr), - new_local_address, connectionSocket()->options(), prefer_gro_); + new_local_address, connectionSocket()->options()); setUpConnectionSocket(*probing_socket, delegate_); auto writer = std::make_unique( std::make_unique(probing_socket->ioHandle())); @@ -259,7 +258,7 @@ void EnvoyQuicClientConnection::onFileEvent(uint32_t events, if (connected() && (events & Event::FileReadyType::Read)) { Api::IoErrorPtr err = Network::Utility::readPacketsFromSocket( connection_socket.ioHandle(), *connection_socket.connectionInfoProvider().localAddress(), - *this, dispatcher_.timeSource(), prefer_gro_, !disallow_mmsg_, packets_dropped_); + *this, dispatcher_.timeSource(), /*allow_gro=*/true, !disallow_mmsg_, packets_dropped_); if (err == nullptr) { // If this READ event is on the probing socket and any packet read failed the path validation // (i.e. via STATELESS_RESET), the probing socket should have been closed and the default diff --git a/source/common/quic/envoy_quic_client_connection.h b/source/common/quic/envoy_quic_client_connection.h index c66af480535a1..0da8a59418e78 100644 --- a/source/common/quic/envoy_quic_client_connection.h +++ b/source/common/quic/envoy_quic_client_connection.h @@ -60,7 +60,7 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, Network::Address::InstanceConstSharedPtr local_addr, Event::Dispatcher& dispatcher, const Network::ConnectionSocket::OptionsSharedPtr& options, - quic::ConnectionIdGeneratorInterface& generator, bool prefer_gro); + quic::ConnectionIdGeneratorInterface& generator); EnvoyQuicClientConnection(const quic::QuicConnectionId& server_connection_id, quic::QuicConnectionHelperInterface& helper, @@ -69,7 +69,7 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, const quic::ParsedQuicVersionVector& supported_versions, Event::Dispatcher& dispatcher, Network::ConnectionSocketPtr&& connection_socket, - quic::ConnectionIdGeneratorInterface& generator, bool prefer_gro); + quic::ConnectionIdGeneratorInterface& generator); // Network::UdpPacketProcessor void processPacket(Network::Address::InstanceConstSharedPtr local_address, @@ -142,7 +142,7 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, const quic::ParsedQuicVersionVector& supported_versions, Event::Dispatcher& dispatcher, Network::ConnectionSocketPtr&& connection_socket, - quic::ConnectionIdGeneratorInterface& generator, bool prefer_gro); + quic::ConnectionIdGeneratorInterface& generator); void onFileEvent(uint32_t events, Network::ConnectionSocket& connection_socket); @@ -157,7 +157,6 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, bool migrate_port_on_path_degrading_{false}; uint8_t num_socket_switches_{0}; size_t num_packets_with_unknown_dst_address_{0}; - const bool prefer_gro_; const bool disallow_mmsg_; }; diff --git a/source/common/quic/envoy_quic_utils.cc b/source/common/quic/envoy_quic_utils.cc index 06c89c55bfd1d..e4eecffebc096 100644 --- a/source/common/quic/envoy_quic_utils.cc +++ b/source/common/quic/envoy_quic_utils.cc @@ -184,8 +184,7 @@ Http::StreamResetReason quicErrorCodeToEnvoyRemoteResetReason(quic::QuicErrorCod Network::ConnectionSocketPtr createConnectionSocket(const Network::Address::InstanceConstSharedPtr& peer_addr, Network::Address::InstanceConstSharedPtr& local_addr, - const Network::ConnectionSocket::OptionsSharedPtr& options, - const bool prefer_gro) { + const Network::ConnectionSocket::OptionsSharedPtr& options) { ASSERT(peer_addr != nullptr); // NOTE: If changing the default cache size from 4 entries, make sure to profile it using // the benchmark test: //test/common/network:io_socket_handle_impl_benchmark @@ -212,7 +211,7 @@ createConnectionSocket(const Network::Address::InstanceConstSharedPtr& peer_addr connection_socket->addOptions(Network::SocketOptionFactory::buildIpPacketInfoOptions()); connection_socket->addOptions(Network::SocketOptionFactory::buildRxQueueOverFlowOptions()); connection_socket->addOptions(Network::SocketOptionFactory::buildIpRecvTosOptions()); - if (prefer_gro && Api::OsSysCallsSingleton::get().supportsUdpGro()) { + if (Api::OsSysCallsSingleton::get().supportsUdpGro()) { connection_socket->addOptions(Network::SocketOptionFactory::buildUdpGroOptions()); } if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.udp_set_do_not_fragment")) { diff --git a/source/common/quic/envoy_quic_utils.h b/source/common/quic/envoy_quic_utils.h index 9431d891436ff..f9d3b3eef674e 100644 --- a/source/common/quic/envoy_quic_utils.h +++ b/source/common/quic/envoy_quic_utils.h @@ -174,8 +174,7 @@ Http::StreamResetReason quicErrorCodeToEnvoyRemoteResetReason(quic::QuicErrorCod Network::ConnectionSocketPtr createConnectionSocket(const Network::Address::InstanceConstSharedPtr& peer_addr, Network::Address::InstanceConstSharedPtr& local_addr, - const Network::ConnectionSocket::OptionsSharedPtr& options, - bool prefer_gro = false); + const Network::ConnectionSocket::OptionsSharedPtr& options); // Convert a cert in string form to X509 object. // Return nullptr if the bytes passed cannot be passed. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index c4503dacb6397..f30626af8d57b 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -68,7 +68,6 @@ RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); RUNTIME_GUARD(envoy_reloadable_features_prefer_ipv6_dns_on_macos); -RUNTIME_GUARD(envoy_reloadable_features_prefer_quic_client_udp_gro); RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_miss); RUNTIME_GUARD(envoy_reloadable_features_proxy_104); RUNTIME_GUARD(envoy_reloadable_features_proxy_ssl_port); diff --git a/test/common/quic/envoy_quic_client_session_test.cc b/test/common/quic/envoy_quic_client_session_test.cc index 654489fef5fa7..4d214f50d62ac 100644 --- a/test/common/quic/envoy_quic_client_session_test.cc +++ b/test/common/quic/envoy_quic_client_session_test.cc @@ -59,7 +59,7 @@ class TestEnvoyQuicClientConnection : public EnvoyQuicClientConnection { quic::ConnectionIdGeneratorInterface& generator) : EnvoyQuicClientConnection(server_connection_id, helper, alarm_factory, &writer, false, supported_versions, dispatcher, std::move(connection_socket), - generator, /*prefer_gro=*/true) { + generator) { SetEncrypter(quic::ENCRYPTION_FORWARD_SECURE, std::make_unique(quic::ENCRYPTION_FORWARD_SECURE)); InstallDecrypter(quic::ENCRYPTION_FORWARD_SECURE, @@ -128,7 +128,7 @@ class EnvoyQuicClientSessionTest : public testing::TestWithParam cache; diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index 6ae790c29d1d0..b77bd9529180d 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc @@ -46,8 +46,7 @@ class EnvoyQuicClientStreamTest : public testing::Test { quic_connection_(new MockEnvoyQuicClientConnection( quic::test::TestConnectionId(), connection_helper_, alarm_factory_, &writer_, /*owns_writer=*/false, {quic_version_}, *dispatcher_, - createConnectionSocket(peer_addr_, self_addr_, nullptr, /*prefer_gro=*/true), - connection_id_generator_)), + createConnectionSocket(peer_addr_, self_addr_, nullptr), connection_id_generator_)), quic_session_(quic_config_, {quic_version_}, std::unique_ptr(quic_connection_), *dispatcher_, quic_config_.GetInitialStreamFlowControlWindowToSend() * 2, diff --git a/test/common/quic/test_utils.h b/test/common/quic/test_utils.h index a0144144ea3eb..230d39f719307 100644 --- a/test/common/quic/test_utils.h +++ b/test/common/quic/test_utils.h @@ -79,7 +79,7 @@ class MockEnvoyQuicClientConnection : public EnvoyQuicClientConnection { quic::ConnectionIdGeneratorInterface& generator) : EnvoyQuicClientConnection(server_connection_id, helper, alarm_factory, writer, owns_writer, supported_versions, dispatcher, std::move(connection_socket), - generator, /*prefer_gro=*/true) {} + generator) {} MOCK_METHOD(quic::MessageStatus, SendMessage, (quic::QuicMessageId, absl::Span, bool)); diff --git a/test/integration/quic_http_integration_test.cc b/test/integration/quic_http_integration_test.cc index df35b341aaae1..09ed57a1870aa 100644 --- a/test/integration/quic_http_integration_test.cc +++ b/test/integration/quic_http_integration_test.cc @@ -309,7 +309,7 @@ TEST_P(QuicHttpIntegrationTest, PortMigration) { Network::Address::InstanceConstSharedPtr local_addr = Network::Test::getCanonicalLoopbackAddress(version_); quic_connection_->switchConnectionSocket( - createConnectionSocket(server_addr_, local_addr, nullptr, /*prefer_gro=*/true)); + createConnectionSocket(server_addr_, local_addr, nullptr)); EXPECT_NE(old_port, local_addr->ip()->port()); // Send the rest data. codec_client_->sendData(*request_encoder_, 1024u, true); @@ -340,7 +340,7 @@ TEST_P(QuicHttpIntegrationTest, PortMigration) { auto options = std::make_shared(); options->push_back(option); quic_connection_->switchConnectionSocket( - createConnectionSocket(server_addr_, local_addr, options, /*prefer_gro=*/true)); + createConnectionSocket(server_addr_, local_addr, options)); EXPECT_TRUE(codec_client_->disconnected()); cleanupUpstreamAndDownstream(); } diff --git a/test/integration/quic_http_integration_test.h b/test/integration/quic_http_integration_test.h index 21319319d0349..c67fc2d50b7d2 100644 --- a/test/integration/quic_http_integration_test.h +++ b/test/integration/quic_http_integration_test.h @@ -66,8 +66,7 @@ class TestEnvoyQuicClientConnection : public EnvoyQuicClientConnection { bool validation_failure_on_path_response, quic::ConnectionIdGeneratorInterface& generator) : EnvoyQuicClientConnection(server_connection_id, initial_peer_address, helper, alarm_factory, - supported_versions, local_addr, dispatcher, options, generator, - /*prefer_gro=*/true), + supported_versions, local_addr, dispatcher, options, generator), dispatcher_(dispatcher), validation_failure_on_path_response_(validation_failure_on_path_response) {} From 91741c88887bbaa8aa25d71f2b21761eb4efcb7d Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 31 Jul 2025 20:43:22 +0000 Subject: [PATCH 130/505] remote reverse conn listener since they are fully untested Signed-off-by: Basundhara Chakrabarty --- .../filters/listener/reverse_connection/BUILD | 48 -- .../reverse_connection_config_test.cc | 233 ------ .../reverse_connection_test.cc | 668 ------------------ 3 files changed, 949 deletions(-) delete mode 100644 test/extensions/filters/listener/reverse_connection/BUILD delete mode 100644 test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc delete mode 100644 test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc diff --git a/test/extensions/filters/listener/reverse_connection/BUILD b/test/extensions/filters/listener/reverse_connection/BUILD deleted file mode 100644 index 805d0baee29e4..0000000000000 --- a/test/extensions/filters/listener/reverse_connection/BUILD +++ /dev/null @@ -1,48 +0,0 @@ -load( - "//bazel:envoy_build_system.bzl", - "envoy_package", -) -load( - "//test/extensions:extensions_build_system.bzl", - "envoy_extension_cc_test", -) - -licenses(["notice"]) # Apache 2 - -envoy_package() - -envoy_extension_cc_test( - name = "reverse_connection_test", - srcs = ["reverse_connection_test.cc"], - extension_names = ["envoy.filters.listener.reverse_connection"], - rbe_pool = "6gig", - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/network:listener_filter_buffer_lib", - "//source/common/network:utility_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_utility_lib", - "//source/extensions/filters/listener/reverse_connection:config_lib", - "//source/extensions/filters/listener/reverse_connection:reverse_connection_lib", - "//test/mocks/event:event_mocks", - "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", - "//test/test_common:utility_lib", - "@envoy_api//envoy/config/listener/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/filters/listener/reverse_connection/v3:pkg_cc_proto", - ], -) - -envoy_extension_cc_test( - name = "reverse_connection_config_test", - srcs = ["reverse_connection_config_test.cc"], - extension_names = ["envoy.filters.listener.reverse_connection"], - rbe_pool = "6gig", - deps = [ - "//source/extensions/filters/listener/reverse_connection:config_factory_lib", - "//source/extensions/filters/listener/reverse_connection:config_lib", - "//source/extensions/filters/listener/reverse_connection:reverse_connection_lib", - "//test/mocks/server:listener_factory_context_mocks", - "//test/test_common:utility_lib", - "@envoy_api//envoy/extensions/filters/listener/reverse_connection/v3:pkg_cc_proto", - ], -) \ No newline at end of file diff --git a/test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc b/test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc deleted file mode 100644 index 45b3d0ce86e39..0000000000000 --- a/test/extensions/filters/listener/reverse_connection/reverse_connection_config_test.cc +++ /dev/null @@ -1,233 +0,0 @@ -#include "source/extensions/filters/listener/reverse_connection/config.h" -#include "source/extensions/filters/listener/reverse_connection/config_factory.h" -#include "source/extensions/filters/listener/reverse_connection/reverse_connection.h" - -#include "test/mocks/server/listener_factory_context.h" -#include "test/test_common/utility.h" - -#include "gmock/gmock.h" -#include "gtest/gtest.h" - -using testing::Invoke; -using testing::NiceMock; - -namespace Envoy { -namespace Extensions { -namespace ListenerFilters { -namespace ReverseConnection { -namespace { - -TEST(ReverseConnectionConfigTest, DefaultConfig) { - envoy::extensions::filters::listener::reverse_connection::v3::ReverseConnection proto_config; - - Config config(proto_config); - - // Test default ping wait timeout (10 seconds) - EXPECT_EQ(config.pingWaitTimeout().count(), 10); -} - -TEST(ReverseConnectionConfigTest, CustomConfig) { - envoy::extensions::filters::listener::reverse_connection::v3::ReverseConnection proto_config; - proto_config.set_ping_wait_timeout(google::protobuf::Duration()); - proto_config.mutable_ping_wait_timeout()->set_seconds(30); - - Config config(proto_config); - - // Test custom ping wait timeout (30 seconds) - EXPECT_EQ(config.pingWaitTimeout().count(), 30); -} - -TEST(ReverseConnectionConfigTest, ZeroTimeout) { - envoy::extensions::filters::listener::reverse_connection::v3::ReverseConnection proto_config; - proto_config.set_ping_wait_timeout(google::protobuf::Duration()); - proto_config.mutable_ping_wait_timeout()->set_seconds(0); - - Config config(proto_config); - - // Test zero ping wait timeout - EXPECT_EQ(config.pingWaitTimeout().count(), 0); -} - -TEST(ReverseConnectionConfigFactoryTest, TestCreateFactory) { - const std::string yaml = R"EOF( - ping_wait_timeout: - seconds: 15 - )EOF"; - - ReverseConnectionConfigFactory factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - NiceMock context; - - Network::ListenerFilterFactoryCb cb = - factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); - Network::MockListenerFilterManager manager; - Network::ListenerFilterPtr added_filter; - EXPECT_CALL(manager, addAcceptFilter_(_, _)) - .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, - Network::ListenerFilterPtr& filter) { - added_filter = std::move(filter); - })); - cb(manager); - - // Make sure we actually create the correct type! - EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); -} - -TEST(ReverseConnectionConfigFactoryTest, TestCreateFactoryWithDefaultConfig) { - const std::string yaml = R"EOF( - {} - )EOF"; - - ReverseConnectionConfigFactory factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - NiceMock context; - - Network::ListenerFilterFactoryCb cb = - factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); - Network::MockListenerFilterManager manager; - Network::ListenerFilterPtr added_filter; - EXPECT_CALL(manager, addAcceptFilter_(_, _)) - .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, - Network::ListenerFilterPtr& filter) { - added_filter = std::move(filter); - })); - cb(manager); - - // Make sure we actually create the correct type! - EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); -} - -TEST(ReverseConnectionConfigFactoryTest, TestCreateFactoryWithZeroTimeout) { - const std::string yaml = R"EOF( - ping_wait_timeout: - seconds: 0 - )EOF"; - - ReverseConnectionConfigFactory factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - NiceMock context; - - Network::ListenerFilterFactoryCb cb = - factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); - Network::MockListenerFilterManager manager; - Network::ListenerFilterPtr added_filter; - EXPECT_CALL(manager, addAcceptFilter_(_, _)) - .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, - Network::ListenerFilterPtr& filter) { - added_filter = std::move(filter); - })); - cb(manager); - - // Make sure we actually create the correct type! - EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); -} - -TEST(ReverseConnectionConfigFactoryTest, TestCreateFactoryWithMatcher) { - const std::string yaml = R"EOF( - ping_wait_timeout: - seconds: 20 - )EOF"; - - ReverseConnectionConfigFactory factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - NiceMock context; - - // Create a mock filter matcher - auto matcher = std::make_shared(); - - Network::ListenerFilterFactoryCb cb = - factory.createListenerFilterFactoryFromProto(*proto_config, matcher, context); - Network::MockListenerFilterManager manager; - Network::ListenerFilterPtr added_filter; - EXPECT_CALL(manager, addAcceptFilter_(_, _)) - .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, - Network::ListenerFilterPtr& filter) { - added_filter = std::move(filter); - })); - cb(manager); - - // Make sure we actually create the correct type! - EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); -} - -TEST(ReverseConnectionConfigFactoryTest, TestCreateEmptyConfigProto) { - ReverseConnectionConfigFactory factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - - EXPECT_NE(proto_config, nullptr); - - // Verify it's the correct type - auto* reverse_connection_config = - dynamic_cast( - proto_config.get()); - EXPECT_NE(reverse_connection_config, nullptr); -} - -TEST(ReverseConnectionConfigFactoryTest, TestFactoryRegistration) { - const std::string filter_name = "envoy.filters.listener.reverse_connection"; - - // Test that the factory is registered - Server::Configuration::NamedListenerFilterConfigFactory* factory = - Registry::FactoryRegistry:: - getFactory(filter_name); - - EXPECT_NE(factory, nullptr); - EXPECT_EQ(factory->name(), filter_name); -} - -TEST(ReverseConnectionConfigFactoryTest, TestFactoryWithValidation) { - const std::string yaml = R"EOF( - ping_wait_timeout: - seconds: 25 - nanos: 500000000 - )EOF"; - - ReverseConnectionConfigFactory factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()) - .WillRepeatedly(ReturnRef(ProtobufMessage::getStrictValidationVisitor())); - - Network::ListenerFilterFactoryCb cb = - factory.createListenerFilterFactoryFromProto(*proto_config, nullptr, context); - Network::MockListenerFilterManager manager; - Network::ListenerFilterPtr added_filter; - EXPECT_CALL(manager, addAcceptFilter_(_, _)) - .WillOnce(Invoke([&added_filter](const Network::ListenerFilterMatcherSharedPtr&, - Network::ListenerFilterPtr& filter) { - added_filter = std::move(filter); - })); - cb(manager); - - // Make sure we actually create the correct type! - EXPECT_NE(dynamic_cast(added_filter.get()), nullptr); -} - -TEST(ReverseConnectionConfigFactoryTest, TestFactoryWithInvalidConfig) { - // Create an invalid config by using a different message type - auto invalid_config = std::make_unique(); - - ReverseConnectionConfigFactory factory; - NiceMock context; - - // This should throw an exception due to invalid message type - EXPECT_THROW( - factory.createListenerFilterFactoryFromProto(*invalid_config, nullptr, context), - EnvoyException); -} - -} // namespace -} // namespace ReverseConnection -} // namespace ListenerFilters -} // namespace Extensions -} // namespace Envoy \ No newline at end of file diff --git a/test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc b/test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc deleted file mode 100644 index 4ba61e3c16799..0000000000000 --- a/test/extensions/filters/listener/reverse_connection/reverse_connection_test.cc +++ /dev/null @@ -1,668 +0,0 @@ -#include -#include -#include - -#include "envoy/network/connection.h" -#include "envoy/network/filter.h" -#include "envoy/network/listen_socket.h" - -#include "source/common/buffer/buffer_impl.h" -#include "source/common/network/address_impl.h" -#include "source/common/network/utility.h" -#include "source/extensions/filters/listener/reverse_connection/reverse_connection.h" - -#include "test/mocks/event/mocks.h" -#include "test/mocks/network/mocks.h" -#include "test/test_common/utility.h" - -#include "gmock/gmock.h" -#include "gtest/gtest.h" - -using testing::_; -using testing::NiceMock; -using testing::Return; -using testing::ReturnRef; - -namespace Envoy { -namespace Extensions { -namespace ListenerFilters { -namespace ReverseConnection { - -class ReverseConnectionFilterTest : public testing::Test { -protected: - ReverseConnectionFilterTest() = default; - - // Helper to create a mock socket with proper address setup - Network::ConnectionSocketPtr createMockSocket(int fd = 123, - const std::string& local_addr = "127.0.0.1:8080", - const std::string& remote_addr = "127.0.0.1:9090") { - auto socket = std::make_unique>(); - - // Parse local address (IP:port format) - auto local_colon_pos = local_addr.find(':'); - std::string local_ip = local_addr.substr(0, local_colon_pos); - uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); - auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); - - // Parse remote address (IP:port format) - auto remote_colon_pos = remote_addr.find(':'); - std::string remote_ip = remote_addr.substr(0, remote_colon_pos); - uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); - auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); - - // Create a mock IO handle and set it up - auto mock_io_handle = std::make_unique>(); - auto* mock_io_handle_ptr = mock_io_handle.get(); - EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); - EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); - - // Store the mock_io_handle in the socket - socket->io_handle_ = std::move(mock_io_handle); - - // Set up connection info provider with the desired addresses - socket->connection_info_provider_->setLocalAddress(local_address); - socket->connection_info_provider_->setRemoteAddress(remote_address); - - return socket; - } - - // Helper to create a mock timer - Event::MockTimer* createMockTimer() { - auto timer = new NiceMock(); - EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(timer)); - return timer; - } - - NiceMock dispatcher_{"worker_0"}; -}; - -TEST_F(ReverseConnectionFilterTest, Constructor) { - // Test that constructor doesn't crash and creates a valid instance - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - EXPECT_EQ(config.pingWaitTimeout().count(), 1000); -} - -TEST_F(ReverseConnectionFilterTest, OnAccept) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept - Network::FilterStatus status = filter.onAccept(callbacks); - - // Should return StopIteration to wait for data - EXPECT_EQ(status, Network::FilterStatus::StopIteration); -} - -TEST_F(ReverseConnectionFilterTest, OnAcceptWithZeroTimeout) { - Config config(std::chrono::milliseconds(0)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(0), nullptr)); - - // Call onAccept - Network::FilterStatus status = filter.onAccept(callbacks); - - // Should return StopIteration to wait for data - EXPECT_EQ(status, Network::FilterStatus::StopIteration); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithValidPingMessage) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create mock IO handle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful write for ping response - EXPECT_CALL(*mock_io_handle, write(_)) - .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{5, Api::IoError::none()}; - })); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Create buffer with valid ping message - Buffer::OwnedImpl buffer("RPING"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(true)); - - // Call onData with valid ping message - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return TryAgainLater to wait for more data - EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithHttpEmbeddedPingMessage) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create mock IO handle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful write for ping response - EXPECT_CALL(*mock_io_handle, write(_)) - .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{5, Api::IoError::none()}; - })); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Create buffer with HTTP-embedded ping message - std::string http_ping = "GET /ping HTTP/1.1\r\nHost: example.com\r\n\r\nRPING"; - Buffer::OwnedImpl buffer(http_ping); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(true)); - - // Call onData with HTTP-embedded ping message - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return TryAgainLater to wait for more data - EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithNonPingMessage) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create buffer with non-ping message - Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - - // Call onData with non-ping message - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return Continue to proceed with normal processing - EXPECT_EQ(status, Network::FilterStatus::Continue); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithEmptyBuffer) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create empty buffer - Buffer::OwnedImpl buffer(""); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - - // Call onData with empty buffer - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return Error due to remote connection closed - EXPECT_EQ(status, Network::FilterStatus::StopIteration); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithPartialPingMessage) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create buffer with partial ping message - Buffer::OwnedImpl buffer("RPI"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - - // Call onData with partial ping message - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return TryAgainLater to wait for more data - EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithPingResponseWriteFailure) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create mock IO handle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock failed write for ping response - EXPECT_CALL(*mock_io_handle, write(_)) - .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate write attempt - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; - })); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Create buffer with valid ping message - Buffer::OwnedImpl buffer("RPING"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(true)); - - // Call onData with valid ping message - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return TryAgainLater even if write fails (logs error but continues) - EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); -} - -TEST_F(ReverseConnectionFilterTest, OnDataWithBufferDrainFailure) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create mock IO handle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful write for ping response - EXPECT_CALL(*mock_io_handle, write(_)) - .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{5, Api::IoError::none()}; - })); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Create buffer with valid ping message - Buffer::OwnedImpl buffer("RPING"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - EXPECT_CALL(filter_buffer, drain(buffer.length())).WillOnce(Return(false)); - - // Call onData with valid ping message - Network::FilterStatus status = filter.onData(filter_buffer); - - // Should return TryAgainLater even if drain fails (logs error but continues) - EXPECT_EQ(status, Network::FilterStatus::TryAgainLater); -} - -TEST_F(ReverseConnectionFilterTest, OnPingWaitTimeout) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Expect continueFilterChain to be called with false - EXPECT_CALL(callbacks, continueFilterChain(false)); - - // Call onPingWaitTimeout - filter.onPingWaitTimeout(); -} - -TEST_F(ReverseConnectionFilterTest, OnClose) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create mock IO handle - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Expect close to be called on the IO handle - EXPECT_CALL(*mock_io_handle, close()); - - // Call onClose - filter.onClose(); -} - -TEST_F(ReverseConnectionFilterTest, OnCloseWithUsedConnection) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Create mock IO handle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful write for ping response - EXPECT_CALL(*mock_io_handle, write(_)) - .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{5, Api::IoError::none()}; - })); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Create buffer with non-ping message to mark connection as used - Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - - // Call onData to mark connection as used - filter.onData(filter_buffer); - - // Call onClose - should not close the IO handle since connection was used - filter.onClose(); -} - -TEST_F(ReverseConnectionFilterTest, DestructorWithUnusedConnection) { - Config config(std::chrono::milliseconds(1000)); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Create filter and call onAccept - { - Filter filter(config); - filter.onAccept(callbacks); - - // Expect socket close to be called in destructor for unused connection - EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); - EXPECT_CALL(*mock_socket_ptr, close()); - } - // Filter goes out of scope here, destructor should be called -} - -TEST_F(ReverseConnectionFilterTest, DestructorWithUsedConnection) { - Config config(std::chrono::milliseconds(1000)); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Create filter and call onAccept - { - Filter filter(config); - filter.onAccept(callbacks); - - // Create mock IO handle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful write for ping response - EXPECT_CALL(*mock_io_handle, write(_)) - .WillOnce(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{5, Api::IoError::none()}; - })); - - // Set up the socket's IO handle - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Create buffer with non-ping message to mark connection as used - Buffer::OwnedImpl buffer("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"); - NiceMock filter_buffer; - EXPECT_CALL(filter_buffer, rawSlice()).WillRepeatedly(Return(Buffer::RawSlice{ - const_cast(static_cast(buffer.toString().data())), buffer.length()})); - - // Call onData to mark connection as used - filter.onData(filter_buffer); - - // Expect socket close NOT to be called in destructor for used connection - EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); - // No EXPECT_CALL for close() since connection was used - } - // Filter goes out of scope here, destructor should be called -} - -TEST_F(ReverseConnectionFilterTest, DestructorWithClosedSocket) { - Config config(std::chrono::milliseconds(1000)); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Create filter and call onAccept - { - Filter filter(config); - filter.onAccept(callbacks); - - // Expect socket close NOT to be called in destructor for closed socket - EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(false)); - // No EXPECT_CALL for close() since socket is already closed - } - // Filter goes out of scope here, destructor should be called -} - -TEST_F(ReverseConnectionFilterTest, MaxReadBytes) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Test that maxReadBytes returns the correct value - size_t max_bytes = filter.maxReadBytes(); - EXPECT_EQ(max_bytes, 5); // "RPING" is 5 bytes -} - -TEST_F(ReverseConnectionFilterTest, Fd) { - Config config(std::chrono::milliseconds(1000)); - Filter filter(config); - - // Create mock socket - auto socket = createMockSocket(123); - auto* mock_socket_ptr = socket.get(); - - // Create mock callbacks - NiceMock callbacks; - EXPECT_CALL(callbacks, socket()).WillRepeatedly(ReturnRef(*mock_socket_ptr)); - - // Create mock timer - auto* mock_timer = createMockTimer(); - EXPECT_CALL(*mock_timer, enableTimer(std::chrono::milliseconds(1000), nullptr)); - - // Call onAccept first - filter.onAccept(callbacks); - - // Test that fd() returns the correct file descriptor - int fd = filter.fd(); - EXPECT_EQ(fd, 123); -} - -} // namespace ReverseConnection -} // namespace ListenerFilters -} // namespace Extensions -} // namespace Envoy \ No newline at end of file From 235ffa9806ffb265cb1b1088a0cf0dba60679dce Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 31 Jul 2025 15:41:03 -0700 Subject: [PATCH 131/505] deps: bump up cel-cpp to v0.13.0 (#40500) ## Description This PR bumps up the version of `cel-cpp` to v0.13.0. Fix https://github.com/envoyproxy/envoy/issues/40499 --- **Commit Message:** deps: bump up `cel-cpp` to v0.13.0 **Additional Description:** Bump up the version of `cel-cpp` to v0.13.0 **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- bazel/foreign_cc/cel-cpp.patch | 107 ++++++++++++++++----------------- bazel/repository_locations.bzl | 6 +- 2 files changed, 55 insertions(+), 58 deletions(-) diff --git a/bazel/foreign_cc/cel-cpp.patch b/bazel/foreign_cc/cel-cpp.patch index eaeb3454acaae..0e3287b2eaea9 100644 --- a/bazel/foreign_cc/cel-cpp.patch +++ b/bazel/foreign_cc/cel-cpp.patch @@ -1,21 +1,8 @@ -From d88b2a2d81e62335708057b3a044abada46de2a3 Mon Sep 17 00:00:00 2001 -From: Rohit Agrawal -Date: Tue, 6 May 2025 17:30:08 +0900 -Subject: [PATCH] Patches for cel-cpp v0.11.0 - -Signed-off-by: Rohit Agrawal ---- - common/internal/byte_string.cc | 8 ++++++++ - common/value.h | 2 +- - common/values/value_variant.h | 10 ++++++++++ - runtime/type_registry.h | 4 ++-- - 4 files changed, 21 insertions(+), 3 deletions(-) - diff --git a/common/internal/byte_string.cc b/common/internal/byte_string.cc index e01c797f8..12345678a 100644 --- a/common/internal/byte_string.cc +++ b/common/internal/byte_string.cc -@@ -104,6 +104,14 @@ +@@ -104,6 +104,13 @@ ByteString::ByteString(Allocator<> allocator, absl::string_view string) { ABSL_DCHECK_LE(string.size(), max_size()); @@ -26,18 +13,48 @@ index e01c797f8..12345678a 100644 + SetSmallEmpty(allocator.arena()); + return; + } -+ auto* arena = allocator.arena(); if (string.size() <= kSmallByteStringCapacity) { SetSmall(arena, string); -diff --git a/common/value.h b/common/value.h +diff --git a/common/typeinfo.h b/common/typeinfo.h index 06a03c13d..9f5d77980 100644 +--- a/common/typeinfo.h ++++ b/common/typeinfo.h +@@ -80,7 +80,7 @@ + std::conjunction_v, + std::negation>>, + TypeInfo> +-TypeId(const T& t) { ++TypeId(const T& t [[maybe_unused]]) { + return NativeTypeTraits>::Id(t); + } + +@@ -90,7 +90,7 @@ + std::negation>, + std::is_final>, + TypeInfo> +-TypeId(const T& t) { ++TypeId(const T& t [[maybe_unused]]) { + return cel::TypeId>(); + } + +@@ -99,7 +99,7 @@ + std::conjunction_v>, + common_internal::HasCelTypeId>, + TypeInfo> +-TypeId(const T& t) { ++TypeId(const T& t [[maybe_unused]]) { + return CelTypeId(t); + } + +diff --git a/common/value.h b/common/value.h +index abcdef123..987654fed 100644 --- a/common/value.h +++ b/common/value.h -@@ -2733,7 +2733,7 @@ - absl::Nonnull descriptor_pool, - absl::Nonnull message_factory, - absl::Nonnull arena) const { +@@ -2726,7 +2726,7 @@ + const google::protobuf::DescriptorPool* absl_nonnull descriptor_pool, + google::protobuf::MessageFactory* absl_nonnull message_factory, + google::protobuf::Arena* absl_nonnull arena) const { - ABSL_DCHECK_GT(qualifiers.size(), 0); + ABSL_DCHECK_GT(static_cast(qualifiers.size()), 0); ABSL_DCHECK(descriptor_pool != nullptr); @@ -47,42 +64,22 @@ diff --git a/common/values/value_variant.h b/common/values/value_variant.h index 61c19ce5f..fc7969bc8 100644 --- a/common/values/value_variant.h +++ b/common/values/value_variant.h -@@ -732,6 +732,13 @@ - const bool rhs_trivial = - (rhs.flags_ & ValueFlags::kNonTrivial) == ValueFlags::kNone; - if (lhs_trivial && rhs_trivial) { -+ // We need to suppress the compiler warnings about memory manipulation. -+ // The memcpy usage here is intentional for performance optimization -+ // Only suppress this warning on GCC, as Clang doesn't have this warning -+#if defined(__GNUC__) && !defined(__clang__) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wclass-memaccess" -+#endif +@@ -737,9 +737,6 @@ + #if defined(__GNUC__) && !defined(__clang__) + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wclass-memaccess" +-#elif defined(__clang__) +-#pragma clang diagnostic push +-#pragma clang diagnostic ignored "-Wnontrivial-memcall" + #endif alignas(ValueVariant) std::byte tmp[sizeof(ValueVariant)]; // NOLINTNEXTLINE(bugprone-undefined-memory-manipulation) - std::memcpy(tmp, std::addressof(lhs), sizeof(ValueVariant)); -@@ -740,6 +747,9 @@ - sizeof(ValueVariant)); - // NOLINTNEXTLINE(bugprone-undefined-memory-manipulation) +@@ -751,8 +748,6 @@ std::memcpy(std::addressof(rhs), tmp, sizeof(ValueVariant)); -+#if defined(__GNUC__) && !defined(__clang__) -+#pragma GCC diagnostic pop -+#endif + #if defined(__GNUC__) && !defined(__clang__) + #pragma GCC diagnostic pop +-#elif defined(__clang__) +-#pragma clang diagnostic pop + #endif } else { - SlowSwap(lhs, rhs, lhs_trivial, rhs_trivial); - } -diff --git a/runtime/type_registry.h b/runtime/type_registry.h -index 2b247946c..3e5ad423b 100644 ---- a/runtime/type_registry.h -+++ b/runtime/type_registry.h -@@ -77,8 +77,8 @@ - // Move-only - TypeRegistry(const TypeRegistry& other) = delete; - TypeRegistry& operator=(TypeRegistry& other) = delete; -- TypeRegistry(TypeRegistry&& other) = default; -- TypeRegistry& operator=(TypeRegistry&& other) = default; -+ TypeRegistry(TypeRegistry&& other) = delete; -+ TypeRegistry& operator=(TypeRegistry&& other) = delete; - - // Registers a type such that it can be accessed by name, i.e. `type(foo) == - // my_type`. Where `my_type` is the type being registered. + SlowSwap(lhs, rhs, lhs_trivial, rhs_trivial); \ No newline at end of file diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 547f759b78805..74053dc9cb012 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1337,8 +1337,8 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Common Expression Language (CEL) C++ library", project_desc = "Common Expression Language (CEL) C++ library", project_url = "https://opensource.google/projects/cel", - version = "0.11.0", - sha256 = "777f6780a3cc72264c3cc3279cc92affbaefb2bdc01aaff88463cca5b6167e1d", + version = "0.13.0", + sha256 = "5766e26732c779b83daf37f9e7584ddee9748adcde662bf1f2291bbeb13e1a0a", strip_prefix = "cel-cpp-{version}", urls = ["https://github.com/google/cel-cpp/archive/v{version}.tar.gz"], use_category = ["dataplane_ext"], @@ -1360,7 +1360,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( "envoy.tracers.opentelemetry", "envoy.tracers.opentelemetry.samplers.cel", ], - release_date = "2025-04-03", + release_date = "2025-07-30", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/google/cel-cpp/blob/v{version}/LICENSE", From a73d92a4e1b12e2c4ec897423b6e06dff0f23a0d Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Thu, 31 Jul 2025 23:53:27 +0000 Subject: [PATCH 132/505] deps: Bump `bazel_features` -> 1.33.0 (#40506) ## Description This PR bump `bazel_features` -> 1.33.0 Fix https://github.com/envoyproxy/envoy/issues/40498 --- Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 74053dc9cb012..f60cc2c3886c4 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -34,11 +34,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Bazel features", project_desc = "Support Bazel feature detection from starlark", project_url = "https://github.com/bazel-contrib/bazel_features", - version = "1.32.0", - sha256 = "07bd2b18764cdee1e0d6ff42c9c0a6111ffcbd0c17f0de38e7f44f1519d1c0cd", + version = "1.33.0", + sha256 = "c41853e3b636c533b86bf5ab4658064e6cc9db0a3bce52cbff0629e094344ca9", urls = ["https://github.com/bazel-contrib/bazel_features/releases/download/v{version}/bazel_features-v{version}.tar.gz"], strip_prefix = "bazel_features-{version}", - release_date = "2025-06-17", + release_date = "2025-07-30", use_category = ["build"], license = "Apache-2.0", license_url = "https://github.com/bazel-contrib/bazel_features/blob/v{version}/LICENSE", From 09fee430f70c8d4612133ca1c7fe03d9e0940684 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 31 Jul 2025 21:31:10 -0400 Subject: [PATCH 133/505] Specify matchers to make newer gtest work (#40504) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../common/subscription_factory_impl_test.cc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/test/extensions/config_subscription/common/subscription_factory_impl_test.cc b/test/extensions/config_subscription/common/subscription_factory_impl_test.cc index 6477abf3cbcd2..76d04b57c3008 100644 --- a/test/extensions/config_subscription/common/subscription_factory_impl_test.cc +++ b/test/extensions/config_subscription/common/subscription_factory_impl_test.cc @@ -31,15 +31,16 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" +namespace Envoy { +namespace Config { +namespace { + using ::testing::_; +using ::testing::Eq; using ::testing::Invoke; using ::testing::Return; using ::testing::ReturnRef; -namespace Envoy { -namespace Config { -namespace { - enum class LegacyOrUnified { Legacy, Unified }; class SubscriptionFactoryTest : public testing::Test { @@ -370,7 +371,7 @@ TEST_F(SubscriptionFactoryTest, FilesystemSubscription) { config.set_path(test_path); auto* watcher = new Filesystem::MockWatcher(); EXPECT_CALL(dispatcher_, createFilesystemWatcher_()).WillOnce(Return(watcher)); - EXPECT_CALL(*watcher, addWatch(test_path, _, _)); + EXPECT_CALL(*watcher, addWatch(Eq(test_path), _, _)); EXPECT_CALL(callbacks_, onConfigUpdateFailed(_, _)); subscriptionFromConfigSource(config)->start({"foo"}); } @@ -387,7 +388,7 @@ TEST_F(SubscriptionFactoryTest, FilesystemCollectionSubscription) { std::string test_path = TestEnvironment::temporaryDirectory(); auto* watcher = new Filesystem::MockWatcher(); EXPECT_CALL(dispatcher_, createFilesystemWatcher_()).WillOnce(Return(watcher)); - EXPECT_CALL(*watcher, addWatch(test_path, _, _)); + EXPECT_CALL(*watcher, addWatch(Eq(test_path), _, _)); EXPECT_CALL(callbacks_, onConfigUpdateFailed(_, _)); // Unix paths start with /, Windows with c:/. const std::string file_path = test_path[0] == '/' ? test_path.substr(1) : test_path; From 04b5302c874ba6dc9449505b4445af2508bc6c1b Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 31 Jul 2025 21:53:37 -0400 Subject: [PATCH 134/505] Simplify the protobuf::BytesValue::set_value call (#40507) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../filters/listener/proxy_protocol/proxy_protocol.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc index 3e1d5a8eee885..34517c5e532e9 100644 --- a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc +++ b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc @@ -573,7 +573,7 @@ bool Filter::parseTlvs(const uint8_t* buf, size_t len) { tlv_type); } else { Protobuf::BytesValue tlv_byte_value; - tlv_byte_value.set_value(tlv_value.data(), tlv_value.size()); + tlv_byte_value.set_value(tlv_value); tlvs_metadata.mutable_typed_metadata()->insert( {key_value_pair->key(), tlv_byte_value.value()}); ProtobufWkt::Any typed_metadata; From ce8d50e6b689b6db41903ead56d20fc3b23e5fc9 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 31 Jul 2025 22:34:01 -0400 Subject: [PATCH 135/505] Use specific type to avoid template argument deduction (#40508) It is not enabled on all toolchains. Risk Level: none Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/http/conn_manager_impl.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index 5c2fedc43bf3b..4d2c9bd1ef7f3 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -1647,7 +1647,7 @@ void ConnectionManagerImpl::ActiveStream::refreshDurationTimeout() { // See how long this stream has been alive, and adjust the timeout // accordingly. - std::chrono::duration time_used = std::chrono::duration_cast( + std::chrono::milliseconds time_used = std::chrono::duration_cast( connection_manager_.timeSource().monotonicTime() - filter_manager_.streamInfo().startTimeMonotonic()); if (timeout > time_used) { From 001b8595e084db6f469596ef6aa7f0aac2f001a8 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 1 Aug 2025 06:09:58 -0700 Subject: [PATCH 136/505] udp_proxy: deprecate flag enable_udp_proxy_outlier_detection and remove legacy code paths (#40512) Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../filters/udp/udp_proxy/udp_proxy_filter.cc | 15 +++------------ 3 files changed, 6 insertions(+), 13 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 216741d4fcc1d..76cc81a03298c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -29,6 +29,9 @@ removed_config_or_runtime: - area: quic change: | Removed runtime guard ``envoy.reloadable_features.prefer_quic_client_udp_gro`` and legacy code paths. +- area: udp_proxy + change: | + Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index f30626af8d57b..4a941c9b86ca8 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -39,7 +39,6 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_cel_regex_precompilation); RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); -RUNTIME_GUARD(envoy_reloadable_features_enable_udp_proxy_outlier_detection); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); RUNTIME_GUARD(envoy_reloadable_features_filter_chain_aborted_can_not_continue); RUNTIME_GUARD(envoy_reloadable_features_gcp_authn_use_fixed_url); diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc index d0074a95cb4d3..f6ee7671cc5c6 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc @@ -1070,20 +1070,14 @@ void UdpProxyFilter::TunnelingActiveSession::onStreamFailure( break; case ConnectionPool::PoolFailureReason::Timeout: udp_session_info_.setResponseFlag(StreamInfo::CoreResponseFlag::UpstreamConnectionFailure); - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.enable_udp_proxy_outlier_detection")) { - host.outlierDetector().putResult(Upstream::Outlier::Result::LocalOriginTimeout); - } + host.outlierDetector().putResult(Upstream::Outlier::Result::LocalOriginTimeout); onUpstreamEvent(Network::ConnectionEvent::RemoteClose); break; case ConnectionPool::PoolFailureReason::RemoteConnectionFailure: if (connecting_) { udp_session_info_.setResponseFlag(StreamInfo::CoreResponseFlag::UpstreamConnectionFailure); } - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.enable_udp_proxy_outlier_detection")) { - host.outlierDetector().putResult(Upstream::Outlier::Result::LocalOriginConnectFailed); - } + host.outlierDetector().putResult(Upstream::Outlier::Result::LocalOriginConnectFailed); onUpstreamEvent(Network::ConnectionEvent::RemoteClose); break; } @@ -1105,10 +1099,7 @@ void UdpProxyFilter::TunnelingActiveSession::onStreamReady(StreamInfo::StreamInf connecting_ = false; can_send_upstream_ = true; cluster_->cluster_stats_.sess_tunnel_success_.inc(); - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.enable_udp_proxy_outlier_detection")) { - host.outlierDetector().putResult(Upstream::Outlier::Result::LocalOriginConnectSuccessFinal); - } + host.outlierDetector().putResult(Upstream::Outlier::Result::LocalOriginConnectSuccessFinal); if (filter_.config_->flushAccessLogOnTunnelConnected()) { fillSessionStreamInfo(); From b16259a18bb57e730cb11d46571582d6d75e7912 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 1 Aug 2025 09:45:50 -0700 Subject: [PATCH 137/505] release: fixes the typo in v1.35.x EOL date (#40515) ## Description This PR fixes the typo in the v1.35.x EOL date. Fix https://github.com/envoyproxy/envoy/issues/40514 Signed-off-by: Rohit Agrawal --- RELEASES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASES.md b/RELEASES.md index cab2bbe82ee5f..22643b5060138 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -100,7 +100,7 @@ deadline of 3 weeks. | 1.32.0 | 2024/10/15 | 2024/10/15 | 0 days | 2025/10/15 | | 1.33.0 | 2025/01/14 | 2025/01/14 | 0 days | 2026/01/14 | | 1.34.0 | 2025/04/15 | 2025/04/15 | 0 days | 2026/04/15 | -| 1.35.0 | 2025/07/15 | 2025/07/23 | 8 days | 2025/07/23 | +| 1.35.0 | 2025/07/15 | 2025/07/23 | 8 days | 2026/07/23 | | 1.36.0 | 2025/10/14 | | | | ### Cutting a major release From 96c84811734ff82ff1c9230bd67de3755cbf57d7 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 1 Aug 2025 10:55:57 -0700 Subject: [PATCH 138/505] ip_matcher: rename TrieMatcher to IpRangeMatcher (#40505) --- .../advanced/matching/matching_api.rst | 4 +- source/extensions/common/matcher/BUILD | 6 +-- .../{trie_matcher.cc => ip_range_matcher.cc} | 8 ++-- .../{trie_matcher.h => ip_range_matcher.h} | 45 ++++++++++--------- source/extensions/extensions_build_config.bzl | 2 +- source/extensions/extensions_metadata.yaml | 2 +- test/common/listener_manager/BUILD | 2 +- .../listener_manager_impl_test.cc | 2 +- test/extensions/common/matcher/BUILD | 6 +-- ...tcher_test.cc => ip_range_matcher_test.cc} | 37 +++++++-------- test/extensions/filters/http/rbac/BUILD | 4 +- tools/code_format/config.yaml | 2 +- 12 files changed, 61 insertions(+), 59 deletions(-) rename source/extensions/common/matcher/{trie_matcher.cc => ip_range_matcher.cc} (69%) rename source/extensions/common/matcher/{trie_matcher.h => ip_range_matcher.h} (77%) rename test/extensions/common/matcher/{trie_matcher_test.cc => ip_range_matcher_test.cc} (96%) diff --git a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst index d930df331dfe8..af2abdf2d0c75 100644 --- a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst +++ b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst @@ -80,9 +80,9 @@ Custom Matching Algorithms In addition to the built-in exact and prefix matchers, these custom matchers are available in some contexts: -.. _extension_envoy.matching.custom_matchers.trie_matcher: +.. _extension_envoy.matching.custom_matchers.ip_range_matcher: -* :ref:`Trie-based IP matcher ` applies to network inputs. +* :ref:`IP range matcher ` applies to network inputs. .. _extension_envoy.matching.custom_matchers.domain_matcher: diff --git a/source/extensions/common/matcher/BUILD b/source/extensions/common/matcher/BUILD index 2d2d56a96f12d..b1319595c46ed 100644 --- a/source/extensions/common/matcher/BUILD +++ b/source/extensions/common/matcher/BUILD @@ -22,9 +22,9 @@ envoy_cc_library( ) envoy_cc_extension( - name = "trie_matcher_lib", - srcs = ["trie_matcher.cc"], - hdrs = ["trie_matcher.h"], + name = "ip_range_matcher_lib", + srcs = ["ip_range_matcher.cc"], + hdrs = ["ip_range_matcher.h"], extra_visibility = [ "//source/common/listener_manager:__subpackages__", "//test:__subpackages__", diff --git a/source/extensions/common/matcher/trie_matcher.cc b/source/extensions/common/matcher/ip_range_matcher.cc similarity index 69% rename from source/extensions/common/matcher/trie_matcher.cc rename to source/extensions/common/matcher/ip_range_matcher.cc index e0fbf4e66637a..0d419b23717e5 100644 --- a/source/extensions/common/matcher/trie_matcher.cc +++ b/source/extensions/common/matcher/ip_range_matcher.cc @@ -1,4 +1,4 @@ -#include "source/extensions/common/matcher/trie_matcher.h" +#include "source/extensions/common/matcher/ip_range_matcher.h" #include "envoy/registry/registry.h" @@ -7,11 +7,11 @@ namespace Extensions { namespace Common { namespace Matcher { -REGISTER_FACTORY(NetworkTrieMatcherFactory, +REGISTER_FACTORY(NetworkIpRangeMatcherFactory, ::Envoy::Matcher::CustomMatcherFactory); -REGISTER_FACTORY(UdpNetworkTrieMatcherFactory, +REGISTER_FACTORY(UdpNetworkIpRangeMatcherFactory, ::Envoy::Matcher::CustomMatcherFactory); -REGISTER_FACTORY(HttpTrieMatcherFactory, +REGISTER_FACTORY(HttpIpRangeMatcherFactory, ::Envoy::Matcher::CustomMatcherFactory); } // namespace Matcher diff --git a/source/extensions/common/matcher/trie_matcher.h b/source/extensions/common/matcher/ip_range_matcher.h similarity index 77% rename from source/extensions/common/matcher/trie_matcher.h rename to source/extensions/common/matcher/ip_range_matcher.h index d9a0d2f266b1d..0fb78e2ef9e32 100644 --- a/source/extensions/common/matcher/trie_matcher.h +++ b/source/extensions/common/matcher/ip_range_matcher.h @@ -26,25 +26,25 @@ using ::Envoy::Matcher::OnMatchFactory; using ::Envoy::Matcher::OnMatchFactoryCb; using ::Envoy::Matcher::SkippedMatchCb; -template struct TrieNode { +template struct IpRangeNode { size_t index_; uint32_t prefix_len_; bool exclusive_; std::shared_ptr> on_match_; - friend bool operator==(const TrieNode& lhs, const TrieNode& rhs) { + friend bool operator==(const IpRangeNode& lhs, const IpRangeNode& rhs) { return lhs.index_ == rhs.index_ && lhs.prefix_len_ == rhs.prefix_len_ && lhs.exclusive_ == rhs.exclusive_ && lhs.on_match_ == rhs.on_match_; } template friend H AbslHashValue(H h, // NOLINT(readability-identifier-naming) - const TrieNode& node) { + const IpRangeNode& node) { return H::combine(std::move(h), node.index_, node.prefix_len_, node.exclusive_, node.on_match_); } }; -template struct TrieNodeComparator { - inline bool operator()(const TrieNode& lhs, const TrieNode& rhs) const { +template struct IpRangeNodeComparator { + inline bool operator()(const IpRangeNode& lhs, const IpRangeNode& rhs) const { if (lhs.prefix_len_ > rhs.prefix_len_) { return true; } @@ -56,18 +56,18 @@ template struct TrieNodeComparator { }; /** - * Implementation of a `sublinear` LC-trie matcher. + * Implementation of a `sublinear` LC-trie matcher for IP ranges. */ -template class TrieMatcher : public MatchTree { +template class IpRangeMatcher : public MatchTree { public: - TrieMatcher(DataInputPtr&& data_input, absl::optional> on_no_match, - const std::shared_ptr>>& trie) + IpRangeMatcher(DataInputPtr&& data_input, absl::optional> on_no_match, + const std::shared_ptr>>& trie) : data_input_(std::move(data_input)), on_no_match_(std::move(on_no_match)), trie_(trie) { auto input_type = data_input_->dataInputType(); if (input_type != Envoy::Matcher::DefaultMatchingDataType) { throw EnvoyException( absl::StrCat("Unsupported data input type: ", input_type, - ", currently only string type is supported in trie matcher")); + ", currently only string type is supported in IP range matcher")); } } @@ -87,7 +87,7 @@ template class TrieMatcher : public MatchTree { auto values = trie_->getData(addr); // The candidates returned by the LC trie are not in any specific order, so we // sort them by the prefix length first (longest first), and the order of declaration second. - std::sort(values.begin(), values.end(), TrieNodeComparator()); + std::sort(values.begin(), values.end(), IpRangeNodeComparator()); bool first = true; for (const auto& node : values) { if (!first && node.exclusive_) { @@ -111,11 +111,11 @@ template class TrieMatcher : public MatchTree { private: const DataInputPtr data_input_; const absl::optional> on_no_match_; - std::shared_ptr>> trie_; + std::shared_ptr>> trie_; }; template -class TrieMatcherFactoryBase : public ::Envoy::Matcher::CustomMatcherFactory { +class IpRangeMatcherFactoryBase : public ::Envoy::Matcher::CustomMatcherFactory { public: ::Envoy::Matcher::MatchTreeFactoryCb createCustomMatcherFactoryCb(const Protobuf::Message& config, @@ -131,7 +131,7 @@ class TrieMatcherFactoryBase : public ::Envoy::Matcher::CustomMatcherFactory, std::vector>> data; + std::vector, std::vector>> data; data.reserve(match_children.size()); size_t i = 0; // Ranges might have variable prefix length so we cannot combine them into one node because @@ -139,16 +139,16 @@ class TrieMatcherFactoryBase : public ::Envoy::Matcher::CustomMatcherFactory>(match_children[i++]()); for (const auto& range : range_matcher.ranges()) { - TrieNode node = {i, range.prefix_len().value(), range_matcher.exclusive(), - on_match}; + IpRangeNode node = {i, range.prefix_len().value(), range_matcher.exclusive(), + on_match}; data.push_back({node, {THROW_OR_RETURN_VALUE(Network::Address::CidrRange::create(range), Network::Address::CidrRange)}}); } } - auto lc_trie = std::make_shared>>(data); + auto lc_trie = std::make_shared>>(data); return [data_input, lc_trie, on_no_match]() { - return std::make_unique>( + return std::make_unique>( data_input(), on_no_match ? absl::make_optional(on_no_match.value()()) : absl::nullopt, lc_trie); }; @@ -156,12 +156,13 @@ class TrieMatcherFactoryBase : public ::Envoy::Matcher::CustomMatcherFactory(); } - std::string name() const override { return "envoy.matching.custom_matchers.trie_matcher"; } + std::string name() const override { return "envoy.matching.custom_matchers.ip_range_matcher"; } }; -class NetworkTrieMatcherFactory : public TrieMatcherFactoryBase {}; -class UdpNetworkTrieMatcherFactory : public TrieMatcherFactoryBase {}; -class HttpTrieMatcherFactory : public TrieMatcherFactoryBase {}; +class NetworkIpRangeMatcherFactory : public IpRangeMatcherFactoryBase {}; +class UdpNetworkIpRangeMatcherFactory : public IpRangeMatcherFactoryBase { +}; +class HttpIpRangeMatcherFactory : public IpRangeMatcherFactoryBase {}; } // namespace Matcher } // namespace Common diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 0e87a50c70422..06512d6bd5279 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -488,7 +488,7 @@ EXTENSIONS = { # Custom matchers # - "envoy.matching.custom_matchers.trie_matcher": "//source/extensions/common/matcher:trie_matcher_lib", + "envoy.matching.custom_matchers.ip_range_matcher": "//source/extensions/common/matcher:ip_range_matcher_lib", "envoy.matching.custom_matchers.domain_matcher": "//source/extensions/common/matcher:domain_matcher_lib", # diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 6bf97f2dfb0cc..b6a83474b7423 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -1708,7 +1708,7 @@ envoy.matching.custom_matchers.domain_matcher: status: alpha type_urls: - xds.type.matcher.v3.ServerNameMatcher -envoy.matching.custom_matchers.trie_matcher: +envoy.matching.custom_matchers.ip_range_matcher: categories: - envoy.matching.http.custom_matchers - envoy.matching.network.custom_matchers diff --git a/test/common/listener_manager/BUILD b/test/common/listener_manager/BUILD index 3c635e0f206c6..5171fb943dd40 100644 --- a/test/common/listener_manager/BUILD +++ b/test/common/listener_manager/BUILD @@ -49,7 +49,7 @@ envoy_cc_test_library( "//source/common/listener_manager:listener_manager_lib", "//source/common/tls:server_context_lib", "//source/extensions/api_listeners/default_api_listener:api_listener_lib", - "//source/extensions/common/matcher:trie_matcher_lib", + "//source/extensions/common/matcher:ip_range_matcher_lib", "//test/mocks/init:init_mocks", "//test/mocks/matcher:matcher_mocks", "//test/mocks/network:network_mocks", diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index 77b51da017c59..c66fd36cdd905 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -25,7 +25,7 @@ #include "source/common/protobuf/protobuf.h" #include "source/common/router/string_accessor_impl.h" #include "source/common/tls/ssl_socket.h" -#include "source/extensions/common/matcher/trie_matcher.h" +#include "source/extensions/common/matcher/ip_range_matcher.h" #include "source/extensions/filters/listener/original_dst/original_dst.h" #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h" diff --git a/test/extensions/common/matcher/BUILD b/test/extensions/common/matcher/BUILD index 3e12b6b801197..345fe7fc6fa52 100644 --- a/test/extensions/common/matcher/BUILD +++ b/test/extensions/common/matcher/BUILD @@ -21,15 +21,15 @@ envoy_cc_test( ) envoy_cc_test( - name = "trie_matcher_test", - srcs = ["trie_matcher_test.cc"], + name = "ip_range_matcher_test", + srcs = ["ip_range_matcher_test.cc"], rbe_pool = "6gig", deps = [ "//source/common/matcher:matcher_lib", "//source/common/network:address_lib", "//source/common/network/matching:data_impl_lib", "//source/common/network/matching:inputs_lib", - "//source/extensions/common/matcher:trie_matcher_lib", + "//source/extensions/common/matcher:ip_range_matcher_lib", "//source/extensions/matching/network/application_protocol:config", "//test/common/matcher:test_utility_lib", "//test/mocks/http:http_mocks", diff --git a/test/extensions/common/matcher/trie_matcher_test.cc b/test/extensions/common/matcher/ip_range_matcher_test.cc similarity index 96% rename from test/extensions/common/matcher/trie_matcher_test.cc rename to test/extensions/common/matcher/ip_range_matcher_test.cc index d7a4536b5fba9..be6fef2eccf4a 100644 --- a/test/extensions/common/matcher/trie_matcher_test.cc +++ b/test/extensions/common/matcher/ip_range_matcher_test.cc @@ -8,7 +8,7 @@ #include "source/common/network/address_impl.h" #include "source/common/network/matching/data_impl.h" #include "source/common/protobuf/utility.h" -#include "source/extensions/common/matcher/trie_matcher.h" +#include "source/extensions/common/matcher/ip_range_matcher.h" #include "test/common/matcher/test_utility.h" #include "test/mocks/matcher/mocks.h" @@ -40,16 +40,17 @@ using ::Envoy::Matcher::MatchTreeFactory; using ::Envoy::Matcher::MatchTreePtr; using ::Envoy::Matcher::MatchTreeSharedPtr; using ::Envoy::Matcher::MockMatchTreeValidationVisitor; +using ::Envoy::Matcher::SkippedMatchCb; using ::Envoy::Matcher::StringActionFactory; using ::Envoy::Matcher::TestData; using ::Envoy::Matcher::TestDataInputBoolFactory; using ::Envoy::Matcher::TestDataInputStringFactory; using ::testing::ElementsAre; -class TrieMatcherTest : public ::testing::Test { +class IpRangeMatcherTest : public ::testing::Test { public: - TrieMatcherTest() - : inject_action_(action_factory_), inject_matcher_(trie_matcher_factory_), + IpRangeMatcherTest() + : inject_action_(action_factory_), inject_matcher_(ip_range_matcher_factory_), factory_(context_, factory_context_, validation_visitor_) { EXPECT_CALL(validation_visitor_, performDataInputValidation(_, _)).Times(testing::AnyNumber()); } @@ -66,7 +67,7 @@ class TrieMatcherTest : public ::testing::Test { StringActionFactory action_factory_; Registry::InjectFactory> inject_action_; - TrieMatcherFactoryBase trie_matcher_factory_; + IpRangeMatcherFactoryBase ip_range_matcher_factory_; Registry::InjectFactory> inject_matcher_; MockMatchTreeValidationVisitor validation_visitor_; @@ -78,7 +79,7 @@ class TrieMatcherTest : public ::testing::Test { SkippedMatchCb skipped_match_cb_ = nullptr; }; -TEST_F(TrieMatcherTest, TestMatcher) { +TEST_F(IpRangeMatcherTest, TestMatcher) { const std::string yaml = R"EOF( matcher_tree: input: @@ -129,7 +130,7 @@ TEST_F(TrieMatcherTest, TestMatcher) { } } -TEST_F(TrieMatcherTest, TestInvalidMatcher) { +TEST_F(IpRangeMatcherTest, TestInvalidMatcher) { const std::string yaml = R"EOF( matcher_tree: input: @@ -164,11 +165,11 @@ TEST_F(TrieMatcherTest, TestInvalidMatcher) { auto input_factory = ::Envoy::Matcher::TestDataInputFloatFactory(3.14); auto match_tree = factory_.create(matcher_); std::string error_message = absl::StrCat("Unsupported data input type: float, currently only " - "string type is supported in trie matcher"); + "string type is supported in IP range matcher"); EXPECT_THROW_WITH_MESSAGE(match_tree(), EnvoyException, error_message); } -TEST_F(TrieMatcherTest, TestMatcherOnNoMatch) { +TEST_F(IpRangeMatcherTest, TestMatcherOnNoMatch) { const std::string yaml = R"EOF( matcher_tree: input: @@ -220,7 +221,7 @@ TEST_F(TrieMatcherTest, TestMatcherOnNoMatch) { } } -TEST_F(TrieMatcherTest, OverlappingMatcher) { +TEST_F(IpRangeMatcherTest, OverlappingMatcher) { const std::string yaml = R"EOF( matcher_tree: input: @@ -275,7 +276,7 @@ TEST_F(TrieMatcherTest, OverlappingMatcher) { } } -TEST_F(TrieMatcherTest, NestedInclusiveMatcher) { +TEST_F(IpRangeMatcherTest, NestedInclusiveMatcher) { const std::string yaml = R"EOF( matcher_tree: input: @@ -333,7 +334,7 @@ TEST_F(TrieMatcherTest, NestedInclusiveMatcher) { } } -TEST_F(TrieMatcherTest, NestedExclusiveMatcher) { +TEST_F(IpRangeMatcherTest, NestedExclusiveMatcher) { const std::string yaml = R"EOF( matcher_tree: input: @@ -393,7 +394,7 @@ TEST_F(TrieMatcherTest, NestedExclusiveMatcher) { } } -TEST_F(TrieMatcherTest, RecursiveMatcherTree) { +TEST_F(IpRangeMatcherTest, RecursiveMatcherTree) { const std::string yaml = R"EOF( matcher_tree: input: @@ -466,7 +467,7 @@ TEST_F(TrieMatcherTest, RecursiveMatcherTree) { } } -TEST_F(TrieMatcherTest, NoData) { +TEST_F(IpRangeMatcherTest, NoData) { const std::string yaml = R"EOF( matcher_tree: input: @@ -530,7 +531,7 @@ TEST_F(TrieMatcherTest, NoData) { } } -TEST_F(TrieMatcherTest, ExerciseKeepMatching) { +TEST_F(IpRangeMatcherTest, ExerciseKeepMatching) { const std::string yaml = R"EOF( matcher_tree: input: @@ -615,7 +616,7 @@ TEST_F(TrieMatcherTest, ExerciseKeepMatching) { ElementsAre(IsStringAction("foo"), IsStringAction("baz"), IsStringAction("bag"))); } -TEST(TrieMatcherIntegrationTest, NetworkMatchingData) { +TEST(IpRangeMatcherIntegrationTest, NetworkMatchingData) { const std::string yaml = R"EOF( matcher_tree: input: @@ -661,7 +662,7 @@ TEST(TrieMatcherIntegrationTest, NetworkMatchingData) { EXPECT_THAT(result, HasStringAction("foo")); } -TEST(TrieMatcherIntegrationTest, UdpNetworkMatchingData) { +TEST(IpRangeMatcherIntegrationTest, UdpNetworkMatchingData) { const std::string yaml = R"EOF( matcher_tree: input: @@ -704,7 +705,7 @@ TEST(TrieMatcherIntegrationTest, UdpNetworkMatchingData) { EXPECT_THAT(result, HasStringAction("foo")); } -TEST(TrieMatcherIntegrationTest, HttpMatchingData) { +TEST(IpRangeMatcherIntegrationTest, HttpMatchingData) { const std::string yaml = R"EOF( matcher_tree: input: diff --git a/test/extensions/filters/http/rbac/BUILD b/test/extensions/filters/http/rbac/BUILD index 1936c757eaf73..84236e4bd44d3 100644 --- a/test/extensions/filters/http/rbac/BUILD +++ b/test/extensions/filters/http/rbac/BUILD @@ -36,8 +36,8 @@ envoy_extension_cc_test( rbe_pool = "6gig", tags = ["skip_on_windows"], deps = [ + "//source/extensions/common/matcher:ip_range_matcher_lib", "//source/extensions/common/matcher:matcher_lib", - "//source/extensions/common/matcher:trie_matcher_lib", "//source/extensions/filters/common/rbac:utility_lib", "//source/extensions/filters/http/rbac:rbac_filter_lib", "//source/extensions/matching/http/cel_input:cel_input_lib", @@ -67,8 +67,8 @@ envoy_extension_cc_test( tags = ["skip_on_windows"], deps = [ "//source/extensions/clusters/dynamic_forward_proxy:cluster", + "//source/extensions/common/matcher:ip_range_matcher_lib", "//source/extensions/common/matcher:matcher_lib", - "//source/extensions/common/matcher:trie_matcher_lib", "//source/extensions/filters/http/dynamic_forward_proxy:config", "//source/extensions/filters/http/header_to_metadata:config", "//source/extensions/filters/http/rbac:config", diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 72850f3e73c77..8ab23f648103b 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -90,7 +90,7 @@ paths: - source/common/filter/config_discovery_impl.h - source/common/config/utility.h - source/common/matcher/matcher.h - - source/extensions/common/matcher/trie_matcher.h + - source/extensions/common/matcher/ip_range_matcher.h - envoy/common/exception.h - source/common/protobuf/utility.h # legacy core files which throw exceptions. We can add to this list but strongly prefer From d4e8cb1be6baff02d7f512a2a40add07cc5ca82c Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 1 Aug 2025 11:06:28 -0700 Subject: [PATCH 139/505] http: deprecate flag filter_chain_aborted_can_not_continue and remove legacy code paths (#40511) Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/http/filter_manager.cc | 5 +---- source/common/runtime/runtime_features.cc | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 76cc81a03298c..c40c77d9cccb0 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -32,6 +32,9 @@ removed_config_or_runtime: - area: udp_proxy change: | Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc index 2db8bec5d04de..49c92a87b4772 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc @@ -373,10 +373,7 @@ bool ActiveStreamEncoderFilter::canContinue() { // As with ActiveStreamDecoderFilter::canContinue() make sure we do not // continue if a local reply has been sent or ActiveStreamDecoderFilter::recreateStream() is // called, etc. - return !parent_.state_.encoder_filter_chain_complete_ && - (!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.filter_chain_aborted_can_not_continue") || - !parent_.stopEncoderFilterChain()); + return !parent_.state_.encoder_filter_chain_complete_ && !parent_.stopEncoderFilterChain(); } Buffer::InstancePtr ActiveStreamDecoderFilter::createBuffer() { diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 4a941c9b86ca8..81337024e8132 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -40,7 +40,7 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); -RUNTIME_GUARD(envoy_reloadable_features_filter_chain_aborted_can_not_continue); + RUNTIME_GUARD(envoy_reloadable_features_gcp_authn_use_fixed_url); RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_num_retries); RUNTIME_GUARD(envoy_reloadable_features_grpc_side_stream_flow_control); From c9abf2f4587e3d51b1c98b87ab4ae8653021e8bb Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 1 Aug 2025 14:20:25 -0400 Subject: [PATCH 140/505] Removed unused dependency from header map to runtime (#40521) To prevent runtime headers to be pulled everywhere. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/http/BUILD | 1 - source/common/http/header_map_impl.cc | 1 - source/common/http/header_map_impl.h | 1 - source/common/quic/BUILD | 1 + source/common/quic/envoy_quic_client_connection.h | 1 + source/common/quic/envoy_quic_utils.cc | 1 + source/extensions/filters/http/gcp_authn/BUILD | 1 + source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc | 1 + test/common/quic/BUILD | 1 + test/common/quic/envoy_quic_utils_test.cc | 1 + 10 files changed, 7 insertions(+), 3 deletions(-) diff --git a/source/common/http/BUILD b/source/common/http/BUILD index 288761f3f7fbb..f784a9b99609c 100644 --- a/source/common/http/BUILD +++ b/source/common/http/BUILD @@ -467,7 +467,6 @@ envoy_cc_library( "//source/common/common:empty_string", "//source/common/common:non_copyable", "//source/common/common:utility_lib", - "//source/common/runtime:runtime_features_lib", "//source/common/singleton:const_singleton", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", ], diff --git a/source/common/http/header_map_impl.cc b/source/common/http/header_map_impl.cc index 4a6e8ac2c8248..1a5b4e6886a1a 100644 --- a/source/common/http/header_map_impl.cc +++ b/source/common/http/header_map_impl.cc @@ -10,7 +10,6 @@ #include "source/common/common/assert.h" #include "source/common/common/dump_state_utils.h" #include "source/common/common/empty_string.h" -#include "source/common/runtime/runtime_features.h" #include "source/common/singleton/const_singleton.h" #include "absl/strings/match.h" diff --git a/source/common/http/header_map_impl.h b/source/common/http/header_map_impl.h index 24ebc79bd414b..f053e42cacbd5 100644 --- a/source/common/http/header_map_impl.h +++ b/source/common/http/header_map_impl.h @@ -15,7 +15,6 @@ #include "source/common/common/non_copyable.h" #include "source/common/common/utility.h" #include "source/common/http/headers.h" -#include "source/common/runtime/runtime_features.h" namespace Envoy { namespace Http { diff --git a/source/common/quic/BUILD b/source/common/quic/BUILD index c44d4a489aa80..3e2ba82213d23 100644 --- a/source/common/quic/BUILD +++ b/source/common/quic/BUILD @@ -463,6 +463,7 @@ envoy_cc_library( "//source/common/network:socket_option_factory_lib", "//source/common/protobuf:utility_lib", "//source/common/quic:quic_io_handle_wrapper_lib", + "//source/common/runtime:runtime_lib", "@com_github_google_quiche//:quic_core_config_lib", "@com_github_google_quiche//:quic_core_http_header_list_lib", "@com_github_google_quiche//:quic_platform", diff --git a/source/common/quic/envoy_quic_client_connection.h b/source/common/quic/envoy_quic_client_connection.h index 0da8a59418e78..c257219503c9f 100644 --- a/source/common/quic/envoy_quic_client_connection.h +++ b/source/common/quic/envoy_quic_client_connection.h @@ -6,6 +6,7 @@ #include "source/common/quic/envoy_quic_packet_writer.h" #include "source/common/quic/envoy_quic_utils.h" #include "source/common/quic/quic_network_connection.h" +#include "source/common/runtime/runtime_features.h" #include "quiche/quic/core/quic_connection.h" diff --git a/source/common/quic/envoy_quic_utils.cc b/source/common/quic/envoy_quic_utils.cc index e4eecffebc096..a5af7ac94bd6a 100644 --- a/source/common/quic/envoy_quic_utils.cc +++ b/source/common/quic/envoy_quic_utils.cc @@ -10,6 +10,7 @@ #include "source/common/network/socket_option_factory.h" #include "source/common/network/utility.h" #include "source/common/protobuf/utility.h" +#include "source/common/runtime/runtime_features.h" #include "openssl/crypto.h" diff --git a/source/extensions/filters/http/gcp_authn/BUILD b/source/extensions/filters/http/gcp_authn/BUILD index 2dd2e7daa00ce..c6e0ba93debcd 100644 --- a/source/extensions/filters/http/gcp_authn/BUILD +++ b/source/extensions/filters/http/gcp_authn/BUILD @@ -19,6 +19,7 @@ envoy_cc_library( "//source/common/http:headers_lib", "//source/common/http:message_lib", "//source/common/http:utility_lib", + "//source/common/runtime:runtime_features_lib", "//source/extensions/filters/http/common:factory_base_lib", "//source/extensions/filters/http/common:pass_through_filter_lib", "@envoy_api//envoy/extensions/filters/http/gcp_authn/v3:pkg_cc_proto", diff --git a/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc b/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc index ef0d4e992d68b..5f88b4f0c10a6 100644 --- a/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc +++ b/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc @@ -6,6 +6,7 @@ #include "source/common/common/enum_to_int.h" #include "source/common/http/header_map_impl.h" #include "source/common/http/utility.h" +#include "source/common/runtime/runtime_features.h" #include "absl/strings/str_replace.h" diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index b1702ef161916..bc61e050ff7d6 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -332,6 +332,7 @@ envoy_cc_test( rbe_pool = "6gig", deps = envoy_select_enable_http3([ "//source/common/quic:envoy_quic_utils_lib", + "//source/common/runtime:runtime_lib", "//test/mocks/api:api_mocks", "//test/test_common:threadsafe_singleton_injector_lib", "@com_github_google_quiche//:quic_test_tools_test_utils_lib", diff --git a/test/common/quic/envoy_quic_utils_test.cc b/test/common/quic/envoy_quic_utils_test.cc index 299a2cbdcbbb6..9597fd3283c9a 100644 --- a/test/common/quic/envoy_quic_utils_test.cc +++ b/test/common/quic/envoy_quic_utils_test.cc @@ -1,4 +1,5 @@ #include "source/common/quic/envoy_quic_utils.h" +#include "source/common/runtime/runtime_features.h" #include "test/mocks/api/mocks.h" #include "test/test_common/threadsafe_singleton_injector.h" From 5d1c3936703742b326a85754f47495373d2218b1 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 1 Aug 2025 14:21:23 -0400 Subject: [PATCH 141/505] Add missing include fstream (#40509) Risk Level: none Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- test/common/config/datasource_test.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/common/config/datasource_test.cc b/test/common/config/datasource_test.cc index b5bfcbceac5b0..203e6435608c5 100644 --- a/test/common/config/datasource_test.cc +++ b/test/common/config/datasource_test.cc @@ -1,3 +1,5 @@ +#include + #include "envoy/config/core/v3/base.pb.h" #include "envoy/config/core/v3/base.pb.validate.h" From 5942adaf1ed798301a0296af180f3e30bb4e786a Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 1 Aug 2025 14:35:38 -0400 Subject: [PATCH 142/505] Remove dependency from runtime to codec (#40522) codec_interface dependency is very heavy and brings in libevent. This prevents WASM modules that need to use runtime facility from compiling with v8 runtime. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- envoy/http/BUILD | 7 +++++++ envoy/http/codec.h | 15 +-------------- envoy/http/codec_runtime_overrides.h | 23 +++++++++++++++++++++++ source/common/runtime/BUILD | 3 +-- source/common/runtime/runtime_features.cc | 5 ++++- source/common/runtime/runtime_features.h | 8 ++------ 6 files changed, 38 insertions(+), 23 deletions(-) create mode 100644 envoy/http/codec_runtime_overrides.h diff --git a/envoy/http/BUILD b/envoy/http/BUILD index 68572e841b0f2..cb2b1a03695c9 100644 --- a/envoy/http/BUILD +++ b/envoy/http/BUILD @@ -40,10 +40,17 @@ envoy_cc_library( ], ) +envoy_cc_library( + name = "codec_runtime_overrides", + hdrs = ["codec_runtime_overrides.h"], + deps = ["@com_google_absl//absl/strings"], +) + envoy_cc_library( name = "codec_interface", hdrs = ["codec.h"], deps = [ + ":codec_runtime_overrides", ":header_map_interface", ":metadata_interface", ":protocol_interface", diff --git a/envoy/http/codec.h b/envoy/http/codec.h index a00db67b8b390..3c23ea86b2636 100644 --- a/envoy/http/codec.h +++ b/envoy/http/codec.h @@ -10,6 +10,7 @@ #include "envoy/common/optref.h" #include "envoy/common/pure.h" #include "envoy/grpc/status.h" +#include "envoy/http/codec_runtime_overrides.h" #include "envoy/http/header_formatter.h" #include "envoy/http/header_map.h" #include "envoy/http/metadata_interface.h" @@ -37,20 +38,6 @@ namespace Http3 { struct CodecStats; } -// Legacy default value of 60K is safely under both codec default limits. -static constexpr uint32_t DEFAULT_MAX_REQUEST_HEADERS_KB = 60; -// Default maximum number of headers. -static constexpr uint32_t DEFAULT_MAX_HEADERS_COUNT = 100; - -constexpr absl::string_view MaxRequestHeadersCountOverrideKey = - "envoy.reloadable_features.max_request_headers_count"; -constexpr absl::string_view MaxResponseHeadersCountOverrideKey = - "envoy.reloadable_features.max_response_headers_count"; -constexpr absl::string_view MaxRequestHeadersSizeOverrideKey = - "envoy.reloadable_features.max_request_headers_size_kb"; -constexpr absl::string_view MaxResponseHeadersSizeOverrideKey = - "envoy.reloadable_features.max_response_headers_size_kb"; - class Stream; class RequestDecoder; diff --git a/envoy/http/codec_runtime_overrides.h b/envoy/http/codec_runtime_overrides.h new file mode 100644 index 0000000000000..e75e4d5992e2f --- /dev/null +++ b/envoy/http/codec_runtime_overrides.h @@ -0,0 +1,23 @@ +#pragma once + +#include "absl/strings/string_view.h" + +namespace Envoy { +namespace Http { + +// Legacy default value of 60K is safely under both codec default limits. +static constexpr uint32_t DEFAULT_MAX_REQUEST_HEADERS_KB = 60; +// Default maximum number of headers. +static constexpr uint32_t DEFAULT_MAX_HEADERS_COUNT = 100; + +constexpr absl::string_view MaxRequestHeadersCountOverrideKey = + "envoy.reloadable_features.max_request_headers_count"; +constexpr absl::string_view MaxResponseHeadersCountOverrideKey = + "envoy.reloadable_features.max_response_headers_count"; +constexpr absl::string_view MaxRequestHeadersSizeOverrideKey = + "envoy.reloadable_features.max_request_headers_size_kb"; +constexpr absl::string_view MaxResponseHeadersSizeOverrideKey = + "envoy.reloadable_features.max_response_headers_size_kb"; + +} // namespace Http +} // namespace Envoy diff --git a/source/common/runtime/BUILD b/source/common/runtime/BUILD index 4ef3f40fe7dfa..7cc617d4cce80 100644 --- a/source/common/runtime/BUILD +++ b/source/common/runtime/BUILD @@ -48,9 +48,8 @@ envoy_cc_library( # the harder it is to runtime-guard without dependency loops. "@com_google_absl//absl/flags:commandlineflag", "@com_google_absl//absl/flags:flag", - "//envoy/http:codec_interface", + "//envoy/http:codec_runtime_overrides", "//envoy/runtime:runtime_interface", - "//source/common/common:hash_lib", "//source/common/singleton:const_singleton", ], ) diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 81337024e8132..9bb5c80ccbb60 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -1,9 +1,12 @@ #include "source/common/runtime/runtime_features.h" -#include "envoy/http/codec.h" +#include "envoy/http/codec_runtime_overrides.h" + +#include "source/common/singleton/const_singleton.h" #include "absl/flags/commandlineflag.h" #include "absl/flags/flag.h" +#include "absl/flags/reflection.h" #include "absl/strings/match.h" #include "absl/strings/str_replace.h" diff --git a/source/common/runtime/runtime_features.h b/source/common/runtime/runtime_features.h index bc36922f5fc7b..11200a31cb009 100644 --- a/source/common/runtime/runtime_features.h +++ b/source/common/runtime/runtime_features.h @@ -1,14 +1,10 @@ #pragma once -#include +#include #include "envoy/runtime/runtime.h" -#include "source/common/singleton/const_singleton.h" - -#include "absl/container/flat_hash_set.h" -#include "absl/flags/flag.h" -#include "absl/flags/reflection.h" +#include "absl/strings/string_view.h" namespace Envoy { namespace Runtime { From de90ffa94493f0084ae5ee0dc23ee9f9c2e83fb0 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 1 Aug 2025 23:59:36 -0700 Subject: [PATCH 143/505] deps: Bump `simdutf` -> 7.3.4 (#40517) ## Description This PR bumps up `simdutf` -> 7.3.4 Fix https://github.com/envoyproxy/envoy/issues/40516 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index f60cc2c3886c4..3a5c662bedfc1 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1251,12 +1251,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_desc = "Unicode routines (UTF8, UTF16, UTF32) and Base64: billions of characters per second using SSE2, AVX2, NEON, AVX-512, RISC-V Vector Extension, LoongArch64, POWER. Part of Node.js, WebKit/Safari, Ladybird, Chromium, Cloudflare Workers and Bun.", project_url = "https://github.com/simdutf/simdutf", # NOTE: Update together with v8 and proxy_wasm_cpp_host. - version = "7.3.3", - sha256 = "ebe033a48a3ea4a46205710f3dfdc98587dae3f9937d00d509773798b8243e60", + version = "7.3.4", + sha256 = "a8d2b481a2089280b84df7dc234223b658056b5bbd40bd4d476902d25d353a1f", urls = ["https://github.com/simdutf/simdutf/releases/download/v{version}/singleheader.zip"], use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2025-07-13", + release_date = "2025-08-01", cpe = "N/A", ), intel_ittapi = dict( From 975159dc1ac6cba71ac47b27cd4d2a57e667de72 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Sat, 2 Aug 2025 00:15:42 -0700 Subject: [PATCH 144/505] rbac: use LC Trie for IP range matching performance optimization (#40493) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description This PR replaces linear search with LC Trie data structure for IP range matching in RBAC policies. This improves lookup performance from `O(n)` to `O(log n)`, providing significant speedup for policies with many IP ranges. Benchmarks show **~10x** improvement at **100** ranges and **~200x** at **5000** ranges. ### Benchmarks **Machine Config:** ``` Running /private/var/tmp/_bazel_rohit.agrawal/048a6df82575d9620a083f910cb235e5/execroot/envoy/bazel-out/darwin_arm64-opt/bin/test/common/network/lc_trie_ip_list_speed_test Run on (12 X 24 MHz CPU s) CPU Caches: L1 Data 64 KiB L1 Instruction 128 KiB L2 Unified 4096 KiB (x12) Load Average: 22.48, 15.87, 10.62 ``` **Command:** ``` bazel run -c opt test/common/network:lc_trie_ip_list_speed_test -- --benchmark_repetitions=10 ``` **Results:** | Benchmark | Trie Mean | RadixTree Mean | Speedup (×) | | --- | --- | --- | --- | | BM_LinearIpListMatching/10_mean | 98.3 ns | 28.0 ns | 3.51× | | BM_LinearIpListMatching/25_mean | 230.0 ns | 31.4 ns | 7.32× | | BM_LinearIpListMatching/50_mean | 455.0 ns | 28.3 ns | 16.08× | | BM_LinearIpListMatching/64_mean | 577.0 ns | 29.3 ns | 19.69× | | BM_LinearIpListMatching/100_mean | 900.0 ns | 29.5 ns | 30.51× | | BM_LinearIpListMatching/250_mean | 2153.0 ns | 31.9 ns | 67.49× | | BM_LinearIpListMatching/500_mean | 4132.0 ns | 35.7 ns | 115.74× | | BM_LinearIpListMatching/512_mean | 4223.0 ns | 34.8 ns | 121.35× | | BM_LinearIpListMatching/1000_mean | 7651.0 ns | 39.3 ns | 194.68× | | BM_LinearIpListMatching/4096_mean | 19871.0 ns | 48.5 ns | 409.71× | | BM_LinearIpListMatching/5000_mean | 23017.0 ns | 49.4 ns | 465.93× | image --- **Commit Message:** rbac: use LC Trie for IP range matching performance optimization **Additional Description:** Replaces linear search with LC Trie data structure for IP range matching in RBAC policies. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 + source/extensions/filters/common/rbac/BUILD | 1 + .../filters/common/rbac/matchers.cc | 68 ++++- .../extensions/filters/common/rbac/matchers.h | 24 +- test/common/network/BUILD | 18 ++ .../network/lc_trie_ip_list_speed_test.cc | 286 ++++++++++++++++++ .../filters/common/rbac/matchers_test.cc | 165 ++++++++++ 7 files changed, 549 insertions(+), 16 deletions(-) create mode 100644 test/common/network/lc_trie_ip_list_speed_test.cc diff --git a/changelogs/current.yaml b/changelogs/current.yaml index c40c77d9cccb0..0a3d412c8b9cb 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -91,5 +91,8 @@ new_features: Added ``virtualHost()`` to the Stream handle API, allowing Lua scripts to retrieve virtual host information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access virtual host metadata scoped to the specific filter name. See :ref:`Virtual host object API ` for more details. +- area: rbac + change: | + Switch the IP matcher to use LC-Trie for performance improvements. deprecated: diff --git a/source/extensions/filters/common/rbac/BUILD b/source/extensions/filters/common/rbac/BUILD index 21a02747115f3..1c3e87c8a770e 100644 --- a/source/extensions/filters/common/rbac/BUILD +++ b/source/extensions/filters/common/rbac/BUILD @@ -49,6 +49,7 @@ envoy_cc_library( "//source/common/common:matchers_lib", "//source/common/http:header_utility_lib", "//source/common/network:cidr_range_lib", + "//source/common/network:lc_trie_lib", "//source/extensions/filters/common/expr:evaluator_lib", "//source/extensions/path/match/uri_template:uri_template_match_lib", "@com_google_absl//absl/types:optional", diff --git a/source/extensions/filters/common/rbac/matchers.cc b/source/extensions/filters/common/rbac/matchers.cc index 29dfde6fb80aa..647a0c810b22c 100644 --- a/source/extensions/filters/common/rbac/matchers.cc +++ b/source/extensions/filters/common/rbac/matchers.cc @@ -180,24 +180,72 @@ bool HeaderMatcher::matches(const Network::Connection&, return header_->matchesHeaders(headers); } +IPMatcher::IPMatcher(const envoy::config::core::v3::CidrRange& range, Type type) : type_(type) { + // Convert single range to LC Trie for consistency. + std::vector ranges; + ranges.push_back(THROW_OR_RETURN_VALUE(Network::Address::CidrRange::create(range), + Network::Address::CidrRange)); + + trie_ = std::make_unique>( + std::vector>>{{true, ranges}}); +} + +// static +absl::StatusOr> +IPMatcher::create(const Protobuf::RepeatedPtrField& ranges, + Type type) { + if (ranges.empty()) { + return absl::InvalidArgumentError("Empty IP range list provided"); + } + + // Convert protobuf ranges to CidrRange vector. + std::vector cidr_ranges; + cidr_ranges.reserve(ranges.size()); + for (const auto& range : ranges) { + auto cidr_result = Network::Address::CidrRange::create(range); + if (!cidr_result.ok()) { + return absl::InvalidArgumentError( + fmt::format("Failed to create CIDR range: {}", cidr_result.status().message())); + } + cidr_ranges.push_back(std::move(cidr_result.value())); + } + + // Create LC Trie directly following the pattern from Unified IP Matcher. + // Note: LcTrie constructor may throw EnvoyException on invalid input, but this + // should be rare since we've already validated the CIDR ranges above. + auto trie = std::make_unique>( + std::vector>>{{true, cidr_ranges}}); + + return std::unique_ptr(new IPMatcher(std::move(trie), type)); +} + +IPMatcher::IPMatcher(std::unique_ptr> trie, Type type) + : trie_(std::move(trie)), type_(type) {} + bool IPMatcher::matches(const Network::Connection& connection, const Envoy::Http::RequestHeaderMap&, const StreamInfo::StreamInfo& info) const { - Envoy::Network::Address::InstanceConstSharedPtr ip; + const auto ip = extractIpAddress(connection, info); + if (!ip) { + return false; + } + + return !trie_->getData(ip).empty(); +} + +Network::Address::InstanceConstSharedPtr +IPMatcher::extractIpAddress(const Network::Connection& connection, + const StreamInfo::StreamInfo& info) const { switch (type_) { case ConnectionRemote: - ip = connection.connectionInfoProvider().remoteAddress(); - break; + return connection.connectionInfoProvider().remoteAddress(); case DownstreamLocal: - ip = info.downstreamAddressProvider().localAddress(); - break; + return info.downstreamAddressProvider().localAddress(); case DownstreamDirectRemote: - ip = info.downstreamAddressProvider().directRemoteAddress(); - break; + return info.downstreamAddressProvider().directRemoteAddress(); case DownstreamRemote: - ip = info.downstreamAddressProvider().remoteAddress(); - break; + return info.downstreamAddressProvider().remoteAddress(); } - return range_.isInRange(*ip.get()); + return nullptr; } bool PortMatcher::matches(const Network::Connection&, const Envoy::Http::RequestHeaderMap&, diff --git a/source/extensions/filters/common/rbac/matchers.h b/source/extensions/filters/common/rbac/matchers.h index 033c9ca5c9de7..f2fe43ee9a9b8 100644 --- a/source/extensions/filters/common/rbac/matchers.h +++ b/source/extensions/filters/common/rbac/matchers.h @@ -10,6 +10,7 @@ #include "source/common/common/matchers.h" #include "source/common/http/header_utility.h" #include "source/common/network/cidr_range.h" +#include "source/common/network/lc_trie.h" #include "source/extensions/filters/common/expr/evaluator.h" #include "source/extensions/filters/common/rbac/matcher_interface.h" #include "source/extensions/path/match/uri_template/uri_template_match.h" @@ -113,23 +114,34 @@ class HeaderMatcher : public Matcher { }; /** - * Perform a match against an IP CIDR range. This rule can be applied to connection remote, + * Perform a match against IP CIDR ranges. This rule can be applied to connection remote, * downstream local address, downstream direct remote address or downstream remote address. + * Uses LC Trie algorithm for optimal O(log n) performance in IP address range matching. */ class IPMatcher : public Matcher { public: enum Type { ConnectionRemote = 0, DownstreamLocal, DownstreamDirectRemote, DownstreamRemote }; - IPMatcher(const envoy::config::core::v3::CidrRange& range, Type type) - : range_(THROW_OR_RETURN_VALUE(Network::Address::CidrRange::create(range), - Network::Address::CidrRange)), - type_(type) {} + // Single IP range constructor. + IPMatcher(const envoy::config::core::v3::CidrRange& range, Type type); + + // Multiple IP ranges constructor. + static absl::StatusOr> + create(const Protobuf::RepeatedPtrField& ranges, Type type); bool matches(const Network::Connection& connection, const Envoy::Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& info) const override; private: - const Network::Address::CidrRange range_; + // Private constructor for LC Trie-based matcher. + IPMatcher(std::unique_ptr> trie, Type type); + + // Extract IP address based on matcher type. + Network::Address::InstanceConstSharedPtr + extractIpAddress(const Network::Connection& connection, const StreamInfo::StreamInfo& info) const; + + std::unique_ptr> trie_; + const Type type_; }; diff --git a/test/common/network/BUILD b/test/common/network/BUILD index 34b851995a56c..c607c3acfb236 100644 --- a/test/common/network/BUILD +++ b/test/common/network/BUILD @@ -64,6 +64,24 @@ envoy_benchmark_test( benchmark_binary = "address_impl_speed_test", ) +envoy_cc_benchmark_binary( + name = "lc_trie_ip_list_speed_test", + srcs = ["lc_trie_ip_list_speed_test.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/network:cidr_range_lib", + "//source/common/network:lc_trie_lib", + "//source/common/network:utility_lib", + "//test/test_common:utility_lib", + "@com_github_google_benchmark//:benchmark", + ], +) + +envoy_benchmark_test( + name = "lc_trie_ip_list_speed_test_benchmark_test", + benchmark_binary = "lc_trie_ip_list_speed_test", +) + envoy_cc_test( name = "cidr_range_test", srcs = ["cidr_range_test.cc"], diff --git a/test/common/network/lc_trie_ip_list_speed_test.cc b/test/common/network/lc_trie_ip_list_speed_test.cc new file mode 100644 index 0000000000000..62a4b1b6a0da5 --- /dev/null +++ b/test/common/network/lc_trie_ip_list_speed_test.cc @@ -0,0 +1,286 @@ +// Performance benchmark comparing LcTrie vs Linear Search for IP range matching +// in RBAC and access control scenarios. + +#include +#include + +#include "source/common/network/cidr_range.h" +#include "source/common/network/lc_trie.h" +#include "source/common/network/utility.h" +#include "source/common/protobuf/protobuf.h" + +#include "test/test_common/utility.h" + +#include "benchmark/benchmark.h" + +namespace Envoy { +namespace Network { +namespace Address { + +// Generate realistic IP ranges for testing RBAC scenarios. +class IpRangeGenerator { +public: + IpRangeGenerator() : generator_(42) {} // Fixed seed for reproducibility. + + Protobuf::RepeatedPtrField generateIpv4Ranges(size_t count) { + Protobuf::RepeatedPtrField ranges; + + std::uniform_int_distribution ip_dist(0, 0xFFFFFFFF); + std::uniform_int_distribution prefix_dist(8, 32); // Realistic CIDR prefixes + + for (size_t i = 0; i < count; ++i) { + auto* range = ranges.Add(); + + // Generate a random IPv4 address + uint32_t ip = ip_dist(generator_); + range->set_address_prefix(fmt::format("{}.{}.{}.{}", (ip >> 24) & 0xFF, (ip >> 16) & 0xFF, + (ip >> 8) & 0xFF, ip & 0xFF)); + + // Set a realistic prefix length + range->mutable_prefix_len()->set_value(prefix_dist(generator_)); + } + + return ranges; + } + + Protobuf::RepeatedPtrField generateIpv6Ranges(size_t count) { + Protobuf::RepeatedPtrField ranges; + + std::uniform_int_distribution segment_dist(0, 0xFFFF); + std::uniform_int_distribution prefix_dist(48, 128); // Realistic IPv6 prefixes + + for (size_t i = 0; i < count; ++i) { + auto* range = ranges.Add(); + + // Generate a random IPv6 address + range->set_address_prefix(fmt::format( + "{}:{}:{}:{}:{}:{}:{}:{}", segment_dist(generator_), segment_dist(generator_), + segment_dist(generator_), segment_dist(generator_), segment_dist(generator_), + segment_dist(generator_), segment_dist(generator_), segment_dist(generator_))); + + range->mutable_prefix_len()->set_value(prefix_dist(generator_)); + } + + return ranges; + } + + std::vector generateTestIps(size_t count, bool ipv6 = false) { + std::vector ips; + ips.reserve(count); + + if (ipv6) { + std::uniform_int_distribution segment_dist(0, 0xFFFF); + for (size_t i = 0; i < count; ++i) { + const std::string ip_str = fmt::format( + "{}:{}:{}:{}:{}:{}:{}:{}", segment_dist(generator_), segment_dist(generator_), + segment_dist(generator_), segment_dist(generator_), segment_dist(generator_), + segment_dist(generator_), segment_dist(generator_), segment_dist(generator_)); + auto ip = Utility::parseInternetAddressNoThrow(ip_str); + if (ip) { + ips.push_back(ip); + } + } + } else { + std::uniform_int_distribution ip_dist(0, 0xFFFFFFFF); + for (size_t i = 0; i < count; ++i) { + uint32_t ip = ip_dist(generator_); + const std::string ip_str = fmt::format("{}.{}.{}.{}", (ip >> 24) & 0xFF, (ip >> 16) & 0xFF, + (ip >> 8) & 0xFF, ip & 0xFF); + auto parsed_ip = Utility::parseInternetAddressNoThrow(ip_str); + if (parsed_ip) { + ips.push_back(parsed_ip); + } + } + } + + return ips; + } + +private: + std::mt19937 generator_; +}; + +// Helper function to convert protobuf ranges to CidrRange vector. +std::vector +protobufToCidrRanges(const Protobuf::RepeatedPtrField& ranges) { + std::vector cidr_ranges; + cidr_ranges.reserve(ranges.size()); + for (const auto& range : ranges) { + auto cidr_result = CidrRange::create(range); + if (cidr_result.ok()) { + cidr_ranges.push_back(std::move(cidr_result.value())); + } + } + return cidr_ranges; +} + +// Benchmark linear search IP list implementation. +static void BM_LinearIpListMatching(benchmark::State& state) { + const size_t num_ranges = state.range(0); + const size_t num_queries = 1000; + + IpRangeGenerator generator; + auto ranges = generator.generateIpv4Ranges(num_ranges); + auto test_ips = generator.generateTestIps(num_queries); + + auto ip_list_result = IpList::create(ranges); + if (!ip_list_result.ok()) { + state.SkipWithError("Failed to create IpList"); + return; + } + auto ip_list = std::move(ip_list_result.value()); + + // Pre-generate random queries for consistent benchmark. + std::mt19937 rng(12345); + std::uniform_int_distribution dist(0, test_ips.size() - 1); + std::vector query_indices; + for (size_t i = 0; i < 1024; ++i) { + query_indices.push_back(dist(rng)); + } + + size_t query_idx = 0; + for (auto _ : state) { + const auto& query_ip = test_ips[query_indices[query_idx % 1024]]; + bool result = ip_list->contains(*query_ip); + benchmark::DoNotOptimize(result); + query_idx++; + } + + state.SetItemsProcessed(state.iterations()); + state.SetLabel(fmt::format("LinearSearch_{}ranges", num_ranges)); +} + +// Benchmark LcTrie IP list implementation using existing Network::LcTrie::LcTrie. +static void BM_LcTrieIpListMatching(benchmark::State& state) { + const size_t num_ranges = state.range(0); + const size_t num_queries = 1000; + + IpRangeGenerator generator; + auto ranges = generator.generateIpv4Ranges(num_ranges); + auto test_ips = generator.generateTestIps(num_queries); + + // Convert protobuf ranges to CidrRange vector. + auto cidr_ranges = protobufToCidrRanges(ranges); + if (cidr_ranges.empty()) { + state.SkipWithError("Failed to convert ranges to CidrRange"); + return; + } + + // Create LC Trie directly following the pattern from Unified IP Matcher. + Network::LcTrie::LcTrie trie( + std::vector>>{{true, cidr_ranges}}); + + // Pre-generate random queries for consistent benchmark. + std::mt19937 rng(12345); + std::uniform_int_distribution dist(0, test_ips.size() - 1); + std::vector query_indices; + for (size_t i = 0; i < 1024; ++i) { + query_indices.push_back(dist(rng)); + } + + size_t query_idx = 0; + for (auto _ : state) { + const auto& query_ip = test_ips[query_indices[query_idx % 1024]]; + bool result = !trie.getData(query_ip).empty(); + benchmark::DoNotOptimize(result); + query_idx++; + } + + state.SetItemsProcessed(state.iterations()); + state.SetLabel(fmt::format("LcTrie_{}ranges", num_ranges)); +} + +// IPv6 benchmarks +static void BM_LinearIpListMatchingIPv6(benchmark::State& state) { + const size_t num_ranges = state.range(0); + const size_t num_queries = 1000; + + IpRangeGenerator generator; + auto ranges = generator.generateIpv6Ranges(num_ranges); + auto test_ips = generator.generateTestIps(num_queries, true); + + auto ip_list_result = IpList::create(ranges); + if (!ip_list_result.ok()) { + state.SkipWithError("Failed to create IpList"); + return; + } + auto ip_list = std::move(ip_list_result.value()); + + // Pre-generate random queries for consistent benchmark. + std::mt19937 rng(12345); + std::uniform_int_distribution dist(0, test_ips.size() - 1); + std::vector query_indices; + for (size_t i = 0; i < 512; ++i) { + query_indices.push_back(dist(rng)); + } + + size_t query_idx = 0; + for (auto _ : state) { + if (query_idx < query_indices.size()) { + const auto& query_ip = test_ips[query_indices[query_idx % 512]]; + bool result = ip_list->contains(*query_ip); + benchmark::DoNotOptimize(result); + query_idx++; + } + } + + state.SetItemsProcessed(state.iterations()); + state.SetLabel(fmt::format("LinearSearch_IPv6_{}ranges", num_ranges)); +} + +static void BM_LcTrieIpListMatchingIPv6(benchmark::State& state) { + const size_t num_ranges = state.range(0); + const size_t num_queries = 1000; + + IpRangeGenerator generator; + auto ranges = generator.generateIpv6Ranges(num_ranges); + auto test_ips = generator.generateTestIps(num_queries, true); + + // Convert protobuf ranges to CidrRange vector. + auto cidr_ranges = protobufToCidrRanges(ranges); + if (cidr_ranges.empty()) { + state.SkipWithError("Failed to convert ranges to CidrRange"); + return; + } + + // Create LC Trie directly following the pattern from Unified IP Matcher. + Network::LcTrie::LcTrie trie( + std::vector>>{{true, cidr_ranges}}); + + // Pre-generate random queries for consistent benchmark. + std::mt19937 rng(12345); + std::uniform_int_distribution dist(0, test_ips.size() - 1); + std::vector query_indices; + for (size_t i = 0; i < 512; ++i) { + query_indices.push_back(dist(rng)); + } + + size_t query_idx = 0; + for (auto _ : state) { + if (query_idx < query_indices.size()) { + const auto& query_ip = test_ips[query_indices[query_idx % 512]]; + bool result = !trie.getData(query_ip).empty(); + benchmark::DoNotOptimize(result); + query_idx++; + } + } + + state.SetItemsProcessed(state.iterations()); + state.SetLabel(fmt::format("LcTrie_IPv6_{}ranges", num_ranges)); +} + +// Comprehensive benchmarks for RBAC scenarios +BENCHMARK(BM_LinearIpListMatching)->Range(10, 5000)->Unit(benchmark::kNanosecond); +BENCHMARK(BM_LcTrieIpListMatching)->Range(10, 5000)->Unit(benchmark::kNanosecond); + +// Focused benchmarks for common RBAC policy sizes +BENCHMARK(BM_LinearIpListMatching)->Arg(25)->Arg(50)->Arg(100)->Arg(250)->Arg(500)->Arg(1000); +BENCHMARK(BM_LcTrieIpListMatching)->Arg(25)->Arg(50)->Arg(100)->Arg(250)->Arg(500)->Arg(1000); + +// IPv6 benchmarks for realistic dual-stack scenarios +BENCHMARK(BM_LinearIpListMatchingIPv6)->Arg(50)->Arg(200)->Arg(500); +BENCHMARK(BM_LcTrieIpListMatchingIPv6)->Arg(50)->Arg(200)->Arg(500); + +} // namespace Address +} // namespace Network +} // namespace Envoy diff --git a/test/extensions/filters/common/rbac/matchers_test.cc b/test/extensions/filters/common/rbac/matchers_test.cc index 894b7cd250a25..703b874cbaaa7 100644 --- a/test/extensions/filters/common/rbac/matchers_test.cc +++ b/test/extensions/filters/common/rbac/matchers_test.cc @@ -1088,6 +1088,171 @@ TEST(PrincipalMatcher, OrIds) { checkMatcher(OrMatcher(principals, factory_context), false, conn, headers, info); } +// Tests to cover missing lines in coverage report +TEST(IPMatcher, PrincipalSourceIpMatching) { + // Tests lines 77-79: kSourceIp case in Principal creation + NiceMock factory_context; + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_source_ip(); + cidr->set_address_prefix("192.168.1.0"); + cidr->mutable_prefix_len()->set_value(24); + + auto matcher = Matcher::create(principal, factory_context); + ASSERT_NE(matcher, nullptr); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + // Set connection remote address that matches the CIDR + auto addr = Envoy::Network::Utility::parseInternetAddressNoThrow("192.168.1.100", 123, false); + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(addr); + + EXPECT_TRUE(matcher->matches(conn, headers, info)); + + // Set address that doesn't match + addr = Envoy::Network::Utility::parseInternetAddressNoThrow("10.0.0.1", 123, false); + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(addr); + + EXPECT_FALSE(matcher->matches(conn, headers, info)); +} + +TEST(IPMatcher, PrincipalRemoteIpMatching) { + // Tests lines 83-85: kRemoteIp case in Principal creation + NiceMock factory_context; + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_remote_ip(); + cidr->set_address_prefix("10.0.0.0"); + cidr->mutable_prefix_len()->set_value(16); + + auto matcher = Matcher::create(principal, factory_context); + ASSERT_NE(matcher, nullptr); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + // Set downstream remote address that matches the CIDR + auto addr = Envoy::Network::Utility::parseInternetAddressNoThrow("10.0.5.100", 456, false); + info.downstream_connection_info_provider_->setRemoteAddress(addr); + + EXPECT_TRUE(matcher->matches(conn, headers, info)); + + // Set address that doesn't match + addr = Envoy::Network::Utility::parseInternetAddressNoThrow("172.16.1.1", 456, false); + info.downstream_connection_info_provider_->setRemoteAddress(addr); + + EXPECT_FALSE(matcher->matches(conn, headers, info)); +} + +TEST(IPMatcher, CreateWithInvalidCidrRange) { + // Tests lines 206-208: Invalid CIDR range error handling in IPMatcher::create + Protobuf::RepeatedPtrField ranges; + + // Add valid range first + auto* valid_range = ranges.Add(); + valid_range->set_address_prefix("192.168.1.0"); + valid_range->mutable_prefix_len()->set_value(24); + + // Add invalid range (invalid IP address) + auto* invalid_range = ranges.Add(); + invalid_range->set_address_prefix("invalid.ip.address"); + invalid_range->mutable_prefix_len()->set_value(24); + + auto result = IPMatcher::create(ranges, IPMatcher::Type::ConnectionRemote); + EXPECT_FALSE(result.ok()); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Failed to create CIDR range")); +} + +TEST(IPMatcher, CreateWithEmptyRangeList) { + // Tests empty range validation + Protobuf::RepeatedPtrField empty_ranges; + + auto result = IPMatcher::create(empty_ranges, IPMatcher::Type::ConnectionRemote); + EXPECT_FALSE(result.ok()); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Empty IP range list provided")); +} + +TEST(IPMatcher, MatchesWithNullIpAddress) { + // Tests line 227: null IP address check in matches method + envoy::config::core::v3::CidrRange range; + range.set_address_prefix("192.168.1.0"); + range.mutable_prefix_len()->set_value(24); + + IPMatcher matcher(range, IPMatcher::Type::ConnectionRemote); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + // Set null remote address + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(nullptr); + + EXPECT_FALSE(matcher.matches(conn, headers, info)); +} + +TEST(IPMatcher, ExtractIpAddressWithInvalidType) { + // Tests line 247: return nullptr fallback in extractIpAddress + // This test exercises the default case that should never be reached in normal operation + envoy::config::core::v3::CidrRange range; + range.set_address_prefix("192.168.1.0"); + range.mutable_prefix_len()->set_value(24); + + // Create matcher with a specific type + IPMatcher matcher(range, IPMatcher::Type::ConnectionRemote); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + // Set all address types to non-null to ensure we test the extraction logic + auto addr = Envoy::Network::Utility::parseInternetAddressNoThrow("192.168.1.100", 123, false); + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(addr); + info.downstream_connection_info_provider_->setLocalAddress(addr); + info.downstream_connection_info_provider_->setDirectRemoteAddressForTest(addr); + info.downstream_connection_info_provider_->setRemoteAddress(addr); + + // This should match and extract the connection remote address correctly + EXPECT_TRUE(matcher.matches(conn, headers, info)); +} + +TEST(IPMatcher, MultipleRangesCreateSuccess) { + // Tests successful creation with multiple ranges + Protobuf::RepeatedPtrField ranges; + + // Add multiple valid ranges + auto* range1 = ranges.Add(); + range1->set_address_prefix("192.168.1.0"); + range1->mutable_prefix_len()->set_value(24); + + auto* range2 = ranges.Add(); + range2->set_address_prefix("10.0.0.0"); + range2->mutable_prefix_len()->set_value(16); + + auto* range3 = ranges.Add(); + range3->set_address_prefix("2001:db8::"); + range3->mutable_prefix_len()->set_value(32); + + auto result = IPMatcher::create(ranges, IPMatcher::Type::ConnectionRemote); + EXPECT_TRUE(result.ok()); + EXPECT_NE(result.value(), nullptr); + + // Test that the created matcher works + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + // Test IPv4 match + auto addr = Envoy::Network::Utility::parseInternetAddressNoThrow("192.168.1.100", 123, false); + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(addr); + EXPECT_TRUE(result.value()->matches(conn, headers, info)); + + // Test IPv4 no match + addr = Envoy::Network::Utility::parseInternetAddressNoThrow("172.16.1.1", 123, false); + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(addr); + EXPECT_FALSE(result.value()->matches(conn, headers, info)); +} + } // namespace } // namespace RBAC } // namespace Common From 4f5386abdc9a52340a892e56ca8a50a6e196c98f Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Sat, 2 Aug 2025 07:36:47 -0400 Subject: [PATCH 145/505] ext_proc : adding integration test to verify request with large data (#40197) Adding an integration test to send consecutively large request for ext_proc FULL_DUPLEX_STREAMED mode. The test includes: 1) sending 30 consecutive HTTP requests 2) Each request contains a 2MB body 3) The request is sending to the ext_proc server. 4) After receives the complete request, the ext_proc server sends back 50 chunks, with 64KB data in each chunk back to Envoy. --------- Signed-off-by: Yanjun Xiang --- .../ext_proc/ext_proc_integration_test.cc | 57 +++++++++++++++++-- 1 file changed, 52 insertions(+), 5 deletions(-) diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 0d16ea738a721..3409ee5b23b39 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -788,9 +788,7 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, verifyDownstreamResponse(*response, 200); } - IntegrationStreamDecoderPtr initAndSendDataDuplexStreamedMode(absl::string_view body_sent, - bool end_of_stream, - bool both_direction = false) { + void initializeConfigDuplexStreamed(bool both_direction = false) { config_helper_.setBufferLimits(1024, 1024); auto* processing_mode = proto_config_.mutable_processing_mode(); processing_mode->set_request_header_mode(ProcessingMode::SEND); @@ -806,6 +804,12 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, initializeConfig(); HttpIntegrationTest::initialize(); + } + + IntegrationStreamDecoderPtr initAndSendDataDuplexStreamedMode(absl::string_view body_sent, + bool end_of_stream, + bool both_direction = false) { + initializeConfigDuplexStreamed(both_direction); codec_client_ = makeHttpConnection(lookupPort("http")); Http::TestRequestHeaderMapImpl default_headers; HttpTestUtility::addDefaultHeaders(default_headers); @@ -879,7 +883,7 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, } void serverSendBodyRespDuplexStreamed(uint32_t total_resp_body_msg, bool end_of_stream = true, - bool response = false) { + bool response = false, absl::string_view body_sent = "") { for (uint32_t i = 0; i < total_resp_body_msg; i++) { ProcessingResponse response_body; BodyResponse* body_resp; @@ -891,7 +895,11 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, auto* body_mut = body_resp->mutable_response()->mutable_body_mutation(); auto* streamed_response = body_mut->mutable_streamed_response(); - streamed_response->set_body("r"); + if (!body_sent.empty()) { + streamed_response->set_body(body_sent); + } else { + streamed_response->set_body("r"); + } if (end_of_stream) { const bool end_of_stream = (i == total_resp_body_msg - 1) ? true : false; streamed_response->set_end_of_stream(end_of_stream); @@ -5515,6 +5523,45 @@ TEST_P(ExtProcIntegrationTest, ServerWaitForBodyBeforeSendsHeaderRespDuplexStrea verifyDownstreamResponse(*response, 200); } +TEST_P(ExtProcIntegrationTest, LargeBodyTestDuplexStreamed) { + const std::string body_sent(2 * 1024 * 1024, 's'); + initializeConfigDuplexStreamed(false); + + // Sends 30 consecutive request, each carrying 2MB data. + for (int i = 0; i < 30; i++) { + codec_client_ = makeHttpConnection(lookupPort("http")); + Http::TestRequestHeaderMapImpl default_headers; + HttpTestUtility::addDefaultHeaders(default_headers); + + std::pair encoder_decoder = + codec_client_->startRequest(default_headers); + request_encoder_ = &encoder_decoder.first; + IntegrationStreamDecoderPtr response = std::move(encoder_decoder.second); + codec_client_->sendData(*request_encoder_, body_sent, true); + // The ext_proc server receives the headers. + ProcessingRequest header_request; + serverReceiveHeaderDuplexStreamed(header_request); + // The ext_proc server receives the body. + uint32_t total_req_body_msg = serverReceiveBodyDuplexStreamed(body_sent); + EXPECT_GT(total_req_body_msg, 0); + // The ext_proc server sends back the header response. + serverSendHeaderRespDuplexStreamed(); + // The ext_proc server sends back body responses, which include 50 chunks, + // and each chunk contains 64KB data, thus totally ~3MB per request. + uint32_t total_resp_body_msg = 50; + const std::string body_response(64 * 1024, 'r'); + const std::string body_upstream(total_resp_body_msg * 64 * 1024, 'r'); + serverSendBodyRespDuplexStreamed(total_resp_body_msg, /*end_of_stream*/ true, + /*response*/ false, body_response); + + handleUpstreamRequest(); + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_EQ(upstream_request_->body().toString(), body_upstream); + verifyDownstreamResponse(*response, 200); + TearDown(); + } +} + // Buffer the whole message including header, body and trailer before sending response. TEST_P(ExtProcIntegrationTest, ServerWaitForBodyAndTrailerBeforeSendsHeaderRespDuplexStreamedSmallBody) { From f5bc3c5fd2594e30f912ce2b3e85b297d7412b75 Mon Sep 17 00:00:00 2001 From: phlax Date: Mon, 4 Aug 2025 08:24:43 +0100 Subject: [PATCH 146/505] docker/ci: Build oci images natively (#40557) Signed-off-by: Ryan Northey --- .github/config.yml | 6 +- .github/workflows/_publish_build.yml | 159 +++----- ...blish_publish.yml => _publish_release.yml} | 73 +++- .../workflows/_publish_release_container.yml | 189 ++++++++++ .github/workflows/_publish_verify.yml | 9 +- .github/workflows/envoy-publish.yml | 39 +- ci/do_ci.sh | 10 +- ci/docker-compose.yml | 1 + distribution/docker/BUILD | 2 +- distribution/docker/README.md | 6 +- distribution/docker/build.sh | 192 ++++++++++ distribution/docker/docker_ci.sh | 352 ------------------ 12 files changed, 545 insertions(+), 493 deletions(-) rename .github/workflows/{_publish_publish.yml => _publish_release.yml} (55%) create mode 100644 .github/workflows/_publish_release_container.yml create mode 100755 distribution/docker/build.sh delete mode 100755 distribution/docker/docker_ci.sh diff --git a/.github/config.yml b/.github/config.yml index 9f1678d853475..72f06fcbc0c8d 100644 --- a/.github/config.yml +++ b/.github/config.yml @@ -146,7 +146,7 @@ checks: name: >- Envoy/Publish and verify on-run: - - publish + - release - verify required: true @@ -336,7 +336,7 @@ run: precheck-publish: paths: - "**/*" - publish: + release: paths: - .bazelrc - .bazelversion @@ -345,6 +345,7 @@ run: - bazel/**/* - ci/**/* - contrib/**/* + - distribution/**/* - envoy/**/* - examples/**/* - source/**/* @@ -359,6 +360,7 @@ run: - bazel/**/* - ci/**/* - contrib/**/* + - distribution/**/* - envoy/**/* - examples/**/* - source/**/* diff --git a/.github/workflows/_publish_build.yml b/.github/workflows/_publish_build.yml index 42438e49f603e..562025c33a249 100644 --- a/.github/workflows/_publish_build.yml +++ b/.github/workflows/_publish_build.yml @@ -6,8 +6,6 @@ permissions: on: workflow_call: secrets: - dockerhub-password: - required: false gcs-cache-key: required: true gpg-key: @@ -15,6 +13,9 @@ on: gpg-key-password: required: true inputs: + arch: + type: string + required: true gcs-cache-bucket: type: string required: true @@ -31,7 +32,7 @@ concurrency: ${{ github.actor != 'trigger-release-envoy[bot]' && github.event.inputs.head_ref || github.run_id - }}-${{ github.event.workflow.id }}-publish + }}-${{ inputs.arch }}-${{ github.event.workflow.id }}-publish cancel-in-progress: true @@ -42,117 +43,59 @@ jobs: permissions: contents: read packages: read - name: ${{ matrix.name || matrix.target }} + name: Binary uses: ./.github/workflows/_run.yml with: - arch: ${{ matrix.arch }} - bazel-extra: ${{ matrix.bazel-extra }} - target: ${{ matrix.target }} - target-suffix: ${{ matrix.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - concurrency-suffix: -${{ matrix.arch }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - runs-on: ${{ matrix.runs-on }} - timeout-minutes: 120 - trusted: ${{ inputs.trusted }} - upload-name: release.${{ matrix.arch }} - upload-path: envoy/${{ matrix.arch }}/bin/ - strategy: - fail-fast: false - matrix: - include: - - target: release.server_only - name: Release (x64) - arch: x64 - bazel-extra: >- - --config=remote-envoy-engflow - rbe: true - - target: release.server_only - name: Release (arm64) - arch: arm64 - bazel-extra: >- - --config=remote-envoy-engflow - rbe: true - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - - distribution: - permissions: - contents: read - packages: read - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - gpg-key: ${{ secrets.gpg-key }} - gpg-key-password: ${{ secrets.gpg-key-password }} - name: ${{ matrix.name || matrix.target }} - needs: - - binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ matrix.arch }} + arch: ${{ inputs.arch }} bazel-extra: >- - --config=remote-cache-envoy-engflow - downloads: | - release.${{ matrix.arch }}: release/${{ matrix.arch }}/bin/ - target: ${{ matrix.target }} - target-suffix: ${{ matrix.arch }} + --config=remote-envoy-engflow + target: release.server_only + target-suffix: ${{ inputs.arch }} cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ matrix.cache-build-image-key-suffix }} - concurrency-suffix: -${{ matrix.arch }} + cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} + concurrency-suffix: -${{ inputs.arch }} gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - import-gpg: true - rbe: false + rbe: true request: ${{ inputs.request }} - runs-on: ${{ matrix.runs-on }} + runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} + timeout-minutes: 120 trusted: ${{ inputs.trusted }} - upload-name: packages.${{ matrix.arch }} - upload-path: envoy/${{ matrix.arch }} - strategy: - fail-fast: false - matrix: - include: - - target: distribution - name: Package debs (x64) - arch: x64 - - target: distribution - name: Package debs (arm64) - arch: arm64 - cache-build-image-key-suffix: -arm64 - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} + upload-name: release.${{ inputs.arch }} + upload-path: envoy/${{ inputs.arch }}/bin/ docker: permissions: contents: read packages: read - secrets: - dockerhub-password: ${{ secrets.dockerhub-password }} - name: ${{ matrix.name || matrix.target }} + name: Docker OCI needs: - binary uses: ./.github/workflows/_run.yml with: - target: ${{ matrix.target }} + arch: ${{ inputs.arch }} + target: docker + target-suffix: ${{ inputs.arch }} cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} + cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} + concurrency-suffix: -${{ inputs.arch }} downloads: | - release.arm64: envoy/arm64/bin/ - release.x64: envoy/x64/bin/ + release.${{ inputs.arch }}: envoy/${{ inputs.arch }}/bin/ request: ${{ inputs.request }} source: | export NO_BUILD_SETUP=1 export ENVOY_DOCKER_IN_DOCKER=1 + export ENVOY_DOCKER_SAVE_IMAGE=true + export ENVOY_OCI_DIR=build_images + + # export DOCKER_BUILD_PLATFORM=${{ inputs.arch == 'x64' && 'linux/amd64' || 'linux/arm64' }} + # export DOCKER_LOAD_IMAGES=true + # export DOCKER_FORCE_OCI_OUTPUT=true trusted: ${{ inputs.trusted }} - upload-name: docker - upload-path: build_images - strategy: - fail-fast: false - matrix: - include: - - target: docker - name: Docker (Linux multiarch) + upload-name: oci.${{ inputs.arch }} + upload-path: envoy/${{ inputs.arch }}/build_images + runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - sign: + distribution: permissions: contents: read packages: read @@ -160,34 +103,26 @@ jobs: gcs-cache-key: ${{ secrets.gcs-cache-key }} gpg-key: ${{ secrets.gpg-key }} gpg-key-password: ${{ secrets.gpg-key-password }} - name: ${{ matrix.name || matrix.target }} + name: Packages needs: - - distribution + - binary uses: ./.github/workflows/_run.yml with: - target: release.signed + arch: ${{ inputs.arch }} bazel-extra: >- - --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz - --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz - --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst - --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - diskspace-hack: true + --config=remote-cache-envoy-engflow downloads: | - packages.arm64: envoy/arm64/ - packages.x64: envoy/x64/ - release.arm64: envoy/arm64/bin/ - release.x64: envoy/x64/bin/ + release.${{ inputs.arch }}: release/${{ inputs.arch }}/bin/ + target: distribution + target-suffix: ${{ inputs.arch }} + cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} + cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} + concurrency-suffix: -${{ inputs.arch }} gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} import-gpg: true + rbe: false request: ${{ inputs.request }} - source: | - export NO_BUILD_SETUP=1 + runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} trusted: ${{ inputs.trusted }} - upload-name: release.signed - upload-path: envoy/release.signed.tar.zst - steps-pre: | - - run: | - mkdir distribution/custom - cp -a %{{ runner.temp }}/envoy/x64 %{{ runner.temp }}/envoy/arm64 distribution/custom - shell: bash + upload-name: packages.${{ inputs.arch }} + upload-path: envoy/${{ inputs.arch }} diff --git a/.github/workflows/_publish_publish.yml b/.github/workflows/_publish_release.yml similarity index 55% rename from .github/workflows/_publish_publish.yml rename to .github/workflows/_publish_release.yml index ce07bb39666bd..d573bea5b43b0 100644 --- a/.github/workflows/_publish_publish.yml +++ b/.github/workflows/_publish_release.yml @@ -6,12 +6,18 @@ permissions: on: workflow_call: secrets: + dockerhub-password: + dockerhub-username: ENVOY_CI_SYNC_APP_ID: ENVOY_CI_SYNC_APP_KEY: ENVOY_CI_PUBLISH_APP_ID: ENVOY_CI_PUBLISH_APP_KEY: gcs-cache-key: required: true + gpg-key: + required: true + gpg-key-password: + required: true inputs: gcs-cache-bucket: type: string @@ -33,7 +39,65 @@ concurrency: jobs: - publish: + sign: + permissions: + contents: read + packages: read + secrets: + gcs-cache-key: ${{ secrets.gcs-cache-key }} + gpg-key: ${{ secrets.gpg-key }} + gpg-key-password: ${{ secrets.gpg-key-password }} + if: ${{ github.repository == 'envoyproxy/envoy-ci-staging' }} + name: Sign packages + uses: ./.github/workflows/_run.yml + with: + target: release.signed + bazel-extra: >- + --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz + --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz + --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst + --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst + cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} + diskspace-hack: true + downloads: | + packages.arm64: envoy/arm64/ + packages.x64: envoy/x64/ + release.arm64: envoy/arm64/bin/ + release.x64: envoy/x64/bin/ + gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} + import-gpg: true + request: ${{ inputs.request }} + source: | + export NO_BUILD_SETUP=1 + trusted: ${{ inputs.trusted }} + upload-name: release.signed + upload-path: envoy/release.signed.tar.zst + steps-pre: | + - run: | + mkdir distribution/custom + cp -a %{{ runner.temp }}/envoy/x64 %{{ runner.temp }}/envoy/arm64 distribution/custom + shell: bash + + container: + secrets: + dockerhub-username: ${{ secrets.dockerhub-username }} + dockerhub-password: ${{ secrets.dockerhub-password }} + permissions: + contents: read + packages: read + name: Publish container images + uses: ./.github/workflows/_publish_release_container.yml + with: + dockerhub-repo: ${{ vars.DOCKERHUB_REPO || 'envoy' }} + dev: ${{ fromJSON(inputs.request).request.version.dev }} + sha: ${{ fromJSON(inputs.request).request.sha }} + target-branch: ${{ fromJSON(inputs.request).request.target-branch }} + trusted: ${{ inputs.trusted }} + version-major: ${{ fromJSON(inputs.request).request.version.major }} + version-minor: ${{ fromJSON(inputs.request).request.version.minor }} + version-patch: ${{ fromJSON(inputs.request).request.version.patch }} + + release: secrets: app-id: ${{ inputs.trusted && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }} app-key: ${{ inputs.trusted && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }} @@ -41,6 +105,9 @@ jobs: permissions: contents: read packages: read + needs: + - container + - sign name: ${{ matrix.name || matrix.target }} uses: ./.github/workflows/_run.yml with: @@ -65,7 +132,7 @@ jobs: export ENVOY_REPO=${{ github.repository }} export ENVOY_PUBLISH_DRY_RUN=${{ (fromJSON(inputs.request).request.version.dev || ! inputs.trusted) && 1 || '' }} - publish_docs: + docs: # For normal commits to Envoy main this will trigger an update in the website repo, # which will update its envoy dep shas, and rebuild the website for the latest docs # @@ -76,7 +143,7 @@ jobs: if: ${{ inputs.trusted && github.repository == 'envoyproxy/envoy' }} runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} needs: - - publish + - release steps: - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 id: appauth diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml new file mode 100644 index 0000000000000..e5452e5f8426b --- /dev/null +++ b/.github/workflows/_publish_release_container.yml @@ -0,0 +1,189 @@ +name: Publish (containers) + +permissions: + contents: read + +on: + workflow_call: + secrets: + dockerhub-password: + dockerhub-username: + inputs: + dev: + required: true + type: boolean + default: true + dockerhub-repo: + required: true + default: envoy + type: string + sha: + required: true + type: string + target-branch: + required: true + type: string + trusted: + required: true + type: boolean + version-major: + required: false + type: number + version-minor: + required: false + type: number + version-patch: + required: false + type: number + +concurrency: + group: >- + ${{ github.actor != 'trigger-release-envoy[bot]' + && github.event.inputs.head_ref + || github.run_id + }}-${{ github.event.workflow.id }}-publish-release-container + cancel-in-progress: true + + +jobs: + push-manifests: + name: Create manifests (${{ inputs.trustred && 'dry run' || 'push' }}) + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: read + steps: + - name: Generate manifest configuration (dev) + id: dev-config + if: ${{ inputs.dev && inputs.target-branch == 'main' }} + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + with: + input-format: yaml + filter: >- + {manifests: .} + input: | + - name: ${{ inputs.dockerhub-repo }} + tag: dev + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy.{arch}.tar + additional-tags: + - dev-${{ github.sha }} + - name: ${{ inputs.dockerhub-repo }} + tag: contrib-dev + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-contrib.{arch}.tar + additional-tags: + - contrib-dev-${{ github.sha }} + - name: ${{ inputs.dockerhub-repo }} + tag: contrib-debug-dev + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-contrib-debug.{arch}.tar + additional-tags: + - contrib-debug-dev-${{ github.sha }} + - name: ${{ inputs.dockerhub-repo }} + tag: distroless-dev + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-distroless.{arch}.tar + additional-tags: + - distroless-dev-${{ github.sha }} + - name: ${{ inputs.dockerhub-repo }} + tag: google-vrp-dev + registry: docker.io/envoyproxy + architectures: + - amd64 + artifact-pattern: envoy-google-vrp.{arch}.tar + additional-tags: + - google-vrp-dev-${{ github.sha }} + - name: ${{ inputs.dockerhub-repo }} + tag: tools-dev + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-tools.{arch}.tar + additional-tags: + - tools-dev-${{ github.sha }} + + - name: Generate manifest configuration (release) + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + id: release-config + if: ${{ ! inputs.dev || ! inputs.target-branch != 'main' }} + with: + input-format: yaml + filter: >- + {manifests: .} + input: | + - name: ${{ inputs.dockerhub-repo }} + tag: v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy.{arch}.tar + additional-tags: + - v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + - name: ${{ inputs.dockerhub-repo }} + tag: contrib-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-contrib.{arch}.tar + additional-tags: + - contrib-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + - name: ${{ inputs.dockerhub-repo }} + tag: contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-contrib-debug.{arch}.tar + additional-tags: + - contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + - name: ${{ inputs.dockerhub-repo }} + tag: distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-distroless.{arch}.tar + additional-tags: + - distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + - name: ${{ inputs.dockerhub-repo }} + tag: google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + artifact-pattern: envoy-google-vrp.{arch}.tar + additional-tags: + - google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + - name: ${{ inputs.dockerhub-repo }} + tag: tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-tools.{arch}.tar + additional-tags: + - tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + + - name: Collect and push OCI artifacts + uses: envoyproxy/toolshed/gh-actions/oci/collector@555132e7108208a8a610af6e03c38c97c204119d + with: + artifacts-pattern: oci.* + manifest-config: ${{ steps.dev-config.outputs.value || steps.release-config.outputs.value }} + dry-run: ${{ ! inputs.trusted || (inputs.target-branch != 'main' && inputs.dev) }} + dockerhub-username: ${{ inputs.trusted && secrets.dockerhub-username || '' }} + dockerhub-password: ${{ inputs.trusted && secrets.dockerhub-password || '' }} diff --git a/.github/workflows/_publish_verify.yml b/.github/workflows/_publish_verify.yml index 381df02220162..1f236fcf8020f 100644 --- a/.github/workflows/_publish_verify.yml +++ b/.github/workflows/_publish_verify.yml @@ -55,7 +55,8 @@ jobs: - name: examples target: verify_examples downloads: | - docker: build_images + oci.arm64: build_images + oci.x64: build_images rbe: false source: | export NO_BUILD_SETUP=1 @@ -74,7 +75,7 @@ jobs: for image in "${IMAGES[@]}"; do src_name="$(echo ${image} | cut -d: -f1)" dest_name="$(echo ${image} | cut -d: -f2)" - src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.tar" + src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.amd64.tar" dest="docker-daemon:envoyproxy/envoy:${dest_name}" echo "Copy image: ${src} ${dest}" skopeo copy -q "${src}" "${dest}" @@ -109,7 +110,7 @@ jobs: - name: distroless target: verify-distroless downloads: | - docker: build_images + oci.x64: build_images rbe: false source: | export NO_BUILD_SETUP=1 @@ -120,7 +121,7 @@ jobs: for image in "${IMAGES[@]}"; do src_name="$(echo ${image} | cut -d: -f1)" dest_name="$(echo ${image} | cut -d: -f2)" - src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.tar" + src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.amd64.tar" dest="docker-daemon:envoyproxy/envoy:${dest_name}" echo "Copy image: ${src} ${dest}" skopeo copy -q "${src}" "${dest}" diff --git a/.github/workflows/envoy-publish.yml b/.github/workflows/envoy-publish.yml index d76dc7e1d95c8..780b1bb5512c2 100644 --- a/.github/workflows/envoy-publish.yml +++ b/.github/workflows/envoy-publish.yml @@ -53,11 +53,6 @@ jobs: contents: read packages: read secrets: - dockerhub-password: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.DOCKERHUB_PASSWORD - || '' }} gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} gpg-key: >- ${{ needs.load.outputs.trusted @@ -69,18 +64,27 @@ jobs: && fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} - if: ${{ fromJSON(needs.load.outputs.request).run.publish || fromJSON(needs.load.outputs.request).run.verify }} + if: ${{ fromJSON(needs.load.outputs.request).run.release || fromJSON(needs.load.outputs.request).run.verify }} needs: - load uses: ./.github/workflows/_publish_build.yml name: Build + strategy: + fail-fast: false + matrix: + arch: + - x64 + - arm64 with: + arch: ${{ matrix.arch }} gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} request: ${{ needs.load.outputs.request }} trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - publish: + release: secrets: + dockerhub-password: ${{ secrets.DOCKERHUB_PASSWORD }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} ENVOY_CI_SYNC_APP_ID: >- ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) @@ -102,15 +106,25 @@ jobs: && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }} gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} + gpg-key: >- + ${{ needs.load.outputs.trusted + && fromJSON(needs.load.outputs.trusted) + && secrets.ENVOY_GPG_MAINTAINER_KEY + || secrets.ENVOY_GPG_SNAKEOIL_KEY }} + gpg-key-password: >- + ${{ needs.load.outputs.trusted + && fromJSON(needs.load.outputs.trusted) + && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD + || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} permissions: contents: read packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.publish }} + if: ${{ fromJSON(needs.load.outputs.request).run.release }} needs: - load - build - uses: ./.github/workflows/_publish_publish.yml - name: Publish + uses: ./.github/workflows/_publish_release.yml + name: Release with: gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} request: ${{ needs.load.outputs.request }} @@ -126,6 +140,7 @@ jobs: needs: - load - build + - release uses: ./.github/workflows/_publish_verify.yml name: Verify with: @@ -146,12 +161,12 @@ jobs: && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.repository.full_name == github.repository && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.publish + && (fromJSON(needs.load.outputs.request).run.release || fromJSON(needs.load.outputs.request).run.verify) needs: - load - build - - publish + - release - verify uses: ./.github/workflows/_finish.yml with: diff --git a/ci/do_ci.sh b/ci/do_ci.sh index f25f4700c0d3f..68223a6a664b8 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -566,6 +566,8 @@ case $CI_TARGET in fi ENVOY_ARCH_DIR="$(dirname "${ENVOY_BUILD_DIR}")" ENVOY_TARBALL_DIR="${ENVOY_TARBALL_DIR:-${ENVOY_ARCH_DIR}}" + ENVOY_OCI_DIR="${ENVOY_BUILD_DIR}/${ENVOY_OCI_DIR}" + export ENVOY_OCI_DIR _PLATFORMS=() PLATFORM_NAMES=( x64:linux/amd64 @@ -591,12 +593,12 @@ case $CI_TARGET in fi PLATFORMS="$(IFS=, ; echo "${_PLATFORMS[*]}")" export DOCKER_PLATFORM="$PLATFORMS" - if [[ -z "${DOCKERHUB_PASSWORD}" && "${#_PLATFORMS[@]}" -eq 1 && -z $ENVOY_DOCKER_SAVE_IMAGE ]]; then - # if you are not pushing the images and there is only one platform - # then load to Docker (ie local build) + if [[ -z "$ENVOY_DOCKER_SAVE_IMAGE" ]]; then + # if you are not saving the images as OCI then load to Docker (ie local build) export DOCKER_LOAD_IMAGES=1 fi - "${ENVOY_SRCDIR}/distribution/docker/docker_ci.sh" + echo "BUILDING FOR: ${PLATFORMS}" + "${ENVOY_SRCDIR}/distribution/docker/build.sh" ;; dockerhub-publish) diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml index a434e258527eb..76fbd03f14aa5 100644 --- a/ci/docker-compose.yml +++ b/ci/docker-compose.yml @@ -11,6 +11,7 @@ x-envoy-build-base: &envoy-build-base - BUILD_DIR=/build - ENVOY_DOCKER_SOURCE_DIR=${ENVOY_DOCKER_SOURCE_DIR:-/source} - ENVOY_DOCKER_BUILD_DIR="${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}" + - ENVOY_OCI_DIR # Proxy settings - HTTP_PROXY diff --git a/distribution/docker/BUILD b/distribution/docker/BUILD index 41a3242f5a569..bd89a60245c4b 100644 --- a/distribution/docker/BUILD +++ b/distribution/docker/BUILD @@ -3,5 +3,5 @@ licenses(["notice"]) # Apache 2 exports_files([ "Dockerfile-envoy", "docker-entrypoint.sh", - "docker_ci.sh", + "build.sh", ]) diff --git a/distribution/docker/README.md b/distribution/docker/README.md index 6192f8bd038f3..be8af131aca5a 100644 --- a/distribution/docker/README.md +++ b/distribution/docker/README.md @@ -5,7 +5,7 @@ This directory contains the Docker build configuration for Envoy container image ## Files - `Dockerfile-envoy` - Main Dockerfile for building Envoy container images -- `docker_ci.sh` - Script for building and pushing Docker images in CI +- `buildd.sh` - Script for building Docker images in CI - `docker-entrypoint.sh` - Entrypoint script for Envoy containers ## Usage @@ -26,10 +26,10 @@ This will build Docker images for multiple platforms and variants including: ## Development -For local development, you can build images directly using the docker_ci.sh script: +For local development, you can build images directly using the build.sh script: ```bash -DOCKER_CI_DRYRUN=1 ./distribution/docker/docker_ci.sh +DOCKER_CI_DRYRUN=1 ./distribution/docker/build.sh ``` This will show what commands would be executed without actually building images. diff --git a/distribution/docker/build.sh b/distribution/docker/build.sh new file mode 100755 index 0000000000000..11167615f2df2 --- /dev/null +++ b/distribution/docker/build.sh @@ -0,0 +1,192 @@ +#!/usr/bin/env bash + +# Do not ever set -x here, it is a security hazard as it will place the credentials below in the +# CI logs. +set -e + +# Workaround for https://github.com/envoyproxy/envoy/issues/26634 +DOCKER_BUILD_TIMEOUT="${DOCKER_BUILD_TIMEOUT:-500}" + +# Allow single platform builds via DOCKER_BUILD_PLATFORM +if [[ -n "$DOCKER_BUILD_PLATFORM" ]]; then + DOCKER_PLATFORM="${DOCKER_BUILD_PLATFORM}" +else + DOCKER_PLATFORM="${DOCKER_PLATFORM:-linux/arm64,linux/amd64}" +fi + +if [[ -n "$DOCKER_CI_DRYRUN" ]]; then + CI_SHA1="${CI_SHA1:-MOCKSHA}" +fi + +DEV_VERSION_REGEX="-dev$" +if [[ -z "$ENVOY_VERSION" ]]; then + ENVOY_VERSION="$(cat VERSION.txt)" +fi + +if [[ "$ENVOY_VERSION" =~ $DEV_VERSION_REGEX ]]; then + # Dev version + IMAGE_POSTFIX="-dev" + IMAGE_NAME="${CI_SHA1}" +else + # Non-dev version + IMAGE_POSTFIX="" + IMAGE_NAME="v${ENVOY_VERSION}" +fi + +if [[ -n "$DOCKER_LOAD_IMAGES" ]]; then + LOAD_IMAGES=1 +fi + +ENVOY_OCI_DIR="${ENVOY_OCI_DIR:-${BUILD_DIR:-.}/build_images}" + +# This prefix is altered for the private security images on setec builds. +DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}" +if [[ -z "$DOCKER_CI_DRYRUN" ]]; then + mkdir -p "${ENVOY_OCI_DIR}" +fi + +# Setting environments for buildx tools + +config_env() { + BUILDKIT_VERSION=$(grep '^FROM moby/buildkit:' ci/Dockerfile-buildkit | cut -d ':' -f2) + echo ">> BUILDX: install ${BUILDKIT_VERSION}" + + if [[ "${DOCKER_PLATFORM}" == *","* ]]; then + echo "> docker run --rm --privileged tonistiigi/binfmt --install all" + docker run --rm --privileged tonistiigi/binfmt:qemu-v7.0.0 --install all + fi + + echo "> docker buildx rm envoy-builder 2> /dev/null || :" + echo "> docker buildx create --use --name envoy-builder --platform ${DOCKER_PLATFORM}" + + # Remove older build instance + docker buildx rm envoy-builder 2> /dev/null || : + docker buildx create --use --name envoy-builder --platform "${DOCKER_PLATFORM}" --driver-opt "image=moby/buildkit:${BUILDKIT_VERSION}" +} + +BUILD_TYPES=("" "-debug" "-contrib" "-contrib-debug" "-distroless" "-tools") + +if [[ "$DOCKER_PLATFORM" == "linux/amd64" ]]; then + BUILD_TYPES+=("-google-vrp") +fi + +# Configure docker-buildx tools +BUILD_COMMAND=("buildx" "build") +config_env + +image_tag_name () { + local build_type="$1" image_name="$2" image_tag + parts=() + if [[ -n "$build_type" ]]; then + parts+=("${build_type:1}") + fi + if [[ -n ${IMAGE_POSTFIX:1} ]]; then + parts+=("${IMAGE_POSTFIX:1}") + fi + if [[ -z "$image_name" ]]; then + parts+=("$IMAGE_NAME") + elif [[ "$image_name" != "latest" ]]; then + parts+=("$image_name") + fi + image_tag=$(IFS=- ; echo "${parts[*]}") + echo -n "${DOCKER_IMAGE_PREFIX}:${image_tag}" +} + +build_args() { + local build_type=$1 target + + target="${build_type/-debug/}" + target="${target/-contrib/}" + printf ' -f distribution/docker/Dockerfile-envoy --target %s' "envoy${target}" + + if [[ "${build_type}" == *-contrib* ]]; then + printf ' --build-arg ENVOY_BINARY=envoy-contrib' + fi + + if [[ "${build_type}" == *-debug ]]; then + printf ' --build-arg ENVOY_BINARY_PREFIX=dbg/' + fi +} + +use_builder() { + if [[ "${DOCKER_PLATFORM}" != *","* ]]; then + return + fi + echo ">> BUILDX: use envoy-builder" + echo "> docker buildx use envoy-builder" + + if [[ -n "$DOCKER_CI_DRYRUN" ]]; then + return + fi + docker buildx use envoy-builder +} + +build_image () { + local image_type="$1" platform docker_build_args _args args=() docker_build_args docker_image_tarball build_tag action platform size + + action="BUILD" + use_builder "${image_type}" + _args=$(build_args "${image_type}") + read -ra args <<<"$_args" + platform="$DOCKER_PLATFORM" + build_tag="$(image_tag_name "${image_type}")" + docker_image_tarball="${ENVOY_OCI_DIR}/envoy${image_type}.tar" + + # `--sbom` and `--provenance` args added for skopeo 1.5.0 compat, + # can probably be removed for later versions. + args+=( + "--sbom=false" + "--provenance=false") + if [[ -n "$LOAD_IMAGES" ]]; then + action="BUILD+LOAD" + args+=("--load") + else + if [[ "$platform" != *","* ]]; then + arch="$(echo "$platform" | cut -d/ -f2)" + docker_image_tarball="${ENVOY_OCI_DIR}/envoy${image_type}.${arch}.tar" + fi + action="BUILD+OCI" + args+=("-o" "type=oci,dest=${docker_image_tarball}") + fi + + docker_build_args=( + "${BUILD_COMMAND[@]}" + "--platform" "${platform}" + "${args[@]}" + -t "${build_tag}" + .) + echo ">> ${action}: ${build_tag}" + echo "> docker ${docker_build_args[*]}" + + timeout "$DOCKER_BUILD_TIMEOUT" docker "${docker_build_args[@]}" || { + if [[ "$?" == 124 ]]; then + echo "Docker build timed out ..." >&2 + else + echo "Docker build errored ..." >&2 + fi + sleep 5 + echo "trying again ..." >&2 + docker "${docker_build_args[@]}" + } + if [[ -n "$LOAD_IMAGES" || ! -f "${docker_image_tarball}" ]]; then + return + fi + size=$(du -h "${docker_image_tarball}" | cut -f1) + echo ">> OCI tarball created: ${docker_image_tarball} (${size})" +} + +do_docker_ci () { + local build_type + echo "Docker build configuration:" + echo " Platform(s): ${DOCKER_PLATFORM}" + echo " Output directory: ${ENVOY_OCI_DIR}" + if [[ -n "$DOCKER_FORCE_OCI_OUTPUT" ]]; then + echo " Output format: OCI tarballs only" + fi + echo + for build_type in "${BUILD_TYPES[@]}"; do + build_image "$build_type" + done +} + +do_docker_ci diff --git a/distribution/docker/docker_ci.sh b/distribution/docker/docker_ci.sh deleted file mode 100755 index e08ccb6d8d0e4..0000000000000 --- a/distribution/docker/docker_ci.sh +++ /dev/null @@ -1,352 +0,0 @@ -#!/usr/bin/env bash - -# Do not ever set -x here, it is a security hazard as it will place the credentials below in the -# CI logs. -set -e - -## DEBUGGING (NB: Set these in your env to avoided unwanted changes) -## Set this to _not_ build/push just print what would be -# DOCKER_CI_DRYRUN=true -# -## Set these to tag/push images to your own repo -# DOCKER_IMAGE_PREFIX=mydocker/repo -# DOCKERHUB_USERNAME=me -# DOCKERHUB_PASSWORD=mypassword -# -## Set these to simulate types of CI run -# CI_SHA1=MOCKSHA -# CI_BRANCH=refs/heads/main -# CI_BRANCH=refs/heads/release/v1.43 -# CI_BRANCH=refs/tags/v1.77.3 -## - -# Workaround for https://github.com/envoyproxy/envoy/issues/26634 -DOCKER_BUILD_TIMEOUT="${DOCKER_BUILD_TIMEOUT:-500}" - -DOCKER_PLATFORM="${DOCKER_PLATFORM:-linux/arm64,linux/amd64}" - -if [[ -n "$DOCKER_CI_DRYRUN" ]]; then - CI_SHA1="${CI_SHA1:-MOCKSHA}" -fi - -MAIN_BRANCH="refs/heads/main" -RELEASE_BRANCH_REGEX="^refs/heads/release/v.*" -DEV_VERSION_REGEX="-dev$" -DOCKER_REGISTRY="${DOCKER_REGISTRY:-docker.io}" -PUSH_IMAGES_TO_REGISTRY= -if [[ -z "$ENVOY_VERSION" ]]; then - ENVOY_VERSION="$(cat VERSION.txt)" -fi - -if [[ "$ENVOY_VERSION" =~ $DEV_VERSION_REGEX ]]; then - # Dev version - IMAGE_POSTFIX="-dev" - IMAGE_NAME="${CI_SHA1}" -else - # Non-dev version - IMAGE_POSTFIX="" - IMAGE_NAME="v${ENVOY_VERSION}" -fi - -# Only push images for main builds, and non-dev release branch builds -if [[ -n "$DOCKER_LOAD_IMAGES" ]]; then - LOAD_IMAGES=1 -elif [[ -n "$DOCKERHUB_USERNAME" ]] && [[ -n "$DOCKERHUB_PASSWORD" ]]; then - if [[ "${CI_BRANCH}" == "${MAIN_BRANCH}" ]]; then - echo "Pushing images for main." - PUSH_IMAGES_TO_REGISTRY=1 - elif [[ "${CI_BRANCH}" =~ ${RELEASE_BRANCH_REGEX} ]] && ! [[ "$ENVOY_VERSION" =~ $DEV_VERSION_REGEX ]]; then - echo "Pushing images for release branch ${CI_BRANCH}." - PUSH_IMAGES_TO_REGISTRY=1 - else - echo 'Ignoring non-release branch for docker push.' - fi -else - echo 'No credentials for docker push.' -fi - -ENVOY_DOCKER_IMAGE_DIRECTORY="${ENVOY_DOCKER_IMAGE_DIRECTORY:-${BUILD_DIR:-.}/build_images}" -# This prefix is altered for the private security images on setec builds. -DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}" -if [[ -z "$DOCKER_CI_DRYRUN" ]]; then - mkdir -p "${ENVOY_DOCKER_IMAGE_DIRECTORY}" -fi - -# Setting environments for buildx tools -config_env() { - BUILDKIT_VERSION=$(grep '^FROM moby/buildkit:' ci/Dockerfile-buildkit | cut -d ':' -f2) - echo ">> BUILDX: install ${BUILDKIT_VERSION}" - echo "> docker run --rm --privileged tonistiigi/binfmt --install all" - echo "> docker buildx rm multi-builder 2> /dev/null || :" - echo "> docker buildx create --use --name multi-builder --platform ${DOCKER_PLATFORM}" - - if [[ -n "$DOCKER_CI_DRYRUN" ]]; then - return - fi - - # Install QEMU emulators - docker run --rm --privileged tonistiigi/binfmt:qemu-v7.0.0 --install all - - # Remove older build instance - docker buildx rm multi-builder 2> /dev/null || : - docker buildx create --use --name multi-builder --platform "${DOCKER_PLATFORM}" --driver-opt "image=moby/buildkit:${BUILDKIT_VERSION}" -} - -# "-google-vrp" must come afer "" to ensure we rebuild the local base image dependency. -BUILD_TYPES=("" "-debug" "-contrib" "-contrib-debug" "-distroless" "-google-vrp" "-tools") - -# Configure docker-buildx tools -BUILD_COMMAND=("buildx" "build") -config_env - -old_image_tag_name () { - # envoyproxy/envoy-dev:latest - # envoyproxy/envoy-debug:v1.73.3 - # envoyproxy/envoy-debug:v1.73-latest - local build_type="$1" image_name="$2" - if [[ -z "$image_name" ]]; then - image_name="$IMAGE_NAME" - fi - echo -n "${DOCKER_IMAGE_PREFIX}${build_type}${IMAGE_POSTFIX}:${image_name}" -} - -new_image_tag_name () { - # envoyproxy/envoy:dev - # envoyproxy/envoy:debug-v1.73.3 - # envoyproxy/envoy:debug-v1.73-latest - - local build_type="$1" image_name="$2" image_tag - parts=() - if [[ -n "$build_type" ]]; then - parts+=("${build_type:1}") - fi - if [[ -n ${IMAGE_POSTFIX:1} ]]; then - parts+=("${IMAGE_POSTFIX:1}") - fi - if [[ -z "$image_name" ]]; then - parts+=("$IMAGE_NAME") - elif [[ "$image_name" != "latest" ]]; then - parts+=("$image_name") - fi - image_tag=$(IFS=- ; echo "${parts[*]}") - echo -n "${DOCKER_IMAGE_PREFIX}:${image_tag}" -} - -build_platforms() { - local build_type=$1 - - if [[ "${build_type}" == *-google-vrp ]]; then - echo -n "linux/amd64" - else - echo -n "$DOCKER_PLATFORM" - fi -} - -build_args() { - local build_type=$1 target - - target="${build_type/-debug/}" - target="${target/-contrib/}" - printf ' -f distribution/docker/Dockerfile-envoy --target %s' "envoy${target}" - - if [[ "${build_type}" == *-contrib* ]]; then - printf ' --build-arg ENVOY_BINARY=envoy-contrib' - fi - - if [[ "${build_type}" == *-debug ]]; then - printf ' --build-arg ENVOY_BINARY_PREFIX=dbg/' - fi -} - -use_builder() { - echo ">> BUILDX: use multi-builder" - echo "> docker buildx use multi-builder" - - if [[ -n "$DOCKER_CI_DRYRUN" ]]; then - return - fi - docker buildx use multi-builder -} - -build_and_maybe_push_image () { - # If the image is not required for local testing and this is main or a release this will push immediately - # If it is required for testing on a main or release branch (ie non-debug) it will push to a tar archive - # and then push to the registry from there. - local image_type="$1" platform docker_build_args _args args=() docker_build_args docker_image_tarball build_tag action platform - - action="BUILD" - use_builder "${image_type}" - _args=$(build_args "${image_type}") - read -ra args <<<"$_args" - platform="$(build_platforms "${image_type}")" - build_tag="$(old_image_tag_name "${image_type}")" - docker_image_tarball="${ENVOY_DOCKER_IMAGE_DIRECTORY}/envoy${image_type}.tar" - - # `--sbom` and `--provenance` args added for skopeo 1.5.0 compat, - # can probably be removed for later versions. - args+=( - "--sbom=false" - "--provenance=false") - if [[ -n "$LOAD_IMAGES" ]]; then - action="BUILD+LOAD" - args+=("--load") - elif [[ "${image_type}" =~ debug ]]; then - # For linux if its the debug image then push immediately for release branches, - # otherwise just test the build - if [[ -n "$PUSH_IMAGES_TO_REGISTRY" ]]; then - action="BUILD+PUSH" - args+=("--push") - fi - else - # For linux non-debug builds, save it first in the tarball, we will push it - # with skopeo from there if needed. - args+=("-o" "type=oci,dest=${docker_image_tarball}") - fi - - docker_build_args=( - "${BUILD_COMMAND[@]}" - "--platform" "${platform}" - "${args[@]}" - -t "${build_tag}" - .) - echo ">> ${action}: ${build_tag}" - echo "> docker ${docker_build_args[*]}" - - if [[ -z "$DOCKER_CI_DRYRUN" ]]; then - echo "..." - timeout "$DOCKER_BUILD_TIMEOUT" docker "${docker_build_args[@]}" || { - if [[ "$?" == 124 ]]; then - echo "Docker build timed out ..." >&2 - else - echo "Docker build errored ..." >&2 - fi - sleep 5 - echo "trying again ..." >&2 - docker "${docker_build_args[@]}" - } - fi - if [[ -z "$PUSH_IMAGES_TO_REGISTRY" ]]; then - return - fi - - if ! [[ "${image_type}" =~ debug ]]; then - push_image_from_tarball "$build_tag" "$docker_image_tarball" - fi -} - -tag_image () { - local build_tag="$1" tag="$2" docker_tag_args - - if [[ "$build_tag" == "$tag" ]]; then - return - fi - - echo ">> TAG: ${build_tag} -> ${tag}" - - docker_tag_args=( - buildx imagetools create - "${DOCKER_REGISTRY}/${build_tag}" - "--tag" "${DOCKER_REGISTRY}/${tag}") - - echo "> docker ${docker_tag_args[*]}" - - if [[ -z "$DOCKER_CI_DRYRUN" ]]; then - echo "..." - docker "${docker_tag_args[@]}" || { - echo "Retry Docker tag in 5s ..." >&2 - sleep 5 - docker "${docker_tag_args[@]}" - } - fi -} - -push_image_from_tarball () { - # Use skopeo to push from the created oci archive - - local build_tag="$1" docker_image_tarball="$2" src dest - - src="oci-archive:${docker_image_tarball}" - dest="docker://${DOCKER_REGISTRY}/${build_tag}" - # dest="oci-archive:${docker_image_tarball2}" - - echo ">> PUSH: ${src} -> ${dest}" - echo "> skopeo copy --all ${src} ${dest}" - - if [[ -n "$DOCKER_CI_DRYRUN" ]]; then - return - fi - - # NB: this command works with skopeo 1.5.0, later versions may require - # different flags, eg `--multi-arch all` - skopeo copy --all "${src}" "${dest}" - - # Test specific versions using a container, eg - # docker run -v "${HOME}/.docker:/root/.docker" -v "${PWD}/build_images:/build_images" --rm -it \ - # quay.io/skopeo/stable:v1.5.0 copy --all "${src}" "${dest}" -} - -tag_variants () { - # Tag image variants - local image_type="$1" build_tag new_image_name release_line variant_type tag_name new_tag_name - - if [[ -z "$PUSH_IMAGES_TO_REGISTRY" ]]; then - return - fi - - build_tag="$(old_image_tag_name "${image_type}")" - new_image_name="$(new_image_tag_name "${image_type}")" - - if [[ "$build_tag" != "$new_image_name" ]]; then - tag_image "${build_tag}" "${new_image_name}" - fi - - # Only push latest on main/dev builds. - if [[ "$ENVOY_VERSION" =~ $DEV_VERSION_REGEX ]]; then - if [[ "${CI_BRANCH}" == "${MAIN_BRANCH}" ]]; then - variant_type="latest" - fi - else - # Push vX.Y-latest to tag the latest image in a release line - release_line="$(echo "$ENVOY_VERSION" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1-latest/')" - variant_type="v${release_line}" - fi - if [[ -n "$variant_type" ]]; then - tag_name="$(old_image_tag_name "${image_type}" "${variant_type}")" - new_tag_name="$(new_image_tag_name "${image_type}" "${variant_type}")" - tag_image "${build_tag}" "${tag_name}" - if [[ "$tag_name" != "$new_tag_name" ]]; then - tag_image "${build_tag}" "${new_tag_name}" - fi - fi -} - -build_and_maybe_push_image_and_variants () { - local image_type="$1" - - build_and_maybe_push_image "$image_type" - tag_variants "$image_type" - - # Leave blank line before next build - echo -} - -login_docker () { - echo ">> LOGIN" - if [[ -z "$DOCKER_CI_DRYRUN" ]]; then - docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD" - fi -} - -do_docker_ci () { - local build_type - - if [[ -n "$PUSH_IMAGES_TO_REGISTRY" ]]; then - login_docker - fi - - for build_type in "${BUILD_TYPES[@]}"; do - build_and_maybe_push_image_and_variants "${build_type}" - done -} - -do_docker_ci From 4b65288163e2e11ab3cbf5edcc6b407c20f3a705 Mon Sep 17 00:00:00 2001 From: phlax Date: Mon, 4 Aug 2025 10:43:53 +0100 Subject: [PATCH 147/505] ci/release: Minor fix (#40563) Signed-off-by: Ryan Northey --- .github/workflows/_publish_release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_publish_release.yml b/.github/workflows/_publish_release.yml index d573bea5b43b0..b5245b6d46f32 100644 --- a/.github/workflows/_publish_release.yml +++ b/.github/workflows/_publish_release.yml @@ -47,7 +47,7 @@ jobs: gcs-cache-key: ${{ secrets.gcs-cache-key }} gpg-key: ${{ secrets.gpg-key }} gpg-key-password: ${{ secrets.gpg-key-password }} - if: ${{ github.repository == 'envoyproxy/envoy-ci-staging' }} + if: ${{ vars.ENVOY_CI_RELEASE || github.repository == 'envoyproxy/envoy' }} name: Sign packages uses: ./.github/workflows/_run.yml with: From 3055ace101d3e8bf90e06d96e647c5c12aea84d0 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Mon, 4 Aug 2025 06:06:22 -0400 Subject: [PATCH 148/505] Simplify typed metadata initialization (#40558) And avoid one memory copy. Signed-off-by: Yan Avlasov --- .../filters/listener/proxy_protocol/proxy_protocol.cc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc index 34517c5e532e9..5dd755f8b8342 100644 --- a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc +++ b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc @@ -572,10 +572,7 @@ bool Filter::parseTlvs(const uint8_t* buf, size_t len) { "proxy_protocol: Failed to unpack typed metadata for TLV type ", tlv_type); } else { - Protobuf::BytesValue tlv_byte_value; - tlv_byte_value.set_value(tlv_value); - tlvs_metadata.mutable_typed_metadata()->insert( - {key_value_pair->key(), tlv_byte_value.value()}); + (*tlvs_metadata.mutable_typed_metadata())[key_value_pair->key()] = tlv_value; ProtobufWkt::Any typed_metadata; typed_metadata.PackFrom(tlvs_metadata); cb_->setDynamicTypedMetadata(metadata_key, typed_metadata); From 48af5fbaafa6cc8059833ec3ccc13a452e286982 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 4 Aug 2025 13:29:36 +0200 Subject: [PATCH 149/505] docs: improve the docs for Set-Metadata filter (#40465) ## Description [Set-Metadata filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/set_metadata_filter) docs are very limiting and doesn't have any good examples. The formatting is also off for list, etc. This PR improve the docs and add some examples, etc. Signed-off-by: Rohit Agrawal --- .../_include/set-metadata-basic-static.yaml | 42 +++++++ .../set-metadata-multiple-entries.yaml | 47 ++++++++ .../set-metadata-overwrite-control.yaml | 52 +++++++++ .../set-metadata-typed-configuration.yaml | 42 +++++++ .../http/http_filters/set_metadata_filter.rst | 108 ++++++++++++++++-- 5 files changed, 279 insertions(+), 12 deletions(-) create mode 100644 docs/root/configuration/http/http_filters/_include/set-metadata-basic-static.yaml create mode 100644 docs/root/configuration/http/http_filters/_include/set-metadata-multiple-entries.yaml create mode 100644 docs/root/configuration/http/http_filters/_include/set-metadata-overwrite-control.yaml create mode 100644 docs/root/configuration/http/http_filters/_include/set-metadata-typed-configuration.yaml diff --git a/docs/root/configuration/http/http_filters/_include/set-metadata-basic-static.yaml b/docs/root/configuration/http/http_filters/_include/set-metadata-basic-static.yaml new file mode 100644 index 0000000000000..11af094b0018b --- /dev/null +++ b/docs/root/configuration/http/http_filters/_include/set-metadata-basic-static.yaml @@ -0,0 +1,42 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: default + domains: + - "*" + routes: + - match: + prefix: "/" + direct_response: + status: 200 + body: + inline_string: "OK" + http_filters: + - name: envoy.filters.http.set_metadata + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config + metadata: + - metadata_namespace: envoy.lb + value: + version: "v1.2.3" + environment: "production" + features: + - "feature_a" + - "feature_b" + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/docs/root/configuration/http/http_filters/_include/set-metadata-multiple-entries.yaml b/docs/root/configuration/http/http_filters/_include/set-metadata-multiple-entries.yaml new file mode 100644 index 0000000000000..9ace86188df0e --- /dev/null +++ b/docs/root/configuration/http/http_filters/_include/set-metadata-multiple-entries.yaml @@ -0,0 +1,47 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: default + domains: + - "*" + routes: + - match: + prefix: "/" + direct_response: + status: 200 + body: + inline_string: "OK" + http_filters: + - name: envoy.filters.http.set_metadata + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config + metadata: + # Service identification metadata + - metadata_namespace: envoy.lb + allow_overwrite: true + value: + service: "user-service" + version: "v2.1.0" + # Request routing metadata + - metadata_namespace: envoy.filters.http.fault + allow_overwrite: true + value: + upstream_cluster: "backend" + retry_policy: "aggressive" + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/docs/root/configuration/http/http_filters/_include/set-metadata-overwrite-control.yaml b/docs/root/configuration/http/http_filters/_include/set-metadata-overwrite-control.yaml new file mode 100644 index 0000000000000..88d7866f44cd9 --- /dev/null +++ b/docs/root/configuration/http/http_filters/_include/set-metadata-overwrite-control.yaml @@ -0,0 +1,52 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: default + domains: + - "*" + routes: + - match: + prefix: "/" + direct_response: + status: 200 + body: + inline_string: "OK" + http_filters: + - name: envoy.filters.http.set_metadata + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config + metadata: + # First entry - will be set initially + - metadata_namespace: test.namespace + value: + counter: 1 + list: ["first"] + # Second entry - will be ignored without allow_overwrite + - metadata_namespace: test.namespace + value: + counter: 2 + list: ["second"] + # Third entry - will merge with allow_overwrite: true + - metadata_namespace: test.namespace + allow_overwrite: true + value: + counter: 3 + list: ["third"] + new_field: "added" + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/docs/root/configuration/http/http_filters/_include/set-metadata-typed-configuration.yaml b/docs/root/configuration/http/http_filters/_include/set-metadata-typed-configuration.yaml new file mode 100644 index 0000000000000..a5df2b984552b --- /dev/null +++ b/docs/root/configuration/http/http_filters/_include/set-metadata-typed-configuration.yaml @@ -0,0 +1,42 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: default + domains: + - "*" + routes: + - match: + prefix: "/" + direct_response: + status: 200 + body: + inline_string: "OK" + http_filters: + - name: envoy.filters.http.set_metadata + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config + metadata: + - metadata_namespace: custom.typed + allow_overwrite: true + typed_value: + "@type": type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config + metadata_namespace: nested_namespace + value: + custom_field: "typed_value" + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/docs/root/configuration/http/http_filters/set_metadata_filter.rst b/docs/root/configuration/http/http_filters/set_metadata_filter.rst index fde69d5a50317..49634980e1d09 100644 --- a/docs/root/configuration/http/http_filters/set_metadata_filter.rst +++ b/docs/root/configuration/http/http_filters/set_metadata_filter.rst @@ -6,16 +6,43 @@ Set Metadata * This filter should be configured with the type URL ``type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config``. * :ref:`v3 API reference ` -This filters adds or updates dynamic metadata with static data. +The Set Metadata filter adds or updates dynamic metadata with static or dynamically formatted data. +This filter is useful for attaching contextual information to requests that can be consumed by other +filters, used for load balancing decisions, included in access logs, or utilized for routing decisions. -Dynamic metadata values are updated with the following rules. If a key does not exist, it is copied into the current metadata. If the key exists, then following rules will be used: +The filter supports both untyped metadata (using ``google.protobuf.Struct``) and typed metadata +(using ``google.protobuf.Any``). Dynamic metadata values are updated according to specific merge +rules that vary based on the value type and the ``allow_overwrite`` configuration. -* if :ref:`typed metadata value ` is used, it will overwrite existing values iff :ref:`allow_overwrite ` is set to true, otherwise nothing is done. -* if :ref:`untyped metadata value ` is used and ``allow_overwrite`` is set to true, or if deprecated :ref:`value ` field is used, the values are updated with the following scheme: - - existing value with different type: the existing value is replaced. - - scalar values (null, string, number, boolean): the existing value is replaced. - - lists: new values are appended to the current list. - - structures: recursively apply this scheme. +Common use cases include: + +* Tagging requests with environment or service information for downstream processing. +* Adding routing hints for load balancer subset selection. +* Enriching access logs with additional context. +* Storing computed values for use by subsequent filters in the chain. + +Configuration +------------- + +The filter can be configured with multiple metadata entries, each targeting a specific namespace. +Each entry can contain either static values or use the deprecated legacy configuration format. + +Metadata Merge Rules +-------------------- + +Dynamic metadata values are updated with the following rules. If a key does not exist, it is copied into the current metadata. If the key exists, the following rules apply: + +* **Typed metadata values**: When :ref:`typed_value ` is used, it will overwrite existing values if and only if :ref:`allow_overwrite ` is set to ``true``. Otherwise, the operation is skipped. + +* **Untyped metadata values**: When :ref:`value ` is used and ``allow_overwrite`` is set to ``true``, or when the deprecated :ref:`value ` field is used, values are merged using the following scheme: + + - **Different type values**: The existing value is replaced entirely. + - **Scalar values** (null, string, number, boolean): The existing value is replaced. + - **Lists**: New values are appended to the existing list. + - **Structures**: The merge rules are applied recursively to nested structures. + +Merge Example +^^^^^^^^^^^^^ For instance, if the namespace already contains this structure: @@ -48,15 +75,72 @@ After applying this filter, the namespace will contain: tag0: 1 tag1: 1 +Configuration Examples +---------------------- + +Basic Static Metadata +^^^^^^^^^^^^^^^^^^^^^^ + +A simple configuration that adds static metadata to the ``envoy.lb`` namespace: + +.. literalinclude:: _include/set-metadata-basic-static.yaml + :language: yaml + :lines: 29-39 + :lineno-start: 29 + :linenos: + :caption: :download:`set-metadata-basic-static.yaml <_include/set-metadata-basic-static.yaml>` + +Multiple Metadata Entries +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Configuration with multiple metadata entries targeting different namespaces: + +.. literalinclude:: _include/set-metadata-multiple-entries.yaml + :language: yaml + :lines: 29-44 + :lineno-start: 29 + :linenos: + :caption: :download:`set-metadata-multiple-entries.yaml <_include/set-metadata-multiple-entries.yaml>` + +Typed Metadata Configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Configuration using typed metadata with ``google.protobuf.Any``: + +.. literalinclude:: _include/set-metadata-typed-configuration.yaml + :language: yaml + :lines: 29-39 + :lineno-start: 29 + :linenos: + :caption: :download:`set-metadata-typed-configuration.yaml <_include/set-metadata-typed-configuration.yaml>` + +Overwrite Control +^^^^^^^^^^^^^^^^^ + +Configuration demonstrating overwrite control behavior: + +.. literalinclude:: _include/set-metadata-overwrite-control.yaml + :language: yaml + :lines: 29-49 + :lineno-start: 29 + :linenos: + :caption: :download:`set-metadata-overwrite-control.yaml <_include/set-metadata-overwrite-control.yaml>` + +.. note:: + + In the above example, the final metadata will contain: + ``counter: 3``, ``list: ["first", "third"]``, and ``new_field: "added"``. + The second entry is ignored because ``allow_overwrite`` is not set. + Statistics ---------- -The ``set_metadata`` filter outputs statistics in the ``http..set_metadata.`` namespace. The :ref:`stat prefix -` comes from the -owning HTTP connection manager. +The Set Metadata filter outputs statistics in the ``http..set_metadata.`` namespace. +The :ref:`stat prefix ` +comes from the owning HTTP connection manager. .. csv-table:: :header: Name, Type, Description :widths: 1, 1, 2 - overwrite_denied, Counter, Total number of denied attempts to overwrite an existing metadata value + overwrite_denied, Counter, Total number of denied attempts to overwrite an existing metadata value when ``allow_overwrite`` is ``false`` From 261914f25fd7466e4a2f28a5102ce7c5c243f219 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 4 Aug 2025 14:02:13 +0200 Subject: [PATCH 150/505] coverage: adjusting coverage numbers to reflect current state (#40568) ## Description This PR adjusts the latest LCOV numbers per the current state. Signed-off-by: Rohit Agrawal --- test/coverage.yaml | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/test/coverage.yaml b/test/coverage.yaml index 151bf503c1627..8142f27540dab 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -6,8 +6,6 @@ directories: source/common: 96.4 source/common/api: 95.3 # some syscalls require sandboxing source/common/api/posix: 94.9 # setns requires Linux CAP_NET_ADMIN privileges - source/common/common/posix: 96.2 # flaky due to posix: be careful adjusting - source/common/config: 96.5 source/common/crypto: 95.5 source/common/event: 96.5 # Emulated edge events guards don't report LCOV and setns requires Linux CAP_NET_ADMIN privileges. source/common/filesystem/posix: 96.4 # FileReadToEndNotReadable fails in some env; createPath can't test all failure branches. @@ -22,14 +20,14 @@ directories: source/common/quic: 93.2 source/common/signal: 87.4 # Death tests don't report LCOV source/common/thread: 0.0 # Death tests don't report LCOV - source/common/tls: 94.4 # FIPS code paths impossible to trigger on non-FIPS builds and vice versa + source/common/tls: 94.5 # FIPS code paths impossible to trigger on non-FIPS builds and vice versa source/common/tls/cert_validator: 95.0 source/common/tls/private_key: 88.9 - source/common/tracing: 95.4 + source/common/tracing: 95.8 source/common/watchdog: 60.0 # Death tests don't report LCOV source/exe: 94.4 # increased by #32346, need coverage for terminate_handler and hot restart failures source/extensions/api_listeners: 55.0 # Many IS_ENVOY_BUG are not covered. - source/extensions/api_listeners/default_api_listener: 55.0 # Many IS_ENVOY_BUG are not covered. + source/extensions/api_listeners/default_api_listener: 59.0 # Many IS_ENVOY_BUG are not covered. source/extensions/common/aws: 98.5 source/extensions/common/aws/credential_providers: 100.0 source/extensions/common/proxy_protocol: 94.6 # Adjusted for security patch @@ -41,9 +39,9 @@ directories: source/extensions/filters/common/rbac: 92.6 source/extensions/filters/common/lua: 95.6 source/extensions/filters/http/cache: 95.9 - source/extensions/filters/http/dynamic_forward_proxy: 94.3 + source/extensions/filters/http/dynamic_forward_proxy: 94.8 source/extensions/filters/http/decompressor: 95.9 - source/extensions/filters/http/ext_proc: 96.3 + source/extensions/filters/http/ext_proc: 96.5 source/extensions/filters/http/grpc_json_reverse_transcoder: 94.8 source/extensions/filters/http/grpc_json_transcoder: 94.0 # TODO(#28232) source/extensions/filters/http/ip_tagging: 95.9 @@ -51,23 +49,23 @@ directories: source/extensions/filters/http/oauth2: 97.6 source/extensions/filters/listener: 96.5 source/extensions/filters/listener/original_src: 92.1 - source/extensions/filters/listener/tls_inspector: 94.0 + source/extensions/filters/listener/tls_inspector: 94.1 source/extensions/filters/network/dubbo_proxy: 96.2 source/extensions/filters/network/mongo_proxy: 96.1 source/extensions/filters/network/sni_cluster: 88.9 - source/extensions/formatter/cel: 90.5 + source/extensions/formatter/cel: 93.9 source/extensions/internal_redirect: 86.2 source/extensions/internal_redirect/safe_cross_scheme: 81.3 source/extensions/internal_redirect/allow_listed_routes: 85.7 source/extensions/internal_redirect/previous_routes: 89.3 - source/extensions/load_balancing_policies/maglev: 94.8 + source/extensions/load_balancing_policies/maglev: 94.9 source/extensions/load_balancing_policies/round_robin: 96.4 source/extensions/load_balancing_policies/ring_hash: 96.9 source/extensions/rate_limit_descriptors: 95.0 source/extensions/rate_limit_descriptors/expr: 88.2 source/extensions/stat_sinks/graphite_statsd: 82.8 # Death tests don't report LCOV source/extensions/stat_sinks/statsd: 85.2 # Death tests don't report LCOV - source/extensions/tracers/zipkin: 95.9 + source/extensions/tracers/zipkin: 96.1 source/extensions/transport_sockets/proxy_protocol: 96.2 source/extensions/wasm_runtime/wamr: 0.0 # Not enabled in coverage build source/extensions/wasm_runtime/wasmtime: 0.0 # Not enabled in coverage build @@ -76,9 +74,9 @@ directories: source/extensions/listener_managers/validation_listener_manager: 77.3 source/extensions/watchdog/profile_action: 86.1 source/server: 91.0 # flaky: be careful adjusting. See https://github.com/envoyproxy/envoy/issues/15239 - source/server/config_validation: 92.3 + source/server/config_validation: 93.1 source/extensions/health_checkers: 96.1 - source/extensions/health_checkers/http: 94.2 + source/extensions/health_checkers/http: 94.6 source/extensions/health_checkers/grpc: 92.3 source/extensions/config_subscription/rest: 94.9 source/extensions/matching/input_matchers/cel_matcher: 82.6 # Death tests don't report LCOV From 7972ca4c7cedcfecd18159c371d16c8dc3817b3b Mon Sep 17 00:00:00 2001 From: code Date: Mon, 4 Aug 2025 23:44:09 +0800 Subject: [PATCH 151/505] add proxy env to the dev container.json (#40533) --- .devcontainer/devcontainer.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index f24d57d22ede2..eb34fc304c06c 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -15,6 +15,9 @@ ], "containerEnv": { "ENVOY_SRCDIR": "${containerWorkspaceFolder}", + "HTTPS_PROXY": "${env:VSCODE_CONTAINER_HTTPS_PROXY}", + "HTTP_PROXY": "${env:VSCODE_CONTAINER_HTTP_PROXY}", + "NO_PROXY": "${env:VSCODE_CONTAINER_NO_PROXY}" }, "remoteUser": "vscode", "containerUser": "vscode", From 9eaac4bdc7671ba3e6c26343d786638f1068094e Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 4 Aug 2025 19:10:00 +0200 Subject: [PATCH 152/505] gcp_authn: deprecate flag gcp_authn_use_fixed_url and remove legacy code paths (#40546) ## Description This PR removes the deprecated reloadable flag `gcp_authn_use_fixed_url` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39116 --- **Commit Message:** router: deprecate flag gcp_authn_use_fixed_url and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `gcp_authn_use_fixed_url` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 2 -- .../http/gcp_authn/gcp_authn_filter.cc | 6 +---- .../gcp_authn_filter_integration_test.cc | 23 ------------------- 4 files changed, 4 insertions(+), 30 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 0a3d412c8b9cb..a7c7feef3afaf 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -35,6 +35,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: gcp_authn + change: | + Removed runtime guard ``envoy.reloadable_features.gcp_authn_use_fixed_url`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 9bb5c80ccbb60..0f0d23cdd78ed 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -43,8 +43,6 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); - -RUNTIME_GUARD(envoy_reloadable_features_gcp_authn_use_fixed_url); RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_num_retries); RUNTIME_GUARD(envoy_reloadable_features_grpc_side_stream_flow_control); RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_allow_cr_or_lf_at_request_start); diff --git a/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc b/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc index 5f88b4f0c10a6..c88702c442070 100644 --- a/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc +++ b/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc @@ -76,11 +76,7 @@ Http::FilterHeadersStatus GcpAuthnFilter::decodeHeaders(Http::RequestHeaderMap& // So, we add the audience from the config to the final url by substituting the `[AUDIENCE]` // with real audience string from the config. - std::string final_url = absl::StrReplaceAll( - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.gcp_authn_use_fixed_url") - ? UrlString - : filter_config_->http_uri().uri(), - {{"[AUDIENCE]", audience_str_}}); + std::string final_url = absl::StrReplaceAll(UrlString, {{"[AUDIENCE]", audience_str_}}); client_->fetchToken(*this, buildRequest(final_url)); initiating_call_ = false; } else { diff --git a/test/extensions/filters/http/gcp_authn/gcp_authn_filter_integration_test.cc b/test/extensions/filters/http/gcp_authn/gcp_authn_filter_integration_test.cc index 425233d190ca5..92bd8dd29c97c 100644 --- a/test/extensions/filters/http/gcp_authn/gcp_authn_filter_integration_test.cc +++ b/test/extensions/filters/http/gcp_authn/gcp_authn_filter_integration_test.cc @@ -231,29 +231,6 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, GcpAuthnFilterIntegrationTest, testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), TestUtility::ipTestParamsToString); -TEST_P(GcpAuthnFilterIntegrationTest, DEPRECATED_FEATURE_TEST(Basicflow)) { - use_new_config_ = false; - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.gcp_authn_use_fixed_url", "false"}}); - initializeConfig(/*add_audience=*/true); - HttpIntegrationTest::initialize(); - int num = 2; - // Send multiple requests. - for (int i = 0; i < num; ++i) { - initiateClientConnection(); - // Send the request to cluster `gcp_authn`. - waitForGcpAuthnServerResponse(); - // Send the request to cluster `cluster_0` and validate the response. - sendRequestToDestinationAndValidateResponse(/*with_audience=*/true); - // Clean up the codec and connections. - cleanup(); - } - - // Verify request has been routed to both upstream clusters. - EXPECT_GE(test_server_->counter("cluster.gcp_authn.upstream_cx_total")->value(), num); - EXPECT_GE(test_server_->counter("cluster.cluster_0.upstream_cx_total")->value(), num); -} - TEST_P(GcpAuthnFilterIntegrationTest, BasicflowWithNewConfig) { initializeConfig(/*add_audience=*/true); HttpIntegrationTest::initialize(); From 1188a69c33b96fe817407225e4d231b8073cc7dc Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Mon, 4 Aug 2025 13:23:34 -0400 Subject: [PATCH 153/505] Revert "Ext_proc: do not support fail_open+FULL_DUPLEX_STREAMED configuraton combination (#39740)" (#40503) There is a request that to have ext_proc FULL_DUPLEX_STREAMED mode support fail_open to certain stage, like before the 1st chunk of data is shipped to the ext_proc server. This is doable. This PR reverts "Ext_proc: do not support fail_open+FULL_DUPLEX_STREAMED configuraton combination (#39740)", i.e, commit 4861b2057afbc67290da0ec77ae1f1af60f152d0. A follow up PR will implement the above fail-open behavior. --------- Signed-off-by: Yanjun Xiang --- .../filters/http/ext_proc/v3/ext_proc.proto | 6 +-- changelogs/current.yaml | 4 +- .../filters/http/ext_proc/config.cc | 11 ----- .../filters/http/ext_proc/config_test.cc | 48 ------------------- 4 files changed, 4 insertions(+), 65 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto index 54676a15b3af9..2187c4547c61c 100644 --- a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +++ b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto @@ -168,11 +168,7 @@ message ExternalProcessor { (xds.annotations.v3.field_status).work_in_progress = true ]; - // If the ``BodySendMode`` in the - // :ref:`processing_mode ` - // is set to ``FULL_DUPLEX_STREAMED``, ``failure_mode_allow`` can not be set to true. - // - // Otherwise, by default, if in the following cases: + // By default, if in the following cases: // // 1. The gRPC stream cannot be established. // diff --git a/changelogs/current.yaml b/changelogs/current.yaml index a7c7feef3afaf..14af06baa005d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,7 +1,9 @@ date: Pending behavior_changes: -# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* +- area: ext_proc + change: | + Reverted https://github.com/envoyproxy/envoy/pull/39740 to re-enable fail_open+FULL_DUPLEX_STREAMED configuraton combination. minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* diff --git a/source/extensions/filters/http/ext_proc/config.cc b/source/extensions/filters/http/ext_proc/config.cc index a85a987e334c6..88db5a9807bbe 100644 --- a/source/extensions/filters/http/ext_proc/config.cc +++ b/source/extensions/filters/http/ext_proc/config.cc @@ -50,17 +50,6 @@ absl::Status verifyProcessingModeConfig( "then the response_trailer_mode has to be set to SEND"); } - // Do not support fail open for FULL_DUPLEX_STREAMED body mode. - if (((processing_mode.request_body_mode() == - envoy::extensions::filters::http::ext_proc::v3::ProcessingMode::FULL_DUPLEX_STREAMED) || - (processing_mode.response_body_mode() == - envoy::extensions::filters::http::ext_proc::v3::ProcessingMode::FULL_DUPLEX_STREAMED)) && - config.failure_mode_allow()) { - return absl::InvalidArgumentError( - "If the ext_proc filter has either the request_body_mode or the response_body_mode set " - "to FULL_DUPLEX_STREAMED, then the failure_mode_allow has to be left as false"); - } - return absl::OkStatus(); } diff --git a/test/extensions/filters/http/ext_proc/config_test.cc b/test/extensions/filters/http/ext_proc/config_test.cc index cafb704ecca08..0fa8e8a53327f 100644 --- a/test/extensions/filters/http/ext_proc/config_test.cc +++ b/test/extensions/filters/http/ext_proc/config_test.cc @@ -256,54 +256,6 @@ TEST(HttpExtProcConfigTest, InvalidFullDuplexStreamedConfig) { "then the request_trailer_mode has to be set to SEND"); } -TEST(HttpExtProcConfigTest, InvalidRequestFullDuplexStreamedFailureModeAllowConfig) { - std::string yaml = R"EOF( - grpc_service: - envoy_grpc: - cluster_name: ext_proc_server - failure_mode_allow: true - processing_mode: - request_body_mode: FULL_DUPLEX_STREAMED - request_trailer_mode: SEND - )EOF"; - - ExternalProcessingFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - testing::NiceMock context; - auto result = factory.createFilterFactoryFromProto(*proto_config, "stats", context); - EXPECT_FALSE(result.ok()); - EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); - EXPECT_EQ(result.status().message(), - "If the ext_proc filter has either the request_body_mode or the response_body_mode set " - "to FULL_DUPLEX_STREAMED, then the failure_mode_allow has to be left as false"); -} - -TEST(HttpExtProcConfigTest, InvalidResponseFullDuplexStreamedFailureModeAllowConfig) { - std::string yaml = R"EOF( - grpc_service: - envoy_grpc: - cluster_name: ext_proc_server - failure_mode_allow: true - processing_mode: - response_body_mode: FULL_DUPLEX_STREAMED - response_trailer_mode: SEND - )EOF"; - - ExternalProcessingFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); - TestUtility::loadFromYaml(yaml, *proto_config); - - testing::NiceMock context; - auto result = factory.createFilterFactoryFromProto(*proto_config, "stats", context); - EXPECT_FALSE(result.ok()); - EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); - EXPECT_EQ(result.status().message(), - "If the ext_proc filter has either the request_body_mode or the response_body_mode set " - "to FULL_DUPLEX_STREAMED, then the failure_mode_allow has to be left as false"); -} - TEST(HttpExtProcConfigTest, GrpcServiceHttpServiceBothSet) { std::string yaml = R"EOF( grpc_service: From f334a6cc614c5bf9f68e0c26220ae5e81f2bbcb8 Mon Sep 17 00:00:00 2001 From: danzh Date: Mon, 4 Aug 2025 14:35:05 -0400 Subject: [PATCH 154/505] quic: fix defer logging for half closed stream (#40449) Commit Message: mark deferred logging done only when we actually logged stream info. This fix a bug with half closed stream which may get last-sent byte ACKed while the stream is still reading request body. In such case, the current maybeDoDeferredLog() will skip logging but mark logging done. So when the stream eventually finishes reading, no more logging will happen. To fix the issue we should also cache the time of the received ACK of the last byte sent. And use it to populate the stream info's last_downstream_ack_timestamp_ when `maybeDoDeferredLog(/*record_ack_timing= */ false)` is called in `QuicStream::OnSoonToBeDestroyed()` call stack. Otherwise the `last_downstream_ack_timestamp_` will not be populated. Risk Level: low Testing: modified integration test to cover this case Docs Changes: N/A Release Notes: mentioned the runtime guard Platform Specific Features: N/A Runtime guard: envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- changelogs/current.yaml | 5 +++ source/common/quic/quic_stats_gatherer.cc | 13 +++++++- source/common/quic/quic_stats_gatherer.h | 8 ++++- source/common/runtime/runtime_features.cc | 1 + test/integration/protocol_integration_test.cc | 33 ++++++++++++++----- 5 files changed, 50 insertions(+), 10 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 14af06baa005d..4d0757015a826 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -10,6 +10,11 @@ minor_behavior_changes: bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* +- area: http3 + change: | + Fixed a bug where access log gets skipped for HTTP/3 requests when the stream is half closed. This behavior can be + reverted by setting the runtime guard + ``envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream`` to ``false``. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/common/quic/quic_stats_gatherer.cc b/source/common/quic/quic_stats_gatherer.cc index c1a0da083082e..89241e5696a90 100644 --- a/source/common/quic/quic_stats_gatherer.cc +++ b/source/common/quic/quic_stats_gatherer.cc @@ -11,6 +11,9 @@ void QuicStatsGatherer::OnPacketAcked(int acked_bytes, quic::QuicTime::Delta /* delta_largest_observed */) { bytes_outstanding_ -= acked_bytes; if (bytes_outstanding_ == 0 && fin_sent_ && !logging_done_) { + if (time_source_ != nullptr) { + last_downstream_ack_timestamp_ = time_source_->monotonicTime(); + } maybeDoDeferredLog(); } } @@ -21,12 +24,20 @@ void QuicStatsGatherer::OnPacketRetransmitted(int retransmitted_bytes) { } void QuicStatsGatherer::maybeDoDeferredLog(bool record_ack_timing) { - logging_done_ = true; + if (!fix_defer_logging_miss_for_half_closed_stream_) { + logging_done_ = true; + } if (stream_info_ == nullptr) { return; } + if (fix_defer_logging_miss_for_half_closed_stream_) { + logging_done_ = true; + } if (time_source_ != nullptr && record_ack_timing) { stream_info_->downstreamTiming().onLastDownstreamAckReceived(*time_source_); + } else if (fix_defer_logging_miss_for_half_closed_stream_ && + last_downstream_ack_timestamp_.has_value()) { + stream_info_->downstreamTiming().last_downstream_ack_received_ = last_downstream_ack_timestamp_; } stream_info_->addBytesRetransmitted(retransmitted_bytes_); stream_info_->addPacketsRetransmitted(retransmitted_packets_); diff --git a/source/common/quic/quic_stats_gatherer.h b/source/common/quic/quic_stats_gatherer.h index 7d9af7f6fd40b..578a760570252 100644 --- a/source/common/quic/quic_stats_gatherer.h +++ b/source/common/quic/quic_stats_gatherer.h @@ -7,6 +7,8 @@ #include "envoy/http/header_map.h" #include "envoy/stream_info/stream_info.h" +#include "source/common/runtime/runtime_features.h" + #include "quiche/quic/core/quic_ack_listener_interface.h" #include "quiche/quic/platform/api/quic_flags.h" @@ -21,7 +23,8 @@ class QuicStatsGatherer : public quic::QuicAckListenerInterface { ~QuicStatsGatherer() override { if (!logging_done_) { if (notify_ack_listener_before_soon_to_be_destroyed_) { - ENVOY_LOG_MISC(error, "Stream destroyed without logging."); + ENVOY_BUG(stream_info_ == nullptr, + "Stream destroyed without logging metrics available in stream info."); } else { maybeDoDeferredLog(false); } @@ -73,10 +76,13 @@ class QuicStatsGatherer : public quic::QuicAckListenerInterface { bool logging_done_ = false; uint64_t retransmitted_packets_ = 0; uint64_t retransmitted_bytes_ = 0; + absl::optional last_downstream_ack_timestamp_; const bool notify_ack_listener_before_soon_to_be_destroyed_{ GetQuicReloadableFlag(quic_notify_ack_listener_earlier) && GetQuicReloadableFlag(quic_notify_stream_soon_to_destroy)}; + const bool fix_defer_logging_miss_for_half_closed_stream_{Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream")}; }; } // namespace Quic diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 0f0d23cdd78ed..4c2cc0e26d17b 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -73,6 +73,7 @@ RUNTIME_GUARD(envoy_reloadable_features_proxy_104); RUNTIME_GUARD(envoy_reloadable_features_proxy_ssl_port); RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags); RUNTIME_GUARD(envoy_reloadable_features_quic_defer_logging_to_ack_listener); +RUNTIME_GUARD(envoy_reloadable_features_quic_fix_defer_logging_miss_for_half_closed_stream); // Ignore the automated "remove this flag" issue: we should keep this for 1 year. Confirm with // @danzh2010 or @RyanTheOptimist before removing. RUNTIME_GUARD(envoy_reloadable_features_quic_send_server_preferred_address_to_all_clients); diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 4c83251e35779..ec3ea461139dd 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -5186,9 +5186,12 @@ TEST_P(ProtocolIntegrationTest, ServerHalfCloseBeforeClientWithBufferedResponseD config_helper_.addRuntimeOverride( "envoy.reloadable_features.allow_multiplexed_upstream_half_close", "true"); config_helper_.addRuntimeOverride("envoy.reloadable_features.quic_defer_logging_to_ack_listener", - "false"); - useAccessLog("%DURATION% %REQUEST_DURATION% %REQUEST_TX_DURATION% %RESPONSE_DURATION% " - "%RESPONSE_TX_DURATION%"); + "true"); + config_helper_.addRuntimeOverride( + "envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream", "true"); + + useAccessLog("%DURATION% %ROUNDTRIP_DURATION% %REQUEST_DURATION% %REQUEST_TX_DURATION% " + "%RESPONSE_DURATION% %RESPONSE_TX_DURATION%"); constexpr uint32_t kStreamWindowSize = 64 * 1024; // Set buffer limit large enough to accommodate H/2 stream window, so we can cause downstream // codec to buffer data without pushing back on upstream. @@ -5264,15 +5267,29 @@ TEST_P(ProtocolIntegrationTest, ServerHalfCloseBeforeClientWithBufferedResponseD } } - std::string timing = waitForAccessLog(access_log_name_); + std::string log = waitForAccessLog(access_log_name_); + std::vector timings = absl::StrSplit(log, ' '); + ASSERT_EQ(timings.size(), 6); if (fake_upstreams_[0]->httpType() != Http::CodecType::HTTP1 && downstreamProtocol() != Http::CodecType::HTTP1) { - // All duration values should be present (no '-' in the access log) when neither upstream nor - // downstream is H/1 - ASSERT_FALSE(absl::StrContains(timing, '-')); + // All duration values except for ROUNDTRIP_DURATION should be present (no '-' in the access + // log) when neither upstream nor downstream is H/1 + EXPECT_GE(/* DURATION */ std::stoi(timings.at(0)), 0); + if (downstreamProtocol() == Http::CodecType::HTTP3) { + // Only H/3 populate this metric. + EXPECT_GT(/* ROUNDTRIP_DURATION */ std::stoi(timings.at(1)), 0); + } + EXPECT_GE(/* REQUEST_DURATION */ std::stoi(timings.at(2)), 0); + EXPECT_GE(/* REQUEST_TX_DURATION */ std::stoi(timings.at(3)), 0); + EXPECT_GE(/* RESPONSE_DURATION */ std::stoi(timings.at(4)), 0); + EXPECT_GE(/* RESPONSE_TX_DURATION */ std::stoi(timings.at(5)), 0); } else { // When one the peers is H/1 the stream is reset and request duration values will be unset - ASSERT_TRUE(absl::StrContains(timing, " - - ")); + EXPECT_GE(/* DURATION */ std::stoi(timings.at(0)), 0); + EXPECT_EQ(/* ROUNDTRIP_DURATION */ timings.at(1), "-"); + EXPECT_EQ(/* REQUEST_DURATION */ timings.at(2), "-"); + EXPECT_EQ(/* REQUEST_TX_DURATION */ timings.at(3), "-"); + EXPECT_GE(/* RESPONSE_DURATION */ std::stoi(timings.at(4)), 0); } } From 4276caf2210454eff74e3d494865b1cb881f8643 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Mon, 4 Aug 2025 12:43:27 -0700 Subject: [PATCH 155/505] Unify scattered header matchers into ContainsHeader (#40528) Commit Message: Unify scattered header matchers into ContainsHeader Additional Description: Across envoy there's `Http::HeaderValueOf`, `HeaderHasValue`, `HeaderHasValueRef`, `SingleHeaderValueIs` and `HasHeader` all performing the same task. The only well-named one of these is `HasHeader`, which is the smallest scoped and worst-implemented one. `HeaderHasValueRef` sounds like it's a matcher for a header, checking that it has a ValueRef, when it is in fact a matcher for a reference to a HeaderMap, checking that it contains a specified key-value pair. `HeaderValueOf` *almost* makes sense, but Value is kind of meaningless, and you have to read it like `HeaderValueOf(x, y)` means `HeaderValueOf(x) is (y)` which is not a very natural reading. `HeaderHasValue` again sounds like it's a matcher for a header, checking that it has a value, when it is in fact a matcher for a HeaderMap pointer, checking that it contains a specified key-value pair. `SingleHeaderValueIs` is kind of okay in that by specifying single it sort of implies the matcher *isn't* operating on only one header because if it was why would you say that, but ugh. Also lived in a limited namespace, twice. `HasHeader` is doing what it says on the tin but has relatively unhelpful output on failure and lived in a limited namespace. `HasNoHeader` is kind of alright but unnecessary to be its own thing, and has relatively unhelpful output on failure, and lived in a limited namespace. Replacing all of these is `ContainsHeader`, which is intuitively checking that a HeaderMap *contains* the header described by a key-value pair. Initially I also replaced `HeaderHasValue` with `PointeeContainsHeader()` but it turns out there were in fact zero uses of `HeaderHasValue`, and `Pointee(ContainsHeader())` can achieve the same thing so it's not necessary. Risk Level: May require external extensions to update their matchers. Testing: It's test-only and used in existing tests. Docs Changes: Yes, HeaderValueOf documentation has been replaced. Release Notes: Yes. Platform Specific Features: n/a --------- Signed-off-by: Raven Black --- .clang-tidy | 3 +- changelogs/current.yaml | 5 + test/README.md | 6 +- test/common/http/filter_manager_test.cc | 4 +- test/common/router/router_test.cc | 14 +- .../cache/cache_filter_integration_test.cc | 12 +- .../filters/http/cache/cache_filter_test.cc | 47 +++-- .../filters/http/cache/http_cache_test.cc | 8 +- .../filters/http/common/jwks_fetcher_test.cc | 5 +- .../connect_grpc_bridge_integration_test.cc | 16 +- .../ext_authz/ext_authz_integration_test.cc | 28 +-- .../ext_proc/ext_proc_integration_test.cc | 138 ++++++++------- .../ext_proc_http_integration_test.cc | 24 +-- test/extensions/filters/http/ext_proc/utils.h | 17 -- .../fault/fault_filter_integration_test.cc | 12 +- .../grpc_http1_bridge_integration_test.cc | 2 +- .../reverse_bridge_integration_test.cc | 32 ++-- .../reverse_bridge_test.cc | 164 ++++++++++-------- ...son_reverse_transcoder_integration_test.cc | 75 ++++---- .../local_ratelimit_integration_test.cc | 13 +- .../filters/http/lua/lua_integration_test.cc | 6 +- .../ratelimit/ratelimit_integration_test.cc | 28 +-- ...nfig_resource_detector_integration_test.cc | 4 +- test/integration/eds_integration_test.cc | 11 +- test/integration/integration_admin_test.cc | 4 +- test/integration/integration_test.cc | 24 +-- .../multiplexed_upstream_integration_test.cc | 2 +- test/integration/protocol_integration_test.cc | 18 +- .../integration/quic_http_integration_test.cc | 8 +- test/integration/redirect_integration_test.cc | 3 +- .../upstream_http_filter_integration_test.cc | 13 +- test/mocks/http/mocks.h | 25 +-- test/mocks/http/mocks_test.cc | 91 ++++------ 33 files changed, 395 insertions(+), 467 deletions(-) diff --git a/.clang-tidy b/.clang-tidy index fba82af03640d..a9f97bc6c75c4 100644 --- a/.clang-tidy +++ b/.clang-tidy @@ -71,8 +71,7 @@ CheckOptions: |^value_or$| |^Ip6(ntohl|htonl)$| |^get_$| - |^HeaderHasValue(Ref)?$| - |^HeaderValueOf$| + |^ContainsHeader$| |^Is(Superset|Subset)OfHeaders$| |^LLVMFuzzerInitialize$| |^LLVMFuzzerTestOneInput$| diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 4d0757015a826..1bd4eeab85199 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -7,6 +7,11 @@ behavior_changes: minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* +- area: testing + change: | + In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader`` and ``HeaderHasValueRef`` + must be replaced with ``ContainsHeader``. + Any uses of matcher ``HeaderHasValue(...)`` should be replaced with ``::testing::Pointee(ContainsHeader(...))``. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/test/README.md b/test/README.md index a2c9298b857b0..32ac508c37da2 100644 --- a/test/README.md +++ b/test/README.md @@ -17,7 +17,7 @@ downstream-Envoy-upstream communication. Envoy includes some custom Google Mock matchers to make test expectation statements simpler to write and easier to understand. -### HeaderValueOf +### ContainsHeader Tests that a HeaderMap argument contains exactly one header with the given key, whose value satisfies the given expectation. The expectation can be a matcher, @@ -26,13 +26,13 @@ or a string that the value should equal. Examples: ```cpp -EXPECT_THAT(response->headers(), HeaderValueOf(Headers::get().Server, "envoy")); +EXPECT_THAT(response->headers(), ContainsHeader(Headers::get().Server, "envoy")); ``` ```cpp using testing::HasSubstr; EXPECT_THAT(request->headers(), - HeaderValueOf(Headers::get().AcceptEncoding, HasSubstr("gzip"))); + ContainsHeader(Headers::get().AcceptEncoding, HasSubstr("gzip"))); ``` ### HttpStatusIs diff --git a/test/common/http/filter_manager_test.cc b/test/common/http/filter_manager_test.cc index b2af2b000d010..3bad58cd63677 100644 --- a/test/common/http/filter_manager_test.cc +++ b/test/common/http/filter_manager_test.cc @@ -180,7 +180,7 @@ TEST_F(FilterManagerTest, SendLocalReplyDuringDecodingGrpcClassiciation) { EXPECT_CALL(filter_manager_callbacks_, setResponseHeaders_(_)) .WillOnce(Invoke([](auto& response_headers) { EXPECT_THAT(response_headers, - HeaderHasValueRef(Http::Headers::get().ContentType, "application/grpc")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); })); EXPECT_CALL(filter_manager_callbacks_, resetIdleTimer()); EXPECT_CALL(filter_manager_callbacks_, encodeHeaders(_, _)); @@ -245,7 +245,7 @@ TEST_F(FilterManagerTest, SendLocalReplyDuringEncodingGrpcClassiciation) { .WillOnce(Invoke([](auto&) {})) .WillOnce(Invoke([](auto& response_headers) { EXPECT_THAT(response_headers, - HeaderHasValueRef(Http::Headers::get().ContentType, "application/grpc")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); })); EXPECT_CALL(filter_manager_callbacks_, encodeHeaders(_, _)); EXPECT_CALL(filter_manager_callbacks_, endStream()); diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index 2ebcd49eba84d..3ee798c9dba55 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -2694,7 +2694,7 @@ TEST_F(RouterTest, RetryRequestBeforeBody) { NiceMock encoder2; expectNewStreamWithImmediateEncoder(encoder2, &response_decoder, Http::Protocol::Http10); - EXPECT_CALL(encoder2, encodeHeaders(HeaderHasValueRef("myheader", "present"), false)); + EXPECT_CALL(encoder2, encodeHeaders(ContainsHeader("myheader", "present"), false)); router_->retry_state_->callback_(); EXPECT_EQ(2U, callbacks_.route_->virtual_host_->virtual_cluster_.stats().upstream_rq_total_.value()); @@ -2747,7 +2747,7 @@ TEST_F(RouterTest, RetryRequestDuringBody) { NiceMock encoder2; expectNewStreamWithImmediateEncoder(encoder2, &response_decoder, Http::Protocol::Http10); - EXPECT_CALL(encoder2, encodeHeaders(HeaderHasValueRef("myheader", "present"), false)); + EXPECT_CALL(encoder2, encodeHeaders(ContainsHeader("myheader", "present"), false)); EXPECT_CALL(encoder2, encodeData(BufferStringEqual(body1), false)); router_->retry_state_->callback_(); EXPECT_EQ(2U, @@ -2805,7 +2805,7 @@ TEST_F(RouterTest, RetryRequestDuringBodyDataBetweenAttemptsNotEndStream) { NiceMock encoder2; expectNewStreamWithImmediateEncoder(encoder2, &response_decoder, Http::Protocol::Http10); - EXPECT_CALL(encoder2, encodeHeaders(HeaderHasValueRef("myheader", "present"), false)); + EXPECT_CALL(encoder2, encodeHeaders(ContainsHeader("myheader", "present"), false)); EXPECT_CALL(encoder2, encodeData(BufferStringEqual(body1 + body2), false)); router_->retry_state_->callback_(); EXPECT_EQ(2U, @@ -2888,7 +2888,7 @@ TEST_F(RouterTest, RetryRequestDuringBodyCompleteBetweenAttempts) { NiceMock encoder2; expectNewStreamWithImmediateEncoder(encoder2, &response_decoder, Http::Protocol::Http10); - EXPECT_CALL(encoder2, encodeHeaders(HeaderHasValueRef("myheader", "present"), false)); + EXPECT_CALL(encoder2, encodeHeaders(ContainsHeader("myheader", "present"), false)); EXPECT_CALL(encoder2, encodeData(BufferStringEqual(body1 + body2), true)); router_->retry_state_->callback_(); EXPECT_EQ(2U, @@ -2938,7 +2938,7 @@ TEST_F(RouterTest, RetryRequestDuringBodyTrailerBetweenAttempts) { NiceMock encoder2; expectNewStreamWithImmediateEncoder(encoder2, &response_decoder, Http::Protocol::Http10); - EXPECT_CALL(encoder2, encodeHeaders(HeaderHasValueRef("myheader", "present"), false)); + EXPECT_CALL(encoder2, encodeHeaders(ContainsHeader("myheader", "present"), false)); EXPECT_CALL(encoder2, encodeData(BufferStringEqual(body1), false)); EXPECT_CALL(encoder2, encodeTrailers(HeaderMapEqualRef(&trailers))); router_->retry_state_->callback_(); @@ -4930,8 +4930,8 @@ TEST_P(RouterShadowingTest, StreamingShadow) { Http::TestRequestTrailerMapImpl trailers{{"some", "trailer"}}; EXPECT_CALL(callbacks_, decodingBuffer()).Times(0); - EXPECT_CALL(foo_request, captureAndSendTrailers_(Http::HeaderValueOf("some", "trailer"))); - EXPECT_CALL(fizz_request, captureAndSendTrailers_(Http::HeaderValueOf("some", "trailer"))); + EXPECT_CALL(foo_request, captureAndSendTrailers_(ContainsHeader("some", "trailer"))); + EXPECT_CALL(fizz_request, captureAndSendTrailers_(ContainsHeader("some", "trailer"))); router_->decodeTrailers(trailers); EXPECT_EQ(1U, callbacks_.route_->virtual_host_->virtual_cluster_.stats().upstream_rq_total_.value()); diff --git a/test/extensions/filters/http/cache/cache_filter_integration_test.cc b/test/extensions/filters/http/cache/cache_filter_integration_test.cc index 34e318bdd4ccd..35873ec3c1553 100644 --- a/test/extensions/filters/http/cache/cache_filter_integration_test.cc +++ b/test/extensions/filters/http/cache/cache_filter_integration_test.cc @@ -150,8 +150,7 @@ TEST_P(CacheIntegrationTest, MissInsertHit) { sendHeaderOnlyRequestAwaitResponse(request_headers, serveFromCache()); EXPECT_THAT(response_decoder->headers(), IsSupersetOfHeaders(response_headers)); EXPECT_EQ(response_decoder->body(), response_body); - EXPECT_THAT(response_decoder->headers(), - HeaderHasValueRef(Http::CustomHeaders::get().Age, "10")); + EXPECT_THAT(response_decoder->headers(), ContainsHeader(Http::CustomHeaders::get().Age, "10")); // Advance time to force a log flush. simTime().advanceTimeWait(Seconds(1)); EXPECT_THAT(waitForAccessLog(access_log_name_, 1), @@ -222,8 +221,7 @@ TEST_P(CacheIntegrationTest, ExpiredValidated) { { IntegrationStreamDecoderPtr response_decoder = sendHeaderOnlyRequestAwaitResponse(request_headers, serveFromCache()); - EXPECT_THAT(response_decoder->headers(), - HeaderHasValueRef(Http::CustomHeaders::get().Age, "1")); + EXPECT_THAT(response_decoder->headers(), ContainsHeader(Http::CustomHeaders::get().Age, "1")); // Advance time to force a log flush. simTime().advanceTimeWait(Seconds(1)); @@ -355,8 +353,7 @@ TEST_P(CacheIntegrationTest, GetRequestWithResponseTrailers) { IntegrationStreamDecoderPtr response_decoder = sendHeaderOnlyRequestAwaitResponse(request_headers, serveFromCache()); EXPECT_THAT(response_decoder->headers(), IsSupersetOfHeaders(response_headers)); - EXPECT_THAT(response_decoder->headers(), - HeaderHasValueRef(Http::CustomHeaders::get().Age, "10")); + EXPECT_THAT(response_decoder->headers(), ContainsHeader(Http::CustomHeaders::get().Age, "10")); EXPECT_EQ(response_decoder->body(), response_body); ASSERT_TRUE(response_decoder->trailers() != nullptr); simTime().advanceTimeWait(Seconds(1)); @@ -434,8 +431,7 @@ TEST_P(CacheIntegrationTest, ServeHeadFromCacheAfterGetRequest) { sendHeaderOnlyRequestAwaitResponse(request_headers, serveFromCache()); EXPECT_THAT(response_decoder->headers(), IsSupersetOfHeaders(response_headers)); EXPECT_EQ(response_decoder->body().size(), 0); - EXPECT_THAT(response_decoder->headers(), - HeaderHasValueRef(Http::CustomHeaders::get().Age, "10")); + EXPECT_THAT(response_decoder->headers(), ContainsHeader(Http::CustomHeaders::get().Age, "10")); // Advance time to force a log flush. simTime().advanceTimeWait(Seconds(1)); EXPECT_THAT(waitForAccessLog(access_log_name_, 1), diff --git a/test/extensions/filters/http/cache/cache_filter_test.cc b/test/extensions/filters/http/cache/cache_filter_test.cc index fad814b0f575e..9b76553dc6e86 100644 --- a/test/extensions/filters/http/cache/cache_filter_test.cc +++ b/test/extensions/filters/http/cache/cache_filter_test.cc @@ -223,11 +223,10 @@ class CacheFilterTest : public ::testing::Test { void testDecodeRequestHitNoBody(CacheFilterSharedPtr filter) { // The filter should encode cached headers. - EXPECT_CALL( - decoder_callbacks_, - encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), - HeaderHasValueRef(Http::CustomHeaders::get().Age, age)), - true)); + EXPECT_CALL(decoder_callbacks_, + encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), + ContainsHeader(Http::CustomHeaders::get().Age, age)), + true)); // The filter should not encode any data as the response has no body. EXPECT_CALL(decoder_callbacks_, encodeData).Times(0); @@ -250,11 +249,10 @@ class CacheFilterTest : public ::testing::Test { void testDecodeRequestHitWithBody(CacheFilterSharedPtr filter, std::string body) { // The filter should encode cached headers. - EXPECT_CALL( - decoder_callbacks_, - encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), - HeaderHasValueRef(Http::CustomHeaders::get().Age, age)), - false)); + EXPECT_CALL(decoder_callbacks_, + encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), + ContainsHeader(Http::CustomHeaders::get().Age, age)), + false)); // The filter should encode cached data. EXPECT_CALL( @@ -1101,7 +1099,7 @@ TEST_F(CacheFilterTest, UnsuccessfulValidation) { receiveUpstreamBody(1, new_body, true); // The response headers should have the new status. - EXPECT_THAT(response_headers_, HeaderHasValueRef(Http::Headers::get().Status, "204")); + EXPECT_THAT(response_headers_, ContainsHeader(Http::Headers::get().Status, "204")); // The filter should not encode any data. EXPECT_CALL(encoder_callbacks_, addEncodedData).Times(0); @@ -1136,11 +1134,10 @@ TEST_F(CacheFilterTest, SingleSatisfiableRange) { CacheFilterSharedPtr filter = makeFilter(simple_cache_); // Decode request 2 header - EXPECT_CALL( - decoder_callbacks_, - encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), - HeaderHasValueRef(Http::CustomHeaders::get().Age, age)), - false)); + EXPECT_CALL(decoder_callbacks_, + encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), + ContainsHeader(Http::CustomHeaders::get().Age, age)), + false)); EXPECT_CALL( decoder_callbacks_, @@ -1177,11 +1174,10 @@ TEST_F(CacheFilterTest, MultipleSatisfiableRanges) { CacheFilterSharedPtr filter = makeFilter(simple_cache_); // Decode request 2 header - EXPECT_CALL( - decoder_callbacks_, - encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), - HeaderHasValueRef(Http::CustomHeaders::get().Age, age)), - false)); + EXPECT_CALL(decoder_callbacks_, + encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), + ContainsHeader(Http::CustomHeaders::get().Age, age)), + false)); EXPECT_CALL( decoder_callbacks_, @@ -1220,11 +1216,10 @@ TEST_F(CacheFilterTest, NotSatisfiableRange) { CacheFilterSharedPtr filter = makeFilter(simple_cache_); // Decode request 2 header - EXPECT_CALL( - decoder_callbacks_, - encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), - HeaderHasValueRef(Http::CustomHeaders::get().Age, age)), - true)); + EXPECT_CALL(decoder_callbacks_, + encodeHeaders_(testing::AllOf(IsSupersetOfHeaders(response_headers_), + ContainsHeader(Http::CustomHeaders::get().Age, age)), + true)); // 416 response should not have a body, so we don't expect a call to encodeData EXPECT_CALL(decoder_callbacks_, diff --git a/test/extensions/filters/http/cache/http_cache_test.cc b/test/extensions/filters/http/cache/http_cache_test.cc index 13de60b4011c2..bf2cb09db7389 100644 --- a/test/extensions/filters/http/cache/http_cache_test.cc +++ b/test/extensions/filters/http/cache/http_cache_test.cc @@ -199,7 +199,7 @@ TEST_P(LookupRequestTest, ResultWithoutBodyMatchesExpectation) { ASSERT_TRUE(lookup_response.headers_); EXPECT_THAT(*lookup_response.headers_, Http::IsSupersetOfHeaders(response_headers)); EXPECT_THAT(*lookup_response.headers_, - HeaderHasValueRef(Http::CustomHeaders::get().Age, GetParam().expected_age)); + ContainsHeader(Http::CustomHeaders::get().Age, GetParam().expected_age)); EXPECT_EQ(lookup_response.content_length_, 0); } @@ -217,7 +217,7 @@ TEST_P(LookupRequestTest, ResultWithUnknownContentLengthMatchesExpectation) { ASSERT_TRUE(lookup_response.headers_); EXPECT_THAT(*lookup_response.headers_, Http::IsSupersetOfHeaders(response_headers)); EXPECT_THAT(*lookup_response.headers_, - HeaderHasValueRef(Http::CustomHeaders::get().Age, GetParam().expected_age)); + ContainsHeader(Http::CustomHeaders::get().Age, GetParam().expected_age)); EXPECT_FALSE(lookup_response.content_length_.has_value()); } @@ -237,7 +237,7 @@ TEST_P(LookupRequestTest, ResultWithBodyMatchesExpectation) { ASSERT_TRUE(lookup_response.headers_); EXPECT_THAT(*lookup_response.headers_, Http::IsSupersetOfHeaders(response_headers)); EXPECT_THAT(*lookup_response.headers_, - HeaderHasValueRef(Http::CustomHeaders::get().Age, GetParam().expected_age)); + ContainsHeader(Http::CustomHeaders::get().Age, GetParam().expected_age)); EXPECT_EQ(lookup_response.content_length_, content_length); } @@ -357,7 +357,7 @@ TEST_P(LookupRequestTest, ResultWithBodyAndTrailersMatchesExpectation) { EXPECT_THAT(*lookup_response.headers_, Http::IsSupersetOfHeaders(response_headers)); // Age is populated in LookupRequest::makeLookupResult, which is called in makeLookupResult. EXPECT_THAT(*lookup_response.headers_, - HeaderHasValueRef(Http::CustomHeaders::get().Age, GetParam().expected_age)); + ContainsHeader(Http::CustomHeaders::get().Age, GetParam().expected_age)); EXPECT_EQ(lookup_response.content_length_, content_length); } diff --git a/test/extensions/filters/http/common/jwks_fetcher_test.cc b/test/extensions/filters/http/common/jwks_fetcher_test.cc index 0209c5cc7631a..51eca1bbdde31 100644 --- a/test/extensions/filters/http/common/jwks_fetcher_test.cc +++ b/test/extensions/filters/http/common/jwks_fetcher_test.cc @@ -330,8 +330,7 @@ TEST_F(JwksFetcherTest, TestSchemeHeaderHttps) { .WillOnce(testing::Invoke( [](Http::RequestMessagePtr& message, Http::AsyncClient::Callbacks&, const Http::AsyncClient::RequestOptions&) -> Http::AsyncClient::Request* { - EXPECT_THAT(message->headers(), - HeaderHasValueRef(Http::Headers::get().Scheme, "https")); + EXPECT_THAT(message->headers(), ContainsHeader(Http::Headers::get().Scheme, "https")); return nullptr; })); @@ -356,7 +355,7 @@ TEST_F(JwksFetcherTest, TestSchemeHeaderHttp) { .WillOnce(testing::Invoke( [](Http::RequestMessagePtr& message, Http::AsyncClient::Callbacks&, const Http::AsyncClient::RequestOptions&) -> Http::AsyncClient::Request* { - EXPECT_THAT(message->headers(), HeaderHasValueRef(Http::Headers::get().Scheme, "http")); + EXPECT_THAT(message->headers(), ContainsHeader(Http::Headers::get().Scheme, "http")); return nullptr; })); diff --git a/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_integration_test.cc b/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_integration_test.cc index 8e0f5fbae602a..1a434d4deb3ec 100644 --- a/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_integration_test.cc +++ b/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_integration_test.cc @@ -100,11 +100,11 @@ TEST_P(ConnectIntegrationTest, ConnectFilterUnaryRequestE2E) { EXPECT_THAT(grpc_request, ProtoEq(connect_request)); EXPECT_THAT(upstream_request_->headers(), - HeaderHasValueRef(Http::Headers::get().ContentType, "application/grpc+proto")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc+proto")); EXPECT_THAT(upstream_request_->headers(), - HeaderHasValueRef(Http::Headers::get().Path, "/Service/Method")); + ContainsHeader(Http::Headers::get().Path, "/Service/Method")); EXPECT_THAT(upstream_request_->headers(), - HeaderHasValueRef(Http::CustomHeaders::get().GrpcTimeout, "10000m")); + ContainsHeader(Http::CustomHeaders::get().GrpcTimeout, "10000m")); helloworld::HelloReply grpc_response; grpc_response.set_message("success"); @@ -119,7 +119,7 @@ TEST_P(ConnectIntegrationTest, ConnectFilterUnaryRequestE2E) { EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), Http::HttpStatusIs("200")); EXPECT_THAT(response->headers(), - HeaderHasValueRef(Http::Headers::get().ContentType, "application/proto")); + ContainsHeader(Http::Headers::get().ContentType, "application/proto")); helloworld::HelloReply connect_response; ASSERT_TRUE(connect_response.ParseFromString(response->body())); @@ -150,11 +150,11 @@ TEST_P(ConnectIntegrationTest, ConnectFilterStreamingRequestE2E) { EXPECT_THAT(grpc_request, ProtoEq(connect_request)); EXPECT_THAT(upstream_request_->headers(), - HeaderHasValueRef(Http::Headers::get().ContentType, "application/grpc+proto")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc+proto")); EXPECT_THAT(upstream_request_->headers(), - HeaderHasValueRef(Http::Headers::get().Path, "/Service/Method")); + ContainsHeader(Http::Headers::get().Path, "/Service/Method")); EXPECT_THAT(upstream_request_->headers(), - HeaderHasValueRef(Http::CustomHeaders::get().GrpcTimeout, "10000m")); + ContainsHeader(Http::CustomHeaders::get().GrpcTimeout, "10000m")); helloworld::HelloReply grpc_response; grpc_response.set_message("success"); @@ -170,7 +170,7 @@ TEST_P(ConnectIntegrationTest, ConnectFilterStreamingRequestE2E) { EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), Http::HttpStatusIs("200")); EXPECT_THAT(response->headers(), - HeaderHasValueRef(Http::Headers::get().ContentType, "application/connect+proto")); + ContainsHeader(Http::Headers::get().ContentType, "application/connect+proto")); Buffer::OwnedImpl response_body{response->body()}; ASSERT_THAT(response_body.length(), testing::Gt(5)); diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index 82aeac4ddd807..8e73a5808f38c 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -380,17 +380,17 @@ class ExtAuthzGrpcIntegrationTest if (opts.failure_mode_allowed_header) { EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf("x-envoy-auth-failure-mode-allowed", "true")); + ContainsHeader("x-envoy-auth-failure-mode-allowed", "true")); } // Check that ext_authz didn't remove this downstream header which should be immune to // mutations. EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf("disallow-mutation-downstream-req", - "authz resp cannot set or append to this header")); + ContainsHeader("disallow-mutation-downstream-req", + "authz resp cannot set or append to this header")); for (const auto& header_to_add : opts.headers_to_add) { EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(header_to_add.first, header_to_add.second)); + ContainsHeader(header_to_add.first, header_to_add.second)); // For headers_to_add (with append = false), the original request headers have no "-replaced" // suffix, but the ones from the authorization server have it. EXPECT_TRUE(absl::EndsWith(header_to_add.second, "-replaced")); @@ -403,7 +403,7 @@ class ExtAuthzGrpcIntegrationTest // header is existed in the original request headers). EXPECT_THAT( upstream_request_->headers(), - Http::HeaderValueOf( + ContainsHeader( header_to_append.first, // In this test, the keys and values of the original request headers have the same // string value. Hence for "header2" key, the value is "header2,header2-appended". @@ -430,7 +430,7 @@ class ExtAuthzGrpcIntegrationTest // headers_to_append_multiple has append = false for the first entry of multiple entries, and // append = true for the rest entries. EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf("multiple", "multiple-first,multiple-second")); + ContainsHeader("multiple", "multiple-first,multiple-second")); } for (const auto& header_to_remove : opts.headers_to_remove) { @@ -746,11 +746,11 @@ class ExtAuthzHttpIntegrationTest result = ext_authz_request_->waitForEndStream(*dispatcher_); RELEASE_ASSERT(result, result.message()); - EXPECT_THAT(ext_authz_request_->headers(), Http::HeaderValueOf("allowed-prefix-one", "one")); - EXPECT_THAT(ext_authz_request_->headers(), Http::HeaderValueOf("allowed-prefix-two", "two")); - EXPECT_THAT(ext_authz_request_->headers(), Http::HeaderValueOf("authorization", "legit")); - EXPECT_THAT(ext_authz_request_->headers(), Http::HeaderValueOf("regex-food", "food")); - EXPECT_THAT(ext_authz_request_->headers(), Http::HeaderValueOf("regex-fool", "fool")); + EXPECT_THAT(ext_authz_request_->headers(), ContainsHeader("allowed-prefix-one", "one")); + EXPECT_THAT(ext_authz_request_->headers(), ContainsHeader("allowed-prefix-two", "two")); + EXPECT_THAT(ext_authz_request_->headers(), ContainsHeader("authorization", "legit")); + EXPECT_THAT(ext_authz_request_->headers(), ContainsHeader("regex-food", "food")); + EXPECT_THAT(ext_authz_request_->headers(), ContainsHeader("regex-fool", "fool")); EXPECT_TRUE(ext_authz_request_->headers() .get(Http::LowerCaseString(std::string("not-allowed"))) @@ -859,7 +859,7 @@ class ExtAuthzHttpIntegrationTest // The original client request header value of "baz" is "foo". Since we configure to "override" // the value of "baz", we expect the request headers to be sent to upstream contain only one // "baz" with value "baz" (set by the authorization server). - EXPECT_THAT(upstream_request_->headers(), Http::HeaderValueOf("baz", "baz")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("baz", "baz")); // The original client request header value of "bat" is "foo". Since we configure to "append" // the value of "bat", we expect the request headers to be sent to upstream contain two "bat"s, @@ -1428,7 +1428,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DefaultCaseSensitiveStringMatcher) { // Verifies that "X-Forwarded-For" header is unmodified. TEST_P(ExtAuthzHttpIntegrationTest, UnmodifiedForwardedForHeader) { setup(false); - EXPECT_THAT(ext_authz_request_->headers(), Http::HeaderValueOf("x-forwarded-for", "1.2.3.4")); + EXPECT_THAT(ext_authz_request_->headers(), ContainsHeader("x-forwarded-for", "1.2.3.4")); } // Verifies that by default HTTP service uses the case-sensitive string matcher @@ -1548,7 +1548,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, TimeoutFailOpen) { RELEASE_ASSERT(result, result.message()); EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf("x-envoy-auth-failure-mode-allowed", "true")); + ContainsHeader("x-envoy-auth-failure-mode-allowed", "true")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response_->waitForEndStream()); diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 3409ee5b23b39..0c156feb3bde1 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -53,14 +53,14 @@ using envoy::service::ext_proc::v3::ProcessingResponse; using envoy::service::ext_proc::v3::ProtocolConfiguration; using envoy::service::ext_proc::v3::TrailersResponse; using Extensions::HttpFilters::ExternalProcessing::DEFAULT_DEFERRED_CLOSE_TIMEOUT_MS; -using Extensions::HttpFilters::ExternalProcessing::HasNoHeader; using Extensions::HttpFilters::ExternalProcessing::HeaderProtosEqual; using Extensions::HttpFilters::ExternalProcessing::makeHeaderValue; using Extensions::HttpFilters::ExternalProcessing::OnProcessingResponseFactory; -using Extensions::HttpFilters::ExternalProcessing::SingleHeaderValueIs; using Extensions::HttpFilters::ExternalProcessing::TestOnProcessingResponseFactory; using Http::LowerCaseString; using test::integration::filters::LoggingTestFilterConfig; +using testing::_; +using testing::Not; using namespace std::chrono_literals; @@ -360,8 +360,8 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, void verifyChunkedEncoding(const Http::RequestOrResponseHeaderMap& headers) { EXPECT_EQ(headers.ContentLength(), nullptr); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().TransferEncoding, - Http::Headers::get().TransferEncodingValues.Chunked)); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().TransferEncoding, + Http::Headers::get().TransferEncodingValues.Chunked)); } void handleUpstreamRequestWithTrailer() { @@ -1234,7 +1234,7 @@ TEST_P(ExtProcIntegrationTest, OnlyRequestHeadersResetOnServerMessage) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); EXPECT_EQ(upstream_request_->bodyLength(), 4); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1277,7 +1277,7 @@ TEST_P(ExtProcIntegrationTest, OnlyRequestHeadersGracefulClose) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); EXPECT_EQ(upstream_request_->bodyLength(), 4); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1326,7 +1326,7 @@ TEST_P(ExtProcIntegrationTest, OnlyRequestHeadersServerHalfClosesFirst) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); EXPECT_EQ(upstream_request_->bodyLength(), 4); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1399,8 +1399,8 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeaders) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-remove-this")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-remove-this", _))); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1487,7 +1487,7 @@ TEST_P(ExtProcIntegrationTest, SetHostHeaderRoutingSucceeded) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); // Host header is updated when `allow_all_routing` mutation rule is true. - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":authority", "new_host")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(":authority", "new_host")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1592,12 +1592,12 @@ TEST_P(ExtProcIntegrationTest, GetAndSetPathHeader) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); // Path header is updated. - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":path", "/mutated_path/bluh")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(":path", "/mutated_path/bluh")); // Routing headers are not updated by ext_proc when `allow_all_routing` mutation rule is false // (default value). - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":scheme", "http")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":authority", "host")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":method", "GET")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(":scheme", "http")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(":authority", "host")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(":method", "GET")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1634,7 +1634,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersWithLogging) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1684,7 +1684,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersNonUtf8WithValueInString) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-bad-utf8")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-bad-utf8", _))); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -1746,9 +1746,9 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersNonUtf8WithValueInBytes) { ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-bad-utf8")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-bad-utf8", _))); EXPECT_THAT(upstream_request_->headers(), - SingleHeaderValueIs("x-new-utf8", "valid_prefix\303(valid_suffix")); + ContainsHeader("x-new-utf8", "valid_prefix\303(valid_suffix")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); verifyDownstreamResponse(*response, 200); } @@ -1971,7 +1971,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersOnResponse) { }); verifyDownstreamResponse(*response, 201); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-response-processed", "1")); + EXPECT_THAT(response->headers(), ContainsHeader("x-response-processed", "1")); // Verify that the response processor added headers to dynamic metadata verifyMultipleHeaderValues( response->headers(), @@ -2006,7 +2006,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersOnResponseBadStatus) { // Invalid status code should be ignored, but the other header mutation // should still have been processed. verifyDownstreamResponse(*response, 200); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-response-processed", "1")); + EXPECT_THAT(response->headers(), ContainsHeader("x-response-processed", "1")); } // Test the filter using the default configuration by connecting to @@ -2041,7 +2041,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersOnResponseTwoStatuses) { // Invalid status code should be ignored, but the other header mutation // should still have been processed. verifyDownstreamResponse(*response, 201); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-response-processed", "1")); + EXPECT_THAT(response->headers(), ContainsHeader("x-response-processed", "1")); } // Test the filter using the default configuration by connecting to @@ -2072,11 +2072,10 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersAndTrailersOnResponse) { verifyDownstreamResponse(*response, 200); ASSERT_TRUE(response->trailers()); - EXPECT_THAT(*(response->trailers()), SingleHeaderValueIs("x-test-trailers", "Yes")); - EXPECT_THAT(*(response->trailers()), SingleHeaderValueIs("x-modified-trailers", "xxx")); - EXPECT_THAT( - response->headers(), - SingleHeaderValueIs("envoy-test-ext_proc-response_trailers_response", "x-modified-trailers")); + EXPECT_THAT(*(response->trailers()), ContainsHeader("x-test-trailers", "Yes")); + EXPECT_THAT(*(response->trailers()), ContainsHeader("x-modified-trailers", "xxx")); + EXPECT_THAT(response->headers(), ContainsHeader("envoy-test-ext_proc-response_trailers_response", + "x-modified-trailers")); } // Test the filter using the default configuration by connecting to @@ -2131,8 +2130,8 @@ TEST_P(ExtProcIntegrationTest, GetAndSetOnlyTrailersOnResponse) { verifyDownstreamResponse(*response, 200); ASSERT_TRUE(response->trailers()); - EXPECT_THAT(*(response->trailers()), SingleHeaderValueIs("x-test-trailers", "Yes")); - EXPECT_THAT(*(response->trailers()), SingleHeaderValueIs("x-modified-trailers", "xxx")); + EXPECT_THAT(*(response->trailers()), ContainsHeader("x-test-trailers", "Yes")); + EXPECT_THAT(*(response->trailers()), ContainsHeader("x-modified-trailers", "xxx")); } // Test the filter with a response body callback enabled using an @@ -2173,13 +2172,12 @@ TEST_P(ExtProcIntegrationTest, GetAndSetBodyAndHeadersOnResponse) { }); verifyDownstreamResponse(*response, 200); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-testing-response-header", "Yes")); + EXPECT_THAT(response->headers(), ContainsHeader("x-testing-response-header", "Yes")); // Verify that the content length header in the response is set by external processor, EXPECT_EQ(response->headers().getContentLengthValue(), "13"); EXPECT_EQ("Hello, World!", response->body()); - EXPECT_THAT( - response->headers(), - SingleHeaderValueIs("envoy-test-ext_proc-response_headers_response", "content-length")); + EXPECT_THAT(response->headers(), + ContainsHeader("envoy-test-ext_proc-response_headers_response", "content-length")); } TEST_P(ExtProcIntegrationTest, GetAndSetBodyOnResponse) { @@ -2238,7 +2236,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetBodyAndHeadersOnResponsePartialBuffered) verifyDownstreamResponse(*response, 200); // Verify that the content length header is removed in BUFFERED_PARTIAL BodySendMode. EXPECT_EQ(response->headers().ContentLength(), nullptr); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-testing-response-header", "Yes")); + EXPECT_THAT(response->headers(), ContainsHeader("x-testing-response-header", "Yes")); } // Test the filter with a response body callback enabled using an @@ -2275,8 +2273,8 @@ TEST_P(ExtProcIntegrationTest, GetAndSetBodyAndHeadersAndTrailersOnResponse) { verifyDownstreamResponse(*response, 200); ASSERT_TRUE(response->trailers()); - EXPECT_THAT(*(response->trailers()), SingleHeaderValueIs("x-test-trailers", "Yes")); - EXPECT_THAT(*(response->trailers()), SingleHeaderValueIs("x-modified-trailers", "xxx")); + EXPECT_THAT(*(response->trailers()), ContainsHeader("x-test-trailers", "Yes")); + EXPECT_THAT(*(response->trailers()), ContainsHeader("x-modified-trailers", "xxx")); } // Test the filter using a configuration that sends response headers and trailers, @@ -2338,7 +2336,7 @@ TEST_P(ExtProcIntegrationTest, GetAndSetBodyAndHeadersOnBigResponse) { }); verifyDownstreamResponse(*response, 200); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-testing-response-header", "Yes")); + EXPECT_THAT(response->headers(), ContainsHeader("x-testing-response-header", "Yes")); } // Test the filter with both body callbacks enabled and have the @@ -2409,7 +2407,7 @@ TEST_P(ExtProcIntegrationTest, ProcessingModeResponseOnly) { }); verifyDownstreamResponse(*response, 200); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-response-processed", "1")); + EXPECT_THAT(response->headers(), ContainsHeader("x-response-processed", "1")); } // Test the filter using the default configuration by connecting to @@ -2440,8 +2438,8 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediately) { EXPECT_TRUE(processor_stream_->waitForReset()); verifyDownstreamResponse(*response, 401); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-failure-reason", "testing")); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("content-type", "application/json")); + EXPECT_THAT(response->headers(), ContainsHeader("x-failure-reason", "testing")); + EXPECT_THAT(response->headers(), ContainsHeader("content-type", "application/json")); EXPECT_EQ("{\"reason\": \"Not authorized\"}", response->body()); } @@ -2474,8 +2472,8 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyGracefulClose) { processor_stream_->finishGrpcStream(Grpc::Status::Ok); verifyDownstreamResponse(*response, 401); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-failure-reason", "testing")); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("content-type", "application/json")); + EXPECT_THAT(response->headers(), ContainsHeader("x-failure-reason", "testing")); + EXPECT_THAT(response->headers(), ContainsHeader("content-type", "application/json")); EXPECT_EQ("{\"reason\": \"Not authorized\"}", response->body()); if (IsEnvoyGrpc()) { // There should be no resets @@ -2511,8 +2509,8 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyGracefulCloseNoServerTrai // However server fails to send trailers verifyDownstreamResponse(*response, 401); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-failure-reason", "testing")); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("content-type", "application/json")); + EXPECT_THAT(response->headers(), ContainsHeader("x-failure-reason", "testing")); + EXPECT_THAT(response->headers(), ContainsHeader("content-type", "application/json")); EXPECT_EQ("{\"reason\": \"Not authorized\"}", response->body()); // Since the server did not send trailers, gRPC client will reset the stream after remote close @@ -2542,8 +2540,8 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyWithLogging) { }); verifyDownstreamResponse(*response, 401); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-failure-reason", "testing")); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("content-type", "application/json")); + EXPECT_THAT(response->headers(), ContainsHeader("x-failure-reason", "testing")); + EXPECT_THAT(response->headers(), ContainsHeader("content-type", "application/json")); EXPECT_EQ("{\"reason\": \"Not authorized\"}", response->body()); } @@ -2610,9 +2608,9 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyOnStreamedRequestBody) { verifyDownstreamResponse(*response, 400); EXPECT_EQ("{\"reason\": \"Request too evil\"}", response->body()); // The previously added request header is not sent to the client. - EXPECT_THAT(response->headers(), HasNoHeader("foo")); + EXPECT_THAT(response->headers(), Not(ContainsHeader("foo", _))); EXPECT_THAT(response->headers(), - SingleHeaderValueIs("envoy-test-ext_proc-request_headers_response", "foo")); + ContainsHeader("envoy-test-ext_proc-request_headers_response", "foo")); } // Test immediate_response behavior with STREAMED response body. @@ -2644,7 +2642,7 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyOnStreamedResponseBody) { verifyDownstreamResponse(*response, 400); EXPECT_EQ("{\"reason\": \"Response too evil\"}", response->body()); // The previously added response header is not sent to the client. - EXPECT_THAT(response->headers(), HasNoHeader("foo")); + EXPECT_THAT(response->headers(), Not(ContainsHeader("foo", _))); } // Test the filter with request body buffering enabled using @@ -2806,7 +2804,7 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyWithSystemHeaderMutation) }); verifyDownstreamResponse(*response, 401); // The added system header is not sent to the client. - EXPECT_THAT(response->headers(), HasNoHeader(":foo")); + EXPECT_THAT(response->headers(), Not(ContainsHeader(":foo", _))); } // Test the filter using an ext_proc server that responds to the request_header message @@ -2826,7 +2824,7 @@ TEST_P(ExtProcIntegrationTest, GetAndRespondImmediatelyWithEnvoyHeaderMutation) hdr->mutable_header()->set_raw_value("bar"); }); verifyDownstreamResponse(*response, 401); - EXPECT_THAT(response->headers(), HasNoHeader("x-envoy-foo")); + EXPECT_THAT(response->headers(), Not(ContainsHeader("x-envoy-foo", _))); } TEST_P(ExtProcIntegrationTest, GetAndImmediateRespondMutationAllowEnvoy) { @@ -2849,8 +2847,8 @@ TEST_P(ExtProcIntegrationTest, GetAndImmediateRespondMutationAllowEnvoy) { }); verifyDownstreamResponse(*response, 401); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("host", "test")); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-envoy-foo", "bar")); + EXPECT_THAT(response->headers(), ContainsHeader("host", "test")); + EXPECT_THAT(response->headers(), ContainsHeader("x-envoy-foo", "bar")); } // Test the filter with request body buffering enabled using @@ -2926,8 +2924,8 @@ TEST_P(ExtProcIntegrationTest, ConvertGetToPost) { handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":method", "POST")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("content-type", "text/plain")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(":method", "POST")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("content-type", "text/plain")); EXPECT_EQ(upstream_request_->bodyLength(), 14); EXPECT_EQ(upstream_request_->body().toString(), "Hello, Server!"); @@ -3567,7 +3565,7 @@ TEST_P(ExtProcIntegrationTest, PerRouteGrpcService) { return true; }); verifyDownstreamResponse(*response, 201); - EXPECT_THAT(response->headers(), SingleHeaderValueIs("x-response-processed", "1")); + EXPECT_THAT(response->headers(), ContainsHeader("x-response-processed", "1")); } // Set up per-route configuration that extends original metadata. @@ -3646,8 +3644,8 @@ TEST_P(ExtProcIntegrationTest, RequestAndResponseMessageNewTimeoutWithHeaderMuta ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-remove-this")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-remove-this", _))); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -4449,7 +4447,7 @@ TEST_P(ExtProcIntegrationTest, SendAndReceiveDynamicMetadataObservabilityMode) { ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(response->complete()); // No headers from dynamic metadata response as the response is ignored in observability mode. - EXPECT_THAT(response->headers(), HasNoHeader(Http::LowerCaseString("receiving_ns_untyped.foo"))); + EXPECT_THAT(response->headers(), Not(ContainsHeader("receiving_ns_untyped.foo", _))); verifyDownstreamResponse(*response, 200); } @@ -4595,8 +4593,8 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeadersUpstream) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-remove-this")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-remove-this", _))); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -4773,7 +4771,7 @@ TEST_P(ExtProcIntegrationTest, ObservabilityModeWithHeader) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); // Header mutation response has been ignored. - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-remove-this")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-remove-this", _))); Http::TestResponseHeaderMapImpl response_headers = Http::TestResponseHeaderMapImpl{{":status", "200"}}; @@ -4884,7 +4882,7 @@ TEST_P(ExtProcIntegrationTest, ObservabilityModeWithTrailer) { }); verifyDownstreamResponse(*response, 200); - EXPECT_THAT(*(response->trailers()), HasNoHeader("x-modified-trailers")); + EXPECT_THAT(*(response->trailers()), Not(ContainsHeader("x-modified-trailers", _))); timeSystem().advanceTimeWaitImpl(std::chrono::milliseconds(DEFAULT_DEFERRED_CLOSE_TIMEOUT_MS)); } @@ -5332,8 +5330,8 @@ TEST_P(ExtProcIntegrationTest, SendBodyBeforeHeaderRespStreamedBasicTest) { ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-remove-this")); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-remove-this", _))); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), "replaced body"); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); upstream_request_->encodeData(100, true); @@ -5442,7 +5440,7 @@ TEST_P(ExtProcIntegrationTest, ServerWaitForBodyBeforeSendsHeaderRespStreamedTes } handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); verifyDownstreamResponse(*response, 200); } @@ -5518,7 +5516,7 @@ TEST_P(ExtProcIntegrationTest, ServerWaitForBodyBeforeSendsHeaderRespDuplexStrea serverSendBodyRespDuplexStreamed(total_resp_body_msg); handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); verifyDownstreamResponse(*response, 200); } @@ -5605,7 +5603,7 @@ TEST_P(ExtProcIntegrationTest, serverSendTrailerRespDuplexStreamed(); handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); verifyDownstreamResponse(*response, 200); } @@ -5685,7 +5683,7 @@ TEST_P(ExtProcIntegrationTest, ServerSendBodyRespWithouRecvEntireBodyDuplexStrea serverSendTrailerRespDuplexStreamed(); handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); verifyDownstreamResponse(*response, 200); } @@ -5706,7 +5704,7 @@ TEST_P(ExtProcIntegrationTest, DuplexStreamedInBothDirection) { serverSendBodyRespDuplexStreamed(total_resp_body_msg); handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); // The ext_proc server receives the responses from backend server. @@ -5785,7 +5783,7 @@ TEST_P(ExtProcIntegrationTest, DuplexStreamedServerResponseWithSynthesizedTraile serverSendTrailerRespDuplexStreamed(); handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); EXPECT_EQ(upstream_request_->trailers(), nullptr); verifyDownstreamResponse(*response, 200); diff --git a/test/extensions/filters/http/ext_proc/http_client/ext_proc_http_integration_test.cc b/test/extensions/filters/http/ext_proc/http_client/ext_proc_http_integration_test.cc index 4636a0166609b..0871751683866 100644 --- a/test/extensions/filters/http/ext_proc/http_client/ext_proc_http_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/http_client/ext_proc_http_integration_test.cc @@ -31,10 +31,11 @@ using envoy::service::ext_proc::v3::HttpTrailers; using envoy::service::ext_proc::v3::ProcessingRequest; using envoy::service::ext_proc::v3::ProcessingResponse; using envoy::service::ext_proc::v3::TrailersResponse; -using Extensions::HttpFilters::ExternalProcessing::HasHeader; -using Extensions::HttpFilters::ExternalProcessing::HasNoHeader; using Extensions::HttpFilters::ExternalProcessing::HeaderProtosEqual; -using Extensions::HttpFilters::ExternalProcessing::SingleHeaderValueIs; + +using ::testing::_; +using ::testing::AllOf; +using ::testing::Not; using Http::LowerCaseString; @@ -178,9 +179,8 @@ class ExtProcHttpClientIntegrationTest : public testing::TestWithParamwaitForNewStream(*dispatcher_, processor_stream_)); ASSERT_TRUE(processor_stream_->waitForEndStream(*dispatcher_)); EXPECT_THAT(processor_stream_->headers(), - SingleHeaderValueIs("content-type", "application/json")); - EXPECT_THAT(processor_stream_->headers(), SingleHeaderValueIs(":method", "POST")); - EXPECT_THAT(processor_stream_->headers(), HasHeader("x-request-id")); + AllOf(ContainsHeader("content-type", "application/json"), + ContainsHeader(":method", "POST"), ContainsHeader("x-request-id", _))); } void sendHttpResponse(ProcessingResponse& response) { @@ -312,7 +312,7 @@ TEST_P(ExtProcHttpClientIntegrationTest, ServerNoRequestHeaderMutation) { // The request is sent to the upstream. handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("foo", "yes")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("foo", "yes")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); verifyDownstreamResponse(*response, 200); @@ -329,7 +329,7 @@ TEST_P(ExtProcHttpClientIntegrationTest, ServerNoResponseHeaderMutation) { // The request is sent to the upstream. handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("foo", "yes")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("foo", "yes")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); processResponseHeadersMessage(http_side_upstreams_[0], true, absl::nullopt); verifyDownstreamResponse(*response, 200); @@ -361,8 +361,8 @@ TEST_P(ExtProcHttpClientIntegrationTest, GetAndSetHeadersWithMutation) { // The request is sent to the upstream. handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); - EXPECT_THAT(upstream_request_->headers(), HasNoHeader("x-remove-this")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("x-remove-this", "_"))); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); verifyDownstreamResponse(*response, 200); @@ -472,7 +472,7 @@ TEST_P(ExtProcHttpClientIntegrationTest, SentHeadersInBothDirection) { // The request is sent to the upstream. handleUpstreamRequestWithTrailer(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), "foo"); processResponseHeadersMessage(http_side_upstreams_[0], false, absl::nullopt); @@ -523,7 +523,7 @@ TEST_P(ExtProcHttpClientIntegrationTest, StatsTestOnSuccess) { // The request is sent to the upstream. handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("foo", "yes")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("foo", "yes")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); verifyDownstreamResponse(*response, 200); diff --git a/test/extensions/filters/http/ext_proc/utils.h b/test/extensions/filters/http/ext_proc/utils.h index a0bf78e78b6ed..330a063bf830b 100644 --- a/test/extensions/filters/http/ext_proc/utils.h +++ b/test/extensions/filters/http/ext_proc/utils.h @@ -33,23 +33,6 @@ MATCHER_P(HeaderProtosEqual, expected, "HTTP header protos match") { return ExtProcTestUtility::headerProtosEqualIgnoreOrder(expected, arg); } -MATCHER_P(HasNoHeader, key, absl::StrFormat("Headers have no value for \"%s\"", key)) { - return arg.get(::Envoy::Http::LowerCaseString(std::string(key))).empty(); -} - -MATCHER_P(HasHeader, key, absl::StrFormat("There exists a header for \"%s\"", key)) { - return !arg.get(::Envoy::Http::LowerCaseString(std::string(key))).empty(); -} - -MATCHER_P2(SingleHeaderValueIs, key, value, - absl::StrFormat("Header \"%s\" equals \"%s\"", key, value)) { - const auto hdr = arg.get(::Envoy::Http::LowerCaseString(std::string(key))); - if (hdr.size() != 1) { - return false; - } - return hdr[0]->value() == value; -} - template inline void verifyMultipleHeaderValues(const Envoy::Http::HeaderMap& headers, Envoy::Http::LowerCaseString const& key, Args... values) { diff --git a/test/extensions/filters/http/fault/fault_filter_integration_test.cc b/test/extensions/filters/http/fault/fault_filter_integration_test.cc index a43df1d668ad8..3ea5f7efa64fb 100644 --- a/test/extensions/filters/http/fault/fault_filter_integration_test.cc +++ b/test/extensions/filters/http/fault/fault_filter_integration_test.cc @@ -329,10 +329,10 @@ TEST_P(FaultIntegrationTestAllProtocols, HeaderFaultAbortGrpcConfig) { EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), Envoy::Http::HttpStatusIs("200")); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "5")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().GrpcStatus, "5")); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().GrpcMessage, "fault filter abort")); + ContainsHeader(Http::Headers::get().GrpcMessage, "fault filter abort")); EXPECT_EQ(nullptr, response->trailers()); EXPECT_EQ(1UL, test_server_->counter("http.config_test.fault.aborts_injected")->value()); @@ -380,10 +380,10 @@ TEST_P(FaultIntegrationTestAllProtocols, FaultAbortGrpcConfig) { EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), Envoy::Http::HttpStatusIs("200")); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "5")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().GrpcStatus, "5")); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().GrpcMessage, "fault filter abort")); + ContainsHeader(Http::Headers::get().GrpcMessage, "fault filter abort")); EXPECT_EQ(nullptr, response->trailers()); EXPECT_EQ(1UL, test_server_->counter("http.config_test.fault.aborts_injected")->value()); diff --git a/test/extensions/filters/http/grpc_http1_bridge/grpc_http1_bridge_integration_test.cc b/test/extensions/filters/http/grpc_http1_bridge/grpc_http1_bridge_integration_test.cc index f8721b0c3121e..a9e4d470c7139 100644 --- a/test/extensions/filters/http/grpc_http1_bridge/grpc_http1_bridge_integration_test.cc +++ b/test/extensions/filters/http/grpc_http1_bridge/grpc_http1_bridge_integration_test.cc @@ -42,7 +42,7 @@ TEST_P(GrpcIntegrationTest, HittingGrpcFilterLimitBufferingHeaders) { EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), Http::HttpStatusIs("200")); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().GrpcStatus, "2")); // Unknown gRPC error + ContainsHeader(Http::Headers::get().GrpcStatus, "2")); // Unknown gRPC error } INSTANTIATE_TEST_SUITE_P(IpVersions, GrpcIntegrationTest, diff --git a/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_integration_test.cc b/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_integration_test.cc index a1ce6eaf34a85..4f1c988f9307c 100644 --- a/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_integration_test.cc +++ b/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_integration_test.cc @@ -12,8 +12,6 @@ #include "fmt/printf.h" #include "gtest/gtest.h" -using Envoy::Http::HeaderValueOf; - // for ::operator""s (which Windows compiler does not support): using namespace std::string_literals; @@ -87,7 +85,7 @@ TEST_P(ReverseBridgeIntegrationTest, DisabledRoute) { // Ensure that we don't do anything EXPECT_EQ("abcdef", upstream_request_->body().toString()); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); // Respond to the request. Http::TestResponseHeaderMapImpl response_headers; @@ -107,8 +105,8 @@ TEST_P(ReverseBridgeIntegrationTest, DisabledRoute) { EXPECT_EQ(response->body(), response_data.toString()); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -138,9 +136,9 @@ TEST_P(ReverseBridgeIntegrationTest, EnabledRoute) { EXPECT_EQ("f", upstream_request_->body().toString()); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); // Respond to the request. Http::TestResponseHeaderMapImpl response_headers; @@ -165,8 +163,8 @@ TEST_P(ReverseBridgeIntegrationTest, EnabledRoute) { EXPECT_TRUE( std::equal(response->body().begin(), response->body().begin() + 5, expected_prefix.begin())); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -195,8 +193,8 @@ TEST_P(ReverseBridgeIntegrationTest, EnabledRouteBadContentType) { // The response should indicate an error. EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "2")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().GrpcStatus, "2")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -229,9 +227,9 @@ TEST_P(ReverseBridgeIntegrationTest, EnabledRouteStreamResponse) { EXPECT_EQ("f", upstream_request_->body().toString()); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); // Respond to the request. Http::TestResponseHeaderMapImpl response_headers; @@ -265,8 +263,8 @@ TEST_P(ReverseBridgeIntegrationTest, EnabledRouteStreamResponse) { EXPECT_TRUE( std::equal(response->body().begin(), response->body().begin() + 5, expected_prefix.begin())); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -298,9 +296,9 @@ TEST_P(ReverseBridgeIntegrationTest, EnabledRouteStreamWithholdResponse) { EXPECT_EQ("f", upstream_request_->body().toString()); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); // Respond to the request. Http::TestResponseHeaderMapImpl response_headers; diff --git a/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_test.cc b/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_test.cc index f3b5f36c90b17..613804ca609dd 100644 --- a/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_test.cc +++ b/test/extensions/filters/http/grpc_http1_reverse_bridge/reverse_bridge_test.cc @@ -18,7 +18,6 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" -using Envoy::Http::HeaderValueOf; using testing::_; using testing::ReturnRef; @@ -57,10 +56,11 @@ TEST_F(ReverseBridgeTest, InvalidGrpcRequest) { {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -69,11 +69,11 @@ TEST_F(ReverseBridgeTest, InvalidGrpcRequest) { buffer.add("abc", 3); EXPECT_CALL(decoder_callbacks_, sendLocalReply(_, _, _, _, _)); EXPECT_CALL(decoder_callbacks_, encodeHeaders_(_, _)).WillOnce(Invoke([](auto& headers, auto) { - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().Status, "200")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().GrpcStatus, "2")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().Status, "200")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().GrpcStatus, "2")); EXPECT_THAT(headers, - HeaderValueOf(Http::Headers::get().GrpcMessage, - Http::Utility::PercentEncoding::encode("invalid request body"))); + ContainsHeader(Http::Headers::get().GrpcMessage, + Http::Utility::PercentEncoding::encode("invalid request body"))); })); EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, filter_->decodeData(buffer, false)); EXPECT_EQ(decoder_callbacks_.details(), "grpc_bridge_data_too_small"); @@ -92,8 +92,8 @@ TEST_F(ReverseBridgeTest, HeaderOnlyGrpcRequest) { EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, true)); // Verify that headers are unmodified. - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "25")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "25")); } // Verify no modification on encoding path as well. @@ -101,8 +101,8 @@ TEST_F(ReverseBridgeTest, HeaderOnlyGrpcRequest) { {{"content-type", "application/grpc"}, {"content-length", "20"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, true)); // Ensure we didn't mutate content type or length. - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); // We should not drain the buffer, nor stop iteration. Envoy::Buffer::OwnedImpl buffer; @@ -121,8 +121,8 @@ TEST_F(ReverseBridgeTest, NoGrpcRequest) { {{"content-type", "application/json"}, {"content-length", "10"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); // Ensure we didn't mutate content type or length. - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/json")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "10")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/json")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "10")); } { @@ -140,8 +140,8 @@ TEST_F(ReverseBridgeTest, NoGrpcRequest) { {{"content-type", "application/json"}, {"content-length", "20"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); // Ensure we didn't mutate content type or length. - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/json")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/json")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); } Envoy::Buffer::OwnedImpl buffer; @@ -154,8 +154,8 @@ TEST_F(ReverseBridgeTest, NoGrpcRequest) { {{"content-type", "application/grpc"}, {"content-length", "20"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, true)); // Ensure we didn't mutate content type or length. - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); } // Verifies that if we receive a gRPC request but have configured the filter to not handle the gRPC @@ -172,10 +172,11 @@ TEST_F(ReverseBridgeTest, GrpcRequestNoManageFrameHeader) { {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "25")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "25")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -195,8 +196,8 @@ TEST_F(ReverseBridgeTest, GrpcRequestNoManageFrameHeader) { Http::TestResponseHeaderMapImpl headers( {{":status", "200"}, {"content-length", "30"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "30")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "30")); { // We should not drain the buffer, nor stop iteration. @@ -215,7 +216,7 @@ TEST_F(ReverseBridgeTest, GrpcRequestNoManageFrameHeader) { buffer.add("ghj", 3); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->encodeData(buffer, true)); EXPECT_EQ(3, buffer.length()); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); } } @@ -233,10 +234,11 @@ TEST_F(ReverseBridgeTest, GrpcRequest) { {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -263,8 +265,8 @@ TEST_F(ReverseBridgeTest, GrpcRequest) { Http::TestResponseHeaderMapImpl headers( {{":status", "200"}, {"content-length", "30"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "35")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "35")); { // First few calls should drain the buffer @@ -289,7 +291,7 @@ TEST_F(ReverseBridgeTest, GrpcRequest) { buffer.add("ghj", 4); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->encodeData(buffer, true)); EXPECT_EQ(17, buffer.length()); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); Grpc::Decoder decoder; std::vector frames; @@ -314,9 +316,10 @@ TEST_F(ReverseBridgeTest, GrpcRequestNoContentLength) { {{"content-type", "application/grpc"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); // Ensure that we don't insert a content-length header. EXPECT_EQ(nullptr, headers.ContentLength()); } @@ -345,7 +348,7 @@ TEST_F(ReverseBridgeTest, GrpcRequestNoContentLength) { Http::TestResponseHeaderMapImpl headers( {{":status", "200"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); // Ensure that we don't insert a content-length header. EXPECT_EQ(nullptr, headers.ContentLength()); @@ -372,7 +375,7 @@ TEST_F(ReverseBridgeTest, GrpcRequestNoContentLength) { buffer.add("ghj", 4); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->encodeData(buffer, true)); EXPECT_EQ(17, buffer.length()); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); Grpc::Decoder decoder; std::vector frames; @@ -398,10 +401,11 @@ TEST_F(ReverseBridgeTest, GrpcRequestHeaderOnlyResponse) { {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -434,8 +438,8 @@ TEST_F(ReverseBridgeTest, GrpcRequestHeaderOnlyResponse) { Http::TestResponseHeaderMapImpl headers( {{":status", "200"}, {"content-length", "0"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, true)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "5")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "5")); } // Tests that a gRPC is downgraded to application/x-protobuf and upgraded back @@ -451,9 +455,10 @@ TEST_F(ReverseBridgeTest, GrpcRequestInternalError) { Http::TestRequestHeaderMapImpl headers( {{"content-type", "application/grpc"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -480,8 +485,8 @@ TEST_F(ReverseBridgeTest, GrpcRequestInternalError) { Http::TestResponseHeaderMapImpl headers( {{":status", "400"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().Status, "200")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().Status, "200")); { // First few calls should drain the buffer @@ -505,7 +510,7 @@ TEST_F(ReverseBridgeTest, GrpcRequestInternalError) { Envoy::Buffer::OwnedImpl buffer; buffer.add("ghj", 4); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->encodeData(buffer, true)); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "13")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "13")); Grpc::Decoder decoder; std::vector frames; @@ -528,9 +533,10 @@ TEST_F(ReverseBridgeTest, GrpcRequestBadResponseNoContentType) { Http::TestRequestHeaderMapImpl headers( {{"content-type", "application/grpc"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -575,9 +581,10 @@ TEST_F(ReverseBridgeTest, GrpcRequestBadResponse) { Http::TestRequestHeaderMapImpl headers( {{"content-type", "application/grpc"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -634,10 +641,10 @@ TEST_F(ReverseBridgeTest, FilterConfigPerRouteDisabled) { EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); // Verify that headers are unmodified. - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "25")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "25")); EXPECT_THAT(headers, - HeaderValueOf(Http::Headers::get().Path, "/testing.ExampleService/SendData")); + ContainsHeader(Http::Headers::get().Path, "/testing.ExampleService/SendData")); } // Tests that a gRPC is downgraded to application/x-protobuf and upgraded back @@ -662,10 +669,11 @@ TEST_F(ReverseBridgeTest, FilterConfigPerRouteEnabled) { {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -692,8 +700,8 @@ TEST_F(ReverseBridgeTest, FilterConfigPerRouteEnabled) { Http::TestResponseHeaderMapImpl headers( {{":status", "200"}, {"content-length", "30"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "35")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "35")); { // First few calls should drain the buffer @@ -718,7 +726,7 @@ TEST_F(ReverseBridgeTest, FilterConfigPerRouteEnabled) { buffer.add("ghj", 4); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->encodeData(buffer, true)); EXPECT_EQ(17, buffer.length()); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); Grpc::Decoder decoder; std::vector frames; @@ -748,10 +756,11 @@ TEST_F(ReverseBridgeTest, RouteWithTrailers) { {"content-length", "25"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -770,8 +779,8 @@ TEST_F(ReverseBridgeTest, RouteWithTrailers) { Http::TestResponseHeaderMapImpl headers( {{":status", "200"}, {"content-length", "30"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "35")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "35")); { // First few calls should drain the buffer @@ -795,7 +804,7 @@ TEST_F(ReverseBridgeTest, RouteWithTrailers) { .WillOnce(Invoke([&](Envoy::Buffer::Instance& buf, bool) -> void { buffer.move(buf); })); Http::TestResponseTrailerMapImpl trailers({{"foo", "bar"}, {"one", "two"}, {"three", "four"}}); EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->encodeTrailers(trailers)); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); Grpc::Decoder decoder; std::vector frames; @@ -821,10 +830,11 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponse) { {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "20")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "20")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -854,8 +864,8 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponse) { {"custom-content-length", "8"}, {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "13")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "13")); { // The response data should be streamed to the client instead of buffered. Additionally, the @@ -875,7 +885,7 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponse) { buffer.add("ghj", 4); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->encodeData(buffer, true)); EXPECT_EQ(4, buffer.length()); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); } } @@ -891,9 +901,10 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponseNoContentLength) { Http::TestRequestHeaderMapImpl headers( {{"content-type", "application/grpc"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -938,9 +949,10 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponseWrongContentLength) { Http::TestRequestHeaderMapImpl headers( {{"content-type", "application/grpc"}, {":path", "/testing.ExampleService/SendData"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/x-protobuf")); EXPECT_THAT(headers, - HeaderValueOf(Http::CustomHeaders::get().Accept, "application/x-protobuf")); + ContainsHeader(Http::Headers::get().ContentType, "application/x-protobuf")); + EXPECT_THAT(headers, + ContainsHeader(Http::CustomHeaders::get().Accept, "application/x-protobuf")); } { @@ -970,8 +982,8 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponseWrongContentLength) { {"content-type", "application/x-protobuf"}}); EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentType, "application/grpc")); - EXPECT_THAT(headers, HeaderValueOf(Http::Headers::get().ContentLength, "35")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentType, "application/grpc")); + EXPECT_THAT(headers, ContainsHeader(Http::Headers::get().ContentLength, "35")); { // The response data should be streamed to the client instead of buffered. Additionally, the @@ -996,7 +1008,7 @@ TEST_F(ReverseBridgeTest, WithholdGrpcStreamResponseWrongContentLength) { absl::make_optional(static_cast(Grpc::Status::Internal)), _)); EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, filter_->encodeData(buffer, true)); EXPECT_EQ(4, buffer.length()); - EXPECT_THAT(trailers, HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(trailers, ContainsHeader(Http::Headers::get().GrpcStatus, "0")); } } } // namespace diff --git a/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc b/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc index 1558258ab5526..16f0848294085 100644 --- a/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc +++ b/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc @@ -99,14 +99,14 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, SimpleRequest) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); std::string expected_request = "{\"author\":\"John Doe\",\"id\":\"123\",\"title\":\"Kids book\"}"; + EXPECT_THAT(upstream_request_->headers(), + ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Json)); EXPECT_THAT( upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, Http::Headers::get().ContentTypeValues.Json)); - EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().ContentLength, - std::to_string(expected_request.size()))); + ContainsHeader(Http::Headers::get().ContentLength, std::to_string(expected_request.size()))); EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().Path, "/shelves/12345/books/123")); + ContainsHeader(Http::Headers::get().Path, "/shelves/12345/books/123")); EXPECT_EQ(upstream_request_->body().toString(), expected_request); Http::TestResponseHeaderMapImpl response_headers; @@ -124,8 +124,8 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, SimpleRequest) { ASSERT_TRUE(response->waitForEndStream()); EXPECT_TRUE(response->complete()); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().ContentType, - Http::Headers::get().ContentTypeValues.Grpc)); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Grpc)); bookstore::Book expected_book; expected_book.set_id(123); @@ -143,7 +143,7 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, SimpleRequest) { EXPECT_TRUE(MessageDifferencer::Equals(expected_book, book)); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -176,14 +176,13 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, HttpBodyRequestResponse) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT( - upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, Http::Headers::get().ContentTypeValues.Text)); - EXPECT_THAT( - upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().ContentLength, std::to_string(request_str.size()))); EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().Path, "/echoRawBody")); + ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Text)); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Http::Headers::get().ContentLength, + std::to_string(request_str.size()))); + EXPECT_THAT(upstream_request_->headers(), + ContainsHeader(Http::Headers::get().Path, "/echoRawBody")); EXPECT_EQ(upstream_request_->body().toString(), request_str); Http::TestResponseHeaderMapImpl response_headers; @@ -202,8 +201,8 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, HttpBodyRequestResponse) { ASSERT_TRUE(response->waitForEndStream()); EXPECT_TRUE(response->complete()); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().ContentType, - Http::Headers::get().ContentTypeValues.Grpc)); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Grpc)); google::api::HttpBody expected_res; expected_res.set_content_type(Http::Headers::get().ContentTypeValues.Html); @@ -219,7 +218,7 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, HttpBodyRequestResponse) { EXPECT_TRUE(MessageDifferencer::Equals(expected_res, transcoded_res)); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -261,13 +260,13 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, NestedHttpBodyRequest) { ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - EXPECT_THAT( - upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().ContentType, Http::Headers::get().ContentTypeValues.Json)); - EXPECT_THAT(upstream_request_->headers(), Http::HeaderValueOf(Http::Headers::get().ContentLength, - std::to_string(book_str.size()))); EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().Path, "/v2/shelves/12345/books")); + ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Json)); + EXPECT_THAT(upstream_request_->headers(), + ContainsHeader(Http::Headers::get().ContentLength, std::to_string(book_str.size()))); + EXPECT_THAT(upstream_request_->headers(), + ContainsHeader(Http::Headers::get().Path, "/v2/shelves/12345/books")); EXPECT_EQ(upstream_request_->body().toString(), book_str); Http::TestResponseHeaderMapImpl response_headers; @@ -286,8 +285,8 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, NestedHttpBodyRequest) { ASSERT_TRUE(response->waitForEndStream()); EXPECT_TRUE(response->complete()); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().ContentType, - Http::Headers::get().ContentTypeValues.Grpc)); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Grpc)); google::api::HttpBody expected_res; expected_res.set_content_type(Http::Headers::get().ContentTypeValues.Html); @@ -303,7 +302,7 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, NestedHttpBodyRequest) { EXPECT_TRUE(MessageDifferencer::Equals(expected_res, transcoded_res)); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -337,10 +336,10 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, RequestWithQueryParams) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().Method, Http::Headers::get().MethodValues.Get)); + ContainsHeader(Http::Headers::get().Method, Http::Headers::get().MethodValues.Get)); EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().Path, - "/shelves/12345/books:unary?author=567&theme=Science%20Fiction")); + ContainsHeader(Http::Headers::get().Path, + "/shelves/12345/books:unary?author=567&theme=Science%20Fiction")); Http::TestResponseHeaderMapImpl response_headers; response_headers.setStatus(200); @@ -359,8 +358,8 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, RequestWithQueryParams) { ASSERT_TRUE(response->waitForEndStream()); EXPECT_TRUE(response->complete()); - EXPECT_THAT(response->headers(), HeaderValueOf(Http::Headers::get().ContentType, - Http::Headers::get().ContentTypeValues.Grpc)); + EXPECT_THAT(response->headers(), ContainsHeader(Http::Headers::get().ContentType, + Http::Headers::get().ContentTypeValues.Grpc)); bookstore::ListBooksResponse expected_res; auto* book = expected_res.add_books(); @@ -378,7 +377,7 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, RequestWithQueryParams) { EXPECT_TRUE(MessageDifferencer::Equals(expected_res, transcoded_res)); - EXPECT_THAT(*response->trailers(), HeaderValueOf(Http::Headers::get().GrpcStatus, "0")); + EXPECT_THAT(*response->trailers(), ContainsHeader(Http::Headers::get().GrpcStatus, "0")); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); @@ -410,9 +409,9 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, ErrorFromBackend) { ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); EXPECT_THAT(upstream_request_->headers(), - HeaderValueOf(Http::Headers::get().Method, Http::Headers::get().MethodValues.Put)); + ContainsHeader(Http::Headers::get().Method, Http::Headers::get().MethodValues.Put)); EXPECT_THAT(upstream_request_->headers(), - Http::HeaderValueOf(Http::Headers::get().Path, "/shelves/12345/books")); + ContainsHeader(Http::Headers::get().Path, "/shelves/12345/books")); Http::TestResponseHeaderMapImpl response_headers; response_headers.setStatus(400); @@ -431,10 +430,10 @@ TEST_P(GrpcJsonReverseTranscoderIntegrationTest, ErrorFromBackend) { ASSERT_TRUE(response->trailers()); EXPECT_THAT(*response->trailers(), - Http::HeaderValueOf(Http::Headers::get().GrpcStatus, - std::to_string(Grpc::Status::WellKnownGrpcStatus::Internal))); + ContainsHeader(Http::Headers::get().GrpcStatus, + std::to_string(Grpc::Status::WellKnownGrpcStatus::Internal))); EXPECT_THAT(*response->trailers(), - Http::HeaderValueOf(Http::Headers::get().GrpcMessage, response_str)); + ContainsHeader(Http::Headers::get().GrpcMessage, response_str)); codec_client_->close(); ASSERT_TRUE(fake_upstream_connection_->close()); diff --git a/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc b/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc index 0a88798f24131..39a257ed0fd28 100644 --- a/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc +++ b/test/extensions/filters/http/local_ratelimit/local_ratelimit_integration_test.cc @@ -171,17 +171,16 @@ class LocalRateLimitFilterIntegrationTest : public Event::TestUsingSimulatedTime EXPECT_EQ(expected_body_size, response->body().size()); EXPECT_THAT( response->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitLimit, expected_limit)); + EXPECT_THAT(response->headers(), + ContainsHeader(Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get() + .XRateLimitRemaining, + expected_remaining)); EXPECT_THAT( response->headers(), - Http::HeaderValueOf(Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get() - .XRateLimitRemaining, - expected_remaining)); - EXPECT_THAT( - response->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitReset, expected_reset)); } diff --git a/test/extensions/filters/http/lua/lua_integration_test.cc b/test/extensions/filters/http/lua/lua_integration_test.cc index 78bb2a53174bf..13b6ee8c8dfc0 100644 --- a/test/extensions/filters/http/lua/lua_integration_test.cc +++ b/test/extensions/filters/http/lua/lua_integration_test.cc @@ -11,8 +11,6 @@ #include "gtest/gtest.h" -using Envoy::Http::HeaderValueOf; - namespace Envoy { namespace { @@ -789,8 +787,8 @@ name: envoy.filters.http.lua ASSERT_TRUE(fake_lua_connection_->waitForNewStream(*dispatcher_, lua_request_)); ASSERT_TRUE(lua_request_->waitForEndStream(*dispatcher_)); // Sanity checking that we sent the expected data. - EXPECT_THAT(lua_request_->headers(), HeaderValueOf(Http::Headers::get().Method, "POST")); - EXPECT_THAT(lua_request_->headers(), HeaderValueOf(Http::Headers::get().Path, "/")); + EXPECT_THAT(lua_request_->headers(), ContainsHeader(Http::Headers::get().Method, "POST")); + EXPECT_THAT(lua_request_->headers(), ContainsHeader(Http::Headers::get().Path, "/")); waitForNextUpstreamRequest(); diff --git a/test/extensions/filters/http/ratelimit/ratelimit_integration_test.cc b/test/extensions/filters/http/ratelimit/ratelimit_integration_test.cc index 5b84f13822385..41e303ae23f08 100644 --- a/test/extensions/filters/http/ratelimit/ratelimit_integration_test.cc +++ b/test/extensions/filters/http/ratelimit/ratelimit_integration_test.cc @@ -286,8 +286,8 @@ TEST_P(RatelimitIntegrationTest, OverLimit) { waitForFailedUpstreamResponse(429, 0); EXPECT_THAT(responses_[0].get()->headers(), - Http::HeaderValueOf(Http::Headers::get().EnvoyRateLimited, - Http::Headers::get().EnvoyRateLimitedValues.True)); + ContainsHeader(Http::Headers::get().EnvoyRateLimited, + Http::Headers::get().EnvoyRateLimitedValues.True)); cleanup(); @@ -313,8 +313,8 @@ TEST_P(RatelimitIntegrationTest, OverLimitWithHeaders) { }); EXPECT_THAT(responses_[0].get()->headers(), - Http::HeaderValueOf(Http::Headers::get().EnvoyRateLimited, - Http::Headers::get().EnvoyRateLimitedValues.True)); + ContainsHeader(Http::Headers::get().EnvoyRateLimited, + Http::Headers::get().EnvoyRateLimitedValues.True)); cleanup(); @@ -412,17 +412,17 @@ TEST_P(RatelimitFilterHeadersEnabledIntegrationTest, OkWithFilterHeaders) { EXPECT_THAT( responses_[0].get()->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitLimit, "1, 1;w=60;name=\"first\", 4;w=3600;name=\"second\"")); EXPECT_THAT( responses_[0].get()->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitRemaining, "2")); EXPECT_THAT( responses_[0].get()->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitReset, "3")); @@ -449,17 +449,17 @@ TEST_P(RatelimitFilterHeadersEnabledIntegrationTest, OverLimitWithFilterHeaders) EXPECT_THAT( responses_[0].get()->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitLimit, "1, 1;w=60;name=\"first\", 4;w=3600;name=\"second\"")); EXPECT_THAT( responses_[0].get()->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitRemaining, "2")); EXPECT_THAT( responses_[0].get()->headers(), - Http::HeaderValueOf( + ContainsHeader( Extensions::HttpFilters::Common::RateLimit::XRateLimitHeaders::get().XRateLimitReset, "3")); @@ -479,7 +479,7 @@ TEST_P(RatelimitFilterEnvoyRatelimitedHeaderDisabledIntegrationTest, waitForFailedUpstreamResponse(429, 0); EXPECT_THAT(responses_[0].get()->headers(), - ::testing::Not(Http::HeaderValueOf(Http::Headers::get().EnvoyRateLimited, _))); + ::testing::Not(ContainsHeader(Http::Headers::get().EnvoyRateLimited, _))); cleanup(); @@ -526,10 +526,10 @@ TEST_P(RatelimitIntegrationTest, OverLimitResponseHeadersToAdd) { waitForFailedUpstreamResponse(429, 0); EXPECT_THAT(responses_[0].get()->headers(), - Http::HeaderValueOf(Http::Headers::get().EnvoyRateLimited, - Http::Headers::get().EnvoyRateLimitedValues.True)); + ContainsHeader(Http::Headers::get().EnvoyRateLimited, + Http::Headers::get().EnvoyRateLimitedValues.True)); EXPECT_THAT(responses_[0].get()->headers(), - Http::HeaderValueOf("x-global-ratelimit-service", "rate_limit_service")); + ContainsHeader("x-global-ratelimit-service", "rate_limit_service")); cleanup(); EXPECT_EQ(nullptr, test_server_->counter("cluster.cluster_0.ratelimit.ok")); diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_integration_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_integration_test.cc index 1380e1bd27187..cdbc8fea07fd5 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_integration_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/static/static_config_resource_detector_integration_test.cc @@ -114,9 +114,9 @@ TEST_P(StaticConfigResourceDetectorIntegrationTest, TestResourceAttributeSet) { ASSERT_TRUE(backend_request_->waitForEndStream(*dispatcher_)); // Sanity checking that we sent the expected data. - EXPECT_THAT(backend_request_->headers(), HeaderValueOf(Http::Headers::get().Method, "POST")); + EXPECT_THAT(backend_request_->headers(), ContainsHeader(Http::Headers::get().Method, "POST")); EXPECT_THAT(backend_request_->headers(), - HeaderValueOf(Http::Headers::get().Path, "/api/v2/traces")); + ContainsHeader(Http::Headers::get().Path, "/api/v2/traces")); backend_request_->encodeHeaders(default_response_headers_, true /*end_stream*/); diff --git a/test/integration/eds_integration_test.cc b/test/integration/eds_integration_test.cc index 4458b00694b61..ecda792d408f5 100644 --- a/test/integration/eds_integration_test.cc +++ b/test/integration/eds_integration_test.cc @@ -17,15 +17,6 @@ namespace Envoy { namespace { -MATCHER_P2(SingleHeaderValueIs, key, value, - absl::StrFormat("Header \"%s\" equals \"%s\"", key, value)) { - const auto hdr = arg.get(::Envoy::Http::LowerCaseString(std::string(key))); - if (hdr.size() != 1) { - return false; - } - return hdr[0]->value() == value; -} - void validateClusters(const Upstream::ClusterManager::ClusterInfoMap& active_cluster_map, const std::string& cluster, size_t expected_active_clusters, size_t hosts_expected, size_t healthy_hosts, size_t degraded_hosts) { @@ -235,7 +226,7 @@ class EdsIntegrationTest EXPECT_EQ(status, response->headers().getStatusValue()); if (numerator == 100) { EXPECT_THAT(response->headers(), - SingleHeaderValueIs("x-envoy-unconditional-drop-overload", "true")); + ContainsHeader("x-envoy-unconditional-drop-overload", "true")); } cleanupUpstreamAndDownstream(); } diff --git a/test/integration/integration_admin_test.cc b/test/integration/integration_admin_test.cc index 290ad989645e2..b86ba24ba68d0 100644 --- a/test/integration/integration_admin_test.cc +++ b/test/integration/integration_admin_test.cc @@ -53,13 +53,13 @@ TEST_P(IntegrationAdminTest, AdminLogging) { EXPECT_EQ("200", request("admin", "POST", "/logging", response)); EXPECT_EQ("text/plain; charset=UTF-8", contentType(response)); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().XContentTypeOptions, "nosniff")); + ContainsHeader(Http::Headers::get().XContentTypeOptions, "nosniff")); // Bad level EXPECT_EQ("400", request("admin", "POST", "/logging?level=blah", response)); EXPECT_EQ("text/plain; charset=UTF-8", contentType(response)); EXPECT_THAT(response->headers(), - HeaderValueOf(Http::Headers::get().XContentTypeOptions, "nosniff")); + ContainsHeader(Http::Headers::get().XContentTypeOptions, "nosniff")); EXPECT_THAT(response->body(), HasSubstr("error: unknown logger level\n")); // Bad logger diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc index aaa4e6a5582f9..7ad6ea4cf36cc 100644 --- a/test/integration/integration_test.cc +++ b/test/integration/integration_test.cc @@ -28,7 +28,6 @@ #include "gtest/gtest.h" using Envoy::Http::Headers; -using Envoy::Http::HeaderValueOf; using Envoy::Http::HttpStatusIs; using testing::Combine; using testing::ContainsRegex; @@ -408,7 +407,7 @@ TEST_P(IntegrationTest, ConnectionCloseHeader) { EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), HttpStatusIs("200")); - EXPECT_THAT(response->headers(), HeaderValueOf(Headers::get().Connection, "close")); + EXPECT_THAT(response->headers(), ContainsHeader(Headers::get().Connection, "close")); EXPECT_EQ(codec_client_->lastConnectionEvent(), Network::ConnectionEvent::RemoteClose); } @@ -1633,8 +1632,8 @@ TEST_P(IntegrationTest, TestHead) { EXPECT_THAT(response->headers(), HttpStatusIs("200")); EXPECT_EQ(response->headers().ContentLength(), nullptr); EXPECT_THAT(response->headers(), - HeaderValueOf(Headers::get().TransferEncoding, - Http::Headers::get().TransferEncodingValues.Chunked)); + ContainsHeader(Headers::get().TransferEncoding, + Http::Headers::get().TransferEncodingValues.Chunked)); EXPECT_EQ(0, response->body().size()); // Preserve explicit content length. @@ -1643,7 +1642,7 @@ TEST_P(IntegrationTest, TestHead) { response = sendRequestAndWaitForResponse(head_request, 0, content_length_response, 0); ASSERT_TRUE(response->complete()); EXPECT_THAT(response->headers(), HttpStatusIs("200")); - EXPECT_THAT(response->headers(), HeaderValueOf(Headers::get().ContentLength, "12")); + EXPECT_THAT(response->headers(), ContainsHeader(Headers::get().ContentLength, "12")); EXPECT_EQ(response->headers().TransferEncoding(), nullptr); EXPECT_EQ(0, response->body().size()); } @@ -1756,13 +1755,13 @@ TEST_P(IntegrationTest, ViaAppendHeaderOnly) { {"via", "foo"}, {"connection", "close"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Headers::get().Via, "foo, bar")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Headers::get().Via, "foo, bar")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(codec_client_->waitForDisconnect()); EXPECT_TRUE(response->complete()); EXPECT_THAT(response->headers(), HttpStatusIs("200")); - EXPECT_THAT(response->headers(), HeaderValueOf(Headers::get().Via, "bar")); + EXPECT_THAT(response->headers(), ContainsHeader(Headers::get().Via, "bar")); } // Validate that 100-continue works as expected with via header addition on both request and @@ -2652,7 +2651,7 @@ TEST_P(IntegrationTest, AppendXForwardedPort) { {":authority", "host"}, {"connection", "close"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), Not(HeaderValueOf(Headers::get().ForwardedPort, ""))); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader(Headers::get().ForwardedPort, ""))); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(codec_client_->waitForDisconnect()); @@ -2695,7 +2694,7 @@ TEST_P(IntegrationTest, IgnoreAppendingXForwardedPortIfHasBeenSet) { {"connection", "close"}, {"x-forwarded-port", "8080"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Headers::get().ForwardedPort, "8080")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Headers::get().ForwardedPort, "8080")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(codec_client_->waitForDisconnect()); @@ -2717,7 +2716,7 @@ TEST_P(IntegrationTest, PreserveXForwardedPortFromTrustedHop) { {"connection", "close"}, {"x-forwarded-port", "80"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Headers::get().ForwardedPort, "80")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Headers::get().ForwardedPort, "80")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(codec_client_->waitForDisconnect()); @@ -2739,7 +2738,8 @@ TEST_P(IntegrationTest, OverwriteXForwardedPortFromUntrustedHop) { {"connection", "close"}, {"x-forwarded-port", "80"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), Not(HeaderValueOf(Headers::get().ForwardedPort, "80"))); + EXPECT_THAT(upstream_request_->headers(), + Not(ContainsHeader(Headers::get().ForwardedPort, "80"))); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(codec_client_->waitForDisconnect()); @@ -2761,7 +2761,7 @@ TEST_P(IntegrationTest, DoNotOverwriteXForwardedPortFromUntrustedHop) { {"connection", "close"}, {"x-forwarded-port", "80"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Headers::get().ForwardedPort, "80")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Headers::get().ForwardedPort, "80")); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); ASSERT_TRUE(codec_client_->waitForDisconnect()); diff --git a/test/integration/multiplexed_upstream_integration_test.cc b/test/integration/multiplexed_upstream_integration_test.cc index a73f3b56d617d..62422bfef69b0 100644 --- a/test/integration/multiplexed_upstream_integration_test.cc +++ b/test/integration/multiplexed_upstream_integration_test.cc @@ -701,7 +701,7 @@ TEST_P(MultiplexedUpstreamIntegrationTest, AutoRetrySafeRequestUponTooEarlyRespo waitForNextUpstreamRequest(0); // If the request already has Early-Data header, no additional Early-Data header should be added // and the header should be forwarded as is. - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Http::Headers::get().EarlyData, "1")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Http::Headers::get().EarlyData, "1")); upstream_request_->encodeHeaders(too_early_response_headers, true); ASSERT_TRUE(response2->waitForEndStream()); // 425 response should be forwarded back to the client. diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index ec3ea461139dd..07cbba8dc62fa 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1878,9 +1878,9 @@ TEST_P(ProtocolIntegrationTest, HeadersWithUnderscoresDropped) { Http::TestRequestTrailerMapImpl{{"trailer1", "value1"}, {"trailer_2", "value2"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), Not(HeaderHasValueRef("foo_bar", "baz"))); + EXPECT_THAT(upstream_request_->headers(), Not(ContainsHeader("foo_bar", "baz"))); // Headers with underscores should be dropped from request headers and trailers. - EXPECT_THAT(*upstream_request_->trailers(), Not(HeaderHasValueRef("trailer_2", "value2"))); + EXPECT_THAT(*upstream_request_->trailers(), Not(ContainsHeader("trailer_2", "value2"))); upstream_request_->encodeHeaders( Http::TestResponseHeaderMapImpl{{":status", "200"}, {"bar_baz", "fooz"}}, false); upstream_request_->encodeData("b", false); @@ -1890,8 +1890,8 @@ TEST_P(ProtocolIntegrationTest, HeadersWithUnderscoresDropped) { EXPECT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); // Both response headers and trailers must retain headers with underscores. - EXPECT_THAT(response->headers(), HeaderHasValueRef("bar_baz", "fooz")); - EXPECT_THAT(*response->trailers(), HeaderHasValueRef("response_trailer", "ok")); + EXPECT_THAT(response->headers(), ContainsHeader("bar_baz", "fooz")); + EXPECT_THAT(*response->trailers(), ContainsHeader("response_trailer", "ok")); Stats::Store& stats = test_server_->server().stats(); std::string stat_name; switch (downstreamProtocol()) { @@ -1924,13 +1924,13 @@ TEST_P(ProtocolIntegrationTest, HeadersWithUnderscoresRemainByDefault) { {"foo_bar", "baz"}}); waitForNextUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), HeaderHasValueRef("foo_bar", "baz")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("foo_bar", "baz")); upstream_request_->encodeHeaders( Http::TestResponseHeaderMapImpl{{":status", "200"}, {"bar_baz", "fooz"}}, true); ASSERT_TRUE(response->waitForEndStream()); EXPECT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); - EXPECT_THAT(response->headers(), HeaderHasValueRef("bar_baz", "fooz")); + EXPECT_THAT(response->headers(), ContainsHeader("bar_baz", "fooz")); } // Verify that request with headers containing underscores is rejected when configured. @@ -2036,8 +2036,8 @@ TEST_P(ProtocolIntegrationTest, HeadersWithUnderscoresInResponseAllowRequest) { EXPECT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); // Both response headers and trailers must retain headers with underscores. - EXPECT_THAT(response->headers(), HeaderHasValueRef("bar_baz", "fooz")); - EXPECT_THAT(*response->trailers(), HeaderHasValueRef("response_trailer", "ok")); + EXPECT_THAT(response->headers(), ContainsHeader("bar_baz", "fooz")); + EXPECT_THAT(*response->trailers(), ContainsHeader("response_trailer", "ok")); } TEST_P(DownstreamProtocolIntegrationTest, ValidZeroLengthContent) { @@ -5556,7 +5556,7 @@ TEST_P(DownstreamProtocolIntegrationTest, InvalidSchemeHeaderWithWhitespace) { // The scheme header is not conveyed in HTTP/1. EXPECT_EQ(nullptr, upstream_request_->headers().Scheme()); } else { - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Http::Headers::get().Scheme, "http")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Http::Headers::get().Scheme, "http")); } upstream_request_->encodeHeaders(default_response_headers_, true); ASSERT_TRUE(response->waitForEndStream()); diff --git a/test/integration/quic_http_integration_test.cc b/test/integration/quic_http_integration_test.cc index 09ed57a1870aa..3882cd9665c07 100644 --- a/test/integration/quic_http_integration_test.cc +++ b/test/integration/quic_http_integration_test.cc @@ -126,7 +126,7 @@ TEST_P(QuicHttpIntegrationTest, ZeroRtt) { // Send a complete request on the second connection. auto response2 = codec_client_->makeHeaderOnlyRequest(default_request_headers_); waitForNextUpstreamRequest(0); - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Http::Headers::get().EarlyData, "1")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Http::Headers::get().EarlyData, "1")); upstream_request_->encodeHeaders(default_response_headers_, true); ASSERT_TRUE(response2->waitForEndStream()); // Ensure 0-RTT was used by second connection. @@ -157,7 +157,7 @@ TEST_P(QuicHttpIntegrationTest, ZeroRtt) { /*wait_for_1rtt_key*/ false); auto response3 = codec_client_->makeHeaderOnlyRequest(default_request_headers_); waitForNextUpstreamRequest(0); - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Http::Headers::get().EarlyData, "1")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Http::Headers::get().EarlyData, "1")); upstream_request_->encodeHeaders(too_early_response_headers, true); ASSERT_TRUE(response3->waitForEndStream()); // This is downstream sending early data, so the 425 response should be forwarded back to the @@ -177,7 +177,7 @@ TEST_P(QuicHttpIntegrationTest, ZeroRtt) { waitForNextUpstreamRequest(0); // If the request already has Early-Data header, no additional Early-Data header should be added // and the header should be forwarded as is. - EXPECT_THAT(upstream_request_->headers(), HeaderValueOf(Http::Headers::get().EarlyData, "2")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader(Http::Headers::get().EarlyData, "2")); upstream_request_->encodeHeaders(too_early_response_headers, true); ASSERT_TRUE(response4->waitForEndStream()); // 425 response should be forwarded back to the client. @@ -1211,7 +1211,7 @@ TEST_P(QuicHttpIntegrationTest, DisableQpack) { auto response = codec_client_->makeHeaderOnlyRequest(headers); waitForNextUpstreamRequest(0); // Cookie crumbling is disabled along with QPACK. - EXPECT_THAT(upstream_request_->headers(), HeaderHasValueRef("cookie", "x;y")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("cookie", "x;y")); upstream_request_->encodeHeaders(default_response_headers_, true); ASSERT_TRUE(response->waitForEndStream()); codec_client_->close(); diff --git a/test/integration/redirect_integration_test.cc b/test/integration/redirect_integration_test.cc index 03375ca855b9f..f1107cdb653ba 100644 --- a/test/integration/redirect_integration_test.cc +++ b/test/integration/redirect_integration_test.cc @@ -267,8 +267,7 @@ TEST_P(RedirectIntegrationTest, ConnectionCloseHeaderHonoredInInternalRedirect) ASSERT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); // "Connection: close" should be sent back in response. - EXPECT_THAT(response->headers(), - Envoy::Http::HeaderValueOf(Envoy::Http::Headers::get().Connection, "close")); + EXPECT_THAT(response->headers(), ContainsHeader(Envoy::Http::Headers::get().Connection, "close")); // Envoy should close the connection immediately. ASSERT_TRUE(codec_client_->waitForDisconnect(std::chrono::milliseconds(2000))); diff --git a/test/integration/upstream_http_filter_integration_test.cc b/test/integration/upstream_http_filter_integration_test.cc index 8adaecebcc421..14aeb1b364ba2 100644 --- a/test/integration/upstream_http_filter_integration_test.cc +++ b/test/integration/upstream_http_filter_integration_test.cc @@ -31,7 +31,6 @@ constexpr absl::string_view expected_types[] = { using HttpFilterProto = envoy::extensions::filters::network::http_connection_manager::v3::HttpFilter; -using Http::HeaderValueOf; using testing::Not; class UpstreamHttpFilterIntegrationTestBase : public HttpIntegrationTest { @@ -174,8 +173,8 @@ TEST_P(StaticRouterOrClusterFiltersIntegrationTest, initialize(); auto headers = sendRequestAndGetHeaders(); - EXPECT_THAT(*headers, Not(HeaderValueOf("x-test-router", "aa"))); - EXPECT_THAT(*headers, HeaderValueOf("x-test-cluster", "bb")); + EXPECT_THAT(*headers, Not(ContainsHeader("x-test-router", "aa"))); + EXPECT_THAT(*headers, ContainsHeader("x-test-cluster", "bb")); } TEST_P(StaticRouterOrClusterFiltersIntegrationTest, ClusterUpstreamFiltersDisabled) { @@ -185,7 +184,7 @@ TEST_P(StaticRouterOrClusterFiltersIntegrationTest, ClusterUpstreamFiltersDisabl initialize(); auto headers = sendRequestAndGetHeaders(); - EXPECT_THAT(*headers, Not(HeaderValueOf("x-test-router", "aa"))); + EXPECT_THAT(*headers, Not(ContainsHeader("x-test-router", "aa"))); } TEST_P(StaticRouterOrClusterFiltersIntegrationTest, RouterUpstreamFiltersDisabled) { @@ -195,7 +194,7 @@ TEST_P(StaticRouterOrClusterFiltersIntegrationTest, RouterUpstreamFiltersDisable initialize(); auto headers = sendRequestAndGetHeaders(); - EXPECT_THAT(*headers, Not(HeaderValueOf("x-test-cluster", "bb"))); + EXPECT_THAT(*headers, Not(ContainsHeader("x-test-cluster", "bb"))); } TEST_P(StaticRouterOrClusterFiltersIntegrationTest, @@ -213,9 +212,9 @@ TEST_P(StaticRouterOrClusterFiltersIntegrationTest, auto headers = sendRequestAndGetHeaders(); if (useRouterFilters()) { - EXPECT_THAT(*headers, Not(HeaderValueOf(default_header_key_, default_header_value_))); + EXPECT_THAT(*headers, Not(ContainsHeader(default_header_key_, default_header_value_))); } else { - EXPECT_THAT(*headers, HeaderValueOf(default_header_key_, default_header_value_)); + EXPECT_THAT(*headers, ContainsHeader(default_header_key_, default_header_value_)); } } diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index a1dc887af4abb..5eb005aaace20 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -800,14 +800,6 @@ class HeaderValueOfMatcher { const testing::Matcher matcher_; }; -// Test that a HeaderMap argument contains exactly one header with the given -// key, whose value satisfies the given expectation. The expectation can be a -// matcher, or a string that the value should equal. -template HeaderValueOfMatcher HeaderValueOf(K key, const T& matcher) { - return HeaderValueOfMatcher(LowerCaseString(key), - testing::SafeMatcherCast(matcher)); -} - // Tests the provided Envoy HeaderMap for the provided HTTP status code. MATCHER_P(HttpStatusIs, expected_code, "") { const HeaderEntry* status = arg.Status(); @@ -987,16 +979,13 @@ MATCHER_P(HeaderMapEqualRef, rhs, "") { return equal; } -// Test that a HeaderMapPtr argument includes a given key-value pair, e.g., -// HeaderHasValue("Upgrade", "WebSocket") -template -testing::Matcher HeaderHasValue(K key, V value) { - return testing::Pointee(Http::HeaderValueOf(key, value)); -} - -// Like HeaderHasValue, but matches against a HeaderMap& argument. -template Http::HeaderValueOfMatcher HeaderHasValueRef(K key, V value) { - return Http::HeaderValueOf(key, value); +// Test that a HeaderMap& argument includes a given key-value pair, e.g., +// ContainsHeader("Upgrade", "WebSocket"). Key is case-insensitive. +// Value can be a matcher, e.g. +// ContainsHeader("Upgrade", HasSubstr("Socket")) +template Http::HeaderValueOfMatcher ContainsHeader(K key, V value) { + return Http::HeaderValueOfMatcher(Http::LowerCaseString(key), + testing::SafeMatcherCast(value)); } } // namespace Envoy diff --git a/test/mocks/http/mocks_test.cc b/test/mocks/http/mocks_test.cc index 9ed2d1b227a22..78209bb33a293 100644 --- a/test/mocks/http/mocks_test.cc +++ b/test/mocks/http/mocks_test.cc @@ -8,48 +8,6 @@ using ::testing::_; using ::testing::Not; namespace Http { -TEST(HeaderValueOfTest, ConstHeaderMap) { - const TestRequestHeaderMapImpl header_map{{"key", "expected value"}}; - - // Positive checks. - EXPECT_THAT(header_map, HeaderValueOf("key", "expected value")); - EXPECT_THAT(header_map, HeaderValueOf("key", _)); - - // Negative checks. - EXPECT_THAT(header_map, Not(HeaderValueOf("key", "other value"))); - EXPECT_THAT(header_map, Not(HeaderValueOf("other key", _))); -} - -TEST(HeaderValueOfTest, MutableHeaderMap) { - TestRequestHeaderMapImpl header_map; - - // Negative checks. - EXPECT_THAT(header_map, Not(HeaderValueOf("key", "other value"))); - EXPECT_THAT(header_map, Not(HeaderValueOf("other key", _))); - - header_map.addCopy("key", "expected value"); - - // Positive checks. - EXPECT_THAT(header_map, HeaderValueOf("key", "expected value")); - EXPECT_THAT(header_map, HeaderValueOf("key", _)); -} - -TEST(HeaderValueOfTest, LowerCaseString) { - TestRequestHeaderMapImpl header_map; - LowerCaseString key("key"); - LowerCaseString other_key("other_key"); - - // Negative checks. - EXPECT_THAT(header_map, Not(HeaderValueOf(key, "other value"))); - EXPECT_THAT(header_map, Not(HeaderValueOf(other_key, _))); - - header_map.addCopy(key, "expected value"); - header_map.addCopy(other_key, "ValUe"); - - // Positive checks. - EXPECT_THAT(header_map, HeaderValueOf(key, "expected value")); - EXPECT_THAT(header_map, HeaderValueOf(other_key, _)); -} TEST(HttpStatusIsTest, CheckStatus) { TestResponseHeaderMapImpl header_map; @@ -106,36 +64,47 @@ TEST(IsSupersetOfHeadersTest, MutableHeaderMap) { } } // namespace Http -TEST(HeaderHasValueRefTest, MutableValueRef) { - Http::TestRequestHeaderMapImpl header_map; - - EXPECT_THAT(header_map, Not(HeaderHasValueRef("key", "value"))); - EXPECT_THAT(header_map, Not(HeaderHasValueRef("other key", "value"))); +TEST(ContainsHeaderTest, ConstHeaderMap) { + const Http::TestRequestHeaderMapImpl header_map{{"key", "expected value"}}; - header_map.addCopy("key", "value"); + // Positive checks. + EXPECT_THAT(header_map, ContainsHeader("key", "expected value")); + EXPECT_THAT(header_map, ContainsHeader("key", _)); - EXPECT_THAT(header_map, HeaderHasValueRef("key", "value")); - EXPECT_THAT(header_map, Not(HeaderHasValueRef("key", "wrong value"))); + // Negative checks. + EXPECT_THAT(header_map, Not(ContainsHeader("key", "other value"))); + EXPECT_THAT(header_map, Not(ContainsHeader("other key", _))); } -TEST(HeaderHasValueRefTest, ConstValueRef) { - const Http::TestRequestHeaderMapImpl header_map{{"key", "expected value"}}; +TEST(ContainsHeaderTest, MutableHeaderMap) { + Http::TestRequestHeaderMapImpl header_map; + + // Negative checks. + EXPECT_THAT(header_map, Not(ContainsHeader("key", "other value"))); + EXPECT_THAT(header_map, Not(ContainsHeader("other key", _))); + + header_map.addCopy("key", "expected value"); - EXPECT_THAT(header_map, Not(HeaderHasValueRef("key", "other value"))); - EXPECT_THAT(header_map, HeaderHasValueRef("key", "expected value")); + // Positive checks. + EXPECT_THAT(header_map, ContainsHeader("key", "expected value")); + EXPECT_THAT(header_map, ContainsHeader("key", _)); } -TEST(HeaderHasValueRefTest, LowerCaseStringArguments) { - Http::LowerCaseString key("key"), other_key("other key"); +TEST(ContainsHeaderTest, LowerCaseStringArguments) { Http::TestRequestHeaderMapImpl header_map; + Http::LowerCaseString key("key"); + Http::LowerCaseString other_key("other_key"); - EXPECT_THAT(header_map, Not(HeaderHasValueRef(key, "value"))); - EXPECT_THAT(header_map, Not(HeaderHasValueRef(other_key, "value"))); + // Negative checks. + EXPECT_THAT(header_map, Not(ContainsHeader(key, "other value"))); + EXPECT_THAT(header_map, Not(ContainsHeader(other_key, _))); - header_map.addCopy(key, "value"); + header_map.addCopy(key, "expected value"); + header_map.addCopy(other_key, "ValUe"); - EXPECT_THAT(header_map, HeaderHasValueRef(key, "value")); - EXPECT_THAT(header_map, Not(HeaderHasValueRef(other_key, "wrong value"))); + // Positive checks. + EXPECT_THAT(header_map, ContainsHeader(key, "expected value")); + EXPECT_THAT(header_map, ContainsHeader(other_key, _)); } TEST(HeaderMatcherTest, OutputsActualHeadersOnMatchFailure) { From 2a9789ef6f0d502948fa40ad313feee874dbdbcd Mon Sep 17 00:00:00 2001 From: "Antonio V. Leonti" <53806445+antoniovleonti@users.noreply.github.com> Date: Mon, 4 Aug 2025 15:54:04 -0400 Subject: [PATCH 156/505] add load shed point http2_server_go_away_and_close_on_dispatch (#40480) This load shed point is almost the same as `http2_server_go_away_on_dispatch` except it forcefully closes the connection after sending a goaway frame. If both load shed points are above their threshold, this takes precedence. Risk Level: low --------- Signed-off-by: antoniovleonti Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com> --- changelogs/current.yaml | 7 ++++ .../overload_manager/overload_manager.rst | 8 ++++ envoy/server/overload/load_shed_point.h | 5 +++ source/common/http/conn_manager_impl.cc | 3 -- source/common/http/http2/codec_impl.cc | 15 ++++++- source/common/http/http2/codec_impl.h | 1 + test/common/http/http2/codec_impl_test.cc | 37 +++++++++++++++--- test/common/http/http2/codec_impl_test_util.h | 12 +++++- test/integration/overload_integration_test.cc | 39 +++++++++++++++++++ 9 files changed, 117 insertions(+), 10 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 1bd4eeab85199..86b1f888959cc 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -97,6 +97,13 @@ new_features: change: | Added support for endpoint-level load stats and metrics reporting. Locality load reports now include per endpoint statistics and metrics, but only for endpoints with updated stats, optimizing report size and efficiency. +- area: overload management + change: | + Added load shed point ``envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch`` + that sends ``GOAWAY`` AND closes connections for HTTP2 server processing of requests. When + a ``GOAWAY`` frame is submitted by this the counter ``http2.goaway_sent`` will be + incremented. + - area: otlp_stat_sink change: | Added support for resource attributes. The stat sink will use the resource attributes configured for the OpenTelemetry tracer via diff --git a/docs/root/configuration/operations/overload_manager/overload_manager.rst b/docs/root/configuration/operations/overload_manager/overload_manager.rst index 9f7229b02db1a..86a7deaf7557f 100644 --- a/docs/root/configuration/operations/overload_manager/overload_manager.rst +++ b/docs/root/configuration/operations/overload_manager/overload_manager.rst @@ -218,6 +218,14 @@ The following core load shed points are supported: rejected by this load shed point and there is no available capacity to serve the downstream request, the downstream request will fail. + * - envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch + - Envoy will send a ``GOAWAY`` while processing HTTP2 requests at the codec + level AND immediately force close the downstream connection. If both this and + ``http2_server_go_away_on_dispatch`` are configured and shouldShedLoad() + returns true for both, this takes precedence. This is a disruptive action + (causes downstream connections to ungracefully close) that should only be + used with a very high threshold (if at all). + .. _config_overload_manager_reducing_timeouts: Reducing timeouts diff --git a/envoy/server/overload/load_shed_point.h b/envoy/server/overload/load_shed_point.h index 9434aac1c9058..d25bae4b5f56f 100644 --- a/envoy/server/overload/load_shed_point.h +++ b/envoy/server/overload/load_shed_point.h @@ -27,6 +27,11 @@ class LoadShedPointNameValues { const std::string H2ServerGoAwayOnDispatch = "envoy.load_shed_points.http2_server_go_away_on_dispatch"; + // Envoy will send a GOAWAY and immediately close the connection while processing HTTP2 requests + // at the codec level. + const std::string H2ServerGoAwayAndCloseOnDispatch = + "envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch"; + // Envoy will close the connections before creating codec if Envoy is under pressure, // typically memory. This happens once geting data from the connection. const std::string HcmCodecCreation = "envoy.load_shed_points.hcm_ondata_creating_codec"; diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index 4d2c9bd1ef7f3..feb21aea2f288 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -510,9 +510,6 @@ Network::FilterStatus ConnectionManagerImpl::onData(Buffer::Instance& data, bool handleCodecError(status.message()); return Network::FilterStatus::StopIteration; } else if (isEnvoyOverloadError(status)) { - // The other codecs aren't wired to send this status. - ASSERT(codec_->protocol() < Protocol::Http2, - "Expected only HTTP1.1 and below to send overload error."); stats_.named_.downstream_rq_overload_close_.inc(); handleCodecOverloadError(status.message()); return Network::FilterStatus::StopIteration; diff --git a/source/common/http/http2/codec_impl.cc b/source/common/http/http2/codec_impl.cc index c03b77f372d8e..a8fe96c790631 100644 --- a/source/common/http/http2/codec_impl.cc +++ b/source/common/http/http2/codec_impl.cc @@ -2214,10 +2214,16 @@ ServerConnectionImpl::ServerConnectionImpl( max_request_headers_count), callbacks_(callbacks), headers_with_underscores_action_(headers_with_underscores_action), should_send_go_away_on_dispatch_(overload_manager.getLoadShedPoint( - Server::LoadShedPointName::get().H2ServerGoAwayOnDispatch)) { + Server::LoadShedPointName::get().H2ServerGoAwayOnDispatch)), + should_send_go_away_and_close_on_dispatch_(overload_manager.getLoadShedPoint( + Server::LoadShedPointName::get().H2ServerGoAwayAndCloseOnDispatch)) { ENVOY_LOG_ONCE_IF(trace, should_send_go_away_on_dispatch_ == nullptr, "LoadShedPoint envoy.load_shed_points.http2_server_go_away_on_dispatch is not " "found. Is it configured?"); + ENVOY_LOG_ONCE_IF( + trace, should_send_go_away_and_close_on_dispatch_ == nullptr, + "LoadShedPoint envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch is not " + "found. Is it configured?"); Http2Options h2_options(http2_options, max_request_headers_kb); auto direct_visitor = std::make_unique(this); @@ -2283,6 +2289,13 @@ int ServerConnectionImpl::onHeader(int32_t stream_id, HeaderString&& name, Heade Http::Status ServerConnectionImpl::dispatch(Buffer::Instance& data) { // Make sure downstream outbound queue was not flooded by the upstream frames. RETURN_IF_ERROR(protocol_constraints_.checkOutboundFrameLimits()); + if (should_send_go_away_and_close_on_dispatch_ != nullptr && + should_send_go_away_and_close_on_dispatch_->shouldShedLoad()) { + ConnectionImpl::goAway(); + sent_go_away_on_dispatch_ = true; + return envoyOverloadError( + "Load shed point http2_server_go_away_and_close_on_dispatch triggered"); + } if (should_send_go_away_on_dispatch_ != nullptr && !sent_go_away_on_dispatch_ && should_send_go_away_on_dispatch_->shouldShedLoad()) { ConnectionImpl::goAway(); diff --git a/source/common/http/http2/codec_impl.h b/source/common/http/http2/codec_impl.h index a3a118c38e6fe..00a36b0af3746 100644 --- a/source/common/http/http2/codec_impl.h +++ b/source/common/http/http2/codec_impl.h @@ -877,6 +877,7 @@ class ServerConnectionImpl : public ServerConnection, public ConnectionImpl { envoy::config::core::v3::HttpProtocolOptions::HeadersWithUnderscoresAction headers_with_underscores_action_; Server::LoadShedPoint* should_send_go_away_on_dispatch_{nullptr}; + Server::LoadShedPoint* should_send_go_away_and_close_on_dispatch_{nullptr}; bool sent_go_away_on_dispatch_{false}; }; diff --git a/test/common/http/http2/codec_impl_test.cc b/test/common/http/http2/codec_impl_test.cc index 72b733df4010a..1a824d7cab318 100644 --- a/test/common/http/http2/codec_impl_test.cc +++ b/test/common/http/http2/codec_impl_test.cc @@ -4304,13 +4304,39 @@ TEST_P(Http2CodecImplTest, ServerDispatchLoadShedPointCanCauseServerToSendGoAway EXPECT_EQ(1, server_stats_store_.counter("http2.goaway_sent").value()); } -TEST_P(Http2CodecImplTest, ServerDispatchLoadShedPointIsOnlyConsultedOncePerDispatch) { +TEST_P(Http2CodecImplTest, ServerDispatchLoadShedPointSendGoAwayAndClose) { + expect_buffered_data_on_teardown_ = true; + initialize(); + ASSERT_EQ(0, server_stats_store_.counter("http2.goaway_sent").value()); + + TestRequestHeaderMapImpl request_headers; + HttpTestUtility::addDefaultHeaders(request_headers); + EXPECT_CALL(server_->server_go_away_and_close_on_dispatch, shouldShedLoad()) + .WillOnce(Return(true)); + EXPECT_CALL(client_callbacks_, onGoAway(_)); + + EXPECT_CALL(request_decoder_, decodeHeaders_(_, _)).Times(0); + EXPECT_TRUE(request_encoder_->encodeHeaders(request_headers, true).ok()); - int times_shed_load_invoked = 0; + driveToCompletion(); + + EXPECT_EQ(1, server_stats_store_.counter("http2.goaway_sent").value()); +} + +TEST_P(Http2CodecImplTest, ServerDispatchLoadShedPointsAreOnlyConsultedOncePerDispatch) { + initialize(); + + int times_shed_load_goaway_invoked = 0; EXPECT_CALL(server_->server_go_away_on_dispatch, shouldShedLoad()) - .WillRepeatedly(Invoke([×_shed_load_invoked]() { - ++times_shed_load_invoked; + .WillRepeatedly(Invoke([×_shed_load_goaway_invoked]() { + ++times_shed_load_goaway_invoked; + return false; + })); + int times_shed_load_goaway_and_close_invoked = 0; + EXPECT_CALL(server_->server_go_away_and_close_on_dispatch, shouldShedLoad()) + .WillRepeatedly(Invoke([×_shed_load_goaway_and_close_invoked]() { + ++times_shed_load_goaway_and_close_invoked; return false; })); @@ -4338,7 +4364,8 @@ TEST_P(Http2CodecImplTest, ServerDispatchLoadShedPointIsOnlyConsultedOncePerDisp // All the newly created streams are queued in the connection buffer. EXPECT_CALL(request_decoder_, decodeHeaders_(_, true)).Times(num_streams_to_create); driveToCompletion(); - EXPECT_EQ(1, times_shed_load_invoked); + EXPECT_EQ(1, times_shed_load_goaway_invoked); + EXPECT_EQ(1, times_shed_load_goaway_and_close_invoked); EXPECT_EQ(0, server_stats_store_.counter("http2.goaway_sent").value()); } diff --git a/test/common/http/http2/codec_impl_test_util.h b/test/common/http/http2/codec_impl_test_util.h index b98cdd410a6ff..b8573acd61a7c 100644 --- a/test/common/http/http2/codec_impl_test_util.h +++ b/test/common/http/http2/codec_impl_test_util.h @@ -1,6 +1,7 @@ #pragma once #include "envoy/http/codec.h" +#include "envoy/server/overload/load_shed_point.h" #include "source/common/http/http2/codec_impl.h" #include "source/common/http/utility.h" @@ -63,11 +64,20 @@ class TestCodecOverloadManagerProvider { public: TestCodecOverloadManagerProvider() { ON_CALL(overload_manager_, getLoadShedPoint(testing::_)) - .WillByDefault(testing::Return(&server_go_away_on_dispatch)); + .WillByDefault(testing::Invoke([this](absl::string_view name) -> Server::LoadShedPoint* { + if (name == Server::LoadShedPointName::get().H2ServerGoAwayOnDispatch) { + return &server_go_away_on_dispatch; + } + if (name == Server::LoadShedPointName::get().H2ServerGoAwayAndCloseOnDispatch) { + return &server_go_away_and_close_on_dispatch; + } + return nullptr; + })); } testing::NiceMock overload_manager_; testing::NiceMock server_go_away_on_dispatch; + testing::NiceMock server_go_away_and_close_on_dispatch; }; class TestServerConnectionImpl : public TestCodecStatsProvider, diff --git a/test/integration/overload_integration_test.cc b/test/integration/overload_integration_test.cc index 37454d3b4e0da..dc2163dc52f53 100644 --- a/test/integration/overload_integration_test.cc +++ b/test/integration/overload_integration_test.cc @@ -1094,6 +1094,45 @@ TEST_P(LoadShedPointIntegrationTest, Http2ServerDispatchSendsGoAwayCompletingPen "overload.envoy.load_shed_points.http2_server_go_away_on_dispatch.scale_percent", 0); } +TEST_P(LoadShedPointIntegrationTest, Http2ServerDispatchSendsGoAwayAndClosesConnection) { + // Test only applies to HTTP2. + if (downstreamProtocol() != Http::CodecClient::Type::HTTP2) { + return; + } + autonomous_upstream_ = true; + autonomous_allow_incomplete_streams_ = true; + initializeOverloadManager( + TestUtility::parseYaml(R"EOF( + name: "envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch" + triggers: + - name: "envoy.resource_monitors.testonly.fake_resource_monitor" + threshold: + value: 0.90 + )EOF")); + + codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); + auto [first_request_encoder, first_request_decoder] = + codec_client_->startRequest(default_request_headers_); + test_server_->waitForCounterEq("http.config_test.downstream_rq_http2_total", 1); + + // Put envoy in overloaded state to send GOAWAY frames and close the connection. + updateResource(0.95); + test_server_->waitForGaugeEq( + "overload.envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch.scale_percent", + 100); + + auto second_request_decoder = codec_client_->makeHeaderOnlyRequest(default_request_headers_); + + // The downstream should receive the GOAWAY and the connection should be closed. + ASSERT_TRUE(codec_client_->waitForDisconnect()); + EXPECT_TRUE(codec_client_->sawGoAway()); + test_server_->waitForCounterEq("http2.goaway_sent", 1); + test_server_->waitForCounterEq("http.config_test.downstream_rq_overload_close", 1); + + // The second request will not complete. + EXPECT_FALSE(second_request_decoder->complete()); +} + TEST_P(LoadShedPointIntegrationTest, HttpConnectionMnagerCloseConnectionCreatingCodec) { if (downstreamProtocol() == Http::CodecClient::Type::HTTP3) { return; From 4e453b12aa05d9b1a2abfe5d4f952fc9bcda6c28 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Mon, 4 Aug 2025 12:58:27 -0700 Subject: [PATCH 157/505] Fix JsonTranscoderFilter assert (#40446) Commit Message: Fix JsonTranscoderFilter assert Additional Description: If downstream sends more data after upstream sends non-grpc response headers, an assert was triggered in debug builds. This change makes it so if non-grpc response headers are expected (transcoding isn't happening) it's passed through without being tagged as an error. This is particularly an issue if a websocket connection shares a filter chain with a grpc_json_transcoder. Risk Level: Very small, behavior change is `error_` not being incorrectly set when there is no error, which is only used in the case where downstream sends more data after upstream sends a non-grpc response header, and mostly only an issue for debug builds. Testing: Output of new test before fix: ``` [ RUN ] GrpcJsonTranscoderFilterTest.NoTranscodingWithStreamedRequest [2025-07-25 19:27:57.572][91049][critical][assert] [source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc:587] assert failure: !error_. [2025-07-25 19:27:57.573][91049][error][envoy_bug] [./source/common/common/assert.h:38] stacktrace for envoy bug [2025-07-25 19:27:57.583][91049][error][envoy_bug] [./source/common/common/assert.h:43] #0 Envoy::Extensions::HttpFilters::GrpcJsonTranscoder::JsonTranscoderFilter::decodeData() [0x58c08814f50c] [...] ``` Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Raven Black --- .../json_transcoder_filter.cc | 9 ++-- .../json_transcoder_filter_test.cc | 41 +++++++++++++++++++ 2 files changed, 46 insertions(+), 4 deletions(-) diff --git a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc index cb92a33abb403..151eaf21e5f96 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc +++ b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc @@ -667,6 +667,11 @@ void JsonTranscoderFilter::setDecoderFilterCallbacks( Http::FilterHeadersStatus JsonTranscoderFilter::encodeHeaders(Http::ResponseHeaderMap& headers, bool end_stream) { + if (error_ || !transcoder_) { + ENVOY_STREAM_LOG(debug, "Response headers is passed through", *encoder_callbacks_); + return Http::FilterHeadersStatus::Continue; + } + if (!Grpc::Common::isGrpcResponseHeaders(headers, end_stream)) { ENVOY_STREAM_LOG( debug, @@ -674,10 +679,6 @@ Http::FilterHeadersStatus JsonTranscoderFilter::encodeHeaders(Http::ResponseHead "without transcoding.", *encoder_callbacks_); error_ = true; - } - - if (error_ || !transcoder_) { - ENVOY_STREAM_LOG(debug, "Response headers is passed through", *encoder_callbacks_); return Http::FilterHeadersStatus::Continue; } diff --git a/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc b/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc index ba2de188e3eb7..d751984c27716 100644 --- a/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc +++ b/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc @@ -592,6 +592,47 @@ TEST_F(GrpcJsonTranscoderFilterTest, NoTranscoding) { EXPECT_EQ(expected_response_trailers, response_trailers); } +TEST_F(GrpcJsonTranscoderFilterTest, NoTranscodingWithStreamedRequest) { + // It should not be an error to pass-through a non-transcoded request/response when + // the downstream sends more data after the upstream headers have been sent. + // This is a bit of an odd thing to test for specifically, but there was a bug here + // that caused debug builds to assert, so this is an anti-regression test. + Http::TestRequestHeaderMapImpl request_headers{{"content-type", "application/grpc"}, + {":method", "POST"}, + {":path", "/grpc.service/UnknownGrpcMethod"}}; + + Http::TestRequestHeaderMapImpl expected_request_headers{ + {"content-type", "application/grpc"}, + {":method", "POST"}, + {":path", "/grpc.service/UnknownGrpcMethod"}}; + + EXPECT_CALL(decoder_callbacks_.downstream_callbacks_, clearRouteCache()).Times(0); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_.decodeHeaders(request_headers, false)); + EXPECT_EQ(expected_request_headers, request_headers); + Http::MetadataMap metadata_map{{"metadata", "metadata"}}; + EXPECT_EQ(Http::FilterMetadataStatus::Continue, filter_.decodeMetadata(metadata_map)); + + // Not grpc response. + Http::TestResponseHeaderMapImpl response_headers{{"content-type", "application/json"}, + {":status", "200"}}; + + Http::TestResponseHeaderMapImpl expected_response_headers{{"content-type", "application/json"}, + {":status", "200"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_.encodeHeaders(response_headers, false)); + EXPECT_EQ(expected_response_headers, response_headers); + + // decodeData after pass-through encodeHeaders should not provoke an ASSERT. + Buffer::OwnedImpl request_data{"{}"}; + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_.decodeData(request_data, true)); + EXPECT_EQ(2, request_data.length()); + + Buffer::OwnedImpl response_data{"{}"}; + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_.encodeData(response_data, true)); + EXPECT_EQ(2, response_data.length()); +} + TEST_F(GrpcJsonTranscoderFilterTest, TranscodingUnaryPost) { Http::TestRequestHeaderMapImpl request_headers{ {"content-type", "application/json"}, {":method", "POST"}, {":path", "/shelf"}}; From 73b20a5224a96d0716975e66eb932e679755a236 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Mon, 4 Aug 2025 13:55:06 -0700 Subject: [PATCH 158/505] Fix racily added SingleHeaderValueIs->ContainsHeader (#40573) Commit Message: Fix racily added SingleHeaderValueIs->ContainsHeader Additional Description: CI broke because ContainsHeader cleanup raced with another PR adding one of the old matcher. Signed-off-by: Raven Black --- .../filters/http/ext_proc/ext_proc_integration_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 0c156feb3bde1..863a4af2a4642 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -5553,7 +5553,7 @@ TEST_P(ExtProcIntegrationTest, LargeBodyTestDuplexStreamed) { /*response*/ false, body_response); handleUpstreamRequest(); - EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs("x-new-header", "new")); + EXPECT_THAT(upstream_request_->headers(), ContainsHeader("x-new-header", "new")); EXPECT_EQ(upstream_request_->body().toString(), body_upstream); verifyDownstreamResponse(*response, 200); TearDown(); From 6ba543aedfd417461bdce3f901e49dd2b5ff09bd Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Mon, 4 Aug 2025 20:30:29 -0400 Subject: [PATCH 159/505] Utility function to convert proto bytes to string (#40569) trying to simplify swapping protobuf implementations that use std::string to represent bytes (current OSS implementation) and absl::Cord. Noop for now, but will simplify transition later. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Yan Avlasov --- source/common/protobuf/BUILD | 1 + source/common/protobuf/utility.h | 12 ++++++++++-- .../grpc_json_transcoder/json_transcoder_filter.cc | 2 +- .../filters/http/rate_limit_quota/filter.cc | 3 ++- test/common/config/metadata_test.cc | 2 +- test/fuzz/BUILD | 1 + test/fuzz/utility.h | 5 +++-- 7 files changed, 19 insertions(+), 7 deletions(-) diff --git a/source/common/protobuf/BUILD b/source/common/protobuf/BUILD index b3e31d715c8e0..7778a54d8b24e 100644 --- a/source/common/protobuf/BUILD +++ b/source/common/protobuf/BUILD @@ -64,6 +64,7 @@ envoy_cc_library( "//envoy/protobuf:message_validator_interface", "//source/common/common:statusor_lib", "//source/common/common:stl_helpers", + "@com_google_absl//absl/strings", "@envoy_api//envoy/type/v3:pkg_cc_proto", ], ) diff --git a/source/common/protobuf/utility.h b/source/common/protobuf/utility.h index fa3297b4932b9..4ad3d64548a82 100644 --- a/source/common/protobuf/utility.h +++ b/source/common/protobuf/utility.h @@ -1,6 +1,7 @@ #pragma once #include +#include #include "envoy/api/api.h" #include "envoy/common/exception.h" @@ -17,6 +18,7 @@ #include "absl/status/status.h" #include "absl/status/statusor.h" #include "absl/strings/str_join.h" +#include "absl/strings/string_view.h" // Obtain the value of a wrapped field (e.g. google.protobuf.UInt32Value) if set. Otherwise, return // the default value. @@ -379,6 +381,12 @@ class MessageUtil { return typed_config; } + /** + * Utility method to swap between protobuf bytes type using absl::Cord instead of std::string. + * Noop for now. + */ + static const std::string& bytesToString(const std::string& bytes) { return bytes; } + /** * Convert from a typed message into a google.protobuf.Any. This should be used * instead of the inbuilt PackTo, as PackTo is not available with lite protos. @@ -416,9 +424,9 @@ class MessageUtil { if (any.Is()) { Protobuf::BytesValue b; RETURN_IF_NOT_OK(MessageUtil::unpackTo(any, b)); - return b.value(); + return bytesToString(b.value()); } - return any.value(); + return bytesToString(any.value()); }; /** diff --git a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc index 151eaf21e5f96..b4518fdac48fd 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc +++ b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc @@ -961,7 +961,7 @@ bool JsonTranscoderFilter::buildResponseFromHttpBodyOutput( encoder_callbacks_->resetStream(); return true; } - const auto& body = http_body.data(); + const auto& body = MessageUtil::bytesToString(http_body.data()); data.add(body); diff --git a/source/extensions/filters/http/rate_limit_quota/filter.cc b/source/extensions/filters/http/rate_limit_quota/filter.cc index cb297c5d0dd90..1f4354dbeaa37 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.cc +++ b/source/extensions/filters/http/rate_limit_quota/filter.cc @@ -70,7 +70,8 @@ addDenyResponseHeadersCb(const DenyResponseSettings& settings) { Http::FilterHeadersStatus sendDenyResponse(Http::StreamDecoderFilterCallbacks* cb, const DenyResponseSettings& settings, StreamInfo::CoreResponseFlag flag) { - cb->sendLocalReply(getDenyResponseCode(settings), settings.http_body().value(), + cb->sendLocalReply(getDenyResponseCode(settings), + MessageUtil::bytesToString(settings.http_body().value()), addDenyResponseHeadersCb(settings), absl::nullopt, ""); cb->streamInfo().setResponseFlag(flag); return Envoy::Http::FilterHeadersStatus::StopIteration; diff --git a/test/common/config/metadata_test.cc b/test/common/config/metadata_test.cc index 2b37e9d034a70..dca0870d5158d 100644 --- a/test/common/config/metadata_test.cc +++ b/test/common/config/metadata_test.cc @@ -75,7 +75,7 @@ class TypedMetadataTest : public testing::Test { std::unique_ptr parse(const ProtobufWkt::Any& d) const override { if (!(d.type_url().empty())) { - return std::make_unique(std::string(d.value())); + return std::make_unique(MessageUtil::bytesToString(d.value())); } throw EnvoyException("Cannot create a Foo when Any metadata is empty."); } diff --git a/test/fuzz/BUILD b/test/fuzz/BUILD index 61a309e99baa8..f9a45c3bd91bd 100644 --- a/test/fuzz/BUILD +++ b/test/fuzz/BUILD @@ -66,6 +66,7 @@ envoy_cc_test_library( "//source/common/common:logger_lib", "//source/common/network:resolver_lib", "//source/common/network:utility_lib", + "//source/common/protobuf:utility_lib_header", "//test/common/stream_info:test_util", "//test/mocks/ssl:ssl_mocks", "//test/mocks/upstream:upstream_mocks", diff --git a/test/fuzz/utility.h b/test/fuzz/utility.h index d1ac39a70aa63..321cf875fc2f3 100644 --- a/test/fuzz/utility.h +++ b/test/fuzz/utility.h @@ -6,6 +6,7 @@ #include "source/common/network/resolver_impl.h" #include "source/common/network/socket_impl.h" #include "source/common/network/utility.h" +#include "source/common/protobuf/utility.h" #include "test/common/stream_info/test_util.h" #include "test/fuzz/common.pb.h" @@ -208,8 +209,8 @@ inline std::vector parseHttpData(const test::fuzz::HttpData& data) data_chunks.push_back(http_data); } } else if (data.has_proto_body()) { - const std::string serialized = data.proto_body().message().value(); - data_chunks = absl::StrSplit(serialized, absl::ByLength(data.proto_body().chunk_size())); + data_chunks = absl::StrSplit(MessageUtil::bytesToString(data.proto_body().message().value()), + absl::ByLength(data.proto_body().chunk_size())); } return data_chunks; From ec228f87f29bcd9be6c6dfd4c017e6464f4dae6a Mon Sep 17 00:00:00 2001 From: keyolk Date: Tue, 5 Aug 2025 11:24:12 +0900 Subject: [PATCH 160/505] redis: fix segfault at cluster removing (#40488) It is about to fix https://github.com/envoyproxy/envoy/issues/38585 again --------- Signed-off-by: Chanhun Jeong --- .../clusters/redis/redis_cluster.cc | 51 +++++++++++++++---- .../extensions/clusters/redis/redis_cluster.h | 6 ++- test/extensions/clusters/redis/BUILD | 1 + .../clusters/redis/redis_cluster_test.cc | 39 ++++++++++++++ 4 files changed, 87 insertions(+), 10 deletions(-) diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc index 7be1cbb6ea5b0..72a139f527b40 100644 --- a/source/extensions/clusters/redis/redis_cluster.cc +++ b/source/extensions/clusters/redis/redis_cluster.cc @@ -74,11 +74,7 @@ RedisCluster::RedisCluster( context.serverFactoryContext().mainThreadDispatcher(), context.serverFactoryContext().clusterManager(), context.serverFactoryContext().api().timeSource())), - registration_handle_(refresh_manager_->registerCluster( - cluster_name_, redirect_refresh_interval_, redirect_refresh_threshold_, - failure_refresh_threshold_, host_degraded_refresh_threshold_, [&]() { - redis_discovery_session_->resolve_timer_->enableTimer(std::chrono::milliseconds(0)); - })) { + registration_handle_(nullptr) { const auto& locality_lb_endpoints = load_assignment_.endpoints(); for (const auto& locality_lb_endpoint : locality_lb_endpoints) { for (const auto& lb_endpoint : locality_lb_endpoint.lb_endpoints()) { @@ -87,6 +83,32 @@ RedisCluster::RedisCluster( *this, host.socket_address().address(), host.socket_address().port_value())); } } + + // Register the cluster callback using weak_ptr to avoid use-after-free + std::weak_ptr weak_session = redis_discovery_session_; + registration_handle_ = refresh_manager_->registerCluster( + cluster_name_, redirect_refresh_interval_, redirect_refresh_threshold_, + failure_refresh_threshold_, host_degraded_refresh_threshold_, [weak_session]() { + // Try to lock the weak pointer to ensure the session is still alive + auto session = weak_session.lock(); + if (session && session->resolve_timer_) { + session->resolve_timer_->enableTimer(std::chrono::milliseconds(0)); + } + }); +} + +RedisCluster::~RedisCluster() { + // Set flag to prevent any callbacks from executing during destruction + is_destroying_.store(true); + + // Reset redis_discovery_session_ before other members are destroyed + // to ensure any pending callbacks from refresh_manager_ don't access it. + // This matches the approach in PR #39625. + redis_discovery_session_.reset(); + + // Also clear DNS discovery targets to prevent their callbacks from + // accessing the destroyed cluster. + dns_discovery_resolve_targets_.clear(); } void RedisCluster::startPreInit() { @@ -198,7 +220,7 @@ RedisCluster::DnsDiscoveryResolveTarget::~DnsDiscoveryResolveTarget() { active_query_->cancel(Network::ActiveDnsQuery::CancelReason::QueryAbandoned); } // Disable timer for mock tests. - if (resolve_timer_) { + if (resolve_timer_ && resolve_timer_->enabled()) { resolve_timer_->disableTimer(); } } @@ -220,8 +242,13 @@ void RedisCluster::DnsDiscoveryResolveTarget::startResolveDns() { } if (!resolve_timer_) { - resolve_timer_ = - parent_.dispatcher_.createTimer([this]() -> void { startResolveDns(); }); + resolve_timer_ = parent_.dispatcher_.createTimer([this]() -> void { + // Check if the parent cluster is being destroyed + if (parent_.is_destroying_.load()) { + return; + } + startResolveDns(); + }); } // if the initial dns resolved to empty, we'll skip the redis discovery phase and // treat it as an empty cluster. @@ -244,7 +271,13 @@ RedisCluster::RedisDiscoverySession::RedisDiscoverySession( Envoy::Extensions::Clusters::Redis::RedisCluster& parent, NetworkFilters::Common::Redis::Client::ClientFactory& client_factory) : parent_(parent), dispatcher_(parent.dispatcher_), - resolve_timer_(parent.dispatcher_.createTimer([this]() -> void { startResolveRedis(); })), + resolve_timer_(parent.dispatcher_.createTimer([this]() -> void { + // Check if the parent cluster is being destroyed + if (parent_.is_destroying_.load()) { + return; + } + startResolveRedis(); + })), client_factory_(client_factory), buffer_timeout_(0), redis_command_stats_( NetworkFilters::Common::Redis::RedisCommandStats::createRedisCommandStats( diff --git a/source/extensions/clusters/redis/redis_cluster.h b/source/extensions/clusters/redis/redis_cluster.h index 2aa97218e5501..1b12f347ddf88 100644 --- a/source/extensions/clusters/redis/redis_cluster.h +++ b/source/extensions/clusters/redis/redis_cluster.h @@ -90,6 +90,7 @@ namespace Redis { class RedisCluster : public Upstream::BaseDynamicClusterImpl { public: + ~RedisCluster(); static absl::StatusOr> create(const envoy::config::cluster::v3::Cluster& cluster, const envoy::extensions::clusters::redis::v3::RedisClusterConfig& redis_cluster, @@ -302,7 +303,10 @@ class RedisCluster : public Upstream::BaseDynamicClusterImpl { const std::string auth_password_; const std::string cluster_name_; const Common::Redis::ClusterRefreshManagerSharedPtr refresh_manager_; - const Common::Redis::ClusterRefreshManager::HandlePtr registration_handle_; + Common::Redis::ClusterRefreshManager::HandlePtr registration_handle_; + + // Flag to prevent callbacks during destruction + std::atomic is_destroying_{false}; }; class RedisClusterFactory : public Upstream::ConfigurableClusterFactoryBase< diff --git a/test/extensions/clusters/redis/BUILD b/test/extensions/clusters/redis/BUILD index 6f0a607172659..32dfc5229938f 100644 --- a/test/extensions/clusters/redis/BUILD +++ b/test/extensions/clusters/redis/BUILD @@ -31,6 +31,7 @@ envoy_extension_cc_test( "//source/server:transport_socket_config_lib", "//test/common/upstream:utility_lib", "//test/extensions/clusters/redis:redis_cluster_mocks", + "//test/extensions/common/redis:mocks_lib", "//test/extensions/filters/network/common/redis:redis_mocks", "//test/extensions/filters/network/common/redis:test_utils_lib", "//test/extensions/filters/network/redis_proxy:redis_mocks", diff --git a/test/extensions/clusters/redis/redis_cluster_test.cc b/test/extensions/clusters/redis/redis_cluster_test.cc index ae331cf2fa171..baa81cac8fe46 100644 --- a/test/extensions/clusters/redis/redis_cluster_test.cc +++ b/test/extensions/clusters/redis/redis_cluster_test.cc @@ -18,6 +18,7 @@ #include "test/common/upstream/utility.h" #include "test/extensions/clusters/redis/mocks.h" +#include "test/extensions/common/redis/mocks.h" #include "test/extensions/filters/network/common/redis/mocks.h" #include "test/mocks/common.h" #include "test/mocks/protobuf/mocks.h" @@ -1487,6 +1488,44 @@ TEST_F(RedisClusterTest, HostRemovalAfterHcFail) { */ } +// Test that verifies cluster destruction does not cause segfault when refresh manager +// triggers callback after cluster is destroyed. This reproduces the issue from #38585. +TEST_F(RedisClusterTest, NoSegfaultOnClusterDestructionWithPendingCallback) { + // This test verifies that destroying the cluster properly cleans up resources + // and doesn't cause a segfault. The key protection is in the destructor that + // sets is_destroying_ flag and cleans up the redis_discovery_session_. + + // Create the cluster with basic configuration + setupFromV3Yaml(BasicConfig); + const std::list resolved_addresses{"127.0.0.1"}; + expectResolveDiscovery(Network::DnsLookupFamily::V4Only, "foo.bar.com", resolved_addresses); + expectRedisResolve(true); + + cluster_->initialize([&]() { + initialized_.ready(); + return absl::OkStatus(); + }); + + EXPECT_CALL(membership_updated_, ready()); + EXPECT_CALL(initialized_, ready()); + EXPECT_CALL(*cluster_callback_, onClusterSlotUpdate(_, _)); + std::bitset single_slot_primary(0xfff); + std::bitset no_replica(0); + expectClusterSlotResponse(createResponse(single_slot_primary, no_replica)); + expectHealthyHosts(std::list({"127.0.0.1:22120"})); + + // Now destroy the cluster. With the fix in place (destructor setting is_destroying_ + // and resetting redis_discovery_session_), this should not crash. + // Without the fix, accessing resolve_timer_ after destruction would segfault. + cluster_.reset(); + + // If we reach here without crashing, the test passes. + // The fix ensures that: + // 1. The destructor sets is_destroying_ = true + // 2. The destructor resets redis_discovery_session_ + // 3. Timer callbacks check is_destroying_ before accessing cluster members +} + } // namespace Redis } // namespace Clusters } // namespace Extensions From d463b2691b7f2c727fdb7259e454303a8c0d7cd3 Mon Sep 17 00:00:00 2001 From: "qero.9ram" Date: Tue, 5 Aug 2025 11:24:37 +0900 Subject: [PATCH 161/505] redis_proxy: Add support for GEOSEARCH (#40534) Commit Message: redis_proxy: Add support for GEOSEARCH Additional Description: Risk Level: Low Testing: Docs Changes: yes(./docs/root/intro/arch_overview/other_protocols/redis.rst, changelogs/current.yaml) Release Notes: Platform Specific Features: Fixes #Issue: #39489 Signed-off-by: qero.9ram --- changelogs/current.yaml | 3 +++ docs/root/intro/arch_overview/other_protocols/redis.rst | 1 + .../filters/network/common/redis/supported_commands.h | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 86b1f888959cc..81b717548b579 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -87,6 +87,9 @@ new_features: :ref:`RouteAction.rate_limits` fields will be ignored. However, :ref:`RateLimitPerRoute.rate_limits` will take precedence over this field. +- area: redis + change: | + Added support for ``GEOSEARCH``. - area: observability change: | Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in produiction environments. diff --git a/docs/root/intro/arch_overview/other_protocols/redis.rst b/docs/root/intro/arch_overview/other_protocols/redis.rst index 04cdd322f5b8c..a5d310bb420d2 100644 --- a/docs/root/intro/arch_overview/other_protocols/redis.rst +++ b/docs/root/intro/arch_overview/other_protocols/redis.rst @@ -176,6 +176,7 @@ For details on each command's usage see the official GEOPOS, Geo GEORADIUS_RO, Geo GEORADIUSBYMEMBER_RO, Geo + GEOSEARCH, Geo HDEL, Hash HEXISTS, Hash HGET, Hash diff --git a/source/extensions/filters/network/common/redis/supported_commands.h b/source/extensions/filters/network/common/redis/supported_commands.h index e1869627a9f14..88fac5052a3b8 100644 --- a/source/extensions/filters/network/common/redis/supported_commands.h +++ b/source/extensions/filters/network/common/redis/supported_commands.h @@ -23,8 +23,8 @@ struct SupportedCommands { absl::flat_hash_set, "append", "bf.add", "bf.card", "bf.exists", "bf.info", "bf.insert", "bf.loadchunk", "bf.madd", "bf.mexists", "bf.reserve", "bf.scandump", "bitcount", "bitfield", "bitpos", "decr", "decrby", "dump", "expire", "expireat", "geoadd", - "geodist", "geohash", "geopos", "georadius_ro", "georadiusbymember_ro", "get", "getbit", - "getdel", "getrange", "getset", "hdel", "hexists", "hget", "hgetall", "hincrby", + "geodist", "geohash", "geopos", "georadius_ro", "georadiusbymember_ro", "geosearch", "get", + "getbit", "getdel", "getrange", "getset", "hdel", "hexists", "hget", "hgetall", "hincrby", "hincrbyfloat", "hkeys", "hlen", "hmget", "hmset", "hscan", "hset", "hsetnx", "hstrlen", "hvals", "incr", "incrby", "incrbyfloat", "lindex", "linsert", "llen", "lmove", "lpop", "lpush", "lpushx", "lrange", "lrem", "lset", "ltrim", "persist", "pexpire", "pexpireat", From 2eb57727c0839a82ae7114c5263b28310004d4a3 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 08:54:15 +0200 Subject: [PATCH 162/505] deps: Bump `rules_shell` -> 0.5.1 (#40545) --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 3a5c662bedfc1..fe1d046270ad8 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1134,12 +1134,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Shell script rules for Bazel", project_desc = "Bazel rules for shell scripts", project_url = "https://github.com/bazelbuild/rules_shell", - version = "0.5.0", - sha256 = "b15cc2e698a3c553d773ff4af35eb4b3ce2983c319163707dddd9e70faaa062d", + version = "0.5.1", + sha256 = "99bfc7aaefd1ed69613bbd25e24bf7871d68aeafca3a6b79f5f85c0996a41355", strip_prefix = "rules_shell-{version}", urls = ["https://github.com/bazelbuild/rules_shell/releases/download/v{version}/rules_shell-v{version}.tar.gz"], use_category = ["build"], - release_date = "2025-06-12", + release_date = "2025-08-01", license = "Apache-2.0", license_url = "https://github.com/protocolbuffers/rules_shell/blob/{version}/LICENSE", ), From 16bb136c5feae82b96e94e67e92f1e81ed00855b Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 11:30:04 +0200 Subject: [PATCH 163/505] coverage: adjusting coverage numbers for ExtProc (#40572) ## Description This PR fixes the coverage numbers for ExtProc. Two previous PRs https://github.com/envoyproxy/envoy/pull/40503 and https://github.com/envoyproxy/envoy/pull/40568 had a race to landing made coverage to fail in CI. --- Commit Message: coverage: adjusting coverage numbers for ExtProc Additional Description: Fixes the coverage numbers for ExtProc. Risk Level: N/A Testing: CI Docs Changes: N/A Release Notes: N/A Signed-off-by: Rohit Agrawal --- test/coverage.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/coverage.yaml b/test/coverage.yaml index 8142f27540dab..9f790a19a458d 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -41,7 +41,7 @@ directories: source/extensions/filters/http/cache: 95.9 source/extensions/filters/http/dynamic_forward_proxy: 94.8 source/extensions/filters/http/decompressor: 95.9 - source/extensions/filters/http/ext_proc: 96.5 + source/extensions/filters/http/ext_proc: 96.4 # might be flaky: be careful adjusting source/extensions/filters/http/grpc_json_reverse_transcoder: 94.8 source/extensions/filters/http/grpc_json_transcoder: 94.0 # TODO(#28232) source/extensions/filters/http/ip_tagging: 95.9 From e37e039bf4e8388a94052e7b80906d11bd4412ec Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 12:23:20 +0200 Subject: [PATCH 164/505] jwt_authn: deprecate flag jwt_authn_remove_jwt_from_query_params and remove legacy code paths (#40555) ## Description This PR removes the deprecated reloadable flag `jwt_authn_remove_jwt_from_query_params` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/38045 --- **Commit Message:** router: deprecate flag jwt_authn_remove_jwt_from_query_params and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `jwt_authn_remove_jwt_from_query_params` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 ++ source/common/runtime/runtime_features.cc | 1 - .../filters/http/jwt_authn/extractor.cc | 15 +++--- .../filters/http/jwt_authn/extractor_test.cc | 48 ++++--------------- 4 files changed, 17 insertions(+), 50 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 81b717548b579..0b56a7f11b4e0 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -50,6 +50,9 @@ removed_config_or_runtime: - area: gcp_authn change: | Removed runtime guard ``envoy.reloadable_features.gcp_authn_use_fixed_url`` and legacy code paths. +- area: jwt_authn + change: | + Removed runtime guard ``envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 4c2cc0e26d17b..f5c5c9ef0919f 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -56,7 +56,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_trailers); // Delay deprecation and decommission until UHV is enabled. RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); -RUNTIME_GUARD(envoy_reloadable_features_jwt_authn_remove_jwt_from_query_params); RUNTIME_GUARD(envoy_reloadable_features_jwt_authn_validate_uri); RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); RUNTIME_GUARD(envoy_reloadable_features_local_reply_traverses_filter_chain_after_1xx); diff --git a/source/extensions/filters/http/jwt_authn/extractor.cc b/source/extensions/filters/http/jwt_authn/extractor.cc index b38e20f063908..9dd7c31ccbbb8 100644 --- a/source/extensions/filters/http/jwt_authn/extractor.cc +++ b/source/extensions/filters/http/jwt_authn/extractor.cc @@ -108,17 +108,14 @@ class JwtParamLocation : public JwtLocationBase { : JwtLocationBase(token, issuer_checker), param_(param) {} void removeJwt(Http::RequestHeaderMap& headers) const override { - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params")) { - absl::string_view path = headers.getPathValue(); - Http::Utility::QueryParamsMulti query_params = - Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(path); + absl::string_view path = headers.getPathValue(); + Http::Utility::QueryParamsMulti query_params = + Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(path); - query_params.remove(param_); + query_params.remove(param_); - const auto updated_path = query_params.replaceQueryString(headers.Path()->value()); - headers.setPath(updated_path); - } + const auto updated_path = query_params.replaceQueryString(headers.Path()->value()); + headers.setPath(updated_path); } private: diff --git a/test/extensions/filters/http/jwt_authn/extractor_test.cc b/test/extensions/filters/http/jwt_authn/extractor_test.cc index 75109af4fcb1b..9bf2c0d2abb87 100644 --- a/test/extensions/filters/http/jwt_authn/extractor_test.cc +++ b/test/extensions/filters/http/jwt_authn/extractor_test.cc @@ -205,26 +205,10 @@ TEST_F(ExtractorTest, TestDefaultParamLocation) { EXPECT_FALSE(tokens[0]->isIssuerAllowed("unknown_issuer")); // Test token remove from the query parameter - { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params", "false"}}); - - tokens[0]->removeJwt(headers); - Http::Utility::QueryParamsMulti query_params = - Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue()); - EXPECT_EQ(query_params.getFirstValue("access_token").has_value(), true); - } - { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params", "true"}}); - - tokens[0]->removeJwt(headers); - Http::Utility::QueryParamsMulti query_params = - Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue()); - EXPECT_EQ(query_params.getFirstValue("access_token").has_value(), false); - } + tokens[0]->removeJwt(headers); + Http::Utility::QueryParamsMulti query_params = + Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue()); + EXPECT_EQ(query_params.getFirstValue("access_token").has_value(), false); } // Test extracting token from the custom header: "token-header" @@ -341,26 +325,10 @@ TEST_F(ExtractorTest, TestCustomParamToken) { EXPECT_FALSE(tokens[0]->isIssuerAllowed("issuer5")); EXPECT_FALSE(tokens[0]->isIssuerAllowed("unknown_issuer")); - { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params", "false"}}); - - tokens[0]->removeJwt(headers); - Http::Utility::QueryParamsMulti query_params = - Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue()); - EXPECT_EQ(query_params.getFirstValue("token_param").has_value(), true); - } - { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params", "true"}}); - - tokens[0]->removeJwt(headers); - Http::Utility::QueryParamsMulti query_params = - Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue()); - EXPECT_EQ(query_params.getFirstValue("token_param").has_value(), false); - } + tokens[0]->removeJwt(headers); + Http::Utility::QueryParamsMulti query_params = + Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue()); + EXPECT_EQ(query_params.getFirstValue("token_param").has_value(), false); } // Test extracting token from a cookie From f05829cbe1903d963c77870a377c2ee999bc4f94 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 13:13:51 +0200 Subject: [PATCH 165/505] dispatcher: deprecate flag fix_dispatcher_approximate_now and remove legacy code paths (#40553) ## Description This PR removes the deprecated reloadable flag `fix_dispatcher_approximate_now` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39133 --- **Commit Message:** router: deprecate flag fix_dispatcher_approximate_now and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `fix_dispatcher_approximate_now` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/event/dispatcher_impl.cc | 9 ++------- source/common/runtime/runtime_features.cc | 2 +- test/common/event/dispatcher_impl_test.cc | 19 ++++++------------- 4 files changed, 12 insertions(+), 21 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 0b56a7f11b4e0..727fb6061a3bc 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -53,6 +53,9 @@ removed_config_or_runtime: - area: jwt_authn change: | Removed runtime guard ``envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params`` and legacy code paths. +- area: dispatcher + change: | + Removed runtime guard ``envoy.restart_features.fix_dispatcher_approximate_now`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/event/dispatcher_impl.cc b/source/common/event/dispatcher_impl.cc index 50ce9aa45f731..6cc1e52312528 100644 --- a/source/common/event/dispatcher_impl.cc +++ b/source/common/event/dispatcher_impl.cc @@ -80,13 +80,8 @@ DispatcherImpl::DispatcherImpl(const std::string& name, Thread::ThreadFactory& t ASSERT(!name_.empty()); FatalErrorHandler::registerFatalErrorHandler(*this); updateApproximateMonotonicTimeInternal(); - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.fix_dispatcher_approximate_now")) { - base_scheduler_.registerOnCheckCallback( - std::bind(&DispatcherImpl::updateApproximateMonotonicTime, this)); - } else { - base_scheduler_.registerOnPrepareCallback( - std::bind(&DispatcherImpl::updateApproximateMonotonicTime, this)); - } + base_scheduler_.registerOnCheckCallback( + std::bind(&DispatcherImpl::updateApproximateMonotonicTime, this)); } DispatcherImpl::~DispatcherImpl() { diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index f5c5c9ef0919f..a4a7fac73bffd 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -100,7 +100,7 @@ RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_wait_for_first_byte_before_balsa_msg_done); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); RUNTIME_GUARD(envoy_reloadable_features_xds_prevent_resource_copy); -RUNTIME_GUARD(envoy_restart_features_fix_dispatcher_approximate_now); + RUNTIME_GUARD(envoy_restart_features_raise_file_limits); RUNTIME_GUARD(envoy_restart_features_skip_backing_cluster_check_for_sds); RUNTIME_GUARD(envoy_restart_features_use_eds_cache_for_ads); diff --git a/test/common/event/dispatcher_impl_test.cc b/test/common/event/dispatcher_impl_test.cc index a0a86c84fc114..84e2b06bef0d6 100644 --- a/test/common/event/dispatcher_impl_test.cc +++ b/test/common/event/dispatcher_impl_test.cc @@ -807,11 +807,9 @@ TEST_F(NotStartedDispatcherImplTest, IsThreadSafe) { EXPECT_TRUE(dispatcher_->isThreadSafe()); } -class DispatcherMonotonicTimeTest : public testing::TestWithParam { +class DispatcherMonotonicTimeTest : public testing::Test { protected: DispatcherMonotonicTimeTest() : api_(Api::createApiForTest()) { - runtime_.mergeValues({{"envoy.restart_features.fix_dispatcher_approximate_now", - (GetParam() ? "true" : "false")}}); dispatcher_ = api_->allocateDispatcher("test_thread"); dispatcher_->initializeStats(scope_); } @@ -825,28 +823,23 @@ class DispatcherMonotonicTimeTest : public testing::TestWithParam { MonotonicTime time_; }; -INSTANTIATE_TEST_SUITE_P(DispatcherMonotonicTimeTests, DispatcherMonotonicTimeTest, - ::testing::ValuesIn({false, true})); - -TEST_P(DispatcherMonotonicTimeTest, UpdateApproximateMonotonicTime) { +TEST_F(DispatcherMonotonicTimeTest, UpdateApproximateMonotonicTime) { dispatcher_->updateApproximateMonotonicTime(); MonotonicTime time1 = dispatcher_->approximateMonotonicTime(); Event::TimerPtr timer = dispatcher_->createTimer([&] { // Approximate time should have been updated in this loop to 1s later. MonotonicTime time2 = dispatcher_->approximateMonotonicTime(); EXPECT_LT(time1, time2); - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.fix_dispatcher_approximate_now")) { - // Time2 should be updated roughly 2000ms later than time1. - EXPECT_NEAR( - 2000, std::chrono::duration_cast(time2 - time1).count(), 100); - } + // Time2 should be updated roughly 2000ms later than time1. + EXPECT_NEAR(2000, std::chrono::duration_cast(time2 - time1).count(), + 100); }); timer->enableTimer(std::chrono::seconds(2)); dispatcher_->run(Dispatcher::RunType::Block); } -TEST_P(DispatcherMonotonicTimeTest, ApproximateMonotonicTime) { +TEST_F(DispatcherMonotonicTimeTest, ApproximateMonotonicTime) { // approximateMonotonicTime is constant within one event loop run. dispatcher_->post([this]() { { From d8b03d2ab25aa729287ec1f4a9ed7325382a2f2a Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 14:46:54 +0200 Subject: [PATCH 166/505] upstream: deprecate flag use_config_in_happy_eyeballs and remove legacy code paths (#40552) ## Description This PR removes the deprecated reloadable flag `use_config_in_happy_eyeballs` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39129 --- **Commit Message:** router: deprecate flag use_config_in_happy_eyeballs and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `use_config_in_happy_eyeballs` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - source/common/upstream/upstream_impl.cc | 14 +++++--------- test/common/upstream/upstream_impl_test.cc | 6 +----- 4 files changed, 9 insertions(+), 15 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 727fb6061a3bc..e249699434b80 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -56,6 +56,9 @@ removed_config_or_runtime: - area: dispatcher change: | Removed runtime guard ``envoy.restart_features.fix_dispatcher_approximate_now`` and legacy code paths. +- area: upstream + change: | + Removed runtime guard ``envoy.reloadable_features.use_config_in_happy_eyeballs`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index a4a7fac73bffd..e0f384cd15a0a 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -92,7 +92,6 @@ RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); RUNTIME_GUARD(envoy_reloadable_features_udp_socket_apply_aggregated_read_limit); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); -RUNTIME_GUARD(envoy_reloadable_features_use_config_in_happy_eyeballs); RUNTIME_GUARD(envoy_reloadable_features_use_filter_manager_state_for_downstream_end_stream); RUNTIME_GUARD(envoy_reloadable_features_use_typed_metadata_in_proxy_protocol_listener); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 9de375074669a..9120df8d6c12a 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -641,17 +641,13 @@ Host::CreateConnectionData HostImplBase::createConnection( socket_factory.createTransportSocket(transport_socket_options, host), upstream_local_address.socket_options_, transport_socket_options); } else if (address_list_or_null != nullptr && address_list_or_null->size() > 1) { - // TODO(adisuissa): convert from OptRef to reference once the runtime flag - // envoy.reloadable_features.use_config_in_happy_eyeballs is deprecated. + ENVOY_LOG(debug, "Upstream using happy eyeballs config."); OptRef happy_eyeballs_config; - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.use_config_in_happy_eyeballs")) { - ENVOY_LOG(debug, "Upstream using happy eyeballs config."); - if (cluster.happyEyeballsConfig().has_value()) { - happy_eyeballs_config = cluster.happyEyeballsConfig(); - } else { - happy_eyeballs_config = defaultHappyEyeballsConfig(); - } + if (cluster.happyEyeballsConfig().has_value()) { + happy_eyeballs_config = cluster.happyEyeballsConfig(); + } else { + happy_eyeballs_config = defaultHappyEyeballsConfig(); } connection = std::make_unique( dispatcher, *address_list_or_null, source_address_selector, socket_factory, diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index f74ecd620351e..b31a2e04edde3 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -1983,8 +1983,6 @@ TEST_F(HostImplTest, ProxyOverridesHappyEyeballs) { } TEST_F(HostImplTest, CreateConnectionHappyEyeballsWithConfig) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.use_config_in_happy_eyeballs", "true"}}); MockClusterMockPrioritySet cluster; // pass in custom happy_eyeballs_config @@ -2039,12 +2037,10 @@ TEST_F(HostImplTest, CreateConnectionHappyEyeballsWithConfig) { } TEST_F(HostImplTest, CreateConnectionHappyEyeballsWithEmptyConfig) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.use_config_in_happy_eyeballs", "true"}}); MockClusterMockPrioritySet cluster; // pass in empty happy_eyeballs_config - // a default config will be created when flag turned on + // a default config will be created EXPECT_CALL(*(cluster.info_), happyEyeballsConfig()).WillRepeatedly(Return(absl::nullopt)); envoy::config::core::v3::Metadata metadata; From b52d8e7f33b47abb081b827feae0c937d1343c80 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 15:54:01 +0200 Subject: [PATCH 167/505] http: deprecate flag proxy_104 and remove legacy code paths (#40554) ## Description This PR removes the deprecated reloadable flag `proxy_104` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/38047 --- **Commit Message:** router: deprecate flag proxy_104 and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `proxy_104` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/http/header_utility.cc | 7 ++----- source/common/runtime/runtime_features.cc | 1 - 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index e249699434b80..c379fa445b74e 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -59,6 +59,9 @@ removed_config_or_runtime: - area: upstream change: | Removed runtime guard ``envoy.reloadable_features.use_config_in_happy_eyeballs`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.proxy_104`` and legacy code paths. new_features: - area: health_check diff --git a/source/common/http/header_utility.cc b/source/common/http/header_utility.cc index aa28156d5ff1f..f18bcbe5f07bc 100644 --- a/source/common/http/header_utility.cc +++ b/source/common/http/header_utility.cc @@ -236,12 +236,9 @@ bool HeaderUtility::authorityIsValid(const absl::string_view header_value) { } bool HeaderUtility::isSpecial1xx(const ResponseHeaderMap& response_headers) { - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.proxy_104") && - response_headers.Status()->value() == "104") { - return true; - } return response_headers.Status()->value() == "100" || - response_headers.Status()->value() == "102" || response_headers.Status()->value() == "103"; + response_headers.Status()->value() == "102" || + response_headers.Status()->value() == "103" || response_headers.Status()->value() == "104"; } bool HeaderUtility::isConnect(const RequestHeaderMap& headers) { diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index e0f384cd15a0a..5ade45ecc4e54 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -68,7 +68,6 @@ RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); RUNTIME_GUARD(envoy_reloadable_features_prefer_ipv6_dns_on_macos); RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_miss); -RUNTIME_GUARD(envoy_reloadable_features_proxy_104); RUNTIME_GUARD(envoy_reloadable_features_proxy_ssl_port); RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags); RUNTIME_GUARD(envoy_reloadable_features_quic_defer_logging_to_ack_listener); From c4153775e0c6af33fe605f7db174f1d4e855320f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 14:18:41 +0000 Subject: [PATCH 168/505] build(deps): bump distroless/base-nossl-debian12 from `fa7b50f` to `9a1c8b2` in /distribution/docker (#40587) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- distribution/docker/Dockerfile-envoy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy index 08070f0a404b5..b6703daf03a8d 100644 --- a/distribution/docker/Dockerfile-envoy +++ b/distribution/docker/Dockerfile-envoy @@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \ # STAGE: envoy-distroless -FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:fa7b50f111719aaf5f7435383b6d05f12277f3ce9514bc0a62759374a04d6bae AS envoy-distroless +FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:9a1c8b2ff7412ea80ca8c531eb7542e0e7766c8cf79489a8f0f31f0aa341c0fe AS envoy-distroless EXPOSE 10000 ENTRYPOINT ["/usr/local/bin/envoy"] CMD ["-c", "/etc/envoy/envoy.yaml"] From d8d228ca19ad0f7c0bbc943b59fe0dea636d2735 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 16:19:31 +0200 Subject: [PATCH 169/505] dns: deprecate flag prefer_ipv6_dns_on_macos and remove legacy code paths (#40549) ## Description This PR removes the deprecated reloadable flag `prefer_ipv6_dns_on_macos` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39123 --- **Commit Message:** router: deprecate flag prefer_ipv6_dns_on_macos and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `prefer_ipv6_dns_on_macos` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../network/dns_resolver/apple/apple_dns_impl.cc | 13 ++++--------- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index c379fa445b74e..3f7a472d6d0f8 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -26,6 +26,9 @@ removed_config_or_runtime: - area: router change: | Removed runtime guard ``envoy.reloadable_features.shadow_policy_inherit_trace_sampling`` and legacy code paths. +- area: dns + change: | + Removed runtime guard ``envoy.reloadable_features.prefer_ipv6_dns_on_macos`` and legacy code paths. - area: dynamic_forward_proxy change: | Removed runtime guard ``envoy.reloadable_features.avoid_dfp_cluster_removal_on_cds_update`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 5ade45ecc4e54..dcb2f4b59a25f 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -66,7 +66,6 @@ RUNTIME_GUARD(envoy_reloadable_features_oauth2_cleanup_cookies); RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); -RUNTIME_GUARD(envoy_reloadable_features_prefer_ipv6_dns_on_macos); RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_miss); RUNTIME_GUARD(envoy_reloadable_features_proxy_ssl_port); RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags); diff --git a/source/extensions/network/dns_resolver/apple/apple_dns_impl.cc b/source/extensions/network/dns_resolver/apple/apple_dns_impl.cc index 36f70e778a7bb..b98ff078b713c 100644 --- a/source/extensions/network/dns_resolver/apple/apple_dns_impl.cc +++ b/source/extensions/network/dns_resolver/apple/apple_dns_impl.cc @@ -230,15 +230,10 @@ std::list& AppleDnsResolverImpl::PendingResolution::finalAddressLis pending_response_.all_responses_.insert(pending_response_.all_responses_.end(), pending_response_.v4_responses_.begin(), pending_response_.v4_responses_.end()); - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.prefer_ipv6_dns_on_macos")) { - pending_response_.all_responses_.insert(pending_response_.all_responses_.end(), - pending_response_.v6_responses_.begin(), - pending_response_.v6_responses_.end()); - } else { - pending_response_.all_responses_.insert(pending_response_.all_responses_.begin(), - pending_response_.v6_responses_.begin(), - pending_response_.v6_responses_.end()); - } + // Prefer IPv6 addresses by inserting them at the beginning of the response list + pending_response_.all_responses_.insert(pending_response_.all_responses_.begin(), + pending_response_.v6_responses_.begin(), + pending_response_.v6_responses_.end()); return pending_response_.all_responses_; } IS_ENVOY_BUG("unexpected DnsLookupFamily enum"); From be542085935b009cc495e58f5917bb751ebda29e Mon Sep 17 00:00:00 2001 From: Ricardo Date: Tue, 5 Aug 2025 10:20:25 -0400 Subject: [PATCH 170/505] Update QUICHE from a157f7072 to 42832178b (#40570) https://github.com/google/quiche/compare/a157f7072..42832178b ``` $ git log a157f7072..42832178b --date=short --no-merges --format="%ad %al %s" 2025-08-01 martinduke Implement PUBLISH* message types in moqt. 2025-08-01 asedeno Renumber CONNECT-IP Capsules to match RFC 9484. 2025-08-01 quiche-dev Add new validation policy rejecting chunked requests framed with anything other than CRLFCRLF 2025-07-31 quiche-dev Add `QuicheCodeCounter` to help size the impact of b/433557986 2025-07-30 vasilvv Ignore invalid values in WT-Protocol header rather than rejecting them. 2025-07-29 martinduke Eliminate Track Alias negotiation in MoQT, per draft-12. 2025-07-29 martinduke Allow MoQT AUTHORIZATION_TOKEN parameters in CLIENT_SETUP to exceed the max cache size. 2025-07-29 martinduke Deprecate quic_heapless_key_derivation. 2025-07-29 vasilvv Plumb OBJECT_ACK time scale into the bitrate adjuster. 2025-07-28 birenroy Enabling rolled out flags. 2025-07-28 martinduke Fix asan error in moqt_session_test. 2025-07-25 quiche-dev Deprecate --gfe2_restart_flag_js_friendly_authenticated_request_headers 2025-07-25 dmcardle Delete unused rto_count QUIC statistic 2025-07-24 quiche-dev Add some Java/Kotlin targets for various ppn protos 2025-07-24 quiche-dev Add some test data helpers for BlindSignAuth 2025-07-23 elburrito BlindSignAuth: Remove `UnpackTo` usage in tests ``` Risk Level: Low Testing: Existing tests pass Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Rickyp --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index fe1d046270ad8..2856f7a1588dc 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1276,12 +1276,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "a157f7072c266d79938bc3c5d24631749e98db68", - sha256 = "88414c5d8ab2e6e20aaf2c7f7054033f494f9681f2894547e34aadb6a39d8404", + version = "42832178b3b6ae20f0d1c9634c040c528614f45f", + sha256 = "ff03fab32698f0536713592ecdcfefea115e184814040c140b5d1bdf4b25b07b", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-07-22", + release_date = "2025-08-01", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", From c3ee6b3b83b2b856570f95e8c65d5f0bc15bd84f Mon Sep 17 00:00:00 2001 From: Raven Black Date: Tue, 5 Aug 2025 07:32:35 -0700 Subject: [PATCH 171/505] Fix mismatched mock methods for Aws::Signer (#40575) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit Message: Fix mismatched mock method for Aws::Signer Additional Description: This should remove 18 instances of this noise from the gcc compile output: ``` INFO: From Compiling test/extensions/common/aws/mocks.cc: In file included from ./source/extensions/common/aws/signers/iam_roles_anywhere_sigv4_signer_impl.h:3, from ./test/extensions/common/aws/mocks.h:12, from test/extensions/common/aws/mocks.cc:1: ./source/extensions/common/aws/iam_roles_anywhere_signer_base_impl.h:60:16: warning: ‘virtual absl::lts_20250512::Status Envoy::Extensions::Common::Aws::IAMRolesAnywhereSignerBaseImpl::sign(Envoy::Http::RequestHeaderMap&, const std::string&, absl::lts_20250512::string_view)’ was hidden [-Woverloaded-virtual=] 60 | absl::Status sign(Http::RequestHeaderMap& headers, const std::string& content_hash, | ^~~~ In file included from external/com_google_googletest/googlemock/include/gmock/gmock-actions.h:148, from external/com_google_googletest/googlemock/include/gmock/gmock.h:56, from ./test/extensions/common/aws/mocks.h:15: ./test/extensions/common/aws/mocks.h:194:29: note: by ‘virtual testing::internal::Function&, bool, std::basic_string_view)>::Result Envoy::Extensions::Common::Aws::MockIAMRolesAnywhereSigV4Signer::sign(testing::internal::ElemFromList<0, Envoy::Http::Message&, bool, std::basic_string_view > >::type, testing::internal::ElemFromList<1, Envoy::Http::Message&, bool, std::basic_string_view > >::type, testing::internal::ElemFromList<2, Envoy::Http::Message&, bool, std::basic_string_view > >::type)’ 194 | MOCK_METHOD(absl::Status, sign, | ^~~~ ``` Risk Level: None. Testing: Test-only. Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Raven Black --- test/extensions/common/aws/mocks.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/test/extensions/common/aws/mocks.h b/test/extensions/common/aws/mocks.h index ec11ec1288fc9..d8cec3e088d1f 100644 --- a/test/extensions/common/aws/mocks.h +++ b/test/extensions/common/aws/mocks.h @@ -49,10 +49,12 @@ class MockSigner : public Signer { MockSigner(); ~MockSigner() override; - MOCK_METHOD(absl::Status, sign, (Http::RequestMessage&, bool, absl::string_view)); - MOCK_METHOD(absl::Status, sign, (Http::RequestHeaderMap&, const std::string&, absl::string_view)); - MOCK_METHOD(absl::Status, signEmptyPayload, (Http::RequestHeaderMap&, absl::string_view)); - MOCK_METHOD(absl::Status, signUnsignedPayload, (Http::RequestHeaderMap&, absl::string_view)); + MOCK_METHOD(absl::Status, sign, (Http::RequestMessage&, bool, const absl::string_view)); + MOCK_METHOD(absl::Status, sign, + (Http::RequestHeaderMap&, const std::string&, const absl::string_view)); + MOCK_METHOD(absl::Status, signEmptyPayload, (Http::RequestHeaderMap&, const absl::string_view)); + MOCK_METHOD(absl::Status, signUnsignedPayload, + (Http::RequestHeaderMap&, const absl::string_view)); MOCK_METHOD(bool, addCallbackIfCredentialsPending, (CredentialsPendingCallback&&)); }; @@ -194,6 +196,8 @@ class MockIAMRolesAnywhereSigV4Signer : public IAMRolesAnywhereSigV4Signer { MOCK_METHOD(absl::Status, sign, (Http::RequestMessage & message, bool sign_body, const absl::string_view override_region)); + MOCK_METHOD(absl::Status, sign, + (Http::RequestHeaderMap&, const std::string&, const absl::string_view)); private: MOCK_METHOD(std::string, createCredentialScope, From 0bb61cf19fa257d5be29083c65ba502da20b4849 Mon Sep 17 00:00:00 2001 From: Greg Greenway Date: Tue, 5 Aug 2025 07:33:02 -0700 Subject: [PATCH 172/505] quic-lb: add support for base64 encoded server_id (#40400) Signed-off-by: Greg Greenway --- .../quic_lb/v3/quic_lb.proto | 9 +++++- changelogs/current.yaml | 5 +++ .../connection_id_generator/quic_lb/BUILD | 1 + .../quic_lb/quic_lb.cc | 5 +++ .../quic_lb/quic_lb_test.cc | 32 +++++++++++++++++++ 5 files changed, 51 insertions(+), 1 deletion(-) diff --git a/api/envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto b/api/envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto index 446ff959d08e8..0b89583969138 100644 --- a/api/envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto +++ b/api/envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto @@ -31,7 +31,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // // This is still a work in progress. Performance is expected to be poor. Interoperability testing // has not yet been performed. -// [#next-free-field: 6] +// [#next-free-field: 7] message Config { option (xds.annotations.v3.message_status).work_in_progress = true; @@ -45,6 +45,13 @@ message Config { // See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-server-id-allocation. config.core.v3.DataSource server_id = 2 [(validate.rules).message = {required: true}]; + // If true, indicates that the :ref:`server_id + // ` is base64 encoded. + // + // This can be useful if the ID may contain binary data and must be transmitted as a string, for example in + // an environment variable. + bool server_id_base64_encoded = 6; + // Optional validation of the expected server ID length. If this is non-zero and the value in ``server_id`` // does not have a matching length, a configuration error is generated. This can be useful for validating // that the server ID is valid. diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 3f7a472d6d0f8..75a7d76c08f6d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -67,6 +67,11 @@ removed_config_or_runtime: Removed runtime guard ``envoy.reloadable_features.proxy_104`` and legacy code paths. new_features: +- area: quic + change: | + Added new option to support :ref:`base64 encoded server ID + ` + in QUIC-LB. - area: health_check change: | Added support for request payloads in HTTP health checks. The ``send`` field in ``HttpHealthCheck`` can now be diff --git a/source/extensions/quic/connection_id_generator/quic_lb/BUILD b/source/extensions/quic/connection_id_generator/quic_lb/BUILD index b5ee28656d9bd..0c185fedefa51 100644 --- a/source/extensions/quic/connection_id_generator/quic_lb/BUILD +++ b/source/extensions/quic/connection_id_generator/quic_lb/BUILD @@ -19,6 +19,7 @@ envoy_cc_library( srcs = envoy_select_enable_http3(["quic_lb.cc"]), hdrs = envoy_select_enable_http3(["quic_lb.h"]), deps = envoy_select_enable_http3([ + "//source/common/common:base64_lib", "//source/common/config:datasource_lib", "//source/common/quic:envoy_quic_connection_id_generator_factory_interface", "//source/common/quic:envoy_quic_utils_lib", diff --git a/source/extensions/quic/connection_id_generator/quic_lb/quic_lb.cc b/source/extensions/quic/connection_id_generator/quic_lb/quic_lb.cc index 7cdff55e7cd19..f9dc0949eeaa4 100644 --- a/source/extensions/quic/connection_id_generator/quic_lb/quic_lb.cc +++ b/source/extensions/quic/connection_id_generator/quic_lb/quic_lb.cc @@ -2,6 +2,7 @@ #include "envoy/server/transport_socket_config.h" +#include "source/common/common/base64.h" #include "source/common/config/datasource.h" #include "source/common/network/socket_option_impl.h" #include "source/common/quic/envoy_quic_utils.h" @@ -209,6 +210,10 @@ Factory::create(const envoy::extensions::quic::connection_id_generator::quic_lb: std::string server_id = server_id_or_result.value(); + if (config.server_id_base64_encoded()) { + server_id = Base64::decodeWithoutPadding(server_id); + } + if (config.expected_server_id_length() > 0 && config.expected_server_id_length() != server_id.size()) { return absl::InvalidArgumentError( diff --git a/test/extensions/quic/connection_id_generator/quic_lb/quic_lb_test.cc b/test/extensions/quic/connection_id_generator/quic_lb/quic_lb_test.cc index c5a980f0e6f20..106a49743442a 100644 --- a/test/extensions/quic/connection_id_generator/quic_lb/quic_lb_test.cc +++ b/test/extensions/quic/connection_id_generator/quic_lb/quic_lb_test.cc @@ -189,6 +189,38 @@ TEST(QuicLbTest, Unencrypted) { absl::Span(expected, sizeof(expected))); } +TEST(QuicLbTest, Base64ServerId) { + constexpr absl::string_view id_data_base64 = "dGVzdHRlc3Q="; + constexpr absl::string_view id_data = "testtest"; + + envoy::extensions::quic::connection_id_generator::quic_lb::v3::Config cfg; + cfg.set_unsafe_unencrypted_testing_mode(true); + cfg.mutable_server_id()->set_inline_string(id_data_base64); + cfg.set_server_id_base64_encoded(true); + cfg.set_expected_server_id_length(id_data.length()); + cfg.set_nonce_length_bytes(8); + cfg.mutable_encryption_parameters()->set_name(kSecretName); + + testing::NiceMock factory_context; + + auto status = factory_context.server_factory_context_.secretManager().addStaticSecret( + encryptionParamaters(0)); + absl::StatusOr> factory_or_status = + Factory::create(cfg, factory_context); + auto generator = createTypedIdGenerator(*factory_or_status.value()); + auto new_cid = generator->GenerateNextConnectionId(quic::QuicConnectionId{}); + EXPECT_TRUE(new_cid.has_value()); + uint8_t expected[1 + id_data.size()]; + expected[0] = 16; // Configured length of encoded portion of CID. Zero version means the high bits + // are all unset. + memcpy(expected + 1, id_data.data(), id_data.size()); + ASSERT_GT(new_cid->length(), sizeof(expected)); + + // First bytes should be the version followed by unencrypted server ID. + EXPECT_EQ(absl::Span(reinterpret_cast(new_cid->data()), sizeof(expected)), + absl::Span(expected, sizeof(expected))); +} + TEST(QuicLbTest, TooLong) { uint8_t id_data[] = {0xab, 0xcd, 0xef, 0x12, 0x34, 0x56}; envoy::extensions::quic::connection_id_generator::quic_lb::v3::Config cfg; From 506fe86f569f041f676ed3aa8435d8d5e896d0b9 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 18:49:09 +0200 Subject: [PATCH 173/505] proxy_filter: deprecate flag proxy_ssl_port and remove legacy code paths (#40550) --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../transport_sockets/http_11_proxy/connect.cc | 13 ++++--------- .../transport_sockets/http_11_proxy/connect_test.cc | 8 -------- 4 files changed, 7 insertions(+), 18 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 75a7d76c08f6d..19cfba637ab51 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -50,6 +50,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: proxy_filter + change: | + Removed runtime guard ``envoy.reloadable_features.proxy_ssl_port`` and legacy code paths. - area: gcp_authn change: | Removed runtime guard ``envoy.reloadable_features.gcp_authn_use_fixed_url`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index dcb2f4b59a25f..243db3cb47d13 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -67,7 +67,6 @@ RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_miss); -RUNTIME_GUARD(envoy_reloadable_features_proxy_ssl_port); RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags); RUNTIME_GUARD(envoy_reloadable_features_quic_defer_logging_to_ack_listener); RUNTIME_GUARD(envoy_reloadable_features_quic_fix_defer_logging_miss_for_half_closed_stream); diff --git a/source/extensions/transport_sockets/http_11_proxy/connect.cc b/source/extensions/transport_sockets/http_11_proxy/connect.cc index 69bd12ba02e98..9fc84f678bd7c 100644 --- a/source/extensions/transport_sockets/http_11_proxy/connect.cc +++ b/source/extensions/transport_sockets/http_11_proxy/connect.cc @@ -38,15 +38,10 @@ UpstreamHttp11ConnectSocket::UpstreamHttp11ConnectSocket( // options, we want to maintain the original behavior of this transport socket. if (options_ && options_->http11ProxyInfo()) { if (transport_socket_->ssl()) { - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.proxy_ssl_port")) { - header_buffer_.add(absl::StrCat( - "CONNECT ", options_->http11ProxyInfo()->hostname, - Http::HeaderUtility::hostHasPort(options_->http11ProxyInfo()->hostname) ? "" : ":443", - " HTTP/1.1\r\n\r\n")); - } else { - header_buffer_.add(absl::StrCat("CONNECT ", options_->http11ProxyInfo()->hostname, - ":443 HTTP/1.1\r\n\r\n")); - } + header_buffer_.add(absl::StrCat( + "CONNECT ", options_->http11ProxyInfo()->hostname, + Http::HeaderUtility::hostHasPort(options_->http11ProxyInfo()->hostname) ? "" : ":443", + " HTTP/1.1\r\n\r\n")); need_to_strip_connect_response_ = true; } return; diff --git a/test/extensions/transport_sockets/http_11_proxy/connect_test.cc b/test/extensions/transport_sockets/http_11_proxy/connect_test.cc index e6b9c3a1aefc4..eeb97a54aaade 100644 --- a/test/extensions/transport_sockets/http_11_proxy/connect_test.cc +++ b/test/extensions/transport_sockets/http_11_proxy/connect_test.cc @@ -153,14 +153,6 @@ TEST_P(Http11ConnectTest, HostWithPort) { injectHeaderOnceTest(); } -TEST_P(Http11ConnectTest, ProxySslPortRuntimeGuardDisabled) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.proxy_ssl_port", "false"}}); - - initialize(); - injectHeaderOnceTest(); -} - // Test injects CONNECT only once. Configured via endpoint metadata. TEST_P(Http11ConnectTest, InjectsHeaderOnlyOnceEndpointMetadata) { initializeWithMetadataProxyAddr(); From 86dbda9d7dd3532cb80f4bb7d703665b2b8998d8 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 19:27:57 +0200 Subject: [PATCH 174/505] jwt_authn: deprecate flag jwt_authn_validate_uri and remove legacy code paths (#40586) Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../filters/http/jwt_authn/filter_config.cc | 18 ++++++++--------- .../http/jwt_authn/filter_config_test.cc | 20 ------------------- 4 files changed, 11 insertions(+), 31 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 19cfba637ab51..cd52d6770c4e9 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -59,6 +59,9 @@ removed_config_or_runtime: - area: jwt_authn change: | Removed runtime guard ``envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params`` and legacy code paths. +- area: jwt_authn + change: | + Removed runtime guard ``envoy.reloadable_features.jwt_authn_validate_uri`` and legacy code paths. - area: dispatcher change: | Removed runtime guard ``envoy.restart_features.fix_dispatcher_approximate_now`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 243db3cb47d13..22d1854c425ca 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -56,7 +56,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_trailers); // Delay deprecation and decommission until UHV is enabled. RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); -RUNTIME_GUARD(envoy_reloadable_features_jwt_authn_validate_uri); RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); RUNTIME_GUARD(envoy_reloadable_features_local_reply_traverses_filter_chain_after_1xx); RUNTIME_GUARD(envoy_reloadable_features_mmdb_files_reload_enabled); diff --git a/source/extensions/filters/http/jwt_authn/filter_config.cc b/source/extensions/filters/http/jwt_authn/filter_config.cc index 2a1a733b4caf8..84f873cd31e55 100644 --- a/source/extensions/filters/http/jwt_authn/filter_config.cc +++ b/source/extensions/filters/http/jwt_authn/filter_config.cc @@ -28,16 +28,14 @@ FilterConfigImpl::FilterConfigImpl( // Validate provider URIs. // Note that the PGV well-known regex for URI is not implemented in C++, otherwise we could add a // PGV rule instead of doing this check manually. - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.jwt_authn_validate_uri")) { - for (const auto& provider_pair : proto_config_.providers()) { - const auto provider_value = std::get<1>(provider_pair); - if (provider_value.has_remote_jwks()) { - absl::string_view provider_uri = provider_value.remote_jwks().http_uri().uri(); - Http::Utility::Url url; - if (!url.initialize(provider_uri, /*is_connect=*/false)) { - throw EnvoyException(fmt::format("Provider '{}' has an invalid URI: '{}'", - std::get<0>(provider_pair), provider_uri)); - } + for (const auto& provider_pair : proto_config_.providers()) { + const auto provider_value = std::get<1>(provider_pair); + if (provider_value.has_remote_jwks()) { + absl::string_view provider_uri = provider_value.remote_jwks().http_uri().uri(); + Http::Utility::Url url; + if (!url.initialize(provider_uri, /*is_connect=*/false)) { + throw EnvoyException(fmt::format("Provider '{}' has an invalid URI: '{}'", + std::get<0>(provider_pair), provider_uri)); } } } diff --git a/test/extensions/filters/http/jwt_authn/filter_config_test.cc b/test/extensions/filters/http/jwt_authn/filter_config_test.cc index 0d9e703c49d66..e4c52c39690cf 100644 --- a/test/extensions/filters/http/jwt_authn/filter_config_test.cc +++ b/test/extensions/filters/http/jwt_authn/filter_config_test.cc @@ -340,26 +340,6 @@ TEST(HttpJwtAuthnFilterConfigTest, RemoteJwksInvalidUri) { HasSubstr("invalid URI")); } -TEST(HttpJwtAuthnFilterConfigTest, RemoteJwksInvalidUriValidationDisabled) { - // Disabling this runtime feature should allow invalid URIs. - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.jwt_authn_validate_uri", "false"}}); - const char config[] = R"( -providers: - provider1: - issuer: issuer1 - remote_jwks: - http_uri: - uri: http://www.not\nvalid.com -)"; - - JwtAuthentication proto_config; - TestUtility::loadFromYaml(config, proto_config); - - NiceMock context; - EXPECT_NO_THROW(FilterConfigImpl(proto_config, "", context)); -} - TEST(HttpJwtAuthnFilterConfigTest, RemoteJwksValidUri) { // Valid URI should not fail config validation. const char config[] = R"( From e9aa0a4a94ffe0e46a68d7c83f38cb5c4d668b76 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 21:32:34 +0200 Subject: [PATCH 175/505] dns_resolver: deprecate flag getaddrinfo_num_retries and remove legacy code paths (#40547) --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc | 3 +-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index cd52d6770c4e9..7b33e8ea8936f 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -50,6 +50,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: dns_resolver + change: | + Removed runtime guard ``envoy.reloadable_features.getaddrinfo_num_retries`` and legacy code paths. - area: proxy_filter change: | Removed runtime guard ``envoy.reloadable_features.proxy_ssl_port`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 22d1854c425ca..854f27084f440 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -43,7 +43,6 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); -RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_num_retries); RUNTIME_GUARD(envoy_reloadable_features_grpc_side_stream_flow_control); RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_allow_cr_or_lf_at_request_start); RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_delay_reset); diff --git a/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc b/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc index 4cad7867adc9c..fa2308f6d800d 100644 --- a/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc +++ b/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc @@ -61,8 +61,7 @@ ActiveDnsQuery* GetAddrInfoDnsResolver::resolve(const std::string& dns_name, ActiveDnsQuery* active_query = new_query.get(); { absl::MutexLock guard(&mutex_); - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.getaddrinfo_num_retries") && - config_.has_num_retries()) { + if (config_.has_num_retries()) { // + 1 to include the initial query. pending_queries_.push_back({std::move(new_query), config_.num_retries().value() + 1}); } else { From 452399a56c978d83d7bd1e8f99c98cf72fa3a500 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 5 Aug 2025 22:27:37 +0200 Subject: [PATCH 176/505] network: deprecate flag udp_socket_apply_aggregated_read_limit and remove legacy code paths (#40591) ## Description This PR removes the deprecated reloadable flag `udp_socket_apply_aggregated_read_limit` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/38054 --- **Commit Message:** router: deprecate flag udp_socket_apply_aggregated_read_limit and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `udp_socket_apply_aggregated_read_limit` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 ++ source/common/network/utility.cc | 37 ++++------------ source/common/runtime/runtime_features.cc | 1 - test/common/network/udp_listener_impl_test.cc | 43 ++----------------- .../udp_proxy/udp_proxy_integration_test.cc | 24 ----------- 5 files changed, 15 insertions(+), 93 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 7b33e8ea8936f..65d03b41dc06c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -47,6 +47,9 @@ removed_config_or_runtime: - area: udp_proxy change: | Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. +- area: network + change: | + Removed runtime guard ``envoy.reloadable_features.udp_socket_apply_aggregated_read_limit`` and legacy code paths. - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc index 5abbda13d11d2..f7913adba3d58 100644 --- a/source/common/network/utility.cc +++ b/source/common/network/utility.cc @@ -780,35 +780,16 @@ Api::IoErrorPtr Utility::readPacketsFromSocket(IoHandle& handle, // this goes over MAX_NUM_PACKETS_PER_EVENT_LOOP. size_t num_packets_to_read = std::min( MAX_NUM_PACKETS_PER_EVENT_LOOP, udp_packet_processor.numPacketsExpectedPerEventLoop()); - const bool apply_read_limit_differently = Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.udp_socket_apply_aggregated_read_limit"); - size_t num_reads; - if (apply_read_limit_differently) { - // Call socket read at least once and at most num_packets_read to avoid infinite loop. - num_reads = std::max(1, num_packets_to_read); - } else { - switch (recv_msg_method) { - case UdpRecvMsgMethod::RecvMsgWithGro: - num_reads = (num_packets_to_read / NUM_DATAGRAMS_PER_RECEIVE); - break; - case UdpRecvMsgMethod::RecvMmsg: - num_reads = (num_packets_to_read / NUM_DATAGRAMS_PER_RECEIVE); - break; - case UdpRecvMsgMethod::RecvMsg: - num_reads = num_packets_to_read; - break; - } - // Make sure to read at least once. - num_reads = std::max(1, num_reads); - } + // Call socket read at least once and at most num_packets_read to avoid infinite loop. + size_t num_reads = std::max(1, num_packets_to_read); do { const uint32_t old_packets_dropped = packets_dropped; uint32_t num_packets_processed = 0; const MonotonicTime receive_time = time_source.monotonicTime(); - Api::IoCallUint64Result result = Utility::readFromSocket( - handle, local_address, udp_packet_processor, receive_time, recv_msg_method, - &packets_dropped, apply_read_limit_differently ? &num_packets_processed : nullptr); + Api::IoCallUint64Result result = + Utility::readFromSocket(handle, local_address, udp_packet_processor, receive_time, + recv_msg_method, &packets_dropped, &num_packets_processed); if (!result.ok()) { // No more to read or encountered a system error. @@ -831,12 +812,10 @@ Api::IoErrorPtr Utility::readPacketsFromSocket(IoHandle& handle, delta); udp_packet_processor.onDatagramsDropped(delta); } - if (apply_read_limit_differently) { - if (num_packets_to_read <= num_packets_processed) { - return std::move(result.err_); - } - num_packets_to_read -= num_packets_processed; + if (num_packets_to_read <= num_packets_processed) { + return std::move(result.err_); } + num_packets_to_read -= num_packets_processed; --num_reads; if (num_reads == 0) { return std::move(result.err_); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 854f27084f440..cd532468a9ba7 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -84,7 +84,6 @@ RUNTIME_GUARD(envoy_reloadable_features_streaming_shadow); RUNTIME_GUARD(envoy_reloadable_features_tcp_proxy_retry_on_different_event_loop); RUNTIME_GUARD(envoy_reloadable_features_test_feature_true); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); -RUNTIME_GUARD(envoy_reloadable_features_udp_socket_apply_aggregated_read_limit); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); RUNTIME_GUARD(envoy_reloadable_features_use_filter_manager_state_for_downstream_end_stream); diff --git a/test/common/network/udp_listener_impl_test.cc b/test/common/network/udp_listener_impl_test.cc index 196afc332e629..1c3d83d5ae7f8 100644 --- a/test/common/network/udp_listener_impl_test.cc +++ b/test/common/network/udp_listener_impl_test.cc @@ -238,33 +238,6 @@ TEST_P(UdpListenerImplTest, LimitNumberOfReadsPerLoop) { dispatcher_->run(Event::Dispatcher::RunType::Block); } -#ifdef UDP_GRO -TEST_P(UdpListenerImplTest, GroLargeDatagramRecvmsg) { - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.udp_socket_apply_aggregated_read_limit")) { - return; - } - setup(true); - - ON_CALL(override_syscall_, supportsUdpGro()).WillByDefault(Return(true)); - client_.write(std::string(32768, 'a'), *send_to_addr_); - const std::string second("second"); - client_.write(second, *send_to_addr_); - - EXPECT_CALL(listener_callbacks_, onReadReady()); - EXPECT_CALL(listener_callbacks_, onDatagramsDropped(_)).Times(AtLeast(1)); - EXPECT_CALL(listener_callbacks_, onData(_)).WillOnce(Invoke([&](const UdpRecvData& data) -> void { - validateRecvCallbackParams(data, 1); - EXPECT_EQ(data.buffer_->toString(), second); - - dispatcher_->exit(); - })); - - dispatcher_->run(Event::Dispatcher::RunType::Block); - EXPECT_EQ(1, listener_->packetsDropped()); -} -#endif - /** * Tests UDP listener for read and write callbacks with actual data. */ @@ -667,10 +640,8 @@ TEST_P(UdpListenerImplTest, UdpGroBasic) { // Set msg_iovec EXPECT_EQ(msg->msg_iovlen, 1); memcpy(msg->msg_iov[0].iov_base, stacked_message.data(), stacked_message.length()); - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.udp_socket_apply_aggregated_read_limit")) { - EXPECT_EQ(msg->msg_iov[0].iov_len, 64 * 1024); - } + // The aggregated read limit is now always applied. + EXPECT_EQ(msg->msg_iov[0].iov_len, 64 * 1024); msg->msg_iov[0].iov_len = stacked_message.length(); // Set control headers @@ -738,10 +709,7 @@ TEST_P(UdpListenerImplTest, UdpGroBasic) { } TEST_P(UdpListenerImplTest, GroLargeDatagramRecvmsgNoDrop) { - if (!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.udp_socket_apply_aggregated_read_limit")) { - return; - } + // The aggregated read limit is now always applied. setup(true); ON_CALL(override_syscall_, supportsUdpGro()).WillByDefault(Return(true)); @@ -771,10 +739,7 @@ TEST_P(UdpListenerImplTest, GroLargeDatagramRecvmsgNoDrop) { // of same size, regardless of MAX_NUM_PACKETS_PER_EVENT_LOOP or listener_callbacks_ provided limit. // But once MAX_NUM_PACKETS_PER_EVENT_LOOP of packets are processed, read will stop. TEST_P(UdpListenerImplTest, UdpGroReadLimit) { - if (!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.udp_socket_apply_aggregated_read_limit")) { - return; - } + // The aggregated read limit is now always applied. setup(true); EXPECT_CALL(listener_callbacks_, numPacketsExpectedPerEventLoop()).WillRepeatedly(Return(32)); diff --git a/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc b/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc index 71e85456e17fb..205a9ac6e8b5c 100644 --- a/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc +++ b/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc @@ -338,30 +338,6 @@ TEST_P(UdpProxyIntegrationTest, DownstreamDrop) { } } -// Verify upstream drops are handled correctly with stats. -TEST_P(UdpProxyIntegrationTest, UpstreamDrop) { - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.udp_socket_apply_aggregated_read_limit")) { - return; - } - setup(1); - const uint32_t port = lookupPort("listener_0"); - const auto listener_address = *Network::Utility::resolveUrl( - fmt::format("tcp://{}:{}", Network::Test::getLoopbackAddressUrlString(version_), port)); - Network::Test::UdpSyncPeer client(version_); - - client.write("hello", *listener_address); - Network::UdpRecvData request_datagram; - ASSERT_TRUE(fake_upstreams_[0]->waitForUdpDatagram(request_datagram)); - EXPECT_EQ("hello", request_datagram.buffer_->toString()); - - const uint64_t large_datagram_size = - (Network::DEFAULT_UDP_MAX_DATAGRAM_SIZE * Network::NUM_DATAGRAMS_PER_RECEIVE) + 1024; - fake_upstreams_[0]->sendUdpDatagram(std::string(large_datagram_size, 'a'), - request_datagram.addresses_.peer_); - test_server_->waitForCounterEq("cluster.cluster_0.udp.sess_rx_datagrams_dropped", 1); -} - // Test with large packet sizes. TEST_P(UdpProxyIntegrationTest, LargePacketSizesOnLoopback) { // The following tests large packets end to end. We use a size larger than From 413c63f1f6dcb508693942f451135de210edd43f Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 6 Aug 2025 00:25:18 +0200 Subject: [PATCH 177/505] http: deprecate flag allow_alt_svc_for_ips and remove legacy code paths (#40594) ## Description This PR removes the deprecated reloadable flag `allow_alt_svc_for_ips` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39111 --- **Commit Message:** router: deprecate flag allow_alt_svc_for_ips and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `allow_alt_svc_for_ips` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/http/conn_pool_grid.cc | 3 +-- source/common/runtime/runtime_features.cc | 1 - 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 65d03b41dc06c..f2602532cefed 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -50,6 +50,9 @@ removed_config_or_runtime: - area: network change: | Removed runtime guard ``envoy.reloadable_features.udp_socket_apply_aggregated_read_limit`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.allow_alt_svc_for_ips`` and legacy code paths. - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. diff --git a/source/common/http/conn_pool_grid.cc b/source/common/http/conn_pool_grid.cc index 6b2dfe93fd4d9..efd45066c9068 100644 --- a/source/common/http/conn_pool_grid.cc +++ b/source/common/http/conn_pool_grid.cc @@ -33,8 +33,7 @@ std::string getTargetHostname(const Network::TransportSocketOptionsConstSharedPt } std::string default_sni = std::string(host->transportSocketFactory().defaultServerNameIndication()); - if (!default_sni.empty() || - !Runtime::runtimeFeatureEnabled("envoy.reloadable_features.allow_alt_svc_for_ips")) { + if (!default_sni.empty()) { return default_sni; } // If there's no configured SNI the hostname is probably an IP address. Return it here. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index cd532468a9ba7..99e11d6e7563c 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -34,7 +34,6 @@ // If issues are found that require a runtime feature to be disabled, it should be reported // ASAP by filing a bug on github. Overriding non-buggy code is strongly discouraged to avoid the // problem of the bugs being found after the old code path has been removed. -RUNTIME_GUARD(envoy_reloadable_features_allow_alt_svc_for_ips); RUNTIME_GUARD(envoy_reloadable_features_async_host_selection); RUNTIME_GUARD(envoy_reloadable_features_dfp_cluster_resolves_hosts); RUNTIME_GUARD(envoy_reloadable_features_disallow_quic_client_udp_mmsg); From 003c182a374cd44391f1b31a828294a5f6dd540a Mon Sep 17 00:00:00 2001 From: Gustavo Meira Date: Wed, 6 Aug 2025 12:47:14 +0100 Subject: [PATCH 178/505] Merging implementations of Strict and Logical DNS (#38483) The main idea here is tackling #37145 (which is a follow up from #36353). This approach simplifies the code merging the two current implementation of DNS cluster (logical and strict) by removing unnecessary logical DNS, as it can be treated as a special case of strict DNS. According to the documentation: _When using **strict DNS** service discovery, Envoy will continuously and asynchronously resolve the specified DNS targets. Each returned IP address in the DNS result will be considered an explicit host in the upstream cluster. This means that if the query returns three IP addresses, Envoy will assume the cluster has three hosts, and all three should be load balanced to. If a host is removed from the result Envoy assumes it no longer exists and will drain traffic from any existing connection pools_ _**Logical DNS** uses a similar asynchronous resolution mechanism to strict DNS. However, instead of strictly taking the results of the DNS query and assuming that they comprise the entire upstream cluster, a logical DNS cluster only uses the first IP address returned when a new connection needs to be initiated. Thus, a single logical connection pool may contain physical connections to a variety of different upstream hosts. Connections are never drained, including on a successful DNS resolution that returns 0 hosts._ --------- Signed-off-by: Gustavo --- source/common/runtime/runtime_features.cc | 7 + .../common/upstream/cluster_factory_impl.cc | 13 + source/common/upstream/cluster_factory_impl.h | 4 + source/extensions/clusters/dns/BUILD | 4 + source/extensions/clusters/dns/dns_cluster.cc | 442 +++++++++++++++++- source/extensions/clusters/dns/dns_cluster.h | 93 ++++ .../logical_dns/logical_dns_cluster.cc | 23 +- .../logical_dns/logical_dns_cluster.h | 13 - .../clusters/strict_dns/strict_dns_cluster.cc | 22 - .../clusters/strict_dns/strict_dns_cluster.h | 15 - test/common/upstream/BUILD | 7 +- test/common/upstream/upstream_impl_test.cc | 208 ++++++--- test/exe/BUILD | 5 +- test/extensions/clusters/common/BUILD | 1 - test/extensions/clusters/logical_dns/BUILD | 2 +- .../logical_dns/logical_dns_cluster_test.cc | 204 +++++++- .../filters/http/aws_request_signing/BUILD | 2 +- .../aws_request_signing_integration_test.cc | 10 +- .../filters/http/dynamic_forward_proxy/BUILD | 4 +- test/extensions/filters/http/ext_authz/BUILD | 2 +- test/integration/BUILD | 8 +- test/integration/admin_html/BUILD | 2 +- test/server/BUILD | 2 +- test/server/config_validation/BUILD | 3 +- 24 files changed, 908 insertions(+), 188 deletions(-) diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 99e11d6e7563c..a57c7f5ef6ca0 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -162,6 +162,13 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_ext_proc_graceful_grpc_close); FALSE_RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_no_ai_flags); +// TODO(grnmeira): +// Enables the new DNS implementation, a merged implementation of +// strict and logical DNS clusters. This new implementation will +// take over the split ones, and will be used as a base for the +// implementation of on-demand DNS. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_new_dns_implementation); + // Block of non-boolean flags. Use of int flags is deprecated. Do not add more. ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT ABSL_FLAG(uint64_t, re2_max_program_size_warn_level, // NOLINT diff --git a/source/common/upstream/cluster_factory_impl.cc b/source/common/upstream/cluster_factory_impl.cc index 8c4d1e5fe5463..1abb78ad1c309 100644 --- a/source/common/upstream/cluster_factory_impl.cc +++ b/source/common/upstream/cluster_factory_impl.cc @@ -105,6 +105,19 @@ ClusterFactoryImplBase::selectDnsResolver(const envoy::config::cluster::v3::Clus return context.dnsResolver(); } +absl::StatusOr ClusterFactoryImplBase::selectDnsResolver( + const envoy::config::core::v3::TypedExtensionConfig& typed_dns_resolver_config, + ClusterFactoryContext& context) { + if (typed_dns_resolver_config.has_typed_config()) { + Network::DnsResolverFactory& dns_resolver_factory = + Network::createDnsResolverFactoryFromTypedConfig(typed_dns_resolver_config); + auto& server_context = context.serverFactoryContext(); + return dns_resolver_factory.createDnsResolver(server_context.mainThreadDispatcher(), + server_context.api(), typed_dns_resolver_config); + } + return context.dnsResolver(); +} + absl::StatusOr> ClusterFactoryImplBase::create(const envoy::config::cluster::v3::Cluster& cluster, ClusterFactoryContext& context) { diff --git a/source/common/upstream/cluster_factory_impl.h b/source/common/upstream/cluster_factory_impl.h index b4cd69ecadfbf..be21c1d08a2c6 100644 --- a/source/common/upstream/cluster_factory_impl.h +++ b/source/common/upstream/cluster_factory_impl.h @@ -111,6 +111,10 @@ class ClusterFactoryImplBase : public ClusterFactory { selectDnsResolver(const envoy::config::cluster::v3::Cluster& cluster, ClusterFactoryContext& context); + absl::StatusOr + selectDnsResolver(const envoy::config::core::v3::TypedExtensionConfig& typed_dns_resolver_config, + ClusterFactoryContext& context); + // Upstream::ClusterFactory absl::StatusOr> create(const envoy::config::cluster::v3::Cluster& cluster, diff --git a/source/extensions/clusters/dns/BUILD b/source/extensions/clusters/dns/BUILD index 29df85897b31a..7d48ddd400c14 100644 --- a/source/extensions/clusters/dns/BUILD +++ b/source/extensions/clusters/dns/BUILD @@ -14,8 +14,12 @@ envoy_cc_extension( hdrs = ["dns_cluster.h"], visibility = ["//visibility:public"], deps = [ + "//source/common/common:dns_utils_lib", + "//source/common/network/dns_resolver:dns_factory_util_lib", "//source/common/upstream:cluster_factory_includes", "//source/common/upstream:upstream_includes", + "//source/extensions/clusters/common:dns_cluster_backcompat_lib", + "//source/extensions/clusters/common:logical_host_lib", "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", diff --git a/source/extensions/clusters/dns/dns_cluster.cc b/source/extensions/clusters/dns/dns_cluster.cc index 7aa22aa3a4643..79410407f0b98 100644 --- a/source/extensions/clusters/dns/dns_cluster.cc +++ b/source/extensions/clusters/dns/dns_cluster.cc @@ -1,5 +1,10 @@ #include "source/extensions/clusters/dns/dns_cluster.h" +// The purpose of these two headers is purely for backward compatibility. +// Never create new dependencies to symbols declared in these headers! +#include "source/extensions/clusters/logical_dns/logical_dns_cluster.h" +#include "source/extensions/clusters/strict_dns/strict_dns_cluster.h" + #include #include "envoy/common/exception.h" @@ -8,10 +13,10 @@ #include "envoy/config/endpoint/v3/endpoint_components.pb.h" #include "envoy/extensions/clusters/dns/v3/dns_cluster.pb.h" +#include "source/common/common/dns_utils.h" #include "source/common/network/dns_resolver/dns_factory_util.h" #include "source/extensions/clusters/common/dns_cluster_backcompat.h" -#include "source/extensions/clusters/logical_dns/logical_dns_cluster.h" -#include "source/extensions/clusters/strict_dns/strict_dns_cluster.h" +#include "source/extensions/clusters/common/logical_host.h" namespace Envoy { namespace Upstream { @@ -21,21 +26,16 @@ DnsClusterFactory::createClusterWithConfig( const envoy::config::cluster::v3::Cluster& cluster, const envoy::extensions::clusters::dns::v3::DnsCluster& proto_config, Upstream::ClusterFactoryContext& context) { + auto dns_resolver_or_error = selectDnsResolver(proto_config.typed_dns_resolver_config(), context); - absl::StatusOr dns_resolver_or_error; - if (proto_config.has_typed_dns_resolver_config()) { - Network::DnsResolverFactory& dns_resolver_factory = - Network::createDnsResolverFactoryFromTypedConfig(proto_config.typed_dns_resolver_config()); - auto& server_context = context.serverFactoryContext(); - dns_resolver_or_error = dns_resolver_factory.createDnsResolver( - server_context.mainThreadDispatcher(), server_context.api(), - proto_config.typed_dns_resolver_config()); - } else { - dns_resolver_or_error = context.dnsResolver(); - } RETURN_IF_NOT_OK(dns_resolver_or_error.status()); + absl::StatusOr> cluster_or_error; - if (proto_config.all_addresses_in_single_endpoint()) { + + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + cluster_or_error = + DnsClusterImpl::create(cluster, proto_config, context, std::move(*dns_resolver_or_error)); + } else if (proto_config.all_addresses_in_single_endpoint()) { cluster_or_error = LogicalDnsCluster::create(cluster, proto_config, context, std::move(*dns_resolver_or_error)); } else { @@ -44,13 +44,421 @@ DnsClusterFactory::createClusterWithConfig( } RETURN_IF_NOT_OK(cluster_or_error.status()); - return std::make_pair(std::shared_ptr(std::move(*cluster_or_error)), nullptr); + return std::make_pair(ClusterImplBaseSharedPtr(std::move(*cluster_or_error)), nullptr); +} + +REGISTER_FACTORY(DnsClusterFactory, ClusterFactory); + +class LegacyDnsClusterFactory : public ClusterFactoryImplBase { +public: + LegacyDnsClusterFactory(const std::string& name, bool set_all_addresses_in_single_endpoint) + : ClusterFactoryImplBase(name), + set_all_addresses_in_single_endpoint_(set_all_addresses_in_single_endpoint) {} + virtual absl::StatusOr> + createClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, + ClusterFactoryContext& context) override { + absl::StatusOr dns_resolver_or_error = + selectDnsResolver(cluster, context); + RETURN_IF_NOT_OK(dns_resolver_or_error.status()); + + envoy::extensions::clusters::dns::v3::DnsCluster typed_config; + createDnsClusterFromLegacyFields(cluster, typed_config); + + typed_config.set_all_addresses_in_single_endpoint(set_all_addresses_in_single_endpoint_); + + absl::StatusOr> cluster_or_error; + + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + cluster_or_error = + DnsClusterImpl::create(cluster, typed_config, context, std::move(*dns_resolver_or_error)); + } else if (set_all_addresses_in_single_endpoint_) { + cluster_or_error = LogicalDnsCluster::create(cluster, typed_config, context, + std::move(*dns_resolver_or_error)); + } else { + cluster_or_error = StrictDnsClusterImpl::create(cluster, typed_config, context, + std::move(*dns_resolver_or_error)); + } + + RETURN_IF_NOT_OK(cluster_or_error.status()); + return std::make_pair(ClusterImplBaseSharedPtr(std::move(*cluster_or_error)), nullptr); + } + +private: + bool set_all_addresses_in_single_endpoint_{false}; +}; + +/** + * LogicalDNSFactory: making it back compatible with ClusterFactoryImplBase. + */ + +class LogicalDNSFactory : public LegacyDnsClusterFactory { +public: + LogicalDNSFactory() : LegacyDnsClusterFactory("envoy.cluster.logical_dns", true) {} +}; + +REGISTER_FACTORY(LogicalDNSFactory, ClusterFactory); + +/** + * StrictDNSFactory: making it back compatible with ClusterFactoryImplBase + */ + +class StrictDNSFactory : public LegacyDnsClusterFactory { +public: + StrictDNSFactory() : LegacyDnsClusterFactory("envoy.cluster.strict_dns", false) {} +}; + +REGISTER_FACTORY(StrictDNSFactory, ClusterFactory); + +envoy::config::endpoint::v3::ClusterLoadAssignment +DnsClusterImpl::extractAndProcessLoadAssignment(const envoy::config::cluster::v3::Cluster& cluster, + bool all_addresses_in_single_endpoint) { + // In Logical DNS we convert the priority set by the configuration back to zero. + // This helps ensure that we don't blow up later when using zone aware routing, + // as it only supports load assignments with priority 0. + // + // Since Logical DNS is limited to exactly one host declared per load_assignment + // (enforced in DnsClusterImpl::DnsClusterImpl), we can safely just rewrite the priority + // to zero. + if (all_addresses_in_single_endpoint) { + envoy::config::endpoint::v3::ClusterLoadAssignment converted; + converted.MergeFrom(cluster.load_assignment()); + for (auto& endpoint : *converted.mutable_endpoints()) { + endpoint.set_priority(0); + } + return converted; + } + + return cluster.load_assignment(); } /** - * Static registration for the dns cluster factory. @see RegisterFactory. + * DnsClusterImpl: implementation for both logical and strict DNS. */ -REGISTER_FACTORY(DnsClusterFactory, Upstream::ClusterFactory); + +absl::StatusOr> +DnsClusterImpl::create(const envoy::config::cluster::v3::Cluster& cluster, + const envoy::extensions::clusters::dns::v3::DnsCluster& dns_cluster, + ClusterFactoryContext& context, Network::DnsResolverSharedPtr dns_resolver) { + absl::Status creation_status = absl::OkStatus(); + auto ret = std::unique_ptr( + new DnsClusterImpl(cluster, dns_cluster, context, std::move(dns_resolver), creation_status)); + + RETURN_IF_NOT_OK(creation_status); + return ret; +} + +DnsClusterImpl::DnsClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, + const envoy::extensions::clusters::dns::v3::DnsCluster& dns_cluster, + ClusterFactoryContext& context, + Network::DnsResolverSharedPtr dns_resolver, + absl::Status& creation_status) + : BaseDynamicClusterImpl(cluster, context, creation_status), + load_assignment_( + extractAndProcessLoadAssignment(cluster, dns_cluster.all_addresses_in_single_endpoint())), + local_info_(context.serverFactoryContext().localInfo()), dns_resolver_(dns_resolver), + dns_refresh_rate_ms_(std::chrono::milliseconds( + PROTOBUF_GET_MS_OR_DEFAULT(dns_cluster, dns_refresh_rate, 5000))), + dns_jitter_ms_(PROTOBUF_GET_MS_OR_DEFAULT(dns_cluster, dns_jitter, 0)), + respect_dns_ttl_(dns_cluster.respect_dns_ttl()), + dns_lookup_family_( + Envoy::DnsUtils::getDnsLookupFamilyFromEnum(dns_cluster.dns_lookup_family())), + all_addresses_in_single_endpoint_(dns_cluster.all_addresses_in_single_endpoint()) { + failure_backoff_strategy_ = Config::Utility::prepareDnsRefreshStrategy( + dns_cluster, dns_refresh_rate_ms_.count(), + context.serverFactoryContext().api().randomGenerator()); + + std::list resolve_targets; + const auto& locality_lb_endpoints = load_assignment_.endpoints(); + + if (all_addresses_in_single_endpoint_) { // Logical DNS + // For Logical DNS, we make sure we have just a single endpoint. + if (locality_lb_endpoints.size() != 1 || locality_lb_endpoints[0].lb_endpoints().size() != 1) { + if (cluster.has_load_assignment()) { + creation_status = + absl::InvalidArgumentError("LOGICAL_DNS clusters must have a single " + "locality_lb_endpoint and a single lb_endpoint"); + } else { + creation_status = + absl::InvalidArgumentError("LOGICAL_DNS clusters must have a single host"); + } + return; + } + } else { // Strict DNS + for (const auto& locality_lb_endpoint : locality_lb_endpoints) { + // Strict DNS clusters must ensure that the priority for all localities + // are set to zero when using zone-aware routing. Zone-aware routing only + // works for localities with priority zero (the highest). + SET_AND_RETURN_IF_NOT_OK(validateEndpointsForZoneAwareRouting(locality_lb_endpoint), + creation_status); + } + } + + for (const auto& locality_lb_endpoint : locality_lb_endpoints) { + for (const auto& lb_endpoint : locality_lb_endpoint.lb_endpoints()) { + const auto& socket_address = lb_endpoint.endpoint().address().socket_address(); + if (!socket_address.resolver_name().empty()) { + creation_status = absl::InvalidArgumentError( + all_addresses_in_single_endpoint_ + ? "LOGICAL_DNS clusters must NOT have a custom resolver name set" + : "STRICT_DNS clusters must NOT have a custom resolver name set"); + return; + } + + resolve_targets.emplace_back(new ResolveTarget( + *this, context.serverFactoryContext().mainThreadDispatcher(), socket_address.address(), + socket_address.port_value(), locality_lb_endpoint, lb_endpoint)); + } + } + resolve_targets_ = std::move(resolve_targets); + + overprovisioning_factor_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT( + load_assignment_.policy(), overprovisioning_factor, kDefaultOverProvisioningFactor); + weighted_priority_health_ = load_assignment_.policy().weighted_priority_health(); +} + +void DnsClusterImpl::startPreInit() { + for (const ResolveTargetPtr& target : resolve_targets_) { + target->startResolve(); + } + // If the config provides no endpoints, the cluster is initialized immediately as if all hosts are + // resolved in failure. + if (resolve_targets_.empty() || !wait_for_warm_on_init_) { + onPreInitComplete(); + } +} + +void DnsClusterImpl::updateAllHosts(const HostVector& hosts_added, const HostVector& hosts_removed, + uint32_t current_priority) { + PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); + // At this point we know that we are different so make a new host list and notify. + // + // TODO(dio): The uniqueness of a host address resolved in STRICT_DNS cluster per priority is not + // guaranteed. Need a clear agreement on the behavior here, whether it is allowable to have + // duplicated hosts inside a priority. And if we want to enforce this behavior, it should be done + // inside the priority state manager. + for (const ResolveTargetPtr& target : resolve_targets_) { + priority_state_manager.initializePriorityFor(target->locality_lb_endpoints_); + for (const HostSharedPtr& host : target->hosts_) { + if (target->locality_lb_endpoints_.priority() == current_priority) { + priority_state_manager.registerHostForPriority(host, target->locality_lb_endpoints_); + } + } + } + + // TODO(dio): Add assertion in here. + priority_state_manager.updateClusterPrioritySet( + current_priority, std::move(priority_state_manager.priorityState()[current_priority].first), + hosts_added, hosts_removed, absl::nullopt, weighted_priority_health_, + overprovisioning_factor_); +} + +DnsClusterImpl::ResolveTarget::ResolveTarget( + DnsClusterImpl& parent, Event::Dispatcher& dispatcher, const std::string& dns_address, + const uint32_t dns_port, + const envoy::config::endpoint::v3::LocalityLbEndpoints& locality_lb_endpoint, + const envoy::config::endpoint::v3::LbEndpoint& lb_endpoint) + : parent_(parent), locality_lb_endpoints_(locality_lb_endpoint), lb_endpoint_(lb_endpoint), + dns_address_(dns_address), + hostname_(lb_endpoint_.endpoint().hostname().empty() ? dns_address_ + : lb_endpoint_.endpoint().hostname()), + port_(dns_port), + resolve_timer_(dispatcher.createTimer([this]() -> void { startResolve(); })) {} + +DnsClusterImpl::ResolveTarget::~ResolveTarget() { + if (active_query_) { + active_query_->cancel(Network::ActiveDnsQuery::CancelReason::QueryAbandoned); + } +} + +bool DnsClusterImpl::ResolveTarget::isSuccessfulResponse( + const std::list& response, + const Network::DnsResolver::ResolutionStatus& status) { + if (parent_.all_addresses_in_single_endpoint_) { + // Logical DNS doesn't accept empty responses. + return status == Network::DnsResolver::ResolutionStatus::Completed && !response.empty(); + } else { + // For Strict DNS, an empty response just means no available hosts. + return status == Network::DnsResolver::ResolutionStatus::Completed; + } +} + +absl::StatusOr +DnsClusterImpl::ResolveTarget::createLogicalDnsHosts( + const std::list& response) { + ParsedHosts result; + const auto& addrinfo = response.front().addrInfo(); + Network::Address::InstanceConstSharedPtr new_address = + Network::Utility::getAddressWithPort(*(addrinfo.address_), port_); + auto address_list = DnsUtils::generateAddressList(response, port_); + auto logical_host_or_error = + LogicalHost::create(parent_.info_, hostname_, new_address, address_list, + locality_lb_endpoints_, lb_endpoint_, nullptr); + + RETURN_IF_NOT_OK(logical_host_or_error.status()); + + result.hosts.emplace_back(std::move(logical_host_or_error.value())); + result.host_addresses.emplace(new_address->asString()); + result.ttl_refresh_rate = min(result.ttl_refresh_rate, addrinfo.ttl_); + return result; +} + +absl::StatusOr +DnsClusterImpl::ResolveTarget::createStrictDnsHosts( + const std::list& response) { + ParsedHosts result; + for (const auto& resp : response) { + const auto& addrinfo = resp.addrInfo(); + // TODO(mattklein123): Currently the DNS interface does not consider port. We need to + // make a new address that has port in it. We need to both support IPv6 as well as + // potentially move port handling into the DNS interface itself, which would work + // better for SRV. + ASSERT(addrinfo.address_ != nullptr); + auto address = Network::Utility::getAddressWithPort(*(addrinfo.address_), port_); + if (result.host_addresses.count(address->asString()) > 0) { + continue; + } + + auto host_or_error = HostImpl::create( + parent_.info_, hostname_, address, + // TODO(zyfjeff): Created through metadata shared pool + std::make_shared(lb_endpoint_.metadata()), + std::make_shared( + locality_lb_endpoints_.metadata()), + lb_endpoint_.load_balancing_weight().value(), locality_lb_endpoints_.locality(), + lb_endpoint_.endpoint().health_check_config(), locality_lb_endpoints_.priority(), + lb_endpoint_.health_status()); + + RETURN_IF_NOT_OK(host_or_error.status()); + + result.hosts.emplace_back(std::move(host_or_error.value())); + result.host_addresses.emplace(address->asString()); + result.ttl_refresh_rate = min(result.ttl_refresh_rate, addrinfo.ttl_); + } + return result; +} + +void DnsClusterImpl::ResolveTarget::updateLogicalDnsHosts( + const std::list& response, const ParsedHosts& new_hosts) { + Network::Address::InstanceConstSharedPtr primary_address = + Network::Utility::getAddressWithPort(*(response.front().addrInfo().address_), port_); + auto all_addresses = DnsUtils::generateAddressList(response, port_); + if (!logic_dns_cached_address_ || + (*primary_address != *logic_dns_cached_address_ || + DnsUtils::listChanged(logic_dns_cached_address_list_, all_addresses))) { + logic_dns_cached_address_ = primary_address; + logic_dns_cached_address_list_ = std::move(all_addresses); + ENVOY_LOG(debug, "DNS hosts have changed for {}", dns_address_); + const auto previous_hosts = std::move(hosts_); + hosts_ = std::move(new_hosts.hosts); + // For logical DNS, we remove the unique logical host, and add the new one. + parent_.updateAllHosts(new_hosts.hosts, previous_hosts, locality_lb_endpoints_.priority()); + } else { + parent_.info_->configUpdateStats().update_no_rebuild_.inc(); + } +} + +void DnsClusterImpl::ResolveTarget::updateStrictDnsHosts(const ParsedHosts& new_hosts) { + HostVector hosts_added; + HostVector hosts_removed; + if (parent_.updateDynamicHostList(new_hosts.hosts, hosts_, hosts_added, hosts_removed, all_hosts_, + new_hosts.host_addresses)) { + ENVOY_LOG(debug, "DNS hosts have changed for {}", dns_address_); + ASSERT(std::all_of(hosts_.begin(), hosts_.end(), [&](const auto& host) { + return host->priority() == locality_lb_endpoints_.priority(); + })); + + // Update host map for current resolve target. + for (const auto& host : hosts_removed) { + all_hosts_.erase(host->address()->asString()); + } + for (const auto& host : hosts_added) { + all_hosts_.insert({host->address()->asString(), host}); + } + + parent_.updateAllHosts(hosts_added, hosts_removed, locality_lb_endpoints_.priority()); + } else { + parent_.info_->configUpdateStats().update_no_rebuild_.inc(); + } +} + +void DnsClusterImpl::ResolveTarget::startResolve() { + ENVOY_LOG(trace, "starting async DNS resolution for {}", dns_address_); + parent_.info_->configUpdateStats().update_attempt_.inc(); + + active_query_ = parent_.dns_resolver_->resolve( + dns_address_, parent_.dns_lookup_family_, + [this](Network::DnsResolver::ResolutionStatus status, absl::string_view details, + std::list&& response) -> void { + active_query_ = nullptr; + ENVOY_LOG(trace, "async DNS resolution complete for {} details {}", dns_address_, details); + + std::chrono::milliseconds final_refresh_rate = parent_.dns_refresh_rate_ms_; + + if (isSuccessfulResponse(response, status)) { + parent_.info_->configUpdateStats().update_success_.inc(); + + absl::StatusOr new_hosts_or_error; + + if (parent_.all_addresses_in_single_endpoint_) { + new_hosts_or_error = createLogicalDnsHosts(response); + } else { + new_hosts_or_error = createStrictDnsHosts(response); + } + + if (!new_hosts_or_error.ok()) { + ENVOY_LOG(error, "Failed to process DNS response for {} with error: {}", dns_address_, + new_hosts_or_error.status().message()); + parent_.info_->configUpdateStats().update_failure_.inc(); + return; + } + + const auto& new_hosts = new_hosts_or_error.value(); + + if (parent_.all_addresses_in_single_endpoint_) { + updateLogicalDnsHosts(response, new_hosts); + } else { + updateStrictDnsHosts(new_hosts); + } + + // reset failure backoff strategy because there was a success. + parent_.failure_backoff_strategy_->reset(); + + if (!response.empty() && parent_.respect_dns_ttl_ && + new_hosts.ttl_refresh_rate != std::chrono::seconds(0)) { + final_refresh_rate = new_hosts.ttl_refresh_rate; + ASSERT(new_hosts.ttl_refresh_rate != std::chrono::seconds::max() && + final_refresh_rate.count() > 0); + } + if (parent_.dns_jitter_ms_.count() > 0) { + // Note that `parent_.random_.random()` returns a uint64 while + // `parent_.dns_jitter_ms_.count()` returns a signed long that gets cast into a uint64. + // Thus, the modulo of the two will be a positive as long as + // `parent_dns_jitter_ms_.count()` is positive. + // It is important that this be positive, otherwise `final_refresh_rate` could be + // negative causing Envoy to crash. + final_refresh_rate += std::chrono::milliseconds(parent_.random_.random() % + parent_.dns_jitter_ms_.count()); + } + + ENVOY_LOG(debug, "DNS refresh rate reset for {}, refresh rate {} ms", dns_address_, + final_refresh_rate.count()); + } else { + parent_.info_->configUpdateStats().update_failure_.inc(); + + final_refresh_rate = + std::chrono::milliseconds(parent_.failure_backoff_strategy_->nextBackOffMs()); + ENVOY_LOG(debug, "DNS refresh rate reset for {}, (failure) refresh rate {} ms", + dns_address_, final_refresh_rate.count()); + } + + // If there is an initialize callback, fire it now. Note that if the cluster refers to + // multiple DNS names, this will return initialized after a single DNS resolution + // completes. This is not perfect but is easier to code and unclear if the extra + // complexity is needed so will start with this. + parent_.onPreInitComplete(); + resolve_timer_->enableTimer(final_refresh_rate); + }); +} } // namespace Upstream } // namespace Envoy diff --git a/source/extensions/clusters/dns/dns_cluster.h b/source/extensions/clusters/dns/dns_cluster.h index f198e09cef548..f930ab16a010d 100644 --- a/source/extensions/clusters/dns/dns_cluster.h +++ b/source/extensions/clusters/dns/dns_cluster.h @@ -31,6 +31,99 @@ class DnsClusterFactory : public Upstream::ConfigurableClusterFactoryBase< Upstream::ClusterFactoryContext& context) override; }; +class DnsClusterImpl : public BaseDynamicClusterImpl { +public: + // Upstream::Cluster + InitializePhase initializePhase() const override { return InitializePhase::Primary; } + static absl::StatusOr> + create(const envoy::config::cluster::v3::Cluster& cluster, + const envoy::extensions::clusters::dns::v3::DnsCluster& dns_cluster, + ClusterFactoryContext& context, Network::DnsResolverSharedPtr dns_resolver); + +protected: + DnsClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, + const envoy::extensions::clusters::dns::v3::DnsCluster& dns_cluster, + ClusterFactoryContext& context, Network::DnsResolverSharedPtr dns_resolver, + absl::Status& creation_status); + +private: + struct ResolveTarget { + ResolveTarget(DnsClusterImpl& parent, Event::Dispatcher& dispatcher, + const std::string& dns_address, const uint32_t dns_port, + const envoy::config::endpoint::v3::LocalityLbEndpoints& locality_lb_endpoint, + const envoy::config::endpoint::v3::LbEndpoint& lb_endpoint); + ~ResolveTarget(); + void startResolve(); + bool isSuccessfulResponse(const std::list& response, + const Network::DnsResolver::ResolutionStatus& status); + + struct ParsedHosts { + HostVector hosts; + std::chrono::seconds ttl_refresh_rate = std::chrono::seconds::max(); + absl::flat_hash_set host_addresses; + }; + absl::StatusOr + createLogicalDnsHosts(const std::list& response); + absl::StatusOr + createStrictDnsHosts(const std::list& response); + void updateLogicalDnsHosts(const std::list& response, + const ParsedHosts& new_hosts); + void updateStrictDnsHosts(const ParsedHosts& new_hosts); + + DnsClusterImpl& parent_; + Network::ActiveDnsQuery* active_query_{}; + const envoy::config::endpoint::v3::LocalityLbEndpoints& locality_lb_endpoints_; + const envoy::config::endpoint::v3::LbEndpoint& lb_endpoint_; + const std::string dns_address_; + const std::string hostname_; + const uint32_t port_; + const Event::TimerPtr resolve_timer_; + HostVector hosts_; + + // Host map for current resolve target. When we have multiple resolve targets, multiple targets + // may contain two different hosts with the same address. This has two effects: + // 1) This host map cannot be replaced by the cross-priority global host map in the priority + // set. + // 2) Cross-priority global host map may not be able to search for the expected host based on + // the address. + HostMap all_hosts_; + + // These attributes are only used for logical DNS resolution. We use them to keep track of the + // previous responses, so we can check and update the hosts only when the DNS response changes. + // We cache those values here to avoid fetching them from the logical hosts, as that requires + // synchronization mechanisms. + Network::Address::InstanceConstSharedPtr logic_dns_cached_address_; + std::vector logic_dns_cached_address_list_; + }; + + using ResolveTargetPtr = std::unique_ptr; + + void updateAllHosts(const HostVector& hosts_added, const HostVector& hosts_removed, + uint32_t priority); + + // ClusterImplBase + void startPreInit() override; + + static envoy::config::endpoint::v3::ClusterLoadAssignment + extractAndProcessLoadAssignment(const envoy::config::cluster::v3::Cluster& cluster, + bool all_addresses_in_single_endpoint); + + // Keep load assignment as a member to make sure its data referenced in + // resolve_targets_ outlives them. + const envoy::config::endpoint::v3::ClusterLoadAssignment load_assignment_; + const LocalInfo::LocalInfo& local_info_; + Network::DnsResolverSharedPtr dns_resolver_; + std::list resolve_targets_; + const std::chrono::milliseconds dns_refresh_rate_ms_; + const std::chrono::milliseconds dns_jitter_ms_; + BackOffStrategyPtr failure_backoff_strategy_; + const bool respect_dns_ttl_; + Network::DnsLookupFamily dns_lookup_family_; + uint32_t overprovisioning_factor_; + bool weighted_priority_health_; + bool all_addresses_in_single_endpoint_; +}; + DECLARE_FACTORY(DnsClusterFactory); } // namespace Upstream diff --git a/source/extensions/clusters/logical_dns/logical_dns_cluster.cc b/source/extensions/clusters/logical_dns/logical_dns_cluster.cc index a57d49ddc1975..4f36f440ed1dc 100644 --- a/source/extensions/clusters/logical_dns/logical_dns_cluster.cc +++ b/source/extensions/clusters/logical_dns/logical_dns_cluster.cc @@ -180,6 +180,8 @@ void LogicalDnsCluster::startResolve() { // Make sure that we have an updated address for admin display, health // checking, and creating real host connections. logical_host_->setNewAddresses(new_address, address_list, lbEndpoint()); + } else { + info_->configUpdateStats().update_no_rebuild_.inc(); } // reset failure backoff strategy because there was a success. @@ -213,26 +215,5 @@ void LogicalDnsCluster::startResolve() { }); } -absl::StatusOr> -LogicalDnsClusterFactory::createClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, - ClusterFactoryContext& context) { - auto dns_resolver_or_error = selectDnsResolver(cluster, context); - THROW_IF_NOT_OK_REF(dns_resolver_or_error.status()); - - absl::StatusOr> cluster_or_error; - envoy::extensions::clusters::dns::v3::DnsCluster proto_config_legacy{}; - createDnsClusterFromLegacyFields(cluster, proto_config_legacy); - cluster_or_error = LogicalDnsCluster::create(cluster, proto_config_legacy, context, - std::move(*dns_resolver_or_error)); - - RETURN_IF_NOT_OK(cluster_or_error.status()); - return std::make_pair(std::shared_ptr(std::move(*cluster_or_error)), nullptr); -} - -/** - * Static registration for the strict dns cluster factory. @see RegisterFactory. - */ -REGISTER_FACTORY(LogicalDnsClusterFactory, ClusterFactory); - } // namespace Upstream } // namespace Envoy diff --git a/source/extensions/clusters/logical_dns/logical_dns_cluster.h b/source/extensions/clusters/logical_dns/logical_dns_cluster.h index 975a494ca94af..76dc69afb1aea 100644 --- a/source/extensions/clusters/logical_dns/logical_dns_cluster.h +++ b/source/extensions/clusters/logical_dns/logical_dns_cluster.h @@ -93,18 +93,5 @@ class LogicalDnsCluster : public ClusterImplBase { const envoy::config::endpoint::v3::ClusterLoadAssignment load_assignment_; }; -class LogicalDnsClusterFactory : public ClusterFactoryImplBase { -public: - LogicalDnsClusterFactory() : ClusterFactoryImplBase("envoy.cluster.logical_dns") {} - -private: - friend class LogicalDnsClusterTest; - absl::StatusOr> - createClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, - ClusterFactoryContext& context) override; -}; - -DECLARE_FACTORY(LogicalDnsClusterFactory); - } // namespace Upstream } // namespace Envoy diff --git a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc index 77123a17f7734..acfd8287c23a1 100644 --- a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc +++ b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc @@ -233,27 +233,5 @@ void StrictDnsClusterImpl::ResolveTarget::startResolve() { }); } -absl::StatusOr> -StrictDnsClusterFactory::createClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, - Upstream::ClusterFactoryContext& context) { - absl::StatusOr> cluster_or_error; - auto dns_resolver_or_error = selectDnsResolver(cluster, context); - RETURN_IF_NOT_OK(dns_resolver_or_error.status()); - - envoy::extensions::clusters::dns::v3::DnsCluster proto_config_legacy{}; - createDnsClusterFromLegacyFields(cluster, proto_config_legacy); - cluster_or_error = StrictDnsClusterImpl::create(cluster, proto_config_legacy, context, - std::move(*dns_resolver_or_error)); - - RETURN_IF_NOT_OK(cluster_or_error.status()); - return std::make_pair(std::shared_ptr(std::move(*cluster_or_error)), - nullptr); -} - -/** - * Static registration for the strict dns cluster factory. @see RegisterFactory. - */ -REGISTER_FACTORY(StrictDnsClusterFactory, ClusterFactory); - } // namespace Upstream } // namespace Envoy diff --git a/source/extensions/clusters/strict_dns/strict_dns_cluster.h b/source/extensions/clusters/strict_dns/strict_dns_cluster.h index 0f15b399b794b..ff8ac1a139dbb 100644 --- a/source/extensions/clusters/strict_dns/strict_dns_cluster.h +++ b/source/extensions/clusters/strict_dns/strict_dns_cluster.h @@ -81,20 +81,5 @@ class StrictDnsClusterImpl : public BaseDynamicClusterImpl { bool weighted_priority_health_; }; -/** - * Factory for StrictDnsClusterImpl - */ -class StrictDnsClusterFactory : public ClusterFactoryImplBase { -public: - StrictDnsClusterFactory() : ClusterFactoryImplBase("envoy.cluster.strict_dns") {} - -private: - absl::StatusOr> - createClusterImpl(const envoy::config::cluster::v3::Cluster& cluster, - ClusterFactoryContext& context) override; -}; - -DECLARE_FACTORY(StrictDnsClusterFactory); - } // namespace Upstream } // namespace Envoy diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 3817a4a71e36f..521b701838df2 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -123,11 +123,11 @@ envoy_cc_test( ":test_cluster_manager", "//envoy/config:config_validator_interface", "//source/common/router:context_lib", + "//source/common/upstream:load_balancer_factory_base_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/eds:eds_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", "//source/extensions/clusters/original_dst:original_dst_cluster_lib", "//source/extensions/clusters/static:static_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/config_subscription/grpc:grpc_collection_subscription_lib", "//source/extensions/config_subscription/grpc:grpc_subscription_lib", "//source/extensions/health_checkers/http:health_checker_lib", @@ -172,8 +172,8 @@ envoy_cc_test( srcs = ["cluster_manager_lifecycle_test.cc"], deps = [ ":cluster_manager_impl_test_common", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/static:static_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/load_balancing_policies/ring_hash:config", "//source/extensions/network/dns_resolver/cares:config", "//test/mocks/upstream:cds_api_mocks", @@ -535,7 +535,6 @@ envoy_cc_test( "//source/extensions/clusters/eds:eds_lib", # TODO(mattklein123): Split this into 2 tests for each cluster. "//source/extensions/clusters/static:static_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/transport_sockets/raw_buffer:config", "//source/extensions/transport_sockets/http_11_proxy:upstream_config", "//source/extensions/transport_sockets/tls:config", diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index b31a2e04edde3..a5276d480e63c 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -27,8 +27,8 @@ #include "source/common/protobuf/utility.h" #include "source/common/singleton/manager_impl.h" #include "source/extensions/clusters/common/dns_cluster_backcompat.h" +#include "source/extensions/clusters/dns/dns_cluster.h" #include "source/extensions/clusters/static/static_cluster.h" -#include "source/extensions/clusters/strict_dns/strict_dns_cluster.h" #include "source/extensions/load_balancing_policies/least_request/config.h" #include "source/extensions/load_balancing_policies/round_robin/config.h" #include "source/server/transport_socket_config_impl.h" @@ -82,7 +82,7 @@ class UpstreamImplTestBase { return std::dynamic_pointer_cast(status_or_cluster->first); } - absl::StatusOr> + absl::StatusOr> createStrictDnsCluster(const envoy::config::cluster::v3::Cluster& cluster_config, ClusterFactoryContext& factory_context, std::shared_ptr dns_resolver) { @@ -96,7 +96,7 @@ class UpstreamImplTestBase { if (!status_or_cluster.ok()) { return status_or_cluster.status(); } - return (std::dynamic_pointer_cast(status_or_cluster->first)); + return (std::dynamic_pointer_cast(status_or_cluster->first)); } NiceMock server_context_; @@ -153,35 +153,39 @@ struct ResolverData { }; using StrictDnsConfigTuple = - std::tuple>; + std::tuple, std::string>; std::vector generateStrictDnsParams() { std::vector dns_config; { std::string family_yaml(""); Network::DnsLookupFamily family(Network::DnsLookupFamily::Auto); std::list dns_response{"127.0.0.1", "127.0.0.2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); } { std::string family_yaml(R"EOF(dns_lookup_family: v4_only )EOF"); Network::DnsLookupFamily family(Network::DnsLookupFamily::V4Only); std::list dns_response{"127.0.0.1", "127.0.0.2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); } { std::string family_yaml(R"EOF(dns_lookup_family: v6_only )EOF"); Network::DnsLookupFamily family(Network::DnsLookupFamily::V6Only); std::list dns_response{"::1", "::2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); } { std::string family_yaml(R"EOF(dns_lookup_family: auto )EOF"); Network::DnsLookupFamily family(Network::DnsLookupFamily::Auto); std::list dns_response{"127.0.0.1", "127.0.0.2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); } return dns_config; } @@ -190,6 +194,9 @@ class StrictDnsParamTest : public testing::TestWithParam, public UpstreamImplTestBase { public: void dropOverloadRuntimeTest(uint64_t numerator, float drop_ratio) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -229,6 +236,9 @@ INSTANTIATE_TEST_SUITE_P(DnsParam, StrictDnsParamTest, testing::ValuesIn(generateStrictDnsParams())); TEST_P(StrictDnsParamTest, ImmediateResolve) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -270,6 +280,9 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { } TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBasicMillion) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -296,6 +309,9 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBasicMillion) { } TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBasicTenThousand) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -322,6 +338,9 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBasicTenThousand) { } TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBadDenominator) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -349,6 +368,9 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBadDenominator) { } TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBadNumerator) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -377,6 +399,9 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBadNumerator) { } TEST_P(StrictDnsParamTest, DropOverLoadConfigTestMultipleCategory) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); ReadyWatcher initialized; const std::string yaml = R"EOF( @@ -428,8 +453,19 @@ class StrictDnsClusterImplTest : public testing::Test, public UpstreamImplTestBa std::make_shared(); }; -TEST_F(StrictDnsClusterImplTest, ZeroHostsIsInializedImmediately) { +class StrictDnsClusterImplParamTest : public StrictDnsClusterImplTest, + public testing::WithParamInterface { +public: + TestScopedRuntime scoped_runtime; +}; + +INSTANTIATE_TEST_SUITE_P(DnsImplementations, StrictDnsClusterImplParamTest, + testing::ValuesIn({"true", "false"})); + +TEST_P(StrictDnsClusterImplParamTest, ZeroHostsIsInializedImmediately) { ReadyWatcher initialized; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string yaml = R"EOF( name: name @@ -456,8 +492,10 @@ TEST_F(StrictDnsClusterImplTest, ZeroHostsIsInializedImmediately) { } // Resolve zero hosts, while using health checking. -TEST_F(StrictDnsClusterImplTest, ZeroHostsHealthChecker) { +TEST_P(StrictDnsClusterImplParamTest, ZeroHostsHealthChecker) { ReadyWatcher initialized; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string yaml = R"EOF( name: name @@ -498,7 +536,9 @@ TEST_F(StrictDnsClusterImplTest, ZeroHostsHealthChecker) { EXPECT_EQ(0UL, cluster->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); } -TEST_F(StrictDnsClusterImplTest, DontWaitForDNSOnInit) { +TEST_P(StrictDnsClusterImplParamTest, DontWaitForDNSOnInit) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -550,7 +590,9 @@ TEST_F(StrictDnsClusterImplTest, DontWaitForDNSOnInit) { TestUtility::makeDnsResponse({"127.0.0.2", "127.0.0.1"})); } -TEST_F(StrictDnsClusterImplTest, Basic) { +TEST_P(StrictDnsClusterImplParamTest, Basic) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); // gmock matches in LIFO order which is why these are swapped. ResolverData resolver2(*dns_resolver_, server_context_.dispatcher_); ResolverData resolver1(*dns_resolver_, server_context_.dispatcher_); @@ -754,7 +796,10 @@ TEST_F(StrictDnsClusterImplTest, Basic) { // Verifies that host removal works correctly when hosts are being health checked // but the cluster is configured to always remove hosts -TEST_F(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) { +TEST_P(StrictDnsClusterImplParamTest, HostRemovalActiveHealthSkipped) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -814,7 +859,10 @@ TEST_F(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) { // Verify that a host is not removed if it is removed from DNS but still passing active health // checking. -TEST_F(StrictDnsClusterImplTest, HostRemovalAfterHcFail) { +TEST_P(StrictDnsClusterImplParamTest, HostRemovalAfterHcFail) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -893,7 +941,10 @@ TEST_F(StrictDnsClusterImplTest, HostRemovalAfterHcFail) { } } -TEST_F(StrictDnsClusterImplTest, HostUpdateWithDisabledACEndpoint) { +TEST_P(StrictDnsClusterImplParamTest, HostUpdateWithDisabledACEndpoint) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -961,7 +1012,10 @@ TEST_F(StrictDnsClusterImplTest, HostUpdateWithDisabledACEndpoint) { } } -TEST_F(StrictDnsClusterImplTest, LoadAssignmentBasic) { +TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasic) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + // gmock matches in LIFO order which is why these are swapped. ResolverData resolver3(*dns_resolver_, server_context_.dispatcher_); ResolverData resolver2(*dns_resolver_, server_context_.dispatcher_); @@ -1226,7 +1280,10 @@ TEST_F(StrictDnsClusterImplTest, LoadAssignmentBasic) { cancel(Network::ActiveDnsQuery::CancelReason::QueryAbandoned)); } -TEST_F(StrictDnsClusterImplTest, LoadAssignmentBasicMultiplePriorities) { +TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasicMultiplePriorities) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver3(*dns_resolver_, server_context_.dispatcher_); ResolverData resolver2(*dns_resolver_, server_context_.dispatcher_); ResolverData resolver1(*dns_resolver_, server_context_.dispatcher_); @@ -1370,7 +1427,10 @@ TEST_F(StrictDnsClusterImplTest, LoadAssignmentBasicMultiplePriorities) { } // Verifies that specifying a custom resolver when using STRICT_DNS fails -TEST_F(StrictDnsClusterImplTest, CustomResolverFails) { +TEST_P(StrictDnsClusterImplParamTest, CustomResolverFails) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -1393,12 +1453,23 @@ TEST_F(StrictDnsClusterImplTest, CustomResolverFails) { Envoy::Upstream::ClusterFactoryContextImpl factory_context(server_context_, nullptr, nullptr, false); - EXPECT_THROW_WITH_MESSAGE( - auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_), - EnvoyException, "STRICT_DNS clusters must NOT have a custom resolver name set"); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + auto cluster_or_error = createStrictDnsCluster(cluster_config, factory_context, dns_resolver_); + EXPECT_FALSE(cluster_or_error.ok()); + EXPECT_EQ(cluster_or_error.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_EQ(cluster_or_error.status().message(), + "STRICT_DNS clusters must NOT have a custom resolver name set"); + } else { + EXPECT_THROW_WITH_MESSAGE( + auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_), + EnvoyException, "STRICT_DNS clusters must NOT have a custom resolver name set"); + } } -TEST_F(StrictDnsClusterImplTest, FailureRefreshRateBackoffResetsWhenSuccessHappens) { +TEST_P(StrictDnsClusterImplParamTest, FailureRefreshRateBackoffResetsWhenSuccessHappens) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -1447,7 +1518,10 @@ TEST_F(StrictDnsClusterImplTest, FailureRefreshRateBackoffResetsWhenSuccessHappe TestUtility::makeDnsResponse({})); } -TEST_F(StrictDnsClusterImplTest, ClusterTypeConfig) { +TEST_P(StrictDnsClusterImplParamTest, ClusterTypeConfig) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -1486,7 +1560,10 @@ TEST_F(StrictDnsClusterImplTest, ClusterTypeConfig) { TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"}, std::chrono::seconds(30))); } -TEST_F(StrictDnsClusterImplTest, ClusterTypeConfig2) { +TEST_P(StrictDnsClusterImplParamTest, ClusterTypeConfig2) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -1528,7 +1605,7 @@ TEST_F(StrictDnsClusterImplTest, ClusterTypeConfig2) { TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"}, std::chrono::seconds(30))); } -TEST_F(StrictDnsClusterImplTest, ClusterTypeConfigTypedDnsResolverConfig) { +TEST_P(StrictDnsClusterImplParamTest, ClusterTypeConfigTypedDnsResolverConfig) { NiceMock dns_resolver_factory; Registry::InjectFactory registered_dns_factory(dns_resolver_factory); EXPECT_CALL(dns_resolver_factory, createDnsResolver(_, _, _)).WillOnce(Return(dns_resolver_)); @@ -1568,7 +1645,10 @@ TEST_F(StrictDnsClusterImplTest, ClusterTypeConfigTypedDnsResolverConfig) { auto cluster = *createStrictDnsCluster(cluster_config, factory_context, nullptr); } -TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateNoJitter) { +TEST_P(StrictDnsClusterImplParamTest, TtlAsDnsRefreshRateNoJitter) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -1623,7 +1703,10 @@ TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateNoJitter) { TestUtility::makeDnsResponse({}, std::chrono::seconds(5))); } -TEST_F(StrictDnsClusterImplTest, NegativeDnsJitter) { +TEST_P(StrictDnsClusterImplParamTest, NegativeDnsJitter) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name type: STRICT_DNS @@ -1646,7 +1729,11 @@ TEST_F(StrictDnsClusterImplTest, NegativeDnsJitter) { auto x = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_), EnvoyException, "(?s)Invalid duration: Expected positive duration:.*seconds: -1\n"); } -TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateYesJitter) { + +TEST_P(StrictDnsClusterImplParamTest, TtlAsDnsRefreshRateYesJitter) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -1688,7 +1775,10 @@ TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateYesJitter) { TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"}, std::chrono::seconds(ttl_s))); } -TEST_F(StrictDnsClusterImplTest, ExtremeJitter) { +TEST_P(StrictDnsClusterImplParamTest, ExtremeJitter) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); const std::string yaml = R"EOF( @@ -1722,7 +1812,10 @@ TEST_F(StrictDnsClusterImplTest, ExtremeJitter) { } // Ensures that HTTP/2 user defined SETTINGS parameter validation is enforced on clusters. -TEST_F(StrictDnsClusterImplTest, Http2UserDefinedSettingsParametersValidation) { +TEST_P(StrictDnsClusterImplParamTest, Http2UserDefinedSettingsParametersValidation) { + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4191,16 +4284,16 @@ class ClusterInfoImplTest : public testing::Test, public UpstreamImplTestBase { public: ClusterInfoImplTest() { ON_CALL(server_context_, api()).WillByDefault(ReturnRef(*api_)); } - std::shared_ptr makeCluster(const std::string& yaml) { + std::shared_ptr makeCluster(const std::string& yaml) { cluster_config_ = parseClusterFromV3Yaml(yaml); Envoy::Upstream::ClusterFactoryContextImpl factory_context( server_context_, [this]() { return dns_resolver_; }, nullptr, false); - StrictDnsClusterFactory factory{}; + DnsClusterFactory factory{}; auto status_or_cluster = factory.create(cluster_config_, factory_context); THROW_IF_NOT_OK_REF(status_or_cluster.status()); - return std::dynamic_pointer_cast(status_or_cluster->first); + return std::dynamic_pointer_cast(status_or_cluster->first); } class RetryBudgetTestClusterInfo : public ClusterInfoImpl { @@ -4216,6 +4309,7 @@ class ClusterInfoImplTest : public testing::Test, public UpstreamImplTestBase { NiceMock random_; Api::ApiPtr api_ = Api::createApiForTest(stats_, random_); NiceMock& runtime_ = server_context_.runtime_loader_; + TestScopedRuntime scoped_runtime_; std::shared_ptr dns_resolver_{new NiceMock()}; @@ -4223,6 +4317,12 @@ class ClusterInfoImplTest : public testing::Test, public UpstreamImplTestBase { envoy::config::cluster::v3::Cluster cluster_config_; }; +class ParametrizedClusterInfoImplTest : public ClusterInfoImplTest, + public testing::WithParamInterface {}; + +INSTANTIATE_TEST_SUITE_P(DnsImplementations, ParametrizedClusterInfoImplTest, + testing::ValuesIn({"true", "false"})); + struct Foo : public Envoy::Config::TypedMetadata::Object {}; struct Baz : public Envoy::Config::TypedMetadata::Object { @@ -4249,7 +4349,9 @@ class BazFactory : public ClusterTypedMetadataFactory { }; // Cluster metadata and common config retrieval. -TEST_F(ClusterInfoImplTest, Metadata) { +TEST_P(ParametrizedClusterInfoImplTest, Metadata) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4284,7 +4386,7 @@ TEST_F(ClusterInfoImplTest, Metadata) { } // Verify retry budget default values are honored. -TEST_F(ClusterInfoImplTest, RetryBudgetDefaultPopulation) { +TEST_P(ParametrizedClusterInfoImplTest, RetryBudgetDefaultPopulation) { std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4347,7 +4449,7 @@ TEST_F(ClusterInfoImplTest, RetryBudgetDefaultPopulation) { EXPECT_EQ(min_retry_concurrency, 123UL); } -TEST_F(ClusterInfoImplTest, LoadStatsConflictWithPerEndpointStats) { +TEST_P(ParametrizedClusterInfoImplTest, LoadStatsConflictWithPerEndpointStats) { std::string yaml = R"EOF( name: name type: STRICT_DNS @@ -4363,7 +4465,7 @@ TEST_F(ClusterInfoImplTest, LoadStatsConflictWithPerEndpointStats) { "load_stats_config can be specified"); } -TEST_F(ClusterInfoImplTest, UnsupportedPerHostFields) { +TEST_P(ParametrizedClusterInfoImplTest, UnsupportedPerHostFields) { std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4383,7 +4485,7 @@ TEST_F(ClusterInfoImplTest, UnsupportedPerHostFields) { } // Eds service_name is populated. -TEST_F(ClusterInfoImplTest, EdsServiceNamePopulation) { +TEST_P(ParametrizedClusterInfoImplTest, EdsServiceNamePopulation) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4430,7 +4532,7 @@ TEST_F(ClusterInfoImplTest, EdsServiceNamePopulation) { } // Typed metadata loading throws exception. -TEST_F(ClusterInfoImplTest, BrokenTypedMetadata) { +TEST_P(ParametrizedClusterInfoImplTest, BrokenTypedMetadata) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4458,7 +4560,7 @@ TEST_F(ClusterInfoImplTest, BrokenTypedMetadata) { } // Cluster extension protocol options fails validation when configured for an unregistered filter. -TEST_F(ClusterInfoImplTest, ExtensionProtocolOptionsForUnknownFilter) { +TEST_P(ParametrizedClusterInfoImplTest, ExtensionProtocolOptionsForUnknownFilter) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4484,7 +4586,7 @@ TEST_F(ClusterInfoImplTest, ExtensionProtocolOptionsForUnknownFilter) { "protocol options implementation for name: 'no_such_filter'"); } -TEST_F(ClusterInfoImplTest, TypedExtensionProtocolOptionsForUnknownFilter) { +TEST_P(ParametrizedClusterInfoImplTest, TypedExtensionProtocolOptionsForUnknownFilter) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4508,7 +4610,7 @@ TEST_F(ClusterInfoImplTest, TypedExtensionProtocolOptionsForUnknownFilter) { "protocol options implementation for name: 'no_such_filter'"); } -TEST_F(ClusterInfoImplTest, TestTrackRequestResponseSizesNotSetInConfig) { +TEST_P(ParametrizedClusterInfoImplTest, TestTrackRequestResponseSizesNotSetInConfig) { const std::string yaml_disabled = R"EOF( name: name connect_timeout: 0.25s @@ -4543,7 +4645,7 @@ TEST_F(ClusterInfoImplTest, TestTrackRequestResponseSizesNotSetInConfig) { EXPECT_FALSE(cluster->info()->requestResponseSizeStats().has_value()); } -TEST_F(ClusterInfoImplTest, TestTrackRequestResponseSizes) { +TEST_P(ParametrizedClusterInfoImplTest, TestTrackRequestResponseSizes) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4564,7 +4666,7 @@ TEST_F(ClusterInfoImplTest, TestTrackRequestResponseSizes) { EXPECT_EQ(Stats::Histogram::Unit::Bytes, req_resp_stats.upstream_rs_body_size_.unit()); } -TEST_F(ClusterInfoImplTest, TestTrackRemainingResourcesGauges) { +TEST_P(ParametrizedClusterInfoImplTest, TestTrackRemainingResourcesGauges) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4611,7 +4713,7 @@ TEST_F(ClusterInfoImplTest, TestTrackRemainingResourcesGauges) { EXPECT_EQ(4U, high_remaining_retries.value()); } -TEST_F(ClusterInfoImplTest, DefaultConnectTimeout) { +TEST_P(ParametrizedClusterInfoImplTest, DefaultConnectTimeout) { const std::string yaml = R"EOF( name: cluster1 type: STRICT_DNS @@ -4625,7 +4727,7 @@ TEST_F(ClusterInfoImplTest, DefaultConnectTimeout) { EXPECT_EQ(std::chrono::seconds(5), cluster->info()->connectTimeout()); } -TEST_F(ClusterInfoImplTest, MaxConnectionDurationTest) { +TEST_P(ParametrizedClusterInfoImplTest, MaxConnectionDurationTest) { constexpr absl::string_view yaml_base = R"EOF( name: {} type: STRICT_DNS @@ -4654,7 +4756,7 @@ TEST_F(ClusterInfoImplTest, MaxConnectionDurationTest) { EXPECT_EQ(absl::nullopt, cluster3->info()->maxConnectionDuration()); } -TEST_F(ClusterInfoImplTest, Timeouts) { +TEST_P(ParametrizedClusterInfoImplTest, Timeouts) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -4745,7 +4847,7 @@ TEST_F(ClusterInfoImplTest, Timeouts) { } } -TEST_F(ClusterInfoImplTest, TcpPoolIdleTimeout) { +TEST_P(ParametrizedClusterInfoImplTest, TcpPoolIdleTimeout) { constexpr absl::string_view yaml_base = R"EOF( name: {} type: STRICT_DNS @@ -4771,7 +4873,7 @@ TEST_F(ClusterInfoImplTest, TcpPoolIdleTimeout) { EXPECT_EQ(absl::nullopt, cluster3->info()->tcpPoolIdleTimeout()); } -TEST_F(ClusterInfoImplTest, TestTrackTimeoutBudgetsNotSetInConfig) { +TEST_P(ParametrizedClusterInfoImplTest, TestTrackTimeoutBudgetsNotSetInConfig) { // Check that without the flag specified, the histogram is null. const std::string yaml_disabled = R"EOF( name: name @@ -4807,7 +4909,7 @@ TEST_F(ClusterInfoImplTest, TestTrackTimeoutBudgetsNotSetInConfig) { EXPECT_FALSE(cluster->info()->timeoutBudgetStats().has_value()); } -TEST_F(ClusterInfoImplTest, TestTrackTimeoutBudgets) { +TEST_P(ParametrizedClusterInfoImplTest, TestTrackTimeoutBudgets) { // Check that with the flag, the histogram is created. const std::string yaml = R"EOF( name: name @@ -4828,7 +4930,7 @@ TEST_F(ClusterInfoImplTest, TestTrackTimeoutBudgets) { tb_stats.upstream_rq_timeout_budget_per_try_percent_used_.unit()); } -TEST_F(ClusterInfoImplTest, DEPRECATED_FEATURE_TEST(TestTrackTimeoutBudgetsOld)) { +TEST_P(ParametrizedClusterInfoImplTest, DEPRECATED_FEATURE_TEST(TestTrackTimeoutBudgetsOld)) { // Check that without the flag specified, the histogram is null. const std::string yaml_disabled = R"EOF( name: name @@ -4862,7 +4964,7 @@ TEST_F(ClusterInfoImplTest, DEPRECATED_FEATURE_TEST(TestTrackTimeoutBudgetsOld)) } // Validates HTTP2 SETTINGS config. -TEST_F(ClusterInfoImplTest, Http2ProtocolOptions) { +TEST_P(ParametrizedClusterInfoImplTest, Http2ProtocolOptions) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -5102,7 +5204,7 @@ TEST_F(ClusterInfoImplTest, ExtensionProtocolOptionsForFilterWithOptions) { // This vector is used to gather clusters with extension_protocol_options from the different // types of extension factories (network, http). - std::vector> clusters; + std::vector> clusters; { // Get the cluster with extension_protocol_options for a network filter factory. diff --git a/test/exe/BUILD b/test/exe/BUILD index ef1d7e6f9657e..680088fbbad0d 100644 --- a/test/exe/BUILD +++ b/test/exe/BUILD @@ -75,7 +75,6 @@ envoy_cc_test_library( "//source/common/stats:isolated_store_lib", "//source/exe:envoy_main_common_with_core_extensions_lib", "//source/exe:platform_impl_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", "//test/mocks/runtime:runtime_mocks", "//test/test_common:contention_lib", "//test/test_common:environment_lib", @@ -95,7 +94,7 @@ envoy_cc_test( "//source/common/formatter:formatter_extension_lib", "//source/exe:envoy_main_common_with_core_extensions_lib", "//source/exe:platform_impl_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//test/mocks/runtime:runtime_mocks", "//test/test_common:contention_lib", "//test/test_common:environment_lib", @@ -114,7 +113,7 @@ envoy_cc_test( "//source/common/formatter:formatter_extension_lib", "//source/exe:envoy_main_common_with_core_extensions_lib", "//source/exe:platform_impl_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//test/mocks/runtime:runtime_mocks", "//test/test_common:contention_lib", "//test/test_common:environment_lib", diff --git a/test/extensions/clusters/common/BUILD b/test/extensions/clusters/common/BUILD index 82b2239190f6b..13f1deed35e8e 100644 --- a/test/extensions/clusters/common/BUILD +++ b/test/extensions/clusters/common/BUILD @@ -40,7 +40,6 @@ envoy_cc_test( "//source/common/config:utility_lib", "//source/extensions/clusters/common:logical_host_lib", "//source/extensions/clusters/dns:dns_cluster_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", "//test/integration:http_integration_lib", "//test/mocks/network:network_mocks", "//test/test_common:registry_lib", diff --git a/test/extensions/clusters/logical_dns/BUILD b/test/extensions/clusters/logical_dns/BUILD index 5c1608f9b9e8f..8836173b6a5e9 100644 --- a/test/extensions/clusters/logical_dns/BUILD +++ b/test/extensions/clusters/logical_dns/BUILD @@ -18,7 +18,6 @@ envoy_cc_test( "//source/common/network:utility_lib", "//source/common/upstream:upstream_lib", "//source/extensions/clusters/dns:dns_cluster_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", "//source/extensions/load_balancing_policies/round_robin:config", "//source/extensions/transport_sockets/raw_buffer:config", "//source/server:transport_socket_config_lib", @@ -33,6 +32,7 @@ envoy_cc_test( "//test/mocks/ssl:ssl_mocks", "//test/mocks/thread_local:thread_local_mocks", "//test/mocks/upstream:cluster_manager_mocks", + "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", diff --git a/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc b/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc index 27249cbc543a6..75531cee4898e 100644 --- a/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc +++ b/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc @@ -13,6 +13,7 @@ #include "source/common/network/utility.h" #include "source/common/singleton/manager_impl.h" +#include "source/common/upstream/upstream_impl.h" #include "source/extensions/clusters/common/dns_cluster_backcompat.h" #include "source/extensions/clusters/dns/dns_cluster.h" #include "source/extensions/clusters/logical_dns/logical_dns_cluster.h" @@ -29,6 +30,7 @@ #include "test/mocks/ssl/mocks.h" #include "test/mocks/thread_local/mocks.h" #include "test/mocks/upstream/cluster_manager.h" +#include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" #include "gmock/gmock.h" @@ -59,7 +61,7 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi envoy::config::cluster::v3::Cluster cluster_config = parseClusterFromV3Yaml(yaml); Envoy::Upstream::ClusterFactoryContextImpl factory_context(server_context_, nullptr, nullptr, false); - absl::StatusOr> status_or_cluster; + absl::StatusOr> status_or_cluster; envoy::extensions::clusters::dns::v3::DnsCluster dns_cluster{}; if (cluster_config.has_cluster_type()) { @@ -76,8 +78,15 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi createDnsClusterFromLegacyFields(cluster_config, dns_cluster); } - status_or_cluster = - LogicalDnsCluster::create(cluster_config, dns_cluster, factory_context, dns_resolver_); + // Here we tell the DnsClusterImpl it's going to behave like a logic DNS cluster: + dns_cluster.set_all_addresses_in_single_endpoint(true); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + status_or_cluster = + DnsClusterImpl::create(cluster_config, dns_cluster, factory_context, dns_resolver_); + } else { + status_or_cluster = + LogicalDnsCluster::create(cluster_config, dns_cluster, factory_context, dns_resolver_); + } THROW_IF_NOT_OK_REF(status_or_cluster.status()); cluster_ = std::move(*status_or_cluster); priority_update_cb_ = cluster_->prioritySet().addPriorityUpdateCb( @@ -100,7 +109,12 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi auto status_or_cluster = ClusterFactoryImplBase::create(cluster_config, server_context_, resolver_fn, nullptr, false); if (status_or_cluster.ok()) { - cluster_ = std::dynamic_pointer_cast(status_or_cluster->first); + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.enable_new_dns_implementation")) { + cluster_ = std::dynamic_pointer_cast(status_or_cluster->first); + } else { + cluster_ = std::dynamic_pointer_cast(status_or_cluster->first); + } priority_update_cb_ = cluster_->prioritySet().addPriorityUpdateCb( [&](uint32_t, const HostVector&, const HostVector&) { membership_updated_.ready(); @@ -141,6 +155,16 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"})); + const auto previous_update_no_rebuild = + cluster_->info()->configUpdateStats().update_no_rebuild_.value(); + + EXPECT_CALL(*resolve_timer_, enableTimer(std::chrono::milliseconds(4000), _)); + dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", + TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"})); + + EXPECT_EQ(previous_update_no_rebuild + 1, + cluster_->info()->configUpdateStats().update_no_rebuild_.value()); + EXPECT_EQ(1UL, cluster_->prioritySet().hostSetsPerPriority()[0]->hosts().size()); EXPECT_EQ(1UL, cluster_->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); EXPECT_EQ(1UL, @@ -167,11 +191,14 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi expectResolve(Network::DnsLookupFamily::V4Only, expected_address); resolve_timer_->invokeCallback(); - // Should not cause any changes. + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + EXPECT_CALL(membership_updated_, ready()); + } EXPECT_CALL(*resolve_timer_, enableTimer(_, _)); dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2", "127.0.0.3"})); + logical_host = cluster_->prioritySet().hostSetsPerPriority()[0]->hosts()[0]; EXPECT_EQ("127.0.0.1:" + std::to_string(expected_hc_port), logical_host->healthCheckAddress()->asString()); EXPECT_EQ("127.0.0.1:" + std::to_string(expected_port), logical_host->address()->asString()); @@ -208,9 +235,13 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi // Should cause a change. EXPECT_CALL(*resolve_timer_, enableTimer(_, _)); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + EXPECT_CALL(membership_updated_, ready()); + } dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.3", "127.0.0.1", "127.0.0.2"})); + logical_host = cluster_->prioritySet().hostSetsPerPriority()[0]->hosts()[0]; EXPECT_EQ("127.0.0.3:" + std::to_string(expected_hc_port), logical_host->healthCheckAddress()->asString()); EXPECT_EQ("127.0.0.3:" + std::to_string(expected_port), logical_host->address()->asString()); @@ -267,7 +298,8 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi Event::MockTimer* resolve_timer_; ReadyWatcher membership_updated_; ReadyWatcher initialized_; - std::shared_ptr cluster_; + std::shared_ptr cluster_; + TestScopedRuntime scoped_runtime_; NiceMock validation_visitor_; Common::CallbackHandlePtr priority_update_cb_; NiceMock access_log_manager_; @@ -275,35 +307,39 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi namespace { using LogicalDnsConfigTuple = - std::tuple>; + std::tuple, std::string>; std::vector generateLogicalDnsParams() { std::vector dns_config; { std::string family_yaml(""); Network::DnsLookupFamily family(Network::DnsLookupFamily::Auto); std::list dns_response{"127.0.0.1", "127.0.0.2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); } { std::string family_yaml(R"EOF(dns_lookup_family: v4_only )EOF"); Network::DnsLookupFamily family(Network::DnsLookupFamily::V4Only); std::list dns_response{"127.0.0.1", "127.0.0.2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); } { std::string family_yaml(R"EOF(dns_lookup_family: v6_only )EOF"); Network::DnsLookupFamily family(Network::DnsLookupFamily::V6Only); std::list dns_response{"::1", "::2"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); } { std::string family_yaml(R"EOF(dns_lookup_family: auto )EOF"); Network::DnsLookupFamily family(Network::DnsLookupFamily::Auto); std::list dns_response{"::1"}; - dns_config.push_back(std::make_tuple(family_yaml, family, dns_response)); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "false")); + dns_config.push_back(std::make_tuple(family_yaml, family, dns_response, "true")); } return dns_config; } @@ -318,6 +354,9 @@ INSTANTIATE_TEST_SUITE_P(DnsParam, LogicalDnsParamTest, // constructor, we have the expected host state and initialization callback // invocation. TEST_P(LogicalDnsParamTest, ImmediateResolve) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); + const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -354,7 +393,16 @@ TEST_P(LogicalDnsParamTest, ImmediateResolve) { HealthCheckHostMonitor::UnhealthyType::ImmediateHealthCheckFail); } -TEST_F(LogicalDnsParamTest, FailureRefreshRateBackoffResetsWhenSuccessHappens) { +class LogicalDnsImplementationsTest : public LogicalDnsClusterTest, + public testing::WithParamInterface {}; + +INSTANTIATE_TEST_SUITE_P(DnsImplementations, LogicalDnsImplementationsTest, + testing::ValuesIn({"true", "false"})); + +TEST_P(LogicalDnsImplementationsTest, FailureRefreshRateBackoffResetsWhenSuccessHappens) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name type: LOGICAL_DNS @@ -402,7 +450,10 @@ TEST_F(LogicalDnsParamTest, FailureRefreshRateBackoffResetsWhenSuccessHappens) { dns_callback_(Network::DnsResolver::ResolutionStatus::Failure, "", {}); } -TEST_F(LogicalDnsParamTest, TtlAsDnsRefreshRate) { +TEST_P(LogicalDnsImplementationsTest, TtlAsDnsRefreshRate) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string yaml = R"EOF( name: name type: LOGICAL_DNS @@ -444,7 +495,9 @@ TEST_F(LogicalDnsParamTest, TtlAsDnsRefreshRate) { TestUtility::makeDnsResponse({}, std::chrono::seconds(5))); } -TEST_F(LogicalDnsClusterTest, BadConfig) { +TEST_P(LogicalDnsImplementationsTest, BadConfig) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string multiple_hosts_yaml = R"EOF( name: name type: LOGICAL_DNS @@ -692,10 +745,26 @@ TEST_F(LogicalDnsClusterTest, BadConfig) { EXPECT_EQ(factorySetupFromV3Yaml(custom_resolver_cluster_type_yaml).message(), "LOGICAL_DNS clusters must NOT have a custom resolver name set"); + + const std::string no_load_assignment_yaml = R"EOF( + name: name + cluster_type: + name: abc + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dns.v3.DnsCluster + all_addresses_in_single_endpoint: true + connect_timeout: 0.25s + lb_policy: ROUND_ROBIN + )EOF"; + + EXPECT_EQ(factorySetupFromV3Yaml(no_load_assignment_yaml).message(), + "LOGICAL_DNS clusters must have a single host"); } // Test using both types of names in the cluster type. -TEST_F(LogicalDnsClusterTest, UseDnsExtension) { +TEST_P(LogicalDnsImplementationsTest, UseDnsExtension) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string config = R"EOF( name: name cluster_type: @@ -732,7 +801,9 @@ TEST_F(LogicalDnsClusterTest, UseDnsExtension) { TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); } -TEST_F(LogicalDnsClusterTest, TypedConfigBackcompat) { +TEST_P(LogicalDnsImplementationsTest, TypedConfigBackcompat) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string config = R"EOF( name: name cluster_type: @@ -766,7 +837,9 @@ TEST_F(LogicalDnsClusterTest, TypedConfigBackcompat) { TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); } -TEST_F(LogicalDnsClusterTest, Basic) { +TEST_P(LogicalDnsImplementationsTest, Basic) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string basic_yaml_hosts = R"EOF( name: name type: LOGICAL_DNS @@ -819,7 +892,9 @@ TEST_F(LogicalDnsClusterTest, Basic) { testBasicSetup(basic_yaml_load_assignment, "foo.bar.com", 443, 8000); } -TEST_F(LogicalDnsClusterTest, DontWaitForDNSOnInit) { +TEST_P(LogicalDnsImplementationsTest, DontWaitForDNSOnInit) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string config = R"EOF( name: name type: LOGICAL_DNS @@ -853,7 +928,9 @@ TEST_F(LogicalDnsClusterTest, DontWaitForDNSOnInit) { TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"})); } -TEST_F(LogicalDnsClusterTest, DNSRefreshHasJitter) { +TEST_P(LogicalDnsImplementationsTest, DNSRefreshHasJitter) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string config = R"EOF( name: name type: LOGICAL_DNS @@ -893,7 +970,9 @@ TEST_F(LogicalDnsClusterTest, DNSRefreshHasJitter) { TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); } -TEST_F(LogicalDnsClusterTest, NegativeDnsJitter) { +TEST_P(LogicalDnsImplementationsTest, NegativeDnsJitter) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); const std::string yaml = R"EOF( name: name type: LOGICAL_DNS @@ -913,7 +992,9 @@ TEST_F(LogicalDnsClusterTest, NegativeDnsJitter) { "(?s)Invalid duration: Expected positive duration:.*seconds: -1\n"); } -TEST_F(LogicalDnsClusterTest, ExtremeJitter) { +TEST_P(LogicalDnsImplementationsTest, ExtremeJitter) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); // When random returns large values, they were being reinterpreted as very negative values causing // negative refresh rates. const std::string jitter_yaml = R"EOF( @@ -950,6 +1031,87 @@ TEST_F(LogicalDnsClusterTest, ExtremeJitter) { TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); } +// This test makes sure that the logical DNS cluster updates not only the +// primary address of a host, but also the following addresses returned by +// the DNS response. This is important for Happy Eyeballs. +TEST_P(LogicalDnsImplementationsTest, LogicalDnsUpdatesEntireAddressList) { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); + const std::string config = R"EOF( + name: name + cluster_type: + name: cluster1 + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dns.v3.DnsCluster + dns_refresh_rate: 4s + dns_lookup_family: V4_ONLY + all_addresses_in_single_endpoint: true # logical DNS + lb_policy: ROUND_ROBIN + load_assignment: + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: foo.bar.com + port_value: 443 + )EOF"; + + EXPECT_CALL(initialized_, ready()); + expectResolve(Network::DnsLookupFamily::V4Only, "foo.bar.com"); + ASSERT_TRUE(factorySetupFromV3Yaml(config).ok()); + + EXPECT_CALL(membership_updated_, ready()); + EXPECT_CALL(*resolve_timer_, enableTimer(testing::Ge(std::chrono::milliseconds(3000)), _)) + .Times(AnyNumber()); + + dns_callback_( + Network::DnsResolver::ResolutionStatus::Completed, "", + TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); + + auto logical_host = cluster_->prioritySet().hostSetsPerPriority()[0]->hosts()[0]; + EXPECT_CALL(server_context_.dispatcher_, + createClientConnection_( + PointeesEq(*Network::Utility::resolveUrl("tcp://127.0.0.1:443")), _, _, _)) + .WillOnce(Return(new NiceMock())); + EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)).Times(AnyNumber()); + + auto data = logical_host->createConnection(server_context_.dispatcher_, nullptr, nullptr); + ASSERT_NE(data.host_description_->addressListOrNull(), nullptr); + std::vector expected_addresses = {"127.0.0.1:443", "127.0.0.2:443"}; + std::vector actual_addresses; + for (const auto& addr : *data.host_description_->addressListOrNull()) { + actual_addresses.push_back(addr->asString()); + } + EXPECT_THAT(actual_addresses, ::testing::UnorderedElementsAreArray(expected_addresses)); + + expectResolve(Network::DnsLookupFamily::V4Only, "foo.bar.com"); + resolve_timer_->invokeCallback(); + + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_new_dns_implementation")) { + EXPECT_CALL(membership_updated_, ready()); + } + + dns_callback_( + Network::DnsResolver::ResolutionStatus::Completed, "", + TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.3"}, std::chrono::seconds(3000))); + + logical_host = cluster_->prioritySet().hostSetsPerPriority()[0]->hosts()[0]; + EXPECT_CALL(server_context_.dispatcher_, + createClientConnection_( + PointeesEq(*Network::Utility::resolveUrl("tcp://127.0.0.1:443")), _, _, _)) + .WillOnce(Return(new NiceMock())); + EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)).Times(AnyNumber()); + data = logical_host->createConnection(server_context_.dispatcher_, nullptr, nullptr); + ASSERT_NE(data.host_description_->addressListOrNull(), nullptr); + expected_addresses = {"127.0.0.1:443", "127.0.0.3:443"}; + actual_addresses.clear(); + for (const auto& addr : *data.host_description_->addressListOrNull()) { + actual_addresses.push_back(addr->asString()); + } + EXPECT_THAT(actual_addresses, ::testing::UnorderedElementsAreArray(expected_addresses)); +} + } // namespace } // namespace Upstream } // namespace Envoy diff --git a/test/extensions/filters/http/aws_request_signing/BUILD b/test/extensions/filters/http/aws_request_signing/BUILD index b1d387a3b94a3..e90ef61f3200a 100644 --- a/test/extensions/filters/http/aws_request_signing/BUILD +++ b/test/extensions/filters/http/aws_request_signing/BUILD @@ -41,7 +41,7 @@ envoy_extension_cc_test( extension_names = ["envoy.filters.http.aws_request_signing"], rbe_pool = "6gig", deps = [ - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/aws_request_signing:aws_request_signing_filter_lib", "//source/extensions/filters/http/aws_request_signing:config", "//test/extensions/common/aws:aws_mocks", diff --git a/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc b/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc index b8501229cb8b2..64df10ef69bab 100644 --- a/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc +++ b/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc @@ -1,7 +1,9 @@ #include "envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.pb.h" #include "envoy/upstream/load_balancer.h" -#include "source/extensions/clusters/logical_dns/logical_dns_cluster.h" +#include "source/common/common/logger.h" +#include "source/common/upstream/cluster_factory_impl.h" +#include "source/extensions/clusters/dns/dns_cluster.h" #include "test/integration/http_integration.h" #include "test/test_common/registry.h" @@ -359,7 +361,7 @@ TEST_P(AwsRequestSigningIntegrationTest, SigV4AIntegrationUpstream) { EXPECT_FALSE( upstream_request_->headers().get(Http::LowerCaseString("x-amz-content-sha256")).empty()); } -class MockLogicalDnsClusterFactory : public Upstream::LogicalDnsClusterFactory { +class MockLogicalDnsClusterFactory : public Upstream::DnsClusterFactory { public: MockLogicalDnsClusterFactory() = default; ~MockLogicalDnsClusterFactory() override = default; @@ -384,7 +386,7 @@ class InitializeFilterTest : public ::testing::Test, public HttpIntegrationTest use_lds_ = false; } NiceMock logical_dns_cluster_factory_; - Registry::InjectFactory dns_cluster_factory_; + Registry::InjectFactory dns_cluster_factory_; NiceMock dns_resolver_factory_; Registry::InjectFactory registered_dns_factory_; @@ -865,7 +867,7 @@ class CdsInteractionTest : public testing::Test, public HttpIntegrationTest { } NiceMock logical_dns_cluster_factory_; - Registry::InjectFactory dns_cluster_factory_; + Registry::InjectFactory dns_cluster_factory_; NiceMock dns_resolver_factory_; Registry::InjectFactory registered_dns_factory_; diff --git a/test/extensions/filters/http/dynamic_forward_proxy/BUILD b/test/extensions/filters/http/dynamic_forward_proxy/BUILD index f5e2d9ac10372..2f724efceda54 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/BUILD +++ b/test/extensions/filters/http/dynamic_forward_proxy/BUILD @@ -80,8 +80,8 @@ envoy_extension_cc_test( tags = ["fails_on_clang_cl"], deps = [ ":test_resolver_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/dynamic_forward_proxy:cluster", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/filters/http/dynamic_forward_proxy:config", "//source/extensions/filters/http/set_filter_state:config", "//source/extensions/key_value/file_based:config_lib", @@ -114,8 +114,8 @@ envoy_extension_cc_test( tags = ["fails_on_clang_cl"], deps = [ ":test_resolver_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/dynamic_forward_proxy:cluster", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/filters/http/dynamic_forward_proxy:config", "//source/extensions/filters/http/set_filter_state:config", "//source/extensions/key_value/file_based:config_lib", diff --git a/test/extensions/filters/http/ext_authz/BUILD b/test/extensions/filters/http/ext_authz/BUILD index 694c9a635f2b9..33e055d352187 100644 --- a/test/extensions/filters/http/ext_authz/BUILD +++ b/test/extensions/filters/http/ext_authz/BUILD @@ -79,7 +79,7 @@ envoy_extension_cc_test( deps = [ ":ext_authz_fuzz_proto_cc_proto", ":logging_test_filter_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/ext_authz:config", "//source/extensions/listener_managers/validation_listener_manager:validation_listener_manager_lib", "//source/server/config_validation:server_lib", diff --git a/test/integration/BUILD b/test/integration/BUILD index 4449d2516603f..7e4d98558cfdf 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -430,8 +430,8 @@ envoy_cc_test_binary( "//source/common/http:rds_lib", "//source/exe:envoy_main_common_with_core_extensions_lib", "//source/exe:platform_impl_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/static:static_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/load_balancing_policies/cluster_provided:config", "//source/extensions/load_balancing_policies/least_request:config", "//source/extensions/load_balancing_policies/random:config", @@ -903,8 +903,7 @@ envoy_cc_test_library( ":http_protocol_integration_lib", ":socket_interface_swap_lib", "//source/common/http:header_map_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/buffer:config", "//test/common/http/http2:http2_frame", "//test/integration/filters:add_invalid_data_filter_lib", @@ -2882,8 +2881,7 @@ envoy_cc_test( ":http_protocol_integration_lib", "//source/common/http:character_set_validation_lib", "//source/common/http:header_map_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/buffer:config", "//source/extensions/http/header_validators/envoy_default:character_tables", "//test/test_common:logging_lib", diff --git a/test/integration/admin_html/BUILD b/test/integration/admin_html/BUILD index e3f777c8fcfad..e9d7912b2bef2 100644 --- a/test/integration/admin_html/BUILD +++ b/test/integration/admin_html/BUILD @@ -18,7 +18,7 @@ envoy_cc_test_binary( "//source/common/formatter:formatter_extension_lib", "//source/exe:envoy_main_common_with_core_extensions_lib", "//source/exe:platform_impl_lib", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/static:static_cluster_lib", "//source/server/admin:admin_html_util", "@com_google_absl//absl/debugging:symbolize", diff --git a/test/server/BUILD b/test/server/BUILD index c1175b3363133..2e8665af462a9 100644 --- a/test/server/BUILD +++ b/test/server/BUILD @@ -364,7 +364,7 @@ envoy_cc_test( "//source/common/common:notification_lib", "//source/common/version:version_lib", "//source/extensions/access_loggers/file:config", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/buffer:config", "//source/extensions/filters/http/grpc_http1_bridge:config", "//source/extensions/filters/http/health_check:config", diff --git a/test/server/config_validation/BUILD b/test/server/config_validation/BUILD index 3c9c1a5d048fd..91705b2691ce1 100644 --- a/test/server/config_validation/BUILD +++ b/test/server/config_validation/BUILD @@ -53,9 +53,8 @@ envoy_cc_test( rbe_pool = "6gig", deps = [ "//source/extensions/access_loggers/stream:config", - "//source/extensions/clusters/logical_dns:logical_dns_cluster_lib", + "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/original_dst:original_dst_cluster_lib", - "//source/extensions/clusters/strict_dns:strict_dns_cluster_lib", "//source/extensions/filters/http/router:config", "//source/extensions/filters/listener/original_dst:config", "//source/extensions/filters/network/http_connection_manager:config", From a036f72552a022ee51b5f2cf14237fb29dbd9e23 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 6 Aug 2025 15:06:02 +0200 Subject: [PATCH 179/505] http3: deprecate runtime flag http3_happy_eyeballs and remove legacy code paths (#40593) Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/http/conn_pool_grid.cc | 5 +---- source/common/runtime/runtime_features.cc | 1 - 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index f2602532cefed..762eeafba0bb0 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -56,6 +56,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: http3 + change: | + Removed runtime guard ``envoy.reloadable_features.http3_happy_eyeballs`` and legacy code paths. - area: dns_resolver change: | Removed runtime guard ``envoy.reloadable_features.getaddrinfo_num_retries`` and legacy code paths. diff --git a/source/common/http/conn_pool_grid.cc b/source/common/http/conn_pool_grid.cc index efd45066c9068..6a83e608b343a 100644 --- a/source/common/http/conn_pool_grid.cc +++ b/source/common/http/conn_pool_grid.cc @@ -105,10 +105,7 @@ bool ConnectivityGrid::WrapperCallbacks::shouldAttemptSecondHttp3Connection() { if (has_tried_http3_alternate_address_) { return false; } - // Branch on reloadable flags. - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { - return false; - } + // QUIC "happy eyeballs" currently only handles one v4 and one v6 address. If // there's not multiple families don't bother. return hasBothAddressFamilies(grid_.host_); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index a57c7f5ef6ca0..bc448890b05c9 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -49,7 +49,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_disallow_lone_cr_in_chunk_ex RUNTIME_GUARD(envoy_reloadable_features_http2_discard_host_header); RUNTIME_GUARD(envoy_reloadable_features_http2_propagate_reset_events); RUNTIME_GUARD(envoy_reloadable_features_http2_use_oghttp2); -RUNTIME_GUARD(envoy_reloadable_features_http3_happy_eyeballs); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_trailers); // Delay deprecation and decommission until UHV is enabled. From 3e3cfd2cd96bd27259bc4eb12113cf7d89e421f8 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 6 Aug 2025 15:26:00 +0200 Subject: [PATCH 180/505] http3: deprecate flag http3_remove_empty_trailers and remove legacy code paths (#40596) ## Description This PR removes the deprecated reloadable flag `http3_remove_empty_trailers` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39119 --- **Commit Message:** router: deprecate flag http3_remove_empty_trailers and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `http3_remove_empty_trailers` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/quic/envoy_quic_server_stream.cc | 14 ++++++-------- source/common/runtime/runtime_features.cc | 1 - 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 762eeafba0bb0..fe9627e63ae05 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -47,6 +47,9 @@ removed_config_or_runtime: - area: udp_proxy change: | Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. +- area: http3 + change: | + Removed runtime guard ``envoy.reloadable_features.http3_remove_empty_trailers`` and legacy code paths. - area: network change: | Removed runtime guard ``envoy.reloadable_features.udp_socket_apply_aggregated_read_limit`` and legacy code paths. diff --git a/source/common/quic/envoy_quic_server_stream.cc b/source/common/quic/envoy_quic_server_stream.cc index f2b4edf7ddd65..16186db5c5c50 100644 --- a/source/common/quic/envoy_quic_server_stream.cc +++ b/source/common/quic/envoy_quic_server_stream.cc @@ -97,14 +97,12 @@ void EnvoyQuicServerStream::encodeHeaders(const Http::ResponseHeaderMap& headers } void EnvoyQuicServerStream::encodeTrailers(const Http::ResponseTrailerMap& trailers) { - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_remove_empty_trailers")) { - if (trailers.empty()) { - ENVOY_STREAM_LOG(debug, "skipping submitting empty trailers", *this); - // Instead of submitting empty trailers, we send empty data with end_stream=true instead. - Buffer::OwnedImpl empty_buffer; - encodeData(empty_buffer, true); - return; - } + if (trailers.empty()) { + ENVOY_STREAM_LOG(debug, "skipping submitting empty trailers", *this); + // Instead of submitting empty trailers, we send empty data with end_stream=true instead. + Buffer::OwnedImpl empty_buffer; + encodeData(empty_buffer, true); + return; } ENVOY_STREAM_LOG(debug, "encodeTrailers: {}.", *this, trailers); encodeTrailersImpl(envoyHeadersToHttp2HeaderBlock(trailers)); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index bc448890b05c9..50a342c8191f6 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -50,7 +50,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http2_discard_host_header); RUNTIME_GUARD(envoy_reloadable_features_http2_propagate_reset_events); RUNTIME_GUARD(envoy_reloadable_features_http2_use_oghttp2); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); -RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_trailers); // Delay deprecation and decommission until UHV is enabled. RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); From 5a086559bece29bc8e2bf14614b47c1afbd6ccf3 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 6 Aug 2025 18:18:50 +0200 Subject: [PATCH 181/505] Revert "http3: deprecate runtime flag http3_happy_eyeballs and remove legacy..." (#40617) This reverts commit a036f72552a022ee51b5f2cf14237fb29dbd9e23. **See:** https://github.com/envoyproxy/envoy/pull/40593#issuecomment-3160480027 Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 --- source/common/http/conn_pool_grid.cc | 5 ++++- source/common/runtime/runtime_features.cc | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index fe9627e63ae05..b7bf66e9f0b28 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -59,9 +59,6 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. -- area: http3 - change: | - Removed runtime guard ``envoy.reloadable_features.http3_happy_eyeballs`` and legacy code paths. - area: dns_resolver change: | Removed runtime guard ``envoy.reloadable_features.getaddrinfo_num_retries`` and legacy code paths. diff --git a/source/common/http/conn_pool_grid.cc b/source/common/http/conn_pool_grid.cc index 6a83e608b343a..efd45066c9068 100644 --- a/source/common/http/conn_pool_grid.cc +++ b/source/common/http/conn_pool_grid.cc @@ -105,7 +105,10 @@ bool ConnectivityGrid::WrapperCallbacks::shouldAttemptSecondHttp3Connection() { if (has_tried_http3_alternate_address_) { return false; } - + // Branch on reloadable flags. + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + return false; + } // QUIC "happy eyeballs" currently only handles one v4 and one v6 address. If // there's not multiple families don't bother. return hasBothAddressFamilies(grid_.host_); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 50a342c8191f6..4aaa348475814 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -49,6 +49,7 @@ RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_disallow_lone_cr_in_chunk_ex RUNTIME_GUARD(envoy_reloadable_features_http2_discard_host_header); RUNTIME_GUARD(envoy_reloadable_features_http2_propagate_reset_events); RUNTIME_GUARD(envoy_reloadable_features_http2_use_oghttp2); +RUNTIME_GUARD(envoy_reloadable_features_http3_happy_eyeballs); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); // Delay deprecation and decommission until UHV is enabled. RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); From c3ad18af95fd23d6383f0cd237cb048115346d54 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 6 Aug 2025 23:26:50 +0200 Subject: [PATCH 182/505] quic: deprecate flag report_stream_reset_error_code and remove legacy code paths (#40592) ## Description This PR removes the deprecated reloadable flag `report_stream_reset_error_code` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/38051 --- **Commit Message:** router: deprecate flag report_stream_reset_error_code and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `report_stream_reset_error_code` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/quic/envoy_quic_client_stream.cc | 13 +++---------- source/common/quic/envoy_quic_server_stream.cc | 14 +++----------- source/common/router/upstream_codec_filter.cc | 9 +-------- source/common/router/upstream_request.cc | 7 +------ source/common/runtime/runtime_features.cc | 1 - 6 files changed, 11 insertions(+), 36 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index b7bf66e9f0b28..a9eea760548eb 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -47,6 +47,9 @@ removed_config_or_runtime: - area: udp_proxy change: | Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. +- area: quic + change: | + Removed runtime guard ``envoy.reloadable_features.report_stream_reset_error_code`` and legacy code paths. - area: http3 change: | Removed runtime guard ``envoy.reloadable_features.http3_remove_empty_trailers`` and legacy code paths. diff --git a/source/common/quic/envoy_quic_client_stream.cc b/source/common/quic/envoy_quic_client_stream.cc index cdfb83d2553f5..e7be876045555 100644 --- a/source/common/quic/envoy_quic_client_stream.cc +++ b/source/common/quic/envoy_quic_client_stream.cc @@ -257,10 +257,7 @@ bool EnvoyQuicClientStream::OnStopSending(quic::QuicResetStreamError error) { // Treat this as a remote reset, since the stream will be closed in both directions. runResetCallbacks( quicRstErrorToEnvoyRemoteResetReason(error.internal_code()), - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code") - ? absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), - "|FROM_PEER") - : absl::string_view()); + absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), "|FROM_PEER")); } return true; } @@ -360,9 +357,7 @@ void EnvoyQuicClientStream::OnStreamReset(const quic::QuicRstStreamFrame& frame) if (write_side_closed() && !end_stream_decoded_and_encoded) { runResetCallbacks( quicRstErrorToEnvoyRemoteResetReason(frame.error_code), - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code") - ? absl::StrCat(quic::QuicRstStreamErrorCodeToString(frame.error_code), "|FROM_PEER") - : absl::string_view()); + absl::StrCat(quic::QuicRstStreamErrorCodeToString(frame.error_code), "|FROM_PEER")); } } @@ -374,9 +369,7 @@ void EnvoyQuicClientStream::ResetWithError(quic::QuicResetStreamError error) { // Upper layers expect calling resetStream() to immediately raise reset callbacks. runResetCallbacks( quicRstErrorToEnvoyLocalResetReason(error.internal_code()), - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code") - ? absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), "|FROM_SELF") - : absl::string_view()); + absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), "|FROM_SELF")); if (session()->connection()->connected()) { quic::QuicSpdyClientStream::ResetWithError(error); } diff --git a/source/common/quic/envoy_quic_server_stream.cc b/source/common/quic/envoy_quic_server_stream.cc index 16186db5c5c50..c65c900e50bd3 100644 --- a/source/common/quic/envoy_quic_server_stream.cc +++ b/source/common/quic/envoy_quic_server_stream.cc @@ -357,10 +357,7 @@ bool EnvoyQuicServerStream::OnStopSending(quic::QuicResetStreamError error) { // Treat this as a remote reset, since the stream will be closed in both directions. runResetCallbacks( quicRstErrorToEnvoyRemoteResetReason(error.internal_code()), - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code") - ? absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), - "|FROM_PEER") - : absl::string_view()); + absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), "|FROM_PEER")); } return true; } @@ -378,9 +375,7 @@ void EnvoyQuicServerStream::OnStreamReset(const quic::QuicRstStreamFrame& frame) // stream callback. runResetCallbacks( quicRstErrorToEnvoyRemoteResetReason(frame.error_code), - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code") - ? absl::StrCat(quic::QuicRstStreamErrorCodeToString(frame.error_code), "|FROM_PEER") - : absl::string_view()); + absl::StrCat(quic::QuicRstStreamErrorCodeToString(frame.error_code), "|FROM_PEER")); } } @@ -393,10 +388,7 @@ void EnvoyQuicServerStream::ResetWithError(quic::QuicResetStreamError error) { // Upper layers expect calling resetStream() to immediately raise reset callbacks. runResetCallbacks( quicRstErrorToEnvoyLocalResetReason(error.internal_code()), - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code") - ? absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), - "|FROM_SELF") - : absl::string_view()); + absl::StrCat(quic::QuicRstStreamErrorCodeToString(error.internal_code()), "|FROM_SELF")); } quic::QuicSpdyServerStreamBase::ResetWithError(error); } diff --git a/source/common/router/upstream_codec_filter.cc b/source/common/router/upstream_codec_filter.cc index 6c4dd3c0ecc0c..7d43509920e4c 100644 --- a/source/common/router/upstream_codec_filter.cc +++ b/source/common/router/upstream_codec_filter.cc @@ -233,14 +233,7 @@ void UpstreamCodecFilter::CodecBridge::onResetStream(Http::StreamResetReason rea std::string failure_reason(transport_failure_reason); if (reason == Http::StreamResetReason::LocalReset) { - if (!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.report_stream_reset_error_code")) { - ASSERT(transport_failure_reason.empty()); - // Use this to communicate to the upstream request to not force-terminate. - failure_reason = "codec_error"; - } else { - failure_reason = absl::StrCat(transport_failure_reason, "|codec_error"); - } + failure_reason = absl::StrCat(transport_failure_reason, "|codec_error"); } filter_.callbacks_->resetStream(reason, failure_reason); } diff --git a/source/common/router/upstream_request.cc b/source/common/router/upstream_request.cc index c81ef69b2a134..ca8912ffd160c 100644 --- a/source/common/router/upstream_request.cc +++ b/source/common/router/upstream_request.cc @@ -797,12 +797,7 @@ void UpstreamRequestFilterManagerCallbacks::resetStream( // which should force reset the stream, and a codec driven reset, which should // tell the router the stream reset, and let the router make the decision to // send a local reply, or retry the stream. - bool is_codec_error; - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.report_stream_reset_error_code")) { - is_codec_error = absl::StrContains(transport_failure_reason, "codec_error"); - } else { - is_codec_error = transport_failure_reason == "codec_error"; - } + bool is_codec_error = absl::StrContains(transport_failure_reason, "codec_error"); if (reset_reason == Http::StreamResetReason::LocalReset && !is_codec_error) { upstream_request_.parent_.callbacks()->resetStream(); return; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 4aaa348475814..cd80fb4ab2a8e 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -74,7 +74,6 @@ RUNTIME_GUARD(envoy_reloadable_features_quic_upstream_reads_fixed_number_packets RUNTIME_GUARD(envoy_reloadable_features_quic_upstream_socket_use_address_cache_for_read); RUNTIME_GUARD(envoy_reloadable_features_reject_empty_trusted_ca_file); RUNTIME_GUARD(envoy_reloadable_features_report_load_with_rq_issued); -RUNTIME_GUARD(envoy_reloadable_features_report_stream_reset_error_code); RUNTIME_GUARD(envoy_reloadable_features_router_filter_resetall_on_local_reply); RUNTIME_GUARD(envoy_reloadable_features_skip_dns_lookup_for_proxied_requests); RUNTIME_GUARD(envoy_reloadable_features_skip_ext_proc_on_local_reply); From 24fab5af6478329df0e126d4e552f5424708f108 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 22:19:12 -0700 Subject: [PATCH 183/505] deps: Bump `bazel_gazelle` -> 0.45.0 (#40603) ## Description This PR bumps bazel_gazelle -> 0.45.0. Fix https://github.com/envoyproxy/envoy/issues/40580 --- Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 2856f7a1588dc..a60df540260ed 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -47,10 +47,10 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Gazelle", project_desc = "Bazel BUILD file generator for Go projects", project_url = "https://github.com/bazelbuild/bazel-gazelle", - version = "0.44.0", - sha256 = "49b14c691ceec841f445f8642d28336e99457d1db162092fd5082351ea302f1d", + version = "0.45.0", + sha256 = "e467b801046b6598c657309b45d2426dc03513777bd1092af2c62eebf990aca5", urls = ["https://github.com/bazelbuild/bazel-gazelle/releases/download/v{version}/bazel-gazelle-v{version}.tar.gz"], - release_date = "2025-06-13", + release_date = "2025-08-04", use_category = ["build"], license = "Apache-2.0", license_url = "https://github.com/bazelbuild/bazel-gazelle/blob/v{version}/LICENSE", From 8a75b2ca447908cd879fefefa3aed7ebcb08fbb7 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 22:19:24 -0700 Subject: [PATCH 184/505] deps: Bump `aws_lc` -> 1.57.0 (#40604) ## Description This PR bumps `aws_lc` -> 1.57.0 Fix https://github.com/envoyproxy/envoy/issues/40579 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index a60df540260ed..95a2269fd9d74 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -164,12 +164,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "AWS libcrypto (AWS-LC)", project_desc = "OpenSSL compatible general-purpose crypto library", project_url = "https://github.com/aws/aws-lc", - version = "1.56.0", - sha256 = "b7c5a91551ee067932a237ce6fdb5293d34d621e7e4b49f3974080b91be50bc2", + version = "1.57.0", + sha256 = "52b2284dedd8b0da8b75c51997954cb98cec157747496c41937a5c8c22919590", strip_prefix = "aws-lc-{version}", urls = ["https://github.com/aws/aws-lc/archive/v{version}.tar.gz"], use_category = ["controlplane", "dataplane_core"], - release_date = "2025-07-22", + release_date = "2025-08-04", cpe = "cpe:2.3:a:google:boringssl:*", ), aspect_bazel_lib = dict( From ebcde9d36c9e0677e8c379ea2866ebada8d11b8b Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 7 Aug 2025 01:20:00 -0400 Subject: [PATCH 185/505] Make test work with newer absl::Status (#40597) Risk Level: none Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- test/common/router/config_impl_test.cc | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index 79bc1825d7469..79d181aa37561 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -46,6 +46,7 @@ namespace { using ::testing::_; using ::testing::ContainerEq; +using ::testing::ContainsRegex; using ::testing::ElementsAre; using ::testing::Eq; using ::testing::IsEmpty; @@ -1415,11 +1416,12 @@ TEST_F(RouteMatcherTest, TestMatchInvalidInput) { {"www2", "root_www2", "www2_staging", "instant-server"}, {}); TestConfigImpl give_me_a_name(parseRouteConfigurationFromYaml(yaml), factory_context_, true, creation_status_); - EXPECT_EQ( + EXPECT_THAT( creation_status_.message(), - "requirement violation while creating route match tree: INVALID_ARGUMENT: Route table can " - "only match on request headers, saw " - "type.googleapis.com/envoy.type.matcher.v3.HttpResponseHeaderMatchInput"); + ContainsRegex("requirement violation while creating route match tree: INVALID_ARGUMENT: " + "Route table can " + "only match on request headers, saw " + "type.googleapis.com/envoy.type.matcher.v3.HttpResponseHeaderMatchInput")); } // Validates that we fail creating a route config if an invalid data input is used. From a11b3698fddb0bc9eadb4a506bf5203f835e51f4 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 7 Aug 2025 18:49:19 +0200 Subject: [PATCH 186/505] rbac: switch to using LC Trie for RBAC IP range matcher (#40536) ## Description This PR is a follow-up to our [previous change](https://github.com/envoyproxy/envoy/pull/40493) where we introduced the capability for RBAC to use LC-Trie. This change is for switching the RBAC to using the LC-Trie. We have also deprecated the old constructor in this PR in favor of `absl::Status`. --- **Commit Message:** rbac: switch to using LC Trie for RBAC IP range matcher **Additional Description:** This change is for switching the RBAC to using the LC-Trie **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- .../filters/common/rbac/matchers.cc | 82 ++++--- .../extensions/filters/common/rbac/matchers.h | 7 +- test/extensions/filters/common/rbac/BUILD | 1 + .../filters/common/rbac/matchers_test.cc | 201 ++++++++++++++++-- 4 files changed, 237 insertions(+), 54 deletions(-) diff --git a/source/extensions/filters/common/rbac/matchers.cc b/source/extensions/filters/common/rbac/matchers.cc index 647a0c810b22c..ecd9473f43758 100644 --- a/source/extensions/filters/common/rbac/matchers.cc +++ b/source/extensions/filters/common/rbac/matchers.cc @@ -1,5 +1,6 @@ #include "source/extensions/filters/common/rbac/matchers.h" +#include "envoy/common/exception.h" #include "envoy/config/rbac/v3/rbac.pb.h" #include "envoy/upstream/upstream.h" @@ -23,9 +24,12 @@ MatcherConstPtr Matcher::create(const envoy::config::rbac::v3::Permission& permi return std::make_unique(permission.or_rules(), validation_visitor, context); case envoy::config::rbac::v3::Permission::RuleCase::kHeader: return std::make_unique(permission.header(), context); - case envoy::config::rbac::v3::Permission::RuleCase::kDestinationIp: - return std::make_unique(permission.destination_ip(), - IPMatcher::Type::DownstreamLocal); + case envoy::config::rbac::v3::Permission::RuleCase::kDestinationIp: { + auto matcher_result = + IPMatcher::create(permission.destination_ip(), IPMatcher::Type::DownstreamLocal); + THROW_IF_NOT_OK_REF(matcher_result.status()); + return std::move(matcher_result.value()); + } case envoy::config::rbac::v3::Permission::RuleCase::kDestinationPort: return std::make_unique(permission.destination_port()); case envoy::config::rbac::v3::Permission::RuleCase::kDestinationPortRange: @@ -74,15 +78,24 @@ MatcherConstPtr Matcher::create(const envoy::config::rbac::v3::Principal& princi return std::make_unique(principal.or_ids(), context); case envoy::config::rbac::v3::Principal::IdentifierCase::kAuthenticated: return std::make_unique(principal.authenticated(), context); - case envoy::config::rbac::v3::Principal::IdentifierCase::kSourceIp: - return std::make_unique(principal.source_ip(), - IPMatcher::Type::ConnectionRemote); - case envoy::config::rbac::v3::Principal::IdentifierCase::kDirectRemoteIp: - return std::make_unique(principal.direct_remote_ip(), - IPMatcher::Type::DownstreamDirectRemote); - case envoy::config::rbac::v3::Principal::IdentifierCase::kRemoteIp: - return std::make_unique(principal.remote_ip(), - IPMatcher::Type::DownstreamRemote); + case envoy::config::rbac::v3::Principal::IdentifierCase::kSourceIp: { + auto matcher_result = + IPMatcher::create(principal.source_ip(), IPMatcher::Type::ConnectionRemote); + THROW_IF_NOT_OK_REF(matcher_result.status()); + return std::move(matcher_result.value()); + } + case envoy::config::rbac::v3::Principal::IdentifierCase::kDirectRemoteIp: { + auto matcher_result = + IPMatcher::create(principal.direct_remote_ip(), IPMatcher::Type::DownstreamDirectRemote); + THROW_IF_NOT_OK_REF(matcher_result.status()); + return std::move(matcher_result.value()); + } + case envoy::config::rbac::v3::Principal::IdentifierCase::kRemoteIp: { + auto matcher_result = + IPMatcher::create(principal.remote_ip(), IPMatcher::Type::DownstreamRemote); + THROW_IF_NOT_OK_REF(matcher_result.status()); + return std::move(matcher_result.value()); + } case envoy::config::rbac::v3::Principal::IdentifierCase::kHeader: return std::make_unique(principal.header(), context); case envoy::config::rbac::v3::Principal::IdentifierCase::kAny: @@ -180,14 +193,26 @@ bool HeaderMatcher::matches(const Network::Connection&, return header_->matchesHeaders(headers); } -IPMatcher::IPMatcher(const envoy::config::core::v3::CidrRange& range, Type type) : type_(type) { - // Convert single range to LC Trie for consistency. +// static +absl::StatusOr> +IPMatcher::create(const envoy::config::core::v3::CidrRange& range, Type type) { + // Convert single range to CidrRange with proper error handling. + auto cidr_result = Network::Address::CidrRange::create(range); + if (!cidr_result.ok()) { + return absl::InvalidArgumentError( + fmt::format("Failed to create CIDR range: {}", cidr_result.status().message())); + } + std::vector ranges; - ranges.push_back(THROW_OR_RETURN_VALUE(Network::Address::CidrRange::create(range), - Network::Address::CidrRange)); + ranges.push_back(std::move(cidr_result.value())); - trie_ = std::make_unique>( + // Create LC Trie directly following the pattern from Unified IP Matcher. + // Note: LcTrie constructor may throw EnvoyException on invalid input, but this + // should not happen as we've already validated the CIDR range above. + auto trie = std::make_unique>( std::vector>>{{true, ranges}}); + + return std::unique_ptr(new IPMatcher(std::move(trie), type)); } // static @@ -212,7 +237,7 @@ IPMatcher::create(const Protobuf::RepeatedPtrField>( std::vector>>{{true, cidr_ranges}}); @@ -222,17 +247,7 @@ IPMatcher::create(const Protobuf::RepeatedPtrField> trie, Type type) : trie_(std::move(trie)), type_(type) {} -bool IPMatcher::matches(const Network::Connection& connection, const Envoy::Http::RequestHeaderMap&, - const StreamInfo::StreamInfo& info) const { - const auto ip = extractIpAddress(connection, info); - if (!ip) { - return false; - } - - return !trie_->getData(ip).empty(); -} - -Network::Address::InstanceConstSharedPtr +const Network::Address::InstanceConstSharedPtr& IPMatcher::extractIpAddress(const Network::Connection& connection, const StreamInfo::StreamInfo& info) const { switch (type_) { @@ -245,7 +260,14 @@ IPMatcher::extractIpAddress(const Network::Connection& connection, case DownstreamRemote: return info.downstreamAddressProvider().remoteAddress(); } - return nullptr; + PANIC_DUE_TO_CORRUPT_ENUM; +} + +bool IPMatcher::matches(const Network::Connection& connection, const Envoy::Http::RequestHeaderMap&, + const StreamInfo::StreamInfo& info) const { + // Extract IP address using reference to avoid shared_ptr copies. + const auto& address = extractIpAddress(connection, info); + return address && !trie_->getData(address).empty(); } bool PortMatcher::matches(const Network::Connection&, const Envoy::Http::RequestHeaderMap&, diff --git a/source/extensions/filters/common/rbac/matchers.h b/source/extensions/filters/common/rbac/matchers.h index f2fe43ee9a9b8..5916d54eb71ce 100644 --- a/source/extensions/filters/common/rbac/matchers.h +++ b/source/extensions/filters/common/rbac/matchers.h @@ -123,7 +123,8 @@ class IPMatcher : public Matcher { enum Type { ConnectionRemote = 0, DownstreamLocal, DownstreamDirectRemote, DownstreamRemote }; // Single IP range constructor. - IPMatcher(const envoy::config::core::v3::CidrRange& range, Type type); + static absl::StatusOr> + create(const envoy::config::core::v3::CidrRange& range, Type type); // Multiple IP ranges constructor. static absl::StatusOr> @@ -136,8 +137,8 @@ class IPMatcher : public Matcher { // Private constructor for LC Trie-based matcher. IPMatcher(std::unique_ptr> trie, Type type); - // Extract IP address based on matcher type. - Network::Address::InstanceConstSharedPtr + // Helper method to extract IP address based on type, returning a reference to avoid copies. + const Network::Address::InstanceConstSharedPtr& extractIpAddress(const Network::Connection& connection, const StreamInfo::StreamInfo& info) const; std::unique_ptr> trie_; diff --git a/test/extensions/filters/common/rbac/BUILD b/test/extensions/filters/common/rbac/BUILD index c5d555e2da518..f28647786dcdc 100644 --- a/test/extensions/filters/common/rbac/BUILD +++ b/test/extensions/filters/common/rbac/BUILD @@ -26,6 +26,7 @@ envoy_extension_cc_test( "//test/mocks/network:network_mocks", "//test/mocks/server:server_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", + "//test/test_common:status_utility_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/config/rbac/v3:pkg_cc_proto", diff --git a/test/extensions/filters/common/rbac/matchers_test.cc b/test/extensions/filters/common/rbac/matchers_test.cc index 703b874cbaaa7..778f742b5ce96 100644 --- a/test/extensions/filters/common/rbac/matchers_test.cc +++ b/test/extensions/filters/common/rbac/matchers_test.cc @@ -14,6 +14,7 @@ #include "test/mocks/network/mocks.h" #include "test/mocks/server/server_factory_context.h" #include "test/mocks/ssl/mocks.h" +#include "test/test_common/status_utility.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -227,28 +228,50 @@ TEST(IPMatcher, IPMatcher) { downstream_remote_cidr.set_address_prefix("8.9.10.11"); downstream_remote_cidr.mutable_prefix_len()->set_value(32); - checkMatcher(IPMatcher(connection_remote_cidr, IPMatcher::Type::ConnectionRemote), true, conn, - headers, info); - checkMatcher(IPMatcher(downstream_local_cidr, IPMatcher::Type::DownstreamLocal), true, conn, - headers, info); - checkMatcher(IPMatcher(downstream_direct_remote_cidr, IPMatcher::Type::DownstreamDirectRemote), - true, conn, headers, info); - checkMatcher(IPMatcher(downstream_remote_cidr, IPMatcher::Type::DownstreamRemote), true, conn, - headers, info); + auto connection_remote_matcher = + IPMatcher::create(connection_remote_cidr, IPMatcher::Type::ConnectionRemote); + ASSERT_OK(connection_remote_matcher); + checkMatcher(*connection_remote_matcher.value(), true, conn, headers, info); + + auto downstream_local_matcher = + IPMatcher::create(downstream_local_cidr, IPMatcher::Type::DownstreamLocal); + ASSERT_OK(downstream_local_matcher); + checkMatcher(*downstream_local_matcher.value(), true, conn, headers, info); + + auto downstream_direct_remote_matcher = + IPMatcher::create(downstream_direct_remote_cidr, IPMatcher::Type::DownstreamDirectRemote); + ASSERT_OK(downstream_direct_remote_matcher); + checkMatcher(*downstream_direct_remote_matcher.value(), true, conn, headers, info); + + auto downstream_remote_matcher = + IPMatcher::create(downstream_remote_cidr, IPMatcher::Type::DownstreamRemote); + ASSERT_OK(downstream_remote_matcher); + checkMatcher(*downstream_remote_matcher.value(), true, conn, headers, info); connection_remote_cidr.set_address_prefix("4.5.6.7"); downstream_local_cidr.set_address_prefix("1.2.4.8"); downstream_direct_remote_cidr.set_address_prefix("4.5.6.0"); downstream_remote_cidr.set_address_prefix("4.5.6.7"); - checkMatcher(IPMatcher(connection_remote_cidr, IPMatcher::Type::ConnectionRemote), false, conn, - headers, info); - checkMatcher(IPMatcher(downstream_local_cidr, IPMatcher::Type::DownstreamLocal), false, conn, - headers, info); - checkMatcher(IPMatcher(downstream_direct_remote_cidr, IPMatcher::Type::DownstreamDirectRemote), - false, conn, headers, info); - checkMatcher(IPMatcher(downstream_remote_cidr, IPMatcher::Type::DownstreamRemote), false, conn, - headers, info); + auto connection_remote_matcher2 = + IPMatcher::create(connection_remote_cidr, IPMatcher::Type::ConnectionRemote); + ASSERT_OK(connection_remote_matcher2); + checkMatcher(*connection_remote_matcher2.value(), false, conn, headers, info); + + auto downstream_local_matcher2 = + IPMatcher::create(downstream_local_cidr, IPMatcher::Type::DownstreamLocal); + ASSERT_OK(downstream_local_matcher2); + checkMatcher(*downstream_local_matcher2.value(), false, conn, headers, info); + + auto downstream_direct_remote_matcher2 = + IPMatcher::create(downstream_direct_remote_cidr, IPMatcher::Type::DownstreamDirectRemote); + ASSERT_OK(downstream_direct_remote_matcher2); + checkMatcher(*downstream_direct_remote_matcher2.value(), false, conn, headers, info); + + auto downstream_remote_matcher2 = + IPMatcher::create(downstream_remote_cidr, IPMatcher::Type::DownstreamRemote); + ASSERT_OK(downstream_remote_matcher2); + checkMatcher(*downstream_remote_matcher2.value(), false, conn, headers, info); } TEST(PortMatcher, PortMatcher) { @@ -1179,7 +1202,9 @@ TEST(IPMatcher, MatchesWithNullIpAddress) { range.set_address_prefix("192.168.1.0"); range.mutable_prefix_len()->set_value(24); - IPMatcher matcher(range, IPMatcher::Type::ConnectionRemote); + auto matcher_result = IPMatcher::create(range, IPMatcher::Type::ConnectionRemote); + ASSERT_OK(matcher_result); + const auto& matcher = *matcher_result.value(); NiceMock conn; Envoy::Http::TestRequestHeaderMapImpl headers; @@ -1191,15 +1216,16 @@ TEST(IPMatcher, MatchesWithNullIpAddress) { EXPECT_FALSE(matcher.matches(conn, headers, info)); } -TEST(IPMatcher, ExtractIpAddressWithInvalidType) { - // Tests line 247: return nullptr fallback in extractIpAddress - // This test exercises the default case that should never be reached in normal operation +TEST(IPMatcher, MatchesWithConnectionRemoteAddress) { + // Tests that IPMatcher correctly extracts and matches connection remote addresses. envoy::config::core::v3::CidrRange range; range.set_address_prefix("192.168.1.0"); range.mutable_prefix_len()->set_value(24); // Create matcher with a specific type - IPMatcher matcher(range, IPMatcher::Type::ConnectionRemote); + auto matcher_result = IPMatcher::create(range, IPMatcher::Type::ConnectionRemote); + ASSERT_OK(matcher_result); + const auto& matcher = *matcher_result.value(); NiceMock conn; Envoy::Http::TestRequestHeaderMapImpl headers; @@ -1253,6 +1279,139 @@ TEST(IPMatcher, MultipleRangesCreateSuccess) { EXPECT_FALSE(result.value()->matches(conn, headers, info)); } +// Tests for kDestinationIp case in Permission matcher creation. +TEST(Matcher, CreatePermissionDestinationIp) { + envoy::config::rbac::v3::Permission permission; + auto* cidr = permission.mutable_destination_ip(); + cidr->set_address_prefix("192.168.1.0"); + cidr->mutable_prefix_len()->set_value(24); + + NiceMock validation_visitor; + NiceMock context; + + auto matcher = Matcher::create(permission, validation_visitor, context); + EXPECT_NE(matcher, nullptr); +} + +// Tests error handling in kDestinationIp case with invalid CIDR. +TEST(Matcher, CreatePermissionDestinationIpInvalidCidr) { + envoy::config::rbac::v3::Permission permission; + auto* cidr = permission.mutable_destination_ip(); + cidr->set_address_prefix("invalid.ip.address"); + cidr->mutable_prefix_len()->set_value(24); + + NiceMock validation_visitor; + NiceMock context; + + EXPECT_THROW_WITH_REGEX(Matcher::create(permission, validation_visitor, context), EnvoyException, + "Failed to create CIDR range:.*malformed IP address"); +} + +// Tests for RULE_NOT_SET case that falls through to PANIC. +TEST(Matcher, CreatePermissionRuleNotSet) { + EXPECT_DEATH( + { + envoy::config::rbac::v3::Permission permission; + + NiceMock validation_visitor; + NiceMock context; + + Matcher::create(permission, validation_visitor, context); + }, + "panic: corrupted enum"); +} + +// Tests for kSourceIp case in Principal matcher creation. +TEST(Matcher, CreatePrincipalSourceIp) { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_source_ip(); + cidr->set_address_prefix("10.0.0.0"); + cidr->mutable_prefix_len()->set_value(16); + + NiceMock context; + + auto matcher = Matcher::create(principal, context); + EXPECT_NE(matcher, nullptr); +} + +// Tests error handling in kSourceIp case with invalid CIDR. +TEST(Matcher, CreatePrincipalSourceIpInvalidCidr) { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_source_ip(); + cidr->set_address_prefix("999.999.999.999"); + cidr->mutable_prefix_len()->set_value(24); + + NiceMock context; + + EXPECT_THROW_WITH_REGEX(Matcher::create(principal, context), EnvoyException, + "Failed to create CIDR range:.*malformed IP address"); +} + +// Tests for kDirectRemoteIp case in Principal matcher creation. +TEST(Matcher, CreatePrincipalDirectRemoteIp) { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_direct_remote_ip(); + cidr->set_address_prefix("172.16.0.0"); + cidr->mutable_prefix_len()->set_value(12); + + NiceMock context; + + auto matcher = Matcher::create(principal, context); + EXPECT_NE(matcher, nullptr); +} + +// Tests error handling in kDirectRemoteIp case with invalid CIDR. +TEST(Matcher, CreatePrincipalDirectRemoteIpInvalidCidr) { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_direct_remote_ip(); + cidr->set_address_prefix(""); // Empty IP address + cidr->mutable_prefix_len()->set_value(24); + + NiceMock context; + + EXPECT_THROW_WITH_REGEX(Matcher::create(principal, context), EnvoyException, + "Failed to create CIDR range:.*malformed IP address"); +} + +// Tests for kRemoteIp case in Principal matcher creation. +TEST(Matcher, CreatePrincipalRemoteIp) { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_remote_ip(); + cidr->set_address_prefix("2001:db8::"); + cidr->mutable_prefix_len()->set_value(32); + + NiceMock context; + + auto matcher = Matcher::create(principal, context); + EXPECT_NE(matcher, nullptr); +} + +// Tests error handling in kRemoteIp case with invalid CIDR. +TEST(Matcher, CreatePrincipalRemoteIpInvalidCidr) { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_remote_ip(); + cidr->set_address_prefix("2001:db8::gggg"); // Invalid IPv6 + cidr->mutable_prefix_len()->set_value(32); + + NiceMock context; + + EXPECT_THROW_WITH_REGEX(Matcher::create(principal, context), EnvoyException, + "Failed to create CIDR range:.*malformed IP address"); +} + +// Tests for IDENTIFIER_NOT_SET case that falls through to PANIC. +TEST(Matcher, CreatePrincipalIdentifierNotSet) { + EXPECT_DEATH( + { + envoy::config::rbac::v3::Principal principal; + + NiceMock context; + + Matcher::create(principal, context); + }, + "panic: corrupted enum"); +} + } // namespace } // namespace RBAC } // namespace Common From 4a134ce926cf0b882a4c416734b579f9722ed1eb Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 8 Aug 2025 19:23:03 +0200 Subject: [PATCH 187/505] http: deprecate flag proxy_status_mapping_more_core_response_flags and remove legacy code paths (#40608) --- changelogs/current.yaml | 3 ++ source/common/runtime/runtime_features.cc | 1 - source/common/stream_info/utility.cc | 57 +++++++++------------- test/common/http/conn_manager_impl_test.cc | 20 -------- test/common/stream_info/utility_test.cc | 38 +-------------- 5 files changed, 26 insertions(+), 93 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index a9eea760548eb..b73052edeaa1a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -56,6 +56,9 @@ removed_config_or_runtime: - area: network change: | Removed runtime guard ``envoy.reloadable_features.udp_socket_apply_aggregated_read_limit`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.proxy_status_mapping_more_core_response_flags`` and legacy code paths. - area: http change: | Removed runtime guard ``envoy.reloadable_features.allow_alt_svc_for_ips`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index cd80fb4ab2a8e..d331e4aa1072b 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -63,7 +63,6 @@ RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_miss); -RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags); RUNTIME_GUARD(envoy_reloadable_features_quic_defer_logging_to_ack_listener); RUNTIME_GUARD(envoy_reloadable_features_quic_fix_defer_logging_miss_for_half_closed_stream); // Ignore the automated "remove this flag" issue: we should keep this for 1 year. Confirm with diff --git a/source/common/stream_info/utility.cc b/source/common/stream_info/utility.cc index 387ed26b0de0b..fd5cce74ce65f 100644 --- a/source/common/stream_info/utility.cc +++ b/source/common/stream_info/utility.cc @@ -445,41 +445,28 @@ ProxyStatusUtils::fromStreamInfo(const StreamInfo& stream_info) { return ProxyStatusError::HttpResponseTimeout; } - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.proxy_status_mapping_more_core_response_flags")) { - if (stream_info.hasResponseFlag(CoreResponseFlag::DurationTimeout)) { - return ProxyStatusError::ConnectionTimeout; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::LocalReset)) { - return ProxyStatusError::ConnectionTimeout; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamRemoteReset)) { - return ProxyStatusError::ConnectionTerminated; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamConnectionFailure)) { - return ProxyStatusError::ConnectionRefused; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UnauthorizedExternalService)) { - return ProxyStatusError::ConnectionRefused; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamConnectionTermination)) { - return ProxyStatusError::ConnectionTerminated; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::OverloadManager)) { - return ProxyStatusError::ConnectionLimitReached; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::DropOverLoad)) { - return ProxyStatusError::ConnectionLimitReached; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::FaultInjected)) { - return ProxyStatusError::HttpRequestError; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::DownstreamConnectionTermination)) { - return ProxyStatusError::ConnectionTerminated; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::DownstreamRemoteReset)) { - return ProxyStatusError::ConnectionTerminated; - } - } else { - if (stream_info.hasResponseFlag(CoreResponseFlag::LocalReset)) { - return ProxyStatusError::ConnectionTimeout; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamRemoteReset)) { - return ProxyStatusError::ConnectionTerminated; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamConnectionFailure)) { - return ProxyStatusError::ConnectionRefused; - } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamConnectionTermination)) { - return ProxyStatusError::ConnectionTerminated; - } + if (stream_info.hasResponseFlag(CoreResponseFlag::DurationTimeout)) { + return ProxyStatusError::ConnectionTimeout; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::LocalReset)) { + return ProxyStatusError::ConnectionTimeout; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamRemoteReset)) { + return ProxyStatusError::ConnectionTerminated; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamConnectionFailure)) { + return ProxyStatusError::ConnectionRefused; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::UnauthorizedExternalService)) { + return ProxyStatusError::ConnectionRefused; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamConnectionTermination)) { + return ProxyStatusError::ConnectionTerminated; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::OverloadManager)) { + return ProxyStatusError::ConnectionLimitReached; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::DropOverLoad)) { + return ProxyStatusError::ConnectionLimitReached; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::FaultInjected)) { + return ProxyStatusError::HttpRequestError; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::DownstreamConnectionTermination)) { + return ProxyStatusError::ConnectionTerminated; + } else if (stream_info.hasResponseFlag(CoreResponseFlag::DownstreamRemoteReset)) { + return ProxyStatusError::ConnectionTerminated; } if (stream_info.hasResponseFlag(CoreResponseFlag::UpstreamOverflow)) { diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index c4423d12bbb0b..8c65ff70ad1ed 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -4335,8 +4335,6 @@ TEST_F(ProxyStatusTest, PopulateProxyStatusWithDetailsAndResponseCode) { TEST_F(ProxyStatusTest, PopulateUnauthorizedProxyStatus) { TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.proxy_status_mapping_more_core_response_flags", "true"}}); proxy_status_config_ = std::make_unique(); proxy_status_config_->set_remove_details(false); @@ -4352,24 +4350,6 @@ TEST_F(ProxyStatusTest, PopulateUnauthorizedProxyStatus) { EXPECT_EQ(altered_headers->getStatusValue(), "403"); } -TEST_F(ProxyStatusTest, NoPopulateUnauthorizedProxyStatus) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.proxy_status_mapping_more_core_response_flags", "false"}}); - proxy_status_config_ = std::make_unique(); - proxy_status_config_->set_remove_details(false); - - initialize(); - - const ResponseHeaderMap* altered_headers = sendRequestWith( - 403, StreamInfo::CoreResponseFlag::UnauthorizedExternalService, /*details=*/"bar"); - - ASSERT_TRUE(altered_headers); - ASSERT_FALSE(altered_headers->ProxyStatus()); - EXPECT_EQ(altered_headers->getProxyStatusValue(), ""); - EXPECT_EQ(altered_headers->getStatusValue(), "403"); -} - TEST_F(ProxyStatusTest, PopulateProxyStatusWithDetails) { TestScopedRuntime scoped_runtime; proxy_status_config_ = std::make_unique(); diff --git a/test/common/stream_info/utility_test.cc b/test/common/stream_info/utility_test.cc index 89be1de3428ae..37470ecf0c74b 100644 --- a/test/common/stream_info/utility_test.cc +++ b/test/common/stream_info/utility_test.cc @@ -364,44 +364,8 @@ TEST(ProxyStatusErrorToString, TestAll) { } } -TEST(ProxyStatusFromStreamInfo, TestAll) { +TEST(ProxyStatusFromStreamInfo, TestAllWithExpandedResponseFlags) { TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.proxy_status_mapping_more_core_response_flags", "false"}}); - for (const auto& [response_flag, proxy_status_error] : - std::vector>{ - {CoreResponseFlag::FailedLocalHealthCheck, ProxyStatusError::DestinationUnavailable}, - {CoreResponseFlag::NoHealthyUpstream, ProxyStatusError::DestinationUnavailable}, - {CoreResponseFlag::UpstreamRequestTimeout, ProxyStatusError::HttpResponseTimeout}, - {CoreResponseFlag::LocalReset, ProxyStatusError::ConnectionTimeout}, - {CoreResponseFlag::UpstreamRemoteReset, ProxyStatusError::ConnectionTerminated}, - {CoreResponseFlag::UpstreamConnectionFailure, ProxyStatusError::ConnectionRefused}, - {CoreResponseFlag::UpstreamConnectionTermination, - ProxyStatusError::ConnectionTerminated}, - {CoreResponseFlag::UpstreamOverflow, ProxyStatusError::ConnectionLimitReached}, - {CoreResponseFlag::NoRouteFound, ProxyStatusError::DestinationNotFound}, - {CoreResponseFlag::RateLimited, ProxyStatusError::ConnectionLimitReached}, - {CoreResponseFlag::RateLimitServiceError, ProxyStatusError::ConnectionLimitReached}, - {CoreResponseFlag::UpstreamRetryLimitExceeded, ProxyStatusError::DestinationUnavailable}, - {CoreResponseFlag::StreamIdleTimeout, ProxyStatusError::HttpResponseTimeout}, - {CoreResponseFlag::InvalidEnvoyRequestHeaders, ProxyStatusError::HttpRequestError}, - {CoreResponseFlag::DownstreamProtocolError, ProxyStatusError::HttpRequestError}, - {CoreResponseFlag::UpstreamMaxStreamDurationReached, - ProxyStatusError::HttpResponseTimeout}, - {CoreResponseFlag::NoFilterConfigFound, ProxyStatusError::ProxyConfigurationError}, - {CoreResponseFlag::UpstreamProtocolError, ProxyStatusError::HttpProtocolError}, - {CoreResponseFlag::NoClusterFound, ProxyStatusError::DestinationUnavailable}, - {CoreResponseFlag::DnsResolutionFailed, ProxyStatusError::DnsError}}) { - NiceMock stream_info; - ON_CALL(stream_info, hasResponseFlag(response_flag)).WillByDefault(Return(true)); - EXPECT_THAT(ProxyStatusUtils::fromStreamInfo(stream_info), proxy_status_error); - } -} - -TEST(ProxyStatusFromStreamInfo, TestNewAll) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.proxy_status_mapping_more_core_response_flags", "true"}}); for (const auto& [response_flag, proxy_status_error] : std::vector>{ {CoreResponseFlag::FailedLocalHealthCheck, ProxyStatusError::DestinationUnavailable}, From 43cdcc8c0a9cb8e0e9c35d962d3a2c90a8a50ea2 Mon Sep 17 00:00:00 2001 From: phlax Date: Fri, 8 Aug 2025 19:28:36 +0100 Subject: [PATCH 188/505] macos/ci: Fix conditional runs-on setting (#40649) --- .github/workflows/envoy-macos.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/envoy-macos.yml b/.github/workflows/envoy-macos.yml index c09561e171778..e8b002b2c7e9f 100644 --- a/.github/workflows/envoy-macos.yml +++ b/.github/workflows/envoy-macos.yml @@ -54,10 +54,10 @@ jobs: request: ${{ needs.load.outputs.request }} # TODO: Remove these hardcoded branches when no longer supported runs-on: >- - ${{ (contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.31') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.32') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.33') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.34')) + ${{ (contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.31') + || contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.32') + || contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.33') + || contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.34')) && 'macos-14-xlarge' || 'macos-15-xlarge' }} source: ${{ matrix.source }} From 4aa9f4611ffbf57d8abb7da4f0c1fb67da30911d Mon Sep 17 00:00:00 2001 From: phlax Date: Fri, 8 Aug 2025 19:29:00 +0100 Subject: [PATCH 189/505] ci: Fix/improve artefact links (#40627) Signed-off-by: Ryan Northey --- bazel/README.md | 2 +- ci/repokitteh/modules/coverage.star | 8 ++++++-- ci/repokitteh/modules/docs.star | 4 ++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/bazel/README.md b/bazel/README.md index 7224e63792e86..4544cfcf5cba2 100644 --- a/bazel/README.md +++ b/bazel/README.md @@ -846,7 +846,7 @@ have seen some issues with seeing the artifacts tab. If you can't see it, log ou then log back in and it should start working. The latest coverage report for main is available -[here](https://storage.googleapis.com/envoy-postsubmit/main/coverage/index.html). The latest fuzz coverage report for main is available [here](https://storage.googleapis.com/envoy-postsubmit/main/fuzz_coverage/index.html). +[here](https://storage.googleapis.com/envoy-cncf-postsubmit/main/coverage/index.html). The latest fuzz coverage report for main is available [here](https://storage.googleapis.com/envoy-cncf-postsubmit/main/fuzz_coverage/index.html). It's also possible to specialize the coverage build to a specified test or test dir. This is useful when doing things like exploring the coverage of a fuzzer over its corpus. This can be done by diff --git a/ci/repokitteh/modules/coverage.star b/ci/repokitteh/modules/coverage.star index 76485748d7c01..d1a5347d388c7 100644 --- a/ci/repokitteh/modules/coverage.star +++ b/ci/repokitteh/modules/coverage.star @@ -3,9 +3,13 @@ COVERAGE_LINK_MESSAGE = """ Coverage for this Pull Request will be rendered here: -https://storage.googleapis.com/envoy-pr/%s/coverage/index.html +https://storage.googleapis.com/envoy-cncf-pr/%s/coverage/index.html -The coverage results are (re-)rendered each time the CI `envoy-presubmit (check linux_x64 coverage)` job completes. +For comparison, current coverage on `main` branch is here: + +https://storage.googleapis.com/envoy-cncf-postsubmit/main/coverage/index.html + +The coverage results are (re-)rendered each time the CI `Envoy/Checks (coverage)` job completes. """ diff --git a/ci/repokitteh/modules/docs.star b/ci/repokitteh/modules/docs.star index 8bd268946d798..b94d838d836ea 100644 --- a/ci/repokitteh/modules/docs.star +++ b/ci/repokitteh/modules/docs.star @@ -3,9 +3,9 @@ DOCS_LINK_MESSAGE = """ Docs for this Pull Request will be rendered here: -https://storage.googleapis.com/envoy-pr/%s/docs/index.html +https://storage.googleapis.com/envoy-cncf-pr/%s/docs/index.html -The docs are (re-)rendered each time the CI `envoy-presubmit (precheck docs)` job completes. +The docs are (re-)rendered each time the CI `Envoy/Prechecks (docs)` job completes. """ From d8698b9484ac27f7d394da77f7626449e5874f70 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 8 Aug 2025 20:45:50 +0200 Subject: [PATCH 190/505] rbac: guard LC-Trie matcher against non-IP addresses (#40631) ## Description This PR has a small fix to guard the RBAC LC-Trie based matcher against the non-IP addresses to avoid any crashes. --- **Commit Message:** rbac: guard LC-Trie matcher against non-IP addresses **Additional Description:** A small fix to guard the RBAC LC-Trie based matcher against the non-IP addresses to avoid any crashes. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- .../filters/common/rbac/matchers.cc | 10 ++- .../filters/common/rbac/matchers_test.cc | 86 +++++++++++++++++++ 2 files changed, 95 insertions(+), 1 deletion(-) diff --git a/source/extensions/filters/common/rbac/matchers.cc b/source/extensions/filters/common/rbac/matchers.cc index ecd9473f43758..8167977b88e35 100644 --- a/source/extensions/filters/common/rbac/matchers.cc +++ b/source/extensions/filters/common/rbac/matchers.cc @@ -267,7 +267,15 @@ bool IPMatcher::matches(const Network::Connection& connection, const Envoy::Http const StreamInfo::StreamInfo& info) const { // Extract IP address using reference to avoid shared_ptr copies. const auto& address = extractIpAddress(connection, info); - return address && !trie_->getData(address).empty(); + // Guard against non-IP addresses (e.g., pipe) or missing address. + if (!address) { + return false; + } + const auto* ip = address->ip(); + if (ip == nullptr) { + return false; + } + return !trie_->getData(address).empty(); } bool PortMatcher::matches(const Network::Connection&, const Envoy::Http::RequestHeaderMap&, diff --git a/test/extensions/filters/common/rbac/matchers_test.cc b/test/extensions/filters/common/rbac/matchers_test.cc index 778f742b5ce96..80253171b9b48 100644 --- a/test/extensions/filters/common/rbac/matchers_test.cc +++ b/test/extensions/filters/common/rbac/matchers_test.cc @@ -274,6 +274,92 @@ TEST(IPMatcher, IPMatcher) { checkMatcher(*downstream_remote_matcher2.value(), false, conn, headers, info); } +// Ensure non-IP addresses (e.g., pipe) do not crash IPMatcher and simply return false. +TEST(IPMatcher, NonIpAddressesReturnFalseAndDoNotCrash) { + NiceMock factory_context; + + // Principal: source_ip (ConnectionRemote) + { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_source_ip(); + cidr->set_address_prefix("::"); + cidr->mutable_prefix_len()->set_value(0); + + auto matcher = Matcher::create(principal, factory_context); + ASSERT_NE(matcher, nullptr); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + Envoy::Network::Address::InstanceConstSharedPtr pipe = + *Envoy::Network::Address::PipeInstance::create("test"); + conn.stream_info_.downstream_connection_info_provider_->setRemoteAddress(pipe); + EXPECT_FALSE(matcher->matches(conn, headers, info)); + } + + // Permission: destination_ip (DownstreamLocal) + { + envoy::config::rbac::v3::Permission permission; + auto* cidr = permission.mutable_destination_ip(); + cidr->set_address_prefix("::"); + cidr->mutable_prefix_len()->set_value(0); + + auto matcher = + Matcher::create(permission, ProtobufMessage::getStrictValidationVisitor(), factory_context); + ASSERT_NE(matcher, nullptr); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + Envoy::Network::Address::InstanceConstSharedPtr pipe = + *Envoy::Network::Address::PipeInstance::create("test"); + info.downstream_connection_info_provider_->setLocalAddress(pipe); + EXPECT_FALSE(matcher->matches(conn, headers, info)); + } + + // Principal: direct_remote_ip (DownstreamDirectRemote) + { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_direct_remote_ip(); + cidr->set_address_prefix("::"); + cidr->mutable_prefix_len()->set_value(0); + + auto matcher = Matcher::create(principal, factory_context); + ASSERT_NE(matcher, nullptr); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + Envoy::Network::Address::InstanceConstSharedPtr pipe = + *Envoy::Network::Address::PipeInstance::create("test"); + info.downstream_connection_info_provider_->setDirectRemoteAddressForTest(pipe); + EXPECT_FALSE(matcher->matches(conn, headers, info)); + } + + // Principal: remote_ip (DownstreamRemote) + { + envoy::config::rbac::v3::Principal principal; + auto* cidr = principal.mutable_remote_ip(); + cidr->set_address_prefix("::"); + cidr->mutable_prefix_len()->set_value(0); + + auto matcher = Matcher::create(principal, factory_context); + ASSERT_NE(matcher, nullptr); + + NiceMock conn; + Envoy::Http::TestRequestHeaderMapImpl headers; + NiceMock info; + + Envoy::Network::Address::InstanceConstSharedPtr pipe = + *Envoy::Network::Address::PipeInstance::create("test"); + info.downstream_connection_info_provider_->setRemoteAddress(pipe); + EXPECT_FALSE(matcher->matches(conn, headers, info)); + } +} + TEST(PortMatcher, PortMatcher) { Envoy::Network::MockConnection conn; Envoy::Http::TestRequestHeaderMapImpl headers; From bad4e8af640525f39657516a09f46f32805bd6be Mon Sep 17 00:00:00 2001 From: tjwalton <15825356+tjwalton@users.noreply.github.com> Date: Fri, 8 Aug 2025 21:48:19 +0100 Subject: [PATCH 191/505] docs: Clarify hot restart behaviour in documentation (#40520) Commit Message: docs: Clarify hot restart behaviour Additional Description: From my testing and also from https://groups.google.com/g/envoy-users/c/KmVo_Md9xiE, I learnt that hot restart does *not* transfer existing connections to the new process. The way the documentation reads implies that it does. In fact, it only gives an overlapping drain period. This documentation update hopefully clarifies this so that no-one else has to work this out for themselves. Risk Level: N/A Testing: N/A Docs Changes: yes Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: tjwalton <15825356+tjwalton@users.noreply.github.com> --- .../intro/arch_overview/operations/hot_restart.rst | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/root/intro/arch_overview/operations/hot_restart.rst b/docs/root/intro/arch_overview/operations/hot_restart.rst index 6c98220cf6562..8a6f09eabafe7 100644 --- a/docs/root/intro/arch_overview/operations/hot_restart.rst +++ b/docs/root/intro/arch_overview/operations/hot_restart.rst @@ -6,8 +6,9 @@ Hot restart Ease of operation is one of the primary goals of Envoy. In addition to robust statistics and a local administration interface, Envoy has the ability to “hot” or “live” restart itself. This means that Envoy can fully reload itself (both code and configuration) without dropping existing connections -during the :ref:`drain process `. The hot restart functionality has the -following general architecture: +during the :ref:`drain process `. However, existing connections are not +transferred to the new envoy process: they must complete during the drain process or be terminated. +The hot restart functionality has the following general architecture: * The two active processes communicate with each other over unix domain sockets using a basic RPC protocol. All counters are sent from the old process to the new process over the unix domain, and @@ -21,8 +22,12 @@ following general architecture: * During the draining phase, the old process attempts to gracefully close existing connections. How this is done depends on the configured filters. The drain time is configurable via the :option:`--drain-time-s` option and as more time passes draining becomes more aggressive. -* After drain sequence, the new Envoy process tells the old Envoy process to shut itself down. - This time is configurable via the :option:`--parent-shutdown-time-s` option. +* Later, usually after the drain sequence, the new Envoy process tells the old Envoy process to shut + itself down. This time is configurable via the :option:`--parent-shutdown-time-s` option. Note + that the `--parent-shutdown-time-s` option is independent of the `--drain-time-s` value, and so + the parent shutdown time should be set to a larger value. +* Any remaining connections to the old envoy process are closed. The hot restart functionality + does not transfer existing connections to the new process. * Envoy’s hot restart support was designed so that it will work correctly even if the new Envoy process and the old Envoy process are running inside different containers. Communication between the processes takes place only using unix domain sockets. From 61ad531044177e06028079a646ca6514ec1dd9c7 Mon Sep 17 00:00:00 2001 From: botengyao Date: Fri, 8 Aug 2025 18:33:14 -0400 Subject: [PATCH 192/505] upsteram nit: remove unused encodeBodyAndTrailers (#40652) --- source/common/router/upstream_request.h | 1 - 1 file changed, 1 deletion(-) diff --git a/source/common/router/upstream_request.h b/source/common/router/upstream_request.h index 755e4e2fad0a9..eafe0d19323c3 100644 --- a/source/common/router/upstream_request.h +++ b/source/common/router/upstream_request.h @@ -143,7 +143,6 @@ class UpstreamRequest : public Logger::Loggable, }; void readEnable(); - void encodeBodyAndTrailers(); // Getters and setters Upstream::HostDescriptionOptConstRef upstreamHost() { From 1b389f593fd9db4e9d998f208b1a284b2145e714 Mon Sep 17 00:00:00 2001 From: Gustavo Moyano Date: Sat, 9 Aug 2025 02:06:00 -0300 Subject: [PATCH 193/505] lua: extend StreamHandle API with route() to access matched route metadata (#40531) ### Description This PR extends the Envoy HTTP Lua filter StreamHandle API by introducing a new `route()` method. This method returns a Route object representing the matched route for the current request. Initially, the Route object exposes a single method: `metadata()`, which retrieves route metadata scoped to a specific filter name. This enhancement allows Lua scripts to access per-filter route metadata through a dedicated Route object, improving API consistency and paving the way for future extensions. Currently, route metadata can be accessed via `StreamHandle:metadata()`. However, with the introduction of the Route object, the preferred access pattern becomes `StreamHandle:route():metadata()`. In the long term, the goal is to migrate usage towards this new interface and deprecate the direct `StreamHandle:metadata()` method for clarity and modularity. --- **Commit Message:** lua: extend StreamHandle API with route() to access matched route metadata **Risk Level:** Low **Testing:** Unit, integration and wrapper tests added **Docs Changes:** Added **Release Notes:** Added **Platform Specific Features:** N/A --------- Signed-off-by: Gustavo Moyano --- changelogs/current.yaml | 5 + .../http/http_filters/lua_filter.rst | 55 ++++++ .../extensions/filters/http/lua/lua_filter.cc | 12 ++ .../extensions/filters/http/lua/lua_filter.h | 10 +- .../extensions/filters/http/lua/wrappers.cc | 26 +++ source/extensions/filters/http/lua/wrappers.h | 24 +++ .../filters/http/lua/lua_filter_test.cc | 158 +++++++++++++++ .../filters/http/lua/lua_integration_test.cc | 182 +++++++++++++++++- .../filters/http/lua/wrappers_test.cc | 137 +++++++++++++ 9 files changed, 605 insertions(+), 4 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index b73052edeaa1a..4adf650d14eb3 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -163,5 +163,10 @@ new_features: - area: rbac change: | Switch the IP matcher to use LC-Trie for performance improvements. +- area: lua + change: | + Added ``route()`` to the Stream handle API, allowing Lua scripts to retrieve route information. So far, the only method + implemented is ``metadata()``, allowing Lua scripts to access route metadata scoped to the specific filter name. See + :ref:`Route object API ` for more details. deprecated: diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst index db61e76725a4e..194317f9b3be3 100644 --- a/docs/root/configuration/http/http_filters/lua_filter.rst +++ b/docs/root/configuration/http/http_filters/lua_filter.rst @@ -482,6 +482,14 @@ If no entry could be found by the filter config name, then the filter canonical i.e. ``envoy.filters.http.lua`` will be used as an alternative. Note that this downgrade will be deprecated in the future. +.. note:: + + This method will be deprecated in the future. In order to access route configuration, + consider using :ref:`route object's metadata() ` instead, + which provides more consistent behavior. **Important**: route object's ``metadata()`` requires + metadata to be configured under the exact filter name and does not fall back to the + canonical name ``envoy.filters.http.lua``. + Below is an example of a ``metadata`` in a :ref:`route entry `. .. literalinclude:: _include/lua-filter.yaml @@ -694,6 +702,22 @@ an empty metadata object. Returns a :ref:`virtual host object `. +.. _config_http_filters_lua_stream_handle_api_route: + +``route()`` +^^^^^^^^^^^ + +.. code-block:: lua + + local route = handle:route() + +Returns a route object that provides access to the route configuration. This method always returns +a valid object, even when the request does not match any configured route. However, if no route +matches, calling methods on the returned object will return ``nil`` or, in the case of the ``metadata()`` method, +an empty metadata object. + +Returns a :ref:`route object `. + .. _config_http_filters_lua_header_wrapper: Header object API @@ -1621,3 +1645,34 @@ Below is an example of a ``metadata`` in a :ref:`route entry ` Returns a :ref:`metadata object `. + +.. _config_http_filters_lua_route_wrapper: + +Route object API +---------------- + +.. include:: ../../../_include/lua_common.rst + +.. _config_http_filters_lua_route_wrapper_metadata: + +``metadata()`` +^^^^^^^^^^^^^^ + +.. code-block:: lua + + local metadata = route:metadata() + +Returns the route metadata. Note that the metadata should be specified +under the :ref:`filter config name +`. + +Below is an example of a ``metadata`` in a :ref:`route entry `. + +.. literalinclude:: _include/lua-filter.yaml + :language: yaml + :lines: 33-39 + :lineno-start: 33 + :linenos: + :caption: :download:`lua-filter.yaml <_include/lua-filter.yaml>` + +Returns a :ref:`metadata object `. diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc index aa20a9ac7a0c9..9d61e3f4219fb 100644 --- a/source/extensions/filters/http/lua/lua_filter.cc +++ b/source/extensions/filters/http/lua/lua_filter.cc @@ -213,6 +213,7 @@ PerLuaCodeSetup::PerLuaCodeSetup(const std::string& lua_code, ThreadLocal::SlotA lua_state_.registerType(); lua_state_.registerType(); lua_state_.registerType(); + lua_state_.registerType(); const Filters::Common::Lua::InitializerList initializers( // EnvoyTimestampResolution "enum". @@ -641,6 +642,17 @@ int StreamHandleWrapper::luaVirtualHost(lua_State* state) { return 1; } +int StreamHandleWrapper::luaRoute(lua_State* state) { + ASSERT(state_ == State::Running); + if (route_wrapper_.get() != nullptr) { + route_wrapper_.pushStack(); + } else { + route_wrapper_.reset( + RouteWrapper::create(state, callbacks_.streamInfo(), callbacks_.filterConfigName()), true); + } + return 1; +} + int StreamHandleWrapper::luaStreamInfo(lua_State* state) { ASSERT(state_ == State::Running); if (stream_info_wrapper_.get() != nullptr) { diff --git a/source/extensions/filters/http/lua/lua_filter.h b/source/extensions/filters/http/lua/lua_filter.h index 4cd3f231287a2..4ed635b95fdbf 100644 --- a/source/extensions/filters/http/lua/lua_filter.h +++ b/source/extensions/filters/http/lua/lua_filter.h @@ -208,7 +208,8 @@ class StreamHandleWrapper : public Filters::Common::Lua::BaseLuaObject connection_wrapper_; Filters::Common::Lua::LuaDeathRef public_key_wrapper_; Filters::Common::Lua::LuaDeathRef virtual_host_wrapper_; + Filters::Common::Lua::LuaDeathRef route_wrapper_; State state_{State::Running}; std::function yield_callback_; Http::AsyncClient::Request* http_request_{}; diff --git a/source/extensions/filters/http/lua/wrappers.cc b/source/extensions/filters/http/lua/wrappers.cc index 4c88ea4e4b585..957139ca50564 100644 --- a/source/extensions/filters/http/lua/wrappers.cc +++ b/source/extensions/filters/http/lua/wrappers.cc @@ -471,6 +471,32 @@ int VirtualHostWrapper::luaMetadata(lua_State* state) { return 1; } +const ProtobufWkt::Struct& RouteWrapper::getMetadata() const { + const auto& route = stream_info_.route(); + if (route == nullptr) { + return ProtobufWkt::Struct::default_instance(); + } + + const auto& metadata = route->metadata(); + auto filter_it = metadata.filter_metadata().find(filter_config_name_); + + if (filter_it != metadata.filter_metadata().end()) { + return filter_it->second; + } + + return ProtobufWkt::Struct::default_instance(); +} + +int RouteWrapper::luaMetadata(lua_State* state) { + if (metadata_wrapper_.get() != nullptr) { + metadata_wrapper_.pushStack(); + } else { + metadata_wrapper_.reset(Filters::Common::Lua::MetadataMapWrapper::create(state, getMetadata()), + true); + } + return 1; +} + } // namespace Lua } // namespace HttpFilters } // namespace Extensions diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index f357d7665267b..91b86107d8ab1 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -478,6 +478,30 @@ class VirtualHostWrapper : public Filters::Common::Lua::BaseLuaObject metadata_wrapper_; }; +class RouteWrapper : public Filters::Common::Lua::BaseLuaObject { +public: + RouteWrapper(const StreamInfo::StreamInfo& stream_info, + const absl::string_view filter_config_name) + : stream_info_{stream_info}, filter_config_name_{filter_config_name} {} + + static ExportedFunctions exportedFunctions() { return {{"metadata", static_luaMetadata}}; } + +private: + /** + * @return a handle to the metadata. + */ + DECLARE_LUA_FUNCTION(RouteWrapper, luaMetadata); + + const ProtobufWkt::Struct& getMetadata() const; + + // Filters::Common::Lua::BaseLuaObject + void onMarkDead() override { metadata_wrapper_.reset(); } + + const StreamInfo::StreamInfo& stream_info_; + const absl::string_view filter_config_name_; + Filters::Common::Lua::LuaDeathRef metadata_wrapper_; +}; + } // namespace Lua } // namespace HttpFilters } // namespace Extensions diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc index 8039c724d57dc..80443e2b435b1 100644 --- a/test/extensions/filters/http/lua/lua_filter_test.cc +++ b/test/extensions/filters/http/lua/lua_filter_test.cc @@ -137,6 +137,22 @@ class LuaHttpFilterTest : public testing::Test { EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); } + void setupRouteMetadata(const std::string& yaml) { + auto route = std::make_shared>(); + TestUtility::loadFromYaml(yaml, route->metadata_); + + ON_CALL(stream_info_, route()).WillByDefault(Return(route)); + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillOnce(ReturnRef(stream_info_)); + EXPECT_CALL(encoder_callbacks_, streamInfo()).WillOnce(ReturnRef(stream_info_)); + + const std::string filter_name = "lua-filter-config-name"; + ON_CALL(decoder_callbacks_, filterConfigName()).WillByDefault(Return(filter_name)); + ON_CALL(encoder_callbacks_, filterConfigName()).WillByDefault(Return(filter_name)); + + EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); + } + NiceMock server_factory_context_; NiceMock tls_; NiceMock api_; @@ -4118,6 +4134,148 @@ TEST_F(LuaHttpFilterTest, GetVirtualHostMetadataFromHandleNoRoute) { }); } +// Test that handle:route():metadata() returns metadata when route matches the request. +// This verifies that when a route is found for the request, the route() function returns +// a valid object and metadata can be successfully accessed from both request and response handles. +TEST_F(LuaHttpFilterTest, GetRouteMetadataFromHandle) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + local metadata = request_handle:route():metadata() + request_handle:logTrace(metadata:get("foo.bar")["name"]) + request_handle:logTrace(metadata:get("foo.bar")["prop"]) + end + function envoy_on_response(response_handle) + local metadata = response_handle:route():metadata() + response_handle:logTrace(metadata:get("baz.bat")["name"]) + response_handle:logTrace(metadata:get("baz.bat")["prop"]) + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + lua-filter-config-name: + foo.bar: + name: foo + prop: bar + baz.bat: + name: baz + prop: bat + )EOF"}; + + InSequence s; + setup(SCRIPT); + setupRouteMetadata(METADATA); + + // Request path + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "foo"}, + {"trace", "bar"}, + }), + { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "baz"}, + {"trace", "bat"}, + }), + { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_->encodeHeaders(response_headers, true)); + }); +} + +// Test that handle:route():metadata() returns empty metadata when no filter-specific metadata +// exists. This verifies that when a route has metadata for other filters but not for the +// current one, the metadata object is empty. +TEST_F(LuaHttpFilterTest, GetRouteMetadataFromHandleNoLuaMetadata) { + const std::string SCRIPT{R"EOF( + function is_metadata_empty(metadata) + for _, _ in pairs(metadata) do + return false + end + return true + end + function envoy_on_request(request_handle) + if is_metadata_empty(request_handle:route():metadata()) then + request_handle:logTrace("No metadata found during request handling") + end + end + function envoy_on_response(response_handle) + if is_metadata_empty(response_handle:route():metadata()) then + response_handle:logTrace("No metadata found during response handling") + end + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + envoy.some_filter: + foo.bar: + name: foo + prop: bar + )EOF"}; + + InSequence s; + setup(SCRIPT); + setupRouteMetadata(METADATA); + + // Request path + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found during request handling", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found during response handling", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(response_headers, true)); + }); +} + +// Test that handle:route() returns a valid route wrapper object that can be +// safely accessed when no route matches the request. +// This verifies that calling metadata() returns an empty metadata object. +TEST_F(LuaHttpFilterTest, GetRouteFromHandleNoRoute) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + local route = request_handle:route() + for _, _ in pairs(route:metadata()) do + return + end + request_handle:logTrace("No metadata found during request handling") + end + function envoy_on_response(response_handle) + local route = response_handle:route() + for _, _ in pairs(route:metadata()) do + return + end + response_handle:logTrace("No metadata found during response handling") + end + )EOF"}; + + InSequence s; + setup(SCRIPT); + + // Request path + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found during request handling", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); + }); + + // Response path + Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}}; + EXPECT_LOG_CONTAINS("trace", "No metadata found during response handling", { + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(response_headers, true)); + }); + + EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); +} + } // namespace } // namespace Lua } // namespace HttpFilters diff --git a/test/extensions/filters/http/lua/lua_integration_test.cc b/test/extensions/filters/http/lua/lua_integration_test.cc index 13b6ee8c8dfc0..bd2fcd2c8fe62 100644 --- a/test/extensions/filters/http/lua/lua_integration_test.cc +++ b/test/extensions/filters/http/lua/lua_integration_test.cc @@ -74,12 +74,11 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { response_header->set_value("fake_value"); // Metadata variables for the virtual host and route. - std::string key; + const std::string key = "lua"; ProtobufWkt::Struct value; std::string yaml; // Sets the virtual host's metadata. - key = "lua"; yaml = R"EOF( foo.bar: @@ -94,7 +93,6 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { ->insert(Protobuf::MapPair(key, value)); // Sets the route's metadata. - key = "envoy.filters.http.lua"; yaml = R"EOF( foo.bar: @@ -344,6 +342,80 @@ name: lua EXPECT_TRUE(response.find("HTTP/1.1 400 Bad Request\r\n") == 0); } +// Test that handle:metadata() falls back to metadata under the filter canonical name +// (envoy.filters.http.lua) when no metadata is present under the filter configured name. +TEST_P(LuaIntegrationTest, MetadataFallbackToCanonicalName) { + const std::string filter_config = + R"EOF( +name: lua-filter-custom-name +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + inline_string: | + function envoy_on_request(request_handle) + local foo_bar = request_handle:metadata():get("foo.bar") + request_handle:logTrace(foo_bar["name"]) + request_handle:logTrace(foo_bar["prop"]) + end + function envoy_on_response(response_handle) + local baz_bat = response_handle:metadata():get("baz.bat") + response_handle:logTrace(baz_bat["name"]) + response_handle:logTrace(baz_bat["prop"]) + end +)EOF"; + + const std::string route_config = + R"EOF( +name: test_routes +virtual_hosts: +- name: test_vhost + domains: ["foo.lyft.com"] + routes: + - match: + path: "/test/long/url" + metadata: + filter_metadata: + envoy.filters.http.lua: + foo.bar: + name: foo + prop: bar + baz.bat: + name: baz + prop: bat + route: + cluster: cluster_0 +)EOF"; + + initializeWithYaml(filter_config, route_config); + + codec_client_ = makeHttpConnection(lookupPort("http")); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", "foo.lyft.com"}, + {"x-forwarded-for", "10.0.0.1"}}; + + IntegrationStreamDecoderPtr response; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "foo"}, + {"trace", "bar"}, + {"trace", "baz"}, + {"trace", "bat"}, + }), + { + response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(); + + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + }); + + EXPECT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); + + cleanup(); +} + // Basic request and response. TEST_P(LuaIntegrationTest, RequestAndResponse) { const std::string FILTER_AND_CODE = @@ -362,6 +434,7 @@ name: lua request_handle:logCritical("log test") local vhost_metadata = request_handle:virtualHost():metadata():get("foo.bar") + local route_metadata = request_handle:route():metadata():get("foo.bar") local metadata = request_handle:metadata():get("foo.bar") local body_length = request_handle:body():length() @@ -385,6 +458,8 @@ name: lua request_handle:headers():add("request_body_size", body_length) request_handle:headers():add("request_vhost_metadata_foo", vhost_metadata["foo"]) request_handle:headers():add("request_vhost_metadata_baz", vhost_metadata["baz"]) + request_handle:headers():add("request_route_metadata_foo", route_metadata["foo"]) + request_handle:headers():add("request_route_metadata_baz", route_metadata["baz"]) request_handle:headers():add("request_metadata_foo", metadata["foo"]) request_handle:headers():add("request_metadata_baz", metadata["baz"]) if request_handle:connection():ssl() == nil then @@ -408,10 +483,13 @@ name: lua function envoy_on_response(response_handle) local vhost_metadata = response_handle:virtualHost():metadata():get("foo.bar") + local route_metadata = response_handle:route():metadata():get("foo.bar") local metadata = response_handle:metadata():get("foo.bar") local body_length = response_handle:body():length() response_handle:headers():add("response_vhost_metadata_foo", vhost_metadata["foo"]) response_handle:headers():add("response_vhost_metadata_baz", vhost_metadata["baz"]) + response_handle:headers():add("response_route_metadata_foo", route_metadata["foo"]) + response_handle:headers():add("response_route_metadata_baz", route_metadata["baz"]) response_handle:headers():add("response_metadata_foo", metadata["foo"]) response_handle:headers():add("response_metadata_baz", metadata["baz"]) response_handle:headers():add("response_body_size", body_length) @@ -500,6 +578,16 @@ name: lua ->value() .getStringView()); + EXPECT_EQ("bar", upstream_request_->headers() + .get(Http::LowerCaseString("request_route_metadata_foo"))[0] + ->value() + .getStringView()); + + EXPECT_EQ("bat", upstream_request_->headers() + .get(Http::LowerCaseString("request_route_metadata_baz"))[0] + ->value() + .getStringView()); + EXPECT_EQ("bar", upstream_request_->headers() .get(Http::LowerCaseString("request_metadata_foo"))[0] ->value() @@ -582,6 +670,14 @@ name: lua .get(Http::LowerCaseString("response_vhost_metadata_baz"))[0] ->value() .getStringView()); + EXPECT_EQ("bar", response->headers() + .get(Http::LowerCaseString("response_route_metadata_foo"))[0] + ->value() + .getStringView()); + EXPECT_EQ("bat", response->headers() + .get(Http::LowerCaseString("response_route_metadata_baz"))[0] + ->value() + .getStringView()); EXPECT_EQ("bar", response->headers() .get(Http::LowerCaseString("response_metadata_foo"))[0] ->value() @@ -2256,6 +2352,86 @@ name: lua cleanup(); } +// Test that handle:route() returns a valid object when no route matches the request. +// This verifies that metadata() returns an empty metadata object that can be safely +// iterated. +TEST_P(LuaIntegrationTest, RouteValidWhenNoRouteMatch) { + if (!testing_downstream_filter_) { + GTEST_SKIP() << "This is a local reply test that does not go upstream"; + } + + const std::string filter_config = + R"EOF( +name: lua +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + default_source_code: + inline_string: | + function envoy_on_request(request_handle) + local route = request_handle:route() + for _, _ in pairs(route:metadata()) do + return + end + request_handle:logTrace("No metadata found during request handling") + end + function envoy_on_response(response_handle) + local route = response_handle:route() + for _, _ in pairs(route:metadata()) do + return + end + response_handle:logTrace("No metadata found during response handling") + end +)EOF"; + + const std::string route_config = + R"EOF( +name: test_routes +virtual_hosts: +- name: test_vhost + domains: ["foo.lyft.com"] + routes: + - match: + path: "/existing/route" + metadata: + filter_metadata: + lua: + foo.bar: + name: foo + prop: bar + baz.bat: + name: baz + prop: bat + route: + cluster: cluster_0 +)EOF"; + + initializeWithYaml(filter_config, route_config); + codec_client_ = makeHttpConnection(lookupPort("http")); + + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/non/existing/path"}, + {":scheme", "http"}, + {":authority", "foo.lyft.com"}, + {"x-forwarded-for", "10.0.0.1"}}; + + IntegrationStreamDecoderPtr response; + EXPECT_LOG_CONTAINS_ALL_OF(Envoy::ExpectedLogMessages({ + {"trace", "No metadata found during request handling"}, + {"trace", "No metadata found during response handling"}, + }), + { + auto encoder_decoder = codec_client_->startRequest(request_headers); + response = std::move(encoder_decoder.second); + + ASSERT_TRUE(response->waitForEndStream()); + }); + + EXPECT_TRUE(response->complete()); + EXPECT_EQ("404", response->headers().getStatusValue()); + + cleanup(); +} + #ifdef NDEBUG // This test is only run in release mode because in debug mode, // the code reaches ENVOY_BUG() which triggers a forced abort diff --git a/test/extensions/filters/http/lua/wrappers_test.cc b/test/extensions/filters/http/lua/wrappers_test.cc index f66389f16258b..25b59fc519ed2 100644 --- a/test/extensions/filters/http/lua/wrappers_test.cc +++ b/test/extensions/filters/http/lua/wrappers_test.cc @@ -15,6 +15,7 @@ using testing::Expectation; using testing::InSequence; +using testing::Return; using testing::ReturnPointee; using testing::ReturnRef; @@ -1565,6 +1566,142 @@ TEST_F(LuaVirtualHostWrapperTest, GetMetadataNoVirtualHost) { wrapper.reset(); } +class LuaRouteWrapperTest : public Filters::Common::Lua::LuaWrappersTestBase { +public: + void setup(const std::string& script) override { + Filters::Common::Lua::LuaWrappersTestBase::setup(script); + state_->registerType(); + state_->registerType(); + } + + const std::string NO_METADATA_FOUND_SCRIPT{R"EOF( + function callMe(object) + for _, _ in pairs(object:metadata()) do + return + end + testPrint("No metadata found") + end + )EOF"}; +}; + +// Test that RouteWrapper returns metadata under the current filter configured name. +// This verifies that when route has filter metadata configured under the current filter +// configured name, the wrapper can successfully retrieves and returns it. +TEST_F(LuaRouteWrapperTest, GetFilterMetadataBasic) { + const std::string SCRIPT{R"EOF( + function callMe(object) + local metadata = object:metadata() + testPrint(metadata:get("foo.bar")["name"]) + testPrint(metadata:get("foo.bar")["prop"]) + end + )EOF"}; + + const std::string METADATA{R"EOF( + filter_metadata: + lua-filter-config-name: + foo.bar: + name: foo + prop: bar + )EOF"}; + + InSequence s; + setup(SCRIPT); + + // Create a mock route and load metadata into it. + auto route = std::make_shared>(); + TestUtility::loadFromYaml(METADATA, route->metadata_); + + // Set up the mock stream info to return the mock route. + NiceMock stream_info; + ON_CALL(stream_info, route()).WillByDefault(Return(route)); + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + RouteWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), true); + + EXPECT_CALL(printer_, testPrint("foo")); + EXPECT_CALL(printer_, testPrint("bar")); + + start("callMe"); + wrapper.reset(); +} + +// Test that RouteWrapper returns an empty metadata object when no metadata exists +// under the current filter configured name. +TEST_F(LuaRouteWrapperTest, GetMetadataNoMetadataUnderFilterName) { + const std::string METADATA{R"EOF( + filter_metadata: + envoy.some_filter: + foo.bar: + name: foo + prop: bar + )EOF"}; + + InSequence s; + setup(NO_METADATA_FOUND_SCRIPT); + + // Create a mock route and load metadata into it. + auto route = std::make_shared>(); + TestUtility::loadFromYaml(METADATA, route->metadata_); + + // Set up the mock stream info to return the mock route. + NiceMock stream_info; + ON_CALL(stream_info, route()).WillByDefault(Return(route)); + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + RouteWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), true); + + EXPECT_CALL(printer_, testPrint("No metadata found")); + + start("callMe"); + wrapper.reset(); +} + +// Test that RouteWrapper returns an empty metadata object when no metadata is configured on +// the route. This verifies that the wrapper correctly handles cases where the route +// has no filter_metadata section, returning an empty metadata object without crashing. +TEST_F(LuaRouteWrapperTest, GetMetadataNoMetadataAtAll) { + InSequence s; + setup(NO_METADATA_FOUND_SCRIPT); + + // Create a mock route but DO NOT load metadata into it. + auto route = std::make_shared>(); + + // Set up the mock stream info to return the mock route. + NiceMock stream_info; + ON_CALL(stream_info, route()).WillByDefault(Return(route)); + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + RouteWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), true); + + EXPECT_CALL(printer_, testPrint("No metadata found")); + + start("callMe"); + wrapper.reset(); +} + +// Test that RouteWrapper returns an empty metadata object when no route matches the +// request. This verifies that the wrapper correctly handles cases where the stream info +// does not have a route, returning an empty metadata object without crashing. +TEST_F(LuaRouteWrapperTest, GetMetadataNoRoute) { + InSequence s; + setup(NO_METADATA_FOUND_SCRIPT); + + // Set up the mock stream info but DO NOT config it to return a valid route. + NiceMock stream_info; + + // Set up wrapper with the mock stream info. + Filters::Common::Lua::LuaDeathRef wrapper( + RouteWrapper::create(coroutine_->luaState(), stream_info, "lua-filter-config-name"), true); + + EXPECT_CALL(printer_, testPrint("No metadata found")); + + start("callMe"); + wrapper.reset(); +} + } // namespace } // namespace Lua } // namespace HttpFilters From 540a6b8dd4cb68a0a9a014f6e8dcd6eb22245226 Mon Sep 17 00:00:00 2001 From: Joe Kralicky Date: Sat, 9 Aug 2025 01:10:55 -0400 Subject: [PATCH 194/505] generic proxy: ensure downstream connection callbacks removed if bound upstream is closed first (#40535) Commit Message: generic proxy: ensure downstream connection callbacks removed if bound upstream is closed first Additional Description: This fixes an issue in the BoundGenericUpstream where the connection callbacks added to the downstream connection can be invoked after the upstream object has been deleted. Specifically, if the client codec sends a frame with FLAG_END_STREAM, then the upstream is disconnected before the frame triggers the downstream connection to be closed, the event that fires after the downstream connection is eventually closed may attempt to invoke callbacks on the BoundGenericUpstream instance after it has already been deleted. Risk Level: Testing: Added an integration test that should cover this case. Signed-off-by: Joe Kralicky --- .../network/generic_proxy/router/upstream.cc | 6 +++ .../network/generic_proxy/integration_test.cc | 49 +++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/source/extensions/filters/network/generic_proxy/router/upstream.cc b/source/extensions/filters/network/generic_proxy/router/upstream.cc index 0cbef86bddea4..adc6d56dfc63d 100644 --- a/source/extensions/filters/network/generic_proxy/router/upstream.cc +++ b/source/extensions/filters/network/generic_proxy/router/upstream.cc @@ -222,6 +222,12 @@ void BoundGenericUpstream::onEvent(Network::ConnectionEvent event) { encoder_decoder_->onConnectionClose(event); } + // Remove the connection event watcher callbacks since the upstream is already closed. + // If the upstream connection closes shortly after a frame that ends the stream is sent by the + // client codec, the downstream connection may end up being closed after this object has already + // been destroyed. + downstream_conn_.removeConnectionCallbacks(connection_event_watcher_); + // If the downstream connection is not closed, close it. downstream_conn_.close(Network::ConnectionCloseType::FlushWrite); } diff --git a/test/extensions/filters/network/generic_proxy/integration_test.cc b/test/extensions/filters/network/generic_proxy/integration_test.cc index 73111aa899e69..94c8bda2ea709 100644 --- a/test/extensions/filters/network/generic_proxy/integration_test.cc +++ b/test/extensions/filters/network/generic_proxy/integration_test.cc @@ -793,6 +793,55 @@ TEST_P(IntegrationTest, MultipleRequestsWithMultipleFrames) { cleanup(); } +TEST_P(IntegrationTest, UpstreamEndStreamFrameThenDisconnect) { + FakeStreamCodecFactoryConfig codec_factory_config; + Registry::InjectFactory registration(codec_factory_config); + + initialize(defaultConfig(true), std::make_unique()); + + EXPECT_TRUE(makeClientConnectionForTest()); + + FakeStreamCodecFactory::FakeRequest request; + request.host_ = "service_name_0"; + request.method_ = "hello"; + request.path_ = "/path_or_anything"; + request.protocol_ = "fake_fake_fake"; + request.data_ = {{"version", "v1"}}; + + sendRequestForTest(request); + + waitForUpstreamConnectionForTest(); + const std::function data_validator = + [](const std::string& data) -> bool { return data.find("v1") != std::string::npos; }; + waitForUpstreamRequestForTest(data_validator); + + FakeStreamCodecFactory::FakeResponse response; + response.protocol_ = "fake_fake_fake"; + response.status_ = StreamStatus(0, true); + response.data_["zzzz"] = "OK"; + response.stream_frame_flags_ = FrameFlags(1, 0); + sendResponseForTest(response); + + FakeStreamCodecFactory::FakeCommonFrame error; + error.data_["zzzz"] = "OK"; + error.stream_frame_flags_ = + FrameFlags(1, FrameFlags::FLAG_END_STREAM | FrameFlags::FLAG_DRAIN_CLOSE); + sendResponseForTest(response); + + // Partial cleanup (upstream only) + AssertionResult result = upstream_connection_->close(); + RELEASE_ASSERT(result, result.message()); + result = upstream_connection_->waitForDisconnect(); + RELEASE_ASSERT(result, result.message()); + upstream_connection_.reset(); + + // Run the event loop after the upstream connection is closed and reset, but before closing the + // client connection. + integration_->dispatcher_->run(Envoy::Event::Dispatcher::RunType::Block); + + client_connection_->close(Envoy::Network::ConnectionCloseType::NoFlush); +} + } // namespace } // namespace GenericProxy } // namespace NetworkFilters From b2d357c52f727c8f0459620f8b29295fb01dc0f0 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Sat, 9 Aug 2025 07:18:24 +0200 Subject: [PATCH 195/505] proxy_protocol: deprecate flag use_typed_metadata_in_proxy_protocol_listener and remove legacy code paths (#40609) --- api/envoy/data/core/v3/tlv_metadata.proto | 3 +- changelogs/current.yaml | 3 + source/common/runtime/runtime_features.cc | 1 - .../listener/proxy_protocol/proxy_protocol.cc | 37 +++--- .../proxy_protocol/proxy_protocol_test.cc | 116 +----------------- 5 files changed, 22 insertions(+), 138 deletions(-) diff --git a/api/envoy/data/core/v3/tlv_metadata.proto b/api/envoy/data/core/v3/tlv_metadata.proto index 8f99b004e3f35..caa7989864eb8 100644 --- a/api/envoy/data/core/v3/tlv_metadata.proto +++ b/api/envoy/data/core/v3/tlv_metadata.proto @@ -17,8 +17,7 @@ message TlvsMetadata { // Typed metadata for :ref:`Proxy protocol filter `, that represents a map of TLVs. // Each entry in the map consists of a key which corresponds to a configured // :ref:`rule key ` and a value (TLV value in bytes). - // When runtime flag ``envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener`` is enabled, // :ref:`Proxy protocol filter ` - // will populate typed metadata and regular metadata. By default filter will populate typed and untyped metadata. + // populates both typed and untyped metadata. map typed_metadata = 1; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 4adf650d14eb3..e595997b831c4 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -65,6 +65,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: proxy_protocol + change: | + Removed runtime guard ``envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener`` and legacy code paths. - area: dns_resolver change: | Removed runtime guard ``envoy.reloadable_features.getaddrinfo_num_retries`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index d331e4aa1072b..fb9fae00bbe97 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -83,7 +83,6 @@ RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); RUNTIME_GUARD(envoy_reloadable_features_use_filter_manager_state_for_downstream_end_stream); -RUNTIME_GUARD(envoy_reloadable_features_use_typed_metadata_in_proxy_protocol_listener); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_wait_for_first_byte_before_balsa_msg_done); diff --git a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc index 5dd755f8b8342..a13a8269d7a17 100644 --- a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc +++ b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc @@ -557,26 +557,23 @@ bool Filter::parseTlvs(const uint8_t* buf, size_t len) { std::string metadata_key = key_value_pair->metadata_namespace().empty() ? "envoy.filters.listener.proxy_protocol" : key_value_pair->metadata_namespace(); - if (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener")) { - auto& typed_filter_metadata = (*cb_->dynamicMetadata().mutable_typed_filter_metadata()); - - const auto typed_proxy_filter_metadata = typed_filter_metadata.find(metadata_key); - envoy::data::core::v3::TlvsMetadata tlvs_metadata; - auto status = absl::OkStatus(); - if (typed_proxy_filter_metadata != typed_filter_metadata.end()) { - status = MessageUtil::unpackTo(typed_proxy_filter_metadata->second, tlvs_metadata); - } - if (!status.ok()) { - ENVOY_LOG_PERIODIC(warn, std::chrono::seconds(1), - "proxy_protocol: Failed to unpack typed metadata for TLV type ", - tlv_type); - } else { - (*tlvs_metadata.mutable_typed_metadata())[key_value_pair->key()] = tlv_value; - ProtobufWkt::Any typed_metadata; - typed_metadata.PackFrom(tlvs_metadata); - cb_->setDynamicTypedMetadata(metadata_key, typed_metadata); - } + auto& typed_filter_metadata = (*cb_->dynamicMetadata().mutable_typed_filter_metadata()); + + const auto typed_proxy_filter_metadata = typed_filter_metadata.find(metadata_key); + envoy::data::core::v3::TlvsMetadata tlvs_metadata; + auto status = absl::OkStatus(); + if (typed_proxy_filter_metadata != typed_filter_metadata.end()) { + status = MessageUtil::unpackTo(typed_proxy_filter_metadata->second, tlvs_metadata); + } + if (!status.ok()) { + ENVOY_LOG_PERIODIC(warn, std::chrono::seconds(1), + "proxy_protocol: Failed to unpack typed metadata for TLV type ", + tlv_type); + } else { + (*tlvs_metadata.mutable_typed_metadata())[key_value_pair->key()] = tlv_value; + ProtobufWkt::Any typed_metadata; + typed_metadata.PackFrom(tlvs_metadata); + cb_->setDynamicTypedMetadata(metadata_key, typed_metadata); } // Always populate untyped metadata for backwards compatibility. ProtobufWkt::Value metadata_value; diff --git a/test/extensions/filters/listener/proxy_protocol/proxy_protocol_test.cc b/test/extensions/filters/listener/proxy_protocol/proxy_protocol_test.cc index 89a39b1e9e65c..75e87a6f4354a 100644 --- a/test/extensions/filters/listener/proxy_protocol/proxy_protocol_test.cc +++ b/test/extensions/filters/listener/proxy_protocol/proxy_protocol_test.cc @@ -1535,51 +1535,6 @@ TEST_P(ProxyProtocolTest, V2ParseExtensionsLargeThanInitMaxReadBytes) { EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1); } -TEST_P(ProxyProtocolTest, V2ExtractTlvOfInterest) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({ - {"envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener", "false"}, - }); - // A well-formed ipv4/tcp with a pair of TLV extensions is accepted - constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49, - 0x54, 0x0a, 0x21, 0x11, 0x00, 0x1a, 0x01, 0x02, 0x03, 0x04, - 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x00, 0x02}; - constexpr uint8_t tlv1[] = {0x0, 0x0, 0x1, 0xff}; - constexpr uint8_t tlv_type_authority[] = {0x02, 0x00, 0x07, 0x66, 0x6f, - 0x6f, 0x2e, 0x63, 0x6f, 0x6d}; - constexpr uint8_t data[] = {'D', 'A', 'T', 'A'}; - - envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol proto_config; - auto rule = proto_config.add_rules(); - rule->set_tlv_type(0x02); - rule->mutable_on_tlv_present()->set_key("PP2 type authority"); - - connect(true, &proto_config); - write(buffer, sizeof(buffer)); - dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - - write(tlv1, sizeof(tlv1)); - write(tlv_type_authority, sizeof(tlv_type_authority)); - write(data, sizeof(data)); - expectData("DATA"); - - EXPECT_EQ(1, server_connection_->streamInfo().dynamicMetadata().filter_metadata_size()); - EXPECT_EQ(0, server_connection_->streamInfo().dynamicMetadata().typed_filter_metadata_size()); - - auto metadata = server_connection_->streamInfo().dynamicMetadata().filter_metadata(); - EXPECT_EQ(1, metadata.size()); - EXPECT_EQ(1, metadata.count(ProxyProtocol)); - - auto fields = metadata.at(ProxyProtocol).fields(); - EXPECT_EQ(1, fields.size()); - EXPECT_EQ(1, fields.count("PP2 type authority")); - - auto value_s = fields.at("PP2 type authority").string_value(); - ASSERT_THAT(value_s, ElementsAre(0x66, 0x6f, 0x6f, 0x2e, 0x63, 0x6f, 0x6d)); - disconnect(); - EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1); -} - TEST_P(ProxyProtocolTest, V2ExtractTlvOfInterestAndEmitWithSpecifiedMetadataNamespace) { // A well-formed ipv4/tcp with a pair of TLV extensions is accepted constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49, @@ -1621,76 +1576,7 @@ TEST_P(ProxyProtocolTest, V2ExtractTlvOfInterestAndEmitWithSpecifiedMetadataName EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1); } -TEST_P(ProxyProtocolTest, V2ExtractMultipleTlvsOfInterest) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({ - {"envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener", "false"}, - }); - // A well-formed ipv4/tcp with a pair of TLV extensions is accepted - constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49, - 0x54, 0x0a, 0x21, 0x11, 0x00, 0x39, 0x01, 0x02, 0x03, 0x04, - 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x00, 0x02}; - // a TLV of type 0x00 with size of 4 (1 byte is value) - constexpr uint8_t tlv1[] = {0x00, 0x00, 0x01, 0xff}; - // a TLV of type 0x02 with size of 10 bytes (7 bytes are value) - constexpr uint8_t tlv_type_authority[] = {0x02, 0x00, 0x07, 0x66, 0x6f, - 0x6f, 0x2e, 0x63, 0x6f, 0x6d}; - // a TLV of type 0x0f with size of 6 bytes (3 bytes are value) - constexpr uint8_t tlv3[] = {0x0f, 0x00, 0x03, 0xf0, 0x00, 0x0f}; - // a TLV of type 0xea with size of 25 bytes (22 bytes are value) - constexpr uint8_t tlv_vpc_id[] = {0xea, 0x00, 0x16, 0x01, 0x76, 0x70, 0x63, 0x2d, 0x30, - 0x32, 0x35, 0x74, 0x65, 0x73, 0x74, 0x32, 0x66, 0x61, - 0x36, 0x63, 0x36, 0x33, 0x68, 0x61, 0x37}; - constexpr uint8_t data[] = {'D', 'A', 'T', 'A'}; - - envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol proto_config; - auto rule_type_authority = proto_config.add_rules(); - rule_type_authority->set_tlv_type(0x02); - rule_type_authority->mutable_on_tlv_present()->set_key("PP2 type authority"); - - auto rule_vpc_id = proto_config.add_rules(); - rule_vpc_id->set_tlv_type(0xea); - rule_vpc_id->mutable_on_tlv_present()->set_key("PP2 vpc id"); - - connect(true, &proto_config); - write(buffer, sizeof(buffer)); - dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - - write(tlv1, sizeof(tlv1)); - write(tlv_type_authority, sizeof(tlv_type_authority)); - write(tlv3, sizeof(tlv3)); - write(tlv_vpc_id, sizeof(tlv_vpc_id)); - write(data, sizeof(data)); - expectData("DATA"); - - EXPECT_EQ(1, server_connection_->streamInfo().dynamicMetadata().filter_metadata_size()); - EXPECT_EQ(0, server_connection_->streamInfo().dynamicMetadata().typed_filter_metadata_size()); - - auto metadata = server_connection_->streamInfo().dynamicMetadata().filter_metadata(); - EXPECT_EQ(1, metadata.size()); - EXPECT_EQ(1, metadata.count(ProxyProtocol)); - - auto fields = metadata.at(ProxyProtocol).fields(); - EXPECT_EQ(2, fields.size()); - EXPECT_EQ(1, fields.count("PP2 type authority")); - EXPECT_EQ(1, fields.count("PP2 vpc id")); - - auto value_type_authority = fields.at("PP2 type authority").string_value(); - ASSERT_THAT(value_type_authority, ElementsAre(0x66, 0x6f, 0x6f, 0x2e, 0x63, 0x6f, 0x6d)); - - auto value_vpc_id = fields.at("PP2 vpc id").string_value(); - ASSERT_THAT(value_vpc_id, - ElementsAre(0x01, 0x76, 0x70, 0x63, 0x2d, 0x30, 0x32, 0x35, 0x74, 0x65, 0x73, 0x74, - 0x32, 0x66, 0x61, 0x36, 0x63, 0x36, 0x33, 0x68, 0x61, 0x37)); - disconnect(); - EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1); -} - TEST_P(ProxyProtocolTest, V2ExtractMultipleTlvsOfInterestAndSanitiseNonUtf8) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({ - {"envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener", "false"}, - }); // A well-formed ipv4/tcp with a pair of TLV extensions is accepted. constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49, 0x54, 0x0a, 0x21, 0x11, 0x00, 0x39, 0x01, 0x02, 0x03, 0x04, @@ -1731,7 +1617,7 @@ TEST_P(ProxyProtocolTest, V2ExtractMultipleTlvsOfInterestAndSanitiseNonUtf8) { expectData("DATA"); EXPECT_EQ(1, server_connection_->streamInfo().dynamicMetadata().filter_metadata_size()); - EXPECT_EQ(0, server_connection_->streamInfo().dynamicMetadata().typed_filter_metadata_size()); + EXPECT_EQ(1, server_connection_->streamInfo().dynamicMetadata().typed_filter_metadata_size()); auto metadata = server_connection_->streamInfo().dynamicMetadata().filter_metadata(); EXPECT_EQ(1, metadata.size()); From b0c33ac4a58e65e22fcac0426fe12800dd4a8564 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alex=20Sundstr=C3=B6m?= Date: Sat, 9 Aug 2025 10:38:30 +0200 Subject: [PATCH 196/505] maxmind geoip provider: fix bug for no entry found (#40365) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The maxmind provider previously only checked if the call to the maxmind C library returned an error, but failed to consider the case where it would not find an entry for an IP but return no error. This could lead to wrong data being decorated for IPs, such as ASN numbers being assigned to requests which IP did not actually belong to that network. The maxmind library's documentation states here that one should always check if the MMDB_lookup_result_s found_entry member is true first and otherwise the struct does not contain meaningful data: https://github.com/maxmind/libmaxminddb/blob/main/doc/libmaxminddb.md#mmdb_lookup_result_s Some of the maxmind provider tests seem to have accidentally relied on the buggy behaviour. To fix them I had to get proper data from the database files and in a few cases make adjustments to the test data itself (like for the tests around updating the database). My methodology was something like this: 1. Look through the source data for the test data here[ https://github.com/maxmind/MaxMind-DB/tree/main/source-data](https://github.com/maxmind/MaxMind-DB/tree/main/source-data) for IPs that would fit the test cases 2. For cases where data was expected to exist in 2 different databases, like the City and ASN ones, I used a small python script that would find IPs that were in ranges present in both files 3. For the tests around updating the database I had to dump the existing test data into json using[ https://github.com/maxmind/MaxMind-DB-Reader-perl/blob/main/eg/mmdb-dump-database](https://github.com/maxmind/MaxMind-DB-Reader-perl/blob/main/eg/mmdb-dump-database) , manually change some values and then write them to the mmdb file format again with[ https://github.com/maxmind/MaxMind-DB/tree/main/cmd/write-test-data](https://github.com/maxmind/MaxMind-DB/tree/main/cmd/write-test-data) Disclosure: this was initially submitted to the envoy security group first but as the geoip filter and maxmind provider are alpha extensions they aren’t covered by the security process and I was told it was fine to just submit a fix. --- Commit Message: maxmind geoip provider: fix bug for no entry found Additional Description: As per the maxmind library’s docs if the value of the found_entry field in the lookup result isn’t checked it’s possible to pull useless data from the DB https://github.com/maxmind/libmaxminddb/blob/main/doc/libmaxminddb.md#mmdb_lookup_result_s Risk Level: low Testing: unit testing Docs Changes: N/A Release Notes: Added Platform Specific Features: N/A --------- Signed-off-by: Alex Sundström Signed-off-by: Alex Sundström Co-authored-by: Alex Sundström --- changelogs/current.yaml | 5 + .../geoip_providers/maxmind/geoip_provider.cc | 8 +- .../geoip/geoip_filter_integration_test.cc | 91 +++++++++++------- .../maxmind/geoip_provider_test.cc | 66 ++++++++----- .../test_data/GeoLite2-ASN-Test-Updated.mmdb | Bin 12662 -> 17019 bytes .../test_data/GeoLite2-City-Test-Updated.mmdb | Bin 3461 -> 3472 bytes 6 files changed, 106 insertions(+), 64 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index e595997b831c4..2df432399c05f 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -15,6 +15,11 @@ minor_behavior_changes: bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* +- area: geoip + change: | + Fixed a bug in the maxmind provider where the found_entry field in the lookup result was not checked before trying to populate + headers with data. If this field is not checked the provider could try to populate headers with wrong data, as per the + documentation for the Maxmind library https://github.com/maxmind/libmaxminddb/blob/main/doc/libmaxminddb.md#mmdb_lookup_result_s. - area: http3 change: | Fixed a bug where access log gets skipped for HTTP/3 requests when the stream is half closed. This behavior can be diff --git a/source/extensions/geoip_providers/maxmind/geoip_provider.cc b/source/extensions/geoip_providers/maxmind/geoip_provider.cc index 7b6c8065a2879..abb9bab281ac2 100644 --- a/source/extensions/geoip_providers/maxmind/geoip_provider.cc +++ b/source/extensions/geoip_providers/maxmind/geoip_provider.cc @@ -202,7 +202,7 @@ void GeoipProvider::lookupInCityDb( city_db->mmdb(), reinterpret_cast(remote_address->sockAddr()), &mmdb_error); const uint32_t n_prev_hits = lookup_result.size(); - if (!mmdb_error) { + if (!mmdb_error && mmdb_lookup_result.found_entry) { MMDB_entry_data_list_s* entry_data_list; int status = MMDB_get_entry_data_list(&mmdb_lookup_result.entry, &entry_data_list); if (status == MMDB_SUCCESS) { @@ -255,7 +255,7 @@ void GeoipProvider::lookupInAsnDb( asn_db_ptr->mmdb(), reinterpret_cast(remote_address->sockAddr()), &mmdb_error); const uint32_t n_prev_hits = lookup_result.size(); - if (!mmdb_error) { + if (!mmdb_error && mmdb_lookup_result.found_entry) { MMDB_entry_data_list_s* entry_data_list; int status = MMDB_get_entry_data_list(&mmdb_lookup_result.entry, &entry_data_list); if (status == MMDB_SUCCESS) { @@ -293,7 +293,7 @@ void GeoipProvider::lookupInAnonDb( anon_db->mmdb(), reinterpret_cast(remote_address->sockAddr()), &mmdb_error); const uint32_t n_prev_hits = lookup_result.size(); - if (!mmdb_error) { + if (!mmdb_error && mmdb_lookup_result.found_entry) { MMDB_entry_data_list_s* entry_data_list; int status = MMDB_get_entry_data_list(&mmdb_lookup_result.entry, &entry_data_list); if (status == MMDB_SUCCESS) { @@ -347,7 +347,7 @@ void GeoipProvider::lookupInIspDb( MMDB_lookup_result_s mmdb_lookup_result = MMDB_lookup_sockaddr( isp_db->mmdb(), reinterpret_cast(remote_address->sockAddr()), &mmdb_error); const uint32_t n_prev_hits = lookup_result.size(); - if (!mmdb_error) { + if (!mmdb_error && mmdb_lookup_result.found_entry) { MMDB_entry_data_list_s* entry_data_list; int status = MMDB_get_entry_data_list(&mmdb_lookup_result.entry, &entry_data_list); if (status == MMDB_SUCCESS) { diff --git a/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc b/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc index 23721d881b4ab..e6148bf5c9bf6 100644 --- a/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc +++ b/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc @@ -132,27 +132,29 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, GeoipFilterIntegrationTest, testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), TestUtility::ipTestParamsToString); -TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedNoXff) { +TEST_P(GeoipFilterIntegrationTest, GeoDataDontPopulatedWhenCalledFromLocalhosNoXff) { config_helper_.prependFilter(TestEnvironment::substitute(DefaultConfig)); initialize(); codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); Http::TestRequestHeaderMapImpl request_headers{ {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "host"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); - EXPECT_EQ("Boxford", headerValue("x-geo-city")); - EXPECT_EQ("ENG", headerValue("x-geo-region")); - EXPECT_EQ("GB", headerValue("x-geo-country")); - EXPECT_EQ("15169", headerValue("x-geo-asn")); + ASSERT_TRUE(response->headers().get(Http::LowerCaseString("x-geo-city")).empty()); + ASSERT_TRUE(response->headers().get(Http::LowerCaseString("x-geo-region")).empty()); + ASSERT_TRUE(response->headers().get(Http::LowerCaseString("x-geo-country")).empty()); + ASSERT_TRUE(response->headers().get(Http::LowerCaseString("x-geo-asn")).empty()); + ASSERT_TRUE(response->headers().get(Http::LowerCaseString("x-geo-anon-vpn")).empty()); + ASSERT_TRUE(response->headers().get(Http::LowerCaseString("x-geo-anon")).empty()); ASSERT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); test_server_->waitForCounterEq("http.config_test.geoip.total", 1); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.city_db.total")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.asn_db.total")->value()); - EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.city_db.hit")->value()); - EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.asn_db.hit")->value()); + EXPECT_EQ(nullptr, test_server_->counter("http.config_test.maxmind.city_db.hit")); + EXPECT_EQ(nullptr, test_server_->counter("http.config_test.maxmind.asn_db.hit")); } -TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedUseXff) { +TEST_P(GeoipFilterIntegrationTest, GeoAnonDataPopulatedUseXff) { config_helper_.prependFilter(TestEnvironment::substitute(ConfigWithXff)); initialize(); codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); @@ -160,12 +162,8 @@ TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedUseXff) { {":path", "/"}, {":scheme", "http"}, {":authority", "host"}, - {"x-forwarded-for", "1.2.0.0,9.10.11.12"}}; + {"x-forwarded-for", "::81.2.69.0,9.10.11.12"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); - EXPECT_EQ("Boxford", headerValue("x-geo-city")); - EXPECT_EQ("ENG", headerValue("x-geo-region")); - EXPECT_EQ("GB", headerValue("x-geo-country")); - EXPECT_EQ("15169", headerValue("x-geo-asn")); EXPECT_EQ("true", headerValue("x-geo-anon")); EXPECT_EQ("true", headerValue("x-geo-anon-vpn")); ASSERT_TRUE(response->complete()); @@ -173,6 +171,25 @@ TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedUseXff) { test_server_->waitForCounterEq("http.config_test.geoip.total", 1); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.anon_db.total")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.anon_db.hit")->value()); +} + +TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedUseXff) { + config_helper_.prependFilter(TestEnvironment::substitute(ConfigWithXff)); + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "host"}, + {"x-forwarded-for", "216.160.83.56"}}; + auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); + EXPECT_EQ("Milton", headerValue("x-geo-city")); + EXPECT_EQ("WA", headerValue("x-geo-region")); + EXPECT_EQ("US", headerValue("x-geo-country")); + EXPECT_EQ("209", headerValue("x-geo-asn")); + ASSERT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); + test_server_->waitForCounterEq("http.config_test.geoip.total", 1); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.city_db.total")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.city_db.hit")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.asn_db.total")->value()); @@ -187,13 +204,13 @@ TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedUseXffWithIspAndAsn) { {":path", "/"}, {":scheme", "http"}, {":authority", "host"}, - {"x-forwarded-for", "::12.96.16.1,9.10.11.12"}}; + {"x-forwarded-for", "216.160.83.56,9.10.11.12"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); - EXPECT_EQ("Boxford", headerValue("x-geo-city")); - EXPECT_EQ("ENG", headerValue("x-geo-region")); - EXPECT_EQ("GB", headerValue("x-geo-country")); - EXPECT_EQ("7018", headerValue("x-geo-asn")); - EXPECT_EQ("AT&T Services", headerValue("x-geo-isp")); + EXPECT_EQ("Milton", headerValue("x-geo-city")); + EXPECT_EQ("WA", headerValue("x-geo-region")); + EXPECT_EQ("US", headerValue("x-geo-country")); + EXPECT_EQ("209", headerValue("x-geo-asn")); + EXPECT_EQ("Century Link", headerValue("x-geo-isp")); EXPECT_EQ("false", headerValue("x-geo-apple-private-relay")); ASSERT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); @@ -214,13 +231,13 @@ TEST_P(GeoipFilterIntegrationTest, GeoDataPopulatedUseXffWithIsp) { {":path", "/"}, {":scheme", "http"}, {":authority", "host"}, - {"x-forwarded-for", "::12.96.16.1,9.10.11.12"}}; + {"x-forwarded-for", "216.160.83.56,9.10.11.12"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); - EXPECT_EQ("Boxford", headerValue("x-geo-city")); - EXPECT_EQ("ENG", headerValue("x-geo-region")); - EXPECT_EQ("GB", headerValue("x-geo-country")); - EXPECT_EQ("7018", headerValue("x-geo-asn")); - EXPECT_EQ("AT&T Services", headerValue("x-geo-isp")); + EXPECT_EQ("Milton", headerValue("x-geo-city")); + EXPECT_EQ("WA", headerValue("x-geo-region")); + EXPECT_EQ("US", headerValue("x-geo-country")); + EXPECT_EQ("209", headerValue("x-geo-asn")); + EXPECT_EQ("Century Link", headerValue("x-geo-isp")); EXPECT_EQ("false", headerValue("x-geo-apple-private-relay")); ASSERT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); @@ -242,17 +259,14 @@ TEST_P(GeoipFilterIntegrationTest, GeoHeadersOverridenInRequest) { {":path", "/"}, {":scheme", "http"}, {":authority", "host"}, - {"x-forwarded-for", "81.2.69.142,9.10.11.12"}, + {"x-forwarded-for", "216.160.83.56,9.10.11.12"}, {"x-geo-city", "Berlin"}, {"x-geo-country", "Germany"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); - EXPECT_EQ("London", headerValue("x-geo-city")); - EXPECT_EQ("GB", headerValue("x-geo-country")); + EXPECT_EQ("Milton", headerValue("x-geo-city")); + EXPECT_EQ("US", headerValue("x-geo-country")); ASSERT_TRUE(response->complete()); - EXPECT_EQ("200", response->headers().getStatusValue()); test_server_->waitForCounterEq("http.config_test.geoip.total", 1); - EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.anon_db.total")->value()); - EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.anon_db.hit")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.city_db.total")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.city_db.hit")->value()); EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.asn_db.total")->value()); @@ -278,7 +292,7 @@ TEST_P(GeoipFilterIntegrationTest, GeoDataNotPopulatedOnEmptyLookupResult) { } TEST_P(GeoipFilterIntegrationTest, GeoipFilterNoCrashOnLdsUpdate) { - config_helper_.prependFilter(TestEnvironment::substitute(DefaultConfig)); + config_helper_.prependFilter(TestEnvironment::substitute(ConfigWithXff)); initialize(); // LDS update to modify the listener and corresponding drain. @@ -295,11 +309,14 @@ TEST_P(GeoipFilterIntegrationTest, GeoipFilterNoCrashOnLdsUpdate) { test_server_->waitForGaugeEq("listener_manager.total_listeners_draining", 0); } codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); - Http::TestRequestHeaderMapImpl request_headers{ - {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "host"}}; + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "host"}, + {"x-forwarded-for", "216.160.83.56,9.10.11.12"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); - EXPECT_EQ("Boxford", headerValue("x-geo-city")); - EXPECT_EQ("ENG", headerValue("x-geo-region")); + EXPECT_EQ("Milton", headerValue("x-geo-city")); + EXPECT_EQ("WA", headerValue("x-geo-region")); ASSERT_TRUE(response->complete()); EXPECT_EQ("200", response->headers().getStatusValue()); @@ -319,7 +336,7 @@ TEST_P(GeoipFilterIntegrationTest, OnlyApplePrivateRelayHeaderIsPopulated) { {":path", "/"}, {":scheme", "http"}, {":authority", "host"}, - {"x-forwarded-for", "81.2.69.142,9.10.11.12"}, + {"x-forwarded-for", "::65.116.3.80,9.10.11.12"}, {"x-geo-city", "Berlin"}, {"x-geo-country", "Germany"}}; auto response = sendRequestAndWaitForResponse(request_headers, 0, default_response_headers_, 0); diff --git a/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc b/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc index 70d1f4f00ba4f..e67ef8771452e 100644 --- a/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc +++ b/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc @@ -196,7 +196,7 @@ TEST_F(GeoipProviderTest, ValidConfigCityAndAsnDbsSuccessfulLookup) { )EOF"; initializeProvider(config_yaml, cb_added_nullopt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("89.160.20.112"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -204,13 +204,13 @@ TEST_F(GeoipProviderTest, ValidConfigCityAndAsnDbsSuccessfulLookup) { provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); EXPECT_EQ(4, captured_lookup_response_.size()); const auto& city_it = captured_lookup_response_.find("x-geo-city"); - EXPECT_EQ("Boxford", city_it->second); + EXPECT_EQ("Linköping", city_it->second); const auto& region_it = captured_lookup_response_.find("x-geo-region"); - EXPECT_EQ("ENG", region_it->second); + EXPECT_EQ("E", region_it->second); const auto& country_it = captured_lookup_response_.find("x-geo-country"); - EXPECT_EQ("GB", country_it->second); + EXPECT_EQ("SE", country_it->second); const auto& asn_it = captured_lookup_response_.find("x-geo-asn"); - EXPECT_EQ("15169", asn_it->second); + EXPECT_EQ("29518", asn_it->second); expectStats("city_db"); expectStats("asn_db"); } @@ -224,7 +224,7 @@ TEST_F(GeoipProviderTest, ValidConfigAsnDbsSuccessfulLookup) { )EOF"; initializeProvider(config_yaml, cb_added_nullopt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("89.160.20.112"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -232,7 +232,7 @@ TEST_F(GeoipProviderTest, ValidConfigAsnDbsSuccessfulLookup) { provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); EXPECT_EQ(1, captured_lookup_response_.size()); const auto& asn_it = captured_lookup_response_.find("x-geo-asn"); - EXPECT_EQ("15169", asn_it->second); + EXPECT_EQ("29518", asn_it->second); expectStats("asn_db"); } @@ -270,7 +270,7 @@ TEST_F(GeoipProviderTest, ValidConfigUsingAsnAndIspDbsSuccessfulLookup) { initializeProvider(config_yaml, cb_added_nullopt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("2c0f:ff80::"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -278,10 +278,10 @@ TEST_F(GeoipProviderTest, ValidConfigUsingAsnAndIspDbsSuccessfulLookup) { provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); EXPECT_EQ(2, captured_lookup_response_.size()); const auto& asn_it = captured_lookup_response_.find("x-geo-asn"); - EXPECT_EQ("15169", asn_it->second); + EXPECT_EQ("237", asn_it->second); expectStats("asn_db"); const auto& isp_it = captured_lookup_response_.find("x-geo-isp"); - EXPECT_EQ("TOT Public Company Limited", isp_it->second); + EXPECT_EQ("Merit Network Inc.", isp_it->second); expectStats("isp_db"); } @@ -328,7 +328,7 @@ TEST_F(GeoipProviderTest, AsnLookupFallsBackToIspDb) { initializeProvider(config_yaml, cb_added_nullopt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("::1.128.0.1"); + Network::Utility::parseInternetAddressNoThrow("::1.128.0.0"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -355,7 +355,7 @@ TEST_F(GeoipProviderTest, ValidConfigUsingAsnDbNotReadingIspDbsSuccessfulLookup) initializeProvider(config_yaml, cb_added_nullopt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("1.0.0.123"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -465,6 +465,26 @@ TEST_F(GeoipProviderTest, ValidConfigAnonHostingSuccessfulLookup) { expectStats("anon_db"); } +TEST_F(GeoipProviderTest, ValidConfigUsingCityDbNoHeadersAddedWhenIpIsNotInDb) { + const std::string config_yaml = R"EOF( + common_provider_config: + geo_headers_to_add: + country: "x-geo-country" + city_db_path: "{{ test_rundir }}/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-City-Test.mmdb" + )EOF"; + + initializeProvider(config_yaml, cb_added_nullopt); + Network::Address::InstanceConstSharedPtr remote_address = + Network::Utility::parseInternetAddressNoThrow("1.2.3.4"); + Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; + testing::MockFunction lookup_cb; + auto lookup_cb_std = lookup_cb.AsStdFunction(); + EXPECT_CALL(lookup_cb, Call(_)).WillRepeatedly(SaveArg<0>(&captured_lookup_response_)); + provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); + EXPECT_EQ(0, captured_lookup_response_.size()); + expectStats("city_db", 1, 0, 1); +} + TEST_F(GeoipProviderTest, ValidConfigAnonTorNodeSuccessfulLookup) { const std::string config_yaml = R"EOF( common_provider_config: @@ -529,7 +549,7 @@ TEST_F(GeoipProviderTest, ValidConfigEmptyLookupResult) { TEST_F(GeoipProviderTest, ValidConfigCityMultipleLookups) { initializeProvider(default_city_config_yaml, cb_added_nullopt); Network::Address::InstanceConstSharedPtr remote_address1 = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("2.125.160.216"); Geolocation::LookupRequest lookup_rq1{std::move(remote_address1)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -538,7 +558,7 @@ TEST_F(GeoipProviderTest, ValidConfigCityMultipleLookups) { EXPECT_EQ(3, captured_lookup_response_.size()); // Another lookup request. Network::Address::InstanceConstSharedPtr remote_address2 = - Network::Utility::parseInternetAddressNoThrow("63.25.243.11"); + Network::Utility::parseInternetAddressNoThrow("81.2.69.144"); Geolocation::LookupRequest lookup_rq2{std::move(remote_address2)}; testing::MockFunction lookup_cb2; auto lookup_cb_std2 = lookup_cb2.AsStdFunction(); @@ -568,7 +588,7 @@ TEST_F(GeoipProviderTest, DbReloadedOnMmdbFileUpdate) { auto cb_added_opt = absl::make_optional(); initializeProvider(formatted_config, cb_added_opt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("81.2.69.144"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -576,7 +596,7 @@ TEST_F(GeoipProviderTest, DbReloadedOnMmdbFileUpdate) { provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); EXPECT_EQ(3, captured_lookup_response_.size()); const auto& city_it = captured_lookup_response_.find("x-geo-city"); - EXPECT_EQ("Boxford", city_it->second); + EXPECT_EQ("London", city_it->second); TestEnvironment::renameFile(city_db_path, city_db_path + "1"); TestEnvironment::renameFile(reloaded_city_db_path, city_db_path); cb_added_opt.value().waitReady(); @@ -587,7 +607,7 @@ TEST_F(GeoipProviderTest, DbReloadedOnMmdbFileUpdate) { expectReloadStats("city_db", 1, 0); captured_lookup_response_.clear(); EXPECT_EQ(0, captured_lookup_response_.size()); - remote_address = Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + remote_address = Network::Utility::parseInternetAddressNoThrow("81.2.69.144"); Geolocation::LookupRequest lookup_rq2{std::move(remote_address)}; testing::MockFunction lookup_cb2; auto lookup_cb_std2 = lookup_cb2.AsStdFunction(); @@ -622,7 +642,7 @@ TEST_F(GeoipProviderTest, DbReloadError) { auto cb_added_opt = absl::make_optional(); initializeProvider(formatted_config, cb_added_opt); Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + Network::Utility::parseInternetAddressNoThrow("81.2.69.144"); Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; testing::MockFunction lookup_cb; auto lookup_cb_std = lookup_cb.AsStdFunction(); @@ -630,7 +650,7 @@ TEST_F(GeoipProviderTest, DbReloadError) { provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); EXPECT_EQ(3, captured_lookup_response_.size()); const auto& city_it = captured_lookup_response_.find("x-geo-city"); - EXPECT_EQ("Boxford", city_it->second); + EXPECT_EQ("London", city_it->second); TestEnvironment::renameFile(city_db_path, city_db_path + "1"); TestEnvironment::renameFile(reloaded_invalid_city_db_path, city_db_path); cb_added_opt.value().waitReady(); @@ -642,14 +662,14 @@ TEST_F(GeoipProviderTest, DbReloadError) { expectReloadStats("city_db", 0, 1); captured_lookup_response_.clear(); EXPECT_EQ(0, captured_lookup_response_.size()); - remote_address = Network::Utility::parseInternetAddressNoThrow("78.26.243.166"); + remote_address = Network::Utility::parseInternetAddressNoThrow("81.2.69.144"); Geolocation::LookupRequest lookup_rq2{std::move(remote_address)}; testing::MockFunction lookup_cb2; auto lookup_cb_std2 = lookup_cb2.AsStdFunction(); EXPECT_CALL(lookup_cb2, Call(_)).WillRepeatedly(SaveArg<0>(&captured_lookup_response_)); provider_->lookup(std::move(lookup_rq2), std::move(lookup_cb_std2)); const auto& city1_it = captured_lookup_response_.find("x-geo-city"); - EXPECT_EQ("Boxford", city1_it->second); + EXPECT_EQ("London", city1_it->second); // Clean up modifications to mmdb file names. TestEnvironment::renameFile(city_db_path, reloaded_invalid_city_db_path); TestEnvironment::renameFile(city_db_path + "1", city_db_path); @@ -894,11 +914,11 @@ TEST_P(MmdbReloadImplTest, MmdbNotReloadedRuntimeFeatureDisabled) { struct MmdbReloadTestCase mmdb_reload_test_cases[] = { {default_city_config_yaml, "city_db", default_city_db_path, default_updated_city_db_path, - "x-geo-city", "Boxford", "BoxfordImaginary", "78.26.243.166"}, + "x-geo-city", "London", "BoxfordImaginary", "81.2.69.144"}, {default_isp_config_yaml, "isp_db", default_isp_db_path, default_updated_isp_db_path, "x-geo-isp", "AT&T Services", "AT&T Services Special", "::12.96.16.1"}, {default_asn_config_yaml, "asn_db", default_asn_db_path, default_updated_asn_db_path, - "x-geo-asn", "15169", "77777", "78.26.243.166"}, + "x-geo-asn", "237", "23742", "2806:2000::"}, {default_anon_config_yaml, "anon_db", default_anon_db_path, default_updated_anon_db_path, "x-geo-anon", "true", "false", "65.4.3.2"}, }; diff --git a/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-ASN-Test-Updated.mmdb b/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-ASN-Test-Updated.mmdb index c8b6fe84663210c5d3e8e8b7a2c8311a84619d25..fc7adc0053ad39ba1fa7aeda2aa6d17956ed48a9 100644 GIT binary patch literal 17019 zcmZvi2Ygi3^2g`aO+rEy3t+r}A}9pG-c18SLJ~iP6LuqKp_z>_m(s#uGaeyAZn)yAit+dk}jP zdl7pR`w;sQ`w{yS2N2~%1yM;<5!J*50uRkR;z>jeF`1|(>WC>sJ<&ik5(g4fi6)|% zm_|$|W)L%pgNRwgY~o;I4si%EmpGJ&Vr^pJEh6%vNGougNE>jWNDNpiGLM$+3Nu9M z5QzheMdq_@0ntfx5eXtmbQ6aWDI!f|h#q1gu}BfQm(mhNL3Rfmj^2;Z>6U*eOj<`m zd4UM_mywpy-K2Z8$T7gFbU0RIxk$mbBF7QOD|BEdh@2QoCyAUKN~h3$g`!{wk<-}G z>BJetO5#l7EaGfpmBREa=ZKt3<$1*U`8FhCaw)(%ya<-ph+GU@CUOaIsp`>Qz^AEM zuV!YKi(CPdt3b$#%GFY^f*oB8lN;%99l`$OdP+A)!A*I0xrxe~MQ(xLzf>w% zN9C=GLR;i^v^^zq2k^MaoxpuGxr?}43QM89M}$w)NG7}cp?p~6fv~>^>F|&ga^DtW z5y={nwZLN{j{uLVN#Q9Q=2>_L{hkncQiBz)XAe)q;Z>1mfR{v`1zx1(b0W`&-M%12 z5jw2PD~q-ic^M9`s6$Z|fz9w5ly8f?4y>p0G{$^G|&j(L7h{6PFj{6|rQnfe(WZ6WdtfOx-#?!Srr9!h`E@4v*KB7cQ#e=`^tie;%} z*Wu8q0dYGnd)^t4gbz;pRW-2t#gT$H@ zO0&f}I4>E8L(tz`raMb|EyWnF7b^;7D|={Rn=e)yJBkt5^2V|qmWP?2#Ofg8V$Da} z<6mL+itrUy(&qyZ9*-);c<*PYZ=R$d%17t3+TXu z6AG~|QU~i|u`bazRbDFAW%_Kb)%izkT`txYc?l2PSmH5TS0l=RIzGG%MsI4_(-3mM`)@@YYp7*m@h^#xsx+_%PE!I7> zyf;+dC&fb%<$mG;;z8meMK+h>T{s166{xq?qwxDnEEGiRYq88)dQPk-fTwBsq*y4& za5u#{8^wA?tY=j!u2xvj!(qKxd`4!_7Hgx0y@Fy1jrB6|ib75J{H)i+dR>*p?P1#+ z?EOu#-lE^zVcR=wdzW}mtoLd10r4Sv|4gipM2Z)Q^|3 z7)|eXZ?XHRGW(?Meky5OfA&5=fp&W!9L9*fIk2tRTL6LBSo8MQVs8Zuro*7zMzDwI z1~Nw_0@|fvXx2aM7aL31v<)MM=S_@qJH#9%_6W9ZPmIi);Eh!CWc{;u6nnI`6?0A4 zWpLkJ?6JVkV(&!vam4tIEO${!gYC+gyGbs}9&q1B>^n31W6#E#ynr_3t)0#?qkF#u|DmK>45rY|19>Uz(-Ej!SUIsf9TAdj-zD~~lvw|4)<63WD(_U7 z_rKiPy zhJMfHmD$Yf=f!@3Z7&k*h?kJ(YwZ1Hv04A@SO1^;>te5`!yEZF`%U`2C3aZqyRh+&IhU3r) z=+IxB0b#eBi8GKUsDE(Rm|GBA5?hHgC~O-n4(eaYZQ^WAloH!0jJs(Y8afOUhxO0d zmK|+Jj3BlrMk2v7aYo@y^>uM}P-reYGKtaRjL9ouV!m3PvEuAR_i+kUj%VA>#4ZX% z(qOxZvpX%ZVWDwQ|D1iq*^AQN8@27LlKSmO_x*_j#6kTt?iHa)r8rdxHi0J9ijsE) zf7EgkQA127cz!x{lvw|qdP)sMBXJ-xm1rWGiD|@iVg@mjIEa`<%qCd>oH>*ZA?6Z? z5>cXsXeHW+7=cx1rl6hZAmYS)Vgb=fbP)+6Npus35h)@~WQZPOA+d-+{WHBUA(j%X zf6hNB9YGwaFptqVEF+E<@!u2Y7@%65W2szD97h~aoIspNoJ5>VoC5c96IPrR;+zTz zYw0v#j5wzQShQyV!^K$%Y$?u}^gD|oYn`#c~I|~orj2r z6&huYIBP@c5pf<3CDuRZagBmoY3E6H^c3+l@eJ`S@f`6y@q)tKN;@x#vyRG_h?nzi zNW|oVTWRMtSbiYR>%g1htOwrsAGgxZTO8Qi;=BVBtig9Rm`357zw>_XR@(UxCZEya zBjRI%_0Rcq!`oixbGCgU&X@4}N~P?rwDYw}_}p>+jrHP)^DO|Y@9_Um^ke;Ve$ZQK z=SOi^|FXBz&d;#?U7TO?={mpC@3#$arJX;-`7bR07UxgkFLwLCZlzsITw8->Z>3%2 ziZb@tfzd@P=zJuJswB%xUx5oaf7q=89e~OFx=iVW103^g63N(v5 z3>Yge>z|9Ygvab|r!WuP9U<=aRE{J@g>5@-JKBSKyk+bdx<+f zbl+LrT|$Z9e=hGo-QC6ABW&A~!FV&|^83%-N8EkY#N7{}`Q_%a{<#M*37&jz1*J-& zO5AF#)9wUf;)Ye*tzpc`L@mMk=T4ziuP~+DZP4QFHs)%$I~B^NO>U*#X;2<4?sWCj zX`LbN%uqUrnav_*=WeClIq>Tg_mI$XuDFMWQdHcQP->-n8xa$Cp0>H|p-G3halDw- z(`3H53-S__ZdcyYtkxuYKc1G|#9>5AT-HAwN`}fFaTn&@-9_RqhWj#cQU7qY?4tew z>TtNYsDDOz1aV~8#_vDVhWZC<{3Px%;adEFwmR-;}b~Q0=cf#R4aqj{i5ch73 z7OMdD&%KW$;`bkhs?&3S?pE4;5GF5*i~8q2C+@=><{Dxx@d)uK@fd*w&4fGwzo*1~ z5-H_xrQN5s&D=w~&xp(Vm%WvCQUBbmC2uu*y(;cHDBl(LCE#T@v1_z=C`5y zy145@5BH~$qtG#=+c#d|Iy{j~td7gN_DzmrJ zUICQ-#VgFG!wJ?uZ#$K;x6vHp3x=X=-_-A)#7FM#)$ z-rnNv1Bs>1+gH5(G>S-SsF+s7xt+Y2uyc$(zpR`x2l8&#A zk7|kn?Op?tXcey!m?hqUj5!t34Dp(PX>@4LZ3J&RHUfSJhEiZAWM&we^$$D8n+?CY z;vGyA)IVc+NZvAg^XwhU&{6SPv@LsQ?6twYOS~8m7jGWj+lh{iEa$7F16#mgow=K5 zF9G+Ic&LA-_wLY=^)Gw#?4@%z&t4B49usdNaHDvOfR*Ac26(yYEfFs}=))Nk^$(#p zxOw(?|LGki-mh<9wLT+Vcl6YqEiJ0Wa4k!>dtCyRFql3?M(MYDIRTAC|o z?=-z@_D(0x$lW}9XENqlFgaH|)Ia2@v$TphCwKGgofo#9FWv>AbRjJ-67OOLyCiJ8 zRJ_YVX|;Hlhtd`FyHdQX=y!G4c8z$~Qh6PL#cm$X^~4Q|?9H=x6O!jYVDWBd%v;3! z7nHY)cdJ_Jh;GYW4|{in$~)BoYt*}&p;7<52gJLV(tV-j{kiL5??ITX5fAmxr1Y?2 zgX>{$t$2^X=b`=?d`o<% z&;+6UA$0grJk~$&CwBBR@eA=Q@f#BSTfE;<%3l}n4~5Pd>!0_hcz@-UFfp(7KK`Ko z!OXW6s&v@q5}pDkCYT=)zkrrlXU4Ax$`bK=QDXhe{-Vkc>z~j1=l5lle&YA1!vKYb z-b{SdKc5xP-&`%jYdbaBO8h~g!(av*B0lOL+SR0#*oFwiAIgq~0Z7$^RCD0gSfoyAA}^I7ryU8Q%O z`t?4Y;MVq0|4e3kiS&L{{JjK`s3eAGX`S^TL0zW**% zrFr0{Z5o04XQUYlb3j1CAMp?p9yvtks{JWhUg(s|6tjN@E2oXr-{D=I6?fS zz%uaFgHtTX>Y`kf*EN-EDJQ2$JSsDB2lh;xW@iSvl_i3=2cx1)3sLSHHV#gr}~ zE+tU^Ow8;sFQ;^c!u(rC({>ecHE|7bEpZ+3PXe0+4!IHC$kloiaWioXfu(5n(XI5m zjkq0ozAFA5l;@>O&eN^60JU~21JftxH63>ibjY9p_ijVqd zl#ddR5sxeSVjr2dC(*-;?C2@+pH`*1KO_FLGJKp-J{> zzD6Yuc+=l{;tk?W;w|EB0xQdZSNdX>;9z>dcbxw|Ch|D(KS0~B;(y3#{fPLO_=NbB z_>93mhXc;6FDQLUd_{b%&@p@?eV+-XZ^i$PCf^f35I>6aUC+t-kN7`P`7`m0qAxNt z!~Bg&{7(Eq{FnHX_>1@(SS(nA62X<81@x1Mt!)v9aDiSD@hIU*MEekpXHFG43NJG7#8aBAWwSOJobSVFyI;{kK&p z4btO2!ul5(BK;<_4G%67NMsw8a_J6*w5>!;?`CQ>La^T5&8Lo6f~DRQB+qg~3j!-;{5wbmX`+L`I#xWoZ$CgWpPFV;ZBa3!_Dm&td=(yeX3@XrbOEM8NLB<8>v#22zO|-{?##kzyOhh|P zPF+2Tc&m;-z2Okn7XKQQHdV!XGU?Wi82asuEl73+)xGYFdFvF2o=U42_O?x-@E>Q1J#R}=51pmbVgvOSi_Y?6`5{MNw;=`=&S=V*3|VKUep({F5K|Dx zv&3vyMmyv4lBq;I8bmWe6Z)u%$J&#|yzhvhbdruH5z81w=@0PtFm0{TG?IB2P8Y?F;um8{xe9+63xPE1gV`G{%OMKglZs-~Le za^uwh60Eq|WGWWT&4tlc7YC&WHYMj}TB3;sK}7|!N_Cf+WqS0J=I_xDK?c#W(Kh7W6>o#I;g9w)chWR>EJ1qHJcjd);b3pw2f^U8x5voMJ!Dwf{LDWJP}K$ zO}DdOG=HzCGJg+#+r*st6ZS@Ba`C1ibGvQJEzoCCWvsKaH5oKUQ<(&wR7bo!sH!N> zcQGTL!h%ejy=FFG(?%OG{{)6#9Fz|K)pR}Sc+>Tk=z3}eA~z*_G96`jr1^Eb5BB(+ zqNZePJccbe0o$ZC8c)Z9ww_>Wv@M>@pu6r4?4_WoOrOGGR!};*yr~L*f^@3Wgx_fx z7R!WG3^wIWM$u~|7C=R_>1SGPFg4bWLk61;ve`4nVq8H`Ilh$ zTMpYM7!z>U8vErB<0xwCNzLo-jGC|$yILk0{XlfxT#@Wq(%utG=axlK)6{4h)Ad1V zT}3L^hNaOqJ}9p+$`OqiaN)!roCj@YlTJyt#5Y~bctmA5>vR>ZFdKiZ+Ypq_Y??N8 z0y-ZZG~-~Xk7YVyDP+@T9>(xTg3{W`YAm0IF^%O@n~jgZ96sd@bwM*`6?-nIie{p@ z1#b+-j}A&3H%;C&^p7J)tG>B;)3vg}@nN3sj{S`FkXK>tHuWSXn$xy?VKm+u#hA<{ z&n?$rT9ZD!!qdB4uHM+_NO~zw_U&=i2O?HHycWZ~=g@-*W-rk-JD$1s7QSb(s z-f%3&qfJ;As0=k`wjH}1M*saFV zikS>5Qpu>U+5Cbw#;`S}Zx+IIV12y18z+t#eS0d}-JvsSB<|G>)=AJfA*hSCm_@pF z{oJ5*dQE+E_0;<6=3vUSy5^b*)zwu&WrJq1{?MRwr0i%c3tvHHs;#Q33G}bZhN+DW zQ_Guc8tS$6J>=jtCC4N%1=Z&9o2lz!8QZYHtzEh@Ea4lkliYfme5EeJwzgQJGmaB{ z<8^3y8;m+Qb5akMRcjRIP<3alHG`k?r=2<18|oXTW82j2wlPE;t?RAx@iLa|OfQIP`X;4f9OBcAjX5@JuvJje zo65S&qT1KM6L2C zW7Wm+4vd3vVrQ}iCrCp#4lMJ^o6etSZa4NsZDT#Qr`ddFQ6xKi)W(cu*id9pi)WNr z&>5eSWNNOywIvg)?M++b zIQ(+0m({lP#5>#O#=4WO9j@K6?B$Lrc(ISRMANaknI+w^x{0x59nR44V=zgzZLxG~ zD&B2|`awl3F=xkID~{26JYT#fnTln+gOT&17&{DV8pj7F=I8+V1+m4^u5MJ%?jG#= zG%9cs^?cOicy}(P)qV{geS1%|J(jlIVBzFMvMn~ZHQAHMtd0D$HiZ?NYMYymFO97p F@_!W_49oxk literal 12662 zcmZvh2YeLO+Q#2AGaJ$fh@uF%j-UuaLJ_;4nnnnzvY`lKoFqfCWU~`@HX;m5K$tL=^_^JKO#1MP8D$| zMTk6N5Rng;xgrIW3W*}3m>5iy5JQNe#Ad`WVsl~(VmPrSu@y0b*qRtgj3P!8+YnJ= zTf!x_BgPP8iS3CUh;hV@#CT!?u@f`UxNloJ(1B~e9G6Elb!VkS{b%p&TDdZK}7B$|k3Vt+h-WSUJW zMzj!f2vmoj?mS{XaR9M^SV$a5EFumfT8V=R54DMfw~5I6BJIF!A|1d5B0kVBvY4Ko z26|-a5{U!LMV8RkO(cjOB1r^9FL4NwBGN>L=p&XA%M2m|o3(<{CA9qwqaSK^LH=%_ zr*#;V=ZhRpmm?UUr+cKxQNSq-I9lWw*zOWJmN?G9EbMrZ6GG`kk&{B{WQMQgcn^r2 z3LDa&M*M>~o%knl25}~FmVq8w&K5a`%5#bHayI1DX(KO+TnNvrMJ@s^6}cF=#OSrl zcMO21tTF*|naJgkt`xZjmx0uU*|b!CgYwEd6IDh75Og&ydr{Rg8h63c!8eJiaZw% z`@9T7<>)D`%P9w~7I_H)FLS)th+josh4L+t*MRj#nZKQZye{$vv%G1LUqjCKN#d6B=Qpm+DhbS0Au|UhGXsj38mi{_g~_7kv~G)pG?L= zQOZcl5@j0~Q0A^F+0(T`+n*J$EH`BX$?H zN6u62N#$Om_70WUiG2`0L)5+);S*8&8JM+~i>jcql0db>#n`G1bU=+shEJkqimDBz zS)%H4lHT$LxEw615m+RuDV#*JsQp7}Hb;mNEu!Wao0^N!J4DSR<{Ox~93W~zC@mCq zU{2BjC~eis>3$^zD58RWM0rrQbA&e9&J)$afqY^yJv-rfh>j7}MZ`s+qzW)>w}G)G zMDU2@;e_GO6&V=$T&ZR30bqT68p`YS?&%;Cw-1NC zQPfRFS#Y$0x&@wVMBNHJEb2BYZ_mZ4I~aGTsJlYt-J#1M38!kcsX==g~?tO^_o!@gdIV>PTL!z2Cl=m!nn6-dxv;e)O$?L z{-@r@TyTecAX13y{zC&Z>yJczoRhQ-{ZG$~{ZFy~sV|HYW@AH@tKUR@4Y1>>Z?Zd~ zzB4W+_4lIw9ZKwf>PJ!Ne|m(UiC>6c39hzqCnK3G?0@R_+z5Z7hY!_X_{8GDvy@m6 zEw(z#7R$+n7gmUsmy@hPV&xmjDj>KbtB4Z%AI27 z8^CT2hg2%omcaI6Z3VbujR3Y0YinQ>14d>Kf;HM4AbnLLlNAk9v;X0|SliJyh8UZ3 z(E&Rk=LE6F(Y7NoKIby%pWId-F$*gu4 zu3=Zn+IC0y-eT>+xIIJ9y^JT^OdMVhs_26LXI&`Pe!w!Z%7KMqRRA^gtQ2d&vzh@j z34{%5iOSuJ9r|5yf13meHg#p$*Imx=0tG!RG`x)>6@gVU~==m@`*NC;2 zwnvCZLzl;liyq;LQ2C@-PleLI#2TojXL8DcnOVXty-ejR z1_;##4eK?r*3FI-iC-0+ZyO_ZDap4$;ODy{%3E`fp#Fq5jzs&F_$v2CtzVq#NNrkgiquo zCW&2|Q^G}mYqckfJ%!;@4UBRcZ95aw4Uows+g0q{=vl?MJ&4{AE7r3&g$<((__p1UxME#lS;iUjp1IHu|5vTI^MfyNtM;xPrKn zxQe)%xQ4ivxXu9Oq{q}Nvac8WhETeZ%A3T#IaKn`p!Th_-6r97m__d zm%E93hn>;%(v`0yA?8#eNUT{t$Zu@T1u817C>!f#|;!+aE&u zMC^}%k466#6-xbju5F(ZpAnxM=$9zi@FVt@Vt+;3*97{Xj{BDQj`*HH|I@Y~42m(` zY?hyx>}Romq06tK?LV~rCiZ`6`#opFB<(+q@`yo1K2cyWm~e`) zXWNNW42%?KFtE8eCGwk2GH!8ouw8S2a_W87GAwx@CjVjQs}F`k$}>_ki?CK06ugYTv^8L4*@ zX9}gM#57`OVqlrOP}x&LX2U;RlJ+N|%EPk7zR}VPP824sm?i789Lx8F-p; zDwh!5M1trcl0-nDvYbPt1iOUvdIbCd)6xBJgg6=4P8O$++q#rkMl2^*5dBQ{Hv}9h z&fh5=N*qQUZeZ4Mgp?c!c;uPXk;xytP z#OcI8fg*9x|C|TKITN@-oU>>Yu`i^VyY5}vekzLXqK=>p~J-JM4eX zO;Yj_v*;SUO`Kbel%4MFP~IiZ9dx;qwr?rjP26Kp@PxsTkpxcMK$meIkRb;e$$5x) z7&+e(XAPybkk)ZZkBIXqr02wW3}F9r9v6qHohKRal)(^Goj$2g6VDLO8WeMM=Xok$ zFc^X-rUPC?YW_LXd5OdFt;BgnoLA}c8nK>n*j63)2Jt49n6*~EO}vAg--`1t@Rd04 zQMm!q=i=bpIv;bO55)P9wvP;kaJtSXRDMc)W-!#E^ab&y!N8xYov*3<#$f1Hl)fXr z2P|>^jbZ-~=Lg_taek!jCxfBWDg6T5Z{qw)=|8m1ru1Lp_l=Z)8Yv=#q7CPED89#` z|6xNSxMm{wr#|>-DUU8Jn@B#D1w;-_rJZ&Qn2|F*_%py-1xuu=X-sbAQ|)oed*Tpigd>BX-)R^wE3w=)Z}%G)c>^x zsZK8$@AoqCAQ_v}+u>#W4!0%e`aIyOK* zY6+}vj~i_$ZyDF(#{AUMc)Op5a!rjJoj228mhdx~(q^x{+e>x0l|fIhmt3LEwi{iP z-{7UwUVB$x8ct~pmd?a8eHq^k7P~Eedsi|@1fAM@?aK4r=mF*3UXK?KEpb0RDL2Dm zAGy&5m5r4(vzz8LyOmw>q&IcfJ=_Y6+!iE#on)$uF$I+4 zl^5?x_$jwMSD0?h6sFE*>Dj2Npz1ICh?(@5jd3fnAHJD&;XF556{~G2*FnQBM#a?y zDc{TPh1OOVyV3n)!QxDtm+W>cDln^5Z<#LBBcIg2Cq0bcYu3SajULq5f0?fru<2tl zB|6Eiudg)odjPJZ8Y*iyb#|3{pS%3%4XDYK_-#8w!yu+mQ?+5@-QOJ$OHQeE+0x2mE%H^jVn3I&+Ql>a${xYDIB8Q=&bTs6@J`wDxuR)8G~Y(k@DeF9@C1V@hE_b z7Cp|KI(N3;iAx5D4zfNo+GA?I8?C8rE^SIC%uz2s4Vz;|=aIv)aZ6pETJ3+#!?=oK zeW}I02~Vf3>1ms(^}{iAOGVJPqO;FWXUoE^jWugyy3vi+SET$7lt#xix4c3t$2DWY z1vP!R4?6TAZ3x=po7OTOQ5o(!Q$;KF!C&h%xzYKtIkRVA@JVh9E`~-w)8(fyn-2Xj z#y;Xk>nf{JK24>~<+EFKOx`hwDQ~KGTd=D*b8eNF@v;T49i~lkqs^O6UK@tRF-O(d z(z0o-{N?)4Pj}*G+I#dX@OEN-$r^pzmM`_<2@h-1hdf)Z?wpu;cm=Py(dt>vjkTuA zN6x}yLR?Be@J&vHx$oAFy$cU}LAFrd>O8m8S&-lFxWL+0@y-dmpOJXtIE#RZB7MC;~jp=j5h3geHq6) z;~AvJ?WMa^_Q2$$*);3>IT@tfMl>|vW%)V3VqBYdlpY~_Xxw>0D$%hF$=%*WyWYBj z4e%V&7%X$qW0D#CkNj;b2JW|U|4*cjsw#4$2hNOREpBb|(p_^iA6Q)3B<(crA*9Z0 z^p~0ItS_|!^Ijb2UB=qmyL5@+xI*!){kFr zT@TyXUmM)o{?o%2zHyyo>uJ^%rU*Ma{A41I8+_wB)T50;ADln44`tQv;U20^`0W{d z&fRwUUT2jF)7&@1zjLDtwIlMFZr;8GuV6tU z-R+s_>nRoE>Yk&0^krF#1A;ytE9))u%vi&Z$Bi`b+LPUc;!p6N5L*^cr*+79e9H9m z4x6A$Q70XVi?&`T)f?3~ut8H-qsPwj`unpB&&^@vStuE`T1WOT#^Orqyf!R*;Ppx0 zj=FW>artd-AB2GmDYwaE@4;}@^Qv8JbWS-Kd)=aUent~+s&cog+O3W?mp7U#Z20b2 zHF{a6r`M3m_LlOPsmzghqgtfu<9PGM^;eS!+Hh|)_2Qb+FS_a6E#~y%B-AxG;!x@% zr;8#;^cf$$mNDC526cEw$?imaNw@E6*X(YLjN#rfw@Y6t==F4;YHZR`-nO_c>uVe9 zI)V%im{ygb6Iax-96yJ(VP17b>C`FHcbmTY*>4)W)_hzTGDz6rgzO&Ek^wY|5m(EHC9e!(j(3i}tjr>nt Q3Kg5`Xidla{Z*s?7fbf^>;M1& diff --git a/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-City-Test-Updated.mmdb b/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-City-Test-Updated.mmdb index 58b6aa62baa075f6339ffa6f0b1faa06edcbea42..2d2fb0eaf21508298c1ce74094c427ed90037e08 100644 GIT binary patch literal 3472 zcmZA233wFc8Nl&(V+5`D6)&P6oDn%*izfts@8I^I-ujgj*m917PU+J|;4#(a$tR(gaH}w2f|3QA`U%W$W;q&74b;s;oz7>q9t%!NHDA{6&WG9teSkU$oohxhuf=d?-yB7 zi6S2q8P%iQAyTR&MJHEM_aXRjrA^NnPWut~D69$z8a}QE8zcD%kvl7Oa+kG>&G1D}R_;4|=9_*_UZ(dSv&7vMg)A07w^dIf(E!WZEoy@>rH4{N?J@+Fdw zz*?PrLF7@*PLXvaAA`r?30MzL!Uos~o8T$f3|ru7J@gKdXNb1KHrNi&h8$e{J9~Jp zl9XMX#Fs_BLc#N}8@^iY`89feUE~|IeG|S_?egu)d48vwd{N}P)#!U7K6T@jq+V9A zGWmhX4{7@m{1|?s+g_r}Pep!4^5-G%+L*j7@(bF2S!t7BQTK|-tJUOdB+DXuDA-$V z+b8ntN)!x#pc2V%sQazR@2Gnneh+WJAK;JhC-^hG84~XHFAVlq_?yVz>GBWwXQij^ z9Txl>{sV8pe?ubFL?T2ra0t}Gp)dg^!eMZDhzv;N2&O#}j)J4%7&sP=gX7@@I1x^Q zIyf0lfm7i$I2|TIJ)8k&f`Z9#7Mu;|z`1Z9oDU5!1^E4oTu9UiO)wRv!9{Q}G{Yru zDNKjU;BvSEu7s=LYPbfjh3nvYm;p0EzqsJSTc8zU&<5?$0de5>FOneYf^O*19Q^H= zC6Qi|H$WfU2(vXwiOeCI3;l2t%!8X@J}iKRa7&1OPT^L99Sumts78alx|BrBYSJP( z1Zjy3(`Hw@=#kzvW`>?waKMEe+$s^TTAnAVNBQ4>`&v_WVdS;WwBgDcFwX6w0kB*R-OsIcnnWq}QnG_D4;tEmrj0 zoT2LZu%cF8^+tz0H7~lzm{l&VEthtbOHY(brE+O?ELUiX_UU%7*yXSBH;u3GpYwP5 z8)D0bn_7C>_C5Z{zRjE3Q*O~Icq3&!O~ds2JM6rh3@2`n>M2!s|6I$nY{yO)^i+x6 zPwOuor-oI1&m6}tSf)zYPTF*{Y9P_4JGx4zO;=foK6k_@X00Y2t3_Sq(TB>T>&vBe z<V|9mzXHDyJ z9n*FCJS%PI3wn2^-f(yZYF$^pIB42S?7W^ZUsD?#N^{OF>=p%Z9G&k0w-ISszxvl`p8M3e_{)cz%+41Dwm8%Yv#vXg|jc#LUx9yly zQ*QRa{K4?KB=zIT8ii!mSmb)iC6*T~e5~gGTlKY6S|3OZ7VV6gv~q50xVC0^#rnIt zO`~888hI;O7|B`P?Uvi6Z??IqMZevIY2{O%oeQoYc(Dr`-)UAsvzi_3tMy>LY8WyW zTT1tc_cp6w)JCOOsH~+%HkYwfuIT05ynaZolNp)PY3C|So)Fiknl2h?D<7#9M+yngO6mV3$-KSH8k_Vs!tk*( literal 3461 zcmZA233wFc8Nl&(BZ~KJJWBM#qXs0PC|=bHn=Hv@a~Xk%fXifOvYD_uvz^_gBrPq? z7PU<+1)JK|R!yswqGF(60YR$twzivIwAHrCk`&rnd*9bL^M_s9JkLJAec$hUzjHPt z5)ug|MXEFzk>fOP7nwwKJe&ZN;Y5wjoJ4dooC2r9X>dB60cXNla5kI+=fZhV4d=rJ za3Nd-Z-FUL0~f<3pkOLo3YWp-u7p~c2Gijxm;rS#6K28Ha1G3cYvDSW1J}b1 za3kCVH^bZD7PuAk#rSu08_b1y5QchafC$WoMreX4G(!wppcUGn9XjB45&4TqC(#|S z02aa`=z=?8G28`9U@0tvyCDwC!O-*FC(^BXw@8Ad36@Uwi}Vobr&xM}6Y@{VCfNro zAO&e~zzy(gM1S5v(t|AIAP+0yodH4JDyCf{GEhmr>*!j7E~`b}qi1-($a^bYbiw-= zY!C|NHeD3dt%ZBw-lJp62lQZ{Ciy{;p>mykNaTLq_MpgzE6H{A{0OXv4e$Vb6o%nr z0saa;&dNRkpM;0tQvrT2|MM_B0*~rN926PRd|Tu*BtHv}>Ezc$9@p#?`5eh7U?Y4U zHo=qd6g&-^;Taf(EwEJ&y+h;+MB89HJPTh8II{Sod)QS@%5$8=Zjn6{JP&)}OO>84 z(DOx+eYAZUzEbJ()$)0My^{Qf$Tus|OCsN*?&We)FUwzoD)Q4x@@FJ}F7g@$uUFa*h?L5aKm2$(k_qa5A##Yi z!|+S^75p0BfZxEI@Y{f3x4&bs-@_k7{z#WU!Jo@Lb?>0yukbhcJNyIw3IBqB!+!!o zj28+KRl#vE362kt z6Wk2E|3bGA-3t1N^Dq21m<#hD4E4|e5#aq7Y9wlcC^Tz&xapXLT1d7+8?-}*W{HGu zC+dVdU;!+IMbHIz!eY29KtE2wR{R|;mC&+EbT?~>OX!#`2FY$nNXVqXs?_O`jwv|u z8nh|sgB6g1w1k{Wxl2-y^1pu*4GBBff1o*OxsH*x;UJ;RQXDRB9a~d;zPPtI8X4%Vt8be>@zfI& z+qO0)+`NxakMV4pTj-AZusbc${)!%fS=v6gs3mrRW znJQ*GNz+ZM<*`oP(N#Kay2^@my8T8zZPn>m^|h1+A1e)RE)_PF26w8}>J7DaX>mhw zd-1vAj^Zx8t}S|XJH`f!qs2Yib!vG2p`k6~5AA76xd|g@yUxLOBaz5^MxsCN8K#}j zj+jj;-IB|jR`1;CYr(-sQ?8RFwO9Ys^Z%kbTOa&@>sYP9;aRgS9t}7f<)g^scT~;=y!j`up+iUAiYnN3OAJm)G*HPS7+%q;* z+^LG|i`(@n>>9gIpTHV5+;Zsgy$5$cGro4{aAD-hm)~qPR<+uWIWys=4=?Es9+$X& zc+y5Lo;LbiFTT?9{DqHH{eP>zmU8Q(vF^N`GUHapP4rHxvi9%a&}tevqua<@@mzn# ziZxnpv}1N%y?%0Irj<>2cE-Pe1NwPgHl0T0H>w5xo*ItSs@fi7g{6+P`y Date: Mon, 11 Aug 2025 10:47:04 +0900 Subject: [PATCH 197/505] redis_proxy: Add support for GETEX (#40578) Commit Message: redis_proxy: Add support for GETEX Additional Description: Risk Level: Low Testing: Docs Changes: yes(./docs/root/intro/arch_overview/other_protocols/redis.rst, changelogs/current.yaml) Release Notes: Platform Specific Features: Fixes #issue: #38492 Signed-off-by: qero.9ram --- changelogs/current.yaml | 2 +- .../intro/arch_overview/other_protocols/redis.rst | 1 + .../network/common/redis/supported_commands.h | 14 +++++++------- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 2df432399c05f..26a3c200189c4 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -141,7 +141,7 @@ new_features: will take precedence over this field. - area: redis change: | - Added support for ``GEOSEARCH``. + Added support for ``GEOSEARCH``and ``GETEX``. - area: observability change: | Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in produiction environments. diff --git a/docs/root/intro/arch_overview/other_protocols/redis.rst b/docs/root/intro/arch_overview/other_protocols/redis.rst index a5d310bb420d2..869be36c7c894 100644 --- a/docs/root/intro/arch_overview/other_protocols/redis.rst +++ b/docs/root/intro/arch_overview/other_protocols/redis.rst @@ -252,6 +252,7 @@ For details on each command's usage see the official GET, String GETBIT, String GETDEL, String + GETEX, String GETRANGE, String GETSET, String INCR, String diff --git a/source/extensions/filters/network/common/redis/supported_commands.h b/source/extensions/filters/network/common/redis/supported_commands.h index 88fac5052a3b8..74ad5abf542f5 100644 --- a/source/extensions/filters/network/common/redis/supported_commands.h +++ b/source/extensions/filters/network/common/redis/supported_commands.h @@ -24,13 +24,13 @@ struct SupportedCommands { "bf.insert", "bf.loadchunk", "bf.madd", "bf.mexists", "bf.reserve", "bf.scandump", "bitcount", "bitfield", "bitpos", "decr", "decrby", "dump", "expire", "expireat", "geoadd", "geodist", "geohash", "geopos", "georadius_ro", "georadiusbymember_ro", "geosearch", "get", - "getbit", "getdel", "getrange", "getset", "hdel", "hexists", "hget", "hgetall", "hincrby", - "hincrbyfloat", "hkeys", "hlen", "hmget", "hmset", "hscan", "hset", "hsetnx", "hstrlen", - "hvals", "incr", "incrby", "incrbyfloat", "lindex", "linsert", "llen", "lmove", "lpop", - "lpush", "lpushx", "lrange", "lrem", "lset", "ltrim", "persist", "pexpire", "pexpireat", - "pfadd", "pfcount", "psetex", "pttl", "publish", "restore", "rpop", "rpush", "rpushx", - "sadd", "scard", "set", "setbit", "setex", "setnx", "setrange", "sismember", "smembers", - "spop", "srandmember", "srem", "sscan", "strlen", "ttl", "type", "xack", "xadd", + "getbit", "getdel", "getex", "getrange", "getset", "hdel", "hexists", "hget", "hgetall", + "hincrby", "hincrbyfloat", "hkeys", "hlen", "hmget", "hmset", "hscan", "hset", "hsetnx", + "hstrlen", "hvals", "incr", "incrby", "incrbyfloat", "lindex", "linsert", "llen", "lmove", + "lpop", "lpush", "lpushx", "lrange", "lrem", "lset", "ltrim", "persist", "pexpire", + "pexpireat", "pfadd", "pfcount", "psetex", "pttl", "publish", "restore", "rpop", "rpush", + "rpushx", "sadd", "scard", "set", "setbit", "setex", "setnx", "setrange", "sismember", + "smembers", "spop", "srandmember", "srem", "sscan", "strlen", "ttl", "type", "xack", "xadd", "xautoclaim", "xclaim", "xdel", "xlen", "xpending", "xrange", "xrevrange", "xtrim", "zadd", "zcard", "zcount", "zincrby", "zlexcount", "zpopmin", "zpopmax", "zrange", "zrangebylex", "zrangebyscore", "zrank", "zrem", "zremrangebylex", "zremrangebyrank", "zremrangebyscore", From 89a789a1c9f45bf916a687a720130210076ab1ce Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 11 Aug 2025 13:36:00 +0200 Subject: [PATCH 198/505] geoip_providers: deprecate flag mmdb_files_reload_enabled and remove legacy code paths (#40548) ## Description This PR removes the deprecated reloadable flag `mmdb_files_reload_enabled` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39122 --- **Commit Message:** router: deprecate flag mmdb_files_reload_enabled and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `mmdb_files_reload_enabled` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 ++ source/common/runtime/runtime_features.cc | 1 - .../geoip_providers/maxmind/geoip_provider.cc | 12 ++---- .../maxmind/geoip_provider_test.cc | 38 ------------------- 4 files changed, 7 insertions(+), 47 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 26a3c200189c4..545e9df0e5184 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -70,6 +70,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: geoip_providers + change: | + Removed runtime guard ``envoy.reloadable_features.mmdb_files_reload_enabled`` and legacy code paths. - area: proxy_protocol change: | Removed runtime guard ``envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index fb9fae00bbe97..64fdc73c9b4e5 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -55,7 +55,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); RUNTIME_GUARD(envoy_reloadable_features_local_reply_traverses_filter_chain_after_1xx); -RUNTIME_GUARD(envoy_reloadable_features_mmdb_files_reload_enabled); RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name); RUNTIME_GUARD(envoy_reloadable_features_normalize_rds_provider_config); RUNTIME_GUARD(envoy_reloadable_features_oauth2_cleanup_cookies); diff --git a/source/extensions/geoip_providers/maxmind/geoip_provider.cc b/source/extensions/geoip_providers/maxmind/geoip_provider.cc index abb9bab281ac2..efeea7485a31c 100644 --- a/source/extensions/geoip_providers/maxmind/geoip_provider.cc +++ b/source/extensions/geoip_providers/maxmind/geoip_provider.cc @@ -126,31 +126,27 @@ GeoipProvider::GeoipProvider(Event::Dispatcher& dispatcher, Api::Api& api, mmdb_reload_thread_ = api.threadFactory().createThread( [this]() -> void { ENVOY_LOG_MISC(debug, "Started mmdb_reload_routine"); - if (config_->cityDbPath() && - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.mmdb_files_reload_enabled")) { + if (config_->cityDbPath()) { THROW_IF_NOT_OK(mmdb_watcher_->addWatch( config_->cityDbPath().value(), Filesystem::Watcher::Events::MovedTo, [this](uint32_t) { return onMaxmindDbUpdate(config_->cityDbPath().value(), CITY_DB_TYPE); })); } - if (config_->ispDbPath() && - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.mmdb_files_reload_enabled")) { + if (config_->ispDbPath()) { THROW_IF_NOT_OK(mmdb_watcher_->addWatch( config_->ispDbPath().value(), Filesystem::Watcher::Events::MovedTo, [this](uint32_t) { return onMaxmindDbUpdate(config_->ispDbPath().value(), ISP_DB_TYPE); })); } - if (config_->anonDbPath() && - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.mmdb_files_reload_enabled")) { + if (config_->anonDbPath()) { THROW_IF_NOT_OK(mmdb_watcher_->addWatch( config_->anonDbPath().value(), Filesystem::Watcher::Events::MovedTo, [this](uint32_t) { return onMaxmindDbUpdate(config_->anonDbPath().value(), ANON_DB_TYPE); })); } - if (config_->asnDbPath() && - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.mmdb_files_reload_enabled")) { + if (config_->asnDbPath()) { THROW_IF_NOT_OK(mmdb_watcher_->addWatch( config_->asnDbPath().value(), Filesystem::Watcher::Events::MovedTo, [this](uint32_t) { return onMaxmindDbUpdate(config_->asnDbPath().value(), ASN_DB_TYPE); diff --git a/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc b/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc index e67ef8771452e..a1cb1aba998b6 100644 --- a/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc +++ b/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc @@ -874,44 +874,6 @@ TEST_P(MmdbReloadImplTest, MmdbReloadedInFlightReadsNotAffected) { TestEnvironment::renameFile(source_db_file_path + "1", source_db_file_path); } -TEST_P(MmdbReloadImplTest, MmdbNotReloadedRuntimeFeatureDisabled) { - TestScopedRuntime scoped_runtime_; - scoped_runtime_.mergeValues({{"envoy.reloadable_features.mmdb_files_reload_enabled", "false"}}); - MmdbReloadTestCase test_case = GetParam(); - initializeProvider(test_case.yaml_config_, cb_added_nullopt); - Network::Address::InstanceConstSharedPtr remote_address = - Network::Utility::parseInternetAddressNoThrow(test_case.ip_); - Geolocation::LookupRequest lookup_rq{std::move(remote_address)}; - testing::MockFunction lookup_cb; - auto lookup_cb_std = lookup_cb.AsStdFunction(); - EXPECT_CALL(lookup_cb, Call(_)).WillRepeatedly(SaveArg<0>(&captured_lookup_response_)); - provider_->lookup(std::move(lookup_rq), std::move(lookup_cb_std)); - const auto& geoip_header_it = captured_lookup_response_.find(test_case.expected_header_name_); - EXPECT_EQ(test_case.expected_header_value_, geoip_header_it->second); - expectStats(test_case.db_type_, 1, 1); - std::string source_db_file_path = TestEnvironment::substitute(test_case.source_db_file_path_); - std::string reloaded_db_file_path = TestEnvironment::substitute(test_case.reloaded_db_file_path_); - TestEnvironment::renameFile(source_db_file_path, source_db_file_path + "1"); - TestEnvironment::renameFile(reloaded_db_file_path, source_db_file_path); - { - absl::ReaderMutexLock guard(&mutex_); - EXPECT_EQ(0, on_changed_cbs_.size()); - } - expectReloadStats(test_case.db_type_, 0, 0); - captured_lookup_response_.clear(); - remote_address = Network::Utility::parseInternetAddressNoThrow(test_case.ip_); - Geolocation::LookupRequest lookup_rq2{std::move(remote_address)}; - testing::MockFunction lookup_cb2; - auto lookup_cb_std2 = lookup_cb2.AsStdFunction(); - EXPECT_CALL(lookup_cb2, Call(_)).WillRepeatedly(SaveArg<0>(&captured_lookup_response_)); - provider_->lookup(std::move(lookup_rq2), std::move(lookup_cb_std2)); - const auto& geoip_header1_it = captured_lookup_response_.find(test_case.expected_header_name_); - EXPECT_EQ(test_case.expected_header_value_, geoip_header1_it->second); - // Clean up modifications to mmdb file names. - TestEnvironment::renameFile(source_db_file_path, reloaded_db_file_path); - TestEnvironment::renameFile(source_db_file_path + "1", source_db_file_path); -} - struct MmdbReloadTestCase mmdb_reload_test_cases[] = { {default_city_config_yaml, "city_db", default_city_db_path, default_updated_city_db_path, "x-geo-city", "London", "BoxfordImaginary", "81.2.69.144"}, From d9bda64c848ae34449ccac6efc2c6a18b8b44a3f Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 11 Aug 2025 14:45:27 +0200 Subject: [PATCH 199/505] rds: deprecate flag normalize_rds_provider_config and remove legacy code paths (#40660) --- changelogs/current.yaml | 3 ++ .../rds/route_config_provider_manager.h | 23 ++++------ source/common/runtime/runtime_features.cc | 1 - test/common/router/rds_impl_test.cc | 43 +++++++++---------- 4 files changed, 32 insertions(+), 38 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 545e9df0e5184..fbc76e02c4f3f 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -52,6 +52,9 @@ removed_config_or_runtime: - area: udp_proxy change: | Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. +- area: rds + change: | + Removed runtime guard ``envoy.reloadable_features.normalize_rds_provider_config`` and legacy code paths. - area: quic change: | Removed runtime guard ``envoy.reloadable_features.report_stream_reset_error_code`` and legacy code paths. diff --git a/source/common/rds/route_config_provider_manager.h b/source/common/rds/route_config_provider_manager.h index f2c1b5c05c6d6..080f960948a72 100644 --- a/source/common/rds/route_config_provider_manager.h +++ b/source/common/rds/route_config_provider_manager.h @@ -45,20 +45,15 @@ class RouteConfigProviderManager { uint64_t manager_identifier; - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.normalize_rds_provider_config")) { - // Normalize the config_source part of the passed config. Some parts of the config_source - // do not affect selection of the RDS provider. They will be cleared (zeroed) and restored - // after calculating hash. - // Since rds is passed as const, the constness must be casted away before modifying rds. - auto* orig_initial_timeout = - const_cast(rds).mutable_config_source()->release_initial_fetch_timeout(); - manager_identifier = MessageUtil::hash(rds); - const_cast(rds).mutable_config_source()->set_allocated_initial_fetch_timeout( - orig_initial_timeout); - - } else { - manager_identifier = MessageUtil::hash(rds); - } + // Normalize the config_source part of the passed config. Some parts of the config_source + // do not affect selection of the RDS provider. They will be cleared (zeroed) and restored + // after calculating hash. + // Since rds is passed as const, the constness must be casted away before modifying rds. + auto* orig_initial_timeout = + const_cast(rds).mutable_config_source()->release_initial_fetch_timeout(); + manager_identifier = MessageUtil::hash(rds); + const_cast(rds).mutable_config_source()->set_allocated_initial_fetch_timeout( + orig_initial_timeout); auto existing_provider = reuseDynamicProvider(manager_identifier, init_manager, route_config_name); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 64fdc73c9b4e5..5fe64617b6c50 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -56,7 +56,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); RUNTIME_GUARD(envoy_reloadable_features_local_reply_traverses_filter_chain_after_1xx); RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name); -RUNTIME_GUARD(envoy_reloadable_features_normalize_rds_provider_config); RUNTIME_GUARD(envoy_reloadable_features_oauth2_cleanup_cookies); RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); diff --git a/test/common/router/rds_impl_test.cc b/test/common/router/rds_impl_test.cc index 5d9ce3db6426b..c34e93ddb000e 100644 --- a/test/common/router/rds_impl_test.cc +++ b/test/common/router/rds_impl_test.cc @@ -1176,30 +1176,27 @@ name: foo_route_config ->dynamic_route_configs() .size()); - for (bool normalize_config : std::vector({true, false})) { - Runtime::maybeSetRuntimeGuard("envoy.reloadable_features.normalize_rds_provider_config", - normalize_config); - envoy::extensions::filters::network::http_connection_manager::v3::Rds rds2; - rds2 = rds_; - // The following is valid only when normalize_config is true: - // Modify parameters which should not affect the provider. In other words, the same provider - // should be picked, regardless of the fact that initial_fetch_timeout is different for both - // configs. - rds2.mutable_config_source()->mutable_initial_fetch_timeout()->set_seconds( - rds_.config_source().initial_fetch_timeout().seconds() + 1); - - RouteConfigProviderSharedPtr provider2 = - route_config_provider_manager_->createRdsRouteConfigProvider( - rds2, server_factory_context_, "foo_prefix", outer_init_manager_); + // Test that modifying the initial_fetch_timeout in the config_source doesn't affect + // provider selection due to config normalization. + envoy::extensions::filters::network::http_connection_manager::v3::Rds rds2; + rds2 = rds_; + // Modify parameters which should not affect the provider. The same provider should be picked, + // regardless of the fact that initial_fetch_timeout is different for both configs. + rds2.mutable_config_source()->mutable_initial_fetch_timeout()->set_seconds( + rds_.config_source().initial_fetch_timeout().seconds() + 1); - EXPECT_TRUE(server_factory_context_.cluster_manager_.subscription_factory_.callbacks_ - ->onConfigUpdate(decoded_resources.refvec_, "provider2") - .ok()); - EXPECT_EQ(normalize_config ? 1UL : 2UL, - route_config_provider_manager_->dumpRouteConfigs(universal_name_matcher) - ->dynamic_route_configs() - .size()); - } + RouteConfigProviderSharedPtr provider2 = + route_config_provider_manager_->createRdsRouteConfigProvider( + rds2, server_factory_context_, "foo_prefix", outer_init_manager_); + + EXPECT_TRUE(server_factory_context_.cluster_manager_.subscription_factory_.callbacks_ + ->onConfigUpdate(decoded_resources.refvec_, "provider2") + .ok()); + // We expect only 1 provider since the configurations are considered equivalent after + // normalization. + EXPECT_EQ(1UL, route_config_provider_manager_->dumpRouteConfigs(universal_name_matcher) + ->dynamic_route_configs() + .size()); } } // namespace From 4e386b999ef6e9f3f6332aa651ab79863288c3b0 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 11 Aug 2025 18:25:09 +0200 Subject: [PATCH 200/505] balsa: deprecate flag wait_for_first_byte_before_balsa_msg_done and remove legacy code paths (#40666) --- changelogs/current.yaml | 3 +++ source/common/http/http1/balsa_parser.cc | 2 +- source/common/http/http1/balsa_parser.h | 3 --- source/common/runtime/runtime_features.cc | 1 - test/integration/protocol_integration_test.cc | 4 ---- 5 files changed, 4 insertions(+), 9 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index fbc76e02c4f3f..f03bd7d3d47a1 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -73,6 +73,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: balsa + change: | + Removed runtime guard ``envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done`` and legacy code paths. - area: geoip_providers change: | Removed runtime guard ``envoy.reloadable_features.mmdb_files_reload_enabled`` and legacy code paths. diff --git a/source/common/http/http1/balsa_parser.cc b/source/common/http/http1/balsa_parser.cc index 2642e3692bea7..23dd28a4e6468 100644 --- a/source/common/http/http1/balsa_parser.cc +++ b/source/common/http/http1/balsa_parser.cc @@ -366,7 +366,7 @@ void BalsaParser::MessageDone() { if (status_ == ParserStatus::Error || // In the case of early 1xx, MessageDone() can be called twice in a row. // The !first_byte_processed_ check is to make this function idempotent. - (wait_for_first_byte_before_msg_done_ && !first_byte_processed_)) { + !first_byte_processed_) { return; } status_ = convertResult(connection_->onMessageComplete()); diff --git a/source/common/http/http1/balsa_parser.h b/source/common/http/http1/balsa_parser.h index e4475a3983932..609bfe5ac88eb 100644 --- a/source/common/http/http1/balsa_parser.h +++ b/source/common/http/http1/balsa_parser.h @@ -85,9 +85,6 @@ class BalsaParser : public Parser, public quiche::BalsaVisitorInterface { // Latched value of `envoy.reloadable_features.http1_balsa_delay_reset`. const bool delay_reset_ = Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http1_balsa_delay_reset"); - // Latched value of `envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done`. - const bool wait_for_first_byte_before_msg_done_ = Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done"); // Latched value of `envoy.reloadable_features.http1_balsa_allow_cr_or_lf_at_request_start`. const bool allow_newlines_between_requests_ = Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.http1_balsa_allow_cr_or_lf_at_request_start"); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 5fe64617b6c50..092391b48d3bd 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -83,7 +83,6 @@ RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); RUNTIME_GUARD(envoy_reloadable_features_use_filter_manager_state_for_downstream_end_stream); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); -RUNTIME_GUARD(envoy_reloadable_features_wait_for_first_byte_before_balsa_msg_done); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); RUNTIME_GUARD(envoy_reloadable_features_xds_prevent_resource_copy); diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 07cbba8dc62fa..bce87b9f12482 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1586,8 +1586,6 @@ TEST_P(DownstreamProtocolIntegrationTest, EnvoyProxying102DelayBalsaReset) { config_helper_.addConfigModifier( [&](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& hcm) -> void { hcm.set_proxy_100_continue(true); }); - config_helper_.addRuntimeOverride( - "envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done", "false"); config_helper_.addRuntimeOverride("envoy.reloadable_features.http1_balsa_delay_reset", "true"); initialize(); @@ -1617,8 +1615,6 @@ TEST_P(DownstreamProtocolIntegrationTest, EnvoyProxying102DelayBalsaResetWaitFor config_helper_.addConfigModifier( [&](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& hcm) -> void { hcm.set_proxy_100_continue(true); }); - config_helper_.addRuntimeOverride( - "envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done", "true"); config_helper_.addRuntimeOverride("envoy.reloadable_features.http1_balsa_delay_reset", "true"); initialize(); From 0e923a2444b4077e94cba97c2a82fa47b4dcab06 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 11 Aug 2025 18:30:45 +0200 Subject: [PATCH 201/505] router: deprecate flag streaming_shadow and remove legacy code paths (#40659) --- changelogs/current.yaml | 3 + source/common/router/router.cc | 120 ++++++----------- source/common/router/router.h | 5 +- source/common/runtime/runtime_features.cc | 1 - test/common/router/router_test.cc | 154 ++-------------------- 5 files changed, 56 insertions(+), 227 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index f03bd7d3d47a1..3d12867f98a33 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -58,6 +58,9 @@ removed_config_or_runtime: - area: quic change: | Removed runtime guard ``envoy.reloadable_features.report_stream_reset_error_code`` and legacy code paths. +- area: router + change: | + Removed runtime guard ``envoy.reloadable_features.streaming_shadow`` and legacy code paths. - area: http3 change: | Removed runtime guard ``envoy.reloadable_features.http3_remove_empty_trailers`` and legacy code paths. diff --git a/source/common/router/router.cc b/source/common/router/router.cc index a01ff69ee1942..27216abfb445f 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -815,47 +815,45 @@ bool Filter::continueDecodeHeaders(Upstream::ThreadLocalCluster* cluster, allow_multiplexed_upstream_half_close_ /*enable_half_close*/); LinkedList::moveIntoList(std::move(upstream_request), upstream_requests_); upstream_requests_.front()->acceptHeadersFromRouter(end_stream); - if (streaming_shadows_) { - // start the shadow streams. - for (const auto& shadow_policy_wrapper : active_shadow_policies_) { - const auto& shadow_policy = shadow_policy_wrapper.get(); - const absl::optional shadow_cluster_name = - getShadowCluster(shadow_policy, *downstream_headers_); - if (!shadow_cluster_name.has_value()) { - continue; - } - auto shadow_headers = Http::createHeaderMap(*shadow_headers_); - const auto options = - Http::AsyncClient::RequestOptions() - .setTimeout(timeout_.global_timeout_) - .setParentSpan(callbacks_->activeSpan()) - .setChildSpanName("mirror") - .setSampled(shadow_policy.traceSampled()) - .setIsShadow(true) - .setIsShadowSuffixDisabled(shadow_policy.disableShadowHostSuffixAppend()) - .setBufferAccount(callbacks_->account()) - // A buffer limit of 1 is set in the case that retry_shadow_buffer_limit_ == 0, - // because a buffer limit of zero on async clients is interpreted as no buffer limit. - .setBufferLimit(1 > retry_shadow_buffer_limit_ ? 1 : retry_shadow_buffer_limit_) - .setDiscardResponseBody(true) - .setFilterConfig(config_) - .setParentContext(Http::AsyncClient::ParentContext{&callbacks_->streamInfo()}); - if (end_stream) { - // This is a header-only request, and can be dispatched immediately to the shadow - // without waiting. - Http::RequestMessagePtr request(new Http::RequestMessageImpl( - Http::createHeaderMap(*shadow_headers_))); - config_->shadowWriter().shadow(std::string(shadow_cluster_name.value()), std::move(request), - options); - } else { - Http::AsyncClient::OngoingRequest* shadow_stream = config_->shadowWriter().streamingShadow( - std::string(shadow_cluster_name.value()), std::move(shadow_headers), options); - if (shadow_stream != nullptr) { - shadow_streams_.insert(shadow_stream); - shadow_stream->setDestructorCallback( - [this, shadow_stream]() { shadow_streams_.erase(shadow_stream); }); - shadow_stream->setWatermarkCallbacks(watermark_callbacks_); - } + // Start the shadow streams. + for (const auto& shadow_policy_wrapper : active_shadow_policies_) { + const auto& shadow_policy = shadow_policy_wrapper.get(); + const absl::optional shadow_cluster_name = + getShadowCluster(shadow_policy, *downstream_headers_); + if (!shadow_cluster_name.has_value()) { + continue; + } + auto shadow_headers = Http::createHeaderMap(*shadow_headers_); + const auto options = + Http::AsyncClient::RequestOptions() + .setTimeout(timeout_.global_timeout_) + .setParentSpan(callbacks_->activeSpan()) + .setChildSpanName("mirror") + .setSampled(shadow_policy.traceSampled()) + .setIsShadow(true) + .setIsShadowSuffixDisabled(shadow_policy.disableShadowHostSuffixAppend()) + .setBufferAccount(callbacks_->account()) + // A buffer limit of 1 is set in the case that retry_shadow_buffer_limit_ == 0, + // because a buffer limit of zero on async clients is interpreted as no buffer limit. + .setBufferLimit(1 > retry_shadow_buffer_limit_ ? 1 : retry_shadow_buffer_limit_) + .setDiscardResponseBody(true) + .setFilterConfig(config_) + .setParentContext(Http::AsyncClient::ParentContext{&callbacks_->streamInfo()}); + if (end_stream) { + // This is a header-only request, and can be dispatched immediately to the shadow + // without waiting. + Http::RequestMessagePtr request(new Http::RequestMessageImpl( + Http::createHeaderMap(*shadow_headers_))); + config_->shadowWriter().shadow(std::string(shadow_cluster_name.value()), std::move(request), + options); + } else { + Http::AsyncClient::OngoingRequest* shadow_stream = config_->shadowWriter().streamingShadow( + std::string(shadow_cluster_name.value()), std::move(shadow_headers), options); + if (shadow_stream != nullptr) { + shadow_streams_.insert(shadow_stream); + shadow_stream->setDestructorCallback( + [this, shadow_stream]() { shadow_streams_.erase(shadow_stream); }); + shadow_stream->setWatermarkCallbacks(watermark_callbacks_); } } } @@ -931,7 +929,6 @@ Http::FilterDataStatus Filter::decodeData(Buffer::Instance& data, bool end_strea ASSERT(upstream_requests_.size() <= 1); bool buffering = (retry_state_ && retry_state_->enabled()) || - (!active_shadow_policies_.empty() && !streaming_shadows_) || (route_entry_ && route_entry_->internalRedirectPolicy().enabled()); if (buffering && getLength(callbacks_->decodingBuffer()) + data.length() > retry_shadow_buffer_limit_) { @@ -1085,41 +1082,6 @@ absl::optional Filter::getShadowCluster(const ShadowPolicy& p } } -void Filter::maybeDoShadowing() { - for (const auto& shadow_policy_wrapper : active_shadow_policies_) { - const auto& shadow_policy = shadow_policy_wrapper.get(); - - const absl::optional shadow_cluster_name = - getShadowCluster(shadow_policy, *downstream_headers_); - - // The cluster name got from headers is empty. - if (!shadow_cluster_name.has_value()) { - continue; - } - - Http::RequestMessagePtr request(new Http::RequestMessageImpl( - Http::createHeaderMap(*shadow_headers_))); - if (callbacks_->decodingBuffer()) { - request->body().add(*callbacks_->decodingBuffer()); - } - if (shadow_trailers_) { - request->trailers(Http::createHeaderMap(*shadow_trailers_)); - } - const auto options = - Http::AsyncClient::RequestOptions() - .setTimeout(timeout_.global_timeout_) - .setParentSpan(callbacks_->activeSpan()) - .setChildSpanName("mirror") - .setSampled(shadow_policy.traceSampled()) - .setIsShadow(true) - .setIsShadowSuffixDisabled(shadow_policy.disableShadowHostSuffixAppend()) - .setFilterConfig(config_) - .setParentContext(Http::AsyncClient::ParentContext{&callbacks_->streamInfo()}); - config_->shadowWriter().shadow(std::string(shadow_cluster_name.value()), std::move(request), - options); - } -} - void Filter::onRequestComplete() { // This should be called exactly once, when the downstream request has been received in full. ASSERT(!downstream_end_stream_); @@ -1131,10 +1093,6 @@ void Filter::onRequestComplete() { if (!upstream_requests_.empty()) { // Even if we got an immediate reset, we could still shadow, but that is a riskier change and // seems unnecessary right now. - if (!streaming_shadows_) { - maybeDoShadowing(); - } - if (timeout_.global_timeout_.count() > 0) { response_timeout_ = dispatcher.createTimer([this]() -> void { onResponseTimeout(); }); response_timeout_->enableTimer(timeout_.global_timeout_); diff --git a/source/common/router/router.h b/source/common/router/router.h index 61213e4f8d64f..7a535048a2182 100644 --- a/source/common/router/router.h +++ b/source/common/router/router.h @@ -311,8 +311,7 @@ class Filter : Logger::Loggable, Filter(const FilterConfigSharedPtr& config, FilterStats& stats) : config_(config), stats_(stats), grpc_request_(false), exclude_http_code_stats_(false), downstream_response_started_(false), downstream_end_stream_(false), is_retry_(false), - request_buffer_overflowed_(false), streaming_shadows_(Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.streaming_shadow")), + request_buffer_overflowed_(false), streaming_shadows_(true), allow_multiplexed_upstream_half_close_(Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.allow_multiplexed_upstream_half_close")), upstream_request_started_(false), orca_load_report_received_(false) {} @@ -547,8 +546,6 @@ class Filter : Logger::Loggable, UpstreamRequestPtr createUpstreamRequest(); absl::optional getShadowCluster(const ShadowPolicy& shadow_policy, const Http::HeaderMap& headers) const; - - void maybeDoShadowing(); bool maybeRetryReset(Http::StreamResetReason reset_reason, UpstreamRequest& upstream_request, TimeoutRetry is_timeout_retry); uint32_t numRequestsAwaitingHeaders(); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 092391b48d3bd..d6150d0db5cc3 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -74,7 +74,6 @@ RUNTIME_GUARD(envoy_reloadable_features_report_load_with_rq_issued); RUNTIME_GUARD(envoy_reloadable_features_router_filter_resetall_on_local_reply); RUNTIME_GUARD(envoy_reloadable_features_skip_dns_lookup_for_proxied_requests); RUNTIME_GUARD(envoy_reloadable_features_skip_ext_proc_on_local_reply); -RUNTIME_GUARD(envoy_reloadable_features_streaming_shadow); RUNTIME_GUARD(envoy_reloadable_features_tcp_proxy_retry_on_different_event_loop); RUNTIME_GUARD(envoy_reloadable_features_test_feature_true); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index 3ee798c9dba55..b5aa42588bca9 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -4733,9 +4733,8 @@ class RouterShadowingTest : public RouterTest, public testing::WithParamInterfac INSTANTIATE_TEST_SUITE_P(StreamingShadow, RouterShadowingTest, testing::Bool()); TEST_P(RouterShadowingTest, BufferingShadowWithClusterHeader) { - if (streaming_shadow_) { - GTEST_SKIP(); - } + // Always skip this test as streaming_shadow is now always enabled + GTEST_SKIP(); ShadowPolicyPtr policy = makeShadowPolicy("", "some_header", "bar"); callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); ON_CALL(callbacks_, streamId()).WillByDefault(Return(43)); @@ -4811,9 +4810,8 @@ TEST_P(RouterShadowingTest, ShadowNoClusterHeaderInHeader) { router_->decodeHeaders(headers, false); Buffer::InstancePtr body_data(new Buffer::OwnedImpl("hello")); - if (!streaming_shadow_) { - EXPECT_CALL(callbacks_, addDecodedData(_, true)); - } + // With streaming shadows always enabled, we never call addDecodedData. + EXPECT_CALL(callbacks_, addDecodedData(_, true)).Times(0); EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, router_->decodeData(*body_data, false)); Http::TestRequestTrailerMapImpl trailers{{"some", "trailer"}}; @@ -4852,9 +4850,8 @@ TEST_P(RouterShadowingTest, ShadowClusterNameEmptyInHeader) { router_->decodeHeaders(headers, false); Buffer::InstancePtr body_data(new Buffer::OwnedImpl("hello")); - if (!streaming_shadow_) { - EXPECT_CALL(callbacks_, addDecodedData(_, true)); - } + // With streaming shadows always enabled, we never call addDecodedData. + EXPECT_CALL(callbacks_, addDecodedData(_, true)).Times(0); EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, router_->decodeData(*body_data, false)); Http::TestRequestTrailerMapImpl trailers{{"some", "trailer"}}; @@ -4942,71 +4939,6 @@ TEST_P(RouterShadowingTest, StreamingShadow) { EXPECT_TRUE(verifyHostUpstreamStats(1, 0)); } -TEST_P(RouterShadowingTest, BufferingShadow) { - if (streaming_shadow_) { - GTEST_SKIP(); - } - ShadowPolicyPtr policy = makeShadowPolicy("foo", "", "bar"); - callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); - policy = makeShadowPolicy("fizz", "", "buzz", envoy::type::v3::FractionalPercent(), false); - callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); - ON_CALL(callbacks_, streamId()).WillByDefault(Return(43)); - - NiceMock encoder; - Http::ResponseDecoder* response_decoder = nullptr; - expectNewStreamWithImmediateEncoder(encoder, &response_decoder, Http::Protocol::Http10); - - expectResponseTimerCreate(); - - EXPECT_CALL( - runtime_.snapshot_, - featureEnabled("bar", testing::Matcher(Percent(0)), - 43)) - .WillOnce(Return(true)); - EXPECT_CALL( - runtime_.snapshot_, - featureEnabled("buzz", - testing::Matcher(Percent(0)), 43)) - .WillOnce(Return(true)); - - Http::TestRequestHeaderMapImpl headers; - HttpTestUtility::addDefaultHeaders(headers); - router_->decodeHeaders(headers, false); - - Buffer::InstancePtr body_data(new Buffer::OwnedImpl("hello")); - EXPECT_CALL(callbacks_, addDecodedData(_, true)); - EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, router_->decodeData(*body_data, false)); - - Http::TestRequestTrailerMapImpl trailers{{"some", "trailer"}}; - EXPECT_CALL(callbacks_, decodingBuffer()) - .Times(AtLeast(2)) - .WillRepeatedly(Return(body_data.get())); - EXPECT_CALL(*shadow_writer_, shadow_("foo", _, _)) - .WillOnce(Invoke([](const std::string&, Http::RequestMessagePtr& request, - const Http::AsyncClient::RequestOptions& options) -> void { - EXPECT_NE(request->body().length(), 0); - EXPECT_NE(nullptr, request->trailers()); - EXPECT_EQ(absl::optional(10), options.timeout); - EXPECT_TRUE(options.sampled_.value()); - })); - EXPECT_CALL(*shadow_writer_, shadow_("fizz", _, _)) - .WillOnce(Invoke([](const std::string&, Http::RequestMessagePtr& request, - const Http::AsyncClient::RequestOptions& options) -> void { - EXPECT_NE(request->body().length(), 0); - EXPECT_NE(nullptr, request->trailers()); - EXPECT_EQ(absl::optional(10), options.timeout); - EXPECT_FALSE(options.sampled_.value()); - })); - router_->decodeTrailers(trailers); - EXPECT_EQ(1U, - callbacks_.route_->virtual_host_->virtual_cluster_.stats().upstream_rq_total_.value()); - - Http::ResponseHeaderMapPtr response_headers( - new Http::TestResponseHeaderMapImpl{{":status", "200"}}); - response_decoder->decodeHeaders(std::move(response_headers), true); - EXPECT_TRUE(verifyHostUpstreamStats(1, 0)); -} - TEST_P(RouterShadowingTest, NoShadowForConnect) { ShadowPolicyPtr policy = makeShadowPolicy("foo"); callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); @@ -5024,12 +4956,7 @@ TEST_P(RouterShadowingTest, NoShadowForConnect) { router_->onDestroy(); } -// If the shadow stream watermark callbacks are invoked in the Router filter destructor, -// it causes a potential use-after-free bug, as the FilterManager may have already been freed. -TEST_P(RouterShadowingTest, ShadowCallbacksNotCalledInDestructor) { - if (!streaming_shadow_) { - GTEST_SKIP(); - } +TEST_P(RouterShadowingTest, ShadowRequestCarriesParentContext) { ShadowPolicyPtr policy = makeShadowPolicy("foo", "", "bar"); callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); ON_CALL(callbacks_, streamId()).WillByDefault(Return(43)); @@ -5047,74 +4974,19 @@ TEST_P(RouterShadowingTest, ShadowCallbacksNotCalledInDestructor) { HttpTestUtility::addDefaultHeaders(headers); NiceMock foo_client; NiceMock foo_request(&foo_client); + EXPECT_CALL(*shadow_writer_, streamingShadow_("foo", _, _)) .WillOnce(Invoke([&](const std::string&, Http::RequestHeaderMapPtr&, const Http::AsyncClient::RequestOptions& options) { - EXPECT_EQ(absl::optional(10), options.timeout); - EXPECT_TRUE(options.sampled_.value()); + EXPECT_NE(options.parent_context.stream_info, nullptr); + EXPECT_EQ(callbacks_.streamInfo().route(), options.parent_context.stream_info->route()); return &foo_request; })); - router_->decodeHeaders(headers, false); - Buffer::InstancePtr body_data(new Buffer::OwnedImpl("hello")); - EXPECT_CALL(callbacks_, addDecodedData(_, _)).Times(0); - EXPECT_CALL(foo_request, sendData(BufferStringEqual("hello"), false)); - EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, router_->decodeData(*body_data, false)); - - // Guarantee that callbacks are invoked in onDestroy instead of destructor. - { - EXPECT_CALL(foo_request, removeWatermarkCallbacks()); - EXPECT_CALL(foo_request, cancel()); - router_->onDestroy(); - } - EXPECT_CALL(foo_request, removeWatermarkCallbacks()).Times(0); - EXPECT_CALL(foo_request, cancel()).Times(0); -} - -TEST_P(RouterShadowingTest, ShadowRequestCarriesParentContext) { - ShadowPolicyPtr policy = makeShadowPolicy("foo", "", "bar"); - callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); - ON_CALL(callbacks_, streamId()).WillByDefault(Return(43)); - - NiceMock encoder; - Http::ResponseDecoder* response_decoder = nullptr; - expectNewStreamWithImmediateEncoder(encoder, &response_decoder, Http::Protocol::Http10); - - EXPECT_CALL( - runtime_.snapshot_, - featureEnabled("bar", testing::Matcher(Percent(0)), - 43)) - .WillOnce(Return(true)); - Http::TestRequestHeaderMapImpl headers; - HttpTestUtility::addDefaultHeaders(headers); - NiceMock foo_client; - NiceMock foo_request(&foo_client); - - if (streaming_shadow_) { - EXPECT_CALL(*shadow_writer_, streamingShadow_("foo", _, _)) - .WillOnce(Invoke([&](const std::string&, Http::RequestHeaderMapPtr&, - const Http::AsyncClient::RequestOptions& options) { - EXPECT_NE(options.parent_context.stream_info, nullptr); - EXPECT_EQ(callbacks_.streamInfo().route(), options.parent_context.stream_info->route()); - return &foo_request; - })); - } else { - EXPECT_CALL(*shadow_writer_, shadow_("foo", _, _)) - .WillOnce(Invoke([&](const std::string&, Http::RequestMessagePtr&, - const Http::AsyncClient::RequestOptions& options) { - EXPECT_NE(options.parent_context.stream_info, nullptr); - EXPECT_EQ(callbacks_.streamInfo().route(), options.parent_context.stream_info->route()); - return &foo_request; - })); - } - - const auto should_end_stream = !streaming_shadow_; - router_->decodeHeaders(headers, should_end_stream); + router_->decodeHeaders(headers, false); - if (streaming_shadow_) { - EXPECT_CALL(foo_request, removeWatermarkCallbacks()); - EXPECT_CALL(foo_request, cancel()); - } + EXPECT_CALL(foo_request, removeWatermarkCallbacks()); + EXPECT_CALL(foo_request, cancel()); router_->onDestroy(); } From bc1de120b2f12188d7f21b444b7401b5a7ac6175 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 11 Aug 2025 12:11:03 -0700 Subject: [PATCH 202/505] Fixes reviewers.yaml for mathetake (#40671) This applies the same fix as in #40470. Signed-off-by: Takeshi Yoneda --- reviewers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reviewers.yaml b/reviewers.yaml index eb733f4354abd..3442794413f16 100644 --- a/reviewers.yaml +++ b/reviewers.yaml @@ -46,7 +46,7 @@ mattklein123: slack: U5CALEVSL mathetake: maintainer: true - opsgenie: Mathetake + opsgenie: mathetake slack: UG9TD2FSB nezdolik: maintainer: true From 6944017f9fb497b81e5f37cd316e406c388a3e4e Mon Sep 17 00:00:00 2001 From: code Date: Tue, 12 Aug 2025 03:37:12 +0800 Subject: [PATCH 203/505] http: refresh the trace decision/decorator by route refresh (#40336) In the previous implementation, the route refresh will update the custom trace tags, but the trace decision, decorator, etc. won't be updated. Now, in the new implementation, tags, decision, decorator, etc. all will be refreshed after refreshed the target route. This make it's possible to change the sampling ratio after changed the target route or modified trace related control headers. More specificly, this works in following two ways: 1. Add x-envoy-force-trace or related headers and refresh the route. The header will be respected and the trace decision will be updated to true. 2. Mofifier other attributes and switch the request to another route with different samiling ratio by refreshing route. NOTE: 1. If the `pack_trace_reason` is set to true (by default), then a traced request may cannot be updated to untraced (depends on the `overall_sampling`). 2. The decision from Envoy core maybe ingored by the tracer implementations because the tracer may make the trace decision besed on the external trace context, custom sampler, etc. This is guarded by a runtime flag. Risk Level: mid. Testing: unit. Docs Changes: n/a. Release Notes: added. Platform Specific Features: n/a. Optional Runtime guard: `envoy.reloadable_features.trace_refresh_after_route_refresh` --------- Signed-off-by: wangbaiping(wbpcode) Signed-off-by: WangBaiping --- changelogs/current.yaml | 10 + envoy/tracing/trace_driver.h | 17 ++ source/common/http/conn_manager_impl.cc | 186 +++++++++----- source/common/http/conn_manager_impl.h | 9 +- source/common/runtime/runtime_features.cc | 1 + source/common/tracing/null_span_impl.h | 1 + source/extensions/tracers/datadog/span.cc | 3 +- source/extensions/tracers/datadog/span.h | 4 +- source/extensions/tracers/datadog/tracer.cc | 7 +- .../tracers/fluentd/fluentd_tracer_impl.cc | 9 +- .../tracers/fluentd/fluentd_tracer_impl.h | 5 +- .../tracers/opentelemetry/tracer.cc | 17 +- .../extensions/tracers/opentelemetry/tracer.h | 10 +- source/extensions/tracers/skywalking/tracer.h | 4 + source/extensions/tracers/xray/tracer.h | 3 + .../tracers/zipkin/span_context_extractor.cc | 16 +- .../tracers/zipkin/span_context_extractor.h | 2 +- .../tracers/zipkin/zipkin_core_types.h | 4 + .../tracers/zipkin/zipkin_tracer_impl.cc | 9 +- test/common/http/conn_manager_impl_test.cc | 240 +++++++++++++++++- .../common/http/conn_manager_impl_test_base.h | 6 +- test/common/tracing/http_tracer_impl_test.cc | 14 + .../http/ext_proc/tracer_test_filter.cc | 7 + test/extensions/tracers/datadog/span_test.cc | 15 ++ .../extensions/tracers/datadog/tracer_test.cc | 50 ++++ .../fluentd/tracer_integration_test.cc | 12 + .../opentelemetry_tracer_impl_test.cc | 42 +++ .../tracers/skywalking/tracer_test.cc | 3 + .../zipkin/span_context_extractor_test.cc | 30 +-- .../tracers/zipkin/zipkin_tracer_impl_test.cc | 32 +++ test/mocks/tracing/mocks.h | 3 +- 31 files changed, 651 insertions(+), 120 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 3d12867f98a33..fc6034996eb4d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,6 +1,16 @@ date: Pending behavior_changes: +- area: http + change: | + The route refresh will now results in a tracing refresh. The trace sampling decision and decoration + of new route will be applied to the active span. + This change can be reverted by setting the runtime guard + ``envoy.reloadable_features.trace_refresh_after_route_refresh`` to ``false``. + Note, if :ref:`pack_trace_reason + ` is set + to ``true`` (it is ``true`` by default), then a request have been marked as traced may cannot be + unmarked as traced after the tracing refresh. - area: ext_proc change: | Reverted https://github.com/envoyproxy/envoy/pull/39740 to re-enable fail_open+FULL_DUPLEX_STREAMED configuraton combination. diff --git a/envoy/tracing/trace_driver.h b/envoy/tracing/trace_driver.h index 94a7ca27050e3..4e5e9617c6ae3 100644 --- a/envoy/tracing/trace_driver.h +++ b/envoy/tracing/trace_driver.h @@ -113,6 +113,23 @@ class Span { */ virtual void setSampled(bool sampled) PURE; + /** + * When the startSpan() of tracer is called, the Envoy tracing decision is passed to the + * tracer to help determine whether the span should be sampled. + * + * But note that the tracer may have its own sampling decision logic (e.g. custom sampler, + * external tracing context, etc.), and it may not use the Envoy tracing decision at all, + * then the desicion may be ignored by the tracer. + * + * The method is used to return whether the Envoy tracing decision is used by the tracer + * or not. + * + * When the Envoy tracing decision is refreshed becase route refresh or other reasons, if + * the Envoy tracing decision is used by the tracer, the sampled value will be updated + * by the HTTP connection manager based on the new Envoy tracing decision. + */ + virtual bool useLocalDecision() const PURE; + /** * Retrieve a key's value from the span's baggage. * This baggage data could've been set by this span or any parent spans. diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index feb21aea2f288..3432bcff4ff81 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -826,7 +826,9 @@ ConnectionManagerImpl::ActiveStream::ActiveStream(ConnectionManagerImpl& connect request_response_timespan_(new Stats::HistogramCompletableTimespanImpl( connection_manager_.stats_.named_.downstream_rq_time_, connection_manager_.timeSource())), header_validator_( - connection_manager.config_->makeHeaderValidator(connection_manager.codec_->protocol())) { + connection_manager.config_->makeHeaderValidator(connection_manager.codec_->protocol())), + trace_refresh_after_route_refresh_(Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.trace_refresh_after_route_refresh")) { ASSERT(!connection_manager.config_->isRoutable() || ((connection_manager.config_->routeConfigProvider() == nullptr && connection_manager.config_->scopedRouteConfigProvider() != nullptr && @@ -1000,6 +1002,13 @@ void ConnectionManagerImpl::ActiveStream::onStreamMaxDurationReached() { } void ConnectionManagerImpl::ActiveStream::chargeStats(const ResponseHeaderMap& headers) { + if (trace_refresh_after_route_refresh_ && connection_manager_tracing_config_.has_value()) { + const Tracing::Decision tracing_decision = + Tracing::TracerUtility::shouldTraceRequest(filter_manager_.streamInfo()); + ConnectionManagerImpl::chargeTracingStats(tracing_decision.reason, + connection_manager_.config_->tracingStats()); + } + uint64_t response_code = Utility::getResponseStatus(headers); filter_manager_.streamInfo().setResponseCode(response_code); @@ -1058,6 +1067,78 @@ bool streamErrorOnlyErrors(absl::string_view error_details) { } } // namespace +void ConnectionManagerImpl::ActiveStream::setRequestDecorator(RequestHeaderMap& headers) { + ASSERT(active_span_ != nullptr); + + const Router::Decorator* decorater = + hasCachedRoute() ? cached_route_.value()->decorator() : nullptr; + + // If a decorator has been defined, apply it to the active span. + absl::string_view decorated_operation; + if (decorater != nullptr) { + decorated_operation = decorater->getOperation(); + + decorater->apply(*active_span_); + state_.decorated_propagate_ = decorater->propagate(); + } + + if (connection_manager_tracing_config_->operation_name_ == Tracing::OperationName::Egress) { + // For egress (outbound) requests, pass the decorator's operation name (if defined and + // propagation enabled) as a request header to enable the receiving service to use it in its + // server span. + if (!decorated_operation.empty() && state_.decorated_propagate_) { + headers.setEnvoyDecoratorOperation(decorated_operation); + } + } else { + absl::string_view req_operation_override = headers.getEnvoyDecoratorOperationValue(); + + // For ingress (inbound) requests, if a decorator operation name has been provided, it + // should be used to override the active span's operation. + if (!req_operation_override.empty()) { + active_span_->setOperation(req_operation_override); + + // Set the decorator operation as overridden to avoid propagating the route decorator + // operation to the client when the setResponseDecorator() is called. + state_.decorator_overriden_ = true; + } + // Remove header so not propagated to service + headers.removeEnvoyDecoratorOperation(); + } +} + +void ConnectionManagerImpl::ActiveStream::setResponseDecorator(ResponseHeaderMap& headers) { + ASSERT(active_span_ != nullptr); + + if (connection_manager_tracing_config_->operation_name_ == Tracing::OperationName::Ingress) { + // For ingress (inbound) responses, if the request headers do not include a + // decorator operation (override), and the decorated operation should be + // propagated, then pass the decorator's operation name (if defined) + // as a response header to enable the client service to use it in its client span. + if (state_.decorated_propagate_ && !state_.decorator_overriden_) { + const Router::Decorator* decorater = + hasCachedRoute() ? cached_route_.value()->decorator() : nullptr; + absl::string_view decorated_operation = + decorater != nullptr ? decorater->getOperation() : absl::string_view(); + + if (!decorated_operation.empty()) { + // If the decorator operation is defined, set it as the response header. + headers.setEnvoyDecoratorOperation(decorated_operation); + } + } + } else if (connection_manager_tracing_config_->operation_name_ == + Tracing::OperationName::Egress) { + const absl::string_view resp_operation_override = headers.getEnvoyDecoratorOperationValue(); + + // For Egress (outbound) response, if a decorator operation name has been provided, it + // should be used to override the active span's operation. + if (!resp_operation_override.empty()) { + active_span_->setOperation(resp_operation_override); + } + // Remove header so not propagated to service. + headers.removeEnvoyDecoratorOperation(); + } +} + bool ConnectionManagerImpl::ActiveStream::validateHeaders() { if (header_validator_) { auto validation_result = header_validator_->validateRequestHeaders(*request_headers_); @@ -1435,8 +1516,11 @@ void ConnectionManagerImpl::ActiveStream::decodeHeaders(RequestHeaderMapSharedPt void ConnectionManagerImpl::ActiveStream::traceRequest() { const Tracing::Decision tracing_decision = Tracing::TracerUtility::shouldTraceRequest(filter_manager_.streamInfo()); - ConnectionManagerImpl::chargeTracingStats(tracing_decision.reason, - connection_manager_.config_->tracingStats()); + + if (!trace_refresh_after_route_refresh_) { + ConnectionManagerImpl::chargeTracingStats(tracing_decision.reason, + connection_manager_.config_->tracingStats()); + } Tracing::HttpTraceContext trace_context(*request_headers_); active_span_ = connection_manager_.tracer().startSpan( @@ -1446,47 +1530,7 @@ void ConnectionManagerImpl::ActiveStream::traceRequest() { return; } - // TODO: Need to investigate the following code based on the cached route, as may - // be broken in the case a filter changes the route. - - // If a decorator has been defined, apply it to the active span. - if (hasCachedRoute() && cached_route_.value()->decorator()) { - const Router::Decorator* decorator = cached_route_.value()->decorator(); - - decorator->apply(*active_span_); - - state_.decorated_propagate_ = decorator->propagate(); - - // Cache decorated operation. - if (!decorator->getOperation().empty()) { - decorated_operation_ = &decorator->getOperation(); - } - } - - if (connection_manager_tracing_config_->operation_name_ == Tracing::OperationName::Egress) { - // For egress (outbound) requests, pass the decorator's operation name (if defined and - // propagation enabled) as a request header to enable the receiving service to use it in its - // server span. - if (decorated_operation_ && state_.decorated_propagate_) { - request_headers_->setEnvoyDecoratorOperation(*decorated_operation_); - } - } else { - const HeaderEntry* req_operation_override = request_headers_->EnvoyDecoratorOperation(); - - // For ingress (inbound) requests, if a decorator operation name has been provided, it - // should be used to override the active span's operation. - if (req_operation_override) { - if (!req_operation_override->value().empty()) { - active_span_->setOperation(req_operation_override->value().getStringView()); - - // Clear the decorated operation so won't be used in the response header, as - // it has been overridden by the inbound decorator operation request header. - decorated_operation_ = nullptr; - } - // Remove header so not propagated to service - request_headers_->removeEnvoyDecoratorOperation(); - } - } + setRequestDecorator(*request_headers_); } void ConnectionManagerImpl::ActiveStream::decodeData(Buffer::Instance& data, bool end_stream) { @@ -1685,6 +1729,34 @@ void ConnectionManagerImpl::ActiveStream::refreshCachedRoute(const Router::Route setVirtualHostRoute(std::move(route_result)); } +void ConnectionManagerImpl::ActiveStream::refreshTracing() { + if (!trace_refresh_after_route_refresh_) { + return; + } + + if (!connection_manager_tracing_config_.has_value() || active_span_ == nullptr || + request_headers_ == nullptr) { + return; + } + + ASSERT(cached_route_.has_value()); + + // NOTE: if the trace reason have been encoded into the request id then the trace reason may + // not be updated. That means we may cannot to force a traced request to be untraced by the + // refreshing. + const auto trace_reason = ConnectionManagerUtility::mutateTracingRequestHeader( + *request_headers_, connection_manager_.runtime_, *connection_manager_.config_, + cached_route_.value().get()); + filter_manager_.streamInfo().setTraceReason(trace_reason); + const Tracing::Decision tracing_decision = + Tracing::TracerUtility::shouldTraceRequest(filter_manager_.streamInfo()); + if (active_span_->useLocalDecision()) { + active_span_->setSampled(tracing_decision.traced); + } + + setRequestDecorator(*request_headers_); +} + // TODO(chaoqin-li1123): Make on demand vhds and on demand srds works at the same time. void ConnectionManagerImpl::ActiveStream::requestRouteConfigUpdate( Http::RouteConfigUpdatedCallbackSharedPtr route_config_updated_cb) { @@ -1834,29 +1906,8 @@ void ConnectionManagerImpl::ActiveStream::encodeHeaders(ResponseHeaderMap& heade } } - if (connection_manager_tracing_config_.has_value()) { - if (connection_manager_tracing_config_->operation_name_ == Tracing::OperationName::Ingress) { - // For ingress (inbound) responses, if the request headers do not include a - // decorator operation (override), and the decorated operation should be - // propagated, then pass the decorator's operation name (if defined) - // as a response header to enable the client service to use it in its client span. - if (decorated_operation_ && state_.decorated_propagate_) { - headers.setEnvoyDecoratorOperation(*decorated_operation_); - } - } else if (connection_manager_tracing_config_->operation_name_ == - Tracing::OperationName::Egress) { - const HeaderEntry* resp_operation_override = headers.EnvoyDecoratorOperation(); - - // For Egress (outbound) response, if a decorator operation name has been provided, it - // should be used to override the active span's operation. - if (resp_operation_override) { - if (!resp_operation_override->value().empty() && active_span_) { - active_span_->setOperation(resp_operation_override->value().getStringView()); - } - // Remove header so not propagated to service. - headers.removeEnvoyDecoratorOperation(); - } - } + if (connection_manager_tracing_config_.has_value() && active_span_ != nullptr) { + setResponseDecorator(headers); } chargeStats(headers); @@ -2142,6 +2193,7 @@ void ConnectionManagerImpl::ActiveStream::setVirtualHostRoute( filter_manager_.streamInfo().vhost_ = std::move(vhost_route.vhost); filter_manager_.streamInfo().setUpstreamClusterInfo(cached_cluster_info_.value()); + refreshTracing(); refreshDurationTimeout(); refreshIdleTimeout(); } diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h index 0ea44e932d9b8..955b3443630f2 100644 --- a/source/common/http/conn_manager_impl.h +++ b/source/common/http/conn_manager_impl.h @@ -335,6 +335,10 @@ class ConnectionManagerImpl : Logger::Loggable, void refreshDurationTimeout(); void refreshIdleTimeout(); void refreshAccessLogFlushTimer(); + void refreshTracing(); + + void setRequestDecorator(RequestHeaderMap& headers); + void setResponseDecorator(ResponseHeaderMap& headers); // All state for the stream. Put here for readability. struct State { @@ -369,6 +373,9 @@ class ConnectionManagerImpl : Logger::Loggable, bool decorated_propagate_ : 1; + // True if the decorator operation is overridden by the request header. + bool decorator_overriden_ : 1 = false; + // Indicates that sending headers to the filter manager is deferred to the // next I/O cycle. If data or trailers are received when this flag is set // they are deferred too. @@ -497,7 +504,6 @@ class ConnectionManagerImpl : Logger::Loggable, absl::InlinedVector cleared_cached_routes_; absl::optional cached_cluster_info_; - const std::string* decorated_operation_{nullptr}; absl::optional> route_config_update_requester_; Http::ServerHeaderValidatorPtr header_validator_; @@ -517,6 +523,7 @@ class ConnectionManagerImpl : Logger::Loggable, std::unique_ptr deferred_data_; std::queue deferred_metadata_; RequestTrailerMapPtr deferred_request_trailers_; + const bool trace_refresh_after_route_refresh_{true}; }; using ActiveStreamPtr = std::unique_ptr; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index d6150d0db5cc3..3340f9e966aa1 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -76,6 +76,7 @@ RUNTIME_GUARD(envoy_reloadable_features_skip_dns_lookup_for_proxied_requests); RUNTIME_GUARD(envoy_reloadable_features_skip_ext_proc_on_local_reply); RUNTIME_GUARD(envoy_reloadable_features_tcp_proxy_retry_on_different_event_loop); RUNTIME_GUARD(envoy_reloadable_features_test_feature_true); +RUNTIME_GUARD(envoy_reloadable_features_trace_refresh_after_route_refresh); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); diff --git a/source/common/tracing/null_span_impl.h b/source/common/tracing/null_span_impl.h index cba151272db4e..1de48d2e437e8 100644 --- a/source/common/tracing/null_span_impl.h +++ b/source/common/tracing/null_span_impl.h @@ -31,6 +31,7 @@ class NullSpan : public Span { return SpanPtr{new NullSpan()}; } void setSampled(bool) override {} + bool useLocalDecision() const override { return false; } }; } // namespace Tracing diff --git a/source/extensions/tracers/datadog/span.cc b/source/extensions/tracers/datadog/span.cc index 6aba88f937b23..d3617d233d788 100644 --- a/source/extensions/tracers/datadog/span.cc +++ b/source/extensions/tracers/datadog/span.cc @@ -33,7 +33,8 @@ class TraceContextWriter : public datadog::tracing::DictWriter { } // namespace -Span::Span(datadog::tracing::Span&& span) : span_(std::move(span)) {} +Span::Span(datadog::tracing::Span&& span, bool use_local_decision) + : span_(std::move(span)), use_local_decision_(use_local_decision) {} const datadog::tracing::Optional& Span::impl() const { return span_; } diff --git a/source/extensions/tracers/datadog/span.h b/source/extensions/tracers/datadog/span.h index 0e41272ef49bc..38c3acbb8a151 100644 --- a/source/extensions/tracers/datadog/span.h +++ b/source/extensions/tracers/datadog/span.h @@ -31,7 +31,7 @@ namespace Datadog { */ class Span : public Tracing::Span { public: - explicit Span(datadog::tracing::Span&& span); + explicit Span(datadog::tracing::Span&& span, bool use_local_decision = false); const datadog::tracing::Optional& impl() const; @@ -45,6 +45,7 @@ class Span : public Tracing::Span { Tracing::SpanPtr spawnChild(const Tracing::Config& config, const std::string& name, SystemTime start_time) override; void setSampled(bool sampled) override; + bool useLocalDecision() const override { return use_local_decision_; } std::string getBaggage(absl::string_view key) override; void setBaggage(absl::string_view key, absl::string_view value) override; std::string getTraceId() const override; @@ -52,6 +53,7 @@ class Span : public Tracing::Span { private: datadog::tracing::Optional span_; + const bool use_local_decision_{false}; }; } // namespace Datadog diff --git a/source/extensions/tracers/datadog/tracer.cc b/source/extensions/tracers/datadog/tracer.cc index ae5b510f9c0f7..4b8efc3480fa1 100644 --- a/source/extensions/tracers/datadog/tracer.cc +++ b/source/extensions/tracers/datadog/tracer.cc @@ -107,12 +107,15 @@ Tracing::SpanPtr Tracer::startSpan(const Tracing::Config&, Tracing::TraceContext // // If Envoy is telling us to keep the trace, then we leave it up to the // tracer's internal sampler (which might decide to drop the trace anyway). - if (!span.trace_segment().sampling_decision().has_value() && !tracing_decision.traced) { + const bool use_local_decision = !span.trace_segment().sampling_decision().has_value(); + if (use_local_decision && !tracing_decision.traced) { + // TODO(wbpcode): use USER_KEEP to indicate that the trace should be kept if the + // Envoy is telling us to keep the trace. span.trace_segment().override_sampling_priority( int(datadog::tracing::SamplingPriority::USER_DROP)); } - return std::make_unique(std::move(span)); + return std::make_unique(std::move(span), use_local_decision); } datadog::tracing::Span Tracer::extractOrCreateSpan(datadog::tracing::Tracer& tracer, diff --git a/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc b/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc index 5f42841ff65ea..edfa97a20cf7e 100644 --- a/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc +++ b/source/extensions/tracers/fluentd/fluentd_tracer_impl.cc @@ -182,9 +182,10 @@ FluentdTracerImpl::FluentdTracerImpl(Upstream::ThreadLocalCluster& cluster, // Initialize a span object Span::Span(SystemTime start_time, const std::string& operation_name, FluentdTracerSharedPtr tracer, - SpanContext&& span_context, TimeSource& time_source) + SpanContext&& span_context, TimeSource& time_source, bool use_local_decision) : start_time_(start_time), operation_(operation_name), tracer_(std::move(tracer)), - span_context_(std::move(span_context)), time_source_(time_source) {} + span_context_(std::move(span_context)), time_source_(time_source), + use_local_decision_(use_local_decision) {} // Set the operation name for the span void Span::setOperation(absl::string_view operation) { operation_ = std::string(operation); } @@ -278,7 +279,7 @@ Tracing::SpanPtr FluentdTracerImpl::startSpan(SystemTime start_time, Hex::uint64ToHex(span_id), tracing_decision.traced, ""); return std::make_unique(start_time, operation_name, shared_from_this(), - std::move(span_context), time_source_); + std::move(span_context), time_source_, true); } // Start a new span with a parent context @@ -290,7 +291,7 @@ Tracing::SpanPtr FluentdTracerImpl::startSpan(SystemTime start_time, Hex::uint64ToHex(random_.random()), parent_context.sampled(), parent_context.tracestate()); return std::make_unique(start_time, operation_name, shared_from_this(), - std::move(span_context), time_source_); + std::move(span_context), time_source_, false); } void FluentdTracerImpl::packMessage(MessagePackPacker& packer) { diff --git a/source/extensions/tracers/fluentd/fluentd_tracer_impl.h b/source/extensions/tracers/fluentd/fluentd_tracer_impl.h index 2fa449f3c5a51..040878679b3a2 100644 --- a/source/extensions/tracers/fluentd/fluentd_tracer_impl.h +++ b/source/extensions/tracers/fluentd/fluentd_tracer_impl.h @@ -158,7 +158,7 @@ class Driver : Logger::Loggable, public Tracing::Driver { class Span : public Tracing::Span { public: Span(SystemTime start_time, const std::string& operation_name, FluentdTracerSharedPtr tracer, - SpanContext&& span_context, TimeSource& time_source); + SpanContext&& span_context, TimeSource& time_source, bool use_local_decision); // Tracing::Span void setOperation(absl::string_view operation) override; @@ -171,6 +171,8 @@ class Span : public Tracing::Span { SystemTime start_time) override; void setSampled(bool sampled) override { span_context_.setSampled(sampled); } bool sampled() const { return span_context_.sampled(); } + bool useLocalDecision() const override { return use_local_decision_; } + std::string getBaggage(absl::string_view key) override; void setBaggage(absl::string_view key, absl::string_view value) override; std::string getTraceId() const override; @@ -185,6 +187,7 @@ class Span : public Tracing::Span { SpanContext span_context_; std::map tags_; Envoy::TimeSource& time_source_; + const bool use_local_decision_{false}; }; } // namespace Fluentd diff --git a/source/extensions/tracers/opentelemetry/tracer.cc b/source/extensions/tracers/opentelemetry/tracer.cc index cb46e183737cb..9017f360e2fbe 100644 --- a/source/extensions/tracers/opentelemetry/tracer.cc +++ b/source/extensions/tracers/opentelemetry/tracer.cc @@ -60,8 +60,9 @@ void callSampler(SamplerSharedPtr sampler, const StreamInfo::StreamInfo& stream_ Span::Span(const std::string& name, const StreamInfo::StreamInfo& stream_info, SystemTime start_time, Envoy::TimeSource& time_source, Tracer& parent_tracer, - OTelSpanKind span_kind) - : stream_info_(stream_info), parent_tracer_(parent_tracer), time_source_(time_source) { + OTelSpanKind span_kind, bool use_local_decision) + : stream_info_(stream_info), parent_tracer_(parent_tracer), time_source_(time_source), + use_local_decision_(use_local_decision) { span_ = ::opentelemetry::proto::trace::v1::Span(); span_.set_kind(span_kind); @@ -270,9 +271,14 @@ Tracing::SpanPtr Tracer::startSpan(const std::string& operation_name, Tracing::Decision tracing_decision, OptRef trace_context, OTelSpanKind span_kind) { + // If reached here, then this is main span for request and there is no previous span context. + // If the custom sampler is set, then the Envoy tracing decision is ignored and the custom sampler + // should make a sampling decision, otherwise the local Envoy tracing decision is used. + const bool use_local_decision = sampler_ == nullptr; + // Create an Tracers::OpenTelemetry::Span class that will contain the OTel span. auto new_span = std::make_unique(operation_name, stream_info, start_time, time_source_, - *this, span_kind); + *this, span_kind, use_local_decision); uint64_t trace_id_high = random_.random(); uint64_t trace_id = random_.random(); new_span->setTraceId(absl::StrCat(Hex::uint64ToHex(trace_id_high), Hex::uint64ToHex(trace_id))); @@ -291,9 +297,12 @@ Tracing::SpanPtr Tracer::startSpan(const std::string& operation_name, const SpanContext& parent_context, OptRef trace_context, OTelSpanKind span_kind) { + // If reached here, then this is main span for request with a parent context or this is + // subsequent spans. Ignore the Envoy tracing decision anyway. + // Create a new span and populate details from the span context. auto new_span = std::make_unique(operation_name, stream_info, start_time, time_source_, - *this, span_kind); + *this, span_kind, false); new_span->setTraceId(parent_context.traceId()); if (!parent_context.spanId().empty()) { new_span->setParentId(parent_context.spanId()); diff --git a/source/extensions/tracers/opentelemetry/tracer.h b/source/extensions/tracers/opentelemetry/tracer.h index ecc3b44908ae3..1f6e10ccf63ba 100644 --- a/source/extensions/tracers/opentelemetry/tracer.h +++ b/source/extensions/tracers/opentelemetry/tracer.h @@ -85,7 +85,8 @@ class Tracer : Logger::Loggable { class Span : Logger::Loggable, public Tracing::Span { public: Span(const std::string& name, const StreamInfo::StreamInfo& stream_info, SystemTime start_time, - Envoy::TimeSource& time_source, Tracer& parent_tracer, OTelSpanKind span_kind); + Envoy::TimeSource& time_source, Tracer& parent_tracer, OTelSpanKind span_kind, + bool use_local_decision = false); // Tracing::Span functions void setOperation(absl::string_view /*operation*/) override; @@ -103,9 +104,13 @@ class Span : Logger::Loggable, public Tracing::Span { void setSampled(bool sampled) override { sampled_ = sampled; }; /** - * @return whether or not the sampled attribute is set + * @return whether the local tracing decision is used by the span. */ + bool useLocalDecision() const override { return use_local_decision_; } + /** + * @return whether or not the sampled attribute is set + */ bool sampled() const { return sampled_; } std::string getBaggage(absl::string_view /*key*/) override { return EMPTY_STRING; }; @@ -172,6 +177,7 @@ class Span : Logger::Loggable, public Tracing::Span { Tracer& parent_tracer_; Envoy::TimeSource& time_source_; bool sampled_; + const bool use_local_decision_{false}; }; using TracerPtr = std::unique_ptr; diff --git a/source/extensions/tracers/skywalking/tracer.h b/source/extensions/tracers/skywalking/tracer.h index 32b948f4eabe5..ec046f9d386f0 100644 --- a/source/extensions/tracers/skywalking/tracer.h +++ b/source/extensions/tracers/skywalking/tracer.h @@ -86,6 +86,10 @@ class Span : public Tracing::Span { Tracing::SpanPtr spawnChild(const Tracing::Config& config, const std::string& name, SystemTime start_time) override; void setSampled(bool do_sample) override; + // TODO(wbpcode): The SkyWalking tracer may create NullSpanImpl if the tracing decision is not to + // trace. That make it is impossible to update the sampling decision. So, the useLocalDecision() + // always return false now. This should be resolved in the future. + bool useLocalDecision() const override { return false; } std::string getBaggage(absl::string_view) override { return EMPTY_STRING; } void setBaggage(absl::string_view, absl::string_view) override {} std::string getTraceId() const override { return tracing_context_->traceId(); } diff --git a/source/extensions/tracers/xray/tracer.h b/source/extensions/tracers/xray/tracer.h index 6d21b5999a94c..f352562ef75a8 100644 --- a/source/extensions/tracers/xray/tracer.h +++ b/source/extensions/tracers/xray/tracer.h @@ -153,6 +153,9 @@ class Span : public Tracing::Span, Logger::Loggable { */ void setSampled(bool sampled) override { sampled_ = sampled; }; + // X-Ray tracer does not use the sampling decision from Envoy anyway. + bool useLocalDecision() const override { return false; } + /** * Sets the server error as true for the traced operation/request. */ diff --git a/source/extensions/tracers/zipkin/span_context_extractor.cc b/source/extensions/tracers/zipkin/span_context_extractor.cc index 1e6c1f154258f..b4378588db95c 100644 --- a/source/extensions/tracers/zipkin/span_context_extractor.cc +++ b/source/extensions/tracers/zipkin/span_context_extractor.cc @@ -18,11 +18,11 @@ bool validSamplingFlags(char c) { return false; } -bool getSamplingFlags(char c, const Tracing::Decision tracing_decision) { +absl::optional getSamplingFlags(char c) { if (validSamplingFlags(c)) { return c == '0' ? false : true; } else { - return tracing_decision.traced; + return absl::nullopt; } } @@ -33,8 +33,7 @@ SpanContextExtractor::SpanContextExtractor(Tracing::TraceContext& trace_context) SpanContextExtractor::~SpanContextExtractor() = default; -bool SpanContextExtractor::extractSampled(const Tracing::Decision tracing_decision) { - bool sampled(false); +absl::optional SpanContextExtractor::extractSampled() { auto b3_header_entry = ZipkinCoreConstants::get().B3.get(trace_context_); if (b3_header_entry.has_value()) { // This is an implicitly untrusted header, so only the first value is used. @@ -56,21 +55,20 @@ bool SpanContextExtractor::extractSampled(const Tracing::Decision tracing_decisi sampled_pos = 50; break; default: - return tracing_decision.traced; + return absl::nullopt; // invalid length } - return getSamplingFlags(b3[sampled_pos], tracing_decision); + return getSamplingFlags(b3[sampled_pos]); } auto x_b3_sampled_entry = ZipkinCoreConstants::get().X_B3_SAMPLED.get(trace_context_); if (!x_b3_sampled_entry.has_value()) { - return tracing_decision.traced; + return absl::nullopt; } // Checking if sampled flag has been specified. Also checking for 'true' value, as some old // zipkin tracers may still use that value, although should be 0 or 1. // This is an implicitly untrusted header, so only the first value is used. absl::string_view xb3_sampled = x_b3_sampled_entry.value(); - sampled = xb3_sampled == SAMPLED || xb3_sampled == "true"; - return sampled; + return xb3_sampled == SAMPLED || xb3_sampled == "true"; } std::pair SpanContextExtractor::extractSpanContext(bool is_sampled) { diff --git a/source/extensions/tracers/zipkin/span_context_extractor.h b/source/extensions/tracers/zipkin/span_context_extractor.h index 1cc1f2fe1fd9d..50f302a40f623 100644 --- a/source/extensions/tracers/zipkin/span_context_extractor.h +++ b/source/extensions/tracers/zipkin/span_context_extractor.h @@ -23,7 +23,7 @@ class SpanContextExtractor { public: SpanContextExtractor(Tracing::TraceContext& trace_context); ~SpanContextExtractor(); - bool extractSampled(const Tracing::Decision tracing_decision); + absl::optional extractSampled(); std::pair extractSpanContext(bool is_sampled); private: diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.h b/source/extensions/tracers/zipkin/zipkin_core_types.h index e7ef2fbc7abbf..dca1c9c79b2d1 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.h +++ b/source/extensions/tracers/zipkin/zipkin_core_types.h @@ -543,6 +543,8 @@ class Span : public ZipkinBase, public Tracing::Span { */ SpanContext spanContext() const; + void setUseLocalDecision(bool use_local_decision) { use_local_decision_ = use_local_decision; } + // Tracing::Span /** @@ -557,6 +559,7 @@ class Span : public ZipkinBase, public Tracing::Span { void setTag(absl::string_view name, absl::string_view value) override; void log(SystemTime timestamp, const std::string& event) override; void setSampled(bool val) override { sampled_ = val; } + bool useLocalDecision() const override { return use_local_decision_; } void setOperation(absl::string_view operation) override { setName(std::string(operation)); } void injectContext(Tracing::TraceContext& trace_context, const Tracing::UpstreamContext&) override; @@ -584,6 +587,7 @@ class Span : public ZipkinBase, public Tracing::Span { int64_t monotonic_start_time_{0}; TimeSource& time_source_; TracerInterface& tracer_; + bool use_local_decision_{false}; }; using SpanPtr = std::unique_ptr; diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc index 1dd50a26b6552..b623c0f26207e 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc @@ -72,21 +72,24 @@ Tracing::SpanPtr Driver::startSpan(const Tracing::Config& config, Tracer& tracer = *tls_->getTyped().tracer_; SpanPtr new_zipkin_span; SpanContextExtractor extractor(trace_context); - bool sampled{extractor.extractSampled(tracing_decision)}; + const absl::optional sampled = extractor.extractSampled(); + bool use_local_decision = !sampled.has_value(); TRY_NEEDS_AUDIT { - auto ret_span_context = extractor.extractSpanContext(sampled); + auto ret_span_context = extractor.extractSpanContext(sampled.value_or(tracing_decision.traced)); if (!ret_span_context.second) { // Create a root Zipkin span. No context was found in the headers. new_zipkin_span = tracer.startSpan(config, std::string(trace_context.host()), stream_info.startTime()); - new_zipkin_span->setSampled(sampled); + new_zipkin_span->setSampled(sampled.value_or(tracing_decision.traced)); } else { + use_local_decision = false; new_zipkin_span = tracer.startSpan(config, std::string(trace_context.host()), stream_info.startTime(), ret_span_context.first); } } END_TRY catch (const ExtractorException& e) { return std::make_unique(); } + new_zipkin_span->setUseLocalDecision(use_local_decision); // Return the active Zipkin span. return new_zipkin_span; } diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index 8c65ff70ad1ed..a6b56ab1b1fee 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -1658,6 +1658,236 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlow) { EXPECT_EQ(0UL, tracing_stats_.random_sampling_.value()); } +TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanAndTraceDecisionRefreshAndUseDecision) { + setup(SetupOpts().setTracing(true)); + + std::shared_ptr filter(new NiceMock()); + + EXPECT_CALL(filter_factory_, createFilterChain(_)) + .WillRepeatedly(Invoke([&](FilterChainManager& manager) -> bool { + auto factory = createDecoderFilterFactoryCb(filter); + manager.applyFilterFactoryCb({}, factory); + return true; + })); + + // Treat request as internal, otherwise x-request-id header will be overwritten. + use_remote_address_ = false; + EXPECT_CALL(random_, uuid()).Times(0); + + EXPECT_CALL(*codec_, dispatch(_)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data) -> Http::Status { + decoder_ = &conn_manager_->newStream(response_encoder_); + + RequestHeaderMapPtr headers{ + new TestRequestHeaderMapImpl{{":method", "GET"}, + {":authority", "host"}, + {":path", "/"}, + {"x-request-id", "125a4afb-6f55-a4ba-ad80-413f09f48a28"}}}; + + auto* span = new NiceMock(); + EXPECT_CALL(*tracer_, startSpan_(_, _, _, _)) + .WillOnce(Invoke([&](const Tracing::Config& config, Tracing::TraceContext&, + const StreamInfo::StreamInfo&, + const Tracing::Decision) -> Tracing::Span* { + EXPECT_EQ(Tracing::OperationName::Ingress, config.operationName()); + + return span; + })); + + EXPECT_CALL(runtime_.snapshot_, + featureEnabled("tracing.global_enabled", + An(), _)) + .WillOnce(Return(true)); + + decoder_->decodeHeaders(std::move(headers), true); + + // The trace decision will be refreshed when the route is refreshed. + EXPECT_CALL(runtime_.snapshot_, + featureEnabled("tracing.global_enabled", + An(), _)) + .WillOnce(Return(false)); + EXPECT_CALL(*span, useLocalDecision()).WillOnce(Return(true)); + EXPECT_CALL(*span, setSampled(false)); + + // Clear route cache and refresh the route to trigger a new trace decision. + filter->callbacks_->downstreamCallbacks()->clearRouteCache(); + filter->callbacks_->route(); + + EXPECT_CALL(*span, finishSpan()); + EXPECT_CALL(*span, setTag(_, _)).Times(testing::AnyNumber()); + + ResponseHeaderMapPtr response_headers{new TestResponseHeaderMapImpl{{":status", "200"}}}; + filter->callbacks_->streamInfo().setResponseCodeDetails(""); + filter->callbacks_->encodeHeaders(std::move(response_headers), true, "details"); + filter->callbacks_->activeSpan().setTag("service-cluster", "scoobydoo"); + data.drain(4); + + return Http::okStatus(); + })); + + Buffer::OwnedImpl fake_input("1234"); + conn_manager_->onData(fake_input, false); + + EXPECT_EQ(0UL, tracing_stats_.service_forced_.value()); + EXPECT_EQ(0UL, tracing_stats_.random_sampling_.value()); + EXPECT_EQ(1UL, tracing_stats_.not_traceable_.value()); +} + +TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanAndTraceDecisionRefreshAndNotUseDecision) { + setup(SetupOpts().setTracing(true)); + + std::shared_ptr filter(new NiceMock()); + + EXPECT_CALL(filter_factory_, createFilterChain(_)) + .WillRepeatedly(Invoke([&](FilterChainManager& manager) -> bool { + auto factory = createDecoderFilterFactoryCb(filter); + manager.applyFilterFactoryCb({}, factory); + return true; + })); + + // Treat request as internal, otherwise x-request-id header will be overwritten. + use_remote_address_ = false; + EXPECT_CALL(random_, uuid()).Times(0); + + EXPECT_CALL(*codec_, dispatch(_)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data) -> Http::Status { + decoder_ = &conn_manager_->newStream(response_encoder_); + + RequestHeaderMapPtr headers{ + new TestRequestHeaderMapImpl{{":method", "GET"}, + {":authority", "host"}, + {":path", "/"}, + {"x-request-id", "125a4afb-6f55-a4ba-ad80-413f09f48a28"}}}; + + auto* span = new NiceMock(); + EXPECT_CALL(*tracer_, startSpan_(_, _, _, _)) + .WillOnce(Invoke([&](const Tracing::Config& config, Tracing::TraceContext&, + const StreamInfo::StreamInfo&, + const Tracing::Decision) -> Tracing::Span* { + EXPECT_EQ(Tracing::OperationName::Ingress, config.operationName()); + + return span; + })); + + EXPECT_CALL(runtime_.snapshot_, + featureEnabled("tracing.global_enabled", + An(), _)) + .WillOnce(Return(true)); + + decoder_->decodeHeaders(std::move(headers), true); + + // The trace decision will be refreshed when the route is refreshed. + EXPECT_CALL(runtime_.snapshot_, + featureEnabled("tracing.global_enabled", + An(), _)) + .WillOnce(Return(false)); + EXPECT_CALL(*span, useLocalDecision()).WillOnce(Return(false)); + EXPECT_CALL(*span, setSampled(_)).Times(0); + + // Clear route cache and refresh the route to trigger a new trace decision. + filter->callbacks_->downstreamCallbacks()->clearRouteCache(); + filter->callbacks_->route(); + + EXPECT_CALL(*span, finishSpan()); + EXPECT_CALL(*span, setTag(_, _)).Times(testing::AnyNumber()); + + ResponseHeaderMapPtr response_headers{new TestResponseHeaderMapImpl{{":status", "200"}}}; + filter->callbacks_->streamInfo().setResponseCodeDetails(""); + filter->callbacks_->encodeHeaders(std::move(response_headers), true, "details"); + filter->callbacks_->activeSpan().setTag("service-cluster", "scoobydoo"); + data.drain(4); + + return Http::okStatus(); + })); + + Buffer::OwnedImpl fake_input("1234"); + conn_manager_->onData(fake_input, false); + + EXPECT_EQ(0UL, tracing_stats_.service_forced_.value()); + EXPECT_EQ(0UL, tracing_stats_.random_sampling_.value()); + EXPECT_EQ(1UL, tracing_stats_.not_traceable_.value()); +} + +TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanButDisableTraceDecisionRefresh) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.trace_refresh_after_route_refresh", "false"}}); + + setup(SetupOpts().setTracing(true)); + + std::shared_ptr filter(new NiceMock()); + + EXPECT_CALL(filter_factory_, createFilterChain(_)) + .WillRepeatedly(Invoke([&](FilterChainManager& manager) -> bool { + auto factory = createDecoderFilterFactoryCb(filter); + manager.applyFilterFactoryCb({}, factory); + return true; + })); + + // Treat request as internal, otherwise x-request-id header will be overwritten. + use_remote_address_ = false; + EXPECT_CALL(random_, uuid()).Times(0); + + EXPECT_CALL(*codec_, dispatch(_)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data) -> Http::Status { + decoder_ = &conn_manager_->newStream(response_encoder_); + + RequestHeaderMapPtr headers{ + new TestRequestHeaderMapImpl{{":method", "GET"}, + {":authority", "host"}, + {":path", "/"}, + {"x-request-id", "125a4afb-6f55-a4ba-ad80-413f09f48a28"}}}; + + auto* span = new NiceMock(); + EXPECT_CALL(*tracer_, startSpan_(_, _, _, _)) + .WillOnce(Invoke([&](const Tracing::Config& config, Tracing::TraceContext&, + const StreamInfo::StreamInfo&, + const Tracing::Decision) -> Tracing::Span* { + EXPECT_EQ(Tracing::OperationName::Ingress, config.operationName()); + + return span; + })); + + EXPECT_CALL(runtime_.snapshot_, + featureEnabled("tracing.global_enabled", + An(), _)) + .WillOnce(Return(true)); + + decoder_->decodeHeaders(std::move(headers), true); + + // The trace decision will be refreshed when the route is refreshed. + EXPECT_CALL(runtime_.snapshot_, + featureEnabled("tracing.global_enabled", + An(), _)) + .Times(0); + EXPECT_CALL(*span, useLocalDecision()).Times(0); + EXPECT_CALL(*span, setSampled(_)).Times(0); + + // Clear route cache and refresh the route. But this will not trigger a new trace + // decision because the feature is disabled. + filter->callbacks_->downstreamCallbacks()->clearRouteCache(); + filter->callbacks_->route(); + + EXPECT_CALL(*span, finishSpan()); + EXPECT_CALL(*span, setTag(_, _)).Times(testing::AnyNumber()); + + ResponseHeaderMapPtr response_headers{new TestResponseHeaderMapImpl{{":status", "200"}}}; + filter->callbacks_->streamInfo().setResponseCodeDetails(""); + filter->callbacks_->encodeHeaders(std::move(response_headers), true, "details"); + filter->callbacks_->activeSpan().setTag("service-cluster", "scoobydoo"); + data.drain(4); + + return Http::okStatus(); + })); + + Buffer::OwnedImpl fake_input("1234"); + conn_manager_->onData(fake_input, false); + + EXPECT_EQ(1UL, tracing_stats_.service_forced_.value()); + EXPECT_EQ(0UL, tracing_stats_.random_sampling_.value()); + EXPECT_EQ(0UL, tracing_stats_.not_traceable_.value()); +} + TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlowIngressDecorator) { setup(); @@ -1741,7 +1971,7 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlowIngressDecorat route_config_provider_.route_config_->route_->decorator_.operation_ = "testOp"; ON_CALL(route_config_provider_.route_config_->route_->decorator_, propagate()) .WillByDefault(Return(false)); - EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()).Times(2); + EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()); EXPECT_CALL(route_config_provider_.route_config_->route_->decorator_, apply(_)) .WillOnce(Invoke( [&](const Tracing::Span& apply_to_span) -> void { EXPECT_EQ(span, &apply_to_span); })); @@ -1808,7 +2038,7 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlowIngressDecorat return span; })); route_config_provider_.route_config_->route_->decorator_.operation_ = "initOp"; - EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()).Times(2); + EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()); EXPECT_CALL(route_config_provider_.route_config_->route_->decorator_, apply(_)) .WillOnce(Invoke( [&](const Tracing::Span& apply_to_span) -> void { EXPECT_EQ(span, &apply_to_span); })); @@ -1891,7 +2121,7 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlowEgressDecorato return span; })); route_config_provider_.route_config_->route_->decorator_.operation_ = "testOp"; - EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()).Times(2); + EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()); EXPECT_CALL(route_config_provider_.route_config_->route_->decorator_, apply(_)) .WillOnce(Invoke( [&](const Tracing::Span& apply_to_span) -> void { EXPECT_EQ(span, &apply_to_span); })); @@ -1977,7 +2207,7 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlowEgressDecorato route_config_provider_.route_config_->route_->decorator_.operation_ = "testOp"; ON_CALL(route_config_provider_.route_config_->route_->decorator_, propagate()) .WillByDefault(Return(false)); - EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()).Times(2); + EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()); EXPECT_CALL(route_config_provider_.route_config_->route_->decorator_, apply(_)) .WillOnce(Invoke( [&](const Tracing::Span& apply_to_span) -> void { EXPECT_EQ(span, &apply_to_span); })); @@ -2061,7 +2291,7 @@ TEST_F(HttpConnectionManagerImplTest, StartAndFinishSpanNormalFlowEgressDecorato return span; })); route_config_provider_.route_config_->route_->decorator_.operation_ = "initOp"; - EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()).Times(2); + EXPECT_CALL(*route_config_provider_.route_config_->route_, decorator()); EXPECT_CALL(route_config_provider_.route_config_->route_->decorator_, apply(_)) .WillOnce(Invoke( [&](const Tracing::Span& apply_to_span) -> void { EXPECT_EQ(span, &apply_to_span); })); diff --git a/test/common/http/conn_manager_impl_test_base.h b/test/common/http/conn_manager_impl_test_base.h index 55377585d3973..3e830da57b1e9 100644 --- a/test/common/http/conn_manager_impl_test_base.h +++ b/test/common/http/conn_manager_impl_test_base.h @@ -288,7 +288,7 @@ class HttpConnectionManagerImplMixin : public ConnectionManagerConfig { std::chrono::milliseconds request_timeout_{}; std::chrono::milliseconds request_headers_timeout_{}; std::chrono::milliseconds delayed_close_timeout_{}; - absl::optional max_stream_duration_{}; + absl::optional max_stream_duration_; NiceMock random_; NiceMock local_info_; NiceMock factory_context_; @@ -317,8 +317,8 @@ class HttpConnectionManagerImplMixin : public ConnectionManagerConfig { NiceMock upstream_conn_; // for websocket tests NiceMock conn_pool_; // for websocket tests RequestIDExtensionSharedPtr request_id_extension_; - std::vector ip_detection_extensions_{}; - std::vector early_header_mutations_{}; + std::vector ip_detection_extensions_; + std::vector early_header_mutations_; bool add_proxy_protocol_connection_state_ = true; const LocalReply::LocalReplyPtr local_reply_; diff --git a/test/common/tracing/http_tracer_impl_test.cc b/test/common/tracing/http_tracer_impl_test.cc index 5d0e588acfce6..9d07e4f3fcc6b 100644 --- a/test/common/tracing/http_tracer_impl_test.cc +++ b/test/common/tracing/http_tracer_impl_test.cc @@ -774,6 +774,19 @@ TEST(HttpTraceContextTest, HttpTraceContextTest) { EXPECT_EQ(23, size); } + { + size_t size = 0; + Http::TestRequestHeaderMapImpl request_headers{{"host", "foo"}, {"bar", "var"}, {"ok", "no"}}; + HttpTraceContext trace_context(request_headers); + trace_context.forEach([&size](absl::string_view key, absl::string_view val) { + size += key.size(); + size += val.size(); + return false; + }); + // 'host' will be converted to ':authority'. + EXPECT_EQ(13, size); + } + { Http::TestRequestHeaderMapImpl request_headers; ReadOnlyHttpTraceContext trace_context(request_headers); @@ -782,6 +795,7 @@ TEST(HttpTraceContextTest, HttpTraceContextTest) { trace_context.set("key", "value"); trace_context.remove("key"); trace_context.requestHeaders(); + const_cast(trace_context).requestHeaders(); } } diff --git a/test/extensions/filters/http/ext_proc/tracer_test_filter.cc b/test/extensions/filters/http/ext_proc/tracer_test_filter.cc index ffc38344660e1..3d2b1ad673bbd 100644 --- a/test/extensions/filters/http/ext_proc/tracer_test_filter.cc +++ b/test/extensions/filters/http/ext_proc/tracer_test_filter.cc @@ -74,6 +74,13 @@ class Span : public Tracing::Span { ENVOY_LOG_MISC(trace, "TestTracer setSampled: {}", do_sample); sampled_ = do_sample; } + bool useLocalDecision() const override { + // NOTE: the trace decision from Envoy will be ignored in the startSpan() method + // of this test implementation. So, the useLocalDecision() method is only for logging + // and will also ignore the decision value. + ENVOY_LOG_MISC(trace, "TestTracer useLocalDecision"); + return false; + } void injectContext(Tracing::TraceContext& trace_context, const Tracing::UpstreamContext&) override { diff --git a/test/extensions/tracers/datadog/span_test.cc b/test/extensions/tracers/datadog/span_test.cc index 6104989bd7c90..764df76f83ad0 100644 --- a/test/extensions/tracers/datadog/span_test.cc +++ b/test/extensions/tracers/datadog/span_test.cc @@ -377,6 +377,21 @@ TEST_F(DatadogTracerSpanTest, SetSampledFalse) { EXPECT_EQ(-1, found->second); } +TEST_F(DatadogTracerSpanTest, UseLocalDecisionDefault) { + Span span{std::move(span_)}; + EXPECT_EQ(false, span.useLocalDecision()); +} + +TEST_F(DatadogTracerSpanTest, UseLocalDecisionTrue) { + Span span{std::move(span_), true}; + EXPECT_EQ(true, span.useLocalDecision()); +} + +TEST_F(DatadogTracerSpanTest, UseLocalDecisionFalse) { + Span span{std::move(span_), false}; + EXPECT_EQ(false, span.useLocalDecision()); +} + TEST_F(DatadogTracerSpanTest, Baggage) { // Baggage is not supported by dd-trace-cpp, so `Span::getBaggage` and // `Span::setBaggage` do nothing. diff --git a/test/extensions/tracers/datadog/tracer_test.cc b/test/extensions/tracers/datadog/tracer_test.cc index 8f2fa2ac04189..7b56589732485 100644 --- a/test/extensions/tracers/datadog/tracer_test.cc +++ b/test/extensions/tracers/datadog/tracer_test.cc @@ -18,6 +18,7 @@ #include "datadog/optional.h" #include "datadog/propagation_style.h" #include "datadog/sampling_priority.h" +#include "datadog/tags.h" #include "datadog/trace_segment.h" #include "datadog/tracer_config.h" #include "gtest/gtest.h" @@ -206,6 +207,55 @@ TEST_F(DatadogTracerTest, ExtractionSuccess) { EXPECT_EQ(5678, *dd_span.parent_id()); } +TEST_F(DatadogTracerTest, UseLocalDecisionTrue) { + datadog::tracing::TracerConfig config; + config.service = "envoy"; + + Tracer tracer("fake_cluster", "test_host", config, cluster_manager_, *store_.rootScope(), + thread_local_slot_allocator_, time_); + + const std::string operation_name = "do.thing"; + const SystemTime start = time_.timeSystem().systemTime(); + ON_CALL(stream_info_, startTime()).WillByDefault(testing::Return(start)); + + // trace context in the Datadog style + Tracing::TestTraceContextImpl context{}; + + const Tracing::SpanPtr span = + tracer.startSpan(Tracing::MockConfig{}, context, stream_info_, operation_name, + {Tracing::Reason::NotTraceable, false}); + + // The `useLocalDecision` method is true because the span has no external trace sampling + // decision. + EXPECT_EQ(true, span->useLocalDecision()); +} + +TEST_F(DatadogTracerTest, UseLocalDecisionFalse) { + datadog::tracing::TracerConfig config; + config.service = "envoy"; + + Tracer tracer("fake_cluster", "test_host", config, cluster_manager_, *store_.rootScope(), + thread_local_slot_allocator_, time_); + + const std::string operation_name = "do.thing"; + const SystemTime start = time_.timeSystem().systemTime(); + ON_CALL(stream_info_, startTime()).WillByDefault(testing::Return(start)); + + // trace context in the Datadog style + Tracing::TestTraceContextImpl context{ + {"x-datadog-trace-id", "1234"}, + {"x-datadog-parent-id", "5678"}, + {"x-datadog-sampling-priority", "0"}, + }; + + const Tracing::SpanPtr span = + tracer.startSpan(Tracing::MockConfig{}, context, stream_info_, operation_name, + {Tracing::Reason::NotTraceable, false}); + // The `useLocalDecision` method is false because the span has an external trace sampling + // decision. + EXPECT_EQ(false, span->useLocalDecision()); +} + TEST_F(DatadogTracerTest, ExtractionFailure) { // Verify that if there is invalid trace information in the `TraceContext` // supplied to `startSpan`, that the resulting span is nonetheless valid (it diff --git a/test/extensions/tracers/fluentd/tracer_integration_test.cc b/test/extensions/tracers/fluentd/tracer_integration_test.cc index d605346942a0d..b6425949889eb 100644 --- a/test/extensions/tracers/fluentd/tracer_integration_test.cc +++ b/test/extensions/tracers/fluentd/tracer_integration_test.cc @@ -96,6 +96,10 @@ TEST_F(FluentdTracerIntegrationTest, Span) { EXPECT_EQ(span->getTraceId(), trace_id_hex); + // The `useLocalDecision` method is false because the span has an external trace sampling + // decision. + EXPECT_EQ(false, span->useLocalDecision()); + // Test Span functions span->setOperation("test_new"); span->setTag("test_tag", "test_value"); @@ -139,6 +143,10 @@ TEST_F(FluentdTracerIntegrationTest, ParseSpanContextFromHeadersTest) { EXPECT_EQ(span->getTraceId(), trace_id_hex); + // The `useLocalDecision` method is false because the span has an external trace sampling + // decision. + EXPECT_EQ(false, span->useLocalDecision()); + // Remove headers, then inject context into header from the span. trace_context.remove(FluentdConstants::get().TRACE_PARENT.key()); trace_context.remove(FluentdConstants::get().TRACE_STATE.key()); @@ -181,6 +189,10 @@ TEST_F(FluentdTracerIntegrationTest, GenerateSpanContextWithoutHeadersTest) { Tracing::SpanPtr span = driver_->startSpan(mock_tracing_config_, trace_context, stream_info_, operation_name_, {Tracing::Reason::Sampling, true}); + // The `useLocalDecision` method is true because the span has no external trace sampling + // decision. + EXPECT_EQ(true, span->useLocalDecision()); + // Remove headers, then inject context into header from the span. trace_context.remove(FluentdConstants::get().TRACE_PARENT.key()); span->injectContext(trace_context, Tracing::UpstreamContext()); diff --git a/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc b/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc index 57f83e7cf4182..628a73283724c 100644 --- a/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc +++ b/test/extensions/tracers/opentelemetry/opentelemetry_tracer_impl_test.cc @@ -866,6 +866,48 @@ TEST_F(OpenTelemetryDriverTest, IgnoreNotSampledSpan) { EXPECT_EQ(0U, stats_.counter("tracing.opentelemetry.spans_sent").value()); } +TEST_F(OpenTelemetryDriverTest, UseLocalDecisionTrue) { + setupValidDriver(); + Tracing::TestTraceContextImpl request_headers{ + {":authority", "test.com"}, {":path", "/"}, {":method", "GET"}}; + + Tracing::SpanPtr span = driver_->startSpan(mock_tracing_config_, request_headers, stream_info_, + operation_name_, {Tracing::Reason::Sampling, true}); + // The `useLocalDecision` should be true because there is no traceparent header in the request. + EXPECT_TRUE(span->useLocalDecision()); + + EXPECT_CALL(runtime_.snapshot_, getInteger("tracing.opentelemetry.min_flush_spans", 5U)) + .Times(1) + .WillRepeatedly(Return(1)); + EXPECT_CALL(*mock_client_, sendRaw(_, _, _, _, _, _)); + span->finishSpan(); + EXPECT_EQ(1U, stats_.counter("tracing.opentelemetry.spans_sent").value()); +} + +TEST_F(OpenTelemetryDriverTest, UseLocalDecisionFalse) { + setupValidDriver(); + Tracing::TestTraceContextImpl request_headers{ + {":authority", "test.com"}, + {":path", "/"}, + {":method", "GET"}, + {"traceparent", "00-00000000000000010000000000000002-0000000000000003-01"}}; + + // The traceparent header indicates the span is sampled and the Envoy tracing decision is + // ignored. + Tracing::SpanPtr span = + driver_->startSpan(mock_tracing_config_, request_headers, stream_info_, operation_name_, + {Tracing::Reason::NotTraceable, false}); + // The `useLocalDecision` should be false because there is a traceparent header in the request. + EXPECT_FALSE(span->useLocalDecision()); + + EXPECT_CALL(runtime_.snapshot_, getInteger("tracing.opentelemetry.min_flush_spans", 5U)) + .Times(1) + .WillRepeatedly(Return(1)); + EXPECT_CALL(*mock_client_, sendRaw(_, _, _, _, _, _)); + span->finishSpan(); + EXPECT_EQ(1U, stats_.counter("tracing.opentelemetry.spans_sent").value()); +} + // Verifies tracer is "disabled" when no exporter is configured TEST_F(OpenTelemetryDriverTest, NoExportWithoutGrpcService) { const std::string yaml_string = "{}"; diff --git a/test/extensions/tracers/skywalking/tracer_test.cc b/test/extensions/tracers/skywalking/tracer_test.cc index 1dab0f94550fd..de8ce15d44d67 100644 --- a/test/extensions/tracers/skywalking/tracer_test.cc +++ b/test/extensions/tracers/skywalking/tracer_test.cc @@ -97,6 +97,9 @@ TEST_F(TracerTest, TracerTestCreateNewSpanWithNoPropagationHeaders) { span->setSampled(false); EXPECT_TRUE(span->spanEntity()->skipAnalysis()); + EXPECT_FALSE(span->useLocalDecision()); // Always false for now. + EXPECT_TRUE(span->spanEntity()->skipAnalysis()); + // The initial operation name is consistent with the 'operation' parameter in the 'startSpan' // method call. EXPECT_EQ("/downstream/path", span->spanEntity()->operationName()); diff --git a/test/extensions/tracers/zipkin/span_context_extractor_test.cc b/test/extensions/tracers/zipkin/span_context_extractor_test.cc index 393b995f71679..2de89adcb2ee6 100644 --- a/test/extensions/tracers/zipkin/span_context_extractor_test.cc +++ b/test/extensions/tracers/zipkin/span_context_extractor_test.cc @@ -31,7 +31,7 @@ TEST(ZipkinSpanContextExtractorTest, Largest) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(9, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_TRUE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, WithoutParentDebug) { @@ -46,7 +46,7 @@ TEST(ZipkinSpanContextExtractorTest, WithoutParentDebug) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(9, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_TRUE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, MalformedUuid) { @@ -54,7 +54,7 @@ TEST(ZipkinSpanContextExtractorTest, MalformedUuid) { SpanContextExtractor extractor(request_headers); EXPECT_THROW_WITH_MESSAGE(extractor.extractSpanContext(true), ExtractorException, "Invalid input: invalid trace id b970dafd-0d95-40"); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().has_value()); } TEST(ZipkinSpanContextExtractorTest, MiddleOfString) { @@ -63,7 +63,7 @@ TEST(ZipkinSpanContextExtractorTest, MiddleOfString) { SpanContextExtractor extractor(request_headers); EXPECT_THROW_WITH_MESSAGE(extractor.extractSpanContext(true), ExtractorException, "Invalid input: truncated"); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().has_value()); } TEST(ZipkinSpanContextExtractorTest, DebugOnly) { @@ -77,7 +77,7 @@ TEST(ZipkinSpanContextExtractorTest, DebugOnly) { EXPECT_EQ(0, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_FALSE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_TRUE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, Sampled) { @@ -91,7 +91,7 @@ TEST(ZipkinSpanContextExtractorTest, Sampled) { EXPECT_EQ(0, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_FALSE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_TRUE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, SampledFalse) { @@ -105,7 +105,7 @@ TEST(ZipkinSpanContextExtractorTest, SampledFalse) { EXPECT_EQ(0, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_FALSE(context.first.sampled()); - EXPECT_FALSE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, IdNotYetSampled128) { @@ -120,7 +120,7 @@ TEST(ZipkinSpanContextExtractorTest, IdNotYetSampled128) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(9, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_FALSE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_FALSE(extractor.extractSampled().has_value()); } TEST(ZipkinSpanContextExtractorTest, IdsUnsampled) { @@ -134,7 +134,7 @@ TEST(ZipkinSpanContextExtractorTest, IdsUnsampled) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_FALSE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, ParentUnsampled) { @@ -149,7 +149,7 @@ TEST(ZipkinSpanContextExtractorTest, ParentUnsampled) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_FALSE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, ParentDebug) { @@ -164,7 +164,7 @@ TEST(ZipkinSpanContextExtractorTest, ParentDebug) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_TRUE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, IdsWithDebug) { @@ -178,7 +178,7 @@ TEST(ZipkinSpanContextExtractorTest, IdsWithDebug) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_TRUE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_TRUE(extractor.extractSampled().value()); } TEST(ZipkinSpanContextExtractorTest, WithoutSampled) { @@ -192,7 +192,7 @@ TEST(ZipkinSpanContextExtractorTest, WithoutSampled) { EXPECT_EQ(1, context.first.traceId()); EXPECT_EQ(0, context.first.traceIdHigh()); EXPECT_FALSE(context.first.sampled()); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().has_value()); } TEST(ZipkinSpanContextExtractorTest, TooBig) { @@ -202,7 +202,7 @@ TEST(ZipkinSpanContextExtractorTest, TooBig) { SpanContextExtractor extractor(request_headers); EXPECT_THROW_WITH_MESSAGE(extractor.extractSpanContext(true), ExtractorException, "Invalid input: too long"); - EXPECT_FALSE(extractor.extractSampled({Tracing::Reason::Sampling, false})); + EXPECT_FALSE(extractor.extractSampled().has_value()); } { @@ -310,7 +310,7 @@ TEST(ZipkinSpanContextExtractorTest, InvalidInput) { { Tracing::TestTraceContextImpl request_headers{{"b3", "-"}}; SpanContextExtractor extractor(request_headers); - EXPECT_TRUE(extractor.extractSampled({Tracing::Reason::Sampling, true})); + EXPECT_FALSE(extractor.extractSampled().has_value()); EXPECT_THROW_WITH_MESSAGE(extractor.extractSpanContext(true), ExtractorException, "Invalid input: invalid sampling flag -"); } diff --git a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc index 9cee1325fec35..42bcd892fe221 100644 --- a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc @@ -875,6 +875,38 @@ TEST_F(ZipkinDriverTest, ExplicitlySetSampledTrue) { EXPECT_EQ(SAMPLED, sampled_entry.value()); } +TEST_F(ZipkinDriverTest, UseLocalDecisionTrue) { + setupValidDriver("HTTP_JSON"); + + Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, + operation_name_, {Tracing::Reason::Sampling, true}); + EXPECT_TRUE(span->useLocalDecision()); + + request_headers_.remove(ZipkinCoreConstants::get().X_B3_SAMPLED.key()); + + span->injectContext(request_headers_, Tracing::UpstreamContext()); + + auto sampled_entry = request_headers_.get(ZipkinCoreConstants::get().X_B3_SAMPLED.key()); + EXPECT_EQ(SAMPLED, sampled_entry.value()); +} + +TEST_F(ZipkinDriverTest, UseLocalDecisionFalse) { + setupValidDriver("HTTP_JSON"); + request_headers_.set(ZipkinCoreConstants::get().X_B3_SAMPLED.key(), NOT_SAMPLED); + + // Envoy tracing decision is ignored if the B3 sampled header is set to not sample. + Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, + operation_name_, {Tracing::Reason::Sampling, true}); + EXPECT_FALSE(span->useLocalDecision()); + + request_headers_.remove(ZipkinCoreConstants::get().X_B3_SAMPLED.key()); + + span->injectContext(request_headers_, Tracing::UpstreamContext()); + + auto sampled_entry = request_headers_.get(ZipkinCoreConstants::get().X_B3_SAMPLED.key()); + EXPECT_EQ(NOT_SAMPLED, sampled_entry.value()); +} + TEST_F(ZipkinDriverTest, DuplicatedHeader) { setupValidDriver("HTTP_JSON"); request_headers_.set(ZipkinCoreConstants::get().X_B3_TRACE_ID.key(), diff --git a/test/mocks/tracing/mocks.h b/test/mocks/tracing/mocks.h index e0d494506b195..b2bc492a1bb29 100644 --- a/test/mocks/tracing/mocks.h +++ b/test/mocks/tracing/mocks.h @@ -39,7 +39,8 @@ class MockSpan : public Span { MOCK_METHOD(void, finishSpan, ()); MOCK_METHOD(void, injectContext, (Tracing::TraceContext & request_headers, const Tracing::UpstreamContext& upstream)); - MOCK_METHOD(void, setSampled, (const bool sampled)); + MOCK_METHOD(void, setSampled, (bool sampled)); + MOCK_METHOD(bool, useLocalDecision, (), (const)); MOCK_METHOD(void, setBaggage, (absl::string_view key, absl::string_view value)); MOCK_METHOD(std::string, getBaggage, (absl::string_view key)); MOCK_METHOD(std::string, getTraceId, (), (const)); From 4a9ac391d661eb254ce81668baca401f8bde2382 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Mon, 11 Aug 2025 15:59:01 -0400 Subject: [PATCH 204/505] odcds: remove dead code (#40595) Commit Message: odcds: remove dead code Additional Description: Removing a line of code that cannot be reached. The `status_` data memebr is internal to the class, and can is only being set by the methods, so an invalid value cannot be set. Risk Level: low - unused code Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- source/common/upstream/od_cds_api_impl.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/source/common/upstream/od_cds_api_impl.cc b/source/common/upstream/od_cds_api_impl.cc index 59129f99212a7..bb4662ed7e255 100644 --- a/source/common/upstream/od_cds_api_impl.cc +++ b/source/common/upstream/od_cds_api_impl.cc @@ -116,7 +116,6 @@ void OdCdsApiImpl::updateOnDemand(std::string cluster_name) { subscription_->requestOnDemandUpdate({std::move(cluster_name)}); return; } - PANIC("corrupt enum"); } } // namespace Upstream From 06cfb15d7a4767192a93eedf20be759672a02247 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Mon, 11 Aug 2025 15:59:58 -0400 Subject: [PATCH 205/505] test: cleanup of unused var in stream_info/utility_test (#40669) Commit Message: test: cleanup of unused var in stream_info/utility_test Additional Description: minor cleanup - removing unused variable in a test. Risk Level: low - tests only Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- test/common/stream_info/BUILD | 1 - test/common/stream_info/utility_test.cc | 2 -- 2 files changed, 3 deletions(-) diff --git a/test/common/stream_info/BUILD b/test/common/stream_info/BUILD index 63d39eb6a350b..c1e6ff8afe6a0 100644 --- a/test/common/stream_info/BUILD +++ b/test/common/stream_info/BUILD @@ -69,7 +69,6 @@ envoy_cc_test( deps = [ "//source/common/stream_info:utility_lib", "//test/mocks/stream_info:stream_info_mocks", - "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto", ], ) diff --git a/test/common/stream_info/utility_test.cc b/test/common/stream_info/utility_test.cc index 37470ecf0c74b..a8bb517c88423 100644 --- a/test/common/stream_info/utility_test.cc +++ b/test/common/stream_info/utility_test.cc @@ -4,7 +4,6 @@ #include "source/common/stream_info/utility.h" #include "test/mocks/stream_info/mocks.h" -#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -365,7 +364,6 @@ TEST(ProxyStatusErrorToString, TestAll) { } TEST(ProxyStatusFromStreamInfo, TestAllWithExpandedResponseFlags) { - TestScopedRuntime scoped_runtime; for (const auto& [response_flag, proxy_status_error] : std::vector>{ {CoreResponseFlag::FailedLocalHealthCheck, ProxyStatusError::DestinationUnavailable}, From 7c92b7ae8db8a14aff24a4d799acb718134b3ec9 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 11 Aug 2025 23:26:54 +0200 Subject: [PATCH 206/505] http: deprecate flag use_filter_manager_state_for_downstream_end_stream and remove legacy code paths (#40610) ## Description This PR removes the deprecated reloadable flag `use_filter_manager_state_for_downstream_end_stream` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/39130 --- **Commit Message:** router: deprecate flag use_filter_manager_state_for_downstream_end_stream and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `use_filter_manager_state_for_downstream_end_stream` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal Signed-off-by: yanavlasov Co-authored-by: yanavlasov --- changelogs/current.yaml | 3 +++ source/common/http/filter_manager.h | 17 ++--------------- source/common/runtime/runtime_features.cc | 1 - 3 files changed, 5 insertions(+), 16 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index fc6034996eb4d..73590c179f2eb 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -86,6 +86,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime guard ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.use_filter_manager_state_for_downstream_end_stream`` and legacy code paths. - area: balsa change: | Removed runtime guard ``envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done`` and legacy code paths. diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h index 3819705f77e32..eacd5a92da358 100644 --- a/source/common/http/filter_manager.h +++ b/source/common/http/filter_manager.h @@ -1181,9 +1181,7 @@ class DownstreamFilterManager : public FilterManager { std::move(parent_filter_state)), local_reply_(local_reply), filter_chain_factory_(filter_chain_factory), downstream_filter_load_shed_point_(overload_manager.getLoadShedPoint( - Server::LoadShedPointName::get().HttpDownstreamFilterCheck)), - use_filter_manager_state_for_downstream_end_stream_(Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.use_filter_manager_state_for_downstream_end_stream")) { + Server::LoadShedPointName::get().HttpDownstreamFilterCheck)) { ENVOY_LOG_ONCE_IF( trace, downstream_filter_load_shed_point_ == nullptr, "LoadShedPoint envoy.load_shed_points.http_downstream_filter_check is not found. " @@ -1219,15 +1217,7 @@ class DownstreamFilterManager : public FilterManager { /** * Whether downstream has observed end_stream. */ - bool decoderObservedEndStream() const override { - // Set by the envoy.reloadable_features.use_filter_manager_state_for_downstream_end_stream - // runtime flag. - if (use_filter_manager_state_for_downstream_end_stream_) { - return state_.observed_decode_end_stream_; - } - - return hasLastDownstreamByteReceived(); - } + bool decoderObservedEndStream() const override { return state_.observed_decode_end_stream_; } /** * Return true if the timestamp of the downstream end_stream was recorded. @@ -1284,9 +1274,6 @@ class DownstreamFilterManager : public FilterManager { const FilterChainFactory& filter_chain_factory_; Utility::PreparedLocalReplyPtr prepared_local_reply_{nullptr}; Server::LoadShedPoint* downstream_filter_load_shed_point_{nullptr}; - // Set by the envoy.reloadable_features.use_filter_manager_state_for_downstream_end_stream runtime - // flag. - const bool use_filter_manager_state_for_downstream_end_stream_{}; }; } // namespace Http diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 3340f9e966aa1..91252e3d49e4d 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -80,7 +80,6 @@ RUNTIME_GUARD(envoy_reloadable_features_trace_refresh_after_route_refresh); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); -RUNTIME_GUARD(envoy_reloadable_features_use_filter_manager_state_for_downstream_end_stream); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); From 369ace259ce3a67e16a1a29331671a533ffa6968 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 12 Aug 2025 00:41:55 +0200 Subject: [PATCH 207/505] router: add request_body_buffer_limit for large request buffering (#40254) ## Description ML/inference requests often require buffering the entire request body to determine routing destination based on content rather than headers, and to support retries of failed requests. The existing `per_request_buffer_limit_bytes` (32-bit) is insufficient for large ML payloads that can exceed 4GB. This PR adds `request_body_buffer_limit` configuration to `VirtualHost` and `Route` for buffering large request bodies beyond connection buffer limits. This enables support for ML/inference workloads that require buffering entire request bodies for processing and retries. When `request_body_buffer_limit` is not configured, the existing `per_request_buffer_limit_bytes` behavior is preserved. Routes inherit from virtual hosts when not explicitly configured. See https://github.com/envoyproxy/envoy/issues/40028 --- **Commit Message:** router: add request_body_buffer_limit for large request buffering **Additional Description:** Added `request_body_buffer_limit` configuration to `VirtualHost` and `Route` for buffering large request bodies beyond connection buffer limits. **Risk Level:** Low **Testing:** Added Unit + Integration Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal Signed-off-by: yanavlasov Co-authored-by: yanavlasov --- .../config/route/v3/route_components.proto | 67 +++- changelogs/current.yaml | 8 +- envoy/router/router.h | 39 +- source/common/http/null_route_impl.h | 4 +- source/common/router/config_impl.cc | 12 +- source/common/router/config_impl.h | 28 +- source/common/router/delegating_route_impl.cc | 4 +- source/common/router/delegating_route_impl.h | 2 +- source/common/router/router.cc | 120 ++++-- source/common/router/router.h | 10 +- test/common/http/async_client_impl_test.cc | 2 +- test/common/http/conn_manager_impl_test.cc | 4 +- test/common/router/config_impl_test.cc | 45 ++- .../router/delegating_route_impl_test.cc | 2 +- test/common/router/router_2_test.cc | 3 + test/common/router/router_test.cc | 358 +++++++++++++++++- .../filter_integration_test.cc | 2 +- test/integration/protocol_integration_test.cc | 4 +- test/integration/redirect_integration_test.cc | 2 +- .../shadow_policy_integration_test.cc | 2 +- test/mocks/router/mocks.cc | 6 +- test/mocks/router/mocks.h | 6 +- 22 files changed, 641 insertions(+), 89 deletions(-) diff --git a/api/envoy/config/route/v3/route_components.proto b/api/envoy/config/route/v3/route_components.proto index 292e5b9355847..b9607c9c3b39d 100644 --- a/api/envoy/config/route/v3/route_components.proto +++ b/api/envoy/config/route/v3/route_components.proto @@ -41,7 +41,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // host header. This allows a single listener to service multiple top level domain path trees. Once // a virtual host is selected based on the domain, the routes are processed in order to see which // upstream cluster to route to or whether to perform a redirect. -// [#next-free-field: 25] +// [#next-free-field: 26] message VirtualHost { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost"; @@ -205,10 +205,37 @@ message VirtualHost { // request header in retries initiated by per try timeouts. bool include_is_timeout_retry_header = 23; - // The maximum bytes which will be buffered for retries and shadowing. - // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum - // value of this and the listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18; + // The maximum bytes which will be buffered for retries and shadowing. If set, the bytes actually buffered will be + // the minimum value of this and the listener ``per_connection_buffer_limit_bytes``. + // + // .. attention:: + // + // This field has been deprecated. Please use :ref:`request_body_buffer_limit + // ` instead. + // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` could be set. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The maximum bytes which will be buffered for request bodies to support large request body + // buffering beyond the ``per_connection_buffer_limit_bytes``. + // + // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining + // flow control. + // + // Buffer limit precedence (from highest to lowest priority): + // + // 1. If ``request_body_buffer_limit`` is set, then ``request_body_buffer_limit`` will be used. + // 2. If :ref:`per_request_buffer_limit_bytes ` + // is set but ``request_body_buffer_limit`` is not, then ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)`` + // will be used. + // 3. If neither is set, then ``per_connection_buffer_limit_bytes`` will be used. + // + // For flow control chunk sizes, ``min(per_connection_buffer_limit_bytes, 16KB)`` will be used. + // + // Only one of :ref:`per_request_buffer_limit_bytes ` + // and ``request_body_buffer_limit`` could be set. + google.protobuf.UInt64Value request_body_buffer_limit = 25 + [(validate.rules).message = {required: false}]; // Specify a set of default request mirroring policies for every route under this virtual host. // It takes precedence over the route config mirror policy entirely. @@ -244,7 +271,7 @@ message RouteList { // // Envoy supports routing on HTTP method via :ref:`header matching // `. -// [#next-free-field: 20] +// [#next-free-field: 21] message Route { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route"; @@ -341,7 +368,14 @@ message Route { // The maximum bytes which will be buffered for retries and shadowing. // If set, the bytes actually buffered will be the minimum value of this and the // listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16; + // + // .. attention:: + // + // This field has been deprecated. Please use :ref:`request_body_buffer_limit + // ` instead. + // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` may be set. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; // The human readable prefix to use when emitting statistics for this endpoint. // The statistics are rooted at vhost..route.. @@ -357,6 +391,25 @@ message Route { // every application endpoint. This is both not easily maintainable and // statistics use a non-trivial amount of memory(approximately 1KiB per route). string stat_prefix = 19; + + // The maximum bytes which will be buffered for request bodies to support large request body + // buffering beyond the ``per_connection_buffer_limit_bytes``. + // + // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining + // flow control. + // + // Buffer limit precedence (from highest to lowest priority): + // + // 1. If ``request_body_buffer_limit`` is set: use ``request_body_buffer_limit`` + // 2. If :ref:`per_request_buffer_limit_bytes ` + // is set but ``request_body_buffer_limit`` is not: use ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)`` + // 3. If neither is set: use ``per_connection_buffer_limit_bytes`` + // + // For flow control chunk sizes, use ``min(per_connection_buffer_limit_bytes, 16KB)``. + // + // Only one of :ref:`per_request_buffer_limit_bytes ` + // and ``request_body_buffer_limit`` may be set. + google.protobuf.UInt64Value request_body_buffer_limit = 20; } // Compared to the :ref:`cluster ` field that specifies a diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 73590c179f2eb..03eb4112cd2cd 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -183,7 +183,13 @@ new_features: that sends ``GOAWAY`` AND closes connections for HTTP2 server processing of requests. When a ``GOAWAY`` frame is submitted by this the counter ``http2.goaway_sent`` will be incremented. - +- area: router + change: | + Added :ref:`request_body_buffer_limit + ` and + :ref:`request_body_buffer_limit + ` configuration fields + to enable buffering of large request bodies beyond connection buffer limits. - area: otlp_stat_sink change: | Added support for resource attributes. The stat sink will use the resource attributes configured for the OpenTelemetry tracer via diff --git a/envoy/router/router.h b/envoy/router/router.h index 363f40acf668e..d22c610f0cc82 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -677,14 +677,20 @@ class VirtualHost { virtual bool includeIsTimeoutRetryHeader() const PURE; /** - * @return uint32_t any route cap on bytes which should be buffered for shadowing or retries. - * This is an upper bound so does not necessarily reflect the bytes which will be buffered - * as other limits may apply. - * If a per route limit exists, it takes precedence over this configuration. - * Unlike some other buffer limits, 0 here indicates buffering should not be performed - * rather than no limit applies. + * @return uint64_t the maximum bytes which should be buffered for request bodies. This enables + * buffering larger request bodies beyond the connection buffer limit for use cases + * with large payloads, shadowing, or retries. + * + * This method consolidates the functionality of the previous + * per_request_buffer_limit_bytes and request_body_buffer_limit fields. It supports both + * legacy configurations using per_request_buffer_limit_bytes and new configurations using + * request_body_buffer_limit. + * + * If neither is set, falls back to connection buffer limits. Unlike some other buffer + * limits, 0 here indicates buffering should not be performed rather than no limit + * applies. */ - virtual uint32_t retryShadowBufferLimit() const PURE; + virtual uint64_t requestBodyBufferLimit() const PURE; /** * This is a helper to get the route's per-filter config if it exists, up along the config @@ -995,13 +1001,20 @@ class RouteEntry : public ResponseEntry { virtual const PathRewriterSharedPtr& pathRewriter() const PURE; /** - * @return uint32_t any route cap on bytes which should be buffered for shadowing or retries. - * This is an upper bound so does not necessarily reflect the bytes which will be buffered - * as other limits may apply. - * Unlike some other buffer limits, 0 here indicates buffering should not be performed - * rather than no limit applies. + * @return uint64_t the maximum bytes which should be buffered for request bodies. This enables + * buffering larger request bodies beyond the connection buffer limit for use cases + * with large payloads, shadowing, or retries. + * + * This method consolidates the functionality of the previous + * per_request_buffer_limit_bytes and request_body_buffer_limit fields. It supports both + * legacy configurations using per_request_buffer_limit_bytes and new configurations using + * request_body_buffer_limit. + * + * If neither is set, falls back to connection buffer limits. Unlike some other buffer + * limits, 0 here indicates buffering should not be performed rather than no limit + * applies. */ - virtual uint32_t retryShadowBufferLimit() const PURE; + virtual uint64_t requestBodyBufferLimit() const PURE; /** * @return const std::vector& the shadow policies for the route. The vector is empty diff --git a/source/common/http/null_route_impl.h b/source/common/http/null_route_impl.h index e976911162570..2043bf37267b0 100644 --- a/source/common/http/null_route_impl.h +++ b/source/common/http/null_route_impl.h @@ -63,7 +63,7 @@ struct NullVirtualHost : public Router::VirtualHost { bool includeAttemptCountInRequest() const override { return false; } bool includeAttemptCountInResponse() const override { return false; } bool includeIsTimeoutRetryHeader() const override { return false; } - uint32_t retryShadowBufferLimit() const override { return std::numeric_limits::max(); } + uint64_t requestBodyBufferLimit() const override { return std::numeric_limits::max(); } const Router::RouteSpecificFilterConfig* mostSpecificPerFilterConfig(absl::string_view) const override { return nullptr; @@ -161,7 +161,7 @@ struct RouteEntryImpl : public Router::RouteEntry { } const Router::PathMatcherSharedPtr& pathMatcher() const override { return path_matcher_; } const Router::PathRewriterSharedPtr& pathRewriter() const override { return path_rewriter_; } - uint32_t retryShadowBufferLimit() const override { return std::numeric_limits::max(); } + uint64_t requestBodyBufferLimit() const override { return std::numeric_limits::max(); } const std::vector& shadowPolicies() const override { return shadow_policies_; } diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index b09a5f678de76..11053386880fe 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -564,8 +564,10 @@ RouteEntryImplBase::RouteEntryImplBase(const CommonVirtualHostSharedPtr& vhost, opaque_config_(parseOpaqueConfig(route)), decorator_(parseDecorator(route)), route_tracing_(parseRouteTracing(route)), route_name_(route.name()), time_source_(factory_context.mainThreadDispatcher().timeSource()), - retry_shadow_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT( - route, per_request_buffer_limit_bytes, vhost->retryShadowBufferLimit())), + per_request_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT( + route, per_request_buffer_limit_bytes, std::numeric_limits::max())), + request_body_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(route, request_body_buffer_limit, + vhost->requestBodyBufferLimit())), direct_response_code_(ConfigUtility::parseDirectResponseCode(route)), cluster_not_found_response_code_(ConfigUtility::parseClusterNotFoundResponseCode( route.route().cluster_not_found_response_code())), @@ -575,6 +577,7 @@ RouteEntryImplBase::RouteEntryImplBase(const CommonVirtualHostSharedPtr& vhost, using_new_timeouts_(route.route().has_max_stream_duration()), match_grpc_(route.match().has_grpc()), case_sensitive_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(route.match(), case_sensitive, true)) { + auto config_or_error = PerFilterConfigs::create(route.typed_per_filter_config(), factory_context, validator); SET_AND_RETURN_IF_NOT_OK(config_or_error.status(), creation_status); @@ -1556,11 +1559,14 @@ CommonVirtualHostImpl::CommonVirtualHostImpl( THROW_OR_RETURN_VALUE(PerFilterConfigs::create(virtual_host.typed_per_filter_config(), factory_context, validator), std::unique_ptr)), - retry_shadow_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT( + per_request_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT( virtual_host, per_request_buffer_limit_bytes, std::numeric_limits::max())), + request_body_buffer_limit_(PROTOBUF_GET_WRAPPED_OR_DEFAULT( + virtual_host, request_body_buffer_limit, std::numeric_limits::max())), include_attempt_count_in_request_(virtual_host.include_request_attempt_count()), include_attempt_count_in_response_(virtual_host.include_attempt_count_in_response()), include_is_timeout_retry_header_(virtual_host.include_is_timeout_retry_header()) { + if (!virtual_host.request_headers_to_add().empty() || !virtual_host.request_headers_to_remove().empty()) { request_headers_parser_ = diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 5571df3e437b6..39c48c059c159 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -275,7 +275,16 @@ class CommonVirtualHostImpl : public VirtualHost, Logger::Loggable::max()) { + return request_body_buffer_limit_; + } + if (per_request_buffer_limit_ != std::numeric_limits::max()) { + return static_cast(per_request_buffer_limit_); + } + return std::numeric_limits::max(); + } RouteSpecificFilterConfigs perFilterConfigs(absl::string_view) const override; const envoy::config::core::v3::Metadata& metadata() const override; @@ -348,7 +357,8 @@ class CommonVirtualHostImpl : public VirtualHost, Logger::Loggable virtual_cluster_catch_all_; RouteMetadataPackPtr metadata_; // Keep small members (bools and enums) at the end of class, to reduce alignment overhead. - uint32_t retry_shadow_buffer_limit_{std::numeric_limits::max()}; + uint32_t per_request_buffer_limit_{std::numeric_limits::max()}; + uint64_t request_body_buffer_limit_{std::numeric_limits::max()}; const bool include_attempt_count_in_request_ : 1; const bool include_attempt_count_in_response_ : 1; const bool include_is_timeout_retry_header_ : 1; @@ -713,7 +723,16 @@ class RouteEntryImplBase : public RouteEntryAndRoute, const PathMatcherSharedPtr& pathMatcher() const override { return path_matcher_; } const PathRewriterSharedPtr& pathRewriter() const override { return path_rewriter_; } - uint32_t retryShadowBufferLimit() const override { return retry_shadow_buffer_limit_; } + uint64_t requestBodyBufferLimit() const override { + // Return the new field if set, otherwise return the legacy field. + if (request_body_buffer_limit_ != std::numeric_limits::max()) { + return request_body_buffer_limit_; + } + if (per_request_buffer_limit_ != std::numeric_limits::max()) { + return static_cast(per_request_buffer_limit_); + } + return std::numeric_limits::max(); + } const std::vector& shadowPolicies() const override { return shadow_policies_; } std::chrono::milliseconds timeout() const override { return timeout_; } bool usingNewTimeouts() const override { return using_new_timeouts_; } @@ -964,7 +983,8 @@ class RouteEntryImplBase : public RouteEntryAndRoute, EarlyDataPolicyPtr early_data_policy_; // Keep small members (bools and enums) at the end of class, to reduce alignment overhead. - uint32_t retry_shadow_buffer_limit_{std::numeric_limits::max()}; + uint32_t per_request_buffer_limit_{std::numeric_limits::max()}; + uint64_t request_body_buffer_limit_{std::numeric_limits::max()}; const absl::optional direct_response_code_; const Http::Code cluster_not_found_response_code_; const Upstream::ResourcePriority priority_; diff --git a/source/common/router/delegating_route_impl.cc b/source/common/router/delegating_route_impl.cc index 97d5b1e9b5faa..c43d527dae4f0 100644 --- a/source/common/router/delegating_route_impl.cc +++ b/source/common/router/delegating_route_impl.cc @@ -77,8 +77,8 @@ const InternalRedirectPolicy& DelegatingRouteEntry::internalRedirectPolicy() con return base_route_entry_->internalRedirectPolicy(); } -uint32_t DelegatingRouteEntry::retryShadowBufferLimit() const { - return base_route_entry_->retryShadowBufferLimit(); +uint64_t DelegatingRouteEntry::requestBodyBufferLimit() const { + return base_route_entry_->requestBodyBufferLimit(); } const std::vector& DelegatingRouteEntry::shadowPolicies() const { diff --git a/source/common/router/delegating_route_impl.h b/source/common/router/delegating_route_impl.h index 8ceaac54c4729..e720b6940d29e 100644 --- a/source/common/router/delegating_route_impl.h +++ b/source/common/router/delegating_route_impl.h @@ -104,7 +104,7 @@ class DelegatingRouteEntry : public DelegatingRouteBase { const Router::PathMatcherSharedPtr& pathMatcher() const override; const Router::PathRewriterSharedPtr& pathRewriter() const override; const InternalRedirectPolicy& internalRedirectPolicy() const override; - uint32_t retryShadowBufferLimit() const override; + uint64_t requestBodyBufferLimit() const override; const std::vector& shadowPolicies() const override; std::chrono::milliseconds timeout() const override; absl::optional idleTimeout() const override; diff --git a/source/common/router/router.cc b/source/common/router/router.cc index 27216abfb445f..293d68a627924 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -513,10 +513,10 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, // A route entry matches for the request. route_entry_ = route_->routeEntry(); - // If there's a route specific limit and it's smaller than general downstream - // limits, apply the new cap. - retry_shadow_buffer_limit_ = - std::min(retry_shadow_buffer_limit_, route_entry_->retryShadowBufferLimit()); + // Store buffer limits from the route entry. + // The requestBodyBufferLimit() method handles both legacy per_request_buffer_limit_bytes + // and new request_body_buffer_limit configurations automatically. + request_body_buffer_limit_ = route_entry_->requestBodyBufferLimit(); Upstream::ThreadLocalCluster* cluster = config_->cm_.getThreadLocalCluster(route_entry_->clusterName()); if (!cluster) { @@ -833,9 +833,16 @@ bool Filter::continueDecodeHeaders(Upstream::ThreadLocalCluster* cluster, .setIsShadow(true) .setIsShadowSuffixDisabled(shadow_policy.disableShadowHostSuffixAppend()) .setBufferAccount(callbacks_->account()) - // A buffer limit of 1 is set in the case that retry_shadow_buffer_limit_ == 0, + // Calculate effective buffer limit for shadow streams using the same logic as main + // request. A buffer limit of 1 is set in the case that the effective limit == 0, // because a buffer limit of zero on async clients is interpreted as no buffer limit. - .setBufferLimit(1 > retry_shadow_buffer_limit_ ? 1 : retry_shadow_buffer_limit_) + .setBufferLimit([this]() -> uint32_t { + uint64_t effective_limit = calculateEffectiveBufferLimit(); + // Convert to uint32_t for AsyncClient, clamping to max uint32_t if needed + uint32_t shadow_limit = static_cast(std::min( + effective_limit, static_cast(std::numeric_limits::max()))); + return shadow_limit == 0 ? 1 : shadow_limit; + }()) .setDiscardResponseBody(true) .setFilterConfig(config_) .setParentContext(Http::AsyncClient::ParentContext{&callbacks_->streamInfo()}); @@ -920,41 +927,98 @@ void Filter::sendNoHealthyUpstreamResponse(absl::optional optional_ absl::nullopt, details); } +uint64_t Filter::calculateEffectiveBufferLimit() const { + // Use requestBodyBufferLimit() method which handles both legacy and new + // configurations. If no buffer limit is configured, fall back to connection limit. + uint64_t buffer_limit = request_body_buffer_limit_; + + if (buffer_limit != std::numeric_limits::max()) { + return buffer_limit; + } + + // If no route-level buffer limit is set, use the connection buffer limit. + uint32_t current_connection_limit = callbacks_->decoderBufferLimit(); + if (current_connection_limit != 0) { + return static_cast(current_connection_limit); + } + + // If no limits are set at all, return unlimited. + return std::numeric_limits::max(); +} + Http::FilterDataStatus Filter::decodeData(Buffer::Instance& data, bool end_stream) { // upstream_requests_.size() cannot be > 1 because that only happens when a per // try timeout occurs with hedge_on_per_try_timeout enabled but the per // try timeout timer is not started until onRequestComplete(). It could be zero // if the first request attempt has already failed and a retry is waiting for - // a backoff timer. + // a backoff timer.. ASSERT(upstream_requests_.size() <= 1); - bool buffering = (retry_state_ && retry_state_->enabled()) || - (route_entry_ && route_entry_->internalRedirectPolicy().enabled()); - if (buffering && - getLength(callbacks_->decodingBuffer()) + data.length() > retry_shadow_buffer_limit_) { + bool retry_enabled = retry_state_ && retry_state_->enabled(); + bool redirect_enabled = route_entry_ && route_entry_->internalRedirectPolicy().enabled(); + bool buffering = retry_enabled || redirect_enabled; + uint64_t effective_buffer_limit = calculateEffectiveBufferLimit(); + + // Check if we would exceed buffer limits, regardless of current buffering state + // This ensures error details are set even if retry state was cleared due to upstream reset. + bool would_exceed_buffer = + (getLength(callbacks_->decodingBuffer()) + data.length() > effective_buffer_limit); + + // Handle retry/shadow buffer overflow, excluding redirect-only scenarios. + // For redirect scenarios, buffer overflow should only affect redirect processing, not initial + // request. + bool had_retry_or_shadow = retry_enabled; + bool is_redirect_only = redirect_enabled && !retry_enabled; + + if (would_exceed_buffer && had_retry_or_shadow && !is_redirect_only && + !request_buffer_overflowed_) { ENVOY_LOG(debug, - "The request payload has at least {} bytes data which exceeds buffer limit {}. Give " - "up on the retry/shadow.", - getLength(callbacks_->decodingBuffer()) + data.length(), retry_shadow_buffer_limit_); + "The request payload has at least {} bytes data which exceeds buffer limit {}. " + "Giving up on buffering.", + getLength(callbacks_->decodingBuffer()) + data.length(), effective_buffer_limit); + cluster_->trafficStats()->retry_or_shadow_abandoned_.inc(); retry_state_.reset(); + ENVOY_LOG(debug, "retry or shadow overflow: retry_state_ reset, buffering set to false"); buffering = false; active_shadow_policies_.clear(); - request_buffer_overflowed_ = true; - // If we had to abandon buffering and there's no request in progress, abort the request and - // clean up. This happens if the initial upstream request failed, and we are currently waiting - // for a backoff timer before starting the next upstream attempt. + // Only send local reply and cleanup if we're in a retry waiting state (no active upstream + // requests). If there are active upstream requests, let the normal upstream failure handling + // take precedence. if (upstream_requests_.empty()) { + request_buffer_overflowed_ = true; + ENVOY_LOG(debug, + "retry or shadow overflow: No upstream requests, resetting and calling cleanup()"); + resetAll(); cleanup(); + callbacks_->streamInfo().setResponseCodeDetails( + StreamInfo::ResponseCodeDetails::get().RequestPayloadExceededRetryBufferLimit); callbacks_->sendLocalReply( Http::Code::InsufficientStorage, "exceeded request buffer limit while retrying upstream", modify_headers_, absl::nullopt, StreamInfo::ResponseCodeDetails::get().RequestPayloadExceededRetryBufferLimit); return Http::FilterDataStatus::StopIterationNoBuffer; + } else { + ENVOY_LOG(debug, "retry or shadow overflow: Upstream requests exist, deferring to normal " + "upstream failure handling"); } } + // Handle redirect-only buffer overflow when retry/shadow is not active. + // For redirect scenarios, buffer overflow should only affect redirect processing, not initial + // request. + if (would_exceed_buffer && is_redirect_only && !request_buffer_overflowed_) { + ENVOY_LOG(debug, + "The request payload has at least {} bytes data which exceeds buffer limit {}. " + "Marking request as buffer overflowed to cancel internal redirects.", + getLength(callbacks_->decodingBuffer()) + data.length(), effective_buffer_limit); + + // Set the flag to cancel internal redirect processing, but allow the request to proceed + // normally. + request_buffer_overflowed_ = true; + } + for (auto* shadow_stream : shadow_streams_) { if (end_stream) { shadow_stream->removeDestructorCallback(); @@ -1045,11 +1109,8 @@ void Filter::setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callb // it, it can latch the current buffer limit and does not need to update the // limit if another filter increases it. // - // The default is "do not limit". If there are configured (non-zero) buffer - // limits, apply them here. - if (callbacks_->decoderBufferLimit() != 0) { - retry_shadow_buffer_limit_ = callbacks_->decoderBufferLimit(); - } + // Store the connection buffer limit for use in the new buffer limit logic. + connection_buffer_limit_ = callbacks_->decoderBufferLimit(); watermark_callbacks_.setDecoderFilterCallbacks(callbacks_); } @@ -1059,6 +1120,7 @@ void Filter::cleanup() { // list as appropriate. ASSERT(upstream_requests_.empty()); + ENVOY_LOG(debug, "Executing cleanup(): resetting retry_state_ and disabling timers"); retry_state_.reset(); if (response_timeout_) { response_timeout_->disableTimer(); @@ -1324,6 +1386,14 @@ void Filter::onUpstreamAbort(Http::Code code, StreamInfo::CoreResponseFlag respo // If we have not yet sent anything downstream, send a response with an appropriate status code. // Otherwise just reset the ongoing response. callbacks_->streamInfo().setResponseFlag(response_flags); + + // Check if buffer overflow occurred and override error details accordingly + if (request_buffer_overflowed_) { + code = Http::Code::InsufficientStorage; + body = "exceeded request buffer limit while retrying upstream"; + details = StreamInfo::ResponseCodeDetails::get().RequestPayloadExceededRetryBufferLimit; + } + // This will destroy any created retry timers. cleanup(); // sendLocalReply may instead reset the stream if downstream_response_started_ is true. @@ -2259,9 +2329,9 @@ ProdFilter::createRetryState(const RetryPolicy& policy, Http::RequestHeaderMap& context, dispatcher, priority); if (retry_state != nullptr && retry_state->isAutomaticallyConfiguredForHttp3()) { // Since doing retry will make Envoy to buffer the request body, if upstream using HTTP/3 is the - // only reason for doing retry, set the retry shadow buffer limit to 0 so that we don't retry or + // only reason for doing retry, set the buffer limit to 0 so that we don't retry or // buffer safe requests with body which is not common. - setRetryShadowBufferLimit(0); + setRequestBodyBufferLimit(0); } return retry_state; } diff --git a/source/common/router/router.h b/source/common/router/router.h index 7a535048a2182..b9df5f63faa94 100644 --- a/source/common/router/router.h +++ b/source/common/router/router.h @@ -513,11 +513,12 @@ class Filter : Logger::Loggable, bool awaitingHost() { return host_selection_cancelable_ != nullptr; } protected: - void setRetryShadowBufferLimit(uint32_t retry_shadow_buffer_limit) { - ASSERT(retry_shadow_buffer_limit_ > retry_shadow_buffer_limit); - retry_shadow_buffer_limit_ = retry_shadow_buffer_limit; + void setRequestBodyBufferLimit(uint64_t buffer_limit) { + request_body_buffer_limit_ = buffer_limit; } + uint64_t calculateEffectiveBufferLimit() const; + private: friend class UpstreamRequest; @@ -632,7 +633,8 @@ class Filter : Logger::Loggable, absl::flat_hash_set shadow_streams_; // Keep small members (bools and enums) at the end of class, to reduce alignment overhead. - uint32_t retry_shadow_buffer_limit_{std::numeric_limits::max()}; + uint64_t request_body_buffer_limit_{std::numeric_limits::max()}; + uint32_t connection_buffer_limit_{0}; uint32_t attempt_count_{0}; uint32_t pending_retries_{0}; Http::Code timeout_response_code_ = Http::Code::GatewayTimeout; diff --git a/test/common/http/async_client_impl_test.cc b/test/common/http/async_client_impl_test.cc index 11cdd06c5103c..db1f98c9bad81 100644 --- a/test/common/http/async_client_impl_test.cc +++ b/test/common/http/async_client_impl_test.cc @@ -2470,7 +2470,7 @@ TEST_F(AsyncClientImplUnitTest, NullConfig) { } TEST_F(AsyncClientImplUnitTest, NullVirtualHost) { - EXPECT_EQ(std::numeric_limits::max(), vhost_.retryShadowBufferLimit()); + EXPECT_EQ(std::numeric_limits::max(), vhost_.requestBodyBufferLimit()); } } // namespace Http diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index a6b56ab1b1fee..79d335f342112 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -1259,8 +1259,8 @@ TEST_F(HttpConnectionManagerImplTest, DelegatingRouteEntryAllCalls) { ->internalRedirectPolicy() .shouldRedirectForResponseCode(Code::OK)); - EXPECT_EQ(default_route->routeEntry()->retryShadowBufferLimit(), - delegating_route_foo->routeEntry()->retryShadowBufferLimit()); + EXPECT_EQ(default_route->routeEntry()->requestBodyBufferLimit(), + delegating_route_foo->routeEntry()->requestBodyBufferLimit()); EXPECT_EQ(default_route->routeEntry()->shadowPolicies().empty(), delegating_route_foo->routeEntry()->shadowPolicies().empty()); EXPECT_EQ(default_route->routeEntry()->timeout(), diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index 79d181aa37561..0c7adb334858d 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -4782,7 +4782,7 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { const std::string yaml = R"EOF( virtual_hosts: - domains: [www.lyft.com] - per_request_buffer_limit_bytes: 8 + request_body_buffer_limit: 8 name: www retry_policy: num_retries: 3 @@ -4794,7 +4794,7 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { "@type": type.googleapis.com/google.protobuf.Struct routes: - match: {prefix: /foo} - per_request_buffer_limit_bytes: 7 + request_body_buffer_limit: 7 route: cluster: www retry_policy: @@ -4833,7 +4833,10 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { .retryOn()); EXPECT_EQ(7U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() - ->retryShadowBufferLimit()); + ->requestBodyBufferLimit()); + EXPECT_EQ(7U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) + ->routeEntry() + ->requestBodyBufferLimit()); EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() @@ -4856,6 +4859,12 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { ->routeEntry() ->retryPolicy() .retryOn()); + EXPECT_EQ(8U, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) + ->routeEntry() + ->requestBodyBufferLimit()); + EXPECT_EQ(8U, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) + ->routeEntry() + ->requestBodyBufferLimit()); EXPECT_EQ(std::chrono::milliseconds(1000), config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() @@ -4873,7 +4882,10 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { .retryOn()); EXPECT_EQ(8U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() - ->retryShadowBufferLimit()); + ->requestBodyBufferLimit()); + EXPECT_EQ(8U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) + ->routeEntry() + ->requestBodyBufferLimit()); EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() @@ -11688,6 +11700,31 @@ TEST_F(RouteMatcherTest, RequestMirrorPoliciesWithTraceSampled) { } } +// Test that route-level request_body_buffer_limit takes precedence over virtual_host +// request_body_buffer_limit +TEST_F(RouteConfigurationV2, RequestBodyBufferLimitPrecedenceRouteOverridesVirtualHost) { + const std::string yaml = R"EOF( +virtual_hosts: +- domains: [test.example.com] + name: test_host + request_body_buffer_limit: 32768 + routes: + - match: {prefix: /test} + route: + cluster: backend + request_body_buffer_limit: 4194304 +)EOF"; + + factory_context_.cluster_manager_.initializeClusters({"backend"}, {}); + TestConfigImpl config(parseRouteConfigurationFromYaml(yaml), factory_context_, true, + creation_status_); + EXPECT_TRUE(creation_status_.ok()); + + Http::TestRequestHeaderMapImpl headers = genHeaders("test.example.com", "/test", "GET"); + const RouteEntry* route = config.route(headers, 0)->routeEntry(); + EXPECT_EQ(4194304U, route->requestBodyBufferLimit()); +} + } // namespace } // namespace Router } // namespace Envoy diff --git a/test/common/router/delegating_route_impl_test.cc b/test/common/router/delegating_route_impl_test.cc index 84c434a397f29..215b2e90c516f 100644 --- a/test/common/router/delegating_route_impl_test.cc +++ b/test/common/router/delegating_route_impl_test.cc @@ -67,7 +67,7 @@ TEST(DelegatingRouteEntry, DelegatingRouteEntryTest) { TEST_METHOD(pathMatcher); TEST_METHOD(pathRewriter); TEST_METHOD(internalRedirectPolicy); - TEST_METHOD(retryShadowBufferLimit); + TEST_METHOD(requestBodyBufferLimit); TEST_METHOD(shadowPolicies); TEST_METHOD(timeout); TEST_METHOD(idleTimeout); diff --git a/test/common/router/router_2_test.cc b/test/common/router/router_2_test.cc index 4dfbd96387228..d34e66b22d4ae 100644 --- a/test/common/router/router_2_test.cc +++ b/test/common/router/router_2_test.cc @@ -112,6 +112,9 @@ class WatermarkTest : public RouterTestBase { WatermarkTest() : RouterTestBase(false, false, false, false, Protobuf::RepeatedPtrField{}) { EXPECT_CALL(callbacks_, activeSpan()).WillRepeatedly(ReturnRef(span_)); + // Add default mock for requestBodyBufferLimit which is called during router initialization. + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()) + .WillRepeatedly(Return(std::numeric_limits::max())); }; void sendRequest(bool header_only_request = true, bool pool_ready = true) { diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index b5aa42588bca9..77993021778b1 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -85,6 +85,9 @@ class RouterTest : public RouterTestBase { RouterTest() : RouterTestBase(false, false, false, false, Protobuf::RepeatedPtrField{}) { EXPECT_CALL(callbacks_, activeSpan()).WillRepeatedly(ReturnRef(span_)); + // Add default mock for requestBodyBufferLimit which is called during router initialization. + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()) + .WillRepeatedly(Return(std::numeric_limits::max())); ON_CALL(cm_.thread_local_cluster_, chooseHost(_)).WillByDefault(Invoke([this] { return Upstream::HostSelectionResponse{cm_.thread_local_cluster_.lb_.host_}; })); @@ -1150,7 +1153,7 @@ TEST_F(RouterTest, EnvoyAttemptCountInResponsePresentWithLocalReply) { // Pool failure, so upstream request was never initiated. EXPECT_EQ(0U, callbacks_.route_->virtual_host_->virtual_cluster_.stats().upstream_rq_total_.value()); - EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); // Expect 1 error for connection failure EXPECT_EQ(callbacks_.details(), "upstream_reset_before_response_started{remote_connection_failure}"); EXPECT_EQ(1U, callbacks_.stream_info_.attemptCount().value()); @@ -2965,7 +2968,7 @@ TEST_F(RouterTest, RetryRequestDuringBodyBufferLimitExceeded) { EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); EXPECT_CALL(callbacks_, addDecodedData(_, true)) .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); - EXPECT_CALL(callbacks_.route_->route_entry_, retryShadowBufferLimit()).WillOnce(Return(10)); + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillOnce(Return(10)); NiceMock encoder1; Http::ResponseDecoder* response_decoder = nullptr; @@ -2983,8 +2986,91 @@ TEST_F(RouterTest, RetryRequestDuringBodyBufferLimitExceeded) { router_->retry_state_->expectResetRetry(); encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); - // Complete request while there is no upstream request. - const std::string body2(50, 'a'); + // Send additional 15 bytes - total 55 bytes, which should exceed request body buffer limit (50). + const std::string body2(15, 'y'); + Buffer::OwnedImpl buf2(body2); + router_->decodeData(buf2, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test that router uses request_body_buffer_limit when configured instead of +// per_request_buffer_limit. +TEST_F(RouterTest, RequestBodyBufferLimitExceeded) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + // Configure a large request body buffer limit (50 bytes) but small request buffer limit (10 + // bytes). + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillOnce(Return(50)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{ + {"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}, {"myheader", "present"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send 40 bytes - should be within request body buffer limit (50) but exceeds retry limit (10). + const std::string body1(40, 'x'); + Buffer::OwnedImpl buf1(body1); + EXPECT_CALL(*router_->retry_state_, enabled()).Times(2).WillRepeatedly(Return(true)); + router_->decodeData(buf1, false); + + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Send additional 15 bytes - total 55 bytes, which should exceed request body buffer limit (50). + const std::string body2(15, 'y'); + Buffer::OwnedImpl buf2(body2); + router_->decodeData(buf2, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test when request_body_buffer_limit is set we should use request_body_buffer_limit +// regardless of other settings. +TEST_F(RouterTest, BufferLimitLogicCase1RequestBodyBufferLimitSet) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + + // Case 1: request_body_buffer_limit=60, per_request_buffer_limit_bytes=20 + // Should use request_body_buffer_limit = 60 + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillRepeatedly(Return(60)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send initial data (55 bytes) + const std::string body1(55, 'x'); + Buffer::OwnedImpl buf1(body1); + EXPECT_CALL(*router_->retry_state_, enabled()).Times(2).WillRepeatedly(Return(true)); + router_->decodeData(buf1, false); + + // Simulate upstream failure to trigger retry logic + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Send additional data (10 bytes) - total 65 bytes should exceed limit of 60 + const std::string body2(10, 'y'); Buffer::OwnedImpl buf2(body2); router_->decodeData(buf2, false); @@ -2995,6 +3081,261 @@ TEST_F(RouterTest, RetryRequestDuringBodyBufferLimitExceeded) { EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); } +// When per_request_buffer_limit_bytes is set but request_body_buffer_limit is not set, +// we should use min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes). +TEST_F(RouterTest, BufferLimitLogicCase2PerRequestSetRequestBodyNotSet) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + // Set up the connection buffer limit mock to return 40 as expected + EXPECT_CALL(callbacks_, decoderBufferLimit()).WillRepeatedly(Return(40)); + + // Case 2: per_request_buffer_limit_bytes=20, request_body_buffer_limit=not set + // Should use min(20, connection_buffer_limit) = 20 (since connection limit is default 40) + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillRepeatedly(Return(20)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send initial data (15 bytes) + const std::string body1(15, 'x'); + Buffer::OwnedImpl buf1(body1); + EXPECT_CALL(*router_->retry_state_, enabled()).Times(2).WillRepeatedly(Return(true)); + router_->decodeData(buf1, false); + + // Simulate upstream failure to trigger retry logic + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Send additional data (10 bytes) - total 25 bytes should exceed limit of 20 + const std::string body2(10, 'y'); + Buffer::OwnedImpl buf2(body2); + router_->decodeData(buf2, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test that when connection limit is smaller than per_request limit, +// we use min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes) = connection limit. +TEST_F(RouterTest, BufferLimitLogicCase2ConnectionLimitSmaller) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + // Set up the connection buffer limit mock to return 40 as expected + EXPECT_CALL(callbacks_, decoderBufferLimit()).WillRepeatedly(Return(40)); + + // Case 2: per_request_buffer_limit_bytes=50, request_body_buffer_limit=not set + // Should use min(50, connection_limit) = min(50, 40) = 40 + // With consolidated approach, the effective limit should be 40 + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillRepeatedly(Return(40)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send initial data (35 bytes) + const std::string body1(35, 'x'); + Buffer::OwnedImpl buf1(body1); + EXPECT_CALL(*router_->retry_state_, enabled()).Times(2).WillRepeatedly(Return(true)); + router_->decodeData(buf1, false); + + // Simulate upstream failure to trigger retry logic + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Send additional data (10 bytes) - total 45 bytes should exceed connection limit of 40 + const std::string body2(10, 'y'); + Buffer::OwnedImpl buf2(body2); + router_->decodeData(buf2, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test that when neither fields are set we use per_connection_buffer_limit_bytes. +TEST_F(RouterTest, BufferLimitLogicCase3NeitherFieldSet) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + // Set up the connection buffer limit mock to return 40 as expected + EXPECT_CALL(callbacks_, decoderBufferLimit()).WillRepeatedly(Return(40)); + + // Case 3: both fields not set + // Should use connection_limit = 40 (default from RouterTestBase) + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()) + .WillRepeatedly(Return(std::numeric_limits::max())); // Not set + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send initial data (35 bytes) + const std::string body1(35, 'x'); + Buffer::OwnedImpl buf1(body1); + EXPECT_CALL(*router_->retry_state_, enabled()).Times(2).WillRepeatedly(Return(true)); + router_->decodeData(buf1, false); + + // Simulate upstream failure to trigger retry logic + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Send additional data (10 bytes) - total 45 bytes should exceed connection limit of 40 + const std::string body2(10, 'y'); + Buffer::OwnedImpl buf2(body2); + router_->decodeData(buf2, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test edge case: Zero limits should prevent buffering +TEST_F(RouterTest, BufferLimitLogicEdgeCaseZeroLimits) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + + // Set request_body_buffer_limit to 0 (should prevent any buffering) + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillRepeatedly(Return(0)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Simulate upstream failure to trigger retry logic first + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Send even 1 byte - should immediately exceed the 0 limit + const std::string body(1, 'x'); + Buffer::OwnedImpl buf(body); + EXPECT_CALL(*router_->retry_state_, enabled()).WillRepeatedly(Return(true)); + + // Should trigger buffer limit exceeded immediately + router_->decodeData(buf, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test mixed buffer limit scenarios with multiple content chunks +TEST_F(RouterTest, BufferLimitLogicMultipleDataChunks) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + EXPECT_CALL(callbacks_, decoderBufferLimit()).WillRepeatedly(Return(40)); + + // Buffer limit that should allow multiple small chunks but fail on larger ones + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillRepeatedly(Return(25)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send small chunks that accumulate near the limit + EXPECT_CALL(*router_->retry_state_, enabled()).WillRepeatedly(Return(true)); + + // First chunk: 10 bytes + const std::string body1(10, 'a'); + Buffer::OwnedImpl buf1(body1); + router_->decodeData(buf1, false); + + // Second chunk: 10 more bytes (total 20, still under 25) + const std::string body2(10, 'b'); + Buffer::OwnedImpl buf2(body2); + router_->decodeData(buf2, false); + + // Simulate upstream failure to trigger retry logic + router_->retry_state_->expectResetRetry(); + encoder1.stream_.resetStream(Http::StreamResetReason::RemoteReset); + + // Third chunk: 10 more bytes (total 30, exceeds limit of 25) + const std::string body3(10, 'c'); + Buffer::OwnedImpl buf3(body3); + router_->decodeData(buf3, false); + + EXPECT_EQ(callbacks_.details(), "request_payload_exceeded_retry_buffer_limit"); + EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_ + .counter("retry_or_shadow_abandoned") + .value()); + EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); +} + +// Test request_body_buffer_limit with exactly uint32_t max value behavior +TEST_F(RouterTest, BufferLimitLogicMaxUint32Boundary) { + Buffer::OwnedImpl decoding_buffer; + EXPECT_CALL(callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer)); + EXPECT_CALL(callbacks_, addDecodedData(_, true)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data, bool) { decoding_buffer.move(data); })); + EXPECT_CALL(callbacks_, decoderBufferLimit()).WillRepeatedly(Return(40)); + + // Test exactly at uint32_t max boundary + const uint64_t large_limit = static_cast(std::numeric_limits::max()) + 100; + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()) + .WillRepeatedly(Return(large_limit)); + + NiceMock encoder1; + Http::ResponseDecoder* response_decoder = nullptr; + expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); + + Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; + HttpTestUtility::addDefaultHeaders(headers); + router_->decodeHeaders(headers, false); + + // Send data that's much smaller than the large limit + const std::string body(1000, 'x'); + Buffer::OwnedImpl buf(body); + EXPECT_CALL(*router_->retry_state_, enabled()).WillRepeatedly(Return(true)); + router_->decodeData(buf, true); + + // Send a successful upstream response to complete the request + Http::ResponseHeaderMapPtr response_headers( + new Http::TestResponseHeaderMapImpl{{":status", "200"}}); + response_decoder->decodeHeaders(std::move(response_headers), true); + + // Should be successful with the large buffer limit + EXPECT_EQ(1000U, decoding_buffer.length()); + EXPECT_TRUE(verifyHostUpstreamStats(1, 0)); +} + // Two requests are sent (slow request + hedged retry) and then global timeout // is hit. Verify everything gets cleaned up. TEST_F(RouterTest, HedgedPerTryTimeoutGlobalTimeout) { @@ -3476,7 +3817,7 @@ TEST_F(RouterTest, NoRetryWithBodyLimit) { expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); // Set a per route body limit which disallows any buffering. - EXPECT_CALL(callbacks_.route_->route_entry_, retryShadowBufferLimit()).WillOnce(Return(0)); + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillOnce(Return(0)); Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; HttpTestUtility::addDefaultHeaders(headers); router_->decodeHeaders(headers, false); @@ -3508,7 +3849,7 @@ TEST_F(RouterTest, NoRetryWithBodyLimitWithUpstreamHalfCloseEnabled) { expectNewStreamWithImmediateEncoder(encoder1, &response_decoder, Http::Protocol::Http10); // Set a per route body limit which disallows any buffering. - EXPECT_CALL(callbacks_.route_->route_entry_, retryShadowBufferLimit()).WillOnce(Return(0)); + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()).WillOnce(Return(0)); Http::TestRequestHeaderMapImpl headers{{"x-envoy-retry-on", "5xx"}, {"x-envoy-internal", "true"}}; HttpTestUtility::addDefaultHeaders(headers); router_->decodeHeaders(headers, false); @@ -4716,6 +5057,9 @@ class RouterShadowingTest : public RouterTest, public testing::WithParamInterfac RouterShadowingTest() : streaming_shadow_(GetParam()) { scoped_runtime_.mergeValues( {{"envoy.reloadable_features.streaming_shadow", streaming_shadow_ ? "true" : "false"}}); + // Add default mock for requestBodyBufferLimit which is called during router initialization. + EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()) + .WillRepeatedly(Return(std::numeric_limits::max())); // Recreate router filter so it latches the correct value of streaming shadow. router_ = std::make_unique(config_, config_->default_stats_); router_->setDecoderFilterCallbacks(callbacks_); @@ -6547,7 +6891,7 @@ TEST(RouterFilterUtilityTest, SetTimeoutHeaders) { Http::TestRequestHeaderMapImpl headers; TimeoutData timeout; timeout.global_timeout_ = std::chrono::milliseconds(200); - timeout.per_try_timeout_ = std::chrono::milliseconds(0); + timeout.per_try_timeout_ = std::chrono::milliseconds(150); FilterUtility::setTimeoutHeaders(300, timeout, route, headers, true, false, false); EXPECT_EQ("1", headers.get_("x-envoy-expected-rq-timeout-ms")); // Over time diff --git a/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc b/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc index 8868a34c87e07..2c7cff266f837 100644 --- a/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc +++ b/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc @@ -428,7 +428,7 @@ TEST_P(FilterIntegrationTest, H3PostHandshakeFailoverToTcp) { [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& hcm) { auto* route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); - route->mutable_per_request_buffer_limit_bytes()->set_value(4096); + route->mutable_request_body_buffer_limit()->set_value(4096); }); initialize(); diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index bce87b9f12482..4a31297da8e1b 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1137,7 +1137,7 @@ TEST_P(ProtocolIntegrationTest, RetryStreamingCancelDueToBufferOverflow) { hcm) { auto* route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); - route->mutable_per_request_buffer_limit_bytes()->set_value(1024); + route->mutable_request_body_buffer_limit()->set_value(1024); route->mutable_route() ->mutable_retry_policy() ->mutable_retry_back_off() @@ -1401,7 +1401,7 @@ TEST_P(ProtocolIntegrationTest, RetryHittingBufferLimit) { // Very similar set-up to RetryHittingBufferLimits but using the route specific cap. TEST_P(ProtocolIntegrationTest, RetryHittingRouteLimits) { auto host = config_helper_.createVirtualHost("routelimit.lyft.com", "/"); - host.mutable_per_request_buffer_limit_bytes()->set_value(0); + host.mutable_request_body_buffer_limit()->set_value(0); config_helper_.addVirtualHost(host); initialize(); codec_client_ = makeHttpConnection(lookupPort("http")); diff --git a/test/integration/redirect_integration_test.cc b/test/integration/redirect_integration_test.cc index f1107cdb653ba..947f5d815142a 100644 --- a/test/integration/redirect_integration_test.cc +++ b/test/integration/redirect_integration_test.cc @@ -565,7 +565,7 @@ TEST_P(RedirectIntegrationTest, InternalRedirectCancelledDueToBufferOverflow) { [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& hcm) { auto* route = hcm.mutable_route_config()->mutable_virtual_hosts(2)->mutable_routes(0); - route->mutable_per_request_buffer_limit_bytes()->set_value(1024); + route->mutable_request_body_buffer_limit()->set_value(1024); }); initialize(); diff --git a/test/integration/shadow_policy_integration_test.cc b/test/integration/shadow_policy_integration_test.cc index 72b52059f31f1..e9b1ef5633a59 100644 --- a/test/integration/shadow_policy_integration_test.cc +++ b/test/integration/shadow_policy_integration_test.cc @@ -598,7 +598,7 @@ TEST_P(ShadowPolicyIntegrationTest, ShadowRequestOverRouteBufferLimit) { config_helper_.addConfigModifier([](ConfigHelper::HttpConnectionManager& hcm) { hcm.mutable_route_config() ->mutable_virtual_hosts(0) - ->mutable_per_request_buffer_limit_bytes() + ->mutable_request_body_buffer_limit() ->set_value(0); }); config_helper_.disableDelayClose(); diff --git a/test/mocks/router/mocks.cc b/test/mocks/router/mocks.cc index 33c5a40c2cadd..3c808199047e8 100644 --- a/test/mocks/router/mocks.cc +++ b/test/mocks/router/mocks.cc @@ -105,8 +105,7 @@ MockRouteEntry::MockRouteEntry() ON_CALL(*this, rateLimitPolicy()).WillByDefault(ReturnRef(rate_limit_policy_)); ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(retry_policy_)); ON_CALL(*this, internalRedirectPolicy()).WillByDefault(ReturnRef(internal_redirect_policy_)); - ON_CALL(*this, retryShadowBufferLimit()) - .WillByDefault(Return(std::numeric_limits::max())); + ON_CALL(*this, shadowPolicies()).WillByDefault(ReturnRef(shadow_policies_)); ON_CALL(*this, timeout()).WillByDefault(Return(std::chrono::milliseconds(10))); ON_CALL(*this, includeVirtualHostRateLimits()).WillByDefault(Return(true)); @@ -169,8 +168,7 @@ MockRoute::MockRoute() { ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(route_entry_.retry_policy_)); ON_CALL(*this, internalRedirectPolicy()) .WillByDefault(ReturnRef(route_entry_.internal_redirect_policy_)); - ON_CALL(*this, retryShadowBufferLimit()) - .WillByDefault(Return(std::numeric_limits::max())); + ON_CALL(*this, shadowPolicies()).WillByDefault(ReturnRef(route_entry_.shadow_policies_)); ON_CALL(*this, timeout()).WillByDefault(Return(std::chrono::milliseconds(10))); ON_CALL(*this, includeVirtualHostRateLimits()).WillByDefault(Return(true)); diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index 87360a9393e9e..090607ae1f7f5 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -326,7 +326,7 @@ class MockVirtualHost : public VirtualHost { MOCK_METHOD(bool, includeIsTimeoutRetryHeader, (), (const)); MOCK_METHOD(Upstream::RetryPrioritySharedPtr, retryPriority, ()); MOCK_METHOD(Upstream::RetryHostPredicateSharedPtr, retryHostPredicate, ()); - MOCK_METHOD(uint32_t, retryShadowBufferLimit, (), (const)); + MOCK_METHOD(uint64_t, requestBodyBufferLimit, (), (const)); MOCK_METHOD(RouteSpecificFilterConfigs, perFilterConfigs, (absl::string_view), (const)); MOCK_METHOD(const envoy::config::core::v3::Metadata&, metadata, (), (const)); MOCK_METHOD(const Envoy::Config::TypedMetadata&, typedMetadata, (), (const)); @@ -432,7 +432,7 @@ class MockRouteEntry : public RouteEntry { MOCK_METHOD(const InternalRedirectPolicy&, internalRedirectPolicy, (), (const)); MOCK_METHOD(const PathMatcherSharedPtr&, pathMatcher, (), (const)); MOCK_METHOD(const PathRewriterSharedPtr&, pathRewriter, (), (const)); - MOCK_METHOD(uint32_t, retryShadowBufferLimit, (), (const)); + MOCK_METHOD(uint64_t, requestBodyBufferLimit, (), (const)); MOCK_METHOD(const std::vector&, shadowPolicies, (), (const)); MOCK_METHOD(std::chrono::milliseconds, timeout, (), (const)); MOCK_METHOD(absl::optional, idleTimeout, (), (const)); @@ -552,7 +552,7 @@ class MockRoute : public RouteEntryAndRoute { MOCK_METHOD(const InternalRedirectPolicy&, internalRedirectPolicy, (), (const)); MOCK_METHOD(const PathMatcherSharedPtr&, pathMatcher, (), (const)); MOCK_METHOD(const PathRewriterSharedPtr&, pathRewriter, (), (const)); - MOCK_METHOD(uint32_t, retryShadowBufferLimit, (), (const)); + MOCK_METHOD(uint64_t, requestBodyBufferLimit, (), (const)); MOCK_METHOD(const std::vector&, shadowPolicies, (), (const)); MOCK_METHOD(std::chrono::milliseconds, timeout, (), (const)); MOCK_METHOD(absl::optional, idleTimeout, (), (const)); From 2512b1d442562b7f91a898e230a33161192286e5 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 11 Aug 2025 18:02:30 -0700 Subject: [PATCH 208/505] dynamic_modules: adds logging ABI (#40496) Commit Message: dynamic_modules: adds logging ABI Additional Description: This commit adds two new functions to the dynamic modules ABI: * envoy_dynamic_module_callback_log * envoy_dynamic_module_callback_log_enabled This enables modules to do logging just like the native envoy filters through the envoy logging stream. Closes #40143 Risk Level: none (100% new optional code path) Testing: done Docs Changes: done Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Takeshi Yoneda --- changelogs/current.yaml | 5 + source/extensions/dynamic_modules/abi.h | 40 +++++++ .../extensions/dynamic_modules/abi_version.h | 2 +- .../dynamic_modules/sdk/rust/src/lib.rs | 101 ++++++++++++++++++ .../dynamic_modules/sdk/rust/src/lib_test.rs | 11 ++ .../filters/http/dynamic_modules/abi_impl.cc | 30 ++++++ .../dynamic_modules/http/abi_impl_test.cc | 25 +++++ .../test_data/rust/http_integration_test.rs | 24 ++++- 8 files changed, 236 insertions(+), 2 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 03eb4112cd2cd..80f4c0d291a2a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -208,4 +208,9 @@ new_features: implemented is ``metadata()``, allowing Lua scripts to access route metadata scoped to the specific filter name. See :ref:`Route object API ` for more details. +- area: dynamic_modules + change: | + Added a new Logging ABI that allows modules to emit logs in the standard Envoy logging stream under "dynamic_modules" ID. + In the Rust SDK, they are available as ``envoy_log_info``, etc. + deprecated: diff --git a/source/extensions/dynamic_modules/abi.h b/source/extensions/dynamic_modules/abi.h index 93cb7e71e265d..65d48378c0396 100644 --- a/source/extensions/dynamic_modules/abi.h +++ b/source/extensions/dynamic_modules/abi.h @@ -414,6 +414,21 @@ typedef enum { envoy_dynamic_module_type_attribute_id_XdsFilterChainName, } envoy_dynamic_module_type_attribute_id; +/** + * envoy_dynamic_module_type_log_level represents the log level passed to + * envoy_dynamic_module_callback_log. This corresponds to the enum defined in + * source/common/common/base_logger.h. + */ +typedef enum { + envoy_dynamic_module_type_log_level_Trace, + envoy_dynamic_module_type_log_level_Debug, + envoy_dynamic_module_type_log_level_Info, + envoy_dynamic_module_type_log_level_Warn, + envoy_dynamic_module_type_log_level_Error, + envoy_dynamic_module_type_log_level_Critical, + envoy_dynamic_module_type_log_level_Off, +} envoy_dynamic_module_type_log_level; + /** * envoy_dynamic_module_type_http_callout_init_result represents the result of the HTTP callout * initialization after envoy_dynamic_module_callback_http_filter_http_callout is called. @@ -727,6 +742,31 @@ void envoy_dynamic_module_on_http_filter_scheduled( // Callbacks are functions implemented by Envoy that can be called by the module to interact with // Envoy. The name of a callback must be prefixed with "envoy_dynamic_module_callback_". +// --------------------------------- Logging ----------------------------------- + +/** + * envoy_dynamic_module_callback_log is called by the module to log a message as part + * of the standard Envoy logging stream under [dynamic_modules] Id. + * + * @param level is the log level of the message. + * @param message_ptr is the pointer to the message to be logged. + * @param message_length is the length of the message. + * + */ +void envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level level, + const char* message_ptr, size_t message_length); + +/** + * envoy_dynamic_module_callback_log_enabled is called by the module to check if the log level is + * enabled for logging for the dynamic modules Id. This can be used to avoid unnecessary + * string formatting and allocation if the log level is not enabled since calling this function + * should be negligible in terms of performance. + * + * @param level is the log level to check. + * @return true if the log level is enabled, false otherwise. + */ +bool envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level level); + // ---------------------- HTTP Header/Trailer callbacks ------------------------ /** diff --git a/source/extensions/dynamic_modules/abi_version.h b/source/extensions/dynamic_modules/abi_version.h index 25fe27957a6ef..178e7299fb846 100644 --- a/source/extensions/dynamic_modules/abi_version.h +++ b/source/extensions/dynamic_modules/abi_version.h @@ -6,7 +6,7 @@ namespace DynamicModules { #endif // This is the ABI version calculated as a sha256 hash of the ABI header files. When the ABI // changes, this value must change, and the correctness of this value is checked by the test. -const char* kAbiVersion = "c32cc7696650a6a54653327e6609734a8b32aeb5c80a6a664687636a0d671666"; +const char* kAbiVersion = "c07c1d909f0fa183d9c454377242978585ca4569d2e7e9aa27002ccebf34a00d"; #ifdef __cplusplus } // namespace DynamicModules diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs index 1ab6edda83555..ea0a54f83d8fd 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs @@ -88,6 +88,107 @@ macro_rules! declare_init_functions { }; } +/// Log a trace message to Envoy's logging system with [dynamic_modules] Id. Messages won't be +/// allocated if the log level is not enabled on the Envoy side. +/// +/// This accepts the exact same arguments as the `format!` macro, so you can use it to log formatted +/// messages. +#[macro_export] +macro_rules! envoy_log_trace { + ($($arg:tt)*) => { + $crate::envoy_log!($crate::abi::envoy_dynamic_module_type_log_level::Trace, $($arg)*) + }; +} + +/// Log a debug message to Envoy's logging system with [dynamic_modules] Id. Messages won't be +/// allocated if the log level is not enabled on the Envoy side. +/// +/// This accepts the exact same arguments as the `format!` macro, so you can use it to log formatted +/// messages. +#[macro_export] +macro_rules! envoy_log_debug { + ($($arg:tt)*) => { + $crate::envoy_log!($crate::abi::envoy_dynamic_module_type_log_level::Debug, $($arg)*) + }; +} + +/// Log an info message to Envoy's logging system with [dynamic_modules] Id. Messages won't be +/// allocated if the log level is not enabled on the Envoy side. +/// +/// This accepts the exact same arguments as the `format!` macro, so you can use it to log formatted +/// messages. +#[macro_export] +macro_rules! envoy_log_info { + ($($arg:tt)*) => { + $crate::envoy_log!($crate::abi::envoy_dynamic_module_type_log_level::Info, $($arg)*) + }; +} + +/// Log a warning message to Envoy's logging system with [dynamic_modules] Id. Messages won't be +/// allocated if the log level is not enabled on the Envoy side. +/// +/// This accepts the exact same arguments as the `format!` macro, so you can use it to log formatted +/// messages. +#[macro_export] +macro_rules! envoy_log_warn { + ($($arg:tt)*) => { + $crate::envoy_log!($crate::abi::envoy_dynamic_module_type_log_level::Warn, $($arg)*) + }; +} + +/// Log an error message to Envoy's logging system with [dynamic_modules] Id. Messages won't be +/// allocated if the log level is not enabled on the Envoy side. +/// +/// This accepts the exact same arguments as the `format!` macro, so you can use it to log formatted +/// messages. +#[macro_export] +macro_rules! envoy_log_error { + ($($arg:tt)*) => { + $crate::envoy_log!($crate::abi::envoy_dynamic_module_type_log_level::Error, $($arg)*) + }; +} + +/// Log a critical message to Envoy's logging system with [dynamic_modules] Id. Messages won't be +/// allocated if the log level is not enabled on the Envoy side. +/// +/// This accepts the exact same arguments as the `format!` macro, so you can use it to log formatted +/// messages. +#[macro_export] +macro_rules! envoy_log_critical { + ($($arg:tt)*) => { + $crate::envoy_log!($crate::abi::envoy_dynamic_module_type_log_level::Critical, $($arg)*) + }; +} + +/// Internal logging macro that handles the actual call to the Envoy logging callback +/// used by envoy_log_* macros. +#[macro_export] +macro_rules! envoy_log { + ($level:expr, $($arg:tt)*) => { + { + #[cfg(not(test))] + unsafe { + // Avoid allocating the message if the log level is not enabled. + if $crate::abi::envoy_dynamic_module_callback_log_enabled($level) { + let message = format!($($arg)*); + let message_bytes = message.as_bytes(); + $crate::abi::envoy_dynamic_module_callback_log( + $level, + message_bytes.as_ptr() as *const ::std::os::raw::c_char, + message_bytes.len() + ); + } + } + // In unit tests, just print to stderr since the Envoy symbols are not available. + #[cfg(test)] + { + let message = format!($($arg)*); + eprintln!("[{}] {}", stringify!($level), message); + } + } + }; +} + /// The function signature for the program init function. /// /// This is called when the dynamic module is loaded, and it must return true on success, and false diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs index 93741f2ebfa47..9b8de43cbb160 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs @@ -2,6 +2,17 @@ use crate::*; #[cfg(test)] use std::sync::atomic::AtomicBool; // This is used for testing the drop, not for the actual concurrency. +#[test] +fn test_loggers() { + // Test that the loggers are defined and can be used during the unit tests, i.e., not trying to + // find the symbol implemented by Envoy. + envoy_log_trace!("message with an argument: {}", "argument"); + envoy_log_debug!("message with an argument: {}", "argument"); + envoy_log_info!("message with an argument: {}", "argument"); + envoy_log_warn!("message with an argument: {}", "argument"); + envoy_log_error!("message with an argument: {}", "argument"); +} + #[test] fn test_envoy_dynamic_module_on_http_filter_config_new_impl() { struct TestHttpFilterConfig; diff --git a/source/extensions/filters/http/dynamic_modules/abi_impl.cc b/source/extensions/filters/http/dynamic_modules/abi_impl.cc index 5e19b60c78dfa..70f2b0a9770e7 100644 --- a/source/extensions/filters/http/dynamic_modules/abi_impl.cc +++ b/source/extensions/filters/http/dynamic_modules/abi_impl.cc @@ -1079,6 +1079,36 @@ void envoy_dynamic_module_callback_http_filter_continue_encoding( DynamicModuleHttpFilter* filter = static_cast(filter_envoy_ptr); filter->continueEncoding(); } + +bool envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level level) { + return Envoy::Logger::Registry::getLog(Envoy::Logger::Id::dynamic_modules).level() <= + static_cast(level); +} + +void envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level level, + const char* message_ptr, size_t message_length) { + absl::string_view message_view(static_cast(message_ptr), message_length); + spdlog::logger& logger = Envoy::Logger::Registry::getLog(Envoy::Logger::Id::dynamic_modules); + switch (level) { + case envoy_dynamic_module_type_log_level_Debug: + ENVOY_LOG_TO_LOGGER(logger, debug, message_view); + break; + case envoy_dynamic_module_type_log_level_Info: + ENVOY_LOG_TO_LOGGER(logger, info, message_view); + break; + case envoy_dynamic_module_type_log_level_Warn: + ENVOY_LOG_TO_LOGGER(logger, warn, message_view); + break; + case envoy_dynamic_module_type_log_level_Error: + ENVOY_LOG_TO_LOGGER(logger, error, message_view); + break; + case envoy_dynamic_module_type_log_level_Critical: + ENVOY_LOG_TO_LOGGER(logger, critical, message_view); + break; + default: + break; + } +} } } // namespace HttpFilters } // namespace DynamicModules diff --git a/test/extensions/dynamic_modules/http/abi_impl_test.cc b/test/extensions/dynamic_modules/http/abi_impl_test.cc index 4cc23934afc2e..deeb3cfb819d7 100644 --- a/test/extensions/dynamic_modules/http/abi_impl_test.cc +++ b/test/extensions/dynamic_modules/http/abi_impl_test.cc @@ -1060,6 +1060,31 @@ TEST(ABIImpl, HttpCallout) { envoy_dynamic_module_type_http_callout_init_result_MissingRequiredHeaders); } +TEST(ABIImpl, Log) { + Envoy::Logger::Registry::setLogLevel(spdlog::level::err); + EXPECT_FALSE( + envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level_Trace)); + EXPECT_FALSE( + envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level_Debug)); + EXPECT_FALSE(envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level_Info)); + EXPECT_FALSE(envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level_Warn)); + EXPECT_TRUE(envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level_Error)); + EXPECT_TRUE( + envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level_Critical)); + + // Use all log levels, mostly for coverage. + const std::string msg = "test log message"; + envoy_dynamic_module_type_buffer_module_ptr ptr = const_cast(msg.data()); + size_t len = msg.size(); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Trace, ptr, len); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Debug, ptr, len); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Info, ptr, len); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Warn, ptr, len); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Error, ptr, len); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Critical, ptr, len); + envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Off, ptr, len); +} + } // namespace HttpFilters } // namespace DynamicModules } // namespace Extensions diff --git a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs index 284873b5c4bba..47bad3b9cc252 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs @@ -53,13 +53,35 @@ impl HttpFilterConfig for PassthroughHttpFilterConfig { fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { + // Just to test that loggers can be accessible in a filter config callback. + envoy_log_trace!("new_http_filter called"); + envoy_log_debug!("new_http_filter called"); + envoy_log_info!("new_http_filter called"); + envoy_log_warn!("new_http_filter called"); + envoy_log_error!("new_http_filter called"); + envoy_log_critical!("new_http_filter called"); Box::new(PassthroughHttpFilter {}) } } struct PassthroughHttpFilter {} -impl HttpFilter for PassthroughHttpFilter {} +impl HttpFilter for PassthroughHttpFilter { + fn on_request_headers( + &mut self, + _envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> envoy_dynamic_module_type_on_http_filter_request_headers_status { + // Just to test that loggers can be accessible in a filter callback. + envoy_log_trace!("on_request_headers called"); + envoy_log_debug!("on_request_headers called"); + envoy_log_info!("on_request_headers called"); + envoy_log_warn!("on_request_headers called"); + envoy_log_error!("on_request_headers called"); + envoy_log_critical!("on_request_headers called"); + envoy_dynamic_module_type_on_http_filter_request_headers_status::Continue + } +} struct HeadersHttpFilterConfig { headers_to_add: String, From c443c5317552120768d09b448f1e1d6d0f3e8b03 Mon Sep 17 00:00:00 2001 From: StarryNight Date: Tue, 12 Aug 2025 10:39:22 +0800 Subject: [PATCH 209/505] generic proxy codec add buffer limit (#40560) Commit Message: generic proxy codec add buffer limit Additional Description: issue #40275 Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A --------- Signed-off-by: wangkai19 --- changelogs/current.yaml | 5 + .../filters/network/source/codecs/kafka/BUILD | 1 + .../network/source/codecs/kafka/config.cc | 16 ++ .../network/test/codecs/kafka/config_test.cc | 38 +++++ source/common/runtime/runtime_features.cc | 1 + .../generic_proxy/codecs/dubbo/config.h | 13 +- .../generic_proxy/codecs/http1/config.h | 15 ++ .../generic_proxy/codecs/dubbo/config_test.cc | 143 +++++++++++++++--- .../generic_proxy/codecs/http1/config_test.cc | 76 +++++++++- 9 files changed, 280 insertions(+), 28 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 80f4c0d291a2a..d14ca7fb369fe 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -22,6 +22,11 @@ minor_behavior_changes: In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader`` and ``HeaderHasValueRef`` must be replaced with ``ContainsHeader``. Any uses of matcher ``HeaderHasValue(...)`` should be replaced with ``::testing::Pointee(ContainsHeader(...))``. +- area: generic_proxy + change: | + Generic proxy codec add the same buffer limit as connection buffer limit, if the buffer limit is + exceeded, the connection is disconnected. This behavior can be reverted by setting the runtime guard + ``envoy.reloadable_features.generic_proxy_codec_buffer_limit`` to ``false``. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/contrib/generic_proxy/filters/network/source/codecs/kafka/BUILD b/contrib/generic_proxy/filters/network/source/codecs/kafka/BUILD index e96582eba3a1e..30acc63a67f44 100644 --- a/contrib/generic_proxy/filters/network/source/codecs/kafka/BUILD +++ b/contrib/generic_proxy/filters/network/source/codecs/kafka/BUILD @@ -19,6 +19,7 @@ envoy_cc_contrib_extension( deps = [ "//contrib/kafka/filters/network/source:kafka_request_codec_lib", "//contrib/kafka/filters/network/source:kafka_response_codec_lib", + "//source/common/runtime:runtime_features_lib", "//source/extensions/filters/network/generic_proxy/interface:codec_interface", "@envoy_api//contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3:pkg_cc_proto", ], diff --git a/contrib/generic_proxy/filters/network/source/codecs/kafka/config.cc b/contrib/generic_proxy/filters/network/source/codecs/kafka/config.cc index 35c6d9572311b..cc817b73af46e 100644 --- a/contrib/generic_proxy/filters/network/source/codecs/kafka/config.cc +++ b/contrib/generic_proxy/filters/network/source/codecs/kafka/config.cc @@ -1,5 +1,7 @@ #include "contrib/generic_proxy/filters/network/source/codecs/kafka/config.h" +#include "source/common/runtime/runtime_features.h" + namespace Envoy { namespace Extensions { namespace NetworkFilters { @@ -17,6 +19,13 @@ void KafkaServerCodec::setCodecCallbacks(GenericProxy::ServerCodecCallbacks& cal void KafkaServerCodec::decode(Envoy::Buffer::Instance& buffer, bool) { request_buffer_.move(buffer); + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.generic_proxy_codec_buffer_limit")) { + if (request_buffer_.length() > request_callbacks_->callbacks_.connection()->bufferLimit()) { + request_callbacks_->callbacks_.onDecodingFailure(); + return; + } + } request_decoder_->onData(request_buffer_); // All data has been consumed, so we can drain the buffer. request_buffer_.drain(request_buffer_.length()); @@ -60,6 +69,13 @@ void KafkaClientCodec::setCodecCallbacks(GenericProxy::ClientCodecCallbacks& cal void KafkaClientCodec::decode(Envoy::Buffer::Instance& buffer, bool) { response_buffer_.move(buffer); + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.generic_proxy_codec_buffer_limit")) { + if (response_buffer_.length() > response_callbacks_->callbacks_.connection()->bufferLimit()) { + response_callbacks_->callbacks_.onDecodingFailure(); + return; + } + } response_decoder_->onData(response_buffer_); // All data has been consumed, so we can drain the buffer. response_buffer_.drain(response_buffer_.length()); diff --git a/contrib/generic_proxy/filters/network/test/codecs/kafka/config_test.cc b/contrib/generic_proxy/filters/network/test/codecs/kafka/config_test.cc index d6d4c46819e27..2925622f8d9de 100644 --- a/contrib/generic_proxy/filters/network/test/codecs/kafka/config_test.cc +++ b/contrib/generic_proxy/filters/network/test/codecs/kafka/config_test.cc @@ -129,6 +129,7 @@ TEST(KafkaCodecTest, KafkaServerCodecTest) { { // Test decode() method. + ON_CALL(mock_connection, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); EXPECT_CALL(callbacks, onDecodingSuccess(_, _)) .WillOnce(testing::Invoke([](RequestHeaderFramePtr request, absl::optional) { EXPECT_EQ(dynamic_cast(request.get()) @@ -150,6 +151,24 @@ TEST(KafkaCodecTest, KafkaServerCodecTest) { server_codec.decode(buffer, false); } + { + // Test decode buffer limit. + ON_CALL(mock_connection, bufferLimit()).WillByDefault(testing::Return(4)); + EXPECT_CALL(callbacks, onDecodingFailure(_)); + auto request = + std::make_shared>( + NetworkFilters::Kafka::RequestHeader(NetworkFilters::Kafka::FETCH_REQUEST_API_KEY, 0, 3, + absl::nullopt), + NetworkFilters::Kafka::FetchRequest({}, {}, {}, {})); + + Buffer::OwnedImpl buffer; + const uint32_t size = htobe32(request->computeSize()); + buffer.add(&size, sizeof(size)); // Encode data length. + + request->encode(buffer); + server_codec.decode(buffer, false); + } + { // Test encode() method with non-response frame. @@ -217,6 +236,7 @@ TEST(KafkaCodecTest, KafkaClientCodecTest) { { // Test decode() method. + ON_CALL(mock_connection, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); EXPECT_CALL(callbacks, onDecodingSuccess(_, _)) .WillOnce(testing::Invoke([](ResponseHeaderFramePtr response, absl::optional) { EXPECT_EQ(dynamic_cast(response.get()) @@ -240,6 +260,24 @@ TEST(KafkaCodecTest, KafkaClientCodecTest) { client_codec.decode(buffer, false); } + { + // Test decode buffer limit. + ON_CALL(mock_connection, bufferLimit()).WillByDefault(testing::Return(4)); + EXPECT_CALL(callbacks, onDecodingFailure(_)); + auto response = + std::make_shared>( + NetworkFilters::Kafka::ResponseMetadata(NetworkFilters::Kafka::FETCH_REQUEST_API_KEY, 0, + 3), + NetworkFilters::Kafka::FetchResponse({}, {})); + + Buffer::OwnedImpl buffer; + const uint32_t size = htobe32(response->computeSize()); + buffer.add(&size, sizeof(size)); // Encode data length. + + response->encode(buffer); + client_codec.decode(buffer, false); + } + { // Test encode() method with non-request frame. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 91252e3d49e4d..470dd3df3e4bf 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -42,6 +42,7 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); +RUNTIME_GUARD(envoy_reloadable_features_generic_proxy_codec_buffer_limit); RUNTIME_GUARD(envoy_reloadable_features_grpc_side_stream_flow_control); RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_allow_cr_or_lf_at_request_start); RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_delay_reset); diff --git a/source/extensions/filters/network/generic_proxy/codecs/dubbo/config.h b/source/extensions/filters/network/generic_proxy/codecs/dubbo/config.h index a64cee7171313..46627cce43415 100644 --- a/source/extensions/filters/network/generic_proxy/codecs/dubbo/config.h +++ b/source/extensions/filters/network/generic_proxy/codecs/dubbo/config.h @@ -164,10 +164,18 @@ class DubboDecoderBase : public DubboCodecBase, public CodecType { } void decode(Buffer::Instance& buffer, bool) override { - while (buffer.length() > 0) { + decoding_buffer_.move(buffer); + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.generic_proxy_codec_buffer_limit")) { + if (decoding_buffer_.length() > callback_->connection()->bufferLimit()) { + callback_->onDecodingFailure(); + return; + } + } + while (decoding_buffer_.length() > 0) { // Continue decoding if the buffer has more data and the previous decoding is // successful. - if (decodeOne(buffer) != Common::Dubbo::DecodeStatus::Success) { + if (decodeOne(decoding_buffer_) != Common::Dubbo::DecodeStatus::Success) { break; } } @@ -191,6 +199,7 @@ class DubboDecoderBase : public DubboCodecBase, public CodecType { CallBackType* callback_{}; private: + Buffer::OwnedImpl decoding_buffer_; Buffer::OwnedImpl encoding_buffer_; }; diff --git a/source/extensions/filters/network/generic_proxy/codecs/http1/config.h b/source/extensions/filters/network/generic_proxy/codecs/http1/config.h index ab9fd02062764..56d8df2b2a0d4 100644 --- a/source/extensions/filters/network/generic_proxy/codecs/http1/config.h +++ b/source/extensions/filters/network/generic_proxy/codecs/http1/config.h @@ -301,6 +301,14 @@ class Http1ServerCodec : public Http1CodecBase, public ServerCodec { void setCodecCallbacks(ServerCodecCallbacks& callbacks) override { callbacks_ = &callbacks; } void decode(Envoy::Buffer::Instance& buffer, bool) override { + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.generic_proxy_codec_buffer_limit")) { + if (decoding_buffer_.length() + buffer.length() > callbacks_->connection()->bufferLimit()) { + callbacks_->onDecodingFailure(); + return; + } + } + if (!decodeBuffer(buffer)) { onDecodingFailure(); } @@ -362,6 +370,13 @@ class Http1ClientCodec : public Http1CodecBase, public ClientCodec { void setCodecCallbacks(ClientCodecCallbacks& callbacks) override { callbacks_ = &callbacks; } void decode(Envoy::Buffer::Instance& buffer, bool) override { + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.generic_proxy_codec_buffer_limit")) { + if (decoding_buffer_.length() + buffer.length() > callbacks_->connection()->bufferLimit()) { + callbacks_->onDecodingFailure(); + return; + } + } if (!decodeBuffer(buffer)) { onDecodingFailure(); } diff --git a/test/extensions/filters/network/generic_proxy/codecs/dubbo/config_test.cc b/test/extensions/filters/network/generic_proxy/codecs/dubbo/config_test.cc index e2b1aff1f40da..e2ac0257081e7 100644 --- a/test/extensions/filters/network/generic_proxy/codecs/dubbo/config_test.cc +++ b/test/extensions/filters/network/generic_proxy/codecs/dubbo/config_test.cc @@ -230,19 +230,19 @@ TEST(DubboResponseTest, DubboResponseTest) { } TEST(DubboServerCodecTest, DubboServerCodecTest) { - auto codec = std::make_unique(); - codec->initilize(std::make_unique()); + NiceMock callbacks; + NiceMock mock_connection_; - MockServerCodecCallbacks callbacks; - DubboServerCodec server_codec(std::move(codec)); - server_codec.setCodecCallbacks(callbacks); - - auto raw_serializer = const_cast( - dynamic_cast(server_codec.codec_->serializer().get())); + ON_CALL(callbacks, connection()) + .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Decode failure. { - server_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); Buffer::OwnedImpl buffer; buffer.writeBEInt(0); buffer.writeBEInt(0); @@ -253,7 +253,10 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { // Waiting for header. { - server_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\xc2', 0x00})); @@ -264,7 +267,10 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { // Waiting for data. { - server_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\xc2', 0x00})); @@ -277,7 +283,13 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { // Decode request. { - server_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + + auto raw_serializer = const_cast( + dynamic_cast(server_codec.codec_->serializer().get())); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\xc2', 0x00})); @@ -294,7 +306,13 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { // Decode heartbeat request. { - server_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + + auto raw_serializer = const_cast( + dynamic_cast(server_codec.codec_->serializer().get())); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\xe2', 00})); @@ -309,7 +327,13 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { // Encode response. { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + auto raw_serializer = const_cast( + dynamic_cast(server_codec.codec_->serializer().get())); MockEncodingContext encoding_context; DubboRequest request(createDubboRequst(false)); DubboResponse response( @@ -322,6 +346,11 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { } { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + Status status = absl::OkStatus(); DubboRequest request(createDubboRequst(false)); @@ -336,6 +365,11 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { } { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + Status status(StatusCode::kInvalidArgument, "test_message"); DubboRequest request(createDubboRequst(false)); @@ -351,6 +385,11 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { } { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + Status status(StatusCode::kAborted, "test_message2"); DubboRequest request(createDubboRequst(false)); @@ -364,22 +403,42 @@ TEST(DubboServerCodecTest, DubboServerCodecTest) { EXPECT_EQ("anything", typed_inner_response.content().result()->toString().value().get()); EXPECT_EQ("test_message2", typed_inner_response.content().attachments().at("reason")); } + + // Decode buffer limit. + { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboServerCodec server_codec(std::move(codec)); + server_codec.setCodecCallbacks(callbacks); + + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(4)); + + Buffer::OwnedImpl buffer; + buffer.add(std::string({'\xda', '\xbb', '\xc2', 0x00})); + buffer.writeBEInt(1); + buffer.writeBEInt(8); + buffer.add("anything"); + + EXPECT_CALL(callbacks, onDecodingFailure(_)); + server_codec.decode(buffer, false); + } } TEST(DubboClientCodecTest, DubboClientCodecTest) { - auto codec = std::make_unique(); - codec->initilize(std::make_unique()); - MockClientCodecCallbacks callbacks; - DubboClientCodec client_codec(std::move(codec)); - client_codec.setCodecCallbacks(callbacks); + NiceMock callbacks; + NiceMock mock_connection_; - auto raw_serializer = const_cast( - dynamic_cast(client_codec.codec_->serializer().get())); + ON_CALL(callbacks, connection()) + .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Decode failure. { - client_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); Buffer::OwnedImpl buffer; buffer.writeBEInt(0); @@ -391,7 +450,10 @@ TEST(DubboClientCodecTest, DubboClientCodecTest) { // Waiting for header. { - client_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\x02', 20})); @@ -402,7 +464,10 @@ TEST(DubboClientCodecTest, DubboClientCodecTest) { // Waiting for data. { - client_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\x02', 20})); @@ -415,7 +480,13 @@ TEST(DubboClientCodecTest, DubboClientCodecTest) { // Decode response. { - client_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); + + auto raw_serializer = const_cast( + dynamic_cast(client_codec.codec_->serializer().get())); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\x02', 20})); @@ -435,7 +506,13 @@ TEST(DubboClientCodecTest, DubboClientCodecTest) { // Decode heartbeat request. { - client_codec.metadata_.reset(); + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); + + auto raw_serializer = const_cast( + dynamic_cast(client_codec.codec_->serializer().get())); Buffer::OwnedImpl buffer; buffer.add(std::string({'\xda', '\xbb', '\xe2', 00})); @@ -450,6 +527,14 @@ TEST(DubboClientCodecTest, DubboClientCodecTest) { // Encode normal request. { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); + + auto raw_serializer = const_cast( + dynamic_cast(client_codec.codec_->serializer().get())); + MockEncodingContext encoding_context; DubboRequest request(createDubboRequst(false)); @@ -462,6 +547,14 @@ TEST(DubboClientCodecTest, DubboClientCodecTest) { // Encode one-way request. { + auto codec = std::make_unique(); + codec->initilize(std::make_unique()); + DubboClientCodec client_codec(std::move(codec)); + client_codec.setCodecCallbacks(callbacks); + + auto raw_serializer = const_cast( + dynamic_cast(client_codec.codec_->serializer().get())); + MockEncodingContext encoding_context; DubboRequest request(createDubboRequst(true)); diff --git a/test/extensions/filters/network/generic_proxy/codecs/http1/config_test.cc b/test/extensions/filters/network/generic_proxy/codecs/http1/config_test.cc index ba774324ca363..b445334b652ac 100644 --- a/test/extensions/filters/network/generic_proxy/codecs/http1/config_test.cc +++ b/test/extensions/filters/network/generic_proxy/codecs/http1/config_test.cc @@ -260,6 +260,7 @@ class Http1ServerCodecTest : public testing::Test { TEST_F(Http1ServerCodecTest, DecodeHeaderOnlyRequest) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Empty methods. Call these methods to increase coverage. codec_->onStatusImpl("", 0); @@ -295,6 +296,7 @@ TEST_F(Http1ServerCodecTest, DecodeHeaderOnlyRequest) { TEST_F(Http1ServerCodecTest, DecodeRequestWithBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -334,6 +336,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestWithBody) { TEST_F(Http1ServerCodecTest, DecodeRequestAndCloseConnectionAfterHeader) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -355,6 +358,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestAndCloseConnectionAfterHeader) { TEST_F(Http1ServerCodecTest, DecodeRequestAndCloseConnectionAfterBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -377,6 +381,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestAndCloseConnectionAfterBody) { TEST_F(Http1ServerCodecTest, DecodeRequestWithChunkedBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -425,6 +430,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestWithChunkedBody) { TEST_F(Http1ServerCodecTest, DecodeRequestWithChunkedBodyWithMultipleFrames) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -480,6 +486,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestWithChunkedBodyWithMultipleFrames) { TEST_F(Http1ServerCodecTest, DecodeUnexpectedRequest) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Connect. { @@ -787,7 +794,7 @@ TEST_F(Http1ServerCodecTest, EncodeResponseWithChunkedBodyButNotSetChunkHeader) TEST_F(Http1ServerCodecTest, DecodeRequestAndEncodeResponse) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); - + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Do repeated request and response. for (size_t i = 0; i < 100; i++) { Buffer::OwnedImpl buffer; @@ -830,6 +837,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestAndEncodeResponse) { TEST_F(Http1ServerCodecTest, DecodeExpectRequestAndItWillBeRepliedDirectly) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -871,6 +879,7 @@ TEST_F(Http1ServerCodecTest, DecodeExpectRequestAndItWillBeRepliedDirectly) { TEST_F(Http1ServerCodecTest, ResponseCompleteBeforeRequestComplete) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -915,6 +924,7 @@ TEST_F(Http1ServerCodecTest, ResponseCompleteBeforeRequestComplete) { TEST_F(Http1ServerCodecTest, NewRequestBeforeFirstRequestComplete) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -947,6 +957,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestInSingleFrameMode) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -984,6 +995,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestInSingleFrameModeButBodyTooLarge1) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -1003,6 +1015,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestInSingleFrameModeButBodyTooLarge2) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -1022,6 +1035,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestWithChunkedBodyInSingleFrameMode) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -1063,6 +1077,7 @@ TEST_F(Http1ServerCodecTest, DecodeRequestWithChunkedBodyWithMultipleFramesInSin ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -1135,6 +1150,24 @@ TEST_F(Http1ServerCodecTest, EncodeResponseInSingleFrameMode) { } } +TEST_F(Http1ServerCodecTest, AboveDecodeBufferLimit) { + ON_CALL(codec_callbacks_, connection()) + .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(4)); + + Buffer::OwnedImpl buffer; + + buffer.add("GET / HTTP/1.1\r\n" + "Host: host\r\n" + "Content-Length: 4\r\n" + "custom: value\r\n" + "\r\n" + "body"); + + EXPECT_CALL(codec_callbacks_, onDecodingFailure(_)); + codec_->decode(buffer, false); +} + class Http1ClientCodecTest : public testing::Test { public: Http1ClientCodecTest() { initializeCodec(); } @@ -1223,6 +1256,7 @@ class Http1ClientCodecTest : public testing::Test { TEST_F(Http1ClientCodecTest, DecodeHeaderOnlyResponse) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Empty methods. Call these methods to increase coverage. codec_->onUrlImpl("", 0); @@ -1251,6 +1285,7 @@ TEST_F(Http1ClientCodecTest, DecodeHeaderOnlyResponse) { TEST_F(Http1ClientCodecTest, ResponseComesBeforeRequest) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -1265,6 +1300,7 @@ TEST_F(Http1ClientCodecTest, ResponseComesBeforeRequest) { TEST_F(Http1ClientCodecTest, DecodeHTTP10Response) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); Buffer::OwnedImpl buffer; @@ -1279,6 +1315,7 @@ TEST_F(Http1ClientCodecTest, DecodeHTTP10Response) { TEST_F(Http1ClientCodecTest, DecodeResponseForHeadRequest) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingHeadRequest(); @@ -1303,6 +1340,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseForHeadRequest) { TEST_F(Http1ClientCodecTest, DecodeResponseShouldNotHasBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1327,6 +1365,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseShouldNotHasBody) { TEST_F(Http1ClientCodecTest, Decode1xxResponseAndItWillBeIgnored) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1341,6 +1380,7 @@ TEST_F(Http1ClientCodecTest, Decode1xxResponseAndItWillBeIgnored) { TEST_F(Http1ClientCodecTest, DecodeResponseWithBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1376,6 +1416,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseWithBody) { TEST_F(Http1ClientCodecTest, DecodeResponseAndCloseConnectionAfterHeader) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1398,6 +1439,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseAndCloseConnectionAfterHeader) { TEST_F(Http1ClientCodecTest, DecodeResponseAndCloseConnectionAfterBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1421,6 +1463,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseAndCloseConnectionAfterBody) { TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1462,6 +1505,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBody) { TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBodyWithMultipleFrames) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); encodingGetRequest(); @@ -1511,6 +1555,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBodyWithMultipleFrames) { TEST_F(Http1ClientCodecTest, DecodeUnexpectedResponse) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Transfer-Encoding and Content-Length are set at same time. { @@ -1681,6 +1726,7 @@ TEST_F(Http1ClientCodecTest, DecodeUnexpectedResponse) { TEST_F(Http1ClientCodecTest, EncodeHeaderOnlyRequest) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Create a request. auto headers = Http::RequestHeaderMapImpl::create(); @@ -1711,6 +1757,7 @@ TEST_F(Http1ClientCodecTest, EncodeHeaderOnlyRequest) { TEST_F(Http1ClientCodecTest, EncodeRequestMissRequiredHeaders) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Create a request without method. auto headers = Http::RequestHeaderMapImpl::create(); @@ -1733,6 +1780,7 @@ TEST_F(Http1ClientCodecTest, EncodeRequestMissRequiredHeaders) { TEST_F(Http1ClientCodecTest, EncodeRequestWithBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Create a request. auto headers = Http::RequestHeaderMapImpl::create(); @@ -1774,6 +1822,7 @@ TEST_F(Http1ClientCodecTest, EncodeRequestWithBody) { TEST_F(Http1ClientCodecTest, EncodeRequestWithChunkdBody) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Create a request. auto headers = Http::RequestHeaderMapImpl::create(); @@ -1819,6 +1868,7 @@ TEST_F(Http1ClientCodecTest, EncodeRequestWithChunkdBody) { TEST_F(Http1ClientCodecTest, EncodeRequestAndDecodeResponse) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Do repeated request and response. for (size_t i = 0; i < 100; i++) { @@ -1864,6 +1914,7 @@ TEST_F(Http1ClientCodecTest, EncodeRequestAndDecodeResponse) { TEST_F(Http1ClientCodecTest, ResponseCompleteBeforeRequestComplete) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); // Create a request. auto headers = Http::RequestHeaderMapImpl::create(); @@ -1905,6 +1956,7 @@ TEST_F(Http1ClientCodecTest, ResponseCompleteBeforeRequestComplete) { TEST_F(Http1ClientCodecTest, EncodeRequestInSingleFrameMode) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); initializeCodec(true, 8 * 1024 * 1024); @@ -1938,6 +1990,7 @@ TEST_F(Http1ClientCodecTest, EncodeRequestInSingleFrameMode) { TEST_F(Http1ClientCodecTest, DecodeResponseInSingleFrameMode) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); initializeCodec(true, 8 * 1024 * 1024); @@ -1970,6 +2023,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseInSingleFrameMode) { TEST_F(Http1ClientCodecTest, DecodeResponseInSingleFrameModeButBodyIsTooLarge1) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); initializeCodec(true, 4); @@ -1990,6 +2044,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseInSingleFrameModeButBodyIsTooLarge1) TEST_F(Http1ClientCodecTest, DecodeResponseInSingleFrameModeButBodyIsTooLarge2) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); initializeCodec(true, 4); @@ -2010,6 +2065,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseInSingleFrameModeButBodyIsTooLarge2) TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBodyInSingleFrameMode) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); initializeCodec(true, 8 * 1024 * 1024); @@ -2046,6 +2102,7 @@ TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBodyInSingleFrameMode) { TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBodyWithMultipleFramesInSingleFrameMode) { ON_CALL(codec_callbacks_, connection()) .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(1024 * 1024)); initializeCodec(true, 8 * 1024 * 1024); @@ -2084,6 +2141,23 @@ TEST_F(Http1ClientCodecTest, DecodeResponseWithChunkedBodyWithMultipleFramesInSi codec_->decode(buffer, false); } +TEST_F(Http1ClientCodecTest, AboveDecodeBufferLimit) { + ON_CALL(codec_callbacks_, connection()) + .WillByDefault(testing::Return(makeOptRef(mock_connection_))); + ON_CALL(mock_connection_, bufferLimit()).WillByDefault(testing::Return(4)); + + Buffer::OwnedImpl buffer; + + buffer.add("HTTP/1.1 200 OK\r\n" + "Content-Length: 4\r\n" + "custom: value\r\n" + "\r\n" + "body"); + + EXPECT_CALL(codec_callbacks_, onDecodingFailure(_)); + codec_->decode(buffer, false); +} + TEST(Http1CodecFactoryTest, Http1CodecFactoryTest) { NiceMock context; ProtoConfig proto_config; From 8f424102f7c2160ba8a69c1a23c4dc3d951b7cad Mon Sep 17 00:00:00 2001 From: botengyao Date: Tue, 12 Aug 2025 09:56:40 -0400 Subject: [PATCH 210/505] websocket: allow retry for 4xx and 5xx in the response (#40303) To unblock https://github.com/envoyproxy/envoy/issues/9961 it will let the 4xx and 5xx response go through the filter chain. Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Boteng Yao Co-authored-by: Garrett Heel --- changelogs/current.yaml | 4 + source/common/router/router.cc | 2 +- source/common/router/upstream_codec_filter.cc | 9 +- source/common/runtime/runtime_features.cc | 1 + .../http/ext_proc/ext_proc_misc_test.cc | 4 +- .../integration/websocket_integration_test.cc | 123 +++++++++++++++++- 6 files changed, 138 insertions(+), 5 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index d14ca7fb369fe..7e816b4d0ff9e 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -17,6 +17,10 @@ behavior_changes: minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* +- area: websocket + change: | + Allow 4xx and 5xx to go through the filter chain for websocket handshake response check, and the behaviour can be disabled + by a runtime ``envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain``. - area: testing change: | In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader`` and ``HeaderHasValueRef`` diff --git a/source/common/router/router.cc b/source/common/router/router.cc index 293d68a627924..dcc50543044ef 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -47,7 +47,7 @@ namespace Envoy { namespace Router { namespace { -constexpr char NumInternalRedirectsFilterStateName[] = "num_internal_redirects"; +constexpr absl::string_view NumInternalRedirectsFilterStateName = "num_internal_redirects"; uint32_t getLength(const Buffer::Instance* instance) { return instance ? instance->length() : 0; } diff --git a/source/common/router/upstream_codec_filter.cc b/source/common/router/upstream_codec_filter.cc index 7d43509920e4c..c138950b39768 100644 --- a/source/common/router/upstream_codec_filter.cc +++ b/source/common/router/upstream_codec_filter.cc @@ -165,8 +165,15 @@ void UpstreamCodecFilter::CodecBridge::decodeHeaders(Http::ResponseHeaderMapPtr& // handshake is finished and continue the data processing. filter_.callbacks_->upstreamCallbacks()->setPausedForWebsocketUpgrade(false); filter_.callbacks_->continueDecoding(); + } else if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain") && + status >= 400) { + maybeEndDecode(end_stream); + filter_.callbacks_->encodeHeaders(std::move(headers), end_stream, + StreamInfo::ResponseCodeDetails::get().ViaUpstream); + return; } else { - // Other status, e.g., 426 or 200, indicate a failed handshake, Envoy as a proxy will proxy + // Other status, e.g., 200, indicate a failed handshake, Envoy as a proxy will proxy // back the response header to downstream and then close the request, since WebSocket // just needs headers for handshake per RFC-6455. Note: HTTP/2 200 will be normalized to // 101 before this point in codec and this patch will skip this scenario from the above diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 470dd3df3e4bf..d8ad75aaf5b50 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -83,6 +83,7 @@ RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); +RUNTIME_GUARD(envoy_reloadable_features_websocket_allow_4xx_5xx_through_filter_chain); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); RUNTIME_GUARD(envoy_reloadable_features_xds_prevent_resource_copy); diff --git a/test/extensions/filters/http/ext_proc/ext_proc_misc_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_misc_test.cc index 64e6cdf5dcfb6..c940a71adcbd9 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_misc_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_misc_test.cc @@ -213,11 +213,11 @@ class ExtProcMiscIntegrationTest : public HttpIntegrationTest, ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); - upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "401"}}, true); + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.skip_ext_proc_on_local_reply")) { processResponseHeadersMessage(*grpc_upstreams_[0], false, absl::nullopt); } - verifyDownstreamResponse(*response, 401); + verifyDownstreamResponse(*response, 200); } envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor proto_config_{}; diff --git a/test/integration/websocket_integration_test.cc b/test/integration/websocket_integration_test.cc index 3e3aa2d2e1aaa..9316dca81875f 100644 --- a/test/integration/websocket_integration_test.cc +++ b/test/integration/websocket_integration_test.cc @@ -36,6 +36,10 @@ Http::TestResponseHeaderMapImpl upgradeResponseHeaders(const char* upgrade_type {":status", "101"}, {"connection", "upgrade"}, {"upgrade", upgrade_type}}; } +Http::TestResponseHeaderMapImpl upgradeFailedResponseHeaders() { + return Http::TestResponseHeaderMapImpl{{":status", "500"}}; +} + template void commonValidate(ProxiedHeaders& proxied_headers, const OriginalHeaders& original_headers) { // If no content length is specified, the HTTP1 codec will add a chunked encoding header. @@ -118,6 +122,18 @@ ConfigHelper::HttpModifierFunction setRouteUsingWebsocket() { hcm) { hcm.add_upgrade_configs()->set_upgrade_type("websocket"); }; } +ConfigHelper::HttpModifierFunction setRouteRetryOn5xxPolicy() { + return [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) { + auto* route_config = hcm.mutable_route_config(); + auto* virtual_host = route_config->mutable_virtual_hosts(0); + auto* route = virtual_host->mutable_routes(0)->mutable_route(); + auto* retry_policy = route->mutable_retry_policy(); + retry_policy->set_retry_on("5xx"); + retry_policy->mutable_num_retries()->set_value(1); + }; +} + void WebsocketIntegrationTest::initialize() { if (upstreamProtocol() == Http::CodecType::HTTP2) { config_helper_.addConfigModifier( @@ -657,6 +673,10 @@ TEST_P(WebsocketIntegrationTest, Http1UpgradeStatusCodeUpgradeRequired) { return; } + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain", "false"}}); + useAccessLog("%RESPONSE_CODE_DETAILS%"); config_helper_.addConfigModifier(setRouteUsingWebsocket()); initialize(); @@ -676,6 +696,103 @@ TEST_P(WebsocketIntegrationTest, Http1UpgradeStatusCodeUpgradeRequired) { ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); } +// Test Websocket Upgrade in HTTP1 with 500 response code. +// Upgrade is a HTTP1 header. +TEST_P(WebsocketIntegrationTest, Http1UpgradeStatus5OOWithFilterChain) { + if (downstreamProtocol() != Http::CodecType::HTTP1 || + upstreamProtocol() != Http::CodecType::HTTP1) { + return; + } + + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain", "true"}}); + + useAccessLog("%RESPONSE_CODE_DETAILS%"); + config_helper_.addConfigModifier(setRouteUsingWebsocket()); + initialize(); + + auto in_correct_status_response_headers = upgradeFailedResponseHeaders(); + + // The upgrade should be paused, but the response header is proxied back to downstream. + performUpgrade(upgradeRequestHeaders(), in_correct_status_response_headers, true); + EXPECT_EQ("500", response_->headers().Status()->value().getStringView()); + + test_server_->waitForCounterEq("cluster.cluster_0.upstream_cx_destroy", 0); + test_server_->waitForGaugeEq("http.config_test.downstream_cx_upgrades_active", 1); + codec_client_->close(); + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); +} + +// Test Websocket Upgrade in HTTP1 with a retry policy. +TEST_P(WebsocketIntegrationTest, Http1UpgradeRetryWithFilterChain) { + if (downstreamProtocol() != Http::CodecType::HTTP1 || + upstreamProtocol() != Http::CodecType::HTTP1) { + return; + } + + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain", "true"}}); + + useAccessLog("%RESPONSE_CODE_DETAILS%"); + config_helper_.addConfigModifier(setRouteUsingWebsocket()); + config_helper_.addConfigModifier(setRouteRetryOn5xxPolicy()); + + initialize(); + + // Establish the initial connection. + codec_client_ = makeHttpConnection(lookupPort("http")); + + // Send websocket upgrade request + auto encoder_decoder = codec_client_->startRequest(upgradeRequestHeaders()); + request_encoder_ = &encoder_decoder.first; + response_ = std::move(encoder_decoder.second); + test_server_->waitForCounterGe("http.config_test.downstream_cx_upgrades_total", 1); + test_server_->waitForGaugeGe("http.config_test.downstream_cx_upgrades_active", 1); + + // Verify the first upgrade was received upstream. + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + validateUpgradeRequestHeaders(upstream_request_->headers(), upgradeRequestHeaders()); + + // Send a 500 response to trigger retry + auto failed_response_headers = upgradeFailedResponseHeaders(); + upstream_request_->encodeHeaders(failed_response_headers, false); + + // For HTTP/1, the connection will be closed and a new one established for retry + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + + // Wait for the retry - new upstream connection and request + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + validateUpgradeRequestHeaders(upstream_request_->headers(), upgradeRequestHeaders()); + test_server_->waitForCounterEq("cluster.cluster_0.upstream_rq_retry", 1); + + // Send the successful 101 upgrade response on the second try + auto success_response_headers = upgradeResponseHeaders(); + upstream_request_->encodeHeaders(success_response_headers, false); + + // Verify the successful upgrade response was received downstream. + response_->waitForHeaders(); + EXPECT_EQ("101", response_->headers().Status()->value().getStringView()); + EXPECT_EQ("upgrade", response_->headers().Connection()->value().getStringView()); + EXPECT_EQ("websocket", response_->headers().Upgrade()->value().getStringView()); + validateUpgradeResponseHeaders(response_->headers(), success_response_headers); + test_server_->waitForCounterEq("cluster.cluster_0.upstream_rq_retry_success", 1); + + // Verify successful websocket connection by sending bidirectional data + sendBidirectionalData(); + + // Clean up + codec_client_->sendData(*request_encoder_, "bye!", false); + codec_client_->close(); + ASSERT_TRUE(upstream_request_->waitForData(*dispatcher_, "hellobye!")); + ASSERT_TRUE(waitForUpstreamDisconnectOrReset()); +} + // Test data flow when websocket handshake failed. TEST_P(WebsocketIntegrationTest, BidirectionalUpgradeFailedWithPrePayload) { if (downstreamProtocol() != Http::CodecType::HTTP1 || @@ -683,6 +800,10 @@ TEST_P(WebsocketIntegrationTest, BidirectionalUpgradeFailedWithPrePayload) { return; } + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain", "true"}}); + config_helper_.addConfigModifier(setRouteUsingWebsocket()); initialize(); @@ -712,7 +833,7 @@ TEST_P(WebsocketIntegrationTest, BidirectionalUpgradeFailedWithPrePayload) { ASSERT_FALSE(fake_upstream_connection->waitForData( FakeRawConnection::waitForInexactMatch("foo boo"), nullptr, std::chrono::milliseconds(10))); - tcp_client->waitForDisconnect(); + tcp_client->close(); ASSERT_TRUE(fake_upstream_connection->waitForDisconnect()); } From 14410a9f89624d6071aff8f598a1d4626a7dda95 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 12 Aug 2025 16:14:36 +0200 Subject: [PATCH 211/505] http: deprecate flag local_reply_traverses_filter_chain_after_1xx and remove legacy code paths (#40665) ## Description This PR removes the deprecated reloadable flag `local_reply_traverses_filter_chain_after_1xx` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/40377 --- **Commit Message:** router: deprecate flag local_reply_traverses_filter_chain_after_1xx and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `local_reply_traverses_filter_chain_after_1xx` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 +++ source/common/http/filter_manager.cc | 4 +--- source/common/runtime/runtime_features.cc | 1 - 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 7e816b4d0ff9e..edd03ebb9f849 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -74,6 +74,9 @@ removed_config_or_runtime: - area: rds change: | Removed runtime guard ``envoy.reloadable_features.normalize_rds_provider_config`` and legacy code paths. +- area: http + change: | + Removed runtime guard ``envoy.reloadable_features.local_reply_traverses_filter_chain_after_1xx`` and legacy code paths. - area: quic change: | Removed runtime guard ``envoy.reloadable_features.report_stream_reset_error_code`` and legacy code paths. diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc index 49c92a87b4772..9c34168e1fca8 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc @@ -1011,9 +1011,7 @@ void DownstreamFilterManager::sendLocalReply( if (!filter_manager_callbacks_.responseHeaders().has_value() && (!filter_manager_callbacks_.informationalHeaders().has_value() || - (Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.local_reply_traverses_filter_chain_after_1xx") && - !(state_.filter_call_state_ & FilterCallState::IsEncodingMask)))) { + !(state_.filter_call_state_ & FilterCallState::IsEncodingMask))) { // If the response has not started at all, or if the only response so far is an informational // 1xx that has already been fully processed, send the response through the filter chain. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index d8ad75aaf5b50..faa1c21eb53bb 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -55,7 +55,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); // Delay deprecation and decommission until UHV is enabled. RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); -RUNTIME_GUARD(envoy_reloadable_features_local_reply_traverses_filter_chain_after_1xx); RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name); RUNTIME_GUARD(envoy_reloadable_features_oauth2_cleanup_cookies); RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); From 501a109714333fa07df45b1fef545f187a86e279 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 12 Aug 2025 16:50:44 +0200 Subject: [PATCH 212/505] xds: deprecate flag xds_prevent_resource_copy and remove legacy code paths (#40676) --- changelogs/current.yaml | 3 + source/common/runtime/runtime_features.cc | 1 - .../grpc/delta_subscription_state.cc | 37 +++----- .../grpc/xds_mux/delta_subscription_state.cc | 37 +++----- .../grpc/delta_subscription_state_test.cc | 88 ------------------- 5 files changed, 29 insertions(+), 137 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index edd03ebb9f849..91cf4acbf28d1 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -71,6 +71,9 @@ removed_config_or_runtime: - area: udp_proxy change: | Removed runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` and legacy code paths. +- area: xds + change: | + Removed runtime guard ``envoy.reloadable_features.xds_prevent_resource_copy`` and legacy code paths. - area: rds change: | Removed runtime guard ``envoy.reloadable_features.normalize_rds_provider_config`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index faa1c21eb53bb..635f35843c431 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -84,7 +84,6 @@ RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_websocket_allow_4xx_5xx_through_filter_chain); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); -RUNTIME_GUARD(envoy_reloadable_features_xds_prevent_resource_copy); RUNTIME_GUARD(envoy_restart_features_raise_file_limits); RUNTIME_GUARD(envoy_restart_features_skip_backing_cluster_check_for_sds); diff --git a/source/extensions/config_subscription/grpc/delta_subscription_state.cc b/source/extensions/config_subscription/grpc/delta_subscription_state.cc index 5b540f146c729..00f7d452c665b 100644 --- a/source/extensions/config_subscription/grpc/delta_subscription_state.cc +++ b/source/extensions/config_subscription/grpc/delta_subscription_state.cc @@ -190,9 +190,7 @@ bool DeltaSubscriptionState::isHeartbeatResponse( void DeltaSubscriptionState::handleGoodResponse( envoy::service::discovery::v3::DeltaDiscoveryResponse& message) { absl::flat_hash_set names_added_removed; - // TODO(adisuissa): remove the non_heartbeat_resources structure once - // "envoy.reloadable_features.xds_prevent_resource_copy" is deprecated. - Protobuf::RepeatedPtrField non_heartbeat_resources; + for (const auto& resource : message.resources()) { if (!names_added_removed.insert(resource.name()).second) { throw EnvoyException( @@ -201,9 +199,6 @@ void DeltaSubscriptionState::handleGoodResponse( if (isHeartbeatResponse(resource)) { continue; } - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.xds_prevent_resource_copy")) { - non_heartbeat_resources.Add()->CopyFrom(resource); - } // DeltaDiscoveryResponses for unresolved aliases don't contain an actual resource if (!resource.has_resource() && resource.aliases_size() > 0) { continue; @@ -222,24 +217,18 @@ void DeltaSubscriptionState::handleGoodResponse( } } - absl::Span non_heartbeat_resources_span; - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.xds_prevent_resource_copy")) { - // Reorder the resources in the response, having all the non-heartbeat - // resources at the front of the list. Note that although there's no - // requirement to keep stable ordering, we do so to process the resources in - // the order they were sent. - auto last_non_heartbeat = std::stable_partition( - message.mutable_resources()->begin(), message.mutable_resources()->end(), - [&](const envoy::service::discovery::v3::Resource& resource) { - return !isHeartbeatResponse(resource); - }); - - non_heartbeat_resources_span = absl::MakeConstSpan( - message.resources().data(), last_non_heartbeat - message.resources().begin()); - } else { - non_heartbeat_resources_span = - absl::MakeConstSpan(non_heartbeat_resources.data(), non_heartbeat_resources.size()); - } + // Reorder the resources in the response, having all the non-heartbeat + // resources at the front of the list. Note that although there's no + // requirement to keep stable ordering, we do so to process the resources in + // the order they were sent. + auto last_non_heartbeat = std::stable_partition( + message.mutable_resources()->begin(), message.mutable_resources()->end(), + [&](const envoy::service::discovery::v3::Resource& resource) { + return !isHeartbeatResponse(resource); + }); + + auto non_heartbeat_resources_span = absl::MakeConstSpan( + message.resources().data(), last_non_heartbeat - message.resources().begin()); watch_map_.onConfigUpdate(non_heartbeat_resources_span, message.removed_resources(), message.system_version_info()); diff --git a/source/extensions/config_subscription/grpc/xds_mux/delta_subscription_state.cc b/source/extensions/config_subscription/grpc/xds_mux/delta_subscription_state.cc index 9c10163e4e52f..0f87c3e6df764 100644 --- a/source/extensions/config_subscription/grpc/xds_mux/delta_subscription_state.cc +++ b/source/extensions/config_subscription/grpc/xds_mux/delta_subscription_state.cc @@ -158,9 +158,7 @@ bool DeltaSubscriptionState::isHeartbeatResource( void DeltaSubscriptionState::handleGoodResponse( envoy::service::discovery::v3::DeltaDiscoveryResponse& message) { absl::flat_hash_set names_added_removed; - // TODO(adisuissa): remove the non_heartbeat_resources structure once - // "envoy.reloadable_features.xds_prevent_resource_copy" is deprecated. - Protobuf::RepeatedPtrField non_heartbeat_resources; + for (const auto& resource : message.resources()) { if (!names_added_removed.insert(resource.name()).second) { throw EnvoyException( @@ -169,9 +167,6 @@ void DeltaSubscriptionState::handleGoodResponse( if (isHeartbeatResource(resource)) { continue; } - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.xds_prevent_resource_copy")) { - non_heartbeat_resources.Add()->CopyFrom(resource); - } // DeltaDiscoveryResponses for unresolved aliases don't contain an actual resource if (!resource.has_resource() && resource.aliases_size() > 0) { continue; @@ -190,24 +185,18 @@ void DeltaSubscriptionState::handleGoodResponse( } } - absl::Span non_heartbeat_resources_span; - if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.xds_prevent_resource_copy")) { - // Reorder the resources in the response, having all the non-heartbeat - // resources at the front of the list. Note that although there's no - // requirement to keep stable ordering, we do so to process the resources in - // the order they were sent. - auto last_non_heartbeat = std::stable_partition( - message.mutable_resources()->begin(), message.mutable_resources()->end(), - [&](const envoy::service::discovery::v3::Resource& resource) { - return !isHeartbeatResource(resource); - }); - - non_heartbeat_resources_span = absl::MakeConstSpan( - message.resources().data(), last_non_heartbeat - message.resources().begin()); - } else { - non_heartbeat_resources_span = - absl::MakeConstSpan(non_heartbeat_resources.data(), non_heartbeat_resources.size()); - } + // Reorder the resources in the response, having all the non-heartbeat + // resources at the front of the list. Note that although there's no + // requirement to keep stable ordering, we do so to process the resources in + // the order they were sent. + auto last_non_heartbeat = std::stable_partition( + message.mutable_resources()->begin(), message.mutable_resources()->end(), + [&](const envoy::service::discovery::v3::Resource& resource) { + return !isHeartbeatResource(resource); + }); + + auto non_heartbeat_resources_span = absl::MakeConstSpan( + message.resources().data(), last_non_heartbeat - message.resources().begin()); callbacks().onConfigUpdate(non_heartbeat_resources_span, message.removed_resources(), message.system_version_info()); diff --git a/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc b/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc index bea8da1e122cc..2939c0b62fb93 100644 --- a/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc +++ b/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc @@ -1329,94 +1329,6 @@ TEST_P(DeltaSubscriptionStateTest, HeartbeatResourcesNotProcessed) { } } -// Validates that when both heartbeat and non-heartbeat resources are sent, only -// the non-heartbeat resources are processed. -// Once "envoy.reloadable_features.xds_prevent_resource_copy" is removed, this -// test should be removed (the HeartbeatResourcesNotProcessed will validate the -// required aspects). -TEST_P(DeltaSubscriptionStateTest, HeartbeatResourcesNotProcessedWithResourceCopy) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.xds_prevent_resource_copy", "false"}}); - Event::SimulatedTimeSystem time_system; - time_system.setSystemTime(std::chrono::milliseconds(0)); - - auto create_resource_with_ttl = [](absl::string_view name, absl::string_view version, - absl::optional ttl_s, - bool include_resource) { - envoy::service::discovery::v3::Resource resource; - resource.set_name(name); - resource.set_version(version); - - if (include_resource) { - resource.mutable_resource(); - } - - if (ttl_s) { - ProtobufWkt::Duration ttl; - ttl.set_seconds(ttl_s->count()); - resource.mutable_ttl()->CopyFrom(ttl); - } - - return resource; - }; - - // Add 3 resources. - { - Protobuf::RepeatedPtrField added_resources; - const auto r1 = create_resource_with_ttl("name1", "version1", std::chrono::seconds(1), true); - const auto r2 = create_resource_with_ttl("name2", "version1", std::chrono::seconds(1), true); - const auto r3 = create_resource_with_ttl("name3", "version1", std::chrono::seconds(1), true); - added_resources.Add()->CopyFrom(r1); - added_resources.Add()->CopyFrom(r2); - added_resources.Add()->CopyFrom(r3); - EXPECT_CALL(*ttl_timer_, enabled()); - EXPECT_CALL(*ttl_timer_, enableTimer(std::chrono::milliseconds(1000), _)); - deliverDiscoveryResponse(added_resources, {}, "sys_version1", "nonce1", {r1, r2, r3}); - } - - // Update 3 resources, the second is a heartbeat. Validate that only the other - // two are passed to onConfigUpdate. - { - Protobuf::RepeatedPtrField added_resources; - const auto r1 = create_resource_with_ttl("name1", "version2", std::chrono::seconds(1), true); - const auto r2 = create_resource_with_ttl("name2", "version1", std::chrono::seconds(1), false); - const auto r3 = create_resource_with_ttl("name3", "version2", std::chrono::seconds(1), true); - added_resources.Add()->CopyFrom(r1); - added_resources.Add()->CopyFrom(r2); - added_resources.Add()->CopyFrom(r3); - EXPECT_CALL(*ttl_timer_, enabled()); - deliverDiscoveryResponse(added_resources, {}, "sys_version2", "nonce2", {r1, r3}); - } - - // Update 3 resources, the first is a heartbeat. Validate that only the other - // two are passed to onConfigUpdate. - { - Protobuf::RepeatedPtrField added_resources; - const auto r1 = create_resource_with_ttl("name1", "version2", std::chrono::seconds(1), false); - const auto r2 = create_resource_with_ttl("name2", "version3", std::chrono::seconds(1), true); - const auto r3 = create_resource_with_ttl("name3", "version3", std::chrono::seconds(1), true); - added_resources.Add()->CopyFrom(r1); - added_resources.Add()->CopyFrom(r2); - added_resources.Add()->CopyFrom(r3); - EXPECT_CALL(*ttl_timer_, enabled()); - deliverDiscoveryResponse(added_resources, {}, "sys_version3", "nonce3", {r2, r3}); - } - - // Update 3 resources, the last is a heartbeat. Validate that only the other - // two are passed to onConfigUpdate. - { - Protobuf::RepeatedPtrField added_resources; - const auto r1 = create_resource_with_ttl("name1", "version4", std::chrono::seconds(1), true); - const auto r2 = create_resource_with_ttl("name2", "version4", std::chrono::seconds(1), true); - const auto r3 = create_resource_with_ttl("name3", "version3", std::chrono::seconds(1), false); - added_resources.Add()->CopyFrom(r1); - added_resources.Add()->CopyFrom(r2); - added_resources.Add()->CopyFrom(r3); - EXPECT_CALL(*ttl_timer_, enabled()); - deliverDiscoveryResponse(added_resources, {}, "sys_version4", "nonce4", {r1, r2}); - } -} - TEST_P(DeltaSubscriptionStateTest, TypeUrlMismatch) { envoy::service::discovery::v3::DeltaDiscoveryResponse message; From 057f5730c5505edcae832b5d4305988770520c24 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Tue, 12 Aug 2025 14:44:55 -0400 Subject: [PATCH 213/505] H/2 codec: remove unused dependencies (#40685) Risk Level: none Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/http/http2/BUILD | 2 +- source/common/http/http2/codec_impl.cc | 4 ---- source/common/http/http2/codec_impl.h | 5 +---- 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/source/common/http/http2/BUILD b/source/common/http/http2/BUILD index 34b9dadd3868f..b01b0f9d7235c 100644 --- a/source/common/http/http2/BUILD +++ b/source/common/http/http2/BUILD @@ -39,6 +39,7 @@ envoy_cc_library( "//envoy/http:codes_interface", "//envoy/http:header_map_interface", "//envoy/network:connection_interface", + "//envoy/server/overload:overload_manager_interface", "//envoy/stats:stats_interface", "//source/common/buffer:buffer_lib", "//source/common/buffer:watermark_buffer_lib", @@ -50,7 +51,6 @@ envoy_cc_library( "//source/common/common:utility_lib", "//source/common/http:codec_helper_lib", "//source/common/http:codes_lib", - "//source/common/http:exception_lib", "//source/common/http:header_map_lib", "//source/common/http:header_utility_lib", "//source/common/http:headers_lib", diff --git a/source/common/http/http2/codec_impl.cc b/source/common/http/http2/codec_impl.cc index a8fe96c790631..65841f3bd8c50 100644 --- a/source/common/http/http2/codec_impl.cc +++ b/source/common/http/http2/codec_impl.cc @@ -15,12 +15,9 @@ #include "source/common/common/cleanup.h" #include "source/common/common/dump_state_utils.h" #include "source/common/common/enum_to_int.h" -#include "source/common/common/fmt.h" -#include "source/common/common/safe_memcpy.h" #include "source/common/common/scope_tracker.h" #include "source/common/common/utility.h" #include "source/common/http/codes.h" -#include "source/common/http/exception.h" #include "source/common/http/header_utility.h" #include "source/common/http/headers.h" #include "source/common/http/http2/codec_stats.h" @@ -28,7 +25,6 @@ #include "source/common/runtime/runtime_features.h" #include "absl/cleanup/cleanup.h" -#include "absl/container/fixed_array.h" #include "quiche/common/quiche_endian.h" #include "quiche/http2/adapter/nghttp2_adapter.h" #include "quiche/http2/adapter/oghttp2_adapter.h" diff --git a/source/common/http/http2/codec_impl.h b/source/common/http/http2/codec_impl.h index 00a36b0af3746..ae0757576489d 100644 --- a/source/common/http/http2/codec_impl.h +++ b/source/common/http/http2/codec_impl.h @@ -15,14 +15,12 @@ #include "envoy/event/deferred_deletable.h" #include "envoy/http/codec.h" #include "envoy/network/connection.h" +#include "envoy/server/overload/overload_manager.h" #include "source/common/buffer/buffer_impl.h" -#include "source/common/buffer/watermark_buffer.h" #include "source/common/common/assert.h" #include "source/common/common/linked_object.h" #include "source/common/common/logger.h" -#include "source/common/common/statusor.h" -#include "source/common/common/thread.h" #include "source/common/http/codec_helper.h" #include "source/common/http/header_map_impl.h" #include "source/common/http/http2/codec_stats.h" @@ -30,7 +28,6 @@ #include "source/common/http/http2/metadata_encoder.h" #include "source/common/http/http2/protocol_constraints.h" #include "source/common/http/status.h" -#include "source/common/http/utility.h" #include "absl/types/optional.h" #include "absl/types/span.h" From 276f1a00b903615e4ac8ae18229d2a26d79bc945 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 12 Aug 2025 14:07:57 -0700 Subject: [PATCH 214/505] docs: removes 'experimental' from dynamic_modules.rst (#40688) Commit Message: docs: removes 'experimental' from dynamic_modules.rst Additional Description: The dynamic_modules feature is no longer "experimental" after two Envoy stable releases. It has started being used in production as well, so the word "experimental" is not appropriate. Otherwise, people might think that there might be a breaking change in API, etc as opposed to the fact that it won't happen. Risk Level: n/a Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Takeshi Yoneda --- docs/root/intro/arch_overview/advanced/dynamic_modules.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/root/intro/arch_overview/advanced/dynamic_modules.rst b/docs/root/intro/arch_overview/advanced/dynamic_modules.rst index 55d6a3aa487be..0d56fb54d6804 100644 --- a/docs/root/intro/arch_overview/advanced/dynamic_modules.rst +++ b/docs/root/intro/arch_overview/advanced/dynamic_modules.rst @@ -5,8 +5,7 @@ Dynamic modules .. attention:: - The dynamic modules feature is experimental and is currently under active development. - + The dynamic modules feature is currently under active development. Capabilities will be expanded over time and it still lacks some features that are available in other extension mechanisms. We are looking for feedback from the community to improve the feature. From 85e2494b39b4a41183c2c6bf99da1329ee1f7d5a Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 12 Aug 2025 18:00:10 -0400 Subject: [PATCH 215/505] test: removing a test code that is never executed (#40683) Commit Message: test: removing a test code that is never executed Additional Description: Removing the test `RouterShadowingTest/BufferingShadowWithClusterHeader` that is always skipped. This was introduced in #40659. Risk Level: low - tests only Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- test/common/router/router_test.cc | 56 ------------------------------- 1 file changed, 56 deletions(-) diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index 77993021778b1..3a1e2d07805e2 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -5076,62 +5076,6 @@ class RouterShadowingTest : public RouterTest, public testing::WithParamInterfac INSTANTIATE_TEST_SUITE_P(StreamingShadow, RouterShadowingTest, testing::Bool()); -TEST_P(RouterShadowingTest, BufferingShadowWithClusterHeader) { - // Always skip this test as streaming_shadow is now always enabled - GTEST_SKIP(); - ShadowPolicyPtr policy = makeShadowPolicy("", "some_header", "bar"); - callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); - ON_CALL(callbacks_, streamId()).WillByDefault(Return(43)); - - NiceMock encoder; - Http::ResponseDecoder* response_decoder = nullptr; - expectNewStreamWithImmediateEncoder(encoder, &response_decoder, Http::Protocol::Http10); - - EXPECT_CALL( - runtime_.snapshot_, - featureEnabled("bar", testing::Matcher(Percent(0)), - 43)) - .WillOnce(Return(true)); - - expectResponseTimerCreate(); - Http::TestRequestHeaderMapImpl headers; - HttpTestUtility::addDefaultHeaders(headers); - headers.addCopy("some_header", "some_cluster"); - - router_->decodeHeaders(headers, false); - - Buffer::InstancePtr body_data(new Buffer::OwnedImpl("hello")); - - EXPECT_CALL(callbacks_, addDecodedData(_, true)); - - EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, router_->decodeData(*body_data, false)); - - Http::TestRequestTrailerMapImpl trailers{{"some", "trailer"}}; - EXPECT_CALL(callbacks_, decodingBuffer()) - .Times(AtLeast(2)) - .WillRepeatedly(Return(body_data.get())); - EXPECT_CALL(*shadow_writer_, shadow_("some_cluster", _, _)) - .WillOnce(Invoke([](const std::string&, Http::RequestMessagePtr& request, - const Http::AsyncClient::RequestOptions& options) -> void { - EXPECT_NE(request->body().length(), 0); - EXPECT_NE(nullptr, request->trailers()); - EXPECT_EQ(absl::optional(10), options.timeout); - EXPECT_TRUE(options.sampled_.value()); - })); - - router_->decodeTrailers(trailers); - EXPECT_EQ(1U, - callbacks_.route_->virtual_host_->virtual_cluster_.stats().upstream_rq_total_.value()); - - EXPECT_CALL(cm_.thread_local_cluster_.conn_pool_.host_->outlier_detector_, - putResult(_, absl::optional(200))); - - Http::ResponseHeaderMapPtr response_headers( - new Http::TestResponseHeaderMapImpl{{":status", "200"}}); - response_decoder->decodeHeaders(std::move(response_headers), true); - EXPECT_TRUE(verifyHostUpstreamStats(1, 0)); -} - TEST_P(RouterShadowingTest, ShadowNoClusterHeaderInHeader) { ShadowPolicyPtr policy = makeShadowPolicy("", "some_header", "bar"); callbacks_.route_->route_entry_.shadow_policies_.push_back(policy); From 10b7a4cf4c8ef77f3d07fc15a00f6e1fd8ff0a19 Mon Sep 17 00:00:00 2001 From: Yuval Kohavi Date: Wed, 13 Aug 2025 13:29:05 -0400 Subject: [PATCH 216/505] bugfix: tls_inspector times out (#40544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a bug where the `tls_inspector` times out when used with the `http_inspector` and it gets a large client hello. Envoy was set up with both `http_inspector` and `tls_inspector` present. We noticed `tls_inspector` timing out when receiving a large client hello (>8 KB). Signed-off-by: Yuval Kohavi --- changelogs/current.yaml | 6 + .../listener/tls_inspector/tls_inspector.cc | 6 +- .../tls_inspector_integration_test.cc | 120 ++++++++++++++++++ 3 files changed, 129 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 91cf4acbf28d1..602f856725279 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -44,6 +44,12 @@ bug_fixes: Fixed a bug where access log gets skipped for HTTP/3 requests when the stream is half closed. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream`` to ``false``. +- area: listeners + change: | + Fixed issue where :ref:`TLS inspector listener filter ` timed out + when used with other listener filters. The bug was triggered when a previous listener filter processed more data + than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. + The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/filters/listener/tls_inspector/tls_inspector.cc b/source/extensions/filters/listener/tls_inspector/tls_inspector.cc index aac723a945a0f..31e2fbf71b3a0 100644 --- a/source/extensions/filters/listener/tls_inspector/tls_inspector.cc +++ b/source/extensions/filters/listener/tls_inspector/tls_inspector.cc @@ -194,15 +194,15 @@ ParseState Filter::parseClientHello(const void* data, size_t len, ParseState state = [this, ret]() { switch (SSL_get_error(ssl_.get(), ret)) { case SSL_ERROR_WANT_READ: - if (read_ == maxConfigReadBytes()) { + if (read_ >= maxConfigReadBytes()) { // We've hit the specified size limit. This is an unreasonably large ClientHello; // indicate failure. config_->stats().client_hello_too_large_.inc(); return ParseState::Error; } - if (read_ == requested_read_bytes_) { + if (read_ >= requested_read_bytes_) { // Double requested bytes up to the maximum configured. - requested_read_bytes_ = std::min(2 * requested_read_bytes_, maxConfigReadBytes()); + requested_read_bytes_ = std::min(2 * read_, maxConfigReadBytes()); } return ParseState::Continue; case SSL_ERROR_SSL: diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc index de46a2fc68346..2f0847685919b 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc @@ -22,6 +22,53 @@ namespace Envoy { namespace { +class LargeBufferListenerFilter : public Network::ListenerFilter { +public: + static constexpr int BUFFER_SIZE = 512; + // Network::ListenerFilter + Network::FilterStatus onAccept(Network::ListenerFilterCallbacks&) override { + ENVOY_LOG_MISC(debug, "LargeBufferListenerFilter::onAccept"); + return Network::FilterStatus::StopIteration; + } + + // this needs to be smaller than the client hello, but larger than tls inspector's initial read + // buffer size. + size_t maxReadBytes() const override { return BUFFER_SIZE; } + + Network::FilterStatus onData(Network::ListenerFilterBuffer& buffer) override { + auto raw_slice = buffer.rawSlice(); + ENVOY_LOG_MISC(debug, "LargeBufferListenerFilter::onData: recv: {}", raw_slice.len_); + return Network::FilterStatus::Continue; + } +}; + +class LargeBufferListenerFilterConfigFactory + : public Server::Configuration::NamedListenerFilterConfigFactory { +public: + // NamedListenerFilterConfigFactory + Network::ListenerFilterFactoryCb createListenerFilterFactoryFromProto( + const Protobuf::Message&, + const Network::ListenerFilterMatcherSharedPtr& listener_filter_matcher, + Server::Configuration::ListenerFactoryContext&) override { + return [listener_filter_matcher](Network::ListenerFilterManager& filter_manager) -> void { + filter_manager.addAcceptFilter(listener_filter_matcher, + std::make_unique()); + }; + } + + ProtobufTypes::MessagePtr createEmptyConfigProto() override { + return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + } + + std::string name() const override { + // This fake original_dest should be used only in integration test! + return "envoy.filters.listener.large_buffer"; + } +}; +static Registry::RegisterFactory + register_; + class TlsInspectorIntegrationTest : public testing::TestWithParam, public BaseIntegrationTest { public: @@ -96,6 +143,38 @@ class TlsInspectorIntegrationTest : public testing::TestWithParammutable_listeners(0) + ->mutable_listener_filters_timeout(); + timeout->MergeFrom(ProtobufUtil::TimeUtil::MillisecondsToDuration(1000)); + bootstrap.mutable_static_resources() + ->mutable_listeners(0) + ->set_continue_on_listener_filters_timeout(true); + }); + BaseIntegrationTest::initialize(); + + context_manager_ = std::make_unique( + server_factory_context_); + } + void setupConnections(bool listener_filter_disabled, bool expect_connection_open, bool ssl_client, const std::string& log_format = "%RESPONSE_CODE_DETAILS%", const Ssl::ClientSslTransportOptions& ssl_options = {}, @@ -284,6 +363,47 @@ TEST_P(TlsInspectorIntegrationTest, RequestedBufferSizeCanGrow) { 515); } +TEST_P(TlsInspectorIntegrationTest, RequestedBufferSizeCanStartBig) { + initializeWithTlsInspectorWithLargeBufferFilter(); + + Network::Address::InstanceConstSharedPtr address = + Ssl::getSslAddress(version_, lookupPort("echo")); + + Ssl::ClientSslTransportOptions ssl_options; + ssl_options.setCipherSuites({"ECDHE-RSA-AES128-GCM-SHA256"}); + ssl_options.setTlsVersion(envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); + const std::string really_long_sni(absl::StrCat(std::string(240, 'a'), ".foo.com")); + ssl_options.setSni(really_long_sni); + context_ = Ssl::createClientSslTransportSocketFactory(ssl_options, *context_manager_, *api_); + Network::TransportSocketPtr transport_socket = context_->createTransportSocket( + std::make_shared( + absl::string_view(""), std::vector(), std::vector{}), + nullptr); + + client_ = dispatcher_->createClientConnection(address, Network::Address::InstanceConstSharedPtr(), + std::move(transport_socket), nullptr, nullptr); + client_->addConnectionCallbacks(connect_callbacks_); + client_->connect(); + + while (!connect_callbacks_.connected() && !connect_callbacks_.closed()) { + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + } + + client_->close(Network::ConnectionCloseType::NoFlush); + + test_server_->waitUntilHistogramHasSamples("tls_inspector.bytes_processed"); + auto bytes_processed_histogram = test_server_->histogram("tls_inspector.bytes_processed"); + EXPECT_EQ( + TestUtility::readSampleCount(test_server_->server().dispatcher(), *bytes_processed_histogram), + 1); + auto bytes_processed = static_cast( + TestUtility::readSampleSum(test_server_->server().dispatcher(), *bytes_processed_histogram)); + EXPECT_EQ(bytes_processed, 515); + // Double check that the test is effective by ensuring that the + // LargeBufferListenerFilter::BUFFER_SIZE is smaller than the client hello. + EXPECT_GT(bytes_processed, LargeBufferListenerFilter::BUFFER_SIZE); +} + // This test verifies that `JA4` fingerprinting works with a malformed ClientHello that // should still be valid enough to extract a `JA4` hash TEST_P(TlsInspectorIntegrationTest, JA4FingerprintWithMalformedClientHello) { From f712ba46d00cb6df0da336a93510330a2ae4f558 Mon Sep 17 00:00:00 2001 From: Premnath Nenavath <76532344+premnathnenavath@users.noreply.github.com> Date: Thu, 14 Aug 2025 00:14:15 +0530 Subject: [PATCH 217/505] HTTP: Add request per connection tracking and metrics (#40266) Currently, Envoy lacks visibility into connection efficiency across HTTP protocols, making it difficult to detect cases where connections serve very few requests, leading to increased latency from repeated connection establishment. Existing metrics only provide broad averages between total requests and connections, obscuring distribution patterns and real-time fluctuations in connection reuse. This commit introduces universal per-connection request tracking that emits histogram metrics immediately when connections close, providing actionable insights into connection efficiency for all HTTP protocols and helping operators identify misconfigurations or excessive connection churn. Signed-off-by: premnath.nenavath --- changelogs/current.yaml | 3 + .../cluster_manager/cluster_stats.rst | 1 + envoy/upstream/upstream.h | 3 +- source/common/http/conn_pool_base.cc | 4 + source/common/http/conn_pool_base.h | 8 + test/common/http/http1/conn_pool_test.cc | 150 ++++++++++++++++++ test/common/http/http2/conn_pool_test.cc | 101 ++++++++++++ test/integration/protocol_integration_test.cc | 78 +++++++++ test/integration/stats_integration_test.cc | 3 +- 9 files changed, 349 insertions(+), 2 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 602f856725279..ca7373f725ce4 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -233,5 +233,8 @@ new_features: change: | Added a new Logging ABI that allows modules to emit logs in the standard Envoy logging stream under "dynamic_modules" ID. In the Rust SDK, they are available as ``envoy_log_info``, etc. +- area: http + change: | + Added ``upstream_rq_per_cx`` histogram to track requests per connection for monitoring connection reuse efficiency. deprecated: diff --git a/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst b/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst index 1a6426c522ed8..4303a5edd34b6 100644 --- a/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst +++ b/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst @@ -82,6 +82,7 @@ Every cluster has a statistics tree rooted at *cluster..* with the followi upstream_rq_pending_overflow, Counter, Total requests that overflowed connection pool or requests (mainly for HTTP/2 and above) circuit breaking and were failed upstream_rq_pending_failure_eject, Counter, Total requests that were failed due to a connection pool connection failure or remote connection termination upstream_rq_pending_active, Gauge, Total active requests pending a connection pool connection + upstream_rq_per_cx, Histogram, Number of requests handled per upstream connection for all HTTP protocols upstream_rq_cancelled, Counter, Total requests cancelled before obtaining a connection pool connection upstream_rq_maintenance_mode, Counter, Total requests that resulted in an immediate 503 due to :ref:`maintenance mode` upstream_rq_timeout, Counter, Total requests that timed out waiting for a response diff --git a/envoy/upstream/upstream.h b/envoy/upstream/upstream.h index 74ade9ff0d06b..380a70e900871 100644 --- a/envoy/upstream/upstream.h +++ b/envoy/upstream/upstream.h @@ -747,7 +747,8 @@ class PrioritySet { GAUGE(upstream_rq_active, Accumulate) \ GAUGE(upstream_rq_pending_active, Accumulate) \ HISTOGRAM(upstream_cx_connect_ms, Milliseconds) \ - HISTOGRAM(upstream_cx_length_ms, Milliseconds) + HISTOGRAM(upstream_cx_length_ms, Milliseconds) \ + HISTOGRAM(upstream_rq_per_cx, Unspecified) /** * All cluster load report stats. These are only use for EDS load reporting and not sent to the diff --git a/source/common/http/conn_pool_base.cc b/source/common/http/conn_pool_base.cc index 896c0596cff01..e3733f97e97dc 100644 --- a/source/common/http/conn_pool_base.cc +++ b/source/common/http/conn_pool_base.cc @@ -87,6 +87,10 @@ void HttpConnPoolImplBase::onPoolReady(Envoy::ConnectionPool::ActiveClient& clie auto& http_context = typedContext(context); Http::ResponseDecoder& response_decoder = *http_context.decoder_; Http::ConnectionPool::Callbacks& callbacks = *http_context.callbacks_; + + // Track this request on the connection + http_client->request_count_++; + Http::RequestEncoder& new_encoder = http_client->newStreamEncoder(response_decoder); callbacks.onPoolReady(new_encoder, client.real_host_description_, http_client->codec_client_->streamInfo(), diff --git a/source/common/http/conn_pool_base.h b/source/common/http/conn_pool_base.h index 5927d3f8a2644..4b0b0fd3674ea 100644 --- a/source/common/http/conn_pool_base.h +++ b/source/common/http/conn_pool_base.h @@ -140,6 +140,12 @@ class ActiveClient : public Envoy::ConnectionPool::ActiveClient { void close() override { codec_client_->close(); } virtual Http::RequestEncoder& newStreamEncoder(Http::ResponseDecoder& response_decoder) PURE; void onEvent(Network::ConnectionEvent event) override { + // Record request metrics only for successfully connected connections that handled requests + if ((event == Network::ConnectionEvent::LocalClose || + event == Network::ConnectionEvent::RemoteClose) && + hasHandshakeCompleted()) { + parent_.host()->cluster().trafficStats()->upstream_rq_per_cx_.recordValue(request_count_); + } parent_.onConnectionEvent(*this, codec_client_->connectionFailureReason(), event); } uint32_t numActiveStreams() const override { return codec_client_->numActiveRequests(); } @@ -147,6 +153,8 @@ class ActiveClient : public Envoy::ConnectionPool::ActiveClient { HttpConnPoolImplBase& parent() { return *static_cast(&parent_); } Http::CodecClientPtr codec_client_; + // Request tracking for HTTP protocols + uint32_t request_count_{0}; }; /* An implementation of Envoy::ConnectionPool::ConnPoolImplBase for HTTP/1 and HTTP/2 diff --git a/test/common/http/http1/conn_pool_test.cc b/test/common/http/http1/conn_pool_test.cc index c2ca33c446552..7f500aee6fe6f 100644 --- a/test/common/http/http1/conn_pool_test.cc +++ b/test/common/http/http1/conn_pool_test.cc @@ -285,6 +285,8 @@ TEST_F(Http1ConnPoolImplTest, VerifyTimingStats) { deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); EXPECT_CALL(cluster_->stats_store_, deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), _)); ActiveTestRequest r1(*this, 0, ActiveTestRequest::Type::CreateConnection); r1.startRequest(); @@ -518,6 +520,8 @@ TEST_F(Http1ConnPoolImplTest, MeasureConnectTime) { // Cleanup, cause the connections to go away. while (!conn_pool_->test_clients_.empty()) { + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), _)); EXPECT_CALL( cluster_->stats_store_, deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); @@ -1187,6 +1191,152 @@ TEST_F(Http1ConnPoolDestructImplTest, CbAfterConnPoolDestroyed) { dispatcher_.clearDeferredDeleteList(); } +// Verifies that the upstream_rq_per_cx histogram is emitted correctly. +TEST_F(Http1ConnPoolImplTest, RequestTrackingMetric) { + // Set up expectations for all histograms that will be emitted on connection close + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), 3)); + + // Create connection and make 3 requests to test request counting + ActiveTestRequest r1(*this, 0, ActiveTestRequest::Type::CreateConnection); + r1.startRequest(); + conn_pool_->expectEnableUpstreamReady(); + r1.completeResponse(false); // Keep connection alive + + // Second request on same connection (HTTP/1.1 keep-alive) + ActiveTestRequest r2(*this, 0, ActiveTestRequest::Type::Immediate); + r2.startRequest(); + conn_pool_->expectEnableUpstreamReady(); + r2.completeResponse(false); // Keep connection alive + + // Third request on same connection + ActiveTestRequest r3(*this, 0, ActiveTestRequest::Type::Immediate); + r3.startRequest(); + conn_pool_->expectEnableUpstreamReady(); + r3.completeResponse(false); + + // Explicitly close connection to trigger metrics + EXPECT_CALL(*conn_pool_, onClientDestroy()); + conn_pool_->expectAndRunUpstreamReady(); + conn_pool_->test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); +} + +// Verifies that the upstream_rq_per_cx histogram is emitted correctly for multiple connections. +TEST_F(Http1ConnPoolImplTest, RequestTrackingMultipleConnections) { + // Set up expectations for histograms from first connection + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), 2)); + + // Create first connection and handle 2 requests + ActiveTestRequest r1(*this, 0, ActiveTestRequest::Type::CreateConnection); + r1.startRequest(); + conn_pool_->expectEnableUpstreamReady(); + r1.completeResponse(false); // Keep connection alive + + ActiveTestRequest r2(*this, 0, ActiveTestRequest::Type::Immediate); + r2.startRequest(); + conn_pool_->expectEnableUpstreamReady(); + r2.completeResponse(false); // Keep connection alive + + // Close first connection + EXPECT_CALL(*conn_pool_, onClientDestroy()); + conn_pool_->expectAndRunUpstreamReady(); + conn_pool_->test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); + + // Set up expectations for histograms from second connection + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), 1)); + + // Create second connection and handle 1 request + ActiveTestRequest r3(*this, 0, ActiveTestRequest::Type::CreateConnection); + r3.startRequest(); + conn_pool_->expectEnableUpstreamReady(); + r3.completeResponse(false); + + // Close second connection + EXPECT_CALL(*conn_pool_, onClientDestroy()); + conn_pool_->expectAndRunUpstreamReady(); + conn_pool_->test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); +} + +// Test request tracking with single request per connection. +TEST_F(Http1ConnPoolImplTest, RequestTrackingSingleRequest) { + // Set up expectations for all histograms that will be emitted on connection close + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), 1)); + + // Create connection and send request + ActiveTestRequest r1(*this, 0, ActiveTestRequest::Type::CreateConnection); + r1.startRequest(); + + // Complete response but keep connection open + conn_pool_->expectEnableUpstreamReady(); + r1.completeResponse(false); + + // Explicitly close connection to trigger metrics + EXPECT_CALL(*conn_pool_, onClientDestroy()); + conn_pool_->expectAndRunUpstreamReady(); + conn_pool_->test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); +} + +// Test that upstream_rq_per_cx metric is NOT recorded for failed connections +TEST_F(Http1ConnPoolImplTest, RequestTrackingConnectionFailureNoMetric) { + // This test verifies that failed connections don't record our specific metric + // We'll allow other histograms but specifically check that upstream_rq_per_cx is never called + + // Allow any other histogram calls + EXPECT_CALL(cluster_->stats_store_, deliverHistogramToSinks(_, _)).Times(testing::AnyNumber()); + + // But specifically ensure upstream_rq_per_cx is NEVER called + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), _)) + .Times(0); + + InSequence s; + + // Request should kick off a new connection + NiceMock outer_decoder; + ConnPoolCallbacks callbacks; + conn_pool_->expectClientCreate(); + Http::ConnectionPool::Cancellable* handle = + conn_pool_->newStream(outer_decoder, callbacks, {false, true}); + EXPECT_NE(nullptr, handle); + + // Simulate connection failure before handshake completion + EXPECT_CALL(*conn_pool_->test_clients_[0].connect_timer_, disableTimer()); + EXPECT_CALL(callbacks.pool_failure_, ready()); + conn_pool_->test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + EXPECT_CALL(*conn_pool_, onClientDestroy()); + dispatcher_.clearDeferredDeleteList(); + + // Verify that the connection failure stats are incremented + EXPECT_EQ(1U, cluster_->traffic_stats_->upstream_cx_connect_fail_.value()); + EXPECT_EQ(1U, cluster_->traffic_stats_->upstream_rq_pending_failure_eject_.value()); + + // The key validation: our specific metric should never have been called + // (This is verified by the EXPECT_CALL with Times(0) above) +} + } // namespace } // namespace Http1 } // namespace Http diff --git a/test/common/http/http2/conn_pool_test.cc b/test/common/http/http2/conn_pool_test.cc index 1cb7a1c052f2c..7baa93963894e 100644 --- a/test/common/http/http2/conn_pool_test.cc +++ b/test/common/http/http2/conn_pool_test.cc @@ -970,6 +970,8 @@ TEST_F(Http2ConnPoolImplTest, VerifyConnectionTimingStats) { r1.inner_decoder_->decodeHeaders( ResponseHeaderMapPtr{new TestResponseHeaderMapImpl{{":status", "200"}}}, true); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), _)); EXPECT_CALL(cluster_->stats_store_, deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); @@ -1986,6 +1988,105 @@ TEST_F(InitialStreamsLimitTest, InitialStreamsLimitRespectMaxRequests) { EXPECT_EQ(100, ActiveClient::calculateInitialStreamsLimit(cache_, origin_, mock_host_)); } +// Verifies the upstream_rq_per_cx histogram correctly tracks multiple concurrent HTTP/2 streams on +// the same connection. +TEST_F(Http2ConnPoolImplTest, RequestTrackingMultipleStreams) { + // Allow multiple concurrent streams on a single connection + cluster_->http2_options_.mutable_max_concurrent_streams()->set_value(5); + + // Set up expectations for all histograms that will be emitted on connection close + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + // Use _ to capture any value and let the test show us what it actually is + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), _)); + + InSequence s; + + // Create first request - this will create a new connection + expectClientCreate(); + ActiveTestRequest r1(*this, 0, false); + expectClientConnect(0, r1); + + // Create second and third requests - these should reuse the same connection due to multiplexing + ActiveTestRequest r2(*this, 0, true); // expect_connected=true means reuse connection + ActiveTestRequest r3(*this, 0, true); // expect_connected=true means reuse connection + + // Complete all requests + completeRequest(r1); + completeRequest(r2); + completeRequest(r3); + + // Close the connection to trigger metrics emission + // Set expectation first, then raise the event + EXPECT_CALL(*this, onClientDestroy()); + test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); +} + +// Verify request tracking for HTTP/2 with 5 concurrent streams. +TEST_F(Http2ConnPoolImplTest, RequestTrackingFiveStreams) { + // Allow multiple concurrent streams on a single connection + cluster_->http2_options_.mutable_max_concurrent_streams()->set_value(10); + + // Set up expectations for all histograms that will be emitted on connection close + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_connect_ms"), _)); + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_cx_length_ms"), _)); + // Test with 5 requests to see if it correctly tracks all of them + EXPECT_CALL(cluster_->stats_store_, + deliverHistogramToSinks(Property(&Stats::Metric::name, "upstream_rq_per_cx"), 5)); + + InSequence s; + + // Create first request - this will create a new connection + expectClientCreate(); + ActiveTestRequest r1(*this, 0, false); + expectClientConnect(0, r1); + + // Create 4 more requests - these should reuse the same connection due to HTTP/2 multiplexing + ActiveTestRequest r2(*this, 0, true); + ActiveTestRequest r3(*this, 0, true); + ActiveTestRequest r4(*this, 0, true); + ActiveTestRequest r5(*this, 0, true); + + // Complete all requests + completeRequest(r1); + completeRequest(r2); + completeRequest(r3); + completeRequest(r4); + completeRequest(r5); + + // Close the connection to trigger metrics emission + EXPECT_CALL(*this, onClientDestroy()); + test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); +} + +// Test that failed connections don't record upstream_rq_per_cx metric +TEST_F(Http2ConnPoolImplTest, RequestTrackingConnectionFailureNoMetric) { + // Create a request that will trigger connection creation + expectClientCreate(); + ActiveTestRequest r(*this, 0, false); + + // DO NOT call expectClientConnect - let the connection fail before handshake completion + // This should not record any upstream_rq_per_cx metric due to hasHandshakeCompleted() check + + EXPECT_CALL(r.callbacks_.pool_failure_, ready()); + + // Close/fail the connection BEFORE it becomes ready (before handshake completion) + EXPECT_CALL(*this, onClientDestroy()); + test_clients_[0].connection_->raiseEvent(Network::ConnectionEvent::RemoteClose); + dispatcher_.clearDeferredDeleteList(); + + // Verify the connection failure was recorded + EXPECT_EQ(1U, cluster_->traffic_stats_->upstream_cx_destroy_.value()); + EXPECT_EQ(1U, cluster_->traffic_stats_->upstream_cx_destroy_remote_.value()); +} + } // namespace Http2 } // namespace Http } // namespace Envoy diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 4a31297da8e1b..2d36148c6496b 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -75,6 +75,84 @@ TEST_P(ProtocolIntegrationTest, ShutdownWithActiveConnPoolConnections) { checkSimpleRequestSuccess(0U, 0U, response.get()); } +// Test upstream_rq_per_cx metric tracks requests per connection +TEST_P(ProtocolIntegrationTest, UpstreamRequestsPerConnectionMetric) { + initialize(); + + codec_client_ = makeHttpConnection(lookupPort("http")); + + // Send 3 requests on the same connection + for (int i = 0; i < 3; ++i) { + auto response = + sendRequestAndWaitForResponse(default_request_headers_, 0, default_response_headers_, 0); + ASSERT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); + } + + // Use the proper cleanup pattern that triggers histogram recording + cleanupUpstreamAndDownstream(); + + // Wait for the histogram to actually have samples using the proper integration test pattern + test_server_->waitUntilHistogramHasSamples("cluster.cluster_0.upstream_rq_per_cx"); + + // Get the histogram and read values using the proper pattern + auto histogram = test_server_->histogram("cluster.cluster_0.upstream_rq_per_cx"); + + uint64_t sample_count = + TestUtility::readSampleCount(test_server_->server().dispatcher(), *histogram); + uint64_t sample_sum = TestUtility::readSampleSum(test_server_->server().dispatcher(), *histogram); + + // Should have 1 sample with value 3 (3 requests on 1 connection) + EXPECT_EQ(sample_count, 1); + EXPECT_EQ(sample_sum, 3); +} + +// Test that upstream_rq_per_cx metric is NOT recorded when handshake fails +TEST_P(ProtocolIntegrationTest, UpstreamRequestsPerConnectionMetricHandshakeFailure) { + // This test intentionally causes upstream connection failures, so bypass the upstream validation + testing_upstream_intentionally_ = true; + + // Configure upstream with invalid port to force connection failure before handshake completion + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + auto* cluster = bootstrap.mutable_static_resources()->mutable_clusters(0); + auto* lb_endpoint = + cluster->mutable_load_assignment()->mutable_endpoints(0)->mutable_lb_endpoints(0); + // Use port 1 which is invalid/inaccessible to force connection establishment failure + lb_endpoint->mutable_endpoint()->mutable_address()->mutable_socket_address()->set_port_value(1); + }); + config_helper_.skipPortUsageValidation(); + + initialize(); + + codec_client_ = makeHttpConnection(lookupPort("http")); + + // Send request that will fail due to upstream connection failure + auto response = codec_client_->makeHeaderOnlyRequest(default_request_headers_); + + // Wait for response (should fail with 503 Service Unavailable) + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_TRUE(response->complete()); + EXPECT_EQ("503", response->headers().getStatusValue()); + + // Clean up + codec_client_->close(); + + // Wait for connection failure to be recorded + test_server_->waitForCounterGe("cluster.cluster_0.upstream_cx_connect_fail", 1); + + // Verify that NO upstream_rq_per_cx histogram samples were recorded + // because hasHandshakeCompleted() returned false (connection never established) + auto histogram = test_server_->histogram("cluster.cluster_0.upstream_rq_per_cx"); + uint64_t sample_count = + TestUtility::readSampleCount(test_server_->server().dispatcher(), *histogram); + + // Key assertion: No histogram samples should be recorded for failed connections + EXPECT_EQ(sample_count, 0); + + // Also verify connection failure was recorded (proving connection attempt was made) + EXPECT_GE(test_server_->counter("cluster.cluster_0.upstream_cx_connect_fail")->value(), 1); +} + TEST_P(ProtocolIntegrationTest, LogicalDns) { if (use_universal_header_validator_) { // TODO(#27132): auto_host_rewrite is broken for IPv6 and is failing UHV validation diff --git a/test/integration/stats_integration_test.cc b/test/integration/stats_integration_test.cc index abae5c6bd24c7..e92e4d3357c11 100644 --- a/test/integration/stats_integration_test.cc +++ b/test/integration/stats_integration_test.cc @@ -400,6 +400,7 @@ TEST_P(ClusterMemoryTestRunner, MemoryLargeClusterSize) { // 2021/08/18 13176 40577 40700 Support slow start mode // 2022/03/14 42000 Fix test flakes // 2022/10/27 44000 Update tcmalloc + // 2025/07/28 40266 44299 44500 Add request_count_ field to ActiveClient // Note: when adjusting this value: EXPECT_MEMORY_EQ is active only in CI // 'release' builds, where we control the platform and tool-chain. So you @@ -420,7 +421,7 @@ TEST_P(ClusterMemoryTestRunner, MemoryLargeClusterSize) { // https://github.com/envoyproxy/envoy/issues/12209 // EXPECT_MEMORY_EQ(m_per_cluster, 37061); } - EXPECT_MEMORY_LE(m_per_cluster, 44000); // Round up to allow platform variations. + EXPECT_MEMORY_LE(m_per_cluster, 44500); // Round up to allow platform variations. } TEST_P(ClusterMemoryTestRunner, MemoryLargeHostSizeWithStats) { From 6d70d7c6f01f06ca13370bb67d06e5534d5948f4 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Wed, 13 Aug 2025 20:27:42 -0400 Subject: [PATCH 218/505] Replace @krajshiva with @tgschwen on security team (#40702) Due to Google internal team changes, Thomas will be taking over Kirti's duties on the security team. Risk Level: none Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- OWNERS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OWNERS.md b/OWNERS.md index 046cd810f1c0b..abeb94a3c31a1 100644 --- a/OWNERS.md +++ b/OWNERS.md @@ -87,7 +87,7 @@ without further review. * Boteng Yao ([botengyao](https://github.com/botengyao)) (boteng@google.com) * Kevin Baichoo ([KBaichoo](https://github.com/KBaichoo)) (envoy@kevinbaichoo.com) * Tianyu Xia ([tyxia](https://github.com/tyxia)) (tyxia@google.com) -* Kirtimaan Rajshiva ([krajshiva](https://github.com/krajshiva)) +* Thomas Gschwendtner ([tgschwen](https://github.com/tgschwen)) (tgschwen@google.com) * Yanjun Xiang ([yanjunxiang-google](https://github.com/yanjunxiang-google)) (yanjunxiang@google.com) * Raven Black ([ravenblackx](https://github.com/ravenblackx)) (ravenblack@dropbox.com) From ad978b6a0c21676f23f6279c18578f62d15cdd70 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Wed, 13 Aug 2025 20:28:59 -0400 Subject: [PATCH 219/505] Remove unused streaming_shadows_ variable (#40700) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/router/router.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/common/router/router.h b/source/common/router/router.h index b9df5f63faa94..11351a9256eab 100644 --- a/source/common/router/router.h +++ b/source/common/router/router.h @@ -311,7 +311,7 @@ class Filter : Logger::Loggable, Filter(const FilterConfigSharedPtr& config, FilterStats& stats) : config_(config), stats_(stats), grpc_request_(false), exclude_http_code_stats_(false), downstream_response_started_(false), downstream_end_stream_(false), is_retry_(false), - request_buffer_overflowed_(false), streaming_shadows_(true), + request_buffer_overflowed_(false), allow_multiplexed_upstream_half_close_(Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.allow_multiplexed_upstream_half_close")), upstream_request_started_(false), orca_load_report_received_(false) {} @@ -648,7 +648,6 @@ class Filter : Logger::Loggable, bool include_attempt_count_in_request_ : 1; bool include_timeout_retry_header_in_request_ : 1; bool request_buffer_overflowed_ : 1; - const bool streaming_shadows_ : 1; const bool allow_multiplexed_upstream_half_close_ : 1; bool upstream_request_started_ : 1; // Indicate that ORCA report is received to process it only once in either response headers or From b2a23f1f51b7fd868948757faa4268abcfa04459 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Wed, 13 Aug 2025 20:34:10 -0400 Subject: [PATCH 220/505] Add Dan Zhang as EM and QUIC maintainer (#40701) Risk Level: none Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- OWNERS.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/OWNERS.md b/OWNERS.md index abeb94a3c31a1..3eb8925a4df93 100644 --- a/OWNERS.md +++ b/OWNERS.md @@ -63,6 +63,8 @@ The following Envoy maintainers have final say over any changes only affecting / * xDS, C++ integration tests. * Fredy Wijaya ([fredyw](https://github.com/fredyw)) (fredyw@google.com) * Android, Java, Kotlin, JNI. +* Dan Zhang ([danzh2010](https://github.com/danzh2010)) (danzh@google.com) + * Envoy Mobile, QUIC, HTTP/3. # Senior extension maintainers From 36648b451f889441d5ef514d53f8d53eb2dc6e94 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 14 Aug 2025 09:45:11 +0800 Subject: [PATCH 221/505] should not terminate CONNECT (#40706) Commit Message: this seems to be a mistake in https://github.com/envoyproxy/envoy/pull/39748, should not terminate CONNECT here. Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: zirain --- configs/proxy_connect.yaml | 2 -- configs/proxy_connect_udp_http3_downstream.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/configs/proxy_connect.yaml b/configs/proxy_connect.yaml index 4393f764cb469..4db7ab459606b 100644 --- a/configs/proxy_connect.yaml +++ b/configs/proxy_connect.yaml @@ -34,8 +34,6 @@ static_resources: cluster: cluster_0 upgrade_configs: - upgrade_type: CONNECT - connect_config: - {} http_filters: - name: envoy.filters.http.router typed_config: diff --git a/configs/proxy_connect_udp_http3_downstream.yaml b/configs/proxy_connect_udp_http3_downstream.yaml index 8c3269defabe2..de0cca5a94b9f 100644 --- a/configs/proxy_connect_udp_http3_downstream.yaml +++ b/configs/proxy_connect_udp_http3_downstream.yaml @@ -44,8 +44,6 @@ static_resources: cluster: cluster_0 upgrade_configs: - upgrade_type: CONNECT-UDP - connect_config: - {} http_filters: - name: envoy.filters.http.router typed_config: From fd04459a1da564053a1a2ee64ce99be7729a72eb Mon Sep 17 00:00:00 2001 From: wang178c <74213015+wang178c@users.noreply.github.com> Date: Thu, 14 Aug 2025 00:53:13 -0400 Subject: [PATCH 222/505] Remove QUIC idle_network_timeout upper bound. (#40251) Commit Message: Remove QUIC idle_network_timeout upper bound. For a non-front-line proxy, a longer value can be useful. Risk Level: None --------- Signed-off-by: Haoyue Wang --- api/envoy/config/core/v3/protocol.proto | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto index a277316cf691f..a2169811d00f1 100644 --- a/api/envoy/config/core/v3/protocol.proto +++ b/api/envoy/config/core/v3/protocol.proto @@ -111,10 +111,9 @@ message QuicProtocolOptions { // default 600s will be applied. // For internal corporate network, a long timeout is often fine. // But for client facing network, 30s is usually a good choice. - google.protobuf.Duration idle_network_timeout = 8 [(validate.rules).duration = { - lte {seconds: 600} - gte {seconds: 1} - }]; + // Do not add an upper bound here. A long idle timeout is useful for maintaining warm connections at non-front-line proxy for low QPS services." + google.protobuf.Duration idle_network_timeout = 8 + [(validate.rules).duration = {gte {seconds: 1}}]; // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection. // If not specified, one of the `default values in QUICHE `_ is used. From a6aca78d0aca42c99b20a3773fedd17d30b8ddfb Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Thu, 14 Aug 2025 01:45:35 -0400 Subject: [PATCH 223/505] cleanup: const init of a variable in route_config_provider_manager (#40681) Commit Message: cleanup: const init of a variable in route_config_provider_manager Additional Description: Minor cleanup after #40660 - const init of a local variable. Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- source/common/rds/route_config_provider_manager.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/source/common/rds/route_config_provider_manager.h b/source/common/rds/route_config_provider_manager.h index 080f960948a72..9ff2c245b3d49 100644 --- a/source/common/rds/route_config_provider_manager.h +++ b/source/common/rds/route_config_provider_manager.h @@ -43,15 +43,13 @@ class RouteConfigProviderManager { uint64_t manager_identifier)> create_dynamic_provider) { - uint64_t manager_identifier; - // Normalize the config_source part of the passed config. Some parts of the config_source // do not affect selection of the RDS provider. They will be cleared (zeroed) and restored // after calculating hash. // Since rds is passed as const, the constness must be casted away before modifying rds. auto* orig_initial_timeout = const_cast(rds).mutable_config_source()->release_initial_fetch_timeout(); - manager_identifier = MessageUtil::hash(rds); + const uint64_t manager_identifier = MessageUtil::hash(rds); const_cast(rds).mutable_config_source()->set_allocated_initial_fetch_timeout( orig_initial_timeout); From 49c5c95df9cac2df93856f8af3269207ef017762 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 14 Aug 2025 14:25:49 +0200 Subject: [PATCH 224/505] h2m: add optional stats to header-to-metadata filter (#40464) --- .../v3/header_to_metadata.proto | 11 + changelogs/current.yaml | 7 +- .../header_to_metadata_filter.rst | 50 +++- .../filters/http/header_to_metadata/config.cc | 7 +- .../header_to_metadata_filter.cc | 97 ++++++- .../header_to_metadata_filter.h | 69 ++++- .../header_to_metadata_filter_test.cc | 252 +++++++++++++++++- 7 files changed, 464 insertions(+), 29 deletions(-) diff --git a/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto b/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto index e7bc0b858655e..662eefc4c84d7 100644 --- a/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto +++ b/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto @@ -138,4 +138,15 @@ message Config { // The list of rules to apply to responses. repeated Rule response_rules = 2; + + // Optional prefix to use when emitting filter statistics. When configured, + // statistics are emitted with the prefix ``http_filter_name.``. + // + // This emits statistics such as: + // + // - ``http_filter_name.my_header_converter.rules_processed`` + // - ``http_filter_name.my_header_converter.metadata_added`` + // + // If not configured, no statistics are emitted. + string stat_prefix = 3; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index ca7373f725ce4..25d3603fe0302 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -194,6 +194,12 @@ new_features: - area: dns_filter, redis_proxy and prefix_matcher_map change: | Switch to using Radix Tree instead of Trie for performance improvements. +- area: header_to_metadata + change: | + Added optional statistics collection for the Header-To-Metadata filter. When the :ref:`stat_prefix + ` field is configured, + the filter emits detailed counters for rule processing, metadata operations, etc. See + :ref:`Header-To-Metadata filter statistics ` for details. - area: load_reporting change: | Added support for endpoint-level load stats and metrics reporting. Locality load reports now include per @@ -228,7 +234,6 @@ new_features: Added ``route()`` to the Stream handle API, allowing Lua scripts to retrieve route information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access route metadata scoped to the specific filter name. See :ref:`Route object API ` for more details. - - area: dynamic_modules change: | Added a new Logging ABI that allows modules to emit logs in the standard Envoy logging stream under "dynamic_modules" ID. diff --git a/docs/root/configuration/http/http_filters/header_to_metadata_filter.rst b/docs/root/configuration/http/http_filters/header_to_metadata_filter.rst index 276780083d584..0119dd9926f34 100644 --- a/docs/root/configuration/http/http_filters/header_to_metadata_filter.rst +++ b/docs/root/configuration/http/http_filters/header_to_metadata_filter.rst @@ -20,6 +20,51 @@ A typical use case for this filter is to dynamically match requests with load ba subsets. For this, a given header's value would be extracted and attached to the request as dynamic metadata which would then be used to match a subset of endpoints. +Statistics +---------- + +The filter can optionally emit statistics when the :ref:`stat_prefix ` field is configured. + +.. code-block:: yaml + + http_filters: + - name: envoy.filters.http.header_to_metadata + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config + stat_prefix: header_converter + request_rules: + - header: x-version + on_header_present: + metadata_namespace: envoy.lb + key: version + type: STRING + +This configuration would emit statistics such as: + +- ``http_filter_name.header_converter.request_rules_processed`` +- ``http_filter_name.header_converter.request_metadata_added`` +- ``http_filter_name.header_converter.response_rules_processed`` +- ``http_filter_name.header_converter.response_metadata_added`` +- ``http_filter_name.header_converter.request_header_not_found`` + +When ``stat_prefix`` is not configured, no statistics are emitted. + +These statistics are rooted at *http_filter_name.* with the following counters: + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + request_rules_processed, Counter, Total number of request rules processed + response_rules_processed, Counter, Total number of response rules processed + request_metadata_added, Counter, Total number of metadata entries successfully added from request headers + response_metadata_added, Counter, Total number of metadata entries successfully added from response headers + request_header_not_found, Counter, Total number of times expected request headers were missing + response_header_not_found, Counter, Total number of times expected response headers were missing + base64_decode_failed, Counter, Total number of times Base64 decoding failed + header_value_too_long, Counter, Total number of times header values exceeded the maximum length + regex_substitution_failed, Counter, Total number of times regex substitution resulted in empty values + Example ------- @@ -78,8 +123,3 @@ Note that this filter also supports per route configuration: This can be used to either override the global configuration or if the global configuration is empty (no rules), it can be used to only enable the filter at a per route level. - -Statistics ----------- - -Currently, this filter generates no statistics. diff --git a/source/extensions/filters/http/header_to_metadata/config.cc b/source/extensions/filters/http/header_to_metadata/config.cc index 3cf74a3115bea..7c49a73e2a8d4 100644 --- a/source/extensions/filters/http/header_to_metadata/config.cc +++ b/source/extensions/filters/http/header_to_metadata/config.cc @@ -17,8 +17,8 @@ namespace HeaderToMetadataFilter { absl::StatusOr HeaderToMetadataConfig::createFilterFactoryFromProtoTyped( const envoy::extensions::filters::http::header_to_metadata::v3::Config& proto_config, const std::string&, Server::Configuration::FactoryContext& context) { - absl::StatusOr filter_config_or = - Config::create(proto_config, context.serverFactoryContext().regexEngine(), false); + absl::StatusOr filter_config_or = Config::create( + proto_config, context.serverFactoryContext().regexEngine(), context.scope(), false); RETURN_IF_ERROR(filter_config_or.status()); return [filter_config = std::move(filter_config_or.value())]( @@ -32,7 +32,8 @@ absl::StatusOr HeaderToMetadataConfig::createRouteSpecificFilterConfigTyped( const envoy::extensions::filters::http::header_to_metadata::v3::Config& config, Server::Configuration::ServerFactoryContext& context, ProtobufMessage::ValidationVisitor&) { - absl::StatusOr config_or = Config::create(config, context.regexEngine(), true); + absl::StatusOr config_or = + Config::create(config, context.regexEngine(), context.scope(), true); RETURN_IF_ERROR(config_or.status()); return std::move(config_or.value()); } diff --git a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc index 405aa54a9fe32..041dc18e65516 100644 --- a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc +++ b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc @@ -111,15 +111,16 @@ Rule::Rule(const ProtoRule& rule, Regex::Engine& regex_engine, absl::Status& cre absl::StatusOr Config::create(const envoy::extensions::filters::http::header_to_metadata::v3::Config& config, - Regex::Engine& regex_engine, bool per_route) { + Regex::Engine& regex_engine, Stats::Scope& scope, bool per_route) { absl::Status creation_status = absl::OkStatus(); - auto cfg = ConfigSharedPtr(new Config(config, regex_engine, per_route, creation_status)); + auto cfg = ConfigSharedPtr(new Config(config, regex_engine, scope, per_route, creation_status)); RETURN_IF_NOT_OK_REF(creation_status); return cfg; } Config::Config(const envoy::extensions::filters::http::header_to_metadata::v3::Config config, - Regex::Engine& regex_engine, const bool per_route, absl::Status& creation_status) { + Regex::Engine& regex_engine, Stats::Scope& scope, const bool per_route, + absl::Status& creation_status) { absl::StatusOr request_set_or = Config::configToVector(config.request_rules(), request_rules_, regex_engine); SET_AND_RETURN_IF_NOT_OK(request_set_or.status(), creation_status); @@ -130,6 +131,11 @@ Config::Config(const envoy::extensions::filters::http::header_to_metadata::v3::C SET_AND_RETURN_IF_NOT_OK(response_set_or.status(), creation_status); response_set_ = response_set_or.value(); + // Generate stats only if stat_prefix is configured (opt-in behavior). + if (!config.stat_prefix().empty()) { + stats_.emplace(generateStats(config.stat_prefix(), scope)); + } + // Note: empty configs are fine for the global config, which would be the case for enabling // the filter globally without rules and then applying them at the virtual host or // route level. At the virtual or route level, it makes no sense to have an empty @@ -158,6 +164,51 @@ absl::StatusOr Config::configToVector(const ProtobufRepeatedRule& proto_ru return true; } +HeaderToMetadataFilterStats Config::generateStats(const std::string& stat_prefix, + Stats::Scope& scope) { + const std::string final_prefix = fmt::format("http_filter_name.{}", stat_prefix); + return {ALL_HEADER_TO_METADATA_FILTER_STATS(POOL_COUNTER_PREFIX(scope, final_prefix))}; +} + +void Config::chargeStat(StatsEvent event, HeaderDirection direction) const { + if (!stats_.has_value()) { + return; + } + + switch (event) { + case StatsEvent::RulesProcessed: + if (direction == HeaderDirection::Request) { + stats_->request_rules_processed_.inc(); + } else { + stats_->response_rules_processed_.inc(); + } + break; + case StatsEvent::MetadataAdded: + if (direction == HeaderDirection::Request) { + stats_->request_metadata_added_.inc(); + } else { + stats_->response_metadata_added_.inc(); + } + break; + case StatsEvent::HeaderNotFound: + if (direction == HeaderDirection::Request) { + stats_->request_header_not_found_.inc(); + } else { + stats_->response_header_not_found_.inc(); + } + break; + case StatsEvent::Base64DecodeFailed: + stats_->base64_decode_failed_.inc(); + break; + case StatsEvent::HeaderValueTooLong: + stats_->header_value_too_long_.inc(); + break; + case StatsEvent::RegexSubstitutionFailed: + stats_->regex_substitution_failed_.inc(); + break; + } +} + HeaderToMetadataFilter::HeaderToMetadataFilter(const ConfigSharedPtr config) : config_(config) {} HeaderToMetadataFilter::~HeaderToMetadataFilter() = default; @@ -166,7 +217,8 @@ Http::FilterHeadersStatus HeaderToMetadataFilter::decodeHeaders(Http::RequestHea bool) { const auto* config = getConfig(); if (config->doRequest()) { - writeHeaderToMetadata(headers, config->requestRules(), *decoder_callbacks_); + writeHeaderToMetadata(headers, config->requestRules(), *decoder_callbacks_, + HeaderDirection::Request); } return Http::FilterHeadersStatus::Continue; @@ -181,7 +233,8 @@ Http::FilterHeadersStatus HeaderToMetadataFilter::encodeHeaders(Http::ResponseHe bool) { const auto* config = getConfig(); if (config->doResponse()) { - writeHeaderToMetadata(headers, config->responseRules(), *encoder_callbacks_); + writeHeaderToMetadata(headers, config->responseRules(), *encoder_callbacks_, + HeaderDirection::Response); } return Http::FilterHeadersStatus::Continue; } @@ -193,14 +246,16 @@ void HeaderToMetadataFilter::setEncoderFilterCallbacks( bool HeaderToMetadataFilter::addMetadata(StructMap& struct_map, const std::string& meta_namespace, const std::string& key, std::string value, ValueType type, - ValueEncode encode) const { + ValueEncode encode, HeaderDirection direction) const { ProtobufWkt::Value val; + const auto* config = getConfig(); ASSERT(!value.empty()); if (value.size() >= MAX_HEADER_VALUE_LEN) { // Too long, go away. ENVOY_LOG(debug, "metadata value is too long"); + config->chargeStat(StatsEvent::HeaderValueTooLong, direction); return false; } @@ -208,6 +263,7 @@ bool HeaderToMetadataFilter::addMetadata(StructMap& struct_map, const std::strin value = Base64::decodeWithoutPadding(value); if (value.empty()) { ENVOY_LOG(debug, "Base64 decode failed"); + config->chargeStat(StatsEvent::Base64DecodeFailed, direction); return false; } } @@ -240,6 +296,9 @@ bool HeaderToMetadataFilter::addMetadata(StructMap& struct_map, const std::strin auto& keyval = struct_map[meta_namespace]; (*keyval.mutable_fields())[key] = std::move(val); + // Increment metadata_added stat if stats are enabled. + config->chargeStat(StatsEvent::MetadataAdded, direction); + return true; } @@ -249,18 +308,27 @@ const std::string& HeaderToMetadataFilter::decideNamespace(const std::string& ns // add metadata['key']= value depending on header present or missing case void HeaderToMetadataFilter::applyKeyValue(std::string&& value, const Rule& rule, - const KeyValuePair& keyval, StructMap& np) { + const KeyValuePair& keyval, StructMap& np, + HeaderDirection direction) { + const auto* config = getConfig(); + if (!keyval.value().empty()) { value = keyval.value(); } else { const auto& matcher = rule.regexRewrite(); if (matcher != nullptr) { + const bool was_non_empty = !value.empty(); value = matcher->replaceAll(value, rule.regexSubstitution()); + // If we had a non-empty input but got an empty result from regex, it could indicate a + // failure. + if (was_non_empty && value.empty()) { + config->chargeStat(StatsEvent::RegexSubstitutionFailed, direction); + } } } if (!value.empty()) { const auto& nspace = decideNamespace(keyval.metadata_namespace()); - addMetadata(np, nspace, keyval.key(), value, keyval.type(), keyval.encode()); + addMetadata(np, nspace, keyval.key(), value, keyval.type(), keyval.encode(), direction); } else { ENVOY_LOG(debug, "value is empty, not adding metadata"); } @@ -268,19 +336,26 @@ void HeaderToMetadataFilter::applyKeyValue(std::string&& value, const Rule& rule void HeaderToMetadataFilter::writeHeaderToMetadata(Http::HeaderMap& headers, const HeaderToMetadataRules& rules, - Http::StreamFilterCallbacks& callbacks) { + Http::StreamFilterCallbacks& callbacks, + HeaderDirection direction) { StructMap structs_by_namespace; + const auto* config = getConfig(); for (const auto& rule : rules) { const auto& proto_rule = rule.rule(); absl::optional value = rule.selector_->extract(headers); + // Increment rules_processed stat if stats are enabled. + config->chargeStat(StatsEvent::RulesProcessed, direction); + if (value && proto_rule.has_on_header_present()) { applyKeyValue(std::move(value).value_or(""), rule, proto_rule.on_header_present(), - structs_by_namespace); + structs_by_namespace, direction); } else if (!value && proto_rule.has_on_header_missing()) { + // Increment header_not_found stat if stats are enabled. + config->chargeStat(StatsEvent::HeaderNotFound, direction); applyKeyValue(std::move(value).value_or(""), rule, proto_rule.on_header_missing(), - structs_by_namespace); + structs_by_namespace, direction); } } // Any matching rules? diff --git a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h index ef5db118f1e99..b9eba7aed8c65 100644 --- a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h +++ b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h @@ -17,11 +17,49 @@ namespace Extensions { namespace HttpFilters { namespace HeaderToMetadataFilter { +/** + * All stats for the Header-To-Metadata filter. @see stats_macros.h + */ +#define ALL_HEADER_TO_METADATA_FILTER_STATS(COUNTER) \ + COUNTER(request_rules_processed) \ + COUNTER(response_rules_processed) \ + COUNTER(request_metadata_added) \ + COUNTER(response_metadata_added) \ + COUNTER(request_header_not_found) \ + COUNTER(response_header_not_found) \ + COUNTER(base64_decode_failed) \ + COUNTER(header_value_too_long) \ + COUNTER(regex_substitution_failed) + +/** + * Wrapper struct for header-to-metadata filter stats. @see stats_macros.h + */ +struct HeaderToMetadataFilterStats { + ALL_HEADER_TO_METADATA_FILTER_STATS(GENERATE_COUNTER_STRUCT) +}; + using ProtoRule = envoy::extensions::filters::http::header_to_metadata::v3::Config::Rule; using ValueType = envoy::extensions::filters::http::header_to_metadata::v3::Config::ValueType; using ValueEncode = envoy::extensions::filters::http::header_to_metadata::v3::Config::ValueEncode; using KeyValuePair = envoy::extensions::filters::http::header_to_metadata::v3::Config::KeyValuePair; +/** + * Enum to distinguish between request and response processing for stats collection. + */ +enum class HeaderDirection { Request, Response }; + +/** + * Enum of all discrete events for which the filter records statistics. + */ +enum class StatsEvent { + RulesProcessed, + MetadataAdded, + HeaderNotFound, + Base64DecodeFailed, + HeaderValueTooLong, + RegexSubstitutionFailed, +}; + // Interface for getting values from a cookie or a header. class ValueSelector { public: @@ -98,18 +136,26 @@ class Config : public ::Envoy::Router::RouteSpecificFilterConfig, public: static absl::StatusOr> create(const envoy::extensions::filters::http::header_to_metadata::v3::Config& config, - Regex::Engine& regex_engine, bool per_route = false); + Regex::Engine& regex_engine, Stats::Scope& scope, bool per_route = false); const HeaderToMetadataRules& requestRules() const { return request_rules_; } const HeaderToMetadataRules& responseRules() const { return response_rules_; } bool doResponse() const { return response_set_; } bool doRequest() const { return request_set_; } + const absl::optional& stats() const { return stats_; } + + /** + * Increment the appropriate statistic for the given event and traffic direction. + * No-op if statistics were not configured. + */ + void chargeStat(StatsEvent event, HeaderDirection direction) const; private: using ProtobufRepeatedRule = Protobuf::RepeatedPtrField; Config(const envoy::extensions::filters::http::header_to_metadata::v3::Config config, - Regex::Engine& regex_engine, bool per_route, absl::Status& creation_status); + Regex::Engine& regex_engine, Stats::Scope& scope, bool per_route, + absl::Status& creation_status); /** * configToVector is a helper function for converting from configuration (protobuf types) into @@ -125,12 +171,23 @@ class Config : public ::Envoy::Router::RouteSpecificFilterConfig, static absl::StatusOr configToVector(const ProtobufRepeatedRule&, HeaderToMetadataRules&, Regex::Engine&); + /** + * Generate stats for the header-to-metadata filter. + * @param stat_prefix the prefix to use for stats. + * @param scope the stats scope. + * @return HeaderToMetadataFilterStats the generated stats. + */ + static HeaderToMetadataFilterStats generateStats(const std::string& stat_prefix, + Stats::Scope& scope); + const std::string& decideNamespace(const std::string& nspace) const; HeaderToMetadataRules request_rules_; HeaderToMetadataRules response_rules_; bool response_set_; bool request_set_; + // Mutable to allow stats charging from const contexts. + mutable absl::optional stats_; }; using ConfigSharedPtr = std::shared_ptr; @@ -193,12 +250,14 @@ class HeaderToMetadataFilter : public Http::StreamFilter, * @param rules the header-to-metadata mapping set in configuration. * @param callbacks the callback used to fetch the StreamInfo (which is then used to get * metadata). Callable with both encoder_callbacks_ and decoder_callbacks_. + * @param direction whether processing request or response headers for stats collection. */ void writeHeaderToMetadata(Http::HeaderMap& headers, const HeaderToMetadataRules& rules, - Http::StreamFilterCallbacks& callbacks); + Http::StreamFilterCallbacks& callbacks, HeaderDirection direction); bool addMetadata(StructMap&, const std::string&, const std::string&, std::string, ValueType, - ValueEncode) const; - void applyKeyValue(std::string&&, const Rule&, const KeyValuePair&, StructMap&); + ValueEncode, HeaderDirection direction) const; + void applyKeyValue(std::string&&, const Rule&, const KeyValuePair&, StructMap&, + HeaderDirection direction); const std::string& decideNamespace(const std::string& nspace) const; const Config* getConfig() const; }; diff --git a/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc b/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc index 10890d6eb071a..2d614c1820ffc 100644 --- a/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc +++ b/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc @@ -9,9 +9,11 @@ #include "source/extensions/filters/http/well_known_names.h" #include "test/mocks/http/mocks.h" +#include "test/mocks/stats/mocks.h" #include "test/mocks/stream_info/mocks.h" #include "test/test_common/utility.h" +#include "absl/container/flat_hash_map.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -73,7 +75,8 @@ class HeaderToMetadataTest : public testing::Test { absl::Status initializeFilter(const std::string& yaml) { envoy::extensions::filters::http::header_to_metadata::v3::Config config; TestUtility::loadFromYaml(yaml, config); - absl::StatusOr config_or = Config::create(config, regex_engine_); + absl::StatusOr config_or = + Config::create(config, regex_engine_, *stats_.rootScope()); RETURN_IF_NOT_OK_REF(config_or.status()); config_ = std::move(*config_or); filter_ = std::make_shared(config_); @@ -82,9 +85,15 @@ class HeaderToMetadataTest : public testing::Test { return absl::OkStatus(); } + uint64_t findCounter(const std::string& name) { + const auto counter = TestUtility::findCounter(stats_, name); + return counter != nullptr ? counter->value() : 0; + } + const Config* getConfig() { return filter_->getConfig(); } Regex::GoogleReEngine regex_engine_; + Stats::IsolatedStoreImpl stats_; ConfigSharedPtr config_; std::shared_ptr filter_; NiceMock decoder_callbacks_; @@ -139,7 +148,8 @@ TEST_F(HeaderToMetadataTest, PerRouteOverride) { // Setup per route config. envoy::extensions::filters::http::header_to_metadata::v3::Config config_proto; TestUtility::loadFromYaml(request_config_yaml, config_proto); - ConfigSharedPtr per_route_config = *Config::create(config_proto, regex_engine_, true); + ConfigSharedPtr per_route_config = + *Config::create(config_proto, regex_engine_, *stats_.rootScope(), true); EXPECT_CALL(*decoder_callbacks_.route_, mostSpecificPerFilterConfig(_)) .WillOnce(Return(per_route_config.get())); @@ -164,7 +174,8 @@ TEST_F(HeaderToMetadataTest, ConfigIsCached) { // Setup per route config. envoy::extensions::filters::http::header_to_metadata::v3::Config config_proto; TestUtility::loadFromYaml(request_config_yaml, config_proto); - ConfigSharedPtr per_route_config = *Config::create(config_proto, regex_engine_, true); + ConfigSharedPtr per_route_config = + *Config::create(config_proto, regex_engine_, *stats_.rootScope(), true); EXPECT_CALL(*decoder_callbacks_.route_, mostSpecificPerFilterConfig(_)) .WillOnce(Return(per_route_config.get())); @@ -475,7 +486,7 @@ TEST_F(HeaderToMetadataTest, PerRouteEmtpyRules) { envoy::extensions::filters::http::header_to_metadata::v3::Config config_proto; auto expected = "header_to_metadata_filter: Per filter configs must at " "least specify either request or response rules"; - auto create_or = Config::create(config_proto, regex_engine_, true); + auto create_or = Config::create(config_proto, regex_engine_, *stats_.rootScope(), true); EXPECT_FALSE(create_or.ok()); EXPECT_EQ(create_or.status().message(), expected); } @@ -792,6 +803,239 @@ TEST_F(HeaderToMetadataTest, CookieRegexSubstitution) { } } +/** + * Test that stats are not collected when stat_prefix is not configured. + */ +TEST_F(HeaderToMetadataTest, NoStatsWithoutPrefix) { + const std::string config_yaml = R"EOF( +request_rules: + - header: x-version + on_header_present: + metadata_namespace: envoy.lb + key: version + type: STRING +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + EXPECT_FALSE(getConfig()->stats().has_value()); +} + +/** + * Test that stats are collected when stat_prefix is configured. + */ +TEST_F(HeaderToMetadataTest, StatsCollectedWithPrefix) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +request_rules: + - header: x-version + on_header_present: + metadata_namespace: envoy.lb + key: version + type: STRING +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + EXPECT_TRUE(getConfig()->stats().has_value()); +} + +/** + * Test that rules_processed and metadata_added stats are incremented correctly. + */ +TEST_F(HeaderToMetadataTest, StatsRulesProcessedAndMetadataAdded) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +request_rules: + - header: x-version + on_header_present: + metadata_namespace: envoy.lb + key: version + type: STRING + - header: x-custom + on_header_present: + metadata_namespace: envoy.lb + key: custom + type: STRING +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + + Http::TestRequestHeaderMapImpl headers{{"x-version", "1.0"}, {"x-custom", "test"}}; + absl::flat_hash_map expected = {{"version", "1.0"}, {"custom", "test"}}; + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(testing::ReturnRef(req_info_)); + EXPECT_CALL(req_info_, setDynamicMetadata("envoy.lb", MapEq(expected))); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); + + // Verify stats were collected correctly. + EXPECT_EQ(2U, findCounter("http_filter_name.test_prefix.request_rules_processed")); + EXPECT_EQ(2U, findCounter("http_filter_name.test_prefix.request_metadata_added")); + EXPECT_EQ(0U, findCounter("http_filter_name.test_prefix.response_rules_processed")); + EXPECT_EQ(0U, findCounter("http_filter_name.test_prefix.response_metadata_added")); +} + +/** + * Test that header_not_found stat is incremented when header is missing. + */ +TEST_F(HeaderToMetadataTest, StatsHeaderNotFound) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +request_rules: + - header: x-missing + on_header_missing: + metadata_namespace: envoy.lb + key: default + value: 'missing' + type: STRING +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + + Http::TestRequestHeaderMapImpl headers{}; // No headers present. + absl::flat_hash_map expected = {{"default", "missing"}}; + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(testing::ReturnRef(req_info_)); + EXPECT_CALL(req_info_, setDynamicMetadata("envoy.lb", MapEq(expected))); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); + + // Verify stats were collected correctly. + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.request_rules_processed")); + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.request_header_not_found")); + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.request_metadata_added")); +} + +/** + * Test that value_too_long stat is incremented when header value exceeds limit. + */ +TEST_F(HeaderToMetadataTest, StatsValueTooLong) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +request_rules: + - header: x-long + on_header_present: + metadata_namespace: envoy.lb + key: long_value + type: STRING +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + + // Create a header value that exceeds MAX_HEADER_VALUE_LEN (8KB). + std::string long_value(9000, 'a'); + Http::TestRequestHeaderMapImpl headers{{"x-long", long_value}}; + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(testing::ReturnRef(req_info_)); + // No metadata should be set due to value being too long. + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); + + // Verify stats were collected correctly. + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.request_rules_processed")); + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.header_value_too_long")); + EXPECT_EQ( + 0U, findCounter("http_filter_name.test_prefix.request_metadata_added")); // No metadata added. +} + +/** + * Test that value_decode_failed stat is incremented when Base64 decode fails. + */ +TEST_F(HeaderToMetadataTest, StatsValueDecodeFailed) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +request_rules: + - header: x-encoded + on_header_present: + metadata_namespace: envoy.lb + key: decoded_value + type: STRING + encode: BASE64 +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + + // Invalid Base64 string. + Http::TestRequestHeaderMapImpl headers{{"x-encoded", "invalid_base64!@#$"}}; + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(testing::ReturnRef(req_info_)); + // No metadata should be set due to decode failure. + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); + + // Verify stats were collected correctly. + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.request_rules_processed")); + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.base64_decode_failed")); + EXPECT_EQ( + 0U, findCounter("http_filter_name.test_prefix.request_metadata_added")); // No metadata added. +} + +/** + * Test response rule processing and stats. + */ +TEST_F(HeaderToMetadataTest, StatsResponseRules) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +response_rules: + - header: x-response-header + on_header_present: + metadata_namespace: envoy.lb + key: response_value + type: STRING +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + + Http::TestResponseHeaderMapImpl headers{{"x-response-header", "response_data"}}; + absl::flat_hash_map expected = {{"response_value", "response_data"}}; + + EXPECT_CALL(encoder_callbacks_, streamInfo()).WillRepeatedly(testing::ReturnRef(req_info_)); + EXPECT_CALL(req_info_, setDynamicMetadata("envoy.lb", MapEq(expected))); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(headers, false)); + + // Verify stats were collected correctly. + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.response_rules_processed")); + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.response_metadata_added")); + EXPECT_EQ(0U, findCounter("http_filter_name.test_prefix.request_rules_processed")); + EXPECT_EQ(0U, findCounter("http_filter_name.test_prefix.request_metadata_added")); +} + +/** + * Test that regex_substitution_failed stat is incremented when regex results in empty value. + */ +TEST_F(HeaderToMetadataTest, StatsRegexSubstitutionFailed) { + const std::string config_yaml = R"EOF( +stat_prefix: test_prefix +request_rules: + - header: x-test + on_header_present: + metadata_namespace: envoy.lb + key: transformed_value + type: STRING + regex_value_rewrite: + pattern: + google_re2: {} + regex: "^([a-z]+)$" + substitution: "" +)EOF"; + + EXPECT_TRUE(initializeFilter(config_yaml).ok()); + + // Header value that matches pattern but substitution results in empty string. + Http::TestRequestHeaderMapImpl headers{{"x-test", "validinput"}}; + + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(testing::ReturnRef(req_info_)); + // No metadata should be set due to empty substitution result. + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false)); + + // Verify stats were collected correctly. + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.request_rules_processed")); + EXPECT_EQ(1U, findCounter("http_filter_name.test_prefix.regex_substitution_failed")); + EXPECT_EQ( + 0U, findCounter("http_filter_name.test_prefix.request_metadata_added")); // No metadata added. +} + } // namespace HeaderToMetadataFilter } // namespace HttpFilters } // namespace Extensions From 150411af676af070dca4c6d60ec37e57d4fc672d Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Thu, 14 Aug 2025 12:36:11 -0400 Subject: [PATCH 225/505] mobile/ci: Temporarily disable running the iOS simulator (#40715) CI is currently broken, as the `Mobile/iOS` and `Mobile/Release Validation` jobs are failing while trying to start the iOS Simulator 18.1: ``` INFO: Streaming build results to: https://envoy.cluster.engflow.com/invocation/e45b583d-15a6-431a-83f9-32b8b2e73dbb 2025-08-13 21:16:13.962 INFO Creating simulator, device=iPhone 16 Pro Max, version=18.1 Invalid runtime: com.apple.CoreSimulator.SimRuntime.iOS-18-1 2025-08-13 21:16:21.214 ERROR ['/Applications/Xcode_16.1.app/Contents/Developer/usr/bin/simctl', 'create', 'TestDevice', 'iPhone 16 Pro Max', 'com.apple.CoreSimulator.SimRuntime.iOS-18-1'] exited with error code 145 ``` CI is still building the iOS binary so we aren't losing too much build coverage. --------- Signed-off-by: Ali Beyad --- .github/workflows/mobile-ios_build.yml | 92 +++++++++---------- .../workflows/mobile-release_validation.yml | 84 ++++++++--------- 2 files changed, 88 insertions(+), 88 deletions(-) diff --git a/.github/workflows/mobile-ios_build.yml b/.github/workflows/mobile-ios_build.yml index 22597704d60f8..38e4f6cc253c7 100644 --- a/.github/workflows/mobile-ios_build.yml +++ b/.github/workflows/mobile-ios_build.yml @@ -73,51 +73,51 @@ jobs: target: ios timeout-minutes: 120 - hello-world: - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - if: ${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).run.mobile-ios }} - needs: - - load - - build - name: ios-hello-world - with: - args: >- - build - ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} - ${{ matrix.app }} - command: ./bazelw - container-command: - docker-ipv6: false - request: ${{ needs.load.outputs.request }} - runs-on: macos-15 - source: | - source ./ci/mac_ci_setup.sh - ./bazelw shutdown - steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 - with: - app: ${{ matrix.app }} - args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} - expected: received headers with status ${{ matrix.expected-status }} - env: - ANDROID_NDK_HOME: - ANDROID_HOME: - target: ${{ matrix.target }} - timeout-minutes: ${{ matrix.timeout-minutes }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - working-directory: mobile - strategy: - fail-fast: false - matrix: - include: - - name: Build swift hello world - app: //examples/swift/hello_world:app - expected-status: 200 - target: swift-hello-world - timeout-minutes: 90 + # hello-world: + # permissions: + # contents: read + # packages: read + # uses: ./.github/workflows/_run.yml + # if: ${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).run.mobile-ios }} + # needs: + # - load + # - build + # name: ios-hello-world + # with: + # args: >- + # build + # ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} + # ${{ matrix.app }} + # command: ./bazelw + # container-command: + # docker-ipv6: false + # request: ${{ needs.load.outputs.request }} + # runs-on: macos-15 + # source: | + # source ./ci/mac_ci_setup.sh + # ./bazelw shutdown + # steps-post: | + # - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 + # with: + # app: ${{ matrix.app }} + # args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} + # expected: received headers with status ${{ matrix.expected-status }} + # env: + # ANDROID_NDK_HOME: + # ANDROID_HOME: + # target: ${{ matrix.target }} + # timeout-minutes: ${{ matrix.timeout-minutes }} + # trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} + # working-directory: mobile + # strategy: + # fail-fast: false + # matrix: + # include: + # - name: Build swift hello world + # app: //examples/swift/hello_world:app + # expected-status: 200 + # target: swift-hello-world + # timeout-minutes: 90 apps: permissions: @@ -186,7 +186,7 @@ jobs: needs: - load - build - - hello-world + # - hello-world - apps uses: ./.github/workflows/_finish.yml with: diff --git a/.github/workflows/mobile-release_validation.yml b/.github/workflows/mobile-release_validation.yml index 5a440a900178b..0406aa2a948c6 100644 --- a/.github/workflows/mobile-release_validation.yml +++ b/.github/workflows/mobile-release_validation.yml @@ -38,47 +38,47 @@ jobs: with: check-name: mobile-release-validation - validate-swiftpm-example: - permissions: - contents: read - packages: read - if: ${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).run.mobile-release-validation }} - needs: load - uses: ./.github/workflows/_run.yml - name: Build xframework - with: - args: >- - build - --config=mobile-remote-ci-macos-ios - //:ios_xcframework - command: ./bazelw - container-command: - docker-ipv6: false - request: ${{ needs.load.outputs.request }} - # revert this to non-large once updated - runs-on: macos-15 - source: | - source ./ci/mac_ci_setup.sh - # Ignore errors: Bad CRC when unzipping large files: https://bbs.archlinux.org/viewtopic.php?id=153011 - steps-post: | - - run: | - unzip mobile/bazel-bin/library/swift/Envoy.xcframework.zip \ - -d mobile/examples/swift/swiftpm/Packages \ - || : - shell: bash - name: Unzip xcframework - - run: | - xcodebuild -project mobile/examples/swift/swiftpm/EnvoySwiftPMExample.xcodeproj \ - -scheme EnvoySwiftPMExample \ - -destination platform="iOS Simulator,name=iPhone 16 Pro Max,OS=18.1" \ - -allowProvisioningUpdates - shell: bash - name: Build app - # TODO(jpsim): Run app and inspect logs to validate - target: validate-swiftpm-example - timeout-minutes: 120 - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - working-directory: mobile + # validate-swiftpm-example: + # permissions: + # contents: read + # packages: read + # if: ${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).run.mobile-release-validation }} + # needs: load + # uses: ./.github/workflows/_run.yml + # name: Build xframework + # with: + # args: >- + # build + # --config=mobile-remote-ci-macos-ios + # //:ios_xcframework + # command: ./bazelw + # container-command: + # docker-ipv6: false + # request: ${{ needs.load.outputs.request }} + # # revert this to non-large once updated + # runs-on: macos-15 + # source: | + # source ./ci/mac_ci_setup.sh + # # Ignore errors: Bad CRC when unzipping large files: https://bbs.archlinux.org/viewtopic.php?id=153011 + # steps-post: | + # - run: | + # unzip mobile/bazel-bin/library/swift/Envoy.xcframework.zip \ + # -d mobile/examples/swift/swiftpm/Packages \ + # || : + # shell: bash + # name: Unzip xcframework + # - run: | + # xcodebuild -project mobile/examples/swift/swiftpm/EnvoySwiftPMExample.xcodeproj \ + # -scheme EnvoySwiftPMExample \ + # -destination platform="iOS Simulator,name=iPhone 16 Pro Max,OS=18.1" \ + # -allowProvisioningUpdates + # shell: bash + # name: Build app + # # TODO(jpsim): Run app and inspect logs to validate + # target: validate-swiftpm-example + # timeout-minutes: 120 + # trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} + # working-directory: mobile request: secrets: @@ -97,7 +97,7 @@ jobs: && fromJSON(needs.load.outputs.request).run.mobile-release-validation needs: - load - - validate-swiftpm-example + # - validate-swiftpm-example uses: ./.github/workflows/_finish.yml with: needs: ${{ toJSON(needs) }} From ac4070404cddc64075d1db16807c6521adb7d1ca Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Thu, 14 Aug 2025 15:49:26 -0400 Subject: [PATCH 226/505] mobile/ci: Temporarily disable jobs starting the iOS Simulator pt 2 (#40717) This is a follow-up to https://github.com/envoyproxy/envoy/pull/40715 Signed-off-by: Ali Beyad --- .github/workflows/mobile-ios_build.yml | 98 +++++++++++++------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/.github/workflows/mobile-ios_build.yml b/.github/workflows/mobile-ios_build.yml index 38e4f6cc253c7..835b59aa71d43 100644 --- a/.github/workflows/mobile-ios_build.yml +++ b/.github/workflows/mobile-ios_build.yml @@ -119,54 +119,54 @@ jobs: # target: swift-hello-world # timeout-minutes: 90 - apps: - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - if: ${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).run.mobile-ios-all }} - needs: - - load - - build - name: ios-apps - with: - args: >- - build - ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} - ${{ matrix.app }} - command: ./bazelw - container-command: - docker-ipv6: false - request: ${{ needs.load.outputs.request }} - runs-on: macos-15 - source: | - source ./ci/mac_ci_setup.sh - steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 - with: - app: ${{ matrix.app }} - args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} - expected: >- - ${{ matrix.expected - || format('received headers with status {0}', matrix.expected-status) }} - timeout: ${{ matrix.timeout || '5m' }} - env: - ANDROID_NDK_HOME: - ANDROID_HOME: - target: ${{ matrix.target }} - timeout-minutes: 90 - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - working-directory: mobile - strategy: - fail-fast: false - matrix: - include: - - name: Build swift experimental app - args: >- - --config=mobile-remote-ci-macos-ios - app: //test/swift/apps/experimental:app - expected-status: 200 - target: swift-experimental-app + # apps: + # permissions: + # contents: read + # packages: read + # uses: ./.github/workflows/_run.yml + # if: ${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).run.mobile-ios-all }} + # needs: + # - load + # - build + # name: ios-apps + # with: + # args: >- + # build + # ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} + # ${{ matrix.app }} + # command: ./bazelw + # container-command: + # docker-ipv6: false + # request: ${{ needs.load.outputs.request }} + # runs-on: macos-15 + # source: | + # source ./ci/mac_ci_setup.sh + # steps-post: | + # - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 + # with: + # app: ${{ matrix.app }} + # args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} + # expected: >- + # ${{ matrix.expected + # || format('received headers with status {0}', matrix.expected-status) }} + # timeout: ${{ matrix.timeout || '5m' }} + # env: + # ANDROID_NDK_HOME: + # ANDROID_HOME: + # target: ${{ matrix.target }} + # timeout-minutes: 90 + # trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} + # working-directory: mobile + # strategy: + # fail-fast: false + # matrix: + # include: + # - name: Build swift experimental app + # args: >- + # --config=mobile-remote-ci-macos-ios + # app: //test/swift/apps/experimental:app + # expected-status: 200 + # target: swift-experimental-app request: secrets: @@ -187,7 +187,7 @@ jobs: - load - build # - hello-world - - apps + # - apps uses: ./.github/workflows/_finish.yml with: needs: ${{ toJSON(needs) }} From 04644828d0cadc8b3d5e101cee44955f41ea2ddc Mon Sep 17 00:00:00 2001 From: danzh Date: Thu, 14 Aug 2025 16:54:58 -0400 Subject: [PATCH 227/505] mobile: use AndroidNetworkMonitorV2 (#40625) Commit Message: Add a new API setUseV2NetworkMonitor() to Cronvoy and Kotlin engine builder which will configure the android engine to switch to the new network monitor implementation `AndroidNetworkMonitorV2` which reports not just the default network change but also connect and disconnect events on non-default networks. These signals will be needed by HTTP/3 connection migration. While using AndroidNetworkMonitorV2, InternalEngine will handle default network changes slightly differently. It will delegate the signals to ConnectivityManagerImpl in the current thread which will deduplicate the signals and update the preferred network and post a callback to the Envoy network thread to reset HTTP brokenness, refresh DNS and drain connections. ConnectivityManagerImpl also keeps track of all connected networks. Additional Description: Expose ConnectivityManagerImpl to InternalEngine instead of the ConnectivityManager interface. This will allow its network_state_ to be non-static and accessed via a handle to the ConnectivityManagerImpl object. Risk Level: low, new feature is behind a new API Testing: new unit tests added for ConnectivityManagerImpl and new integration tests added Docs Changes: N/A Release Notes: N/A Platform Specific Features: listen to Android network signals. --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- mobile/library/common/internal_engine.cc | 57 +++- mobile/library/common/internal_engine.h | 9 +- mobile/library/common/network/BUILD | 1 + .../common/network/connectivity_manager.cc | 175 ++++++++++- .../common/network/connectivity_manager.h | 70 ++++- mobile/library/common/system/BUILD | 1 + .../common/system/default_system_helper.cc | 6 + .../common/system/default_system_helper.h | 2 + .../system/default_system_helper_android.cc | 6 + .../system/default_system_helper_apple.cc | 6 + mobile/library/common/system/system_helper.h | 7 + .../envoymobile/engine/AndroidEngineImpl.java | 8 +- .../engine/AndroidNetworkMonitorV2.java | 16 + .../io/envoyproxy/envoymobile/engine/BUILD | 7 +- .../envoymobile/engine/JniLibrary.java | 12 + .../envoyproxy/envoymobile/engine/types/BUILD | 1 + .../engine/types/NetworkWithType.java | 16 + .../utilities/AndroidNetworkLibrary.java | 29 ++ .../io/envoyproxy/envoymobile/utilities/BUILD | 26 +- .../impl/NativeCronvoyEngineBuilderImpl.java | 8 +- mobile/library/jni/BUILD | 3 +- mobile/library/jni/android_network_utility.cc | 57 ++++ mobile/library/jni/android_network_utility.h | 5 + mobile/library/jni/jni_impl.cc | 31 ++ mobile/library/jni/jni_init.cc | 26 +- .../envoymobile/AndroidEngineBuilder.kt | 3 +- .../kotlin/io/envoyproxy/envoymobile/BUILD | 1 + .../integration/client_integration_test.cc | 37 +++ mobile/test/common/internal_engine_test.cc | 4 + mobile/test/common/mocks/common/mocks.h | 2 + mobile/test/common/network/BUILD | 1 + .../network/connectivity_manager_test.cc | 136 +++++++- .../utilities/AndroidNetworkTest.java | 114 +++++++ .../io/envoyproxy/envoymobile/utilities/BUILD | 26 ++ .../org/chromium/net/CronetHttp3Test.java | 290 +++++++++++++++++- .../test/java/org/chromium/net/testing/BUILD | 1 + 36 files changed, 1115 insertions(+), 85 deletions(-) create mode 100644 mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java create mode 100644 mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index 1a891b27834be..aac77e59e2719 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -220,6 +220,26 @@ envoy_status_t InternalEngine::main(std::shared_ptr options) { server_->serverFactoryContext(), server_->serverFactoryContext().messageValidationVisitor()); connectivity_manager_ = Network::ConnectivityManagerFactory{generic_context}.get(); + Network::DefaultNetworkChangeCallback cb = + [this](envoy_netconf_t current_configuration_key) { + dispatcher_->post([this, current_configuration_key]() { + if (connectivity_manager_->getConfigurationKey() != current_configuration_key) { + // The default network has changed to a different one. + return; + } + ENVOY_LOG_MISC( + trace, + "Default network state has been changed. Current net configuration key {}", + current_configuration_key); + resetHttpPropertiesAndDrainHosts(probeAndGetLocalAddr(AF_INET6) != nullptr); + if (!disable_dns_refresh_on_network_change_) { + // This call will possibly drain all connections asynchronously. + connectivity_manager_->doRefreshDns(current_configuration_key, + /*drain_connections=*/true); + } + }); + }; + connectivity_manager_->setDefaultNetworkChangeCallback(std::move(cb)); if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.dns_cache_set_ip_version_to_remove")) { if (probeAndGetLocalAddr(AF_INET6) == nullptr) { @@ -375,23 +395,21 @@ void InternalEngine::onDefaultNetworkChanged(int network) { }); } -void InternalEngine::onDefaultNetworkChangedAndroid(ConnectionType /*connection_type*/, - int64_t /*net_id*/) { - ENVOY_LOG_MISC(trace, "Calling the default network changed callback on Android"); +void InternalEngine::onDefaultNetworkChangedAndroid(ConnectionType connection_type, + int64_t net_id) { + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); } -void InternalEngine::onNetworkDisconnectAndroid(int64_t /*net_id*/) { - ENVOY_LOG_MISC(trace, "Calling network disconnect callback on Android"); +void InternalEngine::onNetworkDisconnectAndroid(int64_t net_id) { + connectivity_manager_->onNetworkDisconnectAndroid(net_id); } -void InternalEngine::onNetworkConnectAndroid(ConnectionType /*connection_type*/, - int64_t /*net_id*/) { - ENVOY_LOG_MISC(trace, "Calling network connect callback on Android"); +void InternalEngine::onNetworkConnectAndroid(ConnectionType connection_type, int64_t net_id) { + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); } -void InternalEngine::purgeActiveNetworkListAndroid( - const std::vector& /*active_network_ids*/) { - ENVOY_LOG_MISC(trace, "Calling network purge callback on Android"); +void InternalEngine::purgeActiveNetworkListAndroid(const std::vector& active_network_ids) { + connectivity_manager_->purgeActiveNetworkListAndroid(active_network_ids); } void InternalEngine::onDefaultNetworkUnavailable() { @@ -400,8 +418,17 @@ void InternalEngine::onDefaultNetworkUnavailable() { } void InternalEngine::handleNetworkChange(const int network_type, const bool has_ipv6_connectivity) { - envoy_netconf_t configuration = - Network::ConnectivityManagerImpl::setPreferredNetwork(network_type); + envoy_netconf_t configuration = connectivity_manager_->setPreferredNetwork(network_type); + + resetHttpPropertiesAndDrainHosts(has_ipv6_connectivity); + if (!disable_dns_refresh_on_network_change_) { + // Refresh DNS upon network changes. + // This call will possibly drain all connections asynchronously. + connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); + } +} + +void InternalEngine::resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity) { if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.dns_cache_set_ip_version_to_remove") || Runtime::runtimeFeatureEnabled( @@ -435,11 +462,7 @@ void InternalEngine::handleNetworkChange(const int network_type, const bool has_ ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); getClusterManager().drainConnections([](const Upstream::Host&) { return true; }); } - return; } - // Refresh DNS upon network changes. - // This call will possibly drain all connections asynchronously. - connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); } envoy_status_t InternalEngine::recordCounterInc(absl::string_view elements, envoy_stats_tags tags, diff --git a/mobile/library/common/internal_engine.h b/mobile/library/common/internal_engine.h index c6fc839813b24..e90c7a0f53359 100644 --- a/mobile/library/common/internal_engine.h +++ b/mobile/library/common/internal_engine.h @@ -157,8 +157,8 @@ class InternalEngine : public Logger::Loggable { void onNetworkConnectAndroid(ConnectionType connection_type, int64_t net_id); /** - * The callback that gets executed when the device decides that the given list of networks should - * be forgotten. + * The callback that gets executed when the device decides to forget all networks other than the + * given list. */ void purgeActiveNetworkListAndroid(const std::vector& active_network_ids); @@ -228,6 +228,9 @@ class InternalEngine : public Logger::Loggable { // there is no connectivity for the `domain`, a null pointer will be returned. static Network::Address::InstanceConstSharedPtr probeAndGetLocalAddr(int domain); + // Called when it's been determined that the default network has changed. + void resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity); + Thread::PosixThreadFactoryPtr thread_factory_; Event::Dispatcher* event_dispatcher_{}; Stats::ScopeSharedPtr client_scope_; @@ -241,7 +244,7 @@ class InternalEngine : public Logger::Loggable { Thread::MutexBasicLockable mutex_; Thread::CondVar cv_; Http::ClientPtr http_client_; - Network::ConnectivityManagerSharedPtr connectivity_manager_; + Network::ConnectivityManagerImplSharedPtr connectivity_manager_; Event::ProvisionalDispatcherPtr dispatcher_; // Used by the cerr logger to ensure logs don't overwrite each other. absl::Mutex log_mutex_; diff --git a/mobile/library/common/network/BUILD b/mobile/library/common/network/BUILD index 22b2ec7e213a8..82a5d6b384604 100644 --- a/mobile/library/common/network/BUILD +++ b/mobile/library/common/network/BUILD @@ -19,6 +19,7 @@ envoy_cc_library( ":proxy_settings_lib", "//library/common:engine_types_lib", "//library/common/network:src_addr_socket_option_lib", + "//library/common/system:system_helper_lib", "//library/common/types:c_types_lib", "@envoy//envoy/network:socket_interface", "@envoy//envoy/singleton:manager_interface", diff --git a/mobile/library/common/network/connectivity_manager.cc b/mobile/library/common/network/connectivity_manager.cc index 02091ac65b9cd..a2015a213c34a 100644 --- a/mobile/library/common/network/connectivity_manager.cc +++ b/mobile/library/common/network/connectivity_manager.cc @@ -2,6 +2,7 @@ #include +#include #include #include "envoy/common/platform.h" @@ -16,8 +17,8 @@ #include "fmt/ostream.h" #include "library/common/network/network_type_socket_option_impl.h" -#include "library/common/network/network_types.h" #include "library/common/network/src_addr_socket_option_impl.h" +#include "library/common/system/system_helper.h" // Used on Linux (requires root/CAP_NET_RAW) #ifdef SO_BINDTODEVICE @@ -77,14 +78,12 @@ constexpr absl::string_view BaseDnsCache = "base_dns_cache"; // The number of faults allowed on a newly-established connection before switching socket mode. constexpr unsigned int InitialFaultThreshold = 1; -// The number of faults allowed on a previously-successful connection (i.e. able to send and receive -// L7 bytes) before switching socket mode. -constexpr unsigned int MaxFaultThreshold = 3; -ConnectivityManagerImpl::DefaultNetworkState ConnectivityManagerImpl::network_state_{ - 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; - -Thread::MutexBasicLockable ConnectivityManagerImpl::network_mutex_{}; +ConnectivityManagerImpl::ConnectivityManagerImpl(Upstream::ClusterManager& cluster_manager, + DnsCacheManagerSharedPtr dns_cache_manager) + : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) { + initializeNetworkStates(); +} envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { Thread::LockGuard lock{network_mutex_}; @@ -97,14 +96,19 @@ envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { // return network_state_.configuration_key_ - 1; //} - ENVOY_LOG_EVENT(debug, "netconf_network_change", "{}", std::to_string(static_cast(network))); + setPreferredNetworkNoLock(network); + return network_state_.configuration_key_; +} + +void ConnectivityManagerImpl::setPreferredNetworkNoLock(int network_type) + ABSL_EXCLUSIVE_LOCKS_REQUIRED(network_mutex_) { + ENVOY_LOG_EVENT(debug, "netconf_network_change", "network_type changed to {}", + std::to_string(static_cast(network_type))); network_state_.configuration_key_++; - network_state_.network_ = network; + network_state_.network_ = network_type; network_state_.remaining_faults_ = 1; network_state_.socket_mode_ = SocketMode::DefaultPreferredNetworkMode; - - return network_state_.configuration_key_; } void ConnectivityManagerImpl::setProxySettings(ProxySettingsConstSharedPtr new_proxy_settings) { @@ -275,7 +279,11 @@ void ConnectivityManagerImpl::refreshDns(envoy_netconf_t configuration_key, return; } } + doRefreshDns(configuration_key, drain_connections); +} +void ConnectivityManagerImpl::doRefreshDns(envoy_netconf_t configuration_key, + bool drain_connections) { if (auto dns_cache = dnsCache()) { ENVOY_LOG_EVENT(debug, "netconf_refresh_dns", "{}", std::to_string(configuration_key)); @@ -458,7 +466,148 @@ ConnectivityManagerImpl::enumerateInterfaces([[maybe_unused]] unsigned short fam return pairs; } -ConnectivityManagerSharedPtr ConnectivityManagerFactory::get() { +int connectionTypeToCompoundNetworkType(ConnectionType connection_type) { + int compound_type = 0; + switch (connection_type) { + case ConnectionType::CONNECTION_2G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_2G)); + break; + case ConnectionType::CONNECTION_3G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_3G)); + break; + case ConnectionType::CONNECTION_4G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_4G)); + break; + case ConnectionType::CONNECTION_5G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_5G)); + break; + case ConnectionType::CONNECTION_WIFI: + case ConnectionType::CONNECTION_ETHERNET: + compound_type |= static_cast(NetworkType::WLAN); + break; + case ConnectionType::CONNECTION_NONE: + break; + case ConnectionType::CONNECTION_BLUETOOTH: + case ConnectionType::CONNECTION_UNKNOWN: + compound_type = static_cast(NetworkType::Generic); + break; + } + return compound_type; +} + +void ConnectivityManagerImpl::onDefaultNetworkChangedAndroid(ConnectionType connection_type, + NetworkHandle net_id) { + bool already_connected{false}; + envoy_netconf_t current_configuration_key{0}; + { + Thread::LockGuard lock{network_mutex_}; + ENVOY_LOG_EVENT(debug, "android_default_network_changed", + "default network changed from {} to {}, new connection_type {}, ", + default_network_handle_, net_id, static_cast(connection_type)); + if (net_id == default_network_handle_) { + return; + } + current_configuration_key = network_state_.configuration_key_; + default_network_handle_ = net_id; + if (connected_networks_.find(net_id) != connected_networks_.end()) { + // Android Lollipop had race conditions where CONNECTIVITY_ACTION intents + // were sent out before the network was actually made the default. + // Delay switching to the new default until Android platform notifies that the network + // connected. + setPreferredNetworkNoLock(connectionTypeToCompoundNetworkType(connection_type)); + current_configuration_key = network_state_.configuration_key_; + already_connected = true; + } + } + if (already_connected) { + if (default_network_change_callback_ != nullptr) { + default_network_change_callback_(current_configuration_key); + } + if (observer_ != nullptr) { + observer_->onNetworkMadeDefault(net_id); + } + } +} + +void ConnectivityManagerImpl::onNetworkDisconnectAndroid(NetworkHandle net_id) { + { + Thread::LockGuard lock{network_mutex_}; + if (net_id == default_network_handle_) { + default_network_handle_ = kInvalidNetworkHandle; + } + if (connected_networks_.erase(net_id) == 0) { + return; + } + } + if (observer_ != nullptr) { + observer_->onNetworkDisconnected(net_id); + } +} + +void ConnectivityManagerImpl::onNetworkConnectAndroid(ConnectionType connection_type, + NetworkHandle net_id) { + bool is_default_network{false}; + envoy_netconf_t current_configuration_key{0}; + { + Thread::LockGuard lock{network_mutex_}; + if (connected_networks_.find(net_id) != connected_networks_.end()) { + return; + } + connected_networks_[net_id] = connection_type; + current_configuration_key = network_state_.configuration_key_; + if (net_id == default_network_handle_) { + // The reported default network finally gets connected. + is_default_network = true; + setPreferredNetworkNoLock(connectionTypeToCompoundNetworkType(connection_type)); + current_configuration_key = network_state_.configuration_key_; + } + } + // Android Lollipop would send many duplicate notifications. + // This was later fixed in Android Marshmallow. + // Deduplicate them here by avoiding sending duplicate notifications. + if (observer_ != nullptr) { + observer_->onNetworkConnected(net_id); + } + if (is_default_network) { + if (default_network_change_callback_ != nullptr) { + default_network_change_callback_(current_configuration_key); + } + if (observer_ != nullptr) { + observer_->onNetworkMadeDefault(net_id); + } + } +} + +void ConnectivityManagerImpl::purgeActiveNetworkListAndroid( + const std::vector& active_network_ids) { + std::vector disconnected_networks; + { + Thread::LockGuard lock{network_mutex_}; + for (auto& i : connected_networks_) { + if (std::find(active_network_ids.begin(), active_network_ids.end(), i.first) == + active_network_ids.end()) { + disconnected_networks.push_back(i.first); + } + } + } + for (auto disconnected_network : disconnected_networks) { + onNetworkDisconnectAndroid(disconnected_network); + } +} + +void ConnectivityManagerImpl::initializeNetworkStates() { + NetworkHandle default_net_id = SystemHelper::getInstance().getDefaultNetworkHandle(); + std::vector> all_connected_networks = + SystemHelper::getInstance().getAllConnectedNetworks(); + + Thread::LockGuard lock{network_mutex_}; + default_network_handle_ = default_net_id; + for (auto& entry : all_connected_networks) { + connected_networks_[entry.first] = entry.second; + } +} + +ConnectivityManagerImplSharedPtr ConnectivityManagerFactory::get() { return context_.serverFactoryContext().singletonManager().getTyped( SINGLETON_MANAGER_REGISTERED_NAME(connectivity_manager), [this] { Envoy::Extensions::Common::DynamicForwardProxy::DnsCacheManagerFactoryImpl diff --git a/mobile/library/common/network/connectivity_manager.h b/mobile/library/common/network/connectivity_manager.h index 43da8e0466990..aa3026168eff4 100644 --- a/mobile/library/common/network/connectivity_manager.h +++ b/mobile/library/common/network/connectivity_manager.h @@ -3,6 +3,7 @@ #include #include +#include "envoy/common/optref.h" #include "envoy/network/socket.h" #include "envoy/singleton/manager.h" #include "envoy/upstream/cluster_manager.h" @@ -11,6 +12,7 @@ #include "source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h" #include "library/common/engine_types.h" +#include "library/common/network/network_types.h" #include "library/common/network/proxy_settings.h" #include "library/common/types/c_types.h" @@ -20,11 +22,11 @@ * remain valid/relevant at time of execution. * * Currently, there are two primary circumstances this is used: - * 1. When network type changes, a refreshDNS call will be scheduled on the event dispatcher, along - * with a configuration key of this type. If network type changes again before that refresh - * executes, the refresh is now stale, another refresh task will have been queued, and it should no - * longer execute. The configuration key allows the connectivity_manager to determine if the - * refreshDNS call is representative of current configuration. + * 1. When network type changes, some clean up will be scheduled on the event dispatcher, along + * with a configuration key of this type. If network type changes again before that scheduled clean + * up executes, another clean up will be scheduled, and the old one should no longer execute. The + * configuration key allows the connectivity_manager to determine if the clean up is representative + * of current configuration. * 2. When a request is configured with a certain set of socket options and begins, it is given a * configuration key. The heuristic in reportNetworkUsage relies on characteristics of the * request/response to make future decisions about socket options, but needs to be able to correctly @@ -39,6 +41,9 @@ */ typedef uint16_t envoy_netconf_t; +using NetworkHandle = int64_t; +constexpr NetworkHandle kInvalidNetworkHandle = -1; + namespace Envoy { namespace Network { @@ -59,6 +64,14 @@ enum class SocketMode : int { AlternateBoundInterfaceMode = 1, }; +namespace { + +// The number of faults allowed on a previously-successful connection (i.e. able to send and receive +// L7 bytes) before switching socket mode. +constexpr unsigned int MaxFaultThreshold = 3; + +} // namespace + using DnsCacheManagerSharedPtr = Extensions::Common::DynamicForwardProxy::DnsCacheManagerSharedPtr; using InterfacePair = std::pair; @@ -185,6 +198,8 @@ class ConnectivityManager { virtual Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() PURE; }; +using ConnectivityManagerSharedPtr = std::shared_ptr; + // Used when draining hosts upon DNS refreshing is desired. class RefreshDnsWithPostDrainHandler : public Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks, @@ -217,6 +232,16 @@ class RefreshDnsWithPostDrainHandler dns_callbacks_handle_; }; +using DefaultNetworkChangeCallback = std::function; + +class NetworkChangeObserver { +public: + virtual ~NetworkChangeObserver() = default; + virtual void onNetworkMadeDefault(NetworkHandle network) PURE; + virtual void onNetworkDisconnected(NetworkHandle network) PURE; + virtual void onNetworkConnected(NetworkHandle network) PURE; +}; + class ConnectivityManagerImpl : public ConnectivityManager, public Singleton::Instance, public Logger::Loggable { @@ -227,11 +252,10 @@ class ConnectivityManagerImpl : public ConnectivityManager, * @param network, the OS-preferred network. * @returns configuration key to associate with any related calls. */ - static envoy_netconf_t setPreferredNetwork(int network); + envoy_netconf_t setPreferredNetwork(int network); ConnectivityManagerImpl(Upstream::ClusterManager& cluster_manager, - DnsCacheManagerSharedPtr dns_cache_manager) - : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) {} + DnsCacheManagerSharedPtr dns_cache_manager); // ConnectivityManager std::vector enumerateV4Interfaces() override; @@ -251,6 +275,19 @@ class ConnectivityManagerImpl : public ConnectivityManager, envoy_netconf_t addUpstreamSocketOptions(Socket::OptionsSharedPtr options) override; Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() override; + // These interfaces are only used to handle Android network change notifications. + void onDefaultNetworkChangedAndroid(ConnectionType connection_type, NetworkHandle net_id); + void onNetworkDisconnectAndroid(NetworkHandle net_id); + void onNetworkConnectAndroid(ConnectionType connection_type, NetworkHandle net_id); + void purgeActiveNetworkListAndroid(const std::vector& active_network_ids); + void setDefaultNetworkChangeCallback(DefaultNetworkChangeCallback cb) { + default_network_change_callback_ = cb; + } + void setNetworkChangeObserver(NetworkChangeObserver* observer) { observer_ = observer; } + + // Refresh DNS regardless of configuration key change. + void doRefreshDns(envoy_netconf_t configuration_key, bool drain_connections); + private: // The states of the current default network picked by the platform. struct DefaultNetworkState { @@ -264,6 +301,8 @@ class ConnectivityManagerImpl : public ConnectivityManager, Socket::OptionsSharedPtr getAlternateInterfaceSocketOptions(int network); InterfacePair getActiveAlternateInterface(int network, unsigned short family); Socket::OptionsSharedPtr getUpstreamSocketOptions(int network, SocketMode socket_mode); + void setPreferredNetworkNoLock(int network_type) ABSL_EXCLUSIVE_LOCKS_REQUIRED(network_mutex_); + void initializeNetworkStates(); bool enable_interface_binding_{false}; Upstream::ClusterManager& cluster_manager_; @@ -271,11 +310,18 @@ class ConnectivityManagerImpl : public ConnectivityManager, std::unique_ptr dns_refresh_handler_; DnsCacheManagerSharedPtr dns_cache_manager_; ProxySettingsConstSharedPtr proxy_settings_; - static DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_); - static Thread::MutexBasicLockable network_mutex_; + DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_){ + 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; + Thread::MutexBasicLockable network_mutex_{}; + // Below states are only populated on Android platform. + NetworkHandle default_network_handle_ ABSL_GUARDED_BY(network_mutex_){kInvalidNetworkHandle}; + absl::flat_hash_map + connected_networks_ ABSL_GUARDED_BY(network_mutex_); + DefaultNetworkChangeCallback default_network_change_callback_; + NetworkChangeObserver* observer_{nullptr}; }; -using ConnectivityManagerSharedPtr = std::shared_ptr; +using ConnectivityManagerImplSharedPtr = std::shared_ptr; /** * Provides access to the singleton ConnectivityManager. @@ -288,7 +334,7 @@ class ConnectivityManagerFactory { /** * @returns singleton ConnectivityManager instance. */ - ConnectivityManagerSharedPtr get(); + ConnectivityManagerImplSharedPtr get(); private: Server::GenericFactoryContextImpl context_; diff --git a/mobile/library/common/system/BUILD b/mobile/library/common/system/BUILD index a8069f9eb773a..d97ca50096cde 100644 --- a/mobile/library/common/system/BUILD +++ b/mobile/library/common/system/BUILD @@ -29,6 +29,7 @@ envoy_cc_library( deps = [ ":default_system_helper_lib", "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", + "//library/common/network:network_types_lib", ] + select({ ":use_android_system_helper": [ "//library/jni:android_jni_utility_lib", diff --git a/mobile/library/common/system/default_system_helper.cc b/mobile/library/common/system/default_system_helper.cc index 15142762e204f..0db0ae1b01b15 100644 --- a/mobile/library/common/system/default_system_helper.cc +++ b/mobile/library/common/system/default_system_helper.cc @@ -16,4 +16,10 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& /* void DefaultSystemHelper::cleanupAfterCertificateValidation() {} +int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return -1; } + +std::vector> DefaultSystemHelper::getAllConnectedNetworks() { + return {}; +} + } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper.h b/mobile/library/common/system/default_system_helper.h index a9ef1d32e5199..56d80bd25753f 100644 --- a/mobile/library/common/system/default_system_helper.h +++ b/mobile/library/common/system/default_system_helper.h @@ -17,6 +17,8 @@ class DefaultSystemHelper : public SystemHelper { envoy_cert_validation_result validateCertificateChain(const std::vector& certs, absl::string_view hostname) override; void cleanupAfterCertificateValidation() override; + int64_t getDefaultNetworkHandle() override; + std::vector> getAllConnectedNetworks() override; }; } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper_android.cc b/mobile/library/common/system/default_system_helper_android.cc index 5d205f0945d7f..f678e1cecb7b0 100644 --- a/mobile/library/common/system/default_system_helper_android.cc +++ b/mobile/library/common/system/default_system_helper_android.cc @@ -16,4 +16,10 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& ce void DefaultSystemHelper::cleanupAfterCertificateValidation() { JNI::jvmDetachThread(); } +int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return JNI::getDefaultNetworkHandle(); } + +std::vector> DefaultSystemHelper::getAllConnectedNetworks() { + return JNI::getAllConnectedNetworks(); +} + } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper_apple.cc b/mobile/library/common/system/default_system_helper_apple.cc index 1facd039d2480..16caed9c22ec4 100644 --- a/mobile/library/common/system/default_system_helper_apple.cc +++ b/mobile/library/common/system/default_system_helper_apple.cc @@ -13,4 +13,10 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& ce void DefaultSystemHelper::cleanupAfterCertificateValidation() {} +int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return -1; } + +std::vector> DefaultSystemHelper::getAllConnectedNetworks() { + return {}; +} + } // namespace Envoy diff --git a/mobile/library/common/system/system_helper.h b/mobile/library/common/system/system_helper.h index d18c6537e49a4..9f9123c6a9011 100644 --- a/mobile/library/common/system/system_helper.h +++ b/mobile/library/common/system/system_helper.h @@ -7,6 +7,7 @@ #include "absl/strings/string_view.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" +#include "library/common/network/network_types.h" namespace Envoy { @@ -39,6 +40,12 @@ class SystemHelper { */ virtual void cleanupAfterCertificateValidation() PURE; + /** + * Invokes platform APIs to retrieve a handle to the current default network. + */ + virtual int64_t getDefaultNetworkHandle() PURE; + + virtual std::vector> getAllConnectedNetworks() PURE; /** * @return a reference to the current SystemHelper instance. */ diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java index 595311f3e72f1..01e905e01d5f0 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java @@ -25,14 +25,18 @@ public class AndroidEngineImpl implements EnvoyEngine { public AndroidEngineImpl(Context context, EnvoyOnEngineRunning runningCallback, EnvoyLogger logger, EnvoyEventTracker eventTracker, Boolean enableProxying, Boolean useNetworkChangeEvent, - Boolean disableDnsRefreshOnNetworkChange) { + Boolean disableDnsRefreshOnNetworkChange, Boolean useV2NetworkMonitor) { this.context = context; this.envoyEngine = new EnvoyEngineImpl(runningCallback, logger, eventTracker, disableDnsRefreshOnNetworkChange); if (ContextUtils.getApplicationContext() == null) { ContextUtils.initApplicationContext(context.getApplicationContext()); } - AndroidNetworkMonitor.load(context, envoyEngine, useNetworkChangeEvent); + if (useV2NetworkMonitor) { + AndroidNetworkMonitorV2.load(context, envoyEngine); + } else { + AndroidNetworkMonitor.load(context, envoyEngine, useNetworkChangeEvent); + } if (enableProxying) { AndroidProxyMonitor.load(context, envoyEngine); } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java index 1dc6bcf851ee1..03ff20cc2538a 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java @@ -1,6 +1,7 @@ package io.envoyproxy.envoymobile.engine; import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; +import io.envoyproxy.envoymobile.engine.types.NetworkWithType; import static android.net.ConnectivityManager.TYPE_VPN; import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET; @@ -796,4 +797,19 @@ public void unregisterNetworkCallbacks() { mConnectivityManager.unregisterNetworkCallback(mDefaultNetworkCallback); } } + + public NetworkWithType[] getAllNetworksAndTypes() { + Network[] filteredNetworks = getAllNetworksFiltered(null); + int size = filteredNetworks.length; + + // Directly create the array with the known size. + NetworkWithType[] networks = new NetworkWithType[size]; + + for (int i = 0; i < size; i++) { + Network network = filteredNetworks[i]; + final EnvoyConnectionType connectionType = getEnvoyConnectionType(network); + networks[i] = new NetworkWithType(network.getNetworkHandle(), connectionType); + } + return networks; + } } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD index 89b5f05dabbe3..abb0890c57e8e 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD @@ -9,8 +9,6 @@ android_library( name = "envoy_engine_lib", srcs = [ "AndroidEngineImpl.java", - "AndroidNetworkMonitor.java", - "AndroidNetworkMonitorV2.java", "AndroidProxyMonitor.java", "UpstreamHttpProtocol.java", ], @@ -21,14 +19,16 @@ android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "@maven//:androidx_annotation_annotation", - "@maven//:androidx_core_core", ], ) android_library( name = "envoy_base_engine_lib", srcs = [ + "AndroidNetworkMonitor.java", + "AndroidNetworkMonitorV2.java", "ByteBuffers.java", "EnvoyConfiguration.java", "EnvoyEngine.java", @@ -52,6 +52,7 @@ android_library( deps = [ "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "@maven//:androidx_annotation_annotation", + "@maven//:androidx_core_core", "@maven//:com_google_code_findbugs_jsr305", "@maven//:com_google_protobuf_protobuf_javalite", ], diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java index 62caa99458906..b45c7142b9c24 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java @@ -305,6 +305,18 @@ public static native Object callCertificateVerificationFromNative(byte[][] certC */ public static native void callClearTestRootCertificateFromNative(); + /** + * Mimic a call to AndroidNetworkLibrary#getDefaultNetworkHandle from native code. + * To be used for testing only. + */ + public static native long callGetDefaultNetworkHandleFromNative(); + + /** + * Mimic a call to AndroidNetworkLibrary#getAllConnectedNetworks from native code. + * To be used for testing only. + */ + public static native long[][] callGetAllConnectedNetworksFromNative(); + /** * Given a filter name, create the proto config for adding the native filter * diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD index a28043e1746ae..07e52827bb388 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD @@ -22,6 +22,7 @@ android_library( "EnvoyStatus.java", "EnvoyStreamIntel.java", "EnvoyStringAccessor.java", + "NetworkWithType.java", ], visibility = ["//visibility:public"], ) diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java new file mode 100644 index 0000000000000..235730ba508e8 --- /dev/null +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java @@ -0,0 +1,16 @@ +package io.envoyproxy.envoymobile.engine.types; + +public class NetworkWithType { + // an opaque handle to a network interface. + private final long netId; + private final EnvoyConnectionType connectionType; + + public NetworkWithType(long netId, EnvoyConnectionType connectionType) { + this.netId = netId; + this.connectionType = connectionType; + } + + public long getNetId() { return netId; } + + public EnvoyConnectionType getConnectionType() { return connectionType; } +} diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java index 99ac5265f4284..2ee5c88c2ebce 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java @@ -23,6 +23,9 @@ import java.nio.charset.StandardCharsets; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; +import io.envoyproxy.envoymobile.engine.types.NetworkWithType; + /** * This class implements net utilities required by the net component. */ @@ -125,6 +128,32 @@ public static boolean isCleartextTrafficPermitted(String host) { } } + public static long getDefaultNetworkHandle() { + if (io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() == null) { + return -1; + } + return io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance().getDefaultNetId(); + } + + public static long[][] getAllConnectedNetworks() { + if (io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() == null) { + return new long[0][0]; + } + NetworkWithType[] networks = + io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() + .getAllNetworksAndTypes(); + if (networks == null || networks.length == 0) { + return new long[0][0]; + } + + long[][] result = new long[networks.length][2]; + for (int i = 0; i < networks.length; i++) { + result[i][0] = networks[i].getNetId(); + result[i][1] = networks[i].getConnectionType().getValue(); + } + return result; + } + /** * Class to wrap FileDescriptor.setInt$() which is hidden and so must be accessed via * reflection. diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD index 2b51fccee9d1c..677efa1db7b0b 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD @@ -8,10 +8,34 @@ envoy_mobile_package() android_library( name = "utilities", - srcs = glob(["*.java"]), + srcs = [ + "ContextUtils.java", + "StatsUtils.java", + "StrictModeContext.java", + "ThreadStatsUid.java", + ], + manifest = "UtilitiesManifest.xml", + visibility = ["//visibility:public"], + deps = [ + artifact("androidx.annotation:annotation"), + ], +) + +android_library( + name = "network_utilities", + srcs = [ + "AndroidCertVerifyResult.java", + "AndroidNetworkLibrary.java", + "CertVerifyStatusAndroid.java", + "FakeX509Util.java", + "X509Util.java", + ], manifest = "UtilitiesManifest.xml", visibility = ["//visibility:public"], deps = [ + ":utilities", + "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", + "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", artifact("androidx.annotation:annotation"), ], ) diff --git a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java index e4b464e5917e4..ee15699fbbea5 100644 --- a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java +++ b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java @@ -69,6 +69,7 @@ public class NativeCronvoyEngineBuilderImpl extends CronvoyEngineBuilderImpl { private String mUpstreamTlsSni = ""; private int mH3ConnectionKeepaliveInitialIntervalMilliseconds = 0; private boolean mUseNetworkChangeEvent = false; + private boolean mUseV2NetworkMonitor = false; private final Map mRuntimeGuards = new HashMap<>(); @@ -136,6 +137,11 @@ public NativeCronvoyEngineBuilderImpl setUseNetworkChangeEvent(boolean use) { return this; } + public NativeCronvoyEngineBuilderImpl setUseV2NetworkMonitor(boolean useV2NetworkMonitor) { + mUseV2NetworkMonitor = useV2NetworkMonitor; + return this; + } + /** * Set the DNS minimum refresh time, in seconds, which ensures that we wait to refresh a DNS * entry for at least the minimum refresh time. For example, if the DNS record TTL is 60 seconds @@ -267,7 +273,7 @@ EnvoyEngine createEngine(EnvoyOnEngineRunning onEngineRunning, EnvoyLogger envoy String logLevel) { AndroidEngineImpl engine = new AndroidEngineImpl( getContext(), onEngineRunning, envoyLogger, mEnvoyEventTracker, mEnableProxying, - mUseNetworkChangeEvent, mDisableDnsRefreshOnNetworkChange); + mUseNetworkChangeEvent, mDisableDnsRefreshOnNetworkChange, mUseV2NetworkMonitor); engine.runWithConfig(createEnvoyConfiguration(), logLevel); return engine; } diff --git a/mobile/library/jni/BUILD b/mobile/library/jni/BUILD index 0c0107c303003..5a7dc8865f609 100644 --- a/mobile/library/jni/BUILD +++ b/mobile/library/jni/BUILD @@ -90,7 +90,7 @@ envoy_cc_library( alwayslink = True, ) -# Cert verification related functions which call into AndroidNetworkLibrary. +# Cert verification related functions which call into AndroidNetworkLibrary. And network retrieval functions which call into AndroidNetworkMonitorV2. envoy_cc_library( name = "android_network_utility_lib", srcs = [ @@ -105,6 +105,7 @@ envoy_cc_library( ":jni_utility_lib", "//library/common/bridge:utility_lib", "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", + "//library/common/network:network_types_lib", "//library/common/types:c_types_lib", "@envoy//bazel:boringssl", ], diff --git a/mobile/library/jni/android_network_utility.cc b/mobile/library/jni/android_network_utility.cc index 3f7492a9c6e7c..35c81666e3941 100644 --- a/mobile/library/jni/android_network_utility.cc +++ b/mobile/library/jni/android_network_utility.cc @@ -166,6 +166,63 @@ envoy_cert_validation_result verifyX509CertChain(const std::vector& } } +int64_t getDefaultNetworkHandle() { + JniHelper jni_helper(JniHelper::getThreadLocalEnv()); + jclass jcls_AndroidNetworkLibrary = + jni_helper.findClassFromCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary"); + jmethodID jmid_getDefaultNetworkHandle = jni_helper.getStaticMethodIdFromCache( + jcls_AndroidNetworkLibrary, "getDefaultNetworkHandle", "()J"); + jlong defaultNetwork = + jni_helper.callStaticLongMethod(jcls_AndroidNetworkLibrary, jmid_getDefaultNetworkHandle); + return static_cast(defaultNetwork); +} + +std::vector> getAllConnectedNetworks() { + std::vector> connected_networks; + Envoy::JNI::JniHelper jni_helper(Envoy::JNI::JniHelper::getThreadLocalEnv()); + + // Use a unique_ptr to automatically release the class reference. + jclass jcls_android_network_library = + jni_helper.findClassFromCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary"); + if (jcls_android_network_library == nullptr) { + return connected_networks; + } + + jmethodID jmid_get_all_connected_networks = jni_helper.getStaticMethodIdFromCache( + jcls_android_network_library, "getAllConnectedNetworks", "()[[J"); + if (jmid_get_all_connected_networks == nullptr) { + return connected_networks; + } + + // Call the static Java method to get the long[][] array. + Envoy::JNI::LocalRefUniquePtr java_network_array = + jni_helper.callStaticObjectMethod(jcls_android_network_library, + jmid_get_all_connected_networks); + if (java_network_array == nullptr) { + return connected_networks; + } + + jsize num_networks = jni_helper.getArrayLength(java_network_array.get()); + + for (jsize i = 0; i < num_networks; ++i) { + // Each entry is a jlongArray (long[2]). + Envoy::JNI::LocalRefUniquePtr network_info_array = + jni_helper.getObjectArrayElement(java_network_array.get(), i); + if (network_info_array == nullptr) { + continue; + } + + std::vector network_info; + Envoy::JNI::javaLongArrayToInt64Vector(jni_helper, network_info_array.get(), &network_info); + + if (network_info.size() == 2) { + connected_networks.emplace_back(network_info[0], + static_cast(network_info[1])); + } + } + return connected_networks; +} + void jvmDetachThread() { JniHelper::detachCurrentThread(); } } // namespace JNI diff --git a/mobile/library/jni/android_network_utility.h b/mobile/library/jni/android_network_utility.h index b86ff77081fe7..48dabb3694c8e 100644 --- a/mobile/library/jni/android_network_utility.h +++ b/mobile/library/jni/android_network_utility.h @@ -5,6 +5,7 @@ #include "absl/strings/string_view.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" +#include "library/common/network/network_types.h" #include "library/jni/jni_helper.h" namespace Envoy { @@ -21,6 +22,10 @@ LocalRefUniquePtr callJvmVerifyX509CertChain(JniHelper& jni_helper, envoy_cert_validation_result verifyX509CertChain(const std::vector& certs, absl::string_view hostname); +int64_t getDefaultNetworkHandle(); + +std::vector> getAllConnectedNetworks(); + void jvmDetachThread(); } // namespace JNI diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc index 206aade981d63..2b324a4081513 100644 --- a/mobile/library/jni/jni_impl.cc +++ b/mobile/library/jni/jni_impl.cc @@ -1397,3 +1397,34 @@ Java_io_envoyproxy_envoymobile_engine_JniLibrary_callClearTestRootCertificateFro jni_helper.callStaticVoidMethod(java_android_network_library_class, java_clear_test_root_certificates_method_id); } + +extern "C" JNIEXPORT jlong JNICALL +Java_io_envoyproxy_envoymobile_engine_JniLibrary_callGetDefaultNetworkHandleFromNative(JNIEnv*, + jclass) { + return Envoy::JNI::getDefaultNetworkHandle(); +} + +extern "C" JNIEXPORT jobjectArray JNICALL +Java_io_envoyproxy_envoymobile_engine_JniLibrary_callGetAllConnectedNetworksFromNative(JNIEnv* env, + jclass) { + Envoy::JNI::JniHelper jni_helper(env); + std::vector> networks = + Envoy::JNI::getAllConnectedNetworks(); + + jclass long_array_class = env->FindClass("[J"); + jobjectArray result = env->NewObjectArray(networks.size(), long_array_class, nullptr); + + for (size_t i = 0; i < networks.size(); ++i) { + jlongArray network_info_array = env->NewLongArray(2); + if (network_info_array == nullptr) { + return nullptr; + } + jlong network_info[2]; + network_info[0] = networks[i].first; + network_info[1] = static_cast(networks[i].second); + env->SetLongArrayRegion(network_info_array, 0, 2, network_info); + env->SetObjectArrayElement(result, i, network_info_array); + env->DeleteLocalRef(network_info_array); + } + return result; +} diff --git a/mobile/library/jni/jni_init.cc b/mobile/library/jni/jni_init.cc index 024000e9bc850..2e8e834873503 100644 --- a/mobile/library/jni/jni_init.cc +++ b/mobile/library/jni/jni_init.cc @@ -9,20 +9,18 @@ namespace JNI { void initialize(JavaVM* jvm) { JniHelper::initialize(jvm); JniUtility::initCache(); - JniHelper::addToCache( - "io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary", - /* methods= */ {}, - /* static_methods= */ - { - {"isCleartextTrafficPermitted", "(Ljava/lang/String;)Z"}, - {"tagSocket", "(III)V"}, - {"verifyServerCertificates", - "([[B[B[B)Lio/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult;"}, - {"addTestRootCertificate", "([B)V"}, - {"clearTestRootCertificates", "()V"}, - - }, - /* fields= */ {}, /* static_fields= */ {}); + JniHelper::addToCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary", + /* methods= */ {}, + /* static_methods= */ + {{"isCleartextTrafficPermitted", "(Ljava/lang/String;)Z"}, + {"tagSocket", "(III)V"}, + {"verifyServerCertificates", + "([[B[B[B)Lio/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult;"}, + {"addTestRootCertificate", "([B)V"}, + {"clearTestRootCertificates", "()V"}, + {"getDefaultNetworkHandle", "()J"}, + {"getAllConnectedNetworks", "()[[J"}}, + /* fields= */ {}, /* static_fields= */ {}); JniHelper::addToCache("io/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult", /* methods= */ { diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt b/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt index a56b2de2601b5..b3fcb45d46129 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt @@ -14,7 +14,8 @@ class AndroidEngineBuilder(context: Context) : EngineBuilder() { eventTracker, enableProxying, /*useNetworkChangeEvent*/ false, - /*disableDnsRefreshOnNetworkChange*/ false + /*disableDnsRefreshOnNetworkChange*/ false, + /*useV2NetworkMonitor*/ false ) } } diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD b/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD index fb10726671765..909190cebf272 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD @@ -39,6 +39,7 @@ kt_android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", ], ) diff --git a/mobile/test/common/integration/client_integration_test.cc b/mobile/test/common/integration/client_integration_test.cc index 26abde47daad1..a57df133f2f03 100644 --- a/mobile/test/common/integration/client_integration_test.cc +++ b/mobile/test/common/integration/client_integration_test.cc @@ -103,6 +103,14 @@ class ClientIntegrationTest builder_.enableDnsCache(true, /* save_interval_seconds */ 1); } + // Initialize the connectivity manager with a WIFI default network and another network with + // unknown type. + std::vector> connected_networks{ + {1, ConnectionType::CONNECTION_WIFI}, {2, ConnectionType::CONNECTION_UNKNOWN}}; + EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()).WillOnce(Return(1)); + EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()) + .WillOnce(Return(connected_networks)); + BaseClientIntegrationTest::initialize(); if (getCodecType() == Http::CodecType::HTTP3) { @@ -362,6 +370,35 @@ TEST_P(ClientIntegrationTest, HandleNetworkChangeEvents) { EXPECT_EQ(4, current_change_event); } +TEST_P(ClientIntegrationTest, HandleNetworkChangeEventsAndroid) { + absl::Notification found_force_dns_refresh; + std::atomic handled_network_change{false}; + auto logger = std::make_unique(); + logger->on_log_ = [&](Logger::Logger::Levels, const std::string& msg) { + if (msg.find("Default network state has been changed. Current net configuration key") != + std::string::npos) { + handled_network_change = true; + } + if (msg.find("beginning DNS cache force refresh") != std::string::npos) { + found_force_dns_refresh.Notify(); + } + }; + builder_.setLogger(std::move(logger)); + builder_.setDisableDnsRefreshOnNetworkChange(false); + + initialize(); + + // A new WIFI network appears and becomes the default network. Even though + // the test is initialized with a WIFI network, this should still have triggred + // a network change event as it has a different network handle. + internalEngine()->onNetworkConnectAndroid(ConnectionType::CONNECTION_WIFI, 123); + internalEngine()->onDefaultNetworkChangedAndroid(ConnectionType::CONNECTION_WIFI, 123); + // The HTTP status reset and DNS refresh should have been posted to the network thread and to be + // handled there. + found_force_dns_refresh.WaitForNotification(); + EXPECT_TRUE(handled_network_change); +} + TEST_P(ClientIntegrationTest, LargeResponse) { initialize(); std::string data(1024 * 32, 'a'); diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index d74493fa9a48e..96009d1ff089f 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc @@ -102,6 +102,10 @@ class InternalEngineTest : public testing::Test { helper_handle_ = test::SystemHelperPeer::replaceSystemHelper(); EXPECT_CALL(helper_handle_->mock_helper(), isCleartextPermitted(_)) .WillRepeatedly(Return(true)); + EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()) + .Times(testing::AtMost(1)) + .WillOnce(Return(-1)); + EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()).Times(testing::AtMost(1)); } envoy_status_t runEngine(const std::unique_ptr& engine, diff --git a/mobile/test/common/mocks/common/mocks.h b/mobile/test/common/mocks/common/mocks.h index f6825405b9c7e..383adda3aed38 100644 --- a/mobile/test/common/mocks/common/mocks.h +++ b/mobile/test/common/mocks/common/mocks.h @@ -16,6 +16,8 @@ class MockSystemHelper : public SystemHelper { MOCK_METHOD(envoy_cert_validation_result, validateCertificateChain, (const std::vector& certs, absl::string_view hostname)); MOCK_METHOD(void, cleanupAfterCertificateValidation, ()); + MOCK_METHOD(int64_t, getDefaultNetworkHandle, ()); + MOCK_METHOD((std::vector>), getAllConnectedNetworks, ()); }; // SystemHelperPeer allows the replacement of the SystemHelper singleton diff --git a/mobile/test/common/network/BUILD b/mobile/test/common/network/BUILD index b26d4b163bf15..a40973ef1bed6 100644 --- a/mobile/test/common/network/BUILD +++ b/mobile/test/common/network/BUILD @@ -10,6 +10,7 @@ envoy_cc_test( repository = "@envoy", deps = [ "//library/common/network:connectivity_manager_lib", + "//test/common/mocks/common:common_mocks", "@envoy//test/extensions/common/dynamic_forward_proxy:mocks", "@envoy//test/mocks/upstream:cluster_manager_mocks", ], diff --git a/mobile/test/common/network/connectivity_manager_test.cc b/mobile/test/common/network/connectivity_manager_test.cc index 6ef1c37fb7c67..42ee049c219a0 100644 --- a/mobile/test/common/network/connectivity_manager_test.cc +++ b/mobile/test/common/network/connectivity_manager_test.cc @@ -1,5 +1,6 @@ #include +#include "test/common/mocks/common/mocks.h" #include "test/extensions/common/dynamic_forward_proxy/mocks.h" #include "test/mocks/upstream/cluster_manager.h" @@ -13,29 +14,55 @@ using testing::Return; namespace Envoy { namespace Network { +class MockNetworkChangeObserver : public NetworkChangeObserver { +public: + MOCK_METHOD(void, onNetworkMadeDefault, (NetworkHandle network), (override)); + MOCK_METHOD(void, onNetworkDisconnected, (NetworkHandle network), (override)); + MOCK_METHOD(void, onNetworkConnected, (NetworkHandle network), (override)); +}; + class ConnectivityManagerTest : public testing::Test { public: ConnectivityManagerTest() : dns_cache_manager_( new NiceMock()), dns_cache_(dns_cache_manager_->dns_cache_), - connectivity_manager_(std::make_shared(cm_, dns_cache_manager_)) { + helper_handle_(test::SystemHelperPeer::replaceSystemHelper()) { + + EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()).WillOnce(Return(1)); + std::vector> connected_networks{ + {1, ConnectionType::CONNECTION_WIFI}, {2, ConnectionType::CONNECTION_UNKNOWN}}; + EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()) + .WillOnce(Return(connected_networks)); + connectivity_manager_ = std::make_shared(cm_, dns_cache_manager_); ON_CALL(*dns_cache_manager_, lookUpCacheByName(_)).WillByDefault(Return(dns_cache_)); // Toggle network to reset network state. - ConnectivityManagerImpl::setPreferredNetwork(1); - ConnectivityManagerImpl::setPreferredNetwork(2); + connectivity_manager_->setPreferredNetwork(1); + connectivity_manager_->setPreferredNetwork(2); + + // Set up the default network change callback. + auto callback = [&](envoy_netconf_t key) { + EXPECT_EQ(key, connectivity_manager_->getConfigurationKey()); + num_default_network_change_++; + }; + connectivity_manager_->setDefaultNetworkChangeCallback(std::move(callback)); + connectivity_manager_->setNetworkChangeObserver(&observer_); } std::shared_ptr> dns_cache_manager_; std::shared_ptr dns_cache_; NiceMock cm_{}; - std::shared_ptr connectivity_manager_; + std::unique_ptr helper_handle_; + ConnectivityManagerImplSharedPtr connectivity_manager_; + testing::StrictMock observer_; + // Track callback invocation count. + int num_default_network_change_{0}; }; TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigurationKey) { envoy_netconf_t original_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t new_key = ConnectivityManagerImpl::setPreferredNetwork(4); + envoy_netconf_t new_key = connectivity_manager_->setPreferredNetwork(4); EXPECT_NE(original_key, new_key); EXPECT_EQ(new_key, connectivity_manager_->getConfigurationKey()); } @@ -43,7 +70,7 @@ TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigur TEST_F(ConnectivityManagerTest, DISABLED_SetPreferredNetworkWithUnchangedNetworkReturnsStaleConfigurationKey) { envoy_netconf_t original_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t stale_key = ConnectivityManagerImpl::setPreferredNetwork(2); + envoy_netconf_t stale_key = connectivity_manager_->setPreferredNetwork(2); EXPECT_NE(original_key, stale_key); EXPECT_EQ(original_key, connectivity_manager_->getConfigurationKey()); } @@ -172,7 +199,7 @@ TEST_F(ConnectivityManagerTest, ReportNetworkUsageDisablesOverrideAfterThirdFaul TEST_F(ConnectivityManagerTest, ReportNetworkUsageDisregardsCallsWithStaleConfigurationKey) { envoy_netconf_t stale_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t current_key = ConnectivityManagerImpl::setPreferredNetwork(4); + envoy_netconf_t current_key = connectivity_manager_->setPreferredNetwork(4); EXPECT_NE(stale_key, current_key); connectivity_manager_->setInterfaceBindingEnabled(true); @@ -253,7 +280,7 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash for (const auto& option : *options1) { option->hashKey(hash1); } - ConnectivityManagerImpl::setPreferredNetwork(64); + connectivity_manager_->setPreferredNetwork(64); auto options2 = std::make_shared(); connectivity_manager_->addUpstreamSocketOptions(options2); std::vector hash2; @@ -263,5 +290,98 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash EXPECT_NE(hash1, hash2); } +// Verifies that when the platform notifies about the same default network +// again, the signal will be ignored. +TEST_F(ConnectivityManagerTest, DuplicatedSignalOfAndroidNetworkBecomesDefault) { + EXPECT_CALL(observer_, onNetworkMadeDefault(_)).Times(0); + connectivity_manager_->onDefaultNetworkChangedAndroid(ConnectionType::CONNECTION_WIFI, 1); + // The callback should not have been called. + EXPECT_EQ(num_default_network_change_, 0); +} + +// Verifies that when a network is connected and then becomes the default +// default_network_change_callback_ called at the end rather than in the middle. +TEST_F(ConnectivityManagerTest, AndroidNetworkConnectedAndThenBecomesDefault) { + const NetworkHandle net_id = 123; + const auto connection_type = ConnectionType::CONNECTION_WIFI; + + // Simulate a network is connected. + EXPECT_CALL(observer_, onNetworkConnected(net_id)); + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); + // The callback should not have been called yet. + EXPECT_EQ(num_default_network_change_, 0); + + // Simulate the connected network now becomes the default. + EXPECT_CALL(observer_, onNetworkMadeDefault(net_id)); + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); + + // Verify the callback was invoked exactly once. + EXPECT_EQ(num_default_network_change_, 1); +} + +// Verifies that when a network becomes the default without becoming connected, +// default_network_change_callback_ is not called. And it should be called once the network is +// connected. +TEST_F(ConnectivityManagerTest, AndroidNetworkBecomesDefaultAndThenConnected) { + const NetworkHandle net_id = 123; + const auto connection_type = ConnectionType::CONNECTION_4G; + const envoy_netconf_t initial_config_key = connectivity_manager_->getConfigurationKey(); + + // Simulate that the network becomes the default. At this point, it is not yet "connected". + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); + + // The callback should not have been called, and the preferred network should not have changed + // yet. + EXPECT_EQ(num_default_network_change_, 0); + EXPECT_EQ(initial_config_key, connectivity_manager_->getConfigurationKey()); + + // Now, simulate the network becoming connected. + // This should trigger the deferred default network callback and update the internal state. + EXPECT_CALL(observer_, onNetworkConnected(net_id)); + EXPECT_CALL(observer_, onNetworkMadeDefault(net_id)); + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); + + // Verify the callback was invoked. + EXPECT_EQ(num_default_network_change_, 1); + EXPECT_NE(initial_config_key, connectivity_manager_->getConfigurationKey()); +} + +// Verifies that the observer is notified about a network becoming connected and +// disconnected. +TEST_F(ConnectivityManagerTest, AndroidNetworkConnectedAndThenDisconnected) { + const NetworkHandle net_id = 123; + const auto connection_type = ConnectionType::CONNECTION_WIFI; + + EXPECT_CALL(observer_, onNetworkConnected(net_id)); + // Simulate a network is connected. + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); + EXPECT_EQ(num_default_network_change_, 0); + + EXPECT_CALL(observer_, onNetworkDisconnected(net_id)); + connectivity_manager_->onNetworkDisconnectAndroid(net_id); + + // Disconnected network should not be used as the default. + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); + EXPECT_EQ(num_default_network_change_, 0); +} + +// Verifies that the observer is notified about networks becoming disconnected when they are purged. +// But if the network is exempted from purging, observer shouldn't be notified about it being +// disconnected. +TEST_F(ConnectivityManagerTest, AndroidPurgeNetworks) { + + EXPECT_CALL(observer_, onNetworkConnected(_)).Times(3); + connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_WIFI, 123); + connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_4G, 456); + connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_5G, 789); + + // Purge all networks other than the 5G network. + EXPECT_CALL(observer_, onNetworkDisconnected(1)); + EXPECT_CALL(observer_, onNetworkDisconnected(2)); + EXPECT_CALL(observer_, onNetworkDisconnected(123)); + EXPECT_CALL(observer_, onNetworkDisconnected(456)); + connectivity_manager_->purgeActiveNetworkListAndroid({789}); +} + } // namespace Network } // namespace Envoy diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java b/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java new file mode 100644 index 0000000000000..0140329f96ab4 --- /dev/null +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java @@ -0,0 +1,114 @@ +package io.envoyproxy.envoymobile.utilities; + +import static org.junit.Assert.*; +import static org.mockito.Mockito.mock; +import static org.robolectric.Shadows.shadowOf; + +import io.envoyproxy.envoymobile.engine.JniLibrary; +import io.envoyproxy.envoymobile.engine.EnvoyEngine; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; +import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; + +import java.nio.charset.StandardCharsets; + +import android.content.Context; +import android.Manifest; +import android.net.ConnectivityManager; +import android.net.NetworkCapabilities; +import android.net.Network; +import android.net.NetworkInfo; + +import androidx.test.platform.app.InstrumentationRegistry; +import androidx.test.rule.GrantPermissionRule; + +import org.junit.After; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; + +import org.robolectric.RobolectricTestRunner; +import org.robolectric.shadows.ShadowNetworkInfo; +import org.robolectric.shadows.ShadowNetworkCapabilities; + +@RunWith(RobolectricTestRunner.class) +public final class AndroidNetworkTest { + @Rule + public GrantPermissionRule mRuntimePermissionRule = + GrantPermissionRule.grant(Manifest.permission.ACCESS_NETWORK_STATE); + + private AndroidNetworkMonitorV2 mAndroidNetworkMonitor; + private ConnectivityManager mConnectivityManager; + private final EnvoyEngine mMockEnvoyEngine = mock(EnvoyEngine.class); + + @BeforeClass + public static void beforeClass() { + JniLibrary.loadTestLibrary(); + } + + @Before + public void setUp() throws Exception { + Context context = InstrumentationRegistry.getInstrumentation().getTargetContext(); + if (ContextUtils.getApplicationContext() == null) { + ContextUtils.initApplicationContext(context.getApplicationContext()); + } + AndroidNetworkMonitorV2.load(context, mMockEnvoyEngine); + mAndroidNetworkMonitor = AndroidNetworkMonitorV2.getInstance(); + mConnectivityManager = mAndroidNetworkMonitor.getConnectivityManager(); + } + + @After + public void tearDown() throws Exception { + AndroidNetworkMonitorV2.shutdown(); + } + + @Test + public void testGetDefaultNetworkHandle() { + Network activeNetwork = mConnectivityManager.getActiveNetwork(); + long networkHandle = JniLibrary.callGetDefaultNetworkHandleFromNative(); + assertEquals(activeNetwork.getNetworkHandle(), networkHandle); + + NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_WIFI, 0, + true, NetworkInfo.State.CONNECTED); + shadowOf(mConnectivityManager).setActiveNetworkInfo(wifiNetworkInfo); + Network wifiNetwork = mConnectivityManager.getActiveNetwork(); + long wifiNetworkHandle = JniLibrary.callGetDefaultNetworkHandleFromNative(); + assertEquals(wifiNetwork.getNetworkHandle(), wifiNetworkHandle); + } + + @Test + public void testGetAllConnectedNetworks() { + // Make all networks connected to the internet. + Network[] networks = mConnectivityManager.getAllNetworks(); + for (Network network : networks) { + NetworkCapabilities capabilities = mConnectivityManager.getNetworkCapabilities(network); + shadowOf(capabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + NetworkInfo netInfo = mConnectivityManager.getNetworkInfo(network); + shadowOf(netInfo).setConnectionStatus(NetworkInfo.State.CONNECTED); + } + long[][] networkArray = JniLibrary.callGetAllConnectedNetworksFromNative(); + assertEquals(networks.length, networkArray.length); + // The ShadowConnectivityManager should have 2 networks cached, one default WIFI network and + // another cellular one. + Network cellNetwork = null; + for (int i = 0; i < networks.length; ++i) { + assertEquals(networks[i].getNetworkHandle(), networkArray[i][0]); + NetworkCapabilities capabilities = mConnectivityManager.getNetworkCapabilities(networks[i]); + if (capabilities.hasTransport(NetworkCapabilities.TRANSPORT_WIFI)) { + assertEquals(EnvoyConnectionType.CONNECTION_WIFI.getValue(), networkArray[i][1]); + } else { + cellNetwork = networks[i]; + assertTrue(capabilities.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)); + assertEquals(EnvoyConnectionType.CONNECTION_2G.getValue(), networkArray[i][1]); + } + } + + assertNotNull(cellNetwork); + shadowOf(mConnectivityManager).removeNetwork(cellNetwork); + networkArray = JniLibrary.callGetAllConnectedNetworksFromNative(); + assertEquals(1, networkArray.length); + assertEquals(EnvoyConnectionType.CONNECTION_WIFI.getValue(), networkArray[0][1]); + } +} diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD b/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD index c783227d57923..70cc84213d165 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD @@ -24,6 +24,32 @@ envoy_mobile_android_test( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "//library/java/org/chromium/net", ], ) + +envoy_mobile_android_test( + name = "android_network_test", + srcs = [ + "AndroidNetworkTest.java", + ], + native_deps = [ + "//test/jni:libenvoy_jni_with_test_extensions.so", + ] + select({ + "@platforms//os:macos": [ + "//test/jni:libenvoy_jni_with_test_extensions_jnilib", + ], + "//conditions:default": [], + }), + native_lib_name = "envoy_jni_with_test_extensions", + test_class = "io.envoyproxy.envoymobile.utilities.AndroidNetworkTest", + deps = [ + "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", + "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", + "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", + "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", + "@maven//:org_robolectric_annotations", + ], +) diff --git a/mobile/test/java/org/chromium/net/CronetHttp3Test.java b/mobile/test/java/org/chromium/net/CronetHttp3Test.java index 0397260e3d58d..acf5e7006f66f 100644 --- a/mobile/test/java/org/chromium/net/CronetHttp3Test.java +++ b/mobile/test/java/org/chromium/net/CronetHttp3Test.java @@ -1,33 +1,47 @@ package org.chromium.net; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.assertFalse; - +import static org.junit.Assert.*; +import static org.robolectric.Shadows.shadowOf; +import static com.google.common.truth.Truth.assertThat; + +import android.net.ConnectivityManager; +import android.net.LinkProperties; +import android.net.NetworkCapabilities; +import android.net.Network; +import android.net.NetworkInfo; import android.Manifest; +import io.envoyproxy.envoymobile.engine.testing.HttpTestServerFactory; import io.envoyproxy.envoymobile.engine.types.EnvoyNetworkType; -import org.chromium.net.impl.CronvoyUrlRequestContext; +import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitor; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; import io.envoyproxy.envoymobile.engine.EnvoyEngine; +import io.envoyproxy.envoymobile.engine.JniLibrary; +import org.chromium.net.impl.CronvoyUrlRequestContext; import org.chromium.net.impl.CronvoyLogger; +import org.chromium.net.impl.NativeCronvoyEngineBuilderImpl; import androidx.test.core.app.ApplicationProvider; -import org.chromium.net.testing.TestUploadDataProvider; import androidx.test.filters.SmallTest; import androidx.test.rule.GrantPermissionRule; -import org.chromium.net.impl.NativeCronvoyEngineBuilderImpl; import org.chromium.net.testing.CronetTestRule; import org.chromium.net.testing.Feature; +import org.chromium.net.testing.TestUploadDataProvider; import org.chromium.net.testing.TestUrlRequestCallback; -import io.envoyproxy.envoymobile.engine.JniLibrary; import org.junit.After; import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; import org.robolectric.RobolectricTestRunner; -import io.envoyproxy.envoymobile.engine.testing.HttpTestServerFactory; + +import org.robolectric.RobolectricTestRunner; +import org.robolectric.shadows.ShadowNetwork; +import org.robolectric.shadows.ShadowNetworkInfo; +import org.robolectric.shadows.ShadowNetworkCapabilities; + import java.util.HashMap; import java.util.Map; import java.util.Collections; @@ -63,6 +77,8 @@ public class CronetHttp3Test { private boolean drainOnNetworkChange = false; private boolean resetBrokennessOnNetworkChange = false; private boolean disableDnsRefreshOnNetworkChange = false; + private boolean useAndroidNetworkMonitorV2 = false; + private ConnectivityManager connectivityManager; @BeforeClass public static void loadJniLibrary() { @@ -108,11 +124,29 @@ public void log(int logLevel, String message) { nativeCronetEngineBuilder.setLogger(logger); nativeCronetEngineBuilder.setLogLevel(EnvoyEngine.LogLevel.TRACE); } + if (useAndroidNetworkMonitorV2) { + nativeCronetEngineBuilder.setUseV2NetworkMonitor(useAndroidNetworkMonitorV2); + } // Make sure the handshake will work despite lack of real certs. nativeCronetEngineBuilder.setMockCertVerifierForTesting(); cronvoyEngine = new CronvoyUrlRequestContext(nativeCronetEngineBuilder); // Clear network states in ConnectivityManager. cronvoyEngine.getEnvoyEngine().resetConnectivityState(); + + if (useAndroidNetworkMonitorV2) { + AndroidNetworkMonitorV2 androidNetworkMonitor = AndroidNetworkMonitorV2.getInstance(); + connectivityManager = androidNetworkMonitor.getConnectivityManager(); + // AndroidNetworkMonitorV2 registers 2 NetworkCallbacks. + assertThat(shadowOf(connectivityManager).getNetworkCallbacks()).hasSize(2); + } else { + AndroidNetworkMonitor androidNetworkMonitor = AndroidNetworkMonitor.getInstance(); + connectivityManager = androidNetworkMonitor.getConnectivityManager(); + } + NetworkCapabilities networkCapabilities = + connectivityManager.getNetworkCapabilities(connectivityManager.getActiveNetwork()); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + // Verifies initial states of ShadowConnectivityManager. + assertTrue(networkCapabilities.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)); } @After @@ -123,6 +157,9 @@ public void tearDown() throws Exception { if (http3TestServer != null) { http3TestServer.shutdown(); } + if (useAndroidNetworkMonitorV2) { + AndroidNetworkMonitorV2.shutdown(); + } } private TestUrlRequestCallback doBasicGetRequest() { @@ -366,6 +403,241 @@ public void networkChangeWithDrains() throws Exception { assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); } + @Test + @SmallTest + @Feature({"Cronet"}) + public void networkChangeMonitorV2FromCellToWifi() throws Exception { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + drainOnNetworkChange = true; + useAndroidNetworkMonitorV2 = true; + setUp(printEnvoyLogs); + + // Do the initial handshake dance + doInitialHttp2Request(); + + // Do a HTTP/3 request to establish a connection. + TestUrlRequestCallback getCallback1 = doBasicGetRequest(); + assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); + + // There should be one HTTP/3 connection. + String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + + // Change from cell to newly connected WIFI network. + NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_WIFI, 0, + true, NetworkInfo.State.CONNECTED); + shadowOf(connectivityManager).setActiveNetworkInfo(wifiNetworkInfo); + Network wifiNetwork = connectivityManager.getActiveNetwork(); + NetworkCapabilities networkCapabilities = + connectivityManager.getNetworkCapabilities(wifiNetwork); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED); + shadowOf(networkCapabilities).addTransportType(NetworkCapabilities.TRANSPORT_WIFI); + shadowOf(connectivityManager).setNetworkCapabilities(wifiNetwork, networkCapabilities); + + // Connected to the new network shouldn't be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onAvailable(wifiNetwork); + }); + + // Make another request. It should reuse the existing connection because the new network won't + // be regarded as default. + TestUrlRequestCallback getCallback2 = doBasicGetRequest(); + assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // The connection count should STILL be 1, proving reuse. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + // No connections should have been destroyed. + assertFalse(postStats, postStats.contains("cluster.base.upstream_cx_destroy:")); + + // Reported capability change should be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + LinkProperties link = new LinkProperties(); + callback.onLinkPropertiesChanged(wifiNetwork, link); + callback.onCapabilitiesChanged(wifiNetwork, networkCapabilities); + }); + + // Do a 3rd HTTP/3 request. This must create a new connection. + TestUrlRequestCallback getCallback3 = doBasicGetRequest(); + assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been + // closed during draining. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + + // WIFI disconnected, no effect as long as the default network hasn't been switched. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onLost(wifiNetwork); + }); + + // Do a 4th HTTP/3 request. This should reuse the existing connection. + TestUrlRequestCallback getCallback4 = doBasicGetRequest(); + assertEquals(200, getCallback4.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback4.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Stats shouldn't have been changed. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + } + + @Test + @SmallTest + @Feature({"Cronet"}) + public void networkChangeMonitorV2FromDisconnectedCellToWifi() throws Exception { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + drainOnNetworkChange = true; + useAndroidNetworkMonitorV2 = true; + setUp(printEnvoyLogs); + + // Do the initial handshake dance + doInitialHttp2Request(); + + // Do a HTTP/3 request to establish a connection. + TestUrlRequestCallback getCallback1 = doBasicGetRequest(); + assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); + + // There should be one HTTP/3 connection. + String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + + // Lost current cellular network. + Network cellNetwork = connectivityManager.getActiveNetwork(); + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onLost(cellNetwork); + }); + + // Change from the disconnected cell to newly connected WIFI network. + NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_WIFI, 0, + true, NetworkInfo.State.CONNECTED); + shadowOf(connectivityManager).setActiveNetworkInfo(wifiNetworkInfo); + Network wifiNetwork = connectivityManager.getActiveNetwork(); + NetworkCapabilities networkCapabilities = + connectivityManager.getNetworkCapabilities(wifiNetwork); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED); + shadowOf(networkCapabilities).addTransportType(NetworkCapabilities.TRANSPORT_WIFI); + shadowOf(connectivityManager).setNetworkCapabilities(wifiNetwork, networkCapabilities); + + // Connected to the new network shouldn't be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onAvailable(wifiNetwork); + }); + + // Make another request. It should reuse the existing connection because the new network won't + // be regarded as default. + TestUrlRequestCallback getCallback2 = doBasicGetRequest(); + assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // The connection count should STILL be 1, proving reuse. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + // No connections should have been destroyed. + assertFalse(postStats, postStats.contains("cluster.base.upstream_cx_destroy:")); + + // Reported capability change should be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + LinkProperties link = new LinkProperties(); + callback.onLinkPropertiesChanged(wifiNetwork, link); + callback.onCapabilitiesChanged(wifiNetwork, networkCapabilities); + }); + + // Do a 3rd HTTP/3 request. This must create a new connection. + TestUrlRequestCallback getCallback3 = doBasicGetRequest(); + assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been + // closed during draining. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + } + + @Test + @SmallTest + @Feature({"Cronet"}) + public void networkChangeMonitorV2VpnOnAndOff() throws Exception { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + drainOnNetworkChange = true; + useAndroidNetworkMonitorV2 = true; + setUp(printEnvoyLogs); + + // Do the initial handshake dance + doInitialHttp2Request(); + + // Do a HTTP/3 request to establish a connection. + TestUrlRequestCallback getCallback1 = doBasicGetRequest(); + assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); + + // There should be one HTTP/3 connection. + String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + + // A VPN network becomes available. + NetworkInfo networkInfoVpn = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_VPN, 0, + true, NetworkInfo.State.CONNECTED); + Network vpnNetwork = ShadowNetwork.newInstance(2); + shadowOf(connectivityManager).addNetwork(vpnNetwork, networkInfoVpn); + NetworkCapabilities capabilities = ShadowNetworkCapabilities.newInstance(); + shadowOf(capabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + shadowOf(capabilities).addTransportType(NetworkCapabilities.TRANSPORT_VPN); + shadowOf(connectivityManager).setNetworkCapabilities(vpnNetwork, capabilities); + + // As long as VPN is available, it should be regarded as default network and trigger a default + // network change. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + // This should also purge the cellular network. But it's not observable to requests. + callback.onAvailable(vpnNetwork); + }); + + // Do another HTTP/3 request. This should create a new connection as the existing one is + // drained. + TestUrlRequestCallback getCallback2 = doBasicGetRequest(); + assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been + // closed during draining. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + + // The VPN becomes unavailable, the underlying cellular network should be regarded as the + // default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onLost(vpnNetwork); + }); + + // Do a 3rd HTTP/3 request. This must create a new connection. + TestUrlRequestCallback getCallback3 = doBasicGetRequest(); + assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 3. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 3")); + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 3")); + } + @Test @SmallTest @Feature({"Cronet"}) diff --git a/mobile/test/java/org/chromium/net/testing/BUILD b/mobile/test/java/org/chromium/net/testing/BUILD index fd0adffecd18e..dc30f7ec0feb4 100644 --- a/mobile/test/java/org/chromium/net/testing/BUILD +++ b/mobile/test/java/org/chromium/net/testing/BUILD @@ -37,6 +37,7 @@ android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "//library/java/org/chromium/net", "//library/java/org/chromium/net/impl:cronvoy", "//library/kotlin/io/envoyproxy/envoymobile:envoy_interfaces_lib", From 490297ae47e8bb2a4dd3c212cfd174c0175eb965 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 14 Aug 2025 17:35:19 -0400 Subject: [PATCH 228/505] Replace ProtobufWkt with Protobuf namespace (#40699) This is a large but trivial change. Remove ProtobufWkt and use Protobuf namespace instead. These namespaces were aliases to the same ::google::protobuf namespace. Separate aliases just increase confusion as they were used interchangeably and their benefit no longer outweighs the mess they create. The main change is in `source/common/protobuf/protobuf.h` the rest is search and replace of ProtobufWkt to Protobuf Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Yan Avlasov --- api/envoy/type/matcher/v3/value.proto | 2 +- api/envoy/type/matcher/value.proto | 2 +- contrib/common/sqlutils/source/sqlutils.cc | 2 +- contrib/common/sqlutils/source/sqlutils.h | 2 +- contrib/common/sqlutils/test/sqlutils_test.cc | 2 +- .../config/source/kv_store_xds_delegate.cc | 2 +- contrib/config/source/kv_store_xds_delegate.h | 2 +- .../filters/http/source/golang_filter.cc | 4 +- .../filters/http/source/golang_filter.h | 4 +- .../http/test/golang_integration_test.cc | 12 +- .../golang/filters/network/source/golang.h | 4 +- .../source/golang_cluster_specifier.h | 2 +- .../http/tcp/source/upstream_request.h | 2 +- .../filters/network/source/mysql_filter.cc | 2 +- .../filters/network/source/postgres_filter.cc | 2 +- .../network/test/postgres_filter_test.cc | 4 +- .../filters/network/source/active_message.cc | 2 +- .../filters/network/source/codec.cc | 25 +- .../filters/network/source/codec.h | 5 +- .../filters/network/source/conn_manager.cc | 4 +- .../filters/network/source/protocol.cc | 222 +++++++++--------- .../filters/network/source/protocol.h | 42 ++-- .../filters/network/source/topic_route.cc | 26 +- .../filters/network/source/topic_route.h | 6 +- .../network/test/active_message_test.cc | 4 +- .../filters/network/test/codec_test.cc | 2 +- .../filters/network/test/conn_manager_test.cc | 8 +- .../filters/network/test/protocol_test.cc | 60 ++--- .../network/test/route_matcher_test.cc | 2 +- .../filters/network/test/topic_route_test.cc | 6 +- .../sip_proxy/filters/network/test/mocks.cc | 6 +- .../sip_proxy/filters/network/test/mocks.h | 4 +- .../udp_sink/source/udp_sink_impl.cc | 2 +- .../advanced/data_sharing_between_filters.rst | 4 +- docs/root/operations/admin.rst | 6 +- envoy/config/config_validator.h | 2 +- envoy/config/subscription.h | 6 +- envoy/config/typed_metadata.h | 5 +- envoy/config/xds_config_tracker.h | 2 +- envoy/config/xds_resources_delegate.h | 2 +- envoy/formatter/substitution_formatter_base.h | 4 +- envoy/network/filter.h | 4 +- envoy/router/router.h | 4 +- envoy/stream_info/filter_state.h | 2 +- envoy/stream_info/stream_info.h | 4 +- envoy/upstream/health_check_event_sink.h | 2 +- mobile/library/cc/engine_builder.cc | 16 +- mobile/library/cc/engine_builder.h | 6 +- mobile/test/cc/integration/send_data_test.cc | 2 +- .../test/cc/integration/send_headers_test.cc | 2 +- .../test/cc/integration/send_trailers_test.cc | 2 +- mobile/test/cc/unit/envoy_config_test.cc | 2 +- mobile/test/common/internal_engine_test.cc | 2 +- mobile/test/jni/jni_utility_test.cc | 2 +- source/common/common/matchers.cc | 22 +- source/common/common/matchers.h | 18 +- source/common/config/decoded_resource_impl.h | 9 +- source/common/config/metadata.cc | 38 ++- source/common/config/metadata.h | 29 ++- .../config/opaque_resource_decoder_impl.h | 2 +- source/common/config/utility.cc | 6 +- source/common/config/utility.h | 8 +- source/common/config/xds_context_params.cc | 2 +- source/common/filter/config_discovery_impl.h | 2 +- .../formatter/http_specific_formatter.cc | 24 +- .../formatter/http_specific_formatter.h | 52 ++-- .../common/formatter/stream_info_formatter.cc | 41 ++-- .../common/formatter/stream_info_formatter.h | 22 +- .../formatter/substitution_format_string.cc | 2 +- .../formatter/substitution_format_string.h | 4 +- .../formatter/substitution_format_utility.cc | 2 +- .../formatter/substitution_format_utility.h | 2 +- .../formatter/substitution_formatter.cc | 30 +-- .../common/formatter/substitution_formatter.h | 14 +- source/common/http/filter_manager.h | 2 +- source/common/http/http1/settings.cc | 2 +- source/common/http/http1/settings.h | 3 +- source/common/http/utility.cc | 4 +- source/common/http/utility.h | 4 +- source/common/json/json_internal.cc | 22 +- source/common/json/json_internal.h | 2 +- source/common/json/json_loader.cc | 2 +- source/common/json/json_loader.h | 2 +- source/common/json/json_utility.cc | 44 ++-- source/common/json/json_utility.h | 4 +- .../listener_manager/active_tcp_socket.cc | 6 +- .../listener_manager/active_tcp_socket.h | 4 +- .../filter_chain_manager_impl.cc | 6 +- .../common/listener_manager/listener_impl.cc | 4 +- .../common/listener_manager/listener_impl.h | 2 +- source/common/protobuf/deterministic_hash.cc | 4 +- source/common/protobuf/protobuf.h | 14 +- source/common/protobuf/utility.cc | 103 ++++---- source/common/protobuf/utility.h | 105 ++++----- source/common/protobuf/visitor.cc | 2 +- source/common/protobuf/yaml_utility.cc | 24 +- .../quic/envoy_quic_server_connection.h | 4 +- source/common/router/config_impl.cc | 2 +- .../router/metadatamatchcriteria_impl.cc | 2 +- .../router/metadatamatchcriteria_impl.h | 6 +- source/common/router/per_filter_config.cc | 12 +- source/common/router/per_filter_config.h | 6 +- source/common/router/router_ratelimit.cc | 8 +- source/common/router/string_accessor_impl.h | 2 +- source/common/runtime/runtime_impl.cc | 34 +-- source/common/runtime/runtime_impl.h | 11 +- source/common/secret/secret_manager_impl.cc | 8 +- .../common/stream_info/bool_accessor_impl.h | 2 +- source/common/stream_info/stream_info_impl.h | 4 +- .../common/stream_info/uint32_accessor_impl.h | 2 +- .../common/stream_info/uint64_accessor_impl.h | 2 +- source/common/tcp_proxy/upstream.cc | 2 +- source/common/tls/context_impl.cc | 4 +- .../tls/default_tls_certificate_selector.h | 2 +- .../common/tls/server_context_config_impl.cc | 2 +- source/common/tls/ssl_handshaker.h | 2 +- source/common/tls/utility.cc | 4 +- source/common/tracing/custom_tag_impl.cc | 12 +- .../common/upstream/cluster_factory_impl.cc | 2 +- source/common/upstream/upstream_impl.cc | 2 +- source/docs/subset_load_balancer.md | 6 +- .../access_loggers/filters/cel/cel.cc | 2 +- .../grpc/grpc_access_log_utils.cc | 6 +- .../open_telemetry/grpc_access_log_impl.h | 4 +- .../extensions/access_loggers/wasm/config.h | 2 +- .../original_dst/original_dst_cluster.cc | 8 +- ...iam_roles_anywhere_credentials_provider.cc | 2 +- .../validators/minimum_clusters/config.cc | 2 +- .../validators/minimum_clusters/config.h | 2 +- .../config_subscription/grpc/watch_map.cc | 2 +- .../config_subscription/grpc/watch_map.h | 2 +- .../filters/common/expr/cel_state.cc | 4 +- .../extensions/filters/common/expr/context.cc | 4 +- .../extensions/filters/common/expr/context.h | 2 +- .../filters/common/ext_authz/ext_authz.h | 2 +- .../common/ext_authz/ext_authz_http_impl.cc | 6 +- .../filters/common/lua/protobuf_converter.cc | 6 +- .../filters/common/lua/protobuf_converter.h | 2 +- .../extensions/filters/common/lua/wrappers.cc | 36 +-- .../extensions/filters/common/lua/wrappers.h | 16 +- .../filters/common/ratelimit/ratelimit.h | 2 +- .../common/ratelimit/ratelimit_impl.cc | 2 +- .../ratelimit_config/ratelimit_config.cc | 2 +- .../filters/common/rbac/engine_impl.cc | 2 +- .../http/aws_lambda/aws_lambda_filter.cc | 2 +- .../filters/http/composite/filter.cc | 4 +- .../filters/http/composite/filter.h | 2 +- .../end_stream_response.cc | 22 +- .../connect_grpc_bridge/end_stream_response.h | 2 +- .../filters/http/custom_response/policy.h | 2 +- .../filters/http/dynamic_modules/abi_impl.cc | 14 +- .../filters/http/ext_authz/ext_authz.cc | 2 +- .../filters/http/ext_authz/ext_authz.h | 10 +- .../filters/http/ext_proc/ext_proc.cc | 4 +- .../filters/http/ext_proc/ext_proc.h | 12 +- .../filters/http/ext_proc/matching_utils.cc | 8 +- .../filters/http/ext_proc/matching_utils.h | 6 +- .../filters/http/ext_proc/processor_state.h | 6 +- .../filters/http/fault/fault_filter.h | 4 +- .../http/grpc_field_extraction/extractor.h | 2 +- .../grpc_field_extraction/extractor_impl.cc | 2 +- .../http/grpc_field_extraction/filter.cc | 2 +- .../filter_config.cc | 6 +- .../grpc_json_transcoder/http_body_utils.cc | 14 +- .../grpc_json_transcoder/http_body_utils.h | 5 +- .../json_transcoder_filter.cc | 6 +- .../json_transcoder_filter.h | 6 +- .../http/grpc_stats/response_frame_counter.cc | 2 +- .../header_to_metadata_filter.cc | 2 +- .../header_to_metadata_filter.h | 2 +- .../filters/http/json_to_metadata/filter.cc | 26 +- .../filters/http/json_to_metadata/filter.h | 10 +- .../filters/http/jwt_authn/authenticator.cc | 20 +- .../filters/http/jwt_authn/authenticator.h | 2 +- .../filters/http/jwt_authn/filter.cc | 2 +- .../filters/http/jwt_authn/filter.h | 4 +- .../filters/http/jwt_authn/jwks_cache.cc | 2 +- .../filters/http/jwt_authn/verifier.cc | 10 +- .../filters/http/jwt_authn/verifier.h | 2 +- .../extensions/filters/http/lua/lua_filter.cc | 10 +- .../extensions/filters/http/lua/lua_filter.h | 24 +- .../extensions/filters/http/lua/wrappers.cc | 14 +- source/extensions/filters/http/lua/wrappers.h | 8 +- .../extensions/filters/http/oauth2/filter.cc | 2 +- .../extraction_util/extraction_util.cc | 10 +- .../extraction_util/extraction_util.h | 17 +- .../extraction_util/proto_extractor.cc | 2 +- .../extraction_util/proto_extractor.h | 13 +- .../proto_extractor_interface.h | 2 +- .../http/proto_message_extraction/extractor.h | 6 +- .../extractor_impl.cc | 2 +- .../proto_message_extraction/extractor_impl.h | 4 +- .../http/proto_message_extraction/filter.cc | 4 +- .../proto_message_extraction/filter_config.cc | 2 +- .../filters/http/rate_limit_quota/filter.cc | 2 +- .../filters/http/rbac/rbac_filter.cc | 6 +- .../filters/http/rbac/rbac_filter.h | 5 +- .../http/set_metadata/set_metadata_filter.cc | 2 +- .../http/set_metadata/set_metadata_filter.h | 4 +- .../filters/http/thrift_to_metadata/filter.cc | 49 ++-- .../filters/http/thrift_to_metadata/filter.h | 12 +- .../listener/proxy_protocol/proxy_protocol.cc | 7 +- .../filters/network/ext_authz/ext_authz.cc | 2 +- .../network/generic_proxy/access_log.cc | 4 +- .../network/generic_proxy/access_log.h | 9 +- .../filters/network/generic_proxy/config.cc | 2 +- .../filters/network/generic_proxy/config.h | 2 +- .../network/generic_proxy/route_impl.cc | 2 +- .../network/generic_proxy/route_impl.h | 2 +- .../filters/network/mongo_proxy/proxy.cc | 2 +- .../filters/network/rbac/rbac_filter.cc | 2 +- .../network/redis_proxy/external_auth.h | 2 +- .../network/thrift_proxy/conn_manager.cc | 4 +- .../header_to_metadata_filter.cc | 2 +- .../header_to_metadata_filter.h | 2 +- .../payload_to_metadata_filter.cc | 2 +- .../payload_to_metadata_filter.h | 2 +- .../filters/network/zookeeper_proxy/filter.cc | 4 +- .../filters/udp/udp_proxy/udp_proxy_filter.cc | 4 +- source/extensions/formatter/cel/cel.cc | 2 +- source/extensions/formatter/cel/cel.h | 4 +- .../req_without_query/req_without_query.cc | 2 +- .../req_without_query/req_without_query.h | 4 +- .../event_sinks/file/file_sink_impl.cc | 2 +- .../event_sinks/file/file_sink_impl.h | 2 +- .../header_mutation/config.cc | 2 +- .../header_validators/envoy_default/config.cc | 2 +- .../custom_header/config.cc | 2 +- .../http/original_ip_detection/xff/config.cc | 2 +- .../common/thread_aware_lb_impl.h | 2 +- .../override_host/load_balancer.cc | 3 +- .../subset/subset_lb.cc | 12 +- .../subset/subset_lb.h | 8 +- .../subset/subset_lb_config.h | 8 +- .../matching/http/metadata_input/meta_input.h | 4 +- .../rate_limit_descriptors/expr/config.cc | 2 +- .../omit_host_metadata/omit_host_metadata.h | 2 +- .../resource_detectors/dynatrace/config.cc | 2 +- .../resource_detectors/environment/config.cc | 2 +- .../resource_detectors/static/config.cc | 2 +- .../opentelemetry/samplers/cel/config.cc | 2 +- .../samplers/dynatrace/config.cc | 2 +- .../samplers/parent_based/config.cc | 2 +- .../samplers/trace_id_ratio_based/config.cc | 2 +- source/extensions/tracers/xray/config.cc | 2 +- .../tracers/xray/localized_sampling.cc | 14 +- source/extensions/tracers/xray/tracer.h | 16 +- .../tracers/xray/xray_configuration.h | 2 +- .../extensions/tracers/zipkin/span_buffer.cc | 20 +- .../extensions/tracers/zipkin/span_buffer.h | 6 +- source/extensions/tracers/zipkin/util.cc | 4 +- source/extensions/tracers/zipkin/util.h | 6 +- .../tracers/zipkin/zipkin_core_types.cc | 22 +- .../tracers/zipkin/zipkin_core_types.h | 12 +- .../transport_sockets/alts/tsi_socket.cc | 4 +- source/server/admin/admin.cc | 4 +- source/server/admin/config_dump_handler.cc | 2 +- source/server/admin/runtime_handler.cc | 10 +- source/server/overload_manager_impl.cc | 2 +- .../common/access_log/access_log_impl_test.cc | 11 +- test/common/common/logger_test.cc | 34 +-- test/common/common/matchers_test.cc | 14 +- .../custom_config_validators_impl_test.cc | 6 +- .../config/decoded_resource_impl_test.cc | 46 ++-- test/common/config/metadata_test.cc | 33 ++- .../opaque_resource_decoder_impl_test.cc | 8 +- test/common/config/utility_test.cc | 45 ++-- test/common/config/xds_manager_impl_test.cc | 4 +- .../filter/config_discovery_impl_test.cc | 14 +- test/common/formatter/command_extension.cc | 16 +- test/common/formatter/command_extension.h | 10 +- .../substitution_formatter_fuzz_test.cc | 4 +- .../substitution_formatter_speed_test.cc | 4 +- .../formatter/substitution_formatter_test.cc | 93 ++++---- test/common/http/async_client_impl_test.cc | 2 +- test/common/http/conn_manager_impl_test.cc | 4 +- test/common/http/filter_manager_test.cc | 2 +- test/common/http/utility_test.cc | 6 +- test/common/json/json_fuzz_test.cc | 8 +- test/common/json/json_loader_test.cc | 6 +- test/common/json/json_utility_test.cc | 6 +- test/common/matcher/test_utility.h | 20 +- test/common/protobuf/utility_test.cc | 197 ++++++++-------- test/common/protobuf/value_util_fuzz_test.cc | 2 +- .../quic/envoy_quic_proof_source_test.cc | 2 +- .../router/config_impl_integration_test.cc | 4 +- test/common/router/config_impl_test.cc | 50 ++-- test/common/router/router_test_base.cc | 4 +- test/common/router/scoped_rds_test.cc | 3 +- test/common/runtime/runtime_impl_test.cc | 29 ++- test/common/stats/thread_local_store_test.cc | 6 +- .../stream_info/stream_info_impl_test.cc | 4 +- .../stream_info/uint32_accessor_impl_test.cc | 2 +- .../stream_info/uint64_accessor_impl_test.cc | 2 +- test/common/tcp_proxy/config_test.cc | 18 +- test/common/tcp_proxy/tcp_proxy_test.cc | 18 +- test/common/tcp_proxy/upstream_test.cc | 2 +- .../tls/cert_selector/async_cert_selector.h | 6 +- .../default_validator_integration_test.cc | 4 +- test/common/tls/handshaker_factory_test.cc | 8 +- .../tls/test_private_key_method_provider.cc | 20 +- .../tls/test_private_key_method_provider.h | 2 +- test/common/tracing/http_tracer_impl_test.cc | 2 +- .../tracing/tracer_manager_impl_test.cc | 8 +- .../upstream/cluster_manager_impl_test.cc | 4 +- .../upstream/cluster_manager_misc_test.cc | 2 +- ...local_address_selector_integration_test.cc | 4 +- .../upstream/test_local_address_selector.h | 2 +- test/common/upstream/upstream_impl_test.cc | 10 +- test/config/utility.cc | 8 +- test/config/utility.h | 2 +- test/exe/all_extensions_build_test.cc | 8 +- .../common/grpc_access_logger_test.cc | 55 +++-- .../fluentd/substitution_formatter_test.cc | 2 +- .../grpc/grpc_access_log_utils_test.cc | 6 +- .../grpc/http_grpc_access_log_impl_test.cc | 10 +- .../open_telemetry/access_log_impl_test.cc | 2 +- .../grpc_access_log_impl_test.cc | 2 +- .../substitution_formatter_test.cc | 18 +- .../access_loggers/wasm/config_test.cc | 2 +- test/extensions/bootstrap/wasm/config_test.cc | 4 +- test/extensions/common/tap/admin_test.cc | 20 +- test/extensions/common/wasm/wasm_test.cc | 8 +- .../minimum_clusters/config_test.cc | 4 +- .../grpc/delta_subscription_state_test.cc | 8 +- .../grpc/watch_map_test.cc | 41 ++-- .../dynamic_modules/http/abi_impl_test.cc | 4 +- .../filters/common/expr/context_test.cc | 4 +- .../filters/common/expr/evaluator_test.cc | 4 +- .../ext_authz/ext_authz_grpc_impl_test.cc | 6 +- .../ext_authz/ext_authz_http_impl_test.cc | 2 +- .../common/lua/protobuf_converter_test.cc | 8 +- .../common/ratelimit/ratelimit_impl_test.cc | 2 +- .../ratelimit_config/ratelimit_config_test.cc | 2 +- .../filters/common/rbac/engine_impl_test.cc | 4 +- .../filters/common/rbac/matchers_test.cc | 14 +- .../http/aws_lambda/aws_lambda_filter_test.cc | 4 +- .../http/common/empty_http_filter_config.h | 2 +- .../http/common/fuzz/uber_per_filter.cc | 2 +- .../filters/http/composite/filter_test.cc | 4 +- .../compressor_filter_integration_test.cc | 2 +- .../connect_grpc_bridge_filter_test.cc | 4 +- .../end_stream_response_test.cc | 4 +- .../custom_response_integration_test.cc | 2 +- .../filters/http/custom_response/utility.h | 2 +- .../ext_authz/ext_authz_integration_test.cc | 12 +- .../filters/http/ext_authz/ext_authz_test.cc | 12 +- .../http/ext_authz/logging_test_filter.cc | 2 +- .../ext_proc/ext_proc_integration_test.cc | 14 +- .../filters/http/ext_proc/filter_test.cc | 36 +-- test/extensions/filters/http/ext_proc/utils.h | 18 +- .../http/grpc_field_extraction/filter_test.cc | 18 +- ...son_reverse_transcoder_integration_test.cc | 2 +- .../grpc_json_transcoder_integration_test.cc | 14 +- .../http_body_utils_test.cc | 6 +- .../json_transcoder_filter_test.cc | 2 +- .../filters/http/grpc_stats/config_test.cc | 4 +- .../header_mutation_integration_test.cc | 30 +-- .../header_to_metadata_filter_test.cc | 12 +- .../http/json_to_metadata/filter_test.cc | 76 +++--- .../http/jwt_authn/authenticator_test.cc | 22 +- .../filters/http/jwt_authn/filter_test.cc | 4 +- .../http/jwt_authn/group_verifier_test.cc | 20 +- test/extensions/filters/http/jwt_authn/mock.h | 2 +- .../http/jwt_authn/provider_verifier_test.cc | 46 ++-- .../filters/http/lua/lua_filter_test.cc | 58 ++--- .../filters/http/lua/lua_integration_test.cc | 14 +- .../filters/http/lua/wrappers_test.cc | 42 ++-- .../http/match_delegate/config_test.cc | 4 +- .../match_delegate_integration_test.cc | 2 +- .../http/on_demand/odcds_integration_test.cc | 4 +- .../http/proto_api_scrubber/filter_test.cc | 2 +- .../extraction_util/extraction_util_test.cc | 12 +- .../proto_message_extraction/filter_test.cc | 52 ++-- .../integration_test.cc | 2 +- .../filters/http/ratelimit/ratelimit_test.cc | 4 +- .../http/rbac/rbac_filter_integration_test.cc | 16 +- .../filters/http/rbac/rbac_filter_test.cc | 8 +- .../set_metadata/set_metadata_filter_test.cc | 34 +-- .../stateful_session_integration_test.cc | 2 +- .../http/thrift_to_metadata/filter_test.cc | 4 +- .../filters/http/wasm/wasm_filter_test.cc | 36 +-- .../tls_inspector_integration_test.cc | 2 +- ...ated_input_generator_any_map_extensions.cc | 2 +- .../filters/network/dubbo_proxy/mocks.cc | 2 +- .../filters/network/dubbo_proxy/mocks.h | 6 +- .../network/dubbo_proxy/route_matcher_test.cc | 6 +- .../network/dubbo_proxy/router_test.cc | 12 +- .../network/ext_authz/ext_authz_test.cc | 28 +-- .../ext_proc/ext_proc_integration_test.cc | 28 +-- .../filters/network/ext_proc/ext_proc_test.cc | 11 +- .../network/generic_proxy/config_test.cc | 2 +- .../network/generic_proxy/fake_codec.h | 4 +- .../network/generic_proxy/mocks/codec.h | 2 +- .../network/generic_proxy/mocks/filter.cc | 2 +- .../network/generic_proxy/route_test.cc | 12 +- .../generic_proxy/router/router_test.cc | 4 +- .../http_connection_manager/config_test.cc | 6 +- .../network/match_delegate/config_test.cc | 4 +- .../match_delegate_integration_test.cc | 4 +- .../network/ratelimit/ratelimit_test.cc | 4 +- .../filters/network/rbac/filter_test.cc | 10 +- .../network/thrift_proxy/conn_manager_test.cc | 2 +- .../header_to_metadata_filter_test.cc | 12 +- .../payload_to_metadata_filter_test.cc | 4 +- .../filters/ratelimit/ratelimit_test.cc | 4 +- .../filters/network/thrift_proxy/mocks.cc | 10 +- .../filters/network/thrift_proxy/mocks.h | 12 +- .../thrift_proxy/route_matcher_test.cc | 8 +- .../network/thrift_proxy/router_test.cc | 8 +- .../network/zookeeper_proxy/config_test.cc | 17 +- .../network/zookeeper_proxy/filter_test.cc | 4 +- .../udp_proxy/udp_proxy_integration_test.cc | 2 +- .../formatter/metadata/integration_test.cc | 2 +- .../formatter/metadata/metadata_test.cc | 2 +- .../event_sinks/file/file_sink_impl_test.cc | 2 +- .../header_mutation/config_test.cc | 2 +- .../user_space/io_handle_impl_test.cc | 4 +- .../common/benchmark_base_tester.cc | 4 +- .../override_host/config_test.cc | 8 +- .../override_host/load_balancer_test.cc | 2 +- .../subset/subset_test.cc | 60 ++--- .../cel_matcher/cel_matcher_test.cc | 2 +- .../network/common/inputs_integration_test.cc | 2 +- .../dns_resolver/cares/dns_impl_test.cc | 12 +- .../pending_proof_source_factory_impl.h | 2 +- .../host/omit_canary_hosts/config_test.cc | 2 +- .../retry/host/previous_hosts/config_test.cc | 2 +- .../grpc_trace_exporter_integration_test.cc | 2 +- .../resource_provider_test.cc | 4 +- .../opentelemetry/samplers/sampler_test.cc | 2 +- test/extensions/tracers/xray/tracer_test.cc | 4 +- .../tracers/xray/xray_tracer_impl_test.cc | 2 +- .../tracers/zipkin/span_buffer_test.cc | 8 +- .../http_11_proxy/connect_test.cc | 2 +- .../internal_upstream_test.cc | 4 +- .../proxy_protocol_integration_test.cc | 2 +- .../proxy_protocol/proxy_protocol_test.cc | 10 +- test/extensions/upstreams/http/config_test.cc | 2 +- .../upstreams/http/generic/config_test.cc | 2 +- .../upstreams/http/udp/config_test.cc | 2 +- test/fuzz/mutable_visitor.cc | 2 +- test/fuzz/utility.h | 2 +- test/fuzz/validated_input_generator.cc | 10 +- .../access_log_integration_test.cc | 2 +- test/integration/ads_integration.cc | 18 +- test/integration/ads_integration_test.cc | 4 +- test/integration/base_integration_test.cc | 2 +- test/integration/base_integration_test.h | 24 +- .../circuit_breakers_integration_test.cc | 2 +- .../cluster_filter_integration_test.cc | 10 +- ...ter_upstream_extension_integration_test.cc | 2 +- ...nd_formatter_extension_integration_test.cc | 2 +- .../extension_discovery_integration_test.cc | 2 +- .../filter_manager_integration_test.cc | 2 +- .../address_restore_listener_filter.cc | 2 +- .../filters/decode_dynamic_metadata_filter.cc | 6 +- .../filters/listener_typed_metadata_filter.cc | 6 +- .../filters/stream_info_to_headers_filter.cc | 14 +- .../http_typed_per_filter_config_test.cc | 4 +- test/integration/integration_test.cc | 4 +- .../listener_lds_integration_test.cc | 2 +- .../multiplexed_upstream_integration_test.cc | 4 +- test/integration/rtds_integration_test.cc | 6 +- .../tcp_conn_pool_integration_test.cc | 2 +- .../integration/tcp_proxy_integration_test.cc | 8 +- .../typed_metadata_integration_test.cc | 8 +- .../upstreams/per_host_upstream_config.h | 6 +- .../xds_config_tracker_integration_test.cc | 4 +- ...xds_delegate_extension_integration_test.cc | 2 +- test/mocks/config/mocks.h | 4 +- test/mocks/http/stateful_session.h | 2 +- test/mocks/network/mocks.h | 4 +- test/mocks/router/mocks.h | 4 +- test/mocks/server/tracer_factory.cc | 2 +- test/mocks/stream_info/mocks.h | 4 +- test/mocks/upstream/cluster_info.h | 2 +- test/mocks/upstream/retry_priority_factory.h | 2 +- .../test_retry_host_predicate_factory.h | 2 +- .../upstream/typed_load_balancer_factory.h | 2 +- test/server/admin/admin_test.cc | 4 +- test/server/admin/config_dump_handler_test.cc | 12 +- test/server/admin/config_tracker_impl_test.cc | 2 +- test/server/api_listener_test.cc | 2 +- test/server/filter_config_test.cc | 4 +- test/server/guarddog_impl_test.cc | 4 +- test/server/options_impl_test.cc | 4 +- test/server/overload_manager_impl_test.cc | 10 +- test/server/server_test.cc | 6 +- test/test_common/test_runtime.h | 6 +- test/test_common/utility.h | 21 +- test/test_common/wasm_base.h | 2 +- test/tools/router_check/router.cc | 2 +- tools/code_format/config.yaml | 11 - tools/testdata/check_format/proto_style.cc | 4 +- .../testdata/check_format/proto_style.cc.gold | 14 +- 496 files changed, 2272 insertions(+), 2349 deletions(-) diff --git a/api/envoy/type/matcher/v3/value.proto b/api/envoy/type/matcher/v3/value.proto index d773c6057fccc..8d65c457ccca7 100644 --- a/api/envoy/type/matcher/v3/value.proto +++ b/api/envoy/type/matcher/v3/value.proto @@ -17,7 +17,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Value matcher] -// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. +// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported. // StructValue is not supported and is always not matched. // [#next-free-field: 8] message ValueMatcher { diff --git a/api/envoy/type/matcher/value.proto b/api/envoy/type/matcher/value.proto index 89d341bbbaa4c..6452fcedec4f3 100644 --- a/api/envoy/type/matcher/value.proto +++ b/api/envoy/type/matcher/value.proto @@ -16,7 +16,7 @@ option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Value matcher] -// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. +// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported. // StructValue is not supported and is always not matched. // [#next-free-field: 7] message ValueMatcher { diff --git a/contrib/common/sqlutils/source/sqlutils.cc b/contrib/common/sqlutils/source/sqlutils.cc index dffa393bd0390..8f20108dc422c 100644 --- a/contrib/common/sqlutils/source/sqlutils.cc +++ b/contrib/common/sqlutils/source/sqlutils.cc @@ -6,7 +6,7 @@ namespace Common { namespace SQLUtils { bool SQLUtils::setMetadata(const std::string& query, const DecoderAttributes& attr, - ProtobufWkt::Struct& metadata) { + Protobuf::Struct& metadata) { hsql::SQLParserResult result; hsql::SQLParser::parse(query, &result); diff --git a/contrib/common/sqlutils/source/sqlutils.h b/contrib/common/sqlutils/source/sqlutils.h index 4c62f2a5e91d9..5b731f30a7744 100644 --- a/contrib/common/sqlutils/source/sqlutils.h +++ b/contrib/common/sqlutils/source/sqlutils.h @@ -24,7 +24,7 @@ class SQLUtils { * stored in metadata.mutable_fields. **/ static bool setMetadata(const std::string& query, const DecoderAttributes& attr, - ProtobufWkt::Struct& metadata); + Protobuf::Struct& metadata); }; } // namespace SQLUtils diff --git a/contrib/common/sqlutils/test/sqlutils_test.cc b/contrib/common/sqlutils/test/sqlutils_test.cc index e58f03eab5f7d..6a97edde1a574 100644 --- a/contrib/common/sqlutils/test/sqlutils_test.cc +++ b/contrib/common/sqlutils/test/sqlutils_test.cc @@ -40,7 +40,7 @@ TEST_P(MetadataFromSQLTest, ParsingAndMetadataTest) { while (!test_queries.empty()) { std::string test_query = test_queries.back(); - ProtobufWkt::Struct metadata; + Protobuf::Struct metadata; // Check if the parsing result is what expected. ASSERT_EQ(std::get<1>(GetParam()), diff --git a/contrib/config/source/kv_store_xds_delegate.cc b/contrib/config/source/kv_store_xds_delegate.cc index 8d53446cceed4..5a228d2ffeb76 100644 --- a/contrib/config/source/kv_store_xds_delegate.cc +++ b/contrib/config/source/kv_store_xds_delegate.cc @@ -148,7 +148,7 @@ std::string KeyValueStoreXdsDelegateFactory::name() const { }; Envoy::Config::XdsResourcesDelegatePtr KeyValueStoreXdsDelegateFactory::createXdsResourcesDelegate( - const ProtobufWkt::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor, + const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor, Api::Api& api, Event::Dispatcher& dispatcher) { const auto& validator_config = Envoy::MessageUtil::anyConvertAndValidate(config, diff --git a/contrib/config/source/kv_store_xds_delegate.h b/contrib/config/source/kv_store_xds_delegate.h index c0e29b7792993..e3c62ec8ae098 100644 --- a/contrib/config/source/kv_store_xds_delegate.h +++ b/contrib/config/source/kv_store_xds_delegate.h @@ -79,7 +79,7 @@ class KeyValueStoreXdsDelegateFactory : public Envoy::Config::XdsResourcesDelega std::string name() const override; Envoy::Config::XdsResourcesDelegatePtr - createXdsResourcesDelegate(const ProtobufWkt::Any& config, + createXdsResourcesDelegate(const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor, Api::Api& api, Event::Dispatcher& dispatcher) override; }; diff --git a/contrib/golang/filters/http/source/golang_filter.cc b/contrib/golang/filters/http/source/golang_filter.cc index 2b8af6ffb3508..c3bc4e3250d3f 100644 --- a/contrib/golang/filters/http/source/golang_filter.cc +++ b/contrib/golang/filters/http/source/golang_filter.cc @@ -1225,8 +1225,8 @@ CAPIStatus Filter::setDynamicMetadata(std::string filter_name, std::string key, void Filter::setDynamicMetadataInternal(std::string filter_name, std::string key, const absl::string_view& buf) { - ProtobufWkt::Struct value; - ProtobufWkt::Value v; + Protobuf::Struct value; + Protobuf::Value v; v.ParseFromArray(buf.data(), buf.length()); (*value.mutable_fields())[key] = v; diff --git a/contrib/golang/filters/http/source/golang_filter.h b/contrib/golang/filters/http/source/golang_filter.h index a49be6cbc2643..f5aa4409d9556 100644 --- a/contrib/golang/filters/http/source/golang_filter.h +++ b/contrib/golang/filters/http/source/golang_filter.h @@ -97,7 +97,7 @@ class FilterConfig : public std::enable_shared_from_this, const std::string plugin_name_; const std::string so_id_; const std::string so_path_; - const ProtobufWkt::Any plugin_config_; + const Protobuf::Any plugin_config_; uint32_t concurrency_; GolangFilterStats stats_; @@ -126,7 +126,7 @@ class RoutePluginConfig : public std::enable_shared_from_this private: const std::string plugin_name_; - const ProtobufWkt::Any plugin_config_; + const Protobuf::Any plugin_config_; Dso::HttpFilterDsoPtr dso_lib_; uint64_t config_id_{0}; diff --git a/contrib/golang/filters/http/test/golang_integration_test.cc b/contrib/golang/filters/http/test/golang_integration_test.cc index 18f2b9f52c9bb..aea3b97c3b941 100644 --- a/contrib/golang/filters/http/test/golang_integration_test.cc +++ b/contrib/golang/filters/http/test/golang_integration_test.cc @@ -202,12 +202,12 @@ name: golang set: bar )EOF"; auto yaml = absl::StrFormat(yaml_fmt, so_id); - ProtobufWkt::Any value; + Protobuf::Any value; TestUtility::loadFromYaml(yaml, value); hcm.mutable_route_config() ->mutable_virtual_hosts(0) ->mutable_typed_per_filter_config() - ->insert(Protobuf::MapPair(key, value)); + ->insert(Protobuf::MapPair(key, value)); // route level per route config const auto yaml_fmt2 = @@ -223,13 +223,13 @@ name: golang set: baz )EOF"; auto yaml2 = absl::StrFormat(yaml_fmt2, so_id); - ProtobufWkt::Any value2; + Protobuf::Any value2; TestUtility::loadFromYaml(yaml2, value2); auto* new_route2 = hcm.mutable_route_config()->mutable_virtual_hosts(0)->add_routes(); new_route2->mutable_match()->set_prefix("/route-config-test"); new_route2->mutable_typed_per_filter_config()->insert( - Protobuf::MapPair(key, value2)); + Protobuf::MapPair(key, value2)); new_route2->mutable_route()->set_cluster("cluster_0"); }); @@ -1758,14 +1758,14 @@ TEST_P(GolangIntegrationTest, RefreshRouteCache) { value: )EOF"; auto yaml = absl::StrFormat(yaml_fmt, so_id); - ProtobufWkt::Any value; + Protobuf::Any value; TestUtility::loadFromYaml(yaml, value); auto* route_first_matched = hcm.mutable_route_config()->mutable_virtual_hosts(0)->add_routes(); route_first_matched->mutable_match()->set_prefix("/disney/api"); route_first_matched->mutable_typed_per_filter_config()->insert( - Protobuf::MapPair(key, value)); + Protobuf::MapPair(key, value)); auto* resp_header = route_first_matched->add_response_headers_to_add(); auto* header = resp_header->mutable_header(); header->set_key("add-header-from"); diff --git a/contrib/golang/filters/network/source/golang.h b/contrib/golang/filters/network/source/golang.h index a60a3a4d86042..e35913c2d4920 100644 --- a/contrib/golang/filters/network/source/golang.h +++ b/contrib/golang/filters/network/source/golang.h @@ -33,13 +33,13 @@ class FilterConfig { const std::string& libraryID() const { return library_id_; } const std::string& libraryPath() const { return library_path_; } const std::string& pluginName() const { return plugin_name_; } - const ProtobufWkt::Any& pluginConfig() const { return plugin_config_; } + const Protobuf::Any& pluginConfig() const { return plugin_config_; } private: const std::string library_id_; const std::string library_path_; const std::string plugin_name_; - const ProtobufWkt::Any plugin_config_; + const Protobuf::Any plugin_config_; }; using FilterConfigSharedPtr = std::shared_ptr; diff --git a/contrib/golang/router/cluster_specifier/source/golang_cluster_specifier.h b/contrib/golang/router/cluster_specifier/source/golang_cluster_specifier.h index b7a5ce0401559..df0918164f81e 100644 --- a/contrib/golang/router/cluster_specifier/source/golang_cluster_specifier.h +++ b/contrib/golang/router/cluster_specifier/source/golang_cluster_specifier.h @@ -24,7 +24,7 @@ class ClusterConfig : Logger::Loggable { const std::string so_id_; const std::string so_path_; const std::string default_cluster_; - const ProtobufWkt::Any config_; + const Protobuf::Any config_; uint64_t plugin_id_{0}; Dso::ClusterSpecifierDsoPtr dynamic_lib_; }; diff --git a/contrib/golang/upstreams/http/tcp/source/upstream_request.h b/contrib/golang/upstreams/http/tcp/source/upstream_request.h index 44a51a284689c..6d24342007940 100644 --- a/contrib/golang/upstreams/http/tcp/source/upstream_request.h +++ b/contrib/golang/upstreams/http/tcp/source/upstream_request.h @@ -58,7 +58,7 @@ class BridgeConfig : httpConfig, const std::string plugin_name_; const std::string so_id_; const std::string so_path_; - const ProtobufWkt::Any plugin_config_; + const Protobuf::Any plugin_config_; Dso::HttpTcpBridgeDsoPtr dso_lib_; uint64_t config_id_{0}; diff --git a/contrib/mysql_proxy/filters/network/source/mysql_filter.cc b/contrib/mysql_proxy/filters/network/source/mysql_filter.cc index 6c1f450d35bfb..1574bd2a23e80 100644 --- a/contrib/mysql_proxy/filters/network/source/mysql_filter.cc +++ b/contrib/mysql_proxy/filters/network/source/mysql_filter.cc @@ -108,7 +108,7 @@ void MySQLFilter::onCommand(Command& command) { // Parse a given query envoy::config::core::v3::Metadata& dynamic_metadata = read_callbacks_->connection().streamInfo().dynamicMetadata(); - ProtobufWkt::Struct metadata( + Protobuf::Struct metadata( (*dynamic_metadata.mutable_filter_metadata())[NetworkFilterNames::get().MySQLProxy]); auto result = Common::SQLUtils::SQLUtils::setMetadata(command.getData(), diff --git a/contrib/postgres_proxy/filters/network/source/postgres_filter.cc b/contrib/postgres_proxy/filters/network/source/postgres_filter.cc index ebf6955d8619f..ed2ce7447f280 100644 --- a/contrib/postgres_proxy/filters/network/source/postgres_filter.cc +++ b/contrib/postgres_proxy/filters/network/source/postgres_filter.cc @@ -185,7 +185,7 @@ void PostgresFilter::incStatements(StatementType type) { void PostgresFilter::processQuery(const std::string& sql) { if (config_->enable_sql_parsing_) { - ProtobufWkt::Struct metadata; + Protobuf::Struct metadata; auto result = Common::SQLUtils::SQLUtils::setMetadata(sql, decoder_->getAttributes(), metadata); diff --git a/contrib/postgres_proxy/filters/network/test/postgres_filter_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_filter_test.cc index e08d81f65e0a5..f1fc73ab820ad 100644 --- a/contrib/postgres_proxy/filters/network/test/postgres_filter_test.cc +++ b/contrib/postgres_proxy/filters/network/test/postgres_filter_test.cc @@ -51,9 +51,9 @@ class PostgresFilterTest EXPECT_CALL(read_callbacks_, connection()).WillRepeatedly(ReturnRef(connection_)); EXPECT_CALL(connection_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); ON_CALL(stream_info_, setDynamicMetadata(NetworkFilterNames::get().PostgresProxy, _)) - .WillByDefault(Invoke([this](const std::string&, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([this](const std::string&, const Protobuf::Struct& obj) { stream_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair( + Protobuf::MapPair( NetworkFilterNames::get().PostgresProxy, obj)); })); } diff --git a/contrib/rocketmq_proxy/filters/network/source/active_message.cc b/contrib/rocketmq_proxy/filters/network/source/active_message.cc index 4f3023b178abb..119c102ca77d8 100644 --- a/contrib/rocketmq_proxy/filters/network/source/active_message.cc +++ b/contrib/rocketmq_proxy/filters/network/source/active_message.cc @@ -206,7 +206,7 @@ void ActiveMessage::onQueryTopicRoute() { } ENVOY_LOG(trace, "Prepare TopicRouteData for {} OK", topic_name); TopicRouteData topic_route_data(std::move(queue_data_list), std::move(broker_data_list)); - ProtobufWkt::Struct data_struct; + Protobuf::Struct data_struct; topic_route_data.encode(data_struct); std::string json = MessageUtil::getJsonStringFromMessageOrError(data_struct); ENVOY_LOG(trace, "Serialize TopicRouteData for {} OK:\n{}", cluster_name, json); diff --git a/contrib/rocketmq_proxy/filters/network/source/codec.cc b/contrib/rocketmq_proxy/filters/network/source/codec.cc index cffed93ce6c54..0b78e117340db 100644 --- a/contrib/rocketmq_proxy/filters/network/source/codec.cc +++ b/contrib/rocketmq_proxy/filters/network/source/codec.cc @@ -59,7 +59,7 @@ RemotingCommandPtr Decoder::decode(Buffer::Instance& buffer, bool& underflow, bo int32_t code, version, opaque; uint32_t flag; if (isJsonHeader(mark)) { - ProtobufWkt::Struct header_struct; + Protobuf::Struct header_struct; // Parse header JSON text try { @@ -247,8 +247,7 @@ std::string Decoder::decodeMsgId(Buffer::Instance& buffer, int32_t cursor) { return msg_id; } -CommandCustomHeaderPtr Decoder::decodeExtHeader(RequestCode code, - ProtobufWkt::Struct& header_struct) { +CommandCustomHeaderPtr Decoder::decodeExtHeader(RequestCode code, Protobuf::Struct& header_struct) { const auto& filed_value_pair = header_struct.fields(); switch (code) { case RequestCode::SendMessage: { @@ -320,7 +319,7 @@ CommandCustomHeaderPtr Decoder::decodeExtHeader(RequestCode code, } CommandCustomHeaderPtr Decoder::decodeResponseExtHeader(ResponseCode response_code, - ProtobufWkt::Struct& header_struct, + Protobuf::Struct& header_struct, RequestCode request_code) { // No need to decode a failed response. if (response_code != ResponseCode::Success && @@ -352,41 +351,41 @@ CommandCustomHeaderPtr Decoder::decodeResponseExtHeader(ResponseCode response_co void Encoder::encode(const RemotingCommandPtr& command, Buffer::Instance& data) { - ProtobufWkt::Struct command_struct; + Protobuf::Struct command_struct; auto* fields = command_struct.mutable_fields(); - ProtobufWkt::Value code_v; + Protobuf::Value code_v; code_v.set_number_value(command->code_); (*fields)["code"] = code_v; - ProtobufWkt::Value language_v; + Protobuf::Value language_v; language_v.set_string_value(command->language()); (*fields)["language"] = language_v; - ProtobufWkt::Value version_v; + Protobuf::Value version_v; version_v.set_number_value(command->version_); (*fields)["version"] = version_v; - ProtobufWkt::Value opaque_v; + Protobuf::Value opaque_v; opaque_v.set_number_value(command->opaque_); (*fields)["opaque"] = opaque_v; - ProtobufWkt::Value flag_v; + Protobuf::Value flag_v; flag_v.set_number_value(command->flag_); (*fields)["flag"] = flag_v; if (!command->remark_.empty()) { - ProtobufWkt::Value remark_v; + Protobuf::Value remark_v; remark_v.set_string_value(command->remark_); (*fields)["remark"] = remark_v; } - ProtobufWkt::Value serialization_type_v; + Protobuf::Value serialization_type_v; serialization_type_v.set_string_value(command->serializeTypeCurrentRPC()); (*fields)["serializeTypeCurrentRPC"] = serialization_type_v; if (command->custom_header_) { - ProtobufWkt::Value ext_fields_v; + Protobuf::Value ext_fields_v; command->custom_header_->encode(ext_fields_v); (*fields)["extFields"] = ext_fields_v; } diff --git a/contrib/rocketmq_proxy/filters/network/source/codec.h b/contrib/rocketmq_proxy/filters/network/source/codec.h index 6ee9c8a9a97bb..e42398d0099e0 100644 --- a/contrib/rocketmq_proxy/filters/network/source/codec.h +++ b/contrib/rocketmq_proxy/filters/network/source/codec.h @@ -60,11 +60,10 @@ class Decoder : Logger::Loggable { static bool isJsonHeader(uint32_t len) { return (len >> 24u) == 0; } - static CommandCustomHeaderPtr decodeExtHeader(RequestCode code, - ProtobufWkt::Struct& header_struct); + static CommandCustomHeaderPtr decodeExtHeader(RequestCode code, Protobuf::Struct& header_struct); static CommandCustomHeaderPtr decodeResponseExtHeader(ResponseCode response_code, - ProtobufWkt::Struct& header_struct, + Protobuf::Struct& header_struct, RequestCode request_code); static bool isComplete(Buffer::Instance& buffer, int32_t cursor); diff --git a/contrib/rocketmq_proxy/filters/network/source/conn_manager.cc b/contrib/rocketmq_proxy/filters/network/source/conn_manager.cc index 90e05219c45cd..6bc53596324f9 100644 --- a/contrib/rocketmq_proxy/filters/network/source/conn_manager.cc +++ b/contrib/rocketmq_proxy/filters/network/source/conn_manager.cc @@ -168,7 +168,7 @@ void ConnectionManager::onHeartbeat(RemotingCommandPtr request) { purgeDirectiveTable(); - ProtobufWkt::Struct body_struct; + Protobuf::Struct body_struct; try { MessageUtil::loadFromJson(body, body_struct); } catch (std::exception& e) { @@ -294,7 +294,7 @@ void ConnectionManager::onGetConsumerListByGroup(RemotingCommandPtr request) { ENVOY_LOG(warn, "There is no consumer belongs to consumer_group: {}", requestExtHeader->consumerGroup()); } - ProtobufWkt::Struct body_struct; + Protobuf::Struct body_struct; getConsumerListByGroupResponseBody.encode(body_struct); diff --git a/contrib/rocketmq_proxy/filters/network/source/protocol.cc b/contrib/rocketmq_proxy/filters/network/source/protocol.cc index cd0481710ba13..6bc63066bde3b 100644 --- a/contrib/rocketmq_proxy/filters/network/source/protocol.cc +++ b/contrib/rocketmq_proxy/filters/network/source/protocol.cc @@ -10,133 +10,133 @@ namespace Extensions { namespace NetworkFilters { namespace RocketmqProxy { -void SendMessageRequestHeader::encode(ProtobufWkt::Value& root) { +void SendMessageRequestHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); switch (version_) { case SendMessageRequestVersion::V1: { - ProtobufWkt::Value producer_group_v; + Protobuf::Value producer_group_v; producer_group_v.set_string_value(producer_group_); members["producerGroup"] = producer_group_v; - ProtobufWkt::Value topic_v; + Protobuf::Value topic_v; topic_v.set_string_value(topic_.c_str(), topic_.length()); members["topic"] = topic_v; - ProtobufWkt::Value default_topic_v; + Protobuf::Value default_topic_v; default_topic_v.set_string_value(default_topic_); members["defaultTopic"] = default_topic_v; - ProtobufWkt::Value default_topic_queue_number_v; + Protobuf::Value default_topic_queue_number_v; default_topic_queue_number_v.set_number_value(default_topic_queue_number_); members["defaultTopicQueueNums"] = default_topic_queue_number_v; - ProtobufWkt::Value queue_id_v; + Protobuf::Value queue_id_v; queue_id_v.set_number_value(queue_id_); members["queueId"] = queue_id_v; - ProtobufWkt::Value sys_flag_v; + Protobuf::Value sys_flag_v; sys_flag_v.set_number_value(sys_flag_); members["sysFlag"] = sys_flag_v; - ProtobufWkt::Value born_timestamp_v; + Protobuf::Value born_timestamp_v; born_timestamp_v.set_number_value(born_timestamp_); members["bornTimestamp"] = born_timestamp_v; - ProtobufWkt::Value flag_v; + Protobuf::Value flag_v; flag_v.set_number_value(flag_); members["flag"] = flag_v; if (!properties_.empty()) { - ProtobufWkt::Value properties_v; + Protobuf::Value properties_v; properties_v.set_string_value(properties_.c_str(), properties_.length()); members["properties"] = properties_v; } if (reconsume_time_ > 0) { - ProtobufWkt::Value reconsume_times_v; + Protobuf::Value reconsume_times_v; reconsume_times_v.set_number_value(reconsume_time_); members["reconsumeTimes"] = reconsume_times_v; } if (unit_mode_) { - ProtobufWkt::Value unit_mode_v; + Protobuf::Value unit_mode_v; unit_mode_v.set_bool_value(unit_mode_); members["unitMode"] = unit_mode_v; } if (batch_) { - ProtobufWkt::Value batch_v; + Protobuf::Value batch_v; batch_v.set_bool_value(batch_); members["batch"] = batch_v; } if (max_reconsume_time_ > 0) { - ProtobufWkt::Value max_reconsume_time_v; + Protobuf::Value max_reconsume_time_v; max_reconsume_time_v.set_number_value(max_reconsume_time_); members["maxReconsumeTimes"] = max_reconsume_time_v; } break; } case SendMessageRequestVersion::V2: { - ProtobufWkt::Value producer_group_v; + Protobuf::Value producer_group_v; producer_group_v.set_string_value(producer_group_.c_str(), producer_group_.length()); members["a"] = producer_group_v; - ProtobufWkt::Value topic_v; + Protobuf::Value topic_v; topic_v.set_string_value(topic_.c_str(), topic_.length()); members["b"] = topic_v; - ProtobufWkt::Value default_topic_v; + Protobuf::Value default_topic_v; default_topic_v.set_string_value(default_topic_.c_str(), default_topic_.length()); members["c"] = default_topic_v; - ProtobufWkt::Value default_topic_queue_number_v; + Protobuf::Value default_topic_queue_number_v; default_topic_queue_number_v.set_number_value(default_topic_queue_number_); members["d"] = default_topic_queue_number_v; - ProtobufWkt::Value queue_id_v; + Protobuf::Value queue_id_v; queue_id_v.set_number_value(queue_id_); members["e"] = queue_id_v; - ProtobufWkt::Value sys_flag_v; + Protobuf::Value sys_flag_v; sys_flag_v.set_number_value(sys_flag_); members["f"] = sys_flag_v; - ProtobufWkt::Value born_timestamp_v; + Protobuf::Value born_timestamp_v; born_timestamp_v.set_number_value(born_timestamp_); members["g"] = born_timestamp_v; - ProtobufWkt::Value flag_v; + Protobuf::Value flag_v; flag_v.set_number_value(flag_); members["h"] = flag_v; if (!properties_.empty()) { - ProtobufWkt::Value properties_v; + Protobuf::Value properties_v; properties_v.set_string_value(properties_.c_str(), properties_.length()); members["i"] = properties_v; } if (reconsume_time_ > 0) { - ProtobufWkt::Value reconsume_times_v; + Protobuf::Value reconsume_times_v; reconsume_times_v.set_number_value(reconsume_time_); members["j"] = reconsume_times_v; } if (unit_mode_) { - ProtobufWkt::Value unit_mode_v; + Protobuf::Value unit_mode_v; unit_mode_v.set_bool_value(unit_mode_); members["k"] = unit_mode_v; } if (batch_) { - ProtobufWkt::Value batch_v; + Protobuf::Value batch_v; batch_v.set_bool_value(batch_); members["m"] = batch_v; } if (max_reconsume_time_ > 0) { - ProtobufWkt::Value max_reconsume_time_v; + Protobuf::Value max_reconsume_time_v; max_reconsume_time_v.set_number_value(max_reconsume_time_); members["l"] = max_reconsume_time_v; } @@ -147,7 +147,7 @@ void SendMessageRequestHeader::encode(ProtobufWkt::Value& root) { } } -void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { +void SendMessageRequestHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); switch (version_) { case SendMessageRequestVersion::V1: { @@ -164,31 +164,31 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { topic_ = members.at("topic").string_value(); default_topic_ = members.at("defaultTopic").string_value(); - if (members.at("defaultTopicQueueNums").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("defaultTopicQueueNums").kind_case() == Protobuf::Value::kNumberValue) { default_topic_queue_number_ = members.at("defaultTopicQueueNums").number_value(); } else { default_topic_queue_number_ = std::stoi(members.at("defaultTopicQueueNums").string_value()); } - if (members.at("queueId").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("queueId").kind_case() == Protobuf::Value::kNumberValue) { queue_id_ = members.at("queueId").number_value(); } else { queue_id_ = std::stoi(members.at("queueId").string_value()); } - if (members.at("sysFlag").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("sysFlag").kind_case() == Protobuf::Value::kNumberValue) { sys_flag_ = static_cast(members.at("sysFlag").number_value()); } else { sys_flag_ = std::stoi(members.at("sysFlag").string_value()); } - if (members.at("bornTimestamp").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("bornTimestamp").kind_case() == Protobuf::Value::kNumberValue) { born_timestamp_ = static_cast(members.at("bornTimestamp").number_value()); } else { born_timestamp_ = std::stoll(members.at("bornTimestamp").string_value()); } - if (members.at("flag").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("flag").kind_case() == Protobuf::Value::kNumberValue) { flag_ = static_cast(members.at("flag").number_value()); } else { flag_ = std::stoi(members.at("flag").string_value()); @@ -199,7 +199,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("reconsumeTimes")) { - if (members.at("reconsumeTimes").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("reconsumeTimes").kind_case() == Protobuf::Value::kNumberValue) { reconsume_time_ = members.at("reconsumeTimes").number_value(); } else { reconsume_time_ = std::stoi(members.at("reconsumeTimes").string_value()); @@ -207,7 +207,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("unitMode")) { - if (members.at("unitMode").kind_case() == ProtobufWkt::Value::kBoolValue) { + if (members.at("unitMode").kind_case() == Protobuf::Value::kBoolValue) { unit_mode_ = members.at("unitMode").bool_value(); } else { unit_mode_ = (members.at("unitMode").string_value() == std::string("true")); @@ -215,7 +215,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("batch")) { - if (members.at("batch").kind_case() == ProtobufWkt::Value::kBoolValue) { + if (members.at("batch").kind_case() == Protobuf::Value::kBoolValue) { batch_ = members.at("batch").bool_value(); } else { batch_ = (members.at("batch").string_value() == std::string("true")); @@ -223,7 +223,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("maxReconsumeTimes")) { - if (members.at("maxReconsumeTimes").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("maxReconsumeTimes").kind_case() == Protobuf::Value::kNumberValue) { max_reconsume_time_ = static_cast(members.at("maxReconsumeTimes").number_value()); } else { max_reconsume_time_ = std::stoi(members.at("maxReconsumeTimes").string_value()); @@ -246,31 +246,31 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { topic_ = members.at("b").string_value(); default_topic_ = members.at("c").string_value(); - if (members.at("d").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("d").kind_case() == Protobuf::Value::kNumberValue) { default_topic_queue_number_ = members.at("d").number_value(); } else { default_topic_queue_number_ = std::stoi(members.at("d").string_value()); } - if (members.at("e").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("e").kind_case() == Protobuf::Value::kNumberValue) { queue_id_ = members.at("e").number_value(); } else { queue_id_ = std::stoi(members.at("e").string_value()); } - if (members.at("f").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("f").kind_case() == Protobuf::Value::kNumberValue) { sys_flag_ = static_cast(members.at("f").number_value()); } else { sys_flag_ = std::stoi(members.at("f").string_value()); } - if (members.at("g").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("g").kind_case() == Protobuf::Value::kNumberValue) { born_timestamp_ = static_cast(members.at("g").number_value()); } else { born_timestamp_ = std::stoll(members.at("g").string_value()); } - if (members.at("h").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("h").kind_case() == Protobuf::Value::kNumberValue) { flag_ = static_cast(members.at("h").number_value()); } else { flag_ = std::stoi(members.at("h").string_value()); @@ -281,7 +281,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("j")) { - if (members.at("j").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("j").kind_case() == Protobuf::Value::kNumberValue) { reconsume_time_ = members.at("j").number_value(); } else { reconsume_time_ = std::stoi(members.at("j").string_value()); @@ -289,7 +289,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("k")) { - if (members.at("k").kind_case() == ProtobufWkt::Value::kBoolValue) { + if (members.at("k").kind_case() == Protobuf::Value::kBoolValue) { unit_mode_ = members.at("k").bool_value(); } else { unit_mode_ = (members.at("k").string_value() == std::string("true")); @@ -297,7 +297,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("m")) { - if (members.at("m").kind_case() == ProtobufWkt::Value::kBoolValue) { + if (members.at("m").kind_case() == Protobuf::Value::kBoolValue) { batch_ = members.at("m").bool_value(); } else { batch_ = (members.at("m").string_value() == std::string("true")); @@ -305,7 +305,7 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } if (members.contains("l")) { - if (members.at("l").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("l").kind_case() == Protobuf::Value::kNumberValue) { max_reconsume_time_ = members.at("l").number_value(); } else { max_reconsume_time_ = std::stoi(members.at("l").string_value()); @@ -319,32 +319,32 @@ void SendMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } } -void SendMessageResponseHeader::encode(ProtobufWkt::Value& root) { +void SendMessageResponseHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); ASSERT(!msg_id_.empty()); - ProtobufWkt::Value msg_id_v; + Protobuf::Value msg_id_v; msg_id_v.set_string_value(msg_id_.c_str(), msg_id_.length()); members["msgId"] = msg_id_v; ASSERT(queue_id_ >= 0); - ProtobufWkt::Value queue_id_v; + Protobuf::Value queue_id_v; queue_id_v.set_number_value(queue_id_); members["queueId"] = queue_id_v; ASSERT(queue_offset_ >= 0); - ProtobufWkt::Value queue_offset_v; + Protobuf::Value queue_offset_v; queue_offset_v.set_number_value(queue_offset_); members["queueOffset"] = queue_offset_v; if (!transaction_id_.empty()) { - ProtobufWkt::Value transaction_id_v; + Protobuf::Value transaction_id_v; transaction_id_v.set_string_value(transaction_id_.c_str(), transaction_id_.length()); members["transactionId"] = transaction_id_v; } } -void SendMessageResponseHeader::decode(const ProtobufWkt::Value& ext_fields) { +void SendMessageResponseHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("msgId")); ASSERT(members.contains("queueId")); @@ -352,13 +352,13 @@ void SendMessageResponseHeader::decode(const ProtobufWkt::Value& ext_fields) { msg_id_ = members.at("msgId").string_value(); - if (members.at("queueId").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("queueId").kind_case() == Protobuf::Value::kNumberValue) { queue_id_ = members.at("queueId").number_value(); } else { queue_id_ = std::stoi(members.at("queueId").string_value()); } - if (members.at("queueOffset").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("queueOffset").kind_case() == Protobuf::Value::kNumberValue) { queue_offset_ = members.at("queueOffset").number_value(); } else { queue_offset_ = std::stoll(members.at("queueOffset").string_value()); @@ -369,71 +369,71 @@ void SendMessageResponseHeader::decode(const ProtobufWkt::Value& ext_fields) { } } -void GetRouteInfoRequestHeader::encode(ProtobufWkt::Value& root) { +void GetRouteInfoRequestHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); - ProtobufWkt::Value topic_v; + Protobuf::Value topic_v; topic_v.set_string_value(topic_.c_str(), topic_.length()); members["topic"] = topic_v; } -void GetRouteInfoRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { +void GetRouteInfoRequestHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("topic")); topic_ = members.at("topic").string_value(); } -void PopMessageRequestHeader::encode(ProtobufWkt::Value& root) { +void PopMessageRequestHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); ASSERT(!consumer_group_.empty()); - ProtobufWkt::Value consumer_group_v; + Protobuf::Value consumer_group_v; consumer_group_v.set_string_value(consumer_group_.c_str(), consumer_group_.size()); members["consumerGroup"] = consumer_group_v; ASSERT(!topic_.empty()); - ProtobufWkt::Value topicNode; + Protobuf::Value topicNode; topicNode.set_string_value(topic_.c_str(), topic_.length()); members["topic"] = topicNode; - ProtobufWkt::Value queue_id_v; + Protobuf::Value queue_id_v; queue_id_v.set_number_value(queue_id_); members["queueId"] = queue_id_v; - ProtobufWkt::Value max_msg_nums_v; + Protobuf::Value max_msg_nums_v; max_msg_nums_v.set_number_value(max_msg_nums_); members["maxMsgNums"] = max_msg_nums_v; - ProtobufWkt::Value invisible_time_v; + Protobuf::Value invisible_time_v; invisible_time_v.set_number_value(invisible_time_); members["invisibleTime"] = invisible_time_v; - ProtobufWkt::Value poll_time_v; + Protobuf::Value poll_time_v; poll_time_v.set_number_value(poll_time_); members["pollTime"] = poll_time_v; - ProtobufWkt::Value born_time_v; + Protobuf::Value born_time_v; born_time_v.set_number_value(born_time_); members["bornTime"] = born_time_v; - ProtobufWkt::Value init_mode_v; + Protobuf::Value init_mode_v; init_mode_v.set_number_value(init_mode_); members["initMode"] = init_mode_v; if (!exp_type_.empty()) { - ProtobufWkt::Value exp_type_v; + Protobuf::Value exp_type_v; exp_type_v.set_string_value(exp_type_.c_str(), exp_type_.size()); members["expType"] = exp_type_v; } if (!exp_.empty()) { - ProtobufWkt::Value exp_v; + Protobuf::Value exp_v; exp_v.set_string_value(exp_.c_str(), exp_.size()); members["exp"] = exp_v; } } -void PopMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { +void PopMessageRequestHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("consumerGroup")); ASSERT(members.contains("topic")); @@ -447,37 +447,37 @@ void PopMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { consumer_group_ = members.at("consumerGroup").string_value(); topic_ = members.at("topic").string_value(); - if (members.at("queueId").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("queueId").kind_case() == Protobuf::Value::kNumberValue) { queue_id_ = members.at("queueId").number_value(); } else { queue_id_ = std::stoi(members.at("queueId").string_value()); } - if (members.at("maxMsgNums").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("maxMsgNums").kind_case() == Protobuf::Value::kNumberValue) { max_msg_nums_ = members.at("maxMsgNums").number_value(); } else { max_msg_nums_ = std::stoi(members.at("maxMsgNums").string_value()); } - if (members.at("invisibleTime").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("invisibleTime").kind_case() == Protobuf::Value::kNumberValue) { invisible_time_ = members.at("invisibleTime").number_value(); } else { invisible_time_ = std::stoll(members.at("invisibleTime").string_value()); } - if (members.at("pollTime").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("pollTime").kind_case() == Protobuf::Value::kNumberValue) { poll_time_ = members.at("pollTime").number_value(); } else { poll_time_ = std::stoll(members.at("pollTime").string_value()); } - if (members.at("bornTime").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("bornTime").kind_case() == Protobuf::Value::kNumberValue) { born_time_ = members.at("bornTime").number_value(); } else { born_time_ = std::stoll(members.at("bornTime").string_value()); } - if (members.at("initMode").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("initMode").kind_case() == Protobuf::Value::kNumberValue) { init_mode_ = members.at("initMode").number_value(); } else { init_mode_ = std::stol(members.at("initMode").string_value()); @@ -492,70 +492,70 @@ void PopMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { } } -void PopMessageResponseHeader::encode(ProtobufWkt::Value& root) { +void PopMessageResponseHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); - ProtobufWkt::Value pop_time_v; + Protobuf::Value pop_time_v; pop_time_v.set_number_value(pop_time_); members["popTime"] = pop_time_v; - ProtobufWkt::Value invisible_time_v; + Protobuf::Value invisible_time_v; invisible_time_v.set_number_value(invisible_time_); members["invisibleTime"] = invisible_time_v; - ProtobufWkt::Value revive_qid_v; + Protobuf::Value revive_qid_v; revive_qid_v.set_number_value(revive_qid_); members["reviveQid"] = revive_qid_v; - ProtobufWkt::Value rest_num_v; + Protobuf::Value rest_num_v; rest_num_v.set_number_value(rest_num_); members["restNum"] = rest_num_v; if (!start_offset_info_.empty()) { - ProtobufWkt::Value start_offset_info_v; + Protobuf::Value start_offset_info_v; start_offset_info_v.set_string_value(start_offset_info_.c_str(), start_offset_info_.size()); members["startOffsetInfo"] = start_offset_info_v; } if (!msg_off_set_info_.empty()) { - ProtobufWkt::Value msg_offset_info_v; + Protobuf::Value msg_offset_info_v; msg_offset_info_v.set_string_value(msg_off_set_info_.c_str(), msg_off_set_info_.size()); members["msgOffsetInfo"] = msg_offset_info_v; } if (!order_count_info_.empty()) { - ProtobufWkt::Value order_count_info_v; + Protobuf::Value order_count_info_v; order_count_info_v.set_string_value(order_count_info_.c_str(), order_count_info_.size()); members["orderCountInfo"] = order_count_info_v; } } -void PopMessageResponseHeader::decode(const ProtobufWkt::Value& ext_fields) { +void PopMessageResponseHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("popTime")); ASSERT(members.contains("invisibleTime")); ASSERT(members.contains("reviveQid")); ASSERT(members.contains("restNum")); - if (members.at("popTime").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("popTime").kind_case() == Protobuf::Value::kNumberValue) { pop_time_ = members.at("popTime").number_value(); } else { pop_time_ = std::stoull(members.at("popTime").string_value()); } - if (members.at("invisibleTime").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("invisibleTime").kind_case() == Protobuf::Value::kNumberValue) { invisible_time_ = members.at("invisibleTime").number_value(); } else { invisible_time_ = std::stoull(members.at("invisibleTime").string_value()); } - if (members.at("reviveQid").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("reviveQid").kind_case() == Protobuf::Value::kNumberValue) { revive_qid_ = members.at("reviveQid").number_value(); } else { revive_qid_ = std::stoul(members.at("reviveQid").string_value()); } - if (members.at("restNum").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("restNum").kind_case() == Protobuf::Value::kNumberValue) { rest_num_ = members.at("restNum").number_value(); } else { rest_num_ = std::stoull(members.at("restNum").string_value()); @@ -574,36 +574,36 @@ void PopMessageResponseHeader::decode(const ProtobufWkt::Value& ext_fields) { } } -void AckMessageRequestHeader::encode(ProtobufWkt::Value& root) { +void AckMessageRequestHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); ASSERT(!consumer_group_.empty()); - ProtobufWkt::Value consumer_group_v; + Protobuf::Value consumer_group_v; consumer_group_v.set_string_value(consumer_group_.c_str(), consumer_group_.size()); members["consumerGroup"] = consumer_group_v; ASSERT(!topic_.empty()); - ProtobufWkt::Value topic_v; + Protobuf::Value topic_v; topic_v.set_string_value(topic_.c_str(), topic_.size()); members["topic"] = topic_v; ASSERT(queue_id_ >= 0); - ProtobufWkt::Value queue_id_v; + Protobuf::Value queue_id_v; queue_id_v.set_number_value(queue_id_); members["queueId"] = queue_id_v; ASSERT(!extra_info_.empty()); - ProtobufWkt::Value extra_info_v; + Protobuf::Value extra_info_v; extra_info_v.set_string_value(extra_info_.c_str(), extra_info_.size()); members["extraInfo"] = extra_info_v; ASSERT(offset_ >= 0); - ProtobufWkt::Value offset_v; + Protobuf::Value offset_v; offset_v.set_number_value(offset_); members["offset"] = offset_v; } -void AckMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { +void AckMessageRequestHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("consumerGroup")); ASSERT(members.contains("topic")); @@ -615,7 +615,7 @@ void AckMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { topic_ = members.at("topic").string_value(); - if (members.at("queueId").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("queueId").kind_case() == Protobuf::Value::kNumberValue) { queue_id_ = members.at("queueId").number_value(); } else { queue_id_ = std::stoi(members.at("queueId").string_value()); @@ -623,36 +623,36 @@ void AckMessageRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { extra_info_ = members.at("extraInfo").string_value(); - if (members.at("offset").kind_case() == ProtobufWkt::Value::kNumberValue) { + if (members.at("offset").kind_case() == Protobuf::Value::kNumberValue) { offset_ = members.at("offset").number_value(); } else { offset_ = std::stoll(members.at("offset").string_value()); } } -void UnregisterClientRequestHeader::encode(ProtobufWkt::Value& root) { +void UnregisterClientRequestHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); ASSERT(!client_id_.empty()); - ProtobufWkt::Value client_id_v; + Protobuf::Value client_id_v; client_id_v.set_string_value(client_id_.c_str(), client_id_.size()); members["clientID"] = client_id_v; ASSERT(!producer_group_.empty() || !consumer_group_.empty()); if (!producer_group_.empty()) { - ProtobufWkt::Value producer_group_v; + Protobuf::Value producer_group_v; producer_group_v.set_string_value(producer_group_.c_str(), producer_group_.size()); members["producerGroup"] = producer_group_v; } if (!consumer_group_.empty()) { - ProtobufWkt::Value consumer_group_v; + Protobuf::Value consumer_group_v; consumer_group_v.set_string_value(consumer_group_.c_str(), consumer_group_.size()); members["consumerGroup"] = consumer_group_v; } } -void UnregisterClientRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { +void UnregisterClientRequestHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("clientID")); ASSERT(members.contains("producerGroup") || members.contains("consumerGroup")); @@ -668,20 +668,20 @@ void UnregisterClientRequestHeader::decode(const ProtobufWkt::Value& ext_fields) } } -void GetConsumerListByGroupResponseBody::encode(ProtobufWkt::Struct& root) { +void GetConsumerListByGroupResponseBody::encode(Protobuf::Struct& root) { auto& members = *(root.mutable_fields()); - ProtobufWkt::Value consumer_id_list_v; + Protobuf::Value consumer_id_list_v; auto member_list = consumer_id_list_v.mutable_list_value(); for (const auto& consumerId : consumer_id_list_) { - auto consumer_id_v = new ProtobufWkt::Value; + auto consumer_id_v = new Protobuf::Value; consumer_id_v->set_string_value(consumerId.c_str(), consumerId.size()); member_list->mutable_values()->AddAllocated(consumer_id_v); } members["consumerIdList"] = consumer_id_list_v; } -bool HeartbeatData::decode(ProtobufWkt::Struct& doc) { +bool HeartbeatData::decode(Protobuf::Struct& doc) { const auto& members = doc.fields(); if (!members.contains("clientID")) { return false; @@ -700,23 +700,23 @@ bool HeartbeatData::decode(ProtobufWkt::Struct& doc) { return true; } -void HeartbeatData::encode(ProtobufWkt::Struct& root) { +void HeartbeatData::encode(Protobuf::Struct& root) { auto& members = *(root.mutable_fields()); - ProtobufWkt::Value client_id_v; + Protobuf::Value client_id_v; client_id_v.set_string_value(client_id_.c_str(), client_id_.size()); members["clientID"] = client_id_v; } -void GetConsumerListByGroupRequestHeader::encode(ProtobufWkt::Value& root) { +void GetConsumerListByGroupRequestHeader::encode(Protobuf::Value& root) { auto& members = *(root.mutable_struct_value()->mutable_fields()); - ProtobufWkt::Value consumer_group_v; + Protobuf::Value consumer_group_v; consumer_group_v.set_string_value(consumer_group_.c_str(), consumer_group_.size()); members["consumerGroup"] = consumer_group_v; } -void GetConsumerListByGroupRequestHeader::decode(const ProtobufWkt::Value& ext_fields) { +void GetConsumerListByGroupRequestHeader::decode(const Protobuf::Value& ext_fields) { const auto& members = ext_fields.struct_value().fields(); ASSERT(members.contains("consumerGroup")); diff --git a/contrib/rocketmq_proxy/filters/network/source/protocol.h b/contrib/rocketmq_proxy/filters/network/source/protocol.h index 2de55a04130fa..52a7cf06d5a59 100644 --- a/contrib/rocketmq_proxy/filters/network/source/protocol.h +++ b/contrib/rocketmq_proxy/filters/network/source/protocol.h @@ -48,9 +48,9 @@ class CommandCustomHeader { virtual ~CommandCustomHeader() = default; - virtual void encode(ProtobufWkt::Value& root) PURE; + virtual void encode(Protobuf::Value& root) PURE; - virtual void decode(const ProtobufWkt::Value& ext_fields) PURE; + virtual void decode(const Protobuf::Value& ext_fields) PURE; const std::string& targetBrokerName() const { return target_broker_name_; } @@ -264,9 +264,9 @@ class SendMessageRequestHeader : public RoutingCommandCustomHeader, void producerGroup(std::string producer_group) { producer_group_ = std::move(producer_group); } - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; const std::string& producerGroup() const { return producer_group_; } @@ -336,9 +336,9 @@ class SendMessageResponseHeader : public CommandCustomHeader { : msg_id_(std::move(msg_id)), queue_id_(queue_id), queue_offset_(queue_offset), transaction_id_(std::move(transaction_id)) {} - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; const std::string& msgId() const { return msg_id_; } @@ -376,9 +376,9 @@ class SendMessageResponseHeader : public CommandCustomHeader { */ class GetRouteInfoRequestHeader : public RoutingCommandCustomHeader { public: - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; }; /** @@ -398,9 +398,9 @@ class PopMessageRequestHeader : public RoutingCommandCustomHeader { public: friend class Decoder; - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; const std::string& consumerGroup() const { return consumer_group_; } @@ -460,9 +460,9 @@ class PopMessageRequestHeader : public RoutingCommandCustomHeader { */ class PopMessageResponseHeader : public CommandCustomHeader { public: - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; // This function is for testing only. int64_t popTimeForTest() const { return pop_time_; } @@ -517,9 +517,9 @@ class PopMessageResponseHeader : public CommandCustomHeader { */ class AckMessageRequestHeader : public RoutingCommandCustomHeader { public: - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; absl::string_view consumerGroup() const { return consumer_group_; } @@ -559,9 +559,9 @@ class AckMessageRequestHeader : public RoutingCommandCustomHeader { */ class UnregisterClientRequestHeader : public CommandCustomHeader { public: - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; void clientId(absl::string_view client_id) { client_id_ = std::string(client_id.data(), client_id.length()); @@ -592,9 +592,9 @@ class UnregisterClientRequestHeader : public CommandCustomHeader { */ class GetConsumerListByGroupRequestHeader : public CommandCustomHeader { public: - void encode(ProtobufWkt::Value& root) override; + void encode(Protobuf::Value& root) override; - void decode(const ProtobufWkt::Value& ext_fields) override; + void decode(const Protobuf::Value& ext_fields) override; void consumerGroup(absl::string_view consumer_group) { consumer_group_ = std::string(consumer_group.data(), consumer_group.length()); @@ -611,7 +611,7 @@ class GetConsumerListByGroupRequestHeader : public CommandCustomHeader { */ class GetConsumerListByGroupResponseBody { public: - void encode(ProtobufWkt::Struct& root); + void encode(Protobuf::Struct& root); void add(absl::string_view consumer_id) { consumer_id_list_.emplace_back(consumer_id.data(), consumer_id.length()); @@ -626,13 +626,13 @@ class GetConsumerListByGroupResponseBody { */ class HeartbeatData : public Logger::Loggable { public: - bool decode(ProtobufWkt::Struct& doc); + bool decode(Protobuf::Struct& doc); const std::string& clientId() const { return client_id_; } const std::vector& consumerGroups() const { return consumer_groups_; } - void encode(ProtobufWkt::Struct& root); + void encode(Protobuf::Struct& root); void clientId(absl::string_view client_id) { client_id_ = std::string(client_id.data(), client_id.size()); diff --git a/contrib/rocketmq_proxy/filters/network/source/topic_route.cc b/contrib/rocketmq_proxy/filters/network/source/topic_route.cc index 7336ec97d17cc..756cccdc243a9 100644 --- a/contrib/rocketmq_proxy/filters/network/source/topic_route.cc +++ b/contrib/rocketmq_proxy/filters/network/source/topic_route.cc @@ -5,42 +5,42 @@ namespace Extensions { namespace NetworkFilters { namespace RocketmqProxy { -void QueueData::encode(ProtobufWkt::Struct& data_struct) { +void QueueData::encode(Protobuf::Struct& data_struct) { auto* fields = data_struct.mutable_fields(); - ProtobufWkt::Value broker_name_v; + Protobuf::Value broker_name_v; broker_name_v.set_string_value(broker_name_); (*fields)["brokerName"] = broker_name_v; - ProtobufWkt::Value read_queue_num_v; + Protobuf::Value read_queue_num_v; read_queue_num_v.set_number_value(read_queue_nums_); (*fields)["readQueueNums"] = read_queue_num_v; - ProtobufWkt::Value write_queue_num_v; + Protobuf::Value write_queue_num_v; write_queue_num_v.set_number_value(write_queue_nums_); (*fields)["writeQueueNums"] = write_queue_num_v; - ProtobufWkt::Value perm_v; + Protobuf::Value perm_v; perm_v.set_number_value(perm_); (*fields)["perm"] = perm_v; } -void BrokerData::encode(ProtobufWkt::Struct& data_struct) { +void BrokerData::encode(Protobuf::Struct& data_struct) { auto& members = *(data_struct.mutable_fields()); - ProtobufWkt::Value cluster_v; + Protobuf::Value cluster_v; cluster_v.set_string_value(cluster_); members["cluster"] = cluster_v; - ProtobufWkt::Value broker_name_v; + Protobuf::Value broker_name_v; broker_name_v.set_string_value(broker_name_); members["brokerName"] = broker_name_v; if (!broker_addrs_.empty()) { - ProtobufWkt::Value brokerAddrsNode; + Protobuf::Value brokerAddrsNode; auto& brokerAddrsMembers = *(brokerAddrsNode.mutable_struct_value()->mutable_fields()); for (auto& entry : broker_addrs_) { - ProtobufWkt::Value address_v; + Protobuf::Value address_v; address_v.set_string_value(entry.second); brokerAddrsMembers[std::to_string(entry.first)] = address_v; } @@ -48,11 +48,11 @@ void BrokerData::encode(ProtobufWkt::Struct& data_struct) { } } -void TopicRouteData::encode(ProtobufWkt::Struct& data_struct) { +void TopicRouteData::encode(Protobuf::Struct& data_struct) { auto* fields = data_struct.mutable_fields(); if (!queue_data_.empty()) { - ProtobufWkt::ListValue queue_data_list_v; + Protobuf::ListValue queue_data_list_v; for (auto& queueData : queue_data_) { queueData.encode(data_struct); queue_data_list_v.add_values()->mutable_struct_value()->CopyFrom(data_struct); @@ -61,7 +61,7 @@ void TopicRouteData::encode(ProtobufWkt::Struct& data_struct) { } if (!broker_data_.empty()) { - ProtobufWkt::ListValue broker_data_list_v; + Protobuf::ListValue broker_data_list_v; for (auto& brokerData : broker_data_) { brokerData.encode(data_struct); broker_data_list_v.add_values()->mutable_struct_value()->CopyFrom(data_struct); diff --git a/contrib/rocketmq_proxy/filters/network/source/topic_route.h b/contrib/rocketmq_proxy/filters/network/source/topic_route.h index 6d5622e24366b..b7f4968ddc1af 100644 --- a/contrib/rocketmq_proxy/filters/network/source/topic_route.h +++ b/contrib/rocketmq_proxy/filters/network/source/topic_route.h @@ -18,7 +18,7 @@ class QueueData { : broker_name_(broker_name), read_queue_nums_(read_queue_num), write_queue_nums_(write_queue_num), perm_(perm) {} - void encode(ProtobufWkt::Struct& data_struct); + void encode(Protobuf::Struct& data_struct); const std::string& brokerName() const { return broker_name_; } @@ -41,7 +41,7 @@ class BrokerData { absl::node_hash_map&& broker_addrs) : cluster_(cluster), broker_name_(broker_name), broker_addrs_(broker_addrs) {} - void encode(ProtobufWkt::Struct& data_struct); + void encode(Protobuf::Struct& data_struct); const std::string& cluster() const { return cluster_; } @@ -57,7 +57,7 @@ class BrokerData { class TopicRouteData { public: - void encode(ProtobufWkt::Struct& data_struct); + void encode(Protobuf::Struct& data_struct); TopicRouteData() = default; diff --git a/contrib/rocketmq_proxy/filters/network/test/active_message_test.cc b/contrib/rocketmq_proxy/filters/network/test/active_message_test.cc index 6ed1e33541b01..a75dd942cc240 100644 --- a/contrib/rocketmq_proxy/filters/network/test/active_message_test.cc +++ b/contrib/rocketmq_proxy/filters/network/test/active_message_test.cc @@ -172,7 +172,7 @@ TEST_F(ActiveMessageTest, RecordPopRouteInfo) { auto host_description = new NiceMock(); auto metadata = std::make_shared(); - ProtobufWkt::Struct topic_route_data; + Protobuf::Struct topic_route_data; auto* fields = topic_route_data.mutable_fields(); std::string broker_name = "broker-a"; @@ -184,7 +184,7 @@ TEST_F(ActiveMessageTest, RecordPopRouteInfo) { (*fields)[RocketmqConstants::get().BrokerName] = ValueUtil::stringValue(broker_name); (*fields)[RocketmqConstants::get().BrokerId] = ValueUtil::numberValue(broker_id); (*fields)[RocketmqConstants::get().Perm] = ValueUtil::numberValue(6); - metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( + metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( NetworkFilterNames::get().RocketmqProxy, topic_route_data)); EXPECT_CALL(*host_description, metadata()).WillRepeatedly(Return(metadata)); diff --git a/contrib/rocketmq_proxy/filters/network/test/codec_test.cc b/contrib/rocketmq_proxy/filters/network/test/codec_test.cc index 9a8d471078a7c..f84b0cdafb6af 100644 --- a/contrib/rocketmq_proxy/filters/network/test/codec_test.cc +++ b/contrib/rocketmq_proxy/filters/network/test/codec_test.cc @@ -519,7 +519,7 @@ TEST_F(RocketmqCodecTest, EncodeResponseSendMessageSuccess) { Decoder::FRAME_LENGTH_FIELD_SIZE + Decoder::FRAME_HEADER_LENGTH_FIELD_SIZE; response_buffer.copyOut(frame_header_content_offset, header_length, header_data.get()); std::string header_json(header_data.get(), header_length); - ProtobufWkt::Struct doc; + Protobuf::Struct doc; MessageUtil::loadFromJson(header_json, doc); const auto& members = doc.fields(); diff --git a/contrib/rocketmq_proxy/filters/network/test/conn_manager_test.cc b/contrib/rocketmq_proxy/filters/network/test/conn_manager_test.cc index 967365507026b..2cbd77621f6f9 100644 --- a/contrib/rocketmq_proxy/filters/network/test/conn_manager_test.cc +++ b/contrib/rocketmq_proxy/filters/network/test/conn_manager_test.cc @@ -366,7 +366,7 @@ stat_prefix: test initializeFilter(yaml); auto metadata = std::make_shared(); - ProtobufWkt::Struct topic_route_data; + Protobuf::Struct topic_route_data; auto* fields = topic_route_data.mutable_fields(); (*fields)[RocketmqConstants::get().ReadQueueNum] = ValueUtil::numberValue(4); (*fields)[RocketmqConstants::get().WriteQueueNum] = ValueUtil::numberValue(4); @@ -374,7 +374,7 @@ stat_prefix: test (*fields)[RocketmqConstants::get().BrokerName] = ValueUtil::stringValue("broker-a"); (*fields)[RocketmqConstants::get().BrokerId] = ValueUtil::numberValue(0); (*fields)[RocketmqConstants::get().Perm] = ValueUtil::numberValue(6); - metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( + metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( NetworkFilterNames::get().RocketmqProxy, topic_route_data)); host_->metadata(metadata); initializeCluster(); @@ -465,7 +465,7 @@ develop_mode: true initializeFilter(yaml); auto metadata = std::make_shared(); - ProtobufWkt::Struct topic_route_data; + Protobuf::Struct topic_route_data; auto* fields = topic_route_data.mutable_fields(); (*fields)[RocketmqConstants::get().ReadQueueNum] = ValueUtil::numberValue(4); (*fields)[RocketmqConstants::get().WriteQueueNum] = ValueUtil::numberValue(4); @@ -473,7 +473,7 @@ develop_mode: true (*fields)[RocketmqConstants::get().BrokerName] = ValueUtil::stringValue("broker-a"); (*fields)[RocketmqConstants::get().BrokerId] = ValueUtil::numberValue(0); (*fields)[RocketmqConstants::get().Perm] = ValueUtil::numberValue(6); - metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( + metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( NetworkFilterNames::get().RocketmqProxy, topic_route_data)); host_->metadata(metadata); initializeCluster(); diff --git a/contrib/rocketmq_proxy/filters/network/test/protocol_test.cc b/contrib/rocketmq_proxy/filters/network/test/protocol_test.cc index 495eb74671463..3c1de1fe298a0 100644 --- a/contrib/rocketmq_proxy/filters/network/test/protocol_test.cc +++ b/contrib/rocketmq_proxy/filters/network/test/protocol_test.cc @@ -21,7 +21,7 @@ TEST_F(UnregisterClientRequestHeaderTest, Encode) { request_header.producerGroup(producer_group_); request_header.consumerGroup(consumer_group_); - ProtobufWkt::Value doc; + Protobuf::Value doc; request_header.encode(doc); const auto& members = doc.struct_value().fields(); @@ -40,7 +40,7 @@ TEST_F(UnregisterClientRequestHeaderTest, Decode) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); UnregisterClientRequestHeader unregister_client_request_header; unregister_client_request_header.decode(doc); @@ -54,7 +54,7 @@ TEST(GetConsumerListByGroupResponseBodyTest, Encode) { response_body.add("localhost@1"); response_body.add("localhost@2"); - ProtobufWkt::Struct doc; + Protobuf::Struct doc; response_body.encode(doc); const auto& members = doc.fields(); @@ -79,7 +79,7 @@ TEST_F(AckMessageRequestHeaderTest, Encode) { ack_header.extraInfo(extra_info); ack_header.offset(offset); - ProtobufWkt::Value doc; + Protobuf::Value doc; ack_header.encode(doc); const auto& members = doc.struct_value().fields(); @@ -111,7 +111,7 @@ TEST_F(AckMessageRequestHeaderTest, Decode) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); AckMessageRequestHeader ack_header; @@ -134,7 +134,7 @@ TEST_F(AckMessageRequestHeaderTest, DecodeNumSerializedAsString) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); AckMessageRequestHeader ack_header; @@ -174,7 +174,7 @@ TEST_F(PopMessageRequestHeaderTest, Encode) { pop_request_header.expType(exp_type); pop_request_header.exp(exp); - ProtobufWkt::Value doc; + Protobuf::Value doc; pop_request_header.encode(doc); const auto& members = doc.struct_value().fields(); @@ -226,7 +226,7 @@ TEST_F(PopMessageRequestHeaderTest, Decode) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); PopMessageRequestHeader pop_request_header; pop_request_header.decode(doc); @@ -259,7 +259,7 @@ TEST_F(PopMessageRequestHeaderTest, DecodeNumSerializedAsString) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); PopMessageRequestHeader pop_request_header; pop_request_header.decode(doc); @@ -298,7 +298,7 @@ TEST_F(PopMessageResponseHeaderTest, Encode) { pop_response_header.msgOffsetInfo(msg_offset_info); pop_response_header.orderCountInfo(order_count_info); - ProtobufWkt::Value doc; + Protobuf::Value doc; pop_response_header.encode(doc); const auto& members = doc.struct_value().fields(); @@ -333,7 +333,7 @@ TEST_F(PopMessageResponseHeaderTest, Decode) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); PopMessageResponseHeader header; @@ -362,7 +362,7 @@ TEST_F(PopMessageResponseHeaderTest, DecodeNumSerializedAsString) { } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); PopMessageResponseHeader header; @@ -388,7 +388,7 @@ TEST_F(SendMessageResponseHeaderTest, Encode) { response_header_.queueId(1); response_header_.queueOffset(100); response_header_.transactionId("TX_01"); - ProtobufWkt::Value doc; + Protobuf::Value doc; response_header_.encode(doc); const auto& members = doc.struct_value().fields(); @@ -412,7 +412,7 @@ TEST_F(SendMessageResponseHeaderTest, Decode) { "transactionId": "TX_1" } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); response_header_.decode(doc); EXPECT_STREQ("abc", response_header_.msgId().c_str()); @@ -430,7 +430,7 @@ TEST_F(SendMessageResponseHeaderTest, DecodeNumSerializedAsString) { "transactionId": "TX_1" } )EOF"; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); response_header_.decode(doc); EXPECT_STREQ("abc", response_header_.msgId().c_str()); @@ -443,7 +443,7 @@ class SendMessageRequestHeaderTest : public testing::Test {}; TEST_F(SendMessageRequestHeaderTest, EncodeDefault) { SendMessageRequestHeader header; - ProtobufWkt::Value doc; + Protobuf::Value doc; header.encode(doc); const auto& members = doc.struct_value().fields(); EXPECT_TRUE(members.contains("producerGroup")); @@ -468,7 +468,7 @@ TEST_F(SendMessageRequestHeaderTest, EncodeOptional) { header.unitMode(true); header.batch(true); header.maxReconsumeTimes(32); - ProtobufWkt::Value doc; + Protobuf::Value doc; header.encode(doc); const auto& members = doc.struct_value().fields(); EXPECT_TRUE(members.contains("producerGroup")); @@ -495,7 +495,7 @@ TEST_F(SendMessageRequestHeaderTest, EncodeOptional) { TEST_F(SendMessageRequestHeaderTest, EncodeDefaultV2) { SendMessageRequestHeader header; header.version(SendMessageRequestVersion::V2); - ProtobufWkt::Value doc; + Protobuf::Value doc; header.encode(doc); const auto& members = doc.struct_value().fields(); EXPECT_TRUE(members.contains("a")); @@ -521,7 +521,7 @@ TEST_F(SendMessageRequestHeaderTest, EncodeOptionalV2) { header.batch(true); header.maxReconsumeTimes(32); header.version(SendMessageRequestVersion::V2); - ProtobufWkt::Value doc; + Protobuf::Value doc; header.encode(doc); const auto& members = doc.struct_value().fields(); @@ -549,7 +549,7 @@ TEST_F(SendMessageRequestHeaderTest, EncodeOptionalV2) { TEST_F(SendMessageRequestHeaderTest, EncodeV3) { SendMessageRequestHeader header; header.version(SendMessageRequestVersion::V3); - ProtobufWkt::Value doc; + Protobuf::Value doc; header.encode(doc); } @@ -571,7 +571,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV1) { )EOF"; SendMessageRequestHeader header; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.decode(doc); EXPECT_STREQ("FooBar", header.topic().c_str()); @@ -609,7 +609,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV1Optional) { )EOF"; SendMessageRequestHeader header; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.decode(doc); EXPECT_STREQ("FooBar", header.topic().c_str()); @@ -647,7 +647,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV1OptionalNumSerializedAsString) { )EOF"; SendMessageRequestHeader header; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.decode(doc); EXPECT_STREQ("FooBar", header.topic().c_str()); @@ -684,7 +684,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV2) { SendMessageRequestHeader header; header.version(SendMessageRequestVersion::V2); - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.decode(doc); EXPECT_STREQ("FooBar", header.topic().c_str()); @@ -723,7 +723,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV2Optional) { SendMessageRequestHeader header; header.version(SendMessageRequestVersion::V2); - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.decode(doc); EXPECT_STREQ("FooBar", header.topic().c_str()); @@ -762,7 +762,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV2OptionalNumSerializedAsString) { SendMessageRequestHeader header; header.version(SendMessageRequestVersion::V2); - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.decode(doc); EXPECT_STREQ("FooBar", header.topic().c_str()); @@ -798,7 +798,7 @@ TEST_F(SendMessageRequestHeaderTest, DecodeV3) { )EOF"; SendMessageRequestHeader header; - ProtobufWkt::Value doc; + Protobuf::Value doc; MessageUtil::loadFromJson(json, *(doc.mutable_struct_value())); header.version(SendMessageRequestVersion::V3); header.decode(doc); @@ -845,7 +845,7 @@ TEST_F(HeartbeatDataTest, Decoding) { const char* consumerGroup = "please_rename_unique_group_name_4"; HeartbeatData heart_beat_data; - ProtobufWkt::Struct doc; + Protobuf::Struct doc; MessageUtil::loadFromJson(json, doc); heart_beat_data.decode(doc); @@ -885,14 +885,14 @@ TEST_F(HeartbeatDataTest, DecodeClientIdMissing) { } )EOF"; - ProtobufWkt::Struct doc; + Protobuf::Struct doc; MessageUtil::loadFromJson(json, doc); EXPECT_FALSE(data_.decode(doc)); } TEST_F(HeartbeatDataTest, Encode) { data_.clientId("CID_01"); - ProtobufWkt::Struct doc; + Protobuf::Struct doc; data_.encode(doc); const auto& members = doc.fields(); EXPECT_TRUE(members.contains("clientID")); diff --git a/contrib/rocketmq_proxy/filters/network/test/route_matcher_test.cc b/contrib/rocketmq_proxy/filters/network/test/route_matcher_test.cc index f078f6d437538..8304972293ad9 100644 --- a/contrib/rocketmq_proxy/filters/network/test/route_matcher_test.cc +++ b/contrib/rocketmq_proxy/filters/network/test/route_matcher_test.cc @@ -59,7 +59,7 @@ name: default_route const std::vector& mmc = criteria->metadataMatchCriteria(); - ProtobufWkt::Value v1; + Protobuf::Value v1; v1.set_string_value("v1"); HashedValue hv1(v1); diff --git a/contrib/rocketmq_proxy/filters/network/test/topic_route_test.cc b/contrib/rocketmq_proxy/filters/network/test/topic_route_test.cc index 2a067b6a25bfd..59b0699d181af 100644 --- a/contrib/rocketmq_proxy/filters/network/test/topic_route_test.cc +++ b/contrib/rocketmq_proxy/filters/network/test/topic_route_test.cc @@ -11,7 +11,7 @@ namespace RocketmqProxy { TEST(TopicRouteTest, Serialization) { QueueData queue_data("broker-a", 8, 8, 6); - ProtobufWkt::Struct doc; + Protobuf::Struct doc; queue_data.encode(doc); const auto& members = doc.fields(); @@ -33,7 +33,7 @@ TEST(BrokerDataTest, Serialization) { std::string broker_name("broker-a"); BrokerData broker_data(cluster, broker_name, std::move(broker_addrs)); - ProtobufWkt::Struct doc; + Protobuf::Struct doc; broker_data.encode(doc); const auto& members = doc.fields(); @@ -61,7 +61,7 @@ TEST(TopicRouteDataTest, Serialization) { topic_route_data.brokerData().emplace_back( BrokerData(cluster, broker_name, std::move(broker_addrs))); } - ProtobufWkt::Struct doc; + Protobuf::Struct doc; EXPECT_NO_THROW(topic_route_data.encode(doc)); MessageUtil::getJsonStringFromMessageOrError(doc); } diff --git a/contrib/sip_proxy/filters/network/test/mocks.cc b/contrib/sip_proxy/filters/network/test/mocks.cc index 488254734f1b9..aa3e32fe42a90 100644 --- a/contrib/sip_proxy/filters/network/test/mocks.cc +++ b/contrib/sip_proxy/filters/network/test/mocks.cc @@ -12,9 +12,9 @@ using testing::ReturnRef; namespace Envoy { -// Provide a specialization for ProtobufWkt::Struct (for MockFilterConfigFactory) +// Provide a specialization for Protobuf::Struct (for MockFilterConfigFactory) template <> -void MessageUtil::validate(const ProtobufWkt::Struct&, ProtobufMessage::ValidationVisitor&, bool) {} +void MessageUtil::validate(const Protobuf::Struct&, ProtobufMessage::ValidationVisitor&, bool) {} namespace Extensions { namespace NetworkFilters { @@ -68,7 +68,7 @@ FilterFactoryCb MockFilterConfigFactory::createFilterFactoryFromProto( Server::Configuration::FactoryContext& context) { UNREFERENCED_PARAMETER(context); - config_struct_ = dynamic_cast(proto_config); + config_struct_ = dynamic_cast(proto_config); config_stat_prefix_ = stats_prefix; return [this](FilterChainFactoryCallbacks& callbacks) -> void { diff --git a/contrib/sip_proxy/filters/network/test/mocks.h b/contrib/sip_proxy/filters/network/test/mocks.h index 39287e245e8b7..6e5b19bef3e2e 100644 --- a/contrib/sip_proxy/filters/network/test/mocks.h +++ b/contrib/sip_proxy/filters/network/test/mocks.h @@ -153,12 +153,12 @@ class MockFilterConfigFactory : public NamedSipFilterConfigFactory { Server::Configuration::FactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return name_; } - ProtobufWkt::Struct config_struct_; + Protobuf::Struct config_struct_; std::string config_stat_prefix_; private: diff --git a/contrib/tap_sinks/udp_sink/source/udp_sink_impl.cc b/contrib/tap_sinks/udp_sink/source/udp_sink_impl.cc index 2791f35000bc1..fc61e9b0c0c22 100644 --- a/contrib/tap_sinks/udp_sink/source/udp_sink_impl.cc +++ b/contrib/tap_sinks/udp_sink/source/udp_sink_impl.cc @@ -62,7 +62,7 @@ void UdpTapSink::UdpTapSinkHandle::setStreamedTraceDataAndSubmit( // Set data from original trace to new trace. dst_streamed_trace.set_trace_id(src_streamed_trace.trace_id()); - ProtobufWkt::Timestamp* dst_ts = dst_streamed_trace.mutable_event()->mutable_timestamp(); + Protobuf::Timestamp* dst_ts = dst_streamed_trace.mutable_event()->mutable_timestamp(); dst_ts->CopyFrom(src_streamed_trace.event().timestamp()); dst_ts->set_nanos(dst_ts->nanos() + new_trace_cnt); diff --git a/docs/root/intro/arch_overview/advanced/data_sharing_between_filters.rst b/docs/root/intro/arch_overview/advanced/data_sharing_between_filters.rst index 695b8b80edf1a..9e39057fabd53 100644 --- a/docs/root/intro/arch_overview/advanced/data_sharing_between_filters.rst +++ b/docs/root/intro/arch_overview/advanced/data_sharing_between_filters.rst @@ -40,13 +40,13 @@ logic for a specific key. Incoming config metadata (via xDS) is converted to class objects at config load time. Filters can then obtain a typed variant of the metadata at runtime (per request or connection), thereby eliminating the need for filters to repeatedly convert from -``ProtobufWkt::Struct`` to some internal object during request/connection +``Protobuf::Struct`` to some internal object during request/connection processing. For example, a filter that desires to have a convenience wrapper class over an opaque metadata with key ``xxx.service.policy`` in ``ClusterInfo`` could register a factory ``ServicePolicyFactory`` that inherits from -``ClusterTypedMetadataFactory``. The factory translates the ``ProtobufWkt::Struct`` +``ClusterTypedMetadataFactory``. The factory translates the ``Protobuf::Struct`` into an instance of ``ServicePolicy`` class (inherited from ``FilterState::Object``). When a ``Cluster`` is created, the associated ``ServicePolicy`` instance will be created and cached. Note that typed diff --git a/docs/root/operations/admin.rst b/docs/root/operations/admin.rst index 09e77e7c5e3f8..059bbb83b2a07 100644 --- a/docs/root/operations/admin.rst +++ b/docs/root/operations/admin.rst @@ -177,7 +177,7 @@ modify different aspects of the server: .. http:get:: /config_dump?mask={} Specify a subset of fields that you would like to be returned. The mask is parsed as a - ``ProtobufWkt::FieldMask`` and applied to each top level dump such as + ``Protobuf::FieldMask`` and applied to each top level dump such as :ref:`BootstrapConfigDump ` and :ref:`ClustersConfigDump `. This behavior changes if both resource and mask query parameters are specified. See @@ -225,7 +225,7 @@ modify different aspects of the server: When both resource and mask query parameters are specified, the mask is applied to every element in the desired repeated field so that only a subset of fields are returned. The mask is parsed - as a ``ProtobufWkt::FieldMask``. + as a ``Protobuf::FieldMask``. For example, get the names of all active dynamic clusters with ``/config_dump?resource=dynamic_active_clusters&mask=cluster.name`` @@ -288,7 +288,7 @@ modify different aspects of the server: .. http:get:: /init_dump?mask={} When mask query parameters is specified, the mask value is the desired component to dump unready targets. - The mask is parsed as a ``ProtobufWkt::FieldMask``. + The mask is parsed as a ``Protobuf::FieldMask``. For example, get the unready targets of all listeners with ``/init_dump?mask=listener`` diff --git a/envoy/config/config_validator.h b/envoy/config/config_validator.h index 285995934a8f3..158bce05add20 100644 --- a/envoy/config/config_validator.h +++ b/envoy/config/config_validator.h @@ -60,7 +60,7 @@ class ConfigValidatorFactory : public Config::TypedFactory { * Creates a ConfigValidator using the given config. */ virtual ConfigValidatorPtr - createConfigValidator(const ProtobufWkt::Any& config, + createConfigValidator(const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor) PURE; std::string category() const override { return "envoy.config.validators"; } diff --git a/envoy/config/subscription.h b/envoy/config/subscription.h index 6ca9dc2403b57..bb835a607db53 100644 --- a/envoy/config/subscription.h +++ b/envoy/config/subscription.h @@ -75,11 +75,11 @@ class OpaqueResourceDecoder { virtual ~OpaqueResourceDecoder() = default; /** - * @param resource some opaque resource (ProtobufWkt::Any). + * @param resource some opaque resource (Protobuf::Any). * @return ProtobufTypes::MessagePtr decoded protobuf message in the opaque resource, e.g. the * RouteConfiguration for an Any containing envoy.config.route.v3.RouteConfiguration. */ - virtual ProtobufTypes::MessagePtr decodeResource(const ProtobufWkt::Any& resource) PURE; + virtual ProtobufTypes::MessagePtr decodeResource(const Protobuf::Any& resource) PURE; /** * @param resource some opaque resource (Protobuf::Message). @@ -166,7 +166,7 @@ class UntypedConfigUpdateCallbacks { * is accepted. Accepted configurations have their version_info reflected in subsequent * requests. */ - virtual void onConfigUpdate(const Protobuf::RepeatedPtrField& resources, + virtual void onConfigUpdate(const Protobuf::RepeatedPtrField& resources, const std::string& version_info) PURE; /** diff --git a/envoy/config/typed_metadata.h b/envoy/config/typed_metadata.h index 059c563c782e9..bd93e0d0dbf22 100644 --- a/envoy/config/typed_metadata.h +++ b/envoy/config/typed_metadata.h @@ -63,7 +63,7 @@ class TypedMetadataFactory : public UntypedFactory { * @throw EnvoyException if the parsing can't be done. */ virtual std::unique_ptr - parse(const ProtobufWkt::Struct& data) const PURE; + parse(const Protobuf::Struct& data) const PURE; /** * Convert the google.protobuf.Any into an instance of TypedMetadata::Object. @@ -73,8 +73,7 @@ class TypedMetadataFactory : public UntypedFactory { * one doesn't implement parse() method. * @throw EnvoyException if the parsing can't be done. */ - virtual std::unique_ptr - parse(const ProtobufWkt::Any& data) const PURE; + virtual std::unique_ptr parse(const Protobuf::Any& data) const PURE; std::string category() const override { return "envoy.typed_metadata"; } }; diff --git a/envoy/config/xds_config_tracker.h b/envoy/config/xds_config_tracker.h index 5f0b3ddd740aa..d4bacc586c6b3 100644 --- a/envoy/config/xds_config_tracker.h +++ b/envoy/config/xds_config_tracker.h @@ -99,7 +99,7 @@ class XdsConfigTrackerFactory : public Config::TypedFactory { * Creates an XdsConfigTracker using the given config. */ virtual XdsConfigTrackerPtr - createXdsConfigTracker(const ProtobufWkt::Any& config, + createXdsConfigTracker(const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor, Api::Api& api, Event::Dispatcher& dispatcher) PURE; diff --git a/envoy/config/xds_resources_delegate.h b/envoy/config/xds_resources_delegate.h index ca58cb05f1ce3..407c9059426ce 100644 --- a/envoy/config/xds_resources_delegate.h +++ b/envoy/config/xds_resources_delegate.h @@ -104,7 +104,7 @@ class XdsResourcesDelegateFactory : public Config::TypedFactory { * @return The created XdsResourcesDelegate instance */ virtual XdsResourcesDelegatePtr - createXdsResourcesDelegate(const ProtobufWkt::Any& config, + createXdsResourcesDelegate(const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor, Api::Api& api, Event::Dispatcher& dispatcher) PURE; diff --git a/envoy/formatter/substitution_formatter_base.h b/envoy/formatter/substitution_formatter_base.h index c9bd79aaaa6b8..115c89d92c144 100644 --- a/envoy/formatter/substitution_formatter_base.h +++ b/envoy/formatter/substitution_formatter_base.h @@ -55,10 +55,10 @@ class FormatterProvider { * Format the value with the given context and stream info. * @param context supplies the formatter context. * @param stream_info supplies the stream info. - * @return ProtobufWkt::Value containing a single value extracted from the given + * @return Protobuf::Value containing a single value extracted from the given * context and stream info. */ - virtual ProtobufWkt::Value + virtual Protobuf::Value formatValueWithContext(const Context& context, const StreamInfo::StreamInfo& stream_info) const PURE; }; diff --git a/envoy/network/filter.h b/envoy/network/filter.h index 8aef12ca5a628..44226e7fa540d 100644 --- a/envoy/network/filter.h +++ b/envoy/network/filter.h @@ -355,7 +355,7 @@ class ListenerFilterCallbacks { * @param value the struct to set on the namespace. A merge will be performed with new values for * the same key overriding existing. */ - virtual void setDynamicMetadata(const std::string& name, const ProtobufWkt::Struct& value) PURE; + virtual void setDynamicMetadata(const std::string& name, const Protobuf::Struct& value) PURE; /** * @param name the namespace used in the metadata in reverse DNS format, for example: @@ -363,7 +363,7 @@ class ListenerFilterCallbacks { * @param value of type protobuf any to set on the namespace. A merge will be performed with new * values for the same key overriding existing. */ - virtual void setDynamicTypedMetadata(const std::string& name, const ProtobufWkt::Any& value) PURE; + virtual void setDynamicTypedMetadata(const std::string& name, const Protobuf::Any& value) PURE; /** * @return const envoy::config::core::v3::Metadata& the dynamic metadata associated with this diff --git a/envoy/router/router.h b/envoy/router/router.h index d22c610f0cc82..2fe9d575342d4 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -790,12 +790,12 @@ class MetadataMatchCriteria { * Creates a new MetadataMatchCriteria, merging existing * metadata criteria with the provided criteria. The result criteria is the * combination of both sets of criteria, with those from the metadata_matches - * ProtobufWkt::Struct taking precedence. + * Protobuf::Struct taking precedence. * @param metadata_matches supplies the new criteria. * @return MetadataMatchCriteriaConstPtr the result criteria. */ virtual MetadataMatchCriteriaConstPtr - mergeMatchCriteria(const ProtobufWkt::Struct& metadata_matches) const PURE; + mergeMatchCriteria(const Protobuf::Struct& metadata_matches) const PURE; /** * Creates a new MetadataMatchCriteria with criteria vector reduced to given names diff --git a/envoy/stream_info/filter_state.h b/envoy/stream_info/filter_state.h index f43ffe00eb3b9..55bc1f21e945f 100644 --- a/envoy/stream_info/filter_state.h +++ b/envoy/stream_info/filter_state.h @@ -93,7 +93,7 @@ class FilterState { /** * @return Protobuf::MessagePtr an unique pointer to the proto serialization of the filter - * state. If returned message type is ProtobufWkt::Any it will be directly used in protobuf + * state. If returned message type is Protobuf::Any it will be directly used in protobuf * logging. nullptr if the filter state cannot be serialized or serialization is not supported. */ virtual ProtobufTypes::MessagePtr serializeAsProto() const { return nullptr; } diff --git a/envoy/stream_info/stream_info.h b/envoy/stream_info/stream_info.h index b96b4c460479b..fbe9ff30e0a03 100644 --- a/envoy/stream_info/stream_info.h +++ b/envoy/stream_info/stream_info.h @@ -863,14 +863,14 @@ class StreamInfo { * @param value the struct to set on the namespace. A merge will be performed with new values for * the same key overriding existing. */ - virtual void setDynamicMetadata(const std::string& name, const ProtobufWkt::Struct& value) PURE; + virtual void setDynamicMetadata(const std::string& name, const Protobuf::Struct& value) PURE; /** * @param name the namespace used in the metadata in reverse DNS format, for example: * envoy.test.my_filter. * @param value of type protobuf any to set on the namespace. */ - virtual void setDynamicTypedMetadata(const std::string& name, const ProtobufWkt::Any& value) PURE; + virtual void setDynamicTypedMetadata(const std::string& name, const Protobuf::Any& value) PURE; /** * Object on which filters can share data on a per-request basis. For singleton data objects, only diff --git a/envoy/upstream/health_check_event_sink.h b/envoy/upstream/health_check_event_sink.h index 9f82edda1458b..6dc3fdb4acff0 100644 --- a/envoy/upstream/health_check_event_sink.h +++ b/envoy/upstream/health_check_event_sink.h @@ -30,7 +30,7 @@ class HealthCheckEventSinkFactory : public Config::TypedFactory { * Creates an HealthCheckEventSink using the given config. */ virtual HealthCheckEventSinkPtr - createHealthCheckEventSink(const ProtobufWkt::Any& config, + createHealthCheckEventSink(const Protobuf::Any& config, Server::Configuration::HealthCheckerFactoryContext& context) PURE; std::string category() const override { return "envoy.health_check.event_sinks"; } diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc index 64415874e0b7b..15d1d436210da 100644 --- a/mobile/library/cc/engine_builder.cc +++ b/mobile/library/cc/engine_builder.cc @@ -308,7 +308,7 @@ EngineBuilder& EngineBuilder::addNativeFilter(std::string name, std::string type } EngineBuilder& EngineBuilder::addNativeFilter(const std::string& name, - const ProtobufWkt::Any& typed_config) { + const Protobuf::Any& typed_config) { native_filter_chain_.push_back(NativeFilterConfig(name, typed_config)); return *this; } @@ -324,7 +324,7 @@ std::string EngineBuilder::nativeNameToConfig(absl::string_view name) { proto_config.set_platform_filter_name(name); std::string ret; proto_config.SerializeToString(&ret); - ProtobufWkt::Any any_config; + Protobuf::Any any_config; any_config.set_type_url( "type.googleapis.com/envoymobile.extensions.filters.http.platform_bridge.PlatformBridge"); any_config.set_value(ret); @@ -833,7 +833,7 @@ std::unique_ptr EngineBuilder::generate auto* node = bootstrap->mutable_node(); node->set_id("envoy-mobile"); node->set_cluster("envoy-mobile"); - ProtobufWkt::Struct& metadata = *node->mutable_metadata(); + Protobuf::Struct& metadata = *node->mutable_metadata(); (*metadata.mutable_fields())["app_id"].set_string_value(app_id_); (*metadata.mutable_fields())["app_version"].set_string_value(app_version_); (*metadata.mutable_fields())["device_os"].set_string_value(device_os_); @@ -841,16 +841,16 @@ std::unique_ptr EngineBuilder::generate // Set up runtime. auto* runtime = bootstrap->mutable_layered_runtime()->add_layers(); runtime->set_name("static_layer_0"); - ProtobufWkt::Struct envoy_layer; - ProtobufWkt::Struct& runtime_values = + Protobuf::Struct envoy_layer; + Protobuf::Struct& runtime_values = *(*envoy_layer.mutable_fields())["envoy"].mutable_struct_value(); - ProtobufWkt::Struct& reloadable_features = + Protobuf::Struct& reloadable_features = *(*runtime_values.mutable_fields())["reloadable_features"].mutable_struct_value(); for (auto& guard_and_value : runtime_guards_) { (*reloadable_features.mutable_fields())[guard_and_value.first].set_bool_value( guard_and_value.second); } - ProtobufWkt::Struct& restart_features = + Protobuf::Struct& restart_features = *(*runtime_values.mutable_fields())["restart_features"].mutable_struct_value(); (*runtime_values.mutable_fields())["disallow_global_stats"].set_bool_value(true); (*runtime_values.mutable_fields())["enable_dfp_dns_trace"].set_bool_value(true); @@ -858,7 +858,7 @@ std::unique_ptr EngineBuilder::generate (*restart_features.mutable_fields())[guard_and_value.first].set_bool_value( guard_and_value.second); } - ProtobufWkt::Struct& overload_values = + Protobuf::Struct& overload_values = *(*envoy_layer.mutable_fields())["overload"].mutable_struct_value(); (*overload_values.mutable_fields())["global_downstream_max_connections"].set_string_value( "4294967295"); diff --git a/mobile/library/cc/engine_builder.h b/mobile/library/cc/engine_builder.h index 724c2f2421a19..95f2f76b3960e 100644 --- a/mobile/library/cc/engine_builder.h +++ b/mobile/library/cc/engine_builder.h @@ -87,7 +87,7 @@ class EngineBuilder { // E.g. addDnsPreresolveHost(std::string host, uint32_t port); EngineBuilder& addDnsPreresolveHostnames(const std::vector& hostnames); EngineBuilder& addNativeFilter(std::string name, std::string typed_config); - EngineBuilder& addNativeFilter(const std::string& name, const ProtobufWkt::Any& typed_config); + EngineBuilder& addNativeFilter(const std::string& name, const Protobuf::Any& typed_config); EngineBuilder& addPlatformFilter(const std::string& name); // Adds a runtime guard for the `envoy.reloadable_features.`. @@ -140,12 +140,12 @@ class EngineBuilder { NativeFilterConfig(std::string name, std::string typed_config) : name_(std::move(name)), textproto_typed_config_(std::move(typed_config)) {} - NativeFilterConfig(const std::string& name, const ProtobufWkt::Any& typed_config) + NativeFilterConfig(const std::string& name, const Protobuf::Any& typed_config) : name_(name), typed_config_(typed_config) {} std::string name_; std::string textproto_typed_config_{}; - ProtobufWkt::Any typed_config_{}; + Protobuf::Any typed_config_{}; }; Logger::Logger::Levels log_level_ = Logger::Logger::Levels::info; diff --git a/mobile/test/cc/integration/send_data_test.cc b/mobile/test/cc/integration/send_data_test.cc index 97a519bf2b099..87a4bd73d5eb4 100644 --- a/mobile/test/cc/integration/send_data_test.cc +++ b/mobile/test/cc/integration/send_data_test.cc @@ -15,7 +15,7 @@ TEST(SendDataTest, Success) { auto* request_generic_body_match = assertion.mutable_match_config()->mutable_http_request_generic_body_match(); request_generic_body_match->add_patterns()->set_string_match("request body"); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url( "type.googleapis.com/envoymobile.extensions.filters.http.assertion.Assertion"); std::string serialized_assertion; diff --git a/mobile/test/cc/integration/send_headers_test.cc b/mobile/test/cc/integration/send_headers_test.cc index 2f29fc42ea35a..aa035cc3b4318 100644 --- a/mobile/test/cc/integration/send_headers_test.cc +++ b/mobile/test/cc/integration/send_headers_test.cc @@ -23,7 +23,7 @@ TEST(SendHeadersTest, Success) { auto* headers3 = http_request_headers_match->add_headers(); headers3->set_name(":path"); headers3->set_exact_match("/"); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url( "type.googleapis.com/envoymobile.extensions.filters.http.assertion.Assertion"); std::string serialized_assertion; diff --git a/mobile/test/cc/integration/send_trailers_test.cc b/mobile/test/cc/integration/send_trailers_test.cc index c3c79e45ca173..2184cf04f5425 100644 --- a/mobile/test/cc/integration/send_trailers_test.cc +++ b/mobile/test/cc/integration/send_trailers_test.cc @@ -17,7 +17,7 @@ TEST(SendTrailersTest, Success) { auto trailer = http_request_trailers_match->add_headers(); trailer->set_name("trailer-key"); trailer->set_exact_match("trailer-value"); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url( "type.googleapis.com/envoymobile.extensions.filters.http.assertion.Assertion"); std::string serialized_assertion; diff --git a/mobile/test/cc/unit/envoy_config_test.cc b/mobile/test/cc/unit/envoy_config_test.cc index 854c078d52f9f..1d2f2db3295c7 100644 --- a/mobile/test/cc/unit/envoy_config_test.cc +++ b/mobile/test/cc/unit/envoy_config_test.cc @@ -461,7 +461,7 @@ TEST(TestConfig, AddNativeFilters) { envoy::extensions::filters::http::buffer::v3::Buffer buffer; buffer.mutable_max_request_bytes()->set_value(5242880); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer"); std::string serialized_buffer; buffer.SerializeToString(&serialized_buffer); diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index 96009d1ff089f..812fcdec15a2f 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc @@ -339,7 +339,7 @@ TEST_F(InternalEngineTest, BasicStream) { envoy::extensions::filters::http::buffer::v3::Buffer buffer; buffer.mutable_max_request_bytes()->set_value(65000); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer"); std::string serialized_buffer; buffer.SerializeToString(&serialized_buffer); diff --git a/mobile/test/jni/jni_utility_test.cc b/mobile/test/jni/jni_utility_test.cc index 9799ddeb3dc9a..1f531d8b9b6ef 100644 --- a/mobile/test/jni/jni_utility_test.cc +++ b/mobile/test/jni/jni_utility_test.cc @@ -25,7 +25,7 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_io_envoyproxy_envoymobile_jni_JniUtilityTest_protoJavaByteArrayConversion(JNIEnv* env, jclass, jbyteArray source) { Envoy::JNI::JniHelper jni_helper(env); - Envoy::ProtobufWkt::Struct s; + Envoy::Protobuf::Struct s; Envoy::JNI::javaByteArrayToProto(jni_helper, source, &s); return Envoy::JNI::protoToJavaByteArray(jni_helper, s).release(); } diff --git a/source/common/common/matchers.cc b/source/common/common/matchers.cc index 40072b5445969..46176591d0c96 100644 --- a/source/common/common/matchers.cc +++ b/source/common/common/matchers.cc @@ -44,20 +44,20 @@ ValueMatcher::create(const envoy::type::matcher::v3::ValueMatcher& v, PANIC("unexpected"); } -bool NullMatcher::match(const ProtobufWkt::Value& value) const { - return value.kind_case() == ProtobufWkt::Value::kNullValue; +bool NullMatcher::match(const Protobuf::Value& value) const { + return value.kind_case() == Protobuf::Value::kNullValue; } -bool BoolMatcher::match(const ProtobufWkt::Value& value) const { - return value.kind_case() == ProtobufWkt::Value::kBoolValue && matcher_ == value.bool_value(); +bool BoolMatcher::match(const Protobuf::Value& value) const { + return value.kind_case() == Protobuf::Value::kBoolValue && matcher_ == value.bool_value(); } -bool PresentMatcher::match(const ProtobufWkt::Value& value) const { - return matcher_ && value.kind_case() != ProtobufWkt::Value::KIND_NOT_SET; +bool PresentMatcher::match(const Protobuf::Value& value) const { + return matcher_ && value.kind_case() != Protobuf::Value::KIND_NOT_SET; } -bool DoubleMatcher::match(const ProtobufWkt::Value& value) const { - if (value.kind_case() != ProtobufWkt::Value::kNumberValue) { +bool DoubleMatcher::match(const Protobuf::Value& value) const { + if (value.kind_case() != Protobuf::Value::kNumberValue) { return false; } @@ -81,8 +81,8 @@ ListMatcher::ListMatcher(const envoy::type::matcher::v3::ListMatcher& matcher, oneof_value_matcher_ = ValueMatcher::create(matcher.one_of(), context); } -bool ListMatcher::match(const ProtobufWkt::Value& value) const { - if (value.kind_case() != ProtobufWkt::Value::kListValue) { +bool ListMatcher::match(const Protobuf::Value& value) const { + if (value.kind_case() != Protobuf::Value::kListValue) { return false; } @@ -104,7 +104,7 @@ OrMatcher::OrMatcher(const envoy::type::matcher::v3::OrMatcher& matcher, } } -bool OrMatcher::match(const ProtobufWkt::Value& value) const { +bool OrMatcher::match(const Protobuf::Value& value) const { for (const auto& or_matcher : or_matchers_) { if (or_matcher->match(value)) { return true; diff --git a/source/common/common/matchers.h b/source/common/common/matchers.h index 0fdb15f471c86..651734361fd70 100644 --- a/source/common/common/matchers.h +++ b/source/common/common/matchers.h @@ -36,7 +36,7 @@ class ValueMatcher { /** * Check whether the value is matched to the matcher. */ - virtual bool match(const ProtobufWkt::Value& value) const PURE; + virtual bool match(const Protobuf::Value& value) const PURE; /** * Create the matcher object. @@ -50,14 +50,14 @@ class NullMatcher : public ValueMatcher { /** * Check whether the value is NULL. */ - bool match(const ProtobufWkt::Value& value) const override; + bool match(const Protobuf::Value& value) const override; }; class BoolMatcher : public ValueMatcher { public: BoolMatcher(bool matcher) : matcher_(matcher) {} - bool match(const ProtobufWkt::Value& value) const override; + bool match(const Protobuf::Value& value) const override; private: const bool matcher_; @@ -67,7 +67,7 @@ class PresentMatcher : public ValueMatcher { public: PresentMatcher(bool matcher) : matcher_(matcher) {} - bool match(const ProtobufWkt::Value& value) const override; + bool match(const Protobuf::Value& value) const override; private: const bool matcher_; @@ -77,7 +77,7 @@ class DoubleMatcher : public ValueMatcher { public: DoubleMatcher(const envoy::type::matcher::v3::DoubleMatcher& matcher) : matcher_(matcher) {} - bool match(const ProtobufWkt::Value& value) const override; + bool match(const Protobuf::Value& value) const override; private: const envoy::type::matcher::v3::DoubleMatcher matcher_; @@ -249,8 +249,8 @@ class StringMatcherImpl : public ValueMatcher, public StringMatcher { } // ValueMatcher - bool match(const ProtobufWkt::Value& value) const override { - if (value.kind_case() != ProtobufWkt::Value::kStringValue) { + bool match(const Protobuf::Value& value) const override { + if (value.kind_case() != Protobuf::Value::kStringValue) { return false; } @@ -347,7 +347,7 @@ class ListMatcher : public ValueMatcher { ListMatcher(const envoy::type::matcher::v3::ListMatcher& matcher, Server::Configuration::CommonFactoryContext& context); - bool match(const ProtobufWkt::Value& value) const override; + bool match(const Protobuf::Value& value) const override; private: ValueMatcherConstSharedPtr oneof_value_matcher_; @@ -358,7 +358,7 @@ class OrMatcher : public ValueMatcher { OrMatcher(const envoy::type::matcher::v3::OrMatcher& matcher, Server::Configuration::CommonFactoryContext& context); - bool match(const ProtobufWkt::Value& value) const override; + bool match(const Protobuf::Value& value) const override; private: std::vector or_matchers_; diff --git a/source/common/config/decoded_resource_impl.h b/source/common/config/decoded_resource_impl.h index 384eaca379ad3..fd58b708d5b5c 100644 --- a/source/common/config/decoded_resource_impl.h +++ b/source/common/config/decoded_resource_impl.h @@ -28,7 +28,7 @@ using DecodedResourceImplPtr = std::unique_ptr; class DecodedResourceImpl : public DecodedResource { public: static absl::StatusOr - fromResource(OpaqueResourceDecoder& resource_decoder, const ProtobufWkt::Any& resource, + fromResource(OpaqueResourceDecoder& resource_decoder, const Protobuf::Any& resource, const std::string& version) { if (resource.Is()) { envoy::service::discovery::v3::Resource r; @@ -83,8 +83,8 @@ class DecodedResourceImpl : public DecodedResource { private: DecodedResourceImpl(OpaqueResourceDecoder& resource_decoder, absl::optional name, const Protobuf::RepeatedPtrField& aliases, - const ProtobufWkt::Any& resource, bool has_resource, - const std::string& version, absl::optional ttl, + const Protobuf::Any& resource, bool has_resource, const std::string& version, + absl::optional ttl, const absl::optional& metadata) : resource_(resource_decoder.decodeResource(resource)), has_resource_(has_resource), name_(name ? *name : resource_decoder.resourceName(*resource_)), @@ -108,8 +108,7 @@ struct DecodedResourcesWrapper { DecodedResourcesWrapper() = default; static absl::StatusOr> create(OpaqueResourceDecoder& resource_decoder, - const Protobuf::RepeatedPtrField& resources, - const std::string& version) { + const Protobuf::RepeatedPtrField& resources, const std::string& version) { std::unique_ptr ret = std::make_unique(); for (const auto& resource : resources) { absl::StatusOr resource_or_error = diff --git a/source/common/config/metadata.cc b/source/common/config/metadata.cc index e58d3f2f9847f..3c1621bb3780f 100644 --- a/source/common/config/metadata.cc +++ b/source/common/config/metadata.cc @@ -17,31 +17,31 @@ MetadataKey::MetadataKey(const envoy::type::metadata::v3::MetadataKey& metadata_ } } -const ProtobufWkt::Value& Metadata::metadataValue(const envoy::config::core::v3::Metadata* metadata, - const MetadataKey& metadata_key) { +const Protobuf::Value& Metadata::metadataValue(const envoy::config::core::v3::Metadata* metadata, + const MetadataKey& metadata_key) { return metadataValue(metadata, metadata_key.key_, metadata_key.path_); } -const ProtobufWkt::Value& Metadata::metadataValue(const envoy::config::core::v3::Metadata* metadata, - const std::string& filter, - const std::vector& path) { +const Protobuf::Value& Metadata::metadataValue(const envoy::config::core::v3::Metadata* metadata, + const std::string& filter, + const std::vector& path) { if (!metadata) { - return ProtobufWkt::Value::default_instance(); + return Protobuf::Value::default_instance(); } const auto filter_it = metadata->filter_metadata().find(filter); if (filter_it == metadata->filter_metadata().end()) { - return ProtobufWkt::Value::default_instance(); + return Protobuf::Value::default_instance(); } - const ProtobufWkt::Struct* data_struct = &(filter_it->second); - const ProtobufWkt::Value* val = nullptr; + const Protobuf::Struct* data_struct = &(filter_it->second); + const Protobuf::Value* val = nullptr; // go through path to select sub entries for (const auto& p : path) { if (nullptr == data_struct) { // sub entry not found - return ProtobufWkt::Value::default_instance(); + return Protobuf::Value::default_instance(); } const auto entry_it = data_struct->fields().find(p); if (entry_it == data_struct->fields().end()) { - return ProtobufWkt::Value::default_instance(); + return Protobuf::Value::default_instance(); } val = &(entry_it->second); if (val->has_struct_value()) { @@ -51,21 +51,19 @@ const ProtobufWkt::Value& Metadata::metadataValue(const envoy::config::core::v3: } } if (nullptr == val) { - return ProtobufWkt::Value::default_instance(); + return Protobuf::Value::default_instance(); } return *val; } -const ProtobufWkt::Value& Metadata::metadataValue(const envoy::config::core::v3::Metadata* metadata, - const std::string& filter, - const std::string& key) { +const Protobuf::Value& Metadata::metadataValue(const envoy::config::core::v3::Metadata* metadata, + const std::string& filter, const std::string& key) { const std::vector path{key}; return metadataValue(metadata, filter, path); } -ProtobufWkt::Value& Metadata::mutableMetadataValue(envoy::config::core::v3::Metadata& metadata, - const std::string& filter, - const std::string& key) { +Protobuf::Value& Metadata::mutableMetadataValue(envoy::config::core::v3::Metadata& metadata, + const std::string& filter, const std::string& key) { return (*(*metadata.mutable_filter_metadata())[filter].mutable_fields())[key]; } @@ -79,7 +77,7 @@ bool Metadata::metadataLabelMatch(const LabelSet& label_set, if (filter_it == host_metadata->filter_metadata().end()) { return label_set.empty(); } - const ProtobufWkt::Struct& data_struct = filter_it->second; + const Protobuf::Struct& data_struct = filter_it->second; const auto& fields = data_struct.fields(); for (const auto& kv : label_set) { const auto entry_it = fields.find(kv.first); @@ -87,7 +85,7 @@ bool Metadata::metadataLabelMatch(const LabelSet& label_set, return false; } - if (list_as_any && entry_it->second.kind_case() == ProtobufWkt::Value::kListValue) { + if (list_as_any && entry_it->second.kind_case() == Protobuf::Value::kListValue) { bool any_match = false; for (const auto& v : entry_it->second.list_value().values()) { if (ValueUtil::equal(v, kv.second)) { diff --git a/source/common/config/metadata.h b/source/common/config/metadata.h index ffa24cb19711c..2b4c174348e24 100644 --- a/source/common/config/metadata.h +++ b/source/common/config/metadata.h @@ -42,42 +42,41 @@ class Metadata { * @param metadata reference. * @param filter name. * @param key for filter metadata. - * @return const ProtobufWkt::Value& value if found, empty if not found. + * @return const Protobuf::Value& value if found, empty if not found. */ - static const ProtobufWkt::Value& metadataValue(const envoy::config::core::v3::Metadata* metadata, - const std::string& filter, const std::string& key); + static const Protobuf::Value& metadataValue(const envoy::config::core::v3::Metadata* metadata, + const std::string& filter, const std::string& key); /** * Lookup value by a multi-key path for a given filter in Metadata. If path is empty * will return the empty struct. * @param metadata reference. * @param filter name. * @param path multi-key path. - * @return const ProtobufWkt::Value& value if found, empty if not found. + * @return const Protobuf::Value& value if found, empty if not found. */ - static const ProtobufWkt::Value& metadataValue(const envoy::config::core::v3::Metadata* metadata, - const std::string& filter, - const std::vector& path); + static const Protobuf::Value& metadataValue(const envoy::config::core::v3::Metadata* metadata, + const std::string& filter, + const std::vector& path); /** * Lookup the value by a metadata key from a Metadata. * @param metadata reference. * @param metadata_key with key name and path to retrieve the value. - * @return const ProtobufWkt::Value& value if found, empty if not found. + * @return const Protobuf::Value& value if found, empty if not found. */ - static const ProtobufWkt::Value& metadataValue(const envoy::config::core::v3::Metadata* metadata, - const MetadataKey& metadata_key); + static const Protobuf::Value& metadataValue(const envoy::config::core::v3::Metadata* metadata, + const MetadataKey& metadata_key); /** * Obtain mutable reference to metadata value for a given filter and key. * @param metadata reference. * @param filter name. * @param key for filter metadata. - * @return ProtobufWkt::Value&. A Value message is created if not found. + * @return Protobuf::Value&. A Value message is created if not found. */ - static ProtobufWkt::Value& mutableMetadataValue(envoy::config::core::v3::Metadata& metadata, - const std::string& filter, - const std::string& key); + static Protobuf::Value& mutableMetadataValue(envoy::config::core::v3::Metadata& metadata, + const std::string& filter, const std::string& key); - using LabelSet = std::vector>; + using LabelSet = std::vector>; /** * Returns whether a set of the labels match a particular host's metadata. diff --git a/source/common/config/opaque_resource_decoder_impl.h b/source/common/config/opaque_resource_decoder_impl.h index bb0af603f15d1..99677c14dd137 100644 --- a/source/common/config/opaque_resource_decoder_impl.h +++ b/source/common/config/opaque_resource_decoder_impl.h @@ -14,7 +14,7 @@ template class OpaqueResourceDecoderImpl : public Config::Opa : validation_visitor_(validation_visitor), name_field_(name_field) {} // Config::OpaqueResourceDecoder - ProtobufTypes::MessagePtr decodeResource(const ProtobufWkt::Any& resource) override { + ProtobufTypes::MessagePtr decodeResource(const Protobuf::Any& resource) override { auto typed_message = std::make_unique(); // If the Any is a synthetic empty message (e.g. because the resource field was not set in // Resource, this might be empty, so we shouldn't decode. diff --git a/source/common/config/utility.cc b/source/common/config/utility.cc index feea51edb4398..43406c7281f5b 100644 --- a/source/common/config/utility.cc +++ b/source/common/config/utility.cc @@ -273,10 +273,10 @@ absl::StatusOr Utility::factoryForGrpcApiConfigSour return async_client_manager.factoryForGrpcService(grpc_service, scope, skip_cluster_check); } -absl::Status Utility::translateOpaqueConfig(const ProtobufWkt::Any& typed_config, +absl::Status Utility::translateOpaqueConfig(const Protobuf::Any& typed_config, ProtobufMessage::ValidationVisitor& validation_visitor, Protobuf::Message& out_proto) { - static const std::string struct_type(ProtobufWkt::Struct::default_instance().GetTypeName()); + static const std::string struct_type(Protobuf::Struct::default_instance().GetTypeName()); static const std::string typed_struct_type( xds::type::v3::TypedStruct::default_instance().GetTypeName()); static const std::string legacy_typed_struct_type( @@ -322,7 +322,7 @@ absl::Status Utility::translateOpaqueConfig(const ProtobufWkt::Any& typed_config RETURN_IF_NOT_OK(MessageUtil::unpackTo(typed_config, out_proto)); } else { #ifdef ENVOY_ENABLE_YAML - ProtobufWkt::Struct struct_config; + Protobuf::Struct struct_config; RETURN_IF_NOT_OK(MessageUtil::unpackTo(typed_config, struct_config)); MessageUtil::jsonConvert(struct_config, validation_visitor, out_proto); #else diff --git a/source/common/config/utility.h b/source/common/config/utility.h index 05f1f66f82641..a272b991896ca 100644 --- a/source/common/config/utility.h +++ b/source/common/config/utility.h @@ -298,7 +298,7 @@ class Utility { * Get type URL from a typed config. * @param typed_config for the extension config. */ - static std::string getFactoryType(const ProtobufWkt::Any& typed_config) { + static std::string getFactoryType(const Protobuf::Any& typed_config) { static const std::string typed_struct_type( xds::type::v3::TypedStruct::default_instance().GetTypeName()); static const std::string legacy_typed_struct_type( @@ -324,7 +324,7 @@ class Utility { * Get a Factory from the registry by type URL. * @param typed_config for the extension config. */ - template static Factory* getFactoryByType(const ProtobufWkt::Any& typed_config) { + template static Factory* getFactoryByType(const Protobuf::Any& typed_config) { if (typed_config.type_url().empty()) { return nullptr; } @@ -367,7 +367,7 @@ class Utility { */ template static ProtobufTypes::MessagePtr - translateAnyToFactoryConfig(const ProtobufWkt::Any& typed_config, + translateAnyToFactoryConfig(const Protobuf::Any& typed_config, ProtobufMessage::ValidationVisitor& validation_visitor, Factory& factory) { ProtobufTypes::MessagePtr config = factory.createEmptyConfigProto(); @@ -413,7 +413,7 @@ class Utility { * @param out_proto the proto message instantiated by extensions * @return a status indicating if translation was a success */ - static absl::Status translateOpaqueConfig(const ProtobufWkt::Any& typed_config, + static absl::Status translateOpaqueConfig(const Protobuf::Any& typed_config, ProtobufMessage::ValidationVisitor& validation_visitor, Protobuf::Message& out_proto); diff --git a/source/common/config/xds_context_params.cc b/source/common/config/xds_context_params.cc index fe3cf6137776a..bb09c143eb852 100644 --- a/source/common/config/xds_context_params.cc +++ b/source/common/config/xds_context_params.cc @@ -40,7 +40,7 @@ const NodeContextRenderers& nodeParamCbs() { } void mergeMetadataJson(Protobuf::Map& params, - const ProtobufWkt::Struct& metadata, const std::string& prefix) { + const Protobuf::Struct& metadata, const std::string& prefix) { #ifdef ENVOY_ENABLE_YAML for (const auto& it : metadata.fields()) { absl::StatusOr json_or_error = MessageUtil::getJsonStringFromMessage(it.second); diff --git a/source/common/filter/config_discovery_impl.h b/source/common/filter/config_discovery_impl.h index 33121542ad4fb..d95300ae4d863 100644 --- a/source/common/filter/config_discovery_impl.h +++ b/source/common/filter/config_discovery_impl.h @@ -651,7 +651,7 @@ class FilterConfigProviderManagerImpl : public FilterConfigProviderManagerImplBa } absl::StatusOr - getDefaultConfig(const ProtobufWkt::Any& proto_config, const std::string& filter_config_name, + getDefaultConfig(const Protobuf::Any& proto_config, const std::string& filter_config_name, Server::Configuration::ServerFactoryContext& server_context, bool last_filter_in_filter_chain, const std::string& filter_chain_type, const absl::flat_hash_set& require_type_urls) const { diff --git a/source/common/formatter/http_specific_formatter.cc b/source/common/formatter/http_specific_formatter.cc index 6997e1953cf4c..d924af5626e7a 100644 --- a/source/common/formatter/http_specific_formatter.cc +++ b/source/common/formatter/http_specific_formatter.cc @@ -24,7 +24,7 @@ LocalReplyBodyFormatter::formatWithContext(const HttpFormatterContext& context, return std::string(context.localReplyBody()); } -ProtobufWkt::Value +Protobuf::Value LocalReplyBodyFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { return ValueUtil::stringValue(std::string(context.localReplyBody())); @@ -36,7 +36,7 @@ AccessLogTypeFormatter::formatWithContext(const HttpFormatterContext& context, return AccessLogType_Name(context.accessLogType()); } -ProtobufWkt::Value +Protobuf::Value AccessLogTypeFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { return ValueUtil::stringValue(AccessLogType_Name(context.accessLogType())); @@ -70,7 +70,7 @@ absl::optional HeaderFormatter::format(const Http::HeaderMap& heade return std::string(val); } -ProtobufWkt::Value HeaderFormatter::formatValue(const Http::HeaderMap& headers) const { +Protobuf::Value HeaderFormatter::formatValue(const Http::HeaderMap& headers) const { const Http::HeaderEntry* header = findHeader(headers); if (!header) { return SubstitutionFormatUtils::unspecifiedValue(); @@ -92,7 +92,7 @@ ResponseHeaderFormatter::formatWithContext(const HttpFormatterContext& context, return HeaderFormatter::format(context.responseHeaders()); } -ProtobufWkt::Value +Protobuf::Value ResponseHeaderFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { return HeaderFormatter::formatValue(context.responseHeaders()); @@ -109,7 +109,7 @@ RequestHeaderFormatter::formatWithContext(const HttpFormatterContext& context, return HeaderFormatter::format(context.requestHeaders()); } -ProtobufWkt::Value +Protobuf::Value RequestHeaderFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { return HeaderFormatter::formatValue(context.requestHeaders()); @@ -126,7 +126,7 @@ ResponseTrailerFormatter::formatWithContext(const HttpFormatterContext& context, return HeaderFormatter::format(context.responseTrailers()); } -ProtobufWkt::Value +Protobuf::Value ResponseTrailerFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { return HeaderFormatter::formatValue(context.responseTrailers()); @@ -156,15 +156,15 @@ HeadersByteSizeFormatter::formatWithContext(const HttpFormatterContext& context, context.responseTrailers())); } -ProtobufWkt::Value +Protobuf::Value HeadersByteSizeFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { return ValueUtil::numberValue(extractHeadersByteSize( context.requestHeaders(), context.responseHeaders(), context.responseTrailers())); } -ProtobufWkt::Value TraceIDFormatter::formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo&) const { +Protobuf::Value TraceIDFormatter::formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo&) const { auto trace_id = context.activeSpan().getTraceId(); if (trace_id.empty()) { return SubstitutionFormatUtils::unspecifiedValue(); @@ -236,7 +236,7 @@ GrpcStatusFormatter::formatWithContext(const HttpFormatterContext& context, PANIC_DUE_TO_CORRUPT_ENUM; } -ProtobufWkt::Value +Protobuf::Value GrpcStatusFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& info) const { if (!Grpc::Common::isGrpcRequestHeaders(context.requestHeaders())) { @@ -288,7 +288,7 @@ QueryParameterFormatter::formatWithContext(const HttpFormatterContext& context, return value; } -ProtobufWkt::Value +Protobuf::Value QueryParameterFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { return ValueUtil::optionalStringValue(formatWithContext(context, stream_info)); @@ -334,7 +334,7 @@ absl::optional PathFormatter::formatWithContext(const HttpFormatter return std::string(path_view); } -ProtobufWkt::Value +Protobuf::Value PathFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { return ValueUtil::optionalStringValue(formatWithContext(context, stream_info)); diff --git a/source/common/formatter/http_specific_formatter.h b/source/common/formatter/http_specific_formatter.h index f0badbff5e409..f0ba656f3ed64 100644 --- a/source/common/formatter/http_specific_formatter.h +++ b/source/common/formatter/http_specific_formatter.h @@ -30,9 +30,8 @@ class LocalReplyBodyFormatter : public FormatterProvider { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; /** @@ -46,9 +45,8 @@ class AccessLogTypeFormatter : public FormatterProvider { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; class HeaderFormatter { @@ -58,7 +56,7 @@ class HeaderFormatter { protected: absl::optional format(const Http::HeaderMap& headers) const; - ProtobufWkt::Value formatValue(const Http::HeaderMap& headers) const; + Protobuf::Value formatValue(const Http::HeaderMap& headers) const; private: const Http::HeaderEntry* findHeader(const Http::HeaderMap& headers) const; @@ -81,9 +79,8 @@ class HeadersByteSizeFormatter : public FormatterProvider { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; private: uint64_t extractHeadersByteSize(const Http::RequestHeaderMap& request_headers, @@ -104,9 +101,8 @@ class RequestHeaderFormatter : public FormatterProvider, HeaderFormatter { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; /** @@ -121,9 +117,8 @@ class ResponseHeaderFormatter : public FormatterProvider, HeaderFormatter { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; /** @@ -138,9 +133,8 @@ class ResponseTrailerFormatter : public FormatterProvider, HeaderFormatter { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; /** @@ -151,9 +145,8 @@ class TraceIDFormatter : public FormatterProvider { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; class GrpcStatusFormatter : public FormatterProvider, HeaderFormatter { @@ -171,9 +164,8 @@ class GrpcStatusFormatter : public FormatterProvider, HeaderFormatter { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; static Format parseFormat(absl::string_view format); @@ -189,9 +181,8 @@ class QueryParameterFormatter : public FormatterProvider { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; private: const std::string parameter_key_; @@ -213,9 +204,8 @@ class PathFormatter : public FormatterProvider { absl::optional formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; PathFormatter(bool with_query, PathFormatterOption option, absl::optional max_length) : with_query_(with_query), option_(option), max_length_(max_length) {} diff --git a/source/common/formatter/stream_info_formatter.cc b/source/common/formatter/stream_info_formatter.cc index ec1026e3cbfa2..4180bf34fbf8a 100644 --- a/source/common/formatter/stream_info_formatter.cc +++ b/source/common/formatter/stream_info_formatter.cc @@ -47,14 +47,14 @@ MetadataFormatter::MetadataFormatter(absl::string_view filter_namespace, absl::optional MetadataFormatter::formatMetadata(const envoy::config::core::v3::Metadata& metadata) const { - ProtobufWkt::Value value = formatMetadataValue(metadata); - if (value.kind_case() == ProtobufWkt::Value::kNullValue) { + Protobuf::Value value = formatMetadataValue(metadata); + if (value.kind_case() == Protobuf::Value::kNullValue) { return absl::nullopt; } std::string str; str.reserve(256); - if (value.kind_case() == ProtobufWkt::Value::kStringValue) { + if (value.kind_case() == Protobuf::Value::kStringValue) { str = value.string_value(); } else { Json::Utility::appendValueToString(value, str); @@ -63,21 +63,20 @@ MetadataFormatter::formatMetadata(const envoy::config::core::v3::Metadata& metad return str; } -ProtobufWkt::Value +Protobuf::Value MetadataFormatter::formatMetadataValue(const envoy::config::core::v3::Metadata& metadata) const { if (path_.empty()) { const auto filter_it = metadata.filter_metadata().find(filter_namespace_); if (filter_it == metadata.filter_metadata().end()) { return SubstitutionFormatUtils::unspecifiedValue(); } - ProtobufWkt::Value output; + Protobuf::Value output; output.mutable_struct_value()->CopyFrom(filter_it->second); return output; } - const ProtobufWkt::Value& val = - Config::Metadata::metadataValue(&metadata, filter_namespace_, path_); - if (val.kind_case() == ProtobufWkt::Value::KindCase::KIND_NOT_SET) { + const Protobuf::Value& val = Config::Metadata::metadataValue(&metadata, filter_namespace_, path_); + if (val.kind_case() == Protobuf::Value::KindCase::KIND_NOT_SET) { return SubstitutionFormatUtils::unspecifiedValue(); } @@ -90,7 +89,7 @@ MetadataFormatter::format(const StreamInfo::StreamInfo& stream_info) const { return (metadata != nullptr) ? formatMetadata(*metadata) : absl::nullopt; } -ProtobufWkt::Value MetadataFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) const { +Protobuf::Value MetadataFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) const { auto metadata = get_func_(stream_info); return formatMetadataValue((metadata != nullptr) ? *metadata : envoy::config::core::v3::Metadata()); @@ -259,8 +258,7 @@ FilterStateFormatter::format(const StreamInfo::StreamInfo& stream_info) const { } } -ProtobufWkt::Value -FilterStateFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) const { +Protobuf::Value FilterStateFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) const { const Envoy::StreamInfo::FilterState::Object* state = filterState(stream_info); if (!state) { return SubstitutionFormatUtils::unspecifiedValue(); @@ -282,7 +280,7 @@ FilterStateFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) con } #ifdef ENVOY_ENABLE_YAML - ProtobufWkt::Value val; + Protobuf::Value val; if (MessageUtil::jsonConvertValue(*proto, val)) { return val; } @@ -476,7 +474,7 @@ CommonDurationFormatter::format(const StreamInfo::StreamInfo& info) const { } return fmt::format_int(duration.value()).str(); } -ProtobufWkt::Value CommonDurationFormatter::formatValue(const StreamInfo::StreamInfo& info) const { +Protobuf::Value CommonDurationFormatter::formatValue(const StreamInfo::StreamInfo& info) const { auto duration = getDurationCount(info); if (!duration.has_value()) { return SubstitutionFormatUtils::unspecifiedValue(); @@ -561,8 +559,7 @@ SystemTimeFormatter::format(const StreamInfo::StreamInfo& stream_info) const { return date_formatter_.fromTime(time_field.value()); } -ProtobufWkt::Value -SystemTimeFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) const { +Protobuf::Value SystemTimeFormatter::formatValue(const StreamInfo::StreamInfo& stream_info) const { return ValueUtil::optionalStringValue(format(stream_info)); } @@ -584,7 +581,7 @@ EnvironmentFormatter::EnvironmentFormatter(absl::string_view key, absl::optional EnvironmentFormatter::format(const StreamInfo::StreamInfo&) const { return str_.string_value(); } -ProtobufWkt::Value EnvironmentFormatter::formatValue(const StreamInfo::StreamInfo&) const { +Protobuf::Value EnvironmentFormatter::formatValue(const StreamInfo::StreamInfo&) const { return str_; } @@ -599,7 +596,7 @@ class StreamInfoStringFormatterProvider : public StreamInfoFormatterProvider { absl::optional format(const StreamInfo::StreamInfo& stream_info) const override { return field_extractor_(stream_info); } - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { return ValueUtil::optionalStringValue(field_extractor_(stream_info)); } @@ -624,7 +621,7 @@ class StreamInfoDurationFormatterProvider : public StreamInfoFormatterProvider { return fmt::format_int(millis.value()).str(); } - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { const auto millis = extractMillis(stream_info); if (!millis) { return SubstitutionFormatUtils::unspecifiedValue(); @@ -656,7 +653,7 @@ class StreamInfoUInt64FormatterProvider : public StreamInfoFormatterProvider { absl::optional format(const StreamInfo::StreamInfo& stream_info) const override { return fmt::format_int(field_extractor_(stream_info)).str(); } - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { return ValueUtil::numberValue(field_extractor_(stream_info)); } @@ -698,7 +695,7 @@ class StreamInfoAddressFormatterProvider : public StreamInfoFormatterProvider { return toString(*address); } - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { Network::Address::InstanceConstSharedPtr address = field_extractor_(stream_info); if (!address) { return SubstitutionFormatUtils::unspecifiedValue(); @@ -753,7 +750,7 @@ class StreamInfoSslConnectionInfoFormatterProvider : public StreamInfoFormatterP return value; } - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { if (stream_info.downstreamAddressProvider().sslConnection() == nullptr) { return SubstitutionFormatUtils::unspecifiedValue(); } @@ -791,7 +788,7 @@ class StreamInfoUpstreamSslConnectionInfoFormatterProvider : public StreamInfoFo return value; } - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override { if (!stream_info.upstreamInfo() || stream_info.upstreamInfo()->upstreamSslConnection() == nullptr) { return SubstitutionFormatUtils::unspecifiedValue(); diff --git a/source/common/formatter/stream_info_formatter.h b/source/common/formatter/stream_info_formatter.h index 4989d1131c31d..805e5e922db61 100644 --- a/source/common/formatter/stream_info_formatter.h +++ b/source/common/formatter/stream_info_formatter.h @@ -26,8 +26,8 @@ class StreamInfoFormatterProvider : public FormatterProvider { formatWithContext(const Context&, const StreamInfo::StreamInfo& stream_info) const override { return format(stream_info); } - ProtobufWkt::Value - formatValueWithContext(const Context&, const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValueWithContext(const Context&, + const StreamInfo::StreamInfo& stream_info) const override { return formatValue(stream_info); } @@ -42,9 +42,9 @@ class StreamInfoFormatterProvider : public FormatterProvider { /** * Format the value with the given stream info. * @param stream_info supplies the stream info. - * @return ProtobufWkt::Value containing a single value extracted from the given stream info. + * @return Protobuf::Value containing a single value extracted from the given stream info. */ - virtual ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const PURE; + virtual Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const PURE; }; using StreamInfoFormatterProviderPtr = std::unique_ptr; @@ -68,12 +68,12 @@ class MetadataFormatter : public StreamInfoFormatterProvider { // StreamInfoFormatterProvider absl::optional format(const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValue(const StreamInfo::StreamInfo& stream_info) const override; protected: absl::optional formatMetadata(const envoy::config::core::v3::Metadata& metadata) const; - ProtobufWkt::Value formatMetadataValue(const envoy::config::core::v3::Metadata& metadata) const; + Protobuf::Value formatMetadataValue(const envoy::config::core::v3::Metadata& metadata) const; private: std::string filter_namespace_; @@ -128,7 +128,7 @@ class FilterStateFormatter : public StreamInfoFormatterProvider { // StreamInfoFormatterProvider absl::optional format(const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValue(const StreamInfo::StreamInfo&) const override; private: const Envoy::StreamInfo::FilterState::Object* @@ -156,7 +156,7 @@ class CommonDurationFormatter : public StreamInfoFormatterProvider { // StreamInfoFormatterProvider absl::optional format(const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValue(const StreamInfo::StreamInfo&) const override; static const absl::flat_hash_map KnownTimePointGetters; @@ -210,7 +210,7 @@ class SystemTimeFormatter : public StreamInfoFormatterProvider { // StreamInfoFormatterProvider absl::optional format(const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValue(const StreamInfo::StreamInfo&) const override; private: const Envoy::DateFormatter date_formatter_; @@ -272,10 +272,10 @@ class EnvironmentFormatter : public StreamInfoFormatterProvider { // StreamInfoFormatterProvider absl::optional format(const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValue(const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValue(const StreamInfo::StreamInfo&) const override; private: - ProtobufWkt::Value str_; + Protobuf::Value str_; }; class DefaultBuiltInStreamInfoCommandParserFactory : public BuiltInCommandParserFactory { diff --git a/source/common/formatter/substitution_format_string.cc b/source/common/formatter/substitution_format_string.cc index c6c305de1bcca..60cabc98f997d 100644 --- a/source/common/formatter/substitution_format_string.cc +++ b/source/common/formatter/substitution_format_string.cc @@ -52,7 +52,7 @@ absl::StatusOr SubstitutionFormatStringUtils::fromProtoConfig( } FormatterPtr -SubstitutionFormatStringUtils::createJsonFormatter(const ProtobufWkt::Struct& struct_format, +SubstitutionFormatStringUtils::createJsonFormatter(const Protobuf::Struct& struct_format, bool omit_empty_values, const std::vector& commands) { return std::make_unique(struct_format, omit_empty_values, commands); diff --git a/source/common/formatter/substitution_format_string.h b/source/common/formatter/substitution_format_string.h index cbf31a130ad37..686f54542ad39 100644 --- a/source/common/formatter/substitution_format_string.h +++ b/source/common/formatter/substitution_format_string.h @@ -24,7 +24,7 @@ namespace Formatter { class SubstitutionFormatStringUtils { public: using FormattersConfig = - ProtobufWkt::RepeatedPtrField; + Protobuf::RepeatedPtrField; /** * Parse list of formatter configurations to commands. @@ -44,7 +44,7 @@ class SubstitutionFormatStringUtils { /** * Generate a Json formatter object from proto::Struct config */ - static FormatterPtr createJsonFormatter(const ProtobufWkt::Struct& struct_format, + static FormatterPtr createJsonFormatter(const Protobuf::Struct& struct_format, bool omit_empty_values, const std::vector& commands = {}); }; diff --git a/source/common/formatter/substitution_format_utility.cc b/source/common/formatter/substitution_format_utility.cc index a2190c0f0bc45..cd3f6e0bb241c 100644 --- a/source/common/formatter/substitution_format_utility.cc +++ b/source/common/formatter/substitution_format_utility.cc @@ -69,7 +69,7 @@ const absl::optional SubstitutionFormatUtils::getHostname() { return hostname; } -const ProtobufWkt::Value& SubstitutionFormatUtils::unspecifiedValue() { +const Protobuf::Value& SubstitutionFormatUtils::unspecifiedValue() { return ValueUtil::nullValue(); } diff --git a/source/common/formatter/substitution_format_utility.h b/source/common/formatter/substitution_format_utility.h index 907dd04d62adb..e5e5bee0ff16a 100644 --- a/source/common/formatter/substitution_format_utility.h +++ b/source/common/formatter/substitution_format_utility.h @@ -44,7 +44,7 @@ class SubstitutionFormatUtils { /** * Unspecified value for protobuf. */ - static const ProtobufWkt::Value& unspecifiedValue(); + static const Protobuf::Value& unspecifiedValue(); /** * Truncate a string to a maximum length. Do nothing if max_length is not set or diff --git a/source/common/formatter/substitution_formatter.cc b/source/common/formatter/substitution_formatter.cc index 72c0b3c55abfc..e52c49070105d 100644 --- a/source/common/formatter/substitution_formatter.cc +++ b/source/common/formatter/substitution_formatter.cc @@ -167,14 +167,14 @@ class JsonFormatBuilder { * * @param struct_format the proto struct format configuration. */ - FormatElements fromStruct(const ProtobufWkt::Struct& struct_format); + FormatElements fromStruct(const Protobuf::Struct& struct_format); private: - using ProtoDict = Protobuf::Map; - using ProtoList = Protobuf::RepeatedPtrField; + using ProtoDict = Protobuf::Map; + using ProtoList = Protobuf::RepeatedPtrField; void formatValueToFormatElements(const ProtoDict& dict_value); - void formatValueToFormatElements(const ProtobufWkt::Value& value); + void formatValueToFormatElements(const Protobuf::Value& value); void formatValueToFormatElements(const ProtoList& list_value); std::string buffer_; // JSON writer buffer. @@ -183,7 +183,7 @@ class JsonFormatBuilder { }; JsonFormatBuilder::FormatElements -JsonFormatBuilder::fromStruct(const ProtobufWkt::Struct& struct_format) { +JsonFormatBuilder::fromStruct(const Protobuf::Struct& struct_format) { elements_.clear(); // This call will iterate through the map tree and serialize the key/values as JSON. @@ -197,16 +197,16 @@ JsonFormatBuilder::fromStruct(const ProtobufWkt::Struct& struct_format) { return std::move(elements_); }; -void JsonFormatBuilder::formatValueToFormatElements(const ProtobufWkt::Value& value) { +void JsonFormatBuilder::formatValueToFormatElements(const Protobuf::Value& value) { switch (value.kind_case()) { - case ProtobufWkt::Value::KIND_NOT_SET: - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::KIND_NOT_SET: + case Protobuf::Value::kNullValue: serializer_.addNull(); break; - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: serializer_.addNumber(value.number_value()); break; - case ProtobufWkt::Value::kStringValue: { + case Protobuf::Value::kStringValue: { absl::string_view string_format = value.string_value(); if (!absl::StrContains(string_format, '%')) { serializer_.addString(string_format); @@ -223,13 +223,13 @@ void JsonFormatBuilder::formatValueToFormatElements(const ProtobufWkt::Value& va elements_.push_back(FormatElement{std::string(string_format), true}); break; } - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: serializer_.addBool(value.bool_value()); break; - case ProtobufWkt::Value::kStructValue: { + case Protobuf::Value::kStructValue: { formatValueToFormatElements(value.struct_value().fields()); break; - case ProtobufWkt::Value::kListValue: + case Protobuf::Value::kListValue: formatValueToFormatElements(value.list_value().values()); break; } @@ -400,8 +400,8 @@ void stringValueToLogLine(const JsonFormatterImpl::Formatters& formatters, const log_line.push_back('"'); // End the JSON string. } -JsonFormatterImpl::JsonFormatterImpl(const ProtobufWkt::Struct& struct_format, - bool omit_empty_values, const CommandParsers& commands) +JsonFormatterImpl::JsonFormatterImpl(const Protobuf::Struct& struct_format, bool omit_empty_values, + const CommandParsers& commands) : omit_empty_values_(omit_empty_values) { for (JsonFormatBuilder::FormatElement& element : JsonFormatBuilder().fromStruct(struct_format)) { if (element.is_template_) { diff --git a/source/common/formatter/substitution_formatter.h b/source/common/formatter/substitution_formatter.h index cc9fc64346c6c..e88dcb9834946 100644 --- a/source/common/formatter/substitution_formatter.h +++ b/source/common/formatter/substitution_formatter.h @@ -37,13 +37,13 @@ class PlainStringFormatter : public FormatterProvider { const StreamInfo::StreamInfo&) const override { return str_.string_value(); } - ProtobufWkt::Value formatValueWithContext(const Context&, - const StreamInfo::StreamInfo&) const override { + Protobuf::Value formatValueWithContext(const Context&, + const StreamInfo::StreamInfo&) const override { return str_; } private: - ProtobufWkt::Value str_; + Protobuf::Value str_; }; /** @@ -59,13 +59,13 @@ class PlainNumberFormatter : public FormatterProvider { std::string str = absl::StrFormat("%g", num_.number_value()); return str; } - ProtobufWkt::Value formatValueWithContext(const Context&, - const StreamInfo::StreamInfo&) const override { + Protobuf::Value formatValueWithContext(const Context&, + const StreamInfo::StreamInfo&) const override { return num_; } private: - ProtobufWkt::Value num_; + Protobuf::Value num_; }; /** @@ -114,7 +114,7 @@ class JsonFormatterImpl : public Formatter { using Formatter = FormatterProviderPtr; using Formatters = std::vector; - JsonFormatterImpl(const ProtobufWkt::Struct& struct_format, bool omit_empty_values, + JsonFormatterImpl(const Protobuf::Struct& struct_format, bool omit_empty_values, const CommandParsers& commands = {}); // Formatter diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h index eacd5a92da358..0ec304f94c06c 100644 --- a/source/common/http/filter_manager.h +++ b/source/common/http/filter_manager.h @@ -48,7 +48,7 @@ class LocalReplyOwnerObject : public StreamInfo::FilterState::Object { : filter_config_name_(filter_config_name) {} ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(filter_config_name_); return message; } diff --git a/source/common/http/http1/settings.cc b/source/common/http/http1/settings.cc index 35eceba9874e4..e530690e5b740 100644 --- a/source/common/http/http1/settings.cc +++ b/source/common/http/http1/settings.cc @@ -52,7 +52,7 @@ Http1Settings parseHttp1Settings(const envoy::config::core::v3::Http1ProtocolOpt Http1Settings parseHttp1Settings(const envoy::config::core::v3::Http1ProtocolOptions& config, Server::Configuration::CommonFactoryContext& context, ProtobufMessage::ValidationVisitor& validation_visitor, - const ProtobufWkt::BoolValue& hcm_stream_error, + const Protobuf::BoolValue& hcm_stream_error, bool validate_scheme) { Http1Settings ret = parseHttp1Settings(config, context, validation_visitor); ret.validate_scheme_ = validate_scheme; diff --git a/source/common/http/http1/settings.h b/source/common/http/http1/settings.h index 51ed573b426e1..0e808d61c115e 100644 --- a/source/common/http/http1/settings.h +++ b/source/common/http/http1/settings.h @@ -20,8 +20,7 @@ Http1Settings parseHttp1Settings(const envoy::config::core::v3::Http1ProtocolOpt Http1Settings parseHttp1Settings(const envoy::config::core::v3::Http1ProtocolOptions& config, Server::Configuration::CommonFactoryContext& context, ProtobufMessage::ValidationVisitor& validation_visitor, - const ProtobufWkt::BoolValue& hcm_stream_error, - bool validate_scheme); + const Protobuf::BoolValue& hcm_stream_error, bool validate_scheme); } // namespace Http1 } // namespace Http diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 126a0814331f1..13bf03eeaf213 100644 --- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc @@ -174,7 +174,7 @@ validateCustomSettingsParameters(const envoy::config::core::v3::Http2ProtocolOpt absl::StatusOr initializeAndValidateOptions(const envoy::config::core::v3::Http2ProtocolOptions& options, bool hcm_stream_error_set, - const ProtobufWkt::BoolValue& hcm_stream_error) { + const Protobuf::BoolValue& hcm_stream_error) { auto ret = initializeAndValidateOptions(options); if (ret.status().ok() && !options.has_override_stream_error_on_invalid_http_message() && hcm_stream_error_set) { @@ -254,7 +254,7 @@ namespace Utility { envoy::config::core::v3::Http3ProtocolOptions initializeAndValidateOptions(const envoy::config::core::v3::Http3ProtocolOptions& options, bool hcm_stream_error_set, - const ProtobufWkt::BoolValue& hcm_stream_error) { + const Protobuf::BoolValue& hcm_stream_error) { if (options.has_override_stream_error_on_invalid_http_message()) { return options; } diff --git a/source/common/http/utility.h b/source/common/http/utility.h index 0c7b9a78c137d..73716add98be2 100644 --- a/source/common/http/utility.h +++ b/source/common/http/utility.h @@ -59,7 +59,7 @@ initializeAndValidateOptions(const envoy::config::core::v3::Http2ProtocolOptions absl::StatusOr initializeAndValidateOptions(const envoy::config::core::v3::Http2ProtocolOptions& options, bool hcm_stream_error_set, - const ProtobufWkt::BoolValue& hcm_stream_error); + const Protobuf::BoolValue& hcm_stream_error); } // namespace Utility } // namespace Http2 namespace Http3 { @@ -68,7 +68,7 @@ namespace Utility { envoy::config::core::v3::Http3ProtocolOptions initializeAndValidateOptions(const envoy::config::core::v3::Http3ProtocolOptions& options, bool hcm_stream_error_set, - const ProtobufWkt::BoolValue& hcm_stream_error); + const Protobuf::BoolValue& hcm_stream_error); } // namespace Utility } // namespace Http3 diff --git a/source/common/json/json_internal.cc b/source/common/json/json_internal.cc index 9b67d36d47fce..5925dcc60e3d1 100644 --- a/source/common/json/json_internal.cc +++ b/source/common/json/json_internal.cc @@ -743,20 +743,20 @@ absl::StatusOr Factory::loadFromString(const std::string& json) } absl::StatusOr -loadFromProtobufStructInternal(const ProtobufWkt::Struct& protobuf_struct); +loadFromProtobufStructInternal(const Protobuf::Struct& protobuf_struct); absl::StatusOr -loadFromProtobufValueInternal(const ProtobufWkt::Value& protobuf_value) { +loadFromProtobufValueInternal(const Protobuf::Value& protobuf_value) { switch (protobuf_value.kind_case()) { - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: return Field::createValue(protobuf_value.string_value()); - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: return Field::createValue(protobuf_value.number_value()); - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: return Field::createValue(protobuf_value.bool_value()); - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::kNullValue: return Field::createNull(); - case ProtobufWkt::Value::kListValue: { + case Protobuf::Value::kListValue: { FieldSharedPtr array = Field::createArray(); for (const auto& list_value : protobuf_value.list_value().values()) { absl::StatusOr proto_or_error = loadFromProtobufValueInternal(list_value); @@ -765,16 +765,16 @@ loadFromProtobufValueInternal(const ProtobufWkt::Value& protobuf_value) { } return array; } - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: return loadFromProtobufStructInternal(protobuf_value.struct_value()); - case ProtobufWkt::Value::KIND_NOT_SET: + case Protobuf::Value::KIND_NOT_SET: break; } return absl::InvalidArgumentError("Protobuf value case not implemented"); } absl::StatusOr -loadFromProtobufStructInternal(const ProtobufWkt::Struct& protobuf_struct) { +loadFromProtobufStructInternal(const Protobuf::Struct& protobuf_struct) { auto root = Field::createObject(); for (const auto& field : protobuf_struct.fields()) { absl::StatusOr proto_or_error = loadFromProtobufValueInternal(field.second); @@ -785,7 +785,7 @@ loadFromProtobufStructInternal(const ProtobufWkt::Struct& protobuf_struct) { return root; } -ObjectSharedPtr Factory::loadFromProtobufStruct(const ProtobufWkt::Struct& protobuf_struct) { +ObjectSharedPtr Factory::loadFromProtobufStruct(const Protobuf::Struct& protobuf_struct) { return THROW_OR_RETURN_VALUE(loadFromProtobufStructInternal(protobuf_struct), ObjectSharedPtr); } diff --git a/source/common/json/json_internal.h b/source/common/json/json_internal.h index 6e43a0da73e34..530f195ec802a 100644 --- a/source/common/json/json_internal.h +++ b/source/common/json/json_internal.h @@ -23,7 +23,7 @@ class Factory { /** * Constructs a Json Object from a Protobuf struct. */ - static ObjectSharedPtr loadFromProtobufStruct(const ProtobufWkt::Struct& protobuf_struct); + static ObjectSharedPtr loadFromProtobufStruct(const Protobuf::Struct& protobuf_struct); /** * Serializes a string in JSON format, throwing an exception if not valid UTF-8. diff --git a/source/common/json/json_loader.cc b/source/common/json/json_loader.cc index 130c9dbeac645..80f7ab45acef7 100644 --- a/source/common/json/json_loader.cc +++ b/source/common/json/json_loader.cc @@ -10,7 +10,7 @@ absl::StatusOr Factory::loadFromString(const std::string& json) return Nlohmann::Factory::loadFromString(json); } -ObjectSharedPtr Factory::loadFromProtobufStruct(const ProtobufWkt::Struct& protobuf_struct) { +ObjectSharedPtr Factory::loadFromProtobufStruct(const Protobuf::Struct& protobuf_struct) { return Nlohmann::Factory::loadFromProtobufStruct(protobuf_struct); } diff --git a/source/common/json/json_loader.h b/source/common/json/json_loader.h index f659e7ea25f7f..af7eac7a04c09 100644 --- a/source/common/json/json_loader.h +++ b/source/common/json/json_loader.h @@ -23,7 +23,7 @@ class Factory { /** * Constructs a Json Object from a Protobuf struct. */ - static ObjectSharedPtr loadFromProtobufStruct(const ProtobufWkt::Struct& protobuf_struct); + static ObjectSharedPtr loadFromProtobufStruct(const Protobuf::Struct& protobuf_struct); /* * Serializes a JSON string to a byte vector using the MessagePack serialization format. diff --git a/source/common/json/json_utility.cc b/source/common/json/json_utility.cc index d0110e506c315..27760e5e33169 100644 --- a/source/common/json/json_utility.cc +++ b/source/common/json/json_utility.cc @@ -5,36 +5,36 @@ namespace Json { namespace { -void structValueToJson(const ProtobufWkt::Struct& struct_value, StringStreamer::Map& level); -void listValueToJson(const ProtobufWkt::ListValue& list_value, StringStreamer::Array& level); +void structValueToJson(const Protobuf::Struct& struct_value, StringStreamer::Map& level); +void listValueToJson(const Protobuf::ListValue& list_value, StringStreamer::Array& level); -void valueToJson(const ProtobufWkt::Value& value, StringStreamer::Level& level) { +void valueToJson(const Protobuf::Value& value, StringStreamer::Level& level) { switch (value.kind_case()) { - case ProtobufWkt::Value::KIND_NOT_SET: - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::KIND_NOT_SET: + case Protobuf::Value::kNullValue: level.addNull(); break; - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: level.addNumber(value.number_value()); break; - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: level.addString(value.string_value()); break; - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: level.addBool(value.bool_value()); break; - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: structValueToJson(value.struct_value(), *level.addMap()); break; - case ProtobufWkt::Value::kListValue: + case Protobuf::Value::kListValue: listValueToJson(value.list_value(), *level.addArray()); break; } } -void structValueToJson(const ProtobufWkt::Struct& struct_value, StringStreamer::Map& map) { +void structValueToJson(const Protobuf::Struct& struct_value, StringStreamer::Map& map) { using PairRefWrapper = - std::reference_wrapper::value_type>; + std::reference_wrapper::value_type>; absl::InlinedVector sorted_fields; sorted_fields.reserve(struct_value.fields_size()); @@ -51,34 +51,34 @@ void structValueToJson(const ProtobufWkt::Struct& struct_value, StringStreamer:: } } -void listValueToJson(const ProtobufWkt::ListValue& list_value, StringStreamer::Array& arr) { - for (const ProtobufWkt::Value& value : list_value.values()) { +void listValueToJson(const Protobuf::ListValue& list_value, StringStreamer::Array& arr) { + for (const Protobuf::Value& value : list_value.values()) { valueToJson(value, arr); } } } // namespace -void Utility::appendValueToString(const ProtobufWkt::Value& value, std::string& dest) { +void Utility::appendValueToString(const Protobuf::Value& value, std::string& dest) { StringStreamer streamer(dest); switch (value.kind_case()) { - case ProtobufWkt::Value::KIND_NOT_SET: - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::KIND_NOT_SET: + case Protobuf::Value::kNullValue: streamer.addNull(); break; - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: streamer.addNumber(value.number_value()); break; - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: streamer.addString(value.string_value()); break; - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: streamer.addBool(value.bool_value()); break; - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: structValueToJson(value.struct_value(), *streamer.makeRootMap()); break; - case ProtobufWkt::Value::kListValue: + case Protobuf::Value::kListValue: listValueToJson(value.list_value(), *streamer.makeRootArray()); break; } diff --git a/source/common/json/json_utility.h b/source/common/json/json_utility.h index 3797a3befdaaf..43fe22dd4dc23 100644 --- a/source/common/json/json_utility.h +++ b/source/common/json/json_utility.h @@ -11,11 +11,11 @@ namespace Json { class Utility { public: /** - * Convert a ProtobufWkt::Value to a JSON string. + * Convert a Protobuf::Value to a JSON string. * @param value message of type type.googleapis.com/google.protobuf.Value * @param dest JSON string. */ - static void appendValueToString(const ProtobufWkt::Value& value, std::string& dest); + static void appendValueToString(const Protobuf::Value& value, std::string& dest); }; } // namespace Json diff --git a/source/common/listener_manager/active_tcp_socket.cc b/source/common/listener_manager/active_tcp_socket.cc index d40267d8debeb..9e12149136e93 100644 --- a/source/common/listener_manager/active_tcp_socket.cc +++ b/source/common/listener_manager/active_tcp_socket.cc @@ -173,13 +173,11 @@ void ActiveTcpSocket::continueFilterChain(bool success) { } } -void ActiveTcpSocket::setDynamicMetadata(const std::string& name, - const ProtobufWkt::Struct& value) { +void ActiveTcpSocket::setDynamicMetadata(const std::string& name, const Protobuf::Struct& value) { stream_info_->setDynamicMetadata(name, value); } -void ActiveTcpSocket::setDynamicTypedMetadata(const std::string& name, - const ProtobufWkt::Any& value) { +void ActiveTcpSocket::setDynamicTypedMetadata(const std::string& name, const Protobuf::Any& value) { stream_info_->setDynamicTypedMetadata(name, value); } diff --git a/source/common/listener_manager/active_tcp_socket.h b/source/common/listener_manager/active_tcp_socket.h index 9491a2d38713e..6170e4389edb4 100644 --- a/source/common/listener_manager/active_tcp_socket.h +++ b/source/common/listener_manager/active_tcp_socket.h @@ -75,8 +75,8 @@ class ActiveTcpSocket : public Network::ListenerFilterManager, void startFilterChain() { continueFilterChain(true); } - void setDynamicMetadata(const std::string& name, const ProtobufWkt::Struct& value) override; - void setDynamicTypedMetadata(const std::string& name, const ProtobufWkt::Any& value) override; + void setDynamicMetadata(const std::string& name, const Protobuf::Struct& value) override; + void setDynamicTypedMetadata(const std::string& name, const Protobuf::Any& value) override; envoy::config::core::v3::Metadata& dynamicMetadata() override { return stream_info_->dynamicMetadata(); }; diff --git a/source/common/listener_manager/filter_chain_manager_impl.cc b/source/common/listener_manager/filter_chain_manager_impl.cc index d1aed994ab478..24fae4608bf7c 100644 --- a/source/common/listener_manager/filter_chain_manager_impl.cc +++ b/source/common/listener_manager/filter_chain_manager_impl.cc @@ -32,7 +32,7 @@ Network::Address::InstanceConstSharedPtr fakeAddress() { } struct FilterChainNameAction - : public Matcher::ActionBase { + : public Matcher::ActionBase { explicit FilterChainNameAction(const std::string& name) : name_(name) {} const Network::FilterChain* get(const FilterChainsByName& filter_chains_by_name, const StreamInfo::StreamInfo&) const override { @@ -53,10 +53,10 @@ class FilterChainNameActionFactory : public Matcher::ActionFactory( - dynamic_cast(config).value()); + dynamic_cast(config).value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } }; diff --git a/source/common/listener_manager/listener_impl.cc b/source/common/listener_manager/listener_impl.cc index 2dc08259640c1..6b02542e78715 100644 --- a/source/common/listener_manager/listener_impl.cc +++ b/source/common/listener_manager/listener_impl.cc @@ -877,7 +877,7 @@ void ListenerImpl::buildOriginalDstListenerFilter( "envoy.filters.listener.original_dst"); Network::ListenerFilterFactoryCb callback = factory.createListenerFilterFactoryFromProto( - Envoy::ProtobufWkt::Empty(), nullptr, *listener_factory_context_); + Envoy::Protobuf::Empty(), nullptr, *listener_factory_context_); auto* cfg_provider_manager = parent_.factory_->getTcpListenerConfigProviderManager(); auto filter_config_provider = cfg_provider_manager->createStaticFilterConfigProvider( callback, "envoy.filters.listener.original_dst"); @@ -974,7 +974,7 @@ bool ListenerImpl::createQuicListenerFilterChain(Network::QuicListenerFilterMana return false; } -void ListenerImpl::dumpListenerConfig(ProtobufWkt::Any& dump) const { +void ListenerImpl::dumpListenerConfig(Protobuf::Any& dump) const { dump.PackFrom(config_maybe_partial_filter_chains_); } diff --git a/source/common/listener_manager/listener_impl.h b/source/common/listener_manager/listener_impl.h index 9cbc6dc897054..9dcd00035f133 100644 --- a/source/common/listener_manager/listener_impl.h +++ b/source/common/listener_manager/listener_impl.h @@ -259,7 +259,7 @@ class ListenerImpl final : public Network::ListenerConfig, return socket_factories_; } void debugLog(const std::string& message); - void dumpListenerConfig(ProtobufWkt::Any& dump) const; + void dumpListenerConfig(Protobuf::Any& dump) const; void initialize(); DrainManager& localDrainManager() const { return listener_factory_context_->listener_factory_context_base_->drainManager(); diff --git a/source/common/protobuf/deterministic_hash.cc b/source/common/protobuf/deterministic_hash.cc index 8e8c399d9fe8d..67db37db978c8 100644 --- a/source/common/protobuf/deterministic_hash.cc +++ b/source/common/protobuf/deterministic_hash.cc @@ -176,7 +176,7 @@ absl::string_view typeUrlToDescriptorFullName(absl::string_view url) { return url; } -std::unique_ptr unpackAnyForReflection(const ProtobufWkt::Any& any) { +std::unique_ptr unpackAnyForReflection(const Protobuf::Any& any) { const Protobuf::Descriptor* descriptor = Protobuf::DescriptorPool::generated_pool()->FindMessageTypeByName( typeUrlToDescriptorFullName(any.type_url())); @@ -202,7 +202,7 @@ uint64_t reflectionHashMessage(const Protobuf::Message& message, uint64_t seed) const Protobuf::Descriptor* descriptor = message.GetDescriptor(); seed = HashUtil::xxHash64(descriptor->full_name(), seed); if (descriptor->well_known_type() == Protobuf::Descriptor::WELLKNOWNTYPE_ANY) { - const ProtobufWkt::Any* any = Protobuf::DynamicCastMessage(&message); + const Protobuf::Any* any = Protobuf::DynamicCastMessage(&message); ASSERT(any != nullptr, "casting to any should always work for WELLKNOWNTYPE_ANY"); std::unique_ptr submsg = unpackAnyForReflection(*any); if (submsg == nullptr) { diff --git a/source/common/protobuf/protobuf.h b/source/common/protobuf/protobuf.h index 0af00b515d4ad..cec93d68d034a 100644 --- a/source/common/protobuf/protobuf.h +++ b/source/common/protobuf/protobuf.h @@ -65,32 +65,42 @@ namespace Protobuf { using Closure = ::google::protobuf::Closure; +using ::google::protobuf::Any; // NOLINT(misc-unused-using-decls) using ::google::protobuf::Arena; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::BoolValue; // NOLINT(misc-unused-using-decls) using ::google::protobuf::BytesValue; // NOLINT(misc-unused-using-decls) using ::google::protobuf::Descriptor; // NOLINT(misc-unused-using-decls) using ::google::protobuf::DescriptorPool; // NOLINT(misc-unused-using-decls) using ::google::protobuf::DescriptorPoolDatabase; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::Duration; // NOLINT(misc-unused-using-decls) using ::google::protobuf::DynamicCastMessage; // NOLINT(misc-unused-using-decls) using ::google::protobuf::DynamicMessageFactory; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::Empty; // NOLINT(misc-unused-using-decls) using ::google::protobuf::EnumValueDescriptor; // NOLINT(misc-unused-using-decls) using ::google::protobuf::FieldDescriptor; // NOLINT(misc-unused-using-decls) using ::google::protobuf::FieldMask; // NOLINT(misc-unused-using-decls) using ::google::protobuf::FileDescriptor; // NOLINT(misc-unused-using-decls) using ::google::protobuf::FileDescriptorProto; // NOLINT(misc-unused-using-decls) using ::google::protobuf::FileDescriptorSet; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::ListValue; // NOLINT(misc-unused-using-decls) using ::google::protobuf::Map; // NOLINT(misc-unused-using-decls) using ::google::protobuf::MapPair; // NOLINT(misc-unused-using-decls) using ::google::protobuf::MessageFactory; // NOLINT(misc-unused-using-decls) using ::google::protobuf::MethodDescriptor; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::NULL_VALUE; // NOLINT(misc-unused-using-decls) using ::google::protobuf::OneofDescriptor; // NOLINT(misc-unused-using-decls) using ::google::protobuf::Reflection; // NOLINT(misc-unused-using-decls) using ::google::protobuf::RepeatedField; // NOLINT(misc-unused-using-decls) using ::google::protobuf::RepeatedFieldBackInserter; // NOLINT(misc-unused-using-decls) using ::google::protobuf::RepeatedPtrField; // NOLINT(misc-unused-using-decls) using ::google::protobuf::RepeatedPtrFieldBackInserter; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::StringValue; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::Struct; // NOLINT(misc-unused-using-decls) using ::google::protobuf::TextFormat; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::Timestamp; // NOLINT(misc-unused-using-decls) using ::google::protobuf::Type; // NOLINT(misc-unused-using-decls) using ::google::protobuf::UInt32Value; // NOLINT(misc-unused-using-decls) +using ::google::protobuf::Value; // NOLINT(misc-unused-using-decls) using Message = ::google::protobuf::MessageLite; @@ -147,10 +157,6 @@ namespace Envoy { // Allows mapping from google::protobuf::util to other util libraries. namespace ProtobufUtil = ::google::protobuf::util; -// Protobuf well-known types (WKT) should be referenced via the ProtobufWkt -// namespace. -namespace ProtobufWkt = ::google::protobuf; - // Alternative protobuf implementations might not have the same basic types. // Below we provide wrappers to facilitate remapping of the type during import. namespace ProtobufTypes { diff --git a/source/common/protobuf/utility.cc b/source/common/protobuf/utility.cc index 9f1b7b7a87695..19b249972369e 100644 --- a/source/common/protobuf/utility.cc +++ b/source/common/protobuf/utility.cc @@ -29,7 +29,7 @@ namespace { // Validates that the max value of nanoseconds and seconds doesn't cause an // overflow in the protobuf time-util computations. -absl::Status validateDurationNoThrow(const ProtobufWkt::Duration& duration) { +absl::Status validateDurationNoThrow(const Protobuf::Duration& duration) { // Apply a strict max boundary to the `seconds` value to avoid overflow when // both seconds and nanoseconds are at their highest values. // Note that protobuf internally converts to the input's seconds and @@ -54,7 +54,7 @@ absl::Status validateDurationNoThrow(const ProtobufWkt::Duration& duration) { return absl::OkStatus(); } -void validateDuration(const ProtobufWkt::Duration& duration) { +void validateDuration(const Protobuf::Duration& duration) { const absl::Status result = validateDurationNoThrow(duration); if (!result.ok()) { throwEnvoyExceptionOrPanic(std::string(result.message())); @@ -341,7 +341,7 @@ class DurationFieldProtoVisitor : public ProtobufMessage::ConstProtoVisitor { absl::Span, bool) override { const Protobuf::ReflectableMessage reflectable_message = createReflectableMessage(message); if (reflectable_message->GetDescriptor()->full_name() == "google.protobuf.Duration") { - ProtobufWkt::Duration duration_message; + Protobuf::Duration duration_message; #if defined(ENVOY_ENABLE_FULL_PROTOS) duration_message.CheckTypeAndMergeFrom(message); #else @@ -393,7 +393,7 @@ void MessageUtil::recursivePgvCheck(const Protobuf::Message& message) { THROW_IF_NOT_OK(ProtobufMessage::traverseMessage(visitor, message, true)); } -void MessageUtil::packFrom(ProtobufWkt::Any& any_message, const Protobuf::Message& message) { +void MessageUtil::packFrom(Protobuf::Any& any_message, const Protobuf::Message& message) { #if defined(ENVOY_ENABLE_FULL_PROTOS) any_message.PackFrom(message); #else @@ -402,8 +402,7 @@ void MessageUtil::packFrom(ProtobufWkt::Any& any_message, const Protobuf::Messag #endif } -absl::Status MessageUtil::unpackTo(const ProtobufWkt::Any& any_message, - Protobuf::Message& message) { +absl::Status MessageUtil::unpackTo(const Protobuf::Any& any_message, Protobuf::Message& message) { #if defined(ENVOY_ENABLE_FULL_PROTOS) if (!any_message.UnpackTo(&message)) { return absl::InternalError(absl::StrCat("Unable to unpack as ", @@ -430,17 +429,17 @@ std::string MessageUtil::convertToStringForLogs(const Protobuf::Message& message #endif } -ProtobufWkt::Struct MessageUtil::keyValueStruct(const std::string& key, const std::string& value) { - ProtobufWkt::Struct struct_obj; - ProtobufWkt::Value val; +Protobuf::Struct MessageUtil::keyValueStruct(const std::string& key, const std::string& value) { + Protobuf::Struct struct_obj; + Protobuf::Value val; val.set_string_value(value); (*struct_obj.mutable_fields())[key] = val; return struct_obj; } -ProtobufWkt::Struct MessageUtil::keyValueStruct(const std::map& fields) { - ProtobufWkt::Struct struct_obj; - ProtobufWkt::Value val; +Protobuf::Struct MessageUtil::keyValueStruct(const std::map& fields) { + Protobuf::Struct struct_obj; + Protobuf::Value val; for (const auto& pair : fields) { val.set_string_value(pair.second); (*struct_obj.mutable_fields())[pair.first] = val; @@ -669,31 +668,31 @@ std::string MessageUtil::toTextProto(const Protobuf::Message& message) { #endif } -bool ValueUtil::equal(const ProtobufWkt::Value& v1, const ProtobufWkt::Value& v2) { - ProtobufWkt::Value::KindCase kind = v1.kind_case(); +bool ValueUtil::equal(const Protobuf::Value& v1, const Protobuf::Value& v2) { + Protobuf::Value::KindCase kind = v1.kind_case(); if (kind != v2.kind_case()) { return false; } switch (kind) { - case ProtobufWkt::Value::KIND_NOT_SET: - return v2.kind_case() == ProtobufWkt::Value::KIND_NOT_SET; + case Protobuf::Value::KIND_NOT_SET: + return v2.kind_case() == Protobuf::Value::KIND_NOT_SET; - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::kNullValue: return true; - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: return v1.number_value() == v2.number_value(); - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: return v1.string_value() == v2.string_value(); - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: return v1.bool_value() == v2.bool_value(); - case ProtobufWkt::Value::kStructValue: { - const ProtobufWkt::Struct& s1 = v1.struct_value(); - const ProtobufWkt::Struct& s2 = v2.struct_value(); + case Protobuf::Value::kStructValue: { + const Protobuf::Struct& s1 = v1.struct_value(); + const Protobuf::Struct& s2 = v2.struct_value(); if (s1.fields_size() != s2.fields_size()) { return false; } @@ -710,9 +709,9 @@ bool ValueUtil::equal(const ProtobufWkt::Value& v1, const ProtobufWkt::Value& v2 return true; } - case ProtobufWkt::Value::kListValue: { - const ProtobufWkt::ListValue& l1 = v1.list_value(); - const ProtobufWkt::ListValue& l2 = v2.list_value(); + case Protobuf::Value::kListValue: { + const Protobuf::ListValue& l1 = v1.list_value(); + const Protobuf::ListValue& l2 = v2.list_value(); if (l1.values_size() != l2.values_size()) { return false; } @@ -727,57 +726,57 @@ bool ValueUtil::equal(const ProtobufWkt::Value& v1, const ProtobufWkt::Value& v2 return false; } -const ProtobufWkt::Value& ValueUtil::nullValue() { - static const auto* v = []() -> ProtobufWkt::Value* { - auto* vv = new ProtobufWkt::Value(); - vv->set_null_value(ProtobufWkt::NULL_VALUE); +const Protobuf::Value& ValueUtil::nullValue() { + static const auto* v = []() -> Protobuf::Value* { + auto* vv = new Protobuf::Value(); + vv->set_null_value(Protobuf::NULL_VALUE); return vv; }(); return *v; } -ProtobufWkt::Value ValueUtil::stringValue(absl::string_view str) { - ProtobufWkt::Value val; +Protobuf::Value ValueUtil::stringValue(absl::string_view str) { + Protobuf::Value val; val.set_string_value(str); return val; } -ProtobufWkt::Value ValueUtil::optionalStringValue(const absl::optional& str) { +Protobuf::Value ValueUtil::optionalStringValue(const absl::optional& str) { if (str.has_value()) { return ValueUtil::stringValue(str.value()); } return ValueUtil::nullValue(); } -ProtobufWkt::Value ValueUtil::boolValue(bool b) { - ProtobufWkt::Value val; +Protobuf::Value ValueUtil::boolValue(bool b) { + Protobuf::Value val; val.set_bool_value(b); return val; } -ProtobufWkt::Value ValueUtil::structValue(const ProtobufWkt::Struct& obj) { - ProtobufWkt::Value val; +Protobuf::Value ValueUtil::structValue(const Protobuf::Struct& obj) { + Protobuf::Value val; (*val.mutable_struct_value()) = obj; return val; } -ProtobufWkt::Value ValueUtil::listValue(const std::vector& values) { - auto list = std::make_unique(); +Protobuf::Value ValueUtil::listValue(const std::vector& values) { + auto list = std::make_unique(); for (const auto& value : values) { *list->add_values() = value; } - ProtobufWkt::Value val; + Protobuf::Value val; val.set_allocated_list_value(list.release()); return val; } -uint64_t DurationUtil::durationToMilliseconds(const ProtobufWkt::Duration& duration) { +uint64_t DurationUtil::durationToMilliseconds(const Protobuf::Duration& duration) { validateDuration(duration); return Protobuf::util::TimeUtil::DurationToMilliseconds(duration); } absl::StatusOr -DurationUtil::durationToMillisecondsNoThrow(const ProtobufWkt::Duration& duration) { +DurationUtil::durationToMillisecondsNoThrow(const Protobuf::Duration& duration) { const absl::Status result = validateDurationNoThrow(duration); if (!result.ok()) { return result; @@ -785,13 +784,13 @@ DurationUtil::durationToMillisecondsNoThrow(const ProtobufWkt::Duration& duratio return Protobuf::util::TimeUtil::DurationToMilliseconds(duration); } -uint64_t DurationUtil::durationToSeconds(const ProtobufWkt::Duration& duration) { +uint64_t DurationUtil::durationToSeconds(const Protobuf::Duration& duration) { validateDuration(duration); return Protobuf::util::TimeUtil::DurationToSeconds(duration); } void TimestampUtil::systemClockToTimestamp(const SystemTime system_clock_time, - ProtobufWkt::Timestamp& timestamp) { + Protobuf::Timestamp& timestamp) { // Converts to millisecond-precision Timestamp by explicitly casting to millisecond-precision // time_point. timestamp.MergeFrom(Protobuf::util::TimeUtil::MillisecondsToTimestamp( @@ -812,7 +811,7 @@ std::string TypeUtil::descriptorFullNameToTypeUrl(absl::string_view type) { return "type.googleapis.com/" + std::string(type); } -void StructUtil::update(ProtobufWkt::Struct& obj, const ProtobufWkt::Struct& with) { +void StructUtil::update(Protobuf::Struct& obj, const Protobuf::Struct& with) { auto& obj_fields = *obj.mutable_fields(); for (const auto& [key, val] : with.fields()) { @@ -828,24 +827,24 @@ void StructUtil::update(ProtobufWkt::Struct& obj, const ProtobufWkt::Struct& wit // Otherwise, the strategy depends on the value kind. switch (val.kind_case()) { // For scalars, the last one wins. - case ProtobufWkt::Value::kNullValue: - case ProtobufWkt::Value::kNumberValue: - case ProtobufWkt::Value::kStringValue: - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kNullValue: + case Protobuf::Value::kNumberValue: + case Protobuf::Value::kStringValue: + case Protobuf::Value::kBoolValue: obj_key = val; break; // If we got a structure, recursively update. - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: update(*obj_key.mutable_struct_value(), val.struct_value()); break; // For lists, append the new values. - case ProtobufWkt::Value::kListValue: { + case Protobuf::Value::kListValue: { auto& obj_key_vec = *obj_key.mutable_list_value()->mutable_values(); const auto& vals = val.list_value().values(); obj_key_vec.MergeFrom(vals); break; } - case ProtobufWkt::Value::KIND_NOT_SET: + case Protobuf::Value::KIND_NOT_SET: break; } } diff --git a/source/common/protobuf/utility.h b/source/common/protobuf/utility.h index 4ad3d64548a82..1c5ae2b989d5e 100644 --- a/source/common/protobuf/utility.h +++ b/source/common/protobuf/utility.h @@ -268,7 +268,7 @@ class MessageUtil { */ static absl::Status loadFromJsonNoThrow(absl::string_view json, Protobuf::Message& message, bool& has_unknown_fileld); - static void loadFromJson(absl::string_view json, ProtobufWkt::Struct& message); + static void loadFromJson(absl::string_view json, Protobuf::Struct& message); static void loadFromYaml(const std::string& yaml, Protobuf::Message& message, ProtobufMessage::ValidationVisitor& validation_visitor); #endif @@ -396,7 +396,7 @@ class MessageUtil { * * @throw EnvoyException if the message does not unpack. */ - static void packFrom(ProtobufWkt::Any& any_message, const Protobuf::Message& message); + static void packFrom(Protobuf::Any& any_message, const Protobuf::Message& message); /** * Convert from google.protobuf.Any to a typed message. This should be used @@ -407,7 +407,7 @@ class MessageUtil { * * @return absl::Status */ - static absl::Status unpackTo(const ProtobufWkt::Any& any_message, Protobuf::Message& message); + static absl::Status unpackTo(const Protobuf::Any& any_message, Protobuf::Message& message); /** * Convert from google.protobuf.Any to bytes as std::string @@ -415,13 +415,13 @@ class MessageUtil { * * @return std::string consists of bytes in the input message or error status. */ - static absl::StatusOr anyToBytes(const ProtobufWkt::Any& any) { - if (any.Is()) { - ProtobufWkt::StringValue s; + static absl::StatusOr anyToBytes(const Protobuf::Any& any) { + if (any.Is()) { + Protobuf::StringValue s; RETURN_IF_NOT_OK(MessageUtil::unpackTo(any, s)); return s.value(); } - if (any.Is()) { + if (any.Is()) { Protobuf::BytesValue b; RETURN_IF_NOT_OK(MessageUtil::unpackTo(any, b)); return bytesToString(b.value()); @@ -436,12 +436,11 @@ class MessageUtil { * @return MessageType the typed message inside the Any. */ template - static inline void anyConvert(const ProtobufWkt::Any& message, MessageType& typed_message) { + static inline void anyConvert(const Protobuf::Any& message, MessageType& typed_message) { THROW_IF_NOT_OK(unpackTo(message, typed_message)); }; - template - static inline MessageType anyConvert(const ProtobufWkt::Any& message) { + template static inline MessageType anyConvert(const Protobuf::Any& message) { MessageType typed_message; anyConvert(message, typed_message); return typed_message; @@ -455,8 +454,7 @@ class MessageUtil { * @throw EnvoyException if the message does not satisfy its type constraints. */ template - static inline void anyConvertAndValidate(const ProtobufWkt::Any& message, - MessageType& typed_message, + static inline void anyConvertAndValidate(const Protobuf::Any& message, MessageType& typed_message, ProtobufMessage::ValidationVisitor& validation_visitor) { anyConvert(message, typed_message); validate(typed_message, validation_visitor); @@ -464,7 +462,7 @@ class MessageUtil { template static inline MessageType - anyConvertAndValidate(const ProtobufWkt::Any& message, + anyConvertAndValidate(const Protobuf::Any& message, ProtobufMessage::ValidationVisitor& validation_visitor) { MessageType typed_message; anyConvertAndValidate(message, typed_message, validation_visitor); @@ -498,12 +496,12 @@ class MessageUtil { * @param dest message. */ static void jsonConvert(const Protobuf::Message& source, Protobuf::Message& dest); - static void jsonConvert(const Protobuf::Message& source, ProtobufWkt::Struct& dest); - static void jsonConvert(const ProtobufWkt::Struct& source, + static void jsonConvert(const Protobuf::Message& source, Protobuf::Struct& dest); + static void jsonConvert(const Protobuf::Struct& source, ProtobufMessage::ValidationVisitor& validation_visitor, Protobuf::Message& dest); - // Convert a message to a ProtobufWkt::Value, return false upon failure. - static bool jsonConvertValue(const Protobuf::Message& source, ProtobufWkt::Value& dest); + // Convert a message to a Protobuf::Value, return false upon failure. + static bool jsonConvertValue(const Protobuf::Message& source, Protobuf::Value& dest); /** * Extract YAML as string from a google.protobuf.Message. @@ -556,14 +554,14 @@ class MessageUtil { * @param key the key to use to set the value * @param value the string value to associate with the key */ - static ProtobufWkt::Struct keyValueStruct(const std::string& key, const std::string& value); + static Protobuf::Struct keyValueStruct(const std::string& key, const std::string& value); /** * Utility method to create a Struct containing the passed in key/value map. * * @param fields the key/value pairs to initialize the Struct proto */ - static ProtobufWkt::Struct keyValueStruct(const std::map& fields); + static Protobuf::Struct keyValueStruct(const std::map& fields); /** * Utility method to print a human readable string of the code passed in. @@ -581,10 +579,10 @@ class MessageUtil { * traversed recursively to redact their contents. * * LIMITATION: This works properly for strongly-typed messages, as well as for messages packed in - * a `ProtobufWkt::Any` with a `type_url` corresponding to a proto that was compiled into the - * Envoy binary. However it does not work for messages encoded as `ProtobufWkt::Struct`, since + * a `Protobuf::Any` with a `type_url` corresponding to a proto that was compiled into the + * Envoy binary. However it does not work for messages encoded as `Protobuf::Struct`, since * structs are missing the "sensitive" annotations that this function expects. Similarly, it fails - * for messages encoded as `ProtobufWkt::Any` with a `type_url` that isn't registered with the + * for messages encoded as `Protobuf::Any` with a `type_url` that isn't registered with the * binary. If you're working with struct-typed messages, including those that might be hiding * within strongly-typed messages, please reify them to strongly-typed messages using * `MessageUtil::jsonConvert()` before calling `MessageUtil::redact()`. @@ -609,86 +607,86 @@ class MessageUtil { class ValueUtil { public: - static std::size_t hash(const ProtobufWkt::Value& value) { return MessageUtil::hash(value); } + static std::size_t hash(const Protobuf::Value& value) { return MessageUtil::hash(value); } #ifdef ENVOY_ENABLE_YAML /** - * Load YAML string into ProtobufWkt::Value. + * Load YAML string into Protobuf::Value. */ - static ProtobufWkt::Value loadFromYaml(const std::string& yaml); + static Protobuf::Value loadFromYaml(const std::string& yaml); #endif /** - * Compare two ProtobufWkt::Values for equality. + * Compare two Protobuf::Values for equality. * @param v1 message of type type.googleapis.com/google.protobuf.Value * @param v2 message of type type.googleapis.com/google.protobuf.Value * @return true if v1 and v2 are identical */ - static bool equal(const ProtobufWkt::Value& v1, const ProtobufWkt::Value& v2); + static bool equal(const Protobuf::Value& v1, const Protobuf::Value& v2); /** - * @return wrapped ProtobufWkt::NULL_VALUE. + * @return wrapped Protobuf::NULL_VALUE. */ - static const ProtobufWkt::Value& nullValue(); + static const Protobuf::Value& nullValue(); /** - * Wrap absl::string_view into ProtobufWkt::Value string value. + * Wrap absl::string_view into Protobuf::Value string value. * @param str string to be wrapped. * @return wrapped string. */ - static ProtobufWkt::Value stringValue(absl::string_view str); + static Protobuf::Value stringValue(absl::string_view str); /** - * Wrap optional std::string into ProtobufWkt::Value string value. - * If the argument contains a null optional, return ProtobufWkt::NULL_VALUE. + * Wrap optional std::string into Protobuf::Value string value. + * If the argument contains a null optional, return Protobuf::NULL_VALUE. * @param str string to be wrapped. * @return wrapped string. */ - static ProtobufWkt::Value optionalStringValue(const absl::optional& str); + static Protobuf::Value optionalStringValue(const absl::optional& str); /** - * Wrap boolean into ProtobufWkt::Value boolean value. + * Wrap boolean into Protobuf::Value boolean value. * @param str boolean to be wrapped. * @return wrapped boolean. */ - static ProtobufWkt::Value boolValue(bool b); + static Protobuf::Value boolValue(bool b); /** - * Wrap ProtobufWkt::Struct into ProtobufWkt::Value struct value. + * Wrap Protobuf::Struct into Protobuf::Value struct value. * @param obj struct to be wrapped. * @return wrapped struct. */ - static ProtobufWkt::Value structValue(const ProtobufWkt::Struct& obj); + static Protobuf::Value structValue(const Protobuf::Struct& obj); /** - * Wrap number into ProtobufWkt::Value double value. + * Wrap number into Protobuf::Value double value. * @param num number to be wrapped. * @return wrapped number. */ - template static ProtobufWkt::Value numberValue(const T num) { - ProtobufWkt::Value val; + template static Protobuf::Value numberValue(const T num) { + Protobuf::Value val; val.set_number_value(static_cast(num)); return val; } /** - * Wrap a collection of ProtobufWkt::Values into ProtobufWkt::Value list value. - * @param values collection of ProtobufWkt::Values to be wrapped. + * Wrap a collection of Protobuf::Values into Protobuf::Value list value. + * @param values collection of Protobuf::Values to be wrapped. * @return wrapped list value. */ - static ProtobufWkt::Value listValue(const std::vector& values); + static Protobuf::Value listValue(const std::vector& values); }; /** - * HashedValue is a wrapper around ProtobufWkt::Value that computes + * HashedValue is a wrapper around Protobuf::Value that computes * and stores a hash code for the Value at construction. */ class HashedValue { public: - HashedValue(const ProtobufWkt::Value& value) : value_(value), hash_(ValueUtil::hash(value)) {}; + HashedValue(const Protobuf::Value& value) : value_(value), hash_(ValueUtil::hash(value)) {}; HashedValue(const HashedValue& v) = default; - const ProtobufWkt::Value& value() const { return value_; } + const Protobuf::Value& value() const { return value_; } std::size_t hash() const { return hash_; } bool operator==(const HashedValue& rhs) const { @@ -698,7 +696,7 @@ class HashedValue { bool operator!=(const HashedValue& rhs) const { return !(*this == rhs); } private: - const ProtobufWkt::Value value_; + const Protobuf::Value value_; const std::size_t hash_; }; @@ -712,15 +710,14 @@ class DurationUtil { * @return duration in milliseconds. * @throw EnvoyException when duration is out-of-range. */ - static uint64_t durationToMilliseconds(const ProtobufWkt::Duration& duration); + static uint64_t durationToMilliseconds(const Protobuf::Duration& duration); /** * Same as DurationUtil::durationToMilliseconds but does not throw an exception. * @param duration protobuf. * @return duration in milliseconds or an error status. */ - static absl::StatusOr - durationToMillisecondsNoThrow(const ProtobufWkt::Duration& duration); + static absl::StatusOr durationToMillisecondsNoThrow(const Protobuf::Duration& duration); /** * Same as Protobuf::util::TimeUtil::DurationToSeconds but with extra validation logic. @@ -729,7 +726,7 @@ class DurationUtil { * @return duration in seconds. * @throw EnvoyException when duration is out-of-range. */ - static uint64_t durationToSeconds(const ProtobufWkt::Duration& duration); + static uint64_t durationToSeconds(const Protobuf::Duration& duration); }; class TimestampUtil { @@ -740,7 +737,7 @@ class TimestampUtil { * @param timestamp a pointer to the mutable protobuf member to be written into. */ static void systemClockToTimestamp(const SystemTime system_clock_time, - ProtobufWkt::Timestamp& timestamp); + Protobuf::Timestamp& timestamp); }; class StructUtil { @@ -759,7 +756,7 @@ class StructUtil { * @param obj the object to update in-place * @param with the object to update \p obj with */ - static void update(ProtobufWkt::Struct& obj, const ProtobufWkt::Struct& with); + static void update(Protobuf::Struct& obj, const Protobuf::Struct& with); }; } // namespace Envoy diff --git a/source/common/protobuf/visitor.cc b/source/common/protobuf/visitor.cc index 70890648959c9..d94c354161578 100644 --- a/source/common/protobuf/visitor.cc +++ b/source/common/protobuf/visitor.cc @@ -23,7 +23,7 @@ absl::Status traverseMessageWorker(ConstProtoVisitor& visitor, const Protobuf::M absl::string_view target_type_url; if (message.GetTypeName() == "google.protobuf.Any") { - auto* any_message = Protobuf::DynamicCastMessage(&message); + auto* any_message = Protobuf::DynamicCastMessage(&message); inner_message = Helper::typeUrlToMessage(any_message->type_url()); target_type_url = any_message->type_url(); // inner_message must be valid as parsing would have already failed to load if there was an diff --git a/source/common/protobuf/yaml_utility.cc b/source/common/protobuf/yaml_utility.cc index 741817bc04315..2ee35579d4834 100644 --- a/source/common/protobuf/yaml_utility.cc +++ b/source/common/protobuf/yaml_utility.cc @@ -42,11 +42,11 @@ void blockFormat(YAML::Node node) { } } -ProtobufWkt::Value parseYamlNode(const YAML::Node& node) { - ProtobufWkt::Value value; +Protobuf::Value parseYamlNode(const YAML::Node& node) { + Protobuf::Value value; switch (node.Type()) { case YAML::NodeType::Null: - value.set_null_value(ProtobufWkt::NULL_VALUE); + value.set_null_value(Protobuf::NULL_VALUE); break; case YAML::NodeType::Scalar: { if (node.Tag() == "!") { @@ -63,7 +63,7 @@ ProtobufWkt::Value parseYamlNode(const YAML::Node& node) { if (std::numeric_limits::min() <= int_value && std::numeric_limits::max() >= int_value) { // We could convert all integer values to string but it will break some stuff relying on - // ProtobufWkt::Struct itself, only convert small numbers into number_value here. + // Protobuf::Struct itself, only convert small numbers into number_value here. value.set_number_value(int_value); } else { // Proto3 JSON mapping allows use string for integer, this still has to be converted from @@ -164,7 +164,7 @@ absl::Status MessageUtil::loadFromJsonNoThrow(absl::string_view json, Protobuf:: return relaxed_status; } -void MessageUtil::loadFromJson(absl::string_view json, ProtobufWkt::Struct& message) { +void MessageUtil::loadFromJson(absl::string_view json, Protobuf::Struct& message) { // No need to validate if converting to a Struct, since there are no unknown // fields possible. loadFromJson(json, message, ProtobufMessage::getNullValidationVisitor()); @@ -172,9 +172,9 @@ void MessageUtil::loadFromJson(absl::string_view json, ProtobufWkt::Struct& mess void MessageUtil::loadFromYaml(const std::string& yaml, Protobuf::Message& message, ProtobufMessage::ValidationVisitor& validation_visitor) { - ProtobufWkt::Value value = ValueUtil::loadFromYaml(yaml); - if (value.kind_case() == ProtobufWkt::Value::kStructValue || - value.kind_case() == ProtobufWkt::Value::kListValue) { + Protobuf::Value value = ValueUtil::loadFromYaml(yaml); + if (value.kind_case() == Protobuf::Value::kStructValue || + value.kind_case() == Protobuf::Value::kListValue) { jsonConvertInternal(value, validation_visitor, message); return; } @@ -248,20 +248,20 @@ void MessageUtil::jsonConvert(const Protobuf::Message& source, Protobuf::Message jsonConvertInternal(source, ProtobufMessage::getNullValidationVisitor(), dest); } -void MessageUtil::jsonConvert(const Protobuf::Message& source, ProtobufWkt::Struct& dest) { +void MessageUtil::jsonConvert(const Protobuf::Message& source, Protobuf::Struct& dest) { // Any proto3 message can be transformed to Struct, so there is no need to check for unknown // fields. There is one catch; Duration/Timestamp etc. which have non-object canonical JSON // representations don't work. jsonConvertInternal(source, ProtobufMessage::getNullValidationVisitor(), dest); } -void MessageUtil::jsonConvert(const ProtobufWkt::Struct& source, +void MessageUtil::jsonConvert(const Protobuf::Struct& source, ProtobufMessage::ValidationVisitor& validation_visitor, Protobuf::Message& dest) { jsonConvertInternal(source, validation_visitor, dest); } -bool MessageUtil::jsonConvertValue(const Protobuf::Message& source, ProtobufWkt::Value& dest) { +bool MessageUtil::jsonConvertValue(const Protobuf::Message& source, Protobuf::Value& dest) { Protobuf::util::JsonPrintOptions json_options; json_options.preserve_proto_field_names = true; std::string json; @@ -277,7 +277,7 @@ bool MessageUtil::jsonConvertValue(const Protobuf::Message& source, ProtobufWkt: return false; } -ProtobufWkt::Value ValueUtil::loadFromYaml(const std::string& yaml) { +Protobuf::Value ValueUtil::loadFromYaml(const std::string& yaml) { TRY_ASSERT_MAIN_THREAD { return parseYamlNode(YAML::Load(yaml)); } END_TRY catch (YAML::ParserException& e) { diff --git a/source/common/quic/envoy_quic_server_connection.h b/source/common/quic/envoy_quic_server_connection.h index 28b655f4d70ae..84ba859eecff2 100644 --- a/source/common/quic/envoy_quic_server_connection.h +++ b/source/common/quic/envoy_quic_server_connection.h @@ -67,10 +67,10 @@ class QuicListenerFilterManagerImpl : public Network::QuicListenerFilterManager, Event::Dispatcher& dispatcher() override { return dispatcher_; } void continueFilterChain(bool /*success*/) override { IS_ENVOY_BUG("Should not be used."); } void useOriginalDst(bool /*use_original_dst*/) override { IS_ENVOY_BUG("Should not be used."); } - void setDynamicMetadata(const std::string& name, const ProtobufWkt::Struct& value) override { + void setDynamicMetadata(const std::string& name, const Protobuf::Struct& value) override { stream_info_.setDynamicMetadata(name, value); } - void setDynamicTypedMetadata(const std::string& name, const ProtobufWkt::Any& value) override { + void setDynamicTypedMetadata(const std::string& name, const Protobuf::Any& value) override { stream_info_.setDynamicTypedMetadata(name, value); } envoy::config::core::v3::Metadata& dynamicMetadata() override { diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 11053386880fe..df46ccc0c604b 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -1112,7 +1112,7 @@ RouteEntryImplBase::parseOpaqueConfig(const envoy::config::route::v3::Route& rou return ret; } for (const auto& it : filter_metadata->second.fields()) { - if (it.second.kind_case() == ProtobufWkt::Value::kStringValue) { + if (it.second.kind_case() == Protobuf::Value::kStringValue) { ret.emplace(it.first, it.second.string_value()); } } diff --git a/source/common/router/metadatamatchcriteria_impl.cc b/source/common/router/metadatamatchcriteria_impl.cc index 36fb3dcce3f12..129f2b899fd75 100644 --- a/source/common/router/metadatamatchcriteria_impl.cc +++ b/source/common/router/metadatamatchcriteria_impl.cc @@ -4,7 +4,7 @@ namespace Envoy { namespace Router { std::vector MetadataMatchCriteriaImpl::extractMetadataMatchCriteria(const MetadataMatchCriteriaImpl* parent, - const ProtobufWkt::Struct& matches) { + const Protobuf::Struct& matches) { std::vector v; // Track locations of each name (from the parent) in v to make it diff --git a/source/common/router/metadatamatchcriteria_impl.h b/source/common/router/metadatamatchcriteria_impl.h index e83e52e507d75..cbb120c0107e5 100644 --- a/source/common/router/metadatamatchcriteria_impl.h +++ b/source/common/router/metadatamatchcriteria_impl.h @@ -10,7 +10,7 @@ using MetadataMatchCriteriaImplConstPtr = std::unique_ptr extractMetadataMatchCriteria(const MetadataMatchCriteriaImpl* parent, - const ProtobufWkt::Struct& metadata_matches); + const Protobuf::Struct& metadata_matches); const std::vector metadata_match_criteria_; }; diff --git a/source/common/router/per_filter_config.cc b/source/common/router/per_filter_config.cc index ccbd6e2461e84..3229cda56a073 100644 --- a/source/common/router/per_filter_config.cc +++ b/source/common/router/per_filter_config.cc @@ -8,7 +8,7 @@ namespace Envoy { namespace Router { absl::StatusOr> -PerFilterConfigs::create(const Protobuf::Map& typed_configs, +PerFilterConfigs::create(const Protobuf::Map& typed_configs, Server::Configuration::ServerFactoryContext& factory_context, ProtobufMessage::ValidationVisitor& validator) { absl::Status creation_status = absl::OkStatus(); @@ -20,7 +20,7 @@ PerFilterConfigs::create(const Protobuf::Map& typ absl::StatusOr PerFilterConfigs::createRouteSpecificFilterConfig( - const std::string& name, const ProtobufWkt::Any& typed_config, bool is_optional, + const std::string& name, const Protobuf::Any& typed_config, bool is_optional, Server::Configuration::ServerFactoryContext& factory_context, ProtobufMessage::ValidationVisitor& validator) { Server::Configuration::NamedHttpFilterConfigFactory* factory = @@ -61,10 +61,10 @@ PerFilterConfigs::createRouteSpecificFilterConfig( return object; } -PerFilterConfigs::PerFilterConfigs( - const Protobuf::Map& typed_configs, - Server::Configuration::ServerFactoryContext& factory_context, - ProtobufMessage::ValidationVisitor& validator, absl::Status& creation_status) { +PerFilterConfigs::PerFilterConfigs(const Protobuf::Map& typed_configs, + Server::Configuration::ServerFactoryContext& factory_context, + ProtobufMessage::ValidationVisitor& validator, + absl::Status& creation_status) { std::string filter_config_type( envoy::config::route::v3::FilterConfig::default_instance().GetTypeName()); diff --git a/source/common/router/per_filter_config.h b/source/common/router/per_filter_config.h index 22967dd28b7fd..8bf515dfa4479 100644 --- a/source/common/router/per_filter_config.h +++ b/source/common/router/per_filter_config.h @@ -10,7 +10,7 @@ namespace Router { class PerFilterConfigs : public Logger::Loggable { public: static absl::StatusOr> - create(const Protobuf::Map& typed_configs, + create(const Protobuf::Map& typed_configs, Server::Configuration::ServerFactoryContext& factory_context, ProtobufMessage::ValidationVisitor& validator); @@ -29,12 +29,12 @@ class PerFilterConfigs : public Logger::Loggable { absl::optional disabled(absl::string_view name) const; private: - PerFilterConfigs(const Protobuf::Map& typed_configs, + PerFilterConfigs(const Protobuf::Map& typed_configs, Server::Configuration::ServerFactoryContext& factory_context, ProtobufMessage::ValidationVisitor& validator, absl::Status& creation_status); absl::StatusOr - createRouteSpecificFilterConfig(const std::string& name, const ProtobufWkt::Any& typed_config, + createRouteSpecificFilterConfig(const std::string& name, const Protobuf::Any& typed_config, bool is_optional, Server::Configuration::ServerFactoryContext& factory_context, ProtobufMessage::ValidationVisitor& validator); diff --git a/source/common/router/router_ratelimit.cc b/source/common/router/router_ratelimit.cc index 2afdd4122e5dd..29fff9b3ec2a7 100644 --- a/source/common/router/router_ratelimit.cc +++ b/source/common/router/router_ratelimit.cc @@ -58,9 +58,9 @@ bool MatchInputRateLimitDescriptor::populateDescriptor(RateLimit::DescriptorEntr bool DynamicMetadataRateLimitOverride::populateOverride( RateLimit::Descriptor& descriptor, const envoy::config::core::v3::Metadata* metadata) const { - const ProtobufWkt::Value& metadata_value = + const Protobuf::Value& metadata_value = Envoy::Config::Metadata::metadataValue(metadata, metadata_key_); - if (metadata_value.kind_case() != ProtobufWkt::Value::kStructValue) { + if (metadata_value.kind_case() != Protobuf::Value::kStructValue) { return false; } @@ -68,9 +68,9 @@ bool DynamicMetadataRateLimitOverride::populateOverride( const auto& limit_it = override_value.find("requests_per_unit"); const auto& unit_it = override_value.find("unit"); if (limit_it != override_value.end() && - limit_it->second.kind_case() == ProtobufWkt::Value::kNumberValue && + limit_it->second.kind_case() == Protobuf::Value::kNumberValue && unit_it != override_value.end() && - unit_it->second.kind_case() == ProtobufWkt::Value::kStringValue) { + unit_it->second.kind_case() == Protobuf::Value::kStringValue) { envoy::type::v3::RateLimitUnit unit; if (envoy::type::v3::RateLimitUnit_Parse(unit_it->second.string_value(), &unit)) { descriptor.limit_.emplace(RateLimit::RateLimitOverride{ diff --git a/source/common/router/string_accessor_impl.h b/source/common/router/string_accessor_impl.h index d4851e9b1a754..81f0cab4f8f3e 100644 --- a/source/common/router/string_accessor_impl.h +++ b/source/common/router/string_accessor_impl.h @@ -14,7 +14,7 @@ class StringAccessorImpl : public StringAccessor { // FilterState::Object ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(value_); return message; } diff --git a/source/common/runtime/runtime_impl.cc b/source/common/runtime/runtime_impl.cc index a0144c6893f9a..9ccf170365dd1 100644 --- a/source/common/runtime/runtime_impl.cc +++ b/source/common/runtime/runtime_impl.cc @@ -234,7 +234,7 @@ SnapshotImpl::SnapshotImpl(Random::RandomGenerator& generator, RuntimeStats& sta stats.num_keys_.set(values_.size()); } -void parseFractionValue(SnapshotImpl::Entry& entry, const ProtobufWkt::Struct& value) { +void parseFractionValue(SnapshotImpl::Entry& entry, const Protobuf::Struct& value) { envoy::type::v3::FractionalPercent percent; static_assert(envoy::type::v3::FractionalPercent::MILLION == envoy::type::v3::FractionalPercent::DenominatorType_MAX); @@ -286,11 +286,11 @@ bool parseEntryDoubleValue(Envoy::Runtime::Snapshot::Entry& entry) { } void SnapshotImpl::addEntry(Snapshot::EntryMap& values, const std::string& key, - const ProtobufWkt::Value& value, absl::string_view raw_string) { + const Protobuf::Value& value, absl::string_view raw_string) { values.emplace(key, SnapshotImpl::createEntry(value, raw_string)); } -SnapshotImpl::Entry SnapshotImpl::createEntry(const ProtobufWkt::Value& value, +SnapshotImpl::Entry SnapshotImpl::createEntry(const Protobuf::Value& value, absl::string_view raw_string) { Entry entry; entry.raw_string_value_ = value.string_value(); @@ -298,26 +298,26 @@ SnapshotImpl::Entry SnapshotImpl::createEntry(const ProtobufWkt::Value& value, entry.raw_string_value_ = raw_string; } switch (value.kind_case()) { - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: setNumberValue(entry, value.number_value()); if (entry.raw_string_value_.empty()) { entry.raw_string_value_ = absl::StrCat(value.number_value()); } break; - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: entry.bool_value_ = value.bool_value(); if (entry.raw_string_value_.empty()) { // Convert boolean to "true"/"false" entry.raw_string_value_ = value.bool_value() ? "true" : "false"; } break; - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: if (entry.raw_string_value_.empty()) { entry.raw_string_value_ = value.struct_value().DebugString(); } parseFractionValue(entry, value.struct_value()); break; - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: parseEntryDoubleValue(entry); break; default: @@ -422,7 +422,7 @@ absl::Status DiskLayer::walkDirectory(const std::string& path, const std::string return absl::OkStatus(); } -ProtoLayer::ProtoLayer(absl::string_view name, const ProtobufWkt::Struct& proto, +ProtoLayer::ProtoLayer(absl::string_view name, const Protobuf::Struct& proto, absl::Status& creation_status) : OverrideLayerImpl{name} { creation_status = absl::OkStatus(); @@ -434,18 +434,18 @@ ProtoLayer::ProtoLayer(absl::string_view name, const ProtobufWkt::Struct& proto, } } -absl::Status ProtoLayer::walkProtoValue(const ProtobufWkt::Value& v, const std::string& prefix) { +absl::Status ProtoLayer::walkProtoValue(const Protobuf::Value& v, const std::string& prefix) { switch (v.kind_case()) { - case ProtobufWkt::Value::KIND_NOT_SET: - case ProtobufWkt::Value::kListValue: - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::KIND_NOT_SET: + case Protobuf::Value::kListValue: + case Protobuf::Value::kNullValue: return absl::InvalidArgumentError(absl::StrCat("Invalid runtime entry value for ", prefix)); break; - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: SnapshotImpl::addEntry(values_, prefix, v, ""); break; - case ProtobufWkt::Value::kNumberValue: - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kNumberValue: + case Protobuf::Value::kBoolValue: if (hasRuntimePrefix(prefix) && !isRuntimeFeature(prefix) && !isLegacyRuntimeFeature(prefix)) { IS_ENVOY_BUG(absl::StrCat( "Using a removed guard ", prefix, @@ -453,8 +453,8 @@ absl::Status ProtoLayer::walkProtoValue(const ProtobufWkt::Value& v, const std:: } SnapshotImpl::addEntry(values_, prefix, v, ""); break; - case ProtobufWkt::Value::kStructValue: { - const ProtobufWkt::Struct& s = v.struct_value(); + case Protobuf::Value::kStructValue: { + const Protobuf::Struct& s = v.struct_value(); if (s.fields().empty() || s.fields().find("numerator") != s.fields().end() || s.fields().find("denominator") != s.fields().end()) { SnapshotImpl::addEntry(values_, prefix, v, ""); diff --git a/source/common/runtime/runtime_impl.h b/source/common/runtime/runtime_impl.h index 986b6bd6bf3f1..37b43d962bcd3 100644 --- a/source/common/runtime/runtime_impl.h +++ b/source/common/runtime/runtime_impl.h @@ -88,9 +88,9 @@ class SnapshotImpl : public Snapshot, Logger::Loggable { const EntryMap& values() const; - static Entry createEntry(const ProtobufWkt::Value& value, absl::string_view raw_string); + static Entry createEntry(const Protobuf::Value& value, absl::string_view raw_string); static void addEntry(Snapshot::EntryMap& values, const std::string& key, - const ProtobufWkt::Value& value, absl::string_view raw_string = ""); + const Protobuf::Value& value, absl::string_view raw_string = ""); private: const std::vector layers_; @@ -164,11 +164,10 @@ class DiskLayer : public OverrideLayerImpl, Logger::Loggable { public: - ProtoLayer(absl::string_view name, const ProtobufWkt::Struct& proto, - absl::Status& creation_status); + ProtoLayer(absl::string_view name, const Protobuf::Struct& proto, absl::Status& creation_status); private: - absl::Status walkProtoValue(const ProtobufWkt::Value& v, const std::string& prefix); + absl::Status walkProtoValue(const Protobuf::Value& v, const std::string& prefix); }; class LoaderImpl; @@ -201,7 +200,7 @@ struct RtdsSubscription : Envoy::Config::SubscriptionBase; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index fdd59bbf919d6..a995ab6403c63 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -233,7 +233,7 @@ SecretManagerImpl::dumpSecretConfigs(const Matchers::StringMatcher& name_matcher const bool secret_ready = tls_cert != nullptr; envoy::extensions::transport_sockets::tls::v3::Secret secret; secret.set_name(secret_data.resource_name_); - ProtobufWkt::Timestamp last_updated_ts; + Protobuf::Timestamp last_updated_ts; TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts); secret.set_name(secret_data.resource_name_); if (secret_ready) { @@ -271,7 +271,7 @@ SecretManagerImpl::dumpSecretConfigs(const Matchers::StringMatcher& name_matcher if (!name_matcher.match(secret.name())) { continue; } - ProtobufWkt::Timestamp last_updated_ts; + Protobuf::Timestamp last_updated_ts; envoy::admin::v3::SecretsConfigDump::DynamicSecret* dump_secret; TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts); if (secret_ready) { @@ -299,7 +299,7 @@ SecretManagerImpl::dumpSecretConfigs(const Matchers::StringMatcher& name_matcher if (!name_matcher.match(secret.name())) { continue; } - ProtobufWkt::Timestamp last_updated_ts; + Protobuf::Timestamp last_updated_ts; TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts); envoy::admin::v3::SecretsConfigDump::DynamicSecret* dump_secret; if (secret_ready) { @@ -328,7 +328,7 @@ SecretManagerImpl::dumpSecretConfigs(const Matchers::StringMatcher& name_matcher if (!name_matcher.match(secret.name())) { continue; } - ProtobufWkt::Timestamp last_updated_ts; + Protobuf::Timestamp last_updated_ts; TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts); envoy::admin::v3::SecretsConfigDump::DynamicSecret* dump_secret; if (secret_ready) { diff --git a/source/common/stream_info/bool_accessor_impl.h b/source/common/stream_info/bool_accessor_impl.h index 8de1563fae48e..274a95a4c719b 100644 --- a/source/common/stream_info/bool_accessor_impl.h +++ b/source/common/stream_info/bool_accessor_impl.h @@ -14,7 +14,7 @@ class BoolAccessorImpl : public BoolAccessor { // From FilterState::Object ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(value_); return message; } diff --git a/source/common/stream_info/stream_info_impl.h b/source/common/stream_info/stream_info_impl.h index f83f314a3961b..6b4a538bae80f 100644 --- a/source/common/stream_info/stream_info_impl.h +++ b/source/common/stream_info/stream_info_impl.h @@ -306,11 +306,11 @@ struct StreamInfoImpl : public StreamInfo { envoy::config::core::v3::Metadata& dynamicMetadata() override { return metadata_; }; const envoy::config::core::v3::Metadata& dynamicMetadata() const override { return metadata_; }; - void setDynamicMetadata(const std::string& name, const ProtobufWkt::Struct& value) override { + void setDynamicMetadata(const std::string& name, const Protobuf::Struct& value) override { (*metadata_.mutable_filter_metadata())[name].MergeFrom(value); }; - void setDynamicTypedMetadata(const std::string& name, const ProtobufWkt::Any& value) override { + void setDynamicTypedMetadata(const std::string& name, const Protobuf::Any& value) override { (*metadata_.mutable_typed_filter_metadata())[name].MergeFrom(value); } diff --git a/source/common/stream_info/uint32_accessor_impl.h b/source/common/stream_info/uint32_accessor_impl.h index 7c725302bfcad..0e7c4b2e458d7 100644 --- a/source/common/stream_info/uint32_accessor_impl.h +++ b/source/common/stream_info/uint32_accessor_impl.h @@ -14,7 +14,7 @@ class UInt32AccessorImpl : public UInt32Accessor { // From FilterState::Object ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(value_); return message; } diff --git a/source/common/stream_info/uint64_accessor_impl.h b/source/common/stream_info/uint64_accessor_impl.h index ff14bbe7844c8..c9d724fd04cce 100644 --- a/source/common/stream_info/uint64_accessor_impl.h +++ b/source/common/stream_info/uint64_accessor_impl.h @@ -14,7 +14,7 @@ class UInt64AccessorImpl : public UInt64Accessor { // From FilterState::Object ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(value_); return message; } diff --git a/source/common/tcp_proxy/upstream.cc b/source/common/tcp_proxy/upstream.cc index 6c9e93c948d81..e40807d4acbae 100644 --- a/source/common/tcp_proxy/upstream.cc +++ b/source/common/tcp_proxy/upstream.cc @@ -309,7 +309,7 @@ std::unique_ptr HttpConnPool::createConnPool( return nullptr; } - ProtobufWkt::Any message; + Protobuf::Any message; if (cluster.info()->upstreamConfig()) { message = cluster.info()->upstreamConfig()->typed_config(); } diff --git a/source/common/tls/context_impl.cc b/source/common/tls/context_impl.cc index aace5f7706ea7..e32186ddb4c44 100644 --- a/source/common/tls/context_impl.cc +++ b/source/common/tls/context_impl.cc @@ -624,9 +624,9 @@ std::vector ContextImpl::getCertChainInformat auto ocsp_resp = ctx.ocsp_response_.get(); if (ocsp_resp) { auto* ocsp_details = detail->mutable_ocsp_details(); - ProtobufWkt::Timestamp* valid_from = ocsp_details->mutable_valid_from(); + Protobuf::Timestamp* valid_from = ocsp_details->mutable_valid_from(); TimestampUtil::systemClockToTimestamp(ocsp_resp->getThisUpdate(), *valid_from); - ProtobufWkt::Timestamp* expiration = ocsp_details->mutable_expiration(); + Protobuf::Timestamp* expiration = ocsp_details->mutable_expiration(); TimestampUtil::systemClockToTimestamp(ocsp_resp->getNextUpdate(), *expiration); } cert_details.push_back(std::move(detail)); diff --git a/source/common/tls/default_tls_certificate_selector.h b/source/common/tls/default_tls_certificate_selector.h index 1fdb290020ba6..f741814c9c1db 100644 --- a/source/common/tls/default_tls_certificate_selector.h +++ b/source/common/tls/default_tls_certificate_selector.h @@ -70,7 +70,7 @@ class TlsCertificateSelectorConfigFactoryImpl : public Ssl::TlsCertificateSelect }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } static Ssl::TlsCertificateSelectorConfigFactory* getDefaultTlsCertificateSelectorConfigFactory() { diff --git a/source/common/tls/server_context_config_impl.cc b/source/common/tls/server_context_config_impl.cc index fc42a6ed041af..b7d303ae01017 100644 --- a/source/common/tls/server_context_config_impl.cc +++ b/source/common/tls/server_context_config_impl.cc @@ -180,7 +180,7 @@ ServerContextConfigImpl::ServerContextConfigImpl( auto factory = TlsCertificateSelectorConfigFactoryImpl::getDefaultTlsCertificateSelectorConfigFactory(); - const ProtobufWkt::Any any; + const Protobuf::Any any; tls_certificate_selector_factory_ = factory->createTlsCertificateSelectorFactory( any, factory_context.serverFactoryContext(), ProtobufMessage::getNullValidationVisitor(), creation_status, for_quic); diff --git a/source/common/tls/ssl_handshaker.h b/source/common/tls/ssl_handshaker.h index 3a5e162d99ada..fd42390ce1611 100644 --- a/source/common/tls/ssl_handshaker.h +++ b/source/common/tls/ssl_handshaker.h @@ -174,7 +174,7 @@ class HandshakerFactoryImpl : public Ssl::HandshakerFactory { std::string name() const override { return "envoy.default_tls_handshaker"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } Ssl::HandshakerFactoryCb createHandshakerCb(const Protobuf::Message&, diff --git a/source/common/tls/utility.cc b/source/common/tls/utility.cc index 6024c9fe97e5f..f412baeeb1b8c 100644 --- a/source/common/tls/utility.cc +++ b/source/common/tls/utility.cc @@ -30,9 +30,9 @@ Envoy::Ssl::CertificateDetailsPtr Utility::certificateDetails(X509* cert, const const auto days_until_expiry = Utility::getDaysUntilExpiration(cert, time_source).value_or(0); certificate_details->set_days_until_expiration(days_until_expiry); - ProtobufWkt::Timestamp* valid_from = certificate_details->mutable_valid_from(); + Protobuf::Timestamp* valid_from = certificate_details->mutable_valid_from(); TimestampUtil::systemClockToTimestamp(Utility::getValidFrom(*cert), *valid_from); - ProtobufWkt::Timestamp* expiration_time = certificate_details->mutable_expiration_time(); + Protobuf::Timestamp* expiration_time = certificate_details->mutable_expiration_time(); TimestampUtil::systemClockToTimestamp(Utility::getExpirationTime(*cert), *expiration_time); for (auto& dns_san : Utility::getSubjectAltNames(*cert, GEN_DNS)) { diff --git a/source/common/tracing/custom_tag_impl.cc b/source/common/tracing/custom_tag_impl.cc index 3b9c8e5fc0a6a..d221d0ec668c5 100644 --- a/source/common/tracing/custom_tag_impl.cc +++ b/source/common/tracing/custom_tag_impl.cc @@ -95,17 +95,17 @@ MetadataCustomTag::metadataToString(const envoy::config::core::v3::Metadata* met return absl::nullopt; } - const ProtobufWkt::Value& value = Envoy::Config::Metadata::metadataValue(metadata, metadata_key_); + const Protobuf::Value& value = Envoy::Config::Metadata::metadataValue(metadata, metadata_key_); switch (value.kind_case()) { - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: return value.bool_value() ? "true" : "false"; - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: return absl::StrCat(value.number_value()); - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: return value.string_value(); - case ProtobufWkt::Value::kListValue: + case Protobuf::Value::kListValue: return jsonOrNullopt(value.list_value()); - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: return jsonOrNullopt(value.struct_value()); default: break; diff --git a/source/common/upstream/cluster_factory_impl.cc b/source/common/upstream/cluster_factory_impl.cc index 1abb78ad1c309..556e1a19057c1 100644 --- a/source/common/upstream/cluster_factory_impl.cc +++ b/source/common/upstream/cluster_factory_impl.cc @@ -27,7 +27,7 @@ ClusterFactoryImplBase::create(const envoy::config::cluster::v3::Cluster& cluste // try to look up by typed_config if (cluster.has_cluster_type() && cluster.cluster_type().has_typed_config() && (TypeUtil::typeUrlToDescriptorFullName(cluster.cluster_type().typed_config().type_url()) != - ProtobufWkt::Struct::GetDescriptor()->full_name())) { + Protobuf::Struct::GetDescriptor()->full_name())) { cluster_config_type_name = TypeUtil::typeUrlToDescriptorFullName(cluster.cluster_type().typed_config().type_url()); factory = Registry::FactoryRegistry::getFactoryByType(cluster_config_type_name); diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 9120df8d6c12a..7b283b5c29db0 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -94,7 +94,7 @@ parseTcpKeepaliveConfig(const envoy::config::cluster::v3::Cluster& config) { } absl::StatusOr -createProtocolOptionsConfig(const std::string& name, const ProtobufWkt::Any& typed_config, +createProtocolOptionsConfig(const std::string& name, const Protobuf::Any& typed_config, Server::Configuration::ProtocolOptionsFactoryContext& factory_context) { Server::Configuration::ProtocolOptionsFactory* factory = Registry::FactoryRegistry::getFactory( diff --git a/source/docs/subset_load_balancer.md b/source/docs/subset_load_balancer.md index 23220d79e1a39..6ba8fde0783ac 100644 --- a/source/docs/subset_load_balancer.md +++ b/source/docs/subset_load_balancer.md @@ -64,12 +64,12 @@ The CDS configuration for the subset selectors is meant to allow future extensio Subsets are stored in a trie-like fashion. Keys in the selectors are lexically sorted. An `LbSubsetMap` is an `unordered_map` of string keys to `ValueSubsetMap`. `ValueSubsetMap` is an -`unordered_map` of (wrapped, see below) `ProtobufWkt::Value` to `LbSubsetEntry`. The +`unordered_map` of (wrapped, see below) `Protobuf::Value` to `LbSubsetEntry`. The `LbSubsetEntry` may contain an `LbSubsetMap` of additional keys or a `Subset`. `Subset` encapsulates the filtered `Upstream::HostSet` and `Upstream::LoadBalancer` for a subset. -`ProtobufWkt::Value` is wrapped to provide a cached hash value for the value. Currently, -`ProtobufWkt::Value` is hashed by first encoding the value as a string and then hashing the +`Protobuf::Value` is wrapped to provide a cached hash value for the value. Currently, +`Protobuf::Value` is hashed by first encoding the value as a string and then hashing the string. By wrapping it, we can compute the hash value outside the request path for both the metadata values provided in `LoadBalancerContext` and those used internally by the SLB. diff --git a/source/extensions/access_loggers/filters/cel/cel.cc b/source/extensions/access_loggers/filters/cel/cel.cc index d25bbb0064951..a039806b302cc 100644 --- a/source/extensions/access_loggers/filters/cel/cel.cc +++ b/source/extensions/access_loggers/filters/cel/cel.cc @@ -19,7 +19,7 @@ CELAccessLogExtensionFilter::CELAccessLogExtensionFilter( bool CELAccessLogExtensionFilter::evaluate(const Formatter::HttpFormatterContext& log_context, const StreamInfo::StreamInfo& stream_info) const { - ProtobufWkt::Arena arena; + Protobuf::Arena arena; const auto result = Extensions::Filters::Common::Expr::evaluate( *compiled_expr_.get(), arena, &local_info_, stream_info, &log_context.requestHeaders(), &log_context.responseHeaders(), &log_context.responseTrailers()); diff --git a/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc b/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc index 017ca04259aa0..d57565805aed7 100644 --- a/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc +++ b/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc @@ -357,9 +357,9 @@ bool extractFilterStateData(const StreamInfo::FilterState& filter_state, const s ProtobufTypes::MessagePtr serialized_proto = state->serializeAsProto(); if (serialized_proto != nullptr) { auto& filter_state_objects = *common_access_log.mutable_filter_state_objects(); - ProtobufWkt::Any& any = filter_state_objects[key]; - if (dynamic_cast(serialized_proto.get()) != nullptr) { - any.Swap(dynamic_cast(serialized_proto.get())); + Protobuf::Any& any = filter_state_objects[key]; + if (dynamic_cast(serialized_proto.get()) != nullptr) { + any.Swap(dynamic_cast(serialized_proto.get())); } else { any.PackFrom(*serialized_proto); } diff --git a/source/extensions/access_loggers/open_telemetry/grpc_access_log_impl.h b/source/extensions/access_loggers/open_telemetry/grpc_access_log_impl.h index 215fb22b3763b..49e102a1bab86 100644 --- a/source/extensions/access_loggers/open_telemetry/grpc_access_log_impl.h +++ b/source/extensions/access_loggers/open_telemetry/grpc_access_log_impl.h @@ -33,7 +33,7 @@ class GrpcAccessLoggerImpl // OpenTelemetry logging uses LogRecord for both HTTP and TCP, so protobuf::Empty is used // as an empty placeholder for the non-used addEntry method. // TODO(itamarkam): Don't cache OpenTelemetry loggers by type (HTTP/TCP). - ProtobufWkt::Empty, opentelemetry::proto::collector::logs::v1::ExportLogsServiceRequest, + Protobuf::Empty, opentelemetry::proto::collector::logs::v1::ExportLogsServiceRequest, opentelemetry::proto::collector::logs::v1::ExportLogsServiceResponse> { public: GrpcAccessLoggerImpl( @@ -88,7 +88,7 @@ class GrpcAccessLoggerImpl // Extensions::AccessLoggers::GrpcCommon::GrpcAccessLogger void addEntry(opentelemetry::proto::logs::v1::LogRecord&& entry) override; // Non used addEntry method (the above is used for both TCP and HTTP). - void addEntry(ProtobufWkt::Empty&& entry) override { (void)entry; }; + void addEntry(Protobuf::Empty&& entry) override { (void)entry; }; bool isEmpty() override; void initMessage() override; void clearMessage() override; diff --git a/source/extensions/access_loggers/wasm/config.h b/source/extensions/access_loggers/wasm/config.h index d85ad871c2299..791d2783ace8d 100644 --- a/source/extensions/access_loggers/wasm/config.h +++ b/source/extensions/access_loggers/wasm/config.h @@ -25,7 +25,7 @@ class WasmAccessLogFactory : public AccessLog::AccessLogInstanceFactory, std::string name() const override; private: - absl::flat_hash_map convertJsonFormatToMap(ProtobufWkt::Struct config); + absl::flat_hash_map convertJsonFormatToMap(Protobuf::Struct config); }; } // namespace Wasm diff --git a/source/extensions/clusters/original_dst/original_dst_cluster.cc b/source/extensions/clusters/original_dst/original_dst_cluster.cc index 60f742af9c718..1886062fe629f 100644 --- a/source/extensions/clusters/original_dst/original_dst_cluster.cc +++ b/source/extensions/clusters/original_dst/original_dst_cluster.cc @@ -156,7 +156,7 @@ OriginalDstCluster::LoadBalancer::metadataOverrideHost(LoadBalancerContext* cont const auto streamInfos = { const_cast(context->requestStreamInfo()), context->downstreamConnection() ? &context->downstreamConnection()->streamInfo() : nullptr}; - const ProtobufWkt::Value* value = nullptr; + const Protobuf::Value* value = nullptr; for (const auto streamInfo : streamInfos) { if (streamInfo == nullptr) { continue; @@ -164,17 +164,17 @@ OriginalDstCluster::LoadBalancer::metadataOverrideHost(LoadBalancerContext* cont const auto& metadata = streamInfo->dynamicMetadata(); value = &Config::Metadata::metadataValue(&metadata, metadata_key_.value()); // Path can refer to a list, in which case we extract the first element. - if (value->kind_case() == ProtobufWkt::Value::kListValue) { + if (value->kind_case() == Protobuf::Value::kListValue) { const auto& values = value->list_value().values(); if (!values.empty()) { value = &(values[0]); } } - if (value->kind_case() == ProtobufWkt::Value::kStringValue) { + if (value->kind_case() == Protobuf::Value::kStringValue) { break; } } - if (value == nullptr || value->kind_case() != ProtobufWkt::Value::kStringValue) { + if (value == nullptr || value->kind_case() != Protobuf::Value::kStringValue) { return nullptr; } const std::string& metadata_override_host = value->string_value(); diff --git a/source/extensions/common/aws/credential_providers/iam_roles_anywhere_credentials_provider.cc b/source/extensions/common/aws/credential_providers/iam_roles_anywhere_credentials_provider.cc index 33e472163c337..c59516cb9ee23 100644 --- a/source/extensions/common/aws/credential_providers/iam_roles_anywhere_credentials_provider.cc +++ b/source/extensions/common/aws/credential_providers/iam_roles_anywhere_credentials_provider.cc @@ -74,7 +74,7 @@ void IAMRolesAnywhereCredentialsProvider::refresh() { message.headers().setPath("/sessions"); message.headers().setContentType("application/json"); - auto json_message = ProtobufWkt::Struct(); + auto json_message = Protobuf::Struct(); auto& fields = *json_message.mutable_fields(); fields["profileArn"].set_string_value(profile_arn_); fields["roleArn"].set_string_value(role_arn_); diff --git a/source/extensions/config/validators/minimum_clusters/config.cc b/source/extensions/config/validators/minimum_clusters/config.cc index de06a18be89cc..3de7f7d123e15 100644 --- a/source/extensions/config/validators/minimum_clusters/config.cc +++ b/source/extensions/config/validators/minimum_clusters/config.cc @@ -12,7 +12,7 @@ namespace Config { namespace Validators { Envoy::Config::ConfigValidatorPtr MinimumClustersValidatorFactory::createConfigValidator( - const ProtobufWkt::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor) { + const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor) { const auto& validator_config = MessageUtil::anyConvertAndValidate< envoy::extensions::config::validators::minimum_clusters::v3::MinimumClustersValidator>( config, validation_visitor); diff --git a/source/extensions/config/validators/minimum_clusters/config.h b/source/extensions/config/validators/minimum_clusters/config.h index b200892b81d6e..1c1019b907313 100644 --- a/source/extensions/config/validators/minimum_clusters/config.h +++ b/source/extensions/config/validators/minimum_clusters/config.h @@ -14,7 +14,7 @@ class MinimumClustersValidatorFactory : public Envoy::Config::ConfigValidatorFac MinimumClustersValidatorFactory() = default; Envoy::Config::ConfigValidatorPtr - createConfigValidator(const ProtobufWkt::Any& config, + createConfigValidator(const Protobuf::Any& config, ProtobufMessage::ValidationVisitor& validation_visitor) override; Envoy::ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/config_subscription/grpc/watch_map.cc b/source/extensions/config_subscription/grpc/watch_map.cc index 439f0000f0675..e762bba72b16e 100644 --- a/source/extensions/config_subscription/grpc/watch_map.cc +++ b/source/extensions/config_subscription/grpc/watch_map.cc @@ -199,7 +199,7 @@ void WatchMap::onConfigUpdate(const std::vector& resources, } } -void WatchMap::onConfigUpdate(const Protobuf::RepeatedPtrField& resources, +void WatchMap::onConfigUpdate(const Protobuf::RepeatedPtrField& resources, const std::string& version_info) { if (watches_.empty()) { return; diff --git a/source/extensions/config_subscription/grpc/watch_map.h b/source/extensions/config_subscription/grpc/watch_map.h index 1f824900c211a..b9481f59a6424 100644 --- a/source/extensions/config_subscription/grpc/watch_map.h +++ b/source/extensions/config_subscription/grpc/watch_map.h @@ -99,7 +99,7 @@ class WatchMap : public UntypedConfigUpdateCallbacks, public Logger::Loggable& resources, + void onConfigUpdate(const Protobuf::RepeatedPtrField& resources, const std::string& version_info) override; void onConfigUpdate(const std::vector& resources, diff --git a/source/extensions/filters/common/expr/cel_state.cc b/source/extensions/filters/common/expr/cel_state.cc index 7a25144b80ede..8672e26ceb884 100644 --- a/source/extensions/filters/common/expr/cel_state.cc +++ b/source/extensions/filters/common/expr/cel_state.cc @@ -40,10 +40,10 @@ CelValue CelState::exprValue(Protobuf::Arena* arena, bool last) const { } ProtobufTypes::MessagePtr CelState::serializeAsProto() const { - auto any = std::make_unique(); + auto any = std::make_unique(); if (type_ != CelStateType::Protobuf) { - ProtobufWkt::BytesValue value; + Protobuf::BytesValue value; value.set_value(value_); any->PackFrom(value); } else { diff --git a/source/extensions/filters/common/expr/context.cc b/source/extensions/filters/common/expr/context.cc index b46de5c899113..9a4d795b8c4c1 100644 --- a/source/extensions/filters/common/expr/context.cc +++ b/source/extensions/filters/common/expr/context.cc @@ -682,11 +682,11 @@ absl::optional FilterStateWrapper::operator[](CelValue key) const { // field support, but callers only want to access the whole object. if (object->hasFieldSupport()) { return CelValue::CreateMap( - ProtobufWkt::Arena::Create(&arena_, object)); + Protobuf::Arena::Create(&arena_, object)); } absl::optional serialized = object->serializeAsString(); if (serialized.has_value()) { - std::string* out = ProtobufWkt::Arena::Create(&arena_, serialized.value()); + std::string* out = Protobuf::Arena::Create(&arena_, serialized.value()); return CelValue::CreateBytes(out); } } diff --git a/source/extensions/filters/common/expr/context.h b/source/extensions/filters/common/expr/context.h index 5f966f1e8d705..0fd9f1a30a901 100644 --- a/source/extensions/filters/common/expr/context.h +++ b/source/extensions/filters/common/expr/context.h @@ -228,7 +228,7 @@ class BaseWrapper : public google::api::expr::runtime::CelMap { } protected: - ProtobufWkt::Arena& arena_; + Protobuf::Arena& arena_; }; class RequestWrapper : public BaseWrapper { diff --git a/source/extensions/filters/common/ext_authz/ext_authz.h b/source/extensions/filters/common/ext_authz/ext_authz.h index 1e8f20b272e0d..4a09ad5dd3a9e 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz.h +++ b/source/extensions/filters/common/ext_authz/ext_authz.h @@ -125,7 +125,7 @@ struct Response { // A set of metadata returned by the authorization server, that will be emitted as filter's // dynamic metadata that other filters can leverage. - ProtobufWkt::Struct dynamic_metadata{}; + Protobuf::Struct dynamic_metadata{}; // The gRPC status returned by the authorization server when it is making a // gRPC call. diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc index 03ddd880e139e..070636df941af 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc @@ -46,7 +46,7 @@ const Response& errorResponse() { {}, EMPTY_STRING, Http::Code::Forbidden, - ProtobufWkt::Struct{}}); + Protobuf::Struct{}}); } // SuccessResponse used for creating either DENIED or OK authorization responses. @@ -366,7 +366,7 @@ ResponsePtr RawHttpClientImpl::toResponse(Http::ResponseMessagePtr message) { {}, EMPTY_STRING, Http::Code::OK, - ProtobufWkt::Struct{}}}; + Protobuf::Struct{}}}; return std::move(ok.response_); } @@ -389,7 +389,7 @@ ResponsePtr RawHttpClientImpl::toResponse(Http::ResponseMessagePtr message) { {}, message->bodyAsString(), static_cast(status_code), - ProtobufWkt::Struct{}}}; + Protobuf::Struct{}}}; return std::move(denied.response_); } diff --git a/source/extensions/filters/common/lua/protobuf_converter.cc b/source/extensions/filters/common/lua/protobuf_converter.cc index 2e28f26580262..aacd6d5a69a1f 100644 --- a/source/extensions/filters/common/lua/protobuf_converter.cc +++ b/source/extensions/filters/common/lua/protobuf_converter.cc @@ -245,7 +245,7 @@ void ProtobufConverterUtils::pushLuaArrayFromRepeatedField( } int ProtobufConverterUtils::processDynamicTypedMetadataFromLuaCall( - lua_State* state, const Protobuf::Map& typed_metadata_map) { + lua_State* state, const Protobuf::Map& typed_metadata_map) { // Get filter name from Lua argument const absl::string_view filter_name = getStringViewFromLuaString(state, 2); @@ -258,8 +258,8 @@ int ProtobufConverterUtils::processDynamicTypedMetadataFromLuaCall( return 1; } - // The typed metadata is stored as a ProtobufWkt::Any - const ProtobufWkt::Any& any_message = it->second; + // The typed metadata is stored as a Protobuf::Any + const Protobuf::Any& any_message = it->second; // Extract the type name from the type URL absl::string_view type_url = any_message.type_url(); diff --git a/source/extensions/filters/common/lua/protobuf_converter.h b/source/extensions/filters/common/lua/protobuf_converter.h index a80827c138df1..83bf2166dd7f4 100644 --- a/source/extensions/filters/common/lua/protobuf_converter.h +++ b/source/extensions/filters/common/lua/protobuf_converter.h @@ -67,7 +67,7 @@ class ProtobufConverterUtils { * Returns nil if metadata is not found or cannot be processed. */ static int processDynamicTypedMetadataFromLuaCall( - lua_State* state, const Protobuf::Map& typed_metadata_map); + lua_State* state, const Protobuf::Map& typed_metadata_map); /** * Push a Lua value onto the stack that represents the value of a field diff --git a/source/extensions/filters/common/lua/wrappers.cc b/source/extensions/filters/common/lua/wrappers.cc index f440b88a71e23..fd43157b5d043 100644 --- a/source/extensions/filters/common/lua/wrappers.cc +++ b/source/extensions/filters/common/lua/wrappers.cc @@ -73,23 +73,23 @@ int BufferWrapper::luaSetBytes(lua_State* state) { return 1; } -void MetadataMapHelper::setValue(lua_State* state, const ProtobufWkt::Value& value) { - ProtobufWkt::Value::KindCase kind = value.kind_case(); +void MetadataMapHelper::setValue(lua_State* state, const Protobuf::Value& value) { + Protobuf::Value::KindCase kind = value.kind_case(); switch (kind) { - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::kNullValue: return lua_pushnil(state); - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: return lua_pushnumber(state, value.number_value()); - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: return lua_pushboolean(state, value.bool_value()); - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: return createTable(state, value.struct_value().fields()); - case ProtobufWkt::Value::kStringValue: { + case Protobuf::Value::kStringValue: { const auto& string_value = value.string_value(); return lua_pushlstring(state, string_value.data(), string_value.size()); } - case ProtobufWkt::Value::kListValue: { + case Protobuf::Value::kListValue: { const auto& list = value.list_value(); const int values_size = list.values_size(); @@ -111,13 +111,13 @@ void MetadataMapHelper::setValue(lua_State* state, const ProtobufWkt::Value& val } return; } - case ProtobufWkt::Value::KIND_NOT_SET: + case Protobuf::Value::KIND_NOT_SET: PANIC("not implemented"); } } void MetadataMapHelper::createTable(lua_State* state, - const Protobuf::Map& fields) { + const Protobuf::Map& fields) { lua_createtable(state, 0, fields.size()); for (const auto& field : fields) { int top = lua_gettop(state); @@ -128,17 +128,17 @@ void MetadataMapHelper::createTable(lua_State* state, } /** - * Converts the value on top of the Lua stack into a ProtobufWkt::Value. + * Converts the value on top of the Lua stack into a Protobuf::Value. * Any Lua types that cannot be directly mapped to Value types will * yield an error. */ -ProtobufWkt::Value MetadataMapHelper::loadValue(lua_State* state) { - ProtobufWkt::Value value; +Protobuf::Value MetadataMapHelper::loadValue(lua_State* state) { + Protobuf::Value value; int type = lua_type(state, -1); switch (type) { case LUA_TNIL: - value.set_null_value(ProtobufWkt::NullValue()); + value.set_null_value(Protobuf::NullValue()); break; case LUA_TNUMBER: value.set_number_value(static_cast(lua_tonumber(state, -1))); @@ -190,8 +190,8 @@ int MetadataMapHelper::tableLength(lua_State* state) { return static_cast(max); } -ProtobufWkt::ListValue MetadataMapHelper::loadList(lua_State* state, int length) { - ProtobufWkt::ListValue list; +Protobuf::ListValue MetadataMapHelper::loadList(lua_State* state, int length) { + Protobuf::ListValue list; for (int i = 1; i <= length; i++) { lua_rawgeti(state, -1, i); @@ -202,8 +202,8 @@ ProtobufWkt::ListValue MetadataMapHelper::loadList(lua_State* state, int length) return list; } -ProtobufWkt::Struct MetadataMapHelper::loadStruct(lua_State* state) { - ProtobufWkt::Struct struct_obj; +Protobuf::Struct MetadataMapHelper::loadStruct(lua_State* state) { + Protobuf::Struct struct_obj; lua_pushnil(state); while (lua_next(state, -2) != 0) { diff --git a/source/extensions/filters/common/lua/wrappers.h b/source/extensions/filters/common/lua/wrappers.h index d474555272794..b644a25ecf6e9 100644 --- a/source/extensions/filters/common/lua/wrappers.h +++ b/source/extensions/filters/common/lua/wrappers.h @@ -53,14 +53,14 @@ class BufferWrapper : public BaseLuaObject { class MetadataMapWrapper; struct MetadataMapHelper { - static void setValue(lua_State* state, const ProtobufWkt::Value& value); + static void setValue(lua_State* state, const Protobuf::Value& value); static void createTable(lua_State* state, - const Protobuf::Map& fields); - static ProtobufWkt::Value loadValue(lua_State* state); + const Protobuf::Map& fields); + static Protobuf::Value loadValue(lua_State* state); private: - static ProtobufWkt::Struct loadStruct(lua_State* state); - static ProtobufWkt::ListValue loadList(lua_State* state, int length); + static Protobuf::Struct loadStruct(lua_State* state); + static Protobuf::ListValue loadList(lua_State* state, int length); static int tableLength(lua_State* state); }; @@ -77,7 +77,7 @@ class MetadataMapIterator : public BaseLuaObject { private: MetadataMapWrapper& parent_; - Protobuf::Map::const_iterator current_; + Protobuf::Map::const_iterator current_; }; /** @@ -85,7 +85,7 @@ class MetadataMapIterator : public BaseLuaObject { */ class MetadataMapWrapper : public BaseLuaObject { public: - MetadataMapWrapper(const ProtobufWkt::Struct& metadata) : metadata_{metadata} {} + MetadataMapWrapper(const Protobuf::Struct& metadata) : metadata_{metadata} {} static ExportedFunctions exportedFunctions() { return {{"get", static_luaGet}, {"__pairs", static_luaPairs}}; @@ -111,7 +111,7 @@ class MetadataMapWrapper : public BaseLuaObject { iterator_.reset(); } - const ProtobufWkt::Struct metadata_; + const Protobuf::Struct metadata_; LuaDeathRef iterator_; friend class MetadataMapIterator; diff --git a/source/extensions/filters/common/ratelimit/ratelimit.h b/source/extensions/filters/common/ratelimit/ratelimit.h index 44a29d13da6ac..3c0dc231f072d 100644 --- a/source/extensions/filters/common/ratelimit/ratelimit.h +++ b/source/extensions/filters/common/ratelimit/ratelimit.h @@ -35,7 +35,7 @@ enum class LimitStatus { using DescriptorStatusList = std::vector; using DescriptorStatusListPtr = std::unique_ptr; -using DynamicMetadataPtr = std::unique_ptr; +using DynamicMetadataPtr = std::unique_ptr; /** * Async callbacks used during limit() calls. diff --git a/source/extensions/filters/common/ratelimit/ratelimit_impl.cc b/source/extensions/filters/common/ratelimit/ratelimit_impl.cc index f5918e33529bb..4a836c600ca98 100644 --- a/source/extensions/filters/common/ratelimit/ratelimit_impl.cc +++ b/source/extensions/filters/common/ratelimit/ratelimit_impl.cc @@ -109,7 +109,7 @@ void GrpcClientImpl::onSuccess( response->statuses().begin(), response->statuses().end()); DynamicMetadataPtr dynamic_metadata = response->has_dynamic_metadata() - ? std::make_unique(response->dynamic_metadata()) + ? std::make_unique(response->dynamic_metadata()) : nullptr; // The rate limit requests applied on stream-done will destroy the client inside the complete // callback, so we release the callback here to make the destructor happy. diff --git a/source/extensions/filters/common/ratelimit_config/ratelimit_config.cc b/source/extensions/filters/common/ratelimit_config/ratelimit_config.cc index fd8e1bdd310a3..7621230463128 100644 --- a/source/extensions/filters/common/ratelimit_config/ratelimit_config.cc +++ b/source/extensions/filters/common/ratelimit_config/ratelimit_config.cc @@ -142,7 +142,7 @@ void RateLimitPolicy::populateDescriptors(const Http::RequestHeaderMap& headers, // Populate hits_addend if set. if (hits_addend_provider_ != nullptr) { - const ProtobufWkt::Value hits_addend_value = + const Protobuf::Value hits_addend_value = hits_addend_provider_->formatValueWithContext({&headers}, stream_info); double hits_addend = 0; diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc index 7c6a272406d91..05f03c4a96fca 100644 --- a/source/extensions/filters/common/rbac/engine_impl.cc +++ b/source/extensions/filters/common/rbac/engine_impl.cc @@ -33,7 +33,7 @@ REGISTER_FACTORY(ActionFactory, Envoy::Matcher::ActionFactory); void generateLog(StreamInfo::StreamInfo& info, EnforcementMode mode, bool log) { // If not shadow enforcement, set shared log metadata. if (mode != EnforcementMode::Shadow) { - ProtobufWkt::Struct log_metadata; + Protobuf::Struct log_metadata; auto& log_fields = *log_metadata.mutable_fields(); log_fields[DynamicMetadataKeysSingleton::get().AccessLogKey].set_bool_value(log); info.setDynamicMetadata(DynamicMetadataKeysSingleton::get().CommonNamespace, log_metadata); diff --git a/source/extensions/filters/http/aws_lambda/aws_lambda_filter.cc b/source/extensions/filters/http/aws_lambda/aws_lambda_filter.cc index e25b196956aa0..4e1b7ef841b1e 100644 --- a/source/extensions/filters/http/aws_lambda/aws_lambda_filter.cc +++ b/source/extensions/filters/http/aws_lambda/aws_lambda_filter.cc @@ -59,7 +59,7 @@ void setLambdaHeaders(Http::RequestHeaderMap& headers, const absl::optional * Determines if the target cluster has the AWS Lambda metadata on it. */ bool isTargetClusterLambdaGateway(Upstream::ClusterInfo const& cluster_info) { - using ProtobufWkt::Value; + using Protobuf::Value; const auto& filter_metadata_map = cluster_info.metadata().filter_metadata(); auto metadata_it = filter_metadata_map.find(filter_metadata_key); if (metadata_it == filter_metadata_map.end()) { diff --git a/source/extensions/filters/http/composite/filter.cc b/source/extensions/filters/http/composite/filter.cc index fd12f0946ecd7..072beefa78da0 100644 --- a/source/extensions/filters/http/composite/filter.cc +++ b/source/extensions/filters/http/composite/filter.cc @@ -30,8 +30,8 @@ template Overloaded(Ts...) -> Overloaded; } // namespace -std::unique_ptr MatchedActionInfo::buildProtoStruct() const { - auto message = std::make_unique(); +std::unique_ptr MatchedActionInfo::buildProtoStruct() const { + auto message = std::make_unique(); auto& fields = *message->mutable_fields(); for (const auto& p : actions_) { fields[p.first] = ValueUtil::stringValue(p.second); diff --git a/source/extensions/filters/http/composite/filter.h b/source/extensions/filters/http/composite/filter.h index 551744416fc5b..3f64e619e8abb 100644 --- a/source/extensions/filters/http/composite/filter.h +++ b/source/extensions/filters/http/composite/filter.h @@ -47,7 +47,7 @@ class MatchedActionInfo : public StreamInfo::FilterState::Object { } private: - std::unique_ptr buildProtoStruct() const; + std::unique_ptr buildProtoStruct() const; absl::flat_hash_map actions_; }; diff --git a/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.cc b/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.cc index a228db503b7b8..1c65019d5747a 100644 --- a/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.cc +++ b/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.cc @@ -56,8 +56,8 @@ std::string statusCodeToString(const Grpc::Status::GrpcStatus status) { } } -ProtobufWkt::Struct convertToStruct(const Error& error) { - ProtobufWkt::Struct obj; +Protobuf::Struct convertToStruct(const Error& error) { + Protobuf::Struct obj; (*obj.mutable_fields())["code"] = ValueUtil::stringValue(statusCodeToString(error.code)); if (!error.message.empty()) { @@ -65,7 +65,7 @@ ProtobufWkt::Struct convertToStruct(const Error& error) { } if (!error.details.empty()) { - auto details_list = std::make_unique(); + auto details_list = std::make_unique(); for (const auto& detail : error.details) { const auto& value = detail.value(); *details_list->add_values() = ValueUtil::structValue(MessageUtil::keyValueStruct({ @@ -74,30 +74,30 @@ ProtobufWkt::Struct convertToStruct(const Error& error) { })); } - ProtobufWkt::Value details_value; + Protobuf::Value details_value; details_value.set_allocated_list_value(details_list.release()); (*obj.mutable_fields())["details"] = details_value; } return obj; } -ProtobufWkt::Struct convertToStruct(const EndStreamResponse& response) { - ProtobufWkt::Struct obj; +Protobuf::Struct convertToStruct(const EndStreamResponse& response) { + Protobuf::Struct obj; if (response.error.has_value()) { (*obj.mutable_fields())["error"] = ValueUtil::structValue(convertToStruct(*response.error)); } if (!response.metadata.empty()) { - ProtobufWkt::Struct metadata_obj; + Protobuf::Struct metadata_obj; for (const auto& [name, values] : response.metadata) { - auto values_list = std::make_unique(); + auto values_list = std::make_unique(); for (const auto& value : values) { *values_list->add_values() = ValueUtil::stringValue(value); } - ProtobufWkt::Value values_value; + Protobuf::Value values_value; values_value.set_allocated_list_value(values_list.release()); (*metadata_obj.mutable_fields())[name] = values_value; } @@ -110,12 +110,12 @@ ProtobufWkt::Struct convertToStruct(const EndStreamResponse& response) { } // namespace bool serializeJson(const Error& error, std::string& out) { - ProtobufWkt::Struct message = convertToStruct(error); + Protobuf::Struct message = convertToStruct(error); return Protobuf::util::MessageToJsonString(message, &out).ok(); } bool serializeJson(const EndStreamResponse& response, std::string& out) { - ProtobufWkt::Struct message = convertToStruct(response); + Protobuf::Struct message = convertToStruct(response); return Protobuf::util::MessageToJsonString(message, &out).ok(); } diff --git a/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.h b/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.h index 7a0600fc7bee5..d5f27a12d0bbb 100644 --- a/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.h +++ b/source/extensions/filters/http/connect_grpc_bridge/end_stream_response.h @@ -19,7 +19,7 @@ namespace ConnectGrpcBridge { struct Error { Grpc::Status::GrpcStatus code; std::string message; - std::vector details; + std::vector details; }; struct EndStreamResponse { diff --git a/source/extensions/filters/http/custom_response/policy.h b/source/extensions/filters/http/custom_response/policy.h index 8a18f647ea2e3..c45f214a3e0e1 100644 --- a/source/extensions/filters/http/custom_response/policy.h +++ b/source/extensions/filters/http/custom_response/policy.h @@ -20,7 +20,7 @@ class CustomResponseFilter; // Base class for custom response policies. class Policy : public std::enable_shared_from_this, - public Matcher::ActionBase { + public Matcher::ActionBase { public: virtual Http::FilterHeadersStatus encodeHeaders(Http::ResponseHeaderMap&, bool, CustomResponseFilter&) const PURE; diff --git a/source/extensions/filters/http/dynamic_modules/abi_impl.cc b/source/extensions/filters/http/dynamic_modules/abi_impl.cc index 70f2b0a9770e7..9aaecb4db7871 100644 --- a/source/extensions/filters/http/dynamic_modules/abi_impl.cc +++ b/source/extensions/filters/http/dynamic_modules/abi_impl.cc @@ -283,7 +283,7 @@ void envoy_dynamic_module_callback_http_send_response( * each variant differs in the returned type of the metadata. For example, route metadata will * return OptRef vs upstream host metadata will return a shared pointer. */ -const ProtobufWkt::Struct* +const Protobuf::Struct* getMetadataNamespaceImpl(const envoy::config::core::v3::Metadata& metadata, envoy_dynamic_module_type_buffer_module_ptr namespace_ptr, size_t namespace_length) { @@ -306,7 +306,7 @@ getMetadataNamespaceImpl(const envoy::config::core::v3::Metadata& metadata, * @param namespace_length is the length of the namespace. * @return the metadata namespace if it exists, nullptr otherwise. */ -const ProtobufWkt::Struct* +const Protobuf::Struct* getMetadataNamespace(envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, envoy_dynamic_module_type_metadata_source metadata_source, envoy_dynamic_module_type_buffer_module_ptr namespace_ptr, @@ -379,7 +379,7 @@ getMetadataNamespace(envoy_dynamic_module_type_http_filter_envoy_ptr filter_envo * @param namespace_length is the length of the namespace. * @return the metadata namespace if it exists, nullptr otherwise. */ -ProtobufWkt::Struct* +Protobuf::Struct* getDynamicMetadataNamespace(envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, envoy_dynamic_module_type_buffer_module_ptr namespace_ptr, size_t namespace_length) { @@ -394,7 +394,7 @@ getDynamicMetadataNamespace(envoy_dynamic_module_type_http_filter_envoy_ptr filt absl::string_view namespace_view(static_cast(namespace_ptr), namespace_length); auto metadata_namespace = metadata->find(namespace_view); if (metadata_namespace == metadata->end()) { - metadata_namespace = metadata->emplace(namespace_view, ProtobufWkt::Struct{}).first; + metadata_namespace = metadata->emplace(namespace_view, Protobuf::Struct{}).first; } return &metadata_namespace->second; } @@ -410,7 +410,7 @@ getDynamicMetadataNamespace(envoy_dynamic_module_type_http_filter_envoy_ptr filt * @param key_length is the length of the key. * @return the metadata value if it exists, nullptr otherwise. */ -const ProtobufWkt::Value* +const Protobuf::Value* getMetadataValue(envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, envoy_dynamic_module_type_metadata_source metadata_source, envoy_dynamic_module_type_buffer_module_ptr namespace_ptr, size_t namespace_length, @@ -441,7 +441,7 @@ bool envoy_dynamic_module_callback_http_set_dynamic_metadata_number( return false; } absl::string_view key_view(static_cast(key_ptr), key_length); - ProtobufWkt::Struct metadata_value; + Protobuf::Struct metadata_value; (*metadata_value.mutable_fields())[key_view].set_number_value(value); metadata_namespace->MergeFrom(metadata_value); return true; @@ -481,7 +481,7 @@ bool envoy_dynamic_module_callback_http_set_dynamic_metadata_string( } absl::string_view key_view(static_cast(key_ptr), key_length); absl::string_view value_view(static_cast(value_ptr), value_length); - ProtobufWkt::Struct metadata_value; + Protobuf::Struct metadata_value; (*metadata_value.mutable_fields())[key_view].set_string_value(value_view); metadata_namespace->MergeFrom(metadata_value); return true; diff --git a/source/extensions/filters/http/ext_authz/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc index 87f25714d7151..9efd5b6fc36f6 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/ext_authz.cc @@ -488,7 +488,7 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) { } else { // Add duration of call to dynamic metadata if applicable if (start_time_.has_value() && response->status == CheckStatus::OK) { - ProtobufWkt::Value ext_authz_duration_value; + Protobuf::Value ext_authz_duration_value; auto duration = decoder_callbacks_->dispatcher().timeSource().monotonicTime() - start_time_.value(); ext_authz_duration_value.set_number_value( diff --git a/source/extensions/filters/http/ext_authz/ext_authz.h b/source/extensions/filters/http/ext_authz/ext_authz.h index b1c37426d4a92..3f309b97c6d2e 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.h +++ b/source/extensions/filters/http/ext_authz/ext_authz.h @@ -54,10 +54,10 @@ struct ExtAuthzFilterStats { class ExtAuthzLoggingInfo : public Envoy::StreamInfo::FilterState::Object { public: - explicit ExtAuthzLoggingInfo(const absl::optional filter_metadata) + explicit ExtAuthzLoggingInfo(const absl::optional filter_metadata) : filter_metadata_(filter_metadata) {} - const absl::optional& filterMetadata() const { return filter_metadata_; } + const absl::optional& filterMetadata() const { return filter_metadata_; } absl::optional latency() const { return latency_; }; absl::optional bytesSent() const { return bytes_sent_; } absl::optional bytesReceived() const { return bytes_received_; } @@ -99,7 +99,7 @@ class ExtAuthzLoggingInfo : public Envoy::StreamInfo::FilterState::Object { void clearUpstreamHost() { upstream_host_ = nullptr; } private: - const absl::optional filter_metadata_; + const absl::optional filter_metadata_; absl::optional latency_; // The following stats are populated for ext_authz filters using Envoy gRPC only. absl::optional bytes_sent_; @@ -198,7 +198,7 @@ class FilterConfig { bool includeTLSSession() const { return include_tls_session_; } const LabelsMap& destinationLabels() const { return destination_labels_; } - const absl::optional& filterMetadata() const { return filter_metadata_; } + const absl::optional& filterMetadata() const { return filter_metadata_; } bool emitFilterStateStats() const { return emit_filter_state_stats_; } @@ -252,7 +252,7 @@ class FilterConfig { Runtime::Loader& runtime_; Http::Context& http_context_; LabelsMap destination_labels_; - const absl::optional filter_metadata_; + const absl::optional filter_metadata_; const bool emit_filter_state_stats_; const absl::optional filter_enabled_; diff --git a/source/extensions/filters/http/ext_proc/ext_proc.cc b/source/extensions/filters/http/ext_proc/ext_proc.cc index dcad82a88a002..0af5ec63b1573 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.cc +++ b/source/extensions/filters/http/ext_proc/ext_proc.cc @@ -326,7 +326,7 @@ ExtProcLoggingInfo::grpcCalls(envoy::config::core::v3::TrafficDirection traffic_ } ProtobufTypes::MessagePtr ExtProcLoggingInfo::serializeAsProto() const { - auto struct_msg = std::make_unique(); + auto struct_msg = std::make_unique(); if (decoding_processor_grpc_calls_.header_stats_) { (*struct_msg->mutable_fields())[RequestHeaderLatencyUsField].set_number_value( @@ -1311,7 +1311,7 @@ void Filter::logStreamInfo() { } } -void Filter::onNewTimeout(const ProtobufWkt::Duration& override_message_timeout) { +void Filter::onNewTimeout(const Protobuf::Duration& override_message_timeout) { const auto result = DurationUtil::durationToMillisecondsNoThrow(override_message_timeout); if (!result.ok()) { ENVOY_STREAM_LOG(warn, diff --git a/source/extensions/filters/http/ext_proc/ext_proc.h b/source/extensions/filters/http/ext_proc/ext_proc.h index 1f99582cac485..a739993186816 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.h +++ b/source/extensions/filters/http/ext_proc/ext_proc.h @@ -58,7 +58,7 @@ struct ExtProcFilterStats { class ExtProcLoggingInfo : public Envoy::StreamInfo::FilterState::Object { public: - explicit ExtProcLoggingInfo(const Envoy::ProtobufWkt::Struct& filter_metadata) + explicit ExtProcLoggingInfo(const Envoy::Protobuf::Struct& filter_metadata) : filter_metadata_(filter_metadata) {} // gRPC call stats for headers and trailers. @@ -120,7 +120,7 @@ class ExtProcLoggingInfo : public Envoy::StreamInfo::FilterState::Object { Upstream::ClusterInfoConstSharedPtr clusterInfo() const { return cluster_info_; } Upstream::HostDescriptionConstSharedPtr upstreamHost() const { return upstream_host_; } const GrpcCalls& grpcCalls(envoy::config::core::v3::TrafficDirection traffic_direction) const; - const Envoy::ProtobufWkt::Struct& filterMetadata() const { return filter_metadata_; } + const Envoy::Protobuf::Struct& filterMetadata() const { return filter_metadata_; } const std::string& httpResponseCodeDetails() const { return http_response_code_details_; } ProtobufTypes::MessagePtr serializeAsProto() const override; @@ -135,7 +135,7 @@ class ExtProcLoggingInfo : public Envoy::StreamInfo::FilterState::Object { GrpcCalls& grpcCalls(envoy::config::core::v3::TrafficDirection traffic_direction); GrpcCalls decoding_processor_grpc_calls_; GrpcCalls encoding_processor_grpc_calls_; - const Envoy::ProtobufWkt::Struct filter_metadata_; + const Envoy::Protobuf::Struct filter_metadata_; // The following stats are populated for ext_proc filters using Envoy gRPC only. // The bytes sent and received are for the entire stream. uint64_t bytes_sent_{0}, bytes_received_{0}; @@ -264,7 +264,7 @@ class FilterConfig { return disallowed_headers_; } - const ProtobufWkt::Struct& filterMetadata() const { return filter_metadata_; } + const Protobuf::Struct& filterMetadata() const { return filter_metadata_; } const ExpressionManager& expressionManager() const { return expression_manager_; } @@ -327,7 +327,7 @@ class FilterConfig { ExtProcFilterStats stats_; const envoy::extensions::filters::http::ext_proc::v3::ProcessingMode processing_mode_; const Filters::Common::MutationRules::Checker mutation_checker_; - const ProtobufWkt::Struct filter_metadata_; + const Protobuf::Struct filter_metadata_; // If set to true, allow the processing mode to be modified by the ext_proc response. const bool allow_mode_override_; // If set to true, disable the immediate response from the ext_proc server, which means @@ -475,7 +475,7 @@ class Filter : public Logger::Loggable, void logStreamInfo() override; void onMessageTimeout(); - void onNewTimeout(const ProtobufWkt::Duration& override_message_timeout); + void onNewTimeout(const Protobuf::Duration& override_message_timeout); envoy::service::ext_proc::v3::ProcessingRequest setupBodyChunk(ProcessorState& state, const Buffer::Instance& data, bool end_stream); diff --git a/source/extensions/filters/http/ext_proc/matching_utils.cc b/source/extensions/filters/http/ext_proc/matching_utils.cc index 6fb1020322e86..a4dfe31e92fdb 100644 --- a/source/extensions/filters/http/ext_proc/matching_utils.cc +++ b/source/extensions/filters/http/ext_proc/matching_utils.cc @@ -42,18 +42,18 @@ ExpressionManager::initExpressions(const Protobuf::RepeatedPtrField return expressions; } -ProtobufWkt::Struct +Protobuf::Struct ExpressionManager::evaluateAttributes(const Filters::Common::Expr::Activation& activation, const absl::flat_hash_map& expr) { - ProtobufWkt::Struct proto; + Protobuf::Struct proto; if (expr.empty()) { return proto; } for (const auto& hash_entry : expr) { - ProtobufWkt::Arena arena; + Protobuf::Arena arena; const auto result = hash_entry.second.compiled_expr_->Evaluate(activation, &arena); if (!result.ok()) { // TODO: Stats? @@ -84,7 +84,7 @@ ExpressionManager::evaluateAttributes(const Filters::Common::Expr::Activation& a // Handling all value types here would be graceful but is not currently // testable and drives down coverage %. This is not a _great_ reason to // not do it; will get feedback from reviewers. - ProtobufWkt::Value value; + Protobuf::Value value; switch (result.value().type()) { case google::api::expr::runtime::CelValue::Type::kBool: value.set_bool_value(result.value().BoolOrDie()); diff --git a/source/extensions/filters/http/ext_proc/matching_utils.h b/source/extensions/filters/http/ext_proc/matching_utils.h index eeadbc4f9dc86..87e20360771aa 100644 --- a/source/extensions/filters/http/ext_proc/matching_utils.h +++ b/source/extensions/filters/http/ext_proc/matching_utils.h @@ -31,17 +31,17 @@ class ExpressionManager : public Logger::Loggable { bool hasResponseExpr() const { return !response_expr_.empty(); }; - ProtobufWkt::Struct + Protobuf::Struct evaluateRequestAttributes(const Filters::Common::Expr::Activation& activation) const { return evaluateAttributes(activation, request_expr_); } - ProtobufWkt::Struct + Protobuf::Struct evaluateResponseAttributes(const Filters::Common::Expr::Activation& activation) const { return evaluateAttributes(activation, response_expr_); } - static ProtobufWkt::Struct + static Protobuf::Struct evaluateAttributes(const Filters::Common::Expr::Activation& activation, const absl::flat_hash_map& expr); diff --git a/source/extensions/filters/http/ext_proc/processor_state.h b/source/extensions/filters/http/ext_proc/processor_state.h index 26fb4786cf961..fde56c016a7ce 100644 --- a/source/extensions/filters/http/ext_proc/processor_state.h +++ b/source/extensions/filters/http/ext_proc/processor_state.h @@ -225,7 +225,7 @@ class ProcessorState : public Logger::Loggable { void setSentAttributes(bool sent) { attributes_sent_ = sent; } - virtual ProtobufWkt::Struct + virtual Protobuf::Struct evaluateAttributes(const ExpressionManager& mgr, const Filters::Common::Expr::Activation& activation) const PURE; @@ -502,7 +502,7 @@ class DecodingProcessorState : public ProcessorState { } const Http::RequestOrResponseHeaderMap* responseHeaders() const override { return nullptr; } - ProtobufWkt::Struct + Protobuf::Struct evaluateAttributes(const ExpressionManager& mgr, const Filters::Common::Expr::Activation& activation) const override { return mgr.evaluateRequestAttributes(activation); @@ -594,7 +594,7 @@ class EncodingProcessorState : public ProcessorState { const Http::RequestOrResponseHeaderMap* responseHeaders() const override { return headers_; } - ProtobufWkt::Struct + Protobuf::Struct evaluateAttributes(const ExpressionManager& mgr, const Filters::Common::Expr::Activation& activation) const override { return mgr.evaluateResponseAttributes(activation); diff --git a/source/extensions/filters/http/fault/fault_filter.h b/source/extensions/filters/http/fault/fault_filter.h index a17538fa0d7ae..1189682daa5d9 100644 --- a/source/extensions/filters/http/fault/fault_filter.h +++ b/source/extensions/filters/http/fault/fault_filter.h @@ -77,7 +77,7 @@ class FaultSettings : public Router::RouteSpecificFilterConfig { return response_rate_limit_percent_runtime_; } bool disableDownstreamClusterStats() const { return disable_downstream_cluster_stats_; } - const Envoy::ProtobufWkt::Struct& filterMetadata() const { return filter_metadata_; } + const Envoy::Protobuf::Struct& filterMetadata() const { return filter_metadata_; } private: class RuntimeKeyValues { @@ -111,7 +111,7 @@ class FaultSettings : public Router::RouteSpecificFilterConfig { const std::string response_rate_limit_percent_runtime_; const bool disable_downstream_cluster_stats_; - const Envoy::ProtobufWkt::Struct filter_metadata_; + const Envoy::Protobuf::Struct filter_metadata_; }; /** diff --git a/source/extensions/filters/http/grpc_field_extraction/extractor.h b/source/extensions/filters/http/grpc_field_extraction/extractor.h index d321b3651ec4f..f601833f81d11 100644 --- a/source/extensions/filters/http/grpc_field_extraction/extractor.h +++ b/source/extensions/filters/http/grpc_field_extraction/extractor.h @@ -25,7 +25,7 @@ struct RequestField { absl::string_view path; // The request field value. - ProtobufWkt::Value value; + Protobuf::Value value; }; using ExtractionResult = std::vector; diff --git a/source/extensions/filters/http/grpc_field_extraction/extractor_impl.cc b/source/extensions/filters/http/grpc_field_extraction/extractor_impl.cc index 6b78d6bd29d72..95d95d647d21d 100644 --- a/source/extensions/filters/http/grpc_field_extraction/extractor_impl.cc +++ b/source/extensions/filters/http/grpc_field_extraction/extractor_impl.cc @@ -48,7 +48,7 @@ ExtractorImpl::processRequest(Protobuf::field_extraction::MessageData& message) ExtractionResult result; for (const auto& it : per_field_extractors_) { - absl::StatusOr extracted_value = it.second->ExtractValue(message); + absl::StatusOr extracted_value = it.second->ExtractValue(message); if (!extracted_value.ok()) { return extracted_value.status(); } diff --git a/source/extensions/filters/http/grpc_field_extraction/filter.cc b/source/extensions/filters/http/grpc_field_extraction/filter.cc index 7ae1fb12f326b..813a23138c830 100644 --- a/source/extensions/filters/http/grpc_field_extraction/filter.cc +++ b/source/extensions/filters/http/grpc_field_extraction/filter.cc @@ -211,7 +211,7 @@ Filter::HandleDecodeDataStatus Filter::handleDecodeData(Envoy::Buffer::Instance& void Filter::handleExtractionResult(const ExtractionResult& result) { RELEASE_ASSERT(extractor_, "`extractor_ should be inited when extracting fields"); - ProtobufWkt::Struct dest_metadata; + Protobuf::Struct dest_metadata; for (const auto& req_field : result) { RELEASE_ASSERT(!req_field.path.empty(), "`req_field.path` shouldn't be empty"); (*dest_metadata.mutable_fields())[req_field.path] = req_field.value; diff --git a/source/extensions/filters/http/grpc_json_reverse_transcoder/filter_config.cc b/source/extensions/filters/http/grpc_json_reverse_transcoder/filter_config.cc index 600d97b1bce2c..3b1bafbb9cde7 100644 --- a/source/extensions/filters/http/grpc_json_reverse_transcoder/filter_config.cc +++ b/source/extensions/filters/http/grpc_json_reverse_transcoder/filter_config.cc @@ -123,15 +123,15 @@ bool GrpcJsonReverseTranscoderConfig::IsRequestNestedHttpBody( if (http_request_body_field.empty() || http_request_body_field == "*") { return false; } - const ProtobufWkt::Type* request_type = type_helper_->Info()->GetTypeByTypeUrl(request_type_url); - std::vector request_body_field_path; + const Protobuf::Type* request_type = type_helper_->Info()->GetTypeByTypeUrl(request_type_url); + std::vector request_body_field_path; absl::Status status = type_helper_->ResolveFieldPath(*request_type, http_request_body_field, &request_body_field_path); if (!status.ok() || request_body_field_path.empty()) { ENVOY_LOG(error, "Failed to resolve the request type: {}", request_type_url); return false; } - const ProtobufWkt::Type* request_body_type = + const Protobuf::Type* request_body_type = type_helper_->Info()->GetTypeByTypeUrl(request_body_field_path.back()->type_url()); return request_body_type != nullptr && diff --git a/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.cc b/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.cc index 58ef86e3591ff..16f4f6999507f 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.cc +++ b/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.cc @@ -20,7 +20,7 @@ namespace { constexpr uint32_t ProtobufLengthDelimitedField = 2; bool parseMessageByFieldPath(CodedInputStream* input, - absl::Span field_path, + absl::Span field_path, Protobuf::Message* message) { if (field_path.empty()) { return message->MergeFromCodedStream(input); @@ -52,9 +52,9 @@ bool parseMessageByFieldPath(CodedInputStream* input, } } // namespace -bool HttpBodyUtils::parseMessageByFieldPath( - ZeroCopyInputStream* stream, const std::vector& field_path, - Protobuf::Message* message) { +bool HttpBodyUtils::parseMessageByFieldPath(ZeroCopyInputStream* stream, + const std::vector& field_path, + Protobuf::Message* message) { CodedInputStream input(stream); input.SetRecursionLimit(field_path.size()); @@ -63,7 +63,7 @@ bool HttpBodyUtils::parseMessageByFieldPath( } void HttpBodyUtils::appendHttpBodyEnvelope( - Buffer::Instance& output, const std::vector& request_body_field_path, + Buffer::Instance& output, const std::vector& request_body_field_path, std::string content_type, uint64_t content_length, const UnknownQueryParams& unknown_params) { // Manually encode the protobuf envelope for the body. // See https://developers.google.com/protocol-buffers/docs/encoding#embedded for wire format. @@ -88,7 +88,7 @@ void HttpBodyUtils::appendHttpBodyEnvelope( std::vector message_sizes; message_sizes.reserve(request_body_field_path.size()); for (auto it = request_body_field_path.rbegin(); it != request_body_field_path.rend(); ++it) { - const ProtobufWkt::Field* field = *it; + const Protobuf::Field* field = *it; const uint64_t message_size = envelope_size + content_length; const uint32_t field_number = (field->number() << 3) | ProtobufLengthDelimitedField; const uint64_t field_size = CodedOutputStream::VarintSize32(field_number) + @@ -105,7 +105,7 @@ void HttpBodyUtils::appendHttpBodyEnvelope( // Serialize body field definition manually to avoid the copy of the body. for (size_t i = 0; i < request_body_field_path.size(); ++i) { - const ProtobufWkt::Field* field = request_body_field_path[i]; + const Protobuf::Field* field = request_body_field_path[i]; const uint32_t field_number = (field->number() << 3) | ProtobufLengthDelimitedField; const uint64_t message_size = message_sizes[i]; coded_stream.WriteTag(field_number); diff --git a/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.h b/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.h index 37b550bde77a2..b75c2af785397 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.h +++ b/source/extensions/filters/http/grpc_json_transcoder/http_body_utils.h @@ -15,11 +15,10 @@ namespace GrpcJsonTranscoder { class HttpBodyUtils { public: static bool parseMessageByFieldPath(Protobuf::io::ZeroCopyInputStream* stream, - const std::vector& field_path, + const std::vector& field_path, Protobuf::Message* message); static void appendHttpBodyEnvelope( - Buffer::Instance& output, - const std::vector& request_body_field_path, + Buffer::Instance& output, const std::vector& request_body_field_path, std::string content_type, uint64_t content_length, const envoy::extensions::filters::http::grpc_json_transcoder::v3::UnknownQueryParams& unknown_params); diff --git a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc index b4518fdac48fd..17b658c123ecc 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc +++ b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc @@ -269,9 +269,9 @@ void JsonTranscoderConfig::addBuiltinSymbolDescriptor(const std::string& symbol_ Status JsonTranscoderConfig::resolveField(const Protobuf::Descriptor* descriptor, const std::string& field_path_str, - std::vector* field_path, + std::vector* field_path, bool* is_http_body) { - const ProtobufWkt::Type* message_type = + const Protobuf::Type* message_type = type_helper_->Info()->GetTypeByTypeUrl(Grpc::Common::typeUrl(descriptor->full_name())); if (message_type == nullptr) { return {StatusCode::kNotFound, @@ -287,7 +287,7 @@ Status JsonTranscoderConfig::resolveField(const Protobuf::Descriptor* descriptor if (field_path->empty()) { *is_http_body = descriptor->full_name() == google::api::HttpBody::descriptor()->full_name(); } else { - const ProtobufWkt::Type* body_type = + const Protobuf::Type* body_type = type_helper_->Info()->GetTypeByTypeUrl(field_path->back()->type_url()); *is_http_body = body_type != nullptr && body_type->name() == google::api::HttpBody::descriptor()->full_name(); diff --git a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h index 6871171d38a21..c833e4965546f 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h +++ b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h @@ -27,8 +27,8 @@ namespace GrpcJsonTranscoder { struct MethodInfo { const Protobuf::MethodDescriptor* descriptor_ = nullptr; - std::vector request_body_field_path; - std::vector response_body_field_path; + std::vector request_body_field_path; + std::vector response_body_field_path; bool request_type_is_http_body_ = false; bool response_type_is_http_body_ = false; }; @@ -113,7 +113,7 @@ class JsonTranscoderConfig : public Logger::Loggable, void addFileDescriptor(const Protobuf::FileDescriptorProto& file); absl::Status resolveField(const Protobuf::Descriptor* descriptor, const std::string& field_path_str, - std::vector* field_path, bool* is_http_body); + std::vector* field_path, bool* is_http_body); absl::Status createMethodInfo(const Protobuf::MethodDescriptor* descriptor, const google::api::HttpRule& http_rule, MethodInfoSharedPtr& method_info); diff --git a/source/extensions/filters/http/grpc_stats/response_frame_counter.cc b/source/extensions/filters/http/grpc_stats/response_frame_counter.cc index 1c5dd742e572a..5a7a7b686a40a 100644 --- a/source/extensions/filters/http/grpc_stats/response_frame_counter.cc +++ b/source/extensions/filters/http/grpc_stats/response_frame_counter.cc @@ -53,7 +53,7 @@ void ResponseFrameCounter::frameDataEnd() { ASSERT(connect_eos_buffer_ != nullptr); bool has_unknown_field; - ProtobufWkt::Struct message; + Protobuf::Struct message; auto status = MessageUtil::loadFromJsonNoThrow(connect_eos_buffer_->toString(), message, has_unknown_field); if (!has_unknown_field && !status.ok()) { diff --git a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc index 041dc18e65516..784448dca965b 100644 --- a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc +++ b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.cc @@ -247,7 +247,7 @@ void HeaderToMetadataFilter::setEncoderFilterCallbacks( bool HeaderToMetadataFilter::addMetadata(StructMap& struct_map, const std::string& meta_namespace, const std::string& key, std::string value, ValueType type, ValueEncode encode, HeaderDirection direction) const { - ProtobufWkt::Value val; + Protobuf::Value val; const auto* config = getConfig(); ASSERT(!value.empty()); diff --git a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h index b9eba7aed8c65..3c62dabdfac0c 100644 --- a/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h +++ b/source/extensions/filters/http/header_to_metadata/header_to_metadata_filter.h @@ -234,7 +234,7 @@ class HeaderToMetadataFilter : public Http::StreamFilter, private: friend class HeaderToMetadataTest; - using StructMap = std::map; + using StructMap = std::map; const ConfigSharedPtr config_; mutable const Config* effective_config_{nullptr}; diff --git a/source/extensions/filters/http/json_to_metadata/filter.cc b/source/extensions/filters/http/json_to_metadata/filter.cc index ede9136ee630c..3a61fa1811f61 100644 --- a/source/extensions/filters/http/json_to_metadata/filter.cc +++ b/source/extensions/filters/http/json_to_metadata/filter.cc @@ -35,27 +35,27 @@ struct JsonValueToDoubleConverter { }; struct JsonValueToProtobufValueConverter { - absl::StatusOr operator()(bool&& val) { - ProtobufWkt::Value protobuf_value; + absl::StatusOr operator()(bool&& val) { + Protobuf::Value protobuf_value; protobuf_value.set_bool_value(val); return protobuf_value; } - absl::StatusOr operator()(int64_t&& val) { - ProtobufWkt::Value protobuf_value; + absl::StatusOr operator()(int64_t&& val) { + Protobuf::Value protobuf_value; protobuf_value.set_number_value(val); return protobuf_value; } - absl::StatusOr operator()(double&& val) { - ProtobufWkt::Value protobuf_value; + absl::StatusOr operator()(double&& val) { + Protobuf::Value protobuf_value; protobuf_value.set_number_value(val); return protobuf_value; } - absl::StatusOr operator()(std::string&& val) { + absl::StatusOr operator()(std::string&& val) { if (val.size() > MAX_PAYLOAD_VALUE_LEN) { return absl::InternalError( fmt::format("metadata value is too long. value.length: {}", val.size())); } - ProtobufWkt::Value protobuf_value; + Protobuf::Value protobuf_value; protobuf_value.set_string_value(std::move(val)); return protobuf_value; } @@ -171,20 +171,20 @@ void Filter::applyKeyValue(const std::string& value, const KeyValuePair& keyval, StructMap& struct_map, Http::StreamFilterCallbacks& filter_callback) { ASSERT(!value.empty()); - ProtobufWkt::Value val; + Protobuf::Value val; val.set_string_value(value); applyKeyValue(std::move(val), keyval, struct_map, filter_callback); } void Filter::applyKeyValue(double value, const KeyValuePair& keyval, StructMap& struct_map, Http::StreamFilterCallbacks& filter_callback) { - ProtobufWkt::Value val; + Protobuf::Value val; val.set_number_value(value); applyKeyValue(std::move(val), keyval, struct_map, filter_callback); } -void Filter::applyKeyValue(ProtobufWkt::Value value, const KeyValuePair& keyval, - StructMap& struct_map, Http::StreamFilterCallbacks& filter_callback) { +void Filter::applyKeyValue(Protobuf::Value value, const KeyValuePair& keyval, StructMap& struct_map, + Http::StreamFilterCallbacks& filter_callback) { const auto& nspace = decideNamespace(keyval.metadata_namespace()); addMetadata(nspace, keyval.key(), std::move(value), keyval.preserve_existing_metadata_value(), struct_map, filter_callback); @@ -195,7 +195,7 @@ const std::string& Filter::decideNamespace(const std::string& nspace) const { } bool Filter::addMetadata(const std::string& meta_namespace, const std::string& key, - ProtobufWkt::Value val, const bool preserve_existing_metadata_value, + Protobuf::Value val, const bool preserve_existing_metadata_value, StructMap& struct_map, Http::StreamFilterCallbacks& filter_callback) { if (preserve_existing_metadata_value) { diff --git a/source/extensions/filters/http/json_to_metadata/filter.h b/source/extensions/filters/http/json_to_metadata/filter.h index 690276a70f648..60491c093f398 100644 --- a/source/extensions/filters/http/json_to_metadata/filter.h +++ b/source/extensions/filters/http/json_to_metadata/filter.h @@ -106,7 +106,7 @@ class Filter : public Http::PassThroughFilter, Logger::Loggable; + using StructMap = absl::flat_hash_map; // Handle on_missing case of the `rule` and store in `struct_map`. void handleOnMissing(const Rule& rule, StructMap& struct_map, Http::StreamFilterCallbacks& filter_callback); @@ -132,14 +132,14 @@ class Filter : public Http::PassThroughFilter, Logger::Loggable, void handleGoodJwt(bool cache_hit); // Normalize and set the payload metadata. - void setPayloadMetadata(const ProtobufWkt::Struct& jwt_payload); + void setPayloadMetadata(const Protobuf::Struct& jwt_payload); // Calls the callback with status. void doneWithStatus(const Status& status); @@ -333,23 +333,23 @@ void AuthenticatorImpl::verifyKey() { bool AuthenticatorImpl::addJWTClaimToHeader(const std::string& claim_name, const std::string& header_name) { StructUtils payload_getter(jwt_->payload_pb_); - const ProtobufWkt::Value* claim_value; + const Protobuf::Value* claim_value; const auto status = payload_getter.GetValue(claim_name, claim_value); std::string str_claim_value; if (status == StructUtils::OK) { switch (claim_value->kind_case()) { - case Envoy::ProtobufWkt::Value::kStringValue: + case Envoy::Protobuf::Value::kStringValue: str_claim_value = claim_value->string_value(); break; - case Envoy::ProtobufWkt::Value::kNumberValue: + case Envoy::Protobuf::Value::kNumberValue: str_claim_value = convertClaimDoubleToString(claim_value->number_value()); break; - case Envoy::ProtobufWkt::Value::kBoolValue: + case Envoy::Protobuf::Value::kBoolValue: str_claim_value = claim_value->bool_value() ? "true" : "false"; break; - case Envoy::ProtobufWkt::Value::kStructValue: + case Envoy::Protobuf::Value::kStructValue: ABSL_FALLTHROUGH_INTENDED; - case Envoy::ProtobufWkt::Value::kListValue: { + case Envoy::Protobuf::Value::kListValue: { std::string output; auto status = claim_value->has_struct_value() ? ProtobufUtil::MessageToJsonString(claim_value->struct_value(), &output) @@ -422,14 +422,14 @@ void AuthenticatorImpl::handleGoodJwt(bool cache_hit) { doneWithStatus(Status::Ok); } -void AuthenticatorImpl::setPayloadMetadata(const ProtobufWkt::Struct& jwt_payload) { +void AuthenticatorImpl::setPayloadMetadata(const Protobuf::Struct& jwt_payload) { const auto& provider = jwks_data_->getJwtProvider(); const auto& normalize = provider.normalize_payload_in_metadata(); if (normalize.space_delimited_claims().empty()) { set_extracted_jwt_data_cb_(provider.payload_in_metadata(), jwt_payload); } // Make a temporary copy to normalize the JWT struct. - ProtobufWkt::Struct out_payload = jwt_payload; + Protobuf::Struct out_payload = jwt_payload; for (const auto& claim : normalize.space_delimited_claims()) { const auto& it = jwt_payload.fields().find(claim); if (it != jwt_payload.fields().end() && it->second.has_string_value()) { @@ -462,7 +462,7 @@ void AuthenticatorImpl::doneWithStatus(const Status& status) { if (!failed_status_in_metadata.empty()) { - ProtobufWkt::Struct failed_status; + Protobuf::Struct failed_status; auto& failed_status_fields = *failed_status.mutable_fields(); failed_status_fields["code"].set_number_value(enumToInt(status)); failed_status_fields["message"].set_string_value(google::jwt_verify::getStatusString(status)); diff --git a/source/extensions/filters/http/jwt_authn/authenticator.h b/source/extensions/filters/http/jwt_authn/authenticator.h index d54157a472f40..45b89d770987f 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.h +++ b/source/extensions/filters/http/jwt_authn/authenticator.h @@ -20,7 +20,7 @@ using AuthenticatorPtr = std::unique_ptr; using AuthenticatorCallback = std::function; using SetExtractedJwtDataCallback = - std::function; + std::function; using ClearRouteCacheCallback = std::function; diff --git a/source/extensions/filters/http/jwt_authn/filter.cc b/source/extensions/filters/http/jwt_authn/filter.cc index 10b92ace9403d..574076e7e93f2 100644 --- a/source/extensions/filters/http/jwt_authn/filter.cc +++ b/source/extensions/filters/http/jwt_authn/filter.cc @@ -102,7 +102,7 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, return Http::FilterHeadersStatus::StopIteration; } -void Filter::setExtractedData(const ProtobufWkt::Struct& extracted_data) { +void Filter::setExtractedData(const Protobuf::Struct& extracted_data) { decoder_callbacks_->streamInfo().setDynamicMetadata("envoy.filters.http.jwt_authn", extracted_data); } diff --git a/source/extensions/filters/http/jwt_authn/filter.h b/source/extensions/filters/http/jwt_authn/filter.h index 461f4bc9deb74..ef2a6ac574ed1 100644 --- a/source/extensions/filters/http/jwt_authn/filter.h +++ b/source/extensions/filters/http/jwt_authn/filter.h @@ -31,8 +31,8 @@ class Filter : public Http::StreamDecoderFilter, private: // Following two functions are for Verifier::Callbacks interface. - // Pass the extracted data from a verified JWT as an opaque ProtobufWkt::Struct. - void setExtractedData(const ProtobufWkt::Struct& extracted_data) override; + // Pass the extracted data from a verified JWT as an opaque Protobuf::Struct. + void setExtractedData(const Protobuf::Struct& extracted_data) override; void clearRouteCache() override; // It will be called when its verify() call is completed. void onComplete(const ::google::jwt_verify::Status& status) override; diff --git a/source/extensions/filters/http/jwt_authn/jwks_cache.cc b/source/extensions/filters/http/jwt_authn/jwks_cache.cc index 19d5b3447c9f7..0a9cf92757aa0 100644 --- a/source/extensions/filters/http/jwt_authn/jwks_cache.cc +++ b/source/extensions/filters/http/jwt_authn/jwks_cache.cc @@ -46,7 +46,7 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable completion_states_; std::vector auths_; - ProtobufWkt::Struct extracted_data_; + Protobuf::Struct extracted_data_; }; // base verifier for provider_name, provider_and_audiences, and allow_missing_or_failed. @@ -120,7 +120,7 @@ class ProviderVerifierImpl : public BaseVerifierImpl { extractor_->sanitizeHeaders(ctximpl.headers()); auth->verify( ctximpl.headers(), ctximpl.parentSpan(), extractor_->extract(ctximpl.headers()), - [&ctximpl](const std::string& name, const ProtobufWkt::Struct& extracted_data) { + [&ctximpl](const std::string& name, const Protobuf::Struct& extracted_data) { ctximpl.addExtractedData(name, extracted_data); }, [this, &ctximpl](const Status& status) { onComplete(status, ctximpl); }, @@ -170,7 +170,7 @@ class AllowFailedVerifierImpl : public BaseVerifierImpl { extractor_->sanitizeHeaders(ctximpl.headers()); auth->verify( ctximpl.headers(), ctximpl.parentSpan(), extractor_->extract(ctximpl.headers()), - [&ctximpl](const std::string& name, const ProtobufWkt::Struct& extracted_data) { + [&ctximpl](const std::string& name, const Protobuf::Struct& extracted_data) { ctximpl.addExtractedData(name, extracted_data); }, [this, &ctximpl](const Status& status) { onComplete(status, ctximpl); }, @@ -203,7 +203,7 @@ class AllowMissingVerifierImpl : public BaseVerifierImpl { extractor_->sanitizeHeaders(ctximpl.headers()); auth->verify( ctximpl.headers(), ctximpl.parentSpan(), extractor_->extract(ctximpl.headers()), - [&ctximpl](const std::string& name, const ProtobufWkt::Struct& extracted_data) { + [&ctximpl](const std::string& name, const Protobuf::Struct& extracted_data) { ctximpl.addExtractedData(name, extracted_data); }, [this, &ctximpl](const Status& status) { onComplete(status, ctximpl); }, diff --git a/source/extensions/filters/http/jwt_authn/verifier.h b/source/extensions/filters/http/jwt_authn/verifier.h index 26a6964dac8e8..b235d3a9319de 100644 --- a/source/extensions/filters/http/jwt_authn/verifier.h +++ b/source/extensions/filters/http/jwt_authn/verifier.h @@ -32,7 +32,7 @@ class Verifier { * This function is called before onComplete() function. * It will not be called if no payload to write. */ - virtual void setExtractedData(const ProtobufWkt::Struct& payload) PURE; + virtual void setExtractedData(const Protobuf::Struct& payload) PURE; /** * JWT payloads added to headers may require clearing the cached route. diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc index 9d61e3f4219fb..64e2a21733ebd 100644 --- a/source/extensions/filters/http/lua/lua_filter.cc +++ b/source/extensions/filters/http/lua/lua_filter.cc @@ -105,9 +105,9 @@ void parseOptionsFromTable(lua_State* state, int index, } } -const ProtobufWkt::Struct& getMetadata(Http::StreamFilterCallbacks* callbacks) { +const Protobuf::Struct& getMetadata(Http::StreamFilterCallbacks* callbacks) { if (callbacks->route() == nullptr) { - return ProtobufWkt::Struct::default_instance(); + return Protobuf::Struct::default_instance(); } const auto& metadata = callbacks->route()->metadata(); @@ -123,7 +123,7 @@ const ProtobufWkt::Struct& getMetadata(Http::StreamFilterCallbacks* callbacks) { } } - return ProtobufWkt::Struct::default_instance(); + return Protobuf::Struct::default_instance(); } // Okay to return non-const reference because this doesn't ever get changed. @@ -988,7 +988,7 @@ void Filter::DecoderCallbacks::respond(Http::ResponseHeaderMapPtr&& headers, Buf HttpResponseCodeDetails::get().LuaResponse); } -const ProtobufWkt::Struct& Filter::DecoderCallbacks::metadata() const { +const Protobuf::Struct& Filter::DecoderCallbacks::metadata() const { return getMetadata(callbacks_); } @@ -999,7 +999,7 @@ void Filter::EncoderCallbacks::respond(Http::ResponseHeaderMapPtr&&, Buffer::Ins luaL_error(state, "respond not currently supported in the response path"); } -const ProtobufWkt::Struct& Filter::EncoderCallbacks::metadata() const { +const Protobuf::Struct& Filter::EncoderCallbacks::metadata() const { return getMetadata(callbacks_); } diff --git a/source/extensions/filters/http/lua/lua_filter.h b/source/extensions/filters/http/lua/lua_filter.h index 4ed635b95fdbf..c73a459c2527d 100644 --- a/source/extensions/filters/http/lua/lua_filter.h +++ b/source/extensions/filters/http/lua/lua_filter.h @@ -91,10 +91,10 @@ class FilterCallbacks { lua_State* state) PURE; /** - * @return const ProtobufWkt::Struct& the value of metadata inside the lua filter scope of current + * @return const Protobuf::Struct& the value of metadata inside the lua filter scope of current * route entry. */ - virtual const ProtobufWkt::Struct& metadata() const PURE; + virtual const Protobuf::Struct& metadata() const PURE; /** * @return StreamInfo::StreamInfo& the current stream info handle. This handle is mutable to @@ -124,11 +124,11 @@ class FilterCallbacks { virtual void clearRouteCache() PURE; /** - * @return const ProtobufWkt::Struct& the filter context from the most specific filter config + * @return const Protobuf::Struct& the filter context from the most specific filter config * from the route or virtual host. Empty struct will be returned if no route or virtual host is * found. */ - virtual const ProtobufWkt::Struct& filterContext() const PURE; + virtual const Protobuf::Struct& filterContext() const PURE; /** * @return absl::string_view the value of filter config name. @@ -485,13 +485,13 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { bool disabled() const { return disabled_; } absl::string_view name() const { return name_; } PerLuaCodeSetup* perLuaCodeSetup() const { return per_lua_code_setup_ptr_.get(); } - const ProtobufWkt::Struct& filterContext() const { return filter_context_; } + const Protobuf::Struct& filterContext() const { return filter_context_; } private: const bool disabled_; const std::string name_; PerLuaCodeSetupPtr per_lua_code_setup_ptr_; - const ProtobufWkt::Struct filter_context_; + const Protobuf::Struct filter_context_; }; /** @@ -571,7 +571,7 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga void respond(Http::ResponseHeaderMapPtr&& headers, Buffer::Instance* body, lua_State* state) override; - const ProtobufWkt::Struct& metadata() const override; + const Protobuf::Struct& metadata() const override; StreamInfo::StreamInfo& streamInfo() override { return callbacks_->streamInfo(); } const Network::Connection* connection() const override { return callbacks_->connection().ptr(); @@ -585,7 +585,7 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga cb->clearRouteCache(); } } - const ProtobufWkt::Struct& filterContext() const override { return parent_.filterContext(); } + const Protobuf::Struct& filterContext() const override { return parent_.filterContext(); } const absl::string_view filterConfigName() const override { return callbacks_->filterConfigName(); } @@ -607,7 +607,7 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga void respond(Http::ResponseHeaderMapPtr&& headers, Buffer::Instance* body, lua_State* state) override; - const ProtobufWkt::Struct& metadata() const override; + const Protobuf::Struct& metadata() const override; StreamInfo::StreamInfo& streamInfo() override { return callbacks_->streamInfo(); } const Network::Connection* connection() const override { return callbacks_->connection().ptr(); @@ -617,7 +617,7 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga UNREFERENCED_PARAMETER(host_and_strict); } void clearRouteCache() override {} - const ProtobufWkt::Struct& filterContext() const override { return parent_.filterContext(); } + const Protobuf::Struct& filterContext() const override { return parent_.filterContext(); } const absl::string_view filterConfigName() const override { return callbacks_->filterConfigName(); } @@ -652,8 +652,8 @@ class Filter : public Http::StreamFilter, private Filters::Common::Lua::LuaLogga return config_->perLuaCodeSetup(); } - const ProtobufWkt::Struct& filterContext() const { - return per_route_config_ == nullptr ? ProtobufWkt::Struct::default_instance() + const Protobuf::Struct& filterContext() const { + return per_route_config_ == nullptr ? Protobuf::Struct::default_instance() : per_route_config_->filterContext(); } diff --git a/source/extensions/filters/http/lua/wrappers.cc b/source/extensions/filters/http/lua/wrappers.cc index 957139ca50564..a9aa071e9987b 100644 --- a/source/extensions/filters/http/lua/wrappers.cc +++ b/source/extensions/filters/http/lua/wrappers.cc @@ -337,7 +337,7 @@ int DynamicMetadataMapWrapper::luaSet(lua_State* state) { // so push a copy of the 3rd arg ("value") to the top. lua_pushvalue(state, 4); - ProtobufWkt::Struct value; + Protobuf::Struct value; (*value.mutable_fields())[key] = Filters::Common::Lua::MetadataMapHelper::loadValue(state); streamInfo().setDynamicMetadata(filter_name, value); @@ -445,10 +445,10 @@ int FilterStateWrapper::luaGet(lua_State* state) { return 0; } -const ProtobufWkt::Struct& VirtualHostWrapper::getMetadata() const { +const Protobuf::Struct& VirtualHostWrapper::getMetadata() const { const auto& virtual_host = stream_info_.virtualHost(); if (virtual_host == nullptr) { - return ProtobufWkt::Struct::default_instance(); + return Protobuf::Struct::default_instance(); } const auto& metadata = virtual_host->metadata(); @@ -458,7 +458,7 @@ const ProtobufWkt::Struct& VirtualHostWrapper::getMetadata() const { return filter_it->second; } - return ProtobufWkt::Struct::default_instance(); + return Protobuf::Struct::default_instance(); } int VirtualHostWrapper::luaMetadata(lua_State* state) { @@ -471,10 +471,10 @@ int VirtualHostWrapper::luaMetadata(lua_State* state) { return 1; } -const ProtobufWkt::Struct& RouteWrapper::getMetadata() const { +const Protobuf::Struct& RouteWrapper::getMetadata() const { const auto& route = stream_info_.route(); if (route == nullptr) { - return ProtobufWkt::Struct::default_instance(); + return Protobuf::Struct::default_instance(); } const auto& metadata = route->metadata(); @@ -484,7 +484,7 @@ const ProtobufWkt::Struct& RouteWrapper::getMetadata() const { return filter_it->second; } - return ProtobufWkt::Struct::default_instance(); + return Protobuf::Struct::default_instance(); } int RouteWrapper::luaMetadata(lua_State* state) { diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index 91b86107d8ab1..1e457fa31b42d 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -147,7 +147,7 @@ class DynamicMetadataMapIterator private: DynamicMetadataMapWrapper& parent_; - Protobuf::Map::const_iterator current_; + Protobuf::Map::const_iterator current_; }; /** @@ -165,7 +165,7 @@ class ConnectionDynamicMetadataMapIterator private: ConnectionDynamicMetadataMapWrapper& parent_; - Protobuf::Map::const_iterator current_; + Protobuf::Map::const_iterator current_; }; /** @@ -468,7 +468,7 @@ class VirtualHostWrapper : public Filters::Common::Lua::BaseLuaObject { */ DECLARE_LUA_FUNCTION(RouteWrapper, luaMetadata); - const ProtobufWkt::Struct& getMetadata() const; + const Protobuf::Struct& getMetadata() const; // Filters::Common::Lua::BaseLuaObject void onMarkDead() override { metadata_wrapper_.reset(); } diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index d1f9b1c621e93..db290adc838ae 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -1310,7 +1310,7 @@ OAuth2Filter::validateOAuthCallback(const Http::RequestHeaderMap& headers, // Decode the state parameter to get the original request URL and the CSRF token. const std::string state = Base64Url::decode(stateVal.value()); bool has_unknown_field; - ProtobufWkt::Struct message; + Protobuf::Struct message; auto status = MessageUtil::loadFromJsonNoThrow(state, message, has_unknown_field); if (!status.ok()) { diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc b/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc index 7e027c1af1e34..bea5671d9ad9a 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc @@ -48,7 +48,9 @@ namespace { using ::Envoy::Protobuf::Field; using ::Envoy::Protobuf::Map; +using ::Envoy::Protobuf::Struct; using ::Envoy::Protobuf::Type; +using ::Envoy::Protobuf::Value; using ::Envoy::Protobuf::field_extraction::FieldExtractor; using ::Envoy::Protobuf::internal::WireFormatLite; using ::Envoy::Protobuf::io::CodedInputStream; @@ -57,8 +59,6 @@ using ::Envoy::Protobuf::io::CordOutputStream; using ::Envoy::Protobuf::util::JsonParseOptions; using ::Envoy::Protobuf::util::converter::JsonObjectWriter; using ::Envoy::Protobuf::util::converter::ProtoStreamObjectSource; -using ::Envoy::ProtobufWkt::Struct; -using ::Envoy::ProtobufWkt::Value; std::string kLocationRegionExtractorPattern = R"((?:^|/)(?:locations|regions)/([^/]+))"; @@ -388,7 +388,7 @@ absl::Status RedactStructRecursively(std::vector::const_iterator pa } absl::Status ConvertToStruct(const Protobuf::field_extraction::MessageData& message, - const Envoy::ProtobufWkt::Type& type, + const Envoy::Protobuf::Type& type, ::Envoy::Protobuf::util::TypeResolver* type_resolver, Struct* message_struct) { // Convert from message data to JSON using absl::Cord. @@ -418,10 +418,10 @@ absl::Status ConvertToStruct(const Protobuf::field_extraction::MessageData& mess } bool ScrubToStruct(const proto_processing_lib::proto_scrubber::ProtoScrubber* scrubber, - const Envoy::ProtobufWkt::Type& type, + const Envoy::Protobuf::Type& type, const ::google::grpc::transcoding::TypeHelper& type_helper, Protobuf::field_extraction::MessageData* message, - Envoy::ProtobufWkt::Struct* message_struct) { + Envoy::Protobuf::Struct* message_struct) { message_struct->Clear(); // When scrubber or message is nullptr, it indicates that there's nothing to diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.h b/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.h index 1442657e6183a..f2885b42fa6c8 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.h +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.h @@ -44,7 +44,7 @@ constexpr int kProtoTranslationMaxRecursionDepth = 64; ABSL_CONST_INIT const char* const kStructTypeUrl = "type.googleapis.com/google.protobuf.Struct"; -bool IsEmptyStruct(const ProtobufWkt::Struct& message_struct); +bool IsEmptyStruct(const Protobuf::Struct& message_struct); bool IsLabelName(absl::string_view value); @@ -86,10 +86,9 @@ absl::string_view ExtractLocationIdFromResourceName(absl::string_view resource_n // Recursively redacts the path_pieces in the enclosing proto_struct. void RedactPath(std::vector::const_iterator path_begin, - std::vector::const_iterator path_end, - ProtobufWkt::Struct* proto_struct); + std::vector::const_iterator path_end, Protobuf::Struct* proto_struct); -void RedactPaths(absl::Span paths_to_redact, ProtobufWkt::Struct* proto_struct); +void RedactPaths(absl::Span paths_to_redact, Protobuf::Struct* proto_struct); // Finds the last value of the non-repeated string field after the first // value. Returns an empty string if there is only one string field. Returns @@ -116,15 +115,15 @@ ExtractStringFieldValue(const Protobuf::Type& type, absl::Status RedactStructRecursively(std::vector::const_iterator path_pieces_begin, std::vector::const_iterator path_pieces_end, - ProtobufWkt::Struct* message_struct); + Protobuf::Struct* message_struct); // Converts given proto message to Struct. It also adds // a "@type" property with proto type url to the generated Struct. Expects the // TypeResolver to handle types prefixed with "type.googleapis.com/". absl::Status ConvertToStruct(const Protobuf::field_extraction::MessageData& message, - const Envoy::ProtobufWkt::Type& type, + const Envoy::Protobuf::Type& type, ::Envoy::Protobuf::util::TypeResolver* type_resolver, - ::Envoy::ProtobufWkt::Struct* message_struct); + ::Envoy::Protobuf::Struct* message_struct); // Extracts given proto message and convert the extracted proto to Struct. // @@ -133,10 +132,10 @@ absl::Status ConvertToStruct(const Protobuf::field_extraction::MessageData& mess // (2) error during scrubbing/converting; // (3) the message is empty after scrubbing; bool ScrubToStruct(const proto_processing_lib::proto_scrubber::ProtoScrubber* scrubber, - const Envoy::ProtobufWkt::Type& type, + const Envoy::Protobuf::Type& type, const ::google::grpc::transcoding::TypeHelper& type_helper, Protobuf::field_extraction::MessageData* message, - Envoy::ProtobufWkt::Struct* message_struct); + Envoy::Protobuf::Struct* message_struct); } // namespace ProtoMessageExtraction } // namespace HttpFilters diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc index d31926425f63b..f7bdbcefd4198 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc @@ -35,9 +35,9 @@ namespace Extensions { namespace HttpFilters { namespace ProtoMessageExtraction { +using ::Envoy::Protobuf::Type; using ::Envoy::Protobuf::util::JsonParseOptions; using ::Envoy::ProtobufUtil::FieldMaskUtil; -using ::Envoy::ProtobufWkt::Type; using ::google::grpc::transcoding::TypeHelper; using ::proto_processing_lib::proto_scrubber::FieldCheckerInterface; using ::proto_processing_lib::proto_scrubber::FieldMaskPathChecker; diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.h b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.h index 82e37cccd4d2b..9f6f7f911e03a 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.h +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.h @@ -27,8 +27,7 @@ class ProtoExtractor : public ProtoExtractorInterface { static std::unique_ptr Create(proto_processing_lib::proto_scrubber::ScrubberContext scrubber_context, const google::grpc::transcoding::TypeHelper* type_helper, - const ::Envoy::ProtobufWkt::Type* message_type, - const FieldPathToExtractType& field_policies); + const ::Envoy::Protobuf::Type* message_type, const FieldPathToExtractType& field_policies); // Input message must be a message data. ExtractedMessageMetadata @@ -38,7 +37,7 @@ class ProtoExtractor : public ProtoExtractorInterface { // Initializes an instance of ProtoExtractor using FieldPolicies. ProtoExtractor(proto_processing_lib::proto_scrubber::ScrubberContext scrubber_context, const google::grpc::transcoding::TypeHelper* type_helper, - const ::Envoy::ProtobufWkt::Type* message_type, + const ::Envoy::Protobuf::Type* message_type, const FieldPathToExtractType& field_policies); // Populate the target resource or the target resource callback in the extracted message @@ -48,14 +47,14 @@ class ProtoExtractor : public ProtoExtractorInterface { bool callback, ExtractedMessageMetadata* extracted_message_metadata) const; // Function to get the value associated with a key - const ProtobufWkt::FieldMask& FindWithDefault(ExtractedMessageDirective directive); + const Protobuf::FieldMask& FindWithDefault(ExtractedMessageDirective directive); const google::grpc::transcoding::TypeHelper* type_helper_; - const ::Envoy::ProtobufWkt::Type* message_type_; + const ::Envoy::Protobuf::Type* message_type_; // We use std::map instead of absl::flat_hash_map because of flat_hash_map's // rehash behavior. - std::map directives_mapping_; - std::function type_finder_; + std::map directives_mapping_; + std::function type_finder_; std::unique_ptr field_checker_; std::unique_ptr scrubber_; // A field path for 'location_selector' associated with the field marked as diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor_interface.h b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor_interface.h index 9c9e680501ccd..29f42b283bc2a 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor_interface.h +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor_interface.h @@ -29,7 +29,7 @@ struct ExtractedMessageMetadata { absl::optional target_resource; absl::optional target_resource_callback; absl::optional resource_location; - ProtobufWkt::Struct extracted_message; + Protobuf::Struct extracted_message; }; // A proto-extraction interface for extracting that converts a source message diff --git a/source/extensions/filters/http/proto_message_extraction/extractor.h b/source/extensions/filters/http/proto_message_extraction/extractor.h index 42e0fdffd8d54..dce6b2ac13751 100644 --- a/source/extensions/filters/http/proto_message_extraction/extractor.h +++ b/source/extensions/filters/http/proto_message_extraction/extractor.h @@ -24,7 +24,7 @@ namespace ProtoMessageExtraction { using ::Envoy::Protobuf::Type; -using TypeFinder = std::function; +using TypeFinder = std::function; struct ExtractedMessageResult { const TypeFinder* type_finder; @@ -35,8 +35,8 @@ struct ExtractedMessageResult { response_data; // Extracted struct with a "@type" field. - ProtobufWkt::Struct request_type_struct; - ProtobufWkt::Struct response_type_struct; + Protobuf::Struct request_type_struct; + Protobuf::Struct response_type_struct; }; class Extractor { diff --git a/source/extensions/filters/http/proto_message_extraction/extractor_impl.cc b/source/extensions/filters/http/proto_message_extraction/extractor_impl.cc index 7cbbbf9781769..dc33916adc640 100644 --- a/source/extensions/filters/http/proto_message_extraction/extractor_impl.cc +++ b/source/extensions/filters/http/proto_message_extraction/extractor_impl.cc @@ -58,7 +58,7 @@ std::string getFullTypeWithUrl(absl::string_view simple_type) { return absl::StrCat(kTypeServiceBaseUrl, "/", simple_type); } -void fillStructWithType(const ::Envoy::ProtobufWkt::Type& type, ::Envoy::ProtobufWkt::Struct& out) { +void fillStructWithType(const ::Envoy::Protobuf::Type& type, ::Envoy::Protobuf::Struct& out) { (*out.mutable_fields())[kTypeProperty].set_string_value(getFullTypeWithUrl(type.name())); } diff --git a/source/extensions/filters/http/proto_message_extraction/extractor_impl.h b/source/extensions/filters/http/proto_message_extraction/extractor_impl.h index 9d9bf6312fdb3..bbe639e714f8c 100644 --- a/source/extensions/filters/http/proto_message_extraction/extractor_impl.h +++ b/source/extensions/filters/http/proto_message_extraction/extractor_impl.h @@ -24,8 +24,8 @@ class ExtractorImpl : public Extractor { ExtractorImpl( const TypeFinder& type_finder, const google::grpc::transcoding::TypeHelper& type_helper, absl::string_view request_type_url, absl::string_view response_type_url, - // const Envoy::ProtobufWkt::Type* request_type, - // const Envoy::ProtobufWkt::Type* response_type, + // const Envoy::Protobuf::Type* request_type, + // const Envoy::Protobuf::Type* response_type, const envoy::extensions::filters::http::proto_message_extraction::v3::MethodExtraction& method_extraction) : method_extraction_(method_extraction), request_type_url_(request_type_url), diff --git a/source/extensions/filters/http/proto_message_extraction/filter.cc b/source/extensions/filters/http/proto_message_extraction/filter.cc index 7d686ec54aebc..4a48d1ccc55ff 100644 --- a/source/extensions/filters/http/proto_message_extraction/filter.cc +++ b/source/extensions/filters/http/proto_message_extraction/filter.cc @@ -365,7 +365,7 @@ Filter::HandleDataStatus Filter::handleEncodeData(Envoy::Buffer::Instance& data, void Filter::handleRequestExtractionResult(const std::vector& result) { RELEASE_ASSERT(extractor_, "`extractor_` should be initialized when extracting fields"); - Envoy::ProtobufWkt::Struct dest_metadata; + Envoy::Protobuf::Struct dest_metadata; auto addResultToMetadata = [&](const std::string& category, const std::string& key, const ExtractedMessageMetadata& metadata) { @@ -399,7 +399,7 @@ void Filter::handleRequestExtractionResult(const std::vector& result) { RELEASE_ASSERT(extractor_, "`extractor_` should be initialized when extracting fields"); - Envoy::ProtobufWkt::Struct dest_metadata; + Envoy::Protobuf::Struct dest_metadata; auto addResultToMetadata = [&](const std::string& category, const std::string& key, const ExtractedMessageMetadata& metadata) { diff --git a/source/extensions/filters/http/proto_message_extraction/filter_config.cc b/source/extensions/filters/http/proto_message_extraction/filter_config.cc index 8bfd86ed307d2..ef017c6b0db18 100644 --- a/source/extensions/filters/http/proto_message_extraction/filter_config.cc +++ b/source/extensions/filters/http/proto_message_extraction/filter_config.cc @@ -35,7 +35,7 @@ FilterConfig::FilterConfig(const ProtoMessageExtractionConfig& proto_config, Envoy::Grpc::Common::typeUrlPrefix(), descriptor_pool_.get())); type_finder_ = std::make_unique( - [this](absl::string_view type_url) -> const ::Envoy::ProtobufWkt::Type* { + [this](absl::string_view type_url) -> const ::Envoy::Protobuf::Type* { return type_helper_->Info()->GetTypeByTypeUrl(type_url); }); diff --git a/source/extensions/filters/http/rate_limit_quota/filter.cc b/source/extensions/filters/http/rate_limit_quota/filter.cc index 1f4354dbeaa37..04a4697472816 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter.cc +++ b/source/extensions/filters/http/rate_limit_quota/filter.cc @@ -112,7 +112,7 @@ Http::FilterHeadersStatus RateLimitQuotaFilter::decodeHeaders(Http::RequestHeade bucket_id, bucket_id_proto.DebugString()); // Add the matched bucket_id to dynamic metadata for logging. - ProtobufWkt::Struct bucket_log; + Protobuf::Struct bucket_log; auto* bucket_log_fields = bucket_log.mutable_fields(); for (const auto& bucket : bucket_id_proto.bucket()) { (*bucket_log_fields)[bucket.first] = ValueUtil::stringValue(bucket.second); diff --git a/source/extensions/filters/http/rbac/rbac_filter.cc b/source/extensions/filters/http/rbac/rbac_filter.cc index 164b0d55b3449..ab49448d494c9 100644 --- a/source/extensions/filters/http/rbac/rbac_filter.cc +++ b/source/extensions/filters/http/rbac/rbac_filter.cc @@ -146,7 +146,7 @@ RoleBasedAccessControlRouteSpecificFilterConfig::RoleBasedAccessControlRouteSpec // Evaluates the shadow engine policy and updates metrics accordingly bool RoleBasedAccessControlFilter::evaluateShadowEngine(const Http::RequestHeaderMap& headers, - ProtobufWkt::Struct& metrics) const { + Protobuf::Struct& metrics) const { const auto shadow_engine = config_->engine(callbacks_, Filters::Common::RBAC::EnforcementMode::Shadow); if (shadow_engine == nullptr) { @@ -193,7 +193,7 @@ bool RoleBasedAccessControlFilter::evaluateShadowEngine(const Http::RequestHeade // Evaluates the enforced engine policy and returns the appropriate filter status Http::FilterHeadersStatus RoleBasedAccessControlFilter::evaluateEnforcedEngine(Http::RequestHeaderMap& headers, - ProtobufWkt::Struct& metrics) const { + Protobuf::Struct& metrics) const { const auto engine = config_->engine(callbacks_, Filters::Common::RBAC::EnforcementMode::Enforced); if (engine == nullptr) { return Http::FilterHeadersStatus::Continue; @@ -263,7 +263,7 @@ RoleBasedAccessControlFilter::decodeHeaders(Http::RequestHeaderMap& headers, boo headers, callbacks_->streamInfo().dynamicMetadata().DebugString()); // Create metrics structure to hold results - ProtobufWkt::Struct metrics; + Protobuf::Struct metrics; // Evaluate shadow engine if it exists const bool shadow_engine_evaluated = evaluateShadowEngine(headers, metrics); diff --git a/source/extensions/filters/http/rbac/rbac_filter.h b/source/extensions/filters/http/rbac/rbac_filter.h index c5432c3b435fc..f0dc61074a269 100644 --- a/source/extensions/filters/http/rbac/rbac_filter.h +++ b/source/extensions/filters/http/rbac/rbac_filter.h @@ -126,12 +126,11 @@ class RoleBasedAccessControlFilter final : public Http::StreamDecoderFilter, private: // Handles shadow engine evaluation and updates metrics - bool evaluateShadowEngine(const Http::RequestHeaderMap& headers, - ProtobufWkt::Struct& metrics) const; + bool evaluateShadowEngine(const Http::RequestHeaderMap& headers, Protobuf::Struct& metrics) const; // Handles enforced engine evaluation and updates metrics Http::FilterHeadersStatus evaluateEnforcedEngine(Http::RequestHeaderMap& headers, - ProtobufWkt::Struct& metrics) const; + Protobuf::Struct& metrics) const; RoleBasedAccessControlFilterConfigSharedPtr config_; Http::StreamDecoderFilterCallbacks* callbacks_{}; diff --git a/source/extensions/filters/http/set_metadata/set_metadata_filter.cc b/source/extensions/filters/http/set_metadata/set_metadata_filter.cc index 129fba5af7d29..24d695f630b77 100644 --- a/source/extensions/filters/http/set_metadata/set_metadata_filter.cc +++ b/source/extensions/filters/http/set_metadata/set_metadata_filter.cc @@ -60,7 +60,7 @@ Http::FilterHeadersStatus SetMetadataFilter::decodeHeaders(Http::RequestHeaderMa mut_untyped_metadata[entry.metadata_namespace] = entry.value; } else if (entry.allow_overwrite) { // Get the existing metadata at this key for merging. - ProtobufWkt::Struct& orig_fields = mut_untyped_metadata[entry.metadata_namespace]; + Protobuf::Struct& orig_fields = mut_untyped_metadata[entry.metadata_namespace]; const auto& to_merge = entry.value; // Merge the new metadata into the existing metadata. diff --git a/source/extensions/filters/http/set_metadata/set_metadata_filter.h b/source/extensions/filters/http/set_metadata/set_metadata_filter.h index e293690a32abd..9aff8a68650e3 100644 --- a/source/extensions/filters/http/set_metadata/set_metadata_filter.h +++ b/source/extensions/filters/http/set_metadata/set_metadata_filter.h @@ -27,12 +27,12 @@ struct FilterStats { struct UntypedMetadataEntry { bool allow_overwrite{}; std::string metadata_namespace; - ProtobufWkt::Struct value; + Protobuf::Struct value; }; struct TypedMetadataEntry { bool allow_overwrite{}; std::string metadata_namespace; - ProtobufWkt::Any value; + Protobuf::Any value; }; class Config : public ::Envoy::Router::RouteSpecificFilterConfig, public Logger::Loggable { diff --git a/source/extensions/filters/http/thrift_to_metadata/filter.cc b/source/extensions/filters/http/thrift_to_metadata/filter.cc index 23753568d326f..071e95067c2bb 100644 --- a/source/extensions/filters/http/thrift_to_metadata/filter.cc +++ b/source/extensions/filters/http/thrift_to_metadata/filter.cc @@ -24,13 +24,12 @@ Rule::Rule(const ProtoRule& rule) : rule_(rule) { switch (rule_.field()) { PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; case envoy::extensions::filters::http::thrift_to_metadata::v3::METHOD_NAME: - protobuf_value_extracter_ = - [](MessageMetadataSharedPtr metadata, - const ThriftDecoderHandler&) -> absl::optional { + protobuf_value_extracter_ = [](MessageMetadataSharedPtr metadata, + const ThriftDecoderHandler&) -> absl::optional { if (!metadata->hasMethodName()) { return absl::nullopt; } - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value(metadata->methodName()); return value; }; @@ -38,8 +37,8 @@ Rule::Rule(const ProtoRule& rule) : rule_(rule) { case envoy::extensions::filters::http::thrift_to_metadata::v3::PROTOCOL: protobuf_value_extracter_ = [](MessageMetadataSharedPtr, - const ThriftDecoderHandler& handler) -> absl::optional { - ProtobufWkt::Value value; + const ThriftDecoderHandler& handler) -> absl::optional { + Protobuf::Value value; value.set_string_value(handler.protocolName()); return value; }; @@ -47,56 +46,52 @@ Rule::Rule(const ProtoRule& rule) : rule_(rule) { case envoy::extensions::filters::http::thrift_to_metadata::v3::TRANSPORT: protobuf_value_extracter_ = [](MessageMetadataSharedPtr, - const ThriftDecoderHandler& handler) -> absl::optional { - ProtobufWkt::Value value; + const ThriftDecoderHandler& handler) -> absl::optional { + Protobuf::Value value; value.set_string_value(handler.transportName()); return value; }; break; case envoy::extensions::filters::http::thrift_to_metadata::v3::HEADER_FLAGS: - protobuf_value_extracter_ = - [](MessageMetadataSharedPtr metadata, - const ThriftDecoderHandler&) -> absl::optional { + protobuf_value_extracter_ = [](MessageMetadataSharedPtr metadata, + const ThriftDecoderHandler&) -> absl::optional { if (!metadata->hasHeaderFlags()) { return absl::nullopt; } - ProtobufWkt::Value value; + Protobuf::Value value; value.set_number_value(metadata->headerFlags()); return value; }; break; case envoy::extensions::filters::http::thrift_to_metadata::v3::SEQUENCE_ID: - protobuf_value_extracter_ = - [](MessageMetadataSharedPtr metadata, - const ThriftDecoderHandler&) -> absl::optional { + protobuf_value_extracter_ = [](MessageMetadataSharedPtr metadata, + const ThriftDecoderHandler&) -> absl::optional { if (!metadata->hasSequenceId()) { return absl::nullopt; } - ProtobufWkt::Value value; + Protobuf::Value value; value.set_number_value(metadata->sequenceId()); return value; }; break; case envoy::extensions::filters::http::thrift_to_metadata::v3::MESSAGE_TYPE: - protobuf_value_extracter_ = - [](MessageMetadataSharedPtr metadata, - const ThriftDecoderHandler&) -> absl::optional { + protobuf_value_extracter_ = [](MessageMetadataSharedPtr metadata, + const ThriftDecoderHandler&) -> absl::optional { if (!metadata->hasMessageType()) { return absl::nullopt; } - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value(MessageTypeNames::get().fromType(metadata->messageType())); return value; }; break; case envoy::extensions::filters::http::thrift_to_metadata::v3::REPLY_TYPE: - protobuf_value_extracter_ = - [](MessageMetadataSharedPtr metadata, - const ThriftDecoderHandler&) -> absl::optional { + protobuf_value_extracter_ = [](MessageMetadataSharedPtr metadata, + const ThriftDecoderHandler&) -> absl::optional { if (!metadata->hasReplyType()) { return absl::nullopt; } - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value(ReplyTypeNames::get().fromType(metadata->replyType())); return value; }; @@ -298,7 +293,7 @@ void Filter::processMetadata(MessageMetadataSharedPtr metadata, const Rules& rul ThriftToMetadataStats& stats, bool& processing_finished_flag) { StructMap struct_map; for (const auto& rule : rules) { - absl::optional val_opt = rule.extract_value(metadata, *handler); + absl::optional val_opt = rule.extract_value(metadata, *handler); if (val_opt.has_value()) { handleOnPresent(std::move(val_opt).value(), rule, struct_map); @@ -310,7 +305,7 @@ void Filter::processMetadata(MessageMetadataSharedPtr metadata, const Rules& rul finalizeDynamicMetadata(filter_callback, struct_map, processing_finished_flag); } -void Filter::handleOnPresent(ProtobufWkt::Value&& value, const Rule& rule, StructMap& struct_map) { +void Filter::handleOnPresent(Protobuf::Value&& value, const Rule& rule, StructMap& struct_map) { if (!rule.rule().has_on_present()) { return; } @@ -335,7 +330,7 @@ void Filter::handleAllOnMissing(const Rules& rules, Http::StreamFilterCallbacks& finalizeDynamicMetadata(filter_callback, struct_map, processing_finished_flag); } -void Filter::applyKeyValue(ProtobufWkt::Value value, const KeyValuePair& keyval, +void Filter::applyKeyValue(Protobuf::Value value, const KeyValuePair& keyval, StructMap& struct_map) { const auto& metadata_namespace = decideNamespace(keyval.metadata_namespace()); const auto& key = keyval.key(); diff --git a/source/extensions/filters/http/thrift_to_metadata/filter.h b/source/extensions/filters/http/thrift_to_metadata/filter.h index f5d9c50fc7032..ec9a9fa7d8021 100644 --- a/source/extensions/filters/http/thrift_to_metadata/filter.h +++ b/source/extensions/filters/http/thrift_to_metadata/filter.h @@ -47,19 +47,19 @@ struct ThriftToMetadataStats { using ProtoRule = envoy::extensions::filters::http::thrift_to_metadata::v3::Rule; using KeyValuePair = envoy::extensions::filters::http::thrift_to_metadata::v3::KeyValuePair; -using StructMap = absl::flat_hash_map; +using StructMap = absl::flat_hash_map; using namespace Envoy::Extensions::NetworkFilters::ThriftProxy; class ThriftDecoderHandler; -using ThriftMetadataToProtobufValue = std::function( +using ThriftMetadataToProtobufValue = std::function( MessageMetadataSharedPtr, const ThriftDecoderHandler&)>; class Rule { public: Rule(const ProtoRule& rule); const ProtoRule& rule() const { return rule_; } - absl::optional extract_value(MessageMetadataSharedPtr metadata, - const ThriftDecoderHandler& handler) const { + absl::optional extract_value(MessageMetadataSharedPtr metadata, + const ThriftDecoderHandler& handler) const { return protobuf_value_extracter_(metadata, handler); } @@ -198,12 +198,12 @@ class Filter : public Http::PassThroughFilter, ThriftDecoderHandlerPtr& handler, Http::StreamFilterCallbacks& filter_callback, ThriftToMetadataStats& stats, bool& processing_finished_flag); - void handleOnPresent(ProtobufWkt::Value&& value, const Rule& rule, StructMap& struct_map); + void handleOnPresent(Protobuf::Value&& value, const Rule& rule, StructMap& struct_map); void handleOnMissing(const Rule& rule, StructMap& struct_map); void handleAllOnMissing(const Rules& rules, Http::StreamFilterCallbacks& filter_callback, bool& processing_finished_flag); - void applyKeyValue(ProtobufWkt::Value value, const KeyValuePair& keyval, StructMap& struct_map); + void applyKeyValue(Protobuf::Value value, const KeyValuePair& keyval, StructMap& struct_map); void finalizeDynamicMetadata(Http::StreamFilterCallbacks& filter_callback, const StructMap& struct_map, bool& processing_finished_flag); const std::string& decideNamespace(const std::string& nspace) const; diff --git a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc index a13a8269d7a17..90a5d857e609b 100644 --- a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc +++ b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc @@ -571,17 +571,16 @@ bool Filter::parseTlvs(const uint8_t* buf, size_t len) { tlv_type); } else { (*tlvs_metadata.mutable_typed_metadata())[key_value_pair->key()] = tlv_value; - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(tlvs_metadata); cb_->setDynamicTypedMetadata(metadata_key, typed_metadata); } // Always populate untyped metadata for backwards compatibility. - ProtobufWkt::Value metadata_value; + Protobuf::Value metadata_value; // Sanitize any non utf8 characters. auto sanitised_tlv_value = MessageUtil::sanitizeUtf8String(tlv_value); metadata_value.set_string_value(sanitised_tlv_value.data(), sanitised_tlv_value.size()); - ProtobufWkt::Struct metadata( - (*cb_->dynamicMetadata().mutable_filter_metadata())[metadata_key]); + Protobuf::Struct metadata((*cb_->dynamicMetadata().mutable_filter_metadata())[metadata_key]); metadata.mutable_fields()->insert({key_value_pair->key(), metadata_value}); cb_->setDynamicMetadata(metadata_key, metadata); } else { diff --git a/source/extensions/filters/network/ext_authz/ext_authz.cc b/source/extensions/filters/network/ext_authz/ext_authz.cc index 2a8276a1f6809..b54ffc301f20c 100644 --- a/source/extensions/filters/network/ext_authz/ext_authz.cc +++ b/source/extensions/filters/network/ext_authz/ext_authz.cc @@ -78,7 +78,7 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) { config_->stats().ok_.inc(); // Add duration of call to dynamic metadata if applicable if (start_time_.has_value()) { - ProtobufWkt::Value ext_authz_duration_value; + Protobuf::Value ext_authz_duration_value; auto duration = filter_callbacks_->connection().dispatcher().timeSource().monotonicTime() - start_time_.value(); ext_authz_duration_value.set_number_value( diff --git a/source/extensions/filters/network/generic_proxy/access_log.cc b/source/extensions/filters/network/generic_proxy/access_log.cc index b946f30275620..546af3bb0b49d 100644 --- a/source/extensions/filters/network/generic_proxy/access_log.cc +++ b/source/extensions/filters/network/generic_proxy/access_log.cc @@ -24,7 +24,7 @@ StringValueFormatterProvider::formatWithContext(const FormatterContext& context, } return optional_str; } -ProtobufWkt::Value StringValueFormatterProvider::formatValueWithContext( +Protobuf::Value StringValueFormatterProvider::formatValueWithContext( const FormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { return ValueUtil::optionalStringValue(formatWithContext(context, stream_info)); } @@ -37,7 +37,7 @@ GenericStatusCodeFormatterProvider::formatWithContext(const FormatterContext& co return std::to_string(code); } -ProtobufWkt::Value +Protobuf::Value GenericStatusCodeFormatterProvider::formatValueWithContext(const FormatterContext& context, const StreamInfo::StreamInfo&) const { CHECK_DATA_OR_RETURN(context, response_, ValueUtil::nullValue()); diff --git a/source/extensions/filters/network/generic_proxy/access_log.h b/source/extensions/filters/network/generic_proxy/access_log.h index 9ebb528789109..f7eb5e6044ddf 100644 --- a/source/extensions/filters/network/generic_proxy/access_log.h +++ b/source/extensions/filters/network/generic_proxy/access_log.h @@ -42,9 +42,8 @@ class StringValueFormatterProvider : public FormatterProvider { absl::optional formatWithContext(const FormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const FormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const FormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; private: ValueExtractor value_extractor_; @@ -58,8 +57,8 @@ class GenericStatusCodeFormatterProvider : public FormatterProvider { // FormatterProvider absl::optional formatWithContext(const FormatterContext& context, const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValueWithContext(const FormatterContext& context, - const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValueWithContext(const FormatterContext& context, + const StreamInfo::StreamInfo&) const override; }; Formatter::CommandParserPtr createGenericProxyCommandParser(); diff --git a/source/extensions/filters/network/generic_proxy/config.cc b/source/extensions/filters/network/generic_proxy/config.cc index 55450932390ed..bbc9b9661b739 100644 --- a/source/extensions/filters/network/generic_proxy/config.cc +++ b/source/extensions/filters/network/generic_proxy/config.cc @@ -50,7 +50,7 @@ Factory::routeConfigProviderFromProto(const ProxyConfig& config, } std::vector -Factory::filtersFactoryFromProto(const ProtobufWkt::RepeatedPtrField& filters, +Factory::filtersFactoryFromProto(const Protobuf::RepeatedPtrField& filters, const TypedExtensionConfig& codec_config, const std::string stats_prefix, Envoy::Server::Configuration::FactoryContext& context) { diff --git a/source/extensions/filters/network/generic_proxy/config.h b/source/extensions/filters/network/generic_proxy/config.h index 8708223d1e654..6e746f72a81ff 100644 --- a/source/extensions/filters/network/generic_proxy/config.h +++ b/source/extensions/filters/network/generic_proxy/config.h @@ -31,7 +31,7 @@ class Factory : public Envoy::Extensions::NetworkFilters::Common::FactoryBase - filtersFactoryFromProto(const ProtobufWkt::RepeatedPtrField& filters, + filtersFactoryFromProto(const Protobuf::RepeatedPtrField& filters, const TypedExtensionConfig& codec_config, const std::string stats_prefix, Server::Configuration::FactoryContext& context); }; diff --git a/source/extensions/filters/network/generic_proxy/route_impl.cc b/source/extensions/filters/network/generic_proxy/route_impl.cc index d70a3a99fc9d6..18d37d2f28087 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.cc +++ b/source/extensions/filters/network/generic_proxy/route_impl.cc @@ -18,7 +18,7 @@ namespace NetworkFilters { namespace GenericProxy { RouteSpecificFilterConfigConstSharedPtr RouteEntryImpl::createRouteSpecificFilterConfig( - const std::string& name, const ProtobufWkt::Any& typed_config, + const std::string& name, const Protobuf::Any& typed_config, Server::Configuration::ServerFactoryContext& factory_context, ProtobufMessage::ValidationVisitor& validator) { diff --git a/source/extensions/filters/network/generic_proxy/route_impl.h b/source/extensions/filters/network/generic_proxy/route_impl.h index ef81c9818d7a3..d8eae22e55477 100644 --- a/source/extensions/filters/network/generic_proxy/route_impl.h +++ b/source/extensions/filters/network/generic_proxy/route_impl.h @@ -52,7 +52,7 @@ class RouteEntryImpl : public RouteEntry, public Matcher::ActionBaseconnection() .streamInfo() .dynamicMetadata() diff --git a/source/extensions/filters/network/rbac/rbac_filter.cc b/source/extensions/filters/network/rbac/rbac_filter.cc index 501935e70a0aa..7961129c420b6 100644 --- a/source/extensions/filters/network/rbac/rbac_filter.cc +++ b/source/extensions/filters/network/rbac/rbac_filter.cc @@ -170,7 +170,7 @@ void RoleBasedAccessControlFilter::onEvent(Network::ConnectionEvent event) { void RoleBasedAccessControlFilter::setDynamicMetadata(const std::string& shadow_engine_result, const std::string& shadow_policy_id) const { - ProtobufWkt::Struct metrics; + Protobuf::Struct metrics; auto& fields = *metrics.mutable_fields(); if (!shadow_policy_id.empty()) { fields[config_->shadowEffectivePolicyIdField()].set_string_value(shadow_policy_id); diff --git a/source/extensions/filters/network/redis_proxy/external_auth.h b/source/extensions/filters/network/redis_proxy/external_auth.h index dc37148c360e7..763029a5d4495 100644 --- a/source/extensions/filters/network/redis_proxy/external_auth.h +++ b/source/extensions/filters/network/redis_proxy/external_auth.h @@ -48,7 +48,7 @@ struct AuthenticateResponse { std::string message; // The expiration time of the authentication. - ProtobufWkt::Timestamp expiration; + Protobuf::Timestamp expiration; }; using AuthenticateResponsePtr = std::unique_ptr; diff --git a/source/extensions/filters/network/thrift_proxy/conn_manager.cc b/source/extensions/filters/network/thrift_proxy/conn_manager.cc index f83cedb319b72..89f45d5f3ea04 100644 --- a/source/extensions/filters/network/thrift_proxy/conn_manager.cc +++ b/source/extensions/filters/network/thrift_proxy/conn_manager.cc @@ -831,7 +831,7 @@ void ConnectionManager::ActiveRpc::recordResponseAccessLog( void ConnectionManager::ActiveRpc::recordResponseAccessLog(const std::string& message_type, const std::string& reply_type) { - ProtobufWkt::Struct stats_obj; + Protobuf::Struct stats_obj; auto& fields_map = *stats_obj.mutable_fields(); auto& response_fields_map = *fields_map["response"].mutable_struct_value()->mutable_fields(); @@ -891,7 +891,7 @@ FilterStatus ConnectionManager::ActiveRpc::messageBegin(MessageMetadataSharedPtr throw EnvoyException(error.value()); } - ProtobufWkt::Struct stats_obj; + Protobuf::Struct stats_obj; auto& fields_map = *stats_obj.mutable_fields(); fields_map["cluster"] = ValueUtil::stringValue(cluster_name); fields_map["method"] = ValueUtil::stringValue(method); diff --git a/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.cc b/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.cc index f29f4bdf07b0b..3b376ce674e06 100644 --- a/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.cc +++ b/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.cc @@ -78,7 +78,7 @@ const std::string& HeaderToMetadataFilter::decideNamespace(const std::string& ns bool HeaderToMetadataFilter::addMetadata(StructMap& struct_map, const std::string& meta_namespace, const std::string& key, std::string value, ValueType type, ValueEncode encode) const { - ProtobufWkt::Value val; + Protobuf::Value val; ASSERT(!value.empty()); diff --git a/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.h b/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.h index 1f5f3ac66fb2c..7701a1b50d5f7 100644 --- a/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.h +++ b/source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.h @@ -81,7 +81,7 @@ class HeaderToMetadataFilter : public ThriftProxy::ThriftFilters::PassThroughDec private: using ProtobufRepeatedRule = Protobuf::RepeatedPtrField; - using StructMap = std::map; + using StructMap = std::map; /** * writeHeaderToMetadata encapsulates (1) searching for the header and (2) writing it to the diff --git a/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.cc b/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.cc index d94cfa6e3ab65..294879f864193 100644 --- a/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.cc +++ b/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.cc @@ -242,7 +242,7 @@ const std::string& PayloadToMetadataFilter::decideNamespace(const std::string& n bool PayloadToMetadataFilter::addMetadata(const std::string& meta_namespace, const std::string& key, std::string value, ValueType type) { - ProtobufWkt::Value val; + Protobuf::Value val; ASSERT(!value.empty()); if (value.size() >= MAX_PAYLOAD_VALUE_LEN) { diff --git a/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.h b/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.h index ee5532bb22169..c21ea96044108 100644 --- a/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.h +++ b/source/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter.h @@ -170,7 +170,7 @@ class PayloadToMetadataFilter : public MetadataHandler, } // TODO(kuochunghsu): extract the metadata handling logic form header/payload to metadata filters. - using StructMap = std::map; + using StructMap = std::map; bool addMetadata(const std::string&, const std::string&, std::string, ValueType); void applyKeyValue(std::string, const Rule&, const KeyValuePair&); const std::string& decideNamespace(const std::string& nspace) const; diff --git a/source/extensions/filters/network/zookeeper_proxy/filter.cc b/source/extensions/filters/network/zookeeper_proxy/filter.cc index 29e599ba782b0..fe9ef9e17f708 100644 --- a/source/extensions/filters/network/zookeeper_proxy/filter.cc +++ b/source/extensions/filters/network/zookeeper_proxy/filter.cc @@ -229,12 +229,12 @@ void ZooKeeperFilter::setDynamicMetadata( const std::vector>& data) { envoy::config::core::v3::Metadata& dynamic_metadata = read_callbacks_->connection().streamInfo().dynamicMetadata(); - ProtobufWkt::Struct metadata( + Protobuf::Struct metadata( (*dynamic_metadata.mutable_filter_metadata())[NetworkFilterNames::get().ZooKeeperProxy]); auto& fields = *metadata.mutable_fields(); for (const auto& pair : data) { - auto val = ProtobufWkt::Value(); + auto val = Protobuf::Value(); val.set_string_value(pair.second); fields.insert({pair.first, val}); } diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc index f6ee7671cc5c6..859e4fd5acd76 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc @@ -385,7 +385,7 @@ UdpProxyFilter::ActiveSession::createDownstreamConnectionInfoProvider() { } void UdpProxyFilter::ActiveSession::fillSessionStreamInfo() { - ProtobufWkt::Struct stats_obj; + Protobuf::Struct stats_obj; auto& fields_map = *stats_obj.mutable_fields(); if (cluster_ != nullptr) { fields_map["cluster_name"] = ValueUtil::stringValue(cluster_->cluster_info_->name()); @@ -402,7 +402,7 @@ void UdpProxyFilter::ActiveSession::fillSessionStreamInfo() { } void UdpProxyFilter::fillProxyStreamInfo() { - ProtobufWkt::Struct stats_obj; + Protobuf::Struct stats_obj; auto& fields_map = *stats_obj.mutable_fields(); fields_map["bytes_sent"] = ValueUtil::numberValue(config_->stats().downstream_sess_tx_bytes_.value()); diff --git a/source/extensions/formatter/cel/cel.cc b/source/extensions/formatter/cel/cel.cc index c57f2fab28e1e..6ee44909861f1 100644 --- a/source/extensions/formatter/cel/cel.cc +++ b/source/extensions/formatter/cel/cel.cc @@ -41,7 +41,7 @@ CELFormatter::formatWithContext(const Envoy::Formatter::HttpFormatterContext& co return result; } -ProtobufWkt::Value +Protobuf::Value CELFormatter::formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { auto result = formatWithContext(context, stream_info); diff --git a/source/extensions/formatter/cel/cel.h b/source/extensions/formatter/cel/cel.h index e12339f6acfbc..ae3093a81b1be 100644 --- a/source/extensions/formatter/cel/cel.h +++ b/source/extensions/formatter/cel/cel.h @@ -21,8 +21,8 @@ class CELFormatter : public ::Envoy::Formatter::FormatterProvider { absl::optional formatWithContext(const Envoy::Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, - const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo&) const override; private: const ::Envoy::LocalInfo::LocalInfo& local_info_; diff --git a/source/extensions/formatter/req_without_query/req_without_query.cc b/source/extensions/formatter/req_without_query/req_without_query.cc index cf5e07eaac604..c3916b7dfe1e5 100644 --- a/source/extensions/formatter/req_without_query/req_without_query.cc +++ b/source/extensions/formatter/req_without_query/req_without_query.cc @@ -40,7 +40,7 @@ ReqWithoutQuery::formatWithContext(const Envoy::Formatter::HttpFormatterContext& return val; } -ProtobufWkt::Value +Protobuf::Value ReqWithoutQuery::formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo&) const { const Http::HeaderEntry* header = findHeader(context.requestHeaders()); diff --git a/source/extensions/formatter/req_without_query/req_without_query.h b/source/extensions/formatter/req_without_query/req_without_query.h index a4c1be0df82e4..cdc67f30ca427 100644 --- a/source/extensions/formatter/req_without_query/req_without_query.h +++ b/source/extensions/formatter/req_without_query/req_without_query.h @@ -20,8 +20,8 @@ class ReqWithoutQuery : public ::Envoy::Formatter::FormatterProvider { absl::optional formatWithContext(const Envoy::Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo&) const override; - ProtobufWkt::Value formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, - const StreamInfo::StreamInfo&) const override; + Protobuf::Value formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo&) const override; private: const Http::HeaderEntry* findHeader(const Http::HeaderMap& headers) const; diff --git a/source/extensions/health_check/event_sinks/file/file_sink_impl.cc b/source/extensions/health_check/event_sinks/file/file_sink_impl.cc index 61f0113c75c47..8ee9cba7a58c4 100644 --- a/source/extensions/health_check/event_sinks/file/file_sink_impl.cc +++ b/source/extensions/health_check/event_sinks/file/file_sink_impl.cc @@ -18,7 +18,7 @@ void HealthCheckEventFileSink::log(envoy::data::core::v3::HealthCheckEvent event }; HealthCheckEventSinkPtr HealthCheckEventFileSinkFactory::createHealthCheckEventSink( - const ProtobufWkt::Any& config, Server::Configuration::HealthCheckerFactoryContext& context) { + const Protobuf::Any& config, Server::Configuration::HealthCheckerFactoryContext& context) { const auto& validator_config = Envoy::MessageUtil::anyConvertAndValidate< envoy::extensions::health_check::event_sinks::file::v3::HealthCheckEventFileSink>( config, context.messageValidationVisitor()); diff --git a/source/extensions/health_check/event_sinks/file/file_sink_impl.h b/source/extensions/health_check/event_sinks/file/file_sink_impl.h index 712e0fe2964fc..f4f8f25b3d3d4 100644 --- a/source/extensions/health_check/event_sinks/file/file_sink_impl.h +++ b/source/extensions/health_check/event_sinks/file/file_sink_impl.h @@ -31,7 +31,7 @@ class HealthCheckEventFileSinkFactory : public HealthCheckEventSinkFactory { HealthCheckEventFileSinkFactory() = default; HealthCheckEventSinkPtr - createHealthCheckEventSink(const ProtobufWkt::Any& config, + createHealthCheckEventSink(const Protobuf::Any& config, Server::Configuration::HealthCheckerFactoryContext& context) override; std::string name() const override { return "envoy.health_check.event_sink.file"; } diff --git a/source/extensions/http/early_header_mutation/header_mutation/config.cc b/source/extensions/http/early_header_mutation/header_mutation/config.cc index 7dddb6547eb25..346568d8e29d3 100644 --- a/source/extensions/http/early_header_mutation/header_mutation/config.cc +++ b/source/extensions/http/early_header_mutation/header_mutation/config.cc @@ -12,7 +12,7 @@ Envoy::Http::EarlyHeaderMutationPtr Factory::createExtension(const Protobuf::Message& message, Server::Configuration::FactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - *Envoy::Protobuf::DynamicCastMessage(&message), + *Envoy::Protobuf::DynamicCastMessage(&message), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::http::early_header_mutation::header_mutation::v3::HeaderMutation&>( diff --git a/source/extensions/http/header_validators/envoy_default/config.cc b/source/extensions/http/header_validators/envoy_default/config.cc index 545645ab7eb34..45a47cbd35d01 100644 --- a/source/extensions/http/header_validators/envoy_default/config.cc +++ b/source/extensions/http/header_validators/envoy_default/config.cc @@ -15,7 +15,7 @@ namespace EnvoyDefault { ::Envoy::Http::HeaderValidatorFactoryPtr HeaderValidatorFactoryConfig::createFromProto( const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& server_context) { auto mptr = ::Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), server_context.messageValidationVisitor(), + dynamic_cast(message), server_context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate CustomHeaderIPDetectionFactory::createExtension(const Protobuf::Message& message, Server::Configuration::FactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - *Envoy::Protobuf::DynamicCastMessage(&message), + *Envoy::Protobuf::DynamicCastMessage(&message), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::http::original_ip_detection::custom_header::v3::CustomHeaderConfig&>( diff --git a/source/extensions/http/original_ip_detection/xff/config.cc b/source/extensions/http/original_ip_detection/xff/config.cc index 3ebfa8deecef5..1ae2b55c5fdeb 100644 --- a/source/extensions/http/original_ip_detection/xff/config.cc +++ b/source/extensions/http/original_ip_detection/xff/config.cc @@ -17,7 +17,7 @@ absl::StatusOr XffIPDetectionFactory::createExtension(const Protobuf::Message& message, Server::Configuration::FactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), context.messageValidationVisitor(), *this); + dynamic_cast(message), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::http::original_ip_detection::xff::v3::XffConfig&>( *mptr, context.messageValidationVisitor()); diff --git a/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h b/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h index 13ecbe805870c..e1b1373d82da0 100644 --- a/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h +++ b/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h @@ -38,7 +38,7 @@ class ThreadAwareLoadBalancerBase : public LoadBalancerBase, public ThreadAwareL virtual ~HashingLoadBalancer() = default; virtual HostSelectionResponse chooseHost(uint64_t hash, uint32_t attempt) const PURE; const absl::string_view hashKey(HostConstSharedPtr host, bool use_hostname) const { - const ProtobufWkt::Value& val = Config::Metadata::metadataValue( + const Protobuf::Value& val = Config::Metadata::metadataValue( host->metadata().get(), Config::MetadataFilters::get().ENVOY_LB, Config::MetadataEnvoyLbKeys::get().HASH_KEY); if (val.kind_case() != val.kStringValue && val.kind_case() != val.KIND_NOT_SET) { diff --git a/source/extensions/load_balancing_policies/override_host/load_balancer.cc b/source/extensions/load_balancing_policies/override_host/load_balancer.cc index 889a254b407ad..30f2ee662421a 100644 --- a/source/extensions/load_balancing_policies/override_host/load_balancer.cc +++ b/source/extensions/load_balancing_policies/override_host/load_balancer.cc @@ -186,8 +186,7 @@ OverrideHostLoadBalancer::LoadBalancerImpl::chooseHost(LoadBalancerContext* cont absl::optional OverrideHostLoadBalancer::LoadBalancerImpl::getSelectedHostsFromMetadata( const ::envoy::config::core::v3::Metadata& metadata, const Config::MetadataKey& metadata_key) { - const ProtobufWkt::Value& metadata_value = - Config::Metadata::metadataValue(&metadata, metadata_key); + const Protobuf::Value& metadata_value = Config::Metadata::metadataValue(&metadata, metadata_key); // TODO(yanavlasov): make it distinguish between not-present and invalid metadata. if (metadata_value.has_string_value()) { return absl::string_view{metadata_value.string_value()}; diff --git a/source/extensions/load_balancing_policies/subset/subset_lb.cc b/source/extensions/load_balancing_policies/subset/subset_lb.cc index f963d02a85356..4e82879d3311f 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb.cc +++ b/source/extensions/load_balancing_policies/subset/subset_lb.cc @@ -188,7 +188,7 @@ HostSelectionResponse SubsetLoadBalancer::chooseHost(LoadBalancerContext* contex Cluster_LbSubsetConfig_LbSubsetMetadataFallbackPolicy_FALLBACK_LIST) { return chooseHostIteration(context); } - const ProtobufWkt::Value* metadata_fallbacks = getMetadataFallbackList(context); + const Protobuf::Value* metadata_fallbacks = getMetadataFallbackList(context); if (metadata_fallbacks == nullptr) { return chooseHostIteration(context); } @@ -231,7 +231,7 @@ SubsetLoadBalancer::removeMetadataFallbackList(LoadBalancerContext* context) { return {context, to_preserve}; } -const ProtobufWkt::Value* +const Protobuf::Value* SubsetLoadBalancer::getMetadataFallbackList(LoadBalancerContext* context) const { if (context == nullptr) { return nullptr; @@ -557,7 +557,7 @@ SubsetLoadBalancer::extractSubsetMetadata(const std::set& subset_ke break; } - if (list_as_any_ && it->second.kind_case() == ProtobufWkt::Value::kListValue) { + if (list_as_any_ && it->second.kind_case() == Protobuf::Value::kListValue) { // If the list of kvs is empty, we initialize one kvs for each value in the list. // Otherwise, we branch the list of kvs by generating one new kvs per old kvs per // new value. @@ -611,7 +611,7 @@ std::string SubsetLoadBalancer::describeMetadata(const SubsetLoadBalancer::Subse first = false; } - const ProtobufWkt::Value& value = it.second; + const Protobuf::Value& value = it.second; buf << it.first << "=" << MessageUtil::getJsonStringFromMessageOrError(value); } return buf.str(); @@ -625,7 +625,7 @@ SubsetLoadBalancer::findOrCreateLbSubsetEntry(LbSubsetMap& subsets, const Subset ASSERT(idx < kvs.size()); const std::string& name = kvs[idx].first; - const ProtobufWkt::Value& pb_value = kvs[idx].second; + const Protobuf::Value& pb_value = kvs[idx].second; const HashedValue value(pb_value); LbSubsetEntryPtr entry; @@ -908,7 +908,7 @@ SubsetLoadBalancer::LoadBalancerContextWrapper::LoadBalancerContextWrapper( } SubsetLoadBalancer::LoadBalancerContextWrapper::LoadBalancerContextWrapper( - LoadBalancerContext* wrapped, const ProtobufWkt::Struct& metadata_match_criteria_override) + LoadBalancerContext* wrapped, const Protobuf::Struct& metadata_match_criteria_override) : wrapped_(wrapped) { ASSERT(wrapped->metadataMatchCriteria()); metadata_match_ = diff --git a/source/extensions/load_balancing_policies/subset/subset_lb.h b/source/extensions/load_balancing_policies/subset/subset_lb.h index 55c896b97dfa0..f7795d0c93a3e 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb.h +++ b/source/extensions/load_balancing_policies/subset/subset_lb.h @@ -58,7 +58,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable>; + using SubsetMetadata = std::vector>; static std::string describeMetadata(const SubsetMetadata& kvs); private: @@ -149,7 +149,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable; using LbSubsetMap = absl::node_hash_map; using SubsetSelectorFallbackParamsRef = std::reference_wrapper; - using MetadataFallbacks = ProtobufWkt::RepeatedPtrField; + using MetadataFallbacks = Protobuf::RepeatedPtrField; public: class LoadBalancerContextWrapper : public LoadBalancerContext { @@ -162,7 +162,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable computeHashKey() override { return wrapped_->computeHashKey(); } const Router::MetadataMatchCriteria* metadataMatchCriteria() override { @@ -341,7 +341,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable>& a vector of @@ -181,7 +181,7 @@ class LoadBalancerSubsetInfoImpl : public LoadBalancerSubsetInfo { MetadataFallbackPolicy metadataFallbackPolicy() const override { return metadata_fallback_policy_; } - const ProtobufWkt::Struct& defaultSubset() const override { return default_subset_; } + const Protobuf::Struct& defaultSubset() const override { return default_subset_; } const std::vector& subsetSelectors() const override { return subset_selectors_; } @@ -192,7 +192,7 @@ class LoadBalancerSubsetInfoImpl : public LoadBalancerSubsetInfo { bool allowRedundantKeys() const override { return allow_redundant_keys_; } private: - const ProtobufWkt::Struct default_subset_; + const Protobuf::Struct default_subset_; std::vector subset_selectors_; // Keep small members (bools and enums) at the end of class, to reduce alignment overhead. const FallbackPolicy fallback_policy_; diff --git a/source/extensions/matching/http/metadata_input/meta_input.h b/source/extensions/matching/http/metadata_input/meta_input.h index cec7b0253052b..b112e31d37eac 100644 --- a/source/extensions/matching/http/metadata_input/meta_input.h +++ b/source/extensions/matching/http/metadata_input/meta_input.h @@ -15,8 +15,8 @@ namespace MetadataInput { class MetadataMatchData : public ::Envoy::Matcher::CustomMatchData { public: - explicit MetadataMatchData(const ProtobufWkt::Value& value) : value_(value) {} - const ProtobufWkt::Value& value_; + explicit MetadataMatchData(const Protobuf::Value& value) : value_(value) {} + const Protobuf::Value& value_; }; template diff --git a/source/extensions/rate_limit_descriptors/expr/config.cc b/source/extensions/rate_limit_descriptors/expr/config.cc index fedadb11c6306..457470ad24980 100644 --- a/source/extensions/rate_limit_descriptors/expr/config.cc +++ b/source/extensions/rate_limit_descriptors/expr/config.cc @@ -35,7 +35,7 @@ class ExpressionDescriptor : public RateLimit::DescriptorProducer { bool populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry, const std::string&, const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& info) const override { - ProtobufWkt::Arena arena; + Protobuf::Arena arena; const auto result = Filters::Common::Expr::evaluate(*compiled_expr_.get(), arena, nullptr, info, &headers, nullptr, nullptr); if (!result.has_value() || result.value().IsError()) { diff --git a/source/extensions/retry/host/omit_host_metadata/omit_host_metadata.h b/source/extensions/retry/host/omit_host_metadata/omit_host_metadata.h index e7f3a04c2230d..8a1fb2051f1b6 100644 --- a/source/extensions/retry/host/omit_host_metadata/omit_host_metadata.h +++ b/source/extensions/retry/host/omit_host_metadata/omit_host_metadata.h @@ -29,7 +29,7 @@ class OmitHostsRetryPredicate : public Upstream::RetryHostPredicate { private: const envoy::config::core::v3::Metadata metadata_match_criteria_; - std::vector> label_set_; + std::vector> label_set_; }; } // namespace Host diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc b/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc index c5914244c7d52..e8eeed9642927 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc +++ b/source/extensions/tracers/opentelemetry/resource_detectors/dynatrace/config.cc @@ -16,7 +16,7 @@ ResourceDetectorPtr DynatraceResourceDetectorFactory::createResourceDetector( const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), context.messageValidationVisitor(), *this); + dynamic_cast(message), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.cc b/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.cc index 921defeadbcf7..3cba1d9add5d9 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.cc +++ b/source/extensions/tracers/opentelemetry/resource_detectors/environment/config.cc @@ -15,7 +15,7 @@ ResourceDetectorPtr EnvironmentResourceDetectorFactory::createResourceDetector( const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), context.messageValidationVisitor(), *this); + dynamic_cast(message), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: diff --git a/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc b/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc index 1939532905b0e..b25c875c2c1d6 100644 --- a/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc +++ b/source/extensions/tracers/opentelemetry/resource_detectors/static/config.cc @@ -15,7 +15,7 @@ ResourceDetectorPtr StaticConfigResourceDetectorFactory::createResourceDetector( const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), context.messageValidationVisitor(), *this); + dynamic_cast(message), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::tracers::opentelemetry::resource_detectors::v3:: diff --git a/source/extensions/tracers/opentelemetry/samplers/cel/config.cc b/source/extensions/tracers/opentelemetry/samplers/cel/config.cc index 44e59fdd7826a..4ad951dc7cee8 100644 --- a/source/extensions/tracers/opentelemetry/samplers/cel/config.cc +++ b/source/extensions/tracers/opentelemetry/samplers/cel/config.cc @@ -17,7 +17,7 @@ SamplerSharedPtr CELSamplerFactory::createSampler(const Protobuf::Message& config, Server::Configuration::TracerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(config), context.messageValidationVisitor(), *this); + dynamic_cast(config), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::tracers::opentelemetry::samplers::v3::CELSamplerConfig&>( diff --git a/source/extensions/tracers/opentelemetry/samplers/dynatrace/config.cc b/source/extensions/tracers/opentelemetry/samplers/dynatrace/config.cc index bfcfb2d382f93..11f9e9cb1d2df 100644 --- a/source/extensions/tracers/opentelemetry/samplers/dynatrace/config.cc +++ b/source/extensions/tracers/opentelemetry/samplers/dynatrace/config.cc @@ -17,7 +17,7 @@ SamplerSharedPtr DynatraceSamplerFactory::createSampler(const Protobuf::Message& config, Server::Configuration::TracerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(config), context.messageValidationVisitor(), *this); + dynamic_cast(config), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::tracers::opentelemetry::samplers::v3::DynatraceSamplerConfig&>( diff --git a/source/extensions/tracers/opentelemetry/samplers/parent_based/config.cc b/source/extensions/tracers/opentelemetry/samplers/parent_based/config.cc index 87ca75f763de0..0b4170343c77d 100644 --- a/source/extensions/tracers/opentelemetry/samplers/parent_based/config.cc +++ b/source/extensions/tracers/opentelemetry/samplers/parent_based/config.cc @@ -16,7 +16,7 @@ SamplerSharedPtr ParentBasedSamplerFactory::createSampler(const Protobuf::Message& config, Server::Configuration::TracerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(config), context.messageValidationVisitor(), *this); + dynamic_cast(config), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::tracers::opentelemetry::samplers::v3::ParentBasedSamplerConfig&>( *mptr, context.messageValidationVisitor()); diff --git a/source/extensions/tracers/opentelemetry/samplers/trace_id_ratio_based/config.cc b/source/extensions/tracers/opentelemetry/samplers/trace_id_ratio_based/config.cc index cbe15acf95d32..17f40da90e170 100644 --- a/source/extensions/tracers/opentelemetry/samplers/trace_id_ratio_based/config.cc +++ b/source/extensions/tracers/opentelemetry/samplers/trace_id_ratio_based/config.cc @@ -15,7 +15,7 @@ namespace OpenTelemetry { SamplerSharedPtr TraceIdRatioBasedSamplerFactory::createSampler( const Protobuf::Message& config, Server::Configuration::TracerFactoryContext& context) { auto mptr = Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(config), context.messageValidationVisitor(), *this); + dynamic_cast(config), context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate{}; + auto aws = absl::flat_hash_map{}; for (const auto& field : proto_config.segment_fields().aws().fields()) { aws.emplace(field.first, field.second); } diff --git a/source/extensions/tracers/xray/localized_sampling.cc b/source/extensions/tracers/xray/localized_sampling.cc index 5126545b1736a..a9b5ec7b93d5a 100644 --- a/source/extensions/tracers/xray/localized_sampling.cc +++ b/source/extensions/tracers/xray/localized_sampling.cc @@ -34,8 +34,8 @@ void fail(absl::string_view msg) { bool isValidRate(double n) { return n >= 0 && n <= 1.0; } bool isValidFixedTarget(double n) { return n >= 0 && static_cast(n) == n; } -bool validateRule(const ProtobufWkt::Struct& rule) { - using ProtobufWkt::Value; +bool validateRule(const Protobuf::Struct& rule) { + using Protobuf::Value; const auto host_it = rule.fields().find(HostJsonKey); if (host_it != rule.fields().end() && @@ -93,7 +93,7 @@ LocalizedSamplingManifest::LocalizedSamplingManifest(const std::string& rule_jso return; } - ProtobufWkt::Struct document; + Protobuf::Struct document; TRY_NEEDS_AUDIT { MessageUtil::loadFromJson(rule_json, document); } END_TRY catch (EnvoyException& e) { fail("invalid JSON format"); @@ -106,7 +106,7 @@ LocalizedSamplingManifest::LocalizedSamplingManifest(const std::string& rule_jso return; } - if (version_it->second.kind_case() != ProtobufWkt::Value::KindCase::kNumberValue || + if (version_it->second.kind_case() != Protobuf::Value::KindCase::kNumberValue || version_it->second.number_value() != SamplingFileVersion) { fail("wrong version number"); return; @@ -114,7 +114,7 @@ LocalizedSamplingManifest::LocalizedSamplingManifest(const std::string& rule_jso const auto default_rule_it = document.fields().find(DefaultRuleJsonKey); if (default_rule_it == document.fields().end() || - default_rule_it->second.kind_case() != ProtobufWkt::Value::KindCase::kStructValue) { + default_rule_it->second.kind_case() != Protobuf::Value::KindCase::kStructValue) { fail("missing default rule"); return; } @@ -134,13 +134,13 @@ LocalizedSamplingManifest::LocalizedSamplingManifest(const std::string& rule_jso return; } - if (custom_rules_it->second.kind_case() != ProtobufWkt::Value::KindCase::kListValue) { + if (custom_rules_it->second.kind_case() != Protobuf::Value::KindCase::kListValue) { fail("rules must be JSON array"); return; } for (auto& el : custom_rules_it->second.list_value().values()) { - if (el.kind_case() != ProtobufWkt::Value::KindCase::kStructValue) { + if (el.kind_case() != Protobuf::Value::KindCase::kStructValue) { fail("rules array must be objects"); return; } diff --git a/source/extensions/tracers/xray/tracer.h b/source/extensions/tracers/xray/tracer.h index f352562ef75a8..5708ab98b59f0 100644 --- a/source/extensions/tracers/xray/tracer.h +++ b/source/extensions/tracers/xray/tracer.h @@ -115,14 +115,14 @@ class Span : public Tracing::Span, Logger::Loggable { /** * Sets the aws metadata field of the Span. */ - void setAwsMetadata(const absl::flat_hash_map& aws_metadata) { + void setAwsMetadata(const absl::flat_hash_map& aws_metadata) { aws_metadata_ = aws_metadata; } /* * Adds to the http request annotation field of the Span. */ - void addToHttpRequestAnnotations(absl::string_view key, const ProtobufWkt::Value& value) { + void addToHttpRequestAnnotations(absl::string_view key, const Protobuf::Value& value) { http_request_annotations_.emplace(std::string(key), value); } @@ -136,7 +136,7 @@ class Span : public Tracing::Span, Logger::Loggable { /* * Adds to the http response annotation field of the Span. */ - void addToHttpResponseAnnotations(absl::string_view key, const ProtobufWkt::Value& value) { + void addToHttpResponseAnnotations(absl::string_view key, const Protobuf::Value& value) { http_response_annotations_.emplace(std::string(key), value); } @@ -260,9 +260,9 @@ class Span : public Tracing::Span, Logger::Loggable { std::string name_; std::string origin_; std::string type_; - absl::flat_hash_map aws_metadata_; - absl::flat_hash_map http_request_annotations_; - absl::flat_hash_map http_response_annotations_; + absl::flat_hash_map aws_metadata_; + absl::flat_hash_map http_request_annotations_; + absl::flat_hash_map http_response_annotations_; absl::flat_hash_map custom_annotations_; bool server_error_{false}; uint64_t response_status_code_{0}; @@ -274,7 +274,7 @@ using SpanPtr = std::unique_ptr; class Tracer { public: Tracer(absl::string_view segment_name, absl::string_view origin, - const absl::flat_hash_map& aws_metadata, + const absl::flat_hash_map& aws_metadata, DaemonBrokerPtr daemon_broker, TimeSource& time_source, Random::RandomGenerator& random) : segment_name_(segment_name), origin_(origin), aws_metadata_(aws_metadata), daemon_broker_(std::move(daemon_broker)), time_source_(time_source), random_(random) {} @@ -296,7 +296,7 @@ class Tracer { private: const std::string segment_name_; const std::string origin_; - const absl::flat_hash_map aws_metadata_; + const absl::flat_hash_map aws_metadata_; const DaemonBrokerPtr daemon_broker_; Envoy::TimeSource& time_source_; Random::RandomGenerator& random_; diff --git a/source/extensions/tracers/xray/xray_configuration.h b/source/extensions/tracers/xray/xray_configuration.h index d5a9837f5dc9d..70e855fce0a27 100644 --- a/source/extensions/tracers/xray/xray_configuration.h +++ b/source/extensions/tracers/xray/xray_configuration.h @@ -18,7 +18,7 @@ struct XRayConfiguration { const std::string segment_name_; const std::string sampling_rules_; const std::string origin_; - const absl::flat_hash_map aws_metadata_; + const absl::flat_hash_map aws_metadata_; }; enum class SamplingDecision { diff --git a/source/extensions/tracers/zipkin/span_buffer.cc b/source/extensions/tracers/zipkin/span_buffer.cc index 818ba0681908c..91ca412aaae72 100644 --- a/source/extensions/tracers/zipkin/span_buffer.cc +++ b/source/extensions/tracers/zipkin/span_buffer.cc @@ -74,7 +74,7 @@ std::string JsonV2Serializer::serialize(const std::vector& zipkin_spans) { absl::StrAppend( out, absl::StrJoin( toListOfSpans(zipkin_span, replacements), ",", - [&replacement_values](std::string* element, const ProtobufWkt::Struct& span) { + [&replacement_values](std::string* element, const Protobuf::Struct& span) { absl::StatusOr json_or_error = MessageUtil::getJsonStringFromMessage(span, false, true); ENVOY_BUG(json_or_error.ok(), "Failed to parse json"); @@ -108,16 +108,16 @@ std::string JsonV2Serializer::serialize(const std::vector& zipkin_spans) { return absl::StrCat("[", serialized_elements, "]"); } -const std::vector +const std::vector JsonV2Serializer::toListOfSpans(const Span& zipkin_span, Util::Replacements& replacements) const { - std::vector spans; + std::vector spans; spans.reserve(zipkin_span.annotations().size()); // This holds the annotation entries from logs. - std::vector annotation_entries; + std::vector annotation_entries; for (const auto& annotation : zipkin_span.annotations()) { - ProtobufWkt::Struct span; + Protobuf::Struct span; auto* fields = span.mutable_fields(); if (annotation.value() == CLIENT_SEND) { (*fields)[SPAN_KIND] = ValueUtil::stringValue(KIND_CLIENT); @@ -127,7 +127,7 @@ JsonV2Serializer::toListOfSpans(const Span& zipkin_span, Util::Replacements& rep } (*fields)[SPAN_KIND] = ValueUtil::stringValue(KIND_SERVER); } else { - ProtobufWkt::Struct annotation_entry; + Protobuf::Struct annotation_entry; auto* annotation_entry_fields = annotation_entry.mutable_fields(); (*annotation_entry_fields)[ANNOTATION_VALUE] = ValueUtil::stringValue(annotation.value()); (*annotation_entry_fields)[ANNOTATION_TIMESTAMP] = @@ -137,7 +137,7 @@ JsonV2Serializer::toListOfSpans(const Span& zipkin_span, Util::Replacements& rep } if (annotation.isSetEndpoint()) { - // Usually we store number to a ProtobufWkt::Struct object via ValueUtil::numberValue. + // Usually we store number to a Protobuf::Struct object via ValueUtil::numberValue. // However, due to the possibility of rendering that to a number with scientific notation, we // chose to store it as a string and keeping track the corresponding replacement. For example, // we have 1584324295476870 if we stored it as a double value, MessageToJsonString gives @@ -171,7 +171,7 @@ JsonV2Serializer::toListOfSpans(const Span& zipkin_span, Util::Replacements& rep const auto& binary_annotations = zipkin_span.binaryAnnotations(); if (!binary_annotations.empty()) { - ProtobufWkt::Struct tags; + Protobuf::Struct tags; auto* tag_fields = tags.mutable_fields(); for (const auto& binary_annotation : binary_annotations) { (*tag_fields)[binary_annotation.key()] = ValueUtil::stringValue(binary_annotation.value()); @@ -193,8 +193,8 @@ JsonV2Serializer::toListOfSpans(const Span& zipkin_span, Util::Replacements& rep return spans; } -const ProtobufWkt::Struct JsonV2Serializer::toProtoEndpoint(const Endpoint& zipkin_endpoint) const { - ProtobufWkt::Struct endpoint; +const Protobuf::Struct JsonV2Serializer::toProtoEndpoint(const Endpoint& zipkin_endpoint) const { + Protobuf::Struct endpoint; auto* fields = endpoint.mutable_fields(); Network::Address::InstanceConstSharedPtr address = zipkin_endpoint.address(); diff --git a/source/extensions/tracers/zipkin/span_buffer.h b/source/extensions/tracers/zipkin/span_buffer.h index 53b30cdcd5433..1304b7cd457cd 100644 --- a/source/extensions/tracers/zipkin/span_buffer.h +++ b/source/extensions/tracers/zipkin/span_buffer.h @@ -106,9 +106,9 @@ class JsonV2Serializer : public Serializer { std::string serialize(const std::vector& pending_spans) override; private: - const std::vector toListOfSpans(const Span& zipkin_span, - Util::Replacements& replacements) const; - const ProtobufWkt::Struct toProtoEndpoint(const Endpoint& zipkin_endpoint) const; + const std::vector toListOfSpans(const Span& zipkin_span, + Util::Replacements& replacements) const; + const Protobuf::Struct toProtoEndpoint(const Endpoint& zipkin_endpoint) const; const bool shared_span_context_; }; diff --git a/source/extensions/tracers/zipkin/util.cc b/source/extensions/tracers/zipkin/util.cc index 53763443576f6..05d23514b98dd 100644 --- a/source/extensions/tracers/zipkin/util.cc +++ b/source/extensions/tracers/zipkin/util.cc @@ -23,8 +23,8 @@ uint64_t Util::generateRandom64(TimeSource& time_source) { return rand_64(); } -ProtobufWkt::Value Util::uint64Value(uint64_t value, absl::string_view name, - Replacements& replacements) { +Protobuf::Value Util::uint64Value(uint64_t value, absl::string_view name, + Replacements& replacements) { const std::string string_value = std::to_string(value); replacements.push_back({absl::StrCat("\"", name, "\":\"", string_value, "\""), absl::StrCat("\"", name, "\":", string_value)}); diff --git a/source/extensions/tracers/zipkin/util.h b/source/extensions/tracers/zipkin/util.h index 6f21924052855..ded339112024e 100644 --- a/source/extensions/tracers/zipkin/util.h +++ b/source/extensions/tracers/zipkin/util.h @@ -55,10 +55,10 @@ class Util { * @param value unt64_t number that will be represented in string. * @param name std::string that is the key for the value being replaced. * @param replacements a container to hold the required replacements when serializing this value. - * @return ProtobufWkt::Value wrapped uint64_t as a string. + * @return Protobuf::Value wrapped uint64_t as a string. */ - static ProtobufWkt::Value uint64Value(uint64_t value, absl::string_view name, - Replacements& replacements); + static Protobuf::Value uint64Value(uint64_t value, absl::string_view name, + Replacements& replacements); }; } // namespace Zipkin diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.cc b/source/extensions/tracers/zipkin/zipkin_core_types.cc index b831ded6573c4..8998d1e3a65b6 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.cc +++ b/source/extensions/tracers/zipkin/zipkin_core_types.cc @@ -24,8 +24,8 @@ Endpoint& Endpoint::operator=(const Endpoint& ep) { return *this; } -const ProtobufWkt::Struct Endpoint::toStruct(Util::Replacements&) const { - ProtobufWkt::Struct endpoint; +const Protobuf::Struct Endpoint::toStruct(Util::Replacements&) const { + Protobuf::Struct endpoint; auto* fields = endpoint.mutable_fields(); if (!address_) { (*fields)[ENDPOINT_IPV4] = ValueUtil::stringValue(""); @@ -65,8 +65,8 @@ void Annotation::changeEndpointServiceName(const std::string& service_name) { } } -const ProtobufWkt::Struct Annotation::toStruct(Util::Replacements& replacements) const { - ProtobufWkt::Struct annotation; +const Protobuf::Struct Annotation::toStruct(Util::Replacements& replacements) const { + Protobuf::Struct annotation; auto* fields = annotation.mutable_fields(); (*fields)[ANNOTATION_TIMESTAMP] = Util::uint64Value(timestamp_, SPAN_TIMESTAMP, replacements); (*fields)[ANNOTATION_VALUE] = ValueUtil::stringValue(value_); @@ -97,8 +97,8 @@ BinaryAnnotation& BinaryAnnotation::operator=(const BinaryAnnotation& ann) { return *this; } -const ProtobufWkt::Struct BinaryAnnotation::toStruct(Util::Replacements& replacements) const { - ProtobufWkt::Struct binary_annotation; +const Protobuf::Struct BinaryAnnotation::toStruct(Util::Replacements& replacements) const { + Protobuf::Struct binary_annotation; auto* fields = binary_annotation.mutable_fields(); (*fields)[BINARY_ANNOTATION_KEY] = ValueUtil::stringValue(key_); (*fields)[BINARY_ANNOTATION_VALUE] = ValueUtil::stringValue(value_); @@ -119,8 +119,8 @@ void Span::setServiceName(const std::string& service_name) { } } -const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const { - ProtobufWkt::Struct span; +const Protobuf::Struct Span::toStruct(Util::Replacements& replacements) const { + Protobuf::Struct span; auto* fields = span.mutable_fields(); (*fields)[SPAN_TRACE_ID] = ValueUtil::stringValue(traceIdAsHexString()); (*fields)[SPAN_NAME] = ValueUtil::stringValue(name_); @@ -131,7 +131,7 @@ const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const } if (timestamp_.has_value()) { - // Usually we store number to a ProtobufWkt::Struct object via ValueUtil::numberValue. + // Usually we store number to a Protobuf::Struct object via ValueUtil::numberValue. // However, due to the possibility of rendering that to a number with scientific notation, we // chose to store it as a string and keeping track the corresponding replacement. (*fields)[SPAN_TIMESTAMP] = Util::uint64Value(timestamp_.value(), SPAN_TIMESTAMP, replacements); @@ -144,7 +144,7 @@ const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const } if (!annotations_.empty()) { - std::vector annotation_list; + std::vector annotation_list; annotation_list.reserve(annotations_.size()); for (auto& annotation : annotations_) { annotation_list.push_back(ValueUtil::structValue(annotation.toStruct(replacements))); @@ -153,7 +153,7 @@ const ProtobufWkt::Struct Span::toStruct(Util::Replacements& replacements) const } if (!binary_annotations_.empty()) { - std::vector binary_annotation_list; + std::vector binary_annotation_list; binary_annotation_list.reserve(binary_annotations_.size()); for (auto& binary_annotation : binary_annotations_) { binary_annotation_list.push_back( diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.h b/source/extensions/tracers/zipkin/zipkin_core_types.h index dca1c9c79b2d1..14e5516739cee 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.h +++ b/source/extensions/tracers/zipkin/zipkin_core_types.h @@ -35,11 +35,11 @@ class ZipkinBase { /** * All classes defining Zipkin abstractions need to implement this method to convert - * the corresponding abstraction to a ProtobufWkt::Struct. + * the corresponding abstraction to a Protobuf::Struct. * @param replacements A container that is used to hold the required replacements when this object * is serialized. */ - virtual const ProtobufWkt::Struct toStruct(Util::Replacements& replacements) const PURE; + virtual const Protobuf::Struct toStruct(Util::Replacements& replacements) const PURE; /** * Serializes the a type as a Zipkin-compliant JSON representation as a string. @@ -110,7 +110,7 @@ class Endpoint : public ZipkinBase { * * @return a protobuf struct. */ - const ProtobufWkt::Struct toStruct(Util::Replacements& replacements) const override; + const Protobuf::Struct toStruct(Util::Replacements& replacements) const override; private: std::string service_name_; @@ -202,7 +202,7 @@ class Annotation : public ZipkinBase { * * @return a protobuf struct. */ - const ProtobufWkt::Struct toStruct(Util::Replacements& replacements) const override; + const Protobuf::Struct toStruct(Util::Replacements& replacements) const override; private: uint64_t timestamp_{0}; @@ -290,7 +290,7 @@ class BinaryAnnotation : public ZipkinBase { * @param replacements Used to hold the required replacements on serialization step. * @return a protobuf struct. */ - const ProtobufWkt::Struct toStruct(Util::Replacements& replacements) const override; + const Protobuf::Struct toStruct(Util::Replacements& replacements) const override; private: std::string key_; @@ -533,7 +533,7 @@ class Span : public ZipkinBase, public Tracing::Span { * * @return a protobuf struct. */ - const ProtobufWkt::Struct toStruct(Util::Replacements& replacements) const override; + const Protobuf::Struct toStruct(Util::Replacements& replacements) const override; /** * @return the span's context. diff --git a/source/extensions/transport_sockets/alts/tsi_socket.cc b/source/extensions/transport_sockets/alts/tsi_socket.cc index 37d87347d8614..cf343e66082dd 100644 --- a/source/extensions/transport_sockets/alts/tsi_socket.cc +++ b/source/extensions/transport_sockets/alts/tsi_socket.cc @@ -118,8 +118,8 @@ Network::PostIoAction TsiSocket::doHandshakeNextDone(NextResultPtr&& next_result err); return Network::PostIoAction::Close; } - ProtobufWkt::Struct dynamic_metadata; - ProtobufWkt::Value val; + Protobuf::Struct dynamic_metadata; + Protobuf::Value val; val.set_string_value(tsi_info.peer_identity_); dynamic_metadata.mutable_fields()->insert({std::string("peer_identity"), val}); callbacks_->connection().streamInfo().setDynamicMetadata( diff --git a/source/server/admin/admin.cc b/source/server/admin/admin.cc index c3ad262d82ef2..d4b308c760d18 100644 --- a/source/server/admin/admin.cc +++ b/source/server/admin/admin.cc @@ -136,7 +136,7 @@ AdminImpl::AdminImpl(const std::string& profile_path, Server::Instance& server, {Admin::ParamDescriptor::Type::String, "mask", "The mask to apply. When both resource and mask are specified, " "the mask is applied to every element in the desired repeated field so that only a " - "subset of fields are returned. The mask is parsed as a ProtobufWkt::FieldMask"}, + "subset of fields are returned. The mask is parsed as a Protobuf::FieldMask"}, {Admin::ParamDescriptor::Type::String, "name_regex", "Dump only the currently loaded configurations whose names match the specified " "regex. Can be used with both resource and mask query parameters."}, @@ -147,7 +147,7 @@ AdminImpl::AdminImpl(const std::string& profile_path, Server::Instance& server, MAKE_ADMIN_HANDLER(init_dump_handler_.handlerInitDump), false, false, {{Admin::ParamDescriptor::Type::String, "mask", "The desired component to dump unready targets. The mask is parsed as " - "a ProtobufWkt::FieldMask. For example, get the unready targets of " + "a Protobuf::FieldMask. For example, get the unready targets of " "all listeners with /init_dump?mask=listener`"}}), makeHandler("/contention", "dump current Envoy mutex contention stats (if enabled)", MAKE_ADMIN_HANDLER(stats_handler_.handlerContention), false, false), diff --git a/source/server/admin/config_dump_handler.cc b/source/server/admin/config_dump_handler.cc index 6526155fff86a..3fbd9c476f936 100644 --- a/source/server/admin/config_dump_handler.cc +++ b/source/server/admin/config_dump_handler.cc @@ -95,7 +95,7 @@ bool trimResourceMessage(const Protobuf::FieldMask& field_mask, Protobuf::Messag if (reflection->HasField(message, any_field)) { ASSERT(any_field != nullptr); // Unpack to a DynamicMessage. - ProtobufWkt::Any any_message; + Protobuf::Any any_message; any_message.MergeFrom(reflection->GetMessage(message, any_field)); Protobuf::DynamicMessageFactory dmf; const absl::string_view inner_type_name = diff --git a/source/server/admin/runtime_handler.cc b/source/server/admin/runtime_handler.cc index 456146cb8e9c5..80408cfb6001d 100644 --- a/source/server/admin/runtime_handler.cc +++ b/source/server/admin/runtime_handler.cc @@ -23,7 +23,7 @@ Http::Code RuntimeHandler::handlerRuntime(Http::ResponseHeaderMap& response_head // TODO(jsedgwick): Use proto to structure this output instead of arbitrary JSON. const auto& layers = server_.runtime().snapshot().getLayers(); - std::vector layer_names; + std::vector layer_names; layer_names.reserve(layers.size()); std::map> entries; for (const auto& layer : layers) { @@ -45,10 +45,10 @@ Http::Code RuntimeHandler::handlerRuntime(Http::ResponseHeaderMap& response_head } } - ProtobufWkt::Struct layer_entries; + Protobuf::Struct layer_entries; auto* layer_entry_fields = layer_entries.mutable_fields(); for (const auto& entry : entries) { - std::vector layer_entry_values; + std::vector layer_entry_values; layer_entry_values.reserve(entry.second.size()); std::string final_value; for (const auto& value : entry.second) { @@ -58,7 +58,7 @@ Http::Code RuntimeHandler::handlerRuntime(Http::ResponseHeaderMap& response_head layer_entry_values.push_back(ValueUtil::stringValue(value)); } - ProtobufWkt::Struct layer_entry_value; + Protobuf::Struct layer_entry_value; auto* layer_entry_value_fields = layer_entry_value.mutable_fields(); (*layer_entry_value_fields)["final_value"] = ValueUtil::stringValue(final_value); @@ -66,7 +66,7 @@ Http::Code RuntimeHandler::handlerRuntime(Http::ResponseHeaderMap& response_head (*layer_entry_fields)[entry.first] = ValueUtil::structValue(layer_entry_value); } - ProtobufWkt::Struct runtime; + Protobuf::Struct runtime; auto* fields = runtime.mutable_fields(); (*fields)["layers"] = ValueUtil::listValue(layer_names); diff --git a/source/server/overload_manager_impl.cc b/source/server/overload_manager_impl.cc index 524e2592f2da9..1615f0c75f3c9 100644 --- a/source/server/overload_manager_impl.cc +++ b/source/server/overload_manager_impl.cc @@ -147,7 +147,7 @@ absl::StatusOr parseTimerType( } absl::StatusOr -parseTimerMinimums(const ProtobufWkt::Any& typed_config, +parseTimerMinimums(const Protobuf::Any& typed_config, ProtobufMessage::ValidationVisitor& validation_visitor) { using Config = envoy::config::overload::v3::ScaleTimersOverloadActionConfig; const Config action_config = diff --git a/test/common/access_log/access_log_impl_test.cc b/test/common/access_log/access_log_impl_test.cc index 9fbc073609582..c397271572e57 100644 --- a/test/common/access_log/access_log_impl_test.cc +++ b/test/common/access_log/access_log_impl_test.cc @@ -1494,7 +1494,7 @@ name: accesslog )EOF"; TestStreamInfo stream_info(time_source_); - ProtobufWkt::Struct metadata_val; + Protobuf::Struct metadata_val; auto& fields_a = *metadata_val.mutable_fields(); auto& struct_b = *fields_a["a"].mutable_struct_value(); auto& fields_b = *struct_b.mutable_fields(); @@ -1530,7 +1530,7 @@ name: accesslog )EOF"; TestStreamInfo stream_info(time_source_); - ProtobufWkt::Struct metadata_val; + Protobuf::Struct metadata_val; stream_info.setDynamicMetadata("some.namespace", metadata_val); const InstanceSharedPtr log = @@ -1577,7 +1577,7 @@ name: accesslog )EOF"; TestStreamInfo stream_info(time_source_); - ProtobufWkt::Struct metadata_val; + Protobuf::Struct metadata_val; auto& fields_a = *metadata_val.mutable_fields(); auto& struct_b = *fields_a["a"].mutable_struct_value(); auto& fields_b = *struct_b.mutable_fields(); @@ -1703,14 +1703,13 @@ class SampleExtensionFilterFactory : public ExtensionFilterFactory { auto factory_config = Config::Utility::translateToFactoryConfig( config, context.messageValidationVisitor(), *this); - ProtobufWkt::Struct struct_config = - *dynamic_cast(factory_config.get()); + Protobuf::Struct struct_config = *dynamic_cast(factory_config.get()); return std::make_unique( static_cast(struct_config.fields().at("rate").number_value())); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "sample_extension_filter"; } diff --git a/test/common/common/logger_test.cc b/test/common/common/logger_test.cc index 050d6bb959374..37225c4c3a19c 100644 --- a/test/common/common/logger_test.cc +++ b/test/common/common/logger_test.cc @@ -291,7 +291,7 @@ TEST(LoggerTest, LogWithLogDetails) { } TEST(LoggerTest, TestJsonFormatError) { - ProtobufWkt::Any log_struct; + Protobuf::Any log_struct; log_struct.set_type_url("type.googleapis.com/bad.type.url"); log_struct.set_value("asdf"); @@ -307,9 +307,9 @@ TEST(LoggerTest, TestJsonFormatNonEscapedThrows) { Envoy::Logger::Registry::setLogLevel(spdlog::level::info); { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Message"].set_string_value("%v"); - (*log_struct.mutable_fields())["NullField"].set_null_value(ProtobufWkt::NULL_VALUE); + (*log_struct.mutable_fields())["NullField"].set_null_value(Protobuf::NULL_VALUE); auto status = Envoy::Logger::Registry::setJsonLogFormat(log_struct); EXPECT_FALSE(status.ok()); @@ -319,9 +319,9 @@ TEST(LoggerTest, TestJsonFormatNonEscapedThrows) { } { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Message"].set_string_value("%_"); - (*log_struct.mutable_fields())["NullField"].set_null_value(ProtobufWkt::NULL_VALUE); + (*log_struct.mutable_fields())["NullField"].set_null_value(Protobuf::NULL_VALUE); auto status = Envoy::Logger::Registry::setJsonLogFormat(log_struct); EXPECT_FALSE(status.ok()); @@ -332,7 +332,7 @@ TEST(LoggerTest, TestJsonFormatNonEscapedThrows) { } TEST(LoggerTest, TestJsonFormatEmptyStruct) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; Envoy::Logger::Registry::setLogLevel(spdlog::level::info); EXPECT_TRUE(Envoy::Logger::Registry::setJsonLogFormat(log_struct).ok()); EXPECT_TRUE(Envoy::Logger::Registry::jsonLogFormatSet()); @@ -347,10 +347,10 @@ TEST(LoggerTest, TestJsonFormatEmptyStruct) { } TEST(LoggerTest, TestJsonFormatNullAndFixedField) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Message"].set_string_value("%j"); (*log_struct.mutable_fields())["FixedValue"].set_string_value("Fixed"); - (*log_struct.mutable_fields())["NullField"].set_null_value(ProtobufWkt::NULL_VALUE); + (*log_struct.mutable_fields())["NullField"].set_null_value(Protobuf::NULL_VALUE); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); EXPECT_TRUE(Envoy::Logger::Registry::setJsonLogFormat(log_struct).ok()); EXPECT_TRUE(Envoy::Logger::Registry::jsonLogFormatSet()); @@ -367,7 +367,7 @@ TEST(LoggerTest, TestJsonFormatNullAndFixedField) { } TEST(LoggerTest, TestJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -401,7 +401,7 @@ TEST(LoggerTest, TestJsonFormat) { } TEST(LoggerTest, TestJsonFormatWithNestedJsonMessage) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); (*log_struct.mutable_fields())["FixedValue"].set_string_value("Fixed"); @@ -598,7 +598,7 @@ TEST(TaggedLogTest, TestConnEventLog) { } TEST(TaggedLogTest, TestConnEventLogWithJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -682,7 +682,7 @@ TEST(TaggedLogTest, TestStreamLog) { } TEST(TaggedLogTest, TestTaggedLogWithJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -715,7 +715,7 @@ TEST(TaggedLogTest, TestTaggedLogWithJsonFormat) { } TEST(TaggedLogTest, TestTaggedConnLogWithJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -759,7 +759,7 @@ TEST(TaggedLogTest, TestTaggedConnLogWithJsonFormat) { } TEST(TaggedLogTest, TestConnLogWithJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -784,7 +784,7 @@ TEST(TaggedLogTest, TestConnLogWithJsonFormat) { } TEST(TaggedLogTest, TestTaggedStreamLogWithJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -831,7 +831,7 @@ TEST(TaggedLogTest, TestTaggedStreamLogWithJsonFormat) { } TEST(TaggedLogTest, TestStreamLogWithJsonFormat) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message"].set_string_value("%j"); Envoy::Logger::Registry::setLogLevel(spdlog::level::info); @@ -857,7 +857,7 @@ TEST(TaggedLogTest, TestStreamLogWithJsonFormat) { } TEST(TaggedLogTest, TestTaggedLogWithJsonFormatMultipleJFlags) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Level"].set_string_value("%l"); (*log_struct.mutable_fields())["Message1"].set_string_value("%j"); (*log_struct.mutable_fields())["Message2"].set_string_value("%j"); diff --git a/test/common/common/matchers_test.cc b/test/common/common/matchers_test.cc index 468cf2fcf6719..1736719d836c0 100644 --- a/test/common/common/matchers_test.cc +++ b/test/common/common/matchers_test.cc @@ -30,7 +30,7 @@ TEST_F(MetadataTest, MatchNullValue) { Envoy::Config::Metadata::mutableMetadataValue(metadata, "envoy.filter.a", "label") .set_string_value("test"); Envoy::Config::Metadata::mutableMetadataValue(metadata, "envoy.filter.b", "label") - .set_null_value(ProtobufWkt::NullValue::NULL_VALUE); + .set_null_value(Protobuf::NullValue::NULL_VALUE); envoy::type::matcher::v3::MetadataMatcher matcher; matcher.set_filter("envoy.filter.b"); @@ -223,9 +223,9 @@ listMatchEntry(envoy::type::matcher::v3::MetadataMatcher* matcher) { TEST_F(MetadataTest, MatchStringListValue) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Value& metadataValue = + Protobuf::Value& metadataValue = Envoy::Config::Metadata::mutableMetadataValue(metadata, "envoy.filter.a", "groups"); - ProtobufWkt::ListValue* values = metadataValue.mutable_list_value(); + Protobuf::ListValue* values = metadataValue.mutable_list_value(); values->add_values()->set_string_value("first"); values->add_values()->set_string_value("second"); values->add_values()->set_string_value("third"); @@ -251,9 +251,9 @@ TEST_F(MetadataTest, MatchStringListValue) { TEST_F(MetadataTest, MatchBoolListValue) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Value& metadataValue = + Protobuf::Value& metadataValue = Envoy::Config::Metadata::mutableMetadataValue(metadata, "envoy.filter.a", "groups"); - ProtobufWkt::ListValue* values = metadataValue.mutable_list_value(); + Protobuf::ListValue* values = metadataValue.mutable_list_value(); values->add_values()->set_bool_value(false); values->add_values()->set_bool_value(false); @@ -274,9 +274,9 @@ TEST_F(MetadataTest, MatchBoolListValue) { TEST_F(MetadataTest, MatchDoubleListValue) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Value& metadataValue = + Protobuf::Value& metadataValue = Envoy::Config::Metadata::mutableMetadataValue(metadata, "envoy.filter.a", "groups"); - ProtobufWkt::ListValue* values = metadataValue.mutable_list_value(); + Protobuf::ListValue* values = metadataValue.mutable_list_value(); values->add_values()->set_number_value(10); values->add_values()->set_number_value(23); diff --git a/test/common/config/custom_config_validators_impl_test.cc b/test/common/config/custom_config_validators_impl_test.cc index f907fedaf2381..0ac2434711d24 100644 --- a/test/common/config/custom_config_validators_impl_test.cc +++ b/test/common/config/custom_config_validators_impl_test.cc @@ -36,15 +36,15 @@ class FakeConfigValidatorFactory : public ConfigValidatorFactory { public: FakeConfigValidatorFactory(bool should_reject) : should_reject_(should_reject) {} - ConfigValidatorPtr createConfigValidator(const ProtobufWkt::Any&, + ConfigValidatorPtr createConfigValidator(const Protobuf::Any&, ProtobufMessage::ValidationVisitor&) override { return std::make_unique(should_reject_); } Envoy::ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom empty config proto. This is only allowed in tests. - return should_reject_ ? ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()} - : ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Value()}; + return should_reject_ ? ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()} + : ProtobufTypes::MessagePtr{new Envoy::Protobuf::Value()}; } std::string name() const override { diff --git a/test/common/config/decoded_resource_impl_test.cc b/test/common/config/decoded_resource_impl_test.cc index 7ebfe808cb81a..5d1e4ae9837eb 100644 --- a/test/common/config/decoded_resource_impl_test.cc +++ b/test/common/config/decoded_resource_impl_test.cc @@ -14,21 +14,21 @@ namespace { TEST(DecodedResourceImplTest, All) { MockOpaqueResourceDecoder resource_decoder; - ProtobufWkt::Any some_opaque_resource; + Protobuf::Any some_opaque_resource; some_opaque_resource.set_type_url("some_type_url"); { EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(some_opaque_resource))) .WillOnce(InvokeWithoutArgs( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); - EXPECT_CALL(resource_decoder, resourceName(ProtoEq(ProtobufWkt::Empty()))) + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); + EXPECT_CALL(resource_decoder, resourceName(ProtoEq(Protobuf::Empty()))) .WillOnce(Return("some_name")); auto decoded_resource = *DecodedResourceImpl::fromResource(resource_decoder, some_opaque_resource, "foo"); EXPECT_EQ("some_name", decoded_resource->name()); EXPECT_TRUE(decoded_resource->aliases().empty()); EXPECT_EQ("foo", decoded_resource->version()); - EXPECT_THAT(decoded_resource->resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource->resource(), ProtoEq(Protobuf::Empty())); EXPECT_TRUE(decoded_resource->hasResource()); } @@ -41,13 +41,13 @@ TEST(DecodedResourceImplTest, All) { resource_wrapper.set_version("foo"); EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(some_opaque_resource))) .WillOnce(InvokeWithoutArgs( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); - EXPECT_CALL(resource_decoder, resourceName(ProtoEq(ProtobufWkt::Empty()))).Times(0); + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); + EXPECT_CALL(resource_decoder, resourceName(ProtoEq(Protobuf::Empty()))).Times(0); DecodedResourceImpl decoded_resource(resource_decoder, resource_wrapper); EXPECT_EQ("real_name", decoded_resource.name()); EXPECT_EQ((std::vector{"bar", "baz"}), decoded_resource.aliases()); EXPECT_EQ("foo", decoded_resource.version()); - EXPECT_THAT(decoded_resource.resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource.resource(), ProtoEq(Protobuf::Empty())); EXPECT_TRUE(decoded_resource.hasResource()); EXPECT_FALSE(decoded_resource.metadata().has_value()); } @@ -62,18 +62,18 @@ TEST(DecodedResourceImplTest, All) { {"fake_test_domain", MessageUtil::keyValueStruct("fake_test_key", "fake_test_value")}); EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(some_opaque_resource))) .WillOnce(InvokeWithoutArgs( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); - EXPECT_CALL(resource_decoder, resourceName(ProtoEq(ProtobufWkt::Empty()))).Times(0); + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); + EXPECT_CALL(resource_decoder, resourceName(ProtoEq(Protobuf::Empty()))).Times(0); DecodedResourceImpl decoded_resource(resource_decoder, resource_wrapper); EXPECT_EQ("real_name", decoded_resource.name()); - EXPECT_THAT(decoded_resource.resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource.resource(), ProtoEq(Protobuf::Empty())); EXPECT_TRUE(decoded_resource.hasResource()); EXPECT_TRUE(decoded_resource.metadata().has_value()); EXPECT_EQ(metadata->DebugString(), decoded_resource.metadata()->DebugString()); } // To verify the metadata is decoded as expected for the fromResource variant - // with ProtobufWkt::Any& input. + // with Protobuf::Any& input. { envoy::service::discovery::v3::Resource resource_wrapper; resource_wrapper.set_name("real_name"); @@ -81,16 +81,16 @@ TEST(DecodedResourceImplTest, All) { auto metadata = resource_wrapper.mutable_metadata(); metadata->mutable_filter_metadata()->insert( {"fake_test_domain", MessageUtil::keyValueStruct("fake_test_key", "fake_test_value")}); - ProtobufWkt::Any resource_any; + Protobuf::Any resource_any; resource_any.PackFrom(resource_wrapper); EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(some_opaque_resource))) .WillOnce(InvokeWithoutArgs( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); - EXPECT_CALL(resource_decoder, resourceName(ProtoEq(ProtobufWkt::Empty()))).Times(0); + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); + EXPECT_CALL(resource_decoder, resourceName(ProtoEq(Protobuf::Empty()))).Times(0); DecodedResourceImplPtr decoded_resource = *DecodedResourceImpl::fromResource(resource_decoder, resource_any, "1"); EXPECT_EQ("real_name", decoded_resource->name()); - EXPECT_THAT(decoded_resource->resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource->resource(), ProtoEq(Protobuf::Empty())); EXPECT_TRUE(decoded_resource->hasResource()); EXPECT_TRUE(decoded_resource->metadata().has_value()); EXPECT_EQ(metadata->DebugString(), decoded_resource->metadata()->DebugString()); @@ -102,15 +102,15 @@ TEST(DecodedResourceImplTest, All) { resource_wrapper.set_version("foo"); resource_wrapper.add_aliases("bar"); resource_wrapper.add_aliases("baz"); - EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(ProtobufWkt::Any()))) + EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(Protobuf::Any()))) .WillOnce(InvokeWithoutArgs( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); EXPECT_CALL(resource_decoder, resourceName(_)).Times(0); DecodedResourceImpl decoded_resource(resource_decoder, resource_wrapper); EXPECT_EQ("real_name", decoded_resource.name()); EXPECT_EQ((std::vector{"bar", "baz"}), decoded_resource.aliases()); EXPECT_EQ("foo", decoded_resource.version()); - EXPECT_THAT(decoded_resource.resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource.resource(), ProtoEq(Protobuf::Empty())); EXPECT_FALSE(decoded_resource.hasResource()); } @@ -126,26 +126,26 @@ TEST(DecodedResourceImplTest, All) { {"fake_test_domain", MessageUtil::keyValueStruct("fake_test_key", "fake_test_value")}); EXPECT_CALL(resource_decoder, decodeResource(ProtoEq(some_opaque_resource))) .WillOnce(InvokeWithoutArgs( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); - EXPECT_CALL(resource_decoder, resourceName(ProtoEq(ProtobufWkt::Empty()))).Times(0); + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); + EXPECT_CALL(resource_decoder, resourceName(ProtoEq(Protobuf::Empty()))).Times(0); DecodedResourceImplPtr decoded_resource = DecodedResourceImpl::fromResource(resource_decoder, resource_wrapper); EXPECT_EQ("real_name", decoded_resource->name()); EXPECT_EQ((std::vector{"bar", "baz"}), decoded_resource->aliases()); EXPECT_EQ("foo", decoded_resource->version()); - EXPECT_THAT(decoded_resource->resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource->resource(), ProtoEq(Protobuf::Empty())); EXPECT_TRUE(decoded_resource->hasResource()); EXPECT_TRUE(decoded_resource->metadata().has_value()); EXPECT_EQ(metadata->DebugString(), decoded_resource->metadata()->DebugString()); } { - auto message = std::make_unique(); + auto message = std::make_unique(); DecodedResourceImpl decoded_resource(std::move(message), "real_name", {"bar", "baz"}, "foo"); EXPECT_EQ("real_name", decoded_resource.name()); EXPECT_EQ((std::vector{"bar", "baz"}), decoded_resource.aliases()); EXPECT_EQ("foo", decoded_resource.version()); - EXPECT_THAT(decoded_resource.resource(), ProtoEq(ProtobufWkt::Empty())); + EXPECT_THAT(decoded_resource.resource(), ProtoEq(Protobuf::Empty())); EXPECT_TRUE(decoded_resource.hasResource()); } } diff --git a/test/common/config/metadata_test.cc b/test/common/config/metadata_test.cc index dca0870d5158d..65d2223a3007d 100644 --- a/test/common/config/metadata_test.cc +++ b/test/common/config/metadata_test.cc @@ -33,20 +33,20 @@ TEST(MetadataTest, MetadataValuePath) { std::vector path{"test_obj", "inner_key"}; // not found case EXPECT_EQ(Metadata::metadataValue(&metadata, filter, path).kind_case(), - ProtobufWkt::Value::KindCase::KIND_NOT_SET); - ProtobufWkt::Struct& filter_struct = (*metadata.mutable_filter_metadata())[filter]; + Protobuf::Value::KindCase::KIND_NOT_SET); + Protobuf::Struct& filter_struct = (*metadata.mutable_filter_metadata())[filter]; auto obj = MessageUtil::keyValueStruct("inner_key", "inner_value"); - ProtobufWkt::Value val; + Protobuf::Value val; *val.mutable_struct_value() = obj; (*filter_struct.mutable_fields())["test_obj"] = val; EXPECT_EQ(Metadata::metadataValue(&metadata, filter, path).string_value(), "inner_value"); // not found with longer path path.push_back("bad_key"); EXPECT_EQ(Metadata::metadataValue(&metadata, filter, path).kind_case(), - ProtobufWkt::Value::KindCase::KIND_NOT_SET); + Protobuf::Value::KindCase::KIND_NOT_SET); // empty path returns not found EXPECT_EQ(Metadata::metadataValue(&metadata, filter, std::vector{}).kind_case(), - ProtobufWkt::Value::KindCase::KIND_NOT_SET); + Protobuf::Value::KindCase::KIND_NOT_SET); } class TypedMetadataTest : public testing::Test { @@ -65,15 +65,14 @@ class TypedMetadataTest : public testing::Test { class FoobarFactory : public TypedMetadataFactory { public: // Throws EnvoyException (conversion failure) if d is empty. - std::unique_ptr - parse(const ProtobufWkt::Struct& d) const override { + std::unique_ptr parse(const Protobuf::Struct& d) const override { if (d.fields().find("name") != d.fields().end()) { return std::make_unique(d.fields().at("name").string_value()); } throw EnvoyException("Cannot create a Foo when Struct metadata is empty."); } - std::unique_ptr parse(const ProtobufWkt::Any& d) const override { + std::unique_ptr parse(const Protobuf::Any& d) const override { if (!(d.type_url().empty())) { return std::make_unique(MessageUtil::bytesToString(d.value())); } @@ -97,7 +96,7 @@ class TypedMetadataTest : public testing::Test { std::string name() const override { return "baz"; } using FoobarFactory::parse; // Override Any parse() to just return nullptr. - std::unique_ptr parse(const ProtobufWkt::Any&) const override { + std::unique_ptr parse(const Protobuf::Any&) const override { return nullptr; } }; @@ -126,7 +125,7 @@ TEST_F(TypedMetadataTest, OkTestStruct) { // Tests data parsing and retrieving when only Any field present in the metadata. TEST_F(TypedMetadataTest, OkTestAny) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Any any; + Protobuf::Any any; any.set_type_url("type.googleapis.com/waldo"); any.set_value("fred"); (*metadata.mutable_typed_filter_metadata())[bar_factory_.name()] = any; @@ -139,7 +138,7 @@ TEST_F(TypedMetadataTest, OkTestAny) { // also Any data parsing method just return nullptr. TEST_F(TypedMetadataTest, OkTestAnyParseReturnNullptr) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Any any; + Protobuf::Any any; any.set_type_url("type.googleapis.com/waldo"); any.set_value("fred"); (*metadata.mutable_typed_filter_metadata())[baz_factory_.name()] = any; @@ -153,7 +152,7 @@ TEST_F(TypedMetadataTest, OkTestBothSameFactory) { envoy::config::core::v3::Metadata metadata; (*metadata.mutable_filter_metadata())[foo_factory_.name()] = MessageUtil::keyValueStruct("name", "garply"); - ProtobufWkt::Any any; + Protobuf::Any any; any.set_type_url("type.googleapis.com/waldo"); any.set_value("fred"); (*metadata.mutable_typed_filter_metadata())[foo_factory_.name()] = any; @@ -170,7 +169,7 @@ TEST_F(TypedMetadataTest, OkTestBothDifferentFactory) { envoy::config::core::v3::Metadata metadata; (*metadata.mutable_filter_metadata())[foo_factory_.name()] = MessageUtil::keyValueStruct("name", "garply"); - ProtobufWkt::Any any; + Protobuf::Any any; any.set_type_url("type.googleapis.com/waldo"); any.set_value("fred"); (*metadata.mutable_typed_filter_metadata())[bar_factory_.name()] = any; @@ -192,7 +191,7 @@ TEST_F(TypedMetadataTest, OkTestBothSameFactoryAnyParseReturnNullptr) { envoy::config::core::v3::Metadata metadata; (*metadata.mutable_filter_metadata())[baz_factory_.name()] = MessageUtil::keyValueStruct("name", "garply"); - ProtobufWkt::Any any; + Protobuf::Any any; any.set_type_url("type.googleapis.com/waldo"); any.set_value("fred"); (*metadata.mutable_typed_filter_metadata())[baz_factory_.name()] = any; @@ -237,7 +236,7 @@ TEST_F(TypedMetadataTest, StructMetadataRefreshTest) { // Tests data parsing and retrieving when Any metadata updates. TEST_F(TypedMetadataTest, AnyMetadataRefreshTest) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Any any; + Protobuf::Any any; any.set_type_url("type.googleapis.com/waldo"); any.set_value("fred"); (*metadata.mutable_typed_filter_metadata())[bar_factory_.name()] = any; @@ -262,7 +261,7 @@ TEST_F(TypedMetadataTest, AnyMetadataRefreshTest) { // Tests empty Struct metadata parsing case. TEST_F(TypedMetadataTest, InvalidStructMetadataTest) { envoy::config::core::v3::Metadata metadata; - (*metadata.mutable_filter_metadata())[foo_factory_.name()] = ProtobufWkt::Struct(); + (*metadata.mutable_filter_metadata())[foo_factory_.name()] = Protobuf::Struct(); EXPECT_THROW_WITH_MESSAGE(TypedMetadataImpl typed(metadata), Envoy::EnvoyException, "Cannot create a Foo when Struct metadata is empty."); @@ -271,7 +270,7 @@ TEST_F(TypedMetadataTest, InvalidStructMetadataTest) { // Tests empty Any metadata parsing case. TEST_F(TypedMetadataTest, InvalidAnyMetadataTest) { envoy::config::core::v3::Metadata metadata; - (*metadata.mutable_typed_filter_metadata())[bar_factory_.name()] = ProtobufWkt::Any(); + (*metadata.mutable_typed_filter_metadata())[bar_factory_.name()] = Protobuf::Any(); EXPECT_THROW_WITH_MESSAGE(TypedMetadataImpl typed(metadata), Envoy::EnvoyException, "Cannot create a Foo when Any metadata is empty."); diff --git a/test/common/config/opaque_resource_decoder_impl_test.cc b/test/common/config/opaque_resource_decoder_impl_test.cc index 332d436b32822..4541c155c0258 100644 --- a/test/common/config/opaque_resource_decoder_impl_test.cc +++ b/test/common/config/opaque_resource_decoder_impl_test.cc @@ -16,7 +16,7 @@ class OpaqueResourceDecoderImplTest : public testing::Test { public: std::pair decodeTypedResource(const envoy::config::endpoint::v3::ClusterLoadAssignment& typed_resource) { - ProtobufWkt::Any opaque_resource; + Protobuf::Any opaque_resource; opaque_resource.PackFrom(typed_resource); auto decoded_resource = resource_decoder_.decodeResource(opaque_resource); const std::string name = resource_decoder_.resourceName(*decoded_resource); @@ -30,7 +30,7 @@ class OpaqueResourceDecoderImplTest : public testing::Test { // Negative test for bad type URL in Any. TEST_F(OpaqueResourceDecoderImplTest, WrongType) { - ProtobufWkt::Any opaque_resource; + Protobuf::Any opaque_resource; opaque_resource.set_type_url("huh"); EXPECT_THROW_WITH_REGEX(resource_decoder_.decodeResource(opaque_resource), EnvoyException, "Unable to unpack"); @@ -39,7 +39,7 @@ TEST_F(OpaqueResourceDecoderImplTest, WrongType) { // If the Any is empty (no type set), the default instance of the opaque resource decoder type is // created. TEST_F(OpaqueResourceDecoderImplTest, Empty) { - ProtobufWkt::Any opaque_resource; + Protobuf::Any opaque_resource; const auto decoded_resource = resource_decoder_.decodeResource(opaque_resource); EXPECT_THAT(*decoded_resource, ProtoEq(envoy::config::endpoint::v3::ClusterLoadAssignment())); EXPECT_EQ("", resource_decoder_.resourceName(*decoded_resource)); @@ -61,7 +61,7 @@ TEST_F(OpaqueResourceDecoderImplTest, ValidateIgnored) { auto* unknown = strange_resource.GetReflection()->MutableUnknownFields(&strange_resource); // add a field that doesn't exist in the proto definition: unknown->AddFixed32(1000, 1); - ProtobufWkt::Any opaque_resource; + Protobuf::Any opaque_resource; opaque_resource.PackFrom(strange_resource); const auto decoded_resource = resource_decoder.decodeResource(opaque_resource); EXPECT_THAT(*decoded_resource, ProtoEq(strange_resource)); diff --git a/test/common/config/utility_test.cc b/test/common/config/utility_test.cc index e1a7a4f40faec..ee9d81b292aad 100644 --- a/test/common/config/utility_test.cc +++ b/test/common/config/utility_test.cc @@ -729,11 +729,11 @@ TEST(UtilityTest, PrepareJitteredExponentialBackOffStrategyCustomValues) { // Validate that an opaque config of the wrong type throws during conversion. TEST(UtilityTest, AnyWrongType) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(source_duration); - ProtobufWkt::Timestamp out; + Protobuf::Timestamp out; EXPECT_THAT( Utility::translateOpaqueConfig(typed_config, ProtobufMessage::getStrictValidationVisitor(), out) @@ -743,14 +743,14 @@ TEST(UtilityTest, AnyWrongType) { } TEST(UtilityTest, TranslateAnyWrongToFactoryConfig) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(source_duration); MockTypedFactory factory; EXPECT_CALL(factory, createEmptyConfigProto()).WillOnce(Invoke([]() -> ProtobufTypes::MessagePtr { - return ProtobufTypes::MessagePtr{new ProtobufWkt::Timestamp()}; + return ProtobufTypes::MessagePtr{new Protobuf::Timestamp()}; })); EXPECT_THROW_WITH_REGEX( @@ -761,14 +761,14 @@ TEST(UtilityTest, TranslateAnyWrongToFactoryConfig) { } TEST(UtilityTest, TranslateAnyToFactoryConfig) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(source_duration); MockTypedFactory factory; EXPECT_CALL(factory, createEmptyConfigProto()).WillOnce(Invoke([]() -> ProtobufTypes::MessagePtr { - return ProtobufTypes::MessagePtr{new ProtobufWkt::Duration()}; + return ProtobufTypes::MessagePtr{new Protobuf::Duration()}; })); auto config = Utility::translateAnyToFactoryConfig( @@ -779,8 +779,7 @@ TEST(UtilityTest, TranslateAnyToFactoryConfig) { template class UtilityTypedStructTest : public ::testing::Test { public: - static void packTypedStructIntoAny(ProtobufWkt::Any& typed_config, - const Protobuf::Message& inner) { + static void packTypedStructIntoAny(Protobuf::Any& typed_config, const Protobuf::Message& inner) { T typed_struct; (*typed_struct.mutable_type_url()) = absl::StrCat("type.googleapis.com/", inner.GetDescriptor()->full_name()); @@ -794,12 +793,12 @@ TYPED_TEST_SUITE(UtilityTypedStructTest, TypedStructTypes); // Verify that TypedStruct can be translated into google.protobuf.Struct TYPED_TEST(UtilityTypedStructTest, TypedStructToStruct) { - ProtobufWkt::Any typed_config; - ProtobufWkt::Struct untyped_struct; + Protobuf::Any typed_config; + Protobuf::Struct untyped_struct; (*untyped_struct.mutable_fields())["foo"].set_string_value("bar"); this->packTypedStructIntoAny(typed_config, untyped_struct); - ProtobufWkt::Struct out; + Protobuf::Struct out; EXPECT_TRUE(Utility::translateOpaqueConfig(typed_config, ProtobufMessage::getStrictValidationVisitor(), out) .ok()); @@ -810,7 +809,7 @@ TYPED_TEST(UtilityTypedStructTest, TypedStructToStruct) { // Verify that TypedStruct can be translated into an arbitrary message of correct type // (v2 API, no upgrading). TYPED_TEST(UtilityTypedStructTest, TypedStructToClusterV2) { - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; API_NO_BOOST(envoy::api::v2::Cluster) cluster; const std::string cluster_config_yaml = R"EOF( drain_connections_on_host_removal: true @@ -837,7 +836,7 @@ TYPED_TEST(UtilityTypedStructTest, TypedStructToClusterV2) { // Verify that TypedStruct can be translated into an arbitrary message of correct type // (v3 API, upgrading). TYPED_TEST(UtilityTypedStructTest, TypedStructToClusterV3) { - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; API_NO_BOOST(envoy::config::cluster::v3::Cluster) cluster; const std::string cluster_config_yaml = R"EOF( ignore_health_on_host_removal: true @@ -863,7 +862,7 @@ TYPED_TEST(UtilityTypedStructTest, TypedStructToClusterV3) { // Verify that translation from TypedStruct into message of incorrect type fails TYPED_TEST(UtilityTypedStructTest, TypedStructToInvalidType) { - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; envoy::config::bootstrap::v3::Bootstrap bootstrap; const std::string bootstrap_config_yaml = R"EOF( admin: @@ -879,7 +878,7 @@ TYPED_TEST(UtilityTypedStructTest, TypedStructToInvalidType) { TestUtility::loadFromYaml(bootstrap_config_yaml, bootstrap); this->packTypedStructIntoAny(typed_config, bootstrap); - ProtobufWkt::Any out; + Protobuf::Any out; EXPECT_THROW_WITH_REGEX(Utility::translateOpaqueConfig( typed_config, ProtobufMessage::getStrictValidationVisitor(), out) .IgnoreError(), @@ -889,7 +888,7 @@ TYPED_TEST(UtilityTypedStructTest, TypedStructToInvalidType) { // Verify that Any can be translated into an arbitrary message of correct type // (v2 API, no upgrading). TEST(UtilityTest, AnyToClusterV2) { - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; API_NO_BOOST(envoy::api::v2::Cluster) cluster; const std::string cluster_config_yaml = R"EOF( drain_connections_on_host_removal: true @@ -907,7 +906,7 @@ TEST(UtilityTest, AnyToClusterV2) { // Verify that Any can be translated into an arbitrary message of correct type // (v3 API, upgrading). TEST(UtilityTest, AnyToClusterV3) { - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; API_NO_BOOST(envoy::config::cluster::v3::Cluster) cluster; const std::string cluster_config_yaml = R"EOF( ignore_health_on_host_removal: true @@ -922,10 +921,10 @@ TEST(UtilityTest, AnyToClusterV3) { EXPECT_THAT(out, ProtoEq(cluster)); } -// Verify that ProtobufWkt::Empty can load into a typed factory with an empty config proto +// Verify that Protobuf::Empty can load into a typed factory with an empty config proto TEST(UtilityTest, EmptyToEmptyConfig) { - ProtobufWkt::Any typed_config; - ProtobufWkt::Empty empty_config; + Protobuf::Any typed_config; + Protobuf::Empty empty_config; typed_config.PackFrom(empty_config); envoy::extensions::filters::http::cors::v3::Cors out; diff --git a/test/common/config/xds_manager_impl_test.cc b/test/common/config/xds_manager_impl_test.cc index a8e2f25c45a6a..24618e24b68db 100644 --- a/test/common/config/xds_manager_impl_test.cc +++ b/test/common/config/xds_manager_impl_test.cc @@ -64,14 +64,14 @@ class FakeConfigValidatorFactory : public Config::ConfigValidatorFactory { public: FakeConfigValidatorFactory() = default; - Config::ConfigValidatorPtr createConfigValidator(const ProtobufWkt::Any&, + Config::ConfigValidatorPtr createConfigValidator(const Protobuf::Any&, ProtobufMessage::ValidationVisitor&) override { return nullptr; } Envoy::ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Value instead of a custom empty config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Value()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Value()}; } std::string name() const override { return "envoy.fake_validator"; } diff --git a/test/common/filter/config_discovery_impl_test.cc b/test/common/filter/config_discovery_impl_test.cc index 0c7582279fdaf..838d46fa0d256 100644 --- a/test/common/filter/config_discovery_impl_test.cc +++ b/test/common/filter/config_discovery_impl_test.cc @@ -62,7 +62,7 @@ class TestHttpFilterFactory : public TestFilterFactory, return [](Http::FilterChainFactoryCallbacks&) -> void {}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } bool isTerminalFilterByProto(const Protobuf::Message&, @@ -89,7 +89,7 @@ class TestNetworkFilterFactory return [](Network::FilterManager&) -> void {}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } bool isTerminalFilterByProto(const Protobuf::Message&, @@ -109,7 +109,7 @@ class TestListenerFilterFactory : public TestFilterFactory, return [](Network::ListenerFilterManager&) -> void {}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } }; @@ -125,7 +125,7 @@ class TestUdpListenerFilterFactory return [](Network::UdpListenerFilterManager&, Network::UdpReadFilterCallbacks&) -> void {}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } }; @@ -141,7 +141,7 @@ class TestUdpSessionFilterFactory return [](Network::UdpSessionFilterChainFactoryCallbacks&) -> void {}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } }; @@ -158,7 +158,7 @@ class TestQuicListenerFilterFactory return [](Network::QuicListenerFilterManager&) -> void {}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } }; @@ -218,7 +218,7 @@ class FilterConfigDiscoveryImplTest : public FilterConfigDiscoveryTestBase { config_source.add_type_urls(getTypeUrl()); config_source.set_apply_default_config_without_warming(!warm); if (default_configuration || !warm) { - ProtobufWkt::StringValue default_config; + Protobuf::StringValue default_config; config_source.mutable_default_config()->PackFrom(default_config); } diff --git a/test/common/formatter/command_extension.cc b/test/common/formatter/command_extension.cc index a29f6b8c9feb9..16aeda5db8a83 100644 --- a/test/common/formatter/command_extension.cc +++ b/test/common/formatter/command_extension.cc @@ -10,7 +10,7 @@ absl::optional TestFormatter::formatWithContext(const HttpFormatter return "TestFormatter"; } -ProtobufWkt::Value +Protobuf::Value TestFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { return ValueUtil::stringValue(formatWithContext(context, stream_info).value()); @@ -30,14 +30,14 @@ TestCommandFactory::createCommandParserFromProto(const Protobuf::Message& messag Server::Configuration::GenericFactoryContext&) { // Cast the config message to the actual type to test that it was constructed properly. [[maybe_unused]] const auto& config = - *Envoy::Protobuf::DynamicCastMessage(&message); + *Envoy::Protobuf::DynamicCastMessage(&message); return std::make_unique(); } std::set TestCommandFactory::configTypes() { return {"google.protobuf.StringValue"}; } ProtobufTypes::MessagePtr TestCommandFactory::createEmptyConfigProto() { - return std::make_unique(); + return std::make_unique(); } std::string TestCommandFactory::name() const { return "envoy.formatter.TestFormatter"; } @@ -48,7 +48,7 @@ AdditionalFormatter::formatWithContext(const HttpFormatterContext&, return "AdditionalFormatter"; } -ProtobufWkt::Value +Protobuf::Value AdditionalFormatter::formatValueWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { return ValueUtil::stringValue(formatWithContext(context, stream_info).value()); @@ -67,7 +67,7 @@ CommandParserPtr AdditionalCommandFactory::createCommandParserFromProto( const Protobuf::Message& message, Server::Configuration::GenericFactoryContext&) { // Cast the config message to the actual type to test that it was constructed properly. [[maybe_unused]] const auto& config = - *Envoy::Protobuf::DynamicCastMessage(&message); + *Envoy::Protobuf::DynamicCastMessage(&message); return std::make_unique(); } @@ -76,7 +76,7 @@ std::set AdditionalCommandFactory::configTypes() { } ProtobufTypes::MessagePtr AdditionalCommandFactory::createEmptyConfigProto() { - return std::make_unique(); + return std::make_unique(); } std::string AdditionalCommandFactory::name() const { return "envoy.formatter.AdditionalFormatter"; } @@ -86,14 +86,14 @@ FailCommandFactory::createCommandParserFromProto(const Protobuf::Message& messag Server::Configuration::GenericFactoryContext&) { // Cast the config message to the actual type to test that it was constructed properly. [[maybe_unused]] const auto& config = - *Envoy::Protobuf::DynamicCastMessage(&message); + *Envoy::Protobuf::DynamicCastMessage(&message); return nullptr; } std::set FailCommandFactory::configTypes() { return {"google.protobuf.UInt64Value"}; } ProtobufTypes::MessagePtr FailCommandFactory::createEmptyConfigProto() { - return std::make_unique(); + return std::make_unique(); } std::string FailCommandFactory::name() const { return "envoy.formatter.FailFormatter"; } diff --git a/test/common/formatter/command_extension.h b/test/common/formatter/command_extension.h index 6b3e89b3342e8..3b442c2e57976 100644 --- a/test/common/formatter/command_extension.h +++ b/test/common/formatter/command_extension.h @@ -17,9 +17,8 @@ class TestFormatter : public FormatterProvider { formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; class TestCommandParser : public CommandParser { @@ -45,9 +44,8 @@ class AdditionalFormatter : public FormatterProvider { formatWithContext(const HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; - ProtobufWkt::Value - formatValueWithContext(const HttpFormatterContext& context, - const StreamInfo::StreamInfo& stream_info) const override; + Protobuf::Value formatValueWithContext(const HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const override; }; class AdditionalCommandParser : public CommandParser { diff --git a/test/common/formatter/substitution_formatter_fuzz_test.cc b/test/common/formatter/substitution_formatter_fuzz_test.cc index df31aa446f808..d467e6699f56f 100644 --- a/test/common/formatter/substitution_formatter_fuzz_test.cc +++ b/test/common/formatter/substitution_formatter_fuzz_test.cc @@ -64,7 +64,7 @@ DEFINE_PROTO_FUZZER(const test::common::substitution::TestCase& input) { try { // Create struct for JSON formatter. - ProtobufWkt::Struct struct_for_json_formatter; + Protobuf::Struct struct_for_json_formatter; TestUtility::loadFromYaml(fmt::format(R"EOF( may_empty_a: '%REQ(may_empty)%' raw_bool_value: true @@ -111,7 +111,7 @@ DEFINE_PROTO_FUZZER(const test::common::substitution::TestCase& input) { formatter_omit_empty->formatWithContext(formatter_context, *stream_info); // Ensure the result is legal JSON. - ProtobufWkt::Struct proto_struct; + Protobuf::Struct proto_struct; TestUtility::loadFromJson(keep_empty_result, proto_struct); TestUtility::loadFromJson(omit_empty_result, proto_struct); diff --git a/test/common/formatter/substitution_formatter_speed_test.cc b/test/common/formatter/substitution_formatter_speed_test.cc index 33b71027c1d2b..1138fab417d96 100644 --- a/test/common/formatter/substitution_formatter_speed_test.cc +++ b/test/common/formatter/substitution_formatter_speed_test.cc @@ -12,7 +12,7 @@ namespace Envoy { namespace { std::unique_ptr makeJsonFormatter() { - ProtobufWkt::Struct struct_format; + Protobuf::Struct struct_format; const std::string format_yaml = R"EOF( remote_address: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%' start_time: '%START_TIME(%Y/%m/%dT%H:%M:%S%z %s)%' @@ -82,7 +82,7 @@ static void BM_AccessLogFormatterTextMockJson(benchmark::State& state) { testing::NiceMock time_system; std::unique_ptr stream_info = makeStreamInfo(time_system); - ProtobufWkt::Struct struct_format; + Protobuf::Struct struct_format; const std::string format_yaml = R"EOF( remote_address: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%' start_time: '%START_TIME(%Y/%m/%dT%H:%M:%S%z %s)%' diff --git a/test/common/formatter/substitution_formatter_test.cc b/test/common/formatter/substitution_formatter_test.cc index c6fee03003c67..a78b171c64661 100644 --- a/test/common/formatter/substitution_formatter_test.cc +++ b/test/common/formatter/substitution_formatter_test.cc @@ -68,9 +68,8 @@ class StreamInfoFormatter : public FormatterProvider { const StreamInfo::StreamInfo& stream_info) const override { return formatter_->formatWithContext(context, stream_info); } - ProtobufWkt::Value - formatValueWithContext(const Context& context, - const StreamInfo::StreamInfo& stream_info) const override { + Protobuf::Value formatValueWithContext(const Context& context, + const StreamInfo::StreamInfo& stream_info) const override { return formatter_->formatValueWithContext(context, stream_info); } @@ -81,7 +80,7 @@ class StreamInfoFormatter : public FormatterProvider { class TestSerializedUnknownFilterState : public StreamInfo::FilterState::Object { public: ProtobufTypes::MessagePtr serializeAsProto() const override { - auto any = std::make_unique(); + auto any = std::make_unique(); any->set_type_url("UnknownType"); any->set_value("\xde\xad\xbe\xef"); return any; @@ -94,7 +93,7 @@ class TestSerializedStructFilterState : public StreamInfo::FilterState::Object { (*struct_.mutable_fields())["inner_key"] = ValueUtil::stringValue("inner_value"); } - explicit TestSerializedStructFilterState(const ProtobufWkt::Struct& s) : use_struct_(true) { + explicit TestSerializedStructFilterState(const Protobuf::Struct& s) : use_struct_(true) { struct_.CopyFrom(s); } @@ -104,20 +103,20 @@ class TestSerializedStructFilterState : public StreamInfo::FilterState::Object { ProtobufTypes::MessagePtr serializeAsProto() const override { if (use_struct_) { - auto s = std::make_unique(); + auto s = std::make_unique(); s->CopyFrom(struct_); return s; } - auto d = std::make_unique(); + auto d = std::make_unique(); d->CopyFrom(duration_); return d; } private: const bool use_struct_{false}; - ProtobufWkt::Struct struct_; - ProtobufWkt::Duration duration_; + Protobuf::Struct struct_; + Protobuf::Duration duration_; }; // Class used to test serializeAsString and serializeAsProto of FilterState @@ -128,7 +127,7 @@ class TestSerializedStringFilterState : public StreamInfo::FilterState::Object { return raw_string_ + " By PLAIN"; } ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(raw_string_ + " By TYPED"); return message; } @@ -2906,12 +2905,12 @@ TEST(SubstitutionFormatterTest, TraceIDFormatter) { * "com.test": {"test_key":"test_value","test_obj":{"inner_key":"inner_value"}} */ void populateMetadataTestData(envoy::config::core::v3::Metadata& metadata) { - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; auto& fields_map = *struct_obj.mutable_fields(); fields_map["test_key"] = ValueUtil::stringValue("test_value"); - ProtobufWkt::Struct struct_inner; + Protobuf::Struct struct_inner; (*struct_inner.mutable_fields())["inner_key"] = ValueUtil::stringValue("inner_value"); - ProtobufWkt::Value val; + Protobuf::Value val; *val.mutable_struct_value() = struct_inner; fields_map["test_obj"] = val; (*metadata.mutable_filter_metadata())["com.test"] = struct_obj; @@ -2930,7 +2929,7 @@ TEST(SubstitutionFormatterTest, DynamicMetadataFieldExtractor) { EXPECT_TRUE(val.find("\"test_key\":\"test_value\"") != std::string::npos); EXPECT_TRUE(val.find("\"test_obj\":{\"inner_key\":\"inner_value\"}") != std::string::npos); - ProtobufWkt::Value expected_val; + Protobuf::Value expected_val; expected_val.mutable_struct_value()->CopyFrom(metadata.filter_metadata().at("com.test")); EXPECT_THAT(formatter.formatValue(stream_info), ProtoEq(expected_val)); } @@ -2943,7 +2942,7 @@ TEST(SubstitutionFormatterTest, DynamicMetadataFieldExtractor) { DynamicMetadataFormatter formatter("com.test", {"test_obj"}, absl::optional()); EXPECT_EQ("{\"inner_key\":\"inner_value\"}", formatter.format(stream_info)); - ProtobufWkt::Value expected_val; + Protobuf::Value expected_val; (*expected_val.mutable_struct_value()->mutable_fields())["inner_key"] = ValueUtil::stringValue("inner_value"); EXPECT_THAT(formatter.formatValue(stream_info), ProtoEq(expected_val)); @@ -2983,9 +2982,9 @@ TEST(SubstitutionFormatterTest, DynamicMetadataFieldExtractor) { } { - ProtobufWkt::Value val; + Protobuf::Value val; val.set_number_value(std::numeric_limits::quiet_NaN()); - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; (*struct_obj.mutable_fields())["nan_val"] = val; (*metadata.mutable_filter_metadata())["com.test"] = struct_obj; @@ -2995,9 +2994,9 @@ TEST(SubstitutionFormatterTest, DynamicMetadataFieldExtractor) { } { - ProtobufWkt::Value val; + Protobuf::Value val; val.set_number_value(std::numeric_limits::infinity()); - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; (*struct_obj.mutable_fields())["inf_val"] = val; (*metadata.mutable_filter_metadata())["com.test"] = struct_obj; @@ -3040,7 +3039,7 @@ TEST(SubstitutionFormatterTest, FilterStateFormatter) { EXPECT_EQ("{\"inner_key\":\"inner_value\"}", formatter.format(stream_info)); - ProtobufWkt::Value expected; + Protobuf::Value expected; (*expected.mutable_struct_value()->mutable_fields())["inner_key"] = ValueUtil::stringValue("inner_value"); @@ -3587,7 +3586,7 @@ TEST(SubstitutionFormatterTest, GrpcStatusFormatterNumberTest) { } } -void verifyStructOutput(ProtobufWkt::Struct output, +void verifyStructOutput(Protobuf::Struct output, absl::node_hash_map expected_map) { for (const auto& pair : expected_map) { EXPECT_EQ(output.fields().at(pair.first).string_value(), pair.second); @@ -3609,7 +3608,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterPlainStringTest) { {"plain_string": "plain_string_value"} )EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( plain_string: plain_string_value )EOF", @@ -3632,7 +3631,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterPlainNumberTest) { {"plain_number": 400} )EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( plain_number: 400 )EOF", @@ -3651,7 +3650,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterTypesTest) { absl::optional protocol = Http::Protocol::Http11; EXPECT_CALL(stream_info, protocol()).WillRepeatedly(Return(protocol)); - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( string_type: plain_string_value struct_type: @@ -3664,7 +3663,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterTypesTest) { key_mapping); JsonFormatterImpl formatter(key_mapping, false); - const ProtobufWkt::Struct expected = TestUtility::jsonToStruct(R"EOF({ + const Protobuf::Struct expected = TestUtility::jsonToStruct(R"EOF({ "string_type": "plain_string_value", "struct_type": { "plain_string": "plain_string_value", @@ -3675,7 +3674,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterTypesTest) { "HTTP/1.1" ] })EOF"); - const ProtobufWkt::Struct out_struct = + const Protobuf::Struct out_struct = TestUtility::jsonToStruct(formatter.formatWithContext({}, stream_info)); EXPECT_TRUE(TestUtility::protoEqual(out_struct, expected)); } @@ -3689,7 +3688,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterNestedObjectsTest) { absl::optional protocol = Http::Protocol::Http11; EXPECT_CALL(stream_info, protocol()).WillRepeatedly(Return(protocol)); - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; // For both struct and list, we test 3 nesting levels of all types (string, struct and list). TestUtility::loadFromYaml(R"EOF( struct: @@ -3737,7 +3736,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterNestedObjectsTest) { )EOF", key_mapping); JsonFormatterImpl formatter(key_mapping, false); - const ProtobufWkt::Struct expected = TestUtility::jsonToStruct(R"EOF({ + const Protobuf::Struct expected = TestUtility::jsonToStruct(R"EOF({ "struct": { "struct_string": "plain_string_value", "struct_protocol": "HTTP/1.1", @@ -3795,7 +3794,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterNestedObjectsTest) { ], ], })EOF"); - const ProtobufWkt::Struct out_struct = + const Protobuf::Struct out_struct = TestUtility::jsonToStruct(formatter.formatWithContext({}, stream_info)); EXPECT_TRUE(TestUtility::protoEqual(out_struct, expected)); } @@ -3810,7 +3809,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterSingleOperatorTest) { absl::node_hash_map expected_json_map = {{"protocol", "HTTP/1.1"}}; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( protocol: '%PROTOCOL%' )EOF", @@ -3831,7 +3830,7 @@ TEST(SubstitutionFormatterTest, EmptyJsonFormatterTest) { absl::node_hash_map expected_json_map = {{"protocol", ""}}; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( protocol: '' )EOF", @@ -3859,7 +3858,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterNonExistentHeaderTest) { "some_response_header": "SOME_RESPONSE_HEADER" })EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( protocol: '%PROTOCOL%' some_request_header: '%REQ(some_request_header)%' @@ -3894,7 +3893,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterAlternateHeaderTest) { {"response_absent_header_or_response_absent_header", "RESPONSE_PRESENT_HEADER"}, {"response_present_header_or_response_absent_header", "RESPONSE_PRESENT_HEADER"}}; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( request_present_header_or_request_absent_header: '%REQ(request_present_header?request_absent_header)%' @@ -3939,7 +3938,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterDynamicMetadataTest) { "test_obj.inner_key": "inner_value" })EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key: '%DYNAMIC_METADATA(com.test:test_key)%' test_obj: '%DYNAMIC_METADATA(com.test:test_obj)%' @@ -3979,7 +3978,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterClusterMetadataTest) { "test_obj.non_existing_key": null })EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key: '%CLUSTER_METADATA(com.test:test_key)%' test_obj: '%CLUSTER_METADATA(com.test:test_obj)%' @@ -4007,7 +4006,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterClusterMetadataNoClusterInfoTest) { {"test_key": null} )EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key: '%CLUSTER_METADATA(com.test:test_key)%' )EOF", @@ -4057,7 +4056,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterUpstreamHostMetadataTest) { "test_obj.non_existing_key": null })EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key: '%UPSTREAM_METADATA(com.test:test_key)%' test_obj: '%UPSTREAM_METADATA(com.test:test_obj)%' @@ -4085,7 +4084,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterUpstreamHostMetadataNullPtrs) { {"test_key": null} )EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key: '%UPSTREAM_METADATA(com.test:test_key)%' )EOF", @@ -4136,7 +4135,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterFilterStateTest) { } )EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key: '%FILTER_STATE(test_key)%' test_obj: '%FILTER_STATE(test_obj)%' @@ -4173,7 +4172,7 @@ TEST(SubstitutionFormatterTest, FilterStateSpeciferTest) { } )EOF"; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key_plain: '%FILTER_STATE(test_key:PLAIN)%' test_key_typed: '%FILTER_STATE(test_key:TYPED)%' @@ -4202,7 +4201,7 @@ TEST(SubstitutionFormatterTest, FilterStateErrorSpeciferTest) { StreamInfo::FilterState::StateType::ReadOnly); // 'ABCDE' is error specifier. - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key_plain: '%FILTER_STATE(test_key:ABCDE)%' test_key_typed: '%FILTER_STATE(test_key:TYPED)%' @@ -4214,7 +4213,7 @@ TEST(SubstitutionFormatterTest, FilterStateErrorSpeciferTest) { // Error specifier for PLAIN will cause an error if field is specified. TEST(SubstitutionFormatterTest, FilterStateErrorSpeciferFieldTest) { - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key_plain: '%FILTER_STATE(test_key:PLAIN:test_field)%' )EOF", @@ -4226,7 +4225,7 @@ TEST(SubstitutionFormatterTest, FilterStateErrorSpeciferFieldTest) { // Error specifier for FIELD will cause an exception to be thrown if no field is specified. TEST(SubstitutionFormatterTest, FilterStateErrorSpeciferFieldNoNameTest) { - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( test_key_plain: '%FILTER_STATE(test_key:FIELD)%' )EOF", @@ -4260,7 +4259,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterStartTimeTest) { absl::FormatTime("%Y-%m-%dT%H:%M:%E3S%z", absl::FromChrono(time), absl::LocalTimeZone())}, {"all_zeroes", "000000000.0.00.000"}}; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( simple_date: '%START_TIME(%Y/%m/%d)%' test_time: '%START_TIME(%s)%' @@ -4293,7 +4292,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterMultiTokenTest) { absl::node_hash_map expected_json_map = { {"multi_token_field", "HTTP/1.1 plainstring SOME_REQUEST_HEADER SOME_RESPONSE_HEADER"}}; - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( multi_token_field: '%PROTOCOL% plainstring %REQ(some_request_header)% %RESP(some_response_header)%' @@ -4330,7 +4329,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterTest) { .WillOnce(Return(MonotonicTime(std::chrono::nanoseconds(5000000)))); stream_info.downstream_timing_.onLastDownstreamRxByteReceived(time_system); - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( raw_bool_value: true raw_nummber_value: 6 @@ -4394,7 +4393,7 @@ TEST(SubstitutionFormatterTest, JsonFormatterWithOrderedPropertiesTest) { .WillOnce(Return(MonotonicTime(std::chrono::nanoseconds(5000000)))); stream_info.downstream_timing_.onLastDownstreamRxByteReceived(time_system); - ProtobufWkt::Struct key_mapping; + Protobuf::Struct key_mapping; TestUtility::loadFromYaml(R"EOF( request_duration: '%REQUEST_DURATION%' bfield: valb diff --git a/test/common/http/async_client_impl_test.cc b/test/common/http/async_client_impl_test.cc index db1f98c9bad81..8b64e6ca686b8 100644 --- a/test/common/http/async_client_impl_test.cc +++ b/test/common/http/async_client_impl_test.cc @@ -2284,7 +2284,7 @@ TEST_F(AsyncClientImplTest, MetadataMatchCriteriaWithValidRouteEntry) { NiceMock route_entry; const auto metadata_criteria = - std::make_shared(ProtobufWkt::Struct()); + std::make_shared(Protobuf::Struct()); EXPECT_CALL(*route, routeEntry()).WillRepeatedly(Return(&route_entry)); EXPECT_CALL(route_entry, metadataMatchCriteria()).WillRepeatedly(Return(metadata_criteria.get())); diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index 79d335f342112..a951ab5f7dfaa 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -2533,9 +2533,9 @@ TEST_F(HttpConnectionManagerImplTest, TestFilterCanEnrichAccessLogs) { })); EXPECT_CALL(*filter, onStreamComplete()).WillOnce(Invoke([&]() { - ProtobufWkt::Value metadata_value; + Protobuf::Value metadata_value; metadata_value.set_string_value("value"); - ProtobufWkt::Struct metadata; + Protobuf::Struct metadata; metadata.mutable_fields()->insert({"field", metadata_value}); filter->callbacks_->streamInfo().setDynamicMetadata("metadata_key", metadata); })); diff --git a/test/common/http/filter_manager_test.cc b/test/common/http/filter_manager_test.cc index 3bad58cd63677..8cde313bf66af 100644 --- a/test/common/http/filter_manager_test.cc +++ b/test/common/http/filter_manager_test.cc @@ -66,7 +66,7 @@ class FilterManagerTest : public testing::Test { LocalReplyFilterStateKey); EXPECT_EQ(fs_value->serializeAsString(), expected_name); - auto expected = std::make_unique(); + auto expected = std::make_unique(); expected->set_value(expected_name); EXPECT_TRUE(MessageDifferencer::Equals(*(fs_value->serializeAsProto()), *expected)); } diff --git a/test/common/http/utility_test.cc b/test/common/http/utility_test.cc index 74218f2d8d763..fd058bab44f08 100644 --- a/test/common/http/utility_test.cc +++ b/test/common/http/utility_test.cc @@ -709,7 +709,7 @@ TEST(HttpUtility, ValidateStreamErrorsWithHcm) { .value()); // If the HCM value is present it will take precedence over the old value. - ProtobufWkt::BoolValue hcm_value; + Protobuf::BoolValue hcm_value; hcm_value.set_value(false); EXPECT_FALSE(Envoy::Http2::Utility::initializeAndValidateOptions(http2_options, true, hcm_value) .value() @@ -732,7 +732,7 @@ TEST(HttpUtility, ValidateStreamErrorsWithHcm) { TEST(HttpUtility, ValidateStreamErrorConfigurationForHttp1) { envoy::config::core::v3::Http1ProtocolOptions http1_options; - ProtobufWkt::BoolValue hcm_value; + Protobuf::BoolValue hcm_value; NiceMock context; NiceMock validation_visitor; @@ -772,7 +772,7 @@ TEST(HttpUtility, ValidateStreamErrorConfigurationForHttp1) { TEST(HttpUtility, AllowCustomMethods) { envoy::config::core::v3::Http1ProtocolOptions http1_options; - ProtobufWkt::BoolValue hcm_value; + Protobuf::BoolValue hcm_value; NiceMock context; NiceMock validation_visitor; diff --git a/test/common/json/json_fuzz_test.cc b/test/common/json/json_fuzz_test.cc index ca5ca39f72887..4479047e22d3b 100644 --- a/test/common/json/json_fuzz_test.cc +++ b/test/common/json/json_fuzz_test.cc @@ -22,11 +22,11 @@ DEFINE_FUZZER(const uint8_t* buf, size_t len) { std::string json_string{reinterpret_cast(buf), len}; // Load via Protobuf JSON parsing, if we can. - ProtobufWkt::Struct message; + Protobuf::Struct message; try { MessageUtil::loadFromJson(json_string, message); // We should be able to serialize, parse again and get the same result. - ProtobufWkt::Struct message2; + Protobuf::Struct message2; // This can sometimes fail on too deep recursion in case protobuf parsing is configured to have // less recursion depth than json parsing in the proto library. // This is the only version of MessageUtil::getJsonStringFromMessage function safe to use on @@ -40,10 +40,10 @@ DEFINE_FUZZER(const uint8_t* buf, size_t len) { // MessageUtil::getYamlStringFromMessage automatically convert types, so we have to do another // round-trip. std::string yaml = MessageUtil::getYamlStringFromMessage(message); - ProtobufWkt::Struct yaml_message; + Protobuf::Struct yaml_message; TestUtility::loadFromYaml(yaml, yaml_message); - ProtobufWkt::Struct message3; + Protobuf::Struct message3; TestUtility::loadFromYaml(MessageUtil::getYamlStringFromMessage(yaml_message), message3); FUZZ_ASSERT(TestUtility::protoEqual(yaml_message, message3)); } catch (const Envoy::EnvoyException& e) { diff --git a/test/common/json/json_loader_test.cc b/test/common/json/json_loader_test.cc index aaf004c58c286..0be63f7f925c0 100644 --- a/test/common/json/json_loader_test.cc +++ b/test/common/json/json_loader_test.cc @@ -505,15 +505,15 @@ TEST_F(JsonLoaderTest, LoadFromStruct) { ], })EOF"; - const ProtobufWkt::Struct src = TestUtility::jsonToStruct(json_string); + const Protobuf::Struct src = TestUtility::jsonToStruct(json_string); ObjectSharedPtr json = Factory::loadFromProtobufStruct(src); const auto output_json = json->asJsonString(); EXPECT_TRUE(TestUtility::jsonStringEqual(output_json, json_string)); } TEST_F(JsonLoaderTest, LoadFromStructUnknownValueCase) { - ProtobufWkt::Struct src; - ProtobufWkt::Value value_not_set; + Protobuf::Struct src; + Protobuf::Value value_not_set; (*src.mutable_fields())["field"] = value_not_set; EXPECT_THROW_WITH_MESSAGE(Factory::loadFromProtobufStruct(src), EnvoyException, "Protobuf value case not implemented"); diff --git a/test/common/json/json_utility_test.cc b/test/common/json/json_utility_test.cc index 036efdd487345..ec0e2edc1a521 100644 --- a/test/common/json/json_utility_test.cc +++ b/test/common/json/json_utility_test.cc @@ -8,19 +8,19 @@ namespace Envoy { namespace Json { namespace { -std::string toJson(const ProtobufWkt::Value& v) { +std::string toJson(const Protobuf::Value& v) { std::string json_string; Utility::appendValueToString(v, json_string); return json_string; } TEST(JsonUtilityTest, AppendValueToString) { - ProtobufWkt::Value v; + Protobuf::Value v; // null EXPECT_EQ(toJson(v), "null"); - v.set_null_value(ProtobufWkt::NULL_VALUE); + v.set_null_value(Protobuf::NULL_VALUE); EXPECT_EQ(toJson(v), "null"); // bool diff --git a/test/common/matcher/test_utility.h b/test/common/matcher/test_utility.h index 7eeec55e96897..15ada874b3633 100644 --- a/test/common/matcher/test_utility.h +++ b/test/common/matcher/test_utility.h @@ -35,7 +35,7 @@ class TestCommonProtocolInputFactory : public CommonProtocolInputFactory { } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return factory_name_; } @@ -72,7 +72,7 @@ class TestDataInputStringFactory : public DataInputFactory { } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "string"; } @@ -95,7 +95,7 @@ class TestDataInputBoolFactory : public DataInputFactory { } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "bool"; } @@ -116,7 +116,7 @@ class TestDataInputFloatFactory : public DataInputFactory { } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "float"; } @@ -151,7 +151,7 @@ struct TestMatcher : public InputMatcher { }; // An action that evaluates to a proto StringValue. -struct StringAction : public ActionBase { +struct StringAction : public ActionBase { explicit StringAction(const std::string& string) : string_(string) {} const std::string string_; @@ -164,12 +164,12 @@ class StringActionFactory : public ActionFactory { public: ActionConstSharedPtr createAction(const Protobuf::Message& config, absl::string_view&, ProtobufMessage::ValidationVisitor&) override { - const auto& string = dynamic_cast(config); + const auto& string = dynamic_cast(config); return std::make_shared(string.value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "string_action"; } }; @@ -194,7 +194,7 @@ class NeverMatchFactory : public InputMatcherFactory { } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "never_match"; } @@ -228,12 +228,12 @@ class CustomStringMatcherFactory : public InputMatcherFactory { InputMatcherFactoryCb createInputMatcherFactoryCb(const Protobuf::Message& config, Server::Configuration::ServerFactoryContext&) override { - const auto& string = dynamic_cast(config); + const auto& string = dynamic_cast(config); return [string]() { return std::make_unique(string.value()); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "custom_match"; } diff --git a/test/common/protobuf/utility_test.cc b/test/common/protobuf/utility_test.cc index 41f25d27cee5e..24e0fa62beac1 100644 --- a/test/common/protobuf/utility_test.cc +++ b/test/common/protobuf/utility_test.cc @@ -45,8 +45,8 @@ namespace Envoy { using ::testing::HasSubstr; -bool checkProtoEquality(const ProtobufWkt::Value& proto1, std::string text_proto2) { - ProtobufWkt::Value proto2; +bool checkProtoEquality(const Protobuf::Value& proto1, std::string text_proto2) { + Protobuf::Value proto2; if (!Protobuf::TextFormat::ParseFromString(text_proto2, &proto2)) { return false; } @@ -172,25 +172,25 @@ TEST_F(ProtobufUtilityTest, EvaluateFractionalPercent) { } // namespace ProtobufPercentHelper TEST_F(ProtobufUtilityTest, MessageUtilHash) { - ProtobufWkt::Struct s; + Protobuf::Struct s; (*s.mutable_fields())["ab"].set_string_value("fgh"); (*s.mutable_fields())["cde"].set_string_value("ij"); - ProtobufWkt::Struct s2; + Protobuf::Struct s2; (*s2.mutable_fields())["ab"].set_string_value("ij"); (*s2.mutable_fields())["cde"].set_string_value("fgh"); - ProtobufWkt::Struct s3; + Protobuf::Struct s3; (*s3.mutable_fields())["ac"].set_string_value("fgh"); (*s3.mutable_fields())["cdb"].set_string_value("ij"); - ProtobufWkt::Any a1; + Protobuf::Any a1; a1.PackFrom(s); // The two base64 encoded Struct to test map is identical to the struct above, this tests whether // a map is deterministically serialized and hashed. - ProtobufWkt::Any a2 = a1; + Protobuf::Any a2 = a1; a2.set_value(Base64::decode("CgsKA2NkZRIEGgJpagoLCgJhYhIFGgNmZ2g=")); - ProtobufWkt::Any a3 = a1; + Protobuf::Any a3 = a1; a3.set_value(Base64::decode("CgsKAmFiEgUaA2ZnaAoLCgNjZGUSBBoCaWo=")); - ProtobufWkt::Any a4, a5; + Protobuf::Any a4, a5; a4.PackFrom(s2); a5.PackFrom(s3); @@ -207,7 +207,7 @@ TEST_F(ProtobufUtilityTest, MessageUtilHash) { } TEST_F(ProtobufUtilityTest, RepeatedPtrUtilDebugString) { - Protobuf::RepeatedPtrField repeated; + Protobuf::RepeatedPtrField repeated; EXPECT_EQ("[]", RepeatedPtrUtil::debugString(repeated)); repeated.Add()->set_value(10); EXPECT_THAT(RepeatedPtrUtil::debugString(repeated), @@ -293,7 +293,7 @@ TEST_F(ProtobufUtilityTest, ValidateUnknownFieldsNestedAny) { } TEST_F(ProtobufUtilityTest, JsonConvertAnyUnknownMessageType) { - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.set_type_url("type.googleapis.com/bad.type.url"); source_any.set_value("asdf"); auto status = MessageUtil::getJsonStringFromMessage(source_any, true).status(); @@ -301,14 +301,14 @@ TEST_F(ProtobufUtilityTest, JsonConvertAnyUnknownMessageType) { } TEST_F(ProtobufUtilityTest, JsonConvertKnownGoodMessage) { - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(envoy::config::bootstrap::v3::Bootstrap::default_instance()); EXPECT_THAT(MessageUtil::getJsonStringFromMessageOrError(source_any, true), testing::HasSubstr("@type")); } TEST_F(ProtobufUtilityTest, JsonConvertOrErrorAnyWithUnknownMessageType) { - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.set_type_url("type.googleapis.com/bad.type.url"); source_any.set_value("asdf"); EXPECT_THAT(MessageUtil::getJsonStringFromMessageOrError(source_any), @@ -404,7 +404,7 @@ watchdog: { miss_timeout: 1s })EOF"; // An unknown field (or with wrong type) in a message is rejected. TEST_F(ProtobufUtilityTest, LoadBinaryProtoUnknownFieldFromFile) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); const std::string filename = TestEnvironment::writeStringToFileForTest("proto.pb", source_duration.SerializeAsString()); @@ -416,7 +416,7 @@ TEST_F(ProtobufUtilityTest, LoadBinaryProtoUnknownFieldFromFile) { // Multiple unknown fields (or with wrong type) in a message are rejected. TEST_F(ProtobufUtilityTest, LoadBinaryProtoUnknownMultipleFieldsFromFile) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); source_duration.set_nanos(42); const std::string filename = @@ -864,20 +864,20 @@ TEST_F(ProtobufUtilityTest, RedactAny) { // Empty `Any` can be trivially redacted. TEST_F(ProtobufUtilityTest, RedactEmptyAny) { - ProtobufWkt::Any actual; + Protobuf::Any actual; TestUtility::loadFromYaml(R"EOF( '@type': type.googleapis.com/envoy.test.Sensitive )EOF", actual); - ProtobufWkt::Any expected = actual; + Protobuf::Any expected = actual; MessageUtil::redact(actual); EXPECT_TRUE(TestUtility::protoEqual(expected, actual)); } // Messages packed into `Any` with unknown type URLs are skipped. TEST_F(ProtobufUtilityTest, RedactAnyWithUnknownTypeUrl) { - ProtobufWkt::Any actual; + Protobuf::Any actual; // Note, `loadFromYaml` validates the type when populating `Any`, so we have to pass the real type // first and substitute an unknown message type after loading. TestUtility::loadFromYaml(R"EOF( @@ -887,7 +887,7 @@ sensitive_string: This field is sensitive, but we have no way of knowing. actual); actual.set_type_url("type.googleapis.com/envoy.unknown.Message"); - ProtobufWkt::Any expected = actual; + Protobuf::Any expected = actual; MessageUtil::redact(actual); EXPECT_TRUE(TestUtility::protoEqual(expected, actual)); } @@ -1130,9 +1130,9 @@ TYPED_TEST(TypedStructUtilityTest, RedactEmptyTypeUrlTypedStruct) { } TEST_F(ProtobufUtilityTest, RedactEmptyTypeUrlAny) { - ProtobufWkt::Any actual; + Protobuf::Any actual; MessageUtil::redact(actual); - ProtobufWkt::Any expected = actual; + Protobuf::Any expected = actual; EXPECT_TRUE(TestUtility::protoEqual(expected, actual)); } @@ -1213,29 +1213,29 @@ TEST_F(ProtobufUtilityTest, SanitizeUTF8) { } TEST_F(ProtobufUtilityTest, KeyValueStruct) { - const ProtobufWkt::Struct obj = MessageUtil::keyValueStruct("test_key", "test_value"); + const Protobuf::Struct obj = MessageUtil::keyValueStruct("test_key", "test_value"); EXPECT_EQ(obj.fields_size(), 1); - EXPECT_EQ(obj.fields().at("test_key").kind_case(), ProtobufWkt::Value::KindCase::kStringValue); + EXPECT_EQ(obj.fields().at("test_key").kind_case(), Protobuf::Value::KindCase::kStringValue); EXPECT_EQ(obj.fields().at("test_key").string_value(), "test_value"); } TEST_F(ProtobufUtilityTest, KeyValueStructMap) { - const ProtobufWkt::Struct obj = MessageUtil::keyValueStruct( + const Protobuf::Struct obj = MessageUtil::keyValueStruct( {{"test_key", "test_value"}, {"test_another_key", "test_another_value"}}); EXPECT_EQ(obj.fields_size(), 2); - EXPECT_EQ(obj.fields().at("test_key").kind_case(), ProtobufWkt::Value::KindCase::kStringValue); + EXPECT_EQ(obj.fields().at("test_key").kind_case(), Protobuf::Value::KindCase::kStringValue); EXPECT_EQ(obj.fields().at("test_key").string_value(), "test_value"); EXPECT_EQ(obj.fields().at("test_another_key").kind_case(), - ProtobufWkt::Value::KindCase::kStringValue); + Protobuf::Value::KindCase::kStringValue); EXPECT_EQ(obj.fields().at("test_another_key").string_value(), "test_another_value"); } TEST_F(ProtobufUtilityTest, ValueUtilEqual_NullValues) { - ProtobufWkt::Value v1, v2; - v1.set_null_value(ProtobufWkt::NULL_VALUE); - v2.set_null_value(ProtobufWkt::NULL_VALUE); + Protobuf::Value v1, v2; + v1.set_null_value(Protobuf::NULL_VALUE); + v2.set_null_value(Protobuf::NULL_VALUE); - ProtobufWkt::Value other; + Protobuf::Value other; other.set_string_value("s"); EXPECT_TRUE(ValueUtil::equal(v1, v2)); @@ -1243,7 +1243,7 @@ TEST_F(ProtobufUtilityTest, ValueUtilEqual_NullValues) { } TEST_F(ProtobufUtilityTest, ValueUtilEqual_StringValues) { - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("s"); v2.set_string_value("s"); v3.set_string_value("not_s"); @@ -1253,7 +1253,7 @@ TEST_F(ProtobufUtilityTest, ValueUtilEqual_StringValues) { } TEST_F(ProtobufUtilityTest, ValueUtilEqual_NumberValues) { - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_number_value(1.0); v2.set_number_value(1.0); v3.set_number_value(100.0); @@ -1263,7 +1263,7 @@ TEST_F(ProtobufUtilityTest, ValueUtilEqual_NumberValues) { } TEST_F(ProtobufUtilityTest, ValueUtilEqual_BoolValues) { - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_bool_value(true); v2.set_bool_value(true); v3.set_bool_value(false); @@ -1273,13 +1273,13 @@ TEST_F(ProtobufUtilityTest, ValueUtilEqual_BoolValues) { } TEST_F(ProtobufUtilityTest, ValueUtilEqual_StructValues) { - ProtobufWkt::Value string_val1, string_val2, bool_val; + Protobuf::Value string_val1, string_val2, bool_val; string_val1.set_string_value("s1"); string_val2.set_string_value("s2"); bool_val.set_bool_value(true); - ProtobufWkt::Value v1, v2, v3, v4; + Protobuf::Value v1, v2, v3, v4; v1.mutable_struct_value()->mutable_fields()->insert({"f1", string_val1}); v1.mutable_struct_value()->mutable_fields()->insert({"f2", bool_val}); @@ -1297,7 +1297,7 @@ TEST_F(ProtobufUtilityTest, ValueUtilEqual_StructValues) { } TEST_F(ProtobufUtilityTest, ValueUtilEqual_ListValues) { - ProtobufWkt::Value v1, v2, v3, v4; + Protobuf::Value v1, v2, v3, v4; v1.mutable_list_value()->add_values()->set_string_value("s"); v1.mutable_list_value()->add_values()->set_bool_value(true); @@ -1315,14 +1315,14 @@ TEST_F(ProtobufUtilityTest, ValueUtilEqual_ListValues) { } TEST_F(ProtobufUtilityTest, ValueUtilHash) { - ProtobufWkt::Value v; + Protobuf::Value v; v.set_string_value("s1"); EXPECT_NE(ValueUtil::hash(v), 0); } TEST_F(ProtobufUtilityTest, MessageUtilLoadYamlDouble) { - ProtobufWkt::DoubleValue v; + Protobuf::DoubleValue v; MessageUtil::loadFromYaml("value: 1.0", v, ProtobufMessage::getNullValidationVisitor()); EXPECT_DOUBLE_EQ(1.0, v.value()); } @@ -1386,7 +1386,7 @@ TEST(LoadFromYamlExceptionTest, ParserException) { } TEST_F(ProtobufUtilityTest, HashedValue) { - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("s"); v2.set_string_value("s"); v3.set_string_value("not_s"); @@ -1401,7 +1401,7 @@ TEST_F(ProtobufUtilityTest, HashedValue) { } TEST_F(ProtobufUtilityTest, HashedValueStdHash) { - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("s"); v2.set_string_value("s"); v3.set_string_value("not_s"); @@ -1420,22 +1420,22 @@ TEST_F(ProtobufUtilityTest, HashedValueStdHash) { TEST_F(ProtobufUtilityTest, AnyBytes) { { - ProtobufWkt::StringValue source; + Protobuf::StringValue source; source.set_value("abc"); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source); EXPECT_EQ(*MessageUtil::anyToBytes(source_any), "abc"); } { - ProtobufWkt::BytesValue source; + Protobuf::BytesValue source; source.set_value("\x01\x02\x03"); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source); EXPECT_EQ(*MessageUtil::anyToBytes(source_any), "\x01\x02\x03"); } { envoy::config::cluster::v3::Filter filter; - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(filter); EXPECT_EQ(*MessageUtil::anyToBytes(source_any), source_any.value()); } @@ -1443,19 +1443,19 @@ TEST_F(ProtobufUtilityTest, AnyBytes) { // MessageUtility::anyConvert() with the wrong type throws. TEST_F(ProtobufUtilityTest, AnyConvertWrongType) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source_duration); EXPECT_THROW_WITH_REGEX( - TestUtility::anyConvert(source_any), EnvoyException, + TestUtility::anyConvert(source_any), EnvoyException, R"(Unable to unpack as google.protobuf.Timestamp:.*[\n]*\[type.googleapis.com/google.protobuf.Duration\] .*)"); } // Validated exception thrown when anyConvertAndValidate observes a PGV failures. TEST_F(ProtobufUtilityTest, AnyConvertAndValidateFailedValidation) { envoy::config::cluster::v3::Filter filter; - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(filter); EXPECT_THROW(MessageUtil::anyConvertAndValidate( source_any, ProtobufMessage::getStrictValidationVisitor()), @@ -1463,11 +1463,11 @@ TEST_F(ProtobufUtilityTest, AnyConvertAndValidateFailedValidation) { } TEST_F(ProtobufUtilityTest, UnpackToWrongType) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source_duration); - ProtobufWkt::Timestamp dst; + Protobuf::Timestamp dst; EXPECT_THAT( MessageUtil::unpackTo(source_any, dst).message(), testing::ContainsRegex( @@ -1478,7 +1478,7 @@ TEST_F(ProtobufUtilityTest, UnpackToSameVersion) { { API_NO_BOOST(envoy::api::v2::Cluster) source; source.set_drain_connections_on_host_removal(true); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source); API_NO_BOOST(envoy::api::v2::Cluster) dst; ASSERT_TRUE(MessageUtil::unpackTo(source_any, dst).ok()); @@ -1487,7 +1487,7 @@ TEST_F(ProtobufUtilityTest, UnpackToSameVersion) { { API_NO_BOOST(envoy::config::cluster::v3::Cluster) source; source.set_ignore_health_on_host_removal(true); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source); API_NO_BOOST(envoy::config::cluster::v3::Cluster) dst; ASSERT_TRUE(MessageUtil::unpackTo(source_any, dst).ok()); @@ -1497,11 +1497,11 @@ TEST_F(ProtobufUtilityTest, UnpackToSameVersion) { // MessageUtility::unpackTo() with the right type. TEST_F(ProtobufUtilityTest, UnpackToNoThrowRightType) { - ProtobufWkt::Duration src_duration; + Protobuf::Duration src_duration; src_duration.set_seconds(42); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(src_duration); - ProtobufWkt::Duration dst_duration; + Protobuf::Duration dst_duration; EXPECT_OK(MessageUtil::unpackTo(source_any, dst_duration)); // Source and destination are expected to be equal. EXPECT_EQ(src_duration, dst_duration); @@ -1509,11 +1509,11 @@ TEST_F(ProtobufUtilityTest, UnpackToNoThrowRightType) { // MessageUtility::unpackTo() with the wrong type. TEST_F(ProtobufUtilityTest, UnpackToNoThrowWrongType) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(42); - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.PackFrom(source_duration); - ProtobufWkt::Timestamp dst; + Protobuf::Timestamp dst; auto status = MessageUtil::unpackTo(source_any, dst); EXPECT_TRUE(absl::IsInternal(status)); EXPECT_THAT( @@ -1569,7 +1569,7 @@ TEST_F(ProtobufUtilityTest, LoadFromJsonNoBoosting) { TEST_F(ProtobufUtilityTest, JsonConvertSuccess) { envoy::config::bootstrap::v3::Bootstrap source; source.set_flags_path("foo"); - ProtobufWkt::Struct tmp; + Protobuf::Struct tmp; envoy::config::bootstrap::v3::Bootstrap dest; TestUtility::jsonConvert(source, tmp); TestUtility::jsonConvert(tmp, dest); @@ -1577,18 +1577,18 @@ TEST_F(ProtobufUtilityTest, JsonConvertSuccess) { } TEST_F(ProtobufUtilityTest, JsonConvertUnknownFieldSuccess) { - const ProtobufWkt::Struct obj = MessageUtil::keyValueStruct("test_key", "test_value"); + const Protobuf::Struct obj = MessageUtil::keyValueStruct("test_key", "test_value"); envoy::config::bootstrap::v3::Bootstrap bootstrap; EXPECT_NO_THROW( MessageUtil::jsonConvert(obj, ProtobufMessage::getNullValidationVisitor(), bootstrap)); } TEST_F(ProtobufUtilityTest, JsonConvertFail) { - ProtobufWkt::Duration source_duration; + Protobuf::Duration source_duration; source_duration.set_seconds(-281474976710656); - ProtobufWkt::Struct dest_struct; + Protobuf::Struct dest_struct; std::string expected_duration_text = R"pb(seconds: -281474976710656)pb"; - ProtobufWkt::Duration expected_duration_proto; + Protobuf::Duration expected_duration_proto; Protobuf::TextFormat::ParseFromString(expected_duration_text, &expected_duration_proto); EXPECT_THROW(TestUtility::jsonConvert(source_duration, dest_struct), EnvoyException); } @@ -1598,7 +1598,7 @@ TEST_F(ProtobufUtilityTest, JsonConvertCamelSnake) { envoy::config::bootstrap::v3::Bootstrap bootstrap; // Make sure we use a field eligible for snake/camel case translation. bootstrap.mutable_cluster_manager()->set_local_cluster_name("foo"); - ProtobufWkt::Struct json; + Protobuf::Struct json; TestUtility::jsonConvert(bootstrap, json); // Verify we can round-trip. This didn't cause the #3665 regression, but useful as a sanity check. TestUtility::loadFromJson(MessageUtil::getJsonStringFromMessageOrError(json, false), bootstrap); @@ -1616,7 +1616,7 @@ TEST_F(ProtobufUtilityTest, JsonConvertValueSuccess) { { envoy::config::bootstrap::v3::Bootstrap source; source.set_flags_path("foo"); - ProtobufWkt::Value tmp; + Protobuf::Value tmp; envoy::config::bootstrap::v3::Bootstrap dest; EXPECT_TRUE(MessageUtil::jsonConvertValue(source, tmp)); TestUtility::jsonConvert(tmp, dest); @@ -1624,20 +1624,20 @@ TEST_F(ProtobufUtilityTest, JsonConvertValueSuccess) { } { - ProtobufWkt::StringValue source; + Protobuf::StringValue source; source.set_value("foo"); - ProtobufWkt::Value dest; + Protobuf::Value dest; EXPECT_TRUE(MessageUtil::jsonConvertValue(source, dest)); - ProtobufWkt::Value expected; + Protobuf::Value expected; expected.set_string_value("foo"); EXPECT_THAT(dest, ProtoEq(expected)); } { - ProtobufWkt::Duration source; + Protobuf::Duration source; source.set_seconds(-281474976710656); - ProtobufWkt::Value dest; + Protobuf::Value dest; EXPECT_FALSE(MessageUtil::jsonConvertValue(source, dest)); } } @@ -1687,7 +1687,7 @@ flags_path: foo)EOF"; } TEST_F(ProtobufUtilityTest, GetYamlStringFromProtoInvalidAny) { - ProtobufWkt::Any source_any; + Protobuf::Any source_any; source_any.set_type_url("type.googleapis.com/bad.type.url"); source_any.set_value("asdf"); EXPECT_THROW(MessageUtil::getYamlStringFromMessage(source_any, true), EnvoyException); @@ -1695,29 +1695,29 @@ TEST_F(ProtobufUtilityTest, GetYamlStringFromProtoInvalidAny) { TEST(DurationUtilTest, OutOfRange) { { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_seconds(-1); EXPECT_THROW(DurationUtil::durationToMilliseconds(duration), EnvoyException); } { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_nanos(-1); EXPECT_THROW(DurationUtil::durationToMilliseconds(duration), EnvoyException); } // Invalid number of nanoseconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_nanos(1000000000); EXPECT_THROW(DurationUtil::durationToMilliseconds(duration), EnvoyException); } { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_seconds(Protobuf::util::TimeUtil::kDurationMaxSeconds + 1); EXPECT_THROW(DurationUtil::durationToMilliseconds(duration), EnvoyException); } // Invalid number of seconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; constexpr int64_t kMaxInt64Nanoseconds = (std::numeric_limits::max() - 999999999) / (1000 * 1000 * 1000); duration.set_seconds(kMaxInt64Nanoseconds + 1); @@ -1725,7 +1725,7 @@ TEST(DurationUtilTest, OutOfRange) { } // Max valid seconds and nanoseconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; constexpr int64_t kMaxInt64Nanoseconds = (std::numeric_limits::max() - 999999999) / (1000 * 1000 * 1000); duration.set_seconds(kMaxInt64Nanoseconds); @@ -1734,7 +1734,7 @@ TEST(DurationUtilTest, OutOfRange) { } // Invalid combined seconds and nanoseconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; constexpr int64_t kMaxInt64Nanoseconds = std::numeric_limits::max() / (1000 * 1000 * 1000); duration.set_seconds(kMaxInt64Nanoseconds); @@ -1746,7 +1746,7 @@ TEST(DurationUtilTest, OutOfRange) { TEST(DurationUtilTest, NoThrow) { { // In range test - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_seconds(5); duration.set_nanos(10000000); const auto result = DurationUtil::durationToMillisecondsNoThrow(duration); @@ -1755,33 +1755,33 @@ TEST(DurationUtilTest, NoThrow) { } // Below are out-of-range tests { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_seconds(-1); const auto result = DurationUtil::durationToMillisecondsNoThrow(duration); EXPECT_FALSE(result.ok()); } { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_nanos(-1); const auto result = DurationUtil::durationToMillisecondsNoThrow(duration); EXPECT_FALSE(result.ok()); } // Invalid number of nanoseconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_nanos(1000000000); const auto result = DurationUtil::durationToMillisecondsNoThrow(duration); EXPECT_FALSE(result.ok()); } { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; duration.set_seconds(Protobuf::util::TimeUtil::kDurationMaxSeconds + 1); const auto result = DurationUtil::durationToMillisecondsNoThrow(duration); EXPECT_FALSE(result.ok()); } // Invalid number of seconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; constexpr int64_t kMaxInt64Nanoseconds = (std::numeric_limits::max() - 999999999) / (1000 * 1000 * 1000); duration.set_seconds(kMaxInt64Nanoseconds + 1); @@ -1790,7 +1790,7 @@ TEST(DurationUtilTest, NoThrow) { } // Max valid seconds and nanoseconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; constexpr int64_t kMaxInt64Nanoseconds = (std::numeric_limits::max() - 999999999) / (1000 * 1000 * 1000); duration.set_seconds(kMaxInt64Nanoseconds); @@ -1800,7 +1800,7 @@ TEST(DurationUtilTest, NoThrow) { } // Invalid combined seconds and nanoseconds. { - ProtobufWkt::Duration duration; + Protobuf::Duration duration; constexpr int64_t kMaxInt64Nanoseconds = std::numeric_limits::max() / (1000 * 1000 * 1000); duration.set_seconds(kMaxInt64Nanoseconds); @@ -2193,7 +2193,7 @@ TEST_P(TimestampUtilTest, SystemClockToTimestampTest) { auto time_original = epoch_time + std::chrono::milliseconds(GetParam()); // And convert that to Timestamp. - ProtobufWkt::Timestamp timestamp; + Protobuf::Timestamp timestamp; TimestampUtil::systemClockToTimestamp(time_original, timestamp); // Then convert that Timestamp back into a time_point, @@ -2241,9 +2241,8 @@ TEST(TypeUtilTest, TypeUrlHelperFunction) { class StructUtilTest : public ProtobufUtilityTest { protected: - ProtobufWkt::Struct updateSimpleStruct(const ProtobufWkt::Value& v0, - const ProtobufWkt::Value& v1) { - ProtobufWkt::Struct obj, with; + Protobuf::Struct updateSimpleStruct(const Protobuf::Value& v0, const Protobuf::Value& v1) { + Protobuf::Struct obj, with; (*obj.mutable_fields())["key"] = v0; (*with.mutable_fields())["key"] = v1; StructUtil::update(obj, with); @@ -2270,7 +2269,7 @@ TEST_F(StructUtilTest, StructUtilUpdateScalars) { { const auto obj = updateSimpleStruct(ValueUtil::nullValue(), ValueUtil::nullValue()); - EXPECT_EQ(obj.fields().at("key").kind_case(), ProtobufWkt::Value::KindCase::kNullValue); + EXPECT_EQ(obj.fields().at("key").kind_case(), Protobuf::Value::KindCase::kNullValue); } } @@ -2278,7 +2277,7 @@ TEST_F(StructUtilTest, StructUtilUpdateDifferentKind) { { const auto obj = updateSimpleStruct(ValueUtil::stringValue("v0"), ValueUtil::numberValue(1)); auto& val = obj.fields().at("key"); - EXPECT_EQ(val.kind_case(), ProtobufWkt::Value::KindCase::kNumberValue); + EXPECT_EQ(val.kind_case(), Protobuf::Value::KindCase::kNumberValue); EXPECT_EQ(val.number_value(), 1); } @@ -2287,13 +2286,13 @@ TEST_F(StructUtilTest, StructUtilUpdateDifferentKind) { updateSimpleStruct(ValueUtil::structValue(MessageUtil::keyValueStruct("subkey", "v0")), ValueUtil::stringValue("v1")); auto& val = obj.fields().at("key"); - EXPECT_EQ(val.kind_case(), ProtobufWkt::Value::KindCase::kStringValue); + EXPECT_EQ(val.kind_case(), Protobuf::Value::KindCase::kStringValue); EXPECT_EQ(val.string_value(), "v1"); } } TEST_F(StructUtilTest, StructUtilUpdateList) { - ProtobufWkt::Struct obj, with; + Protobuf::Struct obj, with; auto& list = *(*obj.mutable_fields())["key"].mutable_list_value(); list.add_values()->set_string_value("v0"); @@ -2311,7 +2310,7 @@ TEST_F(StructUtilTest, StructUtilUpdateList) { } TEST_F(StructUtilTest, StructUtilUpdateNewKey) { - ProtobufWkt::Struct obj, with; + Protobuf::Struct obj, with; (*obj.mutable_fields())["key0"].set_number_value(1); (*with.mutable_fields())["key1"].set_number_value(1); StructUtil::update(obj, with); @@ -2322,14 +2321,14 @@ TEST_F(StructUtilTest, StructUtilUpdateNewKey) { } TEST_F(StructUtilTest, StructUtilUpdateRecursiveStruct) { - ProtobufWkt::Struct obj, with; + Protobuf::Struct obj, with; *(*obj.mutable_fields())["tags"].mutable_struct_value() = MessageUtil::keyValueStruct("tag0", "1"); *(*with.mutable_fields())["tags"].mutable_struct_value() = MessageUtil::keyValueStruct("tag1", "1"); StructUtil::update(obj, with); - ASSERT_EQ(obj.fields().at("tags").kind_case(), ProtobufWkt::Value::KindCase::kStructValue); + ASSERT_EQ(obj.fields().at("tags").kind_case(), Protobuf::Value::KindCase::kStructValue); const auto& tags = obj.fields().at("tags").struct_value().fields(); EXPECT_TRUE(ValueUtil::equal(tags.at("tag0"), ValueUtil::stringValue("1"))); EXPECT_TRUE(ValueUtil::equal(tags.at("tag1"), ValueUtil::stringValue("1"))); diff --git a/test/common/protobuf/value_util_fuzz_test.cc b/test/common/protobuf/value_util_fuzz_test.cc index 1999427d5ca9a..b0076bc009aca 100644 --- a/test/common/protobuf/value_util_fuzz_test.cc +++ b/test/common/protobuf/value_util_fuzz_test.cc @@ -5,7 +5,7 @@ namespace Envoy { namespace Fuzz { -DEFINE_PROTO_FUZZER(const ProtobufWkt::Value& input) { ValueUtil::equal(input, input); } +DEFINE_PROTO_FUZZER(const Protobuf::Value& input) { ValueUtil::equal(input, input); } } // namespace Fuzz } // namespace Envoy diff --git a/test/common/quic/envoy_quic_proof_source_test.cc b/test/common/quic/envoy_quic_proof_source_test.cc index e3b0b9e831a19..a51dfa36722b8 100644 --- a/test/common/quic/envoy_quic_proof_source_test.cc +++ b/test/common/quic/envoy_quic_proof_source_test.cc @@ -198,7 +198,7 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { getDefaultTlsCertificateSelectorConfigFactory(); ASSERT_TRUE(factory); ASSERT_EQ("envoy.tls.certificate_selectors.default", factory->name()); - const ProtobufWkt::Any any; + const Protobuf::Any any; absl::Status creation_status = absl::OkStatus(); auto tls_certificate_selector_factory_cb = factory->createTlsCertificateSelectorFactory( any, factory_context_, ProtobufMessage::getNullValidationVisitor(), creation_status, true); diff --git a/test/common/router/config_impl_integration_test.cc b/test/common/router/config_impl_integration_test.cc index 72b06ecc769e0..c8ce490360f89 100644 --- a/test/common/router/config_impl_integration_test.cc +++ b/test/common/router/config_impl_integration_test.cc @@ -39,13 +39,13 @@ class FakeClusterSpecifierPluginFactoryConfig : public ClusterSpecifierPluginFac ClusterSpecifierPluginSharedPtr createClusterSpecifierPlugin(const Protobuf::Message& config, Server::Configuration::ServerFactoryContext&) override { - const auto& typed_config = dynamic_cast(config); + const auto& typed_config = dynamic_cast(config); return std::make_shared( typed_config.fields().at("name").string_value()); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.router.cluster_specifier_plugin.fake"; } diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index 0c7adb334858d..1273817260a37 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -3818,7 +3818,7 @@ TEST_F(RouteMatcherTest, ClusterSpecifierPlugin) { mock_cluster_specifier_plugin_3]( const Protobuf::Message& config, Server::Configuration::CommonFactoryContext&) -> ClusterSpecifierPluginSharedPtr { - const auto& typed_config = dynamic_cast(config); + const auto& typed_config = dynamic_cast(config); if (auto iter = typed_config.fields().find("a"); iter == typed_config.fields().end()) { return nullptr; } else if (iter->second.string_value() == "test1") { @@ -3896,7 +3896,7 @@ TEST_F(RouteMatcherTest, UnknownClusterSpecifierPluginName) { mock_cluster_specifier_plugin_3]( const Protobuf::Message& config, Server::Configuration::CommonFactoryContext&) -> ClusterSpecifierPluginSharedPtr { - const auto& typed_config = dynamic_cast(config); + const auto& typed_config = dynamic_cast(config); if (auto iter = typed_config.fields().find("a"); iter == typed_config.fields().end()) { return nullptr; } else if (iter->second.string_value() == "test1") { @@ -4772,7 +4772,7 @@ class TestRetryOptionsPredicateFactory : public Upstream::RetryOptionsPredicateF ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom empty config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "test_retry_options_predicate_factory"; } @@ -6258,7 +6258,7 @@ class BazFactory : public HttpRouteTypedMetadataFactory { std::string name() const override { return "baz"; } // Returns nullptr (conversion failure) if d is empty. std::unique_ptr - parse(const ProtobufWkt::Struct& d) const override { + parse(const Protobuf::Struct& d) const override { if (d.fields().find("name") != d.fields().end()) { return std::make_unique(d.fields().at("name").string_value()); } @@ -6266,7 +6266,7 @@ class BazFactory : public HttpRouteTypedMetadataFactory { } std::unique_ptr - parse(const ProtobufWkt::Any&) const override { + parse(const Protobuf::Any&) const override { return nullptr; } }; @@ -7538,14 +7538,14 @@ TEST_F(CustomRequestHeadersTest, CustomHeaderWrongFormat) { } TEST(MetadataMatchCriteriaImpl, Create) { - auto v1 = ProtobufWkt::Value(); + auto v1 = Protobuf::Value(); v1.set_string_value("v1"); - auto v2 = ProtobufWkt::Value(); + auto v2 = Protobuf::Value(); v2.set_number_value(2.0); - auto v3 = ProtobufWkt::Value(); + auto v3 = Protobuf::Value(); v3.set_bool_value(true); - auto metadata_struct = ProtobufWkt::Struct(); + auto metadata_struct = Protobuf::Struct(); auto mutable_fields = metadata_struct.mutable_fields(); mutable_fields->insert({"a", v1}); mutable_fields->insert({"b", v2}); @@ -7568,14 +7568,14 @@ TEST(MetadataMatchCriteriaImpl, Create) { } TEST(MetadataMatchCriteriaImpl, Merge) { - auto pv1 = ProtobufWkt::Value(); + auto pv1 = Protobuf::Value(); pv1.set_string_value("v1"); - auto pv2 = ProtobufWkt::Value(); + auto pv2 = Protobuf::Value(); pv2.set_number_value(2.0); - auto pv3 = ProtobufWkt::Value(); + auto pv3 = Protobuf::Value(); pv3.set_bool_value(true); - auto parent_struct = ProtobufWkt::Struct(); + auto parent_struct = Protobuf::Struct(); auto parent_fields = parent_struct.mutable_fields(); parent_fields->insert({"a", pv1}); parent_fields->insert({"b", pv2}); @@ -7583,14 +7583,14 @@ TEST(MetadataMatchCriteriaImpl, Merge) { auto parent_matches = MetadataMatchCriteriaImpl(parent_struct); - auto v1 = ProtobufWkt::Value(); + auto v1 = Protobuf::Value(); v1.set_string_value("override1"); - auto v2 = ProtobufWkt::Value(); + auto v2 = Protobuf::Value(); v2.set_string_value("v2"); - auto v3 = ProtobufWkt::Value(); + auto v3 = Protobuf::Value(); v3.set_string_value("override3"); - auto metadata_struct = ProtobufWkt::Struct(); + auto metadata_struct = Protobuf::Struct(); auto mutable_fields = metadata_struct.mutable_fields(); mutable_fields->insert({"a", v1}); mutable_fields->insert({"b++", v2}); @@ -7617,14 +7617,14 @@ TEST(MetadataMatchCriteriaImpl, Merge) { } TEST(MetadataMatchCriteriaImpl, Filter) { - auto pv1 = ProtobufWkt::Value(); + auto pv1 = Protobuf::Value(); pv1.set_string_value("v1"); - auto pv2 = ProtobufWkt::Value(); + auto pv2 = Protobuf::Value(); pv2.set_number_value(2.0); - auto pv3 = ProtobufWkt::Value(); + auto pv3 = Protobuf::Value(); pv3.set_bool_value(true); - auto metadata_matches = ProtobufWkt::Struct(); + auto metadata_matches = Protobuf::Struct(); auto parent_fields = metadata_matches.mutable_fields(); parent_fields->insert({"a", pv1}); parent_fields->insert({"b", pv2}); @@ -10658,7 +10658,7 @@ class PerFilterConfigsTest : public testing::Test, public ConfigImplTestBase { : registered_factory_(factory_), registered_default_factory_(default_factory_) {} struct DerivedFilterConfig : public RouteSpecificFilterConfig { - ProtobufWkt::Timestamp config_; + Protobuf::Timestamp config_; }; class TestFilterConfig : public Extensions::HttpFilters::Common::EmptyHttpFilterConfig { public: @@ -10669,11 +10669,11 @@ class PerFilterConfigsTest : public testing::Test, public ConfigImplTestBase { PANIC("not implemented"); } ProtobufTypes::MessagePtr createEmptyRouteConfigProto() override { - return ProtobufTypes::MessagePtr{new ProtobufWkt::Timestamp()}; + return ProtobufTypes::MessagePtr{new Protobuf::Timestamp()}; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Override this to guarantee that we have a different factory mapping by-type. - return ProtobufTypes::MessagePtr{new ProtobufWkt::Timestamp()}; + return ProtobufTypes::MessagePtr{new Protobuf::Timestamp()}; } std::set configTypes() override { return {"google.protobuf.Timestamp"}; } absl::StatusOr @@ -10694,7 +10694,7 @@ class PerFilterConfigsTest : public testing::Test, public ConfigImplTestBase { PANIC("not implemented"); } ProtobufTypes::MessagePtr createEmptyRouteConfigProto() override { - return ProtobufTypes::MessagePtr{new ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Protobuf::Struct()}; } std::set configTypes() override { return {"google.protobuf.Struct"}; } }; diff --git a/test/common/router/router_test_base.cc b/test/common/router/router_test_base.cc index 144567f98ebca..7f240e8473b39 100644 --- a/test/common/router/router_test_base.cc +++ b/test/common/router/router_test_base.cc @@ -88,8 +88,8 @@ AssertionResult RouterTestBase::verifyHostUpstreamStats(uint64_t success, uint64 } void RouterTestBase::verifyMetadataMatchCriteriaFromRequest(bool route_entry_has_match) { - ProtobufWkt::Struct request_struct, route_struct; - ProtobufWkt::Value val; + Protobuf::Struct request_struct, route_struct; + Protobuf::Value val; // Populate metadata like StreamInfo.setDynamicMetadata() would. auto& fields_map = *request_struct.mutable_fields(); diff --git a/test/common/router/scoped_rds_test.cc b/test/common/router/scoped_rds_test.cc index ef3c7e656b609..4ba7d2b41754b 100644 --- a/test/common/router/scoped_rds_test.cc +++ b/test/common/router/scoped_rds_test.cc @@ -89,8 +89,7 @@ class ScopedRoutesTestBase : public testing::Test { // The delta style API helper. Protobuf::RepeatedPtrField - anyToResource(Protobuf::RepeatedPtrField& resources, - const std::string& version) { + anyToResource(Protobuf::RepeatedPtrField& resources, const std::string& version) { Protobuf::RepeatedPtrField added_resources; for (const auto& resource_any : resources) { auto config = diff --git a/test/common/runtime/runtime_impl_test.cc b/test/common/runtime/runtime_impl_test.cc index 9678cfd650978..3e7875e4c6559 100644 --- a/test/common/runtime/runtime_impl_test.cc +++ b/test/common/runtime/runtime_impl_test.cc @@ -112,7 +112,7 @@ class DiskLoaderImplTest : public LoaderImplTest { EXPECT_TRUE(on_changed_cbs_[layer](Filesystem::Watcher::Events::MovedTo).ok()); } - ProtobufWkt::Struct base_; + Protobuf::Struct base_; }; TEST_F(DiskLoaderImplTest, EmptyKeyTest) { @@ -276,7 +276,7 @@ TEST_F(DiskLoaderImplTest, UintLargeIntegerConversion) { } TEST_F(DiskLoaderImplTest, GetLayers) { - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( foo: whatevs )EOF"); setup(); @@ -478,7 +478,7 @@ TEST_F(DiskLoaderImplTest, MergeValues) { // Validate that admin overrides disk, disk overrides bootstrap. TEST_F(DiskLoaderImplTest, LayersOverride) { - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( some: thing other: thang file2: whatevs @@ -550,7 +550,7 @@ class StaticLoaderImplTest : public LoaderImplTest { loader_ = std::move(loader.value()); } - ProtobufWkt::Struct base_; + Protobuf::Struct base_; }; TEST_F(StaticLoaderImplTest, All) { @@ -574,7 +574,7 @@ TEST_F(StaticLoaderImplTest, QuicheReloadableFlags) { EXPECT_FALSE(GetQuicheReloadableFlag(quic_testonly_default_false)); // Test that Quiche flags can be overwritten via Envoy runtime config. - base_ = TestUtility::parseYaml( + base_ = TestUtility::parseYaml( "envoy.reloadable_features.FLAGS_envoy_quiche_reloadable_flag_quic_testonly_default_true: " "true"); setup(); @@ -583,7 +583,7 @@ TEST_F(StaticLoaderImplTest, QuicheReloadableFlags) { EXPECT_FALSE(GetQuicheReloadableFlag(quic_testonly_default_false)); // Test that Quiche flags can be overwritten again. - base_ = TestUtility::parseYaml( + base_ = TestUtility::parseYaml( "envoy.reloadable_features.FLAGS_envoy_quiche_reloadable_flag_quic_testonly_default_true: " "false"); setup(); @@ -594,20 +594,20 @@ TEST_F(StaticLoaderImplTest, QuicheReloadableFlags) { #endif TEST_F(StaticLoaderImplTest, RemovedFlags) { - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( envoy.reloadable_features.removed_foo: true )EOF"); EXPECT_ENVOY_BUG(setup(), "envoy.reloadable_features.removed_foo"); } TEST_F(StaticLoaderImplTest, ProtoParsingInvalidField) { - base_ = TestUtility::parseYaml("file0:"); + base_ = TestUtility::parseYaml("file0:"); EXPECT_THROW_WITH_MESSAGE(setup(), EnvoyException, "Invalid runtime entry value for file0"); } TEST_F(StaticLoaderImplTest, ProtoParsing) { // Validate proto parsing sanity. - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( file1: hello override file2: world file3: 2 @@ -755,7 +755,7 @@ TEST_F(StaticLoaderImplTest, ProtoParsing) { EXPECT_EQ(2, store_.gauge("runtime.num_layers", Stats::Gauge::ImportMode::NeverImport).value()); // While null values are generally filtered out by walkProtoValue, test manually. - ProtobufWkt::Value empty_value; + Protobuf::Value empty_value; const_cast(dynamic_cast(loader_->snapshot())) .createEntry(empty_value, ""); } @@ -764,7 +764,7 @@ TEST_F(StaticLoaderImplTest, ProtoParsing) { // isn't an actual feature flag. TEST_F(StaticLoaderImplTest, ProtoParsingRuntimeFeaturePrefix) { // Validate proto parsing sanity. - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( envoy.reloadable_features.not_a_feature: true )EOF"); EXPECT_ENVOY_BUG(setup(), @@ -777,7 +777,7 @@ TEST_F(StaticLoaderImplTest, ProtoParsingRuntimeFeaturePrefix) { // in a debug build if the bug was present. TEST_F(StaticLoaderImplTest, ProtoParsingRuntimeFeaturePrefixLegacy) { // Validate proto parsing sanity. - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( envoy.reloadable_features.max_request_headers_count: 2 envoy.reloadable_features.max_response_headers_count: 3 envoy.reloadable_features.max_request_headers_size_kb: 4 @@ -792,7 +792,7 @@ TEST_F(StaticLoaderImplTest, ProtoParsingRuntimeFeaturePrefixLegacy) { } TEST_F(StaticLoaderImplTest, InvalidNumerator) { - base_ = TestUtility::parseYaml(R"EOF( + base_ = TestUtility::parseYaml(R"EOF( invalid_numerator: numerator: 111 denominator: HUNDRED @@ -924,8 +924,7 @@ class RtdsLoaderImplTest : public LoaderImplTest { LoaderImplTest::setup(); envoy::config::bootstrap::v3::LayeredRuntime config; - *config.add_layers()->mutable_static_layer() = - TestUtility::parseYaml(R"EOF( + *config.add_layers()->mutable_static_layer() = TestUtility::parseYaml(R"EOF( foo: whatevs bar: yar )EOF"); diff --git a/test/common/stats/thread_local_store_test.cc b/test/common/stats/thread_local_store_test.cc index e21ad17d3b4f0..de9faf5227d73 100644 --- a/test/common/stats/thread_local_store_test.cc +++ b/test/common/stats/thread_local_store_test.cc @@ -2165,11 +2165,11 @@ class HistogramParameterisedTest : public HistogramTest, // Set the feature flag in SetUp as store_ is constructed in HistogramTest::SetUp. api_ = Api::createApiForTest(*store_); - ProtobufWkt::Struct base = TestUtility::parseYaml( - GetParam() == EnableIncludeHistograms::Yes ? R"EOF( + Protobuf::Struct base = + TestUtility::parseYaml(GetParam() == EnableIncludeHistograms::Yes ? R"EOF( envoy.reloadable_features.enable_include_histograms: true )EOF" - : R"EOF( + : R"EOF( envoy.reloadable_features.enable_include_histograms: false )EOF"); envoy::config::bootstrap::v3::LayeredRuntime layered_runtime; diff --git a/test/common/stream_info/stream_info_impl_test.cc b/test/common/stream_info/stream_info_impl_test.cc index 6cbd768df1064..2bd3816b5fdfa 100644 --- a/test/common/stream_info/stream_info_impl_test.cc +++ b/test/common/stream_info/stream_info_impl_test.cc @@ -516,8 +516,8 @@ TEST_F(StreamInfoImplTest, DynamicMetadataTest) { EXPECT_EQ("test_value", Config::Metadata::metadataValue(&stream_info.dynamicMetadata(), "com.test", "test_key") .string_value()); - ProtobufWkt::Struct struct_obj2; - ProtobufWkt::Value val2; + Protobuf::Struct struct_obj2; + Protobuf::Value val2; val2.set_string_value("another_value"); (*struct_obj2.mutable_fields())["another_key"] = val2; stream_info.setDynamicMetadata("com.test", struct_obj2); diff --git a/test/common/stream_info/uint32_accessor_impl_test.cc b/test/common/stream_info/uint32_accessor_impl_test.cc index 62f5b542e233a..d7941d9e5b283 100644 --- a/test/common/stream_info/uint32_accessor_impl_test.cc +++ b/test/common/stream_info/uint32_accessor_impl_test.cc @@ -25,7 +25,7 @@ TEST(UInt32AccessorImplTest, TestProto) { auto message = accessor.serializeAsProto(); EXPECT_NE(nullptr, message); - auto* uint32_struct = dynamic_cast(message.get()); + auto* uint32_struct = dynamic_cast(message.get()); EXPECT_NE(nullptr, uint32_struct); EXPECT_EQ(init_value, uint32_struct->value()); } diff --git a/test/common/stream_info/uint64_accessor_impl_test.cc b/test/common/stream_info/uint64_accessor_impl_test.cc index 8767001919383..4b3b206d16a17 100644 --- a/test/common/stream_info/uint64_accessor_impl_test.cc +++ b/test/common/stream_info/uint64_accessor_impl_test.cc @@ -26,7 +26,7 @@ TEST(UInt64AccessorImplTest, TestProto) { auto message = accessor.serializeAsProto(); EXPECT_NE(nullptr, message); - auto* uint64_struct = dynamic_cast(message.get()); + auto* uint64_struct = dynamic_cast(message.get()); EXPECT_NE(nullptr, uint64_struct); EXPECT_EQ(init_value, uint64_struct->value()); } diff --git a/test/common/tcp_proxy/config_test.cc b/test/common/tcp_proxy/config_test.cc index 72403ebfcbb7f..1928cf8ad3b57 100644 --- a/test/common/tcp_proxy/config_test.cc +++ b/test/common/tcp_proxy/config_test.cc @@ -297,7 +297,7 @@ TEST(ConfigTest, WeightedClustersWithMetadataMatchConfig) { Config config_obj(constructConfigFromYaml(yaml, factory_context)); { - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -324,7 +324,7 @@ TEST(ConfigTest, WeightedClustersWithMetadataMatchConfig) { } { - ProtobufWkt::Value v3, v4; + Protobuf::Value v3, v4; v3.set_string_value("v3"); v4.set_string_value("v4"); HashedValue hv3(v3), hv4(v4); @@ -383,14 +383,14 @@ TEST(ConfigTest, WeightedClustersWithMetadataMatchAndTopLevelMetadataMatchConfig NiceMock factory_context; Config config_obj(constructConfigFromYaml(yaml, factory_context)); - ProtobufWkt::Value v00, v01, v04; + Protobuf::Value v00, v01, v04; v00.set_string_value("v00"); v01.set_string_value("v01"); v04.set_string_value("v04"); HashedValue hv00(v00), hv01(v01), hv04(v04); { - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -423,7 +423,7 @@ TEST(ConfigTest, WeightedClustersWithMetadataMatchAndTopLevelMetadataMatchConfig } { - ProtobufWkt::Value v3, v4; + Protobuf::Value v3, v4; v3.set_string_value("v3"); v4.set_string_value("v4"); HashedValue hv3(v3), hv4(v4); @@ -474,7 +474,7 @@ TEST(ConfigTest, WeightedClustersWithTopLevelMetadataMatchConfig) { NiceMock factory_context; Config config_obj(constructConfigFromYaml(yaml, factory_context)); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -513,7 +513,7 @@ TEST(ConfigTest, TopLevelMetadataMatchConfig) { NiceMock factory_context; Config config_obj(constructConfigFromYaml(yaml, factory_context)); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -546,7 +546,7 @@ TEST(ConfigTest, ClusterWithTopLevelMetadataMatchConfig) { NiceMock factory_context; Config config_obj(constructConfigFromYaml(yaml, factory_context)); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -585,7 +585,7 @@ TEST(ConfigTest, PerConnectionClusterWithTopLevelMetadataMatchConfig) { NiceMock factory_context; Config config_obj(constructConfigFromYaml(yaml, factory_context)); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); diff --git a/test/common/tcp_proxy/tcp_proxy_test.cc b/test/common/tcp_proxy/tcp_proxy_test.cc index 8659ac4c11f4e..9ffed77090c51 100644 --- a/test/common/tcp_proxy/tcp_proxy_test.cc +++ b/test/common/tcp_proxy/tcp_proxy_test.cc @@ -966,16 +966,16 @@ TEST_P(TcpProxyTest, StreamDecoderFilterCallbacks) { } TEST_P(TcpProxyTest, RouteWithMetadataMatch) { - auto v1 = ProtobufWkt::Value(); + auto v1 = Protobuf::Value(); v1.set_string_value("v1"); - auto v2 = ProtobufWkt::Value(); + auto v2 = Protobuf::Value(); v2.set_number_value(2.0); - auto v3 = ProtobufWkt::Value(); + auto v3 = Protobuf::Value(); v3.set_bool_value(true); std::vector criteria = {{"a", v1}, {"b", v2}, {"c", v3}}; - auto metadata_struct = ProtobufWkt::Struct(); + auto metadata_struct = Protobuf::Struct(); auto mutable_fields = metadata_struct.mutable_fields(); for (const auto& criterion : criteria) { @@ -1032,7 +1032,7 @@ TEST_P(TcpProxyTest, WeightedClusterWithMetadataMatch) { {"cluster1", "cluster2"}); config_ = std::make_shared(constructConfigFromYaml(yaml, factory_context_)); - ProtobufWkt::Value v0, v1, v2; + Protobuf::Value v0, v1, v2; v0.set_string_value("v0"); v1.set_string_value("v1"); v2.set_string_value("v2"); @@ -1105,11 +1105,11 @@ TEST_P(TcpProxyTest, WeightedClusterWithMetadataMatch) { TEST_P(TcpProxyTest, StreamInfoDynamicMetadata) { configure(defaultConfig()); - ProtobufWkt::Value val; + Protobuf::Value val; val.set_string_value("val"); envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Struct& map = + Protobuf::Struct& map = (*metadata.mutable_filter_metadata())[Envoy::Config::MetadataFilters::get().ENVOY_LB]; (*map.mutable_fields())["test"] = val; EXPECT_CALL(filter_callbacks_.connection_.stream_info_, dynamicMetadata()) @@ -1158,14 +1158,14 @@ TEST_P(TcpProxyTest, StreamInfoDynamicMetadataAndConfigMerged) { {"cluster1"}); config_ = std::make_shared(constructConfigFromYaml(yaml, factory_context_)); - ProtobufWkt::Value v0, v1, v2; + Protobuf::Value v0, v1, v2; v0.set_string_value("v0"); v1.set_string_value("from_streaminfo"); // 'v1' is overridden with this value by streamInfo. v2.set_string_value("v2"); HashedValue hv0(v0), hv1(v1), hv2(v2); envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Struct& map = + Protobuf::Struct& map = (*metadata.mutable_filter_metadata())[Envoy::Config::MetadataFilters::get().ENVOY_LB]; (*map.mutable_fields())["k1"] = v1; (*map.mutable_fields())["k2"] = v2; diff --git a/test/common/tcp_proxy/upstream_test.cc b/test/common/tcp_proxy/upstream_test.cc index 3dc669e38c434..21f3807cdad8b 100644 --- a/test/common/tcp_proxy/upstream_test.cc +++ b/test/common/tcp_proxy/upstream_test.cc @@ -239,7 +239,7 @@ class HttpUpstreamRequestEncoderTest : public testing::TestWithParam(&config); + const Protobuf::Any* any_config = dynamic_cast(&config); if (any_config) { - ProtobufWkt::StringValue string_value; + Protobuf::StringValue string_value; if (any_config->UnpackTo(&string_value)) { mode = string_value.value(); } @@ -76,7 +76,7 @@ class AsyncTlsCertificateSelectorFactory : public Ssl::TlsCertificateSelectorCon } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new ProtobufWkt::StringValue()}; + return ProtobufTypes::MessagePtr{new Protobuf::StringValue()}; } std::string name() const override { return "test-tls-context-provider"; }; diff --git a/test/common/tls/cert_validator/default_validator_integration_test.cc b/test/common/tls/cert_validator/default_validator_integration_test.cc index c2d82336d9903..b3535d2b4ba38 100644 --- a/test/common/tls/cert_validator/default_validator_integration_test.cc +++ b/test/common/tls/cert_validator/default_validator_integration_test.cc @@ -172,7 +172,7 @@ class TestSanListenerFilterFactory }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "test.tcp_listener.set_dns_filter_state"; } }; @@ -200,7 +200,7 @@ class CustomSanStringMatcherFactory : public Matchers::StringMatcherExtensionFac std::string name() const override { return "envoy.string_matcher.test_custom_san_matcher"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } }; diff --git a/test/common/tls/handshaker_factory_test.cc b/test/common/tls/handshaker_factory_test.cc index 151562f81ca99..2fde1cec99400 100644 --- a/test/common/tls/handshaker_factory_test.cc +++ b/test/common/tls/handshaker_factory_test.cc @@ -65,7 +65,7 @@ class HandshakerFactoryImplForTest std::string name() const override { return kFactoryName; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new ProtobufWkt::StringValue()}; + return ProtobufTypes::MessagePtr{new Protobuf::StringValue()}; } Ssl::HandshakerFactoryCb @@ -103,7 +103,7 @@ class HandshakerFactoryTest : public testing::Test { envoy::config::core::v3::TypedExtensionConfig* custom_handshaker = tls_context_.mutable_common_tls_context()->mutable_custom_handshaker(); custom_handshaker->set_name(HandshakerFactoryImplForTest::kFactoryName); - custom_handshaker->mutable_typed_config()->PackFrom(ProtobufWkt::StringValue()); + custom_handshaker->mutable_typed_config()->PackFrom(Protobuf::StringValue()); } NiceMock server_factory_context_; @@ -213,7 +213,7 @@ class HandshakerFactoryImplForDownstreamTest std::string name() const override { return kFactoryName; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new ProtobufWkt::BoolValue()}; + return ProtobufTypes::MessagePtr{new Protobuf::BoolValue()}; } Ssl::HandshakerFactoryCb @@ -278,7 +278,7 @@ TEST_F(HandshakerFactoryDownstreamTest, ServerHandshakerProvidesCertificates) { envoy::config::core::v3::TypedExtensionConfig* custom_handshaker = tls_context_.mutable_common_tls_context()->mutable_custom_handshaker(); custom_handshaker->set_name(HandshakerFactoryImplForDownstreamTest::kFactoryName); - custom_handshaker->mutable_typed_config()->PackFrom(ProtobufWkt::BoolValue()); + custom_handshaker->mutable_typed_config()->PackFrom(Protobuf::BoolValue()); CustomProcessObjectForTest custom_process_object_for_test( /*cb=*/[](SSL_CTX* ssl_ctx) { SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); }); diff --git a/test/common/tls/test_private_key_method_provider.cc b/test/common/tls/test_private_key_method_provider.cc index 242e634f671e2..48f155997c254 100644 --- a/test/common/tls/test_private_key_method_provider.cc +++ b/test/common/tls/test_private_key_method_provider.cc @@ -314,43 +314,43 @@ int TestPrivateKeyMethodProvider::ecdsaConnectionIndex() { } TestPrivateKeyMethodProvider::TestPrivateKeyMethodProvider( - const ProtobufWkt::Any& typed_config, + const Protobuf::Any& typed_config, Server::Configuration::TransportSocketFactoryContext& factory_context) { std::string private_key_path; - auto config = MessageUtil::anyConvert(typed_config); + auto config = MessageUtil::anyConvert(typed_config); for (auto& value_it : config.fields()) { auto& value = value_it.second; if (value_it.first == "private_key_file" && - value.kind_case() == ProtobufWkt::Value::kStringValue) { + value.kind_case() == Protobuf::Value::kStringValue) { private_key_path = value.string_value(); } - if (value_it.first == "sync_mode" && value.kind_case() == ProtobufWkt::Value::kBoolValue) { + if (value_it.first == "sync_mode" && value.kind_case() == Protobuf::Value::kBoolValue) { test_options_.sync_mode_ = value.bool_value(); } - if (value_it.first == "crypto_error" && value.kind_case() == ProtobufWkt::Value::kBoolValue) { + if (value_it.first == "crypto_error" && value.kind_case() == Protobuf::Value::kBoolValue) { test_options_.crypto_error_ = value.bool_value(); } - if (value_it.first == "method_error" && value.kind_case() == ProtobufWkt::Value::kBoolValue) { + if (value_it.first == "method_error" && value.kind_case() == Protobuf::Value::kBoolValue) { test_options_.method_error_ = value.bool_value(); } - if (value_it.first == "is_available" && value.kind_case() == ProtobufWkt::Value::kBoolValue) { + if (value_it.first == "is_available" && value.kind_case() == Protobuf::Value::kBoolValue) { test_options_.is_available_ = value.bool_value(); } if (value_it.first == "async_method_error" && - value.kind_case() == ProtobufWkt::Value::kBoolValue) { + value.kind_case() == Protobuf::Value::kBoolValue) { test_options_.async_method_error_ = value.bool_value(); } if (value_it.first == "expected_operation" && - value.kind_case() == ProtobufWkt::Value::kStringValue) { + value.kind_case() == Protobuf::Value::kStringValue) { if (value.string_value() == "decrypt") { test_options_.decrypt_expected_ = true; } else if (value.string_value() == "sign") { test_options_.sign_expected_ = true; } } - if (value_it.first == "mode" && value.kind_case() == ProtobufWkt::Value::kStringValue) { + if (value_it.first == "mode" && value.kind_case() == Protobuf::Value::kStringValue) { mode_ = value.string_value(); } } diff --git a/test/common/tls/test_private_key_method_provider.h b/test/common/tls/test_private_key_method_provider.h index 7de910d4a2db5..f31aac5657258 100644 --- a/test/common/tls/test_private_key_method_provider.h +++ b/test/common/tls/test_private_key_method_provider.h @@ -64,7 +64,7 @@ class TestPrivateKeyConnection { class TestPrivateKeyMethodProvider : public virtual Ssl::PrivateKeyMethodProvider { public: TestPrivateKeyMethodProvider( - const ProtobufWkt::Any& typed_config, + const Protobuf::Any& typed_config, Server::Configuration::TransportSocketFactoryContext& factory_context); // Ssl::PrivateKeyMethodProvider void registerPrivateKeyMethod(SSL* ssl, Ssl::PrivateKeyConnectionCallbacks& cb, diff --git a/test/common/tracing/http_tracer_impl_test.cc b/test/common/tracing/http_tracer_impl_test.cc index 9d07e4f3fcc6b..9a3e115649a39 100644 --- a/test/common/tracing/http_tracer_impl_test.cc +++ b/test/common/tracing/http_tracer_impl_test.cc @@ -389,7 +389,7 @@ TEST_F(HttpConnManFinalizerImplTest, SpanCustomTags) { {":scheme", "https"}, {"x-bb", "b"}}; - ProtobufWkt::Struct fake_struct; + Protobuf::Struct fake_struct; std::string yaml = R"EOF( ree: foo: bar diff --git a/test/common/tracing/tracer_manager_impl_test.cc b/test/common/tracing/tracer_manager_impl_test.cc index 6520fc2919d0e..8a29f403fa50b 100644 --- a/test/common/tracing/tracer_manager_impl_test.cc +++ b/test/common/tracing/tracer_manager_impl_test.cc @@ -40,7 +40,7 @@ class SampleTracerFactory : public Server::Configuration::TracerFactory { std::string name() const override { return "envoy.tracers.sample"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } }; @@ -66,7 +66,7 @@ TEST_F(TracerManagerImplTest, ShouldReturnWhenNoTracingProviderHasBeenConfigured TEST_F(TracerManagerImplTest, ShouldUseProperTracerFactory) { envoy::config::trace::v3::Tracing_Http tracing_config; tracing_config.set_name("envoy.tracers.sample"); - tracing_config.mutable_typed_config()->PackFrom(ProtobufWkt::Struct()); + tracing_config.mutable_typed_config()->PackFrom(Protobuf::Struct()); auto tracer = tracer_manager_.getOrCreateTracer(&tracing_config); @@ -120,7 +120,7 @@ TEST_F(TracerManagerImplTest, ShouldCacheTracersBasedOnFullConfig) { TEST_F(TracerManagerImplTest, ShouldFailIfTracerProviderIsUnknown) { envoy::config::trace::v3::Tracing_Http tracing_config; tracing_config.set_name("invalid"); - tracing_config.mutable_typed_config()->PackFrom(ProtobufWkt::Value()); + tracing_config.mutable_typed_config()->PackFrom(Protobuf::Value()); EXPECT_THROW_WITH_MESSAGE(tracer_manager_.getOrCreateTracer(&tracing_config), EnvoyException, "Didn't find a registered implementation for 'invalid' " @@ -132,7 +132,7 @@ TEST_F(TracerManagerImplTest, ShouldFailIfProviderSpecificConfigIsNotValid) { tracing_config.set_name("envoy.tracers.sample"); tracing_config.mutable_typed_config()->PackFrom(ValueUtil::stringValue("value")); - ProtobufWkt::Any expected_any_proto; + Protobuf::Any expected_any_proto; expected_any_proto.PackFrom(ValueUtil::stringValue("value")); EXPECT_THROW_WITH_MESSAGE(tracer_manager_.getOrCreateTracer(&tracing_config), EnvoyException, "Didn't find a registered implementation for 'envoy.tracers.sample' " diff --git a/test/common/upstream/cluster_manager_impl_test.cc b/test/common/upstream/cluster_manager_impl_test.cc index a17c7fd288266..f3b69d6b1b3cb 100644 --- a/test/common/upstream/cluster_manager_impl_test.cc +++ b/test/common/upstream/cluster_manager_impl_test.cc @@ -74,7 +74,7 @@ class AlpnTestConfigFactory return std::make_unique(); } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } }; @@ -1774,7 +1774,7 @@ class TestUpstreamNetworkFilterConfigFactory ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.filter"; } }; diff --git a/test/common/upstream/cluster_manager_misc_test.cc b/test/common/upstream/cluster_manager_misc_test.cc index fa7ad8985fc34..9d3f253b887a0 100644 --- a/test/common/upstream/cluster_manager_misc_test.cc +++ b/test/common/upstream/cluster_manager_misc_test.cc @@ -184,7 +184,7 @@ class MetadataWriterLbImpl : public Upstream::ThreadAwareLoadBalancer { Upstream::HostSelectionResponse chooseHost(Upstream::LoadBalancerContext* context) override { if (context && context->requestStreamInfo()) { - ProtobufWkt::Struct value; + Protobuf::Struct value; (*value.mutable_fields())["foo"] = ValueUtil::stringValue("bar"); context->requestStreamInfo()->setDynamicMetadata("envoy.load_balancers.metadata_writer", value); diff --git a/test/common/upstream/local_address_selector_integration_test.cc b/test/common/upstream/local_address_selector_integration_test.cc index 22b0ce57426a5..4f5ef84940dc8 100644 --- a/test/common/upstream/local_address_selector_integration_test.cc +++ b/test/common/upstream/local_address_selector_integration_test.cc @@ -57,7 +57,7 @@ TEST_P(HttpProtocolIntegrationTest, CustomUpstreamLocalAddressSelector) { uint32_t const port_value = 1234; auto bind_config = bootstrap.mutable_cluster_manager()->mutable_upstream_bind_config(); auto local_address_selector_config = bind_config->mutable_local_address_selector(); - ProtobufWkt::Empty empty; + Protobuf::Empty empty; local_address_selector_config->mutable_typed_config()->PackFrom(empty); local_address_selector_config->set_name("mock.upstream.local.address.selector"); bind_config->mutable_source_address()->set_address("::1"); @@ -131,7 +131,7 @@ TEST_P(HttpProtocolIntegrationTest, BindConfigOverride) { bind_config->mutable_source_address()->set_address( version_ == Network::Address::IpVersion::v4 ? "127.0.0.2" : "::1"); bind_config->mutable_source_address()->set_port_value(port_value_1); - ProtobufWkt::Empty empty; + Protobuf::Empty empty; auto address_selector_config = bind_config->mutable_local_address_selector(); address_selector_config->mutable_typed_config()->PackFrom(empty); address_selector_config->set_name("test.upstream.local.address.selector"); diff --git a/test/common/upstream/test_local_address_selector.h b/test/common/upstream/test_local_address_selector.h index a4b7407a6a602..501114c0d9c32 100644 --- a/test/common/upstream/test_local_address_selector.h +++ b/test/common/upstream/test_local_address_selector.h @@ -48,7 +48,7 @@ class TestUpstreamLocalAddressSelectorFactory : public UpstreamLocalAddressSelec } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "test.upstream.local.address.selector"; } diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index a5276d480e63c..3fda2e6869e3a 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -3989,7 +3989,7 @@ TEST_F(StaticClusterImplTest, CustomUpstreamLocalAddressSelector) { envoy::config::cluster::v3::Cluster config; config.set_name("staticcluster"); config.mutable_connect_timeout(); - ProtobufWkt::Empty empty; + Protobuf::Empty empty; auto address_selector_config = server_context_.cluster_manager_.mutableBindConfig().mutable_local_address_selector(); address_selector_config->mutable_typed_config()->PackFrom(empty); @@ -4335,7 +4335,7 @@ class BazFactory : public ClusterTypedMetadataFactory { std::string name() const override { return "baz"; } // Returns nullptr (conversion failure) if d is empty. std::unique_ptr - parse(const ProtobufWkt::Struct& d) const override { + parse(const Protobuf::Struct& d) const override { if (d.fields().find("name") != d.fields().end()) { return std::make_unique(d.fields().at("name").string_value()); } @@ -4343,7 +4343,7 @@ class BazFactory : public ClusterTypedMetadataFactory { } std::unique_ptr - parse(const ProtobufWkt::Any&) const override { + parse(const Protobuf::Any&) const override { return nullptr; } }; @@ -5154,9 +5154,9 @@ TEST_F(ClusterInfoImplTest, ExtensionProtocolOptionsForFilterWithOptions) { auto protocol_options = std::make_shared(); TestFilterConfigFactoryBase factoryBase( - []() -> ProtobufTypes::MessagePtr { return std::make_unique(); }, + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); }, [&](const Protobuf::Message& msg) -> Upstream::ProtocolOptionsConfigConstSharedPtr { - const auto& msg_struct = dynamic_cast(msg); + const auto& msg_struct = dynamic_cast(msg); EXPECT_TRUE(msg_struct.fields().find("option") != msg_struct.fields().end()); return protocol_options; diff --git a/test/config/utility.cc b/test/config/utility.cc index ace3c2c698b80..6494cb82c3cc1 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc @@ -773,7 +773,7 @@ ConfigHelper::ConfigHelper(const Network::Address::IpVersion version, } } -void ConfigHelper::addListenerTypedMetadata(absl::string_view key, ProtobufWkt::Any& packed_value) { +void ConfigHelper::addListenerTypedMetadata(absl::string_view key, Protobuf::Any& packed_value) { RELEASE_ASSERT(!finalized_, ""); auto* static_resources = bootstrap_.mutable_static_resources(); ASSERT_TRUE(static_resources->listeners_size() > 0); @@ -786,7 +786,7 @@ void ConfigHelper::addClusterFilterMetadata(absl::string_view metadata_yaml, absl::string_view cluster_name) { #ifdef ENVOY_ENABLE_YAML RELEASE_ASSERT(!finalized_, ""); - ProtobufWkt::Struct cluster_metadata; + Protobuf::Struct cluster_metadata; TestUtility::loadFromYaml(std::string(metadata_yaml), cluster_metadata); auto* static_resources = bootstrap_.mutable_static_resources(); @@ -796,7 +796,7 @@ void ConfigHelper::addClusterFilterMetadata(absl::string_view metadata_yaml, continue; } for (const auto& kvp : cluster_metadata.fields()) { - ASSERT_TRUE(kvp.second.kind_case() == ProtobufWkt::Value::KindCase::kStructValue); + ASSERT_TRUE(kvp.second.kind_case() == Protobuf::Value::KindCase::kStructValue); cluster->mutable_metadata()->mutable_filter_metadata()->insert( {kvp.first, kvp.second.struct_value()}); } @@ -1728,7 +1728,7 @@ void ConfigHelper::setLds(absl::string_view version_info) { envoy::service::discovery::v3::DiscoveryResponse lds; lds.set_version_info(std::string(version_info)); for (auto& listener : bootstrap_.static_resources().listeners()) { - ProtobufWkt::Any* resource = lds.add_resources(); + Protobuf::Any* resource = lds.add_resources(); resource->PackFrom(listener); } diff --git a/test/config/utility.h b/test/config/utility.h index 1221f1cc853a1..0d08a13f12c97 100644 --- a/test/config/utility.h +++ b/test/config/utility.h @@ -437,7 +437,7 @@ class ConfigHelper { void addRuntimeOverride(absl::string_view key, absl::string_view value); // Add typed_filter_metadata to the first listener. - void addListenerTypedMetadata(absl::string_view key, ProtobufWkt::Any& packed_value); + void addListenerTypedMetadata(absl::string_view key, Protobuf::Any& packed_value); // Add filter_metadata to a cluster with the given name void addClusterFilterMetadata(absl::string_view metadata_yaml, diff --git a/test/exe/all_extensions_build_test.cc b/test/exe/all_extensions_build_test.cc index 3e57d90e3cf38..60390f768c4a3 100644 --- a/test/exe/all_extensions_build_test.cc +++ b/test/exe/all_extensions_build_test.cc @@ -10,7 +10,7 @@ namespace Envoy { namespace { -std::vector stringsFromListValue(const ProtobufWkt::Value& value) { +std::vector stringsFromListValue(const Protobuf::Value& value) { std::vector strings; for (const auto& elt : value.list_value().values()) { strings.push_back(elt.string_value()); @@ -30,8 +30,8 @@ TEST(CheckExtensionsAgainstRegistry, CorrectMetadata) { const std::string manifest_path = TestEnvironment::runfilesPath("source/extensions/extensions_metadata.yaml"); const std::string manifest = TestEnvironment::readFileToStringForTest(manifest_path); - ProtobufWkt::Value value = ValueUtil::loadFromYaml(manifest); - ASSERT_EQ(ProtobufWkt::Value::kStructValue, value.kind_case()); + Protobuf::Value value = ValueUtil::loadFromYaml(manifest); + ASSERT_EQ(Protobuf::Value::kStructValue, value.kind_case()); const auto& json = value.struct_value(); for (const auto& ext : Registry::FactoryCategoryRegistry::registeredFactories()) { @@ -45,7 +45,7 @@ TEST(CheckExtensionsAgainstRegistry, CorrectMetadata) { ENVOY_LOG_MISC(warn, "Missing extension '{}' from category '{}'.", name, ext.first); continue; } - ASSERT_EQ(ProtobufWkt::Value::kStructValue, it->second.kind_case()) + ASSERT_EQ(Protobuf::Value::kStructValue, it->second.kind_case()) << "Malformed extension metadata for: " << name; const auto& extension_fields = it->second.struct_value().fields(); diff --git a/test/extensions/access_loggers/common/grpc_access_logger_test.cc b/test/extensions/access_loggers/common/grpc_access_logger_test.cc index 9d06bc250d92a..ae31325695b29 100644 --- a/test/extensions/access_loggers/common/grpc_access_logger_test.cc +++ b/test/extensions/access_loggers/common/grpc_access_logger_test.cc @@ -44,9 +44,9 @@ const Protobuf::MethodDescriptor& mockMethodDescriptor() { // need to use a proto type because the ByteSizeLong() is used to determine the log size, so we use // standard Struct and Empty protos. class MockGrpcAccessLoggerImpl - : public Common::GrpcAccessLogger, - public Grpc::AsyncRequestCallbacks { + : public Common::GrpcAccessLogger, + public Grpc::AsyncRequestCallbacks { public: MockGrpcAccessLoggerImpl( const Grpc::RawAsyncClientSharedPtr& client, @@ -56,18 +56,17 @@ class MockGrpcAccessLoggerImpl : GrpcAccessLogger(config, dispatcher, scope, access_log_prefix, createGrpcAccessLoggClient(stream, client, service_method, config)) {} - std::unique_ptr> + std::unique_ptr> createGrpcAccessLoggClient( bool stream, const Grpc::RawAsyncClientSharedPtr& client, const Protobuf::MethodDescriptor& service_method, const envoy::extensions::access_loggers::grpc::v3::CommonGrpcAccessLogConfig& config) { if (stream) { return std::make_unique< - Common::StreamingGrpcAccessLogClient>( + Common::StreamingGrpcAccessLogClient>( client, service_method, GrpcCommon::optionalRetryPolicy(config)); } - return std::make_unique< - Common::UnaryGrpcAccessLogClient>( + return std::make_unique>( client, service_method, GrpcCommon::optionalRetryPolicy(config), [this]() -> MockGrpcAccessLoggerImpl& { return *this; }); } @@ -76,7 +75,7 @@ class MockGrpcAccessLoggerImpl int numClears() const { return num_clears_; } - void onSuccess(Grpc::ResponsePtr&&, Tracing::Span&) override {} + void onSuccess(Grpc::ResponsePtr&&, Tracing::Span&) override {} void onCreateInitialMetadata(Http::RequestHeaderMap&) override {} void onFailure(Grpc::Status::GrpcStatus, const std::string&, Tracing::Span&) override {} @@ -84,7 +83,7 @@ class MockGrpcAccessLoggerImpl private: void mockAddEntry(const std::string& key) { if (!message_.fields().contains(key)) { - ProtobufWkt::Value default_value; + Protobuf::Value default_value; default_value.set_number_value(0); message_.mutable_fields()->insert({key, default_value}); } @@ -97,12 +96,12 @@ class MockGrpcAccessLoggerImpl // it's up to each logger implementation. We test whether they were called in the regular flow of // logging or not. For example, we count how many entries were added, but don't add the log entry // itself to the message. - void addEntry(ProtobufWkt::Struct&& entry) override { + void addEntry(Protobuf::Struct&& entry) override { (void)entry; mockAddEntry(MOCK_HTTP_LOG_FIELD_NAME); } - void addEntry(ProtobufWkt::Empty&& entry) override { + void addEntry(Protobuf::Empty&& entry) override { (void)entry; mockAddEntry(MOCK_TCP_LOG_FIELD_NAME); } @@ -123,13 +122,13 @@ class MockGrpcAccessLoggerImpl class StreamingGrpcAccessLogTest : public testing::Test { public: using MockAccessLogStream = Grpc::MockAsyncStream; - using AccessLogCallbacks = Grpc::AsyncStreamCallbacks; + using AccessLogCallbacks = Grpc::AsyncStreamCallbacks; // We log a non empty entry (even though not used) so that we can trigger buffering mechanisms, // which are based on the entry size. - ProtobufWkt::Struct mockHttpEntry() { - ProtobufWkt::Struct entry; - entry.mutable_fields()->insert({"test-key", ProtobufWkt::Value()}); + Protobuf::Struct mockHttpEntry() { + Protobuf::Struct entry; + entry.mutable_fields()->insert({"test-key", Protobuf::Value()}); return entry; } @@ -160,7 +159,7 @@ class StreamingGrpcAccessLogTest : public testing::Test { EXPECT_CALL(stream, isAboveWriteBufferHighWatermark()).WillOnce(Return(false)); EXPECT_CALL(stream, sendMessageRaw_(_, false)) .WillOnce(Invoke([key, count](Buffer::InstancePtr& request, bool) { - ProtobufWkt::Struct message; + Protobuf::Struct message; Buffer::ZeroCopyInputStreamImpl request_stream(std::move(request)); EXPECT_TRUE(message.ParseFromZeroCopyStream(&request_stream)); EXPECT_TRUE(message.fields().contains(key)); @@ -195,14 +194,14 @@ TEST_F(StreamingGrpcAccessLogTest, BasicFlow) { // Log a TCP entry. expectFlushedLogEntriesCount(stream, MOCK_TCP_LOG_FIELD_NAME, 1); - logger_->log(ProtobufWkt::Empty()); + logger_->log(Protobuf::Empty()); EXPECT_EQ(2, logger_->numClears()); // TCP logging doesn't change the logs_written counter. EXPECT_EQ(1, TestUtility::findCounter(stats_store_, "mock_access_log_prefix.logs_written")->value()); // Verify that sending an empty response message doesn't do anything bad. - callbacks->onReceiveMessage(std::make_unique()); + callbacks->onReceiveMessage(std::make_unique()); // Close the stream and make sure we make a new one. callbacks->onRemoteClose(Grpc::Status::Internal, "bad"); @@ -323,9 +322,9 @@ TEST_F(StreamingGrpcAccessLogTest, Batching) { // Logging an entry that's bigger than the buffer size should trigger another flush. expectFlushedLogEntriesCount(stream, MOCK_HTTP_LOG_FIELD_NAME, 1); - ProtobufWkt::Struct big_entry = mockHttpEntry(); + Protobuf::Struct big_entry = mockHttpEntry(); const std::string big_key(max_buffer_size, 'a'); - big_entry.mutable_fields()->insert({big_key, ProtobufWkt::Value()}); + big_entry.mutable_fields()->insert({big_key, Protobuf::Value()}); logger_->log(std::move(big_entry)); EXPECT_EQ(2, logger_->numClears()); } @@ -357,13 +356,13 @@ TEST_F(StreamingGrpcAccessLogTest, Flushing) { class UnaryGrpcAccessLogTest : public testing::Test { public: using MockAccessLogStream = Grpc::MockAsyncStream; - using AccessLogCallbacks = Grpc::AsyncRequestCallbacks; + using AccessLogCallbacks = Grpc::AsyncRequestCallbacks; // We log a non empty entry (even though not used) so that we can trigger buffering mechanisms, // which are based on the entry size. - ProtobufWkt::Struct mockHttpEntry() { - ProtobufWkt::Struct entry; - entry.mutable_fields()->insert({"test-key", ProtobufWkt::Value()}); + Protobuf::Struct mockHttpEntry() { + Protobuf::Struct entry; + entry.mutable_fields()->insert({"test-key", Protobuf::Value()}); return entry; } @@ -385,7 +384,7 @@ class UnaryGrpcAccessLogTest : public testing::Test { Invoke([key, count](absl::string_view, absl::string_view, Buffer::InstancePtr&& request, Grpc::RawAsyncRequestCallbacks&, Tracing::Span&, const Http::AsyncClient::RequestOptions&) { - ProtobufWkt::Struct message; + Protobuf::Struct message; Buffer::ZeroCopyInputStreamImpl request_stream(std::move(request)); EXPECT_TRUE(message.ParseFromZeroCopyStream(&request_stream)); EXPECT_TRUE(message.fields().contains(key)); @@ -416,7 +415,7 @@ TEST_F(UnaryGrpcAccessLogTest, BasicFlow) { // Log a TCP entry. expectFlushedLogEntriesCount(MOCK_TCP_LOG_FIELD_NAME, 1); - logger_->log(ProtobufWkt::Empty()); + logger_->log(Protobuf::Empty()); // Message should be initialized and cleared every time a request is sent. EXPECT_EQ(2, logger_->numInits()); EXPECT_EQ(2, logger_->numClears()); @@ -463,9 +462,9 @@ TEST_F(UnaryGrpcAccessLogTest, Batching) { // Logging an entry that's bigger than the buffer size should trigger another flush. expectFlushedLogEntriesCount(MOCK_HTTP_LOG_FIELD_NAME, 1); - ProtobufWkt::Struct big_entry = mockHttpEntry(); + Protobuf::Struct big_entry = mockHttpEntry(); const std::string big_key(max_buffer_size, 'a'); - big_entry.mutable_fields()->insert({big_key, ProtobufWkt::Value()}); + big_entry.mutable_fields()->insert({big_key, Protobuf::Value()}); logger_->log(std::move(big_entry)); EXPECT_EQ(2, logger_->numClears()); } diff --git a/test/extensions/access_loggers/fluentd/substitution_formatter_test.cc b/test/extensions/access_loggers/fluentd/substitution_formatter_test.cc index 962d60a1ce4a2..865646f017203 100644 --- a/test/extensions/access_loggers/fluentd/substitution_formatter_test.cc +++ b/test/extensions/access_loggers/fluentd/substitution_formatter_test.cc @@ -19,7 +19,7 @@ namespace Fluentd { namespace { TEST(FluentdFormatterImplTest, FormatMsgpack) { - ProtobufWkt::Struct log_struct; + Protobuf::Struct log_struct; (*log_struct.mutable_fields())["Message"].set_string_value("SomeValue"); (*log_struct.mutable_fields())["LogType"].set_string_value("%ACCESS_LOG_TYPE%"); diff --git a/test/extensions/access_loggers/grpc/grpc_access_log_utils_test.cc b/test/extensions/access_loggers/grpc/grpc_access_log_utils_test.cc index b3982539ada8b..870a0e44e6c5a 100644 --- a/test/extensions/access_loggers/grpc/grpc_access_log_utils_test.cc +++ b/test/extensions/access_loggers/grpc/grpc_access_log_utils_test.cc @@ -89,7 +89,7 @@ TEST(UtilityExtractCommonAccessLogPropertiesTest, FilterStateFromDownstream) { ASSERT_EQ(common_access_log.mutable_filter_state_objects()->count("downstream_peer"), 1); ASSERT_EQ(common_access_log.mutable_filter_state_objects()->size(), 1); auto any = (*(common_access_log.mutable_filter_state_objects()))["downstream_peer"]; - ProtobufWkt::BytesValue gotState; + Protobuf::BytesValue gotState; any.UnpackTo(&gotState); EXPECT_EQ(gotState.value(), "value_from_downstream_peer"); } @@ -120,7 +120,7 @@ TEST(UtilityExtractCommonAccessLogPropertiesTest, FilterStateFromUpstream) { ASSERT_EQ(common_access_log.mutable_filter_state_objects()->count("upstream_peer"), 1); ASSERT_EQ(common_access_log.mutable_filter_state_objects()->size(), 1); auto any = (*(common_access_log.mutable_filter_state_objects()))["upstream_peer"]; - ProtobufWkt::BytesValue gotState; + Protobuf::BytesValue gotState; any.UnpackTo(&gotState); EXPECT_EQ(gotState.value(), "value_from_upstream_peer"); } @@ -160,7 +160,7 @@ TEST(UtilityExtractCommonAccessLogPropertiesTest, ASSERT_EQ(common_access_log.mutable_filter_state_objects()->count("same_key"), 1); ASSERT_EQ(common_access_log.mutable_filter_state_objects()->size(), 1); auto any = (*(common_access_log.mutable_filter_state_objects()))["same_key"]; - ProtobufWkt::BytesValue gotState; + Protobuf::BytesValue gotState; any.UnpackTo(&gotState); EXPECT_EQ(gotState.value(), "value_from_downstream_peer"); } diff --git a/test/extensions/access_loggers/grpc/http_grpc_access_log_impl_test.cc b/test/extensions/access_loggers/grpc/http_grpc_access_log_impl_test.cc index 0f03f55222a3a..b372c753b8362 100644 --- a/test/extensions/access_loggers/grpc/http_grpc_access_log_impl_test.cc +++ b/test/extensions/access_loggers/grpc/http_grpc_access_log_impl_test.cc @@ -170,8 +170,8 @@ response: {{}} class TestSerializedFilterState : public StreamInfo::FilterState::Object { public: ProtobufTypes::MessagePtr serializeAsProto() const override { - auto any = std::make_unique(); - ProtobufWkt::Duration value; + auto any = std::make_unique(); + Protobuf::Duration value; value.set_seconds(10); any->PackFrom(value); return any; @@ -195,7 +195,7 @@ TEST_F(HttpGrpcAccessLogTest, Marshalling) { ASSERT(timing.lastDownstreamTxByteSent().has_value()); stream_info.downstream_connection_info_provider_->setLocalAddress( *Network::Address::PipeInstance::create("/foo")); - (*stream_info.metadata_.mutable_filter_metadata())["foo"] = ProtobufWkt::Struct(); + (*stream_info.metadata_.mutable_filter_metadata())["foo"] = Protobuf::Struct(); stream_info.filter_state_->setData("string_accessor", std::make_unique("test_value"), StreamInfo::FilterState::StateType::ReadOnly, @@ -765,7 +765,7 @@ response: {} ASSERT(timing.lastDownstreamTxByteSent().has_value()); stream_info.downstream_connection_info_provider_->setLocalAddress( *Network::Address::PipeInstance::create("/foo")); - (*stream_info.metadata_.mutable_filter_metadata())["foo"] = ProtobufWkt::Struct(); + (*stream_info.metadata_.mutable_filter_metadata())["foo"] = Protobuf::Struct(); stream_info.filter_state_->setData("string_accessor", std::make_unique("test_value"), StreamInfo::FilterState::StateType::ReadOnly, @@ -1080,7 +1080,7 @@ tag: mtag std::shared_ptr> host( new NiceMock()); auto metadata = std::make_shared(); - metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( + metadata->mutable_filter_metadata()->insert(Protobuf::MapPair( "foo", MessageUtil::keyValueStruct("bar", "baz"))); ON_CALL(*host, metadata()).WillByDefault(Return(metadata)); stream_info.upstreamInfo()->setUpstreamHost(host); diff --git a/test/extensions/access_loggers/open_telemetry/access_log_impl_test.cc b/test/extensions/access_loggers/open_telemetry/access_log_impl_test.cc index db253e668004c..9c65513b242c4 100644 --- a/test/extensions/access_loggers/open_telemetry/access_log_impl_test.cc +++ b/test/extensions/access_loggers/open_telemetry/access_log_impl_test.cc @@ -53,7 +53,7 @@ class MockGrpcAccessLogger : public GrpcAccessLogger { public: // GrpcAccessLogger MOCK_METHOD(void, log, (LogRecord && entry)); - MOCK_METHOD(void, log, (ProtobufWkt::Empty && entry)); + MOCK_METHOD(void, log, (Protobuf::Empty && entry)); }; class MockGrpcAccessLoggerCache : public GrpcAccessLoggerCache { diff --git a/test/extensions/access_loggers/open_telemetry/grpc_access_log_impl_test.cc b/test/extensions/access_loggers/open_telemetry/grpc_access_log_impl_test.cc index e9b99bef9a5af..0013291aed670 100644 --- a/test/extensions/access_loggers/open_telemetry/grpc_access_log_impl_test.cc +++ b/test/extensions/access_loggers/open_telemetry/grpc_access_log_impl_test.cc @@ -139,7 +139,7 @@ TEST_F(GrpcAccessLoggerImplTest, Log) { .value(), 1); // TCP logging shouldn't do anything. - logger_->log(ProtobufWkt::Empty()); + logger_->log(Protobuf::Empty()); EXPECT_EQ(stats_store_.findCounterByString("access_logs.open_telemetry_access_log.logs_written") .value() .get() diff --git a/test/extensions/access_loggers/open_telemetry/substitution_formatter_test.cc b/test/extensions/access_loggers/open_telemetry/substitution_formatter_test.cc index 8127d8ce9be00..f22fd74a01749 100644 --- a/test/extensions/access_loggers/open_telemetry/substitution_formatter_test.cc +++ b/test/extensions/access_loggers/open_telemetry/substitution_formatter_test.cc @@ -41,7 +41,7 @@ class TestSerializedStructFilterState : public StreamInfo::FilterState::Object { (*struct_.mutable_fields())["inner_key"] = ValueUtil::stringValue("inner_value"); } - explicit TestSerializedStructFilterState(const ProtobufWkt::Struct& s) : use_struct_(true) { + explicit TestSerializedStructFilterState(const Protobuf::Struct& s) : use_struct_(true) { struct_.CopyFrom(s); } @@ -51,20 +51,20 @@ class TestSerializedStructFilterState : public StreamInfo::FilterState::Object { ProtobufTypes::MessagePtr serializeAsProto() const override { if (use_struct_) { - auto s = std::make_unique(); + auto s = std::make_unique(); s->CopyFrom(struct_); return s; } - auto d = std::make_unique(); + auto d = std::make_unique(); d->CopyFrom(duration_); return d; } private: const bool use_struct_{false}; - ProtobufWkt::Struct struct_; - ProtobufWkt::Duration duration_; + Protobuf::Struct struct_; + Protobuf::Duration duration_; }; // Class used to test serializeAsString and serializeAsProto of FilterState @@ -75,7 +75,7 @@ class TestSerializedStringFilterState : public StreamInfo::FilterState::Object { return raw_string_ + " By PLAIN"; } ProtobufTypes::MessagePtr serializeAsProto() const override { - auto message = std::make_unique(); + auto message = std::make_unique(); message->set_value(raw_string_ + " By TYPED"); return message; } @@ -89,12 +89,12 @@ class TestSerializedStringFilterState : public StreamInfo::FilterState::Object { * "com.test": {"test_key":"test_value","test_obj":{"inner_key":"inner_value"}} */ void populateMetadataTestData(envoy::config::core::v3::Metadata& metadata) { - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; auto& fields_map = *struct_obj.mutable_fields(); fields_map["test_key"] = ValueUtil::stringValue("test_value"); - ProtobufWkt::Struct struct_inner; + Protobuf::Struct struct_inner; (*struct_inner.mutable_fields())["inner_key"] = ValueUtil::stringValue("inner_value"); - ProtobufWkt::Value val; + Protobuf::Value val; *val.mutable_struct_value() = struct_inner; fields_map["test_obj"] = val; (*metadata.mutable_filter_metadata())["com.test"] = struct_obj; diff --git a/test/extensions/access_loggers/wasm/config_test.cc b/test/extensions/access_loggers/wasm/config_test.cc index d068451056348..4054ff93124ee 100644 --- a/test/extensions/access_loggers/wasm/config_test.cc +++ b/test/extensions/access_loggers/wasm/config_test.cc @@ -109,7 +109,7 @@ TEST_P(WasmAccessLogConfigTest, CreateWasmFromWASM) { config.mutable_config()->mutable_vm_config()->mutable_code()->mutable_local()->set_inline_bytes( code); // Test Any configuration. - ProtobufWkt::Struct some_proto; + Protobuf::Struct some_proto; config.mutable_config()->mutable_vm_config()->mutable_configuration()->PackFrom(some_proto); AccessLog::FilterPtr filter; diff --git a/test/extensions/bootstrap/wasm/config_test.cc b/test/extensions/bootstrap/wasm/config_test.cc index b2c66245a9c95..77b6d52528f81 100644 --- a/test/extensions/bootstrap/wasm/config_test.cc +++ b/test/extensions/bootstrap/wasm/config_test.cc @@ -119,7 +119,7 @@ TEST_P(WasmFactoryTest, UnknownRuntime) { } TEST_P(WasmFactoryTest, StartFailed) { - ProtobufWkt::StringValue plugin_configuration; + Protobuf::StringValue plugin_configuration; plugin_configuration.set_value("bad"); config_.mutable_config()->mutable_vm_config()->mutable_configuration()->PackFrom( plugin_configuration); @@ -129,7 +129,7 @@ TEST_P(WasmFactoryTest, StartFailed) { } TEST_P(WasmFactoryTest, ConfigureFailed) { - ProtobufWkt::StringValue plugin_configuration; + Protobuf::StringValue plugin_configuration; plugin_configuration.set_value("bad"); config_.mutable_config()->mutable_configuration()->PackFrom(plugin_configuration); diff --git a/test/extensions/common/tap/admin_test.cc b/test/extensions/common/tap/admin_test.cc index 9a0e9e6d54398..ec3c7e2cabb92 100644 --- a/test/extensions/common/tap/admin_test.cc +++ b/test/extensions/common/tap/admin_test.cc @@ -190,9 +190,8 @@ TEST(TypedExtensionConfigTest, AddTestConfig) { MockTapSinkFactory factory_impl; EXPECT_CALL(factory_impl, name).Times(AtLeast(1)); EXPECT_CALL(factory_impl, createEmptyConfigProto) - .WillRepeatedly(Invoke([]() -> ProtobufTypes::MessagePtr { - return std::make_unique(); - })); + .WillRepeatedly(Invoke( + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); EXPECT_CALL(factory_impl, createSinkPtr(_, _)); Registry::InjectFactory factory(factory_impl); @@ -222,9 +221,8 @@ TEST(TypedExtensionConfigTest, AddTestConfigForMinStreamedSentBytes) { MockTapSinkFactory factory_impl; EXPECT_CALL(factory_impl, name).Times(AtLeast(1)); EXPECT_CALL(factory_impl, createEmptyConfigProto) - .WillRepeatedly(Invoke([]() -> ProtobufTypes::MessagePtr { - return std::make_unique(); - })); + .WillRepeatedly(Invoke( + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); EXPECT_CALL(factory_impl, createSinkPtr(_, _)); Registry::InjectFactory factory(factory_impl); @@ -253,9 +251,8 @@ TEST(TypedExtensionConfigTest, BufferedAdminNoAdminStreamerRejected) { MockTapSinkFactory factory_impl; EXPECT_CALL(factory_impl, name).Times(AtLeast(1)); EXPECT_CALL(factory_impl, createEmptyConfigProto) - .WillRepeatedly(Invoke([]() -> ProtobufTypes::MessagePtr { - return std::make_unique(); - })); + .WillRepeatedly(Invoke( + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); Registry::InjectFactory factory(factory_impl); NiceMock factory_context; @@ -281,9 +278,8 @@ TEST(TypedExtensionConfigTest, StreamingAdminNoAdminStreamerRejected) { MockTapSinkFactory factory_impl; EXPECT_CALL(factory_impl, name).Times(AtLeast(1)); EXPECT_CALL(factory_impl, createEmptyConfigProto) - .WillRepeatedly(Invoke([]() -> ProtobufTypes::MessagePtr { - return std::make_unique(); - })); + .WillRepeatedly(Invoke( + []() -> ProtobufTypes::MessagePtr { return std::make_unique(); })); Registry::InjectFactory factory(factory_impl); NiceMock factory_context; diff --git a/test/extensions/common/wasm/wasm_test.cc b/test/extensions/common/wasm/wasm_test.cc index aee687e10ccea..783a35184b0a6 100644 --- a/test/extensions/common/wasm/wasm_test.cc +++ b/test/extensions/common/wasm/wasm_test.cc @@ -148,7 +148,7 @@ TEST_P(WasmCommonTest, WasmFailState) { Filters::Common::Expr::CelValue::Type::kNullType); wasm_state->setValue("foo"); auto any = wasm_state->serializeAsProto(); - EXPECT_TRUE(static_cast(any.get())->Is()); + EXPECT_TRUE(static_cast(any.get())->Is()); } TEST_P(WasmCommonTest, Logging) { @@ -580,7 +580,7 @@ TEST_P(WasmCommonTest, VmCache) { auto vm_config = plugin_config.mutable_vm_config(); vm_config->set_runtime(absl::StrCat("envoy.wasm.runtime.", std::get<0>(GetParam()))); - ProtobufWkt::StringValue vm_configuration_string; + Protobuf::StringValue vm_configuration_string; vm_configuration_string.set_value(vm_configuration); vm_config->mutable_configuration()->PackFrom(vm_configuration_string); std::string code; @@ -669,7 +669,7 @@ TEST_P(WasmCommonTest, RemoteCode) { auto vm_config = plugin_config.mutable_vm_config(); vm_config->set_runtime(absl::StrCat("envoy.wasm.runtime.", std::get<0>(GetParam()))); - ProtobufWkt::BytesValue vm_configuration_bytes; + Protobuf::BytesValue vm_configuration_bytes; vm_configuration_bytes.set_value(vm_configuration); vm_config->mutable_configuration()->PackFrom(vm_configuration_bytes); std::string sha256 = Extensions::Common::Wasm::sha256(code); @@ -772,7 +772,7 @@ TEST_P(WasmCommonTest, RemoteCodeMultipleRetry) { auto vm_config = plugin_config.mutable_vm_config(); vm_config->set_runtime(absl::StrCat("envoy.wasm.runtime.", std::get<0>(GetParam()))); - ProtobufWkt::StringValue vm_configuration_string; + Protobuf::StringValue vm_configuration_string; vm_configuration_string.set_value(vm_configuration); vm_config->mutable_configuration()->PackFrom(vm_configuration_string); std::string sha256 = Extensions::Common::Wasm::sha256(code); diff --git a/test/extensions/config/validators/minimum_clusters/config_test.cc b/test/extensions/config/validators/minimum_clusters/config_test.cc index adc2c2ef7f967..eda3911252f72 100644 --- a/test/extensions/config/validators/minimum_clusters/config_test.cc +++ b/test/extensions/config/validators/minimum_clusters/config_test.cc @@ -20,7 +20,7 @@ TEST(MinimumClustersValidatorFactoryTest, CreateValidator) { envoy::extensions::config::validators::minimum_clusters::v3::MinimumClustersValidator config; config.set_min_clusters_num(5); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(config); auto validator = factory->createConfigValidator(typed_config, ProtobufMessage::getStrictValidationVisitor()); @@ -38,7 +38,7 @@ TEST(MinimumClustersValidatorFactoryTest, CreateEmptyValidator) { empty_proto.get()); EXPECT_EQ(0, config.min_clusters_num()); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(config); auto validator = factory->createConfigValidator(typed_config, ProtobufMessage::getStrictValidationVisitor()); diff --git a/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc b/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc index 2939c0b62fb93..8beec372fa14f 100644 --- a/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc +++ b/test/extensions/config_subscription/grpc/delta_subscription_state_test.cc @@ -474,7 +474,7 @@ TEST_P(DeltaSubscriptionStateTestBlank, AmbiguousResourceTTL) { } if (ttl_s) { - ProtobufWkt::Duration ttl; + Protobuf::Duration ttl; ttl.set_seconds(ttl_s->count()); resource->mutable_ttl()->CopyFrom(ttl); } @@ -1197,7 +1197,7 @@ TEST_P(DeltaSubscriptionStateTest, ResourceTTL) { } if (ttl_s) { - ProtobufWkt::Duration ttl; + Protobuf::Duration ttl; ttl.set_seconds(ttl_s->count()); resource->mutable_ttl()->CopyFrom(ttl); } @@ -1264,7 +1264,7 @@ TEST_P(DeltaSubscriptionStateTest, HeartbeatResourcesNotProcessed) { } if (ttl_s) { - ProtobufWkt::Duration ttl; + Protobuf::Duration ttl; ttl.set_seconds(ttl_s->count()); resource.mutable_ttl()->CopyFrom(ttl); } @@ -1412,7 +1412,7 @@ TEST_P(VhdsDeltaSubscriptionStateTest, ResourceTTL) { resource->mutable_resource(); } - ProtobufWkt::Duration ttl; + Protobuf::Duration ttl; ttl.set_seconds(1); resource->mutable_ttl()->CopyFrom(ttl); diff --git a/test/extensions/config_subscription/grpc/watch_map_test.cc b/test/extensions/config_subscription/grpc/watch_map_test.cc index 014a1221b0c4b..222bab7743a2b 100644 --- a/test/extensions/config_subscription/grpc/watch_map_test.cc +++ b/test/extensions/config_subscription/grpc/watch_map_test.cc @@ -88,8 +88,7 @@ void expectEmptySotwNoDeltaUpdate(MockSubscriptionCallbacks& callbacks, } Protobuf::RepeatedPtrField -wrapInResource(const Protobuf::RepeatedPtrField& anys, - const std::string& version) { +wrapInResource(const Protobuf::RepeatedPtrField& anys, const std::string& version) { Protobuf::RepeatedPtrField ret; for (const auto& a : anys) { envoy::config::endpoint::v3::ClusterLoadAssignment cur_endpoint; @@ -103,7 +102,7 @@ wrapInResource(const Protobuf::RepeatedPtrField& anys, } void doDeltaUpdate(WatchMap& watch_map, - const Protobuf::RepeatedPtrField& sotw_resources, + const Protobuf::RepeatedPtrField& sotw_resources, const std::vector& removed_names, const std::string& version) { Protobuf::RepeatedPtrField delta_resources = @@ -118,7 +117,7 @@ void doDeltaUpdate(WatchMap& watch_map, // Similar to expectDeltaAndSotwUpdate(), but making the onConfigUpdate() happen, rather than // EXPECT-ing it. void doDeltaAndSotwUpdate(WatchMap& watch_map, - const Protobuf::RepeatedPtrField& sotw_resources, + const Protobuf::RepeatedPtrField& sotw_resources, const std::vector& removed_names, const std::string& version) { watch_map.onConfigUpdate(sotw_resources, version); @@ -150,7 +149,7 @@ TEST(WatchMapTest, Basic) { EXPECT_TRUE(added_removed.removed_.empty()); // ...the update is going to contain Bob and Carol... - Protobuf::RepeatedPtrField updated_resources; + Protobuf::RepeatedPtrField updated_resources; envoy::config::endpoint::v3::ClusterLoadAssignment bob; bob.set_cluster_name("bob"); updated_resources.Add()->PackFrom(bob); @@ -173,7 +172,7 @@ TEST(WatchMapTest, Basic) { EXPECT_EQ(absl::flat_hash_set({"alice"}), added_removed.removed_); // ...the update is going to contain Alice, Carol, Dave... - Protobuf::RepeatedPtrField updated_resources; + Protobuf::RepeatedPtrField updated_resources; envoy::config::endpoint::v3::ClusterLoadAssignment alice; alice.set_cluster_name("alice"); updated_resources.Add()->PackFrom(alice); @@ -211,7 +210,7 @@ TEST(WatchMapTest, Overlap) { Watch* watch1 = watch_map.addWatch(callbacks1, resource_decoder); Watch* watch2 = watch_map.addWatch(callbacks2, resource_decoder); - Protobuf::RepeatedPtrField updated_resources; + Protobuf::RepeatedPtrField updated_resources; envoy::config::endpoint::v3::ClusterLoadAssignment alice; alice.set_cluster_name("alice"); updated_resources.Add()->PackFrom(alice); @@ -283,7 +282,7 @@ TEST(WatchMapTest, CacheResourceAddResource) { Watch* watch1 = watch_map.addWatch(callbacks1, resource_decoder); Watch* watch2 = watch_map.addWatch(callbacks2, resource_decoder); - Protobuf::RepeatedPtrField updated_resources; + Protobuf::RepeatedPtrField updated_resources; envoy::config::endpoint::v3::ClusterLoadAssignment alice; alice.set_cluster_name("alice"); updated_resources.Add()->PackFrom(alice); @@ -383,7 +382,7 @@ class SameWatchRemoval : public testing::Test { WatchMap watch_map_; NiceMock callbacks1_; MockSubscriptionCallbacks callbacks2_; - Protobuf::RepeatedPtrField updated_resources_; + Protobuf::RepeatedPtrField updated_resources_; Watch* watch1_; Watch* watch2_; bool watch_cb_invoked_{}; @@ -441,7 +440,7 @@ TEST(WatchMapTest, AddRemoveAdd) { Watch* watch1 = watch_map.addWatch(callbacks1, resource_decoder); Watch* watch2 = watch_map.addWatch(callbacks2, resource_decoder); - Protobuf::RepeatedPtrField updated_resources; + Protobuf::RepeatedPtrField updated_resources; envoy::config::endpoint::v3::ClusterLoadAssignment alice; alice.set_cluster_name("alice"); updated_resources.Add()->PackFrom(alice); @@ -498,12 +497,12 @@ TEST(WatchMapTest, UninterestingUpdate) { Watch* watch = watch_map.addWatch(callbacks, resource_decoder); watch_map.updateWatchInterest(watch, {"alice"}); - Protobuf::RepeatedPtrField alice_update; + Protobuf::RepeatedPtrField alice_update; envoy::config::endpoint::v3::ClusterLoadAssignment alice; alice.set_cluster_name("alice"); alice_update.Add()->PackFrom(alice); - Protobuf::RepeatedPtrField bob_update; + Protobuf::RepeatedPtrField bob_update; envoy::config::endpoint::v3::ClusterLoadAssignment bob; bob.set_cluster_name("bob"); bob_update.Add()->PackFrom(bob); @@ -545,7 +544,7 @@ TEST(WatchMapTest, WatchingEverything) { // watch1 never specifies any names, and so is treated as interested in everything. watch_map.updateWatchInterest(watch2, {"alice"}); - Protobuf::RepeatedPtrField updated_resources; + Protobuf::RepeatedPtrField updated_resources; envoy::config::endpoint::v3::ClusterLoadAssignment alice; alice.set_cluster_name("alice"); updated_resources.Add()->PackFrom(alice); @@ -588,7 +587,7 @@ TEST(WatchMapTest, DeltaOnConfigUpdate) { // onConfigUpdate. But, if SotW holds no resources, then an update with nothing it cares about // will just not trigger any onConfigUpdate at all. { - Protobuf::RepeatedPtrField prepare_removed; + Protobuf::RepeatedPtrField prepare_removed; envoy::config::endpoint::v3::ClusterLoadAssignment will_be_removed_later; will_be_removed_later.set_cluster_name("removed"); prepare_removed.Add()->PackFrom(will_be_removed_later); @@ -597,7 +596,7 @@ TEST(WatchMapTest, DeltaOnConfigUpdate) { doDeltaAndSotwUpdate(watch_map, prepare_removed, {}, "version0"); } - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; envoy::config::endpoint::v3::ClusterLoadAssignment updated; updated.set_cluster_name("updated"); update.Add()->PackFrom(updated); @@ -640,7 +639,7 @@ TEST(WatchMapTest, OnConfigUpdateXdsTpGlobCollections) { { // Verify that we pay attention to all matching resources, no matter the order of context // params. - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; envoy::config::endpoint::v3::ClusterLoadAssignment resource1; resource1.set_cluster_name("xdstp://foo/bar/baz/a?some=thing&thing=some"); update.Add()->PackFrom(resource1); @@ -662,7 +661,7 @@ TEST(WatchMapTest, OnConfigUpdateXdsTpGlobCollections) { } // verify removal { - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; expectDeltaUpdate(callbacks, {}, {"xdstp://foo/bar/baz/a?thing=some&some=thing"}, "version1"); doDeltaUpdate( watch_map, update, @@ -685,7 +684,7 @@ TEST(WatchMapTest, OnConfigUpdateXdsTpSingletons) { { // Verify that we pay attention to all matching resources, no matter the order of context // params. - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; envoy::config::endpoint::v3::ClusterLoadAssignment resource1; resource1.set_cluster_name("xdstp://foo/bar/baz?thing=some&some=thing"); update.Add()->PackFrom(resource1); @@ -704,7 +703,7 @@ TEST(WatchMapTest, OnConfigUpdateXdsTpSingletons) { } // verify removal { - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; expectDeltaUpdate(callbacks, {}, {"xdstp://foo/bar/baz?thing=some&some=thing"}, "version1"); doDeltaUpdate(watch_map, update, {"xdstp://foo/bar/baz?thing=some&some=thing", "whatevs"}, "version1"); @@ -728,7 +727,7 @@ TEST(WatchMapTest, OnConfigUpdateUsingNamespaces) { // verify update { - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; envoy::config::endpoint::v3::ClusterLoadAssignment resource; resource.set_cluster_name("ns1/resource1"); update.Add()->PackFrom(resource); @@ -738,7 +737,7 @@ TEST(WatchMapTest, OnConfigUpdateUsingNamespaces) { } // verify removal { - Protobuf::RepeatedPtrField update; + Protobuf::RepeatedPtrField update; expectDeltaUpdate(callbacks2, {}, {"ns2/removed"}, "version1"); doDeltaUpdate(watch_map, update, {"ns2/removed"}, "version1"); } diff --git a/test/extensions/dynamic_modules/http/abi_impl_test.cc b/test/extensions/dynamic_modules/http/abi_impl_test.cc index deeb3cfb819d7..b0b5c999d6668 100644 --- a/test/extensions/dynamic_modules/http/abi_impl_test.cc +++ b/test/extensions/dynamic_modules/http/abi_impl_test.cc @@ -525,8 +525,8 @@ TEST(ABIImpl, metadata) { auto upstream_host = std::make_shared(); EXPECT_CALL(*upstream_info, upstreamHost).WillRepeatedly(testing::Return(upstream_host)); auto locality_metadata = std::make_shared(); - locality_metadata->mutable_filter_metadata()->insert({namespace_str, ProtobufWkt::Struct()}); - ProtobufWkt::Value lbendpoint_value_proto; + locality_metadata->mutable_filter_metadata()->insert({namespace_str, Protobuf::Struct()}); + Protobuf::Value lbendpoint_value_proto; lbendpoint_value_proto.set_string_value(lbendpoint_value); locality_metadata->mutable_filter_metadata() ->at(namespace_str) diff --git a/test/extensions/filters/common/expr/context_test.cc b/test/extensions/filters/common/expr/context_test.cc index 50d9d96f253f4..b727e976c276e 100644 --- a/test/extensions/filters/common/expr/context_test.cc +++ b/test/extensions/filters/common/expr/context_test.cc @@ -841,7 +841,7 @@ TEST(Context, ConnectionAttributes) { TEST(Context, FilterStateAttributes) { StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::FilterChain); - ProtobufWkt::Arena arena; + Protobuf::Arena arena; FilterStateWrapper wrapper(arena, filter_state); auto status_or = wrapper.ListKeys(&arena); EXPECT_EQ(status_or.status().message(), "ListKeys() is not implemented"); @@ -874,7 +874,7 @@ TEST(Context, FilterStateAttributes) { "type.googleapis.com/google.protobuf.DoubleValue", StreamInfo::FilterState::LifeSpan::FilterChain); auto cel_state = std::make_shared(prototype); - ProtobufWkt::DoubleValue v; + Protobuf::DoubleValue v; v.set_value(1.0); cel_state->setValue(v.SerializeAsString()); EXPECT_TRUE(cel_state->serializeAsString().has_value()); diff --git a/test/extensions/filters/common/expr/evaluator_test.cc b/test/extensions/filters/common/expr/evaluator_test.cc index 6358a08b3f6b7..beba03eaa2bfc 100644 --- a/test/extensions/filters/common/expr/evaluator_test.cc +++ b/test/extensions/filters/common/expr/evaluator_test.cc @@ -27,7 +27,7 @@ TEST(Evaluator, Print) { EXPECT_EQ(print(CelValue::CreateString(&test)), "test"); EXPECT_EQ(print(CelValue::CreateBytes(&test)), "test"); - ProtobufWkt::Arena arena; + Protobuf::Arena arena; envoy::config::core::v3::Node node; std::string node_yaml = "id: test"; TestUtility::loadFromYaml(node_yaml, node); @@ -48,7 +48,7 @@ TEST(Evaluator, Activation) { auto filter_state = std::make_shared(StreamInfo::FilterState::LifeSpan::FilterChain); info.upstreamInfo()->setUpstreamFilterState(filter_state); - ProtobufWkt::Arena arena; + Protobuf::Arena arena; const auto activation = createActivation(nullptr, info, nullptr, nullptr, nullptr); EXPECT_TRUE(activation->FindValue("filter_state", &arena).has_value()); EXPECT_TRUE(activation->FindValue("upstream_filter_state", &arena).has_value()); diff --git a/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc index 88ebcae33dcfb..59c629a50b7a1 100644 --- a/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc @@ -69,7 +69,7 @@ TEST_F(ExtAuthzGrpcClientTest, AuthorizationOk) { auto check_response = std::make_unique(); auto status = check_response->mutable_status(); - ProtobufWkt::Struct expected_dynamic_metadata; + Protobuf::Struct expected_dynamic_metadata; auto* metadata_fields = expected_dynamic_metadata.mutable_fields(); (*metadata_fields)["foo"] = ValueUtil::stringValue("ok"); (*metadata_fields)["bar"] = ValueUtil::numberValue(1); @@ -344,12 +344,12 @@ TEST_F(ExtAuthzGrpcClientTest, AuthorizationOkWithDynamicMetadata) { auto check_response = std::make_unique(); auto status = check_response->mutable_status(); - ProtobufWkt::Struct expected_dynamic_metadata; + Protobuf::Struct expected_dynamic_metadata; auto* metadata_fields = expected_dynamic_metadata.mutable_fields(); (*metadata_fields)["original"] = ValueUtil::stringValue("true"); check_response->mutable_dynamic_metadata()->MergeFrom(expected_dynamic_metadata); - ProtobufWkt::Struct overridden_dynamic_metadata; + Protobuf::Struct overridden_dynamic_metadata; metadata_fields = overridden_dynamic_metadata.mutable_fields(); (*metadata_fields)["original"] = ValueUtil::stringValue("false"); diff --git a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc index b472848ee087d..298abb58a10e0 100644 --- a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc @@ -119,7 +119,7 @@ class ExtAuthzHttpClientTest : public testing::Test { envoy::service::auth::v3::CheckRequest request; client_->check(request_callbacks_, request, parent_span_, stream_info_); - ProtobufWkt::Struct expected_dynamic_metadata; + Protobuf::Struct expected_dynamic_metadata; auto* metadata_fields = expected_dynamic_metadata.mutable_fields(); (*metadata_fields)["x-metadata-header-0"] = ValueUtil::stringValue("zero"); (*metadata_fields)["x-metadata-header-1"] = ValueUtil::stringValue("2"); diff --git a/test/extensions/filters/common/lua/protobuf_converter_test.cc b/test/extensions/filters/common/lua/protobuf_converter_test.cc index 28b5fe58464d3..cd8991e23d95d 100644 --- a/test/extensions/filters/common/lua/protobuf_converter_test.cc +++ b/test/extensions/filters/common/lua/protobuf_converter_test.cc @@ -1139,10 +1139,10 @@ TEST_F(LuaProtobufConverterTest, NestedMessageWithRecursion) { TEST_F(LuaProtobufConverterTest, TypeURLEndingWithSlash) { // Create Any with type URL ending with slash and no type name after slash - ProtobufWkt::Any any_message; + Protobuf::Any any_message; any_message.set_type_url("type.googleapis.com/"); - Protobuf::Map typed_metadata_map; + Protobuf::Map typed_metadata_map; typed_metadata_map["test.filter"] = any_message; // Push dummy value at index 1, then filter name at index 2 (function expects index 2) @@ -1160,11 +1160,11 @@ TEST_F(LuaProtobufConverterTest, TypeURLEndingWithSlash) { TEST_F(LuaProtobufConverterTest, PrototypeNotFound) { // Create Any with a valid but invalid message type // Using a well-known type that exists in descriptor pool but might not have a prototype - ProtobufWkt::Any any_message; + Protobuf::Any any_message; any_message.set_type_url("type.googleapis.com/google.protobuf.FileDescriptorSet"); any_message.set_value("dummy_data"); - Protobuf::Map typed_metadata_map; + Protobuf::Map typed_metadata_map; typed_metadata_map["test.filter"] = any_message; // Push dummy value at index 1, then filter name at index 2 (function expects index 2) diff --git a/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc b/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc index 4686c925ce8a8..f4f20c8a26135 100644 --- a/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc +++ b/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc @@ -47,7 +47,7 @@ class MockRequestCallbacks : public RequestCallbacks { (LimitStatus status, const DescriptorStatusList* descriptor_statuses, const Http::ResponseHeaderMap* response_headers_to_add, const Http::RequestHeaderMap* request_headers_to_add, - const std::string& response_body, const ProtobufWkt::Struct* dynamic_metadata)); + const std::string& response_body, const Protobuf::Struct* dynamic_metadata)); }; class RateLimitGrpcClientTest : public testing::Test { diff --git a/test/extensions/filters/common/ratelimit_config/ratelimit_config_test.cc b/test/extensions/filters/common/ratelimit_config/ratelimit_config_test.cc index 5cfcebd105daa..903e1385dde35 100644 --- a/test/extensions/filters/common/ratelimit_config/ratelimit_config_test.cc +++ b/test/extensions/filters/common/ratelimit_config/ratelimit_config_test.cc @@ -1268,7 +1268,7 @@ TEST_F(RateLimitPolicyTest, RequestMatchInputSkip) { class ExtensionDescriptorFactory : public Envoy::RateLimit::DescriptorProducerFactory { public: ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "test.descriptor_producer"; } diff --git a/test/extensions/filters/common/rbac/engine_impl_test.cc b/test/extensions/filters/common/rbac/engine_impl_test.cc index ea042abc4ca46..1bd52515017ed 100644 --- a/test/extensions/filters/common/rbac/engine_impl_test.cc +++ b/test/extensions/filters/common/rbac/engine_impl_test.cc @@ -94,7 +94,7 @@ void checkMatcherEngine( void onMetadata(NiceMock& info) { ON_CALL(info, setDynamicMetadata("envoy.common", _)) - .WillByDefault(Invoke([&info](const std::string&, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([&info](const std::string&, const Protobuf::Struct& obj) { (*info.metadata_.mutable_filter_metadata())["envoy.common"] = obj; })); } @@ -443,7 +443,7 @@ TEST(RoleBasedAccessControlEngineImpl, MetadataCondition) { auto label = MessageUtil::keyValueStruct("label", "prod"); envoy::config::core::v3::Metadata metadata; metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair("other", label)); + Protobuf::MapPair("other", label)); EXPECT_CALL(Const(info), dynamicMetadata()).WillRepeatedly(ReturnRef(metadata)); checkEngine(engine, true, LogResult::Undecided, info, Envoy::Network::MockConnection(), headers); diff --git a/test/extensions/filters/common/rbac/matchers_test.cc b/test/extensions/filters/common/rbac/matchers_test.cc index 80253171b9b48..07e749febcb8a 100644 --- a/test/extensions/filters/common/rbac/matchers_test.cc +++ b/test/extensions/filters/common/rbac/matchers_test.cc @@ -637,9 +637,9 @@ TEST(MetadataMatcher, MetadataMatcher) { auto label = MessageUtil::keyValueStruct("label", "prod"); envoy::config::core::v3::Metadata metadata; metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair("other", label)); + Protobuf::MapPair("other", label)); metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair("rbac", label)); + Protobuf::MapPair("rbac", label)); EXPECT_CALL(Const(info), dynamicMetadata()).WillRepeatedly(ReturnRef(metadata)); envoy::type::matcher::v3::MetadataMatcher matcher; @@ -854,14 +854,14 @@ TEST(MetadataMatcher, SourcedMetadataMatcher) { auto dynamic_label = MessageUtil::keyValueStruct("dynamic_key", "dynamic_value"); envoy::config::core::v3::Metadata dynamic_metadata; dynamic_metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair("rbac", dynamic_label)); + Protobuf::MapPair("rbac", dynamic_label)); EXPECT_CALL(Const(info), dynamicMetadata()).WillRepeatedly(ReturnRef(dynamic_metadata)); // Set up route metadata auto route_label = MessageUtil::keyValueStruct("route_key", "route_value"); envoy::config::core::v3::Metadata route_metadata; route_metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair("rbac", route_label)); + Protobuf::MapPair("rbac", route_label)); EXPECT_CALL(*route, metadata()).WillRepeatedly(ReturnRef(route_metadata)); EXPECT_CALL(info, route()).WillRepeatedly(Return(route)); @@ -1047,15 +1047,15 @@ TEST(MetadataMatcher, NestedMetadata) { NiceMock info; // Create nested metadata structure - ProtobufWkt::Struct nested_struct; + Protobuf::Struct nested_struct; (*nested_struct.mutable_fields())["nested_key"] = ValueUtil::stringValue("nested_value"); - ProtobufWkt::Struct top_struct; + Protobuf::Struct top_struct; (*top_struct.mutable_fields())["top_key"] = ValueUtil::structValue(nested_struct); envoy::config::core::v3::Metadata metadata; metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair("rbac", top_struct)); + Protobuf::MapPair("rbac", top_struct)); EXPECT_CALL(Const(info), dynamicMetadata()).WillRepeatedly(ReturnRef(metadata)); // Test matching nested value diff --git a/test/extensions/filters/http/aws_lambda/aws_lambda_filter_test.cc b/test/extensions/filters/http/aws_lambda/aws_lambda_filter_test.cc index 3b65b0042ce02..eb4a19c26a9b8 100644 --- a/test/extensions/filters/http/aws_lambda/aws_lambda_filter_test.cc +++ b/test/extensions/filters/http/aws_lambda/aws_lambda_filter_test.cc @@ -67,7 +67,7 @@ class AwsLambdaFilterTest : public ::testing::Test { } void setupClusterMetadata() { - ProtobufWkt::Struct cluster_metadata; + Protobuf::Struct cluster_metadata; TestUtility::loadFromYaml(metadata_yaml_, cluster_metadata); metadata_.mutable_filter_metadata()->insert({"com.amazonaws.lambda", cluster_metadata}); ON_CALL(*decoder_callbacks_.cluster_info_, metadata()).WillByDefault(ReturnRef(metadata_)); @@ -204,7 +204,7 @@ TEST_F(AwsLambdaFilterTest, PerRouteConfigWrongClusterMetadata) { setupDownstreamFilter(InvocationMode::Synchronous, true /*passthrough*/, ""); - ProtobufWkt::Struct cluster_metadata; + Protobuf::Struct cluster_metadata; envoy::config::core::v3::Metadata metadata; TestUtility::loadFromYaml(metadata_yaml, cluster_metadata); metadata.mutable_filter_metadata()->insert({"WrongMetadataKey", cluster_metadata}); diff --git a/test/extensions/filters/http/common/empty_http_filter_config.h b/test/extensions/filters/http/common/empty_http_filter_config.h index d78f9ec268ac6..43508cde792a1 100644 --- a/test/extensions/filters/http/common/empty_http_filter_config.h +++ b/test/extensions/filters/http/common/empty_http_filter_config.h @@ -30,7 +30,7 @@ class EmptyHttpFilterConfig : public Server::Configuration::NamedHttpFilterConfi ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom filter config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::set configTypes() override { return {}; } diff --git a/test/extensions/filters/http/common/fuzz/uber_per_filter.cc b/test/extensions/filters/http/common/fuzz/uber_per_filter.cc index 7890c93309338..40188b761fa80 100644 --- a/test/extensions/filters/http/common/fuzz/uber_per_filter.cc +++ b/test/extensions/filters/http/common/fuzz/uber_per_filter.cc @@ -93,7 +93,7 @@ void UberFilterFuzzer::guideAnyProtoType(test::fuzz::HttpData* mutable_data, uin "type.googleapis.com/google.protobuf.Empty", "type.googleapis.com/google.api.HttpBody", }; - ProtobufWkt::Any* mutable_any = mutable_data->mutable_proto_body()->mutable_message(); + Protobuf::Any* mutable_any = mutable_data->mutable_proto_body()->mutable_message(); const std::string& type_url = expected_types[choice % expected_types.size()]; mutable_any->set_type_url(type_url); } diff --git a/test/extensions/filters/http/composite/filter_test.cc b/test/extensions/filters/http/composite/filter_test.cc index 03ecafba79106..e8dfee81054e6 100644 --- a/test/extensions/filters/http/composite/filter_test.cc +++ b/test/extensions/filters/http/composite/filter_test.cc @@ -80,7 +80,7 @@ class CompositeFilterTest : public ::testing::Test { void expectFilterStateInfo(std::shared_ptr filter_state) { auto* info = filter_state->getDataMutable(MatchedActionsFilterStateKey); EXPECT_NE(nullptr, info); - ProtobufWkt::Struct expected; + Protobuf::Struct expected; auto& fields = *expected.mutable_fields(); fields["rootFilterName"] = ValueUtil::stringValue("actionName"); EXPECT_TRUE(MessageDifferencer::Equals(expected, *(info->serializeAsProto()))); @@ -740,7 +740,7 @@ TEST_F(FilterTest, MatchingActionShouldNotCollitionWithOtherRootFilter) { auto* info = filter_state->getDataMutable(MatchedActionsFilterStateKey); EXPECT_NE(nullptr, info); - ProtobufWkt::Struct expected; + Protobuf::Struct expected; auto& fields = *expected.mutable_fields(); fields["otherRootFilterName"] = ValueUtil::stringValue("anyActionName"); fields["rootFilterName"] = ValueUtil::stringValue("actionName"); diff --git a/test/extensions/filters/http/compressor/compressor_filter_integration_test.cc b/test/extensions/filters/http/compressor/compressor_filter_integration_test.cc index 07d61d93dafa7..555b13e28d1d2 100644 --- a/test/extensions/filters/http/compressor/compressor_filter_integration_test.cc +++ b/test/extensions/filters/http/compressor/compressor_filter_integration_test.cc @@ -12,8 +12,8 @@ namespace Envoy { +using Envoy::Protobuf::Any; using Envoy::Protobuf::MapPair; -using Envoy::ProtobufWkt::Any; class CompressorIntegrationTest : public testing::TestWithParam, public Event::SimulatedTimeSystem, diff --git a/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_filter_test.cc b/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_filter_test.cc index 2c99607397ca9..bb347b686b989 100644 --- a/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_filter_test.cc +++ b/test/extensions/filters/http/connect_grpc_bridge/connect_grpc_bridge_filter_test.cc @@ -27,7 +27,7 @@ class ConnectGrpcBridgeFilterTest : public testing::Test { } bool jsonEqual(const std::string& expected, const std::string& actual) { - ProtobufWkt::Value expected_value, actual_value; + Protobuf::Value expected_value, actual_value; TestUtility::loadFromJson(expected, expected_value); TestUtility::loadFromJson(actual, actual_value); return TestUtility::protoEqual(expected_value, actual_value); @@ -41,7 +41,7 @@ class ConnectGrpcBridgeFilterTest : public testing::Test { } void addStatusDetails(google::rpc::Status& status, const Protobuf::Message& message) { - ProtobufWkt::Any any; + Protobuf::Any any; any.PackFrom(message); *status.add_details() = any; } diff --git a/test/extensions/filters/http/connect_grpc_bridge/end_stream_response_test.cc b/test/extensions/filters/http/connect_grpc_bridge/end_stream_response_test.cc index 5927c10680187..259e43316e0b1 100644 --- a/test/extensions/filters/http/connect_grpc_bridge/end_stream_response_test.cc +++ b/test/extensions/filters/http/connect_grpc_bridge/end_stream_response_test.cc @@ -18,7 +18,7 @@ using GrpcStatus = Grpc::Status::WellKnownGrpcStatus; class EndStreamResponseTest : public testing::Test { protected: void compareJson(const std::string& expected, const std::string& actual) { - ProtobufWkt::Value expected_value, actual_value; + Protobuf::Value expected_value, actual_value; TestUtility::loadFromJson(expected, expected_value); TestUtility::loadFromJson(actual, actual_value); EXPECT_TRUE(TestUtility::protoEqual(expected_value, actual_value)); @@ -43,7 +43,7 @@ TEST_F(EndStreamResponseTest, StatusCodeToConnectUnaryStatus) { } TEST_F(EndStreamResponseTest, SerializeJsonError) { - ProtobufWkt::Any detail; + Protobuf::Any detail; detail.set_type_url("type.url"); detail.set_value("protobuf"); const std::vector> test_set = { diff --git a/test/extensions/filters/http/custom_response/custom_response_integration_test.cc b/test/extensions/filters/http/custom_response/custom_response_integration_test.cc index 1991be48d2dce..45147af783731 100644 --- a/test/extensions/filters/http/custom_response/custom_response_integration_test.cc +++ b/test/extensions/filters/http/custom_response/custom_response_integration_test.cc @@ -24,8 +24,8 @@ using LocalResponsePolicyProto = using RedirectPolicyProto = envoy::extensions::http::custom_response::redirect_policy::v3::RedirectPolicy; using RedirectActionProto = envoy::config::route::v3::RedirectAction; +using Envoy::Protobuf::Any; using Envoy::Protobuf::MapPair; -using Envoy::ProtobufWkt::Any; namespace { diff --git a/test/extensions/filters/http/custom_response/utility.h b/test/extensions/filters/http/custom_response/utility.h index 63f23766b98ec..0f433fea5326a 100644 --- a/test/extensions/filters/http/custom_response/utility.h +++ b/test/extensions/filters/http/custom_response/utility.h @@ -268,7 +268,7 @@ class TestModifyRequestHeadersActionFactory ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom filter config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "modify-request-headers-action"; } diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index 8e73a5808f38c..e072262e484b5 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -143,11 +143,11 @@ class ExtAuthzGrpcIntegrationTest labels["label_1"] = "value_1"; labels["label_2"] = "value_2"; - ProtobufWkt::Struct metadata; - ProtobufWkt::Value val; - ProtobufWkt::Struct* labels_obj = val.mutable_struct_value(); + Protobuf::Struct metadata; + Protobuf::Value val; + Protobuf::Struct* labels_obj = val.mutable_struct_value(); for (const auto& pair : labels) { - ProtobufWkt::Value val; + Protobuf::Value val; val.set_string_value(pair.second); (*labels_obj->mutable_fields())[pair.first] = val; } @@ -188,10 +188,10 @@ class ExtAuthzGrpcIntegrationTest config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* layer = bootstrap.mutable_layered_runtime()->add_layers(); layer->set_name("enable layer"); - ProtobufWkt::Struct& runtime = *layer->mutable_static_layer(); + Protobuf::Struct& runtime = *layer->mutable_static_layer(); bootstrap.mutable_layered_runtime()->mutable_layers(0)->set_name("base layer"); - ProtobufWkt::Struct& enable = + Protobuf::Struct& enable = *(*runtime.mutable_fields())["envoy.ext_authz.enable"].mutable_struct_value(); (*enable.mutable_fields())["numerator"].set_number_value(0); }); diff --git a/test/extensions/filters/http/ext_authz/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc index 5f24a87dd33ee..129798b8cefb5 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc @@ -80,7 +80,7 @@ template class HttpFilterTestBase : public T { static envoy::extensions::filters::http::ext_authz::v3::ExtAuthz getFilterConfig(bool failure_mode_allow, bool http_client, bool emit_filter_state_stats = false, - absl::optional filter_metadata = absl::nullopt) { + absl::optional filter_metadata = absl::nullopt) { const std::string http_config = R"EOF( failure_mode_allow_header_add: true http_service: @@ -270,12 +270,12 @@ class EmitFilterStateTest public: EmitFilterStateTest() : expected_output_(filterMetadata()) {} - absl::optional filterMetadata() const { + absl::optional filterMetadata() const { if (!std::get<2>(GetParam())) { return absl::nullopt; } - auto filter_metadata = Envoy::ProtobufWkt::Struct(); + auto filter_metadata = Envoy::Protobuf::Struct(); *(*filter_metadata.mutable_fields())["foo"].mutable_string_value() = "bar"; return filter_metadata; } @@ -3660,7 +3660,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadata) { decoder_filter_callbacks_.dispatcher_.globalTimeSystem().advanceTimeWait( std::chrono::milliseconds(10)); - ProtobufWkt::Value ext_authz_duration_value; + Protobuf::Value ext_authz_duration_value; ext_authz_duration_value.set_number_value(10); Filters::Common::ExtAuthz::Response response{}; @@ -3672,7 +3672,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadata) { EXPECT_CALL(decoder_filter_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce(Invoke([&response](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.ext_authz"); // Check timing metadata correctness EXPECT_TRUE(returned_dynamic_metadata.fields().at("ext_authz_duration").has_number_value()); @@ -3726,7 +3726,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadataWhenDenied) { EXPECT_CALL(decoder_filter_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce(Invoke([&response](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.ext_authz"); // Check timing metadata correctness EXPECT_FALSE(returned_dynamic_metadata.fields().contains("ext_authz_duration")); diff --git a/test/extensions/filters/http/ext_authz/logging_test_filter.cc b/test/extensions/filters/http/ext_authz/logging_test_filter.cc index 3222cfceb4754..5b33ab7079459 100644 --- a/test/extensions/filters/http/ext_authz/logging_test_filter.cc +++ b/test/extensions/filters/http/ext_authz/logging_test_filter.cc @@ -123,7 +123,7 @@ class LoggingTestFilter : public Http::PassThroughFilter { const bool expect_stats_; const bool expect_envoy_grpc_specific_stats_; const bool expect_response_bytes_; - const absl::optional filter_metadata_; + const absl::optional filter_metadata_; // The gRPC status returned by the authorization server when it is making a gRPC call. const LoggingTestFilterConfig::GrpcStatus expect_grpc_status_; }; diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 863a4af2a4642..610dcd416099f 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -39,8 +39,8 @@ using envoy::extensions::filters::http::ext_proc::v3::ExtProcPerRoute; using envoy::extensions::filters::http::ext_proc::v3::ProcessingMode; using envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager; using Envoy::Extensions::HttpFilters::ExternalProcessing::verifyMultipleHeaderValues; +using Envoy::Protobuf::Any; using Envoy::Protobuf::MapPair; -using Envoy::ProtobufWkt::Any; using envoy::service::ext_proc::v3::BodyResponse; using envoy::service::ext_proc::v3::CommonResponse; using envoy::service::ext_proc::v3::HeadersResponse; @@ -187,7 +187,7 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, auto* untyped_md = set_metadata_config.add_metadata(); untyped_md->set_metadata_namespace("forwarding_ns_untyped"); untyped_md->set_allow_overwrite(true); - ProtobufWkt::Struct test_md_val; + Protobuf::Struct test_md_val; (*test_md_val.mutable_fields())["foo"].set_string_value("value from set_metadata"); (*untyped_md->mutable_value()) = test_md_val; @@ -254,7 +254,7 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, processing_response_factory_registration_ = std::make_unique>( *processing_response_factory_); - ProtobufWkt::Struct config; + Protobuf::Struct config; proto_config_.mutable_on_processing_response()->set_name("test-on-processing-response"); proto_config_.mutable_on_processing_response()->mutable_typed_config()->PackFrom(config); } @@ -721,10 +721,10 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, } void testSendDyanmicMetadata() { - ProtobufWkt::Struct test_md_struct; + Protobuf::Struct test_md_struct; (*test_md_struct.mutable_fields())["foo"].set_string_value("value from ext_proc"); - ProtobufWkt::Value md_val; + Protobuf::Value md_val; *(md_val.mutable_struct_value()) = test_md_struct; processGenericMessage( @@ -732,7 +732,7 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, [md_val](const ProcessingRequest& req, ProcessingResponse& resp) { // Verify the processing request contains the untyped metadata we injected. EXPECT_TRUE(req.metadata_context().filter_metadata().contains("forwarding_ns_untyped")); - const ProtobufWkt::Struct& fwd_metadata = + const Protobuf::Struct& fwd_metadata = req.metadata_context().filter_metadata().at("forwarding_ns_untyped"); EXPECT_EQ(1, fwd_metadata.fields_size()); EXPECT_TRUE(fwd_metadata.fields().contains("foo")); @@ -741,7 +741,7 @@ class ExtProcIntegrationTest : public HttpIntegrationTest, // Verify the processing request contains the typed metadata we injected. EXPECT_TRUE( req.metadata_context().typed_filter_metadata().contains("forwarding_ns_typed")); - const ProtobufWkt::Any& fwd_typed_metadata = + const Protobuf::Any& fwd_typed_metadata = req.metadata_context().typed_filter_metadata().at("forwarding_ns_typed"); EXPECT_EQ("type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Metadata", fwd_typed_metadata.type_url()); diff --git a/test/extensions/filters/http/ext_proc/filter_test.cc b/test/extensions/filters/http/ext_proc/filter_test.cc index 1d5d02a8d2dc1..c3396e2b52e30 100644 --- a/test/extensions/filters/http/ext_proc/filter_test.cc +++ b/test/extensions/filters/http/ext_proc/filter_test.cc @@ -206,7 +206,7 @@ class HttpFilterTest : public testing::Test { return stream; } - void doSetDynamicMetadata(const std::string& ns, const ProtobufWkt::Struct& val) { + void doSetDynamicMetadata(const std::string& ns, const Protobuf::Struct& val) { (*dynamic_metadata_.mutable_filter_metadata())[ns] = val; }; @@ -627,13 +627,13 @@ class HttpFilterTest : public testing::Test { // The metadata configured as part of ext_proc filter should be in the filter state. // In addition, bytes sent/received should also be stored. - void expectFilterState(const Envoy::ProtobufWkt::Struct& expected_metadata) { + void expectFilterState(const Envoy::Protobuf::Struct& expected_metadata) { const auto* filterState = stream_info_.filterState() ->getDataReadOnly< Envoy::Extensions::HttpFilters::ExternalProcessing::ExtProcLoggingInfo>( filter_config_name); - const Envoy::ProtobufWkt::Struct& loggedMetadata = filterState->filterMetadata(); + const Envoy::Protobuf::Struct& loggedMetadata = filterState->filterMetadata(); EXPECT_THAT(loggedMetadata, ProtoEq(expected_metadata)); } @@ -735,7 +735,7 @@ TEST_F(HttpFilterTest, SimplestPost) { checkGrpcCallHeaderOnlyStats(envoy::config::core::v3::TrafficDirection::INBOUND); checkGrpcCallHeaderOnlyStats(envoy::config::core::v3::TrafficDirection::OUTBOUND); - Envoy::ProtobufWkt::Struct filter_metadata; + Envoy::Protobuf::Struct filter_metadata; (*filter_metadata.mutable_fields())["scooby"].set_string_value("doo"); expectFilterState(filter_metadata); } @@ -885,7 +885,7 @@ TEST_F(HttpFilterTest, PostAndRespondImmediately) { checkGrpcCallHeaderOnlyStats(envoy::config::core::v3::TrafficDirection::INBOUND); expectNoGrpcCall(envoy::config::core::v3::TrafficDirection::OUTBOUND); - expectFilterState(Envoy::ProtobufWkt::Struct()); + expectFilterState(Envoy::Protobuf::Struct()); } TEST_F(HttpFilterTest, PostAndRespondImmediatelyWithDisabledConfig) { @@ -4188,7 +4188,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadata) { EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->encodeHeaders(response_headers_, false)); processResponseHeaders(false, [](const HttpHeaders&, ProcessingResponse& resp, HeadersResponse&) { - ProtobufWkt::Struct foobar; + Protobuf::Struct foobar; (*foobar.mutable_fields())["foo"].set_string_value("bar"); auto metadata_mut = resp.mutable_dynamic_metadata()->mutable_fields(); auto mut_struct = (*metadata_mut)["envoy.filters.http.ext_proc"].mutable_struct_value(); @@ -4237,7 +4237,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadataArbitraryNamespace) { EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->encodeHeaders(response_headers_, false)); processResponseHeaders(false, [](const HttpHeaders&, ProcessingResponse& resp, HeadersResponse&) { - ProtobufWkt::Struct foobar; + Protobuf::Struct foobar; (*foobar.mutable_fields())["foo"].set_string_value("bar"); auto metadata_mut = resp.mutable_dynamic_metadata()->mutable_fields(); auto mut_struct = (*metadata_mut)["envoy.filters.http.ext_authz"].mutable_struct_value(); @@ -4283,7 +4283,7 @@ TEST_F(HttpFilterTest, DisableEmitDynamicMetadata) { EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->encodeHeaders(response_headers_, false)); processResponseHeaders(false, [](const HttpHeaders&, ProcessingResponse& resp, HeadersResponse&) { - ProtobufWkt::Struct foobar; + Protobuf::Struct foobar; (*foobar.mutable_fields())["foo"].set_string_value("bar"); auto metadata_mut = resp.mutable_dynamic_metadata()->mutable_fields(); auto mut_struct = (*metadata_mut)["envoy.filters.http.ext_proc"].mutable_struct_value(); @@ -4329,7 +4329,7 @@ TEST_F(HttpFilterTest, DisableEmittingDynamicMetadataToDisallowedNamespaces) { EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->encodeHeaders(response_headers_, false)); processResponseHeaders(false, [](const HttpHeaders&, ProcessingResponse& resp, HeadersResponse&) { - ProtobufWkt::Struct foobar; + Protobuf::Struct foobar; (*foobar.mutable_fields())["foo"].set_string_value("bar"); auto metadata_mut = resp.mutable_dynamic_metadata()->mutable_fields(); auto mut_struct = (*metadata_mut)["envoy.filters.http.ext_authz"].mutable_struct_value(); @@ -4369,7 +4369,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadataUseLast) { EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); processRequestHeaders(false, [](const HttpHeaders&, ProcessingResponse& resp, HeadersResponse&) { - ProtobufWkt::Struct batbaz; + Protobuf::Struct batbaz; (*batbaz.mutable_fields())["bat"].set_string_value("baz"); auto metadata_mut = resp.mutable_dynamic_metadata()->mutable_fields(); auto mut_struct = (*metadata_mut)["envoy.filters.http.ext_proc"].mutable_struct_value(); @@ -4381,7 +4381,7 @@ TEST_F(HttpFilterTest, EmitDynamicMetadataUseLast) { EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->encodeHeaders(response_headers_, false)); processResponseHeaders(false, [](const HttpHeaders&, ProcessingResponse& resp, HeadersResponse&) { - ProtobufWkt::Struct foobar; + Protobuf::Struct foobar; (*foobar.mutable_fields())["foo"].set_string_value("bar"); auto metadata_mut = resp.mutable_dynamic_metadata()->mutable_fields(); auto mut_struct = (*metadata_mut)["envoy.filters.http.ext_proc"].mutable_struct_value(); @@ -5648,7 +5648,7 @@ TEST_F(HttpFilterTest, OnProcessingResponseHeaders) { dynamic_metadata_.filter_metadata().contains("envoy-test-ext_proc-request_headers_response")); const auto& request_headers_struct_metadata = dynamic_metadata_.filter_metadata().at("envoy-test-ext_proc-request_headers_response"); - ProtobufWkt::Struct expected_request_headers; + Protobuf::Struct expected_request_headers; TestUtility::loadFromJson(R"EOF( { "x-do-we-want-this": "remove", @@ -5694,7 +5694,7 @@ TEST_F(HttpFilterTest, OnProcessingResponseHeaders) { "envoy-test-ext_proc-response_headers_response")); const auto& response_headers_struct_metadata = dynamic_metadata_.filter_metadata().at("envoy-test-ext_proc-response_headers_response"); - ProtobufWkt::Struct expected_response_headers; + Protobuf::Struct expected_response_headers; TestUtility::loadFromJson(R"EOF( { "x-new-header": "new", @@ -5915,7 +5915,7 @@ TEST_F(HttpFilterTest, OnProcessingResponseBodies) { dynamic_metadata_.filter_metadata().contains("envoy-test-ext_proc-request_body_response")); const auto& request_body_struct_metadata = dynamic_metadata_.filter_metadata().at("envoy-test-ext_proc-request_body_response"); - ProtobufWkt::Struct expected_request_body; + Protobuf::Struct expected_request_body; TestUtility::loadFromJson(R"EOF( { "clear_body": "1" @@ -5949,7 +5949,7 @@ TEST_F(HttpFilterTest, OnProcessingResponseBodies) { dynamic_metadata_.filter_metadata().contains("envoy-test-ext_proc-response_body_response")); const auto& response_body_struct_metadata = dynamic_metadata_.filter_metadata().at("envoy-test-ext_proc-response_body_response"); - ProtobufWkt::Struct expected_response_body; + Protobuf::Struct expected_response_body; TestUtility::loadFromJson(R"EOF( { "body": "Hello, World!" @@ -6075,7 +6075,7 @@ TEST_F(HttpFilterTest, SaveImmediateResponse) { checkGrpcCallHeaderOnlyStats(envoy::config::core::v3::TrafficDirection::INBOUND); expectNoGrpcCall(envoy::config::core::v3::TrafficDirection::OUTBOUND); - expectFilterState(Envoy::ProtobufWkt::Struct()); + expectFilterState(Envoy::Protobuf::Struct()); } TEST_F(HttpFilterTest, DontSaveImmediateResponse) { @@ -6140,7 +6140,7 @@ TEST_F(HttpFilterTest, DontSaveImmediateResponse) { checkGrpcCallHeaderOnlyStats(envoy::config::core::v3::TrafficDirection::INBOUND); expectNoGrpcCall(envoy::config::core::v3::TrafficDirection::OUTBOUND); - expectFilterState(Envoy::ProtobufWkt::Struct()); + expectFilterState(Envoy::Protobuf::Struct()); } TEST_F(HttpFilterTest, DontSaveImmediateResponseOnError) { @@ -6197,7 +6197,7 @@ TEST_F(HttpFilterTest, DontSaveImmediateResponseOnError) { expectNoGrpcCall(envoy::config::core::v3::TrafficDirection::OUTBOUND); - expectFilterState(Envoy::ProtobufWkt::Struct()); + expectFilterState(Envoy::Protobuf::Struct()); } TEST_F(HttpFilterTest, SaveResponseTrailers) { diff --git a/test/extensions/filters/http/ext_proc/utils.h b/test/extensions/filters/http/ext_proc/utils.h index 330a063bf830b..1b724297d978c 100644 --- a/test/extensions/filters/http/ext_proc/utils.h +++ b/test/extensions/filters/http/ext_proc/utils.h @@ -87,30 +87,30 @@ class TestOnProcessingResponse : public OnProcessingResponse { Envoy::StreamInfo::StreamInfo&) override; private: - Envoy::ProtobufWkt::Struct + Envoy::Protobuf::Struct getHeaderMutations(const envoy::service::ext_proc::v3::HeaderMutation& header_mutation) { - Envoy::ProtobufWkt::Struct struct_metadata; + Envoy::Protobuf::Struct struct_metadata; for (auto& header : header_mutation.set_headers()) { - Envoy::ProtobufWkt::Value value; + Envoy::Protobuf::Value value; value.mutable_string_value()->assign(header.header().raw_value()); struct_metadata.mutable_fields()->insert(std::make_pair(header.header().key(), value)); } for (auto& header : header_mutation.remove_headers()) { - Envoy::ProtobufWkt::Value value; + Envoy::Protobuf::Value value; value.mutable_string_value()->assign("remove"); struct_metadata.mutable_fields()->insert(std::make_pair(header, value)); } return struct_metadata; } - Envoy::ProtobufWkt::Struct + Envoy::Protobuf::Struct getBodyMutation(const envoy::service::ext_proc::v3::BodyMutation& body_mutation) { - Envoy::ProtobufWkt::Struct struct_metadata; + Envoy::Protobuf::Struct struct_metadata; if (body_mutation.has_body()) { - Envoy::ProtobufWkt::Value value; + Envoy::Protobuf::Value value; value.mutable_string_value()->assign(body_mutation.body()); struct_metadata.mutable_fields()->insert(std::make_pair("body", value)); } else { - Envoy::ProtobufWkt::Value value; + Envoy::Protobuf::Value value; value.mutable_string_value()->assign(absl::StrCat(body_mutation.clear_body())); struct_metadata.mutable_fields()->insert(std::make_pair("clear_body", value)); } @@ -130,7 +130,7 @@ class TestOnProcessingResponseFactory : public OnProcessingResponseFactory { ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom filter config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "on_processing_response"; } diff --git a/test/extensions/filters/http/grpc_field_extraction/filter_test.cc b/test/extensions/filters/http/grpc_field_extraction/filter_test.cc index b4cf646a959e9..71d0a220b2383 100644 --- a/test/extensions/filters/http/grpc_field_extraction/filter_test.cc +++ b/test/extensions/filters/http/grpc_field_extraction/filter_test.cc @@ -90,8 +90,8 @@ CreateApiKeyRequest makeCreateApiKeyRequest(absl::string_view pb = R"pb( return request; } -void checkProtoStruct(ProtobufWkt::Struct got, absl::string_view expected_in_pbtext) { - ProtobufWkt::Struct expected; +void checkProtoStruct(Protobuf::Struct got, absl::string_view expected_in_pbtext) { + Protobuf::Struct expected; ASSERT_TRUE(Protobuf::TextFormat::ParseFromString(expected_in_pbtext, &expected)); EXPECT_TRUE(TestUtility::protoEqual(got, expected, true)) << "got:\n" << got.DebugString() << "expected:\n" @@ -111,7 +111,7 @@ TEST_F(FilterTestExtractOk, UnarySingleBuffer) { CreateApiKeyRequest request = makeCreateApiKeyRequest(); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, expected_metadata); })); @@ -133,7 +133,7 @@ TEST_F(FilterTestExtractOk, EmptyFields) { CreateApiKeyRequest request = makeCreateApiKeyRequest(""); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -183,7 +183,7 @@ TEST_F(FilterTestExtractOk, UnaryMultipeBuffers) { EXPECT_EQ(middle_request_data.length(), 0); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, expected_metadata); })); @@ -235,7 +235,7 @@ extractions_by_method: { EXPECT_EQ(request_data3->length(), 0); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, expected_metadata); })); @@ -354,7 +354,7 @@ supported_types: { )pb"); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb(fields { key: "supported_types.double" @@ -539,7 +539,7 @@ repeated_intermediate: { )pb"); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -689,7 +689,7 @@ repeated_supported_types: { )pb"); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.grpc_field_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { diff --git a/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc b/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc index 16f0848294085..a14f61b37a2ca 100644 --- a/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc +++ b/test/extensions/filters/http/grpc_json_reverse_transcoder/grpc_json_reverse_transcoder_integration_test.cc @@ -16,8 +16,8 @@ using absl::Status; using absl::StatusCode; +using Envoy::Protobuf::Empty; using Envoy::Protobuf::TextFormat; -using Envoy::ProtobufWkt::Empty; using Envoy::Protobuf::util::MessageDifferencer; diff --git a/test/extensions/filters/http/grpc_json_transcoder/grpc_json_transcoder_integration_test.cc b/test/extensions/filters/http/grpc_json_transcoder/grpc_json_transcoder_integration_test.cc index 9b3e8d930b662..c0dddba0d1b45 100644 --- a/test/extensions/filters/http/grpc_json_transcoder/grpc_json_transcoder_integration_test.cc +++ b/test/extensions/filters/http/grpc_json_transcoder/grpc_json_transcoder_integration_test.cc @@ -15,8 +15,8 @@ using absl::Status; using absl::StatusCode; +using Envoy::Protobuf::Empty; using Envoy::Protobuf::TextFormat; -using Envoy::ProtobufWkt::Empty; namespace Envoy { namespace { @@ -1059,7 +1059,7 @@ std::string createDeepJson(int level, bool valid) { } std::string jsonStrToPbStrucStr(std::string json) { - Envoy::ProtobufWkt::Struct message; + Envoy::Protobuf::Struct message; std::string structStr; TestUtility::loadFromJson(json, message); TextFormat::PrintToString(message, &structStr); @@ -1106,12 +1106,12 @@ TEST_P(GrpcJsonTranscoderIntegrationTest, DeepStruct) { } std::string createLargeJson(int level) { - std::shared_ptr cur = std::make_shared(); + std::shared_ptr cur = std::make_shared(); for (int i = 0; i < level - 1; ++i) { - std::shared_ptr next = std::make_shared(); - ProtobufWkt::Value val = ProtobufWkt::Value(); - ProtobufWkt::Value left = ProtobufWkt::Value(*cur); - ProtobufWkt::Value right = ProtobufWkt::Value(*cur); + std::shared_ptr next = std::make_shared(); + Protobuf::Value val = Protobuf::Value(); + Protobuf::Value left = Protobuf::Value(*cur); + Protobuf::Value right = Protobuf::Value(*cur); val.mutable_list_value()->add_values()->Swap(&left); val.mutable_list_value()->add_values()->Swap(&right); (*next->mutable_struct_value()->mutable_fields())["k"] = val; diff --git a/test/extensions/filters/http/grpc_json_transcoder/http_body_utils_test.cc b/test/extensions/filters/http/grpc_json_transcoder/http_body_utils_test.cc index e9d0bd66a0a0a..010a7f093d650 100644 --- a/test/extensions/filters/http/grpc_json_transcoder/http_body_utils_test.cc +++ b/test/extensions/filters/http/grpc_json_transcoder/http_body_utils_test.cc @@ -26,7 +26,7 @@ class HttpBodyUtilsTest : public testing::Test { void setBodyFieldPath(const std::vector& body_field_path) { for (int field_number : body_field_path) { - ProtobufWkt::Field field; + Protobuf::Field field; field.set_number(field_number); raw_body_field_path_.emplace_back(std::move(field)); } @@ -82,8 +82,8 @@ class HttpBodyUtilsTest : public testing::Test { EXPECT_FALSE(HttpBodyUtils::parseMessageByFieldPath(&stream, body_field_path_, &http_body)); } - std::vector raw_body_field_path_; - std::vector body_field_path_; + std::vector raw_body_field_path_; + std::vector body_field_path_; }; TEST_F(HttpBodyUtilsTest, UnknownQueryParamsAppearInExtension) { diff --git a/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc b/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc index d751984c27716..40eebdcd935de 100644 --- a/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc +++ b/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc @@ -1531,7 +1531,7 @@ bookstore::EchoStructReqResp createDeepStruct(int level) { auto* field_map = msg.mutable_content()->mutable_fields(); for (int i = 0; i < level; ++i) { (*field_map)["level"] = ValueUtil::numberValue(i); - Envoy::ProtobufWkt::Struct s; + Envoy::Protobuf::Struct s; (*field_map)["struct"] = ValueUtil::structValue(s); field_map = (*field_map)["struct"].mutable_struct_value()->mutable_fields(); } diff --git a/test/extensions/filters/http/grpc_stats/config_test.cc b/test/extensions/filters/http/grpc_stats/config_test.cc index 4346ec23aee88..5fb0ce40d6a2c 100644 --- a/test/extensions/filters/http/grpc_stats/config_test.cc +++ b/test/extensions/filters/http/grpc_stats/config_test.cc @@ -504,11 +504,11 @@ TEST_F(GrpcStatsFilterConfigTest, MessageCounts) { {":path", "/lyft.users.BadCompanions/GetBadCompanions"}}; EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, false)); - ProtobufWkt::Value v1; + Protobuf::Value v1; v1.set_string_value("v1"); auto b1 = Grpc::Common::serializeToGrpcFrame(v1); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(*b1, false)); - ProtobufWkt::Value v2; + Protobuf::Value v2; v2.set_string_value("v2"); auto b2 = Grpc::Common::serializeToGrpcFrame(v2); EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(*b2, true)); diff --git a/test/extensions/filters/http/header_mutation/header_mutation_integration_test.cc b/test/extensions/filters/http/header_mutation/header_mutation_integration_test.cc index 9da8b14b6515e..eeb89c585ab0d 100644 --- a/test/extensions/filters/http/header_mutation/header_mutation_integration_test.cc +++ b/test/extensions/filters/http/header_mutation/header_mutation_integration_test.cc @@ -70,7 +70,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParammutable_typed_per_filter_config()->insert( {"downstream-header-mutation", per_route_config}); @@ -87,7 +87,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParammutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; per_route_config.PackFrom(header_mutation); route->mutable_typed_per_filter_config()->insert( {absl::StrCat(prefix, "-header-mutation"), per_route_config}); @@ -106,7 +106,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParammutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config_vhost; + Protobuf::Any per_route_config_vhost; per_route_config_vhost.PackFrom(header_mutation_vhost); auto* vhost = hcm.mutable_route_config()->mutable_virtual_hosts(0); @@ -124,7 +124,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParammutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config_rt; + Protobuf::Any per_route_config_rt; per_route_config_rt.PackFrom(header_mutation_rt); auto* route_table = hcm.mutable_route_config(); @@ -222,7 +222,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParamPackFrom(header_mutation); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; per_route_config.PackFrom(per_route_filter_config); route->mutable_typed_per_filter_config()->insert( {"upstream-header-mutation", per_route_config}); @@ -234,7 +234,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParamPackFrom(header_mutation_vhost); - ProtobufWkt::Any per_route_config_vhost; + Protobuf::Any per_route_config_vhost; per_route_config_vhost.PackFrom(per_route_filter_config_vhost); auto* vhost = hcm.mutable_route_config()->mutable_virtual_hosts(0); @@ -248,7 +248,7 @@ class HeaderMutationIntegrationTest : public testing::TestWithParamPackFrom(header_mutation_rt); - ProtobufWkt::Any per_route_config_rt; + Protobuf::Any per_route_config_rt; per_route_config_rt.PackFrom(per_route_filter_config_rt); auto* route_table = hcm.mutable_route_config(); @@ -388,7 +388,7 @@ disabled: true request_mutation->mutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; per_route_config.PackFrom(header_mutation); route->mutable_typed_per_filter_config()->insert( {"downstream-header-mutation", per_route_config}); @@ -405,7 +405,7 @@ disabled: true "upstream-per-route-flag-header-value"); response_mutation->mutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; per_route_config.PackFrom(header_mutation); route->mutable_typed_per_filter_config()->insert( {"upstream-header-mutation", per_route_config}); @@ -416,7 +416,7 @@ disabled: true envoy::config::route::v3::FilterConfig filter_config; filter_config.mutable_config()->PackFrom(PerRouteProtoConfig()); filter_config.set_disabled(false); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; per_route_config.PackFrom(filter_config); // Try enable the filter that is disabled by default. route->mutable_typed_per_filter_config()->insert( @@ -429,7 +429,7 @@ disabled: true // Per route disable downstream and upstream header mutation. envoy::config::route::v3::FilterConfig filter_config; filter_config.set_disabled(true); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; per_route_config.PackFrom(filter_config); another_route->mutable_typed_per_filter_config()->insert( {"downstream-header-mutation", per_route_config}); @@ -451,7 +451,7 @@ disabled: true response_mutation_vhost->mutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config_vhost; + Protobuf::Any per_route_config_vhost; per_route_config_vhost.PackFrom(header_mutation_vhost); auto* vhost = hcm.mutable_route_config()->mutable_virtual_hosts(0); @@ -470,7 +470,7 @@ disabled: true response_mutation_vhost->mutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config_vhost; + Protobuf::Any per_route_config_vhost; per_route_config_vhost.PackFrom(header_mutation_vhost); auto* vhost = hcm.mutable_route_config()->mutable_virtual_hosts(0); @@ -492,7 +492,7 @@ disabled: true response_mutation_rt->mutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config_rt; + Protobuf::Any per_route_config_rt; per_route_config_rt.PackFrom(header_mutation_rt); auto* route_table = hcm.mutable_route_config(); @@ -511,7 +511,7 @@ disabled: true response_mutation_rt->mutable_append()->set_append_action( envoy::config::core::v3::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - ProtobufWkt::Any per_route_config_rt; + Protobuf::Any per_route_config_rt; per_route_config_rt.PackFrom(header_mutation_rt); auto* route_table = hcm.mutable_route_config(); diff --git a/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc b/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc index 2d614c1820ffc..6dd58a2358d84 100644 --- a/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc +++ b/test/extensions/filters/http/header_to_metadata/header_to_metadata_filter_test.cc @@ -28,7 +28,7 @@ namespace HeaderToMetadataFilter { namespace { MATCHER_P(MapEq, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).string_value(), entry.second); @@ -37,7 +37,7 @@ MATCHER_P(MapEq, rhs, "") { } MATCHER_P(MapEqNum, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).number_value(), entry.second); @@ -46,7 +46,7 @@ MATCHER_P(MapEqNum, rhs, "") { } MATCHER_P(MapEqValue, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_TRUE(TestUtility::protoEqual(obj.fields().at(entry.first), entry.second)); @@ -289,10 +289,10 @@ TEST_F(HeaderToMetadataTest, ProtobufValueTypeInBase64UrlTest) { )EOF"; EXPECT_TRUE(initializeFilter(response_config_yaml).ok()); - ProtobufWkt::Value value; + Protobuf::Value value; auto* s = value.mutable_struct_value(); - ProtobufWkt::Value v; + Protobuf::Value v; v.set_string_value("blafoo"); (*s->mutable_fields())["k1"] = v; v.set_number_value(2019.07); @@ -304,7 +304,7 @@ TEST_F(HeaderToMetadataTest, ProtobufValueTypeInBase64UrlTest) { ASSERT_TRUE(value.SerializeToString(&data)); const auto encoded = Base64::encode(data.c_str(), data.size()); Http::TestResponseHeaderMapImpl incoming_headers{{"x-authenticated", encoded}}; - std::map expected = {{"auth", value}}; + std::map expected = {{"auth", value}}; EXPECT_CALL(encoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(req_info_)); EXPECT_CALL(req_info_, diff --git a/test/extensions/filters/http/json_to_metadata/filter_test.cc b/test/extensions/filters/http/json_to_metadata/filter_test.cc index f2a684b593494..d5b3268df8904 100644 --- a/test/extensions/filters/http/json_to_metadata/filter_test.cc +++ b/test/extensions/filters/http/json_to_metadata/filter_test.cc @@ -22,7 +22,7 @@ namespace HttpFilters { namespace JsonToMetadata { MATCHER_P(MapEq, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).string_value(), entry.second); @@ -31,7 +31,7 @@ MATCHER_P(MapEq, rhs, "") { } MATCHER_P2(MapEqType, rhs, getter, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(getter(obj.fields().at(entry.first)), entry.second); @@ -208,11 +208,10 @@ TEST_F(FilterTest, BasicBoolMatch) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.bool_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.bool_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -230,11 +229,10 @@ TEST_F(FilterTest, BasicIntegerMatch) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -252,11 +250,10 @@ TEST_F(FilterTest, BasicDoubleMatch) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -374,11 +371,10 @@ TEST_F(FilterTest, StringToNumber) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -409,11 +405,10 @@ TEST_F(FilterTest, BadStringToNumber) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -467,11 +462,10 @@ TEST_F(FilterTest, NumberToNumber) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -525,11 +519,10 @@ TEST_F(FilterTest, IntegerToNumber) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); @@ -583,11 +576,10 @@ TEST_F(FilterTest, BoolToNumber) { filter_->decodeHeaders(incoming_headers_, false)); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); - EXPECT_CALL( - stream_info_, - setDynamicMetadata("envoy.lb", MapEqType(expected, [](const ProtobufWkt::Value& value) { - return value.number_value(); - }))); + EXPECT_CALL(stream_info_, + setDynamicMetadata("envoy.lb", MapEqType(expected, [](const Protobuf::Value& value) { + return value.number_value(); + }))); testRequestWithBody(request_body); EXPECT_EQ(getCounterValue("json_to_metadata.rq.success"), 1); diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc index 0202d588358b9..946b3bb839e19 100644 --- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc +++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc @@ -65,7 +65,7 @@ class AuthenticatorTest : public testing::Test { google::jwt_verify::getStatusString(expected_status).c_str()); }; auto set_extracted_jwt_data_cb = [this](const std::string& name, - const ProtobufWkt::Struct& extracted_data) { + const Protobuf::Struct& extracted_data) { this->addExtractedData(name, extracted_data); }; initTokenExtractor(); @@ -86,7 +86,7 @@ class AuthenticatorTest : public testing::Test { // This is like ContextImpl::addExtractedData in // source/extensions/filters/http/jwt_authn/verifier.cc. - void addExtractedData(const std::string& name, const ProtobufWkt::Struct& extracted_data) { + void addExtractedData(const std::string& name, const Protobuf::Struct& extracted_data) { *(*out_extracted_data_.mutable_fields())[name].mutable_struct_value() = extracted_data; } @@ -98,7 +98,7 @@ class AuthenticatorTest : public testing::Test { JwksFetcherPtr fetcher_; AuthenticatorPtr auth_; ::google::jwt_verify::JwksPtr jwks_; - ProtobufWkt::Struct out_extracted_data_; + Protobuf::Struct out_extracted_data_; NiceMock parent_span_; }; @@ -318,7 +318,7 @@ TEST_F(AuthenticatorTest, TestSetPayload) { // Only one field is set. EXPECT_EQ(1, out_extracted_data_.fields().size()); - ProtobufWkt::Value expected_payload; + Protobuf::Value expected_payload; TestUtility::loadFromJson(ExpectedPayloadJSON, expected_payload); EXPECT_TRUE( TestUtility::protoEqual(expected_payload, out_extracted_data_.fields().at("my_payload"))); @@ -350,7 +350,7 @@ TEST_F(AuthenticatorTest, TestSetPayloadWithSpaces) { // Only one field is set. EXPECT_EQ(1, out_extracted_data_.fields().size()); - ProtobufWkt::Value expected_payload; + Protobuf::Value expected_payload; TestUtility::loadFromJson(ExpectedPayloadJSONWithSpaces, expected_payload); EXPECT_TRUE( TestUtility::protoEqual(expected_payload, out_extracted_data_.fields().at("my_payload"))); @@ -377,7 +377,7 @@ TEST_F(AuthenticatorTest, TestSetHeader) { EXPECT_EQ(1, out_extracted_data_.fields().size()); // We should expect empty JWT payload. - ProtobufWkt::Value expected_payload; + Protobuf::Value expected_payload; TestUtility::loadFromJson(ExpectedHeaderJSON, expected_payload); EXPECT_TRUE( TestUtility::protoEqual(expected_payload, out_extracted_data_.fields().at("my_header"))); @@ -604,12 +604,12 @@ TEST_F(AuthenticatorTest, TestSetPayloadAndHeader) { EXPECT_EQ(2, out_extracted_data_.fields().size()); // We should expect both JWT payload and header are set. - ProtobufWkt::Value expected_payload; + Protobuf::Value expected_payload; TestUtility::loadFromJson(ExpectedPayloadJSON, expected_payload); EXPECT_TRUE( TestUtility::protoEqual(expected_payload, out_extracted_data_.fields().at("my_payload"))); - ProtobufWkt::Value expected_header; + Protobuf::Value expected_header; TestUtility::loadFromJson(ExpectedHeaderJSON, expected_header); EXPECT_TRUE( TestUtility::protoEqual(expected_header, out_extracted_data_.fields().at("my_header"))); @@ -1102,7 +1102,7 @@ class AuthenticatorJwtCacheTest : public testing::Test { ASSERT_EQ(status, expected_status); }; auto set_extracted_jwt_data_cb = [this](const std::string& name, - const ProtobufWkt::Struct& extracted_data) { + const Protobuf::Struct& extracted_data) { out_name_ = name; out_extracted_data_ = extracted_data; }; @@ -1120,7 +1120,7 @@ class AuthenticatorJwtCacheTest : public testing::Test { ExtractorConstPtr extractor_; NiceMock parent_span_; std::string out_name_; - ProtobufWkt::Struct out_extracted_data_; + Protobuf::Struct out_extracted_data_; }; TEST_F(AuthenticatorJwtCacheTest, TestNonProvider) { @@ -1183,7 +1183,7 @@ TEST_F(AuthenticatorJwtCacheTest, TestCacheHit) { // Payload is set EXPECT_EQ(out_name_, "my_payload"); - ProtobufWkt::Struct expected_payload; + Protobuf::Struct expected_payload; TestUtility::loadFromJson(ExpectedPayloadJSON, expected_payload); EXPECT_TRUE(TestUtility::protoEqual(out_extracted_data_, expected_payload)); } diff --git a/test/extensions/filters/http/jwt_authn/filter_test.cc b/test/extensions/filters/http/jwt_authn/filter_test.cc index 404b52a6997fe..6870ce1bcb6e9 100644 --- a/test/extensions/filters/http/jwt_authn/filter_test.cc +++ b/test/extensions/filters/http/jwt_authn/filter_test.cc @@ -147,7 +147,7 @@ TEST_F(FilterTest, CorsPreflightMssingAccessControlRequestMethod) { // This test verifies the setExtractedData call is handled correctly TEST_F(FilterTest, TestSetExtractedData) { setupMockConfig(); - ProtobufWkt::Struct extracted_data; + Protobuf::Struct extracted_data; // A successful authentication completed inline: callback is called inside verify(). EXPECT_CALL(*mock_verifier_, verify(_)) .WillOnce(Invoke([&extracted_data](ContextSharedPtr context) { @@ -157,7 +157,7 @@ TEST_F(FilterTest, TestSetExtractedData) { EXPECT_CALL(filter_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([&extracted_data](const std::string& ns, const ProtobufWkt::Struct& out_payload) { + Invoke([&extracted_data](const std::string& ns, const Protobuf::Struct& out_payload) { EXPECT_EQ(ns, "envoy.filters.http.jwt_authn"); EXPECT_TRUE(TestUtility::protoEqual(out_payload, extracted_data)); })); diff --git a/test/extensions/filters/http/jwt_authn/group_verifier_test.cc b/test/extensions/filters/http/jwt_authn/group_verifier_test.cc index a54a747481c56..97e61234afef7 100644 --- a/test/extensions/filters/http/jwt_authn/group_verifier_test.cc +++ b/test/extensions/filters/http/jwt_authn/group_verifier_test.cc @@ -88,7 +88,7 @@ class GroupVerifierTest : public testing::Test { SetExtractedJwtDataCallback set_extracted_jwt_data_cb, AuthenticatorCallback callback) { if (status == Status::Ok) { - ProtobufWkt::Struct empty_struct; + Protobuf::Struct empty_struct; set_extracted_jwt_data_cb(issuer, empty_struct); } callback(status); @@ -101,11 +101,11 @@ class GroupVerifierTest : public testing::Test { // This expected extracted data is only for createSyncMockAuthsAndVerifier() function // which set an empty extracted data struct for each issuer. - static ProtobufWkt::Struct getExpectedExtractedData(const std::vector& issuers) { - ProtobufWkt::Struct struct_obj; + static Protobuf::Struct getExpectedExtractedData(const std::vector& issuers) { + Protobuf::Struct struct_obj; auto* fields = struct_obj.mutable_fields(); for (const auto& issuer : issuers) { - ProtobufWkt::Struct empty_struct; + Protobuf::Struct empty_struct; *(*fields)[issuer].mutable_struct_value() = empty_struct; } return struct_obj; @@ -174,7 +174,7 @@ TEST_F(GroupVerifierTest, DeeplyNestedAnys) { createSyncMockAuthsAndVerifier(StatusMap{{"example_provider", Status::Ok}}); EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& extracted_data) { + .WillOnce(Invoke([](const Protobuf::Struct& extracted_data) { EXPECT_TRUE(TestUtility::protoEqual(extracted_data, getExpectedExtractedData({"example_provider"}))); })); @@ -231,7 +231,7 @@ TEST_F(GroupVerifierTest, TestRequiresAll) { StatusMap{{"example_provider", Status::Ok}, {"other_provider", Status::Ok}}); EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& extracted_data) { + .WillOnce(Invoke([](const Protobuf::Struct& extracted_data) { EXPECT_TRUE(TestUtility::protoEqual( extracted_data, getExpectedExtractedData({"example_provider", "other_provider"}))); })); @@ -319,7 +319,7 @@ TEST_F(GroupVerifierTest, TestRequiresAnyFirstAuthOK) { createSyncMockAuthsAndVerifier(StatusMap{{"example_provider", Status::Ok}}); EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& extracted_data) { + .WillOnce(Invoke([](const Protobuf::Struct& extracted_data) { EXPECT_TRUE(TestUtility::protoEqual(extracted_data, getExpectedExtractedData({"example_provider"}))); })); @@ -342,7 +342,7 @@ TEST_F(GroupVerifierTest, TestRequiresAnyLastAuthOk) { StatusMap{{"example_provider", Status::JwtUnknownIssuer}, {"other_provider", Status::Ok}}); EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& extracted_data) { + .WillOnce(Invoke([](const Protobuf::Struct& extracted_data) { EXPECT_TRUE( TestUtility::protoEqual(extracted_data, getExpectedExtractedData({"other_provider"}))); })); @@ -431,7 +431,7 @@ TEST_F(GroupVerifierTest, TestAnyInAllFirstAnyIsOk) { createSyncMockAuthsAndVerifier(StatusMap{{"provider_1", Status::Ok}, {"provider_3", Status::Ok}}); EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& extracted_data) { + .WillOnce(Invoke([](const Protobuf::Struct& extracted_data) { EXPECT_TRUE(TestUtility::protoEqual( extracted_data, getExpectedExtractedData({"provider_1", "provider_3"}))); })); @@ -451,7 +451,7 @@ TEST_F(GroupVerifierTest, TestAnyInAllLastAnyIsOk) { {"provider_3", Status::Ok}}); EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& extracted_data) { + .WillOnce(Invoke([](const Protobuf::Struct& extracted_data) { EXPECT_TRUE(TestUtility::protoEqual( extracted_data, getExpectedExtractedData({"provider_2", "provider_3"}))); })); diff --git a/test/extensions/filters/http/jwt_authn/mock.h b/test/extensions/filters/http/jwt_authn/mock.h index b9e340d0f7876..92dcf2ad88bc3 100644 --- a/test/extensions/filters/http/jwt_authn/mock.h +++ b/test/extensions/filters/http/jwt_authn/mock.h @@ -47,7 +47,7 @@ class MockAuthenticator : public Authenticator { class MockVerifierCallbacks : public Verifier::Callbacks { public: - MOCK_METHOD(void, setExtractedData, (const ProtobufWkt::Struct& payload)); + MOCK_METHOD(void, setExtractedData, (const Protobuf::Struct& payload)); MOCK_METHOD(void, clearRouteCache, ()); MOCK_METHOD(void, onComplete, (const Status& status)); }; diff --git a/test/extensions/filters/http/jwt_authn/provider_verifier_test.cc b/test/extensions/filters/http/jwt_authn/provider_verifier_test.cc index dacbefbdd6137..0c27591c6f98a 100644 --- a/test/extensions/filters/http/jwt_authn/provider_verifier_test.cc +++ b/test/extensions/filters/http/jwt_authn/provider_verifier_test.cc @@ -22,11 +22,11 @@ namespace HttpFilters { namespace JwtAuthn { namespace { -ProtobufWkt::Struct getExpectedPayload(const std::string& name) { - ProtobufWkt::Struct expected_payload; +Protobuf::Struct getExpectedPayload(const std::string& name) { + Protobuf::Struct expected_payload; TestUtility::loadFromJson(ExpectedPayloadJSON, expected_payload); - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; *(*struct_obj.mutable_fields())[name].mutable_struct_value() = expected_payload; return struct_obj; } @@ -60,10 +60,9 @@ TEST_F(ProviderVerifierTest, TestOkJWT) { createVerifier(); MockUpstream mock_pubkey(mock_factory_ctx_.server_factory_context_.cluster_manager_, PublicKey); - EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& payload) { - EXPECT_TRUE(TestUtility::protoEqual(payload, getExpectedPayload("my_payload"))); - })); + EXPECT_CALL(mock_cb_, setExtractedData(_)).WillOnce(Invoke([](const Protobuf::Struct& payload) { + EXPECT_TRUE(TestUtility::protoEqual(payload, getExpectedPayload("my_payload"))); + })); EXPECT_CALL(mock_cb_, onComplete(Status::Ok)); @@ -91,14 +90,13 @@ TEST_F(ProviderVerifierTest, TestOkJWTWithExtractedHeaderAndPayload) { createVerifier(); MockUpstream mock_pubkey(mock_factory_ctx_.server_factory_context_.cluster_manager_, PublicKey); - EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& payload) { - // The expected payload is a merged struct of the extracted (from the JWT) payload and - // header data with "my_payload" and "my_header" as the keys. - ProtobufWkt::Struct expected_payload; - MessageUtil::loadFromJson(ExpectedPayloadAndHeaderJSON, expected_payload); - EXPECT_TRUE(TestUtility::protoEqual(payload, expected_payload)); - })); + EXPECT_CALL(mock_cb_, setExtractedData(_)).WillOnce(Invoke([](const Protobuf::Struct& payload) { + // The expected payload is a merged struct of the extracted (from the JWT) payload and + // header data with "my_payload" and "my_header" as the keys. + Protobuf::Struct expected_payload; + MessageUtil::loadFromJson(ExpectedPayloadAndHeaderJSON, expected_payload); + EXPECT_TRUE(TestUtility::protoEqual(payload, expected_payload)); + })); EXPECT_CALL(mock_cb_, onComplete(Status::Ok)); @@ -119,13 +117,12 @@ TEST_F(ProviderVerifierTest, TestExpiredJWTWithFailedStatusInMetadata) { createVerifier(); MockUpstream mock_pubkey(mock_factory_ctx_.server_factory_context_.cluster_manager_, PublicKey); - EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& payload) { - ProtobufWkt::Struct expected_payload; - MessageUtil::loadFromJson(ExpectedJWTExpiredStatusJSON, expected_payload); + EXPECT_CALL(mock_cb_, setExtractedData(_)).WillOnce(Invoke([](const Protobuf::Struct& payload) { + Protobuf::Struct expected_payload; + MessageUtil::loadFromJson(ExpectedJWTExpiredStatusJSON, expected_payload); - EXPECT_TRUE(TestUtility::protoEqual(payload, expected_payload)); - })); + EXPECT_TRUE(TestUtility::protoEqual(payload, expected_payload)); + })); EXPECT_CALL(mock_cb_, onComplete(Status::JwtExpired)); @@ -142,10 +139,9 @@ TEST_F(ProviderVerifierTest, TestSpanPassedDown) { createVerifier(); MockUpstream mock_pubkey(mock_factory_ctx_.server_factory_context_.cluster_manager_, PublicKey); - EXPECT_CALL(mock_cb_, setExtractedData(_)) - .WillOnce(Invoke([](const ProtobufWkt::Struct& payload) { - EXPECT_TRUE(TestUtility::protoEqual(payload, getExpectedPayload("my_payload"))); - })); + EXPECT_CALL(mock_cb_, setExtractedData(_)).WillOnce(Invoke([](const Protobuf::Struct& payload) { + EXPECT_TRUE(TestUtility::protoEqual(payload, getExpectedPayload("my_payload"))); + })); EXPECT_CALL(mock_cb_, onComplete(Status::Ok)); diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc index 80443e2b435b1..985ad9d2b29ff 100644 --- a/test/extensions/filters/http/lua/lua_filter_test.cc +++ b/test/extensions/filters/http/lua/lua_filter_test.cc @@ -2304,17 +2304,17 @@ TEST_F(LuaHttpFilterTest, GetConnectionDynamicMetadata) { )EOF"}; // Proxy Protocol Filter Metadata - ProtobufWkt::Value tlv_ea_value; + Protobuf::Value tlv_ea_value; tlv_ea_value.set_string_value("vpce-064c279a4001a055f"); - ProtobufWkt::Struct proxy_protocol_metadata; + Protobuf::Struct proxy_protocol_metadata; proxy_protocol_metadata.mutable_fields()->insert({"tlv_ea", tlv_ea_value}); (*stream_info_.metadata_.mutable_filter_metadata())["envoy.proxy_protocol"] = proxy_protocol_metadata; // LB Filter Metadata - ProtobufWkt::Value lb_version_value; + Protobuf::Value lb_version_value; lb_version_value.set_string_value("v1.0"); - ProtobufWkt::Struct lb_metadata; + Protobuf::Struct lb_metadata; lb_metadata.mutable_fields()->insert({"version", lb_version_value}); (*stream_info_.metadata_.mutable_filter_metadata())["envoy.lb"] = lb_metadata; @@ -2363,10 +2363,10 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadata) { setup(SCRIPT); // Create a simple Struct for testing typed metadata - ProtobufWkt::Struct main_struct; + Protobuf::Struct main_struct; // Create a nested struct for typed_metadata - ProtobufWkt::Struct typed_metadata_struct; + Protobuf::Struct typed_metadata_struct; (*typed_metadata_struct.mutable_fields())["tlv_ea"].set_string_value("vpce-1234567890abcdef"); (*typed_metadata_struct.mutable_fields())["pp2_type"].set_string_value("PROXY"); @@ -2374,7 +2374,7 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadata) { auto* typed_meta_value = &(*main_struct.mutable_fields())["typed_metadata"]; typed_meta_value->mutable_struct_value()->MergeFrom(typed_metadata_struct); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(main_struct); // Add the typed metadata to the stream info @@ -2431,14 +2431,14 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadataComplex) { setup(SCRIPT); // Create a complex Struct for testing - ProtobufWkt::Struct main_struct; + Protobuf::Struct main_struct; // Add simple key/value pairs (*main_struct.mutable_fields())["tlv_ea"].set_string_value("vpce-1234567890abcdef"); (*main_struct.mutable_fields())["pp2_type"].set_string_value("PROXY"); // Create a nested struct for SSL info - ProtobufWkt::Struct ssl_info; + Protobuf::Struct ssl_info; (*ssl_info.mutable_fields())["version"].set_string_value("TLSv1.3"); (*ssl_info.mutable_fields())["cipher"].set_string_value("ECDHE-RSA-AES128-GCM-SHA256"); @@ -2447,7 +2447,7 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadataComplex) { ssl_value->mutable_struct_value()->MergeFrom(ssl_info); // Create an array of addresses - ProtobufWkt::ListValue addresses; + Protobuf::ListValue addresses; addresses.add_values()->set_string_value("192.168.1.1"); addresses.add_values()->set_string_value("10.0.0.1"); addresses.add_values()->set_string_value("172.16.0.1"); @@ -2456,7 +2456,7 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadataComplex) { auto* addresses_value = &(*main_struct.mutable_fields())["addresses"]; addresses_value->mutable_list_value()->MergeFrom(addresses); - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(main_struct); // Add the typed metadata to the stream info @@ -2524,7 +2524,7 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadataInvalidType) { setup(SCRIPT); // Pack an invalid/unknown message type - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/unknown.type"); typed_config.set_value("invalid data"); @@ -2555,7 +2555,7 @@ TEST_F(LuaHttpFilterTest, GetConnectionTypedMetadataUnpackFailure) { setup(SCRIPT); // Pack invalid data that will fail to unpack - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/envoy.data.core.v3.TlvsMetadata"); typed_config.set_value("invalid protobuf data"); @@ -2586,10 +2586,10 @@ TEST_F(LuaHttpFilterTest, GetDynamicMetadataBinaryData) { end )EOF"}; - ProtobufWkt::Value metadata_value; + Protobuf::Value metadata_value; constexpr uint8_t buffer[] = {'h', 'e', 0x00, 'l', 'l', 'o'}; metadata_value.set_string_value(reinterpret_cast(buffer), sizeof(buffer)); - ProtobufWkt::Struct metadata; + Protobuf::Struct metadata; metadata.mutable_fields()->insert({"bin_data", metadata_value}); (*stream_info_.metadata_.mutable_filter_metadata())["envoy.pp"] = metadata; @@ -2641,12 +2641,12 @@ TEST_F(LuaHttpFilterTest, SetGetDynamicMetadata) { .at("foo") .string_value()); - const ProtobufWkt::Struct& meta_complex = stream_info.dynamicMetadata() - .filter_metadata() - .at("envoy.lb") - .fields() - .at("complex") - .struct_value(); + const Protobuf::Struct& meta_complex = stream_info.dynamicMetadata() + .filter_metadata() + .at("envoy.lb") + .fields() + .at("complex") + .struct_value(); EXPECT_EQ("abcd", meta_complex.fields().at("x").string_value()); EXPECT_EQ(1234.0, meta_complex.fields().at("y").number_value()); EXPECT_EQ(0, stats_store_.counter("test.lua.errors").value()); @@ -3731,14 +3731,14 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoTypedMetadata) { setup(SCRIPT); // Create a Struct for testing typed metadata using the set_metadata filter's proto - ProtobufWkt::Struct main_struct; + Protobuf::Struct main_struct; // Add simple key/value pairs (*main_struct.mutable_fields())["metadata_namespace"].set_string_value("test.namespace"); (*main_struct.mutable_fields())["allow_overwrite"].set_bool_value(true); // Pack the Struct into an Any - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/google.protobuf.Struct"); typed_config.PackFrom(main_struct); @@ -3794,14 +3794,14 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoComplexTypedMetadata) { setup(SCRIPT); // Create a complex Struct for testing - ProtobufWkt::Struct main_struct; + Protobuf::Struct main_struct; // Add simple key/value pairs (*main_struct.mutable_fields())["filter_name"].set_string_value("complex_metadata"); (*main_struct.mutable_fields())["version"].set_string_value("v1.2.3"); // Create a nested struct for config - ProtobufWkt::Struct config_struct; + Protobuf::Struct config_struct; (*config_struct.mutable_fields())["version"].set_string_value("v2.0.0"); (*config_struct.mutable_fields())["enabled"].set_bool_value(true); @@ -3810,7 +3810,7 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoComplexTypedMetadata) { *config_value->mutable_struct_value() = config_struct; // Create a list for servers - ProtobufWkt::ListValue servers_list; + Protobuf::ListValue servers_list; servers_list.add_values()->set_string_value("server1.example.com"); servers_list.add_values()->set_string_value("server2.example.com"); @@ -3819,7 +3819,7 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoComplexTypedMetadata) { *servers_value->mutable_list_value() = servers_list; // Pack the Struct into an Any - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/google.protobuf.Struct"); typed_config.PackFrom(main_struct); @@ -3884,7 +3884,7 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoTypedMetadataInvalidType) { setup(SCRIPT); // Pack an invalid/unknown message type - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/unknown.type"); typed_config.set_value("invalid data"); @@ -3916,7 +3916,7 @@ TEST_F(LuaHttpFilterTest, GetStreamInfoTypedMetadataUnpackFailure) { setup(SCRIPT); // Pack invalid data that will fail to unpack - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.set_type_url("type.googleapis.com/google.protobuf.Struct"); typed_config.set_value("invalid protobuf data"); diff --git a/test/extensions/filters/http/lua/lua_integration_test.cc b/test/extensions/filters/http/lua/lua_integration_test.cc index bd2fcd2c8fe62..7eac57b65ce92 100644 --- a/test/extensions/filters/http/lua/lua_integration_test.cc +++ b/test/extensions/filters/http/lua/lua_integration_test.cc @@ -75,7 +75,7 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { // Metadata variables for the virtual host and route. const std::string key = "lua"; - ProtobufWkt::Struct value; + Protobuf::Struct value; std::string yaml; // Sets the virtual host's metadata. @@ -90,7 +90,7 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { ->mutable_virtual_hosts(0) ->mutable_metadata() ->mutable_filter_metadata() - ->insert(Protobuf::MapPair(key, value)); + ->insert(Protobuf::MapPair(key, value)); // Sets the route's metadata. yaml = @@ -107,7 +107,7 @@ class LuaIntegrationTest : public UpstreamDownstreamIntegrationTest { ->mutable_routes(0) ->mutable_metadata() ->mutable_filter_metadata() - ->insert(Protobuf::MapPair(key, value)); + ->insert(Protobuf::MapPair(key, value)); }); // This filter is not compatible with the async load balancer, as httpCall with data will @@ -1611,7 +1611,7 @@ class TestTypedMetadataFilter final : public Network::ReadFilter { (*typed_metadata_map)["ssl_cn"] = "client.example.com"; // Pack metadata into Any - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(metadata); typed_filter_metadata.insert({metadata_key, typed_config}); @@ -1639,7 +1639,7 @@ class TestTypedMetadataFilterConfig final } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.typed_metadata"; } @@ -1687,7 +1687,7 @@ class PPV2TypedMetadataFilter final : public Network::ReadFilter { (*typed_metadata_map)["ssl_cipher"] = "ECDHE-RSA-AES128-GCM-SHA256"; // Pack metadata into Any - ProtobufWkt::Any typed_config; + Protobuf::Any typed_config; typed_config.PackFrom(metadata); typed_filter_metadata.insert({metadata_key, typed_config}); @@ -1715,7 +1715,7 @@ class PPV2TypedMetadataFilterConfig final } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.test.ppv2.typed_metadata"; } diff --git a/test/extensions/filters/http/lua/wrappers_test.cc b/test/extensions/filters/http/lua/wrappers_test.cc index 25b59fc519ed2..30f53ef1d87c3 100644 --- a/test/extensions/filters/http/lua/wrappers_test.cc +++ b/test/extensions/filters/http/lua/wrappers_test.cc @@ -475,10 +475,10 @@ TEST_F(LuaStreamInfoWrapperTest, GetDynamicMetadataBinaryData) { end )EOF"}; - ProtobufWkt::Value metadata_value; + Protobuf::Value metadata_value; constexpr uint8_t buffer[] = {'h', 'e', 0x00, 'l', 'l', 'o'}; metadata_value.set_string_value(reinterpret_cast(buffer), sizeof(buffer)); - ProtobufWkt::Struct metadata; + Protobuf::Struct metadata; metadata.mutable_fields()->insert({"bin_data", metadata_value}); setup(SCRIPT); @@ -533,18 +533,18 @@ TEST_F(LuaStreamInfoWrapperTest, SetGetComplexDynamicMetadata) { start("callMe"); EXPECT_EQ(1, stream_info.dynamicMetadata().filter_metadata_size()); - const ProtobufWkt::Struct& meta_foo = stream_info.dynamicMetadata() - .filter_metadata() - .at("envoy.lb") - .fields() - .at("foo") - .struct_value(); + const Protobuf::Struct& meta_foo = stream_info.dynamicMetadata() + .filter_metadata() + .at("envoy.lb") + .fields() + .at("foo") + .struct_value(); EXPECT_EQ(1234.0, meta_foo.fields().at("x").number_value()); EXPECT_EQ("baz", meta_foo.fields().at("y").string_value()); EXPECT_EQ(true, meta_foo.fields().at("z").bool_value()); - const ProtobufWkt::ListValue& meta_so = + const Protobuf::ListValue& meta_so = stream_info.dynamicMetadata().filter_metadata().at("envoy.lb").fields().at("so").list_value(); EXPECT_EQ(4, meta_so.values_size()); @@ -766,10 +766,10 @@ TEST_F(LuaStreamInfoWrapperTest, GetDynamicTypedMetadataBasic) { StreamInfo::FilterState::LifeSpan::FilterChain); // Create test typed metadata - ProtobufWkt::Struct test_struct; + Protobuf::Struct test_struct; (*test_struct.mutable_fields())["test_field"].set_string_value("test_value"); - ProtobufWkt::Any any_metadata; + Protobuf::Any any_metadata; any_metadata.set_type_url("type.googleapis.com/google.protobuf.Struct"); any_metadata.PackFrom(test_struct); @@ -831,10 +831,10 @@ TEST_F(LuaStreamInfoWrapperTest, GetDynamicTypedMetadataComplexStructure) { StreamInfo::FilterState::LifeSpan::FilterChain); // Create complex test metadata - ProtobufWkt::Struct complex_struct; + Protobuf::Struct complex_struct; // Add nested structure - ProtobufWkt::Struct nested_struct; + Protobuf::Struct nested_struct; (*nested_struct.mutable_fields())["inner_field"].set_string_value("inner_value"); (*complex_struct.mutable_fields())["nested"].mutable_struct_value()->CopyFrom(nested_struct); @@ -843,12 +843,12 @@ TEST_F(LuaStreamInfoWrapperTest, GetDynamicTypedMetadataComplexStructure) { (*complex_struct.mutable_fields())["number_field"].set_number_value(42.5); // Add array - ProtobufWkt::ListValue array_value; + Protobuf::ListValue array_value; array_value.add_values()->set_string_value("first"); array_value.add_values()->set_string_value("second"); (*complex_struct.mutable_fields())["array_field"].mutable_list_value()->CopyFrom(array_value); - ProtobufWkt::Any any_metadata; + Protobuf::Any any_metadata; any_metadata.set_type_url("type.googleapis.com/google.protobuf.Struct"); any_metadata.PackFrom(complex_struct); @@ -885,7 +885,7 @@ TEST_F(LuaStreamInfoWrapperTest, GetDynamicTypedMetadataInvalidTypeUrl) { StreamInfo::FilterState::LifeSpan::FilterChain); // Create metadata with invalid/unknown type URL - ProtobufWkt::Any any_metadata; + Protobuf::Any any_metadata; any_metadata.set_type_url("type.googleapis.com/invalid.unknown.Type"); any_metadata.set_value("invalid_data"); @@ -918,7 +918,7 @@ TEST_F(LuaStreamInfoWrapperTest, GetDynamicTypedMetadataUnpackFailure) { StreamInfo::FilterState::LifeSpan::FilterChain); // Create metadata with correct type URL but corrupted data - ProtobufWkt::Any any_metadata; + Protobuf::Any any_metadata; any_metadata.set_type_url("type.googleapis.com/google.protobuf.Struct"); any_metadata.set_value("corrupted_protobuf_data_that_cannot_be_unpacked"); @@ -965,17 +965,17 @@ TEST_F(LuaStreamInfoWrapperTest, IterateDynamicTypedMetadata) { StreamInfo::FilterState::LifeSpan::FilterChain); // Create first metadata entry - ProtobufWkt::Struct struct1; + Protobuf::Struct struct1; (*struct1.mutable_fields())["field_one"].set_string_value("value_one"); - ProtobufWkt::Any any1; + Protobuf::Any any1; any1.set_type_url("type.googleapis.com/google.protobuf.Struct"); any1.PackFrom(struct1); (*stream_info.metadata_.mutable_typed_filter_metadata())["envoy.metadata.one"] = any1; // Create second metadata entry - ProtobufWkt::Struct struct2; + Protobuf::Struct struct2; (*struct2.mutable_fields())["field_two"].set_string_value("value_two"); - ProtobufWkt::Any any2; + Protobuf::Any any2; any2.set_type_url("type.googleapis.com/google.protobuf.Struct"); any2.PackFrom(struct2); (*stream_info.metadata_.mutable_typed_filter_metadata())["envoy.metadata.two"] = any2; diff --git a/test/extensions/filters/http/match_delegate/config_test.cc b/test/extensions/filters/http/match_delegate/config_test.cc index 2e032c3953952..bb7294ed526eb 100644 --- a/test/extensions/filters/http/match_delegate/config_test.cc +++ b/test/extensions/filters/http/match_delegate/config_test.cc @@ -19,7 +19,7 @@ namespace { struct TestFactory : public Envoy::Server::Configuration::NamedHttpFilterConfigFactory { std::string name() const override { return "test"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } absl::StatusOr createFilterFactoryFromProto(const Protobuf::Message&, const std::string&, @@ -293,7 +293,7 @@ TEST(MatchWrapper, WithMatcherInvalidDataInput) { "according to allowlist"); } -struct TestAction : Matcher::ActionBase {}; +struct TestAction : Matcher::ActionBase {}; template Matcher::MatchTreeSharedPtr diff --git a/test/extensions/filters/http/match_delegate/match_delegate_integration_test.cc b/test/extensions/filters/http/match_delegate/match_delegate_integration_test.cc index cc453fbd58cda..258d87facdbda 100644 --- a/test/extensions/filters/http/match_delegate/match_delegate_integration_test.cc +++ b/test/extensions/filters/http/match_delegate/match_delegate_integration_test.cc @@ -18,8 +18,8 @@ namespace MatchDelegate { namespace { using envoy::extensions::common::matching::v3::ExtensionWithMatcherPerRoute; +using Envoy::Protobuf::Any; using Envoy::Protobuf::MapPair; -using Envoy::ProtobufWkt::Any; class MatchDelegateIntegrationTest : public testing::TestWithParam, public HttpIntegrationTest { diff --git a/test/extensions/filters/http/on_demand/odcds_integration_test.cc b/test/extensions/filters/http/on_demand/odcds_integration_test.cc index 0c96b90e678ae..b66bbcb7c715c 100644 --- a/test/extensions/filters/http/on_demand/odcds_integration_test.cc +++ b/test/extensions/filters/http/on_demand/odcds_integration_test.cc @@ -132,7 +132,7 @@ class OdCdsIntegrationHelper { return createConfig(std::move(config_source), timeout_millis); } - static OptRef> + static OptRef> findPerRouteConfigMap(ConfigHelper::HttpConnectionManager& hcm, absl::string_view vhost_name, absl::string_view route_name) { auto* route_config = hcm.mutable_route_config(); @@ -215,7 +215,7 @@ class OdCdsListenerBuilder { private: envoy::config::listener::v3::Listener listener_; - ProtobufWkt::Any* hcm_any_; + Protobuf::Any* hcm_any_; ConfigHelper::HttpConnectionManager hcm_; }; diff --git a/test/extensions/filters/http/proto_api_scrubber/filter_test.cc b/test/extensions/filters/http/proto_api_scrubber/filter_test.cc index 363025289dff2..743ad98525f53 100644 --- a/test/extensions/filters/http/proto_api_scrubber/filter_test.cc +++ b/test/extensions/filters/http/proto_api_scrubber/filter_test.cc @@ -31,7 +31,7 @@ using ::Envoy::Http::MockStreamDecoderFilterCallbacks; using ::Envoy::Http::MockStreamEncoderFilterCallbacks; using ::Envoy::Http::TestRequestHeaderMapImpl; using ::Envoy::Http::TestResponseHeaderMapImpl; -using ::Envoy::ProtobufWkt::Struct; +using ::Envoy::Protobuf::Struct; using ::testing::Eq; inline constexpr const char kApiKeysDescriptorRelativePath[] = "test/proto/apikeys.descriptor"; diff --git a/test/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util_test.cc b/test/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util_test.cc index e572ecb2d56e9..c48324ca69e41 100644 --- a/test/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util_test.cc +++ b/test/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util_test.cc @@ -38,9 +38,9 @@ namespace { using ::Envoy::Protobuf::Field; using ::Envoy::Protobuf::FieldMask; using Envoy::Protobuf::FileDescriptorSet; +using ::Envoy::Protobuf::Struct; using ::Envoy::Protobuf::Type; using ::Envoy::Protobuf::field_extraction::CordMessageData; -using ::Envoy::ProtobufWkt::Struct; using ::Envoy::StatusHelpers::IsOkAndHolds; using ::Envoy::StatusHelpers::StatusIs; using ::extraction::TestRequest; @@ -224,15 +224,15 @@ class ExtractionUtilTest : public ::testing::Test { }; TEST_F(ExtractionUtilTest, IsEmptyStruct_EmptyStruct) { - ProtobufWkt::Struct message_struct; - message_struct.mutable_fields()->insert({kTypeProperty, ProtobufWkt::Value()}); + Protobuf::Struct message_struct; + message_struct.mutable_fields()->insert({kTypeProperty, Protobuf::Value()}); EXPECT_TRUE(IsEmptyStruct(message_struct)); } TEST_F(ExtractionUtilTest, IsEmptyStruct_NonEmptyStruct) { - ProtobufWkt::Struct message_struct; - message_struct.mutable_fields()->insert({kTypeProperty, ProtobufWkt::Value()}); - message_struct.mutable_fields()->insert({"another_field", ProtobufWkt::Value()}); + Protobuf::Struct message_struct; + message_struct.mutable_fields()->insert({kTypeProperty, Protobuf::Value()}); + message_struct.mutable_fields()->insert({"another_field", Protobuf::Value()}); EXPECT_FALSE(IsEmptyStruct(message_struct)); } diff --git a/test/extensions/filters/http/proto_message_extraction/filter_test.cc b/test/extensions/filters/http/proto_message_extraction/filter_test.cc index 6d8a1698e9d45..8b549d763e2dc 100644 --- a/test/extensions/filters/http/proto_message_extraction/filter_test.cc +++ b/test/extensions/filters/http/proto_message_extraction/filter_test.cc @@ -32,7 +32,7 @@ using ::Envoy::Http::MockStreamDecoderFilterCallbacks; using ::Envoy::Http::MockStreamEncoderFilterCallbacks; using ::Envoy::Http::TestRequestHeaderMapImpl; using ::Envoy::Http::TestResponseHeaderMapImpl; -using ::Envoy::ProtobufWkt::Struct; +using ::Envoy::Protobuf::Struct; using ::testing::Eq; constexpr absl::string_view kFilterName = "envoy.filters.http.proto_message_extraction"; @@ -95,8 +95,8 @@ fields { } )pb"; -void checkProtoStruct(Envoy::ProtobufWkt::Struct got, absl::string_view expected_in_pbtext) { - Envoy::ProtobufWkt::Struct expected; +void checkProtoStruct(Envoy::Protobuf::Struct got, absl::string_view expected_in_pbtext) { + Envoy::Protobuf::Struct expected; ASSERT_THAT(Envoy::Protobuf::TextFormat::ParseFromString(expected_in_pbtext, &expected), true); EXPECT_THAT(Envoy::TestUtility::protoEqual(got, expected, true), true) << "got:\n" @@ -217,7 +217,7 @@ TEST_F(FilterTestExtractOk, UnarySingleBuffer) { EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedRequestExtractedResult); })); @@ -240,7 +240,7 @@ TEST_F(FilterTestExtractOk, UnarySingleBuffer) { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedResponseExtractedResult); })); @@ -278,7 +278,7 @@ TEST_F(FilterTestExtractOk, UnarySingleBufferWithMultipleFields) { EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -347,7 +347,7 @@ fields { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -420,7 +420,7 @@ TEST_F(FilterTestExtractOk, UnarySingleBufferWithMultipleFieldsforResponseOnly) EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -464,7 +464,7 @@ fields { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -569,7 +569,7 @@ fields { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -670,7 +670,7 @@ TEST_F(FilterTestExtractOk, UnaryMultipeBuffers) { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedResponseExtractedResult); })); @@ -737,7 +737,7 @@ extraction_by_method: { )pb"); Envoy::Buffer::InstancePtr request_data4 = Envoy::Grpc::Common::serializeToGrpcFrame(request4); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.proto_message_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -854,7 +854,7 @@ fields { )pb"); Envoy::Buffer::InstancePtr response_data4 = Envoy::Grpc::Common::serializeToGrpcFrame(response4); EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.proto_message_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -930,7 +930,7 @@ TEST_F(FilterTestExtractOk, RequestResponseWithTrailers) { EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -988,7 +988,7 @@ fields { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1123,7 +1123,7 @@ supported_types: { )pb"); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.proto_message_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1250,7 +1250,7 @@ fields { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1394,7 +1394,7 @@ repeated_supported_types: { )pb"); Envoy::Buffer::InstancePtr request_data = Envoy::Grpc::Common::serializeToGrpcFrame(request); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.proto_message_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1628,7 +1628,7 @@ TEST_F(FilterTestWithExtractRedacted, UnarySingleBuffer) { EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1692,7 +1692,7 @@ fields { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1793,7 +1793,7 @@ extraction_by_method: { )pb"); Envoy::Buffer::InstancePtr request_data4 = Envoy::Grpc::Common::serializeToGrpcFrame(request4); EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.proto_message_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -1912,7 +1912,7 @@ fields { )pb"); Envoy::Buffer::InstancePtr response_data4 = Envoy::Grpc::Common::serializeToGrpcFrame(response4); EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([](const std::string& ns, const ProtobufWkt::Struct& new_dynamic_metadata) { + .WillOnce(Invoke([](const std::string& ns, const Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.proto_message_extraction"); checkProtoStruct(new_dynamic_metadata, R"pb( fields { @@ -2168,7 +2168,7 @@ TEST_F(FilterTestWithExtractModeUnspecified, ModeUnspecified) { EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedRequestExtractedResult); })); @@ -2191,7 +2191,7 @@ TEST_F(FilterTestWithExtractModeUnspecified, ModeUnspecified) { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedResponseExtractedResult); })); @@ -2228,7 +2228,7 @@ TEST_F(FilterTestWithExtractDirectiveUnspecified, HappyPath) { EXPECT_CALL(mock_decoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedRequestExtractedResult); })); @@ -2251,7 +2251,7 @@ TEST_F(FilterTestWithExtractDirectiveUnspecified, HappyPath) { EXPECT_CALL(mock_encoder_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce( - Invoke([](const std::string& ns, const Envoy::ProtobufWkt::Struct& new_dynamic_metadata) { + Invoke([](const std::string& ns, const Envoy::Protobuf::Struct& new_dynamic_metadata) { EXPECT_EQ(ns, kFilterName); checkProtoStruct(new_dynamic_metadata, kExpectedResponseExtractedResult); })); diff --git a/test/extensions/filters/http/proto_message_extraction/integration_test.cc b/test/extensions/filters/http/proto_message_extraction/integration_test.cc index 5414d49bd0e14..2b4e003587979 100644 --- a/test/extensions/filters/http/proto_message_extraction/integration_test.cc +++ b/test/extensions/filters/http/proto_message_extraction/integration_test.cc @@ -20,7 +20,7 @@ using ::apikeys::CreateApiKeyRequest; using ::Envoy::Extensions::HttpFilters::GrpcFieldExtraction::checkSerializedData; void compareJson(const std::string& actual, const std::string& expected) { - ProtobufWkt::Value expected_value, actual_value; + Protobuf::Value expected_value, actual_value; TestUtility::loadFromJson(expected, expected_value); TestUtility::loadFromJson(actual, actual_value); EXPECT_TRUE(TestUtility::protoEqual(expected_value, actual_value)) diff --git a/test/extensions/filters/http/ratelimit/ratelimit_test.cc b/test/extensions/filters/http/ratelimit/ratelimit_test.cc index ba8c4c46a9e15..b84a335092bf6 100644 --- a/test/extensions/filters/http/ratelimit/ratelimit_test.cc +++ b/test/extensions/filters/http/ratelimit/ratelimit_test.cc @@ -767,13 +767,13 @@ TEST_F(HttpRateLimitFilterTest, LimitResponseWithDynamicMetadata) { filter_->decodeHeaders(request_headers_, false)); Filters::Common::RateLimit::DynamicMetadataPtr dynamic_metadata = - std::make_unique(); + std::make_unique(); auto* fields = dynamic_metadata->mutable_fields(); (*fields)["name"] = ValueUtil::stringValue("my-limit"); (*fields)["x"] = ValueUtil::numberValue(3); EXPECT_CALL(filter_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce(Invoke([&dynamic_metadata](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.http.ratelimit"); EXPECT_TRUE(TestUtility::protoEqual(returned_dynamic_metadata, *dynamic_metadata)); })); diff --git a/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc b/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc index 10829ce779f47..dbfb437482d22 100644 --- a/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc +++ b/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc @@ -747,12 +747,12 @@ TEST_P(RBACIntegrationTest, RouteMetadataMatcherAllow) { baz: bat )EOF"; - ProtobufWkt::Struct value; + Protobuf::Struct value; TestUtility::loadFromYaml(yaml, value); auto default_route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); default_route->mutable_metadata()->mutable_filter_metadata()->insert( - Protobuf::MapPair(key, value)); + Protobuf::MapPair(key, value)); }); initialize(); @@ -791,12 +791,12 @@ TEST_P(RBACIntegrationTest, RouteMetadataMatcherDeny) { foo: baz )EOF"; - ProtobufWkt::Struct value; + Protobuf::Struct value; TestUtility::loadFromYaml(yaml, value); auto default_route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); default_route->mutable_metadata()->mutable_filter_metadata()->insert( - Protobuf::MapPair(key, value)); + Protobuf::MapPair(key, value)); }); initialize(); @@ -833,12 +833,12 @@ TEST_P(RBACIntegrationTest, DEPRECATED_FEATURE_TEST(DynamicMetadataMatcherAllow) baz: bat )EOF"; - ProtobufWkt::Struct value; + Protobuf::Struct value; TestUtility::loadFromYaml(yaml, value); auto default_route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); default_route->mutable_metadata()->mutable_filter_metadata()->insert( - Protobuf::MapPair(key, value)); + Protobuf::MapPair(key, value)); }); initialize(); @@ -877,12 +877,12 @@ TEST_P(RBACIntegrationTest, DynamicMetadataMatcherDeny) { foo: baz )EOF"; - ProtobufWkt::Struct value; + Protobuf::Struct value; TestUtility::loadFromYaml(yaml, value); auto default_route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); default_route->mutable_metadata()->mutable_filter_metadata()->insert( - Protobuf::MapPair(key, value)); + Protobuf::MapPair(key, value)); }); initialize(); diff --git a/test/extensions/filters/http/rbac/rbac_filter_test.cc b/test/extensions/filters/http/rbac/rbac_filter_test.cc index 4668f7394725d..cb1a1c28a1e3a 100644 --- a/test/extensions/filters/http/rbac/rbac_filter_test.cc +++ b/test/extensions/filters/http/rbac/rbac_filter_test.cc @@ -296,17 +296,17 @@ class RoleBasedAccessControlFilterTest : public testing::Test { void setMetadata() { ON_CALL(req_info_, setDynamicMetadata("envoy.filters.http.rbac", _)) - .WillByDefault(Invoke([this](const std::string&, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([this](const std::string&, const Protobuf::Struct& obj) { req_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair("envoy.filters.http.rbac", obj)); + Protobuf::MapPair("envoy.filters.http.rbac", obj)); })); ON_CALL(req_info_, setDynamicMetadata( Filters::Common::RBAC::DynamicMetadataKeysSingleton::get().CommonNamespace, _)) - .WillByDefault(Invoke([this](const std::string&, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([this](const std::string&, const Protobuf::Struct& obj) { req_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair( + Protobuf::MapPair( Filters::Common::RBAC::DynamicMetadataKeysSingleton::get().CommonNamespace, obj)); })); } diff --git a/test/extensions/filters/http/set_metadata/set_metadata_filter_test.cc b/test/extensions/filters/http/set_metadata/set_metadata_filter_test.cc index 5ada203e0d78d..11b89d1df4b41 100644 --- a/test/extensions/filters/http/set_metadata/set_metadata_filter_test.cc +++ b/test/extensions/filters/http/set_metadata/set_metadata_filter_test.cc @@ -45,12 +45,12 @@ class SetMetadataFilterTest : public testing::Test { filter_->onDestroy(); } - void checkKeyInt(const ProtobufWkt::Struct& s, std::string key, int val) { + void checkKeyInt(const Protobuf::Struct& s, std::string key, int val) { const auto& fields = s.fields(); const auto it = fields.find(key); ASSERT_NE(it, fields.end()); const auto& pbval = it->second; - ASSERT_EQ(pbval.kind_case(), ProtobufWkt::Value::kNumberValue); + ASSERT_EQ(pbval.kind_case(), Protobuf::Value::kNumberValue); EXPECT_EQ(pbval.number_value(), val); } @@ -80,7 +80,7 @@ TEST_F(SetMetadataFilterTest, DeprecatedSimple) { const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); checkKeyInt(tags.struct_value(), "mytag0", 1); } @@ -125,18 +125,18 @@ TEST_F(SetMetadataFilterTest, DeprecatedWithMerge) { const auto it_mylist = fields.find("mylist"); ASSERT_NE(it_mylist, fields.end()); const auto& mylist = it_mylist->second; - ASSERT_EQ(mylist.kind_case(), ProtobufWkt::Value::kListValue); + ASSERT_EQ(mylist.kind_case(), Protobuf::Value::kListValue); const auto& vals = mylist.list_value().values(); ASSERT_EQ(vals.size(), 2); - ASSERT_EQ(vals[0].kind_case(), ProtobufWkt::Value::kStringValue); + ASSERT_EQ(vals[0].kind_case(), Protobuf::Value::kStringValue); EXPECT_EQ(vals[0].string_value(), "a"); - ASSERT_EQ(vals[1].kind_case(), ProtobufWkt::Value::kStringValue); + ASSERT_EQ(vals[1].kind_case(), Protobuf::Value::kStringValue); EXPECT_EQ(vals[1].string_value(), "b"); const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); const auto& tags_struct = tags.struct_value(); checkKeyInt(tags_struct, "mytag0", 1); @@ -163,7 +163,7 @@ TEST_F(SetMetadataFilterTest, UntypedSimple) { const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); checkKeyInt(tags.struct_value(), "mytag0", 1); } @@ -228,18 +228,18 @@ TEST_F(SetMetadataFilterTest, UntypedWithAllowOverwrite) { const auto it_mylist = fields.find("mylist"); ASSERT_NE(it_mylist, fields.end()); const auto& mylist = it_mylist->second; - ASSERT_EQ(mylist.kind_case(), ProtobufWkt::Value::kListValue); + ASSERT_EQ(mylist.kind_case(), Protobuf::Value::kListValue); const auto& vals = mylist.list_value().values(); ASSERT_EQ(vals.size(), 2); - ASSERT_EQ(vals[0].kind_case(), ProtobufWkt::Value::kStringValue); + ASSERT_EQ(vals[0].kind_case(), Protobuf::Value::kStringValue); EXPECT_EQ(vals[0].string_value(), "a"); - ASSERT_EQ(vals[1].kind_case(), ProtobufWkt::Value::kStringValue); + ASSERT_EQ(vals[1].kind_case(), Protobuf::Value::kStringValue); EXPECT_EQ(vals[1].string_value(), "b"); const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); const auto& tags_struct = tags.struct_value(); checkKeyInt(tags_struct, "mytag0", 1); @@ -280,16 +280,16 @@ TEST_F(SetMetadataFilterTest, UntypedWithNoAllowOverwrite) { const auto it_mylist = fields.find("mylist"); ASSERT_NE(it_mylist, fields.end()); const auto& mylist = it_mylist->second; - ASSERT_EQ(mylist.kind_case(), ProtobufWkt::Value::kListValue); + ASSERT_EQ(mylist.kind_case(), Protobuf::Value::kListValue); const auto& vals = mylist.list_value().values(); ASSERT_EQ(vals.size(), 1); - ASSERT_EQ(vals[0].kind_case(), ProtobufWkt::Value::kStringValue); + ASSERT_EQ(vals[0].kind_case(), Protobuf::Value::kStringValue); EXPECT_EQ(vals[0].string_value(), "a"); const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); const auto& tags_struct = tags.struct_value(); checkKeyInt(tags_struct, "mytag0", 1); @@ -392,7 +392,7 @@ TEST_F(SetMetadataFilterTest, UntypedWithDeprecated) { const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); checkKeyInt(tags.struct_value(), "mytag0", 1); } @@ -422,7 +422,7 @@ TEST_F(SetMetadataFilterTest, TypedWithDeprecated) { const auto it_tags = fields.find("tags"); ASSERT_NE(it_tags, fields.end()); const auto& tags = it_tags->second; - ASSERT_EQ(tags.kind_case(), ProtobufWkt::Value::kStructValue); + ASSERT_EQ(tags.kind_case(), Protobuf::Value::kStructValue); checkKeyInt(tags.struct_value(), "mytag0", 0); // Verify that `metadata` contains our typed Config. diff --git a/test/extensions/filters/http/stateful_session/stateful_session_integration_test.cc b/test/extensions/filters/http/stateful_session/stateful_session_integration_test.cc index aa64b31cf7c16..2460f1559dc09 100644 --- a/test/extensions/filters/http/stateful_session/stateful_session_integration_test.cc +++ b/test/extensions/filters/http/stateful_session/stateful_session_integration_test.cc @@ -73,7 +73,7 @@ class StatefulSessionIntegrationTest : public Envoy::HttpIntegrationTest, public // Update per route config of default route. if (!per_route_config_yaml.empty()) { auto* route = virtual_host.mutable_routes(0); - ProtobufWkt::Any per_route_config; + Protobuf::Any per_route_config; TestUtility::loadFromYaml(per_route_config_yaml, per_route_config); route->mutable_typed_per_filter_config()->insert( diff --git a/test/extensions/filters/http/thrift_to_metadata/filter_test.cc b/test/extensions/filters/http/thrift_to_metadata/filter_test.cc index c24be79929476..154f3b47f0816 100644 --- a/test/extensions/filters/http/thrift_to_metadata/filter_test.cc +++ b/test/extensions/filters/http/thrift_to_metadata/filter_test.cc @@ -23,7 +23,7 @@ namespace HttpFilters { namespace ThriftToMetadata { MATCHER_P(MapEq, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).string_value(), entry.second); @@ -32,7 +32,7 @@ MATCHER_P(MapEq, rhs, "") { } MATCHER_P(MapNumEq, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).number_value(), entry.second); diff --git a/test/extensions/filters/http/wasm/wasm_filter_test.cc b/test/extensions/filters/http/wasm/wasm_filter_test.cc index 7eb4d3f33ccc5..8a587aa8ad8e7 100644 --- a/test/extensions/filters/http/wasm/wasm_filter_test.cc +++ b/test/extensions/filters/http/wasm/wasm_filter_test.cc @@ -16,7 +16,7 @@ using testing::Return; using testing::ReturnRef; MATCHER_P(MapEq, rhs, "") { - const Envoy::ProtobufWkt::Struct& obj = arg; + const Envoy::Protobuf::Struct& obj = arg; EXPECT_TRUE(rhs.size() > 0); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).string_value(), entry.second); @@ -1075,7 +1075,7 @@ TEST_P(WasmHttpFilterTest, GrpcCall) { const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { EXPECT_EQ(service_full_name, "service"); EXPECT_EQ(method_name, "method"); - ProtobufWkt::Value value; + Protobuf::Value value; EXPECT_TRUE( value.ParseFromArray(message->linearize(message->length()), message->length())); EXPECT_EQ(value.string_value(), "request"); @@ -1102,7 +1102,7 @@ TEST_P(WasmHttpFilterTest, GrpcCall) { EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter().decodeHeaders(request_headers, false)); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1198,7 +1198,7 @@ TEST_P(WasmHttpFilterTest, GrpcCallFailure) { const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { EXPECT_EQ(service_full_name, "service"); EXPECT_EQ(method_name, "method"); - ProtobufWkt::Value value; + Protobuf::Value value; EXPECT_TRUE( value.ParseFromArray(message->linearize(message->length()), message->length())); EXPECT_EQ(value.string_value(), "request"); @@ -1240,7 +1240,7 @@ TEST_P(WasmHttpFilterTest, GrpcCallFailure) { EXPECT_EQ(filter().grpcCancel(0xFF02), proxy_wasm::WasmResult::NotFound); EXPECT_EQ(filter().grpcClose(0xFF02), proxy_wasm::WasmResult::NotFound); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1289,7 +1289,7 @@ TEST_P(WasmHttpFilterTest, GrpcCallCancel) { const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { EXPECT_EQ(service_full_name, "service"); EXPECT_EQ(method_name, "method"); - ProtobufWkt::Value value; + Protobuf::Value value; EXPECT_TRUE( value.ParseFromArray(message->linearize(message->length()), message->length())); EXPECT_EQ(value.string_value(), "request"); @@ -1349,7 +1349,7 @@ TEST_P(WasmHttpFilterTest, GrpcCallClose) { const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { EXPECT_EQ(service_full_name, "service"); EXPECT_EQ(method_name, "method"); - ProtobufWkt::Value value; + Protobuf::Value value; EXPECT_TRUE( value.ParseFromArray(message->linearize(message->length()), message->length())); EXPECT_EQ(value.string_value(), "request"); @@ -1409,7 +1409,7 @@ TEST_P(WasmHttpFilterTest, GrpcCallAfterDestroyed) { const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { EXPECT_EQ(service_full_name, "service"); EXPECT_EQ(method_name, "method"); - ProtobufWkt::Value value; + Protobuf::Value value; EXPECT_TRUE( value.ParseFromArray(message->linearize(message->length()), message->length())); EXPECT_EQ(value.string_value(), "request"); @@ -1448,7 +1448,7 @@ TEST_P(WasmHttpFilterTest, GrpcCallAfterDestroyed) { wasm_.reset(); } - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1538,7 +1538,7 @@ TEST_P(WasmHttpFilterTest, GrpcStream) { EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter().decodeHeaders(request_headers, false)); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1599,7 +1599,7 @@ TEST_P(WasmHttpFilterTest, GrpcStreamCloseLocal) { EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter().decodeHeaders(request_headers, false)); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("close"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1659,7 +1659,7 @@ TEST_P(WasmHttpFilterTest, GrpcStreamCloseRemote) { EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter().decodeHeaders(request_headers, false)); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1709,7 +1709,7 @@ TEST_P(WasmHttpFilterTest, GrpcStreamCancel) { EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter().decodeHeaders(request_headers, false)); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1766,7 +1766,7 @@ TEST_P(WasmHttpFilterTest, GrpcStreamOpenAtShutdown) { EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter().decodeHeaders(request_headers, false)); - ProtobufWkt::Value value; + Protobuf::Value value; value.set_string_value("response"); std::string response_string; EXPECT_TRUE(value.SerializeToString(&response_string)); @@ -1800,7 +1800,7 @@ TEST_P(WasmHttpFilterTest, Metadata) { setupTest("", "metadata"); setupFilter(); envoy::config::core::v3::Node node_data; - ProtobufWkt::Value node_val; + Protobuf::Value node_val; node_val.set_string_value("wasm_node_get_value"); (*node_data.mutable_metadata()->mutable_fields())["wasm_node_get_key"] = node_val; (*node_data.mutable_metadata()->mutable_fields())["wasm_node_list_key"] = @@ -1821,7 +1821,7 @@ TEST_P(WasmHttpFilterTest, Metadata) { } request_stream_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair( + Protobuf::MapPair( "envoy.filters.http.wasm", MessageUtil::keyValueStruct("wasm_request_get_key", "wasm_request_get_value"))); @@ -1857,14 +1857,14 @@ TEST_P(WasmHttpFilterTest, Property) { return; } envoy::config::core::v3::Node node_data; - ProtobufWkt::Value node_val; + Protobuf::Value node_val; node_val.set_string_value("sample_data"); (*node_data.mutable_metadata()->mutable_fields())["istio.io/metadata"] = node_val; EXPECT_CALL(local_info_, node()).WillRepeatedly(ReturnRef(node_data)); setupTest("", "property"); setupFilter(); request_stream_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair( + Protobuf::MapPair( "envoy.filters.http.wasm", MessageUtil::keyValueStruct("wasm_request_get_key", "wasm_request_get_value"))); EXPECT_CALL(request_stream_info_, responseCode()).WillRepeatedly(Return(403)); diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc index 2f0847685919b..687c3334ea14a 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc @@ -57,7 +57,7 @@ class LargeBufferListenerFilterConfigFactory } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { diff --git a/test/extensions/filters/network/common/fuzz/validated_input_generator_any_map_extensions.cc b/test/extensions/filters/network/common/fuzz/validated_input_generator_any_map_extensions.cc index 8a5f234df6273..8b45226e90334 100644 --- a/test/extensions/filters/network/common/fuzz/validated_input_generator_any_map_extensions.cc +++ b/test/extensions/filters/network/common/fuzz/validated_input_generator_any_map_extensions.cc @@ -19,7 +19,7 @@ namespace ProtobufMessage { ValidatedInputGenerator::AnyMap composeFiltersAnyMap() { static const auto dummy_proto_msg = []() -> std::unique_ptr { - return std::make_unique(); + return std::make_unique(); }; static ValidatedInputGenerator::AnyMap any_map; diff --git a/test/extensions/filters/network/dubbo_proxy/mocks.cc b/test/extensions/filters/network/dubbo_proxy/mocks.cc index f42a21a3ee129..1c74494ed30dd 100644 --- a/test/extensions/filters/network/dubbo_proxy/mocks.cc +++ b/test/extensions/filters/network/dubbo_proxy/mocks.cc @@ -107,7 +107,7 @@ MockFilterConfigFactory::MockFilterConfigFactory() MockFilterConfigFactory::~MockFilterConfigFactory() = default; FilterFactoryCb -MockFilterConfigFactory::createFilterFactoryFromProtoTyped(const ProtobufWkt::Struct& proto_config, +MockFilterConfigFactory::createFilterFactoryFromProtoTyped(const Protobuf::Struct& proto_config, const std::string& stat_prefix, Server::Configuration::FactoryContext&) { config_struct_ = proto_config; diff --git a/test/extensions/filters/network/dubbo_proxy/mocks.h b/test/extensions/filters/network/dubbo_proxy/mocks.h index cee1ae8aa0bbe..616fa3417b6d5 100644 --- a/test/extensions/filters/network/dubbo_proxy/mocks.h +++ b/test/extensions/filters/network/dubbo_proxy/mocks.h @@ -300,18 +300,18 @@ template class MockFactoryBase : public NamedDubboFilterConf const std::string name_; }; -class MockFilterConfigFactory : public MockFactoryBase { +class MockFilterConfigFactory : public MockFactoryBase { public: MockFilterConfigFactory(); ~MockFilterConfigFactory() override; DubboFilters::FilterFactoryCb - createFilterFactoryFromProtoTyped(const ProtobufWkt::Struct& proto_config, + createFilterFactoryFromProtoTyped(const Protobuf::Struct& proto_config, const std::string& stat_prefix, Server::Configuration::FactoryContext& context) override; std::shared_ptr mock_filter_; - ProtobufWkt::Struct config_struct_; + Protobuf::Struct config_struct_; std::string config_stat_prefix_; }; diff --git a/test/extensions/filters/network/dubbo_proxy/route_matcher_test.cc b/test/extensions/filters/network/dubbo_proxy/route_matcher_test.cc index f9c6460fa6db7..649fa639fb8b8 100644 --- a/test/extensions/filters/network/dubbo_proxy/route_matcher_test.cc +++ b/test/extensions/filters/network/dubbo_proxy/route_matcher_test.cc @@ -959,7 +959,7 @@ interface: org.apache.dubbo.demo.DemoService criteria->metadataMatchCriteria(); EXPECT_EQ(2, mmc.size()); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -1035,7 +1035,7 @@ interface: org.apache.dubbo.demo.DemoService NiceMock context; SingleRouteMatcherImpl matcher(config, context); - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("v1"); v2.set_string_value("v2"); v3.set_string_value("v3"); @@ -1132,7 +1132,7 @@ interface: org.apache.dubbo.demo.DemoService NiceMock context; SingleRouteMatcherImpl matcher(config, context); - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("v1"); v2.set_string_value("v2"); v3.set_string_value("v3"); diff --git a/test/extensions/filters/network/dubbo_proxy/router_test.cc b/test/extensions/filters/network/dubbo_proxy/router_test.cc index 8f26e582a172e..1d12f85448b20 100644 --- a/test/extensions/filters/network/dubbo_proxy/router_test.cc +++ b/test/extensions/filters/network/dubbo_proxy/router_test.cc @@ -98,8 +98,8 @@ class DubboRouterTestBase { } void verifyMetadataMatchCriteriaFromRequest(bool route_entry_has_match) { - ProtobufWkt::Struct request_struct; - ProtobufWkt::Value val; + Protobuf::Struct request_struct; + Protobuf::Value val; // Populate metadata like StreamInfo.setDynamicMetadata() would. auto& fields_map = *request_struct.mutable_fields(); @@ -150,8 +150,8 @@ class DubboRouterTestBase { } void verifyMetadataMatchCriteriaFromRoute(bool route_entry_has_match) { - ProtobufWkt::Struct route_struct; - ProtobufWkt::Value val; + Protobuf::Struct route_struct; + Protobuf::Value val; // Populate metadata like StreamInfo.setDynamicMetadata() would. auto& fields_map = *route_struct.mutable_fields(); @@ -193,8 +193,8 @@ class DubboRouterTestBase { } void verifyMetadataMatchCriteriaFromPreviousCompute() { - ProtobufWkt::Struct request_struct; - ProtobufWkt::Value val; + Protobuf::Struct request_struct; + Protobuf::Value val; // Populate metadata like StreamInfo.setDynamicMetadata() would. auto& fields_map = *request_struct.mutable_fields(); diff --git a/test/extensions/filters/network/ext_authz/ext_authz_test.cc b/test/extensions/filters/network/ext_authz/ext_authz_test.cc index 2a4370303ab44..131a72d78ab6e 100644 --- a/test/extensions/filters/network/ext_authz/ext_authz_test.cc +++ b/test/extensions/filters/network/ext_authz/ext_authz_test.cc @@ -104,16 +104,16 @@ class ExtAuthzFilterTest : public testing::Test { (*fields)["ext_authz_duration"] = ValueUtil::numberValue(10); EXPECT_CALL(filter_callbacks_.connection_.stream_info_, setDynamicMetadata(_, _)) - .WillOnce(Invoke([&response](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { - EXPECT_EQ(ns, NetworkFilterNames::get().ExtAuthorization); - EXPECT_TRUE( - returned_dynamic_metadata.fields().at("ext_authz_duration").has_number_value()); - EXPECT_TRUE( - TestUtility::protoEqual(returned_dynamic_metadata, response.dynamic_metadata)); - EXPECT_EQ(response.dynamic_metadata.fields().at("ext_authz_duration").number_value(), - returned_dynamic_metadata.fields().at("ext_authz_duration").number_value()); - })); + .WillOnce(Invoke( + [&response](const std::string& ns, const Protobuf::Struct& returned_dynamic_metadata) { + EXPECT_EQ(ns, NetworkFilterNames::get().ExtAuthorization); + EXPECT_TRUE( + returned_dynamic_metadata.fields().at("ext_authz_duration").has_number_value()); + EXPECT_TRUE( + TestUtility::protoEqual(returned_dynamic_metadata, response.dynamic_metadata)); + EXPECT_EQ(response.dynamic_metadata.fields().at("ext_authz_duration").number_value(), + returned_dynamic_metadata.fields().at("ext_authz_duration").number_value()); + })); EXPECT_CALL(filter_callbacks_, continueReading()); request_callbacks_->onComplete(std::make_unique(response)); @@ -385,7 +385,7 @@ TEST_F(ExtAuthzFilterTest, ImmediateOK) { addr_); filter_callbacks_.connection_.dispatcher_.globalTimeSystem().advanceTimeWait( std::chrono::milliseconds(5)); - ProtobufWkt::Struct dynamic_metadata; + Protobuf::Struct dynamic_metadata; (*dynamic_metadata.mutable_fields())["baz"] = ValueUtil::stringValue("hello-ok"); (*dynamic_metadata.mutable_fields())["x"] = ValueUtil::numberValue(12); // Since this is a stack response, duration should be 0; @@ -404,7 +404,7 @@ TEST_F(ExtAuthzFilterTest, ImmediateOK) { EXPECT_CALL(filter_callbacks_.connection_.stream_info_, setDynamicMetadata(_, _)) .WillOnce(Invoke([&dynamic_metadata](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_TRUE(returned_dynamic_metadata.fields().contains("ext_authz_duration")); EXPECT_TRUE(dynamic_metadata.fields().contains("ext_authz_duration")); EXPECT_EQ(ns, NetworkFilterNames::get().ExtAuthorization); @@ -440,7 +440,7 @@ TEST_F(ExtAuthzFilterTest, ImmediateNOK) { addr_); filter_callbacks_.connection_.stream_info_.downstream_connection_info_provider_->setLocalAddress( addr_); - ProtobufWkt::Struct dynamic_metadata; + Protobuf::Struct dynamic_metadata; (*dynamic_metadata.mutable_fields())["baz"] = ValueUtil::stringValue("hello-nok"); (*dynamic_metadata.mutable_fields())["x"] = ValueUtil::numberValue(15); EXPECT_CALL(filter_callbacks_, continueReading()).Times(0); @@ -454,7 +454,7 @@ TEST_F(ExtAuthzFilterTest, ImmediateNOK) { }))); EXPECT_CALL(filter_callbacks_.connection_.stream_info_, setDynamicMetadata(_, _)) .WillOnce(Invoke([&dynamic_metadata](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_EQ(ns, NetworkFilterNames::get().ExtAuthorization); EXPECT_FALSE(returned_dynamic_metadata.fields().contains("ext_authz_duration")); EXPECT_FALSE(dynamic_metadata.fields().contains("ext_authz_duration")); diff --git a/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc index 12fb32b7c8f61..a1d44f4bf9ac7 100644 --- a/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc @@ -23,7 +23,7 @@ using envoy::service::network_ext_proc::v3::ProcessingResponse; // Test-only filter that sets both typed and untyped connection metadata based on filter config class MetadataSetterFilter : public Network::ReadFilter { public: - MetadataSetterFilter(const ProtobufWkt::Struct& filter_config) : filter_config_(filter_config) {} + MetadataSetterFilter(const Protobuf::Struct& filter_config) : filter_config_(filter_config) {} Network::FilterStatus onNewConnection() override { // Set untyped metadata from config @@ -50,11 +50,11 @@ class MetadataSetterFilter : public Network::ReadFilter { for (const auto& [namespace_name, string_value] : typed_namespaces.fields()) { if (string_value.has_string_value()) { // Create a StringValue - ProtobufWkt::StringValue string_proto; + Protobuf::StringValue string_proto; string_proto.set_value(string_value.string_value()); // Serialize to an Any - ProtobufWkt::Any typed_value; + Protobuf::Any typed_value; typed_value.PackFrom(string_proto); // Use the appropriate way to add typed metadata @@ -78,7 +78,7 @@ class MetadataSetterFilter : public Network::ReadFilter { private: Network::ReadFilterCallbacks* callbacks_{nullptr}; - const ProtobufWkt::Struct& filter_config_; + const Protobuf::Struct& filter_config_; }; class MetadataSetterFilterFactory : public Server::Configuration::NamedNetworkFilterConfigFactory { @@ -86,14 +86,14 @@ class MetadataSetterFilterFactory : public Server::Configuration::NamedNetworkFi absl::StatusOr createFilterFactoryFromProto(const Protobuf::Message& proto_config, Server::Configuration::FactoryContext&) override { - const auto& struct_config = dynamic_cast(proto_config); + const auto& struct_config = dynamic_cast(proto_config); return [struct_config](Network::FilterManager& filter_manager) -> void { filter_manager.addReadFilter(std::make_shared(struct_config)); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "test.metadata_setter"; } @@ -222,25 +222,25 @@ class NetworkExtProcFilterIntegrationTest for (int i = 0; i < filters->size(); i++) { if ((*filters)[i].name() == "test.metadata_setter") { - ProtobufWkt::Struct existing_config; + Protobuf::Struct existing_config; if ((*filters)[i].has_typed_config()) { (*filters)[i].typed_config().UnpackTo(&existing_config); } // Set untyped metadata if (!untyped_values.empty()) { - ProtobufWkt::Struct metadata_struct; + Protobuf::Struct metadata_struct; auto* fields = metadata_struct.mutable_fields(); for (const auto& [key, value] : untyped_values) { (*fields)[key].set_string_value(value); } - ProtobufWkt::Value namespace_value; + Protobuf::Value namespace_value; *namespace_value.mutable_struct_value() = metadata_struct; if (!existing_config.fields().contains("untyped_metadata")) { - ProtobufWkt::Value untyped_value; + Protobuf::Value untyped_value; existing_config.mutable_fields()->insert({"untyped_metadata", untyped_value}); } @@ -252,13 +252,13 @@ class NetworkExtProcFilterIntegrationTest // Set typed metadata if (typed_value.has_value()) { if (!existing_config.fields().contains("typed_metadata")) { - ProtobufWkt::Value typed_value; + Protobuf::Value typed_value; existing_config.mutable_fields()->insert({"typed_metadata", typed_value}); } auto* typed_metadata = existing_config.mutable_fields()->at("typed_metadata").mutable_struct_value(); - typed_metadata->mutable_fields()->insert({namespace_name, ProtobufWkt::Value()}); + typed_metadata->mutable_fields()->insert({namespace_name, Protobuf::Value()}); typed_metadata->mutable_fields() ->at(namespace_name) .set_string_value(typed_value.value()); @@ -933,7 +933,7 @@ TEST_P(NetworkExtProcFilterIntegrationTest, TypedMetadataForwarding) { EXPECT_EQ(typed_metadata.type_url(), "type.googleapis.com/google.protobuf.StringValue"); // Deserialize the StringValue to verify the content - ProtobufWkt::StringValue string_value; + Protobuf::StringValue string_value; EXPECT_TRUE(string_value.ParseFromString(typed_metadata.value())); EXPECT_EQ(string_value.value(), "hello-world"); @@ -979,7 +979,7 @@ TEST_P(NetworkExtProcFilterIntegrationTest, BothTypedAndUntypedMetadataForwardin EXPECT_EQ(typed_metadata.type_url(), "type.googleapis.com/google.protobuf.StringValue"); // Deserialize the StringValue - ProtobufWkt::StringValue string_value; + Protobuf::StringValue string_value; EXPECT_TRUE(string_value.ParseFromString(typed_metadata.value())); EXPECT_EQ(string_value.value(), "typed-test-value"); diff --git a/test/extensions/filters/network/ext_proc/ext_proc_test.cc b/test/extensions/filters/network/ext_proc/ext_proc_test.cc index 8f9173a4f595e..a9584057ec4c4 100644 --- a/test/extensions/filters/network/ext_proc/ext_proc_test.cc +++ b/test/extensions/filters/network/ext_proc/ext_proc_test.cc @@ -132,15 +132,14 @@ class NetworkExtProcFilterTest : public testing::Test { void addDynamicMetadata(const std::string& namespace_key, const std::string& key, const std::string& value) { auto& metadata = *stream_info_.metadata_.mutable_filter_metadata(); - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; auto& fields = *struct_obj.mutable_fields(); fields[key].set_string_value(value); metadata[namespace_key] = struct_obj; } // Add typed dynamic metadata to the stream info - void addTypedDynamicMetadata(const std::string& namespace_key, - const ProtobufWkt::Any& typed_value) { + void addTypedDynamicMetadata(const std::string& namespace_key, const Protobuf::Any& typed_value) { stream_info_.metadata_.mutable_typed_filter_metadata()->insert({namespace_key, typed_value}); } @@ -719,7 +718,7 @@ TEST_F(NetworkExtProcFilterTest, TypedMetadataForwarding) { recreateFilterWithMetadataOptions({}, {"typed-namespace"}); // Create a typed metadata value - ProtobufWkt::Any typed_value; + Protobuf::Any typed_value; typed_value.set_type_url("type.googleapis.com/envoy.test.TestMessage"); typed_value.set_value("test-value"); @@ -727,7 +726,7 @@ TEST_F(NetworkExtProcFilterTest, TypedMetadataForwarding) { addTypedDynamicMetadata("typed-namespace", typed_value); // Create another typed value that shouldn't be forwarded - ProtobufWkt::Any other_typed_value; + Protobuf::Any other_typed_value; other_typed_value.set_type_url("type.googleapis.com/envoy.test.OtherMessage"); other_typed_value.set_value("other-value"); addTypedDynamicMetadata("other-namespace", other_typed_value); @@ -776,7 +775,7 @@ TEST_F(NetworkExtProcFilterTest, BothTypedAndUntypedMetadataForwarding) { addDynamicMetadata("untyped-ns", "key1", "value1"); // Add typed metadata - ProtobufWkt::Any typed_value; + Protobuf::Any typed_value; typed_value.set_type_url("type.googleapis.com/envoy.test.TestMessage"); typed_value.set_value("test-value"); addTypedDynamicMetadata("typed-ns", typed_value); diff --git a/test/extensions/filters/network/generic_proxy/config_test.cc b/test/extensions/filters/network/generic_proxy/config_test.cc index d21737c819798..d86da067b5599 100644 --- a/test/extensions/filters/network/generic_proxy/config_test.cc +++ b/test/extensions/filters/network/generic_proxy/config_test.cc @@ -273,7 +273,7 @@ TEST(BasicFilterConfigTest, CreatingCodecFactory) { TEST(BasicFilterConfigTest, CreatingFilterFactories) { NiceMock factory_context; - ProtobufWkt::RepeatedPtrField filters_proto_config; + Protobuf::RepeatedPtrField filters_proto_config; envoy::config::core::v3::TypedExtensionConfig codec_config; const std::string yaml_config_0 = R"EOF( diff --git a/test/extensions/filters/network/generic_proxy/fake_codec.h b/test/extensions/filters/network/generic_proxy/fake_codec.h index 1f9cd32f56378..66e63a9bd7d79 100644 --- a/test/extensions/filters/network/generic_proxy/fake_codec.h +++ b/test/extensions/filters/network/generic_proxy/fake_codec.h @@ -417,7 +417,7 @@ class FakeStreamCodecFactoryConfig : public CodecFactoryConfig { createCodecFactory(const Protobuf::Message& config, Envoy::Server::Configuration::ServerFactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::set configTypes() override { return {"envoy.generic_proxy.codecs.fake.type"}; } std::string name() const override { return "envoy.generic_proxy.codecs.fake"; } @@ -442,7 +442,7 @@ class FakeAccessLogExtensionFilterFactory : public AccessLog::ExtensionFilterFac } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.generic_proxy.access_log.fake"; } }; diff --git a/test/extensions/filters/network/generic_proxy/mocks/codec.h b/test/extensions/filters/network/generic_proxy/mocks/codec.h index e1c7ff8c167e4..b93f4c8184fcb 100644 --- a/test/extensions/filters/network/generic_proxy/mocks/codec.h +++ b/test/extensions/filters/network/generic_proxy/mocks/codec.h @@ -100,7 +100,7 @@ class MockStreamCodecFactoryConfig : public CodecFactoryConfig { (const Protobuf::Message&, Server::Configuration::ServerFactoryContext&)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::set configTypes() override { return {"envoy.generic_proxy.codecs.mock.type"}; } std::string name() const override { return "envoy.generic_proxy.codecs.mock"; } diff --git a/test/extensions/filters/network/generic_proxy/mocks/filter.cc b/test/extensions/filters/network/generic_proxy/mocks/filter.cc index 4e5e3cf487263..8c4f8ab5394b6 100644 --- a/test/extensions/filters/network/generic_proxy/mocks/filter.cc +++ b/test/extensions/filters/network/generic_proxy/mocks/filter.cc @@ -17,7 +17,7 @@ MockRequestFramesHandler::MockRequestFramesHandler() = default; MockStreamFilterConfig::MockStreamFilterConfig() { ON_CALL(*this, createEmptyConfigProto()).WillByDefault(Invoke([]() { - return std::make_unique(); + return std::make_unique(); })); ON_CALL(*this, createFilterFactoryFromProto(_, _, _)) .WillByDefault(Return([](FilterChainFactoryCallbacks&) {})); diff --git a/test/extensions/filters/network/generic_proxy/route_test.cc b/test/extensions/filters/network/generic_proxy/route_test.cc index 1ee03a8bdd915..3eb597570f12b 100644 --- a/test/extensions/filters/network/generic_proxy/route_test.cc +++ b/test/extensions/filters/network/generic_proxy/route_test.cc @@ -85,7 +85,7 @@ class BazFactory : public RouteTypedMetadataFactory { std::string name() const override { return "baz"; } // Returns nullptr (conversion failure) if d is empty. std::unique_ptr - parse(const ProtobufWkt::Struct& d) const override { + parse(const Protobuf::Struct& d) const override { if (d.fields().find("name") != d.fields().end()) { return std::make_unique(d.fields().at("name").string_value()); } @@ -93,7 +93,7 @@ class BazFactory : public RouteTypedMetadataFactory { } std::unique_ptr - parse(const ProtobufWkt::Any&) const override { + parse(const Protobuf::Any&) const override { return nullptr; } }; @@ -130,7 +130,7 @@ TEST_F(RouteEntryImplTest, RouteTypedMetadata) { */ TEST_F(RouteEntryImplTest, RoutePerFilterConfig) { ON_CALL(filter_config_, createEmptyRouteConfigProto()).WillByDefault(Invoke([]() { - return std::make_unique(); + return std::make_unique(); })); Registry::InjectFactory registration(filter_config_); @@ -175,7 +175,7 @@ TEST_F(RouteEntryImplTest, RouteTimeout) { */ TEST_F(RouteEntryImplTest, RoutePerFilterConfigWithUnknownType) { ON_CALL(filter_config_, createEmptyRouteConfigProto()).WillByDefault(Invoke([]() { - return std::make_unique(); + return std::make_unique(); })); Registry::InjectFactory registration(filter_config_); @@ -206,7 +206,7 @@ TEST_F(RouteEntryImplTest, RoutePerFilterConfigWithUnknownTypeButEnableExtension scoped_runtime.mergeValues({{"envoy.reloadable_features.no_extension_lookup_by_name", "false"}}); ON_CALL(filter_config_, createEmptyRouteConfigProto()).WillByDefault(Invoke([]() { - return std::make_unique(); + return std::make_unique(); })); Registry::InjectFactory registration(filter_config_); @@ -264,7 +264,7 @@ TEST_F(RouteEntryImplTest, NullRouteEmptyProto) { TEST_F(RouteEntryImplTest, NullRouteSpecificConfig) { Registry::InjectFactory registration(filter_config_); ON_CALL(filter_config_, createEmptyRouteConfigProto()).WillByDefault(Invoke([]() { - return std::make_unique(); + return std::make_unique(); })); const std::string yaml_config = R"EOF( diff --git a/test/extensions/filters/network/generic_proxy/router/router_test.cc b/test/extensions/filters/network/generic_proxy/router/router_test.cc index 8c2fd694efbc8..f339fea54b33b 100644 --- a/test/extensions/filters/network/generic_proxy/router/router_test.cc +++ b/test/extensions/filters/network/generic_proxy/router/router_test.cc @@ -196,8 +196,8 @@ class RouterFilterTest : public testing::Test { } void verifyMetadataMatchCriteria() { - ProtobufWkt::Struct request_struct; - ProtobufWkt::Value val; + Protobuf::Struct request_struct; + Protobuf::Value val; // Populate metadata like StreamInfo.setDynamicMetadata() would. auto& fields_map = *request_struct.mutable_fields(); diff --git a/test/extensions/filters/network/http_connection_manager/config_test.cc b/test/extensions/filters/network/http_connection_manager/config_test.cc index b09de6ba3aa8e..f7fe6b9eb9aa1 100644 --- a/test/extensions/filters/network/http_connection_manager/config_test.cc +++ b/test/extensions/filters/network/http_connection_manager/config_test.cc @@ -2608,7 +2608,7 @@ class OriginalIPDetectionExtensionNotCreatedFactory : public Http::OriginalIPDet } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { @@ -2624,7 +2624,7 @@ class EarlyHeaderMutationExtensionNotCreatedFactory : public Http::EarlyHeaderMu } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { @@ -3234,7 +3234,7 @@ class DefaultHeaderValidatorFactoryConfigOverride : public Http::HeaderValidator createFromProto(const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& server_context) override { auto mptr = ::Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), server_context.messageValidationVisitor(), + dynamic_cast(message), server_context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidate(); + return std::make_unique(); } absl::StatusOr @@ -376,7 +376,7 @@ TEST(DelegatingNetworkFilterManager, RemoveReadFilterAndInitializeReadFilters) { } // Custom action type for testing non-skip action -class TestAction : public Matcher::ActionBase { +class TestAction : public Matcher::ActionBase { public: explicit TestAction(const std::string& value = "test_value") : value_(value) {} diff --git a/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc b/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc index b8d612b81f9d1..a1c466686d728 100644 --- a/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc +++ b/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc @@ -18,8 +18,8 @@ namespace MatchDelegate { namespace { using envoy::extensions::common::matching::v3::ExtensionWithMatcher; -using Envoy::ProtobufWkt::StringValue; -using Envoy::ProtobufWkt::UInt32Value; +using Envoy::Protobuf::StringValue; +using Envoy::Protobuf::UInt32Value; // A simple network filter that counts connections and data. class CountingFilter : public Network::Filter { diff --git a/test/extensions/filters/network/ratelimit/ratelimit_test.cc b/test/extensions/filters/network/ratelimit/ratelimit_test.cc index 8c51eea83bf7a..f183d6eeedff7 100644 --- a/test/extensions/filters/network/ratelimit/ratelimit_test.cc +++ b/test/extensions/filters/network/ratelimit/ratelimit_test.cc @@ -291,7 +291,7 @@ TEST_F(RateLimitFilterTest, OverLimitWithDynamicMetadata) { EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false)); Filters::Common::RateLimit::DynamicMetadataPtr dynamic_metadata = - std::make_unique(); + std::make_unique(); auto* fields = dynamic_metadata->mutable_fields(); (*fields)["name"] = ValueUtil::stringValue("my-limit"); (*fields)["x"] = ValueUtil::numberValue(3); @@ -299,7 +299,7 @@ TEST_F(RateLimitFilterTest, OverLimitWithDynamicMetadata) { EXPECT_CALL(filter_callbacks_.connection_, streamInfo()).WillOnce(ReturnRef(stream_info)); EXPECT_CALL(stream_info, setDynamicMetadata(_, _)) .WillOnce(Invoke([&dynamic_metadata](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_EQ(ns, NetworkFilterNames::get().RateLimit); EXPECT_TRUE(TestUtility::protoEqual(returned_dynamic_metadata, *dynamic_metadata)); })); diff --git a/test/extensions/filters/network/rbac/filter_test.cc b/test/extensions/filters/network/rbac/filter_test.cc index 46af305b79fd7..d09674d636d00 100644 --- a/test/extensions/filters/network/rbac/filter_test.cc +++ b/test/extensions/filters/network/rbac/filter_test.cc @@ -218,18 +218,18 @@ class RoleBasedAccessControlNetworkFilterTest : public testing::Test { void setMetadata() { ON_CALL(stream_info_, setDynamicMetadata(NetworkFilterNames::get().Rbac, _)) - .WillByDefault(Invoke([this](const std::string&, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([this](const std::string&, const Protobuf::Struct& obj) { stream_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair(NetworkFilterNames::get().Rbac, - obj)); + Protobuf::MapPair(NetworkFilterNames::get().Rbac, + obj)); })); ON_CALL(stream_info_, setDynamicMetadata( Filters::Common::RBAC::DynamicMetadataKeysSingleton::get().CommonNamespace, _)) - .WillByDefault(Invoke([this](const std::string&, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([this](const std::string&, const Protobuf::Struct& obj) { stream_info_.metadata_.mutable_filter_metadata()->insert( - Protobuf::MapPair( + Protobuf::MapPair( Filters::Common::RBAC::DynamicMetadataKeysSingleton::get().CommonNamespace, obj)); })); } diff --git a/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc b/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc index b5835c8ed9833..70b4693c552d0 100644 --- a/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc +++ b/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc @@ -212,7 +212,7 @@ stat_prefix: test config_, random_, filter_callbacks_.connection_.dispatcher_.timeSource(), drain_decision_); filter_->initializeReadFilterCallbacks(filter_callbacks_); ON_CALL(filter_callbacks_.connection_.stream_info_, setDynamicMetadata(_, _)) - .WillByDefault(Invoke([this](const std::string& key, const ProtobufWkt::Struct& obj) { + .WillByDefault(Invoke([this](const std::string& key, const Protobuf::Struct& obj) { (*filter_callbacks_.connection_.stream_info_.metadata_.mutable_filter_metadata())[key] .MergeFrom(obj); })); diff --git a/test/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter_test.cc b/test/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter_test.cc index 29214e232c045..658cc0ba63965 100644 --- a/test/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter_test.cc +++ b/test/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter_test.cc @@ -19,7 +19,7 @@ namespace HeaderToMetadataFilter { namespace { MATCHER_P(MapEq, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).string_value(), entry.second); @@ -28,7 +28,7 @@ MATCHER_P(MapEq, rhs, "") { } MATCHER_P(MapEqNum, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).number_value(), entry.second); @@ -37,7 +37,7 @@ MATCHER_P(MapEqNum, rhs, "") { } MATCHER_P(MapEqValue, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_TRUE(TestUtility::protoEqual(obj.fields().at(entry.first), entry.second)); @@ -284,10 +284,10 @@ TEST_F(HeaderToMetadataTest, ProtobufValueTypeInBase64UrlTest) { )EOF"; initializeFilter(request_config_yaml); - ProtobufWkt::Value value; + Protobuf::Value value; auto* s = value.mutable_struct_value(); - ProtobufWkt::Value v; + Protobuf::Value v; v.set_string_value("blafoo"); (*s->mutable_fields())["k1"] = v; v.set_number_value(2019.07); @@ -295,7 +295,7 @@ TEST_F(HeaderToMetadataTest, ProtobufValueTypeInBase64UrlTest) { v.set_bool_value(true); (*s->mutable_fields())["k3"] = v; - std::map expected = {{"proto_key", value}}; + std::map expected = {{"proto_key", value}}; EXPECT_CALL(req_info_, setDynamicMetadata("envoy.lb", MapEqValue(expected))); std::string data; diff --git a/test/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter_test.cc b/test/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter_test.cc index 54ddca99d2d18..73e7fd2f2ac69 100644 --- a/test/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter_test.cc +++ b/test/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/payload_to_metadata_filter_test.cc @@ -20,7 +20,7 @@ namespace { using ::testing::Return; MATCHER_P(MapEq, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_NE(obj.fields().find(entry.first), obj.fields().end()); @@ -30,7 +30,7 @@ MATCHER_P(MapEq, rhs, "") { } MATCHER_P(MapEqNum, rhs, "") { - const ProtobufWkt::Struct& obj = arg; + const Protobuf::Struct& obj = arg; EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_NE(obj.fields().find(entry.first), obj.fields().end()); diff --git a/test/extensions/filters/network/thrift_proxy/filters/ratelimit/ratelimit_test.cc b/test/extensions/filters/network/thrift_proxy/filters/ratelimit/ratelimit_test.cc index 81c567dacf0d8..5cb3a7fc22059 100644 --- a/test/extensions/filters/network/thrift_proxy/filters/ratelimit/ratelimit_test.cc +++ b/test/extensions/filters/network/thrift_proxy/filters/ratelimit/ratelimit_test.cc @@ -331,13 +331,13 @@ TEST_F(ThriftRateLimitFilterTest, ErrorResponseWithDynamicMetadata) { EXPECT_EQ(ThriftProxy::FilterStatus::StopIteration, filter_->messageBegin(request_metadata_)); Filters::Common::RateLimit::DynamicMetadataPtr dynamic_metadata = - std::make_unique(); + std::make_unique(); auto* fields = dynamic_metadata->mutable_fields(); (*fields)["name"] = ValueUtil::stringValue("my-limit"); (*fields)["x"] = ValueUtil::numberValue(3); EXPECT_CALL(filter_callbacks_.stream_info_, setDynamicMetadata(_, _)) .WillOnce(Invoke([&dynamic_metadata](const std::string& ns, - const ProtobufWkt::Struct& returned_dynamic_metadata) { + const Protobuf::Struct& returned_dynamic_metadata) { EXPECT_EQ(ns, "envoy.filters.thrift.rate_limit"); EXPECT_TRUE(TestUtility::protoEqual(returned_dynamic_metadata, *dynamic_metadata)); })); diff --git a/test/extensions/filters/network/thrift_proxy/mocks.cc b/test/extensions/filters/network/thrift_proxy/mocks.cc index ad491a3a968a1..276ad6f0409c8 100644 --- a/test/extensions/filters/network/thrift_proxy/mocks.cc +++ b/test/extensions/filters/network/thrift_proxy/mocks.cc @@ -13,9 +13,9 @@ using testing::ReturnRef; namespace Envoy { -// Provide a specialization for ProtobufWkt::Struct (for MockFilterConfigFactory) +// Provide a specialization for Protobuf::Struct (for MockFilterConfigFactory) template <> -void MessageUtil::validate(const ProtobufWkt::Struct&, ProtobufMessage::ValidationVisitor&, bool) {} +void MessageUtil::validate(const Protobuf::Struct&, ProtobufMessage::ValidationVisitor&, bool) {} namespace Extensions { namespace NetworkFilters { @@ -187,7 +187,7 @@ FilterFactoryCb MockDecoderFilterConfigFactory::createFilterFactoryFromProto( Server::Configuration::FactoryContext& context) { UNREFERENCED_PARAMETER(context); - config_struct_ = dynamic_cast(proto_config); + config_struct_ = dynamic_cast(proto_config); config_stat_prefix_ = stats_prefix; return [this](FilterChainFactoryCallbacks& callbacks) -> void { @@ -207,7 +207,7 @@ FilterFactoryCb MockEncoderFilterConfigFactory::createFilterFactoryFromProto( Server::Configuration::FactoryContext& context) { UNREFERENCED_PARAMETER(context); - config_struct_ = dynamic_cast(proto_config); + config_struct_ = dynamic_cast(proto_config); config_stat_prefix_ = stats_prefix; return [this](FilterChainFactoryCallbacks& callbacks) -> void { @@ -227,7 +227,7 @@ FilterFactoryCb MockBidirectionalFilterConfigFactory::createFilterFactoryFromPro Server::Configuration::FactoryContext& context) { UNREFERENCED_PARAMETER(context); - config_struct_ = dynamic_cast(proto_config); + config_struct_ = dynamic_cast(proto_config); config_stat_prefix_ = stats_prefix; return [this](FilterChainFactoryCallbacks& callbacks) -> void { diff --git a/test/extensions/filters/network/thrift_proxy/mocks.h b/test/extensions/filters/network/thrift_proxy/mocks.h index f81af7f674049..36cba4bcfb0c4 100644 --- a/test/extensions/filters/network/thrift_proxy/mocks.h +++ b/test/extensions/filters/network/thrift_proxy/mocks.h @@ -417,12 +417,12 @@ class MockDecoderFilterConfigFactory : public NamedThriftFilterConfigFactory { Server::Configuration::FactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return name_; } - ProtobufWkt::Struct config_struct_; + Protobuf::Struct config_struct_; std::string config_stat_prefix_; private: @@ -441,12 +441,12 @@ class MockEncoderFilterConfigFactory : public NamedThriftFilterConfigFactory { Server::Configuration::FactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return name_; } - ProtobufWkt::Struct config_struct_; + Protobuf::Struct config_struct_; std::string config_stat_prefix_; private: @@ -465,12 +465,12 @@ class MockBidirectionalFilterConfigFactory : public NamedThriftFilterConfigFacto Server::Configuration::FactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return name_; } - ProtobufWkt::Struct config_struct_; + Protobuf::Struct config_struct_; std::string config_stat_prefix_; private: diff --git a/test/extensions/filters/network/thrift_proxy/route_matcher_test.cc b/test/extensions/filters/network/thrift_proxy/route_matcher_test.cc index 92d944aca0539..65731f90b5e23 100644 --- a/test/extensions/filters/network/thrift_proxy/route_matcher_test.cc +++ b/test/extensions/filters/network/thrift_proxy/route_matcher_test.cc @@ -647,7 +647,7 @@ name: config criteria->metadataMatchCriteria(); EXPECT_EQ(2, mmc.size()); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); @@ -703,7 +703,7 @@ name: config auto matcher = createMatcher(yaml); MessageMetadata metadata; metadata.setMethodName("method1"); - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("v1"); v2.set_string_value("v2"); v3.set_string_value("v3"); @@ -790,7 +790,7 @@ name: config auto matcher = createMatcher(yaml); MessageMetadata metadata; metadata.setMethodName("method1"); - ProtobufWkt::Value v1, v2, v3; + Protobuf::Value v1, v2, v3; v1.set_string_value("v1"); v2.set_string_value("v2"); v3.set_string_value("v3"); @@ -901,7 +901,7 @@ TEST_F(ThriftRouteMatcherTest, ClusterHeaderMetadataMatch) { criteria->metadataMatchCriteria(); EXPECT_EQ(2, mmc.size()); - ProtobufWkt::Value v1, v2; + Protobuf::Value v1, v2; v1.set_string_value("v1"); v2.set_string_value("v2"); HashedValue hv1(v1), hv2(v2); diff --git a/test/extensions/filters/network/thrift_proxy/router_test.cc b/test/extensions/filters/network/thrift_proxy/router_test.cc index cd1de06c40da9..80d300e994cd8 100644 --- a/test/extensions/filters/network/thrift_proxy/router_test.cc +++ b/test/extensions/filters/network/thrift_proxy/router_test.cc @@ -151,8 +151,8 @@ class ThriftRouterTestBase { } void verifyMetadataMatchCriteriaFromRequest(bool route_entry_has_match) { - ProtobufWkt::Struct request_struct; - ProtobufWkt::Value val; + Protobuf::Struct request_struct; + Protobuf::Value val; // Populate metadata like StreamInfo.setDynamicMetadata() would. auto& fields_map = *request_struct.mutable_fields(); @@ -202,8 +202,8 @@ class ThriftRouterTestBase { } void verifyMetadataMatchCriteriaFromRoute(bool route_entry_has_match) { - ProtobufWkt::Struct route_struct; - ProtobufWkt::Value val; + Protobuf::Struct route_struct; + Protobuf::Value val; auto& fields_map = *route_struct.mutable_fields(); val.set_string_value("v3.1"); diff --git a/test/extensions/filters/network/zookeeper_proxy/config_test.cc b/test/extensions/filters/network/zookeeper_proxy/config_test.cc index 07799f663caf5..cd0ce589ab49d 100644 --- a/test/extensions/filters/network/zookeeper_proxy/config_test.cc +++ b/test/extensions/filters/network/zookeeper_proxy/config_test.cc @@ -20,7 +20,7 @@ using ZooKeeperProxyProtoConfig = class ZookeeperFilterConfigTest : public testing::Test { public: - std::string populateFullConfig(const ProtobufWkt::EnumDescriptor* opcode_descriptor) { + std::string populateFullConfig(const Protobuf::EnumDescriptor* opcode_descriptor) { std::string yaml = R"EOF( stat_prefix: test_prefix max_packet_bytes: 1048576 @@ -185,7 +185,7 @@ stat_prefix: test_prefix EXPECT_EQ(proto_config_.enable_per_opcode_decoder_error_metrics(), false); EXPECT_EQ(proto_config_.enable_latency_threshold_metrics(), false); EXPECT_EQ(proto_config_.default_latency_threshold(), - ProtobufWkt::util::TimeUtil::SecondsToDuration(0)); + Protobuf::util::TimeUtil::SecondsToDuration(0)); EXPECT_EQ(proto_config_.latency_threshold_overrides_size(), 0); Network::FilterFactoryCb cb = @@ -208,7 +208,7 @@ default_latency_threshold: "0.15s" EXPECT_EQ(proto_config_.enable_per_opcode_decoder_error_metrics(), false); EXPECT_EQ(proto_config_.enable_latency_threshold_metrics(), false); EXPECT_EQ(proto_config_.default_latency_threshold(), - ProtobufWkt::util::TimeUtil::MillisecondsToDuration(150)); + Protobuf::util::TimeUtil::MillisecondsToDuration(150)); EXPECT_EQ(proto_config_.latency_threshold_overrides_size(), 0); Network::FilterFactoryCb cb = @@ -233,12 +233,11 @@ stat_prefix: test_prefix EXPECT_EQ(proto_config_.enable_per_opcode_decoder_error_metrics(), false); EXPECT_EQ(proto_config_.enable_latency_threshold_metrics(), false); EXPECT_EQ(proto_config_.default_latency_threshold(), - ProtobufWkt::util::TimeUtil::SecondsToDuration(0)); + Protobuf::util::TimeUtil::SecondsToDuration(0)); EXPECT_EQ(proto_config_.latency_threshold_overrides_size(), 1); LatencyThresholdOverride threshold_override = proto_config_.latency_threshold_overrides().at(0); EXPECT_EQ(threshold_override.opcode(), LatencyThresholdOverride::Connect); - EXPECT_EQ(threshold_override.threshold(), - ProtobufWkt::util::TimeUtil::MillisecondsToDuration(151)); + EXPECT_EQ(threshold_override.threshold(), Protobuf::util::TimeUtil::MillisecondsToDuration(151)); Network::FilterFactoryCb cb = factory_.createFilterFactoryFromProto(proto_config_, context_).value(); @@ -247,7 +246,7 @@ stat_prefix: test_prefix } TEST_F(ZookeeperFilterConfigTest, FullConfig) { - const ProtobufWkt::EnumDescriptor* opcode_descriptor = envoy::extensions::filters::network:: + const Protobuf::EnumDescriptor* opcode_descriptor = envoy::extensions::filters::network:: zookeeper_proxy::v3::LatencyThresholdOverride_Opcode_descriptor(); std::string yaml = populateFullConfig(opcode_descriptor); TestUtility::loadFromYamlAndValidate(yaml, proto_config_); @@ -259,7 +258,7 @@ TEST_F(ZookeeperFilterConfigTest, FullConfig) { EXPECT_EQ(proto_config_.enable_per_opcode_decoder_error_metrics(), true); EXPECT_EQ(proto_config_.enable_latency_threshold_metrics(), true); EXPECT_EQ(proto_config_.default_latency_threshold(), - ProtobufWkt::util::TimeUtil::MillisecondsToDuration(100)); + Protobuf::util::TimeUtil::MillisecondsToDuration(100)); EXPECT_EQ(proto_config_.latency_threshold_overrides_size(), 27); for (int i = 0; i < opcode_descriptor->value_count(); i++) { @@ -270,7 +269,7 @@ TEST_F(ZookeeperFilterConfigTest, FullConfig) { EXPECT_EQ(opcode_name, opcode_tuple->name()); uint64_t threshold_delta = static_cast(opcode_tuple->number()); EXPECT_EQ(threshold_override.threshold(), - ProtobufWkt::util::TimeUtil::MillisecondsToDuration(150 + threshold_delta)); + Protobuf::util::TimeUtil::MillisecondsToDuration(150 + threshold_delta)); } Network::FilterFactoryCb cb = diff --git a/test/extensions/filters/network/zookeeper_proxy/filter_test.cc b/test/extensions/filters/network/zookeeper_proxy/filter_test.cc index 4136112f463b6..9aed2549a4b01 100644 --- a/test/extensions/filters/network/zookeeper_proxy/filter_test.cc +++ b/test/extensions/filters/network/zookeeper_proxy/filter_test.cc @@ -16,7 +16,7 @@ namespace Extensions { namespace NetworkFilters { namespace ZooKeeperProxy { -bool protoMapEq(const ProtobufWkt::Struct& obj, const std::map& rhs) { +bool protoMapEq(const Protobuf::Struct& obj, const std::map& rhs) { EXPECT_TRUE(!rhs.empty()); for (auto const& entry : rhs) { EXPECT_EQ(obj.fields().at(entry.first).string_value(), entry.second); @@ -584,7 +584,7 @@ class ZooKeeperFilterTest : public testing::Test { auto& call = EXPECT_CALL(stream_info_, setDynamicMetadata(_, _)); for (const auto& value : values) { - call.WillOnce(Invoke([value](const std::string& key, const ProtobufWkt::Struct& obj) -> void { + call.WillOnce(Invoke([value](const std::string& key, const Protobuf::Struct& obj) -> void { EXPECT_STREQ(key.c_str(), "envoy.filters.network.zookeeper_proxy"); protoMapEq(obj, value); })); diff --git a/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc b/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc index 205a9ac6e8b5c..8f45bb7825204 100644 --- a/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc +++ b/test/extensions/filters/udp/udp_proxy/udp_proxy_integration_test.cc @@ -51,7 +51,7 @@ class UdpReverseFilterConfigFactory } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "test.udp_listener.reverse"; } diff --git a/test/extensions/formatter/metadata/integration_test.cc b/test/extensions/formatter/metadata/integration_test.cc index 56903d7a75c52..663c7223971f9 100644 --- a/test/extensions/formatter/metadata/integration_test.cc +++ b/test/extensions/formatter/metadata/integration_test.cc @@ -24,7 +24,7 @@ class IntegrationTest : public testing::TestWithParam()) { // Create metadata object with test values. - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; auto& fields_map = *struct_obj.mutable_fields(); fields_map["test_key"] = ValueUtil::stringValue("test_value"); (*metadata_->mutable_filter_metadata())["metadata.test"] = struct_obj; diff --git a/test/extensions/health_check/event_sinks/file/file_sink_impl_test.cc b/test/extensions/health_check/event_sinks/file/file_sink_impl_test.cc index fc404286c9bfe..11515145aa250 100644 --- a/test/extensions/health_check/event_sinks/file/file_sink_impl_test.cc +++ b/test/extensions/health_check/event_sinks/file/file_sink_impl_test.cc @@ -26,7 +26,7 @@ TEST(HealthCheckEventFileSinkFactory, createHealthCheckEventSink) { envoy::extensions::health_check::event_sinks::file::v3::HealthCheckEventFileSink config; config.set_event_log_path("test_path"); - Envoy::ProtobufWkt::Any typed_config; + Envoy::Protobuf::Any typed_config; typed_config.PackFrom(config); NiceMock context; diff --git a/test/extensions/http/early_header_mutation/header_mutation/config_test.cc b/test/extensions/http/early_header_mutation/header_mutation/config_test.cc index 4812abc5fb8e7..c863110c31008 100644 --- a/test/extensions/http/early_header_mutation/header_mutation/config_test.cc +++ b/test/extensions/http/early_header_mutation/header_mutation/config_test.cc @@ -38,7 +38,7 @@ TEST(FactoryTest, FactoryTest) { ProtoHeaderMutation proto_mutation; TestUtility::loadFromYaml(config, proto_mutation); - ProtobufWkt::Any any_config; + Protobuf::Any any_config; any_config.PackFrom(proto_mutation); EXPECT_NE(nullptr, factory->createExtension(any_config, context)); diff --git a/test/extensions/io_socket/user_space/io_handle_impl_test.cc b/test/extensions/io_socket/user_space/io_handle_impl_test.cc index bea47e6bdd96c..f19d50bccbfdb 100644 --- a/test/extensions/io_socket/user_space/io_handle_impl_test.cc +++ b/test/extensions/io_socket/user_space/io_handle_impl_test.cc @@ -1205,8 +1205,8 @@ class TestObject : public StreamInfo::FilterState::Object { TEST_F(IoHandleImplTest, PassthroughState) { auto source_metadata = std::make_unique(); - ProtobufWkt::Struct& map = (*source_metadata->mutable_filter_metadata())["envoy.test"]; - ProtobufWkt::Value val; + Protobuf::Struct& map = (*source_metadata->mutable_filter_metadata())["envoy.test"]; + Protobuf::Value val; val.set_string_value("val"); (*map.mutable_fields())["key"] = val; StreamInfo::FilterState::Objects source_filter_state; diff --git a/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc b/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc index 368999143e0a1..740c52bd99437 100644 --- a/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc +++ b/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc @@ -13,9 +13,9 @@ BaseTester::BaseTester(uint64_t num_hosts, uint32_t weighted_subset_percent, uin const auto effective_weight = should_weight ? weight : 1; if (attach_metadata) { envoy::config::core::v3::Metadata metadata; - ProtobufWkt::Value value; + Protobuf::Value value; value.set_number_value(i); - ProtobufWkt::Struct& map = + Protobuf::Struct& map = (*metadata.mutable_filter_metadata())[Config::MetadataFilters::get().ENVOY_LB]; (*map.mutable_fields())[std::string(metadata_key)] = value; diff --git a/test/extensions/load_balancing_policies/override_host/config_test.cc b/test/extensions/load_balancing_policies/override_host/config_test.cc index 0e634db89b1b6..6ef6d61ff94b4 100644 --- a/test/extensions/load_balancing_policies/override_host/config_test.cc +++ b/test/extensions/load_balancing_policies/override_host/config_test.cc @@ -73,7 +73,7 @@ TEST(OverrideHostLbonfigTest, NoPrimaryOverideSources) { config.set_name("envoy.load_balancers.override_host"); OverrideHost config_msg; - ProtobufWkt::Struct invalid_policy; + Protobuf::Struct invalid_policy; auto* typed_extension_config = config_msg.mutable_fallback_policy()->add_policies()->mutable_typed_extension_config(); typed_extension_config->mutable_typed_config()->PackFrom(invalid_policy); @@ -100,7 +100,7 @@ TEST(OverrideHostLbonfigTest, FirstValidFallbackPolicyIsUsed) { OverrideHost config_msg; config_msg.add_override_host_sources()->set_header("x-foo"); - ProtobufWkt::Struct invalid_policy; + Protobuf::Struct invalid_policy; auto* typed_extension_config = config_msg.mutable_fallback_policy()->add_policies()->mutable_typed_extension_config(); typed_extension_config->mutable_typed_config()->PackFrom(invalid_policy); @@ -128,7 +128,7 @@ TEST(OverrideHostLbonfigTest, EmptyPrimaryOverrideSource) { // Do not set either host or metadata keys config_msg.add_override_host_sources(); - ProtobufWkt::Struct invalid_policy; + Protobuf::Struct invalid_policy; auto* typed_extension_config = config_msg.mutable_fallback_policy()->add_policies()->mutable_typed_extension_config(); typed_extension_config->mutable_typed_config()->PackFrom(invalid_policy); @@ -161,7 +161,7 @@ TEST(OverrideHostLbonfigTest, HeaderAndMetadataInTheSameOverrideSource) { metadata_key->set_key("x-bar"); metadata_key->add_path()->set_key("a/b/c"); - ProtobufWkt::Struct invalid_policy; + Protobuf::Struct invalid_policy; auto* typed_extension_config = config_msg.mutable_fallback_policy()->add_policies()->mutable_typed_extension_config(); typed_extension_config->mutable_typed_config()->PackFrom(invalid_policy); diff --git a/test/extensions/load_balancing_policies/override_host/load_balancer_test.cc b/test/extensions/load_balancing_policies/override_host/load_balancer_test.cc index 2476ec4a8b84f..596a3a533767b 100644 --- a/test/extensions/load_balancing_policies/override_host/load_balancer_test.cc +++ b/test/extensions/load_balancing_policies/override_host/load_balancer_test.cc @@ -127,7 +127,7 @@ class OverrideHostLoadBalancerTest : public ::testing::Test { void setSelectedEndpointsMetadata(absl::string_view key, absl::string_view selected_endpoints_text_proto) { - Envoy::ProtobufWkt::Struct selected_endpoints; + Envoy::Protobuf::Struct selected_endpoints; EXPECT_TRUE( Protobuf::TextFormat::ParseFromString(selected_endpoints_text_proto, &selected_endpoints)); (*metadata_.mutable_filter_metadata())[key] = selected_endpoints; diff --git a/test/extensions/load_balancing_policies/subset/subset_test.cc b/test/extensions/load_balancing_policies/subset/subset_test.cc index e84b9eac54206..3a988d0985f49 100644 --- a/test/extensions/load_balancing_policies/subset/subset_test.cc +++ b/test/extensions/load_balancing_policies/subset/subset_test.cc @@ -53,7 +53,7 @@ class MockLoadBalancerSubsetInfo : public LoadBalancerSubsetInfo { fallbackPolicy, (), (const)); MOCK_METHOD(envoy::config::cluster::v3::Cluster::LbSubsetConfig::LbSubsetMetadataFallbackPolicy, metadataFallbackPolicy, (), (const)); - MOCK_METHOD(const ProtobufWkt::Struct&, defaultSubset, (), (const)); + MOCK_METHOD(const Protobuf::Struct&, defaultSubset, (), (const)); MOCK_METHOD(const std::vector&, subsetSelectors, (), (const)); MOCK_METHOD(bool, localityWeightAware, (), (const)); MOCK_METHOD(bool, scaleLocalityWeight, (), (const)); @@ -68,7 +68,7 @@ MockLoadBalancerSubsetInfo::MockLoadBalancerSubsetInfo() { ON_CALL(*this, isEnabled()).WillByDefault(Return(true)); ON_CALL(*this, fallbackPolicy()) .WillByDefault(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::ANY_ENDPOINT)); - ON_CALL(*this, defaultSubset()).WillByDefault(ReturnRef(ProtobufWkt::Struct::default_instance())); + ON_CALL(*this, defaultSubset()).WillByDefault(ReturnRef(Protobuf::Struct::default_instance())); ON_CALL(*this, subsetSelectors()).WillByDefault(ReturnRef(subset_selectors_)); } @@ -91,7 +91,7 @@ class TestMetadataMatchCriteria : public Router::MetadataMatchCriteria { public: TestMetadataMatchCriteria(const std::map matches) { for (const auto& it : matches) { - ProtobufWkt::Value v; + Protobuf::Value v; v.set_string_value(it.second); matches_.emplace_back( @@ -99,7 +99,7 @@ class TestMetadataMatchCriteria : public Router::MetadataMatchCriteria { } } - TestMetadataMatchCriteria(const std::map matches) { + TestMetadataMatchCriteria(const std::map matches) { for (const auto& it : matches) { matches_.emplace_back( std::make_shared(it.first, HashedValue(it.second))); @@ -112,7 +112,7 @@ class TestMetadataMatchCriteria : public Router::MetadataMatchCriteria { } Router::MetadataMatchCriteriaConstPtr - mergeMatchCriteria(const ProtobufWkt::Struct& override) const override { + mergeMatchCriteria(const Protobuf::Struct& override) const override { auto new_criteria = std::make_unique(*this); // TODO: this is copied from MetadataMatchCriteriaImpl::extractMetadataMatchCriteria. @@ -265,7 +265,7 @@ TEST(LoadBalancerSubsetInfoImplTest, DefaultConfigIsDiabled) { } TEST(LoadBalancerSubsetInfoImplTest, SubsetConfig) { - auto subset_value = ProtobufWkt::Value(); + auto subset_value = Protobuf::Value(); subset_value.set_string_value("the value"); auto subset_config = envoy::config::cluster::v3::Cluster::LbSubsetConfig::default_instance(); @@ -306,9 +306,9 @@ class TestLoadBalancerContext : public LoadBalancerContextBase { new TestMetadataMatchCriteria(std::map(metadata_matches))) {} TestLoadBalancerContext( - std::initializer_list::value_type> metadata_matches) + std::initializer_list::value_type> metadata_matches) : matches_(new TestMetadataMatchCriteria( - std::map(metadata_matches))) {} + std::map(metadata_matches))) {} // Upstream::LoadBalancerContext absl::optional computeHashKey() override { return {}; } @@ -514,12 +514,12 @@ class SubsetLoadBalancerTest : public Event::TestUsingSimulatedTime, return makeTestHost(info_, url, m); } - ProtobufWkt::Struct makeDefaultSubset(HostMetadata metadata) { - ProtobufWkt::Struct default_subset; + Protobuf::Struct makeDefaultSubset(HostMetadata metadata) { + Protobuf::Struct default_subset; auto* fields = default_subset.mutable_fields(); for (const auto& it : metadata) { - ProtobufWkt::Value v; + Protobuf::Value v; v.set_string_value(it.second); fields->insert({it.first, v}); } @@ -707,8 +707,8 @@ class SubsetLoadBalancerTest : public Event::TestUsingSimulatedTime, return std::make_shared(metadata); } - ProtobufWkt::Value valueFromJson(std::string json) { - ProtobufWkt::Value v; + Protobuf::Value valueFromJson(std::string json) { + Protobuf::Value v; TestUtility::loadFromJson(json, v); return v; } @@ -805,7 +805,7 @@ TEST_F(SubsetLoadBalancerTest, FallbackDefaultSubset) { EXPECT_CALL(subset_info_, fallbackPolicy()) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::DEFAULT_SUBSET)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "default"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "default"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); init({ @@ -824,7 +824,7 @@ TEST_F(SubsetLoadBalancerTest, FallbackPanicMode) { EXPECT_CALL(subset_info_, panicModeAny()).WillRepeatedly(Return(true)); // The default subset will be empty. - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "none"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "none"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); init({ @@ -844,7 +844,7 @@ TEST_P(SubsetLoadBalancerTest, FallbackPanicModeWithUpdates) { EXPECT_CALL(subset_info_, panicModeAny()).WillRepeatedly(Return(true)); // The default subset will be empty. - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "none"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "none"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); init({{"tcp://127.0.0.1:80", {{"version", "default"}}}}); @@ -862,7 +862,7 @@ TEST_P(SubsetLoadBalancerTest, FallbackDefaultSubsetAfterUpdate) { EXPECT_CALL(subset_info_, fallbackPolicy()) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::DEFAULT_SUBSET)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "default"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "default"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); init({ @@ -885,7 +885,7 @@ TEST_F(SubsetLoadBalancerTest, FallbackEmptyDefaultSubsetConvertsToAnyEndpoint) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::DEFAULT_SUBSET)); EXPECT_CALL(subset_info_, defaultSubset()) - .WillRepeatedly(ReturnRef(ProtobufWkt::Struct::default_instance())); + .WillRepeatedly(ReturnRef(Protobuf::Struct::default_instance())); init(); @@ -1154,7 +1154,7 @@ TEST_P(SubsetLoadBalancerTest, OnlyMetadataChanged) { EXPECT_CALL(subset_info_, subsetSelectors()).WillRepeatedly(ReturnRef(subset_selectors)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"default", "true"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"default", "true"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); EXPECT_CALL(subset_info_, fallbackPolicy()) @@ -1342,7 +1342,7 @@ TEST_P(SubsetLoadBalancerTest, MetadataChangedHostsAddedRemoved) { TestLoadBalancerContext context_13({{"version", "1.3"}}); TestLoadBalancerContext context_14({{"version", "1.4"}}); TestLoadBalancerContext context_default({{"default", "true"}}); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"default", "true"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"default", "true"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); EXPECT_CALL(subset_info_, fallbackPolicy()) @@ -1837,7 +1837,7 @@ TEST_F(SubsetLoadBalancerTest, ZoneAwareFallbackDefaultSubset) { EXPECT_CALL(subset_info_, fallbackPolicy()) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::DEFAULT_SUBSET)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "default"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "default"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); std::vector subset_selectors = {makeSelector( @@ -1896,7 +1896,7 @@ TEST_P(SubsetLoadBalancerTest, ZoneAwareFallbackDefaultSubsetAfterUpdate) { EXPECT_CALL(subset_info_, fallbackPolicy()) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::DEFAULT_SUBSET)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "default"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "default"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); std::vector subset_selectors = {makeSelector( @@ -2280,10 +2280,10 @@ TEST_F(SubsetLoadBalancerTest, DescribeMetadata) { .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::NO_FALLBACK)); init(); - ProtobufWkt::Value str_value; + Protobuf::Value str_value; str_value.set_string_value("abc"); - ProtobufWkt::Value num_value; + Protobuf::Value num_value; num_value.set_number_value(100); EXPECT_EQ("version=\"abc\"", SubsetLoadBalancer::describeMetadata({{"version", str_value}})); @@ -2718,7 +2718,7 @@ TEST_P(SubsetLoadBalancerTest, SubsetSelectorDefaultAnyFallbackPerSelector) { EXPECT_CALL(subset_info_, subsetSelectors()).WillRepeatedly(ReturnRef(subset_selectors)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"bar", "default"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"bar", "default"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); // Add hosts initial hosts. @@ -2744,7 +2744,7 @@ TEST_P(SubsetLoadBalancerTest, SubsetSelectorDefaultAfterUpdate) { EXPECT_CALL(subset_info_, fallbackPolicy()) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::DEFAULT_SUBSET)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"version", "default"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"version", "default"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); std::vector subset_selectors = {makeSelector( @@ -2799,7 +2799,7 @@ TEST_P(SubsetLoadBalancerTest, SubsetSelectorAnyAfterUpdate) { TEST_P(SubsetLoadBalancerTest, FallbackForCompoundSelector) { EXPECT_CALL(subset_info_, fallbackPolicy()) .WillRepeatedly(Return(envoy::config::cluster::v3::Cluster::LbSubsetConfig::ANY_ENDPOINT)); - const ProtobufWkt::Struct default_subset = makeDefaultSubset({{"foo", "bar"}}); + const Protobuf::Struct default_subset = makeDefaultSubset({{"foo", "bar"}}); EXPECT_CALL(subset_info_, defaultSubset()).WillRepeatedly(ReturnRef(default_subset)); std::vector subset_selectors = { @@ -2954,8 +2954,8 @@ TEST_P(SubsetLoadBalancerTest, MetadataFallbackList) { // if fallback_list is not a list, it should be ignored // regular metadata is in effect - ProtobufWkt::Value null_value; - null_value.set_null_value(ProtobufWkt::NullValue::NULL_VALUE); + Protobuf::Value null_value; + null_value.set_null_value(Protobuf::NullValue::NULL_VALUE); TestLoadBalancerContext context_with_invalid_fallback_list_null( {{"version", valueFromJson("\"3.0\"")}, {"fallback_list", null_value}}); @@ -3309,7 +3309,7 @@ INSTANTIATE_TEST_SUITE_P(UpdateOrderings, SubsetLoadBalancerSingleHostPerSubsetT TEST(LoadBalancerContextWrapperTest, LoadBalancingContextWrapperTest) { testing::NiceMock mock_context; - ProtobufWkt::Struct empty_struct; + Protobuf::Struct empty_struct; Router::MetadataMatchCriteriaImpl match_criteria(empty_struct); ON_CALL(mock_context, metadataMatchCriteria()).WillByDefault(testing::Return(&match_criteria)); diff --git a/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc b/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc index b45243c06a841..887dfc3917039 100644 --- a/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc +++ b/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc @@ -267,7 +267,7 @@ TEST_F(CelMatcherTest, CelMatcherDynamicMetadataNotMatched) { TEST_F(CelMatcherTest, CelMatcherTypedDynamicMetadataMatched) { ::envoy::config::core::v3::Pipe pipe; pipe.set_path("/foo/bar/baz.fads"); - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(pipe); stream_info_.metadata_.mutable_typed_filter_metadata()->insert( {std::string(kFilterNamespace), typed_metadata}); diff --git a/test/extensions/matching/network/common/inputs_integration_test.cc b/test/extensions/matching/network/common/inputs_integration_test.cc index 75c335611f113..fd461f81ca1a4 100644 --- a/test/extensions/matching/network/common/inputs_integration_test.cc +++ b/test/extensions/matching/network/common/inputs_integration_test.cc @@ -229,7 +229,7 @@ TEST_F(InputsIntegrationTest, DynamicMetadataInput) { std::string label_key("label_key"); auto label = MessageUtil::keyValueStruct(label_key, "bar"); metadata.mutable_filter_metadata()->insert( - Protobuf::MapPair(metadata_key, label)); + Protobuf::MapPair(metadata_key, label)); auto stored_metadata = data.dynamicMetadata().filter_metadata(); EXPECT_EQ(label.fields_size(), 1); EXPECT_EQ(stored_metadata[metadata_key].fields_size(), 1); diff --git a/test/extensions/network/dns_resolver/cares/dns_impl_test.cc b/test/extensions/network/dns_resolver/cares/dns_impl_test.cc index 1e61dd5752dfd..772b90d464cff 100644 --- a/test/extensions/network/dns_resolver/cares/dns_impl_test.cc +++ b/test/extensions/network/dns_resolver/cares/dns_impl_test.cc @@ -975,7 +975,7 @@ class DnsImplTest : public testing::TestWithParam { virtual bool setResolverInConstructor() const { return false; } virtual bool filterUnroutableFamilies() const { return false; } virtual bool setRotateNameservers() const { return false; } - virtual ProtobufWkt::UInt32Value* udpMaxQueries() const { return nullptr; } + virtual Protobuf::UInt32Value* udpMaxQueries() const { return nullptr; } Stats::TestUtil::TestStore stats_store_; NiceMock runtime_; std::unique_ptr server_; @@ -2198,10 +2198,10 @@ TEST_F(DnsImplConstructor, VerifyCustomTimeoutAndTries) { dns_resolvers); envoy::extensions::network::dns_resolver::cares::v3::CaresDnsResolverConfig cares; cares.add_resolvers()->MergeFrom(dns_resolvers); - auto query_timeout_seconds = std::make_unique(); + auto query_timeout_seconds = std::make_unique(); query_timeout_seconds->set_value(9); cares.set_allocated_query_timeout_seconds(query_timeout_seconds.release()); - auto query_tries = std::make_unique(); + auto query_tries = std::make_unique(); query_tries->set_value(7); cares.set_allocated_query_tries(query_tries.release()); Network::Utility::addressToProtobufAddress( @@ -2243,10 +2243,10 @@ TEST_F(DnsImplConstructor, VerifyCustomTimeoutAndTries) { class DnsImplAresFlagsForMaxUdpQueriesinTest : public DnsImplTest { protected: bool tcpOnly() const override { return false; } - ProtobufWkt::UInt32Value* udpMaxQueries() const override { - auto udp_max_queries = std::make_unique(); + Protobuf::UInt32Value* udpMaxQueries() const override { + auto udp_max_queries = std::make_unique(); udp_max_queries->set_value(100); - return dynamic_cast(udp_max_queries.release()); + return dynamic_cast(udp_max_queries.release()); } }; diff --git a/test/extensions/quic/proof_source/pending_proof_source_factory_impl.h b/test/extensions/quic/proof_source/pending_proof_source_factory_impl.h index 35b77043d3859..0643b371c51fe 100644 --- a/test/extensions/quic/proof_source/pending_proof_source_factory_impl.h +++ b/test/extensions/quic/proof_source/pending_proof_source_factory_impl.h @@ -13,7 +13,7 @@ class PendingProofSourceFactoryImpl : public EnvoyQuicProofSourceFactoryInterfac public: ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "envoy.quic.proof_source.pending_signing"; } diff --git a/test/extensions/retry/host/omit_canary_hosts/config_test.cc b/test/extensions/retry/host/omit_canary_hosts/config_test.cc index aae083d6ac8f7..2927aa70a0db8 100644 --- a/test/extensions/retry/host/omit_canary_hosts/config_test.cc +++ b/test/extensions/retry/host/omit_canary_hosts/config_test.cc @@ -22,7 +22,7 @@ TEST(OmitCanaryHostsRetryPredicateTest, PredicateTest) { ASSERT_NE(nullptr, factory); - ProtobufWkt::Struct config; + Protobuf::Struct config; auto predicate = factory->createHostPredicate(config, 3); auto host1 = std::make_shared>(); diff --git a/test/extensions/retry/host/previous_hosts/config_test.cc b/test/extensions/retry/host/previous_hosts/config_test.cc index 5e24b59fc2895..281e3af00a047 100644 --- a/test/extensions/retry/host/previous_hosts/config_test.cc +++ b/test/extensions/retry/host/previous_hosts/config_test.cc @@ -23,7 +23,7 @@ TEST(PreviousHostsRetryPredicateConfigTest, PredicateTest) { ASSERT_NE(nullptr, factory); - ProtobufWkt::Struct config; + Protobuf::Struct config; auto predicate = factory->createHostPredicate(config, 3); auto host1 = std::make_shared>(); diff --git a/test/extensions/tracers/opentelemetry/grpc_trace_exporter_integration_test.cc b/test/extensions/tracers/opentelemetry/grpc_trace_exporter_integration_test.cc index 6f510c142e89d..cb354785b20c0 100644 --- a/test/extensions/tracers/opentelemetry/grpc_trace_exporter_integration_test.cc +++ b/test/extensions/tracers/opentelemetry/grpc_trace_exporter_integration_test.cc @@ -97,7 +97,7 @@ class OpenTelemetryTraceExporterIntegrationTest } FakeUpstream* grpc_receiver_upstream_{}; - ProtobufWkt::Struct otel_runtime_config_; + Protobuf::Struct otel_runtime_config_; FakeHttpConnectionPtr connection_; std::vector streams_; diff --git a/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc b/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc index 257d6ead1b3f0..cd08b58e55878 100644 --- a/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc +++ b/test/extensions/tracers/opentelemetry/resource_detectors/resource_provider_test.cc @@ -33,7 +33,7 @@ class DetectorFactoryA : public ResourceDetectorFactory { Server::Configuration::ServerFactoryContext& context)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.tracers.opentelemetry.resource_detectors.a"; } @@ -46,7 +46,7 @@ class DetectorFactoryB : public ResourceDetectorFactory { Server::Configuration::ServerFactoryContext& context)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.tracers.opentelemetry.resource_detectors.b"; } diff --git a/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc b/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc index 747d0ded66034..cbd3302210ac6 100644 --- a/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc +++ b/test/extensions/tracers/opentelemetry/samplers/sampler_test.cc @@ -41,7 +41,7 @@ class TestSamplerFactory : public SamplerFactory { Server::Configuration::TracerFactoryContext& context)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.tracers.opentelemetry.samplers.testsampler"; } diff --git a/test/extensions/tracers/xray/tracer_test.cc b/test/extensions/tracers/xray/tracer_test.cc index c451fb993f1f6..ebf0d0002f7a1 100644 --- a/test/extensions/tracers/xray/tracer_test.cc +++ b/test/extensions/tracers/xray/tracer_test.cc @@ -60,7 +60,7 @@ class XRayTracerTest : public ::testing::Test { expected_(std::make_unique( "Service 1", "AWS::Service::Proxy", "test_value", "egress hostname", "POST", "/first/second", "Mozilla/5.0 (Macintosh; Intel Mac OS X)", "egress")) {} - absl::flat_hash_map aws_metadata_; + absl::flat_hash_map aws_metadata_; NiceMock server_; NiceMock config_; std::unique_ptr broker_; @@ -584,7 +584,7 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, XRayDaemonTest, TEST_P(XRayDaemonTest, VerifyUdpPacketContents) { NiceMock config_; ON_CALL(config_, operationName()).WillByDefault(Return(Tracing::OperationName::Ingress)); - absl::flat_hash_map aws_metadata; + absl::flat_hash_map aws_metadata; NiceMock server; Network::Test::UdpSyncPeer xray_fake_daemon(GetParam()); const std::string daemon_endpoint = xray_fake_daemon.localAddress()->asString(); diff --git a/test/extensions/tracers/xray/xray_tracer_impl_test.cc b/test/extensions/tracers/xray/xray_tracer_impl_test.cc index 4a7a2c995c328..cf4e85b2a1fe6 100644 --- a/test/extensions/tracers/xray/xray_tracer_impl_test.cc +++ b/test/extensions/tracers/xray/xray_tracer_impl_test.cc @@ -34,7 +34,7 @@ class XRayDriverTest : public ::testing::Test { // The MockStreamInfo will register the singleton time system to SimulatedTimeSystem and ignore // the TestRealTimeSystem in the MockTracerFactoryContext. NiceMock stream_info_; - absl::flat_hash_map aws_metadata_; + absl::flat_hash_map aws_metadata_; NiceMock context_; NiceMock tls_; NiceMock tracing_config_; diff --git a/test/extensions/tracers/zipkin/span_buffer_test.cc b/test/extensions/tracers/zipkin/span_buffer_test.cc index 8972c9710e536..fdf3cb063f191 100644 --- a/test/extensions/tracers/zipkin/span_buffer_test.cc +++ b/test/extensions/tracers/zipkin/span_buffer_test.cc @@ -160,7 +160,7 @@ template std::string serializedMessageToJson(const std::string& TEST(ZipkinSpanBufferTest, TestSerializeTimestamp) { const std::string default_timestamp_string = std::to_string(DEFAULT_TEST_TIMESTAMP); - ProtobufWkt::Struct object; + Protobuf::Struct object; auto* fields = object.mutable_fields(); Util::Replacements replacements; (*fields)["timestamp"] = Util::uint64Value(DEFAULT_TEST_TIMESTAMP, "timestamp", replacements); @@ -462,7 +462,7 @@ TEST(ZipkinSpanBufferTest, SerializeSpan) { } TEST(ZipkinSpanBufferTest, TestSerializeTimestampInTheFuture) { - ProtobufWkt::Struct objectWithScientificNotation; + Protobuf::Struct objectWithScientificNotation; auto* objectWithScientificNotationFields = objectWithScientificNotation.mutable_fields(); (*objectWithScientificNotationFields)["timestamp"] = ValueUtil::numberValue( DEFAULT_TEST_TIMESTAMP); // the value of DEFAULT_TEST_TIMESTAMP is 1584324295476870. @@ -472,7 +472,7 @@ TEST(ZipkinSpanBufferTest, TestSerializeTimestampInTheFuture) { // see the value is rendered with scientific notation (1.58432429547687e+15). EXPECT_EQ(R"({"timestamp":1.58432429547687e+15})", objectWithScientificNotationJson); - ProtobufWkt::Struct object; + Protobuf::Struct object; auto* objectFields = object.mutable_fields(); Util::Replacements replacements; (*objectFields)["timestamp"] = @@ -486,7 +486,7 @@ TEST(ZipkinSpanBufferTest, TestSerializeTimestampInTheFuture) { SpanBuffer bufferDeprecatedJsonV1(envoy::config::trace::v3::ZipkinConfig::HTTP_JSON, true, 2); bufferDeprecatedJsonV1.addSpan(createSpan({"cs"}, IpType::V4)); - // We do "HasSubstr" here since we could not compare the serialized JSON of a ProtobufWkt::Struct + // We do "HasSubstr" here since we could not compare the serialized JSON of a Protobuf::Struct // object, since the positions of keys are not consistent between calls. EXPECT_THAT(bufferDeprecatedJsonV1.serialize(), HasSubstr(R"("timestamp":1584324295476871)")); EXPECT_THAT(bufferDeprecatedJsonV1.serialize(), diff --git a/test/extensions/transport_sockets/http_11_proxy/connect_test.cc b/test/extensions/transport_sockets/http_11_proxy/connect_test.cc index eeb97a54aaade..20450732e6a3f 100644 --- a/test/extensions/transport_sockets/http_11_proxy/connect_test.cc +++ b/test/extensions/transport_sockets/http_11_proxy/connect_test.cc @@ -113,7 +113,7 @@ class Http11ConnectTest : public testing::TestWithParamset_address(proxy_info_hostname); addr_proto.mutable_socket_address()->set_port_value(1234); - ProtobufWkt::Any anypb; + Protobuf::Any anypb; anypb.PackFrom(addr_proto); metadata->mutable_typed_filter_metadata()->emplace(std::make_pair(metadata_key, anypb)); EXPECT_CALL(*host, metadata()).Times(AnyNumber()).WillRepeatedly(Return(metadata)); diff --git a/test/extensions/transport_sockets/internal_upstream/internal_upstream_test.cc b/test/extensions/transport_sockets/internal_upstream/internal_upstream_test.cc index 0736d9407f7b6..f43fdc8c125e7 100644 --- a/test/extensions/transport_sockets/internal_upstream/internal_upstream_test.cc +++ b/test/extensions/transport_sockets/internal_upstream/internal_upstream_test.cc @@ -83,8 +83,8 @@ TEST_F(InternalSocketTest, PassthroughStateInjected) { filter_state_objects_.push_back( {filter_state_object, StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::StreamSharingMayImpactPooling::SharedWithUpstreamConnection, "test.object"}); - ProtobufWkt::Struct& map = (*metadata_->mutable_filter_metadata())["envoy.test"]; - ProtobufWkt::Value val; + Protobuf::Struct& map = (*metadata_->mutable_filter_metadata())["envoy.test"]; + Protobuf::Value val; val.set_string_value("val"); (*map.mutable_fields())["key"] = val; diff --git a/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_integration_test.cc b/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_integration_test.cc index 9c3190e72e9ab..8079ed6adc933 100644 --- a/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_integration_test.cc +++ b/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_integration_test.cc @@ -490,7 +490,7 @@ class ProxyProtocolTLVsIntegrationTest : public testing::TestWithParamset_type(tlv.first); entry->set_value(std::string(tlv.second.begin(), tlv.second.end())); } - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(tlvs_metadata); const std::string metadata_key = Config::MetadataFilters::get().ENVOY_TRANSPORT_SOCKETS_PROXY_PROTOCOL; diff --git a/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_test.cc b/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_test.cc index 9c8abb2a695b6..5964ce747f2bc 100644 --- a/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_test.cc +++ b/test/extensions/transport_sockets/proxy_protocol/proxy_protocol_test.cc @@ -781,7 +781,7 @@ TEST_F(ProxyProtocolTest, V2CustomTLVsFromHostMetadata) { host_added_tlvs->set_type(0x96); host_added_tlvs->set_value("moredata"); - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(host_metadata_config); metadata->mutable_typed_filter_metadata()->emplace(std::make_pair(metadata_key, typed_metadata)); EXPECT_CALL(*host, metadata()).Times(testing::AnyNumber()).WillRepeatedly(Return(metadata)); @@ -844,7 +844,7 @@ TEST_F(ProxyProtocolTest, V2CombinedPrecedenceHostConfigPassthrough) { host_added_tlvs->set_type(0x99); host_added_tlvs->set_value("hostValue"); - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(host_metadata_config); metadata->mutable_typed_filter_metadata()->emplace(std::make_pair(metadata_key, typed_metadata)); EXPECT_CALL(*host, metadata()).WillRepeatedly(Return(metadata)); @@ -908,7 +908,7 @@ TEST_F(ProxyProtocolTest, V2DuplicateTLVsInConfigAndMetadataHandledProperly) { auto duplicate_host_entry = host_metadata_config.add_added_tlvs(); duplicate_host_entry->set_type(0x98); duplicate_host_entry->set_value("d2"); // Last duplicate value - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(host_metadata_config); metadata->mutable_typed_filter_metadata()->emplace(std::make_pair(metadata_key, typed_metadata)); EXPECT_CALL(*host, metadata()).WillRepeatedly(Return(metadata)); @@ -979,7 +979,7 @@ TEST_F(ProxyProtocolTest, V2CustomTLVMetadataInvalidFormat) { envoy::config::core::v3::Address addr_proto; addr_proto.mutable_socket_address()->set_address("0.0.0.0"); addr_proto.mutable_socket_address()->set_port_value(1234); - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(addr_proto); metadata->mutable_typed_filter_metadata()->emplace(std::make_pair(metadata_key, typed_metadata)); EXPECT_CALL(*host, metadata()).Times(testing::AnyNumber()).WillRepeatedly(Return(metadata)); @@ -1034,7 +1034,7 @@ TEST_F(ProxyProtocolTest, V2CustomTLVHostMetadataMissing) { outbound-proxy-protocol: true )EOF", socket_match_metadata); - ProtobufWkt::Any typed_metadata; + Protobuf::Any typed_metadata; typed_metadata.PackFrom(socket_match_metadata); auto host = std::make_shared>(); diff --git a/test/extensions/upstreams/http/config_test.cc b/test/extensions/upstreams/http/config_test.cc index 5571a6526df25..155ad08367b99 100644 --- a/test/extensions/upstreams/http/config_test.cc +++ b/test/extensions/upstreams/http/config_test.cc @@ -148,7 +148,7 @@ class DefaultHeaderValidatorFactoryConfigOverride createFromProto(const Protobuf::Message& message, Server::Configuration::ServerFactoryContext& server_context) override { auto mptr = ::Envoy::Config::Utility::translateAnyToFactoryConfig( - dynamic_cast(message), server_context.messageValidationVisitor(), + dynamic_cast(message), server_context.messageValidationVisitor(), *this); const auto& proto_config = MessageUtil::downcastAndValidatefull_name() == "google.protobuf.Any") { - auto* any_message = Protobuf::DynamicCastMessage(&message); + auto* any_message = Protobuf::DynamicCastMessage(&message); inner_message = Helper::typeUrlToMessage(any_message->type_url()); target_type_url = any_message->type_url(); if (inner_message) { diff --git a/test/fuzz/utility.h b/test/fuzz/utility.h index 321cf875fc2f3..230f01f8a19e8 100644 --- a/test/fuzz/utility.h +++ b/test/fuzz/utility.h @@ -72,7 +72,7 @@ replaceInvalidStringValues(const envoy::config::core::v3::Metadata& upstream_met // This clears any invalid characters in string values. It may not be likely a coverage-driven // fuzzer will explore recursive structs, so this case is not handled here. for (auto& field : *metadata_struct.second.mutable_fields()) { - if (field.second.kind_case() == ProtobufWkt::Value::kStringValue) { + if (field.second.kind_case() == Protobuf::Value::kStringValue) { field.second.set_string_value(replaceInvalidCharacters(field.second.string_value())); } } diff --git a/test/fuzz/validated_input_generator.cc b/test/fuzz/validated_input_generator.cc index 2d53ac0f406ac..9427b9a8feae9 100644 --- a/test/fuzz/validated_input_generator.cc +++ b/test/fuzz/validated_input_generator.cc @@ -164,8 +164,8 @@ void ValidatedInputGenerator::handleAnyRules( if (any_rules.has_required() && any_rules.required()) { // Stop creating any message when a certain depth is reached if (max_depth_ > 0 && current_depth_ > max_depth_) { - auto* any_message = Protobuf::DynamicCastMessage(msg); - any_message->PackFrom(ProtobufWkt::Struct()); + auto* any_message = Protobuf::DynamicCastMessage(msg); + any_message->PackFrom(Protobuf::Struct()); return; } const Protobuf::Descriptor* descriptor = msg->GetDescriptor(); @@ -178,7 +178,7 @@ void ValidatedInputGenerator::handleAnyRules( const std::string field_name = std::string(message_path_.back()); FieldToTypeUrls::const_iterator field_to_typeurls_cand = field_to_typeurls.find(field_name); if (field_to_typeurls_cand != any_map_cand->second.end()) { - auto* any_message = Protobuf::DynamicCastMessage(msg); + auto* any_message = Protobuf::DynamicCastMessage(msg); inner_message = ProtobufMessage::Helper::typeUrlToMessage(any_message->type_url()); if (!inner_message || !any_message->UnpackTo(inner_message.get())) { const TypeUrlAndFactory& randomed_typeurl = field_to_typeurls_cand->second.at( @@ -415,7 +415,7 @@ void ValidatedInputGenerator::onEnterMessage(Protobuf::Message& msg, const Protobuf::Descriptor* descriptor = msg.GetDescriptor(); message_path_.push_back(field_name); if (descriptor->full_name() == kAny) { - auto* any_message = Protobuf::DynamicCastMessage(&msg); + auto* any_message = Protobuf::DynamicCastMessage(&msg); std::unique_ptr inner_message = ProtobufMessage::Helper::typeUrlToMessage(any_message->type_url()); if (!inner_message || !any_message->UnpackTo(inner_message.get())) { @@ -464,7 +464,7 @@ void ValidatedInputGenerator::onLeaveMessage(Protobuf::Message&, ValidatedInputGenerator::AnyMap ValidatedInputGenerator::getDefaultAnyMap() { static const auto dummy_proto_msg = []() -> std::unique_ptr { - return std::make_unique(); + return std::make_unique(); }; static const ValidatedInputGenerator::ListOfTypeUrlAndFactory matchers = { diff --git a/test/integration/access_log_integration_test.cc b/test/integration/access_log_integration_test.cc index cce81f75187a5..cf3c54d7e0b4e 100644 --- a/test/integration/access_log_integration_test.cc +++ b/test/integration/access_log_integration_test.cc @@ -45,7 +45,7 @@ TEST_P(AccessLogIntegrationTest, ShouldReplaceInvalidUtf8) { auto* log_format = access_log_config.mutable_log_format(); auto* json = log_format->mutable_json_format(); - Envoy::ProtobufWkt::Value v; + Envoy::Protobuf::Value v; v.set_string_value("%REQ(X-FORWARDED-FOR)%"); auto fields = json->mutable_fields(); (*fields)["x_forwarded_for"] = v; diff --git a/test/integration/ads_integration.cc b/test/integration/ads_integration.cc index 335e7f014e35e..96eb78fd557db 100644 --- a/test/integration/ads_integration.cc +++ b/test/integration/ads_integration.cc @@ -210,11 +210,11 @@ void AdsIntegrationTest::testBasicFlow() { test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); makeSingleRequest(); - const ProtobufWkt::Timestamp first_active_listener_ts_1 = + const Protobuf::Timestamp first_active_listener_ts_1 = getListenersConfigDump().dynamic_listeners(0).active_state().last_updated(); - const ProtobufWkt::Timestamp first_active_cluster_ts_1 = + const Protobuf::Timestamp first_active_cluster_ts_1 = getClustersConfigDump().dynamic_active_clusters()[0].last_updated(); - const ProtobufWkt::Timestamp first_route_config_ts_1 = + const Protobuf::Timestamp first_route_config_ts_1 = getRoutesConfigDump().dynamic_route_configs()[0].last_updated(); // Upgrade RDS/CDS/EDS to a newer config, validate we can process a request. @@ -242,11 +242,11 @@ void AdsIntegrationTest::testBasicFlow() { {"route_config_0"}, {}, {})); makeSingleRequest(); - const ProtobufWkt::Timestamp first_active_listener_ts_2 = + const Protobuf::Timestamp first_active_listener_ts_2 = getListenersConfigDump().dynamic_listeners(0).active_state().last_updated(); - const ProtobufWkt::Timestamp first_active_cluster_ts_2 = + const Protobuf::Timestamp first_active_cluster_ts_2 = getClustersConfigDump().dynamic_active_clusters()[0].last_updated(); - const ProtobufWkt::Timestamp first_route_config_ts_2 = + const Protobuf::Timestamp first_route_config_ts_2 = getRoutesConfigDump().dynamic_route_configs()[0].last_updated(); // Upgrade LDS/RDS, validate we can process a request. @@ -276,11 +276,11 @@ void AdsIntegrationTest::testBasicFlow() { test_server_->waitForCounterGe("listener_manager.listener_create_success", 2); makeSingleRequest(); - const ProtobufWkt::Timestamp first_active_listener_ts_3 = + const Protobuf::Timestamp first_active_listener_ts_3 = getListenersConfigDump().dynamic_listeners(0).active_state().last_updated(); - const ProtobufWkt::Timestamp first_active_cluster_ts_3 = + const Protobuf::Timestamp first_active_cluster_ts_3 = getClustersConfigDump().dynamic_active_clusters()[0].last_updated(); - const ProtobufWkt::Timestamp first_route_config_ts_3 = + const Protobuf::Timestamp first_route_config_ts_3 = getRoutesConfigDump().dynamic_route_configs()[0].last_updated(); // Expect last_updated timestamps to be updated in a predictable way diff --git a/test/integration/ads_integration_test.cc b/test/integration/ads_integration_test.cc index 0ecb723633caf..2996ff26950e5 100644 --- a/test/integration/ads_integration_test.cc +++ b/test/integration/ads_integration_test.cc @@ -69,13 +69,13 @@ TEST_P(AdsIntegrationTest, BasicClusterInitialWarmingWithResourceWrapper) { EXPECT_TRUE(compareDiscoveryRequest(cds_type_url, "", {}, {}, {}, true)); sendDiscoveryResponse( cds_type_url, {buildCluster("cluster_0")}, {buildCluster("cluster_0")}, {}, "1", - {{"test", ProtobufWkt::Any()}}); + {{"test", Protobuf::Any()}}); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 1); test_server_->waitForGaugeEq("cluster.cluster_0.warming_state", 1); EXPECT_TRUE(compareDiscoveryRequest(eds_type_url, "", {"cluster_0"}, {"cluster_0"}, {})); sendDiscoveryResponse( eds_type_url, {buildClusterLoadAssignment("cluster_0")}, - {buildClusterLoadAssignment("cluster_0")}, {}, "1", {{"test", ProtobufWkt::Any()}}); + {buildClusterLoadAssignment("cluster_0")}, {}, "1", {{"test", Protobuf::Any()}}); test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); test_server_->waitForGaugeGe("cluster_manager.active_clusters", 2); diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc index 3741ae20c2efd..b6a6d241cf7d6 100644 --- a/test/integration/base_integration_test.cc +++ b/test/integration/base_integration_test.cc @@ -223,7 +223,7 @@ std::string BaseIntegrationTest::finalizeConfigWithPorts(ConfigHelper& config_he envoy::service::discovery::v3::DiscoveryResponse lds; lds.set_version_info("0"); for (auto& listener : config_helper.bootstrap().static_resources().listeners()) { - ProtobufWkt::Any* resource = lds.add_resources(); + Protobuf::Any* resource = lds.add_resources(); resource->PackFrom(listener); } #ifdef ENVOY_ENABLE_YAML diff --git a/test/integration/base_integration_test.h b/test/integration/base_integration_test.h index 64ba788d0dd8b..0d54d3b6cf090 100644 --- a/test/integration/base_integration_test.h +++ b/test/integration/base_integration_test.h @@ -190,12 +190,11 @@ class BaseIntegrationTest : protected Logger::Loggable { absl::nullopt); template - void - sendDiscoveryResponse(const std::string& type_url, const std::vector& state_of_the_world, - const std::vector& added_or_updated, - const std::vector& removed, const std::string& version, - const absl::flat_hash_map& metadata = {}, - FakeStream* stream = nullptr) { + void sendDiscoveryResponse(const std::string& type_url, const std::vector& state_of_the_world, + const std::vector& added_or_updated, + const std::vector& removed, const std::string& version, + const absl::flat_hash_map& metadata = {}, + FakeStream* stream = nullptr) { if (sotw_or_delta_ == Grpc::SotwOrDelta::Sotw || sotw_or_delta_ == Grpc::SotwOrDelta::UnifiedSotw) { sendSotwDiscoveryResponse(type_url, state_of_the_world, version, stream, metadata); @@ -237,10 +236,9 @@ class BaseIntegrationTest : protected Logger::Loggable { sendSotwDiscoveryResponse(type_url, messages, version, stream, {}); } template - void - sendSotwDiscoveryResponse(const std::string& type_url, const std::vector& messages, - const std::string& version, FakeStream* stream, - const absl::flat_hash_map& metadata) { + void sendSotwDiscoveryResponse(const std::string& type_url, const std::vector& messages, + const std::string& version, FakeStream* stream, + const absl::flat_hash_map& metadata) { if (stream == nullptr) { stream = xds_stream_.get(); } @@ -287,7 +285,7 @@ class BaseIntegrationTest : protected Logger::Loggable { void sendDeltaDiscoveryResponse(const std::string& type_url, const std::vector& added_or_updated, const std::vector& removed, const std::string& version, - const absl::flat_hash_map& metadata) { + const absl::flat_hash_map& metadata) { sendDeltaDiscoveryResponse(type_url, added_or_updated, removed, version, xds_stream_, {}, metadata); } @@ -297,7 +295,7 @@ class BaseIntegrationTest : protected Logger::Loggable { sendDeltaDiscoveryResponse(const std::string& type_url, const std::vector& added_or_updated, const std::vector& removed, const std::string& version, FakeStream* stream, const std::vector& aliases, - const absl::flat_hash_map& metadata) { + const absl::flat_hash_map& metadata) { auto response = createDeltaDiscoveryResponse(type_url, added_or_updated, removed, version, aliases, metadata); if (stream == nullptr) { @@ -327,7 +325,7 @@ class BaseIntegrationTest : protected Logger::Loggable { createDeltaDiscoveryResponse(const std::string& type_url, const std::vector& added_or_updated, const std::vector& removed, const std::string& version, const std::vector& aliases, - const absl::flat_hash_map& metadata) { + const absl::flat_hash_map& metadata) { std::vector resources; for (const auto& message : added_or_updated) { envoy::service::discovery::v3::Resource resource; diff --git a/test/integration/circuit_breakers_integration_test.cc b/test/integration/circuit_breakers_integration_test.cc index 6d38b10776938..adc4a9885deaf 100644 --- a/test/integration/circuit_breakers_integration_test.cc +++ b/test/integration/circuit_breakers_integration_test.cc @@ -151,7 +151,7 @@ TEST_P(CircuitBreakersIntegrationTest, CircuitBreakerRuntimeProto) { auto* layer = bootstrap.mutable_layered_runtime()->add_layers(); layer->set_name("enable layer"); - ProtobufWkt::Struct& runtime = *layer->mutable_static_layer(); + Protobuf::Struct& runtime = *layer->mutable_static_layer(); (*runtime.mutable_fields())["circuit_breakers.cluster_0.default.max_requests"].set_number_value( 0); diff --git a/test/integration/cluster_filter_integration_test.cc b/test/integration/cluster_filter_integration_test.cc index a363d9f512c2d..e716b0a5195ff 100644 --- a/test/integration/cluster_filter_integration_test.cc +++ b/test/integration/cluster_filter_integration_test.cc @@ -23,7 +23,7 @@ class TestParent { class PoliteFilter : public Network::Filter, Logger::Loggable { public: - PoliteFilter(TestParent& parent, const ProtobufWkt::StringValue& value) + PoliteFilter(TestParent& parent, const Protobuf::StringValue& value) : parent_(parent), greeting_(value.value()) {} Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override { @@ -80,14 +80,14 @@ class PoliteFilterConfigFactory Network::FilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config, Server::Configuration::UpstreamFactoryContext&) override { - auto config = dynamic_cast(proto_config); + auto config = dynamic_cast(proto_config); return [this, config](Network::FilterManager& filter_manager) -> void { filter_manager.addFilter(std::make_shared(test_parent_, config)); }; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.upstream.polite"; } @@ -139,7 +139,7 @@ class ClusterFilterTcpIntegrationTest : public ClusterFilterIntegrationTestBase, auto* cluster_0 = bootstrap.mutable_static_resources()->mutable_clusters(0); auto* filter = cluster_0->add_filters(); filter->set_name("envoy.upstream.polite"); - ProtobufWkt::StringValue config; + Protobuf::StringValue config; config.set_value("surely "); filter->mutable_typed_config()->PackFrom(config); }); @@ -199,7 +199,7 @@ class ClusterFilterHttpIntegrationTest : public ClusterFilterIntegrationTestBase auto* cluster_0 = bootstrap.mutable_static_resources()->mutable_clusters(0); auto* filter = cluster_0->add_filters(); filter->set_name("envoy.upstream.polite"); - ProtobufWkt::StringValue config; + Protobuf::StringValue config; config.set_value(""); filter->mutable_typed_config()->PackFrom(config); }); diff --git a/test/integration/cluster_upstream_extension_integration_test.cc b/test/integration/cluster_upstream_extension_integration_test.cc index 0853bedb76d52..da83a4d865d7f 100644 --- a/test/integration/cluster_upstream_extension_integration_test.cc +++ b/test/integration/cluster_upstream_extension_integration_test.cc @@ -26,7 +26,7 @@ class ClusterUpstreamExtensionIntegrationTest const std::string& key1, const std::string& key2, const std::string& value) { - ProtobufWkt::Struct struct_obj; + Protobuf::Struct struct_obj; (*struct_obj.mutable_fields())[key2] = ValueUtil::stringValue(value); (*metadata.mutable_filter_metadata())[key1] = struct_obj; } diff --git a/test/integration/command_formatter_extension_integration_test.cc b/test/integration/command_formatter_extension_integration_test.cc index e0fe588e61302..b8f3df1eccfc5 100644 --- a/test/integration/command_formatter_extension_integration_test.cc +++ b/test/integration/command_formatter_extension_integration_test.cc @@ -22,7 +22,7 @@ TEST_F(CommandFormatterExtensionIntegrationTest, BasicExtension) { Registry::InjectFactory command_register(factory); std::vector formatters; envoy::config::core::v3::TypedExtensionConfig typed_config; - ProtobufWkt::StringValue config; + Protobuf::StringValue config; typed_config.set_name("envoy.formatter.TestFormatter"); typed_config.mutable_typed_config()->PackFrom(config); diff --git a/test/integration/extension_discovery_integration_test.cc b/test/integration/extension_discovery_integration_test.cc index bbe2f039a9395..0766b32a9bbee 100644 --- a/test/integration/extension_discovery_integration_test.cc +++ b/test/integration/extension_discovery_integration_test.cc @@ -329,7 +329,7 @@ class ExtensionDiscoveryIntegrationTest : public Grpc::GrpcClientIntegrationPara void sendHttpFilterEcdsResponseWithFullYaml(const std::string& name, const std::string& version, const std::string& full_yaml) { - const auto configuration = TestUtility::parseYaml(full_yaml); + const auto configuration = TestUtility::parseYaml(full_yaml); envoy::config::core::v3::TypedExtensionConfig typed_config; typed_config.set_name(name); typed_config.mutable_typed_config()->MergeFrom(configuration); diff --git a/test/integration/filter_manager_integration_test.cc b/test/integration/filter_manager_integration_test.cc index 518daa2486e9c..a0738cd85e4eb 100644 --- a/test/integration/filter_manager_integration_test.cc +++ b/test/integration/filter_manager_integration_test.cc @@ -265,7 +265,7 @@ class DispenserFilterConfigFactory : public Server::Configuration::NamedNetworkF ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return name_; } diff --git a/test/integration/filters/address_restore_listener_filter.cc b/test/integration/filters/address_restore_listener_filter.cc index e623afbcae506..581ab56c47cdf 100644 --- a/test/integration/filters/address_restore_listener_filter.cc +++ b/test/integration/filters/address_restore_listener_filter.cc @@ -54,7 +54,7 @@ class FakeOriginalDstListenerFilterConfigFactory } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { diff --git a/test/integration/filters/decode_dynamic_metadata_filter.cc b/test/integration/filters/decode_dynamic_metadata_filter.cc index e5441bfa131c6..3624c4e52eaa6 100644 --- a/test/integration/filters/decode_dynamic_metadata_filter.cc +++ b/test/integration/filters/decode_dynamic_metadata_filter.cc @@ -16,13 +16,13 @@ class DecodeDynamicMetadataFilter : public Http::PassThroughFilter { for (auto const& [k, v] : kvs.fields()) { std::string value; switch (v.kind_case()) { - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: value = fmt::format("{:g}", v.number_value()); break; - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: value = v.string_value(); break; - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: value = v.bool_value() ? "true" : "false"; break; default: diff --git a/test/integration/filters/listener_typed_metadata_filter.cc b/test/integration/filters/listener_typed_metadata_filter.cc index 8150d36153371..ef85187a0e672 100644 --- a/test/integration/filters/listener_typed_metadata_filter.cc +++ b/test/integration/filters/listener_typed_metadata_filter.cc @@ -27,13 +27,13 @@ class BazTypedMetadataFactory : public Network::ListenerTypedMetadataFactory { std::string name() const override { return std::string(kMetadataKey); } std::unique_ptr - parse(const ProtobufWkt::Struct&) const override { + parse(const Protobuf::Struct&) const override { ADD_FAILURE() << "Filter should not parse struct-typed metadata."; return nullptr; } std::unique_ptr - parse(const ProtobufWkt::Any& d) const override { - ProtobufWkt::StringValue v; + parse(const Protobuf::Any& d) const override { + Protobuf::StringValue v; EXPECT_TRUE(d.UnpackTo(&v)); auto object = std::make_unique(); object->item_ = v.value(); diff --git a/test/integration/filters/stream_info_to_headers_filter.cc b/test/integration/filters/stream_info_to_headers_filter.cc index 3b792c495e65a..2036909af97af 100644 --- a/test/integration/filters/stream_info_to_headers_filter.cc +++ b/test/integration/filters/stream_info_to_headers_filter.cc @@ -18,28 +18,28 @@ std::string toUsec(MonotonicTime time) { return absl::StrCat(time.time_since_epo } // namespace void addValueHeaders(Http::ResponseHeaderMap& headers, std::string key_prefix, - const ProtobufWkt::Value& val) { + const Protobuf::Value& val) { switch (val.kind_case()) { - case ProtobufWkt::Value::kNullValue: + case Protobuf::Value::kNullValue: headers.addCopy(Http::LowerCaseString(key_prefix), "null"); break; - case ProtobufWkt::Value::kNumberValue: + case Protobuf::Value::kNumberValue: headers.addCopy(Http::LowerCaseString(key_prefix), std::to_string(val.number_value())); break; - case ProtobufWkt::Value::kStringValue: + case Protobuf::Value::kStringValue: headers.addCopy(Http::LowerCaseString(key_prefix), val.string_value()); break; - case ProtobufWkt::Value::kBoolValue: + case Protobuf::Value::kBoolValue: headers.addCopy(Http::LowerCaseString(key_prefix), val.bool_value() ? "true" : "false"); break; - case ProtobufWkt::Value::kListValue: { + case Protobuf::Value::kListValue: { const auto& vals = val.list_value().values(); for (auto i = 0; i < vals.size(); ++i) { addValueHeaders(headers, key_prefix + "." + std::to_string(i), vals[i]); } break; } - case ProtobufWkt::Value::kStructValue: + case Protobuf::Value::kStructValue: for (const auto& field : val.struct_value().fields()) { addValueHeaders(headers, key_prefix + "." + field.first, field.second); } diff --git a/test/integration/http_typed_per_filter_config_test.cc b/test/integration/http_typed_per_filter_config_test.cc index 6c9ceaf468835..95b7bd7bf6515 100644 --- a/test/integration/http_typed_per_filter_config_test.cc +++ b/test/integration/http_typed_per_filter_config_test.cc @@ -41,7 +41,7 @@ TEST_F(HTTPTypedPerFilterConfigTest, RejectUnknownHttpFilterInTypedPerFilterConf hcm) { auto* virtual_host = hcm.mutable_route_config()->mutable_virtual_hosts(0); auto* config = virtual_host->mutable_typed_per_filter_config(); - (*config)["filter.unknown"].PackFrom(Envoy::ProtobufWkt::Struct()); + (*config)["filter.unknown"].PackFrom(Envoy::Protobuf::Struct()); }); EXPECT_DEATH(initialize(), "Didn't find a registered implementation for 'filter.unknown' with type URL: " @@ -57,7 +57,7 @@ TEST_F(HTTPTypedPerFilterConfigTest, IgnoreUnknownOptionalHttpFilterInTypedPerFi envoy::config::route::v3::FilterConfig filter_config; filter_config.set_is_optional(true); - filter_config.mutable_config()->PackFrom(Envoy::ProtobufWkt::Struct()); + filter_config.mutable_config()->PackFrom(Envoy::Protobuf::Struct()); (*config)["filter.unknown"].PackFrom(filter_config); auto* filter = hcm.mutable_http_filters()->Add(); diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc index 7ad6ea4cf36cc..b1e66223ebed6 100644 --- a/test/integration/integration_test.cc +++ b/test/integration/integration_test.cc @@ -171,7 +171,7 @@ class TestConnectionBalanceFactory : public Network::ConnectionBalanceFactory { public: ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom empty config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } Network::ConnectionBalancerSharedPtr createConnectionBalancerFromProto(const Protobuf::Message&, @@ -2470,7 +2470,7 @@ class TestRetryOptionsPredicateFactory : public Upstream::RetryOptionsPredicateF ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom empty config proto. This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "test_retry_options_predicate_factory"; } diff --git a/test/integration/listener_lds_integration_test.cc b/test/integration/listener_lds_integration_test.cc index 8c01a129627d6..ceb4d5692e18c 100644 --- a/test/integration/listener_lds_integration_test.cc +++ b/test/integration/listener_lds_integration_test.cc @@ -1739,7 +1739,7 @@ class RebalancerTest : public testing::TestWithParamPackFrom(ProtobufWkt::Struct()); + filter.mutable_typed_config()->PackFrom(Protobuf::Struct()); auto& virtual_listener_config = *bootstrap.mutable_static_resources()->add_listeners(); virtual_listener_config = src_listener_config; virtual_listener_config.mutable_use_original_dst()->set_value(false); diff --git a/test/integration/multiplexed_upstream_integration_test.cc b/test/integration/multiplexed_upstream_integration_test.cc index 62422bfef69b0..a4848e9a179da 100644 --- a/test/integration/multiplexed_upstream_integration_test.cc +++ b/test/integration/multiplexed_upstream_integration_test.cc @@ -862,7 +862,7 @@ class QuicFailHandshakeCryptoServerStreamFactory : public Quic::EnvoyQuicCryptoServerStreamFactoryInterface { public: Envoy::ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "envoy.quic.crypto_stream.server.fail_handshake"; } @@ -901,7 +901,7 @@ TEST_P(MultiplexedUpstreamIntegrationTest, UpstreamDisconnectDuringEarlyData) { envoy::config::listener::v3::QuicProtocolOptions options; auto* crypto_stream_config = options.mutable_crypto_stream_config(); crypto_stream_config->set_name("envoy.quic.crypto_stream.server.fail_handshake"); - crypto_stream_config->mutable_typed_config()->PackFrom(ProtobufWkt::Struct()); + crypto_stream_config->mutable_typed_config()->PackFrom(Protobuf::Struct()); mergeOptions(options); initialize(); diff --git a/test/integration/rtds_integration_test.cc b/test/integration/rtds_integration_test.cc index 377422073d6b0..c245b15f68843 100644 --- a/test/integration/rtds_integration_test.cc +++ b/test/integration/rtds_integration_test.cc @@ -286,9 +286,9 @@ TEST_P(RtdsIntegrationTest, RtdsUpdate) { )EOF"); // Use the Resource wrapper no matter if it is Sotw or Delta. - sendDiscoveryResponse( - Config::TestTypeUrl::get().Runtime, {some_rtds_layer}, {some_rtds_layer}, {}, "1", - {{"test", ProtobufWkt::Any()}}); + sendDiscoveryResponse(Config::TestTypeUrl::get().Runtime, + {some_rtds_layer}, {some_rtds_layer}, + {}, "1", {{"test", Protobuf::Any()}}); test_server_->waitForCounterGe("runtime.load_success", initial_load_success_ + 1); EXPECT_EQ("bar", getRuntimeKey("foo")); diff --git a/test/integration/tcp_conn_pool_integration_test.cc b/test/integration/tcp_conn_pool_integration_test.cc index 0aa2e61343555..5bf016e8a888e 100644 --- a/test/integration/tcp_conn_pool_integration_test.cc +++ b/test/integration/tcp_conn_pool_integration_test.cc @@ -98,7 +98,7 @@ class TestFilterConfigFactory : public Server::Configuration::NamedNetworkFilter ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { CONSTRUCT_ON_FIRST_USE(std::string, "envoy.test.router"); } diff --git a/test/integration/tcp_proxy_integration_test.cc b/test/integration/tcp_proxy_integration_test.cc index a8cfd0790aef6..bc8de62ae98ee 100644 --- a/test/integration/tcp_proxy_integration_test.cc +++ b/test/integration/tcp_proxy_integration_test.cc @@ -1058,9 +1058,9 @@ class TcpProxyMetadataMatchIntegrationTest : public TcpProxyIntegrationTest { envoy::config::core::v3::Metadata TcpProxyMetadataMatchIntegrationTest::lbMetadata(std::map values) { - ProtobufWkt::Struct map; + Protobuf::Struct map; auto* mutable_fields = map.mutable_fields(); - ProtobufWkt::Value value; + Protobuf::Value value; std::map::iterator it; for (it = values.begin(); it != values.end(); it++) { @@ -1314,10 +1314,10 @@ class InjectDynamicMetadata : public Network::ReadFilter { return Network::FilterStatus::StopIteration; } - ProtobufWkt::Value val; + Protobuf::Value val; val.set_string_value(data.toString()); - ProtobufWkt::Struct& map = + Protobuf::Struct& map = (*read_callbacks_->connection() .streamInfo() .dynamicMetadata() diff --git a/test/integration/typed_metadata_integration_test.cc b/test/integration/typed_metadata_integration_test.cc index d49d318c7f50a..256a17de7292b 100644 --- a/test/integration/typed_metadata_integration_test.cc +++ b/test/integration/typed_metadata_integration_test.cc @@ -23,9 +23,9 @@ INSTANTIATE_TEST_SUITE_P(Protocols, ListenerTypedMetadataIntegrationTest, TEST_P(ListenerTypedMetadataIntegrationTest, Hello) { // Add some typed metadata to the listener. - ProtobufWkt::StringValue value; + Protobuf::StringValue value; value.set_value("hello world"); - ProtobufWkt::Any packed_value; + Protobuf::Any packed_value; packed_value.PackFrom(value); config_helper_.addListenerTypedMetadata("test.listener.typed.metadata", packed_value); @@ -77,9 +77,9 @@ TEST_P(ListenerTypedMetadataIntegrationTest, ListenerMetadataPlumbingToAccessLog Registry::InjectFactory factory_register(factory); // Add some typed metadata to the listener. - ProtobufWkt::StringValue value; + Protobuf::StringValue value; value.set_value("hello world"); - ProtobufWkt::Any packed_value; + Protobuf::Any packed_value; packed_value.PackFrom(value); config_helper_.addListenerTypedMetadata("test.listener.typed.metadata", packed_value); diff --git a/test/integration/upstreams/per_host_upstream_config.h b/test/integration/upstreams/per_host_upstream_config.h index 8730d689d1acc..ed3ed2372d8e1 100644 --- a/test/integration/upstreams/per_host_upstream_config.h +++ b/test/integration/upstreams/per_host_upstream_config.h @@ -30,11 +30,11 @@ void addHeader(Envoy::Http::RequestHeaderMap& header_map, absl::string_view head absl::string_view key2) { if (auto filter_metadata = metadata.filter_metadata().find(std::string(key1)); filter_metadata != metadata.filter_metadata().end()) { - const ProtobufWkt::Struct& data_struct = filter_metadata->second; + const Protobuf::Struct& data_struct = filter_metadata->second; const auto& fields = data_struct.fields(); if (auto iter = fields.find(toStdStringView(key2)); // NOLINT(std::string_view) iter != fields.end()) { - if (iter->second.kind_case() == ProtobufWkt::Value::kStringValue) { + if (iter->second.kind_case() == Protobuf::Value::kStringValue) { header_map.setCopy(Envoy::Http::LowerCaseString(std::string(header_name)), iter->second.string_value()); } @@ -111,7 +111,7 @@ class PerHostGenericConnPoolFactory : public Router::GenericConnPoolFactory { } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } }; diff --git a/test/integration/xds_config_tracker_integration_test.cc b/test/integration/xds_config_tracker_integration_test.cc index 8acc3fa99853b..069da0d2037dc 100644 --- a/test/integration/xds_config_tracker_integration_test.cc +++ b/test/integration/xds_config_tracker_integration_test.cc @@ -113,7 +113,7 @@ class TestXdsConfigTrackerFactory : public Config::XdsConfigTrackerFactory { std::string name() const override { return "envoy.config.xds.test_xds_tracker"; }; - Config::XdsConfigTrackerPtr createXdsConfigTracker(const ProtobufWkt::Any&, + Config::XdsConfigTrackerPtr createXdsConfigTracker(const Protobuf::Any&, ProtobufMessage::ValidationVisitor&, Api::Api& api, Event::Dispatcher&) override { return std::make_unique(api.rootScope()); @@ -221,7 +221,7 @@ TEST_P(XdsConfigTrackerIntegrationTest, XdsConfigTrackerSuccessCountWithWrapper) // Add a typed metadata to the Resource wrapper. test::envoy::config::xds::TestTrackerMetadata test_metadata; - ProtobufWkt::Any packed_value; + Protobuf::Any packed_value; packed_value.PackFrom(test_metadata); sendDiscoveryResponse( Config::TestTypeUrl::get().Cluster, {cluster1_, cluster2_}, {cluster1_, cluster2_}, {}, "1", diff --git a/test/integration/xds_delegate_extension_integration_test.cc b/test/integration/xds_delegate_extension_integration_test.cc index b17c8f3c06cab..75e19a2bf5b59 100644 --- a/test/integration/xds_delegate_extension_integration_test.cc +++ b/test/integration/xds_delegate_extension_integration_test.cc @@ -84,7 +84,7 @@ class TestXdsResourcesDelegateFactory : public Config::XdsResourcesDelegateFacto std::string name() const override { return "envoy.config.xds.test_delegate"; }; - Config::XdsResourcesDelegatePtr createXdsResourcesDelegate(const ProtobufWkt::Any&, + Config::XdsResourcesDelegatePtr createXdsResourcesDelegate(const Protobuf::Any&, ProtobufMessage::ValidationVisitor&, Api::Api&, Event::Dispatcher&) override { diff --git a/test/mocks/config/mocks.h b/test/mocks/config/mocks.h index f4cde563ec4aa..ce0331f725539 100644 --- a/test/mocks/config/mocks.h +++ b/test/mocks/config/mocks.h @@ -40,7 +40,7 @@ class MockOpaqueResourceDecoder : public OpaqueResourceDecoder { MockOpaqueResourceDecoder(); ~MockOpaqueResourceDecoder() override; - MOCK_METHOD(ProtobufTypes::MessagePtr, decodeResource, (const ProtobufWkt::Any& resource)); + MOCK_METHOD(ProtobufTypes::MessagePtr, decodeResource, (const Protobuf::Any& resource)); MOCK_METHOD(std::string, resourceName, (const Protobuf::Message& resource)); }; @@ -50,7 +50,7 @@ class MockUntypedConfigUpdateCallbacks : public UntypedConfigUpdateCallbacks { ~MockUntypedConfigUpdateCallbacks() override; MOCK_METHOD(void, onConfigUpdate, - (const Protobuf::RepeatedPtrField& resources, + (const Protobuf::RepeatedPtrField& resources, const std::string& version_info)); MOCK_METHOD(void, onConfigUpdate, diff --git a/test/mocks/http/stateful_session.h b/test/mocks/http/stateful_session.h index 362b34c2db304..846341f34137e 100644 --- a/test/mocks/http/stateful_session.h +++ b/test/mocks/http/stateful_session.h @@ -27,7 +27,7 @@ class MockSessionStateFactoryConfig : public Http::SessionStateFactoryConfig { MockSessionStateFactoryConfig(); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } MOCK_METHOD(SessionStateFactorySharedPtr, createSessionStateFactory, diff --git a/test/mocks/network/mocks.h b/test/mocks/network/mocks.h index 05700f0390528..93ba6f2169ebb 100644 --- a/test/mocks/network/mocks.h +++ b/test/mocks/network/mocks.h @@ -436,8 +436,8 @@ class MockListenerFilterCallbacks : public ListenerFilterCallbacks { MOCK_METHOD(ConnectionSocket&, socket, ()); MOCK_METHOD(Event::Dispatcher&, dispatcher, ()); MOCK_METHOD(void, continueFilterChain, (bool)); - MOCK_METHOD(void, setDynamicMetadata, (const std::string&, const ProtobufWkt::Struct&)); - MOCK_METHOD(void, setDynamicTypedMetadata, (const std::string&, const ProtobufWkt::Any& value)); + MOCK_METHOD(void, setDynamicMetadata, (const std::string&, const Protobuf::Struct&)); + MOCK_METHOD(void, setDynamicTypedMetadata, (const std::string&, const Protobuf::Any& value)); MOCK_METHOD(envoy::config::core::v3::Metadata&, dynamicMetadata, ()); MOCK_METHOD(const envoy::config::core::v3::Metadata&, dynamicMetadata, (), (const)); MOCK_METHOD(StreamInfo::FilterState&, filterState, (), ()); diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index 090607ae1f7f5..f715a0cb79ebe 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -368,7 +368,7 @@ class MockMetadataMatchCriteria : public MetadataMatchCriteria { // Router::MetadataMatchCriteria MOCK_METHOD(const std::vector&, metadataMatchCriteria, (), (const)); - MOCK_METHOD(MetadataMatchCriteriaConstPtr, mergeMatchCriteria, (const ProtobufWkt::Struct&), + MOCK_METHOD(MetadataMatchCriteriaConstPtr, mergeMatchCriteria, (const Protobuf::Struct&), (const)); MOCK_METHOD(MetadataMatchCriteriaConstPtr, filterMatchCriteria, (const std::set&), (const)); @@ -759,7 +759,7 @@ class MockClusterSpecifierPluginFactoryConfig : public ClusterSpecifierPluginFac Server::Configuration::ServerFactoryContext& context)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "envoy.router.cluster_specifier_plugin.mock"; } diff --git a/test/mocks/server/tracer_factory.cc b/test/mocks/server/tracer_factory.cc index 7dcaa39f7ae18..99525eabed8ca 100644 --- a/test/mocks/server/tracer_factory.cc +++ b/test/mocks/server/tracer_factory.cc @@ -13,7 +13,7 @@ using ::testing::Invoke; MockTracerFactory::MockTracerFactory(const std::string& name) : name_(name) { ON_CALL(*this, createEmptyConfigProto()).WillByDefault(Invoke([] { - return std::make_unique(); + return std::make_unique(); })); } diff --git a/test/mocks/stream_info/mocks.h b/test/mocks/stream_info/mocks.h index 93927e4e74974..67bc08f87eb12 100644 --- a/test/mocks/stream_info/mocks.h +++ b/test/mocks/stream_info/mocks.h @@ -142,10 +142,10 @@ class MockStreamInfo : public StreamInfo { MOCK_METHOD(const Router::VirtualHostConstSharedPtr&, virtualHost, (), (const)); MOCK_METHOD(envoy::config::core::v3::Metadata&, dynamicMetadata, ()); MOCK_METHOD(const envoy::config::core::v3::Metadata&, dynamicMetadata, (), (const)); - MOCK_METHOD(void, setDynamicMetadata, (const std::string&, const ProtobufWkt::Struct&)); + MOCK_METHOD(void, setDynamicMetadata, (const std::string&, const Protobuf::Struct&)); MOCK_METHOD(void, setDynamicMetadata, (const std::string&, const std::string&, const std::string&)); - MOCK_METHOD(void, setDynamicTypedMetadata, (const std::string&, const ProtobufWkt::Any& value)); + MOCK_METHOD(void, setDynamicTypedMetadata, (const std::string&, const Protobuf::Any& value)); MOCK_METHOD(const FilterStateSharedPtr&, filterState, ()); MOCK_METHOD(const FilterState&, filterState, (), (const)); MOCK_METHOD(void, setRequestHeaders, (const Http::RequestHeaderMap&)); diff --git a/test/mocks/upstream/cluster_info.h b/test/mocks/upstream/cluster_info.h index bf422346aedd2..1971ebe9d2756 100644 --- a/test/mocks/upstream/cluster_info.h +++ b/test/mocks/upstream/cluster_info.h @@ -71,7 +71,7 @@ class MockUpstreamLocalAddressSelectorFactory : public UpstreamLocalAddressSelec (const)); ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } std::string name() const override { return "mock.upstream.local.address.selector"; } diff --git a/test/mocks/upstream/retry_priority_factory.h b/test/mocks/upstream/retry_priority_factory.h index 158359c22a482..097bd23642a3b 100644 --- a/test/mocks/upstream/retry_priority_factory.h +++ b/test/mocks/upstream/retry_priority_factory.h @@ -23,7 +23,7 @@ class MockRetryPriorityFactory : public RetryPriorityFactory { ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } private: diff --git a/test/mocks/upstream/test_retry_host_predicate_factory.h b/test/mocks/upstream/test_retry_host_predicate_factory.h index b436ae01bcacd..f3ab3228b4f09 100644 --- a/test/mocks/upstream/test_retry_host_predicate_factory.h +++ b/test/mocks/upstream/test_retry_host_predicate_factory.h @@ -19,7 +19,7 @@ class TestRetryHostPredicateFactory : public RetryHostPredicateFactory { ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } }; } // namespace Upstream diff --git a/test/mocks/upstream/typed_load_balancer_factory.h b/test/mocks/upstream/typed_load_balancer_factory.h index a0b9b2b4daed4..1c2c75dd8855c 100644 --- a/test/mocks/upstream/typed_load_balancer_factory.h +++ b/test/mocks/upstream/typed_load_balancer_factory.h @@ -34,7 +34,7 @@ class MockTypedLoadBalancerFactory : public TypedLoadBalancerFactory { ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } }; } // namespace Upstream diff --git a/test/server/admin/admin_test.cc b/test/server/admin/admin_test.cc index d36dbd2b96556..572b30d17a431 100644 --- a/test/server/admin/admin_test.cc +++ b/test/server/admin/admin_test.cc @@ -148,7 +148,7 @@ TEST_P(AdminInstanceTest, Help) { /clusters: upstream cluster status /config_dump: dump current Envoy configs (experimental) resource: The resource to dump - mask: The mask to apply. When both resource and mask are specified, the mask is applied to every element in the desired repeated field so that only a subset of fields are returned. The mask is parsed as a ProtobufWkt::FieldMask + mask: The mask to apply. When both resource and mask are specified, the mask is applied to every element in the desired repeated field so that only a subset of fields are returned. The mask is parsed as a Protobuf::FieldMask name_regex: Dump only the currently loaded configurations whose names match the specified regex. Can be used with both resource and mask query parameters. include_eds: Dump currently loaded configuration including EDS. See the response definition for more information /contention: dump current Envoy mutex contention stats (if enabled) @@ -166,7 +166,7 @@ TEST_P(AdminInstanceTest, Help) { /help: print out list of admin commands /hot_restart_version: print the hot restart compatibility version /init_dump: dump current Envoy init manager information (experimental) - mask: The desired component to dump unready targets. The mask is parsed as a ProtobufWkt::FieldMask. For example, get the unready targets of all listeners with /init_dump?mask=listener` + mask: The desired component to dump unready targets. The mask is parsed as a Protobuf::FieldMask. For example, get the unready targets of all listeners with /init_dump?mask=listener` /listeners: print listener info format: File format to use; One of (text, json) /logging (POST): query/change logging levels diff --git a/test/server/admin/config_dump_handler_test.cc b/test/server/admin/config_dump_handler_test.cc index ecf381ea28124..85fe1e3636328 100644 --- a/test/server/admin/config_dump_handler_test.cc +++ b/test/server/admin/config_dump_handler_test.cc @@ -53,7 +53,7 @@ TEST_P(AdminInstanceTest, ConfigDump) { Buffer::OwnedImpl response2; Http::TestResponseHeaderMapImpl header_map; auto entry = admin_.getConfigTracker().add("foo", [](const Matchers::StringMatcher&) { - auto msg = std::make_unique(); + auto msg = std::make_unique(); msg->set_value("bar"); return msg; }); @@ -77,24 +77,24 @@ TEST_P(AdminInstanceTest, ConfigDumpMaintainsOrder) { // Add configs in random order and validate config_dump dumps in the order. auto bootstrap_entry = admin_.getConfigTracker().add("bootstrap", [](const Matchers::StringMatcher&) { - auto msg = std::make_unique(); + auto msg = std::make_unique(); msg->set_value("bootstrap_config"); return msg; }); auto route_entry = admin_.getConfigTracker().add("routes", [](const Matchers::StringMatcher&) { - auto msg = std::make_unique(); + auto msg = std::make_unique(); msg->set_value("routes_config"); return msg; }); auto listener_entry = admin_.getConfigTracker().add("listeners", [](const Matchers::StringMatcher&) { - auto msg = std::make_unique(); + auto msg = std::make_unique(); msg->set_value("listeners_config"); return msg; }); auto cluster_entry = admin_.getConfigTracker().add("clusters", [](const Matchers::StringMatcher&) { - auto msg = std::make_unique(); + auto msg = std::make_unique(); msg->set_value("clusters_config"); return msg; }); @@ -723,7 +723,7 @@ TEST_P(AdminInstanceTest, ConfigDumpNonExistentResource) { Buffer::OwnedImpl response; Http::TestResponseHeaderMapImpl header_map; auto listeners = admin_.getConfigTracker().add("listeners", [](const Matchers::StringMatcher&) { - auto msg = std::make_unique(); + auto msg = std::make_unique(); msg->set_value("listeners_config"); return msg; }); diff --git a/test/server/admin/config_tracker_impl_test.cc b/test/server/admin/config_tracker_impl_test.cc index 3f0f994fe12f4..a664ddb704419 100644 --- a/test/server/admin/config_tracker_impl_test.cc +++ b/test/server/admin/config_tracker_impl_test.cc @@ -18,7 +18,7 @@ class ConfigTrackerImplTest : public testing::Test { }; } - ProtobufTypes::MessagePtr testMsg() { return std::make_unique(); } + ProtobufTypes::MessagePtr testMsg() { return std::make_unique(); } ~ConfigTrackerImplTest() override = default; diff --git a/test/server/api_listener_test.cc b/test/server/api_listener_test.cc index 9d1bd32235687..697cb166e2de4 100644 --- a/test/server/api_listener_test.cc +++ b/test/server/api_listener_test.cc @@ -122,7 +122,7 @@ name: test_api_listener const envoy::config::listener::v3::Listener config = parseListenerFromV3Yaml(yaml); - ProtobufWkt::Any expected_any_proto; + Protobuf::Any expected_any_proto; envoy::config::cluster::v3::Cluster expected_cluster_proto; expected_cluster_proto.set_name("cluster1"); expected_cluster_proto.set_type(envoy::config::cluster::v3::Cluster::EDS); diff --git a/test/server/filter_config_test.cc b/test/server/filter_config_test.cc index 3161a547348ea..f89d2cfb878cd 100644 --- a/test/server/filter_config_test.cc +++ b/test/server/filter_config_test.cc @@ -46,7 +46,7 @@ TEST(NamedHttpFilterConfigFactoryTest, CreateFilterFactory) { TestHttpFilterConfigFactory factory; const std::string stats_prefix = "foo"; Server::Configuration::MockFactoryContext context; - ProtobufTypes::MessagePtr message{new Envoy::ProtobufWkt::Struct()}; + ProtobufTypes::MessagePtr message{new Envoy::Protobuf::Struct()}; EXPECT_TRUE(factory.createFilterFactoryFromProto(*message, stats_prefix, context).status().ok()); } @@ -55,7 +55,7 @@ TEST(NamedHttpFilterConfigFactoryTest, Dependencies) { TestHttpFilterConfigFactory factory; const std::string stats_prefix = "foo"; Server::Configuration::MockFactoryContext context; - ProtobufTypes::MessagePtr message{new Envoy::ProtobufWkt::Struct()}; + ProtobufTypes::MessagePtr message{new Envoy::Protobuf::Struct()}; EXPECT_TRUE(factory.createFilterFactoryFromProto(*message, stats_prefix, context).status().ok()); diff --git a/test/server/guarddog_impl_test.cc b/test/server/guarddog_impl_test.cc index 2f12ae1d8aeca..bbee03fac2536 100644 --- a/test/server/guarddog_impl_test.cc +++ b/test/server/guarddog_impl_test.cc @@ -579,9 +579,9 @@ class GuardDogActionsTest : public GuardDogTestBase { std::vector actions_; std::vector events_; - RecordGuardDogActionFactory log_factory_; + RecordGuardDogActionFactory log_factory_; Registry::InjectFactory register_log_factory_; - AssertGuardDogActionFactory assert_factory_; + AssertGuardDogActionFactory assert_factory_; Registry::InjectFactory register_assert_factory_; NiceMock fake_stats_; WatchDogSharedPtr first_dog_; diff --git a/test/server/options_impl_test.cc b/test/server/options_impl_test.cc index d6ed5184d9542..7e75a755738aa 100644 --- a/test/server/options_impl_test.cc +++ b/test/server/options_impl_test.cc @@ -666,7 +666,7 @@ class TestFactory : public Config::TypedFactory { ~TestFactory() override = default; std::string category() const override { return "test"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } }; @@ -680,7 +680,7 @@ class TestingFactory : public Config::TypedFactory { ~TestingFactory() override = default; std::string category() const override { return "testing"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return std::make_unique(); + return std::make_unique(); } }; diff --git a/test/server/overload_manager_impl_test.cc b/test/server/overload_manager_impl_test.cc index 663751cfed182..45298779af956 100644 --- a/test/server/overload_manager_impl_test.cc +++ b/test/server/overload_manager_impl_test.cc @@ -231,11 +231,11 @@ class OverloadManagerImplTest : public testing::Test { options_, creation_status); } - FakeResourceMonitorFactory factory1_; - FakeResourceMonitorFactory factory2_; - FakeResourceMonitorFactory factory3_; - FakeResourceMonitorFactory factory4_; - FakeProactiveResourceMonitorFactory factory5_; + FakeResourceMonitorFactory factory1_; + FakeResourceMonitorFactory factory2_; + FakeResourceMonitorFactory factory3_; + FakeResourceMonitorFactory factory4_; + FakeProactiveResourceMonitorFactory factory5_; Registry::InjectFactory register_factory1_; Registry::InjectFactory register_factory2_; Registry::InjectFactory register_factory3_; diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 9b69532160bc4..8c1a81b05e3e4 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -432,7 +432,7 @@ class CustomStatsSinkFactory : public Server::Configuration::StatsSinkFactory { ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "envoy.custom_stats_sink"; } @@ -1598,7 +1598,7 @@ TEST_P(ServerInstanceImplTest, WithFatalActions) { // Inject Unsafe Factory NiceMock mock_unsafe_factory; EXPECT_CALL(mock_unsafe_factory, createEmptyConfigProto()).WillRepeatedly(Invoke([]() { - return std::make_unique(); + return std::make_unique(); })); EXPECT_CALL(mock_unsafe_factory, name()).WillRepeatedly(Return("envoy_test.fatal_action.unsafe")); @@ -1724,7 +1724,7 @@ class CallbacksStatsSinkFactory : public Server::Configuration::StatsSinkFactory ProtobufTypes::MessagePtr createEmptyConfigProto() override { // Using Struct instead of a custom per-filter empty config proto // This is only allowed in tests. - return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()}; + return ProtobufTypes::MessagePtr{new Envoy::Protobuf::Struct()}; } std::string name() const override { return "envoy.callbacks_stats_sink"; } diff --git a/test/test_common/test_runtime.h b/test/test_common/test_runtime.h index 189c341d43adc..98e39503af454 100644 --- a/test/test_common/test_runtime.h +++ b/test/test_common/test_runtime.h @@ -76,10 +76,10 @@ class TestScopedStaticReloadableFeaturesRuntime { // Set up runtime. auto* runtime = config.add_layers(); runtime->set_name("test_static_layer_test_runtime"); - ProtobufWkt::Struct envoy_layer; - ProtobufWkt::Struct& runtime_values = + Protobuf::Struct envoy_layer; + Protobuf::Struct& runtime_values = *(*envoy_layer.mutable_fields())["envoy"].mutable_struct_value(); - ProtobufWkt::Struct& flags = + Protobuf::Struct& flags = *(*runtime_values.mutable_fields())["reloadable_features"].mutable_struct_value(); for (const auto& [key, value] : values) { (*flags.mutable_fields())[key].set_bool_value(value); diff --git a/test/test_common/utility.h b/test/test_common/utility.h index 0ce51e09ecc03..8192ae549d94d 100644 --- a/test/test_common/utility.h +++ b/test/test_common/utility.h @@ -645,8 +645,7 @@ class TestUtility { */ static std::string nonZeroedGauges(const std::vector& gauges); - template - static inline MessageType anyConvert(const ProtobufWkt::Any& message) { + template static inline MessageType anyConvert(const Protobuf::Any& message) { return MessageUtil::anyConvert(message); } @@ -702,7 +701,7 @@ class TestUtility { template static Config::DecodedResourcesWrapper - decodeResources(const Protobuf::RepeatedPtrField& resources, + decodeResources(const Protobuf::RepeatedPtrField& resources, const std::string& version, const std::string& name_field = "name") { TestOpaqueResourceDecoderImpl resource_decoder(name_field); std::unique_ptr tmp_wrapper = @@ -765,8 +764,8 @@ class TestUtility { #ifdef ENVOY_ENABLE_YAML /** - * Compare two JSON strings serialized from ProtobufWkt::Struct for equality. When two identical - * ProtobufWkt::Struct are serialized into JSON strings, the results have the same set of + * Compare two JSON strings serialized from Protobuf::Struct for equality. When two identical + * Protobuf::Struct are serialized into JSON strings, the results have the same set of * properties (values), but the positions may be different. * * @param lhs JSON string on LHS. @@ -799,7 +798,7 @@ class TestUtility { MessageUtil::loadFromJson(json, message, ProtobufMessage::getStrictValidationVisitor()); } - static void loadFromJson(const std::string& json, ProtobufWkt::Struct& message) { + static void loadFromJson(const std::string& json, Protobuf::Struct& message) { MessageUtil::loadFromJson(json, message); } @@ -815,22 +814,22 @@ class TestUtility { static void jsonConvert(const Protobuf::Message& source, Protobuf::Message& dest) { // Explicit round-tripping to support conversions inside tests between arbitrary messages as a // convenience. - ProtobufWkt::Struct tmp; + Protobuf::Struct tmp; MessageUtil::jsonConvert(source, tmp); MessageUtil::jsonConvert(tmp, ProtobufMessage::getStrictValidationVisitor(), dest); } - static ProtobufWkt::Struct jsonToStruct(const std::string& json) { - ProtobufWkt::Struct message; + static Protobuf::Struct jsonToStruct(const std::string& json) { + Protobuf::Struct message; MessageUtil::loadFromJson(json, message); return message; } - static ProtobufWkt::Struct jsonArrayToStruct(const std::string& json) { + static Protobuf::Struct jsonArrayToStruct(const std::string& json) { // Hacky: add a surrounding root message, allowing JSON to be parsed into a struct. std::string root_message = absl::StrCat("{ \"testOnlyArrayRoot\": ", json, "}"); - ProtobufWkt::Struct message; + Protobuf::Struct message; MessageUtil::loadFromJson(root_message, message); return message; } diff --git a/test/test_common/wasm_base.h b/test/test_common/wasm_base.h index d066de36d46e1..2269d83d56329 100644 --- a/test/test_common/wasm_base.h +++ b/test/test_common/wasm_base.h @@ -76,7 +76,7 @@ template class WasmTestBase : public Base { auto vm_config = plugin_config.mutable_vm_config(); vm_config->set_vm_id("vm_id"); vm_config->set_runtime(absl::StrCat("envoy.wasm.runtime.", runtime)); - ProtobufWkt::StringValue vm_configuration_string; + Protobuf::StringValue vm_configuration_string; vm_configuration_string.set_value(vm_configuration_); vm_config->mutable_configuration()->PackFrom(vm_configuration_string); vm_config->mutable_code()->mutable_local()->set_inline_bytes(code); diff --git a/test/tools/router_check/router.cc b/test/tools/router_check/router.cc index 26cf81a734abd..41d80b2e40e44 100644 --- a/test/tools/router_check/router.cc +++ b/test/tools/router_check/router.cc @@ -253,7 +253,7 @@ void RouterCheckTool::applyDynamicMetadata( mut_untyped_metadata[metadata_namespace] = metadata.value(); } else if (metadata.allow_overwrite()) { // Get the existing metadata at this key for merging. - ProtobufWkt::Struct& orig_fields = mut_untyped_metadata[metadata_namespace]; + Protobuf::Struct& orig_fields = mut_untyped_metadata[metadata_namespace]; const auto& to_merge = metadata.value(); // Merge the new metadata into the existing metadata. diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 8ab23f648103b..245920af2d934 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -414,17 +414,6 @@ replacements: "absl::make_unique<": "std::make_unique<" protobuf_type_errors: - # Well-known types should be referenced from the ProtobufWkt namespace. - "Protobuf::Any": "ProtobufWkt::Any" - "Protobuf::Empty": "ProtobufWkt::Empty" - "Protobuf::ListValue": "ProtobufWkt::ListValue" - "Protobuf::NULL_VALUE": "ProtobufWkt::NULL_VALUE" - "Protobuf::StringValue": "ProtobufWkt::StringValue" - "Protobuf::Struct": "ProtobufWkt::Struct" - "Protobuf::Value": "ProtobufWkt::Value" - # Other common mis-namespacing of protobuf types. - "ProtobufWkt::Map": "Protobuf::Map" - "ProtobufWkt::MapPair": "Protobuf::MapPair" "ProtobufUtil::MessageDifferencer": "Protobuf::util::MessageDifferencer" include_angle: "#include <" diff --git a/tools/testdata/check_format/proto_style.cc b/tools/testdata/check_format/proto_style.cc index 670bcbe6d2254..52fc3d8b60ed2 100644 --- a/tools/testdata/check_format/proto_style.cc +++ b/tools/testdata/check_format/proto_style.cc @@ -8,8 +8,8 @@ Protobuf::StringValue stringvalue; Protobuf::Struct struct; Protobuf::Value value; Protobuf::MapPair mappair; -ProtobufWkt::Map map; -ProtobufWkt::MapPair mappair; +Protobuf::Map map; +Protobuf::MapPair mappair; ProtobufUtil::MessageDifferencer messagedifferencer; } // namespace Envoy diff --git a/tools/testdata/check_format/proto_style.cc.gold b/tools/testdata/check_format/proto_style.cc.gold index 0f1dc985d72b9..67935d4d9bd5f 100644 --- a/tools/testdata/check_format/proto_style.cc.gold +++ b/tools/testdata/check_format/proto_style.cc.gold @@ -1,12 +1,12 @@ namespace Envoy { -ProtobufWkt::Any any; -ProtobufWkt::Empty empty; -ProtobufWkt::ListValue list_value; -ProtobufWkt::Value value = ProtobufWkt::NULL_VALUE; -ProtobufWkt::StringValue stringvalue; -ProtobufWkt::Struct struct; -ProtobufWkt::Value value; +Protobuf::Any any; +Protobuf::Empty empty; +Protobuf::ListValue list_value; +Protobuf::Value value = Protobuf::NULL_VALUE; +Protobuf::StringValue stringvalue; +Protobuf::Struct struct; +Protobuf::Value value; Protobuf::MapPair mappair; Protobuf::Map map; Protobuf::MapPair mappair; From c55a1ed88ee2784872440435cc861be46aba9be4 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 14 Aug 2025 19:20:49 -0400 Subject: [PATCH 229/505] Add missing includes (#40722) Prep for future QUICHE update. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/quic/envoy_quic_client_stream.cc | 1 + source/common/quic/envoy_quic_server_stream.cc | 1 + 2 files changed, 2 insertions(+) diff --git a/source/common/quic/envoy_quic_client_stream.cc b/source/common/quic/envoy_quic_client_stream.cc index e7be876045555..841547dc781b3 100644 --- a/source/common/quic/envoy_quic_client_stream.cc +++ b/source/common/quic/envoy_quic_client_stream.cc @@ -14,6 +14,7 @@ #include "quiche/common/http/http_header_block.h" #include "quiche/quic/core/http/quic_header_list.h" #include "quiche/quic/core/quic_session.h" +#include "quiche/quic/core/quic_types.h" namespace Envoy { namespace Quic { diff --git a/source/common/quic/envoy_quic_server_stream.cc b/source/common/quic/envoy_quic_server_stream.cc index c65c900e50bd3..08583f3ee00e5 100644 --- a/source/common/quic/envoy_quic_server_stream.cc +++ b/source/common/quic/envoy_quic_server_stream.cc @@ -19,6 +19,7 @@ #include "quiche/common/http/http_header_block.h" #include "quiche/quic/core/http/quic_header_list.h" #include "quiche/quic/core/quic_session.h" +#include "quiche/quic/core/quic_types.h" #include "quiche_platform_impl/quiche_mem_slice_impl.h" namespace Envoy { From e180b62c439d1f10ee114a1c5aaecf19a0252c28 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 14 Aug 2025 19:49:07 -0400 Subject: [PATCH 230/505] cleanup: Remove unused dependency (#40723) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../http/proto_message_extraction/extraction_util/BUILD | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/BUILD b/source/extensions/filters/http/proto_message_extraction/extraction_util/BUILD index 3e43405088b0e..e44f22d9a3f6c 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/BUILD +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/BUILD @@ -15,7 +15,6 @@ envoy_cc_library( ], deps = [ "//source/common/protobuf", - "//source/common/protobuf:cc_wkt_protos", "@com_google_absl//absl/container:flat_hash_map", "@com_google_protofieldextraction//:all_libs", ], @@ -34,7 +33,6 @@ envoy_cc_library( ":proto_extractor_interface", "//source/common/common:regex_lib", "//source/common/protobuf", - "//source/common/protobuf:cc_wkt_protos", "@com_google_protoconverter//:all", "@com_google_protofieldextraction//:all_libs", "@com_google_protoprocessinglib//proto_processing_lib/proto_scrubber", @@ -54,7 +52,6 @@ envoy_cc_library( ":proto_extractor_interface", "//source/common/common:regex_lib", "//source/common/protobuf", - "//source/common/protobuf:cc_wkt_protos", "@com_google_protoconverter//:all", "@com_google_protofieldextraction//:all_libs", "@com_google_protoprocessinglib//proto_processing_lib/proto_scrubber", From ca2cc3d59fdb6744bb555f136071194ec261be6a Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 14 Aug 2025 20:26:28 -0400 Subject: [PATCH 231/505] cleanup: Remove unused headers (#40721) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/router/BUILD | 13 +------------ source/common/router/router.cc | 7 +------ source/common/router/router.h | 12 +----------- 3 files changed, 3 insertions(+), 29 deletions(-) diff --git a/source/common/router/BUILD b/source/common/router/BUILD index d56ce3b5e208a..1a1f91f67c810 100644 --- a/source/common/router/BUILD +++ b/source/common/router/BUILD @@ -358,42 +358,35 @@ envoy_cc_library( "upstream_request.h", ], deps = [ - ":config_lib", ":context_lib", ":debug_config_lib", ":header_parser_lib", + ":metadatamatchcriteria_lib", ":retry_state_lib", ":upstream_codec_filter_lib", "//envoy/event:dispatcher_interface", "//envoy/event:timer_interface", "//envoy/grpc:status", - "//envoy/http:codec_interface", "//envoy/http:codes_interface", "//envoy/http:conn_pool_interface", "//envoy/http:filter_factory_interface", "//envoy/http:filter_interface", - "//envoy/http:stateful_session_interface", "//envoy/local_info:local_info_interface", "//envoy/router:router_filter_interface", "//envoy/router:shadow_writer_interface", "//envoy/runtime:runtime_interface", "//envoy/server:factory_context_interface", - "//envoy/server:filter_config_interface", "//envoy/stats:stats_interface", "//envoy/stats:stats_macros", "//envoy/upstream:cluster_manager_interface", "//envoy/upstream:upstream_interface", "//source/common/access_log:access_log_lib", - "//source/common/buffer:watermark_buffer_lib", "//source/common/common:assert_lib", "//source/common/common:cleanup_lib", - "//source/common/common:empty_string", "//source/common/common:enum_to_int", "//source/common/common:hash_lib", "//source/common/common:hex_lib", - "//source/common/common:linked_object", "//source/common/common:minimal_logger_lib", - "//source/common/common:scope_tracker", "//source/common/common:utility_lib", "//source/common/config:utility_lib", "//source/common/grpc:common_lib", @@ -405,15 +398,11 @@ envoy_cc_library( "//source/common/http:message_lib", "//source/common/http:sidestream_watermark_lib", "//source/common/http:utility_lib", - "//source/common/network:application_protocol_lib", - "//source/common/network:socket_option_factory_lib", "//source/common/network:transport_socket_options_lib", "//source/common/network:upstream_socket_options_filter_state_lib", "//source/common/orca:orca_load_metrics_lib", "//source/common/orca:orca_parser", - "//source/common/stream_info:stream_info_lib", "//source/common/stream_info:uint32_accessor_lib", - "//source/common/tracing:http_tracer_lib", "//source/common/upstream:load_balancer_context_base_lib", "//source/common/upstream:upstream_factory_context_lib", "//source/extensions/common/proxy_protocol:proxy_protocol_header_lib", diff --git a/source/common/router/router.cc b/source/common/router/router.cc index dcc50543044ef..b3d24c1d23a4f 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -16,11 +16,10 @@ #include "envoy/upstream/health_check_host_monitor.h" #include "envoy/upstream/upstream.h" +#include "source/common/access_log/access_log_impl.h" #include "source/common/common/assert.h" #include "source/common/common/cleanup.h" -#include "source/common/common/empty_string.h" #include "source/common/common/enum_to_int.h" -#include "source/common/common/scope_tracker.h" #include "source/common/common/utility.h" #include "source/common/config/utility.h" #include "source/common/grpc/common.h" @@ -29,20 +28,16 @@ #include "source/common/http/headers.h" #include "source/common/http/message_impl.h" #include "source/common/http/utility.h" -#include "source/common/network/application_protocol.h" -#include "source/common/network/socket_option_factory.h" #include "source/common/network/transport_socket_options_impl.h" #include "source/common/network/upstream_server_name.h" #include "source/common/network/upstream_socket_options_filter_state.h" #include "source/common/network/upstream_subject_alt_names.h" #include "source/common/orca/orca_load_metrics.h" #include "source/common/orca/orca_parser.h" -#include "source/common/router/config_impl.h" #include "source/common/router/debug_config.h" #include "source/common/router/retry_state_impl.h" #include "source/common/runtime/runtime_features.h" #include "source/common/stream_info/uint32_accessor_impl.h" -#include "source/common/tracing/http_tracer_impl.h" namespace Envoy { namespace Router { diff --git a/source/common/router/router.h b/source/common/router/router.h index 11351a9256eab..6bf68b48876a7 100644 --- a/source/common/router/router.h +++ b/source/common/router/router.h @@ -4,45 +4,35 @@ #include #include #include -#include #include #include "envoy/common/random_generator.h" #include "envoy/extensions/filters/http/router/v3/router.pb.h" -#include "envoy/http/codec.h" #include "envoy/http/codes.h" #include "envoy/http/filter.h" #include "envoy/http/filter_factory.h" #include "envoy/http/hash_policy.h" -#include "envoy/http/stateful_session.h" #include "envoy/local_info/local_info.h" #include "envoy/router/router_filter_interface.h" #include "envoy/router/shadow_writer.h" #include "envoy/runtime/runtime.h" #include "envoy/server/factory_context.h" -#include "envoy/server/filter_config.h" #include "envoy/stats/scope.h" #include "envoy/stats/stats_macros.h" #include "envoy/stream_info/stream_info.h" #include "envoy/upstream/cluster_manager.h" -#include "source/common/access_log/access_log_impl.h" -#include "source/common/buffer/watermark_buffer.h" -#include "source/common/common/cleanup.h" #include "source/common/common/hash.h" #include "source/common/common/hex.h" -#include "source/common/common/linked_object.h" #include "source/common/common/logger.h" -#include "source/common/config/utility.h" #include "source/common/config/well_known_names.h" #include "source/common/http/filter_chain_helper.h" #include "source/common/http/sidestream_watermark.h" #include "source/common/http/utility.h" -#include "source/common/router/config_impl.h" #include "source/common/router/context_impl.h" +#include "source/common/router/metadatamatchcriteria_impl.h" #include "source/common/router/upstream_request.h" #include "source/common/stats/symbol_table.h" -#include "source/common/stream_info/stream_info_impl.h" #include "source/common/upstream/load_balancer_context_base.h" #include "source/common/upstream/upstream_factory_context_impl.h" From 45c37454c7acea764b5bdae2490da9dd81c1e088 Mon Sep 17 00:00:00 2001 From: Kuat Date: Thu, 14 Aug 2025 18:43:54 -0700 Subject: [PATCH 232/505] stats: metric expiry (#40395) Change-Id: If3a45283b13cfda7d4f9a7bb661a1573f552ed7e Commit Message: Introduce mark and sweep eviction of stale metrics in a stats scope. Additional Description: The intended use case is the high cardinality metrics generated from the request data (e.g. [Istio standard metrics](https://istio.io/latest/docs/reference/config/metrics/)). This in combination with the cardinality bounds (future PR) would ensure bounded metric resource usage. The algorithm works as follows: 1. An "evictable" scope is allocated by a filter. 2. A delta stats sink is configured, e.g. OTLP. 3. At every flush interval, a scope metric that is used (e.g. has observed a data point) is marked as unused. A metric that has not been used is deleted from the central caches. 4. A notification is sent to all workers to purge scope stale metrics from their thread-local caches. 5. Once all workers complete, the unused metrics are purged from the allocator. There are several edge conditions that need to be explained to validate correctness of this algorithm: 1. A worker attempting to use a stale metric after (3) but before (4) might have its data lost. It will not be lost if 1) the same metric is recreated in the central cache by another worker since all metrics are uniquely indexed in the allocators; or 2) we implement deferred allocator deletions to await for the flush operation. 2. A worker should not use a stored stale metric after (4). This requires that workers to not store the metrics by reference (hence, this solution will not work for most xDS metrics). Thread local cache references are always deleted before the storage is deleted. 3. Histograms are handled slightly different because the parent histogram needs to be "merged" to observe usage, and clearing the usage requires updating all "children" histograms. Because we do this during flush, merging is always done first. 4. A metric that is re-created after eviction would continue having its start time set as the original metric. This is a limitation of Envoy since it does not store the metric start times, but it is not an issue with delta aggregation in OTLP. Delta is the recommended protocol for handling high cardinality or sparse metric data. We could add start_time in a follow-up. Risk Level: low, requires explicit usage Testing: unit and a load test with Istio Proxy Docs Changes: none Release Notes: none --------- Signed-off-by: Kuat Yessenov --- api/envoy/config/bootstrap/v3/bootstrap.proto | 10 +- changelogs/current.yaml | 6 + envoy/server/configuration.h | 5 + envoy/stats/scope.h | 8 +- envoy/stats/stats.h | 5 + envoy/stats/store.h | 9 +- source/common/stats/allocator_impl.cc | 1 + source/common/stats/histogram_impl.h | 2 + source/common/stats/isolated_store_impl.cc | 6 +- source/common/stats/isolated_store_impl.h | 8 +- source/common/stats/null_counter.h | 1 + source/common/stats/null_gauge.h | 1 + source/common/stats/null_text_readout.h | 1 + source/common/stats/thread_local_store.cc | 127 +++++++++++++++++- source/common/stats/thread_local_store.h | 16 ++- source/server/configuration_impl.cc | 8 ++ source/server/configuration_impl.h | 2 + source/server/server.cc | 6 + source/server/server.h | 4 + test/common/stats/thread_local_store_test.cc | 80 +++++++++++ test/integration/server.h | 16 ++- test/mocks/server/server_factory_context.h | 1 + test/mocks/stats/mocks.h | 8 +- test/server/configuration_impl_test.cc | 29 ++++ test/server/server_test.cc | 32 +++++ .../server/stats_evict_bootstrap.yaml | 11 ++ 26 files changed, 380 insertions(+), 23 deletions(-) create mode 100644 test/server/test_data/server/stats_evict_bootstrap.yaml diff --git a/api/envoy/config/bootstrap/v3/bootstrap.proto b/api/envoy/config/bootstrap/v3/bootstrap.proto index bf65f3df45c47..28b1eba6680ef 100644 --- a/api/envoy/config/bootstrap/v3/bootstrap.proto +++ b/api/envoy/config/bootstrap/v3/bootstrap.proto @@ -41,7 +41,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // ` for more detail. // Bootstrap :ref:`configuration overview `. -// [#next-free-field: 42] +// [#next-free-field: 43] message Bootstrap { option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Bootstrap"; @@ -230,6 +230,14 @@ message Bootstrap { bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}]; } + oneof stats_eviction { + // Optional duration to perform metric eviction. At every interval, during the stats flush + // the unused metrics are removed from the worker caches and the used metrics + // are marked as unused. Must be a multiple of the ``stats_flush_interval``. + google.protobuf.Duration stats_eviction_interval = 42 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + } + // Optional watchdog configuration. // This is for a single watchdog configuration for the entire system. // Deprecated in favor of ``watchdogs`` which has finer granularity. diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 25d3603fe0302..1e82649d226cd 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -145,6 +145,12 @@ removed_config_or_runtime: Removed runtime guard ``envoy.reloadable_features.proxy_104`` and legacy code paths. new_features: +- area: stats + change: | + Added support to remove unused metrics from memory for extensions that + support evictable metrics. This is done :ref:`periodically + ` + during the metric flush. - area: quic change: | Added new option to support :ref:`base64 encoded server ID diff --git a/envoy/server/configuration.h b/envoy/server/configuration.h index 4c18b49054270..9da04d1ac7012 100644 --- a/envoy/server/configuration.h +++ b/envoy/server/configuration.h @@ -89,6 +89,11 @@ class StatsConfig { * @return true if deferred creation of stats is enabled. */ virtual bool enableDeferredCreationStats() const PURE; + + /** + * @return uint32_t a multiple of the flush interval to perform stats eviction, or 0 if disabled. + */ + virtual uint32_t evictOnFlush() const PURE; }; /** diff --git a/envoy/stats/scope.h b/envoy/stats/scope.h index 1116281d93026..e76582b34c430 100644 --- a/envoy/stats/scope.h +++ b/envoy/stats/scope.h @@ -71,8 +71,10 @@ class Scope : public std::enable_shared_from_this { * See also scopeFromStatName, which is preferred. * * @param name supplies the scope's namespace prefix. + * @param evictable whether unused metrics can be deleted from the scope caches. This requires + * that the metrics are not stored by reference. */ - virtual ScopeSharedPtr createScope(const std::string& name) PURE; + virtual ScopeSharedPtr createScope(const std::string& name, bool evictable = false) PURE; /** * Allocate a new scope. NOTE: The implementation should correctly handle overlapping scopes @@ -80,8 +82,10 @@ class Scope : public std::enable_shared_from_this { * gracefully swapped in while an old scope with the same name is being destroyed. * * @param name supplies the scope's namespace prefix. + * @param evictable whether unused metrics can be deleted from the scope caches. This requires + * that the metrics are not stored by reference. */ - virtual ScopeSharedPtr scopeFromStatName(StatName name) PURE; + virtual ScopeSharedPtr scopeFromStatName(StatName name, bool evictable = false) PURE; /** * Creates a Counter from the stat name. Tag extraction will be performed on the name. diff --git a/envoy/stats/stats.h b/envoy/stats/stats.h index 5d5b1f58c80cb..a8307baf836dd 100644 --- a/envoy/stats/stats.h +++ b/envoy/stats/stats.h @@ -93,6 +93,11 @@ class Metric : public RefcountInterface { */ virtual bool used() const PURE; + /** + * Clear any indicator on whether this metric has been updated. + */ + virtual void markUnused() PURE; + /** * Indicates whether this metric is hidden. */ diff --git a/envoy/stats/store.h b/envoy/stats/store.h index ff1c6a08c53e0..306cef4c5a9b0 100644 --- a/envoy/stats/store.h +++ b/envoy/stats/store.h @@ -117,6 +117,11 @@ class Store { virtual void forEachHistogram(SizeFn f_size, StatFn f_stat) const PURE; virtual void forEachScope(SizeFn f_size, StatFn f_stat) const PURE; + /** + * Delete unused metrics from all the evictable scope caches, and mark the rest as unused. + */ + virtual void evictUnused() PURE; + /** * @return a null counter that will ignore increments and always return 0. */ @@ -172,7 +177,9 @@ class Store { /** * @return a scope of the given name. */ - ScopeSharedPtr createScope(const std::string& name) { return rootScope()->createScope(name); } + ScopeSharedPtr createScope(const std::string& name, bool evictable = false) { + return rootScope()->createScope(name, evictable); + } /** * Extracts tags from the name and appends them to the provided StatNameTagVector. diff --git a/source/common/stats/allocator_impl.cc b/source/common/stats/allocator_impl.cc index c8c6905f4f481..963279a96ca9e 100644 --- a/source/common/stats/allocator_impl.cc +++ b/source/common/stats/allocator_impl.cc @@ -85,6 +85,7 @@ template class StatsSharedImpl : public MetricImpl // Metric SymbolTable& symbolTable() final { return alloc_.symbolTable(); } bool used() const override { return flags_ & Metric::Flags::Used; } + void markUnused() override { flags_ &= ~Metric::Flags::Used; } bool hidden() const override { return flags_ & Metric::Flags::Hidden; } // RefcountInterface diff --git a/source/common/stats/histogram_impl.h b/source/common/stats/histogram_impl.h index 3b30f1b289df7..80718294b7856 100644 --- a/source/common/stats/histogram_impl.h +++ b/source/common/stats/histogram_impl.h @@ -111,6 +111,7 @@ class HistogramImpl : public HistogramImplHelper { void recordValue(uint64_t value) override { parent_.deliverHistogramToSinks(*this, value); } bool used() const override { return true; } + void markUnused() override {} bool hidden() const override { return false; } SymbolTable& symbolTable() final { return parent_.symbolTable(); } @@ -132,6 +133,7 @@ class NullHistogramImpl : public HistogramImplHelper { ~NullHistogramImpl() override { MetricImpl::clear(symbol_table_); } bool used() const override { return false; } + void markUnused() override {} bool hidden() const override { return false; } SymbolTable& symbolTable() override { return symbol_table_; } diff --git a/source/common/stats/isolated_store_impl.cc b/source/common/stats/isolated_store_impl.cc index 9b4097971eef5..d070a996a1f39 100644 --- a/source/common/stats/isolated_store_impl.cc +++ b/source/common/stats/isolated_store_impl.cc @@ -63,12 +63,12 @@ ConstScopeSharedPtr IsolatedStoreImpl::constRootScope() const { IsolatedStoreImpl::~IsolatedStoreImpl() = default; -ScopeSharedPtr IsolatedScopeImpl::createScope(const std::string& name) { +ScopeSharedPtr IsolatedScopeImpl::createScope(const std::string& name, bool) { StatNameManagedStorage stat_name_storage(Utility::sanitizeStatsName(name), symbolTable()); - return scopeFromStatName(stat_name_storage.statName()); + return scopeFromStatName(stat_name_storage.statName(), false); } -ScopeSharedPtr IsolatedScopeImpl::scopeFromStatName(StatName name) { +ScopeSharedPtr IsolatedScopeImpl::scopeFromStatName(StatName name, bool) { SymbolTable::StoragePtr prefix_name_storage = symbolTable().join({prefix(), name}); ScopeSharedPtr scope = store_.makeScope(StatName(prefix_name_storage.get())); addScopeToStore(scope); diff --git a/source/common/stats/isolated_store_impl.h b/source/common/stats/isolated_store_impl.h index 84ea935102b98..76c3d364bf77b 100644 --- a/source/common/stats/isolated_store_impl.h +++ b/source/common/stats/isolated_store_impl.h @@ -203,6 +203,10 @@ class IsolatedStoreImpl : public Store { } } + void evictUnused() override { + // Do nothing. Eviction is only supported on the thread local stores. + } + void forEachSinkedCounter(SizeFn f_size, StatFn f_stat) const override { forEachCounter(f_size, f_stat); } @@ -295,8 +299,8 @@ class IsolatedScopeImpl : public Scope { StatNameTagVectorOptConstRef tags) override { return store_.counters_.get(prefix(), name, tags, symbolTable()); } - ScopeSharedPtr createScope(const std::string& name) override; - ScopeSharedPtr scopeFromStatName(StatName name) override; + ScopeSharedPtr createScope(const std::string& name, bool evictable) override; + ScopeSharedPtr scopeFromStatName(StatName name, bool evictable) override; Gauge& gaugeFromStatNameWithTags(const StatName& name, StatNameTagVectorOptConstRef tags, Gauge::ImportMode import_mode) override { Gauge& gauge = store_.gauges_.get(prefix(), name, tags, symbolTable(), import_mode); diff --git a/source/common/stats/null_counter.h b/source/common/stats/null_counter.h index ca576310f0d79..f8b755c58c57d 100644 --- a/source/common/stats/null_counter.h +++ b/source/common/stats/null_counter.h @@ -31,6 +31,7 @@ class NullCounterImpl : public MetricImpl { // Metric bool used() const override { return false; } + void markUnused() override {} bool hidden() const override { return false; } SymbolTable& symbolTable() override { return symbol_table_; } diff --git a/source/common/stats/null_gauge.h b/source/common/stats/null_gauge.h index 5af09aa5999ee..642950de18d88 100644 --- a/source/common/stats/null_gauge.h +++ b/source/common/stats/null_gauge.h @@ -35,6 +35,7 @@ class NullGaugeImpl : public MetricImpl { // Metric bool used() const override { return false; } + void markUnused() override {} bool hidden() const override { return false; } SymbolTable& symbolTable() override { return symbol_table_; } diff --git a/source/common/stats/null_text_readout.h b/source/common/stats/null_text_readout.h index 3073fa8182b48..40a155b7ee66c 100644 --- a/source/common/stats/null_text_readout.h +++ b/source/common/stats/null_text_readout.h @@ -28,6 +28,7 @@ class NullTextReadoutImpl : public MetricImpl { // Metric bool used() const override { return false; } + void markUnused() override {} bool hidden() const override { return false; } SymbolTable& symbolTable() override { return symbol_table_; } diff --git a/source/common/stats/thread_local_store.cc b/source/common/stats/thread_local_store.cc index 175d7d473e3cb..6bc34f71a086b 100644 --- a/source/common/stats/thread_local_store.cc +++ b/source/common/stats/thread_local_store.cc @@ -38,7 +38,7 @@ ThreadLocalStoreImpl::ThreadLocalStoreImpl(Allocator& alloc) well_known_tags_->rememberBuiltin(desc.name_); } StatNameManagedStorage empty("", alloc.symbolTable()); - auto new_scope = std::make_shared(*this, StatName(empty.statName())); + auto new_scope = std::make_shared(*this, StatName(empty.statName()), false); addScope(new_scope); default_scope_ = new_scope; } @@ -154,14 +154,15 @@ std::vector ThreadLocalStoreImpl::counters() const { return ret; } -ScopeSharedPtr ThreadLocalStoreImpl::ScopeImpl::createScope(const std::string& name) { +ScopeSharedPtr ThreadLocalStoreImpl::ScopeImpl::createScope(const std::string& name, + bool evictable) { StatNameManagedStorage stat_name_storage(Utility::sanitizeStatsName(name), symbolTable()); - return scopeFromStatName(stat_name_storage.statName()); + return scopeFromStatName(stat_name_storage.statName(), evictable); } -ScopeSharedPtr ThreadLocalStoreImpl::ScopeImpl::scopeFromStatName(StatName name) { +ScopeSharedPtr ThreadLocalStoreImpl::ScopeImpl::scopeFromStatName(StatName name, bool evictable) { SymbolTable::StoragePtr joined = symbolTable().join({prefix_.statName(), name}); - auto new_scope = std::make_shared(parent_, StatName(joined.get())); + auto new_scope = std::make_shared(parent_, StatName(joined.get()), evictable); parent_.addScope(new_scope); return new_scope; } @@ -394,8 +395,9 @@ void ThreadLocalStoreImpl::clearHistogramsFromCaches() { } } -ThreadLocalStoreImpl::ScopeImpl::ScopeImpl(ThreadLocalStoreImpl& parent, StatName prefix) - : scope_id_(parent.next_scope_id_++), parent_(parent), +ThreadLocalStoreImpl::ScopeImpl::ScopeImpl(ThreadLocalStoreImpl& parent, StatName prefix, + bool evictable) + : scope_id_(parent.next_scope_id_++), parent_(parent), evictable_(evictable), prefix_(prefix, parent.alloc_.symbolTable()), central_cache_(new CentralCacheEntry(parent.alloc_.symbolTable())) {} @@ -910,6 +912,14 @@ bool ParentHistogramImpl::used() const { return merged_; } +void ParentHistogramImpl::markUnused() { + merged_ = false; + Thread::LockGuard lock(merge_lock_); + for (const TlsHistogramSharedPtr& tls_histogram : tls_histograms_) { + tls_histogram->markUnused(); + } +} + bool ParentHistogramImpl::hidden() const { return false; } void ParentHistogramImpl::merge() { @@ -1030,6 +1040,109 @@ void ThreadLocalStoreImpl::forEachScope(std::function f_size, } } +namespace { +struct MetricBag { + explicit MetricBag(uint64_t scope_id) : scope_id_(scope_id) {} + const uint64_t scope_id_; + StatNameHashMap counters_; + StatNameHashMap gauges_; + StatNameHashMap histograms_; + StatNameHashMap text_readouts_; + bool empty() const { + return counters_.empty() && gauges_.empty() && histograms_.empty() && text_readouts_.empty(); + } +}; + +} // namespace + +void ThreadLocalStoreImpl::evictUnused() { + ASSERT_IS_MAIN_OR_TEST_THREAD(); + + // If we are shutting down, we no longer perform eviction as workers may be shutting down + // and not able to complete their work. + if (shutting_down_ || !tls_cache_) { + return; + } + + auto evicted_metrics = std::make_shared>(); + { + Thread::LockGuard lock(lock_); + iterateScopesLockHeld([evicted_metrics](const ScopeImplSharedPtr& scope) -> bool { + if (scope->evictable_) { + MetricBag metrics(scope->scope_id_); + CentralCacheEntrySharedPtr& central_cache = scope->centralCacheMutableNoThreadAnalysis(); + auto filter_unused = [](StatNameHashMap& unused_metrics) { + return [&unused_metrics](std::pair kv) { + const auto& [name, metric] = kv; + if (metric->used()) { + metric->markUnused(); + return false; + } else { + unused_metrics.try_emplace(name, metric); + return true; + } + }; + }; + absl::erase_if(central_cache->counters_, filter_unused(metrics.counters_)); + absl::erase_if(central_cache->gauges_, filter_unused(metrics.gauges_)); + absl::erase_if(central_cache->text_readouts_, filter_unused(metrics.text_readouts_)); + absl::erase_if(central_cache->histograms_, filter_unused(metrics.histograms_)); + if (!metrics.empty()) { + evicted_metrics->push_back(std::move(metrics)); + } + } + return true; + }); + } + + // At this point, central caches no longer return the evicted stats, but we + // need to keep the storage for the evicted stats until after the thread + // local caches are cleared. + if (!evicted_metrics->empty()) { + tls_cache_->runOnAllThreads( + [evicted_metrics](OptRef tls_cache) { + for (const auto& metrics : *evicted_metrics) { + TlsCacheEntry& entry = tls_cache->insertScope(metrics.scope_id_); + absl::erase_if(entry.counters_, + [&](std::pair> kv) { + return metrics.counters_.contains(kv.first); + }); + absl::erase_if(entry.gauges_, + [&](std::pair> kv) { + return metrics.gauges_.contains(kv.first); + }); + absl::erase_if(entry.text_readouts_, + [&](std::pair> kv) { + return metrics.text_readouts_.contains(kv.first); + }); + absl::erase_if(entry.parent_histograms_, + [&](std::pair kv) { + return metrics.histograms_.contains(kv.first); + }); + } + }, + [evicted_metrics]() { + // We want to delete stale stats on the main thread since stat + // destructors lock the stats allocator. Note that we might have + // received fresh values on the stale cache-local stats after deleting them from the + // central cache.. Eventually, we might also want to defer the deletion further in the + // allocator until the values are flushed to the sinks. + size_t scopes = 0, counters = 0, gauges = 0, readouts = 0, histograms = 0; + for (const auto& metrics : *evicted_metrics) { + scopes += 1; + counters += metrics.counters_.size(); + gauges += metrics.gauges_.size(); + readouts += metrics.text_readouts_.size(); + histograms += metrics.histograms_.size(); + } + ENVOY_LOG(debug, + "deleted stale {} counters, {} gauges, {} text readouts, {} histograms from " + "{} scopes", + counters, gauges, readouts, histograms, scopes); + }); + } +} + bool ThreadLocalStoreImpl::iterateScopesLockHeld( const std::function fn) const ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { diff --git a/source/common/stats/thread_local_store.h b/source/common/stats/thread_local_store.h index b2d7f54990ea7..8a598b82713ce 100644 --- a/source/common/stats/thread_local_store.h +++ b/source/common/stats/thread_local_store.h @@ -60,6 +60,7 @@ class ThreadLocalHistogramImpl : public HistogramImplHelper { // Stats::Metric SymbolTable& symbolTable() final { return symbol_table_; } bool used() const override { return used_; } + void markUnused() override { used_ = false; } bool hidden() const override { return false; } private: @@ -116,6 +117,7 @@ class ParentHistogramImpl : public MetricImpl { // Stats::Metric SymbolTable& symbolTable() override; bool used() const override; + void markUnused() override; bool hidden() const override; // RefcountInterface @@ -184,6 +186,8 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo void forEachHistogram(SizeFn f_size, StatFn f_stat) const override; void forEachScope(SizeFn f_size, StatFn f_stat) const override; + void evictUnused() override; + // Stats::StoreRoot void addSink(Sink& sink) override { timer_sinks_.push_back(sink); } void setTagProducer(TagProducerPtr&& tag_producer) override { @@ -277,7 +281,7 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo using CentralCacheEntrySharedPtr = RefcountPtr; struct ScopeImpl : public Scope { - ScopeImpl(ThreadLocalStoreImpl& parent, StatName prefix); + ScopeImpl(ThreadLocalStoreImpl& parent, StatName prefix, bool evictable); ~ScopeImpl() override; // Stats::Scope @@ -290,8 +294,8 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo Histogram::Unit unit) override; TextReadout& textReadoutFromStatNameWithTags(const StatName& name, StatNameTagVectorOptConstRef tags) override; - ScopeSharedPtr createScope(const std::string& name) override; - ScopeSharedPtr scopeFromStatName(StatName name) override; + ScopeSharedPtr createScope(const std::string& name, bool evictale) override; + ScopeSharedPtr scopeFromStatName(StatName name, bool evictable) override; const SymbolTable& constSymbolTable() const final { return parent_.constSymbolTable(); } SymbolTable& symbolTable() final { return parent_.symbolTable(); } @@ -429,6 +433,11 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo return central_cache_; } + CentralCacheEntrySharedPtr& + centralCacheMutableNoThreadAnalysis() const ABSL_NO_THREAD_SAFETY_ANALYSIS { + return central_cache_; + } + // Returns the central cache, bypassing thread analysis. // // This is used only when passing references to maps held in the central @@ -441,6 +450,7 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo const uint64_t scope_id_; ThreadLocalStoreImpl& parent_; + const bool evictable_{}; private: StatNameStorage prefix_; diff --git a/source/server/configuration_impl.cc b/source/server/configuration_impl.cc index a1c9a438604cd..f341803f78c4e 100644 --- a/source/server/configuration_impl.cc +++ b/source/server/configuration_impl.cc @@ -99,6 +99,14 @@ StatsConfigImpl::StatsConfigImpl(const envoy::config::bootstrap::v3::Bootstrap& if (bootstrap.stats_flush_case() == envoy::config::bootstrap::v3::Bootstrap::kStatsFlushOnAdmin) { flush_on_admin_ = bootstrap.stats_flush_on_admin(); } + + const auto evict_interval_ms = PROTOBUF_GET_MS_OR_DEFAULT(bootstrap, stats_eviction_interval, 0); + if (evict_interval_ms % flush_interval_.count() != 0) { + status = absl::InvalidArgumentError( + "stats_eviction_interval must be a multiple of stats_flush_interval"); + return; + } + evict_on_flush_ = evict_interval_ms / flush_interval_.count(); } absl::Status MainImpl::initialize(const envoy::config::bootstrap::v3::Bootstrap& bootstrap, diff --git a/source/server/configuration_impl.h b/source/server/configuration_impl.h index 2165239456f1b..932ffab806b24 100644 --- a/source/server/configuration_impl.h +++ b/source/server/configuration_impl.h @@ -56,6 +56,7 @@ class StatsConfigImpl : public StatsConfig { const std::list& sinks() const override { return sinks_; } std::chrono::milliseconds flushInterval() const override { return flush_interval_; } bool flushOnAdmin() const override { return flush_on_admin_; } + uint32_t evictOnFlush() const override { return evict_on_flush_; } void addSink(Stats::SinkPtr sink) { sinks_.emplace_back(std::move(sink)); } bool enableDeferredCreationStats() const override { @@ -67,6 +68,7 @@ class StatsConfigImpl : public StatsConfig { std::chrono::milliseconds flush_interval_; bool flush_on_admin_{false}; const envoy::config::bootstrap::v3::Bootstrap::DeferredStatOptions deferred_stat_options_; + uint32_t evict_on_flush_{0}; }; /** diff --git a/source/server/server.cc b/source/server/server.cc index 24e233bf35da3..cd89ef64c6a9c 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -292,6 +292,12 @@ void InstanceBase::flushStatsInternal() { auto& stats_config = config_.statsConfig(); InstanceUtil::flushMetricsToSinks(stats_config.sinks(), stats_store_, clusterManager(), timeSource()); + if (const auto evict_on_flush = stats_config.evictOnFlush(); evict_on_flush > 0) { + stats_eviction_counter_ = (stats_eviction_counter_ + 1) % evict_on_flush; + if (stats_eviction_counter_ == 0) { + stats_store_.evictUnused(); + } + } // TODO(ramaraochavali): consider adding different flush interval for histograms. if (stat_flush_timer_ != nullptr) { stat_flush_timer_->enableTimer(stats_config.flushInterval()); diff --git a/source/server/server.h b/source/server/server.h index 88ffac5cdd404..b59fce228f034 100644 --- a/source/server/server.h +++ b/source/server/server.h @@ -453,6 +453,8 @@ class InstanceBase : Logger::Loggable, : RaiiListElement(callbacks, callback) {} }; + uint32_t stats_eviction_counter_{0}; + #ifdef ENVOY_PERFETTO std::unique_ptr tracing_session_{}; os_fd_t tracing_fd_{INVALID_HANDLE}; @@ -468,6 +470,8 @@ class InstanceBase : Logger::Loggable, // copying and probably be a cleaner API in general. class MetricSnapshotImpl : public Stats::MetricSnapshot { public: + // MetricSnapshotImpl captures a snapshot of metrics by latching the delta usage, and optionally + // marking the stats as used. explicit MetricSnapshotImpl(Stats::Store& store, Upstream::ClusterManager& cluster_manager, TimeSource& time_source); diff --git a/test/common/stats/thread_local_store_test.cc b/test/common/stats/thread_local_store_test.cc index de9faf5227d73..4bcdcc0237dd9 100644 --- a/test/common/stats/thread_local_store_test.cc +++ b/test/common/stats/thread_local_store_test.cc @@ -606,6 +606,86 @@ TEST_F(StatsThreadLocalStoreTest, ScopeDelete) { tls_.shutdownThread(); } +TEST_F(StatsThreadLocalStoreTest, Eviction) { + InSequence s; + store_->initializeThreading(main_thread_dispatcher_, tls_); + + ScopeSharedPtr scope = store_->createScope("scope.", true); + ScopeSharedPtr scope1 = store_->createScope("scope.", true); + // References will become invalid, so we create a lexical scope. + { + Counter& c1 = scope->counterFromString("c1"); + EXPECT_EQ(&c1, &scope1->counterFromString("c1")); + c1.add(1); + EXPECT_TRUE(c1.used()); + + Gauge& g1 = scope->gaugeFromString("g1", Gauge::ImportMode::Accumulate); + g1.set(5); + EXPECT_TRUE(g1.used()); + + TextReadout& t1 = scope->textReadoutFromString("t1"); + t1.set("hello"); + EXPECT_TRUE(t1.used()); + + Histogram& h1 = scope->histogramFromString("h1", Histogram::Unit::Unspecified); + EXPECT_CALL(sink_, onHistogramComplete(Ref(h1), 1)); + h1.recordValue(1); + store_->mergeHistograms([]() -> void {}); + + // Eviction only marks unused but does not remove the counters. + store_->evictUnused(); + + EXPECT_EQ(&c1, &scope->counterFromString("c1")); + EXPECT_FALSE(c1.used()); + EXPECT_EQ(1, c1.value()); + EXPECT_EQ(1UL, store_->counters().size()); + + EXPECT_EQ(&g1, &scope->gaugeFromString("g1", Gauge::ImportMode::Accumulate)); + EXPECT_EQ(&g1, &scope1->gaugeFromString("g1", Gauge::ImportMode::Accumulate)); + EXPECT_FALSE(g1.used()); + EXPECT_EQ(5, g1.value()); + EXPECT_EQ(1UL, store_->gauges().size()); + + EXPECT_EQ(&t1, &scope->textReadoutFromString("t1")); + EXPECT_EQ(&t1, &scope1->textReadoutFromString("t1")); + EXPECT_FALSE(t1.used()); + EXPECT_EQ("hello", t1.value()); + EXPECT_EQ(1UL, store_->textReadouts().size()); + + EXPECT_EQ(&h1, &scope->histogramFromString("h1", Histogram::Unit::Unspecified)); + EXPECT_EQ(&h1, &scope1->histogramFromString("h1", Histogram::Unit::Unspecified)); + EXPECT_FALSE(h1.used()); + EXPECT_EQ(1UL, store_->histograms().size()); + } + + // Eviction removes here. + EXPECT_CALL(tls_, runOnAllThreads(_, _)).Times(testing::AtLeast(1)); + store_->evictUnused(); + EXPECT_EQ(0UL, store_->counters().size()); + EXPECT_EQ(0UL, store_->gauges().size()); + EXPECT_EQ(0UL, store_->textReadouts().size()); + EXPECT_EQ(0UL, store_->histograms().size()); + + // Make sure no dangling data is on caches and it is safe to use the same metrics. + { + scope->counterFromString("c1").add(1); + scope1->counterFromString("c1").add(1); + scope->gaugeFromString("g1", Gauge::ImportMode::Accumulate).set(5); + scope1->gaugeFromString("g1", Gauge::ImportMode::Accumulate).set(5); + scope->textReadoutFromString("t1").set("hello"); + scope1->textReadoutFromString("t1").set("hello"); + Histogram& h1 = scope->histogramFromString("h1", Histogram::Unit::Unspecified); + EXPECT_CALL(sink_, onHistogramComplete(Ref(h1), 1)); + h1.recordValue(1); + Histogram& h2 = scope1->histogramFromString("h1", Histogram::Unit::Unspecified); + EXPECT_EQ(&h1, &h2); + } + + tls_.shutdownGlobalThreading(); + store_->shutdownThreading(); + tls_.shutdownThread(); +} + TEST_F(StatsThreadLocalStoreTest, NestedScopes) { InSequence s; store_->initializeThreading(main_thread_dispatcher_, tls_); diff --git a/test/integration/server.h b/test/integration/server.h index 335d55fa4431b..a78a8b4eb4ef2 100644 --- a/test/integration/server.h +++ b/test/integration/server.h @@ -77,12 +77,12 @@ class TestScopeWrapper : public Scope { TestScopeWrapper(Thread::MutexBasicLockable& lock, ScopeSharedPtr wrapped_scope, Store& store) : lock_(lock), wrapped_scope_(wrapped_scope), store_(store) {} - ScopeSharedPtr createScope(const std::string& name) override { + ScopeSharedPtr createScope(const std::string& name, bool) override { Thread::LockGuard lock(lock_); return std::make_shared(lock_, wrapped_scope_->createScope(name), store_); } - ScopeSharedPtr scopeFromStatName(StatName name) override { + ScopeSharedPtr scopeFromStatName(StatName name, bool) override { Thread::LockGuard lock(lock_); return std::make_shared(lock_, wrapped_scope_->scopeFromStatName(name), store_); @@ -196,6 +196,7 @@ class NotifyingCounter : public Stats::Counter { uint32_t use_count() const override { return counter_->use_count(); } StatName tagExtractedStatName() const override { return counter_->tagExtractedStatName(); } bool used() const override { return counter_->used(); } + void markUnused() override { counter_->markUnused(); } bool hidden() const override { return counter_->hidden(); } SymbolTable& symbolTable() override { return counter_->symbolTable(); } const SymbolTable& constSymbolTable() const override { return counter_->constSymbolTable(); } @@ -365,6 +366,16 @@ class TestIsolatedStoreImpl : public StoreRoot { void extractAndAppendTags(absl::string_view, StatNamePool&, StatNameTagVector&) override {}; const Stats::TagVector& fixedTags() override { CONSTRUCT_ON_FIRST_USE(Stats::TagVector); } + void evictUnused() override { + Thread::LockGuard lock(lock_); + eviction_count_++; + } + + uint32_t evictionCount() const { + Thread::LockGuard lock(lock_); + return eviction_count_; + } + // Stats::StoreRoot void addSink(Sink&) override {} void setTagProducer(TagProducerPtr&&) override {} @@ -381,6 +392,7 @@ class TestIsolatedStoreImpl : public StoreRoot { IsolatedStoreImpl store_; PostMergeCb merge_cb_; ScopeSharedPtr lazy_default_scope_; + uint32_t eviction_count_{0}; }; } // namespace Stats diff --git a/test/mocks/server/server_factory_context.h b/test/mocks/server/server_factory_context.h index 7221103be6359..059a50aaa9032 100644 --- a/test/mocks/server/server_factory_context.h +++ b/test/mocks/server/server_factory_context.h @@ -51,6 +51,7 @@ class MockStatsConfig : public virtual StatsConfig { MOCK_METHOD(bool, flushOnAdmin, (), (const)); MOCK_METHOD(const Stats::SinkPredicates*, sinkPredicates, (), (const)); MOCK_METHOD(bool, enableDeferredCreationStats, (), (const)); + MOCK_METHOD(uint32_t, evictOnFlush, (), (const)); }; class MockServerFactoryContext : public virtual ServerFactoryContext { diff --git a/test/mocks/stats/mocks.h b/test/mocks/stats/mocks.h index 2b0d25435ca9c..e476b6bf75776 100644 --- a/test/mocks/stats/mocks.h +++ b/test/mocks/stats/mocks.h @@ -142,6 +142,7 @@ class MockCounter : public MockStatWithRefcount { MOCK_METHOD(uint64_t, latch, ()); MOCK_METHOD(void, reset, ()); MOCK_METHOD(bool, used, (), (const)); + MOCK_METHOD(void, markUnused, ()); MOCK_METHOD(bool, hidden, (), (const)); MOCK_METHOD(uint64_t, value, (), (const)); @@ -164,6 +165,7 @@ class MockGauge : public MockStatWithRefcount { MOCK_METHOD(void, sub, (uint64_t amount)); MOCK_METHOD(void, mergeImportMode, (ImportMode)); MOCK_METHOD(bool, used, (), (const)); + MOCK_METHOD(void, markUnused, ()); MOCK_METHOD(bool, hidden, (), (const)); MOCK_METHOD(uint64_t, value, (), (const)); MOCK_METHOD(absl::optional, cachedShouldImport, (), (const)); @@ -181,6 +183,7 @@ class MockHistogram : public MockMetric { ~MockHistogram() override; MOCK_METHOD(bool, used, (), (const)); + MOCK_METHOD(void, markUnused, ()); MOCK_METHOD(bool, hidden, (), (const)); MOCK_METHOD(Histogram::Unit, unit, (), (const)); MOCK_METHOD(void, recordValue, (uint64_t value)); @@ -206,6 +209,7 @@ class MockParentHistogram : public MockMetric { std::string quantileSummary() const override { return ""; }; std::string bucketSummary() const override { return ""; }; MOCK_METHOD(bool, used, (), (const)); + MOCK_METHOD(void, markUnused, ()); MOCK_METHOD(bool, hidden, (), (const)); MOCK_METHOD(Histogram::Unit, unit, (), (const)); MOCK_METHOD(void, recordValue, (uint64_t value)); @@ -292,10 +296,10 @@ class MockScope : public TestUtil::TestScope { public: MockScope(StatName prefix, MockStore& store); - ScopeSharedPtr createScope(const std::string& name) override { + ScopeSharedPtr createScope(const std::string& name, bool) override { return ScopeSharedPtr(createScope_(name)); } - ScopeSharedPtr scopeFromStatName(StatName name) override { + ScopeSharedPtr scopeFromStatName(StatName name, bool) override { return createScope_(symbolTable().toString(name)); } diff --git a/test/server/configuration_impl_test.cc b/test/server/configuration_impl_test.cc index 5ce86dc719cea..c916ebd031643 100644 --- a/test/server/configuration_impl_test.cc +++ b/test/server/configuration_impl_test.cc @@ -94,6 +94,7 @@ TEST_F(ConfigurationImplTest, DefaultStatsFlushInterval) { EXPECT_EQ(std::chrono::milliseconds(5000), config.statsConfig().flushInterval()); EXPECT_FALSE(config.statsConfig().flushOnAdmin()); + EXPECT_EQ(0, config.statsConfig().evictOnFlush()); } TEST_F(ConfigurationImplTest, CustomStatsFlushInterval) { @@ -224,6 +225,34 @@ TEST_F(ConfigurationImplTest, IntervalAndAdminFlush) { "Only one of stats_flush_interval or stats_flush_on_admin should be set!"); } +TEST_F(ConfigurationImplTest, Eviction) { + std::string json = R"EOF( + { + "stats_flush_interval": "0.500s", + "stats_eviction_interval": "1.5s" + } + )EOF"; + + auto bootstrap = Upstream::parseBootstrapFromV3Json(json); + MainImpl config; + EXPECT_TRUE(config.initialize(bootstrap, server_, cluster_manager_factory_).ok()); + EXPECT_EQ(3, config.statsConfig().evictOnFlush()); +} + +TEST_F(ConfigurationImplTest, EvictionNotMultiple) { + std::string json = R"EOF( + { + "stats_flush_interval": "0.500s", + "stats_eviction_interval": "0.750s" + } + )EOF"; + + auto bootstrap = Upstream::parseBootstrapFromV3Json(json); + MainImpl config; + EXPECT_THAT(config.initialize(bootstrap, server_, cluster_manager_factory_).message(), + testing::HasSubstr("must be a multiple")); +} + TEST_F(ConfigurationImplTest, SetUpstreamClusterPerConnectionBufferLimit) { const std::string json = R"EOF( { diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 8c1a81b05e3e4..25bb1121a89a4 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -964,6 +964,38 @@ TEST_P(ServerInstanceImplTest, FlushStatsOnAdmin) { server_thread->join(); } +TEST_P(ServerInstanceImplTest, EvictStats) { + CustomStatsSinkFactory factory; + Registry::InjectFactory registered(factory); + auto server_thread = + startTestServer("test/server/test_data/server/stats_evict_bootstrap.yaml", true); + EXPECT_EQ(2, server_->statsConfig().evictOnFlush()); + EXPECT_EQ(std::chrono::seconds(5), server_->statsConfig().flushInterval()); + + auto counter = TestUtility::findCounter(stats_store_, "stats.flushed"); + + time_system_.advanceTimeWait(std::chrono::seconds(6)); + EXPECT_EQ(1L, counter->value()); + EXPECT_EQ(0, stats_store_.evictionCount()); + + // Eviction applied here: side-effect is that c1 is now marked as unused. + time_system_.advanceTimeWait(std::chrono::seconds(6)); + EXPECT_EQ(2L, counter->value()); + EXPECT_EQ(1, stats_store_.evictionCount()); + + time_system_.advanceTimeWait(std::chrono::seconds(6)); + EXPECT_EQ(3L, counter->value()); + EXPECT_EQ(1, stats_store_.evictionCount()); + + // Second pass of eviction deletes the counter. + time_system_.advanceTimeWait(std::chrono::seconds(6)); + EXPECT_EQ(4L, counter->value()); + EXPECT_EQ(2, stats_store_.evictionCount()); + + server_->dispatcher().post([&] { server_->shutdown(); }); + server_thread->join(); +} + TEST_P(ServerInstanceImplTest, ConcurrentFlushes) { CustomStatsSinkFactory factory; Registry::InjectFactory registered(factory); diff --git a/test/server/test_data/server/stats_evict_bootstrap.yaml b/test/server/test_data/server/stats_evict_bootstrap.yaml new file mode 100644 index 0000000000000..b295c2c0c471c --- /dev/null +++ b/test/server/test_data/server/stats_evict_bootstrap.yaml @@ -0,0 +1,11 @@ +node: + id: bootstrap_id + cluster: bootstrap_cluster + locality: + zone: bootstrap_zone + sub_zone: bootstrap_sub_zone +stats_sinks: +- name: envoy.custom_stats_sink + typed_config: + "@type": type.googleapis.com/google.protobuf.Struct +stats_eviction_interval: 10s From 0a1c47e3b7d5fbef1ea19f1816eb1cbd3ea5b1a7 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 15 Aug 2025 13:30:25 +0000 Subject: [PATCH 233/505] deps: Bump `highway` -> 1.3.0 (#40731) ## Description This PR bumps up highway -> `1.3.0` Fix https://github.com/envoyproxy/envoy/issues/40712 --- Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 95a2269fd9d74..3b1dbd6107532 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1209,13 +1209,13 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_desc = "Performance-portable, length-agnostic SIMD with runtime dispatch", project_url = "https://github.com/google/highway", # NOTE: Update together with v8 and proxy_wasm_cpp_host. - version = "1.2.0", + version = "1.3.0", strip_prefix = "highway-{version}", - sha256 = "7e0be78b8318e8bdbf6fa545d2ecb4c90f947df03f7aadc42c1967f019e63343", + sha256 = "07b3c1ba2c1096878a85a31a5b9b3757427af963b1141ca904db2f9f4afe0bc2", urls = ["https://github.com/google/highway/archive/refs/tags/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2024-05-31", + release_date = "2025-08-14", cpe = "N/A", ), dragonbox = dict( From b7ade038fc0347fe03f4edfccb3213dc56fb4330 Mon Sep 17 00:00:00 2001 From: James Jenkins <108480513+Jenkins-J@users.noreply.github.com> Date: Fri, 15 Aug 2025 09:45:07 -0400 Subject: [PATCH 234/505] Bump com_github_bufbuild_buf to v1.56.0 (#40719) Commit Message: Bump the version of the Buf dependency from 1.50.0 to 1.56.0. Resolves #40588. Additional Description: Versions of Buf >= 1.54.0 now release a ppc64le binary. Bumping the version will allow Envoy to continue building on the ppc64le architecture. Risk Level: Low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: James Jenkins --- bazel/dependency_imports.bzl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bazel/dependency_imports.bzl b/bazel/dependency_imports.bzl index 4615eed5c9ade..8fe4b68252065 100644 --- a/bazel/dependency_imports.bzl +++ b/bazel/dependency_imports.bzl @@ -29,8 +29,8 @@ GO_VERSION = "1.23.1" JQ_VERSION = "1.7" YQ_VERSION = "4.24.4" -BUF_SHA = "736e74d1697dcf253bc60b2f0fb4389c39dbc7be68472a7d564a953df8b19d12" -BUF_VERSION = "v1.50.0" +BUF_SHA = "5790beb45aaf51a6d7e68ca2255b22e1b14c9ae405a6c472cdcfc228c66abfc1" +BUF_VERSION = "v1.56.0" def envoy_dependency_imports( go_version = GO_VERSION, From 959d40d0722b3c15c165148d2ade1ac0e7226e0d Mon Sep 17 00:00:00 2001 From: botengyao Date: Fri, 15 Aug 2025 10:43:16 -0400 Subject: [PATCH 235/505] network ext_proc: api remove no-implement hide (#40724) Commit Message: Additional Description: Risk Level: low Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Boteng Yao --- .../extensions/filters/network/ext_proc/v3/ext_proc.proto | 3 --- 1 file changed, 3 deletions(-) diff --git a/api/envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto index 744c6f7bdeb83..f37feaa94f8d1 100644 --- a/api/envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto +++ b/api/envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto @@ -45,11 +45,9 @@ message NetworkExternalProcessor { // prematurely with an error, the filter will fail, leading to the close of connection. // With this parameter set to true, however, then if the gRPC stream is prematurely closed // or could not be opened, processing continues without error. - // [#not-implemented-hide:] bool failure_mode_allow = 2; // Options for controlling processing behavior. - // [#not-implemented-hide:] ProcessingMode processing_mode = 3; // Specifies the timeout for each individual message sent on the stream and @@ -57,7 +55,6 @@ message NetworkExternalProcessor { // the proxy sends a message on the stream that requires a response, it will // reset this timer, and will stop processing and return an error (subject // to the processing mode) if the timer expires. Default is 200 ms. - // [#not-implemented-hide:] google.protobuf.Duration message_timeout = 4 [(validate.rules).duration = { lte {seconds: 3600} gte {} From 624af8eb53a7e70f7857e11330b075aa6c6087f3 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 15 Aug 2025 18:48:12 +0200 Subject: [PATCH 236/505] stats: deprecate flag enable_include_histograms and remove legacy code paths (#40606) ## Description This PR removes the deprecated reloadable flag `enable_include_histograms` and cleans up the legacy paths. Fix https://github.com/envoyproxy/envoy/issues/36603 --- **Commit Message:** router: deprecate flag enable_include_histograms and remove legacy code paths **Additional Description:** Remove the deprecated reloadable flag `enable_include_histograms` and cleans up the legacy paths. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 3 + envoy/stats/sink.h | 2 - source/common/runtime/runtime_features.cc | 1 - source/common/stats/thread_local_store.cc | 3 +- test/common/stats/thread_local_store_test.cc | 82 +++----------------- 5 files changed, 15 insertions(+), 76 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 1e82649d226cd..313c69bb73ce3 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -95,6 +95,9 @@ removed_config_or_runtime: - area: http3 change: | Removed runtime guard ``envoy.reloadable_features.http3_remove_empty_trailers`` and legacy code paths. +- area: stats + change: | + Removed runtime guard ``envoy.reloadable_features.enable_include_histograms`` and legacy code paths. - area: network change: | Removed runtime guard ``envoy.reloadable_features.udp_socket_apply_aggregated_read_limit`` and legacy code paths. diff --git a/envoy/stats/sink.h b/envoy/stats/sink.h index a56ec2bb27575..6c7029d484230 100644 --- a/envoy/stats/sink.h +++ b/envoy/stats/sink.h @@ -83,8 +83,6 @@ class SinkPredicates { /* * @return true if @param histogram needs to be flushed to sinks. - * Note that this is used only if runtime flag envoy.reloadable_features.enable_include_histograms - * (which is false by default) is set to true. */ virtual bool includeHistogram(const Histogram& histogram) PURE; }; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 635f35843c431..b54b9908d1a6b 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -39,7 +39,6 @@ RUNTIME_GUARD(envoy_reloadable_features_dfp_cluster_resolves_hosts); RUNTIME_GUARD(envoy_reloadable_features_disallow_quic_client_udp_mmsg); RUNTIME_GUARD(envoy_reloadable_features_enable_cel_regex_precompilation); RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); -RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms); RUNTIME_GUARD(envoy_reloadable_features_enable_new_query_param_present_match_behavior); RUNTIME_GUARD(envoy_reloadable_features_ext_proc_fail_close_spurious_resp); RUNTIME_GUARD(envoy_reloadable_features_generic_proxy_codec_buffer_limit); diff --git a/source/common/stats/thread_local_store.cc b/source/common/stats/thread_local_store.cc index 6bc34f71a086b..3917111c9a866 100644 --- a/source/common/stats/thread_local_store.cc +++ b/source/common/stats/thread_local_store.cc @@ -1177,8 +1177,7 @@ void ThreadLocalStoreImpl::forEachSinkedTextReadout(SizeFn f_size, void ThreadLocalStoreImpl::forEachSinkedHistogram(SizeFn f_size, StatFn f_stat) const { - if (sink_predicates_.has_value() && - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_include_histograms")) { + if (sink_predicates_.has_value()) { Thread::LockGuard lock(hist_mutex_); if (f_size != nullptr) { diff --git a/test/common/stats/thread_local_store_test.cc b/test/common/stats/thread_local_store_test.cc index 4bcdcc0237dd9..f7b1d518af2b2 100644 --- a/test/common/stats/thread_local_store_test.cc +++ b/test/common/stats/thread_local_store_test.cc @@ -2233,53 +2233,15 @@ TEST_F(StatsThreadLocalStoreTest, SetSinkPredicates) { EXPECT_EQ(expected_sinked_stats, num_sinked_text_readouts); } -enum class EnableIncludeHistograms { No = 0, Yes }; -class HistogramParameterisedTest : public HistogramTest, - public ::testing::WithParamInterface { +class HistogramParameterisedTest : public HistogramTest { public: - HistogramParameterisedTest() { local_info_.node_.set_cluster(""); } + HistogramParameterisedTest() {} protected: - void SetUp() override { - HistogramTest::SetUp(); - - // Set the feature flag in SetUp as store_ is constructed in HistogramTest::SetUp. - api_ = Api::createApiForTest(*store_); - Protobuf::Struct base = - TestUtility::parseYaml(GetParam() == EnableIncludeHistograms::Yes ? R"EOF( - envoy.reloadable_features.enable_include_histograms: true - )EOF" - : R"EOF( - envoy.reloadable_features.enable_include_histograms: false - )EOF"); - envoy::config::bootstrap::v3::LayeredRuntime layered_runtime; - { - auto* layer = layered_runtime.add_layers(); - layer->set_name("base"); - layer->mutable_static_layer()->MergeFrom(base); - } - { - auto* layer = layered_runtime.add_layers(); - layer->set_name("admin"); - layer->mutable_admin_layer(); - } - absl::StatusOr> loader = - Runtime::LoaderImpl::create(dispatcher_, tls_, layered_runtime, local_info_, *store_, - generator_, validation_visitor_, *api_); - THROW_IF_NOT_OK(loader.status()); - loader_ = std::move(loader.value()); - } - - NiceMock context_; - Event::MockDispatcher dispatcher_; - Api::ApiPtr api_; - NiceMock local_info_; - Random::MockRandomGenerator generator_; - NiceMock validation_visitor_; - std::unique_ptr loader_; + void SetUp() override { HistogramTest::SetUp(); } }; -TEST_P(HistogramParameterisedTest, ForEachSinkedHistogram) { +TEST_F(HistogramParameterisedTest, ForEachSinkedHistogram) { std::unique_ptr test_sink_predicates = std::make_unique(); std::vector> sinked_histograms; @@ -2328,18 +2290,11 @@ TEST_P(HistogramParameterisedTest, ForEachSinkedHistogram) { store_->forEachSinkedHistogram( [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, [&num_iterations, &sink_predicates](ParentHistogram& histogram) { - if (GetParam() == EnableIncludeHistograms::Yes) { - EXPECT_TRUE(sink_predicates.has(histogram.statName())); - } + EXPECT_TRUE(sink_predicates.has(histogram.statName())); ++num_iterations; }); - if (GetParam() == EnableIncludeHistograms::Yes) { - EXPECT_EQ(num_sinked_histograms, 3); - EXPECT_EQ(num_iterations, 3); - } else { - EXPECT_EQ(num_sinked_histograms, 11); - EXPECT_EQ(num_iterations, 11); - } + EXPECT_EQ(num_sinked_histograms, 3); + EXPECT_EQ(num_iterations, 3); // Verify that rejecting histograms removes them from the sink set. envoy::config::metrics::v3::StatsConfig stats_config_; stats_config_.mutable_stats_matcher()->set_reject_all(true); @@ -2356,7 +2311,7 @@ TEST_P(HistogramParameterisedTest, ForEachSinkedHistogram) { // Verify that histograms that are not flushed to sinks are merged in the call // to mergeHistograms -TEST_P(HistogramParameterisedTest, UnsinkedHistogramsAreMerged) { +TEST_F(HistogramParameterisedTest, UnsinkedHistogramsAreMerged) { store_->setSinkPredicates(std::make_unique()); auto& sink_predicates = testSinkPredicatesOrDie(); StatName stat_name = pool_.add("h1"); @@ -2390,18 +2345,11 @@ TEST_P(HistogramParameterisedTest, UnsinkedHistogramsAreMerged) { store_->forEachSinkedHistogram( [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, [&num_iterations, &sink_predicates](ParentHistogram& histogram) { - if (GetParam() == EnableIncludeHistograms::Yes) { - EXPECT_TRUE(sink_predicates.has(histogram.statName())); - } + EXPECT_TRUE(sink_predicates.has(histogram.statName())); ++num_iterations; }); - if (GetParam() == EnableIncludeHistograms::Yes) { - EXPECT_EQ(num_sinked_histograms, 1); - EXPECT_EQ(num_iterations, 1); - } else { - EXPECT_EQ(num_sinked_histograms, 2); - EXPECT_EQ(num_iterations, 2); - } + EXPECT_EQ(num_sinked_histograms, 1); + EXPECT_EQ(num_iterations, 1); }); EXPECT_THAT(h1.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 1,")); @@ -2412,13 +2360,5 @@ TEST_P(HistogramParameterisedTest, UnsinkedHistogramsAreMerged) { EXPECT_EQ(h1.used(), true); EXPECT_EQ(h2.used(), true); } - -INSTANTIATE_TEST_SUITE_P(HistogramParameterisedTestGroup, HistogramParameterisedTest, - testing::Values(EnableIncludeHistograms::Yes, EnableIncludeHistograms::No), - [](const testing::TestParamInfo& info) { - return info.param == EnableIncludeHistograms::No - ? "DisableIncludeHistograms" - : "EnableIncludeHistograms"; - }); } // namespace Stats } // namespace Envoy From a008e6f663f822d8bba75d48944fbcc0c68169ee Mon Sep 17 00:00:00 2001 From: danzh Date: Fri, 15 Aug 2025 14:05:18 -0400 Subject: [PATCH 237/505] quic: turn off HTTP/3 happy eyeball (#40703) Commit Message: turn off envoy.reloadable_features.http3_happy_eyeballs due to a known issue. Additional Description: the current implementation favors TCP over QUIC when UDP doesn't work on V6 network but works on V4. Risk Level: low, only affect mobile Testing: changed ConnectivityGridTest which was heavily testing the H3 happy eyeball. Docs Changes: N/A Release Notes: Y Platform Specific Features: N/A --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- changelogs/current.yaml | 6 +- source/common/runtime/runtime_features.cc | 4 +- test/common/http/conn_pool_grid_test.cc | 124 ++++++++++++------ .../filters/http/dynamic_forward_proxy/BUILD | 2 + .../proxy_filter_integration_test.cc | 3 + 5 files changed, 95 insertions(+), 44 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 313c69bb73ce3..56dfd6530499a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -13,7 +13,7 @@ behavior_changes: unmarked as traced after the tracing refresh. - area: ext_proc change: | - Reverted https://github.com/envoyproxy/envoy/pull/39740 to re-enable fail_open+FULL_DUPLEX_STREAMED configuraton combination. + Reverted https://github.com/envoyproxy/envoy/pull/39740 to re-enable fail_open+FULL_DUPLEX_STREAMED configuration combination. minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* @@ -31,6 +31,10 @@ minor_behavior_changes: Generic proxy codec add the same buffer limit as connection buffer limit, if the buffer limit is exceeded, the connection is disconnected. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.generic_proxy_codec_buffer_limit`` to ``false``. +- area: http3 + change: | + turn off HTTP/3 happy eyeball in upstream via runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. + It is found to favor TCP over QUIC when UDP does not work on v6 network but works on v4. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index b54b9908d1a6b..01eb4ccf1a8ea 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -49,7 +49,6 @@ RUNTIME_GUARD(envoy_reloadable_features_http1_balsa_disallow_lone_cr_in_chunk_ex RUNTIME_GUARD(envoy_reloadable_features_http2_discard_host_header); RUNTIME_GUARD(envoy_reloadable_features_http2_propagate_reset_events); RUNTIME_GUARD(envoy_reloadable_features_http2_use_oghttp2); -RUNTIME_GUARD(envoy_reloadable_features_http3_happy_eyeballs); RUNTIME_GUARD(envoy_reloadable_features_http3_remove_empty_cookie); // Delay deprecation and decommission until UHV is enabled. RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); @@ -128,6 +127,9 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_drain_pools_on_network_change); FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_no_tcp_delay); // Adding runtime flag to use balsa_parser for http_inspector. FALSE_RUNTIME_GUARD(envoy_reloadable_features_http_inspector_use_balsa_parser); +// TODO(danzh) re-enable it when the issue of preferring TCP over v6 rather than QUIC over v4 is +// fixed. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_http3_happy_eyeballs); // TODO(renjietang): Evaluate and make this a config knob or remove. FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_canonical_suffix_for_quic_brokenness); // TODO(abeyad): Evaluate and make this a config knob or remove. diff --git a/test/common/http/conn_pool_grid_test.cc b/test/common/http/conn_pool_grid_test.cc index 48171a652c347..10f4549fc326d 100644 --- a/test/common/http/conn_pool_grid_test.cc +++ b/test/common/http/conn_pool_grid_test.cc @@ -318,6 +318,9 @@ TEST_F(ConnectivityGridTest, ImmediateSuccess) { // Test the first pool failing and the second connecting. TEST_F(ConnectivityGridTest, DoubleFailureThenSuccessSerial) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + initialize(); addHttp3AlternateProtocol(); EXPECT_EQ(grid_->http3Pool(), nullptr); @@ -353,6 +356,9 @@ TEST_F(ConnectivityGridTest, DoubleFailureThenSuccessSerial) { // Test HTTP/3 attempting to use the alternate pool immediately if it's connected and TCP not // delayed. TEST_F(ConnectivityGridTest, ThreeParallelConnections) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + initialize(); grid_->alternate_immediate_ = false; addHttp3AlternateProtocol(); @@ -520,13 +526,15 @@ TEST_F(ConnectivityGridTest, ParallelConnectionsNoTcpDelayQuicFailsTcpSucceeds) "reason", host_)); // HTTP/3 is still not marked broken yet. EXPECT_FALSE(grid_->isHttp3Broken()); - // Also force the alternate QUIC to fail. - EXPECT_LOG_CONTAINS( - "trace", "alternate pool failed to create connection to host 'hostname'", - grid_->callbacks(2)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, - "reason", host_)); - // HTTP/3 is still not marked broken yet. - EXPECT_FALSE(grid_->isHttp3Broken()); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + // Also force the alternate QUIC to fail. + EXPECT_LOG_CONTAINS( + "trace", "alternate pool failed to create connection to host 'hostname'", + grid_->callbacks(2)->onPoolFailure( + ConnectionPool::PoolFailureReason::LocalConnectionFailure, "reason", host_)); + // HTTP/3 is still not marked broken yet. + EXPECT_FALSE(grid_->isHttp3Broken()); + } // TCP succeeds. EXPECT_LOG_CONTAINS("trace", "http2 pool successfully connected to host 'hostname'", @@ -580,13 +588,15 @@ TEST_F(ConnectivityGridTest, ParallelConnectionsNoTcpDelayTcpAndQuicFail) { "reason", host_)); // HTTP/3 is still not marked broken yet. EXPECT_FALSE(grid_->isHttp3Broken()); - // Also force the alternate QUIC to fail. - EXPECT_LOG_CONTAINS( - "trace", "alternate pool failed to create connection to host 'hostname'", - grid_->callbacks(2)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, - "reason", host_)); - // HTTP/3 is still not marked broken yet. - EXPECT_FALSE(grid_->isHttp3Broken()); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + // Also force the alternate QUIC to fail. + EXPECT_LOG_CONTAINS( + "trace", "alternate pool failed to create connection to host 'hostname'", + grid_->callbacks(2)->onPoolFailure( + ConnectionPool::PoolFailureReason::LocalConnectionFailure, "reason", host_)); + // HTTP/3 is still not marked broken yet. + EXPECT_FALSE(grid_->isHttp3Broken()); + } // Force TCP to fail. EXPECT_LOG_CONTAINS( @@ -665,6 +675,9 @@ TEST_F(ConnectivityGridTest, ParallelConnectionsNoTcpDelayTcpFailsQuicSucceeds) // Same test as above but with the H3 alternate pool succeeding inline no TCP is attempted. TEST_F(ConnectivityGridTest, ParallelH3NoTcp) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + initialize(); grid_->alternate_immediate_ = false; addHttp3AlternateProtocol(); @@ -697,6 +710,9 @@ TEST_F(ConnectivityGridTest, ParallelH3NoTcp) { // Test all three connections in parallel, H3 failing and TCP connecting. TEST_F(ConnectivityGridTest, ParallelConnectionsTcpConnects) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + initialize(); grid_->alternate_immediate_ = false; addHttp3AlternateProtocol(); @@ -743,6 +759,9 @@ TEST_F(ConnectivityGridTest, ParallelConnectionsTcpConnects) { // Test all three connections in parallel, TCP fails and H3 connecting. TEST_F(ConnectivityGridTest, ParallelConnectionsTcpFailsFirst) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + initialize(); grid_->alternate_immediate_ = false; addHttp3AlternateProtocol(); @@ -792,6 +811,9 @@ TEST_F(ConnectivityGridTest, ParallelConnectionsTcpFailsFirst) { // Test the first pool failing inline but http/3 happy eyeballs succeeding inline TEST_F(ConnectivityGridTest, H3HappyEyeballsMeansNoH2Pool) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + // The alternate H3 pool will succeed inline. initialize(); grid_->alternate_failure_ = false; @@ -811,6 +833,9 @@ TEST_F(ConnectivityGridTest, H3HappyEyeballsMeansNoH2Pool) { // Test both connections happening in parallel and the second connecting. TEST_F(ConnectivityGridTest, TimeoutThenSuccessParallelH2Connects) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + initialize(); addHttp3AlternateProtocol(); EXPECT_EQ(grid_->http3Pool(), nullptr); @@ -847,6 +872,9 @@ TEST_F(ConnectivityGridTest, TimeoutThenSuccessParallelH2Connects) { // Test both connections happening in parallel and the second connecting. TEST_F(ConnectivityGridTest, TimeoutThenSuccessParallelH2ConnectsNoHE) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); + address_list_ = {*Network::Utility::resolveUrl("tcp://127.0.0.1:9000"), *Network::Utility::resolveUrl("tcp://127.0.0.1:9001")}; initialize(); @@ -925,13 +953,17 @@ TEST_F(ConnectivityGridTest, TimeoutThenSuccessParallelFirstConnects) { // Kick off the second and third connections. failover_timer->invokeCallback(); EXPECT_NE(grid_->http2Pool(), nullptr); - EXPECT_NE(grid_->alternate(), nullptr); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + EXPECT_NE(grid_->alternate(), nullptr); + } // onPoolFailure should not be passed up the first time. Instead the grid // should wait on the other pools - EXPECT_CALL(callbacks_.pool_failure_, ready()).Times(0); - grid_->callbacks(2)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, - "reason", host_); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + EXPECT_CALL(callbacks_.pool_failure_, ready()).Times(0); + grid_->callbacks(2)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, + "reason", host_); + } EXPECT_CALL(callbacks_.pool_failure_, ready()).Times(0); grid_->callbacks(1)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, @@ -1593,23 +1625,29 @@ TEST_F(ConnectivityGridTest, Http3FailedRecentlyThenFailsAgain) { EXPECT_TRUE(ConnectivityGridForTest::hasHttp3FailedRecently(*grid_)); // Getting onPoolFailure() from Http3 pool later should mark H3 broken. - grid_->createHttp3AlternatePool(); - EXPECT_CALL(*grid_->alternate(), newStream) - .WillOnce(Invoke( - [&](Http::ResponseDecoder&, ConnectionPool::Callbacks& callbacks, - const ConnectionPool::Instance::StreamOptions&) -> ConnectionPool::Cancellable* { - grid_->callbacks_.push_back(&callbacks); - return grid_->cancel_; - })); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + grid_->createHttp3AlternatePool(); + EXPECT_CALL(*grid_->alternate(), newStream) + .WillOnce(Invoke( + [&](Http::ResponseDecoder&, ConnectionPool::Callbacks& callbacks, + const ConnectionPool::Instance::StreamOptions&) -> ConnectionPool::Cancellable* { + grid_->callbacks_.push_back(&callbacks); + return grid_->cancel_; + })); + } grid_->callbacks(0)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, "reason", host_); - // Because the alternate pool is outstanding H3 is not broken. - EXPECT_FALSE(grid_->isHttp3Broken()); - - // When H3 alternate connects, there should not be a second up call. - EXPECT_CALL(callbacks_.pool_ready_, ready()).Times(0); - grid_->callbacks(2)->onPoolReady(encoder_, host_, info_, absl::nullopt); - EXPECT_FALSE(grid_->isHttp3Broken()); + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + EXPECT_TRUE(grid_->isHttp3Broken()); + } else { + // Because the alternate pool is outstanding H3 is not broken. + EXPECT_FALSE(grid_->isHttp3Broken()); + + // When H3 alternate connects, there should not be a second up call. + EXPECT_CALL(callbacks_.pool_ready_, ready()).Times(0); + grid_->callbacks(2)->onPoolReady(encoder_, host_, info_, absl::nullopt); + EXPECT_FALSE(grid_->isHttp3Broken()); + } } // Same as above only the alternate pool connects after TCP. @@ -1636,15 +1674,17 @@ TEST_F(ConnectivityGridTest, Http3FailedRecentlyThenTCPThenAlternate) { EXPECT_TRUE(ConnectivityGridForTest::hasHttp3FailedRecently(*grid_)); // Getting onPoolFailure() from Http3 pool later should mark H3 broken. - grid_->createHttp3AlternatePool(); - EXPECT_CALL(*grid_->alternate(), newStream) - .WillOnce(Invoke( - [&](Http::ResponseDecoder&, ConnectionPool::Callbacks& callbacks, - const ConnectionPool::Instance::StreamOptions&) -> ConnectionPool::Cancellable* { - callbacks.onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, - "reason", host_); - return nullptr; - })); + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.http3_happy_eyeballs")) { + grid_->createHttp3AlternatePool(); + EXPECT_CALL(*grid_->alternate(), newStream) + .WillOnce(Invoke( + [&](Http::ResponseDecoder&, ConnectionPool::Callbacks& callbacks, + const ConnectionPool::Instance::StreamOptions&) -> ConnectionPool::Cancellable* { + callbacks.onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, + "reason", host_); + return nullptr; + })); + } grid_->callbacks(0)->onPoolFailure(ConnectionPool::PoolFailureReason::LocalConnectionFailure, "reason", host_); EXPECT_TRUE(grid_->isHttp3Broken()); diff --git a/test/extensions/filters/http/dynamic_forward_proxy/BUILD b/test/extensions/filters/http/dynamic_forward_proxy/BUILD index 2f724efceda54..2ee9530fc5533 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/BUILD +++ b/test/extensions/filters/http/dynamic_forward_proxy/BUILD @@ -88,6 +88,7 @@ envoy_extension_cc_test( "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/integration:http_integration_lib", "//test/integration/filters:stream_info_to_headers_filter_lib", + "//test/test_common:test_runtime_lib", "//test/test_common:threadsafe_singleton_injector_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", @@ -122,6 +123,7 @@ envoy_extension_cc_test( "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/integration:http_integration_lib", "//test/integration/filters:stream_info_to_headers_filter_lib", + "//test/test_common:test_runtime_lib", "//test/test_common:threadsafe_singleton_injector_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc index d75453fa894a8..e67ba891b371d 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -12,6 +12,7 @@ #include "test/integration/http_integration.h" #include "test/integration/ssl_utility.h" #include "test/test_common/registry.h" +#include "test/test_common/test_runtime.h" #include "test/test_common/threadsafe_singleton_injector.h" using testing::HasSubstr; @@ -1277,6 +1278,8 @@ TEST_P(ProxyFilterIntegrationTest, UseCacheFileAndTestHappyEyeballs) { #if defined(ENVOY_ENABLE_QUIC) TEST_P(ProxyFilterIntegrationTest, UseCacheFileAndHttp3) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.http3_happy_eyeballs", "true"}}); upstream_cert_name_ = ""; // Force standard TLS dns_hostname_ = "sni.lyft.com"; autonomous_upstream_ = true; From 306931e59133a16c4ab7b716c86aca0432da23ef Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Fri, 15 Aug 2025 14:20:43 -0400 Subject: [PATCH 238/505] Revert "mobile: use AndroidNetworkMonitorV2" (#40744) Reverts envoyproxy/envoy#40625, which fails to build for API versions less than 24. Signed-off-by: Ali Beyad --- mobile/library/common/internal_engine.cc | 57 +--- mobile/library/common/internal_engine.h | 9 +- mobile/library/common/network/BUILD | 1 - .../common/network/connectivity_manager.cc | 175 +---------- .../common/network/connectivity_manager.h | 70 +---- mobile/library/common/system/BUILD | 1 - .../common/system/default_system_helper.cc | 6 - .../common/system/default_system_helper.h | 2 - .../system/default_system_helper_android.cc | 6 - .../system/default_system_helper_apple.cc | 6 - mobile/library/common/system/system_helper.h | 7 - .../envoymobile/engine/AndroidEngineImpl.java | 8 +- .../engine/AndroidNetworkMonitorV2.java | 16 - .../io/envoyproxy/envoymobile/engine/BUILD | 7 +- .../envoymobile/engine/JniLibrary.java | 12 - .../envoyproxy/envoymobile/engine/types/BUILD | 1 - .../engine/types/NetworkWithType.java | 16 - .../utilities/AndroidNetworkLibrary.java | 29 -- .../io/envoyproxy/envoymobile/utilities/BUILD | 26 +- .../impl/NativeCronvoyEngineBuilderImpl.java | 8 +- mobile/library/jni/BUILD | 3 +- mobile/library/jni/android_network_utility.cc | 57 ---- mobile/library/jni/android_network_utility.h | 5 - mobile/library/jni/jni_impl.cc | 31 -- mobile/library/jni/jni_init.cc | 26 +- .../envoymobile/AndroidEngineBuilder.kt | 3 +- .../kotlin/io/envoyproxy/envoymobile/BUILD | 1 - .../integration/client_integration_test.cc | 37 --- mobile/test/common/internal_engine_test.cc | 4 - mobile/test/common/mocks/common/mocks.h | 2 - mobile/test/common/network/BUILD | 1 - .../network/connectivity_manager_test.cc | 136 +------- .../utilities/AndroidNetworkTest.java | 114 ------- .../io/envoyproxy/envoymobile/utilities/BUILD | 26 -- .../org/chromium/net/CronetHttp3Test.java | 290 +----------------- .../test/java/org/chromium/net/testing/BUILD | 1 - 36 files changed, 85 insertions(+), 1115 deletions(-) delete mode 100644 mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java delete mode 100644 mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index aac77e59e2719..1a891b27834be 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -220,26 +220,6 @@ envoy_status_t InternalEngine::main(std::shared_ptr options) { server_->serverFactoryContext(), server_->serverFactoryContext().messageValidationVisitor()); connectivity_manager_ = Network::ConnectivityManagerFactory{generic_context}.get(); - Network::DefaultNetworkChangeCallback cb = - [this](envoy_netconf_t current_configuration_key) { - dispatcher_->post([this, current_configuration_key]() { - if (connectivity_manager_->getConfigurationKey() != current_configuration_key) { - // The default network has changed to a different one. - return; - } - ENVOY_LOG_MISC( - trace, - "Default network state has been changed. Current net configuration key {}", - current_configuration_key); - resetHttpPropertiesAndDrainHosts(probeAndGetLocalAddr(AF_INET6) != nullptr); - if (!disable_dns_refresh_on_network_change_) { - // This call will possibly drain all connections asynchronously. - connectivity_manager_->doRefreshDns(current_configuration_key, - /*drain_connections=*/true); - } - }); - }; - connectivity_manager_->setDefaultNetworkChangeCallback(std::move(cb)); if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.dns_cache_set_ip_version_to_remove")) { if (probeAndGetLocalAddr(AF_INET6) == nullptr) { @@ -395,21 +375,23 @@ void InternalEngine::onDefaultNetworkChanged(int network) { }); } -void InternalEngine::onDefaultNetworkChangedAndroid(ConnectionType connection_type, - int64_t net_id) { - connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); +void InternalEngine::onDefaultNetworkChangedAndroid(ConnectionType /*connection_type*/, + int64_t /*net_id*/) { + ENVOY_LOG_MISC(trace, "Calling the default network changed callback on Android"); } -void InternalEngine::onNetworkDisconnectAndroid(int64_t net_id) { - connectivity_manager_->onNetworkDisconnectAndroid(net_id); +void InternalEngine::onNetworkDisconnectAndroid(int64_t /*net_id*/) { + ENVOY_LOG_MISC(trace, "Calling network disconnect callback on Android"); } -void InternalEngine::onNetworkConnectAndroid(ConnectionType connection_type, int64_t net_id) { - connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); +void InternalEngine::onNetworkConnectAndroid(ConnectionType /*connection_type*/, + int64_t /*net_id*/) { + ENVOY_LOG_MISC(trace, "Calling network connect callback on Android"); } -void InternalEngine::purgeActiveNetworkListAndroid(const std::vector& active_network_ids) { - connectivity_manager_->purgeActiveNetworkListAndroid(active_network_ids); +void InternalEngine::purgeActiveNetworkListAndroid( + const std::vector& /*active_network_ids*/) { + ENVOY_LOG_MISC(trace, "Calling network purge callback on Android"); } void InternalEngine::onDefaultNetworkUnavailable() { @@ -418,17 +400,8 @@ void InternalEngine::onDefaultNetworkUnavailable() { } void InternalEngine::handleNetworkChange(const int network_type, const bool has_ipv6_connectivity) { - envoy_netconf_t configuration = connectivity_manager_->setPreferredNetwork(network_type); - - resetHttpPropertiesAndDrainHosts(has_ipv6_connectivity); - if (!disable_dns_refresh_on_network_change_) { - // Refresh DNS upon network changes. - // This call will possibly drain all connections asynchronously. - connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); - } -} - -void InternalEngine::resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity) { + envoy_netconf_t configuration = + Network::ConnectivityManagerImpl::setPreferredNetwork(network_type); if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.dns_cache_set_ip_version_to_remove") || Runtime::runtimeFeatureEnabled( @@ -462,7 +435,11 @@ void InternalEngine::resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); getClusterManager().drainConnections([](const Upstream::Host&) { return true; }); } + return; } + // Refresh DNS upon network changes. + // This call will possibly drain all connections asynchronously. + connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); } envoy_status_t InternalEngine::recordCounterInc(absl::string_view elements, envoy_stats_tags tags, diff --git a/mobile/library/common/internal_engine.h b/mobile/library/common/internal_engine.h index e90c7a0f53359..c6fc839813b24 100644 --- a/mobile/library/common/internal_engine.h +++ b/mobile/library/common/internal_engine.h @@ -157,8 +157,8 @@ class InternalEngine : public Logger::Loggable { void onNetworkConnectAndroid(ConnectionType connection_type, int64_t net_id); /** - * The callback that gets executed when the device decides to forget all networks other than the - * given list. + * The callback that gets executed when the device decides that the given list of networks should + * be forgotten. */ void purgeActiveNetworkListAndroid(const std::vector& active_network_ids); @@ -228,9 +228,6 @@ class InternalEngine : public Logger::Loggable { // there is no connectivity for the `domain`, a null pointer will be returned. static Network::Address::InstanceConstSharedPtr probeAndGetLocalAddr(int domain); - // Called when it's been determined that the default network has changed. - void resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity); - Thread::PosixThreadFactoryPtr thread_factory_; Event::Dispatcher* event_dispatcher_{}; Stats::ScopeSharedPtr client_scope_; @@ -244,7 +241,7 @@ class InternalEngine : public Logger::Loggable { Thread::MutexBasicLockable mutex_; Thread::CondVar cv_; Http::ClientPtr http_client_; - Network::ConnectivityManagerImplSharedPtr connectivity_manager_; + Network::ConnectivityManagerSharedPtr connectivity_manager_; Event::ProvisionalDispatcherPtr dispatcher_; // Used by the cerr logger to ensure logs don't overwrite each other. absl::Mutex log_mutex_; diff --git a/mobile/library/common/network/BUILD b/mobile/library/common/network/BUILD index 82a5d6b384604..22b2ec7e213a8 100644 --- a/mobile/library/common/network/BUILD +++ b/mobile/library/common/network/BUILD @@ -19,7 +19,6 @@ envoy_cc_library( ":proxy_settings_lib", "//library/common:engine_types_lib", "//library/common/network:src_addr_socket_option_lib", - "//library/common/system:system_helper_lib", "//library/common/types:c_types_lib", "@envoy//envoy/network:socket_interface", "@envoy//envoy/singleton:manager_interface", diff --git a/mobile/library/common/network/connectivity_manager.cc b/mobile/library/common/network/connectivity_manager.cc index a2015a213c34a..02091ac65b9cd 100644 --- a/mobile/library/common/network/connectivity_manager.cc +++ b/mobile/library/common/network/connectivity_manager.cc @@ -2,7 +2,6 @@ #include -#include #include #include "envoy/common/platform.h" @@ -17,8 +16,8 @@ #include "fmt/ostream.h" #include "library/common/network/network_type_socket_option_impl.h" +#include "library/common/network/network_types.h" #include "library/common/network/src_addr_socket_option_impl.h" -#include "library/common/system/system_helper.h" // Used on Linux (requires root/CAP_NET_RAW) #ifdef SO_BINDTODEVICE @@ -78,12 +77,14 @@ constexpr absl::string_view BaseDnsCache = "base_dns_cache"; // The number of faults allowed on a newly-established connection before switching socket mode. constexpr unsigned int InitialFaultThreshold = 1; +// The number of faults allowed on a previously-successful connection (i.e. able to send and receive +// L7 bytes) before switching socket mode. +constexpr unsigned int MaxFaultThreshold = 3; -ConnectivityManagerImpl::ConnectivityManagerImpl(Upstream::ClusterManager& cluster_manager, - DnsCacheManagerSharedPtr dns_cache_manager) - : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) { - initializeNetworkStates(); -} +ConnectivityManagerImpl::DefaultNetworkState ConnectivityManagerImpl::network_state_{ + 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; + +Thread::MutexBasicLockable ConnectivityManagerImpl::network_mutex_{}; envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { Thread::LockGuard lock{network_mutex_}; @@ -96,19 +97,14 @@ envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { // return network_state_.configuration_key_ - 1; //} - setPreferredNetworkNoLock(network); - return network_state_.configuration_key_; -} - -void ConnectivityManagerImpl::setPreferredNetworkNoLock(int network_type) - ABSL_EXCLUSIVE_LOCKS_REQUIRED(network_mutex_) { - ENVOY_LOG_EVENT(debug, "netconf_network_change", "network_type changed to {}", - std::to_string(static_cast(network_type))); + ENVOY_LOG_EVENT(debug, "netconf_network_change", "{}", std::to_string(static_cast(network))); network_state_.configuration_key_++; - network_state_.network_ = network_type; + network_state_.network_ = network; network_state_.remaining_faults_ = 1; network_state_.socket_mode_ = SocketMode::DefaultPreferredNetworkMode; + + return network_state_.configuration_key_; } void ConnectivityManagerImpl::setProxySettings(ProxySettingsConstSharedPtr new_proxy_settings) { @@ -279,11 +275,7 @@ void ConnectivityManagerImpl::refreshDns(envoy_netconf_t configuration_key, return; } } - doRefreshDns(configuration_key, drain_connections); -} -void ConnectivityManagerImpl::doRefreshDns(envoy_netconf_t configuration_key, - bool drain_connections) { if (auto dns_cache = dnsCache()) { ENVOY_LOG_EVENT(debug, "netconf_refresh_dns", "{}", std::to_string(configuration_key)); @@ -466,148 +458,7 @@ ConnectivityManagerImpl::enumerateInterfaces([[maybe_unused]] unsigned short fam return pairs; } -int connectionTypeToCompoundNetworkType(ConnectionType connection_type) { - int compound_type = 0; - switch (connection_type) { - case ConnectionType::CONNECTION_2G: - compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_2G)); - break; - case ConnectionType::CONNECTION_3G: - compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_3G)); - break; - case ConnectionType::CONNECTION_4G: - compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_4G)); - break; - case ConnectionType::CONNECTION_5G: - compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_5G)); - break; - case ConnectionType::CONNECTION_WIFI: - case ConnectionType::CONNECTION_ETHERNET: - compound_type |= static_cast(NetworkType::WLAN); - break; - case ConnectionType::CONNECTION_NONE: - break; - case ConnectionType::CONNECTION_BLUETOOTH: - case ConnectionType::CONNECTION_UNKNOWN: - compound_type = static_cast(NetworkType::Generic); - break; - } - return compound_type; -} - -void ConnectivityManagerImpl::onDefaultNetworkChangedAndroid(ConnectionType connection_type, - NetworkHandle net_id) { - bool already_connected{false}; - envoy_netconf_t current_configuration_key{0}; - { - Thread::LockGuard lock{network_mutex_}; - ENVOY_LOG_EVENT(debug, "android_default_network_changed", - "default network changed from {} to {}, new connection_type {}, ", - default_network_handle_, net_id, static_cast(connection_type)); - if (net_id == default_network_handle_) { - return; - } - current_configuration_key = network_state_.configuration_key_; - default_network_handle_ = net_id; - if (connected_networks_.find(net_id) != connected_networks_.end()) { - // Android Lollipop had race conditions where CONNECTIVITY_ACTION intents - // were sent out before the network was actually made the default. - // Delay switching to the new default until Android platform notifies that the network - // connected. - setPreferredNetworkNoLock(connectionTypeToCompoundNetworkType(connection_type)); - current_configuration_key = network_state_.configuration_key_; - already_connected = true; - } - } - if (already_connected) { - if (default_network_change_callback_ != nullptr) { - default_network_change_callback_(current_configuration_key); - } - if (observer_ != nullptr) { - observer_->onNetworkMadeDefault(net_id); - } - } -} - -void ConnectivityManagerImpl::onNetworkDisconnectAndroid(NetworkHandle net_id) { - { - Thread::LockGuard lock{network_mutex_}; - if (net_id == default_network_handle_) { - default_network_handle_ = kInvalidNetworkHandle; - } - if (connected_networks_.erase(net_id) == 0) { - return; - } - } - if (observer_ != nullptr) { - observer_->onNetworkDisconnected(net_id); - } -} - -void ConnectivityManagerImpl::onNetworkConnectAndroid(ConnectionType connection_type, - NetworkHandle net_id) { - bool is_default_network{false}; - envoy_netconf_t current_configuration_key{0}; - { - Thread::LockGuard lock{network_mutex_}; - if (connected_networks_.find(net_id) != connected_networks_.end()) { - return; - } - connected_networks_[net_id] = connection_type; - current_configuration_key = network_state_.configuration_key_; - if (net_id == default_network_handle_) { - // The reported default network finally gets connected. - is_default_network = true; - setPreferredNetworkNoLock(connectionTypeToCompoundNetworkType(connection_type)); - current_configuration_key = network_state_.configuration_key_; - } - } - // Android Lollipop would send many duplicate notifications. - // This was later fixed in Android Marshmallow. - // Deduplicate them here by avoiding sending duplicate notifications. - if (observer_ != nullptr) { - observer_->onNetworkConnected(net_id); - } - if (is_default_network) { - if (default_network_change_callback_ != nullptr) { - default_network_change_callback_(current_configuration_key); - } - if (observer_ != nullptr) { - observer_->onNetworkMadeDefault(net_id); - } - } -} - -void ConnectivityManagerImpl::purgeActiveNetworkListAndroid( - const std::vector& active_network_ids) { - std::vector disconnected_networks; - { - Thread::LockGuard lock{network_mutex_}; - for (auto& i : connected_networks_) { - if (std::find(active_network_ids.begin(), active_network_ids.end(), i.first) == - active_network_ids.end()) { - disconnected_networks.push_back(i.first); - } - } - } - for (auto disconnected_network : disconnected_networks) { - onNetworkDisconnectAndroid(disconnected_network); - } -} - -void ConnectivityManagerImpl::initializeNetworkStates() { - NetworkHandle default_net_id = SystemHelper::getInstance().getDefaultNetworkHandle(); - std::vector> all_connected_networks = - SystemHelper::getInstance().getAllConnectedNetworks(); - - Thread::LockGuard lock{network_mutex_}; - default_network_handle_ = default_net_id; - for (auto& entry : all_connected_networks) { - connected_networks_[entry.first] = entry.second; - } -} - -ConnectivityManagerImplSharedPtr ConnectivityManagerFactory::get() { +ConnectivityManagerSharedPtr ConnectivityManagerFactory::get() { return context_.serverFactoryContext().singletonManager().getTyped( SINGLETON_MANAGER_REGISTERED_NAME(connectivity_manager), [this] { Envoy::Extensions::Common::DynamicForwardProxy::DnsCacheManagerFactoryImpl diff --git a/mobile/library/common/network/connectivity_manager.h b/mobile/library/common/network/connectivity_manager.h index aa3026168eff4..43da8e0466990 100644 --- a/mobile/library/common/network/connectivity_manager.h +++ b/mobile/library/common/network/connectivity_manager.h @@ -3,7 +3,6 @@ #include #include -#include "envoy/common/optref.h" #include "envoy/network/socket.h" #include "envoy/singleton/manager.h" #include "envoy/upstream/cluster_manager.h" @@ -12,7 +11,6 @@ #include "source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h" #include "library/common/engine_types.h" -#include "library/common/network/network_types.h" #include "library/common/network/proxy_settings.h" #include "library/common/types/c_types.h" @@ -22,11 +20,11 @@ * remain valid/relevant at time of execution. * * Currently, there are two primary circumstances this is used: - * 1. When network type changes, some clean up will be scheduled on the event dispatcher, along - * with a configuration key of this type. If network type changes again before that scheduled clean - * up executes, another clean up will be scheduled, and the old one should no longer execute. The - * configuration key allows the connectivity_manager to determine if the clean up is representative - * of current configuration. + * 1. When network type changes, a refreshDNS call will be scheduled on the event dispatcher, along + * with a configuration key of this type. If network type changes again before that refresh + * executes, the refresh is now stale, another refresh task will have been queued, and it should no + * longer execute. The configuration key allows the connectivity_manager to determine if the + * refreshDNS call is representative of current configuration. * 2. When a request is configured with a certain set of socket options and begins, it is given a * configuration key. The heuristic in reportNetworkUsage relies on characteristics of the * request/response to make future decisions about socket options, but needs to be able to correctly @@ -41,9 +39,6 @@ */ typedef uint16_t envoy_netconf_t; -using NetworkHandle = int64_t; -constexpr NetworkHandle kInvalidNetworkHandle = -1; - namespace Envoy { namespace Network { @@ -64,14 +59,6 @@ enum class SocketMode : int { AlternateBoundInterfaceMode = 1, }; -namespace { - -// The number of faults allowed on a previously-successful connection (i.e. able to send and receive -// L7 bytes) before switching socket mode. -constexpr unsigned int MaxFaultThreshold = 3; - -} // namespace - using DnsCacheManagerSharedPtr = Extensions::Common::DynamicForwardProxy::DnsCacheManagerSharedPtr; using InterfacePair = std::pair; @@ -198,8 +185,6 @@ class ConnectivityManager { virtual Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() PURE; }; -using ConnectivityManagerSharedPtr = std::shared_ptr; - // Used when draining hosts upon DNS refreshing is desired. class RefreshDnsWithPostDrainHandler : public Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks, @@ -232,16 +217,6 @@ class RefreshDnsWithPostDrainHandler dns_callbacks_handle_; }; -using DefaultNetworkChangeCallback = std::function; - -class NetworkChangeObserver { -public: - virtual ~NetworkChangeObserver() = default; - virtual void onNetworkMadeDefault(NetworkHandle network) PURE; - virtual void onNetworkDisconnected(NetworkHandle network) PURE; - virtual void onNetworkConnected(NetworkHandle network) PURE; -}; - class ConnectivityManagerImpl : public ConnectivityManager, public Singleton::Instance, public Logger::Loggable { @@ -252,10 +227,11 @@ class ConnectivityManagerImpl : public ConnectivityManager, * @param network, the OS-preferred network. * @returns configuration key to associate with any related calls. */ - envoy_netconf_t setPreferredNetwork(int network); + static envoy_netconf_t setPreferredNetwork(int network); ConnectivityManagerImpl(Upstream::ClusterManager& cluster_manager, - DnsCacheManagerSharedPtr dns_cache_manager); + DnsCacheManagerSharedPtr dns_cache_manager) + : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) {} // ConnectivityManager std::vector enumerateV4Interfaces() override; @@ -275,19 +251,6 @@ class ConnectivityManagerImpl : public ConnectivityManager, envoy_netconf_t addUpstreamSocketOptions(Socket::OptionsSharedPtr options) override; Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() override; - // These interfaces are only used to handle Android network change notifications. - void onDefaultNetworkChangedAndroid(ConnectionType connection_type, NetworkHandle net_id); - void onNetworkDisconnectAndroid(NetworkHandle net_id); - void onNetworkConnectAndroid(ConnectionType connection_type, NetworkHandle net_id); - void purgeActiveNetworkListAndroid(const std::vector& active_network_ids); - void setDefaultNetworkChangeCallback(DefaultNetworkChangeCallback cb) { - default_network_change_callback_ = cb; - } - void setNetworkChangeObserver(NetworkChangeObserver* observer) { observer_ = observer; } - - // Refresh DNS regardless of configuration key change. - void doRefreshDns(envoy_netconf_t configuration_key, bool drain_connections); - private: // The states of the current default network picked by the platform. struct DefaultNetworkState { @@ -301,8 +264,6 @@ class ConnectivityManagerImpl : public ConnectivityManager, Socket::OptionsSharedPtr getAlternateInterfaceSocketOptions(int network); InterfacePair getActiveAlternateInterface(int network, unsigned short family); Socket::OptionsSharedPtr getUpstreamSocketOptions(int network, SocketMode socket_mode); - void setPreferredNetworkNoLock(int network_type) ABSL_EXCLUSIVE_LOCKS_REQUIRED(network_mutex_); - void initializeNetworkStates(); bool enable_interface_binding_{false}; Upstream::ClusterManager& cluster_manager_; @@ -310,18 +271,11 @@ class ConnectivityManagerImpl : public ConnectivityManager, std::unique_ptr dns_refresh_handler_; DnsCacheManagerSharedPtr dns_cache_manager_; ProxySettingsConstSharedPtr proxy_settings_; - DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_){ - 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; - Thread::MutexBasicLockable network_mutex_{}; - // Below states are only populated on Android platform. - NetworkHandle default_network_handle_ ABSL_GUARDED_BY(network_mutex_){kInvalidNetworkHandle}; - absl::flat_hash_map - connected_networks_ ABSL_GUARDED_BY(network_mutex_); - DefaultNetworkChangeCallback default_network_change_callback_; - NetworkChangeObserver* observer_{nullptr}; + static DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_); + static Thread::MutexBasicLockable network_mutex_; }; -using ConnectivityManagerImplSharedPtr = std::shared_ptr; +using ConnectivityManagerSharedPtr = std::shared_ptr; /** * Provides access to the singleton ConnectivityManager. @@ -334,7 +288,7 @@ class ConnectivityManagerFactory { /** * @returns singleton ConnectivityManager instance. */ - ConnectivityManagerImplSharedPtr get(); + ConnectivityManagerSharedPtr get(); private: Server::GenericFactoryContextImpl context_; diff --git a/mobile/library/common/system/BUILD b/mobile/library/common/system/BUILD index d97ca50096cde..a8069f9eb773a 100644 --- a/mobile/library/common/system/BUILD +++ b/mobile/library/common/system/BUILD @@ -29,7 +29,6 @@ envoy_cc_library( deps = [ ":default_system_helper_lib", "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", - "//library/common/network:network_types_lib", ] + select({ ":use_android_system_helper": [ "//library/jni:android_jni_utility_lib", diff --git a/mobile/library/common/system/default_system_helper.cc b/mobile/library/common/system/default_system_helper.cc index 0db0ae1b01b15..15142762e204f 100644 --- a/mobile/library/common/system/default_system_helper.cc +++ b/mobile/library/common/system/default_system_helper.cc @@ -16,10 +16,4 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& /* void DefaultSystemHelper::cleanupAfterCertificateValidation() {} -int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return -1; } - -std::vector> DefaultSystemHelper::getAllConnectedNetworks() { - return {}; -} - } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper.h b/mobile/library/common/system/default_system_helper.h index 56d80bd25753f..a9ef1d32e5199 100644 --- a/mobile/library/common/system/default_system_helper.h +++ b/mobile/library/common/system/default_system_helper.h @@ -17,8 +17,6 @@ class DefaultSystemHelper : public SystemHelper { envoy_cert_validation_result validateCertificateChain(const std::vector& certs, absl::string_view hostname) override; void cleanupAfterCertificateValidation() override; - int64_t getDefaultNetworkHandle() override; - std::vector> getAllConnectedNetworks() override; }; } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper_android.cc b/mobile/library/common/system/default_system_helper_android.cc index f678e1cecb7b0..5d205f0945d7f 100644 --- a/mobile/library/common/system/default_system_helper_android.cc +++ b/mobile/library/common/system/default_system_helper_android.cc @@ -16,10 +16,4 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& ce void DefaultSystemHelper::cleanupAfterCertificateValidation() { JNI::jvmDetachThread(); } -int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return JNI::getDefaultNetworkHandle(); } - -std::vector> DefaultSystemHelper::getAllConnectedNetworks() { - return JNI::getAllConnectedNetworks(); -} - } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper_apple.cc b/mobile/library/common/system/default_system_helper_apple.cc index 16caed9c22ec4..1facd039d2480 100644 --- a/mobile/library/common/system/default_system_helper_apple.cc +++ b/mobile/library/common/system/default_system_helper_apple.cc @@ -13,10 +13,4 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& ce void DefaultSystemHelper::cleanupAfterCertificateValidation() {} -int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return -1; } - -std::vector> DefaultSystemHelper::getAllConnectedNetworks() { - return {}; -} - } // namespace Envoy diff --git a/mobile/library/common/system/system_helper.h b/mobile/library/common/system/system_helper.h index 9f9123c6a9011..d18c6537e49a4 100644 --- a/mobile/library/common/system/system_helper.h +++ b/mobile/library/common/system/system_helper.h @@ -7,7 +7,6 @@ #include "absl/strings/string_view.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" -#include "library/common/network/network_types.h" namespace Envoy { @@ -40,12 +39,6 @@ class SystemHelper { */ virtual void cleanupAfterCertificateValidation() PURE; - /** - * Invokes platform APIs to retrieve a handle to the current default network. - */ - virtual int64_t getDefaultNetworkHandle() PURE; - - virtual std::vector> getAllConnectedNetworks() PURE; /** * @return a reference to the current SystemHelper instance. */ diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java index 01e905e01d5f0..595311f3e72f1 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java @@ -25,18 +25,14 @@ public class AndroidEngineImpl implements EnvoyEngine { public AndroidEngineImpl(Context context, EnvoyOnEngineRunning runningCallback, EnvoyLogger logger, EnvoyEventTracker eventTracker, Boolean enableProxying, Boolean useNetworkChangeEvent, - Boolean disableDnsRefreshOnNetworkChange, Boolean useV2NetworkMonitor) { + Boolean disableDnsRefreshOnNetworkChange) { this.context = context; this.envoyEngine = new EnvoyEngineImpl(runningCallback, logger, eventTracker, disableDnsRefreshOnNetworkChange); if (ContextUtils.getApplicationContext() == null) { ContextUtils.initApplicationContext(context.getApplicationContext()); } - if (useV2NetworkMonitor) { - AndroidNetworkMonitorV2.load(context, envoyEngine); - } else { - AndroidNetworkMonitor.load(context, envoyEngine, useNetworkChangeEvent); - } + AndroidNetworkMonitor.load(context, envoyEngine, useNetworkChangeEvent); if (enableProxying) { AndroidProxyMonitor.load(context, envoyEngine); } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java index 03ff20cc2538a..1dc6bcf851ee1 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java @@ -1,7 +1,6 @@ package io.envoyproxy.envoymobile.engine; import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; -import io.envoyproxy.envoymobile.engine.types.NetworkWithType; import static android.net.ConnectivityManager.TYPE_VPN; import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET; @@ -797,19 +796,4 @@ public void unregisterNetworkCallbacks() { mConnectivityManager.unregisterNetworkCallback(mDefaultNetworkCallback); } } - - public NetworkWithType[] getAllNetworksAndTypes() { - Network[] filteredNetworks = getAllNetworksFiltered(null); - int size = filteredNetworks.length; - - // Directly create the array with the known size. - NetworkWithType[] networks = new NetworkWithType[size]; - - for (int i = 0; i < size; i++) { - Network network = filteredNetworks[i]; - final EnvoyConnectionType connectionType = getEnvoyConnectionType(network); - networks[i] = new NetworkWithType(network.getNetworkHandle(), connectionType); - } - return networks; - } } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD index abb0890c57e8e..89b5f05dabbe3 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD @@ -9,6 +9,8 @@ android_library( name = "envoy_engine_lib", srcs = [ "AndroidEngineImpl.java", + "AndroidNetworkMonitor.java", + "AndroidNetworkMonitorV2.java", "AndroidProxyMonitor.java", "UpstreamHttpProtocol.java", ], @@ -19,16 +21,14 @@ android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "//library/java/io/envoyproxy/envoymobile/utilities", - "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "@maven//:androidx_annotation_annotation", + "@maven//:androidx_core_core", ], ) android_library( name = "envoy_base_engine_lib", srcs = [ - "AndroidNetworkMonitor.java", - "AndroidNetworkMonitorV2.java", "ByteBuffers.java", "EnvoyConfiguration.java", "EnvoyEngine.java", @@ -52,7 +52,6 @@ android_library( deps = [ "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "@maven//:androidx_annotation_annotation", - "@maven//:androidx_core_core", "@maven//:com_google_code_findbugs_jsr305", "@maven//:com_google_protobuf_protobuf_javalite", ], diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java index b45c7142b9c24..62caa99458906 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java @@ -305,18 +305,6 @@ public static native Object callCertificateVerificationFromNative(byte[][] certC */ public static native void callClearTestRootCertificateFromNative(); - /** - * Mimic a call to AndroidNetworkLibrary#getDefaultNetworkHandle from native code. - * To be used for testing only. - */ - public static native long callGetDefaultNetworkHandleFromNative(); - - /** - * Mimic a call to AndroidNetworkLibrary#getAllConnectedNetworks from native code. - * To be used for testing only. - */ - public static native long[][] callGetAllConnectedNetworksFromNative(); - /** * Given a filter name, create the proto config for adding the native filter * diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD index 07e52827bb388..a28043e1746ae 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD @@ -22,7 +22,6 @@ android_library( "EnvoyStatus.java", "EnvoyStreamIntel.java", "EnvoyStringAccessor.java", - "NetworkWithType.java", ], visibility = ["//visibility:public"], ) diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java deleted file mode 100644 index 235730ba508e8..0000000000000 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java +++ /dev/null @@ -1,16 +0,0 @@ -package io.envoyproxy.envoymobile.engine.types; - -public class NetworkWithType { - // an opaque handle to a network interface. - private final long netId; - private final EnvoyConnectionType connectionType; - - public NetworkWithType(long netId, EnvoyConnectionType connectionType) { - this.netId = netId; - this.connectionType = connectionType; - } - - public long getNetId() { return netId; } - - public EnvoyConnectionType getConnectionType() { return connectionType; } -} diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java index 2ee5c88c2ebce..99ac5265f4284 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java @@ -23,9 +23,6 @@ import java.nio.charset.StandardCharsets; -import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; -import io.envoyproxy.envoymobile.engine.types.NetworkWithType; - /** * This class implements net utilities required by the net component. */ @@ -128,32 +125,6 @@ public static boolean isCleartextTrafficPermitted(String host) { } } - public static long getDefaultNetworkHandle() { - if (io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() == null) { - return -1; - } - return io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance().getDefaultNetId(); - } - - public static long[][] getAllConnectedNetworks() { - if (io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() == null) { - return new long[0][0]; - } - NetworkWithType[] networks = - io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() - .getAllNetworksAndTypes(); - if (networks == null || networks.length == 0) { - return new long[0][0]; - } - - long[][] result = new long[networks.length][2]; - for (int i = 0; i < networks.length; i++) { - result[i][0] = networks[i].getNetId(); - result[i][1] = networks[i].getConnectionType().getValue(); - } - return result; - } - /** * Class to wrap FileDescriptor.setInt$() which is hidden and so must be accessed via * reflection. diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD index 677efa1db7b0b..2b51fccee9d1c 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD @@ -8,34 +8,10 @@ envoy_mobile_package() android_library( name = "utilities", - srcs = [ - "ContextUtils.java", - "StatsUtils.java", - "StrictModeContext.java", - "ThreadStatsUid.java", - ], - manifest = "UtilitiesManifest.xml", - visibility = ["//visibility:public"], - deps = [ - artifact("androidx.annotation:annotation"), - ], -) - -android_library( - name = "network_utilities", - srcs = [ - "AndroidCertVerifyResult.java", - "AndroidNetworkLibrary.java", - "CertVerifyStatusAndroid.java", - "FakeX509Util.java", - "X509Util.java", - ], + srcs = glob(["*.java"]), manifest = "UtilitiesManifest.xml", visibility = ["//visibility:public"], deps = [ - ":utilities", - "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", - "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", artifact("androidx.annotation:annotation"), ], ) diff --git a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java index ee15699fbbea5..e4b464e5917e4 100644 --- a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java +++ b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java @@ -69,7 +69,6 @@ public class NativeCronvoyEngineBuilderImpl extends CronvoyEngineBuilderImpl { private String mUpstreamTlsSni = ""; private int mH3ConnectionKeepaliveInitialIntervalMilliseconds = 0; private boolean mUseNetworkChangeEvent = false; - private boolean mUseV2NetworkMonitor = false; private final Map mRuntimeGuards = new HashMap<>(); @@ -137,11 +136,6 @@ public NativeCronvoyEngineBuilderImpl setUseNetworkChangeEvent(boolean use) { return this; } - public NativeCronvoyEngineBuilderImpl setUseV2NetworkMonitor(boolean useV2NetworkMonitor) { - mUseV2NetworkMonitor = useV2NetworkMonitor; - return this; - } - /** * Set the DNS minimum refresh time, in seconds, which ensures that we wait to refresh a DNS * entry for at least the minimum refresh time. For example, if the DNS record TTL is 60 seconds @@ -273,7 +267,7 @@ EnvoyEngine createEngine(EnvoyOnEngineRunning onEngineRunning, EnvoyLogger envoy String logLevel) { AndroidEngineImpl engine = new AndroidEngineImpl( getContext(), onEngineRunning, envoyLogger, mEnvoyEventTracker, mEnableProxying, - mUseNetworkChangeEvent, mDisableDnsRefreshOnNetworkChange, mUseV2NetworkMonitor); + mUseNetworkChangeEvent, mDisableDnsRefreshOnNetworkChange); engine.runWithConfig(createEnvoyConfiguration(), logLevel); return engine; } diff --git a/mobile/library/jni/BUILD b/mobile/library/jni/BUILD index 5a7dc8865f609..0c0107c303003 100644 --- a/mobile/library/jni/BUILD +++ b/mobile/library/jni/BUILD @@ -90,7 +90,7 @@ envoy_cc_library( alwayslink = True, ) -# Cert verification related functions which call into AndroidNetworkLibrary. And network retrieval functions which call into AndroidNetworkMonitorV2. +# Cert verification related functions which call into AndroidNetworkLibrary. envoy_cc_library( name = "android_network_utility_lib", srcs = [ @@ -105,7 +105,6 @@ envoy_cc_library( ":jni_utility_lib", "//library/common/bridge:utility_lib", "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", - "//library/common/network:network_types_lib", "//library/common/types:c_types_lib", "@envoy//bazel:boringssl", ], diff --git a/mobile/library/jni/android_network_utility.cc b/mobile/library/jni/android_network_utility.cc index 35c81666e3941..3f7492a9c6e7c 100644 --- a/mobile/library/jni/android_network_utility.cc +++ b/mobile/library/jni/android_network_utility.cc @@ -166,63 +166,6 @@ envoy_cert_validation_result verifyX509CertChain(const std::vector& } } -int64_t getDefaultNetworkHandle() { - JniHelper jni_helper(JniHelper::getThreadLocalEnv()); - jclass jcls_AndroidNetworkLibrary = - jni_helper.findClassFromCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary"); - jmethodID jmid_getDefaultNetworkHandle = jni_helper.getStaticMethodIdFromCache( - jcls_AndroidNetworkLibrary, "getDefaultNetworkHandle", "()J"); - jlong defaultNetwork = - jni_helper.callStaticLongMethod(jcls_AndroidNetworkLibrary, jmid_getDefaultNetworkHandle); - return static_cast(defaultNetwork); -} - -std::vector> getAllConnectedNetworks() { - std::vector> connected_networks; - Envoy::JNI::JniHelper jni_helper(Envoy::JNI::JniHelper::getThreadLocalEnv()); - - // Use a unique_ptr to automatically release the class reference. - jclass jcls_android_network_library = - jni_helper.findClassFromCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary"); - if (jcls_android_network_library == nullptr) { - return connected_networks; - } - - jmethodID jmid_get_all_connected_networks = jni_helper.getStaticMethodIdFromCache( - jcls_android_network_library, "getAllConnectedNetworks", "()[[J"); - if (jmid_get_all_connected_networks == nullptr) { - return connected_networks; - } - - // Call the static Java method to get the long[][] array. - Envoy::JNI::LocalRefUniquePtr java_network_array = - jni_helper.callStaticObjectMethod(jcls_android_network_library, - jmid_get_all_connected_networks); - if (java_network_array == nullptr) { - return connected_networks; - } - - jsize num_networks = jni_helper.getArrayLength(java_network_array.get()); - - for (jsize i = 0; i < num_networks; ++i) { - // Each entry is a jlongArray (long[2]). - Envoy::JNI::LocalRefUniquePtr network_info_array = - jni_helper.getObjectArrayElement(java_network_array.get(), i); - if (network_info_array == nullptr) { - continue; - } - - std::vector network_info; - Envoy::JNI::javaLongArrayToInt64Vector(jni_helper, network_info_array.get(), &network_info); - - if (network_info.size() == 2) { - connected_networks.emplace_back(network_info[0], - static_cast(network_info[1])); - } - } - return connected_networks; -} - void jvmDetachThread() { JniHelper::detachCurrentThread(); } } // namespace JNI diff --git a/mobile/library/jni/android_network_utility.h b/mobile/library/jni/android_network_utility.h index 48dabb3694c8e..b86ff77081fe7 100644 --- a/mobile/library/jni/android_network_utility.h +++ b/mobile/library/jni/android_network_utility.h @@ -5,7 +5,6 @@ #include "absl/strings/string_view.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" -#include "library/common/network/network_types.h" #include "library/jni/jni_helper.h" namespace Envoy { @@ -22,10 +21,6 @@ LocalRefUniquePtr callJvmVerifyX509CertChain(JniHelper& jni_helper, envoy_cert_validation_result verifyX509CertChain(const std::vector& certs, absl::string_view hostname); -int64_t getDefaultNetworkHandle(); - -std::vector> getAllConnectedNetworks(); - void jvmDetachThread(); } // namespace JNI diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc index 2b324a4081513..206aade981d63 100644 --- a/mobile/library/jni/jni_impl.cc +++ b/mobile/library/jni/jni_impl.cc @@ -1397,34 +1397,3 @@ Java_io_envoyproxy_envoymobile_engine_JniLibrary_callClearTestRootCertificateFro jni_helper.callStaticVoidMethod(java_android_network_library_class, java_clear_test_root_certificates_method_id); } - -extern "C" JNIEXPORT jlong JNICALL -Java_io_envoyproxy_envoymobile_engine_JniLibrary_callGetDefaultNetworkHandleFromNative(JNIEnv*, - jclass) { - return Envoy::JNI::getDefaultNetworkHandle(); -} - -extern "C" JNIEXPORT jobjectArray JNICALL -Java_io_envoyproxy_envoymobile_engine_JniLibrary_callGetAllConnectedNetworksFromNative(JNIEnv* env, - jclass) { - Envoy::JNI::JniHelper jni_helper(env); - std::vector> networks = - Envoy::JNI::getAllConnectedNetworks(); - - jclass long_array_class = env->FindClass("[J"); - jobjectArray result = env->NewObjectArray(networks.size(), long_array_class, nullptr); - - for (size_t i = 0; i < networks.size(); ++i) { - jlongArray network_info_array = env->NewLongArray(2); - if (network_info_array == nullptr) { - return nullptr; - } - jlong network_info[2]; - network_info[0] = networks[i].first; - network_info[1] = static_cast(networks[i].second); - env->SetLongArrayRegion(network_info_array, 0, 2, network_info); - env->SetObjectArrayElement(result, i, network_info_array); - env->DeleteLocalRef(network_info_array); - } - return result; -} diff --git a/mobile/library/jni/jni_init.cc b/mobile/library/jni/jni_init.cc index 2e8e834873503..024000e9bc850 100644 --- a/mobile/library/jni/jni_init.cc +++ b/mobile/library/jni/jni_init.cc @@ -9,18 +9,20 @@ namespace JNI { void initialize(JavaVM* jvm) { JniHelper::initialize(jvm); JniUtility::initCache(); - JniHelper::addToCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary", - /* methods= */ {}, - /* static_methods= */ - {{"isCleartextTrafficPermitted", "(Ljava/lang/String;)Z"}, - {"tagSocket", "(III)V"}, - {"verifyServerCertificates", - "([[B[B[B)Lio/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult;"}, - {"addTestRootCertificate", "([B)V"}, - {"clearTestRootCertificates", "()V"}, - {"getDefaultNetworkHandle", "()J"}, - {"getAllConnectedNetworks", "()[[J"}}, - /* fields= */ {}, /* static_fields= */ {}); + JniHelper::addToCache( + "io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary", + /* methods= */ {}, + /* static_methods= */ + { + {"isCleartextTrafficPermitted", "(Ljava/lang/String;)Z"}, + {"tagSocket", "(III)V"}, + {"verifyServerCertificates", + "([[B[B[B)Lio/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult;"}, + {"addTestRootCertificate", "([B)V"}, + {"clearTestRootCertificates", "()V"}, + + }, + /* fields= */ {}, /* static_fields= */ {}); JniHelper::addToCache("io/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult", /* methods= */ { diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt b/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt index b3fcb45d46129..a56b2de2601b5 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt @@ -14,8 +14,7 @@ class AndroidEngineBuilder(context: Context) : EngineBuilder() { eventTracker, enableProxying, /*useNetworkChangeEvent*/ false, - /*disableDnsRefreshOnNetworkChange*/ false, - /*useV2NetworkMonitor*/ false + /*disableDnsRefreshOnNetworkChange*/ false ) } } diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD b/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD index 909190cebf272..fb10726671765 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD @@ -39,7 +39,6 @@ kt_android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "//library/java/io/envoyproxy/envoymobile/utilities", - "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", ], ) diff --git a/mobile/test/common/integration/client_integration_test.cc b/mobile/test/common/integration/client_integration_test.cc index a57df133f2f03..26abde47daad1 100644 --- a/mobile/test/common/integration/client_integration_test.cc +++ b/mobile/test/common/integration/client_integration_test.cc @@ -103,14 +103,6 @@ class ClientIntegrationTest builder_.enableDnsCache(true, /* save_interval_seconds */ 1); } - // Initialize the connectivity manager with a WIFI default network and another network with - // unknown type. - std::vector> connected_networks{ - {1, ConnectionType::CONNECTION_WIFI}, {2, ConnectionType::CONNECTION_UNKNOWN}}; - EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()).WillOnce(Return(1)); - EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()) - .WillOnce(Return(connected_networks)); - BaseClientIntegrationTest::initialize(); if (getCodecType() == Http::CodecType::HTTP3) { @@ -370,35 +362,6 @@ TEST_P(ClientIntegrationTest, HandleNetworkChangeEvents) { EXPECT_EQ(4, current_change_event); } -TEST_P(ClientIntegrationTest, HandleNetworkChangeEventsAndroid) { - absl::Notification found_force_dns_refresh; - std::atomic handled_network_change{false}; - auto logger = std::make_unique(); - logger->on_log_ = [&](Logger::Logger::Levels, const std::string& msg) { - if (msg.find("Default network state has been changed. Current net configuration key") != - std::string::npos) { - handled_network_change = true; - } - if (msg.find("beginning DNS cache force refresh") != std::string::npos) { - found_force_dns_refresh.Notify(); - } - }; - builder_.setLogger(std::move(logger)); - builder_.setDisableDnsRefreshOnNetworkChange(false); - - initialize(); - - // A new WIFI network appears and becomes the default network. Even though - // the test is initialized with a WIFI network, this should still have triggred - // a network change event as it has a different network handle. - internalEngine()->onNetworkConnectAndroid(ConnectionType::CONNECTION_WIFI, 123); - internalEngine()->onDefaultNetworkChangedAndroid(ConnectionType::CONNECTION_WIFI, 123); - // The HTTP status reset and DNS refresh should have been posted to the network thread and to be - // handled there. - found_force_dns_refresh.WaitForNotification(); - EXPECT_TRUE(handled_network_change); -} - TEST_P(ClientIntegrationTest, LargeResponse) { initialize(); std::string data(1024 * 32, 'a'); diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index 812fcdec15a2f..f62f3639fd6a0 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc @@ -102,10 +102,6 @@ class InternalEngineTest : public testing::Test { helper_handle_ = test::SystemHelperPeer::replaceSystemHelper(); EXPECT_CALL(helper_handle_->mock_helper(), isCleartextPermitted(_)) .WillRepeatedly(Return(true)); - EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()) - .Times(testing::AtMost(1)) - .WillOnce(Return(-1)); - EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()).Times(testing::AtMost(1)); } envoy_status_t runEngine(const std::unique_ptr& engine, diff --git a/mobile/test/common/mocks/common/mocks.h b/mobile/test/common/mocks/common/mocks.h index 383adda3aed38..f6825405b9c7e 100644 --- a/mobile/test/common/mocks/common/mocks.h +++ b/mobile/test/common/mocks/common/mocks.h @@ -16,8 +16,6 @@ class MockSystemHelper : public SystemHelper { MOCK_METHOD(envoy_cert_validation_result, validateCertificateChain, (const std::vector& certs, absl::string_view hostname)); MOCK_METHOD(void, cleanupAfterCertificateValidation, ()); - MOCK_METHOD(int64_t, getDefaultNetworkHandle, ()); - MOCK_METHOD((std::vector>), getAllConnectedNetworks, ()); }; // SystemHelperPeer allows the replacement of the SystemHelper singleton diff --git a/mobile/test/common/network/BUILD b/mobile/test/common/network/BUILD index a40973ef1bed6..b26d4b163bf15 100644 --- a/mobile/test/common/network/BUILD +++ b/mobile/test/common/network/BUILD @@ -10,7 +10,6 @@ envoy_cc_test( repository = "@envoy", deps = [ "//library/common/network:connectivity_manager_lib", - "//test/common/mocks/common:common_mocks", "@envoy//test/extensions/common/dynamic_forward_proxy:mocks", "@envoy//test/mocks/upstream:cluster_manager_mocks", ], diff --git a/mobile/test/common/network/connectivity_manager_test.cc b/mobile/test/common/network/connectivity_manager_test.cc index 42ee049c219a0..6ef1c37fb7c67 100644 --- a/mobile/test/common/network/connectivity_manager_test.cc +++ b/mobile/test/common/network/connectivity_manager_test.cc @@ -1,6 +1,5 @@ #include -#include "test/common/mocks/common/mocks.h" #include "test/extensions/common/dynamic_forward_proxy/mocks.h" #include "test/mocks/upstream/cluster_manager.h" @@ -14,55 +13,29 @@ using testing::Return; namespace Envoy { namespace Network { -class MockNetworkChangeObserver : public NetworkChangeObserver { -public: - MOCK_METHOD(void, onNetworkMadeDefault, (NetworkHandle network), (override)); - MOCK_METHOD(void, onNetworkDisconnected, (NetworkHandle network), (override)); - MOCK_METHOD(void, onNetworkConnected, (NetworkHandle network), (override)); -}; - class ConnectivityManagerTest : public testing::Test { public: ConnectivityManagerTest() : dns_cache_manager_( new NiceMock()), dns_cache_(dns_cache_manager_->dns_cache_), - helper_handle_(test::SystemHelperPeer::replaceSystemHelper()) { - - EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()).WillOnce(Return(1)); - std::vector> connected_networks{ - {1, ConnectionType::CONNECTION_WIFI}, {2, ConnectionType::CONNECTION_UNKNOWN}}; - EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()) - .WillOnce(Return(connected_networks)); - connectivity_manager_ = std::make_shared(cm_, dns_cache_manager_); + connectivity_manager_(std::make_shared(cm_, dns_cache_manager_)) { ON_CALL(*dns_cache_manager_, lookUpCacheByName(_)).WillByDefault(Return(dns_cache_)); // Toggle network to reset network state. - connectivity_manager_->setPreferredNetwork(1); - connectivity_manager_->setPreferredNetwork(2); - - // Set up the default network change callback. - auto callback = [&](envoy_netconf_t key) { - EXPECT_EQ(key, connectivity_manager_->getConfigurationKey()); - num_default_network_change_++; - }; - connectivity_manager_->setDefaultNetworkChangeCallback(std::move(callback)); - connectivity_manager_->setNetworkChangeObserver(&observer_); + ConnectivityManagerImpl::setPreferredNetwork(1); + ConnectivityManagerImpl::setPreferredNetwork(2); } std::shared_ptr> dns_cache_manager_; std::shared_ptr dns_cache_; NiceMock cm_{}; - std::unique_ptr helper_handle_; - ConnectivityManagerImplSharedPtr connectivity_manager_; - testing::StrictMock observer_; - // Track callback invocation count. - int num_default_network_change_{0}; + std::shared_ptr connectivity_manager_; }; TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigurationKey) { envoy_netconf_t original_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t new_key = connectivity_manager_->setPreferredNetwork(4); + envoy_netconf_t new_key = ConnectivityManagerImpl::setPreferredNetwork(4); EXPECT_NE(original_key, new_key); EXPECT_EQ(new_key, connectivity_manager_->getConfigurationKey()); } @@ -70,7 +43,7 @@ TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigur TEST_F(ConnectivityManagerTest, DISABLED_SetPreferredNetworkWithUnchangedNetworkReturnsStaleConfigurationKey) { envoy_netconf_t original_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t stale_key = connectivity_manager_->setPreferredNetwork(2); + envoy_netconf_t stale_key = ConnectivityManagerImpl::setPreferredNetwork(2); EXPECT_NE(original_key, stale_key); EXPECT_EQ(original_key, connectivity_manager_->getConfigurationKey()); } @@ -199,7 +172,7 @@ TEST_F(ConnectivityManagerTest, ReportNetworkUsageDisablesOverrideAfterThirdFaul TEST_F(ConnectivityManagerTest, ReportNetworkUsageDisregardsCallsWithStaleConfigurationKey) { envoy_netconf_t stale_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t current_key = connectivity_manager_->setPreferredNetwork(4); + envoy_netconf_t current_key = ConnectivityManagerImpl::setPreferredNetwork(4); EXPECT_NE(stale_key, current_key); connectivity_manager_->setInterfaceBindingEnabled(true); @@ -280,7 +253,7 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash for (const auto& option : *options1) { option->hashKey(hash1); } - connectivity_manager_->setPreferredNetwork(64); + ConnectivityManagerImpl::setPreferredNetwork(64); auto options2 = std::make_shared(); connectivity_manager_->addUpstreamSocketOptions(options2); std::vector hash2; @@ -290,98 +263,5 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash EXPECT_NE(hash1, hash2); } -// Verifies that when the platform notifies about the same default network -// again, the signal will be ignored. -TEST_F(ConnectivityManagerTest, DuplicatedSignalOfAndroidNetworkBecomesDefault) { - EXPECT_CALL(observer_, onNetworkMadeDefault(_)).Times(0); - connectivity_manager_->onDefaultNetworkChangedAndroid(ConnectionType::CONNECTION_WIFI, 1); - // The callback should not have been called. - EXPECT_EQ(num_default_network_change_, 0); -} - -// Verifies that when a network is connected and then becomes the default -// default_network_change_callback_ called at the end rather than in the middle. -TEST_F(ConnectivityManagerTest, AndroidNetworkConnectedAndThenBecomesDefault) { - const NetworkHandle net_id = 123; - const auto connection_type = ConnectionType::CONNECTION_WIFI; - - // Simulate a network is connected. - EXPECT_CALL(observer_, onNetworkConnected(net_id)); - connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); - // The callback should not have been called yet. - EXPECT_EQ(num_default_network_change_, 0); - - // Simulate the connected network now becomes the default. - EXPECT_CALL(observer_, onNetworkMadeDefault(net_id)); - connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); - - // Verify the callback was invoked exactly once. - EXPECT_EQ(num_default_network_change_, 1); -} - -// Verifies that when a network becomes the default without becoming connected, -// default_network_change_callback_ is not called. And it should be called once the network is -// connected. -TEST_F(ConnectivityManagerTest, AndroidNetworkBecomesDefaultAndThenConnected) { - const NetworkHandle net_id = 123; - const auto connection_type = ConnectionType::CONNECTION_4G; - const envoy_netconf_t initial_config_key = connectivity_manager_->getConfigurationKey(); - - // Simulate that the network becomes the default. At this point, it is not yet "connected". - connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); - - // The callback should not have been called, and the preferred network should not have changed - // yet. - EXPECT_EQ(num_default_network_change_, 0); - EXPECT_EQ(initial_config_key, connectivity_manager_->getConfigurationKey()); - - // Now, simulate the network becoming connected. - // This should trigger the deferred default network callback and update the internal state. - EXPECT_CALL(observer_, onNetworkConnected(net_id)); - EXPECT_CALL(observer_, onNetworkMadeDefault(net_id)); - connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); - - // Verify the callback was invoked. - EXPECT_EQ(num_default_network_change_, 1); - EXPECT_NE(initial_config_key, connectivity_manager_->getConfigurationKey()); -} - -// Verifies that the observer is notified about a network becoming connected and -// disconnected. -TEST_F(ConnectivityManagerTest, AndroidNetworkConnectedAndThenDisconnected) { - const NetworkHandle net_id = 123; - const auto connection_type = ConnectionType::CONNECTION_WIFI; - - EXPECT_CALL(observer_, onNetworkConnected(net_id)); - // Simulate a network is connected. - connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); - EXPECT_EQ(num_default_network_change_, 0); - - EXPECT_CALL(observer_, onNetworkDisconnected(net_id)); - connectivity_manager_->onNetworkDisconnectAndroid(net_id); - - // Disconnected network should not be used as the default. - connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); - EXPECT_EQ(num_default_network_change_, 0); -} - -// Verifies that the observer is notified about networks becoming disconnected when they are purged. -// But if the network is exempted from purging, observer shouldn't be notified about it being -// disconnected. -TEST_F(ConnectivityManagerTest, AndroidPurgeNetworks) { - - EXPECT_CALL(observer_, onNetworkConnected(_)).Times(3); - connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_WIFI, 123); - connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_4G, 456); - connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_5G, 789); - - // Purge all networks other than the 5G network. - EXPECT_CALL(observer_, onNetworkDisconnected(1)); - EXPECT_CALL(observer_, onNetworkDisconnected(2)); - EXPECT_CALL(observer_, onNetworkDisconnected(123)); - EXPECT_CALL(observer_, onNetworkDisconnected(456)); - connectivity_manager_->purgeActiveNetworkListAndroid({789}); -} - } // namespace Network } // namespace Envoy diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java b/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java deleted file mode 100644 index 0140329f96ab4..0000000000000 --- a/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java +++ /dev/null @@ -1,114 +0,0 @@ -package io.envoyproxy.envoymobile.utilities; - -import static org.junit.Assert.*; -import static org.mockito.Mockito.mock; -import static org.robolectric.Shadows.shadowOf; - -import io.envoyproxy.envoymobile.engine.JniLibrary; -import io.envoyproxy.envoymobile.engine.EnvoyEngine; -import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; -import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; - -import java.nio.charset.StandardCharsets; - -import android.content.Context; -import android.Manifest; -import android.net.ConnectivityManager; -import android.net.NetworkCapabilities; -import android.net.Network; -import android.net.NetworkInfo; - -import androidx.test.platform.app.InstrumentationRegistry; -import androidx.test.rule.GrantPermissionRule; - -import org.junit.After; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Rule; -import org.junit.Test; -import org.junit.runner.RunWith; - -import org.robolectric.RobolectricTestRunner; -import org.robolectric.shadows.ShadowNetworkInfo; -import org.robolectric.shadows.ShadowNetworkCapabilities; - -@RunWith(RobolectricTestRunner.class) -public final class AndroidNetworkTest { - @Rule - public GrantPermissionRule mRuntimePermissionRule = - GrantPermissionRule.grant(Manifest.permission.ACCESS_NETWORK_STATE); - - private AndroidNetworkMonitorV2 mAndroidNetworkMonitor; - private ConnectivityManager mConnectivityManager; - private final EnvoyEngine mMockEnvoyEngine = mock(EnvoyEngine.class); - - @BeforeClass - public static void beforeClass() { - JniLibrary.loadTestLibrary(); - } - - @Before - public void setUp() throws Exception { - Context context = InstrumentationRegistry.getInstrumentation().getTargetContext(); - if (ContextUtils.getApplicationContext() == null) { - ContextUtils.initApplicationContext(context.getApplicationContext()); - } - AndroidNetworkMonitorV2.load(context, mMockEnvoyEngine); - mAndroidNetworkMonitor = AndroidNetworkMonitorV2.getInstance(); - mConnectivityManager = mAndroidNetworkMonitor.getConnectivityManager(); - } - - @After - public void tearDown() throws Exception { - AndroidNetworkMonitorV2.shutdown(); - } - - @Test - public void testGetDefaultNetworkHandle() { - Network activeNetwork = mConnectivityManager.getActiveNetwork(); - long networkHandle = JniLibrary.callGetDefaultNetworkHandleFromNative(); - assertEquals(activeNetwork.getNetworkHandle(), networkHandle); - - NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, - ConnectivityManager.TYPE_WIFI, 0, - true, NetworkInfo.State.CONNECTED); - shadowOf(mConnectivityManager).setActiveNetworkInfo(wifiNetworkInfo); - Network wifiNetwork = mConnectivityManager.getActiveNetwork(); - long wifiNetworkHandle = JniLibrary.callGetDefaultNetworkHandleFromNative(); - assertEquals(wifiNetwork.getNetworkHandle(), wifiNetworkHandle); - } - - @Test - public void testGetAllConnectedNetworks() { - // Make all networks connected to the internet. - Network[] networks = mConnectivityManager.getAllNetworks(); - for (Network network : networks) { - NetworkCapabilities capabilities = mConnectivityManager.getNetworkCapabilities(network); - shadowOf(capabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); - NetworkInfo netInfo = mConnectivityManager.getNetworkInfo(network); - shadowOf(netInfo).setConnectionStatus(NetworkInfo.State.CONNECTED); - } - long[][] networkArray = JniLibrary.callGetAllConnectedNetworksFromNative(); - assertEquals(networks.length, networkArray.length); - // The ShadowConnectivityManager should have 2 networks cached, one default WIFI network and - // another cellular one. - Network cellNetwork = null; - for (int i = 0; i < networks.length; ++i) { - assertEquals(networks[i].getNetworkHandle(), networkArray[i][0]); - NetworkCapabilities capabilities = mConnectivityManager.getNetworkCapabilities(networks[i]); - if (capabilities.hasTransport(NetworkCapabilities.TRANSPORT_WIFI)) { - assertEquals(EnvoyConnectionType.CONNECTION_WIFI.getValue(), networkArray[i][1]); - } else { - cellNetwork = networks[i]; - assertTrue(capabilities.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)); - assertEquals(EnvoyConnectionType.CONNECTION_2G.getValue(), networkArray[i][1]); - } - } - - assertNotNull(cellNetwork); - shadowOf(mConnectivityManager).removeNetwork(cellNetwork); - networkArray = JniLibrary.callGetAllConnectedNetworksFromNative(); - assertEquals(1, networkArray.length); - assertEquals(EnvoyConnectionType.CONNECTION_WIFI.getValue(), networkArray[0][1]); - } -} diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD b/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD index 70cc84213d165..c783227d57923 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD @@ -24,32 +24,6 @@ envoy_mobile_android_test( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/utilities", - "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "//library/java/org/chromium/net", ], ) - -envoy_mobile_android_test( - name = "android_network_test", - srcs = [ - "AndroidNetworkTest.java", - ], - native_deps = [ - "//test/jni:libenvoy_jni_with_test_extensions.so", - ] + select({ - "@platforms//os:macos": [ - "//test/jni:libenvoy_jni_with_test_extensions_jnilib", - ], - "//conditions:default": [], - }), - native_lib_name = "envoy_jni_with_test_extensions", - test_class = "io.envoyproxy.envoymobile.utilities.AndroidNetworkTest", - deps = [ - "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", - "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", - "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", - "//library/java/io/envoyproxy/envoymobile/utilities", - "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", - "@maven//:org_robolectric_annotations", - ], -) diff --git a/mobile/test/java/org/chromium/net/CronetHttp3Test.java b/mobile/test/java/org/chromium/net/CronetHttp3Test.java index acf5e7006f66f..0397260e3d58d 100644 --- a/mobile/test/java/org/chromium/net/CronetHttp3Test.java +++ b/mobile/test/java/org/chromium/net/CronetHttp3Test.java @@ -1,47 +1,33 @@ package org.chromium.net; -import static org.junit.Assert.*; -import static org.robolectric.Shadows.shadowOf; -import static com.google.common.truth.Truth.assertThat; - -import android.net.ConnectivityManager; -import android.net.LinkProperties; -import android.net.NetworkCapabilities; -import android.net.Network; -import android.net.NetworkInfo; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertFalse; + import android.Manifest; -import io.envoyproxy.envoymobile.engine.testing.HttpTestServerFactory; import io.envoyproxy.envoymobile.engine.types.EnvoyNetworkType; -import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; -import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitor; -import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; -import io.envoyproxy.envoymobile.engine.EnvoyEngine; -import io.envoyproxy.envoymobile.engine.JniLibrary; import org.chromium.net.impl.CronvoyUrlRequestContext; +import io.envoyproxy.envoymobile.engine.EnvoyEngine; import org.chromium.net.impl.CronvoyLogger; -import org.chromium.net.impl.NativeCronvoyEngineBuilderImpl; import androidx.test.core.app.ApplicationProvider; +import org.chromium.net.testing.TestUploadDataProvider; import androidx.test.filters.SmallTest; import androidx.test.rule.GrantPermissionRule; +import org.chromium.net.impl.NativeCronvoyEngineBuilderImpl; import org.chromium.net.testing.CronetTestRule; import org.chromium.net.testing.Feature; -import org.chromium.net.testing.TestUploadDataProvider; import org.chromium.net.testing.TestUrlRequestCallback; +import io.envoyproxy.envoymobile.engine.JniLibrary; import org.junit.After; import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; import org.robolectric.RobolectricTestRunner; - -import org.robolectric.RobolectricTestRunner; -import org.robolectric.shadows.ShadowNetwork; -import org.robolectric.shadows.ShadowNetworkInfo; -import org.robolectric.shadows.ShadowNetworkCapabilities; - +import io.envoyproxy.envoymobile.engine.testing.HttpTestServerFactory; import java.util.HashMap; import java.util.Map; import java.util.Collections; @@ -77,8 +63,6 @@ public class CronetHttp3Test { private boolean drainOnNetworkChange = false; private boolean resetBrokennessOnNetworkChange = false; private boolean disableDnsRefreshOnNetworkChange = false; - private boolean useAndroidNetworkMonitorV2 = false; - private ConnectivityManager connectivityManager; @BeforeClass public static void loadJniLibrary() { @@ -124,29 +108,11 @@ public void log(int logLevel, String message) { nativeCronetEngineBuilder.setLogger(logger); nativeCronetEngineBuilder.setLogLevel(EnvoyEngine.LogLevel.TRACE); } - if (useAndroidNetworkMonitorV2) { - nativeCronetEngineBuilder.setUseV2NetworkMonitor(useAndroidNetworkMonitorV2); - } // Make sure the handshake will work despite lack of real certs. nativeCronetEngineBuilder.setMockCertVerifierForTesting(); cronvoyEngine = new CronvoyUrlRequestContext(nativeCronetEngineBuilder); // Clear network states in ConnectivityManager. cronvoyEngine.getEnvoyEngine().resetConnectivityState(); - - if (useAndroidNetworkMonitorV2) { - AndroidNetworkMonitorV2 androidNetworkMonitor = AndroidNetworkMonitorV2.getInstance(); - connectivityManager = androidNetworkMonitor.getConnectivityManager(); - // AndroidNetworkMonitorV2 registers 2 NetworkCallbacks. - assertThat(shadowOf(connectivityManager).getNetworkCallbacks()).hasSize(2); - } else { - AndroidNetworkMonitor androidNetworkMonitor = AndroidNetworkMonitor.getInstance(); - connectivityManager = androidNetworkMonitor.getConnectivityManager(); - } - NetworkCapabilities networkCapabilities = - connectivityManager.getNetworkCapabilities(connectivityManager.getActiveNetwork()); - shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); - // Verifies initial states of ShadowConnectivityManager. - assertTrue(networkCapabilities.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)); } @After @@ -157,9 +123,6 @@ public void tearDown() throws Exception { if (http3TestServer != null) { http3TestServer.shutdown(); } - if (useAndroidNetworkMonitorV2) { - AndroidNetworkMonitorV2.shutdown(); - } } private TestUrlRequestCallback doBasicGetRequest() { @@ -403,241 +366,6 @@ public void networkChangeWithDrains() throws Exception { assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); } - @Test - @SmallTest - @Feature({"Cronet"}) - public void networkChangeMonitorV2FromCellToWifi() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; - drainOnNetworkChange = true; - useAndroidNetworkMonitorV2 = true; - setUp(printEnvoyLogs); - - // Do the initial handshake dance - doInitialHttp2Request(); - - // Do a HTTP/3 request to establish a connection. - TestUrlRequestCallback getCallback1 = doBasicGetRequest(); - assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); - - // There should be one HTTP/3 connection. - String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); - - // Change from cell to newly connected WIFI network. - NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, - ConnectivityManager.TYPE_WIFI, 0, - true, NetworkInfo.State.CONNECTED); - shadowOf(connectivityManager).setActiveNetworkInfo(wifiNetworkInfo); - Network wifiNetwork = connectivityManager.getActiveNetwork(); - NetworkCapabilities networkCapabilities = - connectivityManager.getNetworkCapabilities(wifiNetwork); - shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); - shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED); - shadowOf(networkCapabilities).addTransportType(NetworkCapabilities.TRANSPORT_WIFI); - shadowOf(connectivityManager).setNetworkCapabilities(wifiNetwork, networkCapabilities); - - // Connected to the new network shouldn't be regarded as switching the default. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - callback.onAvailable(wifiNetwork); - }); - - // Make another request. It should reuse the existing connection because the new network won't - // be regarded as default. - TestUrlRequestCallback getCallback2 = doBasicGetRequest(); - assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // The connection count should STILL be 1, proving reuse. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 1")); - // No connections should have been destroyed. - assertFalse(postStats, postStats.contains("cluster.base.upstream_cx_destroy:")); - - // Reported capability change should be regarded as switching the default. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - LinkProperties link = new LinkProperties(); - callback.onLinkPropertiesChanged(wifiNetwork, link); - callback.onCapabilitiesChanged(wifiNetwork, networkCapabilities); - }); - - // Do a 3rd HTTP/3 request. This must create a new connection. - TestUrlRequestCallback getCallback3 = doBasicGetRequest(); - assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); - // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been - // closed during draining. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); - - // WIFI disconnected, no effect as long as the default network hasn't been switched. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - callback.onLost(wifiNetwork); - }); - - // Do a 4th HTTP/3 request. This should reuse the existing connection. - TestUrlRequestCallback getCallback4 = doBasicGetRequest(); - assertEquals(200, getCallback4.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback4.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // Stats shouldn't have been changed. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); - } - - @Test - @SmallTest - @Feature({"Cronet"}) - public void networkChangeMonitorV2FromDisconnectedCellToWifi() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; - drainOnNetworkChange = true; - useAndroidNetworkMonitorV2 = true; - setUp(printEnvoyLogs); - - // Do the initial handshake dance - doInitialHttp2Request(); - - // Do a HTTP/3 request to establish a connection. - TestUrlRequestCallback getCallback1 = doBasicGetRequest(); - assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); - - // There should be one HTTP/3 connection. - String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); - - // Lost current cellular network. - Network cellNetwork = connectivityManager.getActiveNetwork(); - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - callback.onLost(cellNetwork); - }); - - // Change from the disconnected cell to newly connected WIFI network. - NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, - ConnectivityManager.TYPE_WIFI, 0, - true, NetworkInfo.State.CONNECTED); - shadowOf(connectivityManager).setActiveNetworkInfo(wifiNetworkInfo); - Network wifiNetwork = connectivityManager.getActiveNetwork(); - NetworkCapabilities networkCapabilities = - connectivityManager.getNetworkCapabilities(wifiNetwork); - shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); - shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED); - shadowOf(networkCapabilities).addTransportType(NetworkCapabilities.TRANSPORT_WIFI); - shadowOf(connectivityManager).setNetworkCapabilities(wifiNetwork, networkCapabilities); - - // Connected to the new network shouldn't be regarded as switching the default. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - callback.onAvailable(wifiNetwork); - }); - - // Make another request. It should reuse the existing connection because the new network won't - // be regarded as default. - TestUrlRequestCallback getCallback2 = doBasicGetRequest(); - assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // The connection count should STILL be 1, proving reuse. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 1")); - // No connections should have been destroyed. - assertFalse(postStats, postStats.contains("cluster.base.upstream_cx_destroy:")); - - // Reported capability change should be regarded as switching the default. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - LinkProperties link = new LinkProperties(); - callback.onLinkPropertiesChanged(wifiNetwork, link); - callback.onCapabilitiesChanged(wifiNetwork, networkCapabilities); - }); - - // Do a 3rd HTTP/3 request. This must create a new connection. - TestUrlRequestCallback getCallback3 = doBasicGetRequest(); - assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); - // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been - // closed during draining. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); - } - - @Test - @SmallTest - @Feature({"Cronet"}) - public void networkChangeMonitorV2VpnOnAndOff() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; - drainOnNetworkChange = true; - useAndroidNetworkMonitorV2 = true; - setUp(printEnvoyLogs); - - // Do the initial handshake dance - doInitialHttp2Request(); - - // Do a HTTP/3 request to establish a connection. - TestUrlRequestCallback getCallback1 = doBasicGetRequest(); - assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); - - // There should be one HTTP/3 connection. - String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); - - // A VPN network becomes available. - NetworkInfo networkInfoVpn = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, - ConnectivityManager.TYPE_VPN, 0, - true, NetworkInfo.State.CONNECTED); - Network vpnNetwork = ShadowNetwork.newInstance(2); - shadowOf(connectivityManager).addNetwork(vpnNetwork, networkInfoVpn); - NetworkCapabilities capabilities = ShadowNetworkCapabilities.newInstance(); - shadowOf(capabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); - shadowOf(capabilities).addTransportType(NetworkCapabilities.TRANSPORT_VPN); - shadowOf(connectivityManager).setNetworkCapabilities(vpnNetwork, capabilities); - - // As long as VPN is available, it should be regarded as default network and trigger a default - // network change. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - // This should also purge the cellular network. But it's not observable to requests. - callback.onAvailable(vpnNetwork); - }); - - // Do another HTTP/3 request. This should create a new connection as the existing one is - // drained. - TestUrlRequestCallback getCallback2 = doBasicGetRequest(); - assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); - // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been - // closed during draining. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); - - // The VPN becomes unavailable, the underlying cellular network should be regarded as the - // default. - shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { - callback.onLost(vpnNetwork); - }); - - // Do a 3rd HTTP/3 request. This must create a new connection. - TestUrlRequestCallback getCallback3 = doBasicGetRequest(); - assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); - assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); - - postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); - // Total HTTP/3 connections is now 3. - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 3")); - assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 3")); - } - @Test @SmallTest @Feature({"Cronet"}) diff --git a/mobile/test/java/org/chromium/net/testing/BUILD b/mobile/test/java/org/chromium/net/testing/BUILD index dc30f7ec0feb4..fd0adffecd18e 100644 --- a/mobile/test/java/org/chromium/net/testing/BUILD +++ b/mobile/test/java/org/chromium/net/testing/BUILD @@ -37,7 +37,6 @@ android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/utilities", - "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "//library/java/org/chromium/net", "//library/java/org/chromium/net/impl:cronvoy", "//library/kotlin/io/envoyproxy/envoymobile:envoy_interfaces_lib", From 2fd787344d8e3dc760400b3e1463bfcadd716438 Mon Sep 17 00:00:00 2001 From: botengyao Date: Fri, 15 Aug 2025 14:22:59 -0400 Subject: [PATCH 239/505] stateful session: fix statefulSessionConfig typo (#40743) Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Boteng Yao --- .../filters/http/stateful_session/stateful_session.cc | 2 +- .../extensions/filters/http/stateful_session/stateful_session.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source/extensions/filters/http/stateful_session/stateful_session.cc b/source/extensions/filters/http/stateful_session/stateful_session.cc index 80f4c7525cb21..fd1616352027d 100644 --- a/source/extensions/filters/http/stateful_session/stateful_session.cc +++ b/source/extensions/filters/http/stateful_session/stateful_session.cc @@ -59,7 +59,7 @@ Http::FilterHeadersStatus StatefulSession::decodeHeaders(Http::RequestHeaderMap& if (route_config->disabled()) { return Http::FilterHeadersStatus::Continue; } - config = route_config->statefuleSessionConfig(); + config = route_config->statefulSessionConfig(); } session_state_ = config->createSessionState(headers); if (session_state_ == nullptr) { diff --git a/source/extensions/filters/http/stateful_session/stateful_session.h b/source/extensions/filters/http/stateful_session/stateful_session.h index c92b0254f75de..5112a3fabb26d 100644 --- a/source/extensions/filters/http/stateful_session/stateful_session.h +++ b/source/extensions/filters/http/stateful_session/stateful_session.h @@ -47,7 +47,7 @@ class PerRouteStatefulSession : public Router::RouteSpecificFilterConfig { Server::Configuration::GenericFactoryContext& context); bool disabled() const { return disabled_; } - StatefulSessionConfig* statefuleSessionConfig() const { return config_.get(); } + StatefulSessionConfig* statefulSessionConfig() const { return config_.get(); } private: bool disabled_{}; From 644cd97b89bf21ff30fce3e30c0e9675f4f7af1b Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 15 Aug 2025 15:03:13 -0400 Subject: [PATCH 240/505] Revert "deps: Bump `highway` -> 1.3.0 (#40731)" (#40741) This reverts commit 0a1c47e3b7d5fbef1ea19f1816eb1cbd3ea5b1a7. Highway has to be updated together with V8. This update breaks V8 build. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 3b1dbd6107532..95a2269fd9d74 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1209,13 +1209,13 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_desc = "Performance-portable, length-agnostic SIMD with runtime dispatch", project_url = "https://github.com/google/highway", # NOTE: Update together with v8 and proxy_wasm_cpp_host. - version = "1.3.0", + version = "1.2.0", strip_prefix = "highway-{version}", - sha256 = "07b3c1ba2c1096878a85a31a5b9b3757427af963b1141ca904db2f9f4afe0bc2", + sha256 = "7e0be78b8318e8bdbf6fa545d2ecb4c90f947df03f7aadc42c1967f019e63343", urls = ["https://github.com/google/highway/archive/refs/tags/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2025-08-14", + release_date = "2024-05-31", cpe = "N/A", ), dragonbox = dict( From e17eb7855215d20928fce89fc69c0eaae9114899 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Fri, 15 Aug 2025 20:30:08 -0400 Subject: [PATCH 241/505] cleanup: followup on PR 40606 - cleaning the tests (#40746) Commit Message: cleanup: followup on PR 40606 - cleaning the tests Additional Description: Minor cleanup for the histogram tests that were updated in #40606. Risk Level: low - tests only Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg --- test/common/stats/thread_local_store_test.cc | 248 +++++++++---------- 1 file changed, 120 insertions(+), 128 deletions(-) diff --git a/test/common/stats/thread_local_store_test.cc b/test/common/stats/thread_local_store_test.cc index f7b1d518af2b2..9c950ccf3f0f9 100644 --- a/test/common/stats/thread_local_store_test.cc +++ b/test/common/stats/thread_local_store_test.cc @@ -1934,6 +1934,126 @@ TEST_F(HistogramTest, ForEachHistogram) { EXPECT_EQ(deleted_histogram.unit(), Histogram::Unit::Unspecified); } +TEST_F(HistogramTest, ForEachSinkedHistogram) { + std::unique_ptr test_sink_predicates = + std::make_unique(); + std::vector> sinked_histograms; + std::vector> unsinked_histograms; + auto scope = store_->rootScope(); + + const size_t num_stats = 11; + // Create some histograms before setting the predicates. + for (size_t idx = 0; idx < num_stats / 2; ++idx) { + auto name = absl::StrCat("histogram.", idx); + StatName stat_name = pool_.add(name); + // sink every 3rd stat + if ((idx + 1) % 3 == 0) { + test_sink_predicates->add(stat_name); + sinked_histograms.emplace_back( + scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); + } else { + unsinked_histograms.emplace_back( + scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); + } + } + + store_->setSinkPredicates(std::move(test_sink_predicates)); + auto& sink_predicates = testSinkPredicatesOrDie(); + + // Create some histograms after setting the predicates. + for (size_t idx = num_stats / 2; idx < num_stats; ++idx) { + auto name = absl::StrCat("histogram.", idx); + StatName stat_name = pool_.add(name); + // sink every 3rd stat + if ((idx + 1) % 3 == 0) { + sink_predicates.add(stat_name); + sinked_histograms.emplace_back( + scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); + } else { + unsinked_histograms.emplace_back( + scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); + } + } + + EXPECT_EQ(sinked_histograms.size(), 3); + EXPECT_EQ(unsinked_histograms.size(), 8); + + size_t num_sinked_histograms = 0; + size_t num_iterations = 0; + store_->forEachSinkedHistogram( + [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, + [&num_iterations, &sink_predicates](ParentHistogram& histogram) { + EXPECT_TRUE(sink_predicates.has(histogram.statName())); + ++num_iterations; + }); + EXPECT_EQ(num_sinked_histograms, 3); + EXPECT_EQ(num_iterations, 3); + // Verify that rejecting histograms removes them from the sink set. + envoy::config::metrics::v3::StatsConfig stats_config_; + stats_config_.mutable_stats_matcher()->set_reject_all(true); + store_->setStatsMatcher( + std::make_unique(stats_config_, symbol_table_, context_)); + num_sinked_histograms = 0; + num_iterations = 0; + store_->forEachSinkedHistogram( + [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, + [&num_iterations](ParentHistogram&) { ++num_iterations; }); + EXPECT_EQ(num_sinked_histograms, 0); + EXPECT_EQ(num_iterations, 0); +} + +// Verify that histograms that are not flushed to sinks are merged in the call +// to mergeHistograms +TEST_F(HistogramTest, UnsinkedHistogramsAreMerged) { + store_->setSinkPredicates(std::make_unique()); + auto& sink_predicates = testSinkPredicatesOrDie(); + StatName stat_name = pool_.add("h1"); + sink_predicates.add(stat_name); + auto scope = store_->rootScope(); + + auto& h1 = static_cast( + scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); + stat_name = pool_.add("h2"); + auto& h2 = static_cast( + scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); + + EXPECT_EQ("h1", h1.name()); + EXPECT_EQ("h2", h2.name()); + EXPECT_CALL(sink_, onHistogramComplete(Ref(h1), 5)); + EXPECT_CALL(sink_, onHistogramComplete(Ref(h2), 5)); + + h1.recordValue(5); + h2.recordValue(5); + + EXPECT_THAT(h1.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 0,")); + EXPECT_THAT(h2.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 0,")); + + // Verify that all the histograms have not been merged yet. + EXPECT_EQ(h1.used(), false); + EXPECT_EQ(h2.used(), false); + + store_->mergeHistograms([this, &sink_predicates]() -> void { + size_t num_iterations = 0; + size_t num_sinked_histograms = 0; + store_->forEachSinkedHistogram( + [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, + [&num_iterations, &sink_predicates](ParentHistogram& histogram) { + EXPECT_TRUE(sink_predicates.has(histogram.statName())); + ++num_iterations; + }); + EXPECT_EQ(num_sinked_histograms, 1); + EXPECT_EQ(num_iterations, 1); + }); + + EXPECT_THAT(h1.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 1,")); + EXPECT_THAT(h2.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 1,")); + EXPECT_EQ(h1.cumulativeStatistics().bucketSummary(), h2.cumulativeStatistics().bucketSummary()); + + // Verify that all the histograms have been merged. + EXPECT_EQ(h1.used(), true); + EXPECT_EQ(h2.used(), true); +} + class OneWorkerThread : public ThreadLocalRealThreadsMixin, public testing::Test { protected: static constexpr uint32_t NumThreads = 1; @@ -2232,133 +2352,5 @@ TEST_F(StatsThreadLocalStoreTest, SetSinkPredicates) { }); EXPECT_EQ(expected_sinked_stats, num_sinked_text_readouts); } - -class HistogramParameterisedTest : public HistogramTest { -public: - HistogramParameterisedTest() {} - -protected: - void SetUp() override { HistogramTest::SetUp(); } -}; - -TEST_F(HistogramParameterisedTest, ForEachSinkedHistogram) { - std::unique_ptr test_sink_predicates = - std::make_unique(); - std::vector> sinked_histograms; - std::vector> unsinked_histograms; - auto scope = store_->rootScope(); - - const size_t num_stats = 11; - // Create some histograms before setting the predicates. - for (size_t idx = 0; idx < num_stats / 2; ++idx) { - auto name = absl::StrCat("histogram.", idx); - StatName stat_name = pool_.add(name); - // sink every 3rd stat - if ((idx + 1) % 3 == 0) { - test_sink_predicates->add(stat_name); - sinked_histograms.emplace_back( - scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); - } else { - unsinked_histograms.emplace_back( - scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); - } - } - - store_->setSinkPredicates(std::move(test_sink_predicates)); - auto& sink_predicates = testSinkPredicatesOrDie(); - - // Create some histograms after setting the predicates. - for (size_t idx = num_stats / 2; idx < num_stats; ++idx) { - auto name = absl::StrCat("histogram.", idx); - StatName stat_name = pool_.add(name); - // sink every 3rd stat - if ((idx + 1) % 3 == 0) { - sink_predicates.add(stat_name); - sinked_histograms.emplace_back( - scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); - } else { - unsinked_histograms.emplace_back( - scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); - } - } - - EXPECT_EQ(sinked_histograms.size(), 3); - EXPECT_EQ(unsinked_histograms.size(), 8); - - size_t num_sinked_histograms = 0; - size_t num_iterations = 0; - store_->forEachSinkedHistogram( - [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, - [&num_iterations, &sink_predicates](ParentHistogram& histogram) { - EXPECT_TRUE(sink_predicates.has(histogram.statName())); - ++num_iterations; - }); - EXPECT_EQ(num_sinked_histograms, 3); - EXPECT_EQ(num_iterations, 3); - // Verify that rejecting histograms removes them from the sink set. - envoy::config::metrics::v3::StatsConfig stats_config_; - stats_config_.mutable_stats_matcher()->set_reject_all(true); - store_->setStatsMatcher( - std::make_unique(stats_config_, symbol_table_, context_)); - num_sinked_histograms = 0; - num_iterations = 0; - store_->forEachSinkedHistogram( - [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, - [&num_iterations](ParentHistogram&) { ++num_iterations; }); - EXPECT_EQ(num_sinked_histograms, 0); - EXPECT_EQ(num_iterations, 0); -} - -// Verify that histograms that are not flushed to sinks are merged in the call -// to mergeHistograms -TEST_F(HistogramParameterisedTest, UnsinkedHistogramsAreMerged) { - store_->setSinkPredicates(std::make_unique()); - auto& sink_predicates = testSinkPredicatesOrDie(); - StatName stat_name = pool_.add("h1"); - sink_predicates.add(stat_name); - auto scope = store_->rootScope(); - - auto& h1 = static_cast( - scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); - stat_name = pool_.add("h2"); - auto& h2 = static_cast( - scope->histogramFromStatName(stat_name, Histogram::Unit::Unspecified)); - - EXPECT_EQ("h1", h1.name()); - EXPECT_EQ("h2", h2.name()); - EXPECT_CALL(sink_, onHistogramComplete(Ref(h1), 5)); - EXPECT_CALL(sink_, onHistogramComplete(Ref(h2), 5)); - - h1.recordValue(5); - h2.recordValue(5); - - EXPECT_THAT(h1.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 0,")); - EXPECT_THAT(h2.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 0,")); - - // Verify that all the histograms have not been merged yet. - EXPECT_EQ(h1.used(), false); - EXPECT_EQ(h2.used(), false); - - store_->mergeHistograms([this, &sink_predicates]() -> void { - size_t num_iterations = 0; - size_t num_sinked_histograms = 0; - store_->forEachSinkedHistogram( - [&num_sinked_histograms](std::size_t size) { num_sinked_histograms = size; }, - [&num_iterations, &sink_predicates](ParentHistogram& histogram) { - EXPECT_TRUE(sink_predicates.has(histogram.statName())); - ++num_iterations; - }); - EXPECT_EQ(num_sinked_histograms, 1); - EXPECT_EQ(num_iterations, 1); - }); - - EXPECT_THAT(h1.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 1,")); - EXPECT_THAT(h2.cumulativeStatistics().bucketSummary(), HasSubstr(" B10: 1,")); - EXPECT_EQ(h1.cumulativeStatistics().bucketSummary(), h2.cumulativeStatistics().bucketSummary()); - - // Verify that all the histograms have been merged. - EXPECT_EQ(h1.used(), true); - EXPECT_EQ(h2.used(), true); -} } // namespace Stats } // namespace Envoy From e409899cb586a2374ce2e20bddaa792edeff3928 Mon Sep 17 00:00:00 2001 From: danzh Date: Fri, 15 Aug 2025 23:34:36 -0400 Subject: [PATCH 242/505] Update QUICHE from 42832178b to 82b2b2501 (#40742) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/google/quiche/compare/42832178b..82b2b2501 ``` $ git log 42832178b..82b2b2501 --date=short --no-merges --format="%ad %al %s" 2025-08-14 danzh Fix HPACK/QPACK decoding of excessively large variable-length integers. 2025-08-14 quiche-dev Add tracing hooks to BlindSignAuth. 2025-08-14 martinduke Add hardcoded peer reordering_threshold to QuicConfig. 2025-08-14 quiche-dev Enable client cert verification at QUICHE `TlsServerHandshaker`. 2025-08-14 elburrito BlindSignAuth: Propagate error codes returned from BlindSignMessageInterface to clients 2025-08-13 vasilvv Fix standalone QUICHE build 2025-08-13 jprat Enable QUIC's flow-label-based blackhole avoidance logic when the server receives the CFLS connection option from the client. 2025-08-13 martinduke Update MoQT version to draft-13. 2025-08-12 quiche-dev [Indeterminate-Length BHTTP] Treat `OutOfRange` as `InvalidArgument` on `end_stream` 2025-08-12 quiche-dev Refactoring OHTTP common code. This will be needed for chunk implementation. 2025-08-12 danzh Add 2 new classes QuicConnectionMigrationManager and QuicSpdyClientSessionWithMigration which are extracted from Chromium [QuicChromiumClientSession](https://source.chromium.org/chromium/chromium/src/+/main:net/quic/quic_chromium_client_session.h) to handle network disconnected signal from the platform by migrating to an alternative network if available. 2025-08-12 martinduke No public description 2025-08-12 martinduke No public description 2025-08-11 vasilvv Fix MoqtSession to actually read data from the padding streams. 2025-08-11 vasilvv Fix DataRecvd callback in QuicGenericSessionBase. 2025-08-11 quiche-dev This CL reorders the fields of one or multiple types (classes/structs) to group the hot fields together to increase data density. This CL doesn’t change functionality but expects to reduce cache misses and save GCUs. 2025-08-11 quiche-dev [Indeterminate-Length BHTTP] Adding response encoder 2025-08-11 vasilvv Use uint64_t instead of size_t in QuicIntervalDeque 2025-08-08 martinduke Rename MoQT SubscribeAnnounces to SubscribeNamespace. 2025-08-08 martinduke Update MoQT Stream Header subgroup to draft-12. 2025-08-08 davidben Make it possible to configure an empty trust anchor ID list 2025-08-08 quiche-dev Propagate error codes returned from Phosphor 2025-08-07 vasilvv No public description 2025-08-06 martinduke Allow EndOfGroup status with payload in MoQT datagrams. 2025-08-06 quiche-dev Fix copybara strip directives in blind_sign_message_response.cc 2025-08-05 martinduke Update MOQT FETCH to draft-12. 2025-08-05 martinduke Update MoQT SUBSCRIBE_ANNOUNCES to draft-12 by rejecting any request that is a subset of superset of an existing subscription. 2025-08-04 quiche-dev Fix compilation with an upcoming Crosstool release. Constructing an absl::string_view from a null pointer is undefined behavior. When possible to detect statically, Clang will issue a `-Wnonnull` diagnostic (which is an error in google3 builds). 2025-08-04 elburrito BlindSignAuth: Change `AttestAndSign` to take a span of certificates as attestation data, and update Astrea's JNI interface to use the new API. ``` Risk Level: low Testing: existing tests pass Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 95a2269fd9d74..c04a77599be38 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1276,12 +1276,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "42832178b3b6ae20f0d1c9634c040c528614f45f", - sha256 = "ff03fab32698f0536713592ecdcfefea115e184814040c140b5d1bdf4b25b07b", + version = "82b2b2501a274fb5129a9556ca3cf6676910bb04", + sha256 = "e02e830eb1285aaa4b2891a58adda8bd22e52d64865795858480a9d641f81b99", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-08-01", + release_date = "2025-08-14", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", From d4a94e75908cd65d159101ebf3fa9e106be62491 Mon Sep 17 00:00:00 2001 From: Prashanth Josyula Date: Fri, 15 Aug 2025 21:37:28 -0700 Subject: [PATCH 243/505] tracing: add W3C trace header fallback support to Zipkin tracer (#40525) Commit Message: tracing: add W3C trace header fallback support to Zipkin tracer Added w3c_fallback configuration option to ZipkinConfig that allows the Zipkin tracer to extract trace information from W3C trace headers (traceparent and tracestate) when B3 headers are not present or cannot be extracted. Key features: - Disabled by default to maintain backward compatibility - B3 headers always take precedence when present - Supports full W3C to Zipkin span context conversion - Comprehensive test coverage for all scenarios This enables better interoperability with systems that use W3C trace context propagation while preserving existing B3 header functionality. Additional Description: This change enhances the Zipkin tracer to support W3C trace context as a fallback mechanism, improving interoperability with systems that use W3C trace propagation standards. The implementation leverages the existing OpenTelemetry W3C extraction logic and maintains strict precedence rules to ensure B3 headers are always preferred when available. The feature addresses scenarios where services in a mixed tracing environment may use different header propagation formats, allowing seamless trace continuity without requiring protocol conversion at the service level. Risk Level: Medium Testing: - Unit tests covering all code paths: default behavior (disabled), enabled behavior, header precedence, and error handling - Integration with existing Zipkin tracer test suite - Manual testing with W3C and B3 header combinations - Coverage verification for new code paths Docs Changes: - Updated tracing architecture overview documentation to explain W3C fallback functionality - Enhanced proto field documentation with detailed behavior description - Added cross-references to W3C trace header documentation Release Notes: Added to new_features section: - area: tracing change: | Added :ref:`w3c_fallback ` to the Zipkin tracer config. This allows the Zipkin tracer to extract trace information from W3C trace headers when x-b3 headers are not present or cannot be extracted. This feature is disabled by default to maintain backward compatibility. Platform Specific Features: N/A - This feature is cross-platform and uses existing portable code paths. Optional Runtime guard: N/A - This is a low-risk, opt-in feature that is disabled by default and does not modify existing behavior. Fixes #Issue: N/A Fixes commit #PR or SHA: N/A Deprecated: N/A Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): This change adds a new boolean field `w3c_fallback` to `envoy.config.trace.v3.ZipkinConfig`: - **Field Addition**: Added `bool w3c_fallback = 8;` - safe as it's a new optional field - **Default Behavior**: Defaults to `false` to maintain backward compatibility - **Wire Compatibility**: New field is optional and backward compatible - **Forward Compatibility**: Older Envoy versions will ignore the unknown field - **Documentation**: Field is fully documented with behavior, defaults, and examples - **Validation**: No additional validation required - simple boolean flag - **Deprecation Impact**: None - this is a new feature addition --------- Signed-off-by: Prashanth Josyula Signed-off-by: prashanth.chaitanya Co-authored-by: prashanth.chaitanya --- api/envoy/config/trace/v3/zipkin.proto | 20 +- changelogs/current.yaml | 8 + .../http/http_conn_man/headers.rst | 22 ++ .../arch_overview/observability/tracing.rst | 13 ++ source/extensions/tracers/zipkin/BUILD | 1 + .../tracers/zipkin/span_context_extractor.cc | 120 ++++++++-- .../tracers/zipkin/span_context_extractor.h | 12 +- source/extensions/tracers/zipkin/tracer.h | 19 +- .../tracers/zipkin/tracer_interface.h | 9 + .../tracers/zipkin/zipkin_core_constants.h | 4 + .../tracers/zipkin/zipkin_core_types.cc | 38 ++- .../tracers/zipkin/zipkin_core_types.h | 5 + .../tracers/zipkin/zipkin_tracer_impl.cc | 11 +- .../tracers/zipkin/zipkin_tracer_impl.h | 11 +- test/coverage.yaml | 2 +- .../tracers/zipkin/span_buffer_test.cc | 3 + .../zipkin/span_context_extractor_test.cc | 221 ++++++++++++++++++ .../tracers/zipkin/zipkin_core_types_test.cc | 2 + .../tracers/zipkin/zipkin_tracer_impl_test.cc | 138 ++++++++++- 19 files changed, 620 insertions(+), 39 deletions(-) diff --git a/api/envoy/config/trace/v3/zipkin.proto b/api/envoy/config/trace/v3/zipkin.proto index 2d8f3195c31e3..4f62a00eed545 100644 --- a/api/envoy/config/trace/v3/zipkin.proto +++ b/api/envoy/config/trace/v3/zipkin.proto @@ -21,10 +21,22 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Configuration for the Zipkin tracer. // [#extension: envoy.tracers.zipkin] -// [#next-free-field: 8] +// [#next-free-field: 9] message ZipkinConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig"; + // Available trace context options for handling different trace header formats. + enum TraceContextOption { + // Use B3 headers only (default behavior). + USE_B3 = 0; + + // Enable B3 and W3C dual header support: + // - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable. + // - For upstream: Inject both B3 and W3C traceparent headers. + // When this option is NOT set, only B3 headers are used for both extraction and injection. + USE_B3_WITH_W3C_PROPAGATION = 1; + } + // Available Zipkin collector endpoint versions. enum CollectorEndpointVersion { // Zipkin API v1, JSON over HTTP. @@ -88,4 +100,10 @@ message ZipkinConfig { // Please use that ``spawn_upstream_span`` field to control the span creation. bool split_spans_for_request = 7 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Determines which trace context format to use for trace header extraction and propagation. + // This controls both downstream request header extraction and upstream request header injection. + // Here is the spec for W3C trace headers: https://www.w3.org/TR/trace-context/ + // The default value is USE_B3 to maintain backward compatibility. + TraceContextOption trace_context_option = 8; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 56dfd6530499a..a6326d4619c6b 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -239,6 +239,13 @@ new_features: Added ``virtualHost()`` to the Stream handle API, allowing Lua scripts to retrieve virtual host information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access virtual host metadata scoped to the specific filter name. See :ref:`Virtual host object API ` for more details. +- area: tracing + change: | + Added :ref:`trace_context_option ` enum + in the Zipkin tracer config. When set to ``USE_B3_WITH_W3C_PROPAGATION``, the tracer will: + extract trace information from W3C trace headers when B3 headers are not present (downstream), + and inject both B3 and W3C trace headers for upstream requests to maximize compatibility. + The default value ``USE_B3`` maintains backward compatibility with B3-only behavior. - area: rbac change: | Switch the IP matcher to use LC-Trie for performance improvements. @@ -255,4 +262,5 @@ new_features: change: | Added ``upstream_rq_per_cx`` histogram to track requests per connection for monitoring connection reuse efficiency. + deprecated: diff --git a/docs/root/configuration/http/http_conn_man/headers.rst b/docs/root/configuration/http/http_conn_man/headers.rst index 7c9be4c62459c..df30d728f73c2 100644 --- a/docs/root/configuration/http/http_conn_man/headers.rst +++ b/docs/root/configuration/http/http_conn_man/headers.rst @@ -637,6 +637,28 @@ The ``x-amzn-trace-id`` HTTP header is used by the AWS X-Ray tracer in Envoy. Th parent ID and sampling decision are added to HTTP requests in the tracing header. See more on AWS X-Ray tracing `here `__. +.. _config_http_conn_man_headers_traceparent: + +traceparent +----------- + +The ``traceparent`` HTTP header is used for W3C trace context propagation. It contains version, trace ID, +parent ID, and trace flags in a standardized format. This header is supported by the Zipkin tracer when +``trace_context_option`` is set to ``USE_B3_WITH_W3C_PROPAGATION``. In this mode, the tracer will extract +from W3C headers as fallback when B3 headers are not present, and inject both B3 and W3C headers for +upstream requests. See more on W3C Trace Context `here `__. + +.. _config_http_conn_man_headers_tracestate: + +tracestate +---------- + +The ``tracestate`` HTTP header is used for W3C trace context propagation. It carries vendor-specific trace +identification data as a set of name/value pairs. This header is supported by the Zipkin tracer when +``trace_context_option`` is set to ``USE_B3_WITH_W3C_PROPAGATION``. In this mode, the tracer will extract +from W3C headers as fallback when B3 headers are not present, and inject both B3 and W3C headers for +upstream requests. See more on W3C Trace Context `here `__. + .. _config_http_conn_man_headers_custom_request_headers: Custom request/response headers diff --git a/docs/root/intro/arch_overview/observability/tracing.rst b/docs/root/intro/arch_overview/observability/tracing.rst index 9d5fb69374c03..3e5afe4aa5b8d 100644 --- a/docs/root/intro/arch_overview/observability/tracing.rst +++ b/docs/root/intro/arch_overview/observability/tracing.rst @@ -100,6 +100,19 @@ Alternatively the trace context can be manually propagated by the service: request. In addition, the single :ref:`config_http_conn_man_headers_b3` header propagation format is supported, which is a more compressed format. + The Zipkin tracer can optionally be configured to support both B3 and W3C trace context formats + for improved interoperability. This is controlled by the + :ref:`trace_context_option ` configuration option. + When set to ``USE_B3_WITH_W3C_PROPAGATION``, the tracer will: + + - For downstream requests: Extract trace context from B3 headers first, fallback to W3C trace headers + (:ref:`traceparent ` and + :ref:`tracestate `) when B3 headers are not present. + - For upstream requests: Inject both B3 and W3C trace headers to maximize compatibility. + + This option is disabled by default (``USE_B3``) to maintain backward compatibility, where only + B3 headers are used for both extraction and injection. + * When using the Datadog tracer, Envoy relies on the service to propagate the Datadog-specific HTTP headers ( :ref:`config_http_conn_man_headers_x-datadog-trace-id`, diff --git a/source/extensions/tracers/zipkin/BUILD b/source/extensions/tracers/zipkin/BUILD index 953e0cc72c2b6..8604a416d1466 100644 --- a/source/extensions/tracers/zipkin/BUILD +++ b/source/extensions/tracers/zipkin/BUILD @@ -54,6 +54,7 @@ envoy_cc_library( "//source/common/singleton:const_singleton", "//source/common/tracing:http_tracer_lib", "//source/common/upstream:cluster_update_tracker_lib", + "//source/extensions/tracers/opentelemetry:opentelemetry_tracer_lib", "@com_github_openzipkin_zipkinapi//:zipkin_cc_proto", "@com_google_absl//absl/types:optional", "@envoy_api//envoy/config/trace/v3:pkg_cc_proto", diff --git a/source/extensions/tracers/zipkin/span_context_extractor.cc b/source/extensions/tracers/zipkin/span_context_extractor.cc index b4378588db95c..c02ec29cc11e2 100644 --- a/source/extensions/tracers/zipkin/span_context_extractor.cc +++ b/source/extensions/tracers/zipkin/span_context_extractor.cc @@ -1,5 +1,7 @@ #include "source/extensions/tracers/zipkin/span_context_extractor.h" +#include + #include "source/common/common/assert.h" #include "source/common/common/utility.h" #include "source/extensions/tracers/zipkin/span_context.h" @@ -11,6 +13,7 @@ namespace Tracers { namespace Zipkin { namespace { constexpr int FormatMaxLength = 32 + 1 + 16 + 3 + 16; // traceid128-spanid-1-parentid + bool validSamplingFlags(char c) { if (c == '1' || c == '0' || c == 'd') { return true; @@ -26,14 +29,25 @@ absl::optional getSamplingFlags(char c) { } } +// Helper function to parse hex string_view to uint64_t using std::from_chars +bool parseHexStringView(absl::string_view hex_str, uint64_t& result) { + const char* begin = hex_str.data(); + const char* end = begin + hex_str.size(); + auto [ptr, ec] = std::from_chars(begin, end, result, 16); + return ec == std::errc{} && ptr == end; +} + } // namespace -SpanContextExtractor::SpanContextExtractor(Tracing::TraceContext& trace_context) - : trace_context_(trace_context) {} +SpanContextExtractor::SpanContextExtractor(Tracing::TraceContext& trace_context, + bool w3c_fallback_enabled) + : trace_context_(trace_context), w3c_fallback_enabled_(w3c_fallback_enabled) {} SpanContextExtractor::~SpanContextExtractor() = default; absl::optional SpanContextExtractor::extractSampled() { + bool sampled(false); + // Try B3 single format first. auto b3_header_entry = ZipkinCoreConstants::get().B3.get(trace_context_); if (b3_header_entry.has_value()) { // This is an implicitly untrusted header, so only the first value is used. @@ -60,29 +74,48 @@ absl::optional SpanContextExtractor::extractSampled() { return getSamplingFlags(b3[sampled_pos]); } + // Try individual B3 sampled header. auto x_b3_sampled_entry = ZipkinCoreConstants::get().X_B3_SAMPLED.get(trace_context_); - if (!x_b3_sampled_entry.has_value()) { - return absl::nullopt; + + if (x_b3_sampled_entry.has_value()) { + // Checking if sampled flag has been specified. Also checking for 'true' value, as some old + // zipkin tracers may still use that value, although should be 0 or 1. + // This is an implicitly untrusted header, so only the first value is used. + absl::string_view xb3_sampled = x_b3_sampled_entry.value(); + sampled = xb3_sampled == SAMPLED || xb3_sampled == "true"; + return sampled; } - // Checking if sampled flag has been specified. Also checking for 'true' value, as some old - // zipkin tracers may still use that value, although should be 0 or 1. - // This is an implicitly untrusted header, so only the first value is used. - absl::string_view xb3_sampled = x_b3_sampled_entry.value(); - return xb3_sampled == SAMPLED || xb3_sampled == "true"; + + // Try W3C Trace Context format as fallback only if enabled. + if (w3c_fallback_enabled_) { + Extensions::Tracers::OpenTelemetry::SpanContextExtractor w3c_extractor( + const_cast(trace_context_)); + if (w3c_extractor.propagationHeaderPresent()) { + auto w3c_span_context = w3c_extractor.extractSpanContext(); + if (w3c_span_context.ok()) { + return w3c_span_context.value().sampled(); + } + } + } + + return absl::nullopt; } std::pair SpanContextExtractor::extractSpanContext(bool is_sampled) { + // Try B3 single format first. if (ZipkinCoreConstants::get().B3.get(trace_context_).has_value()) { return extractSpanContextFromB3SingleFormat(is_sampled); } - uint64_t trace_id(0); - uint64_t trace_id_high(0); - uint64_t span_id(0); - uint64_t parent_id(0); + // Try individual B3 headers. auto b3_trace_id_entry = ZipkinCoreConstants::get().X_B3_TRACE_ID.get(trace_context_); auto b3_span_id_entry = ZipkinCoreConstants::get().X_B3_SPAN_ID.get(trace_context_); if (b3_span_id_entry.has_value() && b3_trace_id_entry.has_value()) { + uint64_t trace_id(0); + uint64_t trace_id_high(0); + uint64_t span_id(0); + uint64_t parent_id(0); + // Extract trace id - which can either be 128 or 64 bit. For 128 bit, // it needs to be divided into two 64 bit numbers (high and low). // This is an implicitly untrusted header, so only the first value is used. @@ -113,11 +146,23 @@ std::pair SpanContextExtractor::extractSpanContext(bool is_sa throw ExtractorException(absl::StrCat("Invalid parent span id ", pspid.c_str())); } } - } else { - return {SpanContext(), false}; + + return {SpanContext(trace_id_high, trace_id, span_id, parent_id, is_sampled), true}; } - return {SpanContext(trace_id_high, trace_id, span_id, parent_id, is_sampled), true}; + // Try W3C Trace Context format as fallback only if enabled. + if (w3c_fallback_enabled_) { + Extensions::Tracers::OpenTelemetry::SpanContextExtractor w3c_extractor( + const_cast(trace_context_)); + if (w3c_extractor.propagationHeaderPresent()) { + auto w3c_span_context = w3c_extractor.extractSpanContext(); + if (w3c_span_context.ok()) { + return convertW3CToZipkin(w3c_span_context.value(), is_sampled); + } + } + } + + return {SpanContext(), false}; } std::pair @@ -205,7 +250,7 @@ SpanContextExtractor::extractSpanContextFromB3SingleFormat(bool is_sampled) { } if (b3.length() > pos) { - // If we are at this point, we should have a parent ID, encoded as "-[0-9a-f]{16}" + // If we are at this point, we should have a parent ID, encoded as "-[0-9a-f]{16}". if (b3.length() != pos + 17) { throw ExtractorException("Invalid input: truncated"); } @@ -224,6 +269,47 @@ SpanContextExtractor::extractSpanContextFromB3SingleFormat(bool is_sampled) { return {SpanContext(trace_id_high, trace_id, span_id, parent_id, is_sampled), true}; } +std::pair SpanContextExtractor::convertW3CToZipkin( + const Extensions::Tracers::OpenTelemetry::SpanContext& w3c_context, bool fallback_sampled) { + // Convert W3C 128-bit trace ID (32 hex chars) to Zipkin format. + const absl::string_view trace_id_str = w3c_context.traceId(); + + if (trace_id_str.length() != 32) { + throw ExtractorException(fmt::format("Invalid W3C trace ID length: {}", trace_id_str.length())); + } + + // Split 128-bit trace ID into high and low 64-bit parts for Zipkin. + const absl::string_view trace_id_high_str = absl::string_view(trace_id_str).substr(0, 16); + const absl::string_view trace_id_low_str = absl::string_view(trace_id_str).substr(16, 16); + + uint64_t trace_id_high(0); + uint64_t trace_id(0); + if (!parseHexStringView(trace_id_high_str, trace_id_high) || + !parseHexStringView(trace_id_low_str, trace_id)) { + throw ExtractorException(fmt::format("Invalid W3C trace ID: {}", trace_id_str)); + } + + // Convert W3C span ID (16 hex chars) to Zipkin span ID. + const absl::string_view span_id_str = w3c_context.spanId(); + if (span_id_str.length() != 16) { + throw ExtractorException(fmt::format("Invalid W3C span ID length: {}", span_id_str.length())); + } + + uint64_t span_id(0); + if (!parseHexStringView(span_id_str, span_id)) { + throw ExtractorException(fmt::format("Invalid W3C span ID: {}", span_id_str)); + } + + // W3C doesn't have a direct parent span concept like B3 + // The W3C span-id becomes our span-id, and we don't set a parent. + uint64_t parent_id(0); + + // Use W3C sampling decision, or fallback if not specified. + bool sampled = w3c_context.sampled() || fallback_sampled; + + return {SpanContext(trace_id_high, trace_id, span_id, parent_id, sampled), true}; +} + } // namespace Zipkin } // namespace Tracers } // namespace Extensions diff --git a/source/extensions/tracers/zipkin/span_context_extractor.h b/source/extensions/tracers/zipkin/span_context_extractor.h index 50f302a40f623..a1df976fac505 100644 --- a/source/extensions/tracers/zipkin/span_context_extractor.h +++ b/source/extensions/tracers/zipkin/span_context_extractor.h @@ -4,6 +4,7 @@ #include "envoy/tracing/tracer.h" #include "source/common/http/header_map_impl.h" +#include "source/extensions/tracers/opentelemetry/span_context_extractor.h" namespace Envoy { namespace Extensions { @@ -21,7 +22,7 @@ struct ExtractorException : public EnvoyException { */ class SpanContextExtractor { public: - SpanContextExtractor(Tracing::TraceContext& trace_context); + SpanContextExtractor(Tracing::TraceContext& trace_context, bool w3c_fallback_enabled = false); ~SpanContextExtractor(); absl::optional extractSampled(); std::pair extractSpanContext(bool is_sampled); @@ -33,8 +34,17 @@ class SpanContextExtractor { * See: "https://github.com/openzipkin/b3-propagation */ std::pair extractSpanContextFromB3SingleFormat(bool is_sampled); + + /* + * Convert W3C span context to Zipkin span context format + */ + std::pair + convertW3CToZipkin(const Extensions::Tracers::OpenTelemetry::SpanContext& w3c_context, + bool fallback_sampled); + bool tryExtractSampledFromB3SingleFormat(); const Tracing::TraceContext& trace_context_; + bool w3c_fallback_enabled_; }; } // namespace Zipkin diff --git a/source/extensions/tracers/zipkin/tracer.h b/source/extensions/tracers/zipkin/tracer.h index 4834855a52f6a..6d038df9f84a3 100644 --- a/source/extensions/tracers/zipkin/tracer.h +++ b/source/extensions/tracers/zipkin/tracer.h @@ -1,12 +1,10 @@ #pragma once -#include "envoy/common/pure.h" #include "envoy/common/random_generator.h" #include "envoy/common/time.h" -#include "envoy/tracing/tracer.h" +#include "envoy/config/trace/v3/zipkin.pb.h" #include "source/extensions/tracers/zipkin/span_context.h" -#include "source/extensions/tracers/zipkin/zipkin_core_constants.h" #include "source/extensions/tracers/zipkin/zipkin_core_types.h" namespace Envoy { @@ -44,6 +42,20 @@ class Tracer : public TracerInterface { shared_span_context_(shared_span_context), time_source_(time_source), split_spans_for_request_(split_spans_for_request) {} + /** + * Sets the trace context option for header injection behavior. + * @param trace_context_option The trace context option from ZipkinConfig. + */ + void setTraceContextOption(TraceContextOption trace_context_option) { + trace_context_option_ = trace_context_option; + } + + /** + * Gets the current trace context option. + * @return The current trace context option. + */ + TraceContextOption traceContextOption() const override { return trace_context_option_; } + // TracerInterface SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, SystemTime timestamp) override; @@ -67,6 +79,7 @@ class Tracer : public TracerInterface { const bool shared_span_context_; TimeSource& time_source_; const bool split_spans_for_request_{}; + TraceContextOption trace_context_option_{envoy::config::trace::v3::ZipkinConfig::USE_B3}; }; using TracerPtr = std::unique_ptr; diff --git a/source/extensions/tracers/zipkin/tracer_interface.h b/source/extensions/tracers/zipkin/tracer_interface.h index 9745bd6970bd9..fc8ad623c985b 100644 --- a/source/extensions/tracers/zipkin/tracer_interface.h +++ b/source/extensions/tracers/zipkin/tracer_interface.h @@ -5,6 +5,7 @@ #include #include "envoy/common/pure.h" +#include "envoy/config/trace/v3/zipkin.pb.h" #include "envoy/tracing/trace_config.h" #include "source/extensions/tracers/zipkin/span_context.h" @@ -14,6 +15,8 @@ namespace Extensions { namespace Tracers { namespace Zipkin { +using TraceContextOption = envoy::config::trace::v3::ZipkinConfig::TraceContextOption; + class Span; using SpanPtr = std::unique_ptr; @@ -69,6 +72,12 @@ class TracerInterface : public Reporter { */ virtual SpanPtr startSpan(const Tracing::Config&, const std::string& span_name, SystemTime timestamp, const SpanContext& previous_context) PURE; + + /** + * Gets the current trace context option for header injection behavior. + * @return The current trace context option. + */ + virtual TraceContextOption traceContextOption() const PURE; }; /** diff --git a/source/extensions/tracers/zipkin/zipkin_core_constants.h b/source/extensions/tracers/zipkin/zipkin_core_constants.h index 3685849259f4e..06aad0c4ebc15 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_constants.h +++ b/source/extensions/tracers/zipkin/zipkin_core_constants.h @@ -53,6 +53,10 @@ class ZipkinCoreConstantValues { // Zipkin b3 single header const Tracing::TraceContextHandler B3{"b3"}; + + // W3C trace context headers + const Tracing::TraceContextHandler TRACE_PARENT{"traceparent"}; + const Tracing::TraceContextHandler TRACE_STATE{"tracestate"}; }; using ZipkinCoreConstants = ConstSingleton; diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.cc b/source/extensions/tracers/zipkin/zipkin_core_types.cc index 8998d1e3a65b6..040c430adff72 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.cc +++ b/source/extensions/tracers/zipkin/zipkin_core_types.cc @@ -2,12 +2,14 @@ #include -#include "source/common/common/utility.h" #include "source/extensions/tracers/zipkin/span_context.h" #include "source/extensions/tracers/zipkin/util.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" #include "source/extensions/tracers/zipkin/zipkin_json_field_names.h" +#include "absl/strings/str_cat.h" +#include "fmt/format.h" + namespace Envoy { namespace Extensions { namespace Tracers { @@ -213,7 +215,9 @@ void Span::log(SystemTime timestamp, const std::string& event) { } void Span::injectContext(Tracing::TraceContext& trace_context, const Tracing::UpstreamContext&) { - // Set the trace-id and span-id headers properly, based on the newly-created span structure. + auto trace_context_option = tracer_.traceContextOption(); + + // Always inject B3 headers ZipkinCoreConstants::get().X_B3_TRACE_ID.setRefKey(trace_context, traceIdAsHexString()); ZipkinCoreConstants::get().X_B3_SPAN_ID.setRefKey(trace_context, idAsHexString()); @@ -225,6 +229,11 @@ void Span::injectContext(Tracing::TraceContext& trace_context, const Tracing::Up // Set the sampled header. ZipkinCoreConstants::get().X_B3_SAMPLED.setRefKey(trace_context, sampled() ? SAMPLED : NOT_SAMPLED); + + // Additionally inject W3C headers if dual propagation is enabled + if (trace_context_option == envoy::config::trace::v3::ZipkinConfig::USE_B3_WITH_W3C_PROPAGATION) { + injectW3CContext(trace_context); + } } Tracing::SpanPtr Span::spawnChild(const Tracing::Config& config, const std::string& name, SystemTime start_time) { @@ -237,6 +246,31 @@ SpanContext Span::spanContext() const { return {trace_id_high_.value_or(0), trace_id_, id_, parent_id_.value_or(0), sampled_, true}; } +void Span::injectW3CContext(Tracing::TraceContext& trace_context) { + // Convert Zipkin span context to W3C traceparent format + // W3C traceparent format: 00-{trace-id}-{span-id}-{trace-flags} + + // Construct the 128-bit trace ID (32 hex chars) + std::string trace_id_str; + if (trace_id_high_.has_value() && trace_id_high_.value() != 0) { + // We have a 128-bit trace ID, use both high and low parts + trace_id_str = absl::StrCat(fmt::format("{:016x}", trace_id_high_.value()), + fmt::format("{:016x}", trace_id_)); + } else { + // We have a 64-bit trace ID, pad with zeros for the high part + trace_id_str = absl::StrCat("0000000000000000", fmt::format("{:016x}", trace_id_)); + } + + // Construct the traceparent header value in W3C format: version-traceid-spanid-flags + std::string traceparent_value = + fmt::format("00-{}-{:016x}-{}", trace_id_str, id_, sampled() ? "01" : "00"); + + // Set the W3C traceparent header + ZipkinCoreConstants::get().TRACE_PARENT.setRefKey(trace_context, traceparent_value); + + // For now, we don't set tracestate as it's optional and we don't have vendor-specific data +} + } // namespace Zipkin } // namespace Tracers } // namespace Extensions diff --git a/source/extensions/tracers/zipkin/zipkin_core_types.h b/source/extensions/tracers/zipkin/zipkin_core_types.h index 14e5516739cee..52c8d3806e2ab 100644 --- a/source/extensions/tracers/zipkin/zipkin_core_types.h +++ b/source/extensions/tracers/zipkin/zipkin_core_types.h @@ -572,6 +572,11 @@ class Span : public ZipkinBase, public Tracing::Span { std::string getTraceId() const override { return traceIdAsHexString(); }; private: + /** + * Injects W3C trace context headers based on this span's context. + * @param trace_context The trace context to inject headers into. + */ + void injectW3CContext(Tracing::TraceContext& trace_context); static const std::string EMPTY_HEX_STRING_; uint64_t trace_id_{0}; std::string name_; diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc index b623c0f26207e..cdd2b6fc96b89 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc @@ -2,15 +2,11 @@ #include "envoy/config/trace/v3/zipkin.pb.h" -#include "source/common/common/empty_string.h" #include "source/common/common/enum_to_int.h" -#include "source/common/common/fmt.h" -#include "source/common/common/utility.h" #include "source/common/config/utility.h" #include "source/common/http/headers.h" #include "source/common/http/message_impl.h" #include "source/common/http/utility.h" -#include "source/common/tracing/http_tracer_impl.h" #include "source/extensions/tracers/zipkin/span_context_extractor.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" @@ -30,7 +26,7 @@ Driver::Driver(const envoy::config::trace::v3::ZipkinConfig& zipkin_config, : cm_(cluster_manager), tracer_stats_{ZIPKIN_TRACER_STATS(POOL_COUNTER_PREFIX(scope, "tracing.zipkin."))}, tls_(tls.allocateSlot()), runtime_(runtime), local_info_(local_info), - time_source_(time_source) { + time_source_(time_source), trace_context_option_(zipkin_config.trace_context_option()) { THROW_IF_NOT_OK_REF(Config::Utility::checkCluster("envoy.tracers.zipkin", zipkin_config.collector_cluster(), cm_, /* allow_added_via_api */ true) @@ -59,6 +55,7 @@ Driver::Driver(const envoy::config::trace::v3::ZipkinConfig& zipkin_config, TracerPtr tracer = std::make_unique( local_info_.clusterName(), local_info_.address(), random_generator, trace_id_128bit, shared_span_context, time_source_, split_spans_for_request); + tracer->setTraceContextOption(trace_context_option_); tracer->setReporter( ReporterImpl::newInstance(std::ref(*this), std::ref(dispatcher), collector)); return std::make_shared(std::move(tracer), *this); @@ -71,7 +68,9 @@ Tracing::SpanPtr Driver::startSpan(const Tracing::Config& config, Tracing::Decision tracing_decision) { Tracer& tracer = *tls_->getTyped().tracer_; SpanPtr new_zipkin_span; - SpanContextExtractor extractor(trace_context); + + // W3C fallback extraction is only enabled when USE_B3_WITH_W3C_PROPAGATION is configured + SpanContextExtractor extractor(trace_context, w3cFallbackEnabled()); const absl::optional sampled = extractor.extractSampled(); bool use_local_decision = !sampled.has_value(); TRY_NEEDS_AUDIT { diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h index bd0e12b500cf7..57bd21876b5f0 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h @@ -8,12 +8,7 @@ #include "envoy/tracing/trace_driver.h" #include "envoy/upstream/cluster_manager.h" -#include "source/common/common/empty_string.h" #include "source/common/http/async_client_utility.h" -#include "source/common/http/header_map_impl.h" -#include "source/common/json/json_loader.h" -#include "source/common/tracing/common_values.h" -#include "source/common/tracing/null_span_impl.h" #include "source/common/upstream/cluster_update_tracker.h" #include "source/extensions/tracers/zipkin/span_buffer.h" #include "source/extensions/tracers/zipkin/tracer.h" @@ -72,6 +67,11 @@ class Driver : public Tracing::Driver { const std::string& hostname() { return hostname_; } Runtime::Loader& runtime() { return runtime_; } ZipkinTracerStats& tracerStats() { return tracer_stats_; } + bool w3cFallbackEnabled() const { + return trace_context_option_ == + envoy::config::trace::v3::ZipkinConfig::USE_B3_WITH_W3C_PROPAGATION; + } + TraceContextOption traceContextOption() const { return trace_context_option_; } private: /** @@ -92,6 +92,7 @@ class Driver : public Tracing::Driver { Runtime::Loader& runtime_; const LocalInfo::LocalInfo& local_info_; TimeSource& time_source_; + TraceContextOption trace_context_option_; }; /** diff --git a/test/coverage.yaml b/test/coverage.yaml index 9f790a19a458d..d0b2b2be3e2b6 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -65,7 +65,7 @@ directories: source/extensions/rate_limit_descriptors/expr: 88.2 source/extensions/stat_sinks/graphite_statsd: 82.8 # Death tests don't report LCOV source/extensions/stat_sinks/statsd: 85.2 # Death tests don't report LCOV - source/extensions/tracers/zipkin: 96.1 + source/extensions/tracers/zipkin: 95.4 source/extensions/transport_sockets/proxy_protocol: 96.2 source/extensions/wasm_runtime/wamr: 0.0 # Not enabled in coverage build source/extensions/wasm_runtime/wasmtime: 0.0 # Not enabled in coverage build diff --git a/test/extensions/tracers/zipkin/span_buffer_test.cc b/test/extensions/tracers/zipkin/span_buffer_test.cc index fdf3cb063f191..d266d371a1b9e 100644 --- a/test/extensions/tracers/zipkin/span_buffer_test.cc +++ b/test/extensions/tracers/zipkin/span_buffer_test.cc @@ -29,6 +29,9 @@ class EmptyTracer : public TracerInterface { return nullptr; } void reportSpan(Span&&) override {} + envoy::config::trace::v3::ZipkinConfig::TraceContextOption traceContextOption() const override { + return envoy::config::trace::v3::ZipkinConfig::USE_B3; + } }; // If this default timestamp is wrapped as double (using ValueUtil::numberValue()) and then it is diff --git a/test/extensions/tracers/zipkin/span_context_extractor_test.cc b/test/extensions/tracers/zipkin/span_context_extractor_test.cc index 2de89adcb2ee6..06c916e22d416 100644 --- a/test/extensions/tracers/zipkin/span_context_extractor_test.cc +++ b/test/extensions/tracers/zipkin/span_context_extractor_test.cc @@ -407,6 +407,227 @@ TEST(ZipkinSpanContextExtractorTest, Truncated) { } } +// Test W3C fallback functionality +TEST(ZipkinSpanContextExtractorTest, W3CFallbackDisabledByDefault) { + // Test that W3C headers are ignored when w3c_fallback is disabled (default) + Tracing::TestTraceContextImpl request_headers{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor(request_headers); // w3c_fallback disabled by default + auto context = extractor.extractSpanContext(true); + EXPECT_FALSE(context.second); // Should not extract context from W3C headers + EXPECT_FALSE(extractor.extractSampled().has_value()); +} + +TEST(ZipkinSpanContextExtractorTest, W3CFallbackEnabled) { + // Test that W3C headers are used when w3c_fallback is enabled + Tracing::TestTraceContextImpl request_headers{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor(request_headers, true); // w3c_fallback enabled + auto context = extractor.extractSpanContext(true); + EXPECT_TRUE(context.second); // Should extract context from W3C headers + EXPECT_TRUE(extractor.extractSampled().value()); + + // Verify the converted values + EXPECT_EQ(0xb7ad6b7169203331, context.first.id()); // W3C span-id becomes span-id + EXPECT_EQ(0, context.first.parentId()); // No parent in W3C conversion + EXPECT_TRUE(context.first.is128BitTraceId()); + EXPECT_EQ(0x8448eb211c80319c, context.first.traceId()); // Low 64 bits + EXPECT_EQ(0x0af7651916cd43dd, context.first.traceIdHigh()); // High 64 bits +} + +TEST(ZipkinSpanContextExtractorTest, B3TakesPrecedenceOverW3C) { + // Test that B3 headers take precedence over W3C headers when both are present + Tracing::TestTraceContextImpl request_headers{ + {"b3", fmt::format("{}-{}-1", trace_id, span_id)}, + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor(request_headers, true); // w3c_fallback enabled + auto context = extractor.extractSpanContext(true); + EXPECT_TRUE(context.second); + + // Should use B3 values, not W3C values + EXPECT_EQ(3, context.first.id()); // From B3 span_id + EXPECT_EQ(0, context.first.parentId()); + EXPECT_FALSE(context.first.is128BitTraceId()); // B3 uses 64-bit in this test + EXPECT_EQ(1, context.first.traceId()); // From B3 trace_id +} + +TEST(ZipkinSpanContextExtractorTest, W3CFallbackWithInvalidHeaders) { + // Test that invalid W3C headers are handled gracefully + Tracing::TestTraceContextImpl request_headers{{"traceparent", "invalid-header-format"}}; + SpanContextExtractor extractor(request_headers, true); // w3c_fallback enabled + auto context = extractor.extractSpanContext(true); + EXPECT_FALSE(context.second); // Should not extract context from invalid W3C headers + EXPECT_FALSE(extractor.extractSampled().has_value()); +} + +TEST(ZipkinSpanContextExtractorTest, W3CFallbackWithInvalidTraceIdLength) { + // Test invalid W3C trace ID length (too short) + Tracing::TestTraceContextImpl request_headers{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor(request_headers, true); + auto context = extractor.extractSpanContext(true); + EXPECT_FALSE(context.second); + + // Test invalid W3C trace ID length (too long) + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c123-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); +} + +TEST(ZipkinSpanContextExtractorTest, W3CTraceIdLengthValidation) { + // Test that invalid W3C trace ID lengths are properly rejected + // Invalid headers should not extract a valid context (context.second should be false) + + // Too short trace ID (31 chars instead of 32) + Tracing::TestTraceContextImpl request_headers1{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor1(request_headers1, true); + auto context1 = extractor1.extractSpanContext(true); + EXPECT_FALSE(context1.second); // Should not extract context from invalid trace ID length + + // Too long trace ID (33 chars instead of 32) + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c1-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); // Should not extract context from invalid trace ID length + + // Empty trace ID + Tracing::TestTraceContextImpl request_headers3{{"traceparent", "00--b7ad6b7169203331-01"}}; + SpanContextExtractor extractor3(request_headers3, true); + auto context3 = extractor3.extractSpanContext(true); + EXPECT_FALSE(context3.second); // Should not extract context from empty trace ID +} + +TEST(ZipkinSpanContextExtractorTest, W3CFallbackWithInvalidSpanIdLength) { + // Test invalid W3C span ID length (too short) + Tracing::TestTraceContextImpl request_headers{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b716920331-01"}}; + SpanContextExtractor extractor(request_headers, true); + auto context = extractor.extractSpanContext(true); + EXPECT_FALSE(context.second); + + // Test invalid W3C span ID length (too long) + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331123-01"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); +} + +TEST(ZipkinSpanContextExtractorTest, W3CFallbackWithInvalidHexCharacters) { + // Test invalid hex characters in trace ID + Tracing::TestTraceContextImpl request_headers{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319g-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor(request_headers, true); + auto context = extractor.extractSpanContext(true); + EXPECT_FALSE(context.second); + + // Test invalid hex characters in span ID + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331g-01"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); +} + +TEST(ZipkinSpanContextExtractorTest, W3CTraceIdHexValidation) { + // Test that invalid hex characters in W3C trace IDs are properly rejected + // Invalid headers should not extract a valid context (context.second should be false) + + // Invalid hex character 'g' in high part of trace ID + Tracing::TestTraceContextImpl request_headers1{ + {"traceparent", "00-0af7651916cd43dg8448eb211c80319c-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor1(request_headers1, true); + auto context1 = extractor1.extractSpanContext(true); + EXPECT_FALSE(context1.second); // Should not extract context from invalid hex in trace ID + + // Invalid hex character 'z' in low part of trace ID + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319z-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); // Should not extract context from invalid hex in trace ID + + // Invalid character at start of trace ID + Tracing::TestTraceContextImpl request_headers3{ + {"traceparent", "00-xaf7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor3(request_headers3, true); + auto context3 = extractor3.extractSpanContext(true); + EXPECT_FALSE(context3.second); // Should not extract context from invalid hex in trace ID + + // Invalid character at end of trace ID + Tracing::TestTraceContextImpl request_headers4{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319x-b7ad6b7169203331-01"}}; + SpanContextExtractor extractor4(request_headers4, true); + auto context4 = extractor4.extractSpanContext(true); + EXPECT_FALSE(context4.second); // Should not extract context from invalid hex in trace ID +} + +TEST(ZipkinSpanContextExtractorTest, W3CSpanIdHexValidation) { + // Test that invalid hex characters in W3C span IDs are properly rejected + // Invalid headers should not extract a valid context (context.second should be false) + + // Invalid hex character 'g' in span ID + Tracing::TestTraceContextImpl request_headers1{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331g-01"}}; + SpanContextExtractor extractor1(request_headers1, true); + auto context1 = extractor1.extractSpanContext(true); + EXPECT_FALSE(context1.second); // Should not extract context from invalid hex in span ID + + // Invalid hex character 'z' in span ID + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331z-01"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); // Should not extract context from invalid hex in span ID + + // Invalid character at start of span ID + Tracing::TestTraceContextImpl request_headers3{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-x7ad6b7169203331-01"}}; + SpanContextExtractor extractor3(request_headers3, true); + auto context3 = extractor3.extractSpanContext(true); + EXPECT_FALSE(context3.second); // Should not extract context from invalid hex in span ID + + // Invalid character in middle of span ID + Tracing::TestTraceContextImpl request_headers4{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b71692x3331-01"}}; + SpanContextExtractor extractor4(request_headers4, true); + auto context4 = extractor4.extractSpanContext(true); + EXPECT_FALSE(context4.second); // Should not extract context from invalid hex in span ID + + // Non-hex character like space + Tracing::TestTraceContextImpl request_headers5{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203 31-01"}}; + SpanContextExtractor extractor5(request_headers5, true); + auto context5 = extractor5.extractSpanContext(true); + EXPECT_FALSE(context5.second); // Should not extract context from invalid hex in span ID +} + +TEST(ZipkinSpanContextExtractorTest, W3CFallbackWithMalformedTraceparent) { + // Test missing components + Tracing::TestTraceContextImpl request_headers{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c"}}; + SpanContextExtractor extractor(request_headers, true); + auto context = extractor.extractSpanContext(true); + EXPECT_FALSE(context.second); + + // Test wrong number of dashes + Tracing::TestTraceContextImpl request_headers2{ + {"traceparent", "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01-extra"}}; + SpanContextExtractor extractor2(request_headers2, true); + auto context2 = extractor2.extractSpanContext(true); + EXPECT_FALSE(context2.second); + + // Test empty traceparent + Tracing::TestTraceContextImpl request_headers3{{"traceparent", ""}}; + SpanContextExtractor extractor3(request_headers3, true); + auto context3 = extractor3.extractSpanContext(true); + EXPECT_FALSE(context3.second); +} + } // namespace Zipkin } // namespace Tracers } // namespace Extensions diff --git a/test/extensions/tracers/zipkin/zipkin_core_types_test.cc b/test/extensions/tracers/zipkin/zipkin_core_types_test.cc index 234d16487ba3a..850a279455f9b 100644 --- a/test/extensions/tracers/zipkin/zipkin_core_types_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_core_types_test.cc @@ -360,6 +360,8 @@ class MockTracer : public TracerInterface { const SpanContext& parent_context), ()); MOCK_METHOD(void, reportSpan, (Span && span), ()); + MOCK_METHOD(envoy::config::trace::v3::ZipkinConfig::TraceContextOption, traceContextOption, (), + (const)); }; TEST(ZipkinCoreTypesSpanTest, defaultConstructor) { diff --git a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc index 42bcd892fe221..d72677cd37073 100644 --- a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc @@ -5,11 +5,8 @@ #include "envoy/config/trace/v3/zipkin.pb.h" -#include "source/common/http/header_map_impl.h" #include "source/common/http/headers.h" #include "source/common/http/message_impl.h" -#include "source/common/runtime/runtime_impl.h" -#include "source/common/tracing/http_tracer_impl.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" #include "source/extensions/tracers/zipkin/zipkin_tracer_impl.h" @@ -206,6 +203,141 @@ TEST_F(ZipkinDriverTest, InitializeDriver) { } } +TEST_F(ZipkinDriverTest, TraceContextOptionConfiguration) { + cm_.initializeClusters({"fake_cluster"}, {}); + + { + // Test default trace_context_option value (USE_B3) - W3C fallback should be disabled. + const std::string yaml_string = R"EOF( + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_endpoint_version: HTTP_JSON + )EOF"; + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + + setup(zipkin_config, true); + EXPECT_FALSE(driver_->w3cFallbackEnabled()); // W3C fallback should be disabled by default + EXPECT_EQ(driver_->traceContextOption(), envoy::config::trace::v3::ZipkinConfig::USE_B3); + } + + { + // Test trace_context_option explicitly set to USE_B3 - W3C fallback should be disabled. + const std::string yaml_string = R"EOF( + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_endpoint_version: HTTP_JSON + trace_context_option: USE_B3 + )EOF"; + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + + setup(zipkin_config, true); + EXPECT_FALSE(driver_->w3cFallbackEnabled()); // W3C fallback should be disabled + EXPECT_EQ(driver_->traceContextOption(), envoy::config::trace::v3::ZipkinConfig::USE_B3); + } + + { + // Test trace_context_option set to USE_B3_WITH_W3C_PROPAGATION - W3C fallback should be + // enabled. + const std::string yaml_string = R"EOF( + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_endpoint_version: HTTP_JSON + trace_context_option: USE_B3_WITH_W3C_PROPAGATION + )EOF"; + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + + setup(zipkin_config, true); + EXPECT_TRUE(driver_->w3cFallbackEnabled()); // W3C fallback should be enabled + EXPECT_EQ(driver_->traceContextOption(), + envoy::config::trace::v3::ZipkinConfig::USE_B3_WITH_W3C_PROPAGATION); + } +} + +TEST_F(ZipkinDriverTest, DualHeaderExtractionAndInjection) { + cm_.initializeClusters({"fake_cluster"}, {}); + + // Test complete dual header cycle: extract from B3 headers, then inject both B3 and W3C headers + const std::string yaml_string = R"EOF( + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_endpoint_version: HTTP_JSON + trace_context_option: USE_B3_WITH_W3C_PROPAGATION + )EOF"; + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + + setup(zipkin_config, true); + + // Step 1: Simulate incoming request with B3 headers (extraction phase) + Tracing::TestTraceContextImpl incoming_trace_context{ + {"x-b3-traceid", "463ac35c9f6413ad48485a3953bb6124"}, + {"x-b3-spanid", "a2fb4a1d1a96d312"}, + {"x-b3-sampled", "1"}}; + + // Create a span from the incoming B3 headers + Tracing::SpanPtr span = driver_->startSpan(config_, incoming_trace_context, stream_info_, + "test_operation", {Tracing::Reason::Sampling, true}); + + // Step 2: Inject context for outgoing request (injection phase) + Tracing::TestTraceContextImpl outgoing_trace_context{{}}; + Tracing::UpstreamContext upstream_context; + span->injectContext(outgoing_trace_context, upstream_context); + + // Step 3: Verify both B3 and W3C headers are injected + + // Verify B3 headers are injected + auto b3_traceid = outgoing_trace_context.get("x-b3-traceid"); + auto b3_spanid = outgoing_trace_context.get("x-b3-spanid"); + auto b3_sampled = outgoing_trace_context.get("x-b3-sampled"); + + EXPECT_TRUE(b3_traceid.has_value()); + EXPECT_TRUE(b3_spanid.has_value()); + EXPECT_TRUE(b3_sampled.has_value()); + + // Verify the trace ID is preserved from extraction + EXPECT_EQ(b3_traceid.value(), "463ac35c9f6413ad48485a3953bb6124"); + EXPECT_EQ(b3_sampled.value(), "1"); + + // Verify W3C traceparent header is also injected + auto traceparent = outgoing_trace_context.get("traceparent"); + EXPECT_TRUE(traceparent.has_value()); + EXPECT_FALSE(traceparent.value().empty()); + + // Verify traceparent format and contains the same trace ID + const std::string traceparent_value = std::string(traceparent.value()); + EXPECT_EQ(traceparent_value.length(), 55); // 2+1+32+1+16+1+2 + EXPECT_EQ(traceparent_value.substr(0, 3), "00-"); // version + EXPECT_EQ(traceparent_value.substr(3, 32), "463ac35c9f6413ad48485a3953bb6124"); // same trace ID + EXPECT_EQ(traceparent_value[35], '-'); // separator after trace-id + EXPECT_EQ(traceparent_value[52], '-'); // separator after span-id + EXPECT_EQ(traceparent_value.substr(53, 2), "01"); // sampled flag + + // Step 4: Test W3C extraction fallback when B3 headers are not present + Tracing::TestTraceContextImpl w3c_only_context{ + {"traceparent", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"}}; + + Tracing::SpanPtr w3c_span = + driver_->startSpan(config_, w3c_only_context, stream_info_, "w3c_test_operation", + {Tracing::Reason::Sampling, true}); + + // Inject context for W3C extracted span + Tracing::TestTraceContextImpl w3c_outgoing_context{{}}; + w3c_span->injectContext(w3c_outgoing_context, upstream_context); + + // Verify both B3 and W3C headers are injected even when extracted from W3C + EXPECT_TRUE(w3c_outgoing_context.get("x-b3-traceid").has_value()); + EXPECT_TRUE(w3c_outgoing_context.get("x-b3-spanid").has_value()); + EXPECT_TRUE(w3c_outgoing_context.get("x-b3-sampled").has_value()); + EXPECT_TRUE(w3c_outgoing_context.get("traceparent").has_value()); + + // Verify the trace ID is preserved from W3C extraction + auto w3c_b3_traceid = w3c_outgoing_context.get("x-b3-traceid"); + EXPECT_EQ(w3c_b3_traceid.value(), "4bf92f3577b34da6a3ce929d0e0e4736"); +} + TEST_F(ZipkinDriverTest, AllowCollectorClusterToBeAddedViaApi) { cm_.initializeClusters({"fake_cluster"}, {}); ON_CALL(*cm_.active_clusters_["fake_cluster"]->info_, addedViaApi()).WillByDefault(Return(true)); From aaa6d018d66913d004f3f7098ad3477adeb81f03 Mon Sep 17 00:00:00 2001 From: Pradeep Rao <84025829+pradeepcrao@users.noreply.github.com> Date: Sat, 16 Aug 2025 09:54:59 -0400 Subject: [PATCH 244/505] async-client: refactor - use shared grpc async client instead of unique (#40629) Signed-off-by: pcrao --- envoy/config/grpc_mux.h | 4 +- envoy/config/subscription_factory.h | 4 +- source/common/config/null_grpc_mux_impl.h | 4 +- source/common/config/utility.cc | 31 +++- source/common/config/utility.h | 16 ++ source/common/config/xds_manager_impl.cc | 169 +++++++++--------- source/common/grpc/typed_async_client.h | 3 +- .../common/upstream/cluster_manager_impl.cc | 7 +- source/common/upstream/load_stats_reporter.cc | 2 +- source/common/upstream/load_stats_reporter.h | 2 +- .../grpc/grpc_mux_context.h | 4 +- .../config_subscription/grpc/grpc_mux_impl.cc | 15 +- .../config_subscription/grpc/grpc_mux_impl.h | 8 +- .../config_subscription/grpc/grpc_stream.h | 3 +- .../grpc/grpc_subscription_factory.cc | 4 +- .../grpc/new_grpc_mux_impl.cc | 13 +- .../grpc/new_grpc_mux_impl.h | 8 +- .../grpc/xds_mux/grpc_mux_impl.cc | 18 +- .../grpc/xds_mux/grpc_mux_impl.h | 18 +- test/common/config/xds_manager_impl_test.cc | 40 ++--- test/mocks/config/mocks.h | 4 +- 21 files changed, 213 insertions(+), 164 deletions(-) diff --git a/envoy/config/grpc_mux.h b/envoy/config/grpc_mux.h index 690b5463d93ac..d6408e1c907c6 100644 --- a/envoy/config/grpc_mux.h +++ b/envoy/config/grpc_mux.h @@ -120,8 +120,8 @@ class GrpcMux { * Updates the current gRPC-Mux object to use a new gRPC client, and config. */ virtual absl::Status - updateMuxSource(Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope& scope, + updateMuxSource(Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) PURE; }; diff --git a/envoy/config/subscription_factory.h b/envoy/config/subscription_factory.h index c9977e7773e93..9fb51f6c4a823 100644 --- a/envoy/config/subscription_factory.h +++ b/envoy/config/subscription_factory.h @@ -140,8 +140,8 @@ class MuxFactory : public Config::UntypedFactory { std::string category() const override { return "envoy.config_mux"; } virtual void shutdownAll() PURE; virtual std::shared_ptr - create(std::unique_ptr&& async_client, - std::unique_ptr&& async_failover_client, + create(std::shared_ptr&& async_client, + std::shared_ptr&& async_failover_client, Event::Dispatcher& dispatcher, Random::RandomGenerator& random, Stats::Scope& scope, const envoy::config::core::v3::ApiConfigSource& ads_config, const LocalInfo::LocalInfo& local_info, diff --git a/source/common/config/null_grpc_mux_impl.h b/source/common/config/null_grpc_mux_impl.h index 924e037799f62..a90a4b49e0f39 100644 --- a/source/common/config/null_grpc_mux_impl.h +++ b/source/common/config/null_grpc_mux_impl.h @@ -27,8 +27,8 @@ class NullGrpcMuxImpl : public GrpcMux, ENVOY_BUG(false, "unexpected request for on demand update"); } - absl::Status updateMuxSource(Grpc::RawAsyncClientPtr&&, Grpc::RawAsyncClientPtr&&, Stats::Scope&, - BackOffStrategyPtr&&, + absl::Status updateMuxSource(Grpc::RawAsyncClientSharedPtr&&, Grpc::RawAsyncClientSharedPtr&&, + Stats::Scope&, BackOffStrategyPtr&&, const envoy::config::core::v3::ApiConfigSource&) override { return absl::UnimplementedError(""); } diff --git a/source/common/config/utility.cc b/source/common/config/utility.cc index 43406c7281f5b..9bab06ab810b2 100644 --- a/source/common/config/utility.cc +++ b/source/common/config/utility.cc @@ -7,12 +7,14 @@ #include "envoy/config/core/v3/grpc_service.pb.h" #include "envoy/config/endpoint/v3/endpoint.pb.h" #include "envoy/config/endpoint/v3/endpoint_components.pb.h" +#include "envoy/grpc/async_client_manager.h" #include "envoy/stats/scope.h" #include "source/common/common/assert.h" #include "source/common/protobuf/utility.h" #include "absl/status/status.h" +#include "absl/types/optional.h" namespace Envoy { namespace Config { @@ -240,10 +242,10 @@ bool isApiTypeNonAggregated(const envoy::config::core::v3::ApiConfigSource::ApiT } } // namespace -absl::StatusOr Utility::factoryForGrpcApiConfigSource( - Grpc::AsyncClientManager& async_client_manager, - const envoy::config::core::v3::ApiConfigSource& api_config_source, Stats::Scope& scope, - bool skip_cluster_check, int grpc_service_idx, bool xdstp_config_source) { +absl::StatusOr> +Utility::getGrpcConfigFromApiConfigSource( + const envoy::config::core::v3::ApiConfigSource& api_config_source, int grpc_service_idx, + bool xdstp_config_source) { RETURN_IF_NOT_OK(checkApiConfigSourceNames( api_config_source, Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support") ? 2 : 1)); @@ -264,13 +266,26 @@ absl::StatusOr Utility::factoryForGrpcApiConfigSour if (grpc_service_idx >= api_config_source.grpc_services_size()) { // No returned factory in case there's no entry. - return nullptr; + return absl::nullopt; } - envoy::config::core::v3::GrpcService grpc_service; - grpc_service.MergeFrom(api_config_source.grpc_services(grpc_service_idx)); + return Envoy::makeOptRef(api_config_source.grpc_services(grpc_service_idx)); +} + +absl::StatusOr Utility::factoryForGrpcApiConfigSource( + Grpc::AsyncClientManager& async_client_manager, + const envoy::config::core::v3::ApiConfigSource& api_config_source, Stats::Scope& scope, + bool skip_cluster_check, int grpc_service_idx, bool xdstp_config_source) { - return async_client_manager.factoryForGrpcService(grpc_service, scope, skip_cluster_check); + absl::StatusOr> maybe_grpc_service = + getGrpcConfigFromApiConfigSource(api_config_source, grpc_service_idx, xdstp_config_source); + RETURN_IF_NOT_OK(maybe_grpc_service.status()); + + if (!maybe_grpc_service.value().has_value()) { + return nullptr; + } + return async_client_manager.factoryForGrpcService(*maybe_grpc_service.value(), scope, + skip_cluster_check); } absl::Status Utility::translateOpaqueConfig(const Protobuf::Any& typed_config, diff --git a/source/common/config/utility.h b/source/common/config/utility.h index a272b991896ca..469ffd47e2264 100644 --- a/source/common/config/utility.h +++ b/source/common/config/utility.h @@ -387,6 +387,22 @@ class Utility { */ static std::string truncateGrpcStatusMessage(absl::string_view error_message); + /** + * Obtain Grpc service config from the api config source. + * @param api_config_source envoy::config::core::v3::ApiConfigSource. Must have config type GRPC. + * @param grpc_service_idx index of the grpc service in the api_config_source. If there's no entry + * in the given index, a nullptr factory will be returned. + * @param xdstp_config_source whether the config source will be used for xdstp config source. + * These sources must be of type AGGREGATED_GRPC or + * AGGREGATED_DELTA_GRPC. + * @return OptRef to either const envoy::config::core::v3::GrpcService or nullptr if there's no + * grpc_service in the given index. + */ + static absl::StatusOr> + getGrpcConfigFromApiConfigSource( + const envoy::config::core::v3::ApiConfigSource& api_config_source, int grpc_service_idx, + bool xdstp_config_source); + /** * Obtain gRPC async client factory from a envoy::config::core::v3::ApiConfigSource. * @param async_client_manager gRPC async client manager. diff --git a/source/common/config/xds_manager_impl.cc b/source/common/config/xds_manager_impl.cc index 699aec512dcd7..e011c1288aac8 100644 --- a/source/common/config/xds_manager_impl.cc +++ b/source/common/config/xds_manager_impl.cc @@ -1,24 +1,73 @@ #include "source/common/config/xds_manager_impl.h" +#include +#include +#include +#include +#include +#include + +#include "envoy/common/exception.h" +#include "envoy/common/optref.h" +#include "envoy/config/core/v3/config_source.pb.h" #include "envoy/config/core/v3/config_source.pb.validate.h" - +#include "envoy/config/custom_config_validators.h" +#include "envoy/config/grpc_mux.h" +#include "envoy/config/subscription.h" +#include "envoy/config/subscription_factory.h" +#include "envoy/config/xds_config_tracker.h" +#include "envoy/config/xds_resources_delegate.h" +#include "envoy/grpc/async_client.h" +#include "envoy/grpc/async_client_manager.h" +#include "envoy/stats/scope.h" +#include "envoy/upstream/cluster_manager.h" + +#include "source/common/common/assert.h" +#include "source/common/common/backoff_strategy.h" +#include "source/common/common/cleanup.h" +#include "source/common/common/logger.h" #include "source/common/common/thread.h" #include "source/common/config/custom_config_validators_impl.h" #include "source/common/config/null_grpc_mux_impl.h" +#include "source/common/config/subscription_factory_impl.h" #include "source/common/config/utility.h" +#include "source/common/config/xds_resource.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/protobuf/utility.h" +#include "source/common/runtime/runtime_features.h" + +#include "absl/container/flat_hash_set.h" +#include "absl/status/status.h" +#include "absl/status/statusor.h" +#include "absl/strings/string_view.h" namespace Envoy { namespace Config { namespace { -absl::Status createClients(Grpc::AsyncClientFactoryPtr& primary_factory, - Grpc::AsyncClientFactoryPtr& failover_factory, - Grpc::RawAsyncClientPtr& primary_client, - Grpc::RawAsyncClientPtr& failover_client) { - absl::StatusOr success = primary_factory->createUncachedRawAsyncClient(); +absl::Status createGrpcClients(Grpc::AsyncClientManager& async_client_manager, + const envoy::config::core::v3::ApiConfigSource& config_source, + Stats::Scope& stats_scope, bool skip_cluster_check, + bool xdstp_config_source, + Grpc::RawAsyncClientSharedPtr& primary_client, + Grpc::RawAsyncClientSharedPtr& failover_client) { + auto factory_primary_or_error = Config::Utility::factoryForGrpcApiConfigSource( + async_client_manager, config_source, stats_scope, skip_cluster_check, 0 /*grpc_service_idx*/, + xdstp_config_source); + RETURN_IF_NOT_OK_REF(factory_primary_or_error.status()); + Grpc::AsyncClientFactoryPtr factory_failover = nullptr; + if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { + auto factory_failover_or_error = Config::Utility::factoryForGrpcApiConfigSource( + async_client_manager, config_source, stats_scope, skip_cluster_check, + 1 /*grpc_service_idx*/, xdstp_config_source); + RETURN_IF_NOT_OK_REF(factory_failover_or_error.status()); + factory_failover = std::move(factory_failover_or_error.value()); + } + absl::StatusOr success = + factory_primary_or_error.value()->createUncachedRawAsyncClient(); RETURN_IF_NOT_OK_REF(success.status()); primary_client = std::move(*success); - if (failover_factory) { - success = failover_factory->createUncachedRawAsyncClient(); + if (factory_failover) { + success = factory_failover->createUncachedRawAsyncClient(); RETURN_IF_NOT_OK_REF(success.status()); failover_client = std::move(*success); } @@ -119,22 +168,13 @@ XdsManagerImpl::initializeAdsConnections(const envoy::config::bootstrap::v3::Boo if (!factory) { return absl::InvalidArgumentError(fmt::format("{} not found", name)); } - auto factory_primary_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), dyn_resources.ads_config(), *stats_.rootScope(), false, 0, - false); - RETURN_IF_NOT_OK_REF(factory_primary_or_error.status()); - Grpc::AsyncClientFactoryPtr factory_failover = nullptr; - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { - auto factory_failover_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), dyn_resources.ads_config(), *stats_.rootScope(), false, - 1, false); - RETURN_IF_NOT_OK_REF(factory_failover_or_error.status()); - factory_failover = std::move(factory_failover_or_error.value()); - } - Grpc::RawAsyncClientPtr primary_client; - Grpc::RawAsyncClientPtr failover_client; - RETURN_IF_NOT_OK(createClients(factory_primary_or_error.value(), factory_failover, - primary_client, failover_client)); + Grpc::RawAsyncClientSharedPtr primary_client; + Grpc::RawAsyncClientSharedPtr failover_client; + RETURN_IF_NOT_OK(createGrpcClients(cm_->grpcAsyncClientManager(), dyn_resources.ads_config(), + *stats_.rootScope(), /*skip_cluster_check*/ false, + /*xdstp_config_source*/ false, primary_client, + failover_client)); + ads_mux_ = factory->create(std::move(primary_client), std::move(failover_client), main_thread_dispatcher_, random_, *stats_.rootScope(), dyn_resources.ads_config(), local_info_, @@ -154,24 +194,14 @@ XdsManagerImpl::initializeAdsConnections(const envoy::config::bootstrap::v3::Boo if (!factory) { return absl::InvalidArgumentError(fmt::format("{} not found", name)); } - auto factory_primary_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), dyn_resources.ads_config(), *stats_.rootScope(), false, 0, - false); - RETURN_IF_NOT_OK_REF(factory_primary_or_error.status()); - Grpc::AsyncClientFactoryPtr factory_failover = nullptr; - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { - auto factory_failover_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), dyn_resources.ads_config(), *stats_.rootScope(), false, - 1, false); - RETURN_IF_NOT_OK_REF(factory_failover_or_error.status()); - factory_failover = std::move(factory_failover_or_error.value()); - } + Grpc::RawAsyncClientSharedPtr primary_client; + Grpc::RawAsyncClientSharedPtr failover_client; + RETURN_IF_NOT_OK(createGrpcClients(cm_->grpcAsyncClientManager(), dyn_resources.ads_config(), + *stats_.rootScope(), /*skip_cluster_check*/ false, + /*xdstp_config_source*/ false, primary_client, + failover_client)); OptRef xds_resources_delegate = makeOptRefFromPtr(xds_resources_delegate_.get()); - Grpc::RawAsyncClientPtr primary_client; - Grpc::RawAsyncClientPtr failover_client; - RETURN_IF_NOT_OK(createClients(factory_primary_or_error.value(), factory_failover, - primary_client, failover_client)); ads_mux_ = factory->create(std::move(primary_client), std::move(failover_client), main_thread_dispatcher_, random_, *stats_.rootScope(), dyn_resources.ads_config(), local_info_, @@ -363,20 +393,12 @@ XdsManagerImpl::createAuthority(const envoy::config::core::v3::ConfigSource& con if (!factory) { return absl::InvalidArgumentError(fmt::format("{} not found", name)); } - auto factory_primary_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), api_config_source, *stats_.rootScope(), false, 0, true); - RETURN_IF_NOT_OK_REF(factory_primary_or_error.status()); - Grpc::AsyncClientFactoryPtr factory_failover = nullptr; - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { - auto factory_failover_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), api_config_source, *stats_.rootScope(), false, 1, true); - RETURN_IF_NOT_OK_REF(factory_failover_or_error.status()); - factory_failover = std::move(factory_failover_or_error.value()); - } - Grpc::RawAsyncClientPtr primary_client; - Grpc::RawAsyncClientPtr failover_client; - RETURN_IF_NOT_OK(createClients(factory_primary_or_error.value(), factory_failover, - primary_client, failover_client)); + Grpc::RawAsyncClientSharedPtr primary_client; + Grpc::RawAsyncClientSharedPtr failover_client; + RETURN_IF_NOT_OK(createGrpcClients(cm_->grpcAsyncClientManager(), api_config_source, + *stats_.rootScope(), /*skip_cluster_check*/ false, + /*xdstp_config_source*/ true, primary_client, + failover_client)); authority_mux = factory->create( std::move(primary_client), std::move(failover_client), main_thread_dispatcher_, random_, *stats_.rootScope(), api_config_source, local_info_, std::move(custom_config_validators), @@ -397,22 +419,14 @@ XdsManagerImpl::createAuthority(const envoy::config::core::v3::ConfigSource& con if (!factory) { return absl::InvalidArgumentError(fmt::format("{} not found", name)); } - auto factory_primary_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), api_config_source, *stats_.rootScope(), false, 0, true); - RETURN_IF_NOT_OK_REF(factory_primary_or_error.status()); - Grpc::AsyncClientFactoryPtr factory_failover = nullptr; - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { - auto factory_failover_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), api_config_source, *stats_.rootScope(), false, 1, true); - RETURN_IF_NOT_OK_REF(factory_failover_or_error.status()); - factory_failover = std::move(factory_failover_or_error.value()); - } + Grpc::RawAsyncClientSharedPtr primary_client; + Grpc::RawAsyncClientSharedPtr failover_client; + RETURN_IF_NOT_OK(createGrpcClients(cm_->grpcAsyncClientManager(), api_config_source, + *stats_.rootScope(), /*skip_cluster_check*/ false, + /*xdstp_config_source*/ true, primary_client, + failover_client)); OptRef xds_resources_delegate = makeOptRefFromPtr(xds_resources_delegate_.get()); - Grpc::RawAsyncClientPtr primary_client; - Grpc::RawAsyncClientPtr failover_client; - RETURN_IF_NOT_OK(createClients(factory_primary_or_error.value(), factory_failover, - primary_client, failover_client)); authority_mux = factory->create( std::move(primary_client), std::move(failover_client), main_thread_dispatcher_, random_, *stats_.rootScope(), api_config_source, local_info_, std::move(custom_config_validators), @@ -485,20 +499,11 @@ XdsManagerImpl::replaceAdsMux(const envoy::config::core::v3::ApiConfigSource& ad absl::Status status = Config::Utility::checkTransportVersion(ads_config); RETURN_IF_NOT_OK(status); - auto factory_primary_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), ads_config, *stats_.rootScope(), false, 0, false); - RETURN_IF_NOT_OK_REF(factory_primary_or_error.status()); - Grpc::AsyncClientFactoryPtr factory_failover = nullptr; - if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { - auto factory_failover_or_error = Config::Utility::factoryForGrpcApiConfigSource( - cm_->grpcAsyncClientManager(), ads_config, *stats_.rootScope(), false, 1, false); - RETURN_IF_NOT_OK_REF(factory_failover_or_error.status()); - factory_failover = std::move(factory_failover_or_error.value()); - } - Grpc::RawAsyncClientPtr primary_client; - Grpc::RawAsyncClientPtr failover_client; - RETURN_IF_NOT_OK(createClients(factory_primary_or_error.value(), factory_failover, primary_client, - failover_client)); + Grpc::RawAsyncClientSharedPtr primary_client; + Grpc::RawAsyncClientSharedPtr failover_client; + RETURN_IF_NOT_OK(createGrpcClients( + cm_->grpcAsyncClientManager(), ads_config, *stats_.rootScope(), /*skip_cluster_check*/ false, + /*xdstp_config_source*/ false, primary_client, failover_client)); // Primary client must not be null, as the primary xDS source must be a valid one. // The failover_client may be null (no failover defined). diff --git a/source/common/grpc/typed_async_client.h b/source/common/grpc/typed_async_client.h index 30c2ecdc52630..e664106c04688 100644 --- a/source/common/grpc/typed_async_client.h +++ b/source/common/grpc/typed_async_client.h @@ -113,7 +113,8 @@ template class AsyncClient /* : public Raw public: AsyncClient() = default; AsyncClient(RawAsyncClientPtr&& client) : client_(std::move(client)) {} - AsyncClient(RawAsyncClientSharedPtr client) : client_(client) {} + AsyncClient(const RawAsyncClientSharedPtr& client) : client_(client) {} + AsyncClient(RawAsyncClientSharedPtr&& client) : client_(std::move(client)) {} virtual ~AsyncClient() = default; virtual AsyncRequest* send(const Protobuf::MethodDescriptor& service_method, diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 6f3658c83a900..1fe95455eaa22 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -13,6 +13,7 @@ #include "envoy/config/core/v3/config_source.pb.h" #include "envoy/config/core/v3/protocol.pb.h" #include "envoy/event/dispatcher.h" +#include "envoy/grpc/async_client.h" #include "envoy/network/dns.h" #include "envoy/runtime/runtime.h" #include "envoy/stats/scope.h" @@ -42,6 +43,8 @@ #include "source/common/upstream/load_balancer_context_base.h" #include "source/common/upstream/priority_conn_pool_map_impl.h" +#include "absl/status/status.h" + #ifdef ENVOY_ENABLE_QUIC #include "source/common/http/conn_pool_grid.h" #include "source/common/http/http3/conn_pool.h" @@ -500,11 +503,11 @@ absl::Status ClusterManagerImpl::initializeSecondaryClusters( auto factory_or_error = Config::Utility::factoryForGrpcApiConfigSource( *async_client_manager_, load_stats_config, *stats_.rootScope(), false, 0, false); RETURN_IF_NOT_OK_REF(factory_or_error.status()); - absl::StatusOr client_or_error = + absl::StatusOr client_or_error = factory_or_error.value()->createUncachedRawAsyncClient(); RETURN_IF_NOT_OK_REF(client_or_error.status()); load_stats_reporter_ = std::make_unique( - local_info_, *this, *stats_.rootScope(), std::move(*client_or_error), dispatcher_); + local_info_, *this, *stats_.rootScope(), std::move(client_or_error.value()), dispatcher_); } return absl::OkStatus(); } diff --git a/source/common/upstream/load_stats_reporter.cc b/source/common/upstream/load_stats_reporter.cc index e26f8e47006ca..6cc62f14709ff 100644 --- a/source/common/upstream/load_stats_reporter.cc +++ b/source/common/upstream/load_stats_reporter.cc @@ -11,7 +11,7 @@ namespace Upstream { LoadStatsReporter::LoadStatsReporter(const LocalInfo::LocalInfo& local_info, ClusterManager& cluster_manager, Stats::Scope& scope, - Grpc::RawAsyncClientPtr async_client, + Grpc::RawAsyncClientSharedPtr&& async_client, Event::Dispatcher& dispatcher) : cm_(cluster_manager), stats_{ALL_LOAD_REPORTER_STATS(POOL_COUNTER_PREFIX(scope, "load_reporter."))}, diff --git a/source/common/upstream/load_stats_reporter.h b/source/common/upstream/load_stats_reporter.h index 4f85f158a6f38..eeae2b6050c39 100644 --- a/source/common/upstream/load_stats_reporter.h +++ b/source/common/upstream/load_stats_reporter.h @@ -34,7 +34,7 @@ class LoadStatsReporter Logger::Loggable { public: LoadStatsReporter(const LocalInfo::LocalInfo& local_info, ClusterManager& cluster_manager, - Stats::Scope& scope, Grpc::RawAsyncClientPtr async_client, + Stats::Scope& scope, Grpc::RawAsyncClientSharedPtr&& async_client, Event::Dispatcher& dispatcher); // Grpc::AsyncStreamCallbacks diff --git a/source/extensions/config_subscription/grpc/grpc_mux_context.h b/source/extensions/config_subscription/grpc/grpc_mux_context.h index 03f7e4c7d119f..a5ed5121dc25a 100644 --- a/source/extensions/config_subscription/grpc/grpc_mux_context.h +++ b/source/extensions/config_subscription/grpc/grpc_mux_context.h @@ -18,8 +18,8 @@ namespace Config { // Context (data) needed for creating a GrpcMux object. // These are parameters needed for the creation of all GrpcMux objects. struct GrpcMuxContext { - Grpc::RawAsyncClientPtr async_client_; - Grpc::RawAsyncClientPtr failover_async_client_; + Grpc::RawAsyncClientSharedPtr async_client_; + Grpc::RawAsyncClientSharedPtr failover_async_client_; Event::Dispatcher& dispatcher_; const Protobuf::MethodDescriptor& service_method_; const LocalInfo::LocalInfo& local_info_; diff --git a/source/extensions/config_subscription/grpc/grpc_mux_impl.cc b/source/extensions/config_subscription/grpc/grpc_mux_impl.cc index 79fb7428bef3b..907ec17b2b0db 100644 --- a/source/extensions/config_subscription/grpc/grpc_mux_impl.cc +++ b/source/extensions/config_subscription/grpc/grpc_mux_impl.cc @@ -84,8 +84,8 @@ GrpcMuxImpl::GrpcMuxImpl(GrpcMuxContext& grpc_mux_context, bool skip_subsequent_ std::unique_ptr> -GrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientPtr&& async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, +GrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const RateLimitSettings& rate_limit_settings) { @@ -299,9 +299,9 @@ GrpcMuxWatchPtr GrpcMuxImpl::addWatch(const std::string& type_url, } absl::Status -GrpcMuxImpl::updateMuxSource(Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope& scope, - BackOffStrategyPtr&& backoff_strategy, +GrpcMuxImpl::updateMuxSource(Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, + Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) { // Process the rate limit settings. absl::StatusOr rate_limit_settings_or_error = @@ -659,8 +659,9 @@ class GrpcMuxFactory : public MuxFactory { std::string name() const override { return "envoy.config_mux.grpc_mux_factory"; } void shutdownAll() override { return GrpcMuxImpl::shutdownAll(); } std::shared_ptr - create(Grpc::RawAsyncClientPtr&& async_client, Grpc::RawAsyncClientPtr&& failover_async_client, - Event::Dispatcher& dispatcher, Random::RandomGenerator&, Stats::Scope& scope, + create(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Event::Dispatcher& dispatcher, + Random::RandomGenerator&, Stats::Scope& scope, const envoy::config::core::v3::ApiConfigSource& ads_config, const LocalInfo::LocalInfo& local_info, CustomConfigValidatorsPtr&& config_validators, BackOffStrategyPtr&& backoff_strategy, XdsConfigTrackerOptRef xds_config_tracker, diff --git a/source/extensions/config_subscription/grpc/grpc_mux_impl.h b/source/extensions/config_subscription/grpc/grpc_mux_impl.h index b13c852222a38..0a08a0554e1e3 100644 --- a/source/extensions/config_subscription/grpc/grpc_mux_impl.h +++ b/source/extensions/config_subscription/grpc/grpc_mux_impl.h @@ -74,8 +74,8 @@ class GrpcMuxImpl : public GrpcMux, } absl::Status - updateMuxSource(Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope& scope, + updateMuxSource(Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) override; @@ -108,8 +108,8 @@ class GrpcMuxImpl : public GrpcMux, // Helper function to create the grpc_stream_ object. std::unique_ptr> - createGrpcStreamObject(Grpc::RawAsyncClientPtr&& async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, + createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const RateLimitSettings& rate_limit_settings); diff --git a/source/extensions/config_subscription/grpc/grpc_stream.h b/source/extensions/config_subscription/grpc/grpc_stream.h index cd04a03c182d1..60d7a7c789ac6 100644 --- a/source/extensions/config_subscription/grpc/grpc_stream.h +++ b/source/extensions/config_subscription/grpc/grpc_stream.h @@ -34,7 +34,8 @@ class GrpcStream : public GrpcStreamInterface, SECOND_ENTRY }; - GrpcStream(GrpcStreamCallbacks* callbacks, Grpc::RawAsyncClientPtr async_client, + GrpcStream(GrpcStreamCallbacks* callbacks, + Grpc::RawAsyncClientSharedPtr&& async_client, const Protobuf::MethodDescriptor& service_method, Event::Dispatcher& dispatcher, Stats::Scope& scope, BackOffStrategyPtr backoff_strategy, const RateLimitSettings& rate_limit_settings, ConnectedStateValue connected_state_val) diff --git a/source/extensions/config_subscription/grpc/grpc_subscription_factory.cc b/source/extensions/config_subscription/grpc/grpc_subscription_factory.cc index 26ecf9f047f1a..3eb793f22ed91 100644 --- a/source/extensions/config_subscription/grpc/grpc_subscription_factory.cc +++ b/source/extensions/config_subscription/grpc/grpc_subscription_factory.cc @@ -35,7 +35,7 @@ GrpcConfigSubscriptionFactory::create(ConfigSubscriptionFactory::SubscriptionDat GrpcMuxContext grpc_mux_context{ /*async_client_=*/THROW_OR_RETURN_VALUE( factory_primary_or_error.value()->createUncachedRawAsyncClient(), - Grpc::RawAsyncClientPtr), + Grpc::RawAsyncClientSharedPtr), /*failover_async_client_=*/nullptr, // Failover is only supported for ADS. /*dispatcher_=*/data.dispatcher_, /*service_method_=*/sotwGrpcMethod(data.type_url_), @@ -86,7 +86,7 @@ DeltaGrpcConfigSubscriptionFactory::create(ConfigSubscriptionFactory::Subscripti GrpcMuxContext grpc_mux_context{ /*async_client_=*/THROW_OR_RETURN_VALUE( factory_primary_or_error.value()->createUncachedRawAsyncClient(), - Grpc::RawAsyncClientPtr), + Grpc::RawAsyncClientSharedPtr), /*failover_async_client_=*/nullptr, // Failover is only supported for ADS. /*dispatcher_=*/data.dispatcher_, /*service_method_=*/deltaGrpcMethod(data.type_url_), diff --git a/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc b/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc index 2323b5663e0bc..80406edb4c604 100644 --- a/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc +++ b/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc @@ -57,8 +57,8 @@ NewGrpcMuxImpl::NewGrpcMuxImpl(GrpcMuxContext& grpc_mux_context) std::unique_ptr> -NewGrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientPtr&& async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, +NewGrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const RateLimitSettings& rate_limit_settings) { @@ -252,8 +252,8 @@ GrpcMuxWatchPtr NewGrpcMuxImpl::addWatch(const std::string& type_url, } absl::Status -NewGrpcMuxImpl::updateMuxSource(Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, +NewGrpcMuxImpl::updateMuxSource(Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) { // Process the rate limit settings. @@ -455,8 +455,9 @@ class NewGrpcMuxFactory : public MuxFactory { std::string name() const override { return "envoy.config_mux.new_grpc_mux_factory"; } void shutdownAll() override { return NewGrpcMuxImpl::shutdownAll(); } std::shared_ptr - create(Grpc::RawAsyncClientPtr&& async_client, Grpc::RawAsyncClientPtr&& failover_async_client, - Event::Dispatcher& dispatcher, Random::RandomGenerator&, Stats::Scope& scope, + create(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Event::Dispatcher& dispatcher, + Random::RandomGenerator&, Stats::Scope& scope, const envoy::config::core::v3::ApiConfigSource& ads_config, const LocalInfo::LocalInfo& local_info, CustomConfigValidatorsPtr&& config_validators, BackOffStrategyPtr&& backoff_strategy, XdsConfigTrackerOptRef xds_config_tracker, diff --git a/source/extensions/config_subscription/grpc/new_grpc_mux_impl.h b/source/extensions/config_subscription/grpc/new_grpc_mux_impl.h index f2f6d14903548..e9e728e432ab7 100644 --- a/source/extensions/config_subscription/grpc/new_grpc_mux_impl.h +++ b/source/extensions/config_subscription/grpc/new_grpc_mux_impl.h @@ -79,8 +79,8 @@ class NewGrpcMuxImpl void start() override; absl::Status - updateMuxSource(Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope& scope, + updateMuxSource(Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) override; @@ -159,8 +159,8 @@ class NewGrpcMuxImpl // Helper function to create the grpc_stream_ object. std::unique_ptr> - createGrpcStreamObject(Grpc::RawAsyncClientPtr&& async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, + createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const RateLimitSettings& rate_limit_settings); diff --git a/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc b/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc index 0d6067c6aa4c0..e261c81aa045a 100644 --- a/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc +++ b/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc @@ -65,7 +65,8 @@ GrpcMuxImpl::GrpcMuxImpl(std::unique_ptr subscription_state_fac template std::unique_ptr> GrpcMuxImpl::createGrpcStreamObject( - Grpc::RawAsyncClientPtr&& async_client, Grpc::RawAsyncClientPtr&& failover_async_client, + Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const RateLimitSettings& rate_limit_settings) { if (Runtime::runtimeFeatureEnabled("envoy.restart_features.xds_failover_support")) { @@ -230,8 +231,9 @@ ScopedResume GrpcMuxImpl::pause(const std::vector typ template absl::Status GrpcMuxImpl::updateMuxSource( - Grpc::RawAsyncClientPtr&& primary_async_client, Grpc::RawAsyncClientPtr&& failover_async_client, - Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, + Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, + BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) { // Process the rate limit settings. absl::StatusOr rate_limit_settings_or_error = @@ -488,8 +490,9 @@ class DeltaGrpcMuxFactory : public MuxFactory { std::string name() const override { return "envoy.config_mux.delta_grpc_mux_factory"; } void shutdownAll() override { return GrpcMuxDelta::shutdownAll(); } std::shared_ptr - create(Grpc::RawAsyncClientPtr&& async_client, Grpc::RawAsyncClientPtr&& failover_async_client, - Event::Dispatcher& dispatcher, Random::RandomGenerator&, Stats::Scope& scope, + create(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Event::Dispatcher& dispatcher, + Random::RandomGenerator&, Stats::Scope& scope, const envoy::config::core::v3::ApiConfigSource& ads_config, const LocalInfo::LocalInfo& local_info, CustomConfigValidatorsPtr&& config_validators, BackOffStrategyPtr&& backoff_strategy, XdsConfigTrackerOptRef xds_config_tracker, @@ -527,8 +530,9 @@ class SotwGrpcMuxFactory : public MuxFactory { std::string name() const override { return "envoy.config_mux.sotw_grpc_mux_factory"; } void shutdownAll() override { return GrpcMuxSotw::shutdownAll(); } std::shared_ptr - create(Grpc::RawAsyncClientPtr&& async_client, Grpc::RawAsyncClientPtr&& failover_async_client, - Event::Dispatcher& dispatcher, Random::RandomGenerator&, Stats::Scope& scope, + create(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Event::Dispatcher& dispatcher, + Random::RandomGenerator&, Stats::Scope& scope, const envoy::config::core::v3::ApiConfigSource& ads_config, const LocalInfo::LocalInfo& local_info, CustomConfigValidatorsPtr&& config_validators, BackOffStrategyPtr&& backoff_strategy, XdsConfigTrackerOptRef xds_config_tracker, diff --git a/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.h b/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.h index 72182dc18f321..7fff1c263d0e7 100644 --- a/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.h +++ b/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.h @@ -106,8 +106,8 @@ class GrpcMuxImpl : public GrpcStreamCallbacks, } absl::Status - updateMuxSource(Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope& scope, + updateMuxSource(Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source) override; @@ -179,10 +179,12 @@ class GrpcMuxImpl : public GrpcStreamCallbacks, // Helper function to create the grpc_stream_ object. // TODO(adisuissa): this should be removed when envoy.restart_features.xds_failover_support // is deprecated. - std::unique_ptr> createGrpcStreamObject( - Grpc::RawAsyncClientPtr&& async_client, Grpc::RawAsyncClientPtr&& failover_async_client, - const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, - BackOffStrategyPtr&& backoff_strategy, const RateLimitSettings& rate_limit_settings); + std::unique_ptr> + createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, + const Protobuf::MethodDescriptor& service_method, Stats::Scope& scope, + BackOffStrategyPtr&& backoff_strategy, + const RateLimitSettings& rate_limit_settings); // Checks whether external conditions allow sending a DeltaDiscoveryRequest. (Does not check // whether we *want* to send a (Delta)DiscoveryRequest). @@ -300,8 +302,8 @@ class NullGrpcMuxImpl : public GrpcMux { SubscriptionCallbacks&, OpaqueResourceDecoderSharedPtr, const SubscriptionOptions&) override; - absl::Status updateMuxSource(Grpc::RawAsyncClientPtr&&, Grpc::RawAsyncClientPtr&&, Stats::Scope&, - BackOffStrategyPtr&&, + absl::Status updateMuxSource(Grpc::RawAsyncClientSharedPtr&&, Grpc::RawAsyncClientSharedPtr&&, + Stats::Scope&, BackOffStrategyPtr&&, const envoy::config::core::v3::ApiConfigSource&) override { return absl::UnimplementedError(""); } diff --git a/test/common/config/xds_manager_impl_test.cc b/test/common/config/xds_manager_impl_test.cc index 24618e24b68db..cbf01c150b1fb 100644 --- a/test/common/config/xds_manager_impl_test.cc +++ b/test/common/config/xds_manager_impl_test.cc @@ -36,7 +36,7 @@ class MockGrpcMuxFactory : public MuxFactory { MockGrpcMuxFactory(absl::string_view name = "envoy.config_mux.grpc_mux_factory") : name_(name) { ON_CALL(*this, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillByDefault(Invoke( - [](std::unique_ptr&&, std::unique_ptr&&, + [](std::shared_ptr&&, std::shared_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, std::unique_ptr&&, BackOffStrategyPtr&&, @@ -50,7 +50,7 @@ class MockGrpcMuxFactory : public MuxFactory { void shutdownAll() override {} MOCK_METHOD(std::shared_ptr, create, - (std::unique_ptr&&, std::unique_ptr&&, + (std::shared_ptr&&, std::shared_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, std::unique_ptr&&, BackOffStrategyPtr&&, @@ -173,8 +173,8 @@ TEST_F(XdsManagerImplTest, AdsReplacementPrimaryOnly) { NiceMock& ads_mux(*ads_mux_shared.get()); EXPECT_CALL(factory, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillOnce(Invoke( - [&ads_mux_shared](std::unique_ptr&& primary_async_client, - std::unique_ptr&& failover_async_client, + [&ads_mux_shared](std::shared_ptr&& primary_async_client, + std::shared_ptr&& failover_async_client, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, @@ -237,10 +237,10 @@ TEST_F(XdsManagerImplTest, AdsReplacementPrimaryOnly) { )EOF", new_ads_config); - Grpc::RawAsyncClientPtr failover_client; + Grpc::RawAsyncClientSharedPtr failover_client; EXPECT_CALL(ads_mux, updateMuxSource(_, _, _, _, ProtoEq(new_ads_config))) - .WillOnce(Invoke([](Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope&, + .WillOnce(Invoke([](Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope&, BackOffStrategyPtr&&, const envoy::config::core::v3::ApiConfigSource&) -> absl::Status { EXPECT_NE(primary_async_client, nullptr); @@ -264,8 +264,8 @@ TEST_F(XdsManagerImplTest, AdsReplacementPrimaryAndFailover) { NiceMock& ads_mux(*ads_mux_shared.get()); EXPECT_CALL(factory, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillOnce(Invoke( - [&ads_mux_shared](std::unique_ptr&& primary_async_client, - std::unique_ptr&& failover_async_client, + [&ads_mux_shared](std::shared_ptr&& primary_async_client, + std::shared_ptr&& failover_async_client, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, @@ -332,10 +332,10 @@ TEST_F(XdsManagerImplTest, AdsReplacementPrimaryAndFailover) { )EOF", new_ads_config); - Grpc::RawAsyncClientPtr failover_client; + Grpc::RawAsyncClientSharedPtr failover_client; EXPECT_CALL(ads_mux, updateMuxSource(_, _, _, _, ProtoEq(new_ads_config))) - .WillOnce(Invoke([](Grpc::RawAsyncClientPtr&& primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope&, + .WillOnce(Invoke([](Grpc::RawAsyncClientSharedPtr&& primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope&, BackOffStrategyPtr&&, const envoy::config::core::v3::ApiConfigSource&) -> absl::Status { EXPECT_NE(primary_async_client, nullptr); @@ -810,8 +810,8 @@ class XdsManagerImplXdstpConfigSourcesTest : public testing::Test { if (enable_authority_a) { EXPECT_CALL(grpc_mux_factory_, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillOnce(Invoke( - [&](std::unique_ptr&& primary_async_client, - std::unique_ptr&&, Event::Dispatcher&, + [&](std::shared_ptr&& primary_async_client, + std::shared_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, std::unique_ptr&&, BackOffStrategyPtr&&, @@ -824,8 +824,8 @@ class XdsManagerImplXdstpConfigSourcesTest : public testing::Test { if (enable_authority_b) { EXPECT_CALL(grpc_mux_factory_, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillOnce(Invoke( - [&](std::unique_ptr&& primary_async_client, - std::unique_ptr&&, Event::Dispatcher&, + [&](std::shared_ptr&& primary_async_client, + std::shared_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, std::unique_ptr&&, BackOffStrategyPtr&&, @@ -838,8 +838,8 @@ class XdsManagerImplXdstpConfigSourcesTest : public testing::Test { if (enable_default_authority) { EXPECT_CALL(grpc_mux_factory_, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillOnce(Invoke( - [&](std::unique_ptr&& primary_async_client, - std::unique_ptr&&, Event::Dispatcher&, + [&](std::shared_ptr&& primary_async_client, + std::shared_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, std::unique_ptr&&, BackOffStrategyPtr&&, @@ -1169,8 +1169,8 @@ TEST_F(XdsManagerImplXdstpConfigSourcesTest, NonDefaultConfigSourceDeltaGrpc) { Registry::InjectFactory registry(factory); EXPECT_CALL(factory, create(_, _, _, _, _, _, _, _, _, _, _, _)) .WillOnce(Invoke( - [&](std::unique_ptr&& primary_async_client, - std::unique_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, + [&](std::shared_ptr&& primary_async_client, + std::shared_ptr&&, Event::Dispatcher&, Random::RandomGenerator&, Stats::Scope&, const envoy::config::core::v3::ApiConfigSource&, const LocalInfo::LocalInfo&, std::unique_ptr&&, BackOffStrategyPtr&&, OptRef, diff --git a/test/mocks/config/mocks.h b/test/mocks/config/mocks.h index ce0331f725539..717c32117d25a 100644 --- a/test/mocks/config/mocks.h +++ b/test/mocks/config/mocks.h @@ -137,8 +137,8 @@ class MockGrpcMux : public GrpcMux { MOCK_METHOD(EdsResourcesCacheOptRef, edsResourcesCache, ()); MOCK_METHOD(absl::Status, updateMuxSource, - (Grpc::RawAsyncClientPtr && primary_async_client, - Grpc::RawAsyncClientPtr&& failover_async_client, Stats::Scope& scope, + (Grpc::RawAsyncClientSharedPtr && primary_async_client, + Grpc::RawAsyncClientSharedPtr&& failover_async_client, Stats::Scope& scope, BackOffStrategyPtr&& backoff_strategy, const envoy::config::core::v3::ApiConfigSource& ads_config_source)); }; From fc3db7c435874f0e8acb3db1c27b0299e5bf2763 Mon Sep 17 00:00:00 2001 From: Ian Kerins Date: Sun, 17 Aug 2025 21:43:00 -0400 Subject: [PATCH 245/505] cel: add support for typed Value format output (#40448) Commit Message: Add a new TYPED_CEL formatter command in addition to the existing CEL command. The latter, when used in formatting contexts that accept protobuf Values, will output non-string values. The new command is introduced so as to not break compatibility with the existing one's behavior. Additional Description: N/A Risk Level: Low. Testing: Unit tests. Docs Changes: Just in the cel proto, I could find no other docs Release Notes: Yes. Platform Specific Features: No. Fixes #40122. --------- Signed-off-by: Ian Kerins Signed-off-by: code Co-authored-by: code --- .../extensions/formatter/cel/v3/cel.proto | 17 ++ changelogs/current.yaml | 6 + source/extensions/formatter/cel/BUILD | 1 + source/extensions/formatter/cel/cel.cc | 41 +++- source/extensions/formatter/cel/cel.h | 5 +- test/extensions/formatter/cel/cel_test.cc | 185 +++++++++++++++++- tools/spelling/spelling_dictionary.txt | 1 + 7 files changed, 241 insertions(+), 15 deletions(-) diff --git a/api/envoy/extensions/formatter/cel/v3/cel.proto b/api/envoy/extensions/formatter/cel/v3/cel.proto index 265f9dd352da1..ced34e735f00d 100644 --- a/api/envoy/extensions/formatter/cel/v3/cel.proto +++ b/api/envoy/extensions/formatter/cel/v3/cel.proto @@ -30,6 +30,23 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // * ``%CEL(request.headers['x-envoy-original-path']):10%`` // * ``%CEL(request.headers['x-log-mtls'] || request.url_path.contains('v1beta3'))%`` +// Alternatively: %TYPED_CEL(EXPRESSION):Z% +// When using a non-text access log format like JSON, this format command is +// able to emit values of non-string types, like number, boolean, and null, +// based on the output of the CEL expression. It otherwise functions the same as +// %CEL%. CEL types not native to JSON are coerced as follows: +// +// * Bytes are base64 encoded to produce a string. +// * Durations are stringified as a count of seconds, e.g. `duration("1h30m")` +// becomes "5400s". +// * Timestamps are formatted to UTC, e.g. +// `timestamp("2023-08-26T12:39:00-07:00")` becomes +// "2023-08-26T19:39:00+00:00" +// * Maps become objects, provided all keys can be coerced to strings and that +// all values can coerce to types representable in JSON. +// * Lists become lists, provided all values can coerce to types representable +// in JSON. + // Configuration for the CEL formatter. // // .. warning:: diff --git a/changelogs/current.yaml b/changelogs/current.yaml index a6326d4619c6b..328ebd4958aed 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -254,6 +254,12 @@ new_features: Added ``route()`` to the Stream handle API, allowing Lua scripts to retrieve route information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access route metadata scoped to the specific filter name. See :ref:`Route object API ` for more details. +- area: cel + change: | + Add a new %TYPED_CEL% formatter command that, unlike %CEL%, can output non-string values (number, boolean, null, etc) + when used in formatting contexts that accept non-string values, such as + :ref:`json_format `. The new command is introduced + so as to not break compatibility with the existing command's behavior. - area: dynamic_modules change: | Added a new Logging ABI that allows modules to emit logs in the standard Envoy logging stream under "dynamic_modules" ID. diff --git a/source/extensions/formatter/cel/BUILD b/source/extensions/formatter/cel/BUILD index 2483f1de9d457..f6386177a8ef0 100644 --- a/source/extensions/formatter/cel/BUILD +++ b/source/extensions/formatter/cel/BUILD @@ -27,6 +27,7 @@ envoy_cc_library( { "//bazel:windows_x86_64": [], "//conditions:default": [ + "@com_google_cel_cpp//eval/public:value_export_util", "@com_google_cel_cpp//parser", ], }, diff --git a/source/extensions/formatter/cel/cel.cc b/source/extensions/formatter/cel/cel.cc index 6ee44909861f1..47163f87f4f2a 100644 --- a/source/extensions/formatter/cel/cel.cc +++ b/source/extensions/formatter/cel/cel.cc @@ -7,6 +7,7 @@ #if defined(USE_CEL_PARSER) #include "parser/parser.h" +#include "eval/public/value_export_util.h" #endif namespace Envoy { @@ -17,9 +18,10 @@ namespace Expr = Filters::Common::Expr; CELFormatter::CELFormatter(const ::Envoy::LocalInfo::LocalInfo& local_info, Expr::BuilderInstanceSharedPtr expr_builder, - const cel::expr::Expr& input_expr, absl::optional& max_length) + const cel::expr::Expr& input_expr, absl::optional& max_length, + bool typed) : local_info_(local_info), expr_builder_(expr_builder), parsed_expr_(input_expr), - max_length_(max_length) { + max_length_(max_length), typed_(typed) { compiled_expr_ = Expr::createExpression(expr_builder_->builder(), parsed_expr_); } @@ -44,22 +46,41 @@ CELFormatter::formatWithContext(const Envoy::Formatter::HttpFormatterContext& co Protobuf::Value CELFormatter::formatValueWithContext(const Envoy::Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { - auto result = formatWithContext(context, stream_info); - if (!result.has_value()) { - return ValueUtil::nullValue(); + if (typed_) { + Protobuf::Arena arena; + auto eval_status = + Expr::evaluate(*compiled_expr_, arena, &local_info_, stream_info, &context.requestHeaders(), + &context.responseHeaders(), &context.responseTrailers()); + if (!eval_status.has_value() || eval_status.value().IsError()) { + return ValueUtil::nullValue(); + } + + Protobuf::Value proto_value; + if (!ExportAsProtoValue(eval_status.value(), &proto_value).ok()) { + return ValueUtil::nullValue(); + } + + if (max_length_ && proto_value.kind_case() == Protobuf::Value::kStringValue) { + proto_value.set_string_value(proto_value.string_value().substr(0, max_length_.value())); + } + return proto_value; + } else { + auto result = formatWithContext(context, stream_info); + if (!result.has_value()) { + return ValueUtil::nullValue(); + } + return ValueUtil::stringValue(result.value()); } - return ValueUtil::stringValue(result.value()); } ::Envoy::Formatter::FormatterProviderPtr CELFormatterCommandParser::parse(absl::string_view command, absl::string_view subcommand, absl::optional max_length) const { #if defined(USE_CEL_PARSER) - if (command == "CEL") { + if (command == "CEL" || command == "TYPED_CEL") { auto parse_status = google::api::expr::parser::Parse(subcommand); if (!parse_status.ok()) { - throw EnvoyException("Not able to parse filter expression: " + - parse_status.status().ToString()); + throw EnvoyException("Not able to parse expression: " + parse_status.status().ToString()); } Server::Configuration::ServerFactoryContext& context = @@ -78,7 +99,7 @@ CELFormatterCommandParser::parse(absl::string_view command, absl::string_view su return std::make_unique(context.localInfo(), Extensions::Filters::Common::Expr::getBuilder(context), - cel_expr, max_length); + cel_expr, max_length, command == "TYPED_CEL"); } return nullptr; diff --git a/source/extensions/formatter/cel/cel.h b/source/extensions/formatter/cel/cel.h index ae3093a81b1be..8b1d9cd912772 100644 --- a/source/extensions/formatter/cel/cel.h +++ b/source/extensions/formatter/cel/cel.h @@ -15,8 +15,8 @@ namespace Formatter { class CELFormatter : public ::Envoy::Formatter::FormatterProvider { public: CELFormatter(const ::Envoy::LocalInfo::LocalInfo& local_info, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr, const cel::expr::Expr&, - absl::optional&); + Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr expr_builder, + const cel::expr::Expr& input_expr, absl::optional& max_length, bool typed); absl::optional formatWithContext(const Envoy::Formatter::HttpFormatterContext& context, @@ -30,6 +30,7 @@ class CELFormatter : public ::Envoy::Formatter::FormatterProvider { const cel::expr::Expr parsed_expr_; const absl::optional max_length_; Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; + const bool typed_; }; class CELFormatterCommandParser : public ::Envoy::Formatter::CommandParser { diff --git a/test/extensions/formatter/cel/cel_test.cc b/test/extensions/formatter/cel/cel_test.cc index 43ddcca30de8f..e3491d8b44747 100644 --- a/test/extensions/formatter/cel/cel_test.cc +++ b/test/extensions/formatter/cel/cel_test.cc @@ -42,14 +42,151 @@ TEST_F(CELFormatterTest, TestNodeId) { auto formatter = cel_parser->parse("CEL", "xds.node.id", max_length); EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), ProtoEq(ValueUtil::stringValue("node_name"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "xds.node.id", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("node_name"))); +} + +TEST_F(CELFormatterTest, TestFormatWithContext) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "xds.node.id", max_length); + EXPECT_THAT(formatter->formatWithContext(formatter_context_, stream_info_), "node_name"); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "xds.node.id", max_length); + EXPECT_THAT(typed_formatter->formatWithContext(formatter_context_, stream_info_), "node_name"); } -TEST_F(CELFormatterTest, TestFormatValue) { +TEST_F(CELFormatterTest, TestFormatStringValue) { auto cel_parser = std::make_unique(); absl::optional max_length = absl::nullopt; auto formatter = cel_parser->parse("CEL", "request.headers[':method']", max_length); EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), ProtoEq(ValueUtil::stringValue("GET"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "request.headers[':method']", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("GET"))); +} + +TEST_F(CELFormatterTest, TestFormatNumberValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "request.headers[':method'].size()", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("3"))); + + auto typed_formatter = + cel_parser->parse("TYPED_CEL", "request.headers[':method'].size()", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::numberValue(3))); +} + +TEST_F(CELFormatterTest, TestFormatNullValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "request.headers.nope", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::nullValue())); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "request.headers.nope", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::nullValue())); +} + +TEST_F(CELFormatterTest, TestFormatBoolValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "request.headers[':method'] == 'GET'", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("true"))); + + auto typed_formatter = + cel_parser->parse("TYPED_CEL", "request.headers[':method'] == 'GET'", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::boolValue(true))); +} + +TEST_F(CELFormatterTest, TestFormatDurationValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "duration(\"1h30m\")", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("1h30m"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "duration(\"1h30m\")", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("5400s"))); +} + +TEST_F(CELFormatterTest, TestFormatTimestampValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "timestamp(\"2023-08-26T12:39:00-07:00\")", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("2023-08-26T19:39:00+00:00"))); + + auto typed_formatter = + cel_parser->parse("TYPED_CEL", "timestamp(\"2023-08-26T12:39:00-07:00\")", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("2023-08-26T19:39:00Z"))); +} + +TEST_F(CELFormatterTest, TestFormatBytesValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "bytes(\"hello\")", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("hello"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "bytes(\"hello\")", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("aGVsbG8="))); +} + +TEST_F(CELFormatterTest, TestFormatListValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "[\"foo\", 42, true]", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("CelList value"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "[\"foo\", 42, true]", max_length); + EXPECT_THAT( + typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::listValue({ValueUtil::stringValue("foo"), ValueUtil::numberValue(42), + ValueUtil::boolValue(true)}))); +} + +TEST_F(CELFormatterTest, TestFormatMapValue) { + auto cel_parser = std::make_unique(); + absl::optional max_length = absl::nullopt; + auto formatter = cel_parser->parse("CEL", "{\"foo\": \"42\"}", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("CelMap value"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "{\"foo\": \"42\"}", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::structValue(MessageUtil::keyValueStruct("foo", "42")))); + + // Test something that fails to format. For whatever reason, + // ExportAsProtoValue will not tolerate boolean keys. + auto invalid_typed_formatter = cel_parser->parse("TYPED_CEL", "{true: \"42\"}", max_length); + EXPECT_THAT(invalid_typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::nullValue())); +} + +TEST_F(CELFormatterTest, TestTruncation) { + auto cel_parser = std::make_unique(); + absl::optional max_length = 2; + auto formatter = cel_parser->parse("CEL", "request.headers[':method']", max_length); + EXPECT_THAT(formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("GE"))); + + auto typed_formatter = cel_parser->parse("TYPED_CEL", "request.headers[':method']", max_length); + EXPECT_THAT(typed_formatter->formatValueWithContext(formatter_context_, stream_info_), + ProtoEq(ValueUtil::stringValue("GE"))); } TEST_F(CELFormatterTest, TestParseFail) { @@ -178,7 +315,7 @@ TEST_F(CELFormatterTest, TestComplexCelExpression) { EXPECT_EQ("true /original false", formatter->formatWithContext(formatter_context_, stream_info_)); } -TEST_F(CELFormatterTest, TestInvalidExpression) { +TEST_F(CELFormatterTest, TestUntypedInvalidExpression) { const std::string yaml = R"EOF( text_format_source: inline_string: "%CEL(+++++)%" @@ -187,7 +324,19 @@ TEST_F(CELFormatterTest, TestInvalidExpression) { EXPECT_THROW_WITH_REGEX( *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_), - EnvoyException, "Not able to parse filter expression: .*"); + EnvoyException, "Not able to parse expression: .*"); +} + +TEST_F(CELFormatterTest, TestTypedInvalidExpression) { + const std::string yaml = R"EOF( + text_format_source: + inline_string: "%TYPED_CEL(+++++)%" +)EOF"; + TestUtility::loadFromYaml(yaml, config_); + + EXPECT_THROW_WITH_REGEX( + *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_), + EnvoyException, "Not able to parse expression: .*"); } TEST_F(CELFormatterTest, TestRegexExtFunctions) { @@ -201,6 +350,36 @@ TEST_F(CELFormatterTest, TestRegexExtFunctions) { *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_); EXPECT_EQ("true ", formatter->formatWithContext(formatter_context_, stream_info_)); } + +TEST_F(CELFormatterTest, TestUntypedJsonFormat) { + const std::string yaml = R"EOF( + json_format: + methodSize: "%CEL(request.headers[':method'].size())%" + shortMethod: "%CEL(request.headers[':method']):2%" + missingHeaderUnusedMaxLength: "%CEL(request.headers.missing):2%" +)EOF"; + TestUtility::loadFromYaml(yaml, config_); + + auto formatter = + *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_); + EXPECT_EQ("{\"methodSize\":\"3\",\"missingHeaderUnusedMaxLength\":null,\"shortMethod\":\"GE\"}\n", + formatter->formatWithContext(formatter_context_, stream_info_)); +} + +TEST_F(CELFormatterTest, TestTypedJsonFormat) { + const std::string yaml = R"EOF( + json_format: + methodSize: "%TYPED_CEL(request.headers[':method'].size())%" + shortMethod: "%TYPED_CEL(request.headers[':method']):2%" + missingHeaderUnusedMaxLength: "%TYPED_CEL(request.headers.missing):2%" +)EOF"; + TestUtility::loadFromYaml(yaml, config_); + + auto formatter = + *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_); + EXPECT_EQ("{\"methodSize\":3,\"missingHeaderUnusedMaxLength\":null,\"shortMethod\":\"GE\"}\n", + formatter->formatWithContext(formatter_context_, stream_info_)); +} #endif } // namespace Formatter diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index ad594752b72f4..e1e479b218197 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -1245,6 +1245,7 @@ reperform repicked replayable repo +representable reproducibility requirepass reselecting From 33ad5bafe402b0dc6b4d396fda4175dfc9f32f95 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 18 Aug 2025 17:45:19 +0200 Subject: [PATCH 246/505] cleanup: remove the unused TrieLookupTable (#40738) ## Description We moved the prefix matching to Radix Trees and after that `TrieLookupTable` is unused. This PR is to cleanup `TrieLookupTable` from the codebase. --- **Commit Message:** cleanup: remove the unused TrieLookupTable **Additional Description:** Remove the unused `TrieLookupTable` from the codebase. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- source/common/common/BUILD | 5 - source/common/common/trie_lookup_table.h | 199 ------------------ .../filters/network/redis_proxy/BUILD | 4 +- test/common/common/BUILD | 24 --- .../common/prefix_matching_benchmark.cc | 39 ---- .../common/trie_lookup_table_speed_test.cc | 89 -------- test/common/common/trie_lookup_table_test.cc | 92 -------- 7 files changed, 2 insertions(+), 450 deletions(-) delete mode 100644 source/common/common/trie_lookup_table.h delete mode 100644 test/common/common/trie_lookup_table_speed_test.cc delete mode 100644 test/common/common/trie_lookup_table_test.cc diff --git a/source/common/common/BUILD b/source/common/common/BUILD index f6314bcd96629..ef91ada8975e9 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -488,11 +488,6 @@ envoy_cc_library( ], ) -envoy_cc_library( - name = "trie_lookup_table_lib", - hdrs = ["trie_lookup_table.h"], -) - envoy_cc_library( name = "radix_tree_lib", hdrs = ["radix_tree.h"], diff --git a/source/common/common/trie_lookup_table.h b/source/common/common/trie_lookup_table.h deleted file mode 100644 index 5613ac0c56140..0000000000000 --- a/source/common/common/trie_lookup_table.h +++ /dev/null @@ -1,199 +0,0 @@ -#pragma once - -#include - -#include "source/common/common/assert.h" - -#include "absl/strings/string_view.h" - -namespace Envoy { - -/** - * A trie used for faster lookup with lookup time at most equal to the size of the key. - * - * Type of Value must be empty-constructible and moveable, e.g. smart pointers and POD types. - */ -template class TrieLookupTable { - static constexpr int32_t NoNode = -1; - // A TrieNode aims to be a good balance of performant and - // space-efficient, by allocating a vector the size of the range of children - // the node contains. This should be good for most use-cases. - // - // For example, a node with children 'a' and 'z' will contain a vector of - // size 26, containing two values and 24 nulls. A node with only one - // child will contain a vector of size 1. A node with no children will - // contain an empty vector. - // - // Compared to allocating 256 entries for every node, this makes insertions - // a little bit inefficient (especially insertions in reverse order), but - // trie lookups remain O(length-of-longest-matching-prefix) with just a - // couple of very cheap operations extra per step. - // - // By size, having 256 entries for every node makes each node's overhead - // (excluding values) consume 8KB; even a trie containing only a single - // prefix "foobar" consumes 56KB. - // Using ranged vectors like this makes a single prefix "foobar" consume - // less than 20 bytes per node, for a total of less than 0.14KB. - // - // Using indices instead of pointers helps keep the bulk of the data - // localized, and prevents recursive deletion which can provoke a stack - // overflow. - struct TrieNode { - Value value_{}; - // Vector of indices into nodes_, where [0] maps to min_child_key_. - // NoNode will be in any index where there is not a child. - std::vector children_; - uint8_t min_child_key_{0}; - }; - - /** - * Get the index of the node that the branch whose key is `char_key` from the - * node indexed by `current` leads to. - * @param current the index of the node to follow a branch from. - * @param char_key the one-byte key of the branch to be followed. - */ - int32_t getChildIndex(int32_t current, uint8_t char_key) const { - ASSERT(current >= 0 && static_cast(current) < nodes_.size()); - const TrieNode& node = nodes_[current]; - if (node.min_child_key_ > char_key || node.min_child_key_ + node.children_.size() <= char_key) { - return NoNode; - } - return node.children_[char_key - node.min_child_key_]; - } - int32_t getChildIndex(int32_t current, uint8_t char_key) { - return std::as_const(*this).getChildIndex(current, char_key); - } - - /** - * Make the branch whose key is `char_key`, of the node indexed by `current` - * point to node indexed by `child_index`. - * @param current the index of the node whose child is to be updated. - * @param char_key the one-byte key of the branch to be updated. - * @param child_index the index of the node the branch will lead to. - */ - void setChildIndex(int32_t current, uint8_t char_key, int32_t child_index) { - ASSERT(current >= 0 && static_cast(current) < nodes_.size()); - ASSERT(child_index >= 0 && static_cast(child_index) < nodes_.size()); - TrieNode& node = nodes_[current]; - if (node.children_.empty()) { - node.children_.reserve(1); - node.children_.push_back(child_index); - node.min_child_key_ = char_key; - return; - } - if (char_key < node.min_child_key_) { - std::vector new_children; - new_children.reserve(node.min_child_key_ - char_key + node.children_.size()); - new_children.resize(node.min_child_key_ - char_key, NoNode); - std::move(node.children_.begin(), node.children_.end(), std::back_inserter(new_children)); - new_children[0] = child_index; - node.min_child_key_ = char_key; - node.children_ = std::move(new_children); - return; - } - if (char_key >= (node.min_child_key_ + node.children_.size())) { - // Expand the vector forwards. - node.children_.resize(char_key - node.min_child_key_ + 1, NoNode); - // Fall through to "insert" behavior. - } - node.children_[char_key - node.min_child_key_] = child_index; - } - -public: - /** - * Adds an entry to the Trie at the given Key. - * @param key the key used to add the entry. - * @param value the value to be associated with the key. - * @param overwrite_existing will overwrite the value when the value for a given key already - * exists. - * @return false when a value already exists for the given key. - */ - bool add(absl::string_view key, Value value, bool overwrite_existing = true) { - int32_t current = 0; - for (uint8_t c : key) { - int32_t next = getChildIndex(current, c); - if (next == NoNode) { - next = nodes_.size(); - nodes_.emplace_back(); - setChildIndex(current, c, next); - } - current = next; - } - if (nodes_[current].value_ && !overwrite_existing) { - return false; - } - nodes_[current].value_ = std::move(value); - return true; - } - - /** - * Finds the entry associated with the key. - * @param key the key used to find. - * @return the Value associated with the key, or an empty-initialized Value - * if there is no matching key. - */ - Value find(absl::string_view key) const { - int32_t current = 0; - for (uint8_t c : key) { - current = getChildIndex(current, c); - if (current == NoNode) { - return {}; - } - } - return nodes_[current].value_; - } - - /** - * Returns the set of entries that are prefixes of the specified key, longest last. - * Complexity is O(min(longest key prefix, key length)). - * @param key the key used to find. - * @return a vector of values whose keys are a prefix of the specified key, longest last. - */ - absl::InlinedVector findMatchingPrefixes(absl::string_view key) const { - absl::InlinedVector result; - int32_t current = 0; - - for (uint8_t c : key) { - current = getChildIndex(current, c); - - if (current == NoNode) { - return result; - } else if (nodes_[current].value_) { - result.push_back(nodes_[current].value_); - } - } - return result; - } - - /** - * Finds the entry with the longest key that is a prefix of the specified key. - * Complexity is O(min(longest key prefix, key length)). - * @param key the key used to find. - * @return a value whose key is a prefix of the specified key. If there are - * multiple such values, the one with the longest key. If there are - * no keys that are a prefix of the input key, an empty-initialized Value. - */ - Value findLongestPrefix(absl::string_view key) const { - int32_t current = 0; - int32_t result = 0; - - for (uint8_t c : key) { - current = getChildIndex(current, c); - - if (current == NoNode) { - return nodes_[result].value_; - } else if (nodes_[current].value_) { - result = current; - } - } - return nodes_[result].value_; - } - -private: - // Flat representation of the tree - each node has a vector of indices to its - // child nodes. - // Initialized with a single empty node as the root node. - std::vector nodes_ = {TrieNode()}; -}; - -} // namespace Envoy diff --git a/source/extensions/filters/network/redis_proxy/BUILD b/source/extensions/filters/network/redis_proxy/BUILD index ffe7a6e69c59f..425eeb1c13acb 100644 --- a/source/extensions/filters/network/redis_proxy/BUILD +++ b/source/extensions/filters/network/redis_proxy/BUILD @@ -67,7 +67,7 @@ envoy_cc_library( "//envoy/stats:timespan_interface", "//source/common/common:assert_lib", "//source/common/common:minimal_logger_lib", - "//source/common/common:trie_lookup_table_lib", + "//source/common/common:radix_tree_lib", "//source/common/stats:timespan_lib", "//source/extensions/filters/network/common/redis:client_lib", "//source/extensions/filters/network/common/redis:fault_lib", @@ -172,7 +172,7 @@ envoy_cc_library( "//envoy/stream_info:stream_info_interface", "//envoy/thread_local:thread_local_interface", "//envoy/upstream:cluster_manager_interface", - "//source/common/common:trie_lookup_table_lib", + "//source/common/common:radix_tree_lib", "//source/extensions/filters/network/common/redis:codec_lib", "//source/extensions/filters/network/common/redis:supported_commands_lib", "//source/extensions/filters/network/common/redis:utility_lib", diff --git a/test/common/common/BUILD b/test/common/common/BUILD index a78e7566e5706..1ae3b9647066a 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -306,13 +306,6 @@ envoy_cc_test( ], ) -envoy_cc_test( - name = "trie_lookup_table_test", - srcs = ["trie_lookup_table_test.cc"], - rbe_pool = "6gig", - deps = ["//source/common/common:trie_lookup_table_lib"], -) - envoy_cc_test( name = "radix_tree_test", srcs = ["radix_tree_test.cc"], @@ -454,22 +447,6 @@ envoy_benchmark_test( benchmark_binary = "utility_speed_test", ) -envoy_cc_benchmark_binary( - name = "trie_lookup_table_speed_test", - srcs = ["trie_lookup_table_speed_test.cc"], - rbe_pool = "6gig", - deps = [ - "//source/common/common:trie_lookup_table_lib", - "@com_github_google_benchmark//:benchmark", - "@com_google_absl//absl/strings", - ], -) - -envoy_benchmark_test( - name = "trie_lookup_table_speed_test_benchmark_test", - benchmark_binary = "trie_lookup_table_speed_test", -) - envoy_cc_benchmark_binary( name = "radix_tree_speed_test", srcs = ["radix_tree_speed_test.cc"], @@ -492,7 +469,6 @@ envoy_cc_benchmark_binary( rbe_pool = "6gig", deps = [ "//source/common/common:radix_tree_lib", - "//source/common/common:trie_lookup_table_lib", "//source/common/http:headers_lib", "@com_github_google_benchmark//:benchmark", "@com_google_absl//absl/strings", diff --git a/test/common/common/prefix_matching_benchmark.cc b/test/common/common/prefix_matching_benchmark.cc index c89ad5138f3a3..0f80037b2f8cd 100644 --- a/test/common/common/prefix_matching_benchmark.cc +++ b/test/common/common/prefix_matching_benchmark.cc @@ -4,7 +4,6 @@ #include #include "source/common/common/radix_tree.h" -#include "source/common/common/trie_lookup_table.h" #include "source/common/http/headers.h" #include "benchmark/benchmark.h" @@ -87,27 +86,11 @@ template static void typedBmPrefixMatching(benchmark::State& s typedBmPrefixMatching(state, keys, search_keys); } -// Benchmark for TrieLookupTable -static void bmTrieLookupTablePrefixMatching(benchmark::State& s) { - typedBmPrefixMatching>(s); -} - // Benchmark for RadixTree static void bmRadixTreePrefixMatching(benchmark::State& s) { typedBmPrefixMatching>(s); } -// Real-world scenario benchmarks using HTTP headers -static void bmTrieLookupTableRequestHeadersPrefixMatching(benchmark::State& s) { - std::vector keys; - INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); - - // Generate search keys based on the headers - std::vector search_keys = generateSearchKeys(keys, 1000); - - typedBmPrefixMatching>(s, keys, search_keys); -} - static void bmRadixTreeRequestHeadersPrefixMatching(benchmark::State& s) { std::vector keys; INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); @@ -118,16 +101,6 @@ static void bmRadixTreeRequestHeadersPrefixMatching(benchmark::State& s) { typedBmPrefixMatching>(s, keys, search_keys); } -static void bmTrieLookupTableResponseHeadersPrefixMatching(benchmark::State& s) { - std::vector keys; - INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); - - // Generate search keys based on the headers - std::vector search_keys = generateSearchKeys(keys, 1000); - - typedBmPrefixMatching>(s, keys, search_keys); -} - static void bmRadixTreeResponseHeadersPrefixMatching(benchmark::State& s) { std::vector keys; INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); @@ -138,24 +111,12 @@ static void bmRadixTreeResponseHeadersPrefixMatching(benchmark::State& s) { typedBmPrefixMatching>(s, keys, search_keys); } -// Register benchmarks for synthetic data -BENCHMARK(bmTrieLookupTablePrefixMatching) - ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) - ->Name("TrieLookupTable/PrefixMatching"); - BENCHMARK(bmRadixTreePrefixMatching) ->ArgsProduct({{100, 1000, 10000}, {3, 5, 8}, {1000}}) ->Name("RadixTree/PrefixMatching"); -// Register benchmarks for real-world HTTP headers -BENCHMARK(bmTrieLookupTableRequestHeadersPrefixMatching) - ->Name("TrieLookupTable/RequestHeadersPrefixMatching"); - BENCHMARK(bmRadixTreeRequestHeadersPrefixMatching)->Name("RadixTree/RequestHeadersPrefixMatching"); -BENCHMARK(bmTrieLookupTableResponseHeadersPrefixMatching) - ->Name("TrieLookupTable/ResponseHeadersPrefixMatching"); - BENCHMARK(bmRadixTreeResponseHeadersPrefixMatching) ->Name("RadixTree/ResponseHeadersPrefixMatching"); diff --git a/test/common/common/trie_lookup_table_speed_test.cc b/test/common/common/trie_lookup_table_speed_test.cc deleted file mode 100644 index 642ef712173e0..0000000000000 --- a/test/common/common/trie_lookup_table_speed_test.cc +++ /dev/null @@ -1,89 +0,0 @@ -// Note: this should be run with --compilation_mode=opt, and would benefit from a -// quiescent system with disabled cstate power management. - -#include - -#include "envoy/http/header_map.h" - -#include "source/common/common/trie_lookup_table.h" -#include "source/common/http/headers.h" - -#include "benchmark/benchmark.h" - -namespace Envoy { - -// NOLINT(namespace-envoy) - -template -static void typedBmTrieLookups(benchmark::State& state, std::vector& keys) { - std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability - std::uniform_int_distribution keyindex_distribution(0, keys.size() - 1); - TableType trie; - for (const std::string& key : keys) { - trie.add(key, nullptr); - } - std::vector key_selections; - for (size_t i = 0; i < 1024; i++) { - key_selections.push_back(keyindex_distribution(prng)); - } - - // key_index indexes into key_selections which is a pre-selected - // random ordering of 1024 indexes into the existing keys. This - // way we read from all over the trie, without spending time during - // the performance test generating these random choices. - size_t key_index = 0; - for (auto _ : state) { - UNREFERENCED_PARAMETER(_); - auto v = trie.find(keys[key_selections[key_index++]]); - // Reset key_index to 0 whenever it reaches 1024. - key_index &= 1023; - benchmark::DoNotOptimize(v); - } -} - -// Range args are: -// 0 - num_keys -// 1 - key_length (0 is a special case that generates mixed-length keys) -template static void typedBmTrieLookups(benchmark::State& state) { - std::mt19937 prng(1); // PRNG with a fixed seed, for repeatability - int num_keys = state.range(0); - int key_length = state.range(1); - std::uniform_int_distribution char_distribution('a', 'z'); - std::uniform_int_distribution key_length_distribution(key_length == 0 ? 8 : key_length, - key_length == 0 ? 128 : key_length); - auto make_key = [&](size_t len) { - std::string ret; - for (size_t i = 0; i < len; i++) { - ret.push_back(static_cast(char_distribution(prng))); - } - return ret; - }; - std::vector keys; - for (int i = 0; i < num_keys; i++) { - std::string key = make_key(key_length_distribution(prng)); - keys.push_back(std::move(key)); - } - typedBmTrieLookups(state, keys); -} - -static void bmTrieLookups(benchmark::State& s) { - typedBmTrieLookups>(s); -} - -#define ADD_HEADER_TO_KEYS(name) keys.emplace_back(Http::Headers::get().name); -static void bmTrieLookupsRequestHeaders(benchmark::State& s) { - std::vector keys; - INLINE_REQ_HEADERS(ADD_HEADER_TO_KEYS); - typedBmTrieLookups>(s, keys); -} -static void bmTrieLookupsResponseHeaders(benchmark::State& s) { - std::vector keys; - INLINE_RESP_HEADERS(ADD_HEADER_TO_KEYS); - typedBmTrieLookups>(s, keys); -} - -BENCHMARK(bmTrieLookupsRequestHeaders); -BENCHMARK(bmTrieLookupsResponseHeaders); -BENCHMARK(bmTrieLookups)->ArgsProduct({{10, 100, 1000, 10000}, {0, 8, 128}}); - -} // namespace Envoy diff --git a/test/common/common/trie_lookup_table_test.cc b/test/common/common/trie_lookup_table_test.cc deleted file mode 100644 index a36a21c486868..0000000000000 --- a/test/common/common/trie_lookup_table_test.cc +++ /dev/null @@ -1,92 +0,0 @@ -#include "source/common/common/trie_lookup_table.h" - -#include "gmock/gmock.h" -#include "gtest/gtest.h" - -using testing::ElementsAre; - -namespace Envoy { - -TEST(TrieLookupTable, AddItems) { - TrieLookupTable trie; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - - EXPECT_TRUE(trie.add("foo", cstr_a)); - EXPECT_TRUE(trie.add("bar", cstr_b)); - EXPECT_EQ(cstr_a, trie.find("foo")); - EXPECT_EQ(cstr_b, trie.find("bar")); - - // overwrite_existing = false - EXPECT_FALSE(trie.add("foo", cstr_c, false)); - EXPECT_EQ(cstr_a, trie.find("foo")); - - // overwrite_existing = true - EXPECT_TRUE(trie.add("foo", cstr_c)); - EXPECT_EQ(cstr_c, trie.find("foo")); -} - -TEST(TrieLookupTable, LongestPrefix) { - TrieLookupTable trie; - const char* cstr_a = "a"; - const char* cstr_b = "b"; - const char* cstr_c = "c"; - const char* cstr_d = "d"; - const char* cstr_e = "e"; - const char* cstr_f = "f"; - - EXPECT_TRUE(trie.add("foo", cstr_a)); - EXPECT_TRUE(trie.add("bar", cstr_b)); - EXPECT_TRUE(trie.add("baro", cstr_c)); - EXPECT_TRUE(trie.add("foo/bar", cstr_d)); - // Verify that prepending and appending branches to a node both work. - EXPECT_TRUE(trie.add("barn", cstr_e)); - EXPECT_TRUE(trie.add("barp", cstr_f)); - - EXPECT_EQ(cstr_a, trie.find("foo")); - EXPECT_EQ(cstr_a, trie.findLongestPrefix("foo")); - EXPECT_THAT(trie.findMatchingPrefixes("foo"), ElementsAre(cstr_a)); - EXPECT_EQ(cstr_a, trie.findLongestPrefix("foosball")); - EXPECT_THAT(trie.findMatchingPrefixes("foosball"), ElementsAre(cstr_a)); - EXPECT_EQ(cstr_a, trie.findLongestPrefix("foo/")); - EXPECT_THAT(trie.findMatchingPrefixes("foo/"), ElementsAre(cstr_a)); - EXPECT_EQ(cstr_d, trie.findLongestPrefix("foo/bar")); - EXPECT_THAT(trie.findMatchingPrefixes("foo/bar"), ElementsAre(cstr_a, cstr_d)); - EXPECT_EQ(cstr_d, trie.findLongestPrefix("foo/bar/zzz")); - EXPECT_THAT(trie.findMatchingPrefixes("foo/bar/zzz"), ElementsAre(cstr_a, cstr_d)); - - EXPECT_EQ(cstr_b, trie.find("bar")); - EXPECT_EQ(cstr_b, trie.findLongestPrefix("bar")); - EXPECT_THAT(trie.findMatchingPrefixes("bar"), ElementsAre(cstr_b)); - EXPECT_EQ(cstr_b, trie.findLongestPrefix("baritone")); - EXPECT_THAT(trie.findMatchingPrefixes("baritone"), ElementsAre(cstr_b)); - EXPECT_EQ(cstr_c, trie.findLongestPrefix("barometer")); - EXPECT_THAT(trie.findMatchingPrefixes("barometer"), ElementsAre(cstr_b, cstr_c)); - - EXPECT_EQ(cstr_e, trie.find("barn")); - EXPECT_EQ(cstr_e, trie.findLongestPrefix("barnacle")); - EXPECT_THAT(trie.findMatchingPrefixes("barnacle"), ElementsAre(cstr_b, cstr_e)); - - EXPECT_EQ(cstr_f, trie.find("barp")); - EXPECT_EQ(cstr_f, trie.findLongestPrefix("barpomus")); - EXPECT_THAT(trie.findMatchingPrefixes("barpomus"), ElementsAre(cstr_b, cstr_f)); - - EXPECT_EQ(nullptr, trie.find("toto")); - EXPECT_EQ(nullptr, trie.findLongestPrefix("toto")); - EXPECT_THAT(trie.findMatchingPrefixes("toto"), ElementsAre()); - EXPECT_EQ(nullptr, trie.find(" ")); - EXPECT_EQ(nullptr, trie.findLongestPrefix(" ")); - EXPECT_THAT(trie.findMatchingPrefixes(" "), ElementsAre()); -} - -TEST(TrieLookupTable, VeryDeepTrieDoesNotStackOverflowOnDestructor) { - TrieLookupTable trie; - const char* cstr_a = "a"; - - std::string key_a(20960, 'a'); - EXPECT_TRUE(trie.add(key_a, cstr_a)); - EXPECT_EQ(cstr_a, trie.find(key_a)); -} - -} // namespace Envoy From 074e0a282150482bfef1293b11d72aa3958dab11 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Mon, 18 Aug 2025 15:24:18 -0400 Subject: [PATCH 247/505] ext_proc: support mode override from None to FULL_DUPLEX_STREAMED (#40687) Fix https://github.com/envoyproxy/envoy/issues/40340 When mode is overridden into FULL_DUPLEX_STREAMED, the buffered body has to be sent to the ext_proc server. --------- Signed-off-by: Yanjun Xiang --- .../filters/http/ext_proc/processor_state.cc | 19 ++--- .../ext_proc/ext_proc_integration_test.cc | 83 +++++++++++++++++++ 2 files changed, 92 insertions(+), 10 deletions(-) diff --git a/source/extensions/filters/http/ext_proc/processor_state.cc b/source/extensions/filters/http/ext_proc/processor_state.cc index 65fc531eb99e0..62830935b5534 100644 --- a/source/extensions/filters/http/ext_proc/processor_state.cc +++ b/source/extensions/filters/http/ext_proc/processor_state.cc @@ -90,17 +90,20 @@ bool ProcessorState::restartMessageTimer(const uint32_t message_timeout_ms) { } } +// Process the data being buffered in STREAMED or FULL_DUPLEX_STREAMED mode. void ProcessorState::sendBufferedDataInStreamedMode(bool end_stream) { - // Process the data being buffered in streaming mode. - // Move the current buffer into the queue for remote processing and clear the buffered data. if (hasBufferedData()) { Buffer::OwnedImpl buffered_chunk; modifyBufferedData([&buffered_chunk](Buffer::Instance& data) { buffered_chunk.move(data); }); ENVOY_STREAM_LOG(debug, "Sending a chunk of buffered data ({})", *filter_callbacks_, buffered_chunk.length()); - // Need to first enqueue the data into the chunk queue before sending. auto req = filter_.setupBodyChunk(*this, buffered_chunk, end_stream); - enqueueStreamingChunk(buffered_chunk, end_stream); + if (body_mode_ != ProcessingMode::FULL_DUPLEX_STREAMED) { + // Move the current buffer into the queue for remote processing and clear the buffered data. + enqueueStreamingChunk(buffered_chunk, end_stream); + } else { + buffered_chunk.drain(buffered_chunk.length()); + } filter_.sendBodyChunk(*this, ProcessorState::CallbackState::StreamedBodyCallback, req); } if (queueBelowLowLimit()) { @@ -224,16 +227,12 @@ absl::Status ProcessorState::handleHeaderContinue(const HeadersResponse& respons clearWatermark(); filter_.onProcessHeadersResponse(response, absl::OkStatus(), trafficDirection()); return absl::OkStatus(); - } else if (body_mode_ == ProcessingMode::STREAMED) { + } else if (body_mode_ == ProcessingMode::STREAMED || + body_mode_ == ProcessingMode::FULL_DUPLEX_STREAMED) { sendBufferedDataInStreamedMode(false); filter_.onProcessHeadersResponse(response, absl::OkStatus(), trafficDirection()); continueIfNecessary(); return absl::OkStatus(); - } else if (body_mode_ == ProcessingMode::FULL_DUPLEX_STREAMED) { - // There is no buffered data in this mode. - filter_.onProcessHeadersResponse(response, absl::OkStatus(), trafficDirection()); - continueIfNecessary(); - return absl::OkStatus(); } else if (body_mode_ == ProcessingMode::BUFFERED_PARTIAL) { return handleBufferedPartialMode(response); } diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 610dcd416099f..37d4bbee7d1b4 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -5890,6 +5890,89 @@ TEST_P(ExtProcIntegrationTest, RequestHeaderModeIgnoredInModeOverrideComparison) verifyDownstreamResponse(*response, 200); } +TEST_P(ExtProcIntegrationTest, ModeOverrideNoneToFullDuplex) { + proto_config_.mutable_processing_mode()->set_response_header_mode(ProcessingMode::SKIP); + proto_config_.set_allow_mode_override(true); + initializeConfig(); + HttpIntegrationTest::initialize(); + + std::string body_str = std::string(10, 'a'); + std::string upstream_body_str = std::string(5, 'b'); + auto response = sendDownstreamRequestWithBody(body_str, absl::nullopt); + // Process request header message. + processGenericMessage( + *grpc_upstreams_[0], true, [](const ProcessingRequest&, ProcessingResponse& resp) { + resp.mutable_request_headers(); + resp.mutable_mode_override()->set_request_body_mode(ProcessingMode::FULL_DUPLEX_STREAMED); + return true; + }); + + processRequestBodyMessage( + *grpc_upstreams_[0], false, + [&body_str, &upstream_body_str](const HttpBody& body, BodyResponse& resp) { + EXPECT_TRUE(body.end_of_stream()); + EXPECT_EQ(body.body(), body_str); + auto* streamed_response = + resp.mutable_response()->mutable_body_mutation()->mutable_streamed_response(); + streamed_response->set_body(upstream_body_str); + streamed_response->set_end_of_stream(true); + return true; + }); + handleUpstreamRequest(); + EXPECT_EQ(upstream_request_->body().toString(), upstream_body_str); + verifyDownstreamResponse(*response, 200); +} + +TEST_P(ExtProcIntegrationTest, NoneToFullDuplexMoreDataAfterModeOverride) { + proto_config_.mutable_processing_mode()->set_response_header_mode(ProcessingMode::SKIP); + proto_config_.set_allow_mode_override(true); + initializeConfig(); + HttpIntegrationTest::initialize(); + + codec_client_ = makeHttpConnection(lookupPort("http")); + Http::TestRequestHeaderMapImpl headers; + HttpTestUtility::addDefaultHeaders(headers); + auto encoder_decoder = codec_client_->startRequest(headers); + request_encoder_ = &encoder_decoder.first; + codec_client_->sendData(*request_encoder_, 10, false); + IntegrationStreamDecoderPtr response = std::move(encoder_decoder.second); + // Process request header message. + processGenericMessage( + *grpc_upstreams_[0], true, [](const ProcessingRequest&, ProcessingResponse& resp) { + resp.mutable_request_headers(); + resp.mutable_mode_override()->set_request_body_mode(ProcessingMode::FULL_DUPLEX_STREAMED); + return true; + }); + + processRequestBodyMessage( + *grpc_upstreams_[0], false, [](const HttpBody& body, BodyResponse& resp) { + EXPECT_FALSE(body.end_of_stream()); + EXPECT_EQ(body.body().size(), 10); + auto* streamed_response = + resp.mutable_response()->mutable_body_mutation()->mutable_streamed_response(); + streamed_response->set_body("bbbbb"); + streamed_response->set_end_of_stream(false); + return true; + }); + + codec_client_->sendData(*request_encoder_, 20, true); + + processRequestBodyMessage( + *grpc_upstreams_[0], false, [](const HttpBody& body, BodyResponse& resp) { + EXPECT_TRUE(body.end_of_stream()); + EXPECT_EQ(body.body().size(), 20); + auto* streamed_response = + resp.mutable_response()->mutable_body_mutation()->mutable_streamed_response(); + streamed_response->set_body("0123456789"); + streamed_response->set_end_of_stream(true); + return true; + }); + + handleUpstreamRequest(); + EXPECT_EQ(upstream_request_->body().toString(), "bbbbb0123456789"); + verifyDownstreamResponse(*response, 200); +} + TEST_P(ExtProcIntegrationTest, BufferedModeOverSizeRequestLocalReply) { proto_config_.mutable_processing_mode()->set_request_body_mode(ProcessingMode::BUFFERED); proto_config_.mutable_processing_mode()->set_response_header_mode(ProcessingMode::SKIP); From 69fe44b9ddb82fe10b1ff0e23d491323756c34f9 Mon Sep 17 00:00:00 2001 From: code Date: Tue, 19 Aug 2025 06:29:48 +0700 Subject: [PATCH 248/505] http: fix a bug where premature resets may result in recursive drain (#40714) --- changelogs/current.yaml | 5 ++ source/common/http/conn_manager_impl.cc | 21 ++++++ source/common/http/conn_manager_impl.h | 3 + .../multiplexed_integration_test.cc | 71 ++++++++++++++++++- 4 files changed, 99 insertions(+), 1 deletion(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 328ebd4958aed..1335481ea7766 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -48,6 +48,11 @@ bug_fixes: Fixed a bug where access log gets skipped for HTTP/3 requests when the stream is half closed. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream`` to ``false``. +- area: http + change: | + Fixed a bug where the premature resets of streams may result in the recursive draining and potential + stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate + the risk of the stack overflow before this fix. - area: listeners change: | Fixed issue where :ref:`TLS inspector listener filter ` timed out diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index 3432bcff4ff81..81df610026576 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -681,6 +681,23 @@ bool ConnectionManagerImpl::isPrematureRstStream(const ActiveStream& stream) con // Sends a GOAWAY if too many streams have been reset prematurely on this // connection. void ConnectionManagerImpl::maybeDrainDueToPrematureResets() { + // If the connection has been drained due to premature resets, do not check this again. + // Without this flag, recursion may occur, as shown in the following stack trace: + // + // maybeDrainDueToPrematureResets() + // doConnectionClose() + // resetAllStreams() + // onResetStream() + // doDeferredStreamDestroy() + // maybeDrainDueToPrematureResets() + // ... + // + // The recursion will continue until all streams are destroyed. If there are many streams + // that may result in a stack overflow. This flag is used to avoid above recursion. + if (drained_due_to_premature_resets_) { + return; + } + if (closed_non_internally_destroyed_requests_ == 0) { return; } @@ -703,6 +720,10 @@ void ConnectionManagerImpl::maybeDrainDueToPrematureResets() { if (read_callbacks_->connection().state() == Network::Connection::State::Open) { stats_.named_.downstream_rq_too_many_premature_resets_.inc(); + + // Mark the the connection has been drained due to too many premature resets. + drained_due_to_premature_resets_ = true; + doConnectionClose(Network::ConnectionCloseType::Abort, absl::nullopt, "too_many_premature_resets"); } diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h index 955b3443630f2..db0aad3e6ed6c 100644 --- a/source/common/http/conn_manager_impl.h +++ b/source/common/http/conn_manager_impl.h @@ -672,6 +672,9 @@ class ConnectionManagerImpl : Logger::Loggable, // request was incomplete at response completion, the stream is reset. const bool allow_upstream_half_close_{}; + + // Whether the connection manager is drained due to premature resets. + bool drained_due_to_premature_resets_{false}; }; } // namespace Http diff --git a/test/integration/multiplexed_integration_test.cc b/test/integration/multiplexed_integration_test.cc index 1c6db190d84fe..558974d6380cc 100644 --- a/test/integration/multiplexed_integration_test.cc +++ b/test/integration/multiplexed_integration_test.cc @@ -104,6 +104,14 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, MultiplexedIntegrationTestWithSimulatedTime {Http::CodecType::HTTP1})), HttpProtocolIntegrationTest::protocolTestParamsToString); +class MultiplexedIntegrationTestWithSimulatedTimeHttp2Only : public Event::TestUsingSimulatedTime, + public MultiplexedIntegrationTest {}; + +INSTANTIATE_TEST_SUITE_P(IpVersions, MultiplexedIntegrationTestWithSimulatedTimeHttp2Only, + testing::ValuesIn(HttpProtocolIntegrationTest::getProtocolTestParams( + {Http::CodecType::HTTP2}, {Http::CodecType::HTTP2})), + HttpProtocolIntegrationTest::protocolTestParamsToString); + TEST_P(MultiplexedIntegrationTest, RouterRequestAndResponseWithBodyNoBuffer) { testRouterRequestAndResponseWithBody(1024, 512, false, false); } @@ -1261,7 +1269,7 @@ TEST_P(MultiplexedIntegrationTestWithSimulatedTime, GoAwayAfterTooManyResets) { test_server_->waitForCounterEq("http.config_test.downstream_rq_too_many_premature_resets", 1); } -TEST_P(MultiplexedIntegrationTestWithSimulatedTime, GoAwayQuicklyAfterTooManyResets) { +TEST_P(MultiplexedIntegrationTestWithSimulatedTimeHttp2Only, GoAwayQuicklyAfterTooManyResets) { EXCLUDE_DOWNSTREAM_HTTP3; // Need to wait for the server to reset the stream // before opening new one. const int total_streams = 100; @@ -1287,6 +1295,67 @@ TEST_P(MultiplexedIntegrationTestWithSimulatedTime, GoAwayQuicklyAfterTooManyRes test_server_->waitForCounterEq("http.config_test.downstream_rq_too_many_premature_resets", 1); } +TEST_P(MultiplexedIntegrationTestWithSimulatedTimeHttp2Only, TooManyRequestResetAndNoRecursion) { + if (downstreamProtocol() != Http::CodecType::HTTP2 || + upstreamProtocol() != Http::CodecType::HTTP2) { + // This test is only valid for HTTP/2 and HTTP/3. + return; + } + + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + bootstrap.mutable_static_resources() + ->mutable_clusters(0) + ->mutable_circuit_breakers() + ->add_thresholds() + ->mutable_max_requests() + ->set_value(60000); + }); + + config_helper_.addRuntimeOverride("overload.premature_reset_total_stream_count", + absl::StrCat(100)); + + autonomous_upstream_ = true; + autonomous_allow_incomplete_streams_ = true; + initialize(); + + Http::TestRequestHeaderMapImpl headers{ + {":method", "GET"}, {":path", "/healthcheck"}, {":scheme", "http"}, {":authority", "host"}}; + codec_client_ = makeHttpConnection(lookupPort("http")); + + const int pending_streams = 1800; // 18000 in local or this consume too much resource. + std::vector> encoder_decoders; + encoder_decoders.reserve(pending_streams); + + const int pending_streams_per_iteration = pending_streams / 4; + for (size_t i = 0; i < 4; i++) { + for (size_t j = 0; j < pending_streams_per_iteration; ++j) { + // Send and wait + encoder_decoders.emplace_back(codec_client_->startRequest(headers)); + } + test_server_->waitForCounterEq("http.config_test.downstream_rq_total", + pending_streams_per_iteration * (i + 1), + TestUtility::DefaultTimeout * 5); + } + + // Reset 50 streams and then the connection should be closed because too much premature resets. + // All streams should be reset correctly without recursion. + for (int i = 0; i < 50; ++i) { + // Send and reset + auto encoder_decoder = codec_client_->startRequest(headers); + request_encoder_ = &encoder_decoder.first; + auto response = std::move(encoder_decoder.second); + codec_client_->sendReset(*request_encoder_); + ASSERT_TRUE(response->waitForReset()); + } + + // Envoy should disconnect client due to premature reset check + ASSERT_TRUE(codec_client_->waitForDisconnect()); + test_server_->waitForCounterEq("http.config_test.downstream_rq_rx_reset", pending_streams + 50, + TestUtility::DefaultTimeout * 5); + // If there is recursion, this result won't be 1. + test_server_->waitForCounterEq("http.config_test.downstream_rq_too_many_premature_resets", 1); +} + TEST_P(MultiplexedIntegrationTestWithSimulatedTime, DontGoAwayAfterTooManyResetsForLongStreams) { EXCLUDE_DOWNSTREAM_HTTP3; // Need to wait for the server to reset the stream // before opening new one. From bbb6816483c0a1409bba615508618ccbf0e967cb Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 19 Aug 2025 11:12:01 +0100 Subject: [PATCH 249/505] bazel/deps: Add zipkin to opentelemetry allow list (#40772) Signed-off-by: Ryan Northey --- bazel/repository_locations.bzl | 1 + 1 file changed, 1 insertion(+) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index c04a77599be38..b573a6f15ec27 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -612,6 +612,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( "envoy.tracers.opentelemetry.samplers.cel", "envoy.tracers.opentelemetry.samplers.parent_based", "envoy.tracers.opentelemetry.samplers.trace_id_ratio_based", + "envoy.tracers.zipkin", ], release_date = "2025-07-11", cpe = "N/A", From 34260a94f0417288ebd9418955f991f800d7ad9b Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 12:29:50 +0100 Subject: [PATCH 250/505] deps: Bump `envoy_examples` -> 0.1.2 (#40775) Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index b573a6f15ec27..dc573f360cab3 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -97,12 +97,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "envoy_examples", project_desc = "Envoy proxy examples", project_url = "https://github.com/envoyproxy/examples", - version = "0.1.1", - sha256 = "fe8bfa1530c57c7da321eeb5fe0c7ef15789ab8793a82b7e206cefb2f98916b0", + version = "0.1.2", + sha256 = "42b005266f1a6650bd215afe34c8ec3086cfd1f8c7337dbc873fa336c57ac720", strip_prefix = "examples-{version}", urls = ["https://github.com/envoyproxy/examples/archive/v{version}.tar.gz"], use_category = ["test_only"], - release_date = "2025-07-21", + release_date = "2025-08-19", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/envoyproxy/examples/blob/v{version}/LICENSE", From e53336985da615f1c7cf30ad5c61309d129018be Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 19 Aug 2025 12:39:12 +0100 Subject: [PATCH 251/505] docker/release: Bump distroless -> 6fe9fd5 (#40756) Signed-off-by: Ryan Northey --- distribution/docker/Dockerfile-envoy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy index b6703daf03a8d..d1252a5732360 100644 --- a/distribution/docker/Dockerfile-envoy +++ b/distribution/docker/Dockerfile-envoy @@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \ # STAGE: envoy-distroless -FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:9a1c8b2ff7412ea80ca8c531eb7542e0e7766c8cf79489a8f0f31f0aa341c0fe AS envoy-distroless +FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:6fe9fd551fab9d442b7ee7096b8fcf286047ff91bac31bc577270bb77afa0184 AS envoy-distroless EXPOSE 10000 ENTRYPOINT ["/usr/local/bin/envoy"] CMD ["-c", "/etc/envoy/envoy.yaml"] From 4a060ee67c088e0340e0072ab9e7e25e63d599ad Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 19 Aug 2025 12:39:26 +0100 Subject: [PATCH 252/505] docker/release: Bump Ubuntu image -> 1aa979d (#40755) Signed-off-by: Ryan Northey --- distribution/docker/Dockerfile-envoy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy index d1252a5732360..fc5dd5cfd6902 100644 --- a/distribution/docker/Dockerfile-envoy +++ b/distribution/docker/Dockerfile-envoy @@ -1,6 +1,6 @@ ARG BUILD_OS=ubuntu ARG BUILD_TAG=22.04 -ARG BUILD_SHA=1ec65b2719518e27d4d25f104d93f9fac60dc437f81452302406825c46fcc9cb +ARG BUILD_SHA=1aa979d85661c488ce030ac292876cf6ed04535d3a237e49f61542d8e5de5ae0 ARG ENVOY_VRP_BASE_IMAGE=envoy-base From 45540d3e64d2a42cdfc6e772686428732dd8871d Mon Sep 17 00:00:00 2001 From: danzh Date: Tue, 19 Aug 2025 14:29:10 -0400 Subject: [PATCH 253/505] mobile: AndroidNetworkMonitorV2 support Android API versions below 26 (#40790) Commit Message: added a BroadcastReceiver callback in AndroidNetworkMonitorV2 to listen for default network changes on Android SDK versions below Oreo (API level 26). Also lower min SDK version from 26 to 23. Additional Description: AndroidNetworkMonitor also calls `registerDefaultNetworkCallback()` which is only supported on version 24 (N) and above. So this PR has to add version guard around the call. Unfortunately AndroidNetworkMonitor will not handle network change event on devices below version N, but we will replace it with AndroidNetworkMonitorV2 soon. Risk Level: low Testing: new unit test pass Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- mobile/bazel/android_artifacts.bzl | 2 +- mobile/bazel/test_manifest.xml | 2 +- .../java/hello_world/AndroidManifest.xml | 2 +- .../kotlin/hello_world/AndroidManifest.xml | 2 +- .../kotlin/shared/AndroidManifest.xml | 2 +- .../engine/AndroidEngineManifest.xml | 2 +- .../engine/AndroidNetworkMonitor.java | 7 +- .../engine/AndroidNetworkMonitorV2.java | 75 ++++++++++++++++--- .../utilities/UtilitiesManifest.xml | 2 +- .../org/chromium/net/ChromiumNetManifest.xml | 2 +- .../org/chromium/net/impl/CronvoyManifest.xml | 2 +- .../urlconnection/URLConnectionManifest.xml | 2 +- .../envoyproxy/envoymobile/EnvoyManifest.xml | 2 +- .../engine/AndroidNetworkMonitorV2Test.java | 28 ++++++- .../kotlin/apps/baseline/AndroidManifest.xml | 2 +- .../apps/experimental/AndroidManifest.xml | 2 +- 16 files changed, 111 insertions(+), 25 deletions(-) diff --git a/mobile/bazel/android_artifacts.bzl b/mobile/bazel/android_artifacts.bzl index d2e63cfbf39d1..f2885d18a586f 100644 --- a/mobile/bazel/android_artifacts.bzl +++ b/mobile/bazel/android_artifacts.bzl @@ -308,7 +308,7 @@ def _manifest(package_name): package="{}" > """.format(package_name) diff --git a/mobile/bazel/test_manifest.xml b/mobile/bazel/test_manifest.xml index 2176226b2013d..da03dbd55d9f5 100644 --- a/mobile/bazel/test_manifest.xml +++ b/mobile/bazel/test_manifest.xml @@ -7,6 +7,6 @@ diff --git a/mobile/examples/java/hello_world/AndroidManifest.xml b/mobile/examples/java/hello_world/AndroidManifest.xml index 3bcd50ef8bf2c..761c180a60c7c 100644 --- a/mobile/examples/java/hello_world/AndroidManifest.xml +++ b/mobile/examples/java/hello_world/AndroidManifest.xml @@ -8,7 +8,7 @@ diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineManifest.xml b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineManifest.xml index c77e3bede5324..af8b382f5f36a 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineManifest.xml +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineManifest.xml @@ -2,7 +2,7 @@ diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitor.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitor.java index eaba27e9fe345..19e2f26aa31ee 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitor.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitor.java @@ -11,6 +11,7 @@ import android.net.Network; import android.net.NetworkCapabilities; import android.net.NetworkInfo; +import android.os.Build; import android.telephony.TelephonyManager; import androidx.annotation.NonNull; @@ -198,8 +199,10 @@ private AndroidNetworkMonitor(Context context, EnvoyEngine envoyEngine, connectivityManager = (ConnectivityManager)context.getSystemService(Context.CONNECTIVITY_SERVICE); - connectivityManager.registerDefaultNetworkCallback( - new DefaultNetworkCallback(envoyEngine, connectivityManager, useNetworkChangeEvent)); + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) { + connectivityManager.registerDefaultNetworkCallback( + new DefaultNetworkCallback(envoyEngine, connectivityManager, useNetworkChangeEvent)); + } } /** @returns The singleton instance of {@link AndroidNetworkMonitor}. */ diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java index 1dc6bcf851ee1..63061605816ce 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java @@ -9,7 +9,10 @@ import android.Manifest; import android.annotation.SuppressLint; +import android.content.BroadcastReceiver; import android.content.Context; +import android.content.Intent; +import android.content.IntentFilter; import android.content.pm.PackageManager; import android.net.ConnectivityManager; import android.net.ConnectivityManager.NetworkCallback; @@ -172,6 +175,10 @@ public EnvoyConnectionType getEnvoyConnectionType() { private NetworkRequest mNetworkRequest; private NetworkState mNetworkState; private boolean mRegistered = false; + private IntentFilter mIntentFilter; + private Context mApplicationContext; + private BroadcastReceiver mBroadcastReceiver; + private boolean mIgnoreNextBroadcast = false; public static void load(Context context, EnvoyEngine envoyEngine) { if (mInstance != null) { @@ -292,8 +299,7 @@ public long getDefaultNetId() { /** Returns the current default {@link Network}, or {@code null} if disconnected. */ private Network getDefaultNetwork() { - Network defaultNetwork = null; - defaultNetwork = mConnectivityManager.getActiveNetwork(); + Network defaultNetwork = mConnectivityManager.getActiveNetwork(); if (defaultNetwork != null) { return defaultNetwork; } @@ -698,6 +704,22 @@ public void run() { } } + private class ConnectivityBroadcastReceiver extends BroadcastReceiver { + @Override + public void onReceive(Context context, Intent intent) { + runOnThread(new Runnable() { + @Override + public void run() { + if (mIgnoreNextBroadcast) { + mIgnoreNextBroadcast = false; + return; + } + onNetworkStateChangedTo(getDefaultNetworkState(), getDefaultNetId()); + } + }); + } + } + private void onNetworkStateChangedTo(NetworkState networkState, long netId) { assert mNetworkState != null; if (networkState.getEnvoyConnectionType() != mNetworkState.getEnvoyConnectionType() || @@ -710,6 +732,7 @@ private void onNetworkStateChangedTo(NetworkState networkState, long netId) { } private AndroidNetworkMonitorV2(Context context, EnvoyEngine envoyEngine) { + mApplicationContext = context.getApplicationContext(); int permission = ContextCompat.checkSelfPermission(context, Manifest.permission.ACCESS_NETWORK_STATE); if (permission == PackageManager.PERMISSION_DENIED) { @@ -726,7 +749,9 @@ private AndroidNetworkMonitorV2(Context context, EnvoyEngine envoyEngine) { (ConnectivityManager)context.getSystemService(Context.CONNECTIVITY_SERVICE); mLooper = Looper.myLooper(); mHandler = new Handler(mLooper); - mDefaultNetworkCallback = new DefaultNetworkCallback(); + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) { + mDefaultNetworkCallback = new DefaultNetworkCallback(); + } mAllNetworksCallback = new AllNetworksCallback(); mNetworkRequest = new NetworkRequest.Builder() .addCapability(NET_CAPABILITY_INTERNET) @@ -734,6 +759,9 @@ private AndroidNetworkMonitorV2(Context context, EnvoyEngine envoyEngine) { .removeCapability(NET_CAPABILITY_NOT_VPN) .build(); mNetworkState = getDefaultNetworkState(); + mIntentFilter = new IntentFilter(ConnectivityManager.CONNECTIVITY_ACTION); + // Used when mDefaultNetworkCallback is null. + mBroadcastReceiver = new ConnectivityBroadcastReceiver(); registerNetworkCallbacks(false); } @@ -746,10 +774,23 @@ public void registerNetworkCallbacks(boolean shouldSignalDefaultNetworkChange) { } if (mDefaultNetworkCallback != null) { - try { - mConnectivityManager.registerDefaultNetworkCallback(mDefaultNetworkCallback); - } catch (RuntimeException e) { - mDefaultNetworkCallback = null; + // This is only reachable for Android O+. + // If registration fails, mDefaultNetworkCallback will be reset. + maybeRegisterDefaultNetworkCallback(); + } + if (mDefaultNetworkCallback == null) { + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) { + // When registering for a sticky broadcast, like CONNECTIVITY_ACTION, if + // registerReceiver returns non-null, it means the broadcast was previously issued + // and onReceive() will be immediately called with this previous Intent. Since this + // initial callback doesn't actually indicate a network change, we can ignore it. + mIgnoreNextBroadcast = (mApplicationContext.registerReceiver( + mBroadcastReceiver, mIntentFilter, /*permission*/ null, + mHandler, /*flags*/ 0) != null); + } else { + mIgnoreNextBroadcast = + (mApplicationContext.registerReceiver(mBroadcastReceiver, mIntentFilter, + /*permission*/ null, mHandler) != null); } } mRegistered = true; @@ -757,8 +798,12 @@ public void registerNetworkCallbacks(boolean shouldSignalDefaultNetworkChange) { if (mAllNetworksCallback != null) { mAllNetworksCallback.initializeVpnInPlace(); try { - mConnectivityManager.registerNetworkCallback(mNetworkRequest, mAllNetworksCallback, - mHandler); + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) { + mConnectivityManager.registerNetworkCallback(mNetworkRequest, mAllNetworksCallback, + mHandler); + } else { + mConnectivityManager.registerNetworkCallback(mNetworkRequest, mAllNetworksCallback); + } } catch (RuntimeException e) { // If Android thinks this app has used up all available NetworkRequests, don't // bother trying to register any more callbacks as Android will still think @@ -784,6 +829,16 @@ public void registerNetworkCallbacks(boolean shouldSignalDefaultNetworkChange) { } } + // This is guaranteed to be called only for Android O+. + @SuppressLint("NewApi") + private void maybeRegisterDefaultNetworkCallback() { + try { + mConnectivityManager.registerDefaultNetworkCallback(mDefaultNetworkCallback); + } catch (RuntimeException e) { + mDefaultNetworkCallback = null; + } + } + public void unregisterNetworkCallbacks() { assert onThread(); if (!mRegistered) @@ -794,6 +849,8 @@ public void unregisterNetworkCallbacks() { } if (mDefaultNetworkCallback != null) { mConnectivityManager.unregisterNetworkCallback(mDefaultNetworkCallback); + } else { + mApplicationContext.unregisterReceiver(mBroadcastReceiver); } } } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/UtilitiesManifest.xml b/mobile/library/java/io/envoyproxy/envoymobile/utilities/UtilitiesManifest.xml index 735bcdad9756b..4db455f49c8b4 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/UtilitiesManifest.xml +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/UtilitiesManifest.xml @@ -2,7 +2,7 @@ diff --git a/mobile/library/java/org/chromium/net/ChromiumNetManifest.xml b/mobile/library/java/org/chromium/net/ChromiumNetManifest.xml index bd37d29766181..46a9bb48f66dc 100644 --- a/mobile/library/java/org/chromium/net/ChromiumNetManifest.xml +++ b/mobile/library/java/org/chromium/net/ChromiumNetManifest.xml @@ -2,7 +2,7 @@ diff --git a/mobile/library/java/org/chromium/net/impl/CronvoyManifest.xml b/mobile/library/java/org/chromium/net/impl/CronvoyManifest.xml index 9f12f96b1a7ae..2ec90bc6dc1bd 100644 --- a/mobile/library/java/org/chromium/net/impl/CronvoyManifest.xml +++ b/mobile/library/java/org/chromium/net/impl/CronvoyManifest.xml @@ -2,7 +2,7 @@ diff --git a/mobile/library/java/org/chromium/net/urlconnection/URLConnectionManifest.xml b/mobile/library/java/org/chromium/net/urlconnection/URLConnectionManifest.xml index 94feae1f3d065..ce017fe44da19 100644 --- a/mobile/library/java/org/chromium/net/urlconnection/URLConnectionManifest.xml +++ b/mobile/library/java/org/chromium/net/urlconnection/URLConnectionManifest.xml @@ -2,6 +2,6 @@ diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/EnvoyManifest.xml b/mobile/library/kotlin/io/envoyproxy/envoymobile/EnvoyManifest.xml index 90e95d8149fb3..9b6186d0801e2 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/EnvoyManifest.xml +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/EnvoyManifest.xml @@ -2,7 +2,7 @@ diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2Test.java b/mobile/test/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2Test.java index 16b80675c42e8..d05cce6a8b6ca 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2Test.java +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2Test.java @@ -11,6 +11,7 @@ import static org.robolectric.Shadows.shadowOf; import android.content.Context; +import android.content.Intent; import android.Manifest; import android.net.ConnectivityManager; import android.net.NetworkCapabilities; @@ -22,6 +23,7 @@ import androidx.test.rule.GrantPermissionRule; import static androidx.test.core.app.ApplicationProvider.getApplicationContext; import android.os.Build; +import android.os.Looper; import org.junit.After; import org.junit.Before; @@ -44,6 +46,8 @@ * Tests functionality of AndroidNetworkMonitorV2 */ @RunWith(RobolectricTestRunner.class) +// Individual tests may override this to test different Android SDK versions. +@Config(sdk = Build.VERSION_CODES.O) public class AndroidNetworkMonitorV2Test { @Rule public GrantPermissionRule mRuntimePermissionRule = @@ -62,7 +66,12 @@ public void setUp() { connectivityManager = androidNetworkMonitor.getConnectivityManager(); networkCapabilities = connectivityManager.getNetworkCapabilities(connectivityManager.getActiveNetwork()); - assertThat(shadowOf(connectivityManager).getNetworkCallbacks()).hasSize(2); + int expectedNetworkCallbackSize = 2; + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) { + expectedNetworkCallbackSize = 1; + } + assertThat(shadowOf(connectivityManager).getNetworkCallbacks()) + .hasSize(expectedNetworkCallbackSize); } @After @@ -246,4 +255,21 @@ public void testOnDefaultNetworkChangedVPN() { .onDefaultNetworkChangedV2(EnvoyConnectionType.CONNECTION_WIFI, activeNetwork.getNetworkHandle()); } + + // Tests that the broadcast receiver is triggered when the default network changes from cell to + // WIFI on Android M. + @Test + @Config(sdk = Build.VERSION_CODES.M) + public void testBroadcastReceiver() { + Network activeNetwork = triggerDefaultNetworkChange(NetworkCapabilities.TRANSPORT_WIFI, + ConnectivityManager.TYPE_WIFI, 0); + Context context = InstrumentationRegistry.getInstrumentation().getTargetContext(); + Intent intent = new Intent(ConnectivityManager.CONNECTIVITY_ACTION); + context.sendBroadcast(intent); + // Robolectric doesn't seem to run the receiver in the main looper, so we need to idle it. + shadowOf(Looper.getMainLooper()).idle(); + verify(mockEnvoyEngine) + .onDefaultNetworkChangedV2(EnvoyConnectionType.CONNECTION_WIFI, + activeNetwork.getNetworkHandle()); + } } diff --git a/mobile/test/kotlin/apps/baseline/AndroidManifest.xml b/mobile/test/kotlin/apps/baseline/AndroidManifest.xml index a760b59467071..00ed711cac105 100644 --- a/mobile/test/kotlin/apps/baseline/AndroidManifest.xml +++ b/mobile/test/kotlin/apps/baseline/AndroidManifest.xml @@ -6,7 +6,7 @@ Date: Tue, 19 Aug 2025 15:33:45 -0400 Subject: [PATCH 254/505] Roll forward "mobile: use AndroidNetworkMonitorV2" (#40796) Undo revert in envoyproxy/envoy#40744 to add back a config knob to use AndroidNetworkMonitorV2. --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- mobile/library/common/internal_engine.cc | 57 +++- mobile/library/common/internal_engine.h | 9 +- mobile/library/common/network/BUILD | 1 + .../common/network/connectivity_manager.cc | 175 ++++++++++- .../common/network/connectivity_manager.h | 70 ++++- mobile/library/common/system/BUILD | 1 + .../common/system/default_system_helper.cc | 6 + .../common/system/default_system_helper.h | 2 + .../system/default_system_helper_android.cc | 6 + .../system/default_system_helper_apple.cc | 6 + mobile/library/common/system/system_helper.h | 7 + .../envoymobile/engine/AndroidEngineImpl.java | 8 +- .../engine/AndroidNetworkMonitorV2.java | 16 + .../io/envoyproxy/envoymobile/engine/BUILD | 7 +- .../envoymobile/engine/JniLibrary.java | 12 + .../envoyproxy/envoymobile/engine/types/BUILD | 1 + .../engine/types/NetworkWithType.java | 16 + .../utilities/AndroidNetworkLibrary.java | 29 ++ .../io/envoyproxy/envoymobile/utilities/BUILD | 26 +- .../impl/NativeCronvoyEngineBuilderImpl.java | 8 +- mobile/library/jni/BUILD | 3 +- mobile/library/jni/android_network_utility.cc | 57 ++++ mobile/library/jni/android_network_utility.h | 5 + mobile/library/jni/jni_impl.cc | 31 ++ mobile/library/jni/jni_init.cc | 26 +- .../envoymobile/AndroidEngineBuilder.kt | 3 +- .../kotlin/io/envoyproxy/envoymobile/BUILD | 1 + .../integration/client_integration_test.cc | 37 +++ mobile/test/common/internal_engine_test.cc | 4 + mobile/test/common/mocks/common/mocks.h | 2 + mobile/test/common/network/BUILD | 1 + .../network/connectivity_manager_test.cc | 136 +++++++- .../utilities/AndroidNetworkTest.java | 114 +++++++ .../io/envoyproxy/envoymobile/utilities/BUILD | 26 ++ .../org/chromium/net/CronetHttp3Test.java | 290 +++++++++++++++++- .../test/java/org/chromium/net/testing/BUILD | 1 + 36 files changed, 1115 insertions(+), 85 deletions(-) create mode 100644 mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java create mode 100644 mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index 1a891b27834be..aac77e59e2719 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -220,6 +220,26 @@ envoy_status_t InternalEngine::main(std::shared_ptr options) { server_->serverFactoryContext(), server_->serverFactoryContext().messageValidationVisitor()); connectivity_manager_ = Network::ConnectivityManagerFactory{generic_context}.get(); + Network::DefaultNetworkChangeCallback cb = + [this](envoy_netconf_t current_configuration_key) { + dispatcher_->post([this, current_configuration_key]() { + if (connectivity_manager_->getConfigurationKey() != current_configuration_key) { + // The default network has changed to a different one. + return; + } + ENVOY_LOG_MISC( + trace, + "Default network state has been changed. Current net configuration key {}", + current_configuration_key); + resetHttpPropertiesAndDrainHosts(probeAndGetLocalAddr(AF_INET6) != nullptr); + if (!disable_dns_refresh_on_network_change_) { + // This call will possibly drain all connections asynchronously. + connectivity_manager_->doRefreshDns(current_configuration_key, + /*drain_connections=*/true); + } + }); + }; + connectivity_manager_->setDefaultNetworkChangeCallback(std::move(cb)); if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.dns_cache_set_ip_version_to_remove")) { if (probeAndGetLocalAddr(AF_INET6) == nullptr) { @@ -375,23 +395,21 @@ void InternalEngine::onDefaultNetworkChanged(int network) { }); } -void InternalEngine::onDefaultNetworkChangedAndroid(ConnectionType /*connection_type*/, - int64_t /*net_id*/) { - ENVOY_LOG_MISC(trace, "Calling the default network changed callback on Android"); +void InternalEngine::onDefaultNetworkChangedAndroid(ConnectionType connection_type, + int64_t net_id) { + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); } -void InternalEngine::onNetworkDisconnectAndroid(int64_t /*net_id*/) { - ENVOY_LOG_MISC(trace, "Calling network disconnect callback on Android"); +void InternalEngine::onNetworkDisconnectAndroid(int64_t net_id) { + connectivity_manager_->onNetworkDisconnectAndroid(net_id); } -void InternalEngine::onNetworkConnectAndroid(ConnectionType /*connection_type*/, - int64_t /*net_id*/) { - ENVOY_LOG_MISC(trace, "Calling network connect callback on Android"); +void InternalEngine::onNetworkConnectAndroid(ConnectionType connection_type, int64_t net_id) { + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); } -void InternalEngine::purgeActiveNetworkListAndroid( - const std::vector& /*active_network_ids*/) { - ENVOY_LOG_MISC(trace, "Calling network purge callback on Android"); +void InternalEngine::purgeActiveNetworkListAndroid(const std::vector& active_network_ids) { + connectivity_manager_->purgeActiveNetworkListAndroid(active_network_ids); } void InternalEngine::onDefaultNetworkUnavailable() { @@ -400,8 +418,17 @@ void InternalEngine::onDefaultNetworkUnavailable() { } void InternalEngine::handleNetworkChange(const int network_type, const bool has_ipv6_connectivity) { - envoy_netconf_t configuration = - Network::ConnectivityManagerImpl::setPreferredNetwork(network_type); + envoy_netconf_t configuration = connectivity_manager_->setPreferredNetwork(network_type); + + resetHttpPropertiesAndDrainHosts(has_ipv6_connectivity); + if (!disable_dns_refresh_on_network_change_) { + // Refresh DNS upon network changes. + // This call will possibly drain all connections asynchronously. + connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); + } +} + +void InternalEngine::resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity) { if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.dns_cache_set_ip_version_to_remove") || Runtime::runtimeFeatureEnabled( @@ -435,11 +462,7 @@ void InternalEngine::handleNetworkChange(const int network_type, const bool has_ ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); getClusterManager().drainConnections([](const Upstream::Host&) { return true; }); } - return; } - // Refresh DNS upon network changes. - // This call will possibly drain all connections asynchronously. - connectivity_manager_->refreshDns(configuration, /*drain_connections=*/true); } envoy_status_t InternalEngine::recordCounterInc(absl::string_view elements, envoy_stats_tags tags, diff --git a/mobile/library/common/internal_engine.h b/mobile/library/common/internal_engine.h index c6fc839813b24..e90c7a0f53359 100644 --- a/mobile/library/common/internal_engine.h +++ b/mobile/library/common/internal_engine.h @@ -157,8 +157,8 @@ class InternalEngine : public Logger::Loggable { void onNetworkConnectAndroid(ConnectionType connection_type, int64_t net_id); /** - * The callback that gets executed when the device decides that the given list of networks should - * be forgotten. + * The callback that gets executed when the device decides to forget all networks other than the + * given list. */ void purgeActiveNetworkListAndroid(const std::vector& active_network_ids); @@ -228,6 +228,9 @@ class InternalEngine : public Logger::Loggable { // there is no connectivity for the `domain`, a null pointer will be returned. static Network::Address::InstanceConstSharedPtr probeAndGetLocalAddr(int domain); + // Called when it's been determined that the default network has changed. + void resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity); + Thread::PosixThreadFactoryPtr thread_factory_; Event::Dispatcher* event_dispatcher_{}; Stats::ScopeSharedPtr client_scope_; @@ -241,7 +244,7 @@ class InternalEngine : public Logger::Loggable { Thread::MutexBasicLockable mutex_; Thread::CondVar cv_; Http::ClientPtr http_client_; - Network::ConnectivityManagerSharedPtr connectivity_manager_; + Network::ConnectivityManagerImplSharedPtr connectivity_manager_; Event::ProvisionalDispatcherPtr dispatcher_; // Used by the cerr logger to ensure logs don't overwrite each other. absl::Mutex log_mutex_; diff --git a/mobile/library/common/network/BUILD b/mobile/library/common/network/BUILD index 22b2ec7e213a8..82a5d6b384604 100644 --- a/mobile/library/common/network/BUILD +++ b/mobile/library/common/network/BUILD @@ -19,6 +19,7 @@ envoy_cc_library( ":proxy_settings_lib", "//library/common:engine_types_lib", "//library/common/network:src_addr_socket_option_lib", + "//library/common/system:system_helper_lib", "//library/common/types:c_types_lib", "@envoy//envoy/network:socket_interface", "@envoy//envoy/singleton:manager_interface", diff --git a/mobile/library/common/network/connectivity_manager.cc b/mobile/library/common/network/connectivity_manager.cc index 02091ac65b9cd..a2015a213c34a 100644 --- a/mobile/library/common/network/connectivity_manager.cc +++ b/mobile/library/common/network/connectivity_manager.cc @@ -2,6 +2,7 @@ #include +#include #include #include "envoy/common/platform.h" @@ -16,8 +17,8 @@ #include "fmt/ostream.h" #include "library/common/network/network_type_socket_option_impl.h" -#include "library/common/network/network_types.h" #include "library/common/network/src_addr_socket_option_impl.h" +#include "library/common/system/system_helper.h" // Used on Linux (requires root/CAP_NET_RAW) #ifdef SO_BINDTODEVICE @@ -77,14 +78,12 @@ constexpr absl::string_view BaseDnsCache = "base_dns_cache"; // The number of faults allowed on a newly-established connection before switching socket mode. constexpr unsigned int InitialFaultThreshold = 1; -// The number of faults allowed on a previously-successful connection (i.e. able to send and receive -// L7 bytes) before switching socket mode. -constexpr unsigned int MaxFaultThreshold = 3; -ConnectivityManagerImpl::DefaultNetworkState ConnectivityManagerImpl::network_state_{ - 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; - -Thread::MutexBasicLockable ConnectivityManagerImpl::network_mutex_{}; +ConnectivityManagerImpl::ConnectivityManagerImpl(Upstream::ClusterManager& cluster_manager, + DnsCacheManagerSharedPtr dns_cache_manager) + : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) { + initializeNetworkStates(); +} envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { Thread::LockGuard lock{network_mutex_}; @@ -97,14 +96,19 @@ envoy_netconf_t ConnectivityManagerImpl::setPreferredNetwork(int network) { // return network_state_.configuration_key_ - 1; //} - ENVOY_LOG_EVENT(debug, "netconf_network_change", "{}", std::to_string(static_cast(network))); + setPreferredNetworkNoLock(network); + return network_state_.configuration_key_; +} + +void ConnectivityManagerImpl::setPreferredNetworkNoLock(int network_type) + ABSL_EXCLUSIVE_LOCKS_REQUIRED(network_mutex_) { + ENVOY_LOG_EVENT(debug, "netconf_network_change", "network_type changed to {}", + std::to_string(static_cast(network_type))); network_state_.configuration_key_++; - network_state_.network_ = network; + network_state_.network_ = network_type; network_state_.remaining_faults_ = 1; network_state_.socket_mode_ = SocketMode::DefaultPreferredNetworkMode; - - return network_state_.configuration_key_; } void ConnectivityManagerImpl::setProxySettings(ProxySettingsConstSharedPtr new_proxy_settings) { @@ -275,7 +279,11 @@ void ConnectivityManagerImpl::refreshDns(envoy_netconf_t configuration_key, return; } } + doRefreshDns(configuration_key, drain_connections); +} +void ConnectivityManagerImpl::doRefreshDns(envoy_netconf_t configuration_key, + bool drain_connections) { if (auto dns_cache = dnsCache()) { ENVOY_LOG_EVENT(debug, "netconf_refresh_dns", "{}", std::to_string(configuration_key)); @@ -458,7 +466,148 @@ ConnectivityManagerImpl::enumerateInterfaces([[maybe_unused]] unsigned short fam return pairs; } -ConnectivityManagerSharedPtr ConnectivityManagerFactory::get() { +int connectionTypeToCompoundNetworkType(ConnectionType connection_type) { + int compound_type = 0; + switch (connection_type) { + case ConnectionType::CONNECTION_2G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_2G)); + break; + case ConnectionType::CONNECTION_3G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_3G)); + break; + case ConnectionType::CONNECTION_4G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_4G)); + break; + case ConnectionType::CONNECTION_5G: + compound_type |= (static_cast(NetworkType::WWAN) | static_cast(NetworkType::WWAN_5G)); + break; + case ConnectionType::CONNECTION_WIFI: + case ConnectionType::CONNECTION_ETHERNET: + compound_type |= static_cast(NetworkType::WLAN); + break; + case ConnectionType::CONNECTION_NONE: + break; + case ConnectionType::CONNECTION_BLUETOOTH: + case ConnectionType::CONNECTION_UNKNOWN: + compound_type = static_cast(NetworkType::Generic); + break; + } + return compound_type; +} + +void ConnectivityManagerImpl::onDefaultNetworkChangedAndroid(ConnectionType connection_type, + NetworkHandle net_id) { + bool already_connected{false}; + envoy_netconf_t current_configuration_key{0}; + { + Thread::LockGuard lock{network_mutex_}; + ENVOY_LOG_EVENT(debug, "android_default_network_changed", + "default network changed from {} to {}, new connection_type {}, ", + default_network_handle_, net_id, static_cast(connection_type)); + if (net_id == default_network_handle_) { + return; + } + current_configuration_key = network_state_.configuration_key_; + default_network_handle_ = net_id; + if (connected_networks_.find(net_id) != connected_networks_.end()) { + // Android Lollipop had race conditions where CONNECTIVITY_ACTION intents + // were sent out before the network was actually made the default. + // Delay switching to the new default until Android platform notifies that the network + // connected. + setPreferredNetworkNoLock(connectionTypeToCompoundNetworkType(connection_type)); + current_configuration_key = network_state_.configuration_key_; + already_connected = true; + } + } + if (already_connected) { + if (default_network_change_callback_ != nullptr) { + default_network_change_callback_(current_configuration_key); + } + if (observer_ != nullptr) { + observer_->onNetworkMadeDefault(net_id); + } + } +} + +void ConnectivityManagerImpl::onNetworkDisconnectAndroid(NetworkHandle net_id) { + { + Thread::LockGuard lock{network_mutex_}; + if (net_id == default_network_handle_) { + default_network_handle_ = kInvalidNetworkHandle; + } + if (connected_networks_.erase(net_id) == 0) { + return; + } + } + if (observer_ != nullptr) { + observer_->onNetworkDisconnected(net_id); + } +} + +void ConnectivityManagerImpl::onNetworkConnectAndroid(ConnectionType connection_type, + NetworkHandle net_id) { + bool is_default_network{false}; + envoy_netconf_t current_configuration_key{0}; + { + Thread::LockGuard lock{network_mutex_}; + if (connected_networks_.find(net_id) != connected_networks_.end()) { + return; + } + connected_networks_[net_id] = connection_type; + current_configuration_key = network_state_.configuration_key_; + if (net_id == default_network_handle_) { + // The reported default network finally gets connected. + is_default_network = true; + setPreferredNetworkNoLock(connectionTypeToCompoundNetworkType(connection_type)); + current_configuration_key = network_state_.configuration_key_; + } + } + // Android Lollipop would send many duplicate notifications. + // This was later fixed in Android Marshmallow. + // Deduplicate them here by avoiding sending duplicate notifications. + if (observer_ != nullptr) { + observer_->onNetworkConnected(net_id); + } + if (is_default_network) { + if (default_network_change_callback_ != nullptr) { + default_network_change_callback_(current_configuration_key); + } + if (observer_ != nullptr) { + observer_->onNetworkMadeDefault(net_id); + } + } +} + +void ConnectivityManagerImpl::purgeActiveNetworkListAndroid( + const std::vector& active_network_ids) { + std::vector disconnected_networks; + { + Thread::LockGuard lock{network_mutex_}; + for (auto& i : connected_networks_) { + if (std::find(active_network_ids.begin(), active_network_ids.end(), i.first) == + active_network_ids.end()) { + disconnected_networks.push_back(i.first); + } + } + } + for (auto disconnected_network : disconnected_networks) { + onNetworkDisconnectAndroid(disconnected_network); + } +} + +void ConnectivityManagerImpl::initializeNetworkStates() { + NetworkHandle default_net_id = SystemHelper::getInstance().getDefaultNetworkHandle(); + std::vector> all_connected_networks = + SystemHelper::getInstance().getAllConnectedNetworks(); + + Thread::LockGuard lock{network_mutex_}; + default_network_handle_ = default_net_id; + for (auto& entry : all_connected_networks) { + connected_networks_[entry.first] = entry.second; + } +} + +ConnectivityManagerImplSharedPtr ConnectivityManagerFactory::get() { return context_.serverFactoryContext().singletonManager().getTyped( SINGLETON_MANAGER_REGISTERED_NAME(connectivity_manager), [this] { Envoy::Extensions::Common::DynamicForwardProxy::DnsCacheManagerFactoryImpl diff --git a/mobile/library/common/network/connectivity_manager.h b/mobile/library/common/network/connectivity_manager.h index 43da8e0466990..aa3026168eff4 100644 --- a/mobile/library/common/network/connectivity_manager.h +++ b/mobile/library/common/network/connectivity_manager.h @@ -3,6 +3,7 @@ #include #include +#include "envoy/common/optref.h" #include "envoy/network/socket.h" #include "envoy/singleton/manager.h" #include "envoy/upstream/cluster_manager.h" @@ -11,6 +12,7 @@ #include "source/extensions/common/dynamic_forward_proxy/dns_cache_impl.h" #include "library/common/engine_types.h" +#include "library/common/network/network_types.h" #include "library/common/network/proxy_settings.h" #include "library/common/types/c_types.h" @@ -20,11 +22,11 @@ * remain valid/relevant at time of execution. * * Currently, there are two primary circumstances this is used: - * 1. When network type changes, a refreshDNS call will be scheduled on the event dispatcher, along - * with a configuration key of this type. If network type changes again before that refresh - * executes, the refresh is now stale, another refresh task will have been queued, and it should no - * longer execute. The configuration key allows the connectivity_manager to determine if the - * refreshDNS call is representative of current configuration. + * 1. When network type changes, some clean up will be scheduled on the event dispatcher, along + * with a configuration key of this type. If network type changes again before that scheduled clean + * up executes, another clean up will be scheduled, and the old one should no longer execute. The + * configuration key allows the connectivity_manager to determine if the clean up is representative + * of current configuration. * 2. When a request is configured with a certain set of socket options and begins, it is given a * configuration key. The heuristic in reportNetworkUsage relies on characteristics of the * request/response to make future decisions about socket options, but needs to be able to correctly @@ -39,6 +41,9 @@ */ typedef uint16_t envoy_netconf_t; +using NetworkHandle = int64_t; +constexpr NetworkHandle kInvalidNetworkHandle = -1; + namespace Envoy { namespace Network { @@ -59,6 +64,14 @@ enum class SocketMode : int { AlternateBoundInterfaceMode = 1, }; +namespace { + +// The number of faults allowed on a previously-successful connection (i.e. able to send and receive +// L7 bytes) before switching socket mode. +constexpr unsigned int MaxFaultThreshold = 3; + +} // namespace + using DnsCacheManagerSharedPtr = Extensions::Common::DynamicForwardProxy::DnsCacheManagerSharedPtr; using InterfacePair = std::pair; @@ -185,6 +198,8 @@ class ConnectivityManager { virtual Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() PURE; }; +using ConnectivityManagerSharedPtr = std::shared_ptr; + // Used when draining hosts upon DNS refreshing is desired. class RefreshDnsWithPostDrainHandler : public Extensions::Common::DynamicForwardProxy::DnsCache::UpdateCallbacks, @@ -217,6 +232,16 @@ class RefreshDnsWithPostDrainHandler dns_callbacks_handle_; }; +using DefaultNetworkChangeCallback = std::function; + +class NetworkChangeObserver { +public: + virtual ~NetworkChangeObserver() = default; + virtual void onNetworkMadeDefault(NetworkHandle network) PURE; + virtual void onNetworkDisconnected(NetworkHandle network) PURE; + virtual void onNetworkConnected(NetworkHandle network) PURE; +}; + class ConnectivityManagerImpl : public ConnectivityManager, public Singleton::Instance, public Logger::Loggable { @@ -227,11 +252,10 @@ class ConnectivityManagerImpl : public ConnectivityManager, * @param network, the OS-preferred network. * @returns configuration key to associate with any related calls. */ - static envoy_netconf_t setPreferredNetwork(int network); + envoy_netconf_t setPreferredNetwork(int network); ConnectivityManagerImpl(Upstream::ClusterManager& cluster_manager, - DnsCacheManagerSharedPtr dns_cache_manager) - : cluster_manager_(cluster_manager), dns_cache_manager_(dns_cache_manager) {} + DnsCacheManagerSharedPtr dns_cache_manager); // ConnectivityManager std::vector enumerateV4Interfaces() override; @@ -251,6 +275,19 @@ class ConnectivityManagerImpl : public ConnectivityManager, envoy_netconf_t addUpstreamSocketOptions(Socket::OptionsSharedPtr options) override; Extensions::Common::DynamicForwardProxy::DnsCacheSharedPtr dnsCache() override; + // These interfaces are only used to handle Android network change notifications. + void onDefaultNetworkChangedAndroid(ConnectionType connection_type, NetworkHandle net_id); + void onNetworkDisconnectAndroid(NetworkHandle net_id); + void onNetworkConnectAndroid(ConnectionType connection_type, NetworkHandle net_id); + void purgeActiveNetworkListAndroid(const std::vector& active_network_ids); + void setDefaultNetworkChangeCallback(DefaultNetworkChangeCallback cb) { + default_network_change_callback_ = cb; + } + void setNetworkChangeObserver(NetworkChangeObserver* observer) { observer_ = observer; } + + // Refresh DNS regardless of configuration key change. + void doRefreshDns(envoy_netconf_t configuration_key, bool drain_connections); + private: // The states of the current default network picked by the platform. struct DefaultNetworkState { @@ -264,6 +301,8 @@ class ConnectivityManagerImpl : public ConnectivityManager, Socket::OptionsSharedPtr getAlternateInterfaceSocketOptions(int network); InterfacePair getActiveAlternateInterface(int network, unsigned short family); Socket::OptionsSharedPtr getUpstreamSocketOptions(int network, SocketMode socket_mode); + void setPreferredNetworkNoLock(int network_type) ABSL_EXCLUSIVE_LOCKS_REQUIRED(network_mutex_); + void initializeNetworkStates(); bool enable_interface_binding_{false}; Upstream::ClusterManager& cluster_manager_; @@ -271,11 +310,18 @@ class ConnectivityManagerImpl : public ConnectivityManager, std::unique_ptr dns_refresh_handler_; DnsCacheManagerSharedPtr dns_cache_manager_; ProxySettingsConstSharedPtr proxy_settings_; - static DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_); - static Thread::MutexBasicLockable network_mutex_; + DefaultNetworkState network_state_ ABSL_GUARDED_BY(network_mutex_){ + 1, 0, MaxFaultThreshold, SocketMode::DefaultPreferredNetworkMode}; + Thread::MutexBasicLockable network_mutex_{}; + // Below states are only populated on Android platform. + NetworkHandle default_network_handle_ ABSL_GUARDED_BY(network_mutex_){kInvalidNetworkHandle}; + absl::flat_hash_map + connected_networks_ ABSL_GUARDED_BY(network_mutex_); + DefaultNetworkChangeCallback default_network_change_callback_; + NetworkChangeObserver* observer_{nullptr}; }; -using ConnectivityManagerSharedPtr = std::shared_ptr; +using ConnectivityManagerImplSharedPtr = std::shared_ptr; /** * Provides access to the singleton ConnectivityManager. @@ -288,7 +334,7 @@ class ConnectivityManagerFactory { /** * @returns singleton ConnectivityManager instance. */ - ConnectivityManagerSharedPtr get(); + ConnectivityManagerImplSharedPtr get(); private: Server::GenericFactoryContextImpl context_; diff --git a/mobile/library/common/system/BUILD b/mobile/library/common/system/BUILD index a8069f9eb773a..d97ca50096cde 100644 --- a/mobile/library/common/system/BUILD +++ b/mobile/library/common/system/BUILD @@ -29,6 +29,7 @@ envoy_cc_library( deps = [ ":default_system_helper_lib", "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", + "//library/common/network:network_types_lib", ] + select({ ":use_android_system_helper": [ "//library/jni:android_jni_utility_lib", diff --git a/mobile/library/common/system/default_system_helper.cc b/mobile/library/common/system/default_system_helper.cc index 15142762e204f..0db0ae1b01b15 100644 --- a/mobile/library/common/system/default_system_helper.cc +++ b/mobile/library/common/system/default_system_helper.cc @@ -16,4 +16,10 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& /* void DefaultSystemHelper::cleanupAfterCertificateValidation() {} +int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return -1; } + +std::vector> DefaultSystemHelper::getAllConnectedNetworks() { + return {}; +} + } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper.h b/mobile/library/common/system/default_system_helper.h index a9ef1d32e5199..56d80bd25753f 100644 --- a/mobile/library/common/system/default_system_helper.h +++ b/mobile/library/common/system/default_system_helper.h @@ -17,6 +17,8 @@ class DefaultSystemHelper : public SystemHelper { envoy_cert_validation_result validateCertificateChain(const std::vector& certs, absl::string_view hostname) override; void cleanupAfterCertificateValidation() override; + int64_t getDefaultNetworkHandle() override; + std::vector> getAllConnectedNetworks() override; }; } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper_android.cc b/mobile/library/common/system/default_system_helper_android.cc index 5d205f0945d7f..f678e1cecb7b0 100644 --- a/mobile/library/common/system/default_system_helper_android.cc +++ b/mobile/library/common/system/default_system_helper_android.cc @@ -16,4 +16,10 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& ce void DefaultSystemHelper::cleanupAfterCertificateValidation() { JNI::jvmDetachThread(); } +int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return JNI::getDefaultNetworkHandle(); } + +std::vector> DefaultSystemHelper::getAllConnectedNetworks() { + return JNI::getAllConnectedNetworks(); +} + } // namespace Envoy diff --git a/mobile/library/common/system/default_system_helper_apple.cc b/mobile/library/common/system/default_system_helper_apple.cc index 1facd039d2480..16caed9c22ec4 100644 --- a/mobile/library/common/system/default_system_helper_apple.cc +++ b/mobile/library/common/system/default_system_helper_apple.cc @@ -13,4 +13,10 @@ DefaultSystemHelper::validateCertificateChain(const std::vector& ce void DefaultSystemHelper::cleanupAfterCertificateValidation() {} +int64_t DefaultSystemHelper::getDefaultNetworkHandle() { return -1; } + +std::vector> DefaultSystemHelper::getAllConnectedNetworks() { + return {}; +} + } // namespace Envoy diff --git a/mobile/library/common/system/system_helper.h b/mobile/library/common/system/system_helper.h index d18c6537e49a4..9f9123c6a9011 100644 --- a/mobile/library/common/system/system_helper.h +++ b/mobile/library/common/system/system_helper.h @@ -7,6 +7,7 @@ #include "absl/strings/string_view.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" +#include "library/common/network/network_types.h" namespace Envoy { @@ -39,6 +40,12 @@ class SystemHelper { */ virtual void cleanupAfterCertificateValidation() PURE; + /** + * Invokes platform APIs to retrieve a handle to the current default network. + */ + virtual int64_t getDefaultNetworkHandle() PURE; + + virtual std::vector> getAllConnectedNetworks() PURE; /** * @return a reference to the current SystemHelper instance. */ diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java index 595311f3e72f1..01e905e01d5f0 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidEngineImpl.java @@ -25,14 +25,18 @@ public class AndroidEngineImpl implements EnvoyEngine { public AndroidEngineImpl(Context context, EnvoyOnEngineRunning runningCallback, EnvoyLogger logger, EnvoyEventTracker eventTracker, Boolean enableProxying, Boolean useNetworkChangeEvent, - Boolean disableDnsRefreshOnNetworkChange) { + Boolean disableDnsRefreshOnNetworkChange, Boolean useV2NetworkMonitor) { this.context = context; this.envoyEngine = new EnvoyEngineImpl(runningCallback, logger, eventTracker, disableDnsRefreshOnNetworkChange); if (ContextUtils.getApplicationContext() == null) { ContextUtils.initApplicationContext(context.getApplicationContext()); } - AndroidNetworkMonitor.load(context, envoyEngine, useNetworkChangeEvent); + if (useV2NetworkMonitor) { + AndroidNetworkMonitorV2.load(context, envoyEngine); + } else { + AndroidNetworkMonitor.load(context, envoyEngine, useNetworkChangeEvent); + } if (enableProxying) { AndroidProxyMonitor.load(context, envoyEngine); } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java index 63061605816ce..e5921844e3b66 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/AndroidNetworkMonitorV2.java @@ -1,6 +1,7 @@ package io.envoyproxy.envoymobile.engine; import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; +import io.envoyproxy.envoymobile.engine.types.NetworkWithType; import static android.net.ConnectivityManager.TYPE_VPN; import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET; @@ -853,4 +854,19 @@ public void unregisterNetworkCallbacks() { mApplicationContext.unregisterReceiver(mBroadcastReceiver); } } + + public NetworkWithType[] getAllNetworksAndTypes() { + Network[] filteredNetworks = getAllNetworksFiltered(null); + int size = filteredNetworks.length; + + // Directly create the array with the known size. + NetworkWithType[] networks = new NetworkWithType[size]; + + for (int i = 0; i < size; i++) { + Network network = filteredNetworks[i]; + final EnvoyConnectionType connectionType = getEnvoyConnectionType(network); + networks[i] = new NetworkWithType(network.getNetworkHandle(), connectionType); + } + return networks; + } } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD index 89b5f05dabbe3..abb0890c57e8e 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD @@ -9,8 +9,6 @@ android_library( name = "envoy_engine_lib", srcs = [ "AndroidEngineImpl.java", - "AndroidNetworkMonitor.java", - "AndroidNetworkMonitorV2.java", "AndroidProxyMonitor.java", "UpstreamHttpProtocol.java", ], @@ -21,14 +19,16 @@ android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "@maven//:androidx_annotation_annotation", - "@maven//:androidx_core_core", ], ) android_library( name = "envoy_base_engine_lib", srcs = [ + "AndroidNetworkMonitor.java", + "AndroidNetworkMonitorV2.java", "ByteBuffers.java", "EnvoyConfiguration.java", "EnvoyEngine.java", @@ -52,6 +52,7 @@ android_library( deps = [ "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "@maven//:androidx_annotation_annotation", + "@maven//:androidx_core_core", "@maven//:com_google_code_findbugs_jsr305", "@maven//:com_google_protobuf_protobuf_javalite", ], diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java index 62caa99458906..b45c7142b9c24 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java @@ -305,6 +305,18 @@ public static native Object callCertificateVerificationFromNative(byte[][] certC */ public static native void callClearTestRootCertificateFromNative(); + /** + * Mimic a call to AndroidNetworkLibrary#getDefaultNetworkHandle from native code. + * To be used for testing only. + */ + public static native long callGetDefaultNetworkHandleFromNative(); + + /** + * Mimic a call to AndroidNetworkLibrary#getAllConnectedNetworks from native code. + * To be used for testing only. + */ + public static native long[][] callGetAllConnectedNetworksFromNative(); + /** * Given a filter name, create the proto config for adding the native filter * diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD index a28043e1746ae..07e52827bb388 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/BUILD @@ -22,6 +22,7 @@ android_library( "EnvoyStatus.java", "EnvoyStreamIntel.java", "EnvoyStringAccessor.java", + "NetworkWithType.java", ], visibility = ["//visibility:public"], ) diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java new file mode 100644 index 0000000000000..235730ba508e8 --- /dev/null +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/NetworkWithType.java @@ -0,0 +1,16 @@ +package io.envoyproxy.envoymobile.engine.types; + +public class NetworkWithType { + // an opaque handle to a network interface. + private final long netId; + private final EnvoyConnectionType connectionType; + + public NetworkWithType(long netId, EnvoyConnectionType connectionType) { + this.netId = netId; + this.connectionType = connectionType; + } + + public long getNetId() { return netId; } + + public EnvoyConnectionType getConnectionType() { return connectionType; } +} diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java index 99ac5265f4284..2ee5c88c2ebce 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary.java @@ -23,6 +23,9 @@ import java.nio.charset.StandardCharsets; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; +import io.envoyproxy.envoymobile.engine.types.NetworkWithType; + /** * This class implements net utilities required by the net component. */ @@ -125,6 +128,32 @@ public static boolean isCleartextTrafficPermitted(String host) { } } + public static long getDefaultNetworkHandle() { + if (io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() == null) { + return -1; + } + return io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance().getDefaultNetId(); + } + + public static long[][] getAllConnectedNetworks() { + if (io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() == null) { + return new long[0][0]; + } + NetworkWithType[] networks = + io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2.getInstance() + .getAllNetworksAndTypes(); + if (networks == null || networks.length == 0) { + return new long[0][0]; + } + + long[][] result = new long[networks.length][2]; + for (int i = 0; i < networks.length; i++) { + result[i][0] = networks[i].getNetId(); + result[i][1] = networks[i].getConnectionType().getValue(); + } + return result; + } + /** * Class to wrap FileDescriptor.setInt$() which is hidden and so must be accessed via * reflection. diff --git a/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD index 2b51fccee9d1c..677efa1db7b0b 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/utilities/BUILD @@ -8,10 +8,34 @@ envoy_mobile_package() android_library( name = "utilities", - srcs = glob(["*.java"]), + srcs = [ + "ContextUtils.java", + "StatsUtils.java", + "StrictModeContext.java", + "ThreadStatsUid.java", + ], + manifest = "UtilitiesManifest.xml", + visibility = ["//visibility:public"], + deps = [ + artifact("androidx.annotation:annotation"), + ], +) + +android_library( + name = "network_utilities", + srcs = [ + "AndroidCertVerifyResult.java", + "AndroidNetworkLibrary.java", + "CertVerifyStatusAndroid.java", + "FakeX509Util.java", + "X509Util.java", + ], manifest = "UtilitiesManifest.xml", visibility = ["//visibility:public"], deps = [ + ":utilities", + "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", + "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", artifact("androidx.annotation:annotation"), ], ) diff --git a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java index e4b464e5917e4..ee15699fbbea5 100644 --- a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java +++ b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java @@ -69,6 +69,7 @@ public class NativeCronvoyEngineBuilderImpl extends CronvoyEngineBuilderImpl { private String mUpstreamTlsSni = ""; private int mH3ConnectionKeepaliveInitialIntervalMilliseconds = 0; private boolean mUseNetworkChangeEvent = false; + private boolean mUseV2NetworkMonitor = false; private final Map mRuntimeGuards = new HashMap<>(); @@ -136,6 +137,11 @@ public NativeCronvoyEngineBuilderImpl setUseNetworkChangeEvent(boolean use) { return this; } + public NativeCronvoyEngineBuilderImpl setUseV2NetworkMonitor(boolean useV2NetworkMonitor) { + mUseV2NetworkMonitor = useV2NetworkMonitor; + return this; + } + /** * Set the DNS minimum refresh time, in seconds, which ensures that we wait to refresh a DNS * entry for at least the minimum refresh time. For example, if the DNS record TTL is 60 seconds @@ -267,7 +273,7 @@ EnvoyEngine createEngine(EnvoyOnEngineRunning onEngineRunning, EnvoyLogger envoy String logLevel) { AndroidEngineImpl engine = new AndroidEngineImpl( getContext(), onEngineRunning, envoyLogger, mEnvoyEventTracker, mEnableProxying, - mUseNetworkChangeEvent, mDisableDnsRefreshOnNetworkChange); + mUseNetworkChangeEvent, mDisableDnsRefreshOnNetworkChange, mUseV2NetworkMonitor); engine.runWithConfig(createEnvoyConfiguration(), logLevel); return engine; } diff --git a/mobile/library/jni/BUILD b/mobile/library/jni/BUILD index 0c0107c303003..5a7dc8865f609 100644 --- a/mobile/library/jni/BUILD +++ b/mobile/library/jni/BUILD @@ -90,7 +90,7 @@ envoy_cc_library( alwayslink = True, ) -# Cert verification related functions which call into AndroidNetworkLibrary. +# Cert verification related functions which call into AndroidNetworkLibrary. And network retrieval functions which call into AndroidNetworkMonitorV2. envoy_cc_library( name = "android_network_utility_lib", srcs = [ @@ -105,6 +105,7 @@ envoy_cc_library( ":jni_utility_lib", "//library/common/bridge:utility_lib", "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", + "//library/common/network:network_types_lib", "//library/common/types:c_types_lib", "@envoy//bazel:boringssl", ], diff --git a/mobile/library/jni/android_network_utility.cc b/mobile/library/jni/android_network_utility.cc index 3f7492a9c6e7c..35c81666e3941 100644 --- a/mobile/library/jni/android_network_utility.cc +++ b/mobile/library/jni/android_network_utility.cc @@ -166,6 +166,63 @@ envoy_cert_validation_result verifyX509CertChain(const std::vector& } } +int64_t getDefaultNetworkHandle() { + JniHelper jni_helper(JniHelper::getThreadLocalEnv()); + jclass jcls_AndroidNetworkLibrary = + jni_helper.findClassFromCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary"); + jmethodID jmid_getDefaultNetworkHandle = jni_helper.getStaticMethodIdFromCache( + jcls_AndroidNetworkLibrary, "getDefaultNetworkHandle", "()J"); + jlong defaultNetwork = + jni_helper.callStaticLongMethod(jcls_AndroidNetworkLibrary, jmid_getDefaultNetworkHandle); + return static_cast(defaultNetwork); +} + +std::vector> getAllConnectedNetworks() { + std::vector> connected_networks; + Envoy::JNI::JniHelper jni_helper(Envoy::JNI::JniHelper::getThreadLocalEnv()); + + // Use a unique_ptr to automatically release the class reference. + jclass jcls_android_network_library = + jni_helper.findClassFromCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary"); + if (jcls_android_network_library == nullptr) { + return connected_networks; + } + + jmethodID jmid_get_all_connected_networks = jni_helper.getStaticMethodIdFromCache( + jcls_android_network_library, "getAllConnectedNetworks", "()[[J"); + if (jmid_get_all_connected_networks == nullptr) { + return connected_networks; + } + + // Call the static Java method to get the long[][] array. + Envoy::JNI::LocalRefUniquePtr java_network_array = + jni_helper.callStaticObjectMethod(jcls_android_network_library, + jmid_get_all_connected_networks); + if (java_network_array == nullptr) { + return connected_networks; + } + + jsize num_networks = jni_helper.getArrayLength(java_network_array.get()); + + for (jsize i = 0; i < num_networks; ++i) { + // Each entry is a jlongArray (long[2]). + Envoy::JNI::LocalRefUniquePtr network_info_array = + jni_helper.getObjectArrayElement(java_network_array.get(), i); + if (network_info_array == nullptr) { + continue; + } + + std::vector network_info; + Envoy::JNI::javaLongArrayToInt64Vector(jni_helper, network_info_array.get(), &network_info); + + if (network_info.size() == 2) { + connected_networks.emplace_back(network_info[0], + static_cast(network_info[1])); + } + } + return connected_networks; +} + void jvmDetachThread() { JniHelper::detachCurrentThread(); } } // namespace JNI diff --git a/mobile/library/jni/android_network_utility.h b/mobile/library/jni/android_network_utility.h index b86ff77081fe7..48dabb3694c8e 100644 --- a/mobile/library/jni/android_network_utility.h +++ b/mobile/library/jni/android_network_utility.h @@ -5,6 +5,7 @@ #include "absl/strings/string_view.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" +#include "library/common/network/network_types.h" #include "library/jni/jni_helper.h" namespace Envoy { @@ -21,6 +22,10 @@ LocalRefUniquePtr callJvmVerifyX509CertChain(JniHelper& jni_helper, envoy_cert_validation_result verifyX509CertChain(const std::vector& certs, absl::string_view hostname); +int64_t getDefaultNetworkHandle(); + +std::vector> getAllConnectedNetworks(); + void jvmDetachThread(); } // namespace JNI diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc index 206aade981d63..2b324a4081513 100644 --- a/mobile/library/jni/jni_impl.cc +++ b/mobile/library/jni/jni_impl.cc @@ -1397,3 +1397,34 @@ Java_io_envoyproxy_envoymobile_engine_JniLibrary_callClearTestRootCertificateFro jni_helper.callStaticVoidMethod(java_android_network_library_class, java_clear_test_root_certificates_method_id); } + +extern "C" JNIEXPORT jlong JNICALL +Java_io_envoyproxy_envoymobile_engine_JniLibrary_callGetDefaultNetworkHandleFromNative(JNIEnv*, + jclass) { + return Envoy::JNI::getDefaultNetworkHandle(); +} + +extern "C" JNIEXPORT jobjectArray JNICALL +Java_io_envoyproxy_envoymobile_engine_JniLibrary_callGetAllConnectedNetworksFromNative(JNIEnv* env, + jclass) { + Envoy::JNI::JniHelper jni_helper(env); + std::vector> networks = + Envoy::JNI::getAllConnectedNetworks(); + + jclass long_array_class = env->FindClass("[J"); + jobjectArray result = env->NewObjectArray(networks.size(), long_array_class, nullptr); + + for (size_t i = 0; i < networks.size(); ++i) { + jlongArray network_info_array = env->NewLongArray(2); + if (network_info_array == nullptr) { + return nullptr; + } + jlong network_info[2]; + network_info[0] = networks[i].first; + network_info[1] = static_cast(networks[i].second); + env->SetLongArrayRegion(network_info_array, 0, 2, network_info); + env->SetObjectArrayElement(result, i, network_info_array); + env->DeleteLocalRef(network_info_array); + } + return result; +} diff --git a/mobile/library/jni/jni_init.cc b/mobile/library/jni/jni_init.cc index 024000e9bc850..2e8e834873503 100644 --- a/mobile/library/jni/jni_init.cc +++ b/mobile/library/jni/jni_init.cc @@ -9,20 +9,18 @@ namespace JNI { void initialize(JavaVM* jvm) { JniHelper::initialize(jvm); JniUtility::initCache(); - JniHelper::addToCache( - "io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary", - /* methods= */ {}, - /* static_methods= */ - { - {"isCleartextTrafficPermitted", "(Ljava/lang/String;)Z"}, - {"tagSocket", "(III)V"}, - {"verifyServerCertificates", - "([[B[B[B)Lio/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult;"}, - {"addTestRootCertificate", "([B)V"}, - {"clearTestRootCertificates", "()V"}, - - }, - /* fields= */ {}, /* static_fields= */ {}); + JniHelper::addToCache("io/envoyproxy/envoymobile/utilities/AndroidNetworkLibrary", + /* methods= */ {}, + /* static_methods= */ + {{"isCleartextTrafficPermitted", "(Ljava/lang/String;)Z"}, + {"tagSocket", "(III)V"}, + {"verifyServerCertificates", + "([[B[B[B)Lio/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult;"}, + {"addTestRootCertificate", "([B)V"}, + {"clearTestRootCertificates", "()V"}, + {"getDefaultNetworkHandle", "()J"}, + {"getAllConnectedNetworks", "()[[J"}}, + /* fields= */ {}, /* static_fields= */ {}); JniHelper::addToCache("io/envoyproxy/envoymobile/utilities/AndroidCertVerifyResult", /* methods= */ { diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt b/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt index a56b2de2601b5..b3fcb45d46129 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/AndroidEngineBuilder.kt @@ -14,7 +14,8 @@ class AndroidEngineBuilder(context: Context) : EngineBuilder() { eventTracker, enableProxying, /*useNetworkChangeEvent*/ false, - /*disableDnsRefreshOnNetworkChange*/ false + /*disableDnsRefreshOnNetworkChange*/ false, + /*useV2NetworkMonitor*/ false ) } } diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD b/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD index fb10726671765..909190cebf272 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/BUILD @@ -39,6 +39,7 @@ kt_android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", ], ) diff --git a/mobile/test/common/integration/client_integration_test.cc b/mobile/test/common/integration/client_integration_test.cc index 26abde47daad1..a57df133f2f03 100644 --- a/mobile/test/common/integration/client_integration_test.cc +++ b/mobile/test/common/integration/client_integration_test.cc @@ -103,6 +103,14 @@ class ClientIntegrationTest builder_.enableDnsCache(true, /* save_interval_seconds */ 1); } + // Initialize the connectivity manager with a WIFI default network and another network with + // unknown type. + std::vector> connected_networks{ + {1, ConnectionType::CONNECTION_WIFI}, {2, ConnectionType::CONNECTION_UNKNOWN}}; + EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()).WillOnce(Return(1)); + EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()) + .WillOnce(Return(connected_networks)); + BaseClientIntegrationTest::initialize(); if (getCodecType() == Http::CodecType::HTTP3) { @@ -362,6 +370,35 @@ TEST_P(ClientIntegrationTest, HandleNetworkChangeEvents) { EXPECT_EQ(4, current_change_event); } +TEST_P(ClientIntegrationTest, HandleNetworkChangeEventsAndroid) { + absl::Notification found_force_dns_refresh; + std::atomic handled_network_change{false}; + auto logger = std::make_unique(); + logger->on_log_ = [&](Logger::Logger::Levels, const std::string& msg) { + if (msg.find("Default network state has been changed. Current net configuration key") != + std::string::npos) { + handled_network_change = true; + } + if (msg.find("beginning DNS cache force refresh") != std::string::npos) { + found_force_dns_refresh.Notify(); + } + }; + builder_.setLogger(std::move(logger)); + builder_.setDisableDnsRefreshOnNetworkChange(false); + + initialize(); + + // A new WIFI network appears and becomes the default network. Even though + // the test is initialized with a WIFI network, this should still have triggred + // a network change event as it has a different network handle. + internalEngine()->onNetworkConnectAndroid(ConnectionType::CONNECTION_WIFI, 123); + internalEngine()->onDefaultNetworkChangedAndroid(ConnectionType::CONNECTION_WIFI, 123); + // The HTTP status reset and DNS refresh should have been posted to the network thread and to be + // handled there. + found_force_dns_refresh.WaitForNotification(); + EXPECT_TRUE(handled_network_change); +} + TEST_P(ClientIntegrationTest, LargeResponse) { initialize(); std::string data(1024 * 32, 'a'); diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index f62f3639fd6a0..812fcdec15a2f 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc @@ -102,6 +102,10 @@ class InternalEngineTest : public testing::Test { helper_handle_ = test::SystemHelperPeer::replaceSystemHelper(); EXPECT_CALL(helper_handle_->mock_helper(), isCleartextPermitted(_)) .WillRepeatedly(Return(true)); + EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()) + .Times(testing::AtMost(1)) + .WillOnce(Return(-1)); + EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()).Times(testing::AtMost(1)); } envoy_status_t runEngine(const std::unique_ptr& engine, diff --git a/mobile/test/common/mocks/common/mocks.h b/mobile/test/common/mocks/common/mocks.h index f6825405b9c7e..383adda3aed38 100644 --- a/mobile/test/common/mocks/common/mocks.h +++ b/mobile/test/common/mocks/common/mocks.h @@ -16,6 +16,8 @@ class MockSystemHelper : public SystemHelper { MOCK_METHOD(envoy_cert_validation_result, validateCertificateChain, (const std::vector& certs, absl::string_view hostname)); MOCK_METHOD(void, cleanupAfterCertificateValidation, ()); + MOCK_METHOD(int64_t, getDefaultNetworkHandle, ()); + MOCK_METHOD((std::vector>), getAllConnectedNetworks, ()); }; // SystemHelperPeer allows the replacement of the SystemHelper singleton diff --git a/mobile/test/common/network/BUILD b/mobile/test/common/network/BUILD index b26d4b163bf15..a40973ef1bed6 100644 --- a/mobile/test/common/network/BUILD +++ b/mobile/test/common/network/BUILD @@ -10,6 +10,7 @@ envoy_cc_test( repository = "@envoy", deps = [ "//library/common/network:connectivity_manager_lib", + "//test/common/mocks/common:common_mocks", "@envoy//test/extensions/common/dynamic_forward_proxy:mocks", "@envoy//test/mocks/upstream:cluster_manager_mocks", ], diff --git a/mobile/test/common/network/connectivity_manager_test.cc b/mobile/test/common/network/connectivity_manager_test.cc index 6ef1c37fb7c67..42ee049c219a0 100644 --- a/mobile/test/common/network/connectivity_manager_test.cc +++ b/mobile/test/common/network/connectivity_manager_test.cc @@ -1,5 +1,6 @@ #include +#include "test/common/mocks/common/mocks.h" #include "test/extensions/common/dynamic_forward_proxy/mocks.h" #include "test/mocks/upstream/cluster_manager.h" @@ -13,29 +14,55 @@ using testing::Return; namespace Envoy { namespace Network { +class MockNetworkChangeObserver : public NetworkChangeObserver { +public: + MOCK_METHOD(void, onNetworkMadeDefault, (NetworkHandle network), (override)); + MOCK_METHOD(void, onNetworkDisconnected, (NetworkHandle network), (override)); + MOCK_METHOD(void, onNetworkConnected, (NetworkHandle network), (override)); +}; + class ConnectivityManagerTest : public testing::Test { public: ConnectivityManagerTest() : dns_cache_manager_( new NiceMock()), dns_cache_(dns_cache_manager_->dns_cache_), - connectivity_manager_(std::make_shared(cm_, dns_cache_manager_)) { + helper_handle_(test::SystemHelperPeer::replaceSystemHelper()) { + + EXPECT_CALL(helper_handle_->mock_helper(), getDefaultNetworkHandle()).WillOnce(Return(1)); + std::vector> connected_networks{ + {1, ConnectionType::CONNECTION_WIFI}, {2, ConnectionType::CONNECTION_UNKNOWN}}; + EXPECT_CALL(helper_handle_->mock_helper(), getAllConnectedNetworks()) + .WillOnce(Return(connected_networks)); + connectivity_manager_ = std::make_shared(cm_, dns_cache_manager_); ON_CALL(*dns_cache_manager_, lookUpCacheByName(_)).WillByDefault(Return(dns_cache_)); // Toggle network to reset network state. - ConnectivityManagerImpl::setPreferredNetwork(1); - ConnectivityManagerImpl::setPreferredNetwork(2); + connectivity_manager_->setPreferredNetwork(1); + connectivity_manager_->setPreferredNetwork(2); + + // Set up the default network change callback. + auto callback = [&](envoy_netconf_t key) { + EXPECT_EQ(key, connectivity_manager_->getConfigurationKey()); + num_default_network_change_++; + }; + connectivity_manager_->setDefaultNetworkChangeCallback(std::move(callback)); + connectivity_manager_->setNetworkChangeObserver(&observer_); } std::shared_ptr> dns_cache_manager_; std::shared_ptr dns_cache_; NiceMock cm_{}; - std::shared_ptr connectivity_manager_; + std::unique_ptr helper_handle_; + ConnectivityManagerImplSharedPtr connectivity_manager_; + testing::StrictMock observer_; + // Track callback invocation count. + int num_default_network_change_{0}; }; TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigurationKey) { envoy_netconf_t original_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t new_key = ConnectivityManagerImpl::setPreferredNetwork(4); + envoy_netconf_t new_key = connectivity_manager_->setPreferredNetwork(4); EXPECT_NE(original_key, new_key); EXPECT_EQ(new_key, connectivity_manager_->getConfigurationKey()); } @@ -43,7 +70,7 @@ TEST_F(ConnectivityManagerTest, SetPreferredNetworkWithNewNetworkChangesConfigur TEST_F(ConnectivityManagerTest, DISABLED_SetPreferredNetworkWithUnchangedNetworkReturnsStaleConfigurationKey) { envoy_netconf_t original_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t stale_key = ConnectivityManagerImpl::setPreferredNetwork(2); + envoy_netconf_t stale_key = connectivity_manager_->setPreferredNetwork(2); EXPECT_NE(original_key, stale_key); EXPECT_EQ(original_key, connectivity_manager_->getConfigurationKey()); } @@ -172,7 +199,7 @@ TEST_F(ConnectivityManagerTest, ReportNetworkUsageDisablesOverrideAfterThirdFaul TEST_F(ConnectivityManagerTest, ReportNetworkUsageDisregardsCallsWithStaleConfigurationKey) { envoy_netconf_t stale_key = connectivity_manager_->getConfigurationKey(); - envoy_netconf_t current_key = ConnectivityManagerImpl::setPreferredNetwork(4); + envoy_netconf_t current_key = connectivity_manager_->setPreferredNetwork(4); EXPECT_NE(stale_key, current_key); connectivity_manager_->setInterfaceBindingEnabled(true); @@ -253,7 +280,7 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash for (const auto& option : *options1) { option->hashKey(hash1); } - ConnectivityManagerImpl::setPreferredNetwork(64); + connectivity_manager_->setPreferredNetwork(64); auto options2 = std::make_shared(); connectivity_manager_->addUpstreamSocketOptions(options2); std::vector hash2; @@ -263,5 +290,98 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash EXPECT_NE(hash1, hash2); } +// Verifies that when the platform notifies about the same default network +// again, the signal will be ignored. +TEST_F(ConnectivityManagerTest, DuplicatedSignalOfAndroidNetworkBecomesDefault) { + EXPECT_CALL(observer_, onNetworkMadeDefault(_)).Times(0); + connectivity_manager_->onDefaultNetworkChangedAndroid(ConnectionType::CONNECTION_WIFI, 1); + // The callback should not have been called. + EXPECT_EQ(num_default_network_change_, 0); +} + +// Verifies that when a network is connected and then becomes the default +// default_network_change_callback_ called at the end rather than in the middle. +TEST_F(ConnectivityManagerTest, AndroidNetworkConnectedAndThenBecomesDefault) { + const NetworkHandle net_id = 123; + const auto connection_type = ConnectionType::CONNECTION_WIFI; + + // Simulate a network is connected. + EXPECT_CALL(observer_, onNetworkConnected(net_id)); + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); + // The callback should not have been called yet. + EXPECT_EQ(num_default_network_change_, 0); + + // Simulate the connected network now becomes the default. + EXPECT_CALL(observer_, onNetworkMadeDefault(net_id)); + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); + + // Verify the callback was invoked exactly once. + EXPECT_EQ(num_default_network_change_, 1); +} + +// Verifies that when a network becomes the default without becoming connected, +// default_network_change_callback_ is not called. And it should be called once the network is +// connected. +TEST_F(ConnectivityManagerTest, AndroidNetworkBecomesDefaultAndThenConnected) { + const NetworkHandle net_id = 123; + const auto connection_type = ConnectionType::CONNECTION_4G; + const envoy_netconf_t initial_config_key = connectivity_manager_->getConfigurationKey(); + + // Simulate that the network becomes the default. At this point, it is not yet "connected". + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); + + // The callback should not have been called, and the preferred network should not have changed + // yet. + EXPECT_EQ(num_default_network_change_, 0); + EXPECT_EQ(initial_config_key, connectivity_manager_->getConfigurationKey()); + + // Now, simulate the network becoming connected. + // This should trigger the deferred default network callback and update the internal state. + EXPECT_CALL(observer_, onNetworkConnected(net_id)); + EXPECT_CALL(observer_, onNetworkMadeDefault(net_id)); + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); + + // Verify the callback was invoked. + EXPECT_EQ(num_default_network_change_, 1); + EXPECT_NE(initial_config_key, connectivity_manager_->getConfigurationKey()); +} + +// Verifies that the observer is notified about a network becoming connected and +// disconnected. +TEST_F(ConnectivityManagerTest, AndroidNetworkConnectedAndThenDisconnected) { + const NetworkHandle net_id = 123; + const auto connection_type = ConnectionType::CONNECTION_WIFI; + + EXPECT_CALL(observer_, onNetworkConnected(net_id)); + // Simulate a network is connected. + connectivity_manager_->onNetworkConnectAndroid(connection_type, net_id); + EXPECT_EQ(num_default_network_change_, 0); + + EXPECT_CALL(observer_, onNetworkDisconnected(net_id)); + connectivity_manager_->onNetworkDisconnectAndroid(net_id); + + // Disconnected network should not be used as the default. + connectivity_manager_->onDefaultNetworkChangedAndroid(connection_type, net_id); + EXPECT_EQ(num_default_network_change_, 0); +} + +// Verifies that the observer is notified about networks becoming disconnected when they are purged. +// But if the network is exempted from purging, observer shouldn't be notified about it being +// disconnected. +TEST_F(ConnectivityManagerTest, AndroidPurgeNetworks) { + + EXPECT_CALL(observer_, onNetworkConnected(_)).Times(3); + connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_WIFI, 123); + connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_4G, 456); + connectivity_manager_->onNetworkConnectAndroid(ConnectionType::CONNECTION_5G, 789); + + // Purge all networks other than the 5G network. + EXPECT_CALL(observer_, onNetworkDisconnected(1)); + EXPECT_CALL(observer_, onNetworkDisconnected(2)); + EXPECT_CALL(observer_, onNetworkDisconnected(123)); + EXPECT_CALL(observer_, onNetworkDisconnected(456)); + connectivity_manager_->purgeActiveNetworkListAndroid({789}); +} + } // namespace Network } // namespace Envoy diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java b/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java new file mode 100644 index 0000000000000..0140329f96ab4 --- /dev/null +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/AndroidNetworkTest.java @@ -0,0 +1,114 @@ +package io.envoyproxy.envoymobile.utilities; + +import static org.junit.Assert.*; +import static org.mockito.Mockito.mock; +import static org.robolectric.Shadows.shadowOf; + +import io.envoyproxy.envoymobile.engine.JniLibrary; +import io.envoyproxy.envoymobile.engine.EnvoyEngine; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; +import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; + +import java.nio.charset.StandardCharsets; + +import android.content.Context; +import android.Manifest; +import android.net.ConnectivityManager; +import android.net.NetworkCapabilities; +import android.net.Network; +import android.net.NetworkInfo; + +import androidx.test.platform.app.InstrumentationRegistry; +import androidx.test.rule.GrantPermissionRule; + +import org.junit.After; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; + +import org.robolectric.RobolectricTestRunner; +import org.robolectric.shadows.ShadowNetworkInfo; +import org.robolectric.shadows.ShadowNetworkCapabilities; + +@RunWith(RobolectricTestRunner.class) +public final class AndroidNetworkTest { + @Rule + public GrantPermissionRule mRuntimePermissionRule = + GrantPermissionRule.grant(Manifest.permission.ACCESS_NETWORK_STATE); + + private AndroidNetworkMonitorV2 mAndroidNetworkMonitor; + private ConnectivityManager mConnectivityManager; + private final EnvoyEngine mMockEnvoyEngine = mock(EnvoyEngine.class); + + @BeforeClass + public static void beforeClass() { + JniLibrary.loadTestLibrary(); + } + + @Before + public void setUp() throws Exception { + Context context = InstrumentationRegistry.getInstrumentation().getTargetContext(); + if (ContextUtils.getApplicationContext() == null) { + ContextUtils.initApplicationContext(context.getApplicationContext()); + } + AndroidNetworkMonitorV2.load(context, mMockEnvoyEngine); + mAndroidNetworkMonitor = AndroidNetworkMonitorV2.getInstance(); + mConnectivityManager = mAndroidNetworkMonitor.getConnectivityManager(); + } + + @After + public void tearDown() throws Exception { + AndroidNetworkMonitorV2.shutdown(); + } + + @Test + public void testGetDefaultNetworkHandle() { + Network activeNetwork = mConnectivityManager.getActiveNetwork(); + long networkHandle = JniLibrary.callGetDefaultNetworkHandleFromNative(); + assertEquals(activeNetwork.getNetworkHandle(), networkHandle); + + NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_WIFI, 0, + true, NetworkInfo.State.CONNECTED); + shadowOf(mConnectivityManager).setActiveNetworkInfo(wifiNetworkInfo); + Network wifiNetwork = mConnectivityManager.getActiveNetwork(); + long wifiNetworkHandle = JniLibrary.callGetDefaultNetworkHandleFromNative(); + assertEquals(wifiNetwork.getNetworkHandle(), wifiNetworkHandle); + } + + @Test + public void testGetAllConnectedNetworks() { + // Make all networks connected to the internet. + Network[] networks = mConnectivityManager.getAllNetworks(); + for (Network network : networks) { + NetworkCapabilities capabilities = mConnectivityManager.getNetworkCapabilities(network); + shadowOf(capabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + NetworkInfo netInfo = mConnectivityManager.getNetworkInfo(network); + shadowOf(netInfo).setConnectionStatus(NetworkInfo.State.CONNECTED); + } + long[][] networkArray = JniLibrary.callGetAllConnectedNetworksFromNative(); + assertEquals(networks.length, networkArray.length); + // The ShadowConnectivityManager should have 2 networks cached, one default WIFI network and + // another cellular one. + Network cellNetwork = null; + for (int i = 0; i < networks.length; ++i) { + assertEquals(networks[i].getNetworkHandle(), networkArray[i][0]); + NetworkCapabilities capabilities = mConnectivityManager.getNetworkCapabilities(networks[i]); + if (capabilities.hasTransport(NetworkCapabilities.TRANSPORT_WIFI)) { + assertEquals(EnvoyConnectionType.CONNECTION_WIFI.getValue(), networkArray[i][1]); + } else { + cellNetwork = networks[i]; + assertTrue(capabilities.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)); + assertEquals(EnvoyConnectionType.CONNECTION_2G.getValue(), networkArray[i][1]); + } + } + + assertNotNull(cellNetwork); + shadowOf(mConnectivityManager).removeNetwork(cellNetwork); + networkArray = JniLibrary.callGetAllConnectedNetworksFromNative(); + assertEquals(1, networkArray.length); + assertEquals(EnvoyConnectionType.CONNECTION_WIFI.getValue(), networkArray[0][1]); + } +} diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD b/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD index c783227d57923..70cc84213d165 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/BUILD @@ -24,6 +24,32 @@ envoy_mobile_android_test( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "//library/java/org/chromium/net", ], ) + +envoy_mobile_android_test( + name = "android_network_test", + srcs = [ + "AndroidNetworkTest.java", + ], + native_deps = [ + "//test/jni:libenvoy_jni_with_test_extensions.so", + ] + select({ + "@platforms//os:macos": [ + "//test/jni:libenvoy_jni_with_test_extensions_jnilib", + ], + "//conditions:default": [], + }), + native_lib_name = "envoy_jni_with_test_extensions", + test_class = "io.envoyproxy.envoymobile.utilities.AndroidNetworkTest", + deps = [ + "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", + "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", + "//library/java/io/envoyproxy/envoymobile/engine/types:envoy_c_types_lib", + "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", + "@maven//:org_robolectric_annotations", + ], +) diff --git a/mobile/test/java/org/chromium/net/CronetHttp3Test.java b/mobile/test/java/org/chromium/net/CronetHttp3Test.java index 0397260e3d58d..acf5e7006f66f 100644 --- a/mobile/test/java/org/chromium/net/CronetHttp3Test.java +++ b/mobile/test/java/org/chromium/net/CronetHttp3Test.java @@ -1,33 +1,47 @@ package org.chromium.net; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.assertFalse; - +import static org.junit.Assert.*; +import static org.robolectric.Shadows.shadowOf; +import static com.google.common.truth.Truth.assertThat; + +import android.net.ConnectivityManager; +import android.net.LinkProperties; +import android.net.NetworkCapabilities; +import android.net.Network; +import android.net.NetworkInfo; import android.Manifest; +import io.envoyproxy.envoymobile.engine.testing.HttpTestServerFactory; import io.envoyproxy.envoymobile.engine.types.EnvoyNetworkType; -import org.chromium.net.impl.CronvoyUrlRequestContext; +import io.envoyproxy.envoymobile.engine.types.EnvoyConnectionType; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitor; +import io.envoyproxy.envoymobile.engine.AndroidNetworkMonitorV2; import io.envoyproxy.envoymobile.engine.EnvoyEngine; +import io.envoyproxy.envoymobile.engine.JniLibrary; +import org.chromium.net.impl.CronvoyUrlRequestContext; import org.chromium.net.impl.CronvoyLogger; +import org.chromium.net.impl.NativeCronvoyEngineBuilderImpl; import androidx.test.core.app.ApplicationProvider; -import org.chromium.net.testing.TestUploadDataProvider; import androidx.test.filters.SmallTest; import androidx.test.rule.GrantPermissionRule; -import org.chromium.net.impl.NativeCronvoyEngineBuilderImpl; import org.chromium.net.testing.CronetTestRule; import org.chromium.net.testing.Feature; +import org.chromium.net.testing.TestUploadDataProvider; import org.chromium.net.testing.TestUrlRequestCallback; -import io.envoyproxy.envoymobile.engine.JniLibrary; import org.junit.After; import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; import org.robolectric.RobolectricTestRunner; -import io.envoyproxy.envoymobile.engine.testing.HttpTestServerFactory; + +import org.robolectric.RobolectricTestRunner; +import org.robolectric.shadows.ShadowNetwork; +import org.robolectric.shadows.ShadowNetworkInfo; +import org.robolectric.shadows.ShadowNetworkCapabilities; + import java.util.HashMap; import java.util.Map; import java.util.Collections; @@ -63,6 +77,8 @@ public class CronetHttp3Test { private boolean drainOnNetworkChange = false; private boolean resetBrokennessOnNetworkChange = false; private boolean disableDnsRefreshOnNetworkChange = false; + private boolean useAndroidNetworkMonitorV2 = false; + private ConnectivityManager connectivityManager; @BeforeClass public static void loadJniLibrary() { @@ -108,11 +124,29 @@ public void log(int logLevel, String message) { nativeCronetEngineBuilder.setLogger(logger); nativeCronetEngineBuilder.setLogLevel(EnvoyEngine.LogLevel.TRACE); } + if (useAndroidNetworkMonitorV2) { + nativeCronetEngineBuilder.setUseV2NetworkMonitor(useAndroidNetworkMonitorV2); + } // Make sure the handshake will work despite lack of real certs. nativeCronetEngineBuilder.setMockCertVerifierForTesting(); cronvoyEngine = new CronvoyUrlRequestContext(nativeCronetEngineBuilder); // Clear network states in ConnectivityManager. cronvoyEngine.getEnvoyEngine().resetConnectivityState(); + + if (useAndroidNetworkMonitorV2) { + AndroidNetworkMonitorV2 androidNetworkMonitor = AndroidNetworkMonitorV2.getInstance(); + connectivityManager = androidNetworkMonitor.getConnectivityManager(); + // AndroidNetworkMonitorV2 registers 2 NetworkCallbacks. + assertThat(shadowOf(connectivityManager).getNetworkCallbacks()).hasSize(2); + } else { + AndroidNetworkMonitor androidNetworkMonitor = AndroidNetworkMonitor.getInstance(); + connectivityManager = androidNetworkMonitor.getConnectivityManager(); + } + NetworkCapabilities networkCapabilities = + connectivityManager.getNetworkCapabilities(connectivityManager.getActiveNetwork()); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + // Verifies initial states of ShadowConnectivityManager. + assertTrue(networkCapabilities.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR)); } @After @@ -123,6 +157,9 @@ public void tearDown() throws Exception { if (http3TestServer != null) { http3TestServer.shutdown(); } + if (useAndroidNetworkMonitorV2) { + AndroidNetworkMonitorV2.shutdown(); + } } private TestUrlRequestCallback doBasicGetRequest() { @@ -366,6 +403,241 @@ public void networkChangeWithDrains() throws Exception { assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); } + @Test + @SmallTest + @Feature({"Cronet"}) + public void networkChangeMonitorV2FromCellToWifi() throws Exception { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + drainOnNetworkChange = true; + useAndroidNetworkMonitorV2 = true; + setUp(printEnvoyLogs); + + // Do the initial handshake dance + doInitialHttp2Request(); + + // Do a HTTP/3 request to establish a connection. + TestUrlRequestCallback getCallback1 = doBasicGetRequest(); + assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); + + // There should be one HTTP/3 connection. + String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + + // Change from cell to newly connected WIFI network. + NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_WIFI, 0, + true, NetworkInfo.State.CONNECTED); + shadowOf(connectivityManager).setActiveNetworkInfo(wifiNetworkInfo); + Network wifiNetwork = connectivityManager.getActiveNetwork(); + NetworkCapabilities networkCapabilities = + connectivityManager.getNetworkCapabilities(wifiNetwork); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED); + shadowOf(networkCapabilities).addTransportType(NetworkCapabilities.TRANSPORT_WIFI); + shadowOf(connectivityManager).setNetworkCapabilities(wifiNetwork, networkCapabilities); + + // Connected to the new network shouldn't be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onAvailable(wifiNetwork); + }); + + // Make another request. It should reuse the existing connection because the new network won't + // be regarded as default. + TestUrlRequestCallback getCallback2 = doBasicGetRequest(); + assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // The connection count should STILL be 1, proving reuse. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + // No connections should have been destroyed. + assertFalse(postStats, postStats.contains("cluster.base.upstream_cx_destroy:")); + + // Reported capability change should be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + LinkProperties link = new LinkProperties(); + callback.onLinkPropertiesChanged(wifiNetwork, link); + callback.onCapabilitiesChanged(wifiNetwork, networkCapabilities); + }); + + // Do a 3rd HTTP/3 request. This must create a new connection. + TestUrlRequestCallback getCallback3 = doBasicGetRequest(); + assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been + // closed during draining. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + + // WIFI disconnected, no effect as long as the default network hasn't been switched. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onLost(wifiNetwork); + }); + + // Do a 4th HTTP/3 request. This should reuse the existing connection. + TestUrlRequestCallback getCallback4 = doBasicGetRequest(); + assertEquals(200, getCallback4.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback4.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Stats shouldn't have been changed. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + } + + @Test + @SmallTest + @Feature({"Cronet"}) + public void networkChangeMonitorV2FromDisconnectedCellToWifi() throws Exception { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + drainOnNetworkChange = true; + useAndroidNetworkMonitorV2 = true; + setUp(printEnvoyLogs); + + // Do the initial handshake dance + doInitialHttp2Request(); + + // Do a HTTP/3 request to establish a connection. + TestUrlRequestCallback getCallback1 = doBasicGetRequest(); + assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); + + // There should be one HTTP/3 connection. + String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + + // Lost current cellular network. + Network cellNetwork = connectivityManager.getActiveNetwork(); + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onLost(cellNetwork); + }); + + // Change from the disconnected cell to newly connected WIFI network. + NetworkInfo wifiNetworkInfo = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_WIFI, 0, + true, NetworkInfo.State.CONNECTED); + shadowOf(connectivityManager).setActiveNetworkInfo(wifiNetworkInfo); + Network wifiNetwork = connectivityManager.getActiveNetwork(); + NetworkCapabilities networkCapabilities = + connectivityManager.getNetworkCapabilities(wifiNetwork); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + shadowOf(networkCapabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_NOT_METERED); + shadowOf(networkCapabilities).addTransportType(NetworkCapabilities.TRANSPORT_WIFI); + shadowOf(connectivityManager).setNetworkCapabilities(wifiNetwork, networkCapabilities); + + // Connected to the new network shouldn't be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onAvailable(wifiNetwork); + }); + + // Make another request. It should reuse the existing connection because the new network won't + // be regarded as default. + TestUrlRequestCallback getCallback2 = doBasicGetRequest(); + assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // The connection count should STILL be 1, proving reuse. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + // No connections should have been destroyed. + assertFalse(postStats, postStats.contains("cluster.base.upstream_cx_destroy:")); + + // Reported capability change should be regarded as switching the default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + LinkProperties link = new LinkProperties(); + callback.onLinkPropertiesChanged(wifiNetwork, link); + callback.onCapabilitiesChanged(wifiNetwork, networkCapabilities); + }); + + // Do a 3rd HTTP/3 request. This must create a new connection. + TestUrlRequestCallback getCallback3 = doBasicGetRequest(); + assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been + // closed during draining. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + } + + @Test + @SmallTest + @Feature({"Cronet"}) + public void networkChangeMonitorV2VpnOnAndOff() throws Exception { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + drainOnNetworkChange = true; + useAndroidNetworkMonitorV2 = true; + setUp(printEnvoyLogs); + + // Do the initial handshake dance + doInitialHttp2Request(); + + // Do a HTTP/3 request to establish a connection. + TestUrlRequestCallback getCallback1 = doBasicGetRequest(); + assertEquals(200, getCallback1.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback1.mResponseInfo.getNegotiatedProtocol()); + + // There should be one HTTP/3 connection. + String postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + assertTrue(postStats.contains("cluster.base.upstream_cx_http3_total: 1")); + + // A VPN network becomes available. + NetworkInfo networkInfoVpn = ShadowNetworkInfo.newInstance(NetworkInfo.DetailedState.CONNECTED, + ConnectivityManager.TYPE_VPN, 0, + true, NetworkInfo.State.CONNECTED); + Network vpnNetwork = ShadowNetwork.newInstance(2); + shadowOf(connectivityManager).addNetwork(vpnNetwork, networkInfoVpn); + NetworkCapabilities capabilities = ShadowNetworkCapabilities.newInstance(); + shadowOf(capabilities).addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET); + shadowOf(capabilities).addTransportType(NetworkCapabilities.TRANSPORT_VPN); + shadowOf(connectivityManager).setNetworkCapabilities(vpnNetwork, capabilities); + + // As long as VPN is available, it should be regarded as default network and trigger a default + // network change. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + // This should also purge the cellular network. But it's not observable to requests. + callback.onAvailable(vpnNetwork); + }); + + // Do another HTTP/3 request. This should create a new connection as the existing one is + // drained. + TestUrlRequestCallback getCallback2 = doBasicGetRequest(); + assertEquals(200, getCallback2.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback2.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 2 (the original, now destroyed, and the new one). + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 2")); + // The 1st HTTP/3 connection and the TCP connection are both idle now, so they should have been + // closed during draining. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 2")); + + // The VPN becomes unavailable, the underlying cellular network should be regarded as the + // default. + shadowOf(connectivityManager).getNetworkCallbacks().forEach(callback -> { + callback.onLost(vpnNetwork); + }); + + // Do a 3rd HTTP/3 request. This must create a new connection. + TestUrlRequestCallback getCallback3 = doBasicGetRequest(); + assertEquals(200, getCallback3.mResponseInfo.getHttpStatusCode()); + assertEquals("h3", getCallback3.mResponseInfo.getNegotiatedProtocol()); + + postStats = cronvoyEngine.getEnvoyEngine().dumpStats(); + // Total HTTP/3 connections is now 3. + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_http3_total: 3")); + assertTrue(postStats, postStats.contains("cluster.base.upstream_cx_destroy: 3")); + } + @Test @SmallTest @Feature({"Cronet"}) diff --git a/mobile/test/java/org/chromium/net/testing/BUILD b/mobile/test/java/org/chromium/net/testing/BUILD index fd0adffecd18e..dc30f7ec0feb4 100644 --- a/mobile/test/java/org/chromium/net/testing/BUILD +++ b/mobile/test/java/org/chromium/net/testing/BUILD @@ -37,6 +37,7 @@ android_library( "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", "//library/java/io/envoyproxy/envoymobile/engine:envoy_engine_lib", "//library/java/io/envoyproxy/envoymobile/utilities", + "//library/java/io/envoyproxy/envoymobile/utilities:network_utilities", "//library/java/org/chromium/net", "//library/java/org/chromium/net/impl:cronvoy", "//library/kotlin/io/envoyproxy/envoymobile:envoy_interfaces_lib", From d740158a0fa6f0a687883e4d6546e725d2d6da6b Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Tue, 19 Aug 2025 16:40:22 -0400 Subject: [PATCH 255/505] Update QUICHE from 82b2b2501 to 2013a0735 (#40758) https://github.com/google/quiche/compare/82b2b2501..2013a0735 ``` $ git log 82b2b2501..2013a0735 --date=short --no-merges --format="%ad %al %s" 2025-08-18 ricea Fix MigrationStatus histogram calls in quic_connection_migration_manager.cc 2025-08-15 dmcardle Clarify nullability of ProofSource pointers with absl annotations 2025-08-15 dmcardle Use std::unique_ptr in QuicCryptoClientConfig::CachedState::SetProofVerifyDetails 2025-08-15 martinduke Clone MoqtLiveRelayQueue to MoqtRelayTrackPublisher. ``` Signed-off-by: Ali Beyad --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index dc573f360cab3..9dcc696362a84 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1277,12 +1277,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "82b2b2501a274fb5129a9556ca3cf6676910bb04", - sha256 = "e02e830eb1285aaa4b2891a58adda8bd22e52d64865795858480a9d641f81b99", + version = "2013a0735d16e1d1f131d57417850025d750513d", + sha256 = "b2ff7620a7a50a220e29f77bce623436e47524de9cbf7148d9bc2386ce78d893", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-08-14", + release_date = "2025-08-18", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", From 0c6b39113ce28edf87a0381aba77977adb9651f0 Mon Sep 17 00:00:00 2001 From: "publish-envoy[bot]" <140627008+publish-envoy[bot]@users.noreply.github.com> Date: Tue, 19 Aug 2025 20:58:28 +0000 Subject: [PATCH 256/505] repo: Sync version histories (#40799) Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com> --- changelogs/1.32.10.yaml | 21 +++++++++++++++++++++ changelogs/1.33.7.yaml | 21 +++++++++++++++++++++ changelogs/1.34.5.yaml | 14 ++++++++++++++ changelogs/1.35.1.yaml | 19 +++++++++++++++++++ docs/inventories/v1.32/objects.inv | Bin 179051 -> 179103 bytes docs/inventories/v1.33/objects.inv | Bin 181675 -> 181750 bytes docs/inventories/v1.34/objects.inv | Bin 186689 -> 186737 bytes docs/inventories/v1.35/objects.inv | Bin 189384 -> 189503 bytes docs/versions.yaml | 8 ++++---- 9 files changed, 79 insertions(+), 4 deletions(-) create mode 100644 changelogs/1.32.10.yaml create mode 100644 changelogs/1.33.7.yaml create mode 100644 changelogs/1.34.5.yaml create mode 100644 changelogs/1.35.1.yaml diff --git a/changelogs/1.32.10.yaml b/changelogs/1.32.10.yaml new file mode 100644 index 0000000000000..139bd7fe2bebc --- /dev/null +++ b/changelogs/1.32.10.yaml @@ -0,0 +1,21 @@ +date: August 19, 2025 + +bug_fixes: +- area: http + change: | + Fixed a bug where the premature resets of streams may result in the recursive draining and potential + stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate + the risk of the stack overflow before this fix. +- area: listeners + change: | + Fixed issue where :ref:`TLS inspector listener filter ` timed out + when used with other listener filters. The bug was triggered when a previous listener filter processed more data + than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. + The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. + +new_features: +- area: http + change: | + Added :ref:`ignore_http_11_upgrade + ` + to ignore HTTP/1.1 Upgrade values matching any of the supplied matchers. diff --git a/changelogs/1.33.7.yaml b/changelogs/1.33.7.yaml new file mode 100644 index 0000000000000..139bd7fe2bebc --- /dev/null +++ b/changelogs/1.33.7.yaml @@ -0,0 +1,21 @@ +date: August 19, 2025 + +bug_fixes: +- area: http + change: | + Fixed a bug where the premature resets of streams may result in the recursive draining and potential + stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate + the risk of the stack overflow before this fix. +- area: listeners + change: | + Fixed issue where :ref:`TLS inspector listener filter ` timed out + when used with other listener filters. The bug was triggered when a previous listener filter processed more data + than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. + The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. + +new_features: +- area: http + change: | + Added :ref:`ignore_http_11_upgrade + ` + to ignore HTTP/1.1 Upgrade values matching any of the supplied matchers. diff --git a/changelogs/1.34.5.yaml b/changelogs/1.34.5.yaml new file mode 100644 index 0000000000000..786669800f88b --- /dev/null +++ b/changelogs/1.34.5.yaml @@ -0,0 +1,14 @@ +date: August 19, 2025 + +bug_fixes: +- area: http + change: | + Fixed a bug where the premature resets of streams may result in the recursive draining and potential + stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate + the risk of the stack overflow before this fix. +- area: listeners + change: | + Fixed issue where :ref:`TLS inspector listener filter ` timed out + when used with other listener filters. The bug was triggered when a previous listener filter processed more data + than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. + The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. diff --git a/changelogs/1.35.1.yaml b/changelogs/1.35.1.yaml new file mode 100644 index 0000000000000..daca86aecd04a --- /dev/null +++ b/changelogs/1.35.1.yaml @@ -0,0 +1,19 @@ +date: August 19, 2025 + +behavior_changes: +- area: ext_proc + change: | + Reverted https://github.com/envoyproxy/envoy/pull/39740 to re-enable fail_open+FULL_DUPLEX_STREAMED configuraton combination. + +bug_fixes: +- area: http + change: | + Fixed a bug where the premature resets of streams may result in the recursive draining and potential + stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate + the risk of the stack overflow before this fix. +- area: listeners + change: | + Fixed issue where :ref:`TLS inspector listener filter ` timed out + when used with other listener filters. The bug was triggered when a previous listener filter processed more data + than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. + The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv index 4a6ef2c722362ee9446e66add3c3faccbbfbc997..767ecc6c090aa0bd8f36d5307f44c26bd4c5c17a 100644 GIT binary patch delta 113863 zcmV(|K+(VJ_6nc(3XnqrF)*=2^5}nlF4dp;a{r&?c0JcBdSt}}!G+QP2n{jK=Bu>& zk#(JCQqS&H?^HQgm8$ZmYJPb}ad>%!$OdROJueyAL{$oABWpC9lM-LMpy8jWQ>?fr z|GBBXs$XV1)I0z~Acim)SpS&gTd4P6Gqn)vM%-59zhSb$|=F{nc~1Jf(ch=&Kr*`BC3H-Rc?!X3~zE$ckYZq7Fi6h-tQ!N*j5) zwXmpBUVcwHpAA=`x-^eywv_pMaxu zxl4BNOM9fDv{_xcmA7T=A)Mi>@pjE1y@wS7=1S1}q**u!VSKpslNd!|Y&{CJ{`+F1Nb{``My-27?VygWD8 z6kJyg?DrgV>Zm=`k=+@g2n(g#45xJQy!uT=I%boYl=l1tS-3=ZNTtuuae`XHzR;O} zPq%h)Ip&OJ6mQ?`{r7aUS3?Zize6@(r3Wha{(Zc1Z)DehZuzMjkmE2eBA_k6&Ie*y1$oO6&8%n@$v-L(}FyMCnC#->V(q^k_&jJk`&K+M3ckg87yT(c*>NPV_a_z}Ir?D@QIvCH+dv5rbWm!P=T(n1l0Dx`#5KIf?V+4l@%&3-F(t zIF_?{Ghi&ky@dLf_l>i{>Ie>Vq72lAxhM^mTaTFj8Knq)-!e;SKa|N$y0m6IAeCiX z-=lz1B>dL_^Kxs`&GXd`gE^}c?C}NUift0e!Gg09M$#-!7A7S(4?o#1-FS(=&kR07ghlbmdo7wp7a|uW*6t2(BUsi~#>EMOu13_#-(TeaN_> zJ8}4L*R*M1!fatkcYCLB!60E1H?lOFE7J1k~SB8At9Vn#ro!phr4U-mfusjYKZW-7t-Vwe29 z^{BZiwTelXPdHSInFOXp>zJ0IFYrZuQR0H@lN9ejM4WU0?lo&kkNBIf^k4t?eEYdUOtZ`& zWAFIlqBQ_E_S#dxF19;1Uw*Nme|0#$;S8+)sS0%wFCGUQfLh0-CT5RdG5_h(oOwRH zwZ{6whnTz`4eUcts`t@jF<6VM14ECcl3ws1ml|z;=g2=1)6McJXjk7u!ml|3 zx9rLtX7o8GvHg?iHtyoyQ?(zxqPLzU?V@XdK{Km>pY1tKhv3Ai9~%Y09bD!Rs4sm82Q zp!dhU-utLC-2hr9ryYKq!(5=AlT(=76pJ%FxZj(Gp%$fjkY#qQR0R!KIkOckIF>d| zel9OC8ihZ7`Z!GQ2@80=*F^&Kx8aYI4Ej^LQ`tbPl<99Ye|yR50L<1ZLC5!Ezm`s;@gPCN(Akxf9oQjLi3T>R_aci?0+#L$M}+* z#`6)XTknZZBb(so@s(;2D-An>%m6ObYPM6=il@0T%kl|N-TiTRbXBSwc;hbCYe~Av`-(%=>A0R)cZ&x*I*s1!KoWA7gdqKDUb~*?|Ac*ecpMdkzhkM|!?RvCE zIAM;Tf2}XeoAd)3Yo`{T0@@xPMKdD`LhK#-w+Hy^y@BcKKAoFe8DV(z#(Ig%=8nV^ z={mV&TIjw%M{bs zcGXNNbGQMb>1dHL!Lze^s7O1;QBJ{6?Hy@i$ zOm_)<^8uS~&0aeA?#K{5BzHx40)42OZ+U`_OzO_tOBptl4GecWzD**!D_ydh$d=+< zmKy0v;MQcft47I6ydPk$(=&!q8m)(!HrX11`=6FmO2eO@liHsz$rDNL@`ZbziQ4Dt zf13~$@-keK>@12X1F|6hnJwy8;-vIr*V`ULMy$R)acieq+!K33R_1gMr#bOZw`2dw zIY7mdTiPynAtqboreCUW}M7K(-YoWY>MBn0gS`eMtvaYK-?xT=tadhn= z&hUvypD}>wylHN+9{@d4O*}){1Ihrpe@(%jmoP`;ymL`R;?4aiFNJ}c=M7*(b32{X zo<48IaZZ7bX?Pk;&^mgcYe9Sqx?T&&I12N%Zf#!V|2!QG9^8Q*k+6t_O*BKgO8x12 zJBVsU(o;JiTcvW}8*^W0_#5+3t6LLr6N!F}ziB}ic{#`_sz`dL=zwgM%H69Ue|@Q2 zRX?Ug?^*qrQoTj>V@mh#)sHFh+g3lOY}mW{G37$M>W3NmV-Jts)d4d`$sWaRk5THA zK2U$IuczcxLk9z_LIozIzfGQA`0uqmKPk`$d%#J~zv=``FU!=z??v}}{EkH+n1EhZ zC|NpIcWXVp(Ygyq=}u_-%nJzpJtgaq1*J z!9=FJ>w$58dS&Y&2GNcCV}>D=o1|yA?5$)h$(}KRyEJFUR@gpyGsZGbUujZpB8+a%Eqp^LV>)k%f6dOi8Wz)dDA?)xAbh`zgutsZlb5v2=xaAx9aP=nKW@4D z@q!hZH&r%CCz#Hx);yr~aKU6A;)E=_2{s^nXMG!z1rVp#ci#Qz4#nzqsm+0XM($z8 zt-(xVe_$m$g}$41#UYS`lIp(=xZIUt+1qH_b zXHS-%*j}(jL+eru@w{bX@)=HE$Sv1IT_R_>^C2cMPPE7kY{6g;pnZKfkn+CPAnKq) ziYLbJERIM7lUP{Z()c8R6n{HQ<5QJLEUdNCj&o{GUX39yL*Cc3tlQC)5=aN-tE;PZ zELmP>dwE?o$?%L3e;11FI$H1nO;S|n?YoV-{uK-=AZQogncQ*uc4!R&=4{XDiqjuy zOY!K2T-8?>f_h~qo!S1#%M2Ek^Qkee;D@lVz8!|O8Jzj=*Hm3XI*V4K8p`Q8>Y*S4 zlekT2f*CSbf!x}IYBSCLke*$7DCMF!)w&k*p&uByZEl;vcwD!muq{vMr5b3g2LJi zp8U1MZnU`fe{&XrvFWBhqH&coey9@lwmyE$qry)yt1;HEhfDV zsW)7i^K)6%GC3EOx^ZD2x+=;qdCZH15CkFM-Bu979GkO7$nXa3uN_(>I(FAA8PT}P z8Qy9msu@-V-i9n|wd_#UnXTT0s?xv$5?vj#fhHaFe{ft|NMo#@UdbO>##9YUU06`i z=p-n}wXC1H5!7;iXJ-~nfefwNVanqqv(MA~6}+y`@4JxL)z~#dZ=bO22bQ17$Gwf( zFLoU?mXU=Dc|j~sX>c8KwMor*SX7Yz3eEkQ*UCaNKDg;%W% z)s8=Xe;3vH=~6_26{ygHL(}p@Llz$`pJ@XJQkKboZc??^3t67qugIzZLI8w72*D8Z ze9lVi^z$=6CG=GJ$-Icr0x7oWVvlG%e}U?5NhZD?F@UWj*nV+%c=7_qwtm z`UH`)C{?0Yb$-sF_MSB{4-4E^bZ7yghb)d-e~vI3xz7@8RPsO~x9B;MX||_AelaKm zG(UaON0$yn`BqT(9*sSav368;e|Oyz`YTLGfi(l((=yv(i1t%1p}2Uwwjm6t`F>E% zccb|pSo3g1AC06rm;u9ah%^T1ZJIrpHTbrX?R$MIA`gLjZi$8y1c(0yQ(ji>Auj~Q zf5jJqAq=Lust+l-s#&q-TPXNHxBN6*M$_uD$mGZEoWQD7ZRJ|!g9=(4-wtmC0to}u zJHL03rZHpVC9JH6md|;$RJ*OMb3Xm+tZKiecE~VAUau>JjrQFL06)JQ0$$ zY7OYo_`4r}nn`82^w4{AIy~lH=*TU*>bH7js_M7oicdF#*1?F04s~}!Mp&Z5vS$7Q z)*P?50eB=G%lM5%V@cmD;N8mgf3Y|KrTT$>`K|NT`C-gPdf@>LVd)p5vme$xpnu>B zXI}?Xvg(Za)v_ipzn4s*;opL8N-eiYDgO%o){E#cg=Q8ShTh=t2OMex!&Ou{c!{V1 zh6y16j^Qu>(_B6ZpAQiTtcU|X9T;E{f2otV0)ZbltZ>V=&C7H1&Tlt`f1imhbZmZI zC*)~2-DWZ<^0RI@Tf$x41M)w3?!eL#QI0_u6BoSDF|GK^;CYkN3hH?+Fvdw;KuwZ1 z2})S1hBx(M;?BCJa0K88z!7O97-s@;g<#Ba#~ zZB^g3s=UlEw+l?2!w0i%m8cr|={vbrzv^C5eJ1Vi!-vi~0BAG87RfU?SkxaU&;+9i zMuR8Lh$awCRG$LS7718r5WK=VptQ8dvx6E&c`xRo0&AXFf1NJp^OLE!TTq+0dSfBI z-cIqcX(Yq@L7g2RFvqiez#Yi*r8l~5GAK~-# zQZ5Cf9~3Qy=fN_DK0K3foZzqaIVPH7=C zzIDAfY0HW7llBYF*Q&_2*VJPW9fPnKCcyj@!a{82c}IB!U~3y9xd?+1uXWSEo$LNx z^LJ=mB=|Ox+IcGL@6fKGw{M1T8|e!MD(@m*b6Jexe+|HY4<((5@ZUgk@lSLHamA?F zUonZrZwU=G0lLrvQ#$C9>}jV`7?s1g+^_VkN2!O-#BuKLn$z{ZZr>qf7LQZM!xu-^ zh<7oK+l5?mzf$*XiCKEE=A_^FjrTA=2O)K_u&+QQyQrP|pO1NS~!h8IV0IYF2YCDP1(vRo0ihY0$AU zOP)?{_J`{t;k12 zHvt3bh;E!!9qBGn)qIoC5#2az`JbD*3T2j9OFV53ZKB$%OubFAxXD?RdL)R1<#|LV zFmH99wDNK-R8??V0L6z<|4VKkCO@p;w=OQ(h-+%Rz-fgLv9LMif1E8j3T-y ze`aerVkflO6w;1kZ99P0d3nmOX|XY97pB`>LaD!uHS#>$ic*Kc>NteqaE^%g?eP{@ z#5=58`z6a3v*u)*1NMUT-uXj!pKp2Nn$}=_jh$&0zR8u8kW)ugbWggqm@_dAR`#8okWegFAaT3o+U`UpPJe`ABw zKllYq@cw*thGB@mx)6VH2X!7jl@8;$l`_!ej?U zuK!{@(|^%_;613DynI@>8~QbhVr(17_j6D0r~8XGaaxBkI`qaP*Q#49;r!=`MrOeJ zwYZ)0l2%H5`X~x^g4YCWIOp8Ne_z30rWr)XV768$${S9I@_4M@#+vd*7z&GMk*-SZ zjatrWQB=Rlsg@bE6`nPqLn$)x1;!V4{1K6tBC5#lqejQ>k$9<4Ro$;D+ed|t-6Qc* zK`R45UP~Bw_B6f6W{QYI5QomVJxA!JR8?z!RQoO|W&2yz-wCZ9zKd8!e-VtrE1JJO z;&hZO|6Hp^?sTP5aC52kSsaCM(|kd`)D47iCxH&$XK@u$)xT+-B_?||oXs$Yxya97 zZR|tDG+kD2xausLC$x^*p{kcYc|06mBUCyeDo1x@Zobk?U5)#kcof{6czu>7LNZlb z#KhF^)m1)E;uuPT2`jp=e`d>#TLr$R=Vv{E!MVGzW@`~Q_Is+Dx{BXO9(wdqW%nrb z6Tt-rhkv~Bp*!@}>?Xj3hnFQHsCZsJAT1EQ9d>!YL?4e+>p&DL3eEkbY8LuI)X(GQ<&#!+(Q3nS}EYcA56Xz9QEJL^vpTHB|>q&zpCNE@?y~38FcbjO_Mar@C#he^oRWWzoHUEB@ERA;uStXFOB|_*eUakT@~uLLK6uhnju}Kop;1N-n81%^}efk*33w>RFp!RV_hQuKQ~$5uW7BS>23T5 z!(?=~hQqXg==JVtB`fRS)7oNJ_NJw+s`PcUZMmny5)mHX8tB(|O5_I!0{?Phn!YU|9gZBQ~T zv0=aa&JrU6wt;5N*u5<@Yed*K(X0W3tFJkhe+h$fqZt+!evOI)w3`MErT{G^PF9xe z+1O)h;J3v>!P-^Htfu@Z#`?iy$LoS?ntH-P9M*&sSMjZy*k1rs8H{i8L{wcvk7%gP&jx({s0-`&r0ir)qh7Jw%6xr2-@^-Tqs+Lo&p67W**cOn6J2mD}e?S3y z`hX?RtIyBa$^b<$3SVe|A^_z9rjKIY6MhW)QM>6Ta{a`~sxXv3!PL#=0wxtbaR#46C z*nI?HHM(P%0`n6WX{O3Zkcz7TJi#$>Qj^4;Mm-^fIP96!bAWzAuXSG4d3)bSo{8Rv z@sgq|O&@6^_p2(}H69g6qr0Q#TzXPWURvt4WWcR~m1g$$#xM6aUMp1$rT}ZR#z}rus5s|u|&*NDF;$0ODO`PG3GYpZa};dL$|)~AUa>&|dXb=e2Ijg*>%by3V#TzkW>r()F{2T#{kX$vz z9CK|c(P3Q%SdXcb1#84^2d~$T?Zfy=fz@C>t6P~R@rN-@XoJOT5N9x|=?Si{db7w| zLaV&(CEIWa=9mL?e->KRO>|KZ6aI09m1$kv6C4jsJu$J#5kTPRYz7!1xoSGs*OMNA z0?(-$8U6MI2zpG6V1x-QS7l#m^R?4)g3$U1Sr|SFxbsnct>jT^ut<=s+gvt#$l@-@ zjz?HLlaxVJce`7-WO6L|9hmD9%TKje-?`jXBLdLNY9a4wf7{mi$F1G@v;`Jnv2>g3 zB}VOooE7KZH#sZl>4M);1R=$_wfe@53soogp}O=}%wJlRp^AQ{Ur7t30WW=DJ9`T8_LZhWw4K^|#! z$Qe}zL2o$A!8MC^YJ1~CO1klFfjEn>x{r72QMLQDO}RhDTBWSWVJX>SS81AI3T%}) zo~Nyf*Io7TEPD3^Z>oLif4(jfFDD9H6UE z7{_h*&Bqo9gUapa1#d$jA3^)90XUQubm70D#0D14yd>GJPWQL~K_4LqgD`>Rp^WyR zchG;Ff5k0G^{pNB_QCoOxwsVwU^BqmII++3y=7)hJ^1TkueanF7s9}ctu76nxhw8S z^HGLz8hGA=ah1ZgWUeyra$n^NJlEz4VFJrpS^UIFwy4!vlX_AjP8IBl;J8lH11<0! zTOM|EV?`Td*S^hwJ(+q$_$9CFs-{b7hfxlCf58)D6`kiJW_;4AMgMmBv82aJ5Tp z4(#a$Br(tVQTxb(DM(-4`VmZ37I*gyfdK^TM?(N$G6POxc}j#H=Rq=)&e@T=7 zBVAKetQQQO;)7f(0&oQ2aHfg{$i8McCq4jr+3B-ece0lS_y{Vcl)ZXKQQ(!@Xdl-wQ6nWFqR=hp{h$%QGy)4G1#eGkZ zfVPoklec-qEK{_0F9a7|@IH&H5blS?cM%^qvJ&nT*3kzvj#_qE4Y3mwe`XcLP7aLi ziYx&`!at6vF_!`8XmwQAwmdOMovls4?o+cnRJtZ&KO^k81#eoTxojdIMU8|`H|TMV zoHWi-Wf*i0xk)ltb-T!6ejngn)~fH&!z@PM$=Pj;1jz|E9D?LD>8Ff5EsKOeV4jH8 zF*w4v1*}d|w(?IKnO;Q}e>$>7;m*%L#P_^b1YF{xHWBcN!m2d*hQlN z!wL**A-IrNKajAX*yR9l?CuB*VO)gNs+>{!_s~J1I~fC%B`Tob`JFyYC==smJ;)GB zf5@SFffwOYCo}i(f5+^3>PPnJeHyUG%EmJQce>m2Z=p*+TJ~Wprd#%58&+Kgsnh6< zFuXb}zq(S#P6cG6uSx}Ei_p11cv*P$-CK#H%VMrTWh>J;OBhHX5R8R0Ku?i#JUmnCRKMmv%j@qjwg(e?3HX)gAFEnypZWb$D#n zqmKBztcUG0h|dO(d;>*j@4M&zE1KCdHec7wmL7T1xUF-=r174D-IhG-i3vU2@QK8D zYiK=D8DgyAl-3>Q&QB=~IM8sYGOuOQ7P}}@p`jc9&BAb3u-lS#eKoc17M&5DxI9tO8BU5dadJtmFd4;w-JtVRllsW)f zB1lg~)ICKp#SCJ1LIMb&k9SCMG9!vUUZ3FPvE0292tO7bG^Oxk1L9{_dn|o*zO~14 zV>L@3i*#zJJ{GiJ>*uk=;O!x28{$>doSg{KW_sqwe{Qw&XKnOoKs_?I{jly zcC2ka_G5$k=VK@6Wq;w!K`%bCBCmZjRI_5Wo1qdtAop9|BaS^E3ew|*VLTaAjKO^5 zwNAp+X7e0m8crn*k#CJn{_augcW*!OiIY$YE;^_be)6``KN_0dF zPZ-x})@`Jn? ze?EvQu|ZB_-q(KTF$I_h&=)ylixbOvB(tLjE!QvZ2AuFRj@j*HD@9aq$UtbBtbnl*~rofNf` zidsKK(C&?)faAcwu7tRd(vxW{p(w3bf4sGn7CS7=(ZD{CErGGW!kiKmt{>eAoM%kI z_U6<)Qww8Rah-Uf;|9CN)t@#8hG5t~55ernZpc-w3eoLhDGa?h0h&`j(%Ea`2_3H& z|2eyQG3D}R_e2v!Kbv26BOI_Tc-RySQ9nPj1G@mzA&Nvy!8CF&^dn~I0S9WDf2Ycy zex#>wS*lxMrCuI_!_RSw@b~>UExuvSptwB>XAODTv}t*gPakRp z)}Z6k)2tqavj(V_oYK>m#8l1^ML;zP17n`)w?2onj7HW!dHf^6Vd+5F3`+#SsG+Pn zn*}+FLY`VxeP6IbnUTT!aMaL?e=JPoZb7mk%NjW_Ds1s#39HA19@Drhg0T%IZ9p_J z6jhhGJqC9P&R0nY1tG2x(ybS(Q3n%h9+;E==kaLBFiPz3g2M|Fe#o;#S9O)D$S#{( zW9}vD)(m^0rN9;>y)x3eeL1QdLI@4PU(pcLY+f>}Q+kGE6={~$vS}jgf8*#vM<39v zQY8PtG8n3@v0w$E4W(%evxd+d-zu@Vax`DdI|;>gtu?|Fm!H5}d#?7r3^l~yGMr}f zlBsHpr|+!Jf7JP~&!uP)h>l=HwOZZIm!&OpbZI`~TrGUZOVk$KyG-Z!R*O}@e?#i$ ze9z;{5F+m%*^bRqW(Elre|A5Qfnw?uo}}|qYKpa`_3Lo*OhJodc`XhvA^+r8)v(DoQF^P3eZ)cFj$x^URu=LC(>M8#UPYzZiHDQ{K);amDHw-}@QLxBitu^1 z2C!*-6{*SqX8B4o*n{D-L7pG>>}8W1GZFi*qR#PRgqCjYiPZ_r0aicO7+%Bd=EiZbEsu2pbDd zd{=v*Lkki^!9T8i?~AYCFp!I8oKBO{+$)D`G!QY(1?x=!TYh=|sZ(8MW~sbXszO#~ zSJk{<*4Y3*cVzD(e+r5yOvC|!BfriUn!v!WTU> zoaQTq(S6M|EuEestk*-41w=NF4kl>a6{(wQi@Ru&&&p(YjHL>qqo@Xk%?T5In#x%n zb^7I5@<0Fje?RhAs_4@^6C8CwF{J_?Nx!Ej)i7y_>I^!}8y?(6?-TVw0=3dfDX^En z%nw0Kx68+Re=zlp`7-{kAD`a~_$$UA@c4=1#T{X(26a!k?)&q4($^2*L30WjB0EZJY7@WtnAsv8K_YR^SQRXQ~TbyzVA%upQBJ|793hr_^QBiKhJg$fj1+J%nW`KFb!H;sqfcKo7lA(nt2;t8K!D$D}g}0 zDi}==etSk7!iU>cS8WgBg2vI)zTY0x26do4f0hI7V+Vqq14VkQO96NuT?sS10Zgcm zpuC=vTL;s4m}?!y&R*)1tRdyMhmzkul)vr_FB%wX3>gyV7NglzZvpGboA7-aKSjou zM~@`8)MO5u1{e~p)U|J~pHbKE^P8qysdVT5zOMM`_x8>3troj<-NHzkr&ca}OuN#7 zf5Y^3b_MTTPv=wSl~x>~m(#c~)yMgWG@SNb`ZuR^Bgh=#GQHiyz3vY8t}T0zW-6rA zDF$;)IptIzX@xehW=~xZpEY$T%k;oNP4fZv7{1fV5wor|h7f#)S`Z^FZ-Iz+s)~oh zgf`Zv8O%tbA(XeeN5f7w7NtW!7-OGZ|_l* zjN*$fzS&wM$Leh0B_blXbh$mB145$JMJjBt|8NK@lv_}|1a-Qw1Gw;?F z%(D=RE>hKZ_EyCZeWo?)n$wrO$emQ_;P|peh3Q@BRmP(9fJ`eh{UE*SW4|Y4#Jb9X z1~T}ZcU0U!S|J4JSX>lQ+h{@Ce<0#v9Wu=}42C24Rvp`s6K1$i^g6-F05cG&S1TCd zg^_!zGP%1@gyd_%3dEVsLF#}slyuI6l56PdYzQr zB^!_t+A5*bx9-S&RU_5Yb&c`UrWGAkIw}q~ea~c(-jlq9fzJ_S_ks%ye=bb$K8u%{ z65MF2;)WB(_)%nRRVALi456QxzD=`vsqE?|(=+8_3+^gX(-ZsNo)WLL!8{(3bseFf zbymK4ZbKZige&FpcnkG++3qKnM}rW>44s!yo@$ajTEcfjg&f{2={w}{(F9k!%y>|c zD!hyKOEr{F-;uQu1`k=Xe=+9x{IuSRcCT9s2JdbueHI@zdHItTd6v*mV|R1*#W9PZ zpAI`aACme=r?X*?Qie`YifmE%h$t&P+%Wm9Ze{HAv8?p)M?v9-Jf50(-WnxB*h?AD zsN-x5M&AURr%Eb`?q-Z{e2Gk8D&}t!RG#8!y3|gGj;3vyLuRq~f2gT`WL;D#tjJuZ zXBoQ&ro#&ze#qmasm7U-u%Nt7Qn*X)vc`FwfMJqz62=_gI<3)f*quHV+UD@mVdhfS z)rA*CqS7d~Dl^AZf$&023^LE?qu9*!E96e~Wi#urkfI|PQTd3wl{_%%ADO*J8Ux)I zXA|f#&n^R-=k-MEe=dF?NFz*fdFi{38~OY6!E|#^x(*3V@_;gw=>7U)ri9xxPiR*e z0E^J+JU_b4tlp^tF5AlmSSC;BCerPCjkJV&l^;+G`7Em6y~LaNBcfHZcI|94;s#x9 zGjywj?%2&XoN`4BlVmF;QZK=Vk1(Sw$Ci^Z|{JAnKF1Y>Qg>_SDg%0t>}1e;;xB=)Owm*FJ)5 zAemGBfYL`aB%?Ux*Dpwucgx$@#S^5)pzwmi4|#kwHR_LWXO1wueXNLs!_f9Vi?^CG zf1LV#V?AZwC4e9D_-cwZ19vP(N46+tMeyT1T+{2;e-^o{X(==H8~LMZhf3w+jv(Fv zuIEKNNX#A*+QkAz`Y|J{>@|fU7=vE?)##^}k59Bnn)DZF-2sctU!TNU&IuZAr(2u< zNW$G+Dsl;nOAyx#?^*+N8V_|9cl&vVx^S;BjxTna46E(E`^Vdef7Mk!{}z5~>WitWN5g&i03KL)<|~ZX zH{ua{2v7Pq=fCyy*soePUsaJE$ew=v;&1(A*^n+&w8pffTtT)ytFE1@#)Y)3;nr!E z@!-OD%3=IukT~oDmt@5s(YGD+sbAwl88_X+PlF zj4nu1nB#;LlWgu1sf}k&?w!s;YJzr`nBD#yu(?a@vFht}AD#38m5HVtA(VN_b&A!= zAG^35NmW-PGE8uJh}+{D#Grmx7(POJf0(0hBW4p=Z@9BRU#Mpz_T>xp%(9nNQdIDe zGUXKeZ#_Y(vPR1;4Gts4v$fF{KaDPAuum*YmX~_!$L8BE{B}?@KkG`oKEo`3e^xet zuU^{pqmb{MJHN=A_Wfy|fAuTChl~RB>jmtPl|X%}0}3mkN$CG9f&UO%ZRmx|HFN?y z+?L#ms>uaLwGq5DENl3L*5Kaad89$l1&eze^wczpY9Y92;NO`H+?(TTY7 z^UOBWJ20r{8QqcJE+3BuN^iwZVd=$#pDv8Jx20a_F!!du8tfq7K?-)&V_ZYvFXC~A z?M?WfXV!jBUFT2M8`y?iht(VY3VvmN{)+892c;Jm_Mg0NZ)uTLmozWmf77!0g>JJ5 zx2#@ZL4oo9)iL<%(3QT(Doj|t;jbV{>C>lozm3U1s;n(B^$pAhd$J5#2xuLVXQxrb zDU8J$zRT*jOq$#0XZ~mFnh(YjCRRW6Vq!jO2_3eLkvW*q!3M!+q1*Hd(2%0{J$;&* zRDByrd3mt~nCb`cDP{#ue|4_W^jUV%0aVl0d3oNBiuZ3KE#hkHTM08FvW>X9{hO_4 zT-_AG_k{~u`Vv}G6#HvdE?cT{%)4}1$^gKFl_wW2ILXM6YxP4F1hSS{Tc@hoIGK;~ zsQ}oI1O6!NbfV1Zk3aC!Tza9Ie|5lTsqvPQn*_W# zO+C7fZs9@FZX0Z$Up5y1$MQg&xza7PeuD^iY-SvPDbvY(2ENnoLZaHe_;^#$Cd2;@%W#Bc=*S+ zheLfP7#9qD3&iL$&}{+~&*04=DGL7U3>W86)0ORYtcg;VS@JB0c~DjrkTYMtb+MOm zPu6*&)E*`)KPxH`lS-ZptldTgPl@cJUaZ5j}rwQ9;rzbA2ItJ zEfzI%ydI)WiG(MxC1fCKIA2myROhp5zrKIw1rCCS*Dm|fXH{R)X_4Ko{_5}QFW3c0 z$6Y?w-R*?4C<)#PWVpxi(LEl)JoFMm;NJ~o>^_)Ee}K|bEx-_Z)&GZ+YaQ4QFND}@ z+I}5JCepw^A*9jNfJ2_WG>O4Jhexo^4z%!kk_8wc|G;XO@J;%I^?|zyu;ahfj`5+g z+W!hGU{^xz1Aa1Ov_5$2HXUs!ZmLwz@LZrx<2fyl^iDUqME$k-O7c?0{YeW~PiWV8 zZg4@^SxRiurR=rGB)z6$^VfL2E821CxGQ4G$Z`b{_p_ZBfFvz`8Biy zR8+Nd4;l_)f<@VFhPI-Xr>f45Yy%V0OL+M(T(P>&=XE=b3ozJHgZ8jD@r3vN{*j)( ztIyAuv4}YZa~sD7IyUtTR*K<1s06Os%e8$Sf8$^+9EKMLeo9ej3!64=6IFlu%>NwO zEWi{7(;$a-qfO68b^-9z|8AH0PKUtmd=oFSHE3s zl6U<^xuf3$H@*Y-Z@k*=?0q^5r4(Tld(Vh*{>RgepLf!YM-pjMxl4@Os7+t&HV&Aolrj|1+gzcfiN z?~#X1umEB}oxfXQc8lq%AK(iMzuVl@u-PezN4M(X?8adBthvmN;nQAMVwN{Bkv{pj zsejgFUMA?HnRk2w)dDh!u9}D;9nX-|g{q_kZ^VH};RJg0bZ3^&Ov_cFcYC%8g>(|A<5S%J$=cAZL|Z}2dTyoSr^(v4S_9cZXfy}G_T{5 zqV9g9smDrId!_cNzoefneJp(RwttIDBVJK_=%;Und;?ctG?MNAip;a)pK6)qnClWZCM%hVYOBIR zjq|H3PPv2o12=FZ@%IFO4__M-8UvWHzdWany@eexbzZgjj_rtsoPiJFi+^5X#_amx zLZ!Poqt}!%&KS&D0U_MMwBlwlsDpci+0f03R%550hza2rd{o1@W4-sK!$RXar7?|3 z26I-xChi>cL>k%Can4J4W)NkHO`ChEZo0W@EQ3k-7T#UbGCdok^5=%&?*6iNhYzOB z+k|)M;0!(Q!d>7@N_1x$5P#ApqcEcgf2Attf=tb4QpPDS{R40Zhu&tMDjUF;f*V* z>ic$8!7h1me+|b7SupZQM0k%bdHI4TmZBb?R6{A@%~GXfeP7(9J%m$;Y#O*D5#c?0 zy_0ElB5ivTVQ1Y9p0zCP>_3Q08ryy>G7=NkFKkLL>2BQJBJ30ZQjHweh;ONOl@>So zGUtpU7D%j5m!X8P27f^{7OZcM?+jGK3DrP{^~z#qQo@==nW{`d{v+#`DPJhTy z&uVitZ!?0Hxpqn0(^p=eDPtM`^*3+7@DG@^j6ZZc!}NatvVZ@Y=$*P+r1wTS%f^)5 zhx%k1Vh3`AUyo^mhU3>jlK*5)a%kBK&`7sn!^pqNx>oHid3YN%=sG)~=~U#GyahjS zkv#KBCYw{8U)xHR31wU7i*L_n5BOZh1aLLL{1U!6hbA-{zlK!ZR^PHrK5mf9_K4Dv zPcWYi>tVt%kAM0$2YgQJ9a?V(RC|Xu8Z^s-YQ-krA=MHY{u@X!zCV~&V#0p|sWhKe zsw!RQnOP&SNz~0Exs`|WU_@*lcL_)`j>IDko4NH81|j5f8#r-%nqBhJOvQzlWbv2+ zm!)mT5;=Li1t7XH0|v!O481ddHn}0-xq?%hC5W;~8h_HO+a@+z0HrYJPPIsnB9(B= z&~h8@xmcZY`u#&86}kDS!WmThLs)VU=Nm0htM~X9{rInLk6-}r(ZvA0LqWe4-41b0 zZ2k}safZ}eM;l1Ko*!N0t*p}mylvHPl1r7T!l67L))YP8o52Nx3j_X4Ss(+YI#n}u z_ki6V)_*L9M04J3;y@-E>fgM~s^4Ru0mMiL-{N(5Ad}(mC-y!AnPBfS{5@sH1YP#lFrbX5^wtvQ9G=p4 zK^nYWtkLmV z`bz8UH?3u2<5rL)md_2`-z)0Ez8UU9bg*E*{> zq*Tw@gn#lbu+`V+3~F2!tbZ9gq<%bS5&kJaq5aI0wZ-;c)&wuQpBN=e z>{ft5df(0M@**}7wJ_8J6`NS3-X`$=wJcI^1yT=GgtbWTHTg`70v31kzq{>Zm-b0$ z1=fx3fx56Z`gFbQ=$VD<-0?ED;(f)sO)MUdOptmHNKsyNDn-j(Kj$bWLo zs+iXI!x>cVZH`Sv>wq|%uy%Oynsg!`)t z_t!8S7&Jm~Fbl^(b^8~*uP(EY`hV%19Go9-z6f%L`kuH+D-3p1q9kMpk>!czL3Qtz z%rxYEnTb#4*Erj$+t*@mc!y@%li3B%b?V+NonW|BEX*rAtXPDDf7XblKbp_fRfnZW zCSiKoPoBx_So+7jf_R1D9q@1C4vZzv>(_C|@DBI`yF;VRUgz8)-tOEP@PBXP&dZ!T z?2h3b@UL-4&q?EbU1Zs+Yb$NjggUn=V>zrFa4eUmxCL-?Pdz1KNA5{An|OvnFb0Ic zyH;|mix+XOPmi}X0rXmin`NKrt-zTYxRJ>sy{oVMf$8C}?dS>a1ecP>-TFF#zs8Hq zKna8r1Z4rPS4+!g9!)M$v4370alPQHtWWA}O3(5*axJEAbB)w)Y7m_)izcGQ(A&*C zqBEMnEXaVWX%qiVzCWI4Uf4lDZPLGp*wKbDg0Gze9)G^XiOj|fBm7vGc_%x-rQXOk zp^p-n^(4FcBfiB6tjdm43j+=pOf4Q5Fx)+OLHqReLhX@1!bw}QtA9Xtz=DBs&anl* zg*CW{7z{&QFp23P<{+|QH45~iRJHCB$Pkj;t~7||HT)rR0py}1pOCYKYv1`b$v+c$xwbEIIsvlCKLsP(0u~ws zYp%biS$b{rAI$Q1x_{NRZm;Uk?T@W(svD@io}`3j69DYCxJn0+|C)-7naQV!oUMcq zLhnjgyP|36BXPa2P~AX_6D;nj{H=Va=ZD!VyQ?Me>sC&|A|AP_#Nia;x+;pr8S;*7 zo>nC~ReGNNyx%Dh7?~+FhE`@7arGc1DqXn~(M%UNdq#K(aAxu2q zsv=Vn{i-~bDoCr|2Nn?Cy^&F@Uqyu8U0^V`aiPT zh>TLAKeGGpynk)~%g<|;NH4n?&8f5We*UW+=bT|i>p=T%$AEM2En9Z%rH=qB<)zAc zx;J&dNiWwzCh7TH%QIA2`JqH!$d~t|8=d_dqU)rG4JWF@&oByp z;^^sM=Va(GqOY60AKk{+*%EDXVUc&6;SKWZZ`$3RReya*VC)}r||`d>CEg& zi{oV9R)2joy&f$d(%in&`t)Ue6PmYo9e(;>bN=E_jhLRaI8OF${qH(|ZGE(#!TCF( z*~xX-F0ttcs!mm**VQuPHFSpexo;-b6>6=HR?qDXEuV$*v|jH|nEmm3)nh` zO)c`N4NmU=Hc63QKC+bZ&6Cl!V*}aj1ikBa>3?a~ZzE_2lyshaQB3Op)!I(A%%FcE zEt47imP2{#tH7#Uf{B?wfuz=?QkaG;Nrxd%$5lXry}ACf%No=>uU}cD#+iL-|3~Ok7Lus9sPFmJw}We-HFhidI?q zExm>hZfQfGQV^vc4%lOMbwWSpYVvc*OJk~!^}<{H;i?SX%(TW$>{M^+yW?b`gPDjD^yDF1&vu5< z{@>-FYhF`zs?9I*mHi_{qEjSL(LmuQj@I(*{OtHJ<}p0IY+_F%>!1826PIK|2Q!H! zP)Z_O&o+k9Ymye{s)m)FU)42!wR8-XZQ|dpk;$!ucM@7i*iw2?3zZb1rRav>+kce4 zEsQj4o=^PXHT^V;qfh+cZ31UgSD{Zlxz_SC|MTK*f)Zhr7*#IreWYdfn`iA;Vpiuh zAJHeAG}F18YOrTqfNT)V&nB}MVb<#HBkR1MymX_%-^7<%Hdpm)nY4A97p^Ue{Y}#R z!tl=t3u~YHdf_)kYDdoix*PP~lYbD_9rx@kdt0+6S<6CGhG(QtA-8<@DOVm4j1OGrbFF*F7z9dIq z^q$EQ6UWyLwF3b=AR`!5^g+2V>}?W1gfE{}{hQWVqFMtrG(`{W45JE-s(-zikr2Wi z*kyA>F9;0(4WQFBCXTAtv=MxD&4Klv<~l2q7irE8CDTCZ4Hv0q;2Lh2acf2OE3@P$t?yos zfy}V9HAB$Ma5D={Fq!}~^M6ohig&dMUdMVn;o*;RelDw8nxcS4WJUb!#|mHftuBhL8{=)=P~f97o&eouOR4 zV^76dDd6WQ+UCN)C@#VaBNc9ox*(}eJWtf|CLTpQ+|hM0XoJoOaDQ@#*ZnaIm+24m z>7f69O;y7UpQXDN61)eqhFP~uKb!dHX6>>*arbv17Mj?`-^8EhEB)91{omJcMzi9} z7H%{z;Y0IgwnCafQ&f{%NvB(OXfFs>bg)BuCuge5wQ6$8W0~DmGde$YnWxlCqN*~d z>POaY!x+tev6MAIJbxY0zsFT?Y)H{nyclvw9movl(Fd^%a9!qTEL8rHC)GruFQhnA zTZ{LqMr|g10#uu!D_4E)pq6k>3C<*OU`seLh5_wy2erh%svXskFxBtgYI@eY(^pkB zQvJGa+|P<`H9c#O{x)>0=~?dxP!OO^8%93n7|!yVay)eRj(--?h`KDA7T1(1Y{A&H zoSLm+L#uoqW$o+Iio__6-f*TWJPd^_&+XR>*~DqL@PuOcv7S)o@n%xwA9dXK5rO7*(jc3ZUxV(rE=j%&Fx? zwT^JA*R@S>Eq^~4SbJcPh*%J@(8SuRhk61zMt#<%l=rRo#xaXJ;SH>={m!WfY0yeA`&Up!*!Mb0T6_cd`+&FBc~(kq@;ljPCPtD$2rbVr=CZjU?V zw3)AX2c7nG_dDx~F`d!83paps&IjnNuJcSbuXSHA*nfN7Al8lhiR4nCaX`;3FbCt% z9(0su%io1jsb*hCFHuC#D~MM#t1UdEYK2ndr#p=!H&o&wPRn8)E1sUnu*s_ zx0yziK~#GUrrS_)Zv>s!(78FK7ukMQ*>RL=o*rEgrB$7u^O6%I(5RBbs3tbf;6TG) z-e#$TxPNi2^B+j{SIYLcs=qnq&tVK_>i<4@gKHplgJV~UiTDpMXN`mP{MSlKjk8r5<^cF=ZG@-BvpD0-A4-QB? z%LDj;Lnajo6Rp(Me5IKxEsk@N6OcK{`+QDfO@DPK$x9gd#mxcpvH6q=Ox@=Tiyo`` zw^dzob7dSBO`4$b^vvu@=sorGw3$!oE}=WQS(o+2w`an)vHSInwG?b^7Bq6)v%Ve3 zt4@H~a&oGvKhYZXs_SN1mP7kbsi2CV&66^dibMn zX#5#jF5YFb->ubqA8z27y<2du7sk&vdlxu7S#CLi%)=+1bXHc7nWAh|b^7Ad2Y3wY zc$QsR2_t4Oxo$#dFoW$kUPH}do7j7!fq$n|1hXi}IFZ;kZ8~0LiCx2MHqBI>s?D2G z@AfO$IJ{rQ`ogJGBf!0mN_VkdaUFp6{+}CK;A*G|s1Ax=B2ExKy*Q7r(xqn@o zwwCE7Q7zTl^})u0`~xvUixEc5l*A33ynQ66LbYsE%lEZUL#0Hp5`7|$#RV~Nu;hci z7=TxkV^FsqHK&i}y_d|V$j>6d&S8JoTTMPK4jeom>+ zF>l&G`1J`?lZRxOiOJ(>@^fE!r%7AEt?9_NFsW!OxV66Z!9$tCJ(Ak;Q<1|Yr$e7K z+*Kor5v!n*OQ2jr=sV##cH4O$B&(3J%poGJg$Ai0f6B z*-P4oCYHqFvDO+M@DHBLrdAJOCj$juq~P?xudltQwRZJU?pMi1Rf zYkbaqQKf|IxSj1x>!a#ne1s}A>ZE{B?yO7f8qJx&nO+|`a!pU)N!lFQ4L}rW!%p;o zyH1qKtVJ32yleF-UWCTr>;@HRFliCrFAdrTOkj3zA!A8GeW}(f_*3@gj3}`NnvCL z-usT{O?ek-tMA-z1Ka@m)sBvR8|nzVcH#(ny%7>tsp1i;P!=7uaFx997?iAt$;Ijn zegI!+{kKumTvd})O@GLB#oZVV(Mooso`w$isiY9DL8+D0>F-f5Df?jXL zXPOtcnpRw-jO|A=f(dbbNUHO`jiI+NLf_Jk^L*!lC;ILTun(mKaLRugLkw#|&1qO7 z-jq$pcEJ>~Z!`G8d^xxuLm$HFKiAh&!fT!%O+2va#o6C%(0}!^;ZH}EjepW?Ht2fU zd8yjR8DtxWfmJZJ`4g5dJe&p0DS%VhoO1%gS<@Dc^1EpcSOe9rC`6$VC$QIhVQQ|r zlN%N=Xs+q$c#V8h4cA@t7U}~T>ph}=l^1e~x`rP4^;A+Q*C@&V%Xvo&6+CzFsl4?* z`Ys|I!K(m^1%JeK?ymq38(5(Cdvj>LX+0LyV`zCOIWOs7~~g>VsKf zl2an3FqD1haAtTVD~)KwsywAV>F^1+FZ-hc^=Wnx3x6!m{un@gfxJ!9Z{iC*T7Cgz z7<8IHh&8wh=%Fg2wja1)Dbrb`L6pO*tdm=vA5b{K34}A8uCf)=iAzUWmuUg-X=X1c z0EK>foekI71lXJQ03-QZ06*tqvJa~Bmcru(13Cd8*cn(nnD>lvngg2y3m`MAAl7LK z;VjDJr+?ZpPOpHZnLcyeqFJO_1+tp?Yts?}TErtJ*N-}i;}Vbm9FIYo6%yX7{Bn_5 z4ow8_8+25&3~zUzo|h8Nt^g0tqu8{`+6;tDcTVu_4$q(s>hL1`N*zI`+*PChst)xqnknzz1~ZC0rRgvYi{;X<1$UdKDwt z!JV&~a)=$!kafeOrw4=v~b&t0(dN^Bn3s;Xg ztS22L88Uzl=Z5arPTRK5KW^<&uNjlLqvIT-hqQ&KvK-$RJ-6L9W&|J5nXWyVq$jUI z<9~6C=~~2sImhVXY-wbf(IiWqTK_lA;Q?40jS- z1PAna#UPA0E`}M3VL1Ssb|?6%ag^J5FhC49oN{18w~!q+yC9VnTWT8m8D zbt6pjhjr(8r^vvRz)k4B1qW>z^=;U)VSm)OaG6O%)IBnp9^Fwy9TVXV}1lNzl-F8Xmh6V7_oPV>X#NtnJaIE*HA*UGO#I z8aMD}04h3AdpzSLekgDB`)p%-rDR%F85>lP0(jF$?I)K))De7OQ*>&Om#{@=IkAng1O&FG zt<$`C8E=@jZ;mY?m^<9r`4X2Cch=h1(-1$jFE4UMu`~TkYAhkNJFjw4u|0#UYC?pI zL7(ZZXmOPb*hoLBy5+7ToJZy42Y>DY%%Gk6S%AOA#VQOCcNGzk1-DkG&T;{7jv-WM z{ zv99f;R!x!oB9EifE`@}qo8=DThjn2b&=2bp9{4fA9mEg5gbwHhlMQ?r@PDrKAd^LU zKZIr?!GA+&O0rw6hd&+Xz#^K^Xy(XH69=*3h^IHXFg(2{dDnWtqwurpx8#KvbXHmS z)Qy|j!LtZDNRt?sAfKsNYf`t{(s_o{W~Ovz5Y&)zrRX)21h&!~a8AI4VxMO*TPf8n z9uHV1l)=Do7F3J5dRy8gYi!eW+4?q~DbEv)n8FFdY|lic9-l@?$h< zOg9T~3F4Yy4X^%?cmD}DMsbS<+c)#exIGU#|YDa>0#Osc9tJ!F5!PxW?+<%nMTT$p$Orq{VM~Z<4(HTb^3VcciY@LYC+D>!p1ZN}V8eg479CCs>`67r~Fj zWRxWTOiBse{b_xFIr}GV7Wt>>Bt2Ih+-NS1f4^jzT&t$ZUDty+g0*~)0TIFyF;=$T zKKPVAq|bWGo?p^3J%9TxdA^H{kHiQTqgOreYungJpX^S@b5N`B$oAyrna7-&BbvrC ze5S;B*w(aF4Kt4UP6vsYUfe-eq`%IJMk?3)N+m4&s0-ucn`dJSgRM6L+j5bYsy6i~ zT%FRV9lyIzq(lD|b#S|XR$*W#2dD7sS~<8rZ7=6FZfmBxKY!h1@|B;zlHXMA=#tjo z9&5iI&Rf(aK$kGOgx0mt0T<`brz@t+D`^?)ESKd;zTfJ?$wspmaIf2?pK0p%n1!#T z^{EL-0FwIOTbp`=+r3*UO&Ip5{B9?Bij(I$Gp7w5*ba|=xY$lGqDN=kbNx8J!8HSA zWCQSPz^GxvT7OW>R^1w}Rgs_WN45bu1#{ZaVeRlqMHJZyjp&hpXo3FfTb4XX_s}K) zCqL4Bv!T81z@1=G+q+jZ`9Ja?Mhpr0E`fv{>^cL;#CMn|b0pO~o))p-pCBTC(n3|J zJQ7gE5sP>_{e;cxBwkke6|Z*OP>4Ud^Q8?xMX7opK7TUdw|F_@h5^wVD@6VI{Pe2Q zZ6Hgb=vrGxwN4tBMzFi`c1hYA>OooZRb87S$mOC4geyG3cmnaJn4Qe1inKf{H`3zz zmAh_&l{lz=ux4t&uj|K0GkGNnkp};!EaC)8l{o*M`G@En1>T7X3 z=cU(my??oEV$&CTk2IKY_d9Sb*+^zlu9n=G%oeoQ=8#9-P_hqA|M)lSPXOF|O}l$P zmIXGN>6UQU3)3siS8B@JMvp(#XWd7QnI}8^vg0jpDjwVd^`+)#4NM;~U*WydBaglc zGkWs$tQeBY&GYt3h-cU>&2kzNC%)vyN2qafeaD zUsd*+HrglZ$6c_LNr6F3FepPB$RG>pa z(7c?7S_I!eNW_$~O*~we81Vr9g~^_XLVx~lsxrZqb5B)90}SAE_}Kb1y{R(vl3uTQ zd3HBz5CeR&_PxR@*sOulP%q)b>wmdQ z8hS}}CUkA&AlKUeYf1ucoy-;lPxNl;a`xY1Z#L&^7R%5}+Md2tX>+PBkm5`C!(pA{ zaXoc+_!M~W&YwQcI7ov-nQjeoQ=QCdz8)oodph~D(jqJ^eQ8n5r1`&e5TO;(Bq>Y>Zkrc3mS#cIsfxNp3X`H+ zSX5w6a&*JhzZYu2VX*%u&y6&}(jE$r;rvw<@3Q{kM*$q9^y@J_lI>a-J%9V)Af#(v zatyq z%bO=a#FVm)OtktQRC`WEOs}exDPFKo(CS_hT8Tg)(jw0&#pbIv5p+wn zlVaKn^D4KswTsuS(1M9s)PF^Siv?k$kD{KcqR5+9c7CK*kXpfNspU&iEwxK5+37Ip zZe-s9WCuSkx)+`0O^V*x`IqleUwRBiJ?>A8*yy;t)IC9aBu9|5%hgJp zlk|a{flA{~p516kZ&hER?%_L!*SsQb;PTZK2@A>hKY`If_|+t)dy5s zO|QZQa*duLDbB4t)Rjn_rptgi1#wQ&2XlrW_a5IGeq25DW{Tg*oPT)cJiMO1RJFq6 znf^aKNB$rGDf0jD40(7(49?JDi2OxW7kCH)UrP%4Ba3~tb$>L1XhwWNl&YJ%s_>le zhY@RlrYKiSc76D;e23Likyu*PP|O;8G7gDFUPj zEoJ!qMxc}ha(@H+tM~mfE*fC771R+kk?GZ(F%y`=J7o6LRf7+2PIqCMDzRZ6sR-zg zu1vm^LAqjWIW*MaVG+y<I!xlO1xEQ!u@acVx|v zw%G-<)5|vYxOOie#v6}5=H;&Fztb2j=i#e|G0FVB(|<9RwvC0gJj*``<@T%PZ=JU< z>LCi@jD=drgt%>7bk0w37~7ECH7UVzV{q#=ogsAmH<&kO3e>HT&CA$gW_2NTPeVXw z^wNJXW{qCekiD^0gfmC&O>I}-`RiOuz$}=VUc%bpk>F%^JDAx$gUNF{s?u~4Mxt^C44{f^Hm4&;}{9|;QUS1m8q&x@5l%uFwib`kb)>K}cVJ-x10nkmfkk1Ew*Qj&@9-dA@ZW6i8> zt;_l)>Ut)8OVgc;x&s;O)j{lP&`Y0so*l&tJi`1=*p>K>!=n>Bi*WNoesw}ANwo(+x4G&_j8sDa>DC5Tg5%Pv6n_RD zt3k=3C20mCmxiP;5Ls^_FKoI^2WR18Lb#bwJ-uyC$ys z1%?<uniE)P%Np+?WihT@1IU%Wd`FyG|kZ7uDRnc^kJzo8EAC{on7;I<9~7tp5&RmZ*9yB9hrpn#lz)*@rj#dbq#+Vsl#}(_373Iujq~CJY)qsf?sDkjh%AqXs+zvZrHkDdKNM$DT++ zmFS1kJ#x`2dIyT5m1nj*npcVS1u7*jaTz88OC+owbn1!ri6h*{!nJ1PzJKAmsYDq; z1_i4I={M&v37}S{v@%QUn1v;buoIMW0>4qGsM&+_*8^h-#NVg`7Ygj^T|^;^#ic2z zOV0~_i$W=C_vJDCMkVf6sXzCsA7Zff)d%Xcv@QXloCjptHtES7jrM`kmiP(FC5=r| z%50fSTBruC>`h{W+%zUV}8Qq**e(*jBF(0p|m%gluO3L(yJX zh`PRpm;5PJ^x?&4TWLUwLv!5LaVUL#!ColH;#HhQ(0CD=e^iFeDyLSY7tgTrVkX}C z>>-L9xQ4|djW%1T7k}q@QC;Fp{L4*wA>bs>h&5#%JN3J3#V;%s!3z#OXqVZF@O8Bg z7MrGqvfE|Dn3g^2#tXSpUX5dvs-@CfCF|QJJTVIX0UUem)_T}r2ztYV%!o)Dr2fhI5yD*CLGzzT+!{*brX5^{WqA{-DJDq@9>_(xW zzK&X72z1XwSjZtj0$LtCKPOwOfB*S!(Eg=7TdODk^09(`g?68&087^ht)2=jTr0ES`p6y<8q2viY?{?~-RxIjjc4wjTmv7OW zO;#ILw}(-QUOPaHLkO;*Fb-mk@&diG!W-)g_D_$ngL()IT4fBCF;Zr!^kJH+%tIPM zVfm&Cej~1{)rWidF}hYFFyHti$kO_Jc&&H?tK=4$NPm6<^NZ4$l4k2%;M?RHI7|x1 zlZWBDBa8;RpYXpovms{lec$Wl^EYVJ0aI`rA@?b=EK;NY!8m-^UsD-aGCM`LLj>cU z7~Jeb5N5&xd4?sDwIa=yFaP#$E{!W2lj!`Wa8>1{B#W1O5U0mhEA%i@}aKVrBw6~mP`7g#5IME7g ztvq(S7Tx-Q7;B4{=RCLjE?>h)&Nxk@@3SmI=0$V7tfpIGQNvhOX^4R#CJnWD&{XHX zd846cCs6=`IOn)N1jcCMx zM?BppH)KZLL}&!mEh`>q=~*b=cwF&{VhD$jo<4)r5unqUWDg{|i;IVr8g~~%SL((j z`yingYweZ|9XbN9i$pIv+b!AZDOT>8@Bqo=fo0qTc)ys88|0ZAW>mCK7;{GhZNmUm z*%G}trkajAB)eLY+45r4aev^`%3eK;dAi}a79V+WrDr4@$4V6=RhC2#j@8Rea8(xS ztxW6c%Jks-TKCFU;aI=cy>j7cAa)Uew(jF4$pj1=6KM$UTV0HF$v23TQRvMw7N4WE zxWr-9O4znh8&ldkNDN03`4ZYo&wvBU?7sbYdw=V>!9>552h2m) zDV(&{H8|j}y23AD82GEMxjc1LuZQJ)iId=&pvYG5dNlGPPk8V+NTsEC4IsglrfwkV z7Ohq(R>3_7>xxvo2@C`%V@jE&(wA{vOBtYZUBimfY@M^b=TXWpah{_6Tx}O=GIP-z z6An5yfjYX*8J&;Dm47HkqVWG>hcb+|)+2&Ge@#&ZW>{)$t3jC7I8g0{1%(+P04)qZ zyjX=f;)`n&pjWL-eLB1CP4yPi!`z$V&GnJ4#D~b^EUK#nFR%IzUoUa>InS&W82YsX zceJd6U@{22$gMtx`rzLj!zd$?d3_y!z-Xkhl;rqxO#lXibL8D|qDHJi{i${`@U{U-k*c_!j;wJO9BEwe zT7OBdwR{pI-1juZZHJ5;(!P^zcR%QLQ^6u0PYj(LGJox`wYw^G)gf7xy7lhE5>~yg z)f}-W|`ccu#Z_|f~URW)H1WL0yXu+)Kt(X5a<7X>6*RAS@squpRSWG9^)Emm-ftzBhGia1{H@M ztyx?*)(!H6R{?!8@M%3Pr&0H-UWvSTs!Sp;M)QYpmn(yP@)TywU=WE*#bKUysAmwl z4CX7&4$IhBVaCePonM%AxT^10)st#S*nwV;Y=0NJ+SRz|xmuB*!%%{7uqpBL2N}$S zv|!%!aA0|xMcoyi!#uYE(px^k`b>VSOduQ%*j=X+o_i^>f9eQFXIDq1EgdlBz;ff4 zSs_ELM9PnwIco>oX3U1$(K2O&Yf*-5rjxbS!%-87{6rL%`Gu!0(>iqKm0dieY-cW6 zYkxf)H9N`=qp&Q^dX9(3wtTR2yNTB4%Kv+p4@+bat%3!-eyW}}r)rm%BtncWta5;-E= z2M$#>pFLmdHXPI|2CB2AdU5Wj;dlcGtA95Bj-Z*pn8+p|99IpwZPIBz^{uQfooM}z z?Q0#u%)3=pRAE}b)-WPX3+xE?fWWnle0A#!#ukoSZKv1|^Od5VdEf7=h4H;$L6c4W zdt1SzdW&(iC4Rch5eO%uV+g>}t2`BL!l%~YF!f)@OLfg=&WhsO2`Rw;%UndxS%1$O zjyieGK%cYI`W&alcND@cNK(w5*j2XF;QsfevZsVts=QbW=4Q2RcFRXM)H>UTkz${? zxG98*LGF8nQ4lW73W6938dK?N+2oh-WlyUnLqs9)Z~5mQtjyVMpI0r|>cebAQe9ANb&DRQ==D7jz}xN*~kuSoM!7?%vV9h>4_H zHBoXF@}#(Gq|60N<+_h?* z2?~IcrrMT_v{A)=AmFGXU2CT6p@kmDy#1~$OftF-<4&Zc!>u#%)?_OwqrorX3x#gcWSodEGxbv z=)Lw`i6%JLW*c>~R%cJQ7Z%|^2xfcrN5O2Q z>ofRNTXECG$r%UUl|`08ZK#+zZ61Y$hAB)(t9UXTtF~HcuxL=ml(cchz92OGQfBeo z^l*IwM%Rc|Z{8hhJGZc|WDS)rGM;46A+8F-t=6JG7x^-syaKwKrWcy2ukL7^?MFqoDFo>rs-29}3+cvy2!kXhl!O@E0 z!!wSyn-2|7NDl<2?E<8=>y5P_^^ZLwtp2g5zJ^)we&oyJ-*Hx+W86;OiYmHR^J=5y ziLWXU*mh;`Bi|J%6x;?W45VmHi+u5_5$__Iovf~7%~E4+FMl#ftJWoPj*EepO(gfa z47XazF)gnrTR{{~=FsbQeTQntikeJ-wWcutMD zA*EO(jgd4vwST&$c?pNFI1{O8egnyRwH(ZTZEbTrHgO3>G5AP|%SFBpP=)X;fAVZ7 zW`cd}O_db2qL?M>p5kQ?^hhN6 zm5VQ);w$pr5cIGqEehY`Pxlnhf^e?HdlTX625mhoo_|yGOhPTH7wp_M55pi-q%w@l z5fTQ(aOH%ydbT5)x~QG-zi%Gma4@7|;T;3CcpMD`YKDKyVaQ?wwg8l|s9xrlZgxRo zE5;Jg%#zOp4htLe_Q&GAiEje5`Hfxsb8>6~8>ayy0AA*=Zng^r9Kt|aXRlHA$bF>K zsUu-vMt^kIgC{Vw#8z~S%m%5DV#;bP^`3ah^8Q8Cwa7mXfn^> zce4(s!jbrC+6`tj7-XWB`*`(|6-k^$of&Izmo+EZHHZ4=x$~9l7+!lZfb)K&vmxlf z8GnYW!}V)lUXcz!P$|Br1t0R%)b(If z{S5Ro(oemwZyB42FXzp7QGM$16n}M{Me()4VT!a%?!g`K4}+RH98*Q`+KT|l_2Zn) zPKB*UTgZSI1cZ|@*y3p~1f|9I-T0;@%INzna9ZQKITR{UGE|N?=BeYuHzb)*%2LNU zN_iIl9tx6D&PaL3hi^y@*GtUbjBxsqxqs6!Au&_m z*ORU89jAL{0+dVqV|8_}kB3JZV77stp%suhwn&77%uk!d9Arxpr`>V+Nug3v!GylL z-Ork&O7EIWrWc|D10g!&pdj0}%67IYBT{e7wSRqkE2ttFtfy64EB_I#Xf@k?8z4Bh z!*{n2fv7h*c@Buw{*}m%WPc9`ux(fkwwl!+b!!aNh^=6t(1G-YIN&QCGqY8DOBAh0 zr*`iN-b1|!Ea!6vyxen5-{2Mt)iixWh49axXZ&U6DD|Dp<1bojN4Pf}muuFDGUJh* zu7r(6OYS6&r%@x`FzNclSrz5`;4xL7D77Qp8;;}LES-B~m0P3cm4Apc@h{G!ae(`y zqnB=yp#^_*++RU9#^UF7qYHw@4B`4tK1vwWH`AASOPsH=h3&VDD;b_V8oxqCxsbtC zFZ?H#uTQu$SR6OBGt^GYcbzOB>qD#J{DU798fsV2EFYes)kmOHD-5>cg&b6|2ZdA4 zrlxcXFu}R0)m!>=n}3GKBFkn}Rw}%Z{_q|bvP-%=JQ`{w1N;xrCh5Ze9&E-~ar)xe z_`AMc(&soo?*!wfFJ7Q`wesIiKTkJ#N3}m1-&}m0Vfi}6xegYHR?3Xhfp!mAx;epz z+*gK2q?`1UNc`^|04|5~9w$6>2(3`F2BJ+@8nW}&)P>gZ#pXZaKM9{Lv?%P+M3RuoO$RB>qr z;6~`Xo->`R#$cj&rQ=k5&LHGZ*iY$SI73TjMsizjBFQ*-<*p$w$n=t)7noTU2Ns3N zNv}}~I%&k&X@4l)4-s0TPW4!c=C1X&F&1hzRbtzf-)@-j0tlCct$Fn&=9jLvp@OU1 zYK693FaAX?i|z83E4d`>Fw6b6ER^qA-pq%BfjE{&x4~efVjx=TsDYViK46%INPkpeP1R)hso&}Z{Yqg0B^9bO zA{DMG!Ko?@uT@@Cpt$D3ds1;-hII}XmpA)8nYg~?PhnBYd`y*l+?qi41S7?>ZtuT= zofVK(ys3U+X+)9y9*Gv}W=gkhVg*Js*TxG0kCr@d$-HqWu;fNU^F#dwXmA5}>Xo76 zAD7XLtG(S^#0iVKl_{rJ zFK;4GqigBBAlNu83fwe-c|%2^nKFCDKt9v*?WMzR`C3FzVpBWxTTjC4I?9TL@5}Po zZbY7N$+LfKy^QoS(A!G)N(2kCUg{9GVuFg>VS}xFuUs4ll;AbpJ6&2b|}-Ml^~#+e+hhGoqmr~<@}iVxf^nm_Cg)p3;W z^~ZtW9B1gGnt1`s=smmE=Lp9He#P07qGf;Rk{Opb{ci}qD4nLOJqmGcZ|Hb+#%bDH z?#VtKY8v@-K~K~E(hb(>i*Ra&A^6 zeyWQ>wJP>Ye=Y+vYc!u8uvq<4P_ZadD?!2B15wJGSY*%jOemjvp(^mnw9h*X*2a(R zl5xYW*RZF;uKigrqNfqhYhykq7ka|v1E$JMe@OlAi1QHZe8(=(pOj0CU8aA)bB^1W zOlfJZ@{}y9uXxn^HIroysVjcVM1AJzA9DTFg(DcuhQVwYbI7fJWnlzyRLAcybGp6E zUX-f7V$XH$aO5=D?X5D%jNQjXwzww$^W4=RXmMEaG46Z|-hV$o@4v@+|Gf)u*HyBD zr)&m5*)BIB`t&#O`2D;2?TdfqWau*)r)dS{u|s!i8po|YGUZWsZMxxoE95Fx)!i-; zX%*qBFZENx@3>{)mMOQE^L@}?bMX_^Me@m;KY=~iW!kRoeQo;GcwF&Pz7;%SGD9uq zXiujwL&s|~hEl$+o>DV`N1ty`#Tnjpbgi7S$fU(_=d1JP)d!F2ES7)ox6hS$pfjeO zb$qT3H7}|QEVIa+Mjr%C)mWo(3tgvcb1f?Ifdgbj3GD>xv?py$)Ml9|nK5fOCO)FE z_SJwZ9(@b>kJm|D@>D-wQJg$oT@{#RV3sMfI%QF_Po5spSp90q5)!YzI0lMu1y9`N-A0 z=8t&Z1T)2GhEvKA<>N$RTn5#J&)qi6lwoy6(D0DK_Sd1}m*R`tfv8c#)F|?V9Y}_k zh8Wm^SPV?(l1Zd?yMTYxmFiuRz1i!r7SVeafBYerKznB7d6a*|_7{Z4!9Wjdp2G+M zqbG5g`ukuPhDHe)@9h;L@At@Tf1$22<{Xw7d%Bm2{$-I)890Tv3Cs1`$Q@=;3>qx> znLoMWd~Cf6(`W3x->)my9&dQx3c0X?eM;WK3idSSdMnb;d{g&t=B;kx1@p9q&DGO% zuCs~O$(dic9@~F{>%_f7Eb#*SBDC< z$TUPs5DJz%lHrBJa` z z#xH&DiT+xNKL$H^m4B<_{uE{O^Zp*uTtm-=S9)X88`IvpUROu!zFte%SiLOk;(!wu zFXL5JR4~p|?nQkqog!s}Wd^<!!Fw&9n77 zGnmmILw}ant?~aPD~%Zj5aNG$6zP*GpCjJ4!Va@3$65B=DTp%J zCLw*-ThW%*zeGBJU8_S-Hsf+T7H=6mYi&sB7Pq!FFm$6PU(5CHqb=oxyV7e3y*Arkp z7v-8WvZv?$It?AK&G<{iPX!hH$iKC*K|^hRy+loQts9<3=c0VBn-f~5r9q|)GBh~m z+AnE3TrFH0rJ_#YHT?I$Xz6ghCT#1dZ*hMWjxzM47qApR<3w+)!b{X@TFXPvRj-hV zni(^eu~onwyz{mqhA#Z~(N>J0$dn#`NRncOZuB@L+nPUiI5{ECO{faoZ$ac&tdx>Ccc~3|(!JZ|JEsC`rIvrl?CA< zx|KNWG%X|SR7T5;voX7?v86MggQoIAAFB~F6JHci9rhgL%p@NL)cT#e7FQ!_CKr5` z$JxxFh=z0xkX*gn5Wo1q)lN(8KBS@~FiRVa;!^qpd68%Su@}cs zfKu;C{)Kso{x`{MFOUUz3I@VpDp=N)%}6%W zvb!$)Ln=yoH^(|yOSdIsGDcGqDG8a&KeR(U2rk3UXGNM_+>u_0(J7C5E z(+&onR->o(ICVDN9h}-jZ+W(p^>E44uNN7MTffr%i7EZM2WijGYTU}WYH&+Nbj_Q? zaWncE>F@bjk6Trw*W|eOo7Qiw)oc6l#0~evsZ1yvQRBeMI`n^A4EMB>srH~}VI?~5 zZ_c~XLCHM}KIxcbkd`jKIP~+}gOEwhX%S|WJz~WtskXQmEvRkS7E`NP)i(4^_ylAo zFH(u&AqbgSn2hLwjhT#apjlMK4bQ|yH0@A2v!{~zrnvCPaT1$e1n_>`?usZ1XIK~# zGl91w=gc0Z-b{Z`({tmUR(*~u?DuvsPN*B(GK~ZOY}~6@_NL>dzU48YrugJ}^ma`? zd2=vCD4i+kwvU;RE=B%PP^Jig@GE_blLYGjvSN1e+6oh}*ikqW!9Y}oF3)LoGSbOF zXDito1z1Wu&gXY`-Ijq-sW-g&Pk9#qhHaiC;(u?pxqN@dqVzY9FCvj8j3!RwCJq|| zNM=ehGm=M*c*C?Hi`f>ApB&}#TmO?;AmHnA5N)6c!ivKk1O#G%FhV_nDCKMTN5yNy zf{Ockw|a)K%om}ZxT+oI$L&UA%Kg3Aohj*X3@9r9cU-8FEJL2k#n9Lq_!it!A#mI9 zMw4e;L=Jz&uDZ^S$jTUCV4!1X4PNa;!pFqbPL3?~+h%6M>bx4XUs7Htl_;BHekDcc zb->4qK<5>p{bEbBwmtbTE)GkYZf2d-(T5+y@3F|P@+BN91*4SbzoB|pLa|1Zq0oVJ zKSWv&*wQNIk3!uF32ZS{YoL@4#ruJ>AVc1YhM#{-_lAGRb?&zEuI0HcO;^3e3EG8E zo@3849I4|n4KoCSZXqytpYm+92%nZDnlibsafx4C`)q!PqZMpwCF*mDDW`Ur6)d^; zqUxm1qtkv;gy0$!q4W=Mu#}8*xji>AZ`88O$)kq1okn@!nm`w zIDS-R;#^MMlO6~+#a7#e2U4g$DKeU%xqiWGQO0#G&qzb1)Dunjl@Z;suoj|g4cFOMhlJ|db5->b$EgRUe$NgEalsG4xv~$<2SIlKm zWHoOZk$==LZ`b#C8OM8etVstdGyBLi;7b=b}*8#7PQKm!3rZQ zlue)R`CON-Y0SIkpLy|}Tk|{A2PAA7DwQ2(+j-=7J<>&a(86ROH<@p}&49jr8Hoc^1o)lHW+=(M2Rx5jX@T zmx-JyxdQ{<&`?Vc%}g9P7Lv-8)Q)h^IMi%zNnCS@yoO*J@x_mTN6pm+(wToPz3*i$ zVoh?6;w+=r*%6kS=v?V`oA729BADQx7M409C|Izd zRp0TlCN#(H1$)y{vb}XdxXA}!5Oo#q5ngvkVBrg|uA8=Be7nBZ#;9VW$PSyJ4V-M5 z#8v!KeDUa@4=t(J&u+)dy3l`cMNC;JuBxIs?n8_&7`bR4;}LHgz@+#N|0oZ*lNr^gQNLS5*Yj|^!vx^LH~dZHttT5Xrur^dqbCd+9M%&v`8KP_vF{DO=~N^q|T|eYTPfq zOFCBpZRDF&F0I_TOF&N_76pC7D-c?&zW+Pg{b1=VVC=M@+*V9FN}X4Kn}or!c4QY2 ziz-IOVc_khRvZkL0*Yi>r26#fA6GaD+dWCd|1+J-x4ek<;edY^4&Ld$dMWZK=igQ@ z?zs&5VFQIhe9k~*NNOLJEIFJ=${8dJ{M+iFej0e0i%FD`DPNkI$dZc7h*fPaU~6O$ zvnlDIUuDo{4l;5WW;}}w&@#EYU9kr|6 z7F`|=^PBI)!fk(b=5YoUZz{pR4s%!Z^saJW^qGWwXY_fjb8pbvk71{reYKtw&-(fX zQ$W5QgvLOwXB=`{O{1bpWlQFV*^EkGwYSM(CPH!?5x5_pW%K<_r2=(_u&fe>3QG>U z6zcb5q~&9%TK=dh&-_fLjfKWYeLVmoHwVNAtwEz@JB=p@|SK3yN)VX2b1 z$v5cxA#kZuxyb>Q^q!Tqh?&gec*IOLsHFF-tVK*-m--N;QUgjUrjPZoG{<6s<$x7w z=px4P9xQ*Wz@)?v?5xGjE@d1KoLy?t>Ia6_LU)*glY+Hg$w>h*MULa$NT%?lr1z|N zAx2>yrMkbPc9qKhE{~w=bh|K?*XNq%QJ9|dB~H^whFtwdO+hnux`WUV+PFNRFioU5 zy{MGSP%di<+I1Q_@Pr0tk)t_GMZ+&aV}Tj*XbXR(c9k#3ajl!;BL3xR{QfR-(ZB+P zP)4Xjg)$J#v|#nQ1{1lXjItt5qqjJV^MoIV4oGJpowd??W>z2u*W&jj=tO5+vr2h9 zB{ny>P~WkGfl;FAV>L7|zllqq(4FDHBrPag>t78J=7$HPLz?mbYFx|<+QHaZy7ks# zM!0|Ky?PgMT$pkrDz?%^i&Q>34`0V}@Yr;0~_x-{$?=kOR)BhT|zTAI92fYORPGv-TOa)ux&@z!aj_=$ zDQ}tet$4zhRzx$e)bVR<>6bX0;)#IMIJ& zJdS|ItTu$onNi*~vJR}G_5^R$8 z3574T9VapquA{7&eeap@fKD5@GYuI;>t5?)q>q8VR;p*`YNc_J%d;fe&_Srx(v94k zMtoyZ?}x$j(K?6Hy%2G1b=n5Qvc{%y!*o~KG|fu1^CxTG1_M1J_B~-%*M)zXn(rC% zf(#byc3fv;8$cjXFQH+H^mn!>Lw*NcDbx=OcG1j|=l$|lf66Z_nf zQf8En$@j*^TIjT$IxI?6t7y2Ctd(0^-OT8IY|RhBMN@2UM9bsMn&T9JDu;C$!UO>K z1<5l)J=vzfUWznHYsWXntq^~ZREARZE1<303y}pi3)^t;Q=c$yUT#ncMiyXno72JG zX+|vU_MS6_^MD24F{FDJhMTJlEfe`i&}o)YY3h@Evi-79wN+|%T^RQjr)l71RBe>f z48zwzbJxN;l#04>>DaRqAFWnztiq&}fk$QBoR0wo-k@^iKEZGcQTMsIc9?cyL?1__ zq?FUgTvF#syf;d<{*ix*7f`a-cPenCy-i{Eeez#ykuGCVz3@D7Sbxus-uyU>9^j6M za;J>ZD$x2ziU3}3%;PG<>$_&QYo=V&$6n|irh7j+ceh#Ny%9GFIHXN=87F_-jc@k0 z1cp%dx;z#C;6Kz`MwauxE7AOM*9Q?$-yxH|S2i3pd3Pwc^pGNO_d<{P+0ilqCk17+M;b zToGvNR!@Jub$p^Y1siQ@PeYq4GOe5V;|VZo8}k2(uw18^2o9H-ip^~z3L6>DOPyU3qqs#`~aiCkP>a74SOaAS>n+)7})q9UVCmn|u>g=2p&%ZW_z9(m|EwFv^<=c%jPBansT zjkW{gby(3IAZ?~t2TY?az|~gCt@g=5)v{g$WGOUvmf%4%QMJURm>I=4ocL!&5zs7S z2S{Z{RIixwjxnmPIg|yX_lgcW7%U~98Toxb9`VWYohT!36;JEJLb1KtqJe&oaF&m{ z-j09G3PZ2Q$ShwxZ3`xT7EYT0z-`&I?GY?lGHn8euQ(I1OnuM~N|%V1+&(V@6FxZE zYpVrG#a>vgJ~>W`a@)Dczj)PzYh3B04}Z3OwIQ$SeT5d^E``vG6@+1x)+d-V0lzO; zTd$9x6M;7pwoGqXWykxH<@I)8;A?@saVCHLwa)bSkiqmn>>4nBH|3v;co=Cs&%$bru%Kxm@=Ivt$z2@3_7o6!>&2u*0d~ z8G~@P3}>TN_*6oiO5y(&#V6bsJ-~N)H9`?K31e;_8b*dYrt$R$7OcWo|M1G*Q|+@i0CNLx;B`yp;>=g=x!SH zj*{o`TgHbG!KkfDB=xa~lA9q=rrkWUyB1$Kgwl>ERUhC|2{Q>Lh&f1mav z^BX|d9Vy>_8(u#PblqzdP2GV$YJL;wYVDRMqpnt~d5nF`zIX1!v`pv42SYtfwOb>1 zOnL_jZ9HY1d~)@~9E&2fUXg!#x2DriL=wFh)pvhfrET%P1Ly7f{*JG-*!Oe}9~0xNit%+cMuayi#fc;QsnR{g z%2eP?1>U|5bO@7ArhRs8Z^l{oONIgv?UC8fte4QElGmM^p*X0WTQ9I(82eriXfyt( z;>(|TOnsw!tsA+Euq`fXH;`%SuOE5in(&p>R(`mfr6x zVp!+qKgacX_VhAa+6IB`Y%(3W9ucT1QD&^ivNZ!W>&d*OQ)XDF9=VYy0|!7l8R*oC zJ;4xZ#$BpUw}O8F`b-t6E!LBN>_Zx6+NY(dPfvz%I|@7dAB+<1i}u7ql{M!MvDp%Z zE)E-sUCDkysERPvGd~q|0%DDGQWh0~ng;rp?f+a-J+1D6RL_G7Vh z{)UHamcDbZ48!l+a?gBo&2yeX+i$qHgVAVif}UtkEaZPz%B^H(r7I(?_qTWXI&+Rh zF2nkYvk*az7_i?-(Eu|BZdzLrCq-nx6z36LO+C1ur$-@6IPG`-T-~ay^)khc-UD&V_64zB)X(sX2Lsy!(`rxu;Fk^iE&N%gO z98%6u`G|j;_0XxA5n;`wI86^iO^JqOm_T&b!+NaBqL!B_lbes z^|-1M;ek>xRjx(FmiqM&U1d&E9*2*Vi^a5)*6oXoUg4}Ra1>s+wVGzRHd3nVHpdP4 zq9b7!mG}_QExxXjKpWBF=Fl>klnHIL$dJ$h(i9Zp%1;9?aju0~#(^d-)V9P@?=ciZmd#vCwkz_bI~&ejz1 zAvrKZ(%)LynqTvH_0xdqfqHFYYjR&@eqeucpkCY9l3aaMXi~WR+YnVEnu8{6s2u)n zNvpW#O?6aYO1%2q5SyqYNCl3GP1Kl{os@|Uu~qy-9F>~VP9HOwUE-gM$Wwr(HuYc) z$V$?;Ni9ZwEGi`6qQiFvqXK~AI|3=wOW&x8$X4r%0Hk+8699pRfUVXW0lXE>krRLG zVfJA`&yPN`ouhTkfiFIyE`z>7q&{Kd)iE5vV0@FQP;d-`V;CI6;Gjl^!&$dvtAnBQ7s~Fs zm;np!m5QgL#sQ7EF=2#HFN9Y-5eI)WVhB$D;jX~baWErpOdHA5w?k7sx62>QSwpdJ zj6!JVymz;zCZIOU9XKwU_|WXs<#IN3I(J>1haM-d>9L{7`HOd)o2GohVcwWZMfGpp z@Jj@{Y4o=mq|NCE*pIt)Mu!8$CnZ|)%vU`8bvz=SaE(Zq4oIG(MzLe!ML~bryJ1a{Z^#E(};Fs zc^!=f(2hqxlPpHo_UOVe+pm9W%r8vVKeWWq68zf)9?b1=iJK>6$doh7!JtGvm^QD7>Ck&;zSwsduS8mm(GKzh+W; zeG%hHtHX|h?Zv6zHfpcO16o;rtgcww&VB4j&NM<{ID(k`<3@Xec{Z@}TD+kCRuDFQ$Brx}8D! zE6zk3H-)53C#lh{ZTeu2=#5bQ7R@=j=CGX$yuZv!u{a2*hNv4i`3Z6K)GR;6{Y}B~f_4(=;%~UH{R(wav z`I>+7G|G7XF|kc0bmTpw42?2nlqsWQ?pM7A@=<~{(i*C4rl!xs-{RU71*1)kT3r<` z#8*b|Rs3;*9sz&vl`Q2>ZX*nsFZyEI7Xx2R`5HI8DrH$t$4H_avhYm&i{;N}Nv@?k zWXn44OtO97{My_h=1#;q6-P;!XY)FVVY0S5i|g~#6kG0ir>lkK8ReZR@48I$2+nR- zt^O2{FjgNhshZOC%vTEhGUb;UzatR#y&}Ws`{^&rFvWj6-9Rzr(un-OIK^6&R6La# zlZZ3uq?vPB9DwVhH`|{l0UitXRfPp~b+GfG>QI>#DpNthnR?R_+iv=#L6`0TB$QD4 za3)a1*XH~`06=Z&g*n?}+*weNfIYVRf7d4_cRN-ard;1vB}^b<}@Uu)58(bbM6DYexr;1ndZ#N7~Gn zBFoSw3f=yxi|c>0p;c8KX~KgBc4?I{txK@t z@K{n!1a$^DK1lLJ)i27^(55@qpZ9lwDL-@-FT9n?uQDW9K79c|836ztXuhw*ba7 zkAx1-tYbu>&HMDMs`Q-jJeYQ>d36l#aP^= zP-(SP9BO>SAX5g_x~gPw#PkEspZpi63L86y|D_3SxevS%cHx<&8(GeoY=q^IT(F7VO7#y z!N34Nt<%!{07-ZHNVA}+sh$%lkG{G1IIA=whyQParqaP<;1GQT9zegpWpVN;pI?}( zQWOu1&o^|uKGK1BA8DNozB|>XS?qt+RQJgkn2v#A3=Ctytn&^HrfD!mqeo}2izE}2 zH+iEL#T(5dTJb5v{h$0=5fmn&P#g-%IIG>RTvZiSbZvy`7$RTw;_UG(a?gJ8fD5y@ zFwNyAvAr(gg+r$`D&9a}X<7EVlvkKn)mHh3Ur&NW_BA=$Q-0OczLz+R! z1%~^-8Dfs9t3jf3#W7BMT{GGxqbfzElZ*eoZt5h~V$s*`7O$PJ-?dC(F`oaucI~wz zB)#j_;pBSFtVuTIq4HHfZ_aUjmIq~Tx@|{(SLgERJx(S}NqzIGIM1+oldv_@<_!Z3 zzN>TP>lqmsF|{H>SO5SfV26Lq4)Z#7z_B>OA_v+9X6)Lz9D&WHElF$DLnGcFfF=o!x2=*6j5&?u3d3;BEo<9#X2!BhKIqKX@wx|vWze?Vtz&=Bj#3tn4AkCUuP!GFd8O3 za-gOXwe76J%aphm7lHSsX5K1BUM7~7hwl@tc}Bf*)DZ4t@-r@&cG0u74!bsCJ@U%CCd z*SDHuMTFX-;UpDLW#q9e=za2E=W1695;&>A7bBu@u$F(CwrHG+k;_o-mYFQ$|8}M*9K=V7FChsMDAa4C7`WO z4LN|WW>cm_&>_EeLVg_!83^Ie(*fzwb=NWqomrtX9l9E10KLto&dG6uO3s__qWT07 z>8}h%Bsw`K_3t8U9#5Kk1B?nBSg1`M?NTTzI5=%gHdC_cV;wS67Cs1$3yPkwg24hN zHOGI&65yTcka(1Sc*lZQti_<{9>fWB2vXo+`g-Srz>^~U3X5+I+rUT1dBK{l*Q}Tf zrW?!aFcvifNk8uSpa_DFX{^D2Y{VB+e&}Omb~S%IBH=jX$PIru9APQ7=3MdmTx3s# zuC-*g93h^6OIVsLhK8XyE6=gDr{W*{N6&vHdnub=SAZtSR~1RSXE`$y6jOm)d(eTN zA{HH3ZdM}(%kpKst`CaK$k!X|fhsOm6PNN}OA$K|TWjFC zrey>P?LSvu9q%ra>M_gE>U(Zh0akN!Fs`AfODRV~SM&BBgFe&7$4!SWI6vUMDy>BR zUeJ=|=IanGEaNt_n9_l11x{<3o3B2>TEWuV=C>W;YIWL?e;JG~-JhXujX3lEdQFdYmWKdze2 zFseHqrVy(5H-vkSkve3IQlx&HL`xlepO@A%kC-~^9%E;W7nY1G>zik0|+qhXyR zDf&yK*vq8)Et}%fzCnNJ9qMp-G);V^sTNrlr96utzFv;T_o{<8?-oYDbdVGJ+-F`A;Lk(hF2uucHSltxu z@m8A%Y3U8N4<)CY>7T1eUTR*!n;KN)^Qz*hUi2C}_{L3K7uSC(;dGQaNFAf6_@!_7 zZt~mR_lO}#c)cY7@{Lx)bdnG#qd=Jn)GYfA9e*eJVk5rvzLWagk#L&FW`**n!wlvO zYuo9Lz^AMbcR0{!YQlPMzQBs|>;F!iPb6rT;6qO=VtLw*;(wlm;(siP|M5ieUHrhZ z#XDtL7<+Whtz5qcZfrN@DS z^`F;G!up@*zG44k-?0DL^oISxVmFo{SRoQNET!Wal+D2yp#1F3!pP+Pk`6z2=3Nb2}fW)o&Z-iioy7chsyjK{>s z2z_YfAu+02i7rJhFm+Cg?_Aw^ZP!7nP%^(*Kj?pD=;EJ9Evhvhz+B12{dzGW+sS3Hi+9(v;5Oi**^`D^469z5O=a z0el-pTO`K_7XZdk7=&Vq-K}f{iNAqtMzTk&%!VcM|4PoVhPe6(N5rU|dSBZKkWZPl zX~=(T5DU%L)Q@@rJsnv46O5r5^}&n}z44G*Q~kcc1ePxal&x?oOM5U0?1i0rpT5=f zJbjpnJ*FmOd4*tJhp_;!;ojMAdl(1J&eZ%qw|jL?L@UO>V-lV}9xFf?b##BPBhdlNk=>3kbxceL$=V>{)LX_F8Dp)n zzSBosi)#b@0`>XCENNP$s;ya83CdSK1q@C zU}3285ov7oK7fD&kZX~D)-NAbT%Lu@s$gG@?~r;I?SaFlHt@FLzV^b!zS6y@CiB3t z(-i1nT>h!L=CExWfBIb!Xybi zjiywK?FtO)$)#jwB-1?R<4&ey`i^T{eHlNeRWVo?;4CnYXS-O26X7`goKtB~H@Fg` zZoX>E@pDS>-9Vg*?G%J=5VL>E>W-y!Y}u&j_HFMbQz4u3hGz7~8(MM{3E|R5=mT^w z!pUU~74d5);@4rsxR3!xtm@mM!7>7v?|qLeS;o=oD6q9hM-i#LOA+e8^}Ovv{pL+m>Tj*A1?zv@H09J{U6{DQ zfhq6VcGf~x6@^S@%Q&Z(vx~^D%|Y3L6^2&u^;20HHMkZ{8A6;l$Hb?!)5l{#d5y)V zx=22GQ@_MngJAIU9Or3$jz6KkYVynAw_Y5Me;fj`=EbK8)rt_sN&fWFtPgUFBo+Bg9TyO@z-DYRrkO#XARDu52zDg zr_+)CMRg8XLJyPUzy4wv37mJ&)ZqM6U-fLL0$%6xIE!>-)a*_>hg5ZgD^CBX8p}UL zp3bK`h?rX9`)U@T)q%BLwy-7shBY=~jiEL8w+GiLuW|?FI(2{Ps>NK(xUQRXRa`&L zrnABmFtuzMzNay-Yx7;6$_B^Qe;SL4d4vv$5G2YAbG$uKeczb|n>kpv2#ZI{QEq}2_w$*^0}l)nE%o;Z|99t59} zl{UM>!@)xG@Ed>1?Jk~DIn&C=4SDA#-)~^jJ|0)uZ{(KaY>$jYGZc*ttEYjDMWBWc zs(GjazPW~vp~*z-8*9wUY+7{_SB(rnRf*!ZsiTuu0RmMAN3J=94p-HFQhW9i3_g6aX`V|E~0_{MR4@ZdBl5aT>F2f_tp)3f!|{{z^!qwH8j2f zKGdS6u0R?Z#?Z_ezc9qm(7*-wP)nVf5~!taiOuCjOz%$pmkyhxq)tlKQrRAi>rm0Y ziDC(agcc~Nt);QIp`rT8m%I{18Y&9ayI+ayNS+UYQpAK;jd&M{4CyP*M2ZU>s#1?$ z9Q3CYFdKh>b*KX%N*d|0UBrdb#Cy8+lAxs9KJ;|c(JK6sDhr$xD3pKexWCp-af#Fq zMdhBAY)S-GGo#vMIOA?sA%{ITqWbyLcQ>1X*gf+r;#)q;Q%4QwexBRRJ56Us|5pY3K zEIzfGS3#m~TzOkci8m0230(yS_ z2F`y>>1D0nfdgkwXn^Xd)GK6}n>IH064=7pG)<+aj)6MXs_TmN#z5|P6S>6OUJCa% zl68S-sjQW18b$$5D?X9zlNF>9)j&@ke!9M>S8X1$E{DupcsK z(ikIS`qh7mdwKWROronNg3KC1;K(c>t7}yeP=j1%YY${MR*qUq?NVMDscD!MO zk_35#xwfKcjYrw`Yi86-aogp$%%36`$ ze1~6>8YvvDSSUJTd1v>cjMWpZQ@n(B`bFKsymA{;srwe#-N1&zy>dxKjXm<9iI;!B zUo&|LY6u5Lu3j(YqAJi8K`Gfx%VtV8vt&=OwjRn1=Bqy-OVIrg<_&XRY03*GuUHc2 zn8VhQjH%8=bP@HW2`Bde36dE|#!^DfBta>e8OaYUdBs;GHFo|eUKJr_}HW!OpfRswqA#kC0=os!s< z?26-q=e!aLp?#qbXZtFYy5~5)ba-I%?2v$==I2fI$MR(YjFev^%c{d|1Gty5M(k+kCEyXz32w;_PF;{Ef{fr z!zSb&3or9(W+DI6+KfzRYY7O(eXq%)-(s=Qwa0(zdf&!Zt*5U`@&3+%qv?ik1~Wmo%e1(}B46|#7*QO9 ze*QiP-BPc5lWO%HFDs#<(3ho(yV4>99#YatoamCgUGp?MHZQu9&nbd#%Pk44o z7Jc}#N;NK176{+oFKNSd!7ZKsokzO1DP#nuLhv-E+!K@lhk5jftT?bken_NQ@$r%s zNt{J$MWbnJK(E{&VzhrT)TUQmQVTkd=v@wB%8G59xkfP))?l09tKyeJK0RSxT@u&3 zykm+NaKMh09F|3Sp;rE=zKSM&%ns=S%6Bl08j$})c?OMYP9f4W+08)ES5AB?ZK#spB?eVZM z0a3+s{!ug{4xn%9P^6kasVj0sxJN9(brT<=32+Q7sf`g zD49&k#8)wrIV#>G9GKjHMK>n~(D!eI3(QBO8$nTFU$RFUbuPjKfTHq8Q!bdvEpZ7D zy%dPfatiF=UcbcGrkL18!vu(net<(<;=^QOI>^bMO@Oq(hg#R8r;vd{-BH6*>&-pv z*9)j+INv?Y{io+Dh>}>o=WA~PBWi6hW22pcfuRkiZ9Fu(23^>H{GS1fV<1KCZDCGp zAGfp?yuS|&@9%MVe{Tlw!0g7+twT-~ypBXn6(7e*-SguG82>3Vk%)$(2s$U#Qt2Qi zbxglkFh|V+hWdBN1#Uq6``{3_%?)lqJUGKGa|I0fT|lWZR7&`pmT2qs0-(F9;X!U3 zvkJ@j?Q-9fA8a*$kF52COdLUHld$-@wKkIBrbOTOfAm48sQ|SPuglY6kKc$TQ#*)pX6Z0%W!zKgWE(%O)ui@PpEf)3cD}jT zc#j37fqYAU3lJy6I8E#>(x;3R@~C?1xSmn1RZ%q2<53tMtbh+GK1$yaVbT{SEjDxRb3S9cn3=6T1kqOZ=@chf`9WhZk7;QVwWa@ zM!uCfMkaUM$c7a+YvUeOG}l%hC!Y~!a4A;}lowHdZ)FT(XPEh>Ts5F#>^D@+HCJ78 zC{J%>M#rW;=Zcl-nAj=_lBuVR3uBxp6FzHReTjs>Y?0Vo@y%MfeN1mH@{f!+Yo|K4 zWGhO&^-y?|oYMlw)4t0*Ad0c%saBeYJ+b|E2R(As{s|8&1^wC$8l3hbo8g&)WGVng z0jTwVWlo0KR8vS!H!V~DyUa;9(ax)_BGSbzB!E+*&bCu)nKT=Xz}98?3Ja0 zO7QwcZbq>EyQ|f{EU?Z$Q;N^dRPezH}SnTc0W0)255|{hCBP|THw6Z)otV6L^ zD{u93V?`anEr}}N-(o*EDrGixBQ=cI)XZ{n;mx@Sz>U&DAB$bxe3#wS)7^;-=J`>5 z1Oo7+mFSJd-sJx(fIOIF;Qz&zs`xv93ZrBpl~CzIOIqx$PR{(%tL7HYv=01O?n?X{ zf+tiV|2g@QX=j|qO?-FA@#=oG3Nxsr<6niORpU!XwG)pAmw?p7X6^1F>4 zTg8Lve5ct$8+%?LC4fHMeUz2R6H&(5j#gR?X3O1>I%-EdMge^~SyAcaJ}z{BXur+5UzQU7;IU$6)#6Y>0(~w$?oT1(Nj+BcB~5e!6V zHO{6~p1bEY>s+g4m&lYLpp2D9-FtmsdrDL9(L9Yy^$j2}??c;v9vlbav~}poS^Zl# z{Gy8=k;vbReLa#OT~cBsXee^2@0}A`Wp+VI8$uC(h0^_=1zHbf+5089y^IWU1-INF zj566u#j(9hVjc@&eJgt;?tMF*^xQ2WAEe>X##j|uRAzC$!|kVTJEek=ijJlQ-gbJV zmXwzFFE#lsFzsG{W>}}Vpv>%>C@4c7QUz*!F*U>T`Ky~M7I{;@#CaN7-?wskTM?6r zn60R%(2MJKI{?F$n0C{%%}mtIOIX*rE3R|NeP8apXac**rJ|1Go~Mrj*ggI_7V!FTJyKkac5!N$KUDaSF^3U6U~UKiRo1 zkiEp2i0jSDh~`yTN2@;P>z>sAWCh_S-YNY}#-%@;$72QAcW0-(FIR7DE!o7YH{7L1 zdm!(!??{>Nq-nCP^+S~MZ@$)hi^s00S4Vqi$=AEOVb%4fs7w#Hw!6#5PLvSS)y)zz z)aGn+hetwx8*@*L;H2RN+MzIN3mRUiPGR(}TsHzcTst&6>B7NWG%}(DR6`%%%eBFY zTpsr})@OD)d%+G~*F`l^J&s0`=fJOa^wT;W-xQx@Jg%ahEuaW8((0LGXV4FCdozPR zc&8~H?`!+&(?J=XIqs!47U1b`7ABOYc?&^Tl0 z%picSGDmwgZ-Ve9br@rorg^UFoinSR3itd9dY(gOutNbzM?JsrV?^^jjf(e(CSBY~ zz0|;eigz{fn)H8W}rFSO-4fCJ;p$+OqR`2aZ%TS;0exOhh?NOQ;dIBlBWMj#4_qIzaF!be^ z77YD_ahaUTo=SqqKW5IQ;N8$b$^6+B?i-tbHNDCP_7=@hcHe682FK~e;x3Om$ZlY^ zqllrRp-6Yb>T`#>uc6h>Y|6H<<@R<-IBz>_-wQkPmiyeNgmv4f(bE^W#H#9q9L6nc z7sNW!JU9&IuI=UfeSsdVhI8ZU{-Euh+mqb!#opG_@HQN||D4^)q&Syh+Kvbp8&-!zN=P@%#m1GG^nH+t-IBP-_x^qd zKHdCTPpqzCZOeEox*Eo7l`T(y?WVJfhf~#f*FR~3ntPgy>cQQnuI#khQQ!VS|tp(V0)0=HFpbWDUve!C^pQE3aTO2E*L zoo(&T#H%-^dC=uolQh3{t~WENU{XbUR}XaEGkM`nB@%Q< zbt-CyYO;QzQ`OG92Gud(PHmb;gBXbP~_)`?uwfM*{G7$;*{-A?fsrp8_VPQ2|ZA|*nYNLieXs`fL zCLSz&wI{>A0h=j*7=V?P(7+92+mW?GgV|Ra{_%Sps#a)5{D`4tG_R2VQxUw@2^u{R z_)EPnE?b>W(dba6ZbY$n9_{{6Qv4At?SB6$|9vL;^`a}dYk09KzIo7iq+VT1Uo)+D z%*1BUXvxmQFjI0zEUZZkGZ3D|WgRvu%mB4cTeL?wX>o~vMII0ZC5S#A8O1O<4t1qz z%3zHbPo;1nnWILu*T=Ggj+q)#d?a!v%F4ZtpGtlS7 z_3lPdz+yY!j|ai6W#n6pcvBjd*yxUfoU-EjN~XGh12o$;*T?iNGCY5c`L!H-TW0=& zXUbA}y@N?BYTCGKgQr3k;IGu33BO4ZKfikT9sHtSI?A}Nzl-X@g);%7Dg0)}@?ks^ zO~RQBPM}$@?+9Z?nBMT^SkkK==YKmmHp2AAa>u%>^G_+N$3r!@HLW{3x7ylGZ_ZVF zdw8~gwJ`PR&G3XVFuVAjJh@v1?`9W{R@G(}|32uAqK-sA&E$TU>MT^RHYqCnKU3u6 zB*mA;No8mCMvCLugnaX-QDN#!R3}AwUoD*vVv~BZSoO|{L)Y3!)fYyQ+6o*DeDIuC z@(u4Nt<^}kdNUs?ZYJYqI_?oY?yh7Yz3cRU_-S6jppjv&9Lea2^5POd_IF7i+NCYZ zhfA5f!lCjenY7B&s#XO}@h)#-qh%=1hv_VqZyVP#l_lA9Kf9oUX%)649~K{`_^Vo5 zk_!y1Oj`DLRXelR{hexS@&drCT60d0YzF!qc>J$z4lz8Rzv*MpWGJe@s8TPT}f5v|L{CDehEN!oja_ zFy8)j@O_E++6HIPQh0F2{WsGwJ!O1jx&S|VFnIVkRnM(;p#8|Xv*dF}3@FBb8O+{` z>OxD;$s~~4M_w+x`jEF#7T33?TkD90u%cdIGn5adFe8Pb6sDzgge~)!!@f-X%OjLu zy(iJ%|KI=n&%SPrC_IcwQ4B@h5W9%Lz8AJWwVO9>s23n`k`~vujO!izCr+B%`qg1z zA-`VUcr`_}IthO1M8+sG{6AlRskHyWw^B-x;r}U0-$e!^)@Av@$o=HMlf=@g_;SQ& zN*>0_AXfS3s9EM)Fwp{j-9bD>&vf*ymMM1NQBgGjY5`98P2}aZ(eohR&rdB|5LSez z)-zq*QK9EQMirK#ndaob>KB(!w+!M=T2y^IgJVhUW_VNI?;!VWRZXIs@YPqijh8C zB;S9n^Dp@Ed)@=FHUEHr(cqJdSRQq&sOOZk`VKHb*itt|i2tYPg&G$96&p`(4C)?~ zy5+Gmm0D3ztBs6GMd_qeJFhnr+{V}yFhzb*b#96K?PWf)6%!%d5^Wnyk^Bl?VA4Tzz!7_6Hvw;cuo#JBJ0D+jb6m1P42+x15O-E-<@yYY(&f1eJ7{NI8f|Is@d(vxuiStGz zYU-tzOZ?xWifAz3UE%t~NS`@Pb}v4L@i7&j9r-NLBHvat#AifXk1a$T!Qz@aDJo2>F{)nFV~W4w&PWTaQ;6S+O0D>(W(E09d$*Civ?;*oEPnt@+z2YygFvo5Vw|@Pa6c=d3hcB=H#Ld5=G`k9D zbC)ll=UDwhdPglT3UQRc|IdHj+by?^B-_HT!pl8z0#tO*iE}SYcDHBbwpvtA@7OmC zh=eGNL4XZ_mgTGS8sF=EPjV_Vs|tnx%mPTsb7709pRBbOfI|IdCFr~bKYnz17pidV*?22mA+j3dVhbbhdL&!gXhm=P)pD+ z4^g^JOw)oa;kX|CB3RdWF`4u(Q~jQuy@_<`!F<5ZH2P%8J_!1f0RDm(vpxi1@EGnQ z%ftkDXfk4Jnl8qcRmOh?5YQWaIa!h7uVYxCw|V;IAw;){Y5d6&wkPQq!CK+Pbkg6d zXIcIB;oN0mBIR$@djP*R<9L@wTY3rJe}k=A>ZX5~{5GUf`JClnE{vbXBC)3qG=gN} zNbPz{rVFxeCyT@$chC&d9~BH;+~2Gg5DG5FHq^YEK}O?h9uI$6xPW2YO>yxheEfn7 zk?@C~j%>q|g)|=Yv7~@X3a|jMM?Z+dKjAlyRd2MDQqxd=RIQj_$j;&x?98I=^luo$ z)O7vEzhpY;3?DN?2ye^!Ay?h3+&&Qc+E1c!i<6b2XNgQ!&z8P+AF+2BG@nlU2tQMF z^Q)jKLJgXnNhyCYXrC)5$d&3-H0`r!SnXemzY<;Bz!J*p(odx^dy^$Xi@MT+wVTc* z0si!|`u%2cn5#BAWJS4C9X88}Zhbx2Pb-1x$+8)vRylgQ8o@;4RtL@}VxGZh(f+UM z!KjD$>BqA=Svq61dgvM<1pW>KKm9)6hp>y^v5e*u>sWtAC)5aCA~@3Q|I*Uj;S%es zT1#RExr+Fp$zj>mXb)Zb$;L7|S-yfs)|7H&*1n(m(#Uw6sTonRD)Z1%QopB))M;); zd6Z474g4m!_ji}`s#3ejQ#I)@Hlrf7C&l(559fN-Y@gVK%%xVt;0Y9~LYk_1D5U+* z?Jm#Jb1#fq7d0&=5gN(!u9t6UXA6n-_=3!TYFK|7L= zrD=q7GwX*?b)z=X#Ws1cEY)wGa8i3>z3hmDEg;YZ1j?ut3x4Y{-sE9XC0^*nd81G5 zA>AR5zlLQ5OOfH7`5MC+yBC}MF0lCR4k${CBXfIrj)=KttJdifF9ey z%TEsrogJ1OE=>0M6#OeJ-6^9fx^>7@8QJpC>FXx3xYh4y-0tHPhsUGbIKJ&9-IcJ9 z7lmLB91w>brmBQ>W{)uRtvd94aP&~{@YT|CA?i$au%0dj20 zcnF)xxhNqY?z*u^A!G#se6Vm{kot1N(V`r%t>jFwln;+HHN992S>qr=J}bz7dD(t5UZ057$m^$RaJYBL2o24 zj~p7okp%J-UbPtYJahDNVfK|}IsFd{&<@E_^{a(EU61$H-5QT(UsefA*K>cqb-jkq zX$oE5?c$Rjx4gXlC}nmm@dd@5W`%BeI3awVEJGsJIzR4+D|Fk&4bh_?%GCT|+mW zPo_Jkh!dCy$OJikrNVc2w^s`aMhCE7oN6c3viXdkYdgrrJXQ`59VCB#S)QUWDWBH3 z>4Q(Aol8W5veQnJ>O-f378oSvfW982H=>HYF0q$ODSeOOSIV+JMHmG&{FNqEMlT(l)#Gi!DU*oE1FQc z`n38*pI2CT@}s9y%*@T^!-?|O*-)66hjZA_n$AI9yGJ&#NR8N#F?5UtWX!m|)^y#o zk|=?8g)QZN+#bwqrnEiTlU2l2*|5*3+mig_`qoT&QaG1alx}|yS)7*GTGYSCDfQ=K zu`yY&nQ4COR;Ir6Yh-reTEnK_ELDy0!jD+XfIr8|QiE>c!!XIh?K+PRSuVU~t&Czu zU?Ct2W{ORPsG1)_xLjzo@uGanlo7LPL?u{U*#yPn^3T=c@(=V7G8J)qN9w6mM&m*~oAhH` z2u5}mf47%~N4}}->Y3I*OruTx=JGQ0>-Zq56y|!I(r|xH78{erq_EdiI1CP(ARj({ zTqg2pa4_o?{Jw%+xI|w;mH~f`t*@X%*Tnd6{p%QS*sZd`jACwJq240<{g01V)pICo zl)2cT)#%&ktMCVK#`3Zln)NQu(wF*Rj#&a@hDGGW z##X}&=8%7qaM#4}mc!`cGu35>b{$U0>fhs_`*X2?n=CkeYkuolTYb6s6sF;hUzuAc zcsQz&Fof^U!NPB|;y6fRzoxLR2g9Y0P5uyW5Qh58K;BBtL#>h{VEAhqv$mCUNvmhB zU>PoqJl(y!y!sm(f22M5?z1#5vs^XZzNuE5YJz_pOsm`pVlecu$J0O?4z%F_tw3Ap zVA}g`5CQ!F0Wkh^@YW+v{~c}02s&UCV`;QvJk$|e_tVN4t742~?HIF8l)@J#oG)OR zzg%SC4RfO^g8XF-rz&APxE06|OlplOkTM&9g@7#J`A^u$ZU^e>4JwB#3}5^T;fq^n zk8giCD*|g|4tex7&W=UJq#nW*g=a?~hsj=P(FidE-4y7p0(8SU`>qGl^H|~L&Bm^2 zoH3!}sJt5Mbu^-8`bbtEPOYYSjh?h|ZUGjX>;N^7@CLQB$v9E|_U)o@qy~AntY()bT`e#= zmm>#9e5%uyl@jocOhWvWJIG4W>J3{uPSO%x0p?aN8EBl|rR?V6p#xmRiYM{zsZ>3@ zg8+OZj|{ra>?gN+!_!Ta7RN#WxS2_YxXNul@had71AL!zFsV8i5%lj~ghU$oHyI@t>>3e+PHr3q2z_+ZRVSf$#A_-6H`7H-n4> z<3 zzvTLqzMd4ifkKHEH;`y?Nr_bDL5W7i#nW!Zd!$Bl4NHKtScChcaD`yCJF4LE7}}|^ z#`UdZoVXSk{08@X&|=%ZT_1|^4(d)!#pT|y(2>b`BqxV!*D^_$V{NhI6ncMU@|80~ zJCa90No8)%ywZv{yNXY{)4hK=NM>FU;WoulboFOlh7U=mBG6FsGEqJ*4*B))7r%}n5o?mLtr@;H*%%^c=zj8UiM zqtuh5`rP3BpZ@7by~m6sQJov!A&@3686n`wj7jDq~Wba8))6J)Sckl57I zQ+YRvr0w@!-mLyMfijE?tnJVMEhpS@Che!0^c4nd2h~Uhu3g+Ur}*n58~+8;{ms?R zUoGA7!6|+C<)u%z5nn}g{|J`~;4iyYAl-)fR{em`!tmGGCTQ>+76=~xdhu@?@Z}B` z@QVk33Cf@9r)OnQxqW{?KU1mdxwk3^{vV~5j{gBV6mR|1qclxpR(`d+uTp7J`_V0iCM_mtEL2LYiTzT^+ zM+0H;l5Q{w!mlpZds+^~K59*1jjssx9nlUZK~<{DK$|r$6GT93+breUOjM`$(T6Vl zCfqzlB6+yxr26!}Nibl5c8A|3pGn>}JL{a-<-Q*G@Zn`iDv|YPT-$P9_y19CJsWVN=!HTvrq73BgG(d-8$l1O7m?{%jlIz;I~NS6s;9q0*x zsRH~_Yo*dM5ZcxdvpuWz<2IfW>12CaBo-gm;h2Bd%t;n~g)#jwvPEms)R#DPy=!Wn zFzJF~rsz{d<(h)fEi?}Ep@&N^ZAPs5>Y~gVPXTBaGLwT&VvL)v>Y_$sn&B5 zkQL)ZL|;{_X>TxKk^s6*wl3mbs>d8Vf<1pFkr?+ENt+9_IiprHSj+ZY+)>1e!oAgd z2-EFzye*&BcDS+;&7()q!r)b&_Q?Uax=q@a;9@$$FaxU;~Mp-!Av--+~(zHkm$5kQA|A z6<{uW1Q;;nDSa=1DqnQQ94gciY>rYjG1`&Fl=r2`ACZ&#>!VOByQc;!Kaz&O zn&s;5gFmffQD%GaZgNm@^vc$Qe8@75dP;z%0%Ho*Xas3tFccgsW9Zb6WpjU~#=Z6s zY22KjJk80U+O^rGx0(I{>0kZR72zY0M**Ia^)5K-j2K#c5^1t12B6!Wu{Dk^&0Tw-#Pj90cX8F+F37eo{*$? zDavTSu7(TRp*{+TOnYhrNywTrLeUXgZ75q|IE`D-LvqD)h}p+;w>eUHtc@~6c+Of-ikdGu8UM>A_PY<03m+B{FIJ4!r@X8$g-bd9^TH|h(Y+s)p1 zUdQjQ3+suFIsuC>t$LjNMiz;fGQ0Pc_`qR{DW`Y>x-?;O6fvC7BIp>uR zLVk`O>;Y}+w=eTfGZUCA8}{Hg`0X(NGkWl+{9S(UF5xmqKjjhS?7N)4oxT2Up}VkNg|e6 zMq!>2k zCxfbNv=!X_TwUpH&){!{+$#ABKy8EiBi{`35QA^lPZ(-+)Ze037{UGr1kd;e{rkDB zI;!5Sk6tUDdOUxZRbRK(_V~x2_c&-cLr3>ZoFrxu62Nw^JtP=6=cfhOv8$L=w%WBm zm|g`f^m-<5ImjDeZQo@T{PqyO^13|_RK(OaPBnygL>e$2=e`WtjsV10j{wD?L@)7xktrgUtIx$xmR zV91j$YzqM+$k<+J*6HFJuNT*`>SL;2x&K5_mdEP5s$RPy$02?9+DC~|bDnx=JAtx; zlDOAe6&*;6)McqPfNcxkmjI!mNR|J~S$LtIt!ygmVlGRu%U8uVY4S zpk|ndTzr4Ceu6n40<>j(0Mx>qgM@DI<|fA=~kwGUy}7OrNP2XVexKQX$th_%9c zc8g8?h5!w>Tj*YUDm84*Um>@5S-Y;3nX6Zcia&oIRf9n9TG!|7xnVx)u+4g^q-_P- zmO10E7FHei2f+&+Y{mtB6*InYL!WWsW@bP3#;dM9f$cu@9}=cRotuLu?NA@KBGaB) z(3#YYF`14~trSJfI4)y+>#t#U2|tMS5D(pWCjIoXM**NEJi)Xcq7N_Cfmaabt&QBt zaKhAv)Ejr;~UFQJliwf4v;K9wMVFG%J?D`mLnlU1QC960bs>Z73g2;DlGi z5*r*}@@RF74f|_0ICj-DbVa?B8FaHf_AQN8y4RkHjhpn>$_@lV$Zz#4~^EuavVKdqdm#8zDm{WK7YkOp1CPTnq42 zi(}MZD`l)+t=9u|1{D;~GrwN(zLXe@nvRBgVx%yVmri`dPW#ZNP8*=2ZMEouF|9uE1*83p<2+*%sP zh2RcV;*H+V>P#vcmx$nAwdSS1>%IP@{nel7#h#}P$+0<;c*E^Tc+_-y|4o0$-K=oy zmlH6DQr$LZQVMsNxdB}d*_`rBXlV}Fnokb5wb}Kq&GwGrFtpPJ*Jqj75$bl7pKQM6 zcuVSfp`lYY=#UmOG~N;AjFDHd3mrQ}YiVb_qC|%&0Pg=iXckD7j^CkzQw2lqHzPYv(9>=h9QK5qthJrLlX^y?d#} z`R$`UYHl7~dYu&YM*3^!Th=5!dwnDIM^;*I=kk$cWGFX>inhJ*lXQQ`mbYZeP9;%w zp{LibZl_mddUX^bx2s`Jvio$#BK-xW^;jgMU9|IxyHy88IfO4s7H*rWbOg_MC!~eW zdoOe`&708`tf%93%o%RStc_iH3G)hlj%IO<<2>VJ43qQdbh6pj8iQ$LJ_Dxa5uq{S zL#tU&GvL$Y;$F|APTPOtY$DaJJG7dhi~pL|ehc2bXI$B8(0$LcFHv+*UwM0@8bN-n zxpuv^u-2-_pc$kO$;+~TVyJ(E^|(FYG01dn4n?LbnLOi`#DXZ3c$Tv6KI)T|^_89_ z{B1SiqYRkUKYb(37LQYUjGeDUFE!yGJwaw~iI-2=5AJzavvq%-y0xLf^6*d`lc*Xz zr|UViAGbe~()yeTG+YhJ>ubGP;riAb8iBzRw)oV^`n3jzY)llT@%;zl^xR3!Ec8i~+2g_(@Y5!b z{#rlB<&%1?)_)zNTn~#k0;Ot6ta|9DECt$9fR<>;y&1?<)Exh+GcPc+;+hNnKA}%o zc=^A^Tjvl;I!tBHU9!fr!WPXsswH#g2unJRW#2r;^Ot`pgUL*+Rd013|DINp%0B$I zkI7ky{^=)4pB-;ev=v&_LqGLoW%%ury6VBjHN^X2!*WAKgpjH6}&^Zi1!DTq|Q~cqef!OM<+7cJnqijOS8fhRt`G)&h{0v z9Q*d}jS^rb#Y-dPP)kB|sBLqUH+bsL8Q>D5N|j37GBzFLOVh^Xz@ zHM^K@>3Dl+1~pF?nyNh1m$+4{lA;kbL2a(_X$l*Yj<(I9>U)6O!)DYo3iIS;-E=iP zmp|hfijZlGWwjg`vwa<3M|dvD0?jO*8lI1<2E9~e&CGTwiVNstMmd~t9@6&0T7W=Z zKhu9QRkc`E8G$hwfJxdy>;{+}#1yuGFr%h5;w$3UFo{(M6b=leoZHBrPt!~y*HLcW zOUkMkolY0yJeoF%+4%+O{{R2`{}l_J)_CUrmr1C{sl>w4`G3)NU7ZP7n0409!gGO` zB8xHsjcMlq!@{oLt}kSF)^0mz8qT6l!{vYH&r`MOwl{+^4TqvXyB8JH}UU{fZ9Qcx?VGez>BvvG~tuc zEx@-&JP%X-nXF~g)Ev4gV~`jA5WN5X@L_gkT29b5S@tE?oeKCRkcMeXrcKLZ8kv8h z4hsGU|NvhfG@&1*%@O+8d@naB~V2r?hi;ZJO8@VUlFe zYxMZBUE_QYj_Py-uOLt7#v9&K@)#<7Zxx`ieg=C zo}xXiwr>Vb)Y+qu30i~U01XFZ7*|)f0_!6}D*6gyR~R{$-d~~@=oB3FFdn$ED)%MXcVrO%i|8)WJ4d zKS%NINmq6${QnTsgwseGo{*Dg3XJEp8Ns#XEz+j2z8!M{z@lnJ1%%wGlS;j&Vzv;f~n-E@+nSKqJg3 zP8(tLyxjJL3VTiH%B)RSZg78sx9#1be9lydV6lg425c^@%>|8hR?WI%4iS?mEK2uS znp(g#NjbJB3ye11^Ka?_db}ON>PmEX`2+sha$onnSMe=m|9y+$1RK%60Mj) zwW7eKyz0*!YV}x~s*H-D@1>%PusJnKiQlONME-bd?4=TN$4*fg#9B}~>%n++bFGw@nry4gj+K2lm2zi9z0 zqq5{{lwX901AX1`$J&kK$>(R4Etz#9oWj~#G7+Fv$_GDcaReG8a2KD6n5@($%xTU6 zf6S%SsMTpop;dpZwDCuWQkwu`=9Ov(FZ@<@w;nTEBw{b;l1)^?GzlHsv@E5%?2yxm zo~&t+ZN5b18Yed%!wtSrddbkb87I?HZdt4$nF*{J-2185Mz!MVi}ombVWa)G?PbR@ ziKDz)EU{Kiz!(>WRl}%Jo@e4VLDlr zw1_sxGXARaK@o*%VAext5K2#%=fCQ*lGcNFEJ+F!?b;~wp@jUJA>_1CzF^)WepaWM7FUF$hZA#6pVG}mn` zS`4(s#xXPXI4n);`}-dsuUz-Cm~x?0E-`}GSj`>D!3aG9Ha*UgiiGle8%CC zFnmGbz7mj}>q8zrs&96*T|<*QDzFIw0}Wy^BnD-&kmbNy4zy)#4qMBvK-VgCMe^v! z#%6zB=**|k?J@qQ0{T*jR+Py#bed$_>^Zf^ft$uCeakyzdVeK1uu0`SVXTY!%|1WePzZU!__v|^$W=&O#z z`UI`)#zPy0YciUFdahH4FHE>hz%qY-xp>No@*;y~%qC33{ACRR_yV;8xypH&6-cJ+ z2aq!WQvsR60DKMGfqIuFG?%V0eDN!U!;TU8{)8qy_*L_H-3}Es+^5?2))9ZXGsqpG zwFWv03h~wCGTQXp_u=ri8;a~RQx6df$usDqoZXRRAHPOOV{g*r2k(%_Sss6vFBJnF z5;rzuRly#Q-_%lsQkvo_@hZDDO`YKGyo3Dy3{c6oSsid6>}!U}AbH-dQl zJxsENfK1xenK2ZQA?(~Vf^>fmM~D8e6^44MlO3XTU8)Cbk1q?<$+Zx%Havqq%7C4~ z+QC}A9-^yq6}Y%JfeTbe>=(`o-qv8bLv+xn$BTs<=k-k>r4x)sk;WY)si`sq@GTB(0kOWKxdJY!?} zcD(7xnH1nAirU=QI)%q@q(l*SP52pZ0He5*+yZx9df!cO*QKBPHb5Oi^M9(4bKD44 zfhV~YRI+Jm_1%mWrZUs&r@I|R2rdY7?dRb+d@0shy4ImnWM>$jD6c7j97aG1L6(|O z>n8%j7oXF`io#DKTvdOq&MaJy;TeUi>gKv|RgFAJxU|5@2U_@6s0X3c4+OWv$+01k zgN*5gdPM+6==rhT%FCPk)ijpqM)aqj93S{*GRDN{(Mn$lgau5{2c6;k^poR#-%R(I z7+sQ?7BDkCa4N&aPs^X=$L_T0T1OtHa2h0R1p108u|7db>mPr_Du_dn%|J5*soj29 zJtql>cW;drHd#`8VCqr68VU=TAft2ggECipA{$YS2a=w{TOB)1Ph1C}NW$N>jrJ99 z$l3&@aNU5)gMX`N0ttZ&8#qmkJbYe193LO``ET~hSC3(P6BJRV0y0JW%k7m}0Pwtc zhXK>{D1OF1srrB8t3cDj1kTC^HadR}#mj#?aFt!spu_KGx1#) zhgf~^D~H*lX+3|-^XNlGIBvM>t^{vCe)#Zyaiyw;_>m??D?i)<{qO*{5Vy|ZR*&4A z>Sp%UQRsjAF@%9B<~)s;QMPJ$L>yWV$c{NT&g|3Eq1w88kX)!g6%g++$zbm=TWL?t+HT=&W$vJ~o;|6_I!vE}lp`M-kz_~axilbVJrX4zm zG-Kv`g@FdGZr66pa=)2V6*#X`*ClhPGG@+K6{w4JmDH`uAKN)qF^{|%Oj>6L!Gc%heq)JyiQH*R18xepHWku!sz;? z=h1;K^pq!mN4`#F!s3(}R-`;b<7J!eU=$luRBmzVAzU&da{{JhH_%ps%B4;t#K=JD z7nk%zmrr52*k)0IdlD!Mc+?t|3O0(xo9H6kY@(t_vK`I74L!}nS%xX=yn)S2^K<6u z+}+(?EhuiGA{RRO;=e9$R)6DjIhN>_Gc3zIemItY==8l*YI8^p=Vh`}MljkK3A7P2 z3u(d^I$TT*9vz&*f&c-nj(jpo#sCFqI_hVZn@uqGo-rxub(uJJ%o0!- zbJ{XpW|&g9ak0t1>cgEw7SQf2Jg7D=rkMoRUPvJ~GI{{7E^32&Hh6J)`%%3E`$LvS zDZ{0Ip@A8t+d~$oxEV5H-HXl~JVqufKK{}>L1z}{5e)Na$A^uewNA<*AvDJ1_mvio zX%k4Z5oD6esDCS=WwWW(I}o61_rX&H- zuqG|u6xwqq{1jAoW0`sUbXM)*6MxpLvriN%e%Bp;27eth+G>_3e{pWua8@2K$N2$& z+Q4NG%7*Ll;08S&{0`BJm7#Zc^Sj^J9ugXGnEl!` zgXv1zh-TVg5{2xxSxr}6jcYh{xmcK(1;oISnH#^xHtvN&^sGv-ot#My@*yv2^=C^g zga`{?h=m*@d9y`bN*>Ct988?rqb`VlSz4sVp>D@_@$O#oVWjD26p+QFBR!9Yp63R^ zrFz51=}7Aim>@ecFi~PoY%^6b>6EJl#dS%3wUS8AT4vOjm`9_vc!;SqE(*u;Xk9w{ zQ$3WC2|3s9R`r7Q+9&!R7prqCJMb@RN9RY+WbI8oj2p7q!TQ>{syI4NA=tlv6~P6+ zjkHdbPAVTBndD^^5J9(*bsJ{Gu!^B&S2m{L(=%K8&`U;wJA2_g)iG*=*%-9U4nXvw zk>KuM$Zx%9KoFhm%63iO#D%jzqvuMD=8}=o2X42|iNI%%c|JrF6T?~ma26SdhP(Yw zQg{1JENQltJWo|}8EnX>A^)a-e)_{b?jHu1Q4eJhLdKj1G+ubah6+Lex=JpCjP;OH z@%X|;7hVFqPI?(&@)c&9?CQ5SWNK!tH|pV9j~$D|%qyd!+dyEXcC?XO#eDRuVrXNw zh)~Wv7^cl4ug-X(&E6AkNq*eO?n9M94Ety|T&?iJ8#W%VD?sg}mw~2#!+xotf8m+F zGRU$MV@C3Dp!c8pVn0JH|b7QL$bE{UqJ<13J7Wd(f z2Ok&@6P#UWLsgpu&YJ2< zCaPL$0XSVDI~a9W6sqWdf(`f(dn|WFF|pvjSD=n*T#8s!8Kev#r-Pn`Ztr2p z>JJse#$H7G5Jo%KU!%NW^o4t~@bH_wfzE5UWl-=!2eaXq*_SAPT|XRQ=`;g+J2?+F z<_jpF88LyN1qF@5wX2$7ox%g`c^F+2HJoJ_wq5K5QIMChw&_cpB*h|BSQI4{lt|>^~1ds&-O%_dPs9YY}O}x#=fL3WZ z7$J2BJf|QgvMfn|^pZ|h;pd}rcBf|{wmAdL*@eCv43`Nm#abW2Jlq%KJld&wEc8M! z%-6}G0|t+Qo%0_9-$=;8U9Bf*LvEJKLp$VMwm%&QYs2O1K%p|E>m=Ls9g#AgUW8od z9AMA@BV>|>d$#aSVi5<(HblU|FpM7id0D<8XRhk+8W%i&(AtDP7K}_oY_LlR+0X+Z z{Ka(=l-*&)!8XjU*$dx9Ngt=)q(e-aopqI|KA`iyItAfIHIa`Yw34sh-~7$=;tL^z zZMF~NluN=*E#X1=Yzqy~yMRZEG4{{}V`Lnkl|=%7cnE)Ve60&l_bJ0eDJ6hq#|3wl zI&cccXmSaE()uA4s=x6VN85#Q^*B6d)di%tcRG?-g1OyM_0za_z0fcUSTK zqrqdTC20Kyf-M3@jV!8(Wi>Dl;P?Y7d@vgiq@FX%M+Q*b(%>(wN$eXqA5O~wh`H+H zQ2jeHN0GO)`yP2w~<6Y#(-ZHUD3BPQe#!X6@Z5GVIg z+XP(e4agXEi%}yW?eQA^{kkSHYqD05@t(@WqkBy=bl&>lnG!lt-cY0r>~b6D@Th!^ zP7gbOsLC25u)H?Om{hQ3KC!FW2OVv9qWw+9i~z*%gdM@qek~@9oHRjp+OHwFhZOHk z3UUhE0~%*Jp_d8y;4gGGsjoR#57^*ub%33s+E_lTzp!E84iogC2Pu}ORSy+el$eIt zq^_=k+|koD_B+eJiW1!^U;^G|$A=`s4<{Rc_;9nU4|+#Qortb69e%T?QdzzZufT`o z(t|N{xb24A!aN(;1D~g>-^Y2V;7+9A8^vxBF3eMkLjp{$aa#WU=X2c8c0rwZK0-2& zd)6|)d=*lG2g9Ww-T(8y&&04%P#>xP^S|fdv3wO$fd@mc+jd|x8yI-&rF9r)aO(+w zR{fIQl_}VRMq$HL)Gv?Q0NXBUu!l`)WK5}#R=cE5KsPE`?U)%R5jOm>5z;>VgQ&f* zn!ljT$#Dm6VM83uU$_zee3p-Klx)v+Q(SUEtz<6KCm>pX0|7&x zvis9Aza*Szrxn!8<&j)oVYNFU{D!PW0Mo1l#wbHJlq?(rI zAcKu5x>qzKIM-?$AI6e~BM_Z|N8c&(CO+3>tt@A}as*X1(li$+$6~FdYJ6%Ok{(5w z5t6akgrvt_Mj+u73eDtCTtv`+gyveV6^U~)wEeCPF5K=_b*EB2WEni0;en=gw#WUU zbFn;Ta6Njdgo79{0|a!HV2gieB5BU(T15_k-8g3j41-h&3m!bzrY*=hlz<0k8c&V@f{6gxm?c}+=mjEo%}se5j6^-_np z(P6%PYP5Cp1kXJgZbDsQ@DQ$SzYo(btUl7N!iT|8vwa<>j~NqRyMPKL#oeel?Tma7 z>50Cwoi8QlWsEl4lh+)7jWTT6?^U=5NW3IxI9-cfPJ=pV71~1sFUc=Y-$Iy*m-fqh z`a953P=((_^6o|3l&QW=)JgA3yZE5H_#u9#IyX^1cS=|5uSL4E^g+&4&9f;#WkpH; zZ0E1=TefYfzp5DWm^)hSgOSrf>jE_j$N0=0L1UBg;8a#^K{qCUhy&)-HA`1PZKSN4 zrNfk|SxnT~I0Vgthd7zq#6(TwNY30|izt;YVGA!tB&1B0*ZJ>iqufE7R9#B$DWfj( zeft{~lB@k-rL>RsS#y^_6BDK30n+xY{ZDv31mIXk-_SSr2na|wasqE1NoBY~17Uc) z?f@cmn|tzlu~mwHE&mQuSS=BTlgOoc~6n>LKHHn9bu@~S2mG^ z&Gwk%i3w-p(kQSC)3r__;bHeNpN&Yf#4c2J@3e%zLz8$dO<#mUJlhJJ7j4QJtpD#8YLZtc452I z$v&uLB2ILK+4<!Lu=c z_hB0D1{V~biuWLpVGW?CbqQJNe9upm)vp@R)1R+$>zic{v(}TZvKy}#foXNmz^+kX z7bd;FS>HAv9?R@ls#~9Lqmn!^o}F0GLNLyB`I+)un>VeD;FcueOQb$Ix?^$%28{x{Fx^lR-4){Tpk+;A zqFqRyua@X3xCcU|T%#xvhwm;7H z0k!9THA)`hWPeCLtj2zEMpDHfjsAAFZV-}}_k44V%ZEG)zx3^d(BO40a{P|D);b%9 zfX+>x;Ok|!QC(4rcRGa!ktH10Ry<|N_Ek6qPVuAkmiIRCG^WcuD)X0z<8~L7ugp4d zp-2>1-a*E9n31K%z$V=ex;mqOkftu9gGb*M++Lu#_ccqChw*`nxo`)KB712p>1>dj zhmiq^QC6^Rw!j?^C7i~X&_3KH(buywY!ung?Gq;SVU^|a zE>1($(me0Y>ngXO-)EhF`r7Z-9dg)Dl&VMjkR|cvTYPIdKVehl!Qj1?UhYCwiJv*Z}}7+4lmJ5q#pjHIK$_u z7fH~CL?FZRSIGZf=O6o&;Q-9?OQa&hGkWadD2cg>GR%7Ib54e&L9XRCb+^p-TUP&YvIr&PYN6$G&XBVTwAyQ)C za3en%hK|L5dOcAZ=VbXwG-?BRMdeJvgmWm@OlXIku2F%106JrU87p547R?xVYQTTe;Zwq1r%H6{yQH&yqtDrYETfYWCYeA?_C9MuDETy6Uf~1eMe_EntUxa)hr7|Ha2V zU%6cnjklwyCh)Ylvq_kBfibJl2pTz42skD6;8!WQjTwxOQ~anWr)?>B7S(|B9@2b& z)M>bFXzNVy6pwjjyb0Ar@bR6kuInzbkASH5!?SzI;E5lXc0p|dxvprqj|%t|*+=D5 zwjCetCghM~Od57gQ~!O22^{0LV$?NF3WaFbWSo(i34nY!Bi9IEH`12Z1QNU zI=XR~6z8WGG!d}qF0WLst18z_^mSAm?%$LqK_@IPp>)*8%TFgz&-i3@!XEQ%e@KqI zIDG>$4&(FF(>R%R!agXQw`g-NVRe#lv&oKW`S0hF+(f>uhm--*Phy?qk_`WUhJPlTbh`XM6 z9b2s8H(pX1Ztn@@f~y3=PMf7^^O%A2AL2ac~<~{2auT ze2wXa$Zaug%*MyR1g-YhaDMzjyWoCC+Gm3=N2ml|fnl@Q0e(>9__EWB*3ZqZS?mBi zy;$Ch-64E|&2Z;pWr`bMb4y7?EMTQo@d`JoRqg<!!|^=w)qs1>@@?^&A_Pq= z9-=I7(Z-ds@h8||iS+Y-86WST8ISkRK96_P@KU||Wt{GcLzsvAXv}ND%(Q}b=?tRF zmCki*aT71L5HirQ1_N)Ft!)y~J2HT;5KV zX@J}NPwJ2v8%`*L@ostwu-0~?OyduA6r7nFJq0*xyHTc@IvoX;zjGz4)NhstDVtw6JLB_V9K*^FQ%sEuX4p~Yo8jvtH363 zNMaf<%(bpHvxl%K%BMU#?w-ozYjH+G&60sfCA38i}n;jpL)7+g}0ZrT# zd5w`=tdCKDSRQjc)BA*g-BP+yf1ng_XgC{sPUi)M2@GjQX?aQlt+IM(*mSp)j!WkB z6o!Ed;U43({QJ)*M5_zv2K&cHh#bXQY@VXMK4%i0*V4EPvuEtnL>MTsfo+8;X=wev zmU5gH`qMq_9-4X?P3#!S-8n<1HY!GYonwu)VWu^IC)da_rrUb_h0ey^d>0UyPnrGAH=JDRY2_z8F5FWSA0eSly|v&uefCY~ehTxXTsN zd$T2PtgpgV7tLh4!qg(3MfNqy^LTr{$FwSOfK~BXCmJW?%o0$YPICn3n_=ih(B$W& zqX~z96{Z`dSZ)rsH-Dndo0U_Th41 z+bkmNU4=CXK$^y$-%%FF?LmKp*#uOUwfXJ~oH`ScW_b-be{2u>lh1^&U0$DY+IXnQ zCL5j9XBrvLCyln-ILE`4PSVwGmC?ZPC&gcXoA_SPQMx^3swd!_e*w!9!=i|H>3*cY zWHRH+VGJ=?n6%E>7mY$Y&}rxQa7@9aP3X^yasI-|=rs;u7-czj4g;6$a+_xd_!y6^ zg*`R%paw)J!}3~X{;V@gG#Nd~!KDqx*Leh=6;I~1qZ~TO4Iksshac~u`dsLf(9X?& zCukNw!VhnjO0Q31-2s`*TjA@{XF_3T~HbEQ2 z06*}Is8f#(J#;d579WqdNlwMM4PuC~vl4ow-O|Mv-l=`0n)I7*HwBKC!MU~#=AYoG!6H#sqnQP!w~=-kpG|@ zQyxmwe7BOGi)?4PT^w~nLsCx7JU8d2Rxfvent5V}sp&K0%BMVjEa4N+ zJJ`sIqdCvTTIJ<1qz&sfH>Pk4?#FleTztd>r-nXy9r=__5%gBK)~SgPMX<6)GizhV zlWrfLeg+>@j(3p5x=;{~Qyk1_q=&?N(bHbC3()bmR} z79;R*BVI2la2W=NE8(NMDPz@toeH0i+k*)ozpEyt8CWvcf}tgo1*7^wbU?nu)OX?Y zAKSx?4j;LVHO7**xl7aWCT*kMJcYyVrA`8!O6|pe1<_Ix%PieS`_TAbKIWr;bNHvD7Ib47 zCcONdUSp;!HeoT2*(fWws|J*o9@3b5$3Qufr9|z&i8k+)MQ_B;l59k}2mI}hA^ui2?$^`-b-C_To9zV)*m4i;^TI30AY}g@ z({MNZI?Tzz6gNQP6D47>fD?*f=jJ|3WAzN4nnkm?4n%i{$W!eUWu!X(P7WoUtYS&1WZo#xLW*OPpd7R^RU8y-%~(DyN$B$-d$d?0I4Tn8<$D8 z+r{aQG15E*WYASs2XOTasB|}!ZftG-O@IP!A0X&g6*Bg1Y}$&`e@7ejj;&3MHECi@gokP^ z<5s+XcCkJh8Y@+dk+KK8T!oK1#&pd_^)2(4Wv1FH>y7G)<}YjTW`pa`Adtc^h&9=V z<}O<1V9{K=43>h*UI1AG${Ju+SVPwfZ=Bg@6?lbV;Ebmjp9Lgas)(;~b}TAGCPXSw z-4dwNu+5gnacyE4cyVj1s=pM1 zB4YG?=7HW-YKsLXy3>iqx=AJ%&A^|FNUgLc6q?SL0cU(JX9V8(zSV(`eX~qza~{@z z=rqzi$m_*5!I(3+hG&x;?Au**t}4bYtc_d6aVr_KiV8ju@Q$2|Ku@_%cxJ`coleH3 zRrecuwg;-a*e1BT+fw!eW=Et>&!Z};3Brzq3Ggn@RfSf=dp*^tMZe@$rA-p*t6Y?E zii??bljZ!pf({U4RMnT<=FyEPANDVQX}FI!93SDQqTWC-&YLp8)}ren7vue;cd!r( zy!pPo0$-=_QL4XC+J8nb9xR>H6GvCwpNMM1VetjJ>EKM4vG?di z)VolOvj2pc$Pe(?2BiT3Uhie*zr_f^2b zqA(nBo{Vn|0D~~5A9K>#&sYyQzFO;~Uj8Uw@?P%ICgHeEoSS0PabgFpQMZW$R9>@z zWiSYuSca{_D)^m$%Jcd0QOF*S!Q@i70lS4$)7PcRWNtUC#LsCt}(>Eux>~=y4GhKlpJ5E?7(pH~e5?JlmJaDXbGO z`6AVv(0B2+Nt<5_@ zmF!C#y`m0SJexVBp2#&U%RGKKU!BrNy22r1e`&IL%Rtj_u+!)DByce>>C?m@Y=H8o zezpc&H|xG;TsL8MW3HPk|E#@}a_&BmZ;U(hpuSEG_Te}3bhl+V!I__XyZ9l_pTci+ z0L1l}!<$a7dZ=h0=XsWYzsC2w3&0RxJy!Jz)BAkUkB40zZliOpRdBi1iymV62c_h$ zV(8^(8ZEERHmCz(b2p6@krHeVR&~;Hrk(Do>ZEwisOtE^GsBtg6&BSA9Q;8r@t$jP zqbjQtF?V{xnlW$3*;Z>*MF)+d`w5vhfWK;^;s>5Dt4q!z_ql0*b|V;I`-{p@U5>7S z?;u?!;1i*YzLl@Wx(C7l?fV2=H9!s-Z&eO>;`gidDDzrg`Sq6Cgtx+kJ{4hK5lil( zh}p>nT`MB`2rgMmB8EsVAM}&T{Hd;G{OaBJrI{GTa{+fN$1c+6LUY_ynzj#|fG>nD?gb z$YHFP2Az~#t&BDgz1oNcneQsp7jU-&P+dIJ(Pt-EmP5~ZP`BK4cETTb$EmZa3ixnj zj2!ubui3AE7yTKdM#g+qE(z6JO*c`0S{w@jgDR7VM60YOn9nM~6(*3t zFQX&^uZS-~1~#9VM6<*$9`_~4JT8qA; zs3sa1zKD1pqG}9A##}6HXvVGaDi=d{hFfZQhlX34AhE4_4y4#%?SqTW)p5+<@=)?_ zLUIv*RL6d^=>NV8*)L#aW?4iyPWKo`$?)jb9H4`GY5f$ID@ynQ6OI%59v{>jEKr^@ zh-lQxXae{jj2zM59J5EKQm*x8ly#x%Pw)my?iU`zV^U%Q9dDwCcp1wV-InoNOqSO@ zWiym8h0w81_WrM2-~;>8U#w;%9Bk)<%GCy_ zH#>hhF`teC+o*oMzrVG&=RG9ia?xv6&USmc%j{;P*T=|jka1{oW>&32`)E-@882gh z{xJ!6r>0XctBu7l_yF-@@XKQgZUnPD{@&xR@I*|4TEQcjIULK)c`Jr?d2LMh zS02?unG|Pxaq4At5V%>%UXz-^!TzbuXq;1n-RN;t#% z_0hv~rUD2EkyeY2_ zzOKsn1a#%`cuda5!6~wj#>yst8DWxUNtW*5%dIPrlUG%pCDt(gmfc_qTW5_|R%P>yS{b#{?^R5{w+l?VP3c_5v?#-eWZ-#MDR5XYE!LQF9G^;xp8#Xp zE$=!l?jeweYN<#4dN(=DgD`N5=|a2Iql?}996FJ!A5l7R2-i%=-C{a_k*go?bpk$e zJ(F}|;HH#5+`Kxjeuvy3oHr+yCk>N0mYUW^W zFpg!nz-kU+7#NH$n}xZ5I8!%@4|1^4wavSQ!-TO}^^0@#LafWZ`Y;W4%V)tHm|_O8 zFF#SLaSk-Or;Y3B-uWqXmeORf(uwp6iJtu^ZmuGO^Oj|gj7pUjhb%AI1iDIbQLHdt z@a&Mmk9DLOS`ETRwZor>h6 zea_=DIx$=-qYv+&5X%AVRaf{TAFVQog1pi|gU@+*IP`1;a?$H_Z0t4TZmEdxPl{;c zi@udn3J1v*dO~0g2Tw(Lf%{6#{t`P^&UTz)+wpK!z49Hlg=6 zC;7M$X_Fk)Q;x@H>YvV{mfj^*1L}|wd_=TqPjx6aJ}BM5SfoDCPiGxY_cE;s3X#{m zp?&6WL9U>Na)Nf`f3J6kdcS4x1wefU=m@~ov_}mr;56%h$Wg5QqJahKYxE%+XG06S zz-_^VXUrJGO<`|Hm_9t?OmM5(Jff7FH>F7roN*rao2iPxs{D1epuf2@V46a8qdtSs%4IgT!y<{9__-~;g!4!*O<7lCa?pc7lJT<9%(rU=_uGrV1fAxl$e|4e+F*bNdD8S!n^UIZ_+S#fS*h9>MHE-Z2d!8k zkqmaG7v_kD!tZgytmv5peyn|!!QAHbhGP85vC!c-heGhU&|FAZyrfFUIEl~*Uc%Kr zOv4?2TLZLp;n>1J zjp!6OFg+z(-lK`ztZS~eZL{|!-KK@=yF5jkINu!O@(sxWzTfN@82&PBTu28<- zx~LDQfa-NxT!D!zGVxBEm`6UzyZH*L^}U{d<6^O2P;@r}`(trTRmVQZ<T%ccHgsq zY0(9UBZt-D+U650@|MK#(BVW9Ec^Gyy^;_CA(G3n?AcQ1A&LzfJeKdZ1Zt!65X*-3 zAMw|=s%MGO5tOKz!e6M>)UJA<+!NKfC$=uHeUo|E})!2Weyh&5-JIicNi!Y1CA1yMGn`{ zEP}WO*^)Hr2u0a_j}Hx5AxI(zq;EVMXw^dq$k%u-5Dg#vFDghzzA2y={pPbUNr2{a zFe*Wlf=GnF!m=e}m>ix$9V5|#a?~FNw54NwB%z%3rvh#2n1z_v?-(NzNNLc2r;v)0 zN~DtaX;ko6ZZt(wS^HE1jB<9rQxsdMww&L4KUF*Zzn7Uy`T4Y*z>}o>lrJ#Lty@x<>!`XNImSe!KRMex7(IHB=QM#eARC_fh zgI#l}$5U-aQpFl&%3xPs>d{ndfK;)lxJ0h)mA@DiX~X(_uDp^c9q71!#Ar?GwUgCf zBr_xl-mv04f(6=dN~TVHTymdu<~t|zyi%bv-#9%S%P>i@=iW_~Z%DnM1M(C>(SPtq zuy+aex_5H+7l0KYzOL|N8zrH%?!t_?-WN^z>4tgny{up`K!1QA*N}Q5XMGUrTjC$M zkVIPOgHk8z!k)-Dy&j!^vlxRq@TM?${8h4V(e|xL5jd#Cs;F<6$~>Du^rXHyg=aSCrl2*RbzLtCAzaTqHG2BNS zZo>n(Lj$kNn`54vmVgO&g1NGR-HR@}xO%9oJfV(IKwu07jv<;)X#i#Bv+4KZeVCJDTB(qUZ0jkq!&N-EeOW> z&2^KO&KrRruB)nlC_Fp9IN@#7!%TVkA9n+Xn9X+U^oZQu{r#kywvTZLb*)L5dGkU~ z@j{sJZZs^?t!NhGcOSHsKwB~M?KQ9>s+T5E%R94jOYKB%15N?*IQ*fM44U94DZA9p z@~*VC6Dy5-4*w%$4{A(iy$5*K__=NfWc|;$AvGrR-VoS-H0*Ih65PgBMr-5r%q*(5 zy(OQvX`fZvMch}U*L^V70&6WmYgJ!rta&;l0d=Ru?b7FBorL>`ZK(Zxi3PLmr8TJk&rUX?EUmeUk@wfFLG*I!Vn04zu4~9O5 zWnIL(R4th9gMBe*!)s+_ouu?nY%WycuCCK&Qi1d5T@Jbcw0WL?ILa)BpTgEJsZ|= zWon}UA04fYz%EyBfE3VsXM*_S{Mu9zZ`N=&5Q(IJuHZtbkFi10Sc`tDsO$k`CqWD# z9)Wjob*U~UE8z9!okNMy*Q!SmkGBY&U7{-ZOC|+oK^e%5mjsv<=@Wu+sN|v3pQPV? zKLy$G8{Hr+zr(gCBG@@wBX0X${(UUlpX%8j+YOkzBetGe?V zvFOEre47T48Ohh+a0py&(;M|utO1=NvA1iIO@NOQI;&l8ZH;@$p)=cc)(vEAMprsu zW@+r@+ttWk`if;Q1*&EHLsrDv>yEjQX=HNgtzg=omp~@B-WjIRu)trL3s3TT2fxpY zbRq%jh*%`9DU0~sacxB3;PA7E5`_Iu=+7;GM;9&@q4$)L#_KM7oZJsts#gD3S7J%3 z4GfM+Us0+J3=Se5g)4hCT?D<_WEy%OVqu;)c zJwU}m>LG$tC`sq${s>ZbBlXad49za4*{G{o zqZ3-Q)Ox7j+%q(QkVmogx_LcOc-qbyCgIl)D)VmIq-uvf5)OL>exjj8^3F^a*|VlS z?EL0SHyLdegug;fXfGrh@RNYHJ7URW@UF7F@FT_Buy{IZ?cIsJ1O*!tDX*O$UB@Y$ zkE&}>8*D;l?AumRjE=&*w6S&qW2ZiUJ8VGC|7J2S#N>jlhhT zC@LeWP?bLh^-BE}KQPCl%=T+jMXlP_FEukeWs}K8%dAS7zbu)ZqRAHHP;p`=-W~K9ZYC$vTZ%K+eA{Ggp=AS5py1?IW zLIVqi1^xZE5?+t*6PbGr-=A86(UJR3CFH~QH8XhpH=RfKCd6>@un6FP(d3jtCV_&w zF{cZ_kyUUlA44&gj0|YiR|UvyP8Fy_;t+YSbKRO;-g>~#DG$ae1ZiSoDgt86@rb}r zzX`2V3Nk){)ggz+q*aF)-c{(Sv|v@A4JrI8Ph*6<`{?csI9WR;Z{gYKhQ%R74u?M2 zoOh7ZPn&&IhTvz8d4}_U=~Zb0;*j{H^KedP<|<*YRi{w3?ZZv<_QVM~FnZ`^uYa>< z{3O)hLG?uLv#o!PQ<+(Voyn>-U~!n-+AN>4t)SYe`#lREvRpO_FwM&uGOznMBM75# z(WBWVq@Bc7SG8}2ci_SiXrL=tUp?RoFJ4W83c)DYU+?d4k-30>C>$ABycA`$UpII6 zJVa07*I3v%ZyQ7%+QoQ@qRa$jrnLjeqLoplVUBk?^Sr_>A6^b&QT$l?1se1e8JF+S z#>{Fy9+Tw7V|U%_OX?z@r0WMTB;B%z^*facoxoU>e%Tygekb*Nm1?HS?2FRY(^0^wlxcxtQMrd)UM>XM zicly1?TDfA@O7Zk1c3xm7NZ9O{2?O_Igm8k@FEO3@twfZM?wAqKYYn8zdb(sJnVDR z3@RKv!pr}EetZ-^+F25!2PW!o7}s7UG51%+!e$C`MjHdNoI)U`8*h-lB*TFZG9n_Rq} zIWm$*Uts~}9J`Nutk z*_K9sMIao4t5CV74YMGpQ;4^uU^b`>nXgO(t&}i)UH+kh?``NQL{zNfwDeh<^XiHQ zHR#jjUEYE{@d_V-*820P&qD^c6F;Qxy)CG)PGe@HU4api*mcoP< zR6~aB0j5OXjtm-)M263pMJU5_^k6<1>ZhE)%7i18#+EmKmDyDJ0E7b?s_;Lf2La>n zdT{o;bl~~B9+3U+J0AO8566BV8g$n1e)%pMa&|~rPf;paq8i7^>#+=4P&l-$Coq+N z>;`i2b)boh_5N6frV~#=CPbt~!y3raEWk%0vJn^?)k1j-Qb3PpUOwrN8I|(tIlh)+ zqaDUk<>Vd34wL40@kT|f@Cis6g$l7WWwtiU_dUnF+J+o;T=NqIDl@yufH4BrO-E&=(>#DjT4M zW6?(m)oRk&A$0|aN8sb_JzY#zfPTF>9q5--4f@5`gu34K7Y+xZG7};arfCj;OUUy9@^}k@ zet5u7^F}^wbs{aAkeG6yZ=fohzaqZN#!n>&XT^9^3$OL!Eg_OH-j|ujqVbbSQA5NQ z19IJG(zWAFIo^;CLII{SSCGHPZ-u)B!)1S~Gfd~dOtX9+Ch>RGP=85(vT*yR1PNN` zqzWy6GZt>ig1=<2bRy29y{eGkgh(zPt}J&|o>_zl(`^zLZ%z*b%R`pSbbAvQ^Qe>M zZ&4hL%0rva`2=YuxST$TC`@0{H4eW1qw7NGs_8i{pUnQs;tlB035zF-&ibdyYW9E@ zp6aM4Eh{7FKD@pp4i*-F_B%`u-5783_Fa1$J=!K9rVKWdtVjDLPLj1=p$LZH+Q(bA zYX{V*+4a!`449>pklqExCG$^pE%uWQ`=^c}uFa-BR3<>Ahsk93fmyRYVwlW!FPO!| zW^tnf1VUt+P{|pVQ4;TC6cmGOh)j^WHF!p!EzL&)t#{fMK4Q0fS7s0jYTM{GygFt-0e{gYmh_k%H{OB@OAXK{EMtjwHMXgf$EtADqKxM2sFLly@ za-%>73=8__^csIpWWL!JZ;CwN5%Is;`riBro#j)h!0a#AX!!P*vpn9#scH}vIXc`m z*XmNHg<}WhaP4|2q74Mf06rQHFfN(T`g)ab_=+Id^&ULT?V`qBf9rizK4s3Hc#%YX zh9~wSF;Ae)Hg=k~@cNMcghr~}`}0VNaXM;}UxZhXbr8Fc7`G7jiK6`7Bvf6h^r9`fageuFppVdCB%n?l8o|MkA=DE3wo~^zguFvT^3#B%!Y=7D z-aZ`TL^}2LW`qu!e=Oz_eo2=fx9`aC`ECSl!~BoBD?yFYscsQ%;5_~PQmy(IbNbtl zT}=g@RA#$B*UGv%>+TE{TJ-G@t3Fp)6!9*F;bt%Y@^9zn^z)hR4!x%$E^QHVKlSt7 zrez)-izo?;vWojpyLCYq$J5`=_6ruf9#|(+YS3IJMF9I?UdjZ zZve}2!MM_X&J4ySHOI64C~{i7{!*I52U|qV=L0de_t}9m<6el885P!73mU!aj4{G)}Q3^c%Tyi!VR40kz_j`S6?S#AM`@w z%Ch`JTew6EH`z|?q)WAw))asqbbNhsHqC%kEz>@tDI+=nodR)ub9PaZHYC8tM3)V& z2_wg(eOw@gz(GTk!c+;oHvFDkgwgH2O&an|y~SV0f3SGMb5HP>OaRP+)X9t&Y0QeJ znGk|;s4M&>APH~E<1twmy@X|sX3A7P9QZ@8eCo9O-r`6zS{A|30tK*NT0AN`Dp08OAr z;u=6cG1KwBf&jik&tb8L?C@742V?*d(0~th$O!4M zf2*3;R+u5G9@}B8IlBaNOM9`*^|p{}=Gv;QDcu(SYT0$ATiRge0+bLlYfG;SUxoZv z+_n{(VbyJ0A>PW{USiVKx7LsX{_SOr@Hbha7mI#-F#%$g>h?gVMhU)3p_#y#(JMn8 zpfZxT5OS*nW>w6qEA#5|jdp6dTFSdPe{5kT9iG=0w6E*K7Lwf&vKGsvsDG7JfPc%Q zW)0i!HS@l@DJ%76M-8Ni-hEQY+8k+AK4WwK#(+ zDhGn%bGXi#n+N+efJ;jA_M~vIe+d+UOIqYNSs1)}o4OD*p)A-SnxYEr$wLRj6J@~{ zc_u+zRD3S9H4xn#&m_qbj~;j*AEZD?ZN%9It&L34Pc+GJ2B~@{4|?$PX9qVpceLS29r8j_ET4h%z4|L7 z_>G*=eMgqx(E0XvF;ipYg3@V=zMQ|2Q@!s<+(6=Tc>fJOfqxgNu!EtXc%vVeYFGb+ zs2 zNTzi?WBL{@aBm5)!-2Ed9zz+Ortvg-GXwn7-0GrHGavlZtm>jgGb8-d6m_ixFhBg$ ztm=LVAHUGjG59gJx@Z)gY+^BUs*4tJ9a$5&w*>!$AM>b-Uuzn%e|pM_5-;QQa4e_E zs?CC;ri58E)yD8)t;6+U{Hrp7Esu|2VjdOE#2N*qW&ZN!mF$4*!`#dSqN4A?%sh%Z zV*)?Mli337!`d0UnDOa6gyqu@q+|oG593>9Vs;ht>=5PU%a5dF8?u+0+RWUFY7f&o z(*z{N#&_QlyLin0^~D%eJXiOj-OYfk%{s? zh3(e~k&{B9k!s7v+QAtxTE> zj<~QpJw1n4(1_ids%`p8g1PM;RmQkUor1^k2<~-o)`RWCG~7`gk7oASL!3mAs!F8O zNTup2%5M7TK;fw)ZvJrA$Z2ypj6X)oPpkJ}_7j?gvA}9E-6u*j*FE{qxe;@!e}2iA zPaAJfGjIPke*|6ZX1q1aUpIcPY`kw*oT~h3n1tJHu8Q@m>)-GV>*hD-E&HfTxTF&1 z{nT{dH2lJYCyL{L-VJMWoAYL2zhi~g&vB!QsN5X$JW5Mil)s7cavPOloct$MibE{t zym_mryrObwKf{$O=bFkn?QMj^0^;;P=`Ayi=Da=ke`NEtx8iu%<>5B^kE{0Tyym-Q%6d`i>)x_x*!{Gb(VgMzQZWaJYXnM+;O ztvE#6e;>6fsL=bdUt#_ks|5|HHI`q%{_P)G;vPnmWN%Gb6gTnzR2Be#`w(ffXi zidYjTykZYk)=&S~apLS~tKD|b>bA9{wmmU745~<#xVoxXO|qnxujV!O>+L5w$V>nP zNf1boRcd)Ix>W>``F)uLLHs5H2j_W@qWY_Qf4-XT=tC6oiY`874}k||cC`dp%}f%|_>M{gy>SA1?qx0&dymbea8p5Ivf&wrSa z)#}4P;iI1s7nke)sBoXmV?X+Im#wmpW3>Kf6@aL*|0@-Rqkr7}NDP7s1#VD?ugl^S zx0^Qt2LS=Tx1%@$_5=a+x0*cy*a3ekihp1d{~NbUw@2xwk}-HdiMSfGOin18H;TYX zhT1^?2whRCuOV}n6w8t~n<{vbo7W$r2G6riEiP&y{)BxL*@%wuo2bA+(K#vFt1n?^ z5neoXU)qR{^5qpO8s|&#PrmC_R>AF~y)JYGk7|gygqRO5dELu$SMWUilWTve33L3y z*FZ0gsvSl?g`?};%}rJY_Cx<-&m?Lax!)&r^aCmn>EGJX=xo7cTkTfaeqR<-b8{@C zMB2+^ppzL%w$?cLg?&4+j(OJA}} z4Zo$dzH!O}Z^ItlCe>}&WWax;xg;{Ug?s1dXCWOh-tTjidZXeHAZF(czbwvsS z25@~I6PIJR3_PCSY$Qi`Ph5`LGQjZR$bAEk>O#iG0fq<1>>dbr;6563kL%9R))~jS zlN)6$S3{(~hrg1iTZH%HXoyw#!18lZu9F%Eo3jb$$X42 z+6Yg93`F{Yx`kHzS9Ou3=@a%~G(>rtXODhr)Y1-z>SOUbO@lnXPQI-3O^THk{Tx>y zr7%`sQsqd8N^z{hT8wyBd`P~05I-4(PdtiMeH$-sv&E;Q>@I)X)Nz$>KH-NillyK& z2E32AAsuq~d}At}8;ap`k3%g8z;q8Oi%?mF$|6(-U;IpNoUyYEG4*H6a1Qr>gxjJ^ zlwFA&YzN|MSUB8AA8QoiC0zCkLizxsG48>Iy?AtyI<#oUVT)%H1sO`S$j#!DP*X{& zSz0mHSUD}OSDAmzSe$8TiQC}1-ckTYEFp3AP}SKwmP2unOhb_w-GFpV=G7gLeUAC( zcJ1mNvEXt&MMIB5g5DESWG2&iYjJ6n~lC2F2t({qW1DC z4ZUlqdV>B2s@-jJxDVc!A3C?<&Wk{fmFn$AL@BpS05>t3~^I5=YP$ISyH% zKJD@B%6yyDw;OohR{5V;x&4oLN-o3p_ON~{^9up;iwVMhX8Gn{;)|W7@j`siMW;7U zRxq@%$;x~Ikn$(%G1zp?r2=>cN^OYimCne}8A(MTr}%~1^%MOZ>7XLn)wd_0hklKB z56ORnccjkA&LKS@Cb_}$ zM&!01?5e-q+<-#yXR` zy67VbpM$X9QF!9*&2AN|b$N@T_>{}@ec{)&=ryGBCT3>2tE+ZS%4nnt0YdzxwCN>? zq=RN>>?8y1JjY)@fC{;C=n68A@LlsN)2}`GuBpsM)M7o~H8s}|$pAa4vI_HEz7c=@ z&kYV=(csEavRW1Q@hXRM8{-m69KpwAN~J_zW!BR_x9A6NT9V_iaa0A>3_hXGh;-6w zP@J|HGG&ZgUPJPGOvOc{6{Aw@E8mvcU0&=eL$OMl=IoAQIa*>SO?I-KsOw~vY!>-uNyFH=DB9Eqh^su!VztK>iv0%uzs`SYWd`Pf zEGh?P!23RT4&csxxae{pH|E2@7+jh|q&Ud_PXzk){^AJrN2nhg5iZ;Jm4>JWS$wY5{7h=zUr(ugv|gOF%%bnvAp71+=>xe-C#Wjsuj9vPkoqJC>jYJ$9?J877Mm=&Ps;2s5 z+mn+k(Tfp1%d&o|9_hRLDXw&Bp-l81 zDpN7~jSc24Z2RlDmd!-|Z4jdd1D z*Ma=nrhHk^i(QaW!bo!gXxGx0Xpmr8%PYDJOm$j}`r-Lk*h zX;=kX%xGKqCr+tl*3k=L6GAlp0u7ih(GecoSF?qv)DPS2FX6L>=m>wGeH6m`@L63Zn+l%ZU!>nQ zz&FU|k4nenK3i3-WI)_1*-Y`AP=v!S)oMQ;6N+R2TuqE^&6`bim29T^q}pA>n)oN^ zlom6#Jy#?()h)X+f0{+bB*wPpw=xeaDkvV~CB<@4%OqmC+`_tCgzc%e`gvcyT%pzl z4fP;3>J@*Ev1lZc8m&u7W}`jQTTU{{+qdGIQC5ot2IZ60_BLr!#(G#Qm`jyS%2cOn zMUhn9q|8Pc`?E^fxATt5Y?*!eYq>BY&eI%ubO}mExijBFxz4v^y_RorWPLl;Mfny4 z1P?anciT}0j|qY|Wc-wncteix1<2#r#R``4i&5dn=Qi-c`+9@g3RFz9u=RmK~+5YyAp~-#%xm#(ZDX zTuAH63bZm^r<(DNMmcGiMM8_NqkvnuMQ>KuEXTmX4rNvqtGlekd8# zci0fs$EH_3k@qnSaBnLxMn9j<%38u6qK(ir#90^LgT zk(Q^KK`UFPt#3&B3U9qrcbu++ISTqNK`%9~v-K8E1e3j1b%_~x1rrp~H+gO<#3;_j zHGTZJE(4|X)rBr=q?E`mtc@klMA4P~C@=9?S4LSwZDn>3ur8O$ECEiF5^lFCx+HASz8t%KKEF1@x`5jmSySR)1ujRwGF4oPbT_wouBDZLC-WJSwtX7b@(y7}q z8kOr#Qj0s-jF`7li*C$#xQ9FA91}iVUr_dcWDg%u;b?b%PHL@O{NAUNg*xqDfSKf4 zp+I|em}ii=|4ix;Zv4E<7iMcT&8~lU%lIy@a)=-#-i7O=$`?Gpfv)+GE;(3by%!@0 z*P{SqHoH+(BvpZoNjb#SA3$z|&+;_Jusey=15p^tb-u}~8hOZkd8%`b^QVae?o`2( z477NN)=1yxX{2?~cbsWjfV+Jc^PLNn*==h?v(TsxoOd`wCOJ-Vub0o0z8SXnVi7rpo}Ym|AErzo9k6CnzXq z4{67KmyXYX3%I5kM6M6W(iqz5S%tkJ80;bCluKulc>1XY^vS=bfLK@qm}Kq1r7pejODk)bLA6>@)#w&KJ$j-IiJ{5SR=WsNg_?Ov|^BBC~p(Bh=3I{6|+U4kdKb)D#5UX9A&_{ZQIq zJ`J?tn1YpfknO+8w0B!rBldx^y8Q_=l5w_K=9_HNjCV`XJ|<~VVI&oDXSaRk@aDAJ zT41=jD3+_N%ud3*00V!?C>aaUadyKvu?BZh{0Vbi{&?cC40kn)4${$Xmt*J>_$!lh z=IBMEWe(E#dVn^zg|t^&^!z{!%f5w#oAz(wuiT^kjx!1YBj?bhiPxepi8aq+yNh>q zu7dqyXKuSQQn=3OD4ur|W52G0#rBl!yeQp~P!t)8u%l-q9cq91`F8hPlQPPmX>q@i zRZ`Oxr&hSWW84_)T{{f6xa|Z+`?}F*j8{-Y++om2AHC6cn(>Kh)N`OV)oqq+b-NBO z#`?Qa*EHBr`DnkQ4hRLg)r~TPV1RAd+WJ{sjPjEXLac7#3LBZI(#CqNr<^vnb`eMW zP)B0cw_sV0oqT_|7v9OlOPR* zQq(&KnR!nyMzQXJv3)8OM<5b`j)-(%0>0yegaeHJRV1Ec+Ru=5p>za!5`M+zvLQ%? zM3u%ZqisjF)M`(*QUm*6U60}~bDh)x@etd=qu@)mbSi(WWak6owAx|iApT5qQZ*MUFhbQXnd+J<5=t;0)h^+?MceXz z$En+3f2TZvb6F?CwbKq#BZ{E>|o!Jfq(?gJ39yO{oM5F<`w|$aq z1Amf9SD4~GX4FttY_m;VXRByV?pW?%n4) zO~QXgEx4vTqv2GH0GDMW9ri}4RsEbd@-E}m3BfU92_62?n1PEP<>C0P8|k(m8^s5H zKv3PN^*o1vLWCxpvXAqO7zU1X-4$x4=drh^R3&hhZz+%DxKAD`k(bh@JPxInPT~Ny zaj}VI>NK}2)pYWPjd76CuTjOXn=4A&iz9z^CAw!%Hs6B1dvbtsklDJD5Ar2#c$W*+ zD^Un*Ss3ez;jy;#9Hgks@y7$S7P;8Hia?r*S6$6mY+sANfrjFl+Q-MR0Q3vCB=LyM zW4u%|j#?_*6D{?vX;pPc4vUX>6COcyd>kPJo;l>QAj}zfq9+{b`Q<@Pwd&vqfsTLH zhnFZ$H2O@5d+>BmKMg>4K}Wk;AL62?vT*=41-ZDpcbrJ#xXR%ZNaiV7;Sa zuuOd|a4C~e3V)kf$q5d|wO%3<{EdH`_i3~@aW$97JVcOX-9N?OW@dFCzS=`kJfx=r z3z_MssU@mR?&Is-%?%yXC$8us+&_&XiuA74j`ony5s?mx^{%J|*mIfO|9}^PUcuuW z>Xqtd;%|1#yWceGQK2H8I}nXxUx^Cmv7s!@$5>Z z3B{}f4GGuzCQA?Ux*oz=5sUE{k3s@!-v8Te^a7qn5wsHGSYmWZCKg59=9(|6Y*A+8 zok8N0{m~}Fq5l&}T%p7`4>TLw)u#2YU9(#laSUm;*2`l=%W)2=(u#kc!06`FUJFH+ z4#$M6w4x$0rS0@I-id&hVai)jZFA8%h1y(J;{g+wgB4^WeT$Ow_0@LsV_{3nh*EjLCc^GPl}`Usldpr(=Tr9i;Rs)n%o%>8(W zuA=RvSe_!u*Q*)={d0e|*bSF+5=TqL8dx~8^ZTb!4Z8L~0{afZiFP=rirNbSr}m{()(4Np6&nmQ`^LU!eUsNob2v-JacKXUXu> zPgU^)2nIMx4btP<4b?j~I?Bzi%WYAt&@ivRlulf|GM9=dN+|v`BVvJ8w!f5OTC*ax z869aGS(dS~Tit)`B)t&wICC80J^W8D0h;bN{7>Y-MK$~J82%?$_=NdNnFb4bCVHt} z(3H$#4?Yq~)Re`3JOncr@NHWJ`bQe|aWU09;?iMZQm6PEI4>HBx^IQ+_3Z>25emc6A|NZN@;x z*YHZzp&06eC#w6oxIIH8% ztnPo;nDky`{y>?h8Hf!>oeFz=^MPvp;8sU=DgmxI`uXF>3!VBSX_)ArJQYkZcE?xp zib){E7w@#(L=T8|;1ekzRwf}n`FOss;vt$`TTvN3b_LPEa?HMzxg9p{>Ra6SS_@}f z@9>~Md2tuhQwGx@B*%1s6r{R$REEqIT0*mIW= zPe)j~&3qNqVN4`kpKTYJvlbdM>MK4v_G26W$eJ1HuVJ8x?z8dZ`ztvG?l*IBn=L+t zJUD3C;bv6S5Momss>9PCv_+bJI~E&V%S6cD$kGi=te%Zuk*l|&uZ*rde|iEe4!V%iEo-{C@1-* zt{%rc7rxa{642}F&KrU0CLcAwSNVTqmDyoBQI}4jLynr??{j`Rclf8uH_KJlq>jf#rH7RY>6ERvyv zgbrnZ#&p^7o-zfR11tL<)fNJD83J1dhOH3oRhY!Zx#jC3eOT{moGx)1p@e^04PHnP z{V`80L1hef(}e^cY}&%L5c@%7_#iXzO<^@I4q!^JdC@h+->@(xXsP+vFs6%aAxArL z!wg!M+XVzF*j0~djEQO?^^>@Lg|~S|+-6Cdm0#m+=^|Um{ft?{-WXC_eT{O~gB~=g z3M*;Qp@ui|QH{}zUr~!ZY^rdee+X4+cV1#@ed^@0Zv-%2#G`Itne3Th@rsV5& zmgY&FeU10T0&b!BPUQ-FS0pXb9OVo%?AbC4xP{_{&gC6$7_#i~ADRu_V_V2$Q|0?> znAXR(5LEA%-z-t*tmMGAUKQpvhXiopYs#C(B#HJqwOJp(S(V0OOXq)SWSewbK%b88 z9FF+_T;B@H_@m1BGu{cXh!SvS;Lz5zpoT0V18^>aV};qbPy%$$_2$Z)58MKE{S?t-MPTeqQk*^wnGY|4b)vQ9337jRWGAr04 ze`>WH+oVjh60Hl}r$}qiK2U;piK@po?&{0KnrT~t>9Lr#`f`8BcvfLOkjcGbJ7lQ8 z+?Jwa9ItXX=kxQfpz}SiceoKJb(+={#4ypT&%Dd>3!y`z8Er0r0?#9K*KfN|%wW zp-QX0toLW%R`y;at8K$?QT?#ZbhNBRQGCkn{2`x?_C@)eq#?f!=Oy*Fu+A~fLui}S zw-|Z%rYP6L>m6I3E#Alf8`Q=3^3c?({b(p$^|EhD}eM$~@=xqut)<(uuUX4!+G9Wi?qWR45B%h3q- zAXkvXy?2l|$UyO5`GDJ|9^XhSw!_eWLVnztHPTqQ2=ehQ?E^c^l&dhqZKM{`x>pf*7EiWe8!C2xi;{vhlvc9BlUM ztWMITPC~dVnIQIEpe~UQ^8Q%n*ov;QCCt}8niY`=>ahsh#aEQqZ{0>!B;59{$RA{h z3D5=qMO8|i=TMY~eNh|zUF2U&Hc5YYP9ZcQe-KL(pbHKUp3St(mf07)PBv+^yRPcI z-qjh4HOdCj9zyG~x`cda!|P3YrSpZD!}R{cuM{Rq6H2Fzu_(Jvw!{vNVLHAIX?&8O_aVS&sP*ou)k z&1MY1^f;(?%RjP*FviRmV4v(QuYlbW&KqE}D&M4!VhZ34^A~pmNvq9}k40YXh;$pF zwnT;+b6ZsPqgjGrZZm!^s?dK@UcFU4@mQiF8i&+*R3WEsHJJT2r=SewU%3|n9x z77}6&jg3BzArfoY1{!+}p}&IjHIvoj@K<2N2E3;nAr`1t=y6QYXv2RtsP}ll2tEH- zCYzp{3j4?gJZO<>I#=RZd=$BV+vJYtQDy67Q|F62Q9*w>S8w5RKgt`+%q(lV z01Eg@rvFaq!wl=6@M%Q8kxJ(+3SmUGoA1ZkLOB7E2*tc zC(rdS()(|-AGLqPkAN||DaskOz-GHDn=O(G)}Zy}5g;uVF7*M*p?t*)csYvlAx3lM znL6>RST2Xc=#j%a2mI)xc+4lLKq3Vakxwaiq(CArouek7Y&$#(!RF{T)nsu|zAg%^ zp|&n=Iumfy7c6d#eg_FTy5sbZ%!9oK`pLrAs$K9Hul0ZEQzqUy7+Q7Gz`S#vcdl>o z=%9E6V~YgkrUgqPu#Q&02ZBNy$N$M^PHQzAG2*GNxLg%}WZ*Lyr`br(rXa?H&L;3~ zv2ZfSM<||2oY_jX(yBgOl_Mw#B&~++_8AQGTL^xp7Lf_)5bT zWZh=(-(r99moV6l=Tg__6bF?89F(J}Py7{3PoJjD;R%ahV6&C$sjEB~aY+7-p>!1+ z*f|tLP~$PU$w%t*9z~XlF&G$lvA!+y8{7{|zk>KFOa{GOx;=6oj%9hkLInQBxXBV2 z>Wd(fLMl?oJfiVqKWCuGde*oMrFIij)s9|Bfh~Uvl#DHt>x0}hmV=Nw=$)PluDh&4 z>!6kn^YnQBqgF@6qeLWWuxYzmU609|(F|K=MUL;lU7iL|#;Ou!iKqC%b%uu|YmUATmK*gmy`pimsFFgjEM>xGI=P!8j0lgJjTC7l2RXTyWGR2g zdgKn3Hn%Tn)nCT17GE-GDGW8pBQZFvWR2I`WFwwMS$wAxWomZBz<-Do=;dg+4z6#&&r$Z9~~hAHt|bcM1*4Jsiz#5P$vgJBpH!s9fB%=>>m}Mf*4Rl`&|^KvN#5sozX4gc4~KC#72ahE?~E(tAQU zT;$K}HW9yVnTuX{ogbc>f#hNZ0CH#v7SG0xRiFDI2SReF2v_M#Kp)3aEgp#V2{`d~ zwG%Ix@5PZbj6L!BvJfpxScZ|TwzrAA{}{J%@&z5I!XknPw0MWKX~rv_xC3>V1Y}j;4HplZU7hyqOdZXPZNS4L z0six=SJlxXE9+RVMDS6@h+PnPT(lKoU7bi-RdP|unmGU_BqBg<)<5_-!ZI87q?oAL z?x3O55}H$!Zhfs^3zdJsri>c_Ia6gA-_ZTd(=itDTTB8xB2u>>9-_N#>TH$4+h=@| zX=Jxx@@p#zU>LO|n{RakA8bOEthcM|k%?-$7h4M%4g<)jBbu8ecx!RR z_iyFn)YhRt+d>lEl?}{Z@mA$VK)}meWX{5AW-{7i7C;b@{CrkBQAMSplt>C$(a#WK z64J{Jzp1d4B#?g{h~R6vssd=?3<{!oiNTj8)}NL@c5Pw&WE9KFy}ZUs7!*Yf3omOy zGb_tLwp1&~);83Ve0~y-!>bsGMt3M)fam2^FCMY<2{2~igL*QMlD{stazdm&pJs?m zPiQ;WVH&)ep|+kV@arYI$ZB2947YV@W|#Ec!uy>NS#*E*Lj0C3s~B-^68B5m&;lSA z5zd3;KDh>U;GwB~6GzE%S!T=8zmE3e1Mi-qY{dn_sSmY3W5%=|E7Ez~*a*k6!Ww>K#uGPx)b&F3jDW zL=-}ZfE-L0=P>co?-YxkBD3jOSS2 zBGayCgSiHH^>b2>_bUmvJxeVSsg_Baaz{a=1CZf5muHv97CYW7hLrOqy-b{FNUsP7NL7!>cDFl=bUMIw00c3Ms4Y3hqWU&KX@ zh3eJN0{v+uB11KkkLnJku~7mK#ZZHph0=cjd$(DX86JYYg2x+b!6R|+vZj;9AiTu# z^5T4Eid8HV8qe>Qa^vGsj)k$>>OoXu>%Fov)V?(kf}PgrIn*O>5X`4NiS*u|F)Ex~ z0849B&k3|p;pLB4AEW=c`t_IDR=5v?wK$nIUut9X9zN$-K4@B8#@W+n?B%m7P?LWb z{X4GjeS=`^`on?}$&xa#8PH{6mBTD>fJG$GF~&6&=^`)D`()J|mfUA7mqJb3=*)|_ z(B9v!_Bl)ZVWQ~LBuzx|x`VZ0o5ik#ctj6DTd`~kXg;-{&Y_R4R>G0V%4^9wuV}`z zfN_sipcx%$vZ0e0V1Sg26d51;6^?&@*O{(8syKW%?w}T$%ow=Iw@PVJt$z#QJvPtjr zw7#X4Pa5g}2aD=PF5O+>cSN6Kh(`Be9d-A-- zVTUhjp`NZ};UyjzQ3eEvntOkUtwXG=yiEGR7aldHgN?S9jWi{n6;*i?Mq3CVPw|&e z3{ZSbzCz3r8&yZh5)11`3=L=@>lxH;Gaa+opiOyb!GZM#-w5UsguXRJIQ>HNEy4&E zK1SjuHlzLwBBiC~l!-3b)Wpq*KpE_W(nT;i5RySoV1X3wQ|X?d=wp9~z#f7($!-ECjazf*hu6?uF1A>f!UDu-DV!%(7i^kBA|g;9 zI|$mg_sDQIMhN6%gWKZ5=XkO~Z(W8aB{SPh>FR z(1%~gV_KL!>9Mp?2eW^5X@Hg)#D~u&Qg3USW`fieV#>cNaT7PLK)lH^+=`9@+|Z}5 z!i)e_k->$-ANNm&vqrJ8&L&I_yZh`qoSP8RVI{@yFm8b8VKy>&9un-x%Fu~s5}U3o zMBXs#x`>@;E_sL>;s$pkHI#l`G^aB8EzmJ0L%C}~Ua(3#Umbt2(#JI4!XZ`5(2?3k z4413xD>lb`8!225L#lN~mW8e`u4EF0zbM+NH@t;0-K_S_0hwk~TL8ktqJXk`5=4YVa6fd=G=+rn5rQyW>tvILaZ*x9OI`4( z!KxVq^|4c12dXlx>uw4nN8_4LQ|&AObPrS1DJs~i60gwM{>qS&5%nVGi=?W6UW*Z5 z>hrD${PuK()tOsn8ruRR@)R*)Fb}VhT6NKgT8Lf$K=6O6FlOHHST;I<;$srD!X)4b z4;vrWYLY6e5oCwI_`C?q$LQ;Xa<=hxMRK+={}R@B5c!)>PG9(yIN*4w)JfPlVokB`>V!Xr zSSQ{QL>YhOXl$RQFK&cR8q;r)L6ib|E^2>Uj3<)>v2TlF@RC*vo3)M)LL5AdIeUm( zJh>Z+Tbu^=6n9TsqJRzg2I8az%mnKl;B9doRY|9C_$p;8AhzPdU_Y`?qv<>QHS7k3 zHh|x?(H3|&*}CYP!mZYFT7?n!?8O~s9nik-vmSrh#_zLsxAV=&1YaKXYRF*TZE-od zXru&jr#Nw%3xj>VswTXsEorQ!&4eK85Ri@Ymg)fIs~nHxsa8RY{?robjyP>IZzXZq z>+t0$iZRzcD*-L>)q^S-&A%frJB6*ZAPbr>)4p0pM_;F-D?-<(C<{8`VZB-%gq;qu zU@U)7(X4mZ*G1TR56!p{#f1~iWe{Z$^RDYqbhE{65y}%}a0P|<8^R2+7?ki3<8^VJ z>-`YD(8FIVxbc8tbTk4oZY{P05yhBcc<7=Q{Xj;qYta@kmbNIGt=%7waYmk<%b z*Sy>V@R|}vl^XTj4bdh(Rq(?`G5(XrD0u77BN?}(X%@ju3F0j!+0@6*E$CqUdzxNQ z1_aD7XcJWQ|AQYSFhE(IC&1yl$yG>~V784YI=Q(FBD={|R2U}RNjn2f@`D=$25*KM z7P?nJnF;YsN13Gsaj0i8qVPa;Q#OB1a^-evwX6B=ec zQR?q@5_w#OSR}*GPM`h zs7bx($HA!iw3cMEfv zphZIvS=>&H@~%3pwG%13!<7PXlp*UNpVqb}LzsP}kGZ8OLIre?;?UtfCLqQ=U3F9( zYtM&8ic5<-rMSDaxI=L$?(VJyW^pZ0+}+*X-QC@xIK}euI7S0U$RE%_oC!M;!c69=Fru81 zfc4P2T)YeYB#LpJ;q8Bm)XLY0h$?)t_&eog|tgc9U z1icZ3HfwQHF$wj%uKI!Ge#T~DnNN=HEnFQ zoQIr?qbcF}b2Kv9O006Unp%Dg#}G1b0U@v8##%{4Xz1=(q5{eRmd;|+^=ZRixoqePUJn@RbS%=i;ydwZ#OmXbu`y^%f3`)E*Ki}0 z3n5E~)cw9dG>9;26{aT z7;NbMo@|k)$T{6j(}aF*sotsHoSk*R&s=Y7CR~(jnG%rR zn^lZru#T%@C6o72w-#`QqXi+18=H+!;E9aNFi7m3nM1#70c*<*NT|~pIz`S$6(K5f zjT-RdM}uM=HD7*Zh&{6hHW*D7(BX}TY2xT+52DAV&W3D>44hSat+=T~ufx+R2-1i? ziqp~6#wc@t4xz@s_}%LirG;@^Co#skqOIK(5!Xt`VTToYkCx!>a7tV~$EI1l&!OUE zP}O+q&{!XE4T$D4vRsQMCyy{4g>18X7PV+chu+}<8w~b*@UlG@^xMWTok@G`${Tz$6E%I?dPMYvc*wEyI zasD_+5s>$Ea8BAS5jQBP;=10QUCrT=8}|xulbilYa3|>v`P!p!!Ggu!sp|DRM9iNJ zCpV+JfOud6(J(sbSS*@^md#4ULx0j@~qn&gfbqtQugfz;nK%vmyexW>wC*Z#>T z(&n+Xtkdtbv<{Po5~g1q)xar_1}QuF*3_N#6|Nf-7jl%)VnpV0rSX3?Q+lW@3rqZg zFj7vmeo6c!1)KEOi6p0JQX0=uoF$^@WLxqcvcK}ERO;6K-oJvb*fHCfLkxZEGEwMG18{bB~NoJ-Z=SjmWLiqBPG5xq7@0h>_nK{xPG)f zcw@vfMn!xiTdjOkb5EOnExLyz1k3p^RFy=i=$B8BsgbxptLtQ}b}=kd@&QW&6=a%& zKkv2P1>P<+PXyIFhFHLwmKl}0a!;_{4#|hc`96vPSL3R+zLxh=ETGzj{2F8QE5b$C zlB|PL{9M&EHvHD$mtJPy;*6D1VubdIj^EZaER6_;zZ}q6Hqms-LoI_Dv{!9+Q(9!( zaW-~nR#Ai#vOaV$&41OuMF+MD6<|`B$YPiVtlC_K)(|*r3VeTLJALd4pGje6qfcRW zen8v6Qn5_4h1@{BY^MB6w9^F7?l{PEKD2%N+a`PEV-}sS)qb>&Jo@j@U@jPSzmQex z<#KL%eQP<|xG5aF#ek3qNzE304|}&mRtv=X`J_ls9uNJdrzxwERy08SeY5h7+)KKs z2jYD!WO}7!quU;H5xg)YZ>$k!k_PS|dTuf2;8+J(1 zBA@&8z>Y-=GQyd+&lEveXBL$0ccT|=EX&{Jq}>Q~r*ju1EoIOzaU+h8S^e$VR--U6 zuTr^)U7x1xD+dM7xaEK_^0edR=G)=0;;d2ZI3A>d2VWuBraUdG$Xo}?5aT2(TgNF! zJ0|ATd5Q6_(N54-v>}ozl2!NXe4Wixj2|u%r%(J7nyU;GQ9Vze*mxAb3n|hls>vGk zajf(@*AELEk!~{A!(1XRNa;tzWEFO~I`FDx9bk~iI`Q}Lu66?6uwg!l-nHxMu12`* z%9_6F^uMEyKA_GD-5^k?NUOcH4l5CSE~$SQ`_=HUJnF8BQ&;EPBQ%>tnwvc}bbs6J zLn`oPTIlx|14`tU%49WqHnyf)S)P#dd&2OD+S~&v4WL5VH>?1*cMvMo6 zI%%PM=!QN9oANV~)()J;gQ$JBiLueTx+Rv|%`ty?>f!gMJ`W#>cx#St2JKmeTBO z9Fx{FBF{IvDV=n2WIi}3C>qe?2JElML49)978xGyij^uWJe`lDdVQTr^G-p^E$m%r zx6RXHr6MN-dUw!z`o;zZS{u{60_iX3{Ue*n#0`254Kc!YcDjPoy}mjnf<#GHa>VoSmjbZ_s-&u6#c$*M{YPvE?w zcq3Jt?@-kf5(;n`ZG%{-_cJK)AImVI?Dm;`Cf^CKjwZF+deD z6PJ`bcaOiFd^#nD;K}3}Md1xO<^6;~MnXw~IfFob#^od@->39LcsdquwS$(@&?&6|D^FxHqL@Vx6rz%fj}nGp9Vqvs43*UvTK*;5mSmL2pZeJB z2QaXefcAb-wy-|pT=ysPVxqB5>mcG?^|{eQH;qsOGSfQ)j|ZG(|yrgO9(S}hi!p(7p&MYh(HpTA|>v;zDe&%#~H zcpuG!Qrw21ngp%f)l0$;U@IAHe1F~}LhGz708daGHsi-oB73-kWQYZqr308UnKW_) ze=)xkg_bJ&IrsWgg(rjSvGF&s0 z;-YDG!@)F3CmoM_V*0~ShA{Vip5ymMRG`i2?|HY<_6B23sSd%|ym~cyqgj1yS{KJ& zF=Sf@CTjL&FidTlun*s8bTkn%FKwknr}A){`eTQtcO%x^nG8c&+xlLKlXseJv|^br zv%rcgrXIy+Wh`BdN4`z{EG83-no0?z*O7}MBo=%&>fXtRQG4f`^;r#T)~5320s!4s zy>4!Z@^Uw9sThp`GtW(-v|*c^w5>RHhGm3pC4MPey~aEf$;1kQ{hQy9`lR1w$!ioT zPUPwSFr3l}N%&|EZaR~>$swS?;>r>esAiwRyw61pVR87Aqug*vNhT~Y$To3n#wCsI zjH_xq_&wdYCh0!og0weupmOqxRbVr1G>s<|tj~`1J#&*3er(!Ffp?9frFi~ENz<`z zXl?RyPiCKLM{CL&9GtV1ys9#!6b3law5Fv?7^gp1dv`8KvzZ_$2zQ?{TqmSh zdoCa>TLoAe*DPvS>3n~|Qk7fF+ z;ab~1+mW;M26YWa2Q0Ss%*PbUMkmE%&I>Ok4he%6wjG(I6-QODp@Aio8h9S;mg-TC zupl*?ADo?ONh_x*V{b3#Z%PvkjHV>4Gc4H&Rb$Z~*LRMsV2K%Mf3a1Nh#9pGj`T59 z>{w3Cy%-gFCmHafu2C+UMm?CaynWwmaL~{mSTTxW+u5S!wTRlua|fGElccoF|d1 zF>I-!bsZUY!&T%2UUdM838d ztA!>t2|qrn)H3SLIsjeQeu`LQwLIqUC)D?yWv*W{o9vN)7d7B?7?7qSopRAbppNP} zX4p<|xBGTn%Cuw75#NZk5Cr~3|C^FuMibgc9INVVVQRaft#vb%$&tWa&DK67vaqQ5 z`T67Ut*3oSXz4Tn(+;li#bQ~!fycFRsbZ=|{$@&vP;2gR^z`)?`;{{hqf?fqMQ@7w z83)8j=Z5umZkxx?U_n|+doH=mM^NSZ3>LAD0;^UUaA^1=={|V(#t%_uuPQv5>JN+G z;_+e|Mqjd(A6V>it;pFp(b@lx?PvCEAEvs`w05J^{X_t;iUeB=(b5AM929~s35|r> zTh<=LJ-T+}UUxz0#h5$YYcoOC_zjKU(vN^Dpbm)bCG$uO1SM0xp zNkLL_miP;*>8pj`X1?bpmF$U?a9yx}ZFVr$Ua(PwL#tR zN#ZAym}VG&Yqn5K1d~HZGSbp)plymiXsGRy{xfLcf(khmvSM*v-W>8Ng(jHZM%0dW zm=i`L2O(v7v(zR0Id)O!dIixSVyhh>6fPT^N}6}4AJ6bsKp|`=IP3El zdWT~NTm_q((@-{z`$WZWY;?UQ>-bVfGjZyl<&W`9S-SUo`%G@o&g;z?>FVfLbG+rQ zE7S;CFg6S9JRm1#rkA(&+U%Tb@ok}tm2#! z;5P+&wbnoP0-sO`7@a>ThV+*;eN8}dM>qEY-fM>H?dgl!d|XtxM;3-yN@~5IH}@8- zZfM?`p2Nz{#k4Cv%uj_ZIU7n)TT8Z0aJDdBp$-Xs8~C_S!uYENukfRF-SM{ckC0mx zg$f7!#BtVwZ`Sf&oY8pRo%~q-qScLKyO!tuU8%xMZc6n*BBrRI)TsdEYARY(<*Z^7 z0P&+l#+!%x9z@|VJ}P*S84hClKsCWO2(onLwHb#+$w-z(eKWS4^KZqdjWE5-R&$ z{Ja|EDRkV=(^os#+!>$*(V}e%uN;+UuSVq=2lY^3<~YuUdkR4<%{^G1a^-}++}x%- zXef4j$zhns#0lG(Y~+OgIp5btFfS9=9+%rS=V!lU!52~V($G< z3Y*}_5}s*JSm?l}dD0+3O&u^y3samBXL(DmZrfs-%nWH%R;>I?^)`RkcUM!wsY-)j8P_FZK&ecS zU*!I!6@WDTD)GaKfg$ZhV`}xia*k}WCn`)^km!|y8vl_jkDujw1Sk4Hh6B#@*HSue z&YzzKGf>{JRV{jiwc$mXft~7pf9{qnFn2We(pyDDfxSnrFJ;dNGdEch7M?FlcC|m+ zSaxmS@(VVZ5{=^dEQ#R^BB0e#bY{f8zg?x1v6Px0PNHwPf6fi)eO#v29=BJ;8M@)H zEO9q2WR_dB{KMSy`BrWr=Uawr(;?Z^`Fd`b0M=C{f3&$+?c?XunaE$Cs`N6XW>-Mm zQa;A9cfe2WVw+(DUQ0sAev>7F5%xd>veScw-J9qhS66hQ;4h_LE({wh^=`-A2?m8U z-r$E~`?4*eK12#aEDo1d4!!TZoMj!fy_~J=*_pjwTT7Ob-iAZ>c0E@$M^LY|{~9tb zJqOLDLMHw<4VL1smBA&2_YssmIsEh68b%FIg(|T0b~oz1oP*fOg{nySWX3x@m6yYP zT;-LRbDAkuK;#@{c-$+tVjeC_e^lE)UlpEyg{6&PEzWw2qUS_de5kz6>-pQcIs2|s zgfjQWNOZp_WL+2yD$16Ivf3SQdy_PXq48ES7_xxSBZARMe_57?fM;ORo-6B9wqv0F zaV#J-Fy+UPw)P3Z+7zu>4%5htbAp(FOJ~yFB=b|IW3Artg}_P|Sl0MxQ-FuG^5@UZ zn8hKI4n&&Eq^Dhh1fCIGzcn)GvI3}PCys#+^^x$qg!c#2CtRN=z5Zq#lrnLeys1^K zPw9^;-M4Z})qlc#m=28T|Lr+HUpT$FI({ z5S~8lArts>I(4Q=H?aps`qlAS+X!UvSw?sjrru<7QHoF^O_HcwnQ?8y^EO zYvEb8<@b3dhhBj(Pz4UYU`|Lv^{{+tSBYys%p9d~LreDRAXrT7>@zOsQw~f1ek1Og<00oh@y|zdylHl{ z#Q{eGXI$74l$u^d)MVqL9%u=T3$W#5GVj601X7_OPyAA{f{27%B#1(@)142njf_>V z%){gL=jf@RA>?ah;8C!Dq6@bhnyr3Rbg+>0YcY8qEWt zOA;G>SAaF90x_{k!nO(4a91`fs&SV7sF^cmkwzj7biYwc-Dg5UzxEccqm!3wgqwb> zaq4f$>J8)HH4rPPrebgLTziQ9NNb~r|0CcN|M&- zJXAq>gh9Zth^|Zh`drKV-u)Y$R#O}Lj!yMW)Ot5B25~*{YKG**vOYM>G`yaMMfw@F zWJQiqZAg!zVyEn zY=7KK3p!}`LM$kiiemx3;c>B=d%)2dI86Mog;|6)2prz{V`?(}_-_=Lze-yR`&b;w zt|W|U-8_Z|cN;XW2BU8%jYl{_Mh6XBFL&xES(7(BbstLyi`94@AeOT-R~ajkUnipG z*5HuxJAW(Y!%6V5xPu4vc9PWd=zYkPv63^3eKk!{7PnSL+-7S9$tm;d7DRf_z^ z$=Zm}%HzbKShZFDjTmX)fQEG;y@%OrzfIloT)pknDL;` z{K!|FM`NT=iaxy@SFMULnKQ$gu~q3qhbjE>x?AZwdaXPNY_)E3&TgR(A`_;Sq00%i z(;r|U*~)kvU@k1aC3?{}cNfoLNbW7)R2&k@8e4DeSs09XRfecfj~gFIYuL;A?ai-RbWCSs z1tkC_K3)^M+n>6oZ1NGm7J_$@$m(rnkubJiIhTayX*V47WSf`@U`PL)q@Xrhq9INX zHP{5RGV~@v+QTyXAM&rLt3v^U^{c9^>1?T7RlPL8(IVnmA=hqfciZ8>ljGwsN|Pt`*B{Z| zKp@pls_3Ip%j>KFmvNjTxqE*A7c0p)SDrFF-+vT8Bq+W;<+I{(F?QSQIN0mFAN;b2 z->XyAidBUjF4?E&?spj-sv_JAf4$Qmv>HqC+MnJBYMjN!9=y|*vQ3*l#0FD zAOqjAo88JLuT$(mzEKAme(;~>*6R-5f1s<3>1=q$)jB)5+o&iP2U^5~oLWeRoxLnl zYK&c~62o|rkK-`Cq!e%;9_C<@nd&SxU4`$b9iNVmGm&MT(;OxY$9M>2cqf%nmoREA zKO3u<&U)%5rqP*}6&po1kqp2FFAX>}(8gWEWAFEZxwqm!lY0(}ah02qf+9aSe{l*9PzGN}uJAg#rmy88;lhZym7{*>OWA7~rpc~&< zyJ#yCA98=#_eXRz=uEwk`u&l2&ma{Kryx}^7kZ)*&J?yAw+5pv`^^iDMN=tMr>XWq z`uBJtb%%u*$y$VJ_JCHnA=C~R(vE+ay@6h;zkaF%vn(>w4@gB{Q!Rg1DAG!Zhm|6p z9LT@jo_Y3w{M&9X$`#?uIn?i^WQWHz>6DJtqwwTw*Rjs4q7g=^zln(URssa9X%$9t zO(X@dgXV=-FEEm(Yq&d57DElbFnX<6H!vz8#-I4IhVm#FDLVG~d5unsJ?gztMj7 z!+l)rOtRdzz8}Bsd``uMJJSBjw6` zlST82Bek*iVFNZzA%^eI&4<>`%>gA7N;Y@E&S=~+&{|% zj(Urc_q`AbJQxE?Cn`Fz@=i_BaPCFi@iMx=0fy!8xL@^5n%JPK4bw28>NOjL6{$r5t|Io_zss#saO=$guNI_k`FxU!itdWL@1L zcHSKV>7bR2^Ur-?dcVTv-6PzO5?pb))FZ_GX9(OJ>&;472rG$(Gs!!)>Nm0Rd-yZe z`-^tV4Fs8=7{)^&9lOg!VlSw%_htpmk;B@zJ1a*{lOP@YOGIK19U1x^p?2IYWg1Yo zVX(IYATNDYL#U<_w89f$`$saRdUbJ+!eRSqWoJYHc<%wx`*DH$h&cv#*|#SMqxyUb z&$D-~;NSiGy}Kpb5vE^F2gNKda;)K*bXmYsKS9bo0WeaQQ_HoH9xrHOeD4e8)ZNF; ztS77dVn6D`wI`H{hvqTX+`^wPGSP@*3fqrc5~>(|a<|VM^tH)Ugr_^Omk6#j{!Kg1_1@JtQvU)L%4Yn3p=o@Bfc%@o$3sOe{y&wsG` zcHm7B%hVFv&LppM{dh|ho1g{6CcuVrJBWKFv2qU6G7Qr~?Wwes@IYKf|7S$BFVlHr zZ&JtM$rsYR+4~Hl|HDzDHP{ek7#@4CSAct~p6!2{;NJVk4fcz2v&xSPN&SACo5w{C z&L_PH^}F;9yX@|ipIN4(U3>>TlprTms#t6G8{h@;Zb{8;4(3-KHas~L&&BN7+b7~w zTZRn7RqxS=K2Pd?_l@yXD;b}&oTK%wqLW2kFZZmUJtcO8NL9-|m3kug`BZl5%NOQ& zi9qbJ!wsPE%DTw@!oY+zK4j*ATP7PH0+Me`kxrhjE&+v}Fw72Yx2nU#CZi?>3h(_2 z;3ksh(viY+mt=&Fldxd@hU|X&qX7)_^bD!Xq7a;a$Prs>7(UzJmLhf`bk2*n_MZLa zV>p-RdXtXMJ`vf>j7D``h>t&$#=MB%>d`
*+#`fO64DG(2<4(-nWtw4eej(h&+ zp&iPWnm?3(4n<#-V5-)KsK?PixK+@yk`pbbX$4K%4TyLLTAXQSF5QIPfd<-lX6MoXJ?EuSMa$`H zn)G^*Hf`Hnbz9Dr_6W>Mn1>Zk3SPWESig|@r?r%8ub$lKy|VM$Q=JoR&)s|af3#5S zup=j_OD*02(jWxa%<53h7s}VrB(v&2Hb;@z>c6XtAOy#z`}FVQjtqfgE?FlhznOA# z+d2H*HL=pFj0I7_xSOzYFsMtx$42v(+2=pGqD%*A7YOGVr(~cEbXJ+!NydqEogYRc zlOT0WM2!7u$2l2wo9FJP zH9HxN%4ryq=&_u+aj}i5i=l+4e#JqNL5x>`$T^fPa)6bu27iR;DJxVYTRhundiGj$ zj;_|Ie~`35A~?P&wG`tO#=*mnHvk(fqH}WOe>JS+JXN}UA)6kh1TG?8k>0WKwK}Lj zB9AMR%fkq@>=RZD1jUxv?IfEqE;ZBi@88Vf;l@UtgTcRfYe&=tP{5vDgXtNm{Q@Ky zv!pI&>eay?(RR}QiU`)C;*Fht*Pi6!B%cW}q0A?>Dy;F+nSLtz+uLXRMAx}Wv;^}j zApiY4#CO#Rtqddq{es0R%j?^zD-|u7Rnt~HQ&xGxi}L2TXLFck)V|L3cY*tX;@E8S zNph6QWsY$8M*e&Y1E}EmGKKJyG-|VKfluR)beTW%6N|dPOQP0-A(DMf5ZHD` zCqYtXp-Hr(o*}dv0>`D%UR934C(VK*59u%>6Br9rTEcjlFtZaFvo!J}+*vS2lNdA9 z@3X*q^Jb?3Sg9{XciJggBm3{HAlbZ!t73A%usz7*2sf#n*Nu9dp->G%)b4g_Bv3hQ&LD-S9gV#Nc9Tn{qqHc|CfPlpjUyHasFSEmO&gIqZP3SP5e$3hUTM z#yW6R@@LHetAxa27>qfLC2FIAmJ*oUIgIyditv^-Sd(f>v&vcdsT&#sqGc>zxX!^z z&Ocf93bCS;l+<$c#z2;J;PPaUCXAJPWF5FOd7CHTSgocGJe{0Pfxy0{wE&8?3{9dL zjjh*x=jUB1#VGn$fQ|S*(md$MBGeM2Tz#_^D@t8SuLMkQ*@QKzsia&WPk7LVg{Gr4 zDxyzO3$H1lQD)#}?F^^s^b^DIUzU_}kREL-850VWfCx35d2tu)rwHI$Z!QTOu4|lxlAFV4>+NZHhor zmXc};{E|^n3P^Ssw`!6qXU{EYLV;*mLGyps=u|2Lc_}%=Ev-#&L(hZuEf6d*O4T!K zvF!fk{}eP-2VP4CeT6wuJFNqs|0e>GMG&mjzamgJMC7WXHp>?PSQX>x^@j2@n?Pfd zUiIKV8Uc^x$7r=J#NTNuVOAIZK~;@FD7{`!e&-KJ%^xxJn*;fUvROQ`sq}iI`H3Oj z-zDPe!NMuN`3P*}d&{67)(FYelU6=9nw{ZgzFwRzaI3_IxW@Hh+LUa(01K{=`b^#w zKMODRhEi2c`9fgKXYLG7qmF)a@tweyhGILt-dcX9tPhXk0R84xer5Xn8qWCrIysI3yXrq{dA@5}=+sNXbz^EC4w)6dZA zen$CCxgxr?{A-(79*D`U+~xC{j?z5sFnho{f$C|ce%*#|yDf?pd!@0=CJ4bUv_zl& z92PsuS4peDj?fknd(vNNRb-2zm0wGMK-OLJgUyraM3ia`!nSEYLG0AX1G`+hv14%^Ne2Fc%aS z3CT#dG=b++|M3fkUI(CT$IxWj*;MvS#KH+`i!6D>@el?Q;ey1xZaPWnX7Hp|z@yX^ zTJ2AgFt#*As&VRag~mYF3`D63fV*H)UChZ?6sG+ui!9ZHJMt}u3YYR9!&44H1 zkA!LqI5*9g0)dV6^c1x0@-L~oCdA-XYMXpJ*7Xa9OqYVjrtUHKgBI{f+BOzK0}1^F zsM`heh;~JI@~ldxf0rTCt{_v)2XFn9fyB9>@f}s`w+xx?1&y*>JnL@^B;Ey$A>A?( zWUXL?bl@M{8WUcE9Na>asb|A$`VkMesZGk69H+?`Gd)$a+OK(`Pt!xmwJ$&)-TrYB zTc;NwjrSwWa&oUrP_`Sw5k{dQ@?X%=`vO$6{*J?lgS*rw#Y{@mER2~61(`{pv3R!w z82>8_Zq>nukDuDWY&zsm%lBwaKT#5Efgwb*-G9|_H-Z?t_djiLGae@YrwzomOz(6< z&0p3D!GB=FuQ4=*H5FADHwz2?H4z;~y|RLTOhhfM4Lp#ZosYo22Ym-J`5Br-JsPgO zj@WocZB{PesOZb6*HMre0HTjKyM*z)$7oU>-214|t~CbS;w?I^e5hRWqrd9^3CZ0y ze06h8YH-KJZ(N2wIj8imd#l36Saeh?YuJzfv4Y5R%3Zx|D7!f?1K>c2!Cm7W`D$gJk@6Z&gRsV!5M70NMn_{~em}YNCIewUN47+}WXPD6!40hE* z?viV4y9cFNp)9P}UER(zIZ|l=M%`f!S-8T#_g--Yu8gQor1O~fGA$5x^xDy14 z!LC$@Tjv1ojE2N`pNY!d5D)JB48o|9PlRb|26tA2Flv=E$(z=}fEG5~Wa9cqNJxV_ zI<`7Hu$Igl-jw6Zhu}3w@Aqje4l1{n5^~GL0xqc4Of*1K^BsGp=>{r9i{`d}jBYuH zx36iwdtmMLh)PKXByW{B#NwJzuG5pl&5otWL=-WJ3n#yXZM)X52k4patjMO*38p<^ zXMU9j`^#lZ1X9*&K-!D4#Y`?o*DPY`P0Z5DuuS7MO!@uLv-ZQ*BlhAj<<$yD2lBq| zCU^Si`SLSEBH&Z##Pa^sD(CxvZH7#FRbc(fmdL*o;285z!vSE8W?Vg14L!T3@T2ZC zy0On1y=IT;LSH4cQkby-OZ$w%5A-F_$x`cQPhHv@43%%dcN5zJSo~DH6Oiek(W{F^ zWmi!b!+qDA(d*eMdHMK*idMcdt%RsthIxvsm5b@!=H91eNj#|AJ zPtJ{<7l*5wOMr+u8|{aoW0}jE7WH#i*OjM~tiF5kAe>i5o9v1Z?{nSPGsl~ID&Xuk z!?oIdsVu$T(!F@RWbCN*uQ}nqgI3ycsO^uG1C=yW$DG=8#6qZT4w5sdZS;$uZS;?( zHS~{FD_Acj8-W39*2EKY3bF@tO&S^)^L z2zx0#cbWHGcUSq8V`Z)FTk6CIO+cXF$n&psi{{I@iPDRGQ%A*)jS2o;9dB#ziqdLe zpO@PE2k*{ZP=eXd&~;991!DASwnJYk_V(8ytU|FRni}r0jS&uI`-xmVigdGQC0@xkbbCOABL)67N@nk`#}4 zHSKZKr=8p9zh{#!P*`V5-OZv;wch~qw=31ix^)Xb);`W)zp3~fmpPGvF*wP|eY)CAC~NZ#D0#v53Yh;*{Zf0B`YM1A#=ApC+-TjKdz zy}YLT<4)x|fq4Dx??R!ihvJ`pjFULUXO$e3Z{ z6q7 zY(rlhyA9hghvL}woZs7GBaGvva!8t?Wb97~g#FCL)61@>N+^qxN@!Wn$#@2_zAChlHX z(a~OANh-d&cR%pz*cPTb^=Pk&{V5G)u9-U`HG2ZJjbw z%lRZVrC7t}Rl9Ev!pIV*p7W~SsjI&#Rh3B9hw_XH0$y|=vJsk1 z&(=jYQI&$(sPxioPD*_3g643dj4$rVe{O28>X+FL_hY~ih#?FH-j(P07V7=i%)Oa9 z*R~b;ubG=N$L^8%%ISIu6PUiC4Em9gRdooWLzv?7)%bNyPv1#P4|x|pbAJ!055tR= z9y>$$A&;*v{qWQB>NhVlbyDo0Qa_lrjwZp7=EtmS9pD0PfAw50PbnWW`l^P-Z`Air zx4MSminQYo z5Faiu$us0MpR=Mh*6E#J>wlcG_H&djqsI<@X^%9NHmgfQ^0tgUgfo0K-mV!Wy|6;S z3<7$eGz*6&Y~&M{C4^|31&H)sAfk`1H6B*CmV&7tv~^W*m>sOrB!WrUrMCx^L4@xw zcuMFxfd^{-{OfqlpMQ;;KW&?r=jNJ%>#EuLo@1sNwTC*gJ0lcfp?`Fn;gl|(ZN8~U z#~cfj(w?6n3m2{qsr30dPEbqO7drFr>DDeTQk>B|+wGgZ|DJC4YKTGmcgW_e^g!j_ zzmHe$jqLi*EkAX`R2)VN1hfShx&btrVUld2%;}y`u9mBNtJ;RIHx3z2{Pj-vf^w_E zg3*~zp1^uqkZ16mV1M}lmT-C@vKh%@V|XgzrkC!1$ZmBS{~&UUQFoCTh#9yQQuXP8 zE7`;ssn1plKLT1IjHl;Nd&X_RWmt(C1Y2Vk$OFh#vUzHb_VN2;56L`fNFQDWF$1?k zD&M&FyF&Rs+q*gkPz&Yhly-Q}U6@l5zw4C?&x%NO0*I(XJAV?dn64OvKlt=SwQuEu zUbTI(5crL=2=ybqJiA_*-2u^Myyz-Kk8z@m=yEE1<3W&RCoZgGM^AoDn+`@G(j)OU zU)D*}+&-E%Z*O=9roAPUxZVwa1S0@O*f4##1p>`OFx>#QpWI>P$YlVbUuijFuxm0{ zTQdxEa9&FHP=Dq#Q*WN!VZL5y0sb@g#&R}q28?C6mr&pGzHzQp9l>Fykb&ATL!-fR z>k-pGqr{o-TjuWUhcX#Em)492q_S-5dlXQLg#S8VUT$r=c^21UFy|z$BiiM883NFn zj0+3XE8rR;d3#rs=gm%29Yk;tdU2ssHHqY(s+1e^sedqn!f-qn#t3{EVj-7K+xGsM z7clkOCBvLMqTaipXk8Y$L39^zN<|qLpK@UiMNE<`kWyBeeCH%spE7NiX5Doc0FiV8 zE)!`Gc{%Xn2AwykYfBEnvU{0cpfg%OtJ=~`4koN%O-@u5nyv`gQU*b35ZE+x#f z4awBb^M7n9Ns+5_qJ-7W(kxS_ZL{e$W1@*J+62L3crL29B-SDH#!|Lzi%?`UAzTZ| zTcb+W^bEz-$1PW1`cYTcW)%`-g^&V63JfW9$T=1dElZP~u9tw329Z60quM@U_;RZu zA0B-~%R4X5(MN9+{VNv%!a?8JAWl@@w4=Kzm?F!lMe163})Of&9NIy%m9NE1Cu)L zyE{TI4_kSai>tOh@h*pUsZMaZO(#V2u-=rJP zH%QoWxwg$#8VmyEc`^um9N_FX2u~p$MMIH?iwu*r?;`?g=abp*GY!}JM1$*st--ad zS*dlC8SozpxpBh|;$A?Lqmh$B@Gt_`gp+jeH-BQ9eVSzkqxR_m`|Y}QTCaHoe%x;m z`b6v0(Vw8h5RzN`!cqdeNTfeO|E9$;W?Lc_*GAA|dH8j+;Xl1-dgSOEzdFhZ=l_oz0QJF(7t=zjd*lv9Wi2anTw88++|3U>DmRn=iju z(0@9d-f#w1|5Sy#h!>B84M449QWLXBu$cdJY0f+!-dcHl;X_Pbr3Ln(C)NAtu^6l+ z$AO_oGQIU?|*t;>Vn>ccjb1yI#)CMT#_7gX~7-})urFC z2TE_?;(dpQZ|8bhr9KpQ7hag~dSiu@<*kzqgqYw<+ao;@?ZW3s!N56S+B%;*j<=lE zsJ{1^MrSH~?~ybS*_$r4A}wZT5PC#QgjvaBsKLmoV<7J^3}#w=H%Tw}k4udr2?fm?Rv4m0{3li2=AbQ^bZ@2T34 zUguiRl6KKGz@Qwve@vU3I#8$BJS1Lg`6=tI9cN|MZ@bkl|RDZ$gt*w$K zEfY*@zwxAp2Ot7KgaQ#3$OK#vxn;hmMipIStW;xGDbV}lUhjR>nQj0rlhY2r&0#K3 z&&erFZi>Yj9^CIu!%&M-J;*Y&Z8K7Aaf_k;z!-s>U( z`rGiwNe2BX-KlJ#Rm$`?nt#1ybpU2-m7wRdSGH8c(VtFXS*qhbtE(%Hr+_~<`^pjk zBRZHqTPU@9hwm_Q`urrjP9)KqNf;)*5nMHz%A?YrEU*(>JRW`vZGalW3jM{TY12a8 zYd)XkGmKz?`640-LYm?Xp&z_f_&+(+?je!gXA1YRoh=wr38tE%4S!+8uguS1Fjm4W zd#S1$#p7y21Sd3Bw`eD0&GEW<0Z+Laui6ISCbfiSxwmAD9;%+vm%?jV>?}#IsL_*V zqxndLQV?3)dZC;6@|eIZ!}B&oS|LmC!uf6-T%K8EXyrY4TAsG-=^{~aH0nc2I6XKY zwHD~2PVsF-VkLt1)PHr6PoeopY%6sqPWHbTkz;&GPUHCq)vfnLr;$zY^Y}_Nh?RyN zL1q9KYBk%bYQ@vsm}U8dr|$kZJi02?4ZLv|YqmQQE7$N8p1(wg@$WHox(|?_)3>Xd zHSAP)unA`nFP@lU|{>BBwn*LFQxBb+eD&wtjJYrATulsVi0(R8%PGSfZfU+E83 zlG$&kOLY@NsDCQYrvl-O2^UH(KFmA45%r4g;+v06C#JguzWIPnw`MOLe0OAs9+JBv zJb^w`&9^*3M<#XW?WGJG$_9oz9p5Gq-IXp`O=L@PE=!H{Byel8+f}1vCEgD(*XbF< zD2>*`Oq*3V9hWNp==RlmS_g|I8M3 zD{)f#vFmM*AtP4bp18GBE$)duAuDsbhtr&RsN1psWS!V40?#g!X*Gz)-o)!*p4Nr; z8$NWzGNN0h)wNLGK%#GPJS~XMY+2V;9rsblv^cu<5NG&Aq|X>Yblx<#*bjgnsV1JG z>;Yu}-G8QF&r6u2ao)KoBJt*al$XLl&GQDZp}Cz-YEPfH;y9;3$22?*CTJZ!(6u1G z1zoQNWE_S0TDLYY@_(KV1`qB)k4RWV!X}y_U8VkXy&XigBI&6ekgZa=?~S>yGyIKt zsMW0rxQRr+#^1D{i@Y4<6jda>Q*=PKO6Bg=kAJ?@t*ReWqW7$ROsU?Y`Z1+@_v*)# z_-(5nQ#R~f{g`qgUiHI_{IQ2e@9KaVqhycbw#O*-Ngt>`*Vj{Ws-c4cR-pnD(%&Xe zFZ}mfo}U!xgFWCR=U;UKrk7=E;rF8ZJ$}a`5KKTXE0io9tGl(H-e}#0qjV>*18S+3g&k+8!A_n7EidJCR`<4Jdz8MosMsv9Ps=6{YWo%wpSVGL-b z`d*tn>+so0KG6xH>qs9+w?_iW`W+UXXx@MR#T!q~@BWYf!r%P$^Do+1Ce9wEB%y|- zekp$b#T(C;-7WH_l_e~+`)|Jyk$MMs4}Z}+TZFE^jelG*`th-Zq{bs2i`!^n%y6E^t6W!kJLM7_bgLR#G-8glUo?s%=-SxmYKfSW`5QFH({V~H3 z%1zR`_Gc{{;338sACK@mnb=N7&plrf#R#D8XI zT@8zAJQVD7eGtCiMMB_JnaN99X7sfitq!X0@E^Ba{dmEO%$q8kq!UbMR%;&6dbnUR z4{<`4-2@vDzO%j!$pVPe>pSm$bcbT~y42>tJ|p)qyuhIrmGG5HK9 zFXWbMqAroM-1!g_7$;if2DV_Z2hhGg97uUzYY=tNA;lBpcNRw^f=MhaZ)toIK#ISe zrSYjsBo@|MX~#J=C$Gkkmm%-#S=Q}nN(rQc^3~PVI+iT2v%S2onq+v!h<^*kb{#GF zfF>!b^Y-0FUH=LO6%e$G?@aDEeLJ*<0CTqIbj9h9w551-L$2zp3qifIlg?~^P8_iL&yA)Q4lQ4Qtv9Q9BTfl1sZG{Fp+t3Yn;LA9A?e@M?R zy%iEW2A-E9b+_Iuoxe=pkAHqF{wGxxXZ~y#$vqx{Jlch~9$h%e>hIa1Gy{+&+UE06 zt=fS%nW$67R28_-(YG^Zoo2)lu;7#aka0{G%o1i-AM{$XcHePC-FjhLyEpr7ipg15 z4V~aV_2D&YYV1mbpj~`da#>;qh|9G-T_dtnSV3WJ22cK4VmDgc`+qr$z}R$CAJMqV z89!8sdRreq=279NnAYfOb`sR|lsH#4k_SX(A5*@p1mW*gzwOV$l>daPe zLRD#C0g0{-*+7#HdVe^sEu=BlPp{;UEMuyMr7kQeXmk=3}u?qp|?+1_5;h$xC@O?N?+~03iTEAcSCuc|K>Qb^7_4pAvei{A6B4Xn_=4 zbg@S?9&*a&n$~ga1$I}4*&_fnSEq_NCjofDmHY#}_kz4ef$TZtiA-@=u0h*t_=%Y&qqI@f;dymE*$XGin zyT7~c3H=o&q`;a1?`fIsFhu()mrz_hUfU1`)O9L#{>I7Au) z^ft{N%o=>#$o9Ry6_JNPJ-0-|34+6agDEeo_K+8X;(y``!4L-1T-Aq^T-B^t^DPwo zpId$!E~9C6S!D9#c1~bbs*SSJPt| zl4rtTP53cEy~d9Eer>DdOWj(Vuk>5G_HTzb0)d19>K^9LkggZcNe}iu14uY$X3)od zf^dakdVjc^?WR%3=hqcV@~qhZTm=Yoe%eGUgk4kU)x?Jw>X_sBI_u)cwXPDJO17J7 zCWI$4KnSl^>4k)X2p4Nv<5yi(pL&MI&X+K<=n>t_GQqb(Eh6g=UAy3e>xIwExNg%g zKgqa4b1nadNjRnawV(3sCYo@B!m*!EzD-lEkbm8zKk9_JH0Qm~Y5)-cqEG1|*&2~B zB5|;W&m}+CsY~~Gc*QVmab{cLF-_|M2EV&AtNl&VOcYO0c(!e+WvD>-;cgBfao|hOqPt(b*4c9?(BH+aq?CUJf9pkbm_joP4MT5m_yZ2Lf#E8u9K1x-0Kz;IQ#b-}1mK9Y z5sWi|xI!@IxZ{uZREqiWG=~kfLYq0y6ZGs-WxGl=ICNMMX997BU|vKUI~!n(tbaN| zGFi0guIDf>_pPDeOlGKA+!Ypd6RzQ>s;=HVXs(<;qdb!04qexH1t!X(8O)P2{*vfHfB-9YZK?z^z z@A41qAm>T7+biL?!oD5zj7!J=1!VOZ>SwV-(SMbvT>TwJm;O;df4bh_YI-}Uz@WUGpnnD6fnUqB z{1XqH!r{Lju%P*ff&i{h-c{518XwKHv`I z`O+KRHX1x`c~e?AS<`#^e2_p`9UNHb!0FTH|Bvu_dMTHJ(GQ9i!}DMnLm!?=I8ULv z^hlnsR=>-Uu zSQ&&7)IxFkcl@(Rx1B*$=ljl(I&Q%|q+eTdH>b3a8Q;3zo3!Ob`APc)=WA7D+iU7E zh>k&63=?2}3Sl9(^1P!w0=7j(Azh| zw~h1#1C@6XuemJ7@P7v2zlV}eMEGwYx%ekKgScYU?5~)_;0>-Zbb~nI%srH~YhNk#O2RMKUp6QST8T z?=ZvO4a}Z|o?ka-w5P(WaQ*21%2VW z*RjGCdhh(9 zyU(}0aZPKmKF8R76emr*OlB=FRV%k^5*c1zvXkOrn`i*wM9*0cVK~<2M}U+0Q7k*K z6Y-{v27klq+-5L*8`s7Sp;u+xP(sZ(-@M#_inxkG!JPP1jX1)6K~=yZ3I%iGi*~tp z*SX&X4z=nCPC}I$!npd#V;8pfk%vt{ARW>PbmJyi-zrO$cD=n^HDSZT==zp=n=^y+8CU}3oI>Ru;UtNg5IE3}l zLcN1gKRn1Bb|844Vt|dw0q_fe%?mk9NO3VMFJZESBG-R0p6S2nKky#ZOejQ7#(`!k!#hhm2m#^L?bg`{aW14c}XiJK7AAgJHcxLHk@;A z;(xE;FVhU7V=!AQ6y*&kM0q^cZ(~h)BMgN_v`AN__C_t|v?!|I3m>A&5g~ z+@2%!QmU#oKdOC~l(PM;>hFZs4&OyAqkjlS;T6r_9&tKKmVd5QBX_#eD7d-Q`Yet@ zxM{v1U+M-zxRXE!@3XiHsp{Xf&JvS78_s5!!(8O&uQv7}Vwx_iH(YfV%@bNj?NHTA zpFAE8uMsMp5S61lGB;mormn_)PCN>3PP{(L5+RwYEn;Ho_v$L2CvglV!GslESbwwS z#;pQh)AO^Qz~J0nShKZ=8~Z&~OD5*C_2?NZx6o-HyBy=1+lO|VVi1Zx(tqB^ahD_isEcPWEf}1ISRn2y^72R4yUC#Ftiwie z7xJ{nY!d;C#?(#&Q(Bt9g`q7sJc0r3hSpqEDf z$?UJ$(E{i`(ti>i&@|@?;eTemxjn^N5Z&eqQTlD78};gk*{%xpTcL>r5zUaU(#|{L z9&cK0>3ZK)JZokoS}IB*&9N?#|DT(z@7J_e)$}%ggJCkdTf<>mK=gX|w33ze?`dtZ zD|^$@R#p1C*|yx%XHWj($MG?wbyICqy?kajH%)U)u=#1ct8+R(C4Y;?b8aS(AiBYx zL#j2>^giBo-sGoA4Yt;)iA;KDBI@x4Qrw*C{0ggxe#`qoBx@uANPWT}qV>jMB%2KY zvgy3!Mjco+(&jm&YNP^}w^bMTUdM>z;~}wF)@V^bKf(pq(QI(7O-tRcK%Ew=i_<=! zmtgL8z#YV^+>CT`-+u^VaP4MHwn8B81$T0UQ+UXKQbCoe4 zjXf7mMCN%}hZjb0#L;WdwQ3lLVQeFXm$doD5#u;{X2BvKo5>>*J)uXFO!BQzN;~5H zy#M^4#5@sezLP?hJ4)}NiJ$+|J-KVX1)z;-!x{0v$2H=A$A3orZx|!?Y`QwlPkbuj z0BzLG8mC8Um2TJ^Jx)7xqXwuE*nH>LB>zm(59mPLS0b>8{8MO_9@ zUUIO%G%+2fySHeNM;M-7)8+xIzjm{`W3_eW*fuDcme{c0eP@Xg0oy>cX6)V;nl&P9 zn`qX6!PVCs%YTGHxzP*@3%^Fi0oqN222+5R5+^H5_H67jgK6UqnAYgxT^ykh?-OlM zbPptR-(Rc;;?MMQ?wBh3c23vJd-<*I?x!Q$A29REw{qw!JGw%2A?IRIek>G607f>cm@>Vf#3oF0vj z8q65JqZ&+PZq(Q`K5D41zLvjr9%u6OP!2sm&;WfN4?#4$Wj{SM-A2dn(Rit`Mj7v- z#v1+n)_zWH^Hhe4u7D4J$=BE=hf$DY-NBV7=8?+x}jiK)L!SD2C&Yr0g}I_J)Vh7Y8yWonL+f| zN`Lu{;!Tg77D^OmO5_xrkHj5sf`j|sx?3Io8Y`$~cI-Zauo~SlOo91{i!@VZBuK^8 z0G{BOIH^hEPNSX>LLBx?>N!9^q1QUE>b$-0BhN(d!+1&2m8Orhk^5B@?V1vhbQQ!N z*D8g()`hpJ0K+yEIOcTTsS-8BSXY-CNPlYYSE+w=0BMM$)AZSFUQ+e7yWfG+1S^l3 z5wiQ?GJ@6}Dcmr*NTVphjV`3wa^UT!&xlCf&*$+r09mde-Y7!cpm58_1QKJ+XYhpS zHD>}hq7^K-;Z}&?26Xo67Tm|}^HaUW4wMBessu%cPDtIxBo6Ah<0VoaV=k8)^?&&c zZkUKp4`LX$*RqC;G-;N_MDMlvAyp2L$7< zhzb9=!pgKR?g@^ErkebT$KwkX$vL>+4AmK!N8}jf{SK0t7uKMliwzmaDR_ zwE5cUI6-KAge(jn1>E_lzE<)mHCQA_)@?4EJ!EkgWXB^co=M6es=M7STrxS9{0_`@ ziRGu-tM6Rysu2O`Wwns^w0~{u{NvW{eA)twuvogy^%A4@LC%VE@0*+z^mM`RD1wmU z*;3%k1hs9kzaD^4|F2eKPTgaicm^ln8Q4jTmw#fJM&enXW@1_;_bxy;&z|DA^Mf#K zrq$ALFYmEtH$GB_Bsi&Y>0HKXUHi1HEjbL}*Q_21iJmgxk*HM(1AiW>j6b96q0Y4v zyr#7dGM?-xbC8T>n2TktMzf>6?|gllAU8f(v>=bPI^>KhgP=E@<=~n{JGH%WAtl}T zwm_UkSl!1v^{Co?+NRteW35tFBo@7UfGNb!mo<&8d7FlFmssSbNtm;He?H;Nck4gF zbyq)Fv@D6YMs{EJU`;i>X!ac7dZGK={Ki6=V-C<&D2(H_`{rW{ghA!@^Mbb_kdL5! z)&LyJ3cB#$P+|j%W?qu)R;PPhfS`{Mgh80V@=!*5&^zcq&VS+-r25tldi!Aghg{qW z1h5(4ZJgNW`Q9=!rXKwDu-991j0<7l#a5Sw&fFDur1>brI1N1S!MIA{S~6Fece$@} z1)gj3gfM~StSo-wBwN(#tVum75vL0FL~vZE>46sbjx7(nxv`>+v1{LEz@AJ!BK(rq zbyd?PwZkX}J%41KFoeOF!Shr}d(jWO_8DzBfwFc4;sbR%^`Siw8D^y7lw_T>wfRc3 z>X$~MHn&eGUun?o5nRw&W(kthWg#Sw7=C*yBZOD=t%Uks@>%cGIWT1nGYP{qgbX1Z zhRZ8&)62Dxhd3b+NNAuQp1WS0vcF4Zjk5<(Y#YQ?#D7kG96GFLkH+nKu2nh4--&+v zpDfcP=I+>`^wVA6_VIkt^$8$ ze*S_Khksm~j9&0+0AT<|NQ*Vmhq~Wv?s1TVL?2x}h}maW&FowhU%C0YtZIHZ+btiI zX=tcKW$34gN+VkZa2c14zeA>kiK)R@ZvbhJ9EYg?X} zqt4bQVE3un9V%TDv7Zrk+=4f)(Ofo>kD^9GryKORMot=MsWJ>YhukEYtGZp}FuxD* zE^F0y=wTM4@8s+@MuOyo8xBEon)Fjfo|Z*IATUqF>KGj1+X7Z6DO>rcjZCj13x6Hi zqHyQuAL4snD*`TYSg1VWV@4xt0!MT>W-E+N-K08*&JM?HEzzm=rJB7HEvKca7H9{F zPqS$*wo7t_NBr-qR5@Ri+qf=fc}{lLBs7m89zi@BEtuTq5F(p5v$aau;=cDS1UYrY z&q}DuBvV)K!qJ*r=urPLfniytNPib+)@QqEqi^(CCip_@O?EvoCq&c9I!C%hKIdJ2 zKNY#UY-z}5qy*3$T2N?VLJv@!RNR`jx+HBHXY8U;fMErOwGdp$s~<>MQ0#I5ICggg zhA=KdYE{lC{d?%3(4C9{$`TdO@BB_5CX|VBvmRs!r9b3Qy}*lbsgs#|_U_nV!u{fkvCwHRV9wn2F@PTq)r^ z!Sz+IM@;l=-AlV3*3ml)-hUpVy6TSj6wOws!#X@R>rqF1Ue?3*8N_FUN4|j~wD;X} z{}s(_8Jn+bW=oGeY24PiV$yg|!EQ^Q^~8i8ZumrEyfw6*s0=aIa7ybAbLXd&1{`QO zRGHT@X^UNysnF1k|7KyhE7)zxy1ts=<0PM{-0RZYXpm%IZrsVveSd)~COh{;L>sWy z!*?CBW+U&oe4MRegORDWN<9cM=Db2%o*oj}4N4sVEfJ)rBI=%^m|_O8J0SrC(8oKZ zIGGVeAFoev@>uR(34|Yu4w_QtY3t38&!I^Wu3xv`q1k3~8)R38i4ul4g-V(|8m zvkmd8Y0gfBXfr+YV}G~W`7<|y*Vo;hIL@iDQJwy=B|FwOAN#RE{qwOC^s>Kj=AaiJ zS&`Si8LC;a+Radj9+3Mj?-9qI4+ZIQ!Z4nUDaK$v^4h9Z4UYZJJB+W-Hyh@Gm^QtF z6zXi2S(;t)vdPPD%(Z~Y)gHEf)X)FIcb5yMS6zUwegdD5B7b5!1&-JS_d#Ef5iKP5 z@=Rz2V1?V0g0#JT>qKX4v!lM_#7&{dv17u&N=4AP#OX*-)W`@&Mu8h4PqX&Cx-5 z3cbSf1kGv!dU~7^jn|9Sw09 zMSm71acUP+#Z9w1m~+Hgn|&)2WEdrOc){U?2|wgnqN}<}Rb-dVtugl!b!&#b&{ALvl3p2U-M$>v z4IzYv;IC+iX*MsJ)hRtgvWhgzYS}cA^?z}6p`#CIRwOY6)>yED(1y}9hFL>s zj&GG%TsfMr<(-7$y4D(Dipx*ntvy$JUxpfDa2ZasdC62Y#?yCJ=RfLv*ymET2t-FP zqFSwP=gZQTIl43-ajq7=<0Wc~?p>yHe5=JO;J+dDbH3;CWeAb?k8H>0DKmqF3V*ww z$3QW43Qy8`DK*8~()x8cd8VMnvAhqMfk*cPeu4VTLaiMzKT?30JD50nQXBo-|V7G zV~7r8Oy;YR)_<;d5oTi3tG5K#9)E`5I@a_ybe)2_7mHFWI^2`I`xS?=b(%-Lq?>HFSN=(~#0)3r%2PS8_?q{8KhDWaz*+u1s`+CwW{&NzBVlUu5pAcK0%EHFS8-Q$e$LD2=p2?_mI$DB)2gSBvwp9S=}|Wt=o#^9AByUf7Dv#JAXB<~gsb%)=YY>2 z>A;6r742mMk6e;ZReuKDYDgNMHZzsDNa78XU?#y#3%FMs@(XEQDeHl{q-6dx^Movt z7l6YF84S*2+K>*ws(S}fk0|q$o~j?MfVHVc9XNZi#?^Cv&g#^(kOjQ@fCu{Vi!Dw$ zg%CnROp*C%#PN$4ndO-2T-Dap(XQ{&RoWO>i6o3^IzOck*MBV7Qrn_M3!d|vxxk;r z9<@O;Pnp8^X*?BS4yoBz|E6j%5tX$t++2JAxe9d=s{15lP>QYsLkkYADSTC6xu0h{ zh`^f>MrH;-377`0tme_vPp^n3ee_*RQux^7`4%~LBEKBisiz<*)-I=g~*uBY=U^GYj@(93CD znCjzvL>f-}F8!NRx)EfKaGBoj;a+!#d)JmdNHY~u>J)=HrkrxBkF-J?ShJ@th|iij zlx2Egpr-i%dko*{O4gfe;MkAWrk+;8vaNz4y|rIeowxTWN=ETT7vF5Hkz;i>@DdS`Z`{)= ztv(W7#bW+3u7g1X~8DJP->#aw$Mj8#3Rc#ztK42$lngN$Hcu={7ag5n*MAA&WxOGWbet;SoF-mw9I{>O`t6V{ zgwjWg7sQjPDF##l1s>vP>Wtp~1KJ}DAvw=>)|q$f3g%e|MHi{+JA12Qh(6OAbe5;P_$O$vtCwiS=WPlln)T05W?zN(Sx>AJ@F zY14|1DjgMvo4#kVNbgBr!ocSUvU|Y=27ebOc%Q{fO$lx^RdK@!WBe#GwyF}(UWU+5 zOy8#2yi|5|lj)gqu?2S(sp*M*Z%>I=+F%}!$hwZu&pIpLJhvf^S;CcadAx=CyKMIp z%cDVvVusF3C{Hy>9xdU!p+XLCmh>I+_-KNwU1mHeNEO~i`=uJnr|-zx2!n?#*?$;w ze12MQMZ4E61%r3Dls=1(n!Nl;i#$u{r?I;^`{I~I&`*b*oexQUq|@23M=3)mC`Gm? zd_A?&4$XVh^v2BU9+%~K_nM0YdBH@-wB zFctH+2`W!*~S_B2j4+Ta}sPsX%z4CI*>j z^igbP`W14g`m&jISV++kjHrCX-AW#q^pDKmBaMOXi?a#zm}i%P&GUMqb$=H>5Tp^N zxV-dT$Bq1b`e3@bCtZhxCV4;^O7wnxF;l{AnkTfY41h)Gbe)W10hjIN0xXlK za}()yy+&HXy~+=$g?tv(?_T0f{1MSAS-W<&8F7QIwi&urLU-(D8&0_*hDoxO5~-J9 zpQ^)Xl9k4o<6EhVDBghazaufato zY0<{X;p3oIC@9WMKA;S)U+oz7`+lqQBRRlW0-ab~u!C`27pT%2EnLkebzOkM%?-IZdd3-g+nt?l( zqa#}svm*F$9VR`#00 z5R5@D{%Z8o%f}~LBu)AYwC;dK=C4m;E$0M{w$rW6e`{aRO=8)f6i2USP%gTd%=n(f4xcz=Zl-u>fk#DD54pMMKKHTA_*)uZ7)d;kwDJo6RC>l^WiJ%lIyoAclLdF)p$o3EkXQRpUZh)^O`I%Xo0%JLNEbGDsYDflIRDkLcSD z`qZy+F47bL=UC?9;T?>N9JK3J8cAF!e{$;zt*K98T7M2mVIw&yqlSH!nZcmX8Uw*q zQJX%?%n(%~7%{oaTG+zhMv+I0eojXw&vgo!j&~ib*ziiPXk3C-+Wg zAvHm}OU!P64%pl!_E`1xx{pr!fXYNuju6T`NSSm+3Uc6>;d2+t zb;Zw{o_J@YN0-~t^h-OYdBo~2eM#5MHZq;MV#fGf!0%O~)wiA?Rav8Dmj;KC;@R40 zi=RdpGT0}UCCf`a^<(pG7k)b^nxAzgUY}u>KYuG5z*jGA`ccSt&YfT6P5b^d&%gQ= z;6p|M`t<^K$V#9-)d7VS&?NMKmcV}qtv2++L@3VCfBbN)FSXv(5CfSwoNp6 z9eho|9fC!sm|Nc?8TD33(6ZF^!lQBk9lUB=^Yr<^NjAuZM^b%@E7qo!}ccp&ogU3r>^rS>kVu}uEXjL ze+9oXKYzt`o`ceh3;R!Ax3{#&s!N)e?|*68{6e=`gj-fGu%N(r|LPe0b?8c8WECc? z-tbotrS$33yWhs-A63?tnED20gFRUWEd;cV$g|TZ;uOYW4c}$;TPDrz^E3ambgB@=wO53v(RmN1!zdo`<^~cO{%^Pq`bV?0!;M-_!P4Or++%v zX!=m4r|>%2T~N5%U$krr{a^{s>%5!psu-TuwiGp=rm;QPV_Eqw{CDT@6yE0--* zIp$ruEM)-T!OD{h7o22d$hG>R3IbWntgTbkY@EzT`BVVx#{qv7b~;h!baG60O&8?^ z3^aoiaeFBo4NvxeLX-bWOVlq|X+!3x~RN={gIR$|c@KBhMFj($iZx==60fzqg>D3f*7F zh(eEPRtwv(M0%*ob=jh&dbYfV9}2Q^xA#d_NV3t*P(Z^W}+TYvoX&vz+> z#gcY71^w3#c%};9Je)TiSPYfmFjtr(KSOV-)33=W?{NqaY{&@UPKs@~8+ryzg6O0Q6z6D}*8R#|vif8cV zkQ4>~b%u*`sOie~I@Uxf%Pe`8!#pUf3dor+-@4e#xF_p8QECs9m7f)rh)E?+2G(vP zf~Q1094Gr6J;LocO#KtT_gkmetE{meo#;Ddf`57{K>v0*z8w;4(tkpSq(8k)V7SZB z_R#MWHYkc59h#4Z4*dYjNgf^k$j6C-4v*9%ijSCmjuwlWIbILZrbNOM*b*`jHJmRg zDXQ~XwO`*q^8yD!!)urQ=(DOX>9ojhSAX?)^%v{{q~k6h>+W{KS(F6t1Tx&?_~;&w zU>XLv5qrtzGXM|!85T%!Kkd?k6Q;{K$Ct0%N;JU2L?w|^(}dptuXf%#r75Lg)C zNf{e?)#U%k2ZLUY5m77oJ;13#rGw1rKZwu!1gedd3TY!+Y&gK3aMyV0iSBf9{2>VG%Y z=lXi0!J#n36W(o6&4vA9qUWOVHURcPV@qd9x2xYSHp#nw8`Yq272D^=oK$78x+Lnn zJfu#4Q&H2tP6#cOe$QRqDfjvL~=f)E!>VqUVp*7qJ@Mi=eGx1LfZzP=`~Uh z=@WiK1KPCPIAJd`b*+m0bU&~w_Ig4qtOKa=1Q+muCVmgP{l#@TVbA-nsR$}`NOV;&AW)+O^(RU4YvA9ng8 zF7^k{PJh}sscU;5^+?y(GE!4Na&n+7td+bvA-y}GX}q2y^Yv)`jA&1X_F)&F3i)L)vUm-ooSCfKboyTx?X5AcPB-)(Mc z*zA>v5?tY(`})BhGB94a&lX}xSWkF$YY!{jW(y(wH*HWhymq3!Y6P$g9K;H{^c4#~ zhVS-xy8D0of*bosRl!*D^!koZOQ7)v83|=ci@fL$&1d#Agzt}Mn$6z-8tomlk3%jt z!t7b-od~@X_|1^J_cTOt_hmfshzG%_v*CQMMWM8cO%ShuiU|Mmr z7}UW%!ffbfMXRw>PsD`q3qGo0+_B#K(qW--ozj@bB!f9CU=w!^dLoVN={V;lJTr(g z#iq@@R5#sRHI~67d<*X`X_=mlQTcO2aCd)MyTb?5=54||bZ~~Aci}E@CMCKv4G4c} z6Y`*n!Nye8LaM4bxO5^FNNQ1sHv{&neVNacel%l%T6;v)wuEIa%~pR^gCE=br@TJh z^7cdR_!|lxXq#MRndRkKkMC+0x;0x5Hk}L3cFop3_SfD$G; zvUQ`bAVL=!eO6R>?}jz6MJ= zm%Mzz6H8H#PpYAm@MfvfvA!>E(jLMoL^ciFk%;gfz23<*I+3%A78!{N>lZeqmvlGoZV`400I5a}Ys9xyyGo0je3^4b5ep>Nr^`@6Sc89{8VlAp z$9D#*;e=|S!+Nn~;?@2(JY3exU%d4=1gwPsFK|v+4|Y20DJfyiqD)n$Apeo|%akva zcFWwE6uK^GW<`bd?gmq7PFMI|(pA)7;9R@GJfYJSzGt;LnztE2%Urvp?ddBo&y=x@ z|N5J^U-$>iTE-u`ond;vf7yS3P4rG(Ez*0VoMmIm?n8Yt4Y32c!LP?OLBsKDAjyBS zCONch1!$yOuwmq1WnHWGmOQ)-8g!i<&~z&DOWuMXxJaJ)B$Lgl&aZ8y%7n75^ToGk zvj==GV*31}fmE8$Dpi%P^USOf*d*#^k=)9|c`zb2 zkGljU8AsxghRxi134;)Fxec5+KFuz9X{O@BOR{)Ofy>giV~LzR-U1Nam;r<0B!=FZ zKbzbT@La*E%@Rb}Bn^M*)ol|SEr3#(bEjIQN0CZ6W@xz$_gt(_IsN{jkc!-VRN)LN z{UIzli1UpWsMUM?i+=o9w?{C5_vm7P-l3r1if)IvCN_Tvh&V&)t)mSjU(b&&@>bSq z0p7N1H_4^SRN+vb4{M5^@6F(X!G!^TrYw+wQk|-qx_iKG4{LuGL!vovHgO;m^749X zlMmIJ_)b3ZMg8yl7=fSyK?Q;i$pabkpIfTVyZd2%(0u$FNcC@CX4UVp&j4bigKzP= zJCMon_Y-@cflRP>8UCI!V}dSwYZy?*Q+jI&a}G~wyC4nTuGZ)~3&88?$vyaI>Ktr5 z|C3(_*Aji?bryfYPY0I~?#;_2_~qadqK{UdIkS?x?<9r%k;Uo0$S|D^5c(oc))S8D#^btTY` z`$YimmjB{s1pT&O7T{jZUshfh&)ry4L)godpmm0)7Ja34_M6r+vGVA=fJ++N&Ia^0 zr6r_S)bz(pL(As|?(Y?KVPL+b4tq*VNUu0s{A-<6oN>%Pr^Y%QT~ey&Y{EZz7uf3S za|Sgo3)X)O9a2A@vk3nbpwNEi$=YIjFKdDq-A{~?C3Y*oAieMAc6kw-h*}uxfr?Em zQg0J@|5_HQw*sjLD#BW%_nLgBMFESu`QP1kvP=6Uv;yl!_ds1(8-2Q7cJ$1`b?$f> zTk*c)W;S-rk<`{4|*(7Me4l2_b)qv#HI zpPh5Sr^t&UeRbhB>|a`2ybZgTR!SarFNG`OCWV{JX4wGT_|kiT_M4~jaSYQ>TI5;U zR*#)a`4rH@rhL z?aAx{=Q?%omQFBSDi-FI9ab#D!9Q!n(jU!d>Z-$1B$F^b?I+J2Iu_O1SnoT^zAQ%He;9V=Z)y0cA*QdwZngDt&!_BhK z^j6?Z4cy3Nk>1r;{=oEb*mm>;cY;gF<8FPOz+dAhs91lm zjksR$Rn{kUHl=5I9Jv-#x4A}YH#LY(mPHfMV(9H=9?=<1U>0OR)wGHKCf^^=GcW9* zpEl`VMC@q87{S-h0gpdl;zVX+h7o?O%e<2v;8Jg7o6tuI%zBbt{Sn{d1Xg9osf7WD z3#Jwi3>fYnyr6yhdZG5nAK|1e*;RiaJ7B@UIOo`c-@+PPL=1+ZE||o05OWY&Fmg}8 z1_o6he?w~NmpOHa7tfpyeFI-Ge{fY6FJcSkK1N&vzJV#tSE^cf31kRKZdV#a^BVpT zxd3v}kx$6k!nN=Gn&h8}yj)BkEzGdrsyl?zq>HQx zom=|~!y8n{@i|Y!`2QPho|DLv7kF9h-HiUPDg7T=ZA3;X(I46Uciw-t|K;a3OQe_G zjONr?dO!cwj&sg1qjjKtw`0IL_?9g@_R>dymGV+$J>8qS-=vpoA(QlcuH_l3to%?S zFXYSnP1=OfCTwluiZO zxvVtrX{{WQ>B*hL<7F5qjq;4U} zsfN6pdHQlz5x?m82ZA=UOb1XEx$EiG{nPjY#B^r%q{VTvZ>xVknqH3<4{2`SX?^;# zz6s6SyAD77uQ`A5r$$UqS{x_)w*GgWzqUTw&*1!>(Cp+oY?s*d168N0(CccM@fteA z``kB^>I$`1N2}-dhL+Dld0MacC(QnMy=pVULnn@({iYWA)CMQ_f19L8FCSS-`R2*! z+OdIbc7on@yYzoF>$efK14=qiz9=U3|7vZgT4vC{kQUA1G}>&|c1X=|&U`v|D#g_< zG~)#KYAaB*4;{h&|vi9yC(DYm;uz z$Mk_PEj!*u;Gz7WY9_8FcT_K^2Fr*xu)ha-DMhQS{FYwB2e-7LPbr8}4+rcqyE>sC zb2a(7&o!^9I@RVE`O5y0BGD-l zsA!;Y6Gv-#c7Aqz81opOUN*6(k@Zi0l8H;Qp@W&k5-25+t!Ep<=ru`;b5+C2&adhk zzgjwm$~N)u*2v^m!aE5qBy1_YsD(<3&{A|m@NIue-xfxiHP0u0@S1*_#nC5z@HT<7 zsjJW@o?L7Bng4llH$jOoN{lKO_de1x`^~fVD>19{nvducPMYc5O*PmvEyCSNmc6Z6ldNT-DZ?|;rx4%Kq2ZOLOYRw2fxWwx&<;y{hLrB<8DX0tr2`pZ zJ@Ty>?C4LB8bFhulJwSoktOOKzJY(Bo0lK^P+yXxFM7{piHYOuhT4IE9gqF>Q7u$>zX% zPjj6W$%`~+hmvWa^oEO6GjI(z%(%6p`juJolh${y$3SLS+L|F~X1JM!CKycsnt6Yy zGsU~w1g~Sgo$&BSIX{VbIbFOH*a^v+PO-m$0RtQ7Eb6m4_iUlbSNg^>!k zMO~0oC!QzjcoUDJ9q#D57_>oW1UP@W!|VQ-h0F8@`gG8Lzox3;hR@Pn3klwXS;MT` zrJqgwbF+3?pSb%w5DQIg<8R_m^OgSV|Nif5IHOtdWeYc&m++x^Gg~1|ped@!t)$Z} zJG2)BD>~RAy^}N5 zrvzt`IItz07{h?}xPw~aU)7FkNSNw(Z#6yZ-RY~U8mWF=H|}Rex0;@{M}Hf-)%2`) z1Skm5rVS$>a|~yBO*tOAdq;l@X+&KXO^a*F6t-Y&T29T@u%T5xkFxf4X+>fbM{hV& z6&{8{mgn~Cg>2%qTX;e-{8&#Y^LR5U@{c<8sH;V?NpEV*F?k?EUf`VRof(^)6^Ac_ zw=8YB3pT0BM7HVKtFttc5sWHST?J5eZ|SsxAm-HaqFP5d)$7_OxR!q(46Hq{M?@@$ zSZHEx)k8gj9HTyKQ_B0+d*hfzo$v-$*M8?zgtTZ}7lgax3)nTT4dU_{4BnFw$S)o- z^&;mKkNcW9sb+Kpb?FsPt4Z=`=he`$7rG$&ZV>Cn{X}vp&^VxH7MO!^Xb(C{v*qu?s8qABqn9Y6=M}^& zn$;GbQME!T^3$D0mnFVwtzbvwl-jYcM`{btAI-$;soP8=${?z}2Geb*xHp2%Yv|mZ z(u-`rs_ZyQHBXN&h|;Rg&w0s-5olD&VN??vXKiyi06Cm?g__xVf2k0<;6)gP@iwDSe_(O zRxMpXa3#U?q9Q+kwMRJAdU}f@6q-<2gijQ#^alqdp5+02z#)^0go#$_YQEA;l@`Z2 z$qC4uc)@ECxdVJO-|_V1N|5T_Ou4~(sg5kOFjJ2H#Gi?EEn%G+3(isy$?5V%-$_H z*9+rko4pGho-DTt55bv(HOUvc#_8HJfItPSxhksCWAnY#d&*M$E7y|7}+0*8chr zo;Zl7fyPig@h-%3*!YHR`WSYRW3PO=Z8~O0&ri~QdP>2c`)Em`tZcfu@y?D-g+S{j zV|#kY)2?*iCGKmq>X6dWmRkp~VOz zW=i4)PToF}Q=wWms^$CIr=e0JScyIn$Krw*I9T$*UJSsi$+4@4gOwrdWe#+cV?yBO zJ{GWOoMRX3agEe!rX&WjQl061qU(DxpZ0l~x0uvkp}mlqLp|oo20cRSnG)$@r}`YT znf-r*IhfT(Rpwq#%*5pJH2JwN zywjwu;MR0xTbNX|72I0i`rx5V;T}nC`KicZlGCA28g4%5vxbmICr@8V6uV$}H?Ii# zg3iI1bxr?N-$s6#TH`C7fTjXGJOzhpBAI`NCB*eA%j_lX!}5;spDPS(sjeYhWSeGb zn;@o;v|%TDz}_xUwk&M|PAgY`?tXd@CwhOF zf-$Y1zKzKPS)wP)nUk){?gh$-hmlY8TMcB=b8$qu(;xo;QTTLr2QpWb98Nr0OJ|xw7 z-^S2e7@==z$9cZK6C#qrQE>dz691J!r^D^Z<^$S~>E(1c^{~{G>&mK~J9U z^FEwSnox9vW9aop9QBd0@gc_3Vw0Q_A5BOa@tjn~3_cXJY6M#ZLz0QW~Yy#{}dw`MrEr6eM zG1&*zc}wAOg8`j@59|yq9?W~jIL(30fd!D6RS@g6gm4yR@>7597^hc2(oCN@ZqY2# ztO8lh{IzKb0WIPYlj}zv#c_$pe~!l>%?b(cRerh1EQcn7_YFF#S%$Z}PtQvUXIFp+ z=TU6hj>H~_U^dm3w_Kr93W7^T<#Jb1Z7(JXVyoIYr9M+Q#k_;I@hjT;sYo~2n=O4HB zsMm~1+|hB4(L>t8Q(2Dhi=NwV8#96r=uFq1OwyCrpz(h=#&j)W!JK3CaJDqE%xIFO zPObl&=J0?7Qvc{7wa0EGg9MsJs+SL72~h9XV}?5kE`kI4ykZbW92dh3#jqTJO}i6( z)i}y+JQyH`8%{Z}pr`NO(%yi;UgO5i4R--3g- zjQTcg*)V_V+i}cVZ{LmWD!s6|ew@K}9)ufXFeln?8PrIsSFV0)>!ykacTK7@2iw%E zvombq!6aztJPnUs2{2zcnlYQq9M<;eQkM(e_b&LFag7^zGXNDGs6C!>5F!?0kvK zi92iU>uHD|+Lsr(qS%@KB{h~1+MQRqsMwytRW%{P#h}mhR z@&kW&0cOxn{Vc%W;$jsBh`Wji$bws|Q)jt=H^&gFvvMGjjkj7VcEBF!kW%+B0a4(Nw<2@m|3;11#kUqT1;g2@Ix40wN6dXUK?y&pm|k>I}}G$q-s*2ABUb6^oo zXf$(Vr-_5uaKzJ_To|6-le}v^;8FNl^;`173p%T;d+Nr`?BH1h9i&N&OOVf0tTn0I zZRtG2X){wgGYD!(xl;6+NdjAG4mc-ZLb1=Yn5~p*7LNxk6UtypoN|KhkeX`dRLkewdDnI>n{^F8MK70w z0xc`uG7B;Bo%9gam<6OX)R59ibgrrl&0YQM!Yg!iE7yF;uki3WPHFaF$ZMZ?=+6ZA#KIOVZ*uy*Ei- z{w+@}Yaz>X`}NX33Z+hvIzj3Ls}row$&27eVlqmSe(Os-Ya^2}q-%n?mv89q~DJZx*)s)iZIe5Zp%OfT*r zE7D(QMI)8#eWenXebj~V@y)Zbg~8Svfo-|SOI4eC6s}I`(~jTWC(@z+iaNO6KdUgX zlY>+Eb*&s+pSG9t8n-o5-JgGMGWp8SU&(K(c63SWZ;!QK59clF5}->MT|(;cHmC1sO{Y=n*1Mm z5F>_!e3wAN4tAXZWa2walsS@W9#4x{@J|qtKWU*VR2~T^;)q2&oqob*brLVD{EAmQ zZYac`-1*XmpQ2Q~4+^ z@mpUT@W+Dp#YbE)m{4FHV>rFe{eJNjBbv>*UiG!Oo%7P`y54_WHnHgoy+;~MxcePA zmTV-mC|65vOlAw(Yjen>ZYbG@rhojK^(O%Cy{6s0AIkz8&2&q+>xJnR<|{SjZKKB@ z>a*^n#>|r)e%bMsHx&5)fYg_%D){BoD?aHKDYo$!YN3@grL zbE@-eTh*}W&yj!4oYf#Y4X}>UTVK+~{#i#V`MAR<;jb!tO&jeK_2VvB%A~*`rt&F| zf5O&GmN(a`$?@;mUEN9Yli$$r$d*15B3MW_o_wgx*-O~^pX8&?v$F&rSyX;5t6IWC z0jzS>>PFnUjx-`T>$y&0$zu@oar;c#3g`J9 z*eOO98dFt$gry{<R6m*N*qM!&ebVp+jt1cXTK`7D=N^TAZT9BLoI^uA0%Q**(M&YON@8` z|H5QXL?M5FH&vP7%DJa1qX7o+Iect=n%-0ydP%R>yga*`HHZN|S^Hk$73^4ayV6y; zK0NdrS3<+vN;Wdp!Tt|fh=I*>$Nn)5gbH%vt~n2%a(rW#L8)wCBI*JOKFK;(>fZ}B;4s*Kljla7 zU}+D9$8i3tig#K6@S^|@Qu_6n9?5pCi=Kada1hcpFFA(cIt`ZmE%H((nZ!9yJ{_z_ zvRh~SB2~gxH7$2DtKpD#kMdv8RXANO0YgQRj7vW9^5xAFAYw|{MkZQ)52`(Zm#n5a!x4)U8MsRj5LMtj!#@XZ}GHk z-oNGj*lvxP1u(1sH*y3Ars|iM^M-%0`Gw{_x?gsfrh7EVOhQ^yPVx-j@aS{J9fuhb zg}WM!Ap=I8n3@}p}zt=H8RTap+T3(Cv1ljXj=#5V7Wx+kBwncG|nFTN_D|>(In$x7W zr>X+EN5|x|s^PfsfjZ(7t)^Gu0=Y)dkQC=u9_mUYPSa(; zoPszf>4Q1Lk9&`A4L`0PdNalEWX?Z4a~@t#U#eQ+@l5|8o+JN{{}lOuc!oT@A_iyZ zFhu^MstY^>fv+Wn{E@}J+B$z4K{O-2AWGHET~&C__rr)aKvR^fCA&WS*hr|t=r+AY zapuMSPgYJ2Ngy_rx3phXm#Th~kKDDw99S7~2;{JsTy*I*S#NEsXKT_&=95dMZd=fR z&p-21GWdRzsJLz>4E6wi3?cli(QD4~UT~?0o)iI6gqAY=ej`xI0=a*I{nh(^85a$( z*$V22naK2N&X@^I;T8inpH>bO>OqJL$k5mNoM^`3a${<}awj3Jj@URGGh4JKb zYg+WTyko!GHO=dHS)N?i%pULDvdIp)$|;!M#yhg+N89Xz+395)dtAGh595tTAMgUBuA7-W(M>~r4D}glU-`p{z-qTx3bMCyXuDwgPp$p+{fZBz? zU2rdursTZrNZA1gvw&BjzvOt%sn73vncnp5e)Ep%3!$r0rsU7>!bX20EtG>ki?T;{ zYQpIzzT*H2s^@e@g=_|>MT0vm~dCU({Jc=x3i(! z7x-Z9+0TXiDtHI*eS^lIH*bs>My=X{zd8?Lil$j@!Cz^-5`hL)u3p@SAjMV>F9>M? zhj2l+AD#P5A{n4tyU1t5x`?OItNrQ}j#aMAC#(8*hx>mAM@BLIe4+8N{aRHYeRU77 zt2-JJq~P^Nr;1O5CVjs_eWxkLAvh?kc5u&TSbDQs9HwmHi%5%4lPMD5ViRtR6_qcB%vVZrU|*)h{rt7;lx?m7^xK#pA|g zNbO>{JzZ|A|K4>9xxc99=FQu5~@T$lUeP;H9IZUF z<4nm(G+M_@?x$DNIkwzFBY8seF!)oP$gtL0~m_-!a~&bHN50csiF@rKHEwI zQXHD&wvI#T>kIZmK^Cv#EP}?1(EOt^Y*sn7BE5Kql@~Md&Swu%+`u&~7HNO9*+RWI z&x`63XW}1j$_oJ}c}A=$^Vq51T`PWJsR&+h=s~;8R)nvsb+FhpHI&^h8^*NkQ8!-5 zmGWvFqf{-G-YQw&HsOg;@DJeFW4G4B21C#r9%M#D(kLggWO}lVt$OmrQiRmS!*-7f znWbPKn0TR&i z;Q2Y(TK)Uae}ncf<=I+2`InCs^eeRcGzFMCD3z?E(*EL!Mo}FA28n-MfrXydS_w}@ z4NETtk(qX-F(XZH`0{M`k_#nI=y|tO2eo2RSF<|{mA`z8=4`Usu(~~rO7z+RVjMzn z1%+`CYm^u0l@;DtU$B3AgdNmFV9+XKsEm;^OQjFfRAnC02nx$LRqz{eU9CRc!;jIm z5`p=~A3>JZ=fi8o8(4oOx5z~D8<<~|#*{Q$=K|j**T7*?IG#KV*BxOr(EWt}y_pR$ zoA3KxFQ30bqYjvY+X%T&k!6t@{SU_ByZ)NWz>?W1x*Z}I@5JC{AA&Fw7RWO!k*pPI zwtV@we{*SE*_cGp=6pJr@n4KH0oRol9 zK#WpmDIKbxg#~+*z-o}#{0+$m?rQhM*?0U4BUAJGdVzLwx&}@0$@A##ntbwk18sXT zLgLcyiYQJ;aM*uQ#)J$fb-gh1!ju| zrvJ1DIrT-|lapEs{>M5%0;06|&g-V)F?4_1&vS?Oxc!N?B%y+zwU(G= zX}WvA)Y}+k0V#$_E$iYc9}XGhIfe^_SZn36+qLM{2gF!gygcW* z-FNvKMsmh!8hxK-5i&2D<7GA73X2-Xs!Br)3^8e_&4Z>o_sv^P`q+*3KzP+0mR-K5 z8@~L)tDAq>RRBAp(rV|v{!hWsxJ(AHGmM5A%|^d}FxUD}Oi(U-_$6`3I*(4}#(K3F zU+3tE#euJLr$o?oF^kX@XX}IyU1g*SU$a*$mti1-tLuE6@=UZUKXetBDl4Lv5q*wM zMV^U#XNRPLoLPDt9a&83-7HxbONy`*xtem#+I)X{@{m;-N4h7OTh~61wzQCC9r;F# z&2G$J!<5rxOCx3iNC=H5J0WyT01Ig3|2LRaTMpx<=}d5kTaNxH6gXCGDJApAMfW|a zju5aN)k!gT4ViW9sg9$t&6Frhpf9_#S0P#7EG;FX#d$JXRN^1(UMFA5)3OjV=c8ZU zwb6gajJ|Q%9(W`bPhqmjI1A`Lw?$do9_;E8AP!vQFlkaau62o3X_Mu<(@?HQ2C^6; z!#t}7-jInXrRt4tgwHK2UTEdNGJNX26=5gFnfaf_^fsaq10L~opWKicbrYcxP`9jj zprvP_c;j)!D~cf;LVEfPQb&MJW0F0P=q@fET58-~3|*-klk9_pUaYlSHgxC+ye<;G z=xn!StEX7GXTk#{lLwY@6X5+~GH#G(ZkSQgK4Huq4YUmdP-RQ>;+SeW>X7VeNoIe` zi&4jcPb+)%Fy`ro<63;=#g(3sa2zXDj8s_?Jvde`H^Eg|sJAk$t1Huk?`z#FTZLo& zTKCF@r-9f-0NT2bmn0J~Y)qsfxNmha(k0&@PDY_O%UFDl(&7?_Q7d8FMr}-K>nQbX zADSWRFx`_hTc=;|801T6FFgYeD6@b2_T%lX=LQq~QXVi5U8iu;TG!x!zv>FVfMMXT zy5{oKQN13P^CeD#XM!SIz3b7)i#*}M;~UCFiyg`^+FFkY`usIT6_{bEv8@JSTH`>q7Zwy|fB>{G{P1EG=7=w@O@LmtGWF@~ zwl~#VNDp&wiZ|Csx)L8EkF%(*61=?XJAA#w)#p63R$%DY4&2eQ3WCWX@FKVR80v$6 za}1-5Napo*`~jo2nkvS@aA1G_!kcrETKn`6n|4?9_Dd1W0&^?U#q;3cSxg1Y+JNEg zz8f>L$lCSxOA(yzI9-vh8glb2c-6?FalW^``T~rAo|{@rgWPvN=L%RO=KsDH4fd=zgO_j*jpeF&(}?_|exa|>Tj}j8vbkL#`q2U7 zfdn_&)-(Ya49<~v$B7!T2KA@f$-vtNBt@#?dOEVkS#YFr!E5~`xz_SYjBwx65VsvN za!C75w%z@p*G&bBcszeGbaKeF!`AMq&{cj!(#?H9Q)xqi*&CZXi zOd^NT>!Bg;8)INhk8`(7Zci8|t$r)g-{<0sL7^>Ua3{9Uc=uvZ%9v$xd%`|ujR~Ii zic`zXz6#XT4^vY?pFo`d`;DLDFHsz~Fs(eX))Ors6J7=M$-t-e zu$)HSuX-i&;;Ax;yco?N#$B!q_Q_M2F@r%QE)|D)+M%97TtulddIAC|3PI&I6$o{S)9GzVqm9})ilmp9+UuK02u@WgiZsx2VY@0C~ zZb!?M4X#BQvYAfSS`SA}B=QqcSmqa=x=icPnOAo4jIw{7xn!;NaMbK5Ka9e%H0wDY z9^3N4&g~{zpO5Ez#M9D1n|NP+4WJv0-eZwnD;`0wuL#-(!b77ZV(&C;zBmm;djMf2 ziIDS&goj7MN^iBsp=_@#yex>aF`JE6KAFPKv1N8!SW4uGa345S*?jhVsoQW+uNbJ# zmg>d1pN4GDjes zh>jruN3Zf!vj0rZzrSx|1W=Y5jkf)YdGrUH3NOlPU~}=7T-|_ zw;)L|cVbuBQiJ>7m&%?JVyW_CEts3tw%IKo-B9anA4ZCO;^L+dCI-3h6-Gh0Fe?aR zBxp>ft7Vg4!k0a*nhX(zz`t3R;M59D(N_AK#}|>fTtW;0ol#JZ-tc5}M_Wpfx`rKn zi=2PL%OK1(%YWd5r&0B{TVK$Xd@FrS>tog5rnq}Y`ywWiYSl!^S;&*>GR}hlfub0S zVoFq3CU+Y8m2O#q&df1KuX`4MaL*J>{j;nsI-MG+KJS_z&B;YjW`SHLlO#Q*Fgf6DMaJcvlu# z2DPDL=CpYf5*ns39j)TYaID&DrNN>>8B@~675jqF@JpG+bJN512^d`?TD^I9sO{Xs zx{@_iy2yBvL5H|12)9~``dsA8bn*)5YMNeXroOtPah6|rKX|`pQ7vDs)Fgk5dY|5< zKIxTY9)Moxh@u~(BNP=3Q^6pfu5j~{5^me@&IoIc4+Tdnh7Zp;+HO8HJRv<0n6?X$ z)~+|!g493uh_L#{p86VQ!TXUfkAKBkd5&>Ac`K^uTFtACk|(~ZKw#UI!H;}bq)>1h zq%e@8H7)YRt46$wWOlN;jx~QvjkUeVAgx-L#5pboUN({3>oVMGCC9Y9o|MN(9`050 z?rC4bB)wL+4sQVdjTF7H#21lKU0s}-s@5?{x>VmB(@-_4c8UFqh$@~GRT|aepAa7B zi(n*(p`fn5B~Hsqd_iB(PyQQ#O{Io`8cW#{gY~(%!r?hJ;)axBku-ls((KggmgXfK zzT!-zqWKLZ>(z2F`?a;r@z}&A6vf~pDJ~cJIzSb|v;4`kp_m1MxLK2D!h!HXDpa-f zsiVo!mwL?8;yYJOU^2LzC$lphpEgxe)QV!3sC$Z+LC_G%Kr>4|6F4kv%-bJ} z_a?px(B?OG?a#@v32dAOi~x9I0z2;x}pWQ+WoYGIuY zM)JL=!4})!a^@hvT?qAEsP0F~1tS+D&Q{~cFJ<%FiR-Ws(Mkv9>6XV8aH7Ga$PS3l zNY@)H;L$De^9O(9hQUbpFi=CxZ8xjXQWM7<7nhn5NAt4%tN^U3;=G2bu@A_q)o!-@ z6Kcl~ANxUUhaYeGKw9*U{a{-7JUyV_aeV<~`03De0OtV+Jm1YaoC-(cr)f8s(O{5? zTJGc3OI9Rt7IkKZR5}s3BhkSy84R3d>13!A{>?Qn<^23cy7;Zu{r>qiJLo+|WpZ`&Et<1T#iQ>*E_GwwJ9vaNh( z*i3XM9EM&-k7J358sevLMclf=P2b_{Cg-!N;xCt9Us0S zIb@4LAX=6$8a$@Ac4R93+I?ybDW}_~7chUq=||>H$ArX8eP2(ux_6xJnF&xX@sHKj zy*?fuX@J=VdWKd&=GY<;4l+M&5_6C(Nt|}aUKYCk}ADxE}3443Jiqk zjDvz~+bY}Hs*FgzG1va}?X94SWU!uAX|4Q6w4&8)_icdS+z#K}J_MrPCbH% z9*ZoSQCX?*Li)pdT*xlz^6+S=kqq!ZK%1ls|9h|*W5wx)iXnb?=afapV6z4ivAX+IiN(b6KVCm)rA97zA9+7U+Pa^TZcL2B? z&U>8j&>^%!&6all5Q1#e0y_<#VTB)OtnV#iO*n8+7a4f&j_FGXjbyLNq8Gsw1?|RO3t{Q`h;+2k5 z@i~K#KVd(mf8Y!)nHkA#xrrp>;FY_Eydcv{dR|~=RUB9pCMUf{Dd>Ns5of2NbU#FB zi8|F|C7Qd|+s0U^*;I*bSAM%;!V4f=61L{mmzZC=+J*|QZmSjAa=rK$xh%HJTdw4i zu){3(+pEv=eOu!%zFrxOp=l3I^g> z9^D3mk&1z6siOvFqWOP-VHP4$g*8=^;irD96Z9*E1(Z~%&WKdFssyL1G`v=MO@ZQ? z3-3wAbs5$Df2N^?s01Z*%OQu&$_+;26k3JR`I6#g{2Wi@_Qs& zsGBL>wuu!O&0HHV1Uy>uye0F-p}>+G3C$1nFF=DExKpnT9shs0jAk6?M6uy)QvU*4 z6s;#%6gbW^^)CpbZv_W@*aI7T*4E_+^UP*EdWQ}M_)dFdl4ORV8AfLM_7>5^8YEuX zbCc7qT&4vcazzzBfYVWVLZ^bWXDDx#d&(d0(}6`1^AERH#4sq41Ew9cc6?EjJ7o6T z{NgT=m)FMZiVlAOp+H{0a&rwWm|b+2bqx6er{;Ikd(K7O9Dr3j)$;pu zSyEv?l}#Bp=i`w<)$ngED)g+1`OTOCuxYion~OMMQMWSX^y=kJ*ezd+=t*p9hkolxcwI+XvG9Fa9@~w7$P+GkmaUhOUIuzw z>0XIoLDowh!d6UBaXW0VmG6~{jlhow*f@NPWF;(!KsT5S-%-eN;0qU>Ut< z*ZLgcn82@pID1mG3|%tg@}~a{!55{|bhSqzuI&vSug*A4d&@o9r$bF6e=g{0+F!cC zI-UGZV6w$!xz@ajCSL5o}` zSMNRXsdO&KFiBR9*5_docS3`hGdk^GsP5b z^d5z^uK=z}fm7rZHIEzzVFZm{Ib`V2jM*6Vy*lhFmKpI=LI!6oT-)c`Pe(BF;U}lZx z(*qW(UkWM~MQSA|n0p{fc@vB5xtqYc5 z;(2Y%=j1|9n0&xgnduLy-yLxtVx8~U1^SbJa*46a6nM^Y`;sXw%~hU~MfDYrdcS6} z%prBfZ<(miJpDtipSo}agV`{c4Py?u)vqj!Adc$z9cE6qm)VO_)mQAft{sk?2D`mg z2AQ$@n8+5_==6QWOl1CQT- zznkB_SWbpMlX03>P#!yUr>1e-+9OjQb=RgF-nT-oVpZMk5|LIBuKH3xCH#(C25y;h zYdPNs{WTXqQC%dTy!jK@gI%WW+TPcuPmRYFFXdao6DBj%VvhE73Nv)PHe)E|>*^^r z6L|Fb_EenVT}Ri-DT_>69CyAtZ(eWgEb_*U?wEnC_s(?;zku6q=J*1rPK zh529q>wm#njmWS3$+$x=ZfTDhdqc8KQig zNQ}#%y70N%hM6*~t_T_)GT8n)RQytWaXSz-YM2^Dp0ESS@X`0C02)NU8> zkGfL5OR_h6J=P+6&*G0i+Nh zLgf7(ne8vsRmPmd5@S#IGSR;*(kTO{@HSz&UK_c?EQ&#c1wZpASDcTnS7G{$z4!Zd z#oFTy?^_`kR{AAO}t>9*08yHn$C4L(K?sjozWK{uL;o+SzU1x4@BuGd*2g$LH!$p*Fet6K-oXdh52nLt&#U z@N`v<3OM;{J+6*M&*z>#@>TBH;m#BHRUS|d~`eW$N^12mX7(s`_ zFl3}r#`BLS8+)aHF~a~t9FHP>GUao``&QUtHsv_Wo;w9mCfg*W?|LiR()yQ3=dWvZ z2+GEs-q?z273Zl;t)BW8CXekM-1EE@>bi`-^L9aZ`89t^+~~7i(Vlz`y>EqGCRcC8 zldZR)QEPANb8V#8@}r7V-LdMqigL;u)82YsH$tm=o%1|@e#@S0!orS2rX8x!ZSg+i ztY2Nc+Tlhse|7QdN9XAlqv$f$DF)iKJ+Dr?h5<~MqTzZ1tmmR!b4K>`ykDoGaVS z|32D^5fquy;}1zvtk8`fhh$sx#||ea#JLGof%~mUewpTtv4Lhn=Qngq_N0nQ=B| zcQv+j=5x?gUg%>rVrJrt0;}YuK>_iWWAAjKJVi06#h&U+)J zhCdBQ%&M%+X=QRFDQ*PG^)vAt$#EEYd;np8P4@EPP|wE8dli3Nc;4vmYJ!@tIJ@E$ z@Ku~N#q*>Tt#j6MuIKGR=d5);4rJG>gIbJ~7oKrA=FhoCUH?q`SDyi1nyBVwEFbPa z=|LL5NUS9>U=z}X6M4#i{@9B}?(u&}7v=Ly-7_!p%s=+x7z$A8J;}c?FVX)bdF_RN zvRH(e*gZ>qgws`8yAtEp6{(+@czrTkGqHZg@1Jq>Ru!MbQlxKj%~RS@@$U*&khy03 z1;)wGMQ8^O+&Ymt!@^J)g#sttl8i(CPw;OoCi9mT*qMkFJbPh)$uwN1?bw+IN_LoV zV+xbH+XM77{Tu1L@cJxa#94Wc;d%Uy zt5oD4n0PmF^#OAWXD|?=a^nKwzpC)9T}#107)%Ary0RI`W?FXFg?~szDUwBhx6U4j zK(xMvYzNEn;4TF_l|kkLO0O?(MbXrKc2YZo;Z~WWg}{T99UV0ev9FrRx;Hd^en7I$NkNDH##V}XTc{OlMK?* z#TSQuo_i27sW~mejIu|p_$1X9_o4;04clUBHLKc&z6qaz%;ZHXF+2nzGYgXuJ+Lv8 z5e_tqs<`2qxQM15N@w;|GT#&z9yv~8(~AJ!kK0`lMd1t!Lt-ZIcI2FY*`w5(32J(7 zywj@BafSWf4#o*}V_T+i;Gd0q70cdqywtZmCe#$4JdfV4$tQ0Ph6trICEfNh6Vj!~ zKMKke0T6zrZ*h`9{a;qhE?!$<0v0<8XCfGg%FyLGtxiTd8R%>!d!qnLX~+5e?ylQ1 zFe>$iH~%Tm;@_~%lSKS~@69%s&sdcH=J7=&vV_sZY23tNV*traNoGd!s1a|N7GyEo z!ts-%Tz>1nGYbTKT@IoR6hT;VxPyQ|ED%PhClIB44gaWkZCFroU+-4W5SIBOv=djg z!~D42XiT}k7rQeh9gYD-<^PTgRgz`MQ@I!#TLa&MTPg%@8{TMt@{Ehfq1aW|*%4V8 z0}Kpw?5x47ok;kYxZ25)rGDGYOjw;)gZ4|x>!cE8Q_QcV=)4a2coFEl0<>RjiPp9! z|HZ{&Nz=`&lREnFWB5H5*;T%TL#1Gp^87bc?@B1vXfhN!knV>_>j7I@#r#pITOolh zrfLn8(xG@iP!?o=$Xn6ylj+{@@3_w0R^GKdx25T-w>Uw&@X2%RS%xEZT&7`$K+r7& z=I&FTjTYh4l0;J`_cbo@i))|F?{Kt&O|3+IE-~fQ4zq$K_nw>`JM}qEi|;6$OGSdr z73=Er;53x$r+g|omNs7=qa_*3x_-ME$_>qnID}>0Pxi@wQ_;SF(N{RU%Hu4)HfOy^ zk**+teKNdK&`9{%9NOp*hZVa!6$qrQKe}l_*N(tGW?2|_wid^as!W{Ase94`;ilMX zyYN5?)h9(p6ExQ^crD7fuH_kNsFZr5>Ao_eI~LYLbgkh!UHG988POdJeh^_Jm>v|@ zz71F-@2nSpu98>s9!>&=hplA;JNCFg>y;Acgp+pen)QmgEQ+k=O(XJ;`sMBV{x0Kq z&#v{^b(!()(b^UmSzu_vyrPZyT94xB#XA_r(c5$Uwpt45gKkJcG&@VDwZ;Pg!7OVa(U+6wh&geQx594~GWDFc{hfhMrdE2ZvOY zY#fuHZD8nWJ$|rQvdX$@@ehyQ_UNnRNkQ;~_}_h6tvIaA6l7v4~% z@?KScckWT@6`-S_QQfOpxMgQ`UiC47)i;UNt06l;z03$PqxzN|Z@hE`qq-idiZN_j zTC=*lwB~Uu-blU2*DUncFQt(_ygAQec~bHli9EW9q$&c3pyV=7kj4 z1II#AnUdNO?iq)g%`J&*E|J#|Oe4Pd5%8#gx!OQFv!(aFtVOIz&QY9YbX^VwOe$wm zIo)5Uo|AQO;m3>Pv^P7#QWKpk-EI@!%t8bc{L{ixM+5~67PRU+Ue<)>*u7wHT1vLJ zE(kaI;0vOz!ac(4?g%V=;nj81_KR=V*V-6WY!umH6SRSoEt9y4Uy3gt9rU3k_4?U= z?RZ%i8m@>b3&mAcRL6aY(FG$H?PEORZ3CDT-{BwSftPI`<{?V{BO^|s$)-)7>!$## zoOLpz`ZVfyYv_6&j(3;BgRzU<%*OKcgNNz&s7Ati4{~Y$9Rfc!Hefh zm_)^C>V(~pxX+?62?qXmoz!SIDD+={tL}JM50cY}qkRdXBFL+Z+Hbli`DmkN4p;^odt}Y7L?nHNk^&k>Ti=UIM$Br0%B3c$T$qVz0`_>!BRkx zOp8>XKKcu^mK|gGuFo@3?hzv>X z!;&S36G=IPWPyKM9n?<)FLN=8GBV{$GZR@-aT&3y%>`_Y3}QAV9rUXV+RQ-)(YT`# zB{L;SGw)bOEz@e%=L$SrW*OZH21<39OmrMW$}@hP+oGd(mD{4r!(o1Z^PO0@t_}5|Xik{w8?u$N?knfB>k9F=1TKh5Vl(VnabK+TF-(U*Jw}a3a$n}gvZmVfj zRH8tiOIm|>zjw1s1S6)(gn%%fEIchs&@+27?6 zbe(P&#`5}H(>w~(bH2oB8p)8W->4~Q#!hz-8bTYF2Nb4>6sH%Jav92HO+mX(LkFJF zz$|h!hpA}zC1@;vFe4sqq13MOewU58 z*~+(<>P{7D@iJO%lak=n}k%EGLFHiQ)?dW^>r(3sVRP&qToyGGW5 zRg@f8y!;aJkw_`o3}jmt)?p;`Kz$Vsk^tMNpm%|;M%2Z~fuYsF0aX)x$uHGXXAlDRiy!igbn%5X=Q z3#Nj9WGcvZ_6*yZ_tkW#GsTf>UvYNj&qEW(=#i(^-b{i`(mtW^g|_2FX2Nxp6|?U> z6CTiM19zq&gJ|7reT?)m(AP@!>|CuhE^>L6BpW&iwOYE7d(((-OzQnGcs^R^P`Vc) zj;&7HU|81JG;WygDx0QRiFW>E&D&t0N5sB=C(P=)FjMnALtc=0A;JzSvMyMy-6xd6VCTZ<| z_{O*u0+Py5s(uBub$cPQpk`qk4u0wr#?8wOD#6GCjBax}*gMULh27qB#&906;5&wN z@4|3%m7!%K{|GwGGAd1da!Wx*Hlrr$BjGOZ@pnzP4a*gnRb+A-L8GqP=k0ZzFws+#B^_#)eW+v|2*0v(q zRI$j8jM5mmV{R3gR~Z4^_{Sh8)#3wt(z3lU`R3x|+(1`9s+y3F_ zWq5tp%y!L`Yx>v=y~A|xN9XP~YrHq&CIN@EsV?K>kGt{B-j=`+%3hbJ;vf8nddtXi z{&yvsKkoV<0_r=&G=dQlJf@LsdwDbsgr4^o^uPht2xi2>YB~( zwSPe5W)5@o+i|}obs3-ISl}Zvmu?r0Dqf7b$fJv>YmtBaDY#(?QRTQbzXSHN;x*5k zKM1>a+?wASd&Mus7yna`E4TFF19chy;-q{%)@ru}8-uTT#*?O~UXrta$WkxRM+5-% zFqURx)dpoQl9@FADyzqz!F1C1CuL%0&U&uske?#6sKUL zP3>uDb48|g6MsAbMr}j>UlEq;G!wz$GE=d+O+;ZM!?{T-SuAuU*1WZbFK z!XleEbzf9u)akN+B}KMy>}5HT3Em?Q9j7)yp!+;^b$bM|aJGbD z#LvQM69Bj^o3=fIB}=AF!0;7k0+y){`a$Uu(URNeWnjVwCwpzRAgS03tJNpRNl|V) z7x@>jnsALPee~hawy!qiRlTp!;@hPVda;5qtkU`fb0*;T1#9c|5p*K(M#7fqEvxK! zU$VU34h(#MEwDGvq`%gg{vI-z{wiliv))*R46dvKYc?DSO)J`L`GT`-$%$>5_*#DA z4huEX>y!W1)MKOil0~<;=Ha7JW5_@{)6yAAziG-NIGAu-RXfN?WNht}+u@^w3B|Q| zRzk~GEB=l#kN9-wnKG_xxxcu6oWsYa`{UT6M~wJ?#B_{&4cM%en=M?Vb9)lLmg&4l zWXZ(in*;GQ3Hcoy>Nm$_JGUpIe$#rp@_lkSNZ}8VtXkx2s`LoA1*n97OP$LgUMS6p z>f%}@p_b+og30W_jHO z%^K5xyUv0ZVD02eGrG>g;y9Pq4Y4OFYN~HXyC|zcr?Zp7z`;j_hFafm}|CV~D)YHd` zl+2!^f@%$zt>w7PF4~jw_xPGMkrELd1zOjC22(aPOAFmigWgf{JbuggFd`VWRf(iN z7Ey9D1j@9VM|RiZ3x`nJ5v3eHD(dfkXv}a3nPSQm_4Du3eq??F=(;22+i%0`XMwJJ zjiRYL&_~U00$r`$@?_N2YBi6skJ-2K%tGNjFV5Uo|t2Q zQH0hjQcpMNsc*+SuLafZ`=VM_^?psumo%?c#WZk{-{^~4RVv8@&zqS|GcwrMHdr8H zMKT+P42`AcI~?8<$w;Jm3$!JB1|h#R@^rNi&XCV?kzH{i<|9Dr7{D`H0~+9{tyMwd z^Ud=Vmcq>B4Sp@_BVok!isUmbf5g&%stECdeZic*^TsQOz)x#8LzMewRwYM$*UU}- zMLi-8_9RnpJo7w%QJ0UlYu<=GZ&0!OP3X`_q=wRw>={J&?t*}-JkIb6G*G?{n^5<* z((3V4Qa?1bDnF5DBIn1XN7^lReKY>Z%`d-h4rp;nRsN|0bd@aMx{7$gg;ffr&yT^oTwd{l0HQrI`j7=XA60z$Gp|YOejLgM*9Ows zBu>uUq1be+>j1d|I<;RfZR;C<(00roj|JLi25V;LnK_R_mzsOWhAsy)Bahqs2m@>K z3vR2sWBzcFfz3Af(@iOACXeMJoG-2CUbKF^+BW=q>3 zu$@h&BiADWH6_Z7^;ouMpk_Upw{*%3>(nDR5@p~3NGAiGTCpb>BF(seOZDki5I~=) zBDKYO@{fH;!%X|MH1+ApFm6X-Xa9pyqJ7bxSg5k*+#xnwqR_=*Be5&lF9=l;rh4Y5 zqE4W-{x@JQs_IR@b{WNe3#)LN(>r`WHgmg#&tu>+fx~_*md@Yskj>I}?v-KqeOvCC zZ?1XHGidt__jWKE%}vmM6YYtG{7Si%%&c@}r1k#xE?;NPk;r9OUvU;9s1XD9J1H7q z#=uQ$E8?Vx?3dy^qN}L~_w)29WC^GJ&Y!DWm9<``81~28JQyAulvW4Z6TL#~&UK~AecZeL%l}%ig0A25P!ftqh<`k%;`b*rlk$E zqb;<7+ukAy!0 zEv&;SD-v9+LdDg{OOw9Dd68q@FyU_7o!poM1`e2ZVB6W6B0eMsW=Q&5D_iqx9sE^sN49gcjydqf zN7QA|H;B|{?hi}r1N$;<$(nPNoO$y3!oOg4qgv#jSQotCV;CIN$Z$C8mTYw}bpArwT^BQ8!M#%PRMa@25jQ4` z@actr@QNqmU`7nV$v@l`csdSd#EoeqdHQx}s^@n3gE?y`_Ki^p?VR`S*3<;lX1N2$ zMH3&Iow{7khEC_Mi}TRqm!_ts8!cU^k8aR)e%T{Q&!M zx6bHrfcT_DOP=|PhrfFkfT$elf<)Kg+Ax3Alm#4K9wU5-d=92R>M%4$Z^@@oyIT>i#Xo#n*WhCT247ZR z;l9~Pc(3yP@?yF;y}-L?*7kT(19@R;e)vJ}SG(Ve^miK3ZY-~(u>jif=x36}$l4x% zT^MHjRgL+D$@+(u7+QjVo4|v)JuY$cgbbN-X1QFQXus#<#7548(d~Er)J>x|+^g)cK@eR%V|vVVX>Jq%$4#@HYbB1#38c%vDO`A5WxwkFi!Rp&o7Z0Y->KGH?lODy z#%bZziVhsGc@IQfpl_B@>b z0>+k8oZ8_70^3{zoI$eUaSaV+=Sm**9OQBGO7g{&uTi%%D1XJ7NaLoEl<6cj+O2{K-BcFmN4z5fykQo~_ZgzdXIz}_qN|qJhQF6ZKpFE8+o_|biQwbe; z&nQEqOc`a$=$QLeuYr7&V2!kfDx0b4^YFL0Hbuc`Q=?W_g$wbO(R&qte_WtPz=?>YljyscV-#5QDcZj(Y zu};NN66V>wPGXp>t#K++f}PS1tg5s2TZD_G(Gc` z0>4c8WybFagnh5b@cDj!`inA5@lH2TOt~~7|1VCl79|x=WyU1p3_5A%Towo5y6DaJ z=ShIaf_+tC0bL#JJg7QUW`)XBP;jQ+w8XZXK55XUI{*nKls=pZ6!En={~G|PExj;j zdyG2^3KCGLz&((lkl;kMrPmd;1P?v<=3^fM`>`VG5TNWsU_VxWv7L;EH9@J%BGSWw zQumltZai!Ns^)TMb5vMLeaDMGXmwJQJoKbVi^LCq-kai+LzQ=079tP*{y?$Ji0x|k z&E%ao$vL74kETvm90VT}uI6nr!f$(;!p%$=A`6fyZ#ceW>Gn)2HQ<;(+(F;<7&feq zGvPt&a?KlPVXk0*Cf~S@nhI98nU;=^>Uizwz>$C*Ve?3v`BG#V+C-t-KXq~aFE+HQ zsv}K!(7-OOGG&#;HPconLs|FQsCSo114)9XuYN=`ma%mSRvaEns)?Y^0LKSOo~Zgo zc^cYu$NKaB4lw11uHuEaQu$Se1k0x{04M_iY!HJFSTY=cIL#=f_iEUym3EbTWCDTa z*NaXDqH|H!0fT`ZQm#(l7|I><;2Dt)IuU6VIv>r3v<}q!Afp1r@LqytVyjd%CKG_f zhreI5NUsK(6ve0DG~WPhy~Q<8)sJ|v+CK?IKlE2Rm*y70c;=DN;hA-eC={AuU{tNz zf1(d3B5i(uMO#B6lk@ulk2Y&^%992>+I;AS*2(MlU|}}L4(ZejO%*&dfsYt2CW>Q% zaX0Oyopw1@ABiQ0hY!yn&exGR0oKUwsGTu)8bBSH)wvjpn-nUomWo4-Zy03Cpjuaz z433z7!1~)c3g7PMB)S`H!c|Y;J-3;GWMAZe(=?WQU1>-&D7nCJ|0hGtF?BUabgnqY zX|HQWyJS?QsC07iKi5s2#9A!++TG%{^Yy!yDJ;hGKi96kc7&vN-8!6HubDN;raV-> z>gUZluFvwI>`k}r$nWZ09=*rOgej?SUKQsVHg6KPX4<@AfWdclu6#Ws10$wZLM+1GD&w5dV% zrYEJk9vLp-nXPk@VFc>>t z7y;SQ!n_iZ?W%6MEidJZT|xL}9=4uh?}xS1mAO~kc-E3QsN zIKNmY=Ed+ZI5Vvfq+ON~Mn=rfXk^6PDiD)%A>`}Kq!~uTq(=_aRHC+>Rd|^a_u?Y( zzSPWH#mLLV((>?qf;G>mSB@IOeN2AF1=B8iw$@?SCag!k`K%m6+vpo}#CM55GX6yi zHQ-iTHKA)5mOr@^G_Bl#ku1i4Md8r;4Y<|H)-@*9gL==CFK#Q;nrwh=+q#kgviYUtbF7F^TQr=c;;D>0 zmIb{}{_9-rN8D><`h5ml=}jbz0n3$7Zz1Z2yVjg@0z~;mK*5TH`AD@^$7-lkKKm1 z@l6+aqCMb*dVQwS10pr_TB9NwwC*18K_mxQ`h+HH{V0wb^Ttts$Y5hwtUc)GPCzRw zEG_?gvJ`uR(0$RSUS%QU=vEp~*SOQD3txyXyouAeiKF8r)>`r)k-p`{7c1;97hQ^! z2mV;0P*}%{+qRaQhVATFuBBkO#)R(s$W?o^77i??8Txga-7KhE3O2z^{F8T(A8|pln6TH*G|Z< zV<7_}{CPSc9lGvXMxiq+bf!aBgAAaz+0;2XZcxd2^IcS*03!XB!H7gB=cN8!WXYbFV#*JFtjw^KS`Dlf}?5 z6ldi*w)Rwi{Dc4KxnwV8^Xm%G1o^5WY4s1Ix{7#9&#zjMw!+ zaT)n~V?9vC)j{jHVb4|*F(gEf2Z#^>2`~NvA z8jueE)`G(iT4v<+Nqst!5hc94$^S4ZbyUUqhdT;UVx?@k+_xy<6!{-iF{R2lk-^EWrW^ZIeXQ?;BX-w1`#HK710u z32qO60DyGje@FY(HE#rT{;g=0Q0#$9`^>KXF|J_x;b2$Pe*B9;sSueC5j&-J9Sx2- z^<}I`b4fK}I0UCw59%uTq{wqM5?Ku@dP%c4lheZX%uX1(8h#k^s|?L#v=H)SBDw;; z4bu#ZlHr*A6}FdklAD3$@$2%=B&NI;&+rR>^M}J~TodLz-`P0KdajjPswbjI^ID!! z7n#hwUgEN(c5vK~Kj~joyST`c?3(iEn!{v4I6(G2zQ~vC>5%OBUNIV6hXFRCj+WV| zRl6}2Qk`CWg-1N2ff zF|38Het5(V4yMW`Czwr0K9ASbE`MG8m?Vf#b(j(-}r}$HNpt75|2C?=ez` zj8TfzZ(uQb&n%c7KL@x#~4(fD3<@aEmZ2$&9%0>*`wOu$TsV_q=s8-cgZjFFMn z(>4g(P>#;94drA>b)xup+!%mzd!^e?hHR)oj0=IuAPlRUqCMVf6Co|V!SZ z70FA@D|l0bihN#GJk^U{V+Y@VxQXlHS|yy0G6$(+^c27J4c|?EyZat71PQOVBtX8= zN|;U(0%a5^Gl80AzoFyrBwuXAm)>_$pF0vx^VqCV{&bkZoMCM{-4Xbd72*yD8cj`D z&&?NDQGWgJiSvmB%@Ta*iA5|=+fn?_lTiGRMe#qLD87pyShjelEDK|Qk8T|?d!gZn ztRK4FA|rD{?lliP2KUu+w#Qch)2ZjBjY+b$XM5dg)}dHY!CP}CE~1H2UMH0(VWjyB|0ydhnwfpp=9GGZ@o--u+*drZoKevZ zfiVn>S%JZ_logh{%szX66GV13dqYviRsFb2(M|}IIQsBrx&9PoB;F%jS2V#dS%KO|Y4Gon*|#`(F&*fxC9KB~Um{5hUWu`ZMC}tL>`{l>M?NGVqj)ua z==xD$(@1Zh?r}E*jEtl0L8rrm4!aN@wvmk4u#Y@hD%OUECb64;^i#mY!^qBv#YZsJ zYDOY`xnAWzpeH}oZegmWp>tnT#R;@n$v5kV-C)~rUm-k11>sM}q826*DT5P{!%!Fl zVGM;aC2Szo4*_ax*N5VK!4ydyU&?I4Y{**?q3#0aP?+(U_!yxNtvn<~RV&e@$OWd( zY4M$_JFo3JNEJ$d<`?S+y$oIa6RAbD#sheav?t_sJRGcM8kabOKE=g!T&xYz>Mu#P zPq$5DCm6N5*mwY^hgfD`9x5T9d0d*(Ief7$1AN7a!=ty~hC6_7qiBod7~ulI7z%?> zOtHI_jUe$ikj+T;h?Uu}ME+mN8P*V2KjDZNwNvkFI|1^4DYG^Wc@1Kr*_!%MFQBIb zYkz_!QfsQ;7ns2ErGT;(PGxBiCV{=MQ}5Hanx3Z*GqK0iWGt@`%7pcy(LG}^L#?sX(OU^%ke5vGob=^$AfB%FH77$ak>HP(0fh--0epkJU~m$&4J zkOx&SA4L}96fCNb2icld{Xl`f4g!6pKuue_ieow}47XiXScl6fptc(av1ym{nNX21 zkAt3OTpfQ9AbPHJt-9yJFQQDmRdMwjJsyq{2puJV7>1{`+Sg$+WfHo;sGww9zayFY zCA(sFCqMi?O!cb_5*LBI#>;WkOa_BXK5CsSJw78qRKX`HQXVV}RX!q(t=^7u94QICdI?WjYK-VPNOzf!vub zw6ke{Kv^A2=r{*D6rSWkm!rUew+~d06T2JrH>#6jVy>q@ns2ilXFs)bNa7 zu(%BK2+RE{RpC(bmvC{^L)U5ye-dDg^XKP#k~ zY1Qz=DAhOp_~msLbyGmveK2CJ?jf@=PoAhjm9k92;8d6-fv3@wYO!5`K|Q&Y%#383 z$9&w$bWGoIjjJ!?=d>yY3j>@5=J9M7%Wxtbho5sQ4eAD0V${u7Z8?5U3BDVMQ?Z?Y zg3t|OR$1M#l#VSM72Uq=-DE0cQ{K>w{&+)6jv^sk`Uri1?nOActf3-)?L_=Kj2IU( zz=&0STQoRkIz1IB>qOet0GmkhS$OEyE~QK^n2ZC*rX^08Vcv5*O6}D3aq7MAaV5(* zS{((p_UI@gwRb5(9k`yieW>5OX-fTnt(CQ4otvhdTC58b7dSBGJ=@M&$f}}{$!r@f3@ER$_*56kCvWPPIBO6LexBnz ztPOwOSUI$_y zv}xnaXd6{L8v-U)|N0jUy8OX{Fzoo(zwoQ>fn&}ZoIf8>C%#UnBmIl&9I%8QCddE! z7sE*4ynChw=b!qjXG0b6I+w>;q$8tdciK6msvBH!`ajiJ{weZwKHWjY)DquUvjD9Q ztnIReE%7(3u@P$wt--%NxK4S0l{+ZcsY_Qa=32&e-JGl9`f)a$6`p{pWy|nAjd@+0 z@A6bOIJW-NSWL_#bdVGobuy8A^o}9bY4sOFmfeUtSyoTO0-Tgn>5!;r$vro-szW@$ zTYgK1iP8Uki35rxQ21=SJhmjQZjeoe-IAvC{U7qgp+xc^_>8Qy*&QB#4i=J!-%xIM z@s!G$Rz7aXJ2&}$1C#dgxXOMbw;X4CWF(rQXlz(L4Qwm|HGELbLlyANHGB+BCSu=M zV^(I1|K za21XN3ifsp4fHR9qi@cCBi>Wv+BdzoZr}_29=iceQ4#Ep>eswJJh2&U+4XFYgOj){+e3yNa#snxs+5_RKR$3*A2 z4n6Hs52AGpL)ACjY(=gvKgIFLq3RoMRw4I|9c|Mnl`j>4(DU;*aAry`YxNEsICDY+ zR7a&=Atvs^u zRCk{@J<#?zIPX4=dK~cx^4m_gB|eNls?$2Ec~UK?GY^3MkU5ja7#Y*A{!`rhyB<`} z&~`Kpjw@AvkXQl-l6}L#mRLI{=NV>Gfuh0IWV=A3$`FLYW1HhxKzF%0hvk%3ayiuC3?{F2m2;b_G|(Gkl# zyBB4wo@kxoCA8Bo>K5je+n7q-x4`ZOHWcoaODbxA?2!jey!`!|$xBc}I52YcdMOuG zfvyNj$!1zMQ?i*QdxEv~P-ZY+{Q+5m?uRgMnDa_gUNCvZk~qg4wvJ>>buOZds3%Q0 zxd%v)%s?`h5^5$1O3BPfeqhNfz9Oly^G7MKSy^Nv`3;d6sAQy)DV0OvUb)aR4^ff{ zp397XMwI6XtCa77hJ-Q_%Cyi?`Cb9R1f8PdCJGOoZC0eD)EZ2d+S^9F^3us*Be1`t ze5VZZcG5{Y$z&vRD1B`-!4+Sp!Wt>VPO`TW&=} zM-J54DwJM}BN(W!nC|>GbbB(zQ(?BQO<$r!nQ8paeL~qeo=LfgSQgBF&1Am#j$QEK(~PO;kRIBAcEg$al%p7W2Q5pe*0Q->ne{7GGr zBf>pm39g&?2$fYkiH|Vh`FjCN7*%zQuQS&=-n}q3fQYOBNk<3wl@gCv84~)8kSmb?qR=PKrO@h?qTjfJy$`L z#PU5~dkYv*Yl9gZ?FCt47bb`FywaurN&Sx;cr@^t=9{H?y80dxpB-YEaSJ!e|=AWu+==W z))O*u1f5O7;_KGhNQRpdeczKWY;6oj%|CCL*dY_Whx4yzz`1R9dJpF_(Da?LHVLhX zk_l=eDYNT`(D!3| zcSP3hF|nYs%$Tjix=Wd*!>pBYPo{J2(=+Dm=f?8Mvo=3?VLe-@Ai@+~buoDAbM zvAam0GE&H+>Z#*;MzvN&(L|3&VR)1aG0J@Cq+)gv{dL*?DgL^cdEqYep3bj}ok7YB zo+rhn6d7Ncx{gF^HXE=9_ZWfQqr-P&Le!O4DD~Du;Z1T*3mi}T zF7tpW#*(L6X&&~(_S+rw$Wi+zJggM-Yd2_c+KX(4X9|+3e*hQ-pw^G?tHlmQMy)N~ zFBE-LIyslw8;m~6DDGQW2hfx;AmPBFK_Zs)F(~?BkCTMgH4F&B1-YRH#_Xyu@-zP6 zRFMWdMj@!6Ud?&nIeysJOh5bPG+JbPQ~_0kp#r1Diz~BNmI^At>le8h!S?U2R{OHR zIwM&|;9~zGf0f|~d1AGjS4%>>>CqTo&YLf^+d9N+h+4ELpGNaruQVH*L>>8!_nleh zpgMWiGzaRTQGizB!%~0=&WNhn>CLq{gYmeLr@vhr-uCvVsps2V?Y>PJ4m#A~MD47? zll;o_@t2+sGf%#yV<^qZVan@9{s(^os z{oJUO+0>2HFkVwL%gKc|=OO?%N(X%`c6IYzc2iGxCo-7lNA(d1z>`*@Hx_%7|EmD< zV3L9Ve-~S-;_oPol7&=4r3)=-v9~%o^GC0mTR77?@MF0v@lObzP=);G)F)>W;@u-u*k>F zmh{bhpn_XX>yLdDASsND6SWMp&vA)PZtLP&?Ue@TxbeeDJg$>BsQBFL;uN3lg|Sr3 zw*V`hUh9q3n@Hhfie|d^=v`C^pIm{lMD{S=d5s|>y604)dzS7{Z9ZaPqdR6q|LohQ z`0Oa(JOS#)?REBPmBxife@zj=q_SUpCkw18m=Z9MB(`;n-J`Rj2rSCjOvZZx=-RX-P-8b4Gc1F$h&7W6?Gyndi6_5eI`>O zy+;?Jc~uovl*$B3+^=miXM)`};AvLP@s#q92w^CMDIvD1g$6|~8X+%?#D_0`e|p;0 zdRMnf71OGiQFT-ALJki*udQu)Qm?fMMhqC}-X~v!uWxlCU%~b@XRafPVy&oKYW+gE z=0RexW!+Z190jF|d66f(+ozfde5TVsLn^Jl1p4Y5%t(ILP zQ-XjpRvLBh^?mIrO}$6+G%nRQe}KTe4{dvJ9Ej7_p(khcZ{6^VE`CHJe=qj+NP=`p ziIJe8$fdq_PH2_c1u1O^Mf?>?_j?v-J(Okdm*Dm?GRPI&a)U6+WGfZN_AZHeEQIx~ z?2)+l?R3&}w}gC@;Rb)|_#rY1mpStao3PvhAnihE5>5*DeTHe3Zf8@8ow0oIh zo#KKrvu~oH40%WusPV?W6rI*xk^y||Wd7Gar|?>)Alu0Ai8X+D>B&kO&N z_f`nr`^uP7Mjz{#zqP*ff6mT9){P~lmwU!3Fhg`r!tnoO=ej`l5@#Z=H!CBWS79Bk z`kb$OQvZ_`gqwJ$^fwuo{%{_T6=dI?o$|h1y|J}q6R+NImmckbyvx2LWxkW9$+p%H zQOdvhTJJ3$yP{ql?VTlG@9KtC*PEg;J>1&vE*m>hLQGdTOUO{0f3wXU9tmyCJu!ll zh8Jju!l*51c%eFl(Ytcp2<&j}(CDNK2XoQLh!Ri@eS9z11}AcP+}l{6+3D;BJ9u3e z)kO6;8cm)9zuM7H>vVime3J3FigvbuBFIRqXO5jgKfLYD4Eo@mrgXfwjnK+-olfkL zMzpP;t`fAzjFOHne@Ab0m1%q!&WF3JKf3*B5F4o(=yUX`C)f$$D(ZQEw3ePWM~4%7 z{I6|na@T*`#z$2qbjB_g+UVWn)5SBXICV{lrgZrCZlx0ta>Wk^DF3i4w=CY1t1;u{KAhB&GR%W-XofHe{m=EQUfdA)x?jdj-ok! z)D_*^k{)y5+0{M|zU61ec&5GwcpJ*Vgx=WRg^rmS33_9y5plWjRK!xxoeVV0 zfAWVms25qiw-YTxeY*RBLPfMkX=dmNr09~3CClC0E~&uKmt$Hm^b^Kqaw>Z&2_pZP zIhTTWLjxuAe`i;?Z*11|DjV2aG(*{atHm1}rx%O6JnA63f!U5ChKhzF-3_bH9qPV@ zRy(sP+rpOH+a=+=?XZ0>?8sa0bDt8{ZKFm{U*Hm}suOY;x2#qzt9Fqpfxm+$ul zdaxSKjjQ{Ews&q%qKjLX`88H`>tn)=2WCw{E83@ue`mz5k<`}r3{@_$40&+`t!tG? z_je0wm{HTww!otfB2p`J++B%#OS@VaGfRdjVYd`7fDlHp$<$qXEI0KG?w$qpJbElS z^_=dX1NE$WEj#sRXbI%T^;&wmF$+yNHhq?#`ep;VeZ7^S^zmV|B=^-UX-k%eW@@rQ zvo^ije;MISfRSFF;r<1sQ^4Xmox0o>or6utCT_hG<7RE#-VhsKN-Jhh zm(liO-|6+XX6$FL`^eSKc7_*wTTjE=aOD1Te|9I6;#?-eRTI@k^2wX%0*lb{jXfF_ zj8rhK;+8yTzt@slj-xk0qZ)55)xDZmt$=|7y?FPStZ5$gEui-3uPb`$#%R8t^oEme z^{h^4#_}p&eW++VB3x`(9TF)a-7ps$S7OrlK_+%f;v(Ps`yKdn^JhJ=x`wqaZqwbb$?|eG%98*?| z*^Eu+B}pqAlRKM9UGjvM$kqwmR^`z#5hnTVmP|*bEwCy9Lpyf1wL259-k9b=mtRfN z{IW&adJwBsqMlih9vaYlHq~z;)fd- zYjP8(_{Ee&RPup4?|Nwi0zX+b)eoG9rQ(`Abp@DIjRbV$EU@*kXtI)!hbGMcR7qXkCJ!hR*eImPNbX%%Flv742O;&~?w`g*TN*&>_{Ss2!@w`h`waJMS7) z$ACMvX(E~CRGkGsj!9v3s+Q6bw#1=GdEQ_FZC`tqj&{?JvB!DEhVG_iAQkkC$;3r8 z(cjmiiE*s)6)H7Fsy6N#>YoqJf2!>7sZSl8&hT`Gr{g$d6}{Rx(Z^g9un%|Po_0_N z1{TH1!}i4$oQ-QzKAFlV$km8KY zH5lMeQC!#JBfrQ*B;fml4sNCD8|8+D)o8Ub=|`)L8v3BY0z{d3u<+HMe+>HuY^GoU zR#rj-H;ipZ)(Q<~UupQq?{TPFp&9WbhL+L1LjF%h@LDHm^g!S*^}e`lbvi|(LzTJ_ z#ol?e`$I|bN3gW}{ipo*ndH}tuHdfW#isb?LF18nbuE3(wB9ijn?a)`I}gK5$sMt< zCNa!Fcovs+*r+fA)H-d^e;(na#U&PbKopc9`gmj%!{|8Fm8L0&mCMSes2=A#cp|x) zV~RZ4ZgkD59l5o=z|FL)FYD-Vab`{Y5`*SZ+$ zVx((KtWOw}{8t>(0g-=%z=4i!CG{jOaX)7efv|ri+<@S#S?cmr5(;Lej>#oi}rKlbc)!f#!?&#cVYd5_)e^>48;n~*0)TcMY6UM;o z;&<}oZWX+nT{v1*n_2w(pf`#-68$uj`(3KDP`%ousPO+xk&lxUUm7Qsoz)vDj$;$@ z&7VevsV`BT6y<%jbUuhp>d9i&J0}iZYa>-(7)5F;a4_(}b6&|eyq~mIBi-uFe5kmY zjGO7WNA$S6f0BXpuG8bEc?E+;hPiSiqa(_TOZ?d1C4Fd@wkRJiW%3G#%9~`;Do?9g z6*R@WyorsLp*$a^vsk`uT+39JWYhiZf(oWp*phr$e3;^|YHdj_Ft9Rd+22*|%v$$% zs;$Wj0IzDzX$9b^7TbJhKZ9+4cxvT1n0weQ*Qbj~f8B0x2;BktV#f4+@@N?^+BFo5sp zX|#(Ee~Py83KsRp89Iu4uw4;?e0_G3JnrP>7 zDP#*z)5;}xE!Ab5*E<k z-bPtm-iifVNd{L+bx ze^F%kf4)*_|ATL(lp@3bQ#%oba2-%WI?OLB5}#TDBmp2v4nNy1Ju6&wq?6EJZWT z$$!-^E}w20#GSOL`gR7#lrY>$i@%>Ne^oP0s=1^0zJvoA%da6->+F7qj?3_6Z~x18 zL&p+>P}!ir7CDcK_eoB^;_Ny%ZM33dGAbscq8O*@q{LJ2l%)sg=}}M8OQ$*r?!?JV zoO)x5bln|X@1i_nl5BnIOyRv4RjzcR4;RTI|Ke4%rDPQ&eYi-z|61o?@ZQ+(DDQEQ^V1lrvZi*29PtglCEcz=pp4=GJJt%d{V`nP0qM}wC8I_9C zNvU>TZzi~nu`6JT{G#gI68GE7d}J#oLb@f|HnMK~Q?$dgFgyK#17}LM;+dCjRQ!Yg z;P*IB>+4(Hi00aGofl5hi($+ZJ$xfxogeD#aES%8d8?oBnm)RbTVLimlHWgy;v<7) z;Z3HhDkV-Q~(wWDfzraa;YmU#J)Z#Pjb{^7U8z5(0lCoJM{3dLc zjEU)*JmWwAdleok*oi!}2=6?!jEOvS68NA@Iy75CJaSe-`ll!hv!?jud30y($rX%XoO;1YTfjZ(HNV7pBN8?B(#s|OZ&5`wnD4G| zePX1~oF=;$AH(>ViqDRGmS~Z0D;nZ6qOHj1h%WE93;I(_5tVn_0i`~?W9Wu~l4^E; zd1|fEzRxD=vm%0$YSykj-HCRpR_K9=-|IDnLdQ=Pe@h$TREcynrj%fDO`Q}Krqvi# zFX}PH-*9K71=cCVZ$+h6{8O`ne8)0v(rbf^D%a}{83W&8)FcpRVg+%}V_~rEfnZy1ccW<}cHj-=$zX~t+#0gN* zJtxk+EZN&TD+H_dUs}%&aOD{xb_8CC`N|qJFa0 zS^x_5o3;2ajQHCWv6K>h+*FjGTpXK|1yh##e-wkLN-}jdQ8V4uCZ7YFr)cw~IPNVi z6Ts6-VoR)%Hcs9Rj4dmT4IrRb`f~B>{r#;T>X@t!oqCeoz`^8q{4=#wS;Am~d1_zPal`VfG@W4Mbf6BFQ}$%w6Kx)@tl ze;FGfoBm<)+mJ@(bC!R(Fn$_~#GX3P2$G2-wd*aJF37r_EE0R% zK{H5yR4{aLf3sRZD7YBgQ1fmE8I7xXe>`O20)}xn#l@HK@e3|Q!XJJ*vJFob(sPidNZaS9)_|wbk_nXCGuG;93 z73EHK*eoZy_4Qystpuhg%VvyP<>={Z1QU&09XOwec?P3J`@gCOqaNa?AJ6J!>5S3p zp=*Q?_&W^z^!t1t!Y+QtGMZ1Ue`6V)P$P7S;7GIoOG|TyORTSIEr}WAD&m7ChhkX{zR-koG^fyFedwf7Z{=#na0{ z{n>=6C1yi-N_iU=D`rXx$c>&UDX?~}a#aXX_|;r5bS57K?MOnFrV-A~tRF(vjoL&P z+vLHrRKIz`N$rXCvLh0c%c*LjXt%9bca0t8kP|(MTU3g zYYb=XUTpH0Lz(R>swRM^f1j68v52~q0QV1?QUYVNnlLZ{dTa+TKRqmTc35(_Fxlr* z@UO6Rr;MiP)@f=cwUj+~(#cFXUEa?o4?5;pN9it3qZ#Tnp*gWkXg|>QMfI1DHqS0XoF`NOc}@Wu_;%H+Lq=B99sxyWXnURubaf;R=?K;b_!_yf5l_CVK%dPR>WE; zQSjSv3me6*zDbdAyN^>G9*=V4__mXDSHeDC6oNT$Kpb+IsuI?j zJ;Knp>d^DS(L=$*S4+!$=4H(_ALTyU zXZZ^UqMMS5kFuDdP`r>JQ?=u!;6Zbevaw+v3l6UY=+x)x8}7H@A#5h+qJ(_7>&7C5 zkQD^*!NPe#>dOsBi*mrWk~6_lK0MCU^kOk&LA!?7aLbVOe`4EYOn5528KMct-(#w< zF2cn==D{TP!c?03z52XU@Ir;->9_@#)I*lx(rG*?#$Jq* z8p_8aW%EFi>VgV>XRf(4^k*BtPI10Ds(St*kHX>EM`m6Y9n)Hc?;9Bjv=MWkD0HDi z3m<0mQ^v^6e>J0wTduNLxjJ>FY)Ydo5LStTr8f6w{W^%_2>DRguZ_V~z0Udtdtu5+4?FI_Fnjw(6uB9fpkA}`2ARBr)^ znmwj;f8CX(E!cd}9oanCa(tj-duY&c{HS5e%Qe298cMH4c&A;neLn-PGBM+6Xf)j z3g6w`UM(mX9l&~Vs+~~F<}-e-?I0KPSUEg&e~|cPd5XfMd|KnC4?c-@E)faJPCHGi z51k5HV33#t`g)Mwh;}X+2V5pzyAil9-1|lVoMRpf3D_KR@G5Hu@Wmf@9~V;an0k{X zeDL)gBJd`wSrMl%7ukW1W0hn7hO>ck2CaNj9%g+*jm4z20xQ}FmubPSXhP}g)9M#}USZ+MkDg93 zGdG(LC(2)ELt$bb&S67qItO{}9@)SmHDW`?&@mQ}G2`}H({;~Eq6FF%wv_vEdoZ(^ z()MIeRuNNW!#<;KOY)EFTQlWJ;apx(f4V(naav+)QU4yN)SrvR#$>@}runT~nflVN zk=cc74V!+mR5ij2KVmHd{v0by4Z4L7!z2s0>pVJSx$u^?GKv|2g@7!WDK-_NYJLde za-q@2i}ERtA4|J(_h+2n|7mFtkU74=U;69VCU>Q1VjCRK)Easi#sIjSKZ`(vNW=7};6;-ChdW-D$KR#Yn&!MbQ=3;|ZqjL}Bss43|DO`9rut80s$rc`G#!wMveF;jd}T+E&gbt)97pWwThiP zk@n!b&(gTea@BPErdn;Pe+hCht#T)b!O+7VPXlc@(1ruF0&S&(Y45v11oQ(0!1&L> zTaP&XceE)Z=zvj-rO}GtAHyE@O{p~r0QTq(7$^T5^3a;444=5D;+E%dpcAuUGe5 z9!j3|D!B|H8zQ+f3j|3Fl3^EdwQ`7h#ybwMbN4*K) zBFQ#kveqkff7gY2(KjV}W4$HF=Q&dmEM-ht0a~)lkc}n$lIv6YdQ#{H3ME?H zK%&JZB~q0KB^nhMPrDWGks8f4ECJ494epP^6@u07sDj61Xs5;+*SC&w;#y$v8{F?f zi*5UMeJI8|s5>zgmwU%TM<(ZyoE)xQ%OqWnwZ)QCf9RFTSI!LWNFD(tmAN_dN-N&% zDn9K__x|M|nR!Ko+Z0F9)t_}4J|xi?qwe$!Hro`(+~E&qG?mA1D+?cjvAe^A&h1zB zC1!vg=~Hf{SfP`_L|P@~`l$bf2^}Pj{@SZu0uu*4AXMFg^;B{TcSi}<%b!~ zSFfhCS9lUn^pv)V5^@HT__FOZGl4U@?@)%w<49sRbC|O+MxBbsv-;Zv z$}lppwnGE7oN&jPw4Y|uR~WDzR3jOaM(L1@g%IS!F9yd6zJjYKwf@foA@e!mGtv0-=l_sf%#8%cEUL(>voH z9AqZg5?HrZ)>hlU!=;H@Y`i=@bU`;05RX~@tlqTB$+MplJackY%uI*2TX~DFD|AiC z7CM>sLq4Bcdb#W0>Brhnqah=5W%SC~f4}P=bv(T<;|ZQ4TQx@y1^s}zq(xS zX*m@8s5OB#z9Q6jL_3%SRjDomZPvU@5CN@ivy^KyQJvmLAG+|HaPt(2eKrs z!GHnU9e$U5CVAWJtaD zly-gHpuMR1aLB7ggo3pfZQR@;C00%;(XPQJ@0zIcmKB!ztTt7@w2g;A8 z95p7AtdnZ!QLb)0|mCQeYGf8Uh92F+)oslpu3LHpR*3%?_52Mu{?&_1j-a1N>c zANC2g~7ju%V?HrgyYZFyEiE!!8Q*T3h+m*l}gJ%Xj?;A+jvT(lkI7dSbSKAe`8)VCt36r#`MF;7OhEBU*gd9uBmmxqzj6fqE8W(YYIZQ z&^XM89xlDK8L{T8i!y6G1)y2TOb$AYf9Eowwv4hn*f0;UUN2HawK^ zS9D3YIp(>k6uQDa&QO+{7mJ89`o>=1*dxc09pQQyNk_rpnu(eqf8##JmIfV$k&#!0 zW}ugVe8axdX=8ylM!Gcvjc7W&+R*2#Sb|dkWn_I_>A^9Y!R(3jQE);*o{Acy)(e*z zpTjxTzDTXGiMMN)ip3Sg`z!ritdns6unmo?54!Tva?q5gTF*s5R*Vx7eO0Zdy}^J< z0_Zl`x`=nF9&_vnfA*9_V%%ROZ7$H}j9SfLE!%T(M-eLu_g3#AOt;VRwtQOK;mSsk zhiY7-erj1$fgKfX1{r_6I#iF0`fF6g8$9w}``y)7Udjxa^3_9G3BZc>?`y7%3Myc6 zsRH~3I6gkoj57W5A>L`ilQ3F9vh+(6#S3qe_N(FhDe5xde@D=MPTWric0TD_Azz49 z2f9tyNtV%gz5eaPx7Um(>unl<4J2-UyWFpT3vN`{Wcn~cQp9>yfVuDyV8D>41jdM- z2hkU{^F-H^m{)^t)s-jrepCMJtMNPMs^TvnzH6Yy!#daKHtZpfw>#cB4HNA7N`Z!H ztsWU}o#${xe`yx5c+V{2^B0DO8sV>(4$bVov}rIB{~DHg;ZMu@W?R#!jDB3(!9Jvg z#yusee9;+ms8C0+IZD;UXh#}T-j^bOL{93jk3y~No*Jn9NE-fXmaDrD{^7y;=9EU}(vTh7``0Xh|w;6v4z=lx(e>ViURbem*o9?DoG%osswYuJC z+i0Q|f1TE*OH!E)!0hRinKA*^Yrv0x=j7K1ob~!>XT7|6LXzU8D5L$l8ZKyu`Y0eW z?WqkUA#2VEMMr40p=^cWG;To;$raBbW*^Vp=73cn&g|I>55a~E`N^Y%AxgVlvz zsB?9@fNN;CZl+bHyC{osNCJQOQ139{Nf`_ve_i~cslso6cF@s$jH6_`R!Q<|8rQoE z%d+UnA3CpSI;c#yy0O@A{Q#+;^3nxlU|YHflrXtu9!kD|b+*TqlEpBC>h z(HxrO(N`55&8*F^)yW!Z^E|EYDDf116O0eJ`tIxkJs;Fr~p(EkxPgAFv31X0cw`8j&92ehf*zRWw# zOkl2T*n{8Tx5NC;=)s@zcl~Mn?)PbJW%s1`U4K^_OMQK5(IHK1b6~3W#Nq~dkmVZn zlYmTB=f9HYms(KwVX%62k@psgE{zTaeAa8)R zeV0{`_ev(VRX=gatzd0~XBAXi%S65fowFjmbvokfum1SR(a7w{`iM0I{L$o&{>%R| zc+q}FZ-Jg`vN|pJF(XsxZ_rtRfAx9N;wx26Z=-#f(y=M#!iVR8Ay2xnEd-1pV|$@l zr;BU6UR=kjkEwd){u4!69;@%FdhLoFhxFZRA0E0x zFq`^-7e%;><{A&=8ue2Mvj*Dw(5T?8K2He~&M`1pRoLsljv2LqnqeMtfAP)w3FdqV z(3bH5Pz!So61u^U!|xD0NvfLj0`Je~pe27nYTgiPpUD|Mkjzt+_}M*qcAUHP?$UpS zmpSe9@8hSX%1n6D)2F5W-RqpxK7?IcxSC-e#QA3Z#OT^0)(Y#{EjIBR0yNxip?mGA z)UY{!h1}j{?YdHCu3jZ7fBtw>4FbJuU7xe(hWV(&HtVU9wiRew=8V5uSasYV1TS>3 z85i_b%=p3$ea3~Gnf=%sue$aGw)@b3NSF?FZVsBXLw(qaOnYiUXHqxDWI95%QWP=c zxQy|wzlPZ*{2XNXh>Wh#tXKx?w~~f;jWz2@yb5u)p?oxf6J8NZY;b(Zqtz`o?62A2 z*j3Na74=SL(9QPPw=`PmUVADwZqi>XI}os?LD1TDV_@LAm{+06LnZ=~GbnWOp%Y67 z*Dl+g;d-U06XK~7f6uJHQqFSh4Q=OdgbbaKF-5O3De84_Ex=PPj!}QDl(BlXUJuZX zpPSVzm3kVL&sqM(YzhMh4z})XhRM{DTNX>EiwG)n)$Zz6SZ)6qo|fY~;$oO>;~e(U z)i%#~j9@a&d8$`B=QOj$LUzqqwiX0yvGQIs{+Sm=>f1aU*^ zZ42HKfC=0@1Aq1Q5cP8szZrH+acuc>9@;nc8zt)7KQ%>|9enTOjedr!DJvgeX%d^> zLTTgr4XI|qe`@~HexXFQcjb~kxwE}8b(T2VQBZ|oYsER_8!$YRhE#&Cc-(r|RymlW zvGnm#wfX8Y&#fgcVmD(JKh3CRm*IJ}r1kfDIOHd16y&FKYiS%8f;&`+H+ny-GpT4? zB7%F>nwR>n_xh9eSAU`xd!9BV$L37p4YwoVQPb)De>Wj_v%;-kPQV;Wb=#atDcoV^ z26R1SbILQJr8#74J~`ahX4ktm+dGEC&`uXzpJif4sM}F~viX+dEvf5;hECa_Lt4zx zct?~oMqb4(bnFz7XJ6VWHta2)17lJ{d5|$=PeIfs$N_7QoA3A zkm(ite=IASSjN1iIOVz~i`;u@Q@;g&!t*U~vgq*OuIkfLU3#(|vFFbn&jhPJSI(t- zK-lCj_x$Uj93h@S(Eha^^MdYS!unU%SV!tq1+rQ+V;Xvf6^ga-jXRhl|uab>GP_dUzLMA1QgvJN| za5X5euk~hy>sxbZ1O`vo;!`K<*BThIF;SGp_aBJUbAzGNeI2!++lz@3H0(^5p}J^F zA)%e+`>=$1cN5_PX7z_jv^OW8nlTZmytu$JGE162m?-BcaF_=^W=1 z91C0cadvx?!hS2mhKCMr2eZ+u9986Nn8(?%&?ix5j|*eKPn$gYYyBLTPwKT=|8Y<;q6lhBUTB0HMW*}2hbNs8$yui$gYcBNrgg#;6<^LLQokJ+;FqJ)b z$r{fJTQuvamdu$WEa^0see)R4e_x^uCNr^Cz14aAdsM?}cXhJoPAYogbndUlT*DYp!lv;NTQ;4Yr@HMIqZFBv-*Uxh6iD`O+|5Zid zDQ|LD@DAZ3-XBzwI#|(m5O*4sHN4a$`DXU_1I$ezOXxb!Z z=NF{=|Nrm*S1fc|%6X&jn(NEXo8lrkw)}3%h>1 zzL4EnyX~B5IEy+Bf0v&>Pt~T|-VDk#9E$$zdKCS6iY(T5gX$}9qmmYDn=dFm!p;eX z6d+K^-@HsT>n0+GGXQlt<`Zq+#J@KJY6m6idd(ODFW%PBgil7d0N)<*JWTaxvX)I# zbLggwL0LU(c{NCXNF-4wS<05=it^YhLigmGhiuSbHz8N@CXOBWA zXbpw~G#rp&TwUD?td9t(=qrd_VdPwTe~Dh8Q*hM7gjiikhs!uN*lH7Z|3gd@ zP9te}LY^K0`!?WuT?-{JPy#9@fMNnuOn}7%SPb5(u{62~LCIDs+2T)~3|1_r@V`p7 zxKS7u?+gYrax}{w#SI~5o{S#WM%dIl#w}rnJ7V{{pjo;DjWDA)ZG_SDa@!Ls>@}e) zvo>A1f58dfws(i}Ia3{i#U82|u(_}{7c|ycHS3BwL`~B>GAd;qYskeBIV23r5Chavgt}xplZWoi=%xZnHh@XMkVR zwCT1sSsOA&J0b9w*#!X?C)5V6p2Fe@37LzDe+muQoURjGfjyMUUTC#IoL|-T2?eXS zOJ-{XjoFf)~@ZL4QGTdLez6 z*Kv9{mN=;q=UKXkb}p>#3m<414@UEJ^0&;^%oJf76;wpv6cLyr@FYcuuBJ&$nuSTT zf4~GYsAo1^C|dfbj+vy~h}Eg8nT;GOulcECYHc+gw=h;nv|G2wnK%AO)5pMB)xy8xS%o|Xv2E& zp&4r30PBc_j#y|@b0|y)MsrV_=2@Ane-NEMZO@+mcsnO!|Mll`i<6ZYSetHFn$M_B zeoV`FAFUsqL+P4f)3oB3Fj+foHh6T-z-xu+W)}tfNNHXCrUk5w%95{9ei0rH^mWG{ zYd4N3pPyB>WY&pr3Ttc0M1WQ)AN;7r5onCSU3?~DvQnEcr#T1wF_%)KR;MY2e^#;5 z#vdI@Z32jySE?Pn@LSd0ddz5%h`pRkHc<)FBy?=kvXttwLry1pvZh70`4W|DoZNT} zH~2#7B}40GoJ>o(WwC~2Ca`93@26fH)rzYx+N0=&jrQNRmmSL_j`C`;#9B20V_Xzg z4WmYRp5<%Y7sXT2&njC%ZQfape__l!gS2QqK=WF?EI&Mj>10*XBHA3w_^ZkXMHHri zSr45-C`m!{XlHGcdWC7sHbSLx9>Vg8S`in=JYJX4{*Y)tXzn$&EO^3sm}E-?wyEh6 zC|iNCg?mQbYf7RwkLK~>UPq97;)Q%u0+Pz3=R8(S25IR;0-#l zQIv;je;wnEd$h|odN}UZU*jUy$K>?I!PGN%t>-L-uoZ>UT(_}kG0+wp$IR5@ur#gj z?|*!}a^1^f%7sq3z?2^AXq!sJ+chpk4Yd$vEwTDE?c-GScH_;uC%K>WlMD2|4e>Ux zrtlM^*E2gM_a^VYB_FRBe>REty~tkvlJ{DR_r1yRYfN7YI@<{P~!pt=^wF>XdC2Idbazdnkrx^|?%@CAkYNFBJ7?jCEmIG@!(3Y_|Y%RM2U8~R)$)g_|f17!sGoM1Y$M~BH z=u075Q8s5;^Qn!6_NS;Vslpq98RonPm47@{pBI}vKG61*ZwIRB)nA^#Y(s4I9DjO_ z#Q-eP@jZvU?P#w`>G;|Z2?9Q(?SPv-!xuK~XL(sW*H?$FMMr*2wa=FiJXhP{JbPd; zj0-EHwL^qWSp66ffAn{4(!elsm~I!4&JOg+m+RD zzCK_n(3Wr%1udy?vybH$3|QQ~|5-*67s{ws(8ci>jq ze|0C|57h<|5uy)*(@{Pg*Q$G(=%cZ);ZhIcvh}qrkV1dWf2uzB;TSmfu#MCR(o;vb ze=MBPX_9TT=hPktZW^QXE$@u+70|Do3366uorX9yCAwquxSEZ08t26{jp-Bq6orTC zgAP}|S`OQrpc#Gk!Bo`Rp=9T)M*W#jg+!J4WRD6PonkSIy^jJ5nrusa#mKR^ z*-%lL43sTg(tb2+K5mX8$AYjYRQn^_<>BEeRvlajE3jGK2;%YgFv%7IGHF+5#!x_p zuyfN0f6_f19s0jk80x7`c8Jn-sUEC7zAR8D*FwbF@C^DW19k#y2W$0uh_1?2;Nso{ zE>In@UpR-5-2eDsW*_D=cpWD#nosftNo5{xpgw}f zqIv>t>zC$m^~^AMgU0mhRy5*cQaO) z%1o=D?sgO*xFF26pNHr0rC4X_T8B=Nond&Qyru+l7y%^&S!zP9p9lzFd`=fD3O|W( ze^s?Qvv56zXB4igo9n_=HS#3k(gG(RXyIF-9)waq5Zn$Y$A&}>GNu>m6#*Eb=f`#{ zFK_Nw(^#S#(Vu>DeBhhO7!#vMD}5yp7BE2{bcXZOPmcF}Gu>libV+7fz|8c(sSFoC zEq{_9yVIs?9eJ3-X^^lH=qskg`UEAde}53GAPzw`1I-YmcKc!VoFpLLy)|0cWJ&FT zsYm&0C@f%tjLyjq%3SSv8`AA;`fVH3d3m1{)9!6a(|9F! zK5*Q^1hyqj{grmk?_M_9*8y&Gpm9TUbS_?aQys82h4zO0^A+YOUb?7`;-!(cdt1A$ zXxqhe9v%);UvB-xs#djkecv)Me?<#=*1^^c@3%oFaOT4@G6TU5*FE<)EB_5Ny|{~L zlSfnUt!rdDd9r5DfrpFY1k5K?=1mLJIad`o+~%sKqPI}Z#CKgBV)enV9A=BA_53Z* zqYo9~xZ$q561@HR;lumIm8u%zN17O|{BR5O!vowx+&YI_J#urZo7q=Kf1&Hg5C*20 z^E6&Y*{b0YacDgtJLcRtvrkWlYU}Pna-sfIK)lD0M=!5kk*yzKCShK=hRseFOxX|6 ze!pbDtUfO=$#n5_UrjsqZF^&P_lF!ZZgJ}f3t^rcIpG?;>;+HYAKp_=p53Fne!C}8nn7y+bzreW=>V$ zyiQ%0%%RGdIbT(vF49#}w<>=Ci9mM0Z0A(PJo08RX`LMe3u;Bid=)Y8jvepPR?W); zr{dbtuFnVY%GinoJn8e-#S*I?8o~SXIyJFVF-(1YMooDNqwANRM+dslQ-7Wu`8t&e zi&JJ;k@5_UmuKGqzPZ>a4|J_bZ`m_ z0tB==^2sO}0~Da?sGnJGHo@3?#-yazW#X{Xmh;?oW#Ex8OF&`FY0Gq(VM^V`#U}fz z4|fh(K)bW>pxV5cW)fI?A%)z?=mEUCs15Gf;Kk+bNA(Wu4_O+e41bq~24<9Q4_Tbz zX2^(jFFJGZ7@4g2_)G5uomremFwCPJA2x#4Iw^;Q&=`~7S6VoxO(4xikVz_|{;h<2UmSb3@|BD)w`+HVAhgZBBvu3Is!aFN-Hz_Nv{siSWDhNMt(M9GUOb* z(R>@3_mNIe#-0xARe$S9&%>;bYKG2_ea-X%+*OTX@5ry$f+hhTCX~`gBVn=V%)#Sf zvf`p+X@!AqpzXw3lC!XO=V77+2hn!QEwQeo&;_)u0xI2a?gYBSnzVRRXwRMSQ&8QF zW#;kIS+$2x{8_KgK2fOnU3dH${B_J|t684>#kpa_S$Vu1=YI!i1D8E08?MKL8}xYa zJ47#5hTh%H?}9rB#b7Cfk;|@~h0lseA)TV_zoDpjNNB)e_G{A&rYmV9nrVYc6tdf9 zHC=TzuHn?>Vqszy5CcbMZu}bCxEBi1vns)Mawa**hrFcKpDnQvA}o9%7IKW_%@%bj zc__PbFmY;+x_=;MX^|R-x*gxeyL-upk*1$fKo*mZ^gJGVo*M+0>J1;KBdt4Ng6zn^ zM2R`E%~ZjpQ?3>i*CqMYN+LOHnNeS29*x%GA*Rx}C>+b9b?NL+^-xA8ucw#;^;huV1NHs1Q+}^(mGK(seE{3l9yFL z1l>l~ZI}(iDu$L_*_eV)&ur;KFBu8$?1l4G$EXcvW6&}?0MUm=g1dhqzxAR4L3FY! z+ckL;7ta2So+~k$OGZW?xZOS{0-rtR`4CM^3}^krS!5g1BY) zSD0zCtKZ&`shP3fsE2Dkb}SMzuZ)Ur1A&p+(ME0+^U<%0p^e!hLOJtbm^O>NI^%^l zdr!C}`Eet=4^;*+?4#XqwZaQ;*m%6I0JW1|27j6k`=x^Zg=hN8Aj?jS8Og(e-hb+g z{S2{?LtE7xXLKyeY`-qU(Z_or69c=>jjc}1ty=l^C?gD5+=n|Jd}xS-#S@)1_cDgN zD>VZ!G*|HSLd<5`$Z&ok^He!oxN7upFxq5HaCV^$Rc#VDYpN@msA{PN;BKLsQ*~UBm$9q~pQD4An8CyGQ^@4@82iZS{Ni z!ot^`i3`?@eVW|uvD_8K#De=?fjXvfDPmD&kTQUr4tg58y@w&IKU54GdlBtJ80}nt zjq-xg7w*l%!*B8iI{cwb((+ueCM9O%25ptb#fI$O{kVzWu*}^-C zMI0d85CI3nFna9gW%-7jxvIZwTz~LDYZLldFft9X!7d?WLl1!P7uQKpc83)Q+c3Lk zFMJaveVlre4l!wV)>WqZfX@5s6oebqL_UVlO1^r3^EcCrFN6%X**=U@E(tfaga_rb zEi^pu0v;*G*h3eLk#T%h776^}A^g$twJto}rwk9JlmM0;7u;3qz$qA`$$uqC>xWdR z{>Eb*Z5PJXzc@{$y!0idnyx;?lsNOdFz8`O6Wv+LyBD%(O_|2Y5W%)Y10w0n~55~~pwi|K_^K4)b ze4eg;ALpThJCTBK6uU*ZFi$BC2{5_FY5Dh`&v8H71$E;22+2I|SNI$9t^#1+kwq&VBoEn)?t{zt$!z2^-FeFreF^mg$+|t zzdUXOY`dhv9yXV`i8{*zm_jNc->)qV~dS{(>?m#~rwZ4RJ7k z;YRrLSw6;5vOU*LamfX>lDSNmA0XG{+qkR_B|IzVs#rE*dph78Y^z^qf0!%oK^=r# ziR#zHhriMV9DgDt(Q7{yK@*0DHY+qS@u?~E=zJPrVH~FSDxp6g`n?YiXC)TcQn?K2 z_owh6q?)Dp>-6kQL4$-or}&G>0cYL#P3Xa?y*~K0GCEPA;RqRH6_(CGIn&N?zzd;OC91yhxziU(bmlqJojX{ z33Y|RL%6d2K1{c;`bfJ99|lLw_H~>-W=wqT0xFOcccbF8Gx9;CC;G~EzLcDoG1_cT zUVn2m%CKd>SK%HY@sgb3bS-u{4eFp(Xb%m%B)>d;3t=i=+Ar_v??6XE6@C-RyBBR! zrusHfC%r4};)CwuhxnQ5+(h}@DP66<7U|B?2RTzU&!+s86(#wzoxj3w*|w$rs$$4v z?r60SMot5*3)Cna<1=>zjZMabQ(3hI-G7)M4wzHdEL{b)k+N!*4pXLPF;QpZ5Ht%O z;$&(Q6E%$^Idgk0qExzsExZ_!kTO+X=fA6satCQrbt$>0jJnA8?Qc{_uJ(hK(mvW} z&0PXbOq7NPNZYgaKjHNdfMXebL*LvZARyhy3A}YAmEj5vgyHeJ1BlRV?#b)LR(~nB z{5y>dAy> zccdg9>X{}=FtiJwjJeE zBrxs+#r5=8sobSK))6<-n~P4!l%sKoq|H7ATAyZBKSI)$)rI5|FK)7(5cs2U5PvrK zy2L>eG(66vl5WpO!j{zuKY!gyfWx7HVICI{bte3+BD-*1*+ddH+hdL=CY+5+qrfgq z*E)%Whuz0~HX_XuyHMG^(-JDX{IH>cp|f#m71@RB7nO(xrX*~h)F&m%&&H%yTo;~S zF@c1E`U8uv&PJhLUKb)&)xt6`2?^s&{A?^51$JRF9?c~@(o9bPgtVUJ)4r$9%(z+j2wgqNXp&30LRTg%Uee75&ws|;hiSMQTu^u_-h)7f zHGrPhC1j=ZJwH)aziL2Ff4<7CZpZoFOurqw+IyGDUsnDqK)ecOC^EVE;& zZhgLuO7g^bc49#b!8p_9XUcPJ@-V66*-$jqN!|Bzux%IGNf49KY$}Z$@HjoHZfz2t z>(;rYb)oqH@qd?sTatt?k^1E5j>#DqGz#p(bVEsWSBS@hmNkWmb|HDbTB4`mE{wF) z>e3_?)f(r!K|^;&bW5}$yy54=O~nm>$EQoqfO>PUK_+lY9^*wlK3|I4xcKra46A}i z30|wDzWm_u`d8ss6+FuCP9+uaGv`>Hfsrk$3x_!{OMiyi{y5tQ)Smm*D0zsJ{UQ0V z8vDf=Nfm=M`rFyMK}cTS^UX0XAMz;t(zg>rgV(vp@jK>P>uekXIyZTOub0_Ibww%O z=@cGBmT+8K@suUoSK$;m#gEck-rK~}m@f0E%wHak+g((?GV8#FB2i#@2N~aCMwS`_ zn{+$q>VJ$vn!1b*9(`MIdx7HK*DOsQ#s@Cu!W}e;U(d?0QDi^2Pngh$RhGxQI1N=x^Sn2&tK5Em zpMQ1gYrk7}$YDQGsvhk_mc*NvvoLHG+E4G+CcVX^5^j0)2z`aTZ(aJ_wA}Lg8QoE; zyP=ipU1U^K5*npveH2@T4$x9bp~dU-5a!u2-R9XteBRDZN3jF^An_d}_F-5g*>h2b z`8mJz%`*GBtyIbtq?8jY^Dr&oRHY)@e1D0`4hP03V%J%4KgD~Ke1*w-TpPFZkFPaz z7*S#&q59e~r|6LdWll;s{OTc0!gQlv!ZXz4UFEe=!HHY%Oe%iu-C=zBI-CLtwI!dS zWMbdprL(PVJ|V-t*?b2Xd-C4N1B)cTI9}e0lisFwX>CNXB=d{oV2(9bdOSdjIe*;i z)`lX_SQ<8&PJgLwgn#I?S2pd~QZNp^bdu?ZDAYym`pBFXLZsqJJwqhM>;2aqe8J_+GGZ=-e-q`khKW^7&?QUFrZh zH1;i!4_bIcYAkiYy~^$*4=sQyUPFmm(SxLE`Bfq1*Xc_Cq_j+ly^wmH>W`7=Kg;SI zgldOdjgcEZ;7USt;E=0xv#y_dC6Qp{E<{Jp_B4xUVs48Z3ELfvF#>w_; zlozAz2)`$xX1@s&;(z`{aic&t@iy-`^lvsbEBlRtuT(_O8GucQ=c*8fY6DSKpf1Zi zOAbkxo}?bA*>3}dxLb%D1$x@*s=uZZR8rftfF1715xy?`7a#L{<#s_d-j1T0z|-Q+ zCSleE#;igkXyi;G;FQ#ZU!~wSW-vZZ@uQxcwx!%zR0Ga?NPqKDr{T7ttuw(>Jm!`0 zCR7u_$9J~6uDirO0;1Xv&+a9ICw^So1+@v}x}xDeD&SXSAC*tpc6_*-kVB3&Wm)Ty zU^azDX$>sksN@sIj*L%tK}TQVG4C;&k3wKd9i)P;#bd^^gq|~nJal>~hXLRoXsOzS zfHUC^ssj5NP=D3jL%O`<7Cze z`=D&zqRqL4)k(t5COf9(zn@ET6Zy6tQU*vriFJ}oGJpJ!KkvyQ{0Sc5qAbq)u^rU2 z0^_M$S@?XoU45RyG>wul-@VEM=9JD|C6St+mt`NY_W>pcu8fvQL3K0 z9b9GN;(ue;PksnHs~*D0t6dy3G#qzgth$hX#5Cl`!EIdea}ZPVHKrFLx5czE8z27? zwAx?8`SAzsg8Lb1pAEhop%QonhRtFJ_(6^1%T6y^KR3H(u>t^j zm+|8d<|Y+1%Vv<&jiP@>FC)hsNJs;bLzHh+1MWG?x5aCU5HzuPh_bvz8&}H4pJ0O} z(tpoqe7t{VJl;S1Jl;*iOZD!Tak?uGVIJrFc1vGLUNzs1-Fvhf;gyM^+FH&SB^goi_vZchnOm(TjX%^;aAs=s6yU7wMww>nbQD~gZBO#rpxs7Uzp1cMK!;Fu?#{JRt$$Tm z1I(?87p+e_#D`O@c1F`peDQ&SDbK#Wn3|fu$`!M%eQNlw0-L}giD|qr*Sgls9>St1 zpYrUudn%K!#Tf}TOCDl&tJ2<6+WVV-jep4gI!5`6s3RbKFB>H^%Ksf=`HlL&j`8Mf z?S}5cS_I+^v>z@-?FTS@rgnW-QGXpAr0x0~ofYikQgRo(tIc+44LEn`_CO_I--0~a zXJvHSJp-*Wny4{euzvuLKwvnz^Tu15Z$VX2W3KDkDCzf8R+P;B<&%L29VPa2q2Ir% z)ST_*J@gKFoaHBK47Qlr!p2D5>V)Hb=-qb9ZV5G;vepHAZr=K7U4GdCc)l z?-K%cOX)`afl|Ps;cVzRofi})Fr*o!>nQ?aujQ^d5ZS>oJn+EOXDugp0Q68VW7kYwiTwNq4oP(%5hrgPxrKYXzFD& zv1256=M0(Js2J^ajy2YXnSa)hYpt`%;k#vaQn*qHw1Yb)4gP{1&44n}qJ&6d2ez6w`eG?VEH zQ;T>O+1Dt~fzXXq=2QOF(rx%@Le$hM^Zhlb@50CVw1Om~NC}xjES0 z{E5ClwIUkD-)|0fo?#qo-D&+PS}e^XnsDoW@W&CWH)q?}hs%L&vxu;F71ksGX&QTe zM_C-V2mKLd6Hr;!=DRO&>P$qMGqJRo`7@y1uRPpiz42o`;q>V$&4?DF~neD(mH2f zGz#rNr=8!!F$I@4p+7Ii`3onb*Eob>l;zkt3|z9yZJr(AV?4GN_SDRS8W5oj%WIYS zv(7BhWb`Blmo^w*=Mj8XJek*ya_As8e2haMe!Pe3bD>W{JAXHypjrF~KfGBgy*`PJ z$JhLpKBCIj{*a~WQ7NPxZIK;t-s|5Y?BLrlrhzKPK*EXG1Z@xl{J=A!PCYjC(8<_Y zd_3MJIThnJh#|(#O6ZYxOBZ8!r}mL*(r?aHwe*!dz!B=uPneWn;Uo{Q@CrJGc0js$ z5WR+GVM=B6oPY0MSLt1xbh3&Y@Ae$iG~C0c!q<8XM*ws{{)2K%c_>Zu-AZ~cvYq92 zanuP7NjWw1+?<!q_2nAQT_|ce?jRl zOn!aMp-OfFvJ+6gz}V5(3l`=(yzV88JB_Q&!RVFrxqpc9K&X-LU?VGz<~$c`m6yYi zHmuv+n8Gc%AK&G3@evQ48v5vUbGA>Q?j7noi>#`J?jmkb2j0Byrl&oBL0jKITy4u9}o)V98tyhL%hgjOqu`0r?VB--XYAY!5d&eB?IP7)#pb zE>UYl%C4^+UL(bBe%H7hVspu50oJ^kIK_2wIK<|Du+Wd6McO65uxaMvuOCh7LK!)m zw2gZ66b`$WItg?twHN;tL`z95vveEnL*sw>n17GX;h&CL(2Zr7@bYtdjhU|8Oi~#} z&r3NS>)L@SJtT+EN^vtuD+J%lV5lY#RRi{Sb%G`xTpP(gL{o_bedP}jTvn%c()qcO z;7c?{d>MUHUq&7D+A0J!FdmXD--7`iB-6)uC-!TgOje|)_#q99uVjz*iTQo@uVbU& z0e^aeuVvk6Ro$_c*`AbO7nV`ZRb4#34p$@t>&&Nf>(M#}N+itqnNY4d;Z_4z3dri& z^BCB5;DVFvJaF^9W~YkPm*RJ!^cWxd*3Wi0ShOwTbkI?Y&V!3@a6*VdLFYlw`n7V} zIIgoDjzw)(DxL%UNm0#UaoEEVRx5C}gnvw=&{tv`+pi|&J4`vcKg6Z=0!xs-o%n9J zrF6ijSni$BKlN7l@pr?)u765)-#aWi3vT11@oD4Al>cg=up&A>x56!@jRD^YA>>oP z%7gE*>?KB1jH8q1K-@SMxruq~?BgctbBH{oF<0U;+!cpt6FslW40dh}{|PM7^*MG%HMSPYL+= zVT)B>)SuP!R90if_i?<(EcJIsP>GEc>%_mZ08YGz7EU}%mhwrxB~Mv$uIIT`UI(Uo zlScAXp9}v0>=CqfTYkeM0JHO9bKnti39Ff7^EBK7baXpv=o|+DoUTXy5PxpWH16;R z7E&U9$iX3?(wVv0>SJok8~K2mWQQo<$3<}>XpZ$pxwke(0C71o`ZgVA;0&d;p)QAp z$}HT`mFwOxYwOZ2yy4a77FHgooA?kWCqZV7H^G?*KE7pmET3RK2#io}Pl`6E7uAP- zdFdt-FgexZYVmhHt+sT|!+#2YPXQ6_Hp;qtcX`DEq@I9nTqfCW7pFVMNb?ksL04HF zz|}LL(%n$Hu>oe&xL)hl_3|xX|zpTNV4X!_fKnlYk)?^==yJ(q%MRV;kSPCk8 z0b~s*Yk*l{4P7t1ab}-Y;1z~}GoE667LaVIBEH7iv8W805UD_QOQ24}Hd`8#uhOLl z(+HDW9l{j^meaaBn}5t0-}sSzm=)_{_#vG6#60enrbf9OaJ8~`pJ>@pxnH5`iIvJN%-EZjG9;ohOo8anh zOW6;Y9g#XckE*C92s;ucz`HzG6nE;*nhvI;XdAQe1xBhdIP~YZ^{5$i>`-UjQ5k?!9pzX=KJyre4WBass2J~ z{~5h_uyjsO99?yPBCah6ql}#s9f#NA_w(L|#TV$NgEL*m-lG#y??N%k{u5>*Kfq%f zlm-NNy_cE)7EgG6>mTJ;eZYI6jPkFy874jOul=YCAAjcIV?E&bYORxc`J;Tvd$~uOgyS}GZi-FEi5;{?-6jrDdCdlv!60a28LDn0Ys;&p zb%*Y3U4wdgElN6?-7Vm`(w_@^%dx%#eB85s7wYQSgI0$Meh4>Tvd71>vI+V?46v-8 zK4|%<;D2{2&*#TSA$vHIgKFe6Gj<9dWC`i$6Ch>wYB!U82PfP%$$1bbqS$#lL_bm9 z@euuVIp;&1h-ve*h<=iz$3;~9;Kv!bU@G&oQ>JHHtz&gvM+J;iaKENZ03-9 zBG<4i^Z4O>bxI%U3WtdOrOD=rA%xih&*IQ~6-U<`?RD^v+EV+v!W+xYPt%&F&xMVGf z7$UiR%){N-=_{vY8(0Vu+RG0**Es(&4>u#HcFpr{nu3}D?kRj6>DQ-iaiW$4ntyJV z_b(O5Ko#fZF-*=j@!BY_1)8GS6RX-B3~!$eI~LXh90tzEQ9noV?x~EnXH&gdU=z@v zI-ae2!=TxLLBVI|6V!_zVQ2PZP;f8T5;lq%S1{2w-0tIa%DR$ zYpj=zNXLEk$%1NbwCaevwHa4N`+66(c+bM)INzYh-_uyB%^UNZQQZC^(F z0=|$t%c()yma1*DodC1WAp%@4rHSF1Vug@t z4efb=*UIXFPm6T9BvfxT-G4-BaV!K3s!Spht+JY6KC1**m_P!*jFJevBEAS2*nDCV z%@VtK+?zC9D%Cr9`WLrVRujzX%gdjXfD0dgusudq1o%#BE&7h4nrLA7BI0?7sxcTD zbFr|Y8Mnr(TnybAZmHoN8g6NV#J1`=kYa`d$$v#q9sA9q|NAav zzkrpQWf9>x-D4aj!=qbsfDY=V^;1}`DB%Z8I8Nw$d{A$&KzYg_qERcO3E+P)azuY~ z%pRRexz?Le)`hA+!5b{OUw90UNr?$`yony-Wh`HGTgGoOSzh;)%}~M=LdRML+C*SX zkV}Vt_~)6o@#rkFjf}T&u$>PoR~w+-?EK}#d^!qjqx$v! z{?^`}_mGIoMXy;o+wJKtvzw7#A0xj(#-YiXS+xr7qeTg2ynl@O$0XdHnohl}HWtI+ z1H_BLFOMm>5zO-Vdyl)q6EO*D1&`2L{^2C%a4a|Htr*(nwK3gac~lE!Qk?C@sh8D3 z;ASOzO=lb;}>3xuSG;ofA!zF@MXow?14ayQRaQUwT(j5Hpnt z$4Q)%qS=g8Uh3er3#=i!)(L*41l`LiYB|UhqEVeeZTPe-x{Iu#BK%j7M0G(m8$J`f z-^cXaY#PP(F~XMRPXrro2A*x+>!n(3QvIF*zFt zr^r4UD}S40gh`quS-OKSx2`}=UR8CLSi|&Nc7rKwoi$!rmC4s)&`m}SzDm6|srkTb zWzjfrE?k6q6{CBf#+SNz+u6(SYyg@d@3n^0*q<5yz8{Mhd>^xr5^R` z-Q+M2!oV%23++;mE_Uy8=tQo5MCrgGTr(kei+|}vu714N3HZqMOwx&gn^O94>&YrH z>{CB2jgm&-%bpo+*qkqW9vZf^5h~_5TQQw7%y-e5?ujmIgvvdp;uFy;g16Z|jMEbn zsh8D9M6W}>##B8-%*xhmJJ7V`ugXEdW+5xsbPIt+hQlzbnS;5(IF{W4t2u~aU@*FD z7JugAOx-9x$iYU}Ht!Y=6UJuMFV4{mu`c)O!!+0}p9OPZiW$Vd{6wk7Ind;uHm;|8 z=cmwFN|V7#C(vbWI zEC;YxUEzy-w8|g~@=5~@KIh@#(6bT9MX%GbvDb{dr6RsRDWZ)p`c_6M93)rh34t{n zJQd{y?kh3-OYB@hC+y0`Mcu{)$IEIUb*> ze>#g=dY4oUs6$5Z5z(eS)uG(@pmYOck@`SCopm_f%d{paL|*fT_L;v0xq=$X3EGkW zz1|(_{g%NO0QDK5BLG*^9yPFl(|@cZN3r&c1{SEV(T8Z94K3^fw*?cPF=Grjg}otR z`tXc1!L4fZh*ECelqNlJ#(CUtrYZuf^4HaZ{^rhrX$sYigH|dA7H5txUGEnSj0VLsbTQ)?ULxo^uzufm1Z{$$ZlF}=q2H8@NiR30xKp2Gr7z+YbtATKug!ImF?$cnq=YcR%P|Ed1+ct2zr^o&%W!kmq@ zhQV*xPV64kWx~cJu;wmW=0J*e8BATQU3-LAU`)8@dRdr!hUToV8yz;NmN_nR8SZv@ zvwzh zZ!i85befwYhc*~!g8>@kNz+ShPMM11gGuyerD|goQCuA#v|@!sGT513m?IhrzsCu) zqGuBLvG!F4bDPr}it#7MLWkoV3c=$-b0J~zk}4hJBtj#230M0t4S#oR4bawwV+-54 z_HwPQvBf}p0UE$D8Wf}l+bE|?xP+0LPn2(FahBy1jGrE|o_WxyDLiu{@qCT7gs@G|81tzY@ z#5-+b9{D8i<}0Yy_kVhhi^YCH(cK8_kHs-n9s3-YPecAR+u|5A7jEoY+YstvY|(gX z2c%&Z?@jEVDod}!O}P>W)hFvch2nJ;vC!no+(voN@fK}c)xlHB81DYm-_YSRX4~4> z^!Ty2R%N18M^LF`-DpNA;Qmzoy&pKCmLr4>*+#`Cj}Lv@eSgoUMHe8B99D;Gn@_CB zTN1-VhZ9M#?B5&rNV_F< zk!j_zs|l%>g7(ez9s4wHq?bVnJcFm<8Pqi6I6>F3! zgI#&4M^miX8|KCLvVy??{Q-VlL+Xi~^+Bj_iGSci5^13iN}Z?+dm`iX zdVh4zVhrlQo5JAnSINFb+qWh~;Ghz#qP}4&^K1gqlltZqa$(6OqL)alk(t%hrg6u5Ca368F4G-WB4ZJRIj(Kic z0w&xE=E??kFS_jF>Y=XkggQb2fiV;~hG;&e4O~k8Qioqv!P6B5uQ~cyj55!Xgu7bp zZOGb-UMj;c+R&9X#F*)sB=FKnhjlfqUN|Or{30HcUi{d%AQ{2_+yVBN9tTgU9{Ev`5 zs4z>SbujD1-`0cBK*ghC)~)+I82T8NbrJ7Uy?-=b1?x~9 zC>Ez-)Tq=f%U3RKC(w2-Xe5%iK^f)nG~1>Wgs(N5@1%OPYA}Ll7~)zl79F76lBM5bc3|~4%?oH zVCQU&xb1iO_pxk$s%Lv_H(>6L*m~}5x=yl;Hmz(^`02x0TS3~!qJJ0jZ5lvkBwvHW zA#k-#Z`4n*26TqR-mXbD0X|CTtaiP%HSQ&c&TQ9NH;}OzUFm?CrLmW9S0j7rE0(Bk;$dEf@ynR0-4-;XP8FA0)J&LJjv@F{5~(zi3F%4Vv)F}EaG>^ zwGn-T!_Oj05cWHvKYzCzUAS0;-cv>zue!E&g&(Huu z9>vz{=JiD3X*+9}gkL|X%)4omsvY)7IP4YpiG~)*J2P2i&zknI^P4Z-WVBTf{t7jr zy^v_YPXgNRh$WA~yUOyyj}&ji;_0ZhcPI7|6l_eSymo$c9j9jf^qKgveOet)T#o0=%?98}>tjveZEe=v`ru`KIudYHmw+uSFs?ch}bp z`^eMWVP8YWrE~3E&m+nVUDdNnCG4^e2{^UeIwMHEQ4hlQ98#|)x^sel= zrImGQN3@;Tt?hNm>fOxl_cz;Fl$XAJ9%xxD?_SD&ZSP)l6IQLgriRRAZN0R8SGX~p z*Z*Kjwt$PNS5ED{)XeOZO(qvDvnpl&vSfCOCR>a{#fh1WPf~^BB9QO6uuT2P^7uP$ z#?jv|5r1oIO}jqUrhT}pa9q{$9TRr}V^O+vbL!9NJnDFK6wV~iNbg`sA8GfXW{Xyu z6j52m>8^Ma$}}LcXwWj5mCoa-18G=48>S7 zGN4so6(F-YRiF-uL*%{Ab!&2Y>j6KfJQ$}Cq=|{C2#7JqBLYADCbUi|$oK?Sha4W0 zRvlt^SD~lUf>nJsr0}aejS=$hqq{fYWbK%|g=eE17Kacy9Qt5$-a$@3ZT3+af}c6& z8Gp{FSEUJvL*kRp!#SCmtAxE)okG>N4>!@<6DR1v=%JUr{>_^4lTd#L)f2hTw*ECv zWo8X_Caczf#bI)5vwX_7f@-Jk_bhzKa@i=rG%sh!yzb+SAdJFAk7k#Ub`n=z)xH(p zfeS~Vfv#YE^?)n9cr^(s1fyVoy}!Rj=6?dBaAaWdQk2nt-Q3;t5Iu!oV`1aGZ4h;6 z7vm+0G82%Q)(#+xRz{VEIo|2a^9r|ocsYbc@nh*1XwXw+T)smaGpqS{Op+Im-F2@o zsf&D)t{=dVbl09#+%VmS$#eKp&~h4ZeG;W*5~VxgUe`Az{2;5jZpvl4y~ILj&41Aq z6>@`x%zVQ-XvB|c1WlbVfBC`g(+HVKx2NM)e0==P*q-^W6lETT`{$=9J!GoQ`H)0E z*q!JgFiHIt+WS-4yVdrlDvl=%V<3fjuP=B7u?MlsWPqcUR~Sf&`>i?XwoMPgk0EId ztBfW+n^MVkn*$Dor!*T1jva;LwSU$Ep4DZ|`DmhY<3N5&6QCLl3;Lx_?a5qS;BW8O z?^G&u0%KA7WpjY}oz(ADs+lUYFG^caM**i&rUi;c z?&9=q2vS4DWPuvwx0pvD1#CiljH6@=N%HFC2n?%&WP@UzRwr(`!>x8`GpKA*8@+*4 z%=H6=y{|0HARk0Dfcexp=YQ0(AF`M|xHxWzDz3NsZ0mKD7=_1tY~uo*Sx6mmoK@UG z)M5?vicpjo&nmgDtO+HCUq3n9P<@|L*UlUwqCID8E$2~ea`AfR$VeW2g$0;%>^|5zAYac;6<0#P7RYN$Io?F!O6t*S0n`63vUIJgg0$FVTYnlAfp7?}Lgkt^ z%z~UwA>NXL*`P9HzA_E8Qo`_c`G*R=x1pyHQL&EG(r0bXt1BARpih@~c?(8S;4;kD}{E)i$(wN~M=x_eNtnJzE$1(kqX3r@)j`lbT=*+Trpp_E-gG``vYw6)V zd=Zz}&ilc%3^eHJl7B9-VJcM?PU9=4H@DEt9E}1rBx_Jv3KLpT4H>crm=b+EGH5&! z89rkcp$yN_gZW^npK|^x6OL3GTi*OtW>e(@5DsXl!vBmO1dPAy!P)Q9f#>gfK=!-u zc>|`J_W;RLZO8_*#mMb{I#MlXnz5Oq$=t z8x^g>Cm>}MD#X&1+1f1M_Z;(T8*^AyA^h2m#y1~XMkzPspw8q`uy2@AAcqvuN+R++S zc0JWm251|)uHG#$E}38P8n>nM6^Re)GTiO-xk2$kUx?JGY=9PyMIR+pt4U{v)D<8e zfseQMbTL^0`t{~?pkGoo=oeoT>U!5-I2?q^Oo&LBrhhq*r&WZHNHo|`uTmN~B@}Ti zEHiuM=9J6-qxOp0@jh$gLVAAO7^?2Wa`PnL?E9LUI*=zQ`U$KEHw82F6gL@OQ^~`~dN7JxPZu~^XH z;|ekfpMNUX%DF*8~L!+iL_`! zV#z^vC*#la5s-vE?tc;-h@cNQC zSbtd9?=U@dW4y`RckONTXq$kTGT2PA9_^PnN!EIWA{c^eA8*;N9Z;iY*GCgDV3tlo zdKVa%%spE`!PHkML*G+-pKc7GvD1Eql94Fuh(kQ)dQNOi=qHuXoQ$q~m7 zA-5OxBaRY6sUyH{j-d}3uSGSpks4hkQ<0M|hsmJo{28*-FA+t`0xa>D7f-SQDK&s` zq@Q7I>SuqB9?ig0Fdb?AHTg;#el6Da2)W|*sXJKM{Hr{(h_Kvb*%#Gb1lOW(Nq>;Q z#pNN+@(S~#%T$3->3SRORp%A8O6j*u7GnXGvF5zgNdwA_0vRwY=%3ST{5_HRW?Q@| z@_s7wtD}rFxd+;!~iyD7>t@ly+lsS9iMH2NHp4f}TJb^ab*lFIv z>qGhz8mV^g&m$$q>8MG55ne&oLF_(a+(O(Zit=}pP<5%+e;qSg2Vna-81iu3e2Gf0 zGku!ILEct@K0D1So5juZp zvY1QwC0%~pz9YluyAiYv^FQjY1T{*hx<#~s^Yr&iwd!BY>2E)FH5GJHneF~uE9>U0 zyE9a1(YHga`dndA#Jd!Ro4x$Yznz=Y&u6wf^qz{iv_;7M)X#UDmU(n6q9iQJD(*k+ z)&*T0Pk%d?cTnt&Dz=I{;Vn+H|CoQ5u#?JcH|)3Uw6C7GQ-W8#0W8M_<4XHEGZ>fD z9MATn$Z7HVOKA?5lgVgjuKXtDYSVEOC*o>TaO1OYHS``+Zr$v?W~@%H!st|1w;J+k zt^6Ux0WbI~(?DfF`e49|xXOr}q2w`mckeE*{7CuT;5o^S-%E$2#~nnEtw?_tf60hq z7NkmMyvSl!q)Q0Kp^}?ff0E1NfldGjH*lgylI?t4eVv4T&Ct}~W9a9AOy$Fa zOu~LAYZ};nC~&b>KIQRa+1w0_Zo|FyJ-6*4>2@hz8laix?&msK8BuhCF5m0iZOq#l z#4Cu#@&VCJ)6eZgw=MBf`d5%@aCLn*E!o=oZW|Qp>6+ygWNP7+(Y?n|A2%&L`Mkc~ zZ$QS;k2p_G`FGs(XV-t=rWXe)Ob7;ubgbI~4I9>d^fM*`G=Uz8YXJGgOvn2Q0{99& zhs7SU!(WjckO4$M13uItBc#KU$Kd^`{<28H-oq%3a?HMt)8c@iMRPK`4d8M$_Acu7 z(6d^-1fd4Tuy(0s%$NhzE1)uxzp9XrCP1dxYt!iFdVTP!BY=^Pt z>=Mi^?Zqx0f}--(-niEc)%m1c+6t+XI~%CHN|ZW&&eIuMBm7%1GWq$gK{TRWYxw z%&W^c+Nt4cDer&cu!WU$cwS%7zOD~jNOniaS}c>I{#8~1{wO#6olm%bpnFMiB@ww2}Ky-6F zlO#(#dMr|@@e*26@nbys%{q}(K_6N#375CV8eXo9wMo(*lQKRek+Y%rn2Wr%o_@mAlZN$=1J z-krDhp>se9b&-GOqRmqV+2OBL0>}g0(S|2=$O}oadaUF8H*!Yz9a(-u=iA@K zOpTEXN~bOQa{fk6^}Zu<1BuJw{WtUk{#~TP4u*o_jecCJUHucP&YH=K%AtWa?x~Ho zs$YMG%AWzVHtpl-TdmgZ;q+}mZ=UTvV4&ZyL|sC%P8EyoQp}?xnb!4;>07wKy(Pd7 z2hL)93}tkh#?$D{4De5LtBXd>eDF`Rs*4uQjPOrW)U^`8{P0h+s{18;{6b5|;K$tR zqEU3RiN(yRE?UHOWKH1S68sZ>%%d)Tt!aP6>M1Kqyo}Ssv79EWHVcZH5@yj<8^edS z4%dhAugV0rJU)Vnc~mqLYZR20`OBMEvIDXYb2Af&ioORk^C;?!3H%sOW(%+nYiI0Y z#;5ZTmQO#Bk`1^%jBk~R*;UN5LzI^$U4lf8ZHJf?f= zrj!jG;5DmP*GZ+VTc1TIm8S+#!tECdkk9b-spK&^eqN16Cd&I1x)V;Ax9m(GL2v0a zX^gm~k8BjZ#c$#`dduF|I4_T30^NVfHzt&eOv312ln;8hGHEh6;==Cq^c-G6BX(=5 zw&^Pg=C*rO8RI5(3Le8FxYxm154I1}a7T4Kn%QR$aS}nQDv?ejm8z#GyXm6?g{O|V z`NLTwr_JFo{un7gt=@y#PiPj#0;|PzpD4{-_vAn4M$D=H`6XXIZM;3ry#0UM5OlGd z@zyMV-T1k(@xEPgs`95{5^lG-D%P*Af5SJdo8O$b?4vH>l1iBOQ`3FZ@Cy%~D31Sm zH>}NV&YOk(jul!z$BinYa&ye{C@pDG{wB)HZB&MF@}E>G4zZl`=B=Xgiprt=3|Fe0 zYbxiow-F8th|~Y1x6Ck_^Y(w-lg-oKisNCIhui2suG*{fn)9~&L6+yQ?);YHznOb5 zzG8nwYLCVH0~TpJd2~o#e&A=jMZ!-D+8hsN=6z~C#tPqrtRq8+1B|7kh(qGh;h*r)&xni5b$?X2 zPv)^7eY(q5S;#S3|GNr6)Y$)(io(&q-~C7of(iw0P>8R~;uE*BHv$I%0lc@mI0E(r z0rt1CJp$MPe=LfB$0YtYZkKM4(oH2}@PHC=HD;NdP&988fs+iif&LM?qEuf)<}N9g zC2uxW@FF*_KST|lXPa7F)I$6T`zW#z9pg7qfrFxRQnXiJ!p08+edp{=n5Xy5OWDJA6)Xfm*uYDdH5&Se^L|X_=T^5UK&+9jC=}5*SnjW ztPJdj{>7e2)HZUzPw40eR36g5wWHD5g2}ept+M^TET-n>SVoDom&ZUSGm^&fZ$#Gv z6JLbT*@L$8#&%@d4sy*G^w{zz3VNdA0)I~_E+S8(bE?%HLL3`@OKE-Mln361J-SV* z+px)ie@AmkWN-`j&e6|8I$*rt=P3CKh7H_4p0C>UM!4&W6a)<5`aC8s$8H&TJipmU zj_{ti9JOVD;lq*p1|HRgjEw^f502SA5bnTzH0U1JouREWj&mnB%2=+3NPiE1B~P~q z@5j*)tMGy4=b~IEH4ZjsD~uH_T;+3`l9`Llf8Z<-<+@49MnVXqJ_{5VpYv?RG{9VS z#a{WVO)(du1+PBSMw#o%tSfV^YpOR2bt&`B0;mVEmzv(JA}+CL!4>8fQ`&<<)mpsqTCGhswW1|y-vFTAgA zfAhX@9hGxZgoU4!GyQ{lBCRJPX$pTnM2%(HIsWFGS?8M+D=qptu0Tp*tiGhmkq(vOScSD1 z@vQieeEA@LG76t~6s!6+UfgDjPe<8Zf3~UPD&Ks<4__wt-G~f$A8$iC=%Ue0Y+oogA04{=puD!(Tu|u&m;;mlxC5e#V4Vrl2o&_Vyv-pT3oL(f0?m3 z)6x>R!F9c*0E}2d;_9KQvvn+o;vkuZA~U)H>6px`J0SZU^Uv+t)jMLr<$8*S9)$$G zC#1+srt!!D143PauM6JzS)^mIM@|LQsIKz$Rw!?4rNr^h?J1?N9ez8){Yct6F0@k& zu<;5L!@Y(f4r3LnR2^Y2FJl@(f5RmTa6_f@2K~r`ZGgEI0Q_l34stI-MM?$5F>EeL zBd%Pq*fQEN81qntYGsTWTD3zRT4syd(5sRr_`0K2eG^QeDgITu49|8*k1+dECUHHP zCFSZNmfKa=yBb?@N8M|^`B$Z|{Atxa?_M_>eKlN&R}n<*PyWBdCe{ zL8kaUELG@!9W*I2oEsOlPlc6_N`PyfFQA(3LCjkaxT&m#8RB5+%0_vlbVZ;Gw~jgZ zk8sC@OgIO$xzku<~OBAcSDbA&s(Q9f@eH_EckGRD`9{)j}R z{-zjr$&c^?mE+%4jzjwwf2EHDmzF3` zKe2NAU-6V&hVAWP{Z{4|0^}DHg#FC&%|FE#J4@q*_@IkUZ=S4RXkn9;`2ry2Pu63w z>6%Lg@C=mN5Z5c6k)bn^ia<{B3$^Pf`Z>};MY5}JPe2d-8t)#Ge+TbKos*qIdO%Ea z3$*Ch*YImkj!~;Gn=DV+RZ*YqDCemam`xVHJBu=3<{QyZ$+zN_uQS@kC|liBH{h5s zCeU?2>K6{8Np{Z9mvmf4R8ae>J><%=wR-n|-;ZE@4ARy2#VAdV0=ju?uz4M-n~(=DU0&fBK&r9KNE#m7`>}D(>S| z4&^q+C6qXVkI9ruiM-0Jr+;qI58kvS$6@2B3aS}=LY)!mq}8A}Z82oZ7`MEJ6%O>)D=e4Ex3l+ zqKO);uGBmgUa06;qVZHReXDiO8=c{^C_+nwT4*u~wWtZGL1qlgVA=_*R27ly3gj8C z!bnlq$tu|_^39Tlv2#(hsSglWd78y)k1Z7Y4g7zdf78kg%mZ0e4$Oe}eeN81rWko}(s^y~e_5$canKQ&Etl1#f0j~Q>C!@(=si@XV%}k~G%1g<`8_0X z4s0IMxK5Upo$gRjL$d*g|HO?V$1uZ7@iMW8@qrIY(p<}e>slI_LP=xML6hm#h6c^B> ze;enec7JAi@37Mm++&}w)4dDp%ysOX*h{N+*HwlU8T}gTERx0nAJRC{MWh8kbHppi zmMi?V7l$0JuIUFiLjTwDP}Czj!evMAujvOXY(56|6#8VlBF;D4U5$$<^0L^hVa(w! zDf8rdB`0h+4JoB`-cmZZDFtWZZLTkse{R)^BHfXpJ5su3f3?%F3bdHfxEj!?LRi5x z!*(m47OpW-tB)|#NJpxeT_UsmsW7KGQAO-Rp#jE0cE4`4sC7~AAk##5rlO&iZ%}Q% zed3O^a1FBcO(XyAV$aUo7G?d{abLrBtOGBEhP}8DXCJC!S1z)rUjQv+!yJeTf38r$ zo{As^LQ*@4pSlBWY{NWA8q{v-L%Hw>R!vsf624)7Eq6vH^U1C~f`y$|q-~;`Wh4Vw zaPY)SX^&};ofOCh7gp?}bW$Ke@noL5*SbW5tfVN1zX;*I`0TIoIhpVw+2<#OX#52l zFkPY}Jhrc93sI>bw%K38XARL2e?I#tg!kdIx=c0|JiWh2ziohTkj)>Jj>&zts#?i_ zxK*;5;yIxRhh3`Gemo`=$pE;T7~7gRo9ZgrO!Y~%yM{IKPtYkXW^8+|NNTEEc4huF zi;78%ZOw0G9#&LPJjP3k<)W5J#B#ZXb-4)JQ*HJ0zIwSrtqU6JL2A@1e;i}cNF+5{ zmy*mzd!)CVWR$mW#W$m@76}Z>C#&sk(xi;_uvRdaDw~w4PSuJcsk%v-jWYIUm9lT= z9hKQK`|{UvVMLs#Ir8Wdl#Fs`zJ+p~Z^wEq-{Q#ncB+f=EeHr6Y|ihtqYNGs1aHXr zDIxKO9N`O)$FYkQE^kOtf4SS#`8tblN_j*f%#c!=N*e30u42{ zp+C|Kmz4HaCON&Unz`aTvY~xVa!xHfN>|tV6&AmJ&Qy*0zNWd5)|C}#Wx7r^;~R}~ z(lCpJ7F|aHw{VNztgcy(frA~&tSVM_S&8#jnVP`L#4UA)HxH;>e`M;Mqbl4R13%&x zUZA7kGz%q*Ggg_Jy0UO(+X|CbnP}u+$~%l1K&!$o!H@kp57l9# z%+8f<>pA?`gY%Y9Ri+!gBUY`Zs|K*_jWbnNgbpy?x6*`mE>glUE|XaToF*mQZd1r1e~yzfF4wi$a?Lf|cS%_| z4lMIKumpB-83A6)hizS~n@_t+kl96U(dfJ_nDJPxAakWtw_`La*PWymcd!{TZ>1L9 znDKBAcg8s;e7L@#?EjuUd_aYx-TgVKwQ})$pH3F)w0{9+l52$m?bTtPLFWD=sYkf+ z^DbYQtyp*Tm()DG;d6)e<7YXwPEpXsSolfN=77!E%zZ} zUX!TGq}l8%Oyzn<5H4zCBBtB<{{2_ zBUF-Wf2pWls7$XZ&*M4#NM79}>wNX_SAPhR&6@o`m?L@h7Gd`Bux|1%5EkZuF9ssS zLpcJ&Sa=_o-<}ZfyajECdsDn*5Au>cu?I5w)$u;0;J2oPCiyB~=e1~tRf{s;QdG+? zTiFm)X})J+S2PDj*wO=qOh<#N2vtRfst8obe>K{Q6W@?GI?e5l>tu1HNB?(QYPCRM zGFYI30|_!M-$IJa>UEA#JJ<6cU9~ur&`DEM5Nw|bgl6_bX@mJR(1v3QR^man|0dJk zZDEbr2g>U9C(KC3*=Ct$RS8+SuAf9PL9LiCN!*WjS{8f8kzu zClfDa8q2?R`EYbwRP|8-Z9MUfP0EKD60m$jBBf!{7Gm}-81YF_?;K?2J-rykx(CMg zsZbn&NCY|}(t!#1jt>$JF#1=Kc#dg5L(+xP5#&ku6`RY3AQci-8n=wL9obT=J=sbP z?0qyk9BPeREe-Wu^rf>U> zV_G-CQPt6Ehn0i)GtEiWT&TbZRl8)WYpO^n!FW`=gzpw@%ljRtZiD@u@&L|dnQU+K zI*TE#!akBpq7=@7qm90KM;~@(I}l6{L2h}}sL~LT2JGJUNwN+6NhV!kiuagNLs_xS zHgTP;vNgWgct+yp6R-3be@<$v!LMjrakz^>L8KMX(TJKE*BEd`Sn;_}DxCa-zX1+_ z>|i#EhZ_rGkPA`W#QqR}J;q?LqDbKc0ij8`WF$A~3#_(x*~E_#%Qqy2XA*^L#tSg4c+R}57 zqB6%H571iVV)rTnX)0cIHDj@TE&c`?if3vcAHxFBFW8dABQlTiQq4GOsc=uU)VHQp z)g3u3KHg1u1kv$vgb;Y?t( z0Nn*0?Ph(5i=N8H0q7zA;l6k$6Cc;ndVeOJqJp2Zzq<1yn@xLsAbKAwog9Pu10NE; zVX=x)BA1SSc~A*^cpusbt*WO3KKiLpjidC)1*a|}0$qajj*7uD^|ipIOhPIAZDu7W zI2hM@iA?Y}e{SBV(cZ+>Tq5%jL6&v@5PzGQ)qVJC4@L2io(e2vrk|#ks4}^auXi^$ zbWESPqKk0RzFyH-2eLqbPHIw;n=q84D!Wpe)mUIcmtk8`M3s+)rX=RTf?y+LrgQh|w`nGj` zgVVM0NPAl1RSV$}exdgw?9>{IJLrXQa^o0x-YEE8D>x?w`*+t-^-$H>x-5zsvQ{N z2xmns#$!AR38;DhZ@1A4cp62}N{C~L(IuH!6mgqtzNoTAnT>Y_iBI-Nn+%8kPb6`L z65~A3Y;0GX*1vYmZeheRq}f_8j}a}$IiyM}e|iF=n@@W!6kR$T6Ry&Vio}$*)6;k- z0$zqGZ$Y)qMduW1b6JfCOk56DkTGeEwaUQdcf(E@WXtl?#k;p}e}wPL?@D@7IT<1& zM0Ub^#X9kyIQF#M7@5o`x%B8GXnKR1M!J^*0Vk^(!s;{k;~lz+wv%FciX>mJY6$et zf7xO;s0tblO(W@RyQIU0V*oT>8j;aX5Fg4_vHYqnxrPPPZt<0VUo1zPyiH0`dfKtwe-#-OM^f@v8aYce3QBV|(k#5n0_fMmHW1+*bLeC@c zx;DFX8*dYg$cJ&zaI{?{%6NX1c9Xz*f1(GUJ9@fso=+sIz=M<;OLbfi2@MgcjYt7{ zXMm#5wBORL3^w=&roAP(Q9fE$#Wj3^_Twa>Ek<>Fc9WeY!%sg|#Sb7D;3zdnk83wn z@7U-lH@hykMX^G|y#7);arMevDxxT%_|uGt1zOquQi^HKiqvLwq-|tb#>#GWf3uVH zLdfIHaftWuKe+^Gy5I0Wkpmai?8jsHpIqS+<|}0yEa;i&rFubAGK)R+6y(5&Us%k&pfeMSNs4(wHqeKlg(L3_xQj0u_E$;db zbc=eYl$Kbk8R-=HK6N=cjeyrke=SV;l?0}{;V9YFg?zOc0~ue#D^Z7HsFRLf3wc=w z`Nl7JKFhwq3A=gy#QkQW8SJ|srH;M&Z&zi_sQwdo;t&}2$*ruW=`i{WV6+&f7q+Igz^eV5MnXv4f45laO~2xIe_(WZA)&W0 zi{GOo$qQM%Y1zVJfbZ{%RY-(*wRLfkY?JGJmDdkt2HOA^{OCes_E)M+l`dEd%X6Lm zvdPY<36#9C59}@}^W=J!Rfjasif7?vY$N+!Lc$Cn(93B&ebyZS%G^8Nb=o&$gBnMp8U#&WW#Nj~_2|>W`#hqJQ#KFu~XzU&$*bfe>H3({d9%AliXX zq<~nNg!ts+`M!#WXmV{uW%Sq;L<7q)`%>n1*tn~2apP+(oN>Lwb8ZGFrnFf?2rW`V zv05m}vQJ23dJnS0f9bW#FgVTRvjQtO8C>)$SQNG3J=S5*T}C_|Vd*yWRZxd9k#K#s zU1ZK$XvnCq_~_V=ZTur^W~9G{fhM}o#*go>L+S zk8`-memGJUr%vA&?QTWh=FP3R#YaBRQmSYkg}n{1!|4rXf1&z}Ye(_v5pC##b-4Wc ziN`(7t3`2_QAn;dTh)n9;k*DkGe+6ax;TdD-1J1O$TpI1AnO~I;(a@u1~Q)1p)Bk? zH>ZhV5Amx!Ki;Do`P9D717kj`v5)CtldSWFUf3qSX`-Q==toqQe`+;&Awl%VJh23oG1yHP5_qs_ z3)e#I2a(}}%)mE=)wno-DZS=J*A#!l!jzz;=3m2@F0zFj?Zgc;XjyI-5U5~RJ*F`x zs)f`~;`SBZ<{5FDC23ZEjkl$XY$5kEW(j*^NNx2s%2^M3(4;D?q(O%o-pEHaMq}En z5I3O)f8f)XzIkj5H0*#8@^SF(fY#0GD;Uz?4p{P0X5g8Uuh&_cCw2BU-V+PBh2lGv zE9_m7v_x~1Gt97O%Pim)iWfSUcer85vd4dDHgu0|A&*U!@2_E6AKOAuy<^ynjD=6cSD&x<1 zC%_^~z?p$VThoFXvV;u4xd@IG%0mZ!9$lCo5A^`}{%@;fz1sV;p!YTpSrYO_8_$>X zd6{C34XVe-C`#UMiOY(jeB@^pLV;oRujO8zsXj{RG3++LTozubY#du)NC@hCU8^3< ze-H~&kIj3TM_1jWOgM18H;Csq$5#`siX?4f8NwA_aB7Z56wlKsc~*f`6K$~%Xyx@@ zT;U;5-Wp`k9!6!cXM;L*!=OdJY5>kW$QMP&%1)o z_q^WWMx4}XT2~OmM6W*cUPlm)P&h(i94gkR4r)JOrgv$WL6C+?n8JE;dpB>0gM;>^ zNP7=S|A3Tn&(aPnA2F@Te+qtx+Ju6gA`1rXDcHM*j*{zSlNOsN>aVCnZ<_axe_oTe zL-`VKB~_I#aXZ*k_2~f3iN3{KueH|cKHkBHtjr(=Q1vyP*yh3Z(r+MkNn-nQgDh@M z`cv^s)F(E|QL;!i>2A-V-j>Ta9S5D69K!bpxx;isx7*MnrOovA8is6Pe$Dr0jOEL1 zvxf7v9yaGF&8kJ2Z{dhP|J?8af9#9;1XuM`D2dORYU@tQK6t6`qFlqm+5QgYh!oOU!Zu=aqg$ zKXl)CmLt6H|4#Hh*BQEje!A_YJZNmq9GsFeXqtlPqhHd`VW#x{(?m!ve_Ab$&B%%^ ziC|>Nib5(|c+rEv%cG4;3tkWzN*5p6ZD%4K8=F}v6u&x6( zU=w`@yj8=HC5*~okEV3q^&wk)Z+9cN&B{k8ZEchuiHodclqEc(wHfK6Q(rkFn3xk| z;LsVg0b^V!(Ts3)FuTOAf7Iz{B9nLA(q#^J(DFc**+wf}MzV$~t@g6spM6`|dyTBN z4ZlV8!#2~=vKB@0DYx^7d^*|}<#UpT{5qVM)Z4;3$21S2ZBpN2@+* zxGltIY5{B!x)Aq2w(bX80Eai1U&ofHf%aH+^sCA_!M>w)RxYz@f0b0X12GaF$JnUF zgKhcI2N1g=u_{XCCF5E6hBiMsnK@RucLEaz(#ed}k zZku|1BdypDL;nH!ac9;@W91^q$G5Z(>@ZWV!VI^OS}b3o$PNJ8ZKTX&3oS`g=V4K# z*+P75sz75&ItFpFd9=yHJY2R@KkZydorBbLCp-cBgH0c6fA!aRhlh||mX3IfVYhS0 zck?b;?ZQ5oCPEh-_DZuqk)Q}-fNqu{gh?WpaU00S`wDZg*{`!YNs~GW;jUzY*mr@t zL_Wy-W0_+sy2_R?U;AiQL?)=mB5W65QC`1w8T+q)uvkR>KS7yK7hDRG`dQ6Bb1 zZS;4Me=XT0f8jZW(1iR!EKPteI6QbZ(=uCTU+_BFq}A@as`GkRXDrqz8$^2ut;^~X z@}Ui{H|dqm7h(?6^HXfF_`V??=6rFzEQ+Q0Y-J~pz&mQdToxStgxM~CJn`G|DBmRa z_bBjNB$VwIbs%FQ5z5#Au`m{Q$1x860!?M_{Q9&ke+m2cU>$wfO1%Zq#s3{{vY&ye z>S(iDt?>6F@QxZVmjy?^h-~k|F#yx!pxQ0}o;`#y zX1)OXWN&!|?3Qre0Gn0$CVdoB0B4xLxEn}XZH9a-@@hw<+X%HKGSrycqN*Rw5(IOb z@pDmyf0iO=0M>|oK)phbV}eE-f3`ur#{)*_`M)yREFF~&biyEqpQxVf zBaI4$ruZ%)ZJ5eUNqY>E)i#4bX0?-$%)_G8*Q_w#>N^*7XPDk?Qr&KgRlay|@`7wJ zq6cDT&VgE3n)9D5#uSGx-yVvt)^Fi@h4sWHG zfBC^^zg%F(;@7Cvv_#U-8gZ2;-_)lk`+PqQg$m;xBzfLWA@<^I&pebugU5?A508D< z4c!{STMy`!@DQN0&Xx}zf5_ai%Fbfd2T|~PrTvw>6Tnoplq+F0ta#pS^7>KOM>gO= zi&WFO63^nJ$o<?glBj>S1MXbZFM?%u78o~fSbNxaclHD zNXXG0r+;J~>^0C&7QR;Pg2#BRe@CA(@y@}}s*?uho$I`FeTzp2#UmJ7Bq%p6SQ3GC zwE8^|6xulcPd;;6tJ#PVPj$uRs_-KNpUF7QMshXq*t&l&h_9XtM7~Q6E)0@Q<}wB8nz(oHhcdTe~Z6_!FD{C zx<02ks1)F!98G=VuV8xmG-VD?So{K;tz1uC<-v$U@^=iStJuKKp&)`9kHJkoQlIxI zvQ&)0z`%?3ZJFQTepvby#7|)|=F6Vy-U zo1#c@>ngOQDD!0we*q~(4WDLpws>j}ND++0H=!ZuGYe-zZgwkG^mMy|RlOj&MX}v78cc`?veMzhSGJduA zl0i#hs6ify!C@t9yxt}o@hr+>o|KE*7>=;I%d`7=lHLi!vvjVc^^dq24EA!A)fpiE z{PE+(40q1V-tIQk+F@`;;aEE8P_9IfNP}>EDQnEfb*BWC9{ojjpTnJ6RjbD(E&wIz ztE=~X!ph0Ue`kkY$SkyL%_$k8>9L+Yy_%0evC z;1065CuDeW@m{KSz@SI(Wm0DMWnO0o=Auv>Y(DSug;~tf?0UD1@A4`iIw8?g*g#1f zFia2m&BBJDkpc~1o2N031tgD1Hcz7l)5lc+6gRQsf56Or5kw%lD#gnR#ty`LwkRLA zbrCy;kN3rn03!m7`~$}ZOK6ncWTj{$#YvjNRKsI1)u53Ab+9!eiy8qP5BF{x5m8M% z7sKmhab#~xbcl(J$O{BmTtr4z0|GZpiQl3tlpShN2{9st;Ut5rKjMM->yO`2l!Qd( z;-*b6e|Rj~zqzlBK}!aj@<2`fW^y5vNTWC@)#5j-x_^}36T;yle`dFd_-)Hv^up`> z@YD<>7b^geLrbuDHg>G~+z&Yrl0!wfN?!u{IF@ShK&(%|iMOkrc)@%xj+|laiO-jX zXj#HCjAXUFP2?rth*GUNh_uQ`GIAJG<=bhqe->JSCf=yzaIa`WfHz%%hokt%xQ&x9 z=r|P?5j>#9JEToBUh%{osKX>6tNL!Zc+l+Xv}b4PXl85!9v%tspI^PIjuu&2$9g4# zk1|H=g23aVtqAMtM9Qj?i%Qna0WcvE0cx}U!N(Dn*{~w4V{+IoSJm&YyDcN ze*`vV+z7~-D#Q4O?r)xsv54Pd65tV$y8ZAF-EC86s|?;g|+d<$ysn*W8=0@!edFQy;TF7u1Kt>(W+$6zUiz~i=D<7w}4*l5{lIX5% zVD^f)DmMZGUfv>e7EUvh(H^q^f{5hjv)YL&Dh;JXQpk#ah7gmGUT*kJg{35cf9ya6 zU&~b$KnrJ35Y0;rzAUl+v;?wi3*#rFSXS=kHCDo)C~8=ESqqw3Sq8GDT0yq9p_b(H zlXx6n#XvN=L-7JUFRyy>h^0?}F$*8mlYx}{b+MHbBK7$+Lu7hF+qn+Y;MEMZ^+bVR zFVRI->uP4WtxGezr0*8q?}W&rf4djrw`^I(h;x&;U($va0J(^89whh4HK+p*P3@aF zN|wtqTMq53HK3KmTuXS{6zwe|)pU+h-Dix1EPV;I3cON`-K)X6cc&3F^)cx5vKfby8`!F~0^5)Qve@!=sK zHgxu$e$U?gay3j#FPcgRf|>+2UpsvCk|$8_cyf5k54&_>?&c(-5JCjxU;@Kp`Qm_& zNCI5p9~X}@U(^RKE(C(5g zNx1DH7dN|z2~`nlrrj@asWktdlzFnLt66a~t8cT}mp50l zk7_7&b|JO9C|5;&e-Or?c;AF!LmMsL=QC5RVwuo*ey@}p zACGb@jMY{Tq7qy0m6f6Pt$`5iv_{XN9(jXcKJ7`Q_x_Ag;p75XTBCYSpoI!Af4uq_ z{oB>Azs$D6eHg68$*lQO8=Lp=Imhxr)8aDDo<3tQpIw2Pf4u15aeeO_1Y_497L-Vq zl!48FE(@z1W`P4NB7u%EuBk{Dd5PX9tLCueK4ZBQYT8C;Uc`m={&uy`S>g{9MVBUN zB8t}?tPR^Nb|u6kdI;KzWm7=&sr_^geRQ=Fj!afwOV)WsGoA&Ed#nP@=tz?dox}hG zq-3PX_}H&-fBd`7bnQ{a;k$7Mwa{e7z)ikYN<*YI48FT<>+Y*~m8`GRB+MKwhWzyv zpYVMZNn8d)wZON^mz!QNE(X<(yyDzR4kE9X_$o>sE3T7GdY`BDEv+mMvY;c2Ls#u2 zHghdU3(ozlD^cUYvF(9`l^AhVR{=DI2%a(TWw^V!f62l^CXom-!(V(>gyms$n4S6- zI;{75k#6EuQEbBqNg?DUfAeXjn+Oqo%pmkZwF?V$q=cIFi86stPr>@=!2+`?ue0C~ zVko5|h~WjFoCamEJ9vb%0fK`gTpfnEbAr0E*JYkALp|A(=QR#Hd{GPabR`Qf@xX{O zAVAdIe?x2?VrAuJ(ht7ys4*REw6$!cDfz6Z%9}9SLI8P+zkFhV;$!j^VwTvbIzpCM zSU+NDKnq#Vpmv+-n8gNd%0mkdtT*^ZFqa_ottrCk7n*MoMzHWP5;w6K^=A+%Ej6c1 zbit-3Zbk&kU?-F=g2{o93~~Ysq;Q`~_XI^Be?tWJ5WGottFVSQO5pek{9qFzARilJ z$Yw+%wlCft2MTQ5nnORlhVF8)#j+F@AVy2!Jh8f9(-aaBf%@1%(6+rthO;q3ARimt z78gc`zp>87iU57IpmBARXR9<8`Q*tKVJvMLMl{s0frfe_g9(Q|{5l@f!t62e=?jk zij8$PVRG2rXV>A}gpdv^DSn4>14IwAk-_tjU`JMlPBfF)bX_6xhFRA|>^yVHL);KI zxEraV^y{KImC0{`jxia^T?_JpRoeOLe}I)fruh~Qsal4P)HY(cTwPzWIp*6);d&TS ztuwMLbcKO!H;v7iDlL8~_~(5+qSd9PM$}nCme=I^l&@B?>uALxcBUW@G_Tn-K}a98 z=wS+Nqg@jC(N#jaNv0Cm6g8}m9`2RYXX1phY|GLPD3ugATR@vA8y-H|yRi32f837*l0sVQf=>-r%^;|co!UB3m0?|X zQxG{C*L<34X91vln4(Tm!B&-cg~s+*hLnt`7cpNXRR#1~jQCQYcSYd0rz@<^+%nVH z78sGIhzWyvc#YJmi$>H!?D_|Se^-Su^M=Q=(E$`6lb{tQ0Y`Y)_^?)!R9P+ea>v8x zJ`M);?FiGsXzesMUm++HD7-I+`KV@^DX16+H_w1Aw`o>=-X&GoOgV`lJN(7xMOZ#Y zUni8ajjt<`vyJ(eu)c%H--L4d!mq>u$3vw~!p0G6igi~f{4vBj@s1$Me<(*|`z(EN zBXrW3ev1sE6wq@~``cnXnIwpPTNHzrv{Kltb$k%w;9<3L{H~3*z`M!TMc))| zwU*N=jJRhn?l9|s_I;oAf58g@}O5k2J>!<%gIF}C5Su4iPKyd?CVuE z;YDppV=Zka1W|{8Y@D}L2Pj|VcpOi)3R?81mPmKRX`6W~iNjupFGo>~x$apBXo;^L zRLN-m9eLR)Y^4QR(1e-x)iOHzIvrgRx<*A=&=C*o)#@PZbdUvOe}Rf-y}Q0H!q$6e z#*HX0oMh9VhRis|ZE0Pq+sPs1l_Z=0=yE+_&|Q%YDa9c}@0w!Zf9SjBvb zJ&O^A2cny@e`y+rB^>_Xg#o_C`3nrnA*1k$YUn_`qUITkSCsxNL~Arqk5j0}FzRC9Wsnrb`#WHnTA-nnWj8WR?4TFa`QquJvkPFaY9mT^k! zw#fq?|GIDUEP8S1yPq6jpp*`?uxW7a#jpvDS!qSHf6|3Pe$*S%B0gp@hhpk`MRw`- zs5xEpa3^%O*}z(;Fl%F06|A|qs$5N|%s$8Wd3`Htj`;H~^Pic}Fzbm@f47s!<0`}=DHaip zKI!(rH!i}cX!dB@m^x{q*&{uTu+ey|6}2>P0^eW=%wxtZ{60 zFRW3M9+(bhO+;+03u$(ln7_W@rgRhGJ2n8O4u8iL5;c4Cxw)nToj zNZB2(6o8`)SqJ&Fwlx{T>?3{5Elm+Bpo0{L4)-wuF`is62BI^pyD1L4n!KDaW}N-h zf08a0r~?j71u^_oScd>~ggR#da37lMD1a`ldT~X4bx>Vf4{w1UN;z1IyA^kLcb9`} zad+2)JCx$??(Xgm#ogUq3q0<<-+S+$J$u&dS(4`Af`+bDyGudCF~4iM|VFG*Ve5d6V8~V!Rhl3CPW+|Kckc+HK^=5BU z_YplHfK$);V&7O11XlfdV z0A0^}b06UxhhgY8Xr3CGKPCxJcuU>(6_d^uy!@9y1PD~^xVe(1!mV`Xfh!T4m$E_| zYX!k<3yNmj z$l`MI{z%kE_i)6X7{*(oA;rL98#Z6IY5d73RQJr>8`V_5X1jcMI=6C$KTLnQO({JB z2VXah4XEQpVpC|fkLesn#7)3Bi5kjd{MWuP?XR`zEotRlrUpT1spdfv!43F#%D zUq1@`cXQM#Ma(;v&W~Z8%XW>beQRC&f}6%-E#9Nc3zigF8jEv~!~3lgd+TZPz;r}j zzq9G4XSIS9p| zVNW2kS_UG5eoaFE;aRd)ol*LalL7gKCXx{G~X59Z@OCTzE)4=uX_Y0q9|wUG(pHPau0&?_jN_lRDW zI|_BM?DX8h#GC;Tb5f~J%3FCvr;vEv&QR^*vNAdIpX^jkab^eYDSjK=*Glmj!oLz0 zd(2O`nC)o%a!rjJUgn)v4FA=w<&725gq&T6L>9yDt#NFNkHy4A&g6s^4fflPEgk)# z%k!NpvOk-wa38PV&HkLK&m(4ir%CP_c!?k7msni{(QzCu%}kWnP4J4sD?_;PL*mhb z4f=Qt!yhPQUxuvbk>~ayjVPO98ipA6EkEHPj)O7e=Pr zWe$(IWgpaB$g>N357F3A0>PQKGIo(d#u4(fLOeSiq#WZ@5=I=Y)ncP!Vfce(J|oQr z(70AxybC#UGunt28YRCi=ukalvVr+80r5)mdK4}neteTFc&40Fq}K{Ooa@uPz+~e5 z+|;ebnuJX;=FiEv`BWEI5D8Oaite;|cR!;a&xowQy8fsa?$S$Qb_7$2K$WV6E<=9t zW2Dss*+<2&lHsWo7}p~z4*~Tl21T5Y!$b&&8MG4ZY#DA zKwlf^f~bhoC17_A(#ZhU4Qf+{aq4B9r;L?@2gW(bH2NbdS6s!9EvN1 z!juWrnNH%0v6D7Jm+L{K4^lSSCFQ_tG0Nd`1_gHxO{M zvNU7B2W5!DZ$VfDUT=#c)Ri#Q_gige_6Y-J%rMz&{_O8WCM$19BIJI%{iMnvUqw@! zT1H*V97IW9T0(5v8;yr{LdesEE?IhgotQ6C8k(0fl!a_QEc4di`MuBLvw3K+Jv|yl z^BHlB*GvR>>e)<%W<;yaJ*PX#Ysq~Bz4Z`Bm_mPT{s|AG`U(CD<~I#DVNjIy|?hSiSzW z_7@mNERu3D05ds&!}z2f`BFGu9H1Q?@lhD?dKeqkX>!hIA&Skk+)f1Jn7zFK%_6h{pB^wLT@ zN-r?|M*S;4V5OLAJWYShkHwk|?{M}>!ovLApw4zoSS`iWAS2azD zZj%aZEH#V>d`Ij_H!M%#C%c>%%=0a1@I8|nT;FZ(-9!uVXi@g^_c8O(03|-xEVL3; z`eKcq;{)Z4Z6x*jaU1Kl@de|F)}EqrR2;ON2{=O3NZEl#bObmEqTgs?KfZC9Ee6i@ znP+DY*Skzhcn)6tbj%~+QJsGF$p7y7;S^IvZWW2$q<>4B-5G)v7zh1D$b~6F13Mdi zw0D|vM9Ks%yo9LFEoKaz1d!GLR^)<%a~cp_T~ek#CFT0EE`M&kS;1`eL(M67xL27@ zqnMdTX1NPqTSjd&G#T@P+|&}3{=iZ~?wrJTzJ|zJaTIJGQbfqpZExVw&uhiz;)^rj z9{c$DWotz+7CVRhdr%FA=(FwZNgVr4hP?ZxB zMWCd_8F*pZ@Wx6SIw4Y2K`2l%7qM!r5Waf&b$+{INFYMeaqmU7mm)xc2`0n~#-O$4 z<=yW;J7uyAZ6x)a#pU>pEsCG3hJ%kNdV9K(-HSpFxz%v1H1)}vjA0B3cbk7^8v{i8 zaCIkJmoaKfg{8h+S60#E3Tzf<+(bgd53WHwo3m|^RP-LWbiq)L948!Mk6oB%(Z?NI zF)`*#Ul25}&i|e8Z8olm6a2YrWxQcZOTG`I;L9NQUV#Iqc;u6sQ#rEpn@OhW`==?0 zIX&k?3CoM*EDQ(^h~gv_al6564?oI`8myRt*+){}`?QTU zl!iMN7*|PsXc%fqC9r8ZFeRu2@uq@$#OhDO-YavCQyak6A`UuwAMhEY94aoXW)WHj zxx$?(v^CdXg2@tN(ZLx-l-v^h?~_`!^)#z=Au6Ky&s$BdxD~Ia`8qj|nS1P={9#ZG z(lmb^;lH74&Ih;!S8XpVBa5pnF#OKhGTI1tJl>=HG3#Q|W^wjMj%&3~3U3Hre{@vC zh?~vF$qsq7SC`;&xdXh8|LE+XgHJ#?34^819%;f;VG612wjEvhbDN-jwa2z@sk{x} z{``=4b-{yJzWU4G^ErX6Kn=u8uNqoJ$jGqv%{eS@oDd%+Yhps)S9>+A+}f*#Ir3^Z zP3ejr7R6N@35g#fMD2F_q)*)FS@zl2YZTKG;ehC)b)mJ|%y96Fy2jZ0c#&@vRqfKR zXgwA5TJ8Ap;}uKN+qMqZ2Qc>8GG3{-*Mjg6n09dkWz57jtA{$-s^%p* z!K&-}!-M>jok@LZDq`jH!=RPoYTud#Z~*iXJ% zEQ@1;dIyZ3Jzn6${8%t*#`kycWTU%n(}szd$S#rE{8P9F3RU>S*K${+NHOZHGaT4k zy@a@1(?fM%5y%3?^YQ8TmFwR6B4->j?zy|5W)F|$#YCj zwfPl36kR16@Q0vAY+#i*k{7uN-_NLz;A6qOdFrs!91l3sb+n{hmN%44cT6SFwwSy> zT)!Qa?(30qep-Th!BWE*+IWf#lo7oFsAvnbu4X*Ka_*FMDUa&v2X&Kr%h;+6|nQy;7hy3-%PeFfFQtlX}^zkMV@S&mrd6WJ}x9Q(DdbJFl&Q=_L%b3Hlp2M+A*x zlW(>(ZhK(p3&ZnSh0k!M)juHth!Um=1>wg>tV_!E6`9K^r84J1XqeD69nX7fr=t8t zAU{fMNYC)F^hv>Z3nVF{D!~xSB}H^~CU~eRuhcg_kuwyshwZg)f?Ay-?>7OZAs>W3hj8rYG8b_3=MdI9;dH1amT`&QU?knDSFajSOrC`ghbRp7*;%U2pDpb`X(lj3PTP z7w;Y;lZcjMpA{OjqpR%CYx+_liliI_NgHx4){mOHH~Q^r(URH^;*`oPr9 zE{!X**I$P;xN3>{e*nypfk0uI}y*f&c{}*H!R-{ zI^S9|v~?!kKaBl)elrzB2Z^h|50lMgobQ{Gh_0mbpQ`-@!E_9}!;1T)Q`WELWuJYvDS zIj^7)B0s8ucja~&dVElEC16TUm`@XhTyNGrfjZU`iW0AEchvIhnt(jKFF*GfS2GuW zHA|g(D6*nRAir3fK~;51UcX78e!<9GvRMPQ9(F_R z^dnEE_+OXG{Bg7ql4Mpky6;d9;R|5wof<&`=*PBo{wz~v8fRs8CN^q9^#y|W1z6&a z?HsN+% z18$FamrX`f86}*Lyz+QvrktFWyXltFZPROE|&g{-UxL{fApK$9O3O3G$u+^?weM<1{T1wCcN0Fy;w+6cOOq1uBYjAaQLB67PGbTUGJ z0yDEAY%UC?XD*_$nFNa9c>{l>F_=O)2SXttA`{2JVBm#ldLcR_wa(p`Z*e{Ai03

J9{c2_U^FlQH@oVIz^tF~snqOs&0sD)+%Pe%a%u|;_ z+Tv1>`M0lTBHw66z76C2R>58D3%gs4>1A+t{F<#mWSK;v!az1g>I4Ma7AZuAP+A7W z;4Mr=dE{y$#CqV)8;Qov$|(y4CGo`$?|5Y?9cIJNBW7D55&9lYCCfvN#4n+pXg$A3r8sx0=yWGuLbqd(Al1t>!e$z`#_nBbvgI7`G{= z&9&vQH4tUXps9^CO)*O638GZKx7#WlQeR+?iZ3qlbyi}ZP#J5aV)pvjJzBYRto-Kigs!;}*`kA3mWy0_ zG7zn}9OIs8(yD?|0WD5c2VCc%Ob7 zAbrZ4tfbvQfKqFGbz(3q7)mp&>7vlK+0{*63(`2vI>Of7;k<)EI(uFK zZMb5;%(H0e(F;A^|#aNawB6 z_7##{+;w?S3lD@aA}E^HjQtyoezp>NWqRPy-o@yHILhn;qm92y*W{b7q)0(RGmuwS zPFo+OykhHcmYmBCj~DjAN2mu~iob1Kfv-f~4ZSScRY1n{Q=e%}EYc!rDe?RZjffn^ z=D~u!86Nj|`&W)N8S_v3uX}SF<=p5P=Wr>O%%sQWGUG2x!ACUo)R?<@*)vOsiol51 z+te_j-RoyU>tCKvZQ_FIAV50z%Tgddh1Y#B_ewnXi~q>a+}0ZuDi}8gVWFW8^mphJ zh~I?g{f}2YcfHT-Ft<#^B*~mJ#c0ka!QkVYk#Xo+xa`=!!NH~AHhgDa;t>J#vUU@< zPj%%Ns&;n@y6~#_A33XuM*C*%MIZSC8l!+$TPy?y8M~}th3nKYp{Yn#>YZ9CCo7>2 zSu|_;h%C;4&(j}iKVxq`!6KbHU2%v`N5WE9siXKhneSd`TZN0z8ToGg#|U~8AM$4l zatfy1>e({W%B`6gt+^D?pJE*02(jGl7Vx(eMVId`0?E=)Q`+HkqE|7pFS+yf#c}wJ zA^C$tq{voIVJl5+Y0@D5ccLZNB6W4c=Z`jC`}7s)EcLF>k>H5s5n?@Ssjdv}|Gq4J zNiy<}pR~=v9CZ-3rLbJq)-*wXK$nRBIqUf&hL`uv`yLy9X6wrZ`0b>#v=KT2@*V>6 zi7)Xj67t74vRBLsqc;=`JRCb0BtYIfsF5iOlJzrg=EJSiN`N<7t6$&oMuqn)V1LO3 zKU{9f_Y4v2G(>JR~0k1bU-Q0^}+rn8zcj7^p-? zwQwp`v+g{}Yydf=pM$1OArJaT6zuJMFga3b`3_VKxP%e36xXlUb2M6O$pewf;8o)@VP z=W7j4TfwituKPS?GpaJ)cbniA2SiAcOuJ$_}FCn-MsNdjR5;N$WihO@I#BzT3o;TJSSwt zcnwE_1zf-A@?_=k2}$t9IZ*(Tgqpm+r{!7?r(aD@Z1M0M|QD0S=7H{i4m;N`|sLLExB4 zIW%RR!N+dfmbEj+PsV>>+C9JJ+u#q8J~G?w>nQm1;l7KkI#$3NU1^)?Vc3_}DS-*P zRSZT$?u+A*WfY<%KJpOPs@YTmK3s|R7I64q zEWDOieR#d*abDy(P6X^^Lu4_s1WNY*Skro~8Egkl`kthV`+c$Ea5R9P6AWsb@>e#Y z3N5gt<<(;MIpqlG57pzS40Lc_y}Y87t-B|rZg5bcCIcHZG0(fpgugJO9zamw`AkSq zX2dE&N8MlQ70vMdHOaos3m4Hgo|p_9+djK2$`yp3E%Fy!74w5jyV+8-!~;xoof=%i zAr=nI3*hhT;oTc>YPCf8bGIBgElzCPmMEGyO=aT@xTcAeEOi;-=7mRQS5ClWGCba~ zN&o(G#|Ref(RZTnuezU?Ak5RjWh4yTWl#RRL`W{+#6LfrQ`GUROiEkmw9NfOLb;jVE{=kD~Uc6pK5IRgkVSr>Cv9W6t)y zI>uH?HU|ouP$z=oYPT*>`$gVilc0JI@=mp!ycDk+_O7w}wAz;b9M13y=nT$?%N0wU zaA(bVUKwOMeY`nVx<3q4H}FTHw*7a%(_N94DsF{){P$m{eT>{;*F%h2{n+eJSC`!1 zpx?j_RhV)lhxG^Y*+=PO<&iLqjD#yV)Q)!(BNQ71O4nScjAj~sz!l0IUfwa<{&DI! ze-RVB5y9T1KgY6)_4LXx5yQ?FBAkBEUM_aCOD{*L$B{H?AXnyE>-6M0G#v}lafpQ! zsoE?vo(3~kDxwD3KIGzi0Ipe}dn<=k%RJckDQlsWu{o*yi>x+oKWuzx$Ejs|smoWV z_DZ6 zClvK5CkWq$fV4# zs+uG+YVR8wB-BdbeRtlH;-0CeBpMWO^+7QA&zZTJB+-lp5jC%Y1|H*P_wKLEX@{s* zO#IIomcB#S-!*j`IOO(!M>>>Qf&#;NU6N zq(I|ghUu{JX@1K;gA+DlM8#I_0z)D7?gT*)q}%n)FJ|K+Eo7i6H=u8dQ-D7Iz)$Ap zH>|S5@R8%3P(_L_F-sfGZ$XuPSK$~y!`%Hu*m!)zEFSsH@TqaEkjNK$Z!hy2Oqd4t z&VV6C`FnHYbA4B6rKtRHBn(q7`ikMRVp#tuDEB#5@^JDK(%5TBR`1U5IJ75Kef6ks zE~o5?B@!Xdnb_vbTSA-+ux-IXjkzdE;%7s|3b`)iG2OiLLGR(1S^ynfPW0kMTh$Ci zXa|P)WQ)nIB;K3#vgU`f_0W5KaG7eBw4fN@z6L(J&xNDAo#ZEq&zrBZ2L_5b1iYSZ78I4EM?iEfT9=^@pos zp`Y}j`pEd4#IgAhenI0Ue;KVp(FaJq6@#sp4V81iq$YAErE%o%_X%qO>~ChIkPEjE zc!Vul^)s8I(=DXbv$=bxTdS)5CR$HB(v7HhLtJy#G&g|C>2-V~b7|YbtZhQZqO78G zxKG?nzPfeyt~MiPC)ehR&!NDX9(jDFr&3QuOIZ<9!qefSHj||n%}3GOSa5o}r^nyz z3)T>Wzmrh>$;=BodLlX%V9L~O*zX&EiNY`xd0yv5?lhk_f(dF_96O!Nxb#mf*mM1L zZALv=JfZ?RYmrF}+SlWkuzCh*t-O0Ub4ep~-Wu1A^_)G&2t4}=JT3WgfSIQWIq%#b zz7U@@TLD?P=-4H;PTFHg*ikCJzwc-jW*bvAgxBS zIEH&iFbxyQBu%m8bLM|5`b!nRd(B|Nr=f4L(>1fx!KWpPvW#9YQ_+r4LG3BuB;Xiu z?e8u|*^9ov&>J@FkMla1-E=N-=I(nItT4z{l6M=>f_ticZOc-eE7_6Av_g=f{O(k! zxd>xBx4j%_>EnqSqm~^{H`Odvhgo6z;_?N7#Pp*lb40=L>eS!l0V77~6FX0CX z*mFRHgGqjZljLYIvYS?F572I0IKiQpm`-;@;LzLpx>2dEA{(3?_N$C7I|TtVxI716NU-&fI2_Lbt344s;(7Z zaAha724&Zf}_tQuEB(N?VM0n+E036Uf2v zQ`R+KJT$|eK^8s&Buk;_XQCCr1ho~R9;Wl>ofjs#oI<2hYx!@!xXEmsE(>wA^&r(B z1KNRVUpt&2yPke_271{Zdf8@-LTKpHPZZruv^~kbNNPTR&y>>td~(z4m}UnTf$jB! zpQ7F#e1|M$I9@06$8}|$L}i{^jW?fW_s~h)#sb+{38IoGRBH;gqCrr*%(G8#etAq- z^et9oCzgl<4zvRfP(tw1-Us|$)%+VknPkT+4osC@8ZOGzoY3BV=9VCtter&Xl#S_k z-ZMr`p*zjQ2I7W}po>Oh!`X9v;q#G{oFI7)J5Ai1>5KebUq8T?FzOr6X=YDJ?}08?4;jcK7ELr z7nk#gxY>Nb)N|EbER&uczgit1n|$z;O+X^^pJg!C;5flYSToMfdd5BiF5XYow$E2Y4 z^RL=nhbc5Fo5(BS;#BulL+^4t2Lqobe4b?MyY~`pKJCQ4JrI6ylEw9SdcP9dNp$?N z?#PFD zp;jkqMI=HGNU5X>NOWuqwlNau96>{!c>RqEze@ML(k|rU_Obg=2uOwv1uZ-dV6z+5 zM$TMgPva;z94^hk{{aC9+h&ad7-%(CZ8m<@SmrJ{dL3z|?qJD&rin2175$*khhs~H zNb)f*+}=E^E=WYz?&sp({g@BOjxv$tEeHBev+q?~eZk6?D?i{>kB@72sc_t(6zzZ% z)Q*un$@WK+22rRT)Izfy@aN7QB2N85#v-b7Z(czo%|>pNpqA0I8-jCdI}L-LtmKV-pFho>P!=Ah z-FR&cACzOF6~P3x6QL|ZA#v|O zsc3tspth97QTHkV9~<1}Qt{XYyk0;>FQsT)21=!NqRnEmY@rX3?@B=%fN_hMurLPG zDHIV0zM}8+b;%34PzU_0IWti>^)TUy?Ed2k~L*qA6JS0KoswNG`$bb|Ii4J`FIKriA4XC zqcPSlhA(>o;r9AjX||eJ|KmiO{Xc4OCnpV)+=MWH=%Z~;1hnuBl52mrYj?k^-p?X4 zs|3{3#;ttctW*eD;twST=Kb`6q&1!9x+h(>bOmJZIV=Ucd*ZlD2K2o}evbVFMH0^* z5e^1+=Hy{inw$X4AICcGG5IIX*BCf$=A#P5%fILw?sg&>u|U z2_k!bS3d0%M0FE(z$k^!&g;+Fq7{|Bw+V&ks*|G9I?J0}YdDTO^K?}w!P1ecgY8ToTJ*q=kK(KRclSQ{au8Z9BJ+m9CMJE& z@83)jX-2zUL!sZ;>ZsKCA$;_^LsB!D2lxr%W-Dw=)vH5bk#{8wK8;&R)0(C+ zO&^b+41kZ{-{|0+VK%CoI8Pa0y|fiDNbh&dS>pWQ@Wk7*u}6%F@o3tb7@Xe1 z=>k6Rhvf5l_-!-csoy}oyewIYHt=KeLYE~9W!SS0x0F;EttmBAmUPpGDMCx~x@%~k z7Na{Ecrkj_p1ZdgiB7XFN*)myc5way&a{0zuUu=1u34t8M~MOQ#y}&`aLT@(%|d>1 z1IH%?K~f_f@Og}KR+T=us-iX`S)D(pOwcRR9%k7kp^6G<8c$KAkQH=K0}M%^C{wOV zV5J8R#VD6mN+IZ#Yxbv!sPkt^+eP-Uw5h7|7fIWd_tXQWM31$%O%p&6`<^yhp0F*zJGl{~%NzE%U6fSi>%qcxs01LFm zJOJ}F$|B{@(U*Kc-!uxFLep1^G&Fe`(5zB+L7Kk?Kd;O`hySBu4&hrDc85AmXt~8| zI6+O56<5$C3f@WqRG2{wGXol67i;d#AkLUYWKhg|o{9j%vnWi;NfcH^Xwed-YPw{& zJqgy~`qVR!?q*@;C?$IBGmt$WZ>S|kGP97d=3y!1vjGkupm;HbaS1(WS%oI6xS*=p zZyf!x6reOixtJ&u+!enP_Vr7>k7tS>7Qoz;s@?}2mC{2B%c{OvjE1BH+EjulENj-_ zSC>&>3QV!1wP+qGWXUVcMEJC31S2R(v-wNKw?lw4z%j9oy}Hgv;Xe`-6##H%{vkmt zKQGPC^n$KXNLe-9dY|BwoB~*uz0Y%y#^zzk6k`!eD!`@^3eyUH2St6FpOpn!fskMt z@$z~fUyZtfqc0Hig<4J)7m#kQZa8F0Ep zIrm@^Ty!pqAX-YZIa81&>WigOM`OCU-=twPPII)57H93CRo@#lX9si#H*r+WbtSMk z0*jg{DuU|UYBl-iW$cgxQ!mkMAiUW6Wl*h0JlX*P>nLoXrX|RkMxX6e$OBk*leG=V zX`3(&@>#z+U!Z9hg=sOr)I1_B0d!$eykNPSL6gs_X8yDL1=8GFk&s3wz;WXru=aX% z0RWpgYA4mrMsu5fvS3?;GUp}gsz9J=4@I5wP{KnnFr=5lI>$B^AZiB@&km49wH@Ic z0PJp~uz-p%&2Z7DB0*DHzWZgtTKxR73cx^(Dr0*H5)Kg>RP*8H5x|c3kR5Lns zq{vcvT^2mQ7VH{vsAeDcv~8?F3skjD;TDO9s*PC3A#DGKv!dEi70 zZI)PJQhpD$giVVNeY&3tY#ouzG32xZ>aoS7ki3flp^*^!R2E1nS04UE3>_&Kq*N+T zVIbFN@%PC9xnVtOXT%Y zS^~qurs5tM2~ev~PWrz`Sv!NA20QyfcJ0SARY1LJXb@gfACB2F0`|WepH_j>4i`L~-Db9^D2Slh!lNd)4ND zkri+Nq|jY;14A|`?6af8NrGG#m`9&{H_*ku;#wZE#$Oo{DH-ekgy9EpHVFO)X;y7N<>E)bx-kC2casHaq?LO&l`;Rh_~vg!&yK$}8R;UO^0 z6FkppX|4X+?(>kbtpTt|gt-DpKca9b41KK}Lbu%kttxF5v@z>;CCJ$^1*XzW9ReS3 zC~PZy98}8ae$Eya1q#xr&2{(~WacEm*5~cMK+b!?s#6Sw&0GPKZj`|V7ZZpKYZvz7 z`5it|ng1eWxWh*~b6X?O!tJcX$0l=|6qZe$U>lwO@<08YqT4kr_m6(AuJMMD;u9H1 zHJ3el0kplM)W}Bz$ZpZ;pFm@ZdI@>kx?N{-0#pEv-_zh`jc1mEgCj(wHTdDUcHN2= zugJr%4^YBjms;Gyt;A9`T_N}Vzn`YpWO^QN_b9s-d@>;UJ~=Mre`V;f4 zM~jfpS_bl_tTzLt{yYX8KMtR2?~!UfL+ZU4daHVao8AB;m&1P>Ms56`(1(J^ZpgIX zek6f?X&f2B%X@MkgG~Uk8x!p}>Lk8{a+}zv8(J{lnC>M))$m`D#7>xfIyb%xK457R(hXpE4Xpw z?kNmBJG^Y@jqQD&!_B1Y*^|2{I6Sj?v$UK1WQ~lMfhL&_$SfkA9BWLxtgDqj=6-}> zb~EnC3HTBhsEFQOm@v$A!}Ejtjw-GNju%!sBl!Y*i$gnmHr~T^p>WRawQ6Z&^tdYC zz)KbXWUb{smMwhyVAr^PW6kQqCJ1c@7>ogaLvQ@EAl&(21HLKt_Kf3md6DB2cTsAvX!?S&hA^;|3qSJ(Uh>*szJ=Iz+lk`OJ6kz6=f;b2rqQw{zi}JR?UT@b{|s z0+=;V4{C8#2IpqX5Z+l?KO-8#Wv6DjFPt+t9+y@%b}hIGmKn33(+xV6=l(5f%u`io zj^;jJC^cpqf_ObNyDTjOn?sD_g`Cm`P?`<}uR1?C*YZ`UTG_tXfOgDhq)UQduWE#D7|XI8dfe^5Ev)skMj7b>g?tVe|Q8@cXg)M*F+O9&V~!^S&w4v07(?jeI-j z{KK6|j6M7r#Thoro+B@-hXI0r_3QjXI}>~gu9hx+kzjPQ+>cv{zxGG8(T*2iVjJGA zQ=pD^jJ)O@IwRY_va*t_J|pI@CQM!x@17n5GncY#R^sSur;Te6iZ`;WeS_M$7ai{h z<8VpT}YV z%>{gCDavoNICk8c;X_CBeeafyzSy8{h8r6{*EdaUM@HDfv&FFVl=Tc$6NLL ztmU>-o%bqhzi^>YyY&Nc;o(g0F?UoCs1-Jq!GYtPl+t|C^LWyVj8#`%)gy-4&|L0x z1@ZDB*d4t*1@Q`;*rG}Anf3?qrJzYSrMA$;DmK((n>Khnm5vZ?VUFxb(#+(~zH}32 z`fm>p$kjA|-ugQ*uG>$awTdN_dyPX+}|JmSJF1MN9_GD_Z`u|2S@z> E0O_15kN^Mx diff --git a/docs/inventories/v1.33/objects.inv b/docs/inventories/v1.33/objects.inv index d2f78b035fb9cb616597d56a9533c1b7c4d342e4..da58252da22e324f5fc821e06c53f32d70537424 100644 GIT binary patch delta 121507 zcmV(`K-0ggiwpLP3y?zrH?c%Z?0?0jk{|Qs{y)k6c4=hv$chPqZ$|$k6vRB6uhRNE zZ<->@)$CsRm%Pu_l`Q#DSI_t5IptGEU)8Y8kNn>G-ZU^UlXl!jRt(D!^$qw$jeO#J2_c$h0V4e^5Yb21 z8V~DxN5SL|x~48U%nnv562TQC1d)up|q z;JU0}zZIBMNA97C?9K#57%2T_IHlI}>NgeXm`!3<+UpaCC_9 zYrD7{b4D|Yx3Bj8d%oJMAV&4yF`KW_1Ks!jeZ2eL#IFC`i*r99$6;JVKwE&JA1b66 zX2~pN&bRq;v0Oe|<$pGOy>-at;;(nUy_ahh28_z_@&eY=f+B++5&NM!;q*deJ!Z$m z@KnN8FV*~z-J3N2LF5{vY9i4P3ver>s?!12?1?W@ovjpp0<=OHPeh{njN8!Cuo4vr z*2WBwCy=XT^CTqYP|3K0e?1o?yzv=GE~y+UP|{+<})X8ncQJ!VrT*Wa}%d> zHm?RuWw_s=zVZh)22sk(w=J`74nyf&o3BIGA$= z)(NeBQiTAtI$eTgZUnW1TUs>RWimFSILzf6z-^dEb$@{8)}o6Gs1)5p9_7nsSGo!! zI0(JC(8; zw%zoa(a}U7ZHB-ao^RD#5~~nu!=|A@ApD}>04f1n-xfq z6+#LODKMl^A(vP@wAf~PT`vJ6jUsyhN40&%aAkX|AsHaOMQdAICn%&p6ZI<>0pplX zX$dF5KbR#eOR_>%C1DY`*z^n_dVmR%jjrM*?=7|6d=|c;I)cjx0wcgbwn(<;gFlkf z(T5})s$GXayQOUlbBOEvx&2D_7T@;^mam=3_bW_jrefBTvK>;L|5BytrDU#w`QIMRlz3kollJl>0$%Hr8}l*^#cE$@a9yo7xRy1` z)RS8C9}1_f+^~Uo5Kt$mlY{dy0t@1kw(~fDH3n$n8O(a14)*(P>r7wE2;AMT5r#zT z)X_)KUUoh>sxC8Y;3isfPHLtY`*+rL91|o zYQq^={!^FoBDNj}8-QBHq$=isz?%PjZ7)1U-dJ|svJ;b+sDXW`dG6hr_ryeH}CEJ{$YQ+VQ~Jb2QvK<)?nsajt=k2 zo#pMhDQ>pCpP|Uju*SA4eNlDsT`wwsb)(neUAbMa&ehC5mm~+Zy|ITvb!j&ofYKju z@xDRl+oiE9)Q95k!wVf=ZLE-DUpv`Ahz@RB9~p?~Ec=myfpfsLb3S(*A33X0eV;R} zN?!OjAZa7Aw|%xnTFFl%42W!m8Tn+W!pPZVAQdqTX0kpiffCa!0SN}8!)DTdtx>7h zoM{iC(ZK09*XV;ZKMo5#Z7vXa)Phe2TOf%}S7Jn|`tqD%T_e4|79D5e$0E=%gaZ|? zD8N(`&NZT8nero@(!irmX@f10L>?%2G^K*Erlc0SyYo#C-|sUxIn5UFYQZq$_OlB5 znIcmZe=!p5J#S-6;izK_e;Lq!${$+<#vCHp2vCa`QxRyx;TEGvPL-uG<@Q4>#?s{rQQ9b>)h0UI>+WA@z&%Yd6Qh4dIwqf^_;8j% zy-QCj6KIt(^^JBfSv`P%-dZK-_3V``)o}EeQ&?425!s^%YWUM7#H!q-kh4a2G7e=mc3jzDvm~VNC{^E=cCpDwQ3aK zMkE#@Xit3;`5c;mkHoH)PvT_%ixD}dm*hO2k5E;6PgEM&1mBOZRDl?2*b!s_&{C`3 zPGv2g=Em6N6P|neb9nv|9mc=M(CI!veo5c1YSyq*@hv%j z=I1YqX8rAS5Qsn!)y6*q=cf<%z+c<-Xiad!96wWER{kJZfXTM7y~oF-5vgE}0j)?~z-1oS-yvh14u(D%{X^ylUbC zhoEh$C>l&F)lniEULy6QsEQVHcH_#$^tD|zQ_38!fG9dzcbVy4@~`xV3d!uZ)1|tJ zAyky-Q-N@Qri7M~%Xj^k+K76^_VM-Gx)IY|0zZ7frhB`W4t_c^!~n@%5uQNrvgBKx zp&^r+^Y&7P6=e;>jgF^TM0ce&tBGtW&Sj~QfdsBi_Pc7Oti-zmbDf?kjMQj!W}0Mc z1nz%Y&M6Ile$Hxty(CX0x%Lb9yb`s~)i)z5=9)E-TKB} zR4_+>Gtn6qK; z;>Vl|@roaMd^>Ncu$mrMaDxa{~geWfEtSYi57u?&b>rkodWMNi57z_Z++&K*ugvYQAE!q1e`m@I%ewX(6zO4Cursuh{_0@Sa_J{FxV4lUmp&ne5f^uI%taFDd9VdBND+R z29~!pJ_#VX-OkeZR3#DvYpt~7oSL&&W5~;p_w_2@bTp*|(nI;`>PsCq3(IUTuP-KP zo++ZG*uIGYyC#ydzHHxM(zh&NPys>v_|D{x6PH742ryfDNmrbfI8%y$M+4ldR;m!x zE1ReE_Ipufu$-DtiE#x#goTyeFs#Yo%>THh@)A<{qmpY{rI)COf(UfVGNA|-$Xo?- zZ4ZjgH18qzY|L6Av1i~J8M$iETBP%r$@@_q!hcd(aOU@Rkv!lL$fI014d}v2mY-*b z(hNX`Xp_%FwX6r;^F*G1GPn_z61U42lisG6;&5p}C2 zUCnmf(;Sntt_GTaeagdY)HK+X20{DyuH<=zxeu<+&a^ur>SKM{!6C!XF|EEjyp+=%&_tlaKjjNpTqc)7a$<)LeK zSYFb)%HO59XO#2&3wW`Itm*9#Bh`8pUD{a;bPX**Min}$CUAw9wG3I0KYx|=<>ewg zffdNmfOD-X~c%-r>45;~WP|Xjm`4L$2ctjtK zq&b)Y<8g>I2Iw@;9?Tm2v(3A==3Yh~0`=Mw1t$m&{|%`lvdHrH`z3+(n7Z1v$P2rFc3R=oR6N6FHnt#_V6K_*33J?G z94WHo0$)v!Wk`_;jWy%P4D}j2n#ZlHlTZ0*Z9mhm+_il>yb%Z_G*I7}zd*WPJWu!E z`wSrAoRdHu_Zh+!f~j*i+fAd2&#x<#6j{0dxe5^a{4|MH2)m`ws)?N#@|ffJI^*KU zRi0#jp-29)n`$P69vL8nSL5!5gn|gIwXE^0sp}6lLu2Pl7+KVaZf2R`TcH+_)tjzO z@WJ)MdwN{AZkL~BT%ozi|At98RsLi4^6e&?aD>D$`zKHHlq+Pn>9;&#uI**-vl>7I zfT&Y?OtwZOj7S`1WV77%|hJ?rz8gOY~UA%wND-;`KHFkEG*0 zek0L%rytzl-R|pCaR5r?1NHLL6rFQt%tm^lgNCrw3(=XKHBacDxWakI!IZ4NU}mv@ ztSzc9n<+H>ThL8O)vT2Aui&#mM29Ifi_kFi28Tc3P#YMoBJYFOh#Fv+5CY&B4h=BR z<)iTR5P`soIN-~H0S57>Jb7yn_Y42t}! z8P1gOkk5eP51u=)s6v!u(8t839#l+!BfcFxZ*oFCHLnH6ILQmBP0}_&3ASo@Q!S(I ztZNQO0FD40k+yCLK7^qxy!_DoB1_CrEz|69o1m)l>oQx$ow2qMRzBM z!A)sdCTikcR1GlHN(R?c0WtU-k%O*yRgksykGMtib>(t{6-JSs%X`~#8k$(tFtC;5 z(nzQ=h=UTo(BJYuu!Djp)o!nUgyRYw7c1|lA%=&JqS{A?j!Qa*7#=#f=~-U>@icHN zIK=G3JFrvzD9VLE)gp^gfU}IYXRaC|G zeub%X*fHDHi7b(yzmi-1BcB!ZN7DT~?Q~WFK${L`B~RyIksr>W2}To)20hM*CJ;^3 z9|F*<1Xvmbudo6pEo$-VpoURCh-r1hS|*mK%jNQ7>g^WPIGW( z@ey-8%SYUSJhy$&ZKJ_|O~g_AYCrLPAGgw?@;g$kU$?Eim;&(ll!E*SlwC^0+_ zmNC@fnT7Kds_q`i>vh_+fwB~*e#bwH^w=3ib$;%QspH?n@_Ol@N%7hy2swP}ZsbJf19KZnXif`3L* zyG&(#4)qH9^Q8H((HX=AqjrDABo@CV6x0l; zr3L!#pzdTZ8N&|Ezj`Mt1oUYGx^9hk>@i~k#qGMH-yqw(Z57$S+ zY5NpO$8<$~M1Xw240|^)a}s)S+nmvy3NOPAqx+M;N<9{w-E}!33;x%s3pP>Vn~Y#a z5v^gnxdIMDFK&buLyUqTsyMHQ6U{+dBx(#p>5!grh7*z)z^!m|PRN^pfmB2{&bo>8 zl&BkiNT`T^Zk)U{eV!%85>J~$>!{``Q>R%LH#t_RM}kPO&m%I2i7kNrLf6~VQo#P| z8xy$k-W@ON5seW zc-9q(9_!wH=2eGTf3nR12f+q^`9t^bZ~5Sz*I>Mlv4<#5ns}MdCcoBQzFn10^YW6T z6c6ikBLF9Q&e90O$u>U%oQ#lSnSq^%H?8z&R_8j8=G(YjqY1q#6PglA_QmG+4X8-S zC=|?piBFd3BRm&m1p=Z_FekofmwSJm`(5BrD~RAER0$xAtB*YPVtXHX*arksAw57h zueOYMSJqlI{l*mlP3=?u$JZ?zym{856R9)Np(I{#RPwK2v%N-cdv4(?9qHT<_rZ zVkP4cfAt~$;t^A&5gIpkE^NQYy=t->GDOuJZ1uZoY7#wsxPx$0&kP1fx9Tbd;R`xz%mH z)0IZS^`$msaTLNWJr?PMHxR;YPAd42#Z^e%{G?5m=w$M6Hp7(uvbcP9u@4c`^hxgF zsxxR_&^l^|qF(x9v_yD~Q0RoH9Nm$*{Y*1?HSTlbQE+|Y4Owi2WU{n~dD`E9>RbLg zr)ek&I;`l!>Mb{J8Tgi7UNtNS=kCMmEh}zpMwcaZ8NbbWB;I?SJ)+Rh1Q!?_{_)0# z*7bY4n*bdiUTj3r?b&{OW*~SotbIe#5Srh8J(DUdG{4)g^zeN0)I7A!@?o1`>%bPP zgw3Nzt}G7dS5y(HB&Bk&$WJ?eSdu+n;e8NasQ6rHAL6*n$^XcUXD=-noP`)5?kbAv zJ8yQALD5-{SQ4`c?r-)D5k%VB|KPd52`z(M*g~OlU5pjh3lEV5kvMom2Uc%RD!64 zrg}oW!Ut%jQ6K63wL4mW0L@40BhdrRbFL7smtWjdtO3z)t`MdEOjM;_{xI8Bq54xO zB0)q8q^q>^j=05}79YDkb`{T>8HrX-lSoUfHuC>-&zr|BZDcXMi(g@wjqX-)m=_Se z+&!;kW%+wvTkOK#ytGw?zJBsKxAd8FA-Ov~hO~a>d8$^E?WbygDvlX8KaCH0P8Vmp z@q?QQB#3@c;h1WTG(Ct*r4fIb<6~=`dSI8zc1}bCzCeoGb5q=4QQfcnaS+K0NdVH2 zFo^#%Z$bY60!4y>AJ^Bht&QGu&H%L{z3W5n_CkQgj$w8)He}FFO1-bqt{+*RWJ_2*d_|EY5RpE#&Ir|#hN#p$s-aq zKTMI#@~u!xJL3JkegB_C_lUJ$NtstWN*|z!@Bh>H+_hhS0??+k;f(m-;~Me5QzQO2 zj1hZQU7e=8zLao)I_hSX(<9YNH>{2xryjad1yl=czlvK@d?e{RG$8IP5m-d=Ar#91 zZKcfDQ~tJ>#|$qg{w>PE_R>T*nC@PqK^~!b234CUtRb|wM-beORkr@p`h6VX-a10s z;1)X;Jw9K5Vs#X~ls-Pm5p0e&hz$q0ACCWulp0Q}g z?(G_jMuctOSTx``Prf-5ws|BTpbccy_z|GhgY$4Edp2A#gKn=HF|ERQd`&V56B!=}1kN%90)Yf`SZ>02CR+U4A_u0sUk~9%|5$ZzJ=VKUOK>U7o$AHF1 zP1oJpUF86Pp=ZG3AqWyt?x_dj_i_d_K5B5am>t#NA~sr$N#mo2I;NZarzzrO3K`3x z&T<7XY$E^3T_sXnIxjfa{YX6KFcjA!C`%)T3I>Ka*_ z#umLj^gwi>qH7X69bNNK(?;Qu)#hc6drk181hYPMu;NLaS%d}60P%ML5S1b+@T2hK*1)> zz0NrWV4PngB!5kNbQ;cToAw+oAo^>6rDT5baskW>B?>+Ne-6$^;*Jl&(Q|LzqYi(K z1yr31Vjn?RjP4oc!2HBTnwB{cB;zUoPjJi<*d}pvhRg^d4l`}Y5}=>ZTT|3c(LMH& zr=t&Hyrif?(|g+H`xO<g1;hc@Duuh2g|{gH!#3P-^y$1)A!>}Vt}HcwlGHtJ zx%$xoq#=&VNo%rsNmbYGeg{qwtUP8~$nJ+r3tD%ia6>2Fj-muN`jC3dfp?fIDkAkT zdDUqIVy__HFk9T9aQ1^{i7{p$JYjlG5X6mWHx}G*yNTciH1??)-246GL;i^kC>G0y z1x1HONL9xq4r;jL^}wEE+RKf9+CPIEI-*lY48sm;){uTJ&9a#2gE~Ltg@gF>SgT~g z@ape;S7nT_2-;ahoReqXRb!woY06LpK$tkKGcUgGBf@q8bc`|JpM`TNF>b zk4FkYg$}9#?5VpZJr~s_9C)WJ zY5)rKQ?+^Y#}go^F)@M>X0Tk9eWvZ_PR9vCt0QD!_$c7UNBOmiN2$SzczM$mdAo-! zZi4K2guydQ8ANrzJ2h>vxE(@%52hv)0+>QvrM>K^07(>MXoz+Pg! z1TA(NiN`(<%e+c%U4UkuJ;ib32Vs~@tEJ&y-eS#ee5MXba8je~T*i4_`_!!sISk-e zt)2*po>SwQs8tz%HJ+-BKcnlZ&b1S~=CzJe0_`Ysl&xr-tZ1!9y`#OKd_$Tb4?b9- zr--x^@`5Ujpf;T4-~xR+)xB}mKvnrRK%7Mw&Br^nsG4os`o2HKTBWQkVBPd`S80l2 z4s4Y;o~JEuue<8w$>V^rfaj_*`t&?Q+F)9q^K?8@M0GBI?^&LFOB3`YvFObMOd-BM zjcIJ{X&%m9Vp&u=qtx#0`Gm9Ftp5VnUHxc<&V)XQFMG6rC@0Q3Edj05N%yz_L7&R;rVwVZJe1KM z)DDK-SzLpEl;7Gx?+|R*$;Gum09ydw#)*CU_w3A=>-ZaBueanF7sAMktu76fxhw8S z^T~1=H1K=?<0^$q$y{XK<+;iQcrMKo!VH$PviOOUOi`<|CJm%SoGLgF!Ev3Y2O8iz z);!GW#)>+|u5FtETQb#%@N3aDbwiib4x=2@kafa;5E^3v&r>DsMRj)VGum(lW$g&W zC+c=;Lwh1J%t*yK$twA8`?s{>`{w{?z&K^LqO%PWR zJGF6tsIZpDg1rU3J-_LZe>S4d)FxeENri_0gZIONiQWb_-a0uUNtf@H0U-c;>oOWi>Z5`A{px8V0$%q~6=yWGM>kg%Rmr_Q!pU8LZ zD>f=Hj_&tTI0A7jkUh@cN z1~F%;*3#IqC;1pO;-~ooUl(J|$+KSf(05Ju}q!(*kTK)PA z3258AYKyLjm}QCR*nMhtk4o1>>^{PtTkxhan#&~eQPk$p=mssW zk(0(5sx*VjAva6rs%{rK%HyaKj-;PMdz@k*8&m z5D3f@v3dqa_^yQ2NvbaY(?zC#myv~vY*4uK^AGWFUMm7FaarW*B6c%sQ8PHA$I)A1 zbgC-VL3H*wddo(q+?TBO&eWW2Q!UUA5}#_*Qf!yx3eWi8rHk&F=s^6$+|>pBcJmwzn#lMUbZx3Gg1O*4lO9O(4j{tPAcwgS6`DZ zjWc#pE5NV#Es6k*WTxw*0<`({#ElXQ>e#7(O!QT$fJ_l87YHv4FTZ=QaCBMB6{t*QDrX4;2?T<%a2n_( zvabh4tEXr4QlQbMb*d(ljV zDy&1d*?>A?f7t-rXAqwW9{B-^(B4na{Z}+IWo*8#nJGQ;q;XT{ib>-G1-mVIHV_kf zxZw+l@z&6Kp)$l+!#S-x%$=W88gQWDSY^@VNmuToOooPL{F8yxOEAkCS|* za<5Boqd}5Gxp60dI}Zh}nCv_d5pBTQ0N-`Unu)yQ@^Pky4MwJ#D%BvwnDYuvd1^>x zKPYtsWFtsTMN};Jmf zb-uOda${9XpNn*=s6H38U+w3)#NhQIXB*-b)0~|MQD=I8<;QNN^H**JFR!~hahy|Q zqcZ(-OLi=6KKEmT^5=6W=w*N5%t0?cvLdg2Ggh-=wVSaLH6ZsZe?%O6J{F|L3B!0Y zrkH~H$m{A(Ryg)M?=ZeP-%OY%V!HGOQmC;x&(iE#RBcgxVXg&CuJ*L{BY*xE{&l@# zdQ}U2`4f15e-aVXDR9I-xDUETMzoOJ_Lf(9^S&jdB^Z$m#9mAXr)gW+TlcxvD`^swi*_o7Oh$Lo4i zU{zxdK^$CPGND2Vdqd5$v zVqW~&4VHK~!-9!vm2G+E45JAdjn5Aq*Ms;GmH45FAD+Z;&~%qDpL3KzD4q^r&{bV# zphQQ+@PcujW>rVpNv^8B%_tp^trIEBI`SF4pGp;fPUeu!S0~qa_dSETM!tLsFH)|Q zz1vBDJZgiO6C30-=6&sV9<$K-6M2@-St|b7=AEp@mRr?|M&eXRK_T&9XYQ)*A|4MJ zjm_6_or&uvB5>U>uZsE_SJv`wca;Gc>Z+>0T zJfY$Z;=g8>FZ#Z`*)vfGQGN4v55f_fMQ2kmMAd&}26h3aLllXaf+^%d=x5B(0uI!F zG*6Y^eNWF{c_kl(wS0LB4nM~!!e5V{wETiOlXm#H!ixOFj4L>9a zUv_E*)}Z22Z`OdqSp$?y&guCx$5hS{ML;nL17n`)(~!eiMw>U^Mf@YdVd+4a3^oE_ z)KFGm^nx5^nV&mZe79JkOv~VXIBFPwL>4-7zaZI|WsMvd6=r={!s^kXr!?-0U~Gd< z8xTzlMOF9Q0fV~)=c^=yf)LjT=~j!?$b$(b56sE`{d_cJ7$s(S!Qq7tKjyK~Ro@`Z zQkh?26ghv0%ki>7R+aj z&=E%jj{GWZQ3Cx-$u+HtkGzc`Lj}g}Ezt*_<#832V|qaPVjDvY1r#daAigKO^)(y@ zou9dVY(H$0{FeSiw4GuKh$;VH#a%bWrKqB#b69$@5%5oOlaJ_CjUcpt3r7WJ+)zy* z3tF6RsUgMaz*Ck0a+2@7XqIlLR6%qU)k5!`(9!3qoYm1n@I{vV&%gfP_ac@m zdbh{~M;%ejseqQTxAZK3D<*AOUqFZcgZr51??k?_y!0^atG|q& z4de6Q0zSp~BOX6dyv7VhaJAm! z9Ps5M9rzH-TYJ^wg3TZD9&m3UcVXHt6yhR@*Gz($1T$H1uQucdvP;qAD|t!f#rMK$ z6_LCE9G(}Zah}tLbO09rIEZ>gS*G+<{VWmxrW#e?>`AKq*Ze%WyzL+vVg3HMd!TC-$a#OIXfQhab}TDbl_?>yq43lRj(;U`(`9*S@WO zTHUbCZ=P;{rP7_-`}*6@u(fZ2Z?#z4BSO+)X*ly~dM|y7@_)Og=^A)=ma!2G}|ch}KA>p|Y}$16fRWlBO6itLkY$ zv_{&0j*2k!YJOP`--{nY!#`{In;de?>~+1U=={1)2(KmxsqEqu0hcuKs)vwtPnB=S zY$23B%b^-irlJ^81r&IQqp1=L4iD&nFofhH+gWGPFK<$0ArxJ6S>D-O6+;Y})~IXG zpZPW4NtFtYFKblj)`dY~EJ_Q=yfWPmGAKTO4qHMdtg9So<*w4pj*2CKAb_65MG@7F zEb0ak59^p|v0^YD!MEzzPMpxgeWI5MCI;w%NP|+r1TT!-bDib83q^%w^dD4&zCiS zroBxo8md%O9B%rS&W1hiGIWAcWP`#- zL{+QdhRH{LuVSB%Rjn6Vr|@GQPfdg6TK7^mSWC9oH^b(slI}zgJ;pb_L?+OG1@qGk zm8UqGF16F4qiI|EkQppKYU=O2DeDv#hO5#`9=iml!V49C%;Te}!I_e z!Fim3p_6kG#uDE;tx%i17g)qnErSCSa zMHpj~AEtc9WS{HQv!{7c^8vb|h@)jCveB2}+f zNH*N7{D4x(M_K>uC0@s$5UrB6Yh#-hH)?8Ipj#z$$7Z(ilq+JGC0i+fk(Zg>rRXr3 zWTh~c_*QD|ng^Gd^FQZ2&-S}7AqyAlHOo^{JL%nd|M?mdhH%q0=H%(e*v=C5<8~l( zhR#xI*&4l-XL$XE&2H zs5~S+-oTC}`n9fqw0FwJj~!J<@`J&sJI!=rO1#2@>Z6u^X8UVaAZo*3Q+2;4=#+e? z-CdZZ5k1X-&0nItG05j}0c&kz#Y?ed?b7RQcfmc0-dZ8+ z>DnZ*6amE3RY_jz(2bt=rrceRZl47hlgvRMUaGOkohQR$`{4O; zny|Xc=ikClb$KzBgAHV|xPk)8+hDJPN58=u1;rzGikNs@&_OmXt1KBeyU;M3l zmNluRqBW)+`D5QMCsO5q)rbr;Tpr@~xCSw(-xY>kNKbS0 zZN#hts||Pd*9-M*#BRS(&mwzOCuI$tlu3W9+~d@#YC#;vjT|@@_}qnZS@GkpCf=Fo z(dG6u!@C{RJY#j2ZqqcgjZCMem?=Kr;P)!gsz*L@3Fk0MvE6x1N_QP8E$CGXm3@G2g^dLei5 z&Ju_v|M$SeyE<=2vls8|eNf);pjQ{gTg)?CPw&8>o@aDVe!spy8z{XMJB6he4}Q8Z z;y#uJp~F0zhH9{Zd_$&Cyi_2$! zZ09*By|}P{7fp9h%dEbpMfH|e?GH4YMR;Tl0t*U^&##`rUxzC6MOLB1sttbyQSLrN zdiTdz{zu+xD@=U@v%y|0gBAi>MdaCO6mbs2TEkaW|5QnP|M)2WY+drfSVG4dhPEc= zqn6NN+ZdUH2^DMi4g=UUBtP1m7$dwDcu3rYH{Ath8IIa>{GFEM)-T z(aMvS3r;dJHwQ)8dFwhKtPQ>k{ za5OyaPw$eGi|{X3 zxeLW?yQbX}(pQVwg+sMny3T;5`x5V>%`aEz=^3mXbpE_oUt7@6g&wYBM4_iNtA%ZN zM|!Htb=e|YJzHMGPX!sd+lM57D`%=I$V**D=?uPy%h=ev}GwWJ+RLI3pw zUa7)Ap3WN%EQapjFjtr(zd~>8^H<&tA2kjoUA>yO1N=-#vy^LJw4GzeAqH(UZVpE; zKD_c6%7T}5Z8H=%gf%LmLkb@q)@OPs1wqdApQh;Y9qh-rhW{fDJ1J^^40hdaO0Gs* zV;FjI;e%6ab2iQ+ zjNJ!Q2~bL^0T@EB{Qq!rjRV``g%Ep7yU*juL>l-fgfyBOaLBWlCNY@j@C4S`fev2J zc?m}3e_*vs_$GZ|yy0#F?D#LaW9(Fx`(I%N>`KUez)!}E#v7-8)6s_VF7N6Yo(r_8 zJ*VZ7-smBh$WPmU&!nhi-0!q>^@Mhf=LQG#_Jn?qXUHrtKdS`-3k^IgVU?e*6E z9^+sw9EKMfeoj$n3)?R35?OxwDE=JTEWi{RQzM6Vqf0MGb^-9@|8A-;&FxHsLt%&~ z{Ix|f7xs&Zp3BzT0N4kOEnOhpu6%24l6UzwszKojwy%vj%fe!PP2_obOiPGQAfLe+ z+6G=&7j8~}c~ax*6m8N$B9hA?ZQ*(}@(Sh^9VAq_oStY2Z5zC&)<`|1PxuW5Xwq)u zgt^GntuBl6t!+Ql8Vr7LBrn=px-?OC{_O?Qk;{No~ z4Ric{CP5e5oJDDt6;QUu*>Qs*yZhgj7nnuQJRWv`tnSP&Rc&bEaMCCr8S{TFI*u(q9KOjn`9Tz5%VD5#9OFKFs5Vv!TA_unKaSU!gRC zIjH43`i;qz)^$zses`~*4dZ}2@{=|h2BY$1gIq%F#Z*Iu+&e~AEgfrD6Km%d`*$MD?&Pyc+k zc(A|MHH;-sZ*SOJ0+lz&NSIf&$cuVYzi0L#e7(QYtoQ!cWbdGT8q(Sby=S3zBGgXc zH)HNWZ;0d`%6Q=s4}y_r!{yTC7g*#5n&jx+;h3J6PZagNzx2LvcpNXQV=Z6pM(EvO z+nb4`f4`#!@wB!w`(#UsOB$)Nxa4gj%QtONU1V|RX^ycu)kZodf6aYx7kc{dK=d$F4>BID$R`5)3p!T&MPEXYl0Ae+_fS@?LPgviG#jt%o{nt=Rw*0A`GA zFfqd@he1V06b>VxG?xjvMs|CHu~V1_useWS#KBJhXN2dklcodEh0@mLw=Cn>l}@)- zOfwhgk|r=!OkG5_cHvRUJKq@!^gn5n$*Nra=P@mz$s$1gBX^yad3%--`$?+yg|^vH zf9ncxyi38m6u8T2VGikqrWYpt6J?utSl}AwviP7fO_ zuPEQuU?EMufh$miF#Z1}=0GvXJe5vke;pfGb!&2d3ja2@dh*_|88sVtW*ic?vgNLR z8D|z2K}RZVeQNToz(Oc)%(jX7RVs0R;0A82D2w9n;cHVuF{*tGR}=TCYP#3~nSSbf zcWg%#R>`etxa+9=Jrs33$pG=FwRU2^_Ri|S}5(bV7m6VZQ! zxUcjCu&k)cqRNdB2lI&d43AC|VkZ}j(+|$R7nj%(?(r{)2N#=pOJ7hD*e|&OpB&g9 zMaZvC`sr+&dz{hG$*=s8f7sW{f{S0mQ-d-k9@NSPuwnGK@Mf3vdp@2AglJfCnm~v0 zf{LJ6Y&xP3RAy#86V^`uV#fmvrhuN-bJ3jdMfWbNbYIZi1HD4GyvmB|q9y{jmcA_Z zKia|Wtt zNUTnmv4pS&K`|Dre{YZP3>3o&RYQmM!lCP9M;nmRzIVe`yfF|Btc3u-;G8gq)b-SJ zQo@?$KZjv=$2OSd;O5;OaxR^3@V%rjsQ-d!ZDBfHV1r3>*LM7 z8!4vR2lgFVfAmskRgDD0w!DI$yAl>-)!4wk{{u@Z8 zey^5Qh^EM34SVVzOXNc`xmSntU_z|B`2?)OiNq5Po4NHX3_?hI8+c{aG`kj+&Q%F7 z_M;_uMOEIRt3+O1)c_FvD0PkEB!>RdAM51F(4XQ|e^(2lY?g-fsydm87CUY@32m}=fDiCx`9>|dY+*5hp zJr3)G;^Wsqs(*?qtACDt1`s11e1q5Bfh-UIJTdnf$OLnj;h!lBCa8OF0|V(e=Vg;a zmYZ|hS*#PYt2OG$0`Mw-=K%hdItLps{}i{;f3-w!d7VY@)6r#wd-F00emS~?=&hA! z&Z6Z0J4u;;=jHK~8{Z+q33Ff{Ak%D@Uml0HLPO4x2QcKCU+d;^&~t*|_;fHy0|@tg zoJP^T{xOP72@&oFI4hiTPJWcI=3xVml0)jJG?_>#h;qUm#Emtl ze}4=g)?WhuNxR9VpO&}JRDa@iCD4zDw*cHNf8u8Z{dRaSz`g2ER$dpc-B?pX*vpil zWrmj)eWp$JlQwx`B%1#PE-7p?UH)lKOGvM%>W``T?X%JB?-ey+;DQ1@_MDcGUh#6O zzw4~xB{|GJJCj7|zhAqFoe`HYWvZDLgA^GDai}0fWH|@HoEo0igNEOZhm4={qfpEbVGYQc_gK^?uc9*uevSPraqT{e}an)LIFZ z%`E`J{ndy2Ya9*?njkosg=3)lfBg&ISD(vP{&YzW<^|AS1UX}UFWgkKvaWS@=d7jt z7QLgUao0&zcXG#d`|?5>?GmSWjiOk)qh@&V4{>hS6i;Neka&XdOx7^!ZKjv*pxSmm z=|@rGIjN@m<&ga*ug)~bum8(NChtp6>eIhQ!Tr9hwek-2ls>%+RNem-e_AZenLMmm zgoA(9h@}tpd-BeTPl`-uYRrzMf66O}S7_c5|2FQxc=4k7J??1U5r1HJXhh-fId_P+ zKX*p_+qm;<&K-6~^N#q}xTEG<^1iNl)yZoM(pFLj2Cahzizgq;r8#a&!%4j{w7eT~ z&#KwPGYo<;AOt?Ol6zDBe-h`0^!Qj4K(A!DS@x0MOPq~^8(Cha5BZfpkoo|&9X-LF zfE~13UnlU_c#&x+flz{=48ZkjKl2m@bstPFQL$bValPPM-kjyxlwR`V$TgVy%{5Z{ z>0flRSWPyJp|_u1MrSmE8IS>0( ze#z+s$fEcVjBE<9H0ZPIZf|Lp-n!x&GgzMQO{40o>V5NVW1Gqba~3A8 zgUEl)MaK2c=7^lFgb+gQN*KGMR09)ngRfB8K#3D9?xp;#e|)Dt;_NrOt0eI2R!+gv zpoJ{N;WY84E=%j|k4H97sS>>^l}lk+a0rXl-us>R2|`Af!Yysm>#w;1ED4*r3$U;y z#j$M0nCG-S-%FgGO3?=g;(p6u>W=M-wZG|D%&Q;liPZNC;XZL@=VJ!*tR|<^{|}B9 z%s87|U#D3&e>OcrxTr!WZ<&(tzvaG#t4DP52_ZG9Th@%ut$l?dEHdQuoTsT8{|z=T zN#qGCCwke<=>M9#|1+z#$S8O8XLkQxblrdXdCd~(WjCWaJ(}9jf3@SB7fx#(Y2WP_ zaGpiG#ms;85n!df0Qx}prtY`t^#&`7UoK64fg&q+e@a-a+Ie`tNt@8xgsE*=x0~PB zqE(sgA-YOz*>W;Md=I1GJC2@?c20(lBl^0@`%!g#l@Ze<7Y2F18Qvhj_NLw4S=Gj5 z;|o+(njCsG;G0s)d-`73B#1kjQ&1DrLWC(~QDS&En_Fu?r}1bGN_b;B<3LJyr||9w zS;{Csf5~t2O5qEIKa{h9U(N45vD(HsuS_8u*mS4GmCp_2RxQ$BXBF{_o_{20Gs{!} zS&+M(f4hGQUx1k2%z?BxP7ZBVN7Jio@sQ>YomQtW>zmQMz3cGP|C;j`f2zd{q{VS^ zXzPF1`D^N<{fy4v8O=_v!*+#LKTvh9OSNX4e;%))viL83GpTP-YIU@FX>VxxB9y1~ zYJWoSkJnqUFB>2;$$`4!iX_GE+WsJHfw&bp)7&;#;ia-x?&q8-LA@1WRj z&A6vp?IE)8ve=h&( zl77#}^nox9J5CeuP<~KrBQBSHR4=F@lMzi|e-BhW(70EAstZ=>e_FN1F2C6y1(k27arR~uNSQQ_@9&lx#l?HVAC8rn^+2s;M%^YZ zt}1>U!@gjJ6f46p4-HJaEAKGve~xN&?JukPw4`w1tP&4sO zJ=+;Z`+v*-+=_+@rCo8&f3tt2Nc4&XDjF%=#L*_dI1j`;jCl-CFPqrY=FN9;&J&l+ zod+|CB~X4(Q_nVr(QA^Hms&oCKCi#kHGVa8jFoNT-@VO~dj)^xP|w8rf95Z>P)ZR> zimFbZ=Jai0WZz#p{lV|_v+qxx{@^r&v#F~vz(khK^N-@sFLx7^2(3h`a&hlHt+JmY z>pp4nEUw_J-lBJSl>z6*zR{j>#pY2kKb!Pkc$Ph^+dM#43nlPc_Zoi_Uz)tV$zSJ5 z*Q7=1TBF$CB*iZ@|B|qj=KOF%=1FrY)M?N!6V9N9Q;ilXilFX?LDtX(3+_ zN?SA=m8wicHQ`*NS|4VQ95fqA)(6%*XUw9=tY|$72OG=OP-??Ps-6Xc8+sB5jp6=I zn}=67ke=hQWEY&praN`!cvqX?b*#4&9{wm7m#S`ZeJh~pEj&ZX=aIdg zb|UTbhTwP9Tq-8DP_x=GSa&1y8LY6KHHf4}CYXFqVzVkK>-vUzvkErVa7OuwE#G`13ecVP5fy;(|`Tn|NR}# zC{}#g!j1M<_|Ts8R!9>l-%E0@=yb~t?FGS#9(GLcq;^~O`y|GGYpL3N9UJN;=4rGS&=z~}WxULyG6`KFa&$5a_Uq~_S zkzO>`rx>-F@EK6Oj4Xo=xr1853EDU<+kq|NEOQ!kz#Y^Q|DtwOL&6ll2g{Eef1N+; zy3OUUo7VlT=$9Wi_ULazzx=rI7XbD-g#uWe!^~ zHmyx;YS_>!pRTNZU0RW4(9s)C`-+F5%&SZH`HO7g9JY8uG5l0dDD!wTDU0_e^(d=F zvPo?!%qe*wLw>F)&hE=8CB^4np znwACO>G%umnwAD}Ejk7t$Oz;YkC^%;=M<0onmMT!bOd$jH=b6r8cesL;=u?yuc32GO0RkMS!c&ls(1!;L6p`_aVaWJj6kDG4x^gb ze>j5!4SzW;QU`J4))e26H@nKapStUfDJV~UgJGy}2N`mP{WpVlJj&P{e^cG1d6rnH(Unp4V z4-QDYZv8e@;O9Bp>oQiS1K!6%~y9;_85YTfa*;Ox5Q5 zQ^?2Zy)%kSZmvwjqDeC}o}Tq-$kd*O+3xha^psGI+^oy^;^~#}ZS4O2#u^H?HVY~_ z?pfasd{t$$EGwY?Csk0v&++Lb_k?D^o;}sepQ2n1C3+~Kf1swE zD}}EqkZdA4T!CaNcFlun6S3hQO!u~{uR7xf>c+S9JEL#-O->l@1N|5U_Ou4~(l=v* zO9TALHx&MYEEn&xeAuit_&eOdF>|-z+#rmfZRRd;cyhkw05T7sc+y!_LuQJqmBs0+ zPaEJdtm9dBRV}ob(d4=roxuz?fB*0rY8KnX!5<2EPDL<_f{YW1ZPTXXMQrREU$bc@ z%T!&_PFlBrgN@^BR*M-o?|(aPt11oJ(1=ku~4neHuz7f|aNfaVjo| zfun^p%*6n_svNs|I9gxBT;@QpCpQ(ixsN5R!0gz>dR!xwnmLIVy`oh_hL*O zHx-P&Hl9X3(6xbo+_3r!ed8Ag|)0XQ(8KT` zXO7&`^H-9#M|J}cMcT3x17L3#C~uuI0TVpPkNck<#EAi>U`*qurzv?LOVqSgebUw0 zBcTK1+SM7$9yI}1UpW$4^vKT@1+opsa}FXL(kY-E*mRn3e|!5O|Df$-)_oP;X7ydI z|Glm|Sz=0W{R1E6yRTjz!3_=Dmt6=J*D!x7WxZ49&$PMZy3<4V1;cVHhdXZwRyXbH zvLC@dl@h?IGEe1Rp~ap$D-Y)m01BE*OMnyP^)5iKxV%RBQcbS+j#i*)puO*Cjxa3W zXM}0fB>>^hikN&`UBD0E3$4UBshZ1Tk}L_iu6-TDAzD*%($dfazmychHMnaf zP5N`x%ZdnvB<$y@PN3Ht@sSqgy`i;FY3+og8Nr0Oe^M)zc~4X5EsRi)wBz*eJn=+5 zodNc#lmJfoPbi9EO{m#LHsbZY>DVslo9t-;KbS8E_halsIQ^IAc23&7`7X|fE2ILO zP;4gXdfD*NQDx&tip>OFFT1E@{WycX|1dBGW*L0IBBF=0fH?(l3X^k5Ksalm-CL`Re)u?mo?vU6b=lXZjPw?j>Cu)-T-&Kew@I2 ztD6q@@GZZ6z-N?(#62j;S@Zyo{I>hZ>pMty8#^8Z;c!%qk!%>0iG&_g| z2Ip`Lpt?X#v-F$zLS4(hz!(Od=MQ2HuE%?*f~e^SE*;Et25AuG@R~Qty(tbToZtk) ze`!uv*^=qZcgMV`(h~lrIrf~27uxAnUTS9(U~kF;jO1?t{G4x-Lr|4L7`huY=nQ;d zXJ8p`-ZRE&4{Q!BMb4~(Smz~#vnb0y3@RnH`ymk`h*9x=Io z)KMIlc>L#d4AP>I@Lm)?>PC0!#zqDN)BR zvA_%_2Gzxt8Tf$C{0djbj%?=!x7^k@zoyklc5n-{q8wufG-TZv@i=x2hlZ~ke+#~B zMg0!9rS!chi|&D?m}A;8;KTyhX^I}s7T&_eY!2&54@riMpu@SL8u!z#Yl`=KchqY} zXD{hFr|2PV;rTqr_eD+cH;tLV2Xv;dR43`#YvgD6 zG_>QGrQV?%+ZB3YbNyh8?K}uK&|*on->S@!RIgl&+0;!14{o28XAah>e^;ld*uaBX z(9p>$p1TrY(sVRqHkm%H>``}JzUjX8!PgA#+`yX=sOUk>L7lVsp}bLl_j{&su}8FL z%1T3GY1r$Aj@+x?~uW8MaNsa6%nMg^n* z-V9NP8MY900w35El^^9-f7qf@y_m)r0s>ppHEB`)8gH0(XpSi%m^<9q`716bZmc!0 zr!jtLUw+9I#m)>bsi}m}?);XEitQO)RWl-74Ejj#WrvIIz()FBHyt+};bbx=KX4ad z2JO_(0{ktmouh%csfd6KxV1V}st@?%7(!KQ5+pM5R!hYO*aIC>e`+2kAOmi#&RgD` z^Qv>rgS?qcgQws05($6NAA6s#nuO0&{}XhiDKW0?q>)vT;+h{vr+F6=if)lRh#$s< zaX>$eOL*kR40jMe_!2sx7fd$tVZ^)AgDfx8$00Nm3H}>GQx~2NuzULeocf zo;ZjNM?AgBh4JY_jD) zYQh;>_o43c6aD&5zsSAP58ZIlq`1=PwKztVMmMtnmmsbgf7bBo5Bc<;abr>zu+Xy7 zExj5QKS>W^jb24dL5(S$L>IEi&_3kPuDnc1zkJVo{+WIkb@TTAxTTH@-A(t4PE4bD z+9G!(Xh*#GO24F!!WN88FTqXuxR<3`+U3_-gYf+3$yBnbO-Wj1Nm~A-k2Wc)zw>iP zNuT8PTISWIfBXE^J_@N$kUBx?1gjIQ&dH15M`AWgQhX#;4$b{(^Z0f4&)O`C57A3{ ztva~Td^i62%&X*9w{79ND8>=2jAq=Rf!zuZAq zq`uCICMwtaN_SZHQQeG>Z=Q)QG`89ZY|Ayj){QPl;S!xb_4wU=A|2{e)WP-sMTLQ# z9G$|y*UHiLX?nS=aa%Lx^XZ-^pT*@f`AOxDu4(h-u>kJjyhU9CbP26XC|#BgxHx|~ z-!N}re?@C~XGLC}^S66bI@zfA0`B#@^fOKV9#aukv`9B02|$wndux+_;P&8AN)v`X z3cuS4p5x@X&dg~-2e!kb9WJ&LjOfuA_gX)WZ*Wb+8QB2*8Zau@uog6VCm)Tsx-8C* zBin$Sf;mm-uy**QB8u#ULi9*LWTC(Q$}1kEe|u;XfRnp4PbRdt9k>&`)efE&ZShZj z5F^Hf{FFe#9(J7pWa1l4lsS@W9#4x{@J|qt-)SieR2~T^;)q2&m43oxbrPS~#SO1^ z+>nUhh4ZBiKSil(A3ieSw|F_@h6Yg^D@6VI`0y&yZ6Hgcs8U-`wN4t}jbL}x{hD+Q zf0To=oDN07_6A`mX|1mg+Bn`3q|qb}3xBHc*K+h_X5PL#!algh_`;Wj6ecJ>$V zjQ{kt0e>ubUwp&`g9!=NGltXa-0l}oF`}8A>s8;%`=zM7uItTZ6Pvow2c*G-yFYc_{)91!->8icESfE7*?F+ z?YSv#UERRSM@KeuQG@6;z+z6Pp`?xdGmcd9{(w=!pLO;-Z8T5R_lIC9vjT&df6Avk zeuTA|tY~j_Tj1x}Lq180v)|D0$d*16B3MX2o_ws#*-O~^pX9wMvP%v=vZ&%x)lCka z0$Ai~uKhOE@#8u0UqQ9nPhz38iokz8t>U~Z`g0ZgV+$>RI-g% zdhj$f!Fjcx9>6m_N*qL&i%|hKe@a)bjyYS0Aq1a27cwcjp~H=!J{&`BLOnmo#F(>H z7%mHp7yv&%(G$_ge`}nvkbK}Y!by=*M+5jBepbI)KU$LvJ72{&G6slNP76Rn28Lss zq%QA`I^6|CBKw=j=k}Bin6dS0qKpl!Zccc9wc#Q7qOG3Ie{I;pNV-nw zwE0bh;Sz=cgq=unXl~TgR6W z2p;%dm2&zlc+*>4)2)DB;wCxEyG>GDAjqXI*5O@!rp=g=E19|HbXB-lSjw}axf?J%;#(9V6gt0DIH`n4z7mEW@_a`g0Kf3-KreczzUO5}~x zPt0-t4wmY zHp7sxYhTp*uQDNDf441f0bB=y2nC za$j*KQVKGC)K>)krrKID?+dqGu8XzJubra|LzBsi1gFcxf0sVWH7T-8)JG;iaLdRo zQ*PHMVbayeu3e}DKQ6i!UD+Eoy)*g4*QifD27?;+2Ow5DE^1cn<8f|< ztA&*SU8}5pFxMqd4o6BlXbT)*J$Rt7#5k3x_&aOxRDSU`%SziyAcQsToM)K(#L#IZpFo zf_~4RqGTf?sI!e$PC7@`dm;mc#xIdx<4l!TXuAj}>XwDaCO}H9W>xZ1+qIe>y7EM? z;$;>mFn>$~wb80S3Ozs_26t~lPibbLS)x>%l4ctAfBn#vCwg>D-ir#3i#kvtUX`>~ z>Vz|lwK_-CFC|mFL7~;uDqJAi_6LN8yXHY%iKNq187Q5MbdIX`Mn*OFhL1)ySNGYB z>7NDXUlltBK9jR7Ryefj|Er?J{OcYh=3f;f20l@Sicw`0xtl63&5l7_&yun99YL=Qe(T6i+7Pkz3uBr<~t8UF9qPy z7vY9R&$_Ns!O4y~Rv1`e+Dd=>nxT~mc0Kdee`z0vq7iJCyb>`(d5=cM4B_=p$fWbq ztFw*5htytRz4~a2(@j_2xS0a@fq0o$38Q)7!XqDD2tO1c{X$_8>icj&1f%Ix*cvOK z$|wKD`p7aC)eFy|7Sn~1mAHk;&Trk8>*(exnsC;fX zqv>F9>6m0lI{x>@#ta?1X1qQO7Bdz{J{TH3AF^U&yYL4`rY4t*PjQ@U z2{bdMnLhmDa0sfjI}W9Jeu$*UI85ZFf9N9W*`W<~Cu3qsF)e>!Xf0ki7-DAoPC&f0 z{DC3AyefVvz7BTxQJU#vCXTE*M=(Lkr>ans-{~t&kb)E4&xB!;R2bSUoB_xr7$%`= z&$LQ4qYJ8R1$#q4Q)tNx6VExh{x>RlmB^DW{+R#p-joYTmv@<5t^Z}V^as{_e-Wf} zH)v8?qWbjZyo~EQYR*-0{WwP#hbo^f8Gu-(#4;2+kUxiuC?k0meFzNIFTd$8wB995 zWSb(;u+n#9AxfqafbESywO$urI&%H_ufug-E6=qbw{i)7o!#|qGtY3a<*(Gwjf8r2 z4yVuTu4`MnhYu8K3HC-o%^XI-f8c|~po&;ZC4Klt5b|BGMd1AAb_;>7MVVc5xRH5X z=Y#rev2)B*-}mlI1&(wm%$h~59R2ix$RJNQF4Vie`)<*dzPO!ZE}ey~9Rb1e-rg}6 zr3rw*f8?_bhBTV|=hs*V1lGiS(7voa(bps6YeJuWs|yIMQ!~k2K!-l{e;k`jCNRS2 za9E-Kf`cm}dlruRK)hNbG>)V*w+KYS8JOFYWQ5J7Ps5X1gikk(uFaNT%H}t6p8F;+ zwCJWg8O|-6>w%r$HW&;=)jl}4S#Sa$_crBy;dp9QoGqw23@6$lrp81 z8KpNI_yZ&hgwXiJ^O-FKTVavKSEH|^b^(G0mgU1oBs9+B?H3!J6M4Ud=hAy7KF&=T zGRf1-Wj2=}sZtr@v*xNa&@M(}`wImh&ybC?8BD^psTrFG205=Ph+ zP&t9$sB7Tt&>ri7u>|68)Qu4ZcJ(fzkj3KC6srFLev3jWYWL+a{6;12R;fStsyA-1 z_SFaKv$QS&pqvL}**59P9gTT|(w6uM%O#D_Q_5_aOI+&`f5c0CO$E=BV4iha7;A-@ zB`=2QrqC3TOPAseeAE4_DNKLjzF-) zB};w!v>KK1e{WXAsY_q`?VK~EQujI?7w?BlRa_z(o*CSo0<tL~IYACy%bdYJ;qi(#AE9KERMyXmV zy;ZWlZNd|y;4i?j%WkcU4FWMVJje$TNuwu`CDW5_Y}J!HmLjAs9=3Z_$Sj3J(Oy{8 zR}5Vrf86nJb*Y6VZmniqH5S0B-{@+t?Ph1{-LLg^)UJXcDyoQTwL*u%3SBdIy5YbV zAbl1_ah^t@wP4tM+SZIbwOTaB^?RoiP>bCt6x7#I>kEPIc?i?M1V}*3gX`yHYxVCx z{|(x|lxJ)8J^(67+$(-h#{L8)XNmG&1;e>95f05C}83M_O`d?h>;HB8(V#KW{J zjTvcr!Ix*dms}{%gr0Z%?x5y7>uPpqp`I__qB)yKZCKqNMkRXf05J|BxPrnsh&9R! z^vVivtS{IHo|Gk+F@iE``z20;F z28}vk3T`9hK1G&AYV-egZc~$9} z6^>lbj!>!cFp>~I%*g0wYT%YMP|9IC{kpLQds zzNmY0A`9%t+DKct?anVnHGG<~OAkX%4FuP+yDnBD^j=iS5fLffJs*A{(H45@ht}O; zXwepWZVOn?$iOXUYw&ARhZ!@Xf3*0{>!#u{blcB!hxfSsiMAx6f}gdPm}P0Yd%x7% z9AyD1hM<;pag`T`O!6GV0YA>w-g1`ZzZmDCMJuee^4RTKbn63RtSw%ipSj(4`5H!Y z#%UUTpJfp;FPh^$YPuB`HH=l2h8P%P(op*hn(Ev)Zx!^ho9%({su-4Cf4-+1zWlcLFz=1~Rz1#^aQGqE-2!tGHBI5w(oyb95^5OyoN| zBn{-u(&OmJVp8vB$vRk4e}tvT)s*X_&8H_1k1FFx_at-c+UL=h7P71(--xl;pVi8U@?WOqF)eRYv=10m#*5-4;V{)T;;wn4 zVlM@Rg@iH^s!kj!e^f<`Iz2Gr5tT>}fJvmc5set|h^KqyhRmpY6B+?^%ZdkDIts-b zk1JkL4&e~e;WJ1b0XmII_CNwB3uw;rmFD9d-rX1{I8f@$&3H_*4-$H^)^6F*p(F6R zNc5z$-IA>iv2xFZ2T0}_SjJ6&=Zkr8gFJJ>jEeRNWA136e{C3mDqEr#$5hi%hh$ev zGD}{JIu3kV*{g>!Pd6Ob;v+Avbd7}LSgB&9%97~8v3j`)uF68am1$jFnI3#!>t5L^ z9P8J*S1vpa#4ZBR)_uGrnSfzqA`QWPtBa8?`37+^3cXpz;&YT1mpF`C3EMVmV@g{` zsb~Ap3{i*af1ae-I{kXbBws>%=^1c9nccS^Z*M&}nCO@CfO+UTg_G901_%6ASNH`C z1Ao;um#2>E^{|{TaS}We6xr%sk49eP2@f6zsk9WY0VKH6)D0xvqSY$JDmdq0UXhA7 zfq?*JOewQe`ZBI-DFbw_Ygkd5t#g+5JWBZ`&Qr9Xf2-vpO=eDdW70v#CQ(P%Iivm2 zxDv%k6#ifAP^Qt=dPLCYuPLg)3`>n|H3-uh2dcfWpfm#npoQUw7po8>zPL64dezF* zr?cB$sJDr4?(m3I@{*qj4c_l`;?rDhI ze-0Trq;)6T?takgrh-X4o)|hgWZGeCcU9=BL$WG$>(z%Pta@FmHw3in@j=w~4f84^f^2AzC%y_!vcMHyKwmR2)M<8-(I0^7b z3|-$lMy63_0-2qT*?XL2Z*lVJ8g%g($4I-hBQuUT-{}}s9D1~7aot!a$P*p~^vS@d zb+MdA-LHBi^5Ur;5_vKDd>D7RGT0}-!;BdW;^tCuh|>=B3?i4we8t&e85=9ie^?p1 z^9z$USM~j>dQuGuJJ9Qq?Lt?(8W%lREAn#~N)QeoqtccRm~vpb@yo1`DOMuo$9*_!2ircF z4Y#8`lnt&$4`dTg)|wAT1rqs*e<&^U3r}6bI&|X7E{-VMi6v{zhohpS{4h$((yU`V zJhtV7o!d#YJ|EBLh^MK6Hu1jt96&c1y~iTERy=}UUlFtogoj2+#NKJxd~q6x_5i}V zCBle4{#cWhtl2qN!RRZ)d${aV9_ zG%c_r*aHIBHuBZ2FBn@mZnX`uALc7X8+qUFtA+9HI-AL+<~_`2_5j0zd0jRo;cX(9 z>Mh1Wr}*g-DiL->$B=-de^=qMmsCBjv1Li()j#o$% zlic?Rqad8076dU8G^Wzka$9V8n;C7&v(>g}07Bs3EK9I!g{EjJfBntli%47!Atr#% zC@Dv8xHGz=C8bCm!;Zd1PT`#xLhkY(_~2<&{o~dpb|v3RAJh6+^^Ym_-_gE^iKJRJ zQF0b?r@D;uAV8ofhN74f)m6FBawQT-jmvw3Q=7tSwm}#}VXPH4RJ+XnwS-{gwQ8ga z3V@QPn%IoAQN?~Bf8gLMU3sXRCSba-fbNF|3yuoY)tWONmkuG9_j?PThCb#3(xF%^I8L!??6fov zleRkworHzK$a9Gz^T0C2EHC4k{UWwE&sw2F?H+*4k9V;h1JX7-L`C1JS&p-;_>Q0x z-*+XN;9Q$!f7HoZoju)NScHEenB~+tAe~F%rXVuB8`?_FaE=J?s_};=Ni{% z@Tr#Kriqg?jz27mEQ8umF*AA~rG$nlO-HM^GioaQqvVdS zDiK(Ae`W9^-xVnpTm~r&q-afxeDSIg?;@FfTV2PRrN&xbWRNEBOX3{oL@%32u5}r8 zwvuC-Wl+jvBoEgrdH1w0VUk`eoQ^mE|3->lSmKMwsID$fO;zidBwea+j%lbGRlCIg zMMM=(iYkq2@oxy1^F=Tc#86OI-x8-~CBC39f9NOw4Zx;S!$6ItY>C18TwG!EoEmXM zx?_paRjnjY;059_=dE12o4q+gzv!`l%`xjByBL6rD4*9yG1-IJ$!GK=XbHhRJ z3PTHSwJ(Q3Yhlu~P6s3TUesWV?Qc1Akl!wZ`Yu%WBjtjTixFq5@#B}W`R(L&e^`iU zrGxTx%i{_-(O^xC8Y=ob0;gK@)PqfX{P3|a#CG`cmKUT&@7Ncnh0oIk`W@F7K!%?VO$V?afWZCT zti!IbC4QQAgBcA5nW*JDUcF>Re-dX=Ct?k*vO=?6bEtow8@65N@Y>4(ocA-G4M8W) zFr{uFo34DOEgGVfByXE*Q}uT z81;~=qi@lipZIV5w@fPk;8j_PyqVFiXGnGO z!FrQU#_pVCI?SYlH71q;J++23zx;YdoQ8HAHC+4Z+!#5;(qm-qNbCmKd z{yh{VrJRxSjt}3Ee;gi*K_FW8Tr_x0Z|%rb`nBuSR9a4_PcLDF)6dMEj!B7``o5lQ zb?!KwGZUa(;vcK4dwo1S(g3p!^bDMh5Z1-(~;M`8% z-999u-sI#yAX58RB0G{jAi%a^HP~ua0Fyv$zkk%NF;FA6f`LK@(ih@@ue8m~R_!fO zv?86_y(f4N^(3&I&mHh`&ozC6Q!G@|^bHllKYyO_mzkr~cQTK^XsI3H-fStH7f zNA`UsY%E%G=jM1CHGkp_ldeykRZ+eV9#i#+Qai%E;W*C8(m6*~IW=lti8vGgVjPVF zoF5&%bdn4$_@m?g3bHX4Kd&2I5Hw~8=Xdf^!l1sHzRX+Ve3dP1zhzv>^yJp~6)MVw zOs;z2Ke2p$!j-||xS^e)cACEHWcgShS{3IX{GiZKyMku<@P7=gJ_4OuVXzf1bDx_0@H=LVVz1@Fq)9_ei*^J6cg%{Ev-sM7eNtcI9LycsB{{h-0UHIRF%@`|A zUmP2M*SAah9OLs&FmC$d1$tI1|84krI>|e#{n7a5;^Pd{*D20*ut2m@W|R)Jd%)6t z5`4&YWq3row|{;TiT}L=!0B+_}Ngv)BsG$O( zL(nqSrw0u5_B3+}tL^O5dy|$oZ-%PJw&~q0RM$!!ea!SMf5P5F|AJ%rg_hrnqN$rI zF3kYk2z}Rc!ntY;CW}|vPUYteLjHvPl>UW1v}9%^w}0g(l8l2_?i%ufOi$@~fyk;j zuqaGUdX7@iNh8iqL+O5q&=hs5$4WGJuD6Y`P_wBL+s^!U!-N+=I3;Y&t1mIXbhQl? zoZVI{wB>s7FLGIIm#19GC1Hms_uH~iY8j~QM8Ush!z&}`nLcykhkfus*LN*+M7$R$ z3)+dcfq&treQ4agiHCxTIF?7Z!C<6fB3kOGfthGNV3>tSRAEikWcaDy>LmS2X#pjb zsxu;$t}4N)Dh;nyUQ?jBK85$B;yMlM94;i@SXO^ zB*_dzGmOmi?Jc5-HAuX&W0TXWT;2;jJQY>?08VG+37tyLj!@nz_w;( z5r4y=L=KpC(Ax1uO|FoS-{u!riM+fvW>s{MlWSwq8bh8R%`LdnJMeSub@6TQNb!?XbaCzE>`e1IqS6qQ$xmCc6(p|LQQba32`@ zR}gH8_X=f6=i_~-`09FmpUZ+)pM9|SX$86urK#d%M(nVCfoQSn(-VlrVG6c};eR(| z!96UCLl^9U#(x-t0U}RbI|pGFW9aFy&>4X7u^YpEY926>{a`bs3RDc ziqj&{9px@K~Fm5sZ9+~3S{uYaD5qGnpA+T%1-?gdCD-m19zjYJwG2qh0DyKa?w zHSScGx}|j#Xsh*Nzs#;5B6ocg-NHX9G#x!`y*>#z-TXK7Pt8!R)|uX+(b=jLjV^H> ze^9+JCUhy@M8;vOb|bxw+sSbwN8P+WCdQc@&W2^h5L5|bN5u#37R3*{Lw|J~rF;Ex zAUMYv`lx1Jz%qKzuJt*>F@axk_M~VTx@5-XP5&E$FG{CywMQYY?F}8T&Nxkb(>>X{ zLro)pF6e36pSr=?o%~Khx?f) z^D~wV$tdk-iYeOYJql|d0i2ZrL*x`Sj~oYK1dU!fWa!Y0*%nWOpifW_*Ef{I0vnh6SG4@4<%Vv#-9HKBa!iK@US(?0JoSQ|gKOU4bi zUc;UWyY^?jh@M6~uYZmCoLuM%lNXpOGyNg;yCcp+tn(c^K!4IxV(c&l{^YoQ$ds1m zDtF1E`ifhQMJktvV5Yts$yTOn7us_u4)NUI2E zeW{-ke#b2Xw@kUUobQAFnv0*PE|O2){0Z#AF4J~x?`zYi#^Z{Y@~z+rZ!^?lj`s8& zX6Sfr#!$-F)qhhe5_t6a_EenVT}Ri-DT_>69CyAtZ(e=ysLo>fe*0WE4|K+~vyRWT zq2@((foT@G)98bssTylEZlUXRZLUQnK5&4HD50G|?e?UNiP|g^B{OF2#>7W7);=0= z#G`K^|M5DBOP=b>D~gk+tE&RD49qfRR^M4v^vTmB8h@)F4Ov3s)fdM^@vY!VTeh@O zrj6Q7T=yufe*~Zl^I!kx|G-|2$glj#xI-^)X^$CuL&w`NhA!dPr+n3KgO6OzYyODm zO)yiAW;mrxQC?0Y#$`}l_}p#7Oc_>31Pu=vY=0aoeks1VoroGWOpPK>*nwntXo!KG zh{eEkE`OOsYPSRUM;)o&A=#U~9%~W3XYt1$atO3%MxIAWY=1y#91QfZ<~fWIFnSV) z(BB6;Ff>ZYcyEsodA~KxX6>?!E`;@$emF#KE^?z2RpZTQjpUhjG#0%oIhRxMeIM>-k z>*UNYT#s$RdE(xoap37{g2|{J<QJFJx%v}M zYczW6w7x@Oqa*NiRgMZc`D#6`kF$xAYgOTZt0y0O2Cvx4>*)Bi2P`%?6e@Sh9P(CK zzkk5;vmJ|DX7Qk$;NPyq&#}n=9OUR0|L+Ms&Fen~Ie1O;UGFOO_3giM>pup$@k^h3 zqQ6$+kHHRJ<=^VKKSde+yuU{jYv{S~N^eYhW7=ES>*{FT=W7WYtCwkA9B|^~WxT42 z3dWg={435xNC zfLY$Z;`|qjH)Q~m~?x52DtyZv}-*4pF%_|W|})SF6{eN4V-@r=;5 zM}kfsN4>9&+;Qr(pb;;dVa*lci>mml<4c)6DNiZ-)9>H^n7to~_rJ!GDbY z82YokZiN>{(BUu)nQ4^q{Nu^SUTMrQfDp%{NS{pk9Pz#tc8I1NXW4V#L6ph%7SeaU z6>Vw#OQiGXwK@c4V@@w@MYW3aRNk$g`V=OQ?HSzjycO!YjKA}CLU;K!e@fiwvz^hN zd=9;DgF+=(zF=%pQ<<39@aep|qQ6IT3$M&&CZBB>Nlid&q+VEzu&0Rpf2lsC*H%KhJPbIs;r08%H&4wxDnj0pNZ$l6Niz<2N2d|FE0*tZM?i!@yCVd zjsC6z)O^L+6+^&RancmebEjyXvz~Juw+EfG*7-P)U5^fGF;ZT5#$lU3=NNVUGwok} z26$+qnwPP>xc{UJY5X9umc)QfNC!^jDgXIn4;Hz{{~;Ze&wnp<&b-Jy|JZ|LC_t(A zB>%!ZME`rsYY&vgBE*~Bv(!g89i_D^F>W1^`k9H>C$lsY>u3D_8Aoqb@kuO2`WDwb zr4<$bu3!e4YsOz-ocvsbcH+RTlbJItOodS@u+uHcIOP8X|JGtMe`0DaHgq zG1H3s7S^DX@?0DWjuPB6;1SJxQ6<*AKk7^kpAhP9=g85z$L)CJCDI5lZ1uAqccXKP z;2IB~o=6$G&_62|8Y4p&Q>=OI_EERBl`#{a2N~wQ4CCNQ0?lSywhA*-Xpsy6_LFC`Gd9)Y$_Oh}Nf&?O-_` zT%};AGRa)PYtPGDQ8cxDQ7j`0FJFhtYTN-c4w!Z@@U$8|wZ^HJ^6uc&8mbDOJ4dwy2qR>oC>OERNt-W-mb(a%VK&(C_?sv^B6$35S)eru9v z+m9!1xF$~Jjj|Cnj>xS;KgDoOE19aDdKOlq<6h;m8y%F~v*44Cxed~s*B6Hl!g~-h zcXOJ(8)c7J@ky#J?nMi#skX(`YF5=$eG@(bnSZEP>SlNdLMD8d5k0UmlM#+kjHkV-jCZ=5oO^F3sYhy@pj0iS)c4<%r0JAX#y5I3uhvjhtq zlUX3(>v9lnq6osu!yN=9Vu3J1J%K3YYk&Ah#cRWYiu-!Cx`wdK7onZFsvQC=ce63& z{$B3Rlyo`<6qWxwE>uaDAy4IEXlxC93r?vJxNUf%$vrM2hhkS!cE8Q_QcV=)4a2coFEl0<>RjiPo|w|HZ{&E`Qw3 ztdlzW@MHKr7THz4ghQnu^tt&B)w>dkHJS{C4y5}b(t5y_RxyA0@>WP-iK$uxrF1CX z50nKDIr?R^GKdw>b@~w>Uw&@QLq|Zg&E?JNkrV+#Slj(HwlD7`ob9 zT}#~Y9Q)1T05+HCYlt z1wV+eiBFFeZQpgQ0jbvOWXUUe4krP_!?wVI9eX&e^}>vy5~ZEHX1!uAiz2Ie(}?_| zetEmTzso${vuk~hTwg9XM}KQuU}S-z1@i(r=4(BQqX+L`7)MXf@zZiWkZE2=Ni2)^ zj-85kW+>$|l&|{~_x-F#PL+pL-vcZ>*9W7gN_xryBMW1`R;PH5>vI!-d^j|hhQZJ_ zF!Z!KKiH(A+r}~Z*#?H5*5e0rh^t3eE&k=v8-FheY}Ppk8K#m{EPpjyGPq zf>9k0RmB)KEv;FdU4L5hxD{`t-s5W)`s+T3FeBsq~)AoyR*Voz@Rc@5oVQ**yCtKd)Dt;-x zcy!QRi0{wDI)p;U~izRMLUAMT8;PoAp?a1kr0 zUXF1Uw}KZ(gP26cDKNxtNZeyYOoD;`T|+kQ28I4>)g2G(L2?>#v@ao)+^YA+MmK1N zjiXhm7X0~NFg#*g1b#+N6cC^3@{h$rtWR5}(ITQyUv zDaxX4!809uveDzvvFA`d*%mz0S#l}u24|bgs;OeRCk!Ml-u}yzCd$M+OlJ`1$021r zF!I2_149qD?Rnq`FI+h0(FZE3t@cO=E-g}r|2_G2Yt!1wFR62Cts3`B?~=|{KpXic zl}jsk?tc={!O^0iPk04Fi`D0UN4p;^oq4^T=2_f|Nk^&kq==I+IM$Br0%B3c$T$o< zz0^dU!BRkxOp8>XKK~#XXlnKW(5e z$j=#wOi8W7k|l>7NjZbt0{^x;sGkO2=3)|MWPi$+CeB(?ahb8I%>`_YOky@Ao%E|r z+C*4`Y~0a^l9`gEiK^C7%d}ecxdIQD7^*wLK&cL)QpYi*JmbeXEjnsfIW4+89HO`H z#KLXT@^JiSp-7L}zA2#bUpSY010!O{=a1LD%s4Y0nK zm5`Yy?*W+^?FQPw%}Uf<`eW<}3gtTV!he{G<65T2yrYwFbNY0Bc!#A*;^w(Q-w%OH zmCDT%P)YAuS&Nu?cpQ(Ic?>G)Ju7PwlgFh#M5)w(Qi|zgJuJ?bH2oB8p)Ka->4}lVy8O@4WZ4;0}9hbis412T!wO4 zQ_!l@(19m35Jiq+n2Ls9g2n<7@n{L9c9k#3ajl!;BL3xR{QfR-(ZKYIP)4Xjg)$J# zv|#nQ1{1lWjItt5qqjJV^MoIV4u42zAf2_+duCQ32FK#}CFq;ZxMp?d@pQAf!G-#c z9Sn>TO&_bFf%qmaeL{DJ13_9)w${HIAbcJkj1FnW|EqB^FK7p2W9imQiy37_5@+gN z#Btiqji}g47fr$W074m8@}g{lz3Fy1v|`QDVj2s^+zb&c>|s2#zjVyaEq}jGV{SI{ z>pte@hTmmlZnpC6Wz5YD0?P-NY(>G(;F3ug+yr(3shV zP&qToyGGW5Rg@fOy!;aJkw_`o3}jmt)?p-{f%+&Mm|(A+d(+q(Gk-l3ag($+LHI(;aU#n(b(9seFK?3`Fl!TcW+annnP`2C^fA!a zO7-kqP3A6gxtBb7LkFQIq&ISJ8u5)uy@ChNN9!C)_d>+6VQ(7@%i8nC4bxd=(=?O) z&X0$^4F~q3QU<|>q?-}xf4CX|4oXTVyKp;@hQeuhqVt-zw8Fzj8*v365H18L- zTrd8ycQBn!5zG*FDVsoVn%J$Glrp1qOujcR)?Bh}bhao}4bS0HvL?rEbu**;u{A#g z7ez7Mh?d9TrQ;NUDu<~r!UO>41<5l)J=vzjUWznHYsZ)Jtq_n@hEnxgwyoO>kp-1E z+i>txWixJGE`Lx7MiyXnv);kpX+|vU_MS6_^MD24F{FDJhMTKQEfe`i(Dy8((p1^^ zWcy{Is={vO(AFWm|tiq&}iAQDJoR0wo ztD9iwx2uG+Dlo4y132-I zK~Ad03-+XCdtvg;#mBjU-jq~18R%)GWilgkAlxesmFUYcs3?^!oGqBp>O)k2+~7p3 zH>e!BPcYm<)O~KQebQYR(Z>-fDdqGrm(;lu?~PKef286Cl1m+$m$W3bg)_GJw|`bGgd&`mUMnnkm=xu@`!Wi26t8 z?iQHe8*y_3hkH|9#>pRd;+wTCfgzN=4o}5D_z!hRlI8sGN;H4m@j(RCJ&S1sBUtu2 zLN0Okj($j7WA%B1?$iPC=+w!yOXtKT+*Me)sDHX<^9M#85V;8xkA6Gux1=ufa~y7c zMCQ`%qJi6sQ5Si15p^x{k3R)B%+jhHx8`@iURJ#3dGiNh*N$8BTVt>IrTF513UcL^ zK761q<6n$>*ki3$Td*s(XUmf=Ei-cTD5~6hRtf$+z!%Ob!!JZN*mU% zxg95OHEahvFkWlf+|c{0XFC{s&vk8+>HDv33m^Q-HEz?{!>cjnq04Z8$`OFqWXi)h z?}FI=K*(?BB8~o_w+B25WSia{ECk#0_kUa?dJz1p)r!uB@3UU?IPll08=VJVM>+b_ zZaq5S6Zy6v_&5X*Z7UNO(E#}Ni(5G5QOYJ!V2i=MC=0(xO)ij3`(;VUMlA`S}4xi6JFgLK}7@ z23g`Up|Z%vW2Z~NYNBp4xOA9lSe{sENDF3f8F%V5cgrSD-REr?b-HZUmMt86nXzSp z_sB!XsZ9{*K2KfU9)T^R-vwzY}!0;7k zB8B2Y$QMeNh?d-5F9Q=kIN8(J1xdx8yRJSt21U8;T;yN8YQiluTTD4Q;&`6OBUVYnum`@ zjUfZ+OiO1d{iZ38;2_|(s&$lThH+u@^wfZ|#_E1_kp6@SN=M|`^TOc~d;Twh#2 z&f#Oz{c&v3BSw5;I>vJi*sS$5TR0Eu_9T4GgnEz2lECAe1Mw7u{C^G(^_%0&sM`}! zziGW)`98TEr0@qwRxR>1ReFTe0#w4krOss%FLcj|>f%}@p_b+og30qP*^cW{vQ!v!Df7JGoLs*I8H`W4Z1L zW=Rm&@3_7o6!>&2uz$m@;2D!}whVitRrpjwoJ!&U7R4v$@E&ZAcoxg8lV3@d*XJTj zi!WYPBIPed=@NOimjih3XX=c>B-9@KTk4roPai8%GHZ?ssx@Gimg6$3XiduB<7?JL zNLr*rDCO`` zQGfSCV}?!06jP?CpMRhBBl8R&1+RL4S!tZH~OMxl}a+f^JZq#j7;{mO%{k)naqYEQ)8+54x9HxG7@Rt0&U5j zLC7zS++D4MJ><1qWLKPs`3R6Y25^tofCe~fYgLeVee*npsW3Bnf?vz}NEq>cMe>=J zKVoTBgm}QdAg1rU@ya3a)7s4t<-VC!$x+`mbJBlNkAH}RUCGoN&s@)6)a9e?nm1z4 z8&vFm6FM{!siAZvdj`=xyC9(|k25?14V16LCe%Hxw0hi?)DI1<%1`8($oVnpk#>t+ z-;6(U^UJTB16o{Cm4B*0UGo}#eo24x_#%?%y{Nw9Ds7AR9XM~-_ji1y#lEL=_?R4D zRgSNtIe#L&Q7KLw;ZK$BDOaWvXDadbZJuUq1be+;{Z_Zyny-!P1pPmfkauoLC ze}6Dav@hBd3su&fJH%#76uLNUBz7hH1)(a!RL}fW)CsiK{|3xORlVugE~B__VHHku zdWY}FW^R}8c??_vIPAw_Y5azVY?i)ruMETQ+j7r*bIo&}LECS*r-RXGPJ*6jPb}nD zdRobcm9C7m-rwHk>&!V4xlHRT&O!t=Vt>GXCq)Cy7`SO|MVyq8{ZgDqbTswgex4qM zEa9}@`EzxuvewHK!~S@i3&UfB(&}J)qE~1gn!(Ca{riw*&XrRWy9e1lD z{rQc~@>)0!K?th`f?Mrt^EuGdQw6#L!L9c7_*A^9eh>B*ftt-rM90C(pmcHfElxg* z_xB@m)5Tn6p?w$YTG|LCl&aOsa(@&z4ZoDlA!))(gYvZ*dmq$&9(bx5k5GR%r+?MpSJD-+#690NDpG z1j_yr@V4}l6qgIktMRv5!r%4J3ZGmT&8wB@2t12mQ2WMY^SGbu6JA2z?K7xw8_ zNDM8k!zn8gob^NH)yPAWzQlQvF=GQ!) zMmAu2pkCY9n%q~JADA4d*MBy)Bv&65niMYoHbj+(=Abt=R1W{Pq*Yw=raCGxC0>1Q zh)vWH+y#z_P1JZVJ1G+zVypOvI4U)zojztVyTm^ik*5GnE$UG(@F+>&CN;hFv8a@Q zi%#Dej7k8u?+B!aUiwCDZMIrp1mJ!bGyxE32-s@95x`T?Y&o$WW`7?Rbp7Zp+hDh2 z4t((ubs6*tBK4W`!_xY|zPz_&%{fZWJo$X#Ul1m$7WpUE#c+T?8{qHwGpvU#)W*=$ zYzh)PpI0j%sE*+P2J@Rtg_2{K9K+-oCI>Y#9QL{;TWt)z=umdo#SB<*u2eh~HI59$ zg$YBYdMUi(jyNh5Q-5&s4`&7Lj-x_xVcL+Wz8#90-OeL1XEMsZF-oDGJiy(WisWtP zjc}ZO@}b$O^A2t3bnXO04?Rwv9A!h3^JhUhH%}xaKk23=_k6|8U&k}jH?9#0(*enSR5$>tg{1 zUsk8^B_WRK4rqLVj zSEmj`2CsEAWjdIHktSzMIWsO@h{Eex1wF7@mU@+1b172s{%fN9>w_3inr3$tY%fp! zwrR^)22-bIVeFb>WXeo!pwC!k>aOK=D4Q*g&DCt7Y=87@t;Mc;oEF?&gFx6lC(T`S z%;Z`?{XMUOAiDa4=`qu#Pon@hZu;1{R^q6fK)U>!!iC3G_N&gn=yGkadF`eDooc=1 zDzio}OnYw}&E>WKUGCV=cpfRtMqOk~r!n|Wb>Ws7)|xR(Q`jl7REEcHnx#BQ5aU_C zaMt(^u76j+ce9;(3pd{*h^zsl(<#r1L)Z}PK*DQB0wC>bng>*&Ym;X>H3q4{&UYNP z`(Ypv7^F{mYKIR9Y;z1S6lcZb8XC&ZmE7n#$YT^x^2L;|QMWTFf5n+d0bv+MKKIhvR?Syp^U$@!Xp@-)hL{xPvl zC3NIHqYRBQWt1tSWA0Zy2J%vZ$>tiWY^J8q!=K{X6eXigjapq5F6386?^XP9fgS_oycGT)m0XN3#1ESL@ zP0xI!z%NsNnejUUVc#P%yuP3QpbYPLr+*tLrW_iP{}*G`MM=d|`Ct-p2Awo>E{g+j zT=Zi5^CZAy$-b(zfUZt<9#owwvr=U$DcDmlT4LKppET&u9e{)qN*~Syiul@`{|5l5 zB|XDwyNx>wN)k}0#66Iplwe1-q$g;#1P?v<=3{RH>#-v05TNW$U_Dl`os5SyL4T>k zBGSWwQsPIwV8C#cN#o@A~nh5F)aD0&D ziK<_er=d-EtUvGX08@VGDqeUim0x8_Fc19#fHD!l208eECDVc3j8b~9hJUqMX;-;N zCXi@;z3AIObS}y|U@)*k%GLKbhH}R|ct)g?PDEOT&PTH$tpoKw$fyJ{y_aB_*eVr` z$pql$!{4u2q^DI)isDmniZ=jDZ*k32^&@Vq)=vV_PyLnlrPut&=B0!oqBh9nz^6nksl^0xvO~ zl@-SX<7!$VH0&1JgM$%zmbP+%9}hL6 zpNeCg_Bv*?N@i7xO5ZO2_qeH@Sc^p;yIZ_=K7Q9Sg;|aM_t>?^j*#?@TZfbDF|&ef z%1z~~e%_qp`Ybof-gMiJ{I2%p(R-Xs2uXeOs5nR1yh+%Kw0Xk-gYRlz`FchMMog`U z5GDYC0POIv!+&R;+Td6mVUh#w0w3(!#Vvb_iDIw@(fk^adPRG^W^WV2RPDjCuiva_ z?*`eM4oY>$n}3l17CDdN@3`UzBM8D73b)XWxmkx9W@6U7$0CDS_uk)SNfw@;aW0a> zVC;Bd;DsqKFt(Mvj5^!`?M38Kl0o}Ug^{ifN>$om%6|q%@jCT=ZNU;MI7)gk2}%cp#nIB5&%g@4!PSXy zOiBuS*_&+oDsl=~t>}?HlonN#uvbM6zv6eIs5m`EK{z zmeyA7oxMI1R*wjeC9rPS2d}*xdL0_9?hC6H%5GBg_F}ycwDn%7>+4(1u_8h((QuNA zr!wG0 zos?h4QU*f!^K?Kub=|d$QfF4`OsB2}89;BdsWCZjP|11oT~wa{BK?)gh(zDcN&UOX zn#VzNZ-7yW0}HjNvt0^BB?r5W$!1D6eXK)f%ESl3aY4}&W-wU5q~cuQ2)6unl~4oEOaLdd-T-V7j@y4s%fvNcwrt z2SpHcPGb%JV+XTUsWdUn&r$)QcNXotw9GmL@YY6+^j|nrsd0c zT^|&ek*^ol165q!L_R4HNT{qV2iEdx#L}XP)mZ&=6_1-i0_8;7@&9Uk@c%*ikaqmP8lP)Y9)FY$D3^chk!jxl z-%-(kbojRx9DdL;Bd<^D(~*oQ;oVLChoIC^73UxBC`5^svgLB$qJ&-Ke^AAgDof!~ zvrzdGl@)&%KLMEqRm`X|3LVYriZ>iCq?bkh#VhB>t4;=o3+W^m`#0^LFl0zCE1~q^ zlK=*|JpcgGiT@q#SAW;M5zzU!qFF+*2P&;ItNPoxg6XG&T~Yh_F9xMjWI9Fcl-hMP z*yhxiu_DbS)r8>?oLW7otKgF&&(%m|HK^z%&ECwD7M5pr!qC<5!<1iTYUV);DNiP% zE8yES&9Eq$j(NVq^0H2HGq5~=xqc%!!=j47A$;jv_dE4U}ME|++>NkQ1EyU-qVS0u1XfV+OQy!T1 zFzReYgw^rRLIn<$TQ1gsq`w{wQLEc5t%9e3eiszcomWTXRG68fw1J_gHOO7lGJ>KI zoWIAr0;PH^)M@oSH>&`vx!D+JIo0nGM?+Wh_UeRD4S&YRO@}TxKcMC#twjD_095Pi z5G_o!IP*oK1Jg|kT6uz0nT2W0kls>GNM3zDTO2_}-J}<3j9x=7oJ!TyjU21yw)2O#c6f5xsTf*rsxHhHWY*OR5vaf8xdfl*=ofet$A$Lk)6V2uvnnSltxu@l=}#Y3T{J z4<)CQ>7T1e>}t!Dzg<6~FHs8^pbNj^^xw5Lh-KEiFOb6Pt@K~p^x^qn|dV%edysCH_L4k(XNC;Z3>f%}@>LtW%q_)u!%jp|d zwSW9}*G=MiO9DV_CCr3Ki87NYQ;Fg@hDpBIh%deFq&{~foaS*8Ju7A~XIR@#cLY9V z!pp;fMpF}}r}PC@lwbdMVtAyWS%ME8C&}`(9mW4V3B~_d6#wIi;=A~PS=e`aWMS^n ztu1EHoBojXL$_Nz$lQ>7eTE%_`)W_N$A3ov?^Dl98*jMIH|Fh`{`=6&iVI7JU6}&iS;vyRPT3;uXC?Rmh3;!uAESi~h*5Z^(mGN|6 zA>CKpvYgQ>0f{k8j9H1nEV~t!yUaR!5kz)1dqYviRsFb!F(qsu)eiycn4mYs@aL3C9bd|9LU8x3h)~}Ovnd2{Cq72#Ln{x7 zQPoOxDRO~#=d}3F)tT2e9#Dmn`NjG{&#D>!L~4$}@dO?t?Fo4uPY0`+#(yQwpig-* zofm6Uv|3E4_UX21>@lP!OB_$&^bpJJ!$T$HGmlGCI)^XTVSukV4?^_z+i(Z)Z5C~j z95Y-17*k=8iYa!tvJoWy2C^B+9UM3n!T23-;rZjCPlQot_d1dtupC+K2vg_8bds!15_Y|1Ot&Pr#((-wA8{?N4RoT^ z(~Orq5ptvI<)g@Aj3}i##E`9N)en^D>mborO4M{rPV>!)Uu!`#Maf#MBIo3QD&1 zJCdnivMWCB)FQMgCd8d{l9H7V=Sroulv_Qm>*lu-ViG-ZtIWUb@(^yqDEv9vBJ&lVv&$>dS?1 zl0&&OTWDv~fU-K4&~Zu!C_KrHE=Pd_Zy%^0=czF2$4&W0H-9b6NGPb3+DVZ|EEGk_ z^Qhq&zhH40!lKLd>aN0}E!0-+3B>G+W_tu{TqzaDy5OX^=8YOsmGZ2K z!@gEXHPfo$ihoh6Z~F1e>n!S~fP44Bh_$+h%*H%Y;pDQ0%J{XD z@#`>SoRxSlH^Em(2%~FdbB5}fbeKwq!Tz{8e73^ci)^5EnfH>nDMfLD zMe;fj`=Cu5XGYto;@J@JX7$%!FhcbQ3&ODCuYbSrtL}kg_8ROzA5bU1PNyUNi|QP( zgdX0G|N4tzCa~WkTJEy z_th*ws}pOxY++0M4Qp(~8bfRFZx60hUgZwTb?Qufi@BC@T{q{dxPF{XXN4zVYS}V; zPk&=x*XFzYE*l(M|MytDnMdd#DKhG0BG>2@L#os2FNQ3;8Fe06Jq-(R(vwQ3L_JIH zxtUcR;sM_BQ!-49{?AJsP$YrEXWQkmC24hoY%=VYG^OwVkS7i$(vdN&d$T({94sU^ zzoFdj;whCgt$f^&cW(0i24ax%xXOMbw|^(j_Q*&yL($lju8S&#@ce);QN18s7jPY7S;sAb$-F zV`%1#Ul?L&Xy5{TsF|Bh3Di=z#OCrMrgx|QONUKT4uYn6Fs@TY`zDJe5R!5b9BmsK zvqH%2g~B~f+z14^BPP6R#JfmjN?&m%Qk<_L`)l14mq`6kRPK+GO^KjtW>lL8&bXUZ$YIZo zsJ_0zNV6!;8j2zxI5~c@;M}MpEYbtqP zjgoULa>^98n=s|!&iGI^L)ok&`<9>e;6XViJ_0T%ip8f^^D0QxiEC{Wo#Q(6dzZQp zt!)^pzTsvoa&`GBjzVLXoy)lq0-b60(wui#KjbvRQS}JR$nud`(HoT*{d%fv_ zw#UJF_j1(Zh)0m$cDgO`Vg6B_)-bDJ09!z$zqO#wJOK7X=1dx6WK6&MPjT<>cu+k< z+tD;Qu2ex{2^>iF4Fg+Z?I$_U@G%uA8f;Cr3nW_Z13TWZ!Q3xd5!@9CbI5;yEG5sI z-2u=3#Ti_=V{nG_?>Y79v8lEAg-&b0#xIF7hT)wdGEmA|k=}fVUy>Rr9IaR=I%0We z_o9r|6RlIcgm(Hx-NL+b8&j$K7TDduhQhsaNkxr4@}P;Azh5(X2x>?NMy_5j<)SLk z6+tQ4Ov`3UHnU_;u(lq`4B~&)ACM*JehBl1Ij=P30h328iF16y){)Gq&P8+)^`wB4 zdw>MV3?ySIp=Oexl+29e2bR3zE0P*Jf0Xi=l|?3!-w=s`N=7P~QaKdvl?zSt5G9%5 zxqQ%w@;qUZ_dU>%P)0(T7CI{5D}u`AgX#|O`OB@#mWLLbid zRVvE~bW|~|3O`(pwo@4ES&m=c<1BlNlh6HI^M>M>5vLbC8rKVv+orTnM_8PpTPQg?5_;$+vCawUnRHK5)h30UXw+? z#bTjrkJa_QjjviyUzg(jodZYH4c`oAf^L^-afwB~=shr^JO+RL{CyC*rC#+W)#^K5 zRzgLoFS{%5N{bA5xRXxeM2F<IBVc2=+LL?bN@o~s5~7R z^`t)idM`v8s&9~1h}5s&I?i!eN~or#K1TYKP*?j<+tNP5?JmL8-+zAqU4@+`Cny09^XL&-abSo1kVv!Q<0UJSIE&PbM$_hiUb#WU zXk(~N&$^^0bRN;W9Kw_t+ctBJVkXSNHo;fLFNM5%!aRSvB(8UO#}qH%fE_D2OpEeD zt^84a6-@|Z$2;Ow#{{Otb)@=n&y(~VCD-aJJntZlDQT8WKfY`6k;l!olBZPm0h6nq zFTnvY8kwzeM7SR$P;qgIf5hc_F{9&PaC05RIPESPSgEvH0Xdb{dqzB>68UjZk=7fi zZWvjBO0|CgPy+ze|GzA1wD3u0AdT8AmNZhBh?DksSO`E=@tl7Yjfey2n>rM!;wN=Q zjtKXO<=PZ94SAi50D(w(G_N_x>xlIY0eYrFO;y`!5-1MnVheR^me3mpJR%BiIKc>= zRR(No6gqDg@RA!@pXPV35J62!@2z#&crV+uPu$;qBg zf;16~n*XJzknWvIp{3TFdswe0+RJcW1c(u-V_HN>oSeD#7BHgL1~WF=NF5AqFm2YHthuTKl-Awc!1IV0eFz!~1(Pcn4-Tj&2=ts^E1bVygH!PU@Z? zFTnUunTbR+lts`_QZ1D>Qc}nCdj)gUC%{nu4o`s_5dS_n#BHAjHy|FI;g(MYO!-|v zsWDVa_?wn!>-7SlJNxB9P8>5^&-m$b-;;kIY&DOpd8bSsK|dy?XnPJV!%d04@5vXo zHix4=KW~`W;URht=ikqObKA%1J)F-#)Axh5NoekzWI$4+8J{{vx&0}!}uGOS=Q=c|F`F6g!*m#cx+yj64mKGpShIyLYU8O@Gq-n8_JnM%ZQ7YrE4i_g= z#>RQnKXoMAsMd;SMVxMbc~idna_*>bvQZRG^mzD`PXjVXSui-MoLxkJUAE``buj@Q zFY|cQF;dbYZb3(EGF`#xRfH}E1xPlU)3SX&Ub&HWUiH@ zNcl$UF)R2tU*l$vQ%mg9N2!r-6|o{y#@fh+l{ahi9#u5gRxYod2#ZN6SIyiPQEz1o za%WhCOSx)>$J}qInrp7Q=I~awkr|zv`kX6P-h9PYw;*}Tmw9216J^3@&8shw@Ru!~ zP*#5JEWI-xO}5@z#~P9KHW8p8-*f?=KWh3fIJT9Rc*~ zQtKyNtd#U?H)(L%%WQ^cN|LDr7$rcVr3PxTTbfa8OZN*!ZWlo0KR8v#!irG{Dye^0vmbblANE+( z*S^^e!w8HkpvqKKV6=E~W!B14K_z(oA{QfA{@vATUlv$rB+Cd~>|dlZ9U*tDcJpdU zXcs*i!^3&AGGSYXcnndC7Uk1ue(RNHW0R;Ozwy2^%N#UH?0V0E)(jM&mH4m};0VX?O} zk0A!{B`)`OM_L$YX=QnGSchV-R^IC6#)>+CQxa9czr}uTRLXyB>PBi9uc?{k#O_GD$LOIzAPtiC6}-N zDg@I$zCeMF40V4}pYB#3g%sb$j;-QB@bGE2(8itzNC}`1cOPXX@|+4}jA#Lt7*~HYYWJHVQ?~Gg`N6(<~u4r_c}PmXM12Q74t2?yvo;lWA!Fe_?V)Z&OLe; zRl+A%U@U);JU8{X>(jbC?2(8B1lzQgwdCWS;YS|$&B?u^ErBU}>-`Aef)VnlK z<5GPC2+aG?wg<<7IBgwza#sJ=4ZrB(MU-xKtunjdP8&iI ze}&Tho&{PDW!d{BxV?-Fo(gVHgD}cuD;0mo_AZHeEQIx~>~VAN+v(iT-EQQAdpNW) zRz((-S)A{1`l-`SsbHj{qiKP+oi3>*rRDugO@0eZyO$Z(DK028``#3kArE&2YJ4#@ z!}9v8n<^H0Q@_MHhH=v0w{m$~5tE9Tt*EEai|ckd0K=A;cG0uVOw`RwSjV|5u5*9L zeIM?;XaYOQrJ|1GooKl0oP!FyjBQ_ARL9rL$l zv)|b{$ht9s{c_J3NHs*)BnTep;vF zo8ps<$5phm1r$L>T0L{@4Eo`1Z)VU3?=+?3y={c%FYI(;k2Iof{dAR}J!X`2bUAvX zqfFz&Fdpu%{^<0hL2RUEpwH2#4zLr#QPgpNw3ePWM~4%7{I6|na@T*`#z$2qw8t(M z+U(ur)4?-$aq5~9P3iFO-AaE~it0CG1_5-HIohjv6NERZ!x*zP&2v@n{IKe&aDQGw z&vSSf>`(yGScQpk9Au_1;dj4E5>m z2MQI@9;KO~Cy=5`HkK@RZ@b(DhQ1u{1w%h!944o-r;;G@kD0L)yc-%QnIB!@zOh;1 zRW`7qNtHm2^r>7jeJnA63f!U5ChKhzF-3_bH9qPV@Ry)y@ZDGsp?Q-M1?XZ0> z?8sa0bDt8{ZKFm{U*LZdtEv-n7^kdV5bH?u;4ql8w)foc3-n+$oD)~~2W`*XoN$Vi{|VHy>b30DkI)jx ziR-oWbR!B)I5vHjpZaD4I(@yBp!D`(v?TY{ENM%Yn`SE5U|gyE)zsO^ zma@nb^nJt181sKaM89lrP)lLv2er@XrpQ^=X$77T8y`w5XHSRG_F|vu^|og0Yp;9B z)y{T?2YXvj!_#o&{Bw3EZ^gO130F;27s)4Yq6z@>$=AP!FdT_R>BRj2j)VIG|>dcv__crQo$@b2t^Ug74#+c36bY7CQvN5@{nbaju zXo_rogWG?qJUS-A+NlC{1xNM0vf~C1?;8?)J-u%^+~X+qY7-_MtE`AqEQZ$PCQk8-DT%1t2d=#9 zrA-L@WYttZupgF+Yx2|;VD4%ppd)92t%pUEmE31j)mww^m$mmsL2 zbA6m;(XJ;ms9;h>dsYv0-7|UNO(ha^NOdY|g=(^XphBNEs_dVsR~_umaCe5g<2YlLy;?ZY$6OPz4p-rtc2EZ<7RAZK_Qe&PjcZaq znbOoz=+!kP`4Ydyd0ONlG9XDzDbz%|g4cgQqL_;`L>lV!km8KYH5lMeQC!#JBfrR- zNWkX@ZQM%LC&~>AtI=w6(wA17HS|G)35YWBVB)Ji8TJj>Ou+!mtb_(`7~77ll^R4} zY52$Qaj06U8Sx{AmeIVz^Ph^~wZ5Uz1%bcR`{J_I={p*2s??1r_RgbSAIcqn1WSLr z-v6EdK9l@<(G}b^yx0`qJZL;pudb!9nbtdIVl!woW#?g-DY+vS)+B}x5T3=UwO4F3X%w=U$RF9uKxFflmV~RZ4ZgkD5ow>EV zz|FLy|GG~7(b4!Se8xzpL98wBxlsu|+@odaQH0bJJs3VzB z;WEqIwW^@ljhhAGk_6E`<}mSbFOM2Dg=id&F zjWE5i+_CQJ{8NhR@lefeP3w-%t+sa2n{(CP9-eJ2OnrJYJYfvXE`BEmcdOvt?84Ei zTFm0#2fb0$mguLM-0xEDh3eHJWrhD|ihO)a@uhK6*;&1j;y5-T-~4}RRG9h_)k#s_ zS4;bY*rc8;R=soL(6u&G^@UNUwgLwOA3W!ke8c-mYc4&PO()%s>PU1c1X5m`RaR(^Lpn=4(1O)@P7hi zvz70{Rucr~9Al6K0T6$fP`(50y919uD`li{oyMQ$GY~W|%#|Y;HBhs##6Op3Nq;m; z8`K;uRrLy4)lDMW<>{l#nBr7 ztkkBw1zJ=@+y0)Fj?=!sQd;5-fX_@}Z$inn2N6oU+uMJ~~GE1sbTf z*Xixi1_xStcK%DyAVKTj^d+dF@StH9@+{25EG}Zd4ICa!U?*{Sxh%~@`_)VuI6Ro} zZe7dL;7!BGsf~ZYg8=r=cbkjwAm4R59e8|LEn8iU4thaj7x!kN&CIed@xVY5WWIvT z2#zuj!^1{3l%S2upu}*$p$pG3>{-k`4<0lR|4H%m?b16BoPiB_YhVB|#+Q1`@&j!Q zrfyIgy?HJ)#2<5hE)R#wl)o84#?Y30s|#LD1m>5QUf-PV+v_W{5{$r{QPmd z`RV`pzyIs9Yz-*P7AQ~wg6aV~NrB5=*kV=v?4`lYQ(zMAcB<`H=oDpjKXhwyJ|Mv* zCBV59o~ii@*dP6o;N4}Xha}Po(YJ70iqNK~!$Xuif~`3V$Ql0cjuaU#g_NA({}QB+ zaRTd~)!To_z~#$C9T^d9GJ=in$Ps+ozrIZ<*Q$oblhK#xejI2WhKQ>o(w54UJ6T3~B~MO~|#0TenuFru&!Ig(TVm+(dh+ylYj=&op`K`2~KR%G-^lOxtOG0Lk^v4JCaL0Onz~epb5wJzHht<;JCf1C& z*|mR5JFCe6D}*I+lSBMpf)_q0=tKOt(6i{d)sIkl9g$kD=&Ocu#V);&YUagafGdx6 z0226FUb`iRzbDP{S}_jkmZ-iV)%{Db!?WOAe?Ue@$d(_sdLxha(KkE}(_L|TD9X4z zm63iIitwThN5DOP_4`o24yRBsKl|ptlZ&fM@|85-mY|Chk5w`XBn-!MLB zd$!(|HU9Ju56GvY%npkICU5k|9jttma|W!Aqnvf5@jlJ+XtNEAXeqqpGC-G>dv|~A zs+am0e_IMRd!s+@V2kh(>Pu<;Fau!l$kjyU+ynUOaY2=}H~b?6d)k)HEh#GI4z=>- z)|zU=bnS!9gxI71RmU#xea(Q_vFC*u_3=ZNB@QF;KK%jPUjY7i=)H37jGDd+Es2{v zGIHC!Gj&-CWsRAsDt_b*!x^22%Q&w+UZxz4zgK!dj=Z^NMk#oA58#x& zy3YVv{POMsAE!G#QFbBJxU(I5%)>2oBVeK+_P@&zrbd5_^9*CW_QU0pIBgJ1ZlI_DFBinwgW6?ayR?3L z<6iHg$MBStn~@gu*;oV&fLqlyIR31Lzet~t%=q-zPU!T_`ZCvozn#x^8JNqGSHS-K z?=F54mk|GIDX`id|MkMUUi5zsVW*;gZzt-(7;a|(Z2S!cY8!`pndi~Gre=F04Ig;h zElvZS!hfEi^^eV9!}d(zD;CPRjl_*iJwDb_Eb76!8bP|;2&jKcp$1p#UoSp0CmJUv zucM(`8op^^E&&)b{TWNZ^0QSmaMLzm6lFLxKWG9FZ8;p61_bkdbJ~AqAWV)?zNMC3 znjPXaEVFzNn9eVQ*76hBeyrbaVAIn9)*GA|YURcJ8iM&07Ei}4iMKCndrI^mL@2Z2 zLNb_@7oMjUkQdvf6H1!5Jy>1N0~8&N_WSD)DF(e&;uwGLo{_B68MGrPB)I)=qT@MXI zsE4isN7|&$m8GsCC5?PLe5KyDX8n+aDeO*?pOR=qA1-RPyb(fd`3%@+fIe*iZqRE1 zba9V|-r%=qAW;kGiy_$BQGE?4KVr%RSO5dBgsg>VX#rjZ=Zb%(C$lp95~Z7gy&2Cy z1byla8EpVV(2M90re(b4&_wG)_-B@HXnEowa9wbtOUht3`~~PQV1KrAC(v=aENJj& zKwHjTKp%&{3(kj@932P011fxY$IuM}E!AXr`(};NzR!gCEJx5%O{%?_Yi^}jVFo51 z7v}^D6F=EYsZs&3MI zXLKUh<#D|@l;EOsi8U~m%v&3k`2S1tm}ML>pv%0<8~^ce#E zFFaV?m~5;6z!U#DMJ%O6A2)T%PcDhg$$}|MeTu=UN-}jcQ8VspQ`Cp;Q?&h3oDPPT zPLOHkV#`@0Hcs&+v@IizNg$v%e7O4M{{EJSIwq@w`?F+FOVBS5QMye`(}FDFxE}o? zSa0!QGUJ19 z3dmD{4!|D$APWD4-#Avi1C(*dY$x6|^L?)|yi;oHPoC3@y^C7~w9Njxr(iEKsP0l1V7&Nz~ zm1IB6pQ34RRn6+~Qv8*0Wd$=Zt3yAP#_Ua&2rY7*2U9<-LjwHi5-fn$I{x`=-_qnL(~1J~BDfE8g1Y=!M*={J+FT% zwTnDelMZ7uDpI>sOc(UH)T3s))H-D@wHgM`pjegCRLw&n4qvyw!Vq>QOwZNR%TfK= zhN&TDQe;Yb8+KMqdkQEDpY{|OyGFSxg(&=@k5^pCM?o_Xk)>&bpLRA6q3VTgqpMx= zU|6c(GT~h9IqPKxG>n6Q9R$j#5et8Q^AK_Ju&OezICI|Ul6y#Z%;T?N8Np0ucxJxF zu!Zf_Hh(#m*`cDU6J+{%8Fdzsy#%=YP~B{3d)4**Z1P}Sk4=>B<20I~PIENpEEC!f*uGQ!<)eQMwF~vm zEX6U}#*eW|nJ^6IW7AzFYFp|ZW{eZbz?g?lU$=?Dt$uF`>=e-SjmK~+Y-Y))1ic}Dq))1 zBaED@4!s;4-4rr>wY*Y@T*!Zn_0ypPLfUzAcRCzJAe-5xIB9wbl+#c#<*iEa0=p@m z!aUkJVy>0)fKJ6HFo;u}Q6m$(ky(frO4&kxP{(c{^;S%x+qRKe2-1|&pLO-I9OWT8 zWciB(qMcKSkBaD_P&{x!rfSD+A%kXR6=TCP1{@wapi{4_Z@64ThOmE`U5XOQ;i4Ub z6jJUWK@Ju+ds1(1*tt^zwv}B7mdfF7p}H4~DJxoZB!*jtq6gb#6T(yZ^$<-s{v1<< zbro*6QBfp3K~NtIz!Q`k#>+LODT7(efvz+U2laZVKolo>V>mkVoP0$4g;Z5gpxHh4&j73D}6fPL#Uh z)WU}u{d8kwmvLsoKWl9v$982K5{-a4v9OD{lHk>jQBP@Ca%?6rW|-%1l)f_QVuDzmT)`j#uFk63djfxYBV}de&1d@FWVr(`A{W#}MbCr zW{>vHU0GVeEeG9E%n7~TT9uZN+r3}2Km|`Z^NGIV%t+eNbtA91$4Wb~Lo;Su*;?hD z<;SNm6|>O;VGb1PMci=fvJCc}KK5+#FrYnFEH3aJ>-iQf?e@mU-<$;Iwk@3juIWdF)8QlyC>Higo~B{r>sG$`w53-e!p$ ze7%GdcwK)~&xqs0Rd%HPbltIk!>@tv3|i$}dFc5KH8$VydmwRgF#IV?y&IWM|Y<) zGrO1%Cn{fOLut-Dti6ghw2}43-tj?1YQ%;cL(6|yK*n^`Y^G~(wL}>>lC~@N)9$Fh zX1cZ~dx|?1{fSMbsG1*A zq+EY!wDGEZ%Hzk<%-sDEzwiGrJ|EcGiijl-kdiqw(U;9R&h)LZ#peDtk9M#`E=+KA z<+<3z;bENPSXmJ>>@ZYDFynI(C?k5-h{~|KF&T>0^&fYu57(b2FvLtSInPUqdO#tx$gvyLY7SN@X-I)V)bR#)S|R7xA}yS-4}I zDz5Hn{-GOf>bI1a{=SYkqROF<$0-e$6tU4obPjV&&S7v^C;9O4<1&#)gM*&0;P)2n z!sYZ96dCa6*m?_EboCh@u7924t+-V-SkRdpSg5zi{`LEZo9aGvYn0j8pw(zy19yLN zy#|~~LgUlAh>hl_Cs&?sV$D{O58#ZI6*1KFU971u^}!rH1x62xxDy+j4KrB6m4rPf zMm8OW-Dj%H4(&SpAj`kULHCyu0oO(F^R52PUv2qt^(joly}U9vG4ya$BM}JST|$K4 z6vc6n#Jo*mUJs_b-ZuF|xJ4N1uK<5}E4K`_%8r2HuWrnmR?aoep1FZ(xG?hc`OWps ze~R%(902%`rE!_%s_FJkwc1n@u z=jg3Roc7Kq@u{|ILM)kS6Vbu^guTydaD54aLKysf&4O7xOlU%Y8tO=;Z|{_^q%CHTsZKO6{H`Q5P753ig4TOPXH>s59)giub8w*GOq z`tRU#_(JzcE{tbBLf>VG(Z#a_L9%t z(@gpb1Ga-|Bm-yt?VBIR>mwWg0n+`at)0JG-0{JW;qc2#pKc?*ig5o3KeFR5^OZf_ zh51hXfYg6N^XFm{GAt#)LD zYkg|9^@@?u1)W!4SG^5K>OJM%d2`d>>b+F`miB+94O?lztS-z}*UImD_Ze_!ZPBe? zYotBfRn{M9lyuLkKCOaad-4~V^H77o1hL&Jns!4Q%C_Qc9H)IgwRk%4PxQm{9vL#? zt_;sC{)vCo^`IHXI&R91H-CDR!{Q~~Vits79c~UZT}-@_or5*GB2-PF9n6BNREGhZ z)m48coPa)+p6a%ps?Ia=sOG$zAg6A!jF@rO;~90Zrs8XR*5?GTPup$my-z>ZhvD`q za*{%7&Q+4$$^Wj0b`7vg9g}33*+MN>C3GQ$;5j4{qHjLVX&j zK5$|`WWtqpeQK#WsD=5+t9hml({tLmrDK1mqLQveyGB)Y7?be0iaY~P^z2vqph_ii zeY;Xlbl?1R)R>DFX17x^P~YrSCvsF8Jdo{jDp6w>&8o+cxhaa+cKbAWYvu7(W#8HW z7?a%f7&PRi#J;t0FeUNgHSvDI(Z; z?x>L_6~^DTgHkxHqjD0k!K%LoYo3~Eyy%IN{O|nW0u5Q;jTPR#>CoSdHS|#P4ux+$!cv{ zc=XpPD#{gRq7R>x$weCT;f}jm(J@L@=Wt7XD|6(wVUfs~SQ_&!kb7*#4k=}h%%{;3 z=g#Q#74O-wb-ryHbnuekXFmAhrAU_vUmfTUfv<%4qtDn!?8kqt!;6M! zj^>BP$4xjEYIc%EUtx65lx)#-RMj>K?U1yr6J}k}nJM}dQMsWcjHQkv{1_J2OPdjE zzPc#0I=lv&g~AloRtH5d1A2ObI}D7@8~Rd|bc%B8ArWpY9`3?p8Gpq%j@wh7>q?<3 z-DBT!ck|97;$$9eFR<)UwAFu(bRJUUQ!wJHPfd{V5M$emc96*^6iGADOF+3{U+LIb zz{W_oW}+62)2mgmzKSLI^{S#f9(k~{82i_#j zJJk2Z+-1Ozpn194FH-D^)0@+MMrs}CF5M(qM&EPzw-4W5GoGw>X#h5mxc+T(fBS3j zQKe0$4eQEI^Glw6>><*)IX`)t9|vp4db#p;`U|9gc39U5AAvj^cuLkgA+7Vo(B!nKYEJ!t z=w)=8YNMYPvB}B<+b~6(bFDa+w`M9GdyL8J zIs$s4Sss7){z_)htD;*C9)5d@&~3(F0et-qaCneL-3#$g=%;X}Q{fG1@zfOPQ(Q-$CD?4Wc07)Qx&qq5}HL;&w@zsRB| zf9UX|>7X**>iT0}|2^b_%9C?V69|6&Fvpn4sI`9y!l2o{@emXRnq5~vtbbU&!Ax^# zl1E=vax}9x!&WD2#O7sMeWuK_X!d6TTjVl14E3>9Z~ELs48bE`=^TttP!PNr0V}&E zb_pF-LI(f1`|Z~i7g$wUW)Si$0-jemv0!rvg@N#=KbD4^Q*9}O`z$bl-X`{u?WlVW8w2~B^VWZFPwiF6d<*V^mITc;B~{_2m99F4-B ztWQ`&z#k@e@}GN}!GrcA#_aW+5ZGzKj~SW5sK3_qzuzX!{8QERE;@uMZTqDUe0UBR z@}vtZw7>{5HV4c)UA@KQ)!SJ0F;#!h-2W?OmdEP7svf%{$8RI{v5yj?<~;RaJAtx; zlGw+r3MZ}Z^6k`j9~M(D@S+I!(Od(oQlowfVbOrC4-K#0@_vAragGtzs>0s z)J*e`OK#RrFzZEtwse4!TAH;H-bZ{n{0ovNNmYxi;{Ey@wB#>HEmTYGH93F73sSf% zpuD&z&yIZq-(34oFVwqr|1`eax0?x1dc52BPhR_c_aW?BP1#KIATBrSCq~z5%~o2^ z!p({A5TIdq3+-c1rH0Mh^HE1^)>9?66|gP6 zM{O;w+O8IoSDdWJ1$`CM5$S(JpK;-4VL$ddw!PUw^gi?-5-y+e__1sbnzU1W*gBc^ z)B>$F$7DKESt&X(Ivf zrbmkVaqbHbYeMMn0$qc%g9{Y|)EA3-X#l}tgYh?xkb~FfDJ8ldNye;Nc zX!4MWgUJ~bI{VOxp@S3WO^^nja%-h{sw6Y(uavbGU`vrT8Yx5jR87&VOp1CPTubm& zOJdYtD`l)+t=AK{@$-N2Zk9?tjmqaN|DsnULM#H*$;q zx`1h}hh`ty>B0{yimJoudUV;FMGaV-WF7Kt0x4WW&nL*(mhXRFmgW+{-WcAdkGF;Y z4h2mj(e^3Bg+%JFpA>Bi-V%TbT!jRGd7X{=If>s4OV1>>{5cOTK>L+4^({o3BFrA% z_wknR;p&r>PuM~io8CgPaehLouVA&%g+EiK+Ou*^uiV)lnL0}x?I@^1Fty?w@(mcC zNkj6$6^~u-nks(>b9C$-RF`>fEpat~9<%siMlHJx&#NUZWZ>bDAFNT3AC}fq#}I{B z%`RJI_*tDvMID_KVn5fm(CB)uKk;T7XL_*bX+uhE&LrM&I}&a+&hNhhzMB=Up|cX^ zP^#PJOiJNWJv*W6CYw{92`$YbTl2|bw>G<;wb`CA9EN|ky5PLmlo_FJpYoH<*N?ZP zb_gWe0*E%z(nI4Nr>rsZ>gugM_yp4!xJ!JqJa6Pye>+*q-CwN!_mY)9<* zbH_a!tJi;(b!czkIQh*z|9mKS%ibbgW>%CTn8tcH801zRdI~mT&tIlAHoJd?lHRX2YCi_34Z*{RO4@SR|vFv~z#K)vAM{9K)9+3wKRbI+AC+60T0? zy%y}Ic`>?@`ExvSTa+SqmXFt5-{G>dB-=NTsxn4Cwavwdx?F_<>yGhk{S5gH>t zG@JE213pbI_VGOGv@OmiQth}ys|mXJ&uQ(q;LUr+nXMY#_bmGoMMw3PHy5gr=zW$un-rSrBCsH+tvpBX9f8NBouW z*SiTXWx%Zd@rBe&JkA-ecs`F_YQjIdgY?=GuYkty?XBl#>pXR9Lxbhvu{b4BHF!?P zb7((qeY<;q6tJZLEzyvBGf}9h-ietDuduM+GqF~^zDFV*0bC}AgDJ5d zwdikXGeDb^T?Y@Zg@wDpuy7wU3@RV3?o@VPL2&#DzK)qMa_&m>+3=D8N2%}wp8X}y ze8ZbSle+8Gn1CPAZY$nYc?_X8nox}+xUj7@?6V`^?y;PaEn3rnEDpsB0d~dmO59L6*Vrld~_nC&Ak@wwKR8_!^lDVE}Fh# zmP1^iV{+QZsk=sveWG~M4b9sd%=L*`NvyThovlCu%Ep z^(v-YJcrGo=GInIm52Hgmui1iQZ$k#s4X=FA|e)KC^KZ!pz5^B42a=oSvK@@LeXu>O_ zTYztmxEZVZGg-@~sX260#-J?xA$b4&{{8IAw1S{*v+PUEoeKEnAdS$Ln>MY8X=I8z zDELc{g2BP+LA@P!tD+fCZAO8r=f(Ls6xy07Q1zhIo-lsF%_)CSoYKnSjc#IJg-Mb< zZ!qG=ZiC-@a8#!wdE?Umoz0P0TJ5pwJ)mg{X0oFXTsX$mm0asNUqgl!WuQ-B#Y$UW zY3r*a{Mv?Yd)c>TQD(lvCk9KBM$$yx9UV;2Tbs4CZYDKi6w}GGYg~kns`Z~|MX@Qi zPtk#9+cy&@>g<2vWP;XUI6%Vz8OGVwt;G6>kUD(>XYcUjTzY?rUZ7KO;$cFpu3U%9 zBsRoqDPsW|qw{F2H9Ypu=;aDCt*T5oE*4D~9mA=!4`C9fTiACNhc9CF%x#mHJ{|0$ z&2tp*pSZG1;s1x2J~)l!kqLQz1meqp^K}iBKtl=0O#pvx0_`S1HvziAOEs2S7%y31_dKWZHSD=xm z6{m$T{9SH$MuojT=(<^(uH4`U-gb0{@;Or-g4F@48L+uBHdi#(SvBj5IYdmNuqf?q zX=(}6B$a>Io-8ohwD-TMC-8VXq?sLX&UQy0!hI5br4QloYnpuB)+P%^#^~cZ{?gyp z;oyAQH zDs#YUfjGaY<1-3YZDpktAlSW--piXfJ)TPZs1fH`dVqE=%Cl>uT6m-zbP-A3D~j*3n4 z;;tk;f7)G884lPm4?Z+gO&DN4vEmaeHZ_OBv|+S#w`rM`$qLc#(`N7K54UqN_Md<5 zZgH{_19Q{OO!FDF$xmq+AEM2pwJBXQZJK{pau1WWW3$1dwFh1+jhkJR>?5TK@tYPf zGb&5IM)_5EJkr}8e{Ae?GWq-1zzi){NPDmVCX<1yUg1I1H@0IWb$zc$TtZd$rqcGi&01jY=m{p7h(t#kEBdvtnb zPWvz0%T8qyM|m|_VxyXXF-{7rhEbzD&+-kfi;}76XH~2qo400TX!F(}Et(I|Jgb-G z$EPrztV&u$+fx~TRpr1%p&OX>)ER_waWs#AcE&cTSLnuUBh^*TV^}^>E8^;u$D1-b z921U%W*<|_LMEJtNwGv=o0=YhvK44sxMtKorYyX8G>=#Je1gIguiO_UAgMfh&SS-7 zkQQfh(8}Gcn_gUWSTUWcL$l9x%0sokPVv^>+GQ6#oc5cqaRGNVp2ZM*`1n*uGU=v& z*cR&t1??cQ=pk{wyIWSUd*}ToGZ*ZgWU0MgL8O87D7+MR&Vt~oW@0|Zm6E@e$r2N=zSUDU0_V% z+nJ|=Tb_HfcVChZZ&xOZ_qE7hj%Bugp^Yl>R zN&-B;qVv9jsO;IJYT%yoEw87jjveF}H{&J-mJg^r@8VV+TT)>9iqd^0AUQY3JbF~k zooKg#-bz$p6%S)H&SJP2bd!ZF2gY*1ma!*cEZYLTRjGF*58pPX@QMqcL$}9&_?t@T z%i%N`Z%$wHsf|wibJS*|;f25gb6$fgw4kcbi)|hsX=Ts1Bh~ckuS{UEA+dT^C_>9( z0G4RyqhsEVQCQ`)!jw1(0^zsKSf$zi7~&mdd0E>MnbS5-yQNIEFP9I3ew&d{v)3{V zsVk$k{g-uGeFqf`6|VEZ2z;1-?pBb`jFGy}e$1nN^i3tJVl+Cp&$4|2JqY0fp-}^J zeZW${mT&+HEva<91n6f>Sbcu?qZ>t>W29O^SEo~qbMoM?l-@vL2Wm9+Ni~O{G+t}? z%l)U{RU62O5WNtrF^1!5qk8rU?<$53mwJ+vt*>PVDfn$x4Objbfn^VW+enQh{_1x7 z`^rk4CfP1~PR&m0x-m-c^3F590{Z!xAZKOPYKT))qWcUFNt%;Z2x;%%lzf)DJ#lkqZ zDYd&wyvlA(Q!BZ9*<6)@@5LfYXcKl9r75_&UReU$xW|t%?lFJDM^OC{swuW4SBzq^ z>$NDA$w1k{)c_|wUFPG-DJCO~j&mrteI6d4V%5RL5p!&oHq*5fDa4Q$+Z+`ZDa<0lmR<|v4gdGJ%y`smAJas zi7QmcIi#LN$USuXU|}ETGX!j>2%LI2!ujDJDegcD*Bj`;iq6OU4)c6+pUYL|;TGy6 zxGkzX(6oN(^EZD~hd|nxf73cIQ)E_WV*S`_Q1e=~q>Wd99aJ3ix6kX2oX!Cewy4eh zmUDOvN4h9tPp4nt0tnolbG=tN9kt~ zuBujN7OuyC@QlJ$b#q;~sz#n9Tw37A2bwcjs2ic=8$#OQl-O{QgN*SU$07hDbpM!c z<@Lw=yJ;*j0_zVySlb8ak1_fTk5>9h;OJn2J{U*nhaaqs3-sq6eTF^h&jR{O4{T_0 z^~3rH_Z^GcbWIEt?VJV)8;QPRx>%o}qzSEJ6vQEa$Y!D*g5-!PM$btC;?>)rg>9D9 zZkYNhUkx1{OpwvqG((xI-I0w`jT@5g!&^Q(O;4N$pl98g)4t*jS(~5~&KuCP_Nvna z5)xM?ahe)=_`G>IJwEc*dFIGhk70Wg6j7!EGDS=C&5@n}@Vt713Dfi_e#Abh`s1rW z)4~LQ&dLThI)4nEXHIwED#N@i6WxHu-`*U1ZB1dzhPa(gzfFTWFYl9L+O;j|GhQkE z9yo4c0^5>4{gvjM-@V(%z7BBPV>PGP9C%Y5ur`JE_E^nHt`4eQjA^9p-qdb)v|{Bs z50A&G4>#Yjs#Wb>-?vOm(Sq)EurqCy2w7cqQRxX~lPh%n-LGrD|C1Af9G{0I`a+|qzO&iqk zKeLJ}Gy9=->H}K}%_xq4YANb==p53Fne!C}8noQ5?UvGRjcE>=A>g6HQlHL+DOOucraQWP3d_|liwazmKt&)J*{D>o zP%Pd?SK)RW6-AQm>Fe9j-8@`mm@=0QOj-Iqr|-`F=i8eVom;7sE6%?9kL!zvMmCZ*oK-@?(U_3mSDHA+CXi+$NoRGV{;h z2WNe`7!XpVs&`wf!Hgw6MUGFb_yh#ebgj(HE4|uxWaIMu3CfEZlOb!*lIGJWypFW_ zH1>2vk6K558D`$)8ah9J<}u^F%c~m0T#;YiIy4DzAEuOE8i|NSX9*b(T@)uByH*$& zLEC&-OL7s`?lMBO5L?@Pa!X7UE{vXSs(?!OkDncMhdF8Sw&0+r@YA8X8!Ig1$3;0f zD*mijXP+q5`B}H(8T@t1XsKDA{3W?y!$oDhtl$S|1E)PG8+OEhgO3>T;9qchb*Jfl z{`fD4D+q4T3t^P9YZsBTB2q}FXvc3TDjqI0B2|TKbTgQaTpQ6s8$zN`+%&7{sH<@e z8&(%9eP#t`V7Jk&Ut=5BLLqulCD_g`BnRb?muvNBJQj`!3txzZJ4OlwjJlLElwBo+ zI5`+Gh*=t>Iu>z%$9wVfy~~S{K0l*?A|@UAWjy#hHwf;kH@uuqH19wNvZH_yC6>fC zQw5VY2wTy)F3E51TqGAwGwRDMqtTi?G@>*FGd1JcqZ`2X<{kzI#mw+_Z4*}<&!!aY z5soQY0{}rHX=WvDi#|M-CoAee1Y=azZRjPo>I_X(GG_{ZIX%4y4u=jfcGDQEz7hg5 zdZiqWHBe+J9@^osQPOpCO(5zNF5`uLXC3gji@A}Y^0Y^;37G*&v;(dNW?^RdzSXScO`3rY~HK*X4lM%I^l40)y%Hx%%x5 znc5Vat-853W7|gw%eqnF1`imiZ2@IhF(3S@7+QtxL?{<-pwniNS9{^m%I*o5BtLE4 zu0vJ88TQGnuDZhmZ`imEu>)!=zZ+=U6qy|T8}~kcc7yD;v(88v3H1Kmam;H-gdA2( z>TRD+MVTEoWjK0!4-^t$=hE0<#?q=uZ?=5Ggw=hxm%)dINLW14o_sH3xVv%-07G*H zcX`BOx_J-#JPLQ;GtO0`M}pC06M{3dYN%>+fwQ5yQi!US+W{O`$QDNKcS03ihyfp? ze5*Qttpc#MoHC$XM8C7?NDNK&i1v{Hn3Yck3ky`+vF;-WNIdEYakbU&{fh`+cOfZQ zJ7`B<&1gD^^U?S6(I7y0CsIVwXDk+b`-AZMKbafc%FSJ9`o4)N}r<~pkg<=MDiS~uOw>h~(2!pl+HJhc$ADIOBp4xg2RzG>5LuQaJbzPF`1z=R zoZb0Fh)u}=OLn2}1|wyH^R70>Fb@yKIFEL284I5Eh2=Uqbij}?Fdz8Gz&A2Va95KD z+K`)mWoU;&$@b@yU~R;A9dPP~bdzM;zWq?f^E)Buk^>AHU>upG;Xy3CmDz~{6dNL7 zVHie_{k$ySQsh?kcZ0JVXd*%%3qhfOAvV}0gkl)(5B}n$2r6!|l3*KV*X)IFqoj{h zZ`L6u&Ca?iR3FfJS8aLlQ8kfIA+(Zj-hKQ}-HR_A8SJt{7^hMac5W9QRL-=}aB~Z| zr37OST`)$*@kK>k;13VskB+Z(;pyIuc_^m~V7G0RySxr;c`=&Z1!;Xp3f13#c#NZ+ z`Cc{rxvdLGZ|`&@vkT^SN7YZ`-U08C%uZN6#=5)Q_m2jT<#s{qHxO(P2x?@fn%J!d zmH`~UK^=HheY|`GKqvA;vEQs!!8No`)?a^G zn;zPfKB2PO-6dSrd|m705lqm3EhF{)x_?bLmA#sq8kpVwMhJU|)IprwLv0hVtv4X!sarfX0@CcI;oq-o zA~Pmyj&!J0As+5E&Cq%4gQq=oqWnlF-N3GQaSpf2*XaDPgUZ(sf%RK|olQsuTjmqH zntjmGb|>0j)tM21_?|E$7#zf6!pKPzWT*Waf_upEPUoNqz&)VxD<||ap&a~$&L;IW z=js7#{H+eK<*JS4H}w}*2Ykj1J?KG-wQkizMHVHxAvUS2t08yvbhZ6X|2I*>odO}? zU3Pj%B7AX*fe$yk`k;4zc% zj`~Rb*Z-P>$ND0q0uP2>m+dHKHZbtkOY1ny;MNnY`sH?2reF_$8qS8Ps9zqJ0oGX3 zV2_y6$e2mv*QkIXG0wHU$_wdeAbU~ zl5@GNOK0?`_H z^!-HM#AlnV`Lf0=>=EY>_#<5T01cobzuNZMi(5|6!%K*CQb^d*1dB!VV1 z+j7k%ev_ep<#%mx;qIWSJC*Ap%i!J&kMvn*cRCz9C(C02JA9YQIEWDoKth)X6{bBb+#>z=f@k^ zZU(Tge^dFKc$@`wH^xCk6n1kA4d)U9(l#qFoFV{!;_(D;ilF`rJ;xfR>@jW` zTEm{6hj`0pmck!2+z!xLzoo2v#*H2ApSv`1}@L_P&Y~RG`V4MM=SH=dbWvwvE?c)ENqoJ6i37k@G<7 z0yPRp2gn^kW3tKMR920nk2*;L=G-+)m!md+Qc=y)VM^C5`qW|^f~MmkPP#VHr>1eF zU~ZQpO5R=A!h;bxQl`pl`K#LSJ4lnNOP6aZsEd4`{ziplYd=^i9il_lTqV%NM0sR@ z*q*Wf36F;WoXY4M2I3w80r^I@+pQz13|D9%4foO=K!h=J&t5OKycqwV@rv%%4H9CSGDC8R3|OdoA#v^df;x;(|U-+qQvH^>MoAIE67%w5;x%V4>~^A2}l zw?Ta$T4(8Gu_UdaAH@h^eTQ0S>15$91uc)duoAr>#)P0XTW&hgcFt!T%4plKNYE+S zo!c~HZdyEXZqPy9TR#PJFX9O&LR4daEySnhY=90`jRH0>1_wiMGmq6-hAotk_Cci$ zA&L*jB%<9k#u`kxw}udpZMH&$skBMQ5T?_^pV77q6Wl1F>{x>~;qynQ@d_cGz1C;D z7owT$Wq8b^zfMsxawiVOe6OLi3>qi*;qf!24InwC5LxS`4D-FZGvVGHsf*)(G%g(; zjV}Af`R{b{o=(C8QMf_vNIN(BjULSNqrV@=EBTexk(7bh3eZNTKs|(3B9(>I9j=&#vfcVAWv&TUaG(0Y( zlJ1rxVSIJMPj@cBVF$o4j|(_|wGjT6%Pw3uCX)-B-6_Y-9v0)$aM*?EEoX7zVb(D( zMx^Pn3zb2C`%Pw3$t4uU7<-+Dky;7olF(x&4U3h-M3@!}RADDc# z7=^mOE<~!Tg=t_eBy=$G#aJ{Pc45*H&0Tn;8Gm5fK1JIvi?Qi++lB9c*Ni`N-9Sbc zX4!HNNjCI={O0sbU5w8_L;N2SJ|96(SBvi(W&|CWI{PyNKkbS zao88*(Q?^^i{2nNDw7Kvm`)vq56N<5njX7Q-RnFfRLopiZ1_U&Wr%>u4Fsy90sGo{!O_&Piu6W)PRUABQw4`*T%bOIQpxW2B6sCRwe zrwDi6(3YY7-7c;`P(g9m0$M=tv9PNus&0z%9H!QX<54ziE(ja zK?}h+)Aesu=B+Lxq>g(-(Wg%8zAwSH?X;61W}~mEG;$#0^r*VENx0Odv%Phpc@O8W z9WF@{zC`Mk!yS`<1sF6Oc47KRS-2}C<3ZD!!h}OeE>}zRIPStoQ?0IbR;OBHxeGLO zWt=Vv8^Q~|9By(q03PoycLvm(y9AlQ@;t_idVIbVcX9FMA`C0XqXgfotiJqUr}~TV zs~nH=`>e7$@YDNPEx^dQ>cXKn%yL6*ek}F^HT!-wJP&byGCy2itlECDAgN-IMt?h- z8-x_)J>Q<<@*$7HFMTT^7(ADv!0%XU!^I>7xHLtAulsDHx}h9zIEM$3HEh>bJY~u5 zBAf!t{V2Wly~#X{={k?f{N>@a+ehVvSqC;07X{Xzq2L=VC{kl!k!}ZFF6c;;eRS~X zTY}pQ6xY6gW@+*;K5#J??x5kam&Tg*2Ko3fG9WR^3YN_lxZ*K>6W}M2(92OC5DU;vFHqB~Yv}WpbJU|(; z^XzM%8t4%2lj!TB3>z-{xqZTnKCH4l-p6UETAIsVye_}}{C?xyZ~ZRaF^Ba;sk*g~ zSrTu5Ulw85a@tSt)?~fKtS;R0=n?t~dEdPBxoO${`WbzuT%U(#s&|o5O-X2!E_y4r zoDR@ZS)s-2a}(y-Dc$ASL%eKfr^D?4Kgj$UGW#$rlI*!C!+gm%ebZ+@w>y>d4syB^ zEAucdU{|Fg+kT14jsV7IV%O=opW?mFeuvqAdqNwx%a6}BvlvlkM?&?vWtQua31wDJ z*!=1tOu}@l9>N9c@h*RDRIuaL8=XsDdv_RLUxriQLTxQ)=<;FT;>E=_rko?gzOVTf zGV#ZIs|-w%{9;9UE6#eE+TPlTU`pl}E5Mv+tn_q*7IS#u)`lW4m>M>jPQTYS!rwW6 z?~TbjHWf@lZ~YV=k1x?nq;CGCSm5>4izMhm;vmEN7byRZ%a6UvZ~$igB~mBDGkW(6hM>;2vF}{VeJ@zpbna(=%Kb*=9(jF>xUM+?HjRA^|@Oh{}sm3=9GxS310l#_RJ_iOb$L`6-EtDwu*!mr$;m;DDUA zQ3nCIV1NaySPKTt7{C!G2f6baNbq;H)xQ zc|##tDMHKr^M`@YAT!w!z2+2u*oW9fVz|^>M z$9TEByy2@!^BB9`*RY}#;;qP`KZJ!F;)aVRVmSR)ofaZ~2)AFd$48j6UPk*D8DcEr z0=ns?0pbmvzT?y5pyPBW89?@~t}O>msOrq^B^L->4HkdjK{eE>$56)do&gfjTVnEIB4&dX{>iX1@&-&fUVf zQK09ouKH^#he~Rf7O=uSIlbT{YmmgFGKNkF*VKf(f4EHm{5~q3RQVa(s)`b=@BO2sqV# zxOXoZJoD|+cGM=2b44S)RUod&Au6A;-S}`fA%_whDzf2`U@?V;w+0pnRPqVWj*L%t zLC09(vFtXQk3yim4pPC;;<4af!pND9JUG8AhXLRoXsOzSgoSVimBW4pRC_{#6PJCK z?UQIpGM2{yHa}y3t_gJ3+b~JCd9+g<-8f8&<>>`Y1R}cY8&&G2Dm4>*J{5b6lhZyz@)UyJADI7jR%|fg4I7BIbDWo5y$T;nWF*-AG4jz@OP6D*$ z#_)tgMy{%kAM^~HGf#Nx^wq=e(;j zbYC2Q!#q4hV^IrcrWLfk3y7}oxYVsKC8GY*g4gdS!S(ye=lU(kK|sNWfx|E?WcL|f zu-$Z^mJXeQnNuE%k*d6|D8YOO!r$|F6y2Y&sVCNE4)+4YGb`f~=lE=>^rk2wV2=y( zw(ADAf52X%m_d4He2JoCn8aTrT_c?9&Tcz@Y9RTi&Y)`<0d`t|A0CfUx;w{6NW()5 zF|Fvo#IAf&bSj-Y(XL=yuj35O1L^aqZNW z0MiS#@w;4gaBywo=NP!)5SK1j!MoajYM7`rw~`u&s@rEsnJWZ*%E$9^vK`xlj4vedkX-Z77}{7j9( z7Bk~)jMOb>9OpwD3GK4eLvo(0Q*+S7O();tNh#LHC@fDo?(cm@z_yoe)bA;O2W%iN zhMv>jL16;Jn^9VxlR(Q?4-J#=mhwr-oS(ula7VbOI4ytr@r-EMK{wdnKfuXRti|>z zI`E#87|52!V1!+GpC-b9#|E}L%t^!S_qCkkv@o{rdDqj_eKfJ-N$DyYGPPA_I0Bt$ z+zktDpwxzoxx=@8c2c-e893N~osfon@(weg0`AzmC-4w#;oKeD5Fd>0TQVp3!16i3 zgAax`EE%SRi&yum>vIWifpIP)i7Q?qzc*Wo%z6>7>{`h54s$#4EV8drp2xf8Zqv%+ z0IT9R&NNQO`eHzJI(;u#?rTFYf+jyJAANkd!+fI@%k9zh=Fjy0skvx>xWC^X%{PZ} ztn~o)=V-AsT{Pj=W8#k^R!`2Zu_jjn+Z1ua-sP-G0P-}}|BkXa?T-8s786iKHu}Bq z5a5}JH2pQ;{JuN#D_;no!(T7>33ba%{DPr%v>1Ewf{hD8zY)5A!ANf*Y4LmLvX(0Q$WFd9xf&~YGq*s|c-Wc24H z*o)z8^cov7jItctlR-*$z00#Byo|@@#h#maPy^y9!}_f%{2Lc`(PVU22b(q+-{cXz zRy>*4wsq(rH@u}oAAY=s>UF`pqAkrQXu2QahZjrb=Uv%keD!aC*IQKCIvlf9-71AE zN8_>s&O83?gdO4>#xzhR7)Ur1o1hJ1fFDFjki7A!QC7-`8?_HcY zTg6Rwc}{5>9$M8l&C=BBeg~-O zJ9d~F?;lq_$85Y4_&xE_N?&3n-8T4a_ zcfH^h=2y2d{gBWl0|6VLC3))pr5~#ic(^F9mlT8#gN>H(R^67d>Q05vr`=Jfk6%@t zQx7cZV~3%CC0zth^@Heue2uw3htI$7jvqOF;pp&#Fuv`c=+rkRbuzD=nOWn`byHtOwDI2>x~EYQhoFa8@i z?Mh;F(~$EqsqGrlLuYuy5WA4;li>Rl3_Su)_rLjnU2P*tySGMeHSkm-L7)Etg6nGQ zO4>v=a;SpGh_9n>>XpDrmsTODf$@-J{SFLplAAs{M6chQd9ors?uRtc0fRkW%=-7@ zuZ4!=0eTLviMr9Mx)aSWJuAU3ETf#Ox_Ep7s*?<&jgOYrqqP^3lQ82OBiZI0=h)j) zKvB=v!WhO@R?q+7GffWK96l|zv!HAFz4vP2%FXm%)R+` z=Br_Q>3~mXrB{M~@_O*`XT!qIKV6ofTP!+%9k=n(z^snvDStFjSSLC@m%{ea#(>X+ zBjj^G%7f3b+e3_|1p5cifw-|Za1-;`2Ea|!ONczAu~gzR+!x1a8$ZTpmAK}njp9Ds z-|5r6sPzmA+63wGQMG15obEIJ5bB};-GUsKiFxTIVk;fOXzO3+uc{mhwqGB~Mwh)cxG@ z*MaF?=W)5Km%={)djzdnkKR}cFYJ7n61Y!VB5LNCGL7}{9o>!^I%{RTr0bDCgj@an za`*)cIT1gUkPuM$^he3+Wvcy+yg+rfW0W7_qBs*Y%X-7_tvTZWaXm8nHXUYvU=5|U zp{|F9$_(7mDcjyKYZI~!yy0or238)Y+xQqJXF+C+H^J!>a(wIXR6fB(2pFNK;(}K2pB10cKs0+RrnC{jKZ=Bh0D)9!>AZ|`E{@s#n zDHmVk>{L{Sbc(A$bxWX5!?su&U9Qrl2h#|XTTYP*0yAIjMM!#7a(t&fEQ&QR{BZnM zi)HN9M-9JCczV&1&Ni}tDPBb@Q>Mq;mGe-ke6`@KQ)A6dop-0|4ApNM9?6;qapkHB z;;lX-z>BL;RsE$96p^5}HV^bJuPqjs=`&{<>)7d1G-qHbA~kPKC^P}V4Y=TSIV14K z`>hUq?46}^>usz?KYY!DyzZ_EMsJ-p{Qb+qzS~DjRWY`+Hg0u)PFl(6d0+5?fM;YW z0zH14@bnzB&zwz4s~+NWu^Xz}Z4+EQ!l?KLGh=Ay=TW(8f-qxu4tUo~RiV{@WKT6} z(66OcX_JI{D;H&)Vt_GjvMkRl=m0TBRlUhg8E!=RuzyLzL%bFB$InE)fnc0B6@U)> z+rbWeFX=r@9fQDsyDt~uYdIgK`ZMMIXY}I1(%STJbe+JNxV9jSGPX8i99})p&-)M- zU!a=~ac>37gw9003&kk=PgsaT_KvM38W7-e53~F!p78kAU&@!bxJ?A3Z0jwAVlwHA zKGnTY9A%jFlwbP!c6_p@KGPhxMGz?TYFe#Sh?da)*1-Tx?G`mEs5 z5POQtLfu9q`~A#K((>9*?H85l8Z)^NlEkT;n@%%QWe1tjIF$obF4;`h7#tePnyTGY z-pSsz+$~?MgID+0qQs}gojcjy1#@97ejNRDB^z>_iD`3tj((D(`*T$M;Ku@7&`k?B{19SX?9F63>%=R5Csl^lPhs)2 z*z2kC8(4k^xU7Fs*~BlcPFhw}0NPx+jHBXGT!T)3FfswGfB?6q>;zS^FL8819nig) zIpm(mH7v_Keps$f=_6g?aAJS0i+RgHA5me2+2tg#F$n3?=UrHM=TCjH23$AmzGhrE zVR2)wo2z_t!?SYk-T`rpyKra3P7My>HwrDdJLTcxujHWZeu(p@@Eh&8@s@MDapkeE zL!9S-S$>K4cNc&mzC8H$3G@5B(ND*H9`2&0W}Mhu>#m1b{!Tfib5VNv=|;=N*#>nW zV(z-J;-my6IzPPbOzVz1N!{34g!myM$U@f&U3CJ7I3z;6OMR`We03t0es3{m^wY7} zoSVvZ&~V*PNIwDcxi=L*2sK(AN)}hlO|u(+!2sKzRe|bobnQh4=`w*>9A)&aycp{q z2m`e569^FkCER!`Kd|+IU#&-lH|~{Ruh%BLJIv@)5%#%QOQ*KXPA=%0*V0FDEt=Re zL~{L@hx@VZZqCa#Fc4g5uita2asFi{X&U%2u!1*}p=P2GkmCvUFfH6LvrJbg+8 zSstR+7jSprS#~cBFxv@M6i9X+)UEKao$$xQz;ZEF0Uu9-kt1L5HT!kfzu~EWkujed z%yU(gmh~=(k_wUrb5$$ztS_MsFLfAqI)nH%R7w{A`{FH|3-{US{phNEXv_2R-&nOh z1Q4MBc9OolJcr2_;nvDnjF$UaewrX|@T3$nOjX-udk4&1!U=HQOB2IeI_n6TCIv48 zyymM1KFvCol2Ew86F;gngeuD_tsBg zeMcGJW5#hp-{Yftf*q8n0!}n)KAHgj2TzXZuQvvyeKa?`JY`d;`V+$VQWT2E@RXF8 zfzRvHL%g)*t8UBqG9$~I9^V2bv=iEhGhh>eHbIds`r*q(cuQ7rTSQ)zbH}IK+Tt#E z;Z{|XMWWu-7`c!Ss72R*sT-8KG8u9EE@NUy3MdzttQ5_#?yZgI8V^1~dj)bxD2ONO z&BvqDWgD4n=3ToSRIVmLJ=yuonfY`$Y@_<+{{Gfno_CN*%7rI=EOvRieRebA2`26r zNXKC}C-v1kVG;k+~W^(lq;k69jnfA5Jic_t=7&G87W z_3u_@3CD7~Y{k&_*T!^z<54Y?NwL_2Q}@+D;NzX!V^TA?-ooEU9BjJ`rJx(Z2+{RT zRcdzn>*DkPu>r%Rgk85UuSU=S9K8x2+_ag^_(l9~b0*S-(@ zC+UxsEI#Sq!|l>64?cB5RJ@Zre&KERxttnGh@ z<{jnx-1()33T8P6EyRhYJKC=LrFR+vF;j(boW$DOTFgj)m8A||+hGmSTh8zcW$2!d zP%A;E5RK{#vf=Zx=yq8{Mfh(Zi|T?h8#xoa-lueFHVwCZjPNe|U1xJ(HB#5lOvb9) zJ2(v0>22s-(JTgD`|E?xRhgUsS00b2WHAnw%RU-+Cd&wuG)uB{4{vU+K+axOb$YB} z`ZfEAIZT~@HC|bj$=6~q&O{Bq%DvIK<-lt`YTobFnf`DQn01%ZhMH+nh7ZZW{jPH0 zuwYtjFy}Zvl@(tB+O+NOZCczzq72oVNBw$N3Cx2qu-$Z_UGwN-_d-X1jr=rF>co0@gD@ z!KUp5X6X&XsJ#Z*Ek3IxW~r%bMO2VI=wU*+;JwJAWw^zmX2lmR>G0lU7z({jw} zE;=`2bkT?RvpOk9`<%yRbY{5ZqYv*Na8?3;*sHGaMLt?(5C!*20}Vds;qlnBlEy~Q z`NY_3#%-^N?+-fB#ut4nqZD=kEck=K26haK@&XrT=mi?)TR|u6%EndQ#ubzWGH7dv zNo9gRZUk%sS8wQ592Jal*s!p}e3^6P4bfKCs&Nl?qHpls8FJDIcLl)Om9mD-8fDaf zTL&-{C<{=a1xrlmoheB{Vw|)|PUdH zd-`e3!|9%;H9;W?J2$jY`!&cF)KE^)jsn>AF7fWS42$Wh&j1|(IGT2=fd%}`Iot!k<@Qx+(gSCl$NhGyA}}j| zQ%&e^t_+x_P~A9arOv?Q%<-w~{i1=57Rfi*?aEE2QT1hn>vQzn*bg01*>Y&Pa>F^vDXafHFY5-+_vB?j% z{P;srTy9>2F%J6=^;gFGA)<)?#s0rQP<7~AihnD-dGYMW~xE|s5(?ny_1EO zVj0*#M2uDA97}Z1AL=wgI}vOiv-~;CcN+!z+l&9L-Dz&hZO#S*HW;8m*)88o&FA*- zvsIiPbf#A;RU4xd#k~_7cROKG4A}xdyq_#At+%y*D8}y`10D9c zC>(AV`o zA&kgO~zd@p|`It3O?Ps!HzXyP{O`Uc-&^O;pEPKPMZlIS@upPr+K zc&EBmarv@Uw=Vn&6GiubYrGS@r&+&e)U7JN(FRqmj?b$REncAJM}H zHgaQ(+_DiD@t%vBdfMuu@*y_70F3V66C$rGnZoW34adg1gE z_<$w+H0XW*LxVJgd6;p&J;mjNs;|EE?RD1{rMH=bO=Ym_C{AyGGp7%y1662AgNYk5 z@rF&zBcID_{{pJ@z4^z*62JQ~#1n*6z|U}e7Tym-F^t>dXfs##*$vxp)J5B(PjDTO zhFQGRXW<3a8|2tsiDQ)a@BDLFMGQ1|Wp1OqXG@{Bt!lGBWefubaPxe4clNe6CO`Hg zj8!*Ls%`&Nwr(_kBNQ;C0e2+^_I8&DVN!OHYCXiqz6cSEY0(8pB8So8ttscM$ZHbA zLx(d-u93CwF###YaN{8>LJgh_0YD4Gr>3K(lM zS5)GvG6N#8ZMg{ATtFp*${fx!CsZy(-e97u7_fcIEOOX}W)Z|TD3+v2$5E91_xRY5 z6_Q-!fc%Yn1Fd=p0p%L^1)`CI|5+uuk#7p zl>nnVyMNIsu~2P0YgcvJ(p>pU($*sw(xC(V|2UIxK8RlQn{~+~0h)Ems02+40uk_w z#n&*2ccE%*7Hiciiw~#6#(X)02;!8clT7Y$bugZPVP*ZQX&oeLc@)cqA8ab?0b8oR z5<*DwKJ3mae4;e{;q>1+_n^RfsO^yLPW;t~lPE>jf^AsAQNxB|p=f&0kc;7PVF#XJ z25%|p6Q&4SwNaQSFSN{}ii(MekT$T(qa{IQ!;XJhrEYkaP@xW3kQQfDkuIB%dMR*B z%Xg4}2=Sl$_IK>&1REWrbQh&t8c;SzV=|bv3OuN63X&?us89y8Vu6R0jR8`{ zppp`KYmWTIppz!8FIL%wMCm{$B}QvG-daWdMbhK45JfW1BUsq z&np#1k&n~ksSJ}Od+rTJ@QTz6Iv`IG6a&|Pe*k;eV6Qs@Lcas70P%5!AG;_CUF$9^ zi0fp~l%H-`7N5%sh5+C0b_~N>$T-~CpGhRj> zYs<_3<1XM3v)L{k4@-W&zn^r`4l#}+Z53Ue`fe3yie@ ztyO)gvF7QJ1k{~!ZkMX_U!s?P4Qzyicla?@hj8R3qh$t_v(0*mrOqn@0T|%?8kdyH z^)dcu^m46^=8!`=!~IgSbWL*?$|IWQK4`02^Ygmov2aPLREv@P@7$_391slI_PTYb=?RJR5B{Mn)JCbct6BV5${u8aHNtsl@p!CX&BWiHGTQY#dZR= z!^?jgm>o%9KNq~^;~gc=FXLJr&QO|}oobTUo;G?6l5tv0l4Ui7>-smLxheI}1#9PxE z!6WCcNo9kiF&6z)QN>Mzssbb<@CJ_DIwU;`cs+SbC^7n2^(f-;6k*hPR0V&zNr6RB z1~TI%0TxC2gkT&hh06CQ>37}FL3aE?H%Pl*VKcPh5Rafn+zjM@_z&8c0h*qm1Koh7 zaR%z8cj+d{GFl3_OW~&vXSRa0wM8%HyEK5pNWKO~Lf~eXepEl5HK5Jh4rZl?PViBJ zi<(s|#<-UpT-dB$X&@6by5WSGr7?%ES0i)iE0#HQP%S$gvm)m3m-@g>BVCFY*s?t@ zfplqJZ_8*z;BWMQfhT!h>frMrok@T?A`uB*oZn;NoIt*NSxoF%E2g;^$jMX8pBS%_p5Zp_hi5qSFAF3xEaFVBbP?9v3? zI9&zfHT`e38K1|jQ%3GbzkVHifI17wLj>ngvN*y%>VF4+DZ7z+Xi0`<7gNVADPEs? z6*O15bR3mpx;|c=%|+xH?R@sB7VMB;2P8<>r^-PZL5tit;U&`HpWh%?bN>x8_JqDsvxRR`5%LNqy9SIFsGu-4jWxZBV$a`DQ>Lm z)=+?k11~MmhIx^oEOn3$^lmUozf;AO6AyP9TISAw{=j~8M>~^>gw2q9TawIH+DqX>0Q~SrFHAlj%YivTL5W5mcQE@ z=-RuP-5$|R{sL}KBBeYTMi59D|?yID|449GsPMEx-*H(azxbV48*3bipH2I4SLrw%=sRZa0w$t#ZI|Ts$2{tI z^sp9^XQW#-q>pRAs%DF(=oC>|#_7Iz70NUqiD=OLf1*1sZ<}2)|=eaAxVh5<5IV}l(!!6bIOfz4ndljgo=O| zbKD~Ef79r*L z6lHYSG?zs^L{H(@*s*cmHi$a3-FS(j%mienwRFm$b)!nd9B;Vryuz&?UXEc={Jr!G ze;D)>8P{*n#>{Fyo|5FnV_D+mCAE=H()B$Ua$WA|DsGtW!sI!8DQF%N1fh!3GKtc? z<09c#CHx?(xh~3ey1PavG+FD0oP0zlGheU{8u4QqK~pEpU;bv-X@tzA%hPcwK0N-a zZO?pFiZYMF!}C*=9y8VEd`P0d*_G%Ze=te?JGA$QvUkh&rYa7plt^jb6EiL#_8@jQ z8Q!bZJ4__S{U&R4+oqe~?;&Xos~b(aH(e#$Z;v<>p3>J)2(jxpUTZAi){(}Xk0z=# z4&7 zXPf6y;wjv4X%`n51;jOi$)e&8qITARXN01}xNFqg%9^9Z@aqR_{jTp_e`?#ALqxP^ ztx1;LicKzF_Z%6?qpvUlbB<-(y;kRwiS4>B;U47c*{PCB=+^?dw3Opb6se>htrjr- zXOX4GvZ@l&Vw>$~bOg@BX+B$>beFit3#e@Q^i~?o8=)(M`X$s&!dDh}7yYAvS>ky1 z-kkJNzFYChQlClUZfTt~f9=-tydo;raa#J!in_R>K@IwJdDpjK&v|Z@gVx+IQEifV zhpQ?6p1SwanBf|5YwO>}_H5VVlzvIG=M-a|du)fdujrjm5!cwl z{+nqTFzD%$uCYttsx0hCTTE~0qM13GV`#{&DQhT9XuCFK$R6NhfAs5-f$_M=@EaC! zl;Jsg&@T-2)1AL6gk!|omN$P@SXcP~L;@PB@IRsl2gcudSp2)|kpFic3jgjq68@bB z!oLp<_cOeozdH@~Tck{IGnFk-?cn5cEQ1yl32hU+PG$QDrQ|x$C!@{bREB!^gpzcM zlNJqYAWPGMk3wW4f6z9nB?<e>%oPSEY;{)~K@Usg5#0 z0RXsqH^8K1e!*i52q0G^K5oizzvr#4;v*k8sZrSgEi8*ZN~l&77l+&xAQ^!VxA$}~ zSpoX>>U5xAu4>S)nKbd3C$*e1Ba^0j^*O3vuJfm8fTCV4;ZR+sQ=CLUdPhiDy z(YioS=Z4iKl^kqZ2{d$TUL?ic`PaB#z zLaXdl6O@~PL@a2C_6`a;-c`1hKcBx8Veyh~A0zd2e_vjT1|AWIf2cCoQ06_9@fHH( zL_q-dt^45KnY3s^63T(GtEyuDiuf*TIF}rf6%9=-yw)?cgh;~pP-Y&D^|MJ)LnIah zO5JD9ZS#g4uSf?+0j4rnkiW*Sg}VVGWq->Brt@E?S$+tU_`7PTza&|>dsTu2Ep)C5 zt$)=Pe{RWwzhp4MB+jFQs*qoWNH!j+ET5|~vj`EUyCg1NogNyNhb-6W?qgicqfVB; zMsXOGhc>_E6Qr3COa3gP2!q7eIQRyJuM5Fd({o%t>Gi+GE6}48mP{5d`iCm2*C-dB z>Zm&{DKPBpaT`35MX@BI{tSQ97KianIJ?X~C3cAPjn+ST25&+4{omD={i zf7~!wBBkOgN>r0n{rGBLV_t8bWFs>H5F`N*04a5~FS<(vk(pm6NDx1X%%sVRe4nF1 zu}GHq8Klb%o{_dFCJ8~N0Va{;3nV?19{Rn9q8nE79!fk+b;7ka_Q%gACtN=S>LArm zxJn38M}WOQB_YZLxgO1?)Tl2}tDL{ne^3cs=Qlu3zr0i=63`NV1?fpVpe6?}j`U|( zoBAeP$ADqrIW!#^{q^qXH)VOx#)}a8_9Yo4QgHz7-{l83AgU`22raJJrJpSnK4=b=Z;(YegNQM} zM?(STs?5*)dR=YYErMXeSum6#1)CNeReIEzG@h_mfQLKxr;QThWi zX`@TbV@kZoZ%vBZ@fpl&#U5gee`~n+fo_F|@o1-1@uyQsegJZwgC)18&3)Dc<(%p> z2lEaDh8P-{L^O#*Cb$@4L+zu!oYegtO1?)%{@JR04ZEbvJiR^Th40qai!pT6*J3Wi zFX{4K`aLneTtm=d)jw3LL>-mR)kJj6_5AI{M)l7kJK>kzO+{K&W^13(0Rb{pY`>8zds}~%);WIXXQ+S7QONWJg7&oa%ANZx1 zQ{oLbrAU70XGXbm6}BnYf7y!1(Va?@)cv}1LCD~xVs>8;_vtySG7 zxZnkU{cOMpP<>z!q&Oo)ok8*#yqoV|U4J__!~alk{ppm{cbJz4fB6{zNlH_sqa?Q)uR5Yu_f`$~I({iID5C;qT z4@~N(HthlX?Psm0Hemzs2{O!6o2miiyWm{^`w#94HVH;PV}HDKWA!m)WfB&qjnQGE zox~i9jsyFccm$$r?y7v-^bZ4LSo@%J&qIEw^iWEW4UkR$fAn(~te>J7q~HInvz}RS zFo@4!G^ZF4dNsqsKInOQyV8FKQ(3+1^=kR~*6VptX<%rU&tRqjUO#m|VrfX27B}++ zeZ60R8Am_jZszp=j*Izh48e?Xp+b~kftMY-yugM%?jiOQEFxrqahp2;-4zoP?<**9 zx6or!?|~fte|nh%2*3!)AVhT_gnB4>4Bl_-uai=6_AonS6_UsKp+4eg5#!FW5?SD? ztKhfl^27LZT?w8x5R7?vEx`uk&~L27-=)>IhdezXKA&dqcApA z1CGN;cG3kirL$P#I<5U}rt<3el%{pKwWMEZN(anTe}F!U3E$G!b*P2HJ#L2GxTyMXf20YU^%#YpyAXyVhLK=s-%hirrAGKOlX5lxV#qJ@NzAv z!6ynv_d9C&gu%Ce_tsP}Sy4UCF;wR#3aa-zDlQhR_XBZ2?!WrZCq1?3z5xU{GG zCv=@1ma8_P0cRd)8_t!#3~f9E$KKSWXK1(D<%iq1HNAOq_JD<9%Mx7^5_jrYf8>;6 z9y=0i-p`1+g$g{_1UTWqUF?9R3@vNeCH-3L0DnEVb&;vq5B_>q>mo<7BmDIg>q-;A z{_xkcTK7KL-jnMX{FvLi$P|NYqL?|YiyYC9tPecc1b>4c^H>+Z*0f@ESJn+)=7-~{ znPyhb7Az_x%wki{3?J4m+z^d_e`G9hPv!t{h}O#5#f(qqF=_6;AWQb(hG=}vSj=w4syt>@^ZX@QatJxdnw-tt z7UdD9dC7~nW)E(N#yp7j2P&E0ieJWKIYd0wmNPz-byhv(o9qiR=MZs-f8J~2GK)E< zZuE9dIM-Hh*ML5oy(aAfwtKs*7!O_$w5!*(6RX?hK8u|gO$VZnZa+|g{|=wYN&%bW zm$lKzM!CsCH=Y~j13uGN&acFoRUu$`1kXAs{$Ts$knE_BM>hNN zHZL-$)mGwld`)E#B@caQPz2f$4}T~=a-1D5A_5-qowZPVy?gQ1Ct4;nm z4Kb(nFK_bY-6lBF%*$_vNT=P5O|$%Q6Bf!QxViEJqdz1?lBN|Ce;d}o;eU zz2g#Ik%W0aHTp)wFFZt|IQ{V&Y^d9ujfL}$HFCd1L)BTcIaO75XvisllT}TcHA!Cl zkvc`2mUA}VI%}>-4xMMXVsc)Sobxs#Bn!w7f26leXf$W@d?cRdZHm)zS0!oohwJvb zdd=A^zYyp7ySp%VfBYBI2IC(4Bc={;-nVe1aQ)?ST?uwxGlDz-Hd3Hejvr zMVNJD3DKgl?<%6rc(l2ar;_~3wB=BZK+_VVcdy?F^7$-H=j-;#@%V*yussz*Elf;4 zAd|VQ%cd2_Ed5fuf);(4_G_e{v0LDP25b2>oZtSEO>EF;f0Ee;TNd^E+;ef>ttsj+ z-SYKxL!aXjuj%4Gd-hCl^9fNFQ(a-_YYZ-`J~bMV?6*- ztN&+u6qbK`e|SR(ydDZXpb+0yxvhLmEO(U<1;z z4B`PKMywwCzDvIc9^YfZ4e@Xe>*QlZI1K-#7!k2fG$I_=pJYV5rpuRTHx-_TR(KAG z3>9FVeTEqm$WvxpR*y-Q=7(MQ3knRSjtPS8&^xhn*Ul1ulaesTD@(sju)2v=XvV0rOWe?qG$d_%1QEEKD>(A@R;@Vx%}dw;7O%evWBSuGjS`znfq4AkW*JEWedKwAke z(p=OrbpiV;e9epfEjTStrm)#eNg{=n+_PnB)d=f%Lb5|j{U_v5luD1}i0tEZP7^5! zvox=j(*N(9^R?)Y++iga*8tfxfj z4eY_WXENlmVspi(u2>hNRMTaZ=Sy_14l#rGnt&-P0}mke2tvX*$5N| zAg`*j`a+vwsKI;-8dKZgtZFOOT!yp5->K^e^@KzbEUD;ghSOjzf9(h5 zp|$Su$UH^`148q(yqYR$17fhDHmgR1v2cSimeN|lezK_;lQu*~2cx%&S4hssn=_h> z9Qt3l%{a(lqY?cKR!g%Yd+85a7o)d|uaSJd2Tj0v(GOY=WU$d@d(f(^sq*aMg+FS2 zl-_FIa0c@|ZY`u2{lE=iPB7hUe-B-Kx~(@=e*40ox&cgYMc0DEe9xT%>P0_zL!48r zH`}Afe)ABSfwP0lSZ@H+ThWhI!lQUjnkwjR_p;yHAAR|9mC0cU%8 zPsjAdPrtety;b}L$>)3M1e_QB!1X`|8*S2qCMT@P=5B(agppdtlT9UOf2oMfOPMPm znQD+z-IV+M_bg4e=<@yiGOaU&>1QfQ|BBPkZnvOhAfL&2qgg;)Ea;yDWXKi0#QFE= zMcS?d&`UM+cIThTiB<~QX&ahn(k8&rG^0ChLq+^|+6=}B+iAOuNyc~D42B8VX)~B- z(oWlDtmM4YW-wOxPMg7Ie?dEKm$B98PMg6-0XuC2Myw<(BHTr~=N6rpQtLb<%$wFY z6Ft2zWhD<^Z>_neID4Dy_VoOMt@ZRAVxy<$nJfc8LS2(DYNbd88e}o}5#*CxAM%(V zdd0vLhn!z|8?0r74gm_^PCaRp*R=b`k!>v2(<-$0Rk3Kn@#&D!$nY6CYgZsT8@F%VhmdANJy?a zeB1=|U0N$F%R`!hNAU|ZM@iGvU%z?GMv=ZgmLGW8rJ6_P#6Bi@fAvRitEi*wc^Xcp+P-Eo zF4l@6fuX**)*Fi}HKo8%*_f8}#-y?MTU^TeIfHqXq#sI+b2AE9d83SnVSI((<*Xz$o_t`zMZ1NvlW zH>ehH3arB^^gMINI8zT=c8ub3mbtHjzkh|+2w~n8=QqW;XNA@v0e%%0v&<39;!>va z4O?L`-{dG2T9Zz4R5`yDot;#)h6{I5(b_7=LFN25e;Rd8(b~q}HKosnuETs&`c~=i zp2;{Jd>(pz#Ona}6up5a`lnpZQXU>EdXr6YQ8C)?>G?%l?CCkkPEXUi?j|73+C|JV zl0a=>k1Cz^m`vSNJ7?$YvzyjaYtlZN-9!_2&@N~&kF7Ji`6g_dJtp-YjmZA`+6rjE zM#v-3e?&lwrUCg5IDcb*y%hYtEbp`Im{qOy3O3_CY@V4>v-++q(()mzsyy|cne|wM zDf-d^ts>d9&yEqapYHF8%}2rJXU=A-O=VHg7ww{!>_PR@^FPY+Z&>91jXR~sWqPQ2 z3?5*@u0q`87^79o2#ln#^|TM;6{YeTD)&J-e`)giP%)DPqM%tc)(N zv$(s0<>4Rqr6!r-j<23p3hEsKTVZ*7+HSMTa~}GIwMo=fa^4nNeviz3=C^ujlv^-4 zf7YiWoA+f=Ik#yUxujW|fig1^$M83zZ-I#~g75A@*La~5nXZ9s`vn8E?i&RIQg(sA zr#vpKPRnzu);&NjI{cE7f8&$}?}}aCCH0-(X28Wv5-HgHt+V`*QG2ZSj~R-;f_@9P zm$OwDUVypQ#K2<#cg$k!GW5v6YM^ zIRHK*_B%*D8q2W3vChDd+UUy`LefaftZ#43DtvU6GOlLi-?vjSs9GgFNjP0*}Z zWiS?yx|&JQMvMrfJ~JscJXcxasDSEq)-zX&*3H#cf09<& zr}!~%?%23A{&dPJp2^}9FT)~t#RuFdhecn6w<#Elh_i^01!c16qIB2qCj0aomHi!x ztfty!C7qzg1aB5Q3`RnSUwB{KcKgEhSgwc>KK#Vo(LTs0l6)efrts$`Xil14 z;jbUyzR1ky@I?!-6wpAVALv`if7`!q$|Ox+umvL%QC8S$v;7 z?ejy5ofiEJdmuS6c3+%jpg}n~c3~YvZd!auo<6Xj4i6t|ilVuTH+R|QewjUFhbFG` z!##fZGJfucRlxgr8_J=^m~B+XD}^z9?s2IF1vr|Am_^7eLS_*%gD-x@e-F;+QTnL* zBUZSA`)}Yjn-XPfR>RqV=nV_WePmiAA1k5TFA&KDMj_@w$6icbB$5^_T+m`pA}>X0 z7rAvl@l}W z1-k-PS^;2By<{)*qNqr)pg4x@C2>U01&uDjhQXMJB2=rxnxU3EfApbMwrLc;qG*Dx zdtAjgK@~K`zJixx*&gTswQqQlt0l9fDxPD0Ty=kHa1^)fU(3V4qQuFbTHdSvb$ifP ziu1853K3^{1&6`4JlHE02sQ)_aX;{qaSL-6a$W~RiVXM0S?^P0=OYT>TGsREW(Oix z9T9k_tRvIMz}%EAfAdK2ihvg$9kbvMFvm47xMJ6DMLpLZne%^0iabr4lJO^!G{ba} z?V~Jf_#3)qzUnYno@H4j#MUkUh)6j9_A%~*53m9~$G?gi=e93Wf9>g7{-TW@X*HUw zC6+K2`P#=peOmLJs{EKVcL#Xiiu`x%-2M=)WK(Rm#`>kof3KO4pHv~vZI&PY!M@m8 z8gJMKolSc4q=2P`LssP*5XpZ!HG_`ViZg&V5Nv%+FL*`@&xkVuI)TquuOH}Vpn=Nd z)ZBdoeCSuWd59jY!+B0N4)Fmpj?Gh}pI^bRnG7SmFWV|F*;LUGZIJPV2WDGk+?-{V z@A3nir{qWWf66x*onqvpZt5FwO&AO4+GFsb<-Y20$BA)AoR58lfG9skQh=Cti2n22 zNCQ965ES5_dPLXpgP!%%b_)#IpUDPgJiv^=ak}vs7a(eJd8za7+wELtX(~7nl5X;} zs$ZUQI_P{&^pS|KfOySlP*3eYPuNMk`e) zz{g&Kn{+`W9<)272kD{b75@4jSa8pwHB=6;UHdB2ubFJuc4h&+*uZve&t(GXp(k}# zezwaGZ2oz`SA#Z*d#Zk^eH|4PFjtf?uE{nk;1sCMxQ zc}B#Of4o6)+rp$uh*@4i@p~*qC(_!XQyelsR@p;do@#}$D4J&M9%H^*q83dyvf!r} zSc~1)0N1=|f?4Zio3VjZS=VvBxy$yn;?D}PjEX`nJK&9Bzx#!gtqU9@Twvy+n<>|kR!nj1pg*Ky* zi`alNB6H9Twwr&%n{*urCffd6lE z^31?GP({?h3V46aoCdk8F}Y~+F>H>FfibuwhDc!G^PdR#%k#w%@{f=|4kB#2&tzYk ze?P5R6>&KE1}faZ{lG@WGtI(XBBe&eGEo%XZe7;YPCapx+l9_}3x3oNUHE}k;HSO0 zTTL2fUBzXIRb~7R4LI?$O2w^PCu6j3po@~xl8UR6396UISCY+-#OD3&l+H);#ZAk+ zd49PD93b@4?>(nJleuJp=wiMcJ4Qz6f0GO>3q+TCF3bO39=#MV8b}%mc{ba|s2G`I$}j>M%u5myVQ) z)AVf{kT#@5MgAf;r+={robh*J_VFrOK7%`zu*aiF!wu)eehLN17 z+6JzG5t>Ip^wsT#UBHko%u3z)%=Fn|Zz4G3oUb>%^P9}|^qe?Lt53Ieh8-FG3N;o{ z`OeBD{~VQlKG4%q~`${}eK(8Bs*+LLviVe=ogXwOoW> z)H|p&(VQt8sO1M_n;&1eAvIXNbbZ~@zq_8yX>?0$d!)8sD9BOF2FJ#_k!0V;+ zN5NzAoUN`49uT)q4pS`07~!%@UCd)K#)t>NmB5^}d3~tY$ziHZf9lgM_{6_JqjZot z>$4`Rsb)D<`OAD%RAA29{8Ht9j|!5iTvR@6^a}Tw?P+tqu zpkByPoJJzfQR_;w2)4+;og~QGckG){)tdws<&)xgm$W6J7M2WFoMl@w)u@tD#96l` ziy&ox6eV*TZ&_u#f9&bYGGRoRrx|j215ARS#JKjBh#eO~Wi=Tx1^w*!(qmUEDeu1`<0|SzQ(nS%v#nnb^R}*e!9#Z68pWNaeXg zR(LiBe#9Mlo`!;K7J?RctTM56rNQc~D{NY2Y>OuLY8h^liq3rCk9mxTtZur298y}X>qkP1UOWG^r0GpfRr4&7UH@U+Jd zS@VirzGIhR#;(iFeb&Tyq-L9JGTIr$m=DG;OvbBt7>!fd%_b!K7>?7}OxH#0 zs;*+b8>-@Bz$$+LP2d!l65zFZJ~rjP{j`e$UY*rugU-9sF&?W{$V%{(;}|K`)ttl@ zPp~O5e{VS#IhYy2?r)4MEckGHP1XOFJ%2!k!RG#yG?F>{J*SZwJ854KGs(1!fwZa_ zrgx5Q4igY*W_m{$xP2GI3nB9H9$P_&b^tDAX}G za*sH7x{Lhu?qojNPBtFnahufnW)8E_N}u*#e~d!ru^*#RA^WKMJK{B!`{oHNEs0&zSkyTqbkw&hFk&GSn6sW2DseD zf3(+0u@TrcU3yqWb+rLmoPB<>ZB|uT8p9+f ztFgC)l`>*ZwPYn;$HPb_F*rw&V!X^nEF;M>;w!LbM?Me~Wn*ojXS4!FIMM@# zj)n$S5weODRuQn^4($!00HPEJP}wLnxi@b1A?7+#hip@df*e>Dzc zyONtneYUs`(<>AEH_kR=656dJ!3{Pefg3K!Xn}j_{tGXAcLWE!4^-7|PuR|lv%@Yw zWRu(lI*jJn;YNlLXXxr0Fs6>1LqL}ctksw0uE?tF8$T<+Dm+rgj5JJdSY(&NZ4iIJ zS~qXL8PN=ngtH0K@^s2E?hE|of5o}u(of4}1=RR@05@k1>7YBC`2iU|`x+2-*uSv9 z{DAvAmn9t7c7P#Gyk~Ps?0GiFQ+#T25h)obbH|fX;%bZ@<5iC_&g*)zoGryCFM@Z( z7)1&roapI5`)Yo5JpIy^1lcn!9}m1sYNz5f3YT}38==?9*Ni(BZP#0y1PsMQ9{=~QrEVz3Qm7;AY8e46y&{jKnh7vAtPC;K+l^YX5&n`H@O zJob%Es^=IA@cD*9D#M~9e*`?-I0Sb^zAKEA|6J0HWvvMmmJB88mRuq{K?x&tk|?I8?(ElXXVPl%ga$(W4wG27(Z92{iI zB0*Dyo*mS->BRmt%#Z!+4O#W|8Fq7s*Etu4P* zj~`BEdm6U`pKoNC8If76=vlzJH$;^WP5zEF~Q{F-tFm8 zjMQa=U(qgOe-i-Jc4QLB!q)ld{pwS}m7aNpHvTwK%<*G^}oI1ymMrdgoDUJJHjp7WaDb$E4r z{Pjhv}HW^1K7 zfkem^&u8+OJlCu)l}%|5!IsjP0Nc1c#JqHx*#&D#TcShkrSvOg@$+F#WwRJkcA_&| zvi%m!Zb<`VFSTVS?`2Dh7QnsyYxWQ}{9$Zr2a9#7e^)?7&z$>ufaJnY3e*u$)8p0D z3n#R%*k4aYF(LWaUxWAT6OJS?zv$O^DRvwsmA@rA>^s}4;tpRH4>uF$Z~FS{2t{DR zCYuI+#=vx_kPr3gS!}h+$P%80mYH7!CR%-_!Wk?*;7<$CeWAf-mKkv5RyHm`oACSF z;vFx%f2^V9;Z{mPgP*f6-T0ACrx_bW9s;JcJILR&k?;+RMSvIXI{Nf13TAj8x)M5F zPfvJot5A<4_;80)n-ZQT!G1>su$lT=peqw&3V+*O$q5EVUoUZ5p?#l%t%=@Ttg;E9 zlXib+f7_kaIcznjWAiq$D$4z zRI7}{bNg~lWI*Vwp?JL}nXDnl2lmI`G!1!hH14h&LxVKrvjOs5aDGgVz6x%RzDMaa zf0_y=sITN0uJz_n7V*W!XTr`X!q$>SLX1&gB{z-Y|wxtqwFVYEFIMq$hAv zr!4H(2jgTTB%e`_pR zdb;14jbcRWWT)$QZ{NOw@5`@(deU=Z0>em7%zEWM8Bf>tvdkE%$S0X}`4Kq1Moxj| zr6|ft(LhcD$MbmS?xOXeoGe9@uZjk;B)A;0GqQp~Lpwa zD0iQAB-f&F)SG>!-;~${k5bBwm_ZLP^rn`2DAN3FvJj( zqdnF{_z?-&qY-Epxp@CFrZ*ZmE?UTa1h=WpDLux=1j89(5IJ0JXN5c%B9(0u@F#j6 zGsl1z?(?xi5w(#@W6sXiLX1O1Y$IZT)-gaFQ|*`Z$RjoWhGlPwF33i^f4aPdFVH+j zV%%b6H?x`aC>`wdLtTCkgdT2|~aSPgWlna5)IANTO_ zvz1T{9C{{NsoBt$%w`4~e=#Ov%VHi2!OjJI+cuu|;YxknOtlVswRvAP-8zhk=&I(i z4s=-5Mfq8WE5&-KiPqsSmvHhZk9g|a(=6hh5?o@=CeSGSed=SfDgm#Na7_7`2&S81 znVg!EzuFE98K1){Q4gZ8k(RF*J@13Y)-T*_mOVjw;=Fm`cGJN0f41El&SO^lo$9Pz z)qmkeG-36&6TTHQ547Mrc#d%vd=4iJvwE6N9%Z#dhu|-OGGdtiu(hKF zr{2FEB>43G51T?B`ena8L-R8Vd4!q$4i3Z5Xyu`04GII^UpIwMcztnnag!XA+q}q| z=PH9^fE)MdLLuiXf5o9nn^+CXD_Q-ft?tkh2zuol*h5m~$!(F<=TuKCPlHQ2M)s?y z=cLfFIPLNav{Ofp2FEqt_h^YKE6OB2Kk$wm4UQYU?*Sar5jI}Yx2C|?NYh|iE44gS zdDx#{frq^r_OE*nu<#ecTIS;&@D#kN7!3+I;k~BYBdD9re_dMQ{@FG!vbfEg#Y+;e z9+tSRy4-l+X_ddTw!|>v) z9;R6S`0?Yle=L1N946W)PZ<&nI`WyUq5|--#XCti(E@A$`$8TNEfOD_e7u_L@nB=c zBkPPV-9fZsUDUqewJkcHnmatP+c0C?o-n(SaYs$6#fVTNK@-&!M0yeN4xX@7H|qeq7DXUADRRX*d|!;VD|=;GXfA?YC$NX+f?XW87&{F5pu-9%@75y6Vv$UUE(*?HL z=V>sg=R>m3H_{`Iebd-LImr)AeHry^^0kT*fpiGGY6+&Rylj6L`K6v&Gn}Xo z$I~Fo_V@eT{W-VTr_K+%B5O-NyM=~;d~LKwe-3TQ8LYI-o|yUT7iX+U;F@Z)B4r z4a93%YjnB6q}k;gO(%UsH=kw`&-dq0Z75pb8wZ z6kP|q#ZZ3hPUnP{5`kog^jN~2j_#Zfxk21e3##}=RQwU|cxXfgxHE8WZ91Y%f0~d2 zxEJA~g|N_>+oLaLfI~EZyZyT?onGzvG#I?iCQW?aXr+B!J}*h$gVp`g){ei zMtS4vjP-=zdfWzKge$yo={Z_be@p~axoHJdZJ5ZRKrOEK>ok~hfdV9hXM5$G^e?B3`w=O=p zy^cT}A#sGnxKu2qTA+Q8mENU(3PBkbVTn`A&90sag9Y{tD|-(`e}|H=w$zK|O-w%d zFToB`7m&A6_=7=b3TC&^GPz9-X?b{|_KJG&rdewJgj*j}nl4KOF# z7H_?hT&LUk1Rt_0gWyH=f9Et}7l*TzegU!@BAd$${Bdi`Uy5C#A+R7r@kgpHw_6VR zc1-3nagdeCAnx`cbEt;sPa8U*q?)6%29qw1U-Q|N(R{ge+PHkJ&FU=Etlm`l5polb z?+u?pzi0@+N#W&dNjJ8CJYoS^a&gra$!+kp)^J!H|}U!2Q6ZrJf-y|f3=8)Vy$Y4cr5>(*1meuwM$PjgLXY(2A$|TFxoYkG;!z*W>ls3 zuA6ijd%Ih@V^&?@Y3oWEfVj>o%d^xxA2S(MX;YT>x!&ARPez5JdRCZFUxt0+d^@tP zuxtd-F=_5FLhH7y_Gb684mhBRyF~6tH3B<;uG#&Mo%`Mze?XGo>htIlwW3F~TK+6* zPS9_;&#GNk7fF3*IFf!DWup!bXU&%%fNV`os*MIq(=FsAC zH_K0g9BSRXy#jKBd3Z>AJYJiotcR^_k@Hb~UI9;Hsi4APJ{U?Ms)>L(~a-~^!HXhRO`?24x1#~G!1x*;Yh5{cN3G*d#R&J=u3wK zwa%YNU<45^4?7>gMB$CND@ccXjWwLn@3SUJlP2-OE@-^a_XYKVeBk#(k>l9E&UUb= zcQGv@e^uy+MmU;ZQ{8dx4x%G*9q+RGUYe)^`oez_osvsCl+}4()Ruo=^3RnsNN6V? zm{8vfr7EB=92(vkX_f7=C%jG$X??n_o4h$SnG%2Z5mI+ zjKUYOB1D6j-3>$R{RNte-um_FXyW(n!9M!Doq9(^U;eLf)42^)R?EYwDDd|Ma7V2$ zn+D6DST+1@(nSnJltImX_H5CBSMnUi@S5r{2E+_7h;hr`vS&ZUjxWHR=ryl^UK5u$ ze?X^Ien>B(3dk|zXLmh8ixYE~0xyou*_9CI=6sd8E9>TBnxHVd8b6k`?^9%r(s>Rw zggm<@#y#N?WlH;)bY@k`c1&tiq%@C5n=0AB$OiUS+4EQKn`CDO&uiljE7p!#^>Or^ z3^!V(kiPgUyz?>Hc_3ADVO#{Ynhe9Ne}S3`!$%uh8@-GoT$Wh}T6^_@UqJTAq__-z zA3qk@!X)#_CoFEN33z=`_ool*dhIg0LcgM2GH_ujFP%WlFzMM7T*r<^hI@hc%KC;@s z9CAy0)Y(3PT<{O9gR=UZp*tegjd^7!ZTbR);59G*mCDTsoAN$8(D@iEI;g|9%c>d8z$DWyfx8k=xMW$9sg#= z4W4sDdK8eB8ykBM=J0&Q8+bX&>N!SrdE%A0D0e$ktTi%tFAI#!*P^zd5E2O?5!sY# zM?y&C3TN5Y<70=50BrMne~BTB4f1VSVh?q+VUv{ro4jzs*7CQ2;Hx`U`|vtAYoMP_ z@+E7Vcns>fywBJ>2TQ9~7+7~D>#pQ2H#kTh!P+8;vcm$G2<)T9Z$so@B}W`@bMi24 z$q1*oa>Xj-M~Zw$#Az0YStZ1v!Px}d9TZmN*o3T2@)W`#+aJZUe^S~#rjfQIG(0V$ zh_PVeR>85js|62P^H^5*G%#0k5VNl|oKux!_Teoj{9Fu<<6WW4EWBP%0WQkX)+he* zh9`3cyWj-p7dVk)Yjsfv!_x5IF+5%60gjh=0hIC_u<<4xvmS*XiZNmoSh2aQ@+}^k zq+ee6giHr`r}VhAe`Qe8G%zE9e=(lK1BCLz3nZh8gk(3M@uk}tAUd@*x}lghR1_0- zM;NOBfIxr0^2i3uY@U%pfEY9-Vn#K&qztvDO9>VLS2H&up_m6F2g zJBc(t&m<5;st_BXQ&OdDCdKDu^_j-8LQEvYSRkog@iKd0O2l=3xOcKuht>rc4^W2$ z5ekb)m?OZfIzO(FX9`CNn}k*M8{7f~j>F)G8z>kUkfc#Ov^8Npo@zwarB!x1Wbgxb zv`8399Amh%q$-|c+JBmgt?~LVKYT=m5Fp<>izL7?werJ1n7}L@?R$)EBI#n{#pguB zVs}*pDA&FUH7TonmqQQ(*2AY+lWksF0||f;`zEvi$JD}&k?pAvkDeS?ICU=wZc`TS zD1|)nBq{Qop?Z#6@j2=fi*p`oS%4M}1KIq*qhCOLii$N08-F0MUr@_xW1K+AnUwEP zR!EJ6)JTzPL5q<#Z<8W9z?Lj+V&&O6mUuAsr<4>)NfvPYXvvN*{qO@TU2IQjJ@o1q zzL*ZMgbcCf!)3Uj;yvEr%nfUcs$3=2<}QY`M-O@SxJuForg)aF1hxDTw`;?r7{%jKncF(78;BLLw=|#g@FsysSC7P;Swm_-xwWsC8Xj7B~~g zL9f^E-2n?DE1w;DAv52Zw$t+<%-f2Kgt%xNWO}G!999+&S>>~20d#bY%aZcS3o;{% zq;LyZJR)NDHJ+tw2N~4#qe!akvC5n5%vgjJ3z|=-e1D@pW@&bN+Qkofotv`iX&yFU z5__!LLw)sOL!prn>VY;-V_XYJE(kVHqgLh^Rwkg_#+D?Da{)v_+(~5=6|5bw_iR%= zADc3^tR~Nejs!*|FdAP+R#3vAY@1bVj1==Q6_-FNg^Ji1Hnd7KN+k&3`QB|Mil!>h zhVVAoEPwT5i5@Uk5pe;56Bbs{X#j!er`T^c70S-FsDv^iA;Ss=ok3zl%n!AJ&%@&HZzcEmzbA}PfRsbRmt3I8IqClrT1|Bllp!gs84HVbd^ z^Fvc4*-(K1zO)3sw6VnrbRKX(#FvWDX`c%m!+%%_UxHX>O^J`iiM?QBFAm>u9FVVe zB^z0SS4L7C?-G9Lu0$nV5F*Jk;)pED)cJARu7zYEfwwGOu-CL9;I>_X2{p#oxRq=P zl!C(v2qyIyUDBqbqVdE7sb&yRReU#WIB2tVTHC2S+6`Qf#v=mv_G^lIxyh;~mW~Ny zkbg1k7zC?kV?}VYVh#GB}MeGJL@*@>@&zm|?+tZV=zGm*To6D-83kJf;pUplzJG)e@u`Vk0g+x?{ihlY4<040~;WrgrNj%X33BHy^ z?EwpSP*B<^u&&qE1zf(gfPqoeq8LTZU}lxCgBtY;e6$U{q&q$?&jnX$2u^n{Tp({0 zSF^d`)5nB4K77zmdO{lSi?x_g(ti+7yF?~8w5@KL3a)mkZ9oe628A}Tl2^OKt@YIG zgMQeIekWKJIlW-N`N%3pIorhklD4owkPV1SL%OzHE7j0w;uys;+3l)qXF6u9h!zwp zNijO6=$_b!T2U4}>7jN;k{)WYbLWF2?Roq45j-D~eZB#Qm&c?^X`1eiNq`9~R~O(=D@ck$W86QixYX+&jL-IocXeIr&7j zO$WD(czup-X%P1hZv|mC9@-kB-u<2*18oeXJqsf@N32jc^1~TwTSVHotT$EO-jrdw1AW8K!P7pm}{YxDfU}>NSo(A>PIA=K5-(lGRQsw3eS0 za%>)-bQQroU6%O32JLk0zG>hBY(rm4`8JYGdcklGQ4@S z{uuq+`sbe(M`k{Z9%Dt;eyNq?gV@e7Z)kFFb2(M0oF>#W5ZfoiJGSqAD?vGTh!0A{ zpA^G!M4N_n4*Sp^8WBNH8QW&44Lp}V1S@vY_(^B(j5Y13wOa^??ty!8(wfUR14WZ2 zX~G__2k=fiY=2G_1W0=JIt->`Ks&m_au@h$YC#;Ss75u}=QZuQmay(oc&gE(CLMZ( z9tv>ENPrnbU*HOSlgZwrj{VOA8@bSSis7caR)Rw$IT+vFu6D;9osb}*w4Xu>;fi8? z$!mAmOa{0tq4Y7Nk9Axm``a|}!zsxSrMz;-_*h3=u73kU;S62pyTc%knFG`wy};Zn z_5v^5p#`K7EpC%T`k1H9UCgu4duY(3#YMJmku!2hN6z`K*fDtEj92GP<{f5^w1TupC3gZsIWNcP~(qYDJak!WkO78Ie#2bd2f78ypbvfH2@phG%;E z$tTAUqTmsL+vHUE4ZM*8SAyV&GawQ)hDKRj3K+x=$@?o-o`YL;k;-kLyW1S`S@H{} zBY&xIM_XJt!(+xpBF`J%eHAkrxF4{_1YOG5Xsz|BS>M)cS<}56M{$% zHAR6lL@9O*9-fz#X_EX^(dKw5~(5`qL??{X77O1kvFycU&ZE4AJKa=dHtQi{`CE z{^U1zVD;N@UQh0wILH}+(j~fC0gVXg;c?Xl>TzNkM7X|Ie4-hNQV~1Nt z0qBy;$Xc?*1+QQxf}#s74(J2tG!njbUgJEVkP5g@ZKMXH$DD2ORpQQQIj#MGkDP`! zqxKlz4^an>@rS7G<9szb#nZF&NAaXY8G)bDm-zbL2n~AVezRH`h@X;~I5^%&)Ti6q($9}YB5q01A*8+Zf(&G% z{we})wz(^PaRLo`hJUcXKFCm(10>9Ay)SQbc_L*He)@9-xHc$8=`j#-$B7U~1Y!rp zeVuh=g9Q8QNDUlZb_C4M`I}4RNz_B`q)T*x?d4A)@rJroNSI?@6$0NE@uY`8-1o`$ zK8bIu^4?!3l@>QelxrXKNEdMou8{XxeHR88DCLvW7WpGa2!G>v1LqY2^i10&0=oOO zLg3$*hh5;OQz6BG3+<&3WF&L$Q1;LDry>w;ONwyYOE0)U<_z~(*3FI$WWo@4spV7M zE%pH~D4p>KKi3l$-33^mr`TudT|)F+eV4fG3-A&W#`OwncZIZ#5a!+3Nao(s7zuIz zDG+gonsyP?5`Qn;oYEP3=-z@%$S~9Pf>6L?he4_!GC-U?nS=qd$SL81^^l98I^Jko zQZ#aV=>_(Xi?}?Fa3`I3P{A7yJ{WKMD&~6zLZ}HbZG+U3gt*kR33zxQ!mTq*C1J+- zlW!RCDmgeDAp5Ms3#h&e@dDb&TD*Ytd&x%A*%4Ek1%DW_M~?BnxPQIHz{A*>GP*;JVV81yO0XV{h^my^bE{Bz z%zsuAMpMd@y$dKj-+Y_YS!y3)ngMD!c!9-Z(nxRX!#XFCvIq1OfOM8l$(%aJniOK^ zv`*@grU)5OGEGy0CsiOu^czH>vCJfC?<^Br_Wr|hXQ@TxuKwpaVSn{7sq?V3>7{(|L7^7MUKAmry0OAAQ?SE97 z8GG-D+BadyjR)4cN5R-gijvSmL-VJeTFyxUEuU3~j}jM(3P$yj9;BGBgEJNH4+rO^ z*VA@8K^sO5I5hPgc~7CS`kVk z4%bs-_VXbxPj#@iJqG+OQH!Q(DcA*SSSMTdzE&mVQ)UCb@vOl^9S1CMAAhx9I8{$z z7$L)m108A#k((cq;*=>9*D-x0jWShrb9aW2&q%3EQZ=A(&*U~KlEVfJ(yXONx8k#Zv;SGw6Vo{``gAWTm)f2GzD|uBOAR7|<5LbC} zJHBKqVRl%pbgU?AHM?yyxYULCMZ_;s_(c+$O);8@;x#VORe2_^&fExm0xLvEAX;46 zAfu)&;=AV~`?E<7&VMb?Ww4SAq-T#TacTf$*Q(Lt8PkDHPmad|28&R`^~9&)K@uBQ ztTO*8o>pfa*!-i#V>|WPS7VbEF>G^?#4|rO94eC;flRt~0GYC3LVh4ykB5CdrmnG z>C%%3A0Sr`jkDUAyAoM;Kl|`~eCW>!eZ+UZ4;y_w;$u=Jd;LmF!#)Np{%KI+PWZw? zIT4pL4of60qBXO#A`>}|geZ4#O_k)uh0sY^F7Wu)+(nGX_r83r$KhSZd>o&L{csh$ zidhfvSzly=5q}{J2hcC!)8z9_;($N*V1Pq*90zdF@Nm8W& zX2wHKe4C+H>SXLzA4wkxd@gEvbk03BC}oE|U&j!py?-B;u*4u&|5Uhx^mUXT0v1$W z4@-4AH2FS@w~i5IP4N4CaLKb*=BEy)j<)95vYOyWv;>(g(_%DzfF|@2r(Q8?xfsNL z+kk5V9&s)aU@(J*X(bzAl?Cf9a3Lsj1*}r8kdpGiLPqBfR|nWI!xZ%+Lg5H`lT_o| z%UZ}tNq@;KA(X%*$b`ZX@($jRw8{_LG6=XrPo7lra+(qC?R|h3y~8V&91pGx*xB>|M)a=Y=Ti`NFU%bg>QrTqRo+vis}--|rWUVkS4_wp zQ;pZNC?~NEwfl6+H)^MpX1AwZ{E*iu3JJGyJ9UL(6PM=*9Y&K($0`l)$_3_V{(7y^H;nxo}-tPQRyjrrpj;> zIo6JNa8^EV<>C#9!IiGs=La^5Vg^!-nWr&&XeJK97yAvN(qddO49n&uYE;J#7qzYO zG=FLV8?;$B z`t_`?moP9RK2E4jeDHvmWHpMPKTVQN#Mwj&9A8bg`O~<2%cv5_B{tP?@Vv6?M<9o) zDft4@tlm^Pd-d2TID0ydzAt*x6_8RGzJH_jJx~%3DC7}J*5HJ|Kyr{SBR<19FNY-` z3@;>y=6&i;3~62_#t&8v7}s`qF2hN~=`sEKPnGSmC-!@nAF_J6E6ZI0AK+0}@D3dg zv?Qq&ACN_yEFzi+#El_y-a+mH3*0yE!nExciq05x4-}73D32%q|}f{LS4bPs;bW_SZwUzy2}`F;Q$5FbW!-UJF5&yZUiXCGb7(il zW(8GO16n*2(=W7Z!k9%+P4!a-77?+C2$PpKSm?U%+*hYVEcNM>It&IZdSRhuCt9zV z^mzAeqb^~`c|Ndpq_@1iX^vH1viWGPf^W;*G~o50R~il-RoY_b#%W1fjeit;8nxhX z06*@Bj{!edm}X8{x?4g@Y>!0okev-UAmFF@aAB25B7wkwxsuM{5Pd%1<}ku7PV9T{ z7?YTX&>3*?4^B*+r1Q7r6cHYCu;MXA9P-_nw5T1E-;H6{=fi`UK0ipGmOENJNNoWC zSl3YHn_6V}vA&>CfuECS%zq=!+zMh>CC9s*%^WO96r;72s~#ogwe1u+LKRd_c<-LU z8TRQ6789JU;yG`e80Lnr{SZcv$`KH!ii9jHu=1E4;wCFHpnCRb#x5a#;W{ObV1X!V z4tp)Zd&S`-T<1^WSWJDai zs}<^Ge*|~RWl}sQ&viV$il*0F@S)S_oK?(A{q+;LQaf)k^J- zZP?>KzP2(P5djrF@%Djh>xRfFBb4U?4E?3Q{@N`R=n!FtytCaR?(lU`Klm6JlE?V=#Kx|bzZNYmor4xvez+N3#1Xgv zW*>*DVWUNVxPp>@#_+cvR4Lm9s6(1x&BVkh*Y6OSKH;wh)aK~sQKEq+NJU6By4~zo{6W8CgX{WLXCu;@#C{Fjhtz-@U({>} zg@a^aC;e^P&_RAL^rY&lyg{~2J@M#JBt+r%AxK5j7;anaz|&tl2HcZW6!vNuWl!~( zI+peqM1L})54}0mUJvUq0O}}E{7;i1&=aB|EUE^d>>=Xv=(Jtk11zxi*?5ALeM}@^ zjG`X|PaVa|D8zRs+_d_Dsy%G%CHKSz;p%y>5{?bT+ORR~{x1+%ZLaqRzTGab4*=z9 zhXNl?rLDsrO@PXi7>zxcxJ1rRMJx}eV)R4qx_`C~_vLX5WIQ7L;a|@pnz0=b{Fv;k zvxr8A*+GM;vuWx7Oc47e3KzxK#qn*vN&Xq3rX7w%MY6>gXPSm&`DEnlepjRl4gM;86$8VvWS7AaX|dMSlhm!D2xI0$D}D3N%u?*%Pm8SC zEEoGMIWW1XHm6;{$>+Ki`gq40qP2)dXn(hc5c<4GDry>PE6|9EsfBs7^#641aLc;g zZO*m5J>^BZy3G$sC45j6q20SeV8+DZQ?kpNg}B*aSHcEdT^9y^;&!V6J`w~Up0n?< z#(Mo;WSPZ_53Vy(Gj}Jmuu%m}bW++q52&ihmSi z#rC0wHt1AaDAnr4U2;eZ))E@IS-Q*Y0-?sp3!2mm_JAQPoT}*rZ6O#cD{88;unSac z8U;h81+SzNS7Z-a5jT&eU6!oopy2{5FMy{}OSy}Hp4_!vc&~D=k0Qa~3k4e}n0KLd z3}@ZbU2>`$**|qT*N5CLnpH4rynp`b-D1l`h{Qv+P6B+3%F~#JqLxvXsGt?Wx@1jX zq^)EYK=*b0e`mc@oIJ932jkX`iW=58N`>2F+QISIJNAq>Wt^V&M|2L3 z#W%Oy(r3Mo#e=kk#rhnmwm>&xUJbrM_-yqdK?k4L#3KId|NJZXKJekSh=0Rbn^Cz? zx1D4zp6@z4q+oeQQ3KqopMU!4&DF<+AhCkv#PMIh{?-+lN@9bnF&}= znWXS$eaA(y{u7+WA{YiGgi0BENBuz8O8`FBOQwQ_fSbNKK7{I6zlbF%=Ng@2@Bvy5YwRPY|( zW()XmXJ?%;z~^-fv8P41*k@s_+@geH*@OHatr+$dXY--W-G4r*?%iY!DU{hC3^#5e z*!2-ZVr-a^VH_t3purS0kNF`jA8YsxccJcPz z^?E1`dUIYQOXF?ErpB5lVw^(go^S5NBP)1;E#Rvli4=50K#G}dD3of3cD71^F-=Z$ zf2*=;yTFKd3duy%0+0zJGekUb4KBWpZYw0W%i@$!Bb0 zXpkTGccSM4G}wz?d=v$XH5MSM{+f+Na(~qZg{$Jo}Z3cqEhSVVkKhtwT`ra?7I6hRvVb=W{V9;|LzR35Bv5fI4iBRIG$ zc*XjGN`FW2_)rC9vs)3|it?J)^$i1 zYvS@yJjbVFI*4?wiy$fA6ZtC^dFu(05|btZ&JpMQmijUZRs%N{bmOaCc3?xZtarjs zl=3+){A4wo2G_B&LYqHUy-#R(NrV(X(8U5SzH(a*HMEM`g6N-k{{z)9u7cdNEVoLp zH-EBZiVhBZmfj5WdJJy!c>;VsZus2(Ba|bfnEOPJdsyTDTn%*p;DpGSUwqZJ8y{#Z zO-7F$D?j1ZBfQLC!Ln7-cN4&ch!wv@690)cI9|#Lq#%tudv`V-{34PB*HwmNn5?s+I$fdiZp1l!kAE~0Hp%8LTHVH5z=SL>U%W&zqmcYPVWQh%gw zGHJvKUa$FIUR@`(Ji*vob8KKB8f%j0t5L2}hrK^=K_i&OpV5(F|MC5Lksa`WBzxcg zq65U!LhwUSeP6Z#DxSH4sz;ln5n8|E;x(1@COCf9BF7Jk!%u8~S1E8?NkYhNl=jJOM` zR;p5E@dJgzP$q(A;XH_|lY9|~)($~%kjfDYI`cX1~Y$ z)2}wL+u7rFrc%9m1MM6mU~ahi>4)VrleI+2>VNj)}yO zVN}y7S*e4I2HAoxpnroAiBmNwYIYwc7vLG397jIHR5^mm5Z2#>rB`jS#_I)KGo!%b zIF! z0w1{}=x@GT{6OK;GZ;So_~F$R?5S5-4K7Rmh8g{ zdqSMmg7O0Md4F;3uE;JwoKq2CkBa>DJ6NlG1n&Vlj*(^$@^Qg>9+=Bhb5_v6A5s6m z-?0z-ZUNWibq0`KfwIYXdg3W^NcFQ}Zbe006vF@CeWSPa78C_OL>JS{W`0#r5^D0V z-_evu)gYheEZRWX5d($!y#P@^ay|l$X?^S zkEh*WJAaHPFJJt5{nNX@n8o9R`SlziBI4Bh!rf=j$0V=FKa&lk??j)QmV4Nc%?|0Y z%=H^eD#UMQgZPacFgU&;gR|v*;jDs5Fwp+OdS%=(*;UDYaV=td{P~yH*Sdy*^RG^m zIy^PIF-|V=Hs|vj1PZwRz^E;C`!?P%f8W7eMpM_EflBz2~WEG@qytk0|x^SDS)cKC!|E>2y zBZop?S@WohA6+L12Lf`Ec*U|}F;5B%sI0A5xxYilffPa#p{J_I!e++N$9|zZg%Aw33Xu?SclwQjjM;`=w{BUX3zVulVE7igE~%3XYiK zmR6FCMl>cxR%{)v>Nr2p*K!0aRY&^CJkOpKf63bgyIZJMH*wJ3mQa!9m?i}7U z8!i6`(6$~ga{$n}@{`}WBJn?~MGn$2k~gF$t^Gu|bbPEOuN{PHLSQ%(@mEMr0X1ap zs6VaPkitdMkc1xtBmeZ=3dzjqP`9=E>2fQCeYkFJxLeRx|U5*esggpqXG&`iM%Vgh^@8E2l2aI{boJ$%?1KWW|msSxpa+ojKVAgAVyv;SQ?@ zV-7a%fQ<)YPb1?OAPgjs+JQk04=@dz_TlO6FhG*r3QE>;2UZ8+sVy+@wv%xIrzFN(PiMzzuusyfQ9Wp9)IcUcJTcy_6Z5qzpa1% z2{!N-AItmfu=w-8{r2%M_=(Ke6mjG5jRenjUnmL<9}bv2pG3sjaa;OLm76 z7NVS?m|3*X3I z>7mBRNyW)!kHJ93S8sk=v*Cv*vx}v`udxXH>MXZM$F~!@QDp6s`;p!-ChNE})EGTC zf#9b4rn)oBp4c-r0gRv*JtyZD21dDb*spct!n;-(Zd8ekY}#LSVC?e%S-FU1-`-(l zA9nmy^?xItYz{}&VWX@@!}sh_oSN>&mG%N!R{1W+NlYD#Qsu$d8hHuCMQhlP@qVDs zl2yQr@R}4WQ~0!-Vjb>pF$JJE!YWU*7y?sIfhU=?*q{glUV9^QaWNaCZ*drRf=w(e zLBS`m;j73{xR8Z@xT?H#83K;cb0mTrhC=k~t$%6=XX&(WKF)!6q7dqmIKlwW56$Ve zpNb)Xe9&7$cw@Tdg{Dmz5(=p0K$!kxkXghBP%Ms*2f~r`ihm2x(HjH5ori8G)9 zxq|0LMlo6UqL^5?GE)}0#{ikv=N$_tPO~Q4jDHw7WC-EAfxGVS@PJax=Xel)QEZp* zI)4uz5RkNA1Ua81)NayTz4DBNJ?Y&LNCHHf9gFfAoMGeU`3UjAdIdxAqaVC+xQfLjSv;p0 zD%kLPI}jOhDC^%MLbh&Z(cY6y$gjT|Mt>+Bk`LmSc0-n0J$CKhxkbLk;G~HNcROS- zs3IITw-}8y!LXB=98d9Vd+}Xf<9Yc3zg`96_A3=GexyRq>+vqpC%@3#?uP6aF%Vd_ zSo`AjPWiaKdVj*oQF|{UhJ!a!Z`Phny4o}rb|@E80LV_W5`_Vhta z$LwJs*AK4R4Non*`u%P%s0dKYETZCwm?=K9`>aWDPocxpDz80fqo?Jv`OT=u_yaHR zGG#!ZIRK3Mt-E z-`D;KwMC`F|yauYWm{ucZQ_ZTN5 zXX9L+>sV#6t>bNx>`bV{ZJyo-VmDLl&IJ~KrFY%!4*X1Y1`fW9>*wZIJTn6Xmd0lxLkHXYsFQSh45)IR#k za=BP>1(!F!ay%yNB2jm;*mP*v@d&V0tmV|O=|Hg0$zH4Mu@k}8bG`#^?RjyNJp7+; z_Q1~$k1E-2VLgStcfF-FbAK&)9s&v%yinm9<2x72{?OP(w|(iK+R_M1qn6sCo9#=C zp--)+$&H9dWEI0FZc`-*Hg;k3s$fk0iSp=>K5}vu8Q(s~`=q{~Pjqz4KJmcO2Lgm2 zVIPuRf4DFe2=I-FuMZrN2V`C_l4}SQ+<~9JrDVnv#@@5p@&oQM#eZ2^&xnb0jex5a z3LdYTD42Ly#n7%J_2rbBa*{-aU4-nMg_rj;iZ1U*1s~_=k}!?Pc!zYyhM-mc6k~dw zSXq6WAemT3$TH$Atsvn1*c>_o9|xVKxS6_ODb}q6?w-aC7u)i&i&IX;P7ubqSVgJB z_Ha>xi;F05yveuE^M6Q;I5Vr@j)POUNXceI7_M97hiy4o9xhrSC%eeu8i~I!V^I0_R}giJ4zX@RsSS>$nNq64`29%m>CZNm<-w74L;los zmJdaDJifweFt_M}Mb}ZMb$p+(L3r6{vY7T#IV!%Sm56l57(|RgBpLiIdtQhOWY0U- z>?zqF`^nNA1%L2fRj_!&|2B{1cZ>DwwFvK8XRwjji$RBFVjl_bUqjLej*1fQQc~HP z_IBuLQvyAhOl%AC@Fxyg;U5Y9k;0z`r@U&bL7Z%?_LZ`lJ`3V7OM|D1( zayCbz--As9LlrfPAknldT0@d`lBM3UZ|+ z;s4*ETr_!8WdHwH`ZSU@0ZO7tkxx>aBhtpBO@AWU%@V200BPkTGDLP#LF&>xTDgcc zkez&wBZ(Ys40Sml2bmph*&40P`&k{G(l(A}VYG_WrfhUf$2gi@(L?gKwn|phEE=;X z+QfBJEPA9-9LbAllc`IgXiAW1$$DrN(MyilNq=a`X=vlwPkpFMZfH+e=)he~Y-q?^ zXn#pYXcf@QS=h-+sLMELWhOEbQtH9}ZNn$ASAl;QMB!KVl!P{Rn&gH3+=SY+gEpRR zUczqvLAOkTHqMsZgZ7kyBT2~YGKcxf206(b)BBCeF=PZB&-16rs%I6(bNs2<{G1Z= zjW9K2@-t-U(U|C~9&+#uBnX7IA`#tLGD40T}!E0Q*`p={1RT)2QdlHJ8B zLz4)`B`KXbZ;Mr0H@k~2fr}>PhK*w*eOl~kTCAB@Mg;Uyw2Y)+G2{#xlOfWIjDIIt z8Bmv-rpm0J6<%d@!Xt8!7}$smB=%e*h6Exu#%hj{K^75Xau6%WP6iP*ONc)IhmDt# zA*7!OM3>~l%1R^wp==+@dYp!;J;0@1q>GiMuigruviS8UEa4e|9ah3(k@3RJy_153 z*o*8HoQSWJaUmxZN}_r~_Q|HKpMN}saH6gdSlee`m!H@F&PCvIgE<$Lehr38Qf>}c zWmL{_yWD5tuk1e#_|rC|Z6RTh|d557HfpN*}S__rjgCr$R)G|epM-};lAue#T}wh!ZpKiC~lX2Eq|a~7k@Qy z^-Im3i^N(D#9!f2R$o91@wb&ZKw&}LTgdi?+FQ!D;8Y~}tas~C*X=`-)@Mgvw=Kh@ zwT6z`|)Tsl_x8we1nk5uYYjLq#X%vbY4V5`LMebx4Tdl6uo^Y4Gd*RtG`Lrktsr8 zOx9a6k`XlMyNj#Nqn}>JUOB=!1xLH<*4s(z$m{H+S;Ter(lpW}AKf;aRw9lrSc}wi ziH;;gdEA^1UCY3HFzXeSY{>S8bgn_DkQtlHF7~J9l+e`s&#+tc7k@Y$ogKC%c;9b| z9FD{)o_x3kqQs~i!5ec9bHa`|Pa}FB^oxdHsp&90t>vZA&^cAK#L{^S0jK* znOW;a((rYyeFic8lQf022ZVe5)4LIzbK4fuw{n&|JQ^4?X=eyd!1$T1fd|+GU<%7$ z>1U?G`tSezue#H|i+@MjH3yRRNR?&q z$x#>_+-HH&^0o~uIgn{15hpw$BM%<%VDiUL@VUa%jL%FSAA#^2T(n#>vuD*EEZwwp zz1>4K8M$0}H|HUjYwvx&uJ|Nea@`Q2~#yYuyGoa?)Zx9{+ zsN_>(KYIPX(;jk;f-Lz=OC$TN+Cq#OBIrGEfPW95!Kee!%(%mtI-v*(RXAAYtPKKttOP#^y_&nvGlSNHAt@9-?sGfkV6=W5-v z_aWQr{kK20zx(L!!Vi>(>;EL>U*93+(S$~G&pQ`40@QXK|*Ajnl9kc%&eik0yX=-U6;p%?~+nj*J z`x(?w`+R+lMnMg_eI6_(TMx7k2pQivkxb=y8hI^xeghEc7Ip@|F2#oF|Rl63*M=n4eIXOHh;}0 zVpH|Wx)!hARri%&82jHVyD|CKQwY<(BmiAdtkujXO4b^}Laj}US3lN6tS!}T zv{EY|ulzQ`jS6%h%%7(!>7UKZpR_X?#&O+i ziqeM-Q_gAG(o-%5#;RSr+U*VxyLx|ZH$=_pDHj8QVyICXT3Qxi0b!X@8XD4@-T}c; zqcpViEW!iAGov&#%veGOglzFBP0zO&2%LO5r(ih+a0*yvsjXJBloBZAFiT8(9DifY zG{twXDMlYQ%xte^OV8{W7;E9HCEW4$?^WT~raXlq!A0SKOB>Bp6!wPi6DFqR!fp|N8r z4k(TrMWLx@86FsZ!6-_P(-;VZEM9c5UV{|fYYNea4MVlivZaS=42&fgcz<%DZR5&YhGRxiXy{pjMO|l9Q(dqnfj|raqJ}0Q zU=6)jK@t#=A_Rl<-bFy9_ZvC}#DdaGC=z-RDU#4dQ0j+N0THA~RjE>a5!ZX~->mav z?#%4jd(K+toOKz(uWIOzHx?j5#>5F))ILCVQ2Ri^JZwlV*xAK68We5vzEZdy+%9S- zpEQHVFcAj^s_9rFqi9hf8Ruw0&%eEJ7h5*F_ITX4Lf{s!Z2YIPBoRPam)eSf*UbHW zKl`2%VTu#Si_g7hapPfpNb^uzE;Nv@1Ksk@jvU&nD=wMz40O>vWl}J5$JE+I)erOV z_t@Tz4^?N|R8!X+HrJO;gP`_=B}pm`1cP{GUo`ypy0KuBY1{oL!ocjKty#M&9NiN~ zb`XgFSFN?G8aqIOS^O8r&;q=@8qNamkKY*(w>!m&XbYA!xa!IFjP`<6B+B>(C^pxs zukeEAzY`U121t-Zyw+>iUL2lLeOi!Wo+{8LBaPyg`FhL@I{%w6R zReRwJwC_AlYgl!uO=LvP(R{EvuW(r$5+^`|YdOxfjyC*oM~nEP-YECV$0VS`6;#dC z`SmF4LG(<+C^CnID+xn#&=!lJw(Dy2r`tZP@Do(5fq2Tn6<*X&H@e(~VlvMU>QSR+ ze;gdaS$89 z(Ram1U%xVH<=|lKn-R3f7-U$|+VP3^RGa0Wigo}v**InfdDK0GTS5HhZ>6#@{%kX# z(-o8R@C$aQIr$`gD(qGw+<})NcbHdVTK-0W`0y z&XOusNd_gv+05Swx$L80C(yLm(X?ZQwX4uotIuvauNo6*33eL#&Z{N_27;9&Kp4bb zqX*l{BT$?-`y@TBBPTu^h*7<-LmL~1`C92l&EGC(`2#?W7`s3>yWLP#b(1sh>URX^tcBG8OyV9baSM1}59v#?^q(-(E6SOGbf}N^UezkE z=NCqM?)oQqgi}XRZ zvv$KrEMu?fqJMN3O6hauG~Y^WF;1cm%15jyS#K)7tr9|5*CmrkhDawv;+W(Kyg(p? z(Cd|yNPBhBh&Vtw8A2Q1ugHp;Xq|fTT=~tTvN~Z$#uSkt^KUx4Y2nmb1v*nF^tL$t z`&`Uz7j5KWn&>!9+s_DDS<-=RrPQx-pm|R!)7B&w5AY^7K$~DkHBRu3k?4kx zZ@p%v4SOz<$+>h_h#ml6S@ey~xz{QQvqnyS5tkM*xp^x7^|b;)j+P{dD+u9!(@iFP z%@VhFP-*k*HC2W#uu^Bt#VMJ*^A{rDN5A4Aa`?XQc<=25-zf+YZ31qk?a^C)nht{y z9GrarwObz5STl)dh+lN{{fCT+{T%$F6Q_c>C&tz>#uvhfqQMHMj4yQv(1UaGeXDZj zlhj>7r+>T*V)`#L?uv#RuWYHFZg-Mpwym|W|D`)lDQTZpaB#Yh9v2*w+uneMfF}Dh z`Rs8V(Ae+^mKv7rS52{^s6I)RY?MNWs&V0)5ZQoBjN)FIMIq}~wnKa|RRgZq^|;vca8);X{?*!);&f1?Sqo;uoeK)r9)~>UxprQ@d+}vnydF_^@q0dhQcl ziFNwZqv|#F{!+J2c`?6h*Y!i1Ec;Rddo`vs+YIWxKLCrdm@fJ zDT-oi$kclwEFBr8T9fS1ZaFU#<#t4t~cCG*w61 zHsB2uAu_O`fpg2?*(KzNps{vIF(Z^%GFC;mj~ww$Pr=<}e|m#de{<%XrH}>sQs%5_ z)P43s5@S~Z&YFbhDI$sTT9X&|Ln=a*yv1Pac^RR^s7#V-4*ddH` zth$kGfmXG+{6u|-1ay_Bzsaa=z!xfZ$iPOQx~zaDSCB)3*zTnYMrZ|2ha}EZ)FsN- z@z3#1GG6}LU&pmKYAn#@nHLse3Rbz_MESnzK4XkB|M_tp{Cpi*XHb8+Vq282yWF$0 zZ53xeUB-5=(HE5COSp$D;AfqLAR-dL%_2R2$IxB=eyg&Y<#=wJHC z2>pob(XnxSGf2UsC_u2+PRg zZ_*2pck==TMk!f_ne2#Iqbj>czXe=@@yDo}3YKWetlV=^F2*7Opwj^a7uI5j;dzMt zyg)IoFyT`=J0gvgVrdg-8fJ+O%xYVJ$yyOL#rSwD!aKnmxUX(*v^J1q0@j^cJ&exXID-nT@>NAK zqO6{TR8;CS$u02yCQ{mns34#tM!cnmVT71Iy|WE2-VpRI6;gq$turKgZh{pz|5XQX zi4OQz9nC-hBocU1o*T=Mp{0}ZyeMNIC?OG3!M(TmgFuiVSenp4aM+thJggCReq}%} z>>xz=qMjI0TTlP7s!WD;Bk_(h!|=X~Y-w~O(O;RtkbK|SBnYG&1aoCAzZ|s=L9PoF z;)n?^n%D;@B%)CE2$RkO=6^xFe+jsjTW>DR43k2neEqt+G}+h0xN$X;FWvF{p`dQN@QZz@(iTA#^$rluHhlal{SX z;)u^pg4N6&GSI~{pcV{m+%+}8piLT9#afn>a99p5&ttLl3%7 zPcT9Cgm1YbDvbbaj$K5Qfb*__@DiENx*q-TahnX~Yy=)c+ff4>ef|XwE`TG41hAbA zGSD$;>|f?BPV-q$qEDEYzzjBI{>!|*Gfx;mUJL|t)ST_3l?Xg0LhHPlw9Yf~B3^Tm z9@I@wxQ{HKY2>E6%`IO!VpnZq{e$oON=p?mY?*#JfhF9Kg?rM)gZz$8wdE+x_P(?B zXI1EL3>Hg5^V~!7e??&a7Om7L67NK(-ivg3pQ;J1zlH5Fw^_(!6I~U z5!6pZ&;xdP3uwxn!mm{#KnJq^V4nV)A-^>agLw>=(LNNSdn_dXX2ho2Mnr^;B22}% z()ZDaC_EXW?h70LRm%|rrN2*3pnm}a|44{)LM8WX3s_4_x}dR zbi$cSx5r%l#h5^6nFy||mGe_FbgnX}a$LQ8*mN}hKl&3nXXXZvaGl8c$_IYy_ZWSz zs5G1?4|s$&J$HbE4h@;X7=SV`aZ;q9S*eShgE%$%vv4N)*R3fuzH)~GUU1GyVd>ef ze%tV|sp3l(qV_-Q_);9R?#WLx21rvxIxekNz3m$eR(kola^b93(e1>~It7+rB_z@t z%O-V_n_9+gWC5dN?;}PE#Bp;%wmGw>8T~R?w)y@h`NJWjeU#JY0U+C)OgmlXJysj4?$vwUvVcM=&>a`pyD(k5SBKjZ5&9~V zOyN05RGStZSWfHxBFg0Jd9RWY8S1!MryY@Ler^>UkT8BYwUGMdI%8;{a(c7Hxz)Kr zYxcv~2eJTJdh7%6s#Wy&!!Flj-+Psb+7T8%Tekn-rcguqw=S|5L;gRX;W2doYjYo< zTFf_mU3Hmn*L~If?YiT8&x7j5%!B=&Y;)?4TXL&uYD1-D`n0Z@Xt(uatxV>=1;0;8 zMH^j{07$Q^XbuP+MBO=`Y9{=3R{o`8`WxRD8VgroW1_mR`mQ!|%s+dJ1M5D*6~$>D z+z7CDkHH^(HCXl>OvIi~oj7mJA^$RP;w?1vvqkxJOWp_ee$C0a?Ht9sF(ob;lw;?k z?_bP$Sa^5j9;n9s)`)@rF_ZgGE!S$lu6f^J>dVImG2ciLfVm2fuit^t+Y(Xo%9Mj# zflo@zr}aBVhmL+n^(C9;&HA5rAw!@QS?ei=(u-e{_p67e)A|jkeX`4r{{y0o zixV@%$l5h;P_75L#PxQcWDde!QwXqK9`Yx<`Iy|$kkP!q^-FWdsfhVW=T!xxn3bcM zo7XKxcWaNsfxh8+CDFC^^iOL3Y+wE} zGR>=(?Mqr&4m|p_@(EcCD&56w*dJkC>#9Iucyw@=o9}}M38WH>vy+ErqxIx+ z_ThtXOOm};)8IbhdsSK8pF*}5$`$wub=N#f-AN@WOsiwl=YOm(U*23>JP2fblhq7N z^SGb)l^b3ju6yw3c)R#PpyASJCwc0)g%w|A!StgT*9faf6XEp`EE}&IIjA{^=}uK^ zaux@cgQ_oD9u0&R+wSgii@fuB${U)yKlJCr>6@)Q3sx~lF(E#U`x^cG3nX5HFGa^m zLJ9OaJk&cTOvOf|<$`^kJJADKgA|N@Uox&yZb6)5;z`p^W&qaH^C(PH2BH~q5jXwr z3CkK&%FfY;{NCo#?Xaz-ndRKYP)-G5T`gGv|8ae}E^v>szc$aQ*L$t`p6ciCfz4Aq ze8WFVSAP3Ud{2MyXJ?^v-=U_23F;pqD^ZRmD`BKhxh2rK$uaN6j*^YpU4`5|9Rk;^2A$Q4AZFal*-GhS^YM}2W zzPWsp_}ICBxWdB5=2=SS29!gKWBh9x8m2}&O8a()?^g3FR9p|4w3roEl1s15l42pX z>!|mp>TSPWdbiC!GMsTKN~iZx$R^}?qe`*VcRTs_f!c5=qN#7#ud|_^ccq$CcN<7d zojt!^VPzg^Y;KgDFY?MneMM>}(6_vy&Z%Wv;kyOyPx3Rhq_L&r#}aQWUzS*G)=p-u zSG0LI{0W!fmMTw=UwQc6Z>HTn;9Q8j=&I+QUEJ4(d%us5raQ;aGh5YTt;2zi=JbSM ed7d8&Y=jv7Iri{$q}|r8-PRx4EaH1m+y4NaH9tK7 delta 121431 zcmV)AK*YcHiwmoZ3y?zrHnBuY?0@xl-ZVv)t2wXoFM0LXl`Im;@=%e{jer*&h-`#n zQ?qrEP1KcOHoAK$HYX*%c0qMGk;a#g0x${nhh*c~1G1(N{Grej~qk zzBdgFSEL=ckrl(@JUxU^5c6y+mA3i$-oa8oMfG0a;eOu0s%5w~BTqQvKB#?6P<(>< z1o7bllRQIC@i{A6W1ZUht$!&fYd=TnGkWacm-0wKDYN<{Bquxe5YF(`c)w+k^uh=M zGYIJKq_rHHu#r!EFCj$JEI_2c1tR+BTH|4T?OG{`_lN{pq@*y0o_xT$k0(w*oWG$UQWX-I<^W1AnF845!q3w)v(a z9dj(qN_%~RST0;0Qt9h+oS zzmIp{o7nZAdvWfEsW^-l2xtp1^aE%V!z`Jl%=wm3E|$w@tK5dKw+ZO_=vU`)pKZsmoR81rrVgYW2RCPMw zN;dIDsek54)4gHKPC`<5=K zRoktFz;B#I$RDZY+11MI4u~$}MOPtuj1y%CfcYFfV-V#b&?}k5t5db4hm?4~nK-~$ZD!^vX9TtvU1`zt)Ehh|SNd`-6 znqdjfOX(iUe1B%@Et5OU*9$Gcf5zTa&gRvCsSNi!)K~t%#vn=r`L<;)%3&y-fzr05 zHzI9v`9T(ilta;r1L^hNrJE-v9S3vHOFE&oPc;yLRwog#%ow0{a7&A3yZpXp6o(mZ z1Go*diw^MIT6A$)k)nIZqkP%yN>@Py2cZ`iI$5|#{(q^fd}BTtMo<`z=fW6)4?|dT zsZ4HfA4LhXv0akRxg)B*3yRh!mK#NP0jKPgaq%fV=2*lmiG`G^&hj_Ti}jJGooyms zcL5Md<>bDHdkaN2 z9m4e{d2i*NHNC*?>iu5GFMZ3aYqJ6gvO-9KAq9pMD&!K2hZfuXr|TtPq)}uK;Hb9G z7;bMhq{ySUXvJsiw0-nvqJHHfU>wsaS>FWs2TF5CWl2`Zsw6Cp7Mq>{L=P}Qve8xC zV8$1Jr0TLngZ5iN-z)C zwYY3OkZw+`WK#Dh9KFR%0&|D;Om^rNzQ`};xH7qujq*Q5*If?4y=Kwn34i;U{_Fq# zZzOUR3}38hr8v@tYsVyQUh?Ccbi?@uIb5!{uH8z5MxfMB8i9`koc$W%C8VQhxaHxx z1CtT+BLcSPlQ#1*4JBM(XmDM_HMo{Fi?@??^B)Q)bKJ0jco0yhZIhn!F#^lPlhN}y zf6V(d@eF1?PzU?{wsoejWd!c-*9b$Rb?WFNXfT9)7eBDNz%CN$BWT|=IHqhiVsW_y zHI|28Hyi#lh^9u4p7_<7wzz%&ANh^z%`OFW0Ah$JIHD2VnH);+88$XY0>^;Z2!85g zJ7Z((xb>|y05-PTQ@}p9J2qc_v7l8rf3@KZEdQxXc@bNWgAG8fVp0`zKw!;(zP1;h zB5y24ZrO>+3%9^N)I571JqClZ3OO(gh`cnF`FCFKq=jPRzh3ONW7Rf5rx9v)qtocu z)SLJAe*dt)-7q-+)B~A*2`dxxEk}oU<<9c<+!Qz4-p^3vW>{m}mAube8={!N56S+Bu&)j*pzxsJ_pcRwXZd8<4aS+1ozbBCT(y5e7sy!i;<}RAJ<7 zGLVWG1~XY7l|YGUmVg8U(P1;`f7YnfE3veP&}iWFn``tznjeQ{k2V(wJZc#vgDsFm zrzX{Y;T5ioX~M_MW$~rEt_ShQADGf8~!Y0%Hyl zYy_w!eW?hv;c$ylB&W*Km~#7}6=T{p11j+AI_U*}Xlu0oog@EDOgGEtpj~|r3BTqD z+_M`un9=)~*Y;1M>bTaer*c1P>1#Dh+C|q0gVOH)(RFTWK%Harka%nIkGx4PO}&FK z3N9dc&tW5i`w!=`2dDS0e@@!8N-)#?#*-eNfCvB)5=0mvGjKuVR>htgWpstHQjK1? zK<$rPz4uY4n*o$e&P04#!n9D&$tiSh3hN9H?$4%iD63Qtd6nI2SwI6;&TIv1kfm)~ zT&gRKM&Wl~c894w;SFBx)k=W+HhehCpx&h?l?k*;nfgY%m#iK@e{Zc4^m_KnmTEZq z%PB0jI^MFTzTtQZ__*CymH-&h!wlI%sZ~3CgOSsh7uj_piB?QPGpUW>s?k&)mG)xI zo!H{>@Ed3&)DTvvFD7l5mhxHi@gkpL1Pk;R5lIlz9A^mq;I+j6E}(P|iR?a7c#iFC z!I(-g)dFn@BYyJYfAR@qCG<*|vba$`FE&JQLSgmmcrw-!ubUUp%hh_7HUKwia;TPj zOUCG-${9l`yu8KElGGv_18F9jk3_f&LXBIkeG^|E6X=zBPGh7MveYh|pT@!E>2-%z zK7;4wDa&528x=>RI;4a%fb&snfLb+*ZzB>55wxeiiF^*te@9|h%O`QN|HX(L(@Sz5 z&qt`Ly(cP-Y=ZB{SE@jaH0%hn0BEUIZ>O>rPjh4J@(Is9{c(77UC9S{>n>Jr_asKH z;W<2ii4No6W9W1rAitzIlFP?V*1*y znki)tS3ndUt-H*0FZoycLxp7a+v!r>#1JaV^Qk~Me^WwB$>qELOKn8GV*B{|ZQY3J zE`c9DVAH+bO9ww48DfCst_V+{cUkhS&d`ua&3St%!-}$o;YP>PETX$oo7F_N6z8(k z$Up+uCi`8rQdZ*Kfw@l46h>+^Ix|hOH3IiPE$5VmKR;)+zh06jl3e?RdtQm!=jxjg z74kB)e@S*0MU)1y$bV*vx>qQ5OHa91I@ZfdP>)h=fVBK)Oo(`F1~u zYDqFsJ0e@9a^DB@P-plD^H{4}6>t-YewDv@LD&3xkW*BW3{KGz*(#O07e9tlw<>|B23Um(Oh|v)BE9nGO@4WCLm%w{CprJf6EMBnsfFK*{`dGDgFr9=y{u4T zJ63mVJ%iD@mZNlMw0#t14im{TRkKz@e;#o9+N)f*Ga_M!3GOjbyYv>k0LPQ=Ff(q? z8B{k+J}v$nS32_zXu}xL=JI=8@~XjSC;3Dth^{AnBHbJbls9j%=tTSW{V(2laefbf z{1^V_ukU}+hMhQblu`~QEcr|E{V(2lz3gsTv|V1oLc9O=8xg5?fX@)MGb?oUe{KA5 z#puW966}+DZKcFFr`JH&t&T$Ne$G7|Ko3t4H=$GHkME%;4JQ%-9OsCvV17#`!ZXD&9`;j|5Y` z@1O{y>vIeLAe1Scx5Rd5T`h}ge?1iJbbS!M-$g>;I_D0jBH2xZ2H|JQX-pPCoLbq~ zW~J$;i-f5ZgFDF(S} zDH!Ytw66~bQa;ogL>)B6@RabK#Sw{M5(CRy8lMD^+-_%Se5w+OfwflJaZb(It1;wd z$oqPgZ#tS%0_mZAb@inVn}ubzm)94QG|v>#Qf%MEfL#+wSzoqqFzH(sFsOi_eSBwf z$BE0KH3XQgyre5mOPndif1?3zRV!5p>Xpq?di%YoGFVQ{r^L8|AHu@QZWz{NaOQv9 zQh5of{87m@tLqP;OWtmU}3uLYWxwZ$zW}5eqdp2gRkk~WujEr10Xf4wD%jEs2 z4>kEI9LfyGS1J2;@;NoCb8^B+JjULum#eL$t}~p<31h?|C9me;Hj=;MO+Z#+Y@Q z5l6sMN9s++(M>Qm%&tDDRaDJZ(}=p&lCEYu?rDz6Syuzizdq&RHEJ4cN`s(%d{^?k z!rTYfTX()iWT&u#!kP@8{7sI{XmOwCECOTGLw!QyDrefA5cRP>?ck8%=a|;$YIhRU z4wN_-dOw;xheBISe|i;CZMZTQm#S{^YH=VqPSKAP51Uwt^6r*qk*& zZZoKV?NB38vHNPtgvM3Q_)!~C&A2FV8ndj`vO`g4v3L`zNCQhJ^kv8vs&vr8aqA#~ zuj;+Zzw;`lYFOmKfPzXVK|z*b)#pY~_WaJySWNy4t=nO;f8Q*#Pe1kwUe})MJ|s3Z z_SMk)2P}Aj_s``0(M4?+yNxQ#$U--HK`bw6UFGjm+%w8~{sp|)L)P?mh>>c&iZ1Oe z2D*lpAfpN$RTH?v%UXu4$DhB-`touSp1=xZXu+Xr;hiyykCu<&kYAT-LG8q=SMJ)r9o`585*n!Q%wHf~FP^9S?|lZ4aL!4fj{6MZ3c=L5o9(7i#pl-*N{X!9 z|6BzKeSVrmD}>!rXw}3{40+6Pe4TOe<0?_v1 z)ztNenxV1tC5$X;L^rd{@U2jb$m&hkCivib;XOUBTer*4GOp0vC+w@zWFxU37_gM`f0zlL$JtkWt5=JDBRyro-wcT0w*a!k5Jyo+JG93zx(m0nN*rf4ZYW=!*gy+NAB58{i)Vus(&gj`1CVq z9gLW1P0-jyweYE@NW0@sWb z&_P33>V@dc&YCCmPh8==<6ufwUof*+f7TY&m(3I!{w?UHq-s`5`B(7SAfm$*nnh?B zdV|9saHtIoSCRL@YeWq&Ob7vR42K4o=kihbdWb+^MI7+uzyO2zQ=Ysv2zqLerr#qm>EuS zm{2RU>GM26&#ra0t3-`MhZS*V5LXE1<)g8&0mjJ66C}&aF5UGU=7p{m6r9NnwTQdI zf_}m^{8X0J+ZUCqt>yQV!Z9ubf6Zdr$;R8}th*yei1r z`bXTN`MPqs!3v{D&*i=CI1NoKY8cqcacLyf7{oydU+8c7AJ{>`lWMnDf5LHvj*FG| z(-6Z$M^WvgL&qf@Lktfc-1ICj|9Bd>6&zyr;T_nieiY?GplXrDD8N}p+wp$^S$&53 z8SHTDzvbsbeh#Bc|Hz-eTxoALy%|(sP+myS0Pw(X@=N|F9yo==e?4I3AKTyC2fXqR zzN>TSC)6sT31HLorH}O7f7Q)HsVb`CdcVTdIqaD2>O_{v&tJ){{*lj$`XlLno_0E` z0H93=vy!KCu*eT*&;+9iMuQ$_L=%W6>JI^ERst*yf>&4plNPmjbx^}7AH=k}VJ#EO z)8%q`G4*x}Y8_W?SkkNQ6uV6$89of^?D&W|p5-I%K%Uz^=(f?|fAPqh)56J`-qP2D z1j6dzz(NI1U-th$!{_Oxd>4#xi;O`WrK8Jb*{dv-S+eo(FD_ViJqr5(;Vt)Y1ZdcTjh-myJqce^id+a=X&27Nr3?6UTYJ zD^Azvy7`32vv`~;9=D ztGR6ME{f@ve>c~nZPBqROI}WH_J`{u;k12#;kIKv4^4B%F{IVa>zz(6XZ8)w}_dP>v{KO|H{e>YBEnm*4GV~MBDp>@t|p!OY06%w=** zpC?5O#9Imsq$1jI)@5;iKyD3MN@ycUj3W9dddnWM7us$LX~r?O9YC9+Iv2OJ+?cZu z({I{Pf2uEIjiSi5qEun9IssugoFn36dpzrkM2~gvKJ%)>tUuZ2fP-Lzzx<*5_qTlT z&TBB<$Jj#@Cr!M}XOmy+F5j+7r+InFQHqCkx)FdAJ!ffz;bfa10Zv9pvCP0u#G6)n zG^=x+NAqo5uF-^El?hD=CHrFY`vz1bWE2YKf5azC^bwv5vH}57D3}vpw9CD}&iyWM zs1-zT5~>6c#??n2d$GNbJnRDksgNF^n^#*#yen%hnttO7fTs2-|KsbHjq&*E+7wS= zpqyK5RinmN9YSqbu<@y&&IJ9)Nj7b68$}iUhH88pVXRR?A4C?yK}QhJWQ@j+@r(&s ze`>hBeg7*hZ=Wf>1@EY#^64M^0%Ru#s6O`>Sqrt$sUQ~T*ZQ6|po z5L$=Yc;;Gt?{c_Qc;20!zi}(?m!hJDe?wpP%)(CaVu20k6tws&_+*|z^bC4yg`%S6 z{6No#zHY3kXoaRQh^%zga&OcSla^)ulboA8gR1AN_LxwLbbNvFg&BWB>}-|0%D;QCSj`Xb8>k zzMe@H7MkDfS9*9pd1@ZoX8Ev9uytUIRl?@cBUcs&^ed`}RFYCTSmdW2e=Nx!ukb#I zFI0Rkv=4FI<>Y_l#j}?d49-Ff5O)ld z*x9$;N8R7`W;m;s# zEa5zbwbPzma;|gZb^>!6Mx#!K}mNv4O-o>vl%tm*sILr%(UhbY(vaPwct{MEHCp7)k8r{DG#gxN^HTS_q0Wm{x6>h@f0tlxcEBCPE8I+Ua@z=E zaOq}Bwn8B81$T0UQ+Uj@!HN7#_I{`HGvUEcYD0Yf=a$Fp8hb6Ah;)Bhj~7O8#L;W7 zwJI2gVQdqH*R=h@5#u-)%VN!&&Eye@njfY}X8Beqr5*8p-oF1&qI<;JucXYY9iDJ*8^(w|tFBJdU0+H#Kpl0n%IT46r5jd9k5dob zr~;}5wqM09DL#_)9U2h#l?W`N_z;R^fVNWR>nVTR%VUO@6aNUP>RIgfw zgug8hBOI&UVu@|@OWcM$9lRX=*m_fH!jhNQx;$0l!CO#zE;MP5o%e~uR6Tpt=?K;$E8m%EM4YJ+pcw_EvuVYDp_AHF7;go%s~1OjIn0)aq+IV?9} zJQFScZIJ`h-LHpmqyH?r7M_23mBpopz=8uC5bpH!JD6)P%P#RXPBU<_b-%vH zzBw5pI6S?$iNJs3f>TKR*Nqj{`DuzQ-+73gf5Heo$Zjm}0PWsmsi7Od+b&Y7iC&Tl zX_;k04bE2m-gVnWo%1n_FCczDyJJA(qo(U_?XGeFz|b?`@el-wDEHI@@q0M~8Xq;d zTFj1Wa1k4=#-#C4Lmksi{?in3GKGxgP-nRU81i@sqN$ww>7lu$D*k}RON}w5W*0Ta ze^j5-fW|}34zu${dd4&HJZ9gGHFb@wO=FAR9(o|UP|-DsosO<~sA;3{$ZGR4$Gs-_ zQG!{YI#}@}&MZO$h@Pk#h(4lpR0`-Nva1KOoQ``b^5|-1XrV$I7_JJ`l-eSbb=Qa! ze@!WBzArH7NxySozT$S)HJ0S521>pOe-?dlv>@#1Jw1OV^~XnSWq=|Wg)cNf5rFap z(?>Dy3EzhO$ldg_mcQeq5E@ILVd^I?1Ct3DN;J$xjN8d!p&Fr#UJnD&SvUNcejBqX z$rRZWc(f)hNQu^Yu^_~0ZthToe4t>H=3eKV0x-_65t6^AJvt3%wM}~t7ZClme^N5P zc)0-Pg%X9H|33%kBXP%v;OM!x?oo%o#saEN1+kAHEJpVXb6|erB2CMj2$FFXfG0R+ z32c+NIYVZI5QmvIWC_qu=&dR0rsy8~$kWk>FkVtrq3Jzs^Zkm7W=RQ1`U2vBYn8%X z%fj0ffMFYMIQn$nsSq{BSXY)Be@W^dw_N?`0MZag<)k&)yrimYcfSLt2v#05EoAq@ zr3I}!Qn;ZLZ%0vr8+}N<<-j}46%~OX0~-5O4etH^@ge`j1{90s!-AqiBc!Th5(hQh@p@p-G416>f9;>a4IR;` zBZgrIHET$}mS$N@^g*2;^1?yq z{-K+S)5mTJ&p{&m8&M60!+-4=p)HE1-Nz$^ph5@L0QS^flb(y}5|3B~Vq%jcfWXn&3@|}*)pTiYXEgu?`l;GH`r`=@)R-8-2s2o&%0AQfbEo43 zq16#GFnknnjq#iP_O)EwBiKrQcjHF=`v+qB!@q$wfgh&0&8*NCE$> z7u0p-{(1mH{=Zs{K6Q_A;%S_KXJ9WeUV;`ojl^T0hh<(Rw=O_4&z|DA@q;i-rq$AL zFK@ACH$GE`Bsi(jb}r+*u6^p(h8za)t5#2hM9-=5Ow_83e;Q9!#-GvkROi|WUh`T< zDS>vBIm%WvPFA#5qu$ZpPre~dkOv>E&{ITO3VA`5Mo=5ha&UpZo$B7WYM`oo8z9ai zjOOE=T2#$8ZGGRLVy#kE7O-x5xvMnAFbB3u9M991x7S_u@#Jy9Sio~t8GU-5A#E@% z&v`nYDWW=;fA=g;zNHCzl34WS0j3b&pT;z{_B0RYF0m{sol$D{_I$!wZq|Q+>#lyZ zLT5rB#Fsr7SRTq~4{8U)?kuiBf68y|pmzv1?BwEFAb>3ZZ{x&1 z{d;z1%ys+?u-991j0<7p#a5Sw%G?!qr1@ky4H|epfN_<=rDQHL@A6#b0z8-I31J4y zSy}wVNv5dPS(64*B2E)TJ4_sz70iDjl|ZTG!+GC+B)3JmQx=lis*FyI=gSX7je==0O zI#I`Zxm%^`7z+JP%OZoWIQLrIdWkA{UxS2UbRJ6M9eZpi(5l*(FY&0xC-HRSo|wu zcOxs|Mqw3wMB}Jsm(>t^F=19gf9&PJ*sjPDFeLorh#GSlfSy)Gb*;-2bJW?|1nfRF zyGNyKB6c5P&nLgW{|LG#rf6K^1MK&nh z`T2+VH?I`|m$)o)brHK6wWt{!(c|c?FgjJ0>L5CM9KB_uQ|?PvduM7+wy73q2Z>L$ zX(_f#a)oF7Z}P5kxk|TjUCio|?5s&B9zi^UcobSNx$PlDwkN%{N||-r`xb(n8sZlv z)K!wntJiY0<`z2Se@viRe^x0{w=?6t-L%m+hAcCDq4g%ao|rSD>116ZwUN(xm*381 zAun4RvKc7>G=~-xTIkRt6ekt;wyUp6m&O^ps1;yXfnf~<7xMZW5*C!Z8~~2pAAvE9 zi;za%XQci;bWrGC#t6km1++WA(VGcnV%)3+8A7QyIn*Gq6)rV0e{&0e%$BENWS`cj z5qqp`JR@+Yr#=4`n)IV(A2wpTWgj+S-qSe#0c`49n)4JvyC|W&{oR=#loENyh z>eYyefvtOKSHn66e`mqzDXOdPh`ng0LKW7b+iXA`vA=A9?K6na1dsdxMQHD*=l(02 znKCwC*UXe2dD6J4bH$|bfr8zZJR67!J>2kx#CU6Hy-*oqtl^y29p=u@DGfN#aICUu z@}w(wQ6@t}GyciIa96O~l66Bh!N*CyQn}Zqx6vTUq1?EWf1QT{S4?&uh=?{|ZGi7O zWX(k0arrn?!v-T$O_gd8V$6AkraUzyvLBQ>0Gn__+b`v#ULqzB=F9bGfmqrO!n=RaBn~+OPKWTw?J0kh2Z( zifPVHgs3yUfAV9u()lYlf|u9bojA^^u~C`+xg|T6HlO>kLHYB!6ZEpbaOR*FA6b#t zz8R}ovD(d8i5igml|LemJs%5F(8I6sRq?c(Jb&)lC~ce~_O-V|p@VL=0!v1fvs_qU;+ zi%Q)k)WL8v2s}0L8+zFD+j~)^&Es{wDX^+Bhae8FFPTuGgz^C4-G%a)WyR4$c?!Kj ze{xf`e-Sn5kZQvYoy&mM6Z+Oso6#JGQZX<7>;_9boMFMlw92+TbB57`jK=4Oj_X1E zh)Vp>#1BtmIB2>{n9n&%AQVprFzBi-Gf<)GT%HHiHe;&0#%!v(h8uPyPJC9lD{E0kE=PVWf zZ1YZ5W6P~-MI&)4q@a-auQPX5cM*?=jK=2cxX#3N6A`#>m{&!8jVo(;x4X&!40Tmi zDNLF_ug8`7lbdm|x~$@g=8utYa6+?2QMZ$#ZdOs}rwHo3F%)nd_}7&X7gBmLjU^PN ze-VqfY-zE$ymJ!#97aDG`X7^l8Z9EThev?;`$@;IMQcOa>bPFls2PFM2_avdqt&EWTT;P^M+@J{&a+e;4yx{OchadCU=&Em!W~t1tFp8W%#N~L|AS+FSoj59+0idOV6@W?O zs|Xve_Edz;Y6`%l@m191lx!f$fAS7*DD5t~6o%+ArewYvX&Jg^7hyU!y?RSW03L9^n_*dhB4$n#q1^>A6y;)zuVIZvrzR#1=5KxC}G!QWjNga$sf3?3n|1_z( zXJ)A^ zX|a$fWlN1cjxcb9!g)^X>A;JWv75@Z&l~$%NLK$;)Q#OQZHleyX_hteo6*(vK>d2G z*!Zu2UJTv*LplJ9e;hJ3 zVyV9WT7|p_<#Q4yaz|Hzp#_Il6uv6(zF%ZJh`@&tMrH;-37CzctL68bwoA;?3{3!t zt_(9qbhSXBe?bw9<|&+B5r^>Mep5x;L%5)D)a;YfbK0N|bjNa_d+tDxbD&I*btwSP zvnyeNH-HJv5tKJ`a+_cp4|A=f*u_hImNlgO?ojf(r}EdG;boghXh_tuloNYXy(KJX zslyLx{1jKdo-q<~L8be^Tkr?S1|2XV}`ez_(hg?eZy+ zG|w%d@|~FkFEuAl!S6Xp|R!;50TpQ;z(s0^$Y2TdFjUY>ec6$5Hz5WUJ zrYw6h+dZVzIR<@9dFJ~NX@xehW=~xZpEdO;c6wl-rhWrk4BzPFh*?&eLI^%X4TuSr zw?M=@f7j*HVL}`0Qw(~f&=|^F-LqjQ8;eq*pNuiFl<;Ihz0Ean>}N~l&8uM9#*HDp zcb|1rbdM-XChC8!rrO94?s=6)8wn@VUGAowyMCz#&vxs3t$1UnD>+K7BL$IJK4|1iBOMG*X zVRWl>&AUt1AQQAzLgyddk=v>!s^`lZf79Nk6%AD?Dh@Y&%knaPBt-=SpCiZ~1Q!@w z=-@*ZFEtgo(bnZ1Cya4dWNcLxp1lmAdQ4CAY+fq+vdR2Rx!8jHg4F!PzSB$Ml{V<^ zksQ{J-%q~ow;_&2!j*D)yoLNc@AebRqd|ybfzC@PPc=!Ntt7UgLJqH278~>Ue`tcM zJ$PG`d&cNscCDY8M~BciI+aKq%IzE`o&$Ewx~tyB0hkEf==a;}VU>ziToR7rQDhaTe_Um_Fee}egGhRRbMO_$o~(9yIleaH+JA2s!N-jsC;3&U0E zC68SKQ{jaQKj!h#)Zk1>Sl3b|Dcq%W+2A}*z|hG#31f+Go!00N>|UP?ZE|?&&~qu9 z`pS9P>24HTm7e1%K{#JLgDf-pDAqIm%6zBtvYvHV=AtKTH<7B>Dlo@e{rmym^v^_t}= zsh#xhy#IWS2}8K)8gugWV{B)M`f)puIYVbDwQP;v$}_xv;F77vyG7gHBUEh$C}I{x zFbchdQ`p`yCDS1!Y8HA8E;32WE=~>~2em>%ac1%nWpMp+$FSeGe|u9L$pOX^fF=L; zk^Oi2Z~4vYk~g=esA8YZGP*FMk7#@ZQJcJBThyEHKpk}z7%1lb_Zg>;?pqG++DDKL zBulEFQ2L05WEAJ(_6ce7?nM{-_5`UhD7>KXV;)~kt^5$4%n^pSPZe=+7}`E$@m5n6 z&r`o|tfwma1n^@Xe_u_pX5dccsK^Gzq6qHJkooJ&v6OR$O56F~72i4G z?k*L%gux|l5LSc(AR>8d0zb?8RVdsFVNN4L)cj7jF8 z4=-4L{`8NZe>W%#4{pZs#mCTI89hx<@0ahr@FkD%5pS3hY#R^fv3O1ctaze zv4`+v_;CJP^~ZiTdHY$H*@5gCmM{KRJIN6mGKO2HS;m74 z-zbOii$UVB3tW;Fe?;GQ&?kS5bCKo%IL9&%5AR`If8?ND_ex9RLivkFS7=Q`3SDzR z3KPjm8CC4FOb-TqRT&7bit6-PriZ8!!Gy_OmSqip8$}*9`XwD%erZz3bfo-%Ycska zMWK%qQp~csOQbrUKDl=~3#kg)Ut(tcbHwH@alops*L`%-8+1?9_Yp!_rd+33p8TcTdt8GU)b9$zE~KY9`Zi+Lfz^gP`|E{zHe$D5sArMAs*|#YPRgXe zRqk=>RJ9-u<3mvrFhmhy7IeKHyLab%M$y$f1doY{P;$5A$quGmh_C6?Yc+jhh;w|Qx zt*3WjP|q{EC%<3cpAD4Wik-sJiw8el7;zs-dHvAR*vts?U5G>SNf zVXfh-s(-4ay?=ZZf3`09U@W0y4MSTK^HEFaux*UY!GsDn3cd*4r8j_v6uochf6LUQ z^4mbl%ZpiH${)bHm=!oxxkl4h*+oZCZPyglWjiX~zm8e-)C<^(kVX zeCB!?>g=2Ftk)L*{PSH(!CKM|r=b7(0k2fyA5Z5E2NpwjaF{F1kzb*=_4zCBhL0MD zlCECO+W~$iq*=@A74(l^Ll!72< z`cG4I`40ADT*Lnnhn*BPe+Ij5Hzil2tuYL}xbVTLwK*LIfqz`d-ky*D35bUuo}Lc% znPIdT_!fxKWuV&(D4xNaLsAs{*BLI(p{6U_>sS+IUS-Lv9Ogk;WkAk+dFo@^anF`{ zqLdzH3qLCg5wl8O46NNo1W$>0I!^XAdW6SunDQrn@25#`x4gk}e{`arlnH+HQh@rc zJ-!(dOVUDxq>oNB816EZJ@os84T>U1h32E7LO;QBl1GO>@^PY|<0CbT;v;6Cqs5{Y zj@MJPIg!u?AQQ{zIcaXFh{(@bAbll~0 z-Th8Di<01-K!$r9e;+;I5zIp`Aq4*2LdNccsRSq`)c_2kSN?xExyFI*@j{5brQPRo zWFigx6G9qI4LIc4OOqJPb9e&l>_7*v=ez_X@;|WJC47@UFy3%C0e1YC+%a}4%l)sg z0(K?jKHw)~M&pfBzv*a0d6#$f49^AH)SlDwNN@CzOXR2Re`iuuGVXU;x_Uyp#&d%M zdV4~@$1`LWn4i@GfrSR1m9ddmZShb3WYEj8d;(Y=LNmb+?GF#oJ+dnbkzYeQK)0%H zsiWZ_CK#0cW@sy#{9HHLk!@f?dI>KdhAY;$<-Bf(aRCNfD$oJ;CZ6!V-`>;nSN-wv zYb;_;!Q9%hf02$&J%g2ExD6_StM+>9evfgm77oJ;4L_$Sw1sV#c8M%MeH4F=Y!+Y& zjj54CyV0eWBf9{2@_#qgm*#e+!J#n36aLzwm<#*GM9*dGZ2;_p#+ELSZdbmwHp#nu z8`Yq21>4ugoMmCLz9#a#Jfuz4Q&H2tP3}%e>|yib&59WAQ8#skhX9=8hHit ziVhO0Tux84gtiUdQ){Fi(kJ|e0yJs2al%|=>QU9?)?(f-B40~IlNpXLA>4rIeKa-$~ZO)=J%L*u4klp?7$_vb* zXC4nbe^z(qm#Q{2aX9Ssm$*0_JUeUStgh{SR3lw~mywG4nUf=BVXfrV3F)r`n#SuX zGT(sK&xr1PXdmYB!r4&Ya##hq%&$X&xUcp9r;O{4Dud% z*aW*3dbgOa`U$=;@cYe84O^U&cyz0t&Tb55f6toB>=-`nbtPs+3lr&+_q(i37FB}2 z{m!eBr3jWHSjxP@O-=RgLpz3%0Xo+l4U>hE`re%LYHhJw*9!4=-QuOHkX1LK8l((Ar?)rkErH4#WF*WhTI5B&soyjE z5We1DY1VuHYqEFHJ`HJYgx<4II}vIp@S8FBpf^Nv4`saYhzG&Qv*B`S@(V0-15I-D z?r==c%O{HZ-d}oOI6RJ*)v=bZb|ds|u#7V zs4lX&^EAiUoN6N-lfULZKa*Y+s?=$6V3GSu5MQ5+?3Dn2Ye0(1=`Eijuz=F?sz(tm zfp=8aZswwukCuSfS@3t!Sqy25A(}~gsCB~1y8gP~q+{2jd>la^0SN}0Ag)t;v@>{e z=6{AcV|g#QUfFxv=GH?Uw$^Nb2>>%jHkg=Ul*6E+BMOHRP@2nxTqC=^!PqIx1K1rv zE#lxOfHT7L*Gba>=t61h@>`a1>`JFwE2fzXbV(DKDyA+XTf6Y6)nWinrrXI#dB|zuRRsx>u3v4D{V(IxacfLe-vk$IcL{=B?SVLfo+WWgY2<`82 zNmBQ}QPfiMDJTnf7TiJ3~zl<{ri=ZPFwmvm^R$w6%H)h+!{3?~WKX3y# zR+L5Y_wcnTp%~RZhO3GDR5e}ffJ{I2y*sue3UUEHgfHX9sORgd@8-<7F|Eg36cEB4 zTm?n1U3qYiaPbzs0O!=H7h*#A1%GcfP?uJFcW&W`;*`SFCTYw?0h_pU&=YB5PtUn5 z;gvy@*gkC^m3-(Hva$>&;h*r=HLcQ%HmZ1S2=4ALV|O@?PXC$k4jr7K;W@YqO#FcE z%mYG}ry{6gurZaTkh(4pE}cjPk{Z2Antt4$KTaSLwn|?=$-jlOAKWvIMtblI` zfK}An+R{=|602z{$MJ`$Y5vMY$7YVnPZRZV($!yig$cwG8sYRS?314g^|3$+l!lBY zJXh#u>`yymA+aWS%z!o-M1NFY+t125Xf~KmJ%Ap%sG;q&1u(IHtEHRwL47kgDQ%SI zTvQOk9hyHoqb@mrrbTr$lW6L1|B2{7Lflt+0$5g5Wl`luh=X}Ve1=D-39*w4#_0!V z--}D^2>1Ax#Dj~?yrnNF3GA2LfKLwWk0Rt(C;fD`%{|U&=;T-aNPq0>Wx>TS;i*BH z5)W!+1K2S7TX?fe`aK`d141;cI8C5Kc|k=`EH)j{2P!i&o(XHGf3f2M22(&!>$zyo z_o923Rk|-|?txyRTV7>Fbx{+6TT5RSdmwbTuCqUjJrE1{*vrNELgUYA3T5A<^PPYa zCOWcplTLU-7Ycn*RDXEyyoS6U!n&Y?V%?2%8&7%&$5xIwb@%96RKM`VlGM|aYAhwZ zS@Q1KJghqt58)Id>#oI#i0~f$zLROyz-J$W+Pb{MC^y?-RtIrOVVeWeCSt<+g`Jo- z13h-P2)ko}R3V2o0;)LQX?f3o%{c>AG$dB1%UD8KgP<4-)_=FhcLs{#gsP##dg0LZ zv7-%0Y2UkHE8ZB02G&A=UvN$sL+X0!IVoYy@}I-7yJH*7a&YtR4mp?3H~3!C7u0{j zxps$yQs*0d&!}^>rv*WFu3gja{8>~NTH1m?g+3$v0GGGmH{H%Kwco$YPZPCMSBuo% zXmN`vW&fr+nSaLEf!yHNW167g_%)E^KUtd`TDAn#(hb-!@^5+5$of`(cpDVxIy<21 zR2J8w13$|8oR<2XEN{ZBq9l+H9{Y&`b5}HtG{2Ed5p~t zWav+Es(-5mQ8r6MdR3jwL<^u4lG4eV_)(-1j-JeH!o3!&)?|Epmq=xy->Nain0oW` zUVULgE(^74kAKmR|LXS$2JjwT3{X21^jp#I5PqfJ1Vl_BcIs&Z$yW(P%c9Ghv;=QE zxtru#XY%GyT@GuCN{Gtfg29Cbf2Aytfw??YVSlhD?Dnu`F(jIEGKmA3P*k^jm%Phb z)K~IeSoJ&XV+4W<1QiH6CJ$uDf9|O~?;eNsLGkfxAk{xbmDNATJ_Cr64!*(b?m(7@ zf1a583}k}2%ka;X1ryZ0w}F9lob$5DAxmhJyH?YBDL4#BQ4AK^!(-jblb@;<&#hfj0fElbzyDvX?oewGXvMT;bm&Y z+lq(T)PcYJl}}}hAdjs@$!nffaetHteJU;akQJE6KW!d|Gr&OWHv>ps@$`+NJKS@2 z$pN2RUKHu8Z*JrErM0)War4qj$>ZjwaJRTw;rg<%8+aUF`T)@UcTjCRpY)?B@tjoC{c^~DlUHY&?UodP<+(1*-1<3V$sY=1d+|EW*J*YsAur`aOAP#V19kGc{(%(m&-D#49xK zh<_V*V7z$I{2q5S?}$IJJ2ay3_nbS#+n+ll{%zd(HRleyqj^XCYur)uEqPzpyz1n& z1!*g(1B2E#PQVV@t*;aKYrM!blt3s!PzK<7wV!zkgSrnU zm#A2;iMU?yEpN{9Y)UWrapW3I{pK2}{q!$7S*#`-#?af(E~7J=zzoQMs%aDdO}^e= zXBF8&KW);#h}hGHF@J)uodX_!zQl>l#0(?+SeJP(JHVyh=3PQ>B`~us@5_()Cr-|m zcAPsHRBAD8eq_LS_uvKX)7J~RM}7+@=H-0>vIiCnjPvOY_${od8(F-7p~e;y)ed3~ zA`3d`-PLIBUFSsgEU6sGY7F-O`iK$l1cRui};zA4z__b-(0v0%TEq2u3yqSQ_-%b+@-POK)BAjTtP@ z_oh+xRrS94wy{lR1G(38p2K2{0Cu-7(m~|E<|5;IXLCf(Rze7&b|s8mQL2H7xWQMb zY@oym7WY#AR)4-zA941Z-Bl9!bt|V}Y0yFz;&7UHQGjv#0G5Q!+yz+JlHyo4W6X0}p6?~jPNnFB1987)Fm=av#oFI= zEaue@_C)IYg>auZv-2^7c~+Ct>Hh~u3uc^6uCLRq8-JS~AzW0UlebJs_}_Bh!qp=> z`Gk;~)Gcd9=hnW$5EdD7dd|~SjsFIlmn8B8l@q<}X7qo}-T#@@T4a=fB!<&I_ltjoC-D2jy`UtR6UI2ZddsFw@^m>C8#V?m8 zzd(_dJAWlCR_#2z-=s}wZNk*HtlQ1+YtgFA_7Ghqwrn{WA-;!E@Eu1_M>{7&#}R$q z*;ToL8oh z4Q#s8;>za+a;p~Uud|ByMbAGHw3%fpfGo(}&cEG1g)cx%Z{|Q+94Cjis-x-EwRlK# zhfb^0m-WqP-rjZi>3_}ni$B$32GZg-;tK(SAnf?~Gk%Gmae&2dDv>X3aB^RM0~Rw) z@7*V!?zckziGQ7&JcF8eS~?nQ>=L~+LwMRJzX5Bo!Y=q1OesuCV>^%s@OE3@n{$3- z58!P@X%L6;Kri-&lRfe*IhWANb6`L8s()`xEEMrbL12G=#r2}S+4Q>6p8SgIM|-lt zb<|t?MrYm8Z0G^`GC9#pAkhwEmv>NXw`SZ^t#X@AlecqSe--)B)M`G#eDo4VGEEmb zu4Lw;moSq5bI+T{aTOCD{_CXor%lTA`ktk_ z7xMSC$cfd0SJ9RCe6-fphQxG z3ZzUL$M<(jjpE`x;Sa}3%zB_!GNW!27grTOj$vQ0LW-4Pn1=?Y-IaHkc7I1Ty7re^ zhhl^hBb1nVjhons6-39G_Xjf(C8(MBrk?E#qy4|-e{MxXh0?CL=D*oLQY3ms0u_xE zZsKT@Uz`VG9>zR|rSQf!{{|h%S$aEL!Z~*>KeZq zI>yR2@$cT|$-RQVa;RrweShtjUk#(Omc@|f2R&UWeyvl%cW8Y}cxMK4tn4e90 zFFea0)@>djtA!GHt$U5Xi7!pw-sG?Iq-)ZmbgfbBZ<68{ntw@HSbzKE*Gs>A13P*K z(ESY3frPN`xTiYY+nP0*4=qg@pOHQ{@f{r+Uuo*jy&x;FclQeFVTsTDtUWy=Y&}0~ zBqOXxz6FCF{RvV6Xp6HRrhtFpAMg(}WOC=3$3TsK&t!>?e79@ml2X@&W(F+2@e*@^$m5HP3)pZ14-I$65 zHPaT&?xbqY`=fIljY&H}!L&P1v9ypc2&FBWjY?G}qMC57QLPWNM-G~eBc7^(1BR5z0P z%t==qAL3E8!+#T9-3Cq21p!X(@ItA2rDyeqIvv#Kw^UZ#urJ;9Cc%5qi$3?e^s|Y7 zt`~bA68E12u~5V&{wDskpXtB;@BjV|XA~>GY~e=xD|~2AdMl&}lr;%{O!y3_UPhKdhulFe;RJ1*mhHfn zaF#g@I^Yg!iGNW$sv%*D--G4Hjla&Hb=~Ij*G=nwR`kn{8+-J(pVaSmHNp%{LuCzN@-nUuwQlX{fZBH5%i73P#YkRiX|oEe-Mo17JgzXxx5x8)|- zq^^>@OD|rHrICzaR3XbMfT~(c=M@Aor^&Cfc7KEu=5Aer3uD8;+5>w;#Da*0B34#C z)f31uYO~gNdEatx9J8nqUc;)=?~;m;7EQ~7@O1nIc1=rzxE39Q4`c-Li$_fTl5>j3 zea)Oy3p#?j^czpBS@LM-)!4CL^h8{;ZjUGByqUl82|DlT?oZYgV>+XG7j6LOk`K^Y z-G3BW-u|xVg2vwK0kLk}Pb8NDjRSgRfj$_A_MoTKTmCLg?rP?B^eb-B%L?M%n&lRr zQH?|?i}QmeC$C{;WIx*$sHrnnRpCq|%AC5KT>Y=4}=frh`F7O8`{achci$eUf|-A~VXW{VC+*^xhf8B{x^5VbP=+8c)yqG-PT|!)$l@ zU3yBWMsC(+eDU;3_%?R`eq#*HptqcyYMT$VM!u@DS(X)0|C1`H z;OF>sl6yikV9%cFc7}oJDyQ&si%xH4mjLu*Nn}2_J4K<5x z;@}SjJf|XMjj!1>lVz%|XeX`Pzrn`wHLJyp8}d(!GPm~EfAGXX zJPkC4;)Qo1`eEZ6wrMx4m1Dp8blY^yj+&pO+VrG?Kaa`!o>|rQbK{*In+t)~&Bpfh zkf&X#woBaCWC>5Hqt63?(|@x@!opkErr&vTzqMVHr`JT*R2$chjRW}yVuTVSw3s=G z8#sA?PtK*R*~psj?>-Hs62VH;i8vJ(#K6(Q8RlXDUR91=JshpCVJ>r^*OQwH+}y_! zR$z8)Vm+>rO3j?aAXdsVolkW2Eaua`sEQ7g+Do)wWae0pzOq4&P=9*nMEclyt+RWX zx5j*MdWXI|`r4Y?BnL8WRI%3?$a^s+j++WbUmH)O9_ZS@KW4TZ!b+rp%xtD%s48iI#1h5H7EOP?S6q~VJEaP{`d$um?E z#V(j=(caw$jUB@|m_4HCU+UY)PhEfeO(&qPijGggv6@Jx;T__3%d6~H+K2Z$!hfwW zu%)^fkaua8c4_j_)W73o)I|>_7eKDh$fvrzJ)~r=ZQgZ7b$@BqAlkIS5hqu9mv9|H zx1DK2R5hTMP=!LB6%fjubt#skITJYN@-s(n>G>;3+atRHh$3y-i2<;;3zWA`nSco% zxBh{T^4(W2kKl%e?aM9%i))xa zm9pNc^Jm&za^2~n`+{M)mBXDk1go2Nb=i+#pGpbfRGFu8uh3#oot1}k2LJ`lr6s@# z@_HAbS6p7Be5oeadq*qKG|=96G)EYg?=wQd3W9wqC4Yod)gwt^j1)fmj^|DF5NW5L z+@}$40R3`D$9@d;gnd160=?dd9M+5DW^T9_9rWg!^Adn?XGKiDtuEjP@P$@loK($a zF-ew$T-Uyi;SjAUIcaI=fnQ1r;Tqhvk|zB*>SaZQLK61#R435ujrd55^4`$er?hs$ z(Tre1Tz{#R%Dks3^cF^_N7`}vcb<5np3VUKR7wD+{3jH}uqM>(A{+7g-gImi^iB4( zfFI14gZnY|A)Nk8b2}$(-h3D5!xd72O(-@KbiHi&=%}*sBgJNdu9sa@vVNRF-hUXF z0<#Q0U=h*7S-_kEIEBf%Bp{qMUD-;%+xCDZP=Do$L=*~f27A31y5y=FxnX=xdrQy9 ztK{oqxN4#|P@l+H?-8}D{355QY3P|>FC~R?jh5T^b>7jEA+H^LDQ~@xzRP(>@G8Kv z-OHNqI0^@bPB%x?eaB%$3U7eBUO!IYz12;Jd-#^$KHxJ-L*gD3~ zR6*4A1D6hFI)gNba(K;~t-0DjK5$swr9APn6N8gvFeursiXH}4tavov~`s3Lejpns#9 zrFr}3^s%OIRFT8036PTRlTE8 zYzWpzx@^L#zS1Zr1nV(fHUXvq@sy}zmsns16NBpF$_#u!XMTk%V@I}ggIjLvn_tsv zBs;hTT2YR%0~)e!jCdS7hC{>GjeiASwxWKA+fw>oltuTzQp_>!7;s_%>@-CWXA5uP zVm62Mq=zI!M$qBhP>uU(*EPlay*uhPqqCRvoKy6Ww(xwO@{*ejxl|+fMCukdN^C!yvk^%saomdCoQ0t2r`kWamB}ODF6vHmsYK2!haH=@}mY$ z_YzzL2lRQxNR&7(h8d4yH~^bwPrv~yNF&5eYDlozud9i5PsprC$s-Qcj4~jlDl?Pz zZ7H+-Vcj|2DKau8a67`#f`itKhBjFljoPF`G=ER`#g7F5h(D`rvB@ zcW&U#2vqc-=Ah15{7~MgzxzGYxY#4wGi9YAu{7*;Lr3n_Z}LRZ@@ptxn*5v>-^ag* zH0NMy#SFZ!F?~4(iZO44yi}_SW1|960B?q6)}Ce~mXxJ2c0X5X>EJ?EDp%6F1hH*V7n3v@gHpiehJmm()~3Xm@_gMaA}vuBsUk zE(U$1_p-x9cVHuZubYmWj&L%WlOMPXFoSmLX94~e*Ur&E+*CwB2HaYmD%A)4aSWj< zH3<@#c&nvi1MGngDStH&6OaM7R_85m&Uw|j=0V;}roq#1dWnR;=#Rb6S53m_ss9N& z(v%q2cGAeINO8@Nqtm<#2}QTa9mEgg!Z@HG#w9%RV}?73AAAWN&EjTZi3I-*p()AkjT-)RoCAw!LZRs+J5Lj6(i$m*YpSD#R+ zb=~t4$E(Xi{8h^jaLF zN~4=ufJ+e941a5Q^@n`=&$uxu3s`7b>6TuNil3y1utu+;e5GH~M_~)brkCKReB8@YE$#B_ ztU-8w^JFU7)TSh@vLr2k(np&V)!+HKqohyrdM)$n(tmyaY9EDECrF(jb%NCiR_EkJ z@FOuBB`H3VDu?F&w0ZnG`)6$y#fRu6y;dFEXucc&eCAbhtJ}74T@>R8*77q3L1Zl$2ZT!78+Y^1h(ax zU+YGfqi~5%pL+c6K9LUfDeB;Q|DwXcPL59D-)rUQ`ZT><*0`;i^7(Ynlh5Mvnf#=3 zN7uCZ@>l@(aNeRW0lI|NC6q2p2V9)LoNt&nuz#Ypyt5*&&iUKDDV=Q8dja?QUHX|O ze~+mMD_W$RkOUyf|Gl-zKX7~SD5VL*9);iS1kZ8uTxaGqp#$6D(GC~e2}bm2jC-vg z$2Yj9;f!nmehnBEY*-7LypxZ{TU{3C$B}J7PQjcebXYrlQV~UVLLqu2AhOV3f8`Yq z(tka)3Bbu+nkN(5+Ya0b-f9QWinjPCKZp@yLVijhVGp~`05b6nCdwR1HIJu7Echpg z$nUh21uBmO6mi5No=QJqvO0;+>*9u2J8nqC@51@ghM%HTwGSVe@LRl`aYKWsjTNH) ze0+En={ArhQBV8eS27k&yS@K!m+9Sy2TM-DCc!Kc+;>|HTnNgQ% zb&+nQlwr8b#C{Irx?*p z&h@Hq<^57rUf1>JvWZPy=mXMV!rh<1v1B8eLAhFTt20~BUfV++bxp}Ww8P`yu75uP zaPJN6?(J9>m}t6L!d)*+uh3sN8VgKcm%3T&CeQ`KBB+E zd!;Uqp$a{JcKqc&-{C}G5If<65ezHN^7h;mx2|qr<)b5;xu`+(8elP}(@@gJ{uxIq zd4Iqt;m^$>ia{mlv#m6On>E59zVj`OjfkFx-IbY>>-~d#o2FYcw|eT2@x!$ zA5T73=IkYG{ZI1V6xk&QA6Zm!sp=+&P5~@(HS$5+xsEiS>_3cYxJN;IgrD&VN5le& zg+aWaB$QG2+oefi-DeQ=e*Z|i8t3^P*eOO93R!eDe*d(j#nY=MhxIgb!&$Ro?*I?- zf=n{LZVf|(bdC3HxHs%K;6ZE%Zz|cwD?NA`n&7Xk9wiPURO9NLvTZzs;YQH@IuDfyetwXMIc1x8xGpi`0sIS-JrRYMdr<*4f9k(A&R9r3a2nyHNU5U% z{0={>U#%alNrs)T;u{$QL@TESARz<8u}xB!_eP!BlPc>=duVnW$X1d4P2_WXN(ao? zdNonT239vGJiprT5PZ>A&*nC4VI*BAblUtT!f*-00K!hBI5anEc}v=MV6ErFZATKb zc=t`a0Url#e?RiB@-5;Lm!-%*9J#K>bDX37RFmSF7H>OQ304x94NN3>%|G+vJNNMZ zy)!^%h$%zE*Yih?R|73ieId{P9BNj+c*LP4QD$2o@iYZD%yPrP4byJ!dR>cek;|J= zC*;xbsFH_HSh*2jD-l%nR!?&$Q1x>+Zv+qgu1Yz5e-^yyEw1TSKreBVoaNmnDJ~G? zQWxv+t^06L(G1gOOv#nZ+;h4r+^a0!!HCd-mHw@!ED6*FYy_v2%>s3Yf;C`n!NPX0&$u~-)GTKVE$v$ z)6)+~e=p4P(zUh;Op1U(2NB*P>L`YQ7)^a}uoMS`PF3{9Vh9V;z_dEIEN>26{=d)* z9A@@R%#Agstlc%f1^H6m-g)(<8pBm4xm%lINZ7S6YW-K4kgwa8w*amKLGtfRKD1MI1?!anLg?(f__tNt(f5;o<(d>(Ch8-TAGl@YmMORN=1aL+Zl@sG=`iVPWY;d#fgcxLi>~aA zf12Kz{NZcVryherjr#)-D;*a#EB5g?x5CxJN`S6a);^f)k|&2FB^|Vd4ssS^lj=1czqmkHfJc+3JHv|IfedaH5JqH){@oz11`au!TdN zD<e=tG6=TA|x5fRkcMk^X(u!-k{KGY85UJZTkblf5Kh! zpsqyHX{rpAPDVOM)q5kOntQ`XqnfMxY{vA@g7dG69Rr`qSr#iC+VuZbQDXje4-)gQ ziV*{!C_}}lGK$UV}|hhCuGuj>DAdr;X`UKuwH$%#p$LiZ`@1)fBZna%&Uaa zJaFNWk1m8C3Xp!Gun6^iI3R-2bSi9(6;S1q|6+Y)8H?(L=TM93!pKV8!enQ;h!hM9 zR0&y;Rc!4{X{V2M@XW224~C6H-TZVa`giKPHoMzzFp$jet&gF#br4qkga1Sn6}aNx zm1qvi5RIr<$J)qS0UtSfz6ki9s`zX!ye=!qB)|?}lAmvk4 zsLAj2l_p5RiSB2@Fi9#5Z5GY|WD*RMP_<`TrJB(NRknh?A)qO=}dGF$osYrY85xf?VoEm3{?a$d%D9X02wxPF|Yi$j&qmJC2F zQ(_s49mt=gPs6y*h`}XLi@Mt=+>1inIiKqo8IEqhRpCVo*ga zrIJ2;BMAAf*CKF!bGwB=*P_g>Io!y+uJb{Cw%9r5sqcIDf29IPIuvHjqE?Q6`aoom zryCdQUEh7T=t^JQ&M}wH!q$#}V0mxvn2XW`K;S>}*#<)zP5$$1tOEjTVm@eJ)}H9= zk?}R5&%V_K1lFmUWG4`e=WkNn?~1W%P(c~8#&K?6Bt@_)13_Gmd*9R&TktGhN5a8oZBoofscEe z^1g69wJJ{{0TK?z4Ftw?>;@aCZIQ@6S4}fAi#>%W~n% zdn_`Z%9j!R8l~4Np4}R-5`(T%MoO7d%8b$*4*UU<1wv?i;`z)Lf~~N~;;YfuQM&*^ z1IzN^e=G$fZm12EOV3)fA>babK_}3Ouf8 ze?m5TNQ8$$3Z&`e=%IERNcIGxNIs+blYd7wJV?_3PY9`yfkLJg4n=!mp=u{+?oJ3Y zsB7#(L!zozNGQZhG(vA$@B^r*zT+wl4u_JZK7Cq^%J?@c;?$+D{dUfoQmK2Lj*Iuh zr7A8F4bKejP667O)@BR!=RDAdCOX&Je{7-toKtw{AdM?&mP{|U)$2pR&jD3JwjTgP z(Oy`Hy1s^Y`%|ju!;8%@(lzHsC-(4$yVW|vWaOgohe@S12 zud8*i*fcei-A+2lwCqtgUdWa5XdI(dEtTFXS>HC{iBa$u;Miri*2M;a7#bergNUTj zlgN_k$u_p?$sJ1(QWp=~Jt}0D!l7s{Eb1$Ut`F|`x4P8A61P?}t{MyA)Ngb(*LJfr z_3qdDI%-!z5EWHKwOXOWV1=%ke>>f9;0usG3!^wsqtIF~Y(8ykMxI(N8sqxC(+Q}> zZWIdY>!|gGK=(X^X@^YhY(yrVI0I7BBTt znTIrj!tzZO{6<_?s}J|^V|1-VV7~E3kfrtc@LKT(W;Q7@k^Bbc7o{;J&DOcVw|Q#d zFew~Q9)|0VFdFE7!vEgPe}?#&@B3cwIe&vj9WVvA5ptg*%OW-UAB@9y{WX<|&5w|0 zrwGP7Ik?$}Buu~pxrZf^wIa=uFaP#$E{!W2lj!`W?mVWhMl@z7l84ma{eZwW-658Btn%=XF!@ z7`pA}xx;(h{zO}nP{GeyOU$w~-MwGxZH}^l6hlzUy12@Ve?umDj^ThG=W1^`%kp20 z^U$Id)>?V&b}hQ~0WsDVFVD~1?z?;qBRS(VjlR#a2$>hn@g6nZ3X2-Xs!Br)3^8e_ zeFjZ+?whv?`q<6(KzLOQ%P!y34PSoY)y?cGfE`h3wR2zpr(kGYf&uIdqhUs~(eEG3 zwLTORlnWnze@Ps&&ZASgv0g34*Eu?3ap3FRDG_vC%p!EfXr1t(tBh3PE15fin@j^4 zTwUXF%01Dl{Locgs;r1wM)Wy46?rD|ogI<}a%SmqbYwB9ce7+2EGfcL9GQmWqQM)=&a;)PcJE7PamTM>3*oY~K6 zWkmTe)AE>>H!9i(3@YPAaguPD>Kbv^yiu{20>VN<83|Pccc#w2?nfs+L^XZcF= zaSrcpj1wFvb>?O~CfNrGJy~nFZ0OJtcwHoV(%EjwR)<)*XTk#{^9(HGCcyK>Jh(xg zIblXc`-CxfG|)B-K$R`gi({(ks6(==C7C5JMjZz}t?bpqn5P?#Yw?j6SGq>RajaA^ ze^O;h^x#;%+yqx;q29{0uC7cEzOQw!Y!#06Yuzgso(5tU0ch(!UXo0}urZN_;J($x zNSAzrI2ncBEMxIGN{dSzMy-Tx8?`Z|t)tYleQ1WL!*oy5Y@L3+W0EhSz4Qz?pv>;u zkGHp;8%*>|dB8k$ox(|LU4sMusw?~ge};j->YB?_NA-GG&X+g|o(YO<^{z)FFY<&3 zkAqZNiq`-VTxseCl5Wvzm0}f~b1<(+#hbuDfHJ0(St@-Q*R_-ZI@dLzvX4Xk3Y6Bntm8b|}+mYds?9^VbwrV1}i}f3_Ng zX^jKbURY3?0Rqs%@WYE$h!J00n*hCPW$M$}Z7T{l1D>3wIC+=ujCBbA8c#vCt4E4dkIfhY2B%k$l`~jo2nkvS@aA5wzn{$y` z>+}$tc2)HDOBu`pb1T!uad2=if2I;h9IvQZvCKS6zk4}Muw6O#ol! zc3ch*C|bD8?C9(ajCO1TgJ8GS)NOu`@L1B0tvl?Vn_5$Y+;>0c2v{TLfB(4_4fd=z zgO_j(jpeF&(}?_|exa|>Tj}j8vbkL#`q=^Ffdn_&R+s=x24m#iaiT`7LH((AGVrzm zNs+3&o{p?>7944u@LGRKuC=@pBV6}1#BGO+9MZazZFfKDbyLA49#0IN95U^&wYw^G z)gf7xy7lVA5>~yg)f3iKb+9@|v+|=VlgMH8dT5CI#uymWKi+Y`p1)o(@m z`&@i6DYRt_?!@*P&t6PQ8M91oPuNG)nBZxz7+PlbQJ|)N2u%fj0x|yg8$ZWiqBw40 zT6tovCuTg|@w)}*Hd~$Ry(190G@Jx@B!;f<9V62yGl9%b$Lu}Mf3mkY`E(7sc#LDD zUD}ZuN1X3;3@Q#iTC=!rtP|u3j{^E+;M2NTPNVKuJra5GR1b-~7=1pByIdLUliy*+ z3VS1P~4f?5^R2=N^jepE|

%}9k@Dj{oV9~(AIyf^(H_bM*P;iq2`6jKhob_C{6v(N`Gu!0 zVI4YgWfw=3?ZlF`=EG6ZQGOVuWogzi9v<8B!Ora@TAz>Se{;ms)IghfUwsas8;ss# zkzFeuL9ed}+6KZyqa&4MckYVcinp$tMyX9trDyt2GW~du8EeLX?f!Y&7%9 z6n2g+v)jT_B1eS#z@f_Kv*V?1!$G}bpgLQs7w3K&jyHg?YUA$+n)#E7Yy!e@){xsK zo#Lr)Wp!zwfAu@IuXO~GcdM$X!nA&^VMLl1*b(djfomK2>ed&GEgZMnhS(4Dm7Y+&*5D8U zvE!w>W;27s_;x}H@c%Lwk@FLH4M&|v?m(Zj)A}5zf5mqc!YN2n%$e9#w$$MM=cTfz zgjlM)SPSN4wQY8bi8s_b+lK*jpE$=Wq=`xHdxTLC&QA-17zr9v>1w$xHoVP@Hs#rB zTQmS6@NbqS*tJ4aw3Pnl@kJyqhY%A$XOxtqH{2QB(UMZ6j$udNBB$_93?X;<4}9=6 zs{V27e-gWrZ>5iEeXRP&l=|;zU&KUGt(qt~3%OHW#(5ARP!vN^Oo{5MTxhux38cp5 zy}_wXVKv(zjG-{r3LC0jX8&43F!EY8QUwJ-NmEU1M%t)iKM-(mm99M0O%pI(SU~qf zg9S&0>1t2ivI1h&t#YcXMd+@jn$aCc_NZ-xf8eB*(a&1hs9rw=vf?8w;~>aZ=gnqR zln@@F4$dyq!p78ku}?GS$W&FLFYnp4K1bdB^7cD@1O=*ZfuV&S$GrWnEKD-G4&zRy zq{FRG_10uNObN3Qe#g`tiZJ1h>Zb^Ia}GRpptwBh^{1OftDiD(8|3Cj5T+4Qoh>mL zf7nZhkjwkM1y4gCa{=j4EEXK6*fe%p8iz^S9feN9!eHdNM3H%5nPQfg@yvb^+nZ;t z(4lq@K<3B0*p2~dn;oK}@6;^ESyp^U(24K65>0Tf%`)m_t3=0OL5c0$r;BVmPM99ZK#+TJ&;mD!<43@ zRoof2RZFcjm^&$BO4_($Ul1C8DYJO){cwE(M%Rc|Z{8hhJGZc|WDS)rGM;46FR%*2 zt=6JG7x^-M-2ytArZb+YukL7^f^}H;ZF)k->MHOAEd9_h;$5)jIEW0xJk?)F>3NC{b22!-9MZS2|hTR{{~=FsbQeTQntikeJ-xBc}|VEA>FY^8Y5};-RhR+B^jwVN6>M~D@?_4#3 z$>egL%zo(jw5e`Itte)Rx~F&<1U(>2e&yner}&DzHv~O;OpC(z_|rYbvml%+@!mu@ z$wONYi~H0(lTeH51v_`mf5R|H6{!sKa)g8lF`Pi6t)A_OrY>qH{O_BGI2;VASa`<( zEgnY$ftumpau~AMfGq%JEUK5erJG$)*ov_PG_&M0fy2Vay#29wZ{nK(ZGL0d{+t|} zz{Y972!NOQlf3Oh0f#V<*4b0FJ#ruE`_z#zFeAF_!4nvoX)HR%f5Qf;kYak&Sn56T zkmdc0sB4jb90Z4aUD1MD?fzguuj;wspm&9#1-IIl!=SY=XW{K2?k zFw#8?)DUyq%__81fBc-|;!=TuG%wrF3c#8w&TEJeen3{OcC+N4P&q+Z>kA;mPlu)h*bhM9{%+P`SJ)CiO}oL227^r0aviT;vLcDIs1vaU zS6QLit~t~{&kftIb9n9L0M7fF&W4~9XP8nqkWE)UQ}Ru~fA*do|GXSxQ-s25S)j8S zjGE$;=MhDLJ{ly{t|D5WY$J0q6_xl9xzt@(81zDahp(5o`kW2MP7tVcGH^$tlVLI$ z*vrz%P$&GGYhKFv`Hgh(TTOrd^J`YndyIO>)zPgjN&gbA4! z3pL|;Ye>DZe`!NZ8S3qJnq=EIYv|kv`NCiix#OI1$03kyaTTx*}PoJ-0GB1Y){c zS<1JomMu4{0E6`BREP$H3OJ!~?O+W&_0h1*3k*4#f5nm)oE?dHdbw$`Iubbs2P-hN zhFsBpSJO}YH~w2Dm4EQ6tVG_-XxB5OI{9F|Nhf1>PBI;4(!m-N%YdF*LmFT`12?Vt zB`9*y2zZ&}aVlS|-rpe*#*FUNdjnMZ8R%!EpL$>4GBy!k&YSO|`qbko>N<%sRzT+1 zA`uQUKW!3okS)16?T*XO9V!(S1oYMIepZkwy=pF*UWy6~r09%;l5E>5+h|orq+Xb7 z|N8b;P(?CWPph<6{v(>$Yqt9~L2z!T?`|IwQEzf`9}ubiE0G<^9uQ#Luo`SNt3T@2 ze;B9{Tfsn~1L+HKz*pL4W~=s=C|Z$D?cNi-hk6oN&gTwzx#ya`!6_E1Y5Il=;h#Ux z_{+>u>N}aoU$oSYaBny+0Ion$zt^l0WyT}>z7jSTExB`ZJdGOhhDp~a&Z;Qi2al=x zM5!I&-f$e}Wa*qEtDG7&uSA@Qe=&~60nU$(UVl1Ch8FzMaeoEb7>l3RjV=fpGlcUy z`6yvf-%MZTEpfie7Pj9qu4H<0Yy1io*tuWY%7jjU=9u!VbHWkt-z#Gm@t={fGw`q7RvTR0WrNRs8 z4}b4+A-kl@!=<4{GQj@;ZIUkh@4;q_6{jzbjlb*LC4G+Zc_$b*eenW4tCjyY{5+lH z9o7D5d~@+}hUx1R=Q>y*S}8M12iiSg={^ZQp9_EH3pN#D{ZIpa|R)Q!hTBs z!X8>OGm_hK6G_IwD|ZcfL8hnlyg+1C99R@4Cp||g=%f*6r=fH|L}-dS)ng@^JAc>P z##pG?REce8e!F493m}{lw&vBBm|wcuh6>JZs}^qA-o!(}L>$Yb+h8zKF%d0w z)WA$MA27^9B&x8cYBK!PZ*`J>rGK=5l1kMXkxEyU;8c}{*D9|mP+XtFds1Y1VAAD7XLabhB7SWT~)C&F9lkmEZvSQ);vfQ?tktbYoFIz7oy$tlW(!CPFf`6=+I)ts5pyGDe zU@PA%7sml*`ykO`-3F802cds;7+Saw4E-wzw#0jdvZV9zK2&^lJ-*LnL95R`Sp2jC z-G|ataWW%z*uFrtSoP@%#NsdoTf^`hvfv(;#i0xKK;u7*!2pq`uAKuq3%hs?sCew& zIfa2+2hTkyEa~Jqg@44CsG4h>MNoNh2p~!@Bf%Z{OYx}0Agz}$c~}Y+0Pn_wygk^y zz1q{YD}U5`>ZmlU=t;y&89_OWo2s3bfUFv43A?*AJ1qzKL$(pA?#o z9=2Ye1e|XE8~Ueas8;Jt@6hOMRf~1;h4a$ID1mG3|%tg z@}~a{!55`dxPRKC5ZCsGj#p=#roHK&?A@WJkv|voH0@8_VC_zRCotLKuv}|iMe@hU6g^tlcKI#e?~8i%94H-h~Wy%*JYTz{op-sfga>3k&IKg@V!=<$a4 zwUJZ1ze{k&pea+|2DH^WT%YCTBDcf+%#-;UONL~W_A|v4ZS)?6wT}SKN`WDAike4` zgD`?duN*RTXvS=e`d%G&70UJ#j@-aN{=nUVOZ4hGe#*f0ILOw7#De0soQ^+Q3$qDajI1+fRB zlsB=+p6i-WKJ`RZ;FD>ecNnaVAKNA4hFh;;Pla9kvtC3`Bc9jBd`>QOg~mWh%Xvvy3XqWD(uq%B+8DAPvmCa!xF);|K!h54`l^M7EkM&wuiWPjYD z7q_&>jJ=`bZ5TtB@at2)>bJp1uI4p=#PcSYDMvG$Ql=;`Clcc_s4jf&wqd3Wt0RJj zhYYqq4i&!?U))YajT)v#ktggxGCVZIz)r+sU^<(dGb7KVB(^^wG!6!OSo0i42!9woi9_h`gB=(eC1kv}M~J-NBeVU1y2_k$m}2bd zUMBj7MLK2R6y7E**J~qph@u!YSnxAHxZ-?ly$aK3?7iQwE7l%wc;5=Su#$aB-oi@u zH0F9M($9QS_fO`nPT~b|TEph*DV*zUqIGiS7p}*);5>2f&^YjPHNj+5kAL#%8@)qe z{UcC7wX<8?x4@BuGaW9j<8yVWP@7!+38yt0y>(jOp|H^rc)BV_1)O}f9@od&M9H

m2H~^S zhXfsbUK5M>umAI};QPRb*CGyQZARrn-FA|>c)siGkb>nIMGbJTe*WpFH&-7Qg2W1v z6UTr3`de3IDu0O$4!i9n8YVp7z~*7r_(D)gEl_^^`0;x6&4TJVVN&85Q+yU*WJ3lP ze4_F~RyKg#KT~|@_)s?S7UETo!Wxovfb5^~^%T{DDFiVAn?siLqfuhH;!EfCf|0Jm!bAe5~Pbyv>iS z`+uXEXdi>A9!Y-Pj#b%X@f+0@liJ1Gch~EoH0aHFjVz6~8Jikwo``V@p?ki$6OXLm z1-5{%f+SMV4FM@;wxLj}8QR$@1;#Wv&Hb&)s`Yx!3sdM08}?>arvr#}kbgSFN!NGU zgrHNCFkB_jeSxq+YqJk8>lxNpABHmPjDLMZ^5)qlP1Mn>nh5GDgK+LRy=0Fy=>{>9 z;)idwo?+S*ra!ULh!(we3`fD~8$$$M- z8x*e6d#>Wd)-hBEh|egBU{Q^T*N7x*&mmSU*On}Xk*iB68Y%pinPL&~K^;#QK4EK(vGYPv2V=le5rSs5<#QQPZSn1j zq%{9ErP#DAZ9ZVRG+;{6X)!?+4^&$8Sqz23-@DLOdtS$Z?f>oK^^=LzunxZ!jAk5G<` zV(t???qQApb2ZTYgA*cSet+>*+irZItuz@ucC7q_TaWNEe+A1{N#9KX7a~^t7D@ak z*5G(4Cy;_P?(E&!c<_rz5?ogqj*S}*?KO<6szts}c3Ca?;|DLlb!IQ>U-7><`fk|` zW?(&@SX~Z=1k(=H`}}ZvT75`1tQ{-ZgS=7hNz>qU0J1Cs20|BDU~PYb~hLG^vv2B>)E2C5!yjz(zxii_7& z(wpG?S&Vp(Y<`kCAl%ko2)DH(LdMsC5Iz9)GyAyib@15aB8JStzuRHSY9=_WLPUJt zJn{V$xGXCXwdl{1#b3-%HMz@D^qIk|w2z5AU}a?!vR<{tTYvOvZm-Q?D%Q3x&pKAL zKk7=A#asAI54uJwg{+8&POp8bR59W%s9LE?mBkMf3PYI)nuYTqu1@krAX+;F!I7g7 zmu4WJng-L3PJE?SF2q#lPXDrR%;=w)cr$Fjg_iBl^GL|Llu?uWdG5tEn-_os&H67|oEr=_217Pl6Sa+|R>SIMcpD4~1~qBv zbn!js0&73Rp`r;~-aNYQvp%v$_I0-&U--`-5xTlfF3Ia}; zU@+SE?4Pk8U=`v)gq=}w!=O4A0K>`%iI*;9sRrHtx&Bnx(O?ymbfW+8y#D)pvk5Fw z4*J5nXO;~@yZnA;S0Ck-x%)Vlb+fCokDWl|&o|${y86o^!cVbIc$Vh1 z({u=H8d1PaF&(;r3yY=EM`fQ^RXHXSLxxdJqhzHHE*fMDx_}NwBu>?!sM&p(T!3eA zavb>(Q{@OMLs)+kmR_~R8m|{{&5Qzz<4{V|jennCvC-*Y#(~AGUpT_%-8m3Oz#KOD z7Hjrn@xQ)Xe1Kgx@O*|OX-<|SfIFts=~lbDI44vRBlaT^^w(d1xA=vY>F|U1-~ahv zb#GR}w=eL9U$O6y9z=MDe>)h z?0<=;AqngX!*kELEJUU5y4Z*!cl)spateIpj-bE!Zt(+!PtRcZ^y7zDSFopEWsNIR z{5qTuDzPU6f48`*GDNzd)20hb##yotE9?nzRtw4t%;&|myCS>%a85;lJu33o?_jO& z5xfWJI7XU1$j1fid0;M2%~?SMe?}{%_z+!8Gn@HUK}o2|zkWwk9#w;+2IpT_4XO;?GS7ya^GCG*!XBIa z0i2SsY*VHgY$_dg?jPDScjihT&bsh5UcmzbE00NjppBCOP(!Sr0kAg6j|o%DX@A}R zG*1);ks|scAsmE37SOhyDn;@PBVge|_2-Z8wR3rh9LP$Kngjb9(UGib0nt`kz!LO3 zdG(%eQu6Ib1Db(jfewdsEzlzX9w2*-?>?S(gY7V$ynONJ^-u5qViu1N=GSw8h=^0~ z3wNJAACtTy|4cTFz7u_JTJB*(Hh(*$$1>M%D5(&?nGNDMa=_sDh78V@_l2_xCc!}a z3+t6}$7EL}`^B}0?eXVdUSI1P2F|}aP3rK}?8Z2`#M_+DZxAT->VNzX^Th5kyVZG? z4P=UHMyZm|Z`mz*km+oyi?`L6#RF{_1aS`kL4VA>%oX2E_{~?m?r;e?v}nuF&*EI%u>S(2z%73yszV$OFL$4bP$^YCu?5d=^R_ zNUE*`kyVhc@!mq->%wiSQh(<=g8#SP2aOyGePzv~Dt>gGARGwDN#Yg18WGZfYXLKV z?Jh==a6$6gE(!zD*LMlVA->I;$1FPt2OnqQHYNmTO*a>q0)f}yo#F_6xR0B$a z@&gac@qw3q<)1e<9D>ZcE5*aYkuL<{i8TR-V9^7^owlyPX{&|<{eNOSHPT8l=C%tO z3`;?t`0SUSv3fPiSiRzpKP$>1L@GF9id$MqG8)mC6j`x#xUw_+)|unCEz8xnj&N0n z{e5y^6A~G}*F~hBT=6Aq?=RZ>Baj^XjRAoo*48JqbnTYElbCknpM-GF3>X{3DNDK2 zZ{wjk!0kk!h~*__L4T(soN>$C3@9oq0z{Ekg7VoL6j(;Dij8ZI?MY(%+6QK~0 zppR{VP0k&giQC63T%M*nQEd0vP19nXCi0^DWS+za&LnZ-odjg#$vGLd@ zKpK#_NGxw*%70IO=ZeJttQI*)$4K6g zp0xH8-O}-~mb`WlstJMNOvGOyIR(^^wWI#DVnYfSNkbBT43uAu3hKD?iR~;8sXBUs z0HKGvY+;AV`n^^d-<3^gW62GULM2XwHeyR?Od_+Fk0_`v`un`e6OqqwOicUJLsvGbtxz8PbZ~o%eO34^7hF7X zWt%rEiy&SP5#v>-6Zy@`1cWizy97y9C+ON z3IiGv1wOh?V)o@>=dBbH@pTFK>8Mig+E;4tT77tAp%addAD#z*j%S{5zjG6bo@BoA zTHiEsK7Z3n5_@~?@d9;=#3Ic|$PbH&BM7h5BM74qC}vcuICnWh=n(cGu+r?1vM!T- zPrie*aUL+*{d;d9t(US13fAxd!%w>4L6 zCo7%`lNCFnWHmiNcIIRg3_9dvg*&Vsj5*l21AjIih&_#rUw|->KxzjDH9WvHY}$vX zx5EHQaw{lV%NgbQtpUR?f=JqLP(v21TYdnLF!H z75y9Tbhtk-a$j9InHeXqFp6OiRLzNi&wqXS)rgR~aOW?=segRGwsXaOp2lrwNK2&b z3^kT*A(>q$*|CY*4puYM7$EPG?MNCoy#}N|gs+Yvd&m7p-AG#((>PK1)^sGs0_9tW4q4Zi;odzr_@Q-UzEa&0+{l zJq4a*(qe-m40!F0$i>BMjK0NT+zB?ZumlC4z=p3PL*YUe`r)eb(q#xZM$eH5ZWs#D zueYipoTbyg`8WsOi9)DL;s^sgKQyP?ekz6l@_(ic@zUw@EKtR%d5#)T5P`gQU^~y66_M~@1APEp@ zb}Y(gaE6VW=Oe@e>lF;ekAISg@vkUdV5w1HKg8RJFr|98HJeg|;rZvqwhejp&v=YD zRieF_ko4nk*?}mvO*j@u*5WD_lVtInVyIxl>+L{f#G$NziwN1enMHd~HX*! zh}*AJxcHF@Ij_gNM4$XZbGsX|U&KIQ)ne_7*E{9o_Uio!D@X0Uh!_suNWEEmGWCZ2 z6BI)r*hIt>)|h%g%2PO{*``bfM}_^wVUW3RBFXB1Ek)udI8wb?h#MLZa3GZ3=20Fe zfq)aC3af9Ic!pL+!+&4!LyT>euiDcGF&(pqfm}bhYBxN!?CSTsy`UmMEwhMRat?n1o zP=&A0wIz!W?V%KvrpQg)c=%iJBiv)0jGT>gd9GuX#kP*OMY1!Y61RDJABf#du{#%7 z{FUByw>$7N)fqVWF0P-OJ7&Vi3i4i6UyVB5x;fa|TiKARMqh)^?%IN{?2fS`POvI9 zzM0xXV8%*)2Y>k1H`{b{cSpf%N>lsjE6e3##T8uM{L1l|u!}_9$zs!?VaFrDR_TKfD(#*Bwc?c+6@Ir-a zjPG15`$JFBE&Id+M;{0feuRBUcKzYPR3N}NBECLwL>`cN!APzlP;du+ z{+5y%PZ)d8X3Gz_#}sF2JtHR0H3F_yD0sYTqF~}-6+^p@)R$9g%1IIxb`i337GB=Z zD7w5K6@Pr3qf5dxBI6y>9UFpH`BRMPbz)`pZGvQC86nGvv$TSM^J8=94164Pmf~jW zf~8ou4!C<7H(YGX$1YAe6+1x~=VBG54%@>;2`(<8!0{&EKF=dD;>@gqI}T3aA|;y< zVYqIQAGYOWdAMkSoa`cpYb5@{kVi+%VA`(ZK7W|Ft3o;)Mkn;~rk~kHGo|maXZ1&B z_%UW~qDi|l)z?YrO!ieVnAM3`M8v|j5)cnp0(8=bYXPcAb~kEyI4u$kvd-$H_9yeI zOqE_g$5%zfj}S&?kn_f0RwNny#($_1$GRtVT|pHf=!Q!TBX5gljX~wxUqRF@I>fpO zrGGX!mS#$+3gh=9!KXjlRF(%v)(!bn(^)aPRl(v7|Jyv4-!0a!*CM=Y zoxw(8F9sc!iG3uze+@|^I4VlGOG#yG+JD=jr%eg;U^1~S$itsFWQBhu_(uwV9-Q*3 ztp;(jvD#P4YWhrQ27ofV5MispZ-a1!C{ojEd8pRX+&KK(qwd#xkSDiO;BRyWXfhTmZ*fd5ZRDBm4EX+ z?ixeH-ep}j?-Vv_>b?#iHQwSdZ6DS7bjsNriGB|@4GdM(EP_PSu4oNOx@nb_R9kRP zB^n%o3}T>J<^4`RRoklEFFLu!oKd#t~E^A2P_(FOIxbR-3#OMPhTBf&!MZO zo}cKwRBhx`v2w)UX+Xl0953XUWpv&$UjD;wk_ zb4>3yD#wr!a6HeSCaa!R7|-#iX7h7O%s0Z+kjc-Gp--E9&nBVG&ezStXHBeUV>ryf zXUMQ;%A99ou8rYiK`qnR8TiR0cFx)Av>E8EB6?wfj8N5_aW;Pa{C{)i1apH_Cz!#@ z!W%1y5i-<;8LUX!#D=mt`*7g`@9yBWk6kSnkut?R(O@s36ID@VqhaOkl1sL7!rus z7^^u(23bUm$w90fJAWBO)GQ(T{2w-6N`{brA`o4Y4=XE?1cb7EDC=<=s`dbvc9AYt zmcDu`e9Ge2pRj~y0Crdji$%r@Gxtsk5@Ij1S8yV}PR50tP$-G&3E3x`vVQUu!il;< zU~Qj$U4CBwI~Re=4dz@}`ZX9XNx3;(l~Fmz?Q)-mzq0>0;D1lskhX=up*%|tO+T?B zOD0~7NYl7FOb|&959rg^o;m++p@=fV(d^a)0U7uN|{DBXCs%;7Wh@A ztcLrt7ZrDiLJ8Ll!=boc`n7;^UHsL+)h{)BE)r`s5PyY7S$zR5#NSrt0EGo{Zz0V*?vwz;LM_soMO zts}3qlV%au*-O(%lYDgBY+8vpx?n9*&m}sN4CQfiI&>`q^TDiFRI(x48`8N3p+aVC zF1y&Dno~kk??1zC(O=+jbavR5;C;U-aySyJc=F*Eh!Uf61aHha%n3W6x`seHDF7{+99)e6DrIJ^7fHj{we}gr^iR?h(jE}*^-u3caL#R8 zNZ-m?^6+S2%%q(mI055lwgw(x6M!i!f2E(93hTfB^S|m&`z{{Y6Drf1iKU7z+|~!e z`9r68LFmvDM~i!e27uxC)Er3KBUP5cCr4p$aDSf#M$6kau;f6djYORAgp53Rz=O#j zKf&h;PcuF^kD;+Tk>?efIQls{R!4IwT7P^!4;_&lECyaJYcq<@n~dQKcFV&ihAoPwnmB)2`JP znXRFb+&X`G8C{z2#|-Xf_obvJL)gmyvwxf8{O9*C#MBA?^ZQKlyWj4&r_-nFFGR#N z;g1>IzB<=?=r4rzNxFY#K+V11AUgcVNg+%BZ_k?WCs%%P-ly&wb-zA`G-LUYXBq`b zH}bJc0g}ebBkLjWoRYzx@oe~ip}0yjbvj?9!=8Qed{)c_li{=HjZGhZwi-Trb$@=S zkN=wImDlI1`}X{Ic$VpzrcKIoweH#bkZtw;n;+ZXeROx>2g<|spGo=oTckX?a3`Yw zCn_U6+o0R~-TKk>9VbdY~360!v9}?^=e9=EApOwIH}e3m;TLl$Pl!< z`v1Rrk;J^YY+vwB?QBqY-?sT{J`tO$Pu8_~{jRz{S9ibGv%=W_UfD~Ne}6TFFzrhM z&;`X>&3vL{tsyMb+O&B6Lp{XWQr)Fi>SgzuBJ^QHxtChDH*~(C=5_;reSh5DuClh^ z&2+(CXOmmE4;u0@9lxoH$jc7~`qz4c=tPz+2XX3M;xw~Yl# zz4^bbuKIQ5lEF9@;{fAUum9ElYOozh_EJZ97U2Qmn+Z{$J(Ub0V+k1$vYyZ_YAHm{ zB62|F{j4q+LctOWAQZSKu^Wx!y4Mt?4;!YO)3T+fTnvm=yLPqP?tdS)_5Rvk5;do% zTnq$?p+;$FX<38?gk?r)Xh?5*2Lwlr($Lbg2oDI)jMC6BV+k1$vc;n`J>Oy=aPsAx zg5?yzDPWnUwpz(jN}!a(EHUkIj5X5~-@T?7eb_Lwy_PLKvtwYa*~jA;b*qGih9wvv zm~d!UG6>5eEFh>^9e)}+mf(QE&FavS{$@QO{E}}XV+k1$7R>6 ztzjVsAb5_YA6JIfmc>}WSauYJ#*U>ppg3+6g{GcmcwqPiqbNO2V;~T+c+tUn4N`Qk zDMTMO4Anx*mL94xFqT~4$%(#ULSw^H3{dK^`d#(wu{#IK7>s2x7BH3@MWLx<84ehZ z8AYL?X9*q%o_`!gW%rsw^kKs&Dz$9sQ4|AX$>nebQs3~QsbLug7-kv6vJ49hyNuyj zh64sQfI>sh5{PB&V%^f--yvFOck;n`{1 zCA2gw!T`dM8$YylEW`oCE#3I(ffNG)6OZlsH9Nt`Sbs%bc{o&k*fwJZ%~+-y`>rrk zvhVBQrMDEr*h6+=URlRdnn5TDmF&w%j4gY1kt`LmPL?qtA%l>H*V;FEukZW*IM?+% z=Q`&(=XvhuzVCCL<@y=3B>KAq7Q&`|qe@Rv!9DYC%V#C~Oxd6w4e5ie<-Y6UDahjf zwlycr)IoK@xXC4opyn)kLsBH#$HWfnYx@B3AUvQ^CbmYV7uZ`{sMCOx=>#nJw2%ttWrBLtKAFX(F(0elyufGAPb0kuL8lc7dFKB#Kp zg15=|VO-@jQ_rxHczpvSu#^bPRJ4nF+B{)CBNHYNkv10vTguvEmvB4HFIFpmO^M}6 z-2)+*M&44oKrzKvvSU*ho55k-pO(kLVC6qIbGW{9la>wGL2)iDXzbsi@0|6nt^KVQ z=MatW3UwcUHb34g&$oZEf$3EGUaR0@>H4DWedhbnx&mido>3U;U!w#3-PKd6XLhfS|20*e!Qrer&(}7)Jt*&RA|LM* zzt>||Jmgt=6R7?zrIpbIMJ}gVVE!#D2s|70bc~Kd`q9s~*a%l)A&Jwjy`*JiLJ^V& ziEA4(MSHU;&b^h#$lrwOI0&ORS&}^vc|~EwFdWCJ$4Y5W0g~@j?st8Ykz&0jG6C~> zz%5hAWUMc&bU#h<5dvV|%go}V>u1}`!k6tudZ)zB;3b1S)iV(c_B1ov#8onRLOU_S zl21S|&6VKl{8=NxAhg%{_JHJT)1HRAUdHVT)g!X}=^fR;zrfY^Ibf>kY&F0Oc-bkH z3#!WpN;H^koCb5POdqf}j{Z)btxrNo?5oo1{+_Kj%`T2Lj+9n1{4|f3Urf>OA>?{c z+7sq;cwCLrTZFAKATiqRg~7Y0lBp;}x{UdXl{^d3)lfM38`T#w9M4hiTq5Ui_yg9qxE|5edf*>h>2yD<VlB67wXhvO4cKhHdAxDQ zgSo%cr0mW=z8CJKcwXSXkX8guKGt8R3(#d=?&`f_cc1nCvUSg}vKv3YyrQQSJL9kU z6lQTDVOt+#9+?+Rf9YRpEAaRraTS$X2!68vX$3DCz?{R;zS+>2XJOa~O?Xt9ZI}8!8XTY^vt7{pa<7E`sF+2$8&_UMuin7 z&z==6|AFsJla#-E(>V9xG~1C;7O1xt4uzRiplS--PI0m&*+sdU3`uBw83;w_YixaJ{(V+6iJtuYfA5ql`LDT*;CpA}RnXvOBUKv?qtH$i0kN(l_>1*}Ci}+91qIWc! z##L$2UqPGO51$t5-H+9z^o3vUc$wdUrbb8zoEu+l9Q%3oItO13z{x$Dvd3`%` z{(f%@(e{>ZKEm!68}#|o?L5cZ3XAT!>#zF9bzeXeLUe=5d#&9#Xt* zFjaTadrAwbzt)dlj^C?*;uCHZf4^o1~^;LL!+>`DmFSDH;r6G|a{Pjc2l9c??e7$tvo7wcm{lF-x7Iujx zf#CCQx&W0+sc<#kVR4%RH_4w!?1Y^$(E(-R5Sv8qCJ`gOPCdZ~073#FKJbzPk3R6P zUSx$;bsCQZ?=ZVfjT?CrS+TCFAT1?JlrRl=+@;di)O@kj^Q0PCpE=(U9yb|0bB}xu4!$U|H6}s9W0s3Qm6~5NY))xHgO*V{~ATsTD`|T zOlcuRYZ~DoQ(L1nU=|HNanWHY;T5!`0yBQCz%%Etg<#S0QOLK*OkvyaJmw4y51d|s ze@58Wp)4Iy*K>h4z}WE25I|%|!YaJdEp`G7pFoz`l;k~gL0$UinU$E?l)It$87)ugbSb9X3IB2TS-u0{A zyOm(C6+6g{eS_+CLIZ~!meI)$wY3}35gS6b>y-u1=fLOZkkwXAY2$Icuvik&G)mLrk`qcQ?+-t&95I50 zL9&p;iPovSDNjk&&C&QlUhe_ugMQ4M0f4uS)<&4o?zzP6*NlpHLJ{(Sx8a*{R>i!q zCpL`R)}b|xXJ3WU(tcTgeHBQ z`ypf~VjSbZ;TygZ0T_(<(@_gOYhcSYWTj10UV0<%@M{vjDYI*khwTd#LB-5D0G2C2 zZwNa&Mwj3|`Uzj5CG(hJi>S1UYi|g;x<*vQILE~tIbuMSMc;*8%=iz+$B&0jD0<#k zfmq)#jl257cR4HQlMc0zz39<@83n1e6U&k#rkNGIGH7T^d_%aW+Y28N3fpWu#q-HZiTei7L-`^@A_P z!MAvaDGWvHIYN5xqIi(qa>P!v6Ma(dAWG@6evZJ(@|Mt{AAbd5Ur%^O5jqHgda(_V zsi#kmf%eDnaU{Ag;SgGKfU&H?qjiu6a>QM;Kfu=*GXXi7;3_sH8onH2bEi<|&{%ta zPXJIB0I##mkh~=-HYbSESAzr_3P9Mrf0qx}?Ei+>->FVf1jGE9i6zDb0-vQ&ouY&n z_OU)13rv7Mri2xE@wrzZkTwWWVnfVR=7srl6N#C?!LU{UARmBF$i6s}qb3IP7a{(U znJ^O|Kn|F2)&(?-{g1mA}p{Td_Gy)JZ-(EWj_|lYG2<#O6Fv3eZ@)6jfGW66iwk+7)^5dLBMO z@)ZQ64M8vjBu-5Z=6{LUWIb;``U%z9$51jb%{GP^;KiIk<1Sm4;R3aBB0P)bl}17O zokxV|C5ZA(*GFP=@u(-zSO*z}tFTRF^anSa7-ZnCko+y2*jym$1ec>I;s)S9T+}7l z?8W{6;PUWFG*Jr=WNj3fk=?oulfOos6qtT$3IXy!{y=m&;v!qd1vI(}rL)=~=3Iv| zSBlLFIEDgyp>QRe42_ldV$MA%eJI#IMT7&m#15~wBrcwrU;(tUB(#~o&z98XROFNM zo_j*?0yW&JmHg+u*jz60XYY?wnC>6p_dZ(ccV3TrfoE{pHXE#u2XmIwKRb+mf<~u7 zh3wXA3I_Q=4t$6|T(0wiZF&&@Skh>e$Z~V?g9~KlC@@AL3=i|i5sAi8S(0g7 z(N0`K_N&#+?v7%hHBm&RRWQpZLk0%WN6O=$UKtp3s@|AnbXB zezeTekj?H3xgGw8I4 z{wjcHFt_Ry;Mu7JU+&69sx$~Iji|&l`9+Dw5>A7`JCMmbPHy05I9vr&!oO-K?rg1Z z9u%8}k>vsIaKmfSDd1&aac6IR1(R62r>49>9$t8GAxiD#ZY<$?EJRq)>YDxmCj3)} zL1z==Y_Yz!m!W`*&;%duG7lYD(7+`;q6|}#6xa@{ZY8ET=|_BGHSA=HIg$5V1(1va z;*Y$KUNmG0f*1y}O^7^?+*b7(WlHN_p#NV3@=%EtNtwv`yrQ zWq)&8!2g?&0$@#KS?utC8%;r5oL&pUgCfg;uGK1!JpQ43wzorXXq z$9-Ua%+#Ud-WXjDJ)J*zn{tR#WX$sQW9qPSa6@Wa4mOoLxIsC*$Jlt~)6}6|wqEu? z{A|hyJX=B{|CBqWdw2T!2b8er##>+G1lx4%y)+ zZq1A{vK7_rqk5-RdGbTiTiM~(%)wb%4qV`^YH0Tb&+X7`uZRPgf5m@dk8!uEpP9rs zZa!<6I$R%hmQH7BogI8 zbnHvs&-XKrnc}-kzug;EH5bVgy~rZ-WT z(nnX6^uyi#I0^i-mbAdp0yB}!Y$oS?wdWCI;k3xnMDo5_u2+Q~ z2=0aH&QkWFnpVqWP4!%qS-Hyco1%Vxw5CVy3vU{d%~q+msBy3G2h|~h4L|rh?%uUu zH!W|x-d&b#dvtVkAS$<32Hm3s7qv!Gi;i|0=Bc7PB%knhISj%oevaOmU7^$c%5|oW zQ#(gsXPIj^u%x4}JellRWc3B4o44QjaDO^@RnsT3q+?H(T2lQklAK6tsegBmj$hs2 z>@%Y*goLyoZ-wF2MQIUc%RYD7HSgLUy}o@dr#Q(N;_U)Wp5rdLKPIa(>0M+3^l-n_lW9oJ2Nizls(8B+AuC z-CG%qq;SZ;w(Qb0G`Tdix|3gJTv1M?oAi-)YE89xSt8AL{!HUtB0n z9J3=qOD?Z1*Uj8crnF)pzZG#1-6sJMM^>u?&*TD3er!8PcSxzHjI=O6A7-^u5-@Hu zS|=m$w;z`cB|_~zpl@V*&dZJrr0Kw>9NDafQ@EN3f2@D?Z<|(qJJ=EOn6esS-mWJ! zGX zORcLq!ViY3tRu&sUG31F`6u*FB~#+MPneDHs#O>nyGOv>8hrEmOBGcw$4uy_QH=R) zw(u71UsMSUU4d;rDeLn$f}X-m2kob=LbNB`-h45)q|Z+@>tqj`Dw~qY zhC%G(hXECz48bYh!e`r$+S*$?UhRn{ThS-DyDMA=;`bS!yESfDtLYv6d!3mQ%6hJ< zy6{nh5q8}DXl1>1cfG-TEI!%zgU6l7eM161WNdRaJ3C^OtkdEY*{bCzOnZDVUfDx; z+2RXwr0VL`x$8TQZS2yeI?B058~&Ms)yNgblPWWzRlN9qrnt2OC>RyLKKW1X+-Hx$5=mv!BCC^LTHUh#{i0n+|V z@Yj9ls*mYYgW{#`H+w+*p6$8~W#8oRsK7^$?dCF#V(2)-MV}g@6o0rDz_mLeCu<;6 zS#CC(Hd^t5p6RcnWkaPX&Fu^Qs=QhHyZ^no$y)I5UOxM(kK~5%8-7WQQ2N57XIEGlWEn|DdjKL2eGR;+TfLpjc23o<}pU61IPm1;;5btH6!imWV5 z{Gs@aw84q3ZFeIniqStioR_Akz3xci;Wwy#?2?jjs`szkAHeNJ%haQHWBxTay7)!w^SFDaZ1+Y%la{*bSsKF^fL5Ub2cr)raia#;y)M4yC1d zb=7hdQ-@se{@NQjKi~DJcQc^8c{gLMwl6(`LAul+{qLVK;luHS>oSQ9^iFvGzD8AldnApRt zqBnUddAXN0rX1q#DfV$R<1_Hk<*dfN;w}45W1>r*j69Yt?P_uM%VGZbzg@<5>H^_E zmwB&+o0a3KbpkcZ%u38oj^ndX*NPkV%CW%)?T+PacUjsM#b@6Jc`0kp%CotXZK}N0 zVq;Ff4(u1b@>fg--u;oj34H9N5iI=jGVpI6f5?uzUYW4@FH`7NZywUWZFV7~+t^xM z|Jz-ZFgeZ}-BYynQW)u%N?VJfd7kufx{73(vz^XQ?KMraoRy*;jMF+WpR}tSC8%u{ z(nb32SL>}MF6aL5RRux+Q0z>RKjVH5;QnCaw_BCv+Kq+FKt*+`-O0|%CSwaj&u#># z0dq*=(YR-aS5f*w{BCMu`b?AjQr%Ox>Sj%>$}@A9R{dbyILnaj@W6y?Dx8V{!pSce z%gTO;ipty4!p~B$5I8sEb2R z=dStccN)puKDPwKMq?M@R;3-E$ZeFT$RNoe9BeXGMRz+Y?%|=>EU}0^D@W_W`_Sx^ z&4wJ(MFiR&7E9G&)Yd01Qa4Yt*>T7szK{`!yz>VVwSt2vh42H-J+O$)CovK^sw9KU~k-+gtHdzaIA=q#wW` zZEZ?1m)+jsQpDEQ(oQ!QBHhWaqwj{ZztMO6H7|7Q{QH`bVb^1o?Xt~bI23QQBSq;O zG*}rhdffHe$JP0~?8?iIeLgxZRbSB%*KohR%1UvT&(qLq3#g>?`(yekO_}OgLLAJC zb#PQPU~LVtBc2vmap3W2pWZe;9C!ZOJgeB&+$ZPF+PW!57P$!REWxz=OYkgjDJyDQ z_|5Mm*>}|hWl5kN6>OAuXC8GIyG_2w5wQR;Z8F*LG1hnaXD-NXKzWS(_>CY-Z-r=L z*JPUN>!-vt&=PTe;-`zn z6E06&vGk2W4#9rldSqy#q$+Ebhi?NZ?RIh=PB}_}h6Qb!} zN~Wbt!i4Jm$cZxdTqy(Imyrnd+x?7Pu_2Ze z9^BxgHj8zXiB1)o5wP1DA)!0qyXr%ve{{mNV?&A^vF)X^uDT{&Kp;s=*_RNSz%agFh6`)Jijeo*|7eSt{ zzhCM~rSbUnE5~ZD`PVb4dAD;Dr%6z;9k)MWY9!NUc9KFW<1KhSLnBLT;U>+9`0umL zZGmEk?4A1Q9-(7E-Rj0z9wOa?d(uWsB^gHBY4}XIx2?u&zZPN&gx|Q))dQDDeiubO z?!?o*Y9k>Lgbx#p04CnHZ%uZz)>B2e-^&A63s=9m&UZXiSxoE{OP@1viOJlz*xf&( z@ST$jHeA|GNR^wr={akxVQ2{Bi{<%fxYIy=n@}r099%KGcb2AH``k3b==15D_UAy|n{w;In(y8!9~Mz`$xm}?XVd6O`MbExm%0&8$;3ANW}^Pk*xB$_ zK25mvA6uC%t?hkmIJhXk(zLBioj>u)vl`7NXvc72_*lKVFYlC{oR?7{_rmm2!z5#rPG!pmPiI2-V^ zx3_;eshV#!smq5-oAgybNY`xJb{R)%pJld0NK)JMTA%!S;X=vViS=SCt!nPBu~UrE zHkgEva9`NMjtc3Q#JW9jf_TK*d+yE8%2Or*Qdgqxf?c=o8*#qs74_n4 z$3|K%jkKV#xw%|{!=exS@ceP(gMsg<5OC&~ETR1UzcD}XWlH5(%POZl&dQd8CBF`^ z&%rJBcd!5}%FAM^`oA@03z1*FUIK1jn6j1!s9jwG$6rs0z4s458JF3-%0#nhO&$1A*qy__w#dD$QC??i^ie z7X^hoRgmz!YeMewTPHjBhc1Qzon>F*pSVmk9Wnru+SW?NH{a<|#y6X@EPbl`S>)DE zjSMH|!iz6YAcv>K4|g}jr;4~VskA-aT^gGh!uwNeI%KS;EUVsGW|5=^<{!Ae{nP!E zknNJ~Fr8R@^H1EgEkbh}Ha*_y4#rFRN_l=au@=8TW&zZ?V`4RWG-oL8eO^|NzCrw-3})#b#IIA!#IZ&P~QN~YI7P{7=tfx^|t?A zso(+oUz^=X29uaG>pMS$PPxGPXCgV?au2rYOGAYD_~`h$Jo$+Za>Xuhq5b!MJ{8g) zkd$k`;8ka}!i@b8=secscQBcrOL>mYx!9*MU3JXUA1-+z1gZAkV=dFU!YrFvH7LM8 ze_aAPDC-t~ICs7L-t^_3fZ-%Tcvks-es&5KIG1g)q&&?aNTh1`wS$G<*tWtU8))p7 za(8Ird`4`+DpUNZ*NCytIpKV?oiJ%1U^?^81$Mca^B`$0{%YLeO` zP8o?JTT>kCXJa}7hg)tpB&^*no3ZOlQtLTl#GlhgxQ?T0;{ube0{sWp5Ne(x5NOtE)*w4@y9!F zo=?A{AEd<;7dC4TwENR~Sbk{m%BrU_|ONur^G+Z$|!jpDPJrtEg&D(9W1uW3ln#_AP zi|#8gxSU|UmzBeM=DnrzNw!@ob|byVWlWy`js%BDK1S_U#$@c=l1RD1Zy34uqEs`H z=!;a^8f;|XW^%Krc;TF9yCA7uy++X_KVVw7XZ78fy#JWlg`=WWH#2pBH?;vy0@ijv z8s5Eo_cB;H#-}{;r-r8IEO6i+Z2NTe%%WGD#xof?VIb!yzHj5|Y}pJ5d6H*Nzy>@3-T){CDC~ zKD}zGELNrYnPz$`V%r}DF;g&%Ia>j9JX4G%#X}7nDcCw@aQ1B@D}mt~kC{C+ z98MRrG*fRu*(&&WB8^qkw?}q1r;mNQv4>ZQC;T7@u3ZU^ZR@B{__n4h6TuS^L6yGd-dt2g{wvee6^D zKkipzui1GEyn2{D<}f0I6eo5>0I&7N_g0O*y{Js?{bk9x z@dr{-Tm2OgK42o|VBs?A&Yukp{7l;kKGV3HN53||{RSaQHeP^79t4Mmv_=$s{!Xnj z0_Qp8uUIr-aD8&~`YS4nh#}vbf2G?h{r4kwmY=LCCPjAqBfK=9S&hV9zr84sK)rSk zIFb8?x+a4&xdWt=pJN#jPg!y#c?>6be&M_RMEyLQ*j;8xefxHs<&`J(7GA8%yL*T} z|MR`ht$}8;_dHgoS6!B<2=~hQ&$Qs99ogn|2y>8r!j6Fb51MbHC;1y@8}F~i!++Vi z*DnBR3bpcB$Ergo`|;s--yjRih%zk71MEt;qvJF$QXCkl=|mr?%1hz?9g^ahq7Yp} zTxX6|s4!^(p(CJJ?lfOPO`g+|4%dmBxquA$PP_=JRPvA`0f;msaobnV#rV=V_gYh-uT#4T^Tb#a3VEqgn6m0}U? zdMsQ$oa;r^OgLmhdpvRZ#ipk{fy0Bv$d|7-K^FiLN;;jB9mH-Lnps+dgWV5yybrgs zYu~Fb0ZzPQk?VAeuL}%S!>Cs8!+GbAEBE{I;|Z z+y9Bd|9aDM_nydg>1OHTU0wyu1mu-vvr|)jjs8;m!~aJ}w*4&d%u_d*#qv??W@R-2 zaE9=sKCDl{*gi9L_2BK462Eb2EPo3Ya~jse5MuEB0FNGx@5KAKy1Gz0OI7S8S{oa9 z;ep}NI@y>U(VZc5`&3MlaJBnZz^~CjGCoJFuJKR)8TBUP-AA^(_rE^@Q6jB3&aLx@ zjM_htAA}FmN$2w<1XZ^zI!Yd#Sb%fnf%Ju%p8VJps+*}w(Cpq|lH2Yqb>i9KcV#!M z*hL;Zb=LC(3B0)Rg&Wh!>xXkMmRZg7?|khJv%;d(&1daK>JPK$`qV6(&l}0`b2ekn z=Vz9uo9+r}#;Q8ko9*sustP?CcfM=AO@4gytBI9yv3csT>Y$j<7e~Ej_6=O*Z~wcShFyq$gQ=WtmjgyZ29t%t`QNZKL70=L&+}Ll+CKRZ((ds$wD| zpSpOj&KCg}g0Tfsitr?)dHhNdP6*=vIO79QqFlF~Jg?ZisU z)7HGbnnyuq^sX7bCFbX9$|2p~TEs zOzlPUOqwo#LBK%|W--h+VorL$`Kb$>hM(UveUb zPG3hG-^EsA5)8i)GfW@BEjc`X8&#_s3YBUrUyjC>4%tYfFHb&qV&(_OWJSkG{al;i zjSnvE=W-&BN%}$E!S>GHtKU6*$s>IvxFq6ZZz6_q)RI?vv>KRGzBkpKXel{PEott~ z*2`-5vlBQrGaib`>DD`L(LnzsDTal)HEzaPk4%|0tcu+cbH#}lv6rKfyX82 zcj*rZlfPqO)!;wJqA@R0jeN=QWjNS2e|~U3!Nbc>87@>)krSaPG|y}ldd}%2lUSRJ z+`3563gE22ia^*@)|hUl)PCqY$MYJj2R<1ch6w=V9MVufhjLdZFghzF4wj*@Pbd%< zO$vHdl*;;NU;~U+y<+{h_l^LK{lOP;nq(@WUxY05GULM39>tg2=+GIFZwSa&^vzbj za#&n38)82trFyO76a-?0$UrZ7_XaiNV#!pVrp9KbL^$vZvWu?L=dK0BTsX%3qH!>I z1VFOY4u#6#YxG=0tEm?zrbi^q~49lmlk&JGXgaC@2~id#5nL1+|Pty8_y)Kyiax+Pm? zxf;-l7=E2WF3q8AaNF{?PQW$;)Skn^2Hg7_kQ)}1rJ*r0Rp4<95>@QQW5RVBo&VSk z71Bu#-?&d0&oQ1??@0}AOzY9GRtBLowJ|M=91W*Y&KNaKe=h{9Uuu}|Ii4t!(xBAQ zg;sjBl%j5qOTKqf5Q5-@#(&z>Rzm+iH}@MnmFAs|+Kg!A9oEQzNJBwQSHQ54EEA2d zsiwWR7|T@vcy(#tCiS5aIY%~(a0*dx2x;KudzGQgobL7W{qxbL)tGudm)iPm{jqYX zEc{@1I|-9T+e)Evr{TGG({JexMZK`si}>vytA)Uz2x{(dBMtIcGNrH$SNqg|@ci@4 zQkOY`-fS%Z%~HQWL&=c|z`)vRU}sX+Fb=$|lz;*?q#X2fX@O=tQ@~XO<~?GX@P^+s zHC+Wr7>>GsQt?fA+o?_s>#b!(`b;T7)6me$~c%QuR*e; zNU^2Kd6Fq1Sx8b=>9}u+lAC-Rg%r2#wv{!4IrmAm`i_ulC6Hh;g21ud zWiR=`&BV*R-`6s^WZHRioLFtg?(NQT~3mHkEd_@)sXVg#K%Mwe*g8?6&&fy zjPGap?EPif{LB}Q9C)( z10A(Z>*3&3LUFS0OMGJ?rOe4=+<6vcvqc4?BdGD)%FT-j1 z5M-oCu1Th}y$j_Cf60-}9D(m);qb+Y9Kjw^4**6!{i`4|E{MtKJK|4#jwduM_jqwh zc3NDSC{^8J8MaEl|3Y^EKR}Ap@1A#DXpp|V@*~Bhn`+|gwnyRHdXX^UeR|AX4)%K> zmm*W%2WjxjY&(Y!lM<%bJNfl}Rs5bvc@L(DEP?!IK^*Ex6qNNjk}$zYE-A&kC(b6eQ#`LWxqM-3;_vk3cwRCxq?VcI z-M_ma9#2;2OS79qy~R@rvOXJy`e@uYy3)=Li7$+w98DUKUNv0XlVTOc@7U3s`KVu~ zV?7HN0xHf*u?po^?BMWBO(m5N78QKp-g-dx9pu5tIb=a- z7+YO!*ykQT%cPd6IHF z?1Yl{=f6nD;?^H|9KV3%AbuH#7@*7?4p!DUa<4ImZW_ft2&=3UT3}dRQHA3wPLG^- zR)R_T8!yNyKs_rWhHt(?$eF^yssPg7ic>*_5dNR*TG4xm&3}|({M|H`-BH7m^1pf} zy#P|*hiPcYpfdG#xCHLgh74NQut>^|NZ~sk9*_!9%Lwp;dc2Th2_ch<1CQ!7n7`Fw zNx@&&3K-MjdoTGZ@vxm?ZQ>0q?^5b`K zMC*>yeBsE1gD+g8Wmqd^NGYVX)Vg-LHaUz{peHJUklPK1&vmdAY`vqM%>37rPeMQD zCPzLCo2=tWBoGpC@=Uieu`{){cfDt-;d`d~`F~8sGjkB=CGtTN@Z|>^K?(+I@_q+G zJXkwai)#p`!yq`VUxvFbn@MfhmBF!DadA=_892v5G>W|tCRuBkePVV<3d}JF=lBbD z7zZTF=N-)6AS)%tL9q$Paf7125RwmCvTHh`&mF`wi)xwuu=`)%gS^W7?paOxp4BAC z?-|Hz>%ldU(PyVY0Q)uN(CY^Sr&%?Ne&qHuh+sUct!@3q$%&7`W9bSH68NE}A}>Ot zE12>=O2bj650xfYY11@&jE9$-pv%8f{Y6!QkM&&2Igg^h0FvF27BuV}#lI1N5I)qR z0KLxe!N#m>FTj4T@IQ%rrNMb$Ez~`yE)D}N@BF;v9J)cdko(RGJ^5c}c^EXM!Xy8H z%9od5_rT+x`9HyP=yRPE4eP^W>rt!`;8v5DrVg}-gJdIVSdHSO`dnQp@CzUrNotj= zpJP=OAWmDPyIfQp#?nyl60uEa9yje!wUEvmNwfR2->yBl_IZ{(4&cEz{=JYX&OskQ z{--@hG`XA?41pqVmCFB5r zrvo54a5HbDB$_!!AmC53H}EY@#Mw9hZbi8*K@NI_3=5DTCge4>b5meU-Z>sg2Z;#qpC zDiju7YK(!qZ;1oWkdc*U#Y73+T4XNR-pRgp`Wiy(1E;&F8abG}WdaJCUmHFLP&LQF z8GgR_A3gynp^M-OPJiWP{X5o~jPx$o+AR_zO{eg$sW+@Mm5eL+L63ho|6!f^&bX3C zD4bf+*b1M!mi-lhY4OYZF2?4RMA``_$pjxG#^#m;K@g^%kK-FAY^Z^UXe`VJO$#rcG?<3y^*ZD2us}V_&(O^K5_(#acaHEmb7{=y= z0$3DSa5TP8hA7q$f(R4!9SdgO&KJ&E1d8d!lUj>miq~|;fs<1E^is%{Ijm!%;JC1Z zl;z>~+#r-G)@wU$5!m-3Wn0pz2hm6c3}gHtPN_glR1P)(v+S4BRC1Cc`-&Noh!`Z) zVv0t3WB6?l3ideT!Aaph3D})nc^ni9%<35E7eRU}v)C~qlv49y%dZNOeBm8fT-A@o zp;?r9-ze3rxTAm0Qm{Y-y2v9zsPA|%$NuOs&LZrXUJ9wT2qufVC|@`T2P$k)Ct73! z3(dhqas$-XzE%$vm|wKxbF^WhYM22Ogs+s;_@a>w7@&MYk*+61a8d!E zI-1TQwa-|nH6obxu$q(7g%nvkR)`MYAn27$H1eBIm#Z0p%yhr0snXDW4zWTWQr*omy*%QbBru=!Y7@lP&lcKPl9OYpiv+gl|u@%=`$R_OTvrk zrK|W=)+P;U;;W|~5syax#_+?(d1S~6M!}&ln{LA@yxIGx%u>HnFgFWy{owp~P@vkd z06Q-o_NE<+cm^#7!5HEL!vbKT=9mO~MU(;2<_ZK41fr2$7#;XHkJ)waoAJKR zAcMwOOB())!vgXP9tFT1q0sowygHQtIEWM~Y*I&4M$ZjRJsV;A)frNGRL`JN!? zjgne?H1ZV)6i--(JY$2CCixUl$d*cBp~Da?<7+Ru{zwP%a#Ne4c&AelmgZpXAV|X1$zc zI!vLjvA+*d+X+c`$&g*)LsA5O(N9!IBS%14l!Vn7pLyWuI-d+yEN=CE0u+)LX5FRs zSc^!OjD|4esYQX45~D1c5n)KZVFG~~LYC}30p;xHT8Q*e0GHaC3|T$FzqV*|;e%7O zwE=DO6yYa$KdED^jSX$ii@LzogeX&fm~(%$rkbQI*)ky{2{A(Way%NTh?TWL_yqTf z5S(=CKOCq{5TVwDVAg$VFSLSX$uNmSbP?nDnj6u`7%byqnhpB#ooHkZmLCuG7D($b z8fobt=$b1eqbBebs_`ot>4BAn9|Sy7Qzk}z7lB##t7$6b%96Pg|3^dP`_ae>tba6w z`&kT*{{3G-2U`*pQXFR2=kP*rUzRM9B;*ZZ9)IdC8hMGeGE8$ouLVXUo9?5mKf8}& z`#}9H8aa&huLm7cNl;)3m|eevrrwn-SszJAGGd-^3WNrbVDQQYp)l@*G#riX`w!k~ z%}`W;%zwvHl17qkLql{BgZSg*Xyo5}*Vt0`t{+p5W22E!@INtd$c3WdGXJ?&dxj(% zh5j#L570O@dpWKf&#NXNF7_2q989c$C!=!OQY_4;(-)}B6~md%wx)m<4|}EJ5!+bTE(}QRhB2;vPgkB4}^Xkq__O& zaZGQq)VyeCs_KY78tH%y;-&s=>_-+3&*J2&dz?%LO8!h2k`xB#e+1RyQ$xtTmD4by zARN-K5P8n34IkC@t-BZT{E!NTtQHVjASh+Ik}GEGtJHkT@1%S6H zQG#z^4t+i^v?0bvjV;4Ny#|W)K_g28&0NoPWt6J; zapT^jk*(POVZewAMWN5f=hn4CKjnc&u3YFA(eWBEGaq-5hG zViY?6D@lQQ1OPWiK&wp)SaXHI{Wpn7v(lm9HZaR}DT3E?@-@bS^wliS9~dU35QL8R zzIqwN;_7S$LJH*5YbK*h#R!Aa>j8IFNZuC4I-*Qomhrr*XsU|M&67;sN!$&*yKkZ+{%w zLZ09LsJ?R_xdSc5*p1)G+`J9=lfQNDWHRisNMe5L+@a!>z34I#jZ+-t-0@c{`|tmI z-r&#vJG76tl#WM-8*x4LQkJ%a_9xy8wdc3MZV?mFE28ayT;>1Y+|gJ4uEAQt|E26x zqng74K>tZjdl6IWs^){|xBt(cljr~06Q=g^Z|H3f8BPwe4X#q3l@$kZy?$c)pj+xc zYl2rqGXZ~3)$gocj~LW+jHy|47u<1iDR953*Dt6CM0X@f27dSBnmWgD`IBQ6J~C;yM<8l!7x-wyZd#uHd5-4ne4hMemtd!89jh zw6rvHK8<5DA8qodfzI_IYftX@i+A^o^ax|xpHH>c^ z2XO(J`rLO{<}U#;gSW!li^xb@8)4O|Gw;0EA)CrX6``t#CHu6PGl?seTm_r3wI7TU zO+YLgTVHE1i@tr*i&-vvibL2}BMkZcZke=Y?8V z*Ok4rozTSrB%aB9&~#VfcN#-AL%jC$E+AlTaq5xelT2ITK47?I>3|`=@nv&T^O7ye z9NXe;ra@WE{>$UZBzw2M&g;sw!j-1e(IxS|h4T*u>*k)(+Hl9>b$oH2M)T4Ev5|z~&u-t#{3H6bgI!^_ zoxqI6?Y-AaLD|&GmeYqdZf?q-uNF3MHi#|d_88-ncUO-aR1BJL4tmNTylb%7F5X{o zY;Ff-SSb@yos|^^K5*H57?oRS@$N*gQIg@D+R<>N-t`Qo;yq%avvZ@#Vzrz}sd(!F{IjW%1dHwRCPnos$+o^PE#pH2~am-k3E`OEuD1@NaXsFQgiUWFmFPONucWXt{SEMZAu#=c5-X~&88S<%;L z%1_Aj#+1f*b{8`HPKNxm>oxWDstr7L2H}kfFTLjMb+TY4 z*PVIw>uy6YW;NcvX=|Kklsw>d+x>JVAW}8i7kH~mvCo$L*ZO3vCA^F=DIrREwczUP zT-me5%3Lz>PP@8Kh<)+x<_CFt;D<+4Yn2sQ4BK|zw*2mrx?R%wRH&~gqrmFwkGUSU z@TtD_{RTX?nWd@t9nnfv2Kz6#Z}Bg7D22>6>gFPlIl2;O7A~a47TvkDsNq=a>0-v; z7s(#6T*-__={>sX4w4qf`!#q6n|Wuasr)o}2OnB#on@4w2A+;)7U+JnvceP26+i?( zZ&Ri_Rq47Dt2|lZon_dPN!G15DC#`+a09l(#%=|UD=tJd87%ZaQ61zIrafhE^nFO2 z|I$yu>~gvDlfHe=kicX7onOLttqsxlS3T@XvP4`pBp#ILIgc*6jovX{eQe?T{{WRN B5R3o- delta 12605 zcmYLuby(Eh^ES=W%TkNdEZrdpN-wcUry$)SU6LO_KspwbZlwjJQ@W(38>CaEQ(pA> z{;v1Gz0S^=nKN_Geb2S~y9%$P3NKy;RWJx13P-Jlqa73i@XKu!Mzrw6`&NsA&_7v4 zKZljo->&Z!?K<8bE1!5?do1$J)!<#&9Ur}T^Hj5U3TEs&ew#?@l$brqnXZ3TRzs5e z%$lmjv3&QE?`iWTviwnWdfcQ6-fy9+Vf=|*?B)C08Q`aHE99Bj6-%b~4>AXBo*z-h z@wqAcB0#zUup`UYYpkiUT(n|Qyno(}XY)vM^Cv|cMjszVLaT#fi#L;cb!W+<=mds6ex{nEAk(a9E8oAUCZ z-Jz{nT@SNdzSqL@ms1(>Pu@ctofmkP*C||Em;DCt0QIf2&<&@lmrMEjVkULwWqa7h z2JTHb;!bhzc=l?lDq72zg^14g;r_yrrV>F3F9-Khxezon+ zhK23$bUj@7Z73$a#O?RsO6+f8X2v^B6<*E7yFg{Fq2tNkk8RqoG=2NQY(||Csb402 zJN-+tkCOK@^|I$$9pE7ZO>6qL5XK;MW_2I%rF0I@l5Gv~7Gjp(Mv#pU`=NX{8X18*;&=%u$K(im0 z`yQ}FFL)uOc;*>UA(2LAk?Z>i7k}D%F5HBX&VKFZ*616Kll${`{pix4pr48s0Vna6 z%`Q*hC{?udNuQCW?mhlerXh`i^}h8j=L3DuY6%~>Do^oDU$bO0LZ)fYS9lj792gL?Oks!H-doC9#9L+*-!#YD0hLUlr2UWi3@Vh0P$eeiL$p zpLv@s9d>O^PUD>~)q3^I`1_Ik8mi7eR>k?IKp9b-N2?2-pUG3}?glqg6=wbLt^%Mk z#%xIH*)!jnTk(1lM+KhjB}Ee!lf#Z`Tg7=^-}s5Kdkgg7TZ_0XWr}0*B}^Xlqu+M@ zb|rX@1hWFS&dfd|vzul=Ctbg^;xer+Z!okW<3!@#tE zKIg5LFy$O+#c!Ys^{|SYHcv(gr*r`1)zcg4`0mM$WDTzz)5_zC#-r)F<_6g7&i%e; z#Wi5my?l$0F<2|-@YVARYKUzz6*S!8{p730`IX%nsIw5-tG--(4Ewm~x3L#?UWPGC zlF2D3i@9_`&z;TBZ$`H+6X&P|?1~o_4$nx!=qT}bWPAhH7X_C%TAAy;LniA1y3+K4 z*o?w1LHlGLhzvRixvc{kI^9*(RkG=g1`whUu$(3}4YQi5l$*M~K z0p}_8=%K0Q5pPaG7xG-dD92+ebZMJEXqPSJvJcQbO^+KK-g9XcT}&a61Qa$SDS2t` z-aX4|SPy?@_o_4!y|muuv&0cr$5)kF(+j5h!nDFjvCvD)&{wbM4|avwEjrJc&r;!| zEh>$A`@YSk9>t7KN~eX%3p(=`o*L~`@D`gHj7%SEH1dPD#-j%+UwM`)NHTW=YTxV0 zS3CECDTV?XcI!L0tK&>B-UFshHreOJ)ji>N1{PYDH-~`a)7oh-cBM@|)>=_$=c0q~ zOd^k>b=5j#&-fS8XQfcXcg1$?H#WV5C3aw!d>=lM&)*o6i5so@v zmS!bctfBKZa?Q%a4gr^8jsf9KCVASQ`>XiJLREUR@P@~Is_oK-wgB&Aox^YGt8&e* zCRL1w*E@W=?vXenvtmL%QNy<4>Ud@Lf@>H=Q|;9w`JNv#cg$z7_AP~X5dlK)viGgr zpr=&`k&XeC>;p<+cbj(}UMaU0*{WX~(FI7JXT3>0BUu$>(bie!dv6vj@UCE?@FFIA zD}HoDbW?LJ_E7cMdK75rsII7gRok*->P7T+f%Cl85K#T&*`htjd>B4jQA{-1-@D17K%D%BGDa6@yxg>|b*HH=4HT{G9jdcua?FIFjw zrzcfCLN~rtpqtwtdwZU!o)DUUTJrF%Ygv9hB}sblts$bWYzF}I1T-eviu*>;OB^~n zkr^r+n&=Hoox7M@dZqnw(w(pmJ}FxI%^}TYlH7PV3srX^iA~RK9iZsbH|LHRzCfcm zZpp?M_TOVtxnGM-S50TWnY8~h*LzoklP8Yf*(gQ%dSxacO7gtE!Jnf4t}BkBMO$pt zt=%dtIJJLhEC@&?KSom;+%L%Y{46JVYxFcrG;3nyRYTXnGq;p&w>51R%bNAqtx#j) zh9!4UY-{XhwTgwI|@FBivi|Tw~31h(u z+9PP(6ME}Ucp`XizE=nC(!v2;sz-e(6XPc9gOz4ihg^X3^iIjk#g})DY?`Cay_;TK zg|(h(0vjB>#!-4-luL=+70vkLhAYs*3Q6gvBOjk1I=sy?8#&qznDi}Cy(lpci8a9^B1aX3j8k^T#^ zmvb3u8_FCyt|c;`G1n(nu+x||sgREA*AYjTw;NbMEfISahqx6Vl_935O?>9%NoicR z>v&Xl=Sv62%|o9~yeeg<$K>hW+O&Ivmv1|o%7U?tORC>c(`>lki9G(ZLcMimBjFd{ zF&5x9=fGkbH$JBAolog|>iCOkySwCT+md*3Pv!A1_X>uDGeZ2|?wZC#xi)v5!dke_Uv6(t$?x^c!ezntf$7B(AA z@v>xrxq^YY!;r-U-Vu{L`7bazQz%Z54pVx%?ui}IUD-YyW-E}$JWsPl+ z113HDhdiAn%etb!%fy5Qu&|%-`@QlV`W17hNUcL}lgypwvZ_N=rT@D~+rQC}K!{DX zYxkGu?oc|r(X#=z+SD6<7Zx;?qR&OcwvUaE^;C*li@LSW^?xp(xm=Po`&TKuP9KTK zTLEv|d=mEGc^qQ(o-5xion;PMQrX1}53Qy0$xRO}Prdt;rMWX};e9Bc?rbzz$6_tk zB{8>dm>e3%AU z5cG5C+=vT%rUxN;S)ej}E-F0zdX z#cpPw|9IcS#$D9TGW>R<>AvZgfqc?Z>X&Cd)P<7ARU>ao3mfvRSB?K9AM10(Tt!GM z_~dV=ShUW!<)}{YDd|}njxUsE;Rp%6j863sbZ8{*@gq-2Nw;<5^}E@{9A8jX2Y%hX z5Jc#=!{b7{;zF2c98McW6_DB!uLt5VmdmYa}`|}10yI?VL`@rUA z7uCKx&o@+aWH6oem*0 z8ZHAGQov?72W-{Y`pzC{8>}b?k|1L1VP8E(UV_Is2`o;w5 znVW18+|~vtE>buw3zeU3Z!Y;87Z6~~>P)3xj{FgO?zqBCv0~KFUUj3d3_H(T*)?~h zL1Y6J8|-Dea(grVb4SCAu>hL`Y^-aRYb*GLmU#YnA1=CW^ye5uCk13UaGAE}`My1dDor>ohbl)8J@|?QRS`EciWXE9VoN>r} zy?&b=Jn@@ve@ahxJtP(bvu2|uazIb(k>%p|lvqV2hMt#vb79lNF3*6z)|n1lr@iu2 z+HgwtN3&mK7{v%N(UsExni*xE8f}=F)~Gqi#tyxxym8Tmw_4 zi7*rU{F+HEr3EpkNv_f| zGoM&SU8p=qoQsd6RHc)FVkvLS&pX2mve3WQ^dpu8gNiXSno0n+{FHgPe}}6oJd4v@{!N0q=Em!DSqhn| z$QCsQlT1bSSXO3!{&3Em!Vk0KGWfRCRlOPHdBkD|*)-m;bI9y=@Uu6)QS`1`XjKvZ z+TA&;^w!nd@B@II*6dMOhNawDJcU4XfA;U8T#b220s>O~^qJd4_df3Z={i1P?Y&&hU9aHH)AbIhc=U{sq*HfR^5|QS z6j!)z zm?Z|x1}xIz(gXc4J@p<3(TCA3{xk}^tss;l-1LbtLtxfZCHSo+{4=cAIhfhSJ6Y=J zaMM(`I*u$IHoxYw$HHipagI~r%FkffNm;PRjDCky*Mm%($v21WC5F70fBFiZ{*gxt zf}}8276Gn^^97`P*U=j12@E==aDORz#Ow^B@M{Wku5#+Bv?|4D=2p0{&-%i@uQ>c<5o z^kdcGlf&ew`x=ngDqlG|ISpnN%+>WNH=JwGvmHqIqG~0HeLf6l6($wg;JeP9s8pfX z0wTuHqPVhx1YdBUmUMc~+$@CT$SvUvQDkm}e-Ut&q9ttq;=4>;idXrWQX)KgXS+$= zy=CG2$1!0m9cum*Ug~S?Y|6s1we7&>wT`2RuE`D#XJ9FeR1W3$gkkv4Z=y{ zb5p>wiRd~Dy)vZ>k#DOL-mu+$kJw6mo05#Z(`ng~3C@+z4bRzG-FB%lOQ^`r5WgRC zkmbW#>msYjFwf7z-Xfyj^a;aMtwUnnA&iN(nkW4Il(L@wpoaYmPw{Qak1@B(hiWK)7u9vupx966^ zlMWF^w&u!CqK(gJVqZ*L0iU)?zv?Vh?+;Jue7ynH7MVe@QIW1(slOz^-urp z3uT&g$X@8wq6uPV$&(E0HivPaS9%$E6g7kv6Nt|ExWTA1(NmM+#!-D>u!r;PohjsUu@L^kK%Csp_TJJ{VYX@onXu4iNo|{F| zhcPvCe2`bIB4Fugp8|C>gKsR3(4Th&Bxr z5wY*gtX(-m1&*?b7tgL6VU`_Bn-ZV3-HAR0k>}5mrI2=n*sL?KFpozF89%^ zLT9<&(h?+AF)0#^bWd&$I%%>26<3`D<3U`TY60Kn&$fvJ2LOvz6RMJrIwVi=VCgAN z(qxQ3zx`oskH(vbsa+sv%}{HK@0-#BLDRXvUJq0KeB^%LInY z71l(lT(nMD5%1*jujo%oaffNmR^&Qt;=oR~SwEW(t*B25vfnu8{ES*TKKy*YCsfeP z_>H1Ae8{m!n;I;UjY?KKTH2b-u3^*4F#I^Zw)ga#AP^kF;mG;9B5NbSzjYkVlFBou zzf9*`O*ynDAn5w}USTXkZCyxYgdABBZ*q9p6y%n(TkR_^K8O4(8-gmo`+K!Yb zNli6BTWO%5OnPGF+R{|?ljv-zuRtgKG!Egz{jEX?XGVb9ohJ(sRV0LGzc0m6frZv}5 zrRom#wAU3+-$EfA)V?-TIT%a_cTQN9-;rbI)iD=5<09`7X&cIl9P5Wz+aTjQH1 z*4B$}mi0Kbs_q!-q_zyEqWHzG_-DtfVHC^tXL=K?q$jDRE!;c!+b+C!!${0ci8iU) zm{Rpw$>Ubo6^ZKy)Zr@N#uBjdPuo~9Zju^U+7zciJ&InDR2>4hwf6`GvnQz$OUq`% zc7xX~wglw949v49yG;Mk9$`5(vTmw<zTY8_YEcb+Qiq>x#!` zV707gKTUNmubLqL|svZ)w=?QlZBf6 zDVP`c%yGRb$~@$|U+=+!g@YcKi2d)XJrW<_#r%NTEA3?69IzB!O;AMs8BH8h;sSW0}aeejLVZwa6cvz$6PSq?1VWqX>5K(7%4l*8V8#i7I*MXSvOG zNE;t_wIo}xT3Xe$|DB8VwIpURLS0FbmrWe`jA|!$SQ@`bqy0i*NBa>_AA5XqGywoRT> zoqFifbKz{heIdR5JrV0e;K}QXvx|(c!LG`wqa14CbYQ*|t|(It(nN?-BQf}uMDkEO#U zRR_b@B5i}{{!IX)`O1yZJWGF^cJTp-GT$D6h?PC|ER*mWy`}GW(<%uhOcFPK6l5Hh zGedtHn!=wX%X%5=UjFfL9)y8@-^~`(U>YExPSb2m8QBkFaI4Lg28%@Y<1l20u&TkO zz=r@G;YxgS3llCI&PS@RBC@<>k;R|_hS4ZoHvNCoAmYz1MP?afMvhVK{B!kuK)AF2 zKkN>h^y)*%@Nf;4cY*=!!8nJSWM zLX>tFz(wKOtoaPlxIWg-BHOHHDqy$!PL!!W%x^Ejy?Ha#G^QI5#PCq{Eujb8rN7D^ z^UavxBkK4{)-;6n2_#MYaoQ4$`4uWvA(tU@m^2z?th8;1(P+C3VwD9%*g8JiF#h1T zW@Tbb8mZi&>S*5-Vo9O0hZ{_zS(1jRyHC6Kftey%aq_w!5hvG5Q<9l#B|b`cW4=QI z>80|1;zCKmYAOZ7+iCsCo6Q%fJY5&^K&H!(2iUIV2|Rj&?H5}gB2J$Rs?oR^`qcyS zdGdqGA>YsQ)<={A{ut{-rA3pnU}azgwOM8UjQih=zDr|GCMl=Dlp=je zvRUf$ibj21RY%78zzI5I zET@FY7Nk{Z&tvO@#OY1Lmq~3y67r&xco)a0;r(iWv>eEBLuCWRAWtkJb(zo%ks@Wy zqYFp#S85n?X5+&7M0I+|n1uUDD@0oUNXeLao9#c6tS=P}E_z^$2W`=AdSHywng{hL zzYTw69BH5u#DF0+=7kcZrjdk%C`Nv@Z5X0d8~`!N{AHp1qztuVwoj}^wGRmcHpUoR zpnNzblWBvk!w&oEyc%&ZKw!dS<|uBCl3w=N(d~f)nywy->1_=UJ(O?wucbC@9;upt zo#VdONEVPGrj)XH$>yQwmXtsux9m+B{-2gOmD*sa=Y=EbL|@GuaM*`v=4M1Xi$0da zd{syOpOygn^$!eepQ*ajYUJ+olWEnhW%?>41Z_q%oANJW!p@g9@k5MNw}VBWG4N{O zCTb||9X!uwghAmVw$@Xo_zAh;(RBPp+U_E5qzNSO*xE>L`yhVYPS$vxaZ65hX$0u# zkS^5DB9wtWxF{!VW-}u{TtsT<83Ds-dYAGKAlRAQxvR7=%S?6#b{yj<^nID9hw@XNQhjdEjT*9m&gnV7pT_qTZXqyS0^BB8`GaT1kf@Oj)}MD!z)I zs~?z`V}DpT9ZV?E`NmE<@5fi4W0CL+I-*)9z>kg*7rScr1 zSEA+9w{xhfTk3y!u4mW79C-!z;dF1mX(axpyr+BMD2||qVHv?*7l;%dNvb{z@N(=zS)SFG+z6tyhE&2Z!aVJj`brxw^jT=p;FWoHdBq;4p$9)f_2fvpf4>hhc zJ?YE8yFlB%V7wdcKJfDtr_cEMdVR%hOaMGLTDg;E$J!RMSckGsV~o=`+}*CoU7 z#qbWX@`$7kd(eLGGT|r@NnxUsId}UYq^D$NlR65V@qH1U!_~8n?N?x-C-u-M86E_R zPdEp(yq$641q4a+qX1tx6I^P9q&ovYHE*Ycwi+QT&%lD#IU?kvMo7tXaJ5MaCUngR zK#rY*YbQ$^`Uw+G zGEo9Yn8BLMDHBc(k;^u|SFHSWG5`aK4<3ef5V^Qb=y&I@zkra_n&F1AwZFMSVtjj- z!-lT>1$2!J8F`mN*)`Oja*f28c$XuBKKzCC1{pH*E(NoTv!Ht^8MZ18=caUxkpGbk z!;t9y40R0c-AaZA;>hbbLndv}vzk`iz(s9likQ8KJweDEM_j)?DtCNg*D;qubE%HWPj zoZpvBINd}+nphb>h_9J&hKXDR!qRj3ZkTYUiPYV~(#+LwnQ&H!`0&E?+FkCLa5_fK znx!sfX1|eIa0<1-q^6!pU=c&wU5^AB%Z2$u8LS`~L*Xku4KuBN73}u*Z zIY$GC&fgCWm;3|vbW|jT6dEH@?!el-T0wFT*;z=yl_~8adykW0;S%s+s9l)sMKY{R zqI-zaim>k{88#*n!bSO7L<&_BX>!Ne@VHz8!ze`qAO0IihWSZgkl}0nOK*qBQ~)bo zIsB9d5e|Sd1XihH?syPmK)62dB$_6Ayu)Px;T+B?ElQd#h_0*+MtrGfB8&xqYzt~C z$8M3`8~;_M2u~B3q{92ngLn;u>+uc&X!zGW zh#CN-&p!r9LXC(0k-+#2wZX(iSAcY7hkE8;zRR%^hvFacAhdwL08arQ86%(GgP&Tq zv$3PlAvPX7@=f9=V#LGoP|UXQ1+Zn&VCvX`Ihg2Nl5;4CQ#3l80m(reX*6W_t#!vz z(LH^oe=ma>3bF`AQmX?{!(=9+E9OSQ+AP=3$d5!tDq@IoCd3y{}nh(5@Lu3GT>XqrQnQ* z7o+?bp*->n4he$IV}jpw1X2_g1;MV-IcrNL!Fg$+RN(+`5G)b{ti`K_`hrZML_N@@ zv6O5($0z7x6(%&f)g%b_kwS?@V2~zZM&2WAWcXuA1H$wlCD_P*YRSduHLC`~U>F(* zENtB%QXWkg0YmHNf;#d^aY#WDFhBj2xDr z6Ig^71~f@Np@1dGn-m)cg@C6xCs92}V8lv+4Z&-;1_&t)98CNn!!J+ed&pqg+U@NJ zOi?&Kct{YJJ zHSqUTumtD8A~KoJY7W>4I5pi~M(zk-Er5-%prP9eHszMQ!$y33^wLJRj2`0&UX>&P zHlq76-NSUC>3YO#ji92t>2i*+fW#C^eg%G+D`Ircbn7z|58DDlFd zSvR<;tw=-Ia36vI`43U5l;Qc(5Eon!JG7`>n*)|m8rZkoqg9k?3^3Ssr6FvgQ`?p|#fYxIfh&ukiifInU!?8Xl zXnLz1pRBQrhA9Dlmg_I~$c-?V{$p^uOkob_9c=G0SkOF&l64TEkD$T+ryRH*3VCCw z>Ud%LCf})%HlC70NYf8FDeqwHG~gPu95U9Q^bzIQ7?}cNSEL<8h$L~k<6wH80)@bS zo$9yfURux4URGBzm2c8V9AFLZ<2r?eTZu`0?4yqWW5dbtwR3Q(k&136FOTecL^$W^ zi}kVPtSVl%1EMrY&>P9sq_u*Ss&_CX4OqZDg|g_3KBE6$T7)Hl0>cfe6dsno(l~ko z9E8D;jNh1%2WE&61i{OpuA%l}3Jm0EfAvgUN)`^e0)tvi+M{rq7?28qm8<0-1<-3x zN4j}BWO%ToT8Cs0X)PFGDa|YB)$xOh3=AZ|MKB)JS}2o&jUnO#=${NlMJwcSqq(?+ zrLR{pB6ngW7lYTxNkSB0>U2TvOz7O|wh)9M;va~$%HWXqkZ@7!A~%JvaL5t_)Myfq zr!)qK91?$+)27AY8y=xjOM*k5K>lICQV}-J67&yUYY+tK3*axjs&O=!kv1uks~M=< zMGXLT$(0-u>B@M^z=kZ!mmI@H zHw>&|L$YR6j+OT!Kz7Z?DW?&zG?u>`Lr`R{LS8VMx@K5f-Z3k3Cr|RPvc;Q3!W7xS z{MPY+2y-q&geUIbjR7^XL?N#LP3i@felR}=k~QzaAG0FJZu(e8gAHl(@qw<@Fkx8? z5q7vCN|Y9n1H}q?`DlCsVW~lA59X!+@$yFG>n9pdt>l@QBn4$b-&GPm&*I1*^k-s( zTNMj12Q$2yf)LJ)bK%ep>x;vO0eIapBUL4%Bm^Z*TPlz<;x#4$B@4QZqgDj3`^G?3 zna}n28`Ah6;jfvbpPI?TV3L9-Z8`4YuVrOW3ZT}wN=k5XkikA9$XD&H?w)&pjU<^^ zuM(c6K8CU?_y}5CE=FNG!_sdVJuiIp?k<~dme)>V>U<*S4kve6{t&R94_qMC_j9#rFiqP zM*RlQ0U)l*&Ql-njoz=K<-FbvL9xl7_LzvrN)L0Fp8cqP(`2jgR#`@reruq}-_5u4 z!n!ly{C}r_jHs#gMv?!L;Kz;v`pn98tI4m9kG`8s#H+mQ5w|lICa|rvRbb(irmn3> z4-=df{OIP_v-tn*kInwiK6jtvZvvE@X>%c)nEw*MOb>hAIr-1p;=y}5Z|8G634+qF zK^BTZ;+cIXrkYRNH%>mek6xNW+oa}}tRMod2%|ND8-5gTp1Hy=YQCBGrY+0#vQ z{u9|6ewl*7oWKG<$%6Xu7R!EjvdNYtqJAp!@o4e1%aiW+!b+i5o&0gjr?T2?hC7Oai+v(k0t?)^#lYdX5aRTLrT=!R2+Q4%o zW8vLpxWKCw$1JP;J0+I%ISYZz*H)BmE6Grilx}<; z{<_3Ov_I%mP;&C!7r20VEv)B$NI#S^a)?VObMAVVDw^zkAvjTJJ-nOx#n!*gSMfCU zqe$Y8zR=ZLdM>h})iKO8E)wtjw9tySddsC{7B0R#}YjNY9emCQEX46ZsK8 zZ8qQF?2T{rk|8&sZFW}w+ojR&(bUc15qJw-PhSFjGnw5r;eWTK(h8n@W=OTaP)U)G zLvXWnepGJD-*)4-vWUtxdAsiF=5Js$Gf?Waa(C%rR(+&*ZRcBW;KYkS3Wn69z(q5ZF88` z-S>HaYoWK&av!vLm}cDAYXd7by(=M<)U7S8*dL|)q-@8whXS9Y^&Fmnc8%54o$fNO z=h$qD=4yn}eKCfezPR<9Bzb=QW~}JC+0N*rSKlDIlW$6uLk83ygFQJpJ8kRac%rgz z;@7#879>-#$=flV;^S6-8A4(r^{e;AjIe|-?Ld{clQJ;Q866dMkP{;CYsN76?uAmPuZlL1P1~HFSWxqaSa-Qp~qJo8se6 zF1qx#<~lOdIdf>UjtEworWG3IYO^=`{^5Ea zZF=+1r3=vb3Mk9&NUfFQJ^)JWgnLePUuB&ey5Egmy1y2cAFil(x;{}Bz8Sb}D^dO; z^81fymw*}YW?JAjQ#mnS5FxBQ^Xfjg&5#eHZlh4L}5EG{J5qQdPo6C*J2=j&Ik z(FFhFH`UKC^&52SD~kpCmaMuNr%s9`N~2ziP4G-1Tt8^_8Qlf8txTp{%-x3HKcBu1 zxe-Zps*iD#5N<8}sr7+)JNBZqgRa}6t&I3E(oQzrF3VZ-8Hw8)jKx!_pGo(ljL$g! zie*M{r-?a9`h}JHPsM^#1^x!3m`R diff --git a/docs/inventories/v1.35/objects.inv b/docs/inventories/v1.35/objects.inv index e81f4ca2ce7171c5ffd464a38cfe6ed14e644632..dfa0f394822e8232824cd93c6b14bdbd4da40518 100644 GIT binary patch delta 15312 zcmYkjcQjnz7xy0wMhr$LQAQ`xduNOiEqZU!JJGv|(R=Si?=5;KqSqj!gdlngq6fj_ zlkfAa-|xS3&bs&PefHk(*S_oCbw`G=dq=PnU?^Nc(xK8Q&C;l? zD#qq<4HKK_GVwOgqdKc!nWOYn@#a3<6+iOzS5lDm$d&zI%k5Wni3{V&4ms^_5ZG{q zkA`hEjHL6ymioVq(|eexS3h^7Z=63LZ1X9LE-dkRMn?0A&d%LY_$*f9IXnCoR}emLG&^bil< zv3)(W`b^BYB&a5iSvTA3|7|=LSG3FgM@11xSD8rbgtFN|w-N3uudN~w{cU~ku&iab z-)gd`r0*xON!LABdlHaI%?F5&Y_#!R`6v1##}e9v)fjnd;lp zE#;h%)H0Vxm=$BZGo_Jyd?}b$Ey+@`%wBNXJnet4`R1TB$*}WpK)Jwck6p{C z;OEzKU!B(iuMc1wNuQug1BDaMdAYMfu;o66O;`3OS9u*@x;OxNSqR6d#r?gnX;oq< zi3suEa~c%H##Wzvi2O>BOXqpy6LGYEu`{m+OZgFxjHJUgt-rJ4`rO;#9o# zn#rs4+|W?`LmOeAiC*i`sc~35H#a7CX!7kOR^PQ-VXdOHz6-sf)UaA})Yn$6;X#v7 zO=AwEpHcp1*+8O=#50(kK<)E@^m&n!*yw>p;-99o1Fh9J)l!$a{uK1lsV%}zI1Syc zt!M3`N7t8dtDB!!K*;;~ww0dme|JqD#Tif5m|iJwd>b(ysx|(lCDc<*c=_{rSiL?q zatLYGzRIC;Sk#tcv=Se5K&mv~3A@H#vHo-w*{qTiz*)MiSa0Akujta1c=N}~uQN*e zo65V*1oTbsS*_!mUrOGoa&zu0BaJ%I%?^(amLxOLaJ|42g=AkB_xCE;#1B$ejh10a zq#o(4wWNo!uBTv7povMuYqyL4SuY=d~4Q>vWp-8t}`yk~i;I@)D8w)Ld4IKp=G^tuoip1EmEEGif`l*gX@fi{SG#s-8uL`H*`=2>6V!L(WZGo zCDMI|RA052i#x|c;>i}an>cGP-v!^A7}j_--13OcIDufEVShVptHvBotLi;+m$vSx z*NiS~EBRYVE)@*t8tf@X@K1@3mlnofrd#I1IXpO!8huQ(GnZ(zt(nn?44l7HtTN5E z^Q9+Wjai!y|8`Ykuej1F?mRT9>3)DOMacMx4XFay6bbvQLMwZSs;}+GG3%L*kU_EMT!K_BCn5;JBo&Ns9-f>A%Ba)(-vfz&g);rU#R9$LX?5-@o*v1ZJCCX3*!IUiX)4jRzZWUPAjj z(2TMlrDv~)`%xX`(m0EW`bW@~6!o;4$FKvLs~1wX-}W}KND$!&Yepsi7R7B!9*xv5 zUcDS)O#5xFI1zhVr1+vnBj%+Qfs+B8cB$A2CH%!))}AMcYX$YfG)eai+fI_-rU4_E z!E#R&f@VznL)A8DQ<-=&txVnHl@aws+k+&U>>^`?)B1CPkpaWXmsV#)&C6*DIh6yy z7n7&yoPA>EsV2TDWxxO1_R)q9Vlb^usIJjfH%d@t%$t@asBriP4~OS3pQZC>1@bZAMeQ(fhyL@9k(Sm@6YKbZXe`x^Pm zAFi897S??AD?h{|zB$birUD)3e~m{zj?ag)(>A#1SBjR+pI?`<^N3Vd5Jn2Qcp5od ze5*dLe&H$SNUd|v!WJ(l7N@m#43|orJ!gF3M?c3B$Z0}wxea=WOZi9Z6Ut1T!+p`j zMJdli?)Fs_(l?PtL#(gwYBoM#yKdEXSw%HI{<_8a5lXob7n0jWnfJU_;>dDO55iyI z>Cl_Q*PHEVlbknUA>#A5*hH-Ii+^cY4atfvsxM?CRLnA>H(8?X;XovT9bRG6-MQ(% z$Wfv4+sWjx<#ZXh|Zs7`UPgUroQh7wFyEYB8SLBiLN>FsLxKT4v!e;a- zW#ax3;O&-(eA(Tlmv&tTL(xNL?DYI3vR_M@N-WR4v+pWEroX`H;|Py)7Z&_#812P$ z$HWI-pEK1A(ZS@D+V_G;T|N^O9SJ`)Vix`0K7B|1kc>B;jT1_TqrSP@`SmIw>b7I0 zlWpar52*>>t{qR^g2Uw8VXCJ&w}waesj3BKvzukGrdiV8cRPkjaX&eK9H--+u6#W42Tm2mehHw&wdge% zll$7SfOaB7gQH#s z#IJ4JT9YJkP^UC^@8WXl(ihx33jSLBnEa5UauMH`ryM``%bpKDU93OVm+RJ{S<`*^ zt=N5nA1u2l>{GP5dDH*UJk=<0!qI~})Q%M4s$|S2C*0Q8;JDrCUuV0FiyWH;|~B~=k1};E3d=*z?ZOtd!pEFNao@mG+3C+L=%0pcn(dCV#{Z) zU6m)8v~whQk*sV?mt_w$ILoETesL`wkS-vD6IWGK+Ie~|(BN_FA<9W}7@F(rb8R4< z@oM*g!Ne6#^Z2GReN^RuEj#O``r=K2h&5_g+JbursK@AUQo)NDKkAC$sfP4X4y%l} z62BkL>)_PF-2`{OXPCL(Tf~l992)|?5E$2j+XHv|bh4RJ7h_qMYVW92`cWb& z?Z(c5;wF z%t%_ot^GY3?A&)|;f)zDHSN@d|N2~)3V22)zVex923Ph;p_-(sD=aXRh zXzw2JFZ-4KKa(3R4<1c~nU3>$$YS~chjyd6gOb^u7x3wap;V!YeoNxOg5C;Hp)A$Y zlZ21UEVlbQjY8vhlTOkwF20ZKSrXwQ&%4>!;2m$8od=&OmN;5fcIk*+Z?pKHW( zMg;gYpOlGqVEP6~%cZv+m#DFW@Ff~ecDdJgyRDyy&L zkEjKFVLoD6zNc5ib>XMN=2j-O5lHU?(RJ~8yv{*i=N;=YtBcqwH=SjXOR1LCYR_d4 z_@7V$9Ii(*nw_4$XK4wmOK0qcFF-+BOC}aI)oU4sC!}7ZBCS}XjV8vu*!P@v_pgx^ z8e!voJtf8(_A7rYuc!hqB_4Tl$WIQ(rw1CSW;1cryYoyA6?uYK-4$VX2oF6^*e8^P z%ijX$YwsD(zxH#T`Kyuy6Q$ldpY{8R!<|}N|A@RZuQ6%QuIZStz~a$3bN5-IP;vZv zyd6(9{f+0~@|1tNc4pdOzg(K*OC)MRo0p_7tBS$FrriMaa&#hCner`i{jE*u37psM zV0!vXq*Os>--n{igoO~RF!TvPNZ<5@dJ6i=BzbJSJo)q4jAY7u`C`&r!;P=a{cy44 z)`AMU+r~`)_ZMshJlgd??q@!tq0n=>(f8D^(IymS=|P+yQHKA}lWg^#GqcUQwCU~D zOmZA<1{gX2_)A4LCB(IEn2{Wr7G6)%q8@{8V=}cmy0+^%fU{rR_!{fiosQpcha5q% ziQ^L93+i8i5Q*d0VIA~n)-3+ri`SVMG zlbHA!Y#?N2@1Apl;MtANBG)~Mhf?o%1QTA(T-uNwM!5(v{mp%r8Ikki#Ki_B$*18$ zmz%<8{Uxu_k4avBCp^1zq#Jqf${krFl*hYEM-#-S&4JSA+N_pbn`!^dG>aULiD72X zFvqMjE^<$VHYN9NTQKFryQ4(YY1=ZAg}Fr>_aVSfTy(6hpqJ-s0sO;x6FV9BkkwVE zI%-aU{5whNEHsK;*{j-%6vG=}g)>xJByqbvI8xl3-|4^+M3LEa_*#d5;W}3ov5fMC z{yTx8IHEL(X5gsgMT3E1?OYZ7f^>&6=mn@7L*YgGyf|RuPTCIy%)fM`=)Ii$2`>$Q z*0Jhi66r-fRFLi7lDgZAHvM_^<$GF#5dU4CgzA0g>Z=C%poCj_hpL&tXoUVbaK*0) zAF1j~h*&x=Kho}AGRs>SIGwy&^eqYvg{ilfl*?VSzmiS4wg)L>cHY7R0}MHG#vDN3 z{tBVa|Fua&{%+h~Mw&wJrNK449F(gVoD9_FGe9e|B2oM;v-4eQUes7kWQq zH<)EYbid(RueVaCGyJmg0h7g$3zM-?q)9QNxSiQtS@S>UlHC7P2eVms9L^MtiXWvP0kG9kGu@?%sZ;kS??- z1&Ccu0Yn!ud-Ftj4|J)-~o~nVRs$PWsUUn(V;1bqXuMVQi{G{#Xik-dhT{0a`Uy5@%{* zgiR|fVnL~D1YYY|j_r;rHZwa*lT8i;%>?m&D+-sIA)!OmD>_^}&mJC>7W-77){l>0 z8DyO+%f{+w5#vY=cSv#kCO61}C&8!WLl&d19|vrhWAgigb986gf0QjDyd$^v<6|~H zetg&HaJEaT5fck_MgtlCgqr8wMZ@VZ`c`ry)aSM6r~aZ1Ax_iZzYdSIC)sbC*7|-j zMmn}0o{XBjZMB;(rabjAIb8qgbyxGT>h~{>lS?A>p`*2vN%%KMo~!yrWt+m=&B3qE zbI72r{wwot`H%Of3wS1nau#fz5sE*_D@u{^IHAS$lR*V6H=+g)G|QYF8-%6e28PZp zc97?|mWwjUIv2Pcf&I)H0iH1hf=6b~&Fu;LpBo6Oj_!vlk4GMy4QB17f0wVVzm^hv zm)_o;@)p^GRR&jHTic5^@8(J$D7`}^J!{GXdEGB6QatwO@>2_N-z?hKkA`hFVa$;E zcD6&Y9M%>Bqa|@$+u*J7ci{r0T{`z4cO$yVpEJ@rhs90U)714gwWU!u+w-Arq<=X@ zuBTjehl=EMafkbew{{+shj`}HG!E(joE9h$=5?@rR`}AYgwv1a(`k|ra*y@yVyB3i z-t(5>8?bhE@M^>URY;dP*&8c4=T+m8op6yM^U1izFGqsdZX)}?4nwZ4nnl|?2Xj_I z{NgyT(^gkecVpj14d%|}S$_1D;$-ix5~^t(Mu+vFp4fA7wAfwVi32nE#|u^Z<&^b#1RuR-2TF1Gb6e!(LX^0o zOPn{z{0T+35Z`0}VmbX{ZV=A+6TG>xRM+~3kQ1J^D!b9OFGe;zr;XVh&v>yadfca7 zXcw=%smAwvNXD(>mz|_2txsKx=4O8cHe-WTuG)-zAB!XSqu$3Zi~x&!m>7zr|m5xbM0 zCBpFN^mSu}g}lbj$IgCH>Z9;$0$K?45k7YdqE0Ih61^(5S=}vxbqgGIBm8c#M0bIQ z4K$j0muM+XGY6+SglyqO0U<{omKQQC0rWC_d;*Q;FM^aM;trv z&M@7kZ##PRLbL=>%a-*~oX*j084>7pjXl8Ez9zPtO+x7}!n+B`duk}H{tN|{;8wvY zZAhJXHb2)KGc+%$Rr$6XUCuMd_wTP9ogq6bKZ*>pG^hDxwh;zFkP4bUOHLd&#So;r z=0>G=E$PXv;~&CK{{}80du?i9V~+{nR!3(?%k|)u*8R$5uA(KXT~5i)d%K)Op+>Ju zmx48xCjW*mt6XKl8q4Km+u>7{D{uI61xWgyq8lg63$H?CeP^UxOVhJzXG(Ko`b+QB zz<6DtT$yoY7QDX0zN*0&MkHPp2K#dhTkzIooo(wnb(~n{Y(c^5CVa=5f;;u{u0kHd`4+ z81RQx)T4Ff_sfQT<=@JyVie9>Y+Y-w`)cm>+-KSN`_dj$F?n6TkhFL$PzY`^4aqY0 z%_2K2Fi3-NUU)El7I13}C&4kvHgao$^{Ol`;*lm-{CwCVZ<8da37hA|W7EMPrEb)< z>OPxR-{P{5((`m+;@wp#<&s}LXfmUm?tf7`fi-rLrpzRA+?!y{}qtmdyT(1Wuc zGg7BuJm>f2`a9wkWQhr%oJIhzqdMB0Lprl&uCMnC0X}hc5_1tJ6$T*z(Fr2r?#xF* zA1l9SM_4jZ0mbKqJOc|%X@ zl5Xe4>3?^MUD!%p^m8S>JgF&AzDuejQF;3QwsE>c91+ta7UW=9x@2i*)Br8NG&kAE zN~QjpC3cLh)khVr_4#NH-WEU1ALvb?M|=m!xcpLR(|CW%yo(O4h!i-i3g>_+)$ow~ z$ohHVUF<~|wC@sqxnp-{@sX-&`lGi6JjOy)>CVQ~cjYSK+ITouN}sBb(zpJX!U3S; zg6(=%e72udpL@)GNnS@n+Q#FGMRr`CoV3EFFBTB-@J2FXo*FwJ{>F#j(O)tcAlAMN zZeGqTQ_2$mF;Rcu<8EHvxvo%GZv8W;WB% z5aE&9F)Q2?d@cz>0H}4KNd?8e|%e^wOAfATc_42mf zb{ut6$))kq-M*2BJL@5|a6jlP($m6@s%aTx0>^_cc>n4B?@`UPTdLnao0iBms>9^Uw`KGBs>YT9EK02BZ$^FalN-yq$3B(Okf&xyMV*=@ zU3O=0UQu2{Pn7*MT37zQ`Jp=bIgPsGo4EWq>n-AJoY%tDwuu!z&E`*EIL+3kUPcDo6>TPAhT*DNGaqwJL z2u(fYl=wA@kOYau%A`GDsgy4{A-orP6v8?Y59^$nwHYu)39x;mV!|3k> zcl*TrGs?RIS3gM9eZ(B!LN7Vdm9~DF-=|ukOSxP3+FzjBVd0zZ%&cjQv*ShRF{ZYTdYK8XN|J}c=iV1?`rZL#+Gh-?dp7;j zO(t-R0R=NqnKglq*M7+=d;DEiK(%hNP55wR9;nS_mZ@t*Ubj8uT(L>n_kba|kiNP< z%@s?F3F|QKeNP0pyv_%DdiF0Jt{Zf+mLV}i=<0mqtq7Pq0_5*8bUiY?pmQ5ROocJj z7oxF5cD0%$&UKt?7p80>H_EzIT!1kbZZ5xvxoI5CLXXftn-n6aAR=YWnc3-hiAJMdBGYRMcbTX7M3r#vJ!L_H@BYEDe+} zh+%KTIm=hb(H4hYs^T{iqcAJ3%bSCvG@Dffmzw)(F!~pWGqQtYR9~qTeK@&pS>#N_ zJ7c$&>M~B;x5Td@=aWHe&3^&4I?UE#Ht z-kB}47HBRxcjzf=XyJt>+!7z9Ad(!gzjf>`%BHmNnCWY9*{q*qfon;!=pLd&PZ%m*Xz|^Xe8#!4Em~D*tYcmp9d#`K`mvSqH^Z zd`V5=7A{Sjc6QaSQ+~k_k#`$M@ri=H7u{MN&GRKIAC*@oWWK>Zpf=hM`SMJE z1e3Ykke*vB_uqc)eF(6*?-}i$C@|KZ#7S%FciegR8BdrSn~tdFbVTVZ5WxA#|4>nS zmUZ9kMIL`t5Z09meaw)+!l$Mn(HaKS!Sjr?@Rj%Lqj(a#yQ#*?HxM6q3%Z$#ZWDF$ z=4FTgEJj($n8YY)HjUZ9}Il;JaeDnD;XLf_Cju;=vjK>H|a zj(6%vb3Hil-e32yTNwjxu4)iSnMW1oviU&v*{Cj0L7nP{(Sxbjz|Eb+$B0DShlhBS zT`y{{=>GM)?S9;u zgjKwowDaTpDg83suE*Wi@YwyaHB)i!y9QI~&8xa!!RKlI-j{FdM7SECy%@8-WMJv- zDos%d^&>QWJQv|{ciJ;+eJerC5AWI|zm6w6EBo@5h4&Hv(GxFb2N*e2_orvsX};d3 zW2hT#MfWel`Q#qnZIE^xSFVdB;_d|Ncu4-e12I+u%j`uW`$l~OKd zt5?Q-;JjOsn8X70h0$q#qK{kk!wb)lj)p0vC~MNoW8F2l(U^MTcCX6Wxx<+UFmXQ~ z_?hfRx6xE?MmIMzTC2qSO52Ky(#~Zn)YnPe9AG~m;y2~vhkIvlHZSlednGU+TT}R_ zkKjAE`k7Aq$*d1NQwE~%ocGY?y>8;mmc!}CKYYmRr?Cbkj{3QFq}}h*zXrdFlX68J zO}3Wch&M=u>se9I3*>Qy@Yy>BO!-8w`8w~xv?KjTWH1IOdhb>fRJqk-5=71^dIW?D zMwTBtjF)`3Df)<*OCcGwK3B=c&E-7mfm3t}L}~=m70*L{iA{o~LJ3|;m9zF~+Hnm4 zWR!qrW{Q_YG)ih;QoyAb@=0HX-kOS=6WPxbwIj~qBpj}*({e_8OHTDdY+L8T5}0Oj zq(aVbn8{NVjm9Wswg8EA?MQ|Y=Kv@W{l6swnG}E;?bA}Vs+0_HZqM)qhx2N}d&W&6 zjT9b+9F_{Jf=+%I3y)MLUkUxUqYP1O4TW=ZbKS;Li}ajU@6oF;@txUL^To~$0xM=3 zI9;M-z8!$ zgXEx2%Coyfsw+sbhzPN4lD{{u1j38d9bYaOQP3()SWoow*`FPRoRfU5TAdyiDad7Q z(e|+AAxgpr9+{sWDWnU_aS8Qp*|57tVyCEs6@s>D)0?Ep8B9~?T-8MLd|^`MfAe9+ zt_c-4F*MbB$y#Mk=heOp6W?Mv%K0rY#4x3*Aj`~M_w-HuSed$9ic=_R6pqC>?3$>k zpC5zZd`?f=9>So&j8y<|o0;$*0?${E%KTSQq&_g}vug67E$1%9tb&*r&IXql3d^mK z#CUTe<{}7)8SQ`fnOa~(wQ6+J1S#1h&IjN6Pz_B?T7%3cv;2j3y9UoI1TLUovx9aK zogD0zVYJ+ckune#XvH`4=CH=d5tY{~Du6g%xVF+QzU%H_K`t-GIk8CTtw0Na(^dHgUM@*s=u zR!c6WI5Sto=**8}4brEQC0oOoWC9lbi`g3|FRa%oa8-Q7YZY>Ld_p2Fnut;60U{YC zEHk^;2cnzc%$pdLYCVlr?kR(=uBQ;ZpSP3Sm7MsxUd|&m`ZMXL`Ytmg6WJPQtPEHr zNsewx^hW+YmST!30phj2UL@odks7}Ac7tswgpt`y3QV{(ndd@wj*NQvIbY3!BectA z{GzJ>jwgI_iTNjD)3Wa+fozxsBoEvZ6Jsp5!!fW`Kr7Y9QS8B>yub+K{H>Bh81ZsP zfMd-3x=Ios9ZFQotAsBdNvnWhmZSM+izlLAXN&y^5UK>Um~|GC;nX1FVaQ6t^$K_x2j`1Oq%|a4bWp#nG`(Oj3VJj{4aZOhhV(CI!kEW~s4d9n@$KWxhaH ziBnZbQ72G{oTp)T2~~e3RbfMkYRbrLCB;c-5-zFd5XD^@!WFs%V&4YAWhQ`TJ1;@1 zJ~>4(LZ%ZUE9)q-w*T{~mEp;!mH&K_9~R|q(b^-hW@eyEiAm`|E&NQHJX19~Rp2{T zHpo%x!AIV1y9;EN6Z%gd3>yTb%q5VN`A>VGzRx!;^ce(I(uT9oEj2^bns?lX!T)lN zr5)K;tN~BqVu;x_ z47XX1afb)vla(@?;Ck1fJ@kp~9~0C@Simk_xEEm|i5|v@vSdPIBUt@7E6@;B2BMIk zvd0Ys&=lrEdZ2`>02E9dRSqnaq9$bL%28wr;oiSIqDx^>$Rv19+0GLH&rB+tP#ud= zwK}RjcxGlNZvN~E%=;`)kuUBp!1F$kL;f+`QnzBJr2{TujDQv5)Lo@UXVStH4f9hF zs?T{z+XomFSg=YclA||dmR}M`e*4wT51qum!?dN%cnT3935_p7 zMK?bL0e)VLarS@RL`sTVhSI)5l>dA&!jzYvgSD>o`^5-DUSST)x>DbKtcvJA1QaO0 z%=3*i+X3*%E%V7(!NtwN_VdVa@~4DTKS_=EyRscF;4cNP5M2c5Ym>N;KO1>B+2j1$ z>O)l77Bf9l3$XlD72d$A_xep1StjViJB`a~DmY(kIM9 zMPV6ojV~EyDzJ3-Fm9_5E*{597SxQQ4?-wy>1u9q3E5xa8Sp3isQ*Vp`6t9W+pjgp zIMTKakSmM=8DNSz|4W+e*XY*d;zX05LVsUARY(!TG6TD+0+bouu)*knU@!%sVfM6C zqbe&ymTIj89s*b@0nJfU9MYYlP)h-vlxhu|smTKLA>eJyc<> zGVl>NG%_qi=}8p(Ewf$lNQsVbDNCk5h6L4m-rHG0vafBSuE|{4@X6vAhefpuc0nFe zYkSl;qku{il))EcLnD~N)Sg5*$jo-h-5S)-JFMBf{XjjKjg>F%F)!7$7a1)8Noi(> zTbO7OcLJ&y1_RN$ABRh8511vp_g1QS598RSIBzk{nL+@u( zJ;H=aQ$y@VRTY(Rq`>6B2tBTe=kwuU>9L?ec*`J#)MCZxNXAewWCIs0VBYo}IEM+{ zqJq4i`rxLCDFsFWM(A@QQ8mKA(gdhxX`sfCW?Dd^$5WzB!@-_bu0(~`kceqC=}9uX zuvd~m+WTi}ZedwPSzts2R1%3OAjwb&ft-QCjTRXU)h}rx-T^{#ITxSsg7xGUT=%`f z6%F8Hwjrn-3Zz9tf%0Hv_1%IIK$zqrqK|}*hz^h#_2DxE8oL?}7Ic6PVmGMzT1iWa zmm5sczyQF1mbC!>AQ}Quz-9eZvkjKY($UWt2!<@-g89uqeFx59LXrQDa*odpM(jyQ z{zRaVmUD(cqQKy0i*g1yBQZ^cEMTCT%nCh94p{gC1Di%kgz?xBLXl^<=xka>;h)TD2@2-*>@jECHKu^iN9Gcy>q;LoU6}a_X+aS;p4=ODN zc|ZC=QS<0&L%axmF649MBUt(m+J7kkXaVr0p92ctk{=Mk=YaUq6oA4hvICF?4!$%y zz-)?qhXRR@FMSpq+9D$%rOHEtjYP$l1_1t{Yz_)YMeqCkgV=hP4gdpaJ?~rmrDaXW zD-FQM3z`;!O+mHrp1dz5PpO{H?Fd;NzB|sv3P`(?6FeaZeAd%X%z!4=0j8tL`ahC_+ z(+8E4!zNWr2%z)|5W6W=H>FN#@C?B}9BK04OAi75!ye#L8Gz3pluwLS^L~&JTKpDr z9J2oQJq{6cKm~G~vi{aZiwL@<3jbFYlDR}sdgUkBBk2Kr-}v!s2%*w%AvQyjJcjqu z;O~SH**rfe7GU_&K=cg~Q0r%6bwHwQP#Z%(8+7t%Lv@JFpyX>!85!^mQG~E*IiZq{ z3>ZorA!M1Mp=v7wRwE)=N|V8YPFCxxvdMrmiT@${7X5OR^NYpYNbu>){f1g0Z zxYP#V>j(YU6yBqgKudHuIlTtI-vHG}pmVyM{C;!a$#O}c==z-AQ+?-Lvup^P7D>1R zZf>v{JEFWzavBjtlHU~#>0k#pS>!Xkdin!k7F)W8%q~>^GqCU;m5T}Fh8pz+Scrl4 z4-8`iz(PDUs5Qu)Usg~SJV+KHYCUq!rOsVA6S)4F?K1t@{DecK{g)>?e>q!1Wv403 z{ED~V0i@kSRpSZEDp24+D0IQ!>HeoO-M=!bbEGj7#x59#eLz|OT98{)8w}?)&;L#~M-JV#;^g(} z`!4iKnl1trXJC@tL0mRV7Oec@Un3%|!j~?=_^%NSY}*57YJ%E``)g!@OTa=4v>+ys zH$veDu+R}rtqkN56}1X1^h8s$26|+ zLOV1U9(Y*xx~l-<;K#dn$5D-LhA492{g)9rJU=NG2JodpnE#aMQAtJBH90Wcl=@$T z(Ef`rofAITvh5?K%QOB`?Fe7G7879w;tlrjm!|9LS2LIuK`CV^Nr1%L5V;GQDZ-c} zdA&$9=J8{RaKjxU*8vGu2xi(ux);hXaTnE_v7Sw8@<<-a^1c#y#_@8;GXFN#X3I|S zo#H3PXS^D25b~EZdsFWR(%@%GA8Z(jKlt(%suiMSeCOopC$bwT1Cb_ReG#v~SMw0w z5{6ltg&A6pd62k^N#R&ccgBfghl@)ETTb_4Nl-iji4&lY?N@o2_wmzsWEUnjk22Gb z5jdYQ@6(syfP^ z$s??_Jp62W(Cva2jH>#@8UDB<=KWzM4W2g6O@!tD@9NnI=wpZ7NU#=6+|24cA8y14 z-|DNR$y@)%`TyOpFZ%zsN6l^G*)rUnd^gW3JE2E@QCk&8tIJ13w|b5HpDFz67g6{p zxEN2S3V_-;gAs{s&_@~FBtu@rxaxxMG@P8oj3o9QJ2IE@!Xz}*eUNEOnL{lPM~EXh zscD1oj5~dA5FTcz1I5=n#qu#y1Q^3=nV@qzPZK6ZUOiZC8MHwAX>zI%@)lNW4ZYNO zn)E3Y%fo7SW$P{iT?|*NTNcdf4Wa`Av`!8u8=OSa%Vt#uqqjZXntKA*)&EF;2^0|!QQvNM94d% zC16zWzo~&9p!ANpjpiZSx0;30|5|*V`CL2SI_%4VJ3LrV^^!<=8G9s0Db}1|;`-Lx zwIKe{|K{4)M>J<;O*G;Xip*A7#&jtcsJh(I|3MMoY4{)+e(P-$?%DijI9e;fr=us$ z6V6c>>F6MUw||>p*NDt2Sz>LDF>$6!x}>>zt4BXid($6|cVfI1$#t{#zW6Yu%`x`r^mNPHIRiqamX*>5{_fKI#f0{Zq z^-BzH#$S5Xd~WH~-)16T@=X5AcOTfui>B?KoNG z&@#7jqwDv~npnjBm3#G|l^>DL@;58=AHM?&=NW#872mqQQYjlMi@iUlnXxADVVtpk zxc+s10I?4bxR;tIi2inJ)oDUa{qf|&65RK0Xd(jLE%4+1V~bBZk<>gLWyrIgX@G~4g988GYuic_WwyWq)7-+2(rw@$^W@D@Aj3f*$^PIT- zT$=}0BpE)k?XC9FT&`3(@LreP@a!}k8HQju7~lnq7=M4ZMF{LNG#ks0lo->BZzWy6 zcP)sSd*mJ(RM4*MJbED8L6grC1V6%gKW_Hd2D+5J09+bd58v`r4CWV@_AafijJ`VW z{3_yu+0^kTdvNErsjW8Ix~|9X+`}xHO83^zuT|Ii)3frL$o0b2aeYBGuhn(kEZ>%~ z-KD2bhVMp<5%bMem@a2U;^SruA~8F^KwHCJ(|q40xTMAx-vxfJuA9Gnbu-!k@A0{& z8($tbX&@SLYvk)Iy}7Pd1I@@CPVpwIegPtJeCX8+}y50O^zXhy+HR|3rKJ$ zBh@>woE#Wb9FLh>`KZ%C(=EXk-*wVssUgI*3e;pxqqe+k|GRi{`et=KlzV3Wtlja& zo3l5sjx=)jvUT9Tr`mz^*xw~x;d3s92^}}3!dSKTrMBa~@Dv|oab~;ke}xZL0ShyN z$nj)5vMve}9B1^zoN+xyo|5 zBfEb`rYu~q8Tn6NOLcmc=}!%sd3X~+w6J>Hd(uMR8qd7)=@w^gJ=+n7?{(<%M=xh+ z1uP%w6+)6PhGV<7y&4i*rWZ(lv*VVH_q+D?ROfw`f5}98#i7+?$sgc+{;eRkR$?^c zZG#&?9on(A=O!QHkJeyp*^^$<}Z*-|Wbn$|$l#lGT~)*kp(OhYBY@>9tN zi&fOW7qWemS-0Z<#B0>3wB_;mbf@-pr*@Z}XeI^yeA}tz3^sE&oR7qnnJa8yVpX&@ z!^QhxNqzBl@R7ISe1l_&$_8dxW5|Itb?IJXGjdrHqrvlwuQN4?tAoy)IM&0HRA@^|e(s`hHRvmj~%+2BvB+ip|T>s<6Gq4CYv`2PT2 Cxi$9y delta 15192 zcmYj&WmFtXv~}>o!XQC{J3%r?aGSwBXprFU?$%gv3laz}!Gi_&5Zv7@xI+RAE{}Wf zd*Ay0Rn_WKz5ATA_pY_NyQ3eozYjBB9DzMh;*$hIodjY-F<{ZK%#*Nn=Oc_lwzY~m zMH8Rgfvm-({tDwp69=BYW8a;s$&AA!p8bn{cQyh4yo{|z%eyCl+hYnaDE48_zbIWqY=@ta{ z_v~SM8X9v{KT5MLo_1#~i*O-UV1>q|N7KIN{K{XbH9y7&sR(Y2^^=45@Jv3DBhN3q zNU`h_y%A^p-bs(^>HaIl>+8as`lMz*t#gaLPm0aDfW?Ls({tArA#Uk45jSDpCG5B_ zsQJ>qH$(3S>LmCg1{oxjuku#jxQC2dCv9T|ffne{7V~l@_$^zyoiFAh9Y2=)>vo@8lO!j8vq9@(At{rm@N+6H16}|K&Z_zL4l1o*l>G{KW z53!%P0ktbCy@p%r5>)>wVxl}D$c#7hQk#23U;5wT_(?n3CMS4HNrR2sj#-4%r@PxZ z1OJ;xcv$x6DbC;UiPb68Ec#?8>VR zHR)@b@WWJ;ShohvQ`xfo4WAhOH{&fkxqD8sr~q* zgyik&ZEsyIdb5lK0zUr8`{paU^hC3bp}~AjH`;29nX5DRc-FbagGR1?dwYj%7dHVi z;NbXRVjD!|INP|?vG6$7@pzZo3S<{^MnGt#N$$M8l;{3xWEPWZvPZ)URU%4ytX;G+ zd8D1_!to!?LTaIvK;7XL|c&R}Cn5-Pqk^{QF6 zO^)g_{1bL7g^iYMlibUK=QY;sf#0I(_W?igrG}vTdcTbV+Z1oXwp|aMb;Du#9DD@U zroVMZD_rQ0k^4$EX==)7o=y_;V&k3PV)qjL=;$9kff|usJKk0Q>r2tvy4F@VfYUQs zN_IuRGI>7KhVbsK)+Uc!-9iJ^6GeA_OCuRhx&3KMSRAp9R#5b#y2qwmiO-SSWl6Ho zKq=)eW-(>7#Cg?1g$GW|t%0t?<&PUK+6jLw6Zg>j!sD_*>%ZyMZo!LNVcDyCFRe%RXwF0htiDx6^u^L^KoFNHj%Xqk>Xn?nhZA;Z{86M`IMM zb%zhF)}R$9+REWBtFo#WPqnXxPVR_Ja9vpyu_{waZ&a%~E7=@cf0#A;KAgudOrJ6Q z;1_XzXMvx}?NoqMH(5E+B~Ncr!p}^ed##R4q>gHl+Me)HjSF{&kW(qc1;F#}hAa*Q zysQ!>&++m$v6fRvr2uDEqh;=#M7Ij~njaO2?;jPF7`6`0`KMEUMG3l5#q|`e4qOKr zTu^=mN&--EMiO!C#hpud_lj>_c(9s8ZSvP^@4L0hIxlkt0u}Zpzg9&{TC=I1dK(kT zUpLY3bYCyf$IQ|fDsrKx0AIr0O9X#bE7dVH4~tb?ObIL+v$yn+of-NMA?JO=%0x5$ zB_ATlOzzlPmbc)nS?XSp-aC94=V};o9JEJK;h3l}oZD>0@Lpx1UVUBtRp@S3NS4=- zN$rVgmic1P)Gl122x%eEy*WN@!_E$vB;twKC~Rbp_?^IOZ&|wX2{3>4^&Fh0ISuZp zSiALF)XfiIj1=GyF)EcoV=MP-Q;4Z+@hHgR@l%qGR>bW5j8m8px~`L`-n6~*RmPmV zdTCWSa>`#AoD8D3xtxo58mbR_OOwFIrjey~c!M_e(`^1@1B*2ke$| z_vo_6q%VE>S$(Camq4z}zCV7$Mnn#MDM5$teTcnZg|iitFF`DhPt64v zw-~u*lfVykeij&Au$~2LuN3q-5 zwWYXE{;fussY^#|3F)c9+8-XxDj$od#m7pYwepru(Dz-n^t;h`m&G@5_Zne8|C@7X zdY~`Z8}%mZ2%aN#IaA@DeJFKV>E73(2->mJf1Unz`c$zz?DPUa_+{PHTz+ge=2E*& zEOlD@K+Qi7sPVIpq=210ENO}}ZGsT#G;ZOQrw|gTOJnSdZ#_)VWPiV#$1o@8pX3FR zuGa+@)M_twecP&^KAwZ!JXHNof8Jpu)z-h0ca?7HmeLnJh}!R@gItJ(-r+bv61~d| z9KOum&E*DsM@;ndsOs3W2PeOh<=ok~7JaR=#_nYT)L)?TL3HChAbpJ7;B_~yH@^;1 zqm^&TBa~NOq)B_ZwBdYWL?aS-S{J>kYF*Ico226QZ-27QE-J2U36|f#{MB;p-TEQj zt&M?u&QN_ZZh&#v2l2L=gE$Cvqa;jM|!4_nMx;G+@UCmqdc-G!=anG zRP?$Fn6601R*jH7%hz_1MGe|?Ooxzfv}Bz6f=2UWe)*B(Y*iTyd>k`pN2HXX##S@o zdo5;@u-pn<32*>m#ZSxKO3k&z+r^WjgK+`79gsuPg@yuoL@AP9o>@ze@&wVtN`?+($RltH2L~EPbsxkKW z-uy{xw`b`p#Q<$ncV8j8bjW;1qG@${DEG$GlO>ZwMLVrzYD@4?a^wN4CDNqRE;cSt z@cflvRH5?w!PFQR%eQ0s3t2+b>FFQg^SO5+?+8xbsFtharB}0?E;O92Sqf5NcT)ue zngqNGvpvY{?`EkN$|KfZho3xF-}I4F#_*8jr=N+6>Ob}^{Z;!(hqm9<>|hWFZF%%h zUK6=?*c|EepCfa4>Gthv<9qM?>X6_$n$K_M2-(guhO{8(FW4qIMIJG~t(H;PIZ!Q5q(i`N?MmhZ4jrSE3SGoBeU7Y{DhoR3~9U z$*k7$HXkT>%ql)T`&K;QR5ydg>;LfKQmG>rjlr~~N)zYQKMtg}tt-4G|8|=akcBhf zXbYREv1BJxym8%82;ePUK_0TdqG;}%kH}Dr#fh1)KaP}d(N`1k-U~p+WUnhC{i*nobA0EChnqH#Yvwl=H&=;BB zY7F7COe$*Q$GlhZ&aEuvHSzYmfBEhwgB+0u!;B3MY(#G)Wv!oTXVACdwg=k~Q9t3> zxmR3wc(8B1YNs!+s{NNCyl6EdYVP?Cdg(2zD`jXu;O=c}cE50v0L$vAB#m68#Wou1Nk`r%{>d9T$n?JIu4i z@!{G4?Ev=IY5uRwWNY~I|8mfa!(O{2Af!onmt4{N8}Ke~8UaK)0(qiKJ!sNv_yQ)c zhE^z7xWQ0_8mWzscWj9KrO7B~7rcDEMAcMJnbKCDV|Uz3)Y1)R`ofx5o8iLj87{`Z zn%)WGv*DPq+2#{tj*DcprF4v~gy2uISgg@ijTs#G)>v&^u=^-ajsvwfQ2+Xmj2jQW zvx#EL1&YKkD*^NGg`vNFG~dT{HSM98XhyYtDC>EhEc?6sqepMw9tv{2rKhN?j0E5ILgF6MdX_fNFqETeOTBj1pN{+Kh*v}9Wau}( zOCV0&3|3>CE5_qT85zSUZYF4zuFdopo4MD}RQI01zdyd?T2j8zax%Sr z`ld5N)wRIy_S8czr1))rZ5Jn(i1~h4&hb{*mQxCNAvU0e$o^n#^hQ*CB_7_w!fn>j zx>zi|4;cZt5V=Xbk#wzewSDl}$MBDNr~*bCtnNp7gP)S^5%&bn+wo5A3v-v8>r-|+ zkj9}W*p2aRA@{$zl)sZZe8>4A9~d7hXK1I1-xp^^3Y-xvW_Fij`R^Y1alr?rY1XzsoYfnmK5THTB4kF#Bj#`DJ$CX+LX= zN#B0T1ekiyuYjJXIUQ=;uoyc=O&FlK!V`GNIbgNy^O20t65g8zyt&<;ac=RS{~p({ z^FX<^5y{Vv>$h9aXfKEt>s_W%5IEytX;<+wSl8e^+{i%Q-eaI8a^+LE*>=cByPJJR z=B-~qECZaPO~!n3VDac!zFa=j)5KV)ZSpeD&mtQ=HAaTuI3cGf>uUg-&*oKB7(-^t z$y`LIYsX@gHe-$BQapJ0&~fVhCy0eZ*9l9P>ww6yo<$h$T|xi%!IKdWuo4?Q6GP1m zOOEYjDEn2*@yJ&2v`&)2kkUj@P{uQ|u_>Pjm#=FUZYq0I@2>D1Fd| zsOPJO11w=^XuN$6nmxi^I}vor#(j0t)o`&AW(i`@o=N-8j3mBCaP*0)VRos`mUH`I zE7|*vgBbDgufT!8+M)bDu?a%_pz6x`Jzm=^LVWnoP$_IiiDHH5SDMF%4wxKg5#=-#{Q zS6&pnM(*xi{wu1ZZBCwmxB&pzJsN=H=_TWioQQ+5l#a)|FE8mR-6;?4&Njw6{H}G@ zXl(c;bP=v(>c06~GkuFbei_X+u)A=Evk*3coy~r{aAw}3hOgqtwE1?iIghLLIz*-L z=7>bxX)&cu!f#3n;J124iDpvSPOSwSD09v27 z$;$|~E0mX8UZNx?w&Nt`8lt=W#_vOeKJ_Q&(w=MeA41q1wxGvSBLUZ%>z)UmvUkhB?3DD=M})G6Dg;V$ zGA#}Zt|NaQ3x@q(KGfoms^10T(mm{iT~Uk}$ggvX(~U32T94gDLg4iiZ_-bc`nf_s z8@pfbq{uHkI4*g9AK+ur?bS|QVzHoPbe)1@}@K!0a;_(?sY~V+J4gDBca`w9^6(u=h?D2D?0! z>Y~D>v80@&BOMhn`0imNBT_iVX^hgce)COIEt2%6f`g(P$I!Kcck`6)**pk#DZAHJ zl#y<&PdSo!jMAR--)(X^jYS!SPQS${+D(3~XOs?M<%mjl*d+GD6WR$Hkb1=8btlxe zQ@HQ7aw6vu{Dw));y?>Ht-8MKwJO)hKeH4Y8`-3=r7d-~eH~XC%*&QGrD1@yf!>2w zUf>ZHoUP;*}p9a#?Cls1k_7ed+GSPGO z?&3{K+r^t`O)utC9(;lR*;O9a`ajJgvt`#YouS{I(JH6)?_W~@Nv@mx=?`mmJ2!iL zzREwx9}gmzU}C`&;~HN1C_WeVC-g+!&8ut26f?$JPQJ@!5~gj~;=Z-vhfmGr5vu|i zN4sC5eujHp%?X|8K4yzD%-L0xiymC1%+ZZ3YtcP)8~9Rnd$Y!xLI9`NL&OU+YMJ?- zTW6>kF}<*z4n1q&WV}CbWfu^;d$3J??WW}$&sUeulB`!fR5{wVq1vzN-@mq1#>qb@$0uC}J4bCIlSL~}8X?H^a8CAZx_>QN`ZTcpDV6fbsa{!Fge_c;ukSN-Jmy7FvI zF8Z^cgWT}aVnVWE9`WO&CdEWQ`p5YRy_WT817cEbWO?~R7Orc&`C=6S!MBCS=cr(v zG?Cka_wp_z=E0Ri8{@dHwrjsquXu zQ19D*@N@Wx?NEOq8XD-elG*!ofwXx>s{=Up91LD*9E;va1Urot-tW5=puGwkP(TMF~Fc{fbh1lL{v1_&`Zlq@z8d7h0z;O^Px!y}d1F}vAt7V-AmU;w#j z%4GJirlK1?6CFclzza9ArkHcEv512tIaMt3uW=-HTl(=OiATQ6)atAruP83BI#<Z}FHviVuPyD{9Ye~b4e}ju9wuYsNumf#!?(X({z^PkEMfSBz zPD+!rTKec% z>MBkW?4MO&rU=5--LYiGG6(T)JKw-DJ4V1&KU=kh;VGv5CQ0R|{wB;~hD%A@VDGSu zu@B&C7T<7LV&^Q9332@)_B{Vyt}rnxB#w8=n(TulpJ}2ys`28_O^iP1#t(wTA_H)X zXz_w*Cj($JqOs$Hh=BX{la{3D=(_T)gT$hP!jCu?isAJxiDUS=)V&v6NQ(i&y zW5qlq3Pyj0dW#r+TZj|wMNEf!ZPk#LVhn*dVA!D+)@hbKr!s%3<%a&SD-kh2d zo4c4|Yja=j#2Q* z{$r8k-hQkTZq*;Mc>2$oUE0(K+O<lF&EE-5nF5+j_S89q?uRc`vde248R3`ii@-rv*SM7iQy(?y( znQdfER4E2fp;UPH9>;9bEH1>D0`gE%o;Tlkd2AhpY~h)VZYK7J|u60%Ux}~n%wQ45P=^G z4;=mxcz;H$yQ{4qu=5Z?agGwv>_H8D-jUB$I~@l)PVDt>FC!3UikC>7KCi^>&5OKY zK30e=NW7c+Tl-G@iRi#;X6|77$lIq)t?WtDgA^|JR$I21vNN9S>u1kT@IUljO66k{ zdv=o?Q*C4vh&~C@A>-(9>Abx@p-@)^t|sre3w@*47o<>A@wCo#a4m)FMp>WZs+tb4HI|iH| zq2AiuyxNo44SK-{YkU37(aN>Gv^7Gs;Gg}69}Q>{E|cFDo?GP;Ya2dE{<8FQA(toZ zKli3l7J9$$H6MaG)_%h;S_xlDic7HYp>hucB=58Z_1}B4yG?yL6mI**eB{3a=mxBe zJzPDcp|JMj2a2fl*W2a$f7@O;|NX}4!tTz3G2e|3aUoSGrChH#4!8SycpF*9fuV-W zhXnPYuCk@@k>>X_zYD^==h4n*sFYwB{&jEPpvg3@Uf?qNI_sh1f_K6e3>VuV= zz|n6qkf?nxAMn)2#WC5r_QbJq|G4SD@DAtDf~J-9st;uUk#d{- z_AC2g_dPG7>R6WE1#sgw(6ItjP=7HvGHlJpxo zyN6ga)oVPPsV8V+OR;?49_MlW-r&^)V9Gg7qIXwein!nYZNV1BKIndDu>IN3aWw&_a&7-gX_z_Si?a?OJ7}<`JXrKgIHKz5W*Dmtzj@hV^8KfB zN(fqS7hC9k$sZex5um$cByhr>dg7Y5{nTSgku|OTuc5do;nS~%tH;&0FDLcIfYvk~ z=N(PO>wxQB5@n6MR{K`v&tivg%T?_~fvLmE`-9@X)nj7uA{4(z{I0;mj_t(tGL%+8T$?@ zourFd4u_LGowQHm;19{I%s=kq09pU6k@lC=oDaAN#I%$)JSR-A%eY*sOYtE7pEVT1 zbTV9Wv(m?iJJagcvs_l&10U)*4)O1gAFG<=naTf1@)^2RP1M+oECz6meiSlv*h8AN zxEU*I>7yG82d0cu)_KMFWabdO}9A3Mu&O-G!39jWA}+#(_? zV$bG?9Op{h zKn;7ryKIh7Zkx)Zgy;MHXv>Xjx_BVI{N5NuBG(V1cF_Y`P=fkZB$UA88pjxfOu1CZ zN2Tuc>jw37;m(5)mE4d>FoW()#WmLUFvucQ->%{hS-~*6*~vk2+pH9E@=Y}EcWs|? zjf{rtx*cr4?pN;RP5*7(1sG`xN%QlsZ%y%|488#sL2VLPbn}uDln3<{2R%`BQ<#4h ztFHmQ*hGCGu5*%ehmpl*fz8&Q!&2UhzoUCpQFa=73s|2_k;VG7d^;wSM^zM**!gv$ zbk`9J2trg1>-t}@sYuBZZ-?j*R2HqqgPBG5<5S2??M416>4zEqT{eARR5$pik>*Uaw9&S&pT7*?H`VIyf?!0c#w5y?w#xPS4S!ZB?5C>&pM(d6D_G@PQF00g@@Np3pX7TXW*fe7%jdU43 z^CH#5W;WD&)awrQa<11$sU=5OZD+`wiH>)tjyvw=4GD>2~ zr;ElbIj%7LgvTrfIL@h|l6PZC4ugz&&^e@WU4l}VLIuY7B+NxjUf9g)JCN+M`L}tA zQ##J>OYcI5*M6#4gd}uo2C-!3r)C)X@-k)9MkAULgs4zGuW99lB!HLez9fV4#Bg81 z)GN|HfQ&mz z6R6-y2u5`AZdDv%eHsRt@*MF?vbzv)F{bi284Q0et%JV76w@AW!E?>k%}K=!YI5{* z^w}jfA^>){q^ivAxU?KsH%4-JFK~&D9TV+P^aijbO_5=t=_ts7ICS~a37JbfNc?c9 z;Jl8i%q)3U9}~aAz#ID0)mmBtVlfg^BP||jf5OIQ!VodaKU<&zi8u7QNtUD=7@AB4 zG)a;5)L`>aV{>G#b32fF&kmD`60uA1*l)SF%0PDz6=8eV3%xiZrp+Msx87arxKdUk zCdf9kJPq`_Y^%%O;*?IZyF#4xntK=)O!Tx#(YkIZ5`j1j`O=A*;>SslC`yH0OHSv> zQC#I%=jWcDkm`Q*R#^_llxa1A5)^o7C(BMh8{U}rYOolTfAD=jmfD=jSPIPb9oI>6 z7x)LuxonI~E5}7>NHw&Xq2f1+Tq9KoX0d_l*D>OsX?1KyJzh}_A*k3c^gPq6+CrVqjjy@D>kh z47jCzRtF@ln)+86POBT`&ox3A>u22}3+G!!^%not?;R&Y8%<`m6|!Dc}d&4d|N06$M;kU$J{HaR>iVu}`DRUx8|c0X0GKdXnotdBV5pXIUQzjgh|!^#p;;98t`>Ljv)t&oI#VQkGt=o^$= z0!udMPx48scyjy&ggp>D2N|%Pv|%8-Ig^PL@kuq0E5V-`c1GkiY(pGlqyHFXk2(7B z-uXOKja{@{v6DaSebqR}3UUUNcpppgE zf9BGrDM=en5}ArCu{*=PWESJN!(^evmq{eWRd27CI!4@+R;Rgw@{E4wnX_<7iwhAX z<5&Z?)p+IKWuru)|Fn&`^eI2;uec%?XeKW}!>;-=(OK@G)vFyU!yfK@Hd@+6oCn24 zfe|Q|?a6&%%A*U%vw5XA@sB8}P?zVi@QI^yi8;0flQq-qG8rp@U5eM;=!uw&Vc;mG zV9>*kW1=UFkI1pBj8eF#w1VR-#-8JZX>mh0L6 zy2M-6!K0gS@~MsgI*(+qA4D5mu~5(COGP4_FbpZHhg50cV)?UX2LElsJ)%=YPJB)h z)Hw&`3Vb4mpO7Tp$cLNM=2*~%?WX@7x5`8N_r)w=v zZ}!KM4&jGa?*~+5l!*ELtr|D}b2Z3wBmB$uZ=*CCJgc@|;$kI*`Xqlp43XjuW3^B> z=l$2(?!2y&L`)_yV$7+cG}-`60!P@36QgMWMY?~)Vz`6bhP34Q5aRHyH8-vy(SyyT z1ytb}s>&%gFwQdiDs)UyiHYC4r|B1p+#66qKqa4MvjhiyXVUzu-N+A2`83gkT;?E? zXFi2+AXV^b+Q%a9AhTyX_VkcqJIH`A_hv0n9VeL0Mi!%*f4BBPte?+GC#LQ-nTUYM z&b8z*HhKYhn>NlU%Pc081fED{EFrAkZTu$zZ#oup}wtilNMmPx|)0nEhU! z`z%iS;?MrtNY)zOBTZJBy&BKX`P;*7+nFF99~ygKQDOKG8JTj{>Nx);6)+chPWYtv zPsm89nPyHX(ya7rpe(evAMInTV5HQ+ux>`-?Zh*T8k<{?$?gpC4YbTjdIFmH6;nO? z{o2BBnwcmj<0}i3E!xbO{{p_%IC!g>FVGMd`QMVYjF8e&?mj!^J0**qjanA&X>_v%AeR=6n`}~B`o2}FbYV=0G1A&VFAP3WJ(pyk9O3NKgitzsA@pBBDzc!aQb3#4#G_q~YH|kwqI5Ye8QZSN5rbW_iN!y2Zz% z1I+=)9Z#5QulRgM=Z@oBFW6*z&Ak1_6_|&&h3hNO2E~UXjXoF_dcjnO#m7mIGL4#cQDg;hICimI zMCeJ|s3JDCoq64S!*x@m2#1&;GR$7UzuOOUKxCY~Kxtg#WJ3ZFnP#tWZT4ZrVR48I zqBlr~a~y9-0U{&k9j?tWY%N#e4NI67-y#vuQXJ5S$Sit?3t9BL2xUKSe?)x}wEp%F z)>RN)zD3iD>jkyFl}?oB7jM|)l=yJ8k-6cjHw%ot8HzUBk9=JI|Z0if?65@2WYkV-_E0L&UhAteV-9j1@{xcNWSR5y=&~(NA zwC8O4f-<;%la1s*XY&~``!wRv_vdW-g==#T;{l^}5E&g`!X?FM%3p64V#Ln=!)K1g zEzb3fPk=IS2a8+U!pn5pZhTPQxg4k}DM1I-EdxRNXxOYZTdb96*I7 zRL4mBMlxM0TihLQA1z>q136ybAYS2`wJIG`G~``eZ56>y&{pq%d7&F2qWk!7UPP#4 z+No~NsU155FyB?TQ<1=_tp}9lS!dd*_%Er=d)QgnZ`!G}uc-H;14n3g{9JWv38n11erd^y+SJgdGQdmbsUz%g({F9KW-4ee8<|D?k9>|f2BqDrh{tX zn%cTonTu7iBj@IZgURFj0)JYQ!FbXGajNh#meLMHh7fqJ3$RS4a0-#p2S7UPb^|hJU|NSe+gXAbJy7rsVz_`sv5WE?6bwTGH5=w&s_#R=5lG?Qoyrj9 zV2rW^DD5f*|;W#8+_r8@xyl;0p>4U;>$$3~KYO6>yz7sN*y_9#F! zo-cA;LNhkyKtVE8{{q3U#YM)I4ERZp^j4(~8D@${W!D5{aV-Oi>BZS#+s`|a zQd#yuS=5JMU|h6t0h3}b^%WRc`+4}B5rtD2I2SFv$uJdD89@xZj|TGYghHT-AlMe^ zGmxLuz%vp|YCSXh{i41P14p2Rr*Tb_P5FZ*E)a|fv1(q-P$7Q~49KBJVuSgC zU?J51-cgrB3|s;V7c^<)(iIm2|9u`ltCOyV7?>aZpSHkMwh#l$f(RF1eFDKoeke+? zh=D(YKxrJ~SekKQ2_D3a9V}j;4^D@Sn-I{5(#7WZ2_5#0p2~i}QC`_a3|x&4(%~4# z(8vW#_#@_x5+7hq6@Vq;5sgPlcF5FA!4m30pWMyp#guE93DwiV66S~-=2*O4a7JX@ ztbj)Tt`V3d2J9OXm1QRsQ$1e{?1T}n!#RzoRt}b^Ks5eEgRN#GzEo#Nb-P92BNF>hQOy$ZRB*5g6v6yd;EwMF;P7kfj9x z9VY3@2+VsORBQzu=SRv6<|GZ;vw@DIAn7UKu7V|;kZ26px1!#tlI6{e{{Bf0kA6OV z*hbh`gJ^)xvt~qM>OAc+oPA>uO*n!IS7=(U97&LzsiD?CG}96iSDwL&9;R?YJ+uPR zd_xFy2~9V_APthSf&ODVIXj^Ml`$!})-;E{_!o8fJ?cMv=ax(n2g6>53z_uSypbah zl5vG@@r!3|E|Ld@yF-^zy7Uy3&%qMCNQegPzoXD^DS~92s(x1xOM`4zm!a8y98%`xa4d%6I|#6&UY=%HQ`*7I}g$FcmYj=|ztm^295nTs^bT;OW>>j!s-y zlGMK~p&ldwKF0l*Ft6xwC1Q~OF{uF4=gS!b_<{1E1b7CQaB+ql z9X5jDArmVBCI|4s(>SKF@R)EVz9Nh5U~%@*$s!fuIV%R(*cR{{;n65?fXiw^)Lepqa1!KQ1JSw1^PDGi^l|A2qD27rLXz=(2A{s>6qkc9FMp zLz_S3xl*T$ypnJ`bSp&J3bNtyg{|1o*WVVY>QGD2?isG=0hPN1UUP%9niXlJmepnQ z!(hwUAroP4CLMQh{KD7QeRQdm7nfVA4o~odQ~1GrhVZgTq$2IXanVY?<-xIcO&e}Q z-=;{4sInSmy1nJx5CF95&S@5dg1L-=*58sizmrvd);7nB6~5ZPT`V%sy*H zZM~-yY4!Qa*t@mX_1V7uEWUn7uxIJCUQt+hH5Ze?+9IRA)$nNa?O*pcBtGuQhZ}E* z`*_H*g~0Wfpb%a-e9WRB2|r^SfVF zZx3dVqTZsIhewVHAG{{U37^M@qx0s^39CsiNP;Xq(tEulE#8*7NmmcA z{ejRg2=;93PJ-bBNoDp95Rb4KRg$tNv*@8ZTlK4!E`VbgEwa{$>d{K5ug~w{Oy3Q3 z5L^)p*W-&+5%2PEYw1W)+_}oWI>WN`+G-d&91KfQPVh1Pbujv|dzZRAs zbg9gGdF2!r?kqXrX|tC`}2uxw|6?Qe@A93QK>7;W)IcDlJ*?5KMO(Jggl+D{xxwszW!Xt9==? Rn)dR5y}T#Upl^A!{{xSsTV((M diff --git a/docs/versions.yaml b/docs/versions.yaml index b1a5a2a34e1b0..1397646b8b5f3 100644 --- a/docs/versions.yaml +++ b/docs/versions.yaml @@ -25,7 +25,7 @@ "1.29": 1.29.12 "1.30": 1.30.11 "1.31": 1.31.10 -"1.32": 1.32.9 -"1.33": 1.33.6 -"1.34": 1.34.4 -"1.35": 1.35.0 +"1.32": 1.32.10 +"1.33": 1.33.7 +"1.34": 1.34.5 +"1.35": 1.35.1 From 64cb65c7d1a1b8d1d779ac2424ac530addac5762 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Tue, 19 Aug 2025 23:42:13 -0400 Subject: [PATCH 257/505] Fix protobuf namespace alias (#40753) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../extraction_util/extraction_util.cc | 2 +- .../extraction_util/proto_extractor.cc | 10 ++++------ tools/testdata/check_format/serialize_as_string.cc | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc b/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc index bea5671d9ad9a..324375635bdc9 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/extraction_util.cc @@ -413,7 +413,7 @@ absl::Status ConvertToStruct(const Protobuf::field_extraction::MessageData& mess } (*message_struct->mutable_fields())[kTypeProperty].set_string_value( - google::protobuf::util::converter::GetFullTypeWithUrl(type.name())); + ProtobufUtil::converter::GetFullTypeWithUrl(type.name())); return absl::OkStatus(); } diff --git a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc index f7bdbcefd4198..66673ccb85370 100644 --- a/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc +++ b/source/extensions/filters/http/proto_message_extraction/extraction_util/proto_extractor.cc @@ -44,9 +44,8 @@ using ::proto_processing_lib::proto_scrubber::FieldMaskPathChecker; using ::proto_processing_lib::proto_scrubber::ScrubberContext; using ::proto_processing_lib::proto_scrubber::UnknownFieldChecker; -const google::protobuf::FieldMask& -ProtoExtractor::FindWithDefault(ExtractedMessageDirective directive) { - static const google::protobuf::FieldMask default_field_mask; +const Protobuf::FieldMask& ProtoExtractor::FindWithDefault(ExtractedMessageDirective directive) { + static const Protobuf::FieldMask default_field_mask; auto it = directives_mapping_.find(directive); if (it != directives_mapping_.end()) { @@ -145,8 +144,7 @@ ProtoExtractor::ExtractMessage(const Protobuf::field_extraction::MessageData& ra // property. if (scrubber_ == nullptr) { (*extracted_message_metadata.extracted_message.mutable_fields())[kTypeProperty] - .set_string_value( - google::protobuf::util::converter::GetFullTypeWithUrl(message_type_->name())); + .set_string_value(ProtobufUtil::converter::GetFullTypeWithUrl(message_type_->name())); return extracted_message_metadata; } @@ -164,7 +162,7 @@ ProtoExtractor::ExtractMessage(const Protobuf::field_extraction::MessageData& ra // resulting proto struct keys are in camel case. std::vector redact_paths_camel_case; for (const std::string& path : redact_field_mask->second.paths()) { - redact_paths_camel_case.push_back(google::protobuf::util::converter::ToCamelCase(path)); + redact_paths_camel_case.push_back(ProtobufUtil::converter::ToCamelCase(path)); } RedactPaths(redact_paths_camel_case, &extracted_message_metadata.extracted_message); } diff --git a/tools/testdata/check_format/serialize_as_string.cc b/tools/testdata/check_format/serialize_as_string.cc index 705bf5dae77ff..ed2eeee7503d5 100644 --- a/tools/testdata/check_format/serialize_as_string.cc +++ b/tools/testdata/check_format/serialize_as_string.cc @@ -1,7 +1,7 @@ namespace Envoy { void use_serialize_as_string() { - google::protobuf::FieldMask mask; + Protobuf::FieldMask mask; const std::string key = mask.SerializeAsString(); } From 200abfb34a579dd2dbf8cd5cca63233b7819e753 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Wed, 20 Aug 2025 08:46:22 -0700 Subject: [PATCH 258/505] Add danzh2010 to reviewers.yaml (#40810) Commit Message: Add danzh2010 to reviewers.yaml Additional Description: Ideally should also have an opsgenie field, but we can't configure that right now so it'll have to wait. Signed-off-by: Raven Black --- reviewers.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/reviewers.yaml b/reviewers.yaml index 3442794413f16..d9b49d7252b64 100644 --- a/reviewers.yaml +++ b/reviewers.yaml @@ -15,6 +15,9 @@ botengyao: daixiang0: first-pass: true slack: U020CJG6UU8 +danzh2010: + maintainer: true + slack: UDR2MA31P ggreenway: maintainer: true opsgenie: Greg From f2bfc97c8757f9f4dde973c76a2cb2c3dc312787 Mon Sep 17 00:00:00 2001 From: birenroy Date: Wed, 20 Aug 2025 12:00:46 -0400 Subject: [PATCH 259/505] http: adds BytesMeter members for decompressed header bytes (#40684) Signed-off-by: Biren Roy Signed-off-by: birenroy --- changelogs/current.yaml | 6 ++++ .../observability/access_log/usage.rst | 29 +++++++++++++++ envoy/stream_info/stream_info.h | 22 ++++++++++++ .../common/formatter/stream_info_formatter.cc | 36 +++++++++++++++++++ source/common/http/http1/codec_impl.cc | 7 ++++ source/common/http/http2/codec_impl.cc | 8 +++++ .../common/quic/envoy_quic_client_stream.cc | 7 +++- .../common/quic/envoy_quic_server_stream.cc | 11 ++++-- source/common/quic/envoy_quic_stream.h | 8 +++++ .../grpc/grpc_client_integration_test.cc | 6 ++++ .../grpc_client_integration_test_harness.h | 9 +++-- test/common/http/http1/codec_impl_test.cc | 12 +++++++ test/common/http/http2/codec_impl_test.cc | 15 ++++++++ .../quic/envoy_quic_client_stream_test.cc | 12 +++++-- .../quic/envoy_quic_server_stream_test.cc | 8 +++++ 15 files changed, 187 insertions(+), 9 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 1335481ea7766..21de35dc6af0b 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -35,6 +35,12 @@ minor_behavior_changes: change: | turn off HTTP/3 happy eyeball in upstream via runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. It is found to favor TCP over QUIC when UDP does not work on v6 network but works on v4. +- area: http + change: | + Adds accounting for decompressed HTTP header bytes sent and received. Existing stats only count wire-encoded header bytes. + This can be accessed through the ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, + ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and the + ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access_log command operators. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/docs/root/configuration/observability/access_log/usage.rst b/docs/root/configuration/observability/access_log/usage.rst index dcda517865165..f46144b0fb577 100644 --- a/docs/root/configuration/observability/access_log/usage.rst +++ b/docs/root/configuration/observability/access_log/usage.rst @@ -351,6 +351,13 @@ The following command operators are supported: UDP Total number of HTTP header bytes sent to the upstream stream, For UDP tunneling flows. Not supported for non-tunneling. +%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT% + HTTP + Number of decompressed header bytes sent to the upstream by the http stream. + + TCP/UDP + Not implemented (0). + %UPSTREAM_HEADER_BYTES_RECEIVED% HTTP Number of header bytes received from the upstream by the http stream. @@ -361,6 +368,14 @@ The following command operators are supported: UDP Total number of HTTP header bytes received from the upstream stream, For UDP tunneling flows. Not supported for non-tunneling. +%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED% + HTTP + Number of decompressed header bytes received from the upstream by the http stream. + + TCP/UDP + Not implemented (0). + + %DOWNSTREAM_WIRE_BYTES_SENT% HTTP Total number of bytes sent to the downstream by the http stream. @@ -388,6 +403,13 @@ The following command operators are supported: TCP/UDP Not implemented (0). +%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT% + HTTP + Number of decompressed header bytes sent to the downstream by the http stream. + + TCP/UDP + Not implemented (0). + %DOWNSTREAM_HEADER_BYTES_RECEIVED% HTTP Number of header bytes received from the downstream by the http stream. @@ -397,6 +419,13 @@ The following command operators are supported: Renders a numeric value in typed JSON logs. +%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED% + HTTP + Number of decompressed header bytes received from the downstream by the http stream. + + TCP/UDP + Not implemented (0). + .. _config_access_log_format_duration: %DURATION% diff --git a/envoy/stream_info/stream_info.h b/envoy/stream_info/stream_info.h index fbe9ff30e0a03..f4ded9b4a7181 100644 --- a/envoy/stream_info/stream_info.h +++ b/envoy/stream_info/stream_info.h @@ -438,9 +438,17 @@ struct BytesMeter { uint64_t wireBytesReceived() const { return wire_bytes_received_; } uint64_t headerBytesSent() const { return header_bytes_sent_; } uint64_t headerBytesReceived() const { return header_bytes_received_; } + uint64_t decompressedHeaderBytesSent() const { return decompressed_header_bytes_sent_; } + uint64_t decompressedHeaderBytesReceived() const { return decompressed_header_bytes_received_; } void addHeaderBytesSent(uint64_t added_bytes) { header_bytes_sent_ += added_bytes; } void addHeaderBytesReceived(uint64_t added_bytes) { header_bytes_received_ += added_bytes; } + void addDecompressedHeaderBytesSent(uint64_t added_bytes) { + decompressed_header_bytes_sent_ += added_bytes; + } + void addDecompressedHeaderBytesReceived(uint64_t added_bytes) { + decompressed_header_bytes_received_ += added_bytes; + } void addWireBytesSent(uint64_t added_bytes) { wire_bytes_sent_ += added_bytes; } void addWireBytesReceived(uint64_t added_bytes) { wire_bytes_received_ += added_bytes; } @@ -448,6 +456,8 @@ struct BytesMeter { SystemTime snapshot_time; uint64_t header_bytes_sent{}; uint64_t header_bytes_received{}; + uint64_t decompressed_header_bytes_sent{}; + uint64_t decompressed_header_bytes_received{}; uint64_t wire_bytes_sent{}; uint64_t wire_bytes_received{}; }; @@ -457,6 +467,10 @@ struct BytesMeter { downstream_periodic_logging_bytes_snapshot_->snapshot_time = snapshot_time; downstream_periodic_logging_bytes_snapshot_->header_bytes_sent = header_bytes_sent_; downstream_periodic_logging_bytes_snapshot_->header_bytes_received = header_bytes_received_; + downstream_periodic_logging_bytes_snapshot_->decompressed_header_bytes_sent = + decompressed_header_bytes_sent_; + downstream_periodic_logging_bytes_snapshot_->decompressed_header_bytes_received = + decompressed_header_bytes_received_; downstream_periodic_logging_bytes_snapshot_->wire_bytes_sent = wire_bytes_sent_; downstream_periodic_logging_bytes_snapshot_->wire_bytes_received = wire_bytes_received_; } @@ -466,6 +480,10 @@ struct BytesMeter { upstream_periodic_logging_bytes_snapshot_->snapshot_time = snapshot_time; upstream_periodic_logging_bytes_snapshot_->header_bytes_sent = header_bytes_sent_; upstream_periodic_logging_bytes_snapshot_->header_bytes_received = header_bytes_received_; + upstream_periodic_logging_bytes_snapshot_->decompressed_header_bytes_sent = + decompressed_header_bytes_sent_; + upstream_periodic_logging_bytes_snapshot_->decompressed_header_bytes_received = + decompressed_header_bytes_received_; upstream_periodic_logging_bytes_snapshot_->wire_bytes_sent = wire_bytes_sent_; upstream_periodic_logging_bytes_snapshot_->wire_bytes_received = wire_bytes_received_; } @@ -493,6 +511,8 @@ struct BytesMeter { // Accumulate existing bytes. header_bytes_sent_ += existing.header_bytes_sent_; header_bytes_received_ += existing.header_bytes_received_; + decompressed_header_bytes_sent_ += existing.decompressed_header_bytes_sent_; + decompressed_header_bytes_received_ += existing.decompressed_header_bytes_received_; wire_bytes_sent_ += existing.wire_bytes_sent_; wire_bytes_received_ += existing.wire_bytes_received_; } @@ -500,6 +520,8 @@ struct BytesMeter { private: uint64_t header_bytes_sent_{}; uint64_t header_bytes_received_{}; + uint64_t decompressed_header_bytes_sent_{}; + uint64_t decompressed_header_bytes_received_{}; uint64_t wire_bytes_sent_{}; uint64_t wire_bytes_received_{}; std::unique_ptr downstream_periodic_logging_bytes_snapshot_; diff --git a/source/common/formatter/stream_info_formatter.cc b/source/common/formatter/stream_info_formatter.cc index 4180bf34fbf8a..31d07f793dad7 100644 --- a/source/common/formatter/stream_info_formatter.cc +++ b/source/common/formatter/stream_info_formatter.cc @@ -918,6 +918,15 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide return bytes_meter ? bytes_meter->headerBytesReceived() : 0; }); }}}, + {"UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED", + {CommandSyntaxChecker::COMMAND_ONLY, + [](absl::string_view, absl::optional) { + return std::make_unique( + [](const StreamInfo::StreamInfo& stream_info) { + const auto& bytes_meter = stream_info.getUpstreamBytesMeter(); + return bytes_meter ? bytes_meter->decompressedHeaderBytesReceived() : 0; + }); + }}}, {"DOWNSTREAM_WIRE_BYTES_RECEIVED", {CommandSyntaxChecker::COMMAND_ONLY, [](absl::string_view, absl::optional) { @@ -936,6 +945,15 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide return bytes_meter ? bytes_meter->headerBytesReceived() : 0; }); }}}, + {"DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED", + {CommandSyntaxChecker::COMMAND_ONLY, + [](absl::string_view, absl::optional) { + return std::make_unique( + [](const StreamInfo::StreamInfo& stream_info) { + const auto& bytes_meter = stream_info.getDownstreamBytesMeter(); + return bytes_meter ? bytes_meter->decompressedHeaderBytesReceived() : 0; + }); + }}}, {"PROTOCOL", {CommandSyntaxChecker::COMMAND_ONLY, [](absl::string_view, absl::optional) { @@ -1010,6 +1028,15 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide return bytes_meter ? bytes_meter->headerBytesSent() : 0; }); }}}, + {"UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT", + {CommandSyntaxChecker::COMMAND_ONLY, + [](absl::string_view, absl::optional) { + return std::make_unique( + [](const StreamInfo::StreamInfo& stream_info) { + const auto& bytes_meter = stream_info.getUpstreamBytesMeter(); + return bytes_meter ? bytes_meter->decompressedHeaderBytesSent() : 0; + }); + }}}, {"DOWNSTREAM_WIRE_BYTES_SENT", {CommandSyntaxChecker::COMMAND_ONLY, [](absl::string_view, absl::optional) { @@ -1028,6 +1055,15 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide return bytes_meter ? bytes_meter->headerBytesSent() : 0; }); }}}, + {"DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT", + {CommandSyntaxChecker::COMMAND_ONLY, + [](absl::string_view, absl::optional) { + return std::make_unique( + [](const StreamInfo::StreamInfo& stream_info) { + const auto& bytes_meter = stream_info.getDownstreamBytesMeter(); + return bytes_meter ? bytes_meter->decompressedHeaderBytesSent() : 0; + }); + }}}, {"DURATION", {CommandSyntaxChecker::COMMAND_ONLY, [](absl::string_view, absl::optional) { diff --git a/source/common/http/http1/codec_impl.cc b/source/common/http/http1/codec_impl.cc index 343c1e8b28448..fef23db545003 100644 --- a/source/common/http/http1/codec_impl.cc +++ b/source/common/http/http1/codec_impl.cc @@ -120,7 +120,10 @@ void StreamEncoderImpl::encodeHeader(absl::string_view key, absl::string_view va const uint64_t header_size = connection_.buffer().addFragments({key, COLON_SPACE, value, CRLF}); + // There is no header field compression in HTTP/1.1, so the wire representation is the same as the + // decompressed representation. bytes_meter_->addHeaderBytesSent(header_size); + bytes_meter_->addDecompressedHeaderBytesSent(header_size); } void StreamEncoderImpl::encodeFormattedHeader(absl::string_view key, absl::string_view value, @@ -838,6 +841,10 @@ StatusOr ConnectionImpl::onHeadersCompleteImpl() { ENVOY_CONN_LOG(trace, "onHeadersCompleteImpl", connection_); RETURN_IF_ERROR(completeCurrentHeader()); + // There is no header field compression in HTTP/1.1, so the wire representation is the same as the + // decompressed representation. + getBytesMeter().addDecompressedHeaderBytesReceived(getBytesMeter().headerBytesReceived()); + if (!parser_->isHttp11()) { // This is not necessarily true, but it's good enough since higher layers only care if this is // HTTP/1.1 or not. diff --git a/source/common/http/http2/codec_impl.cc b/source/common/http/http2/codec_impl.cc index 65841f3bd8c50..713eb309af3e8 100644 --- a/source/common/http/http2/codec_impl.cc +++ b/source/common/http/http2/codec_impl.cc @@ -258,6 +258,9 @@ void ConnectionImpl::ServerStreamImpl::encode1xxHeaders(const ResponseHeaderMap& void ConnectionImpl::StreamImpl::encodeHeadersBase(const HeaderMap& headers, bool end_stream) { local_end_stream_ = end_stream; + + bytes_meter_->addDecompressedHeaderBytesSent(headers.byteSize()); + submitHeaders(headers, end_stream); if (parent_.sendPendingFramesAndHandleError()) { // Intended to check through coverage that this error case is tested @@ -328,6 +331,9 @@ void ConnectionImpl::StreamImpl::encodeTrailersBase(const HeaderMap& trailers) { parent_.updateActiveStreamsOnEncode(*this); ASSERT(!local_end_stream_); local_end_stream_ = true; + + bytes_meter_->addDecompressedHeaderBytesSent(trailers.byteSize()); + if (pending_send_data_->length() > 0) { // In this case we want trailers to come after we release all pending body data that is // waiting on window updates. We need to save the trailers so that we can emit them later. @@ -1517,6 +1523,8 @@ int ConnectionImpl::saveHeader(int32_t stream_id, HeaderString&& name, HeaderStr return 0; } + stream->bytes_meter_->addDecompressedHeaderBytesReceived(name.size() + value.size()); + // TODO(10646): Switch to use HeaderUtility::checkHeaderNameForUnderscores(). auto should_return = checkHeaderNameForUnderscores(name.getStringView()); if (should_return) { diff --git a/source/common/quic/envoy_quic_client_stream.cc b/source/common/quic/envoy_quic_client_stream.cc index 841547dc781b3..53773d3e33107 100644 --- a/source/common/quic/envoy_quic_client_stream.cc +++ b/source/common/quic/envoy_quic_client_stream.cc @@ -102,6 +102,7 @@ Http::Status EnvoyQuicClientStream::encodeHeaders(const Http::RequestHeaderMap& } } #endif + addDecompressedHeaderBytesSent(spdy_headers); { IncrementalBytesSentTracker tracker(*this, *mutableBytesMeter(), true); size_t bytes_sent = WriteHeaders(std::move(spdy_headers), end_stream, nullptr); @@ -119,7 +120,9 @@ Http::Status EnvoyQuicClientStream::encodeHeaders(const Http::RequestHeaderMap& void EnvoyQuicClientStream::encodeTrailers(const Http::RequestTrailerMap& trailers) { ENVOY_STREAM_LOG(debug, "encodeTrailers: {}.", *this, trailers); - encodeTrailersImpl(envoyHeadersToHttp2HeaderBlock(trailers)); + quiche::HttpHeaderBlock trailer_block = envoyHeadersToHttp2HeaderBlock(trailers); + addDecompressedHeaderBytesSent(trailer_block); + encodeTrailersImpl(std::move(trailer_block)); } void EnvoyQuicClientStream::resetStream(Http::StreamResetReason reason) { @@ -148,6 +151,7 @@ void EnvoyQuicClientStream::switchStreamBlockState() { void EnvoyQuicClientStream::OnInitialHeadersComplete(bool fin, size_t frame_len, const quic::QuicHeaderList& header_list) { mutableBytesMeter()->addHeaderBytesReceived(frame_len); + addDecompressedHeaderBytesReceived(header_list); if (read_side_closed()) { return; } @@ -314,6 +318,7 @@ void EnvoyQuicClientStream::OnBodyAvailable() { void EnvoyQuicClientStream::OnTrailingHeadersComplete(bool fin, size_t frame_len, const quic::QuicHeaderList& header_list) { mutableBytesMeter()->addHeaderBytesReceived(frame_len); + addDecompressedHeaderBytesReceived(header_list); if (read_side_closed()) { return; } diff --git a/source/common/quic/envoy_quic_server_stream.cc b/source/common/quic/envoy_quic_server_stream.cc index 08583f3ee00e5..abd2d709ac4f4 100644 --- a/source/common/quic/envoy_quic_server_stream.cc +++ b/source/common/quic/envoy_quic_server_stream.cc @@ -83,8 +83,9 @@ void EnvoyQuicServerStream::encodeHeaders(const Http::ResponseHeaderMap& headers SendBufferMonitor::ScopedWatermarkBufferUpdater updater(this, this); { IncrementalBytesSentTracker tracker(*this, *mutableBytesMeter(), true); - size_t bytes_sent = - WriteHeaders(envoyHeadersToHttp2HeaderBlock(*header_map), end_stream, nullptr); + quiche::HttpHeaderBlock header_block = envoyHeadersToHttp2HeaderBlock(*header_map); + addDecompressedHeaderBytesSent(header_block); + size_t bytes_sent = WriteHeaders(std::move(header_block), end_stream, nullptr); stats_gatherer_->addBytesSent(bytes_sent, end_stream); ENVOY_BUG(bytes_sent != 0, "Failed to encode headers."); } @@ -106,7 +107,9 @@ void EnvoyQuicServerStream::encodeTrailers(const Http::ResponseTrailerMap& trail return; } ENVOY_STREAM_LOG(debug, "encodeTrailers: {}.", *this, trailers); - encodeTrailersImpl(envoyHeadersToHttp2HeaderBlock(trailers)); + quiche::HttpHeaderBlock trailer_block = envoyHeadersToHttp2HeaderBlock(trailers); + addDecompressedHeaderBytesSent(trailer_block); + encodeTrailersImpl(std::move(trailer_block)); } void EnvoyQuicServerStream::resetStream(Http::StreamResetReason reason) { @@ -151,6 +154,7 @@ void EnvoyQuicServerStream::switchStreamBlockState() { void EnvoyQuicServerStream::OnInitialHeadersComplete(bool fin, size_t frame_len, const quic::QuicHeaderList& header_list) { mutableBytesMeter()->addHeaderBytesReceived(frame_len); + addDecompressedHeaderBytesReceived(header_list); // TODO(danzh) Fix in QUICHE. If the stream has been reset in the call stack, // OnInitialHeadersComplete() shouldn't be called. if (read_side_closed()) { @@ -295,6 +299,7 @@ void EnvoyQuicServerStream::OnBodyAvailable() { void EnvoyQuicServerStream::OnTrailingHeadersComplete(bool fin, size_t frame_len, const quic::QuicHeaderList& header_list) { mutableBytesMeter()->addHeaderBytesReceived(frame_len); + addDecompressedHeaderBytesReceived(header_list); ENVOY_STREAM_LOG(debug, "Received trailers: {}.", *this, received_trailers().DebugString()); quic::QuicSpdyServerStreamBase::OnTrailingHeadersComplete(fin, frame_len, header_list); if (read_side_closed()) { diff --git a/source/common/quic/envoy_quic_stream.h b/source/common/quic/envoy_quic_stream.h index de3ad82507083..0111a1bcfa40c 100644 --- a/source/common/quic/envoy_quic_stream.h +++ b/source/common/quic/envoy_quic_stream.h @@ -218,6 +218,14 @@ class EnvoyQuicStream : public virtual Http::StreamEncoder, StreamInfo::BytesMeterSharedPtr& mutableBytesMeter() { return bytes_meter_; } + void addDecompressedHeaderBytesSent(const quiche::HttpHeaderBlock& headers) { + bytes_meter_->addDecompressedHeaderBytesSent(headers.TotalBytesUsed()); + } + + void addDecompressedHeaderBytesReceived(const quic::QuicHeaderList& header_list) { + bytes_meter_->addDecompressedHeaderBytesReceived(header_list.uncompressed_header_bytes()); + } + void encodeTrailersImpl(quiche::HttpHeaderBlock&& trailers); // Converts `header_list` into a new `Http::MetadataMap`. diff --git a/test/common/grpc/grpc_client_integration_test.cc b/test/common/grpc/grpc_client_integration_test.cc index f07ae717a115c..3e07e29c84d3d 100644 --- a/test/common/grpc/grpc_client_integration_test.cc +++ b/test/common/grpc/grpc_client_integration_test.cc @@ -264,12 +264,14 @@ TEST_P(GrpcClientIntegrationTest, BasicStreamWithBytesMeter) { auto upstream_meter = stream->grpc_stream_->streamInfo().getUpstreamBytesMeter(); uint64_t total_bytes_sent = upstream_meter->wireBytesSent(); uint64_t header_bytes_sent = upstream_meter->headerBytesSent(); + uint64_t decompressed_header_bytes_sent = upstream_meter->decompressedHeaderBytesSent(); // Verify the number of sent bytes that is tracked in stream info equals to the length of // request buffer. // Note, in HTTP2 codec, H2_FRAME_HEADER_SIZE is always included in bytes meter so we need to // account for it in the check here as well. EXPECT_EQ(total_bytes_sent - header_bytes_sent, send_buf->length() + Http::Http2::H2_FRAME_HEADER_SIZE); + EXPECT_GE(decompressed_header_bytes_sent, header_bytes_sent); stream->sendReply(/*check_response_size=*/true); stream->sendServerTrailers(Status::WellKnownGrpcStatus::Ok, "", empty_metadata_); @@ -344,14 +346,18 @@ TEST_P(GrpcClientIntegrationTest, MultiStreamWithBytesMeter) { auto upstream_meter_0 = stream_0->grpc_stream_->streamInfo().getUpstreamBytesMeter(); uint64_t total_bytes_sent = upstream_meter_0->wireBytesSent(); uint64_t header_bytes_sent = upstream_meter_0->headerBytesSent(); + uint64_t decompressed_header_bytes_sent = upstream_meter_0->decompressedHeaderBytesSent(); EXPECT_EQ(total_bytes_sent - header_bytes_sent, send_buf->length() + Http::Http2::H2_FRAME_HEADER_SIZE); + EXPECT_GE(decompressed_header_bytes_sent, header_bytes_sent); auto upstream_meter_1 = stream_1->grpc_stream_->streamInfo().getUpstreamBytesMeter(); uint64_t total_bytes_sent_1 = upstream_meter_1->wireBytesSent(); uint64_t header_bytes_sent_1 = upstream_meter_1->headerBytesSent(); + uint64_t decompressed_header_bytes_sent_1 = upstream_meter_1->decompressedHeaderBytesSent(); EXPECT_EQ(total_bytes_sent_1 - header_bytes_sent_1, send_buf->length() + Http::Http2::H2_FRAME_HEADER_SIZE); + EXPECT_GE(decompressed_header_bytes_sent_1, header_bytes_sent_1); stream_0->sendServerInitialMetadata(empty_metadata_); stream_0->sendReply(true); diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 678714029532f..9f0721c4f176b 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -188,12 +188,15 @@ class HelloworldStream : public MockAsyncStreamCallbacks // Verify that the number of received byte that is tracked in the stream info equals to // the length of reply response buffer. auto upstream_meter = this->grpc_stream_->streamInfo().getUpstreamBytesMeter(); - uint64_t total_bytes_rev = upstream_meter->wireBytesReceived(); - uint64_t header_bytes_rev = upstream_meter->headerBytesReceived(); + uint64_t total_bytes_recv = upstream_meter->wireBytesReceived(); + uint64_t header_bytes_recv = upstream_meter->headerBytesReceived(); + uint64_t decompressed_header_bytes_recv = + upstream_meter->decompressedHeaderBytesReceived(); // In HTTP2 codec, H2_FRAME_HEADER_SIZE is always included in bytes meter so we need to // account for it in the check here as well. - EXPECT_EQ(total_bytes_rev - header_bytes_rev, + EXPECT_EQ(total_bytes_recv - header_bytes_recv, recv_buf->length() + Http::Http2::H2_FRAME_HEADER_SIZE); + EXPECT_GE(decompressed_header_bytes_recv, header_bytes_recv); } response_received_ = true; dispatcher_helper_.exitDispatcherIfNeeded(); diff --git a/test/common/http/http1/codec_impl_test.cc b/test/common/http/http1/codec_impl_test.cc index 556574323f0df..01cbae00e8921 100644 --- a/test/common/http/http1/codec_impl_test.cc +++ b/test/common/http/http1/codec_impl_test.cc @@ -218,7 +218,15 @@ class Http1ServerConnectionImplTest : public Http1CodecTestBase { auto status = codec_->dispatch(buffer); EXPECT_TRUE(status.ok()); EXPECT_EQ(0U, buffer.length()); + const StreamInfo::BytesMeterSharedPtr meter = response_encoder->getStream().bytesMeter(); + // Verifies BytesMeter accounting for header bytes received. + EXPECT_GT(meter->headerBytesReceived(), 0); + EXPECT_GE(meter->decompressedHeaderBytesReceived(), meter->headerBytesReceived()); + response_encoder->encodeHeaders(TestResponseHeaderMapImpl{{":status", "200"}}, true); + // Verifies BytesMeter accounting for header bytes sent. + EXPECT_GT(meter->headerBytesSent(), 0); + EXPECT_GE(meter->decompressedHeaderBytesSent(), meter->headerBytesSent()); } void createHeaderValidator() { @@ -2612,6 +2620,10 @@ TEST_F(Http1ClientConnectionImplTest, SimpleGetWithHeaderCasing) { TestRequestHeaderMapImpl headers{{":method", "GET"}, {":path", "/"}, {"my-custom-header", "hey"}}; EXPECT_TRUE(request_encoder.encodeHeaders(headers, true).ok()); EXPECT_EQ("GET / HTTP/1.1\r\nMy-Custom-Header: hey\r\n\r\n", output); + + EXPECT_GT(request_encoder.getStream().bytesMeter()->headerBytesSent(), 0); + EXPECT_GE(request_encoder.getStream().bytesMeter()->decompressedHeaderBytesSent(), + request_encoder.getStream().bytesMeter()->headerBytesSent()); } TEST_F(Http1ClientConnectionImplTest, FullyQualifiedGet) { diff --git a/test/common/http/http2/codec_impl_test.cc b/test/common/http/http2/codec_impl_test.cc index 1a824d7cab318..b69fefe83c31f 100644 --- a/test/common/http/http2/codec_impl_test.cc +++ b/test/common/http/http2/codec_impl_test.cc @@ -569,6 +569,12 @@ class Http2CodecImplTest : public ::testing::TestWithParamgetStream().bytesMeter(); + EXPECT_EQ(send_meter->headerBytesSent(), 0); + EXPECT_EQ(send_meter->decompressedHeaderBytesSent(), 0); + EXPECT_EQ(send_meter->headerBytesReceived(), 0); + EXPECT_EQ(send_meter->decompressedHeaderBytesReceived(), 0); + InSequence s; TestRequestHeaderMapImpl request_headers; HttpTestUtility::addDefaultHeaders(request_headers); @@ -578,6 +584,10 @@ TEST_P(Http2CodecImplTest, SimpleRequestResponse) { EXPECT_CALL(request_decoder_, decodeHeaders_(_, false)); EXPECT_TRUE(request_encoder_->encodeHeaders(request_headers, false).ok()); + // Verify BytesMeter send-side metrics. + EXPECT_GT(send_meter->headerBytesSent(), 0); + EXPECT_GE(send_meter->decompressedHeaderBytesSent(), send_meter->headerBytesSent()); + // Queue request body. Buffer::OwnedImpl request_body(std::string(1024, 'a')); request_encoder_->encodeData(request_body, true); @@ -586,6 +596,11 @@ TEST_P(Http2CodecImplTest, SimpleRequestResponse) { EXPECT_CALL(request_decoder_, decodeData(_, true)).Times(AtLeast(1)); driveToCompletion(); + // Verify BytesMeter receive-side metrics. + EXPECT_GT(response_encoder_->getStream().bytesMeter()->headerBytesReceived(), 0); + EXPECT_GE(response_encoder_->getStream().bytesMeter()->decompressedHeaderBytesReceived(), + response_encoder_->getStream().bytesMeter()->headerBytesReceived()); + TestResponseHeaderMapImpl response_headers{{":status", "200"}}; // Encode response headers. diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index b77bd9529180d..e36e0161d0e27 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc @@ -280,17 +280,22 @@ TEST_F(EnvoyQuicClientStreamTest, PostRequestAndResponseWithAccounting) { EXPECT_EQ(absl::nullopt, quic_stream_->http1StreamEncoderOptions()); EXPECT_EQ(0, quic_stream_->bytesMeter()->wireBytesSent()); EXPECT_EQ(0, quic_stream_->bytesMeter()->headerBytesSent()); + EXPECT_EQ(0, quic_stream_->bytesMeter()->decompressedHeaderBytesSent()); const auto result = quic_stream_->encodeHeaders(request_headers_, false); EXPECT_TRUE(result.ok()); EXPECT_EQ(quic_stream_->stream_bytes_written(), quic_stream_->bytesMeter()->wireBytesSent()); EXPECT_EQ(quic_stream_->stream_bytes_written(), quic_stream_->bytesMeter()->headerBytesSent()); + EXPECT_LE(quic_stream_->stream_bytes_written(), + quic_stream_->bytesMeter()->decompressedHeaderBytesSent()); - uint64_t body_bytes = quic_stream_->stream_bytes_written(); + uint64_t header_bytes = quic_stream_->stream_bytes_written(); quic_stream_->encodeData(request_body_, false); - body_bytes = quic_stream_->stream_bytes_written() - body_bytes; + uint64_t body_bytes = quic_stream_->stream_bytes_written() - header_bytes; EXPECT_EQ(quic_stream_->stream_bytes_written(), quic_stream_->bytesMeter()->wireBytesSent()); EXPECT_EQ(quic_stream_->stream_bytes_written() - body_bytes, quic_stream_->bytesMeter()->headerBytesSent()); + EXPECT_LE(quic_stream_->stream_bytes_written() - body_bytes, + quic_stream_->bytesMeter()->decompressedHeaderBytesSent()); quic_stream_->encodeTrailers(request_trailers_); EXPECT_EQ(quic_stream_->stream_bytes_written(), quic_stream_->bytesMeter()->wireBytesSent()); EXPECT_EQ(quic_stream_->stream_bytes_written() - body_bytes, @@ -298,11 +303,14 @@ TEST_F(EnvoyQuicClientStreamTest, PostRequestAndResponseWithAccounting) { EXPECT_EQ(0, quic_stream_->bytesMeter()->wireBytesReceived()); EXPECT_EQ(0, quic_stream_->bytesMeter()->headerBytesReceived()); + EXPECT_EQ(0, quic_stream_->bytesMeter()->decompressedHeaderBytesReceived()); size_t offset = receiveResponseHeaders(false); // Received header bytes do not include the HTTP/3 frame overhead. EXPECT_EQ(quic_stream_->stream_bytes_read() - 2, quic_stream_->bytesMeter()->headerBytesReceived()); + EXPECT_LE(quic_stream_->stream_bytes_read() - 2, + quic_stream_->bytesMeter()->decompressedHeaderBytesReceived()); EXPECT_EQ(quic_stream_->stream_bytes_read(), quic_stream_->bytesMeter()->wireBytesReceived()); EXPECT_CALL(stream_decoder_, decodeTrailers_(_)) .WillOnce(Invoke([](const Http::ResponseTrailerMapPtr& headers) { diff --git a/test/common/quic/envoy_quic_server_stream_test.cc b/test/common/quic/envoy_quic_server_stream_test.cc index d798aeb92f251..197ccc5d27d1e 100644 --- a/test/common/quic/envoy_quic_server_stream_test.cc +++ b/test/common/quic/envoy_quic_server_stream_test.cc @@ -375,10 +375,13 @@ TEST_F(EnvoyQuicServerStreamTest, PostRequestAndResponseWithAccounting) { EXPECT_EQ(absl::nullopt, quic_stream_->http1StreamEncoderOptions()); EXPECT_EQ(0, quic_stream_->bytesMeter()->wireBytesReceived()); EXPECT_EQ(0, quic_stream_->bytesMeter()->headerBytesReceived()); + EXPECT_EQ(0, quic_stream_->bytesMeter()->decompressedHeaderBytesReceived()); size_t offset = receiveRequestHeaders(false); // Received header bytes do not include the HTTP/3 frame overhead. EXPECT_EQ(quic_stream_->stream_bytes_read() - 2, quic_stream_->bytesMeter()->headerBytesReceived()); + EXPECT_LE(quic_stream_->stream_bytes_read() - 2, + quic_stream_->bytesMeter()->decompressedHeaderBytesReceived()); EXPECT_EQ(quic_stream_->stream_bytes_read(), quic_stream_->bytesMeter()->wireBytesReceived()); size_t body_size = receiveRequestBody(offset, request_body_, true, request_body_.size() * 2); EXPECT_EQ(quic_stream_->stream_bytes_read(), quic_stream_->bytesMeter()->wireBytesReceived()); @@ -389,13 +392,18 @@ TEST_F(EnvoyQuicServerStreamTest, PostRequestAndResponseWithAccounting) { quic_stream_->bytesMeter()->wireBytesReceived()); EXPECT_EQ(0, quic_stream_->bytesMeter()->wireBytesSent()); EXPECT_EQ(0, quic_stream_->bytesMeter()->headerBytesSent()); + EXPECT_EQ(0, quic_stream_->bytesMeter()->decompressedHeaderBytesSent()); quic_stream_->encodeHeaders(response_headers_, /*end_stream=*/false); EXPECT_GE(27, quic_stream_->bytesMeter()->headerBytesSent()); EXPECT_GE(27, quic_stream_->bytesMeter()->wireBytesSent()); + EXPECT_GE(quic_stream_->bytesMeter()->decompressedHeaderBytesSent(), + quic_stream_->bytesMeter()->headerBytesSent()); quic_stream_->encodeTrailers(response_trailers_); EXPECT_GE(52, quic_stream_->bytesMeter()->headerBytesSent()); EXPECT_GE(52, quic_stream_->bytesMeter()->wireBytesSent()); + EXPECT_GE(quic_stream_->bytesMeter()->decompressedHeaderBytesSent(), + quic_stream_->bytesMeter()->headerBytesSent()); } TEST_F(EnvoyQuicServerStreamTest, DecodeHeadersBodyAndTrailers) { From c0a39b8320302f5a99dde8040f86b15e10cfa25f Mon Sep 17 00:00:00 2001 From: Ali Beyad Date: Wed, 20 Aug 2025 12:07:23 -0400 Subject: [PATCH 260/505] mobile: flag guard the IP-reserved range filtering in the IPv6 check (#40802) Adds two runtime guards to experiment with filtering reserved IP ranges in the IPv6 probing check that were introduced in https://github.com/envoyproxy/envoy/pull/40345: 1. `envoy_reloadable_features_mobile_ipv6_probe_simple_filtering` 2. `envoy_reloadable_features_mobile_ipv6_probe_advanced_filtering` Signed-off-by: Ali Beyad --- mobile/library/common/internal_engine.cc | 44 +++++++++++++---------- source/common/runtime/runtime_features.cc | 6 ++++ 2 files changed, 31 insertions(+), 19 deletions(-) diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index aac77e59e2719..c4da556ff596a 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -594,25 +594,31 @@ Network::Address::InstanceConstSharedPtr InternalEngine::probeAndGetLocalAddr(in return nullptr; } - if ((*address)->ip() == nullptr) { - ENVOY_LOG(trace, "Local address is not an IP address: {}.", (*address)->asString()); - return nullptr; - } - if ((*address)->ip()->isLinkLocalAddress()) { - ENVOY_LOG(trace, "Ignoring link-local address: {}.", (*address)->asString()); - return nullptr; - } - if ((*address)->ip()->isUniqueLocalAddress()) { - ENVOY_LOG(trace, "Ignoring unique-local address: {}.", (*address)->asString()); - return nullptr; - } - if ((*address)->ip()->isSiteLocalAddress()) { - ENVOY_LOG(trace, "Ignoring site-local address: {}.", (*address)->asString()); - return nullptr; - } - if ((*address)->ip()->isTeredoAddress()) { - ENVOY_LOG(trace, "Ignoring teredo address: {}.", (*address)->asString()); - return nullptr; + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.mobile_ipv6_probe_simple_filtering")) { + if ((*address)->ip() == nullptr) { + ENVOY_LOG(trace, "Local address is not an IP address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isLinkLocalAddress()) { + ENVOY_LOG(trace, "Ignoring link-local address: {}.", (*address)->asString()); + return nullptr; + } + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.mobile_ipv6_probe_advanced_filtering")) { + if ((*address)->ip()->isUniqueLocalAddress()) { + ENVOY_LOG(trace, "Ignoring unique-local address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isSiteLocalAddress()) { + ENVOY_LOG(trace, "Ignoring site-local address: {}.", (*address)->asString()); + return nullptr; + } + if ((*address)->ip()->isTeredoAddress()) { + ENVOY_LOG(trace, "Ignoring teredo address: {}.", (*address)->asString()); + return nullptr; + } + } } ENVOY_LOG(trace, "Found {} connectivity.", domain == AF_INET6 ? "IPv6" : "IPv4"); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 01eb4ccf1a8ea..9f594e0cc89da 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -136,6 +136,12 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_canonical_suffix_for_quic_brok FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_canonical_suffix_for_srtt); // TODO(fredyw): Remove after done with debugging. FALSE_RUNTIME_GUARD(envoy_reloadable_features_log_ip_families_on_network_error); +// TODO(abeyad): Flip to true after prod testing. Simple filtering applies to link-local addresses +// only. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_mobile_ipv6_probe_simple_filtering); +// TODO(abeyad): Flip to true after prod testing. Advanced filtering applies to all IP reserved +// range addresses. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_mobile_ipv6_probe_advanced_filtering); // TODO(botengyao): flip to true after canarying the feature internally without problems. FALSE_RUNTIME_GUARD(envoy_reloadable_features_connection_close_through_filter_manager); // TODO(adisuissa): flip to true after all xDS types use the new subscription From bf2c671933942ba04ba41f6b761644421207dbc2 Mon Sep 17 00:00:00 2001 From: Matthew Leone Date: Wed, 20 Aug 2025 09:46:32 -0700 Subject: [PATCH 261/505] ci: support variable number of CPUs for building (#39701) This pr updates the documentation to inform new developers how to troubleshoot crashes when building Signed-off-by: Matthew Leon --- ci/README.md | 10 ++++++++++ ci/do_ci.sh | 1 - 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ci/README.md b/ci/README.md index 598cffbaf5fe4..b50fe1f7ebf61 100644 --- a/ci/README.md +++ b/ci/README.md @@ -90,6 +90,16 @@ To force the Envoy build image to be refreshed by Docker you can set `ENVOY_DOCK ENVOY_DOCKER_PULL=true ./ci/run_envoy_docker.sh ``` +## Resource Requirements and Troubleshooting + +Envoy requires a lot of resources (disk/memory/cpu) to build, especially the first time its built, as bazel does not yet have anything cached. + +**Memory Requirements:** +- Envoy builds can be memory-intensive and require substantial RAM +- If you have less than 2GB of RAM per CPU core, you may want to limit the number of parallel build jobs +- To limit build parallelism, add or modify the jobs setting in your `user.bazelrc` file with a line that follows the format "build --jobs=X/2" where X is the number of GB of RAM that your system has e.g.: `"build --jobs=4"` for a system with 8GB of memory in the `user.bazlerc` file that you created + +This configuration helps prevent out-of-memory errors that can cause builds to crash. # Generating compile commands diff --git a/ci/do_ci.sh b/ci/do_ci.sh index 68223a6a664b8..4502baeaf6052 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -13,7 +13,6 @@ CURRENT_SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")" # shellcheck source=ci/build_setup.sh . "${CURRENT_SCRIPT_DIR}"/build_setup.sh -echo "building using ${NUM_CPUS} CPUs" echo "building for ${ENVOY_BUILD_ARCH}" cd "${SRCDIR}" From f5446155d7e069e2775a55ca557103500ed34bca Mon Sep 17 00:00:00 2001 From: Issa Abu Kalbein <86603440+IssaAbuKalbein@users.noreply.github.com> Date: Wed, 20 Aug 2025 21:25:54 +0300 Subject: [PATCH 262/505] udp_proxy: Fix crash during ENVOY_SIGTERM (#40677) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit Message: Fix crash in UDP proxy during ENVOY_SIGTERM with active tunneling sessions Additional Description: The UDP proxy crashes during ENVOY_SIGTERM if there are active tunneling sessions. This issue arises during the destruction of `UdpProxyFilter`, which attempts to clean up all active sessions. When a `TunnelingActionSession` is removed, it triggers `resetEncoder` in the `HttpUpstreamImpl` destructor. This, in turn, calls `upstream_callbacks_.onUpstreamEvent(event);`, which tries to remove the session again—leading to a double removal and ultimately a crash. image Risk Level: low Testing: integration test Docs Changes: N/A Release Notes: Platform Specific Features: N/A --------- Signed-off-by: Issa Abu Kalbein Co-authored-by: Issa Abu Kalbein --- changelogs/current.yaml | 3 +++ .../filters/udp/udp_proxy/udp_proxy_filter.cc | 11 +++++---- .../filters/udp/udp_proxy/udp_proxy_filter.h | 11 +++++++-- .../udp/udp_proxy/udp_proxy_filter_test.cc | 2 +- .../udp_tunneling_integration_test.cc | 24 +++++++++++++++++++ 5 files changed, 44 insertions(+), 7 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 21de35dc6af0b..f99f54ac5f76c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -44,6 +44,9 @@ minor_behavior_changes: bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* +- area: udp_proxy + change: | + Fixed a crash in the UDP proxy that occurred during ENVOY_SIGTERM when active tunneling sessions were present. - area: geoip change: | Fixed a bug in the maxmind provider where the found_entry field in the lookup result was not checked before trying to populate diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc index 859e4fd5acd76..0d2899dc53385 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc @@ -343,6 +343,7 @@ UdpProxyFilter::ActiveSession::~ActiveSession() { } void UdpProxyFilter::ActiveSession::onSessionComplete() { + ENVOY_BUG(!on_session_complete_called_, "onSessionComplete() called twice"); ENVOY_LOG(debug, "deleting the session: downstream={} local={} upstream={}", addresses_.peer_->asStringView(), addresses_.local_->asStringView(), host_ != nullptr ? host_->address()->asStringView() : "unknown"); @@ -892,21 +893,23 @@ const std::string HttpUpstreamImpl::resolveTargetTunnelPath() { return absl::StrCat("/.well-known/masque/udp/", target_host, "/", target_port, "/"); } -HttpUpstreamImpl::~HttpUpstreamImpl() { resetEncoder(Network::ConnectionEvent::LocalClose); } +HttpUpstreamImpl::~HttpUpstreamImpl() { + resetEncoder(Network::ConnectionEvent::LocalClose, /*by_local_close=*/true); +} -void HttpUpstreamImpl::resetEncoder(Network::ConnectionEvent event, bool by_downstream) { +void HttpUpstreamImpl::resetEncoder(Network::ConnectionEvent event, bool by_local_close) { if (!request_encoder_) { return; } request_encoder_->getStream().removeCallbacks(*this); - if (by_downstream) { + if (by_local_close) { request_encoder_->getStream().resetStream(Http::StreamResetReason::LocalReset); } request_encoder_ = nullptr; - if (!by_downstream) { + if (!by_local_close) { // If we did not receive a valid CONNECT response yet we treat this as a pool // failure, otherwise we forward the event downstream. if (tunnel_creation_callbacks_.has_value()) { diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h index 850d6832b5be7..f2b6f64606fa9 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h @@ -293,7 +293,7 @@ class HttpUpstreamImpl : public HttpUpstream, protected Http::StreamCallbacks { void onDownstreamEvent(Network::ConnectionEvent event) override { if (event == Network::ConnectionEvent::LocalClose || event == Network::ConnectionEvent::RemoteClose) { - resetEncoder(event, /*by_downstream=*/true); + resetEncoder(event, /*by_local_close=*/true); } }; @@ -360,7 +360,14 @@ class HttpUpstreamImpl : public HttpUpstream, protected Http::StreamCallbacks { }; const std::string resolveTargetTunnelPath(); - void resetEncoder(Network::ConnectionEvent event, bool by_downstream = false); + + /** + * Resets the encoder for the upstream connection. + * @param event the event that caused the reset. + * @param by_local_close whether the reset was initiated by a local close (e.g. session idle + * timeout, envoy termination, etc.) or by upstream close. + */ + void resetEncoder(Network::ConnectionEvent event, bool by_local_close = false); ResponseDecoder response_decoder_; Http::RequestEncoder* request_encoder_{}; diff --git a/test/extensions/filters/udp/udp_proxy/udp_proxy_filter_test.cc b/test/extensions/filters/udp/udp_proxy/udp_proxy_filter_test.cc index a951ef0b97636..3bb1a51c3e25f 100644 --- a/test/extensions/filters/udp/udp_proxy/udp_proxy_filter_test.cc +++ b/test/extensions/filters/udp/udp_proxy/udp_proxy_filter_test.cc @@ -1851,7 +1851,7 @@ stat_prefix: foo auto session = filter_->createTunnelingSession(); EXPECT_NO_THROW(session->onAboveWriteBufferHighWatermark()); - session->onSessionComplete(); + filter_.reset(); } TEST_F(UdpProxyFilterTest, TunnelingSessionUpstreamClosedDuringFlush) { diff --git a/test/integration/udp_tunneling_integration_test.cc b/test/integration/udp_tunneling_integration_test.cc index fa49b4863ef40..635c84c91a5f7 100644 --- a/test/integration/udp_tunneling_integration_test.cc +++ b/test/integration/udp_tunneling_integration_test.cc @@ -538,6 +538,11 @@ name: udp_proxy return deflated_size; } + void drainListeners() { + test_server_->server().dispatcher().post([this]() { test_server_->server().drainListeners(); }); + test_server_->waitForCounterEq("listener_manager.listener_stopped", 1); + } + TestConfig config_; Http::TestResponseHeaderMapImpl response_headers_{{":status", "200"}, {"capsule-protocol", "?1"}}; Network::Address::InstanceConstSharedPtr listener_address_; @@ -1553,6 +1558,25 @@ TEST_P(UdpTunnelingIntegrationTest, BytesMeterAccessLog) { test_server_->waitForGaugeEq("udp.foo.downstream_sess_active", 0); } +TEST_P(UdpTunnelingIntegrationTest, DrainListenersWhileTunnelingActiveSessionIsStillActive) { + TestConfig config{"host.com", "target.com", 1, 30, false, "", + BufferOptions{1, 30}, absl::nullopt}; + setup(config); + + const std::string datagram = "hello"; + establishConnection(datagram); + // Wait for buffered datagram. + ASSERT_TRUE(upstream_request_->waitForData(*dispatcher_, expectedCapsules({datagram}))); + + // Send a response and keep the session alive. + sendCapsuleDownstream("response", false); + test_server_->waitForGaugeEq("udp.foo.downstream_sess_active", 1); + + // Drain listeners while udp session is still active. + drainListeners(); + test_server_->waitForGaugeEq("udp.foo.downstream_sess_active", 0); +} + INSTANTIATE_TEST_SUITE_P(IpAndHttpVersions, UdpTunnelingIntegrationTest, testing::ValuesIn(HttpProtocolIntegrationTest::getProtocolTestParams( {Http::CodecType::HTTP2}, {Http::CodecType::HTTP2})), From f411d0ff4e4632be7d8f4f78b3a0ce5631d9fd9a Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 20 Aug 2025 20:27:20 +0000 Subject: [PATCH 263/505] get local branch up to date with downstream int changes Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection_handshake/v3/BUILD | 6 +- .../v3/reverse_connection_handshake.proto | 17 +- .../reverse_connection_socket_interface.proto | 19 +- .../extensions/bootstrap/reverse_tunnel/BUILD | 3 +- .../reverse_connection_address.cc | 6 +- .../reverse_connection_address.h | 8 +- .../reverse_connection_resolver.cc | 2 +- .../reverse_tunnel_initiator.cc | 1225 +++--- .../reverse_tunnel/reverse_tunnel_initiator.h | 196 +- .../extensions/bootstrap/reverse_tunnel/BUILD | 5 + .../reverse_connection_address_test.cc | 158 +- .../reverse_connection_resolver_test.cc | 75 +- .../reverse_tunnel_initiator_test.cc | 3477 +++++++++++------ 13 files changed, 3185 insertions(+), 2012 deletions(-) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD index 932a885a352bc..29ebf0741406e 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD +++ b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD @@ -5,7 +5,5 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = [ - "@com_github_cncf_xds//udpa/annotations:pkg", - ], -) \ No newline at end of file + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], +) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto index f914680ea12b7..ac5b20d4a9130 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto +++ b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto @@ -10,12 +10,21 @@ option java_outer_classname = "ReverseConnectionHandshakeProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_handshake/v3;reverse_connection_handshakev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (udpa.annotations.file_status).work_in_progress = true; // [#protodoc-title: Reverse Connection Handshake] -// Reverse Connection Handshake :ref:`configuration overview `. +// Reverse Connection Handshake protocol for establishing reverse connections between Envoy instances. // [#extension: envoy.bootstrap.reverse_connection_handshake] +// Configuration for the reverse connection handshake extension. +// This extension provides message definitions for establishing reverse connections +// between Envoy instances. +message ReverseConnectionHandshakeConfig { + // This is a placeholder config message for the reverse connection handshake extension. + // The extension primarily provides message definitions for the handshake protocol + // rather than configuration. + bool enabled = 1; +} + // Config sent by the local cluster as part of the Initiation workflow. // This message combined with message 'ReverseConnHandshakeRet' which is // sent as a response can be used to transfer/negotiate parameter between the @@ -34,7 +43,7 @@ message ReverseConnHandshakeArg { string node_uuid = 3; } -// Config used by the remote cluser in response to the above 'ReverseConnHandshakeArg'. +// Config used by the remote cluster in response to the above 'ReverseConnHandshakeArg'. message ReverseConnHandshakeRet { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.filters.http.reverse_conn.v3.ReverseConnHandshakeRet"; @@ -50,4 +59,4 @@ message ReverseConnHandshakeRet { // This field can be used to transmit success/warning/error messages // describing the status of the reverse connection, if needed. string status_message = 2; -} \ No newline at end of file +} diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto index 5d1cde3cbac38..6fb9b6553f9f8 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto @@ -3,14 +3,12 @@ syntax = "proto3"; package envoy.extensions.bootstrap.reverse_connection_socket_interface.v3; import "udpa/annotations/status.proto"; -import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_connection_socket_interface.v3"; -option java_outer_classname = "DownstreamReverseConnectionSocketInterfaceProto"; +option java_outer_classname = "ReverseConnectionSocketInterfaceProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3;reverse_connection_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (udpa.annotations.file_status).work_in_progress = true; // [#protodoc-title: Bootstrap settings for Downstream Reverse Connection Socket Interface] // [#extension: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface] @@ -18,19 +16,20 @@ option (udpa.annotations.file_status).work_in_progress = true; // Configuration for the downstream reverse connection socket interface. // This interface initiates reverse connections to upstream Envoys and provides // them as socket connections for downstream requests. +// [#next-free-field: 6] message DownstreamReverseConnectionSocketInterface { // Stat prefix to be used for downstream reverse connection socket interface stats. string stat_prefix = 1; - + // Source cluster ID for this reverse connection initiator string src_cluster_id = 2; - - // Source node ID for this reverse connection initiator + + // Source node ID for this reverse connection initiator string src_node_id = 3; - + // Source tenant ID for this reverse connection initiator string src_tenant_id = 4; - + // Map of remote clusters to connection counts repeated RemoteClusterConnectionCount remote_cluster_to_conn_count = 5; } @@ -39,7 +38,7 @@ message DownstreamReverseConnectionSocketInterface { message RemoteClusterConnectionCount { // Name of the remote cluster string cluster_name = 1; - + // Number of reverse connections to establish to this cluster uint32 reverse_connection_count = 2; -} \ No newline at end of file +} diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index e86945536ca90..0918800e50091 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -78,9 +78,8 @@ envoy_cc_extension( "//source/common/network:filter_lib", "//source/common/protobuf", "//source/common/upstream:load_balancer_context_base_lib", - "@envoy_api//envoy/config/core/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], alwayslink = 1, ) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc index 02b40eb549f57..359d04dd47dc8 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc @@ -17,12 +17,12 @@ namespace ReverseConnection { ReverseConnectionAddress::ReverseConnectionAddress(const ReverseConnectionConfig& config) : config_(config) { - // Create the logical name (rc:// address) for identification + // Create the logical name (rc:// address) for identification. logical_name_ = fmt::format("rc://{}:{}:{}@{}:{}", config.src_node_id, config.src_cluster_id, config.src_tenant_id, config.remote_cluster, config.connection_count); // Use localhost with a random port for the actual address string to pass IP validation - // This will be used by the filter chain manager for matching + // This will be used by the filter chain manager for matching. address_string_ = "127.0.0.1:0"; ENVOY_LOG_MISC(info, "Reverse connection address: logical_name={}, address_string={}", @@ -48,7 +48,7 @@ absl::string_view ReverseConnectionAddress::asStringView() const { return addres const std::string& ReverseConnectionAddress::logicalName() const { return logical_name_; } const sockaddr* ReverseConnectionAddress::sockAddr() const { - // Return a valid localhost sockaddr structure for IP validation + // Return a valid localhost sockaddr structure for IP validation. static struct sockaddr_in addr; addr.sin_family = AF_INET; addr.sin_port = htons(0); // Port 0 diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h index bd737a17086d8..79cf2b0009ea9 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h @@ -22,10 +22,15 @@ class ReverseConnectionAddress : public Network::Address::Instance { public: // Struct to hold reverse connection configuration struct ReverseConnectionConfig { + // Source node id of initiator envoy std::string src_node_id; + // Source cluster id of initiator envoy std::string src_cluster_id; + // Source tenant id of initiator envoy std::string src_tenant_id; + // Remote cluster name of the reverse connection std::string remote_cluster; + // Connection count of the reverse connection uint32_t connection_count; }; @@ -53,9 +58,10 @@ class ReverseConnectionAddress : public Network::Address::Instance { auto* reverse_socket_interface = Network::socketInterface( "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); if (reverse_socket_interface) { + ENVOY_LOG_MISC(debug, "Reverse connection address: using reverse socket interface"); return *reverse_socket_interface; } - // Fallback to default socket interface if reverse connection interface is not available + // Fallback to default socket interface if reverse connection interface is not available. return Network::SocketInterfaceSingleton::get(); } diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc index 80b15325474a1..3cbb3f66ca049 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc @@ -17,7 +17,7 @@ ReverseConnectionResolver::resolve(const envoy::config::core::v3::SocketAddress& "Expected format: rc://src_node_id:src_cluster_id:src_tenant_id@cluster_name:count")); } - // For reverse connections, only port 0 is supported + // For reverse connections, only port 0 is supported. if (socket_address.port_value() != 0) { return absl::InvalidArgumentError( fmt::format("Only port 0 is supported for reverse connections. Got port: {}", diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index fdddf802dc141..3058af32e6fb7 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -9,11 +9,11 @@ #include "envoy/network/address.h" #include "envoy/network/connection.h" #include "envoy/registry/registry.h" -#include "envoy/upstream/cluster_manager.h" -#include "envoy/http/async_client.h" #include "envoy/tracing/tracer.h" +#include "envoy/upstream/cluster_manager.h" #include "source/common/buffer/buffer_impl.h" +#include "source/common/common/assert.h" #include "source/common/common/logger.h" #include "source/common/http/headers.h" #include "source/common/network/address_impl.h" @@ -24,87 +24,72 @@ #include "source/common/protobuf/utility.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" -#include "google/protobuf/empty.pb.h" - namespace Envoy { namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -/** - * Custom IoHandle for downstream reverse connections that owns a ConnectionSocket. - */ -class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { -public: - /** - * Constructor that takes ownership of the socket and stores parent pointer and connection key. - */ - DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, - ReverseConnectionIOHandle* parent, - const std::string& connection_key) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), - owned_socket_(std::move(socket)), - parent_(parent), - connection_key_(connection_key) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {} for connection key: {}", - fd_, connection_key_); - } - - ~DownstreamReverseConnectionIOHandle() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: destroying handle for FD: {} with connection key: {}", - fd_, connection_key_); - } - - // Network::IoHandle overrides. - Api::IoCallUint64Result close() override { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", - fd_, connection_key_); - - // Prevent double-closing by checking if already closed - if (fd_ < 0) { - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: handle already closed for connection key: {}", - connection_key_); - return Api::ioCallUint64ResultNoError(); - } - - // Notify parent that this downstream connection has been closed - // This will trigger re-initiation of the reverse connection if needed - if (parent_) { - parent_->onDownstreamConnectionClosed(connection_key_); - ENVOY_LOG(debug, "DownstreamReverseConnectionIOHandle: notified parent of connection closure for key: {}", - connection_key_); - } +// DownstreamReverseConnectionIOHandle constructor implementation +DownstreamReverseConnectionIOHandle::DownstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, ReverseConnectionIOHandle* parent, + const std::string& connection_key) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)), + parent_(parent), connection_key_(connection_key) { + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {} for " + "connection key: {}", + fd_, connection_key_); +} - // Reset the owned socket to properly close the connection. - if (owned_socket_) { - owned_socket_.reset(); - } - return IoSocketHandleImpl::close(); +// DownstreamReverseConnectionIOHandle destructor implementation +DownstreamReverseConnectionIOHandle::~DownstreamReverseConnectionIOHandle() { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: destroying handle for FD: {} with connection key: {}", + fd_, connection_key_); +} + +// DownstreamReverseConnectionIOHandle close() implementation +Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", fd_, + connection_key_); + + // Prevent double-closing by checking if already closed + if (fd_ < 0) { + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: handle already closed for connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); } - /** - * Get the owned socket for read-only access. - */ - const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + // Notify parent that this downstream connection has been closed + // This will trigger re-initiation of the reverse connection if needed. + if (parent_) { + parent_->onDownstreamConnectionClosed(connection_key_); + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: notified parent of connection closure for key: {}", + connection_key_); + } -private: - // The socket that this IOHandle owns and manages lifetime for. - Network::ConnectionSocketPtr owned_socket_; - // Pointer to parent ReverseConnectionIOHandle for connection lifecycle management - ReverseConnectionIOHandle* parent_; - // Connection key for tracking this specific connection - std::string connection_key_; -}; + // Reset the owned socket to properly close the connection. + if (owned_socket_) { + owned_socket_.reset(); + } + return IoSocketHandleImpl::close(); +} // Forward declaration. class ReverseConnectionIOHandle; class ReverseTunnelInitiator; - // RCConnectionWrapper constructor implementation -RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, - Upstream::HostDescriptionConstSharedPtr host, - const std::string& cluster_name) +RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, + Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name) : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), cluster_name_(cluster_name) { ENVOY_LOG(debug, "RCConnectionWrapper: Using HTTP handshake for reverse connections"); @@ -116,7 +101,6 @@ RCConnectionWrapper::~RCConnectionWrapper() { shutdown(); } -// RCConnectionWrapper method implementations void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { if (event == Network::ConnectionEvent::RemoteClose) { if (!connection_) { @@ -124,7 +108,7 @@ void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { return; } - // Store connection info before it gets invalidated + // Store connection info before it gets invalidated. const std::string connectionKey = connection_->connectionInfoProvider().localAddress()->asString(); const uint64_t connectionId = connection_->id(); @@ -133,15 +117,16 @@ void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { connectionId, connectionKey); // Don't call shutdown() here as it may cause cleanup during event processing - // Instead, just notify parent of closure + // Instead, just notify parent of closure. parent_.onConnectionDone("Connection closed", this, true); } } // SimpleConnReadFilter::onData implementation -Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer::Instance& buffer, bool) { +Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer::Instance& buffer, + bool) { if (parent_ == nullptr) { - ENVOY_LOG(error, "RC Connection Manager is null. Aborting read."); + ENVOY_LOG(error, "SimpleConnReadFilter: RCConnectionWrapper is null. Aborting read."); return Network::FilterStatus::StopIteration; } @@ -149,35 +134,38 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: ENVOY_LOG(debug, "SimpleConnReadFilter: Received data: {}", data); // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) - if (data.find("HTTP/1.1 200 OK") != std::string::npos || + if (data.find("HTTP/1.1 200 OK") != std::string::npos || data.find("HTTP/2 200") != std::string::npos) { ENVOY_LOG(debug, "Received HTTP 200 OK response"); - + // Find the end of headers (double CRLF) size_t headers_end = data.find("\r\n\r\n"); if (headers_end != std::string::npos) { // Extract the response body (after headers) std::string response_body = data.substr(headers_end + 4); - + if (!response_body.empty()) { // Try to parse the protobuf response envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; if (ret.ParseFromString(response_body)) { ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); - + // Check if the status is ACCEPTED - if (ret.status() == envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::ACCEPTED) { - ENVOY_LOG(debug, "Reverse connection accepted by cloud side"); + if (ret.status() == envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::ACCEPTED) { + ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); parent_->onHandshakeSuccess(); return Network::FilterStatus::StopIteration; } else { - ENVOY_LOG(error, "Reverse connection rejected: {}", ret.status_message()); + ENVOY_LOG(error, "SimpleConnReadFilter: Reverse connection rejected: {}", + ret.status_message()); parent_->onHandshakeFailure(ret.status_message()); return Network::FilterStatus::StopIteration; } } else { ENVOY_LOG(error, "Could not parse protobuf response - invalid response format"); - parent_->onHandshakeFailure("Invalid response format - expected ReverseConnHandshakeRet protobuf"); + parent_->onHandshakeFailure( + "Invalid response format - expected ReverseConnHandshakeRet protobuf"); return Network::FilterStatus::StopIteration; } } else { @@ -188,7 +176,8 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); return Network::FilterStatus::Continue; } - } else if (data.find("HTTP/1.1 ") != std::string::npos || data.find("HTTP/2 ") != std::string::npos) { + } else if (data.find("HTTP/1.1 ") != std::string::npos || + data.find("HTTP/2 ") != std::string::npos) { // Found HTTP response but not 200 OK - this is an error ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); parent_->onHandshakeFailure("HTTP handshake failed with non-200 response"); @@ -218,18 +207,23 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); // Use HTTP handshake logic - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(src_tenant_id); arg.set_cluster_uuid(src_cluster_id); arg.set_node_uuid(src_node_id); ENVOY_LOG(debug, "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", src_tenant_id, src_cluster_id, src_node_id); - std::string body = arg.SerializeAsString(); + std::string body = arg.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", body.length(), arg.DebugString()); std::string host_value; const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); + // This is used when reverse connections need to be established through a HTTP proxy. + // The reverse connection listener connects to an internal cluster, to which an + // internal listener listens. This internal listener has tunneling configuration + // to tcp proxy the reverse connection requests over HTTP/1 CONNECT to the remote + // proxy. if (remote_address->type() == Network::Address::Type::EnvoyInternal) { const auto& internal_address = std::dynamic_pointer_cast(remote_address); @@ -268,7 +262,7 @@ void RCConnectionWrapper::onHandshakeSuccess() { } void RCConnectionWrapper::onHandshakeFailure(const std::string& message) { - ENVOY_LOG(error, "handshake failed: {}", message); + ENVOY_LOG(debug, "handshake failed: {}", message); parent_.onConnectionDone(message, this, false); } @@ -278,38 +272,30 @@ void RCConnectionWrapper::shutdown() { return; } - ENVOY_LOG(error, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", + ENVOY_LOG(debug, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", connection_->id(), static_cast(connection_->state())); - // Remove connection callbacks first to prevent recursive calls during shutdown - try { - auto state = connection_->state(); - if (state != Network::Connection::State::Closed) { - connection_->removeConnectionCallbacks(*this); - ENVOY_LOG(error, "Connection callbacks removed"); - } - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception removing connection callbacks: {}", e.what()); - } - - // Close the connection if it's still open - try { - auto state = connection_->state(); - if (state == Network::Connection::State::Open) { - ENVOY_LOG(error, "Closing open connection gracefully"); - connection_->close(Network::ConnectionCloseType::FlushWrite); - } else if (state == Network::Connection::State::Closing) { - ENVOY_LOG(error, "Connection already closing"); - } else { - ENVOY_LOG(error, "Connection already closed"); - } - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception closing connection: {}", e.what()); + // Remove connection callbacks first to prevent recursive calls during shutdown. + auto state = connection_->state(); + if (state != Network::Connection::State::Closed) { + connection_->removeConnectionCallbacks(*this); + ENVOY_LOG(debug, "Connection callbacks removed"); + } + + // Close the connection if it's still open. + state = connection_->state(); + if (state == Network::Connection::State::Open) { + ENVOY_LOG(debug, "Closing open connection gracefully"); + connection_->close(Network::ConnectionCloseType::FlushWrite); + } else if (state == Network::Connection::State::Closing) { + ENVOY_LOG(debug, "Connection already closing"); + } else { + ENVOY_LOG(debug, "Connection already closed"); } - // Clear the connection pointer to prevent further access + // Clear the connection pointer to prevent further access. connection_.reset(); - ENVOY_LOG(error, "RCConnectionWrapper: Shutdown completed"); + ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown completed"); } ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, @@ -320,15 +306,10 @@ ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, : IoSocketHandleImpl(fd), config_(config), cluster_manager_(cluster_manager), extension_(extension), original_socket_fd_(fd) { (void)scope; // Mark as unused - ENVOY_LOG(debug, "Created ReverseConnectionIOHandle: fd={}, src_node={}, num_clusters={}", fd_, - config_.src_node_id, config_.remote_clusters.size()); - ENVOY_LOG(debug, - "Creating ReverseConnectionIOHandle - src_cluster: {}, src_node: {}, " - "health_check_interval: {}ms, connection_timeout: {}ms", - config_.src_cluster_id, config_.src_node_id, config_.health_check_interval_ms, - config_.connection_timeout_ms); - // Defer trigger mechanism creation until listen() is called on a worker thread. - // This avoids accessing thread-local dispatcher during main thread initialization. + ENVOY_LOG( + debug, + "Created ReverseConnectionIOHandle: fd={}, src_node={}, src_cluster: {}, num_clusters={}", + fd_, config_.src_node_id, config_.src_cluster_id, config_.remote_clusters.size()); } ReverseConnectionIOHandle::~ReverseConnectionIOHandle() { @@ -339,9 +320,11 @@ ReverseConnectionIOHandle::~ReverseConnectionIOHandle() { void ReverseConnectionIOHandle::cleanup() { ENVOY_LOG(debug, "Starting cleanup of reverse connection resources."); - // CRITICAL: Clean up pipe trigger mechanism FIRST to prevent use-after-free - // Clean up trigger pipe - ENVOY_LOG(trace, "ReverseConnectionIOHandle::cleanup() - cleaning up trigger pipe; trigger_pipe_write_fd_={}, trigger_pipe_read_fd_={}", trigger_pipe_write_fd_, trigger_pipe_read_fd_); + // Clean up pipe trigger mechanism first to prevent use-after-free. + ENVOY_LOG(trace, + "ReverseConnectionIOHandle: cleaning up trigger pipe; " + "trigger_pipe_write_fd_={}, trigger_pipe_read_fd_={}", + trigger_pipe_write_fd_, trigger_pipe_read_fd_); if (trigger_pipe_write_fd_ >= 0) { ::close(trigger_pipe_write_fd_); trigger_pipe_write_fd_ = -1; @@ -353,44 +336,33 @@ void ReverseConnectionIOHandle::cleanup() { // Cancel the retry timer safely. if (rev_conn_retry_timer_) { - ENVOY_LOG(trace, "ReverseConnectionIOHandle::cleanup() - cancelling and resetting retry timer."); + ENVOY_LOG(trace, "ReverseConnectionIOHandle: cancelling and resetting retry timer."); rev_conn_retry_timer_.reset(); } // Graceful shutdown of connection wrappers with exception safety. ENVOY_LOG(debug, "Gracefully shutting down {} connection wrappers.", connection_wrappers_.size()); - // Step 1: Signal all connections to close gracefully with exception handling. + // Signal all connections to close gracefully. std::vector> wrappers_to_delete; for (auto& wrapper : connection_wrappers_) { if (wrapper) { - try { - ENVOY_LOG(debug, "Initiating graceful shutdown for connection wrapper."); - wrapper->shutdown(); - // Move wrapper for deferred cleanup - wrappers_to_delete.push_back(std::move(wrapper)); - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception during wrapper shutdown (continuing cleanup): {}.", e.what()); - // Still move the wrapper to ensure it gets cleaned up - wrappers_to_delete.push_back(std::move(wrapper)); - } + ENVOY_LOG(debug, "Initiating graceful shutdown for connection wrapper."); + wrapper->shutdown(); + // Move wrapper for deferred cleanup + wrappers_to_delete.push_back(std::move(wrapper)); } } - // Step 2: Clear containers safely. + // Clear containers safely. connection_wrappers_.clear(); conn_wrapper_to_host_map_.clear(); - // Step 3: Clean up wrappers with safe deletion. + // Clean up wrappers with safe deletion. for (auto& wrapper : wrappers_to_delete) { if (wrapper && isThreadLocalDispatcherAvailable()) { - try { - getThreadLocalDispatcher().deferredDelete(std::move(wrapper)); - } catch (...) { - // Direct cleanup as fallback - wrapper.reset(); - } + getThreadLocalDispatcher().deferredDelete(std::move(wrapper)); } else { - // Direct cleanup when dispatcher not available + // Direct cleanup when dispatcher not available. wrapper.reset(); } } @@ -400,48 +372,27 @@ void ReverseConnectionIOHandle::cleanup() { host_to_conn_info_map_.clear(); // Clear established connections queue safely. - try { - size_t queue_size = established_connections_.size(); - ENVOY_LOG(debug, "Cleaning up {} established connections.", queue_size); + size_t queue_size = established_connections_.size(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Cleaning up {} established connections.", + queue_size); - while (!established_connections_.empty()) { - try { - auto connection = std::move(established_connections_.front()); - established_connections_.pop(); + while (!established_connections_.empty()) { + auto connection = std::move(established_connections_.front()); + established_connections_.pop(); - if (connection) { - try { - auto state = connection->state(); - if (state == Envoy::Network::Connection::State::Open) { - connection->close(Envoy::Network::ConnectionCloseType::FlushWrite); - ENVOY_LOG(debug, "Closed established connection."); - } else { - ENVOY_LOG(debug, "Connection already in state: {}.", static_cast(state)); - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception closing connection (continuing): {}.", e.what()); - } - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "Exception processing connection queue item (continuing): {}.", e.what()); - // Skip this item and continue with the next - if (!established_connections_.empty()) { - established_connections_.pop(); - } + if (connection) { + auto state = connection->state(); + if (state == Envoy::Network::Connection::State::Open) { + connection->close(Envoy::Network::ConnectionCloseType::FlushWrite); + ENVOY_LOG(debug, "Closed established connection."); + } else { + ENVOY_LOG(debug, "Connection already in state: {}.", static_cast(state)); } } - ENVOY_LOG(debug, "Completed established connections cleanup."); - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception during established connections cleanup: {}.", e.what()); - // Force clear the queue - while (!established_connections_.empty()) { - established_connections_.pop(); - } } + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Completed established connections cleanup."); - // Trigger mechanism already cleaned up at the beginning of cleanup() - - ENVOY_LOG(debug, "Completed cleanup of reverse connection resources."); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Completed cleanup of reverse connection resources."); } Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { @@ -454,89 +405,91 @@ void ReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatche Event::FileReadyCb cb, Event::FileTriggerType trigger, uint32_t events) { - // CRITICAL FIX: listen() is called on the main thread, but the reverse connections should be - // initialized on a worker thread. initializeFileEvent() is called on a worker thread. - ENVOY_LOG(debug, "ReverseConnectionIOHandle::initializeFileEvent() called on thread: {} for fd={}", + // Reverse connections should be initiated when initializeFileEvent() is called on a worker + // thread. + ENVOY_LOG(debug, + "ReverseConnectionIOHandle::initializeFileEvent() called on thread: {} for fd={}", dispatcher.name(), fd_); - - if (!is_reverse_conn_started_) { - ENVOY_LOG(info, "ReverseConnectionIOHandle: Starting reverse connections on worker thread '{}'", - dispatcher.name()); - - // Store worker dispatcher - worker_dispatcher_ = &dispatcher; - - // Create trigger pipe on worker thread + + if (is_reverse_conn_started_) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Skipping initializeFileEvent() call because " + "reverse connections are already started"); + return; + } + + ENVOY_LOG(info, "ReverseConnectionIOHandle: Starting reverse connections on worker thread '{}'", + dispatcher.name()); + + // Store worker dispatcher + worker_dispatcher_ = &dispatcher; + + // Create trigger pipe on worker thread. + if (!isTriggerPipeReady()) { + createTriggerPipe(); if (!isTriggerPipeReady()) { - createTriggerPipe(); - if (!isTriggerPipeReady()) { - ENVOY_LOG(error, "Failed to create trigger pipe on worker thread"); - return; - } + ENVOY_LOG(error, "Failed to create trigger pipe on worker thread"); + return; } + } - // CRITICAL: Replace the monitored FD with pipe read FD - // This must happen before any event registration - int trigger_fd = getPipeMonitorFd(); - if (trigger_fd != -1) { - ENVOY_LOG(info, "Replacing monitored FD from {} to pipe read FD {}", fd_, trigger_fd); - fd_ = trigger_fd; - } - - // Initialize reverse connections on worker thread - if (!rev_conn_retry_timer_) { - rev_conn_retry_timer_ = dispatcher.createTimer([this]() { - ENVOY_LOG(debug, "Reverse connection timer triggered on worker thread"); - maintainReverseConnections(); - }); + // CRITICAL: Replace the monitored FD with pipe read FD + // This must happen before any event registration. + int trigger_fd = getPipeMonitorFd(); + if (trigger_fd != -1) { + ENVOY_LOG(info, "Replacing monitored FD from {} to pipe read FD {}", fd_, trigger_fd); + fd_ = trigger_fd; + } + + // Initialize reverse connections on worker thread + if (!rev_conn_retry_timer_) { + rev_conn_retry_timer_ = dispatcher.createTimer([this]() { + ENVOY_LOG(debug, "Reverse connection timer triggered on worker thread"); maintainReverseConnections(); - } - - is_reverse_conn_started_ = true; - ENVOY_LOG(info, "ReverseConnectionIOHandle: Reverse connections started on thread '{}'", - dispatcher.name()); + }); + maintainReverseConnections(); } - + + is_reverse_conn_started_ = true; + ENVOY_LOG(info, "ReverseConnectionIOHandle: Reverse connections started on thread '{}'", + dispatcher.name()); + // Call parent implementation IoSocketHandleImpl::initializeFileEvent(dispatcher, cb, trigger, events); } Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, socklen_t* addrlen) { - // Mark parameters as potentially unused + // Mark parameters unused (void)addr; (void)addrlen; - + if (isTriggerPipeReady()) { char trigger_byte; ssize_t bytes_read = ::read(trigger_pipe_read_fd_, &trigger_byte, 1); if (bytes_read == 1) { - ENVOY_LOG(debug, - "ReverseConnectionIOHandle::accept() - received trigger, processing connection."); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: received trigger, processing connection."); // When a connection is established, a byte is written to the trigger_pipe_write_fd_ and the // connection is inserted into the established_connections_ queue. The last connection in the // queue is therefore the one that got established last. if (!established_connections_.empty()) { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - getting connection from queue."); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: getting connection from queue."); auto connection = std::move(established_connections_.front()); established_connections_.pop(); - // Fill in address information for the reverse tunnel "client" - // Use actual client address from established connection + // Fill in address information for the reverse tunnel "client". + // Use actual client address from established connection. if (addr && addrlen) { const auto& remote_addr = connection->connectionInfoProvider().remoteAddress(); if (remote_addr) { - ENVOY_LOG(debug, - "ReverseConnectionIOHandle::accept() - using actual client address: {}", + ENVOY_LOG(debug, "ReverseConnectionIOHandle: using actual client address: {}", remote_addr->asString()); const sockaddr* sock_addr = remote_addr->sockAddr(); socklen_t addr_len = remote_addr->sockAddrLen(); if (*addrlen >= addr_len) { - memcpy(addr, sock_addr, addr_len); + memcpy(addr, sock_addr, addr_len); // NOLINT(safe-memcpy) *addrlen = addr_len; - ENVOY_LOG(trace, - "ReverseConnectionIOHandle::accept() - copied {} bytes of address data", + ENVOY_LOG(trace, "ReverseConnectionIOHandle: copied {} bytes of address data", addr_len); } else { ENVOY_LOG(warn, @@ -546,7 +499,7 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a *addrlen = addr_len; // Still set the required length } } else { - ENVOY_LOG(warn, "ReverseConnectionIOHandle::accept() - no remote address available, " + ENVOY_LOG(warn, "ReverseConnectionIOHandle: no remote address available, " "using synthetic localhost address"); // Fallback to synthetic address only when remote address is unavailable auto synthetic_addr = @@ -554,12 +507,10 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a const sockaddr* sock_addr = synthetic_addr->sockAddr(); socklen_t addr_len = synthetic_addr->sockAddrLen(); if (*addrlen >= addr_len) { - memcpy(addr, sock_addr, addr_len); + memcpy(addr, sock_addr, addr_len); // NOLINT(safe-memcpy) *addrlen = addr_len; } else { - ENVOY_LOG( - error, - "ReverseConnectionIOHandle::accept() - buffer too small for synthetic address"); + ENVOY_LOG(error, "ReverseConnectionIOHandle: buffer too small for synthetic address"); *addrlen = addr_len; } } @@ -567,17 +518,16 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a const std::string connection_key = connection->connectionInfoProvider().localAddress()->asString(); - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - got connection key: {}", - connection_key); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: got connection key: {}", connection_key); - // Instead of moving the socket, duplicate the file descriptor + // Instead of moving the socket, duplicate the file descriptor. const Network::ConnectionSocketPtr& original_socket = connection->getSocket(); if (!original_socket || !original_socket->isOpen()) { ENVOY_LOG(error, "Original socket is not available or not open"); return nullptr; } - // Duplicate the file descriptor + // Duplicate the file descriptor. Network::IoHandlePtr duplicated_handle = original_socket->ioHandle().duplicate(); if (!duplicated_handle || !duplicated_handle->isOpen()) { ENVOY_LOG(error, "Failed to duplicate file descriptor"); @@ -586,37 +536,39 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a os_fd_t original_fd = original_socket->ioHandle().fdDoNotUse(); os_fd_t duplicated_fd = duplicated_handle->fdDoNotUse(); - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - duplicated fd: original_fd={}, duplicated_fd={}", + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: duplicated fd: original_fd={}, duplicated_fd={}", original_fd, duplicated_fd); - // Create a new socket with the duplicated handle - Network::ConnectionSocketPtr duplicated_socket = + // Create a new socket with the duplicated handle. + Network::ConnectionSocketPtr duplicated_socket = std::make_unique( std::move(duplicated_handle), original_socket->connectionInfoProvider().localAddress(), original_socket->connectionInfoProvider().remoteAddress()); - // Reset file events on the duplicated socket to clear any inherited events + // Reset file events on the duplicated socket to clear any inherited events. duplicated_socket->ioHandle().resetFileEvents(); - // Create RAII-based IoHandle with duplicated socket, passing parent pointer and connection key + // Create RAII-based IoHandle with duplicated socket, passing parent pointer and connection + // key. auto io_handle = std::make_unique( std::move(duplicated_socket), this, connection_key); ENVOY_LOG(debug, - "ReverseConnectionIOHandle::accept() - RAII IoHandle created with duplicated socket."); + "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket."); connection->setSocketReused(true); // Close the original connection connection->close(Network::ConnectionCloseType::NoFlush); - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - returning io_handle."); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: returning io_handle."); return io_handle; } } else if (bytes_read == 0) { - ENVOY_LOG(debug, "ReverseConnectionIOHandle::accept() - trigger pipe closed."); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: trigger pipe closed."); return nullptr; } else if (bytes_read == -1 && errno != EAGAIN && errno != EWOULDBLOCK) { - ENVOY_LOG(error, "ReverseConnectionIOHandle::accept() - error reading from trigger pipe: {}", - strerror(errno)); + ENVOY_LOG(error, "ReverseConnectionIOHandle: error reading from trigger pipe: {}", + errorDetails(errno)); return nullptr; } } @@ -649,7 +601,7 @@ ReverseConnectionIOHandle::connect(Envoy::Network::Address::InstanceConstSharedP // Individual reverse connections initiated by this ReverseConnectionIOHandle are managed via // DownstreamReverseConnectionIOHandle RAII ownership. Api::IoCallUint64Result ReverseConnectionIOHandle::close() { - ENVOY_LOG(error, "ReverseConnectionIOHandle::close() - performing graceful shutdown."); + ENVOY_LOG(error, "ReverseConnectionIOHandle: performing graceful shutdown."); // Clean up original socket FD if (original_socket_fd_ != -1) { @@ -660,9 +612,9 @@ Api::IoCallUint64Result ReverseConnectionIOHandle::close() { // CRITICAL: If we're using pipe trigger FD, let the IoSocketHandleImpl::close() // close it and cleanup() set the pipe FDs to -1. - if (isTriggerPipeReady() && getPipeMonitorFd() == fd_) { - ENVOY_LOG(error, - "Skipping close of pipe trigger FD {} - will be handled by base close() method.", + if (isTriggerPipeReady() && getPipeMonitorFd() == fd_) { + ENVOY_LOG(error, + "Skipping close of pipe trigger FD {} - will be handled by base close() method.", fd_); } @@ -670,45 +622,35 @@ Api::IoCallUint64Result ReverseConnectionIOHandle::close() { } void ReverseConnectionIOHandle::onEvent(Network::ConnectionEvent event) { - // This is called when connection events occur - // For reverse connections, we handle these events through RCConnectionWrapper - ENVOY_LOG(trace, "ReverseConnectionIOHandle::onEvent - event: {}", static_cast(event)); + // This is called when connection events occur. + // For reverse connections, we handle these events through RCConnectionWrapper. + ENVOY_LOG(trace, "ReverseConnectionIOHandle: event: {}", static_cast(event)); } -bool ReverseConnectionIOHandle::isTriggerReady() const { - // Note: isPipeTriggerReady() doesn't exist, using a simple check for now - bool ready = (trigger_pipe_read_fd_ >= 0); - ENVOY_LOG(debug, "isTriggerReady() returning: {}", ready); - return ready; -} +int ReverseConnectionIOHandle::getPipeMonitorFd() const { return trigger_pipe_read_fd_; } -int ReverseConnectionIOHandle::getPipeMonitorFd() const { - return trigger_pipe_read_fd_; -} - -// Use the thread-local registry to get the dispatcher +// Use the thread-local registry to get the dispatcher. Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { - // Get the thread-local dispatcher from the socket interface's registry + // Get the thread-local dispatcher from the socket interface's registry. auto* local_registry = extension_->getLocalRegistry(); if (local_registry) { - // Return the dispatcher from the thread-local registry - ENVOY_LOG(debug, "ReverseConnectionIOHandle::getThreadLocalDispatcher() - dispatcher: {}", + // Return the dispatcher from the thread-local registry. + ENVOY_LOG(debug, "ReverseConnectionIOHandle: dispatcher: {}", local_registry->dispatcher().name()); return local_registry->dispatcher(); } - throw EnvoyException("Failed to get dispatcher from thread-local registry"); + ENVOY_BUG(false, "Failed to get dispatcher from thread-local registry"); + // This should never happen in normal operation, but we need to handle it gracefully. + RELEASE_ASSERT(worker_dispatcher_ != nullptr, "No dispatcher available"); + return *worker_dispatcher_; } // Safe wrapper for accessing thread-local dispatcher bool ReverseConnectionIOHandle::isThreadLocalDispatcherAvailable() const { - try { - auto* local_registry = extension_->getLocalRegistry(); - return local_registry != nullptr; - } catch (...) { - return false; - } + auto* local_registry = extension_->getLocalRegistry(); + return local_registry != nullptr; } ReverseTunnelInitiatorExtension* ReverseConnectionIOHandle::getDownstreamExtension() const { @@ -736,12 +678,13 @@ void ReverseConnectionIOHandle::maybeUpdateHostsMappingsAndConnections( if (host_it == host_to_conn_info_map_.end()) { ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host); } else { - // Update cluster name if host moved to different cluster + // Update cluster name if host moved to different cluster. host_it->second.cluster_name = cluster_id; } } cluster_to_resolved_hosts_map_[cluster_id] = new_hosts; - ENVOY_LOG(debug, "Removing {} remote hosts from cluster {}", removed_hosts.size(), cluster_id); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Removing {} remote hosts from cluster {}", + removed_hosts.size(), cluster_id); // Remove the hosts present in removed_hosts. for (const std::string& host : removed_hosts) { @@ -751,7 +694,7 @@ void ReverseConnectionIOHandle::maybeUpdateHostsMappingsAndConnections( } void ReverseConnectionIOHandle::removeStaleHostAndCloseConnections(const std::string& host) { - ENVOY_LOG(info, "Removing all connections to remote host {}", host); + ENVOY_LOG(info, "ReverseConnectionIOHandle: Removing all connections to remote host {}", host); // Find all wrappers for this host. Each wrapper represents a reverse connection to the host. std::vector wrappers_to_remove; for (const auto& [wrapper, mapped_host] : conn_wrapper_to_host_map_) { @@ -760,17 +703,17 @@ void ReverseConnectionIOHandle::removeStaleHostAndCloseConnections(const std::st } } ENVOY_LOG(info, "Found {} connections to remove for host {}", wrappers_to_remove.size(), host); - // Remove wrappers and close connections + // Remove wrappers and close connections. for (auto* wrapper : wrappers_to_remove) { ENVOY_LOG(debug, "Removing connection wrapper for host {}", host); - // Get the connection from wrapper and close it + // Get the connection from wrapper and close it. auto* connection = wrapper->getConnection(); if (connection && connection->state() == Network::Connection::State::Open) { connection->close(Network::ConnectionCloseType::FlushWrite); } - // Remove from wrapper-to-host map + // Remove from wrapper-to-host map. conn_wrapper_to_host_map_.erase(wrapper); // Remove the wrapper from connection_wrappers_ vector. connection_wrappers_.erase( @@ -780,7 +723,7 @@ void ReverseConnectionIOHandle::removeStaleHostAndCloseConnections(const std::st }), connection_wrappers_.end()); } - // Clear connection keys from host info + // Clear connection keys from host info. auto host_it = host_to_conn_info_map_.find(host); if (host_it != host_to_conn_info_map_.end()) { host_it->second.connection_keys.clear(); @@ -789,13 +732,15 @@ void ReverseConnectionIOHandle::removeStaleHostAndCloseConnections(const std::st void ReverseConnectionIOHandle::maintainClusterConnections( const std::string& cluster_name, const RemoteClusterConnectionConfig& cluster_config) { - ENVOY_LOG(debug, "Maintaining connections for cluster: {} with {} requested connections per host", + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Maintaining connections for cluster: {} with {} requested " + "connections per host", cluster_name, cluster_config.reverse_connection_count); - // Generate a temporary connection key for early failure tracking, to update stats gauges + // Generate a temporary connection key for early failure tracking, to update stats gauges. const std::string temp_connection_key = "temp_" + cluster_name + "_" + std::to_string(rand()); - // Get thread local cluster to access resolved hosts + // Get thread local cluster to access resolved hosts. auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); if (thread_local_cluster == nullptr) { ENVOY_LOG(error, "Cluster '{}' not found for reverse tunnel - will retry later", cluster_name); @@ -803,7 +748,7 @@ void ReverseConnectionIOHandle::maintainClusterConnections( ReverseConnectionState::CannotConnect); return; } - // Get all resolved hosts for the cluster + // Get all resolved hosts for the cluster. const auto& host_map_ptr = thread_local_cluster->prioritySet().crossPriorityHostMap(); if (host_map_ptr == nullptr || host_map_ptr->empty()) { ENVOY_LOG(error, "No hosts found in cluster '{}' - will retry later", cluster_name); @@ -811,23 +756,25 @@ void ReverseConnectionIOHandle::maintainClusterConnections( ReverseConnectionState::CannotConnect); return; } - // Retrieve the resolved hosts for a cluster and update the corresponding maps + // Retrieve the resolved hosts for a cluster and update the corresponding maps. std::vector resolved_hosts; - for (const auto& host_iter : *host_map_ptr) { - resolved_hosts.emplace_back(host_iter.first); + for (const auto& host_itr : *host_map_ptr) { + resolved_hosts.emplace_back(host_itr.first); } maybeUpdateHostsMappingsAndConnections(cluster_name, std::move(resolved_hosts)); - // Track successful connections for this cluster + // Track successful connections for this cluster. uint32_t total_successful_connections = 0; uint32_t total_required_connections = host_map_ptr->size() * cluster_config.reverse_connection_count; - // Create connections to each host in the cluster + // Create connections to each host in the cluster. for (const auto& [host_address, host] : *host_map_ptr) { - ENVOY_LOG(debug, "Checking reverse connection count for host {} of cluster {}", host_address, - cluster_name); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Checking reverse connection count for host {} of cluster {}", + host_address, cluster_name); - // Ensure HostConnectionInfo exists for this host + // Ensure HostConnectionInfo exists for this host. auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { ENVOY_LOG(debug, "Creating HostConnectionInfo for host {} in cluster {}", host_address, @@ -838,28 +785,34 @@ void ReverseConnectionIOHandle::maintainClusterConnections( {}, // connection_keys - empty set initially cluster_config.reverse_connection_count, // target_connection_count from config 0, // failure_count - std::chrono::steady_clock::now(), // last_failure_time - std::chrono::steady_clock::now(), // backoff_until - {} // connection_states + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states }; } - // Check if we should attempt connection to this host (backoff logic) + // Check if we should attempt connection to this host (backoff logic). if (!shouldAttemptConnectionToHost(host_address, cluster_name)) { - ENVOY_LOG(debug, "Skipping connection attempt to host {} due to backoff", host_address); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Skipping connection attempt to host {} due to backoff", + host_address); continue; } - // Get current number of successful connections to this host + // Get current number of successful connections to this host. uint32_t current_connections = host_to_conn_info_map_[host_address].connection_keys.size(); ENVOY_LOG(info, - "Number of reverse connections to host {} of cluster {}: " + "ReverseConnectionIOHandle: Number of reverse connections to host {} of cluster {}: " "Current: {}, Required: {}", host_address, cluster_name, current_connections, cluster_config.reverse_connection_count); if (current_connections >= cluster_config.reverse_connection_count) { - ENVOY_LOG(debug, "No more reverse connections needed to host {} of cluster {}", host_address, - cluster_name); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: No more reverse connections needed to host {} of cluster {}", + host_address, cluster_name); total_successful_connections += current_connections; continue; } @@ -867,10 +820,10 @@ void ReverseConnectionIOHandle::maintainClusterConnections( cluster_config.reverse_connection_count - current_connections; ENVOY_LOG(debug, - "Initiating {} reverse connections to host {} of remote " + "ReverseConnectionIOHandle: Initiating {} reverse connections to host {} of remote " "cluster '{}' from source node '{}'", needed_connections, host_address, cluster_name, config_.src_node_id); - // Create the required number of connections to this specific host + // Create the required number of connections to this specific host. for (uint32_t i = 0; i < needed_connections; ++i) { ENVOY_LOG(debug, "Initiating reverse connection number {} to host {} of cluster {}", i + 1, host_address, cluster_name); @@ -888,12 +841,16 @@ void ReverseConnectionIOHandle::maintainClusterConnections( } } } - // Update metrics based on overall success for the cluster + // Update metrics based on overall success for the cluster. if (total_successful_connections > 0) { - ENVOY_LOG(info, "Successfully created {}/{} total reverse connections to cluster {}", + ENVOY_LOG(info, + "ReverseConnectionIOHandle: Successfully created {}/{} total reverse connections to " + "cluster {}", total_successful_connections, total_required_connections, cluster_name); } else { - ENVOY_LOG(error, "Failed to create any reverse connections to cluster {} - will retry later", + ENVOY_LOG(error, + "ReverseConnectionIOHandle: Failed to create any reverse connections to cluster {} - " + "will retry later", cluster_name); } } @@ -911,13 +868,19 @@ bool ReverseConnectionIOHandle::shouldAttemptConnectionToHost(const std::string& return true; } auto& host_info = host_it->second; - auto now = std::chrono::steady_clock::now(); - // Check if we're still in backoff period + auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + ENVOY_LOG(debug, "host: {} now: {} ms backoff_until: {} ms", host_address, + std::chrono::duration_cast(now.time_since_epoch()).count(), + std::chrono::duration_cast( + host_info.backoff_until.time_since_epoch()) + .count()); + // Check if we're still in backoff period. if (now < host_info.backoff_until) { auto remaining_ms = std::chrono::duration_cast(host_info.backoff_until - now) .count(); - ENVOY_LOG(debug, "Host {} still in backoff for {}ms", host_address, remaining_ms); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Host {} still in backoff for {}ms", host_address, + remaining_ms); return false; } return true; @@ -933,7 +896,7 @@ void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_a } auto& host_info = host_it->second; host_info.failure_count++; - host_info.last_failure_time = std::chrono::steady_clock::now(); + host_info.last_failure_time = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) // Calculate exponential backoff: base_delay * 2^(failure_count - 1) const uint32_t base_delay_ms = 1000; // 1 second base delay const uint32_t max_delay_ms = 30000; // 30 seconds max delay @@ -954,8 +917,10 @@ void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_a const std::string backoff_connection_key = host_address + "_" + cluster_name + "_backoff"; updateConnectionState(host_address, cluster_name, backoff_connection_key, ReverseConnectionState::Backoff); - ENVOY_LOG(debug, "Marked host {} in cluster {} as Backoff with connection key {}", host_address, - cluster_name, backoff_connection_key); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Marked host {} in cluster {} as Backoff with connection key {}", + host_address, cluster_name, backoff_connection_key); } void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address) { @@ -967,40 +932,42 @@ void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address } auto& host_info = host_it->second; - auto now = std::chrono::steady_clock::now(); - - // Check if the host is actually in backoff before resetting + auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + + // Check if the host is actually in backoff before resetting. if (now >= host_info.backoff_until) { ENVOY_LOG(debug, "Host {} is not in backoff, skipping reset", host_address); return; } host_info.failure_count = 0; - host_info.backoff_until = std::chrono::steady_clock::now(); - ENVOY_LOG(debug, "Reset backoff for host {}", host_address); + host_info.backoff_until = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Reset backoff for host {}", host_address); // Mark host as recovered using the same key used by backoff to change the state from backoff to - // recovered + // recovered. const std::string recovered_connection_key = host_address + "_" + host_info.cluster_name + "_backoff"; updateConnectionState(host_address, host_info.cluster_name, recovered_connection_key, ReverseConnectionState::Recovered); - ENVOY_LOG(debug, "Marked host {} in cluster {} as Recovered with connection key {}", host_address, - host_info.cluster_name, recovered_connection_key); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Marked host {} in cluster {} as Recovered with connection key {}", + host_address, host_info.cluster_name, recovered_connection_key); } void ReverseConnectionIOHandle::updateConnectionState(const std::string& host_address, const std::string& cluster_name, const std::string& connection_key, ReverseConnectionState new_state) { - // Update connection state in host info and handle old state + // Update connection state in host info and handle old state. auto host_it = host_to_conn_info_map_.find(host_address); if (host_it != host_to_conn_info_map_.end()) { - // Remove old state if it exists + // Remove old state if it exists auto old_state_it = host_it->second.connection_states.find(connection_key); if (old_state_it != host_it->second.connection_states.end()) { ReverseConnectionState old_state = old_state_it->second; - // Decrement old state gauge using unified function + // Decrement old state gauge using unified function. updateStateGauge(host_address, cluster_name, old_state, false /* decrement */); } @@ -1008,11 +975,12 @@ void ReverseConnectionIOHandle::updateConnectionState(const std::string& host_ad host_it->second.connection_states[connection_key] = new_state; } - // Increment new state gauge using unified function + // Increment new state gauge using unified function. updateStateGauge(host_address, cluster_name, new_state, true /* increment */); - ENVOY_LOG(debug, "Updated connection {} state to {} for host {} in cluster {}", connection_key, - static_cast(new_state), host_address, cluster_name); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle:Updated connection {} state to {} for host {} in cluster {}", + connection_key, static_cast(new_state), host_address, cluster_name); } void ReverseConnectionIOHandle::removeConnectionState(const std::string& host_address, @@ -1031,18 +999,19 @@ void ReverseConnectionIOHandle::removeConnectionState(const std::string& host_ad } } - ENVOY_LOG(debug, "Removed connection {} state for host {} in cluster {}", connection_key, - host_address, cluster_name); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Removed connection {} state for host {} in cluster {}", + connection_key, host_address, cluster_name); } void ReverseConnectionIOHandle::onDownstreamConnectionClosed(const std::string& connection_key) { - ENVOY_LOG(debug, "Downstream connection closed: {}", connection_key); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Downstream connection closed: {}", connection_key); // Find the host for this connection key std::string host_address; std::string cluster_name; - // Search through host_to_conn_info_map_ to find which host this connection belongs to + // Search through host_to_conn_info_map_ to find which host this connection belongs to. for (const auto& [host, host_info] : host_to_conn_info_map_) { if (host_info.connection_keys.find(connection_key) != host_info.connection_keys.end()) { host_address = host; @@ -1059,7 +1028,7 @@ void ReverseConnectionIOHandle::onDownstreamConnectionClosed(const std::string& ENVOY_LOG(debug, "Found connection {} belongs to host {} in cluster {}", connection_key, host_address, cluster_name); - // Remove the connection key from the host's connection set + // Remove the connection key from the host's connection set. auto host_it = host_to_conn_info_map_.find(host_address); if (host_it != host_to_conn_info_map_.end()) { host_it->second.connection_keys.erase(connection_key); @@ -1071,25 +1040,24 @@ void ReverseConnectionIOHandle::onDownstreamConnectionClosed(const std::string& removeConnectionState(host_address, cluster_name, connection_key); // The next call to maintainClusterConnections() will detect the missing connection - // and re-initiate it automatically + // and re-initiate it automatically. ENVOY_LOG(debug, - "Connection closure recorded for host {} in cluster {}. " + "ReverseConnectionIOHandle: Connection closure recorded for host {} in cluster {}. " "Next maintenance cycle will re-initiate if needed.", host_address, cluster_name); } void ReverseConnectionIOHandle::updateStateGauge(const std::string& host_address, const std::string& cluster_name, - ReverseConnectionState state, - bool increment) { - // Get extension for stats updates + ReverseConnectionState state, bool increment) { + // Get extension for stats updates. auto* extension = getDownstreamExtension(); if (!extension) { ENVOY_LOG(debug, "No downstream extension available for state gauge update"); return; } - // Use switch case to determine the state suffix for stat name + // Use switch case to determine the state suffix for stat name. std::string state_suffix; switch (state) { case ReverseConnectionState::Connecting: @@ -1115,10 +1083,10 @@ void ReverseConnectionIOHandle::updateStateGauge(const std::string& host_address break; } - // Call extension to handle the actual stat update + // Call extension to handle the actual stat update. extension_->updateConnectionStats(host_address, cluster_name, state_suffix, increment); - ENVOY_LOG(trace, "{} state gauge for host {} cluster {} state {}", + ENVOY_LOG(trace, "{} state gauge for host {} cluster {} state {}", increment ? "Incremented" : "Decremented", host_address, cluster_name, state_suffix); } @@ -1142,6 +1110,7 @@ void ReverseConnectionIOHandle::maintainReverseConnections() { // Enable the retry timer to periodically check for missing connections (like maintainConnCount) if (rev_conn_retry_timer_) { + // TODO(basundhara-c): Make the retry timeout configurable. const std::chrono::milliseconds retry_timeout(10000); // 10 seconds rev_conn_retry_timer_->enableTimer(retry_timeout); ENVOY_LOG(debug, "Enabled retry timer for next connection check in 10 seconds."); @@ -1151,10 +1120,11 @@ void ReverseConnectionIOHandle::maintainReverseConnections() { bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& cluster_name, const std::string& host_address, Upstream::HostConstSharedPtr host) { - // Generate a temporary connection key for early failure tracking - const std::string temp_connection_key = "temp_" + cluster_name + "_" + host_address + "_" + std::to_string(rand()); + // Generate a temporary connection key for early failure tracking. + const std::string temp_connection_key = + "temp_" + cluster_name + "_" + host_address + "_" + std::to_string(rand()); - // Only validate host_address here since it's specific to this connection attempt + // Only validate host_address here since it's specific to this connection attempt. if (host_address.empty()) { ENVOY_LOG(error, "Host address is required but empty"); updateConnectionState(host_address, cluster_name, temp_connection_key, @@ -1162,7 +1132,9 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& return false; } - ENVOY_LOG(debug, "Initiating one reverse connection to host {} of cluster '{}', source node '{}'", + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Initiating one reverse connection to host {} of cluster " + "'{}', source node '{}'", host_address, cluster_name, config_.src_node_id); // Get the thread local cluster auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); @@ -1173,61 +1145,56 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& return false; } - try { - ReverseConnectionLoadBalancerContext lb_context(host_address); - - // Get connection from cluster manager - Upstream::Host::CreateConnectionData conn_data = thread_local_cluster->tcpConn(&lb_context); - - if (!conn_data.connection_) { - ENVOY_LOG(error, "Failed to create connection to host {} in cluster {}", host_address, - cluster_name); - updateConnectionState(host_address, cluster_name, temp_connection_key, - ReverseConnectionState::CannotConnect); - return false; - } - - // Create wrapper to manage the connection - // The wrapper will determine whether to use gRPC or HTTP based on parent's gRPC config - auto wrapper = std::make_unique(*this, std::move(conn_data.connection_), - conn_data.host_description_, cluster_name); - - // Send the reverse connection handshake over the TCP connection - const std::string connection_key = - wrapper->connect(config_.src_tenant_id, config_.src_cluster_id, config_.src_node_id); - ENVOY_LOG(debug, "Initiated reverse connection handshake for host {} with key {}", host_address, - connection_key); + ReverseConnectionLoadBalancerContext lb_context(host_address); - // Mark as Connecting after handshake is initiated. Use the actual connection key so that it can - // be marked as failed in onConnectionDone() - conn_wrapper_to_host_map_[wrapper.get()] = host_address; - connection_wrappers_.push_back(std::move(wrapper)); + // Get connection from cluster manager + Upstream::Host::CreateConnectionData conn_data = thread_local_cluster->tcpConn(&lb_context); - ENVOY_LOG(debug, "Successfully initiated reverse connection to host {} ({}:{}) in cluster {}", - host_address, host->address()->ip()->addressAsString(), host->address()->ip()->port(), - cluster_name); - // Reset backoff for successful connection - resetHostBackoff(host_address); - updateConnectionState(host_address, cluster_name, connection_key, - ReverseConnectionState::Connecting); - return true; - } catch (const std::exception& e) { - ENVOY_LOG(error, "Exception creating reverse connection to host {} in cluster {}: {}", - host_address, cluster_name, e.what()); - // Stats are automatically managed by updateConnectionState: CannotConnect gauge is - // incremented here and will be decremented when state changes to Connecting on retry + if (!conn_data.connection_) { + ENVOY_LOG(error, + "ReverseConnectionIOHandle: Failed to create connection to host {} in cluster {}", + host_address, cluster_name); updateConnectionState(host_address, cluster_name, temp_connection_key, ReverseConnectionState::CannotConnect); return false; } + + // Create wrapper to manage the connection + // The wrapper will initiate and manage the reverse connection handshake using HTTP. + auto wrapper = std::make_unique(*this, std::move(conn_data.connection_), + conn_data.host_description_, cluster_name); + + // Send the reverse connection handshake over the TCP connection. + const std::string connection_key = + wrapper->connect(config_.src_tenant_id, config_.src_cluster_id, config_.src_node_id); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Initiated reverse connection handshake for host {} with key {}", + host_address, connection_key); + + // Mark as Connecting after handshake is initiated. Use the actual connection key so that it can + // be marked as failed in onConnectionDone(). + conn_wrapper_to_host_map_[wrapper.get()] = host_address; + connection_wrappers_.push_back(std::move(wrapper)); + + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " + "({}:{}) in cluster {}", + host_address, host->address()->ip()->addressAsString(), host->address()->ip()->port(), + cluster_name); + // Reset backoff for successful connection. + resetHostBackoff(host_address); + updateConnectionState(host_address, cluster_name, connection_key, + ReverseConnectionState::Connecting); + return true; } // Trigger pipe used to wake up accept() when a connection is established. void ReverseConnectionIOHandle::createTriggerPipe() { - ENVOY_LOG(debug, "Creating trigger pipe for single-byte mechanism"); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Creating trigger pipe for single-byte mechanism"); int pipe_fds[2]; if (pipe(pipe_fds) == -1) { - ENVOY_LOG(error, "Failed to create trigger pipe: {}", strerror(errno)); + ENVOY_LOG(error, "Failed to create trigger pipe: {}", errorDetails(errno)); trigger_pipe_read_fd_ = -1; trigger_pipe_write_fd_ = -1; return; @@ -1243,8 +1210,8 @@ void ReverseConnectionIOHandle::createTriggerPipe() { if (flags != -1) { fcntl(trigger_pipe_read_fd_, F_SETFL, flags | O_NONBLOCK); } - ENVOY_LOG(debug, "Created trigger pipe: read_fd={}, write_fd={}", trigger_pipe_read_fd_, - trigger_pipe_write_fd_); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Created trigger pipe: read_fd={}, write_fd={}", + trigger_pipe_read_fd_, trigger_pipe_write_fd_); } bool ReverseConnectionIOHandle::isTriggerPipeReady() const { @@ -1253,199 +1220,162 @@ bool ReverseConnectionIOHandle::isTriggerPipeReady() const { void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, RCConnectionWrapper* wrapper, bool closed) { - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection wrapper done - error: '{}', closed: {}", error, closed); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Connection wrapper done - error: '{}', closed: {}", + error, closed); - // DEFENSIVE: Validate wrapper pointer before any access + // Validate wrapper pointer before any access. if (!wrapper) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Null wrapper pointer in onConnectionDone"); + ENVOY_LOG(error, "ReverseConnectionIOHandle: Null wrapper pointer in onConnectionDone"); return; } - // DEFENSIVE: Use try-catch for all potentially dangerous operations std::string host_address; std::string cluster_name; std::string connection_key; - try { - // STEP 1: Safely get host address for wrapper - auto wrapper_it = conn_wrapper_to_host_map_.find(wrapper); - if (wrapper_it == conn_wrapper_to_host_map_.end()) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Wrapper not found in conn_wrapper_to_host_map_ - may have been cleaned up"); - return; - } - host_address = wrapper_it->second; - - // STEP 2: Safely get cluster name from host info - auto host_it = host_to_conn_info_map_.find(host_address); - if (host_it != host_to_conn_info_map_.end()) { - cluster_name = host_it->second.cluster_name; - } else { - ENVOY_LOG(warn, "TUNNEL SOCKET TRANSFER: Host info not found for {}, using fallback", host_address); - } - - if (cluster_name.empty()) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: No cluster mapping for host {}, cannot process connection event", host_address); - // Still try to clean up the wrapper - conn_wrapper_to_host_map_.erase(wrapper); - return; - } + // Safely get host address for wrapper. + auto wrapper_it = conn_wrapper_to_host_map_.find(wrapper); + if (wrapper_it == conn_wrapper_to_host_map_.end()) { + ENVOY_LOG(error, "ReverseConnectionIOHandle: Wrapper not found in conn_wrapper_to_host_map_ - " + "may have been cleaned up"); + return; + } + host_address = wrapper_it->second; - // STEP 3: Safely get connection info if wrapper is still valid - auto* connection = wrapper->getConnection(); - if (connection) { - try { - connection_key = connection->connectionInfoProvider().localAddress()->asString(); - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Processing connection event for host '{}', cluster '{}', key '{}'", - host_address, cluster_name, connection_key); - } catch (const std::exception& e) { - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection info access failed: {}, using fallback key", e.what()); - connection_key = "fallback_" + host_address + "_" + std::to_string(rand()); - } - } else { - connection_key = "cleanup_" + host_address + "_" + std::to_string(rand()); - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection already null, using fallback key '{}'", connection_key); - } + // Safely get cluster name from host info. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + cluster_name = host_it->second.cluster_name; + } else { + ENVOY_LOG(warn, "ReverseConnectionIOHandle: Host info not found for {}, using fallback", + host_address); + } - } catch (const std::exception& e) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Exception during connection info gathering: {}", e.what()); - // Try to at least remove the wrapper from our maps - try { - conn_wrapper_to_host_map_.erase(wrapper); - } catch (...) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Failed to remove wrapper from map"); - } + if (cluster_name.empty()) { + ENVOY_LOG(error, + "ReverseConnectionIOHandle: No cluster mapping for host {}, cannot process " + "connection event", + host_address); + // Still try to clean up the wrapper + conn_wrapper_to_host_map_.erase(wrapper); return; } - // Get connection pointer for safe access in success/failure handling + // Safely get connection info if wrapper is still valid. auto* connection = wrapper->getConnection(); + if (connection) { + connection_key = connection->connectionInfoProvider().localAddress()->asString(); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Processing connection event for host '{}', cluster " + "'{}', key '{}'", + host_address, cluster_name, connection_key); + } else { + connection_key = "cleanup_" + host_address + "_" + std::to_string(rand()); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Connection already null, using fallback key '{}'", + connection_key); + } + + // Get connection pointer for safe access in success/failure handling. + connection = wrapper->getConnection(); - // STEP 4: Process connection result safely + // Process connection result safely. bool is_success = (error == "reverse connection accepted" || error == "success" || error == "handshake successful" || error == "connection established"); if (closed || (!error.empty() && !is_success)) { - // DEFENSIVE: Handle connection failure safely - try { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Connection failed - error '{}', cleaning up host {}", error, host_address); - - updateConnectionState(host_address, cluster_name, connection_key, ReverseConnectionState::Failed); - - // Safely close connection if still valid - if (connection) { - try { - if (connection->getSocket()) { - connection->getSocket()->ioHandle().resetFileEvents(); - } - connection->close(Network::ConnectionCloseType::NoFlush); - } catch (const std::exception& e) { - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection close failed: {}", e.what()); - } - } + // Handle connection failure + ENVOY_LOG(error, + "ReverseConnectionIOHandle: Connection failed - error '{}', cleaning up host {}", + error, host_address); + + updateConnectionState(host_address, cluster_name, connection_key, + ReverseConnectionState::Failed); - trackConnectionFailure(host_address, cluster_name); - - } catch (const std::exception& e) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Exception during failure handling: {}", e.what()); + // Safely close connection if still valid. + if (connection) { + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + connection->close(Network::ConnectionCloseType::NoFlush); } - + + trackConnectionFailure(host_address, cluster_name); + } else { - // DEFENSIVE: Handle connection success safely - try { - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Connection succeeded for host {}", host_address); + // Handle connection success + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Connection succeeded for host {}", host_address); - resetHostBackoff(host_address); - updateConnectionState(host_address, cluster_name, connection_key, ReverseConnectionState::Connected); + resetHostBackoff(host_address); + updateConnectionState(host_address, cluster_name, connection_key, + ReverseConnectionState::Connected); - // Only proceed if connection is still valid - if (!connection) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Cannot complete successful handshake - connection is null"); - return; - } + // Only proceed if connection is still valid. + if (!connection) { + ENVOY_LOG( + error, + "ReverseConnectionIOHandle: Cannot complete successful handshake - connection is null"); + return; + } - // CRITICAL FIX: Remove the PersistentPingFilter approach that was breaking HTTP processing - // Instead, transfer the connection directly to the listener system - - ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Transferring tunnel socket for reverse_conn_listener consumption"); + ENVOY_LOG(info, "ReverseConnectionIOHandle: Transferring tunnel socket for " + "reverse_conn_listener consumption"); - // DEFENSIVE: Reset file events safely - try { - if (connection->getSocket()) { - connection->getSocket()->ioHandle().resetFileEvents(); - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: File events reset failed: {}", e.what()); - } + // Reset file events safely. + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } - // DEFENSIVE: Update host connection tracking safely - try { - auto host_it = host_to_conn_info_map_.find(host_address); - if (host_it != host_to_conn_info_map_.end()) { - host_it->second.connection_keys.insert(connection_key); - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Added connection key {} for host {}", connection_key, host_address); - } - } catch (const std::exception& e) { - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Host tracking update failed: {}", e.what()); - } + // Update host connection tracking safely. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + host_it->second.connection_keys.insert(connection_key); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Added connection key {} for host {}", + connection_key, host_address); + } - // CRITICAL FIX: Transfer connection WITHOUT adding PersistentPingFilter - // The reverse_conn_listener will handle HTTP requests through its HTTP connection manager - try { - Network::ClientConnectionPtr released_conn = wrapper->releaseConnection(); - - if (released_conn) { - ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Successfully released connection - NO filters added"); - ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Connection will be consumed by reverse_conn_listener for HTTP processing"); - - // Move connection to established queue for reverse_conn_listener to consume - established_connections_.push(std::move(released_conn)); - - // Trigger accept mechanism safely - if (isTriggerPipeReady()) { - char trigger_byte = 1; - ssize_t bytes_written = ::write(trigger_pipe_write_fd_, &trigger_byte, 1); - if (bytes_written == 1) { - ENVOY_LOG(info, "TUNNEL SOCKET TRANSFER: Successfully triggered reverse_conn_listener accept() for host {}", host_address); - } else { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Failed to write trigger byte: {}", strerror(errno)); - } - } + Network::ClientConnectionPtr released_conn = wrapper->releaseConnection(); + + if (released_conn) { + ENVOY_LOG(info, "ReverseConnectionIOHandle: Connection will be consumed by " + "reverse_conn_listener for HTTP processing"); + + // Move connection to established queue for reverse_conn_listener to consume. + established_connections_.push(std::move(released_conn)); + + // Trigger accept mechanism safely. + if (isTriggerPipeReady()) { + char trigger_byte = 1; + ssize_t bytes_written = ::write(trigger_pipe_write_fd_, &trigger_byte, 1); + if (bytes_written == 1) { + ENVOY_LOG(info, + "ReverseConnectionIOHandle: Successfully triggered reverse_conn_listener " + "accept() for host {}", + host_address); + } else { + ENVOY_LOG(error, "ReverseConnectionIOHandle: Failed to write trigger byte: {}", + errorDetails(errno)); } - } catch (const std::exception& e) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Connection transfer failed: {}", e.what()); } - - } catch (const std::exception& e) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Exception during success handling: {}", e.what()); } } - // STEP 5: Safely remove wrapper from tracking - try { - conn_wrapper_to_host_map_.erase(wrapper); - - // DEFENSIVE: Find and remove wrapper from vector safely - auto wrapper_vector_it = std::find_if( - connection_wrappers_.begin(), connection_wrappers_.end(), - [wrapper](const std::unique_ptr& w) { return w.get() == wrapper; }); - - if (wrapper_vector_it != connection_wrappers_.end()) { - auto wrapper_to_delete = std::move(*wrapper_vector_it); - connection_wrappers_.erase(wrapper_vector_it); - - // Use deferred deletion to prevent crash during cleanup - try { - std::unique_ptr deletable_wrapper( - static_cast(wrapper_to_delete.release())); - getThreadLocalDispatcher().deferredDelete(std::move(deletable_wrapper)); - ENVOY_LOG(debug, "TUNNEL SOCKET TRANSFER: Deferred delete of connection wrapper"); - } catch (const std::exception& e) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Deferred deletion failed: {}", e.what()); - } - } - - } catch (const std::exception& e) { - ENVOY_LOG(error, "TUNNEL SOCKET TRANSFER: Wrapper removal failed: {}", e.what()); + // Safely remove wrapper from tracking. + conn_wrapper_to_host_map_.erase(wrapper); + + // Find and remove wrapper from vector safely. + auto wrapper_vector_it = std::find_if( + connection_wrappers_.begin(), connection_wrappers_.end(), + [wrapper](const std::unique_ptr& w) { return w.get() == wrapper; }); + + if (wrapper_vector_it != connection_wrappers_.end()) { + auto wrapper_to_delete = std::move(*wrapper_vector_it); + connection_wrappers_.erase(wrapper_vector_it); + + // Use deferred deletion to prevent crash during cleanup. + std::unique_ptr deletable_wrapper( + static_cast(wrapper_to_delete.release())); + getThreadLocalDispatcher().deferredDelete(std::move(deletable_wrapper)); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Deferred delete of connection wrapper"); } } @@ -1468,22 +1398,25 @@ void ReverseTunnelInitiatorExtension::onServerInitialized() { } void ReverseTunnelInitiatorExtension::onWorkerThreadInitialized() { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onWorkerThreadInitialized - creating thread local slot"); - - // Create thread local slot on worker thread initialization - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); - - // Set up the thread local dispatcher for each worker thread + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: creating thread local slot"); + + // Create thread local slot on worker thread initialization. + tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + + // Set up the thread local dispatcher for each worker thread. tls_slot_->set([this](Event::Dispatcher& dispatcher) { return std::make_shared(dispatcher, context_.scope()); }); - - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension - thread local slot created successfully in worker thread"); + + ENVOY_LOG( + debug, + "ReverseTunnelInitiatorExtension: thread local slot created successfully in worker thread"); } DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { if (!tls_slot_) { - ENVOY_LOG(error, "ReverseTunnelInitiatorExtension::getLocalRegistry() - no thread local slot"); + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: no thread local slot"); return nullptr; } @@ -1501,10 +1434,10 @@ ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, const Envoy::Network::SocketCreationOptions& options) const { (void)socket_v6only; (void)options; - ENVOY_LOG(debug, "ReverseTunnelInitiator::socket() - type={}, addr_type={}", - static_cast(socket_type), static_cast(addr_type)); + ENVOY_LOG(debug, "ReverseTunnelInitiator: type={}, addr_type={}", static_cast(socket_type), + static_cast(addr_type)); - // This method is called without reverse connection config, so create a regular socket + // This method is called without reverse connection config, so create a regular socket. int domain; if (addr_type == Envoy::Network::Address::Type::Ip) { domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; @@ -1515,7 +1448,7 @@ ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, int sock_type = (socket_type == Envoy::Network::Socket::Type::Stream) ? SOCK_STREAM : SOCK_DGRAM; int sock_fd = ::socket(domain, sock_type, 0); if (sock_fd == -1) { - ENVOY_LOG(error, "Failed to create fallback socket: {}", strerror(errno)); + ENVOY_LOG(error, "Failed to create fallback socket: {}", errorDetails(errno)); return nullptr; } return std::make_unique(sock_fd); @@ -1528,8 +1461,14 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const { - ENVOY_LOG(debug, "Creating reverse connection socket for cluster: {}", - config.remote_clusters.empty() ? "unknown" : config.remote_clusters[0].cluster_name); + // Return early if no remote clusters are configured + if (config.remote_clusters.empty()) { + ENVOY_LOG(debug, "ReverseTunnelInitiator: No remote clusters configured, returning nullptr"); + return nullptr; + } + + ENVOY_LOG(debug, "ReverseTunnelInitiator: Creating reverse connection socket for cluster: {}", + config.remote_clusters[0].cluster_name); // For stream sockets on IP addresses, create our reverse connection IOHandle. if (socket_type == Envoy::Network::Socket::Type::Stream && @@ -1538,11 +1477,14 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke int domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; int sock_fd = ::socket(domain, SOCK_STREAM, 0); if (sock_fd == -1) { - ENVOY_LOG(error, "Failed to create socket: {}", strerror(errno)); + ENVOY_LOG(error, "Failed to create socket: {}", errorDetails(errno)); return nullptr; } - ENVOY_LOG(debug, "Created socket fd={}, wrapping with ReverseConnectionIOHandle", sock_fd); + ENVOY_LOG( + debug, + "ReverseTunnelInitiator: Created socket fd={}, wrapping with ReverseConnectionIOHandle", + sock_fd); // Get the scope from thread local registry, fallback to context scope Stats::Scope* scope_ptr = &context_->scope(); @@ -1551,12 +1493,12 @@ Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocke scope_ptr = &tls_registry->scope(); } - // Create ReverseConnectionIOHandle with cluster manager from context and scope + // Create ReverseConnectionIOHandle with cluster manager from context and scope. return std::make_unique(sock_fd, config, context_->clusterManager(), extension_, *scope_ptr); } - // Fall back to regular socket for non-stream or non-IP sockets + // Fall back to regular socket for non-stream or non-IP sockets. return socket(socket_type, addr_type, version, false, Envoy::Network::SocketCreationOptions{}); } @@ -1565,31 +1507,30 @@ ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, const Envoy::Network::Address::InstanceConstSharedPtr addr, const Envoy::Network::SocketCreationOptions& options) const { - // Extract reverse connection configuration from address + // Extract reverse connection configuration from address. const auto* reverse_addr = dynamic_cast(addr.get()); if (reverse_addr) { - // Get the reverse connection config from the address - ENVOY_LOG(debug, "ReverseTunnelInitiator::socket() - reverse_addr: {}", - reverse_addr->asString()); + // Get the reverse connection config from the address. + ENVOY_LOG(debug, "ReverseTunnelInitiator: reverse_addr: {}", reverse_addr->asString()); const auto& config = reverse_addr->reverseConnectionConfig(); - // Convert ReverseConnectionAddress::ReverseConnectionConfig to ReverseConnectionSocketConfig + // Convert ReverseConnectionAddress::ReverseConnectionConfig to ReverseConnectionSocketConfig. ReverseConnectionSocketConfig socket_config; socket_config.src_node_id = config.src_node_id; socket_config.src_cluster_id = config.src_cluster_id; socket_config.src_tenant_id = config.src_tenant_id; - // Add the remote cluster configuration + // Add the remote cluster configuration. RemoteClusterConnectionConfig cluster_config(config.remote_cluster, config.connection_count); socket_config.remote_clusters.push_back(cluster_config); - // Thread-safe: Pass config directly to helper method + // Pass config directly to helper method. return createReverseConnectionSocket( socket_type, addr->type(), addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, socket_config); } - // Delegate to the other socket() method for non-reverse-connection addresses + // Delegate to the other socket() method for non-reverse-connection addresses. return socket(socket_type, addr->type(), addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, false, options); @@ -1603,40 +1544,44 @@ Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); const auto& message = MessageUtil::downcastAndValidate< - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface&>( - config, context.messageValidationVisitor()); + const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); context_ = &context; - // Create the bootstrap extension and store reference to it + // Create the bootstrap extension and store reference to it. auto extension = std::make_unique(context, message); extension_ = extension.get(); return extension; } ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { - return std::make_unique< - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface>(); + return std::make_unique(); } // ReverseTunnelInitiatorExtension constructor implementation. ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface& config) + const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& config) : context_(context), config_(config) { - ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension - TLS slot will be created in onWorkerThreadInitialized"); + ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " + "onWorkerThreadInitialized"); } void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& host_address, const std::string& cluster_id, const std::string& state_suffix, bool increment) { - // Register stats with Envoy's system for automatic cross-thread aggregation + // Register stats with Envoy's system for automatic cross-thread aggregation. auto& stats_store = context_.scope(); // Create/update host connection stat with state suffix if (!host_address.empty() && !state_suffix.empty()) { - std::string host_stat_name = fmt::format("reverse_connections.host.{}.{}", host_address, state_suffix); - auto& host_gauge = - stats_store.gaugeFromString(host_stat_name, Stats::Gauge::ImportMode::Accumulate); + std::string host_stat_name = + fmt::format("reverse_connections.host.{}.{}", host_address, state_suffix); + Stats::StatNameManagedStorage host_stat_name_storage(host_stat_name, stats_store.symbolTable()); + auto& host_gauge = stats_store.gaugeFromStatName(host_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); if (increment) { host_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented host stat {} to {}", @@ -1648,11 +1593,14 @@ void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& h } } - // Create/update cluster connection stat with state suffix + // Create/update cluster connection stat with state suffix. if (!cluster_id.empty() && !state_suffix.empty()) { - std::string cluster_stat_name = fmt::format("reverse_connections.cluster.{}.{}", cluster_id, state_suffix); - auto& cluster_gauge = - stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + std::string cluster_stat_name = + fmt::format("reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); if (increment) { cluster_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented cluster stat {} to {}", @@ -1664,30 +1612,35 @@ void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& h } } - // Also update per-worker stats for debugging + // Also update per-worker stats for debugging. updatePerWorkerConnectionStats(host_address, cluster_id, state_suffix, increment); } -void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats(const std::string& host_address, - const std::string& cluster_id, - const std::string& state_suffix, - bool increment) { +void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats( + const std::string& host_address, const std::string& cluster_id, const std::string& state_suffix, + bool increment) { auto& stats_store = context_.scope(); - // Get dispatcher name from the thread local dispatcher - std::string dispatcher_name = "main_thread"; // Default for main thread + // Get dispatcher name from the thread local dispatcher. + std::string dispatcher_name; auto* local_registry = getLocalRegistry(); - if (local_registry) { - // Dispatcher name is of the form "worker_x" where x is the worker index - dispatcher_name = local_registry->dispatcher().name(); + if (local_registry == nullptr) { + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: No local registry found"); + return; } + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Updating stats for worker {}", + dispatcher_name); - // Create/update per-worker host connection stat + // Create/update per-worker host connection stat. if (!host_address.empty() && !state_suffix.empty()) { - std::string worker_host_stat_name = - fmt::format("reverse_connections.{}.host.{}.{}", dispatcher_name, host_address, state_suffix); - auto& worker_host_gauge = - stats_store.gaugeFromString(worker_host_stat_name, Stats::Gauge::ImportMode::NeverImport); + std::string worker_host_stat_name = fmt::format("reverse_connections.{}.host.{}.{}", + dispatcher_name, host_address, state_suffix); + Stats::StatNameManagedStorage worker_host_stat_name_storage(worker_host_stat_name, + stats_store.symbolTable()); + auto& worker_host_gauge = stats_store.gaugeFromStatName( + worker_host_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_host_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker host stat {} to {}", @@ -1699,12 +1652,14 @@ void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats(const std:: } } - // Create/update per-worker cluster connection stat + // Create/update per-worker cluster connection stat. if (!cluster_id.empty() && !state_suffix.empty()) { - std::string worker_cluster_stat_name = - fmt::format("reverse_connections.{}.cluster.{}.{}", dispatcher_name, cluster_id, state_suffix); - auto& worker_cluster_gauge = - stats_store.gaugeFromString(worker_cluster_stat_name, Stats::Gauge::ImportMode::NeverImport); + std::string worker_cluster_stat_name = fmt::format("reverse_connections.{}.cluster.{}.{}", + dispatcher_name, cluster_id, state_suffix); + Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, + stats_store.symbolTable()); + auto& worker_cluster_gauge = stats_store.gaugeFromStatName( + worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); if (increment) { worker_cluster_gauge.inc(); ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker cluster stat {} to {}", @@ -1717,7 +1672,8 @@ void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats(const std:: } } -absl::flat_hash_map ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { +absl::flat_hash_map +ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { absl::flat_hash_map stats_map; auto& stats_store = context_.scope(); @@ -1739,16 +1695,18 @@ absl::flat_hash_map ReverseTunnelInitiatorExtension::getC }; stats_store.iterate(gauge_callback); - ENVOY_LOG(debug, - "ReverseTunnelInitiatorExtension: collected {} stats for reverse connections across all " - "worker threads", - stats_map.size()); + ENVOY_LOG( + debug, + "ReverseTunnelInitiatorExtension: collected {} stats for reverse connections across all " + "worker threads", + stats_map.size()); return stats_map; } std::pair, std::vector> -ReverseTunnelInitiatorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { +ReverseTunnelInitiatorExtension::getConnectionStatsSync( + std::chrono::milliseconds /* timeout_ms */) { ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: obtaining reverse connection stats"); // Get all gauges with the reverse_connections prefix. @@ -1758,24 +1716,27 @@ ReverseTunnelInitiatorExtension::getConnectionStatsSync(std::chrono::millisecond std::vector accepted_connections; // Process the stats to extract connection information - // For initiator, stats format is: reverse_connections.host.. or reverse_connections.cluster.. - // We only want hosts/clusters with "connected" state + // For initiator, stats format is: reverse_connections.host.. or + // reverse_connections.cluster.. We only want hosts/clusters with + // "connected" state for (const auto& [stat_name, count] : connection_stats) { if (count > 0) { - // Parse stat name to extract host/cluster information with state suffix - if (stat_name.find("reverse_connections.host.") != std::string::npos && + // Parse stat name to extract host/cluster information with state suffix. + if (stat_name.find("reverse_connections.host.") != std::string::npos && stat_name.find(".connected") != std::string::npos) { - // Find the position after "reverse_connections.host." and before ".connected" - size_t start_pos = stat_name.find("reverse_connections.host.") + strlen("reverse_connections.host."); + // Find the position after "reverse_connections.host." and before ".connected". + size_t start_pos = + stat_name.find("reverse_connections.host.") + strlen("reverse_connections.host."); size_t end_pos = stat_name.find(".connected"); if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { std::string host_address = stat_name.substr(start_pos, end_pos - start_pos); connected_hosts.push_back(host_address); } - } else if (stat_name.find("reverse_connections.cluster.") != std::string::npos && + } else if (stat_name.find("reverse_connections.cluster.") != std::string::npos && stat_name.find(".connected") != std::string::npos) { - // Find the position after "reverse_connections.cluster." and before ".connected" - size_t start_pos = stat_name.find("reverse_connections.cluster.") + strlen("reverse_connections.cluster."); + // Find the position after "reverse_connections.cluster." and before ".connected". + size_t start_pos = + stat_name.find("reverse_connections.cluster.") + strlen("reverse_connections.cluster."); size_t end_pos = stat_name.find(".connected"); if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { std::string cluster_id = stat_name.substr(start_pos, end_pos - start_pos); @@ -1800,11 +1761,13 @@ absl::flat_hash_map ReverseTunnelInitiatorExtension::getP std::string dispatcher_name = "main_thread"; // Default for main thread auto* local_registry = getLocalRegistry(); if (local_registry) { - // Dispatcher name is of the form "worker_x" where x is the worker index + // Dispatcher name is of the form "worker_x" where x is the worker index. dispatcher_name = local_registry->dispatcher().name(); } + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Getting per worker stats map for {}", + dispatcher_name); - // Iterate through all gauges and filter for the current dispatcher + // Iterate through all gauges and filter for the current dispatcher. Stats::IterateFn gauge_callback = [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); @@ -1829,8 +1792,6 @@ absl::flat_hash_map ReverseTunnelInitiatorExtension::getP REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); - - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 0d2fe397c4bbc..0b110e8b54481 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -49,6 +49,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, public Event::DeferredDeletable, public Logger::Loggable { friend class SimpleConnReadFilterTest; + public: /** * Constructor for RCConnectionWrapper. @@ -118,7 +119,8 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, private: /** - * Simplified read filter for HTTP fallback during gRPC migration. + * Simplified read filter for reading HTTP replies sent by upstream envoy + * during reverse connection handshake. */ struct SimpleConnReadFilter : public Network::ReadFilterBaseImpl { SimpleConnReadFilter(RCConnectionWrapper* parent) : parent_(parent) {} @@ -129,6 +131,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, }; ReverseConnectionIOHandle& parent_; + // The connection to the upstream envoy instance. Network::ClientConnectionPtr connection_; Upstream::HostDescriptionConstSharedPtr host_; const std::string cluster_name_; @@ -140,10 +143,7 @@ static constexpr absl::string_view kCrlf = "\r\n"; static constexpr absl::string_view kDoubleCrlf = "\r\n\r\n"; // Connection timing constants. -static constexpr uint32_t kDefaultReconnectIntervalMs = 5000; // 5 seconds. static constexpr uint32_t kDefaultMaxReconnectAttempts = 10; -static constexpr uint32_t kDefaultHealthCheckIntervalMs = 30000; // 30 seconds. -static constexpr uint32_t kDefaultConnectionTimeoutMs = 10000; // 10 seconds. } // namespace /** @@ -166,16 +166,14 @@ enum class ReverseConnectionState { struct RemoteClusterConnectionConfig { std::string cluster_name; // Name of the remote cluster. uint32_t reverse_connection_count; // Number of reverse connections to maintain per host. - uint32_t reconnect_interval_ms; // Interval between reconnection attempts in milliseconds. - uint32_t max_reconnect_attempts; // Maximum number of reconnection attempts. - bool enable_health_check; // Whether to enable health checks for this cluster. + // TODO(basundhara-c): Implement retry logic using max_reconnect_attempts for connections to this + // cluster. This is the max reconnection attempts made for a cluster when the initial reverse + // connection attempt fails. + uint32_t max_reconnect_attempts; // Maximum number of reconnection attempts. RemoteClusterConnectionConfig(const std::string& name, uint32_t count, - uint32_t reconnect_ms = kDefaultReconnectIntervalMs, - uint32_t max_attempts = kDefaultMaxReconnectAttempts, - bool health_check = true) - : cluster_name(name), reverse_connection_count(count), reconnect_interval_ms(reconnect_ms), - max_reconnect_attempts(max_attempts), enable_health_check(health_check) {} + uint32_t max_attempts = kDefaultMaxReconnectAttempts) + : cluster_name(name), reverse_connection_count(count), max_reconnect_attempts(max_attempts) {} }; /** @@ -185,35 +183,41 @@ struct ReverseConnectionSocketConfig { std::string src_cluster_id; // Cluster identifier of local envoy instance. std::string src_node_id; // Node identifier of local envoy instance. std::string src_tenant_id; // Tenant identifier of local envoy instance. + // TODO(basundhara-c): Add support for multiple remote clusters using the same + // ReverseConnectionIOHandle. Currently, each ReverseConnectionIOHandle handles + // reverse connections for a single upstream cluster since a different ReverseConnectionAddress + // is created for different upstream clusters. Eventually, we should embed metadata for + // multiple remote clusters in the same ReverseConnectionAddress and therefore should be able + // to use a single ReverseConnectionIOHandle for multiple remote clusters. std::vector - remote_clusters; // List of remote cluster configurations. - uint32_t health_check_interval_ms; // Interval for health checks in milliseconds. - uint32_t connection_timeout_ms; // Connection timeout in milliseconds. - bool enable_metrics; // Whether to enable metrics collection. - bool enable_circuit_breaker; // Whether to enable circuit breaker functionality. - - ReverseConnectionSocketConfig() - : health_check_interval_ms(kDefaultHealthCheckIntervalMs), - connection_timeout_ms(kDefaultConnectionTimeoutMs), enable_metrics(true), - enable_circuit_breaker(true) {} + remote_clusters; // List of remote cluster configurations. + bool enable_circuit_breaker; // Whether to place a cluster in backoff when reverse connection + // attempts fail. + ReverseConnectionSocketConfig() : enable_circuit_breaker(true) {} }; /** * This class handles the lifecycle of reverse connections, including establishment, * maintenance, and cleanup of connections to remote clusters. + * At this point, a ReverseConnectionIOHandle is created for each upstream cluster. + * This is because a different ReverseConnectionAddress is created for each upstream cluster. + * This ReverseConnectionIOHandle initiates TCP connections to each host of the upstream cluster, + * and caches the IOHandle for serving requests coming from the upstream cluster. */ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, public Network::ConnectionCallbacks { - + // Define friend classes for testing. friend class ReverseConnectionIOHandleTest; friend class RCConnectionWrapperTest; + friend class DownstreamReverseConnectionIOHandleTest; + public: /** * Constructor for ReverseConnectionIOHandle. * @param fd the file descriptor for listener socket. * @param config the configuration for reverse connections. * @param cluster_manager the cluster manager for accessing upstream clusters. - * @param socket_interface reference to the parent socket interface. + * @param extension the extension for stats updates. * @param scope the stats scope for metrics collection. */ ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, @@ -225,8 +229,8 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Network::IoHandle overrides. /** * Override of listen method for reverse connections. - * Initiates reverse connection establishment to configured remote clusters. - * @param backlog the listen backlog (unused for reverse connections). + * No-op for reverse connections. + * @param backlog the listen backlog. * @return SysCallIntResult with success status. */ Api::SysCallIntResult listen(int backlog) override; @@ -260,7 +264,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, /** * Override of connect method for reverse connections. * For reverse connections, this is not used since we connect to the upstream clusters in - * listen(). + * initializeFileEvent(). * @param address the target address (unused for reverse connections). * @return SysCallIntResult with success status. */ @@ -273,14 +277,14 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, Api::IoCallUint64Result close() override; /** - * Override of initializeFileEvent to defer work to worker thread. + * Triggers the reverse connection workflow. * @param dispatcher the event dispatcher. * @param cb the file ready callback. * @param trigger the file trigger type. * @param events the events to monitor. */ void initializeFileEvent(Event::Dispatcher& dispatcher, Event::FileReadyCb cb, - Event::FileTriggerType trigger, uint32_t events) override; + Event::FileTriggerType trigger, uint32_t events) override; // Network::ConnectionCallbacks. /** @@ -300,12 +304,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, */ void onBelowWriteBufferLowWatermark() override {} - /** - * Check if trigger mechanism is ready for accepting connections. - * @return true if the trigger mechanism is initialized and ready. - */ - bool isTriggerReady() const; - /** * Get the file descriptor for the pipe monitor used to wake up accept(). * @return the file descriptor for the pipe monitor @@ -314,7 +312,9 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // Callbacks from RCConnectionWrapper. /** - * Called when a reverse connection handshake completes. + * Called when a reverse connection handshake completes. This method wakes up accept() if the + * reverse connection handshake was successful. If not, it performs necessary cleanup and triggers + * backoff for the host. * @param error error message if the handshake failed, empty string if successful. * @param wrapper pointer to the connection wrapper that wraps over the established connection. * @param closed whether the connection was closed during handshake. @@ -332,7 +332,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, const std::string& cluster_name); /** - * Track a connection failure for a specific host and cluster and apply backoff logic. + * Track a connection failure for a specific host and cluster and trigger backoff logic. * @param host_address the address of the host that failed. * @param cluster_name the name of the cluster the host belongs to. */ @@ -357,7 +357,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, /** * Update state-specific gauge using switch case logic (combined increment/decrement). * @param host_address the address of the host - * @param cluster_name the name of the cluster + * @param cluster_name the name of the cluster * @param state the connection state to update * @param increment whether to increment (true) or decrement (false) the gauge */ @@ -374,7 +374,8 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, const std::string& connection_key); /** - * Handle downstream connection closure and trigger re-initiation. + * Handle downstream connection closure and update internal maps so that the next + * maintenance cycle re-initiates the connection. * @param connection_key the unique key identifying the closed connection. */ void onDownstreamConnectionClosed(const std::string& connection_key); @@ -392,14 +393,13 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, ReverseTunnelInitiatorExtension* getDownstreamExtension() const; private: - /** * @return reference to the thread-local dispatcher */ Event::Dispatcher& getThreadLocalDispatcher() const; /** - * Check if thread-local dispatcher is available (not destroyed during shutdown) + * Check if thread-local dispatcher is available. * @return true if dispatcher is available and safe to use */ bool isThreadLocalDispatcherAvailable() const; @@ -410,7 +410,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, void createTriggerMechanism(); // Functions to maintain connections to remote clusters. - /** * Maintain reverse connections for all configured clusters. * Initiates and maintains the required number of connections to each remote cluster. @@ -475,21 +474,19 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, * Contains all information needed to track and manage connections to a specific host. */ struct HostConnectionInfo { - std::string host_address; // Host address - std::string cluster_name; // Cluster to which host belongs - absl::flat_hash_set connection_keys; // Connection keys for stats tracking - uint32_t target_connection_count; // Target connection count for the host - uint32_t failure_count{0}; // Number of consecutive failures - std::chrono::steady_clock::time_point last_failure_time{ - std::chrono::steady_clock::now()}; // Time of last failure - std::chrono::steady_clock::time_point backoff_until{ - std::chrono::steady_clock::now()}; // Backoff end time + std::string host_address; // Host address + std::string cluster_name; // Cluster to which host belongs + absl::flat_hash_set connection_keys; // Connection keys for stats tracking + uint32_t target_connection_count; // Target connection count for the host + uint32_t failure_count{0}; // Number of consecutive failures + std::chrono::steady_clock::time_point last_failure_time; // NO_CHECK_FORMAT(real_time) + std::chrono::steady_clock::time_point backoff_until; // NO_CHECK_FORMAT(real_time) absl::flat_hash_map connection_states; // State tracking per connection }; // Map from host address to connection info. - std::unordered_map host_to_conn_info_map_; + absl::flat_hash_map host_to_conn_info_map_; // Map from cluster name to set of resolved hosts absl::flat_hash_map> cluster_to_resolved_hosts_map_; @@ -502,7 +499,7 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, std::vector> connection_wrappers_; // Active connection wrappers // Mapping from wrapper to host. This designates the number of successful connections to a host. - std::unordered_map conn_wrapper_to_host_map_; + absl::flat_hash_map conn_wrapper_to_host_map_; // Simple pipe-based trigger mechanism to wake up accept() when a connection is established. // Inlined directly for simplicity and reduced test coverage requirements. @@ -514,17 +511,14 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, // to determine the connection that got established last. std::queue established_connections_; - // Socket cache to prevent socket objects from going out of scope - // Maps connection key to socket object. - // Socket cache removed - sockets are now managed via RAII in DownstreamReverseConnectionIOHandle - // Single retry timer for all clusters Event::TimerPtr rev_conn_retry_timer_; - bool is_reverse_conn_started_{false}; // Whether reverse connections have been started on worker thread + bool is_reverse_conn_started_{ + false}; // Whether reverse connections have been started on worker thread Event::Dispatcher* worker_dispatcher_{nullptr}; // Dispatcher for the worker thread - // Store original socket FD for cleanup + // Store original socket FD for cleanup. os_fd_t original_socket_fd_{-1}; }; @@ -555,14 +549,13 @@ class DownstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { /** * Socket interface that creates reverse connection sockets. * This class implements the SocketInterface interface to provide reverse connection - * functionality for downstream connections. It manages the establishment and maintenance - * of reverse TCP connections to remote clusters. + * functionality for downstream connections. */ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, public Envoy::Logger::Loggable { // Friend class for testing friend class ReverseTunnelInitiatorTest; - + public: ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context); @@ -613,10 +606,6 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const; - // Socket interface functionality only - factory methods moved to ReverseTunnelInitiatorFactory - - - /** * Get the extension instance for accessing cross-thread aggregation capabilities. * @return pointer to the extension, or nullptr if not available @@ -624,14 +613,14 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, ReverseTunnelInitiatorExtension* getExtension() const { return extension_; } // BootstrapExtensionFactory implementation - Server::BootstrapExtensionPtr createBootstrapExtension( - const Protobuf::Message& config, - Server::Configuration::ServerFactoryContext& context) override; - + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override; + ProtobufTypes::MessagePtr createEmptyConfigProto() override; - - std::string name() const override { - return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; + + std::string name() const override { + return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; } ReverseTunnelInitiatorExtension* extension_; @@ -649,7 +638,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, public Logger::Loggable { // Friend class for testing friend class ReverseTunnelInitiatorExtensionTest; - + public: ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, @@ -665,9 +654,10 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, DownstreamSocketThreadLocal* getLocalRegistry() const; /** - * Update connection stats for reverse connections. + * Update all connection stats for reverse connections. This updates the cross-worker stats + * as well as the per-worker stats. * @param node_id the node identifier for the connection - * @param cluster_id the cluster identifier for the connection + * @param cluster_id the cluster identifier for the connection * @param state_suffix the state suffix (e.g., "connecting", "connected", "failed") * @param increment whether to increment (true) or decrement (false) the connection count */ @@ -676,7 +666,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, /** * Update per-worker connection stats for debugging purposes. - * Creates worker-specific stats "reverse_connections.{worker_name}.node.{node_id}.{state_suffix}". + * Creates worker-specific stats * @param node_id the node identifier for the connection * @param cluster_id the cluster identifier for the connection * @param state_suffix the state suffix for the connection @@ -692,7 +682,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, absl::flat_hash_map getPerWorkerStatMap(); /** - * Get cross-worker stat map across all dispatchers. + * Get cross-worker stat map across all workers. * @return map of stat names to values across all worker threads */ absl::flat_hash_map getCrossWorkerStatMap(); @@ -702,7 +692,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, * @param timeout_ms timeout for the operation * @return pair of vectors containing connected nodes and accepted connections */ - std::pair, std::vector> + std::pair, std::vector> getConnectionStatsSync(std::chrono::milliseconds timeout_ms); /** @@ -713,11 +703,12 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, /** * Test-only method to set the thread local slot for testing purposes. - * This allows tests to inject a custom thread local registry without - * requiring friend class access. + * This allows tests to inject a custom thread local registry and is used + * in unit tests to simulate different worker threads. * @param slot the thread local slot to set */ - void setTestOnlyTLSRegistry(std::unique_ptr> slot) { + void setTestOnlyTLSRegistry( + std::unique_ptr> slot) { tls_slot_ = std::move(slot); } @@ -736,9 +727,8 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, */ class ReverseConnectionLoadBalancerContext : public Upstream::LoadBalancerContextBase { public: - explicit ReverseConnectionLoadBalancerContext(const std::string& host_to_select) { - host_to_select_ = std::make_pair(host_to_select, false); - } + explicit ReverseConnectionLoadBalancerContext(const std::string& host_to_select) + : host_string_(host_to_select), host_to_select_(host_string_, false) {} /** * @return optional OverrideHost specifying the host to initiate reverse connection to. @@ -748,9 +738,45 @@ class ReverseConnectionLoadBalancerContext : public Upstream::LoadBalancerContex } private: + // Own the string data. This is to prevent use after free when the host_to_select + // is destroyed. + std::string host_string_; OverrideHost host_to_select_; }; +/** + * Custom IoHandle for downstream reverse connections that owns a ConnectionSocket. + * This class is used internally by ReverseConnectionIOHandle to manage the lifecycle + * of accepted downstream connections. + */ +class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructor that takes ownership of the socket and stores parent pointer and connection key. + */ + DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + ReverseConnectionIOHandle* parent, + const std::string& connection_key); + + ~DownstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + Api::IoCallUint64Result close() override; + + /** + * Get the owned socket for read-only access. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The socket that this IOHandle owns and manages lifetime for + Network::ConnectionSocketPtr owned_socket_; + // Pointer to parent ReverseConnectionIOHandle for connection lifecycle management + ReverseConnectionIOHandle* parent_; + // Connection key for tracking this specific connection + std::string connection_key_; +}; + } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index 66736c4cdff84..e43b22e0129a7 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -58,6 +58,7 @@ envoy_extension_cc_test( "//test/mocks/thread_local:thread_local_mocks", "//test/mocks/upstream:upstream_mocks", "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], ) @@ -68,8 +69,11 @@ envoy_cc_test( srcs = ["reverse_connection_address_test.cc"], deps = [ "//source/common/network:address_lib", + "//source/common/network:default_socket_interface_lib", + "//source/common/singleton:threadsafe_singleton", "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_address_lib", "//test/mocks/network:network_mocks", + "//test/test_common:registry_lib", "//test/test_common:test_runtime_lib", ], ) @@ -83,5 +87,6 @@ envoy_cc_test( "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_resolver_lib", "//test/mocks/network:network_mocks", "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc index e12bfcc12ec30..712e6bd7ed994 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc @@ -1,5 +1,11 @@ +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/singleton/threadsafe_singleton.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "test/mocks/network/mocks.h" +#include "test/test_common/registry.h" + #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -16,80 +22,79 @@ class ReverseConnectionAddressTest : public testing::Test { protected: void SetUp() override {} - // Helper function to create a test config + // Helper function to create a test config. ReverseConnectionAddress::ReverseConnectionConfig createTestConfig() { return ReverseConnectionAddress::ReverseConnectionConfig{ - "test-node-123", - "test-cluster-456", - "test-tenant-789", - "remote-cluster-abc", - 5 - }; + "test-node-123", "test-cluster-456", "test-tenant-789", "remote-cluster-abc", 5}; } - // Helper function to create a test address + // Helper function to create a test address. ReverseConnectionAddress createTestAddress() { return ReverseConnectionAddress(createTestConfig()); } + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); }; -// Test constructor and basic properties +// Test constructor and basic properties. TEST_F(ReverseConnectionAddressTest, BasicSetup) { auto config = createTestConfig(); ReverseConnectionAddress address(config); - // Test that the address string is set correctly + // Test that the address string is set correctly. EXPECT_EQ(address.asString(), "127.0.0.1:0"); EXPECT_EQ(address.asStringView(), "127.0.0.1:0"); - // Test that the logical name is formatted correctly - std::string expected_logical_name = "rc://test-node-123:test-cluster-456:test-tenant-789@remote-cluster-abc:5"; + // Test that the logical name is formatted correctly. + std::string expected_logical_name = + "rc://test-node-123:test-cluster-456:test-tenant-789@remote-cluster-abc:5"; EXPECT_EQ(address.logicalName(), expected_logical_name); - // Test address type + // Test address type. EXPECT_EQ(address.type(), Network::Address::Type::Ip); EXPECT_EQ(address.addressType(), "reverse_connection"); } -// Test equality operator +// Test equality operator. TEST_F(ReverseConnectionAddressTest, EqualityOperator) { auto config1 = createTestConfig(); auto config2 = createTestConfig(); - + ReverseConnectionAddress address1(config1); ReverseConnectionAddress address2(config2); - // Same config should be equal + // Same config should be equal. EXPECT_TRUE(address1 == address2); EXPECT_TRUE(address2 == address1); - // Different configs should not be equal + // Different configs should not be equal. config2.src_node_id = "different-node"; ReverseConnectionAddress address3(config2); EXPECT_FALSE(address1 == address3); EXPECT_FALSE(address3 == address1); } -// Test equality with different address types +// Test equality with different address types. TEST_F(ReverseConnectionAddressTest, EqualityWithDifferentTypes) { auto config = createTestConfig(); ReverseConnectionAddress address(config); - - // Create a regular IPv4 address + + // Create a regular IPv4 address. auto regular_address = std::make_shared("127.0.0.1", 8080); - - // Should not be equal to different address types + + // Should not be equal to different address types. EXPECT_FALSE(address == *regular_address); EXPECT_FALSE(*regular_address == address); } -// Test reverse connection config accessor +// Test reverse connection config accessor. TEST_F(ReverseConnectionAddressTest, ReverseConnectionConfig) { auto config = createTestConfig(); ReverseConnectionAddress address(config); const auto& retrieved_config = address.reverseConnectionConfig(); - + EXPECT_EQ(retrieved_config.src_node_id, config.src_node_id); EXPECT_EQ(retrieved_config.src_cluster_id, config.src_cluster_id); EXPECT_EQ(retrieved_config.src_tenant_id, config.src_tenant_id); @@ -97,22 +102,22 @@ TEST_F(ReverseConnectionAddressTest, ReverseConnectionConfig) { EXPECT_EQ(retrieved_config.connection_count, config.connection_count); } -// Test IP address properties +// Test IP address properties. TEST_F(ReverseConnectionAddressTest, IpAddressProperties) { auto config = createTestConfig(); ReverseConnectionAddress address(config); - // Should have IP address + // Should have IP address. EXPECT_NE(address.ip(), nullptr); EXPECT_EQ(address.ip()->addressAsString(), "127.0.0.1"); EXPECT_EQ(address.ip()->port(), 0); - // Should not have pipe or envoy internal address + // Should not have pipe or envoy internal address. EXPECT_EQ(address.pipe(), nullptr); EXPECT_EQ(address.envoyInternalAddress(), nullptr); } -// Test socket address properties +// Test socket address properties. TEST_F(ReverseConnectionAddressTest, SocketAddressProperties) { auto config = createTestConfig(); ReverseConnectionAddress address(config); @@ -123,34 +128,101 @@ TEST_F(ReverseConnectionAddressTest, SocketAddressProperties) { socklen_t addr_len = address.sockAddrLen(); EXPECT_EQ(addr_len, sizeof(struct sockaddr_in)); - // Verify the sockaddr structure + // Verify the sockaddr structure. const struct sockaddr_in* addr_in = reinterpret_cast(sock_addr); EXPECT_EQ(addr_in->sin_family, AF_INET); - EXPECT_EQ(addr_in->sin_port, htons(0)); // Port 0 + EXPECT_EQ(addr_in->sin_port, htons(0)); // Port 0 EXPECT_EQ(addr_in->sin_addr.s_addr, htonl(INADDR_LOOPBACK)); // 127.0.0.1 } -// Test network namespace +// Test network namespace. TEST_F(ReverseConnectionAddressTest, NetworkNamespace) { auto config = createTestConfig(); ReverseConnectionAddress address(config); - // Should not have a network namespace + // Should not have a network namespace. auto namespace_opt = address.networkNamespace(); EXPECT_FALSE(namespace_opt.has_value()); } -// Test socket interface +// Test socket interface. TEST_F(ReverseConnectionAddressTest, SocketInterface) { auto config = createTestConfig(); ReverseConnectionAddress address(config); - // Should return a socket interface (either reverse connection or default) + // Should return the default socket interface. const auto& socket_interface = address.socketInterface(); EXPECT_NE(&socket_interface, nullptr); } -// Test with empty configuration values +// Test socket interface with registered reverse connection interface. +TEST_F(ReverseConnectionAddressTest, SocketInterfaceWithReverseInterface) { + // Create a mock socket interface that extends SocketInterfaceBase and registers itself + class TestReverseSocketInterface : public Network::SocketInterfaceBase { + public: + TestReverseSocketInterface() = default; + + // Network::SocketInterface + Network::IoHandlePtr socket(Network::Socket::Type socket_type, Network::Address::Type addr_type, + Network::Address::IpVersion version, bool socket_v6only, + const Network::SocketCreationOptions& options) const override { + UNREFERENCED_PARAMETER(socket_v6only); + UNREFERENCED_PARAMETER(options); + // Create a regular socket for testing + if (socket_type == Network::Socket::Type::Stream && addr_type == Network::Address::Type::Ip) { + int domain = (version == Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + int sock_fd = ::socket(domain, SOCK_STREAM, 0); + if (sock_fd == -1) { + return nullptr; + } + return std::make_unique(sock_fd); + } + return nullptr; + } + + Network::IoHandlePtr socket(Network::Socket::Type socket_type, + const Network::Address::InstanceConstSharedPtr addr, + const Network::SocketCreationOptions& options) const override { + // Delegate to the other socket method + return socket(socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Network::Address::IpVersion::v4, false, + options); + } + + bool ipFamilySupported(int domain) override { return domain == AF_INET || domain == AF_INET6; } + + // Server::Configuration::BootstrapExtensionFactory + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override { + UNREFERENCED_PARAMETER(config); + UNREFERENCED_PARAMETER(context); + return nullptr; + } + + ProtobufTypes::MessagePtr createEmptyConfigProto() override { return nullptr; } + + std::string name() const override { + return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; + } + + std::set configTypes() override { return {}; } + }; + + // Register the test interface in the registry + TestReverseSocketInterface test_interface; + Registry::InjectFactory registered_factory( + test_interface); + + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should return the registered test socket interface. + const auto& socket_interface = address.socketInterface(); + EXPECT_EQ(&socket_interface, &test_interface); +} + +// Test with empty configuration values. TEST_F(ReverseConnectionAddressTest, EmptyConfigValues) { ReverseConnectionAddress::ReverseConnectionConfig config; config.src_node_id = ""; @@ -161,7 +233,7 @@ TEST_F(ReverseConnectionAddressTest, EmptyConfigValues) { ReverseConnectionAddress address(config); - // Should still work with empty values + // Should still work with empty values. EXPECT_EQ(address.asString(), "127.0.0.1:0"); EXPECT_EQ(address.logicalName(), "rc://::@:0"); @@ -173,7 +245,7 @@ TEST_F(ReverseConnectionAddressTest, EmptyConfigValues) { EXPECT_EQ(retrieved_config.connection_count, 0); } -// Test multiple instances with different configurations +// Test multiple instances with different configurations. TEST_F(ReverseConnectionAddressTest, MultipleInstances) { ReverseConnectionAddress::ReverseConnectionConfig config1; config1.src_node_id = "node1"; @@ -192,29 +264,29 @@ TEST_F(ReverseConnectionAddressTest, MultipleInstances) { ReverseConnectionAddress address1(config1); ReverseConnectionAddress address2(config2); - // Should not be equal + // Should not be equal. EXPECT_FALSE(address1 == address2); EXPECT_FALSE(address2 == address1); - // Should have different logical names + // Should have different logical names. EXPECT_NE(address1.logicalName(), address2.logicalName()); // Should have same address string (both use 127.0.0.1:0) EXPECT_EQ(address1.asString(), address2.asString()); } -// Test copy constructor and assignment (if implemented) +// Test copy constructor and assignment (if implemented). TEST_F(ReverseConnectionAddressTest, CopyAndAssignment) { auto config = createTestConfig(); ReverseConnectionAddress original(config); - // Test copy constructor + // Test copy constructor. ReverseConnectionAddress copied(original); EXPECT_TRUE(original == copied); EXPECT_EQ(original.logicalName(), copied.logicalName()); EXPECT_EQ(original.asString(), copied.asString()); - // Test assignment operator + // Test assignment operator. ReverseConnectionAddress::ReverseConnectionConfig config2; config2.src_node_id = "different-node"; config2.src_cluster_id = "different-cluster"; @@ -231,4 +303,4 @@ TEST_F(ReverseConnectionAddressTest, CopyAndAssignment) { } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc index 7ef3fab453900..3fb9f3dc7d237 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc @@ -1,6 +1,8 @@ +#include "envoy/config/core/v3/address.pb.h" + #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h" -#include "envoy/config/core/v3/address.pb.h" +#include "test/test_common/logging.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -18,40 +20,44 @@ class ReverseConnectionResolverTest : public testing::Test { protected: void SetUp() override {} - // Helper function to create a valid socket address - envoy::config::core::v3::SocketAddress createSocketAddress(const std::string& address, uint32_t port = 0) { + // Helper function to create a valid socket address. + envoy::config::core::v3::SocketAddress createSocketAddress(const std::string& address, + uint32_t port = 0) { envoy::config::core::v3::SocketAddress socket_address; socket_address.set_address(address); socket_address.set_port_value(port); return socket_address; } - // Helper function to create a valid reverse connection address string + // Helper function to create a valid reverse connection address string. std::string createReverseConnectionAddress(const std::string& src_node_id, - const std::string& src_cluster_id, - const std::string& src_tenant_id, - const std::string& cluster_name, - uint32_t count) { - return fmt::format("rc://{}:{}:{}@{}:{}", src_node_id, src_cluster_id, src_tenant_id, cluster_name, count); + const std::string& src_cluster_id, + const std::string& src_tenant_id, + const std::string& cluster_name, uint32_t count) { + return fmt::format("rc://{}:{}:{}@{}:{}", src_node_id, src_cluster_id, src_tenant_id, + cluster_name, count); } - // Helper function to access the private extractReverseConnectionConfig method - absl::StatusOr + // Helper function to access the private extractReverseConnectionConfig method. + absl::StatusOr extractReverseConnectionConfig(const envoy::config::core::v3::SocketAddress& socket_address) { return resolver_.extractReverseConnectionConfig(socket_address); } ReverseConnectionResolver resolver_; + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); }; -// Test the name() method +// Test the name() method. TEST_F(ReverseConnectionResolverTest, Name) { EXPECT_EQ(resolver_.name(), "envoy.resolvers.reverse_connection"); } -// Test successful resolution of a valid reverse connection address +// Test successful resolution of a valid reverse connection address. TEST_F(ReverseConnectionResolverTest, ResolveValidAddress) { - std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", "test-tenant", "remote-cluster", 5); + std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", + "test-tenant", "remote-cluster", 5); auto socket_address = createSocketAddress(address_str); auto result = resolver_.resolve(socket_address); @@ -60,11 +66,12 @@ TEST_F(ReverseConnectionResolverTest, ResolveValidAddress) { auto resolved_address = result.value(); EXPECT_NE(resolved_address, nullptr); - // Verify it's a ReverseConnectionAddress - auto reverse_address = std::dynamic_pointer_cast(resolved_address); + // Verify it's a ReverseConnectionAddress. + auto reverse_address = + std::dynamic_pointer_cast(resolved_address); EXPECT_NE(reverse_address, nullptr); - // Verify the configuration + // Verify the configuration. const auto& config = reverse_address->reverseConnectionConfig(); EXPECT_EQ(config.src_node_id, "test-node"); EXPECT_EQ(config.src_cluster_id, "test-cluster"); @@ -73,7 +80,7 @@ TEST_F(ReverseConnectionResolverTest, ResolveValidAddress) { EXPECT_EQ(config.connection_count, 5); } -// Test resolution failure for non-reverse connection address +// Test resolution failure for non-reverse connection address. TEST_F(ReverseConnectionResolverTest, ResolveNonReverseConnectionAddress) { auto socket_address = createSocketAddress("127.0.0.1"); @@ -83,9 +90,10 @@ TEST_F(ReverseConnectionResolverTest, ResolveNonReverseConnectionAddress) { EXPECT_THAT(result.status().message(), testing::HasSubstr("Address must start with 'rc://'")); } -// Test resolution failure for non-zero port +// Test resolution failure for non-zero port. TEST_F(ReverseConnectionResolverTest, ResolveNonZeroPort) { - std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", "test-tenant", "remote-cluster", 5); + std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", + "test-tenant", "remote-cluster", 5); auto socket_address = createSocketAddress(address_str, 8080); // Non-zero port auto result = resolver_.resolve(socket_address); @@ -94,9 +102,10 @@ TEST_F(ReverseConnectionResolverTest, ResolveNonZeroPort) { EXPECT_THAT(result.status().message(), testing::HasSubstr("Only port 0 is supported")); } -// Test successful extraction of reverse connection config +// Test successful extraction of reverse connection config. TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigValid) { - std::string address_str = createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", "remote-cluster-abc", 10); + std::string address_str = createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", + "remote-cluster-abc", 10); auto socket_address = createSocketAddress(address_str); auto result = extractReverseConnectionConfig(socket_address); @@ -110,17 +119,18 @@ TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigValid) { EXPECT_EQ(config.connection_count, 10); } -// Test extraction failure for invalid format (missing @) -TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidFormat) { +// Test resolution failure for invalid format, +TEST_F(ReverseConnectionResolverTest, ResolveInvalidFormat) { auto socket_address = createSocketAddress("rc://node:cluster:tenant:cluster:5"); // Missing @ - auto result = extractReverseConnectionConfig(socket_address); + auto result = resolver_.resolve(socket_address); EXPECT_FALSE(result.ok()); EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); - EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid reverse connection address format")); + EXPECT_THAT(result.status().message(), + testing::HasSubstr("Invalid reverse connection address format")); } -// Test extraction failure for invalid source info format +// Test extraction failure for invalid source info format. TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidSourceInfo) { auto socket_address = createSocketAddress("rc://node:cluster@remote:5"); // Missing tenant_id @@ -130,7 +140,7 @@ TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidSourc EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid source info format")); } -// Test extraction failure for invalid cluster config format +// Test extraction failure for invalid cluster config format. TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidClusterConfig) { auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote"); // Missing count @@ -140,7 +150,7 @@ TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidClust EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid cluster config format")); } -// Test extraction failure for invalid connection count +// Test extraction failure for invalid connection count. TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidCount) { auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote:invalid"); @@ -150,9 +160,10 @@ TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidCount EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid connection count")); } -// Test extraction with zero connection count +// Test extraction with zero connection count. TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigZeroCount) { - std::string address_str = createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", "remote-cluster", 0); + std::string address_str = + createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", "remote-cluster", 0); auto socket_address = createSocketAddress(address_str); auto result = extractReverseConnectionConfig(socket_address); @@ -165,4 +176,4 @@ TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigZeroCount) { } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index 7922ca64ad4b8..dc952fdcca527 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -1,3 +1,8 @@ +#include +#include +#include + +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" #include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.pb.h" #include "envoy/network/socket_interface.h" #include "envoy/server/factory_context.h" @@ -6,7 +11,9 @@ #include "source/common/network/address_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/network/utility.h" +#include "source/common/protobuf/utility.h" #include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" #include "test/mocks/event/mocks.h" @@ -14,13 +21,10 @@ #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" #include "test/mocks/upstream/mocks.h" +#include "test/test_common/logging.h" #include "test/test_common/test_runtime.h" -// Include the protobuf message for HTTP handshake testing -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" - -#include - +#include "absl/container/flat_hash_map.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -38,51 +42,53 @@ namespace ReverseConnection { class ReverseTunnelInitiatorExtensionTest : public testing::Test { protected: ReverseTunnelInitiatorExtensionTest() { - // Set up the stats scope + // Set up the stats scope. stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - // Set up the mock context + // Set up the mock context. EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - // Create the socket interface + // Create the socket interface. socket_interface_ = std::make_unique(context_); - // Create the extension + // Create the extension. extension_ = std::make_unique(context_, config_); } - // Helper function to set up thread local slot for tests + // Helper function to set up thread local slot for tests. void setupThreadLocalSlot() { - // Create a thread local registry + // Create a thread local registry. thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); - // Create the actual TypedSlot + // Create the actual TypedSlot. tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - // Set up the slot to return our registry + // Set up the slot to return our registry. tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - // Set the slot in the extension using the test-only method + // Set the slot in the extension using the test-only method. extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); } void setupAnotherThreadLocalSlot() { - // Create a thread local registry for the other dispatcher + // Create a thread local registry for the other dispatcher. another_thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); - // Create the actual TypedSlot - another_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + // Create the actual TypedSlot. + another_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - // Set up the slot to return our registry - another_tls_slot_->set([registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + // Set up the slot to return our registry. + another_tls_slot_->set( + [registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); - // Set the slot in the extension using the test-only method + // Set the slot in the extension using the test-only method. extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); } @@ -106,16 +112,15 @@ class ReverseTunnelInitiatorExtensionTest : public testing::Test { std::unique_ptr socket_interface_; std::unique_ptr extension_; - // Real thread local slot and registry std::unique_ptr> tls_slot_; std::shared_ptr thread_local_registry_; std::unique_ptr> another_tls_slot_; std::shared_ptr another_thread_local_registry_; }; -// Basic functionality tests +// Basic functionality tests. TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { - // Test with empty config (should initialize successfully) + // Test with empty config (should initialize successfully). envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: DownstreamReverseConnectionSocketInterface empty_config; @@ -126,177 +131,186 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { } TEST_F(ReverseTunnelInitiatorExtensionTest, OnServerInitialized) { - // This should be a no-op + // This should be a no-op. extension_->onServerInitialized(); } TEST_F(ReverseTunnelInitiatorExtensionTest, OnWorkerThreadInitialized) { - // Test that onWorkerThreadInitialized creates thread local slot + // Test that onWorkerThreadInitialized creates thread local slot. extension_->onWorkerThreadInitialized(); - - // Verify that the thread local slot was created by checking getLocalRegistry + + // Verify that the thread local slot was created by checking getLocalRegistry. EXPECT_NE(extension_->getLocalRegistry(), nullptr); } -// Thread local registry access tests +// Thread local registry access tests. TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryBeforeInitialization) { - // Before tls_slot_ is set, getLocalRegistry should return nullptr + // Before tls_slot_ is set, getLocalRegistry should return nullptr. EXPECT_EQ(extension_->getLocalRegistry(), nullptr); } TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryAfterInitialization) { - - // First test with uninitialized TLS + + // First test with uninitialized TLS. EXPECT_EQ(extension_->getLocalRegistry(), nullptr); - // Initialize the thread local slot + // Initialize the thread local slot. setupThreadLocalSlot(); - // Now getLocalRegistry should return the actual registry + // Now getLocalRegistry should return the actual registry. auto* registry = extension_->getLocalRegistry(); EXPECT_NE(registry, nullptr); EXPECT_EQ(registry, thread_local_registry_.get()); - // Test multiple calls return same registry + // Test multiple calls return same registry. auto* registry2 = extension_->getLocalRegistry(); EXPECT_EQ(registry, registry2); } TEST_F(ReverseTunnelInitiatorExtensionTest, GetStatsScope) { - // Test that getStatsScope returns the correct scope + // Test that getStatsScope returns the correct scope. EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); } +TEST_F(ReverseTunnelInitiatorExtensionTest, DownstreamSocketThreadLocalScope) { + // Set up thread local slot first. + setupThreadLocalSlot(); + + // Get the thread local registry. + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + + // Test that the scope() method returns the correct scope. + EXPECT_EQ(®istry->scope(), stats_scope_.get()); +} + TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsIncrement) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Test updateConnectionStats with increment=true + + // Test updateConnectionStats with increment=true. std::string node_id = "test-node-123"; std::string cluster_id = "test-cluster-456"; std::string state_suffix = "connecting"; - - // Call updateConnectionStats to increment + + // Call updateConnectionStats to increment. extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); - - // Verify that the correct stats were created and incremented using cross-worker stat map + + // Verify that the correct stats were created and incremented using cross-worker stat map. auto stat_map = extension_->getCrossWorkerStatMap(); - - std::string expected_node_stat = fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); - std::string expected_cluster_stat = fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); - + + std::string expected_node_stat = + fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = + fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + EXPECT_EQ(stat_map[expected_node_stat], 1); EXPECT_EQ(stat_map[expected_cluster_stat], 1); - - // Debug: Print all stats to verify the stat map - std::cout << "\n=== UpdateConnectionStatsIncrement Stats ===" << std::endl; - for (const auto& [stat_name, value] : stat_map) { - std::cout << "Stat: " << stat_name << " = " << value << std::endl; - } - std::cout << "=============================================" << std::endl; } TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsDecrement) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Test updateConnectionStats with increment=false + + // Test updateConnectionStats with increment=false. std::string node_id = "test-node-789"; std::string cluster_id = "test-cluster-012"; std::string state_suffix = "connected"; - - // First increment to have something to decrement + + // First increment to have something to decrement. extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); - - // Verify incremented values using cross-worker stat map + + // Verify incremented values using cross-worker stat map. auto stat_map = extension_->getCrossWorkerStatMap(); - std::string expected_node_stat = fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); - std::string expected_cluster_stat = fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); - + std::string expected_node_stat = + fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = + fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + EXPECT_EQ(stat_map[expected_node_stat], 2); EXPECT_EQ(stat_map[expected_cluster_stat], 2); - - // Now decrement + + // Now decrement. extension_->updateConnectionStats(node_id, cluster_id, state_suffix, false); - - // Get updated stats after decrement + + // Get updated stats after decrement. stat_map = extension_->getCrossWorkerStatMap(); - + EXPECT_EQ(stat_map[expected_node_stat], 1); EXPECT_EQ(stat_map[expected_cluster_stat], 1); } TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsMultipleStates) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Test updateConnectionStats with multiple different states + + // Test updateConnectionStats with multiple different states. std::string node_id = "test-node-multi"; std::string cluster_id = "test-cluster-multi"; - - // Create stats for different states + + // Create stats for different states. extension_->updateConnectionStats(node_id, cluster_id, "connecting", true); extension_->updateConnectionStats(node_id, cluster_id, "connected", true); extension_->updateConnectionStats(node_id, cluster_id, "failed", true); - - // Verify all states have separate gauges using cross-worker stat map + + // Verify all states have separate gauges using cross-worker stat map. auto stat_map = extension_->getCrossWorkerStatMap(); - + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connecting", node_id)], 1); EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connected", node_id)], 1); EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.failed", node_id)], 1); } TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsEmptyValues) { - // Test updateConnectionStats with empty values - should not update stats + // Test updateConnectionStats with empty values - should not update stats. auto& stats_store = extension_->getStatsScope(); - - // Empty host_id - should not create/update stats + + // Empty host_id - should not create/update stats. extension_->updateConnectionStats("", "test-cluster", "connecting", true); - auto& empty_host_gauge = stats_store.gaugeFromString( - "reverse_connections.host..connecting", Stats::Gauge::ImportMode::Accumulate); + auto& empty_host_gauge = stats_store.gaugeFromString("reverse_connections.host..connecting", + Stats::Gauge::ImportMode::Accumulate); EXPECT_EQ(empty_host_gauge.value(), 0); - - // Empty cluster_id - should not create/update stats + + // Empty cluster_id - should not create/update stats. extension_->updateConnectionStats("test-host", "", "connecting", true); - auto& empty_cluster_gauge = stats_store.gaugeFromString( - "reverse_connections.cluster..connecting", Stats::Gauge::ImportMode::Accumulate); + auto& empty_cluster_gauge = stats_store.gaugeFromString("reverse_connections.cluster..connecting", + Stats::Gauge::ImportMode::Accumulate); EXPECT_EQ(empty_cluster_gauge.value(), 0); - - // Empty state_suffix - should not create/update stats + + // Empty state_suffix - should not create/update stats. extension_->updateConnectionStats("test-host", "test-cluster", "", true); - auto& empty_state_gauge = stats_store.gaugeFromString( - "reverse_connections.host.test-host.", Stats::Gauge::ImportMode::Accumulate); + auto& empty_state_gauge = stats_store.gaugeFromString("reverse_connections.host.test-host.", + Stats::Gauge::ImportMode::Accumulate); EXPECT_EQ(empty_state_gauge.value(), 0); } // Test per-worker stats aggregation for one thread only (test thread) TEST_F(ReverseTunnelInitiatorExtensionTest, GetPerWorkerStatMapSingleThread) { - // Set up thread local slot first + // Set up thread local slot first. setupThreadLocalSlot(); - // Update per-worker stats for the current (test) thread + // Update per-worker stats for the current (test) thread. extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", true); extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); - // Get the per-worker stat map + // Get the per-worker stat map. auto stat_map = extension_->getPerWorkerStatMap(); - // Verify the stats are collected correctly for worker_0 + // Verify the stats are collected correctly for worker_0. EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host2.connected"], 2); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2.connected"], 2); - // Verify that only worker_0 stats are included + // Verify that only worker_0 stats are included. for (const auto& [stat_name, value] : stat_map) { EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); } } -// Test cross-thread stat map functions using multiple dispatchers +// Test cross-thread stat map functions using multiple dispatchers. TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { // Set up thread local slot for the test thread (dispatcher name: "worker_0") setupThreadLocalSlot(); @@ -304,26 +318,27 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") setupAnotherThreadLocalSlot(); - // Simulate stats updates from worker_0 + // Simulate stats updates from worker_0. extension_->updateConnectionStats("host1", "cluster1", "connecting", true); extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment twice extension_->updateConnectionStats("host2", "cluster2", "connected", true); - // Temporarily switch the thread local registry to simulate updates from worker_1 + // Temporarily switch the thread local registry to simulate updates from worker_1. auto original_registry = thread_local_registry_; thread_local_registry_ = another_thread_local_registry_; - // Update stats from worker_1 - extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment from worker_1 + // Update stats from worker_1. + extension_->updateConnectionStats("host1", "cluster1", "connecting", + true); // Increment from worker_1 extension_->updateConnectionStats("host3", "cluster3", "failed", true); // New host from worker_1 - // Restore the original registry + // Restore the original registry. thread_local_registry_ = original_registry; - // Get the cross-worker stat map + // Get the cross-worker stat map. auto stat_map = extension_->getCrossWorkerStatMap(); - // Verify that cross-worker stats are collected correctly across multiple dispatchers + // Verify that cross-worker stats are collected correctly across multiple dispatchers. // host1: incremented 3 times total (2 from worker_0 + 1 from worker_1) EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 3); // host2: incremented 1 time from worker_0 @@ -338,54 +353,64 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { // cluster3: incremented 1 time from worker_1 EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. // with the same names increments the existing gauges (not creates new ones) - extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment again + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment again extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 - // Get stats again to verify the same gauges were updated + // Get stats again to verify the same gauges were updated. stat_map = extension_->getCrossWorkerStatMap(); // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 4); // 3 + 1 EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 4); // 3 + 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 0); // 1 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 0); // 1 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); // unchanged - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); // unchanged - // Test per-worker decrement operations to cover the per-worker decrement code paths - // First, test decrements from worker_0 context - extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", false); // Decrement from worker_0 + // Test per-worker decrement operations to cover the per-worker decrement code paths. + // First, test decrements from worker_0 context. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", + false); // Decrement from worker_0 - // Get per-worker stats to verify decrements worked correctly for worker_0 + // Get per-worker stats to verify decrements worked correctly for worker_0. auto per_worker_stat_map = extension_->getPerWorkerStatMap(); - // Verify worker_0 stats were decremented correctly - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 3); // 4 - 1 - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 3); // 4 - 1 + // Verify worker_0 stats were decremented correctly. + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], + 3); // 4 - 1 + EXPECT_EQ( + per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], + 3); // 4 - 1 - // Now test decrements from worker_1 context + // Now test decrements from worker_1 context. thread_local_registry_ = another_thread_local_registry_; - // Decrement some stats from worker_1 - extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", false); // Decrement from worker_1 - extension_->updatePerWorkerConnectionStats("host3", "cluster3", "failed", false); // Decrement host3 to 0 + // Decrement some stats from worker_1. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", + false); // Decrement from worker_1 + extension_->updatePerWorkerConnectionStats("host3", "cluster3", "failed", + false); // Decrement host3 to 0 - // Get per-worker stats from worker_1 context + // Get per-worker stats from worker_1 context. auto worker1_stat_map = extension_->getPerWorkerStatMap(); - // Verify worker_1 stats were decremented correctly - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host1.connecting"], 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1.connecting"], 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host3.failed"], 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3.failed"], 0); // 1 - 1 - - // Restore original registry + // Verify worker_1 stats were decremented correctly. + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host1.connecting"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1.connecting"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host3.failed"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3.failed"], + 0); // 1 - 1 + + // Restore original registry. thread_local_registry_ = original_registry; } -// Test getConnectionStatsSync using multiple dispatchers +// Test getConnectionStatsSync using multiple dispatchers. TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { // Set up thread local slot for the test thread (dispatcher name: "worker_0") setupThreadLocalSlot(); @@ -393,31 +418,33 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") setupAnotherThreadLocalSlot(); - // Simulate stats updates from worker_0 + // Simulate stats updates from worker_0. extension_->updateConnectionStats("host1", "cluster1", "connected", true); extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment twice extension_->updateConnectionStats("host2", "cluster2", "connected", true); - // Simulate stats updates from worker_1 - // Temporarily switch the thread local registry to simulate the other dispatcher + // Simulate stats updates from worker_1. + // Temporarily switch the thread local registry to simulate the other dispatcher. auto original_registry = thread_local_registry_; thread_local_registry_ = another_thread_local_registry_; - // Update stats from worker_1 - extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment from worker_1 - extension_->updateConnectionStats("host3", "cluster3", "connected", true); // New host from worker_1 + // Update stats from worker_1. + extension_->updateConnectionStats("host1", "cluster1", "connected", + true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "connected", + true); // New host from worker_1 - // Restore the original registry + // Restore the original registry. thread_local_registry_ = original_registry; - // Get connection stats synchronously + // Get connection stats synchronously. auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); auto& [connected_nodes, accepted_connections] = result; - // Verify the result contains the expected data + // Verify the result contains the expected data. EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); - // Verify that we have the expected host and cluster data + // Verify that we have the expected host and cluster data. // host1: should be present (incremented 3 times total) EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") != connected_nodes.end()); @@ -438,12 +465,12 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != accepted_connections.end()); - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. // with the same names updates the existing gauges and the sync result reflects this extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment again extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 - // Get connection stats again to verify the updated values + // Get connection stats again to verify the updated values. result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); auto& [updated_connected_nodes, updated_accepted_connections] = result; @@ -453,7 +480,7 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), "cluster2") == updated_accepted_connections.end()); - // Verify that host1 and host3 are still present + // Verify that host1 and host3 are still present. EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host1") != updated_connected_nodes.end()); EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host3") != @@ -464,114 +491,111 @@ TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { "cluster3") != updated_accepted_connections.end()); } -// Test getConnectionStatsSync with timeouts +// Test getConnectionStatsSync with timeouts. TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncTimeout) { - // Test with a very short timeout to verify timeout behavior + // Test with a very short timeout to verify timeout behavior. auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); - // With no connections and short timeout, should return empty results + // With no connections and short timeout, should return empty results. auto& [connected_nodes, accepted_connections] = result; EXPECT_TRUE(connected_nodes.empty()); EXPECT_TRUE(accepted_connections.empty()); } -// Test getConnectionStatsSync filters only "connected" state +// Test getConnectionStatsSync filters only "connected" state. TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncFiltersConnectedState) { - // Set up thread local slot + // Set up thread local slot. setupThreadLocalSlot(); - // Add connections with different states + // Add connections with different states. extension_->updateConnectionStats("host1", "cluster1", "connecting", true); extension_->updateConnectionStats("host2", "cluster2", "connected", true); extension_->updateConnectionStats("host3", "cluster3", "failed", true); extension_->updateConnectionStats("host4", "cluster4", "connected", true); - // Get connection stats synchronously + // Get connection stats synchronously. auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); auto& [connected_nodes, accepted_connections] = result; - // Should only include hosts/clusters with "connected" state + // Should only include hosts/clusters with "connected" state. EXPECT_EQ(connected_nodes.size(), 2); EXPECT_EQ(accepted_connections.size(), 2); - // Verify only connected hosts are included + // Verify only connected hosts are included. EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != connected_nodes.end()); EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host4") != connected_nodes.end()); - // Verify connecting and failed hosts are NOT included + // Verify connecting and failed hosts are NOT included. EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") == connected_nodes.end()); EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") == connected_nodes.end()); - // Verify only connected clusters are included + // Verify only connected clusters are included. EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != accepted_connections.end()); EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster4") != accepted_connections.end()); - // Verify connecting and failed clusters are NOT included + // Verify connecting and failed clusters are NOT included. EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") == accepted_connections.end()); EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") == accepted_connections.end()); } -// ReverseTunnelInitiator Test Class +// ReverseTunnelInitiator Test Class. class ReverseTunnelInitiatorTest : public testing::Test { protected: ReverseTunnelInitiatorTest() { - // Set up the stats scope + // Set up the stats scope. stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - // Set up the mock context + // Set up the mock context. EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - // Create the config + // Create the config. config_.set_stat_prefix("test_prefix"); - // Create the socket interface + // Create the socket interface. socket_interface_ = std::make_unique(context_); - // Create the extension - extension_ = - std::make_unique(context_, config_); + // Create the extension. + extension_ = std::make_unique(context_, config_); } - // Thread Local Setup Helpers - - // Helper function to set up thread local slot for tests + // Thread Local Setup Helpers. + + // Helper function to set up thread local slot for tests. void setupThreadLocalSlot() { - // First, call onServerInitialized to set up the extension reference properly + // First, call onServerInitialized to set up the extension reference properly. extension_->onServerInitialized(); - // Create a thread local registry with the properly initialized extension + // Create a thread local registry with the properly initialized extension. thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); - // Create the actual TypedSlot + // Create the actual TypedSlot. tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - // Set up the slot to return our registry + // Set up the slot to return our registry. tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - // Override the TLS slot with our test version + // Override the TLS slot with our test version. extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); - // Set the extension reference in the socket interface + // Set the extension reference in the socket interface. socket_interface_->extension_ = extension_.get(); } - // Test Data Setup Helpers - - // Helper to create a test address - Network::Address::InstanceConstSharedPtr createTestAddress(const std::string& ip = "127.0.0.1", + // Helper to create a test address. + Network::Address::InstanceConstSharedPtr createTestAddress(const std::string& ip = "127.0.0.1", uint32_t port = 8080) { return Network::Utility::parseInternetAddressNoThrow(ip, port); } @@ -596,80 +620,53 @@ class ReverseTunnelInitiatorTest : public testing::Test { std::unique_ptr socket_interface_; std::unique_ptr extension_; - // Real thread local slot and registry + // Real thread local slot and registry. std::unique_ptr> tls_slot_; std::shared_ptr thread_local_registry_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); }; TEST_F(ReverseTunnelInitiatorTest, CreateBootstrapExtension) { - // Test createBootstrapExtension function + // Test createBootstrapExtension function. envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config; - + auto extension = socket_interface_->createBootstrapExtension(config, context_); EXPECT_NE(extension, nullptr); - - // Verify extension is stored in socket interface + + // Verify extension is stored in socket interface. EXPECT_NE(socket_interface_->getExtension(), nullptr); } TEST_F(ReverseTunnelInitiatorTest, CreateEmptyConfigProto) { - // Test createEmptyConfigProto function + // Test createEmptyConfigProto function. auto config = socket_interface_->createEmptyConfigProto(); EXPECT_NE(config, nullptr); - - // Should be able to cast to the correct type - auto* typed_config = dynamic_cast< - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface*>(config.get()); + + // Should be able to cast to the correct type. + auto* typed_config = + dynamic_cast(config.get()); EXPECT_NE(typed_config, nullptr); } -// TODO: Add socket() function unit tests when the implementation is complete -// TEST_F(ReverseTunnelInitiatorTest, SocketTypeAndAddressBasic) { -// // Test basic socket creation without reverse connection config -// Network::SocketCreationOptions options; -// -// auto io_handle = socket_interface_->socket( -// Network::Socket::Type::Stream, -// Network::Address::Type::Ip, -// Network::Address::IpVersion::v4, -// false, -// options); -// -// EXPECT_NE(io_handle, nullptr); -// -// // Should be a regular IoSocketHandleImpl, not ReverseConnectionIOHandle -// EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); -// } - -// TEST_F(ReverseTunnelInitiatorTest, SocketWithRegularAddress) { -// // Test socket creation with regular address (non-reverse connection) -// auto address = createTestAddress(); -// Network::SocketCreationOptions options; -// -// auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); -// EXPECT_NE(io_handle, nullptr); -// -// // Should be a regular socket, not reverse connection socket -// EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); -// } - TEST_F(ReverseTunnelInitiatorTest, IpFamilySupported) { - // Test IP family support + // Test IP family support. EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); } TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryNoExtension) { - // Test getLocalRegistry when extension is not set + // Test getLocalRegistry when extension is not set. auto* registry = socket_interface_->getLocalRegistry(); EXPECT_EQ(registry, nullptr); } TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { - // Test getLocalRegistry when extension is set + // Test getLocalRegistry when extension is set. setupThreadLocalSlot(); auto* registry = socket_interface_->getLocalRegistry(); @@ -678,12 +675,221 @@ TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { } TEST_F(ReverseTunnelInitiatorTest, FactoryName) { - // Test factory name (implied through socket interface) EXPECT_EQ(socket_interface_->name(), "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); } -// Configuration validation tests +TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv4) { + // Test basic socket creation for IPv4. + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v4, false, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv6) { + // Test basic socket creation for IPv6. + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v6, false, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodDatagram) { + // Test datagram socket creation. + auto socket = socket_interface_->socket( + Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + false, Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodUnixDomain) { + // Test Unix domain socket creation. + auto socket = socket_interface_->socket( + Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, + false, Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv4) { + // Test socket creation with IPv4 address. + auto address = std::make_shared("127.0.0.1", 8080); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv6) { + // Test socket creation with IPv6 address. + auto address = std::make_shared("::1", 8080); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithReverseConnectionAddress) { + // Test socket creation with ReverseConnectionAddress. + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_cluster = "remote-cluster"; + config.connection_count = 2; + + auto reverse_address = std::make_shared(config); + + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle (not a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv4) { + // Test createReverseConnectionSocket for stream IPv4 with TLS registry setup. + setupThreadLocalSlot(); + + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); + + // Verify that the TLS registry scope is being used. + // The socket should be created with the scope from TLS registry, not context scope. + EXPECT_EQ(&reverse_handle->getDownstreamExtension()->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv6) { + // Test createReverseConnectionSocket for stream IPv6. + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v6, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketDatagram) { + // Test createReverseConnectionSocket for datagram (should fallback to regular socket) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketNonIP) { + // Test createReverseConnectionSocket for non-IP address (should fallback to regular socket) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketEmptyRemoteClusters) { + // Test createReverseConnectionSocket with empty remote_clusters (should return early) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + // No remote_clusters added - should return early. + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + // Should return nullptr due to empty remote_clusters. + EXPECT_EQ(socket, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithEmptyReverseConnectionAddress) { + // Test socket creation with empty ReverseConnectionAddress. + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_cluster_id = ""; + config.src_node_id = ""; + config.src_tenant_id = ""; + config.remote_cluster = ""; + config.connection_count = 0; + + auto reverse_address = std::make_shared(config); + + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithSocketCreationOptions) { + // Test socket creation with socket creation options. + Network::SocketCreationOptions options; + options.mptcp_enabled_ = true; + options.max_addresses_cache_size_ = 100; + + auto address = std::make_shared("127.0.0.1", 0); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +// Configuration validation tests. class ConfigValidationTest : public testing::Test { protected: envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: @@ -703,53 +909,52 @@ class ConfigValidationTest : public testing::Test { }; TEST_F(ConfigValidationTest, ValidConfiguration) { - // Test that valid configuration gets accepted + // Test that valid configuration gets accepted. ReverseTunnelInitiator initiator(context_); - // Should not throw when creating bootstrap extension + // Should not throw when creating bootstrap extension. EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); } TEST_F(ConfigValidationTest, EmptyConfiguration) { - // Test that empty configuration still works + // Test that empty configuration still works. ReverseTunnelInitiator initiator(context_); - // Should not throw with empty config + // Should not throw with empty config. EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); } TEST_F(ConfigValidationTest, EmptyStatPrefix) { - // Test that empty stat_prefix still works with default + // Test that empty stat_prefix still works with default. ReverseTunnelInitiator initiator(context_); - // Should not throw and should use default prefix + // Should not throw and should use default prefix. EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); } -// ReverseConnectionIOHandle Test Class +// ReverseConnectionIOHandle Test Class. class ReverseConnectionIOHandleTest : public testing::Test { protected: ReverseConnectionIOHandleTest() { - // Set up the stats scope + // Set up the stats scope. stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - // Set up the mock context + // Set up the mock context. EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - // Create the config + // Create the config. config_.set_stat_prefix("test_prefix"); - // Create the socket interface + // Create the socket interface. socket_interface_ = std::make_unique(context_); - // Create the extension - extension_ = - std::make_unique(context_, config_); + // Create the extension. + extension_ = std::make_unique(context_, config_); - // Set up mock dispatcher with default expectations + // Set up mock dispatcher with default expectations. EXPECT_CALL(dispatcher_, createTimer_(_)) .WillRepeatedly(testing::ReturnNew>()); EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) @@ -762,18 +967,19 @@ class ReverseConnectionIOHandleTest : public testing::Test { socket_interface_.reset(); } - // Helper to create a ReverseConnectionIOHandle with specified configuration - std::unique_ptr createTestIOHandle(const ReverseConnectionSocketConfig& config) { - // Create a test socket file descriptor + // Helper to create a ReverseConnectionIOHandle with specified configuration. + std::unique_ptr + createTestIOHandle(const ReverseConnectionSocketConfig& config) { + // Create a test socket file descriptor. int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); EXPECT_GE(test_fd, 0); - // Create the IO handle - return std::make_unique(test_fd, config, cluster_manager_, + // Create the IO handle. + return std::make_unique(test_fd, config, cluster_manager_, extension_.get(), *stats_scope_); } - // Helper to create a default test configuration + // Helper to create a default test configuration. ReverseConnectionSocketConfig createDefaultTestConfig() { ReverseConnectionSocketConfig config; config.src_cluster_id = "test-cluster"; @@ -796,95 +1002,98 @@ class ReverseConnectionIOHandleTest : public testing::Test { std::unique_ptr extension_; std::unique_ptr io_handle_; - // Mock cluster manager + // Mock cluster manager. NiceMock cluster_manager_; - // Thread local components for testing + // Thread local components for testing. std::unique_ptr> tls_slot_; std::shared_ptr thread_local_registry_; std::unique_ptr> another_tls_slot_; std::shared_ptr another_thread_local_registry_; - // Thread Local Setup Helpers - - // Helper function to set up thread local slot for tests + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + + // Mock socket for testing. + std::unique_ptr mock_socket_; + + // Thread Local Setup Helpers. + + // Helper function to set up thread local slot for tests. void setupThreadLocalSlot() { - // Create a thread local registry + // Create a thread local registry. thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); - // Create the actual TypedSlot + // Create the actual TypedSlot. tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - // Set up the slot to return our registry + // Set up the slot to return our registry. tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - // Set the slot in the extension using the test-only method + // Set the slot in the extension using the test-only method. extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); } - // Multi-Thread Local Setup Helpers - + // Multi-Thread Local Setup Helpers. + void setupAnotherThreadLocalSlot() { - // Create a thread local registry for the other dispatcher + // Create a thread local registry for the other dispatcher. another_thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); - // Create the actual TypedSlot - another_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + // Create the actual TypedSlot. + another_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); - // Set up the slot to return our registry - another_tls_slot_->set([registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + // Set up the slot to return our registry. + another_tls_slot_->set( + [registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); - // Set the slot in the extension using the test-only method + // Set the slot in the extension using the test-only method. extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); } - // Trigger Pipe Management Helpers - - bool isTriggerPipeReady() const { - return io_handle_->isTriggerPipeReady(); - } + // Trigger Pipe Management Helpers. - void createTriggerPipe() { - io_handle_->createTriggerPipe(); - } + bool isTriggerPipeReady() const { return io_handle_->isTriggerPipeReady(); } - int getTriggerPipeReadFd() const { - return io_handle_->trigger_pipe_read_fd_; - } + void createTriggerPipe() { io_handle_->createTriggerPipe(); } - int getTriggerPipeWriteFd() const { - return io_handle_->trigger_pipe_write_fd_; + int getTriggerPipeReadFd() const { return io_handle_->trigger_pipe_read_fd_; } + + int getTriggerPipeWriteFd() const { return io_handle_->trigger_pipe_write_fd_; } + + // Connection Management Helpers. + + void addConnectionToEstablishedQueue(Network::ClientConnectionPtr connection) { + io_handle_->established_connections_.push(std::move(connection)); } - // Connection Management Helpers - bool initiateOneReverseConnection(const std::string& cluster_name, const std::string& host_address, Upstream::HostConstSharedPtr host) { return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); } - void maintainReverseConnections() { - io_handle_->maintainReverseConnections(); - } + void maintainReverseConnections() { io_handle_->maintainReverseConnections(); } - void maintainClusterConnections(const std::string& cluster_name, + void maintainClusterConnections(const std::string& cluster_name, const RemoteClusterConnectionConfig& cluster_config) { io_handle_->maintainClusterConnections(cluster_name, cluster_config); } - // Host Management Helpers - + // Host Management Helpers. + void maybeUpdateHostsMappingsAndConnections(const std::string& cluster_id, const std::vector& hosts) { io_handle_->maybeUpdateHostsMappingsAndConnections(cluster_id, hosts); } - bool shouldAttemptConnectionToHost(const std::string& host_address, const std::string& cluster_name) { + bool shouldAttemptConnectionToHost(const std::string& host_address, + const std::string& cluster_name) { return io_handle_->shouldAttemptConnectionToHost(host_address, cluster_name); } @@ -896,15 +1105,26 @@ class ReverseConnectionIOHandleTest : public testing::Test { io_handle_->resetHostBackoff(host_address); } - // Data Access Helpers - - const std::unordered_map& getHostToConnInfoMap() const { + // Data Access Helpers. + + const absl::flat_hash_map& + getHostToConnInfoMap() const { return io_handle_->host_to_conn_info_map_; } - const ReverseConnectionIOHandle::HostConnectionInfo& getHostConnectionInfo(const std::string& host_address) const { + const ReverseConnectionIOHandle::HostConnectionInfo& + getHostConnectionInfo(const std::string& host_address) const { + auto it = io_handle_->host_to_conn_info_map_.find(host_address); + EXPECT_NE(it, io_handle_->host_to_conn_info_map_.end()) + << "Host " << host_address << " not found in host_to_conn_info_map_"; + return it->second; + } + + ReverseConnectionIOHandle::HostConnectionInfo& + getMutableHostConnectionInfo(const std::string& host_address) { auto it = io_handle_->host_to_conn_info_map_.find(host_address); - EXPECT_NE(it, io_handle_->host_to_conn_info_map_.end()) << "Host " << host_address << " not found in host_to_conn_info_map_"; + EXPECT_NE(it, io_handle_->host_to_conn_info_map_.end()) + << "Host " << host_address << " not found in host_to_conn_info_map_"; return it->second; } @@ -912,26 +1132,30 @@ class ReverseConnectionIOHandleTest : public testing::Test { return io_handle_->connection_wrappers_; } - const std::unordered_map& getConnWrapperToHostMap() const { + const absl::flat_hash_map& getConnWrapperToHostMap() const { return io_handle_->conn_wrapper_to_host_map_; } - // Test Data Setup Helpers - - void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, uint32_t target_count) { - io_handle_->host_to_conn_info_map_[host_address] = ReverseConnectionIOHandle::HostConnectionInfo{ - host_address, - cluster_name, - {}, // connection_keys - empty set initially - target_count, // target_connection_count - 0, // failure_count - std::chrono::steady_clock::now(), // last_failure_time - std::chrono::steady_clock::now(), // backoff_until - {} // connection_states - }; + // Test Data Setup Helpers. + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, + uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = + ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states + }; } - // Helper to create a mock host + // Helper to create a mock host. Upstream::HostConstSharedPtr createMockHost(const std::string& address) { auto mock_host = std::make_shared>(); auto mock_address = std::make_shared(address, 8080); @@ -939,14 +1163,45 @@ class ReverseConnectionIOHandleTest : public testing::Test { return mock_host; } - // Helper to access private members for testing + // Helper method to set up mock connection with proper socket expectations. + std::unique_ptr> setupMockConnection() { + auto mock_connection = std::make_unique>(); + + // Create a mock socket for the connection. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Cast the mock to the base ConnectionSocket type and store it in member variable. + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection expectations for getSocket() + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + return mock_connection; + } + + // Helper to access private members for testing. void addWrapperToHostMap(RCConnectionWrapper* wrapper, const std::string& host_address) { io_handle_->conn_wrapper_to_host_map_[wrapper] = host_address; } - void cleanup() { - io_handle_->cleanup(); - } + void cleanup() { io_handle_->cleanup(); } void removeStaleHostAndCloseConnections(const std::string& host) { io_handle_->removeStaleHostAndCloseConnections(host); @@ -956,27 +1211,26 @@ class ReverseConnectionIOHandleTest : public testing::Test { size_t getEstablishedConnectionsSize() const { return io_handle_->established_connections_.size(); } - }; -// Test getClusterManager returns correct reference +// Test getClusterManager returns correct reference. TEST_F(ReverseConnectionIOHandleTest, GetClusterManager) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - - // Verify that getClusterManager returns the correct reference + + // Verify that getClusterManager returns the correct reference. EXPECT_EQ(&io_handle_->getClusterManager(), &cluster_manager_); } -// Basic setup +// Basic setup. TEST_F(ReverseConnectionIOHandleTest, BasicSetup) { - // Test that constructor doesn't crash and creates a valid instance + // Test that constructor doesn't crash and creates a valid instance. auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Verify the IO handle has a valid file descriptor + // Verify the IO handle has a valid file descriptor. EXPECT_GE(io_handle_->fdDoNotUse(), 0); } @@ -986,123 +1240,124 @@ TEST_F(ReverseConnectionIOHandleTest, ListenNoOp) { io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Test that listen() returns success (0) with no error + // Test that listen() returns success (0) with no error. auto result = io_handle_->listen(10); EXPECT_EQ(result.return_value_, 0); EXPECT_EQ(result.errno_, 0); } -// Test isTriggerPipeReady() behavior +// Test isTriggerPipeReady() behavior. TEST_F(ReverseConnectionIOHandleTest, IsTriggerPipeReady) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Initially, trigger pipe should not be ready + // Initially, trigger pipe should not be ready. EXPECT_FALSE(isTriggerPipeReady()); - // Create the trigger pipe + // Create the trigger pipe. createTriggerPipe(); - // Now trigger pipe should be ready + // Now trigger pipe should be ready. EXPECT_TRUE(isTriggerPipeReady()); - // Verify the file descriptors are valid + // Verify the file descriptors are valid. EXPECT_GE(getTriggerPipeReadFd(), 0); EXPECT_GE(getTriggerPipeWriteFd(), 0); } -// Test createTriggerPipe() basic pipe creation +// Test createTriggerPipe() basic pipe creation. TEST_F(ReverseConnectionIOHandleTest, CreateTriggerPipe) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Initially, trigger pipe should not be ready + // Initially, trigger pipe should not be ready. EXPECT_FALSE(isTriggerPipeReady()); - // Manually call createTriggerPipe + // Manually call createTriggerPipe. createTriggerPipe(); - // Verify that the trigger pipe was created successfully + // Verify that the trigger pipe was created successfully. EXPECT_TRUE(isTriggerPipeReady()); EXPECT_GE(getTriggerPipeReadFd(), 0); EXPECT_GE(getTriggerPipeWriteFd(), 0); - - // Verify getPipeMonitorFd returns the correct file descriptor + + // Verify getPipeMonitorFd returns the correct file descriptor. EXPECT_EQ(io_handle_->getPipeMonitorFd(), getTriggerPipeReadFd()); - // Verify the file descriptors are different + // Verify the file descriptors are different. EXPECT_NE(getTriggerPipeReadFd(), getTriggerPipeWriteFd()); } -// Test initializeFileEvent() creates trigger pipe +// Test initializeFileEvent() creates trigger pipe. TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventCreatesTriggerPipe) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Initially, trigger pipe should not be ready + // Initially, trigger pipe should not be ready. EXPECT_FALSE(isTriggerPipeReady()); - // Mock file event callback + // Mock file event callback. Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; - // Call initializeFileEvent - this should create the trigger pipe - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + // Call initializeFileEvent - this should create the trigger pipe. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); - // Verify that the trigger pipe was created successfully + // Verify that the trigger pipe was created successfully. EXPECT_TRUE(isTriggerPipeReady()); EXPECT_GE(getTriggerPipeReadFd(), 0); EXPECT_GE(getTriggerPipeWriteFd(), 0); - - // Verify getPipeMonitorFd returns the correct file descriptor + + // Verify getPipeMonitorFd returns the correct file descriptor. EXPECT_EQ(io_handle_->getPipeMonitorFd(), getTriggerPipeReadFd()); } -// Test that subsequent calls to initializeFileEvent do not create new pipes +// Test that subsequent calls to initializeFileEvent do not create new pipes. TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventDoesNotCreateNewPipes) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Initially, trigger pipe should not be ready + // Initially, trigger pipe should not be ready. EXPECT_FALSE(isTriggerPipeReady()); - // Mock file event callback + // Mock file event callback. Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; - // First call to initializeFileEvent - should create the trigger pipe - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + // First call to initializeFileEvent - should create the trigger pipe. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); - // Verify that the trigger pipe was created + // Verify that the trigger pipe was created. EXPECT_TRUE(isTriggerPipeReady()); int first_read_fd = getTriggerPipeReadFd(); int first_write_fd = getTriggerPipeWriteFd(); EXPECT_GE(first_read_fd, 0); EXPECT_GE(first_write_fd, 0); - // Second call to initializeFileEvent - should NOT create new pipes because is_reverse_conn_started_ is true - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + // Second call to initializeFileEvent - should NOT create new pipes because. + // is_reverse_conn_started_ is true + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); // Verify that the same file descriptors are still used (no new pipes created) EXPECT_TRUE(isTriggerPipeReady()); EXPECT_EQ(getTriggerPipeReadFd(), first_read_fd); EXPECT_EQ(getTriggerPipeWriteFd(), first_write_fd); - - // Verify getPipeMonitorFd still returns the correct file descriptor + + // Verify getPipeMonitorFd still returns the correct file descriptor. EXPECT_EQ(io_handle_->getPipeMonitorFd(), first_read_fd); } -// Test that we do NOT update stats for the cluster if src_node_id is empty +// Test that we do NOT update stats for the cluster if src_node_id is empty. TEST_F(ReverseConnectionIOHandleTest, EmptySrcNodeIdNoStatsUpdate) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Create config with empty src_node_id + + // Create config with empty src_node_id. ReverseConnectionSocketConfig empty_node_config; empty_node_config.src_cluster_id = "test-cluster"; empty_node_config.src_node_id = ""; // Empty node ID @@ -1111,142 +1366,138 @@ TEST_F(ReverseConnectionIOHandleTest, EmptySrcNodeIdNoStatsUpdate) { io_handle_ = createTestIOHandle(empty_node_config); EXPECT_NE(io_handle_, nullptr); - // Call maintainReverseConnections - should return early due to empty src_node_id + // Call maintainReverseConnections - should return early due to empty src_node_id. maintainReverseConnections(); - // Verify that no stats were updated + // Verify that no stats were updated. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map.size(), 0); // No stats should be created } -// Test that rev_conn_retry_timer_ gets created and enabled upon calling initializeFileEvent +// Test that rev_conn_retry_timer_ gets created and enabled upon calling initializeFileEvent. TEST_F(ReverseConnectionIOHandleTest, RetryTimerEnabled) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Mock timer expectations + // Mock timer expectations. auto mock_timer = new NiceMock(); EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); - EXPECT_CALL(*mock_timer, enableTimer(_, _)).Times(1); + EXPECT_CALL(*mock_timer, enableTimer(_, _)); - // Mock file event callback + // Mock file event callback. Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; - // Call initializeFileEvent - this should create and enable the retry timer - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + // Call initializeFileEvent - this should create and enable the retry timer. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); } -// Test that rev_conn_retry_timer_ is properly managed when reverse connection is started +// Test that rev_conn_retry_timer_ is properly managed when reverse connection is started. TEST_F(ReverseConnectionIOHandleTest, RetryTimerWhenReverseConnStarted) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Mock timer expectations + // Mock timer expectations. auto mock_timer = new NiceMock(); EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); - EXPECT_CALL(*mock_timer, enableTimer(_, _)).Times(1); + EXPECT_CALL(*mock_timer, enableTimer(_, _)); - // Mock file event callback + // Mock file event callback. Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; - // Call initializeFileEvent to create the timer - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + // Call initializeFileEvent to create the timer. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); - // Call initializeFileEvent again to ensure the timer is not created again - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + // Call initializeFileEvent again to ensure the timer is not created again. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); } -// Test that we do not initiate reverse tunnels when thread local cluster is not present +// Test that we do not initiate reverse tunnels when thread local cluster is not present. TEST_F(ReverseConnectionIOHandleTest, NoThreadLocalClusterCannotConnect) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up cluster manager to return nullptr for non-existent cluster + // Set up cluster manager to return nullptr for non-existent cluster. EXPECT_CALL(cluster_manager_, getThreadLocalCluster("non-existent-cluster")) .WillOnce(Return(nullptr)); - // Call maintainClusterConnections with non-existent cluster + // Call maintainClusterConnections with non-existent cluster. RemoteClusterConnectionConfig cluster_config("non-existent-cluster", 2); maintainClusterConnections("non-existent-cluster", cluster_config); - // Verify that CannotConnect gauge was updated for the cluster + // Verify that CannotConnect gauge was updated for the cluster. auto stat_map = extension_->getCrossWorkerStatMap(); - - // Debug: Print all stats to verify the stat map - std::cout << "\n=== NoThreadLocalClusterCannotConnect Stats ===" << std::endl; - for (const auto& [stat_name, value] : stat_map) { - std::cout << "Stat: " << stat_name << " = " << value << std::endl; - } - std::cout << "===============================================" << std::endl; - - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], 1); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], + 1); } -// Test that we do not initiate reverse tunnels when cluster has no hosts +// Test that we do not initiate reverse tunnels when cluster has no hosts. TEST_F(ReverseConnectionIOHandleTest, NoHostsInClusterCannotConnect) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster with empty host map + // Set up mock thread local cluster with empty host map. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("empty-cluster")) .WillOnce(Return(mock_thread_local_cluster.get())); - // Set up empty priority set + // Set up empty priority set. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Set up empty cross priority host map + // Set up empty cross priority host map. auto empty_host_map = std::make_shared(); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(empty_host_map)); - // Call maintainClusterConnections with empty cluster + // Call maintainClusterConnections with empty cluster. RemoteClusterConnectionConfig cluster_config("empty-cluster", 2); maintainClusterConnections("empty-cluster", cluster_config); - // Verify that CannotConnect gauge was updated for the cluster + // Verify that CannotConnect gauge was updated for the cluster. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.empty-cluster.cannot_connect"], 1); } -// Test maybeUpdateHostsMappingsAndConnections with valid hosts +// Test maybeUpdateHostsMappingsAndConnections with valid hosts. TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsValidHosts) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with some hosts + // Create host map with some hosts. auto host_map = std::make_shared(); auto mock_host1 = createMockHost("192.168.1.1"); auto mock_host2 = createMockHost("192.168.1.2"); @@ -1255,36 +1506,38 @@ TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsValidHosts) { EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Call maintainClusterConnections which will create HostConnectionInfo entries and call maybeUpdateHostsMappingsAndConnections + // Call maintainClusterConnections which will create HostConnectionInfo entries and call. + // maybeUpdateHostsMappingsAndConnections RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); - // Verify that hosts were added to the mapping + // Verify that hosts were added to the mapping. const auto& host_to_conn_info_map = getHostToConnInfoMap(); EXPECT_EQ(host_to_conn_info_map.size(), 2); EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); EXPECT_NE(host_to_conn_info_map.find("192.168.1.2"), host_to_conn_info_map.end()); } -// Test maybeUpdateHostsMappingsAndConnections with no new hosts +// Test maybeUpdateHostsMappingsAndConnections with no new hosts. TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsNoNewHosts) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with multiple hosts + // Create host map with multiple hosts. auto host_map = std::make_shared(); auto mock_host1 = createMockHost("192.168.1.1"); auto mock_host2 = createMockHost("192.168.1.2"); @@ -1295,221 +1548,265 @@ TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsNoNewHosts) { EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Call maintainClusterConnections which will create HostConnectionInfo entries and call maybeUpdateHostsMappingsAndConnections + // Call maintainClusterConnections which will create HostConnectionInfo entries and call. + // maybeUpdateHostsMappingsAndConnections RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); - // Verify that all three host entries exist after maintainClusterConnections + // Verify that all three host entries exist after maintainClusterConnections. const auto& host_to_conn_info_map = getHostToConnInfoMap(); EXPECT_EQ(host_to_conn_info_map.size(), 3); EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); EXPECT_NE(host_to_conn_info_map.find("192.168.1.2"), host_to_conn_info_map.end()); EXPECT_NE(host_to_conn_info_map.find("192.168.1.3"), host_to_conn_info_map.end()); - // Now test partial host removal by calling maybeUpdateHostsMappingsAndConnections with fewer hosts + // Now test partial host removal by calling maybeUpdateHostsMappingsAndConnections with fewer. + // hosts std::vector reduced_host_addresses = {"192.168.1.1", "192.168.1.3"}; maybeUpdateHostsMappingsAndConnections("test-cluster", reduced_host_addresses); - // Verify that the removed host was cleaned up but others remain + // Verify that the removed host was cleaned up but others remain. const auto& updated_host_to_conn_info_map = getHostToConnInfoMap(); EXPECT_EQ(updated_host_to_conn_info_map.size(), 2); EXPECT_NE(updated_host_to_conn_info_map.find("192.168.1.1"), updated_host_to_conn_info_map.end()); - EXPECT_EQ(updated_host_to_conn_info_map.find("192.168.1.2"), updated_host_to_conn_info_map.end()); // Should be removed + EXPECT_EQ(updated_host_to_conn_info_map.find("192.168.1.2"), + updated_host_to_conn_info_map.end()); // Should be removed EXPECT_NE(updated_host_to_conn_info_map.find("192.168.1.3"), updated_host_to_conn_info_map.end()); } -// Test shouldAttemptConnectionToHost with valid host and no existing connections +// Test shouldAttemptConnectionToHost with valid host and no existing connections. TEST_F(ReverseConnectionIOHandleTest, ShouldAttemptConnectionToHostValidHost) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Call maintainClusterConnections to create HostConnectionInfo entries + // Call maintainClusterConnections to create HostConnectionInfo entries. RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); - // Test with valid host and no existing connections + // Test with valid host and no existing connections. bool should_attempt = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); EXPECT_TRUE(should_attempt); + + // Test circuit breaker disabled scenario - should always return true regardless of backoff state. + // First, put the host in backoff by tracking a failure. + trackConnectionFailure("192.168.1.1", "test-cluster"); + + // Verify host is in backoff with circuit breaker enabled (default). + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); + + // Now create a new IO handle with circuit breaker disabled. + auto config_disabled = createDefaultTestConfig(); + config_disabled.enable_circuit_breaker = false; + auto io_handle_disabled = createTestIOHandle(config_disabled); + EXPECT_NE(io_handle_disabled, nullptr); + + // Set up the same thread local cluster for the new IO handle. + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections to create HostConnectionInfo entries in the new IO handle. + maintainClusterConnections("test-cluster", cluster_config); + + // Put the host in backoff in the new IO handle. + io_handle_disabled->trackConnectionFailure("192.168.1.1", "test-cluster"); + + // With circuit breaker disabled, shouldAttemptConnectionToHost should always return true. + EXPECT_TRUE(io_handle_disabled->shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); } -// Test trackConnectionFailure puts host in backoff +// Test trackConnectionFailure puts host in backoff. TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailurePutsHostInBackoff) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // First call maintainClusterConnections to create HostConnectionInfo entries + // First call maintainClusterConnections to create HostConnectionInfo entries. RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); - // Verify host is initially not in backoff + // Verify host is initially not in backoff. bool should_attempt_before = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); EXPECT_TRUE(should_attempt_before); - // Call trackConnectionFailure to put host in backoff + // Call trackConnectionFailure to put host in backoff. trackConnectionFailure("192.168.1.1", "test-cluster"); - // Verify host is now in backoff + // Verify host is now in backoff. bool should_attempt_after = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); EXPECT_FALSE(should_attempt_after); - // Verify stat gauges - should show backoff state + // Verify stat gauges - should show backoff state. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); - // Test that trackConnectionFailure returns if host_to_conn_info_map_ does not have an entry + // Test that trackConnectionFailure returns if host_to_conn_info_map_ does not have an entry. // Call trackConnectionFailure with a host that doesn't exist in host_to_conn_info_map_ trackConnectionFailure("non-existent-host", "test-cluster"); - // Verify that no stats were updated since the host doesn't exist + // Verify that no stats were updated since the host doesn't exist. auto stat_map_after_non_existent = extension_->getCrossWorkerStatMap(); - EXPECT_EQ(stat_map_after_non_existent["test_scope.reverse_connections.host.non-existent-host.backoff"], 0); + EXPECT_EQ( + stat_map_after_non_existent["test_scope.reverse_connections.host.non-existent-host.backoff"], + 0); + + // Test that maintainClusterConnections skips hosts in backoff. + // Call maintainClusterConnections again - should skip the host in backoff. + // and not attempt any new connections + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that the host is still in backoff state. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); } -// Test resetHostBackoff resets the backoff +// Test resetHostBackoff resets the backoff. TEST_F(ReverseConnectionIOHandleTest, ResetHostBackoff) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // First call maintainClusterConnections to create HostConnectionInfo entries + // First call maintainClusterConnections to create HostConnectionInfo entries. RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); - // Verify host is initially not in backoff + // Verify host is initially not in backoff. bool should_attempt_before = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); EXPECT_TRUE(should_attempt_before); - // Call trackConnectionFailure to put host in backoff + // Call trackConnectionFailure to put host in backoff. trackConnectionFailure("192.168.1.1", "test-cluster"); - // Verify host is now in backoff + // Verify host is now in backoff. bool should_attempt_after_failure = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); EXPECT_FALSE(should_attempt_after_failure); - // Verify stat gauges - should show backoff state + // Verify stat gauges - should show backoff state. auto stat_map_after_failure = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map_after_failure["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); - // Call resetHostBackoff to reset the backoff + // Call resetHostBackoff to reset the backoff. resetHostBackoff("192.168.1.1"); - // Verify host is no longer in backoff + // Verify host is no longer in backoff. bool should_attempt_after_reset = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); EXPECT_TRUE(should_attempt_after_reset); - // Verify stat gauges - should show recovered state + // Verify stat gauges - should show recovered state. auto stat_map_after_reset = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map_after_reset["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); EXPECT_EQ(stat_map_after_reset["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); } -// Test resetHostBackoff returns if host_to_conn_info_map_ does not have an entry +// Test resetHostBackoff returns if host_to_conn_info_map_ does not have an entry. TEST_F(ReverseConnectionIOHandleTest, ResetHostBackoffReturnsIfHostNotFound) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); // Call resetHostBackoff with a host that doesn't exist in host_to_conn_info_map_ - // This should not crash and should return early + // This should not crash and should return early. resetHostBackoff("non-existent-host"); - // Verify that no stats were updated since the host doesn't exist + // Verify that no stats were updated since the host doesn't exist. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.non-existent-host.recovered"], 0); } -// Test trackConnectionFailure exponential backoff +// Test trackConnectionFailure exponential backoff. TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailureExponentialBackoff) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // First call maintainClusterConnections to create HostConnectionInfo entries + // First call maintainClusterConnections to create HostConnectionInfo entries. RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); - // Get initial host info + // Get initial host info. const auto& host_info_initial = getHostConnectionInfo("192.168.1.1"); EXPECT_EQ(host_info_initial.failure_count, 0); @@ -1518,10 +1815,11 @@ TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailureExponentialBackoff) const auto& host_info_1 = getHostConnectionInfo("192.168.1.1"); EXPECT_EQ(host_info_1.failure_count, 1); // Verify backoff_until is set to a future time (approximately current_time + 1000ms) - auto now = std::chrono::steady_clock::now(); - auto backoff_duration_1 = host_info_1.backoff_until - now; + auto backoff_duration_1 = + host_info_1.backoff_until - std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) // backoff_delay_ms = 1000 * 2^(1-1) = 1000 * 2^0 = 1000 * 1 = 1000ms - auto backoff_ms_1 = std::chrono::duration_cast(backoff_duration_1).count(); + auto backoff_ms_1 = + std::chrono::duration_cast(backoff_duration_1).count(); EXPECT_GE(backoff_ms_1, 900); // Should be at least 900ms (allowing for small timing variations) EXPECT_LE(backoff_ms_1, 1100); // Should be at most 1100ms @@ -1530,44 +1828,49 @@ TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailureExponentialBackoff) const auto& host_info_2 = getHostConnectionInfo("192.168.1.1"); EXPECT_EQ(host_info_2.failure_count, 2); // backoff_delay_ms = 1000 * 2^(2-1) = 1000 * 2^1 = 1000 * 2 = 2000ms - auto backoff_duration_2 = host_info_2.backoff_until - now; - auto backoff_ms_2 = std::chrono::duration_cast(backoff_duration_2).count(); - EXPECT_GE(backoff_ms_2, 1900); // Should be at least 1900ms - EXPECT_LE(backoff_ms_2, 2100); // Should be at most 2100ms + auto backoff_duration_2 = + host_info_2.backoff_until - std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto backoff_ms_2 = + std::chrono::duration_cast(backoff_duration_2).count(); + EXPECT_GE(backoff_ms_2, 1900); // Should be at least 1900ms + EXPECT_LE(backoff_ms_2, 2100); // Should be at most 2100ms // Third failure - should have 4 second backoff (4000ms) trackConnectionFailure("192.168.1.1", "test-cluster"); const auto& host_info_3 = getHostConnectionInfo("192.168.1.1"); EXPECT_EQ(host_info_3.failure_count, 3); // backoff_delay_ms = 1000 * 2^(3-1) = 1000 * 2^2 = 1000 * 4 = 4000ms - auto backoff_duration_3 = host_info_3.backoff_until - now; - auto backoff_ms_3 = std::chrono::duration_cast(backoff_duration_3).count(); - EXPECT_GE(backoff_ms_3, 3900); // Should be at least 3900ms - EXPECT_LE(backoff_ms_3, 4100); // Should be at most 4100ms - - // Verify that shouldAttemptConnectionToHost returns false during backoff + auto backoff_duration_3 = + host_info_3.backoff_until - std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto backoff_ms_3 = + std::chrono::duration_cast(backoff_duration_3).count(); + EXPECT_GE(backoff_ms_3, 3900); // Should be at least 3900ms + EXPECT_LE(backoff_ms_3, 4100); // Should be at most 4100ms + + // Verify that shouldAttemptConnectionToHost returns false during backoff. EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); } -// Test host mapping and backoff integration +// Test host mapping and backoff integration. TEST_F(ReverseConnectionIOHandleTest, HostMappingAndBackoffIntegration) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster for cluster-A + // Set up mock thread local cluster for cluster-A. auto mock_thread_local_cluster_a = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("cluster-A")) .WillRepeatedly(Return(mock_thread_local_cluster_a.get())); - // Set up priority set with hosts for cluster-A + // Set up priority set with hosts for cluster-A. auto mock_priority_set_a = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster_a, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set_a)); + EXPECT_CALL(*mock_thread_local_cluster_a, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set_a)); - // Create host map for cluster-A with hosts A1, A2, A3 + // Create host map for cluster-A with hosts A1, A2, A3. auto host_map_a = std::make_shared(); auto mock_host_a1 = createMockHost("192.168.1.1"); auto mock_host_a2 = createMockHost("192.168.1.2"); @@ -1578,16 +1881,17 @@ TEST_F(ReverseConnectionIOHandleTest, HostMappingAndBackoffIntegration) { EXPECT_CALL(*mock_priority_set_a, crossPriorityHostMap()).WillRepeatedly(Return(host_map_a)); - // Set up mock thread local cluster for cluster-B + // Set up mock thread local cluster for cluster-B. auto mock_thread_local_cluster_b = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("cluster-B")) .WillRepeatedly(Return(mock_thread_local_cluster_b.get())); - // Set up priority set with hosts for cluster-B + // Set up priority set with hosts for cluster-B. auto mock_priority_set_b = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster_b, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set_b)); + EXPECT_CALL(*mock_thread_local_cluster_b, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set_b)); - // Create host map for cluster-B with hosts B1, B2 + // Create host map for cluster-B with hosts B1, B2. auto host_map_b = std::make_shared(); auto mock_host_b1 = createMockHost("192.168.2.1"); auto mock_host_b2 = createMockHost("192.168.2.2"); @@ -1596,185 +1900,281 @@ TEST_F(ReverseConnectionIOHandleTest, HostMappingAndBackoffIntegration) { EXPECT_CALL(*mock_priority_set_b, crossPriorityHostMap()).WillRepeatedly(Return(host_map_b)); - // Step 1: Create initial host mappings for cluster-A + // Step 1: Create initial host mappings for cluster-A. RemoteClusterConnectionConfig cluster_config_a("cluster-A", 2); maintainClusterConnections("cluster-A", cluster_config_a); - // Step 2: Create initial host mappings for cluster-B + // Step 2: Create initial host mappings for cluster-B. RemoteClusterConnectionConfig cluster_config_b("cluster-B", 2); maintainClusterConnections("cluster-B", cluster_config_b); - // Verify all hosts exist initially + // Verify all hosts exist initially. const auto& host_to_conn_info_map_initial = getHostToConnInfoMap(); - EXPECT_EQ(host_to_conn_info_map_initial.size(), 5); // 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.2.1, 192.168.2.2 + EXPECT_EQ(host_to_conn_info_map_initial.size(), + 5); // 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.2.1, 192.168.2.2 EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.1"), host_to_conn_info_map_initial.end()); EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.2"), host_to_conn_info_map_initial.end()); EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.3"), host_to_conn_info_map_initial.end()); EXPECT_NE(host_to_conn_info_map_initial.find("192.168.2.1"), host_to_conn_info_map_initial.end()); EXPECT_NE(host_to_conn_info_map_initial.find("192.168.2.2"), host_to_conn_info_map_initial.end()); - // Step 3: Put some hosts in backoff - trackConnectionFailure("192.168.1.1", "cluster-A"); // 192.168.1.1 in backoff - trackConnectionFailure("192.168.2.1", "cluster-B"); // 192.168.2.1 in backoff + // Step 3: Put some hosts in backoff. + trackConnectionFailure("192.168.1.1", "cluster-A"); // 192.168.1.1 in backoff + trackConnectionFailure("192.168.2.1", "cluster-B"); // 192.168.2.1 in backoff // 192.168.1.2, 192.168.1.3, 192.168.2.2 remain normal - // Verify backoff states - EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // In backoff - EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // In backoff - EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-A")); // Normal - EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.3", "cluster-A")); // Normal - EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.2.2", "cluster-B")); // Normal + // Verify backoff states. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // In backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // In backoff + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-A")); // Normal + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.3", "cluster-A")); // Normal + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.2.2", "cluster-B")); // Normal - // Step 4: Update host mappings + // Step 4: Update host mappings. // - Move 192.168.1.2 from cluster-A to cluster-B // - Remove 192.168.1.3 from cluster-A // - Add new host 192.168.1.4 to cluster-A - maybeUpdateHostsMappingsAndConnections("cluster-A", {"192.168.1.1", "192.168.1.4"}); // 192.168.1.2, 192.168.1.3 removed - maybeUpdateHostsMappingsAndConnections("cluster-B", {"192.168.2.1", "192.168.2.2", "192.168.1.2"}); // 192.168.1.2 added + maybeUpdateHostsMappingsAndConnections( + "cluster-A", {"192.168.1.1", "192.168.1.4"}); // 192.168.1.2, 192.168.1.3 removed + maybeUpdateHostsMappingsAndConnections( + "cluster-B", {"192.168.2.1", "192.168.2.2", "192.168.1.2"}); // 192.168.1.2 added - // Step 5: Verify backoff states are preserved for existing hosts - EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // Still in backoff - EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // Still in backoff + // Step 5: Verify backoff states are preserved for existing hosts. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // Still in backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // Still in backoff - // Step 6: Verify moved host has clean state - EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-B")); // Moved, no backoff + // Step 6: Verify moved host has clean state. + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-B")); // Moved, no backoff - // Step 7: Verify removed host is cleaned up + // Step 7: Verify removed host is cleaned up. const auto& host_to_conn_info_map_after = getHostToConnInfoMap(); - EXPECT_EQ(host_to_conn_info_map_after.find("192.168.1.3"), host_to_conn_info_map_after.end()); // Removed + EXPECT_EQ(host_to_conn_info_map_after.find("192.168.1.3"), + host_to_conn_info_map_after.end()); // Removed - // Step 8: Verify stats are updated correctly + // Step 8: Verify stats are updated correctly. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.2.1.backoff"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.backoff"], 0); // Reset when moved + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.backoff"], + 0); // Reset when moved } -// Test initiateOneReverseConnection when connection establishment fails +// Test initiateOneReverseConnection when connection establishment fails. TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionFailure) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // First call maintainClusterConnections to create HostConnectionInfo entries + // First call maintainClusterConnections to create HostConnectionInfo entries. RemoteClusterConnectionConfig cluster_config("test-cluster", 2); maintainClusterConnections("test-cluster", cluster_config); // Mock tcpConn to return null connection (simulating connection failure) Upstream::MockHost::MockCreateConnectionData failed_conn_data; - failed_conn_data.connection_ = nullptr; // Connection creation failed + failed_conn_data.connection_ = nullptr; // Connection creation failed failed_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(failed_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(failed_conn_data)); - // Call initiateOneReverseConnection - should fail + // Call initiateOneReverseConnection - should fail. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_FALSE(result); - // Verify that CannotConnect stats are set - // Calculation: 3 increments total + // Verify that CannotConnect stats are set. + // Calculation: 3 increments total. // - 2 increments from maintainClusterConnections (target_connection_count = 2) // - 1 increment from our direct call to initiateOneReverseConnection auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.cannot_connect"], 3); } -// Test initiateOneReverseConnection when connection establishment is successful +// Test initiateOneReverseConnection when connection establishment is successful. TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionSuccess) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry using helper method + // Create HostConnectionInfo entry using helper method. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Set up mock for successful connection + // Set up mock for successful connection. auto mock_connection = std::make_unique>(); Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection - should succeed + // Call initiateOneReverseConnection - should succeed. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify that Connecting stats are set + // Verify that Connecting stats are set. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); - // Verify that connection wrapper is added to the map + // Verify that connection wrapper is added to the map. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); +} + +// Test maintainClusterConnections skips hosts that already have enough connections. +TEST_F(ReverseConnectionIOHandleTest, MaintainClusterConnectionsSkipsHostsWithEnoughConnections) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); // Only need 1 connection + maintainClusterConnections("test-cluster", cluster_config); + + // Manually add a connection key to simulate having enough connections. + const auto& host_info = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info.connection_keys.size(), 0); // Initially no connections + + // Manually add a connection key to the host info to simulate having enough connections. + auto& mutable_host_info = getMutableHostConnectionInfo("192.168.1.1"); + mutable_host_info.connection_keys.insert("fake-connection-key"); + + // Verify we now have enough connections. + EXPECT_EQ(getHostConnectionInfo("192.168.1.1").connection_keys.size(), 1); + + // Call maintainClusterConnections again - should skip the host since it has enough connections. + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that no additional connection attempts were made. + // The host should still have exactly 1 connection. + EXPECT_EQ(getHostConnectionInfo("192.168.1.1").connection_keys.size(), 1); +} - // Verify that wrapper is mapped to the host +// Test initiateOneReverseConnection with empty host address. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionEmptyHostAddress) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call initiateOneReverseConnection with empty host address - should fail. + bool result = initiateOneReverseConnection("test-cluster", "", nullptr); + EXPECT_FALSE(result); + + // When host address is empty, only cluster stats are updated. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.cannot_connect"], 1); +} + +// Test initiateOneReverseConnection with non-existent cluster. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionNonExistentCluster) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up cluster manager to return nullptr for non-existent cluster. + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("non-existent-cluster")) + .WillOnce(Return(nullptr)); + + // Call initiateOneReverseConnection with non-existent cluster - should fail. + bool result = initiateOneReverseConnection("non-existent-cluster", "192.168.1.1", nullptr); + EXPECT_FALSE(result); + + // When cluster is not found, both host and cluster stats are updated. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.cannot_connect"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], + 1); + + // No wrapper should be created since the cluster doesn't exist. const auto& wrapper_to_host_map = getConnWrapperToHostMap(); - EXPECT_EQ(wrapper_to_host_map.size(), 1); - EXPECT_EQ(wrapper_to_host_map.begin()->second, "192.168.1.1"); + EXPECT_EQ(wrapper_to_host_map.size(), 0); } -// Test mixed success and failure scenarios for multiple connection attempts +// Test mixed success and failure scenarios for multiple connection attempts. TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with hosts + // Create host map with hosts. auto host_map = std::make_shared(); auto mock_host1 = createMockHost("192.168.1.1"); auto mock_host2 = createMockHost("192.168.1.2"); @@ -1785,23 +2185,23 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entries for all hosts with target count of 3 + // Create HostConnectionInfo entries for all hosts with target count of 3. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); // Host 1 - addHostConnectionInfo("192.168.1.2", "test-cluster", 1); // Host 2 + addHostConnectionInfo("192.168.1.2", "test-cluster", 1); // Host 2 addHostConnectionInfo("192.168.1.3", "test-cluster", 1); // Host 3 // Set up connection outcomes in sequence: // 1. First host: successful connection // 2. Second host: null connection (failure) // 3. Third host: successful connection - + auto mock_connection1 = std::make_unique>(); Upstream::MockHost::MockCreateConnectionData success_conn_data1; success_conn_data1.connection_ = mock_connection1.get(); success_conn_data1.host_description_ = mock_host1; Upstream::MockHost::MockCreateConnectionData failed_conn_data; - failed_conn_data.connection_ = nullptr; // Connection creation failed + failed_conn_data.connection_ = nullptr; // Connection creation failed failed_conn_data.host_description_ = mock_host2; auto mock_connection3 = std::make_unique>(); @@ -1809,26 +2209,27 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { success_conn_data3.connection_ = mock_connection3.get(); success_conn_data3.host_description_ = mock_host3; - // Set up connection attempts with host-specific expectations + // Set up connection attempts with host-specific expectations. EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillRepeatedly(testing::Invoke([&](Upstream::LoadBalancerContext* context) { - // Cast to our custom context to get the host address - auto* reverse_context = dynamic_cast(context); + .WillRepeatedly(testing::Invoke([success_conn_data1, failed_conn_data, + success_conn_data3](Upstream::LoadBalancerContext* context) { + auto* reverse_context = + dynamic_cast(context); EXPECT_NE(reverse_context, nullptr); - + auto override_host = reverse_context->overrideHostToSelect(); EXPECT_TRUE(override_host.has_value()); - + std::string host_address = std::string(override_host->first); - + if (host_address == "192.168.1.1") { - return success_conn_data1; // First host: success + return success_conn_data1; // First host: success } else if (host_address == "192.168.1.2") { - return failed_conn_data; // Second host: failure + return failed_conn_data; // Second host: failure } else if (host_address == "192.168.1.3") { - return success_conn_data3; // Third host: success + return success_conn_data3; // Third host: success } else { - // Unexpected host + // Unexpected host. EXPECT_TRUE(false) << "Unexpected host address: " << host_address; return failed_conn_data; } @@ -1837,73 +2238,68 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { mock_connection1.release(); mock_connection3.release(); - // Create 1 connection per host + // Create 1 connection per host. RemoteClusterConnectionConfig cluster_config("test-cluster", 1); - // Call maintainClusterConnections which will attempt connections to all hosts + // Call maintainClusterConnections which will attempt connections to all hosts. maintainClusterConnections("test-cluster", cluster_config); - // Verify final stats + // Verify final stats. auto stat_map = extension_->getCrossWorkerStatMap(); - - // Print stats for debugging - std::cout << "=== Mixed Results Stats ===" << std::endl; - for (const auto& [key, value] : stat_map) { - if (key.find("192.168.1") != std::string::npos) { - std::cout << "Stat: " << key << " = " << value << std::endl; - } - } - std::cout << "============================" << std::endl; - // Verify connecting stats for successful connections + // Verify connecting stats for successful connections. EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); // Success EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.3.connecting"], 1); // Success - // Verify cannot_connect stats for failed connection - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.cannot_connect"], 1); // Failed + // Verify cannot_connect stats for failed connection. + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.cannot_connect"], + 1); // Failed - // Verify cluster-level stats for test-cluster - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 2); // 2 successful connections - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.cannot_connect"], 1); // 1 failed connection + // Verify cluster-level stats for test-cluster. + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 2); // 2 successful connections + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.cannot_connect"], + 1); // 1 failed connection // Verify that only 2 connection wrappers were created (for successful connections) const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 2); - // Verify that wrappers are mapped to successful hosts only + // Verify that wrappers are mapped to successful hosts only. const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 2); - - // Count hosts in the mapping + + // Count hosts in the mapping. std::set mapped_hosts; for (const auto& [wrapper, host] : wrapper_to_host_map) { mapped_hosts.insert(host); } - EXPECT_EQ(mapped_hosts.size(), 2); // Should have 2 successful hosts + EXPECT_EQ(mapped_hosts.size(), 2); // Should have 2 successful hosts EXPECT_NE(mapped_hosts.find("192.168.1.1"), mapped_hosts.end()); // Success - EXPECT_EQ(mapped_hosts.find("192.168.1.2"), mapped_hosts.end()); // Failed - not in map + EXPECT_EQ(mapped_hosts.find("192.168.1.2"), mapped_hosts.end()); // Failed - not in map EXPECT_NE(mapped_hosts.find("192.168.1.3"), mapped_hosts.end()); // Success } -// Test removeStaleHostAndCloseConnections removes host and closes connections +// Test removeStaleHostAndCloseConnections removes host and closes connections. TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with multiple hosts + // Create host map with multiple hosts. auto host_map = std::make_shared(); auto mock_host1 = createMockHost("192.168.1.1"); auto mock_host2 = createMockHost("192.168.1.2"); @@ -1912,7 +2308,7 @@ TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Set up successful connections for both hosts + // Set up successful connections for both hosts. auto mock_connection1 = std::make_unique>(); Upstream::MockHost::MockCreateConnectionData success_conn_data1; success_conn_data1.connection_ = mock_connection1.get(); @@ -1923,24 +2319,25 @@ TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { success_conn_data2.connection_ = mock_connection2.get(); success_conn_data2.host_description_ = mock_host2; - // Set up connection attempts with host-specific expectations + // Set up connection attempts with host-specific expectations. EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) .WillRepeatedly(testing::Invoke([&](Upstream::LoadBalancerContext* context) { - // Cast to our custom context to get the host address - auto* reverse_context = dynamic_cast(context); + // Cast to our custom context to get the host address. + auto* reverse_context = + dynamic_cast(context); EXPECT_NE(reverse_context, nullptr); - + auto override_host = reverse_context->overrideHostToSelect(); EXPECT_TRUE(override_host.has_value()); - + std::string host_address = std::string(override_host->first); - + if (host_address == "192.168.1.1") { - return success_conn_data1; // First host: success + return success_conn_data1; // First host: success } else if (host_address == "192.168.1.2") { - return success_conn_data2; // Second host: success + return success_conn_data2; // Second host: success } else { - // Unexpected host + // Unexpected host. EXPECT_TRUE(false) << "Unexpected host address: " << host_address; return success_conn_data1; // Default fallback } @@ -1949,16 +2346,17 @@ TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { mock_connection1.release(); mock_connection2.release(); - // First call maintainClusterConnections to create HostConnectionInfo entries and connection wrappers + // First call maintainClusterConnections to create HostConnectionInfo entries and connection. + // wrappers RemoteClusterConnectionConfig cluster_config("test-cluster", 1); maintainClusterConnections("test-cluster", cluster_config); - // Verify both hosts are initially present + // Verify both hosts are initially present. EXPECT_EQ(getHostToConnInfoMap().size(), 2); EXPECT_NE(getHostToConnInfoMap().find("192.168.1.1"), getHostToConnInfoMap().end()); EXPECT_NE(getHostToConnInfoMap().find("192.168.1.2"), getHostToConnInfoMap().end()); - // Verify that connection wrappers were created by maintainClusterConnections + // Verify that connection wrappers were created by maintainClusterConnections. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 2); // One wrapper per host EXPECT_EQ(getConnWrapperToHostMap().size(), 2); @@ -1966,13 +2364,14 @@ TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { // Call removeStaleHostAndCloseConnections to remove host 192.168.1.1 removeStaleHostAndCloseConnections("192.168.1.1"); - // Verify that host 192.168.1.1 is still in host_to_conn_info_map_ (removeStaleHostAndCloseConnections doesn't remove it) + // Verify that host 192.168.1.1 is still in host_to_conn_info_map_ + // (removeStaleHostAndCloseConnections doesn't remove it) EXPECT_EQ(getHostToConnInfoMap().size(), 2); EXPECT_NE(getHostToConnInfoMap().find("192.168.1.1"), getHostToConnInfoMap().end()); EXPECT_NE(getHostToConnInfoMap().find("192.168.1.2"), getHostToConnInfoMap().end()); - // Verify that connection wrappers for the removed host are removed - EXPECT_EQ(getConnectionWrappers().size(), 1); // Only host 192.168.1.2's wrapper remains + // Verify that connection wrappers for the removed host are removed. + EXPECT_EQ(getConnectionWrappers().size(), 1); // Only host 192.168.1.2's wrapper remains EXPECT_EQ(getConnWrapperToHostMap().size(), 1); // Only host 192.168.1.2's mapping remains // Verify that host 192.168.1.2's wrapper is still present and unaffected @@ -1981,174 +2380,198 @@ TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { EXPECT_EQ(wrapper_to_host_map.begin()->second, "192.168.1.2"); // Only 192.168.1.2 should remain } -// Test read() method - should delegate to base class +// Test read() method - should delegate to base class. TEST_F(ReverseConnectionIOHandleTest, ReadMethod) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Create a buffer to read into + // Create a buffer to read into. Buffer::OwnedImpl buffer; - - // Call read() - should delegate to base class implementation + + // Call read() - should delegate to base class implementation. auto result = io_handle_->read(buffer, absl::optional(100)); - - // Should return a valid result + + // Should return a valid result. EXPECT_NE(result.err_, nullptr); } -// Test write() method - should delegate to base class +// Test write() method - should delegate to base class. TEST_F(ReverseConnectionIOHandleTest, WriteMethod) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Create a buffer to write from + // Create a buffer to write from. Buffer::OwnedImpl buffer; buffer.add("test data"); - - // Call write() - should delegate to base class implementation + + // Call write() - should delegate to base class implementation. auto result = io_handle_->write(buffer); - - // Should return a valid result + + // Should return a valid result. EXPECT_NE(result.err_, nullptr); } -// Test connect() method - should delegate to base class +// Test connect() method - should delegate to base class. TEST_F(ReverseConnectionIOHandleTest, ConnectMethod) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Create a mock address + // Create a mock address. auto address = std::make_shared("127.0.0.1", 8080); - - // Call connect() - should delegate to base class implementation + + // Call connect() - should delegate to base class implementation. auto result = io_handle_->connect(address); - - // Should return a valid result + + // Should return a valid result. EXPECT_NE(result.errno_, 0); // Should fail since we're not actually connecting } -// Test onEvent() method - should delegate to base class +// Test onEvent() method - should delegate to base class. TEST_F(ReverseConnectionIOHandleTest, OnEventMethod) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Call onEvent() with a mock event - no-op + // Call onEvent() with a mock event - no-op. io_handle_->onEvent(Network::ConnectionEvent::LocalClose); } +// Test RCConnectionWrapper::onEvent with null connection. +TEST_F(ReverseConnectionIOHandleTest, RCConnectionWrapperOnEventWithNullConnection) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Release the connection to make it null. + wrapper.releaseConnection(); + + // Call onEvent with RemoteClose event - should handle null connection gracefully. + wrapper.onEvent(Network::ConnectionEvent::RemoteClose); +} + // onConnectionDone Unit Tests -// Early returns in onConnectionDone without calling initiateOneReverseConnection +// Early returns in onConnectionDone without calling initiateOneReverseConnection. TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneEarlyReturns) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); // Test 1.1: Null wrapper - should return early io_handle_->onConnectionDone("test error", nullptr, false); - - // Verify no stats were updated + + // Verify no stats were updated. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map.size(), 0); // Test 1.2: Empty conn_wrapper_to_host_map_ - should return early // Create a dummy wrapper pointer (we can't easily mock RCConnectionWrapper directly) RCConnectionWrapper* wrapper_ptr = reinterpret_cast(0x12345678); - - // Verify the map is empty + + // Verify the map is empty. const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 0); - + io_handle_->onConnectionDone("test error", wrapper_ptr, false); - - // Verify no stats were updated + + // Verify no stats were updated. stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map.size(), 0); // Test 1.3: Empty host_to_conn_info_map_ - should return early after finding wrapper - // First add wrapper to the map but no host info + // First add wrapper to the map but no host info. addWrapperToHostMap(wrapper_ptr, "192.168.1.1"); - - // Verify host info map is empty + + // Verify host info map is empty. const auto& host_to_conn_info_map = getHostToConnInfoMap(); EXPECT_EQ(host_to_conn_info_map.size(), 0); - + io_handle_->onConnectionDone("test error", wrapper_ptr, false); - - // Verify wrapper was removed from map but no stats updated + + // Verify wrapper was removed from map but no stats updated. EXPECT_EQ(getConnWrapperToHostMap().size(), 0); stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map.size(), 0); } -// Connection success scenario - test stats and wrapper creation and mapping +// Connection success scenario - test stats and wrapper creation and mapping. TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneSuccess) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Create trigger pipe BEFORE initiating connection to ensure it's ready + // Create trigger pipe BEFORE initiating connection to ensure it's ready. createTriggerPipe(); EXPECT_TRUE(isTriggerPipeReady()); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Create a successful connection - auto mock_connection = std::make_unique>(); + // Create a successful connection. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper + // Call initiateOneReverseConnection to create the wrapper. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Verify initial state - no established connections yet + // Verify initial state - no established connections yet. EXPECT_EQ(getEstablishedConnectionsSize(), 0); - // Call onConnectionDone to simulate successful connection completion + // Call onConnectionDone to simulate successful connection completion. io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); // Verify wrapper was removed from tracking (cleanup should happen) @@ -2158,225 +2581,240 @@ TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneSuccess) { // Verify that connection was pushed to established_connections_ EXPECT_EQ(getEstablishedConnectionsSize(), 1); - // Verify that trigger mechanism was executed - // Read 1 byte from the pipe to verify the trigger was written + // Verify that trigger mechanism was executed. + // Read 1 byte from the pipe to verify the trigger was written. char trigger_byte; int pipe_read_fd = getTriggerPipeReadFd(); EXPECT_GE(pipe_read_fd, 0); - + ssize_t bytes_read = ::read(pipe_read_fd, &trigger_byte, 1); EXPECT_EQ(bytes_read, 1) << "Expected to read 1 byte from trigger pipe, got " << bytes_read; - EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " << static_cast(trigger_byte); + EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " + << static_cast(trigger_byte); } -// Test 3: Connection failure and recovery scenario +// Test 3: Connection failure and recovery scenario. TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneFailureAndRecovery) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Step 1: Create initial connection - auto mock_connection1 = std::make_unique>(); + // Step 1: Create initial connection. + auto mock_connection1 = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data1; success_conn_data1.connection_ = mock_connection1.get(); success_conn_data1.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data1)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data1)); mock_connection1.release(); - // Call initiateOneReverseConnection to create the wrapper + // Call initiateOneReverseConnection to create the wrapper. bool result1 = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result1); - // Get the wrapper + // Get the wrapper. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Verify host and cluster stats after connection initiation + // Verify host and cluster stats after connection initiation. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); - // Step 2: Simulate connection failure by calling onConnectionDone with error + // Step 2: Simulate connection failure by calling onConnectionDone with error. io_handle_->onConnectionDone("connection timeout", wrapper_ptr, true); - // Verify wrapper was removed from tracking maps after failure + // Verify wrapper was removed from tracking maps after failure. EXPECT_EQ(getConnWrapperToHostMap().size(), 0); EXPECT_EQ(getConnectionWrappers().size(), 0); - // Verify failure stats - onConnectionDone should have called trackConnectionFailure + // Verify failure stats - onConnectionDone should have called trackConnectionFailure. stat_map = extension_->getCrossWorkerStatMap(); - + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], + 0); // Should be decremented EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 0); // Should be decremented - // Verify host is now in backoff + // Verify host is now in backoff. EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); - // Step 3: Create a new connection for recovery - auto mock_connection2 = std::make_unique>(); + // Step 3: Create a new connection for recovery. + auto mock_connection2 = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data2; success_conn_data2.connection_ = mock_connection2.get(); success_conn_data2.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data2)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data2)); mock_connection2.release(); - // Call initiateOneReverseConnection again for recovery + // Call initiateOneReverseConnection again for recovery. bool result2 = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result2); - // Verify new wrapper was created and mapped + // Verify new wrapper was created and mapped. const auto& connection_wrappers2 = getConnectionWrappers(); EXPECT_EQ(connection_wrappers2.size(), 1); - + const auto& wrapper_to_host_map2 = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map2.size(), 1); - + RCConnectionWrapper* wrapper_ptr2 = connection_wrappers2[0].get(); EXPECT_EQ(wrapper_to_host_map2.at(wrapper_ptr2), "192.168.1.1"); - // Verify stats after recovery connection initiation + // Verify stats after recovery connection initiation. stat_map = extension_->getCrossWorkerStatMap(); - - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); // New connection - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); // New connection - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); // Reset by initiateOneReverseConnection - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 0); // Reset by initiateOneReverseConnection - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); // Recovery recorded - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], 1); // Recovery recorded - - // Step 4: Simulate connection success (recovery) by calling onConnectionDone with success + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], + 1); // New connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 1); // New connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], + 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], + 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], + 1); // Recovery recorded + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], + 1); // Recovery recorded + + // Step 4: Simulate connection success (recovery) by calling onConnectionDone with success. io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr2, false); - // Verify wrapper was removed from tracking maps after success + // Verify wrapper was removed from tracking maps after success. EXPECT_EQ(getConnWrapperToHostMap().size(), 0); EXPECT_EQ(getConnectionWrappers().size(), 0); - // Verify recovery stats - onConnectionDone should have called resetHostBackoff + // Verify recovery stats - onConnectionDone should have called resetHostBackoff. stat_map = extension_->getCrossWorkerStatMap(); - + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connected"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 0); // Should be decremented - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], + 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], + 0); // Reset by initiateOneReverseConnection EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connected"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 0); - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 0); // Should be decremented - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], + 0); // Reset by initiateOneReverseConnection - // Verify host is no longer in backoff + // Verify host is no longer in backoff. EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); - // Verify final state - all maps should be clean + // Verify final state - all maps should be clean. EXPECT_EQ(getConnWrapperToHostMap().size(), 0); EXPECT_EQ(getConnectionWrappers().size(), 0); - + // Verify host info is still present (should not be removed) const auto& host_to_conn_info_map = getHostToConnInfoMap(); EXPECT_EQ(host_to_conn_info_map.size(), 1); EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); } -// Test downstream connection closure and re-initiation +// Test downstream connection closure and re-initiation. TEST_F(ReverseConnectionIOHandleTest, OnDownstreamConnectionClosedTriggersReInitiation) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - + auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Create trigger pipe BEFORE initiating connection to ensure it's ready + // Create trigger pipe BEFORE initiating connection to ensure it's ready. createTriggerPipe(); EXPECT_TRUE(isTriggerPipeReady()); - // Set up mock thread local cluster + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Step 1: Create initial connection - auto mock_connection = std::make_unique>(); + // Step 1: Create initial connection. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper + // Call initiateOneReverseConnection to create the wrapper. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Verify initial state - no established connections yet + // Verify initial state - no established connections yet. EXPECT_EQ(getEstablishedConnectionsSize(), 0); - // Step 2: Simulate successful connection completion + // Step 2: Simulate successful connection completion. io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); // Verify wrapper was removed from tracking (cleanup should happen) @@ -2386,165 +2824,164 @@ TEST_F(ReverseConnectionIOHandleTest, OnDownstreamConnectionClosedTriggersReInit // Verify that connection was pushed to established_connections_ EXPECT_EQ(getEstablishedConnectionsSize(), 1); - // Verify that trigger mechanism was executed + // Verify that trigger mechanism was executed. char trigger_byte; int pipe_read_fd = getTriggerPipeReadFd(); EXPECT_GE(pipe_read_fd, 0); - + ssize_t bytes_read = ::read(pipe_read_fd, &trigger_byte, 1); EXPECT_EQ(bytes_read, 1) << "Expected to read 1 byte from trigger pipe, got " << bytes_read; - EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " << static_cast(trigger_byte); + EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " + << static_cast(trigger_byte); - // Step 3: Get the actual connection key that was used for tracking - // The connection key should be the local address of the connection + // Step 3: Get the actual connection key that was used for tracking. + // The connection key should be the local address of the connection. auto host_it = getHostToConnInfoMap().find("192.168.1.1"); EXPECT_NE(host_it, getHostToConnInfoMap().end()); - - // The connection key should have been added during onConnectionDone - // Let's find what connection key was actually used + + // The connection key should have been added during onConnectionDone. + // Let's find what connection key was actually used. std::string connection_key; if (!host_it->second.connection_keys.empty()) { connection_key = *host_it->second.connection_keys.begin(); ENVOY_LOG_MISC(debug, "Found connection key: {}", connection_key); } else { - // If no connection key was added, use a mock one for testing + // If no connection key was added, use a mock one for testing. connection_key = "192.168.1.1:12345"; ENVOY_LOG_MISC(debug, "No connection key found, using mock: {}", connection_key); } - // Step 4: Simulate downstream connection closure + // Step 4: Simulate downstream connection closure. io_handle_->onDownstreamConnectionClosed(connection_key); - // Verify connection key is removed from host tracking + // Verify connection key is removed from host tracking. host_it = getHostToConnInfoMap().find("192.168.1.1"); EXPECT_NE(host_it, getHostToConnInfoMap().end()); EXPECT_EQ(host_it->second.connection_keys.count(connection_key), 0); - // Step 5: Set up expectation for new connection attempts - auto mock_connection2 = std::make_unique>(); + // Step 5: Set up expectation for new connection attempts. + auto mock_connection2 = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data2; success_conn_data2.connection_ = mock_connection2.get(); success_conn_data2.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data2)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data2)); mock_connection2.release(); - // Step 6: Trigger maintenance cycle to verify re-initiation + // Step 6: Trigger maintenance cycle to verify re-initiation. RemoteClusterConnectionConfig cluster_config("test-cluster", 1); - + maintainClusterConnections("test-cluster", cluster_config); - // Since the connection key was removed, the host should need a new connection + // Since the connection key was removed, the host should need a new connection. // and initiateOneReverseConnection should be called again - - // Verify that a new wrapper was created + + // Verify that a new wrapper was created. const auto& connection_wrappers2 = getConnectionWrappers(); EXPECT_EQ(connection_wrappers2.size(), 1); - + const auto& wrapper_to_host_map2 = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map2.size(), 1); - + RCConnectionWrapper* wrapper_ptr2 = connection_wrappers2[0].get(); EXPECT_EQ(wrapper_to_host_map2.at(wrapper_ptr2), "192.168.1.1"); - // Verify stats show new connection attempt + // Verify stats show new connection attempt. auto stat_map = extension_->getCrossWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); } -// Test ReverseConnectionIOHandle::close() method without trigger pipe +// Test ReverseConnectionIOHandle::close() method without trigger pipe. TEST_F(ReverseConnectionIOHandleTest, CloseMethodWithoutTriggerPipe) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Verify initial state - trigger pipe not ready + // Verify initial state - trigger pipe not ready. EXPECT_FALSE(isTriggerPipeReady()); - + // Get initial file descriptor (this is the original socket FD) int initial_fd = io_handle_->fdDoNotUse(); - std::cout << "initial_fd: " << initial_fd << std::endl; EXPECT_GE(initial_fd, 0); - - // Call close() - should close only the original socket FD and delegate to base class + + // Call close() - should close only the original socket FD and delegate to base class. auto result = io_handle_->close(); - - // After close(), the FD should be -1 + + // After close(), the FD should be -1. EXPECT_EQ(io_handle_->fdDoNotUse(), -1); } -// Test ReverseConnectionIOHandle::close() method with trigger pipe +// Test ReverseConnectionIOHandle::close() method with trigger pipe. TEST_F(ReverseConnectionIOHandleTest, CloseMethodWithTriggerPipe) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - - // Get the original socket FD before creating trigger pipe + + // Get the original socket FD before creating trigger pipe. int original_socket_fd = io_handle_->fdDoNotUse(); EXPECT_GE(original_socket_fd, 0); - // Create trigger pipe and initialize file event to set up the scenario where fd_ points to trigger pipe - // Mock file event callback + // Create trigger pipe and initialize file event to set up the scenario where fd_ points to. + // trigger pipe Mock file event callback Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; - - // Initialize file event to ensure the monitored FD is set to the trigger pipe - io_handle_->initializeFileEvent(dispatcher_, mock_callback, - Event::FileTriggerType::Level, Event::FileReadyType::Read); + + // Initialize file event to ensure the monitored FD is set to the trigger pipe. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); EXPECT_TRUE(isTriggerPipeReady()); - + // Get the pipe monitor FD (this becomes the monitored fd_ after initializeFileEvent) int pipe_monitor_fd = getTriggerPipeReadFd(); EXPECT_GE(pipe_monitor_fd, 0); EXPECT_NE(original_socket_fd, pipe_monitor_fd); // Should be different FDs - - // Verify that the active FD is now the pipe monitor FD + + // Verify that the active FD is now the pipe monitor FD. EXPECT_EQ(io_handle_->fdDoNotUse(), pipe_monitor_fd); - + // Call close() - should: // 1. Close the original socket FD (original_socket_fd_) // 2. Let base class close() handle fd_ - auto result = io_handle_->close(); - std::cout << "result: " << result.return_value_ << std::endl; + auto result = io_handle_->close(); EXPECT_EQ(result.return_value_, 0); EXPECT_EQ(io_handle_->fdDoNotUse(), -1); } -// Test ReverseConnectionIOHandle::cleanup() method +// Test ReverseConnectionIOHandle::cleanup() method. TEST_F(ReverseConnectionIOHandleTest, CleanupMethod) { auto config = createDefaultTestConfig(); io_handle_ = createTestIOHandle(config); EXPECT_NE(io_handle_, nullptr); - // Set up initial state with trigger pipe + // Set up initial state with trigger pipe. createTriggerPipe(); EXPECT_TRUE(isTriggerPipeReady()); EXPECT_GE(getTriggerPipeReadFd(), 0); EXPECT_GE(getTriggerPipeWriteFd(), 0); - // Add some host connection info + // Add some host connection info. addHostConnectionInfo("192.168.1.1", "test-cluster", 2); addHostConnectionInfo("192.168.1.2", "test-cluster", 1); - // Verify initial state + // Verify initial state. EXPECT_EQ(getHostToConnInfoMap().size(), 2); EXPECT_TRUE(isTriggerPipeReady()); - // Call cleanup() - should reset all resources + // Call cleanup() - should reset all resources. cleanup(); - // Verify that trigger pipe FDs are reset to -1 + // Verify that trigger pipe FDs are reset to -1. EXPECT_FALSE(isTriggerPipeReady()); EXPECT_EQ(getTriggerPipeReadFd(), -1); EXPECT_EQ(getTriggerPipeWriteFd(), -1); - // Verify that host connection info is cleared + // Verify that host connection info is cleared. EXPECT_EQ(getHostToConnInfoMap().size(), 0); - // Verify that connection wrappers are cleared + // Verify that connection wrappers are cleared. EXPECT_EQ(getConnectionWrappers().size(), 0); EXPECT_EQ(getConnWrapperToHostMap().size(), 0); @@ -2552,9 +2989,89 @@ TEST_F(ReverseConnectionIOHandleTest, CleanupMethod) { EXPECT_GE(io_handle_->fdDoNotUse(), 0); } -// ============================================================================ -// RCConnectionWrapper Tests -// ============================================================================ +// Test ReverseConnectionIOHandle::onAboveWriteBufferHighWatermark method (no-op) +TEST_F(ReverseConnectionIOHandleTest, OnAboveWriteBufferHighWatermark) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call onAboveWriteBufferHighWatermark - should be a no-op. + io_handle_->onAboveWriteBufferHighWatermark(); + // The test passes if no exceptions are thrown. +} + +// Test ReverseConnectionIOHandle::onBelowWriteBufferLowWatermark method (no-op) +TEST_F(ReverseConnectionIOHandleTest, OnBelowWriteBufferLowWatermark) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call onBelowWriteBufferLowWatermark - should be a no-op. + io_handle_->onBelowWriteBufferLowWatermark(); + // The test passes if no exceptions are thrown. +} + +// Test updateStateGauge() method with null extension. +TEST_F(ReverseConnectionIOHandleTest, UpdateStateGaugeWithNullExtension) { + // Create a test IO handle with null extension BEFORE setting up thread local slot. + auto config = createDefaultTestConfig(); + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + + auto io_handle_null_extension = std::make_unique( + test_fd, config, cluster_manager_, nullptr, *stats_scope_); + + // Call updateConnectionState which internally calls updateStateGauge. + // This should exit early when extension is null. + io_handle_null_extension->updateConnectionState("test-host2", "test-cluster", "test-key2", + ReverseConnectionState::Connected); + + // Now set up thread local slot and create a test IO handle with extension. + setupThreadLocalSlot(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + io_handle_->updateConnectionState("test-host", "test-cluster", "test-key", + ReverseConnectionState::Connected); + + // Verify that stats were updated with extension. + auto stat_map_with_extension = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_with_extension["test_scope.reverse_connections.host.test-host.connected"], 1); + EXPECT_EQ( + stat_map_with_extension["test_scope.reverse_connections.cluster.test-cluster.connected"], 1); + + // Check that no stats exist for the null extension call + EXPECT_EQ(stat_map_with_extension["test_scope.reverse_connections.host.test-host2.connected"], 0); +} + +// Test updateStateGauge() method with unknown state. +TEST_F(ReverseConnectionIOHandleTest, UpdateStateGaugeWithUnknownState) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Create a test IO handle with extension. + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // First ensure host entry exists so the updateConnectionState call doesn't fail. + addHostConnectionInfo("test-host", "test-cluster", 1); + + // Call updateConnectionState with an unknown state value. + // We'll use a value that's not in the enum to trigger the default case. + io_handle_->updateConnectionState("test-host", "test-cluster", "test-key", + static_cast(999)); + + // Verify that the unknown state was handled correctly by checking if a gauge was created + // with "unknown" suffix. + auto stat_map = extension_->getCrossWorkerStatMap(); + + // The unknown state should have been handled and a gauge with "unknown" suffix should exist. + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.test-host.unknown"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.unknown"], 1); +} + +// RCConnectionWrapper Tests. class RCConnectionWrapperTest : public testing::Test { protected: @@ -2574,7 +3091,8 @@ class RCConnectionWrapperTest : public testing::Test { } void setupThreadLocalSlot() { - thread_local_registry_ = std::make_shared(dispatcher_, *stats_scope_); + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); thread_local_.setDispatcher(&dispatcher_); tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); @@ -2590,47 +3108,52 @@ class RCConnectionWrapperTest : public testing::Test { return config; } - std::unique_ptr createTestIOHandle(const ReverseConnectionSocketConfig& config) { + std::unique_ptr + createTestIOHandle(const ReverseConnectionSocketConfig& config) { int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); EXPECT_GE(test_fd, 0); - return std::make_unique( - test_fd, config, cluster_manager_, extension_.get(), *stats_scope_); + return std::make_unique(test_fd, config, cluster_manager_, + extension_.get(), *stats_scope_); } - // Connection Management Helpers - + // Connection Management Helpers. + bool initiateOneReverseConnection(const std::string& cluster_name, const std::string& host_address, Upstream::HostConstSharedPtr host) { return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); } - // Data Access Helpers - + // Data Access Helpers. + const std::vector>& getConnectionWrappers() const { return io_handle_->connection_wrappers_; } - const std::unordered_map& getConnWrapperToHostMap() const { + const absl::flat_hash_map& getConnWrapperToHostMap() const { return io_handle_->conn_wrapper_to_host_map_; } - // Test Data Setup Helpers - - void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, uint32_t target_count) { - io_handle_->host_to_conn_info_map_[host_address] = ReverseConnectionIOHandle::HostConnectionInfo{ - host_address, - cluster_name, - {}, // connection_keys - empty set initially - target_count, // target_connection_count - 0, // failure_count - std::chrono::steady_clock::now(), // last_failure_time - std::chrono::steady_clock::now(), // backoff_until - {} // connection_states - }; + // Test Data Setup Helpers. + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, + uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = + ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states + }; } - // Helper to create a mock host + // Helper to create a mock host. Upstream::HostConstSharedPtr createMockHost(const std::string& address) { auto mock_host = std::make_shared>(); auto mock_address = std::make_shared(address, 8080); @@ -2638,82 +3161,121 @@ class RCConnectionWrapperTest : public testing::Test { return mock_host; } - // Test fixtures + // Helper method to set up mock connection with proper socket expectations. + std::unique_ptr> setupMockConnection() { + auto mock_connection = std::make_unique>(); + + // Create a mock socket for the connection. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Cast the mock to the base ConnectionSocket type and store it in member variable. + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection expectations for getSocket() + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + return mock_connection; + } + + // Test fixtures. NiceMock context_; NiceMock thread_local_; NiceMock cluster_manager_; Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_{"worker_0"}; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface config_; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; std::unique_ptr extension_; std::unique_ptr io_handle_; std::unique_ptr> tls_slot_; std::shared_ptr thread_local_registry_; + + // Mock socket for testing. + std::unique_ptr mock_socket_; }; // Test RCConnectionWrapper::connect() method with HTTP/1.1 handshake success TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { - // Create a mock connection + // Create a mock connection. auto mock_connection = std::make_unique>(); - - // Set up connection expectations - EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)).Times(1); - EXPECT_CALL(*mock_connection, addReadFilter(_)).Times(1); - EXPECT_CALL(*mock_connection, connect()).Times(1); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - - // Set up socket expectations for address info + + // Set up socket expectations for address info. auto mock_address = std::make_shared("192.168.1.1", 8080); auto mock_local_address = std::make_shared("127.0.0.1", 12345); - - // Set up connection info provider expectations directly on the mock connection - EXPECT_CALL(*mock_connection, connectionInfoProvider()).WillRepeatedly(Invoke([mock_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { - static auto mock_provider = std::make_unique(mock_local_address, mock_address); - return *mock_provider; - })); - - // Capture the written buffer to verify HTTP POST content + + // Set up connection info provider expectations directly on the mock connection. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_address, + mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Capture the written buffer to verify HTTP POST content. Buffer::OwnedImpl captured_buffer; EXPECT_CALL(*mock_connection, write(_, _)) - .WillOnce(Invoke([&captured_buffer](Buffer::Instance& buffer, bool) { - captured_buffer.add(buffer); - })); - - // Create a mock host + .WillOnce(Invoke( + [&captured_buffer](Buffer::Instance& buffer, bool) { captured_buffer.add(buffer); })); + + // Create a mock host. auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call connect() method + + // Call connect() method. std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); - - // Verify connect() returns the local address + + // Verify connect() returns the local address. EXPECT_EQ(result, "127.0.0.1:12345"); - - // Verify the HTTP POST request content + + // Verify the HTTP POST request content. std::string written_data = captured_buffer.toString(); - - // Check HTTP headers + + // Check HTTP headers. EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); EXPECT_THAT(written_data, testing::HasSubstr("Host: 192.168.1.1:8080")); EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); - - // Check that the body contains the protobuf serialized data - // The protobuf should contain tenant_uuid, cluster_uuid, and node_uuid + + // Check that the body contains the protobuf serialized data. + // The protobuf should contain tenant_uuid, cluster_uuid, and node_uuid. EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers - + // Extract the body (everything after the double CRLF) size_t body_start = written_data.find("\r\n\r\n"); EXPECT_NE(body_start, std::string::npos); std::string body = written_data.substr(body_start + 4); EXPECT_FALSE(body.empty()); - - // Verify the protobuf content by deserializing it - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + + // Verify the protobuf content by deserializing it. + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; bool parse_success = arg.ParseFromString(body); EXPECT_TRUE(parse_success); EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); @@ -2721,608 +3283,652 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { EXPECT_EQ(arg.node_uuid(), "test-node"); } -// Test RCConnectionWrapper::connect() method with connection write failure -TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { - // Create a mock connection that fails to write +// Test RCConnectionWrapper::connect() method with HTTP proxy (internal address) scenario. +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWithHttpProxy) { + // Create a mock connection. auto mock_connection = std::make_unique>(); - - // Set up connection expectations - EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)).Times(1); - EXPECT_CALL(*mock_connection, addReadFilter(_)).Times(1); - EXPECT_CALL(*mock_connection, connect()).Times(1); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + + // Set up socket expectations for internal address (HTTP proxy scenario). + auto mock_internal_address = std::make_shared( + "internal_listener_name", "endpoint_id_123"); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations with internal address. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_internal_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_internal_address); + return *mock_provider; + })); + + // Capture the written buffer to verify HTTP POST content. + Buffer::OwnedImpl captured_buffer; EXPECT_CALL(*mock_connection, write(_, _)) - .WillOnce(Invoke([](Buffer::Instance&, bool) -> void { - throw EnvoyException("Write failed"); - })); - - // Set up socket expectations + .WillOnce(Invoke( + [&captured_buffer](Buffer::Instance& buffer, bool) { captured_buffer.add(buffer); })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method. + std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + + // Verify connect() returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); + + // Verify the HTTP POST request content. + std::string written_data = captured_buffer.toString(); + + // Check HTTP headers. + EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); + // For HTTP proxy scenario, the Host header should use the endpoint ID from the internal address. + EXPECT_THAT(written_data, testing::HasSubstr("Host: endpoint_id_123")); + EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); + EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); + + // Check that the body contains the protobuf serialized data. + EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers + + // Extract the body (everything after the double CRLF) + size_t body_start = written_data.find("\r\n\r\n"); + EXPECT_NE(body_start, std::string::npos); + std::string body = written_data.substr(body_start + 4); + EXPECT_FALSE(body.empty()); + + // Verify the protobuf content by deserializing it. + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + bool parse_success = arg.ParseFromString(body); + EXPECT_TRUE(parse_success); + EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); + EXPECT_EQ(arg.cluster_uuid(), "test-cluster"); + EXPECT_EQ(arg.node_uuid(), "test-node"); +} + +// Test RCConnectionWrapper::connect() method with connection write failure. +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { + // Create a mock connection that fails to write. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, write(_, _)).WillOnce(Invoke([](Buffer::Instance&, bool) -> void { + throw EnvoyException("Write failed"); + })); + + // Set up socket expectations. auto mock_address = std::make_shared("192.168.1.1", 8080); auto mock_local_address = std::make_shared("127.0.0.1", 12345); - - // Set up connection info provider expectations directly on the mock connection - EXPECT_CALL(*mock_connection, connectionInfoProvider()).WillRepeatedly(Invoke([mock_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { - static auto mock_provider = std::make_unique(mock_local_address, mock_address); - return *mock_provider; - })); - - // Create a mock host + + // Set up connection info provider expectations directly on the mock connection. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_address, + mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Create a mock host. auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call connect() method - should handle the write failure gracefully - // The method should not throw but should handle the exception internally + + // Call connect() method - should handle the write failure gracefully. + // The method should not throw but should handle the exception internally. std::string result; try { result = wrapper.connect("test-tenant", "test-cluster", "test-node"); } catch (const EnvoyException& e) { - // The connect() method doesn't handle exceptions, so we expect it to throw - // This is the current behavior - the method should be updated to handle exceptions + // The connect() method doesn't handle exceptions, so we expect it to throw. + // This is the current behavior - the method should be updated to handle exceptions. EXPECT_STREQ(e.what(), "Write failed"); return; // Exit test early since exception was thrown } - - // If no exception was thrown, verify connect() still returns the local address + + // If no exception was thrown, verify connect() still returns the local address. EXPECT_EQ(result, "127.0.0.1:12345"); } -// Test RCConnectionWrapper::onHandshakeSuccess method +// Test RCConnectionWrapper::onHandshakeSuccess method. TEST_F(RCConnectionWrapperTest, OnHandshakeSuccess) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Set up mock thread local cluster + + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper and add it to the map + // Call initiateOneReverseConnection to create the wrapper and add it to the map. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Get initial stats before onHandshakeSuccess + // Get initial stats before onHandshakeSuccess. auto initial_stats = extension_->getCrossWorkerStatMap(); std::string host_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; std::string cluster_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; - - // Call onHandshakeSuccess + + // Call onHandshakeSuccess. wrapper_ptr->onHandshakeSuccess(); - - // Get stats after onHandshakeSuccess + + // Get stats after onHandshakeSuccess. auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that connected stats were incremented + + // Verify that connected stats were incremented. EXPECT_EQ(final_stats[host_stat_name], initial_stats[host_stat_name] + 1); EXPECT_EQ(final_stats[cluster_stat_name], initial_stats[cluster_stat_name] + 1); - - // Debug: Print stats for verification - std::cout << "\n=== OnHandshakeSuccess Stats ===" << std::endl; - std::cout << "Host stat '" << host_stat_name << "': " << initial_stats[host_stat_name] << " -> " << final_stats[host_stat_name] << std::endl; - std::cout << "Cluster stat '" << cluster_stat_name << "': " << initial_stats[cluster_stat_name] << " -> " << final_stats[cluster_stat_name] << std::endl; - std::cout << "=================================" << std::endl; } -// Test RCConnectionWrapper::onHandshakeFailure method +// Test RCConnectionWrapper::onHandshakeFailure method. TEST_F(RCConnectionWrapperTest, OnHandshakeFailure) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Set up mock thread local cluster + + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Create a mock connection - auto mock_connection = std::make_unique>(); + auto mock_connection = setupMockConnection(); Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper and add it to the map + // Call initiateOneReverseConnection to create the wrapper and add it to the map. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Get initial stats before onHandshakeFailure + // Get initial stats before onHandshakeFailure. auto initial_stats = extension_->getCrossWorkerStatMap(); std::string host_failed_stat_name = "test_scope.reverse_connections.host.192.168.1.1.failed"; - std::string cluster_failed_stat_name = "test_scope.reverse_connections.cluster.test-cluster.failed"; - - // Call onHandshakeFailure with an error message + std::string cluster_failed_stat_name = + "test_scope.reverse_connections.cluster.test-cluster.failed"; + + // Call onHandshakeFailure with an error message. std::string error_message = "Handshake failed due to authentication error"; wrapper_ptr->onHandshakeFailure(error_message); - - // Get stats after onHandshakeFailure + + // Get stats after onHandshakeFailure. auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that failed stats were incremented + + // Verify that failed stats were incremented. EXPECT_EQ(final_stats[host_failed_stat_name], initial_stats[host_failed_stat_name] + 1); EXPECT_EQ(final_stats[cluster_failed_stat_name], initial_stats[cluster_failed_stat_name] + 1); - - // Debug: Print stats for verification - std::cout << "\n=== OnHandshakeFailure Stats ===" << std::endl; - std::cout << "Host failed stat '" << host_failed_stat_name << "': " << initial_stats[host_failed_stat_name] << " -> " << final_stats[host_failed_stat_name] << std::endl; - std::cout << "Cluster failed stat '" << cluster_failed_stat_name << "': " << initial_stats[cluster_failed_stat_name] << " -> " << final_stats[cluster_failed_stat_name] << std::endl; - std::cout << "==================================" << std::endl; } -// Test RCConnectionWrapper::onEvent method with RemoteClose event +// Test RCConnectionWrapper::onEvent method with RemoteClose event. TEST_F(RCConnectionWrapperTest, OnEventRemoteClose) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Set up mock thread local cluster + + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper and add it to the map + // Call initiateOneReverseConnection to create the wrapper and add it to the map. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Get initial stats before onEvent + // Get initial stats before onEvent. auto initial_stats = extension_->getCrossWorkerStatMap(); - std::string host_connected_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; - std::string cluster_connected_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; - - // Call onEvent with RemoteClose event + std::string host_connected_stat_name = + "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_connected_stat_name = + "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onEvent with RemoteClose event. wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); - - // Get stats after onEvent + + // Get stats after onEvent. auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that the connection closure was handled - // Note: The exact stat changes depend on the implementation of onConnectionDone - // For RemoteClose, we expect the connection to be marked as closed - - // Debug: Print stats for verification - std::cout << "\n=== OnEventRemoteClose Stats ===" << std::endl; - std::cout << "Host connected stat '" << host_connected_stat_name << "': " << initial_stats[host_connected_stat_name] << " -> " << final_stats[host_connected_stat_name] << std::endl; - std::cout << "Cluster connected stat '" << cluster_connected_stat_name << "': " << initial_stats[cluster_connected_stat_name] << " -> " << final_stats[cluster_connected_stat_name] << std::endl; - std::cout << "=================================" << std::endl; + + // Verify that the connection closure was handled gracefully. } // Test RCConnectionWrapper::onEvent method with Connected event (should be ignored) TEST_F(RCConnectionWrapperTest, OnEventConnected) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Set up mock thread local cluster + + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper and add it to the map + // Call initiateOneReverseConnection to create the wrapper and add it to the map. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Get initial stats before onEvent + // Get initial stats before onEvent. auto initial_stats = extension_->getCrossWorkerStatMap(); - + // Call onEvent with Connected event (should be ignored) wrapper_ptr->onEvent(Network::ConnectionEvent::Connected); - - // Get stats after onEvent + + // Get stats after onEvent. auto final_stats = extension_->getCrossWorkerStatMap(); - + // Verify that Connected event doesn't change stats (it should be ignored) - // The stats should remain the same + // The stats should remain the same. EXPECT_EQ(final_stats, initial_stats); - - // Debug: Print stats for verification - std::cout << "\n=== OnEventConnected Stats ===" << std::endl; - std::cout << "Stats unchanged after Connected event (as expected)" << std::endl; - std::cout << "=================================" << std::endl; } -// Test RCConnectionWrapper::onEvent method with null connection +// Test RCConnectionWrapper::onEvent method with null connection. TEST_F(RCConnectionWrapperTest, OnEventWithNullConnection) { - // Set up thread local slot first so stats can be properly tracked + // Set up thread local slot first so stats can be properly tracked. setupThreadLocalSlot(); - - // Set up mock thread local cluster + + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) .WillRepeatedly(Return(mock_thread_local_cluster.get())); - // Set up priority set with hosts + // Set up priority set with hosts. auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()).WillRepeatedly(ReturnRef(*mock_priority_set)); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); - // Create host map with a host + // Create host map with a host. auto host_map = std::make_shared(); auto mock_host = createMockHost("192.168.1.1"); (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - // Create HostConnectionInfo entry + // Create HostConnectionInfo entry. addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); Upstream::MockHost::MockCreateConnectionData success_conn_data; success_conn_data.connection_ = mock_connection.get(); success_conn_data.host_description_ = mock_host; - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillOnce(Return(success_conn_data)); + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); mock_connection.release(); - // Call initiateOneReverseConnection to create the wrapper and add it to the map + // Call initiateOneReverseConnection to create the wrapper and add it to the map. bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); EXPECT_TRUE(result); - // Verify wrapper was created and mapped + // Verify wrapper was created and mapped. const auto& connection_wrappers = getConnectionWrappers(); EXPECT_EQ(connection_wrappers.size(), 1); - + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); EXPECT_EQ(wrapper_to_host_map.size(), 1); - + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - // Get initial stats before onEvent + // Get initial stats before onEvent. auto initial_stats = extension_->getCrossWorkerStatMap(); - - // Call onEvent with RemoteClose event + + // Call onEvent with RemoteClose event. wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); - - // Get stats after onEvent + + // Get stats after onEvent. auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that the event was handled gracefully even with connection closure - // The exact behavior depends on the implementation, but it should not crash - - // Debug: Print stats for verification - std::cout << "\n=== OnEventWithNullConnection Stats ===" << std::endl; - std::cout << "Event handled gracefully after connection closure" << std::endl; - std::cout << "===============================================" << std::endl; + + // Verify that the event was handled gracefully even with connection closure. + // The exact behavior depends on the implementation, but it should not crash. } -// Test RCConnectionWrapper::releaseConnection method +// Test RCConnectionWrapper::releaseConnection method. TEST_F(RCConnectionWrapperTest, ReleaseConnection) { - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Verify connection exists before release + + // Verify connection exists before release. EXPECT_NE(wrapper.getConnection(), nullptr); - - // Release the connection + + // Release the connection. auto released_connection = wrapper.releaseConnection(); - - // Verify connection was released + + // Verify connection was released. EXPECT_NE(released_connection, nullptr); EXPECT_EQ(wrapper.getConnection(), nullptr); } -// Test RCConnectionWrapper::getConnection method +// Test RCConnectionWrapper::getConnection method. TEST_F(RCConnectionWrapperTest, GetConnection) { - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Get the connection + + // Get the connection. auto* connection = wrapper.getConnection(); - - // Verify connection is returned + + // Verify connection is returned. EXPECT_NE(connection, nullptr); - - // Test after release + + // Test after release. wrapper.releaseConnection(); EXPECT_EQ(wrapper.getConnection(), nullptr); } -// Test RCConnectionWrapper::getHost method +// Test RCConnectionWrapper::getHost method. TEST_F(RCConnectionWrapperTest, GetHost) { - // Create a mock connection and host - auto mock_connection = std::make_unique>(); + // Create a mock connection and host with proper socket setup. + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Get the host + + // Get the host. auto host = wrapper.getHost(); - - // Verify host is returned + + // Verify host is returned. EXPECT_EQ(host, mock_host); } // Test RCConnectionWrapper::onAboveWriteBufferHighWatermark method (no-op) TEST_F(RCConnectionWrapperTest, OnAboveWriteBufferHighWatermark) { - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call onAboveWriteBufferHighWatermark - should be a no-op + + // Call onAboveWriteBufferHighWatermark - should be a no-op. wrapper.onAboveWriteBufferHighWatermark(); } // Test RCConnectionWrapper::onBelowWriteBufferLowWatermark method (no-op) TEST_F(RCConnectionWrapperTest, OnBelowWriteBufferLowWatermark) { - // Create a mock connection - auto mock_connection = std::make_unique>(); + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection + + // Create RCConnectionWrapper with the mock connection. RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call onBelowWriteBufferLowWatermark - should be a no-op + + // Call onBelowWriteBufferLowWatermark - should be a no-op. wrapper.onBelowWriteBufferLowWatermark(); } -// Test RCConnectionWrapper::shutdown method +// Test RCConnectionWrapper::shutdown method. TEST_F(RCConnectionWrapperTest, Shutdown) { - // Test 1: Shutdown with open connection - std::cout << "Test 1: Shutdown with open connection" << std::endl; + // Test 1: Shutdown with open connection. { - auto mock_connection = std::make_unique>(); + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Set up connection expectations for open connection - EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)).Times(1); + + // Set up connection expectations for open connection. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)).Times(1); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); - + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - + EXPECT_NE(wrapper.getConnection(), nullptr); wrapper.shutdown(); EXPECT_EQ(wrapper.getConnection(), nullptr); } - std::cout << "Test 2: Shutdown with already closed connection" << std::endl; - // Test 2: Shutdown with already closed connection + // Test 2: Shutdown with already closed connection. { - auto mock_connection = std::make_unique>(); + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Set up connection expectations for closed connection - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Closed)); - EXPECT_CALL(*mock_connection, close(_)).Times(0); // Should not call close on already closed connection + + // Set up connection expectations for closed connection. + EXPECT_CALL(*mock_connection, state()) + .WillRepeatedly(Return(Network::Connection::State::Closed)); + EXPECT_CALL(*mock_connection, close(_)) + .Times(0); // Should not call close on already closed connection EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12346)); - + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - + EXPECT_NE(wrapper.getConnection(), nullptr); wrapper.shutdown(); EXPECT_EQ(wrapper.getConnection(), nullptr); } - std::cout << "Test 3: Shutdown with closing connection" << std::endl; - - // Test 3: Shutdown with closing connection + + // Test 3: Shutdown with closing connection. { - auto mock_connection = std::make_unique>(); + auto mock_connection = setupMockConnection(); auto mock_host = std::make_shared>(); - - // Set up connection expectations for closing connection - EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)).Times(1); - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Closing)); - EXPECT_CALL(*mock_connection, close(_)).Times(0); // Should not call close on already closing connection + + // Set up connection expectations for closing connection. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()) + .WillRepeatedly(Return(Network::Connection::State::Closing)); + EXPECT_CALL(*mock_connection, close(_)) + .Times(0); // Should not call close on already closing connection EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12347)); - + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - + EXPECT_NE(wrapper.getConnection(), nullptr); wrapper.shutdown(); EXPECT_EQ(wrapper.getConnection(), nullptr); } - std::cout << "Test 4: Shutdown with null connection" << std::endl; // Test 4: Shutdown with null connection (should be safe) { auto mock_host = std::make_shared>(); - - // Create wrapper with null connection + + // Create wrapper with null connection. RCConnectionWrapper wrapper(*io_handle_, nullptr, mock_host, "test-cluster"); - + EXPECT_EQ(wrapper.getConnection(), nullptr); wrapper.shutdown(); // Should not crash EXPECT_EQ(wrapper.getConnection(), nullptr); } - std::cout << "Test 5: Multiple shutdown calls" << std::endl; // Test 5: Multiple shutdown calls (should be safe) { auto mock_connection = std::make_unique>(); auto mock_host = std::make_shared>(); - - // Set up connection expectations - EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)).Times(1); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)).Times(1); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12348)); - + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - + EXPECT_NE(wrapper.getConnection(), nullptr); - - // First shutdown + + // First shutdown. wrapper.shutdown(); EXPECT_EQ(wrapper.getConnection(), nullptr); - + // Second shutdown (should be safe) wrapper.shutdown(); EXPECT_EQ(wrapper.getConnection(), nullptr); } } -// Test SimpleConnReadFilter::onData method +// Test SimpleConnReadFilter::onData method. class SimpleConnReadFilterTest : public testing::Test { protected: void SetUp() override { stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Create a mock IO handle + + // Create a mock IO handle. auto mock_io_handle = std::make_unique>(); io_handle_ = std::make_unique( 7, // dummy fd - ReverseConnectionSocketConfig{}, - cluster_manager_, - nullptr, // extension + ReverseConnectionSocketConfig{}, cluster_manager_, + nullptr, // extension *stats_scope_); // Use the created scope } - void TearDown() override { - io_handle_.reset(); - } + void TearDown() override { io_handle_.reset(); } - // Helper to create a mock RCConnectionWrapper + // Helper to create a mock RCConnectionWrapper. std::unique_ptr createMockWrapper() { auto mock_connection = std::make_unique>(); auto mock_host = std::make_shared>(); - return std::make_unique(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + return std::make_unique(*io_handle_, std::move(mock_connection), mock_host, + "test-cluster"); } - // Helper to create SimpleConnReadFilter - std::unique_ptr createFilter(RCConnectionWrapper* parent) { + // Helper to create SimpleConnReadFilter. + std::unique_ptr + createFilter(RCConnectionWrapper* parent) { return std::make_unique(parent); } @@ -3333,128 +3939,609 @@ class SimpleConnReadFilterTest : public testing::Test { }; TEST_F(SimpleConnReadFilterTest, OnDataWithNullParent) { - // Create filter with null parent + // Create filter with null parent. auto filter = createFilter(nullptr); - - // Create a buffer with some data + + // Create a buffer with some data. Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); - - // Call onData - should return StopIteration when parent is null + + // Call onData - should return StopIteration when parent is null. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::StopIteration); } TEST_F(SimpleConnReadFilterTest, OnDataWithHttp200Response) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP 200 response but invalid protobuf + + // Create a buffer with HTTP 200 response but invalid protobuf. Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\nreverse connection accepted"); - - // Call onData - should return StopIteration for invalid response format + + // Call onData - should return StopIteration for invalid response format. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::StopIteration); } TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2Response) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP/2 response but invalid protobuf + + // Create a buffer with HTTP/2 response but invalid protobuf. Buffer::OwnedImpl buffer("HTTP/2 200\r\n\r\nACCEPTED"); - - // Call onData - should return StopIteration for invalid response format + + // Call onData - should return StopIteration for invalid response format. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::StopIteration); } TEST_F(SimpleConnReadFilterTest, OnDataWithIncompleteHeaders) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a buffer with incomplete HTTP headers + + // Create a buffer with incomplete HTTP headers. Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"); - - // Call onData - should return Continue for incomplete headers + + // Call onData - should return Continue for incomplete headers. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::Continue); } TEST_F(SimpleConnReadFilterTest, OnDataWithEmptyResponseBody) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP 200 but empty body + + // Create a buffer with HTTP 200 but empty body. Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); - - // Call onData - should return Continue for empty body + + // Call onData - should return Continue for empty body. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::Continue); } TEST_F(SimpleConnReadFilterTest, OnDataWithNon200Response) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP 404 response + + // Create a buffer with HTTP 404 response. Buffer::OwnedImpl buffer("HTTP/1.1 404 Not Found\r\n\r\n"); - - // Call onData - should return StopIteration for error response + + // Call onData - should return StopIteration for error response. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::StopIteration); } TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2ErrorResponse) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP/2 error response + + // Create a buffer with HTTP/2 error response. Buffer::OwnedImpl buffer("HTTP/2 500\r\n\r\n"); - - // Call onData - should return StopIteration for error response + + // Call onData - should return StopIteration for error response. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::StopIteration); } TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - + // Create a buffer with partial data (no HTTP response yet) Buffer::OwnedImpl buffer("partial data"); - - // Call onData - should return Continue for partial data + + // Call onData - should return Continue for partial data. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::Continue); } TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { - // Create wrapper and filter + // Create wrapper and filter. auto wrapper = createMockWrapper(); auto filter = createFilter(wrapper.get()); - - // Create a proper ReverseConnHandshakeRet protobuf response - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::ACCEPTED); + + // Create a proper ReverseConnHandshakeRet protobuf response. + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::ACCEPTED); ret.set_status_message("Connection accepted"); - - std::string protobuf_data = ret.SerializeAsString(); + + std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) + std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; + Buffer::OwnedImpl buffer(http_response); + + // Call onData - should return StopIteration for successful protobuf response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithRejectedProtobufResponse) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a ReverseConnHandshakeRet protobuf response with REJECTED status. + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::REJECTED); + ret.set_status_message("Connection rejected by server"); + + std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; Buffer::OwnedImpl buffer(http_response); - - // Call onData - should return StopIteration for successful protobuf response + + // Call onData - should return StopIteration for rejected protobuf response. auto result = filter->onData(buffer, false); EXPECT_EQ(result, Network::FilterStatus::StopIteration); } +// Test ReverseConnectionIOHandle::accept() method - trigger pipe edge cases. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodTriggerPipeEdgeCases) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Test Case 1: Trigger pipe not ready - should return nullptr. + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + + // Create trigger pipe. + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 2: Trigger pipe ready but no data to read (EAGAIN/EWOULDBLOCK) - should return + // nullptr. + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + + // Test Case 3: Trigger pipe closed (read returns 0) - should return nullptr. + ::close(getTriggerPipeWriteFd()); + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + createTriggerPipe(); + + // Test Case 4: Trigger pipe read error (not EAGAIN/EWOULDBLOCK) - should return nullptr. + ::close(getTriggerPipeReadFd()); + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + createTriggerPipe(); + + // Test Case 5: Trigger pipe ready, data read, but no established connections - should return + // nullptr. + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); +} + +// Test ReverseConnectionIOHandle::accept() method - successful accept with address parameters. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSuccessfulWithAddress) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + + // Set up connection info provider with remote address. + auto mock_remote_address = + std::make_shared("192.168.1.100", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_connection, setSocketReused(true)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + // Add connection to the established queue. + addConnectionToEstablishedQueue(std::move(mock_connection)); + + // Write trigger byte. + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + // Test accept with address parameters. + struct sockaddr_in addr; + socklen_t addrlen = sizeof(addr); + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_EQ(addrlen, sizeof(addr)); + EXPECT_EQ(addr.sin_family, AF_INET); +} + +// Test ReverseConnectionIOHandle::accept() method - address handling edge cases. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodAddressHandlingEdgeCases) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 1: Address buffer too small for remote address. + { + auto mock_connection = setupMockConnection(); + + auto mock_remote_address = + std::make_shared("192.168.1.101", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12346); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, setSocketReused(true)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + struct sockaddr_in addr; + socklen_t addrlen = 1; // Too small + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_GT(addrlen, 1); + } + + // Test Case 2: No remote address, fallback to synthetic address. + { + auto mock_connection = setupMockConnection(); + + auto mock_local_address = std::make_shared("127.0.0.1", 12347); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, nullptr); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, setSocketReused(true)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + struct sockaddr_in addr; + socklen_t addrlen = sizeof(addr); + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_EQ(addrlen, sizeof(addr)); + EXPECT_EQ(addr.sin_family, AF_INET); + EXPECT_EQ(addr.sin_addr.s_addr, htonl(INADDR_LOOPBACK)); + } + + // Test Case 3: Synthetic address buffer too small. + { + auto mock_connection = setupMockConnection(); + + auto mock_local_address = std::make_shared("127.0.0.1", 12348); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, nullptr); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, setSocketReused(true)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + struct sockaddr_in addr; + socklen_t addrlen = 1; // Too small + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_GT(addrlen, 1); + } +} + +// Test ReverseConnectionIOHandle::accept() method - successful accept scenarios. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSuccessfulScenarios) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 1: Accept without address parameters. + { + auto mock_connection = setupMockConnection(); + + auto mock_remote_address = + std::make_shared("192.168.1.102", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12349); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, setSocketReused(true)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_NE(result, nullptr); + } +} + +// Test ReverseConnectionIOHandle::accept() method - socket and file descriptor failures. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSocketAndFdFailures) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 1: Original socket not available or not open. + { + auto mock_connection = std::make_unique>(); + + // Create a mock socket that returns isOpen() = false. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations - but isOpen returns false to simulate failure. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(false)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Create the socket and set up connection expectations. + auto mock_socket = std::unique_ptr(mock_socket_ptr.release()); + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket)); + + auto mock_remote_address = + std::make_shared("192.168.1.103", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12350); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + } + + // Test Case 2: Failed to duplicate file descriptor. + { + auto mock_connection = std::make_unique>(); + + // Create a mock socket with IO handle that fails to duplicate. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations - but duplicate returns nullptr to simulate failure. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + return std::unique_ptr(nullptr); + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Create the socket and set up connection expectations. + auto mock_socket = std::unique_ptr(mock_socket_ptr.release()); + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket)); + + auto mock_remote_address = + std::make_shared("192.168.1.104", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12351); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + } +} + +/** + * Test class for DownstreamReverseConnectionIOHandle. + */ +class DownstreamReverseConnectionIOHandleTest : public ReverseConnectionIOHandleTest { +protected: + void SetUp() override { + ReverseConnectionIOHandleTest::SetUp(); + + // Initialize io_handle_ for testing. + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock socket for testing. + mock_socket_ = std::make_unique>(); + mock_io_handle_ = std::make_unique>(); + + // Set up basic mock expectations. + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + + // Store the mock_io_handle in the socket. + mock_socket_->io_handle_ = std::move(mock_io_handle_); + } + + void TearDown() override { + mock_socket_.reset(); + ReverseConnectionIOHandleTest::TearDown(); + } + + // Helper to create a DownstreamReverseConnectionIOHandle. + std::unique_ptr + createHandle(ReverseConnectionIOHandle* parent = nullptr, + const std::string& connection_key = "test_connection_key") { + // Create a new mock socket for each handle to avoid releasing the shared one. + auto new_mock_socket = std::make_unique>(); + auto new_mock_io_handle = std::make_unique>(); + + // Set up basic mock expectations. + EXPECT_CALL(*new_mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD + EXPECT_CALL(*new_mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*new_mock_io_handle)); + + // Store the mock_io_handle in the socket. + new_mock_socket->io_handle_ = std::move(new_mock_io_handle); + + auto socket_ptr = std::unique_ptr(new_mock_socket.release()); + return std::make_unique(std::move(socket_ptr), parent, + connection_key); + } + + // Test fixtures. + std::unique_ptr> mock_socket_; + std::unique_ptr> mock_io_handle_; +}; + +// Test constructor and destructor. +TEST_F(DownstreamReverseConnectionIOHandleTest, Setup) { + // Test constructor with parent. + { + auto handle = createHandle(io_handle_.get(), "test_key_1"); + EXPECT_NE(handle, nullptr); + // Test fdDoNotUse() before any other operations. + EXPECT_EQ(handle->fdDoNotUse(), 42); + } // Destructor called here + + // Test constructor without parent. + { + auto handle = createHandle(nullptr, "test_key_2"); + EXPECT_NE(handle, nullptr); + // Test fdDoNotUse() before any other operations. + EXPECT_EQ(handle->fdDoNotUse(), 42); + } // Destructor called here +} + +// Test close() method and all edge cases. +TEST_F(DownstreamReverseConnectionIOHandleTest, CloseMethod) { + // Test with parent - should notify parent and reset socket. + { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Verify that parent is set correctly. + EXPECT_NE(io_handle_.get(), nullptr); + + // First close - should notify parent and reset owned_socket. + auto result1 = handle->close(); + EXPECT_EQ(result1.err_, nullptr); + + // Second close - should return immediately without notifying parent (fd < 0). + auto result2 = handle->close(); + EXPECT_EQ(result2.err_, nullptr); + } +} + +// Test getSocket() method. +TEST_F(DownstreamReverseConnectionIOHandleTest, GetSocket) { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Test getSocket() returns the owned socket. + const auto& socket = handle->getSocket(); + EXPECT_NE(&socket, nullptr); + + // Test getSocket() works on const object. + const auto const_handle = createHandle(io_handle_.get(), "test_key"); + const auto& const_socket = const_handle->getSocket(); + EXPECT_NE(&const_socket, nullptr); + + // Test that getSocket() works before close() is called. + EXPECT_EQ(handle->fdDoNotUse(), 42); +} + } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy From d3345b5a5edce62fb71dee9161fc5f6a8c829703 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 20 Aug 2025 20:33:47 +0000 Subject: [PATCH 264/505] sync changes from reverse_connection_upstream_int Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection_utility.cc | 9 +-- .../reverse_connection_utility.h | 66 ++++++------------- 2 files changed, 26 insertions(+), 49 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc index 572dde306bbe4..b221d9adf33e6 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc @@ -2,6 +2,7 @@ #include "source/common/buffer/buffer_impl.h" #include "source/common/common/assert.h" +#include "source/common/common/logger.h" namespace Envoy { namespace Extensions { @@ -13,7 +14,7 @@ bool ReverseConnectionUtility::isPingMessage(absl::string_view data) { return false; } - // Check for exact RPING match + // Check for exact RPING match. return (data.length() == PING_MESSAGE.length() && !memcmp(data.data(), PING_MESSAGE.data(), PING_MESSAGE.length())); } @@ -59,7 +60,7 @@ bool ReverseConnectionUtility::handlePingMessage(absl::string_view data, } bool ReverseConnectionUtility::extractPingFromHttpData(absl::string_view http_data) { - // Look for RPING in HTTP response body + // Look for RPING in HTTP response body. if (http_data.find(PING_MESSAGE) != absl::string_view::npos) { ENVOY_LOG(debug, "Reverse connection utility: found RPING in HTTP data"); return true; @@ -68,7 +69,7 @@ bool ReverseConnectionUtility::extractPingFromHttpData(absl::string_view http_da } std::shared_ptr ReverseConnectionMessageHandlerFactory::createPingHandler() { - // Use make_shared following Envoy patterns for shared components + // Use make_shared following Envoy patterns for shared components. return std::make_shared(); } @@ -86,4 +87,4 @@ bool PingMessageHandler::processPingMessage(absl::string_view data, } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h index 286454693cd5a..02e024e641689 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h @@ -17,70 +17,52 @@ namespace ReverseConnection { /** * Utility class for reverse connection ping/heartbeat functionality. - * Follows Envoy patterns like HeaderUtility, StringUtil, etc. - * - * This centralizes RPING message handling that was previously duplicated across: - * - reverse_tunnel_acceptor.cc - * - reverse_tunnel_initiator.cc - * - reverse_connection.cc */ class ReverseConnectionUtility : public Logger::Loggable { public: - // Constants following Envoy naming conventions + // Constants following Envoy naming conventions. static constexpr absl::string_view PING_MESSAGE = "RPING"; static constexpr absl::string_view PROXY_MESSAGE = "PROXY"; /** - * Check if received data contains a ping message (raw or HTTP-embedded). - * Follows the pattern of existing Envoy utilities for message detection. - * - * @param data the received data to check - * @return true if data contains RPING message + * Check if received data contains a ping message. + * @param data the received data to check. + * @return true if data contains RPING message. */ static bool isPingMessage(absl::string_view data); /** * Create a ping response buffer. - * Follows DirectResponseUtil pattern from Dubbo heartbeat implementation. - * - * @return Buffer containing RPING response + * @return Buffer containing RPING response. */ static Buffer::InstancePtr createPingResponse(); /** * Send ping response using connection's IO handle. - * Centralizes the write logic with proper error handling. - * - * @param connection the connection to send ping response on - * @return true if ping was sent successfully + * @param connection the connection to send ping response on. + * @return true if ping was sent successfully. */ static bool sendPingResponse(Network::Connection& connection); /** * Send ping response using raw IO handle. - * Alternative for cases where only IoHandle is available. - * - * @param io_handle the IO handle to write to - * @return Api::IoCallUint64Result the write result + * @param io_handle the IO handle to write to. + * @return Api::IoCallUint64Result the write result. */ static Api::IoCallUint64Result sendPingResponse(Network::IoHandle& io_handle); /** - * Handle ping message detection and response in a read filter context. - * Consolidates the ping handling logic used across multiple filters. - * - * @param data the incoming data buffer - * @param connection the connection to respond on - * @return true if data was a ping message and was handled + * Handle ping message detection and response. + * @param data the incoming data buffer. + * @param connection the connection to respond on. + * @return true if data was a ping message and was handled. */ static bool handlePingMessage(absl::string_view data, Network::Connection& connection); /** * Extract ping message from HTTP-embedded content. - * Used when RPING is sent within HTTP response bodies. - * - * @param http_data the HTTP response data - * @return true if RPING was found and extracted + * @param http_data the HTTP response data. + * @return true if RPING was found and extracted. */ static bool extractPingFromHttpData(absl::string_view http_data); @@ -90,22 +72,18 @@ class ReverseConnectionUtility : public Logger::Loggable /** * Factory for creating reverse connection message handlers. - * Follows factory patterns used throughout Envoy for extensible components. */ class ReverseConnectionMessageHandlerFactory { public: /** * Create a shared ping handler instance. - * Follows shared_ptr pattern from cache filter PR #21114. - * - * @return shared_ptr to ping handler + * @return shared_ptr to ping handler. */ static std::shared_ptr createPingHandler(); }; /** * Ping message handler that can be shared across filters. - * Implements the shared component pattern to avoid static allocation issues. */ class PingMessageHandler : public std::enable_shared_from_this, public Logger::Loggable { @@ -115,17 +93,15 @@ class PingMessageHandler : public std::enable_shared_from_this Date: Wed, 20 Aug 2025 20:38:15 +0000 Subject: [PATCH 265/505] Sync changes from reverse_conn_cluster Signed-off-by: Basundhara Chakrabarty --- .../v3/reverse_connection.proto | 4 +- .../reverse_connection/reverse_connection.cc | 43 +- .../reverse_connection/reverse_connection.h | 71 +- .../clusters/reverse_connection/BUILD | 14 +- .../reverse_connection_cluster_test.cc | 1035 ++++++++++++++--- 5 files changed, 922 insertions(+), 245 deletions(-) diff --git a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto index 6784031157c4a..875d92a54f76a 100644 --- a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto +++ b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto @@ -3,7 +3,6 @@ syntax = "proto3"; package envoy.extensions.clusters.reverse_connection.v3; import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -13,7 +12,6 @@ option java_outer_classname = "ReverseConnectionProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/reverse_connection/v3;reverse_connectionv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (udpa.annotations.file_status).work_in_progress = true; // [#protodoc-title: Settings for the Reverse Connection Cluster] // [#extension: envoy.clusters.reverse_connection] @@ -30,4 +28,4 @@ message RevConClusterConfig { // Suffix expected in the host header when envoy acts as a L4 proxy and deduces // the cluster from the host header. string proxy_host_suffix = 3; -} \ No newline at end of file +} diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.cc b/source/extensions/clusters/reverse_connection/reverse_connection.cc index 36cc1bf7bb870..7be59049ed27b 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.cc +++ b/source/extensions/clusters/reverse_connection/reverse_connection.cc @@ -10,8 +10,8 @@ #include "envoy/config/core/v3/health_check.pb.h" #include "envoy/config/endpoint/v3/endpoint_components.pb.h" -#include "source/common/http/headers.h" #include "source/common/http/header_utility.h" +#include "source/common/http/headers.h" #include "source/common/network/address_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" @@ -24,7 +24,7 @@ namespace ReverseConnection { namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; -// The default host header envoy expects when acting as a L4 proxy is of the format +// The default host header envoy expects when acting as a L4 proxy is of the format. // ".tcpproxy.envoy.remote:". const std::string default_proxy_host_suffix = "tcpproxy.envoy.remote"; @@ -68,19 +68,17 @@ RevConCluster::LoadBalancer::getUUIDFromSNI(const Network::Connection* connectio absl::string_view sni = connection->requestedServerName(); ENVOY_LOG(debug, "SNI value: {}", sni); - + if (sni.empty()) { ENVOY_LOG(debug, "Empty SNI value"); return absl::nullopt; } - + // Extract the UUID from SNI. SNI format is expected to be ".tcpproxy.envoy.remote" const absl::string_view::size_type uuid_start = sni.find('.'); if (uuid_start == absl::string_view::npos || sni.substr(uuid_start + 1) != parent_->proxy_host_suffix_) { - ENVOY_LOG(error, - "Malformed SNI {}. Expected: .tcpproxy.envoy.remote", - sni); + ENVOY_LOG(error, "Malformed SNI {}. Expected: .tcpproxy.envoy.remote", sni); return absl::nullopt; } return sni.substr(0, uuid_start); @@ -104,7 +102,7 @@ RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) return {nullptr}; } - // First, Check for the presence of headers in RevConClusterConfig's http_header_names in + // First, Check for the presence of headers in RevConClusterConfig's http_header_names in. // the request context. In the absence of http_header_names in RevConClusterConfig, this // checks for the presence of EnvoyDstNodeUUID and EnvoyDstClusterUUID headers by default. const std::string host_id = std::string(parent_->getHostIdValue(context->downstreamHeaders())); @@ -135,14 +133,15 @@ RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::string host_id) { - // Get the SocketManager to resolve cluster ID to node ID + // Get the SocketManager to resolve cluster ID to node ID. auto* socket_manager = getUpstreamSocketManager(); if (socket_manager == nullptr) { - ENVOY_LOG(error, "Socket manager not found"); + ENVOY_LOG(error, "RevConCluster: Cannot create host for key: {} Socket manager not found", + host_id); return {nullptr}; } - // Use SocketManager to resolve the key to a node ID + // Use SocketManager to resolve the key to a node ID. std::string node_id = socket_manager->getNodeID(host_id); ENVOY_LOG(debug, "RevConCluster: Resolved key '{}' to node_id '{}'", host_id, node_id); @@ -151,7 +150,7 @@ Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::str // that envoy reuses a conn_pool_container for an endpoint. auto host_itr = host_map_.find(node_id); if (host_itr != host_map_.end()) { - ENVOY_LOG(debug, "Found an existing host for {}.", node_id); + ENVOY_LOG(debug, "RevConCluster:Re-using existing host for {}.", node_id); Upstream::HostSharedPtr host = host_itr->second; host_map_lock_.ReaderUnlock(); return {host}; @@ -160,11 +159,11 @@ Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::str absl::WriterMutexLock wlock(&host_map_lock_); - // Create a custom address that uses the UpstreamReverseSocketInterface + // Create a custom address that uses the UpstreamReverseSocketInterface. Network::Address::InstanceConstSharedPtr host_address( std::make_shared(node_id)); - // Create a standard HostImpl using the custom address + // Create a standard HostImpl using the custom address. auto host_result = Upstream::HostImpl::create( info(), absl::StrCat(info()->name(), static_cast(node_id)), std::move(host_address), nullptr /* endpoint_metadata */, nullptr /* locality_metadata */, @@ -173,15 +172,14 @@ Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::str 0 /* priority */, envoy::config::core::v3::UNKNOWN); if (!host_result.ok()) { - ENVOY_LOG(error, "Failed to create HostImpl for {}: {}", node_id, + ENVOY_LOG(error, "RevConCluster: Failed to create HostImpl for {}: {}", node_id, host_result.status().ToString()); return {nullptr}; } - // Convert unique_ptr to shared_ptr + // Convert unique_ptr to shared_ptr. Upstream::HostSharedPtr host(std::move(host_result.value())); - ENVOY_LOG(trace, "Created a HostImpl {} for {} that will use UpstreamReverseSocketInterface.", - *host, node_id); + ENVOY_LOG(trace, "RevConCluster: Created a HostImpl {} for {}.", *host, node_id); host_map_[node_id] = host; return {host}; @@ -215,13 +213,14 @@ absl::string_view RevConCluster::getHostIdValue(const Http::RequestHeaderMap* re } ENVOY_LOG(trace, "Found {} header in request context value {}", header_name->get(), header_result[0]->key().getStringView()); - // This is an implicitly untrusted header, so per the API documentation only the first + // This is an implicitly untrusted header, so per the API documentation only the first. // value is used. if (header_result[0]->value().empty()) { ENVOY_LOG(trace, "Found empty value for header {}", header_result[0]->key().getStringView()); continue; } - ENVOY_LOG(debug, "header_result value: {} ", header_result[0]->value().getStringView()); + ENVOY_LOG(trace, "Successfully extracted host ID from header {}: {}", header_name->get(), + header_result[0]->value().getStringView()); return header_result[0]->value().getStringView(); } @@ -274,8 +273,8 @@ RevConCluster::RevConCluster( } } } else { - http_header_names_.emplace_back(Http::Headers::get().EnvoyDstNodeUUID); - http_header_names_.emplace_back(Http::Headers::get().EnvoyDstClusterUUID); + http_header_names_.emplace_back(EnvoyDstNodeUUID); + http_header_names_.emplace_back(EnvoyDstClusterUUID); } cleanup_timer_->enableTimer(cleanup_interval_); } diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index b153de39c5f34..3f115f3510676 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -28,6 +28,10 @@ namespace ReverseConnection { namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; +// Constants for reverse connection headers. +const Http::LowerCaseString EnvoyDstNodeUUID{"x-remote-node-id"}; +const Http::LowerCaseString EnvoyDstClusterUUID{"x-dst-cluster-uuid"}; + /** * Custom address type that uses the UpstreamReverseSocketInterface. * This address will be used by RevConHost to ensure socket creation goes through @@ -37,10 +41,10 @@ class UpstreamReverseConnectionAddress : public Network::Address::Instance, public Envoy::Logger::Loggable { public: - UpstreamReverseConnectionAddress(const std::string& cluster_id) - : cluster_id_(cluster_id), address_string_("127.0.0.1:0") { + UpstreamReverseConnectionAddress(const std::string& node_id) + : node_id_(node_id), address_string_("127.0.0.1:0") { - // Create a simple socket address for filter chain matching + // Create a simple socket address for filter chain matching. // Use 127.0.0.1:0 which will match the catch-all filter chain synthetic_sockaddr_.sin_family = AF_INET; synthetic_sockaddr_.sin_port = htons(0); // Port 0 for reverse connections @@ -49,20 +53,20 @@ class UpstreamReverseConnectionAddress ENVOY_LOG( debug, - "UpstreamReverseConnectionAddress: cluster: {} using 127.0.0.1:0 for filter chain matching", - cluster_id_); + "UpstreamReverseConnectionAddress: node: {} using 127.0.0.1:0 for filter chain matching", + node_id_); } - // Network::Address::Instance + // Network::Address::Instance. bool operator==(const Instance& rhs) const override { const auto* other = dynamic_cast(&rhs); - return other && cluster_id_ == other->cluster_id_; + return other && node_id_ == other->node_id_; } Network::Address::Type type() const override { return Network::Address::Type::Ip; } const std::string& asString() const override { return address_string_; } absl::string_view asStringView() const override { return address_string_; } - const std::string& logicalName() const override { return cluster_id_; } + const std::string& logicalName() const override { return node_id_; } const Network::Address::Ip* ip() const override { return &ip_; } const Network::Address::Pipe* pipe() const override { return nullptr; } const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { @@ -72,34 +76,29 @@ class UpstreamReverseConnectionAddress return reinterpret_cast(&synthetic_sockaddr_); } socklen_t sockAddrLen() const override { return sizeof(synthetic_sockaddr_); } - // Set to default so that the default client connection factory is used to initiate connections to - // the address. + // Set to default so that the default client connection factory is used to initiate connections + // to. the address. absl::string_view addressType() const override { return "default"; } absl::optional networkNamespace() const override { return absl::nullopt; } - // Override socketInterface to use the ReverseTunnelAcceptor + // Override socketInterface to use the ReverseTunnelAcceptor. const Network::SocketInterface& socketInterface() const override { - ENVOY_LOG(debug, "UpstreamReverseConnectionAddress: socketInterface() called for cluster: {}", - cluster_id_); + ENVOY_LOG(debug, "UpstreamReverseConnectionAddress: socketInterface() called for node: {}", + node_id_); auto* upstream_interface = Network::socketInterface( "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); if (upstream_interface) { - ENVOY_LOG(debug, - "UpstreamReverseConnectionAddress: Using ReverseTunnelAcceptor for cluster: {}", - cluster_id_); + ENVOY_LOG(debug, "UpstreamReverseConnectionAddress: Using ReverseTunnelAcceptor for node: {}", + node_id_); return *upstream_interface; } - // Fallback to default socket interface if upstream interface is not available - ENVOY_LOG(debug, - "UpstreamReverseConnectionAddress: ReverseTunnelAcceptor not available, " - "falling back to default for cluster: {}", - cluster_id_); + // Fallback to default socket interface if upstream interface is not available. return *Network::socketInterface( "envoy.extensions.network.socket_interface.default_socket_interface"); } private: - // Simple IPv4 implementation for upstream reverse connection addresses + // Simple IPv4 implementation for upstream reverse connection addresses. struct UpstreamReverseConnectionIp : public Network::Address::Ip { const std::string& addressAsString() const override { return address_string_; } bool isAnyAddress() const override { return true; } @@ -108,8 +107,8 @@ class UpstreamReverseConnectionAddress const Network::Address::Ipv6* ipv6() const override { return nullptr; } uint32_t port() const override { return 0; } Network::Address::IpVersion version() const override { return Network::Address::IpVersion::v4; } - - // Additional pure virtual methods that need implementation + + // Additional pure virtual methods that need implementation. bool isLinkLocalAddress() const override { return false; } bool isUniqueLocalAddress() const override { return false; } bool isSiteLocalAddress() const override { return false; } @@ -118,7 +117,7 @@ class UpstreamReverseConnectionAddress std::string address_string_{"0.0.0.0:0"}; }; - std::string cluster_id_; + std::string node_id_; std::string address_string_; UpstreamReverseConnectionIp ip_; struct sockaddr_in synthetic_sockaddr_; // Socket address for filter chain matching @@ -131,7 +130,8 @@ class UpstreamReverseConnectionAddress * Also, the RevConCluster cleans these hosts if no connection pool is using them. */ class RevConCluster : public Upstream::ClusterImplBase { -friend class ReverseConnectionClusterTest; + friend class ReverseConnectionClusterTest; + public: RevConCluster(const envoy::config::cluster::v3::Cluster& config, Upstream::ClusterFactoryContext& context, absl::Status& creation_status, @@ -140,7 +140,7 @@ friend class ReverseConnectionClusterTest; ~RevConCluster() override { cleanup_timer_->disableTimer(); } - // Upstream::Cluster + // Upstream::Cluster. InitializePhase initializePhase() const override { return InitializePhase::Primary; } class LoadBalancer : public Upstream::LoadBalancer { @@ -148,8 +148,8 @@ friend class ReverseConnectionClusterTest; LoadBalancer(const std::shared_ptr& parent) : parent_(parent) {} // Chooses a host to send a downstream request over to a reverse connection endpoint. - // A request intended for a reverse connection has to have either of the below set and are - // checked in the given order: + // A request intended for a reverse connection has to have either of the below set and are. + // checked in the given order:. // 1. If the host_id is set, it is used for creating the host. // 2. The request should have either of the HTTP headers given in the RevConClusterConfig's // http_header_names set. If any of the headers are set, the first found header is used to @@ -159,12 +159,11 @@ friend class ReverseConnectionClusterTest; // and is used to create the host. Upstream::HostSelectionResponse chooseHost(Upstream::LoadBalancerContext* context) override; - - // Helper function to verify that the host header is of the format + // Helper function to verify that the host header is of the format. // ".tcpproxy.envoy.remote:" and extract the uuid from the header. absl::optional getUUIDFromHost(const Http::RequestHeaderMap& headers); - // Helper function to extract UUID from SNI (Server Name Indication) if it follows the format + // Helper function to extract UUID from SNI (Server Name Indication) if it follows the format. // ".tcpproxy.envoy.remote". absl::optional getUUIDFromSNI(const Network::Connection* connection); @@ -192,7 +191,7 @@ friend class ReverseConnectionClusterTest; struct LoadBalancerFactory : public Upstream::LoadBalancerFactory { LoadBalancerFactory(const std::shared_ptr& cluster) : cluster_(cluster) {} - // Upstream::LoadBalancerFactory + // Upstream::LoadBalancerFactory. Upstream::LoadBalancerPtr create() { return std::make_unique(cluster_); } Upstream::LoadBalancerPtr create(Upstream::LoadBalancerParams) override { return create(); } @@ -202,7 +201,7 @@ friend class ReverseConnectionClusterTest; struct ThreadAwareLoadBalancer : public Upstream::ThreadAwareLoadBalancer { ThreadAwareLoadBalancer(const std::shared_ptr& cluster) : cluster_(cluster) {} - // Upstream::ThreadAwareLoadBalancer + // Upstream::ThreadAwareLoadBalancer. Upstream::LoadBalancerFactorySharedPtr factory() override { return std::make_shared(cluster_); } @@ -214,7 +213,7 @@ friend class ReverseConnectionClusterTest; // Periodically cleans the stale hosts from host_map_. void cleanup(); - // Checks if a host exists for a given `host_id` and if not it creates and caches + // Checks if a host exists for a given `host_id` and if not it creates and caches. // that host to the map. Upstream::HostSelectionResponse checkAndCreateHost(const std::string host_id); @@ -222,7 +221,7 @@ friend class ReverseConnectionClusterTest; // If such header is present, it return that header value. absl::string_view getHostIdValue(const Http::RequestHeaderMap* request_headers); - // Get the upstream socket manager from the thread-local registry + // Get the upstream socket manager from the thread-local registry. BootstrapReverseConnection::UpstreamSocketManager* getUpstreamSocketManager() const; // No pre-initialize work needs to be completed by REVERSE CONNECTION cluster. diff --git a/test/extensions/clusters/reverse_connection/BUILD b/test/extensions/clusters/reverse_connection/BUILD index 500bc29a6cf38..24c6ee62720ae 100644 --- a/test/extensions/clusters/reverse_connection/BUILD +++ b/test/extensions/clusters/reverse_connection/BUILD @@ -1,15 +1,9 @@ load( "//bazel:envoy_build_system.bzl", - "envoy_cc_mock", "envoy_cc_test", "envoy_package", ) -load( - "//test/extensions:extensions_build_system.bzl", - "envoy_extension_cc_test", -) - licenses(["notice"]) # Apache 2 envoy_package() @@ -22,14 +16,16 @@ envoy_cc_test( "//source/extensions/clusters/reverse_connection:reverse_connection_lib", "//source/extensions/load_balancing_policies/cluster_provided:config", "//test/common/upstream:utility_lib", - "//test/test_common:registry_lib", + "//test/mocks/network:network_mocks", "//test/mocks/protobuf:protobuf_mocks", "//test/mocks/runtime:runtime_mocks", "//test/mocks/server:admin_mocks", "//test/mocks/server:instance_mocks", "//test/mocks/ssl:ssl_mocks", - "//test/mocks/network:network_mocks", "//test/mocks/upstream:cluster_manager_mocks", + "//test/test_common:registry_lib", "//test/test_common:utility_lib", + "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/clusters/reverse_connection/v3:pkg_cc_proto", ], -) \ No newline at end of file +) diff --git a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc index c5d2882c038d7..e101cfb119709 100644 --- a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc +++ b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc @@ -14,9 +14,10 @@ #include "source/common/network/address_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/singleton/manager_impl.h" +#include "source/common/singleton/threadsafe_singleton.h" #include "source/common/upstream/upstream_impl.h" -#include "source/extensions/clusters/reverse_connection/reverse_connection.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/clusters/reverse_connection/reverse_connection.h" #include "source/extensions/transport_sockets/raw_buffer/config.h" #include "source/server/transport_socket_config_impl.h" @@ -58,7 +59,7 @@ class TestLoadBalancerContext : public Upstream::LoadBalancerContextBase { Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{{key, value}}}; } - // Upstream::LoadBalancerContext + // Upstream::LoadBalancerContext. absl::optional computeHashKey() override { return 0; } const Network::Connection* downstreamConnection() const override { return connection_; } StreamInfo::StreamInfo* requestStreamInfo() const override { return request_stream_info_; } @@ -75,28 +76,41 @@ class TestLoadBalancerContext : public Upstream::LoadBalancerContextBase { class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, public testing::Test { public: ReverseConnectionClusterTest() { - // Set up the stats scope + // Set up the stats scope. stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Set up the mock context + + // Set up the mock context. EXPECT_CALL(server_context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(server_context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - - // Create the config + + // Create the config. config_.set_stat_prefix("test_prefix"); - - // Create the socket interface - socket_interface_ = std::make_unique(server_context_); - - // Create the extension + } + + ~ReverseConnectionClusterTest() override = default; + + // Set up the upstream extension components (socket interface and extension). + void setupUpstreamExtension() { + // Create the socket interface. + socket_interface_ = + std::make_unique(server_context_); + + // Create the extension. extension_ = std::make_unique( *socket_interface_, server_context_, config_); - - // Set up thread local slot - setupThreadLocalSlot(); + + // Get the registered socket interface from the global registry and set up its extension. + auto* registered_socket_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (registered_socket_interface) { + auto* registered_acceptor = dynamic_cast( + const_cast(registered_socket_interface)); + if (registered_acceptor) { + // Set up the extension for the registered socket interface. + registered_acceptor->extension_ = extension_.get(); + } + } } - - ~ReverseConnectionClusterTest() override = default; void setupFromYaml(const std::string& yaml, bool expect_success = true) { if (expect_success) { @@ -112,15 +126,14 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi false); RevConClusterFactory factory; - - // Parse the RevConClusterConfig from the cluster's typed_config + + // Parse the RevConClusterConfig from the cluster's typed_config. envoy::extensions::clusters::reverse_connection::v3::RevConClusterConfig rev_con_config; THROW_IF_NOT_OK(Config::Utility::translateOpaqueConfig( - cluster_config.cluster_type().typed_config(), - validation_visitor_, - rev_con_config)); - - auto status_or_pair = factory.createClusterWithConfig(cluster_config, rev_con_config, factory_context); + cluster_config.cluster_type().typed_config(), validation_visitor_, rev_con_config)); + + auto status_or_pair = + factory.createClusterWithConfig(cluster_config, rev_con_config, factory_context); THROW_IF_NOT_OK_REF(status_or_pair.status()); cluster_ = std::dynamic_pointer_cast(status_or_pair.value().first); @@ -140,84 +153,101 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi void TearDown() override { if (init_complete_) { - // EXPECT_CALL(server_context_.dispatcher_, post(_)); EXPECT_CALL(*cleanup_timer_, disableTimer()); } - - // Clean up thread local resources - tls_slot_.reset(); - thread_local_registry_.reset(); - extension_.reset(); - socket_interface_.reset(); + + // Clean up thread local resources if they were set up. + if (tls_slot_) { + tls_slot_.reset(); + } + if (thread_local_registry_) { + thread_local_registry_.reset(); + } + if (extension_) { + extension_.reset(); + } + if (socket_interface_) { + socket_interface_.reset(); + } } - // Helper function to set up thread local slot for tests + // Helper function to set up thread local slot for tests. void setupThreadLocalSlot() { - // First, call onServerInitialized to set up the extension reference properly + // Check if extension is set up + if (!extension_) { + return; + } + + // Set up mock expectations for timer creation that will be needed by UpstreamSocketManager. + auto mock_timer = new NiceMock(); + EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); + + // First, call onServerInitialized to set up the extension reference properly. extension_->onServerInitialized(); - - // Create a thread local registry with the properly initialized extension - thread_local_registry_ = std::make_shared( - server_context_.dispatcher_, extension_.get()); - - // Create the actual TypedSlot - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + + // Create a thread local registry with the properly initialized extension. + thread_local_registry_ = + std::make_shared( + server_context_.dispatcher_, extension_.get()); + + // Create the actual TypedSlot. + tls_slot_ = + ThreadLocal::TypedSlot::makeUnique( + thread_local_); thread_local_.setDispatcher(&server_context_.dispatcher_); - - // Set up the slot to return our registry + + // Set up the slot to return our registry. tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - - // Override the TLS slot with our test version + + // Override the TLS slot with our test version. extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); - - // Get the registered socket interface from the global registry and set up its extension - auto* registered_socket_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); - if (registered_socket_interface) { - auto* registered_acceptor = dynamic_cast( - const_cast(registered_socket_interface)); - if (registered_acceptor) { - // Set up the extension for the registered socket interface - registered_acceptor->extension_ = extension_.get(); - } - } } - // Helper to add a socket to the manager for testing + // Helper to add a socket to the manager for testing. void addTestSocket(const std::string& node_id, const std::string& cluster_id) { - if (!thread_local_registry_ || !thread_local_registry_->socketManager()) { + if (!thread_local_registry_ || !thread_local_registry_->socketManager() || !socket_interface_) { return; } - - // Set up mock expectations for timer and file event creation + + // Set up mock expectations for timer and file event creation. auto mock_timer = new NiceMock(); auto mock_file_event = new NiceMock(); - EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)) - .WillOnce(Return(mock_timer)); + EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); EXPECT_CALL(server_context_.dispatcher_, createFileEvent_(_, _, _, _)) .WillOnce(Return(mock_file_event)); - - // Create a mock socket + + // Create a mock socket. auto socket = std::make_unique>(); auto mock_io_handle = std::make_unique>(); EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); socket->io_handle_ = std::move(mock_io_handle); - // Get the socket manager from the thread local registry + // Get the socket manager from the thread local registry. auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); EXPECT_NE(tls_socket_manager, nullptr); - - // Add the socket to the manager - tls_socket_manager->addConnectionSocket( - node_id, cluster_id, std::move(socket), std::chrono::seconds(30), false); + + // Add the socket to the manager. + tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), + std::chrono::seconds(30), false); + } + + // Helper method to call cleanup since this class is a friend of RevConCluster. + void callCleanup() { cluster_->cleanup(); } + + // Helper method to create LoadBalancerFactory instance for testing. + std::unique_ptr createLoadBalancerFactory() { + return std::make_unique(cluster_); } - // Helper method to call cleanup since this class is a friend of RevConCluster - void callCleanup() { - cluster_->cleanup(); + // Helper method to create ThreadAwareLoadBalancer instance for testing. + std::unique_ptr createThreadAwareLoadBalancer() { + return std::make_unique(cluster_); } + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + NiceMock server_context_; NiceMock validation_visitor_; @@ -227,29 +257,31 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi Event::MockTimer* cleanup_timer_; Common::CallbackHandlePtr priority_update_cb_; bool init_complete_{false}; - - // Real thread local slot and registry for reverse connection testing - std::unique_ptr> tls_slot_; + + // Real thread local slot and registry for reverse connection testing. + std::unique_ptr> + tls_slot_; std::shared_ptr thread_local_registry_; - - // Real socket interface and extension + + // Real socket interface and extension. std::unique_ptr socket_interface_; std::unique_ptr extension_; - - // Mock thread local instance + + // Mock thread local instance. NiceMock thread_local_; - - // Mock dispatcher + + // Mock dispatcher. NiceMock dispatcher_{"worker_0"}; - - // Stats and config + + // Stats and config. Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: UpstreamReverseConnectionSocketInterface config_; }; -TEST(ReverseConnectionClusterConfigTest, GoodConfig) { +// Test cluster creation with valid config. +TEST(ReverseConnectionClusterConfigTest, ValidConfig) { const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -270,6 +302,45 @@ TEST(ReverseConnectionClusterConfigTest, GoodConfig) { EXPECT_EQ(cluster_config.cluster_type().name(), "envoy.clusters.reverse_connection"); } +// Test cluster creation with custom proxy host suffix. +TEST_F(ReverseConnectionClusterTest, CustomProxyHostSuffixLogic) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + proxy_host_suffix: "custom.proxy.suffix" + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + RevConCluster::LoadBalancer lb(cluster_); + + // Test that the custom proxy host suffix is used for Host header parsing. + { + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.custom.proxy.suffix:8080"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_TRUE(result.has_value()); + EXPECT_EQ(result.value(), "test-node-uuid"); + } + + // Test that the default suffix is rejected. + { + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.tcpproxy.envoy.remote:8080"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_FALSE(result.has_value()); + } +} + +// Test cluster creation failure due to invalid load assignment. TEST_F(ReverseConnectionClusterTest, BadConfigWithLoadAssignment) { const std::string yaml = R"EOF( name: name @@ -296,6 +367,7 @@ TEST_F(ReverseConnectionClusterTest, BadConfigWithLoadAssignment) { "Reverse Conn clusters must have no load assignment configured"); } +// Test cluster creation failure due to wrong load balancing policy. TEST_F(ReverseConnectionClusterTest, BadConfigWithWrongLbPolicy) { const std::string yaml = R"EOF( name: name @@ -310,7 +382,9 @@ TEST_F(ReverseConnectionClusterTest, BadConfigWithWrongLbPolicy) { )EOF"; EXPECT_THROW_WITH_MESSAGE(setupFromYaml(yaml, false), EnvoyException, - "cluster: LB policy ROUND_ROBIN is not valid for Cluster type envoy.clusters.reverse_connection. Only 'CLUSTER_PROVIDED' is allowed with cluster type 'REVERSE_CONNECTION'"); + "cluster: LB policy ROUND_ROBIN is not valid for Cluster type " + "envoy.clusters.reverse_connection. Only 'CLUSTER_PROVIDED' is allowed " + "with cluster type 'REVERSE_CONNECTION'"); } TEST_F(ReverseConnectionClusterTest, BasicSetup) { @@ -337,6 +411,7 @@ TEST_F(ReverseConnectionClusterTest, BasicSetup) { EXPECT_EQ(0UL, cluster_->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); } +// Test host creation failure due to no context. TEST_F(ReverseConnectionClusterTest, NoContext) { const std::string yaml = R"EOF( name: name @@ -369,8 +444,16 @@ TEST_F(ReverseConnectionClusterTest, NoContext) { Upstream::HostConstSharedPtr host = lb.chooseHost(&lb_context).host; EXPECT_EQ(host, nullptr); } + + // Test null context - should return nullptr. + { + RevConCluster::LoadBalancer lb(cluster_); + Upstream::HostConstSharedPtr host = lb.chooseHost(nullptr).host; + EXPECT_EQ(host, nullptr); + } } +// Test host creation failure due to no headers. TEST_F(ReverseConnectionClusterTest, NoHeaders) { const std::string yaml = R"EOF( name: name @@ -398,6 +481,7 @@ TEST_F(ReverseConnectionClusterTest, NoHeaders) { } } +// Test host creation failure due to missing required headers. TEST_F(ReverseConnectionClusterTest, MissingRequiredHeaders) { const std::string yaml = R"EOF( name: name @@ -414,7 +498,8 @@ TEST_F(ReverseConnectionClusterTest, MissingRequiredHeaders) { EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Request with unsupported headers but missing all required headers (EnvoyDstNodeUUID, EnvoyDstClusterUUID, proper Host header) + // Request with unsupported headers but missing all required headers (EnvoyDstNodeUUID,. + // EnvoyDstClusterUUID, proper Host header). { NiceMock connection; TestLoadBalancerContext lb_context(&connection, "x-random-header", "random-value"); @@ -423,8 +508,18 @@ TEST_F(ReverseConnectionClusterTest, MissingRequiredHeaders) { Upstream::HostConstSharedPtr host = lb.chooseHost(&lb_context).host; EXPECT_EQ(host, nullptr); } + + // Test with empty header value - this should be skipped and continue to next header. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection, "x-remote-node-id", ""); + RevConCluster::LoadBalancer lb(cluster_); + Upstream::HostConstSharedPtr host = lb.chooseHost(&lb_context).host; + EXPECT_EQ(host, nullptr); + } } +// Test UUID extraction from Host header. TEST_F(ReverseConnectionClusterTest, GetUUIDFromHostFunction) { const std::string yaml = R"EOF( name: name @@ -443,16 +538,16 @@ TEST_F(ReverseConnectionClusterTest, GetUUIDFromHostFunction) { RevConCluster::LoadBalancer lb(cluster_); - // Test valid Host header format + // Test valid Host header format. { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-node-uuid.tcpproxy.envoy.remote:8080"}}}; + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.tcpproxy.envoy.remote:8080"}}}; auto result = lb.getUUIDFromHost(*headers); EXPECT_TRUE(result.has_value()); EXPECT_EQ(result.value(), "test-node-uuid"); } - // Test valid Host header format with different UUID + // Test valid Host header format with different UUID. { auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ {"Host", "another-test-node-uuid.tcpproxy.envoy.remote:9090"}}}; @@ -461,40 +556,49 @@ TEST_F(ReverseConnectionClusterTest, GetUUIDFromHostFunction) { EXPECT_EQ(result.value(), "another-test-node-uuid"); } - // Test Host header without port + // Test Host header without port. { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-node-uuid.tcpproxy.envoy.remote"}}}; + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.tcpproxy.envoy.remote"}}}; auto result = lb.getUUIDFromHost(*headers); EXPECT_TRUE(result.has_value()); EXPECT_EQ(result.value(), "test-node-uuid"); } - // Test invalid Host header - wrong suffix + // Test invalid Host header - wrong suffix. { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-node-uuid.wrong.suffix:8080"}}}; + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.wrong.suffix:8080"}}}; auto result = lb.getUUIDFromHost(*headers); EXPECT_FALSE(result.has_value()); } - // Test invalid Host header - no dot separator + // Test invalid Host header - no dot separator. { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-node-uuidtcpproxy.envoy.remote:8080"}}}; + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuidtcpproxy.envoy.remote:8080"}}}; auto result = lb.getUUIDFromHost(*headers); EXPECT_FALSE(result.has_value()); } - // Test invalid Host header - empty UUID + // Test invalid Host header - empty UUID. { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", ".tcpproxy.envoy.remote:8080"}}}; + auto headers = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", ".tcpproxy.envoy.remote:8080"}}}; auto result = lb.getUUIDFromHost(*headers); EXPECT_EQ(result.value(), ""); } + + // Test invalid Host header - invalid port. + { + auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ + {"Host", "test-node-uuid.tcpproxy.envoy.remote:invalid"}}}; + auto result = lb.getUUIDFromHost(*headers); + EXPECT_FALSE(result.has_value()); + } } +// Test UUID extraction from SNI. TEST_F(ReverseConnectionClusterTest, GetUUIDFromSNIFunction) { const std::string yaml = R"EOF( name: name @@ -513,75 +617,152 @@ TEST_F(ReverseConnectionClusterTest, GetUUIDFromSNIFunction) { RevConCluster::LoadBalancer lb(cluster_); - // Test valid SNI format + // Test valid SNI format. { NiceMock connection; EXPECT_CALL(connection, requestedServerName()) .WillRepeatedly(Return("test-node-uuid.tcpproxy.envoy.remote")); - + auto result = lb.getUUIDFromSNI(&connection); EXPECT_TRUE(result.has_value()); EXPECT_EQ(result.value(), "test-node-uuid"); } - // Test valid SNI format with different UUID + // Test valid SNI format with different UUID. { NiceMock connection; EXPECT_CALL(connection, requestedServerName()) .WillRepeatedly(Return("another-test-node123.tcpproxy.envoy.remote")); - + auto result = lb.getUUIDFromSNI(&connection); EXPECT_TRUE(result.has_value()); EXPECT_EQ(result.value(), "another-test-node123"); } - // Test empty SNI + // Test empty SNI. { NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return("")); - + EXPECT_CALL(connection, requestedServerName()).WillRepeatedly(Return("")); + auto result = lb.getUUIDFromSNI(&connection); EXPECT_FALSE(result.has_value()); } - // Test null connection + // Test null connection. { auto result = lb.getUUIDFromSNI(nullptr); EXPECT_FALSE(result.has_value()); } - // Test SNI with wrong suffix + // Test SNI with wrong suffix. { NiceMock connection; EXPECT_CALL(connection, requestedServerName()) .WillRepeatedly(Return("test-node-uuid.wrong.suffix")); - + auto result = lb.getUUIDFromSNI(&connection); EXPECT_FALSE(result.has_value()); } - // Test SNI without suffix + // Test SNI without suffix. { NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return("test-node-uuid")); - + EXPECT_CALL(connection, requestedServerName()).WillRepeatedly(Return("test-node-uuid")); + auto result = lb.getUUIDFromSNI(&connection); EXPECT_FALSE(result.has_value()); } - // Test SNI with empty UUID + // Test SNI with empty UUID. { NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return(".tcpproxy.envoy.remote")); - + EXPECT_CALL(connection, requestedServerName()).WillRepeatedly(Return(".tcpproxy.envoy.remote")); + auto result = lb.getUUIDFromSNI(&connection); EXPECT_EQ(result.value(), ""); } } +// Test host creation failure due to thread local slot not being set. +TEST_F(ReverseConnectionClusterTest, HostCreationWithoutSocketManager) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + RevConCluster::LoadBalancer lb(cluster_); + // Do not set up thread local slot - no socket manager initialized. + + // Test host creation with Host header when socket manager is not available. + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result = lb.chooseHost(&lb_context); + // Should return nullptr when socket manager is not found. + EXPECT_EQ(result.host, nullptr); +} + +// Test when the socket interface is not registered in the registry. +TEST_F(ReverseConnectionClusterTest, SocketInterfaceNotRegistered) { + // Temporarily remove the upstream reverse connection socket interface from the registry + // This will make Network::socketInterface() return nullptr for the specific name. + auto saved_factories = + Registry::FactoryRegistry::factories(); + + // Find and remove the specific socket interface factory. + auto& factories = + Registry::FactoryRegistry::factories(); + auto it = factories.find( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (it != factories.end()) { + factories.erase(it); + } + + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + RevConCluster::LoadBalancer lb(cluster_); + + // Test host creation when socket interface is not registered. + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result = lb.chooseHost(&lb_context); + // Should return nullptr when socket interface is not found. + EXPECT_EQ(result.host, nullptr); + + // Restore the registry + Registry::FactoryRegistry::factories() = + saved_factories; +} + +// Test host creation with socket manager. TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { const std::string yaml = R"EOF( name: name @@ -598,52 +779,57 @@ TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Add test sockets to the socket manager + // Set up the upstream extension for this test. + setupUpstreamExtension(); + // Set up the thread local slot, initializing the socket manager. + setupThreadLocalSlot(); + + // Add test sockets to the socket manager. addTestSocket("test-uuid-123", "cluster-123"); addTestSocket("test-uuid-456", "cluster-456"); RevConCluster::LoadBalancer lb(cluster_); - // Test host creation with Host header + // Test host creation with Host header. { NiceMock connection; TestLoadBalancerContext lb_context(&connection); - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-123"); } - // Test host creation with SNI + // Test host creation with SNI. { NiceMock connection; EXPECT_CALL(connection, requestedServerName()) .WillRepeatedly(Return("test-uuid-456.tcpproxy.envoy.remote")); - + TestLoadBalancerContext lb_context(&connection); - // No Host header, so it should fall back to SNI - lb_context.downstream_headers_ = + // No Host header, so it should fall back to SNI. + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{}}; - + auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-456"); } - // Test host creation with HTTP headers + // Test host creation with HTTP headers. { NiceMock connection; TestLoadBalancerContext lb_context(&connection, "x-dst-cluster-uuid", "cluster-123"); - + auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-123"); } } +// Test host reuse for requests with same UUID. TEST_F(ReverseConnectionClusterTest, HostReuse) { const std::string yaml = R"EOF( name: name @@ -660,29 +846,33 @@ TEST_F(ReverseConnectionClusterTest, HostReuse) { EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Add test socket to the socket manager + // Set up the upstream extension for this test + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Add test socket to the socket manager. addTestSocket("test-uuid-123", "cluster-123"); RevConCluster::LoadBalancer lb(cluster_); - // Create first host + // Create first host. { NiceMock connection; TestLoadBalancerContext lb_context(&connection); - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); - - // Create second host with same UUID - should reuse the same host + + // Create second host with same UUID - should reuse the same host. auto result2 = lb.chooseHost(&lb_context); EXPECT_NE(result2.host, nullptr); EXPECT_EQ(result1.host, result2.host); } } +// Test different hosts for different UUIDs. TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { const std::string yaml = R"EOF( name: name @@ -699,33 +889,36 @@ TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Add test sockets to the socket manager + // Set up the upstream extension for this test + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Add test sockets to the socket manager. addTestSocket("test-uuid-123", "cluster-123"); addTestSocket("test-uuid-456", "cluster-456"); RevConCluster::LoadBalancer lb(cluster_); - // Create first host + // Create first host. { NiceMock connection; TestLoadBalancerContext lb_context(&connection); - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); - - // Create second host with different UUID - should be different host - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + + // Create second host with different UUID - should be different host. + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; auto result2 = lb.chooseHost(&lb_context); EXPECT_NE(result2.host, nullptr); EXPECT_NE(result1.host, result2.host); } } +// Test cleanup of hosts. TEST_F(ReverseConnectionClusterTest, TestCleanup) { const std::string yaml = R"EOF( name: name @@ -742,63 +935,555 @@ TEST_F(ReverseConnectionClusterTest, TestCleanup) { EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Add test sockets to the socket manager + // Set up the upstream extension for this test + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Add test sockets to the socket manager. addTestSocket("test-uuid-123", "cluster-123"); addTestSocket("test-uuid-456", "cluster-456"); RevConCluster::LoadBalancer lb(cluster_); - // Create two hosts + // Create two hosts. Upstream::HostSharedPtr host1, host2; - - // Create first host + + // Create first host. { NiceMock connection; TestLoadBalancerContext lb_context(&connection); - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); host1 = std::const_pointer_cast(result1.host); } - // Create second host + // Create second host. { NiceMock connection; TestLoadBalancerContext lb_context(&connection); - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; - + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + auto result2 = lb.chooseHost(&lb_context); EXPECT_NE(result2.host, nullptr); host2 = std::const_pointer_cast(result2.host); } - // Verify hosts are different + // Verify hosts are different. EXPECT_NE(host1, host2); - // Expect the cleanup timer to be enabled after cleanup + // Expect the cleanup timer to be enabled after cleanup. + EXPECT_CALL(*cleanup_timer_, enableTimer(std::chrono::milliseconds(10000), nullptr)); + + // Call cleanup via the helper method. + callCleanup(); + + // Verify that hosts can still be accessed after cleanup. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result = lb.chooseHost(&lb_context); + EXPECT_NE(result.host, nullptr); + } +} + +// Test cleanup of hosts with used hosts. +TEST_F(ReverseConnectionClusterTest, TestCleanupWithUsedHosts) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Set up the upstream extension for this test + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Add test sockets to the socket manager. + addTestSocket("test-uuid-123", "cluster-123"); + addTestSocket("test-uuid-456", "cluster-456"); + + RevConCluster::LoadBalancer lb(cluster_); + + // Create two hosts. + Upstream::HostSharedPtr host1, host2; + + // Create first host. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + + auto result1 = lb.chooseHost(&lb_context); + EXPECT_NE(result1.host, nullptr); + host1 = std::const_pointer_cast(result1.host); + } + + // Create second host. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + + auto result2 = lb.chooseHost(&lb_context); + EXPECT_NE(result2.host, nullptr); + host2 = std::const_pointer_cast(result2.host); + } + + // Mark one host as used by acquiring a handle. + auto handle1 = host1->acquireHandle(); + EXPECT_TRUE(host1->used()); + + // Expect the cleanup timer to be enabled after cleanup. EXPECT_CALL(*cleanup_timer_, enableTimer(std::chrono::milliseconds(10000), nullptr)); - // Call cleanup via the helper method + // Call cleanup via the helper method. callCleanup(); - // Verify that hosts can still be accessed after cleanup + // Verify that the used host is still accessible after cleanup. { NiceMock connection; TestLoadBalancerContext lb_context(&connection); - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; - + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); } + + // Release the handle. + handle1.reset(); +} + +// LoadBalancerFactory tests +TEST_F(ReverseConnectionClusterTest, LoadBalancerFactory) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Set up the upstream extension for this test + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Test LoadBalancerFactory using helper method. + auto factory = createLoadBalancerFactory(); + EXPECT_NE(factory, nullptr); + + // Test that the factory creates load balancers. + Upstream::LoadBalancerParams params{cluster_->prioritySet()}; + auto lb = factory->create(params); + EXPECT_NE(lb, nullptr); + + // Test that multiple load balancers are different instances. + auto lb2 = factory->create(params); + EXPECT_NE(lb2, nullptr); + EXPECT_NE(lb.get(), lb2.get()); + + // Test create() without parameters. + auto lb3 = factory->create(); + EXPECT_NE(lb3, nullptr); +} + +// ThreadAwareLoadBalancer tests +TEST_F(ReverseConnectionClusterTest, ThreadAwareLoadBalancer) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + // Set up the upstream extension for this test + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Test ThreadAwareLoadBalancer using helper method. + auto thread_aware_lb = createThreadAwareLoadBalancer(); + EXPECT_NE(thread_aware_lb, nullptr); + + // Test initialize() method. + auto init_status = thread_aware_lb->initialize(); + EXPECT_TRUE(init_status.ok()); + + // Test factory() method. + auto factory = thread_aware_lb->factory(); + EXPECT_NE(factory, nullptr); + + // Test that factory creates load balancers. + Upstream::LoadBalancerParams params{cluster_->prioritySet()}; + auto lb = factory->create(params); + EXPECT_NE(lb, nullptr); +} + +// Test no-op methods for load balancer. +TEST_F(ReverseConnectionClusterTest, LoadBalancerNoopMethods) { + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + lb_policy: CLUSTER_PROVIDED + cleanup_interval: 1s + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + cleanup_interval: 10s + )EOF"; + + EXPECT_CALL(initialized_, ready()); + setupFromYaml(yaml); + + RevConCluster::LoadBalancer lb(cluster_); + + // Test peekAnotherHost - should return nullptr. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + Upstream::HostConstSharedPtr peeked_host = lb.peekAnotherHost(&lb_context); + EXPECT_EQ(peeked_host, nullptr); + } + + // Test selectExistingConnection - should return nullopt. + { + NiceMock connection; + TestLoadBalancerContext lb_context(&connection); + std::vector hash_key; + + // Create a mock host for testing. + auto mock_host = std::make_shared>(); + auto selected_connection = lb.selectExistingConnection(&lb_context, *mock_host, hash_key); + EXPECT_FALSE(selected_connection.has_value()); + } + + // Test lifetimeCallbacks - should return empty OptRef. + { + auto lifetime_callbacks = lb.lifetimeCallbacks(); + EXPECT_FALSE(lifetime_callbacks.has_value()); + } +} + +// UpstreamReverseConnectionAddress tests +class UpstreamReverseConnectionAddressTest : public testing::Test { +public: + UpstreamReverseConnectionAddressTest() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(server_context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(server_context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + } + + void SetUp() override {} + + void TearDown() override { + // Clean up thread local resources if they were set up. + if (tls_slot_) { + tls_slot_.reset(); + } + if (thread_local_registry_) { + thread_local_registry_.reset(); + } + if (extension_) { + extension_.reset(); + } + if (socket_interface_) { + socket_interface_.reset(); + } + } + + // Set up the upstream extension components (socket interface and extension). + void setupUpstreamExtension() { + // Create the socket interface. + socket_interface_ = + std::make_unique(server_context_); + + // Create the extension. + extension_ = std::make_unique( + *socket_interface_, server_context_, config_); + } + + // Set up the thread local slot with the extension. + void setupThreadLocalSlot() { + // Check if extension is set up + if (!extension_) { + return; + } + + // Set up mock expectations for timer creation that will be needed by UpstreamSocketManager. + auto mock_timer = new NiceMock(); + EXPECT_CALL(server_context_.dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); + + // First, call onServerInitialized to set up the extension reference properly. + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension. + thread_local_registry_ = + std::make_shared( + server_context_.dispatcher_, extension_.get()); + + // Create the actual TypedSlot. + tls_slot_ = + ThreadLocal::TypedSlot::makeUnique( + thread_local_); + thread_local_.setDispatcher(&server_context_.dispatcher_); + + // Set up the slot to return our registry. + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version. + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Get the registered socket interface from the global registry and set up its extension. + auto* registered_socket_interface = Network::socketInterface( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (registered_socket_interface) { + auto* registered_acceptor = dynamic_cast( + const_cast(registered_socket_interface)); + if (registered_acceptor) { + // Set up the extension for the registered socket interface. + registered_acceptor->extension_ = extension_.get(); + } + } + } + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + + NiceMock server_context_; + NiceMock validation_visitor_; + + // Real thread local slot and registry for reverse connection testing. + std::unique_ptr> + tls_slot_; + std::shared_ptr thread_local_registry_; + + // Real socket interface and extension. + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Configuration for the extension. + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + // Stats store and scope. + Stats::TestUtil::TestStore stats_store_; + Stats::ScopeSharedPtr stats_scope_; + + // Thread local mock. + NiceMock thread_local_; +}; + +TEST_F(UpstreamReverseConnectionAddressTest, BasicSetup) { + const std::string node_id = "test-node-123"; + UpstreamReverseConnectionAddress address(node_id); + + // Test basic properties. + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.asStringView(), "127.0.0.1:0"); + EXPECT_EQ(address.logicalName(), node_id); + EXPECT_EQ(address.type(), Network::Address::Type::Ip); + EXPECT_EQ(address.addressType(), "default"); + EXPECT_FALSE(address.networkNamespace().has_value()); +} + +TEST_F(UpstreamReverseConnectionAddressTest, EqualityOperator) { + UpstreamReverseConnectionAddress address1("node-1"); + UpstreamReverseConnectionAddress address2("node-1"); + UpstreamReverseConnectionAddress address3("node-2"); + + // Same node ID should be equal. + EXPECT_TRUE(address1 == address2); + EXPECT_TRUE(address2 == address1); + + // Different node IDs should not be equal. + EXPECT_FALSE(address1 == address3); + EXPECT_FALSE(address3 == address1); + + // Test with different address types. + Network::Address::Ipv4Instance ipv4_address("127.0.0.1", 8080); + EXPECT_FALSE(address1 == ipv4_address); +} + +TEST_F(UpstreamReverseConnectionAddressTest, SocketAddressMethods) { + UpstreamReverseConnectionAddress address("test-node"); + + // Test sockAddr and sockAddrLen. + const sockaddr* sock_addr = address.sockAddr(); + EXPECT_NE(sock_addr, nullptr); + + socklen_t addr_len = address.sockAddrLen(); + EXPECT_EQ(addr_len, sizeof(struct sockaddr_in)); + + // Verify the socket address structure. + const struct sockaddr_in* addr_in = reinterpret_cast(sock_addr); + EXPECT_EQ(addr_in->sin_family, AF_INET); + EXPECT_EQ(ntohs(addr_in->sin_port), 0); + EXPECT_EQ(ntohl(addr_in->sin_addr.s_addr), 0x7f000001); // 127.0.0.1 +} + +// Test IP-related methods for UpstreamReverseConnectionAddress. +TEST_F(UpstreamReverseConnectionAddressTest, IPMethods) { + UpstreamReverseConnectionAddress address("test-node"); + + // Test IP-related methods. + const Network::Address::Ip* ip = address.ip(); + EXPECT_NE(ip, nullptr); + + // Test IP address properties. + EXPECT_EQ(ip->addressAsString(), "0.0.0.0:0"); + EXPECT_TRUE(ip->isAnyAddress()); + EXPECT_FALSE(ip->isUnicastAddress()); + EXPECT_EQ(ip->port(), 0); + EXPECT_EQ(ip->version(), Network::Address::IpVersion::v4); + + // Test additional IP methods. + EXPECT_FALSE(ip->isLinkLocalAddress()); + EXPECT_FALSE(ip->isUniqueLocalAddress()); + EXPECT_FALSE(ip->isSiteLocalAddress()); + EXPECT_FALSE(ip->isTeredoAddress()); + + // Test IPv4/IPv6 methods. + EXPECT_EQ(ip->ipv4(), nullptr); + EXPECT_EQ(ip->ipv6(), nullptr); +} + +TEST_F(UpstreamReverseConnectionAddressTest, PipeAndInternalAddressMethods) { + UpstreamReverseConnectionAddress address("test-node"); + + // Test pipe and internal address methods. + EXPECT_EQ(address.pipe(), nullptr); + EXPECT_EQ(address.envoyInternalAddress(), nullptr); +} + +// Test socketInterface() functionality for UpstreamReverseConnectionAddress. +TEST_F(UpstreamReverseConnectionAddressTest, SocketInterfaceWithAvailableInterface) { + // Set up the upstream extension and thread local slot. + setupUpstreamExtension(); + setupThreadLocalSlot(); + + // Create an address instance. + UpstreamReverseConnectionAddress address("test-node"); + const Network::SocketInterface& socket_interface = address.socketInterface(); + + // Should return the upstream reverse connection socket interface. + EXPECT_NE(&socket_interface, nullptr); + + // Verify that the returned interface is of type ReverseTunnelAcceptor. + const auto* reverse_tunnel_acceptor = + dynamic_cast(&socket_interface); + EXPECT_NE(reverse_tunnel_acceptor, nullptr); +} + +// Test socketInterface() functionality when the upstream socket interface is not found. +TEST_F(UpstreamReverseConnectionAddressTest, SocketInterfaceWithUnavailableInterface) { + // Temporarily remove the upstream reverse connection socket interface from the registry + // This will make Network::socketInterface() return nullptr for the specific name. + auto saved_factories = + Registry::FactoryRegistry::factories(); + + // Find and remove the specific socket interface factory. + auto& factories = + Registry::FactoryRegistry::factories(); + auto it = factories.find( + "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + if (it != factories.end()) { + factories.erase(it); + } + + // Create an address instance. + UpstreamReverseConnectionAddress address("test-node"); + + // The socketInterface() method should fall back to the default socket interface + // when the upstream reverse connection socket interface is not found. + const Network::SocketInterface& socket_interface = address.socketInterface(); + + // Should return the default socket interface. + EXPECT_NE(&socket_interface, nullptr); + + // Verify that it's not the reverse tunnel acceptor type. + const auto* reverse_tunnel_acceptor = + dynamic_cast(&socket_interface); + EXPECT_EQ(reverse_tunnel_acceptor, nullptr); + + // Explicitly verify that the returned interface is the one registered with + // "envoy.extensions.network.socket_interface.default_socket_interface". + const Network::SocketInterface* default_interface = Network::socketInterface( + "envoy.extensions.network.socket_interface.default_socket_interface"); + EXPECT_NE(default_interface, nullptr); + EXPECT_EQ(&socket_interface, default_interface); + Registry::FactoryRegistry::factories() = + saved_factories; +} + +// Test logical name for multiple instances of UpstreamReverseConnectionAddress. +TEST_F(UpstreamReverseConnectionAddressTest, MultipleInstances) { + UpstreamReverseConnectionAddress address1("node-1"); + UpstreamReverseConnectionAddress address2("node-2"); + + // Test that different instances have different logical names. + EXPECT_EQ(address1.logicalName(), "node-1"); + EXPECT_EQ(address2.logicalName(), "node-2"); + + // Test that they are not equal. + EXPECT_FALSE(address1 == address2); +} + +TEST_F(UpstreamReverseConnectionAddressTest, EmptyNodeId) { + UpstreamReverseConnectionAddress address(""); + + // Test with empty node ID. + EXPECT_EQ(address.logicalName(), ""); + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.type(), Network::Address::Type::Ip); +} + +TEST_F(UpstreamReverseConnectionAddressTest, LongNodeId) { + const std::string long_node_id = + "very-long-node-id-that-might-be-used-in-production-environments"; + UpstreamReverseConnectionAddress address(long_node_id); + + // Test with long node ID. + EXPECT_EQ(address.logicalName(), long_node_id); + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.type(), Network::Address::Type::Ip); } } // namespace ReverseConnection } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy From 64f698ba37db06333f60cf472b0bdcb757663798 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 20 Aug 2025 20:42:47 +0000 Subject: [PATCH 266/505] Sync changes from origin/reverse_conn_http_filter Signed-off-by: Basundhara Chakrabarty --- .../filters/http/reverse_conn/v3/BUILD | 4 +- .../http/reverse_conn/v3/reverse_conn.proto | 1 - .../filters/http/reverse_conn/BUILD | 2 +- .../http/reverse_conn/reverse_conn_filter.cc | 60 +- .../http/reverse_conn/reverse_conn_filter.h | 11 +- .../filters/http/reverse_conn/BUILD | 7 +- .../reverse_conn/reverse_conn_filter_test.cc | 553 +++++++++--------- 7 files changed, 327 insertions(+), 311 deletions(-) diff --git a/api/envoy/extensions/filters/http/reverse_conn/v3/BUILD b/api/envoy/extensions/filters/http/reverse_conn/v3/BUILD index b514f18ab81a3..29ebf0741406e 100644 --- a/api/envoy/extensions/filters/http/reverse_conn/v3/BUILD +++ b/api/envoy/extensions/filters/http/reverse_conn/v3/BUILD @@ -5,7 +5,5 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = [ - "@com_github_cncf_xds//udpa/annotations:pkg", - ], + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], ) diff --git a/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto b/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto index 96ef2792d8ca3..e081ba51f8b8c 100644 --- a/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto +++ b/api/envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.proto @@ -12,7 +12,6 @@ option java_outer_classname = "ReverseConnProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/reverse_conn/v3;reverse_connv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (udpa.annotations.file_status).work_in_progress = true; // [#protodoc-title: ReverseConn] // ReverseConn :ref:`configuration overview `. diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index f572fab5dce50..74f6f219498f6 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -39,7 +39,7 @@ envoy_cc_extension( "//source/common/protobuf:utility_lib", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", - "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index b38091d8360d8..9d20f4c8c7384 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -84,8 +84,8 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; getClusterDetailsUsingProtobuf(&node_uuid, &cluster_uuid, &tenant_uuid); if (node_uuid.empty()) { - ret.set_status( - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::REJECTED); + ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::REJECTED); ret.set_status_message("Failed to parse request message or required fields missing"); decoder_callbacks_->sendLocalReply(Http::Code::BadGateway, ret.SerializeAsString(), nullptr, absl::nullopt, ""); @@ -117,8 +117,8 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { } ENVOY_STREAM_LOG(info, "Accepting reverse connection", *decoder_callbacks_); - ret.set_status( - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::ACCEPTED); + ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::ACCEPTED); ENVOY_STREAM_LOG(info, "return value", *decoder_callbacks_); // Create response with explicit Content-Length @@ -140,12 +140,12 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { *decoder_callbacks_, node_uuid, cluster_uuid); saveDownstreamConnection(*connection, node_uuid, cluster_uuid); connection->setSocketReused(true); - + // Reset file events on the connection socket if (connection->getSocket()) { connection->getSocket()->ioHandle().resetFileEvents(); } - + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; @@ -186,7 +186,8 @@ Http::FilterHeadersStatus ReverseConnFilter::handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster) { ENVOY_LOG(debug, - "ReverseConnFilter: Received reverse connection info request with remote_node: {} remote_cluster: {}", + "ReverseConnFilter: Received reverse connection info request with remote_node: {} " + "remote_cluster: {}", remote_node, remote_cluster); // Production-ready cross-thread aggregation @@ -203,7 +204,7 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, // Get connection count for specific remote node/cluster using stats auto stats_map = upstream_extension->getCrossWorkerStatMap(); size_t num_connections = 0; - + if (!remote_node.empty()) { std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", remote_node); // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names @@ -214,7 +215,8 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, } } } else { - std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", remote_cluster); + std::string cluster_stat_name = + fmt::format("reverse_connections.clusters.{}", remote_cluster); // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names for (const auto& [stat_name, value] : stats_map) { if (stat_name.find(cluster_stat_name) != std::string::npos) { @@ -223,7 +225,7 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, } } } - + std::string response = fmt::format("{{\"available_connections\":{}}}", num_connections); ENVOY_LOG(info, "handleResponderInfo response for {}: {}", remote_node.empty() ? remote_cluster : remote_node, response); @@ -231,8 +233,7 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, return Http::FilterHeadersStatus::StopIteration; } - ENVOY_LOG(debug, - "ReverseConnFilter: Using upstream socket manager to get connection stats"); + ENVOY_LOG(debug, "ReverseConnFilter: Using upstream socket manager to get connection stats"); auto [connected_nodes, accepted_connections] = upstream_extension->getConnectionStatsSync(std::chrono::milliseconds(1000)); @@ -242,8 +243,7 @@ ReverseConnFilter::handleResponderInfo(const std::string& remote_node, accepted_connections.end()); std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - ENVOY_LOG(debug, - "Stats aggregation completed: {} connected nodes, {} accepted connections", + ENVOY_LOG(debug, "Stats aggregation completed: {} connected nodes, {} accepted connections", connected_nodes.size(), accepted_connections.size()); // Create JSON response @@ -286,9 +286,10 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, // For initiator, stats format includes state suffix: reverse_connections.nodes..connected auto stats_map = downstream_extension->getCrossWorkerStatMap(); size_t num_connections = 0; - + if (!remote_node.empty()) { - std::string node_stat_name = fmt::format("reverse_connections.host.{}.connected", remote_node); + std::string node_stat_name = + fmt::format("reverse_connections.host.{}.connected", remote_node); // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names for (const auto& [stat_name, value] : stats_map) { if (stat_name.find(node_stat_name) != std::string::npos) { @@ -297,7 +298,8 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, } } } else { - std::string cluster_stat_name = fmt::format("reverse_connections.cluster.{}.connected", remote_cluster); + std::string cluster_stat_name = + fmt::format("reverse_connections.cluster.{}.connected", remote_cluster); // Search for the stat with scope prefix since getCrossWorkerStatMap returns full stat names for (const auto& [stat_name, value] : stats_map) { if (stat_name.find(cluster_stat_name) != std::string::npos) { @@ -306,7 +308,7 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, } } } - + std::string response = fmt::format("{{\"available_connections\":{}}}", num_connections); ENVOY_LOG(info, "handleInitiatorInfo response for {}: {}", remote_node.empty() ? remote_cluster : remote_node, response); @@ -325,8 +327,7 @@ ReverseConnFilter::handleInitiatorInfo(const std::string& remote_node, accepted_connections.end()); std::list connected_nodes_list(connected_nodes.begin(), connected_nodes.end()); - ENVOY_LOG(debug, - "Stats aggregation completed: {} connected nodes, {} accepted connections", + ENVOY_LOG(debug, "Stats aggregation completed: {} connected nodes, {} accepted connections", connected_nodes.size(), accepted_connections.size()); // Create production-ready JSON response for multi-tenant environment @@ -407,16 +408,15 @@ void ReverseConnFilter::saveDownstreamConnection(Network::Connection& downstream return; } - ENVOY_STREAM_LOG(debug, "Successfully duplicated file descriptor: original_fd={}, duplicated_fd={}", - *decoder_callbacks_, original_socket->ioHandle().fdDoNotUse(), + ENVOY_STREAM_LOG(debug, + "Successfully duplicated file descriptor: original_fd={}, duplicated_fd={}", + *decoder_callbacks_, original_socket->ioHandle().fdDoNotUse(), duplicated_handle->fdDoNotUse()); // Create a new socket with the duplicated handle - Network::ConnectionSocketPtr duplicated_socket = - std::make_unique( - std::move(duplicated_handle), - original_socket->connectionInfoProvider().localAddress(), - original_socket->connectionInfoProvider().remoteAddress()); + Network::ConnectionSocketPtr duplicated_socket = std::make_unique( + std::move(duplicated_handle), original_socket->connectionInfoProvider().localAddress(), + original_socket->connectionInfoProvider().remoteAddress()); // Reset file events on the duplicated socket to clear any inherited events duplicated_socket->ioHandle().resetFileEvents(); @@ -425,7 +425,9 @@ void ReverseConnFilter::saveDownstreamConnection(Network::Connection& downstream socket_manager->addConnectionSocket(node_id, cluster_id, std::move(duplicated_socket), config_->pingInterval(), false /* rebalanced */); - ENVOY_STREAM_LOG(debug, "Successfully added duplicated socket to upstream socket manager. Original connection remains functional.", + ENVOY_STREAM_LOG(debug, + "Successfully added duplicated socket to upstream socket manager. Original " + "connection remains functional.", *decoder_callbacks_); } @@ -444,8 +446,6 @@ Http::FilterDataStatus ReverseConnFilter::decodeData(Buffer::Instance& data, boo return Http::FilterDataStatus::Continue; } - - Http::FilterTrailersStatus ReverseConnFilter::decodeTrailers(Http::RequestTrailerMap&) { return Http::FilterTrailersStatus::Continue; } diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 583f4d79b1f24..85df4e3585590 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -1,9 +1,9 @@ #pragma once -#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" -#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.validate.h" #include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" #include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.validate.h" +#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.validate.h" #include "envoy/http/async_client.h" #include "envoy/http/filter.h" #include "envoy/upstream/cluster_manager.h" @@ -73,6 +73,7 @@ static const char DOUBLE_CRLF[] = "\r\n\r\n"; */ class ReverseConnFilter : Logger::Loggable, public Http::StreamDecoderFilter { friend class ReverseConnFilterTest; + public: ReverseConnFilter(ReverseConnFilterConfigSharedPtr config); ~ReverseConnFilter(); @@ -98,7 +99,6 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str static const std::string rc_accepted_response; private: - void saveDownstreamConnection(Network::Connection& downstream_connection, const std::string& node_id, const std::string& cluster_id); std::string getQueryParam(const std::string& key); @@ -119,8 +119,8 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str Http::FilterHeadersStatus getReverseConnectionInfo(); // Handle reverse connection info for responder role (uses upstream socket manager) - Http::FilterHeadersStatus - handleResponderInfo(const std::string& remote_node, const std::string& remote_cluster); + Http::FilterHeadersStatus handleResponderInfo(const std::string& remote_node, + const std::string& remote_cluster); // Handle reverse connection info for initiator role (uses downstream socket interface) Http::FilterHeadersStatus handleInitiatorInfo(const std::string& remote_node, @@ -136,7 +136,6 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str void getClusterDetailsUsingProtobuf(std::string* node_uuid, std::string* cluster_uuid, std::string* tenant_uuid); - bool matchRequestPath(const absl::string_view& request_path, const std::string& api_path); // Get the upstream socket manager from the thread-local registry diff --git a/test/extensions/filters/http/reverse_conn/BUILD b/test/extensions/filters/http/reverse_conn/BUILD index 01a56a335a70d..a074544ef3975 100644 --- a/test/extensions/filters/http/reverse_conn/BUILD +++ b/test/extensions/filters/http/reverse_conn/BUILD @@ -13,18 +13,19 @@ envoy_cc_test( size = "medium", srcs = ["reverse_conn_filter_test.cc"], deps = [ - "//source/common/thread_local:thread_local_lib", "//envoy/network:connection_interface", "//source/common/buffer:buffer_lib", "//source/common/http:message_lib", "//source/common/network:address_lib", "//source/common/network:connection_lib", "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", "//source/extensions/filters/http/reverse_conn:reverse_conn_filter_lib", "//test/mocks/http:http_mocks", "//test/mocks/network:network_mocks", "//test/mocks/server:factory_context_mocks", "//test/test_common:test_runtime_lib", - "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", ], -) \ No newline at end of file +) diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc index 47395649c40ae..9181cf9f57447 100644 --- a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -1,30 +1,27 @@ -#include "source/extensions/filters/http/reverse_conn/reverse_conn_filter.h" - +#include "envoy/common/optref.h" #include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" #include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" - #include "envoy/network/connection.h" -#include "envoy/common/optref.h" + #include "source/common/buffer/buffer_impl.h" +#include "source/common/common/utility.h" #include "source/common/http/message_impl.h" #include "source/common/network/address_impl.h" #include "source/common/network/connection_impl.h" -#include "source/common/network/socket_interface_impl.h" -#include "source/common/buffer/buffer_impl.h" -#include "source/common/common/utility.h" #include "source/common/network/socket_interface.h" +#include "source/common/network/socket_interface_impl.h" #include "source/common/protobuf/protobuf.h" +#include "source/extensions/filters/http/reverse_conn/reverse_conn_filter.h" +#include "test/mocks/event/mocks.h" #include "test/mocks/http/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/server/factory_context.h" +#include "test/mocks/ssl/mocks.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/stream_info/mocks.h" -#include "test/mocks/ssl/mocks.h" -#include "test/mocks/network/mocks.h" -#include "test/mocks/event/mocks.h" -#include "test/test_common/test_runtime.h" #include "test/test_common/logging.h" +#include "test/test_common/test_runtime.h" // Include reverse connection components for testing #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" @@ -37,11 +34,11 @@ namespace ReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; #include "gtest/gtest.h" using testing::_; +using testing::ByMove; +using testing::Invoke; using testing::NiceMock; using testing::Return; using testing::ReturnRef; -using testing::ByMove; -using testing::Invoke; namespace Envoy { namespace Extensions { @@ -53,14 +50,15 @@ class ReverseConnFilterTest : public testing::Test { void SetUp() override { // Initialize stats scope stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - + // Set up the mock context EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); // Set up the mock callbacks - EXPECT_CALL(callbacks_, connection()).WillRepeatedly(Return(OptRef{connection_})); + EXPECT_CALL(callbacks_, connection()) + .WillRepeatedly(Return(OptRef{connection_})); EXPECT_CALL(callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); EXPECT_CALL(stream_info_, dynamicMetadata()).WillRepeatedly(ReturnRef(metadata_)); @@ -72,7 +70,8 @@ class ReverseConnFilterTest : public testing::Test { // Helper method to set up upstream extension only void setupUpstreamExtension() { // Create the upstream socket interface and extension - upstream_socket_interface_ = std::make_unique(context_); + upstream_socket_interface_ = + std::make_unique(context_); upstream_extension_ = std::make_unique( *upstream_socket_interface_, context_, upstream_config_); @@ -92,7 +91,8 @@ class ReverseConnFilterTest : public testing::Test { // Helper method to set up downstream extension only void setupDownstreamExtension() { // Create the downstream socket interface and extension - downstream_socket_interface_ = std::make_unique(context_); + downstream_socket_interface_ = + std::make_unique(context_); downstream_extension_ = std::make_unique( context_, downstream_config_); @@ -145,7 +145,8 @@ class ReverseConnFilterTest : public testing::Test { } // Helper function to create reverse connection request headers - Http::TestRequestHeaderMapImpl createReverseConnectionRequestHeaders(uint32_t content_length = 100) { + Http::TestRequestHeaderMapImpl + createReverseConnectionRequestHeaders(uint32_t content_length = 100) { auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(content_length); return headers; @@ -161,31 +162,36 @@ class ReverseConnFilterTest : public testing::Test { } // Helper function to test the private matchRequestPath method - bool testMatchRequestPath(ReverseConnFilter* filter, const std::string& request_path, const std::string& api_path) { + bool testMatchRequestPath(ReverseConnFilter* filter, const std::string& request_path, + const std::string& api_path) { // Use the friend class access to call the private method return filter->matchRequestPath(request_path, api_path); } // Helper functions to call private methods in ReverseConnFilter - ReverseConnection::UpstreamSocketManager* testGetUpstreamSocketManager(ReverseConnFilter* filter) { + ReverseConnection::UpstreamSocketManager* + testGetUpstreamSocketManager(ReverseConnFilter* filter) { return filter->getUpstreamSocketManager(); } - const ReverseConnection::ReverseTunnelInitiator* testGetDownstreamSocketInterface(ReverseConnFilter* filter) { + const ReverseConnection::ReverseTunnelInitiator* + testGetDownstreamSocketInterface(ReverseConnFilter* filter) { return filter->getDownstreamSocketInterface(); } - ReverseConnection::ReverseTunnelAcceptorExtension* testGetUpstreamSocketInterfaceExtension(ReverseConnFilter* filter) { + ReverseConnection::ReverseTunnelAcceptorExtension* + testGetUpstreamSocketInterfaceExtension(ReverseConnFilter* filter) { return filter->getUpstreamSocketInterfaceExtension(); } - ReverseConnection::ReverseTunnelInitiatorExtension* testGetDownstreamSocketInterfaceExtension(ReverseConnFilter* filter) { + ReverseConnection::ReverseTunnelInitiatorExtension* + testGetDownstreamSocketInterfaceExtension(ReverseConnFilter* filter) { return filter->getDownstreamSocketInterfaceExtension(); } // Helper function to call the private saveDownstreamConnection method - void testSaveDownstreamConnection(ReverseConnFilter* filter, Network::Connection& connection, - const std::string& node_id, const std::string& cluster_id) { + void testSaveDownstreamConnection(ReverseConnFilter* filter, Network::Connection& connection, + const std::string& node_id, const std::string& cluster_id) { filter->saveDownstreamConnection(connection, node_id, cluster_id); } @@ -196,12 +202,11 @@ class ReverseConnFilterTest : public testing::Test { } // Helper function to test the private determineRole method - std::string testDetermineRole(ReverseConnFilter* filter) { - return filter->determineRole(); - } + std::string testDetermineRole(ReverseConnFilter* filter) { return filter->determineRole(); } // Helper function to create a protobuf handshake argument - std::string createHandshakeArg(const std::string& tenant_uuid, const std::string& cluster_uuid, const std::string& node_uuid) { + std::string createHandshakeArg(const std::string& tenant_uuid, const std::string& cluster_uuid, + const std::string& node_uuid) { envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(tenant_uuid); arg.set_cluster_uuid(cluster_uuid); @@ -213,17 +218,21 @@ class ReverseConnFilterTest : public testing::Test { void setupUpstreamThreadLocalSlot() { // Call onServerInitialized to set up the extension references properly upstream_extension_->onServerInitialized(); - + // Create a thread local registry for upstream with the properly initialized extension - upstream_thread_local_registry_ = std::make_shared( - dispatcher_, upstream_extension_.get()); + upstream_thread_local_registry_ = + std::make_shared(dispatcher_, + upstream_extension_.get()); - upstream_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + upstream_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique( + thread_local_); thread_local_.setDispatcher(&dispatcher_); - + // Set up the upstream slot to return our registry - upstream_tls_slot_->set([registry = upstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); - + upstream_tls_slot_->set( + [registry = upstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); + // Override the TLS slot with our test version upstream_extension_->setTestOnlyTLSRegistry(std::move(upstream_tls_slot_)); } @@ -232,16 +241,20 @@ class ReverseConnFilterTest : public testing::Test { void setupDownstreamThreadLocalSlot() { // Call onServerInitialized to set up the extension references properly downstream_extension_->onServerInitialized(); - + // Create a thread local registry for downstream with the dispatcher - downstream_thread_local_registry_ = std::make_shared( - dispatcher_, *stats_scope_); + downstream_thread_local_registry_ = + std::make_shared(dispatcher_, + *stats_scope_); + + downstream_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique( + thread_local_); - downstream_tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - // Set up the downstream slot to return our registry - downstream_tls_slot_->set([registry = downstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); - + downstream_tls_slot_->set( + [registry = downstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); + // Override the TLS slot with our test version downstream_extension_->setTestOnlyTLSRegistry(std::move(downstream_tls_slot_)); } @@ -264,7 +277,7 @@ class ReverseConnFilterTest : public testing::Test { NiceMock stream_info_; envoy::config::core::v3::Metadata metadata_; NiceMock dispatcher_{"worker_0"}; - + // Mock socket for testing std::unique_ptr mock_socket_; std::unique_ptr> mock_io_handle_; @@ -274,50 +287,54 @@ class ReverseConnFilterTest : public testing::Test { // Create a mock socket that inherits from ConnectionSocket auto mock_socket_ptr = std::make_unique>(); auto mock_io_handle_ = std::make_unique>(); - + // Set up IO handle expectations EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); EXPECT_CALL(*mock_io_handle_, isOpen()).WillRepeatedly(Return(true)); - + // Only expect duplicate() if the socket will actually be used if (expect_duplicate) { EXPECT_CALL(*mock_io_handle_, duplicate()).WillOnce(Invoke([&]() { auto duplicated_handle = std::make_unique>(); EXPECT_CALL(*duplicated_handle, fdDoNotUse()).WillRepeatedly(Return(124)); EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); - EXPECT_CALL(*duplicated_handle, resetFileEvents()).Times(1); + EXPECT_CALL(*duplicated_handle, resetFileEvents()); return duplicated_handle; })); } - + // Set up socket expectations EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); - + // Store the mock_io_handle in the socket mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); // Cast the mock to the base ConnectionSocket type and store it mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); - + // Set up connection to return the socket EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); } - + // Thread local components for testing upstream socket manager - std::unique_ptr> upstream_tls_slot_; + std::unique_ptr> + upstream_tls_slot_; std::shared_ptr upstream_thread_local_registry_; std::unique_ptr upstream_socket_interface_; std::unique_ptr upstream_extension_; - std::unique_ptr> downstream_tls_slot_; + std::unique_ptr> + downstream_tls_slot_; std::shared_ptr downstream_thread_local_registry_; std::unique_ptr downstream_socket_interface_; std::unique_ptr downstream_extension_; - + // Config for reverse connection socket interface - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::UpstreamReverseConnectionSocketInterface upstream_config_; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3::DownstreamReverseConnectionSocketInterface downstream_config_; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface upstream_config_; + envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface downstream_config_; // Set debug logging for this test LogLevelSetter log_level_setter_{ENVOY_SPDLOG_LEVEL(debug)}; @@ -342,18 +359,22 @@ class ReverseConnFilterTest : public testing::Test { } // Helper method to manually set gauge values for testing initiated connections - void setInitiatedConnectionStats(const std::string& node_id, const std::string& cluster_id, uint64_t count = 1) { + void setInitiatedConnectionStats(const std::string& node_id, const std::string& cluster_id, + uint64_t count = 1) { // Set cross-worker stats (these are the ones used by getCrossWorkerStatMap) auto& stats_store = downstream_extension_->getStatsScope(); - + // Set host connection stat - use the pattern expected by getCrossWorkerStatMap std::string host_stat_name = fmt::format("reverse_connections.host.{}.connected", node_id); - auto& host_gauge = stats_store.gaugeFromString(host_stat_name, Stats::Gauge::ImportMode::Accumulate); + auto& host_gauge = + stats_store.gaugeFromString(host_stat_name, Stats::Gauge::ImportMode::Accumulate); host_gauge.set(count); - + // Set cluster connection stat - use the pattern expected by getCrossWorkerStatMap - std::string cluster_stat_name = fmt::format("reverse_connections.cluster.{}.connected", cluster_id); - auto& cluster_gauge = stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); + std::string cluster_stat_name = + fmt::format("reverse_connections.cluster.{}.connected", cluster_id); + auto& cluster_gauge = + stats_store.gaugeFromString(cluster_stat_name, Stats::Gauge::ImportMode::Accumulate); cluster_gauge.set(count); } }; @@ -371,7 +392,7 @@ TEST_F(ReverseConnFilterTest, DefaultConfig) { auto filter_config = std::make_shared(config); auto filter = std::make_unique(filter_config); filter->setDecoderFilterCallbacks(callbacks_); - + EXPECT_NE(filter, nullptr); EXPECT_EQ(filter_config->pingInterval().count(), 2); // Default is 2 seconds } @@ -386,7 +407,7 @@ TEST_F(ReverseConnFilterTest, CustomPingInterval) { TEST_F(ReverseConnFilterTest, FilterDestruction) { auto filter = createFilter(); EXPECT_NE(filter, nullptr); - + // Should not crash on destruction filter.reset(); EXPECT_EQ(filter, nullptr); @@ -396,7 +417,7 @@ TEST_F(ReverseConnFilterTest, FilterDestruction) { TEST_F(ReverseConnFilterTest, OnDestroy) { auto filter = createFilter(); EXPECT_NE(filter, nullptr); - + // Should not crash when onDestroy is called filter->onDestroy(); } @@ -404,32 +425,32 @@ TEST_F(ReverseConnFilterTest, OnDestroy) { // Test helper functions for socket interface access - Extension not created TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersNoExtensions) { auto filter = createFilter(); - + // Test all four helper functions when no extensions are created auto* upstream_manager = testGetUpstreamSocketManager(filter.get()); auto* upstream_extension = testGetUpstreamSocketInterfaceExtension(filter.get()); auto* downstream_extension = testGetDownstreamSocketInterfaceExtension(filter.get()); - EXPECT_EQ(upstream_manager, nullptr); // No TLS registry set up - EXPECT_EQ(upstream_extension, nullptr); // No extension set up + EXPECT_EQ(upstream_manager, nullptr); // No TLS registry set up + EXPECT_EQ(upstream_extension, nullptr); // No extension set up EXPECT_EQ(downstream_extension, nullptr); // No extension set up } // Test helper functions for socket interface access - Extensions created but no TLS slots TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersExtensionsNoSlots) { auto filter = createFilter(); - + // Set up extensions but don't set up TLS slots setupExtensions(); - + // Test all four helper functions when extensions are created but TLS slots are not set up auto* upstream_manager = testGetUpstreamSocketManager(filter.get()); auto* upstream_extension = testGetUpstreamSocketInterfaceExtension(filter.get()); auto* downstream_extension = testGetDownstreamSocketInterfaceExtension(filter.get()); - + // Upstream manager should be nullptr because TLS registry is not set up EXPECT_EQ(upstream_manager, nullptr); - + // Extensions should be found since we created them, but TLS slots are not set up EXPECT_NE(upstream_extension, nullptr); EXPECT_EQ(upstream_extension, upstream_extension_.get()); @@ -440,26 +461,26 @@ TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersExtensionsNoSlots) { // Test helper functions for socket interface access - Extensions and TLS slots set up TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersExtensionsAndSlots) { auto filter = createFilter(); - + // Set up extensions and TLS slots setupExtensions(); setupThreadLocalSlot(); - + // Test all four helper functions when everything is properly set up auto* upstream_manager = testGetUpstreamSocketManager(filter.get()); auto* downstream_interface = testGetDownstreamSocketInterface(filter.get()); auto* upstream_extension = testGetUpstreamSocketInterfaceExtension(filter.get()); auto* downstream_extension = testGetDownstreamSocketInterfaceExtension(filter.get()); - + // All should be non-null when properly set up EXPECT_NE(upstream_manager, nullptr); EXPECT_EQ(upstream_manager, upstream_thread_local_registry_->socketManager()); - + EXPECT_NE(downstream_interface, nullptr); - + EXPECT_NE(upstream_extension, nullptr); EXPECT_EQ(upstream_extension, upstream_extension_.get()); - + EXPECT_NE(downstream_extension, nullptr); EXPECT_EQ(downstream_extension, downstream_extension_.get()); } @@ -468,7 +489,7 @@ TEST_F(ReverseConnFilterTest, SocketInterfaceHelpersExtensionsAndSlots) { TEST_F(ReverseConnFilterTest, DecodeHeadersNonReverseConnectionPath) { auto filter = createFilter(); auto headers = createHeaders("GET", "/some/other/path"); - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); EXPECT_EQ(status, Http::FilterHeadersStatus::Continue); } @@ -477,7 +498,7 @@ TEST_F(ReverseConnFilterTest, DecodeHeadersNonReverseConnectionPath) { TEST_F(ReverseConnFilterTest, DecodeHeadersReverseConnectionPathWrongMethod) { auto filter = createFilter(); auto headers = createHeaders("PUT", "/reverse_connections"); - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); EXPECT_EQ(status, Http::FilterHeadersStatus::Continue); } @@ -486,7 +507,7 @@ TEST_F(ReverseConnFilterTest, DecodeHeadersReverseConnectionPathWrongMethod) { TEST_F(ReverseConnFilterTest, ConfigValidationValidPingInterval) { envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; config.mutable_ping_interval()->set_value(1); // Valid: 1 second - + auto filter_config = std::make_shared(config); EXPECT_EQ(filter_config->pingInterval().count(), 1); } @@ -495,7 +516,7 @@ TEST_F(ReverseConnFilterTest, ConfigValidationValidPingInterval) { TEST_F(ReverseConnFilterTest, ConfigValidationZeroPingInterval) { envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; config.mutable_ping_interval()->set_value(0); // Zero should use default - + auto filter_config = std::make_shared(config); EXPECT_EQ(filter_config->pingInterval().count(), 2); // Default is 2 seconds } @@ -504,7 +525,7 @@ TEST_F(ReverseConnFilterTest, ConfigValidationZeroPingInterval) { TEST_F(ReverseConnFilterTest, ConfigValidationLargePingInterval) { envoy::extensions::filters::http::reverse_conn::v3::ReverseConn config; config.mutable_ping_interval()->set_value(3600); // 1 hour - + auto filter_config = std::make_shared(config); EXPECT_EQ(filter_config->pingInterval().count(), 3600); } @@ -512,19 +533,20 @@ TEST_F(ReverseConnFilterTest, ConfigValidationLargePingInterval) { // Test matchRequestPath helper function TEST_F(ReverseConnFilterTest, MatchRequestPath) { auto filter = createFilter(); - + // Test exact match EXPECT_TRUE(testMatchRequestPath(filter.get(), "/reverse_connections", "/reverse_connections")); - + // Test prefix match - EXPECT_TRUE(testMatchRequestPath(filter.get(), "/reverse_connections/request", "/reverse_connections")); - + EXPECT_TRUE( + testMatchRequestPath(filter.get(), "/reverse_connections/request", "/reverse_connections")); + // Test no match EXPECT_FALSE(testMatchRequestPath(filter.get(), "/some/other/path", "/reverse_connections")); - + // Test empty path EXPECT_FALSE(testMatchRequestPath(filter.get(), "", "/reverse_connections")); - + // Test shorter path EXPECT_FALSE(testMatchRequestPath(filter.get(), "/reverse", "/reverse_connections")); } @@ -532,24 +554,23 @@ TEST_F(ReverseConnFilterTest, MatchRequestPath) { // Test decodeHeaders with POST method for reverse connection accept request TEST_F(ReverseConnFilterTest, DecodeHeadersPostReverseConnectionAccept) { auto filter = createFilter(); - + // Create headers for POST request to /reverse_connections/request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength("100"); // Set content length for protobuf - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); - } // Test decodeHeaders with POST method for non-accept reverse connection path TEST_F(ReverseConnFilterTest, DecodeHeadersPostNonAcceptPath) { auto filter = createFilter(); - + // Create headers for POST request to /reverse_connections (not /request) auto headers = createHeaders("POST", "/reverse_connections"); headers.setContentLength("100"); - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, false); EXPECT_EQ(status, Http::FilterHeadersStatus::Continue); } @@ -561,42 +582,42 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionValidProtobuf) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Create valid protobuf handshake argument std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); - + // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock with proper expectations setupSocketMock(true); // Expect duplicate() for valid protobuf - + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with protobuf data Buffer::OwnedImpl data(handshake_arg); - + // Process data - this should call acceptReverseConnection Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Verify that the socket was added to the upstream socket manager auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); - + // Try to get the socket for the node - should be available auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); EXPECT_NE(retrieved_socket, nullptr); - + // Verify stats were updated auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); - + // Get per-worker stats to verify the connection was counted auto stat_map = extension->getPerWorkerStatMap(); @@ -609,23 +630,23 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionProtobufIncomplete) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Set up headers for reverse connection request with large content length auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength("100"); // Expect 100 bytes but only send 10 - + // Set up socket mock - expect no duplicate() since the socket won't be used setupSocketMock(false); - + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with incomplete protobuf data (less than expected size) Buffer::OwnedImpl data("incomplete"); - + // Process data - this should return StopIterationAndBuffer waiting for more data Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationAndBuffer); @@ -643,42 +664,42 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobufParseFailure // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength("43"); // Match the actual data size we'll send - + // Set up socket mock - saveDownstreamConnection is not called since after // protobuf unmarshalling since the node_uuid is empty setupSocketMock(false); - + // Expect sendLocalReply to be called with BadGateway status EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::BadGateway, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { // Verify the HTTP status code EXPECT_EQ(code, Http::Code::BadGateway); - + // Deserialize the protobuf response to check the actual message envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; EXPECT_TRUE(ret.ParseFromString(std::string(body))); - EXPECT_EQ(ret.status(), - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::REJECTED); - EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); + EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::REJECTED); + EXPECT_EQ(ret.status_message(), + "Failed to parse request message or required fields missing"); })); - + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with invalid protobuf data that can't be parsed // Send exactly 43 bytes to match the content length Buffer::OwnedImpl data("invalid protobuf data that cannot be parsed"); - + // Process data - this should call acceptReverseConnection and fail parsing // The filter should return StopIterationNoBuffer and send a local reply Http::FilterDataStatus data_status = filter->decodeData(data, true); @@ -697,58 +718,58 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Create protobuf with empty node_uuid envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; arg.set_tenant_uuid("tenant-123"); arg.set_cluster_uuid("cluster-456"); arg.set_node_uuid(""); // Empty node_uuid std::string handshake_arg = arg.SerializeAsString(); - + // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock - since the node_uuid is empty, the socket is not saved setupSocketMock(false); - + // Expect sendLocalReply to be called with BadGateway status for empty node_uuid EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::BadGateway, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { // Verify the HTTP status code EXPECT_EQ(code, Http::Code::BadGateway); - + // Deserialize the protobuf response to check the actual message envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; EXPECT_TRUE(ret.ParseFromString(std::string(body))); - EXPECT_EQ(ret.status(), - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet::REJECTED); - EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); + EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::REJECTED); + EXPECT_EQ(ret.status_message(), + "Failed to parse request message or required fields missing"); })); - + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with protobuf data Buffer::OwnedImpl data(handshake_arg); - + // Process data - this should call acceptReverseConnection and reject Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Check that no stats were recorded for the cluster auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); - + auto* extension = socket_manager->getUpstreamExtension(); ASSERT_NE(extension, nullptr); - + // Get cross-worker stats to verify no connection was counted auto cross_worker_stat_map = upstream_extension_->getCrossWorkerStatMap(); EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-456"], 0); @@ -759,35 +780,35 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Create valid protobuf handshake argument std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); - + // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - + // Mock SSL connection with certificate auto mock_ssl = std::make_shared>(); std::vector dns_sans = {"tenantId=ssl-tenant", "clusterId=ssl-cluster"}; EXPECT_CALL(*mock_ssl, peerCertificatePresented()).WillRepeatedly(Return(true)); EXPECT_CALL(*mock_ssl, dnsSansPeerCertificate()).WillRepeatedly(Return(dns_sans)); - + // Set up connection with SSL EXPECT_CALL(connection_, ssl()).WillRepeatedly(Return(mock_ssl)); - + // Set up socket mock setupSocketMock(true); // Expect duplicate() for SSL test - + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with protobuf data Buffer::OwnedImpl data(handshake_arg); - + // Process data - this should call acceptReverseConnection Http::FilterDataStatus data_status = filter->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); @@ -795,7 +816,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionWithSSLCertificate) { // Verify that the socket was added to the upstream socket manager auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); - + // Try to get the socket for the node - should be available auto retrieved_socket = socket_manager->getConnectionSocket("node-789"); EXPECT_NE(retrieved_socket, nullptr); @@ -806,67 +827,67 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleSockets) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Create valid protobuf handshake argument std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); - + // Set up headers for reverse connection request auto headers = createHeaders("POST", "/reverse_connections/request"); headers.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock for first connection setupSocketMock(true); - + // Process headers first Http::FilterHeadersStatus header_status = filter->decodeHeaders(headers, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with protobuf data Buffer::OwnedImpl data1(handshake_arg); - + // Process first data - this should call acceptReverseConnection Http::FilterDataStatus data_status1 = filter->decodeData(data1, false); EXPECT_EQ(data_status1, Http::FilterDataStatus::StopIterationNoBuffer); - + // Create second filter instance for second connection auto filter2 = createFilter(); - + // Set up headers for second reverse connection request auto headers2 = createHeaders("POST", "/reverse_connections/request"); headers2.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock for second connection setupSocketMock(true); - + // Process headers for second connection Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); - + // Create buffer with protobuf data for second connection Buffer::OwnedImpl data2(handshake_arg); - + // Process second data - this should call acceptReverseConnection Http::FilterDataStatus data_status2 = filter2->decodeData(data2, true); EXPECT_EQ(data_status2, Http::FilterDataStatus::StopIterationNoBuffer); - + // Verify that both sockets were added to the upstream socket manager auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); - + // Try to get the first socket for the node auto retrieved_socket1 = socket_manager->getConnectionSocket("node-789"); EXPECT_NE(retrieved_socket1, nullptr); - + // Try to get the second socket for the node auto retrieved_socket2 = socket_manager->getConnectionSocket("node-789"); EXPECT_NE(retrieved_socket2, nullptr); - + // Verify stats were updated correctly for multiple connections auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); - + // Get per-worker stats to verify the connections were counted auto stat_map = extension->getPerWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 2); @@ -878,54 +899,54 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + // Create first filter and connection auto filter1 = createFilter(); std::string handshake_arg1 = createHandshakeArg("tenant-123", "cluster-456", "node-789"); auto headers1 = createHeaders("POST", "/reverse_connections/request"); headers1.setContentLength(std::to_string(handshake_arg1.length())); - + // Set up socket mock for first connection setupSocketMock(true); - + Http::FilterHeadersStatus header_status1 = filter1->decodeHeaders(headers1, false); EXPECT_EQ(header_status1, Http::FilterHeadersStatus::StopIteration); - + Buffer::OwnedImpl data1(handshake_arg1); Http::FilterDataStatus data_status1 = filter1->decodeData(data1, true); EXPECT_EQ(data_status1, Http::FilterDataStatus::StopIterationNoBuffer); - + // Create second filter and connection with different node/cluster auto filter2 = createFilter(); std::string handshake_arg2 = createHandshakeArg("tenant-456", "cluster-789", "node-123"); auto headers2 = createHeaders("POST", "/reverse_connections/request"); headers2.setContentLength(std::to_string(handshake_arg2.length())); - + // Set up socket mock for second connection setupSocketMock(true); - + Http::FilterHeadersStatus header_status2 = filter2->decodeHeaders(headers2, false); EXPECT_EQ(header_status2, Http::FilterHeadersStatus::StopIteration); - + Buffer::OwnedImpl data2(handshake_arg2); Http::FilterDataStatus data_status2 = filter2->decodeData(data2, true); EXPECT_EQ(data_status2, Http::FilterDataStatus::StopIterationNoBuffer); - + // Verify that both sockets were added to the upstream socket manager auto* socket_manager = upstream_thread_local_registry_->socketManager(); ASSERT_NE(socket_manager, nullptr); - + // Try to get both sockets auto retrieved_socket1 = socket_manager->getConnectionSocket("node-789"); EXPECT_NE(retrieved_socket1, nullptr); - + auto retrieved_socket2 = socket_manager->getConnectionSocket("node-123"); EXPECT_NE(retrieved_socket2, nullptr); - + // Verify cross-worker stats were updated correctly for both connections auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); - + // Get cross-worker stats to verify both connections were counted auto cross_worker_stat_map = extension->getCrossWorkerStatMap(); EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.nodes.node-789"], 1); @@ -934,23 +955,22 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionMultipleNodesCrossWorkerSta EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster-789"], 1); } - // Test saveDownstreamConnection without socket manager initialized TEST_F(ReverseConnFilterTest, SaveDownstreamConnectionNoSocketManager) { // Set up extensions but not thread local slot - socket manager will not be initialized setupExtensions(); auto filter = createFilter(); - + // Set up socket mock setupSocketMock(false); - + // Call saveDownstreamConnection - should fail since socket manager is not initialized testSaveDownstreamConnection(filter.get(), connection_, "node-789", "cluster-456"); // Check that no stats were recorded since the socket manager is not available auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); - + // Get per-worker stats to verify no connection was counted auto stat_map = extension->getPerWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 0); @@ -962,40 +982,40 @@ TEST_F(ReverseConnFilterTest, SaveDownstreamConnectionOriginalSocketClosed) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Set up socket mock with closed socket auto mock_socket_ptr = std::make_unique>(); auto mock_io_handle_ = std::make_unique>(); - + // Set up IO handle expectations for closed socket EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); EXPECT_CALL(*mock_io_handle_, isOpen()).WillRepeatedly(Return(false)); // Socket is closed - + // Don't expect duplicate() since socket is closed EXPECT_CALL(*mock_io_handle_, duplicate()).Times(0); - + // Set up socket expectations EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(false)); // Socket is closed - + // Store the mock_io_handle in the socket mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); - + // Cast the mock to the base ConnectionSocket type and store it mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); - + // Set up connection to return the socket EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); - + // Call saveDownstreamConnection directly - should fail since socket is closed testSaveDownstreamConnection(filter.get(), connection_, "node-789", "cluster-456"); // Check that no stats were recorded since the socket was closed auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); - + // Get per-worker stats to verify no connection was counted auto stat_map = extension->getPerWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 0); @@ -1007,40 +1027,40 @@ TEST_F(ReverseConnFilterTest, SaveDownstreamConnectionDuplicateFailure) { // Set up extensions and thread local slot for upstream socket manager setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - + // Set up socket mock with duplicate failure auto mock_socket_ptr = std::make_unique>(); auto mock_io_handle_ = std::make_unique>(); - + // Set up IO handle expectations EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(123)); EXPECT_CALL(*mock_io_handle_, isOpen()).WillRepeatedly(Return(true)); - + // Expect duplicate() to fail (return nullptr) EXPECT_CALL(*mock_io_handle_, duplicate()).WillOnce(Return(nullptr)); - + // Set up socket expectations EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); - + // Store the mock_io_handle in the socket mock_socket_ptr->io_handle_ = std::move(mock_io_handle_); - + // Cast the mock to the base ConnectionSocket type and store it mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); - + // Set up connection to return the socket EXPECT_CALL(connection_, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); - + // Call saveDownstreamConnection directly - should fail since duplicate() returns nullptr testSaveDownstreamConnection(filter.get(), connection_, "node-789", "cluster-456"); - + // Check that no stats were recorded since the duplicate operation failed auto* extension = upstream_extension_.get(); ASSERT_NE(extension, nullptr); - + // Get per-worker stats to verify no connection was counted auto stat_map = extension->getPerWorkerStatMap(); EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node-789"], 0); @@ -1052,15 +1072,17 @@ TEST_F(ReverseConnFilterTest, GetQueryParamAllCases) { // Set up extensions and thread local slots to avoid crashes setupExtensions(); setupThreadLocalSlot(); - + auto filter = createFilter(); - // Test with existing query parameters - use a reverse-connection path but with GET method to avoid triggering the full logic - auto headers = createHeaders("GET", "/reverse_connections?node_id=test-node&cluster_id=test-cluster&role=initiator"); + // Test with existing query parameters - use a reverse-connection path but with GET method to + // avoid triggering the full logic + auto headers = createHeaders( + "GET", "/reverse_connections?node_id=test-node&cluster_id=test-cluster&role=initiator"); // Call decodeHeaders to properly set up the request headers Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); - + EXPECT_EQ(testGetQueryParam(filter.get(), "node_id"), "test-node"); EXPECT_EQ(testGetQueryParam(filter.get(), "cluster_id"), "test-cluster"); EXPECT_EQ(testGetQueryParam(filter.get(), "role"), "initiator"); @@ -1073,7 +1095,7 @@ TEST_F(ReverseConnFilterTest, GetQueryParamAllCases) { auto filter_empty = createFilter(); Http::FilterHeadersStatus status_empty = filter_empty->decodeHeaders(headers_empty, true); EXPECT_EQ(status_empty, Http::FilterHeadersStatus::StopIteration); - + EXPECT_EQ(testGetQueryParam(filter_empty.get(), "node_id"), ""); EXPECT_EQ(testGetQueryParam(filter_empty.get(), "cluster_id"), ""); EXPECT_EQ(testGetQueryParam(filter_empty.get(), "role"), ""); @@ -1099,29 +1121,28 @@ TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleWithRemoteNode) { // Set up both extensions setupExtensions(); setupThreadLocalSlot(); - + // Create an initiated connection by setting stats createInitiatedConnection("test-node", "test-cluster"); - + // Now test the GET request auto filter = createFilter(); - + // Create GET request with initiator role and remote node auto headers = createHeaders("GET", "/reverse_connections?role=initiator&node_id=test-node"); - + // Expect sendLocalReply to be called with OK status and node-specific stats EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { EXPECT_EQ(code, Http::Code::OK); // Should return JSON with available_connections for the specific node EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); // Should return count of 1 since we manually set the stats EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); })); - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); } @@ -1131,29 +1152,29 @@ TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleWithRemoteCluster) { // Set up both extensions setupExtensions(); setupThreadLocalSlot(); - + // Create an initiated connection by setting stats createInitiatedConnection("test-node", "test-cluster"); - + // Now test the GET request auto filter = createFilter(); - + // Create GET request with initiator role and remote cluster - auto headers = createHeaders("GET", "/reverse_connections?role=initiator&cluster_id=test-cluster"); - + auto headers = + createHeaders("GET", "/reverse_connections?role=initiator&cluster_id=test-cluster"); + // Expect sendLocalReply to be called with OK status and cluster-specific stats EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { EXPECT_EQ(code, Http::Code::OK); // Should return JSON with available_connections for the specific cluster EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); // Should return count of 1 since we manually set the stats EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); })); - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); } @@ -1163,22 +1184,21 @@ TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleAggregatedStats) { // Set up both extensions setupExtensions(); setupThreadLocalSlot(); - + // Create an initiated connection by setting stats createInitiatedConnection("test-node", "test-cluster"); - + // Now test the GET request auto filter = createFilter(); - + // Create GET request with initiator role but no node_id or cluster_id auto headers = createHeaders("GET", "/reverse_connections?role=initiator"); - + // Expect sendLocalReply to be called with OK status and aggregated stats EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { EXPECT_EQ(code, Http::Code::OK); // Should return JSON with aggregated stats (accepted and connected arrays) EXPECT_TRUE(body.find("accepted") != absl::string_view::npos); @@ -1186,7 +1206,7 @@ TEST_F(ReverseConnFilterTest, GetRequestInitiatorRoleAggregatedStats) { // Should show test-cluster in the connected array since we set the stats EXPECT_TRUE(body.find("test-cluster") != absl::string_view::npos); })); - + Http::FilterHeadersStatus status = filter->decodeHeaders(headers, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); } @@ -1196,43 +1216,42 @@ TEST_F(ReverseConnFilterTest, GetRequestResponderRoleWithRemoteNode) { // Set up both extensions setupExtensions(); setupThreadLocalSlot(); - + // Create an accepted connection by sending a reverse connection request auto filter1 = createFilter(); std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); auto headers1 = createHeaders("POST", "/reverse_connections/request"); headers1.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock for the connection setupSocketMock(true); - + // Process the reverse connection request to create an accepted connection Http::FilterHeadersStatus header_status = filter1->decodeHeaders(headers1, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + Buffer::OwnedImpl data(handshake_arg); Http::FilterDataStatus data_status = filter1->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Now test the GET request auto filter2 = createFilter(); - + // Create GET request with responder role and remote node auto headers2 = createHeaders("GET", "/reverse_connections?role=responder&node_id=node-789"); - + // Expect sendLocalReply to be called with OK status and node-specific stats EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { EXPECT_EQ(code, Http::Code::OK); // Should return JSON with available_connections for the specific node EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); // Should return count of 1 since we created an actual connection EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); })); - + Http::FilterHeadersStatus status = filter2->decodeHeaders(headers2, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); } @@ -1242,82 +1261,82 @@ TEST_F(ReverseConnFilterTest, GetRequestResponderRoleWithRemoteCluster) { // Set up both extensions setupExtensions(); setupThreadLocalSlot(); - + // Create an accepted connection by sending a reverse connection request auto filter1 = createFilter(); std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); auto headers1 = createHeaders("POST", "/reverse_connections/request"); headers1.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock for the connection setupSocketMock(true); - + // Process the reverse connection request to create an accepted connection Http::FilterHeadersStatus header_status = filter1->decodeHeaders(headers1, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + Buffer::OwnedImpl data(handshake_arg); Http::FilterDataStatus data_status = filter1->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Now test the GET request auto filter2 = createFilter(); - + // Create GET request with responder role and remote cluster - auto headers2 = createHeaders("GET", "/reverse_connections?role=responder&cluster_id=cluster-456"); - + auto headers2 = + createHeaders("GET", "/reverse_connections?role=responder&cluster_id=cluster-456"); + // Expect sendLocalReply to be called with OK status and cluster-specific stats EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { EXPECT_EQ(code, Http::Code::OK); // Should return JSON with available_connections for the specific cluster EXPECT_TRUE(body.find("available_connections") != absl::string_view::npos); // Should return count of 1 since we created an actual connection EXPECT_TRUE(body.find("\"available_connections\":1") != absl::string_view::npos); })); - + Http::FilterHeadersStatus status = filter2->decodeHeaders(headers2, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); } -// Test GET request with responder role - upstream extension present, no node/cluster (aggregated stats) +// Test GET request with responder role - upstream extension present, no node/cluster (aggregated +// stats) TEST_F(ReverseConnFilterTest, GetRequestResponderRoleAggregatedStats) { // Set up both extensions setupExtensions(); setupThreadLocalSlot(); - + // Create an accepted connection by sending a reverse connection request auto filter1 = createFilter(); std::string handshake_arg = createHandshakeArg("tenant-123", "cluster-456", "node-789"); auto headers1 = createHeaders("POST", "/reverse_connections/request"); headers1.setContentLength(std::to_string(handshake_arg.length())); - + // Set up socket mock for the connection setupSocketMock(true); - + // Process the reverse connection request to create an accepted connection Http::FilterHeadersStatus header_status = filter1->decodeHeaders(headers1, false); EXPECT_EQ(header_status, Http::FilterHeadersStatus::StopIteration); - + Buffer::OwnedImpl data(handshake_arg); Http::FilterDataStatus data_status = filter1->decodeData(data, true); EXPECT_EQ(data_status, Http::FilterDataStatus::StopIterationNoBuffer); - + // Now test the GET request auto filter2 = createFilter(); - + // Create GET request with responder role but no node_id or cluster_id auto headers2 = createHeaders("GET", "/reverse_connections?role=responder"); - + // Expect sendLocalReply to be called with OK status and aggregated stats EXPECT_CALL(callbacks_, sendLocalReply(Http::Code::OK, _, _, _, _)) .WillOnce(Invoke([](Http::Code code, absl::string_view body, std::function, - const absl::optional&, - absl::string_view) { + const absl::optional&, absl::string_view) { EXPECT_EQ(code, Http::Code::OK); // Should return JSON with aggregated stats (accepted and connected arrays) EXPECT_TRUE(body.find("accepted") != absl::string_view::npos); @@ -1327,7 +1346,7 @@ TEST_F(ReverseConnFilterTest, GetRequestResponderRoleAggregatedStats) { // Should show node-789 in the connected array since we created an actual connection EXPECT_TRUE(body.find("node-789") != absl::string_view::npos); })); - + Http::FilterHeadersStatus status = filter2->decodeHeaders(headers2, true); EXPECT_EQ(status, Http::FilterHeadersStatus::StopIteration); } @@ -1335,4 +1354,4 @@ TEST_F(ReverseConnFilterTest, GetRequestResponderRoleAggregatedStats) { } // namespace ReverseConn } // namespace HttpFilters } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy From 90b7e05d517e4b1c16583b050c4a9fe2b37dbb57 Mon Sep 17 00:00:00 2001 From: Prashanth Josyula Date: Thu, 21 Aug 2025 10:08:35 -0700 Subject: [PATCH 267/505] docs: enhance dev container documentation with comprehensive setup guide (#40763) Add detailed step-by-step guide for setting up Envoy local development environment using VSCode/Cursor dev containers. The guide includes: - Complete prerequisites and system requirements - Troubleshooting section for Docker Desktop issues - Debug configuration with LLDB setup for macOS compatibility - Visual examples with image placeholders for key setup steps - Verification steps for successful Envoy startup - Key file locations and development workflow This addresses the gap in comprehensive documentation for developers who are not C++ experts and provides a complete walkthrough from initial setup to debugging Envoy source code locally. Tested on Apple M1 Max and Intel Core i9 machines running macOS Sequoia (version 15.5). Additional Description: This PR significantly enhances the existing dev container documentation by adding a comprehensive setup guide that walks through the entire process from repository cloning to successful debugging. The original documentation was brief and referenced external guides, but this enhancement provides a complete, self-contained walkthrough with troubleshooting solutions for common issues encountered during setup. The guide is particularly valuable for developers who are not C++ experts and may be unfamiliar with Bazel build systems. It includes visual documentation with 16 screenshot images showing key steps and verification points. Risk Level: Low Testing: - Manually tested complete setup process on Apple M1 Max and Intel Core i9 machines - Verified on macOS Sequoia (version 15.5) - Tested with both VSCode and Cursor IDEs - Validated all Docker Desktop configuration steps - Confirmed LLDB debugger setup and functionality - Verified all admin endpoints and proxy functionality - All pre-push validation checks passed Docs Changes: Enhanced .devcontainer/README.md with comprehensive setup guide including: - Detailed step-by-step instructions - Troubleshooting section for Docker Desktop issues - Debug configuration with both GDB and LLDB options - Visual documentation with 16 supporting images - Complete verification steps - Development workflow guidelines Release Notes: N/A Platform Specific Features: N/A - Documentation changes only, though the guide specifically addresses macOS compatibility issues with debugger configuration. --------- Signed-off-by: prashanth.chaitanya Co-authored-by: prashanth.chaitanya --- .devcontainer/README.md | 282 ++++++++++++++++++ .devcontainer/images/GDB-launch-json.png | Bin 0 -> 200639 bytes .devcontainer/images/admin-interface.png | Bin 0 -> 934332 bytes .devcontainer/images/build-success.png | Bin 0 -> 634952 bytes .devcontainer/images/cluster-endpoints.png | Bin 0 -> 1163426 bytes .devcontainer/images/code-lldb-extension.png | Bin 0 -> 195025 bytes .devcontainer/images/config-dump.png | Bin 0 -> 620071 bytes .devcontainer/images/container-status.png | Bin 0 -> 889579 bytes .devcontainer/images/debug-active.png | Bin 0 -> 293251 bytes .../images/debug-configuration-run.png | Bin 0 -> 796195 bytes .devcontainer/images/docker-settings.png | Bin 0 -> 416841 bytes .devcontainer/images/docker-space-error.png | Bin 0 -> 768472 bytes .devcontainer/images/gdb-error.png | Bin 0 -> 193198 bytes .devcontainer/images/main-breakpoint.png | Bin 0 -> 176394 bytes .devcontainer/images/proxy-endpoint.png | Bin 0 -> 462265 bytes .devcontainer/images/stats-endpoints.png | Bin 0 -> 1033208 bytes .devcontainer/images/tracer-breakpoint.png | Bin 0 -> 674083 bytes 17 files changed, 282 insertions(+) create mode 100644 .devcontainer/images/GDB-launch-json.png create mode 100644 .devcontainer/images/admin-interface.png create mode 100644 .devcontainer/images/build-success.png create mode 100644 .devcontainer/images/cluster-endpoints.png create mode 100644 .devcontainer/images/code-lldb-extension.png create mode 100644 .devcontainer/images/config-dump.png create mode 100644 .devcontainer/images/container-status.png create mode 100644 .devcontainer/images/debug-active.png create mode 100644 .devcontainer/images/debug-configuration-run.png create mode 100644 .devcontainer/images/docker-settings.png create mode 100644 .devcontainer/images/docker-space-error.png create mode 100644 .devcontainer/images/gdb-error.png create mode 100644 .devcontainer/images/main-breakpoint.png create mode 100644 .devcontainer/images/proxy-endpoint.png create mode 100644 .devcontainer/images/stats-endpoints.png create mode 100644 .devcontainer/images/tracer-breakpoint.png diff --git a/.devcontainer/README.md b/.devcontainer/README.md index 5367105d7c717..b738ba814bb5a 100644 --- a/.devcontainer/README.md +++ b/.devcontainer/README.md @@ -35,3 +35,285 @@ change this to `minimal` or `all` depending on where you're running the containe Docker for Mac/Windows is known to have disk performance issue, this makes formatting all files in the container very slow. [Update the mount consistency to 'delegated'](https://code.visualstudio.com/docs/remote/containers-advanced#_update-the-mount-consistency-to-delegated-for-macos) is recommended. + +## Detailed Setup Guide for Local Development + +This section provides an exhaustive walkthrough for setting up Envoy source code locally for development and debugging. This guide has been tested on both Apple M1 Max and Intel Core i9 machines running macOS Sequoia (version 15.5). + +For developers who are not C++ experts or are more familiar with CMake/Make build systems, Envoy's Bazel-based build system and dev container support makes local development much more accessible. + +### Prerequisites + +- macOS Sequoia (version 15.5) or compatible system +- VSCode or Cursor IDE +- Docker Desktop with sufficient resources +- Dev Containers extension + +### Step-by-Step Setup Process + +#### 1. Repository Setup + +1. Clone the Envoy repository from GitHub or create a fork: + ```bash + git clone https://github.com/envoyproxy/envoy.git + # OR + git clone https://github.com/YOUR_USERNAME/envoy.git + ``` + +2. Open the downloaded folder in VSCode or Cursor + +3. The IDE will detect the `.devcontainer` folder and prompt to reopen in Dev Container mode. Accept this prompt. + + You should see a blue label at the bottom-left of the window indicating "Container" or "Dev Container" status, confirming you're running in container mode. + + ![Container Status](./images/container-status.png) + +#### 2. Initialize Development Environment + +1. Once in dev container mode, open a new terminal (**Terminal** → **New Terminal**) + +2. Run the compilation database refresh script: + ```bash + ci/do_ci.sh refresh_compdb + ``` + + This script refreshes the compilation database and generates dependencies for code completion, including protobuf generated codes and external dependencies. This process may take 30-60 minutes depending on your machine performance. + + > **Note**: Re-run this script whenever you change proto definitions or modify bazel structure to maintain proper code completion. + +#### 3. Troubleshooting Build Issues + +If you encounter "no space left on device" errors during the compilation process, you'll need to adjust Docker Desktop settings: + +![Docker Space Error](./images/docker-space-error.png) + +**Resolution Steps:** + +1. Open Docker Desktop +2. Navigate to **Settings** → **Resources** +3. Increase **Memory Limit** to at least 8GB (recommended: 16GB+) +4. Increase **Disk usage limit** to at least 100GB + + ![Docker Settings](./images/docker-settings.png) + +5. If settings are grayed out, perform a factory reset: + - Go to **Troubleshoot** → **Reset to factory defaults** + - Restart Docker Desktop + - Reconfigure the resource limits + - Click **Apply and restart** + +**Successful Build Verification:** + +Look for a completion message similar to (the total actions might vary): +``` +Build completed successfully, 11415 total actions +``` + +![Build Success](./images/build-success.png) + +#### 4. Debug Configuration Setup + +##### Create Envoy Configuration File + +Before generating debug configuration, create an `envoy.yaml` file in the repository root (you can choose any name of your liking).This is a standard envoy configuration, you should be able to change it according to your need. Here's a sample configuration for debugging OpenTelemetry tracing: + +```yaml +admin: + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 9902 + +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + # Enable tracing + tracing: + provider: + name: envoy.tracers.opentelemetry + typed_config: + "@type": type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig + grpc_service: + envoy_grpc: + cluster_name: opentelemetry_collector + timeout: 100s + service_name: envoy-proxy + random_sampling: + value: 100 + access_log: + - name: envoy.access_loggers.stdout + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + name: local_route + virtual_hosts: + - name: local_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + host_rewrite_literal: www.envoyproxy.io + cluster: service_envoyproxy_io + + clusters: + - name: service_envoyproxy_io + type: LOGICAL_DNS + # Comment out the following line to test on v6 networks + dns_lookup_family: V4_ONLY + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: service_envoyproxy_io + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: www.envoyproxy.io + port_value: 443 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: www.envoyproxy.io + + # OpenTelemetry Collector cluster + - name: opentelemetry_collector + type: STRICT_DNS + dns_lookup_family: V4_ONLY + lb_policy: ROUND_ROBIN + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + load_assignment: + cluster_name: opentelemetry_collector + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost + port_value: 5002 +``` + +##### Generate Debug Configuration + +Run the debug configuration generator: + +```bash +tools/vscode/generate_debug_config.py //source/exe:envoy-static --args "-c envoy.yaml" +``` +![Debug Configuration Run](./images/debug-configuration-run.png) + +> **Important**: This command may take over an hour to complete. You'll need to re-run this script whenever you make code changes. + +There are two types of debuggers envoy community recommends to use, GDB (GNU Debugger) , a widely used and powerful debugger for various languages, including C++ and LLDB, the LLVM project's debugger, often used with Clang-compiled code (Clang is one of the many compilers for C++). + +Now click F5 to start debugging, this should have generated the `launch.json` as shown below. The generated `launch.json` will use GDB by default. + +![GDB Launch JSON](./images/GDB-launch-json.png) + +However, if you encounter an error with GDB (which can happen with some Mac Machines), try using the LLDB debugger as shown in the next section. + +![GDB Error](./images/gdb-error.png) + +##### Configure LLDB Debugger (Recommended for macOS) + +For better compatibility on macOS, modify the generated `launch.json` to use LLDB: + +1. Open `launch.json` (Cmd+P → type "launch.json") + + ![Launch JSON](./images/GDB-launch-json.png) + +2. Replace the GDB configuration with LLDB: + +```json +{ + "version": "0.2.0", + "configurations": [ + { + "name": "LLDB //source/exe:envoy-static", + "type": "lldb", + "request": "launch", + "program": "/build/.cache/bazel/_bazel_vscode/2d35de14639eaad1ac7060a4dd7e3351/execroot/envoy/bazel-out/k8-dbg/bin/source/exe/envoy-static", + "args": ["-c", "envoy.yaml"], + "cwd": "${workspaceFolder}", + "stopOnEntry": false, + "sourceMap": { + "/proc/self/cwd": "${workspaceFolder}" + } + } + ] +} +``` + +> **Note**: Update the `program` path with the actual hash from your generated GDB configuration. Ensure the CodeLLDB extension is installed in your dev container. + +![CodeLLDB Extension](./images/code-lldb-extension.png) + +#### 5. Setting Up Breakpoints + +##### Main Entry Point + +Add a breakpoint in the main function located at `source/exe/main.cc`: + +![Main Breakpoint](./images/main-breakpoint.png) + +##### Custom Debugging Points + +You can add additional debug points, For example, for tracing debugging, add breakpoints in specific areas like `source/extensions/tracers/opentelemetry/opentelemetry_tracer_impl.cc`: + +![Tracer Breakpoint](./images/tracer-breakpoint.png) + +#### 6. Starting Debug Session + +1. Start debugging by pressing **F5** or going to **Run** → **Start Debugging** + +2. Allow 1-2 minutes for the debugger to attach to the process (Envoy is a large codebase) + +3. Most of the Envoy source code is located in the `source` folder at the root of the repository.The breakpoint in `source/exe/main.cc` should activate + + ![Debug Active](./images/debug-active.png) + +4. Continue execution (**Run** → **Continue**) to see Envoy start up and begin emitting logs + +#### 7. Verifying Setup + +Once Envoy starts successfully, verify the setup by accessing. The ports are based on the configuration we have used earlier: + +- **Admin Interface**: http://localhost:9902 + + ![Admin Interface](./images/admin-interface.png) + +- **Proxy Endpoint**: Try reaching to the URL http://localhost:10000 and you should be redirected to envoyproxy.io based on the configuration file we gave above. + + ![Proxy Endpoint](./images/proxy-endpoint.png) + +- **Admin Endpoints**: +Try accessing different admin endpoints from your local machine. + - Clusters: http://localhost:9902/clusters + - Config Dump: http://localhost:9902/config_dump + - Stats: http://localhost:9902/stats + + ![Cluster Endpoints](./images/cluster-endpoints.png) + ![Config Dump](./images/config-dump.png) + ![Stats Endpoints](./images/stats-endpoints.png) + diff --git a/.devcontainer/images/GDB-launch-json.png b/.devcontainer/images/GDB-launch-json.png new file mode 100644 index 0000000000000000000000000000000000000000..a96eedd6466687389e1c8081370c6e781393eb90 GIT binary patch literal 200639 zcmeFZXIN8f*ENcW5&*e_n2djIc8qn*VAEP;$fnr zqhq;!>*fPGI_4NUx}#4)$ANcV9IZ#v(J>Xe-neo9_Kh3o?>~k(xq3L#(cO9#k7T_6 zaDns5K}g>X`tXSRpCWjo&Zp8nxXz~anl+ z=F6|3O957|wY1E*m@_lir7uT}!^jiKP^Zp)jMCQLT*^WFzH{fXC-ib{N;2EIZUxb4 zW`IQ3vr#7_y3Q*%pSgSGh$jEd<>PHvTF#6;y{!B6?8~+N6MAXW87K5o9?2zcyaJK0 zCmyFuYo59D_Q-jeQz|0S$e3oKpz|IVrkS-s(d+?j-%T5Jwiy~PzGSl((QS6VK)ax~ zj<>(~)8TQ=kH=}sZJ#FVpFi+XhPE7x#2rYTTll)bckkwHvC{{ouR?Eih3Q+IzT|8$ zje70Mxt{BmGR^|ocM<5vf_4{0?URl@NMCbJ zkUa5jPWNr#m)s8$A3k48;1sLM1u3p?kBG7N^rc*gNfIrQl2Y|<#oqNoesBEc%>Hsu z)p?!zbN98-e%r`%zMYBo_aJzXV6`lT`R4M6#9rT%ZVqF*X*y4AY zd-s0@xEfc7LN2cRbS|^RZ(WY(J*C{C33_^jYwgOhHd)cAEpuUOA@+;8kFE@VXE}3O zQ8;bJ<3((ItQy^!E&oN|K>c)7e?xW1il=%rf{Qc1r0ovr|*JHv{UF-V0>oh&L;WL;6MAq=Pqq=sEO>t%mwF z_dteY_n9s!-(hnMx6eS`7s^vKJbmY>`LmxlI5K|Tm(ROsD6x1opG!W18q=Ej+2!~s z{mRo#9i7ae`RsZ5d8zr+eiv$4$Dg8OS8uRoVI015OT{R)o@@HnZ2MNG?Q%_`@I9qj z$yxCnM%gDjFI(&vOfL?yFCk)Ea_mj)t8BOI+`k}8t%k#vL9CH|4Ic=WK0=Dp(r1v- zxMwOa>Rv9jvP`N^ajew_@}j`%tl&mS1J@K{8a!D?0rq_ADfEk_@T->C>m^r|%j=k7YC}KevB=hG~d{dRG0N z;Vq}Xzz)Yr-l5_xwb0kY?$AEnGAcLxb!nYrNIXG& zP%J-h*Sg_Jz|~jV3<~lnNhfWv54F^4zb_Q(e?vWM4E|q+_}3(5qN(Xs*7ZSoG{_ zVSc7tE>Cu?WrZOH0QpoY0U)b>6c(_rw0d^a8^Nbgcwg0J}eV(`)2NBZf7o0 z!RlV&9_zB?vg;aMvE^dZBhZ_%6gdBB@$8~y_qqP;#o7fXe`bI1BHBLh%5aRIwoKM@ znZn%cxf0Pnl}|$%3OQZn}UPpCoT<%YQOx+tCo(Yp4;6oZJV#$ zks0;ucaw8#my5eP@yHUg_x5w=ughg02HLR~ADw}|%f9G%5qj@Sj%1%)A1o);sq{m= zS(Mr55h>r{v2T_x=q{A|Rj0~6kDlePBU_TUI6a~zqurv_@76lLo;ltY+@|1ra;~{! zL?+k26Dko>;8!4Gj3_iJJX)w=s$hmGlPQ}Tc|SV#2y}8YEpG(k?uaF92X?i{W4(2Y6`#|%6 zpSGnq$|sN;CCfL-U8?-?!t1l#0;Z?8CBIAFI^BQvBqJjO@no24mrI(9H4Frrida4w zbo%E>D;{cF=<;6oPBu9`(k!xw$(<$l1(;QXhbGe~Yj4qiUBginE*EYTm9n`&Rn>)knRrzvWpu3GZGTM9w4_B~e_>`oH$I#UrB=s!A?f zd2_UC+;K|!T3hPDd(d!tm zDbE_xJBogbMl3{kbo5Jy9gem#ypp*Bg;o>uB=1Xqm!8L;LzNZ3Hb^wtwi}wZ^3)2@ zVhlI~Z421qWaLm-mKiI9bq&3J|2FMGSMO-Od58j$e;kV+s>eIPJC3Xz-C;!YofSaA zzZ36Ueef~sv0I)hZ0bVX!K8Zaoz!sSo7nNcRc zY&)c4>k$h5ru}^R*+aAGbfS+$tyAwQ25lKmexB_s?2~tn>0DO3tCnoSI8cNbG3k&JKT zK6HLKG*-+!zB-PCgy7Kuk-l?IU8uC;x;IcFJ{mI=k`6zZdA7j_5p+`H3n^cfne~}C z^YdM1uDO0&nCyO0sL?zGSis)#VToajN@?Bp(ks z;=9(|pIwDrMK+lj6t~4D$5zF5@Ht}dN8@ESySB+`|R0eE!;_{RhMqobq$NdKRAm}5R3{m<*8PY-{1FwTdfqtm3j zee;@O;F0C=pmHmtR50}eTK^XQ^(p!j8N_Qm*R)D+oH}d3lhM4s5IC_^?O+&0EHHqe z^0%x9`29-;Vt5F~xyW!hwQ);W3 zmZ$#c%EMp&)Xzo##}{qf3#TP3K#GeC3$LPKyPIyw$ADXH$c3+0d993AsIBx`vi-qL zKWb|}C-JaK{J}&2efN1KdU}G|oOSK#KUuHCOZ!2fm?3Xdq2FBM|2&Ik7yBu0qS97x z{BQ5h|9dI$h_NTeq1#Fe;>tgn%dk0w~|NwdEu^&5#L;gOT%2hJ!Nsl#*J6-f2}wt`=V-d zDc!haBEh(5G$~+Z^xaCutv`hrk%u33jE0ueLjs@SdMd_!j zFJShN?|QS5_wuGfX*(=M*CuDLt$cA{G_oTpdT+1M7NTubg`|QVeS>#qjg>0ntV&)r` z8-KKplif@kYUR1a+AF2nYF z%}<&$Alf!JagYLOYy0InStzdDwJ$6f8V1FqVFjguF;^e|`rgSl%B=J9=UV!~-rU2` zfE+8I7LJ8a@AMYiPsLsMlLh?Fpp0B?Kd$^fx~Qe4FJ4foHtBjq%Rv=*PuX*{JZp5& z!)|B2s?P*N4K?>)s`Oi_=*#z7QL0=Vv$X>@bYSoqduXvLCL?RfpGJ10d{VU&EYB6-cLdU@%!7@yEqQc5>^+h;a;9AUAVUw zEY=5D!Gg<^zLBDV+ydRX@;e%VYm;tHhjc8V&ev|L@wt|5sJ{D$9UwLX<~|4i8g6>Q zau>_zd(X$y#LC}@o%3KFi5bi2-gZPv!2+U*vct^?=NYY zhGOIR7q;LBTYWd!)ckDU`JDZCJo@i^sTr%edpcDYO{6YE^6Ftu}ZbTYKE>F~}c;YIH%psNCB{rC|*T_wuTT+y9qr5zE zlS81*FR95vQEh_B4PB?>r*IWMrS ztpH+FXdnY*Rt<B|vHUEL=a07+T81ewQN0w?cAAz>f$@iI^t$pKIy7rMPB2SoeySsyi@R2l7IId`AVclzozK=_%LyBP3jgoP?o z=d+?e`Y*o>;pOPX2QL-bTX(cBcCPr)^x@RL1r_{`p7K&*SyVp3K#V3~vva2@B&j_M??D|X2^&a#D0lS_BJAVPiH(;H+Zzi_`Mgzuq*=F`dS)&gIrL(! z|5EWrGQO~AknNEWoBEK+&p49sd3E=}Lg7mm8etKi2$1$fnS~Ao{JpjWsRH7I<*tH6 zol8|_ZAX7nV8Wl&-TL$FeIt+}sIWZ}cE~T9X{tw*cKjsweTKL0%8w)-=ITi`PLJf+ z%d~>tZAVXTG(KnMHMT<3BuLS(<)#Lhvqyoev|LoF%{DQV-n(G=lfuY-9Qhpi)l!r( zk^9=p89l`eMVoz7c4{2vivu=i$Oc{y+8)|^MX79kx%BE((4LevO0meY=4;O>c_A|B zg<#0?7a&=mkcSa??4?O#&3BK)rqv}Kt#!RXzoszeeWR8Tr_x(9mu4Y}t>4Sipk^h7 z_s8&Lh(g^^~$NN*-3Inc{wi)14L!r6LTL_;pg& zv|mJha)l~Nfa4>XlcTJSb86;_qyV9%nq9Bc!f;pm=X`DmW*T4zkC;S}W$math z3PnKH#)jbC$h&*-p45#6BU4rS780^5QKvmuR%-VCix!8JME8+Kk=YLxnEg$hRy-x| zcpAPS(cLT?rK+ypv=t-UnRhNr?sHY_sX#*(NdI~WcblWBYHQT)``uQQzVgB+o;GcV zfVs-RSqO^My7B9sK4; z#7h-2aM?`(2ew5u!*af}Fa2=NTgJ^3Umcx;f0;-qhpxX7!GFHY&lu-s6-O6*x2=;E zafY!!^7WF0nhr?ydVP=ZJg?DL^8KKQm@MjcL-^5Xb#`u>GAG?HmNZeeQ$q-wO)(AJ zVsd0g7M!7lOUnHHV2O>*^X@ErO8W=dwy7wlLH5K>T=T0l?oU_P?Zb9vknZ^}b-wQm z58n4H&r=k@{u=08nmes+P!lqcZ)BvXLf;z1tvt&KV=bQv-vQ9rXzmrse)-Bh0coG~ z^`*F7KB1kwp8`^i>q~=05(xwinS(q%>*E9wTiRklNlu0PmT?I}oODQjI9AhS9JEQ2 z{gH$vPhk(*bTpXLZfV`JFGu$-fRW;zf^%{CGdnd={EQ?Gb~I)oCppS?`#G0&qE|g- z@N9f5v5tt|Sb@OnKz%yt7G5{72&m{)OX|G1%lfUh%uR*3cYOU#4|tj0d^*qia} z{&-F6lH&Dg_WaJK=^pU)a&}2+3kLX-g#dkt1{w{CC~PyvD+r2S@9EMw2xSkBoB66W zA2{e|k9Q2Il^0@2xR<6{V;=WBRQij+RSDz5yc0e; z@{3~^>Bk-ORN@v~+PcgjXY5wLw#d)ek%k5A4ifK15JV>VzpbIJ2Qy5QYqU;b)EoG* z=(R@X8P}*T#bWf#x6M55gE8MOfV$4}Zn*I+@< zO}`7p!=MH}YSw<$JG05pTk6Qixs(4pk^k#E-QwOijk(j6+;6%co4?k=65~OJ5-n3! z>$hSD8Q?(W=vJ(vY?j+BBEDu#Z-$rerBLF6T+~yhdB~nV=)iNfw7s3( z6y=!Ax1l2wK&Hxc3#mziYlGB7+nzwf^fPTxwx>8o+A0G{(=hAnm$sgFOn!S7J)l}> zy{d6G-3Ml%wb!Xayf>E?;>DiNR+Xnt+vw95j1p54{innKFP!e9$%$p%Oo3}iHNr47 zKMMO^gbmh#&B+Gt1k*IR>|uJaL2}Q{-aXYuV~|U z_A7C2r*E5rjb;7=lUP&>mD9>|67Lk2g6u( z<06YcNHL&O^XlOuUmLd(VS7&I6~XS*dJ6=E#dJ%8=2c4?1~9omMUt}9)pdusYh{W8 zDoARXMmj+E?QXbhtq%6iFm{hJ31Pk26$MlRJfiOVY{WA4dRD03wsz?`1(&l)yjHT07{qnfZ~JYH!&=bZu&mJz$4jjg6=%pOxayzgA_o}CF<`dCVbX+ zbmo--;)LiK3>L7)+cYQ>Er_^5rNylof}FCmWfuTrnC088e3oZ7)w({|-@MYp%>3)4+vcc1pJ2*>N!xgfGi*&kLuVho*8nQkc~b8| zfsuVSxo&n!n9LD=5d>XKRcD9Z)cAdZ1g*rX<77KKQ&sw+!RW-`Pn?I+y;h==JU6sA>R!SD_n}oIXJAnwR{$xX+@&XT(Xd9#P#ka5c4KNs_6YNeQK6U}4L)m9-r2_g$k{3YX{w_AoVP+C6dJk*R#eSdIFDo_&6q`PPh^2c~PrW$n z1Ycu>cbku6eDU8F|N0|3#=sOVQrWn@Gly_5y0h156?1QufGAn)mg1MovjJ)uZ~u0Q z60hO}HopurPz|6v88s-jdU0|hU;tf-LSzmwHj)>A^<)&~Pdv=I7v%hU@L(`n~8Vg|&CED9^0+1x&f-Q%OE2jTan z=7d%%JIyroHmpi*uNj;}k0E(mD)-R8GKgQ{w4jY19TNe&Iv+x-8&rLjR$MVsX2KHi znsZ_cz4bq}lUh;9#Wa1P5@i8g35G`9P=J#aTF7s<%I^IEJ38O36fSc0a@f={LcWAe zxr>AQ6DZ`us+$fkb6*aNC(GjM%GzQ<@@6q#!vlu&)hqxGJp>$EzTn>fLx^#*Jhqcz!ki{NsqatOtH0_Ui1_ofZ+F5gN4Zq|5t2 zWnUm2)LkQMR4(!!MqS9wmF-l_0%gw;j74|HucJ$7DRz8YS7@y<=N_J!m&U&0qPqx` z_r-(U&8>h!YP?I`TuBC`1uH|HlB<={H(k^)`YO=Xdo_1AI*1SV%U&Zm=3F50n|sy8 zmgwmyiKx;*RP(8>7SF2j1c9JmZ}!uK(>i#)s)ag|6-wqqRw{;aFuQda9M&Ckbm70T z=>PCe_x+ER8~#nwk@(g#`g|iim&PpwLYD?%61r9LOMvkE2?6tP8*tpGt}Hy~QZQU% z{Q5fbHTjf(42K;FkO$e+jK#0LN<%x|1#mjkLF2$?ps z*%HlF)#(q>M4!B@Bfoq_GA&)Bu`9@*3<^iu&2yI(oqrr-RS8nop{!6jr-*auaP%yn zkEa7RuBf;`)d{FM#pq{)+#!K#aX+5*P{^GnGStBmY~|M#qILa7?_Dhy)Ux0aVzmiY zAjE@Y_M)ZfFY4^XjEqkzI}g}`fl3h2s#ey38xq1+Yv!V!z(y3*$?mapAA8E~Z+5XP zS^ZQW->C_vEN;wz;WeOsIE|dHuW_)`r4m{j_-(Q;o#tl_z;EzmIAiZh6&@fCeE)~g z{qG-@mNc-N*&WJ)@+Mb8HotG=!XF1ypJ}Av%s&S`>_CUkYAx1u+ZnK8E0Y@)y+PALZz zH0K-htx;;#Ct?e?9^D-n!vQ|_UWoko$``f#1Pnmk#GcMkq^ckrsx$j4y$Tw|5=fC> zutTA#nvHR^k?<~k?~wsJrs&CDcpOpj571N-a(2GYoK!7dWMwSwCBYD)cwVb}Tc7r; z+;8xML;gZ}`SLx5an)S;Pzx))iW19hEIiO8Np&YReD_=i=XQzSE8IvExzhNPimi)Ux-|71Kfa&YTONDqgh2(>pQxrHm-UaX+nsJRQ_ts9g8X; zcO4aMe)BJt-an<`a1qTz`YvFH)7bBG?yH%L)5YouCbS|1Qzpzw0m*hGkO_PVS5kSr z0Ge%7P?^IaQCWGsVykF5^zy1%JI26qDK4$9aALfNP+JC%sK7CKK<8>4miJTtPRD1j zdJNx}s;W4}(Xb>@Q8j?+L4&&7|KRfhxWZa_7}9&TB1-r-Qm2ftjI4Z#KvsE|bMM0g zt9E8E>h)F6QNtpOc{O_Rn60#sl{>%9+BG3uioy~xTbs$VRF#X~Kwi%Vkg%VxzqeOd z(ptp+kJ|1ZMVU5MUUAJNf!@;_SfSJ<(SU?q?mgA`HCq12*|qtJaS#rsbbKfsj31T^%meUd|nTH3cldos1^xft%U$|mhdWz{_Ed2@t^Vwu($v^ zx7MvD{dR)>pHDW=afr_U`-uOv!T&dQaf2AkwUTtgFT0^TW52KY#IwHd21k3RTP%8C zu;7weHGHNg<$R`JmwSzGmOq{uEce6}=fGC}DJ1?WzWygzyUhUF(#f>>k$?rbo>P0G zfn^U+%=QAh16y>#5+D_hmN|FX$sj{dWBCcW>b6%y0_%++L7c*v8sCn16sJQW7R$_reO58{peT6yT}+^AEQ#D z*BMd0dt8>@*G9`-A1;-VO-F0}-Sy{I)+qeNm?Qk?Q;ffTK*MjGKYuw4)Xg^Z&^mY_ zdtp8cA)T`YD3bh~;iPNNj%OE?pp^j$16;qi-WJI+KK$ib?*SQ}{zf~7+q=Pc5m%*O zyZrTbkNVp)iJMzH+jTqW7R04R7f@b2KtUS9ISQ9K5GBju; zL@v?E(@k=YmSjuubW+X6aZ|3i0ki5#Mu z7DFqz=27DWOG0q0rXd{MH0{#^l-(=xLlbGt{K|eVQCwyhb(0KHidSqK!Z9Cv(#Q+H zZ%_-)1kg+$RiHMXlomMssvPKitA$ zS+-Ni{!cR4;}(2#t}7c(%^h`H=*wj*AiC9afeOtl#1G9swY`US2=mI<5ANQ*TYEs; zwJ0DGC9e|>tyHIZwjTX{D8!ur#X#Hd5}!$y0+z9jhNEnshO9%1m|_K?V?K;QoV#gW z+b?MYt@7@b*^X@!#e=xAwIxxLAwORE2Q$BTUR#$x-d(B6Rq~zv1el=UU|MibcGc1Y zd?>kNgCKZN4T=SHJtf#imZ0wbE^(h$;eIOhw|TH8m=kcew zbH=_TW6RWSHCOhR+EJ{(hKtu;?y7p*V$;X9$+7tN+$AcwLp*|QjUxk=hu_4hQ|J9= z;!X19CQ>I`FaBm`3>OgT#^hT50F>juyHJadfo}Cgx!XX#TYZ>NW2=d!kJc9@@x6(# z-4)lawEFnWNH)PV>AK~wa=;&bAK6mnHJ$`?m5>6#^BIShE~=gTps0RYigfLKrkq`4 zgzzsu6#}0{rN?c+#Ha@xgh2DU0M8B?iiD4qOe>(%xHrC$>3qS$`*+iaQ`*uLKCHeZ z(-|^BPLuOr?01vy5u05XJRk}3=X>#mk3j2}tQG)QO7V$T+IcD-!0CTC5lD!I&32El z$o%cFnnrh|D9LKM?1eK5+yWW_!OoGZYoz2dCc;t1O;46nTb?XmSG~3rbz+NI7QIGM zS>xCMe{6L+(k3h@YEHiKfSnf0`E4w)^$;&NaClnflxvqNx!rFfXpUo-6Kri63g!v$ z80X${2jID7)j2KbqT0@{cSb|Q0=ro)&}jhQ^bTE5q?lO1yUSEc9IKH9{2LZ6Fu-&g z;vbsze4EuKl+@A^eeCdvsXqV7YSlcDmpb-g@kQ2z(ak4jaH0X9YaRs%6wRhaFr2djqAf*bMPHWUSzw zp7Q6~7hjuj5KJnkr0M;=v}U4R*5)hyP~qn{%Ja4bx5UC89%|zI+O5O~F&r2%FlO&@ zmYs5i=g#^Juz-MnMLMiaefc#ZXmM#fzjT%J@Jh&Ur@h+&dS5vicfPz zv}11NriTT)xw^XY+(D2;?w!jRK;`>LV#n;4LCwWB7__U4>eE#Ai?Oer&P_{|h_=3( zTm-tgNPF~QM%A6HU*<~3R=yyV)UDRa0WP+rnr1ZM87UD3U_M3U=}eEkbu4|lOslgx z`GatEQlvK_G4Wx<5@1HO;;!Eub^lUx*Mi}J4U94{Z7%!>ur^{3-PN4mW~J47!j7xV zyw5T(A@di^Q{OQrQsjfD z&O<}U9SVJs8hcaITf*>Jg7Wk(KcSqW<|T&-#T}Zt+C^HUpM<4=Au>bBUbUY=8l|fU3(W>h)#QHgH_DZ)gQMz#O8KrTNn(ec5YzM z!Rw1amsY3-@BWK^1g?hykc!;wyGYJe5{_Glmgu{8)#djSegm4G`2O?+beFy6!qaBQ z=<^;HQu$)Y6~GL2i7VRH!?391M!uugTAr6>B}iNQk}7>aMe6DM!}i7gZ05R`y0+hT z1Ec!uPDMftjM@o!)AKG_Vnp)AhZsdf5O2k&%7BDE z#0%3lrM%$v8Wz1N7`{tY(i&Ey$Bg$(TON944R(|p3w$s?e-4cMptT+1xRpLSkvCUD zq}&7K%svw}>~F3F>as5Nc96a{=x9)Tl73Qrp5`_1!-Jyfyv>fN;wSjq*cIb`PC7>D*ngHl4Bn`Q39j2hH(ueNP?67m5(8CvJu5&p$oRo5 zo5X$u2l#6<@eZ^+?+P3b+sY2SI?cyEk8r;J2g81w9P=1rjtI03Fua->R>euYY;Z8t zjk9%xMQgeWfDSq!VGsS401tJ+3`lb#gjg@u_{uTbJHYUfG_DT6zv_3ezlAK&npb|B z>=1~O8nGKofyWS8#TMFD-1!{(+@{2a&= zyYo}s;JMl?-vF|%Ha>&2#zIsi9-b6fzATgyte_<#vYl1&Hfa&dQd4Gc8Qq0ixD zrC)7rNU%O2zw75aqr=o?N)jKc_5phhMso#4!`05yg!}oV&=LkU8u`&W(K4A20u773 z2B)hgffH&Mr4+x?$PB)>L)20w0!~~BDD;Q(p7DD-3isL@9f8lErv)&+1|-Z$2)0es zcdoNY3Cb|tHYXWy({ZzUXlCn*wRjEik8G*DImlN$470HqM76PW7VmN+^#L!tkP?wgX4q}#y>+)T1 zK3@!EWz~)*I;!5?*(v~{072d5$M2}x^5g4)u3aHhG**VBwhbVsV6;))d}eh1j5hP3 z_fXeVm8weHCWu{cb4bqc`KMGqUqr7aepx_4hCb6Vn$9kZ)9(9MEp8QvqyNnCRj2j|@!p_xpf{Hb z-$BB~Xn?aI-Kb7D??a@vh&OH2J+`U&FdIi& zX}b#0-^}30H39=K+Bk=d1m8++Y0b;!i&hP+ufYr{Xd-%-Cjdd`Y$yP>Fytq88oy{I zq_Ce21GvMGXD+V7UElozVam1pV_1t)8a(U<6_43??PwvFYHg5%;v;P zRB=Ye0-j5L_}*IF$)3+>12s%&Tsly$y>QU7Re^u_I0DU|`j$F8y!-*Nb91uJgH!_g zB~`L2h)3+T#Gq^#3bV|iJNs>ztssnPoU^j^S=atF*yf0vFEk>HP-k2T^44*|pbr}+ zdDHyBffW8xa-rmj08V6kq7X(5!556gAB6QUyI7sTpuUEnHA=h%rdIZ5kSH4yDQx{K zXQliGEEy=U+KYKc6@NQje$)YNR5t_)& zig@T3*7E+UmVpH&&JDoGlYSky!>Uf(kpXV z+YPbU#C{SonEBwbfL;+1Y4SMk&Z=icXr~WbZJpL|*w6Q3Ev|>vftT8Nf|N=DNnhFZ z5w)MvXK{nd7!Z5t!1Jng)n2-L{8@p_Pzj{2H)McxUb4B2PiTH`1dLG`hf(v4@r7EZ zH6En5Hz$K=Aa2YKijSybvM$;cwi>;Jpv z^ZzNDf-^M_(gF+sSBPZ(5rm)yy1G2CG&%B`zQ+E>;#=P553;_J`aeG`xF5uDU*zLC zID1}H>FFR-PdDaN>gf~NTw)ggE3~k>6AWAEtd5NM&vyab)y00svtt8HUdk39$~L-9k!<=tv25zw zw)+cpe*1`nuAl`Jxiu%*;@QN};~Tn28+E0M^5r`=2il(A7&X!TX)gU+qUoyn^R<8+ zwgKP&AzNgWTva~TExmFEeDtQ{>Nek%N4H4Jb6vK`v_k%8E#wrFAH^DJY)VS>Z!5oidh}|=je(Q1My&{- z(%~WgcqeMIq_4j7sKQeECLI~Dg}AXCsd}HB-v#Px4IHw9T2T*;BboW06YHh^hD&ji z?m8Cd_M{Q+5{2fQKaQ3MeU}wKjr0UOGc)#mU8u*tu-r~VrY@^R>`HsE04L((5>N>z z*Qzws`MKU*3Yxfu34082Tqx@j=$mTeRxXDpsf9f99|OZHrawluWIf$BGO>y;u9-~| zzAOONX(l5hiwjN&G(WFwoc7cuXrfg-V@+07x_91Vp|i4$LxAL>LpptLUy-yQ$22Vn zu+?5J%yx_4)N`&us4MKV9TB1#a+EN0-V-*5qYi<764+XufsciRt;0W0*{0x?{t2o7 zQQK&EbH1A(9>W-Hh=U#M;?t>=C8Y3%B2d6*o+ieelg+>E5m9JTY&o(f091Xzw4^>z zfZhh2DPc)h9PbzeDG~XM0yQ==*s>!9!xW_~t4oJDIBEfR22K&KQ?N1^*{*{SNChTj zdG(~RT^fumJcdQHQ>48y_Tv*a?h?bP2oAz>NwBY>5F!fiV;NCXR}1*}f%+#WWVI$2 z*EGE&-wyYJ1#h*SiPC+T%c`5D&3cRX>gxBp@)|xn5|E<}VF_T|?y@0oUC-Ip=S^$dC4>z>D$&ct*=VD*%5s`l8oy3{jM>eN4UT_ zZnkDXsZ-+zcJ{e5gP0(oi1@Xhb2dbS>o*=$jClyxf4~OdS zfDqF1@of%n#1p>>VHX7IoEAmdKny_~kMCeQ^ol4~)OfG8C5?r~(19i)eN+)?KONri}# zov|Z>z9n#kW?c!I$UN&>E9o&irdist`K@Zh%t5BAjijxK5XdMX8h%UD=1~uY*oF=js}&j5Km%M@mlRNE z=B3zpl>LZ-GnK1*hYEK7R2GxJqIPvPTFYo@eWw`DwX{>l1H-w^Ff)2m7M9To2?=g5 zZ@;@})E3K`NguScuQHqHz~iq}Sf%wH5O0ZK+WMYiNe&2b(XfgScH3rB}>RR8w7(|ykmDZfmj7msv1P0Twf^($6qekj zfysX%0J8?`zl-iiA;w7(05Us5k=6$IPeJhrMW zg=Pb)WDI<_u2b8=?~#QC#>g|)w}r#xEIFp;YDmx{(sWBv7k+{fm|CA2cn!?N79AKP9mIvh$xEtqWT+Zjv<9XBp%_i>w>2)!kDlQoS1t=2S?K~wiv{XZ ziN4L=G*=%mYsPCm1DqjKPt4y0pV|Pe5fPWv;aJbRrwZtr!g*$^5*oXJ2UQwy^*yfG z29Us^!dlQ41;|bo1qMVGZ*457ROfuX2mA0oF!Nu|`MU9rO=Lc?MCN}<5+ zdZ|aDP9k)7vp&A?kmSJV%YD=YcfRW+9fvujxER!^mR#hI|Ddl%>4ye59mM7@$XFXf z;xNTbC+2|p`AY&EU)X>tLTQDP%V@{D*!*ZL30JuihsbA9`p(fxCTgo9f?7zAACOX& z_BZ<42418W7#HP_2!O9O%f?sbP3!~qYXyA2XB+$D&ZfRYAAb@sp4+iwA4UO3sIGq( zk%!f~W!GbjIy$+)HqAtXJuBb~hgu*yF#Mr{ba6iQK;kH*o?_h5CPT6a0^qWr&46K! zpitsL8vh9&`neLhF3T3JV?^4sc{BersHN@f4$*CY7)VgAWs6~Zt1ZMb?cXMJtX$!% z;2j)`3D380d5`&}8q?VmEdevWx^t2W)C-tEz_Z)+qSgb@CE3{*wCE~NI_s0Cj*hY_hJk|!V`-Z;U_$g6x)(9;UC?FMA1L(War4)d#_LkZ;ZJrQ096^&8 z8k*+{{|<80i56dEk3%p`8}O?&#!!SdKy?R)B`OS4b~q^wXnIu-5YGPn;XY~b?)FXxbel&7kgt){-~d~V@ni=nD{huYPC(euCN*@ zVNxuaM$D@eb6O@D}So9LNVIRo}>hF(k?3cQ$P#1H8j<_B1!{NF_>{MujQ&R9!f z2L2(#gYj28LyUNp;0dRF+^)sI@-_g##Z>;6NU&GkO69b|d9<(3!8G(DCT$ye=1`$e znp(vi(B2;~(;wCw%<0=KFFCi0X*O=#J%}(v+13o}9{~K-(UxouYAtfkV#;QS@ICl6 z@MQ@`9YJ2`o!RLRaj~Sw_XW%m#0PtWNK80Fo$BJY`S?M{$KU^sAx#D5{sj8f*?0Z} zYeC1RDqCYt`7=n6IR~IPFE8ULcSLq$CaOdTpn89V5!(sOoX3uto z3KYkk!4jK*d5U`J^czaH78rTQ^h$L?%Nta(%Bdm85t zI#dCn(0$ft(9C&Y?|2%Z@W}5L{eCO+#s%-2$6H12S-mjL`nl?WP#f$gesE6vJi>LP zz0%x}7Y$55N0)9ETh;Ld#EPR2rQ4_|Tr7Qt&sZvS!ptx|_A)e!)8Xc}a;xj0a5wLf zO^~mGo6pK2Rin--U`Cu;R`RO(2se*Ww57yT@IX_6r6e1D01SHdZeb4guS#421HDCH znj9~lUo<3$@1Y#FTR<(XW5C3=8AnYP!O#Cd2~p%$WL{s@4h-?e>BBb<(mr&mhullf zrLINhe$t?7=y}49*gYB`7FA8?A=F1}Y+>@IjGWUWuR_js*=KQX)vDj)|3;*8;#)xC zSZHp~mJod#ey0=ac6}zc^|N5rNU$L@*aB_o72TD$%J*%~DSo~Rf=`>SIjDl~RwV_^ zIFvgpp`UqH#O)c&^N5Ds6@D!kU+mBsYwm#v;lNK-q6wr2x5uKLq^v=&cF%%8_&F}M z*T*66>j4SFUKvQ2?&KT?{n5i_FS$L?XFh4rv4|LjNcut7II) zM|m{!N>Gf9$8hP{Z_SB1hDVCoq*ftgiEY3X_d`n)!_YXUUVi>8RUJdmI3+EPH5Yd6 z*lur=D!`gs3fc<54yS%tV$@K)FupnR|B(0IVNIu7+vtd3Lq$aerRj)((iEgu$AXcj zqev%66=~8-fB=r7R0ZjTAV`raT?h~q0qIS8l@>}MKp=tC^JMnSKJUBF+3ybDKj(bc z_g^k9e(fo1t><3%y4Q?-ZYVv9UX>>EV}wEr*of%^^o))i9VMciecvFuPGs&>TOMM+ z%lTX_-DKH<95Md$%bm(x_gz#|!?vAndthzeuRizi+3~Uk_-w&|W*;qh!c?WQA|TJH zYA!DK1Q|rVqxork#7m$O(0XkH%C@jTl&d4Vz|)O9!@1BGT+keY^=`_#_wQ2y7XrI9 zTGHi>-2NsU3cvrW=gnA>_xd?!xe0H}#{#3%)`1kZ51+zeXXpYEFyKq0J^+vn6JpG4 za(53)$W2CQC~)Gc@WnR=!}(RNfW<#_&E@NxfnQbwH|w9b8Hrw#D?A_&qK!~2lSxp? zm-&FIl`*G#t|uO`E#^Ap_mdrZXMN*V*#QxadxlExEbGD7YwmSp8$X`E@$y4X(ggO_ zEANlOxdZ`h{E4H81Zie@z4bpO04?S7wWW!&k~|yF zH8D=qK?L^0+*i`F@QgY~Dsd88+OZoQJ#eds+_*!xEP;JX+sgu0jwV>yTH@m3cEBUs zt&UZJ)Vc~E_jP^dD)J0aNIZSZK)xT{XUWZUWc}y-sOugFMAGar$l&$eUHD6o z;+|7Y%j)_3zCn9Go|rh*-@-wSP2R&abnxdUEj$IDZm$xt>s8eNq%kR*TC1?| z6yPiw>1HsUGyCg{ral3wN;L7 zWyV!{>5mrHlo*x$3)26epwxOC(A`9>-{-z+aWhHL<7udFfg6i$%C)kyQ(Kv%AUW56 zlzn%v{+9r(`*`bYOH5eqw5gm0j^A!!s_s-hDFT&iz1!Pe;~Gl->NwGyy7$-uAY^*{ zNL7LLw#JI~wMn8)97~@~v5b1HDy%){gY0T+rg0t2xiS$UrxZL5^jPjNToF{pVh&#YqPaYj|OE^%2 zsd;NR@*$|-fuFuI|G#o4lH8;DtGfX<^Sms9_tzjbs_uin*@JtZcG5__j*F=w1DSM>W@DLA=8s?hutnV_ zY0h|4!ZG=4EGQy&81t%kkuVcWgCGT(bxBEUHEpoV-8ut`*{@3@bV zF_~VIYknjg{j=E0*p5!1U(=84i!iv7=#ewC#VUVPHh>d zRH%63qbz&$=Igiela91`YYNaTbQ!AAsjRk~o0OpwTKI$}0jmKX1#x0BDQ=q}{DURup#t+j=OR zgMVm0`z{}}!XV}D?+x-iqw41!inb{Tm<-&rH_2mVYc#%a$m~q`nYrSED`LBIt50sE zIrEUQir-m)n^O30tL&;n+*mfwYvGr+zNbh__|jj^kQd+0P0zB6^p6c?YF0=XmE~wQ zUA=QRO11XV%2>JZ7H&{@YcZzxMkO-gQ4yIwjKaxRwYs`Y>B<`aE?3KW=eGlb*AFyy zvmHOShwWzQVBQe9F_@M=BswAb=q4-nh*(Y_OX%I>2LzAZ31q#adk2R~c5HF({6itJ zrBebjG;ZaEmPEGH%%xQNbzzqTx|Bzc@yN+Fg%9hkUv_}I;c*c8NOA{H-A`mcU4SjDr~IbmDv^LW@YtXGs|6e22aZ*Vz8wgcD>opceSb2 z^|?eAmwxGFo+t2+g%Q+w`J8!8sj4Anm;NlRjr{;OZbM+tFS{H{_eXp7%pkT}6uEY} ziA>GZ>%HUY2Y&f~O&9@P|G@6DR%{Oo>fE`8ZHaSLAN*M#6&S^uKKT;NR_r?0N-+GfOXH|m4E6$I z`={dB-43@g81BIUn$9kll)CWgV^=0#3l#45e9>JFHiOp+2DiD}6=lI#QU9BK;$0MB z9g(Wud`u)S=T+VFeObw-#IX%Vo%+b?I2!(Nb1BhraB!e83y|xt#;R~G$XVTac$6=? z)@P2wcHh{v)|RszZ>l0nzTKtjUy>&~AouO1Ufv;3(97bJ$faSL>HDRKWQ(@>4z?Mx zQHK7lq6O0)B~-!7rk4i#<%Q;9d&!4GSG$nePc`)(4tj)R9zJ_@bWB82JSw1;lqqab z>*C?iMu`{ohY=$9tyM}os$Y_Z?$xTw%_9E&4*T!H`3M9o9G)9QP=oJFT;)^o-Fy|Q z)$Q!>@Bib+kDGdWdihYvXN3_vN*$XII^|V5{kl+n__6Iq$;K42z@1TCEg@-P-S5pB z7=amMXTJxEStYhC@c}cf3q-&AZ6w-9ubo0xBRHgc)-4A|!IhhI6qHduPc)$O`0VOzJjOADvo3Y-|nb+<8_*>3&dZtl8;C;xc>dR9XhJ8}r`LwjMq)hI+O4`^7Y64+7WdsqBC!Oq^E`AE1esTy=fWJr{TPAP* zJ%L-n-0I=G*yic}FiTqNj?3VTS7UFvrjdU~oKU_+u5SBR+cB+ZX8}x5*gL$B*x*ONs%9!b=~UZ z0|&UB_hJNLxP_h!%eAR5J+&~Rjs6fQ&TB`isR5;jA6S`v2TpP>m>F$njIQh)Zfh*; zCr-0fIF7%)y3^P-5FqUilt9gkqgO|z!?@f%)0#RlixUMqlSLhT%ZO~WsDvVII{0Ts z6W=LkwH3bMb1PnE_{f}sB5`i#j;59vozDENPVTGbH)HIYkMeOzwuM7|Ta#xB4ZRvG zovSYAKFv!q864q*tWo04=&|34D%ik=>1a+f0godd>l5~qwQXNE$2AWjTRK+;CQv)f zTI#76Y>J+nQ|w6RB9r?`2j}@@9Sp+0Ot&;e=g)w0#Bfl~w;Jnj^bV|DQ^*vxs5&3= z$(y#Lab!%=$$L^a9qbRv>Z1ar(iSEC%e0cD>rdD-X`Ao8u0(Z!beF7ly7LPn@0Z>P#s1lC#|65`SaWqw2im zv#9KbOy*Im#)qtrRb!;6nC9h3)D+=~GA#7Rw#=5>=gjmF0;+-mWd2 z#f48zd6hS&yeIQ$!utqk5=^BIn!|C4xG)@j1?E`tB6Ut>rj#o{0s(u_k+r=FMRP{A zCm(O-^YinY!gAb>K3`J?GxVF$rgLGSK2E*`Ory!}yud&^ZszCa( z_Bm|?Q@3W0bSRGILVBESJNlqmH$t$~(@D9u_|#>4xuVzb&T7#B?`D}|-@c{bGx0@G zexkCEF4*e0bhwQg#AoifZG~a|c3xC~c9NkVDDPPh3U5j8XD?lzkewMYD7DiTB5&)L ztkkKHn;!4y<&P3iNpvKKFl+u4BLf51WxXFk9<3Xe+LX)V0qwiwOfzhA;caap=u*Ja zWPDP3+k$Q1VS!YgVyB&rGPC^N+I+Fg(ur#^zbEf(+}LW0Xq0Fp#Ogi#HgqY(*6cxg zjee2A=61gK{Lhe#-0$%hL$!PJN~A7J5ie#wZ6M|34M!K~D*yarh~C}OgM!lyP!5L5 zDl6{|6m4}p^M}-cNpx8&ZvOUW@6lI#F1)nG41aR97DFh>&8uxZDKcIFCtUG( zswKZVl+&5e3ES*3SX*cxAL;5`#yX*-@Gs&*Ls!sw(Xbfw%TG?ApdnbZXv1thnhK5P zCmUCq=^Z;fAzs~h+%ob`b4>n7QHrY#W$ve1wts=%PA{%*X!@aXrDKEul{&J$P(_!7 znU)Y|^-T50r~P44-cDvsTWB>;+p}V+$;+oCeQp&d`J=c0&}0qgdi8`!vzcaj;AB)J zmK%m!L**9~M3~fj-x6AQbiO-|1&5+(*vbA>^IKWIN?wH}nXZ;q)?Lg>B`0CG=iB3X z3Vj=Rl1-9Xf1?xi>v%5+J9NE6qRd+tv#s;mkp8j(gkoK*y`65BjT4eP6pY1>FPtSe zi1bzB)#XXA=1lzn@m3f?>@(%VAoN5Ymt>?s&9Vv`6*8lT^Vj8dnHSA~2`!)u?Alr7 z)z(7PnoQMp?23OnOj@heohKbVYv4}lnyk5OL!%1ZYTi&nc`Tpi3Lrgjc_#E(3C&BZ zX_?nLwjHIm(PM!2yG46u1Yg#pb5TQ%v{g9o5WFnfe}*)IQbZl3vD7oli=r^WW3*}x zKapHHhdVgOwpOnqnhO?QpAdXe!gnRlqQ7+-Bl7u~z>}1K?K5mI`%(iwnd{U2H+U?c z%}oW@xkV~wYqK=5pSH`o3ZJ6{zx}!QWpm9b{2`K=gXNvMH{1ixWLxpXWoRkg@XFjD zZ}&HURALJk@So~o8)SB#0vW;5BKIgZ1%*xII)(z33!Of9vPW!L%Uwcw=`&;w$f?KDPtbuaXm4kw6YYQ2@uu#3bQi(OmqN5dc&pg)!18L6_@vFRI zscN>!puIExYSpqrywWmg)D!B^V5&e!s_WhBX>O}u18#&gjn-{-n79?y#M??$d%ctL z1)WD8#TT0X{>D`KU`jw=OMKQ$RqIsUi#@YdG=ewsiUpZVB)UAhoxuJ`;>ngZUOQTb zKY;MlJwkAX#3kXBbWo+GW+Kmm4BdN2@)5J$o`U?%(!3QX`~yb$;LokCt=|efs{%}q zNVtgb6X~Fl+@&Y^MY@=xfGt_OT5Fc9tt=R)yz{UEK^AUNOeN<#j4$p81>vfS zXGt=eaq~{2wv&T;1z}0mD@dXc=C$LZfotGJ`?!-T8Ucj0xn=g!bT}csD;rq_@1p6a zDDS+(^47vOB^32x?)+YB>x)ut1L9!?qe--sEH3QhiwECz#U_!Go{Wto*f;U$20Tb| zQJEC1GB-f~1beDxb7W~`DcJU&G5R8(=H)!Og3!>C75H__pSf&omQ3Rq-Ks1sO{2|K zEtf%(?823DRZc5oJ-z4i8AH6 z&A#ckqqsZGZn2yabt3u^5qXaqU$%>)Q?}}ew@(~MeJ5x@scutEIMUr|ipOp)u796& zimLP{=Q^BQ?Y?ShF?~?@TMQ`pMtvA23L4ZDzd!FpnU0@M4Dqy5)^QTS4PS_ak1rou zRiTvi^?I6WYnxCby{w7vmQ5(%IM=5-;Gt$zQhCA=l`7gtGL2KW5$;;qblkR1igaZB z_`~F*CqD`fH*x^_t-IAkxW;rmvhG($VOzNGNZIGL2gr89)7 zr5{;|t?LP?pt7ks0RCVJzNvt@c95IiFjyoet5;D}S0P*Hy1LU5i3{7SPhTOwtqF~- zep&6krQanX`>;D6Dem{6BT^E>I8V&HxgTOxgsAoQq%6Kq?h9P+T^&US-oJ8R=~~m_ zGn~!5?poEoj?zxr%LRsK2AmBP$K$H`u1`SD`JA`{2JRlcRn1?;Om=bhT28D zGaRZ^^{}p~aWy~v>PV(TEG%D8bZx1_pqYod5DcGo{rT^IfFk7TbKhn7?w#*$Wns7J z)Uwqo@!=8;;f0%wsNiw*JIhsfPuxL>(n-Tz?7@w0)Giggme9<0ZIul#b!pl@lWSIQ z^)sPb2*lIROgrMX2fN^Jy{vB*wYCO(o~Sp=7c{K&I;t+|Ii5=3bEEm#5%5+V@XsZ7 z-JU1jq*|$W#m-20I~E#k`r}8+K?L1$t7Xg$kkV@F=-uz_Of!9gXtm_*=gWDrR?8}F zuqF*N{96Z=mO| z7vQ>C0veH>@e6h1Lu2^l$)+F;zF1R>q0cToAXGameP-3o+B>VrcCv2R=0u7gU4WLr z(^|)IR_1cYwG?-UkGYW--1f{SVyCL2tqv6xOdS71(P}d?oK$5WTI)P)a*AWpRkQeg zy1yuw*d1~kj1c}{($9{9&sMW1N}3;TA&2d;j}v>H6p`HPKc~;%X?0R<2GANkw>qs< zoIkdMSS!6D@3goM8OAYm`~bqU;`*GhoC)Vl6W_xt_z@ZVLnCC@4BKHs_;w3_<&QzD zN?#u#gPQ3b8Y7%CK>29DoArMg6GkHBhi@sdy|s0A%7E8BYl*ioM+OZK#~{&B)MUqe3X?dkswx_zM|qz>o+?WxR@m6mA2;+a4yaTr7vM|`Q(J0MMXeJh zqskr*h#4BWd-pBz1&v%BM{(6=l`GMAqLhC1@%T|v<>|HwQ*HAGP=UpCK+N>J7RfGt z+r^QK>nO5w>j3_FPE2HZvZsNqr`ytJ)wH@JC!6hEH^Vk`Iab}90;E^TMtduzYiC#AksLb?Bb$F4&N!2aG^ zvcW-1-3=AvSh2)~(hF^FifewEPsbwzClJl9D<)}vg)6n6)dSw(11I)QC)@hoWi$# ze0&J!A|fI{Qxe^q8->T7I0wPt*%F}K8*%zrl9^kb`P1E@FKN8Xj51{EWnJ=GjX%4VT5#2~_1(g7 z<&|Wg6AxA9!uvAlYme9QQE(~Kyn@S+bKY*&nBs4ScCa9@Zu|-(5zkDjr*Hz>reeU{ zIqDPgwU*1bjC*~JA9X5jV7-?=I%~#%wkAQR^@$WI$4b46YHKLxt~!^E*#{+>;wI%+ zXq0YbueGK$fGv=trfbn3-*_$%s1tb*9H zy+7BQV{eXJzR@W(eQB`N_!0m=TZGYKSt$X&SUEe3vslIXPYo7BLsyF}Xu*%hU8RPb z`t8$kY1fB+L_-ccdD5% z{S}mpA<<437i~qo9&C{Pjpxy(;=;O$3aXT)w!Su;|3>QefVh6^wXL^Xzio3K&Atv;tAkclP%;02!;%dgYra3E8!TB$Z9E!W}Ug1*jVXc zhior*^t;yQWgcWmC+YJ7PdUuV8!%!w9JubHp#{<11i`k>@=k1HVwZEFU?M7J3QHOp zF&R`{PsL(-lvdm8Zu7d|t64Fg)Y=PcMsH?1p14x?crKLNW9<*@&i-)jp8SUIm?DTo z4o)4tU!rFF$W@nK&0e?u0jJk=)P`oyy;)7R#arZib00HxWrjO!1IUR()s7lXl-b~! zjglygEx)s?Th+|acT%hSc5L?maL_B@2~+>KzGc|SuquASn22E;5hcS zYFiHnbEd7S>cdwTvn|Knx-!YRykmX@+-AB;&aADtZpka+>LhwWj9~!F-~hz2^M@9t z;FH*==ZfSn_#=D<>@9}Y=J(DJ%kdN#0iFK7Sap0Lzp>Q9b3PX83v4@eUxW@Sz>6M< zd|Or;dpSl!;4E~fs3>a>hJoGDakc`(8N-^W_>~_2NJYIVym%Mf`f z^6TGBWLA?r^o^X`TF(?ID|ISjYBoIxd0kNt%mR#zCG4D-%tpCC{S$uk29j``3<{?$ zQrcF>VWLLCG4I$=GD|;??6(nXC8>i*d{A5ON;^_Px_~QB3%ylQM*gIqa&`vl>pn73 zCFQ&E!5dFEJCh--J>rw2H^Kn#b^P&}!&;a|AuX0l@)5qIqXkA~@&%PPb6>P>6Pjuq zM!8Ja7lrzSVJm751|x8&S$Dw5$6g^8h|oGLwMG~L+X#rU{83K@4!vq4f}XtZnedlB zVplENyr%r@{-Xi{K&DG?(Fh`hZ!3hsV;nFA`Bn7VeVcG<%7b4f^+$N-opY1bnAs^r;%#N!7*j7+oL3!xQK=Tls@2 zlb@dI5t4wl@Wu+zUtKV(Qkn8ZzYh6EE=0-l*Uog_X=>v2G~o3cD_->L=aI8%?mZeS z%k}3TjTi8J>WKigIgJcVdyKX)X|Xb2?y~VA=EA|*&RFBD$>_Wa5}8Y42fWPiI)0$E zMxU}xRdaMf;3fzw3552t(?!EEUj*@_5U9V;rWh`$hjj> zL}}_AA8{1B;@nuXJ*|z55|yAhcxDRTA=P}u$Qf=;XbEiyj0Jea&<2)rL<&R_o-(j8 z&*G-3*7J?kPmnQ>UdDFMhITIpX0_Y>}N$&>e@Hulrs00nUr=CfRT zAP9sVjR_4LVIWg$UE(eGEw?euq9sQ6)`|Ra{!C+`Ja`H14V4(Rry)e+gm>-JpI;4R ziHip1PwvAU-kV1VKEMO~%wp`g#!Wz^vFynoz6zhuxUXNDIi(m;D-85==?Q?TvoMH) zDsOI<8GL&BWn#2lwZt`=O8M@h(e(N8{-&8Q{;1(F+gm5@Or~af&C^51HY!o zFSF?mPiUGI(b?tig6Xs^HXX&CAHfi~-#Evi5vK8}Ph@~kc}=$S{Ui6U&U1j*@B0V$ z0ieg#sEwvtk1!8>s&I;omyVA8-CgjBY0%d4z-?1gQ-{$C@c{P@FJmv)QYINiX<-cR zNIJ*FKYCi#*9omP4IB_9-6 z&t~{bon5jme+fzla}ZXtuuFkrfX{OQ#>YDHJtvcymw%2$S`Ju{>0*kzVnl+m>t1J2 zMJTolth=O&91~&CokYTPm<*l%`9bb}Aco?jpHbW$y&r@k|3^%tx?PVM;;*>~sug+m zXWFh`%m%vi|p)D3Ul+T^=-WxTH%6W0v7n)Q0( zXw-~!{VoSoU4?{ffniLf$6Rau+Y1&8L&Xf%gV>G!ml4J0^X;a;F8)oO@%)QAqe-mF z@n@|j;UTJ{RV6;-)r`!ky-fhuX6OW!Y&|+!;S}Zp7~YnAA69HdUvJO z>@ohc8}hS%%w!l>IFXzsiG(YT^C&HRu#a0k*=>wXfHbW?KdLA)--+N^9xRgde67mD>UqN)01p76 z*2J{Gw&nMge=6(P+WEV&UM){)RhbOiZQUepvUW-WLTab&P{Eli6G`N2%##-v92l9G zh1WuR-a_`RmxHhh=nSP-RLG9%u(U9E4?vw5>JC?BcQ|p42FfLG-nemtXQio(wfbfK z=L=C<9MzBKT0j515ud#>UhuD^5L6|qE`m)NDZ5Wrg~{1E;C}Yc>)?e{^=A#o?EP4otbPkO zaa9OE_o638_}1k0y_Ox(nZ+P<_4XtcTK9v*9r}(GEGp&7dD(n}<9GqY8Ft%_P)Fm+ z3h$S+hL^WCtY3e~H?C7Ar(&%)+H^vx94glyiJNeDDR17(Pe7kjdW1!Sy{_RC#lLv3 zgl@9p8 z{NXRFs}~;qe!}|H+_2q}{c;lbMU14lXj|l z=gbF(4nH63hFra2-?^zT>(LLO{LhI3d@WUv+K~d%I10=YKFsb(%GQ|o>igs41IwwL zw>@ezhB52L*X%vP!Mt?1Jm!+Gbsg)2o;-a;V=3K2L8_8kvQ@q!Ua7bu_p+Da7nr>& zvLrN=TWM~s-Ttm;R2b6xSF+FKXJ3ymNlJ1XYR<`0aFt()TAav(&3rul%Y)4|8Uhh) ziO3*RYE8J(#w+ft0e**DDgCcMIJ7Hg&z91EP&sZ|&KEr_)BpIL!mIa)AZp;$-+GG8 z@d&d{bRmJIG2?>LyrJS)VdXsAk2ot9$SIbUOIM!!$nkE7M{`qO9u=>4@E78wHB?TV zhNEdO(`U#6iVC!4c4SmZP2kGxS5C<)c^)w`GC6?Di#nTq3#Y9(32*SQtKZh|R8gDQ zqT;fymsTY+0Ew%_FLo|7Ty+N5ejyg3&*6NaHA)TClJ~;kq83cT{cV)NmMQ)Het8YtGUY zIDIVxn7=z^T-?w_;YnQ3o*4Us` zp5F36v#u(s#{h+`V%)n0APgBtQ{PnJMQ=2RLx^#cbO19qB5B0r9aFnnnN(fZRdzM% zM|pY9F$DCe8nw*9%}wY4rCDI-Nj}s}`JN&jALkvRK>3v5x6!hQkx!i6W`}a|JSq%d zR$Y6aGx6y>JTaK`PFg3bZ<0n>=*jlF4ljJmnj-1z_lSa>L4NlrUnHX@@ImtQ;4t=q z&xHMxuc7n}VK#rJBmM4m)|;1bnYIJKS>GuM#oUc{F*)CD#saxVgca6i4V$l92|&(m zYeM~Xdc-eYFLox829sFBFcLZ}Zn~crzIv0r>SC9lu2cCYsh)u1F?NJAGVyE?ZEC-3 z2iI1r)wWY%*=A;hqcKz-wf*Y((NLlpxgi)>obnT;g6yzDY->uDJ$_QuclG-SVv_#b z7Emb>6hgRLTz}@ani}1X%Mfhv3s9JDmk!+*hJp6M)al+`97V5h=qf0nVNuKCi8Vu* z7%Lh2lw`nwpn)>H6!MHh4sdrAL{@QKZmuIx+N*RgEhVxpqgRX@_fE$6a42p4z}i+< znXk_#&DuTz0F7XO?IYiL>sOQZ$)Bz;Yqx8j>^ai}z4miew_B9+4>_l?&v$~GVxq00 zO=DV4<{x{alU9+dcy@WY@8`(US4r-N&STt}*4D%89$hjWgp`SdkB51bgv@AJa#^M= z80P^rjSny2BRC)q=3n5x*>hE#*Of7uG zzjs+Oa~1bDq4*}G{NSTr7Jh_2Y3q_Hnm;8Tw?3n5u$dI z5e{8Hy^V&#{RO*Z^o44%AGqCy9uM0@e<7=($)-*s{z!cNb31=bYnZ>PZ5?sE$F@Gu zePpgnl?UW-?HxcacSagX6y)^VNYqK~`I}_2Sl)Q~xkgl{XIIORvd1L#e(Fw@{9<%i z?>RE?Qr3Ix;sL=VX0*$DP^q`>8*vp%1#n|Rsv%nNHt#jnqspWlt!~m)23cVT%@K{H zQ+_WG@F$VeCGhbqCz&?8BaF!7=T1}?YsVui7SR~ zaSJ*BLI6qHgnBn-_tgPhal2(sAYu+bpXncF(-BE_s=0JjdFi|NPNwr+vRka+8UPbh zSbd=MAdb0l`aR{%c;ji6K@-Hj^T?#cnHMZgG05lkKyJz5jh7Qb7*{1Xfk+g-1gXbg zmsC-lSCto+OYw($k~V`0j7Vp1Q%v9#$V!%**JL(5AX0@>L+Kyl8H70LGeaRCR^l#0 z-uMS}Z$XRdggC?fG=1AHR8AhJyES;Qof${Px@$I%W<*nHhHFEX>v^K8$@@4l1KM@x z-YB1{iEF`i4qyQ7QHzX+PVZHtx)4g=C?hkv6qLwVH!fjh#%!$Ub1A6M zceZe6Ba}^Lsfn2%~pJnvBzAC1$SKGOWJp#h}Ov4QCp@@g0ZFk@HSYH@%@wL{@U zv66~o(K{z@Y&f`C|IIH+@}UEE*=xk!CYau%(^l{4Ur-aAJo-hQ+Ha|bcjv`g5_A;T z|0q*K_ukXzf+`Rxl)_+=K%J-cbz`QpPt_IbkU`Y|a!Q>P=eZ%27w(Q!7-oN%bBk2~ zLcz@jh>*PZm$itMkbJ|6J<6@B?D2UfWN@AhmOVb)TH0s(%_H9b(lUimQEd`j?wcYq;)w;W8$FRz>}nx4zx>VxxRySbupGqtlG0AaiWQS6s zlUb$2K2?D$s^0Xt(&t49a_9wRkfg|>W+ozI{mVC(DlZuL_J4iR;Us;q7ZVVX?ir=HJ+-|Mfqt!>r{5f%of--@cZ<#GqN0Kh zbV0|mu8M+abUf2p3xsak2RxtMr0RWuHRhXCN%5SU7#d0#cYr`3vVne+6IJ6L`+|Zp zD)xUAvNc3o%sC0z0d8s*QP2<{Gc`DWck3nJmx;ZehptWTqzcAtv&Z(f$BPsCqXkTA zJPq+d+gq?j$%BGjPc4Pc`FOP&;^0sUF&8t0f2`GTdzRif@X9M{L z$u0SawgCSntGr^Kx*0YIb_&>ifBw*>Lq z45l=V7(H0I-54He?i9r=O8ChO;EK3g^xWKB_pQ}<#3jvRaxP-^26WcUkPE&%6ua zf2QtP0bKYBAzyU9Ll*}LHbPmemUghcCFbXA6`2CcwGl2nwt6XP!Ejg(Rz?w9RYI1h z>$jcB;E{$3w!~6?nKprLOn9xOQEZZb=+<+I ze-I#6oMLb6lS2*ulm9S*TX0W{z5E)(r&cXNzMHxQTxa+t+Z6u&0$vWJx##@;zRj2D z)R)_su7HWVc}XvsMe?iD0gO|-{UhewI^|b$W$2Asan?ue$y^M=pyv{(8^94xEbHgL z5_}`e)m}4sKIGf9aH@!+F0v+n2awS&`)b=R=8t?*J;E)ZV)uKGC8%Gxc?)NDtJxK? z^MzRT3ueq<)qm>y+p4F@wH(86y89}KCq6#;8Wbno60#)z zfjzPJcK8#|k8iu6F(&uW)|#b*1*A6d1{l~&>buv)^ShbU zEakhgHwCyh$P_>M862$2{2A37u&A8d5Vp;X6gfwX)oEvu=r3}$>Mztq546MGZ4@8-R_FcN8C?mU^0&PkEVIDK&0A6%IzlW6|9@FZktA@z)Y$ayuc0jshR=-~;NgV8p z#E3T6t_EN04!{(f!1|KPtDYV{Q>w!0H?r<$O#w|~#`>35oGy;{DpWd*q=36+2sc_8^qtD>OPY??7Hc%y7&Gen3 zGH2|&OK(|^V&Vm32zhGTL1lTqGff8D+xcbVXGFcs;Qq3BU)PG&%*^$9XA{F?ysFpm z}{mYiUqY zg7QN+d9(6IvBd<%{qy9f_xBaNpN%*zw?2p0D4fODy>aU~g>)*JWgKh4*3G0sfSQ5` zgh0TnlHM*1{`Sd#<3*UsZ~{@x)qjHNR7Cyifp@E&jfLYfK>+9leok4-Oh!hg7?dY4 z>h7+|%HF;ulu!W`8YtSs*hA>q%dFOmTZMs9R@w{##^#$#P;FT6di?Q7Xh-u^QfSe(C;vI zQddo0T!-xq9jXKu7OZdv!&YZ+4X>(@$#DY=mPkLOyMW zz<2Q8Yr61A!R5_AK1z0|#>cHX7ZlIpuQ*^6u^O&sLIjtGs~7e*x}-U##T^-&^4jTAmW2Uqa>{@3#6{UkSNWP zzOB(jh#jtq!Qktb3nMgepQWRVuZHlQW*E6@r;UptR{7$0C%-(Oz9^}7k!)0I1(~pfIdi07gvo6j3JOdr2d;*#ZXIk^Z; z0S~~>VlM^N`Akg`XgY)Q(>PlLo4T)YYhxrfnssQxWyOPm;Kv@JXa~cytysRt40c-o zoQbM5oLcF$uT3DdN%}t!OzcS(orzLajMfi;1h3#~R!L>cSw(&_6QmA$+rANDgbHAe zC9HlwiTLbjR4TMDk~eXp)XjSC>x<#TYtJ>DIdpXA<#&$I^_~q!3nN1Xr>ev?Pt3xH zM0K>EFOaQhzy20IuIw|{3KAt!L7i?F4vI|1MyJqell1dC06M|WL8iP<4)iXj?fD`ErY_w zY1vR<0r=7M83sSv#A|qehD~2q`V8dCI->@Pg0)17D5knQjaHWr7Y}eh$#G2LtF7`e zwv;rM4r&@SB?Kj`528MBsz0ZpY=-6;v+5`|pxDHO!7Knzjt zhWQC{YBBfynoX3tV%q(?ir}1R%8ye@9OZ_n_b;er!|6iIiX#Sj9{&e*!JBq<6reLj4SU_y> zI-FDfQ5{t8X~iuZbg9=gI{{FlVg>w*5W!>KK0asDJ?)RDYLnaw*Oc5boZ*HsL7cknyNW+aQ=;E+GZKrik{B}#f@ zi@_-r7a{d*_7%6=_Rp*C?FkO&$c%%1EReA;vTSB9!1~HgBjl>~N1<*gk4lxHFK47O>nOZtt3+rsm^j zLht5C-dtufKlDq`G)rb9YO5kn{RD4n%}Ew=u6lH>!ok}UeSx!r-rfKsL-?=c*^cp$ z@BVq7CZ3VMa@m)tQ(2OJ=k&V!l?R4Z&mI$ECoAQa?Bi9qTJof01sk?|72HaSYJCbZ zpvPWxd>s_N6cyySMD zFU@MFAvVh&9KKt1>#}SC_Hz=~_TuKU<;}^r+7bzso`W>f^%x$H|2a?je<$Jp3&#PF zCH7pn-Sj%%gcs25?}LRa8B^=)ln?q=0b_KA5ef>PX>yy3n%tf==?CY8jswai4!4z0 zNGF}?*Z$`%|HBUyNW%N+XPRgLSw+)hcS>GysIApw^M>Z4#sXkssnnar=lz)t*#XHR z=n;c|u=GJlP(4lb5IFk?GML9NBNfiwZ38MLz!;uR9xRMdGuw$^L?6LdnGOoUIsyeC zfGeYE>c)Al+nRMi5_)_PzIJ069|x*)1AjJT;HIt@yMFmPRA!?c@AB*(vqxz_yqP?4 z>`I-p3J2=EdK%|}AA6XfhyRYY#!so*a13dTz~cE zf0(R)ors`FF_6W(pr!)boow0vM^DTY4?pv(y168KI4I6RJqON61Ju2lO+?Hw?aLU! zvtkmEQQ=#8JuJy=Ao2I^^SrNKzb)}wRXDRT_}|OP+iYogAJnp~KI~r9|cOwH9rCK~&A=%uzAHE)3iQ3IjbQ^+F2Cq2bMPAkeA6P;_ zzoCUv`dd3C{Y#f{h&c`6TW=;a&PQlp(zh21koG?ay-~7b@X%H zO9xID8LA4)cEHaq$rVLLbWK!ZI8nP{Z*}hhgII~bp~=z+nt^bSS9@scPXKNGYuB!Q za0FJKV3O9gM^f8)V!Pe{DzVvFi}CQkm)U>(5mYF2uebkbO=Xu7NF4!~wzgJanG>)R zR6_Vt`0d8A=uGBoju`esAFQ&8NL~N#wCju{zNbmg@2u6S>JY=I&F&+5d41JP7cYWu z0EQcw+3ajHBcrpRy>&-n1z;q28ud%DR#(&yysR!fGPMg?AoX~LN6--n0^OHyLRvgm zfdqABUoO*3g}+v7nka)O8Ilb(G&}=Pf%d{OznzVok00$q^u%{577O&bz#BCo0~tp+ z(Bn73G_$z)YMhv1ZekC-l` z0AK|c+Oc!`5c9#a074q9e@4-IQB+Hzq+@@*cO{>r6e?*0wgw&4r%f zsSB7-rC5vus7XepPV|xe0UJ}4;`(29A2QxuBX7b z65GyxTI`kJ6B7_FY_VlQubx-3^P#`JYTheqxjC$FB^}A3^waVF1pJ{gIgeODOSjn# zkJJ4eW4_lu0oqTWA?Ss5vPBgA?%lgtxtX-*M_c#B4g&5PWe3mR1nPCbr&VvYSv0}} zc#r7WTVikNTRU@K*=b*xD1}}daPacirgDH#W6l$n+n8x!!+N;#WjIOr-^3LKtS@zlP7on@(GqJ z^D5}!zgdz0&H?^cl5UWW(76V0VOUxu)5WxZIe?%PfZeA2;ROPfkotk9P2P*vD!bm7 zfax5nJDzyZ-6E(uLbSIpR{yBxZbt?L_L9n5j-VaS3q5g2n*D(vg~loT?rZnCZdLYf z?4kw)eAvQMpue|LPyXt|19lc@TTcG^2pgoH%{g=hQ^@Tx5>kR$QlL!9PlqPnuXTU) zL%$$WuP@*f53(-14>26{A3frKnUao!->*!hga?4}`=Gv6GF-gz1^NLdd8y!)>VDo+ zdxdJHe2*aC5q4*Uf~g&+x`PYYeh78_0huuVj8a=+rwp2@5wX^fLDnreM@ zVLlRNoDI!u{yZD13!lm{q&*arWIo{uh|{rbcdIvkBA8aM`g;%&hQQa@22^+MQm0%! zo}mVqDS&R+_6zOSMZxzUEK)QN1^K7NgjJwA+*u;S**!+{yksUL)KYYNt>3<)$0BA>aHGMefzAk zvhMr3mYl_6m+l70*ym6`49T~)wcIDq6;ESkG@K+}4929!>ew0DJx!G8l$gaW7ZD^g z&CE5$2N^g-$8hCowPut|{uMJv-%~t0;{~E$mH|yKR z!dfK1vA)*R8Iv4u@1jHV$GYw~x0GqE6YqIeHw^y4$;|g3 z3#{*FKW9!^I&#EzZF5sl0Qr@kG5##D@T$0Ygp{{Ob zB9b=vf06cSJ~zo?szT@=-*pngY&QCyC(AX?nfPCMm2Pu zbo17JU0yL_&V2Q#@`}@U9{vYxZz)p6)SGBOA>=L*c-{KyGyITl5Rxf8R|jbx!r0FN zR;p39Z$du8$BvNl(Y}C}DDW|j&apqhj?m9OfjcXw zZ20W(33yZ65g8GyrL+noZDY&z{-Dxa1^nYH{|2*B&9f&!--Wg38E;#%n z5X|Qj=ZB|v?A(_ckvxPZ6(FSfwdRSe~c_^cLC;d3l043$~V}y3xgyzwp}R{?Dq<`{ z8^QJdAK~U7o$=oV$a-KQPVZ#K-(q8D*YfbFuqHM9tG8>4i5g}a^US93$Zu;nVI{;% zt;ETId^-GLYFcQyT81`n5U^4-)hn5|e;gbfzS-ztjoTz}6`~514J9Cbwabo|1K#bg z*8ca}IXODRub(-FUKEm3BskvbBZhy;oTqPnQgL&2&lrU`Wh!n@4xTMd<7t5?8()*%;^&#?8bYDX{_x$+_T!Z4 z`h*9O??SU~$NCgXkrELReJOuwv8tXbA|>^C$U(nZYRtT(Hn}VG8{+DBxT<(edAY#0 zXj5=RicG$0|AdA~3fcK`S5F@&Dz*{}(&%JM$#s%7nPmDIiAtW7ul3c7*Qu>j^F$6d zZG$TJzv4q-BX;P$mwe)QgvB|&p+fDs9qn{VZWCk15EM%%TY3QjcEi-a z@V}_(ri~Bxj*qg&m-WM5e9E3-_trAh{if<(Q(vd${zR$3uc*6oI0T66>wC5Gv0vl$ zxAskUOqY?Gr;N}0mDwo*g*h8|;Z3Ot33^-hD{D(Rvszd4uEv^0mGsRO_&S61%kTTv z_zp~rmsf0$kKP>X*qlEzB&r_pH*NzT8&4a!nuKt0-XD6CNaN^7>rBZce$)3WMG7ub zlfM{iWR;Cd%Z8UPwCu)4r+i0+7q~?EZlXohKb}gO)_4TrZ*7Wt?mxW!@%&R*b%@A* z@O9(ULxbsW6P01Mw;dfKPL0{Ji~?rPQU@O8Mpw~5cT;LyjE!LJZNKL@CLgk5TkS24 z3{D|h)97WTB70QgT5)=v>1LW7YNbC&W3WFZG3G^HV*7dONTls9a6Yf%8n^1b z02JM*!?R<8O}mixhwbWCSh0Nx^JWWO2-KNa`)a9QSPN&+^2Vy&P#WJ(+||5&Hb*oA zwDGK|!#;O~9j|*MEnzR$Wt&lN+Lf_*QD8ymG;#jy6n8&7Dg55PVed=VG=U~z9N08~ zJD@eN5}X4~_DwPCx2cq`0DA}OQ%)U-7`;ZkAjAkOM>eifZl4xntOMh)@Vj@!eKW~W-Ar8wyubWt_tS-LkxAKHzrQ4D{sEj!b7 z@?kiu;w31#&?Ranx!XNg5%H}oRMCqm3(cw{^vM6NOXW zErF<2CRo1@Ufo5C8>hG}Fp+6D3dY$HGHSM-i($P(f2AE0-W!OKPaAqmj0m#1P4Nl3 zSKb{PXGuTMFZW3xq&HiRfh3W^pa$02k9Lbk1olSmV&2h_-fm*#EAol1dgomAH3yP` zI@*!iwcn;Mg#bwgjipuV7$x5*!Km+f>iLXn-)2=h`>y}cvQ!s@UcK2L=7wHWv$U69 z3uiIY-BpuTG&`-6HaX$g7XPU=SBRvS#U148<+=~^=Bt`ba54J$SezZ|njBjmA7@v7 zj+}jV@M)p8|_P3A!qrc7q5LA!v+_T+}i{lHwgmy&BSD*vEst4t( zr3w*e##rf(AH}SnL=b|S6MsGR0vB6Sn=1 zkproM?t9!fthSv+dCZ2hOFthW^Yv8F1>yTJ+Y&*$;a%?JrsvHC2;X98$?WSv_%GzJ z6ZkpU{2i0-6HW)zk5l@4Qu6}oILD)|7NyS=EEFTchU@`NZ2jPty{{oo0bf6O-L)Cl zo18NfDnMk4bTrx>)T_%pk-1*#a9Ca8ws{RAfc#%~*?+8C^%um+TpONo^{|7zJ!Yop zl(Ct{M=xL38a<>T0_v6)S@Q#SCL^M7m__n2xJzY8mIF=#zdSceQ0hYgr;=W*wS6<+ zs&Ki~%?YPV5)KolI8AMucfZZeJ0<4h9~D>I(TL)lc><1CD6Nr<7l61oS8hfx(bpnK zBP9+bQOTH5Vca?{lu4fmc_1blm`q4{{Ohx#LBze$H_yYF3>EN8IecTH{xU$=U41Cc96ox))6b$e+Mw33r1k`^Um-+9vGH94VJ$UFW}XmC^@!# zCnG5Nr?HKe@a|grREdqhrI3Dd=i&Yw92-9=_{I`i(}ziYP;;QHOc?~o-j;Ls%a8bDoVLCP{YELRyp(-R@!Z4BQeZJ z>f$ay>YEVzE2U(m@~871lJG-%tiduA&z+dSBd?S%n&At4^Lccia=Bsu0NCY^*93hKFE;#3g$1#Iru9AC++L!aRrLlE5^6mrgxyNAg zww8F(EGGju+T>8HD{E3R1*G+&A15XWDg5berxJcGHk`M@nS3lyhAIt2{5*T@b%Wc_ z-ubJx7au%;I?rKKV9ZqGj(5M;7IV}&;YB2^Kuyhff&G@q7)h$T6Wjy zVw&plM5V?)ORh|M357Ow`xBoL=SNB`vb==v^ellsVrXsWW)EQ{9;iKwYt)!V#YoMd zu_DauGnvrdX=0nTCCl37l~v6)JkDch?}m5)R@Bz3?W*G(Hm!F=+wc%iy7*N?yIMh`)FGlKq1bOpHGir>Y(^BC?4{qRn?3QSHX8HI zV=Fy-<@&NwvytjrBty=(&vcrRH(I;-9zEY&+gif}%*n1r&}%H!eo0M!=EV4(5|_!! zmUv{Hm6bTo*3tI$D4{c@CRUUO!%@PcYlTH592E*Ke#$Rv%eiCgu$DdqR3I^}6v%ZeIk9S8VFKuV4hph}*NHJkHhCgn6@^^c ztazJ0ro#fBsaI8pP=4MKQ?%xE0#dePXNf?l%wCds$KY-FfE3_pLJEeT;}kDaX>s#! zbWKWDB|zBJ!6?RsIH!F#1x`7YG%Ry{;wWAgJybrN2Q`O)?h~-?Zb@pB-4qf}onkv~ z)FXOFYje5=fq!eX8KYY~c@ff)^5#?Niup?lWvJ6BnIM{Q>5{$l=#BRR{)cB`;V6{l z6o({d@~KpdL1%qvx^@PC%@P%oozW|bl}A9;>VcVJNIwIc*J3($>e;F}B;HRfz8d}t z{-6LavAn%gBy>3El|13QIasuKYK$DoEbl4plS}NU2uQUF5Ym!)kMQGZo@5I;NeeF= zY>$%=pR;r0Nxlu)Zw}wkK6;T)s~*`At}@48j~O>zsvy1nN+FFu@u1c@ZIECJA_=KT zUtd#dc+MBDvR8KGFdKflKxI(Vzn(;pTDvK>NGfZ!VD3!;jZh8yu5Q7(dll=~`1pX8 z4h2tH^n}H=ZdX;FY_c%6~DF4YU_l_)UZ%>&%++?Md=>_xDXGzr>f6v&W5O)%r+rs_#<2dqC)0%8cHI= zV4DibIGG~aTCZWjbtV$nKKDgC9eq09b^1JmV}Rt(;>e2nrOQiW^9l>hcln};MIJtU z$7@pej9o3Y;>uP73G6q={Yyd0%zL=0_(X*j>lG{O!6a{rn0jGnv4QpSykQRM{6{U4 z4#PIz&=bav6mZl`p*y>Hm1RzMvPDw0I>?{E@oYz;hgNP0ee*62aHbnN(T3;jgFg;e zS!}dZpAavJNrryS-_O*Fgj6GiGaxJ$-%cJB|`{sxbPUg;fs98{Y%74UEO8 zUZwS+-mmnBFI9n-DAOb!zGXcB&X*lvceAv&S?ML`1@=I^*W+sRTV$9tMp`qd=48e{ zAd%$LiL;0-albp&g5eDplgXR){e&Nw4kl8Ofpgqm{5Q+AE3(sIP<1>c;hq>_rEh6I-B$WF(ojX# zXM=@&wwg~t4c!JH-2%Jlv&3>@wdSIABXZGON8C4h`{XLi_P~*ZEu>y|GKoL;c-5|` zwDN!aI)?!chZ}q7@`bSf{3azA_sv}sXtUd@r?5@Qm!1*4LRz2vYX*PE(QD1pS{PcX zXDtSsbNaYCIylhPqS(4F-dUc^`ceGbD zK8{Vzi3FP7*?&uSz658goVP@{)DAtUdEbqRnPbO7qgUQtkz9qq{dx@w&pf{lIdk?I zoafQMt}bFRO(RR-y;2>@*^XRnoR)!HTJ zSH4|q&;x;qE=tEe!n?+z`dEDJNdcIL)Zh@j9YeZGl@?59n>$AO$$hH&!GHeR-pzYo{tP+krX|=J1mTg3o3_Y(=xl#G2Cb@_}%VAS~2DsY>2P3n@7gV9Pq|i zn*l%lnU|R7=JRuEyR$kRqxhDlw?EAq68cdrOUit|^7I2SzUneBy=?LMr~Otvbma(n zt`YTP-nRqC5Oi%3LhOzSQxyC#PS_m#K3ahiyx018m{vt=msXlDfaYw07>|3rpZ$X7 zWg-`}dM{FAp~cS#Fa21Y#_`V*P!~tyVDYb9`kE_kmxA!&G}8>TKUqN<%M|@_<@P>U3Pv(*v%B`qPOkV_ee<$$&6zxd#mY* zx_>pTt^_puXMPja|7pijUX>qQlK%TLvaE2jN*VT==frWwjl|L*!bDUt$5IVuQeYG? z_nVZzkfLV#S5PlH&`vB>0NW$0gZIbojzt22^WZ1F2M=s~R-q)%!F@S?OvrtZ1^6!i zR}||j%pl0!Vf#YAfuKl;&4$2-F?gqomqW%0lPxlS#d5!izo!f)muByUdlYiRR){Z8 z`w+zfU*!oOthHux7Avo)w_gxpad3nuKjEBiQoT-Yo%L)ntI!HgIj*JlyAF z$~Skd9W_H?3!%pNv!^7ci;-o&JJ*@Moyl3f73L$HqLpfCmBX%{ z7*crP&9}kG$50oR%vZUSYu9AjqI|?|372@5b{RXGp5CEYUHhH(naj7d-TzevIHW}5siNhWsInUn5AFr^ovTA@poUCD&6e(&3XqlLpK%<3sYwKxAPKk(# zH43jZsHj!8nggLt{9>^_ZAj44#}Jy#;$q07mGGyc`8%+vWLWND3?^C1fbS zh^w*=YwHm?SjJhluq)L4f$^dA*vZ^MAd=5mW)l*?m6Fvs&)Se;IT6DokR-E9PZZlStRugAC%Jkqq6@WX~&BytmeZ7 z4MPPj~Cg>hm&mq?FC za}B90awzz7lRpcYl2LxXF#)x15hW##SGd6Z#rpt$%COI-h~%y|8!9DJT3+L-hR0s7 zT(CyG>N!0=spF){Xmh?0`O=nmn4j_7dsSxA9YpCUQ`I;gxM6-S4jSq@bW__0Uq9Oo*6y za!Fiy*CvzZfGy?PC)8^DoJdP%UQNG6MNM;e;C@}*C8*ftfWzPKq)*P6#mi@`Lr zSU*2_Ayg?xV#Jl~Tt6Mjs?&tWa9xYMCUUnU=!E|C>|GbK9v!;70Sjq*0HLacJ|>Op zd7XM&zv@s}{O2QkF;Yr!eZtI~P`lKdbhC^?823~|fH2&Ts)63Q$x*W))HlWi)p^WV z@>XZ*%Th()#1}S-n&c-9nXaq2(Xw}kq7;Ep`{R3TAzQa8X zu?w)bW@p`lkP+DWj>@P%saY}?((_D1F5=bIw$CfTMfosbCcQtQoLy7dqIYmCYRjR< zH5K1eKkXwx|4iP;&nFV*+o|+F$%krfHeHY`dwR->VKfy*;tcA(3X*{>cL%K(nlFo{ zL*FD=9QCa0Z6w%^4c=Rt<@cqMi>O?ya%}aga2UO|otk^TddYq*YT}^i*lZI;viR$U z0o;reAH*X@@i&a-U+=Cp(nLMpVHL`FI+tu$gNBB%GX5T6hxCA!OXP3CBUhk z99$c@J^sQXNkq$k#J5M~#UO8y6O2aiXup%*FA;6N!o#IE2oPo!8~#^mc_#&T{1{>r zQ}TElYs>?Lx|FkI$)FyCeuv>#hxk;ZOkFoQB+V9HyD98tWxz%*4{UDG$JESkZy1hKen3)`QXjO!H*W!a_<%sO~(Oao_+PaK8csjG^&qg zYSB35nb&Iw2QRaM44m=!G`5B-wZniYFTQGdjh1-pVDky&mtazMS63CIM{iJmYyD^S zL;w98M@rSCZ)l22+CE)WYVXuECMktPJMD&*U~=b3JPUPm2AmFKMMiCYW1#}4tM zTv=Yth1%by2;_C*8I9m7p1Dz?=DJp%wVPvNZ`aYHRPnvKvN~BK;h$YB+fa7UAy%|g*Pv(i`t2LtLv_JIGNxpn#*7Km)yA4{hllERr>S+CQm3#vN1C#~mc#07sq1y(8f z2|Cp~_s;@IdMtpqEHd%ZpMtdtlGfq8@^Mnlisb+Y!%iz>!N2{!Eu2%{&$U<%Du)!M zAP}aE7`08WMnR)?35B9R-^R(`ucH5bciq~{mm+@7)jxzMB<~6PGxHMe)Sc9}pb|YJ z(SowxSAA(209!sTX#EsK(9ONa3orIEfXP?O6q>r%UV-*WH=MB0oh;nx>ElDklTJ9N zuB4dV0@rk%y)5@^+tm7Yc<-}Ga{z;sKj!+jseZkmW4=Zu$v(zKwti}4uaab zjdS{vVq9g`7r%QOR?R&OJ(U9zWWz9Kl+hc24M85ZoDk#v{hKY15y?G!<3>(3I#RN& zzZPSpQyvkt^Dxoa&*e5Q?63UXSJ}E-_Z@oA(e6N6k8vzi2+*AT!5opD05ky&TYZST z#|G^J0^$6X`ImDqvY6a-0zizT!zBYgEwunZ`P|{cJi4`9WjEvGYj-HGPLMW3YBEpT!)!-zY+kn(HQIyHH+i9X3Sk=((S zHy^LCcs!6v1ATxfekQjU6aq^YZ_6~!J*LtiFV(y|Zb9W+ z3$|;de}{vmrWJjvXiO}B=KjGF?`zQ(KB7bv>29Yh@oWltK1hlfqZEWfeEeh5*^s5$ z!Q9>ScQ{`LI%}vGI4n6D5Q`ja^7bRL$S z&$mWg5+Q~{)LIMn(U+I7fxi(n@b%tbwPg(eg6H?ls$+F?xqsu3#WX!ZujyeuBA)Q; zaQSfe)QpjR!98^~D;5z*?lW>;g)FlqC|gjkL9M~jidp#cb0~ir{6NWf%h z;Pw#FC-+qsBjtKn;;8Qy4NpOhb*boykWh_?8~8$-oF(7f=W}_N@H(?M0x%sFA3VzYB@tUY}p4Ok~JhB19_$!?|Ybs zp04SJ<`+fT+I=~Xv}&bq{X82lm^q=98>IK=f;G&o_JH!LV$d{=?7B`S7DDANd29&s z)vcy7pHPR1Rn`Y=Plbdion9rsn9aSu>6ZYCcom`HX%GtR=Bt5v8AJ8$pB4MOoXH}u zX}O~SVU#skmt0u;^gbzEkvkkO^u;l2VwUsmk1Q_I)bpAp(j-cmo4)#=x96&wuWX^z zFU{u^-Nq#Gy$^afP)ts7YhDru)B7TU>%tF&A$MoPGG?4H%!fNUC-MU3|6x{n} zbMC)$Fq#x>`aBb)C&75b*b|BS@L;3(*@ ztnba{4>E2wn6d!f1L#T3(0oMjb<8KaC9OprfdE1|gM`*Kiag-zmtT{+IzqXhI5Rp_ znDI$U_)m;r%G&T|LXAI?|H!6q5m7zfxnwURBa?4b&0AYrdl$a5xcF2xNtkuE=Sx%+ zbHVt9Brtc6fL4vhy2fF=ioEvg45gSBa$L`hjaF}}EYOs^>jNLKTQhL{ap>l zTe*^M4`G{PJ*R2Rb{lyAlGaKG{MjT$RR+@#F^RA*coI=qYN`8bP^7*=V8P^esUy^s z0+}*7cYv$b_x=oIJL$T|hDl8MsEKpLlaj8e#4k2Ex)Ik>-vkrX_8EHITJH51Rg0vNV3Nx^1QpCaVkeXm zO$j=!+uuxN^1bkimk#>{o2%4j&ob$5@h}dELcgzDa3EZ3zkH2EH{xbeGWnJrg!sA>cg9adm1uRv+P!!~3!cB$!K2J27ItfGIkIgv!wN zUkB^LO8GkDDps7|M%~>rX=`=2K4$)8OlzCArm|foDZZ|;zkQ=`8K97xEf$LQ&uxc3 zF#K7ip4&i>Jt!V`A`Uz1k$l!-ks|I{kro?Et*oY&)7z`EU9jBP(C~@BYN!F`kZjjj$=?Q#o3qzlGzd2`o{Z7eY+ zP9XqtEOZP`fBZ;5R4|s&49~-W-Ev7yL5y?RcoD|WdQl3{EcT*`E6X`${&BoKVSiE!Y)^qiCS!2l7i#CstmbB`m#OWD#n=y-Uu&Tlc!+u ziH~C%6M??C`(2)yig%)1E@M$n9$E!Wpu!9;e^n+N_P!MBti7@5sqb0g?Fz3GLvarj z)ymqMMs8R3Y>qWkk#m2Z6wOPt*RUqfd;%d_?9tH@2G3p$=GvBQ3WkS~-gujj$jpB5 zJSKR|lc;Le0nN z2m61uV-2<@3zMpJGe}t(Z^&i+!h2SVUAuN|{bz}7Ub>!Bay7I#{z+Qr9-$1=EA+<> ze^F&3Sz6+1_rL={gTg86H5nMPF6=5Z?qW{pDja|}7QAh5Ha`HsQ+5?A>>Si13B}lb zi}Ixh*@oOqd*h1$DSIy(;$9=8Dfp5^JEq|A*EA_t~>| zl};6Z)00LKtVJ?rSW0+lJ|FwNHRP05P4Cb4e}!*)PkG73C0`oDLmDh{%aOjqrU*NC;yk#f zwHnjw1~Ulh6QFcgXSG$Y%5p)yk)HefU_K$B7iJT^;hl74$5T5IkbCo}N3N{}`oRZ` zCx0iJ1>=G%TSWs;3Ywd_x2f5d#7^BDN`7AG2Puy5i~aA>Y&vFju2(&2<&ycseV(VN z`)x(2Blx)Jqt4LzdVod-h0QuN95p(lx@@ZtwVKahv#es6VuKIQWcF!D+LHk8sR+43vSR^T0DY1MpY4)DS>UgLH|rEC znu*;(8lFbIx?RF4_&w6@18#BE${m_38?QEsi+r#I2z07eHX&OD6Nc$Bq}=Z5lC}Z? zu4jjAOS8CrhJ4-~;)Bana6!CzGY6Yx&+AUplE}ufp1aFu_X!{iq~yxihF1GWC1jdZ z`^f`L>#O(d&9@JG@L`;Pc+gox*36o7&ODR-3g3;EzMwhQ zIA{FXw;ezgfn!|2#5LIN|MX`PqP!!+0RA?*jnR=@7gSG5m64FIzm9+&tt~klu8&nU zH|33^r(_yb$+BC)?DtTHll4OcOLP*7bI-LgSH1ji^OyN`v1 zNP`a5T;HElx=~Qec&t;ctgPG?p@#ge0yj=?p^%g0G6SbjIGoCp4e>VzHcT5YGVe4u zbM$1}Gm5rZT0JSEoe^*^cVDK8=8&w<Z?<)X94Kb!lkM()0>)0cE8U%>=WN>@rOCYJk!;q__&mA2uZJoeriAgnED%Rr{xAv zGEQVxC3~K=rpYkFe{jCkjab=C%7A%b^RF1L%6cCDo_#6In+;StR%^X4kI@<}^zkkJd-|g0=w3rjBhh}!W?}~KO6v+ez>o8%r zE*mykCoZfdc3wyiJNzFj!)OX+bj<<|k~%|!@AZ+%T;E%n3tt~=Z2sy!QPICy|ApTc zmm>&(K4C8-%Kb!bH%vKa1r*;0t130hJheK+59X6Gb^bbq3G-!S*cb$gnK#OPCYc<; z&Nd94TvL1OjicW-d>vz1arOysv1an1RmiNGyBJ>Fb~nm;f{Xut$xNl<&Nqi8&BgT# zPQdZ~<%8^B{mDf>t3Q+~=53%Zt%fgPDz_3l1IEhgjPA8=C%dARVTdMa^ofp_)8Otm zE)z;7Z&@oJ;ebbh!Cj6V{!BIA@Mi_PdU)>UW|Wkl^$M&?CFk>m=j#MI*e-)GSNKgH zf^T9|m9yj61}x*k2`8!al%`ud*!r}-wW9y2zj8yn?H7TDdvTNj=oVz-=dtSf$g{~c zJw_Ou^)|(oX3Wz5taA(I-y@k2v44FHQr}gTo!70+`IDy*D(xU1} zN}VFZJ}dlQX=`i&MxsCSmc$>!m7B81)Ya5PB_z<+ z*4M`*B_*K(!q%3T)fE*<_G#L+(_be1R%rvO|Lm`KHZQAXE9vYs&d-}~6WqFWi-U)! z$j!`wqnLs>tA&$Pz7aUt2%t7JQ=+JPp1=6MS7gMolWd2YEHlkc>hdsX_Ou7K@F%`L zV687TYi-HW^3fI+G;%i9ja6Y#X@JmhyLp~veS5ZCG|&%s*leHBemOIEmb-Tuv@H&i zg5*ImD75)X8Mh@W6Mkp>e%ae(@5t-y?TnnR5I_{0hEODn$ttxQkG>@->eHA+{cP+Q z1jLW&3>`sly&DB8DzvClz^$GOQ`KHSV|Lz^}w>DDv!tSG(9Y#6ZS7sP+bN7!@!av#B z)4yC`QD2%{Zf_h=J$5<+-G4ke^v-Dh_10V6E3ryJvpi1PcR%s5nNl0*b;fmCPg<+e zt2C}ArhOzt)Vg?015!{kWbIty9-1-+EOD!rEE#pd??f zSr{$eEgiSvD4?vH;BR$ zb`uJQiXxamz6Wr2gr}oS6T`1XWy0HFvUkGHdD+V$w`TqOr025J*%XNX1PBD&VK-%4 zYE)J3TxgRou*1M;*|ltwH`Tew43L3EIv}^^wQ1E zO*03NJ@LIDytX*hD-DJ6HM8=+xy_}Tcq~XZsmcYVU!X?+62wfuPE7UK^uxI5?Z4ww z>1Ee^YJ4@*bVclBR>!_3CCHZ)`^C8(y7kqUQvR($Yi24<_E;y!;r>OH-D2MmAid$4 z9K3WHe1(W;B>mkxAIJQ+Sbuc0h*?=@#n-{b@0;6B~E34tB4$^$6`ERzDy4?h?f`WoL{aVJx^dufgNYpR0JRu-BED4Gyk+&kk7B3=Iw28?KNR((zKrw#QPH1_uHz9YmpFjO2_I2jF8Y zb1U0=%$0q?DEzO~_y7A3K?OGe7j(g3>(9Sd!lR(0LJx5Uu;F&b9}Vw+8UHcUma|E| z%Uu8OWB$e1{MUC@0!+QrH}b#U`mUw{1f2`MW^1$g$wd~TEy{lN_VFQ4#NKL8Uu z0%)X$Mf(Z+zuBq(^tC~5%z)?HZSR5k)qiUE-~E&RKHyeV%6 z=6}~=e>iVMp8}0UsJAEoyI=56&+G{T+=Z}T;eo9GI(Ga|BSYo#4rqkodzjb-iTZzR zC-%aDo)AoX88~F@|2)F;S1$Owr?=fN0MY+rJC8^SidW3Z^$Gs=7UM5k3P86H4vrBv zFj#k1=D2=LA`V0xUGBb6{&b_8BR26HXecseQz;!}&I}l^?P!w|zbS5XcOw^5Oia2< zY{)CqsP8HHiiv@mC3Ug>*si{;J-?yyAr3%b#53GJ@g57oA@ErvFJqI^3Q)&!fMsYT z*M>hX!P==2bgCB5 zX{ysT+^03w2k-lydGu`J{T~q!{}`@f`-|=$gzfI^ylQ&zF($y@-~W+_NJ3e8IR^*F z3k=7jN7sBfGgub{0ShZD^&R}t@JOzS(RR;i(*ZjDK9bX<9rC8*2j2)jS~cm-v5|8D zM7x+Th{Js?DyJmUYmj4q|7h@C=(TiQAYO3q`v&N|US#%1DUZq@=MTps54^*sfoX8OdmP3s0j4SIrx;xZ@XUaZyh5kbYusj zAJLbX&$`Vw6u;M3#pLg6rM53FErRv+oVGOU&nC<{DZsrSrqPg%yX1IoJT11*_{dMK zKrZ*+nyK^R)Ij_RHuGR-X9rE!JRv5cCV8Bg2AJi(%6YzGrApTV}C9OMREd6dBGRP*U^p`qJ&%E^hPzoiU#+V*;k# zQNX<{Y*W!p?B;y$KKgZ2$*w%Zzcr1=%4ORlu5hiDBo|z%AtNV8@Q2Y>Ycq!Y$JSAE zGswoIUcHZmyh47n+6kfnY{71`J$}7l``Pcln`^nS`ucvNIzXpa8TqHOn!narP#9a_ zb8FJ3*8nXcbd^T!`EzFc3sqHCI25_Eq5ufF9y&WalNJ+bU7$`EE7QC{))dOfYWuKY zA@6S9pX+%3^MQ|mFihGA0SSj_#m zfolucE?gy;=~OjxUNIng4chyH+jVksm)F)dy)`bzTHT4Lp*@(7F`=3GJ`YE9nE-!f zW##%r46@ouK^h8;b-_zA%+-efh+yRLnvtxs%Zbn~(c$Xp>-hob?$<|}Ah9gSs`zw8 za*hfmO1GP&*prjF#cA3K`58&cuI@ym7eyLVwb)4SO3?DM_IO(S*W6uAPxk#jO8-V< z;9<(f2~x#5t|2IGBma8}vNLs)zA=`T9H`#A*XF8H4&2--gbxGqNl3ng+YgpF1DZLZ zcbNRK{4A6;D+h1HfxG)kackA(%R$Rqi$7M?)YLKr_lxMp?DxG+vhUGVd>6-i=Ej@x zC@ZV|DD7hL5JW!8vdy7|U5L+$dEb|~`{|0iuDWL|Zf+DbRv#W5aIbo}dVNPqBPv_n z4&2($$mTE?2WqfXkP?#;Y57>)*_MIG9^XxA&F$;&j0DWm=>zkt%ZppeYm4xq1^2)E zrE4sb%3}m7ivtKfohB6|&cBzR+X)kEn~O63p@!qHk!*>(O0AG=GO;h(Bimv?#6S|3 zE@i-L{OJ0dSj^uEvquD$roM@9<>f0@oG?y83}|l_RsXf~t{E6?`KDhagS_h+e6WFI zSY^^TB)9<}&FW~3i+8vDJE;u}!X6QJzxpU}5K* zo(3^aW^83pFi%7pZu`q?%vqp?n)It8rv?oPRA~(yK&3igGdh)a9#?G6MWUtlE&;xb zJE49*(_s1q*^xbg$2AMQFMU)689OV7lCpUY}X!M z!RlY$UIWxv!}TW(C6(?is780T#7|fAZYifto1IPo75#tORc~w+@nNB0=k5BVDf}_o zrd2%cusxbj3jjYq;OHOYH|o^v#zIp*;L2PtK>gxk@4Wsjhscj&3gu17fMI-WH<)CI z;19)F|FLP0zigQ>y=9U5;Ig;3cV$dUiYg!s1s8`<9 z_qgE+7kU;$Y}ZZXgED(FyM1bdE=QhJC)1;e*s}|PykzrSYR%ybkWPu`&tWN{t-Cz3 zGlr$2OucdkEOn9GUa1;Vio<(Ot>iM*fX+Fak`1E0wZH!N18@E~ds1cx&h*MUEVHYS zHkV{!ktd@n(JNupDbQ85HeGQ@1tK8zjT>@#d0jv3ZgGyVNn_y(k4T zls-W*K{K_$C!v=PKqL67sWw-~N_^nFdEGG{^QQGT--u6f4cHg7UG{`eBmspz;8I|a zQYN3OVug=vFRrrHGt^af9`6xg)DjCv6M3LY4p^_+#}h0LDS2My*&~@+O2BCpI-j4E zV2>7*9*j@x3AtwjvM59)&JwuqEp#S3u?^5(wqd~tAA=WauWlyxkTJO^zf}3sH!1v5 zay>Jk<7)m+m$Ihe0~~bETO7I|ni3Jp?5*d0 zBX%ZiXG0*=UlP)F!3onH^OHl}set1b=nbr*ypu}}>g=v6us*wCOU5+pUWhi98F#)W zRrlt@0zZj2{ZriJkru=*(XPTD#xL%_^LS-tP2+HW)x!w9pGb3gj`g)L! zlbc?1@}gf^#FwGmjsJLtI^pI^MyK}^C;e@y!W*p=|5g%QY2LW%H$cxUPG7Y3=v#H~l4> zM>D#c?uJ{phCWuSk^97Jh zz|2Hmaqv^eu%#v>iG60Ijt>V}=L7S#zHS0MQ3F7r({wULNpso%brwMJX!XemW7vzZ z?@FY7BPgR$M?2T+A}-AMqbWvBNGF^r%fPHJvoM((;dMHF->?xUK?jJegbF9rD~$>o zDi#$cZ#EftUSy?cd^ghzk}CJTGe9_#4=vsjZE74Jb49LcsdQM9{#&UW)gx*bl6N@b zqq`kA98Ray=jqe8G^S&(YD%@OJV)+kt-H8~Q);#b)KbbZuCHloVx9N}3 zzKLes=7FHTwVRXqv?sE9N55)(iysrcS^wZ{dxOq$1#8?u&QpY*GD+`xEok4Mt z0cYyO;jm$scxU|REnY12XulK-wgTjehF%_wt(Iv9=ua<7MXO;4o3mzbcFYYC}tQvq;D4IkGlICW! zn*QLtj5pM46&4wQ3)v%n0$gZ*lXW|%&X}H8v4MPRs{hkDtCPCMVs>8sAuGq^O8<>R zK01=&r0a#u5@x+=^0TuFmpi+=LvLHHL>Oh?64L<8^ZEDG6Y?=MP5oyMPP|UY%!`_> zE`t+W{ZXUi5c}3&xlctWvC&?yM3tR4^|68Co0L^hz*2Mo2L}#mI##4qo&Wz)_m*K% zwq4t>Afbq$NC*-tpwiOPAc6wY3^k;5cQ+^~DJ|VO3=KnvNSD$ulr#(tLk$Dp$#uv3 zT-SEr&&&1x`~I-O#+-8=v5pn{+SfWx4`TrweZ;!IkXwc7nysz=75dI^V7;eJDzRpz z^wM~&hV^#ijtTKNZioX-1fRnS{-=*0O~o4<8@qu*H@brwZ-SAl_+87w@8rd>-s-~G zgOQrD4d?rWzwq4+1E<)EiPW2$HjeJ#DLEBu3Azm#>TV~CIKNi~WCqac3wZkn48PCa zV!ea_-bSi=ZL-qB!V4uqbw~3ZVU`M4In}tf;`Yb~Y~Zt4+Po442VQ_SHjE=^sC;Bg z$V(Wc`v~_Fm}z}-ol$SPe{|-eo* zX)^MfF2lD`yI%Xd3_T-IoGhg$SlhK`Prc4sw37VWPyLgVDKA&mjpcrM6u)}o65wm+ zqiuXxVYeDAFrC}nsFFnDe~rs%}U9wO-O?q=uvA?T|$*PYNY zGd*4TjNqZXjLfi0))ikMefn1R4>F@m7Bj`O`R)9yw`NXkC4PSzq2Ty|%V?EUScNBd{1wHNQ9gy5BI7{avAKi>=h*Fk zV-NoWj{0xE`XRJiI!qf7DFu$>Hqdq@oj)D!}l9;xn(xS@_Vbar!)x`;gZG^q#^yA{;Y@kg2CRQ_ktlXXDx!SlkILmZwh4|gF9Cn`ufhBw{H~Q!HTE20mZHT ztBNjJ#KvAL>L5#+9TaD>65u0QZ;S*gSpAeo&y$D34LxPQ) z6~OiQ#!?rQTL;)fYrozq4R(xLo|o8Z+w;T5{@f;!}yY@^L4gtRrSlZ~`5N9Oik;oZNd;Zz(kR)f7UmhI5BPaQ1H z%?mX(MSbnk<0B#>q{bAmLYX*JfWk36R$KEqVJB?Lm$OAOCP2-_r<=SE6&0hqfHMQB zYZ_V}5IC$4L?-uT;=1{Zzh>^Rb>1uFHdn9g#qrRJNQTr{sk-xjvYN~cbOkZsHK~Rf z$A)Gbj(%_59WTeH6pT5W9nwXIrrGXPX@zSKc(HC5CB8MDRK1HsVv?8n{-_{9!spIf z5KqCV3RWoZPhO1?gQ#F?bAYj&AtAzhXl<9JU*GtsE$jP8jL>TjrLe*=5himz?1Dp@ zm!D6(n0#>Vl1uU;8>{?_sC)lbnBZ##NDr*PU?eLuD+IF<$X|5N%*+@P01#FoTlsQN z6pQ~;zMqs=2`^Ejd#^m!Ubd$Qvo+WiqFCQn0cA<1!X`*V=m9#sY0(TX+zInsEhCc7ft*< z5{({Ra&)0Yy<6KS8Ho}E)aon}Qek#ihj)aMUfkzdxm^O6#4bY6_IV*J@&_K%!w@GC0CeXC*W99?4!Y{&Sr{X~S zz40R#$~iHBvN*hPRjyZJ;wj#|bs6^k2RjR*I+MMzBPzZ=o_|c!=$|A;Xi_IzN^K}m zAoQACV||1>`_aruVM&$v)@*7@lB{Q#{9O;pqhY7}X^p3z&klFt!xZ1J+Cs@*&^rFvw)-6J*-CFF(-qU@uaUSiPj!oU;T7c@7?%h8hKE~aZ9kcjouaI&_&tw<2LL>6b+b7s-`o15ubRT4Uu`5C zvD?Hl#w84Ka^MAA_AZ>i!u?w|s^@h}Ewh|`V=65zZNLR;M+7LDh!peo7ETd#Q$n$C zynO_Go!>s)*XUT##`5Oby2;sGHtGdnn;@O`yPH>yEL&`|#DK8nwS~w@*UOu3I&uVF zrxOnXfu0Zh5(=ke5d+zlcDg)lp4yPPbCEj7-wkf@?H8ju@~=nSf`v(*a0IVv_OU#2 z6-s*JiyB(h`6^3qO(wkm0_wJNQ@Y`ym8rht485E?_RW*3qEPy$E5up3O|I$gc2trN8jJa_kPE1vii`cI`w?Tj^A}9o#HuDt=odv z38EN)x9-1G4a6Lt!B-XR_l;OGfOap^sj_ z1}7%71MQ@|!MY8QZj6cR@gn}IvqZ7)+2Y~jtNhY#0vaJlRaErKKbFUSS!wnqSz{b* z=!LvDX~&n&DkPLrUi|oEC^s7PQ%t+g@t3Oi*`ZnRmoESvSAWh37Z=y!!Bu}%%|xTG znO=jccE$lR?QYORCMTk~N`)(S=g$=!`{Tpx&=Hkj0gt!=D!!+fwVX)ty9iIuEN3f* zYzuwW74ge+fM@i3YGT#rRI2y9PoU&3rKPJN?>;3GT$Me)(qFX)padiSMNn#m_np8V z0lKfMXnxdU{2A}>R`R|q`4pmYV&jL0+I>ntL2}sUDp0Zh0I&j@0=aIvsWIhYPMBj9 zd!eI~=T23ZA@;}~K$J_nUM}1?vd|XP63RE*GFA~O6?XG*RW$S@rV{XpVa?I58%s&RCN zE^D$$dBin2`Tw+YDx?7ZqZX$|G>-9qES+A3sOdqRIp7xIK{d-%{w9UMuZM14Gl3On z{7=LKFcuLTy@Ind4+$~xPya#TvgLcBf05?h%gq^FPg04qmc8e|Wg3`%3a@u$gNeo7 z1pDUSItpGE^k^PF*!GF5@NgEq^I<2Lq&?VQrC`Y87RGC$p@ZD#mnnAzY`T*$mt+@t zJ$0Ooot>SJ>TPBfQoa0dVBUJ{`=5WvDgi40nHyZ4>))Sg*}J9X{OfR$FWKO}=nV|4 zd)N43%7F>^XbIr<*MB@xNaXrq#cg46Rc+Mz?Al-Q$9rDsW8ZoxqHiNa77mPUh^S_P%zf8+(>2J;WUmxargn`+S)DK;HeVtAJ^NX*Z zFaaJ<5i))9Uxe*{UypuCKopG~m}>7`OXU9g_7)8w>u5r#`MZ#{r1%CV%ub`>*RHL9kF8;xNxMo8mQz}Wh(ds)f>*8T=id$SCMGfIRXO*?& z2M4&F(S(Q*44eeJ@mAE8aoz6vEND`Hdb1KtBK=?H=KQSeLrFcCT#8R+e`II z4WsfO`-;xo4qX#|{oS8YSU}4}yU_v^rt5LhbV0Oj>#6CS81tyPh=}4LBg?twxBkqi z58dTPn)MS;uO}H{a==~^PDlCr-nh+2RO-exoR^muf=8Wob)Y&KUoNJ40KI)NR(@|B zEQu)Rtrq~j+?H2rOAtVJjgaMvw>0BcjKCay-F0VQt#W&9$TqV?xkZR%z&Us7)%Xc1 zvf+fXe9GgG4BE##)r4!%w2hT+Ov2Ieq85ks3X&O&zGFjM)?X?8SLjmeKcij51;~uUf=m=QXSA*U+}^>;HaUa?xIPx zH80@#>l|ahj%NT(0(biz&@cT*dpi}fZ*p={NlVLfq|@%|aL&uM^!D}^z~OmMD{7RV z-^IfB)5((T-gOvcXW?PdWM*nUFKpFn2sdnjk6XXNt82_V}XsKvY@&hcEu;@wN5D{6zmLQ%9A7nYFyo@_J^*@4-JrYybS*Q?X?;Z zr*v=X2p>I*w6mgr%A>kpQ9*CF_-wMmyODTg-=SBe^b=Ol+i!PRxTtf>jEoYHHPk}c zsP49Gqa>avi}RRIUP-X7IC`1FhR4mmHyk|UTLb6?SY&z7)$f!ZJm}wRy0}=_T4XWG zF;Y@e;R~@;aILxM>+kJz^dMkc6iZDned(YZSvIin+QWG2^BA;$QAS2O`!So^S(>oU zl=IFrcpOXgRGMyz^!?x_TQY_m7?;LH{Eu6I7pxT2==O$jdtowVf9Lk2rVyK-)` zkRloNl4Fg|LTE`u$r~(?Cn+EG&Z~|x>NT1dtr)GwYR=xyu@(nJZ0jR+(T7_<No+NuNTKszAP(A#k^XIKQ_z!$^eGa;k zF%7I2y;amGJ81^^n3p@)#)%$~(l&;9Jc5^pz4;{B?RR*yoX@OcQ*M@?-iW@qt-l%; z4|@~%CeaBT*{?M`A)F_ruJDa{>M)5e``I_t2imEw31Nf&w4sU*DErBThT+Xs-fNmp zze2!GD4FWW^3Z(L8l);EB~|vv3G$PC^72CmKDjX3^7faaTeA*YBc&CC97%5E3HvKE zE;46+0paybqd{pN#mVm7?Z(Y`dZ`{LD*G83Hfck6wVZ)`s&{z4=$4vIg9fe`_~tVm zkFb1nxY3~mS)v$XXZDz_cBR&&Pn)p|RkqGa8I*t&nDtS^4He;9?vqA=IuDy?jIgvK z*pCbJ4zCn;=gg~B5bficx6)y_o+>|UeDu<5ZCXx-={ZlodY&E*+n+8*tUKU;d#NLt z>XO>vJlt>mvNmOr)?szcLCF5d zvDW(N4v`U7p+KCSn$8orT2V{{jc5K41*_-0_ZP&k8M~TdSa1XxceBOmLA>r#Z(geN z77yI2&WRJ9xv((3on}8Awjz$fhF&fK=|sbCMgZ4{BWz;VIazJ_&qgnW*k~G#bCu`5 zjD2JG%sn^y?v#mHG82oujaXVQxddCKSJW?t=gMP4M7$@Xi5@8eeVVxk>qBNEdC8i7 zJNIl`d34=TYc}1M>6eRyugo&CX`@7L6BggXgb^^ZvBl>#xhpm4!df;sU@2f1_D)D3 z1t&7H8-(KrVUN%`t05mL-q0;MlTJ;#EGp!WmAX0jRUmg}eT=L5h3>Y;r4HxAx%J0c z?915<_UPJ=VU z=UXZDkYw3L7vWk2r&r_U*=}07C0t49B9PNM#?DJV{#Lw4Cho)7Wq5oyn&uKL9h&ab zIrOA1ps!ZHc(O`FNNTD&bU4i+KF$4;=Pn8rm72uLn`##=Y&mA8)}5TD6HOTJnSSMF z{L3}{-+xmf-7TJ$h{(gn3=?g89Mo4_Ac>=jcjZoh!@@~n|7BHLvq%vDmh3{7G%$O0 zrfy7V8=&_)sSAjit*Npx%i6$I<%ugt-%*z(N~Ja2qDCD}``w+;6+0_*SkVYK35|#d z6|;3%*k>yiHNm|a0?W!XQ1zB~UWzd{lE=H{h9br$qqrN0zFLN?7Ci%-F+Ot^TA3nC zg#h0lrbs@WH{%Q$6)d)L(^zKyZvHw}!)r`g{vD`wVN7bY4OjoyFV%`!m>MuP5&|nG&_vT<+F3L`I z%+wnqcJw)edA7${p0oH#MJ`E8@fi=K4(29%jb~;glzeX%^K)1pqX9Rqba9v z+*UbIyrydZ_R)bsHE$iWzCB0JhC^DflXSV~Qh<|aU9Z}Kq{^EUr_X86r5(1EYk$TErRI81=^ z0)$y@H5G3gD=8~NfLgJ4ii(Pj$??&EXL>+Z3K&t1($Uzs*jPU8QoIuoc{$Ynm02?g zY7gP?w$ZMBPp~~<*5rBfJSY18Zc%wC3LER225hiy(OHqa7Su7DC=EFY=fCw5?yCOG z456xs_-s!0958?}Ek70V7*uSXVERX*(qQLmX7rM>l+?Sg+igL;^9<4L<8yQC59N7} zY~arTr%d|ULybXk&FYan8QJ$Sr-RKe4A`1g7Es5$C{&n$tctNU#MRBC_tWJ?yiNrN zyk=Kzavw#+z`iXD^dVo)?l$=*=`DE!b$WR$@3xHN!J}Cd@Us6wdnarG>^V2w(K9|M#I{VZ6O^Xoqdj7$x-Mi~sZ-JOt?6)B9;)qLZ*_{N z?Nao<8O5sTcUYK@P(+*@tm^h{?v!cs%LFxfN$}+tZGcERk8|oe!|B;Lm78rs@bD;I zxTorR9$Lj(g5yBkFh=q6Dv^@MgJx-Y6vyu`gB;CAHRPM08^I#kQ5KVRK9G;NpJYm$ z8x7A&9VD>hJPPw~=*514Gxp5)e{wJqUy!`bIRN2sN;Afyg$!{P=Ov45V4j+G2aWAY zgDs$DlVL(sO`(m6o>Q_YD3;Mk_CXV zlEyt(=FRpe_j}SXHnfI=;6DCs-({PnHEIuz$t{F{n{LW&7um{DKdq(slj&Fjz&-h? zdEbs0TZB32lvG;KR5r85R7z&3vq6XVoUv8Y{M0^>CSt}{z+dBCV%JD~Jp-T4eg~*m8gzMUBope~Rhk$Tr8LMi z?+EC_Wb758i#M_HYFg?qB9es~d(hzmDnD(k-RmqhD<{g}MLQbxa;o0Qs_C<_N5(BR zc<-t0S5!_H5jKorPFtlM9jq7g;-|>WVSH=zepGC08qFHWzgx)=H%>=!4~jtKPurs}W0$n+uk2|Yc+PuxGh*G8 zut$|j*}6eY<#7!oV~zU&3oN1Y8&!u*y=qBZ)t#nzNSa3n{J-i8C=)hU#Suu8blQ=Zqe40VYF@8!WW3Kw+VDCkeIFGv8=aIp%}icPE{EDEw43Ym z*(iwOj9#9))ZQWvh4{yf(-%d<2OHWbT}Epl%a3UDg-S{{($50OagD|{ncgHo%8ifB zrMjgf!Fj4!PmZm};hQe!TL&ZujxDaoJTvrNBJV6EcsidLqx+tiY&6k~U*;oJm&Xc@ z`p_Hh#i>FvcrtkXGf78QF}h)T0GHYuj_;_N=E3{EPLVp{xYVhp)@$yTBMh?xmtt}T zq)>@`>9^QY@O*N7UxLbn3^u^&)6dKQ;Eb;=xBl)!Lc-vCM#iy(q|G)U$UzLcJd<4L~Dr zU^X^mqc(TuJY{f0z$uJh`B!)KA?tfkyaCnLg+j_{v%!7H8K@MH!55lUAiI8V;k8gH zukUREa^2$}4OsHy2dZq^r^{OZ#bc`Kz&7b@w_wxXp~z0=$B@3&m&@*>{$M|0e9hZ_P+f>PKagG&kY~^|- zIgZ&?jd2FOA4U}gmn&lo1BT#iBZ3X8?No<$U4QG|#KQuASD)`(X9XIdvL19S_FsB1 ze56@_sETa|30(k@AoYBECahzN%e0||!_Gc|XpC=ExG;p*#uE(4D`PJh#{d|0UAX7g zt2-zByk>5ik9l}h(-unaFPUO+Z6#Y-!%PxldLuc(k|tJ_6Trly`JBY!zFcBY9~#YlXi4n)z0@p^UI)-r&?ajd?_P zgO8M3&gjS)|Dl>j!>BrhcxiHpj>&gALpRJ0zbM>nCpl-De|D-ERc3!=P$iE&6x9CX zTiXcwK&5-IKlW=JOaJ=Y6cJ_TBCRK8s6v8=$Ps?ZRkVJqXE*2AvN|dHtiqr|aoi@& zIS=a$WSA*3^{J`(L`dqL?9U)RoQr`|v+(VbLFu_8FXXyP;99X&T_W4)y3u)gFl=vD zt#x`Ui;3D+fjr-5b~m~TZU$*OQrRuDU|?d4p7z(`bf}uj^G|bm2B+Cp@S207XB zOY{aq9yt|f%AffES?zg`+h4)8dcrmyLMGmpPDyD zk6^(DJg!ONN2fnqrhEv?S3ZPX&zDbr2jmjQ7iS1=-TFGO=h4!aL91bou)Cd%2RMEC zRib%fHk9+C&|9sGpfE*r`=?J;1Gi?UZYjW|6}|mH&`Q~vB=v$pWvW=r zjxbR>HkvePj78NOwXm{5#x2xgb>WKh{#_p@bG1>0gfR$Hkn@gRJv`0|=st^3t4A$5 zXHxLH6lpO8JOdfZ5#ryCMd-R|>;pYA=8IFxJ^J}4PY@+lO{?6=g=6(F>&X`zqbj{4 z(VG~(Z$0jYz?jD{7H4&4iI!-x^CrI4h>asEhUlw9gj1SJnx}m(Zq{jQ=g5#u=8dv5 zzGx`S^bdxH4tsZ;YK4$zd(r7N7`%Ubn=tq*GdP!;$LQCFC78$Sa zq&8JJzdOXS`1?Msx>hW~FDk>{3l_OWVemx(xk@oL@t3gA-2Te~4>iV^goj7ak47D0 zs7uOSJj(M=X=>)h4u}`e!lUz=&q@H4R%LxGH%U3yA-21*(B8dy&%Xb}g6>%n2qf<4 z6T(Ox`huBt#9%*U->EUZ>!PuxjGFjfey74UvAlcv%=6l{A=L7>E3IcV<+W8*=y;NZ zJThm+uz}4q#llp!u2W?7IuWVDBUS4~a$r8PP~NBV|7Jl!Gg_QNtz=qZ@@+KbEn_V? z2-mVMTxhnMpv|(NI|z)l1dM2Jcv6D-uggD;Y{(q%>Z+Y5;JL3iol3!f1p5tI6!s+;vq_GVobju_0nN#|M`ll5VV!6kr#R=XPI;Oc=jZVIc5o`M?nsUdRN-IY^ZwXa&E%G69TOYBQCFDnJGEV3P6B|mCQ#!l_@<{v z+_^a}b=yG6<%zU)s(pyt5_!P0UXPGDZp3h4YL1C=9HRof>J>SKPZPw7fe9w?iaLwK zgYYwrsdI|4;gR=7@AG~Xm&3_>q0RcLxsAH#On1guz5*K1Aa&tfk*sUTO6H9bzer9V zy5a&&t6Gfs#=XtBPBJdzvLiLgau7Ed{iCumDlvs|3^l*kn@SuznexA7RsZMKDEMH? zieQ#p6on(+-@kum99Lr+(pEtotc5D%*4LR87C+R zJgRBa+iM}DqIA4H3dA0`>va|q*e}LaR1_-W+e}L9_r&z|x9bo^J1s|4?yLYpAq9`m zhWBTbyI;UEbqaqtZ!_O~F89@Yu|q24t6qh?&?~2b8J8Xl-Z`L0F4P>OGjtdfQRp^! z(Ke7U2Y&lQ+J2=qk+5j-zK8OIYAiB&B9xqUqGv_IZ{U_19!bf~ zhn)FtLoJ+#r6tpbWNHG@1n_2OFwWbxy=_J@jHAKg>^9W&-AGWqs+5jcDi-V(Y3zM3 zl@jHp!H>wHMk_+0i|8C0gu4?7jSVV|8)}zhG(bq8j^3`OVL4U64L!D+Q}e&+Z=?>3 zb^;WWqStVf>^4Dc!E@PBG-C_8Syw0r9v=HSJ?nDzx2xbaJ;)n=S!BQs(QEzT>z^kk z)V;I-a%fD=?WU2Nf1pfvU)&qc2oOd^MTpovVlKw1v^2QX8pa*bU!E_Xap#!>GEw+< zV$U~wCcWXu>(EXRh{5HvN(2B1C3FWd-o5)Jv}i;vo(jcdGd6sBau%FsCkvRQx{@*# zt%?Ae-nuB4oj7c^<_}G*9-H^S?99z2KVxLwR?ijKFbGT)eEm$G558W*yV}J3#p6Np zS)zxy(f4Z1$k8f-4X$@hVDKfzVm;wxa~${+%$#`hQ~RfKyE&Zo@r;E=x41}<$HhiT zj+3i}gVzS`&c+etjJ)uqRkMMKouAN4fnpDrPHkgtBeLT|q#@mN z8I1y=;hm*NHu;s|fg4@YGQ)WU1SP@-<<#oEJ(MP}J_Yq=#6X`$;vk}xW!)i6PMUQnD3I71eu%|ye7e&d5U$Q)Q*>NbMAP;SMnpd~2zK68)#;HoLX|aP9>%Q7}$_c68&hPBGaP%-f zkt4u3Mb=;?yfQ0%&v!tHPUN?$3l*~R^kVgMxK=j40O@$t4q}*V@e&7E2Q8sXu-EoQUPN@Uc+grkpwE_dPe&dM z0oNRok7!2-O&w*-cpN_Y4FyZ7J62kct0cJ1H7aSx9s5N;+h7RZKX6KsM&A-V?&myv z!+7&>Zm_nq?=w^&LPe!zXU61GRuU=L?lf)(b9uHCBa7l$ce~&|xTFJeJ-|wv-<8)o z%C>Mxfsxs0Fa!AHN`qpCA_scO0m&z<%Pv2z&BO?Y^_*G7J{qWz^2hWq%B>9xGo@Wk z6%;>4AFf8!Z5IQ05d-+xX0+ZPz=E7eDlg!8Xr&bTf!^!+2~+l?kc^wK2cJV-?DYqLyX?q zjL!zHOEi87gGEGW?WYCNIqm3lzZa$hQW>#7^9uvysMwqrzv~(uMvCsKQVH}pu{FLx zc%MsQ`uk_knHkWRTY)=&Q$u_%dmuwT=j$tOps~Xc>KfgsYRkwJpCZy&MWIaDqDr6; zk)M$AMJo%FKRFcINow@I!3UwriK^vLMbw>!jnmr=KkF8ZdCF+38*9}Y*Ihhn(O0)< zBlI>r2FPcBVG#gVm#8z~x@>ZV%fwl?1xlIFw#@xbeWOI;6k)C^VjH6cjbQSKZcPp!EplV4LiOcTN{R-p>KY ztMu*yZpd=Gg$_q&KEiEv#bue6R_3HNG+?N}>A7M;CE5$!kKP#cDmmY^uR175p*g>3 z60~g%kXuwKb*ILY$l>{RHh8CD%)ytUY{##p7cVDz~3~EkD!?0 zar6Q8_>q85qRd9PQd8V(?o;pHq$O~{w&JCDEZK-V{=8^dY}bs>Y=0x7M7?eDnp}#0 z=_@Y9+<-0ZgOZYx6h3DNXN27^I zC|JCvj@bt%_#3MF__qq(`90dr0AD`p?TV14;j7E~le3dA0HA~MV`KE|a>a7my04uD zl?;pp%Ki>)bo27VGMW8AX)qG9x#g2!o5KBR_^5qH=j-OVWuCB07(LjBx55$kr0QqA zh~|Dq@wmw{x_yTaI~0PyAX9y=vqf}qur6+VueuJlQK8v5S9F~0ly2YE)&Dh|oeEm) z4kwKx?%Bj<>)A4y)lXH%4kO&+f1fs|YIxw<;%aJ|FPsMI9)xLts{f~#_}^W5-%hLs zAs)^LNtnNW{nE@#PZ!-kIB-h(Bf0euTSegj!aMU61+#LgZ}_lSv6+QS%~h^sGmMf6 z4smR(3yy`>)v*_&s#!G{9ju#1Z>`Bi4Mh<(3b4^CU!0sh(%5T{uPe#^iRSMKUDRnt z@-WyRkQe#qh?o<48&2aq_jhTHkB*`;Go{H>L+;?s3>0$=)jL$-KrE(# zEJuP@zwVoUFwpGlx0e#ls>SANDaq8*SS@dFw63r|4qZLCq)r~#wEHBL!0lH6u5RBt zOx6|nLj)rDNwafciON{71o4=p(lRzPD!A`h6{QYiY;*LEJV@(Tx#wop6EY{ncIR+Uq3qvMm;1WGf@RPsnD~rm8{QB^Xu@j zI^k>fJ4RZ;-<|tn7)$ODFIp&L+dxED0-1lavqxEY%Br`n2IR>_GVspou}VSrVjo!- z+Pmq@&JJbB+k8Px4)^)ioBevqDO%Tab3^}a%$^gqNP6=}NeS|Cm8S(LB6_o4)oxk& zlAwz58HT5tu(+c@t6m!AG_r^msa7oNL`3Bt|wWk z#JfjJOMPK~h+)efUZ|i=?vLZ09p}V}fs~vBser>K?mMJw{3L*dNH4gBb&A_PH*k@p zv%OE%n^Rh&&jED-l6}tz6Eny6e?<{GrSz2D2^Drq9&WYiJ55tgx+dv%UJ8RF)I%x0 z_7C1xI9RW1gn>vHA;~eu(!X@F<n?S+8qh28Y3 z0p``{gt6S)kx>;vDYRCa)v>c%?ubDSr)@Rw{5idaE3$)F3XT+zgroyt$|g^6q-+!T z0BWtw=j=x<(cIBs4`MLf1829Q!3Y*O(*)^J02elX1^((l1@ z>34=QdH4;GAyUp>x7X(Wqy0y(uvzO(&+G&IynTzf z75Vk+J%?wp=x~2guRHjUR3j%jo;(p#Qc~JL9fs|D+S%Ey)csR|DHfMKA^jvHp3fWZ z5GW}j)yq?MmFUKG-i#@ais~qPsd_yT|JP_mX-OWpxzaYWGvB!)JEoV54*YJ*)VXF3 z_1`pv{1ji8tw8oG`1x97&Od)Hz2Nq}m$M_=4-wZTHvIV|<_th!#**t~V$m`}3OodujhX)xW+ZKL_a4 zSM~A3!~Y;(|MzM99JylBo4bS}ujwiOWreDUfhvGF1$^;qj`q)UNlXOBF1r<8rt|+M zHE~x-5TaoHzYOYne~KzU0LET0!#;M+oXcONW<;q47Pt5hk^6~-h1vF+{w3WHEi*H_ zFNQg}{80X<)m5$@YJyCLy#tZ{(^`3Gu0qmVA>pLDJ|YgHV%Dh>D!C+W{fB zQg9W+_cgrFGXjWcj2nq6lTnrJ>+Z=os>8d-$oSoKTcM{c0VJDv-BA& zN|hN-CXefd8T_4Tb3MCaIRCc(`010BY5sk~vCK~=D3px8eg-iy@jGMV+zHEScXbQ^ z3GsU%q1PdF{4US$W?wH0K)}0vpOVWqGk$Vj>$Z)kYjoTDaJu=c(sZgOs)I&QQV}zl=HhMb+2jF^f(rnyTtC z^Rc4H3Pq?Ms4ow|w!Z=#!=l{2TJK_jS(>orWro7%M0to3W?mPzzOr##99K+iS8>dn zH**|T2Z$)O?(3PRNMlDph5%M}cURZfj~}rZtd|l@p;Z+Uz;UOY2U^cps@tRm_bte! zRGEg>@8eye5PbWcd?hkNanPz)g>Hm)RY-P@P~PPaMk%o3*5h|8c95Be)jB#y$0hC$ zGlheDD!0|O;NhtJKMd_(MDxG>83sx>dt1Y;3Np}clHAqXnQd(E?Bts$s;nF-C^71d zBf59*aT1SJ)ESW_6=gU9>sNdkEXqQ9qWK!9@BiS4sH za^do4q6%m~-kt#pgBgq!YI>F^$jF`pbf)chvl zyzt1QMvq>B|njM{Ob-W#ACOA@I(N7^Y)gU1<;lSlUH8_!< zZ@PE1_e*)g(k&`J2?Ccb$lP{;RnHii#%E-DM|A{KF&U!#tXAkxTv4A(T-rSfOS4O- zdV|A0$F^z*UQrp!tp_zV8a=9jU~djQO1)WLVPq>qKIss{H=gEk8H4l~`vUD+;Rt^A zH&*ax1NP>9zkU=y0=Xd_=KHo&Nk?aUV#KM_4ixq)px|mJkaV_f7A2o`MSbBFcT=2m z^W!Z}=jV=l2SilYw;$=aX?TWXC0<_qep|k~<#H%IE`62X9tyh5s;5a~R}S94(|5$@ zGQ%(vc$XXTi1dO{Oh04DXjf0D8i3`DhMasNE4`%l&#YkUi-$MjdwloudPl(4&Ul~I z#3gkdGxGJ2HmM#uW0!{&y^5(8-dsBZdAOnb2UZ+L-x*Q`GJ=e$0dgsI^P$}yvP?wF zwta#rOmyc%EjkRo6e&X;{j){kU~^T7TbyH`gAsZKr5fuBfIocKT=!ZHdo@?od~rZI zqm~rhY~$PDjHbLQ^q{uxN6t*yEMKK*P=74JbtST2yQRKXS5I6k4ex@Lm30gNgP0520n-FoE+W16 z4FrFmTs&B6RukL;n7gt$m|a&?XaZ6-^dEeEng?t<)BEAd0Gs$5M7~)PheB+`{URV0PL7{OZR%*Yy4a?T6+4 zGPQSFhRLpOZtG}nkY@waEYrbwU%W2w#ZxhiR{PfcJ2@`(!N-~aq0ex^S85+zCZofuY+-(go+BP>=j6P`yMkR zqj?d+iUXnKX9X0QM*^)e8jVS~ia8>1v9LZHjMFj~+p=0*YaK1;tU@awl>8_kc&rN^-r2)dZ@r3r{A~4&|#iFoK9;kL>J&&%~M7|=y;iOd1 zW0GWyHNwj0Y>UvYk5NZOHM})92sn3r zeZRw7=l`iu4wdSDI0MuG4-o7U`CG(jvO1>@>OZ90{QEAa>GX!D^+m-#vakfm#CR=s z@aA|q;?5j5@90JWgr{b;w5ENHD-50QS^ur5=G}w?r0X>!`9G|nr~}Eaburo4&+#08 zQkU&%2F8;~Mn*^t-eVVh(z!Y(rq%`0dtiX1qKe6Qrv_9<0PVuGu7YlT<;>FrO;(v# z0a{@8x5DW{cOIoC$>>#X*O*U@1z9@q*~byJwLN%9YyQL--%??Yww)!9N)3*LWG2c#S&0$PRh+dbKXW! z8|%4A1`5Fo>+KG&QiZazddq6Mz3XcI9065co?b>kxs4H8UIfvrAT|lWiW^6O`WSO^ ziPc(k;6S&uO4s*<_ATLt;W{pa0%)3wVaoO z##q6)NyuVxoZb#yA5KK-*%ngGL`FfO{d9z{yn<86i7}$@5yiv8RrCmb60B;mH&(Z+ z_W59GVr=zR=G1x<&6rmSB0Lr#kjf}ZMV_F}1f110bQ_E!;a&ju`YJnjzxDpgg&dT> zdtfQWx^w8ue{*>LgNwvPcIE9lK3`l|c+*%E6&3Zgpr8P#!DPn3z!)046@^bo$QwXh z?}RYM2?NSe!T-p>$m*mw6umzx0zcOdQZXc>@!odK^W9@7)6FhnU$w2v-kgEJw;5|k zJtd8w(F|cM>a#S~B{|jCNuz|l1gT$Mw0hX6!ahnivb}ix&a=Vm zkm5LpexuG{S@aB}(>TZ7(X?_~rsx9!_v79;26p{{V^x|pC8_sL&7|DS^a2vNp`CnK zkoxyx5B^55ZOVf=+rJ`B@$1tGMS>$pv<7rUA@&tOm!sn2pG!zc0FEXtyxJ1U~E^KIYFK*rZL!@FxFn;Z*c5`%)w8j@N#<&uyH}ZMcJC8~O?>Y)k|^Qv)k4 z*SRD@^gM8E@~F7EdwMM>>|XEKkd5l-`qb*@aQN0UEq^#K?BMwEM8?fnXH>+Bwl{9s z+8yRqFj-)Y0-02^fOkSdDn%x81pb~c@gAT(QP*U!gy~7Jv9UR<3=Jt=6?wud=$<{3 zc65|529X$26B8Ta#MV>2ze03>Vqr(QY!Sth3(|26ooi7#{F2y5GnGgKH4)ho?<5|> z@Sf@L*yykn7cV%B&WIv7)wTro_aFeZlZoy0gK-@<8UpwFzQgo_@h49B zMO{T)EP!1a7)s>smz!huHfC?2cH9d$#+2=vf@!6Dq_qii{(;3_PgJ=CuB6mf23%>H zVbVW1IPNqqEhY5@$koxL1&i`ICHK7k2h11UvSHI4t<2W=qapjMPzfhAqW0v2*OxDk zc%{GW4U?HOw%-2@BDftEK7_L8Os-HNTUwE}eensl<~k~cfPkCh z)9TXdD`Y_+z+d$KTsS0`MGJrRjDv1ynuJPo?_O-Z-ET3H5JiP=#NaONln9JNSa)U8L@hIJP+%D2;(NRrRI=C1j?W~zd@Gv5{BEo@U zL^MobyGj1_>(|K12Sm=jaGQogcv!8Hk}6OoDq$>IqiNDifHqpMrjL!A&htu>_6ny0 z60ZDzFfu!}>x#=m-eRetTYRZqvx#UP>`djr*)!PdQXMA_2nqj9cu_WL@IhC_)6t?! zx3m6EyzQzqzeam0Set0f0W(nD18&LUe5Zu{xt0{T#5P4+Ym4c{3tOt!kAS5zwe>qM zvTO|eJTX?M0}t+@29j?$SF9qzrA&a18@mn$=+Ayz=rSADkghq~$Z&h8QP#zw?*~S-;Wk@|8ih#i@xwjj9%Mup)R~`} z6?)Hsje*yjFOIcLn_h4twZPM4U#@e8x zx~*Fnmk>0;JtSywcMA|a1b26LYb=BSK?A|1u>ir{-Ccq--bjF;jWhA72vhpob0=k{54jG#b-|B_I zCWU>yRDKHp`*J1DS||= z7v{0f9O={II@j#e5w*Q*!Y69$&797_V`b0aTPaAJ;k?!@=h6ci3q zG?bKV((<8Jh<>gw$uoQq7J?oDKM~WI8%F{Qrms;^fW7A>HG7ip1nesQog# zr|J?(L0N*z2yh$$x1YB*{w_>-Gk!}|UUt0N@K^KvjvAsz()ko-Sw9p|e(TqIa4lTt z@YwwEyK8drj#@Gzl|R~qDBl`XzKs634vP*oN8vAzdUU-ep;S053vPxcC`cKs!n-WuXNCEup|9n5v9 z$0Z-DgE=Xo&fmLE;F*??jNt04qZ#!@L^%x>1LZ9`1LsTP_rVRj7n;>vpc=2$kLL)0 z&@*zHYjshq`tj+1o^S$x)1H`1(*Yxzg>l}A~ z;SdbcrN)3bsXk zX(=Z%~csbQD-e0;UAAN7lqZ|O6 zpG(RBjGXLiYXk?!DH~lJl&D#15kP0ZPsW6#Aqu%##Gep$=yxldZHE3td8X&aj{1lw z^uBO~8&T3xuy=RfD6FljS@JNsRWFGsWHGwAe^ci-{%Uk|dR9W;KjR;10Lai+2t7bF zz7~VYmgc*1Zu|S2;?u^qtEPqutz6iiJ)#+a29%hD^sr5vg@e7e>|&D%KU06)d-&Ve zi(ubbQIDtLC!h7*S|2FQ&GXyC*N61A2)Z7+1WPCTzdrx}d!5`6d{ayLd+H|TxE@(z zg1@7j{|1kJBX&m!9b-g9giTNSia?}UugGglR)iHFKnZ!gh$#itruHT?9m#4poi&1= z@>Uxw0e5GGi1tZL;$MJosqe176;&Eq506O}&FHkpPGW~VvZx#TeY+(Gj#A&7|GG#n>iMBpQbU3Zr=xH6w@P@kQtP?nM z?yh6@ozAfyhxDT~Ps7m%`?vw&9{W)sqkD{JG*8I$3 z{~Mb&pN1e!uIVayqW3A6eHUW>-kV*D(my4kYe< z!&c2{KNbG>pE5%UQln--v?5W{bsnEeZHB-iHEHAa=m|DKGHQszGeE0}hN69~*zIUI z!Z>ZWmFqY2^8Wf!TKXPgGj1np!pcd`ngKaM0Y2mL;l#pX1mIqP1L`2cr0BCsHUYxc37EufL zTM{VodKtE?23Pw$WKF6nNyw4x`0hVl1jI4m_y_4>xI@I16T4+j=`Ya^4G}UO^F5Xq zL`1LOy!p|k4rZPvMM!n3*bp6vFXCT~G-;TqP;)#>6B)2#MLYaJhsgL0A{vuO9@(uB zDj7san~MJBjQ@&p-qb@I;R=51K=pSs{sPY_XigCVh~l%-d3DVH0@4nZ>c{pIT>B}^ z``_I3zn+PBa46GXnM4tX=l_i6z-2~I#;Dt#4*$hD{P$M%BqM0k|D!7T&rkBd{z4eW zU&Br+JBRZ{+nm=Lv#^zS3l$t{2#5`OekX01nDG76fAcj} zS-LuB%Fda!*yk)`oHHk(d34zESc0p&*1JjHvMZqci%Kebu_guxmd+4bG@8$x{t!|4Z^D?*5rMi_5uB<5IAjTlB6`A_U$-Xiqf+uU6{&d zJa9{TZ7c8y(Hst(Y!vS5lBjm9CmEv3k^-o7yo;2}!mM7e*HIc*N^mZ)@%oMc5w0Lh z;En=WeU>^-_F6?#W6$iHQjjAtAlAJQ6VAr%x4Oo_*)o*qB%cO0fb$4xspd@wW}F*y*kOLReWK2kAujr~h< zz&39Zu72%R-m3h?e48QJK54N>zHKfEA!gZCw9bRd9ls~&=LS~GxAUXX9lJfBsX@%q zbR~W4BX%FJ9y|td(x^{Z#3UXov%uU>Z}Zi(C}U#OTHnhElBhi8x85&&h3DV@elay z_pQF2b4i&i*Fx+Y;c@L#ZH9db_xr_1_B1)rsQZpBCeW#+1IQ~R-u`1+xXp7Q%bdCd z=vW&_e8?OA>Z2(Tq!*~R8R2N7oEMVk|LHO}lb+n4JXcg7mp9>~ry>!) z(cS!uYD=1sr)ZqufL2m!KJ%5Vfs(s@bSb9N4H^FMB%+?)YTs5@WUAKkB9FyJs=^Z3 z9-ycnEevcAYCI^Pyq>qowIt`I3(k8-g-!ASADdczv-%=Frozunp>h{dF{q@Ws1Y~* z5$cfV4#e=5Pz)HletGStYv5DXnhF82mtKTPU)y%jxQkmM^nF99Uvl2C@);mX*xoD% z32-}Cmtq3v;e`T&pj8k6eB%I8ZX*kmlo$dY37)PpAJWJDi+k3|vR6yzuIx7)pVQR= z04Lc-lIv-kpWss7Sl+PU@>4PIPIYu6uc%W$t+~CIzsZ39lDhsXp{}9N`Sz$cf?8ny zt-|)n6>GJ>{J^eaWtidfVh!r;nmh z84n=KjmE(C?)LecrOcs0xuFc;w?pI`yPdEAVye^}pmnh6hK<yKJ2h#!^+7^JTSm@M$|uHBH$O zndW)p&#qz4^`-&u5$?vL9SFy80~ek{DoO{K0_t3O@VF+3Xu&Sg7Vb|7?SKo~<6)B? zZpY7qy7?Cd4YF3L8ezU}*ZY1)U@{lKle-TASqBld zL_fDFMmjLQ20XGTWh?GA5|%_c=J|o7o|8>m!kyYrnu-zq^^3KBepFOPmco00L%MD5 zt`2Oj4?o*16-Aw^8lk%54)7<+;?m_6{2WL{r_(=4i*HAC)-N`A2vD0pPY`zr&Vf0L zjBX3DIG9Bm`*7QCxaGV+3_tA7(1lxJrmtFr5Bd2UMYH4Z;f_BP`>@x_dBEg6JzhfG zFOW;p+0@#9jXuK-Tn^1FWLD7Ft8I(oOK_@1{yg1IUy+3SK)TA56|gctx8`f24sz(p zJ4eMq9umBUj_bmZbzY(mo@l;oJbsETps0QT(!k}7QJ;91CnGezqvqY_R6;!J4`;eN zkA~c@HWadO61tbPSPfZ5fmsy0j+uo{e(jbkS-xHV!(vwkK&nQ_8;C*&e#dTw;p8lw zYUkSL)KRz0S*3HR*m4JFA_f@C9lk;F2Pbuht}Jk_Jm~W55-l`WJfd6u26k8SdtGhq z>9uFCJE;L(kg(t{PLf;S-a_g%xC&J$>Zy2h37eDr3chWy-J`*|t)0L=jeqXJOp9f{ zP{WJJP10ov@5ONTXJMEJ3Dc&+Vh8?7*qhQlN9=f_bA%2p)6b+P@12X$NZUMGd|a~v zaj-vZsndjRaE5f0qXsa4zm+`P+Qt5?Eh}+nxO90z=(BsUp7fdimp=x)kFG~(^SFKb z;M;u2Y{1f8lxOziqQ6^7L(dA<;zrSNr2za(R#d+vecs!SgTX z4}Vr{lOl{e-RoLummeaExJ~vox(~bd=26vo)3TRFuR`ig&1j|FSnW89fEk?>83GEq zj&@m?Cc$)W6AEUg6+ixX+_vsN3Jd;_D-F;-%9>*G<(|s!qJMFV&a~#AZJJ6B9}G;3 zEqAI{Ln6CiU5%t)R7&X1`Ori-7&H99{?%Z@l*S!yrQ0kw=r~s8MJc(Ut=eWdd1ZYf z;g!=0k7x%#3zt*tm|>e(?#(q{DLVpDZ#1wTYWHb)%xnDJ$I_ilnUcIVF65F9`KOGcspx=qy*Fu#O?%LIwd8I~Gt^Kv7F9x>r!Ea{m zf`|TlyW9@~)+~@jeQ!p*2kI{g*whOa^vQaEd5z*xrl}%kFhj785vrU9Dz}-KdgJr= z9l;NG`K_+@(m~gU3%uZ9cx9ox7@r3f8A$5y3+PltQR=;vUkqqOQI*m@Nhd}fDzuOK zC3a^$`0P}+;mEnE& zlEh#w^@V=1CHt8xW;re)%KY{A@3=sMZ_~bUBCc;~oHRWs1y@Z@0!4e&Kny4fYZ8Q7 z7I^wjN;}?o)#OaSxiV5=HJD}@`-}Ciym10{ zNH{TuWv?l2(q7B4v|5igbzRgjqOz<0)XC|6AKUQy9kTvV~!e_2JEv~u4TKwuP^c_G|mpnMQZRL=3w&WSJq{Z>up!$PgzxE-B599bfD#s z`6Be(Vy45LaGPSu%7G3ecK_#3hxyX2z1Y22#7y6;!5C6e1Htj{EIW2IoceV|Eav?E zr>*lz!harE zhj1z%MRSFEuMvkR3@@pbBiYNZ7_Bf(f*z*jWl;-e(pd^GpM6Z+cj5r?A1%Jlh%~Oh z0gjlmy8uVZ`3j#4rkslurhR1~^~Xi}E^Gs|T;Io2algH3T}TzNUbN!91d-dEj}4O0 znGAag@ACLgqG1u{Sw7W1tcewRRn#B7yn7V%EY5)1cDM$coF&5^s=?IA*V5x zeECjLR4N@BKLZ<{M)$DFt=AIJ65qE)gM;nD)=bkSNuJE%tEM_``E`W{@!`B!n;z9Z zK`KWQ>^Roma~aJo!3~~3P(W65aXjx4s9F$iSSjY)&^Cwco;d7m3wD|Mvpf(-E86Es zXZpZ?{}YBy&0`)V-9ks)DBhMsxtpSH>a)I$MDR|M$lwv`aXFHOpT+6?WDWkbz-Ro7HIbE!pGGRU4W~UcDO^q!?%iy2l;Bwmb77VMB13 z@;>HJh9$ocoN#4kHWTRj70Lmt+7b#eMs*LFYt*=3Ls)t+qg=1!SeI9p>sY~dc>UtM z*?Gh`Njhb2=SE{G0@&Q4|X#)?z(x{uB7Sc*&b z65+oL`T#${-;3D=DW*U>maCQhYT=c*-C)f&2^(pGECy$elX~GMRV|2@*<|?hJRB^y zO;1`eO6^5=3Bq})e@t?=oDu3^9>xmo>Z~{*tKF_DL&7&8|KmgBw)*9%AS7Md6_+n2 zl~d^%u-PgX=C&7UV+AFxI5GexX!QrJJDId8HU0}C zw`TQ@*AB%_Ka>{hrk*CMd2KU+U6~H46ZnfdMVH$joJw$acJD%-_?1aHygsq0KMW0L z8kgyCBSv^~U!Dkwc;BPdPsMjiYjqj$Yc|gk+9+g!kEbPg!K%621K>Ub0CTHqSaffr z<0JP|{mNmVU3-oXPaq8-@n_w%gw1*;{}lZGb~nwY(i=XzxSGnddZLHaK@S)<_Vq5* z00&>+O&>1U>?Wb<^{EonT4sIxF@Yy~oc{f&5B;D~^<#lWK)rfO&~pkN`t(9sa1hT) zl0`0|W>dP0i3PrsB=DiNJc5Dw1>gIqVzf}?;CEdfE%A%hd9n|cN>00W)tBR_>|AoH z#J**Acy%_zzF>df%M@$Y!VEs$N`}@3bu9=!*UwWILf6R55R;3j3 zR*G%AH;`)kYW>rdCNGK*65sOpB02;k%5JE7j{2lp`eFIiWPB~&t` z9r}|>+xMqU{L&GYrbl^Fyu3Ky7K(^^^p_vd^y#^);RT1Tjcs{l zgO*5w`*t2NG~|Xe7HJX{P;T7XRCw*0xljf#WY;Y7GWVA!OjU-zJHK~Ua@mQkzjj`q zkq1sbzCCfZ15x{U<2A6RR$BRN1luZzoHqSTTfI-*u)nhue6KgV?IPp6iL z-3IsNl3FjtlO!7aa=?j5UE*e1xSbOG*jF`MYKwb%l^X3Hcb?K3E@Il^l&@c7)ipQ8 z2C`!0o4nO2|LANRyW$TwK5iBR&AuOKNyIyFb?aj97xe7rmb^djM7GPub2e{s8`=+d zpgFed&AoWADj&RTujn$D`f`0NWC)@e`BhDZ-_;npmd7t$c7ePk{*X7fW*5%%++%&k z9g5?7uqxwnXfg7+cQ2E-%DYc!ekbx~j&9o+ufjd=lB0hA!HjV=K+$&UJwGXd#OZi# zG0dDjTVd`-PI|d3q1mZ57SnODN}#_|F5CPC(6?)_O6M|=!)si>xy^Abmvh}VAUn`> z>=+ddIOtK5WXz1uhAJdFi z1gq8c{Fb~blv&rfZZ6$Wc%~f8KL&CeB5By+4XJ5*xG3TLIHi#k2@RO~=4`}yah?U5 z{y@>m1Q6dqk5TU1IizJ$+eaAM#R#OGluC@CbzjcF4rPQPvF#C=flzwfr5jUXUk7!n z|Dx*6_L90reZ2%5nvKGp0VNbT(Jn5PPK2P(dC z9SloOGxANBt>&#MPMk83Tp$xZf{E=(L=tRbuTX}TDSxcc(tn7M2Sf!}KAeD_ za^g=SO){ADi(;k0U z**l9*)}X{35Az(D2B_J9@zkx`j7uUAuH@{amouz5^-71$rK`r1L=d$xbavUdd87x`!^EY+&w4bA_ zs9OQo7vCSGhw<5BH1)1IS8wQJ>Q+;{4^x6zJ(uT!T^>h9;(Z|fH9u8FusK?wGB}On z)%0&}4_`Jh{?#qTVxqNzZf+9UC%tk&up?XF?UbGq%)#=hkp5dKrG{Hcj=`{nqc9aoo^H1%xLPHm*kkuX#*QB5Y1mbpb>qWc5s-TrmAOi74 zQG<#nVT_5S!xX?;ozjUW>jC>|p3KoYaNGfR;qcRW zbsS<5hEWj$s^aI|c*@HVwogKXnfNxy@EZgDCa~ckl(|4YXPc>xtpLnh_8uceKaUdS z2}gW!r(!if!;b7DHDb1O9NI(2CT$YB8_}-KJZPZ?XL{N74R<@J@@OFFX?cGFa~fY+ ziBpi+K}&Fd!?PKgtLh-JST%cet%o568By4KP1Ncjxbk9E{ z5nt;nycvsuCn;BRO-?(de1~o#<7b&qbttqS{4EZchV>)#No3spswR$;m7!)V2z0%Ox`}d>XyZ^0txZgpi-`z)Mmik4*7Rq zvrkkgOHR=4((YyN$O{(^3!A(1W}GfnK{{E5rjz6?OF*HgThP&RGZQt>VHDC3ymNUP z;J{yJk75*jFltPd*xDTOUQFPk8LwNI9fQ_>%E>LY_4c!}(a_J|44|KqA=UxiD{L=s zCx<%JhaW)59c=cO z$clqIUZ&1^&;RZPz`#cWc9d>H0nnYo6q*|!94lMz4$AwJ7$bVmj{P4|@p|}J%=#zm zX~mMixn=!EHgjjgc@>6$RMQHt_4{}_AFX<&Glg1Y#($;><+UAU2U1lwZE)?ys@sMf zUQgYc;1K_5n-(hMBYJl&(Hf5_DDE4c;fQ~wN&ThhTuJRa!;QmlyS2SN>T=^pOtufn zcsW6S%7QD7I-br1Q6q8Re}n@FwU#_$*mI~Fh8)F^p5th6N?%2wKRq)Od!C){2uB)m zwv--zm3XL2gJ)Px5%2@m?FJ{ogME3$A&&(2O(s1xpN2aiSyik)-e z6S_m^{N9MCakVMQV^V5OL6%uKDlQw4eOrXVs%d-mD_3(-R;e>p8})Z^`y^>iE3G3{QE zs|aq}091R0dTt}zcOIq)ZhB|b;Pma_QLA}IynA3WHI4oNQHEgq#c-U8K&p2xAlsqM zpd8s&Z~Rrj8oiiZ_gMN^W|L2-6zwM?ae1(&U4m4u3{r5FlSc|9I8o@BxJ`U{lJs{J zarU@+r%atv8_G~3bPl-zj6m|{P4Z6*j$L2=UMrm9oj4+ZPet=G8RRZho>G9ZYo0bm zy#gtqC>78&+uur>s=;=N$)U67cB;O|kskdAT34Wy^HCEsCtGIk| zSk-edS@;2sHUR-ppBZ5oiS-!Q(>b}T0d=aRIyRJ1UGNLMb)@G6&?`RAaEmerF+R4Q z8ei4diMP|^-z}~Ch#xVXMOmlf+X6PLTx-9}fR)qgb|tI~-7{EYwRzag zZrAXxZ+bOM_qmFeXi)m*dc1IT%X13z{K;ivQuV()YlLU+5yG9g4J%Z9%n;eo^{nVK z=J~TNqk|kxHfSQe+UTDDDL{;e8jN_t_nI*<4dlM4JTa!eoiew5Lo@S}VTHRfNbLN< zV=?qBC+&hCXj88<`XeX+!NleEuiI3L6zJteX!mUygX*bmkjNJ<)iYo>{xpi~G; z?o)|J5!@a4ZWX$m*+a95n1%M_$NG@-Xq2snk3F68MN*Dy4*iaz45=clwui47+XWU$ zAYMydI^+@H4eR+~25Ovq5sp)%>A~E?yIA;x-{q-UW!lB%$C+l?4x>F##v@ z=~=Ak;z%dv)tk{h{S7{@ub+CtiAd#7^l_(C4WZ9?$>YMz!NSfek5qb}2{F~Ew2+U_ zMG3w&AQ9tNdZ(}5nb10cS4rQh{no@2S}<}0ob@tKDB}IOC)>T?!h?VDr95CW=WxHT z$`Pchd+|l_nv30B2LOMBzYU=A4&=w$;&!n>3y?d=2n<-hBWJu77_ z6+;rkE)k;)uX6@6j|G&We}#t)j%M|*?pKlR*#$rYbu`OiB+gjo^F24=`_)vrX!p-z zfX;dn-9V@D@2YLOl7S1V7-W*M27Jsjw<_5XcIKh-QFL~(2hIRKd%T4taTV$AJL8d3{ z)!7$q_2|ji;!j(i+g^8^M~)3aa?+t2R}@%zImOR(0-FlE(8WY zgr2{|t#b)YkWEA11U5u z+rud@NRl$VL&!Q7N5!i1)@&6sXkVhDE~?3;YmPFP{kfib<+CM%vlsp_LKM1+7vZ63 zNnd=&5YEHjueyYGet@rjk@$XW$iTOH9p|Ofdyxh8`-;3xC_S?|_&KgYOTMaFa&X1s(+cUXM7eerIpsrc2#30sDVZ z_WJx&f*I^rdl-a6@0d4ZXuIEk&2)s@Z%Nx)B` z$~TR_Xq?ff3~f%YS3>>YIz64HNl;4;K_6316Kax7bChTR-Fk`fpEea?vqQq9mz*)C zu)6b@i)^v1{bBoUireZ%DZUcXr-c<9KS-mFWz~$1A-Zm@U@Y8Q$J0gSuNVPgubcR5 z91cE)FS^)0++8a!BYjHcLV3KuZZ2|b^>0)+)htsXZ{=6euUxVoBSG@FQO&gozI_Y( z;N7_(b+$t~s$wlz>zzkKE3_p|mX zSdBy!(v&6q_$l7z-ZG(GUkx!DuinEwELvA=HdBpSYJRpQEFx^8ds+!YS?F7I^yC2HmaqLGQ7E;Ek8+U9(w)y;X;HLAlxzW8L6q@ zClYT5+>lEdZYe4>p)K%Pkgt0-8)k;Wm8RHrFx2U*lJL4_E~Ug*Sp_y zXZ|9Ryy3<|hN_3-`AQA0hn}>DGq9$kzt4;=-&iWDiy!cdOW~06%ZrKTtD8UtX5BptJh+$ry=La89ZmsOVX*@2wKuJCWcc)uP(1!7$5U*EJw7^Dd0_N{0Y@a}B)+ptt{?oos2}xL|M4ID zup|o?N_n&uVTn45oJZsCDeg%YgPElkuw4YpOlAh2IS0{)*crO=K|$k!wT9stUm%~U zK5q(=D@Q|~Lple6H+;pm8sEx5HOh)Qn;WyX-qMIau4y>|8HHiufBccwi#CEEE_E>h zu>!_O_`mVZ@NCLWfk6k!X;i$i(*6uZ(*B=Qowyb_phlOlhd=u-BLe&8&-cdW+Jr4d zyr=1Bp&_@`a`Ed-8l0S~0arwkq8@gAzOjo=e0<0={YI9?Y+jy2^phV^64Nbb*60VC zzsM5~q3vB6=oFgwi{MUfdB-O*E9!<~>t_2zh^lkTOPKf0^HwZd51~rAqKwEAJa@Z* z>rfUj;^kM>W#UKZrPT=BPQ}lK+LEPNWv2)Q>q=4DDZh9H%!f#9rI)YuE(%I<9Jo%% zvM1PC%j?mZhWYX*pUvO0*YmoAE>y_yMO*E~b)p4! z7;&%|?r<7PV>~2)RaOtdxmq#c;B?^NN)qE9N`+WY;h6*f;`zk^!aWno!Sgg;=G%9%-{cFfwx0QvSE@$^ zVR~i|n5Q4z{K8!fphkHigY~f+!MfS}Wq#wSr#U4aiT23>pyuqLEc@Um@-CgEf^F;f z!Yy_2o!bqc9>g8r+=?U6^>7x$;tJuBXGnKp87_A2mcQ;uk?;W;{F!5wCZ5;=UtJJhfyoEA zyofu3&9HsCPtL0N_7rxl?-Q_-D{qVt{i4Sjg9us*CIF&Wj(0AJBujg#Obl05Ii{V~ z-?)M%8-lzH^kqL(L-c8$FFMa)#aduRT~nd-OIupIZ}RVYy8b*WD_y%TTU6i9VK-{( z5qsE}vzaOoE{;dn@~OEOT%I#yiEo-cx@R71J%;?)tJ3g&ZH@kH`gj@Hs;Q*YKPJOG(2)RF$xhH57hmKtS z7IAh^U%n0{Llir2?j3l)>&3a+Bi|J_09tbn2L{20$j}!KWuSHWQ6X?wn-8eiS8FzBJcGN$k4;GO`5%8MMc2=GBczkc7i{+Y zCqtp9rrWx9upBH)3py2tJl;88 z-m^EiZrVi~9?i%;r}N2Y4TR*Ny$ZRU4cn^+5lJO+4tH8}1a5O<_ORPGF>C0pPG<-* z@}VJ*orcW5v6&o03(W{{oNr4JZgLLu8Sl>&vkjHua<;z-J)w2>`q7OxKB`2X=c=a>-PJeA&TWi$UQ)%v$ z+z}tX&vIgnPIrMJ3|R9AauKswvpQw0y^n%8!Hat>{(^XQNR=o^&|kkHOooXUrWl%y zTps+rX2>01NBPXVkm$N?uhvB}cfQy&^jM3{NC?fKmJStdT+)i!wi(PEZxcu0=Xw`^ z|515Tk8_;QI}pZJd<5()KpH^bX*F30s7mEi#0ix{();a>P-+_OQMe;rc3FZCupJK* zZqSkNW<-elKQ-j29S;oVyE=8=aeKdB3*05BI2FO#{md~yKU;&paTR3H4~HN|_jh#xBaQJ(r* z{Ng7x*W(WLxwmS=IjCF38x8%PC0|gg#OZ?12(&DtK!i5E%>V~G5AQBM?E?1T2TXwk z_Bd!duSYLL?JZjUpq=>?E`eNho)fUoI)+VWR0=KcoM@>Y8mr`$N2Wu%AJ-%D83~Bt z@8v+-%)3lfrY87&`(Q?17CR`0e zf@ky8PM?A(1>Q&cp*KCjh>Uu7s23QH&AINiI9WxSw-ke6wE1k1P$~ytjZBY{2wA#C zVS9O5){f`?0xq<|!d~Am0gxcbK1^;%BsF6c7wl!eAxb50K*y^-@aak^&oZ%$s8%~? z#O)aNVt*dIM~+sEMnH#6aQ1$fuX7-c&6D=1_uINcMlQ+sQN80Ir5hzJahOQB=mR&y z+maPhD{LFO_#FydAM6$~wWp*hVgAvzNI2wiM}h*zU%WW@NDpsAxzI!3!+AJxM#B8C zM2%c0c><$RwepojiAnHMxvFn8L%S*76KTVd7^OnrJLabH(47fxJOj^w$prs|49|-; zedvy{VE@UlEqqx_t@+L`?i@F4NYoJgMsECw|0^^-Cio9?THEBS&SwU+$7p?(-U{UVKYU@oBI8g7tyGv!mUHpa?l_D~)n zam#obyfr1`Xu(o$w54Ixf-Dp^NE-ahW?+k}4NRHv{;Hum7F0oqVa&7iX>r(UvP2Oc zCPB!%-2QGs0syh&dMQC*X54jfZkpiRAPBY?enr2?8VpC@Q=iP*Ud=F@!>P^PrHK*2 z66IDf@sKHz@uouOl+8Wp{G~u3u~lQbN3>1%8aq)ly#IFIee2y)_wnMk0ZQJg9_2S((vAR|d`7LTeB)#$A2#Gp`0@SI_ z=hwSI%#s8PYnd^0bv8R%jD-C?b3y$Nw?S%v2AE*!dJn5OZ1mZ!({AXB)k#!d955ob z!gMK_i#9OLY09Ovxjuzo!%s&1<#a9#Gq-!s*U#k5l>q66N)y11B{5AfZCv=Hz-7Ys z{y@1z6~Cw}-pbx3%Cx}S9vLiqUvhx`r{TtVp|3i6f;B^xHlX6*m*|``oZ!-XE9VW! zqym*WdJbnW^Y?UHf1yl|bvA`YfkkT~-{KuZtq$_g-dOwV^3$UU+|HG2Zs)ruAH)pT zRe!l#gR}5ziWTG#Mu3tfq;;SM$T3M>35r2#$Q@Si%Hq; zJj0`1g+GW-k1VIjItEN+r>&W(M=*P#FJ*p8Pp6$G8!G(7?I0f#ym{?&WD>P>dH$kI ztEp~$cq_ZN9pjr{FbIM9cHB?cMDqJ0BV-9V85;V`rd5~fRr|kT0~xmqA;+Yko;@wp zHv%PTEF6$J1A8xa4!G@Adad#Guh@0r#t$;6Mu=R_j`K?HYq z(d^9AShc-Alm=dZCEm+8a(#v8LxEq;t-~7PoE8 ze}?!yWDblg*3TH3lNl>|alGcw|E9ISyN|)_p1i>G8ZDVZ71u<@v-XM~kNXO_ zC4SZNO5DX%Mmfwb0OWqLHPskY!1^L+RhfY)&P_UUq6Fm>bUtHqgdTI`MrJzSK9j41 z#AsZwey2}ROVz{uxX!&T0R9cT3kJ~YpyeXbN4(?BTN~GQyo2=xmrS6W$kYdl447w= zEX~@_*pv=WW16&r(F2eCT5JvCwt}VRH1XeK{XjmJzD#B8;p{Z^pSebf-Cih&O2N#> zHdS})-QFG+f~PL963PGm8AhNhxgd^M0ef=g8KUR2Pw&#-^*vOD+M=P2(vOrTDBQ^@ zkGrx3+5tjV-vx2q!0m02H<@=RJr6=_MV!44eUf6LrDPuYwcwR^-c5Pd&N2=X| zw2LNPE4u?^4gu*- zrIGFi>1N2Gq&o)~;(nfU?p^m^_}2RN`|e*nyIi;xOiLj*XQkg~VLba-DkZEuCvy;b zCNk%&mo9EyoyHqj%{4ay&a_cG+!O=JONfD=!=dd!Q|G z`lY;bW9gsM*4j?bP8cM(i~Z&ZG?xO!E?#;PG6s00Rn9&ZCHmb*^1}N?7)Sy8h1r*H z@$I+o$PrLo^)aJMJF|M{;NOUgZ}iDLod^N{ci;>$L!=UxilOJOHCV#aArVUkE6>#9 zHQxFEJtpCx#_H|@R`NGbdOhW_>H!!grQ4KIRWC26-oWi$G$s8 zIv|Za7V-4pAq5EjgKsbKLE-UG{BDTPUvMpx=z1oQ?tr;T zGHVZ$fN2to=I-N=$;HB5tqaRVxrS6RynE%ZP4dO^Ar1qrGzsYY@5oOF?pqluTtIkI zMQv;((?HbO05tsl2LI-5x6wIQv0IJO4(7yN?s<#Hp8jv)25E3m(Rk{mJOX`8uiALx zBG-6dA)e!(j9e=wSpcs-Q5`uUYbB#LX)!(~VJ2f_9im`)cj4=S?{^R>70e(D+ynas z-%0vE;wRDEATl&Ksl@MhETvtW)sBDkzj=^`7`GR!cYowkj}&M?k%hoNaWW8qlcsz_ zSJHtgFkbaeVirPQiyL}^x~uR?3LHd@Dt1|L3b&_`;nP_cOJ0yo`30cT&YhMLm~4MH z#XYM+Kox{bkJBV`e(?Ccy%eMD&!GA)8-A4{_S?7XahJd$!%v^$TkHevzooTbW_V8` zCqWHoQ@WzVCHf83i56AICFQe-OwQss((78w=SGyxFT4Ip$$HqyaH7~}T0)QpGhBkT=1Z)@tMZgN@eIZx z2TjG+g2HI0sg$1*hBQL^qhX8Sif~W=>S4E!+rrYG8O$yG$pz^W1Ngji#A=|E^(!gS zNsQd6#IH26hp_x(nAHeGv!Ox@UQUzXgH7byFyqI4aZRq~4Pu`7pu7 z41q9%8WsQg4D7#)#oghSD$Q9s()2RIYZ+k4%Ai-j0|TR`qI7+a29v%~_-4k1h|oLx z5UPP{^GV!4j)II1+HG**L+PhGxb0gX z+%!r|xjA%B?c5hk%#|weq%3Ya2 zFPAq&LAQG!;(rY6E7(%d+nj z!Oj5fJx!V@TzekxY$zf6b6whsf_wTUbI^zeTczoqWCVG|DOPOv1Ap3jtfKkZTj?=L z+Y>Qv@Fw{05G`Y8W*LZGdxsXbfd|>-UY>hCa=BfF17FxzE_IUTN?5{`V%bqpsA*bA z_V?MUuwa;K)e_j+7xO*P#@1b{`&Ht05VMEk4LK4iN-_7DYERCVAfRaP>w(@eG&n7| z6@DcM|6ZgBF%aq0yX;(x(CjL6Hl!ovpW+qVtv<18ruh8F{xp_yfW*t=pz!03k~`_* zR_Bn_O#RF)Pj3lLli_jM@3jYUTPT+8^T!ev2^MPknH_|mirTk-448yzCrwc^ z+32Ke0!-aE=zi+0^Q}4VV?_ypd-@&bcI@S#ddFAA_Dh^h`APk^Pphf|1 z_4ol{UTc9GYV0O^%kkGkHZe`;!G;oDTJ^}X_{mGwg1SB%8nR)LWEgB^mT0b2uZ$<(X*M2ch?$7 zJy$+JxBT#f@1slgNu)t@;H2e}Ha=5W6_~L{gTLo^Hek9YWoGGxnWr~8h6|V}N@$&# z?h|qX!ak0WCc6o^@iRDZx0q;rJoPRt;D+mk(4EOa$#8(MybRt{ea?m;)hqHro@%;x4_@m={_absNg6wvU zUt&qiaH!-wxuQI)(tUC$>-+WpmY)5myd`WZW1#|L?x=Yf4H7uCP4OU!OpYIXDpA-$Fkitve^Q z^Ahd#%3h^xIgJplMG<;kb~(D!!8MC{bDiIIPA)&PoN}-R|44UomEkC(Sz4XWwOnCb zWUHNaL5QBvbXePGIrUUKV`y1tn+$6-4hW1#3J2eeU4MFEL0u+Eht1Ot zhwATS0h+ELXr}-<~ur+yL`M*y4sNqTb%1(-7wriBNWJ8TAJ1ac6?l=aNhjAZY6!=%H{_v$W zc359{04$@5F-f|dx2#PPgWECw)Ie3426SHS^jubSiSBVE_3_^nT*aREh%fq9;_x&# zV4d-(^lQIv%&1dCYpu9iM25K6!g%V&=}6AsWXtLK zH$CA{zPH$=c-W-zj+&%5raqu8tnSMxfAfYL_^!2&MZ5@P?obujJ;cCmm*CANMyg)O z*Hm=N#Q3NT9^>OI6|fVQ6h+7iB4pe}Z3aqC7Ow0)?bdXa(P%lVReGK)+fM;xhkAqR zE&z8R;a?2xI5(BJrd{1T_684}Nxm;Og#YPl=e$dv0EA15d_R3tY$9bm|Kr$vU+o0C z3bh_rVQoJ)<{9be*-m!aY78O#bG}+WShEff$g*OP(vDA?=o%ej8^)`DQoAHySHvQ4 zVUxJsj{=UkM8Ox^7(Ga7py*A!GuBITs1*r34U^XjUyof9P@SfZGQC)2VX}* z@NBi8CA|{(lUmkNlxN7jHYG%HXD8yeAey`Y5nZynBANbM&qqbevsmLo4%8D-AWM(C+rF$z~*>^ki@{br8kE zuxGzoflOXrkQc$Yh#$NiV(i{z#P1VWySA8}fu?w|SF%&uBXu0N-Wb`)`6_p}zvD&*}=ExqJV z{&$67+bmK$;c5(_%<&BY+*#KMK3w&CcIV5*(V$g4IRc}j-oga-f+~VxD)gifvu6Cv zs`%%C@+D5@>%QquSNgu(kdR|rE=>&+j7H(vVXRN1R zZLVHmZsnpNdQNb2hG77%xB3lkj!cqA>{>GnKUtT3v~;HuLYi?6Sp`0__Ec^yIVh6n zECiiijUL1EtaxgDiT(JHyeu*%7^7%DJhi9wI ziaEuPjOgk8KE=v!TQ)>*J0*8V4Dt!>cl3_6!I!< zEO?||6FRu;JQ&1cZfG%Vd$bo#ywQ=y;4o4!?jT%OX#D$;~zGJAY^%axUSLvIxU(SId_uYg0AGJLpjs@RF zG@FLG{_a;ZsQ4S5mxL2Z;QF|Eg~6$~8ZKiK>9I)kRS2YkU09xiUsh%`3>-&3lbQdGEVt|IVz zWin{|`j21wE_1pEI{0ZQGwm^& z8r!e!5e&yuUvo%!I?|G@s4~7VRfY!WeA3PVwR@A7TDgUDumh%COOD?SC+DW-A5qlS zr7w18MtO9HYUV;8i$BrP_!($P9^~x5Ahv7DMf`*FgJ#OmWZ_pn+>% zGrOe-3vsF_Xrp)RSma>UM${UTX zsP0-SHDUDE!zY;q%}@!v%jL>JV^V`Y3hgD;V#dHy$6OE zI&ub8=B;N4ZC%N?^&h%Z*uzJt)+oK^qVYju)Z>0{how(;6Pw>jGyJI!<@;sdu0b|B?Dz`3a@T=w*ya1zsxH39wzLh$cV z5BeiC47gQT)1!oS1G#mp2Aa+yV!8s5v87G9m=)RGk#-*KTLR{$(qCCG_Wg5brj0IF z{ETJIhaY0C1Bi$LAY4gTz3Uif#I?}?@xTmVRFerIdP|yQs{yxM3*NMJm(vZK%}bnV zx7~@N{M@uV{xTwI7rl;`+y35l7XkX&OaGGBBph0=jOqp?uUyTQ;tpb~y2-62OZ>1G zy!#FSK}cfHz}6B7ltVTq~knK0`s z{j4IbdlN!_V-9=c$a}}d!SVm^AWS_&C@{!sO(@$!6@Rl)6c|)BGe6`+&(5;>?p@|2 z#+CZ5$toX`s;T)J5^m5Mmmqp+%YB@)R%N$_kagOzCIe5o4`!?$Zv0IYlZ>E2wt6+; zK1kWSb5s7id_&2lXCB9?Yx*2Y)R3#FTg*Ra1)l=Czi}^gK2dPPzQl1GSQUIMT$j-C z>(L+nzb*GKz5+n&x5#EHT(I{3=GomX+*J9pb09@%^!jq{z_g0)E@J^*0#DLk5YHBT zTB;OuVU816t+{lhbUf1Pzu1f!Y8-1&h4#kZJ-T0}%;6{WUQ@tZ&ggsCw^7>9mi&bS zU!M@AFh`#4bSO)jVp3M3_Pru>`Z-gxifY1|7>}nE)Woh&79@;@&%e12O1O92?2iV` zoHVBGUwm61D%Vt8mYoz~2zl<@#f!zM2mbQ*@kv}G&A@Ok zDsC|09~x;_!v=#zxCUGXWC_G?&q-}fofe)nZNf%Whfmz8zq&mz9GT``oj5U`&MVfRp_a^O1Ynowqa}aMR7a(BF6pVlfkNqAzgqzY?I7F8}zWfeVq%OeX;gEg25G=)$=@L zBXu)uPhjs_WDYBwkBPt8Mv80pXh#Fp@9_%5Cm70(lCL@HrY9L8X7lfU?3r}xBYfLb zbQbo5LL&&Yq&&R1^kyX--UHa2rIsA2w0URF zUu=n^_(I$Wn~OkP6TGi`<}(juURThs^8frU%5Yb>Iem6Lmt-C*HNq-#7Yb7X{T8CIUPhto*Qw7{dlPinGhQBJ#cmg-Od`!m{i**{T zzP2;B$}-%aqm&bFzN@fOmU{NyeaCi$MmG@0KITOv=bJKQ0|XDV-!weD-Yj%h^QDj5 zVyf6+!(2q{v)@_9I?)h60=BnyPf(rU)kthYNR~N+i)ofl%Nkj6imOi@%>O%k2cX?2 z7qAoG$wf}i94ED-6uc^S#IV}Bz9DliM%4F!an!8pzail=rQ?UWmwP(a{#9Yo@sG>W zAiomhJdLw4O1>9jM)U_o%z1IT3Yk6UEiRI?nelU3tdQQrEkT}8C~fuhn<)1}_YOtm zg=|%)(Vb5{TR*;TsB`_i9ffFswFIn@P0p{2=Z|3S7vgZeOqGZwoz(H%#?`pstyb+XjHS3wxH^>x@mfgA>&+4uT54-G>;#C$ zMDGX~zV{vuFR@!t^~jRj{t_!V(>{tP^YoXpR<8xZ5~JOMedtRF=nygsgVz4DB*QCR&wtxHXDc%I;3c^hiX7BTW&6O z-zO1J6m3HiltN+yX)4_be$3WuJWU!JU13*pmU1(KTCUA_A_+t_9YC#~MhRewvGucy z>Pm~({LvTq;UNFBo!8O%%~_B3*DI_Xn^?7r8@3YO$?3+MughSY*nW?QEI`Z?^tP4v z6F1=Ip1An`4C55qyF8VTt1&$oMC z6tHR~!qe-zgR}3zL*&ZoyjDAh8dgf`1V>GL5FEPa@gHuK;e3HioNsgI4Y(WJ0_4Aipik89|iO~5NBu9yqW zrr||_zclD>qI$Ck6VLdoVx4BWZg1P;TO^q;hYNwXys~VW=>-5!}X*7Rf z?aaRZ@u-Bp%GNf)+unYjgVU`MWMz5M(#_QXZKRG}cgz>0Pu($Z&OjY(bo)8h?Ao4~ zUmR3Yrc7~DHIj8ua`#GQia{i;Gaeq0`rw3WM_RHhyEA+RnsTLEa^Uw73^X|_&@YJ% zQ_5d=n;j$LAg3pQD&v29j|W!zPTUVC@^vxe?_JKsx%Y#^u|S`H^x&Il(Xd4!-7Hku zc12*#*m|ot+hPB4|8Kfshg&y&U8jy&g+O@CI?^5I`1JZO&V5Dtt>aP_&k`h1H5t~) z3}IVzZEw8nqA~rG8!3vR_ouNI$Gn2Ovbv_et6NqNYUM`*nTg)6cpwqEjMd%bt=NQn zq@40C-)i;eIafWmODL(6Q-?EW^&U8VUdSF$z@&fa)@c)v?E7z5fBXE%eNpKqWE^^o1Hah`882~wWo|Jk z)3w%C2Z4v%R1;VWszORcW8W@FWGxkudS85ZXIM+g{3DTE3&ibRQJ_`z^w2HmIja2? zJC){_C~;3yfTNU&8!bHAmHFl_lQ+Xv&%7(dko@-pw*U0*0e_ID0k`@-kLq7et?(PP zebc&9`aU5Ao6H*2z5eKUO}ow^IN9+>6WVEE7L4bSyypvUKk>Ti4R2mh*#a9c+_Mm> zKBT>$|NZG0dm!!9$h=z*LZPK#vOxYSEUWK6XX2B|e(Coj87eKm+x%A;yCN;MGoncY zQLwSGt2HbsjjNIVWQlZipkt~uVI}DU=@aT5&CuEFWPrVH+G)Egv$&plW&F4qL4Lu)8Vjxxq{ewDo|f)LEd1&qC%#?;IGb*sHU+O)63_#LXd&tZY<#CzAy9^ z?^`9P?2v}%Tpj;i{g}MdTXG)Hn#mVjAk*#hf1VzeL^Qpj_3_coA3k2XQWkv;BxUU5 z9zV3u^yPYzPDahh+|+<;US~~Tg7@RU==_!q*3w5ju%Wbg5J^_~vkzEO#Z@w3DB+U@ z%CqGMH`0X69|`|3zpzfbT)k#kkPieuoPYa_Hdbqx2Edp_J&|2D1U-dPtrw=Z@YX~s zak5LRT=7`dq&jn?T;ej^&_U$hk+lkz_FR8`?SJL_`$-cFiP$J7CF{ccwHL#4EB$%X zM6Ie-q;mMHVE;YKq3u-$BI3aWp3)L|M!>U<%BZWSj!pmC&yIJMOJ>M$=7RH4MkD@{ z?IYm-pDmd@`x-48Qk8@Ir;Hd6t4l)*6PF|N#)Z5Kqn5((a4AZ_VnpJ3OjbpS?6kt> z*{}hn+0w^ISFNSt^{c8r)!?IJnrYX12*6<>KS-3(FgBwr-NeEhH z?uYX6a}zZC3@M{>=9iNZOj7zfn~O=b^#t+@noGTgB(EFnjVFG1d^1!tERG3E9r|H}gKpH6n&pu-QXM^I?P`L%J# zS9Hgc+6}5GBE~Ym%=IKYC$tWf%pGjYAs6+4qj0P0-9vXpbU-mPB`ju$jl2fd0J2plW|JVo=XS~2SA8!z66Yxi#_pwL=E~5o2~!M z>s9ml?Pbk;#znAL))Jw6e{^J%Vzrqd-Y~uq9e>b>UNW(4Tk`h};M9w+?Aj}kK0Qpj zj@|qG-n5$)l29sKZ64h0I1{+Y^AQ zS6>?6_dbv2h z2m-pi1|JKdBzn7V)-M2#CiX{`-?+$$q9{Du<>qUi?vsJ9rdcoj{h>B;$!d;#Rm8+(Dw3Q0duuys zCmXcLyY^KshXvU!P;I7w-}bA%JldWEci;Z|K8cvISjvjtZiVsPvQD4Ip`6Q1&UxLm zOp?lx4CWkg%?cZmaIDCBpnFVo!lWwwp?x>V^8k0@_JQ?p*>d-%`HMLr!AFFv$n$J3#q+swQB5aUgO1 z$~NOC7-A)b8xb1OG94bC=e%Gr?@ihxp;=)N`3haX_@_wH6xdChMV`vqMNQ%Pe+=Z6 zkTJi=JQCIt>9dqZ`m@F>1s~{**U;}-0^6fR54Qff!+g);=(PV0^!(j^={)&eSekP5 zZ=^31+qCOIWWrpf+VU_VFNDOd6`7&=S`fqVBhLcK7vOg`pQ(u_gU45%lx3OzfWSMi zhw`RK{6(!4GMKo7t_%8}ft6RTf*zgyf%wl|8W)hC-ZhUJhmQfA)PaK^yvM6IXGX}) z-t6~z`TA!<*we&cBVYiJrmf#)BiXsJ%`|Ls_xZgtKJ&Y=GAFE&+rl0!vi6VlD$V65 zS!p!A40|Ee-dF8Cy$4jXm{Zp(t<8k?i=$sStOUz(FE<5nu)=_dbe9X~+Ju(UEMex> zD>{znmwG#jI)4j#42kshy5 zR9^ao8#o;Kdt=JhMo~{OGeu#B{%9ew7#O6H$IZ;AzT-6c=Un15QWr z%>z+#;J9S|fF36Fbc$&;Aci8-5H6ocI`o37u$8^<1w4;Gp|q43g=lkHT$gwinr&VV zbC;y2ua~d8sbro6re`4wwTTLAKd{hs{bCs8p7bcq2|Aa!w@#w^^}giMOVbVraw{}6*^%7WNd~+7lH)4sP^r|O;wJiYYG2`_^y^cY zxGpS1Fg@ILh!R*3`>I|##_U~CJhJ}AE2XbeH*f<>q$%;-elGu0&ZU7Jygj#Uw9#0? zD7)e{abm#*|M7Em?VgTsy_on7x66c;l}X4m$*N^g-2n{g!JxRy6&+34`b= zH9Lg>DR%eC^!+*OmL}`{+;=~C&vuZ`BxYL0P!r7(y)7ES^RWL?a$h+SU7yMO&S(M; zv^(z-a3C9J@WZ2kOfd3`MZjnNas|mEv*ZImvwbDe+q2 zN4{`q)qTX@6zjZXS$pzX2%woR`1@>-2yMNwA7v&9Sg-4jz+|08UkM$?wkI*l@C9KL zPJ$o~SFV5SErsd~`*P|)aJ zgc(Y;k`I~&dVos?0r+3d{qdP9NrVv%t;!;9$D6>Du?_fQ5mz74RS13^Lb2IzL+=CM zSbH3~y?>4{#9Ccc^}CnkT&XjVbAN(pR_(95S!471);?}Acx%k2Fj4J_IuKTqhG^in zkG=+xsiQwZxhMHfYdm~!xW)wvX-qIV&yDMsk^BunTO)Amg)cjgJ3s?v5fmkE%z+)f z$qtU+%->)@Gy_Qnaq74^`czOfaU#$3W=FORzK2-WwWq^*efap}Qpee!^TsW1pJ@e5gY49_{JFd$gF8KDs3iFiTQDYa_Nnx!VMN69JtW-J6zb=?5^p)CJ=4M`@S6 zk)UBX=~=ch1|v&&noT^?98;FU)1zlqwe2o2g==bv%{rKpki%Iqx25$cWGK^-3eXwH zp*Aj06)>fO65b~}$p!~*CpYc_`{!kQo_aT{gyGE5o92W<*5jLcbpoMroOa&7N&+3< z97+6*FFlfquVP=wE;`I5^#yzGkWML3M`31mho1)9H&vW1tdGTr(5zcaehRlA*Ab*a z{2^qYQp9_ZDLX?l-@$Y@QleUiNP2Y(kO7-?-i%2=Mbj9hz|#0c&tGWZ?T~drA23x9 zdtJ{Drk&Ml@enc5=$Bgk4Wd(TjC{DYg-)l)Cp#G}3A6)w?7=x(dFa1=r&zxP(#)*- zpaFKAdbv5_ykUXNLHc4%nGQAzl(VPNoO~rgMc$F_YB}*}JC6C_cxUZ(rpUtuGc;nr zYRw6$zN>eXF^AS+K#1+E<{Yxmu{~RTVU_hCB+|}GMSfRj)5uQRO~8eFsd~}bGUdG6 z`PYCcwkw??N18%M+!ID1%qpxUgF%aWM1*Sh}Kln!sIPZ;Rh&tjnGk2*1Rt3 zN8hGVk02!%Wt0bR9Rx2JRH3#J(;$LnYd8Fe$04-ifiat}C~QoOAU0?7Rz+`0jm->? z%AnRG6O+If`vV`z*ZJLA;^J%=w&D39%(ZD2{p!?MnfeV$B#p$c_@zktoLKhHedH(W z8_wyaO^N_9FiaTAlO>;wi5|k4PDi<0skR{5{{ji+?qs7^9yZqWUCXym;Ey%&z+FlK z4-@ZnIB<&LWW3{xHPsK;hr@j--@>}KQn-;#b{cTwZ5HGa=X2EK_TX7+R=C4O{fL0( zvu{PBLVTvfYq>u+#`UHEl0_t1+`f)m1>U>yW8I|!RW#9h`3}E&eQ3Y1YwW?pjYr7V zy!Y6b^4njZ3y|3g*T~shE!3Ot%~qKnt#kozY)t0834VY}dI{iUqdGHE3#Ed{D4B=2 z{)<)rQ-^D+l41^$dOf#a)>LOYfyd|EeZS&*SaR^n3n_XVBNxW6NXbfN&c~|EYrglb z8s(&GKNw`Rj!~85pjd8NseW7V!vRbSK z0YKhoODcb96vjQv9N5SCVK%XVPEf&y2(3E*;x$o1_Au}*s$BgUNR(K3k=oL#F`b?F zt8ybPZyk)G;r~WRCB`m!9Y2t6-KSZ!`9^r}cS$u&#nyZ4?)s)?wdOG1U;tojtk(w0+K#<_`OaE@R&4U@@yT`P#(-F1ZcfCcn}bt_zYTZ*BFWP?&D}GL z-3(R9l_3UKW zQi$K0OiX4IQ46slFqzrU>SX;W0=#KeKBs%}_pUpnZ>wZn)eKP9Ikf_?6{)y)Z+GeRaGw#c86a>->fN4O< zbCtYd_ryA+_W&P-Lt4kcy=uo;4k0%7E0REyl0;&@IppfPTc+>j6VQcwWguUl;Xte#G3uy(A>(%V*QpwLH zU!79PBR3+pC1x8>dqanerlB;%HZdKKsZu7IB%+l1=Iu|qH%e)mpLG*>cGMF&dk@)- zgj7egRf{D75~;}DmxY9GdXFtq!Y5R#=A&PTudPxTlEUk}H2~n0rjJq&!^Pc3LD-;ch&y9b1rBZ6%wbW^ z>+xIb^YLCf!7#HTsY8!rDu-Ufp2jWO!e`}B0AUg~-+ja#JF+@ze7dkc!;$8U!m%M* z%we7>q-Re$#e%;6gZF}CLAKGi~1C51A@eO*ti0SZ&%VM z4bFp|;E;H8cYa0Z8W|$Hi_jVO^+KR9Fjv?3?tOIfw}k|UVdaMhuO-wYAb9u9i@C0B z7>s`Ab18!0u1@*V@eipvj)nuw3A@FF!*K8h(Soj1pCKt>XZOFlf*3~{S@4aF)4~%E zI`(QK)E>^tj^cLDegX(PP74~7<*aQrEdGXZ2BO((dnNY!wx}a}!gp*W{2UcrYlgDT z_{Wd=Ju^PXJA`K;@}{f4H}ai`?C}hpyEk_4URvxK zej|}G(7~xS8eW#CqcJc<^2s+yi~dl-BT^?mpgsRXLqb#9s$SwA50p_UYv&1Ggk<2t zEA~|#?WKGDNvJSC`6NgKop+2cC5thYm6#;Qd!lcWJ%moMDO(3Tu~DQMh}o1&;LCuW zJjmKiTW*|68t*?-Ez!CnSyIu-XA-J4sJgjt|5Qq}dlTD|c1Z&Ft2?X>jtW3XVBGOC zd8W3^n_v}I;e5!nynB8+F)jg?^AL8(?9+fnN8SE8I#1%0K=UW2H-{yWAA?rL7AFed ztb9f&FJN0v?0C(pZFe3>UjnZ1j{{||ny5+kE9vI|Q{(zr-X`UU3`ObQMM06m4u`Ff zq(u#=K2vFA?W3GTMK|)Bbil{9DjX%R-3-PL+T~OK?&74^?dtHg6O>}Plo%B|V~u5{ zGIp;>TR(ywcv)Y*IlSj@_9toUaUtHCR)ZM|j;9g(dBLx5Q% zz)~!=nps7xe8u`p_gv{RgB{KFzWK|r6>bF0(k^E&1gtxRvvgN_YgSbur^*uhe0cbW zAoJxWJkP^s?D*^7Ra&54r7sAlF19gW(#0NA-tP9Jbck5cGWarVkmn&e<8d~w6(M(& zx|?+R7Ou0S*1#Qed$~+s{Avm-a3jYZ`AcMkswjT&-HP=e}FF4F~W714=Gd8cT;BfJdOn?{{>pWxL}2YxvlzAl_RQk)>w`CZ!)=~)i$eRc7D0XlcI-6FUZ zO%I{llz{Ig2@r#t_15}I(vjun`=zGytyt0Qi(Yw-`?xe#Q>_$)BGa~TBn z+ux_LFU5`^Cz3LcJhqIA4lfq#a1XCXG+vsyNuqpHN1)Hw!!0=c!Ie@{YH6T+!xzDI z7M0M9UMV;qBPXNQR}nGx7KnjsE12^gP3zJ|R5LsN63+S+eI?dCtP${h7dQFX?6mO1 zb6*d>-q2bOtx|_(>DDyQQ{a^tw#0;3A#_-CQ^_u9uXtbw(BMqr?eEq2EN~#?lxU9mR7?0^s4_-o(=vx`ZQ5b_|1W2bvjvbGmn{} z62TFXd)re$sTSjiFZ9NYRzjx76+zh7#FPLrfD7_PQS>E)d(X?`<-_~-ZczJtL9d0O zzcB^jMoMnrRds|U>bGtBmdjqeJeQ~Wm~>EE;j^Q)`~1#4dA1|uZz_*~*e}JyFQD6V z;E9l`R-05&>zCDee9h6%04y>08NXnvYsI*h`ANnx==S+tE)~r9-LOd!2#H#Qa{?l#XRQzrE^np?$@AQtZg!_VMQk8v^I6 zre`Pp65yZnALts1Nrq%04Er;pBL=TGk)S=J0a%f&JSj?=jz_D}LAiuDM3KX7}B&y>t zuaPQKgAd^}E(Im)5ek#dw16Oy#;{j1p1^cMV9rooc8;_1k=s^ne2Os5$cuXF=XRm{nb5&t>u7!Baknry}D36>dQi5S)F}XvH zsr5rl^Zx6XBZiP0HR3(G5r<7O&NwE2FA=tc2Y~nnxliYiZEsWGId# zZP@;)_2Ul<9UR%|(na9wSkBzO*X=sUF|PWrPnAjzF;m5=>s{m&INVVlSwb7k>Fn%4 zh_nQ5jA9Ns8a&YF6$Sv9AYX&i5|oPsT`(O z7mbZi^=jT@WGT@Ia(8HxDH|7@fZI^4?=oKq7!V@Qniib)Jy>t=ZgmX@-|er$ffnv- zqS$F#Se8&THg-3VCG`mHHuWpB7|-i6v|XeQ5&!q3Oh)Zwt8u)65zMo!Mu*qBxwQKA zXi#y#_;E?Y;KUKR$Ld{!RcfNxy6nmRIR0M6liZ&thxT{Ye*D=6+EI&c7%|jxs9;Z0 zOFXx8Hoz8_8o(UM^HpL5N*E#@dEKNpop?uPK{1Dlc;crNcuj@gz9F9|AGu5K5~+Q0 zd4#DlXo8)=nw&=A2O&*f=UmU9H{riM$PDm*N;>O|!r%Dp_sA!K3b)|0>*ENAG&&u~*+6*JCC{vq1`z zpC&hXDSaKU;>T_Kj`g@^ZZqFSX41o_thE`?%dfu7ZuV_bLTji!cr|Hj_dlHOp4Fs3mM1DrDem6!<@Tp<{lj8 zn!BWFpPz+d#`h(=Fg~mvFOK7p+@q)S4r6|cr#<={SmVcC_)<4(A%rAeD;^tFJ?W~C z7f-i|)Z>#sXgWVuZI<>ulZlf|W;iR2E^dA)c-_Bth`2k-4#+;MAP_x;eo$BEA1_~b zX672-;nn=W9m|~FAaj~V++y9)(#RePg#1&NFHa$F;RXr8k4E=d&KSl2j@o1Q*gxXs z_;7bzU#+rGkUwk`NksIFX6WsS><*tY;cs)ac@|oAq@14%btD265AH0Cmu#^}{zUfv zSH96ryF}76cl{^l?LFK)!?P=k&KeW8SJ?UP9I!Wqs!evdu8+sBuV6f1CZc|>HdV_u z*~lj2CbJF~gk-!7pOp(yw5rMqTa3=E# za7zA9KrE- zwe@xZ|A(~qj%#x1)`k@uf{4gQ6a)mM2m;cjqf!KGCdVmmm;0x|&zh|Fwo^QX~=l$>g-QgZ))~vbKTGv`L)3moDS7MF5!u4{% z^W8nH81{I(cJKO~vQkEs;hoTm1gumS{oZj$-D|>m&PiA8p4FqSJayx{Iu9LIm8!uz zp?y^9#y4l3(ZquA1@}>MKnSTgISDE%0nb~MP`qO-S$OJx=?! zXjEF95U2&SlB-@-$m+mG`*X~8aQT)uNDYWq{7_^)=5nB62aC~z5+2Rg$f59f26^y&w1@wAt##(>oDd%b zEDGl+leTFyvUfL4J!?T7jDMfL_0@(M`%r{{NNK(ZG!rqdJ9H?>YHOxv`QY@Rku|xE)2D`o9m-o8cdP^sIPK;tkvc8nm}*(82X!x@aqSw4oYiT zE5P9R`eN>n@>Oz8J*361D(Tp}2BB(PI_fJ4y;il>`G^JYm~`sxl-?`=q$}b?RB{FL zq^|_q>eJV+C(vRdWUD7rl8)P)Kv~(rfGt@uX}#TkGrCmeqDb~ri8>kkVU?=UMCft; zixF;9CEZ(u9BSTUbmGeGLU{M=Lw!P3*Io)P%aY_xdH!vOLqBkv-<8|zDF%a0cFH?d z7W)TCf>)DWrA2&&fA71*ME`0#6RZt^@p-f2J4^8g%+J4;`Ik_OJNgomtmQAv;Tykw z+oRZKw_nB#ZF&w{W0SiM8K=PDi~jio3MF5ai8sd$TP2efl`V6n)uk%EIPrz&Pn4B^ z$jQpfmcrOK$<>7gcqolIiuy46WGvzH;etn{17*^l4!(1`j(Ie`O%189zp%|UrfiC< z97%b3N##xKp*>HWB;A*}SUFO=M#q$okYD%f!CvT@w`j*&;Pi@B4KWehUwU|$C?kG9 zJrYZTPvwk2A1L=czLS-xa^zq?!*1uNGT)fO9D3b7K?^TlzmaE`BQ3F0^_jq{#34B4 z+TXlh^aYd+A2x@TSO?u)XF9D}plnRwk^jg7Qwf1|>rU-K^B#|yMl9_m71ML}YrB=9 zS>+9bd7*0(%}wj7i(}Z}9h~X@mjZ5+w}zDgwB(RItmTVQEV_ngw|)t(HD#p-ZW;=q zCS*XXJEC+QzP^@EFal-np~FrZ-}JTIB1w#rt+DJ&tyiD7X`d@Lc=F^}=ALdXH6LU* zKR;jDcrL1rcz-jB838fjJ5c!To&3!u1Z04F_V@tDHtaRpCMO^uAbCw+Uq3#L{=o`T z|IW8O7d-JAMvB}y#zvJ@hiS=*-7J~Yhbv{iiU#gghtCXh6qtd75MS5oLX2}w!Kp_u z$9=x?sL_`%bKMc;LrryCCsvY$n6xeb(eJ^P)`xDaC((XkeC51DH(5VsrW`ZA?f2Vs zb1cejwdLU|!>`_qI&9lyat)yT?enb#Ub5xns*GWY#ysv(^5lRICB6A72CD*HptPFA ztLqJRA`BtAQWI@n zMPn8n+V_O|-;HU1e*doM$_nG1MlTfUXhOSWl~4-V%Qvm?u)77hl{|E{vBobXM#xjc z1$I=T#T2G!RnHv`9K<|!v^iv*1m!sLEZ^WS5G_H!IHY&PbU(v>bAmVwat-knH_|iv zB6O#76>KRqDUT0>JEDc~w@OqR>g>i)hCY5eyUJL_ci!BKiC%ncLmQQAS#pyWJ+|oL z(0F6y+9Kg`j_KCNE)J1qa7mAXrzoQYUOc7AD>db-K%U(B%4R?Pw{tLXcQyr0o|-XB zb;(vGdWd-NrgmMNsKUz2O;|37ztkwOX&fo9fRQc+-at z@zMvIAu*DUbqx@fz0Evr;Q+-C(RHv$MSEY$651lKfDZ#lb@W=jPa2kI5);UJ1P1>W9_t#fv|&xfmWZPntzgh zfOM)}POb;rkW60`hIo339Riw>a;;$iY8A^NNGMUq?tlG=`#F!Zr zAWP0i+XTT3A-oz@`O$2pk7R`UAF15#Sfx;rlESZ6#t4-nGy<{+hDN}9J=x&zaQ;lf zkYDXJh)l|yyVrEyg!;U(i44=y_*kW;3RbL8=6Xr2Y2Y0We8-&L3n@Q$ezP*4H3#!@ zs*HOjGPZUM;)9jB@C~19Fg4iLWc4$Mzdwg2^Mt)%ih&F+DKv4^Dp~H3V*&$`+2h6< z2;2IgpKxNl&?+iN#tH)Pf=yRXO6-Br=c2D^LU|>utvLHJ%m+1D1P$Lv0wg--Fq3LW zExota&RC)apTt>Zj*n@=#WWqNBGNy_WB_I{Un*CaKyQ8CO*QtQEZ0Ch3AbKsm)Gl+ zBfr}AaRyzz$`guMAFD@KO9Qad4#={Qro&{B}pEcbT+?0I~rKJM6dY)8UmV~sO z`&GeOsp`{5j1xH09M%-;YesMCZy5TJ*r=vPdfReDrL9uP!R&5ZPlRMe2`z$6VdtIBwX>g=t{9vTl)Jk0a+@`} zp|?aK*o*_^>i6P1L@q|fn^g83$&KI7UA(6Oytu#i5|}F%ee;J8H+og}k~G(j<}fyL zr!i+X^5jAEbsL(*bLb$zNM;zsI0xc0T=q1F5zx_pGOF{{Q}B8)dExDyAbOc?_F3!P z@{n!R_y7&BktIoD(z!W9bHrBp&92;sX23fKsiJ{$FHX-h=3(kA)xIhN z)71^lMrEY`PS!>+-GWXTwa!W$2x}&)Gf~dz)O&JI)X%(@tZdoLW$2PK`*E{3czo%i zIJUkZ-5tYF+4r!c(R9N|U%)k~6bRKzt#;s%+Fj*ac|A2rjxgqn$XBgvv}Zn(|2Yx~ z;Xn?)fNsMiX)4l7Y2@=C8l#nS$+{JoKlZ>@Dj{K$n;r1v18xk50mZ_~SNI&+%x|^`0=FYk6dvpxUBEe?s-7%@AZ&y3(pZ z%D5zxaCk>9Ec)`#PAsUr+Ml8IVcBZ3G;+`==tSbYs)qLQr9!}_j0$Q7(7=!3h47M- zjsE?(E2pej7%l|KaW1e}?i^7VMWSM~KQ*2+Nw&sz^ghhh3d_ei_ZBXr_>l2p$m5^C zjoVzcpQv>&klO2Znl9?oB z45YHJ6sZPADR=lf+4(*^tSAk+p`G+cyU)|VUiHo5bhjI$D6(#ApxKTQbs!HjyF$`+ zKQ=X$%WkZ6x7Y|~%VxS|{yndpO!3?|ui(|2bQgb)x{Lj@PnW5_xLs}a(g5(K-PpAv zAS@bUQl)@u+>_RSWMTW9PT~(?2WDh^O@tdW*Vv7yk+z87Tp#I*Tm&9&$b0W0Ja3l! z5kl}+5l=4tWoG{M$o6^E596Q;3y14TKFd6wy{cPVsWJYPIPZ~PG1M|R_G+Orv`{X^ zq2bKrRL%BIvU+!NLi05x;to%e3a?gc%PIwY^Y#E;scNo&{U-KC;QP1ATDSi| z-hbQ4pKA7Zqu_dY{^A@>t)2D%*3Q5C?7y`e*h+fuwt6H}-d{WSi`~)IJF{Q*h=E7{ z$CUhH3q-+(QOQ2aye*^r>>qdi=d}D)>V=;#-iQQ@mw$Tw*SCKz*nimWP1fIEN%9B0 z5BUdb^xq`;U)|Aoef8dL$Yj^c-buY=Nh?sSMmJ#KF6A)9}b zhEZsxKL2Z@eIHHi+>mq5Z$wNEBvbmR7IgTMgQw39nWUO#G2NZWyl(#<_44IQGTP+M zp8hzBRYYiRM^%oyh1=>PjlPh7h&jZ7Mt$qUwumD_&A`nXyU>^3EUU|FbX!YI;K|2I zYU_d0l-#k>nT+-je0_X!#=6=AHensQ8taW+M41trp$N$3D3Q(S2N0iUcQi@W2bzXj z%H5^60BM@O#gV zgBWCtsMAWHsFDw+A6S7k@zx3OTE}~paPpr9T4gXdGPuPiJGOt|-`+Led#@LA?M5Nl zMcx3v_aka0m<;9qmC@~i`e#!%crllccU>n)>mYlsi|E z*I&)>ONz1}PgHaM+);AJh+91OSy`VI10WkNyhJx7iPv~#H-fxy0IC?nsAga8ohD>6 zOEXbv5%D5JTt~!VO3#QU_e`-lY0gV@wcS!H0xs!KZE!%RrNb0fCu$SB_^#q|Nl4|G zZv^lGL>b#lQvLVw2K6V>x;F}K3Ec;OT`K>#^`U)@L`U8E{l#*w>+0(2$wZPQEWBOC zZbj3mZFcZQ%y5;JdWr}r)qealvw_I${{xo34<~B$IeY)3U5YJI#@M`8PMTCtENXgz zo0Bv40Eg*0#IMQ+&u56cZ?`US(E&6MTEnP~fxjg4|Dm1nPd@H!R3$j?kQpcvRnVws z1h=;~Q6=@ME+Ue7pxQ=@LmXWTO6&c=|E#jI(j2$gS83Ttmm=nxUy?`Ul3qf9Qg!P8 zHv#^Quw?~Ef4r6?Ya?p4ezkR6sbO7zPh4guBb$|zTTc>?@%Qb89*ep5CkM-Q6079Nk+O-skfH%GSHj(xsCG4$scsk*DUf=Zx zAWx*KNE*L0s#QtA^ZUh#-$bO7v>nSD+%4*YuD|zy`E+fIxz5A0z)7VG+~GXBb+4a^ zhH)TXpsrThT3Wnou)IWC^XB;26q$#qTn)VPJVc+_bh%Vt0N;pZb3DRjTV_lG84N`n z<9O0Uyk|b1+Kv>nP46yqWb938RRYT5ZP2IpxM_KJD)Upr^TI(pBe1ALg`x4mR`l3O@4>;RK*pg#|(0fsWNC|+xp9ka0P9tK1T zk<8sq`>hgoSOZ9Zb=+?jO|DcW5meqhMmk8j?V$rDY=AdvlpIQ)&b&T_!AYwc8y9*I5(}dN4(g~;7X0M>6<_@vcZkIY|X_eC5)9l+qU)9d44)#k=$dzs;r)mXOh(0WpK;R6}Gvl32LTR-<)+p zSauOZGY-2X-iXe*nCI;WOTr%As-hw9O7_Gz^kSA*Prn$eH7-~dX*N2Uer0_Y($$d2 zO;FwZ?t{M8G;?|Rv#+D)da!xJXD8F|NY7Kl#YlSEcx_z?N9a+J_TJTY91b`Cf%Q6P zNsA`m{|bHncCBkXAuhbTPyE=<9OSM|j_G9P9=4H{ z`0kae;Ea+!2lDW)@FR_f8!~FJ_Ne(Gj#CaPO0jV!W7Eed+yo|#JeI5Yu!*CfKol?21nH%5I^H<{xdAhV~eeG$grQN?&5B8Umc6JtpyRc zR0zGs&$2NupJY4%H}lH9liccon76CTct4#bs7vS!(TVcvl9ssVd9K_Ky)FjVDOo?n z!}csT_OB|)qBIWgy1(Zr9KEJ0C@{ZC-k;2uj1h{z|H(n>zBJRx1}ZJMxbjDvF)Q!CU0Qf5u@vSx0PXzxB3H5 zB-WZ5-PRFswgn5T9=IcnCk2N|!;J%WB^Rxg%7{lCDU#ncmwe-is)DEhn=PY`k9Q?1 z-Nx)~1}lQrJiA}nR1*#=JHE1-&(fN7XD<&MpI8UpVwh|U=o0}}(ViX@cxDKJ5?&wL zQWj}7cOw0&#czfIC>OzWeCs`yrwfFEe#rv zNI=(F)8Ng0JwU5y9WS1F%Q75CSNqgdtgl#)*LcUjaj^e3K9M_%M(9#5&e|Qe1_Ye{ zLiQb5V}}`qc9C+>-WfC_pDP*-zb7oEiCw%Zl$K5O1!?YW5}_>0=T@4C!}~^c;%%bS z?A6mCfK7U)gXcoa6~=fa6aR(XGt4wPIj+jIo>I_NdGMPn(trAT)AHrIw6sLF9A4-+ zb;D$*jm$CUm2~HZyFRFT;D~gPT09Y`*toKzEqgG%aRq#Q+aCy+4_OQEW@tN`IA}8g zjhRwXpB#wJ;$ShSj-Rq^@mfIZO!*r0D)mBQnxpfPV0&cT8I=1_JRWJgbSawAIV@rf z=jS$lpy1T>Eh0_O0ot4OSV^tE-s_t$(K<`bRF+w1KEM%?4QZ@?TY4kmGy%u7520e; z+nl|E-uLugnquZvum0Vik+6SgeXy|rV5vNVOI;q|U8*eWx3vIytdHv3w91n{Qk-Jb zK9u7&#Np5sG8dhQmN|SZY1bM6#khWYz=y)M<1JCSV z{@4vVmA*lBI$8w}^Le8?EPh=Q7x_*yOkvG^ji34HtS1)6m))(-=wGS_LAcY6BwK=z z4KC=W&1~uj$3`bb^?CNO3;y_Xj{_C|!W8V>^`+Bty*k$B1S#?nB ztig|DPt?}iX-)EEf!AwCOc%r3K<-@ZCIYVc(}^BZo~|?TBwOj~j&peA<@x+OqZe5Kd2`1$W-LuOpE?7zw<TNpgC>)G19(;f(8s0`oGyN0r&uM(nmWm{yZ)`*pX#^mGOZ=oV$=4n|OtSRKT z-nK4B`@8`P`8T*N8GH3wf+pqWm4vb_3e?KOg;kQ3Q4Q`6=*uHPN6N!Zw;0673u8eg zyv9=}V?2h$jVD=+{@_b(^>ftcg;z(MM+w&K zf)^(~h@#(5Uzg_O>}s>%F=1XtLQ+H)C$W`#z-G^jPvUub^P@D`*~-tRZ(N`c)7WGLih2LhAu5osi>( z2YszIqad=jaa}k2m61G_&HJ(E6?K=7W?546g(|$)x4tv3-zXA}Xq_9}w)T_6iGWY;13DlP zCjOtMqT2%hRyhAlkb&XP&cwA7Z1M=0qd;MUtS!r>`<6Qi^~SaGUE3pXCoFV-)Ym2^ zie&GxlL*@)JPusO*ay@Z-RLY`J@<=vApY4TdJN!dK0<)!>JN{5Jz7EjLPp@AoFCKBQgh_22~bbLYr zYY712p{QMvV&bH$q48trCpL_0UaUUmECpepBQQ|1Qa>2#~zefW{A5?b#mt> zrJUPbZNwfVoJBqVODq0PYR|a>hq%Y$CnJk>QcNB>z+YSna9!-JXhhXUQ$-x`6sF5$ zJUU~3X*)Pu=xwI@+-~Zz z?bso)G^F~T`g{NtwCDD%LgdFMdM^ey8hT%NN>liCaCK|m=Hdk{ytzb-sZGZd=QI3+ zwoHK#O;$+xZ>($Tmkp7RvTjW)Bp&SkKCJHAp@ChYq`bp!DC+3pETRE<{fs`+n;w2( z-k-(v5+bncTV5CDBh|shnI&Tr4}EnqGL$M5Cv};TxsfU0gOJViq%OyWko3@3Q-i;@ zp3alLzeFU)Eo9w;;1Q)|0fX7{H#eR@2R*)JEl$|CItM^1YVR7Jsn3GyJwD$I>d3mK z0p`t3t`B88q7AS7+MwP)9ob6Vsk?fbcjMZKwIr72Us5XpG-dOzSP64>#P~G6#xGda z#gJx4p=z{!xW?zZuHCGJuGb0CYQ9yhCs?>HHaHbiF(7O-Ot!0BjnXO3oG|)pQ@WsJjKf5$nfl4O#4Q=}kYq(ZAj10=K%K`=cxBSj5kBm_Um=dw z@nU$}kzCyz&_{P*vqO(UH*rwLvxb=bpwWcS4Yn?`joxuQ97Rk&w6Vb(R}gukZWXx9 z!tT|7<7xaIi>#9%t2`=M#^9@KSZg0wTKW({N)yCq(loV>l%>vk%s=b}X*-(??TaLK z$vm!oOBE(y+TAOMjQ;NnJy)$oh}=qYuBjdkn%%Z$cqmr~QBF0gt)dhs(zxTam7-9} z=#VC2@1}WYx}p9vMWN@`<-RoJ^t*KvaHOkqYTbHyT($#^Bf@cVWPzNr@QNL`5#Sqv z8Iw+(*@nc{s(%`gel#e@n<0#3bD!{qmGAy8vH3niUI1^rLfT0FPj;`S_NHPRh4gQ&V1sLDo>$R*Lm6c&B4$dw#NM@2xC^R z+FfKt@@ZcfLMN6$u!9^Wz?@DFS=3Qi(!CYr4u8;}GHOC(hKVpNCnaYnL13yA=R?ya z8&u_|yY4mHyZq3V(mNF+77^xWA4U7`IvvqHUdX4<3)zweru!f42xfBF_vK_0s;~{i z5&;@_%Iv-lFuQd3iC$&{y!+zL4XF26b3d-&wZGs_FY;c?v8ih#X?ZsdW8#Dt1q~}) z7ZcSULGKl^vgP>Bzr6sk_I>puxWytSQ1Pu|Bf;TlhrAx8%cnp42U7ovL;PGMaKs#- zN3)_8=n0r>8{<=cA(#m&D;jT%+xlR~BO_z780=kbd=}~o%zmX4w)L85a9d{KB7^t! zB_1mLJ~4&q65-%bBqJlUcmJ8WUeh4qUhGRwB&Ss-l7&!@YtW^qHt3Rq-n7SE)JjW^SflS2A+ELsL08~4k4$H%+g=o1>95#8EH-fj?%dd{N397Q88*Y>F7 zGh<8SPhrxUl-tXTlXbQIQ2Kc*T2<@MTYr`f{A2TWKjMu4jvtNc(4}!#6r>3>Wd5?a z6-uzkzoTgm&yE=FL`Xx@y+=9IQpo{dv?NM0;*q}wpIN);#MYNZL`vQVq$wH z=o_#b?B!p*=DG3!=*@%3es)EZZ(vNjw8>}dCM&6fSq@8WLet?SslSBE851{D%>(kB z9$gp~zx5)8g~4af!+9o9QZQv{y%D=58OBXX7_ME)sv$CnH@{8hPpm_*O&n!?t@%X% zyECF#v$6Kf&q8JOY3bLl3^wh(zL5T0qD+Z8redKK^T}Q(9r9+ovKCX`q`>PpPgRtm z3zvBB)4u21f#~{8{G04i^Zntl8`DSFRl=o(QQxIL@Ci3(*dL_^zp&nvSYzX>Q;Rj^ zE4=FQSq|05E5d#&BSo12XK(<8T?)|*q)7WW*z>>Pzee;^WaU{tW{)d|Wb#dL0~CZ* zIv|cFKKcStR`zz6=tag~b?)xPNbjy}VJNy@c~m#m^d$GF=b%Z|BK^b#L>a_veoy9D;tjdKx7Z{Jz5Lg_}y#fdZuJemyx04)RsEj zw*iD)RFy{rN0Cn^E&7chk653Dde4HTYK37QBRwaA0HZqsnx-)Cq)=ovQ$Xz0?_S_0 z3veI5d(`^{SIl8fkB~iNLO_Z%@fY1Xn&_XkxuB{tWfc|N8!or@cokV#Cl{KS`ST)i z!9R?4;(qVk96*4+BN})WOG``ZS+$1bxVV{&dNtn8zP@Rt2XdJrM#Rz}ix<-&6nP!Q zl!$kuhrrPu+5+`9ERU|aI4{==SV2T7HsL76H9yuupvBweh~CzeH^(fm9h5Nfrjin# z$bu}lrBRin+mPX^00wUQz7KQ}HuRJ0wI${|OEcbky00N*Z&mD64eH{F;cWe^723Uk z$mew+0enA9q;aJx5x11u41B&xFI zeK2Y-OB{^#t=b2A56I28BJbp_a08shuDrJjo%Y<5EMKiJ`2v*cz&>(u#L$=D?CQT8-ZvcHuOX|SRu3-if}fYJS<->YjAU(7+LjxSj*cR;k)O* zM?B<xvzqnKX;4!d}I1)wqXC!}+=l9-!ePWfxc1G@(_Vm6#^Q6MPaguRf1x@}@ zo?HFAI3^}A3%#rBbd$_yL`BE*meEIZUk6SXYFP3Mtn8pVH ztatjddCbUbFl{Zm-xS*$U0^D_2W0xl% zdVL7@BPiD=iVpR_kw0_e6kDO0C*|LLhs3NM;|2cui^|rWL^OSs3o7eBjitt=t3vjJ zPkksJfnBUyCoKB2_)H`TFXa5Z;K6yG~ z`HnxYJUN*QWsK{)6o;y4!Bzfh4E{=yTJ}*>j_>btKQT-;k9iY;ZB{`VdnQiW*f4`o z#C-4;XC{XX^rRuuA4`a>-puGS0kisEyUS^#N~h?xj3O3G_0mb`5=+yXEBm|{Acec= zVfg!zRAFjcpgfHs_bD+Zh;3h9j(-XB=@cslY!UgIPGZ{X*%(BhI==nCYAgSl6a&MR zKN?h7_SH_b=YeRy(){2bW_fKGeUX?h$1s4Jw))djQuL!0%fEzncXn>lB_}4b)z{b4 z)O}i*68Q37(CIqulaB_<;Z(oXy;o4sPOq}9DK+}?h(-M&6+TTQvAt|aUP_lQgOF@5 z{KmX=_C_HQke0J_f5MlzYf>S`^UO5%t?n_iYTBP)dORlXzJpmV3t;); z+UHAwJcpq=FGvn1#Lg<_{=owI3tte}{o-DpfM{mzFB+i#HUL>SVo_I474xNE9M@lD zAe+bj`zz>6Po}8Qzr6j$#~T^MRk39MoET31niT#^AR0wib9Gn7hP{4LMw_JO=H^~V zqF2+^*B4CoAGNwktXN1VKmY$A8X7jDXu>@n7F_zTe*Rr#{@>>2Pf>h(jQI2MKj=yz zmokxOqgmHeBmWP+{HT>W{H$)nI=rJkyS)3u6 zSY`AJi~y zJtiLT#^UcR`P3Z4*Euv)i@ThC8TcNIlF@!Wu>W4boFLIa?~HGT*CXsOL?6_=GY7M= zDH1Ar4|Rm;z0m*uf~OcKl+N+=$Ohe&;dm=Ug81Py5 z&S6Jwjbxp__-^8=8dQ2Smg~06LNmved@6ls(xtZ%#C8VkH2OpC9$0oGn4{>S*argE zS>FRjtjeTae(3wbm>gxA=Y}+q0X=j6G=#j_0*n8*8>n@&W z*ElXx$#l-%lrOo}{aN#wG3d(9V_63&Jd?v|LvnfCRUG>l|G!gKjT&MJ4PU;D7IEX8 ze8jEzxH#s~5`d=|Eg$fqN;0qe5!-H&O4?QjY$I|3vB6%s%9D1qxoupyR zftK64>9am1x1}Ix_ah$nMvOD~?(4rv{}nb6{lP0cW#KKu!^3$xCAv3Hs_{`gSh9Hfo`pB<;H?Zy*Kb`?-F19=(r=(`O#Nh=mbX& z;95yX>2FA2PvXhrS$Rn;gn^>@xn6U4Y19KF$|zr>8ef5@OZHWupXUFkkRFUihZI+niEO*%(|`W>gwO8zG<%HO--JG=|Xp6rNgxN z@?=d(lqLBex?1RTG4o($nGC^Br;WdAB(QnYGoC5tNRLc}_6wo=x5DB*_`ox`XZ8ef zDRouL4|8eN4d{}-50{-zbzgWleWjsN-A}qZ_$TvSxOTC)yAfc44b8|S7&%I)sJmwV zjh)aKJgdVUdgkrzovC3YkFs4}Ue5a220ziN}y}AEl)`>d_ zhXdnqRf{yVDA~@O?W_F z&^fi>YMypL8#7v@uh>w#!Y(D?^L+TQ&wOh|KGSpjPDFvCww7vfili#*EJ#jJtH~p3 z(gT5X5QZNJuL43_gRvto%9a_xb+uA?z;z!1v#o2awHXF17Yt*3d?6+UO?8d0hcD|l ze;T;p9=gbo>sTPg26JvG?b2rzOg?!){o>Sc*cAdO*@U&2^yh~<5)MY`T_pXPfB@)G zW6iXxKx*|?_;TYgIa->@mFB_d%ifwHt=)|w_#F`*75lP4W zCTX0T(TYW;g=;TvHAW2lejobTUC433$OBYWatCeb4bRK7OX_xWU0-!|!i_!7#4g@} zDuznsf~q_g8Ex4P7Mr?^k{=NF+{VcyAKOp@X2;NQ_dZvP!&w`FQOV?-s4OQmfgaS~DtElGD`qHu?bw8lYLOGWIacz&}WwLhk4pk5!PjF8$@U6dABH z=s|h3*YK?O9$B#jYD*Sdb67);PH=0x4jZGKSicbi_ta`mtXZ6v1tmusLr-+Co1Gj# zaO!o`tBb2=Btu)^jdif1{-?vMx$-Ty1iVk~r&Pas88)@vyBdz2mVB9NEGI=J|%?H5eH;ZpL2=AH~V<6Sj6 zZZW`|^FUR#s2YA5*QPtT4q9KoG8J?UJ{5p#mf2e#?|`0SS)zvNBBEyw@05Mn8y;99FjKTI6HlTZZ{1DXi!!w)deEbKryG{28mVO5n}<9B{&oc zb9o)zwFrzBL9O^Z_9fLF%@`6Me!MoiO}@?MY3AT{tB%R>bbmE^!L>jJtORn7V);9e zlVCW*Wn*dYZF5cdY}f~~wqzbdcEj4%6INxGj+}=-J*qXMi#ws4nzYgJixdW5sAXzS zZGig|kSu3swoB5D_=rON>&<4eBh{O4X-{`6smC+-I>m-^`gmOkVF>y`uc+8kE>cD* z%WBCZ_goI#$@F0lPr;OJ>%yn+_GPbdNvbX#X?6794)~bym(~jlG38YoBC|1SPr5Qc z&f&9w38LVDmON24JC+wLmCQR^Mqcli>hEsBTUcg=p9V7l7{N7nk#*0lSK(jG z`%LRs4oZ}NyTLet;jEwi5C^(s zeu$M1H>>l==~(L9`sYN+$7{^X@xU)+-B#4niKhWxS*l#PGEf2IQlkx8T+>hKigY#R zTs?93ZpJ=x5%2`vX$6V(PH_ckckaSgWt=RsjpvdX#hzYXcdZ0$Ojlq#=dv#O-clPQ zP!D~5xpv=9l2m+W`6z2$HiSA)2B);Hb0k-e3ynti9UlG&D}u!w#p?a2({$e~QSbYOYuqx>yY7{P z6IU`=t=7Q#fVBvvtR8j2fOw=DtS`#0R@&dg2!EWY@Z&T&YP;58xAX#h_xs@*iDqLZXaaYx-~MPCBhr~TwMQ!>Ve7WwmX%# z{o66ZSPk}znYBrqcmPs-b|PtUy2k`;(-EX~n8nr7%XQnfDyjdPw@kxYVROpXfh`s| z-t(foI)4iwEi;tH`D)JXXkT9a9hvy3gCG9#o!6*KZr_82eHmbc9z)c=`CL$KswZ(9 zXUP5K#$ahhM{mMn?0&q5@{uG@Im!zSQiZ!4!;(^{Hla!F%7OCCB05sP`OlT4s}^-`!e1?T8>!RccDHDs}5_CBGE{3wP~zS z{g2NxsB*G_P)VP1RTm`j{1!pMz_r9UNP|zm_x_qGM@G75=Z!t+P?&?2jQ0MTE6v}y zBt-DJP4YnF-Tl}?JtMoRY8z_Pt>@LPKb;TRo1}$+-eicEnB2n+h%UHV7m_W}JxL!k zD|)@*!PCgR^+6`=-kK4o$9A3iB^J+2Z@@=ABV5s@(eOIu_DSW*W`!>!2PE20s+jn? zSn<2-_2^@Mw23;)YnoB0(}7ChnrA& zYpNsjqw(BmPNq*ol;sKyJiJX9?%NEb<*^%@Lkinry(txcSdz35V=PqEqWP}pdy>`}MlI6UteOjsMz6j# zZJYH;*KNmb_W+=?at0@69D=20!D_cOx5{W3gAwS`CxYHHj(myUhTmh-N(o*atL9OT zihE)TnO~N=WGlX8rfuswFA(EJQT+lsfD{K-VmvHh)NZRzt2wObnBOv9qdM%Vc$iX_ zy7)KNPPIpfCj3jf_vOw--Md%g~9#uvW9Mkf>Xgwf?O6uPDo7n zkKGw8(-$uM1Vh=WP{MZQlzTREzkbeGpMGF3V>R-*@bib|-a7}luLGg;)daOV`Kd9P z!7}xZCe#WKFaN`jEPB4zKt1F7%^?fVQ4ZNyU>6QcTzuG4X32=9p6a$qB`$QSGG-Da5wKzYP#GCLam=`}tzh1ZqA98vPb8WrL{al?PAEBEFgDh%?|9-OL?@_mRq{iG#L zj&&gAK&iKSwwBi}oE2$m}&VXR6Fkch-J|90CPJ-=4Wiao-Ftu?ZV#~jAgI*JTwsU($XCU?D z(aH86Uk@>VnF|`Ob*ZI#<8G_J#A76tzY?=W^!I8ergh;*#dGBzM=PInVb4|tHo2<+ zbf5G@m(j51HH1Gnx#Myr4nd?QreAx))>Rc^?b~$s{GA~7o5qT%Pm;|jD?f!^#~psn zFQOfwjQsHs{!kNDHw{c#ZPXhx$|y zsUd~yOT;UAoJP-l>jhC(kMV+4Y2bS@`0?zOH1)c%gxZi%!%BR4F=EL33gzI^7u8j< zxo<3=oU6%r#kOB23-vn<1%!80Mp{|p<0WKVGuH+yVmN)*1=X)vvh)0g5f;y!lj||O zwWnTfCLf``=yf9?a&A`~6-Bw?4}ift%))kJdlKbs{1)iL+(egfcm33!DNw*Cq zzER@&ibkw>`TpCUnEEM0epUlx9H8G5F2*oNkFa}qwD(w6ZN)QQw5jNawtUEnh0N5- zSh3wUh09=7QeQmnHA8>PkrHFLq>4ljaYvY})-^2k#p$(6IaD0G{_73b``&Uk@C5VVj!~a#Go=k8M?9 ziFRo^?#$R)!(z!A{pFd!If zkXnw|Y(||FEX~LG_Mg-t;D`OCh%eH}H!mQUYA6H1CIKH#g6dIpohg?12!}=Em#S#U zNL6){-GM6P8Ooa8T0yxaf45sZf&so{+?xd z%qc@SNH|&>?18#6IidpBJ~-fL>KJ@FAMF{Xy^{9reFU#|Uv#y?xG{KAMip`oZpk9! zBablsb=X*+nw5I3|Btlq4r?;o`c)B75K$2jsTQP*Ql*26C>`ltrFW^J1`!kmDI!HW z(tCi=OClm5-B1!*2)&a?2?0XFeK~W^cb@OLGjnI=`Ug)iyk)QbTYc@dWH9QoNTP`b z#;@Z|SzN`~q}>p+254W6CZ2$2n##y<3GmN+f`=}A;1+Ej&|v0tuOte}{g4&SBp!^# z-rWK$*v2RNq{ek2|Gu!8CI2*Ae5#Z|;}Ou)W39tjc)FT1lDS`H3Y z9Q+eDe0w7A1oWD>32rhpTDgWb1E#Vl`;D1JOdr3-<1n-wXxb zkUmq1o=w7KnwtB%G=xV%yPuaWZ7Ta$%kAVi2IN?iIklQ*lAvKU&!7FDCH()f6I|fJ(fM6R~ zxVQ*79eew2wO?CZttAI>M@MHM5C^#ps95UAca$ z2dib~Ikk~7lFueg%%m8N3rD-hffg}Ut)FZ84+m{9o>4!PG?cmcrGpQ@@iYf9YJBfT z3TQ_hb8qaA-d)YQTsgjtt!P!y^?X^C~_~>n_ru@FgVA9s2 zxSQW=xXI#Gx!k2MAyb+7sYqLLfa#mCIvCjVA<|sL=WK(#{wpj*x03;F7=u`4G{He4 zW9oCC%4zN7&ap#2-Gvn`Pe$C;7X-J?G1pi6uYTj(it;-z>nJN{`h4+S4w*?rp2w*< zdU(BJtBdwl@)HHC^iFT{^!x4OQu|U8sdXcbWh=RnJsFMF%P{fng`MPL zl#9uRm;)~L-1DAg10Grjv?Kr5mg&vs*Ib_7ZQezA-pC+KF;@!(^@g#_4Oma~6->?+ zn`P9P-42|69lP{7nt>r|Z$gtvCipAm)+Q%s!_sSkb=pFde)?%!m-Tf^IX8sQ>javu z!`JS8gpWl-uo5!J^y9>)JFRV)(1N&mAFr6(MIL~wESV$gM6HVSGcxLWwZuTcSo5*`2B?s zYrZypO}IYsrZM$u?V(MV;^g&TT5~P390D8LV#`-HVFBDuvOnLm5q%~M{cF}X%qIx+ ze%k&1%jeuaG<=(6_Mto(bjytNO<#E~5qC3AoMTzsuJc|Hb^S(^DcX)tE{(MQW$r8B z)bppRr@pw`Vuw$5C-tCId{u(?=E9r1_{jcocR6m(kTzmjkNz}F%?+IWd=H(z`R`1v%-Im=hj14s0c6>ki}&oCX;wI5bbX!H)Q|@4 z%!cwHsmHs7$9T;_hw?6e_qnPjOhXStf_;jAMoos6iv_+I$=yFP%ks^f-iN{hOm+KSap;M~6sS+dCKadaYQvOC zNk^HiTZ0eARcnf1&3c(JU)ZeX>jsZ#><19UI+~gc5@<4s$iS86K_?xEhJ`wi8HBoA z1F?NJ#VvJzDHt-u$eSW*k1f`wKWa*O@*YVhv@>W5y3TOg2J8pXXj^7KQ!rbd#tTO1PD zN1l6d`(fdqI?uz8!o4AiQY2KlaR4ZH<rAg#lA<~ofx1nLK z?Tp$d>;1#^WZZF|=F2i4D8s>SUJQ#-p!*zskW*6d$C`6-Hh9Mo26+8$aHawWXoT}< z)BPC>{hep)=u@^ZjHBPxhi`+#G6;j+U?d1RQm(3uC^-7KlsX z^JX~{C!@MAbcyx)t;zU@rOBA14N~k`K{Cy_gv*+bXy1Gq#fK}yCVQjSbKYBTB7F4X zO^gLI{uQ2U8OO6_)PZkb>TG<>piPfmy*8m~vOJn?_2VIH@Rapi!b&5gFjhx{sG~f& zIoiFhZrteO@bDsIN--~j=GBCxu)o1WYl(|Rd_{3n_t3t6E_2Q4PB4wsNLjQ*F*BdD zg?-p0Qtw;|j$?JjB!)9`g`dlx&UDD`bIb0AH^kw9G(txA4m#K&+Y_zU001QdUiM&IbR^ApAdT4XnR!yY+FBluG;7#lXR_$=>BIK7{+mes;@9jh}d*GZZMH$#*ZPgs1_KS{JHlYXYvyP?{2@_A zIXQ{LFZuhdT(d!x$z5?ZIbn>#{7DeH$dK46A9S;#G@@&DxO8sNtLhE8{RO}LRzO8m zUT<_S1Ijl&Y*VA9_@J!b-Q&&0lcue{teLMcmhxjWYE%}p#dyjCUj%ru5rmw!$P=4)x zG%t75^Z+nolN4ktUfRqwJ@swImMl34oW@UC9Ub)bEaK+Y57V-;Ez*Kt-yc?=V7L^N zaj+IcKnt+Ug&gf&MRuJZ0FypQ-d=&hGK*JK8DdD79E*F)aG?1)c~j|44OyS{bu_D1 zS~RpW<;a9@!#8%F$b+oyOo3cCa~nry>5GU>;iO=X91#y6YUmE>)2x3NXOE%Z@GD#{ z=0$qV#)_xkEJc07#EmJ8Go@e2%iO?cNP%$--{B%1)8vBs2Wt_!e_8{Wb?;Ow{4JB= zYq9@SO!!fRac=JY@c6Yyd$EmZUC-!?5*nW+ zTW=+-7`*Z3S@(V|(;;dpxACo#>TnkFO9VMo&>>(dkaljska4%iQMTTCI`8~|p)M?9 zl@DV>Lwj>jVfCVAOH2pQ9;D46@;Y`$@=41@1+n#uJf~1y%qZB)8U?k-qqrwBH^0ze zzl&P%SOq#^ntxD0B3{&`oYg@%d-ppg4d*+&rA^XTG;IF)MBGtYXSM;78Aa4~0#3#X z%`q43^90zRYaLs#(lM;lls$OAYB&j+km>OjpIp|-8l}i9=Vcx z-;0xM#MhZ^-WDVfz)hE$D^#4c_J|=0me*&0y5$FM)UQ6IN}spYFzl`PW{4MA&%A8A zy=NGvees3+BIkn*@s$CHz<~3l9&dEH&8_o0I9R5dLChS|>qWXHm&@Fz8jT&az}Q^t zt+|njlwkdH!K1i51#a#G)br#=X)Jxng9G85Cy3Gc%+twD&x5LGpH32=`(8V$xsbs$ zK-6@YYUy^A{dtyNTI#zSAeGZoccx?NW{v^qIT#?G%%t&|&Fh2p2kI_Z@au8o@%jj_ zmVKVn$}*YunT&_0Hs=B}&8s<%zVqUvIbFN3nV`N^J>;Q)$+F{hG|;E}$+i0)%uoLG z5b88gt?JHs?)7g`hY+q)hVYmA+Ft7Js~6QbY7uphO*RJoWctkv=P!Du@|2fgM;b=X zjAtiD4EV&CML!r_R|w~k=j2xC+vCf(4Ua6SbDfy&Zokguo!oQhS-X`|_!&1V_fwLl zuczgcxyw=5X#}V4FMtQ~7ulJb9TgVhn?u9v=jxkt zKK`c{zzTk|e-vc>c5|}uli=`B@i+^08aEFC8MaObC$6V`-OxzWY4R5{^|0MN>kGTk_+ zLUs>9ve@&@jQzF!K6B#wwTalJz*nORH=%AkvE@M&-p8Ei+|FJXlmtDdFbA!;;q8*kCk$K+{N9`lbQ;&}17%a-ga2DhP zAfFdj_ke)spy5n9jx)PescD0ww(Gcoe1WA_^~mY$nlHI~z8M8wSLpe-NV*@(>*4@~ zwL|#um>5qk@Haj#yjU)lkiJ_IY20=H%{b7~I#^*t=GbBwBjuEsnR)HCPtE5h9t}(d zy;9LBqhkvmddzk93ouZ{-!1#q>#Q?O-)}QLtay$?VQb8Yb}cB23XrnWMZCX$sgZWX z&UHDjGeTiIVe_e=XZ`)IKA$wI&R#o=(V7&s>ra!~P8}P=Z>ED7;x@t)(=6|L?v`NK zC+XwvZ8Tqhb>h?+uHXAH&BXO=vP=o661bpv;-tbU?72R$0rg0=$98wtK?3SY@GPur zs&o>@qKcllC1yWwQHp4k;Vo}wck)r-adLU+o9paD*_l*V7C>4RDp|-vwyfU*)vACp zQwrUBN3BJMZ*kwGoV4-Cv4(0=&`q}b*uK$fmwY#3=l!)kS->{JRxdj0eGLU=%(72z zuUe|W)eG48v$~x!`rFdEofo9+rXNGiK1SG5?K0mfZy6z6pcNaX2(8tZ80RV}Gd zd`PPT6a5?J+wb1Wfee*HG-j_hG53^ajuLN5k*A;M58Pnj+)X8+yejx%#&!4%gRy{5 z0h8lKkRK%J%Y?cbQ`A)|66J{&p3^k%TrOdTcgnDq(LbFb*wS4Hm=G}rQs#e8mrA)l zHS8^G>f^Gx3i8PO)K?|{b$g!q=xz^IHHYdfw*3{J9Vr~!{0qOmn@RPKbA0BG6gl>} z$HSx>>bKTgk#gidPRxZMh?LF#RQRNqRKA6JUU@(eBy5&c<*$|^#e-iPq3`OfqLK#_Npib6N<|S6mqq>VPA1Jg#C$W|D*Z=_rs}YPuY9w z>?`al+Jl7lTy>`i>;=I#@PIe7;OX90KNq$MBaSO8q^yW?*5M6a7M~wyx61HbVem`E z#MX#Df!<$?`?sG<@aN1jp0;?TV7>q|m_&Vo_f4W+5y9G~7=@Y@|LrB?j}k4Gu9KBI zDUz!p>v{b2i(-b^pRl)hxS>GWXFfWYw{4~V2#<$Cox@JL0We` zlka%HF49#x@f(o;h35bDgDX~X8Z%8-O}X)JMyMD#Jvru-{-FW(3GpE`>P09m|2Dcd zKM8%30h?(DS(Y_$-a7rt{_VVW(vNr38I_*Y=W8@4KOsgjX3{r7clwNx4^E7j!&2~; zP+Gcf_Nk+D&}Of>r-hv z?GBwTEuDSrP4J}NX__c$$}s$F=W~&j!EQB#{|k(Bxs4TDx+Sc|!D^4PsWsd^^m>Aq z{r(F(fZL<{ieRsEK-Tt>WCUcyaW^G1{Uf2gnFF71DhTZ%1gVSdPe5fT{Ce`sPI;HT zY@#~6muI0TSI}tL{C1X{PtR2!Iy`Z!hR%1rzwP08E4we_%g`2q*DaP!o$d;}cX?c* zovS#=Me6PYV;~~(eVNA4ErAn#d{@nqrfIl1h<$4P{18LB3b!lPU+V)N^z}l<3UEhz z77aUjYRyxIE#qwKSpI%Uw!M{?-Um|bN5k-|W-k@&4UrT^;`g{^jD&-6K_;Bv21|eO z?8qb3pObdIPjXfnH+e^`6evMqV_(t}4!&k)I2G*4f1Rx^z^OC$-CB#EA@#>X&ERZX z3znABCB+*x#h4byS+Mq4sN34X?HQRzx`s$F=meyR!%{(hTI#lwGbTuXcY9b)^BAKC z;4IXku2qHvfsyX}h-IsLcUb}YRtVXYOOFt`z?vl01jV_Bz^GF+NA%9Nld^72DPRM1 zDlXS7_|y8p7Vw@&b=`acq0pFB`B7(yyI&vNA8`jy!moaz4_YCZEh%{fJw{^M8f~-n zj%DcoLf!xTIx3*}^dQJO*g>3b=RN(TI%;BRfRN^#ij`6-+5_-KQ#zSH4%(_rofUr7MX?~cXeTi-1m z5z?TIlPGah*-r47ds4!L!sz*{Tubo>I(Tkrk#XZvJmgCwykTIYLB$vB{*~@$nGFaL z(4adRQmL6rtPvqN*#*#D@e=WIoEUW@Q9H|!di+NOXUQB)gIT}YWH?^%!xnF^_&49sPvpnApf~?kahRrI5@7x>5-H|JG#$u_FlLTeLgV?L~tjla`!j^iu zdW!%kVZSNa!XsYf=+V;>j%-c^gxYarHQs$1Q3y^)0T(PlRJ; z^!nDm-d1@hLwi8fm0cS4qH$Lar6pS&)v@S{<~Sl6G>!M5<^&RIOQUCDNI{`&I1@ho z{zemBl?X<%3Y60-&3Q!rh`TLNEqhS7-Rs-`mby;vyTCI|s2-82Z*M7nJ6al3l!8jt zY-#9LO17<_F_>f#OOS z`WKTpK@GY!qRvgw)f7g?!byq4-KWWK#9wJD%vIZGdLz_^X&!xNQBOkcahBbW z9fr;N*KrM~Kn0vkK@-L>sG?`Tec1|F)k)6Bk zyi}`Tlfe7U_q(98gf=xSUcV@O6|BvU<0ORAcjBeXhnI|vJIzhY>#7!w5Z+gJHeetO zsGnr}&XW1)#VVN}knFI}n+;Tp#7W!E4j~_n{7U}Xp zo_(pWzvsEr)zvjvh{$-wI#K5jFX`-H(xXLV%zFeZTR!pc-jlW{?U zxD)cRK_bsu9!izzHx*KG8tG;!Ok3(aE=QnxiFWTu_lQmK_S76_lkxSL|LPe^^APc@ zN|#=)Cca1}pvdi&wUW-4vZh>mtdGVhsV~~u5iSVN#i#%fsp2@8u^%Qb4Nnwe$ z41YB?-?&nI^kJy?DH}QP-ca~_C~L=9CI+E%cWZD#IFib=D2i&wtGZ)lVn%yq0tT7C z>{}I1?C&zpfH^nTXz&EM7czdvTx$qr46FHS?K9L6L)>^!&_pVBVIW@-UZNXkcvot? zY|$84YL7%5W(Oi(Eq*d@eRWk()Vm93VWo$9-9I8ZY7pA4RvPS>T@N)pLN!LGan*HW zO+^D?p6GzB88^-!w*;I#nFVr)?@lg#o*DMpEgrKSD+&}PvI^9L2K?j-y@h3H@hF2> z%OHW5xUeZ6)uqMs^zxIIC2OP{PYaksasxJ_d700++V!Jz|ETriR&Q{o1j-G-l=L2V zr-dVo=y+k}g%ez#FF{ISC{Y87xzT9Z!rbghYTDXJbK7X}avOWlFXs_|_LQ)bYp2Oc zO)OXc8>BFcnb`d7tJGXmENskIT+x^!MC`MA&q!N&4I~D)2)0YlS@6j!n9}vHTeHGs zRu9+>-C9*^uo+F-kNFix)3(a^f5}%O5E#zb8wzn}f!8^h0~m zA&Xe=et(c@miuH-;f;R<5Ppq*S6N69uw>*(&9$w;_c@oaq@j-DxGyB zl_o$-v+&+FE(SB+pO(N*l$qXQ#^T}>#pIY@5s5qLD_cLlhc9Fr{A%E6qVluPVu|+%l7%30&gu?>_2BsVA8ju z*{4^mlU;^Nqn0yucdmtuU%6AhP1{b=z+`Hv`%An~dNrfN;#2b|o3yLQVk3je{jqu*t8SJ)$@x-S{xq)1WJlBdI1=g|+J= z<*N&ord#8?!5OQgU-q#2Bg7E$Z08WOf(tqIAupXg;2RipfXdb_5vWWc`A z6@O(nuX|%da6N=-yw=II!C1!I zlrC3h4P*DNU!!i5ly*Me!93~>Cz1`T^}A|FD(9ta$8G|Vpa zC{xG(Bhzy>-tE4yhJNNJ8*@Hd?(I0hpbCo6Q2jPUo{RVbhGP+ZP3$bqgob`L{kq;v0>AdWM2A@wnq5~Ji}g*8gkkYojk?b7*A< zDwFAO-j&8EcxG*Bp1et*JWQaYD;&W+0KzkuU!EgGcuyexf-+VD)Npy?#%Z3p@K+3l z@pyCzKY@ZERc7B(8n6+>iE*;jg>~kj#!VGqeDtPcI10uf-iPqWHSZbI9cI}b&vw28 zG_o#ic3ZFWTsugZy?~z(8X3)DWw(xWAI8>#+~|Ba6i5rYi*O3DI|Rfw=TKjBglC!l zE_nJ}ey7-0(ZyY&;7>VC1p<#Iv0Cq0wdh-%lhX6{BO=dbLTGVwa9~WUF}VQG;!X$$ zjb-wX%dLVj?;YFli@m{hnc-j3yc7IJa4t~8zO8YuD#nK#>P6ApIT-P@Y!q$@8T$Co zIY&)hUF=8_(e>6`TYK{eadG|pO1L5yFj;HY8mz9S_GxG5>&eiNT1ezZQBgourLDE~ zV;`TDtjb2;-c~k-+j$9h_*^`)s=v2?e}eM~%GG}%knCb}gmm^6XXm}_=+t+9vdE9e zA$|0b*r#n|uTYiGgo$yDpZ=R@4N+|%aAwe$@59Ir1Qb_x7*h@3Q5lZtA$lWHr0VU~ zLf4%~BT+($+(;=8>MO`$GcScqG`Yc^3M2$EGR_sx@$_cyt0s<*WGMFPXvI_qBjxpo zBb!9;RXb|w0kgYp=fBd~I=9G6=X%9P^QEt20lSicZhSIR%?3-IQb~xEfr+u8#2*_% z1K$?w?H-CbjrRKEfVS9uCZ;D3oz~UMQ}o>}nSyZ3X>km3LJ)ssi**ZWI+|*O^BuPy zp>A~9NG8XpU@@H=O{0jU&T#yu#~EM0GupGRTcFfvCx2JgxiFHxemSExTw+-x=S38avfdS5Bzw7m`+^T}xsYvx2+Aeb%lT zCuA7#P2`5%T(LDLrnp;n4rXmLrW%}1I5`1w)i*}YIi`=AG#bNCe1U(6b&(6Kb|v~7 zJM`ID29+Bu`0mITVCYT69G=@1o7IYRJu>6rqjjP0Mmm;dX3;<#pDJ)+Y2; z8jL}|imLLiXBLd?qf2g2(eHSg9|b7k+#4txkahtn_@JOCZ^%tKRZAmdw*fc@;mJ}L z$|aX%^%unTmX^Ng(3`?-#lL1mOeMKif*HeJ|50k>m14!I(;uh>l;MudT+f=t?kauF z)2OCQ8od2EUg8VTz_poDYrtg| z;>T~iv^|2(r!bV)@Z_@8Xa(;KU!{vJmb=tDuXyRFV*dc{@affIr)QkCw)te|6cBQm zqAS!29ZY$w-=vBLx^_>N*1cX5kCe;vI7L3yAs{&j!$bfiB(t$S7M=DlX@Hg~Eqx;I zzp-Zm3mx=47B%cGZ8%%O^G6CSgk-_x0arM6{(r)gidpI>=^~m*I};k23P~j68?CdA zZP~NvU9EAapmj;%RoXnJvp2ur`n)ZQp!tl(1b@k5LKrykr)=zmcyg8wUTNGU!kdNR zLgbq6x#60VVv*||8?5VX-9o*e1`4!_ox*=?vYj}UGD7%1#glx4v`2_hPwx&9`U-+j z5D!s12+x+05B22NZD>1;)$4XVGwm5B2ur~3A8pPs_sLToYlCC+M*j)9hP0eQKW*w- zA-z@G?hwii=)vBqS2To+_&G;Oq4BNk;70Cl7|p{jR%*efR@zk?Y;->n(h^6lumk+Ja*ng6o;A5#PbJ z|D@%J9~GCF%;)PZ9;o&0VKNo20mmW)Ml>l-of+l`nT?AZ7iF;p=uz|N+2fdN9!8yD zi*3GfbKWCgk~H|*H?=pEz_XqmF~2J^#NdJlNX@@^lJ9K{k&aGCo%*A<2)TNU?2fLn zYyU|PYLiZJ8!Ug;75nVGpU=3}#mVrH;vDZ8F6}1DM8G+-lXY(lGd|MGn`d0qxACl1 zJ`rMaYa0CdAv8kRqHdHt5?d|gP~)6W#CUmZK?(3DqE@Fb+KWNfX9>>sE?=HV{e)*a2F&{KURNTsU(-%Mvb^JP7=|DJLiQPG}XJ zG(4YgDIDbD4dhrZFujqfa;_qGke}nN4k^q0; zhb5gjId}V9@!xyszn7tCehJvY+vyt7fI#{WFZ_*9FV6zu-fvkEe<%e1?2BRUkROd+ zci3nF^t{ZXDYb-?73I95S^viKk4e&ffve4z7Qk2rM+RM6rs-63~lO*F~((=my z==YAvRe@O*%fI;oaVK=bY|{FE{d)OCRW%NfHSgcOyCa7xGv#5GaK6(6V?>t&eSP9S ze_pOhcY_~KhpTZ+SRb$H0WtOfv{OttO_f>q!&za!tUNopo$qgw^X2q0Z!V=dz4TR8 zjSzF2G85Zt%H|dkc?!%L=s~MPqd{v(4JKg=^`E{CCSHGn@jnDtNCXY=2$fQ;O!-Sp zOpA6J?WsUV>f-@=aR50}bj(5#sS+;yLMGLBLcOt*#*6*w0?NwD`B60g4DI>=tCG$% zhPI3U2-p~}@u}SeB)mckNpfL+{zs$t8ZcflM~~VCbz%z`x;C~Z_D=TNH6@@Ak3q38 z-QT3%Z?IIf0XT%7tKcN&Dlg1)NwY~sRaNy>Mqa9T$=+*9T2;u)n)T7jw*Gq@3=CFv zj(4O1NzC<+B(b*5@!Br*r%Dc-U)+WA=W6Wl@6Vq8prWD@?&VDN;2$yQw`;sYu}MjW zjg?nTfSzV1P7^U*)K@he3?zlKx`c$z6t#4XTK#X8|^28l0h{V71a(`LKX6>F0 zL&5k)qF8DG@s%Rx@Z!8}R~&a-LV`_V(LcZmfTs~5#kcMX-~OFwJWER}>NGbyt1c%c zWef}$uuk;!^t2f%*0*hV-u5;wKHfU9X0TXa0AhooWVZtPn8Er4e+%IMRcQX_?-Gtn z1nJEmJ`DTb*-12p7Vz=&tL_Z&VH<1TgePfEaxP^FJ;<{LlUW7rGUdDOFV@486jnN8vzomHR3S6Y%=_`uh`3OWn@8GwBs40XEY< z8`5vy7~qnSl*EGpZzmYC(*CcT{F%-A8|}4aD1QLDwfXYp%RhEjhDfDn%lSk_p{f(q zbp3J?? zbKBIl!xjJh97@GGH*!>l>hu?a{w}fqgibZ4Szcn#H!_5w|I%D%?oY4ONm3$84sV+` z`bef%Rrz#<#VFkA`IC~T-{qC8UD^wGEQkXaMIQnhaW`49BYNX0AngEAzct=7fP?x~ z03PG-UiwEGv@i`&9toaS0>E|CuP)R-8)l*Y?(Px$_aHH>AM&fw{}~(eKN90Fvw&rR zvn)@tDg2Y`hm8TTw6TfXuc#?JB)s3zP=m=@J%<{g8HUtkx+tP@W{3TxGACF7@dA>AyyXLI+^sP9|xj zW3-O&YQvv5564782^CEhk9~ldDm8VF__{7}z?M3>Jw!lHEDRD+2PE$=o=4zIjO;>w zV^USK5V$J)qfbnI8m7o-_NTF_c8NKxVzHx-&hC0Vaeu!)THRGzQkGy#mzrE;vuLdf z)`1yEM@J;SHF#AEm}Hm68l6gv4K08$-_!FB0q+>I8q5vyAcBy9ulVD7CHfd}?(jij zT;Wp}@5*Zu(guw+>$aTZyQLdd9-a$AYuWUj^B0$ajCQq}FDg~d`e8hYnUz7HNaJaqVXB45D9x4Nm)|IqHd>Ub zy)Eme!c8K4n7g9a*)1lDRK8CQd|PjJ?&ABgX)^HdlGFbey0uZq-ofmLW2-JOuz9&8 zadOg(kC&Gh)C0H*V-xKi9TCW!?Cji%3hk|}t((B?A|E5A$g907$0gVIxnCmLL64gr zoUaWZBK91m2NttP4>r=9A1$)l`XM0j?t&P3*F*wJ^+idd$QCSMV}*HfsmIDLZNZz@ ze-Z^Fr#P72TVPJ!+hefZUvI+2@3sV_E`)0qqgg7%3j-!KI8*mE({_uRclsi2_Y-y9 z60FWkBLz7LU+?BySmZr1WAIx)}$ zU!LIyijH;4Ieenz1_z_m7E%l$G_8f_F7k)OKjO=#7uU;GH{C68?mk0myO|Ts#toE| zEr9rSnaG0lL0efEZ$_8qxeqeAT142c?Eo16Ay8^NGUB|B73qk83bxrm*2G=G=mCX4 zz(~jPg+gp-p8g9bCv=L(Qnqn-47Oous(_I7h29_g-k+X5xaYKJ$4!BNeOgNex4&!> zdg}o4PNcusc1Gj(A`)c&7JobtkGK+CqMk|>Q;?T87BZLr@z{mBaQ)=cHDg4Mc%Q1N@(b^^0 z$UP$AiP=##5HD6gSYp0qZx(#=+UHm9b)Rr{&%*}fhR{jUe@*yk8v;s#;Asn-4dmul zPLXuGeO1gN`4Wqm9Zn)@^pn0R7h=>S3l(qJ^698ETXRDt$IxXr}H^n}4&rzZb z89a5ge|VNRNkC7%NQm`t-M{QjOCk1o`9^06tt)_A{&Y5 z+m?R5rrgwXlos)R>#*^Wrjl#IVn@dry*foDoshsCV!a1QG`O$XgQ%C^hMh&nC8s(_ z^mX?E0fT_kwb*f6-johW@xLBDXa!6fY-cySUT!0qU!$5=%$=P5hkl z5l}0e^ywf?5ESg21TdUk5!gojGBa~hO^Ww1x|+Yq`Vp2uyZf@A6`zHm+cT*3Cou>L zx7K4%@Q;kZ|Mi6>pdo^kcW(m&aYjRCQ`pVaR8_mD#9LeTXqiB6$v_yf$!8;OZ_l^M zI20kyDs}9$7M7i&V_?WbU!zv*aYf&pJg5m1Dlt?WPiv@hSWp#RSROTUs35=+f$7tJ zNXv@65d0b~0>7sA9yO~CPNlv#%SsKoYd2OmDEEj89Hw$u=N*!kUv z{@|wXhNGJQid2Aip$%=66>ASra%;M(j1(1}sJF@ybDK01TibdqzMc2LgZjxk7i(mA zRd(xg3ffHVk>(@qv7U62)^HR+=pd?Wd#>(Vt>|_A=;sB=2D7Kl z{q*){^Oq$@UxIIpG80ygg5 zuQMwn`AIt)FAJUfCi#JClUV!&iju9ZC0nV5$|JVMCGwU~sbB7o{M{BgXYb^chD+hoclG#}RHqcjwAa^?pI(m8t7JXM9xPdlb zNV&?n_?fy%K^=qGYIvND-1-)J&F#nQ%z_^mZ}cbL=x2EjnrQY&X!b|r$r76rJ{wMu z$GuaQ9=^Efrkj0@%rXmmJ;I;JcIQA$8-{2t3xis9-@S{F-4vtxtyR|f570;c8>=Ig z16}p>Q@f5OeY8t#cLz^LI!*t|6E+vDyj!_76UAv9@HSEB&i_>dv^+ zo0?eDSSK4*xb9-vu9+z;C~W~$9x$-`bAdKf#Y+Zl0pFUAXC0b&syL8kP!L<$inYsM&5efZ4h*hxP zugUQB-4RoR9u;^HZyi1SK_FDjsp0?+v2>!0Cejz8{GvI;#?QlqYd*Em9aOaTxnX!s zMe0tkz8L>>DQ^Ba*FLtUkyDbb)HPSy5S@8YSu)b(kBGhNLDpf8muA|?Lv0J;CNKZ; zZB{8Bf7%%zy@jLAtcGq9qjOPjEhfnQQEr&x+iPvq!WQIgF{jVgZ?E2+W@{=(sZ=Oq zED4$0uh@{4nHUXQ$ZVckP9!KRjiP1=#2mQa1-Nq>09Fjh^h~`7P^dY?Cl;8 z#HkP-8z+~dS;eBA)-BE%p}y)C?6{&jixP>&$+hWKd{#NSHI_$y9qHL2qbbT0mWU5X ztth`o{VdDu>o^FcsVpi%=dfQC%g-oS9wfHc=oSvcVi%A&DWV1B*`^(tSdDqM35=q! z5W6#;PB{g7X%6yTItlB`OEfhd>l*2lG%}NsD8*<`)h}wSB#xI2`;5O_{Zf#?a(p{c zQoxZfhUO`O)4nvQI&G40d4Kw?`^nJuni$(mh2US5CPMmN=ryF7c`>MqB;m;ja)i-;L%t+7!MCzGNwx^kPyYpd8Ylm@-#w zA5w>`HTr)<9K1++R2h}#m|)ptq*S0e_OS(Bl<1#cyRL;$G!VkNsCw@>EDudFEX(t_ zlp9X~N2f%pQQFXEZc+0o(!RMd)H_O!+}>$+{py|ag{`^r3W{pcs?eU4a+W0Vy*hi) zm&1k~Eg4^n&_VIFy_xj$l0-qsrCZOpeij~W)BFOjLsb@tewc*uY9%iUmMPr1AsBF= z(vR3FsVw@&>DJzE7rQl3`Y@>QgCx^BGU4L_bPf+}^H~{!#e87#s0?yWks_5tfrgo~ zpp3BsH=BY5ala{RMEIG(LBp|-bvYA!EG>0RE87kfiMMM`KL_lijAp{a2bP_@f0YZ{9S?}K8 zd)|GWz29}N@9+7S3o?^AXU6l4G4A^w_Z$aCK72dR$^h9r-s_G>f}CciZgmQ)}8AJng^SK&gXk;cLOUCC|h7pDGn8*j8O0Kzs=a=)X6v`6)c=kTuqgWW2lw z{Op%%$Kv;LOWDnOQtD`{nq%EuLE=39@SZ2ak@La-TPl)JiPj2{-hu zmpM>fd@Uv}Hu*{}=8_%4YxHy(n{=}S)1l(g<=mYlMTFgo6Ay_ySMA|8rl#SQa{l6$ zqX<>!@$+t0U?oW8>p&q|MtHQV;Zhdo`zoA3drC=XYDR@a1^XfYbw2AC0kn9aFmPP{x(bIaK<<1%zBs+ zLVH-t0>1W@usco07M}L5+@DtvRgrE@^-i6N7vz2$C4zjs@%AR>`JiUJN&loB&?=6e zOGO1&%!th5je$Ap_rUmp0@apXDxqEqZ^s@%T1cjCmsj0MD-#n(?a!PqmYjlwrO>(T z?*OwBx#k$v8fEMglPu_Ob2V;V6 zFJ6!^(@CqF*yu;k2+IGmiMFSk2{YXx@ey4O*y@Rp;LFP<{Y}372eF^2T}I$~tMSMo z;5L7cUo>`8n6NK9-k9QS)6AMp{)UPeM|)=DNW1~McVTvWMrlasVur{K_TGs`Oj3X# zt%l#@-$5Y%fXJIzibqjssV0^(8+ar4Q?J6@Xplv+p?-YqQ{dA(L%pu{r(W;}Jy%O&I^rl!ZRxVIvc)~p) zh%FIuilhyf6CAY-0#ZKGph4|1@UP{A)Mxq%dgI3xO8H9@l2akPJjirT3nFXr;&Fu) z|AFl3*$h2F*BD8ER8?ogv!e(!a9P)!JoE2?4JJU}ITyk{)|)N5L$ZQ+HQ0=3nS0Nx z2irr2FK_7*&=Vl_GAvT^a9{T{OSNiVWUi|PZs3T}uAf)Qm+b7k)2J`#5$?QG%S8+@ z6!T{e0WJzicQN9lq0>W<%@4Uf?=yltHJYbQat$6IyWl;xm|K=>OVVQutJwp8L|0oN zSQzJfzQVIfsDkuR(0;I3SP61=d)tB2TUm?I@DD|=?at005tnVRgMqS(L&^pI9u%qd ze!nE(at0Wx(cW__8T~5f&)*E)TsQ-8x5E6A|0wxxoX)$(tCl>xG2d0{K>#K9+%-%_ z7nmeRy_R$?bM40^?jRsFr328utl|!7ra+<;F~ss6omGF8lq94!@EJ^Zv<<}M1k*j! z7>zPbIDdp(G>mC1pi2`9GONbQL~JBGIzvJz^QrKNRqIj;pP8`nha8JO%2X!rsF|_J zZG>uUeEG6nannd@S@?~7>$G?1ESe!Mp{|uW^{JnIPkY&$dV0eHiRhTAON5ML#%PE;9u!Mv zD$h4J3gm|6!BsA)Ug8}QD_({OpU3Nj6c^BfTm+T{ryX2R6w-Oxqo-DUZ@shLxh0F#jr zv_wgp^0HLV`Z&=4xr$?d`bWQeqe}ae=TQF2qk0=qOXlZ!#rsYH1@UOCg|SWAoWH!* z?k~?Q1+tFP#VLy|x1j!eq|nk!&+*^~sXl1vf>*LDBe1syIQpr>)68%8KI$|NO`PZn zF2zk9FV=PeOdCv6Jb(KXKy36V56~AhNh3RF)q4VSauoW@4T8_EZrLvC;n{+jnfa48 z?dI6R5(e{_`+;zCf?@BcmAy#;(E*Z+Hl=)!LZ0KTUXk7{xKSn(AtiI< zTT3xRWl-QQ3u$yx{AcJN#bG%qFUD;c)x{uOjfNHoER;M?6dwfX<8zMquqv97#01r2z+15 z^MdXX@paHWo~lsG^|tFUdE~Jrzj)va2OAkgO6#(SZp*>&%&N`}ZOL-8=OpKf(RVi43Z;bYK53z#*Aas> zkM!z_t-1j(tX&9l2C!mTMJnFUb^0EZ3XE{ni!?4}s0|u71shp5AuS8!6wbAUtqiYh zEa=Ykemc?*KDKH(o<Vmu|B|Q<|9Sb!mB=pz1$d5WWJye&^^cYo%7OLtQA5T)1oqG2DYWJOHXP&NU42$0TKH2_|%Vl-D?p92~{`mY*eX2}+GD%YFrU`V@ zv5wh@cdSaLfuecx4fJ+@Pc%mky$U-uSC-{vQH{@#w&jY#%Y>epieSBzf+EW>iWL&@1`s-S*WT56w$$mQEB2np`F(u6; zpoTB6`eJx#PIQMjK^(m@1LIwF?XKj^q8rozu5_hjk`$4H-e z@#VKkR-#4DUAvU!*@dk3UjzI`e@&s)dgUODTS|u zrv>BBy#*YZkTKf3PwUz{pGtleIw8`LA7lI(7j@~qwVI~e>NlR3&j6$`^NWV7E5;RQ zSOx&M4z(e;5nDYV6D=E7bEymRsPphFTxA}G5%VG zIsXDm(`4o;8_|13KUHdu&Z~9AT=T6T0AH>n#@fcBaOCy| z?;IiFWOkQ=m~F%GiKA4p%7NkOV_2F+?}ZhlSp`km_-mJB>ThAAm2)S~ucQTIe&{Rd zqxXmMf?gjm+C>TGKcX>n1>c?fsiBIjpUuo@ggt30&i=a^vZMC_!sfa9F!~Q&T|D{R zkIo-OX>Ai%be*L4M+357ar*{Q5^5U-E6-II20IZUgZXLC*AR^Y3EdZM$fqZd$@i^q z$iNe#vx04b>29UihY5Khw@d@^FAYsqZq)}+tj(~f$h(PiJzOQ98xuIig6rK$s&y;X zZnH&5v~bUE$qhBAn{r6@=jJ;2p7s?*G1az}&yn4;$vZ{!I1bVnwNK!6XS0VOLbLzz zT8H2HuKo7C5l{QQNA(jhab7lfd6)vq>h1w%5vuSsaI9TqUVgv1>rqNacB5y;yqI5r ztoiUVqEfox^ex5EDb9{^P9J0q`H56+Tma<|7IbB+%CTo;7$VTv(kWH~n8BEG{S>5l ze-w}SrL6tA>-Y2JFz@&?>vQp5qa5r=9={jc%o4AW@-){ieojdMnyWIAx=;%^b=iY3 znaRe}ov>98TFS8R{bl<=`q23knD3N~JZlVK5>80FX53ghu~g@|*_eZM%6=`F{!{bP z;J15D0aZTF?>en0E?&L``IZL6s7m44;)mw+657oH=*;=Qf_hS9W zokgzmd?UfIwEv4=`To9C8M6L}dYAuLkO*hngxJvUmmh-yyl3@X1LC?b6K`lF;x{k7|F-6~~9eQIc3eE5+vP2_D; zBeekjli1=x7N=k$o%Jwk(UvQ@WmoY1aZ{ZMH&ZY4PGvDDb8Z-cR&wE4UF<5rM^1+- zWTpqn(ch;Ov+;KeNpi>mUM*bA-V?h{qwx^{hxNw6jxD0ju)=eYW16ZM5 zwed4&fLGDsw|l7HTu)`~#StI-Q1JO68|UNbGI@;>WeOz`pAlMqg8$dZWLWj!K&5Mu zYP{yCkNlvilto|Ihr~l@kB2s(x{y3#j(QjhunC$o$)LK~Kgn`^7yDL?cKJk4*2=+{ z8rM1YlqA$p{T=_Fz3tTDlh}Lg-N!HN-Kz6ysb_a5n^AISZ)VAO-~*JA#A+*$H@=Ct;Qyj8;f#xTSa8QY~N>TDB0RW!DKq!1khs1Sr^ z=Ehz>G&Hcc4xBjdU+=!_kMscc_boU0aZ}|hsd!EIRh>;^dCN2ifA_r*IrSrXsSAuBark4v#yD_~fv0eHc z6}P~_IoCBu6YWL`qr2EC=d3eg?@bD8n*d1UG?hsLXd9?^Q*2nx@;TIx_rJN z?bXpol^a#Y_k&-YxLk6Bt7s7M1s5Qb-Qe0F(*)gbKLUEu>hGb8ZF#+)ZT)@(44fWg zSl{`}peG__F&EcGztP{cXv+HdI8gsfdp``*445nZ0=)?po*}p>t9$$j5j?xJrk=#JIy7 zm%aw1OUlY$zDJ8Kf?XObA@|$VcMEIPk~Q}!P`_}{?7rnx5iKY3KP;!Z*Z;Dd>LLCJ zGt(n|3fRU0(3xq(1X)9Wgck$7Ete>3FqvKaFBI_qKox(ri2U_T0%|Cs2aHna1S~mL z5|*C)ta~Arn3$ONLEc*x+xZ#UdE#Utj;A`FwOFqpKj>+1pG77#+I-HAaI$kX5mzxs4+894loV#w~DusT>v za2=~h^LkXTpQ>8kL^H3^e2ac_x6@gPX->a=bMX7-qwNkV)Rc z+=xoZ{LF!?vS7_B@PuDPs0Qgu|1qAJIp(@SuMeJhTGq6QD{@Nn6dR=oycq7DT*+t2OL06e>d`!N$0kX3a(B{O8OFo$P?;%*tkZ1#$( zT$?QQ;a*^NX$;^T1ge5mZ@Ln(@^9>;dMDDF0 zXC>T7q0Pk@J5}v7Wo!F%yh6F;)rC6ECPtjvN>Y@ylw-y-9>xbQO!DJO%<|ek0MqZW z8JyKPqn%do_-%pflpCV7B2M~_jt2GI?&&Ck=J!XbCE9(B$qQdy2ES14{x9e%Kr`bY z{QK``)*z0>vG3j;WBR>Au6)-nqb*}anDRx%Ruxx$eSJHZe(3C%qHWyyP>nkek^U)? zwX*X_H@(Z^#AAx@2E zAhhG#ZuXjt_QJ4hIhuy4mNVOMSP?;E~>cAD)c{hk=YKfKCwV9+iPTb zrKv*`j!-qn?MrZ-WhX=P(534?u$YYEIhgJvKZmzTzdWdfr_RAx(g0efT~FE}3;oNQ zByqH8S^c&pn=@JFyuRX%)-3SBRV+ru-3py!>&l(ONO|#@v;Vm#0E-`fG15IP8@sh9 zclTLhif@NXYG}Y9o$3$wTNr*qy;>jOp{Kg`WM_Ug;x3@clh88QoCFjtFD|mPHva@T z*QcCcF6oA5Z-|pWCNCD)FTrX~kfnr$o#5B_SLv4Ozo1JAL}tl4erww~zH3yzP3$Z` zEQoV5AnG4BGt27^$EA`jOT*0pBr2f4_uEPas1e}J^s^?KG3d>D(_g z7yY5^2uA%mYmRM`j?OOMZJA6#~!vC&{v=uw<4LUO4o6lv`x6oY(WsQDykET-DfNb=w)zz-IrG{ z=pJ%KnAAP~`@h^$$WxemZ_W2XOY{I3&A;JFjo z)+0|mFzey@uH_qj_Sd?WJj)nf;gnL`nMb2PUk^b^(+9E#@t#t_JW6*4f86W?t_Qs27Q_`UX$DPKe77uE5nsYG}_h=#<|)9#jv-x}ILU zRAvw1{gY8T2x;{6tSprda$0}!BRs;6f&k1xE}VsnxjMHB47uV!II;q9^9N zcSV`qE@_R=5DPxr!o+1Cv$mVsRNRAU>XXBnErV=mXQ+~ra?1>_mLXsTHSo(#H4svrybVtfcXk(#mEV!__BQOU^luq>4lVM#5e2B7MwOf0L?V>zF9b|g zH7#db{jK~82#b%V0O;dGP+My&j@SAz#4Yd7o2SP*Z(3nG!;2!U)sH`c!B8`^vp8BG zInOg@pbQK^SNk*F6Pf2zrAiSsz!ps}>}suDVnv_Ge8YN`xT&=ou6IZzLB1JYbP~zK07#8|w4=mqiQ;q} zTjx#$dWV79XYC7cYXK%5hdPc)m}ABQ8zr>tvSPzx?hiTSI#3iQfwm4I$usKC>w?`B z-_)80*uWs9!GK&vayO!K!)*>qET%O}dOf_F;9uo_DHmxUwEO(WJ7f88OsIMTQPj8l zO8ecbQ3qWCv36$jMB2uJb8od2!aK!niS~WUxy!hQFk6jOnTKC28ng(luK1fnBSSzz zHKtQhud2i^fHmAtP~~Vopxx3ReADLH6F)bs{0T0*VnlG@~=tDz6fQju4wiW%Sdwx7p;xg|7Kv10do$)9){Pt1^*(4BANFtb3Hc= z+Z58yWv30C$%|62Qazy==i%-wOTY-cT>RttWq!Wmv4)2aOJa6$7OM=6W$Ymhcd*j& z{J7K}i@7bRdA&dFVEJ;CQoNo&29}I*Wavv`zDEtpb+5d75TfBf6 zj{dspr}#g#PhUAAJwW)G6+vnOfVYk`5k|T9RdEdNbPbR5_!_S&8S96(3i0~BU14?ji2kP+%)v-24$X=z*Ry-J7BNpgPon7 zot%kw5*hP5TgN##5B_%a^yTLV{^Lb;|HmejTwg=A_Db;P7L>M5uU{tg z)fyo4M_hWAgdY3fKIH%Vw10gOnge{ceXyCr+yD5sKD$VU z$hcGibTeti#6j=Bp3A=;{hy}^wau=KFC(u1b%y_W+W+Ub{+CNT&cQ*-Y;rmO&#V1A zhdsXx7CEX+z*4hm$N&8`{^wc#_0`$`?;HP1c>VK+|G&HXKZW7{kI4DDv@G(NxgURh z=as#0+Z_?t(;}7!82JsAS@j1hTb|PJbbn;w8D{A+SWoM(eR8d1jZo|N)3x9xrSAzO zb*qoamUK(GC?9t3Y-Hnu$K6S?57dJ1Uw8ZYS=(>7TUtQ$lH9j%jCm}+_KAbLb&aA; z7{uKC$SE})d>Obx72%0XpwQdydKh~g`PMP<+SZjYChn$DDhrx>(|k6UI7qBMb;=Km z|6Vw=-AleFp?~Qnzi6_QY8Z<=I#wC*x<&r;ANg@oTc+r5-BZt>hp;OK*8zujoI^z*X)FOk z?wBu``5E{x%krN=_|NSlvhgO6FGM^cfOEsp@bHbX{DHo{qsGR@b|*oou1Q;EXW(_9 zH*IOSKb`O0gZ;Z}7r9}u-TX0d=Jy@f0eYuQZ>XyV#5^FNVFO9**qR^rHL~@?v7H!= z)$5;YST>IY#jOHEY%*$oW};cfIEOGl(n3d~!Pf>Zqd9lKt#Ee0VCg;lSqFpQUS5Y0)~)$@);bj}gl;U_q*m+iG|+x=rzidMHvczU zd~h50!5FW3;V%je4s9`S4;?>$9SvhvW&skBxICkvi)Idog$!rjU#q#_5yF<7V6tyfCnim&GE z=N<%_Jic}1jjkph)z5hD5Epk;)v}g8L8i-Sdo3L(nMtt5bL}ox&cZbD+#Eb-HvU!)w>?(eR^NE%h|0 zD{iFzHFru$h-xX4G`0ttS4=~`#t?K(YU)D#zL@5?69yiA9s3*A!LZ+6%}|25dew_#2d;6-W6NUXS-~NKJ)YM8ZJPRL=tiQ>1EZ*kx(L_7{P65xAPQ0K zwLT=BMO^hU7P=jHzPtti*?=bJrIv-4D7?RwD3m!f!X zPzKT3Pg>G1RY3e~G_XIKI>-6c)Z(NnrE7e8dIhtqh9exFSd(IBns%Or~6?uOPvX1oUXW~ zUOTHQ?%mp8LHn<_$2WSGEsEcq;1m9Nt!6?}_Gq|i^5*BEpW{TM!8je&ntmZ zQkvi?wew)F@$V|Tme`-gBIpYP%zAp;DTl?D_?h_FEIsYG&?(UmS$Wzu1<*oF$oCo5 z)>L_>FNtAJlMniOZUa^)(DBq|CoC1S z{GVrJGEZLf^V5T2?bcQ)LD&7v%)W%-3{!XXk}qattkcoT`2~oxx8mM)!aOuGd@+4( z{HH>f{PlIbZan(Axi&~zV8*{qXI=7X&#h^1F_P@ne^O#+;1ysV;FGmu{nx@gD-t zIxH^bsW`8F`dC9=Q;hXOmv-dl|9r~}KglfGZP(ved0SUkhd{V{5KC^+6Di*-2B*tA zFz*hXJ^$0e)If}FyK3zM8p?`No3KH4(`)&!8!;0fR3U6J>T_5`^oMU_rtzbH${dc%(bMhX@#v% zKY{0e4r9(6o|65jnOqma4%=H#Or2d`j2Ak>{87^&EpkNv4Bv>NxZZlq;Ks0!5Ol)X zAXUmnYveed&fILri5bA=j5@QXKe6d7t<4ZjmsHrQmu7o4n~_$@e7L$%WU%x0HV3J7 zb~Lq79UX?DMZ^#z0vKt~K^h#kn5Xi1HG5jNGPDxBUB)~8T59k9$cR}o38SlN0&Q7V zgZpQ-*ss2Lqlr2r^_|saYL_B-fzZE0+$!;!<9y||K7ra9sc9cN8~@9WbjpY`bg);tQ+E%?==u1&*Y@=MhJ!}2y+qV2LClEHW|~r5m{+Ze)UUm9OZy~hB1>y4 zPwB00DZ_kxwZzNWqi|qi-or)Fn<+uOm|3-b@MVB-O&(+OZ53jIel@J(T24v1v70G; zYxWzP1rH{}gQ~rHsS(>)Y_f-GY^HwKOOC-fEj>lncKbS#e|e;xZnzp5OiD$a9KI1r zeGT`$+ptaXiZ+a(hxyjtZR8)KFxur#_t=RC@D8;MS+WXDFf}Y_02K_-M{f zs=&h*B5W_QcBjB{Hl8*kWr*I|U9c2VCiIod_UbXeWa&ZTyP-da&XOuEp*jznf^r(> zcFKCVk9obNvsalf^C_P3>4A^Jx2o~5l(C?D96kG00VShr1@7JVb}cKlLG$Jj!q)VC zhRI?Y8nV)}RsjzG&dk|k;q5oKv}ViA97eMTsO{6eHHN-6dzfMNMBe2^Ab#7h#P!&( zC8a(2!ITZ9j>e!NG5F4K0U+-2>K+TL^zGoY7b$}g+$yOB(|#qkHL5HoFEv)WC{;)^ zb?DX+Nm0v&#djz59r1jsi<3L;;P=#xOv4~nqnYYkiGRP9U)DT`$ZJ?>I~Ydln-EpV zQcaQcZsG{ZFR`g<1AK1iH&wCMpEue6vHBBAZ%ruxf4oBkw>R!VGVMXMCJvQn0|;_e z;h;WV%oEp-n@ ziwNEmtu*WNUYECg_nrmItYVSz;3g#u73EnZ# z^_yO+yS%DK*vl7ao_3A%FYS2UOIDtk9FI1qU_Wp!M@O~tMP)&IaUk!|oRTtqua^M@ z9&Se1s@o#*__R>-0Csp&kWYE=lW<>CO!KBgysUb%`yewMpG;IZB&@XJ{bQ%>4O2i* z*=_7NHZimK>qBup`=RloB4_cnAKQD<;0wUJ6l%YL*?Sd{!+B{GzV_%ErXLh(lci76 zUaN>UAh?zXryJ_ax0@K24w^NRKc;$UTIunJ_eQq2n-VvwPU?Q&h+(}vZoA`UnF8E| zu|XXc>62iq8`%3!PT?&?0N3&~-izV+d$fGtZk4HCv^*eez=nFDswwK@68YIh;`!)_ehK;NWca_{RYZB@f_ki;xz zyJ2f$yuO9!JNteOPd1Y@V`QIEA`K#Bb@}U4vv73>)^mJ@qV0tSeL>Y`qS{Zc8XTav zc}2)9gTH=SOVK>>EhIW4Vz+8sJZN4)-eE6h(Wgn}R(m7{7C7R3D_Lj=I&ee8vj*RQ ztJ+VtNt61s5d|EH{A4(gQGJDleD z(fNp(7En2BsvzrF5PND@z>l)Dfq2rBzTGlwnbe)C>Lv2xy4P+m-IwlW*0BcEJ;~&P z%p`4S(_}M+D`vm!7(qj4O^FSv&v+0JOIWiTcmidV zy2UVLUcKJ3OWO&n^X>mU&NS4C(_(%ni<#Zr_D$=>FyjTUqrV{{R1JbRde$bvUcHb% zrG#a&B4A(0q(zoznY*bZG{Z8QojkLD-NQEy^1r8#%I<>^BVfE-1>t%T%^;Zj=T_2J5R6p z%qrBn;Ji0CNH`Y7bEK1fggL*%mY5Hpo0U*4h*%vLOdfA9@@$lQm_qYuX`AID$iysc z+h`r0mv;|p->~@DmGaNx_g{LMe=fdJP42PJ5nDaW)c&HoYmvSevwleg zInu5|R!Sn``HL*ti4i+pE*;#lBB?^x_b^13B7s4Yy4k6a*;(in4Bgvqk&;~*DO#F` zZb#ulHA?MH0eRu#2TnV_+2#zd4qi|A-WYZ!66zjKhN~wqYy5=1I zVV}2kJHB-9rh&IEw{gMgRe1P}VU-HL=nG5s03(bV7Ex@6YWU)IIG-3X@<7_dRYo5! ztEH1%Kd$!RmnWRFDI$^YhskWOtuW(9wTbo~NScE*0VSkoq~D!0nh%>oH%jv*p{V&8 ze>A?Y$W6$Kn)dBB0w-|CD5dMxv}nI$q!bmL-ko0G!#2qAttxs_??OrG)oaOE^qGO` zeAW3Bn_L5tPs}~r=P94CDwGbvavMo1dc(Q|xj)zCMsDB?Zs4)ZX_RH41Ch6h0ijYd*XU!GGk51o{Hq;}z9 zKKW`02}?Zc=68kkveJ<@z0J5*(>9BZxa35M@Xx7h+2W00UKv-V&k0;vkG4>Z0ia1!OzKvU+_6nVL=;h6r-S9?O&fH8&^RNUKCQmnI6Um0!3lp2Y;X6THPDlVuU|i%8v|hc_3d4-gF_G$9y*u!6mo>ETV3 zW-1POKVKrmF{i%8A?IcLPkhCSNwIZJ8&~fri3xQ! zH3z(W219DQr(e2yb?8?u!txTb+Bd80Y~QJ+7f@eLKVBOuyF|}8 zayXLJN*W4M@b2}QcgpmvXXh(eHT2cGQz~nxP^S(f_3Moz@vV7PO`Ay+20VTOG+zA$ zHe6yzIjUekK2-{Udjb3&O8xgR+>gA^n%Z!JM1d?W2Ogfg3RqMS~ zgiPa9)o2mkXb}N-LZ!ArNKZQ-Qewn+?T(0Z`#{%$Md|0$0}a)6gCc_O7=?cW%deLQ zESH10bw%N-(Sj$HPe=HNC@z%d#v-h(Z1p%=iIL%s+GWDE9YGasOz-tZX| zShf+h+Wing){Yx(>PHXer-%ROS9{1 zN8-~dEfQyTdcXLYDjlDr@>Fzn0x1qhOuIIC-E|9f?HRHa#|4L0R>T{m)T^7Ls6 zcp}6Omuw%#xa2ceEa5D#q#G4iV3KM%J=Y{-kMvTCKDhH%8!p%kA^%!YkIV=pd%2U zgoMIIkc2dfSDEUw^_hegS*;-2KpqIOeu!5>NUC<%xdJxZX|>mPO$DeFcez1A3iw&;+{q-7NV?(a(LgHDRv3zvT@lCFEH?n`zAa7PJ6|B27FcrL! zl3(nx(T2F>;VS1z{792MsO8LG*GX7!H~}79`Bsp<+Iv@3F&GiylN;z_)3yeHJN_Cs zzRZ7x2CkdvQuDbinKKNeYrejru}6T1L3yqB+)H^8;cwFT8%4s&WcrYak(-g;`pj9M z$!)HUg5a$f=XNiHZRG9cyC9S^2A+vg$l}ZhdSn6}arIerO>J8^;}AG>iD#3zMH8#8>Bm*?iQ}evzstJV{m z_Ji)k*dml0K1Ht~5iz#q0gUyHc$h-^JJ|B|`W2xh!;LyjY-$6;ZcPfyQYEamVs72#X5G)06*scuMp!yo! z2GyWL7f-C^_!*ARPR>g}sbyci7-3(T+M1d*jR#dKE}RNxz>t-OAwx-aq9aebCnEzu z__0{G%238#X8!J$@z%f1jU1dvbD%Yw=&bXoJacWV(kHGPGHVQ<9x(Xj(H0}Rlf8bi z?m*qn#=J<7xeP!;tDW~I#%i|hw+*a4*^fK%#BC=OZ2F~$qnkC-J;dD>FZ|d_>-`H8 z@Y<9hBy#%Vq3#%i|MUW=6LFTTBlUg^TP~@1)-m8>i#8wzOm|)nT)_wIC=JxmFi# zFDfg)nU#k*zsYliTo^l4Hq-JW!i;m8D!oj8q02M3les6YZv%Lu6N$Gx3!PxJT?9P z&}&EI4S2c;mH_imG}?J#RpEK#yB^bS3thJ3Zg5n8xwi3c>y`jQ!i_MtrFzF^xfE-S zx5FU_?<)MwF92o#R}<|% zS}u{5Q|f86)tvO!wrN|S&L5y(1P_hFCd#JkM9`{I=d@h5%Ws1aX0N8Mndqq4G?Pzx z{#t5Hb^z}td?nNU-`lPrDV;TFH46n>t8rpcWaML8A1>3dFP#s;cM}L|czTqbj2=deGyMfM>y~n^0qyu&(>JEG_ zJi{Y^+lq<#SPm`_xo?K|6J68Qca<_IcMQN|9`6c#E&TR&ItKUBsOVeqJ6JLvWyI&9 zUuVpLF=Q~zcT5jI&C+&t`V>A|2xK_5-1=uWTRXo;-I}S21BbO=k~Y$I8v)^1v?}&d zIJ;-Qk~!U3K9`0L0&Fo51kdD zx?9zZS?cu*Z`-MTMVyQFUi%qPM|}U`1&9xVBgKn+YkY=J#Mn$-E!w3kJqii|sN-S9 zcxXP4XR#N9pEJ>^R{v5>!xk#tQ`-IBqVuqoELh0|J>HJ_!c^ zAslO^_{(YLK1{DM+f)$2bz`JFL(WJl%KiG^;$dz#o|8Qub97X5m%y(}!o10* zr;riO6O~&p<%OMSMy5#hBI-Rzvze*m1V(H6C8)7>y&(qke1A{e0!4r9Wu(s3Fo_|PXJkm&%jHO&Ce(3nR!4fRaDiQ6+SAf;yN_rZfKq# zmnBvRHBAC=p;jC4HsYkgSM{R}+v75l;ZG5anRLXw&ZYe4l%5+`rk#6rEiQ?hnK<~#QQdn$|Q<@Js{+A!-85%dYRy{PgXaq(>E zNa5G@Sz?3=K10Katwq(IhcGDeuEx~hHCz;oVRdY%@c%8qO`>t^3XoZ7=m12u~j=H+~ zPXHO_Ln8L+cejJqHr7u&S_Ip_q^WISlQ-9XdRmMP+ zy%k$F&-T3Cyg}XWts&*0*=L0fwjU48S7ycQKW3jagoXlD>4y)M1tKrpqh(4@T~due z`S+Sfi?la{IkgYml8i0sv6-GcZW<$G3$M%+>7<}{&2#GUH4(MbZfi@Xus;mF>a+Gs z8y~t4?ygtZ;J0 z=%)Y3YEtAL0N(l{Q&s3AHfI|zzrTC9lij2QlZ>A024?InW?^yG>y&-y@577jXd`xd zIyvp4r_$b$e8fKWwwB}K`RttyY-{7TVGXkAOYwRZn=Uz1V2e zdMzR6fFPO<)h@inRLin{A)ZcJ#{<~e(?rJ<-|$sZ90<6XiQ&sXv+NEb*Ih%3Oh z`*pn2cba&mvfx84w6I5|3+q=LIiRsLCu+6Kmz26{zM1!83>WsTEg<8w>vge-P5x0}p${Fp0}_%}TXFt& z1|SoXx3$e5r|RY=_N zslNVvFir!w0?+5a$&78gr8PVY^87KBcZB{Za`@ik7l^Jp-K(D`wM>Y$P!}8Sh-jS3-WI zrxWR4HBcPyK&p8o8Z3hvS?HB|1!E4996|J!pXS?wiGqo_FApGHC~rj!aS`1p2}SRb zy6@-?fyZl4VC7k(PvVLkAEx^{P`(MDUR_k*rKkSBF+S?dwjFM=33=$mr8LO~*3+QS zAY3s%ibCp6#Jx9Sb0vL$XzDAk$>zSxR|69!5Ln7~$#|kH>!xvLZ_crlkOWPezFBt* zT1^W5%`8fc;ZfG>*Fksraa5=uAa(Fle|-jEEVL~ zVAAWQfhSCNC|@pa{xbHErHI&U4FQPpzMBBjI+ znVL{;DB_ovzg@Ary0ts8bUDIu+_d7RcKM7UBJ_B-y#Dg)lg?n=Qgl_;k!mDzTs6Xo zxFqulc=qtd=vtrE<9s2JuYIiR34{&fa#9%~XicLjczJxtV6nm=Mso1}$|%wAn=XY% z;B#gE6MM&U!h_W&fkaR2Lr+22_VjaCV@@7y$pN#5 zdWv%`PWD#b{`49#xYl=2#k?>4;%MGozL?$8J`;SDz{t0xXD9YWMTxJqJ`)G2&IPVJ zeC2E3P;7*(%%e>Om=G@Uu{rDWZld?SRYa3K$3FPy+B82mGV>ls`}@0uf-G-huGi}7 ze7Ho;@rbdK;eJrB^^`?WGz6bE6G*Nd&#!osIj*5d)RXsZQK*p1@U&*FnDoNihx$}h z05z4#d_X$$h!Bw>YeWB4BQ6bv=Oy&b=r@x}^>w?H+$VZ|E9X(BY;__XE~;slg8M#v zEwnIepLqG@v2n?}VLZ~Jw~5`Ko@lF@kJQtP`>n0pG?BZbB-|D|WNkjY7f*M*(Wt*} zCdyAVZ5s%U=4h9%<8wW$h+G5Xuq8RNy{$G_(|Gh?4C8s(Z;;wwtK^Cv9bHqNV`m?V zlJKk^zQi?hJT#U)e|&K7ZV|84h7{vxrhGrs6Cl4~4KxKjqOGzHlyiCne68FocXZ^Uc_+3;+`NhmY^XeYUhLVVd49KsN2>! zdf+;l4{T)^RT}F$P15iSI={PFz~d6nPu1~nR&PrZSkRgcllH^0sW3L{d{UFU7=F>B zu|wdxwy|;E0LYQ`a77c(=}(KcF%ZMF#{`7@>T; zVy$2)JMG~JuJ-(3YWRG|UM6#Lx^{(g6UX@<5d258TsaOLT$)Mh2i(vzjP^h&CK%-K zQ+m~90%!>1QfpAp(?wO-h&(+@)1H68{I_$JT?fv%yNOqcLX^2kgH54 z4Hna82>ds;RMtiqgcMK%IYM-*PlYG1$oTwuAR2xlm4j(Yr1isFAc6^9p$(uk97ACM?Qp>K689!8G@n~6Yfs=~8evxo&mq-{ffFhH#n6 zN{GUI=zMjwda#YdAkNPD>%X|UxrG;|0q6IemeyDIi>x5Q zxr2rK-JqiXeI6OdklNbX4_P8x>5SQXiWkv(&baa9+pU3|^0qq6v97m#NAF($YCd{> zyfz(~HHp1i`U?c`FROz}?*5YOD4>3=8e?Kk-aNaA?-s+Cc+O+>N?pODoLLg!fk;jz zUsQ<-Z(pf|X}}q7Mz+A(ePMMGeq@7V;xpwfwV(CJ$5!wu2acP`M_i{Nl>LK|m$j*N z3D{{tASlLZJGv-RAN|S${M*#jKr{#q zp&1TvN?J7r)?X=lAu|B8n;_8{@=U4HeOiH!8T(L@jkf;%gg+sMBpy165RYxyLMny^ z2Ic@exn2w3P-dPE4i3zKX?f&Ot8<_&MpIZXho5?Ivu=8h^>0Y$A>8es)q~=%{!;@&T((ceCZBDp%b4=z$n-~m`NlOdvb27WEz)A16ZmyOW3p~ zp{(YorlwFNYD}#rXkRX9k$B<@nyz}h(AxRgU@{;fOuWU*Ektn^%Xw<@^ZJ{UU#CdE zLT2T6Z>rLaNXF?Ux+o-hpP~w^m`e8fR%!ue^Y5NVI-$S|3`grg?r?$mZHMj7X=A#5 z+MVLJyS&7wVwhegx5LGe-GgpYv~a`kpQ&!%6__%hpF7y$2gdxaWn%r6=llBl22bVN zGEVo?MYIsJ!IkfQXjk$(tuu%;wl~Q?;f%0lk9B|oQPQt~^Q`Bj-(1D{OWYZ*KHK?p z3)*-e5FtA`Oi^UZ-03dF%#?jC6xm8FSGG*7x~GWRDk37%J0&DE7{sjNUoE<;gE>x5 z!gA>S2`Jt7D3{Ifw6MTQ7Vmj;EXRWp@ZqVl$0wYB$ASve>uXu5vK?gP&| zwXA@jWO9Oqg+<(NWBr3;M@PpeU(!r81&nrAly>N24-E}nTie09pA+YE2}ZwK~2EL(`k7Q>rFain=sQ9b?-~? z{ign~B8|Js-Soun&?Y&AgHhuDo|-8rD7b1jt~Nsg#f^(;Z{N&w6J%+rjpB*-~GXPprey)03 zxJ1<64t}?(_tC+u;CmKFpI1x> z8UvE28E!zRZx11q#)ofbl>bPFKR~(ISb}}sGAH;v0Rm~aBIyN@g!ar32;cdgPD>91 z?F{#>rJmv{t?KeDl7XU6c@j(hdf`k?DVekNU0bV8ah_aamlM!mv z&b+<#3$Hqol;YldP7&YZutHEg+wr>{5+VD?fVEAd6yDF z{HU<`_I9~nR>!gMWLtcpHKIM|vUt*Mv*QXuO0s;DKAd~SZRCr9=jUo zOD0+>z{E`Ut4519Ef?utKJ$&*2pzKjbe?@tu0`Di3k!<@KML70%YTnJ<{e8J6cGhO}+!zYddvJJVisr5SRX?l9P>_pQ2Lze8I-h<2z1vS(SryaM3 z*IS;mZi?L}AnEDR0ET3%-mB5gHsPJj2lK^I{KRVXHsEd8+1ZsL1#wVp!`}%13=j?s zPk=S}uMN-N)j*eX;6arKw-{ieMw~!PHY{r$ZK|+pigmOU7kk!9W1#OZhWeumR9D8K zFLF0~c6N4)Oc;+$*6JK9o-|Wr+I8G=AA(OffwxiHz`!8LgO-AdzZM6CkYfnwFZyOV zWrMWPTh*|CN>d9oOownw3F1kk5gJx*`yc~f09~)(mR#wY074axB1NU8ay(R<0t7D_ zml>Ej*`%bTdMlym*xye+5ml_gt3kswXYfu~O zYqXV!f;hFkfF@2(734tW~|*S6~McfT8|b)Jg~1Z5r_5i9#R{9rwCF z=coS_7ENuwn0OIj4q&3c0JIObRb_YRS?TY4v@TFlgBk8lEOiXsz-@MmIYSCH^e+$}1Odn) z= z1pK^P6##8cv=*lJ}A{TbV>s}0nr#E z{_+TE1*o!o)%|dHduHGh_5(H!1jWSGq%^847$faqa6?Du0&ozqb02qy)qoNiYUJxZ z4lqVA@bT@hlIDB2LO(|`U=WEr0@Xh}G~kDZEeb?pK~pXe8V68w?_*B8SSgyx(?5b) zvx_aN_G@S8oCj{9Qv_7P*G(O?=JMjWn6__N0>4pkgk5_9$c@`2K)o#rxid_4O zs8;kLi$Za1l+DJ0ejz-M9@?I89W6vzTZ)l)bqmYOED1($Ob>$|ZL|A?o3!q`F+7nY|t#cKcC$I%Ax)XRUdm_}KT@uK2Bw$I> zkV3vWWHPx7&Ke!#dg!O1+$22jDr5Enk+(AYY#%i15r_{}s`&Wy>VJ8!?q|RvCIG&y z^k~V9fojPc?@67~6pLq^-ij8`N*Qg@?3t|>s9Jn27R4L~IQdH@4KEG+eNWO8YBH{U z(ETk$L``df_%A`Ls0?8=%_1|9^OZ>f7b5BI9kLbLLd))3xoTII;nT#;So!-Q|LuxB z*3{TTe$kLWM6~4;QC+@%LJl6HvuKt`P0qCpdBfCyhTzS2sU8CUSCMHF9*?B^7_b=3 zQ>h?e;G&AKu@7D1F~sKjtIba$-Ue9;#gT^S^~L{1@%=M7qpdFi>1fS3WDAFJ%BM=C zrwbl*9IfQyFw>hS$B__)DtrS&;k^5R#x!cZ?7fx_|Rf@bSxR)XY=-BeNSQjvY&!TZFq z`!#RWdpM4mT>oW0Z6)Mk@P^M9MT?QM(5zHyP-4}65k&N{FZswe&ylkwZB>4TR(O0? znds2`BM(`m2(f3$|^I!Y=xErFy2x*g~#d2Np z3q?aeH8;^Fs3|Aq=EYX_AFJ85_|~ATwo(eNJdK=ySAOzKk2(u*i6Y&y0}mT$|8hIGUY1a zky_E9yWy*r`O`q13r=Ugw{A_74V6x&ahcTHS$OB!z@YjJIC>ORnn_YRD!(gXk7pfx=$ELde(WMh{$cT^6mO0A+u5-zFLg6R2)@p! z8>84y7g_NzKhj8Kj6#ukf?ny-*jNLL&TlDtl_}oYrB*O#wg@oPLAFu%&hfgcDedg~ z3j;_(1vLaeli@0QhoBNl9Sj?!geer~<~FoYRy)7nZ?xKT?3oJoNq#_W$mKXWzG+5i zV%6sc5UUEFxG-64Ag6-2t9z}O&!nopv1J_{tg={CU5-dWjBj`y62Z#e-CcIalcC;= z?L*>+DbKw(9w?u&Y1Z8146|_%9?&&=-KxLGc9DhgXcYauLLh{X7(e3W~ zI`bc<2Xjx_J2zO3<~MCv`L;;5Oj{SOfAeB1C6Gz6^F>MpMaM&+2}(9L&Z-)Ua@vg` z4Y-`#E<7IZlv!*t+#69jHysf$55`gojbx0$ZsNyr*Rnc3badc)w4j-j{Bu{7&DNi8 z?2M0(zllQ0D}to2NLSFi>Nk=;^T`;BEQ^LBN#xPKf2+4QX_!qoImL0}RDv`qi=Kmn zf`Wps2^PA_49 zQGo_L{)59TIF`Ha?(QEZCT#AjFKB^DGEErQI>Ln4HAal@>HXfbunz%z>>tT1a><{Y z#m4l6pkbJ;*aYy3H{YN%qx_W6gF3#!vc=H|XA#u=(t_&3F^G%V2=kvD>Z!5kp;uRL z{(uSSyko#JGB>90>2!@n$&uHe;48~$T_Ek)_!64TxOI&GWI```(0@jek`La%D@DS5 z(=nI+!o$x9nHo%aP3QkK%h3rUAu+Pq#NDm-?4MA8>*~ zr{~AjqkHy36vb?-evGcn%*-94zE=kkbGC`{nuy@87az8}ahFGvJAc|G)40Kll3&Ec^cmt^N=G{?FrY aeOs10o|$y$<@+t*=kj^=b6IE2?)?`K76V`a literal 0 HcmV?d00001 diff --git a/.devcontainer/images/admin-interface.png b/.devcontainer/images/admin-interface.png new file mode 100644 index 0000000000000000000000000000000000000000..cd59e07344b08f44a1623b85feb963c13aa81d76 GIT binary patch literal 934332 zcmb?@^;gsX8#WRGQVJqSiW1V&-68@K64D^j-5@a#MG%pY?h+VC=g1);-OcFQ7!700 zZNxJ_&+|RcKj07BdGEb*c3yG6?)$o~`+6^0S6hwZ4#OQhJUj~Zm(TU^@Mw1N@a|BO z+{WE$ny9qFeW-9!QPEXbQF)~6?P2faYKMpSGCC!VSXUqZ;KNPuvhOBAJ;CY08PGX%{eDK+wkV>=(rcPe ziwgEiByXSjX?&8rpkroI1lXI^nv?5YCXrs=iBl>cX%b8;@qH~YgEym0DfIz22uLD% z_Ggj%-sE&P$G1$bYJPrM&%S<5_q2iTZHIebE@d6gFhke`wyWXA&rImmkz|svK-Ojv zB-!(WjPxn`K(~-^(D*lMMwk$c`YiS#sBRs`giVxzylGN);T$2Jw3BD+jPJFmMaqIRk zLSsC}bv*MA#3#3IJtBPm!MKLxMDfl59(4_Q1^&L0zyR@5mw+xl<%gbpY9?Z!qMRhL zz$ce=&Rs&e^?SQS1nXk-w^_UB36&(jkiTZ5cu6PxafFTW3sH-byzbrmw|^^>>I$=e zw4LB_e3DE>tH?3IR(eO8R7^RoK)jSJ2oI_BX+ma~?Au56XB2ahu^Up)$n1NBJ&1-}(y69B)JL4?kY0sTBt97VnDf^6ygnaBl1|0dP61)k+n4=5igo!7+LPAzjO~K*l!DzJzvwpN zHwD+*P6bbF2=8=#S${>sc0$TavP7arq7`8lajTpDb;baDEA^8vWxdGWckd`pc}|5+ zJ3fB=2>zJV9YR#lE&ci3XPP_nw3z$yNd_+XnulQN$3}h&7HE%RPwmShRCwW=?+c+HpM@%b#jt9wX_=z=0*R9GnfRHte5>-C-Vcty zgkK6j6?GJ+7oQO$7dN*vcKb8&_|VS zElogDF{d48z^mF4zG=~EKuL~$O-6^wSCg_uexHTqE^|llc)N?Zebcn-34$A@V8LfTWggeso;{q+n;vZI-dPUjoku3PR5SMQcOB-N zRk!8J%y*1jWkiJ&ul-owB3eq$8Itb{-E!LDK9${<+S@s3gzP6u3@wezjJNfu{pOki z_QJ}l!5(!UjmI^49cvn$n%DFi^PbUsJIeR>vS>OXt~d@reI z?voP}6CRU?%8oncI$8oqNH!u4$OEZ|$SoK!!yyNk6X;?@UX)2xiaX zx5zuQ-XAZMUYgkYBY zgHOoNpYV;8!q-(3UG$WuhHdA!a|Sd;>SzXWKL(3!g^bDqCjnnq|tKQOd!0fxF=Cjz2$zQK(e^)R6cZ}=WL7q{e(b*gE>M66vP{TFni#-*We6eVk%z1{2 zQ4^V(F%OHKpiN8zveUf=qFb}k)3+O|B?Xb%_r`>sU<;&;gp3k{J(7k?2ows#?q4s| zF8U*KN7oR40wvBW&tlFx-8bA?PLq&2zZGIVv>=e$QR}7a!-d1b!+?P1<5E6dfdPTt zwTJEXRSB=tjs95AZ(6vi`l}NA(*z9rqaF~`N*o9+*8|4q6O$8j^~R?l9j3t&$IL7J zYx5mzHesW;4hhi2V5a*l?O_AQx)vE;CX?0&8x=j{@z0r^t}>85hAsAip=i*Z*Qy?N z#&()1HiomWD}OBg+;BEQuGjvt$?5NimzXi0VftA-56#2lvgNYOc_kT$GFUHzPFGBe zIeZ&CkkgdQG9sR>EM=_HDLZ!i;d5h{i7aw<*_O8~~VbdG- z7Ht6RqSaxT+|tIx>ww|YH!47V2mSfwDzcTMl{AmwHL!n_56phNJ-4dud%*EpOy_)X zUf9jfr*mQtR(m<7;D#e1sMjjZP*Ne#RA)F;7=Uu3cH<9CG-^QH_7H;GmM@@HN(Whi~yQ zE!0QbPd_N%*Ve#aw;;mXHpVN>8Mv%@>ztc=-*J!iZQ`%6&9aPOJtn+TrPS!xUpgp1 zOtaw8KhXda{_3T_zj5oWnOTeWI5^1%6Y=)DLMnsV4+ZT=1zjOC;%hd2kxQ$+YuFvm zLP&U6)eS!T0Le_SM*1)gzDn8|tJ`a7;qlL*0!fl; z!S~yedzg`DGNd5LUx>oC6}oSD?qblXV>q};G6z|^x_(hFp-1|Zp z-n~i9Ev)HP8+mrh|Bw_FA@vUj|M#bms*fN=WWRf#tGm8x=*{^2-}>Brh|j>)pipg4 zhtT8z{<0;{P?XoWx;OC)%y~MQn0=Q+i$+UVAP~?Pgdo{1H+0vIRJ6q{cc$&WSXW3f zXG^Lsc%Yeg1pgLpA8>2%kKRhx@LzMvJ)Mg{a`XoEZn3GChOTMZ$K&Q;_^7(Z;9@&@ zXmy!7NzlNm`ePvWj-#YieUYQnD!T^t)}K&hV_BK>Er1xua5KsCe8um#5w!QS*v-IV zPfjkLar~Z=caij_e*j1Pp^xS$t?pXZ7a+Vv_}J``Os9drUE0ey6Mcp%#iWR* zP8m%6gZ5fwQn&Ci&SRZhCh%d{!QBOwqRJd}Bg{7t@e?{lL zA7%Z$N?o7s=9d5OgP!P?GUn$8RU^W?jt%$`2r-D6)gc*IQ8mQ(Lh*l#MiSnRU%gEi zR4$kHGzm<{y8peIo@U6Q8~sziowKOArujK8;Pf=!Sox7i-Tr53_P-T%OvWemVp0Ew z5*>1Z72Z?C3s)gMSTK5QVqfq`*D!o0+0n`EfyOKmF8#MYRC{#yH9o_av@EL*Pw?*U z(@DDfTGUhy+)sIG!^1f^*pZ*7Q)>Th0ES2MBqZlQq>nfko52qIv3*cP5?(-4hoBa- z!*oAaA4>f!AoX>Gf45hEO>tP~d>MorsMkB~4~nCt?>ma?1VN>yT&1zwC%6Ts*ejnS zlp^`J>!+CinzV@h_t$=vFS5L?| zm!_UDqUFatzH5z-)snQTC54x3Or|Apo(eTy2p6(_lp^|F=yKj=x{F%X0Gw)B)pTqf;VqNI~6QfZwbk zQM__VRicU2w2#~P2SfAOL}8)|}LV`5V|Nrn8pnWfOb z^^6VlxM0wte+j|<&IC6Gwy`JCrx7Hx@om5P?kVP%5Y}C!4#ZuF<;^GMbXdKqv=G=A zuS#ie&*rhve)o<>eScYNstuXAy(?SzYZ2_lK+B*X7-stWI2h++odKqVZS|t3?ZAy2Dha- zfvx^{(0&4O!4rH6#Yder26OJHx!sg)y6wSDJ2Jc3y&Y>QogkFuR5eN{@opY{>M4DZ zJz;C(=}Tp%wd#Uh>Iu59)PTERo`oN@zvJeilv@#}?nW~yD`S{Q=l=CxbP>L@Dddn6 z;#?4bFqD3XM8q=7T;!Ke=Y!RgIPXmbB#={3n7rMhthR-v%`I?LS%UN)*pGbgF6^$! zeIg*P9S2v?Z3QAp_M6Ec$cJx7JcTbqXu!7^PhL(^{DCx!5;7Dieg`#ZY=n5#PA1Z` zN>M$}i5ZLj$H4xPt_;43$&zXsM(^ua&F3QG3>w`0{InMBmd8q(>gv(Eo99kX=gnvL z)202KCsah6J*{utpI*;f^LP(KZa7WHF63UgSI z&p$_AGwr|TtwK3j!3vd7o%?+v1{^j|z5yw)x(w}fw6u0~@%=W!5|?SayN;8;;WQVd zGfB5ZgoSys%OcNbQFQ>1==WLzc><=u=S_-pU_EYewt`m24)NitgG_8lh{!&fNn=o8 ztW{jD%D8IutMJUrZ>msQBab)V)0Pc8_Sc^hGJO7k`jzHiO1H!=?|t)ifB9nP!RH|E zbCrLL4oV{x-^}@Egg(mlnE9Qi?(Cf9{7nxV<@hYs-tE2Y>&CFNXSuIGp%{WQr2T&G z>a7&s0yt!Qz4#mja$9=S_wC`6Cu(sOH98i@6K~~#f97(UUK*Fz*U$8YoP&|aYn|fS zhC4pHh<|L?v++1JgXZ_gX1Jlsc zOFV~9!=AlxYL4363iCh`>%DjpskJuSD4_kb7(v8z5S8S?bJouqcA(%G;eI$M;2joW zB>o$RSe)kAo9YB;kERvDq%@pgZl8bF6Rq)BZuSzd5KO)f2V6k!tE;Q`%0=P>2gUzw z9o7{j5@_2s4_GZLbK3?-vCvq|M-|=*7)>fqE4W8G51f=IA|k2_MA)0O`BxsSb*|k$ zcMA6PZ5X}B&CUJ2xmnU_x+K>3U||wkBFP4TjFX~cBKFJ1m^ihw9T9JT`nVd#PgZ1b z>z5cHYfRyteDw>*vK=z2+9yR&@2EBmuef^>cXc+?HqL`oc4^^lBscEL&ele?;Iq1H+hv;E0r}mIC4l zj2p22RV>7PrPXf?Nizl0NH#nCIT?adhDq8N|OibuTpSRL%{!EJi zz>Cwq-aaSdW#|QJu7^^bO)Dz6g>6Q2ePlLu${G`sSi2#%Ehdhr@mU_7AKd(=I#sLh z5V)U%QjshS^&K1^Ppa2Z_^o}hj1WvV^JweId2feZ){duJDQ9*OamH=4NBjESuS%hT=uz`^eTSvG+RFIx&&R zLrCNB?LT53tLD@+G%J9kTP1p|Js8o;QEt|-%UXSkeF&+$x3ELE^!q3DuDI;x7n*{R ziZ1#9ZpB;7Gh(>#1YdrXHAxrZDjJqDc(hw^VdPJpqtbto!_FpOTjzdIu6pYVGdXUq zp?CFiclsF^656L`plJ2>kNKN7Z}>yaAKw^ANl7IpCvR)}!l#OxR)IRKpvqc=B(t>pt{?#!1AtY(dAch(Z*U`z~s5<%yV4~1>NSY-Pj zma7t=OLX#%ZeK_t1J(fZx6x8pRE={jP}-NqVN3@L-|Z}={WV-&ue21YpipG$!u}K> z_~PJnUvE*qGcMNAW-$KY*?Ce}qH7WhtMNOVt?dUio|13Z*MC_MyWPO7!qNh6FsXmQ z+tN9r`5xWJM~&7A+GeWzS{aNxzhQZ)v*mACW>ouIHlRzzYU7r~hX^<022XJN$+AAK zP=s@|IO#tO>t8XX#F8;Zx&6y9cycmJm&fcYWEF-E>>%Bp9&~}eU?)D8Dlp{W;7H8M za!LF1=e?7&H=gKwkIq54i4!@B{prH1keL3hTI&!<0BkJBzw`Df5!sf{*iNvlA7MB5 zGw~Rx`k_7Nut6qj?V3>(0kr5q? z%qYpLu`{Wt;*f?*J6Xu4Z>9}vWzGbla}22f4$X^OcN0oD>QJ#rxMy2@q$uhFm}Z~I zQ$T|;aG+aOB+4QPUM%bbebvUi$0`lG>^_S)){XyR)kB?reJz@C*5`6j$SH?*fUmT9 zGzvbmnZ!r;9J7|5{CSM{;dWM}X4gBeo#f)tT-+VX+K!65bi)MG9<8yp0m?pNl2hO`x*+#48z2((Iah&9HpShm{MTI~A+o)*}<&-`w5e3_zu zhm6b)mw?4l>>M1bLC8Ih!NEcCA{~P2Y%oJFjM1}ri2(wP(GTdejm5){ReJ>drO=M> ztd^At?yNBFkS(&#{?*Z4_>TKRT1s(eT*Be5PJ`O!<~t6E?6k%RqPqK;0t_#&ajZB1 z^BUT+Fas1j-H8}fLUTb+)SAMPV&{VWRhmI>VZ2Gj`Ohkijx3u>Bzf7v{UiCqYU@yjIpCI~Vx9oQAK+GmsqYw$yZ)T@ z#2zlz_lJavL&!$Phs!TM-;PB1$vn0glia8CHt76ehbVc4-oTm&ZzbIcd?i zQ8}WQ`3Ry&1ci)KME0`-TlidM+hv1mbjbDM4X$2&zGybG4APF<3;RZhji~X5mwXh*IHT5O*$NV-10^!x2mm?kPlXO;`CQG1U zBVverNLZ$Mz*gna^~)+pXr#Tzd)e=FkGC1MQ?jyn_vfqAva^|JKBRM0nt@V#d!K8X znVa)5tOFPES>pSfoLIsm&)`jQKTHT1CV*EwJYZOPDb*p#Bi$REaH^s8%M5C)@UuY03fW`>ONS zZ0iJvrqMvRswO)(_iF(LKkbR*2w9PSm{rg;^UZR7m;iibdf9DlsDbL5BSttCa?1Iw zZ7jg(N7=rEwnFe}?Q7&_rkG2GxMt4H-lOd5J189^k1>xAHPSqng{s9HW{Gx5{3?Wa)%Y3ZR5uZZiK>9_J+**g8@eAynDb9kX< zO`#It7>uoI)5N0V_K!;Q3w`EV^zV{H{VM0=8|MbZ?{US;UNmRRUfyRk2C@N+Ed6rK zeO9!z=>oSJ(_X!|{N7fX(h-arSS#s-HCcqfcf7awLBqBE6bVp%(}4t<$UzH~JiCgH zA{87Ruk|e^jG2sFgLer6VWUfn~C@`WC;ND-eHust%uNiCM8SFnD@{ z9ajKQfsm-RoV_NC>vCS(16m_Z)OjvcRaPB?R4_dXJ`qwso}50cf4j;A(kA+M%18bw zsjZz`8k{p?oSQ3N($LrI>usb{9!5`jbhY$we=wZ)kP5iz?8cm#xhBnLlZ`ooYrRIRs7VqDs^~Fv}?9*#5J*q15(QxAwDWbUG?)5D< z{VLK8vwDA(b@#T83Bn_EY7624+PxLo-X6j@2BhfGVPFtF7(ZP8#VdBY=UV~*wC~?Hv@3o(rQ+aH|Ep}t*LzFxV$~82AHeB6 z5eV+>X&r^bpg2Ye?MU*6o9@^*=W3V;QX1E!$Wx+y;GuM+NXbQ>luya=vy?f%qt9%& z@4b=Mr47L0a@D2`Rs8`oVAJz8~&)A@mMvRnC~ zqW?0l%HE=Y3=6Y);?$+(7%XOZd?o1Tp#F(P_FFKO)(5L&uv!Md&27zqh90PjePLR= z$XNSboVPZR)@8mbMa*Sx;Q9*d_8}KavRinF%ekO}V1_Z^A``>Ve1(aKM3(X=97$Pm zsn->yQr*w2E`0bPQzBorf2uHpz{$yJs@_2d$7E~WkcU*GfQM4vMc*EZlz_Ez(2sS0 z;Gd7W@x8PkH&E-wA49T_1a_2K?>ULuk-jxKc((_^#T{sI?I{Tpd4z~ai2MwCrC0KYhf_=x_DtP@%mlsMb`q zJKvr3f5mL1a^=g+HzK%jDvjzcglO*0(G8|qzMqRI=a+Jnri%j`ySJmoaaD9y37dWU zYVu@k$zzDIy7MtZ9n35amo@3Eyj#q@7k9v;?iMOntC?r5?bkyw7aT(?);t!|t%K=S zR%|~6TW3HmLr7*5le1rdfWJw2E8sw=pM?vxd{a{dM4h{!R*dbGp}9AR>9ZZWJdF4f zCb~yEHOsxlBJN-XmJiVG`G`hrpDJ8mKQaT@TlkGqob9ifJ6T@KY6qZ^J9NWCw8JZI zmCN2+Vn-KlTVW1y=*qTA+QaHCzh~iJ!KyvfIa8?8P^BJp_EkR>lPv+p7rT^Ug(f<; zvv>Dx9sJd$vJ&)GHO!bL;PMgra$4s=0C{v|Q!dz@!8lBvmXw$|fU7GcOx^AQd&{b= zzHlB!@d}XOQqZ?1r%AjnT)p|ixqv!c>g?X$ty+nzxkAS0$OJU|@%%Gvi-%94vfe{g z!c4M>Q)B9$$#c0@*YPs>o!T9_S9YFXiuhy81r=y4KGHJo&X>q8{fH+$WAuBCmh6fv z8*I|8mvHu`?CP7-1sj&X8Jw#$ zr5e-7hxV#nf|{9hx>w3#POj?g5S)w=FznWEkd+o7E7k z1>6;X13%{WH2nJ4gc5KKB+{AsnG8BOzdl!x_DaGa4FEEQES=N~R|!jP{>QSmd2gAsUGIJZ*6Wj83wpB#7X!L;Gqu?9@}juK8J|8jOtvQ;W@sfmAb*) zqqAXwgn*K(mAStKMu{N4)(;ln;zPISoF>3L>hpNkscC$Uymi zaMx#hs5Xt|{vRN7nBNZn+4R}0_o|?F+H1O8j-p3*;XN-aieS2d2 zI~cR0RNOD6>;8hC&F$-`w>7za^rJ8{YgP!h&N3z>H`xDMu0G#XNkk^dUwz-Xf8{m1 zpyBkzgVb;UMzi(-j3b~-i3U9=Wp3~lPStWJz$!~s@%T{LwSUF%jTt`$t@>8BVK2!9 z6KS-W?5X>fhX2+B1swRPFt1&{y}J_FFBy22LAN|14$Fr_Ri|->wlj<_uJyULEZi2W zEP~h<+*!N9v^mnRbl#u?;L9yB=77W4v4XSsPQW^j%kIsX^jUhPoFDll1FSP8P{e^p z<2n$Vn=>3JIfFS2eeb|F_eYwdUHiD2_A?xEp5P#mMQcg1I|?GR+3xFf6GvC8kd5(+ON9^xO)!p4OSx@7^v~6iMOOgO*k8>*<5Sy? z0u|%-0vakoE^Dh*NGh%98-J+L(FHIsWSeecewm#@M)lan&aRSF@0>q)1PKzqu~yQI zNv&MAD1Rf623AA*fCzXQj$p}$#Fm6Phi+!WDu{EDHzrOlQ%5;tB{Kr1m~dxdoxa%*>)T5^eFGaD8WRSN?s=9B0qF~MRF|S*e!{f zSQ%5-l=k`5&TS1Ec_u~dl)vUDvAX9vwaaxco>rZ{o&@TL`As0c(rn~rg4(e4U^6kpd-seWf;M6C(a|I% z=QqJhmq5;`Wwc#Eur#nXEk5-IaQT^{6>EKj-}wP2G~;K0-qz+|2D!-3+HidR$Spwj zk!EV;xyw9-9E{PULvVl2ZitnoMPKyU1nB<#WTI+!NS&cO^UVi2(DAj(?0nVIQzJ{6 z)m*h6wB;qjMhw?i^|^y`IM$sHl*A%~RR}B_9Vtz;h&rTwDrWx*lJYsvot=O3S+ve% z=rqm)Fa~nHKOtP@;RHR_`O!m|o>!l`8YFGz0nw}GeeKCQuNNxLtem+aiE!BeRb zALCmQBiLbn)Q%0sek@*s!{v6Gw}=N!6j-hE?lB}9>1~QB_zrdM-u&6^xoB;?`I47o zulGLBCyWFM4^GYwxPIEQ9{?KWV!fJg-*rt*T~x|q27189y|vRcCXHLj4ear@j)rm*dBzSag!#nL$8bNj)S^_*NsRE4GC#gme? z$$pF4Vo$%|mfs7XY`9G-)>tBkoP&bVAF^3jfd~ zqu6tQ;+HJNI(9E+{1PAe!ot^NBCMRXRQKW-eRZRCGsU4W^n_~laNcnI$1T8j-T!2Z z7H7(jw_&t&bW7{9D|3AK6jRf>@)R(fW1zMR(B^-bXg8cXIF!Q6fzu~0)L*?y#_{pR zt))g62dqDQO7$;uJ0ll9+>z`G38Jhd9#+69Ays2&(NY}(w5X&`%x(Cr?c^z!POhs8 z#`#S48?*T@QjL*;ff|(QC+xY1;s+~FL63AF3B;&KiL`2-g{kkMn00=uq#J{4TEbny z73rq>@d7uQfThNIg&72{uu5N__9Fvy>K#w@a3^wcZ5)J+J6h|P4a*wleiAtp6?XFy zoQv*Q_5}p?O`PqNuL#|yl6xeTJ3z`@2vlW>ksG4I-+V8+4)Cvis3$0l<0%vkJWh$Q%2!AP4Qs z@<5QmeEgXf+u~oPzXydlS=u(b8h4IG4mn+2QQcIQ-x((5qVz%W8$UA=XgTl>XyZva zr8$z_{mjEroI(1i-M9pdjAVAcYW3TU*m9CwxdEIhELClUQz>B7B(le)s=@gy9*O64 zV|fk)7|~yz$GLJ-BkVOUi!D!v;d{5KTPaEkyMponV#A;^Q>4sspf33GQlIgq^uhMM zP#fRfiPzG8M~^cYB^J`AgOA!RShCKO;aLase|hZCN3_osM09(GyGNUW&7=LgZpHjB z_Qsymcq5ugLrWO?P!m@HOLrAvk`&?R{FxfZ$>LCsg1Sw{bzs-Wg47)a{uH{rFvwx( zC$#w+32O**#J@ah&&eF=t@dZc&o;2r%L(!n3+39SmNlMWEK3MqQB5aA`Hoodk0$6= zHrF#g9hk{G{K|Ll-nlAT;b;(!-&tN9E^*-~Tp~^#S!iVe#z3hnEZXLvgpS5m!>RnL zpD;LSkR4Ybac6L>CEIUZD(3=IGxtFpIOD6BmkSgh+c2lv_YQw3V!zP^WxeGsL_iSrzj+v~_PxYkZj=Hi!G#krmz`=gxGhU; zx)xw21utTQ%3Nrhv~P1|T!U_g(6DTQjv)VlcvR)G)CT8YJ_**MotyVqV4q+9BeU2M z9N*wJZE6{Gt#cvGEBk0f21gIc5a-Jq*^2U@E`#$Hy`=F(Q?gx6ji0hzlc>V7C?h=V zNsut4faoXnNWku7_q@$yH__2sE{dBBEYYqwODRs&5LJLe7Voy=65E%^c`>J{-lH4| z(1E6bMC47yW-@A6>rbA5A^%wXeYvVur_R4>w-xSq&rh0C{@uO!&QwAIB5!sau=Jl24MH~uR^WvO+<7dRXolPYlfsFqq)cvP$f5J_5g)7xfLDWH=6G5xhwM41E>CgORuYyD+JVG zAOo294g?c?iVdNZymnN7rQwU^yK!nX>pUJaqiQXYM7#?96>$*@K44h#_&wC9M1V;g zNvF#Wh?IF_mlDe;F+3~rs$nC9LH5s-PuQ~-wXziEDMu6>rREk@HD{`5l_w84h_z_- zEnB1Thg>l*ZoFt_!UqtO(?7!Lph(LZlwi~~$LUqAVNMJ}YjL)=LMywD*|rlFf#OGSh=N81@$*0ANuy*gS*QatE!AOxh**d9IiG_ z12()MzH0MTPX1wrHv>3V%3?h@DbOb@ft5~B*eapTu2Wrl&2Ee)4#&Q$??kD)XC55! zibd~hFShtZ>8A|E&1=gAo%>>sa2AeA6nsfXn>nyGM0|^8>Eg0pCt4s!+Ap<$i@ZKO z@{^WsZb|#REquAST=r~Xi?it1pAnpvmG#6bRK7<53}b%g_$B#$hj@+7QkJ;eUfa@T zf24k|*=CB7WyoBUOa4aK%@tLreCufzZ}s=T28eAKENcdHmY}c#wEn2Q*wk@=*mfnZ z0w|c#60u`ge&nSEQxV>C#zyx<4y&eJPJzh${-M|5wm`m85K8VmUH0tPiu=pF+ebJS zB=AE3JVN-#kZB4v@Ch|A#Svq{HcHWa)Mv&k*LP?>oB|;ayVGAB_$na<%KKbRZE2&O zb4{`5qQS8(=}957yIVOce*IwHW!6)kE3crbr}}{1WtVC+#7pDmdS}B#+pKvW=jBiiAJQWuof>92d zb7L!ohlDKyrrn6%@NmxV$^419?~H z1{tREp@XoQH8}olN4j=Ilgcp5?i!=7qlh?1Ji;k^mxrw0F5X00<<7-v|-{oZc(d{!U3pOq) z1y%QsQ)iUHpqBn}t3G;>`-zsMP2H<3ObM>-?*V`J5wE)C+8#bpo79d@GdieBzJDVW z0s>{xeI6RRAP7%@^rM>J_StP`_*4vuW%JLs^dC7LpKUW zXPJak3SNLQXClFk4DA6HdzC4cfpZsUVZ_xNAt<>&j>T8|-VT5PDsN>}_A{jwe~757 zAWq+=esKT(!in4=unPcDBS8ClY2X~n!4*wXTawuQEmHzWNKXo-gaYS%g6=it*LQSS zxje@oYJEcY#j_r#(G=x{N7HaYYUB@r;jtL0(%A8jBGoS~f?uUN)JlZZYrcF{@kTLE zKDdF;q~(SDpEX$GGP}CQh{zC>mHFk}nYUn^Vvc*L;qe%vibrI=g;`tbC>?yX@lfF! z*M0!!i1jz+2)`>`%hs0ns-f7$?q!)k1I-=}r&asMGfS@1gQ~_Ce%tf$!&l-xmk4-+ zI^=?x*vRPkzq6(#BdHE(JVKPY^TN=TR-pGbrgW+b!N`JL#4;&nrqO-=Tm<}v0CUbM zspPBu(n?!9F64YtE#jOR%4N`luB)qCe$AjKnP-`NoL1`5oEzL_Sn(%rL&l#rs;u!y z+;=>97f)uinG6{S+z4bCp*z}?DT&03G<9an)5!!mZfHB~r;bid5|$ep2urwo1{4>G z`s_1kgY1z!jPhw|XCSB2ACd4 zZ1|0Fg6jbd^$>&rCggacJIN7z6S`z&%`o(KT3*R0W-dL+K)DR0Omp@Bmn+60a{Ou*$^v5+?^(|XRzk;oUila%Qq!;tv8~=dZ()9=nx{F7)7iaz-J|r+GXi~YE0MCxJ(%)L;+e$dt`G1s7e z63cy^Z@@ReLR`Am!$I&Yjv2n{nlW`1Om@CJ^8zWHY+s#W@-2m2wvI>faXd4{JlUmk z)zIPG7IJuzTMTJ4`cQ#sUpLQsm8WPqmPHPd1Hstrrq-PI*um$7vLInZ;0FdkAP$fv@7C_sitwi?Tyi>VrhvOtZPRniHx;;P~hK*nL zoUZgf3ZxstNku&URP?qV*M zgSPs%M5>2S~NvjgSJBgF6ea6rQviWsZooCOtzCwSn zg);mswUOEgfuORgBuWwMH*sWN@8hr&e%8`&8d+&VATuT1~< zUjPbMz8oDYOT{)LxfTzCN^E4dqP%?#p)5o1yD&@vA%We8KoNN%Yp2z>E8G3QAJ)0d zYqwSBk!onZdgY6yco+35FuX zMPu9kD)H#rj(=0&RcoUXR;qtja+bSAO3M3pwLsG_GiZ(7(&Hr99Os~_247|ef4%i- z=vqLMf^4+IyDxC(w?hu}(_D~;Le6RJQs{_Kf16)rZ-2ig4z4t5B^|;ppACC-*4Mfp zGAy=pPrGw+h<&GIrlfS9VRcO6lH)0VlS=fo#7{=~2(bPdJ9YT2hv8q^uI{`F3(E{X z?ZBSz&(Fdi!;b;}2McVB z;;sqp?XozKoAlRgHJ&S{>J#8wsp*k~^4$Kerh$6|#O+1+#jMS_F+a}ociR>nXJs@` zABS*`{1yo_yubP&&ga>S6_P*px0v^?F_Byt79$Cf_;2-nzh8Xzd+cVKrm&{+(AY-{ z_fShw5nuZFVv`Kz<-ItE*M=}?a41mT^Veiks~eW`uigQ{Omy|D>*)n*CrqQZlZco0 z=0!T`EE>oed@C%l*OR~isg+Q%@g85-%qcU%+^-y)|JUa`EwhJ$Vy_lWWma#XZcQ2Q_=-koiRP z?!#2_>XBo!q_q&dI0c1kMCnk{t3EITPd+!Bj^Rwlor2}o7 z@hwrTwXgaIco$Y*R?hOY{2DBsds4M^cX#{25>xcB-27{_8{4JVWP$n;KD@W=3~zbQ z$tkxg2$Ly(AzJYpPFP+Lv3E}Ka{YG+u01C=FA>(S=czPxj6FKv~Tm}qQ`iYjW4Z3 z+fkw5z9%s@LlZIs36PmK9XexF+NagJylEV@9nj~n>p@)%Vn)(tQ6|s=5$1`C~vVM35n^52f-rgT8iUsoY}j+$mpgmrA@xSF zpPg4X3~%3xlf7v6fXw6N6ey}ZwKtcihF&iq-kHv_`>o+E7k7hbfyXfxT7lUe1H8Z1 zcP$5!mql~fW8@1NHb%JTZ2Njp8Y-8`cXsa?D?6=DjCH0ezvU%RYC)@(;UdGFt!L5J zu2@~Y>U95XSO&tmw=bnPE;P(3SVVFC&;jY8;bdD5dFEjW3?OTpv5&@wmmjyQ$7Fjf zP38+7`-;FP3OP_^Ptb51z2|JcwE`sSy2p~K=jLfB#d#m&s?lyYE{FLJ9U&ylPvu{( z+~DRmtbBEBajtZpo}x1GlS>fs++;Rnk%Acp4`GuCovjAz)sVXE~sC;|5hdQllcn2rZ@AKJJhl9WoQdpP&=0KO-;7cE%FlBd6Xq z9^vR7VYhg6X{7R!t?YHEhOaoTDY-87q0MQE`Hr90vAof9=$l1-|5YFuHGviUDRt%# ze*1dbx#EEXX4y8i^K*WNG9hOJMq>}WHmKEMPxKa+a9W;WLaSx^H;ZkFojIw#`tr`f z)w$w5eSD91$;4?*^W*vb4h<_dvt)%JqoTKxm|k8tj&kZRncmHHv(Cuae)qcR=4fOg zA+YiV5!&IWA0{5)P!q?qVR=0Ny?IRsAt51cODG;XMyqk`jAlOg@Z)0NYBOFw1Srae zb7Oi1{A-qp_ulMH;P?EW*)|;f!_E2o%IVOi^R%?gAY!{S7`|FSH@-$bz-AnU$vA$V zr$eu~hHQFt0FPtRevlMPB^!Y^f6$X#$G5(Xq1Mmqs$rb#r*ABUa}KQLvTaGp-4 z)-Jfhc)>q<=0Y5Y zu#D5n%$)PO{`dAa!G;mHBK5hV={1LlzPYF3gU^;UO*`2~vuemje}t{ic-RbXwj?$k z+@yfvA1N3W8UumoOYzWEQ^ODa<9+d{daW*dkb2FME9y=caBLdRvNxSAiQ+N!pPlcc zsq^tB>lt>>3O`aptnOC4n^>tjR;4sqRVEPrM z`mU+C;Jz=t$mqv$z2MZ0tEBeZ+qvhiJk8ja3g;##Q+593C)UkCA{U-3YX5UGR^P#Q zZ&I;udERYT*X|fQweF(KIm6q75p6YPfqDyl=uz)3RDtZgTsUjVdN4r`6Ir%9C4-aA zSCf~sWNpT;muydk#5EG4({lg^Ivk4-ZwOBRSsg;Sj{4EK?GWi&gEV9K{sft0A0v)g z_Nac=4VN!0Hg$$aJk3trIPlt{uON54b42v1TbORmfT$uOf1$gNVsxAz96eELF>O>h zrvm*ufij$X`DI&8+664o9MsCBagKZS{<-T(!UC;@%{}80P+`h=Qnk&~Egw=5`zIX} znj|AR3N4!fLYAdvhS9zCcD@0xt!NKta|(zF5QTc=jP{ezNF+u zRbXq_ZVJB>>kF9qY`*4KaQ&VQTNVK^; z3`1aMsrbj9h)PN0pRRD$e0h7u;%IciG>T@N)2E%YTWjxzH-i{X&tvIk*QqmSm^>ss zPfV~~UA+IuWrF;>T%=$f^b!3{1V>HQA1;b10nyx!#Ow7Vp{5LEEA65s4)0de%><(9 zQ*BQezxClL-R%6}QOS=Y)7p4te$%!)9Jrr0#ltD+{*ZI{6G!-5 zZyKc?OG0zFap^lloLQVk#Jpf^&zEcxQ)9ZO24 zb7d#`RJ#TlXB$aT5AOj~G)6sD6^+=9dVrZG!%w&4M4VRrNu_knt2SQj{AwFP?KJc) zes*sEX~lpume?g~{?zr%uUKq;cjX$bN#e@GQ4r3{G)I+>)-lrum@oO$XlNCfS=`>s zpdx#emSmzZc<9WR^*X6Nzrw^aOO(^WE&86)%&a zF>zpy$IZm&B=$kfJ(s+h#%srDrEF}J@68X&sHN+xGGXbYZlWQ3QL-rPZT-FQsif6U%-PqzN z`DI=_^$vBItkLV{$$09iT)}$g?(a8Sts1)p_pUgwfcp8iCor7p%Evr2axt=j_6iZQaZ+}gvP8)) zoVyEdhv!SC6GUeJaE4y{jVMl?m6@5HoPq7+b(*JV1rlDjg6_MUx;a5sdFCt*^X?rqp~_j<}Pt%6XB z4T`0kbB~A?N*H*IepuuBoT3XY2QIRyZ(qJS=22jns@8@@^P3WOf5hA-jJ){HZ#8&% zx--LXpw#hxZr~VS;Jm^Cx6d`7$o4N)`Qrd(%foVQ%c6R6iI?jjO8R*0r%-+7Ku?P} z9*PIO^wW8ho6VeMS74lgOZZgT;AO76!;eye;}o?6^va#`U7*l&nt{RU;A+GNHr?r1 z$u7Y7JycpQ2iJK}AO+5F_xZHN6W@HUmj2;x%MQ#K;G3AwYnMa*_-5%vS4_=0<09K_ zkj4!-39#i``&32F=RDYR2^x%ibi(m#79GP`7s~nynlygb?Wg#RbLY<8upYjHFOaaf zV|GPBw?7k8jLk6(SyOnd+8d4fz`VEfb6&|LSBq6lC7Qd*R>t|TrMj!#sPo99k)Jc| zoF87Tx8$N(8M4RLsKWmEKC3Cj#K}*1+b~e1tZD3F z=PBC@E~jbUI6l~ON9N;@-%Jv9bdmW{Fpo>=v_G-J5+R?-*(8h>vNuuxE|bo`v*Iuf z{pJ*edH>!p+b_h+lO94B?D9Pn2u&}2_vqU30yGtgG7_BGT#8q`S6c`%OiWmR^&dfB zp2`Q^ns_8G_k(fyo4<34o^n%TPP zlRml7G^q#0)=n(8Ej1%0ZRpJUg_C9p%Rf~IaYM4Lz1-{f5xuGnC1qu-X0B1woKtq^gR{)9(i52b&n_C9Rb~l(cA{*Q zc)7YP`Yn{}(gdb!#|a1Zy%Gt5Xx|$8wnTT+M*mntc{$DJiKKR+L35@ekGrDia?Dm1 ztIj7oc_uo}GYKBK|M=L1@ioQ(uAD1puZKS*F!Anu^Sy!UjyE9gKgxINjmm+{LY39g zU?yG98?}M)8VgS=mty^Z;*}FXT^$!yiB8dL_*7#cwqNZJf8+F9&Jv4)2xfV%eLm~u zN-)Pp>)~ZcymQ{@A2)WmE32zwX_;Z(S0D?b^lNezdPSEoJTaM|f^I9Y(1uQ%(*qft zk`^~^+%SI_o`H@{@;b~bX;aac^X(B{W`2OB#!Bck-?HA#hEHR0W03kJ4fpR=?DmQ} z%xK`NR(2)pMbc8Yg48uwrwg2SbSm=~8q+v0+b(TBA){^+h!nI73V6NC9*?t2(RI(` zgV}kc@_ecmjV>@3YIW;QG(-ME8DmUl!5sVeEyf2h=S>{uyiJi}O$4HGCU+jS#@r&C z-1iYrj3=+2G_c_gyK7>3_lJ(xyLXqx#85n;oUAGAzrGgIcke0mHDxzxZNW7IGCDf_ zpH3LMy&_5L)?pv?O%0Qac*gdcT_dY|3r+nb<|dGzus+L^+Gu+sH%ZD_ z{$U7B-(Xf1+szH$fClC83()`Yy<6&M))7nplT5l=U4zD(S zTU)PKr&GPNdWgCf;iLRY@u55n>LO?d7q%s6=J8l52}OUru6NrTGM+X-=zq?}@s3DL zc{#OH->XjL55rMaQ`gw~UM*ShT)^GtupF+m1-THGN&bWyHi`dSdCSW-1i{qn2jQ%&kv?YsLp{00F^ zF^VLApN4leGtvtgqP$2dV>s(z<$e3VJ@HQ5ed^Ufb@g4DfLA5=jx^VC^1Ur)I(4-! zaDV+fjQ5rN+XTWW>5nItkk~PGhY<}UNV`!>&qR89whX`bj^Xxx(j{ z*EDdsT$}TroTV1lU{Ys`C_VhHj9KnPub8!n$fX0AmE{^Pi$f|8-7NhmoMlp9eVY6s zJ8WQfjj10!7NV@cUXrknh0eb{O2JS3eOR6AP5%G@>VFo#Dr!e0YwbQ51FfkPu=b5+O@6EGhOE&t{LGJ#g=;}SR#JYv* z9Mu7gYHKVf(WxsjpB%RyNTclUTf}>eQ$A(Fw`fOBS|8uv81Y>E(iv&4As6~HZBl>o zk|zTOlv&ZT(hS7zRg@D(l^drYNHZ|mfkodgjAbS|#iF3_GpK)i3iI}^l+;Jh1gT+z zxGE@m6HiVEKN*}Jt;+4}MQ4_GI*ZMC@3|a3$teE(j{`)9{?i{cGKmIC6OO+x zS#gr3z9jx!JfF0zu!zg38CB}?$&3)blFs0M05cVG7^j2FFQ;sRNB&P<@2_uXC*YnDIUTD_ zJ>)_+SJQX>08#qs&^1?yvhT}^N7Irk#u$>k$@wvXywoRK3df9^7!`tuyh1X}Nouv% zLQE_yWIMXB^2!=0Hc!l$MSD`}HDxTnC0+!n?`x>4*;Xs)|daN*67a0!YWT*ZNputOm#$#bZ(q z1+!~Y%7kR5r0{AU{~y@WKP`g$?Z53J*_{WCXpMedt zbZxo<8`hwf_O4pSV_9{yG5hL&ZqontHN=llPYmXBl-Qka>iX<8OSJ&8~<#bNdt_xXF#A@kg@2eZsYU&fLJodwa5zDA}O_h|H z`gTrtDlTJE`vM#d_k3!Nk}|GAm%vB}H?TYjIQp#^p-QAZHb#melB3+>_$wCf$x`&Ac((o=T%)dIF$+)a;Rc)5Wu&G8? zcsh61jFp?ETI$kny*RXNG2_^>c`WbtLpbFL@qMbYBFR~wIV{*w|ZY94p zoh2eOBO}4vh=&Y$Dg_C7Z{5I!o0RI6bkk&@0Y$cfK@xxIZOYNQira#h>Y zNlNaNvbQiYA?fdfWCXOLry)Qe;sDL5L zmrcI4BKyfData-13x^+B(y5cu*0)K6d1@-L-q|La$~7%1QyL+vd2%s0jz_s1`K@ti z+2t9vGc57)nr?6mI-~R1P9-_HtEPtO#gchvo2imad(E_WtK7R#s&{}{qbx6vO7r^4=hxv z+Hte*o2&Y#58#UcizYLkum6u>#((w6|MX~xa|)8M!zmL+8vAx+|H%~01r8j*&^8SQ z9s5Uc-p3ze-W`Iu7p;w16u)I-yPv??@I{ofo%z45;D73W#VL=$)ce?QeU{&{u~|c~ zHWmWT>R0~L7yMUK`LEA$XFUy!fh2#G(tcs3e|pZtDp;GoC#x9`_9wXg%l@fe2CC=;=aV_w|DMG^K%{z6L7Qnh>-cXmd&aC=#AY<%^@nxcy?%@3 z|KaX%GL+j`jt>n@U|PJ+7O8j7-T7bZ_kXjye{wGW#_sW1gZ~L%Co2&7ElXt*3BI}W z<~hmV^7i3H@O0Vj!+rGs-LL&mhw1SF|8lbT$CbLvD#v{Kbit@Gj1mGs;}%+df1djwm+f|FH!B{txc5N)HFio@ol8dLzK17ODCu{^eEn#{}{&XFdGiL z!4<{}3w!(?OksD~9f}5$1_lPM4MdxZ6s*5zbNmj$kbIRq-2)iO^EAKbBNQR|*Hp?= z{jDFNmZ78hdq0Bs(6W7pkQL##ERq5etKUex{4HKYFaU_-}bU0#7NeO@7Ov z7MG$t+0vyrUxxWDF$Y; z5H+RBmsVwe%j1!B?41D5zwg`s8;(3Cj^yaXbduvB?)PM4(y%h8JP-dj-ss<7LOT@z za&#+Aef+=W@f476uno8T9yH;@s(=^e+uhxouLU`y0SxNndbap;CLp5^@3wbV;K{?8 z+-A{ig6o##{9t)kt&NVsrBfO>muLO9%_6NWEgw(|&kr1YG+(~fRHzCJh_?I2(s(Uq zZJ;aVo{;0*dCcbW+fNdncQ;Fu^W=Vju-!|F0h4F)t5u4DuFs-SSCR1Aq-?RC&AMHd zpHkN;vwZd4&Kd!qB)`8t)jWl0mcAu~s1vvOJ+r32*fyLO`P5tk!uA-y0f-%5Y=#9* zX&f1Jnobv3{CdfYPsHZu*Qd~!^llUE-9*S8`f;llY8mh~XDo|HgBQx@F`RM&L$4;< zunjcP1V1_HA(u&Abq$9B`>vFu6X9G2cYAu91V)Y@zMDC{t=QDNhUF{v{v%=HW z(mCq5jB!V6S_q(qRx*o*-?7J-fM~#DU3Ps^v{S1x2F`At4ses^3u>Vg&cq&4^1;n}j^aWnyO0 z3)@T0{AeMU^3kyU(&T{bHXawJwDh zHK&jDNKN%ia?!IeVdkwTz0*}z;uVpNp8;IZS@&*f;?K8UVb1E(b4HM7tMTskMo;c` zn+#`q(TA;hyj%XQbV~Ut#z^C6j6>Pp?v`XUa>!U6qUY=YZetF~=z)vV>_v9)7kD`(F@K);rI-~f?3DNZ*u{fQP z{4PB&vAvDv1#mhwa53|lGgltGNiXPSbpT(np6Irj*!^rg(x4+rQBherKnOdrH5!8Q z!SBpkNn%(SCtosbKcu1$tvrBoS*V^_=j$^+1B+$S>cV1jJu-X8eTfgapGoJ3?C&;!n(FIm?%o;0h|{f&quVZt$%m z+|e5kI=+7&l`~xxnjN2a+jBPBsAq$l@8-(a2Ge_$a{~mSC|gPzZ#?>Is47?9Ne{Ex z9?jwW8ue^6$Qq=Y>N*WjUKn;iLjPvj{C+h2YpxPm?Y`uE1v7jm`VELORfP+)xXZ=n zipQg7wh;%199lTAO;K@^A0wjT(mygsu7O_Uy3&R6oz5ubaCS%(?_Jir*Ic*EEYuHPX&V{&)Pmz;#=ZiI|r;1YOIr{e^ig!9={?ve@)1pu2a> z`Sq!7L+PuYsetZeX!P!K;=;hZYhhBUadXtdp!0l?$IQ;0Bi`$huW*iuIkslVlOf7u zE1ogA&1Pq%tF{ZbnjbqyamTU8Fr*sxT)QJ09bwmY&#y`5z}-uC-@lsq?pAD^2dg=*m^YL=f_N;kJ=axXQ0hoPN0 zRWiZsZ|5=d&eqVW6HLc8yWZr8J0rGHCm&l-Pyi2fbAtPEmN2Hej)TvPx0l5BY&99x zEfq+N?tgm8!k(>k?~@u~y@r2yEZi!?PN0ofX&prp$;u9salR29B;D#bh6GNEu#dZz z)WH-LAw)xJ>aN=(493l2ZCp#^&CM_5Nw<`xCjb>_FYB-fN2Q{iXY>7{O0muHcETR- zqu^r~yinU0`OA9d8Mc2MvEJPn=XVzNNKY_!Afd6yh+k85QcIK{a#H#*{p0gXFS*j~ z#fIGL#m$>ge@(vW2_L(_Ng1e>=-<^q@6cYK z8?r-olNhDs__Z&T>N<)P(xESi!kyJAn-%~TN%f9Yk&8umv{KOvjlAa`_Lt#cnW>+$ z!tXdlJgGd^h~u_pj(_I1GmWC2<#bGI!_&5{wB_zi#Q8Rnv2DrCuc08!wnA@ij=?^M zv`^yoJ~CMOXi<-Wjm;wKk;N62WKOemgGqg-KU@5p3zjJQ0~Dry3WyHf| z+{^{u&Y!RHYAG&;c79j7=P>Dt{Za14iF=wqAHvhsoo%3fJVGd9W|YQRJdDLk?~VtGD_!4Tm(>pL!H`I z7WM+DIRp*XSH>t6p=1p0^`8~n%8RUYs1Xn9La-`U4%@M8T*)Y3?KLMf$}R4Z$G23r z#l$yol%}bouSIOt&|1BxNXjqquMGA_%P`GydZ2=W8FnV5Qpv{I=rU#D8fDVs^uhvd zOSrsv@n)T85J-mO1LW#?wO1meuq==Bv*K}`ua`!_p30UUO?4y}8?8q6rXL$;6E+0| zuK8R?A7v^+Jen_M+9-5MBwU$M-#M7#L+EWP8N$tLx=R3Oyx~uCvHGcG7ubb2!0Y&o zy>KV3P2N|M!JYS%N&9o$P1~_RU1xwD-eF;3IlH{G8f8zdBW#;)8YZsH^l)<&|MV|{ zn|X!{@jDjp=|xJ+ACT~tj0S7hZ?f5&LqxZRW`{5My)AsLkI9Sa7y--cfFEqD?-@~|?r|8&!SCyRY zSO>6vUS4?N4wa=nga`HG9rw{zviG*+^i}x>?35$yJ2ffgH?|0SdL7Y~B^>zeMFdfS z8}eCd7Q^@KjMi*i5swihE`S^-$Aj|qvjjYW}Jue#}Z0e9piw6ivWW* z$N@fc9?q&d(XiRRdqUvH^Q&axtjqWG-+Ij2Jt8?@HuRcy(RLnw$?pYuyC`Wx{JntT zq7fgq8P?Rqlj(40Y1!2unQnW#3$s>kr6%Si^{nhH53=(vH}k0HGzC#`Je^8T918>9 zrTge1o93oUEN*vmT9ezuHh~e>=1(Lcw!7eKJOGH}Ym}|fOqN9J5}U_Y>{4N`S!$Y? zM+Q~!^6`7)3I0U-?YSHx=v6>AmHG={cr`4E5&kP!#aM%0j?QNIC!J%CtI9b1#q5+1bxW7$U@YiOv7YhtVmF{6pD-i@3=RCpCqVV6?gAP78?*oRdVW?PU5Ffx1%|JG&VaJ@RCxMeUz7BsY2Fo6?H-*^YAE`Z zwUj1wwF9N-pT(PpA&2p51Sgra`#po2_bjyGl~W0Fky@RoZok{}BnK1V+OIQG=dJGy zeMobi$*vuPb`3xvU;QpM)Bpx_HpF<)O_u2hpr+)}dxdUWg_RdHMTifKRl=`fFc?K4 z$4W?N!c&cIy`o0BSW~#(ugZqdb`m**(E+LKD4ejm#p)KsX;zYPnS*Q|cd!cSm5VA#*j1<%5#YcdW1XA};9@JAbrbfCbHywr|3 zx&=Dq-*X0%O48lgv~8I~<`ahHe0ElROm$mJr(IdwR@tvI75wH@>e7%)a^#$|slubF zW@7P#lH312oA+5BE3%2vuVbXG?ky<9j^&;>GA>J|8G3~#qlt=o z2Efo9Q)Lqipi$~Km8G0;s3)I^C2OOc=Za$;OfL=K+Z4X=7y&`RNtd#}{B^HRjO@Wp zR^q&Ju#D-l2@g{0nl#Pa`muYrWE+Dl3VIS|S~`-I8#YOVoR%jPyT47r#Y7y_XqHeG z$J-j-RM&DI zihY7|ndw;hJ9i-mfXDsf*)?Yw>%b?FJxfY)ehO7>?Em;B{Y^rzXi!wgT(NA%sQY zT@5kl_H00nnT@8`qT2h*u+6*ucRY-WarQeL$M1h@RGq|x3&E{Vg*y2YThQfqjpPBl za8bzy$$kUO)sqOoy!G;MP&${##`dJV+q;A0!dWvK`n3qh=Xu^nT3>w`K&H~0W+2z! zZ7N@C46pQ5dV|6)0_Y94SJy)I#PH1|B`2F!^>mu2Py~O6h(IE8Uc||625{KIXL8r; zcfD!yjRG=9Cm;g}iu^cdWjh+_IA}We!4)#82R{INB^Slc7W8pU6JQe>d=iZnIj(2U zJiI4G6VA4>vcd(o%dgj~<4z+czK!q{&@(uCLVa5gXuF7~!*7ugZ&b_XQKsf(r4o_m z(UgDex`lrI%rCgsC{8J9GRLr?UQT|#nO?*xa3vEhgy4Y;j`Rj)Z8=DDw_ddPB8X_eKAYZSEF8cZYB*#AdvZA`VHji>hrpObp8Z2A? zKu@@#Im6COU3{j-H?Ffm)9XJSV zWLAYZZ~=Gp74+wBBk)IciO^V1yL7NK$DdS(UAVk$i_cMbAf)XE0QK$<2MVy$t^3RD zdl2P&c-yD10Vjvs8ki53<#yd(XD>5_o5T%km1+TEX;1|QZX$sqAv5hbogj~TqZ4;B&{~m!%>+0rD zA}!9+nVfE@L3xRii!3X|pX>^d6J!w@pDiT#AV6aSO|6z78y?Inwwmor>0rD9$m}u= zEv?rk!DXpY`qoPXm~D1+6`JBKT6x3KI*tSOl;paYmG7{zWetbZC2N6gYG}IuIdjrc zAz8)AC((I-)q3t`l!%MStAl)#*=cn~vw%QhX$MJ9EoyJGOC!%j5dm`GTm6X{Fr#cJ z7Ft4~72zz`qdU00Py?U3F54is%(5GnxQ#I#?k%|sx1i`|r-(8;4rrN`_(l+!d6iFP zMHyd2K~FMCCckl0M2>YPZqrPW04MYmwXU5a{Bq!7l^`+=Pajyw!kL+QmvNzmUsdGe zTkR{HVD0ZNcx~JQbxRt*`|`|HvTrg6k|%p2Z;ROuJ@X*FuOCtMnykT*?A(pZsAg4H zAjfJmT~|_(mub#;c|!22kKj~NY%>6GKf27+RIg)at^i*Fz%urxp#4-}xfQ~h$L@9@ zY*1$*9LFHKt)=L_^H_aH{CYKKeGRr8E8e@J+t%CW6wIL;hPNYOXUC8yyaaYr-t~cP z5cn!y$E2QJiVSrYlNBHl9|htZGoV0*Ag_k8lw}_d+W390F*3Su7T_%5sOGj50^3w< zKIJ@L&fk{EI|?NRA0T1JJ?R~~^|JxS*8(_u>Vp1v! z?|a_Sd)woRXCJEbJv=ilec?XhEm|{nfrRBIO{C#5QFzZFCfX#nw;d|vXxSRtp#hwp zCQ92r{yI*Eqd4BY1d45j`g$y(3m(*ZZ~n}!-=Bae`d*yGM#lXaTIo+{I)oq#m%S~5 z@A7$8c1RUnwju3Cs5eCU6^4;I4>@~}DV!&np-D}cDtbcrSA_s%sc{fc{W`Z=B*+a3 z9xs)j&d3SP2HIm=IuD)@h+#jv+@UP*J)MacC4CbqigD^$u(NUUu}E6{p6SZl#+)va zp4pargZRvqu1clJowb1I?aO*lvYGgvsvZH^vLcGGD0a*Yjm~x4P88djtehMHM(@2v z;Q(K$FM>~p0olGwjCL(Cd0-ZAKabzrHQd=}ay9>GUPMhU726I%yTGVA3qF%%EX$vs z1<1pO*She&KwLWqt|Vp^!?2?BP!gdWM_amRuc(vUF-t9GYYcc1V1xB7j#)DrhvD+7H$R;?f$HGcCR0@#P6)06|^(ysZ3qu6^&8b2EO2|Cue)j1skl+e4j`o~47kDPxZ?xigZmuofD{0W<&CY7ItPZv~@ zRx9DW7L>QkTikW6aa`a4(JWgQka0D@iVu^b)^AsnVq1zRe(*j1`r%zIo4uZGBd=t$ z7e&@uDr$#yb9GkR^l2_;^4a42-tN3)ttS~RRhOf>z^Tv%4Kg(9UK+>*FU#XF_-uUa^~C;iy{Z>lI1XS;jak^| z0+r?70v*HwCG$)werF^mfU7?}9$_ozU}?)dQ%G>-vgpk_3sBHjB4?LkCYb1zWzo=U z#FO@PQ(V;0VqJlY{F3c7@*H%A-m<8qI#r2 z!QCJ7sPZIlUQ4WhK}!!&!*;UYrB>mYm3Z3XNc%M~;y z)%pjp^_}+~%I@M4$G<{UJ_`}{F%)0i-XMwN%rm8u&`5_~mMF|>PtkIlj0`ztKE&8A z1fPunJmQ#=_jcXctcK+AB%E@mp6oUs3Yw=Q-uyKTd+W9Dn&*&U!UZ`imBc~iA_AN$ zy;afVWf#l3thR;wOM!Dty7*#+GCNMBw!03r!TF#u`4etieT0kUXmxeg^td)#eqGLT zF(r*hDVZ6FljDLrD!UyCn1N&*D2JU^JOO z@ig{B6h&`WOUp@wN;iNEvOyGBLyeJQ0$j5J1m8>*=9aZx^Z&FsR{BZHIIQjL|_na&UD@R3Y(1TesPtee(5!=NBk}co`vB zh3e$`VgqL_QqM;U5UU?oL!+iy&KB}A-7JTE%x|!v?h5gz6X$L`PA7bXyO`b~rRH3j z`8BLeNR1TWaB2Pbbs5+{@SSNrXZO`9Wfc&CqM}Z27V6K{EHI--y#qf88n=v;zw7gO z*s@BVJ>4?Y(7H zX0fkjx4-N{JR7vVkI1j>>pA~x)hA*QZSRD4p~Y``{8cK@_Rf6zJqDxhFJQoc~I zzuf3wN4Of%_KM{F_1}G^W@26h8CWR#BMdIT4(s~!W#^;si);0?5aOemp<;2n4FF#kS+# z5}#T5S=>RKxu3k&>PqIm%I4iFYEu&4*y}0|C=9LR*CX0ct@em zo13g8KmcZuH6ktVN`=vRoiJSO;FYT&=wv==X&#{4TFhA*i6a9({R}A7(5o?*tWZ7=|15RSvlR zSwt0;9yN?`zQ7l8(c(c8^#!yFkz#8bXZrJVdZsG_!JqVOpiYp*rFMBKC;Mg;f{lR%=?>Oo!ZLhw-79*R*UvBrmv z7Gwe5K(Mm_VLbvwhc66zmmK1DfTChH)K|v_ppfbp86YUS+3H(^(BxtT*(z;>K14Y- z2n8pBnXIZ|c%R1L!Ct}y6b9%6uE^G(55A^Ng@|~~ffJ@}SWVA;N4&d*-xH$Z)H@IJ zeHJ#F-9$^^4&;UqPG6{eakS0z?R35-XV9w_%Hr7vQO1 z^^I*V9aOpDPVwIFMTFAPCZs`psgWOaR^69K>z_g|K@Jz9U!t=6K%>Kb+U+D`)~TZp zLa$%&5!+oi$AW@SXZksAZ-=nwjcBmLjT^2NzW>N=oDniW01nX_tiY(N1aul*S7YX( z-{C!oyF`T6VE3<)OvuzCRo$6xexNDYRm{rGlY*%4eSXFAfLR?WD6uDTc3IA@fdXPU z=H-cca<|bS^>^nNkEF!hu(n$h+`D_P@am3F7hhU7iRFSI z=LKSc1UzYSd`lt4@kH~p?)-yKFSX&l+wsw)4TwCM9h6DufVv*9@dc^$b{0~LL#pIy zn6`V&)zJ44jqI%JQaAyTk^5caCypAuFN1HTFhdk}!Lu8n7o=zjkytL5Bbp>UAf;me zIwq}O&k`X(yp%u~1j#`pv4kA7mz3B|=E!wf-`EEqZQe^1{y?07h)58DL{6#d*_JMy zy#$PQm$@UH5bIvk#A=XEE80CmWS$FO&RD~48t>Hc5;G=L@*4a)0x!|4`vcLU?$Q)L zuW<3KzsvLs!2)+rN?96TGqH#rt=vg;KbqzLmFOHHV z_6V!=E4@eMouDmZcpA0mRIrG2g8?kiF89hds15d5%HMo^F!laJ7!c0|Djbb`GgYdX za3c4@?nhoJS_VUpkQzIC45vpc%BGIV?*;e1)F)uz+?6veUHykw3fX@_HH*??i40nH zK!QjO6-=*%k=jCG_fv>B25}2GDZTjXaVl-x&r;J1%tEF^?RJhLlalG(wijj|F>H0$ zb~a1u8pfSQHvAD3c6!3V%atppm&aXO<#gMSacz)zef%v&QW5Z;aND!)(oVS9sMzj^ z*rU%chECX0TMUT)0uDLCs;jf}ZlYXd zjzbC?vMgD1(C+ zz*BcNsdMj49fBDaL1He@J5|e7dp^J_@jiG>P_IkY@{QF%k&PN0{j&lOkUa_kNvD_> z8SENoh1)Q4-A1}c5i#eY1trn!wGTv0pv0b=xq;LQwt?+8pO*=X-iOqVPYKq5cG4T& zVAvcf#4k1gvZCnB#QP+#%%&BRVo6O92q&IPgw!tf494Xu^24aad@}EnDBhMlswl1W zG4=~@L*Unww=-BQb+}Kh-8DLQqj^a6!e9qeydKR40U)=0WFKjIb}NyAzo3>!|l1LA5}$bM+`=*38kg>>8Q`%+_jyoTvJS zC?n!u*D?*vp*&cnijdi%Yuttdac;XCiJA36SEaA#79A?+F`~`gS?vplN;08reb~zg z+B1!i4pJS@ae;liROSz&h7T1=v@L}utrwRv-F6xte7sQ&XQZklO|#uR>+@kFI661r zpO)fVx2;)zZkUt2wgv5ojbIl>e4u1k27%xW-z5lyVZLI!-4G%9K_M%c;j3*~jMX&7 z2A$q=-P>6k1MA>Q%_vDxe1i0?H3H~u1kH`n)b~_ltvnO`Fn+73?pjV4=xrJ6Lb=&n zWaM{hHQo6{lmias+Jk(v?=GtRs?pmUN%C;bG!Lyso*(ynwoTC;5IN}Q_Z!1}6(6hx z6xefpvSyoX#NRkcQ3# zj|e-=X9SgAc3vMtUL7T+;TqySy_TZ3B5Q+O5X*gZnC%Us8OiB=(=}Ok*Oz{_M!y`z zv0Qpu5RsCxE?;z2bU3izXm2joC8e7tjFP`1y=__h-Dl@;8T=LWRF zHbTqyKzH(j-h6h>yBh5s6~IYDu9{mDkui=z{VQ@UrT68+rs$NVTZJYYIPpASS^PGw z`BrW5Z%ci7#zGRmMT-$!pawaYIDcS|qoXwctmG9z^?^hX&vUO#ckx3-kT2Xk=blG+ zm$T-0dNQYzs8Ms&ES0_dgb=fOYw2>Fuc!?{5_&)r6e~UqCU30XD^&Fx7Z|v!*--6z zw?R;^a}~frn7r6d$Ify()>)Ns-|02UO50ikAj6@W@VWqI+K>F`&Trn_9DQ*TGv8dS!vK6QFD^s=V9(>aBhum^<L?yl83B(qa3;Ugl>IaY$|+^&S{tVLFkVR{AR49 z=UlXo9#bg_0LWL6Gct0F&Yj_6tP#Q5ySwo0RQNsaUbwydueh)Vbff@~OlriP5Sl+dzgN z(v9|8a;&CQ5A4o*^~D+ys3?fdNo1^~#PJQ}MCW}#{872rXeX3o`OGWS#&*qQb~=g- zUIyIHUjliF#|{i6Q0LEpj;khp-4f1}Xw^Zeqi6XxiK(}q?aoJcDezmOmS~(U#LY4W zsy5a2o-yUMf|e|6u(|t3=4o0Vim5NPlP#ZKa)YkPxjQ49p9AFPTHT$A^3hKN!V7N+ zFzsskZFsi*Amd&@sBNGP|DLtfXg&S{_7(1WTmexsL*D17c*mCXPy2cKDTtxpm*{1~(5QDp zh`Qr!GA(6i{$@A##tK9e5(_!YVd@(Pj@>d2tKV)4X~f7W<{ek2g-*0>+VtS7R74Z! z8=Ia2_ReLF8$ zvjhaA)pxSX=5QpKCn|~d@%-5-lee*bw-$1o=rShC9*&ReH$z@HsM0*Ct`uP}zt8#l zaOtapsj>l==0?Bw5-o1v``6q9IEWY>KvW?%w#URLbs(W9bo|nuNkVw5hlMlb*bemx zh!$_HBI5v2K3Ym*yYe4wS;LdA;g0EqqbyuGs8w!_a=If~d0F}HH03zcJa#$3l#IwsG9(RWd`#}PwL+LHrUzV?XsjfhxY zCrZpJx@U(1L#bm*=gE^o^nnfQUT?vgQ+Zf+7t)?UBBHbNV-y%-y=)+ZJP&EN>Q&Yy z(ycio4#92!5%bx>alTn92uPk=Lu~K8xTB9#Vss2 zxaQK50*KI7jVed$%cG;P`FMOKu;Gk(O#}pILTyr-HGnb>5_t znFc4^#mns$n{u^lSm)E2vF=@n9xP(8QT47)?HOI6f~HO>{+NO}@R{qF_C@90=f68| z_=3oqXb>y`BvTx^CoVKYy~E^*>&|4YW2M#!Q*oHa97uG1Ekjgd++Jc}0fd3<*xI%s zSR~1t{z^!AU*}D%hc7nmi*{n}kB@&ICc9QVY!{W6kXd(XHDus&PVW6IhrOhEi<;Dc z-6tbDCkTe|SgKpo*=77@4_P?H$KlkkmVtLjF zqbe3a6OYVu#jq!tGYb;T^+AWj<|t`RiXo2Sic{a{m>;)p$6^*Dw_U}1d#%=qvYdD{ zL9g=4DRqW7M1esUJ@~XR%N8%`>^ge~+lyb>h2*Rg=FM`$#&&A){uyCDTt1zTr3pLbIa=nGiBS?g0>osIiD!?+rO_AF=nx2~9myOX>(qP7% zoXsrQ>{d2=F)3QH*Ey{bF)eU_kTr(Og|;4MCoZ3J39EpBJ{ea#oo3bIO%WMoUY0Ij zv6@NO!=vb?HptQv-C7IQ0z*VJ_DMH)S0h!DdaGq?I==EV{cnu?&wL;>PEoq`ZBmMF z=lV%5`qzTTpCfVg{96KokItV7$x0>>2LPdiJg9sGHC*9NYyz9)#EY4U$Go7-R%XYr+6pVj z%$t~c&Q4)Fen81EsQOBm=7!L5ZxqQ8-~hx2i_EOAh#XhJn3p8XAAy)EwBQN`W|EW; zP}Z<#?_LyGQ`Unr8p}B{CU%rL1_r5) zPSl;|FWL=3g?B!mY6O>t0mSsT3cz7dsxV$3Y(L%vorR%%!5?S>oE4MON`eIHTc@&e zrK=0sQ?e~|-f7}L&_Kpr8nY3P%2-BMe_qG8hv&HSd0n1DDF+0HaJaSHoxV=+2OtfW zMtD%oAn+|a_w4|Jzu|1e_tX#jxEbsv6p^yZ?+FaX6OZu{dV;dI70Cj>s@+#*SS^`~ zG#T1!&HB1s-`mX_Ulk9P0E&vFIB=C%#-g5ln!{zNTRs)J6p>-WJQqWGTEJLk%Lry$ zX;^;9j@s&RNf6*7l)tQs{*W5aMkP7#@b4^u;WfSolC26*Skbtoa_wW8)IkN#g2<~H z5HiM4sJkOF%7UL!6I$-{Cc^A0n5!;KbG1MJC{5aG*yS8iPf%R-f;_9jb)%v0lHSUzqj9mHEteV*DhcYr-BOWs;Oh&qxU!>V+4-9N+?Ez-y=>T{6&X|B1OQ6l0p}kuHx*H_7`}{Qyvtsh z{Sjp1OD*?p*IVRA74}D+%@YFL81{k~l6FvLK{c`*c684bwaZW(>&rU4)+n)7vULc{ z1ojxX`pF{ZhBNJR1T{A@=VQ_ntwaX9QXv%D(IDx}6nGeT0=3m?os!$cMfGGWtxl5n zCLTRcosnyBKtx4$5R;YX3Ruu7Fe*OV3cQ+c!{44mk@JlmnJaeYf9tg}$`%?IJb@fXJ zv}(RHlyC2DA3!Ek&^7{IX|jRN&F#p(i?y}bN;ikp|41Q@5n$b!?Ge1dfAsn4{yzMq}B&Bb~rVo6-uiLv{%GE!!^V0_=P?%d&1UEAH-#x*_Fb{J_n zotn4RSbp6XR)W+U2${rHPRCeiQ?SA&2K2mMX2#=SK4i3I!cuX_Jlrr%QyU{+;g|#U zU0;fI5%`+iF#4FHoe0RA-}fC$l&<%Fvm;?{{NhFi7gFB{I zb<(-LGIKpd5{P2N%KD`1a))Uc4~7hBFe4#pVfdmijzOIVjjBv_Y^psRe)Uo7r2|#9 zS_ykS-k~9LDR`-|`P6Bp`gP%PQRh~Za-zw#sNt?t!eMCHvHPqQrPuKfZAR;bb%QD`*bA>k&|(+Zvd5;(z8WRQ5|N2_ z`3C@2T3Fh_2Sn%+ZAsu&Ic^Vt@Gl>Yuzr*USY7Huj6U(ZaG!HUg*1*G(9qC6nQA( zTgm%TWBk>jcYr_MY0OG=!*s?ZO*V5{U{r90D<$vxd=&kG#M2sDAx-v6Zu8sLy&FBe z+4gSg>wKHG>=Juv=6NG|yDhJR^-c(mXO~zgU@nHICGF1I<43=FuhGt>v^MwZ`u)E7 zWx4xj=yC-45BR54`1KBJE9W-d)HRJ80JvcWl5-VZp+#||K($x+?MBqgjm?ua&d_Fi z?!Ggd8aKoQfq?i_9u$Ri5ynSbCK0XW8g%%G<_{rQ$6y%9LJyk2Qe$YU6^JAufkdV& z88z~Q9m#NqiA*myLLKtJ6juE`l19~^E}i>?Wa?Uqsz$WUHySRhnQEI_#;X~;_$z>j z@sTNWT{Tz+(CT^xa2JOe_jr%IbnR;s(tS}W+TD)AsJ}0b4S~sPg#<_+kjtG&oDK8? z?35SAWpkeJ>elE55P6=>FuN)h-Wr*gU;w#5#9a5$)pX4MI&V&|g9bJ>ht;RLFG{MJpu~E9%{4_aOLZ!Mt>vfx4ZNgk`c@`0w9`_-KNzBU zzSFoHM^W*@CGXmESFE-1i`W1n60sqBT-uf&o_Z{CFYC3AkY*r}0ZO5jXZc>z-YpH& zGw<@W1+)u^sMxV*m~JU`2N2~mYz)mPW7QkJ){tRJCJlx^;$p{Z?;n<5)ZEkIO;V}< zrfP5^bVzxkm=_WXq}b|uM|@*(8{%RwJ&c|H*qwRs9f}RDF@O5$X$0Mrw48{6LKDm| z4St4V2b#OXi3eDIjByk zLJsr^wC6gv3zK>6WKsFXjB;Tzb#?o4ot`6_a_4p{PZLRTR7i5veU<1R+9 z^$}?612&m0eCzLF@-;?={S_<8m(vn$Z*;$2Do4i8_RN((+$to}I6r^-Jo&|`PBu~( zVw=(0N?3i_K&Do(fG|YP@yT{rBzVpOqgzBv&N@osQ}1Y}JVi z>`3ie=2%UX1%6hL3!Rpb`RNc_b7u5PF zF`ZBqCv<_gE3@)&7w;H8HDCda=kvDD2uaPr9g`3gCu8WzY!!FF%|8qjwf#)r7pH0( zL|ba_vtbE4Ac^N+^yVqjG|$ zKr__R>_*I4+I+kP?IM^6sB&{x4BWPW9*pk>7&}~aRCFsnmDlIt^4E#dY%9M?y)a#@ zC$YCNA67V!#RCM=OCEBL7f5Bt+_?xX7om=G*WUlc7CPlpl*!GQU_n>;iJ=6c)0{bO z=#opPe?BF|?>1On4AE5j%1$kwqDx24qJcI{n@`r{Mq7cQ8P$86__}!U9WXnrK;={-q7jbEn2OL*uJSsoR>0 z_;qBup8>n=t7w0ynK<^P#MdD`|68dB>x-oPVk=wGv5cB_qb^%buldcEhe`|jp`EWm z_aSKd#4Oq_#a%K`4t3awn(jJ8(Z;eF1nK)faot~em~@d*QY1sabO=I&m-?5I83IX8 z<0d=_I-T3sx<5R=R2d%L!0&p2u}{Inu+(p4HiVv!UD}L}-Rg0O&Zi_?;xZ*>6P`j- z%0{uozNBKBL$+-Dw7};?JQXZ1ha8#RC{vIO>6QZ~980;g0fFvj+!6*TT(VNgjlcW-z4(DKEjLy$ba0D1FaeV`~NT2c-wlB{gDhQL2E=Ak&}H$oGq zuC=^+XKXofeT4_iFHb^BGq=11Ump}JQ`tn7o?wJgp1*4Xy&{*#LhT3I+V~@1q+P%P zyIwBwG-}6auqdnj$TCMO2r)M1ReU-J#AAO zpE+=Da1xfrO_8#9C5w?IN$0C4Ji&2lSD&5uRMuem|5 zBHNMs{o~_Nq_=lP6<_KdCGDggKfKAfCBrbMO6xO~?46}{ z=la%x6qYh)T4Juot$^t{YXyqQd25GadK)YgqTTwWJmtLWGGx=DHw!!eGBFSLb%L7~cA} zo9#b85fwa`)x?7(&g!z4z{|!u$$j4Bi)S_qUnVyd`fZErqVk=Sp*VLubg6tS@yN!H zhTyE!+>0+?vOUwftJJd6*Jo6GN{a3w7E&JFe9;X~+h(q+q@(`$#r2Pw_QD`uBq^V8 ztb^`#Y}zy#uHkF3WokSDJR4nodun_9&v!@9Vn^ZWYS#$KonI`QKQ9^^leIso{ zy1(In{3Q|&8Nnz3f;!oue@gIBm+a(4x*`E8@zf#+AeDYzV}FtZt;2|oMwDXX(6?;) zwl-)^nIbKe2c&`JsBAg9G(p+op=V-bC+$JbcwXB>-7kVkqbwZo|CBTXHs5H&-lL}FoFI_NY3F&e+yzD120BZY-ts?}ba%s7 zu>AZWTi`bV2~a2Ni39mk03>P0!S~s^4hXbcVH`>JeI3fk!sYJ8Jr^kmdRHhpE=u)0 z3^<1)oWxHyM{Q@PIf=c3wwgKlA?@5czn#mYSq#MQ6bNa|Gdm7)Rz#0?eL+!e)VJG& zC@7xw_X@CvfbZd$N>F8>kdVKF$UzHPA|?MgLU+91`rH}S=qa`d9l zDJaND<7oV+TjMkpeCSJt8$KnWcpo{mtU>(KG-&F4gwx5kNb$ROde-u3pwDdEfX(#S z_swmK5}S&KTV&(ZnA2x*%w8{VTqbFOy_xsS%KOb+-|uXqCTnV?pPhj(d6`62#X}Nl z%0*z!RMUzre^j$*#!`53(_b|N?9mkT=-EIQR0QxJfjYXqK&JxI$SVN6EYWF(*eM46S$rbMZe7SfzPzI*UY09`1YP~C)}AHk0X z2Bb8jfI2%P$CXe$g~sFZfju4x7+$WAGO-bedR$(KOS_Ej`4UKA?J~x^SWVJ`O z+6u8|+?g)1Wj6SYT+#c6Uhm;DB)7<3_Jq%MIe$=A!@!EKUSTC5^t93_E3irMgS7a= z(t$SnIOY-hg8;@_sf4&vza^EUW}Jl}VFM8q3~GNk+Yed!+y#Y}1h=xNS)GS;X^_mD zjWRbEnXd+qA3q-B>9knuT;I-PKe-+V;1>&lIQ%u2^hXzm^R?a+i*}X_rpw)Q8xXU> zRo-?Mh;us?YUp$5^m7%T)X+K2Rhyl8z<0E7ZQXYN^knAc(=Tzd+3u^zBDE4l57+t=H;j@n)c=a$w?taY@x1a4l=E&N@A8zQCBCD0jF#|sg@Paq@=%U<{FHlr z8ou@e%jbk?KxJ?95}*?h@DN4maYJ26h`Jf%W&C;SGlI>L92!peLs-;H1Z(U3>qoou zIr^ZlPk~n2wV$(aWS+Z*LV1@hnvKEJm*}5bfc0p_=d2td zhTc&0_z6&6vw#qt9rB5XTqBTNo1nMl4Q0~&JU_~#1G-AB4cH)1wr4`IJ3{4OJd8<0 z&>BV1gc3MU%D~kLZT1HxZ_aBz|3OHmnj~<+i)0A^GzlBP^7%}->qXjh)xC;@^wH@P z^rkm7+m#&}=u=BZVX{F~jb^BVJh7R4#sFH+Y#42Gfj?V`D>1RT67tSfZQ|;(5rc$mdoanC}a1=>SrDLWdt>jFzAdk$LQm+WL%;_xf^)jR9M zGbadZh=n5`2P;6D+A#QR_pq7ta%l0JKP_&}#~^TLufHx+R#VvJvNd|X5v){FGb?N} zbYE+bs=**7jlz)WUJt{5fr3XIC}ub8n@N9i@p6} zrt(hhXB-muT`QM4{ri@=79k1UJ;H218T9+MO1C4+_hQTyU3AV#aJlIN2aN-ffesfT z7``qUE@@#g5SuiCpuRYF51xxLcEIqjPB=P|jY~m@NvC`H)n|04f!A@J1rDWPwP>ta zWIr6r67ZDI`wL#ZqVI2Lbh4ehQ7E|PqPjW ze}(Rw1H#8Vs!xvnq+UcY;}b(xKdQZ^KQBXEvHfFihuIrMG?s3n?_z*0p@TWCa*6d5?u3gbtlrJW8GMv}Ko%MDO@aEhfHNFb(p}V z=FDeMO1!Sf_)3|UxXkZF>ZOoHLB;QSWs<^SwnJQf64P%oW>hLbqFy}(G7zMm>@!Kr zk>oz7z6nre%O9P13(~VQYKj4Xj)NmoIUGD-d&RG(1upl<$Sijnm%450|ZD`L9JGVGn5RehNT zJYdn+{#2k~db@O?@yykq{2nkGpkEyzq}pBt>gXF`Ovsf1+S8y2E-Rfrgv95wqtje_ zTpS7GWiD!#!C0dd`CM_8&qk<}GALtoNJPNJHjGSk$wXA1%^B-g^b6R(A;o$n!1{c>sLN=Y+>k%M$8TyL>|xUsN4 z8o_nu;b))HYJap~+ExTJs#8IR#Z*0C@Ec^kYFm6AwzoghIWHm@B?T8~V@*NP{QNvA zj{LN`7ZC;9>H>hk`VznQW%ALxFTT7ad1eFsGL%`1US7Ppc3G`7)HWx@j@i%(iD5PZ zF54s)y%qErpOze#=DsRx2EZnRDe$UwXELI6MvODE_7f2kUAWS#xPfjivM|Vp%i9<$ zC9g$hWaj&+$$!shM!16ME`<^a%}6P#dx(90w|-P$H}uxWnUOM>*CAvZI6NzG-|QAW zy_Lte6_@OvjmZgg&&51CXIa4;U@x)nNNBtlZ(5oCdNyCj28N+{b;?*~j1==7<1o!- z3+CHRLy)gEI9R=WO-f(HsoGLms%RBJq99v2epRAEZLE^HP~(RkrPSC@iL6#7b~{7U z$EUwBE4^4cksj_g-Ih;ug!Iz$=0vJVlj!bs~7Tmd4LHs1p~Ze zCGp9xt;+1$dJM)LZ=7iq!V00U9VxK6_z6x3N&GjKvzh7 ztq-IHUM~9x?&mi&MX(hp77!mlc{!;Hxy?=yQKGB2(9%g4i$MNdp3BXf>UcP=^$v`X zS@Msb+$n>WhEH37rvx0H9LieZOgJ;p!OB4*A=d=mqUjMK?jxkoXTh{3|HBR>bVenoyRtpqK0aBl2Ok)w zpE01DtfI!*umd!Ovz|6K&GG=_KW0A+y#%+UtzuJzWc@(-&0P8+kP4@U&~xt;(3Cqc z8GyVn*@OpD(lr39T^D>m_Bt^W+cCc$w6^s|Fc4jo5|7844V2hd;E53J=>s>?pJ`V= ztzI6k!PBAVzQ4F&mmq*T8iWGGeu}6RS+BKvNUPzsGpGY<7A=7@7M<3adkXi1kowO# zjy+fr!)xD{9~MU8A3~Mi2z@MhPfGZQU0E@Dzb{jTZ4L6ENG^5>TZE==I3^1Dec**e zd9L?M)Gm!U4QfqoeN?%47~G^o?B+v#hDTt9D{ltToo-sj#Vm-`yW#u%O80>I@Umoa zvR=%K%?MUKzroBr2e1=Ofyd4N94iu*%p2TurIWrzOx|Q{ZNazzO5&8ex5Zi7C~@7&1dbk0@tiqp9KG)=r= zX4k=cVydmdjAyDKlH5(PRQLM1`>QEk`^UqQt-{zXn16QLs&&UvPlDqV{ftCw2>$-W zhpo^$C(U(@i$2u58!I3GZ1ouVjI{WlbIzAgp0gP>q>?kttxJFp_!pJv@l@3HEJGQA zPt}qx-&5;GklI(Ei(`+x-%3z7XAcDNCXyh|?@ehD)2+Zy+AOz%|78Z#5L}ZjOK~(4 z)kH>kqwaW_E3e$i-*yIgkg8qfp*K4lMd$wDGf$~!2rkhHIb6@lr#~7*{n3^4N!WvN zS3%gQFE^px;&B-4?BQCED`I8*R5Zs=uAZZdf8b#N{hBx=x6N>dvNXj(zMp3onp}xg z*sMN51yv>^;O}ZBqxD8G9U66sjxaMV4Nmo(S?I8+cN3P7dRzZZ^FdJX4qz5nRm~2TBGYZwgtbz7Ro1ZxG z1-+ECM#Ja)JaG=Ln<@NRn~I4@+w6h+pB<1%BRZq`m(iJfaFXBHbpjK}#Lyyaadw2E z-LklYrBh~Lg0SyXyOg%X;geUzN;a-myuXt3t>|FxIXW`e*_sU-H@YS!rFLu3`q{{w z8HeRLp6ydKtJ1@qF>|O$_nsLcjh_3mdQCkN8A;`89nK&w_ah2?kyi8Ql=Qe*7q6N0 znZv+(d0u~pfz(WQJ~KC{j;OmQ*WD+*Js+mP&Nl>_NR_D2uiSwZbM}0D;E4S?f%&Db=0xROnaDlPZ@oBL?<8$(t={7We zM4*Pd_UgkjryqQFK|NewrqkpcmDg>9Aw%y~gs)|-ti>p#v$lE=h}{H5mmnYM*Dz9I z+&F{s7N}NO%CbY~DIY?KAXd{Q*vNSu2tJPW43DG}99^3_^72QzQRF?mV|(xChsKuA z6Rykrwq*=g*`ssvQaM@_NOGn1<+9;$S>Z1a8cPK( zS3|hu=|-gX=mMBEzYaq~?J2nJP1uoo9NUFU#pyqb;c3*#sOvSzEDjiUwCiUW=XU{PkEIO(jt30w>9vSwUq~~JDFfHs>oC3V>9fWC_ zeo~OJ8TbFxbF(```3u#i^|djflV< zIo^QbGjY$C#@1xxbF24&OHPv`*~CaLdCkc2a4hl80-R86jz!j_gpEjNYzmkNVlVfS z=NZWh;DVm**1pSk^n66A4@^n{1Oyl0_NrvC#{HD_66yiiLDy!_$ir1tQ$2j$Z_HD^YiIp2N#fwirklck0XbS?G^mm}r*xffqeO7~Zvmc^OeEZooEKGP|M;Xh6M^x{i&E*1CA^R<5 zVJVe};~U;6g;@ytp!8x@xi3n}I|W6_rR-oqLMZK>?#$N{D}ee#B=i(26D4kJc5)~k z8wFo};1VIJR}+0eDzubE?knvyz-4FvKI|X2o+i$BLmOtAdYRK~fZcu(oeu!`j86wN zZ2AG`^!8yy0n*7>7?5-GTY1v$lHi1tia5$R!MAQ`GYn*Ju>$bl)oEmR?F06{8Itb6 zY)x?6#~4ttD5lr3**&3ZwSpdeKqsAb_b(}b13NL@2g%lgrJEZ3ffQb$5N_8Xbe|=@ zJpeO|*WDX7akOhJYXwKF88l}MY^3H@+MkyKON6%i1Y~haTj~ce8OzS4OF4viF%r}# zCPMXcqqa04cV2U?3!unmM%8rj7DJ}R1K*}#4AG?7(ppZ0`KtKLD-R_t8jh>x$y*(Xm^*7?IKA_%sVtvAS$B za&W7S;|Wwb%nhHkMtROZbK$R@#yL`&$V1S0mnGtaPLiga|VS z8P**Zh&weVYejloAa5Dt;%3y;W&f(~a>cuXC4b1`ZAa-}DqnlS0DT~)wk)2SpyyI^o}0?&?`jKS%RQLWR33t+hs*f%H0J=*O_Ux0cP@p-`BGajX!qW#s6$2>@a<(P~V~Ewow*; zIKlD{2b93d$sS-)Cu#A80FO5kY1upv>?9#jxYY({w&hC%^xwqx;vYWC|4e`-Ff;5{SL4f|7WED+6dcVr2TR|JEjfI)U)H znGBVJ6rMT&P(P#g-#Bwi@wglFu9J1%mFO4O{{9YgsZcY6y8xTEG{9PoJy-*l&ut%r zZ}hh<2!Iq&%99ND&=B3zx1PWAo8t30lIm_$N~$sgDJci^qBzFu0@;xMp@)+Ukq7Ql zTSZ!;)4RXFX72i#t}L})m}vEv&7;QmdJp3v!k9|%xxxw)J+KhhH{^G&{JHrNu4@ru z2Dl|$y;P^}rd?DkwFjudn_0+;`$3@3~dH>68sfwDeJ9=y|SF858vVhiOl+8k4`vRo(V)^H& zFu$*i|If!#=xYIo6T8Nj3*u0MY7lueLlk2H>@y?eI?%yNshvSzmoCtk=!7fb7j^>< zlCpT0wBIOD`1{)bkN-k*#7jk^9{hz4#GLzAetL-DRW7CBGi}2U|NM^^|BVarfBUPX zf%CJj;Kg9}FMgq0*6=#Ft-}I{|N7T{B6%-3^%W9CqyF#q=KuDU{MX)JV>G-@;}C69 z&A<4C6s|!Cppe#agWzBKLRG9c1q4P}?Z3^i{A*uGK;aDFD@bu4eShOs@t^!vxlLy; zwiP#NuyP0dC;#`q_K^Qe-}wLALjR?&>7T#x|F?zyn+x;*k6VZ%BT;7H0Yn0!A|5~| zvo~5$Ox|VJs&W@yY;E~(F0lW?j~!h~Q`BiZx*UPz9ijXllXt?IT|&;xiTUUL%Z?3l zHiH(bdayse5D$X+KsS1N#c$;y+v8R}L8I=gVZV!fB~+ttqbdJI2k|XEg6^>V!!~Lt z6~?C#@Ku>RoS(k*o}bw*R`^TOo!?hn|Hl|fi}2FbcniYv@6k;Eq7U}BOI)A`uI7HG zOyPfyEB`6-{U7`h<HA12RcyCO1`Qy9~Wn+J$t5N7WU zuZm#IoIf^00W$-V6COr2XQF@?*F?7lHJCCyu+w_rSBB{`TW@C&B5M<* z9y7!hb(ALIAZ5DcYi`+e^f;U2-M_N{P=?WtP$Fsu10;e;5Qjm!&7dQYfUHUUUY&W_ zY)T5`-Ji`s3u#W1)d%CXn!%s>N70?%nMxzaXYK^ynHja!UiT}%p1yoS)l7R*GY}8Q zgK|NvsK^z+4E``yq(x(50E2(oVDn{GKRL>o1vz9L6$k^(zd-V!n(dB<9$!B)Biwux zdNg!@w56IsdHC6&I6zQ-=vRyhsUK_7SaIoXh6f!c>@f zXn6(`>KOrh+S{oR=z)yl0-7qlGf-h=MMcTCyQsJ4)+K)@Q7Su!vg|5|Pi*5PtdR)~ zsDhq|E&`ifk{I;|_j(WE`WM{=C`MX933@pr9JDBH>VUO2FICEUG6gyKnZfYiSjzcj zK~Y|XGr^f`=J?;X<^;*}-PzQd8#EWm6m)LBO!kK}sqw3r-?`6__ZQ0T5htV>{AC2 zCfeYV)}!P!HwFJ0ZzojYEsIVvs ze%DVFoaWIgC6);)1~ImX=D~mxYpN_=4wl#q2N*W5t`UJ?JFP2!)z^U=rVlnq{cZ&% z4us;H0kSuY22O- zfIm_I7?A?nP5pNg*mTP^ct=S*77{M)Yj>PBO^ef<{v18ngI0G0=zqTM15lV1VMrpy z$tLJO#M;xiQSoPewO-h|ZKJwi@Ud;YZUZUK@PXwFpd+aUs#`v>3C?v^7?AFk@4zKC z^c?Z38;pQNg0lrpVw`TEw3W7GUkdW2xh2=$f^_`T5H}cGPU?IdJ`up@@MxBpZp9y+{_+u@)G|4KW@KB5_|C zM|nCG8rFjAh%3a{LmR}FGlA=TXL(O_I%P#xcsyyu?BCduu@@@roj@!%on|WdKL{@V zlMSt??y;IokyRoYeHTK-X#$k9oXo{H1e3t0c}j2d&_itZcIzbIP}z|}vW%sC86A4r z8)MD_En5kTXN`!yt`rnL!~0Nl9QS+)*P0nZE0oXP zb^ec8fHj#yAOZ57wv~u}EvB~ah-nD)gi}!YYaN*Af#C;T2=)z}r(6ax2+K+xECx(f zw+v{@?LWO1O{_<30YVmqm~b!I z+PG~yO#lgp6?`2QI^~zq@;z`SuR+H#489M&oeW96Slva=w3=3v{^k1K|~DdmY)eDu0??_Nu33v znqTIoyP(}~1_e}TfAk0;qAH#$a%QxZT-j4RZcjPQapfr~^)$euTF={budRVesB~B) zh-!AElU1=Q&982qD?TSt1XV28W?Z%atxoL_&pos^S#Tcr%|PbK+bE?j^4C}RyMjiP zklok}nuc(STt_&gBH+L%6*5L7ahwRu%K-u^A1=g=U?|8J(T|M`!d^_cUey$k__ z2dTW)3nDDbuI6Y;}&;GxT1Kn*a0;P2oegz6HKGEpSxBfhK66B z>+_8{Yn^~1YO3Hv*C(6_QTFl3zyCw1j1=Q6%-<7|zz*v>jU$3(muv z<7eS%86mujHGGeY9T?k6s_GC{oxI#(Z2Kt{!+SwBJEDtKsNWi8z;e4P&DQiQJ;|&h zKnXa3ZK)Zw2FAdHV(WwsyeuV(YAxAmYss~!DV-n+jj{##0miEv0bJ-UC81E$z?(>w z>3i+x*>?G%%$W|jAO0XN1pihfBIQC9EQnbIB#4aHwr5~4FFWue?tr;bH!Us}5j51` z-~Wo z)p|H!K0{IyxX3V@k6X9fZg@@5uV=xQW%|mrG!1!KGn@ow2%m6$>24TlN$Q%v81%5! z>H2=9r$JOkPh2(>iX9*zL8vVN+G(X7kqyNUNQe;a2Az*|N0z= zs%2!h=5sHYReM}i%k9j_sM6=BDr`0BE=nE`@w!YnOFv@@5Y}s^Vt*snMM{wkryf2T zh9E|LW&jC|kihQ>45yXW(5(d}E)uSh0~e;R)hcntFo7YqJ#B~8fJ47N!IAZ?Z|on0 z$@J_>`(zTYeC*S%a)-6!)kWV%(VM#ZT9|ABAGIdK2nfORSIu~kQB@{YKF)K3T5^<=( z6iCb^!9WTgSM%sj-jwM{$Wl?)%*v(_N-Ff^q~$6c?evS?mTVsJI&r5eC~0)_k~tde zCa&EDAIPv%HJI?^J!}}tyvtHhshw$U%?V9kN%^|!kzy?6bn1n-3hqCS=r*f*Gl&QFOGw}M z)Fy5fMyQym>Im%&;UkSpGZVS7%Jd8Ga$FOp!*hr#n@{~L)phg-!gKNjWQ;3O!$<^7 zi+#l;W3jo=@5_xnMxUp#*l&q@3r%+~M=W{P1PnM4?TTVIlI_c;h>2SE--keUuh#B% z8b8*MuB+g_r7t&fEB8$e=HFNM#T%Z+#D=G(V!Iz|{sKS`pHkTQcWm2|!r!oMH530Q zwv8IINnVs5*vM3#*;P6OJ{MnZoPp3VN&TxF83YrIjVT~{f!gEW=#tZpic`tey6;QG ze9qRCJOV7v$Q9U^qC0r85Z>1eMSjA&gjgbR@vaD%AKaIMU6(u9S)0B&*Z;ko`S0-CrU11OQsV09 zYAdeEo?W~3sc2A|ud-hPVfv9^!o#=}_pjt$^V5zZIx7)CjZgSH!7UjAD8PAFid!%N zd~JBksy%#s86#o#NZ*%eFCe4D0rM;}&7g+xlI@u8_U1ZM?q?5QM<{feCB|eP-mrUg z`zi0ZD=RKbqm^#HMD!9=g~}qv>`U*6aN<-C&#jPW81OT} zD-zj3y5z@M>cnQQHmzU74PoH&?C|$i1-Xj(F%p`Z-h$6QwAk-C>Z2@HQBA+OY1xQ# zUu9UAvy<$Rir`<#DI+qCN1`akPwqqxtl0Q(caea%?$kG0ano(Y6qBfCP-BA(RUjE$ zyWJniY^91y8~E(8J3@eV;)r^wyiZ)>GjWAkh0`V~rU! z!f)V;9$6kUa`tQgzl=9Xn^iI?pQS8yrlg zc`-~y77)F1#f&mCGS6Ti_eofd++18Iyd9Yb)(J7F`iT!_&+tH9fwNy?#p`=SnG$%I zZ{V-q>9tN>bJjK;W-&VmlI^_#%84SV(KOs9boxWnjI2>k{m z5dK2ClfwGlbuU*@FdJ&r>|%6}hP#d*42HxcI_(G^cJzlZX$)-a;p)S|pVcO`<4Kie zUk;N;vK>nGCb%DAG4LHmZ+jAEX>`?+Eii;IC_G!lRmS1nAI$b-Ma{=Mc{GYaffjr@JBCb7eu`c35JkxP3}47MkfG*Z@}`$BOs z^|(6aHhCJ?i7obtMx$(#bw_q}QGaeI{SDye-H=*|((68uf;NY{eW7?T$$vR>kw!eF zzD-NuDAB{)v2uN!#;*_XHrAuj9xo4_7Wxb7D;c%aYSP%r+cFH@V^19)_(CjMFzA8j zIN3=dLVhbv{6uR*=xvjtj<(DpCQ3Yc8WMD#r{=P(>Vox#J^eFdqK;?I{*`+(FhIla z5E(Ck;K^uDiM^zChso$zs>XUnz8JJ9c!dsa)N2%w8-@`r8*Fg8!$>*ul+Bz)hk3m3D4~rjeIH~8l; z-++g1Ou3Mf;JgckO~ta;JVzXMYQdA|RSNbNmj%60-@sbLWcU3^+Ex|CrLr8-NDkz{5(jna`9f}ANLwAY9&^1HX zdp&EP^E>ZZ=j`)4du`YI{UYd7;zxm-zMr3HSq5 zYxXM=^mm3R&z>FUZpE2;#nC*$RC=PF?s?`OC3Bw!KOj`wV`GI#p*wi<3u8?CH=W^7 z`g(ZKkAk~!sM+&TA}C&SXY97SF>B?@-8OD$<6;;3A`EXq$g>S?^I57fA>MrI3mg570bFS)?r>qouX}_RQC4 z;C;rU^mnsf!rHsg)YWK9+aER`gIQiyP%n2#CLAe=2?pLEE<6g}xW!uo1li zyQ!wxup=^4O`)wHIBi<(T^`}~781RmquT{4MA}RIa;JVHF=VZHb9n<4zSYcxeE?Z= znFmm*N1OyY?(Ov~m4#s8{R22(vgwLy_@m`>uT>l|J9+YC?A3aIGVB6LG76ZTKpCbe zgI?zp^kBjlo?~ZMn?e}hk3R;iyxDZLu=`*)p0d51BYGZIOing8btfy;)Cq8zBkvGW-Rt7q~@)Z0D0`Uox3j21KL*Ko7LV~~NNPxqSCe;(gV?-4`N>iYh8N&3sQqLIJ z?a&b0Qy+R%)j&6Za|FF2)HSPW>-T-2M%Cp2jpS3toRd3HUok?S`5rn-_@^*f&--Gd zg3n)}SNMphPbHiDmaT0;Qeo*C&ZOLwGri+<-;RqmyB8=aUKs z+C9%3q;4GwGexgm5>Qeqxn z3+YgD1VT0DBiRZh-b;E>06O(6WkhZ&b}G2->+ zbnN<|M4N!x%M2`yH7s7q$ft}9I5B#k`GaeNI5FprOqSVXIMY}tRzV|hBM_&@N3Q1tr;EM0X>#b1Y_{A?rESW z5|(xAPVNT~w7G-gph}4!ztN-UzIPqNq7!6HkIuMnEMh#N20}^!XW)Svz@gk*5X!9T z?=kqvl9?)z+iIA%FowXi3VIZ=^hyA3=f-kmPz$^DlcixqJb|g5BIDD3ml1ftM#R?ciHj!>T@P8Qv=6vD(~jw5rCN)4_wF25E&6bC zLhHoL5HO(Hy{e%=?GHD>zZ7}@WhnM@8nESaGCRgb5Ywq0lVANXC#yxDF3~=_g1j## z+>3yDUi1A!~I-i-Z;76<-3RV$cQ_3A>+l9>-dokMMl&rG>0Qy^87j5%^~!C zPLWnrd`ISCGGsYY-qX^jCs~11={b?s#508fI)#3{_)Jt>MlT2mA}4x8Akv_87uiKI zm4N?ff;K4wD9W6#VsqSvu~=3H!4_Y0mU^LJ-L`!o_L4x~)1Gh^^`AYKJ4o|Y$%()= zLN3UkrZYv%Wegq7H*t$OTgInvVb|#RZt|Phi^U>XA;;00Xcr02k7-8&9Br#h9OJN> z%Zm`_WWyI9mD)V+L+v4BUcQ4+pW`I{1ajc<-mwD_t0}SoM%A3khaM&$(o}il2wn|( zKQp>>T6xbiQzc97tiACe=JxgL*Jt)b^w~ew@X>ni<@3E!5aVqOgqznaTXa2YVtD&1-TE^^iotqYI-tnZQ!5_|#A zeSN2z9Ly!h$`tnM0%F0k(<{|sV?n(PIC%!Jl6xh@p4pXC^Vxm1NWWt?K0fMM09@3Y z2$Cxz>Y*W!?vJEa!qC)6R_q<3|I>9^#dNqdpYi|(pOY{`x@~#b1XRGA2!}MkOZ56p zm=A=)*3?*sZt7is3O1{rm_yr361&iXnWJ{>LHHD^0^Pv06=*4YLnFZRqX7Jrr9suP z<>`|riOPL?qQp9a0;X>vjEt4Z{<#tXfr|Lwz= zIkBY>#gcwJDj6vAzY-b58+WX-D-fN^{6h;?ls7f`%h#_%AoVD7TpX*Z$&8`6h)+lw z401WqL#qfZ3{=E-AsFey$sH6xnfzk%M+#( zQe}2iSsS46V6g*>!Ez2Q-5hpPyl!_P(G}5maqMzKBK|oRtu|R)8ZzL(nXQb2GoSe& z+TZVt*^NkTq_oM@fJO;q#T$gzfM^{Lqd_TLwVwu;+aln%iU-^FphxAnCk^!{TpNk=TuW5`KPDmKHdG7}r#KY2_-r0!#VrXx+W>gPV zWbz$1X#EAl5f|WBcT>IK9@k5B4U0~t8hEtc1gEMnDsHna5=~2Dj?NV(VrM3eqBJs< zh7-$&#jw)xVJ^W-b z@MJ(9Iur}p-s+Bdy8Aop;&=DwUoTcBP^@~BW;?F--Ie=%8XJ>ZY1wh&k9q0O1a|>ZOpfMdF;*OFut>i z$t4gpJELP1z$vSUcieSj0m(-`eL2hkCEJ0;qv*rJ(TQO<2|S%>{diE*1W$S1^P?%= zK|7UZ!TONSW^YOuxEPSHd1$XIbO5rI^i+$YI_N@NZUk*Hm6`({Pk=ijzNnga{1DKTLo9lXgqYc$;8Z!! z9uXB4FJdCAUemhcr0S!G1pB_-+wME|=L0_sC<)TO2H5YC%cb?@=YHH~wfc};i{l~c z{7SI81IzYc^s3=`T=qEGFAb6q7%hMa6Mj>e{EC;T4jC_WG0Tb&tZO&c1&IuVg7cuB zyD(DGS3V34qL&_({sif!dRkVbBSVyt$>XL-?Z0k&NggkND@3{uT{KgPluXe0GX(i= zbb2EFeUZHtAF_=kdLMNB9oHw2Gi9I2gmZ0Bo8Da)2FQuyS^%EQ;?~^qTanA^^#cXrg%wzn^G@NiU1U~ShE+TWre7Vq9QIPPzn7pZdy8N9X<_li8;HqIkG zv#)sWC^5QAw6%qlSOK!1l#{C6#jsh3OY4!GtIBorH18z~(K?ctDZpKx*)IY(v>*|B zHLLe9Ym@i(Xh(|<78H*3e09xAKa#r(bG5K4bZpAu;r0Uj*be|G)Vtq)%RPL3LK(N; zHFmB7?0_F}<{*5Dst&vG;rGv2PtzEY2tkb zr0uB_oJK8qM_Crzr7h2;^PN#4p&66$H6DIB9M5BfwNlNwg4xs>V@9I@T81u{ zKvFZz<7ij2ts&5PPJ*2ni{iGQhfFFIO2pKQPD}6EbgS(r9zTBEyN!+$(d}kXKt>5H znx9(MwcPjD`;1)TgxzI@6p-pP(flZlM6NYN2V}b!`eOHry9OM49c24vtB8wg&>eOF zB2i0l2DLkx#jS}Nh;xNs)^Pi)OvD#?LSP909n$$Y)_WbXv}eygR!xTEtpFf^9bTNd ziI{ZEE}&eljMzLa-Hqcv=*u9&xp9}~L-d>N9inkTQ%$C}8K}st{;U`G`EisCQ|2tB zk9I(pq05CB7)JG7bM?mfRs)UfgQ6$kj~7Aesu?=@*<(2BiR zw|mKR&(^pkGv~7n)w`7CxWXCh{z_-;y|G16ai1wXT9V>=eu0Uy*KM_b4WxzdelA>04Sr@y}{tmZMOyRk;LT=Qs_IR}bzVjDa>q$@=Et zX;+6pWBXGWt-1dNvF0CoiIsOAsjjV42ZESf3-qE{;sH09c#6>IXchng2Hca7K+2#= z0EL!JgJk>u8h|4Rw0BiW{9N9s^Rt=|*fOwE*nVlixxcn&N(RY>(*V4yz1Oxf{FUY!+6Kr+HmCETD8KubCbXcIv z^&TR`E58U+6BS75T092QkzO1jo>B?)F4Qqv`A@{5Q~Bm8KBM8fnlU;$e<{e15R&zK zfR4FBq4PB1>$h)44l;fGRT%T$thXSP<1b94!DRsb9yt(Aqo=Yb%cADDm#p5NzSw;C z0nWp8E5Sve8Q>izBLc(&W(MkK9>Y7WUB(Z_MqbAjLNU_>q95XMrtYe^ z%{73dpnQ+V@;fxS+lzzW0*8z8%Ti_a3AszZ*UR35bZ2O2ZbC7^u9|2`_-k)8(jt2%s^*^?O~mkp4_O0c zH-jngc3{tk4_Pb({o?2Pf7VHK$x#?el%T7i&m7yAXEDH`Dsse~^)%K0ZDstQcleL> z`j7nNEKXN=#C_a(>Py+_U%qMo<8l7}Q^6HzOF81ykR|nxT;o6Z;$Y)rCuW*COWqOv z>hSmn7D8hnLagl2zxkJb9WT+?vvl!nZNt*6$9`?U=nr2Vs_5O7+^7mytNeQgBwU+G3yMI{lzxvmIZJV;H(5;wbEI)jOi~9tFnX;R;Aceel-r^4>`dk zLKa?|cAv`l)p7I>@5jLidCB$9A0WB@vyUh;{nVR(*8=#%*Z6OL4ZaO5-sY&y(9B=V ziu}V@JJXm1IZDJaef~fF)&AS-|KpMWug&zo3kr@MpZ%5Y1+pm~D}4IBX?sHZ2gvGjn6%Rs>TR!0DW=F$cBMdt zUB+euD0504iw}GXa55z;B-~A*F*5`J83(X{%w3@GIRyknA_qq7f4bBE?A874$$6vh z|FEWQce;LOa{BSZcOfk2&a$q3x$;V}+@OgM<->axdA!~WL@lvGn&362Z;5zFd#M?AAiG zCw_^mb0+1&?(D0l{*38>*;ctP$mHMT>oF~`hPfHt~gO_4IRhr zkI?>>gABj7nDM2nJ9A!hqpFZ`EJ%$y))(?6~9E#OXQBC2hXEiCKM!!%> zHm#%IceK#sf@UWnjSOX}w`Tc_iUUsC)zOSd^TbAn=<2qI===BUeGjj~{A))Jx4(sW zE*H3NTJbrrCH;=p19kEG0E&`tRR<`b5jdBer$~Ps4gSGiMb`_Uy#s-!JI)2WB(bSLJgx-U?4?f7dqy# z`v4$2S9UDJL0Y=e8}E2lN=`>`ZB_`3nVVsPYzUC;-tCZ^nkrA8JV^pjo?>ZU1MQh0 zpBZP+G<^U;%#ad#*iw-^mS)b*vL)qr^Q&NNd(+dQpc#B(S{>%M$+|@x0~0rO9&9cQ z=)3!qGG6Yrp=%bQj2*hgqd?R zG?qOMHMAaEcc39}GSUoRT*K9Hy?QQXCwd;0C{9C2dPA=V6u>P;*s82ym>LWu7tOKW zAGC)Z*luI3n>~onsN{KsX(%G3r#Th@pfk<3 zlEu`tu8<s-;Qp#U1l^28|-`l3ugf zv}IDS<1f5%<5!%%xp7)`cJ!9irLx-({mG~@8lR5~b+TexLV|9i;LyRK@>&g*yo-;6*v$+vs5*%v} z01|&4fGC{1CZchE!7xi`!ewifDMsIM?bAZNA^Vbg9`P__=Cy*Eu1al`I!;1d3=eQn z4jrPL6~mz4q#_wH(z^_@JLDwVVSuXUcyYQ0DOhlaSOULn9MX@^mS+*AfDR=U5d$^iY1P5r;XLcWw2dSZwu+OC1+97E1MezDW*o4LQjGF z%{xj?qyA>?F%ltMumg!!3_ao^%K%%b&}a;XuDw`+Ctpu=V7h9CK~4AD8UnjV#DhHj z9pnL-#RNbFsoNT{2di!IW>K}OB-E%8)QADQcn@NSn^@P<#`}N&E8M zu`##90weuWd#W>J?9uWV&r|+?T~@}x7Lk#|IQ>Meakp7=gZBLG7wlzb zdcr43(W%WOG$-GWmPmYWA?dvP8)tvmV>l>&M4y+GmF2?VU@8|tQ0DB5olOFA-b;cV z(+dE!vfVoaN)>H(Ub~8y&(_{r4pjtQ4h#JcK`LpYSliFtMK{iQnsWXCpD@1b0oT_DK_9)n59*!KE+c?O zJ#_({YEBDi0>l<$ujFL8F+6?I1692q(llUAciMX(Jky*$>5=9dGTk-X;fvCBTh zMuxIJn<;21qI72E%i{c>q{61(C{E7Ydg~F79l^p4{N}#$x2vWa*c1%$LU*wGDGKExO@ca!RkNYj8=2xm7Q1jXdT! z$d=?=mGJ9KOTCipfHioPJ?SnSsPqwhgR$H3}!UTb4%g!%k+S$2AJfM&jf$*LN^ z{fyo;g52Yx`_6P@bU15?;G!n?2irFR7k$ak5%E!IoV zo;_ROzU%nAEREp0Yl36cbiV6w$PLC$)FX+I{}oJ;LtTm`KBMmRTGd8isqD5_Ec9#%Zr7B|LE zAyBKBD}#sY{-O>_PK;0%1w0Zf_bk{_b0_K887IAQY>KY!K-JjhEU5HmAL-H$rcd6MJgFNlnP zD2)z!kMdEqJGD^6Z!XN6YMPxHWl%y(uO^y4cDRj`e0S$cqQPua_m4``Wr@c9l55gx zW=3(ZcdY>mRu{$2^Dwd-n>-ou?rIz>VL1Iqr831R=m0vBvw?#K0w%uBEXHt= zZbovhl7xH*ZLRlCsO2`2u8tC#^!I~u&@>_MMeqPQMa3mqy|*SaU(U5BCjyXNB9|Dd zctnf@;bghjY@60(-l5ngHoFi-U}dTnuf0@>m4l2hh|DI{9l>dzoG1q;oki2@TRDJV zK&Zi8v}WRBlhKczs0>mQP-ycGQ6b{VLa`Raz6ZP|ADdIL7==R}{2lC7ufm5ER$RSy zO&me1ocAv=?YiEq?$iE^j13?YLmHd)!p6j!*cvP1V?{D>b%smBWj{~hEdY8)3sAuLlVu3WwCURVsjkA`QI0mNoEuYXp%i{Xvb6 zymC+lYSJ1?d-!n@IFCioE;?w%B>=D^!gjIC_$w<_ODZ9HZeaA>$w?W8V$#BOuHcPAqb?8f$u{Z^p`QhdFI zdLm;8elYCl&cc3y-66m$e}Z<8&?UE(JB$kPURBvMoK65AY@X}M%oZkQ?H+pt0F5ZV zM}JtFzv5SK(WB{%&ffPq2M)hwNiwgXb$D!}1)}A5Kf0B}*+6IrcI z!HOkMjpaGpAu^u+bw|wW%B|VNQvZ=-uR=V;W z20IG-CSKF#jmu%uVG$?5$yTHYi5TB}+O&IW2AN?W@E;-GXVUzXHGk|&UELHyiXpyP z*bH)^3mKRag1#!iTb?_A{yh7c7F2>R2H=RZaIYQ{kCY>RNG*^qN!`8s%oOveo|1zC z>IeMv?H5t$ul(W%rT`05a(A;x2<$66P+f@$#s?tNl)JkRGIe&ou~ncRz)zZI(4d0% z+oEEXivzG1M#jM97fC8dLICO)>2iat%1WU90mi%n0@-Ys*_jbwDO>Dtms&yfma?eZ z(aujC@H%i~-`0_o*a+px??f$*HS(d;N|RCD2HiiXov!O zb6d$MQR>IQKEUTb=Qi5~3OK8?;4WbD}Eg#nkakb*hwtXIgiUlrm-?q68!(UP7 zoDiqG>CPH5K-r>R$zoZ-bMsxY)f>__vYSy?WipMvD^|<;uMccW#E(3?W;(A4=l90V z_d9bWcorHE0<~!GSK= z2Zecak0%i4R0S&DAQklQB-f7i;>+UxAK*@UJ5M!-mk9G?;6e4~5ugXe7n?$vjc;p@ zQFZo#%~My2&G_AujzR@nG0I-Bl;z}1wH~Wh z1Y|G}sBsGeT|LDpjGXGwzy*H$v_jLlxxT!|VqKs1A4pthc44akLnEtDf?4G>h0i#r z+0J@04O5b>F=O|zg+vUzX>Jpk@9N>JK^5J9$<95F-$5F<@H2BL9)OxzL;?fpEgbQ{ zb?*eWRLAC^hw$d&5Qds(y<(}HS$if%DD6(5;{X7xv|DjbDob$$TC9MCq?U~?k>c#5FnJg+E@y0G1K(T!lC zy4zoBRdA1j^c7Bu9E&z5=1UpaK34r=pt#iVuG>NCBPA6>a zipfj+Auq!VPBa z6s?7$Iazag?Cgw&y-r7>c&k0}=@zr^P5ao}FJHYnxpQgO+K;9s_5O}v#*x1y7F-Y3 zKjQu(s2oq;Oc`~22w&i&t3?-ysjIB3$X(odGrk?oK@Ci#;x)x2y(7l*({tAXQXBiv zzFPZH%9SA|@x|Z^?!^4Ziei%xmhfV^FxJKQ*HWHL=L(>Vzgi&0W82v@fa|y8Z3mgZ zjP}fnwgLhOg?*gDanN|7v@v`1=uvHc^o4eF6uB{PLZOI)woh;L6kz&O3nL!yL(w0L zDli{P5Ia5#I9Q-XH!S4dc?PFC_agKN5Tyhw_sY9RTki!mf$6PQ6@VBWi>s(0b>SQV zz}_?8irFW`WG(6En)v4P5wi7^n3>ndQ7HGeM1evbo9=#^R(K(jmPN3W`wbBv+0GMd4Wz_qfHLuYhN?p+I=tHHked;`?Gl< z0eNdomFU~c;?H!%0G6*k0o9US@#6h^_huevZcybefAJ-9bvR^n2R?=^O)6yRIga;< z54~z$PwxgXT-`d5bO~7)oO2U7wp#vOey1fCxX*gEHq`*M#uq&9 zInm-L;bIv*RINTTb|{47-_&zAZX?)gc#+#-N@ zyPscA_9bg0>2~}bymYOyg6_13Vo<9Z0H(OW;QP5gK}%jd;^IX&mExFi|3gBKmXpc{FDFStU=dsbms|kIo{d^?Wy;XwoAgPlhd?cCL8nFGc)DZ zNg34z#m!V@-a;$FJsZ>|ok(QuSos(rSx%B%XOiN`lYe)0Th4kU%x2rdv{d%PrN?ON zxr(!EwK1>W4FumUJc7_>eo&u*bxMn{_>Z(193JfFB@>KT?g-^=Zuiv{Zt>$8`_PC8Z^J(iuP|;KIq=}1d z|9sLFINr?hE@l0FwtV=8ROdu*k@?_({)g`Dw>-B~+XD8HPWCW)Kd`ae#XxqY`*mNY zsyu+ejRu{wf6_h!;Sw{`p-m!CgZy}^TMbcN( z^;zcgGkheb0f&>`JTb=-c1Nu^RDfJ42Z)5BN71cBcyo`#k^Hm9V}BuKUUNBASVBkK z=W@(9X4RZiTNY;Qx}fLO!h>{)fan*sQKqx%Ny2^ak*Dj?P%>tfMus@IC&crEh#p3y zw8$^tRVV25j&aEK-BRMrDKd*Bm%MH0_&i!_MF-pKx>WbcB${dxbE-(QluOHTL5}zv zc5rH_l!bKhf~`L zu5J~1{#~Cfb+IEsxgdl!;uG59(%oyr@_NmVo2yhk4~91PozL3MymTEF{#seT^u|nC zM$@=$9GPtc30f|immV0z714sTyLX&OElDo&$l4FH!bq(o6Eo>#U@$oL8fZ>Zc6Mg$ z7HJF@f#sxKDC7xZZ;1(x2S`C34jEG95(rVYbVF}ZN9hor`6RG5SA5G-4Cu$sLJ4#Ll_BtqvInX6^UcQwkLWH~UEyQ%E6?QC(cORqdM zQ+e?AZUtZctq+cJLb;Of+|tAK0>zM`fR`2@;lsjIEd(Ym0e-JcYa{)h zSdLYXXraN-{3>i!_C-{FCzP@%4VNYG`%XnP@4)7oSvlj;E&b0-ppp3w@sxS)@rIJ~ zJ}5uXL;MVZq_G)9FSI_pfR0=5!A309W5FP}qSUr2eIdyFw_nOzZN-_Tph~?+n``>2+Bxy zFq_f1PGy&(?;_V6&USkUF<$8wOYhFr)pY>|F|5^CZtb`@5L?phqd9;63P_tgFjmcY z#5fE8>&8%A9||GUgW>F32jcm@+!ERD43Hiv0MeH_5Pr%;&_w${B};-Xd9SN#mfEd! zovQNrfzEb*?p`O=Hxm;RQ@{eZv!XxT^gP6v#j(9Pf=AE@O60AsPhs}c2prcWm^>>c zNuJ$?7S|-w{RRPq2$}NLZx`#gFX|Db{S^!G64JX)-6g3JdU%@p)O%lgi^)H#_C+QP(O~>cf8Zbj5+H7v^OpR!=TLkHMIX%62_gM*~ zy~pGY>}GM;%X7|8iK|?Gcpn#RKqsRirKylJhQOkt>4PsuJQD!=O-FaQYOP>v_PP*v zp$O*qNY+NP^UxaQ@Hfmf0oGG-Q%8J!&LWZU&S^pN*tD0>F6ooonww zfM3`w0}D$F;S7?c831rXNlplP)4`4Dny0<-wB@8Q5>uN}+2{mo82G2*){ zYI*U83bE$qrO7)(-r+mQqfV(nBi&&zT)&K%gk;?!mhEnXL&?o`?*& zv@Px~)r{*02^sl{>}dDm^^)>Kbv@4y?*lb%_J^jaJH zmlK@@r=$b8tbhlYlD>ZZnnc7vwC=?q9~%Pr zHyz|;qPjtT@gg%)@`Ny}vL@XG6xMC?eIP|6Wwas?9v^nWFeZRtd&&S&Zh=Ev0d5=|FtWa+m0_Vb&HO^}IxZJ34}|k$k3>kpSic@d&PbUC z(j&b(J8mlJiuHh4Z~}?T&F!7+w(M#jmuz6*7RS;Tn*$ekdF;(+AL_O~^XW>sYrkr0 zd7$N8T3RZy=|xS9yd_-&K3D3!fa%lDp@z+2W#uUD_%?^Df2$KQm0qf%V|<>S(R9DO z)+oCQsBzZM1ql0Vg@Mq3C!UQX6`idyw8vMh96NyVl|W1PHNV5QtlQB4Pnq&R-CGdV zAwSX9OwmyM_v7x$;li-9mx}Vp@fBM3Qv!{bnfwV$y){|Oe&me5i=>>Le@A3xYGz0k zk&+UTTvoZ1Zfa^|6sGR?^Pqe=l8BY@+0QSRchSEsqgaK*F_cDn_X(blqvlp)QJ}vT zi!Ix9{!mkW?8F&5QLo>Q9Q|`YIFNx2t}5fiKld(w=dSR|`}O#ZpQ=FY85ojftKyS6YA@r&=z z-@Zr~{Sok{Zm-KD{Yx%?Ywg%EoV)YJlI$wnu$&A~wHF`RjV zIUhZ`Q!VJ~bp5|P^?znN|J!GJ8%iQJ+BkL=@FD*T?tZnPw}1I)Ih;8TG-lL)#V4FN zqqYQ#---E?-d}M2NZ2?A%jf2iM@r{@!TtU(cc6BSfiB*9+to~2 zFQ5D?o;QmpEY7eRW25^2aSi|3gXdqj{_iijf8F~3Vafe#)&JdC_^*KTKb)ig3ON6N z1{|ia+GyRUO=YMnORfekEsWGkvnBcgX%?dfI(42%%I@`>_kBk8l9l7NAcIE%esteA z0Eb+YmX&1@;#$o3ch~%%IO^0s;fJMrRhxo-e;>&%3&q8ag^c`Os@Ann|CZ*pZyf_A zIda{@oj&XvAWX6JYM5tNX5am#Ic8XxXjihs$8Yv=QC4wO0v_h}8)aK1?=N=sE+F~Z z8|fclkoX#LcHO0hR?{0ZYo0MBqHSzZ48xFByMnoT-RX+u>L|}3fW;SYoo6-hgR7*!DhEZ=FS?z1 zA^4H3Q@dp}e@Pm2M(sL2J$Hx@>tK5=n>2Ji|7x0xBV)W$k=LxnMW_`ki`h_ zytyBGL^;-OkI}QfWexHlZaYQVcZQU$&Zarf z&vmA&KkB|5nd82no$=I3O*yG5tN4E5OogFgk;OyoVCS$>YU`U<@25x1lTSY=%tsNn zVss)Xb5BQ*Js=FfwN*hKlWo1H~+Nv_<9Ww|ww?7Kh$_AvR#A4Mf1s0(f7}aew#=i7BYi>w`V(%i_Kel8LE**8qg9?KtKO_oFmKvS7AJ21j^H7n{TIQ0LbDf{Kgdw<`IU?OE6#H)-)G> zC}jwW+^gWB)BuZDbE_)mA~>_F0L|hyu*B3k%*K1{7d5S`$Y3bQws(f`&*}^t%DTT z?4nNTf!&a5d6*k%RRSh-z-g&pKjpSOfw0E3#|H5H_1Cl-WF4`3?)4J@A3s8t-ZGHu27?}v^GR^jDV zZD>rtt5$_^n$`5Xz-*0TCYlVnU$pT>VQJB|C!KLqdKqB8wbtjFQtv%RqdEVTfqL{h zS~yudYtX^tj1FOvc_F%Co4YPno13UWhQ|7!glT6%kS(5}n4zjGyZ1+x?%r||@9ypM zU3t87@x8Va*NFTU_vXE4Z3mst7tmE$=oKF>jFr+-`NX znx%GKR=L!Kn~N%ZQp-4DRtegI*KG$^7k{=amjoDLDc4SVdVK%NyV)tFzMB~5@Y1Jd zfGKe6bLrEq@6O(`vtNgURN5L+U5N!fpPcfrcNtaHkV^1#I;=)n6mD1MWp$$FAQ_fC zidZ@igOfYuH%jB^vo(8DZ064+_)taw0KF^{es@!GOC{d|{6E!$)yz_BOG%9!f4*Wc zdTdgEtA66G#3f1)uvIQHE!6vALiPUWcY@Q@7hvScs-x&A>um`%K_~Eh=W#xSt#JvS z>*LWJo$c@P9_MNR(Q*aCB zpi)0e&^SCA258&1L;AaCc!<-tQHp77WRny_3~9}FtMyuNJ*k|kl8NqYF=O{l{Mpd3 zdS?lb18iIabX%hyICY3q)Pu7hwFI^8J;cjo`{vv(W(c{Og(_M4aPCkV$9{S%(7h~h zx`}_g7Z*s8TLY@^PmoLJxe|fgCtHw!HCW%fCv~mLSmaKqZ|9Blrd)#8 zY>ZTmNO9=c{*sd|aJ>2)HAH^h!Pe|u+xQmCu>b(%M-yfsRytd7kYbokVA2xJeY@JT z_qnehHhD;Ny=N+Iu~R%KwtxLW>_v>0;H}d)j#0`*l*fzB3g36*5OACm zNnwf3wWmamx(ZdxaW~V2v|FerL+%m{4kdDoRgYpIfhntven;E7bIePbR#RCyv@PQ3 zG5~XGsOq*m<3;wyN#5SAP;As)Ut4QtlOWv9ycx~*MxI_1%#SP)0?hVQPv85vtx82$ zIpl4+jsu2<<8Ji_o%)0F8cLR*4H=UbqEYBqU>8r9BAdRw$%CJ;Skxs)G@@E=O!$7t zFkBlsp^|0P;ypma{M#khg?v$7U8)bg?~jfiz^v8?mCRljDLp6;Sga=t{eyK5=H)s4 z;dd`0%v&}txEO@rH*s-n>pppyY9*}KxwbTy3fy2PDtXz?R+dl@zJjNk`BN>b@Gpa( z;Ig-1a#h$YjbTA6?W?)B{H(r`jD2(A)@4^!>ALNVG0%sKI2xJhVqa|XJd#-TgB|%# zARB9R+jGatFAo4nkDO79y~mt+R!C-f0_1mNNEk<~N7b_xsg-uL0^EE2di%44d3=wi zD17mScX<`aH~m49KC#faEyq?T=6|TS|G|Ia6884@8|^H*s92_}-#SPo zzpgiQb)cVbb+<jdWsrzo}wzu^6y&+%j#XN@qlZTY6y%ox4h`Jg zEMJg!m}hU#x5{mi!1fID5+yv&97ft5eiSnbyzZ^tvBOy3`D7F$@50yf@~?pjl*?PR zGQ`7By}xLUSvT^VR zh{O+z0b7as1P9@iA61CqG;Q2Mr%)Gm2jcTjuu*VN+E#J~w}8Skbx3Koy>(4nD&b}F z@)JTXS#P_GmPHTAzisAv?lX6C%3SkpyygS2J7ECi&=^PC-cRx>nbbNJC-c}3OyCW< zfGKfNNy}5L@=ASK=c+$*&J9bWb==;ZhT_T;ICrm&&kkC9V59QEp8P9-?h1|HK4Vmp za+T2^gW&&VOo&XKcLWZX5BO5#c#M6J%FTdBFOP6fz%}(`j0VeW8LeagV_-W4v7~Xh zljM|5M-DH8*Q~$TX}+tFUa476{1hU`@Y?*SEvWtCbDIB#Be2Vn3=q)hf<${P)w#FF z+)(5?5!IT%aCY!UH~!A~!EX;foHyP#dXn?$n_25m5faBYa?ISVyVXtxQT>>ewx8Y& zMh5PE!-9Ms>)_Yw73J1=E?ZFR#5d-!2QIgRFv~Yd>IJrc;>%z7_L^7FLGPc_+E|HZDFk81Y-97Z5&@C-7w_oNt)JZ=q zT`qbhED-eip+2FhhwoZyjeJ0%ylHsP{tF2DG8%OF4OIa9$OlvOsgiO?P4$8L`0B~a zVMN8ptD2NLya^W8JKs?fXTyqKno&Gh&rM(-P$35iR_6Ec+pK%=&Uc(lK0A{`A(f<)lYH0g#F!wK0(K>SEf*z$UyY8h`cszCl{DgEFTt-62R|T?hXMCSk|nHje7Z6`QNBkfk?uD zoW=|OMPax~+NVFfv)Fu#lfCLmZA!SL34bt$y_Xku_Wn^}a1b@NcU{p&lj-)bjTpjO z?f~H1))bp(#JUhztvH_;ajM3~@Iq2jc<|GcYL12xt?DAUQj2#5pDG8=qje61IDs|g z88CQnv7hYy_BgGZO;TCOh~toj7U6R@$QLjBs>RxTIk{b2?^O**$KEZWa&RYF%m02I zpCcu>=84ppH)((P(X#(MzEseAy77~JViy++% z1EK;72m;cLq;w6p0!_`7iVwR+r@HV?)w+l^}W8a&YZta zF;X|l7o}WJuC7cK#ko*B~0N@xuZ$Z$T<|i!(tirEwT4&v|%9g9m z=KJ}Fzb28$_X;ibsgx*lX0jQnN%=+%Wu2(Wn;(b=?eZs$TYB+jWaI|L-u zg{-!}VFkW|XBT;MYzB&uj?|}DJuNENmBzKYLtqIr;v|h8X^g9;B~>?cBYDyxeAKEI zX%0y{AG>Xy>V6V&UV~IF?a0(inPGEGt@%*=tS9Hgv3sA?ku_Ae){8R3PB2BMxqCNB z2iNV8DbR#;iS}_IhN6;X>zjlQUwNYnI4~|AyWrj@fNo#$8o6h0)bQ+Lh~ za^LQrmF?);SseVEZzRoWoIPuyyI69eOw(6IugGBN)u6W&2Wz%s#yzg_nW>HP)H)nP zByReJyWsd{Dm$lrqw&y8r$rI7NKxaCnS*p&L$tkXIRX2mph8pa@l_0dXJ@aJNDo|p z>2L+Xq)fMOvx_ambq`4KP!u>ij_U^}ekJLSiyh^|_w-R`KCk!=rsBt>p6kFR{n5g8 zl7@F&4|1>kdt`*z#KLNpeQtOXDWynl;MQLy#hH;El&?By_;K)HhCGhL-H-8T@mlx61sZaO5xl~>AUYBk?1`j6u*cHIa-x- zc2Qo=55MBq-jK1UjVsRBXDF>6wwJ&eKZ!p)aQHYd4$bFw6_hNU=!V|@i1BTto){8} zSqeOMXv_@anU6q~@3%Eh-vAsZeZdW^S^R+aAG)4g-!4Rqj_O^jVzu-j|8w{-+EZLo zVre3Iz+kGUkE%V4BuS^tdx;PfpcxqwgEcxIrYUv@Hzn%rPKD{uc>jgm_@a=R!sRIQ zLE%Vco)7(=S8!|T7LSLXNsLD@Tq!aS@bUCoG8;}6{{DOatii*EkJNw34liYdbS3w^ z**C&qiZfZ&r|(e9`ehv6zC*Gn8};b!2Xzaj%Yf-MZS>_y>~B8jDLqHKsw`<C8rdYz(_E#$_8oJlWb-+rSS<+UA>BP)e&JyPWW6W)!=tI7}ql^WC{D`LH=RB z6e)=`NgdIal%7c_q1EPe)KGt=}#oqnTEt5G&`Z{gX^c|!rEsgTHIV?Z1YBielt<~!dzhm{YFF0Rz zZd7-^d9YYJgK)SW+GUe9Jkxwr4h~B3<7Z5Bzmbr|r0;CQk*lAe%XEL<0k^A3iyZjt zfCT!$^>ceSsU3kQHh>$Bl)G6!ZMN&|(lVho;Pro!;FLV|NrIfoj6Gk}e&Nj_RRwI) z|6mm!cD^)fSeSvZS)+`qnKLrwQ?1r7^Ej^&@_zylYo+R9TBmPbO9VjAo~jx zO$XLJuS?hlh-O%i!XM zv9Ka$Bl^uO(&-C7;u2F0ctXmANRlTZ$N1wz223HnGW&i4MD|E6K>A1Ey}Q0QE>p(H zzt-L{d;IOKx>=E;)%$CI4lQAMExzA9Lv@VH^}f?>O`;vH;&s(!?wS6wZiBYOa|Q#P z*~0G0fW=QQ;_Zlqmn@r02)#4GB?tXXMeT|`A9Sx74D@QwR1No!XQ~E!wp*=zGkej= zAk?6YledZQoa|`#^O%u+uZ4M7@8HfQN_trkX%(t+t3gFP4;>~s9hD#!qAv7jQlCZ~ zmb(BN)Bxh}i45(1c0B(H`;Fz5#$M2i}EH+zq8;wkMzixbsiO15a835>& z76pWB?oaX55iCpY1KI*cC@ndv&yj#OUv&QW_OlG46{bt$l`dgLVFq7%OLs6r4okEF z!YhxWo#)c~Wc3#*4xp;we?VF&MeI?K6;Yfl85X2jp<}9iXhwWF8}8ZHv(7{S-?g09 zd#6p%E=b=AM^Pf2-ButV9pHHxh(SaP)HLQLx>RYZ>H^xB@ma}n%k#&n)@h3BsMNo6 zcL-lZs>P4o$>(Y*NXp<0Yk)<-aP6Ugrd71epWC(QI5^zR(qTD@XG^x-u|nCEd$x1C z)kJ&7%5F>DL>XReVCZLzb?G%dSERxAg%l!xQQ^+ z1f!W$GJ#}k1^#**mgZJMFig?rlO!eAuxaCM*`ewufYQ@#2Z6P~qKw%h^@$*EbKIo? zI{k|X`fi%v#JCJsES9L zduXCKAWttQpEm%ID1=byIGY@n|4QCIKlFh_)wQD02{MP&PgTJ(f=vD}2XF*NYCa~l z60D(u$yy`cuq%Y?g6@@CKv}&3$~#f@0Eu)(*c9}=oUK#QaA5j2{n z_&VBd`{NUQxzJL{HJEe;JHnuoJFE~((XXNwq%e#J6-4NM{pVPPn}4i2j9)(Ey3A8z zOeHeF8aFo?X!GI=>MM%bsA_K~bIWwJ;!36TE>A#+5I@_Ua>u@(u&0gQ_|ydLnyW@& z+P9yThx0g@3vVp=mFzDWS4hkK!2iew^~eW52Q*E+CaWg51L$HE-YKd{aZ!Q=GNRId@#(d-CDMgBd-?QL z$V{9&B#!6SlBi^*p4CNBD%&CCNH z6Dq5r4rL#TZe`ZRVZINQ4ki&8q#cQNUaB}3;T;!!-iCChHTwwkx$- zwNjtyNwS7nn_bwNnp%Cc+8xP$CspD(Uk-L?;+V;uSnZO7$r|DGB)O_}mp1%!qtm*F zImLci8}u<9T)$$zKH7Z_&qj{IP;EtG6JQ96a%zDTxty|4uw1iCkbwH{V9%8_bAB*S zuOFN@R||d=_C88*1@z5LG@HjT)BW%uuTM#RYDT`K-yq5?w3sF_s2?)4t~M5(GYmxl znS5xkD9ASeMB$HxFytaRDMrdD)$y`V5S<$^&1qTY#VEyeO#G3pRE?0;U68E>wM|IwE;l4j|@L znbMJ8K?`cr1}{qM$oHfZ)UWVKtgbX ztlLU3pno=G?wdTm6aryYLUlpovw&&}?Isah0r`oHafaRqe%#8mH>Th%=1QszEAm<$ z(`4hl+X$)=RV>9~Bmy~Mm!SHF7mwHpX>=TTf?(Za3CdqY9l*d$U z9@}}6-1|TDmOoII@W^H`=NpK>YJhvK>0#ro+P;0 zv5i>px{FaC+FK`eRu4CqhRHPd2lsz|b7Y>TJ!~2?Q5vyLTZ|XU!m3l&Y&CE4xY#ew zf3>@C^Yl5x-eWOB4(*$pa6wG1cQ>cTxuK~wZJ!wp+?$6CQf)|}EUf1Q^Bg}U7EY`f z2K&F(DdZd$iv|qhpwbf|=4hqU*YmqHl^QFkf{pa+`D{WFX9HH9zXZ&gyi84nFP8>Y zgg0R^QD*2jcvc20q);3z9`0%GbOpG5KE)O)EoYc?t{lLw=`p6HY|-Sa-49lM81u%IXS{p&vFCi0 zF&HD)=A`Y(7==}--NnJgbHl;>U!3apc5HH5{pPksW@7r;8E#Jm4{`q9`|wO5r6ul= zlg)gqXD_$r%USbaZRNP;{wUrKZ@j$9W*R5&Dbjs2IVVSaedUaHm~8w#n9;Mzp|g2k zHhx0D!4_fpTVu!oHQ7T$|G2Rs!YM#{ghyA6lJ&t&)e3fBm}fGq4Xy1@S;gamIe4fP zipEzh+;`PQ*%kQ!;i}Ml#(8*3C~F&T$mWi|VrwW;ro#N7MuD-m%9fe-?c8~A5wSt6 zg0~0Ze-g~uoaN6QXiKK;`TEOGcv1YQ=&qP+&9bdAw|9) zd5GEvD`79VkrJySmbosz?zuZSANM3=@_ZMP=ll7B4~z)t!Aek5v<1G;$jMkK!HAkI zWcV^Y33kVQHSmz^cUXo|1>`^Vn`E^w$BumozwViC9(Iw445X{ zg0ZeEO=)a?YoLhthp2!Vy<)g2E3*F_Q%!u5GCWSB_lV0vrMV=nyGqp7BEyX5?J>8_ zLPv|Og{^6Nwl58llrSGFn5bx(22fNzR?N~Z4PO)bi7S+R2&Xt|KTz?h^p#fRW%Y$S z%vGhYTJAM!eXo^meXopXeNOePN?ipX+|faX+L;$I!YD3JUL39yG~sWVcAE2ySSEU> zG<=b5YkVd6^041YM6qfoWc#YS#CW=o1>LHuX|Bww!1SknPbcOVEz&G4v`P9Y7OWNUSH&@j`vP&z#oW+-L_c$7}c=puVO3rZ0Me-MbbK@rZ?3_LA!liz2__Y z_aFN$=n>duY5$R~m}I%_(D_q^{!}5p)35p}rUYW|^}c-M^MUH$;HVMOcOf*7ZC-?7fRH;Zz|wUZ`R27hZ$>)wktC+}h`}WwO3w~Ei)JDw( zoT992;cVrAzarOEbF%)UFIdS40|mkT*NiW9N@uw({$(*hw-n`J5qdzXYB5Ea435BE zn1I=X0gS}2xj6WAxNGiUxDzh(||FjFu>lZ9$YP2UqLulSk?8 zdY@VKNb~D&B4;fHxO3m5h4IGF4#dayv>w1{@;%7>Z)(drizX+7!(HI9G5OL7AC?!u z(L!LG`iNJt5tR<8W&h9PIalWpLc}WXAvmnG#Y*k?rxF!bT;|e&kkbgj01r-cg`Eu< zq^=t5w7Y@vdvjGs1Fg+dz7F_3;oj0nU4t;l^nXUpRz7NxtDu!m7kdK!Ju|qrah~Y{0m2N_B+CXZnS;WmACEL!aU9) zqhxhQ1_o!eVpcM?3;T~%wT(w@q-F+PibGWo2bXOo;xE?M9}i&L5k;!hFcOEhn*Ap? zMP?>GIQ`bLexg+rvdR%h@k)~?58I=^&vgBFk#~9hlf|gebrYD|TsgBhL5+J4_?=6_ zC8iQ0!ega~4r@jR7M@#_9K&!fx72L<>=)4~98n=nWkC%{=_$NdCvE>K_4uk2!Wqjf zl;5_PQc^dgWa7yz{EJrLHrZ~Jpq+8jZ|n<*A5qCH>Q}3qKGpyL=L6DTET$Z zc5=BAa7fkHs zTkIGNaR%J91 zni7OxPft><({|fD{`nE%;N_&JgAg$FJ9H?a@ERJgO(K(TQMhG9TWYp~9&0u$Dr-_g z9sFXblR~Z(94$iDlOH&9_#Cx?l@9Iuoo9dXJe6sh_YGZp1>Ci#SDoybAY32-Mgaw; zgstVt)%}pz65tg5eR5hlPE>>}hXpmtN~fH;IX}Qr1w^EW&N9h2Fmc^zg>+x!rbs?g z6=Oe~ZhM(5D>eQb#b4?F-=nqvzb#bm-WjAeSGP@-nToKkixGyMU1w}>`uiQ0d@-^f z?>=ycT>#^DMQ(_W?4uc9j$Z>&t&|n$F-B@;yp)tv%GqO;s=_uM&3W7PZ7s5{=dEJdR#w}h_?za_yOTOAb~j@tw`!+PafP668SPDHl3UG(tk&-Pq{`=x<#eQB z+>JC+Ln7-j?sFHy4k{#;^U(nam}4QF-+T-RMwSHzs{>kj@1v8rWz4CS_w$86e@&sG z-;Cjl2(+w&vdbZQosU7`+5RaZv5U*_7DZ&l_Sb@9 zSBy#L(ZY_ukq_=g$aqY*%$`k^O!~Ln+d`&-^YVkLX30iH?v7O00G@|C4ZJ7cYXa}9 zNIGIY&bIq8jFBx^&$Wliq`byOnU^sEd?~FTEY0`faBoJ;ijd%44>hlP&!@~B+pOgE zZnC*D+}r^F<3pAH0$Xs0a_OJlPs>8+daCF2jDVF?o@R%Pcb8kaJHEpqr8U{hRKekS z8@!g=x3{O;S`L*60MaAD2&#>`qG?`FK#E>~aV5Io)qj|h+DaX@Cu2blS+8qK?tEnB z4$?E-1y2(`z}4U?o!YVkEDHR6Qm;&{?#;OY+=1QtQpH%le#?SO9{77tWBORcc85A% zz>LVM_u0d~9oimVJ5F<`h!N&Gy)z+!04`4J$)QC(LLqPXJXb^V4FA~rgU&;GnyNWy zSXWW;yE?JmM|nJ)GB~C6BfaPAN-Y!Rm%6svS9ViPBPJPJKPY>*`kWPwrDLM79HXb~ zav3xJ;HIz4I=JQdYr%14J7T%pq~OI|VQE()*Ne73mc)k0wig*W&+D6GGH#G4MZK6v zDqSA`{WYA^#vDp(9_MV;Jn=@IvX^_`?<@~TDK5v=I6rjfgZAGHJyy=^>n4P4e6#me zx?H90Oz`yg0**ExsDUEJG9>kZ@;qfQ6w9~RBW$CVNmCMj#DnsI&c?#ffABc~0E-^2 zBX>9-6tILrt8YKL=WZE|g6~BBlKb8yLmt@8*1_AMMXU=E6AI5G-3AC2#F}Q(#ygPd zwtZ|7=5OEO#EJ4O{75e%NVcjDB*gCd10U%NCf3Ygl+_k4ig89*K?qgZ zV3(=V9+;Oy82R^Ou)JyQmYFLLTGEs$4~{s(U79am@i>@Kzaw2aM@v=bC-s>_ma*Cr ztH}uS9Gk@ zu+)wgSSw}K|McDU?-iJRVVgqy0W67#lkL(mg1jRR&T-wFh8bB{pAax+ODK?y7T`om z=>?ZwF!6Y#>(y6FsUY`aC;LVm#X{KhI80BQk1?f6M}=nT0*NHBs)1=QduKC`z20|~ zMsbwT8sUjMPIlCF7V}6nJ;^S$GTFfdz7#vT-St0)Lh9V1eB{KKZVNNcdOGA7)!&!m ziO*S(K_k40+?vz96rII2rsEI(7?|*%UFf0zAinA-xQ7?5FlM;-$|*#=Vj>l`eib(8 zG(sh{>~Ajl$GF=6Ri$|7E5y&{m$GL3{l^~P|Mpi(DT6Myd)=P@&-LE_xENI)oMc8D zYubpZRVJixA>_Y*{P0hST2$tap{P2GdzF{G{`3A@N!N&YG3?+AUsH?;u+g~6Wyr4m z;ivbRlqW*{Rx%yJH~&-L;~$?B&v_cD6-FKa^U8R%9r9{4`|*XD$#?&^clXDBw~`zf z53ms47MuMmFX$FESY|9G{2SZj=rNWwupOXW`!>S&udJ@mU|hkn+4-;RJ`c+0u=z-L zewao5cfNd>@J;?;NepI zM$~cS-|>>LhTSwpulC2b=RY4p?i*5YQn|}eVRrE!=fxj;1>&W!o2<{W{VV5y%3WBH zS@CDbv48er{$E=rUIUDdO1-K6;12rllh2GlMrk*;3G|$K!Crws{CKLZIXXdHFy(fZ z?>}2?{i2~7?&pJlkGIYR<4gGj4|e{8yHLrvNM=-u4+|<$vYl zqt(JdyXZ_EEHjIYb1U+L@#PY9vd>Zmzo!?ykb6U-Ru8)rjaI8(bX50Te_0u}M zS7q7Twg1kMY(@HP_|N7~ znHBXZ<$?5pBSWf){h05K-!QWO4s3}c6`Let15nG0RcuO1md`v_RIIxeAbbG=irU;{ z!LJ%U6Kx{{aTVVIXr+OqR9);Wp)LDRD= z`S|{bw^8UrIHY_XjVBp9-uoUbKdHF$LSv}$Xt}xEX@UvWTdln-OBg3D@xJ2X#mo4i zbgOqnjXQ+(aJ~ZOkyWoT2cHn3Lgo=1LX$OzkqCm0a=iz7`*ZO)<-{&h;k8Z)Rm0&4 z(_El3Sb>C-t(_vOH47sqZQW!gI*0jLO7wesjo(s`+G znRTD4Ae>hWflI)zRqnZx5|#IzKjSskk|y4xZ>!nTn!n_{v465=J2awB_4NN7&2kyl zfMV01qO+CT*#36bO>SP`=4sc<$3Qqz3#g@byNofys(^rKbnCbCat6!CrrcsxpDtbZz$HdW0Wm3`C;Q<@mrRrZUyEs!`}~02Ur9P zv;CS$hrI6i{f|mYh2&(tKOGGu?Yd&~!6=%4kkkdn{lro*%~v9tXmpmGj0KIE>)Y8F zL7<0y0gfTK_xe`g@)SwV($fOpSOuF!blWWN!kTHVT9^L6UH~KYSjk=0`V*nOxZ~?X z28dw*P!j@>mxHk0kW4#7OSB$Qqw+_NQ}6?XlJ>+__=ld=^Sc&f*X)OLg>_O7u_Af{ z(n=lmw&nv|3>p7xcm$G3FarJ#eCxq2K7)r+nm?d9ZX-IuY@r@(NW+R1rruqYd5=tt zRq+V@*52I7v^Dw;HxS?}Txapy?G7tt%@bq@56TMIm--ir%*ULUZ}LdIC5;BaSyfy+ za*Z0dC5Z^DQG&Rp|CWIN7mdD$7vdUuwxfMfjrDe!)NW{?=zo=N9vpw?!U&Jua>zI% zi)yw-32=P(2hrgz zL@hlCdxx4f4UvcapDw=ten}O^6QPFU_{<@jiCWHJJwoG$<=K+-u53m9%zXI_l~;Y_ zcBDm7BCpI{xy+yZMZ?R49PP|eyuL+c*pEvwBlXR6YJH^P*--*!2KH5ot3HORL#!F8 z2ZgblqA{1ip(dw}UywL0kxrbTA`X zJ1^1n{>mel%e=a3g(gG7O2kn{!Q$POn*EfHNID{QY};THcmBGqcBz@IX@SmZU90`s zaIBzPvtMS0k!}v1nzF%qR8T3b+%^)3LX8@4<>CZdM>WHuE=89KBmZ#_=7zb-#dg ztbfbheo3gx_wU2Wty34&2$jl4$K)l&Pu@>@|LCCz8K3EUI+|Ol4u3n_ul<&jrI6fD zPqTbOnt1xjd8Y0V8A42_#O@TgK=6=772e`PaHnhA zIwq+ry|!0pqUHxUK}!+{*`B)+8k#f0&TCtnS{;F!?$?8S=y9e)Ttj7c8AzbHao^V) zK)JPR(0_nrpd)cLsuhlTv;vmZqq3f)lt~b)JMAXX5vYm<_?>U2XFF>VyyvA2J0ZXo ziPS+d)NGu0{UACu86xvi%peks(a>;zXB`PENQa;EW1i(v$DEF==SIpJJE@IMn3yh4~*5_?lRP$dp zrV+}W_jj@e929-q6Wn+FXVEQ>y5?O#uQWyhi_do5Fl5bDtoI474@+>kHeApX`V7DkF zI&WwShi4DWEAT%Rp<(q+)!J_L^EZ?WIc?AYPV1KO1+~b&TTJ|#8VV0OG;Um+$>JV6 z?#%O9kW$`j`5pc4tIe>?5he>6m6vZwC1&JuMn?L{&FpvQv5SFK76*h4u`=98GI86F z?$4{j^PY%?=l3pX$`?nkEy^{Zmg54)=O;yIZfN$r*tQ>61QeI(%i>4!VbO z*D6!h+QC=k&QD;I)-8={NjGj6V}8V>GhTW|6I+^{etkjev+g8y6L##I4(%dtD>~mm zbE-Ws?+QA`_f7RIYkUF^jMl^8JQJ-mGd$7{I)vcFF^fx(`3l;JdY<*!o`*+*$?_D)WtA$+M# zD#6Z+yML0m2(8SY2J-_BQR z20c-mg9cFUg6jTWs}5Z zg_h&C-3$k#-O9}bGTV8{%4hsh-1Kt`{}<_aDl+`;X0fHPiJ^ zA_X~9zXQK88nUSg#Ko>=+%fqzEBmS?A!*s|j`do2MI1%S=J&(>3w-a|{QF)P3*p26 z<_5ylsxYcvD+tJ^S$=&MImJa(^uC^MOMbwav=owFzMv{R8zpU z5$|r=;9t9ED@Ab}y}diLoM;_^TSjc}$Yy#DhFGwTCX-Z+{5F$Qv(E~yWs{-C$oRdp znbhkKIUkl-iqfr)?b%r${!Y)gnh|w5t$yOb`WU)8<(p98n@OJD#jhFJq%>Nu@_0_P zP#t25%>uDq^~PJDyv(yygZC=2tA^q2(2ZS#!G4wo@KTXKJ=3cWVhp5sXgfI2JNmvP z{6??)p$9ir(8*Xtvr;j>#=c@%OTwr4963zl}2PIa1yk|1C2&24d$mK>ne7Jnddw z6AaGjPS21z_@aNLZc?*H%QnofI)j2pI=r_E!-Ok7xC2HW>}X>O_UMlGwshqYwA(K3=61 zsy}4kwi9w)o~VNzyR%nAxo%xJMh{VhIl8!N+8x_)XyZo%!-fc@$XZt-O zlyYoe=yzV>7*3K=JzX~Cz0T7sBk_=Tub1P%`Hri=9a@bX$>Som@TV;UG;jg6wmMKG zmJ=&gyU)YJr6CaK-&e{@0SRph6FD62^y&c{S=jjp4PN5~BID-kZl})DoA$pmD^TAj zH+ub*#A0rz+d)iYdvCQvx;oljONgC&X{5Mu4u2HG4}2Z9iwEiJk0fz*I~J(J7=Io< zjdCwHK9l}dJLw3ny1qY~8daTs<6P8G*lJ(2<7FX}qA0A6hK!MXWl}G*vWh)X_Vb6w zM-9vzv5&YADM)1I8_F>3O-l}uXq*mpQN+4{q=d_Ce_)e?hpvT}H` z)D5k{3B|l&HBL6AclMg!BrRhp+TzsJ`k1bj+SE5&%-fUH?2kVpbubCFjqzNa3VQK) z(wQgY1^H@DvSe1be4-A0Q!HE5_xhw*Gsi2-@AvkXW~E# z6`G2g>2^C^_?eLHjN+Cb9YM$aY@10!d>JGf6 zf0p5@o35UhRvLQ-mu;u(if&AE#}W!|X7Re4iCnfcJXR|{73a=LU9)*D1 zxpcnw%46Q{%>gQr@v~f}kd|3W5;FtU4Yg(z)Gpk$eY@a*cOGTf5-YNY+uk$jA_lq% zO-@YQue>P}Z79nEjH7pjCId20KHs{k-~9P}IXT2O+wnh$bAj`$trT)&W{0mSt_dM| zsHb8xvb{lxE)^^6)LN_-m*s_%Bn|7C$@pf8B`l*O)9}|SNl+$zCWZKRP`W&2FZppS zT`u8`$aQITl-g<>2AaQX^kH2@ZxZD>G*~`zwB6y6lOA~EW@F|A5AC>a_#qI?TQ{3F zcGdU!h7#{4lo|9&cIe_oG+EF!{H|M;LcM0Z@y`Z6v6c1noO?F##_O6)Bu|q_92oa~ zduKW9FiJmZ(X*Ph5kQue@qr2xTE=HH)vWJ!)9g}Qb_6gEo9OJpJ125eZQ%1EdAcmv zOx{?FiX7UE>BAjIi_RX#5`^M^zJvVoFer|rh(7=&BaWZMq^`&G$u+J~p$G-|%cyLG zP}n1Ma`F$R%Rp;$;`B>naeVA??_Y15q{j43u8gzrYhT&6zUjTBF`WBGczxD1qTD*; z@@C%xueGMUxHdLP1ogpXa~D6h-1mf<=c>`cGF_0rMX7Cpu!u4Ca_Ut~?M?Q;U7ohF|o4t(zC znhsN3QV~g!-5u^uadWcCDa-M=fj%P8&E2z+$;@yNzGu2d8?bJ8eMU)|T&Fw!J3k|9 zs73J7_RG&Mg0Xsgi=`tsMG8b~8Amh=`l{<2ocV&RC0ENfv_mZdQ$-`DHmJW_gxPdF zsp1$|et1JxUVO4sJ@_77aLpyN(kwH!?U|be`WrrMDMm8gJJFRdGI%oOTgi2OtF`Zm zznwR|6g>VL&W)RxowYM3o*O;-=yg8EFEQZ``rNd4pHX-h1iBuFPZ!w?|G|VZ>Pbwn z9?-D)cxJ5!gYsRGXewkYG`te;^$eDn6KG7mgm)JTQXa?foXdpP#r{zw7CrIuZOqyc z6sjC@@<#K}E6I1|U|5i4)U#@Mr5k9>Q}r(uC5e)?Z+s}2F050aCsOV{Lx-k%yo6IP zkc4|E(Zd<-H6_Nezla#DN*jjy_Z(qEss4p>F0dKQ@-hUc4|f}rXK{I6*Nq$Fs8CI6 z1qL6_M0d}3i=o8w;ZP9`9e<_Yv1qaGgqWkcDSWjABc!UN&_5*ZEwPJi_6@)A{1z*qftRpmH+4 zlds(_G_205qTZ3-@U1#~uxWx|TU8jB&DeAghR(2%%@{@8@tv$($+z2U<%T%aa5nxF z#(llY3;?0KKk%oqB1KsT?8Avazj>c!2pt@Jx*zw;-WmHxLz_Mw^;ozpz*m=`7j%rs zbGsw-s0f;*X1h>?kFng=L~V$ib8^6JL~o;^^)LFvEy|Dbv^mE+GL-I_8wJzSb31jB zs1{>#qPPpKpT%$`9yKksp+9S!zaP_{aUI=n&@!#LYsOnU@(%OCBe%x4gNeng5=vGN zue3GcL)NaUOm^RarB9N}LZe3X1PzXJ?WuHk^z?qUC!PED^mzCP>1x`pb{tWV=hNWikIFeS0Hv^J;K~|(F zia^SS?oPStgWYNv#2Tv8_@(PHKTp#+R%m)DMnp#9(mGv{qy!o7IeA|aA{>2==)2|rzjRUsg*6eRGYC0kpL%CaW z5`$4;wklC|z>_#FSm~2}R4iJyymu42cxp`>>|pNG@|=VZSRTX9>USp7?J*;K5oQoi ze7}}zzbNr;bk`H-s=mPKuK0Ec|9p>{>9H#F;$7?E*ioMYV>j&xF8yP~MlTf2p2X8D z*=CKcyX{}`NB19WCA`~Fzqm9am!-zr^+`wlptU@{0fGj5WOT7RW=U86Xq%sY^W0O- z<{#^AYI${SayV+{!qQ92a~h5wY?4=KO0EV9o9GH z?b(zdsqgbEWYy#|sml`-)3*AFoZM3{<@E*_n-V@Ae6Ay#wkk)*D(A>spYxf2^pzko zl)o$fYbI@8<~V(A$g#((4$Ikk+x71(YYioS_)&)Q7zHhiMbX+LWA+CX%3>#2CgPti zb;dKHNXgg|JTPeS=~Jac%Whkr$7i5;HBeQnS2xF-wr(+Mwg)V9$PTiQHQRg`T)kF$9Gd({IeGe+DQ*BJfILiVP5Od z9e-17!DzI^$|J9A6+#h9I`5Bd#;ty4QYdVq(0m2OVZxYnUf&NQFxcuh+#hDVe!UUK{u;$qliRD_XD{|w%j}L5!r?G@PcLTD&+1T7 zsQF#3#ZiDM}1=?Wx5wQG|!k9>>CsV?ZZ;y;^`Jtm1wJNqyHYM(0xR z?CLg*WO*geS^azx__ySJoDFuXLvr9FiOw*DWa4rYEQWJ_x*lx)24O;hck*D$jC#z3 zPR`vpBU97N0qcsdM1SqSF)q;e&wCl^B(bU5;Z?VV;)!#>c>^~Kt-z}iUXS3$T3kGV zMgJ~=pg8f7xS=!q_GaVJdpP&QR#)1$|JNCT|NH>eYoE9xt{$IRKHkP0_7_8RVvot~ zaj}Db0m~G<$1VrUZ5`}%gtKEGS}0kHnyEu2mm7}D_FLeo1-~zbF;mRUC4{Whtu$5i zjXYgVxE5F&c`rc9%zd(b-@I{Xiqu!jB1t~QGTLx!G#m3F(CcLhW)b_VGYdAy=kSFc zikh%tN}qSc#+v>MTIb^2BQ^4xE(h&o{vDEJicZFr%2B5`<3_Z%wU|O$_AY< z?fTHr6sNTfnIw8s~{m3Vs7Aa^|CTr+NHATz`1Vk#Ggpu%GUcixgbqNG zY>+!ggFoH;bblw8*r(RA+1J36xo?ZTXm~CTRi<9$T53jxAxCowy!d{)htGM_Z@!)KKuo!HpP6A)#L+*Cz?6wS;y&U*$U-% z_bqT z4@Qlg$?JmZ^$S0<1o6*NOa;Zh)#f7(bA&uevS8b7PCn_0v|`<`A+0 z(|dk<{++M+a2y&KNU8W4`O$9BUkrWCb5l}?@frr5X$wZ6uU`64G*B^JxO0jBp+5oF z6sF~zPDbeY070~@V4HY*MgUx$fe1#ugo-K#R`tkY~Ze;kAy{gV+ZDW=r@(socPiEX203VSJE@Frs=fb8e{nd+ zM6vdvUE7xA+x2b*_|ZAOTYMt;Il~!+x4k|)$s7A;VysQ|87Y%@RF@Q@n>5BU1$Yje+Hc4ySZ@osbaQaRkfS3korA;j?etB zjJ+Q{eagqrxcvLP@+Qmn>ix6W26gj zkBjYngX*z1^A2i{3YEXEon83X#ikR9B^q4=5`-dJ0SY(G}LkNqo_bLD5A)~5u2LDyd@ zzrMMznT|$mRHr`*UKDW@kRNz#f_J&?d}%Nn^X*{t&YSs_Bu#;v4*>Yux+@!4Z7R^=`dC4Z(|YB20pdC)=r*O#)SKbf>y;|9-Fvz^)f5^LPyq4P+y_uDhU;sqbK z*jwHPssoWpSH7q8Nj-?x9>~)6p=?|v%0K+!N0p{gn(unJzd210`2bOKmGun`se+6} zN8NrX8|%qFKLkkWOYD={az67>Lj7kp_5MDEjI9KN^lhWty?fiMZJ*Ko&%yS$H|6YF zoZ$#5CG&}Pe6kd^5l|rFKgML9FCirQ9@BL}=l3T{k^vi2cJ$1;)4R~QzKj-VAfB$m z5hGEqumJXy!$sRBLws70!@(YJ0oUaUK*~|KMY2W`^}5xWl`;wBUAerdi-mU$vnKm;7ltW~Tg#I-iY$3h{HEZa`$NV3=9-XtnXOR|-Hsb#$ui5e+F>QwC)=<~f5-ae zm1qmlyfZ%H;p3Y+e7f;=oohvd&tiOmoI|ZJEkoh%A6!*OJQN;Y(O;>KtH6%l(My8a z9W_t!EjRDp91Ye5(=)plrw)E9XyU6`(2r}G>y9^cXcuXI4P_?Ozf%ge7@cZQ#@rw! zIeu`jA&!6%%e90dpEaTJ8Jue(3;LO((X>35?8O;*lzt!EaRWk)bF914cU9`lA^JQH zb*#=nd*z3qo3EPnZGRCsxAnI}fBaC;v9M$A2d0sovXfH!u^@8{*t{9d$_k+^(xUX1e2K4o`qsD4HgxhN3aoJa0 z+&MWpyK(OBO@VJMvcE~qxLeP(v%xiCr~6VHvmSD$zMzLto@H{Y5NIZKC)bR^hot$( zD4?IZ$;j9Y3uSR*zf))=?WZ~T(S>@FQAehLc7Bk(pf9%qYU2~b-T4>M<1m+HH3C<{ zK?&Yyx#QEOT}SSTb;^uDoyUSg^W;j%o5CRJl3_uDiAQ~K$)pRx;eMQSQgwyl|HIx_ z22{Cj-3kf{h^Qb)yA3*|I}B8$R7x78yFpqEP*ha9JEW0jA)zQp#{w3$03{blNay0t zckgq~x6eKCmEK?X-#OrB!TUbXj4{U;(?4|^Kkz_I2)$$Edp-a@G&X%r(^f~Ww(pk8b` zMpE^1T_W@FjAyYNre-f;r{l(s(2UB?xo}zmvoDb8mCBihAa~rjqJmpT|EO6Tl_+yr z9MQ{1&2m)H_gh_jOD;(6lIDE<;N|(nG$!o|hp#T}bq+tZnioAm*hF#@#<8eV&rw?V zjTS3;N$;Ndop8tEzRjvTIo>CV4T^1k!{9%6aLQd7IU6od)>p+tPMoVD?p^nW-sK@@ zI%#92z`|f8n<}-f!;bIobKbu4=X)7kSvy97bf+u0*vBs3p%t=~OXF#xKY15I=%&Mm zj*ROG=e|v_CK;~>70&5@1i(NqF(6?;mIZS<{UluobcHj8 zsQ}vqU~mt>*RKDiM7S-CT6Epx!LKO;cz^xSCIh4EEO^)o`a#~i5XVc!7QX{ld2ZLC zl(`0GcE;s?2po?x$WqM=9*URrD6&}6PFn`!*Ta|7k;Nx&7O$A3bgT3O@dMvB2Fglo zTEaP5<({+b)2m{X(!SM-z$%FdLL$z0QlR=&v<6|d^Gj%M^q*6Jqw)deYXOfBf}e`5qdkOF!vj-2v84F0B(WVeh^tU%8k6# z%T>2|+_jE^4AT-RPw=2j*TYD?iPp>e*pORMIo;`*!|$ubjNWnGEtYc7I!wX%CK4~A z@~wP#ug&Slc-KRgt)_QwqPnFQ-C%E zl0CqXH?<0-z*G6D7kwv7BQFM_ERy>`&t?kHubly>XTq&fa0TytDHd+KShXna9#1b~ zM@9ablx8a3{~oi?>Kl45u#v6sG}E|uFJ#{~={Lpb6W-|r!E`*)BQoTAt<5Qm_P~N3 zW?z*mMM#fjbp2L_3C!N^a1R~}ZG$J>1UUViiK7 zwn&*uqIAA*wwmA!n&J`qA_@ZEAs%}eIZP$^?AJX=i-%pKl^H<$mHf7`3D3=KyyOlL zdXQERsR`**7FE*fs#>>wEoKs!j}DYtYeI0ZG--)YO7NUz|4~ne>_sTF9?>t&6h*O09qBa9Ys%obLU@yT}P`*L9|fQvI9L=jN9*nAgb$%oI;Lr4tIF1^_@AxGa@G1|8nwlf+Xv-(2e{1ZN= zP~iPEWw%wOwmTL{tZlDW3My$whAT|bkU#1vojQC$zwd2I4~M~~i2=v-^|8lf$Ueao z0->^1;LjmUt1N@s8jB@hxm3exDwFtD20by0%a>y_L*)fvxYBg!Y2Mv;ALHsNgp0WEOke0?p8O2T)ZcYt+vSGn7lC-wyqQ(E=Eq893OK!Fd(H9;4JNB)9G zTPO&=cP2loB$n9EvdOum3&y&oh%?WW6HGOE$f&uFlRxED&kh4#{1q0Z7?Xvrkyqlg zbS*(C&O2bAWA_I9^b8QD2xb4|MtbH5h$~i)iWslq>xuL;yi$%Fo}rr`D9(HjUV;86 zPyq^IY$q&=B^(_cmw`ds0&HTF7{MrIOm+Ts^3a|$ZHUOheZv_$fL-YgNG`GL&*`_Bl_-^}c|JiP~~5@GTyI*t2)i=%L^df=a1Rb(=e1tvywrxA7%Yb@R zCvv`fa#myu&Y;VBdNcmbY1FkQZ*l^bV25gf(?}y(l^4;@9#*v>XY|x{+ zd)%V&Em`2_ymt(NB&M*MD?osX9_7@Vri;s5tbZ!&U`yA$V`yUU?p5dy$$%@?|jRQ3v09B2Bmt6-`AUo>oBt1+D&P+ z?|;Y3{?tCuvM(=hXS_r|`&QiQV%IIF$)_aq;uqFisGB$`+_HEJUh15o>&%opxODl- z63<($n|(Ieal&sQ{7Xe?CHXqazAB#7qj*$bYrzMXL}i^f-*inw@+Hh|)}LPT!j$Fm zkd3>4DZ?IaeK%LW7~YXtpvb3^*${5h+N#bzsPcrkdi`CoMqqWARXSNSxx7&T)ggQk zA>9HDEt6!E-ViT8A)7>BWF;>l)y&q&;{ak?BC;JM-wWKG^X)k4q%#TZgaup55=nK) z?YhrM(PvB>ga%0OftXS_`H8QW_AH%Zy3sAV9`h?5f}iB~FDpRDXbMXu{Kwv^V%Nc$ z{$d9@;AnfCnCdF8?(OU3N6<@+xonV$_>DB_P-$|H3RhL?zk}6k!l_KjEN6XKmBmiD zE!fYajq6T-ZebWkt`1`|;~=r!afIiUrJfTp8kRBwXIr*2{@4tR^@1F6mQSBO<0J4v z$kAky=!*(_WSX#MmxGA(JQQD7CRe@E8m;SMsP|Z&?C@9`SRBtNi@youIgTl8SCZHc zW7neNjK~%&sR#v9Z`+e5++exfbOpp8WOJ6Fl6Xg*|3O>#pu7M@s|su)JKfFc!>c$H znI`}8o~YaRsIB=TCh=N)!YLkxqq=>iqEK|vRAieadM`gCQ6P6$8q8RHLM$1;N%z+L z;Qp>JxjuR^mbh~EhxWCXbTE8#EJNHs3s?H_Xj89jERv1r^51rRCgz!4NBFj+3y}D4 z3Eo-+$7_BcRKl7)@Zecy1U?g-pc7Q=p(Ynd|H(sPcHn;Va`I^AN_OY@>qb(2qt5DK zQ@ufKFm!dWk2mq&jpX-YlUX?(p`5&LV^TWoEwroC-aA|o$hyUqIBGM?HxO#iDa=xt zaL@406-7m-Tk~C@AW=lk-WOJQrBBqi~V#YS~zwd24XFvF`D5( z{UR&LG13T&O0%B#vSjQs{B$GTvG?Tis*qBe!^lM8`F*CfijzbuUur#tluqPZOy{cC z6iOzp+RUo4-HScHDz>SS?6Z)R79_*t6*f&dC$(bHaT{Z{k)gh;dT5r8V{?PEBb*^C zH@5E5_cIOwB)Z@i&64{TqM*^D;+64hub8-jFpw~Zkxl6AhNTTSSiNFVJhX@@NJLnh zfX7V_3O;V(#n%{YG;aE<4l*rhmq@K{c8DF3$Fdh`r}@=L6B&&AG0E9pjP&CO^GU=r7z< zXXuo<58Uk715agv*%%DTS~atb?|X1Z>}zArN|_ttJ;kARL^pCYG66;0jH|*x$b1@T zDLR%WA36cPm&$w@U?4Ze1h%fB@Mb%gTA|~Y|L~A#&rEeAQ9YPJ?9S>AIUe=n)kQ}@FJPZKz*f!$Cdlq#|k`#U1z+5j0=?#tQZ|>R4R=65=OcwCf=I`Md zP|Uau-c?aX`uxrDkJX2x9Y^ui+iMP(&^Mz5QW}Xy;7nJqWIKomQ#_!7PdD#KIEizY z=n)+jnxotK8pu5CA-MYLCnt{#*|M|;FP2DXf5TM43w|BZ16nVl*5e(TgBIt^zPAUHFho8 z>NOnlEPMzK`sgs+r4UzTi8@B#`U35#Xd>da}r; z3xG(sWOYjEgu)K<^j-JT&uq&hO zXbtu;)9iL7Y?D-cZBXIW93-sQQoE0@n$b8&0o5H9-z`qgc0W{W)|@vanyF|25)^|@ zak8MMU;~HU$k6I=U_fe~R&fJE%2#t(;i25|H7mGxLlx5pByPo|)PMuC&VZPiWH-*r z_+SbQ?E4<)x4|4R%06Tyv&PF~c|zVbSk>`Cjq%}Q3>S%oWtA4yYlncABovwZ_5Rn( zd_tl&pxB&JneM6+^T9*b6fg?3itXwKpg$TIiqU2hU*2>>Ve?isA$RdQj1{h8YN^Ss z-UHtP5qa^$8p>ij!KZnkdu4gcEma#R9+}XqS2oCS%#|&MgVN|*45CDwXr~=t&oWUwqbqCBU^ZcK=(s5Q z&_|-xc*~71duJR{4hi-Y0~=?-MZmoM#U_QS$kUrKM1sTfu!zKMJXX;1-epp~N19y^ z=0VY45dnp`0!;FUWZr}WDs&A%ZDVB**lyMYW}eCuIJ9>@OkXXfqx_FtJ+Xv|sG*=+ zz43F<5K*Z^M`k3X5-2sFL6v%y@`k;vflWzMHySe;U4RzYeZjc%`P_V4HO!>$;_+RI z?uisG*{p5W;ch!+P9V10GMRO%;w0ywasKLk1yr8n(+yS99F{bN9ls5pu+%GlRA777 zJd%^amSg)bG=MP*f7sL~{v4t!W&5-se`d(**Jr9d*PKGDfxGJjqN6Gw9WmGz3Hu;= z7H$H0P8mdC`k%ma_v~M=*Jh};Cm}#afWItiF7;tuG}lEqlUijq(UqTh^iap!-C1O8 z7RZ0b$@zo3F!tj37vF2cpV{wI5{)}GYo(J`aMFu;WPP&7j<1&%@v?ui-*m5S0*RPj z74x^q`en#_9y+SPqrtAt6*wf}ED70?La?SY;|g2|?}}Os`o1 z9DfZ=7<29|27gr@ zLm*nG_-PX#J$>eaLWE=~Z&c2epE*wnzVg6LMWzf`QdgLlC9(xkAGPE6^ zzo7ZM#8}@q*rX$(&7NBKAVW0jk!^+(KkXmwo^ldE^T^1dT;+l@5hC`{DYJP4Z?@{$ zbZhkZtZzENcgx^z0BnL6qu$-KP(>6Vh%ew^EcF58p@@ku>%6uoA0g}IF<5jVkeQ`j znhj{h+|{@c=bu`5%Mugub0_gW!ZyC)%07*mn{*%3nn2&c35$=KFsT= z_5{zoX7Wc6Zdgpl3O+yiC3aZtd&XOdqqrZ&TtBlRXH_^e^e!zVBDCP{yR+Q&r$d7t z+*_2ne;2y#H&NdQ?$9cU{ORL>$0LISDGev2={HePQ9TrfhyL{K|0Pf$8*>N*Tp<~b ze~ha|U5OySnDFG^cyrc>*9j_X|MmVlCJ8N`q&MDzdop}!BTFcqH8FK&Zx&FMbiB=5$QZ=9-!E%t((D9Oh$kvw7qfEw^RGAmF^v42;Ng$fg)n|p zQug5%|AWTlBWGT-6Rt~Ky=9Q$z)$jv0`Bf-BDh|UiIxD4GW*D-=nn@e&0q{#4dwky z49NfcS;_G4f7Ee}GhY1~bgHLL3)@7|UJ*6ORy!(tz@Lk%aP-WMQu9YuKA~Ur(GCq{ z5V{&Pf_zUQajeU3oNKcPqWfRP_ZbC!SrVGm%!yZ3Aq*@CD#`OC? zzC}A7W4Uy|zlR7~whPvMxqJsZBo-yvq0gB;%t!dIPQpJ1v;T4o*?bPCb%Vy>z_2u2 zh$KS5P(y*PX-;|#z$H@{9GT_A-jQaa$K=e?aSv(~PnexN)Xj1c^ch=-f_{v~!28XE znv!>Xq(A?c!+(PVzW15tK>4e`-0m(S*iB4HD`XW$+kdhXBTPFm>F#<5Z zn4Pz`l0RDd$qfH}VEXH&`iE2b-}{EF2_&ntL!HP~*)=_MGlGj9cq6wz?ex}wK(PXk z5X4Doc)qXyTsxCL|1IVZW!DA1vQ!-YwIwvcA%2eIv0WshOurv6|J5Vsfj*i@K5O&vosgDF@*vhRsoPvwB+>)f6(B*nI9^T z&6o68z5xPHMZFFoKfJg6jT^5)`6{1$`N|3?OoV#Cf^c_IE%=885o`nG~qvkw1Dp5M<@vds}3#XoE%d zemCn#&5G#HGWT9w@I4S~I}3@qnnz;W&<>H>g8EA4&1e@Q~(J`h0>)x#DnkFy0knXev*qXNNm`0Gc!;DbVd zX58MANUc2D(7k?VGOv6j1R;zHu6-X+P4Jka#q62yMsR7J1wiHH{Y7r=lGnfc&lOZs zdW5$wZDf$CA*=VaK&qLfgh|lzv+4roysY1~ge!(AYHmPo=K7mi-WQlN!}ii30(tUn zrk7xq=kgb;Jb#D!31CE}%ymS7TTJwE*(!uGPMQC9huM3{pJa|+)FH{bcwA6&2{4|B zU`B};!*-YsHX$;U@*%6cnZAcFUpbrTwIJpJda1Swuz|e+Oi0_l&oFBkepi+K-iyHxTR^H@$#fFl>8%(`&}CYj$;@y9<>ooY|p%;17LOtJmM$uzTm-`@|&|T z1NZP5a)vobR6!1f4#xGRAd+nrLWsq%QJVh9v~#?l8sIeN!FEIG6PSbvo3}IIfG4Dw zASt%$P%HyzaV0D#JV)GvOM+m16F6~K$uB=A?x}`6>{L%Ka`osm+8A-`nd-b)*AujO zT)b})E~rJ)(4xZg#E~6j4f@(hFXAs2vbnigSLwnku&b)L%}QVNP3$U)id^kGz_9(` zM_>k=zXmSd`|lYjr?C%-;L zNO#=)IdMJ^wv@_j2F{Lpue>C)Ks)3oUkPjm4T)7?Odhc>oNs~73<6V7$b>@`L#ev~ zFD?oXve27Ag`5QR{WS#0L&5SL?Fg&qC@+i&CqP?Y!VE0k$1Auk8_T}jXhHiCU8jjJ zzky* zlZB;$aRrPsXa$A<{v^WnWQF#C8z|fxn~!_oYCShq0r&pum2I$bvZH7Uv9NXN76>~^ z>_l`i09SZBp79OCnR^eD>y>P%HEY~C7WM7Rxsikj~znkjN%=)}2eQS6}j<^=vR zwU2=yS7%M^pa-lXu0+pz+7A?^lZ>MsWV}=qBDmfFUabON20S8t1^uqcwtq3Hir$!n zyFe+W@w~kkSPTe8i?FIPUhewexHVYp&}sfq31Vw8V2g)woHFL z;O$qFq@o*mYj^qOWJe*S&Na|*Ypa3ag9T;|4z}8~pmri#?RLlq`?p&#NH~6a#oSGB z*9K@rEK5AX!dvF5(;M|$5Ei4UetQT4@lYVt4icrqB1P+OhgV^bT(4e8!u2aeLc<*q zkf3xCL6MZ_>P02b8lX(e#lWa)a7ef{mP=OmqW@9akqTHgmKp|_>87sW)$~YIeGVo|sUud;80)~x)*~o%H|3YCb zoPqCkK$1RxykFR?^|aQzdr#)ui)_!=va4o%foL)8kq8?PWJMF_XL@rY^J4M>D6N{f zKyb;jJAGB^Fgf8WCNw|>s0AY6>{9Lwd&`?aUlK;*9)V{Uyx2`Kjiwc}>EcB=EErob z%TdAL!FK=`0K)g?-g3Hu?s2R+2#GRFYi zDG@)2a%OED7^x*$0#U(#FSq~M#B|^a&I3lOwCk&M!fy#&5EDH=NQ(U9{4Fxy<@c|S zKl3~m%A!P?TLqr8Lf?9=ZegGCz=q05pjl*y+FBSU68`{&!*XI0Xb;^QXLpe00q{AM z5O^=gw$`+JfekIuHhd~gzxgjI8ChQQGhP_9_{&gyGn5drQ1E>d@WVLhgB)Bx7{lc2 zr(PpRSm&Q=k>M!lim;n60y^Wp7Aoy{YKyFTIm&fPt<=R_W^R45z6mV>&>2uaI5lz| z)_^=*fzl9E%Y!;(xlhNw33PgsV4|KOqmm$*V&u9_Lr-r#2xZm!{&(!*_YCR-jX$oi zC2vrl36r((@056&TU$w7<>gjxf*MdBLebjH?BR2QA zrDtM|oZR$X9psQ@5?*ynV`bGByREL^>22NS6v~#dkm_eC4l#WUU(@y_{FyH194L#;i{G= zXfpGJEUC8!pOOxmHBp3^@7)t_*%qR_$`j%DV$F8iZRy}Dcg5I4R~kQ%YZQ=tySs7t z)b-BY<}|VCxZ+le%5g4OT2WaqDBJjKU1mraDciqp9{rgf;$HAB%qItA>7o;vc&v^@6sdY3dEio3&N15QP|^iM<78Q zqUD0%B0QviNFpvm^`{=&1kjqj#nHGS`O2~YHd9};wNIM_mu)+fRi1HWzRy%mPQGBS z*Hj2b4Q{lV`mdt!Yg6j>_a(|7F-PSqCVfKK2P5AwjCc?b_Aq8*&v~zQU3WFd9aheD z*X@ZveeQ2H*T1aE|GVFiEr1<21_gt|xyV4iv-l7YpT;9}o#cV5+Hrxbrh(470=Bqh z4r$)2dqA*&D7GVv!IIJqGza#RrgxHRPHF1$ZGn05UL0Y+6j)|KIhyaRspqOLz6W>l zB1tC(+<8h8wW+-Ap<>F$O}oRI5Rru^H2OEZp46%w?y>xFFtL|b$bBj0InQhYEPXfG zgp?63kwE+&zddIMT%9ISq`oS$f8zJ`GS$(ej5?K!)LJGd+~MwCP&gOqX$h#~+O;f+ zT~O6!NhnuczYnJAWafyZ;X>o1mxBAdD>|G?zv6J^A0XJCJ;_IioGw{+Qsk~%KBxiw zGuz=dRn%O0?Vjz)VdZnkf^X#yWA|8zCW}`Amq3AVwZbwZy1~=c64@rT5N)0yzYX96 z$_{L(+!3QEu&8w)jmsSK4rFw@+g-xkak2iW9R#eV(QXCa`CzfBD3eY&kJB~yZEHAy z=t}rXJ))Yi+=o`P&vzu9U4mZo;PZzOFBv8JEb&G$qK^0I&hRkw-Piy^JNkf+c4CSk zuhCKc+HIM(jgBo^f)7~YbsMb*OkGD9; zmNe!PVFwQJ8vrWnm`6^zV)Ukw6&dc}KzqTjxRqZa((&Hv-Fwe2bT@g!ty_SAq+C@W z0s6=`K&B=2ScoQ6@5t67XB3CT?y3}73!?{ou>qs|FnV$$O^S>}j8k1+6Yh{RNs7)N zi%)=m<`OlEaG+|7ac+KfBt#C!0G{_pP~{@fBsw@2BN;?jZ0)&qcbyEr=I;d@4()h^2o zU_TCnJyWz>qm7o)lT*V0izO;AgGnZ$9Mm1ORqmGRRa31D z*U)BXT%VTNAMgP}p=Eg~+v!n=xTf)TP+P#6+{I0oKF&L^^?!%0tYY(1^N>y));VanM<~mp)&NmPLTDfJOm60*E@LnW;XSv1%N4O*xZ3&PY3Brp-b` zt^*(mmP%FetG>tNDR;=hC>5DK!T7bOC(h{tP=dB2V)lkAAY`EyJYSLMy8v6(vUDtx zpM=PI(YZl}tU`8i?X^KJh%V!Wo2L9>0XgAmqe#1iprhqb6;wgB$m)L-*=^?zE=ifS zw+riGUd=PF@thEEi9&F;Za?S>F>JcbMt^nRg1;zgXTr&@vt@!NZt+=F#9` z7e#~s+a$T`Bf|LZk#TIE(-nQKA=1q3ZfRBXUajbmVqt#PhQ^t2yHVxbfi=B z+B3)BD_fMh?1x3jh9vIoV$lcL=A_g~;iP26A`NT&ZmA*D7E z-n|J{8OKyO7b!#5ylmtL1s#DhC092YSAziggK~XaY&X?L+qNkND)fnW!3jhna z)dy0j1ad?r<3FaI@kV&5{Sr8Rn|Ggw2@W%iDZ@$)mkJ^aMK49GE;s1qGp!z8*siZC z)+0DnfSS#o;MEPLHH-QX?>1;DM8H??ICJf)U?kH)W=6LDd(XDwQ%GjP0%J$h=R^yFGNw?5>g~Aol48Jg`uu~A|TLn74Bb9yb zCCl2oL%+ovUTT5UwTR!w)J~zei@uy~D$@sH6gq2jsKIjqVrrA4Db{Eu>CrJKNLue> z;Y6V?eRcfqzB7-bU@5hb*--5(vbevwv*a#JPV`K2tw%Nf;gabEB9@+-K`8!mKdk;- zPVgT!04Y(%rr8}1hH;sL0P{`qr>?~~f|N8mcMd|CXPbC&3KX=_gfKN%ptb>N<6HAr*qmgut{t@@x2q8={^f7!58OC|VLR4=$7r4v## zOxQz#YKK(K3S93V>mcVH#4*|%8^Rx9gG*R$3*rfE7Gs%VA|7)sCnV_XU<72wTrV&- z)dg3dkTs@@hO*yo+1K#x&b3{s-(M^6t3>J;OXi;STL&sGR-`pNFJ%U4cAU1>-0Yk_piku3|y{=!jr1=rLG7FbGi+ z&CpAGSI~oA48e-x*IgL}#POxIoNO$A;DA4;m-oL*8007WyOYz*0AbK#Y8Xx9G$@#J zv@Q{@_BwLrMe;?^;*#V!tUXxjPkIx9T2)4x?#k5#{UK#J-r1Ic^Pw1$y z>C5A?NgE`BbV&s&i|6jW{Kc%5<1-wx4{GvRR(}O{`=^jL^Mvrw%-j?Dc=cZqC;$9G z|Ihv&)wPeVX5s(wemq~-Ikj+4*Q~@Zo>$0qJNXOhuucwt_L}IhX2o65-SY@&7too5 zHmhkn_%vUNW}XNquruS&U9{;hG%<36%~b7LY!Qck&Q{;IEPRggz)7ydzxFSZEhjymRG_mJ zE%u8)Clfl^0@boZEx(Q!`ukJt%tJz{hOb%hF90|G)Jt@-BcBt-{lV!^U;M}S_`g3U zE;)c)p~4fRe+4n%Prsf^5PXifsX`&cpT77j{ihY{3%J9pJ>};J>6UnQ7f~IACD{G zIRzsSSu!FniXzFZC&l-=e^pSaGvS3y+2l)E{P0(O#9tE0-+?~A?oqOM5fH8_t;a^4 z`W2(cKmFcp=itHd-+b{?DEan!CftAZ0{GXr^x^>7@g)1A(NDQ&{%0}pznar!Y5lXB zUwrxlkPR)b1DN>h0`LdfIK`lwu0SSX(S6+I!{5L#ay-ok!MUB=gfzoEF1`^ZL_mTn zn9qbhYePmkz3Q4T1&lJfHT=PDpaBa_`2s*k%2PSUwg7zD&GA1LAd9pFAlD77F-WiH z;Fy3WMK5HfHdx@dkGFgGnOdQ$SbM}{nsEd0oU})R6m4^DBBL%8l1soCg87gGGLPtX zWSOS+xT`M>j^7nR7~SG=&5dWQ2@XJax>FPfWSTS`tE_Z!-)Jq_Lns}?-OV2h0LR{- zHqMAPb3(9fciuaV9f0sJID@ULM^Rk7L&Ep_7pX658UiA+0Eqm}z?>I+lVPeE*uE6! zAsCK+LvZCx{@`FVfDNNtwTtM?S32hLu5mHga4^`JXM(wc$@+7yqNh55+Ekg|uCV(~ zy&hmTIP2XbBV1zW(Wr5StnG_(<0f#q;%;!keBTb>!>ndRn&0q(Hq<4ua{Z=Xe+o6& zBfvDB-xV7h1t5!#AS=uB2hIqo-4j3Vd)Iv71j2Dqk=`;XasaTWSjRFwT-^B*D|hdN zZZIya=w4UDV#$hDSJ8HTMgE461qIRXYnV4K3J;i2ip-aw15(3geGw`lKwz=Dk;+jQ zKg@$olpRc%Tz#1&VAO#+rExd8XO)hYy|1#2b>hm)3N>2Ip(PlSsIUMys9M2Y)_-=z z_iDJu>iTFvM`=Z1|F+aO*w3u65NoM?CE%!IbLfp9M9b}mU$)9`*p^hgyt;&0KqZ2w z;dNA2Mojb8Bp=p5_x{%>^wBO^j?94VZvd*#GR_0AyAnq1nQJh2Y3GZ_vJ@vRdVR!Z zlh=~s&wNWMOJ$<#pge0=cr1}>Lq)sTf5dZ+8yV<^$83VD+9I{C!=+4d3+$F+RnNyV zi!|kGyRETD6d|5u1vT5*UI6i95l>JA!IY+kak8LZs4T3eYgVR?fWa$+!P>n=FAXh2yy8*QCyos!~|n7`q|+pYo&KismtbcB&j zlk!q#e!Bx^v3WzY$(t=F%68U*>!)YFR=E7zLi8k?Z&1JqRFw!)

?~Dm~d9+3d*jR0zxX$oqy{|>ZZyTN1y^tHx!c)~6@9>cXmn5_MmBOxi ztxth)kI|*`lDwZf)hsu`_UbY!Z-dS{x9c3?swKTXU~NrhgYZ!#oskP|C1+mqCY?!h z%bnX*dQjudNnZq2K@~D+!F_+clEzKbmcY6M{tFmg5%zx9(~oyU6nGqgKyA_1j7ujX znj!NmkS!%W+M_2QJ^{Xj39Y{HQWndCx^zX{Fif|6Yx3H!*BhUk>*uH~d0|PYsqc|4 z0hcgDnQBk1 zz1#N+?fMT~Fw3Gr+<9tE6p6MFe+Y%$Y_Dt4aV>oDcQm*Li{jm+Ikh$XPGi<;i06~* zVC8tX*Xg!HJQ{_hL`uk3VQZFZTt+Ml!S=4C#zwok*^Bsl@z!3KrKyH^>^(^pO*ak- zwL@^}&)c9}jwoi`So~yeD>YEuTEy%=>?rRb@-k<~61cNY(TRM@^8TLFk3vEn5%&F% zd7@9qt2djqU3)4-3rj7=p6%1q>iA9d!B;TzcEO{}3wt$mgoG-yr~5O^nqM8CAt1~{ z@lIo|XE)1Am1IAh->I&}>bQ=+oFwxi(2+K z+DI2#alj(Fne_{wp3c&mRV!1;Fi^Ni0ND z9dyClD?4VJOb^$U<~8FZsJzhyoZ~Xr7fVb{J^qwU|L-y?NdSNs4DFDA`XAphEIM^- z@+AaHNi7*7mI2#xEX$Cq>1RB55)FSzo_e&ryurvGV)qU+wbjKF{P?~pe{_GNab2plC;sEYJJ8<3ddiyv_PMeO;8X!WDj={VkH zF3;f!s;Eo;)?rj{Z%q;)u-kE+2k%+R*w9y!Jp5CG#hax-0n>D7^;@5|bzbl8C)8Ht zFlJ_oyzcu6i+6Pso-gJmyDy3wJZF#gKIETpHz7W*ed~nqZ=tevu7fK}cc%{$tsx6^ z`ad3Vi90Zz96WTM>o{`#>r8l(UVWcEmrJ@-3Zpvrox$~~qPpJ#8SYTVbqF`Wkl!v( z9-($CNxSHx(Q}Kkg7Yz4KEyl2jeF04b&>KFaSfCR-coc4!z#bXb_Lhuz=;w%F6vlm6f)B0=7nsqXvj8LN{)b6?AA>ei0w zF5ghiHwu?V5yps%%cMf}JZCko+1;Y$(=$pe9MnV}EVx{w-L(HWBvA}RT&G{=#S*H{ ziRXwIobv%EQ(S2sgLA8qpdd6L{%;8yPpC$}H1e4)+6HKpJQpP?@i8&givf4{U zF#2y3hR*Rx0|z7~e1DSH4@Z61kRWqsI<5WG%(KaXCS2TTr5CY6U+5w6d5`ysu?d}4U>6gV!yfqFDduUv7Eu~_>F67nOe-uJh9X;SSd+(L%!z*yfH<-Z?IG2-$$| z4Q>e{JEjdGZisLrS%|H0Han+p^$t;9X`gmZMxyK6Ze0x&1bOF!t5U!>5|U{mo6rQ|!8~f2SMiPwwAKM#zoTRqw~q8kFo)@>?wblsu1fo3NKjmefIe}n5hH%|x?=YUv96autV4hm~4>my$F8-vyb7slUu z0L_Yq*s&$cqHImHCG<>00pI;VeHrBf_ z^ZSeFyho70T5>w7>D(B}%>Cba8HnR2_?XUBBBcWDHXMFWX$ya!xGw)it!9P@Gimjv6j_hG-Q; z5V98(rD;RbIiE)tivrLTfBozK?=*v4f*BkFMdEZ`Pa=21GpY{Aqr-6f$B?1v2IRCB z?suO~+QDXxN&~%C?P}hd&5zY!9@|7C4jUF`R$Yf-UNVAQ8LiaFg-lB%(==@Y4I?iW zm~SC&+;fm&a3e6@HW8!IvEeHRYr8&0&G6y1C%1^m(aYQjvxJ~IBPJW4rBUkxM3sxOx6mORR?w_@$!FG-M3>raJ53`U1u&i~P4rBDQ<�ZWqr{;<)LIFb-?dY;#R} z-%q5^i;TYzm}V0dNoBUl-gy?fwj#DN^QnWHdp)^{zL~qb2xonr zO#N6dUtR$l&15nDea`j{n#0O|J+3p`Sl56$A~yI!CGPnr5byYOalrl?y-7xH-Qos( z(B4YozDvRT<(vH6YnXRwGLt8?CQ0|p<>tl9!d0}oHNVAjyIW|tMa+K}?b+&XF5{2@ z$p;6!G25BE=Brv+(avgpE&{jSN?p0I=;0dr{<_zWQvZv0!Gp}|3Eduw^Vw(echj1Goa8arC~tp< z8bM3j%1;|rQNMLp{)X!6v5F0KmX2|?>CNA(t%_+1EXq*rQQ66E?m#K`_#DtPnA6Q& zj?8CX4hiOyXmD*Ea?CL9%*eD>4&QOjv#YPiX(goK=^B?Ql&*M0v}% z^YxZ93S57z45s{uW#EaFKuLYUivX+NPf!SQM=aT zm}EH{m%F24wJpE(bX|#YMcg1;H)XeR;lk#)S*dm6t(sI1%N?BW>-Ig=6!*<$ov>G1 zlZLLfa3z|GW@6OPUGG9%^-|_&!UIbdB1-IMhYP&T0J$g}agFuZ%JOAnuJW53P3`fV zV@TeSZk7nYJ{#5EV*Q-@V{neyqP2^Y7>lmGRwD3?W$+L^L8q8N7Bttu0t`*o$b{C43Py2EMv9G z-y0Wo@hi`yE}Y(~Sf<1Bstzc5gfG*FV_inM<_4Z_33D>@Mq`!?cUDN&|IPxq~x|Vsv^ z)3@}~d)kZaiZSU;4~3UhCgrMLWsP4oRmEEOmTHeU%Z0m|ejOG%Sd z?4VqIaf5g;abgT6<-|&-TZ}2Fw*yd}0$G4uEV%k$^_R7&?NG!F>DQRkm!*Bm?xsU#i zJ!is)2q}s!%;egFT#H(ndg3dM>ij<8=9_%Y#@e<088(sITw!V%pyWZI@9yOOYkrJBnW~pO^-D z_tiF&7%W98h0u0xhK*K|83C)SplaE%Oe1WYZuyKSrnz53zX-Rb6n)pDqn5Z=ikZCF zvfn<8fGBb`sN8?UT&3Mr^JW6+F0G*)GlWlshnno zm}$t93CA?5GoX6po#(N#Tp#?BXeO{BygNz*w@A~Y{Z6zOy)e(eBd|xkKQw!tJm!60 zWa;mul9_A%fF_PGy7t^|YN7vnkL@@Xnw!Sf$Oao-bu~l`-=@iA8x`Y;`yN@lYq~&o z5MQA+k1Vzyav${xy#yHuB>~la=wz>^Y<=3z>jjYmJ z_4VG}y&(14tv35%0L12AMGWMxX%te*;1r&%mtNgEM$3PmF*k?<*#ZJ(?0C1YQ44UT z=Rsjqu=;t*;r@V~I=?vN=3yZHNAH9(y7hmU2cS-Gc(wc4zUggsi!R}kB&V;3KvlZ* z>DH;_T`FsFyx^XjPvtVQ6y1}(Kb3IeNz2%)f*_6TTd5_0NmY)*>K*)8#vrg$+XQ73 zS(0d4Prdl4qJjIejT7zTGu;`60%ERaqk3^*tOV!x#uXr5o?%uKDVzR_?r0^E^x6#_ zmtF6Ts?jwsS4+(cS0;J0XJ}ZqtR!HAL&MjkG=$QnZ0q_y`(gGnvAQl6gp4X{X9LN>FsUp4$mIMa@hsgJe z<1G$Ayi{0DdrzZPS{nz2{le}_2S$ZowR%rwI^tZg=tn(Z|3%kgoOWk5Yj1KWn7vF| z$?)LZmjq^L@ihew$60S99F!&nB*6o36FEk4!_I@2nFHsoW3=t!o&8o*nI~()G<$2! z0*DyZ+eu< zr43I$wz>4J({pc|x5OJ~;%M|U-+oVVzRrmTHB<;gC|FDvvRw0D#hynzR09hBos6A`7BoF%TNQoZOLt? z`N&h9tk$$h0kg4DyI-Br$}}QDGM#DdV|ztmaP;Hc0*C1nehdMEa}N6M|JG31-MSpp zW+M|D(VVAICW)}=p_6_y9Qg$$t(kCd`ctT~ID2J43GS{chR}(JV-9vcZ29M3Dh}~Q zsDqi4lzt4@*e)rC3zI6IjOQ$%wZ z(Fm8tTN?slR3?i62o_#yuT9u$cdrT6<>egRh3YLXc)XmAxzE-7TvoHsOJ&~1s4J~S z_rfKwwWv;x$aigh2lnL6MSCWvFTXW8-tWA0xcB|()5J45P7Ki?`>n~x9DeOK?AT}$ z;i;UwGc3*$u5wo!`flrlQZ=peyQT~}!a~Lq@eu-9xmCCk?L#|zEdn5pKB&Csikzian;^$XK3Q|mzexzk$Dx5jl5VX-+PHG zwgWkIjWsgXE$L=eiKR^`&8}Is-{s~>P12S_6DUo?H&%y$>)iBz_FuIf;qdTV}praXV)Ih{hqeqP~IG^3$ z^PJx~zvp+J|GX}DT`b@Asu^M2qeJN0-|r-Q5f5ylIp>X?Uy17+$qp4L0kqWT%ZT)q zsFe$;CQVokLEEGTb>NBJ1gReQkansi5X6;%LMza>uT#!;4X)6y?48EbVxic4X@J`7)OU0^1 zu!wycxWdS^$5^u>4dxQK?8ZhEBBqz@={Sn}Mm_KJLxKx*rReRu)SAj#-7{q)IZlcw z7;Z{N8|7!gn{L3$n;#q6U9Hc9Jy&}VU)#~d1_(Ka|>VVefgfAImoqFLR}-IDcghx_+OtVy0F4_mt0ihL7w z$l|MsNeM0?^PO1i>dSbEoX1>Kq?_D<*>NYzVcb{8)n8Y+!|*-R4tamkJ?z@eG>Mp)L!Fc#fwG156=&99?PlrX zT(_SA&4f_OJ*6Fv$f|Ldy*PDXv*e#OyLbD_2F$by2oi^xS`bGX`0LNO(Vw4dbJtGf zn3I-sW~wBAq>2T7HG`M7>)>>Miz;yR38T43*LdKa?Om+dLF}F9ffVB z516FJah?+8>E#Fbm*;W&+~UCiJ-RcqTj@N4LN7LKz@F-N0XZ1cxduBm#ifxyyI7=S z7|`#1`{ukvYjq_SX4I#12c7E1_>ge43f&>gb{~#d(LZ7@vY~XQtn-j#x{6)he5DT2 zkzAx}yg;0ie*O-fA#kruLV=P5>n}|qxXVJI&(~iuf*FxP5!^YRROmKa>;*9g*N3<=azEDJiqvvANggO$1`5WS%{7B;VQqzbM2O1YG8t)w zzE^AhL_K*}zJT{-h^Hzf)9-`mllg{oqDMClDm&_CXsbOY&G>tdai35t;Tg*6lKj2f?<_9 z4}mJGa387r)zKH$5wLs@a^T9d2cuiew&?yd3(Dg+cb*hXEuuH-{-E&ALUf0d)H^+g zA3%-D&^w_=WHIX3EXXU<_m1m;+eA9&Tvl+ShUXs!N`6r(ow^}vmn>CnCJp|-7eztf@r@BPAN2tOPoCE{@5IgCMg(PkzP6CE_U@%7^DA?E%_yMXml63> z0<@q)LFOi>@Bc})FnprcVKC*5%_?2c8D8l_vc&KS)=GjG9#y;zrMlaZ?m8T;8 zXqEl`hs6y&r662)FH0=WY@jMX1?p_D zlJt;F-J7b^{T<*Xd-46yptuadzwu6_-s<;usMdwnTCoEQ+vR_Pua9r3*Y*r^ULK8S zI7+*PE}6qybZJy1V6UE(moxT)Pv+CP3$;Y zRi5it>94><#|x}a5rd9t{hN%RRsxvh0SCGSMS5ptt8ID%;<~{|#V@;6znl$X4Ug$- z_Jn?PHy`pg3gdzqtAhg9swOpaDqHQF@FgmVVQlzC9-~r$IJGiM>tp;KN{=@QI>>6n zN#?NoL!78NN8^gLt1xF)hTRkAFGsgt-Ox+EDZ~8rzMu){OHyh?2cK{)m1RbHhkg}t zkC(Hz7ILvHsIOWEvPbe?Q>4&xla{kL)7*v%A*oBGRIs)t!m>11sV!t-J_Ju1@+T%o^gCL#%RXP_E_Ae8EpMI^C?!s+ z24(@IHDj*Z&?Td#PxXHYvV|)4Z^dFCG%gj)+v^W4#t881iFPRU=f^9o;GIJnzA)Rug7iYoYhv^ zagSfQ&Q->E^>CAPc^JLD+)4?@1=#^$K$~R~Fkc~et3=kitw_ZZSrq$oMK0x_56oB$ z&oPQfX#skwUIu`GMl!vBsxaCocpn=d8ujZqQj1s{PQQdOY_-4=MD!^SZ-5BDLJb&>)mbs zCPMfv$<9O22rrS1@vsW+^m7XH{zM*HwuXF3)cmVNm?TkICLC&LcI%<^6;Z>p7SctH zJ_YZxpOyt_^Ih{jWB5D~rG>SZYuvp}ASwYGgiqc|lsa3`K^cQ`r99o#qN|Z~Z)7#B zo^WsXHc_%I600Ogd)}a35;2cYwwT+xH z7{Yni5>H8Fm?uC<{WW*49I;H^x#s+~B7*xHeX7ZlKgG(o;PdqlHcgupsjr_+7EDG9 z>Bnp+n+|%|e_{Z{R?&_eD0MkYd4IL0FdxM}!MeGwVBH?rmsU77N~CQ}Wt1jhbf;A^ zO3gqvYV_G3wTtNpALX&>dzvCF0EC38CzMlpl-wQ8z32GiWHDdgC(FGizL6*csid10 zfY}svJ-V|9Ku3r~GnWJ(n*bpH>q{0d%{HrqgFEnw3612KjihIB(Rcs^_0(i05(qBBdUrOMtJf!i+8A5^CXWS|huBQb!eZ8S zc7yej{Q9%uqdnIpx_a1V1!ba-jgjlS+g-aCH=YvP%LZAeRkMUo=Hmq~MCPFuGuzku zZlalE=!}4wSUV9-s+Wx?MYQrNfGoOeOs|k@#ZD%z7P+1hH&rVPYF#-kounp_`SiuY zAew_`1zq1glMCBZ`Q_*PGZQlFzBDrcvWLoC(xXQ9-zWs!vx^q6L6e%PjI*mlqe_bd zHFs#5b!Vi#)9xPTXQ`N%_3qBR!SXoh4KJF>MY^=I2k#Thc4{q{w<#>8-46BLZ7mCp zDOY8AAA$}|mddka3_AI`B7v_3y3ncHpQx%zL7)MhO;Q;oAtfjlwLfP%YevqAIg+$^@*4D=PKj#@H$E zM07ag#lpEERh8X@;KEPXv1w-gLPwmIOlQVD##^t5_a&ly(ium?g2E}12VENr)~kFO zNyv?3Zpji3?+2#NS!I`Ypy-Yym&w{8biO0sg(Q9Dg|@-^+A^0ZN$EQV&r%;b0P(Wq z!avQ=O!E+jb`#8V`tL;B7`oC{oH{6wCRv7Xy7r(70{QOWYcEt!6ag=5D;_pIWhG{Toz(k=hyE zr!b^;QJuv3!&1c>N)|R_gEuAOrtb{wG(7aRO1aH`&~?%WZbJ!Ke<7;sePsW~yuxHL zD&hyq!=Z`o*f908V^nB)s^{l?!PV%h&m%eRm4HT-jUR%WbpAl47I?pcA2jQFUs?$5 zeXHmC*2}$*7$8(D@Y$)*FH)~--iP3l;1IiP_R8;nkS$I-?Av|s)7xg6-2bmLzBA!D zOnwX452V%q^6;jF-9+_}V6Q2!7}qq?B$Oqosx1 zOjrS`ra21s>?qu^Crl5}rYboSQ1|jb!8jX#s@y!8QqKN$hr85X3%hD^r3F(0=My&h z1c$_0(9Sei&l)rpt$yZ~!A<`%3mmiylTO~pas#KrpZL|!3jnH57CO=ts|hK-@+Oh% zlHqRm*A{74A~A}q)X3q}t7A$(P~shi8TS>{<5MI$XM^nzU(AhzuSPAFw4O=2N!LUf z>OlltM(#&dzJexqFUrCj{)~$wj|$04735~dtrdAF0(b`U!697gJMBQBfg^*1b%m?hKu(Xq^Tk*+{ z$1leyNDxZ4uPs(tu4Ix1@!ZQa0Jo*(StV2vU6|6?zdg-Ox&%ZvY|G><+ zH6QlI=$EmMk|$2s^VVyusN_w2TI66gxtz|`aMq0`V#9h(g9)h@ow6749btZTCb zQGhS`4l^nWHd2P*r{$RHm%5aH&Ra=ZpfPCZ4NDP-^L{sak_s%=E>US_h`QRm6}0CG zIL@oROEs7tDspq}M|P)S@PPmbGYtq=$rjmgYKwI$BO6k9B_yXuKZ;Q=kZxS9Tf})+ z?CO@yE}vv2k4a28E_5Z@4!BK~Rhrtwh0y;TyiR5WFImK_pQ9P`-?i-e$vf~3BhRmY z<9-#h9uX45(GnV;|MNQvQ3Q#VsEm>OrHE_A~2mtZ;;KU z8d*jEn~O#ElSr~l(F~gu_;=Bju)Hrs#@VYB2@f2@SXJR2$qlb?oKE-&PrFKjAgHBi z$`9WPb|dbiUXI8H%?(DS&aKjyx^u7_Z|qd^=T=e9pPUA$I2zB?Nk0Ye_tq6|XRf{) zOYz;k(84Tqt5=wyk@gxgzNZ4F;4Qf*;;sdq7(FLJW1b+V--B&IGX^yyfzZ2O($ z-p6p+#T1m0OA_d@_!-$D15u&Aw3l?IuQh&T!Jtcx{D^HbHNeyDw026?nr<(8V}1YX z%qarKKuc7rlBKtmlIj_w`Nl8>-9#oaQvPi^p2Q+koBm#s1x&hwY+P8!_lB?78GXe)X#B1 zZ`M*9O0Bs1KRH3X7`@P)vw@dD{F{5#P2Gq3+K0(AZo2{e8I%K<7E}~+8ckaqY-CFD`)Rsj*QCl;P>IZzzmBk3HT@You zR<4?Vk8iGG6#N%d8$%3PT6_Ugc~Pd$o=x~Xwi%z( zw#M<(*%Laqilvxs*=X(})@KME%WGY9`AT(&XtKeCM0y&$M9&n; zxYiI@^yuR_stEXo$kDR}*4P?q^D39_h@WC1V?z+kCJn2#mC`4*7F6OL-t8`)&Ya~= zU?;NbaKW7dj>Ij7YF?a`yME*uNXT?~7!^a=WL3g@dRh#d8%5dEn&bqN&*jI0sHTjH zasd85o@~NB&fQaDn)h&m-dy9CsiMAn55e`=Xx60fn1u1cU?9AsffYh}VAa-k}6D*&JXc;9-i_y2X+Z@?TexCjHBb_-fxC^t> zm14hbk8D{PW3||i>Sv3#jriK=DaLN6ZExHkyqcU{3zdQLjj$hGm>t7;$7Ijv4D58o z`rFx@y!hiOE@b*cjdl$Uq@^}4R zyG*dkR-k3<+R%q82bd4%`*x{WPv2mI3J{@yAq(8q5JcQsr$TKb^xBJSSN4>1h4ox( zxM;#F2%{VVU!$Z{qVbL|>6BCQ`05GIe%=g~>^S`P)4W2x$N#{RF6YMXORZ9JN!i|p zQ!O@ZdEfN#2<9@1VScU`o0mxI>qRnbmfcS2CM9)9V4MEZ6w9|#xPLp~P(khPak}-4 zP{_PYCH$tIFa5&#f4|P%z8K|v8_L9ZV_y0S8U;?&z4{H0ag1y+tnKz56d6v*+>yy+ zq0x;_6Bfp-s0H8G8(wSUN2#wW{t!Mmv4^OAs-oD5rj^na{xOA?px4*wy$_Hi~nZa$1*ME#9Fe((8!)j=4vc!1D74GJgs3-Pk2%p)JzL>WP59&6 z`s_@+!aRz-0hAY+`mwVPObp62Tf>w4*rKRat^Y?~o}n~@QFJcDx-PZ99Op)D_YLzT zMXUoxU(w`{HqB9eW`B9?c7O?@uqJy=U(GQ$(#E{E70c#5uy-}oB0zGM<~(HS*e_N= zz_VP`S%Y1@<2#{hZiC;lQ%i8EumttpXGe2R`c>8Hj?O+!gZtZvPW8$kjpphz!>AVh zM71pJULsc*N-nrNC)z$y3wrFCmleBW_TqnBXtFre(JZ0Veva|TkaT+JBCb9T`)!Xb z>Pk~D@XT~B_!+je(>68pe7D@KdOXAh0-anYtj8a7PNxA7-DPrs!y+7lL;iZ)aJlFo z-uA92g8podz|7kD*qv2qGd`2}_dUpa=8JEuMt(4d6Acepz+LJRW=H4ZxXRkgB3PnX z@l_pQhvcgFL4z)u&jgk@%7hc$AUk}7795lm2TL~L`df$l5r6Gaaeem7m4rIcZW&?1 z4^?3^h%xsN*Kea*H5k8<)+l3xZmB&L;S8Gux8*c$-3i#IBb-3v8BNmD{l5(n6=h%8-0-9?xM!Ho@KO zLC(p_%bWIs-K3U7`|smkBCx=Vv3n%V6C~8gu|gV5#un^*;TrRpVYjmPW0LM^;Nx|T z<+$bRhRTsXKM%Y9Lwm=}5?Ej=C;)9AAf5h|!l+_#thWN^tuBOqO$GDk%^YnnTchH; zZE2oBzvNT=vV0S3)D$<~`;U0VNVpYwM^O2Vo@5(1$ITvA?np)^D<<^y&o5Vdc}vy zaVZ{IX#-ljvH7o}y}l|H|Gu|k(>83;$DM!86fC6 zfj5dEr0nN5S&UCb4fgUxO+-!{lr-J_eD=vf;U~{`N#&}NAAG~NB>+stEP$tWNP0Ru z+z#{Mx==X+s2wwXCVuN1`95DTmfsL3cALphM(_)Q=pj!IESeKd0Q963;x%+sk!X4s zp{fs8dVAFOd2GJOzwlI06MkKA7?NB_JZbyk^81W{Bj}|W@N=l1v=^06SxPja*u<{x z-M?!-3``;2AI4?F_}BL*S%V?OrlsVJ1jGOsyii)dWrJ7*jF0;_4V+rQ_mfJ=UnyI?rM z*W}DW5dDvgO4io^-A%$qip$XKIT@c>YSY6W!H<1kpuA(G6T(YY&S4Uf^H4^-K0!U- zyKy(X+kYvoIi&SgU4$qGxiVzsFfzv;tf!gm`o;KK`Pw8_z|e}Gz%9pSpW>`Sty9qy z(vKi_BsorwD#2crx^(22JIVOb+1=V6%>8Nju$=c|HFQebYW;p9l^Iz0ktU_=foC}P zY}=*S=Pzj9YjbY0^bMcF0z}D^&MzOfAW~k7|L3aC+`?y2ko*5%1$pk@f^1`j1O@pW zD98}|_3tR>k~sB|5DRJt>_QdJE!BTFW0rZ$uO*V#UV z`+F5pt`Q%p++$D7)2c?dWQ6|*p8h5Hi@Zx?Q2UO5Nd-z;8jv%z ztZUD@09(J;5Dq}navPqyuzjX^Mlll42kty=xNE~(e<9_Gewc)-gBaoV7#LT|?rUu^ zZ^3|-EIo0Vw^~})asgbDB@YpE_ITmurVsvoxYg{Dc#uV3l!Vo6vrtf$Nz*D#t)Z_V z-3k5chR~SjZ1d%Y?RmnpLLwds31bopde5K>{4(ClOC(!QXG4rau;cG8r9b*$tMOpo z(-KpL0k=~sz~QZB6B2E?e;LKB{w@td_Kl@AjeSpyP`82JHEjL}T7dctM>6V<{As|J znhD-PVW-_jO7$8Z6i$q-OG5`rix68cHonCJq>|Kmv`Tmd$nC( z?5OefSON<>`7KQsII(IyF$|FL0|stCFVCx8V$+Ohs_J8_p?NlRduAP>;M+3MC;use zyl&VHQU5UcEqY%8zx&40;k*@+T2>I0S)!-I+5+_AIN?a3r+z^?EX=Kx>#($O%gS%~ z%q+PY3CSMZB&zf3-q(WUxTxBRw#h?4J^uC_aMb!HfjZ$2qIt*1p2;Ffxq5;^oM3Ow z$In*Dfd$_Ssu)t=6)3Pzutg#thXW451W=%tILhfO&0O^V$|Z1dZv@oB{8mg%PF{Po zuS);+Go#R#qfCgGgr{NmC|>2Z7?oM8Nk*1(Kw>DRzI%|ks?1^)pBYx{swI%DdC15Bn(geodZJGNj$GF$-=@c%Rh2y8lja6V#OBTljQ7-4+Rul)`D0T74rF+0OIh zpUx_nKYk^?uwVM;r(BhM#Qm{vXo37Z#0~Y`DteEYHlp^wya4KFx^7N{YyCn6EdMBU zV6<$oT31N2YcGNU0aQ7mp2*9iwwcaoJAj&LiCPE-c9qG?ESn=94;iMd2FyHNa6+)?< z(Y;i$$?OD|)k&V&*!9nkWNJMT8>acAnwQI-robW&b;)(a@-@xKCba@ifRSU;z)i`5 zawCr?WI-?&!zoTSk*-vGeA20{4#&2eB`aPwtk5ZM+Bo-V+?2!?Nma4VY!VW1VZLPD zSDnz$h`k2ih;so>0c*;`L!&rQgHL>NDPw+6@2FqLA$4=c(mEs+e%ulDDdA1cANJiI z*bYl9xc=`j{M6N4nOK`>AX%s*N4=J3?b&tJ$9mS>gaBw??K7vX9Zpk)NEL>4MzHk2 zBtqeP&2YhwKC@d7_9~PYnKd|dvTBN|?5t_g1dlK+pDM5-*C*B#MmY3o0oJ#h-8!8!9RH^l6Nx8J z2bm6%=%1Rccb>3lz6t^FN8Xhp0d|k$VE5U6W9n~ht=ERGdlC+@z-TO}f5WjV^;YiA zco#?;&-A$8Q_fg#@>9!qfezLV(qqpTnI0vT?a7DWO2_LK8|fwnbZ~Fhamt&YowBVx z*4KKxU=*)*#Cc6|Eu0utc#e^Z9JpD4i?b(1Qcaec>mv(;84{>VO!uaWA zReFh|7t}obhYQnlTL3z+1pjRMA^iS6hj1Z%yv2SaA=yHPb!u+)<02WMf3f{MNeB)}7fpBymY zL&;NpjB|>hmc42d1VIlrJ3FH1Gq(wHZ^AY)D=}4KO*TpmXdv4)PUGqm;rVol;8qJk)LT>1;Cp2=W^z+5F{&yEq~;Gwo6`n z1~*N{2wQ4%6QiEC9?C?%{@=@B8RaidELwqSuN3!r%Nuq{N_O}R%o($U8rUETM8hCR zL)bLEQFPIj)k%8GXiQ{CfDR~x$&F(LagU&;#>c&FFeX|O2WPe_F3;4qM+DWuxLeJR z(?4g@1F>B5=-d7D;bQAvH{?JeqkcdH%? zr{%ave88_?IGpSSlE?b~nyv$5C&?mTc;cX$2h`#dOfkQILv%YRb8toDU2M+@Zx%Be zQr6`X$mQiJJG1>ri>1B!x!`D!81WWr8lKQw#Tr6sdM`;@q!TH*6d zju&nnNZGVBig;5|L_brXh1#Icsy3C(lz%?8(Ap8ZKP*<-RLw+|2V)MXvST|b&oGss z2`nardXi=*TGPy60r}xcHR?%K;pkn{IA3>|Op%UzqOCVLT$~C|5L(X=rOtc2BKW49>j65etJi^8Maa#S=9!Nh+uPyU@@1>NxjBc=Uf-j#i7nZ#8k(I?Vvj zUcb1lp4tQD8V*~6^B^`R<>hYVX*nXAoE71u^aZh8q|mSI*C6a^YG}!U#HJ~YfMQgY zF_QCWhd+H0=+t!94}oOS=RvWnwo9L<&dR6C<->%U>#P2mG_Y&|syWp>oq2Ukg+tEU z|4u9Vf4p`YjMEJkt=-9|ITL6)b>DlFz7hu(AoKUewHLrIbbuTK+3To|>Mgs+2_}>G z;_x#-=ODDus=iY)44ek2V7VFSL*YKZ+D8@!rY1kzPFOH{%0YMj^@qzQUnN=&1|x7> z=ku=L&5weg!@n-`5W@hYFzS&)a_=#V3uUtlM|1kGrgK>H6n+r8bCDezp13fQY! zbf92;)Q~Lku3!1Uo!!+|U(4;Fvd-LuSB&)zaFCPn-X2g5gWWDeGTT0HoBo6^`Uyu@ zO1a8=r!HZ}9t6OGi?4mLzCh}$-a$G6WY-J$FyA|2ejTBt#LxT4Ey=yoYmB|%PX(Gv zQqOk%Po85@5y#74-#WOmPWa^{m-2r5Qdid)Ms~TB^+Ec9E+)y*u#9i&uia{i#42?u z{2SQfCXjVou+z+3AxWC#HUxwJd~8X?MARDAUnffy!=@lxV%1xr7}K@Iqk zq9{AgZXKse{x;T6_xSUSQf{}UV9b$2q`Uvg!Iy@r*Qd-Em}_E-X0!ZK1L)FWM?D=A z?3jbsWqU7*va3wP1IvG?I;zDeh}t+^ep0&c+a%W%;*U~Ed*j@}{)f*O@tM!}uSJP& z`v8BSwfhj^Gx;i$1RtYI-R%IJwWzj+9tdG#5|GTjm**_=+OL0KDMJDe_OUYZADV#V z#B|~ip^~FmB`x=zh;2h0h@Ji+DftJh=N45^zuO&AueQE^Bknr$MT>iO`#eDq!H^to zZ}VSe-CwCIWgwcL$rQb}lY$Sr&v)gEuqr#cx_I(q`0OWTpbIGjD6GrS;a3(DEjJ@- z8MUM8PQi2md+Ilr*ukzc;?0tcH4ewp1H7kR1hAlczhYny;rI*F#zgGlJe0aoxspjZ zWHXl#E;DT9duBCG##HT(L0N8t_8Ag@oWjUr!lpFgfrtrl>rwoI=_v(oj68z*4P78b zAF8*5#|`;3Wv{1&U9J5w4^mHnzQ+oZ&DptrK2Z&2s3&8YuU@7S54L5ZSU%=zYiZ3U zHUHM8gtd;-t?G+0L6t_d1SI+T_qnMegBzrdx~ml~&1$WtgOP3tvvT&L6ZdFeOj!a2 zi2vLk-^EILnl}V>?AnahGAGOf;yo>PKRZfg=+{Eb${S@uur+FjrcO?ZjxV98JBqoZ z)#FR0ZNu%V=R0(0^P@1H0+F@p?RiVbBuASI!?Jd99bpR?=TvB?zYI~2>a}|@#0!hi z878kKmdrx?k_^aCxE_-bJ+1&*3^kpk1z6El)S<1?+#$);YyP^DK zr|lWs=*OTh7VNd1q^;rgcC%#pH@;Ddc`4j)QMo_;D&{Q>Z6sxyI=tdY#3 z*W`M@9y-DSbUnVm`KPALC@Y(zxnTb~sQ!c_(^{J3`^dfKLU1P-^EelDF!@#)p#D6FbFGxL5) zZM`dfd3xFa8*TFS0o+$Ax_so`*BH)`(C0ev`6335E0KMA6WBTT_?n?VjUbW|Hedtx z0KUR{L-X|5*~@i}KY4_e`k&?nfz^FpDp&I&NDm z?wba4Xt3fBx;goeePZ^?5U`+-W^#LhgoqS^2=OlqBxuL3{2e?*iyP_b z8SQGuON_@KcA@Sf``_2+em?Yly{M|b;HJ2&cQ|XC@{xI!=^0TN050#AoM)WBf$@25hwybsR2>CG2t}Xb}{j%mbEovGc@s zc@rKAG97>j|2YpC-RL~~rKJV3@{QB}o$!6~nlhph;Vsa7tx^;Zj z@G9S%0@w=Nl~{KyPvNN0nX8&*G+XuJM+tFn0}orpns)%Vg+kyz52tvefYy#QHc(+S zl#wnLo7Q2+N#)=W5PS33#+0K(23sJPH_#cJcFWQ(c05rWGBoWD2Vnmv5oFLbd2R<@ zCSy4=PB@-R{{liv8&`$H3VoAm3a_Zz-^c&s+}h}VBOGdaBoYgDzOoH{w+5WNy|89u zL98ayPu!Z)YF^b{HF#aWJ&4WmZd<4TKwx^bkVo|=E0BI;&EXRw(5lMjfC|L!Iqe$R zP=uItAl^fFmxl0H|Nb$)RryPi3HcD|#Z)s~7x%BC1P;VzZccB=2gmZU6?oR!lUAp$Y$oY zT%63LKmNF!8TI@=?>D7g9d?v9E&kkt?89w-B}H%V_C!2Qn}yFHv-UA1L5d1SXLboO zR&0Np6`Yy}$aJ8ejSfFl!*B#l`;Xl`d-V1*kWf^oCqMXI8lVOartkkJozSD}0%tYG z9yh+QP~{9|;)kal4sz*~y*s~kdjimjNYQ3jEY|B5YV$9F;U~3U=eTXwk@s#`!P$ax z3BlR?tSwGhSJc@5C#!3V!O>bOXpD))S^wsQ7G;*cM%zPPvOxlc574ZpB4h<&N~D+k zyAH=1R+oXt$>RgAWm>P{M?D`Wtgf{D_;|tHNdM~!2cd2MW#s^?E7xRRx0yLI z2qh_}dRhRz8%dwbadkhptHy=B%A`YBH^bul>hk~wD2(36+-!^OU%;G`LsV}8hz4d2 zb)Aw)XfJNs3C8}-A;eaJYz!!j2sEd|K~u_OT062bB8&bbUZKjM#-(uWb}xS-0I!th zD?dWSFv=E$Vi#t`7CrcnOHPWsaF$1vgq^A0Zr3RCxsFkcd)-e(h)(Rq^v8SmT4)@< zdptJx&AZQc#V(vJ{`>E!*zn8Mmrwn5@z8@9@MIr+sQ)eoQFQWqk(L7)+ZoLxQAsy! zZa8(O))mr|_4}dy{#jMHy3}QwCOdA(Xm>oH2R`4RwucS)|Ggw!SIY0ji3+y<+97_l z_N?b+E_%xNrdikvRp;LiSJjRg7W;t z?l9uUVL;Bkj}G>K!w-t>i=P6fk1762$~leQ!v_k&KbC2X=nt4y zB6!+T8^EqW`j9_R2FS|EI`>AX-GwKLz=vLO?ZjZ-=^IIh7poY^Ve@UNIk2Nj+h}B! zyh?8ANyL1(8S-zIPi2yO5GFmED%|Dgy7NiMJ!o#b?Rw@b<*gSy?DQAOD^&D{Pp=G5 z_&nZ6y*wQIcuc;pgfHkOx3Z}aX?EnTsu|Ti9K~BH+Hk!va@p5YPmD*}m;uKRaggSm3GOMU^7YeeaS*H;7#zf9q*OrIJ(k+s5k(wtV_q81P!Q_{9u@}G@^-12EZdQB?l{X`aJcT1h5Ysp8gGA=KaGGs<0V}r+t z73Se67g!;7YB6>!-agtRt43QT<(Zk{L&BXKFqvLYTR!(;kqeUbJCz+)^NV%^dbY}x z8D_NpH4k4m3lqO>rhWs@suz&CZWd-mFS;r@Shb$6ilK$>c9yrpv4}15P$RZ~!+EDQ zt?$6=Z&Un}z%?@V&}trr2`o6~jpY5>^?B!fe%B?x%tfvHD7dY73Ts)$VBYc zHz4>1&t$% z+)$2<&m1y1sfj(SZOAmKt#F>;SZZ$l?fQyyA=U-fs53>)+JX9=L%&ylVRq;2r$E=b z$hY4Z_VbF`p;cz&DzAP*cgg|@f=N0YtPvEjOOz~%uTrymTTAw}ZKwer7t!bUc7h$D z;!|2r5v27uoTjMMFK+TydG!X^@a1BZE07Wg@97`Dc<^Odv$=0O|AU|M%RzawDTjFJ z`?U_)CX!yhsfWv~6ZRGITy?QYtDPc*pR&Q&(vtxg6|U5FKRVwxf+u_A?Hb zd7(yx?wBV9fKise((uG&^rH;LLpWmWOlH_}xb5JFd3fJ3o#({wWlBtID!1|hf=5<` ztIDf95o!Aqbt1&Dw#Yh%G_AYpT|X~HcNq1%++v>(lZv9-{FapO{1|$Ed6^R>wt-fj zVVzAeCYZN2m$udqglxKQf4X-Rsn4$OVEwTv3eca>9@~*r1^GXBZHp5FN*iydTK=ON z-rOawZ}$;=mH?0v<79LBNntqcb|ZBmlzmIwJ^0#+ey6%mZNcK*o!~$_QC3ODP?+Pl zbns$e=l`)&9F#}kOYYBI{0AoVmy%7Tw3h8~cVU5G2+2d}!pBu5Z}D|&-zu3|!=ebf zy^7TtPKgtAu#u0c5;}JC*Yn5VuXgA->iAi~_LLB7=Wc;tBhQhTL)I=4H3Vygt*;+k z>gFHv-S-_9gkxqqyG*q_6}ElKc1)0|FMd=xx|%w{2LlvI?E zp5Y~0;v|ax06Mjr>W|&eRxTfyDN5v-5C6z&k}nz_Yc5WzRm7YK^P-kGV4w2RgC1e4 zw@3yGWBoqFN)P{$6HhS!Uu-fSEU6MIi*{dly?BI2d9GM0vvipP3{Io$BURj%aei;cooNJo?Et^CqfsEs*&8&D95X8aTw0ytDtK<9EJ3`RgE<~uRpQ-{sL zA)styU~AziSPu+1;byCbs|^*60z-~T?un|WDd+wVwd;RXwD>QF{^ak~`^D2Saf?&y zzI-|ND;Qe-_agvB2EW|}C$^8tfh#{}iUwx{=2!P3Ahnz+RVP;M5kvH#lR)FZDZp|# z@0FpV0N_w@09pBM;hj>Ejz*X8ylA%zG7*mYx6c4?5syi|u&-l>0(OeY61VnQap!7^Tix6wfaUc<*Eg zDmx9EkDEUmHx1kBa4{t8v@;QYSJ%m5$qC1!es}L9me$TTKiLjCu|Ur}tWE|Ik0kC4 zkT(@r3j9bN-6Ica@r`z89X_!v^>oX@z#I1}R-KBE=EoGd$60yQNNE8CDD5Q8^CJo3 zkx%GJyGz3Bp}>S*%HRaj^~}$-+Q2q@ey`lVDzVYn81f>o9=Y7Rl%Wvx$Bn}nDWirI zsO^~ST2S(A`Va0-e$VWmiD3W5^ke*Yyer#)8?E4-B@CP=kUd#by2rn&yq@q=hFBH51-gdq|AYA{ z7AGZQWf9*|DKjU-+Pf!=4vw>xRJGyKN?hcWyuq_Z46_Zc?H;IZ8s#ooSWqpv9T<3G zTRx|BHke-VTzlW?PxS19<1GdD>aEAU|7(bvILWZS=~oX}kcVGkz{?Ywyozh*;Xlw4 zocmX;VI}sLd8Hj*K6_zA3$ObI8j13<7Nrl~CeIJulp$_`hDZ63Tq?R$12V^iwkuJ` z^YMTk@!O(rYj4u|kCI4|tSQ?{+K(q# zYwl79mgO}8{Bs_~^@>{O-|!cXZQ3c%5ij5HF4^jlD)aWUTPxX*T)1*j2Za;b4*Pvo zdCbMCsg>HXk)bwP%aRdX8>+Xqxs+0^-ZGGRat3$OG5kN3ML&md88dY1!bYe&tcnok zpx}$xxyV0JYv1oF!N%8rH@IVME)Ohw|2^Lr7b#O^_@REa9E=P+p>*ZaoHTUp9Dm`zmEwQZkpFE! zy7o6XiYfekJwfv|c+9mAhqi%*liP9DDH*%FoQV20WM-%+y4v<*DgQN|Q`a*i39y^v z_lC}Z%e~1Ph;CeJE2b}O^ zyKEkhv;WLX7EE3|MicM?oPPA0WL@%uXRVOZ;=?GvW(aI@_1s;_tJ_dwJx}7r!188( zE7|WPsbkVO<>~ZSTh9VGj*q|(lQM{GCV&;rp>^{`Zp}pT*;0<4`d+dXs!z% zLsV=p_bUgz&VV<|D+F#n8J?#U{3Xp$I}m%e>+3<$l!aN@G>Tsy%v0w9WE*D;}eTfa5f zZNRYiV@hms;oZk~#Bbe#z-BQCiU)SDHP%mnr4Z=_RjdLg<&Q^K4e={?MR`#<41j>w zsrQpuC4yEB-Ay>@bx{Or&-k|h!h?o1!cCQuht=!J9cmKt zyMFU2=Jqea;qyvUo|2fAbonPZFrB~qTW|6rKPS&|*tWG&Ce;g)Pe<3QB*)sQKTqEM0!`G zNDI=H7U?x00-;D1QIV#E&^sc%LqJ*-2uSZOH0fQ05K16$*Y<7CIrqKip8NdI^SfWp zxBM*GJ8SPX*PLUHIfiOcFAR4s#j3x58AO7oBi4aHp?0;_BjQPsNNFbU8BV*Zjc@od zcT;^hukeeA)SWX3Z$giX-nYq(VeL7ly=t@FQOhNhIrtEvzWj5=Y@>#?-rh(wF8Rgk zt`~P+PpG3)ZS?c%+B+AL7iC5Y>z4bg9kfMu z0}TOc{p8w5X-nYUIfaTmwP{l$xi|5y6KSK}Xo4m}^!PJ@F=iT2hy2V!1i}S0_SqQt zw$hiJr0BD+X4PicF>AP+iLjxHc!tO~9Yl1# zN7_X1&RpX7b6cS8_3J^M7%%bmY;94vki{n^q4ibC<*}mNh8n}W(q01cd24a;kym$t zD6cTp=bv#8T5F1yJzXPygvCd#&MBrW;M1OvEuX$JAr?Bfs6Ay^(Jfmn#|@m>r`6#c zj>5DCE(cau0)RUm45N^Ucvp5|{$>{BPt~Gk-XqZzu zbz|%-MpCMN?c~_2*D~E6*s=ojSCtK0PSRmho(OumERpwB_WF=6P8nGOiC%q?)gC+o zw2{wjHUTl&%aYQ}yt2hc8{E&m%Rvz3U8yk-+AvvkyR+9I(Ge;|XJUKN#I7#=_Q=4M z&ozA;u+@mV9W(EE&;P2JJVe3faRde14*h;X`ga<3pY1M4Tt3&@Zu&-0c=m(JQBy{R zDesZ+Bm`wkW&P^-GVZmzQV&b=c;47&!b}r*)W*yn-{JiUzm6B7>#%0P)p4P@IcvC-P9rWREt@`3hZ zv`+(om{1TD=?3OYiZURPGQpD)W^^Pgd8QKz8|r2nDNMQLvO73f71x%qoeC)p3#;UO){U1t|-Woi!=lvJgb$XQ1kTa#S9z>Pca5 zW&wO8V00fBs_@#S{?<#ZDV8wLn1gbi6g8T1l!o3qn81}nOra&oq+Lkw7DH~(+27!` zxpkfSymG*!7!(un*n3sa5In`Wb~F}QW~~8}+yPQkeWAC;L0cGClB=e-; z_*Yp$GbVodLh~ed1>1RznHC`H7U8Zo78oe`Tr*ycDH9i#EUc>LTK!y-*2LkXWlo%M zhVm+)O9%M#bWsn9Ho*2Z=QLHbggvLTsX4V8+aL`+D{?kRGi?i|cstv+vQOUmmABX? zEQi;Z_@KW*Y5LKOVoC<-n4@PEVy109S+6##FhR|13K)Q>Zk)%CfZR6zz4-Up?i87! z9GdI4{hLcu#`a~I2iA?5p&KwNDwdL*jrxnn-{U&cOR-zI@x@ivE_>Yp?#n~9N>T;>h%-C0X- zP-J*Hf4StAtl%WX?(~u#jc>y<3=J8(LcZcI3L82r*md0%tk+5A5)DFqzCpNuW#RVD zNq(1!mf*b1Wy?67=?XK>Y25hY-a|urx4DY0ei!D0^#s;g5puat+fD1AGK9~%EVsHC zOX(OQ!CbJn_53a{wT$ksi&`isC@JW`E4OWV0?CYplxm=n)tIuGnxd zB9}fjIDps1xI@c@G4&d8v0SpDcxDaJ2pt7xFRhIVhaRNIy--|-#AtyJ1kBndliU@G z8jOom-35;^b~B#g?W4GS#jBxe{lpQ{#O>V&EJN3eluGVC6>J6RbR;pCVo%`zYu=;_Yv^D46OR*sj_w2Lq_(?Kueyxr zILWX@T5|~!@q6NFR=hRQmH;0xsZPwM(Gl9KpO`9D-y|+Oqui!#{2_24c$zbOG&e_~| z57T?#7wxl6rUx-@Y887s^kjq6m6>`3_CoqbdOecI_u){YIZqug1C5#oT=>TT;uL6rn0bS{!d_Y!&j%z9c%NFi~cf%;ag3wUspHxuiF~{+4?s z8z#7WCw+0`J8&H7ewGN_7Q{TeQ&uIb&h#`sjD$JWv4xs#2|P^Mns67g8ov{Du<9`< zhS9TPw6WE6u}ghwtaW0eEn!xES~GzqZ^2tL_bI*p+yBSJ8!Ggl)iMKA@-;e9{0u-X zeJR6yXpdQbtfJLxQm~b#QV1MTV2=+!g}r33x=NsN>yf|Db~*)DOw-hv=t2_E37E1{ z%Z=LuCl7349C+WvczwF*z`lE5p4o`abiS^T3_^w2C6nSQ4n5DR4B>h>jF}DcZ|ZJ7 zAw+u8CUzmNTb_~TLby*mG>?BuHTq<%46>>-1S_={g@{yFeBg(`dUC6M&U3D+s$5#)aHAoT{BnFZVFl@t zjSJN_yc8{oryqSEb6s(A`ydifJ53HYnB?q+Hwn+N>L$`#U6 zM(nS8AMCy%>CjKm(HRdR%^Y42RP@Q?X5o!v0Rn8DllI(#g0Us7Z+e(#%rS~lLe3#3 z;;E9KbrNs#3Ki!Pb2h6aJsFrTmUfK6<2{Ei7me0pR0Iu`eI?U)k7GqU7X7=Uy(A5}`BA|pQ|bn&D97mQ4rR8-5@Fc!%$>J( zCB#BPhvPzhO>?%Fa$Sdum0ihqNIN<6gH{)@Vve7H2ohv#00_e*P4+e7WVvL2v0J~hEref6{hAtAeU#HdvFjl!&^|zo7}U?R z6(n2jw~)5YoyFyz>co^h(+tdAA-`&{c0-hU{d(wJH>*J=IN4x($j@?+8J9!p5z09` zL*`a}M2<~c^z)dVfT!NZ8#|+>BS9*h17b!?NNfF=Eq(X7q+_#~jGE>6oS!;hx?Uc4 zbU%?)xZL5j$tQ-c*(IzVI6d(EKp||)`*K#qqOo2F%@%O~we-0P*;VvLO`_$Mu6Jn~FRY+H3!!3C;tKL$(eg`Ebp=~|=Tw9YNhBi{N9hM2< z|9}t6OYiJxm^Vb&SR~S$pbXtHPgXftY14SaiA&X_tGefR?LJ8bRgUt$P#zXn));dL z`a^#0wTp^m+Skw7@|A2g91A7peU9etq#UjobqHL4xY7d(&B$u1oUKZ*;O!ml3qKw9U( zfB@=2Pnzl-z{^=FSkSIjqLIGsNb(=C$*&f?WXwrmHz%@3JJxN%m2gk&jgGK6&h zUdMvpd56f8$?(Crxq)_wG!)>)%iD1~0k8@S)Ss-pnIfoJootCwjf9tH5J;}-(gAMm zZ-jt(hclGWA0;7Mo)GapU6v3=aeTe)pn*WOQ+l z(UaU?J&mI@p=z;u(%GCirH@cEmzPo1M4{@Dmw2!SnvL7iY5+HBv6db3S}4}ehrwE5cfsamlx=F=B9q_?msPA-TlbyZIl?NV`1hp{=Du?<}Ew= zw^wc2m889j^d8O;o(|LsS9>#gUz6&y2skw0AbA#>f0tZ17fF|BvAEho&~wTgs(M2` zu=;kwKgbh5EhIN|c8W_h#E6q)8HCHxFBdv^r&mMCUgsk#h>s?aHu|fHV)@tJbkI)? zakW+m!h(wO+=Pedif*pQEuRhexeBIn0&Fvx#T2&$v!~WCq~>Iwz6PjWnXZMkt&T;q ztk$9cB3&-(SXwqkT^%2rE=AQyP8)=dQqQ8h05W{xVrK9VC!x5lJ8Q{oGp9pm2T_(E z@;gksN6Ac#WCuLrd8NQUC|lwssU2_`T`43D($9QP5V2>>4%waSSTd;JTQPL30L?R-bKVl2?{X3YZ4ALg&iL0H>>liyyore`t-y-Nri{RGG z*VVZ+2{~`NI=jXGJq4}?=ehiKfT*zNkqQ@6M1qht7N@5QrV4^7hiM4|&Ha%Q*hD(H z92WsCTVHyNbB;q`&C@QSQ#6Y$jx>AS)RlICvo>TlE;QJ5_h8whOIy%n+aSCCOzamx z?kMgU(JSUP4O)HCJS)f5cEhjgUZhL=&jCR&059>&Xa>hv$F}8}7}}9=`_1TFPlC?o z#YnHm{go-}%XRBk1J#8Ma?W#t9t`9f?;427Ap%6k_cAx+#~ESI|H~ej&)1|Icf070 zh@mecf%PY!Ws;`b<6ZxI)fXEfq0$WIc}#q)SEx)tCg7EMrf56LkuynO;Jfn1q< zD}ZFB2-K^-Kz3gPka*Pm6ocojR9TV|cd6z*AV;G2oQ&}V3`q54#+l^q)DnNDXWzM? zhTA%TK3G%bLt###v^busU$p@gi5uC4yd$9Fjb2xOs_tH|Cv8T$-cSh~8YRv0ogfpR z+dbeF<>R)WT?LuFqIrzfXZ~sc62nufKKT3qg6dI4)UvOZYoOkmRvFFnyWehbTdvh| zY1Pr^?1z^@))e@CFimuaENnRA3R(+xPc+AsJS52*J<}k3KLYbNnbV^#<0>uX6tWxN zOfJ!-!m`e2Fhcf1>CR7DSwi?9j{rm#g*j@C0`5-1C0Dg~MQsNQN>1~?Jd3_mO0edH zM8|t8@y8q>IZ$=pdUK;&Oz5|ZRGP>8;28$JiKLnoYFzE}OYNY282={KLoG2?5M$8Q zb9b+53ef$pE0syo^rlEkl&#LK|15TN-q8~_8y5AHep>FF_uDlJ^0pHP56~)F1D+?@ z?A@u$zGpYi7+8oe{LP@y@C>g`-LwV$KG;r%EwL=nY`BzkWpq9jKQVqAYP8*7NeSlO z;3Qhd_Q5g{xrFn`?48ItsRlk>CN4%T6LumT*xj01r)#f>Z3O-R%|{K$lan2g;XDo1 zIpcSMH-$PQd>CSVtx#ogG3Q=%4N0fpd+}I8CG-(aT1c+FMP-`wr!C2a? zZCN$QZ&q~E3&>gacs(+4LeGJg>Ydowu3B+Q&+K@J3etm-+t;EN&{waR7%KsV37J|R0K*V1wc!^=Ah`kyY;?S zJ28DN0k1~6xe)KSj75%s9UE1H?TgZ1H53R<`?XGSvi6rr>*bPR9a4#=8`DoR-AbdY zl+Hz@cYJ79XatCvOpK{l&}nJ|6+$y*@qLxL zh{`pC2SQ(*@N9I&zNT9^dPZE#@VvRm^*jF-oc5*k^VvB2{5J#YZUN=|Xt4grvmKCo z;xC_*8v;KvynOD%owc_?pHEcjSpnsSa|B!R!z2-3=H%#E7eUgyOE8m+8F}4#44_xIp^bZa+JWjNtdLj^5gY1R&$ToJ#BxacfsDV?o1(yZH&lZ6;XhbgzWZ!n z>AzqdeYXE=7KG3JgA4bQ@(&0;7a_)1hEkH2Z%x3G+;{RH*k4Eed|qp{B8r;W-VrXJ z#{A)LJWuKaJF`sT#5-KTtj;sf@yOp;V~=HgcHT1Ii~9p)Lq8Ah@r3)?Ft2~R;{SJ= z**`0p-`9H_|MgQ}_2h+rvC^JhKko{T2%1bGY9KK8W#SEE7?>2frL+%7GSMr=NB{VZ zs?Pvdx(UK{5=1B8-3$W`c@1!LroVkz=Y4Rq$FE%Z1LaNmKDb%-q}FM*e@B4(k9YQO zPT2c_z~9g2JpI@|7ys-18_xkvg&j0K4HBpGfT?AZPR%-6a!%y%AMf*gl3GQ zhCqUeLTl?%-ul~e`>G#ll?tDnVE*SDB1P(LYjP%l*THHekEk#DZdxzv3VhX~HV{`@5q)oV59`9TRPV=NHpfh?!v!ksJbiS$| zJ_By+iWiCjl17B3Jfi&9bN<5@{ZD*kJ9h*~wSJ{oXAwURF5>%5=?8Ggf-!jkLO{F! zbMS@=_?Phn|3eEPF0o|doge08)O~F|A;$}U*=_x&jkZB?n1W<&S_e6^j!6LUgdzDk zCv>};luyKZy-to${_CCluNVK%uh}!OLHK9{Fegp>d>a3_8~*ur{UhA|58jLW>#y|^ zVQ0hsLtOZ8zGr{#r_SpfIk`dP^kV))wEj=bmjBrm_BFf#j?esQiiN-QGJkj|zFw^0 zir7i^7k}wW{^94$UxF6(|3i%UbIM z21#ET$lsoFTEX=+Xu~F*AGE7nIj$R~!1I^q3iD4vknQ`<@OsDk>y-9MknA0{d3$a# z@D=L*e@Z9*klX*ye59WS$wA=bLvkTkF5kHL3W~#>qQ2Fe_-tZq`O$w>DSttR@cXA- zkNjHy#X@8#{A-3J=!9RY)fBg>n zQYJuEmj^Au=Pw9L|MqQo?Em$XmiWYp-`nK)317fa;Qs;?S7RlY0e}g4M1gK=0JubLFp#tqQMce zLBp=tK5V)b5H~+S>>jI5U>|Ex1iF7n=9p%q_iI3I8AVD2ve2lsNW+Tt>I+4UK(YMZ z?*S?xY{~(#V!J(bO@al&)}|WS%SK)(k>(etbe@`_W%Tp~jwB@hd;)A-Q3`C)pYUzl z)&XB3Y8`OWy;*Gm3F191yLc$!#v$LsvPqG)UiierT23UEO~4{ix(3jmjXgjUOXR9t zF7n))ufJc2E^u}%wtpp@>Cgx1XvnN2HctVX-UkSEj(^!R5)_Q6SqrvTKG$JGz1I1V znl)5n^ND*oXpL=6i-)H<7udfJF$1;w@86vvV=Of%%A^ zI7fS$^64<8Flc;FWdzLfL|g$zq!N*xe$#op-LrEqVWO(!pq*VQAW z11cdzFO!Zk4$xDbJ*%i$^eFYpR5#CTUjWR|rzsATz9+6lRRIfO&jk6+&$dpEMH2#J z5K^(y>oc|wh>xl;31aWYW#qW03kAttSO|K2YFbuH)d$b9v7Y3Kw@e9Opy`4YP4590 zc=wE6xG!!48hC4ik>X$(mW-G^?auM`k#atbFzA+`ya5fzY8`mM(o>LPOvCGy$R2h) zHIdfqC-vX_=_tZ>9~`bKKGDrLfA@med?8N0$igQS4YweJ$P3e=cF`p#KKIF(LzEtX zyVnH4ZXSS10B|DZuq)nsYtR;E`^rA^QS^b&dJkpRYmrXMs`X}0&-$I?BtB<8GM)bO z2heO+nwsKiGr+-JFyE;E4Y{yWiUWpC0L8{M%Qi=>=XEhW$v5sLu_q)~Gx5falE0yO z5at8Xd~>dRhty2wSAj$^402;`-kLan#4p;1;;uXxjbielgT|A|FPIs=xc^l-2qbQGPYJp$ifk3<2sICjF}_f7-+PZgHd zxly3wkO(p7n}A+ZN-ungYSCJ=ds&ou)d4@OgT_}9e_zFCH^C|n zzKEOqQ>&;2t)k-TgWo^qyf4t_kQ{pEcjiUnHuwnhC!Gc2ThkxquQly01I3#rAd(yp zgz3eHM8KW>EhNoL9iiE{D+Km23+QB(UHv=^Df>n0zfh=vC}->%suIq1&S#q`UA@*t zZk*IYOY!Rb9r8RH=<~Y0wZEy@u>gHs+Y9z6vl>iQ?!F^{YkM_8HqFZXT{1(dP!q8U z8dwDCj$9&OwNOA*i@y?6cUFuAv@+f90p6hb+@SB*XDppLxlBRIuIB&8rKqnv1kW~x zRzmlBTK5QF>)nS%Kw+63nhd-L%)F<;!)$pH2LR(H$WHg_KN0Wy2j{ne#zE2dIUoaX zJC0vr=nld*3K$6T0;Bu#t!7Dz<5zvn5#*$!wMYLH z?)x8(mR>Mi4oAGEfS&HN=NF=^voga>LPXfyKxjdM%_QZ&1_B`W4)Cn~*a{B+%W;q< zkQ>-aJyXyCQdde7^A@lXWP>_~?rs1NR%QdXxUEZ2DgcG#g*6~e6R9jR6TYwy#0TQU zHwR6AXA!^>=t>h9?@O>NX2cF&1{-u8QauOqZ}*`G%mxh?ucz^N-j23R38*Twh3^9c zF@ou206VPYq%N%EIhYz|GieM_>EN!IPx+1S%Um)30%RZVx`BTb1}xQC+#tylKsyqE zHW*5l_9@HxQ0DXvFs2Z@Fax?0Y!LgW$CH}`IS8V_E#FllM1p~g<>>ddgtYARVzXB zEUU~;U%ppqGMCPo?AF9u?S09O&WE=LAUGWa7u6zQZ2#GeuS!UptTsf$DAMNlcCARg+ zn0}5nKUHns=-gsIx^A+i_i8zMMR)|WC{=}BT!Xsxvu*QTsXe4zL8TSn#piuU`IV^V zlGlvA$V?Tj%6p&>kuJ^JU!$dfdVO8fPD@qGPD?5$H}eH{$0|K&uo~0nm|2sxGEjr} zN=rx26&A!GfDPtMNjnFVCJ!`CTXOI?K9>ewxsxF&PlUsW-$|UMjf*Ye=`U2$~GC zDFKO%mDk(1&(5e_mYQh-u?5|~#B0*Xdk@ z!~2tu(dplP`poxO_dd^RLXo3n@cLX!4ptTO9$i*cV?f46MfjUdG@nJsr_Mcwr-~MW z1Xn97@l@)lsP&o+r=F7AE@a1%j#Kx}x~YYy9R0N3bz7|7H7hSh;&x4k)PV;+;hirY z_*rGGRN$FQ1Brh^m;6aH`vYlkNo?Kxjw@+!qPvy-jFQ%KqF8k?;~ zqO~S)Z~hv!@)yS0+rNnjpSAQEUb?1xXnH>f9k$Pih=vEvenpt?om!37tPUH9?PjmOXV_;w@2P-%T@J%!m``Dwp;} z1C!Thg3dIbsx277xeEGQ&D30ac~3boMC+}^9d*i!l@OA%i(gx)$mMC)b}R)PG0Zvs+7oN86ZR)lG- z#tTLyXZ`fhEWLeaZv#EJQ3>B{sDMSvc5d586}!!P^1ei+Wla8!>$lO1he#3`VoJ&Vtkr+wRPx%#ZPgS>@3P+7^a_n2a|8p&FE z(bml+)$eURjt%T{i0Vak|xqrc;(S<0n5|Zk75| zM{(zkBQwoZSKo&}`<*L*>4GGGR%lwT2>5%NQ6s^*!U9QjA%R^A9XrG|ajybZ3mcSo zAh}0AmXCuRA|XL?F(WlBSP*}Ua1W@RIGrzoEn|l57LH5GF+NUG&!h)BeUr*qs=4UF>FQzJPwuBs;h5y>x$NXj)61S6XbY3>^uBfr9D6UoaKUj}MX zx}Qp#*kVo7>pYt7?AgyPX6M6@fDXF6p`~MhzH_n-HoXivG6c|mdi!&C{J_gykqUVS zY@J^(+&!S_BS2AkR$+N-BWWEf$Y=fSutTr=rQ1Ve=)o-qF};IK+3T0j*XfDQ%Y72_#4AR>Dc$VB54 zP|tmu)7LcvjizgW))#y7{Y2V~>;%pOLL99R7{J4}8GJA-+v~qArD!A6?0OBA;;3tx zA-V_NG>L)0=4Qz6+!VMEf3MC%>6Rm*asv@b=k-g-vak}Lw}KhYGy0gkl}ZK^Dm+kE zw&G+nTtn0gO!c!tmM>BU`UV}z&Svevnr{iT#;8-Ix+_mKGK$Sgmz0?w5 z5?jhOg!t8I!~ED#Fymv?um?&^RaxEM{+XF{{C8-iav{Z3DQI0lxsul0`uwL6h>U;{ z(e2FfkD1kETBq%W1DGO!be6kw12!|SgC%L<+32YP=(1J>2AEc&Ci66?1p(1g^Fw#S z1HDrF{)T`p@W>MGoZQ-Dna)0zm<*``(-5bOz6f{&Au4UW+-!hHAL1tWSw!hCIL4PE zBCvbCCvl&Dg1l2Mj%t0pX8W6Rz>-HciO3h6-@ zom(ixzX!G_{98a=EI0Mk!%4a#)jsMOkv{6u#N^xsG7^9G<4K^Gm>Vvaxp6BW6oomp z_mVL39n*A)yBpRImZ7=X0T zk%op>H?5k6x16E(OL^F_bPK8wnO3tHfytGvwJKC>TkXc`L^@;fh0N)=wdTf@qU>F- zjZ`L9fV`OaZU2BK)g!E!@+NgEW_q^<>09?Q5^lvYBZ2RRH9j%s+^bPKyCwXdk*jDP zzW?o3Kf?Rs7+S|L8nbJJ&9W)7>Yd92J5$tlxO7;~*;xEa-C0`~@w6H}v&S%Ic#+k# z@vtIqLLno@j&rK^VlUl+v3P84mWisaZi&{Aw%*OPU!7J#DIy$g@vaXz0z@*r*Abub z=*Qcd6HVs(V_P+m$8x>&r$VD(j>==V+qB|sOA_~{*{!_uUb1M$&EXMC+&L9f=c&^B za=i}85FWa%q%IcBZZ*q9U4)C7eL_2BtritIL2Ui(oFc`aD>Q2A-W=>=%5F3j$YEkVK} zhze;U;NAOn0SjPkJmx2p`+Rc1{OI9q`(cMNRgf zII=N_WqW_j)CJ!bNwjCGx@KxMm$BJjpBngr_ z*kq;6ANztvt5qLm5VVbQQ=JsS~LOj;2o2A;(btQ*f}@ZGU34ON#wk9q?NhAwh*NH7+}@1yMhsBr&#IPTx8sQZi* zY<5%E?EVfPZ``=9b~)f=6sPVL+kqC0ZjkzP$@RK88A8bi8EIiR7!|4HnGFD~ZeKL) zk-iq7AptplQXcECvf?C~?iPRST*`7sS%)24Cj;tjeFz z2GIj;K^XL(^r(1h6(Ov2sjQwxiJxmEY#tWPx5m8l(Wei1;ONg*_m_e&DP#b`%X7WM zHb!Ny-;@*xb|{q00;wGbqsv_qx;fd$3eAqNxf$&`=GTy{V?vl6BzLsjG%pJS&emQo z_li!g6vs`ey$Nc@`knX8-L;pwJ@_1I#JwSnoD}5OInR03z|!4Qw93 z4Qp;+MM?;r|7kjUFD0quyCx!ymX`BpXJ(M%;3ODnq2?*|@Bo^ztdP9VPiZ|WW!ut| zeD+;7IUXhDCATyuEo65x{kL^*?ci3ohXLutda~k9AHq&3*ZR`+`s7Qa^ zNiw9uvx;`6`S>lRKw8P>2K8~RKK~<5Z0n1w)W>dWs*ZUOR90C>w=nVbEbH|{Q z%=!CIeTojVYR1eN_o@wrTC+DVAMK;2-1~0W}@nu4119&SHBN!YJ7Jj;3UX+J&VjJ7^USytWRs;+ZF0A7`7#zt}O4Qm$z zC3m*6f__fM9h<`*YV-%&jZ*4j1v$$ch5`4#!}?#jJ4)sv+wJR?jMLrK8(<3`KD2;W zV$RQcFyDqCM4?ScvfE8{&)EC;0cMEJnr{01F(X^%t@LLt6g)lny~MQ;qZ9p?Rd?pr z$R*<)Q`Q4@;wM9$?Sm|qBXXB|;JAeMYqrLhTN1*5yu+hA^9sZ@D{q~@6mZ590BlIn zOJ%3#^jX#|c5JU{$+On37{v2dP&aN~ddmbyfHUyRX2?#*Fh_9AYG+~q%-!1=@6Hsm zQpR_!@TJ~R)@s;ub+z5!?9$0J2=Os0Sc&*pdni`_mvdIYfMn!SNgwT#(|YW)gX7&Z zWsn8D-!m}C7r4dewYPoTLDHawQRBPeFMd!(H_ju`Xf?)s#U91cZZ_tpEGFC1`uw0^gY;Fb5j>EOk~m`Wzf%H^K$dO zKK+csaxm>s?Q(nP&#@=-lkfV`%@Mpx;RD*C-=x6IS|JHZsj%?Y{(XZ~g(~J7$lt-`lIP`Gv91KgAJf$qt9Ap&>tkL81vr@w?!zu^XK33{??T5=(``ez zXE_^A*6j*Lq1PlT9>l5EzUHWNGj3UjPxrDZ%G^)o&PcL~?qU*>%+v}1MeCq{=(wM?@MV5xQ9gOTd%k6QanYY|u`ZTWWNwk#{zk2c+X**sBU|fh_6upd3GV%=R<7^8 zBd7?2X@U^*;`Hk!AGkGe7>5FeBNkCFL=KXWa8-XGqgeC>o zi|IN;347hEJm4S1`xIoh>JDO*k$WJiZhzg&Vs}IBY?{?%0HG8~me!$UxBfN=EQaGp z0GN5ER!aBBdi<&f`(;rlORKO_ANjy$Wqnu*CrwqX(VNSp5%z?HKnkxcValE8?-LM& zJIZWS4vJycXn>g&IeN*zlA8^00D{4{E?w+C;(Xyq*Cbzno@L=17hSGTIPF>00nHGo zr)3Jry-IGQ02v#q#e({4F7v}U$mFK{GE4HsH+NFz&`I&lD`563F^EBcBTzmtLtED> z%@oYK=U+sMC9Kn0C{o<+xC-iwGwE8?P$zCVZc#m|gToP;3P|zi*Db%vds(DVaP7-6 z+9%hk>Q-H0S}pdKGmVoga+k}>n=v%QJ<*{(I_m0sUccGor2kji^?=W>jBiM2T|<3INU4e z#(u4Zt5_MosvB#sx0;XIm89mnHXhQKdqS5YLw1-Zu`)l;Az-6I~J5jn)4r3y(P;dOSA{XhHq2Yj;-pGNa5@^JaH+6K;jCD@N2@?MAb zV)Z1t`IJUxKRi6kyPBpKV3z}0D?>--Adi{MLs8fTP+zRSU8uo_0!*rSqH6h?W0A&s zTyr(r6Yc1qysyB_Zump9RxGO$nBHm7DhG*X;Rb0s?xk0-?%sDcS#M%jEqMlC0fiSV zu=nj5#)w-7ZO%Ps3x(0w&_^9v_x|Qb>IGDaZ&zKe8HT_U2Ue%FHB)8LAK?feGRm^jBHhtA9b=Iaz@}(wp-1m7*p~?~ zIsR%k?AXp6qHlI<;`Q!I3DFtPgyZp5W`r+3AqT805Fa6;%Af4A719N)>W<$z(9#bQ zY;H7JKv;-hX*s)G@5&L8dvWPX_UH5yfo$gW};{ zyNv3`2cOrf;~MT+r{?m6!%HWM$Zhe@Ybl3ZmFD>2rc<{F8ZNsaMdGKpF)aBxd$@lt zEiHcSk)d!~`)#JSrn6m9CIEX1pwOx+$dO6!Wp6r8$g{h=X5{QHC8u|_uD{E%fnhh2 zw`Xv)KDKW_;gjs9k4SbUGAFm;;>42&bFB(29w4p6)JYC!evaX|6r-bW{kAotyIfYP zH)(r@-N|{EbhoO=gy#^e5qIec8k-8R1MjIxwy9W(CyUs3C?iuTyxTHW!iBdXt*!S{ zR+0d)k|?Wht5+r@yjU50P|;!Q+9%a^&<5T#tIEvH{>iYUvh}=6YV7_i2E~#bayvS) zQ!9N)Tk@cZS4UENP216(yZoE6KnlM{!x=%O-}A&bZ?g8UG>R~=TU~QZaGO=|E|)Pg zAjE0!Z?r!|8je*`;Y>`fu9S)9GdqZ(Uj`}}J-QC_3>(bCc8kAV%uUn@$BM!bQE`i3 z#vE>szHgizaaO^65<$<{dl6zY=@Z+=7h~{e$d)L3F(=96Q?PcC%+SuzGnZW)J|K!f z7oBql9dFB0S}JMJFWGk`^Ywy2dNS|xPmdYqD@6?kU2Em%XxS({s_@ril{ zI^7!nrPOdb4#wFHm>R)^BalHUv#n@{4{bAqv}SbpQw)rx3lwZCGD)xhMv3-A`OrP? znLNdfTr)lwpOk`Qr3vb+edtI!=N)N)EUa_N#`)-a7zGxUWUK*6gYOh?Swb{ege?wR zt-Yg_jvjm?Q&RF+ua*}RB@=jD5X`HA$=Mr7y`Eg!ba%Cz+}Cx=X+vrGAd#iteJ6ly zcq`QPOmcENg^%AW1C5MyV+Khk7=Wav0aKyPZWpvM(RVmnfIhM1;n$QKO@XvMv)rz~ z0&AyLjW1|H7*izB=(@JR%!#F!H)b+yW#i$Z{6+@y+NyLjL(bffQ1e0DV?8M;kCRjb zh4+}LDMjB%JL=wAqC=1;sJ$N@v*AkM&_nZFVEX7yiLzWPhHGY5g$u`U-$O;I+=|d< z&C@2|^4`)r`~->x@JiB^r4&qV(vCtjK10p2Z~p$XOOr3hsIT{z4V4 zB?k{{j%naG)*lNkark;L(%t_`0cQdU7aeyvMH!IkS>zt!b{1(IexCa|k;<|(L)C+Y z%@pR000fBU#gFm!&e?+B=lm#)yf%vy&AwUQ07%AVv_^FQ5tt3iWX6Pc;s9B)tt~CF z7}^?u#dBXM0;dzRq+)s;?b>jPP-$dVi+Z<@lM&Xz1e)rY{6-uXsE)|Qgc#P$m1&Ju5{O#(J2IFsg4;; z5JhYCvdcKFZuk|AsSkf^Bp#(d7$ZBLq-UzmdS+Xjn-T#1iNOH|I)ddPQ^r{eMF zXNoD#v}T?mAV0`FsJfqsKU(TMdlndXNHPayh3ek5VW!IxYipp0F98S1=Btl1h93@n zqLc{00qZ7>Z|r?cB0~{0sT5W_V6!S}thGJY1J8J=_uaYB>8MMW}as75~ z=zLMCvar_5`{h$Sznp*gp7@L@Bz9P5_tq%BR-KB0)CFi|MeVvh?%P^mD*YMp=a4m{ zh*3<Vo3s|`WxV)BdJN3)Dv-p3 zHz*&GDzcw84g7AtJ{dVSR`8tv^U3(KHtFG88=Moil#4C5xne6n6hsmaPe|;S$JdOF z!=2%RA@zj4y>yCjGx$(k;cO_Y<@AbU8zNSt`eX2oE;C1Wxgr0ewcIw84*?RuICY`F z(2pe~YsVR91Dj$R`e<%rE#Acy3Uu=jYD||>_jcENLvqKPc)c&9wDT6eY#2T;dni?8 znwOV*%@3QFHq;+jlf9p{JY0EUG~3H?W^{m>@|+?IwzZTGItMtXP7Tk>k>g&^USScY z9ae~XjPNh>?4?csBR*%;tR!V7=NcZpLS(H9M&>xgCB}BP@zT41B1S4aWrNYBRE(xz zAk?ySu@|QMGUFu<$fP*uY+WjPAbmr~VCnUerUcDR3BQJ)n|8mTuK2L+RE8w0YLY5* zVU6l0!D{91W8L1>Z6->TMBaYW>;XSENh&b`#CtOnwL2Twj^|t+R2zlA`4CfEf9` zXL>wstLw)TIQGMwSmDRJy02$(nbWFNcdK54M4fC@SHo>tD64{W0IgX?|NiACdfaEN zakmk(CD%2m+Us1M45)6AnO}p-p~0?Y)LJcuwqo$e6#`4)iH|#`n+3`#EjQF5 zom=hfMy%K;ipmciB>jm%MxgA$bu}UwCzhm4Z3;1o9OnWei~Dz`?5l~|9CwWrG@~!R z?Nkxy)6Ap~wRiNqjP~Xc&wOzeCy!hY>ef>#bl2!vq2q%GrR*F^Xc;0Y&qS zf3BxXMXY|ZESE%0`SA?~MRBVS9!rJula5uZJ?RE}AZ}O`wVe_~hClzClBF;8{=WQ^yTBx)zx%D_s zmClS#v3_6#9D3%J=rV{g$#yn7HXK-Zeah8zL-vNy)|>> z(c`*6!a~e4W1pIoIqHx-XPzD7rG~VUcizGK0-k}YsRHzyQ_0FtKOfb65n^SL` zcBw{OECu~b8Y}5R8DDR`R4H)nh5Ntx6u%Rz1h(U_$@1n*y+cDOP?b%U=CKb@p~QtkTm{tjor(J&J^nh_35Eby;qwM9CVLJV`^Fe1L|Bb*QPpxO45xE^N*TNc|)zI37w? z;W(h;E_qxR)f$TRbj9S0jxAPRpu9&Cc@nU#c%35-_2F0I*tdFQQNY7t_PDw({j~1s z%T}kC#{K=B`DmwLts=Ku!IP7c=?)Q2v^{>|t&(R>$0()m1CC9MBu8|UI% z++O7aG$mzb4C)Xb*p;l@9adEC5F5)DYpxiocB zzyJ3|nv?#OC6+}f*d%lEp?8x#(igDhPg9Uy$#2tc>$h&Si>(f(N$OFWwE+mgvwf)^ za*XyM#E!S-LB`fYUd2~&3v{2X)gG58wbXW|Jm;1J9oGe#R~#=ODczr}{;9HVvwPAy zVmc+nKrY~U=gkHPrgnZh+%GBsrLov?^vU;6I43tM{_uB?m0Jm6Q4#RzLck9*T{!Df z-x8S&8E|ZUVgk+QHRl_Zzpz)aQA*3DQRUyAQ}$?aGaXwNmvuze% zHb(nq>CM7M;DI4YCUi_oSgn~wTXsWQrLC3S>MWQ{Oo?rmRnWbZW7D9$ViS>IfE-FQ zO145y1jYkv$J7VPz3}WJZ-8$LxN21DPqXM+IrqyLn#`t#>PRajpF|l@9}_D1$`?VP z+VA_n*n7*cEZ22ic&I3X3W5j@5K!q7P(m6Jr6i?0rMuezk?xRA>F!oiK%~0_q)WPA z_VqaDTx-l@uf5kAW9_-VKi@ycaSYxUp69-=`?}BT3<;yp*6}Z#SDItDPHbjWmALRz zNczQ#HTttS>F%c7BiQ@kcGt*3vfA_q6zuqmX`cDh$tG&DXDLn=P_a_olcWUk`M(7m z=?q{%;QjV_^5yDIsC1NenJZacZqk(#Iw}mDj8^Kg0u3?q+5^%Fkw(=N@9*L?bZ5pf zMJS(`=RpJ6yilISUPpgmtnPORJjdOaiKx} zb4c`)&g79vhlvMoytRafoqGKBGP6*F%;lop^rv&_YB79NhSCzHeJF#I`O1v@_@$P( zHNlB*Dq%n}Y)5ChQYNiMz82u6GyJ-iJ03UvR@bn&3j0?TVuFzu%<!*Ueobcp~%va*nWWfd~cfr_Zp2)O%e|gNqGg(_Kka>tk&|r_ls!q{?#x^j4Y(kJ+E397>Gr&y(+IfAe+hp!|tC zsab+065knvSd zo}th$xv1#7DUTSLeH#0MQs)y=(H(L;>)i7_%21q};uGR3b4zbI>8y~gMa4{=P_pOO zh-Vcjmk#J`=5O6z9-`3AVfJgH_Z2)DD1WCjT=aA7gF+?jgd#R!Edu{Bo6aFM;vw5* zFN%uatGeZTs=aFV#Zayv=9x~as}=oDxu5uPQ2FQYj}x0gG%0-pNBc3hSa;ym&oA?C)JekvKKG5!E2JI%hc(}%Fp=dJyfl?jLRwH8S4`WCtLUqs|_+& zWy7`y>v)eyj=x5)?z#M&kb(R>!iWFu^<&99c*aBzbcKaJ7<|^4)Fyk%2{c@N%LNA2 z-e#$*pBY8l%}`U{fVqDw-sn+8ls5yXJHT^9dEvy|z(2eeIRuu&?`D7UYrmT00Un=7 zh2rPDNQ`A+%{KfQ#8uT!tZ&U8a-V-7)7z7!4?{5cd^fxL-8b%K*X(IoHNs*fm?XrU zc7>1qpus4bTEt>DUcu|T_pnQ2HREa&(^M3*&PiIYYrUc>Ne6z=HSk+Fgj>BFp?Z$5 za?}dJ+epvs=2PXUhy@qNp<>SlbQDRr9K&MKQ(N2wTHKu#!NXlcn$eA}2Pn9N>$UZ2 z7bagEofpxQx$UV|IiFBQBy6 z%n)ce;K^9mHc^xDGWawx4q}tZ)h9k!A;|M`YY%9&s}#nQ)XJ$lT6SGF`RcN>qzd_b zCt8he!(E4Ed7pKN(7_^J$}SRLE`md?elgj%y+*KhFo!r>1$&uN{$5mk!Up4Z1CmU2 z10&ApbAjpyevN9=)a7^H%o*yL_m^S?r4XK(pljBsb6T1j)#F$s5v*42imP}6@x)dwS!2E?_eOSrPozD<^05NXHVWLQ;g8-4 zUeFDc;9N?*W?1N4rRSyS;-*5WJJam{Wb+R5wT{9g67M@18a)Z^k-Or&-;z%yMxlrq zf6m{SEfH2-ig@pt=bgT#^v3gPvggw-4V$_Q6X$cm_dd&dF0~3z-x6|M-Bv;kmWRBtKqJRx_rTtl_isxMA7+ge{emqymxqtyZf`5-^?%ivta-n_ zIhRhX!h?VIa;bbp-C^k4l9#E;NwOshn&1(pNJErQ+1l6aMKwQ;(?rRU@m!DXropkt zcII4T7FYGP4w#d_-Atn~A(M5h_5J*4J~k9BqLFzCsH#c_PsCA5K6|GwL0cae(JO7v zkcm0o^Ae@>?4*c4o%UMjXwsQeu%?^uZ(SlT zuI=kEu2*)f*P1@cZ8r#xqfv2T`sV1!`}BCy?EN7Y6JucbC2#gDli>qNzOX`|cc)o@ zEy7?WiGon%z8XJ{ceGA!-~JMZ`}NE~VZq-y2PMM%zU*K}9!Ee1!$9Ac91WF< zmB)2JPJxwPxu=kW;pK+S?^3FIbBQKNc?2VU0)ZAG?z~2 z)?)a*0KQOG`!V3{BCA}&l=}rNTy&pC8pRE1>u*F4baIZna?9;!m+9cT7^joSiVK1J z+_&&u1^joTcdW}42LnvU=tf$K!s#S9ZO5x(OJ+qa7iR zn=GoQ)nI#7?23V7)RT*`^I`FwhnyLVu)k`I2&fNqK{%bV1$gFVNg!r`ZSc2;rYSfg z65Sn1s@>Qbn&7?y#oo5;Qs2lo&~QP(-V*Vjt{TB-@?Fj- zT)vEz_IA+^of_ zCdwF!)3v!(=$#+jPC(QidzZt@9Cal9=>j;HGju_~XL|XGtqbT-%pVaP--)H`+4d|G z@Oz|FhLnx4(*2gED|U)RJ>CzrH*Jkn%5(QzO{=$+@0N4woYBVCe9tz~FLkFq#zkkN z;&Y21I1BQeiu50(88XwDl5lEpjAioco_`T9g0=zthprknBC__B@^nN(G%@x~Vr019 z;P#*dx1Ou4-&Q`$K;bSI>%6&_+$0a-6amJ2XScQCWfaP8ETM)aGOo|%b&D=wAcl=6 z0wX+6hoT2QBv)Qy>>i@O+MIi|ww9T^Bg+8-vjV2&69aj*7UqT6hNH9vF1U(>PB(f{ zB~d5wI2Y%V?z7EiR_f0c)~72SV2 zmm3`ARx9G-ib(6E9j0wZY?Hd}zB*3O?(J#DY-fe!*AW}rtCF_77!+#TK+Ne+7KQlQ z-B!gG`q78SV_PmnTZdN|OmbNr{__6&Q=Fq;eT*U+Wx&nr(|@1I=fN?2^$k9@JWj+H zGYc+K_me^{+DV2R1e^BFinkuYr1|j9@hUhsl}wL=NNLhS)#f|F47&=RuGYat;n^1d z;=XHR7KQeW&C%!xp%VYi)(LpnNe1$PG7OP1e#tWhQ=kzyD*LR6w@laE&dECDjubXA zXK^O9R;3&9DqQ2+Q7A=~$ng0JO5!O@YF9FeKW$BL*%Db#18&gxNu=;-CU_nN1SNhTNg z61I63isQRvcosGf9$C+S{V?bF(y>cdeM(WYcGSV)J0sqb&rQZEe^UHwt#3gfPyrUU z-D{8_qyAfV{{|jkYJ#NS!Wm~NP0F2Wqn`98JyIt0DnZFV$Jt$nD8gwh zjvqlyi-dGA>>xRFL9&t&XiU4tmyMuJ*vF*`6-d+8D2JGS1nzsBNe*1ZwUOjj9dIw|8a*%E1 zI$W)7K$TKh4QW&_JTLj+d?-EfCC=~oU86{wK1M{_1uT#Q2ntJzycE2};~`N^{ioxn zSLdcvLQb2@)~up3n2PG1c9-X>?ADfL2MZ)UJabdy3>e6hu&n8FOF|qw>hQUfyurvq6hTrjOEw7-keRV;z>@e`x@TBFYhjmI>Af} z-f+bC%dTBWEnR^FE;OIeF~QS#N??VE0*@fDBgUb<(Ph@O^hkQNeohhR4CvG!hBiJM zZnTes6|uH@ef-shfW^lc@dB~4+iPJoFOvJS3-eXpcjiPTPUT-yv;ThGAmTA0`QN>eEI8>i6F5!> zj;tn9MMB$MON};8L3eaNfqww>dPH*!kJGg;K2$C<`Moxs8Plc3s^G~#*GSrvGkXn0TW z_r2&q-QW{UY3xb69Tf5NF81sD(09GN`=Ezg5R~SM=+jz*VD)5gixAg@!CaMU zghxy2P!H7dafo{k2@No7C|Xn(h&^oKCytP`QYsBD;HJck4omR#)G6}3>1;Y# zd|0|#wVl~^C%e7rSlRBc{OCXoxWE`o)M%Ucx3El(#1enYZT`sou*KI`Wp{O?c+tq{ znzR9yh-l6@Gi|&)$I5ih>L=y=^cmYO`vf`S#>%!M@j4f}Lfh>$BHoTHGo_KxO%$1Q zvCQBc;X+94pn&B(Tn~c?oPzF{md2t{2~eq+z`PveE#?sg)-hxc9Xb$_3TRau`R&e) zVqc`g^<{G0`k^S?H)g?La;!aIL?&*{$dDRUTW8g}Om7lraU$K>Pui|@94Vj&qd^Cbyh=H^%K5y*JhOq1< zj$;9COrBclCnf8SRc0Uv;POOMlzV4UmnHw9NSIx$#fV60jib%28m9FV(Cv_R5`l&= z_pCf)Z*446b+;gwpfAv;Pz3Yly#!*Z4mZ4r7tZWRvPwxpQY}emHkb;?v5?Y1yJJdF zCm+E#j{RKp4sYuRHJL!y2_?rax}`BiMfnv0vHY;?mREJI$49lorM3 zsf^+aYKLUD?%e-N*e~@vz0a;ZI7>qoIROuJD!0hywC)9iyuD#X#HZ=Y>m-94p{*Z~pHu@L92v?s~U zRm%IM7@oqPnwvPd?AKQVc#jsfea8wmmj_yqgw6LNHTgo==OrJ>i{5EFifwv;v@+Bm zo2YD=9^6+0N0a+N};3+@d&a ztU*G*_tl6WAlp+m`{y7ecBy1G5lIu%Hw`=dt{i3vPN268;&ELV1w^?J4& znvpbGC^!yep5KS^HTbea5PixxutAr}+2rWB$lJLubituPoR-X-?|z2LL&#hvLo_cw z3T`ehWnR)5(aS1!gZGh>AT-c2Ao-mCnQa|hdx&HbCB3E^*=V#j;Sl7N{*iSnDbi(1 z;hsO`?VEYwA(O!q4~_b%&xEZ5>n6S~3J^Wng~Zv$69*~ZstC?!%^kAeoF36}6-2CL zI@Dg7(3fj1FokA;L6*un{#UOsyAldbR8MX_>PUXPD6fcsRh_C5yeK}4{KkkUA>yN8 z79|)5)Q4JOlV{uS=fkxxno%fgvxT)6fc5rMXY|tBD;>G+b^DmPp0g_#F&?(brTG7# z(=Y78?0l`onHDghG|XvfHkWtW=!CZ=c2Z=&G07XfdIpyx>d~0Xp3LmvVDP2R2`-@4 zXh-B*?8T2TCXCG)I-B=Zo@ZF3h09x+*PoWT=SJ~dFD~5?c(jo^H?}yfRC4A(ELOTZ zYrLnNb2zJ`S%cL)sbG|?@YY>!@n%~)?Kz~s_WdM<>)4t2P&kdt4UzXj=Nf@PA0CJm>F78~4ar#NKK zQh8`Ox$%Vj>t&%pbRqfA0edKjYjLv&x>*${gzx)M9%}+A%x}G87y3RbGbrp5t~}pb z2eEdChxEGW4j<~3-hVDpThT3_t6T}`h;3&(@AjxlHeBGYcgV+-!nDS>l+KEe^_T3F zbj9ze4cuFa6~_Mc<1dxZbNZz=KA0yTE?lo#88r>f#v=Jx3F7CEJXyvSSRp@dEMCFR zU(^&YyzdsY5obSXi4ZlHS176VaaKS1Objg(V(#!9Ev6t0)V&7sh%+eX=9BMg-+4(> z6r^2P$Nef|ec{qo3rb#!$4T1Q7h18o#9mQzTil-C-|Ap=)*`*q_jnAR_mtUbY0pt0 z7FrCyMiMIfNh%yON;VmY!2+Z5t2^id*UXlCT40GMwYX>p2>gV}$un{Rt!~6O1vAnj z0gHM0j$8;4w}XXDfeHl5#I{)7_~{HX#BCBY%%`O@7%zLC&72C)NvsIrauhcfZ5H8K zle(c3FNYKigY{?7!7{)li+Ppvgl9QVys%If1_y2wQ_Rebgy_o!+qh!%IK(!6ikVIy zIc}f}JDW|H-a;ye{G?SruDUd7Sa(3|=o+DMPH=Q=ilk-Jmfo?R$&G zDLnZ_#6{YRm=z@wv;qDCdtJ{x9{4DFP^~5qk~TPbvdugrGR5=mSkz2wA>{DqTN^89 zyqDgaqB|fou)lVvQ1DRTm=Vuz5n3smSF&jXcVz|`=!ICXQn)=bf7$!JT3p z=*gkCDu)a2Y|dT1P^_6#c@QFYfAikxQ66VWUN%SR0AMKNXFF<)Rg3q|giqDpbQo^u z*J`X}53(e!jFp=wKT4SKm^C<%D0Ca4r0kA-X|AZua^M9q^wOD&Cvo#X+7@!n)MjC>nEA1cLlrwT$l%`~Vb6STGY&xo@PS0ZGl=$9kH zd1#!uRTIACwNZ7abBwOq_>UnGvN1qSNm-VRW@!`g=!!K__veFsl7}6#)|;)sxDRog z9m%?G;a|Rkb4s!eMbv1zWWpkE0{lPgZH4)|FFs_?DVoDQ(-ksWYCgFrM~|{&#EpDa zDi3A~6hP(Iqc~Yb>o^K}3puZ-P;~&<;W7Lc)NLHfR7=>{fMvycJFf7Kdkt{j#pA*r zBHCN`a~i07T*vdw+bt&aeTv7oxe^ppwTi&A&E2@#l+cyI6*6W zTZJxOx?=DQ`p%ia6laX1^h)Ku6o=nS6l_6zd!V^?X6#S#*}xk2bID;#LwhCu@`WU| z^wPq$&tAtkbExBIG;?us`!zm#Va-(q!!>x4?pG!Df@9Yz4`b?4I?034H^_f8JpM-L zb$#)Q$n;;aKD|SCzD<-^DNTa&7jcKF??(6IlnW?43T7NCImI``Nfw?Bt4#hUM+tLl z?omUv9NzY7&>7o}NezKsxa$-YqTYHSN-wv(UTaz#)k6kA;sjge@}~kU zdXe`sd>F58t|*tAtzna>oJf7`ZCEurf4*wyG4728;~%ISnA9R)4V&KM$j4DC5N{!b z-+KXe-?K!TE?v$LA_^>T^CEGg4)5rO{<3PPfTHPBBRF1+n|%f|y}^{&@O zLqRtwCgTK*($_%}gFz~Ug0}wK?#2{fRiJZ`0U7SY@H<|WaOLW(5zpg{x_>UmN=^0E zeN&U}&$R_zW`)i8yd61pI+b%>N420iW)+n|*Gd=`!Q4pbUj#o^UAKd)QYI9P5nj96Q3TBZ84`lxsl zC+`#eFW;y-aNT!Iy zN<3m2wj|x7br-u6o6?3@l3)A!^hqJ;tD923vg})0?z!xR&ih)N-W|)wQ&_rnvnzXi z*8<;86CX;4Yf(*CazJT`tyrcrzU>P)xS34zHX`cV8oL3cMe6Lsy@J(zC`-Af<#8-i z>%4CVL$N@DSKZbexvk__(hO8ux+5<0m#}Ux%B~BPMYgB9vRfBbk{6idMd;MdeVCIo zuI#=akWRdwX|p~);@hDTOF#BL?Sq}^K$hH&u=X7h34!dxrdc}T?BW7j+4Y=3l*rYP z2J!>Ij>ZH7$%}OFpS&X^Ds81sx6?W=gL&ml_;oE;in`ocMZw2`r^igwC}^2^R)bYs zcL&Jo(XMWAJ7BJ+DgfJ=^_?h;`|z(B=b!ufYW$IMzJQJfGm|;%>zlPP8`H$QvgY&tTsMbab7JH%DSVtBS0dl`ka0((K?>o z$EgIUCDlLqjS_fWtqzp$aV8=n{*hb)j4|N4r5p>8U|fxZ;xEnOjVJP*Vx7E<4QSxh zkLXp%_7lK2>Yr8 z$LsMt&YZ+$SK}HaA5D8OWq9-Xvh^lEy) zrE?@H-wTZp;uvyp7sD+K`ne9buLJ`EFUNPgFOCDRd@&TiRTcwmjyjRsBR9e3p}s*^ ztx`uq;-22P?1Mpq7}z776ELLw{prv!PC)q{zv=TgH>NqOWnX)Uwo=pis&%Mg>uaIE zEQ~L5lAVoyN^A^$Ov4@DDw_J7RS|!(dELmYgs7jno-0Ri5LBPLa7pknK-tbeB883# zl5SObY?ZV`8VrNUO%U1D`(q5ebu|9qMlo)<@uWWWl%bjC2McAa^Liym5BViBbzB>7 zuC-Q?FLbH|G~Yl9wA}yhs~*RoN_1(R5jMs6S<%Vy-dYTqEUA9598uxPmfDkVh`=|L zPd<^2FmEihH_HY=VWlgJl#i(fm>Eov$2*524!f`bDnlhWX`CeAJl`zU zVpvVg`0aPcB7-xf;UfTIpHwTo51EgkKU+(cQQ^6QYG(74!jsh25Lsc)Z4Ths8;&K< zF2s_nZQK-dorPT29l!ZayIn5 zYJnE06*8G`>ux~D=KWKj|3K&pdC(ES6$^rW^|?ljJf``=!NwzjR+#%k;uUAa>uO8b zLY{UKz17X{46#Bda%x+;m(=&-J1w2?_j2j?Z5v(sPBxhx(Uy(kDviB>OcpqrqHPhGohdTw)E48jEneZL`Jxv4$`Px zyg^=qPjatv#)nR|BZ5IJt3};;ZSJWf#J^oRi^sYo5@wv@&$jio?qo}hYV#^F|HJgg zu<6eC4zC=j_!US-FYd_VKz3w)C>jIYYt{F`ck9RH z%ZtDDBL*kbzR%YAXzQEE*7(Z>FEvXy+|TktyJ6EUE^t1n&p!8EN71Qlw*NwQd5fy| zqjp1+5g=KN^Px7e)7hAyB5)ArL?n9bVmJ3`eV6(|hleXe$Z0~=<1G=#>Dcp|E1B`W z(-abvINv9KY(7?&+n4loSDz~=!zxqF4#4$&A%7)KlguaY4^`z&b%CX43*lDQEDA^v zi-a~aA)PI?%;!$hq)#*&%sXHHD9?? z=|RKtvLi3}x?c;rKd@gh2QWDhV4vx~n(%A_7c)6a*?dFyw{%?WToE?)eGQo5tQG z-KFz)25>upK)w!o=5g?OyG~I(<#s&x^=Z#r?s)o^42P|`9IxV{3v_Cd%_|{uuJX1y zX}KyUr^Q(+5qqh7Xe=ac&}mNr6{~+t4tF5vQ%1|Il%}B00L=Su$SKXp;aW3Oea;4k zQlnXILB?PfzR+w!{23&|wvDVffgB*E&?`+eW%&g$~}r zEgPy5s;>xDqs0mDhT814G&ssgBxj5@Aenp@_agR?X3_p^S=!+3@Umd-l}uNTvGf;Q zJyj}v{&ToE(vDXu>01yC92!Z_Wg^}oH^uSh=9*pAvZtyi9C$yy(}OqEb%IB1l-&`V zoH}=6+kR==V!oW3qAR*r47!xqyjLHL=uW$J-1WLWgRiK0&bfK)yR!T6WbK}}uCd{U zfV%_#jFfWdm&pfXl8mjM3^(QJxP%?`mY`gRk0RyTxK=;J^H-BO`gZT3xT30c(%y^y zK?Oyvi&HJElgd+Aea<^QLbZ$O^T7oh9+vH!#t^bwKN*>OU*(BTCaRPFEFj5^ovbqF zmV$Ga$ZWj{Rc^;zi5Eq%Dh4INYzb)+Yx-yqNA5$LdH|D-_=Isa##Cw!O+R{Cj=ML=IY zg(sV7#Bo(~zn=W$Hg1A|9l!iagLa+gOa`B5YR{fH%Y1eqjjAzYDe%6ks%*vElrFhdJ#6)}uS^FTB!c z(B;?Mlgpp5N&nzrIz1` z!TD}<|79BNeiTJ_y19v$C^_MEOmvTYI0Q<~0EG;ELs)yZ_`T-n9R{;Vj+nqZLkYiP z11iHM{Qkl7aZhkQ)V$G?T+c=ce_Xy7iHv?OwLZZG~UtOPk6Ht1o=%##f`?<< zRIW;SKk8;+j1A*7i?_x5x5P4G)cmTq_&1gdh7nOH*>G^P{c~D{+J=5CO7Uns3@)Q_ zcCE02=eYW~<>U%0mh>HNiH+__FRDZPKKE$1Jn*Iz?(V?yTQNd0sU5O1W_F30ln_ej z_?plg4;`*vn`7+J#P|_0+t66D=N6mRKp}{OxufUmFu8@54`nfJ6Po`%kys^(=M;)D z^DOf%&4$K$Ua8@k{T8KO3}wUjoWzs0DTfIzqLzXk-V27TCgz~!?uNdXDIK+oa$oFv zQ`lrDOQ2G2K*G{f$;7yAjMaPh?3vAsJ2dKZVH)VOyS`kdYmnalplEl%Z6KfG)tz$4 zN<4ZpPI*g@?Tug_MK=}XqnG9P28a3&1Hiu#cqX*cCM8IRsu|ti+|2ARtQ+1E(G{JE zU#6n8$llXCrHBuhFYdnY$0u3crR|5=m#51U>q)G*tlMsu|&BWA0k zAzqe~D%Ro+Y2@<^@rJ8M6dV`<8TB7Np@2s+-Mse|tCwrERT;2PD|O_WQ(LQR9V_^n z+=9Mm-RP0GxUh$$u}^^sAzAOBh$pHr#pXFO0|Ep+oi-Oxalr8T3`I|JdoO`A=JS-71oq3})r{Ql?q^;`9LxnNw zd1jZfk+_k^6R91GHnS5@msAPHqfJW$oGND?T1gttdNA;*IkV@vB6+mWz58&@)8p*j z%T3!{IX=v7mij@`qYF>jNR=!0Sc>eT6B=sknOwaan}=$Y) z^dyZS7YWh_A)i#EA0?#GBwZrD)ju6UUJkg@VdEXdU1G;!Z^Sx1tH3Xb&uN;m3-JWp&iD^=6q4!yl}&8nTT6P#lu*5RgS!AXs8ue6g8B)1s2 zkairTHmn{plg0496QTNz*6&V&fA$ji*7BC`4yv$=P|{0MtSMk1sxpK}B)I2=t&c9XKN)fnxZ%rC7DXC~2uMm&U3guOcD&=oY*^L- zh!cI`wT)!9$}-E|$O>BYuO#Q)qo0zyC(EfwW7*9@^_p_m*!xP88vYbBy)*oFH}@2H zeD_Cw^6sc`Ztm~a3Q*xtdbfyZig-~zp>pO&-yw1N`FIGy1+k5I0`vy3$)lWL z#v^3w>pXKZ<3~|pHKbgq!i}3+sX=B3hh| z-p5njc|Fr}PO(Aab)Yv^&@Oy~`v`FalZYLRz-cuJ5DpNu zCKtuE&nosl9)8$q3JJX_6Z5K9{4qF!Z1dO5>@0+B=RHdtMYWX)i9%OJ)6_(WL}*o%qfFFJEiZ;swHd~dCtdfB ziV-uSgMt`7%1NssZ|t6J%&f5cxx2YpYv=itQkgeLZD`rq?XsS3^9{S@{x;vkG1n8q zy3n26h6AmbYg1Qde{9ECWXvoEvIvtibsC;=-3&v@9nfpMRj0&GGYyEOqbG*nf+m+2B``jjZ zg%5Od`7D?my98?-#u^-*BA;Z8v2wTj_BI>#WDQA&To{fYnckO4=tBjx5L-`|7ZwN% z6?{$Nb77n$?c4IMC#{RTIV-v!+wkBWs-O;IdeGDQ_1P5JOwIQ#Q(7MVk=Jd@M4e5rnInAM; zicz%&(4vb@@-O_|GQuLpR25&G|*li&q^v>^@nLK-VM_TZ?eaD9K=Q~NV}Lp z_4pOgP+su0GaHcy{&CBuyH7r9*2a*g@(6D5GV02bU3K} z1PW9Y#tlk`;F_EAil1{Kpu_tO-CY0EzAcEqn1GXIbvv5dv4~(<$uKRv=FVeZe1>+B zGNTRQnnn)}8;b?tOxY`iZ$k2deGy;(v#^&y6G9vy6iTa}C-6@A6SB6u0##`poQCZC zK8jm&{-oGTT9n1VcmRXb2{1$ZvE7@5M|{Z`F2-H?Q9DGHXUG*|9r%paVDWDa`HGgD z2loP&C6gWrFz@D&OUSRKN1N72o%T}>;OFMPPa92f)Ba$S$Qb`|bf-J%iK|BMF=bws zxwb@37y=ZZp5rEdDT;eeuKE`M3p;sc)^IiSlb;8MsHIW~&T$=K;J~*CWKLrsqhrOa zDoT?-Vk+JN$9rOPcl#?WXJZ9Nn#H#bWlop^m5+*Vt%%X&kA@AB7Ci)y zT6R8y_rN?;t07hsRW`Kj_&p`7l;m3jmMjlkd(#Tr?{WKb4vr2oluau2cW$*e#Gil& z>*OHS^67T|9y!Z1gaOQ2nw=w|q&85emte>zSe71Z@)USR@2pLexQhu_uFSpgUjUDb z&|eC8PPx6e^9aXj;r%#Xd%3*n4;WloCb%7C5^-3iGKSQJ4z8trHJ|ev*gVqLTA}WQ z3+(0=Yx`-F_l>w!qEfoGV2@+6UHX(&vXPgxF@qzxtwU~()GtHxU5dm@HBw4Hj;5H{ zjF=huHm_F>jbgPcB*-M_^`MFic8is_hpf5;bLdJ3ioa`oWgn_b9VA(%!VL?VsDb(0 z{AC}*=Yvk2gIS{s^m^R)KiCU`{ z>7O@vjE-eAnZjhpjRZP~GedG(hPtAa9rJ`yl^``b=1%P+QF*wA4jRHWly(s7i^q(@PlrlcgdBqcnD*o;D?=i1XXY!RL4?n*}$NrXi z=e#S&BcJ-miTMulO^~OYC8qi8=3@5!@b(vyH^?)%=RVMRKEdK>;(-IBP6pST8w4Zz zd6+UWO7Xv$xAO`jwA7cN5W%dyN z++gFw!F{8hUTsOXBZ6d?KU7r9^Uat$%~LVK>rm~U*#kIod{2yNBgu;-tKvZ9yz5OW z(La65CVbCd_pt1m>~o*LMdUhO4xw}I8{dmWgPRJ<`FFFL$8~9`Lj024|y6Ns85CF|V zvR6DDE3Vc?e+cdA9!C2pnXrDezd?EvVe|N%IQ*$M`1i1lUns-tGfB<8vyEo-zgv#} zhPHL%0H#3`P}VmPz}6lt7KDPU?KjpVKwP{?f{pf4_I%0a@4Fq+>qa<>y=h`$B`qkx zI0waJ*cdR6Vah!LwRi$L>EAsWAW7Qn7j0$4ufQUI`#Z%kSd0k;FaKlRToIjYfvd!Q!sA~ARzN~4v4}YI!6+)OGEZN|0V zAEbIent~bq9O8aReV^ptKI*sEN-@9f{m3~z&E)yFr}c_|78hQ!?-)$Zh{|7uUH#Mh z=I=|>ma;qN+hOS6KRNL(1`=6g2A#f7`$y+kYXIt#TDyz%#LC-gvnz7TM%xi5&&1cC zo> zYNSLgdKrJ$){$iU*_veVhY}%vd2y;%9xy~w64Z1EC60dLE1=hmoK?sBjOVFwl>?ep z1)BX1WQTqjNCr}~+1Ds$UY+! z|5h@7eVgVbvR@;SQ;R=75o)jB_H;S=9sZUN_g8+ce+EO1p8oc_4pW#EoJ zAk2JZI!~SO%Kyn+`lpybe)&KD=zssq|NaTjetXSJCjI&5>m1DQo3#H}ZU5RYetqdK zlk?lKx7z<$4}UD;|NJ8UaD4o?{<$m)kGg7x%KG0c#J}c?{_$cA@E|~nwLLQN_P_R7 z{`+4ch2$&`+~oW4hl2eteZc%F*ZC9krR&h<{zYr^e|vJTt8n2P^A6f>|JBOaQ@*fvYf|Jh&lA1m+AzKm{a2=p=zV|>ikHat%n{^14ipKb8h&yXC`6c>#4|FI-{TO{ONZ8MbP ze`*b}V4g!eBAgSG!urpi#(%Q>|1U4`pWj0U9em@mPr}##=DGb}Uc8CYKxZ4G)_7y} zFRgKZ2w>z_gH&M!g%jPsr_}wIf7O3}Qh(yd`~~39dUl8#_CJu@{I_57|34=G->;_s zPmW0g`JwS&r{t&S!kRz61e*;PXn}W*rP*kS;mv^prQ(-nki2LE8V5wkm`lx|{?{CX z{?sA$MH1HYiHid!RGmcf^Pv8YK>US7Hh%chzpjVz#_<%;&KEfCR-+i5n!6BOKpkSN z-Yk6u@`%~ziv%{l_p35gU;=rih3Y)oOY-vw0~M^de?B#vs47*lY`$r%eB!jAk=qWe zu33crz1e0CQw}qboaf2QU+lZ7<39wv@bXv{h$6zQdq^jUBvOw5LKe?Xtl15F$;&~N zTggy9-s{_0x6>;|^19^=NK3;@K6C-E=B;Ma*}*~M27BvmYrK7{3oS0ktBr>h{m3%8Z@>3ZMuJDVN}0)01Y|o*O#(|xoR4iV1)JS! z1T!>O-7oV+dKG}r{rXH00agigUblB7I@v-#Vfq)(gMCu5GmO4m9{&M9w9^f0V+>LT#y_Kz zuHwV|J!F#N0UBX2;7Q!ykM`D9e9J(wR{=V+f{)EP_NalZRp8yufVl|Z=;;!1%e3np z4nH;RLBJt6b?Y_n!a8{9Az;yhiyMZnNa6-8khTv*a7(W(YRzCL<=$TlVFOfBb_kNL?*Q0Q1*}un+g&o4HfyCrRfvi( zOd-0d76LA7ObxLiyjj8?R_Cy(w1U4{bR+WV$unY#%Mi_GO#lRD?Gq%l6I0{m2fcB~ zR-Lz-uvHk!QQ9q+C9E{T3FCCCJ6`9qhfL3B6pN#!bk?$h7rJtuX|4_zO1pP+s%du& zSm2^@AtI$$=Pp=-0r>%(=@-@^&(3=crraGO@9ghL-8he1`)g6}EcH#? zw*ESuSG7!A4pv%&cTl#Jc5I!;5n5A;+{^O!8vWW~RA; z_LAm23@>x~B(+V8BncEXU-ut%P(A_+wz#H;zLvPMVP94d+O93m)U*34%sEBxAKENR z*+W%2NF~2bH+BtB$NtDqFd&)|jLom3Xzz5DSKZd?S|~fWUPQ%D)bY+RU%hr5e4$;n zp?dg@8Kn3ZiA2f%ms_m=!v^|=U1uRTFXu#ZGGW> z8-_Lpd{da^SH`BlNSCmM6x!fWCXGd857-0atQsgay{2HEK23IV-Qd=F7;<&sd_RQg z7STr&Jhbz>_cYI+i>ODN2Z!taSCY zi?)-KMzXUdyXB1FKJ3)iw-aDjyauZA@1Chh05E0OO$%6g3&WSd8!oWiko8iT(Lg(m z>Fze9nGU4udtbf9^eHeDF$uV+=Vtn&NKbtv3=Mw4F#|s}-QcG(+Bg6s_lNMi)ByNq zt+q0ltLBA8Y^3DZU-Pn=m2}U=$ol)^XJ`gGBd-u6J|wqf;YR4<-G73c{%Q#`FhQ>O zd;3W?*I#|QD#-8kX)c=GJl-*rLA--(`>G5s_tqCOH4vZRCb)rqQavMIAzytRC?kF| zJAnP?f-E`@FlOmne}gOyRL|okJfPCbg5cHxvr}6jJJ~|M@2h>pA}UX>BZ8x=vQ6^N zkMyXARiF9+>YYZmzJ{T9>wzrAyj_2dAAR_ol}R{0H9Cd(?M>c@A26)aDkjl$m6{$b#&mLgX z3Mvuy1tod*@KLhxx&%3%BGL39o&-7G)IJ9^qf$6h2Ij}SW~o-zN13Py{vX^_evrXE ziD9!A&A~5b9SFJB zU>f!uE7N|`k!k@2N#NpmP&N_Taj51V1pjG1RxfaZdLOV}yv1TQQj|ru1hwuVhnB9pFpgv7EFQ9Q6+mfeR*$no)f zXABoHr?@pj=Ri{VPG&(_(T!NwO7|zYqd0I?K7a@DICv?pC0v6tj+i{IgY@TT!{hAy zI;R`w?qX!QK&@GaPqPPgLB5KPKWmLt2ZY<;r;$40Y0O+ej!pvCo`(Zk5bj_G2N!RS z>+zmhxSYJ@Oi=iXQ^){+vJaL8^r{@i*^SlLu++;J@nO2B( zF}IOTz5}q>Jp8dvh;ZN@yR7X|#MxlFk zwfeSY#|NeT2b=r8wFxYSA?AI6>+idebC&>1oP(LVOgzg!`wR(Zty9ac2STK_nKwnm z&jv!ypBgzY&SaIr!y??A3O8OxIjzcSRG1rkz<6h|$4xaz zyxALxh1s?%gKj3$2@LNvDyO7pgOBQCkAnU62-#V_EyalD7(rgCwNbHUx*cuO#a%{g z2=i31$uE@Tt7MWWet8&qz2%9{8$~3fhhw&4?xs4}IE5`h>+0GYt>0fR*9t_7q5YdY zz~16%$f>Q5bxUNHHkDJbCe*1z9T~e51>BfP=ic$(+U#RLgzDg`B;1ZJMo!7 zyb;l0V7Nk>D|c>9OK}))bcB4$J9F?7%Y&)Vdg5CwA0O&-OOv(ELi<}aa2WK|wzR{B z=B|?5Hi5%|6=yM9ZiMAs+dC3gqcGBRmO-1<;hsP~L(mQ8s`VM2r40DN!-DlvTw}XJzx$N{idrLq3>8+(`+&z3h?1xB=OQh5@8}lU=n%aXS-w ze7OY;m?)!_&Jz2^pE<{mqwE&XKqzyfEN$mC=woytt;AF;yPwU>dJy))OOb;O)BnZZ zTSry7uWQ4~5*1KUT0js5NdZY|Md_9X0g-O$22l_Z0i`>YknRRWx_i=7KpLdGzWZ^X z{eI_+v)^&{yY|}uoqyI?V~xdx`8>b4@9Vx|<-0j~@%4r<{L?%ceFH`{^-$kpDIb$| zI>U~Lt(sm*o9%*ukXAh0LYE=#?oAF?K{wUaFg@P>%2#@-gBDpra#{ zShn>#q)LQzO)|R7F7=Y9-jB9@r{y}Bc``tHyPn=6`x;x$PIOOAKu+;9^1n7gC?l{LRv@pj;xc#Cua^OVvoPzz;Bm6 zw~=YqF3tIw`S-af&xyfn=Lr>E1@bIXloYw64;GN}ZA zgJ{rZd5*TP&Ag%ePpAONxug~KPV@}rA= zX+f26)J`iLSJ(L7k3#Gikf!N*X^(yBxWlFg);s>K?neqvV=3QJAfJ&UAh(L>d0or@ zCB-QcF`uda@pfF*C2ZcCoWp6|K6UXEeEhWM@Qu4qhMl92VSAIQN4 zPm`+T=Xi$wr6KA1V+*ceSK++=1DwD{-qO&0`+%5EXJ|Dx@KE#8F{|^0?bhSV*>yoo z{PSQuS}>ap8RHr?5812gMXW*iT&@YyoIro>k`$+1?c$st;Pl3H8r&vQh_B=s9ptPR zNL`hzyKe*L2wTUp$$vn{P=cx=c^G`L9YPou`gf@XukseBAcAENX;vaUmSvzT65P$S zUVcMn`2woUV!2&NwA;4zuIc&l?R83(uvd-b!8fS5`aX4Ju8xw>PC%VnPMmdVU*adH z1nWA`qin=(*eiuNm|-GFg}aax-qlRI_eK2g%C%p7!~6xc@wNhuhoNmHMggF_`;#)Xvd z#`kvPAa{*x)SX7yUcAGBx|G-=PukzmD~Vyrm{^8Bh>m@%{AKcs7MI_{Hd)!|N&~Ux z5>+tyDGpxThqHP=pI&f>F=tk*182O#Udn~jD)JoB;r3DlzS!pMc{1}K-#L7v;wVLf z1@7|6IG6|bk>9MO)~POd9uitxCmENy6}b3$|E`HZ%A7{qQ@A*L$aC__Lb7j?wH!P? zDsSY^7O4|VzF$DtPw^9hLs&dAR!#LXJl9a39CM5TFD7sj+E~1j5wBsHbL`)pqHzaK zg6qL{F7ZgCu;s)VbY9=7t8^^Xcit=qQl~jErgG)dG+Zl$Ty22`1p<|9kE;f25k^p6 z)#!+ev)X-`LrUI~5z|c8`vW?bWDzf)k4YRU36(>-^7mbZVPU{Pif|Q2L$xfK88xX| zDCiB46ECbMXS-w|n|wc~VPsR6G;ApL^YV3X=hXd2nqp?Iehy}FG5w8*4F~LmQRjP> z!@EevVu*h6tU>~Je&L;KCzsO2jx%{g>rtlb#iGq+(PoVw?6XOH?K4FVdm#@C9{pLZ;ZxVl z9{7~?Z2=@W-I?7QA?9^bd1C#VvDFozxe`ik_;K~vt&2K6>HCDql$(pHg~%&oJepWG z1Igz$c>N(|2GQdF+QG(tBgard|M1Zb#tUYBb)XykHE2rez2b8}lM6$4J0wTn_C^7% zQ|MBzLriGGNcuTL1i5J|Szdyge+fxp=e$;igHNF8*GBCproVmTt`HXHTicP{{@r1q z`HTTQXCJbg^*b9qzqZFXcz4ZU9{QcLpq{v+8&HO`nZ84EJzQujQ(8SdrB{&1 zNPloPx(65 zoU4+?GE-U-?sU>DzgP%_R`x+V62;J&#;@eqfYtPhb(LwzdjX8P3W(WNWg=O>tyJ$$ zWGr2uq0&wGHD1Yw6-vY7$0o%}*CE@@r=e&P|51jh;==%tnW_^VgYPFyC}@6onT=KA zv(TKouQSsfeJ3I0S^4s~Q^Eirm5^UWX1m0c+q=w?EI|fAYuaz0YEO?>og4PI0tbWf zp30J@WRBxzwI7_viw_kDD^htPuu@(f;*f1f#x1HFlh4X1w|C5tuU=>OsCGtip0o!4 zV5M3#Zy=j#KS#mWxSwk$97FVxzX?NmXa->Vxv{`Z2s zFZ~RCvk`3k?lBVum?+StUhzY&BW=4|*i5~)fX?z@Nk@jH$DCVHN<*ly+e;`G-gAg~ zRrzJ^v2Kf+{aGS`%_X?=Vm{HIZ7iRQuas~?3>WI^jluoIzph>#!!ijeh@JwX66<}B z8e;?AWS3C5@ms&HyP&n5Wc(=f^Aj6=cKBV*3Z(B9E0e6#1PnUBY~V{6z8t2y964jN6M;xnH0BQXAGWlEqB4923ih;x7m$O4q;_oybQzb9_vVMp9{#ESB zWw`z=!T7=+G)9T8P(#H%u99|}0W@m&7AM{kPMmix67)wWPEIpx)DApa#nZ6^04n&W zLglJD7BrF4PJwsB9MWS?MiGZS?J8N5Dk!6Ptf#oa*%s@b&&ngT1LA*(pzdUlkZzPx zg@(uPbWO4%LhYmXN!@DRgv(MnbZB*@?(V+wV^1)ANhyiIye>gb1q3NuaK>F9N7{dn zWdvOugPP;IpV1dBaaOUqCpPa&;kMeZ(E~GhY4a~|F(^du^ONp!i2BI#!+>MHNq-5~ z;qtU{AEn11ZHTGltbN$dAASeoYNF4@@7R3KPX(5iAnv}ub+nE!Rf<8ldZT9yFogNs zA9ZkYp-tR);A&2QqN+#2>DGZeh;{0BrRKG$7z)2HC5>r98XQIK`c6Fu`9XPs{ptS<|d??DTOn(UEtP<_=~V=D^O$qUTuIjAA%#7C3@`l!6)F{?6@n z`(hy}F?&Ql?amkS!!S7HY7x)2qxC+FP~4n_UF9%b@piDsL4J=n+>VVReQXe3&1Kk5 z;t16_k6%&CZ%5gM-iBNn_pdsq84f~uRr<6~LC@{5l#8d|uc3fety4O1@G<`-Il2d= zyJ=wgcZKH0mc?|?k);x-`elCz4I0s>F%y(3R4}(^l&dkL-*Fq{O4}aDb2D*0uN%uz zyG+P4TB@L7+E=2QXq2>;(^w$GJ>HKKu1+aWzOCt(l2QF8hhjT-faKaBdqOR_tBt6M z-hic0G=814$dcB|$09&RP8H6rn3)7M%<8R(`NhpPBXg#Eu6}D7u|#5<@0P3KX>>HT z?5-@U-|k3Jxs&r3pi7ZaSR64?jAG-zf$hYSbHX3lu~a3ViPf15*x{k~Kp#3ii1?3? z-LMh(RW_aM>P+2BL&bxy#0Nm|I4l!VKS_x*^fE6x@Pc1@U+Ifh^YQMbUZ%ZvAAd2p z`#ZSOEF)$vuGv47oqg+W<5hgP`1;C1bjba8^*zfsR{`bgf6UY|W$26;qr}#mQWMZz zYjpdCbQ*YB2nuAI?B~bh&VuFK(7;PQW^iF%S?q>~Af%El7uPRA^*@c+#>aB)0PPv2 z1^LGcN6_#!_!kygj1FeFN%9fQhrE20FN}w`QU;#9$wf48ZhdPi!@)eaCH7&VAt++ZlgQq$naB8d$7;Pcol%Zl!)@P&hL#HEb5Q6ci& zvndRBq_LzBk#$$NWj{;3hIp^hQpLJ4`*Ur8mSpbjCRo-CY(~L(o02tvx&m5=bV?Ci z$*uIuKIn(OKXLE>cu7Zyg+cFGtiV&u=hu@?*#>Si?$5t@Qa`79NFJa(8_2&Q&ho+J z76YCphZl92qHJ>Nojj^Z>Fu!Rag80G$4fd2cExFk3mA^5M&h}dew45RrK^g6=18r# zGuUCovFE6a;O@X6EPd}zH?2b5lRcSu{$ZaLog+a0W@Asv0BUuyzJO1y;M#ki*d_=Y z&q?z7?bj%_-EhS~$wRf-FsSD<*IB3*`V*fVmf?LdqP)Rtm+o&XnLVb1%Yk|$9PKkj z?80oARG8mgr}ETVghiIPQxR^lf<8G}y=ZSEng^dx=&yxql$(aiBrD?Ku%)?duZ(iz zeNZl|*W+l6d=}HlJb#hFIFilfGLUd znEI8eL&0+M^F}qSE3JbO%^~G5O6Xewi~o<8*Wj3%xwvJ}(73_49nGcMatExgs0AsA zJqM2}z?D{{qy_FoD`M;|iLK69^TUU)&(BX(c)BN>yI!R6Y^Tb zHci)};bS(9Ly}Wy-J=K*vQjI=j#)fW&P;b06;@_r?(^xWKy8zLTr__mWRV1yaWFnN zwL`r%{$bV8x~pG2RG`W{o56$3j$_thvP#?QV6)0VD#S6-%*Fjta$9p$r`vx!-7~xK zEjg>mSg5I7r?^Fy#)_C)@dYE4EUCnz0J2m$Bom-@MT$&~2G-SeBnfT;xOcUY3J6ZLEq1#rpI@ zJq>oaPYi&@#69^%VD`9H|9uP`wbzpG=z4~}(4H4gBKE7QKYTMKIV3AAF)JEKZldiO zw&!(jwOvA-ieOH04}snr)P*gH&^b`$_-R0ZY_PYAFvv0bc0at-qWJ~kQ}(8-v-NZ^ zqFC#U<8ysTTN&{(@o6}^r?({Y++!rmQtBc-fy~FeXEikjCWNkGF9Xj_w}a=dJWHw!i$$7d>_TtJbg%r`5dQ=(U zDa1~E)N|i-xJhZLnH(XCxdLq8+U-Hp&}Fu67d(;8kwt3IN1}&OIE6<%rx+E6xO&Fl z)~1~t=$5$H61&XnM{ClF8#nvR&*IGy4W6b2t)|AbL1gYm=nW$byNaMuPW60+k^3n5;>&0R52`-BnJQ!k0;|8k`D?lU}*;c>5CB4vyIocF>gRDAL zki4^2qApS6)SFA&Z33k2Wq{44*tFfI(iv7s3Xwm77M$`t=Q^q|fSX?Ws(fJf)vEY% zN5jH_%O7eyhi2^)e2`u06-I+rcD;?n@5qLhJxFUL4R|=Ymt=i+3@t%AZKidq5pazs z?_C*vQ#{ixb(UpKv&MBB<;-L8s{650oO9kQU9D8sGcTBL2)GmpwEi4{jd+Lf*55YI ze;yS5C-&Pv`LFF~fZ7>zRuE4FBvUt8Q?9=CFFXc}Q2B1fx#kjZlDXqNpP2O+yB($$ z9TGp7e@$Je_1v5Ebqbx=enkScxRM>E%b=E{Rw+b0h&}{`ipfuwp9=AKxvXiAW)N!{ z&=K3SYS|CUStENjc1|4~>pUAJQ?C-d@gcG43g7aFt>)kOXW117-`L~}p3acqK#IBW zY!|`!4$H)Zc_d_$+3=27BREs!hh|{SI3NQpgPGjlj2T#G$$1EVv7x%Cz=wrf)#QU+ zw*_(&k5c%3Vh>@Q6Lhp8zO3-d<-o@t`}V?B7dm}B!4S{x#D@wW&aG3wkNQa+-dkwY z^+`;S$)AhO{{d=TDT)-x9JT?*rke;3HPKX!SWB0*x z4+@V0b+wVYKvUO;ur9F~kz0y+I8*P1gdIXnLQDg$G-5n{c+@;tE$Q!z9cbg7o|}fN zZ@uoX_jg-sXYYD^Z@`G=AbNIcT7r(1#4}A>PoHQey(p-mO+Mf-tFiV;tBNJ1)s~@rUK80&^|BmOPdp*EG%nhnB5K-)jeAGN>r=NJ zbV-q}QDjrq?+A($9$IN`#KWonC-k}g@u&hyr2kN;DLCz`uPrVKQ*(~aG$NB@45=e) zFwAG`G%u+b$kgC6%6C1l66mHn%!{O8htRFNldVKi2T)E@d}!=^A@pT%J9mbp=bT#n zOPiGzehJYa(~kSCdn|ICqd~JY#}Ch}B#0lm!!Yrk(dufNbkx)x+1SXvtlqDpF=C9_ zxT}8!7AQ*9Z7xbrH-qf7GhU6fSBV)lpF!nR2zR|9ddRMdL{e~>>&um}odmq=% zIBsp|#9!tbx=9ggTMNph`}p7X0bRF=pQ*ggZYbS3UG_m`PacCE(Tb5MDc5>m@VAaJ zFYqJo6@N!oAU`fWMnj+D%|`w6xiB?ef+YS{2#Hv9$b(3%CPeCN($k8K5Q-|njV0M} zy8|)8h&`O2mFogj{KkaJPf7t7yRDkX*G7v>@W*ML`wi`#o+6A0J76OOjkxue5+cx{ zb3PT;ro`8V`*%KDy<&8^V_oCqiH%<9&ro!VneIvsKqjX=CX(JP9VYGaF@zyDW5Du@ z+SG`qi@${c8!`vx;n1BogAw$#iP^nry&v$Sw(+Vqn=mzgoC^kCJR7vmTSssv$+;+n z<-v@GHur}Xe!NgPNcu>d_rm8@{uqc@k2${uR%!N=xlKt0{_KMWm+-keZ^oFoNJ|M zF+yjoM6)K0q%;a*jVrY^%vG^cVv&F|a$tGZkebWqr<)zh5G40LxVK^sD1dEk8YKx> zn?BQ_k7ucwOk{7lNLnGY9t^vKLA)_D81|p4R~4Djy}1!|+w}#^hy7={%~;m+t3L#g zC!~l0rDrPHrL_{~?ipP3(5cOETp4z|o`XZp#BzR+mRbYpdR*>JBD%JgL2dK=1~*OR z${@bX2p`o<%J~>yX9*|41jI|!wx+lt+lZ``?UPnpK4EWf>n%69$r?UIa~W0Ts%%`I zN`~n!9ov_@BKsF^0;b7TP*M(AWw!^gs)n1%jg*R44!*XoVj3_N3YVk1Z?1dr`f7=9 za{e?dsE+G}ceRO7u$v0g@lE~$BHA<2n=c=r->-$y-9~oPb?>juHSDW?jaS3OR>bud4zxHtTI0f7?WReeO~~@(ToHhSN?tVqL1?8k8TAeJxH6u z*9Mp7jI|PKPr8!4dORto{NyKi>5Yy`CwS2kwqWpWG?MbJjz;`yg|K@e-Y;FjhJ(Jx zq*JS^y|_~*VK$VjwhiqjNoA2(R~j~%wr+gk5q)DoUy4+1d6xz@j5trip48YJI8`5} zKdwc3&nI7^oS$OZ_)NJp40+@2eUy*zz+(%Ue_ykYz)E1n@{N2{^m#5&ui}@+D;;MI zk=#w#cCQph2)Fms3xY18T?p%r_Bx8I;k8-nB zrYoSODi6HDM-;aOOPj1A?AaP~<#O=t;LI&%ko3|8E~{YmEktx#_GyUJIqt`Lw{_GM zmNOI$=%)}B41|i&jb%He30`-!cI7_dXC5LH1oX0P9Jrfd?4si0L-pRus(yk}q4e>N z*#{4+ESSrG2I~?=?-|70DR<(X**X1G#E8X+Qc0)o5?+0S=E~%Z*kCfEU{M-;o}k)> zfYFJO1w^CIHt6R4Vd}@*1Ym92U)x|Ie2^nxaoKBE;Q4=y(%KTCNBM%q_kTYhY-Kx zv!6A=_J+QSP@ zlc?UhRN1)bJvynL%KA&#=K!z?RJc^^jDLbq1IM8)B^5w`;#;0X@$y9s1PhWet#ix{%peodFt2t1P|{ey(RgYN1}jwUwf9- z|GK@_xP1U)jSX8+qo>d&XgT14@ z{dS-AeIr4|>dd2;HA?Q(8fiBlYZl@9tRtT0cZMB4LQeAL%oQM6Sw@>hcXEeP z1{*g`>ToZd)F^(IBrHAEN6GMZJwr)k^_Ey@ZniS!MuKl~fDrqZ^%{oJLPGAd2!bwX8C}n(~RFk`oyhZ{lMZ~g?4z&K(9{>_(XFfN8_dqGOnxA~@UK>mAGHU+fu zpNrI#w(OkGRLN$`z_8n}w2;3o&hJvuCb^1h`ptg$$MK=p|9zm(F1g{={O@L-MyU zm!Cp8Vz}|M<>U6wQGc!ungav`mu|c43>$SIDK#c(QBHdamseT_x;20JY7I3+RfxKg zkwqHsel%W0=lTt%X{eOj7?h6S23o_^a8K`UyYu_iJL5*OZk2WIO^>Vz>OvSus3^wd zyWNeZc*6Y-6BDOPN0qZR22{Rh*lVL^>|7~U`jfw8iMdXY8{}dbUcrX_nU-HuH~Sd-4`>`q>rizhVMuAICndK zh567kprLoZD4yWM?%82rJv7*+3t$k7&PBx=h>o-xXy01X%E?1WT8i={Y zP4KS0^m+n`(0sZS&Y}}!NF5UmVd+RFt_;gKn%j)392OXInSl%@eE3*iIIxoVcFa zBo3#7(3Zo3(pMfjPTxJauGw$QVT{*`xnvyt-pg_J~_mSuAt%oq7 z>t5EtRXQ554|6eYOe`zg8`S9#tUYuW2sAmFw3&OmJqXC&m~!)>P^_FT3$l%K60dEO zo&I50$)e?m&C%nYl>97N$zY~63`^B$k<_F={o|637Xt|TTM2K?lb#E!YFsJ}Kpnex zM6uJ>@UkJnfYGqan4hLTNJg9p^cVR>9h9Wmw-*Qemz^i;eBhSh{b+E~4$%om!x#hX z+vIKa?(&I$tZ|J1^{|RZkD#V>DW_62e4pLr!V&!CmI`jJrOBbH*sehai);1*v~v6uYf&s2tD{XGr>Ff>WAg~N?}k_h^j2{u~NJx zGWpOIW&Zvy#o~UN&@uhWG-ODiQ#3pv%!E|v#fX)r#$r@K%hoyr>poZl>kMU&UAROd zKd&`^J#|S{2%$*qW$yw9F%k@q`>MddKIatDd!iqobwAiqY_|Af`^(dazDT^`G|mX} zI44&*GhQW6p(|Q24#r;MsAp(ZmMlPhw3m`&7mKj+uY)9N&ttFvNTqLtT*3(k+^^Ph zZD)U2JYK!9Z`xi`e@H)nY<0-k)>p8VZP}%G6g@mx!{a}_=f8Mex69gE&i{KEUC=(# z?H-LbgDOQAiShP6o&6x|r2Vi_yBD2;$#bXV;h#N&k)u12(4$JY<}vO1RkMCDiVwy7nacHfDL# z25J0hm1dE#LhmegmZS>X_L0<}XKJ|75=BS(hy{Ik0+eg6t@-dG74RXElib80?94<54hV*7HU z6%C;UWDcP}S@@fYq?)q{c$_+?JDO{Ma{|{gcCJgiA0Az~2dfjemUtD$BCJ>C=GMV= z@ZCALrD!AxX|J!s-pm#bl{dagj={p;j*U_U1TmKvcp}s1E5&z%?_$HS)0Z2u|1tz7 zTS^;f0q%YmJ>ik;~GGzO7tZ#~yxm9oHRO|67 z=CRxrJi=o#nTp!YJ0pSv1;INMGMp-dR7l2 z6`#i8JlvIKpql!f6EYr#qc&Yajezy1@1@}xY-86SUKf_l{h|>mp&_g?tfno1cw-P& zMz+~lS$^i6vO=OiMzs0*>nkg4e8p7s(WYrJo87QIudqB7=4+|W z@Up+>iSbb52(%UJ-ebBCI=;HROO;DVo2c^rYk|_)upC`MMvtrSew8AzTqd{`EXU76 zpiCbr2C7d!J4uE1lhV-PY&Zs-=6i%E=AkY z9-)JN8?@Z!oNQVUezPa|j%mvfR{my1y9TG?uJPdcNS{E$`Y(qI;BNS$nvqV-i@_rU zXrX(ZC2fcs^V+!4oT7}_do5F`FMsy}AemHII##T7u;5PclPqbR^-O4{9blgWB*+e} zkA3{)eu5`3EZpB~K#-BI34Kb7q*DZw2$W^>zn;mP#`f->iBZNRfV z681vj^=4y~o)Q^NtCg=#I+dRUHU)m4@Q+3l)$;fs?D=o}$ALcr2R`a_SE{-zIIQj{ z=uGgoNkl}^Zu$*k#ebpLK6|dU;>=lhgX2rKZWnLL>thfyC|%qQW2(<){UhIf#GN2D z_sBf+%qw8ki+T`TOnmT%4dQZ_u(BI<+KoFvbshVn4$E>v1&&0s%*lS-oB~FI za~pttj1J>*DxVqFIoXJKss|^2I3UJ}nmK18k@0=UoHD&mO;tG@tXk|oL-hQ&wFydQ zea|2<1Dy0NC1A9qLH%+KInfwZvR>$whJmaj65)b&MuWgI3cS4pteC^gQTGcuM)D{*eaQb8m@vw*pPU6iSO2vlu|{(eoz~Ds0vPN>G<0sUQY{R3Faf8wDIUt!|3 z13VDJcz+gdIh=^fH&_fJ$K-AO?un1q(H+=squ?j?>b7)My65SMrOzu$&_PzL#Vrw? zC@8#$6m~Z6+17@}k54l-)u*~?qb^-FH{Og5?n)Rit(G|}Z>`t@>z4KsUdd(l?W4kD z1Ka2f*P@$xPpe&u6^3*@JfW};v2k3tQtVh76<)QA>w;T(_-Mt-(|;>zzcq|eEZk%k z+DN;$txJ51=_&0n5&0F~z_>Zr1*iK?fcKBZNf`j{WkA_8%C+AfS8u9*X~0hX_;bG>h#h7)IFuU87}bq=BbXMlxqlOgL~3d z6wT~{8cJRzLQgQGl&D_#)nN!7%->GAH&Ospj2Kc*Q}04jUr(8(XbFP!ENg_=ZWDWA z+rFbUltEea<-wx9SN4I!mZ#7PXno3-lB;k5a$<8V!(JHVGhG=ewv1xX@PMo*k?;m1 z$tg|>O1;!soJ~F*^+T1?)X@WOBLzxN1;N|PJj}mL6v&8Y)(^Z;E~o`ETJ5bX1GRp8 zG(D?6Tx)78PvDX|@=#(iS?$@|ixm5p3bHKhqxd_@DnWtM!tgoo&H)eId$|^XeMRlL9f56MOf;xnxKlKb2A?9TywmKDFr>NI+ z=&X|zg5MCDSR52TZp^SW4q*srE)6q`D5Wh2M2F@@)mHSseWki7X! zvSRaPX;)Vuxy-ky=&{f81IJ1WO*5=At=jzNa=3i+Gmycy!`)(GM~>~Y4-&%;NEIAg zPq%^Tp4coqXUfe|gjLv$yCU|GzayHH9s6mkoI>+^%1DD!gfL{zIjuMzgl(^P1tRVNuIS2WN;k-L``Xl%(B}DAmhbZWJ=ie5us;Z zI?oT3w1D`y3daOU4{bgsy)G_jNbvsoBXj+9J%mP7Hy3rHb_!f}PWT`Emhz3d;tg}F zcWgGJ?g!-*KF>iEN%PltpdazQ{n39y9eYRN<~Oi-9p{nY?El-1*?n(8z|bE9O+eib ziQ;QK<9WJ|Dj6n~&OXF0cAp7Tt=q<~=&iPc$f-!!Dz`7)@UQ)2Dk%nwk9h_M$2I6P zuN&r9299Zul7okF zZf$i9;WkB=+&+}H(RSo69t&hjT^59KuI{*WBr>{8Kt;It`q%?*xwT5p9=;XGBX8l1 z1-tEvrF7`t$_LX5Z<6Wt6{<9)ec&R*%$AAfpm&?4qqE=Nn3=R4bx9AHSU|)W%Jw3w zV{jIBx>qjp$<2+PFMw9Rs|u-*07|ip0W}}vMwK1oM!NB-hr-2tjJj=)QYyQXgI9y> z28!Lsw4<`RZ+9xCYsD7$4yOEBuKeM-%@=`j6`Cgn$Lfp(I2al6#4}j+eY!K|`4rAh zA9(chNuuv+r0o{hY@4?%xvJ>8VlVU^YS$jp={MurD~Tu8eL7AylS4xoWX2d!X(zc~ zcYdC*z;+oFNS({OD@Jbp*okFiUs{IGeo>!b(CiQDZRWwl2W|FUi|#pA&kx;Gju!DmpXYU=e4yXuoScaQGaY;G{FVE zIv0p-9+gR=XG^jt{0=A!<~?P5An+i?vrj@4OSu`O_INKd@siXit>lq7+M>e`YA63F%5=3T*OS-o22td0B3`|4E4fP zO{HE7Lh4(ENczrXBwL? znL9~m@X3tlS2xpB0wrBM_g8`k2xE7EUg&*=t6A!y$bld6jYBkO55!-X-09SF6Kdee zO)P-ctLzNbI6l`=3uT0G*w65Ef^A!-kX^4jx1;B|Jec=BZSt1^cJMuqnyf!DBm409 zOO8?CFK5iI(3vMgu1sM8b?$AQg?r^Y*3T3=IKvgQD%t|ETLWaxB2UUDISovZUyb+(Q z%M|?gQL7wCffup6GK%uaV`y&2W#2sPV@I7jtfOX>(Ll8S{!HlbIJ;Zum@bw%Qfux(MR{0D|gJ)7J;>}pF>USBlAGm=-IU|wXX z>Lzj*OJ!JhO`==fE{>lM1S+Vtr`PqG``vUs<`~V;i-UHWr?X6p z(=4q<-U3Yx0(VWPlXwPO~6DN^$A*U&2YAkzJ)Ly-a@F_bqHh0>1}v>AbIVQX)v_HtxQe zA|!jaJ?J2B(rr=mu-UMO@@kqU!9+1qqJYm$^LtWGhD(~_M4d*5N^jo?#}F6?r_(Kq zdd6zxY73NBJT0HkY^6-maU?rZ$WY5q)(p*xdnIs`{4!nN0Q}Ntp>dZe)1V@R$**Q> zqQ5tp3l1ShqOCjJ8BS6u1E8Rd0mVTK*pP~-p0kZA8K68#WjJw`m^CYnC={lN2V;m& zbJ`YQmTL)_A2bL%Wk_bcUx@pp-2QUaJ0S{BzR{ndin1+)B+pSMi&oR9W3DetWmA(h z9?fD^?iHISg2xr(+Pf_fNp3)J6rMF7?FQVMx-;dE-RIrtnwiymc)A5S!c+^AYX}9? zUUce<%qi~z!?joo|CHQB_fF2W?UXZ#U=dG!xiz#6m@-BLbox@aC@Yx-N%Sukc!qXH^KfG8Uw^*iS zOb}u}bAvWE;FXz0hH_?jc7@5Ec)gm}I*xqn3{e%h1d+U;7R{YA=KMv>Jz)@`)eg82 z1-FV1G!Im(~z}=L6Y5vnA4|mOg7M(fN^mNA(Xc0(j>)n;9$uK?HfQp@LG61oIA+o2P-MPVpwV1kfjDS>BE%ZSe}- zyjyVhZm)r$F^bHp>fS(32hjZufFl^iVXOpjCgmy72HybpDJSZwUcCFx@KY*JkIJe= z1itLOvu?(G61c&=mHYWIx+1DzeK#uoSJ3xdTGLE}gX13n+qG{8ZjY9l53^m`=&QV| zt)IMW$E(|q{iMJ2NkQ_`DY(r_xa7_sDxr@AT(-oAd@ynlF~z5)6;bThgQd%Wn>`~g z&p6H6TFUWKUH@Zq+G2OyQ3o7UxlN-KdN^m}^JNE-7aB9aMSDwV53TZ)N99w`A@$ z!CG8lTklxdjhiRk+>MYO7s~Y*M{}J#-EI0&>TgAf&bc30OBa9bV=KcKvX>f^k$M$6*-#tPl0ABVMa_d z>;RyZ;lb9zqyW^bwIrBa^JV%_jeai*WWf(8F&}=uWs$O!YdY}75R}QRoTmNFjwtN> z!lZlH=MTUS;QPtOxWZYkp(^LXC?4C?N)`R#WD);0v2eeWNWPjF@F9zm2)W}!G%|7C z>Hrm;Whc-X#ojbeLMR(d$20@&Gbea3XbmOoq|B+n9PWLc<%S}3+C!U}uF9xk5El}? z8JYKxX`&IDR@M|?*&0I?R|DVM2NfdB-B+H8l?fcao4v{m{LYPjqr2j2$`mraJLvM z>p21#XtFxX==CoX_n;+#0^kt(q8VIp50dVRaGsdImqF#^c)FvRHA|S>x|Y6IdnkQn5GZR_&q)y-sv3d3!IEc7nO zNCu6-`i6w){+FJKG=LRoU(rs+BJ}Q;CcA?_a#p^ zj&Y#L686|rF>@xteJ2X!Fx_)>>3;)?^OSF@KR^!>^m%>pEGZ@48KPWol?+V<`%f3jB zJwK`v7&na!Q2v#HV%CE%wJ9YQk+*(N#Lc~q&TlEx4f}qd|NDn}1=F*d4KfjTrd@+< zsSFz1#P`@}@qt(?Q8o5nD-7*8$K;3K1m;ZLrj z7x?}0e*!cA2Y7p^yO)i@=~W)#zklzW?1_9((b6sR+8}R4}QxjK{_p zefJfl8$Yio?>4|yWX@$V@-y6GxS&BgnxiEa#LbrKAaa)hsp1$v;km2L@n?38cgz>A z|7*|n?~m{IxN8|(iLTPO@#Fs)A4Cz(qjD1z#C56=3c$KZ`|UiLi_0K7PK6`wR}B;! z7uo^GGaD(jvQo*_wn&wZdJe%NrEeQRaBBw7no_;-62?V+v6rqKd^ubH(#`Q-Zyos( z%+|1#@6-SP`(MU>>M(4O3XJRFajfdw^1_&3RI*9WZ*UrSe+_uC(EAx#%(HO1w-a{m zBJq880NfUTeg*555MF)`OZDx4@D~5%S_qZ#!Zz52bjvchro$|a1^q6bhIc0fsCgs2|g;8I#5`q7jRf|_=@V5r6J zmih}Mf)4ip@20zT_E*oXSBBgdLlw?eSFWszAdXen1thQF{531WEB&hj&qF_ENq%l% zh}1Kx{nxkWgaL9=Rv3k|VHbV^Qeg{h`n%3^-q-%m;`!49DEKf!V~F8txj}yW5pr&b zOFe_xxo%~g!w9|ZAq)|i3aW(l1F!#mXZ=1~5<0MQ2U>M?*Eyl^-lHW%bKZeqt!pZ!vCo! zPV*Rk51!2}lJo!Om9UPjB<{EiK&C_~{mQ@j;a#P($C!~Ee|w$v-}|M`V5nccnaF~Z zZs+$;J?uaIF69r-U7TlhpL>7pFT6kg(U#JG2+M&fv6trG``{id;KRAF6~`|6{@?rH zK46~3I4F228S$qd{XcWeox%7l2hXk7v6JN9zxlxt!9r-mV9@#ti^zYp4nhUtxk;jV z^y>f35AJ_A(4Tt1|GRc#dI-&me2KwhNg8#OgKVW)ctIvlpOXYoSl;N4J z4jQbyM&T?@sOXjX)mi@G8Lur&K``B62QJNv*GLK?5R_Su15ErL(Bnn28wExI5|kvG zb(jK}uFvA@fNMZ?*2lmhX667grgE7}(+x)saAAB_kjjJ>J!fNM(+)VhA#mBB{iZ6< z37zurZy=0+1=bM`+|x5FVyp>rq_}%2*lb6!A;OiHJM^(>H|X zXfg@0eg%M&3zK&l29hx_p?)(un6B{M4tmH3$NHuz`shsnJ=j2D|C$GUnmYhvO~@GU z!TnQ<>>oX1dDC-m4H-Gp7})>ND$@7ona%o~Q@D@r=d?GAaNJaaO47>?lfq@5irsuD zFK-`cCRp=Q#DNZ4!RkJs$B_tY_7bJw7~R`SfHoR< zq;~@Tp;wXv~gfu!3wH8iNgvfU=!Q;Y<{l3ce(BT zSNH)lQ&i3kilFN7*7k4KH~-rn`A6^lpZRYONHGX|jUniCxU46#M-Npwty692pP?t| zkUCkEz#Vlj!RlhuSP@kkDvqDw_ir7I{W{g)-vNdeb<-tO>`@QEuvw(0(gYOeHKn?* zd+&b8Udpx041M2YbxCkTEQn&|e4)#>DNwO*aO>bP0=8z`RR|j*yq+pN{T|`p9sv*u zOkq?p8>aIbfdIk^`Nb$xjS1zbI!Kf(pmR7Er|)5r3j6FxnnMET{~2oOoFO z3jp-5boyV3n@t~}4=(cW@!F^B?+o1)f7g~`KBC_) z$Icz)hqmHSOtWHBW+3a!F%api5E1Fi^VnG7wrss86>&_#B=3G`lM3M-KCVwZ6+K3b z8|B7~36x45N8hC?7rsjsmVUSr&NOPSavY9-eX_1WvwcUIJBC5Igq;sSZ1uUWcFnS3 z>By>{_PE+%rOb*rlb%nnhSS_>6q)z$81A>;1)4Q_SJeo$VOWXwH78;je_j)v_pLp$ zdYHrNDHZu<4&U4__g1;0Kev@eR*xuM>YCdb2oCy2c10Pm$Maq? z-(Eih8q+M;x^N6+s&WH(a1RlP$KO^5s%1}*Bv9G{Fa(1U6qw>vI8i|08f|ShRGV2s%Tk`yP`A6OH9+}zcbW;#F$cwQ@LCheS z3NsQ9d{xxRc1p5)=;5^2F--iTko(gIhd3H++hYKA9z{e%77>1}klES}lfb$J*c@;4 zEFclcNt#ruO25?s^gN=6io-B{eZBkKxzMnKl-*%jZ4*Ful7LAVKVLzO+J0J}=TB!+ z%lqmEDmO#m&CS9vo*iyhoQS5=LYSJZkREw(I6Ck z<=C?Ntw7@hCfILOcq4czc~2`Gj*_SMfSuj}YQ(YUH!>Tuf>E3cT&>R=YD?_LNA*4w z=O7LRWoEK-wAyxVyt0IGm5(isEbNYW=NKw#Aa-XZ*I^rI)seq7GZnRPW*NZO($j!z za)K;pl9DhE4e+;*Z5X2}7of}Uxc%A>S3o3a3elUs%?JAIq-_xX`+eZV0lqYLwH;+k zBK-dd6Y`^_-M9=Sz$4BSlWKep%f=%m7G?}8StKS#MxZ?+oIU8X6`#{am3Kz)^Fed~ zkeLmAiK7+;d)#&XN0#`h87j`(ne$qXE1IU6rQHCuvapKJOg?GP{+=ge23nxmWHr zL+kU`!Eg#f6y&?Ll7rEbPTP(C72>kJ7or2@oh)(b++7@CR24em4*ErWNZvg}&}o!=+alfG zL2#Iz9d#v`DG$xZn{dF~?<#^e+=*fAG4!eS#M{m=N}4Ei@idlp!EMn-m${&4(we2Z z3Rr6PZdF;@F>hb#-R!QIO{;xuVZXYh$t8qVSog5A#MuzY^#E3L6>Fm0HbTFq+qyUG zDr!OZm)%AWqOM)6yIAl_zc(=r$LLRSOoZdX+83&mddAo6PFG*N$@U`zDj(Py4o zCh@B3+EsQIt?)v(nb}zX9Ig1G+zat)gx8y5D6?cnRGRwNn|(g+IEWr*k9%m>SuCxx z3(bAzMh&Hwr^@W;{3toJZfqpK;pzXngn9FB@u~AYzPp>F^-H{W2rcGvHH-9ZbMlQJ z>K@r^FAM(6x7L#ld><0mC4{RMUZ^`A?mhjC3aCXv53Z^O<9k=oadM!#ye?2g;-4#< zfiRq=Y%*RuWBo+rveR^gppeId`|J;!L(J0LF{w087GrNRHDn{s9GyUVz1_CFX9}mx zCJgRCL?)ZDiVE zp%jyal^&WG9iE`@*|Zf0^Jfg}+eYq?#79&TlVKUv%@aW=W{ph<41e81JRnVcnOHjd z2GzG+u~dS!_4#tni(0J)(4pD~0OB~FTZ(A)4OcNY9c#3~?{OSEyi_EPn$kPi315&i z=(xL@yTp3vMpcPJ`_egL23l)0#8U`@H7;7d{3-0^fZl;qjn0&Xlt*fq^zfaB9pUw7 zNYkcB58wS@d6W9ptqM;EBB{Pq`S2Fy-h?<e&$Gez4l%TfCk|2OQCMkaPh3mdGY@Wj@VmWlRV>wU29;h#v8vI2Mw0R%@4{ z)1kTcvjNFPzq{iCGQNVezt>%9}Y|*%@8c4BQl!X^yvA{ z6$Yh(DOWuL)cj0pdxQK3;JUph(6J)aU!6#hE||&P{Ec*UY6OZVAy`$tUF51E?0{zI zgDvV9i@Qy?IjUfS<^~9ZGVm2ZVLDT?F7q;ve}L^nZp|X%;IqUlb$M{zso~WcaGL-l z#G_#y{S}s)3D!Y@89;N$Z0~gujcTqCEmgupnM&iTU9Yf-@Ql8cOxLaQx7kOsKZvuy zGOBgIKO|1MD`ve5Pu6He$o61~H1vu8a{crF^b6h}IrE-;^3=-CP@28wVZF5u~F~uuQsufKfHNe)=~Torm8;1Va_($LkX(iEi#{< zVufIYh=Mc|uJI>GHx9+F8Z~LiCGA{a$?pMLbX9yhV!4kpOC(?TBVDcxRbY5lG&t%a zp>t{@9T!9hv(s?xcJ$q&M8Z6%Nvk7StGEip$^Go`lIpQTkSoy&M$WmgZCdV?&cv54 zpxGjR+sX)=oAx5pH=s`rWeU z6CM_qX|esXOP)V^wsu(G zx08IaSgFFE*hE2ywtlYO|@^h zXBTHu2Z;cGFaleVjr>VKcE8;w;)Tz37%gpT28a;-7#=bW8~gr13EEA!9*^$>Je~>K z(eW$z$gF%=?}dN)XB^iRd$kCtZ6s4m+yr-6}uJ7|j7!P{op*s(5 zLBL}!%n|H-aHb{9UbU|uo;|AXz(&4%0$2VpDgtR6SS5O50D|;&g-ff3?gzov-OY;# zaZgNRbWL&iVMoY`A1_8ZE)F`YnRXx~GIUNH*E>J!DHge;lKtymB3>>9J0LF#h%0n8 zYUESsa+~-ZB6}SerN-!$0O#G>5tQq+Js7u04|_bs9UqP#E8U4}T_|5&@j4K3M^1+7 z8(=~-_u;GD(*Mk_H@L#Sbcq^=cg!m&yxdhdgf{rc?fU<@)%w>}z^BXJIdfOf3uoSs z+ip9-Trj+$>K1N0y>&4w>LnrTSr`xYX`HKmK;#y&-i8>Cv*IfqDQw;&zK%i@sSk+U zC-Ms^qi$wDX`j{UTkK0simWm5-*z5x#s7F)JZ?sYiS6==+U%v z&G9&9Mz_ka8kSuy>s$vSd(}!H>*C5+tk+7~${d!#_qRaC>UQ=oa#9nw^3_z-PII~J zUFq2uzF((%Ky)`92#?bnUDPd&+1^i+nVzE?DCD0r0;XMJB~fb|J>kp< zG1(>=E<~JfVBU?#%As>jWJv=eM%da;>7zx<$PE=-h{yv1GrzoF3y_G1&3sOL`IbNu(pHeXfgF1u?A3VG?=!fZMR z!a>*ZM?Tvx0%_*#~#hs*i-)jf%S8n{(bAG&o(Foi|hOFsVXeo6Ge=c7&}()f&!I#j0^mQ(UJV-s^`9##*=l3;-$}Fvdq~~ zGwS-~h<#)>8YE^EK%qpysN!a zX+L+y69N$P37^p(VlS`A#W5aNBzm;;9`uQHVs7->f(GzmwWLK3#@~Ll1|nOQBR0nR z@OPyM7M^}2*IB^xR{E~J4cx=@WB$EQ4wou{ohVsuY8F8#WW4Z*_Qz zm9Dp%z=Z7_P4)_v4&|ms*39cMhD{-}-FziC853Q?kHg0ppU^zbocXw{qSgBbO)aL^ z%^kTF*t|}t@(H%=!mH>9?6fESC&%AE{U0+5!p%Js1C~UD{?d1vi{)dsZ)Hpz;n2R;o<^6erfXL2Z7;^sNyc-Y}qMM zPleB;K2lv1W(5a6jjlr;TXPkS`$YjbwBxSJhmEN6eQPcq)QmRf>cCDpUa)+_7W%Ic z^AL`ME%BoGJ93&aH^in1bKwgY4IbXq6}$zbQu#|Hh}%K-XSW^7Yr93y)`u#v5%V&S zzI3bvDAOjNWvD(+43p|V_~5YLy0h`s?h6(Nl=QtmA<1*n&pfEoKjNWjxjT$V`aTHE z^OFD8a{RWDw#d>I^2p~)2(`aI!xr(fIyj21)Eszz4lsg{CiH_!<%Tfx3DnuWja;vQ z_1|9Ioid|;^%nY!uh-EssTLlm-C8A`Rb{Crr#DlYp{P20-hcS$1uG%RS$$b5fru9xqS0k(HdX>&IHPbJt zl4JJvNXG-q9hquMUOq{WL84*1tw0I>!Hw1P1gKAQM8ug6VA6dNi#>m^bBg4n&k8yR z$07MWdg0CtKl!1;=<+|o924&2n7w#ZJ+C_irPvY4^bTfdqIU!1(u@8&~$CT+-I6p~C={X7aYEQYx&o;jr6fgd(jjo%2j^p-dMQH@@m z^)Rr63=~FgKN{RULX_U4s2WtsT?a9ob0&K2?<@cZ;^2hGTuQhtKV@yF?Vh<7?wIGp z8OCE5URbeQe{3()%tPL5w`7IcHu4hG7t3|iS+Q}uTH)o8`^RG{s+r;RCBzXbvlc_Z zsl1D$E;(|*glKy!2W4J<7ZyA_`k0JE@=*N3ordIHdzkQjKtE$RINRmc!5dlOwLWUx zAxTwmZu?%*E`oP9PcB(qkvP!F+^D#R+WLN^vOF3g!G7@kQ9nNrDAl1@Gdnt81B5)L z(2Nxqk&>;_CsbCZYS*NGQF8>umVg)gsXD0Us}I)kUH4h0wop?(s8b#4g|=OfHZIzE}a{dO7X)+F6<2C$<%J5q_H&ZxP!a)yQT4?L%qWnDyr$3y`ItD*vb{D z5Z~XO*Sz7dv*JXMOXd0TwYl08KaXL1!^6n<>EAon^Gb&>&CH`}c5>t(t!j)k+)O6HGxnUmS zufZ~T#3=Jw3v2+_rblNS1!U+|-=5fbAsgD-)S&FplG^de^OVj-I1z&Ry;)o95#THO z0P$3jO5RKbww;L8UI!Cg7J1_Zt4K57-8&g;~q6jErZSR6R3_`BU<1p8szqK))xC>sg| z*j&}PJI6`fq)V+ve_xvK%`o^g3R${DGA|_hbZv{aPAKao&g;36upf;?Ot{}x><8$8LA2sA3i=omRC&W75!vir2*#v<3kZ@(%B&m zJIK^4bCu+*Sm_X6$Zkx9dA6XWiNUiWK-3s%mROwE=!XykYEss6L$FQRZ6sxrdi#xw z853L}+$9pw1Rd=arc|el?m=ke^cC3{6CYM7!Cb#Mjr|*U2+~xHhH+l|E_fhhRhGD> zvVb_)N_?~#v4Z(fi4N>RObDOIQc*~>npB4d(@So%0~k-dDs&at!Xi`AR9J77WJDkJ zHaGhD{j1eJ;QDis&2e;)nh)zW>Q^5l=le=MS+WAg6kLxEt%1u6Yo^&F9T&ZIiqbZ> zVYhL`-4qWXGuKI1Qz&`SchKtjPbZ0y^TJKVt1Of-e_pvA^?p{4T<)g8-9VYgpY)GC~VhhkkVHqz|18VR_Upr>8UtvtrS8 zgPZ(jNg+oXQY6$9+!4_<)y{0aI85x-(m=fZult~XECl`!zweWZx5>QXg`l;i(*xzq zuJ$<=n^sy~ZM(E&9ZZf-43obL5cfo92v14`$FvrrV!ehpjlyF;o?gjjweR3XwLf59 zc5DgNIwHJh`AM#)ysrPntII7VTUq#QF4mPgxzeLkBQ72?N*MPaZ8W6LwOv|wj_>0Y z*Cf*HWHXF31+es2rwD^+!(RJszrBE=6)xS5umh%nzMG+3Qg?s! z2QWQi^*Bt%wte`~kz=Q%EAnga`&B?{jnF+w{naz4Unm{Y5LK4Pf(en?N{MMEjJqjb z2xwrH<_l`QD}a&OlQIGb#)oa?8<5v7^=tz&(tpSAzpq_G&D9S(fcIFw&%KF|&Tzm?B1aBF@ji9*nL+9pZUMEoASf~E@U_Bl+?|M(4H zTFPHNJP(b42TYs6a^~1oz^9p8#pWQ`sS^6v6G$dV8{OxRi`%^b2^fgIy>*7nGSl1Z zB(F|Iucgu_S~BaM4sBG`4e>w(g?5{a)^m=|S4NDu-m{{9x$Cs!dqE5&ss8Ys%Q?`zPnmV7c1y2^TjBtSi=dI*rC*QztEigni19z63qz`^QPVsGuXFEh~ zI1|RJYDXy;_UDiFaJ=BrFv;?fUs|QP^hfW}Nwe=6%lWU4MSb<9e?#)bvK$VJm$(nq z2OqPY-W-Vi1jBKIRhYSE=kEQEmoTIf675(U5R^+w`Z5JOFE-6k^T@a~PaA_ONl|y9 zQR{Eg?)MEB+;kJambAvBaH^5NPKs!#%KDr_`|xSP!iqozcZe@O!`o+dpYZf%#KlH& zzWq&)Kpef%jPM30zqy6+sj=LT=keRGZA>#?U{X(puox|zrPXd6tJwI;x~5>%8u*$- zz*PS0RlP{jpBYM2N4Hvk;$CjsXA2u?{NX=*nX8Tde%;Cb1JA9dsI+R)=zTYr3+}6j zmxk;Y$~6iFy!KZyz!CATJuV$B(B_cvBpDjo%57(sG%z&&yvRU~uR#4|$MJsCWOch9!P2=(-4s&ExZ-=KJ{w56Ve zbe=s)Qj`Wqs`_)V^fWQ)9;smn|9X4=QA2R1{d_OS+`KdU)Xs+1OYh}-{C=BGV|p3M-GdDMcEPKRsY9?Y=( z?Guf2YCPbY__xAQW z9yk(Z3+!qWH|ZE{8!t@5Z+6NFf?&0uTd)xmO?Gf)QO#Drwzv6UgE%hyKykIsopR#i z=iMT@j)-d)yH#<98JJ`CdZG}uG%nz(IvXXkE~6N++i?1D(Mu(pG_ir5qvu7P^WFuG zmITPrsz;l=FVPVtmB)F(nm9j;TK2{UQ)teL%V>DXXNG4c*c-pFBu$q1@kcZXW7Ch6 zt|t|a++5RH;Zl#2u!6(M?s3=^T_^MCjGknD7sm-Uj@s?s)TiIpN#0p_?XRarc6kU4 zTYJ|CckB#12&HQFjqKtK(`+A>=BQtA+Wj1W&;MO(pT4%e*l*u??fL9YsYBi<(p0(l z<*SOm%tQAesr>ybo}sCsC^N6QPat{v+;i158d&UXI%%{N)d-(a16X{6JfnPc{F?y_ zAQ|Bc=2TOBUv&>V0fxLI^(TB;N z4qb=f1g(>4fV_&Lob3_2_WZ})9zc@X#BNT!$EXN3s$;cCZ}5a^pUZi<)T*^FRc0Y;z?nGrc|y zz@SyKeSruVpDpCxIl>++mwy;qm`_4fwzw!-4Z@ZPPPGTx= zi*C+znT3pNmEGAn#-rc>3ena zn*4H1?9?ls{k&aE3yTH(?!06D?YrZy3;i>L-#(aT+LS%0BWZ1oC@w#wWjXq+uKo`L zw1$|-1$Qk%Ol26i*HT9P=K0E2+tV?Zp&z++7$tu>_DOi{(Q(u76jYB(Ki^2T-+k0) z1?nH^VqtA0@NvKh#+c|hHAKRIZbItu`Jwd5h7#@a_4uBtmMfm9G-~mX`C9|Idhs?J zeamYAtBVq+wgS+?PT?Dr$zns z^g#4>&673m_74jeNb-T--8T;_o@m|&DFD?owJaHR93sZ~F?{A{&;7tcGQ%yKm3b)Z zu2jPa|(jE?J>gD>5G5!b#54B?WfRa1fXfTJ1_ zZq*6LH0X&A*}IE{LFWanVkj8{SZYX?VS2(-2&1#em#2gquWFa^ja}++8DfNdlWFjx z3%bf0UW}1@+3ALFx)OgAkvJalq&_LVivmM-T|zr7r$rS)M8n%+MFxs96jS`N=o~Ji zzJ7aGAGSE88L>M9*h3(o6=rMd$vnauzLtXWjXO1gzdhgz=g z=t(DN+R?HAy7@&eANDK~+UpKaLOG@G$aAVS!;&rYZs~z#+gYV#*B?}@SUfMj^ynnN zWkmj+{LvYq9F2>@(^#}D>dAeL2Yp$WPu*>{jgzjOXioKd&L~&=@)<1oKhyktIoEys z3=Ew;oAv zwx{SyWuW!ZsZQq{x+O^OroXb`!{}wYUfPgBsD;!cllAIVfH+3L{2vENs@K(m$Kd#- zKN{)@fXsTYj$zL;G8?gWwa2eSI4PT!;NU9+@zo7;3chg9?z~ZuAEhQ!wZh}INMLfq;;F|jR1LnLH zUr_-{wFR9Y$G&c3Y1a3<>=YzRHa(1YMUmZRnrv*XU5>fT%x;81;PKpRShk^?OnL_* z<=|>=s<3UDup%P{Hun>%SRUk<2mHc@&B1#w&HmDFrroT=eO10%(%7(v^vC>bB8$4N z>R>KgbS64T^;|leCn!jc%hIZJ?>=Q~`#$ofL$VgGOmeLRt?-(wjp2UK_ONH4%#^yk z{%fbm;^jxlUj2Nt=e#YI6JTjL4dPLXpnZ6>+LiQyY3u?Ih&M~^CpB!6<^d?XQb+n= z{n`c^Qk`h~+iDgDsNSo*HGn{h$i?h%jwtJ^BHi#3TaKv$w*F30J52KJ8ZW&0%&$sM zE1Lk$?+~rftP6DIG;0tJj*dS-XUsz;Yz4ZK0TkSiRUt-(p%6^aHV)t^mv(m(L&2#QZDAKe?LN6MoG&G5Dy4JX z!^+QfZ-4($at+F}Z=o;Cc>P3SM?Rvt1KONmRqE3277UYb?g)Vxbt3vo%z$0@=@})7 zX=r;4eq1me9z4zVcu+(9EaxRW5HrcWtRNPO@22cm9|XL6=glbxF)pab4CNU z-95U|;a9Owg_+A6*Jlea?QNUY9#zUQv)?_9lEG99Gozlr)F_%Hyg;=HX6mgU_K-11 z^a)9`>X!c)))k*47_MFO`(8OAzwaTIw!yD^R*zA3k=nc9YJ$XRE%CjdcP5TKADnW` ze31%*zu_V69^0uB%xS=-$D3E{B*;g7RILwUiMM?K_H0;AbjntIJDsBt+zGSr5Gz-} z5J!QO=oRY7(GxaHk1{Rcs=`5;$Z4enK%4NCJ&HyE zzKH(Wsd{#7d8E8Bx|G&8c<8$Ad2^HLcz19k3Z@2I(U5Ft7fTk7gUe&X82vTXp9(6p|%Lk ztntZiSuf{kJa@fV#&n%U+`X)_-_j;;r3>LS13572I5pc{bWYWnh$jnzCyegfAi{=_ z?Zk{yaur%*K*7ha7LYFsGh+@ER(O9BXSa=cL*NBzBoi>)!!R__@){^^QIa9@wJ780 zGIkpOsMy-o2f-^xB@?8{iQq7j%>irqwty5s7yE3})JL$#$jvmr?yorcQF+W|CiarK zr`}@C%i>G1d^6G>_qRKUwVoZj$L92u_C>y0-}zr<+?JQ)vZ(HxwS$SRW5+aZZ(3Y< z^^E(2VmHV=*DOC2g`eeq<@@}g~ zyj@wx^Pd&WK@%8AEiyv8w72s2uvGuYI-?RcZ?7|-uG^^YIeoQg03x}N0W;JS0WEyO;4c8}Mz_)M^ zC}Y(qH>@Sa4B*e!nqF>)htw*{B_$0p?4+D7 zW9tiRc)^eXHdI3-*2CI#A8^F)mp7noN)>JMqvg_s`9{)4)3{TYU&Nzx0;v-9d=WPm z#UUH))%O+~9jp1vkHd-@nB7`qgD|n(WYkxV?W6VLcWQhm0;{3ax!X2Z`yp9&Tlx4) z5(jeMH>sRal(pqDN>PnSJlRlGu4_n-j!V<-W8e z?phlgKB9Y$9km%kVR^NS+ADPOZ(=v+Z*7I5a&WH?N$A;+C}N3DEEsO;nr~7xmrdJK_s zg=7b_x0*1=nCydbpXIS*5R%h%3mVM(a4Uy@BV*$zTY~=K{f^^8KR5hEKZb5}JXRoR zp5rOZZ%_!1s=bWgp?fW9xtQN$nRW;bXWxCD^_U%7P+RPp)#lc&*9J3*g#hPRZZ?_B zw{|C4(=Jej_B+KQ;^9v6uf!Lk~I() zP|cy;8xE6?oy^LEWZ#paljc>Bet0))L!13AZ#e?Z8zT9AVx&iGp~8xyb$tpdkDzM8 z#`5Vp4g_3fG4q}9VP5dWtkTb=X-=R4$BKcxr)%6n7lgD=ix#<}j;zP>!AJ}@i8-0< zdqM@#=P%7c*yg*9fsv3s^!v*Gu0R3h_FEJ02Zgk7x5q_p#h~hzCgzbH$0StB6Y%z) zX?L(AP20);`OC~Xd4 z>%nM^uu6`0Z@X|t(L(&3*Q0RGr)|+RrSFvX8Csq8iytqA@Tx_k>XN77`PeV4TD6D@r?^WT%=C;Unuu!|~L*YW3c2DtV}dmmu}H z5zoQyE+xswd3_KDxl14!ce)@!kp;P0YG-aAGEB?gQjD;KQrHPJm3ZmHcR67)ngIP* zyYCpxhFbt3_6(v_on~e`?gv&htRa}36QVF0}?ZK!Lg$JR_{G&lIk9HXMLoz?yrt4<- zPwY|zrBno_JSnkZhRb-rIdpd>TF%n9_}TpVmNsG<6&K6oXI62thaBm-F!#0^Q?TiS z2QrdR51DYK9=fVWQ$}}m*EFze13v}H7q%TEt&ul$LUtAy`AertkUh`%km_JRK>HS< z&&vnz1Y{ze2mb6@f{rK$VQZ<#cDM#HizV^tT4ovF{~B2V)$sxDfEZtmtWQ05ldMy#&Q`zl=yJdA zwrP>2Rf@Le?8G5cMJN$ibnXCTS~?%xDykTF7lODu#1~kAytb>1r(!nA!uxGkvrIZt z2ydIw88ies;1_E4H+TtE3ruNzcgQ5!!a-u*RNYfVL`GOu!`$ZW{iOx9ztPsGd-zJW zS9I9RO_e;G7vWUG;XOwvveu<8XxAn%7Nj972;9} z^KKhwkDm5<8z(aJYOU2*Doz_b);-3#&n4Y86D7on-$Hjp42Kvxly8#FO{od(y;w?m zf${b4*QoJ27_ZM}y&d{PL&~C&ns(`}7k3GZm+r!F9Mf9b951@aT&H%qJkfn5^L^3M zsKB)?xdBP9-9?Sx8(xT?Ovu|dCiRU4n=hKoanwOgNunFZD-4#&5|}c1aWYX3c{Vir zaAY#1H($9CW=?1GJ7<#MtY5dizBblr*jDbZV37hhhSrzsKs?Y61FC zXE2DwMVW^5Gs<_!@{xqz+H;DQg4*_vM|No5hocedngEn;?8T!!!8ULB%oX$;1hC z%j)Bq6@oNx(~~@rq?%n!Ik>oVv}8Lfra|fL(eGPodZhYIt?}5>rL7r=NwiB$l~h7! zy6OVrzJ`5P4qrD-F{`8=i*ADATi-P|y-~vJxzxa&MB8lzh@Ct`H=X|EF)dNou8n`_ zR7yg1-6@e)Bs8R-gHOS0Cr%;HT747l=vh~@>VxUyyR$Lt?XBibe>f?pVrGbg4!qk* zyM-_V@cf|ntBOjACt0-YQFAxAYCIGeHkB_|PDI&qIOPOabm-3k6>7r*JkM@VcvZcXEE>GIP=m zAI7M6)5?jfvh9TgDcqck7%%so;8pm2!{rTD9=4u)w6l;uOevEI_P<4M8hQelAT=5S znUXg&#_RTK`k`RDpw%f;^!0T!Xm!U)l$yi18ThZPT+u$Y&~=o7Q!0clQknP>OWS=` zjixo}r7)&s3$+EojjCf<0Uw1A0i@KZaXxyECtZ`SUJ0dniqj%-L`XPV=%8>O2xqZvA zs&dLTr5Ebzh(Vrb7_>0fT!7NN9eoxWE-GJHQ;o#*rd>t13Pm`}=>$^BMN|}6LrH`- zm>=?h_{C0NP2a}cmW6wPxo0o^MaJYA-7I^8cM0W+uZ>8J+|bm`AnWGh)rR9iO#MXH zgJ|~}HbRbkq7TQVYbwWg-#FlE^0s%Mr|k3z*2B8iBm*P0=ScBc>AMba^4yiyqkH)K zZ`i;d;yy8itAY;vkql09Y$)?452!VF#^fWCPJ2m@323W6(9!0z8N8xHL~3hQFObnd z`}>M;U!CAl>vqjOaBpX1zr>`gwtA+A?A!bf=O^U>VfXl5gI5!j3!c>nCmXU$@^Uw` zRz7ytThDmGaM+arMkKMoL*}SyyX_AWurFlssXMC5>;{>;f{a=tqG9h=*kje;9V^ZS zO{EM9&HhL5uN&4{P?AXXTeELFB$@X|$i!lXG22$f+zstu(y4K@Abp4s~Y1 zg}mGdj<SzW6SAelV6I$#C;=S)nqWiLdD07+D^Drvnloq|v7n`jg1nn#NUrSjWrjZqi{#4E zO@{Yu8=6%wPk|mi(v#MC5V*vHRE5$^){jSnmhF7m=A$40eu!o^#SMdCIm_ExT$W%l z#X~BK9f6`1$)%Yz#NX}_r0!6+T0t?HgF;*YHmvYaM&$q#7|f94djx3UZW|ckSvsYaS>OZIWIo)VTGIC>c$mNH%lf=wx2L|yq2WHoX zP@d`wpWN;=8jg%;MWEXX3|lOa(X2Rr<^3dUUyM~)?T`4LTg9I6qVc>~0U=uHHh!j3 zhDJ5rJf++nN_gqY=n-uLF((RNB)DA0+jK`3BGE(ovNdiDmu@ESs^CZ|43$`)tT{*fxU3N{h=M2gnvUP#rOeET_scbU10gOP?&6}r#uQxlG$JmtV~NjMW)>4vY;hl z_Zpp1pKjMrkkEdh<9YJ&;g%id2r;*kIq~juVDXHhYTg4DbNND{&G>Bsb8m4VrFh>t z{sWG;a`=d84D<@4AoerW-&#+NdCZ1Mw%4<2CRAZ4*O?NMjPKy(By|gARt>a%*}cR{ zvjxx82!d#?n@$&pA5%K|5$5RnWyW`8fBQoyG9(~7@B$NO-R*=W5fNL*>#wR!U{d;|jcO>J2YY={93M;VoFlYMrzYZju zS9NsV(6BlCL0kOwVy?}?07^zLXAUVLk1`AXL1e5* zK_gTCn)bhF1SeVZV22P5I!YouikqOV9fAQLgJl<>d(;26KxI83GwaVj@0$s|SR06O zq7IHtk!z)Vft21eu>*)S6duF(VSi_P`~s<>Rwdvyw03Ey_x|1_7A9RH%avHQDfQTotm5HeFJ58qm;=euX#R07g&T5l8Gk<=m4{7LWa}b@LO-vk-O|25*vw*3a{N_V5%xX`yXwZZ3e) z&>$2QR2!)x^)|3ZlZ zpbksAC_7C5Vz%Zb3aZZV*{^4Qm7MsWYmdJOa7swv1YF03EdTbn{l_2BzxV>)cj0q8 zBc_gor2UKE@+*E}@E#fYEcPC+XxguXW&P7nE|^_HLNDpqoaH|H=m z9l;mP`py*n$D6Z%|EZsW&+YO0ljFbQhw!hr+fNvPByG)5{WC`3uYIm1lHhZD$9(k{ z(zgHEkJlm@0MC}mba6fR{@UmI0S%CYyIx-YE8iVp<5?;LnAUQ=)^7MOey-oa=XTjO z@72F~^nbzMATNO8+0m=OWNSq_XlRFm$$^ASEBSV&6=^tEPys6GSfQ(R>Or&@-^N&1_E zejO1?f7xLK-?kOGl zGrFIIu$qAaLc*`p8UM3qYS0;Z8Z7sy2G9JJ-{PM?VqU1*r)!SB|4TniV31IeQ+2A5 z^N`&6XW#HI{C9(UBpT6P;1$6*Rv0gX1-1xaiGzR=dkRt~uwUt4}`wZOVu^gS( z(a37GK9Ffam4kE@CWr49&SF!I6~5YYg3lu#o*uyxT>tP^_hVim?9V+K_e}GQg@u_1 zIRnM25gE2EN2$gn-*qDrMDzY?XFE>adHbFq)Q(gf0-feKw> zgBh`W$otE0k8x9Zk~m|Vd1_J4jzZ4QnwbV(XD(rHSJQ>kOz%PHx5 zOriv>tw5q_Fn;b_@*ul6&`Ss5O&%?QZOTx(2TgrIf3DsNMg*MkANZ<3v_1&Wi~$T( zi($KoWGGsI3VyToM#mt$iAfj)6pVx~Zurw1aJn9alPb&-!KqpR0iXot{E6c@1LqT42yV=KeUgE#sPNwv-~X+f`b!uOJOW{!WCr!QhgkIj zg{IHBfv%35YoR9G^~WFYQYC0Z%Yqqdm}>s~^3i(V;q>r7`W&dNQXA6B?WhBH5ulcj zq7hHaJDq|cOJyXDv}n=>gUH`ND0YHN@$-YvNeNZpJRJm?p9QEHvPU7TxT^xusf@Yf zWt7rwGHu)V2L|KZmd{seUhsy+Q{gDQ!<#U`zVC4}5D*Y|Ta*QKB@X*zz-C=mV$yA#MA$a8AMzkk;uXw6+%-f{(L@ERK^ku;FoqGiQl3BPFEsqma-SKl^@X3e2H+no zR)2g$a;eKyKvPxx;o|*aAj6+`Y;(|&d;!l&9#9c`$&Lil^EX?HSdHA$0z5HXF`@&z zNd{G4;MPf^1qN=wJSJ%&b48lsmk&y`DkKt5%_2M$Ae+~D9uS?f;HgC(V&dyru$AQ_ zl;45%II8oJ4h5Vk$@YLB z{4(R_n47iJqBi449)K8;lirk*g*aBRo~Xx&uLLe)|5)6f4gY|NtYU_I;%%D1luhuN zl%d+Z5V0G+VtP5oZ(5@bMX?qIhDvPOrb4x=gP<2DBPXxa%m(}ohvAA^@u|L9x(wS- zE35VvPsNQs_Z+8)&0MF@u?xuHp2>0WLLb}lrKnw;>jL)xn_U1m+9WO(7NKs(LgAgL zCLk1q0scf8?DiM#>MX_WIi@VT;9b~dO0Nh8NY(7eM&wOIkX4I3TLpYzq_+Ji975B} z7pqy;6u}zh&=cRTwvq_vOofw-?q*14t~Na7Gt0$LGid=}EeCeEB><*O8NSruSUy*^ zvEUzfnk8Kea#%m@&!a$o)+6`-6}bx^ZO+jL|N%ZYD4BR=EW5$}mXquOL#<2C|v zT-cW5)(lkj^wx0uGBvW{M}^Pgtkp5GP$VdIF1sX@ax z$6tMjU|)Z!zhXR@j4)1-VnBz6?+kM$Y_c2?7>&GWG1uaK@B5s*)$1Rj=VPb1X&b<> zuOQI?&$Kln`n0yKp}4829^=;^4-`l=^FHFWj0ntF1Dzlim}KAQDP-p1w$2JVf1_Sj zXo`j|`v?6#A*eR)=!tXReUfV(W3ix@S_DLG5pqkxVRSwR4W4I@)o*k>qIWM`K>`B` ze_pt%&~P#|3tiESq}a1d&%=RN3MVw*;+X)20E!hipkYgo3vnVXYOy7@zt3)G=H+Se zJOs)^K~1p>qT&8iiRTPP&Psjg8GVKxweo0Z1w3q?f9HKJoLatG>f8xh~m+~F^ad{ zZqi?^=bFLbnA~@t@%de40> zC$R~BTnv&BIzGy?0ks=*ie zlbGi%6v&GiFEUfMK{1NRHg#@Uj_lZ5B8GAJYdIa)vG>|?n*=#s0URoqvj==g{J?}~ z=5|0N6y_-1k=>s!ByKZKk*no<+^W04!+H?5dXf6m0_a29r5lXqeYrcZS9#( zCr}~`!e)Ft8w1<2lN_goaQW=6A|b08fkgY9go>^C6^N!@ zh?CLk0#j{hS*phRys5jemHK*hv}gyry#}tFbLVKUC;ydVaB&PPCptIjcXu_@gvvys z_>Jd16^CFUIy#c<)P)fBW=$xTR86k_^5)swoUTdmDb@Hn&9Xlp_QHDBNZ_3(fFP@;!Ke9YIJ|@g=3q zMm)eCux~t6>!9hjJM7w&td<_f`{x~YDS&cDDIOY$G8Y|hx#v>)juafAQBfT+8%TZ5 zsV&p!NX8ySQ@Q3;&zDzBv^2<~C-8tt_o>fftostSaHMMbqW6pKeGt=#{ z45h+m4A-9CRUXi034=aU9h?vaZ8?|@xZR}3wVx;IVdQ3M`ipf}XseYxUc}?rwh;l1 z!}!xCY*xIF1+7gqPmCN9;W~*xiil;?$IF`18c=P7If_>74+nW&NgYvWr64Oa)gn8S z%2|P;<%#au{yZ$6yF?)(0@w%K86Z3mn6l#xfdW!=Gmdg*5K)whnMdIiY03EK z-S~yruP>tDo)^sB`i`pMVJx(!^dj!qNNdJdFpRfrfu`&TsxhU^zbhl z-u>_C#arq|Kl2f7OA43r*(Cp@I)o77*so!%0hOF(?W^OCP%T80#3{4zJ$XSn_Ez{H zH|a$sqN0YLU`kVbXZE59AXv2H7NT8Kf!!lh^ko7seqY!JMA#uV2T zI{jj3K05U(+(+=xMxgBvM0^8QT4V$h9H=CjlUXHb1McW+A7iw6p{2_DzCJN82@npI z*L0o7eXVpxPzYF@Qf3dq9sN|&W`R%f37&Gqbs=XHz-RZ4WT@rFQN9BWXC|WE5(mC0 zU1!=UILYF4%Gd7~Kkt>=ciO0&E$_PDvB zZTO*DK$T1wrS_b-JxhPngleM;!vj+l6Ai)#lFyK2r4IreJ6s5eF)Jw9RnicbUt5st zQRVfjIp*HN?{^OI^UhUjrofbK*-2@?X>u>)`PTE-2HhixLLYyf67zrVRV8FeG=v=3 z8#lz?KWL}|z||rsoB~eeQvF6I$w4kR1)_Zale0=D!C>Y_`Sysxu$`y#p`3^ZpVFWa8*i+9QYuXOyq>pZ)!~`~P6?J)^4JlC5Dy@NB^Vk`z#a zMb|3o3 zH%9+(42QDWd#`7$T2-^=oE09zN$njc8ZJ)CpGwF}>V0c!GgH09syFXTc_yFm&9{u< zmr41#bU$E<(jRkrb9Mj}$TAZH*Dg;g(+3G_Dag&=7D6V`h39r29LtlkZ;*Q5O(d9< zi-C~=Uu?|Xm>VCUQOmf@MF64HB7p@r?p?Ypu+#C7^PGBzVft^ERnVDqri+DA*486G*Tq zqy`e;Dhwh2GW<%pMI))vrR|ocEJ3B!0d(6$SBr12&CN9PFr~@t8cOp@95@EyE%6P@ zaL@aJ4Dn?tn+vkvGypfq^%pyA1MKsc1idodKAyAHR$%I{0>QTWl9G~<|EcMvkDoe? zi780fNqq1&H8dczt9%F{)J*;q6PSXXBG=HkDTH5jUv^RRO!EW<&(7PbKz0{nQ2V+m z)VV>vK!JA&%1xbP!!CO?_}5Whv>TuJ<6+a}V5j zFFqF;AUQ-CjU69hpJXynl6^D&ja_09fS}K0&B@K-;x&gl(fx@Aq0N0%x&daaS_MZ= z^3tSk$Epm)TFZXYnM}3Cri_ zF`W!HG9J#A$a+ml&z-c@0brV6`|YQdp&EAvxeIaO*{cukR$HZdgN$RqCc}jfZqHor zW#g#hB#Sc*pt{pw&(Lbl(!xu=D9Cdyc;4P|YrfVXa2cP~1yaG&KJThZtJPO3(r8-0$5-*=z1)ib_8FleYzEs3Mg~~7 z-E?q$f>nPj>YoeO$gk7;;IebsYk89txo8putu+vkF+b92b>kCs=MZq;%9$=vIFwS2 zdu(Evap&L+^Zu&@{w_+x#1n;|+On}UIuM5>PfP$+&+3q-2BxB!Ryk=T^~khWN2%#dY-^E~%z}riB_w-8}qXn+_CJH-{ zJSR~~k_bD^#Ux<@ly$#gNbD2E>Sw}QUjb3LI~~W5oQ>O?Z_^4nBM7gI_zK^H{6QP0 zqJ*kt46$dk^d~{pWCxa!K9aHmk(WDCv|F?36Y8HVB!-)ic7{{UlFwf#aRW&8B9BM| z*xUz3%mC0o+>0`0%4kxvMQr_3q6_g!0&CqDXqA~%m$3EV^f2jZP>?eEiU0UW+a~ho z$}Eb6fV;kLX1oUV=Vh;nC@5*alz#V}jfOhx`#4nylYGj{);q(#NJL3sa9oMLwG~_R zW`WrI2ZM}~$Z+X9G0n_A$QDDcJ`lgDer+5snCX*2RA)k`H?}SPzYiN8@ z0`|8=%d>jWB$;h#er}0htd&m$YnAaM%puGwr)?XuCU~z2$=o~n{Ef6*Fx<(#Dp#++BG?;P<>wXxUbM6CPT;fw#&$IJbPUvJzPj z^vwL|PdTAD_OVF+$CZM}&zl_msPh!VqRp)?{og(h|C9axvA=o9<9J_+U1$;9=cLBX zMMx5bMemvoEi;!%r%m4;tm_(bc!l|*p>|r1DpTv{iu{Ftv(bEqqYrZ)qs%y{_ui5M zaiFPikOv7=mFA$O@N_yX)$6b;Je#N~w&c^~zKG!ZJ^$T$$^eEjWW(1_C{;VcCF5L>_NGi>ALjnl#Tf~jB9 z9U1ltXU8s(uczrH5)jGpnu6y{d{qjlU2EqqsUg;EJa?1hR6oh%*n(Gts?S-JGOkU z|0sUh+F{q>a_||3)q(e}r^24rf&bxa^XbYI! zC%ikGi=~fT&1XJ)C|UM-#~JC+XsT-sk@5UlX@nM+c6QOq-p7%I^)_35DlV(XgI|5LTsDegRxy@ zGa*z|nz=>TKDSRi>=+HWG=mN)HkZh0WiY?%0KGu|A7f*tuf0Ou61fVxD~H zc2kU7v-s-q#E7oyLlgatXORlUhh4uuFeN%BXweaJoc0%T<`GV=JCz#;=Op=GWqJ1+ z?)}SHl5Fql`zz}pQtf^rxEK0kQZVT{HWllJE2F#-lqmLT)rUgh zf1V7y-2zxU-YK;n4uv|6#1AL$ZH9EwL_pg=r^&Ixm{}gxbpW~H%JCg4>a7t9`tC+q zRt_;oB;vf|_g6?)1Pvu9Y-fl=c`ODmMFoz3DHi%waKgN?nd=u2v97K`XWzVWyr=LU zX)uM|@tQJZfS>7`k@n(LtMA;)TY6^-Q!}AYVURBZ$1T2;QD-B(y3C4^&$~CV7m1m; zVc@beRB@)@9^6wpC6JBjY5=35g5($F(sE`2r=qt#;Bul*V;u#!;#UM+RD zl0DooAh--D3U5~t7G7OJlF=LcM8aXX+Oc^2c*s zO9$ub@IMtDTny4j2F!{EOaVdz-LesR=>0fhZ`08QfKD08MaBRVzNfqoW1#!sPfTkP zo_CfD#Mew$=#4(@d@_7a=bPA9om={7ytJ%4*o(|>MPf9_TFxA$c}VpRXUirUHefLC7+)_W>~5a?9pR znc}qit3d)X8cy5`jtV3!z~s1`nw;vjaC&uVRJ=p5qyoxj**7?&F0q}%PpG3=7TJ%l zh@D*XvpX%124-tBSSaB2f~8iC9SjHTM!K;*lEBHD>YYKb4mN~zz6k#9i&!x8R5((Z zm;y?u1V@Y#gh^ZNA^3u2>(Z$+>{TED40?1C^(9e%!vy7Ck~i%TH)9J;%SQ9mOyFUE zO{xdjk&LCtxcyQpSTo&7Wm2955cnSE*8M};P^iAW@s1I`8x}khjmdmQpqXE{wKhj- z)&?#9lxR7T_rmyB!*95jBG+#_kkR)-K^dJLR_$BOo(laDULDsoa7s(7ZhK!k zNy*(90LiA823X6qp~1(L0OOhn!u&VlPSoF53lOq8BL}7r>9?Pqj+ny*RzaTEqZ{7I z8fd1Xbq00hsn{P4@7$muk9w%^bq_`~imswTN~`ju-o%Wi=0GUO^b;0i1B(awf%d{D z@6#-oO9xL~xD#Nrjrkb%Fd48i@dC!KIYhz)!Bw%KS%Q80C*UYTm>V;{5 zkUO{|+M+*iTFceFFFfex9mWesq{h2RL+MQ5sYTi10ch3Ed)_0FiO(*F&((|C#y;;V zEyq&c2IPWMec#^J3>$f|6%tMXpgUU1$O*_(CB4n3UnUsx@4e>-zq=g7b^@gLLCJ}T zZOFFaE;(s=m>w~~`eFd6mF?Ds6khVMNC}IIii#by+e8OIR4C*O^KIen-K-~8Ayrlb z+581RlgyGjD`Gm*IrdXQ?6}#GC!xt(*Oa^&D_|VoeE7zrO7PNFgA3|MwtXqxV zDc}ZD{fLu1i3xvxwmtd9Hu4K=vmHpW1xFTz{3x6Pb0E5PKe}NHQB3|TkA?`X6aIHG z1rnTfxDiFutgja_;x>dpGkEjiY}TN0xLU;kN`c+*!&mhI>s{)YR66WhIT^_{C@&JH zcY~8%A*R^Q|NV=mCx?A@Nodm6Jq8POTEk9JidR}7Z=1=1^YeFB7bz}hiEFOWKKeZ8 zwh4P>NrC(uB}>9Pufq=jxX55&XVs7m%_>@Y?>4n%5nzkAOGOPJ@v-E0>~;OYKo9wq z{{;*X`ZSjm@m2cfYaK@@x2tOdR~OIAC4b*d=x49RAF!Sh`>`CikX}yaEwdHh+HNDV z4je!iSwg#;ff7wIcvlnyJpLXT_5jUxEZUbwo*GSDCa zNm{0BS#ajNVY2DKHUE8Zd=A*sFO5G`gPKac891lL0F;&_Z=R@$;AHitxc^h-c=zO6 zXRwaBAKeIKk8~J>ibSO)g5K}-OPQgJ=uI47j29WzQVBl=^(6Uf)4S70UtC&u1$NHc zByhs|N$X)rPU8e)Db@~=km9-JXWm|CsI%*;1@0>6D z_(S`HfSh=m^7`eL2p%>HH3-MVYiC*IQ)FmqT@=^7>Va8aV-7Bh8D9F>Y$)EK@#Uq} zxTFMX>nHw9_#!KIs#*4q=Jn8+K5YwB1@8(tq44JVK=?eiz5{BEH)SNgW1emStCFXW za!p6iLcRegE^EdUPa3dOs!Ms{iAS2NPM8Sg-Z4GJrwNs#ZKQZt856q6@z}OyjE91| zv|wjNA9f|)j=!>9Qe8AQUIZDGERXjKDPVhpiQZ&{l-`d-0G2Dmv#?>Ig3Gp#XQ>XD z_NyI1{8ajS@AKpM7b(Ex5p@N7L}kHy$@!bdFSEcZ`dlb=0zsM}O%~|8<~_^ck_9BB zo=%42q8<|X?)c(Cj0&?bD$AOdqf&s0sR1kkNp%wsz5i|nt^3ld_wsS~KkvQ?Ayr?7 zNtnuKXufaLlZ?YnSNPN9Oau$ANiU`^iUmHMPEEM>#7pWP0c0gP(6zkN39Z8fu6>PJ z;3zN@Us8~f{BcItUibnI#?8V*W$RVjz1pA5k6G5!k22_{ssiulRTEI$Q=iHCZ=duZ-A2vHS9E-xn3^X zMe&6f;7ef8cY74I-QU_(TqhAui+Ah{xphk5D||sU7((tOy%q0@m=JDPwmKpsS=HI5 z&&VA+QbFRvt5fY2syQxA1B!_iP6$tNSD{!W3c;VkT6s!nL8iMgL=E%dwIWR&6H zt)Bmps8MED2yu72HXr-r_^nT{a?#yaSTxJKGa)%J(!#gshdx96SifSmeYUzaeon)j zTa6opvKa?(ERo~IMdiXQcrs^$jRIGk1_7MqA~Xgh$-*ytGD7rb6P_#*PoRl?HuTuzw@eux|)^UHn$rW1))fN@@Kltlf# zTD(*Qi`cG`rReL*UXO0WiOgedX!Z zM(S@5P7;Nna<}h?sqku$YfE@|T8=%t9L>HvmPCJO5*hn?e>5`P>R5ubEjf@3-|`;U zI4sCDyC~tKt0AfMAMSccGbv@-+`I~$Jgd=Gt{&J!x;%15r-8jt$m{{t;{c%0CG;-R zI#T#LP!3cOq(wl^bK=~!ui)faHu(YJ*D6S@J|>|6PVmHYV%9O98{q$<3nAKe!6!%W zW2qy<^a|E@ym7eZi5e1!duMG`;@h0#Ggr-X^|9MN>1as@P0W^_V;KQ4N@iblD$qYg*qUJo*D@J#LjZrz31?l?ypgiFi)ENU>U#Hwj`Op}k&rO@9>D#wkBC##D z`%{`-4x~Sd!FH)QhcV%5iBWoTq?MS}vMAe3F?4@ot=j~Wx33(>_Cu;a2i6chDZ4Wf zEAYJv0Vye&5fwD!)j8*e;y=`l3fw)hY9^?RUwHCr7E7v?vq`!`K>&Zs$zhlh~Zg;0xZD`J9$ z`{YTY*S^Y0mtYqi@V}NW)lq7sgfApNV%XIHYO#(Ik9$+JK%aL8!vpr?6f5VL6jC3+ z$W?5Hus41sgAx|sPVP`xp~9;e&;I*CU|?`3&J+e^6##78Z>zwr1NX#zvvJ`9bL_6& z3{;!9v+1P3N~?TYdm+;fJ2QT^ob0y^0Ye(n@4Ps#v+lKZ z^OtiE&}}fa4n#ExbhTkY57LTRsRvO%L*f3;g(H6J=1HU_oj`KD^O!hV_Z4 zYVsV3XUIJN*DSdI)<72l8DvxbnV<^+yw%=g4C>68^e#$WbKqeug{dRhCS%!Zx$IkQ z{mV%zBZy}9-4|0$A}NqZI(5OOSTS{h_r%<`Q90PizT&bN?B~(n?g%AqOfo44TldNe zr&X~MM~8F1GwGv{k@fsnDw(f zcedRQyctLH@{Q1|RZ20bsC+lbpN-1|mOc=h??SAIDAY<)Y7XQ02nIh>cFs`vpmaZY z>eh#O3piD>MuDE`)r1M%CyW}O3IT<2z^x6>PXD{mEbd|4$SOcsb)h0GKqP2LwonjY zWfr?>%!l_>|Fw+uZo<7c{bhGQf;_1d5ddlF5#X~1+%_bUQvVhtJX#;ZMt%J`qPe3f ziV#=}T{f-cLc^*z8I>}r`UJE5;hIH)C*GnMx2?}A3}3|$dq6u=PSZXlcOTZ?6v}*V zG(@M+Gz^(Pb;2Afn8_nrZ}uZsxJ!K=pHLmLg+6&&Yy9J=r?|2wS9z9l5RqZ;Fn7J*y9zO3lKnW}$OFeS{ zyFhAjjjc?qZyiv->=NsVa0#$QnXHSU(hj!!#ZkS4FM1UDU!9%amYqm#14i6UCu{PWPR2CjAw}keG z_X3U+x&ER-sxcF|9T%9LYdg`Jv1FCw%}VDzHS3Ux71-nd^hov z?tYXRo`r}bwN75-Cf5fTqcP&MyGN8}+4P0b%U0w4UAhHWw_9a6{7)6>toCy)_v(ti5T7G#mXBg%w6B@ExLdE3#0HoLR~+a)53ROb|>b3%39c- zsTgXR;NbWyarI5(hh_frZxDkSCY3F-Qtvwu(Fi?0bQlL0L->1t5j^d2iMqAu>wWP= z$Q0SiG~m!g=oOjeHE}a#men(+HRjBe68_y^@ppdv-~BJn=R$8zO(IEC?}Imz6rzSl z-y*YD>#->XPu~XtS8IGzapZ>k&_y@25`>W~UC>lG6vjr{ES8)>2 z{EpG@b6(b6d?~25nb%otV95Q4e)->i1e~@W!K($2fvlGV!GRauctCp8T;)o)#E{@D znTk9!l%)OBr{?7H=ulK+L0ZzD{I{9^>Kgv_8nkZUPP4>j!Nsm3Gz67Pc!pJwg5o^@ zC(K=#xZhs7%%hQ~mdV&UOLFzNR!qinF$_)9IBB=}KF!%U2O;oN4b zt}R^-g2EoqR7pS&3I>K?Cbo$N-Ni5c^;-VHe_>C?o#u*VyEFiFKH7)Y)AJ=K|MtfD zgRA~ELTK5E^0UytV=ZZfVviAECQYh&TD~6pgP-$nzC3mh7k8y2Ch^su_u_$mi~oH1 z-@kGGv+}=t8vnCx{{Ojc)QXa9{_F+t_Y$q2G3Gz}|L^VpeA8-c9$Q$%ulK$I7M3Zu zpVV3crmB)U;p2DzK_2_hhH#_PI5=D3AIz@a!@)JUqpf*-yg}ec!LjKE5z~XdbMjch zAg*&R^4?=1V&XIG+Csz;OO46Sz-MnRe{=qy{owyFb1gV+q?x994O0KuXZY&S+UjYX zsC`tatX!Gt5+%999mf5;&){EM<5*b?+}0#T?|=Qb+^5>+kPJlh*;lO|^n>}YBPol? zHzmnqKlbzRwhG~ZHe4DSHKyEKAUBCdb+bxo8}v29peK+x+YfkB5?~q5!F9&?mn%R! zGzIl&Q&KOCGR|j;t6QYTT*}w&REWW6=bgo`oSufYV$hF9h>+*fiIOba2;$=8p*BLs56xq zl4;rBcEqw7#(4OmRPsR=6NTHaL4Xd?RscKFcxCd7F^o`~fPhb9&(?lJ++f9fT@ME8ABpKGw!79Nf-Mc_XxZZME~~Vqpl4+Hl~bx^8u3xdqt) zHQ00;=09*vt;$Qe!SoYkd!E7_nFTHb?f|wY-EiGX0EW|d$<^FlnBW%4-T$bD)3iI= z>1+$lzScKrDy5um{^;}j7wJF!d{-~F=2jlP`llkIbpsDL?BOu}OU*|kOUNgM9_O)(11x4Q@|5%+LD4E(! zAY5a+j3L>S8ebRdF4n375k0ZY%!HJMRsqapPi%{L%Jecp<_!Tg) zub_p>wYz?R(KD3PBX#O(-c?`gKR;}1m2WVd=x*Y$iyw3D-BK{`X@|M@THJY)LL3#^{WlcdkkF7>PI8G<)G8g7?HONboj)gK_?~{35yLCf9^bB z+m#4|?NWQKIXfl4LF>M8B z95df|{}laWa|mu@1|bf~NLa(TNog3Cl76~b$!0@(?6TnIJqoy|rlD!_g=)eDTI02D z8cd*>yer_eau<%N{X>vPSZ)CcUhAuZfwVTXmTM0I)8m0`3zMam^V)3KuI*IYMT^3V zf3TkYUoRKRz*X%`4Us}ivG|r0B*iW$YN7#D?KlL?FX=W+5$ezs(G|J01u;1h;7x80 zwMXyq(6h*O%7;l15j{h?ek{RwVYc)Ad_d+mO{yfS=K@6;$xTzDSTeo3GvdrSx5++` zzBjUE$jO8-&w{+PfVnPZ3_(ePDLq>_9GaZdS0(&ik);rt(P1zu9d(V11)wWq;E_lZ zu;k15PXwOdfW6|k8bHazDnh8z$cFO~hGWR|7AUTwEdfK^$ks0kPJuY3VcsPDx@Xfv z#$iD?%ACM%1>@jaLFVBY+jhu&{?|s!hJ_i zWeA!ce9kxODbjk30lwRsvv7|<&6tr%knp{+gV?6)uE=PKg@ZV{0%)#bG8XQwysHww zMG>!$fHdJ#UCU65gVcq)?1MQDN~2Lvov9WcNnV^E#qRGe%mNvQEpkL4lGFG;+<+mu z6N2+*yz;@599G{y&Gwycxn14>@7j>5(!TnG59W#_o?*=-Uk+%?9oye;>2*+iYZ16n z_;t1KWz@!ydnLT{3h)w=fv6~0TP)5}AP-=E*KsUyP9ZGpB}&@CcMe6>TkzFk44RnMd%auKZzV4KLMRPnQ%oX@D*7-6+6;9t<-l1B z{S1+>EfC_8z@>uG|GYqH?+p|~dg1KIfq2UIW#+@{d&yUDrhvfvbOjbze(JO}5^A?W zS4wkC*^Cl-h1me%E$PmA$An%v)Zc0>NSZK2cRLtSHH^P{LZx^zA2O8$U}hQn(CP$D z9EYYGBGd#mp*yarm+t8tMA;N8ehRwSCFp83<8&}y_u7R+|I(XV@qEMj1!m+Ta4$r| zPGwNOP(#n33r&iO@XiZ5mog^h#S+|H0pv|%0E5%UdKfZFr&Afm32&Op>Q=1E(v`Eb zS+ZRyW)Wtky!C8?U26gkU6eOZG{i)PY8s{nFqViE$OFsvcl?1cW21`GX0kPX7wP3Z zC($jd8_81G9nT!g<~fa84mQxqS31jNF$uT)H6RhU!x*?29{oPdVj448Qi=Ft=^>Ds zsDhk0&z@~?iQZC6Pt%q~XE|bM=TZf%yn>Yf!Uv$8MKE@FXjc*%Ki^n-&mFcG(H zAYVv^gd_8exRBP(IN^W#BK(~I9Q)-Mr-cp2Ra(d%8}U5gTyobA!Du(t(GIxRcS$_d zzOYqKP2Z=RL|Ue_1_qTO-U;~s)Mdv!>uPkoNN#Gt6Mj%I>~h7<%R%I+BCejuV@-Vq zGfIAkN3c((t2al=F|2Ti2ikxuqRuB#NNorFd|m%xmoLU3-yj-qCB5D2n|@Gteg3I z)EQrlZSQYm_apFTkXwkO+;3*1l^=G`@>xA7=)!CRNtELR^^Nl0QKIPeG_Bp#x<{3~ z44FAFb0rBw6d82?Z2y@S1L&ttbIN-aqr|vp2xyp^$<`**R5~vmpV8FRoo*(#4!>sm z@J4|Rq+JhMTy5byFyLIh(3+KG$W3hoO~9VK`|Z3$nvO8SyOBMTt*#WZ<#q^RA;=H^ zlt!8v?oH8WgjMC=%{JZ43WvYI#MX!KjdnJq)ImF{(mDYrOiBM!+rkjE*&^3~S(5vx zlJT<9KP;Pm=K=rqMv0X@mTxMbcjYX4glr<-@qsA`VDm4|hk1|qL7dnK$tKd{I3dWKN~NO0^rSQ;+RbM)7_@7JTqCB8+f}-nh^5x4ZrwDyCjfME20=0pean52M~B)s6%yf) z54$8DhA3R5xpo|8V>5!zo!Pl^bccSaTni{8#t~+PpVv&brM(P;gCTfE8t&Q%lCw zOV`a=>EZZn=7Td?3sAtZQ6pi#giZ986%cb7w#lIF&u`+_+Uk%r!q+ggxsj9(^tqlT zRKfK%Hw!LZe*_Vn?A8a0k#o;1q|`aa&n##LI*^YR(d>*kW@dgUO33B(naHz}T06Mf zc0&-#v3M z=d~*G3@mk{WuL|7D68EFnWP+cg6^fEr7G@_S@!#*?_i9RNZ)ftxNhlB-uX5Fg2E^| z-0XaQxE&aT>*8Z+KDU8&3QS@o!E48@lO?(XBfwN4xVahB z=MaF5bY@EvX-$ZFl^$w3YR=xd+k-@;ovJ1oBab4M7w_! z^XWNFbNL4fIzo<9!Bm_^GQQX_Jf%8ovV}2}Oq~is#SBS{yCz*XYvr-c?E*+m4ToM0 z?atdz0kyTE)O!?$5(jyI6RElKk?KvsolgemTgfw#r(frdvVDngP6iPnV@QUnjIll`cjz@V>D1>ToMoNfL*)<2VGE+kpb+rzpwCh)^Vcra z+MQO?_i!L;B&Bst9D_z9;{XeRy`Oeb+oQ^Iy+%XmCpOq~jOr$bi+R1DgVb8z`k6Vz zUMWTmcifL4fGiFtO69IymZi7^{xRf=$0q#p3J2`^m>1cphap>$fbrwa_IZ!qyCg&F z(y_pl^1VT#KGflfWhd^xn26banqso zs4}TN$mY36x0249xN`2I#TwTC0%(Ay!qChMNLf@;~0iFJT~m&=xi!| zZ7Lxj>JxIwD}#}YM5Q6Wh}2ojpKT^ze)_0FPKxg$n8zlEA~RXJuW4x?t~*14nvfWx zSt^A+*WsV&e_%j?hYvYnYu933rVwD9grShg-^X1L*#uvnHYh>lxWN^#qM-Z5xK{(Nr(1!$tp)(`|xP}uQjC~kWrV}3E+^ZdQgX3W+lt-4l zg9SdUmRQiu3^TeDO@{tbK4$%No0!&`t3uonTT-F{678QE{u~LN5!*hu=o2V0GkV>= zoQaEGI;jv0ZfcCc+RZl_{29$2jQ?`s5S!=8<INi&xf^7WDm41WF>OvR;-o)e%>Pw3|Le~+{YIvaGPO z3xtr8)sw$>0Vfd|l}{Q$#9|a9s);urU3`-J5X?l{j#8Sw{83ebz@uF8f^86zn187R zyX59pGr&C?h39@OmKL`-#tw;6ngxmmP=)!EuD_Lzxxvs20=WpJzfz)2lN7+4xfV*Ro~4jr{}EjHJ)0VAGpqv-zvPB$#QV;y`&IK z{2?yBmvr}WRV0zJSwY8r1bn7tRfYp;cFhLvxMVysWf}q#KcQ55qFA2m7lmW!0<*3r zuu(gkL!??2KhmKqSY0@MAIZTDHG?J^=?U4kU}|Rkk3hz41f&0y?88d61Du;mm1TAd z2vr8X1t2mJiNPFAlYI8Lx*XPmg<ZxNoa%)v~$0!mAlOvXEVK($O}!sKa|jqz{G9+CU$pruq@EB)M-U zqy^qShWf>`k-+3nf|@P^lM*rJvFAJj=>~s0Eo@+=l}+F=`#DJlO>$h1^B{te*)YYO zeE^c_DbQ<45aB4Pj9f!rU28=Mr-ynmU+TSm&}fH&yTMIsE`M2yRwcQZ@ZJlvIjo7` zL!dtZ>C~uvm-c(ipGceRTK>>6;kbj5(fY|#r_u^j;!O^cv*ya$CqMo5pM z&k7;zG#q zj0gw?^J5kQSt`I(Rj|``bPkpVV-QZ6N}2N-uZmP8i2*=ae{yV@$t3c9GbFDXcAUan zNbYQdQfd%OBpXIMULv4Rci{$3eh9#4*cDJucJe*Xob^1BPdxKU9CvUI>dno0i6Y>) zhr?ZP5*kvh1Cn5~sU9Uc4>P1WA+0ryEY-x$j@WjqnC8^_KKck_2fDTz0gMb@jp`t* zb$N*{AV{_{$~7UZrp_tJ=^5|$mj4EN5GHlq#$KPT4x8QHd?mO2k)l}EmYYb@V|~{3 zppF9cLvT=Awo3A<2%vM3RWSBAoGx?V%%sKpa)ih3BSihn9Q`}ZNB%=WnU1khD+O=jsmbq2ug!e zy5yfds-7PxBOf+LHRZLDrxzYhYtF0z)MuL4l#AtM!0C?$px*{wos6oV(GR86PLpwT z^0}SAwRi*&MQ;H7Y^daGI0Hk3O|#Q73ws~x>uCW_YK*Rfpy6lwQDSy*nano?R-E_^@k`P9$<sYJUf$v;5n=24Xi1l%*kd6UJhamQ zpetPfflH4H5qBqHoQC6FEqz{1mSoke0mdV#bonOWca*tAam(lUJ?J4c27D|*fP=rQ z;aC;8zbHo*exmbB0EFqX$Qeyr}vces8AcL*GD29&Y$G{_Bgj4^m|J{YP_C^ zjHd~{Z*LFnN1sCtv-&Nr;HWmkYva6dC!9TcV-SEcV`Or%f}rrP$fpz-0>2QcIzZ>eFa&N(k!xdtau3g8R6-o5#Q#sV^{?MERgvT=H>Ql5TWUxFUuZSL zE$r6y`wCY??j{u^lJ7wMsc*JgAV={)QA@A6o;QeA6&6O%zeWNY8pzge3bX`Gdvxik zl?|Y>P&j^8l*@Y=NhOWpdx{K&DS&aaj9v&ZhqHLebTl~dCmFBpCAYo3^Fo)$a~U8z zg;^!V^Kf8nz%!r3&at}(So*$&V0c@E!B68CtVZ4k3Y>^yE>dwtK~deZR`(jfwPss0 zTKlT-TCg6KTjPgeL>0LW66@RR3tF8MJlIXit&f6xvYm=0#CCAZG@al?``sdXe8%IM zb-ZcmRFZzkGkZp1IzxG6RfXVn5{<$hgNXPWX+fZ?VswS7v?F>C_E7@B9EH4vUqmTM zS9=vvi{5)^Y}W#QMY*az<>6p-C48v_jI%lCTNyYJ=M|f$^Ho}N1wpeb!9fdDWIkZex5?@hS-uH8Dx_bccoD!XH3^}(s+E^1eNflVp(j@yW3oO0ON@!8`- z5poUAzPZ5)=fOxbFq~`7-F2BjS9=*7f)U+P6#MF9Yj}oS@)RdJ3gjBoAjPgVCSoRE z&&id5zHgMvkIy33xEIWehka_@%$VS)ivu}9No5@rFNu(GaEff`=s%+=9}T$9ssRz8 zHm(@C+i1@6*d#)2{SKNDwffb7Ij!A;KPq2>m2^)Ku{we@bWF0x4(flVzL=mWj12!u z>n%BcwZw~Sz>40;&Hm)iGgzE2o-w^7xeHQAjTQfedU*QkvlBrM_BGfQK0bhymTOK_ zBEZtm2^!4$&u26i?_M zv4DMQ4A5=bz8_~b5p2H&8@QRshMmEa-3A;_WmKVr%*`&vd@e)$3GmI7ZM=a~D|V~S z_eh?~6rc%LgmIsW5DrOQp9|~+>IZ5lq7#q+cx?IP8zpGoM6F&zigkY=mg&<)cW$7W^}UJBzp0 zX1}keO>V^0%icK`q!L`%^iZJgg(1UuE^4P1YZ0~aK{r$PlS6bDfPuPL)*y$%y`2fc z2Ym_^EH{&qI!KF~u zhLI?>7tsY7eIdj2Fj_9tX@XECewHMw-` zNL=5rCzeJ2UIhjaiIVM*&3##bPu;i&Ggm^}G8wA#>8e<8hUqXFoJQ;m#pr$q-2Vnk z@i$LLxr{=h8|%;}Fqo)2HcYMqp%S_gS6M*pr2nMmD$d4_s#1V4X==43FA6u)Ib>$) z1NnmmXRDgYv%Na0^2iolYP`ANr+S|tY?!VZ!hr1>LAnC&51HO*{eU=)QB`-;>QKI^AN* zPtXyB8IFvyuYjz43N_G?m?zhsGxN&ZiR;l{Ad+HB-*FoCp{|-YW}Nl~QQ=wljvyd@ z84NY3oCr)emoPiXS_H6EcYFhYY&_~NzkK41#A`^S;cwx2g7+<801N`qzCh_@<`N^3 zu6^~f%L(8y#iu|nMS9cNks)KkEU~X`nQ1#3ELq+`@t8Q!Fpc&k1t3$tX1HJj42l$4 z&a9I0aFuUEFpEJeKS+@-1=S1UXvZ2`E3!qYdHE{@15lh8x**9j5Llg@)CTF14U`WL ztTShc;~wWkL)ce3&)E0kTN$PlwFl~ZP0ENBuZT(}+GHfIPH%;5DR$W-O$T(k1m$qc zJLF647ozbty@zIlF_OrkJukMV0Kj&i8fg1iKR;A|)_YkYlWE@8HQ3=2$`bO?MQhXD zKW&fQ)<}))l90}fyTvaK2(ZzKJ954++Z-~}oaZBW_Obhckv%So-~+P)9lk`=N3Jue z^}uu@GjF*kC(l9Y;?x9AtO`?dTM~-r*`oApXP((Ff~c}FI*##32q%KGdhBzrKHw+~ z)Wqg%T9q;$9IoQ89NV+9AK2Sy0UlumQ%R@bS5pKDdGU*!W!J7cKCucNlmtYLLSYle zFXUm;d zVn@2>TkZ+u7B&Tq4Cy5`k}eGtY@nzQA%m=VWTp5Ca)sQ2YVkg9Rz_|;BiB(EP{y&G zID7S1$QQ1mp)m}?$1X%#0Qk&O7Xg6OkbBG^gqVsvfYoDkl7om})KNJ|M$A4!@3TQ4(r%0FE$l$9`F+u62Nd~J-KrH=7Ck}fAK`Z%V7xiC3garf6uR9B-;r}A!{lyypyH{SQp*Is9j)J*V>OUSZ|JIH$vchSK=zlKx^9K1_Kk&zR zR-BJv=N}c~`t{%P={W`9`jcFU4!iR2`St(#@V^(Z{}N1lnm8{076fCoO6-G3DkWR&l(3g4~}g4=P$OyiyPk6 zb@d4d$WD+ByMXx%uPM(xqP=^m7o5|Gv<`pTq0-=U4p8U;M9PEc*-0S2dv_ zkjhLMYIF`CD)Pzklps zJ4Aw_kb4N$m6h8eirylNn4jeD=XF;<>IyUdgSY)B*Gh=g z;}Uu6I>1E9(CxUa_K6MXeP46OB2}sp4IT&&Z}LF{lLUm)bo}p;rf06(nfhv{(<3y~ zmpzppI{%tZAQQ>kx)fph8jaTL*u4cct`A``^vTahr~y!Yc@u`;GUW57IocT3QXv4T1x4K>0O~c7}}i5_qnV;djb6SrjGTk zio92pX4Ru&v4LnZbR>+3n>(Q_qyrW7$2C& zs@1s%?a?lAp&>bGfuKy#;2<`F;po;Av@0o+tH3ii45;lvrdA+3cItImZlavH-Q@en z_w4_A_?)`v$#p$tnJ9UOPWZ!AIB0V`#JtCZD){pcf*9Va#OOm_I-Ghd%7Fp0}L=!9*#X zv++S(btLz-zNh_Dgq=~)sb1NeM_se!EkMmWYUyFquIe z$vssqYf0P1m@)!YVa81-k6nBV%#D!)-WkH%eMcRg)j2ZHxefwF2N{_fEc=_-gLQTN zs^8)1oFC9{Mw&;13#Y6;(;3C z2ofSa1F&!0x1inka|5|jk4AtG>@P}ZFIA2%&AnJyMu*qcVw8s_lX9p% zT&%o(Df*5v3^0D!le;s)GPplUJhbjjuE{$?z76eGsasD@N-k06LXRRD5n#6kK3)5| zEXWa|=T@>&SOMRqXF+-ADC*PoSjf4kk*gZTm8<3K0*(4=-$wKp;*2%86;;PWX60xd zWacsh<^-#p(70?ggt1|gNPJ_5O|{vxxCL`rvaro-)mQhMp0DZD_#}e(1(e+gjw$Brl2iXb4%Vq-ohS^TCx1^Q(mR7Lx)BJg)y=<#cPS+pUX@@%V^dxgY0vm zEm_tE%`~Yl;||6jSB~6r5NGr6jU=C_A$S zv?p;ieYU8v2DD7Cuh9WUaP>#`8#E3484vac6|BWmsh)4ZA{%$AL8OlFnZ zEGfht7x6%DZUn7A$>n263o`|+0bVmFaJ zC5?L`J90y$N=LI9v>f>$9MO-Hb5xtMQ)~oAY7_*(3Q#$=72Kv*@)8jMDobJrW7?gk zI>x+OR48Dkrpfih+F=@R;lN4$RC%lesM}XBEOL6@0ddzRg^~cAmJwy#L?qABA9ksI zzb{W0$>w>z1&bKq|!AsRwEJJ#{{SRXB3r?+7M}x zzi#t5i&{T-q=IfPN2Jn93FKwDLpjjvtTpfH&GmV>$DrX(6+qaIG00$zWD9sA?$s>% zZ5SlFl#=?1Hsy#_vF)Zv-b{YERv9%p(cRQg_sO1)`HCC03I2qio25D8sKcoH*D;Et zYamf;%nW(5tY8;OI$D2amiPectEzIA))bsA;N?Wwz;FVC5u!CaXyYXSCnN#M*9YJ~ zL}awg%s(Tt4GP=&z+Fp(k9PI?7zixsg{RT@2@)L(& zvpEcdSPY*($T?yXpt$dNxEi8vbuXwAZe052it%uhHV{tA%vu1ki=mfpWe#{m(x{F7 z5HelMou?N9K2_ckxpj__=nVP)$KH1aMVW5vDg%nBhzg=0!iY#vK*>1_DuNOuN){E6 z3=*5v0xF6GQF2CdMsjWu1tjOtfUS~ga+8~G?)qk*U8m~aTXpxG+Vkhu{xdZ*rG&4) zcfD&p>j@Ytl=ysBYVWgyzZK&GYkA9iX5fCdw$$_=obW)>1ssF(%dtF0Q0erBpFD4E zve!4hcz+pmVO_4HrIzo|1fNa|^x!qxU1( zKU|SGqEc|4j>!L0PD-vxo;6hA7&O#>=#5xh3<~8orB7u4dtWr*f?elbg~3P-^<)&$ zBqB0cl|mqBS|anz=Qkj3jfzo40T)d5lT4sHm^J@O zx_L(L(oxF5l@DAe1$2i_`MRJ!J&0#EMO?YHuLn@)wka&nOKdKzqhZDrZ*LH)iiyW@$eEeHG=C&u#rq6u#aNCG9*dQ%j z3}m^&^Xiq6+{qg^#jf5zIgb8b6}O{OtW?j7GmG->nE05ca{0Z*J0-p860*oS#pK_q zvsiTKB;)A6tO21$P$iCRBBe`JA_cFXP2`6Fn#znH)+;C>?MQ|BTdix^d9R zRwHh*!af!aO=5ujJz#jBF|V1+h--)Y!xH!yj!tlD0|*erYRNdO9)id@#c*T-jC?N} zwiik%=DD{Qd2;g}TExW0GC6@|K^!RlrQ$OmJcD+ivgdk>vIHls?4E;L;_UYi6Zvdt zWtwA>u+!~Jzr&~-%of%@MrB9d; zq<_qvNPlb|8WTa9%b7pad>mxrbQ{J?ZPVdK8tLToa0jB=Kr8-mcyYsFYqOlSAZSY@ zA)=Dk2)Om;Fj&~V0jrkhP=VdrA=IfIL*C#Qm9?IPQ|>6AOwZMIqSInX(;;7Wf2Yf} z7X-84f{E_}PWN6P=ki0Sp!PKYYS#&ucf=xwM|mL>S=_hPr7XY0&@jFBHEMJY;*Uq}iS}31d@}bh;y!>2 z=hke8xRlR7!QATs$Sm{(!8ynw0q)R_e1rB^dgK`jTmp~64sl^*JvJO>99BU%V%8lBR&X{8DzViQxK_O3+X4x08rmv>kDcw}m4--88`tvOd3i zpDG?|>Px1SBRVQk2n;_lN&;H3*vA%-C-y+z)D=g)Y(WU0@ahAr_%8$Wl$*fbJsvex zR`=!jS92b@JQZlq!$v@0q*9v?EnfZ(+*`qQvM~5|7HIUZAYmjs&U-q>C^ON;(Aj9j zK!Weuci@WI(5n~1%i~k-U?@)u32UG93BrwsYRit2eiVW6*6Vm{7@4X&bgZ+818|2d z`yJ&edZ6*(ets6g0)~!U?U&~LFC2fpjCuW6BEcZx?_Ub3>rSSeS9w+sC2F_h zWZs=oZ|SO-&&l0=AGQiCu2>}3UJBs7u$>51B;x$zD{w=;)LGaTgBY}(?Vp1_$t8|O z)God!bov_+d@_U(*5AViH!6DfZ|xoM1|*`OM=fQN)g-P$OOWbbsZw*1`YwDDr~Q=? zm6hW_ZNe$h&vz;3KR)w|#HJ-bu^b9q%i`5}TYBX5iYi-63?YZ?u74o%1iCTtB~Zunp^Hz%XgRkUw!g_<w^iK2vETV!81`5p@TPgAeqN}p?+duZaAQl z8O(KCQ%d_`dGiI&FK@1Rcp!Ep9dVhO^SACllapqMmT<|*)dNB3m^-!wU^*SGXEL(0 zM*4a*Y;FM8!~r$34~qL`UIRWt6cEq*pY|@XW?z{s{efKPFr5U&2wA?nvWlcB?cUP| zPlb+8zQ1(k;e~-KSA^{o_o7z;*r^_% zk9Gh?rEA}dTlBTpdGle)vwU;6ELc;to#Jn~9}jW7JuhzY`@$b!RM-x(M>CL8dlCR< zNgsRwc^TPl#b??fLhe-jGI9!_>#FE+wM`bII&_s&%w*6N-zPxzt+&gByvCTC>;?4q z4~Ryg1KbdpbeupmYkD9RagNb3kgu}Q_>={`#dlR5mn=3kD5;KCID#rF7U9L3d7{L% z)1T4@$}v#EYq_8duXG)=8nd413x?h^H>XEML6Th|gGTdkah%MH3Uy8zEnAf+W>%EDCtx+P4t zI7h<_-mw5Z$;CMVIK;)(MuYS9mz zSO$$6qQNpu99jb#Cm4mI!90WQ<*kd*+c+ZVD(ctsvVG@viXXEyLd zUB|$Ss94JSgJEW#fZj_vg;V$8!sq~e{WFhRoJjtI0a>^J{ZKS!+aOT9aHP`>gu=1@ zv=S|)AOIZ9L1b_Fs5ifY(j)bGj#=eAd#+5ww%ab)6^#TJ4zrcfJaLCJbz{ju?+mzM zyuK;}{8bJA_*()xmJea4AYfG(LH~FK{z6`FTw5*J~|-Hvjet} ze-;(EcP7{9X=Y~x1_>vr#zw(~>a)I85==NN4mgHq>hkOKY~K#mX@2?ueb(^eJ<#@! zZ$m3<0s19V0-To@1PBbdSYZPMh+7Sdpk82zZADyET^e>kSIEFUlz;!%ZRr0RleP61 z;oT5Ibe`@DrL17|B7&q;iG$YDC>wx~AZC6cjn|qf#d;xf3MbW{$;AEHkGd@xO6pl> zB|E~(Bu5z2e~zZr>OBPk@h^Sdu;a|?4vo6);7zM-cnQvp@2?|HnnPI8GBuj4%;Yo( z`+M4U=g9rhdT-B(ia8`Rbm~%Yd%SqxfRb(YQUoePc<_EBL*|cufNg*{8yKrlrvsnB>8872Ia)XW35|581leuvl`9COgWYG3_!Do z7CXidYy)gQoJJetRi;51oF02v%RtGX*-H+B!tI=FFYkS3i#bOuq zX~+Cmx#f~5_>P~w#`f_nmHQZs4X2{gJFX6K=Sxkq!#n5PL7am&Nfat)E69*EW{X`!%D%@PY}Qy4%GE-Al~eXodaRtJ(zQ+}C7f z{e&-XegS-nuPv|qY;1hy<`cKf_+itq!6pJ!D|Sdi6@P)d;nw3g$oH{8@)Kh~A^D{< z@EBa%OoyV%1R3JX`n7bM(g)w{{Y!1~U;CgAP;96rTYBdr`hW|E-r~XHCO-#pJ3CdR z)({w|q7o}~9f1)qwS;1pSogOT31A#~tCbbbSrUii*dbo!qff&tH6qMK>=V!1e*{wK zG+=i^py&4f6=_C-b~^^F%B~de!8YT4PiT@1dHazls{ML%G^i^F*XIY?ItYpg)!Y2DUzt>L_eob8qmQ!FD z2IfHr%xFJy_QCP%D{NrE-TbGpZyCN>a%VFe;qL5Z17A zsBUT9u=y;iK44eBGyR2$rzOX47+d=7a@=r_!)%2u0>?a#xlFG$kO6>m`)p$Mg9Zx8 zw&TdIk}+OQ5I8u$BBz8uINARA1B$b2Kr$6FgeQDczq&q6=WB%d4 z2?5b%6aO&!$9EhMEIx6GeMj&Kn9^0iU?zy7aO8mVYO-U_61Z^EksoW91LK zC(CD#>O-Lo_TwV~QNSDwLJ@q#942Q0h`AH?S&=}G3RHm`PCHUNVP$%U9RtQmgIy1u z^XQ*1gSGi}&5XO(1+?YrVJkU+bVOmbt{*f?pihhe&VlgWy*jXcwh~fnehQG1pg<@b z0f}_%Hmc2WZO8)f5Sd!45YLkn-mZs*7vN0i@jxL1b!p za}L(Y!x@PD{MOJfxCt8Bk`Z(~zk^FX0edYU@M5BV8*^_ESOWH*f7x8Z*u|Up;#wY7XrWJgMyI&HI@yhc!LGr)E-?5lxoS;W0(H({Ed%W%*#w@QsbRm8o+x>f*x6V)8yt4> zzf<7;egBr+KqF*ZB%Jx{&&sTQ5`k;m0ZX+(mV%Nqf+04+7^+hugyg@1-O0t<_m04Fi75JScyMw!## zYwAA-$|UVqU~6Lmdo~t92wv}l=A^I6$)W^)%Qyf*YZl?^P&0>x)HE_-0ujM)#G&!H z3Yg}Mt-X}_V6cYZhe%>G0S5Y5SU^jUVc^Y+hAI^URI;nbtfI@3KvPb0JWj~+AsA6U z0E}(w%K}IPgHeDpG(M67;ISLA5fBEi$!j!|x>0j*WCW42Sgq&-aN#rntjF0V->FT>^wY zgxB$1xd`7ootkSUfnseglTQQQj9{PQUhq<}LyXw+t{(S@@tfzS`{2{6LSvYf^oNo> z9W0j#E1Bxwt@!PcjtHLZw&tSkl&RsOgoe!DQr14hn#_b{)V{Rm)-;UGS3Ps#O5*i2 z(z$Wq-*?*oFJJ05BYfX#741mCmz&nXd!NTllk4yJ4gVV>mD{0EX)}osJ}LKq`FZ}0 z|L?vt<`QP|){~uqZ8Rel5pqE$~8=skV^{SW4!pFVUmZ>^unjBstAJ=k*QW6ASz z`M>o{F!{>$-6{%QxcGOz`^alcMMd4M`}WnbfBvF>(<2N9VX1fUPp*>Czxf;e=lA&^ z)uR7=KL5k_@;~p}f8IBE0{=Nb|2aQ@K7s%L>Om}HyZj+!A?Evz^0I3D6L4S?7WCeA zE_u-4_iixQ!tQ%*6^y*8V9Xvm2LchV>wW*jci~_7YvMF?$^43U1OI^T3(OeJ5P8lR z8~u-E*b394%{${Q0Vm2FYu!AWlbwAX6bd4cY2_*Ai9m-SVO%TeXM&A+!8u9Syf_?8 z(QUVh(0fyiQ<t>9vRrp(9Q#Q^rNmh0aO5O=Fs23^DJUBB?9;E-${0~(cpQJbNH z1OzO?I}>g4oDYsyEQ+!l&Fm`h4k#aAj1k}uxH(tlZ!J|=a#24dam3laSFqHFwGYp5iNT$5XiIb?VX(-NwdG5^nKMC*SmcFXx;MMxcZhP$2f6aRZBGx z&8i2$VqRLId-0)CSNBce#S_Q?o|%fqGv zI`k$7&Q*p#r6geX|%`WHXbt?E2#R4MKRSW-6(i^WuTwxKc*}0F#ed6#rr=zuD zpw_{~17>FzA|Z#^Q%=L?_&TJ>sEL_0d7wojpxECl7Oa}YJG#-XOG@XlVF3yfigYjykUTT2}e)vBL#RR zTb*^-gpdDeF4wabu&-6Lk`5m|YzmZ%=%7I^yJ9wqdR7LJhXvf!Cf1L4Cvp>3w9k=+jq{hIQ3GY_ z;)WA1o-3Oa*ndQb1qej{cnWe28m@wf=;yNBf;0hO!0W*NkiTT|D6s|JxtRlaG=KuJ zARNOqd|VsD{h&R^5OUc6`0q?u_y9(DKrPQ=%EA6zJR8KsVo?GYxeB4Hm+cXUs zW>4R=lK3C5F0<3P=5DE+`m3XydJ-kF0M@ZU?9uWD0aaut#NEn>{&RljGWY>pjiW=_ z4)qA{LW?P0?M3#nh;)I71(DCM&+l9Ie0YICzE>Q3)0B{$AD2EQ_W7cPOavCsQjpWp z$h4N_rap1xAZ5;#C7bbh@V(uO>tFg%2T*JZa6vc7*XBMQF4&hns$S)@+Oyxt~u_%E&sFz)iOjwh5I!@fkEWc1Y^e2Y-U)vP+@niXDlZgp|d*p`+%_K{yn z$n2sP1*m?ELT2T{TEw?!_cLD!`BZ2J=jWMdsB^qzkGngg**AdtjA#u4GW9^ zdS<)c;Rq|T1X6M`b)JH;r8#Kq>`*%2fvZyO_2*xr-b?xf*N7Du22YsJo@mJfqiDO> zlaw?^q=3T4_r{MAG4V7<_E#Vrh>q)`hUW%_XnPR%Hq^Lu$!WU%2<|%KXy4)o&~%#( zNMX#u8&4F$^AW4Lc5tiy{K;!GK@-ho0j$8IGZjE&Dwa9@7au?Tf^!s?kHAl$ z{_Yt?H+PxUKu+35;5VDL(ort+1Pua00}9h_3So(3N?rz{L-1tTX-F8=vU*kzxb&#` z(Ev-|y^Ar?SrrtaQfsdeW<}#}_QXSB4I`UWrVYNbcDQGHY9V;SPS`I+oaPpt+=G*6 z)SK01k<(@lY>_pK>&7W^kE%j-TEeR(e6odZ@_s7h%D9z~{V|?h3NJd}H)aFW(VuFu zpP@`!Bk>LaZ)#vOj`R?vc~xDq;0@dkknZ`&8n95EGM1s@lk!FU8@(UhhZmU9_~x(x z#m4Oi_dJ$&J(V%0GQ__Q4an`1BnWd~bkhfpl2W(n)vr^5?L& z8}O*7{UX$Bk*e%rO|=dV6_tP zIXrXKVsl~SRzt|+5>ThS+yS%fJA$qY_y26w!D=!FQFQ8vBMTtJC16;50;(^qBKLgMgoC#4;y=9rfKxfPIdu&- zj;T(LAi$*#?Ex0JMXr&kX)JqP3jHy9?w?UmTY~OaOmAzj>SfzTv{ZRpj&iBPNsHt+3f@eWtPe&_*E^0DHjQWJv?CYy- ziMkZ@l~sTMI>6Q!o1aEIWyw%66xG`ManM_3D4?_KVWFnMt?OI*XeCNpAdI|3&#=!Sl?##`_icS;a-GO`q(F!SJ)m~?D+sE9^zqj!lvnJ#s zIcCG;IS)fnWd!?~;H!l5JA$H8EX#gE%vA;wUJ#Th?;>sCQmn$mZfR`XoKn9N;Z&%$ z)+3y6eUmJbtv ztlsNk_beO}>^IM8Z_#^>H&-ON1Z(d~oyJ8b@NF5}4)MFSl=zg#OJm-kLW(#>EOb=x z-YQ+q)gg!$d?mJ@@C80K^O69C1gG>`wVOJ22TrH^$o7=f9FNX(;~-t)C@ZTLof9`{ zzAYc<9E`8epCL)TPbBtd%%6~&t#XDuild|bXVYxVdi<-0WOIE7qw!g9bgSOO2&xwlay!5-+AlasafV^NOo~q zY9Rsj?pPtmVrHW0Iyoltaq6;way7ZQK5l!WByNJoKF=0QMgP`?1Wfgz1=hHaI><^FlfFBXv6fNCJhHJ+ zG-i=%<(*r)QQY{j&~eepXl%X-n z?)j6GNNbJhnfI~mVl^t!!|19LxlW8r_D|2%*j~pyIkUMDH6(gjeA-2JD^$r#s?f8J zcLAtEvmTUgt!*2kF<9eKh07vYL_S0((dlHoLbuxD_lQv>>GaML zXqkWa+8>n0$)sNP4k+r4bjO?}gUx*@a)Vznaxt z2o;RZErr^Hh@QC`t?ve6%tDtu&=FUyuCjHT=Py#SlvyD$w*4ExeZ;Kn=9N9XrZ5yg z-gNNrdG*uIcME#NAJ2RZkPk>sdw7w+Qx)PL^2u&gKDl*8BBCxo0DD$8;?Y83(u_Nu z7pIiHtr01u69Wb=nU`n1A}hZs7h)jE^xL_e(Xt8s3u^M5wXtmK*7F`90&!I7*5j|& z7c){NM%-7oF;BNO%&Tnwri=}Jx+zPo58pfS&c@(J8j7VsN?#QLd_LYANZ87}injA` z9VO}A5+8cf?Rd>4E~f@780TC+>ZG>lrOza29@LgOb6hsNuH5X&S?70Kj8Q_y-|FBB zN^;$x_VXX4Ofa1?jJYm_AzEUl4}o!Q$GS0g(%H43r|ygF zWmm)IB}fHO;^L6VeJ4^JKJj+S!kXT>wQvWraHA__vHS^*U=EVmktpE>2$klj_qe8i zGP|kXU{3#k&ELv(L!2xJqzms4m8Pt1bI&fAI02pQae*8BOaWb?WRIz!s8OB63FSs4 zKQ^=1ah(%;0~^sBswsH=E>k6LJX7vE>T-RZ^3uR+@w<$YC1EK%=WCLiv3S?X@=~yB zXiJztN}~!L+lR~4%FEMp9-Erp9)nx>GT<*(O5nXqqQi%_-UFEpYfA*$ZEo2d8{M7Y z?<0FNAKfLh1=jCss`iqxYksn`>Z$hpt`aimfn7cCnT1(Y?&RKQZUi*XnB8JuGSY<8 zyF!B)AK71zgcilPdYE7ULt(!;ON_-Nq`C2x`gp=u7}ZUd@qln+%=@v>;}_J z?nXj`9d3X6QfOX3294GQX#^oDEHB--Ei6Lwa_dIL*Ey-;=HEl@ndOTLR;pyb>EpQ8 z<1@C7)pV2+%kxbJi+U}TF(Fg+=mvA@Sf|XQ2U5- z<5kn^L+((S*LiPu)hcbqW)hUPo*4b6l-+AFuUx3@EvS@RlVHE>NS4;bVcxy-NlGC` z7!9$`8{~ff2?C4Z?wcY2;Tfhyzi=UG?*?-h607#@qBdxazSYT4T!>r2oFm#QUX6=e zN3)t^t}_zGSSdY@C8732zRBte70iVG2z@v}=}SAl*?R6C42r`p=*m;gjcGLI2m=nefjjBZDz18c97~|?zjwI21%B!>Io-E(A!r1lHdOosRX~n}btD98__`pt=<$9pbDymQ+t&_ngAOy+5 z84RldI}gJPF2m{?MO-zB67gT(OC*m>G37WVChgHq&l~=7b66W9G~3rKieRWk3qq28 zsPD??IgV5;}*yrU*lKm@t5f z{`&g74`tX)7Ip%f#$e8yMXBuLk=F6|cW5kjeQDpdFGx|{dF58wmvN|FS9^fr@K zRgyEACs|+P`?eHS^{Y&c(ZcOrrM|C*edTtRwuTy2N`$}>9UbDmdGeL}xwtbUq}$9H z<8l2brSk~-0%!FP_^WE8Je>JqmO zQqlDa+u&^iKnV4)lefkg3w7=a)Va<4_e~Ho_IpLre40VKU}9oduSWVm8d9|l%?ARq zq0$$W6sQ{etD?i5gE{gix(Lgbu_p7V_#wwEd!PC{DW2Z%>ZZBhzO+veDv%OkpoyL- zEVS12t#4C_C>?k~u|DNU&god&61Cm~I$q(|A11N`HmQM@Y9&hpWju-3*#CqaZHtr> z*=;Pz;sp;x$vcm`ZpKx}NaIH(MoiNW?(*#T{KANS@fXbUp;Pd z4|?ydmfFspQ?u38Xq|{(>q<$RDRr+a#gR!3gLiN=fvE2vr@rD|lU!W9O8o4;bS=Uz zBw%0#*Wtn+$VsIj4nYxbBIuTcUY&%Zvr zwy~v+o8H42WhHEArsJ}-BheQkiNOtpnip&n&_)aduL7dqeodT4{RVOCW143=>)8QW zJEaL49TqjR@CT7DG@~+)0-?9SU#fG}o%E{@bsi&?5 z_{0Sp$aXa%0FcIv>WmZZqGb7S5mkJd3{k{4&Kzcmx(k*(jVSpUYC-4O?v^#dPO--I zg%Mc8^fghkR0nUOKum0!2yqlG$5>^?C=&!P;^`&t*~$*EQ*ZywDFJcU3s-r?dj!~t zRX)lmy>;n6_ho9J1(8AlzQ!EG=+tEomr-o|T090>gr9BQ@Pi#DUxP;pih}(aS$Uv5Yt7<4EB-XC z%?(JeaWIfd*UF5yKe)7v7n_yBGqRR*Tb&N)xgJ6v+jyfpMewP2&LXqG<5yuNSbvD9 zY#M%a&beL`LB~T?+9G*RR~UD0Q~(MU2he;B0{0@(?FEL`XPrG<3H^hIeVc+hkHiV( zyK1=ft`4G7oir_B`*98aWZ?*~#BDeA8}l}Eb*7)6a~WyUP9<@b?sFzMza#W79cB>> z4vFcUN$yKNCv2rP{L&y6l!2{)+A_NeoX=T23*k4zgJ$m@MtIw_mCr>;{CRS`xOS#;f-cre3p-2cY` zbI?PC;b*}ZEOi9f_3Z$1ot81lN+@4UEl`n0A|Fv|(3l$Ij4|?Wao} z-ZkS0*7Z1V6SL9KHF#5D^yM(BIsofgmk=e?@4`s=sGGI$n*7^KLrwGBc0jE~7Mn}h z{#|*8kfQuDv$=ZcA|;s;`aBNx)nT!-+jto=uu# z*M~i8HVwL7?Hd2$^bTFaFk~C`6N?fZH-a+V@Zbp7Ic~qMnzww`ST$FhYLhVQFSK>v;@?)N==g4KIn&{?dE-p6iZqM9o47)3V;){@v=iA6kcyKM|_sp zgLrvVmCI6hTZoK2eqZG6d3uHt&9)?-VecdmVPRX5?+Mvn}o zui3>NSe5-^)O7Fy%~sfke`k=ed_ZiAhy15n1QAhOqe_Uni1MS&51Yye4U(Nip$#ap}3&{$# zSNLWPmm>24h!=)y=Z%56q8}}pFLdyPg!$;rpVwyZPDkP^FLR(-r_ux_xM!1>TYFsn zR0G4VDh+)sXh<&6zJvpqo{4(~;ET|!U3iHQlbIZ+?w;byvw3Gmj4w2WQMAQ(yIl1g z(3H)=bRL(T!-m&%q#~vilNQRT=tLYJ9Az3h6DxU*^oN111N-u4cYXrhR%zW(*sgo&l8@3|!6v;5qG zfMkDHM83>E+KHFiT=pHP)>VXNIYp#(sgUK6yqDEfe@UuQK}w=@|MW<>F0)>%W6Ro6 z3e_9)%$TU`?>SC;#`NeV8o$jOtw%u6Xha*}5ptX&=*C)0=0A~$U-iXG)kBKvf|vI! zmeL+Ep{IL2-+vGN#Z6sICvNV;%+wVpVq|HMk8d~Dly}H(F<%oyZ?xOA4XH0*U8ScC z36}aT9`-!iuR1-5+H^3WsPe z=nox-H0U1u&TH`4r`J<=&+~;2*E;D7rW1+#YZ38d6D}}bH4}MM%ljJb`EjTBCDz1q zK}d`F{C>tM%JG~d!JZvgDe2Gw!RBsb9k>1}_pFsD&_g*A_iO%@yP)+!xslYP(l?>!UW zkntcl$&YQ}<^f+{lC1lc9Kpn`w|Sm% zm@WxXn^un{-3uh2uEgAG*Y``9YPIdD!|40p&X}xU3w31+#WBzmNo>^gbB2?tGx=$g z=+jY2=!B`&VExhcE(OoLR#MYjU4xmV6FKj(fuPEj`XkNt@^+)x$!2%vRLdH*Rr}2H zYx^>1FuJ=_xwP^{RyDEAs)gMx(1c^?G0R zN~n`mal`Z1wIL>nUDZC!7a4IPri{vo40~bauROm|?b*NB-U?&8W?FUgpF?{fKTQe z;#YBok(S|ElPg($Cec06ElU#I4}R&5l}g}-i-9*|C~Cs)bKnq_s}fCgir0MQoSVm+ z!<=i9Dw$Rm6eCY z$$h-Km^(fVth1`1(c&2FPdwXyh2*) zxoK&Kd18ntJdYd>(Bhxvxj&9uep?P=!G->DaCiN|?DFWNQ0d6>m{`PGtX6{GtLtIm zBbP)%A;!HZvbJEtJ)qisMz!WW>g;GS&$-R9Vsi^Sg=Oi?xfgZQy2D@BVk^UcjW5(^F^Bzi@DO&+|^Lj~-5K4}bN-^Dc}G!z*5H?&!L@dSNZO z5Dg8f;oDNz0(kGp&yzkWS-l~J50zwNy0A&efPxER9ukbe;C$%3%l63vRE$b@$dX=T z!~69a9vmF9a*0^e{qav|(IN34oZf{5ycqbBpdBCY&F2<|Om6HaKgW2FpDuZaDO@F5 ze;j(Mv*W5~Os-GL>n*r$+l9UygdRP6?ZGobpX00jkEaZlVUN%~)wkIT2)V3GJ0YeQ zm*oC{6tbmqH){MIVpzYRn_a-x!YAwD)idB`E%bbA6~Uy zfNj0%SS^+vciVS)Pixiyv$nf+eP8n7-ifNmB=T)v;sUB5Wxr-%TlmAW8F@KsZ+Ew= z(IawQGkvDgL)$*_xbS_l6J)reSO&SeS(*fnAU};?vz;f|&BK9k{!F zn$qA-duoiJdHZc6omM}q-4PE;mh&CpVQR+7-U#Tmr~nIPD=@TnPC4@l^Kf#PJ?Z%z z596iMn;aQ?z-8PE{E_V4_`r`A34ZF{KLUJSi7U7vQd-juHmm1hblZhy2{ZuXO^t#VsgLUx|gR9WHR4s0^yO=K6^V>?z zdd;3m0O!?PL*5$il5jp$32Q-UV!ccxhv`cIqxZ;WBmUqz;lB9vq^g(OV}$?KO2Kd-3X& zbV_eI)>h2)QX#=D#w^k?9gkw8j<@ssF>9B|0=p}j)I$gP7Z%>VoGQNuy=0Wu4n+)! zc%WC{h%Lclbpd4OS-omh}K$Z;JO~px1Wrla6biW3M|Lt-f7UK zjUZA&%X?yKqZQoSspqC)A}D=tH!G{ih1vJ+G*dncvUSBVL+RA3;Nog00lSDZXDIdF zSbX!ASk&h;S3vDFS7>)u1hX9oK0Vu!0Sq2cO?69l=+8N!Y3mQq%?yW@g^=}B8 zU1#X-r*4qO|-6QpddUT*_i2b_8PU0SQjYuioqxTL4cGpkSc=B&o?B-`QDZOJNhS1HOb z+03;+t78#ZMsa*XAC~Jjw*;WjIy~I`A)6cxXfr3@6<720MY%E`-M5=0xh=VU8F!$^ z3}Oe^&gS=2J$S#LfYHZgUD;_;&oAer*0Ee4dmA2UU?-mH)Skgcoyn5#zKuYf0{sQB z3Mq%@QrvKeIhw69A&!Nz&UIq-PbPAy)c}u-WIXVWH^%q2ot&VUT@f=&({EOb%bnEI zU8WOBCy|HvEMEOp7?$mAq1;pZUtSgRmVYkTkKdM)PwB5}xhzZfg7y5>3t#ReDA+)3 zL;S}E!Y`JA-K}N&l5|?hbjqAQ8el1x8Y}~u$#r7Bbb-@lNvAufGzl@vFiW~->UVD@ zGcApl!!qH?0P0J{8veajq^v!tjGGDxh|4X1fp9&*c|);LBJ5WRCEhPXWA?L40-tyK z%qq~Hq5<<}axvE^`okqT$nA^js7}hxz#5?f&w2-4-vst2Ofl)+WtOes-0=BmI_Lx* zE@*F!n<++Ih&0AJC6{dg^f3h^ZH-iGJfgUd$`$khjIA-L^pj$kU+wEH92%#>ootE~ zPTiqt`tabKh?z@w7fp9J2onsRuNE@z$Ev@qEqKIY;xeeF>|z>UYJ^Utz-}iD^f&O} z#kN`cwK@TR`NcTXl#3$m$V)g&4P>Mb=p|tH%J=A z(MA*Hr1GsXWWeWQOOj~80Wf*Xm$kT{4j6DZhkGePx%$BWoBois_9q=GO0AqhVWu<2 zC-$?a>pZ|vv{sqcG*jksRp9}Tu(xcEayS6#i%gi9MgA_RSxt<>4qhd-=g zu5%^%W#ePK;e@&R8Zv|{%Wu*f8a2c@^P1P)X~UtH2R(c=Rw`hz*VDnXNem8&t4EKd zd6;vsm{6@&aOZZ4sBtvrSyv4|C9H(nU%``dhV7YuJ4_qIh|geHsp$4@HB&vS7u^+p zWFTAk3ZA8+0Ox6?%@-XuRC2F&;VDMDsg2vE8oO1eCQB01NZ)3?waQpf+N-=2=U0D) z%RPKKzZNB<8Re9}yTNNQhB=Xa{0)wMPhcazYkz`)Tx=C=VT49`JqjGE86%=<&!e%T zgL}3048+l*2?-gpc=m&uRV0z8Mvq2auayw`{p6yXv?t$e)h*ofjb=AHuq#THwQ~XQ zx=Pz{K@Ceu^?V$|7hD+0o3Ov)OF`)a?E?AX#QsM{lCj2eqKG!0*@XjlHfLaPr|XOB zJ}G72@PpHxhEl?9vS6~`oeYwxPz|r_v!wm_hf$*``_01(Qj+UQ&7@Dx`o?qOb`@bF zd4sFD>w3D2 zw7mbJ7Y!%J{4OfebA8G{P~zFlVIgQPzT~~|V@PL-vNCGc+sHmTapRJ`d9Cy?aQtf1 zUnus4CQ(R(6k=Bl38EZc z*^;$2Y`AaR>-}|k*kZ=wc&p*l*O#Kn?{YAmUTU`U9#O{tK=s3?=#u{=+2DSPogpTo9`LP zRvxu7Q0=|OkEXg`1>AXLO*Ah;fW{~04PQ0aUe8@B7Y(_KR2K^;x4#trUeT~0oK_dA zjW=e&`Ec~Pte(f7P24EK{;IxKFnK=9*+|+mt80 zrJ?i!`?@zg>bIf&uq`is`C`d`)#9o&bE)+ZpN#?O_!+`g@L(m~V(%@(s$AE#VZ{U#6h#yX5d>*bT1rqlMd^_4ZUzHH zMFc^R?v!TGoeBcdASo%`(p}&6xb~duJ-+un_A%#LYyaE-=2RJsC+_>cuJby>7S@BO zdx;s}nXFu~FIRBSJkE3Kk=~~@;Wy(uR(*GjXBaxe)lwEB@k2W4=%@&1xcYk*|MA1f zm~$a2#ZoIhUuMRV`k{Qn#S^>ySs|1OJj{ zVuWT3-|j*RlpH)qC9g&X_A`$xdk}HP#yL#ThT2l`a*}Ig&S2-VP8NU!iE9~Fe9s2( zo=qG+>O=Kz6CHNGf@GL_0+05nz2Ss_BgeNfX{Owh{z8j}oExz+YX`#Wsp?+OZnMi_ zip&9p@;0O8zM+}*^LUkiNgANLeR>S_dSG&CyE_V|I^dhyN&Z?~!l+%TNpp@X zrby~xwMs+wcLVj~AA)9{SRO=sZN}SP6n_`3c`2ZW<$(%%uE1yV+me`7z#WnqntD{C zRl4Px!Ot`_Ulvpw&K5K#KEQAoW5i=k*T6L`|-R-XC}PK&QtWsYr?rcnb5= zKz&6XW-?RZM@)H7X}@Ggz_3;&h}$eRKahK22u3s?rS*=)=LMof(nDf3i@||(C-8~i zesow*DL=iQ-T5Y!?C*NqAvmtq!0GP8Sd z!F2U&a#owpf^2J1jk!>*_OFYsmI1)}V^OPAG1HBo_}Mp1zWw@M|A#%OS{)B=2+o)s z9I3Xj+)ch>>oO?T1vrVLGHw^M29cD(@Iv5PD0lmEoci6BH;gFg+=>&mWKVL)z4-LK zh&yA4r%hA!$e%)}1&}0taI!Tsc=FcS4UvOECfa*07_a(bQ3nTlm+}QPVR|dMjZ~-F zGPZ0CD=@T$F-GlSbp@1SgXz6Ck9*hU3w;B(@}axfhwg&Z&Lm~2unD-~B#6R)4c95T8 zL^KcTMc^$~>x)my-R(<6ybI<{l*$T9S{~nQzrQ&qNn}rodba4S+-IFT*xEd5o;_sq zrI=}>Qf83O;o+)%RTxU2tUV~H!cC8~ugrBhx1oo8de?L^RP|S}c(sppeFl1TJ=W`a zwRY_LrK+6;qH=SV_UiBiN6xlEu%heWgZgry`~RbJ{e}PC$riA=1#%WRx8LEKfmf+dw$NSm*uMLESV^rw`F0_7hHiUmx<(Im+dVMVrBPn)Y>3 zY(G3K_iOm-Qd*##Ldq~$yattcOfDKk+l3&i)7!X&rgEf_W%f(Py-GS4^TFgR90FGm zdt<7A>?kke-Ca9chnqO8Mh|O#+!AmtJt`TcZHUz*nwT%KK{y7KA2@3eq0)3(N(_!0 zqEu0dR9v}YCq4{sxG|$d#N}m@KA~v%;b4aUSWI)L`VPoelbUtfIUW|^t{GFBIVIsC={Utr(5@`kcL^V$pOO`Z zyBg@VHqYl|PKgJfrQWfitq($xEbay4t*>Mh;7w&N_mzjSi+q_~v`H>fG(ABug(<)& z+%Re!^|Nl*tX>4m*)Ov*K&-_dC5m;LzLB{7+41QmqoqE?Usdy&CHGQ{f?=J9RW{SJ zluuJVE_hSQ$JOIKtkT@c@0)mdm+^s>5(P{kVRyL=GHz(IL|@`9Er5pl+S$nPds>1! zQt?rT%-v+IF}x3-E`k_|Sh^wh^0lq}G%Pf2iO!Tbj;Ceo<#K4C?!txDBVNX4@Bja9-ETNE%~x6`?8A5%gT0*`#-*! zXAI2{mAl@lH6GaprovQu@>XK^356;LmKnJ_?cG@k&q-EauMzGQWg73C{M3w5U@@-? zif-UY-m%9ibXYBF`^OGohtBSM*bE_WSC4W@dUU`-a;&%n5Ru^n2o$q@-bLPwkT7-k zq9bBL4|J>R7H&LhKev~aGCGX7KD!nLG&Gx?yEeUF8+)`tv(1!t0_`j<7ik52)RM!# zTraowOuy08jGkUJu(;c98&SFX?zU5k?Y<9B*$*E;?YpQ-c2vWtW{40o%8{HT{wsJY zX2QsBbw+VvXLs^goc`{d8&XUJURM2~ zHkEC_npf*Bcd+Q2+lDuW1)q1rKf?o&w}C-kORIu_H?n0*nLH-_kRCiv%G>SLxXh}A zSqf3j!lK<3i;kICA8$UKv##%XGy~C}))`ySzw$uNl$ZPG5tntTPzyOyIZuw80@k2L z2royHEex2l-+Q!1a&XMQNhG(^R!B(&DZ`fo@V;h82-z7mfLbcrzT~s}^jtuAkk$Yk zhVL6hS-qvt$P&4>Wv6y=Li@smJ02eA&lCA|*Ho|O&kHu^gW$hZI&l8HJ%krA6_oW~ z?9;nhd~X1s|K~eyVeqh>&_Z2WZVBt59jdO!IYah5r5(}OR}5&x@}X;PW%a7o?pbFu zcE8=XW76Ys)tuH)_tsddz!8pOi&0L6EjsvK!|@Vx5HH0gDAsYv$L56O6h4E5A! zF62iy5~}r_H4NiJm$e3PBGkz%GocUihbCm(iUN8Yo0pIC9jI3{q)^A2bhm@vi9b&E zr}!9uTkQPY_;Q2+Q=cX8^ln7f`>dArJ4{)-IN>Rh6oUGtx@45Prauq*4ETGUdq)hG zM@!tQ+qf$G7VHL022326*<7~yFzsUW^VD*B=|WC#s!BauwpQb;=rfl{p!R-HM59h-m+r+NAG(y=pht986+)S4{>Z8Q;Q zg?fh#7r_CdF<&RqO@{qKRFs-FA-Uk`=@6<{u7DTPl_T=?R&1K67gVW}QAZs$Ad>p^ z>PfcPpu)H}@QNBMWKhGvIG*l`Hk+mtUon*VCZSuRWaqTbte_dc(P7@P-3fEKB|)7;cA9#lnkokjej848@l|k4lS~-{&CkTO{hHBYI)){M^6nepCqh?+v(Z3 zLviBdd4UsHmtLMYed}-hC(b3q=eK;Re*b9LYwQb9mTeyaPhj<&|JAfpc19qgw%6~H z;@A{JoCmhEK{<`cEmy`Wc*Rz)kt)zm+Lp|}Jcakp6^tyD@0v(`=eC=_O3G>Nfq=!MXtBH?VcS9KdU4%g_m0N+5V(i_tVjd+?~sjv*V1MNxF_PRiblGX zGgg(?i6$uIp7F}efPutpMVcb^vl4^2T(BAT>2@jfxq#niG$d-9;UCE9VX_W^=s0>9 zPE3r6T4f);myO4{St{%9YPaKOR;fT%qz=^D8H#Z`a*`L_kXUGfnmU2p_d%(1duI+M z_oe8msD5Jw=cLuep5TDyDw*3Cl%*$Dp=elXY#T8(Hqqrg){}w##;>Z?C`MLP1dFcC zV;>>(%_YcZr_;zNHrjm4II7s0>WO*UEapw%OU_^Q6Vq6k74>?xC#%PUIE3i9`f$m@ zRWp{==xL_7gTN6OZTr00tNA*qL7F_Zgum~NIj*+N-886stE{mspDU;;@Dofsw$}H- zK-a9B61zr>WC~U&2gtUz=kgfo?FcOCCTq}7QE69FW1@?UR8Y09qG2-Q4~@oMobefp zn9>fADnc=FQ+|0gp7R*2X{Nd)R%aulzrKp5*B3HrJzw`JM8nz0A;ayg_xUp+=(nT1 zn+G8Q9LKtvP1rOI`u#<^Tm&rTAh-_byyI!2C*QkwNN;qdCCefxzEalLOmpp2hE~0^ z%LLAuxo*Nkxmbqn4k7&TFR#z-FXI?%@|w+O+E3jeU+dsgnjH+=>U*k=nbFi34GTD= zE$F4S=yi=@pt(TP*X4ZBW&kdR?0f1VHc&(qmjX_r-mwTuZ+)PUY>qwU8CzBN=LUwdZ7zJ)&-;%0&e71bD!D#m3~u#B z8m_wxazZm34W%2rjQBK{AJ5b*+cPm$7?U1=fMFsrz^0$(*=(bZ4^c*$LVLDSW!-nZ zX3ynw1Q#noJmx(--30};?s8}Y+QIh;!QWhre=J8{=Wy{2ElfS;@esTL0j zPSe@uP+r}_T^sC|Yae%m&FmN@t+&KbkYyFMcPNshCY+lsX2D*!){8Pz0iS92cfLpho zS+EC-9!x3l3KLkIL3a`kc+TzoUzQBCfq0Ig^GG&Y{(PM7wR3vVP(-%C-0onAw&2>1 zVDk!9gKoT4Yy(dg(ZthBAlLhB@DN}^-@VW&2%Efme8JYxCdO&Hu}LL=2XPh;#S{XC z`=}V7h8HnwH*IAU5xB3c5O2xbSK^#a4godq?JE5{o7w-3BXg`f8pi(E^Cv^QiY zzy>*@CNbM2O9O=&Ca)T~TbM3;7@uZzIddb%60Mir_VStV1_S`yw?U#@atr*?@+y?g z%Etvv9)f1@Dnu_&M3`jF9TM1t!IT5O08|>n_tVoYliK6c#oem8m|dL;lA`WY8IyX? z!KSbqUfdqR){I0x@u|00Mpc##6b>jxjW@opK21GT9<*4?P+U)J@-={JOO07^xw34? zwWk@5)$GIlXQk~`X)~cKV41X+h&$#GowI~dEoL9nQ1|s^rufY8g%nMLn4_b6Al@i{ zyKj(vlhD9Xkfl76|81PAM4|eo2vZIJtN3jJnwA7!B%QI{P|SVS!Q~)Kc;!Sr%05!%VsJ>c93C|^SE5F{L!dwUep`&0Bt*E zr>^n!0@{V$qv!40+pOkHOw5Ddf;k>$Z{{#kL9PXQzFaQ^x0)6)Ueb^ExaNH%E6K@W zY$R_`NZ-CA`%})O141~$R4S_GkTN69h$$~-ojKb=GHdCV%AD)3Uoz!wA1XBjKgXZX zs&aZe+Aesxw17RO&cp4N&?{?S4&aD>1&5h>nc~8~ zbc)`(MB{(N|9Qgc{3GND7Qj9|P+)XrDuNH~j9uE?Jl#c@qRU}6fAktL{738>%NRDta}q6}GWAQEeZes6D&C#LpoC+wAE#i){@ZE%MSa)9o^d7u<)#}`S{!F5pK5zahe4cwnG}QRA zed!sxbByND@D11IvFuRd%OUBxLLdRGiw{WM$7sMX0RjAM+Jh zARLpeq~8D9LG1I)zK@JUwrA?(*7m*A>KDvYYq-}xCYBh&(FPc5ojjUwr zya6W&65pxF69KIaA9;x5i&<%4!Q8vPt5+@dHAy4u+5x>83MRJN<8M?%jv%6#gHGD* z)}zrE=~hkyL7OheI15jYGj@eTtiHF;@1WmI34V(QYK!qpFYhw*-_ zC&hhtVdVOqXsU`l&37{|4L!xSAzH!;-^t?s9wkTd#5P!fb@-dZ}GP51w|_l)6+>b z>SPO_7Z23k7sb4WxQULwyj}?}u~m;8=a^T)*yVWvgV}`g(NaevQ{VEX=+?}F75p?> zwM8H!>2g)7dRFs)UuFpuEHB%J`3M_0fq60uo2kQ?%Y_qPhD@hI>7nuFfp?Fp_#Tqb z3SH?-B?WY1&~Ws@aNd2XXzm`-XB$XSy*(S9?k|wljA$YwpSpdYx1X}~_pSqTGfd|Vi(2$<3X&(?wC0wivkHQUHdY0_kQ1@Z zpM=D@Gso~4OLw3f8FezT558XiyIb3~m3{2#e(oaiRj&$B(@uE9b`q$aoBPSjSGXJ zyp*lw8o>T5b6ILrp`2>qL!Wp`hN-Gl^C85TklwaCH)6*r?PF{Bti}em3`f(A}R)pOX9ObpYf>YEwldTMralkduD1 z5)9@R$S^>IEKKB;0l^_LzpIPn3Hd3Bp_FS`usPw^tL)dlZh%69{-!UU!~6?KrjFVX zClU3;zvFsqRnjZZLy!Zq&W&tuWh{C>Fqi!i-^I-WuvQ}PXRkuBt39Ma-4V=>PGg(S zz1)YhpAb_Aje@?Z6e2NtB1oX6ns>0NHZfo6I(sPz5B<;`moyy(CQ*rp+Aw(V>-9qD ze9LYWi7?0-GKKV-&O?k!p*P;5*!9QK3;U3GeLMaNhLB*U<2nkAwp=a`1PW3lJGaS^ zP6m~DnPd#4zFs0Q5BzEPU3k^Et+Q4mnzCi|{r3k!qOqs-*j#BO!!BJR3&tSvW?$*d zjZG#I(>UGYMk6vYS;d-k}Aq#)z(tG8d2e%JW{Js*;1Fztk|8xn7z+jEq3@Pa z-GXxC9Is$e*p_hRG1xlUhpQF`i7Y7Hz5c1>X%wEKV!i@VIwk&59!Iogvg5bpXQc!0 ziIiTre|wAAN4mAkp>%ED>r|>$ZqJMF1$&ZuV>H8D$b2?Q<5g6vE$Jf_(zm7&Hs;q^P9eC{4{W1t9GuokMu) zyk=cFBdpbLNTR=meYM-vpvnyjR#2hUzB|}cIqJDBF`Hx3m-X?IZl0TTH(d*Jb=B0f z@m_euhP+1*enmLUl0F}&ouu}EF^#N_Mk6Od2)-@Jx1LS(ghEf5dt00Cmqr04y z{YmCmjLM3Go}zV6f6$KC#4VKI^1VFw%@6!m<6pmBvmKqKOB33jG?MRKKcsKpc0kvL zobaz&XcYS?s?gP zU=YXS?xy6to;=Zl1le4~%w8K^$}R)mULrNYaL7-U9dwc`dNaz+$rTWdw0|NRkSQ6w zSI)A1L{^l2)on+_kyW}t)0mkY6mc63cVisKv5$S(7-VcDs;_hu??Fq+C)u>2h+rF| zgtMr;Dle)hzw`{66q>B1mTndfC}$K(qoR9BFgJ*a_NbXrOa+P0Ebvy(bdlCN%Wh43HT7mr|5Y3 z8rgZ>)z0^yQoN`TM!Af7?V1ePyc=Wd1GQ-1rowY-Hy0l%#?qL&eXj!T2km0Qv1 ztfqv{J$F~fY3b2@O@%NZofq#qI<1W>rhd5B>K*rW9{&_rP4C0FzB9xQ5^#U^vJQAfd$Vw5;jR-b{_RPlQ?ShAI=9`<-M zCy!X*x9szzH{dXTnwIE|&mp|9w#_ZWwY~#A`lelvF_}q4SrJi0q|-e<@OE=i2ew!W z7lWQU=DOf(-b`}(=1mHx9%oa0Z8kdo?A?@Cg=91fJ+4>Fp7z1k!V+RTm8sc?>Z(a9 zO6eyKRj|L$P;oNEQ`Iv#?r2#ATBv`ETX&QInl5)GVtm44eo zV}f&t-lR~GW-#W0sut<7=|+Y44F@o?mA-bxV_k`|*$K~MC+!hZC1zTf^CYVu@AXwD z4|IS4(KN@i{e4Jcso@h5m#R;^fjA8BS{Ari*<6!;ZJzXgrST)ksNG_|JME|nh9pIg z79>@wbfbE+S2Q$5y<&`ejeWWLVpvt_{ZO3(aMZ*tMdhPHPJ|a++aoRVQMsyA<*=n%sRgPA# zIWJ$nfUdT?Fx=yP*-3hgM5gK{tvp$goRUbq-KYLy@zL1}GMvJJHavc4=EMP|f{~f$ z#X9P<>1^C{YdL8`cs*@B9aY7G5slN=4tvd>n7scLsW8i4Bw~2+qI%_TFsKHd9dXDr z6#BhtVmi0avqEB3wKHE>hv&dNmVwfUl4`vvgqBq?D0!P2?I1JV<*J>LC!T5^v*9?Si`qm3@gGp} z8H))FYVJp46+CZHjXSFgr=(M~Wn&ovx;% z88MRIIPauDoWt^n{_BhE@5J*w&-onsZP(+}Kif>a|12b`NddMn2nf~6EaN{I!%qgU zqui2$&(x8o1n-MH^R>rx<6w%xXAC&Z>Jh6<7{^9=1!7p7dv4m7kj7fhH*2dS8u96C z0S6*&Xi7(5A1eilqeJ4xz1tQ170fO2-$s)ph!C64>-5H9;ZhUd$h5cS#Dp;_b;av~ zOF394^t)5#>TxD_)&%_s-B>`Lp7#U%|9lBaaRarFaz1oqOKO!6yJ~U8^DB$oXEZgm zuApA`j;^l(@r(tlv=Gx8LKWz*Rj>CZdQ%qxg){#(rfcUHr1+`@&7w@QN?YJ-87+>b zXg?2gJD4D^CwpNUWC0+>eFf8eIhX74&WOYE;+SmW?#HRO7jNn>p0q(cBRQI$rusFu zjFp^Uw%J_^YZ$8#&8Y1OJ~yGet2LYz^E3;P=A2USqilsdO8I;H$Y2nI6i;f2E?TOB zZNB#h-f1uNiP1y{*{d>0n|Skfn=GEJR&u%CQI_EJ3AQ{j1+D!+CkgDC!usH+iew8S zT!($@WC-)t^QU}dN~sBc>hG-G{!`Amn+#61z#%pQ1I;r!_|ta+UHWkXg-vvT--?b} zpJWk{aO#C_FBW>bBOO3Ci4^S?jqweMQI|%L3_Cu)()y6vexiUCWN$f?Dq@j~ZZskB zw0rB?L-aO7ojzcx9cNIeuAa=CZR@jz@ikwwC80cyF0~O8-Q1Z=_i+xh%)q2tQTKsf ztJqW^V?0`o{ke6uVp&rqXs=tL49I$s-Zet6nhS*zA1{WNFZW$a#LT7M!K*tS>kmy; zFP{!?1lA?1!Y!Hy>evgJ`5%6JH$p>=JKgo5FMkt!j*f2MuQ6?*Z<)%^I_TMh0)YqE{GARGM4|RQsOpg$U`rVsV!E*;Go_0bk|jrU zV~B_3-hSXgjirj}q3<2XwQ=&I#C{Uo8B51lldQwqThnz!nyh8XTtB?`K3u74{}dc( zZ*e^ZwU$G>aCj8lhw@WWqG)c}zL4apCRF`>axKTV##-q3xOc_v`0a#7uE*NZsQU2? z?z*Sz)Hj{c{pyH3G=R50iw}7Ld4%y^1duFlVmie_J*7yuDhEo5iO8H+Djen% z-gQIbCG8&iv9(mUM!Lgmx8wa$CY0?GBzZHaE$@P#U2?_NdPfYN(?e0G#m%hDr`e4T zd>)(VyUm1=gL_QrqwBg{OXYdhwmlIFX}`DE%>(sE{fg)ZD!`9I2kn#k`h8n5^kB40xG8}qYxZ&uPtNMRc(6OFmEildg%E9Uk!7n znrq?ak4THE@V))SNfKyzY3jXZr#zjZ+ka;*vN%7A4{rdBs6>95suu~<*PMHl?ni`n(ck(0SZGpj& z? zuYn8M18{W?q&}~h^PPlXfy*yLuLAr}g+2Wc=3Lm0`km`lAUQG|61!&uEd9=iTUw_u zngnU-pLyeB5untjftL>?FVBzGbBxb)f}OkL#kr6Gh1KZgNMB( z&KPoMYH%(Nasql$3)}!Bs+?SKN)Q&T8q?xr@sE2u4U&3hvx2wfY^|^JV!%_KE@GLk z9dnV}G?s^fY~;$`0-Fe1HkEf$ZILzcdtyyxPw86r={bXJCcosgp%G)`PZV^Dd7w)Yg+lk1aR3z&ntQXu90@w&oPR&G7< zN3)QI2+fR{ID3T!D7(!b*6i!eG@k8^prw#qG7w8)(_BUkP!=jSw|&3fXVd3s4nC%9 zA?YQ9Sl7!eU8z!EXJY8Y z#cH5S*|Zh3(gAGaYpqsG7J1B@AFku9Ka=7}*47ti}YV(Mx zO(mZdPw&0hWLo#ON&^o*Ob6J?vo{B}k-p{lP<)|q>--NlBX-*Wu}ZUf-NQnhX6jxN zf>Yaksa3{2hz+h>;a<_l&FDgy3oKhm&a08_JH;DxJ=@w7G-C)#UQXH5NI^du#V^pr zBWAt3cj!|tvk<Gzi#w=w30OO!BWx)Ngf=U~^W6WvGb#xBaOvC_Z-|QoDRIM(9a@Nm}@o7un|1`2N#Ee~kX! zsig(nF5Nvi%W3)Zv!t9dHjUV~K`!jgITR}%GMb>kGQvW8tOcI^+gsuv)Pk!tvRML} zk>gJSPW?$YDB!_*$_Vs647!0@CI(UJjMcV5!7>{5n=IQ3Mj935_@^KL1UteltPk8i z?@e}3EAguwJxKQa{ka_#*g1+E%QGSifA;eN@-!>ZtwvA?z1`6tflyC<2>0I5n%RXv zYyrK%uU7~$;Yn0`*XL9J^2H#O3B!TYDr`&Bo!oyuZrPhyVibkoGSTe<2wrXzA80^D z{g+|LwXzDMSKsXk_m}5=h}oKeuy86Fm|4^QLU<>eNCaMP>fkwkv%UQL#ze54+?v-v z+%e?&lagV$b{bLYL0~ueXxkNO&M$99{e$m88idW)%OYWj7GVZ)&qwanAH(2(ZH6or zc>)V9wZGf(=S3Mmj?-!QpbvoUX3{8Z%}9o@{>slU`tX=IB$!G+LF8v71TaUn+ceRp zguzBW;<+jya2oO5M!ebAVP+H|9nF1G5AW9JJ(hDkx@G5o-}css6DYfUR~J^YKVJt{ zTr7kxVle}NbfU!@*xqA)fT=a58;CzzU{b%ZZVJvs`Y;aL)Z+Q$z4{l}E66=!HN!HC zuwOSM{qv5clDfn7d`0Hn$ZT8g4p33hRCyr^6D$oRIsiwP6i|&%TVf5Gmt#8d&D(Cn zPPurM-3S=hyX$-k$FztO3P%Z5Ga!9M_zZT

bu09LhDb03vb1*gLX`DyW;_=JP*H$Oo$4?hzA0g?ua3c`ktq0(dOXqrp%bMo1%{NloGwfHe z7JFJJA9YIp`Qmr@V9%;6j`|H280ml`ls-akN9Du3G8|-hHBn#&js*O&KyOwpQ;V#+ zxa;l^-BZH=PU4*og$Q2|Oy3Io89)8GA^q*8`Q*H)sxT7oF42l)7c`8|80Rou`#(Of z<;!VTSeBxh7BHq_g(-X=iR7y+_yVNC8xhG2sxQVKogMp;9+4O^Uo-6MyuHat&=c2XYbVq^%ww4Cl z$F9!uoxUZDeX`e2Jk{#IR(PE2>Hds`2C(V*gSGWJN>spY#lxc6W;`&Z{ona^9R%0~ z#$M40GXKtp{PDH^5_aKkjeV;_k%?vP|9D*g;=2B8KPK>=3b-=wT{3NP{#>qq?I-`z z_58nH-X?^dQ~LEA{{QPQ|9p!7^2h(*pTHOZdpYA;?swWh*XiGSD1ZNZ-VKG{I7L9o z|L30i&lmcCh>B<6quJ{_-pRzbE5gzEyu?KfW6(5NU03>mLW> zRqA_Ie*#WZlcEPO?~TfiyB7Tp^M23Zj;IrlI8i@Fp>F3n<1c5KZP?ML@2kKm~&{ zq}9@$Cf^Em?8G{>PPK^h5MR_ZBGYU|G7JNsdCmufje+{^S{-vyzqUS@Sgbp(95A~h z@qY+$L@rLq6Hk9dwUOp!X&*Uh@UWCmBc6c#F%U|B!>dGp>Q0pt0gT2uS`b8w%@ure zSm-eYPXm{~fv7^S-uI>f!jN1CUX#dvHy{oXF69|!KY{7*)9YA@MElu-40hmlWXqv* z48k$)j&VPAE&_awjf)DGfHrmS3bo|Bc}>H34@tmd3{+Jkbn2v9dsCZv0=sX3ooT~2KIz^k^8fAx|Lc{TKF7&!P5tdFajwvl)m;kX zv`QeF*{>x(x`aIhNPAKG5j@}F3ZNEGLj(M-=@&HnbHn8h&-Idr87MwOJ2^xHlv(3x z==-j(?= zfDzG0%E(W`AiX!?bc~D0>ZI_`P7!i8crP`djQ~aQy?~~Pe&fpK$d(wvRj!{3ip^Uue6zOVN8W4&|l6aIhZu|{CID@es( zE;tFzjex{0ND13Xy-6?w@B5}?A*dT9^->vvX=mo&VR0Qj048t4V_S&mB3uVP5@F_} z+pO^jm8=E0)t7|X)+9P^*&gn1mX110Z!iuu>e7qpJkJ!IvsKLB=(Qe z+#?uraQF)M#1SH{t~Xc>WxEyCtKr=t?tbe0k$_Ojd;QL`dDepe8=0Z70jmbmz~S5f zAWlm~eU8$;$-3GguM*3GMp~-)0+$3VyKaEJ81o(sjX5B+CKun6jPw@%dKoMB z%0(C|pV8??||4OUUSh1ctF& zXp0^Ve|f5vbvh!#EYxIX`g4tVuJ4QhgYAv~NV6-Dk2KHuE~c!+fP#9TrV^m(gFv~V z$QdB4PinX`%4%PWM}eC1{+T@_H0EB$Ha~>#hGU^&6qDXgBNO7U$#BJ;TH+^&r0)Yo zSiZZ8P(dl4dMQ(cl+DO7+{1qEdmRtFmq$#G<9Kj*E`{k}lK_1d30n5q8!a^Hqi!98 zop)tP)$+@kR-n4MT*p7Xb~^`F?OvrdjGfvu`ni&$xEgy)fChR$b^#uv79f&SUF}>m zBoAD6EXlJ94Wx6;OjKToJ|nZWzdqP%g6ThV>`Hw^u+-JG4r=7{^4&ip zBwwn`bvQmn3i%=CIUM7ENi(8+z3rjz8>a6=;M=d$30RxA2R17+R(y#VMn%Jq+qh@T zy2)&~tZ;6y*n+Frp9pUG*y#`;!zIQ}|Adp1W3&YUUH4Z7ZpmQbG8SAy=@AO#vZcQa zoxs?5n?+LI_kJbtp5pU?1&d#vp-7JJ``foq{YQ#%cYUD~?p6BhsfKsq^V|mr5X|ug zk|K<7eZ8q_IN)VRwik}{9oX`>tdKYbuGOzs5?2t$F_LzTApTv^G_*U#5S3Z-sbvAi z%9`tlu{`LZzB1%}yPYf(%cl=kKw#YwRE0*v>5rT>>|lkFYXk;+%8-ND0x}$n=M^2$m1~NA2vVn4nSRdX)e9FRM#+Bzy_wWelwEsvChZ0N@sbhd- z+zLpoWt>T=_Ev4*&s!5l5!w+XOthZdxQ;M@6m3JGYu zzG(tORlnfLPRvzsvU^xct(=4Kmbra0q;)iYp}1=8HdhoX@->6$#O3Q9r3S~jgo>} zyy>&9^XBW`>>=WnSC0-nky7swRWH`7_8pBR2>za{+6nlu84UMZPkAVAj=^B)L&7zs z7bg?RxeE7TBJpm3$^91ZmBNP^zh;xa@&~s}KyA}@0Czx6jQCXgJ`APrBQs{!Y0yb1 zBMB8sQd9Ro3`f}rOgw5=X%}$yDm3Di=PU!f9v=BUS2&3O8I?|}O0|~r_NWv#F8J~A~j{2%@Gs?9T%9P126UmN&Q%L92mZ3{I zT5>;X>nv|G900jLA9Pl#(0ALf+Dk8Zsq#NJkKau^oI~`GFjsfos3ZziS?{rc_S@D`7=~XFFz*U`C3x{b6?^k)MHMLp0kBd zq|x6sQtUbRDNS1UDpQ3+RhI3>X{epqBPNukbrOc`I57-8!3}&N3ik5v{FJb(L{z4fB!HsQMGeo_9Zo@A?u`X{KU z`gijkWHY@oipe8V!1W`i^BYOo81bJjIGfH?s*RF2%=TDTZ?q0>Uy^su4pgUNQprX_ zUt7p{162mjf{Ez6UT)u$7!#1(tLSPP@zVDg@ph7Q?kDY~xMo)E%_A|%^o8%bU5F#w zuF>kBOIu1;WhxjAJQLc??^KN&sv}>D3g{Ex#^`csak{u&-2QmauRd_P%tpEB<@84s z4NkLo#%b=%Z0CbU#t~;j5?>lT%mR)QqkRCz))JT z^CM z6gpzyjswE@A7_HR!j+J-^d#NL;aR^{!dJQgN~O`bnds@vj`(T^XyT+We#FZ&+JA^oVo2Q#c zp~T$%Q`vxI3=bf-Ug=-7}TjJZc-}8)ELjurbK;z;lZi>#N=3f>(SIFF5l*y zMYxtegNL(muU!Vf1&z4Qr0wl)plj={bu=NfQ3qdWp=&zc(x`$@@fYvQb>5>8Zi`bS z;xb=}#|xH9RZ+%X=V)M}U{aWYRDM~dEClNj~upYSxQLl2Z2~TZV&0EYC zP)CEGx9_ybH<5`cNRz){v3>;S6-Z_eIc?+3=(ZHjr#wPQS~HcE6|hq`*eGdG9Dfuc zn;W!((v4lIGgfl{QM;$2E3hNR`47U-p0@$K9E#)==oM5f`7&Au9u$r|3@tXh#Aia! zO}-TQ;rUt_cvR{QG-aVx5;H$nE<5C1_;E_%LaQG0e!3kkLl@4zeux!_9`-5_hGL>i z@QTH=cfP4#lf^^im#Tspm@kk!3|YmzuCFH4#|@-(`)&@NKDESCa$n)G&NP3Ia$qt$ z3e_3(uwlbT)fQ%SY$7tmbg9Hb(e)v3ZV?nF%xDQm{SLcw;pknpLt+bxWlO$q*+tj# z&e2CFD%%HVXcpzFY1kBWaGY&;MgJcuxK5t`itPf`?Zv%Lr}YBzXggdtl^;Udod2j- z1s+3J#{TZ3BV=3aXq_R0SApCBpEr_>*Ex)_c<6h>Fvwv?mU)1<<(`|M!(^D*AH7Y( z3t0`}x#yBwfe#xlxi$v%dc$vtGKq60=W8xl?yVsIY*31ZBq|8qhMi>l*oUwx&{;C< z>TYdGu1-S)k_+Eo+wQwYTZ2OucJkEOFjj>$4yxN2&VbxkC-fom{ei;QJ0JI|r^+{k zy{bjtEIsdr1JdMZBZXg2k3)gy+XWKN4yDT>Ej;2S&^oomJ$l^|L@Q4`m7nm8uMOwA zV>OQ!Dt!zT3^_GG451-@ppeS!v*n7~8Btor*E#dpMQ!%7A0h`w5&*Ocw*5%BzAI_n z)2Z`Jn86stz}Q{QT}0=WZDSr=Z}EUJeP9p&ut}X@g4G@%RGv?Qr}`=tUVc@gc-yjX zUNUx8=ZR1Yu&@U2%Jk#ss(>w30!#PZiRH`3>-@($OjSGM-IF}iR!TX9@m|wu)2uMCb>o$H34=O#vAVgozqTA0q_sq`R zt^MSE(9PuL@spYgaWFvDW%fP$qI?yzRr#6{}`fBWMIb~N%rPb5|ZK=XT8AjGS-@TW^k<@T7i{PbAt4FfWzEQjUDxG=SMR?dC62V@tCd(G-1 z5-ORRU1ckJKe7%gZFbva<8B-Fkgh#bI!w1E?LBOpD)cK|ix_|2u3l74s3dL{(<}L- z9m(HK+^{^LigjNzskoZg{(K9lL`yDDGUc7Af>?qv{8ZM!;Uo=|64#Bx5iYr`qxvS@jW(@@zi`!+=d zm8kSwB?Aen)$tgVHzUS8*&BJ`v3R&|6>k@JHIl*4;_7_pq7f#^VOLsB9#QA^`LHKg?CcW2)v67%|9?{uhPGZYV5BX%zD z9>;Z`^KvD%{CqO^7vkK+xAG*uLvU^{}#COI7Z&e2t$9Mv69j2P?1{Q|TV)j(408@xT&69{)?NOX6zjHLaG~gHz`h@s3CxIVtf{9F#xs>M_JY1$Xz6G33w58 z`oUNE+b0Q{X?wt>L@PJ*J!4VW959xz(om#*a*TZwN;Tb6g+?Kr9r32}D}8J3eplE% zBlFw1>2X5$WiY#GyaWWc(%O>RH1Q44o(=PxYzk#U$TLW3?XQe z9|V2j^y@d*CMO-FHw|4prLjZ^ECc+5z8XT;Ty!;vn8^0T{T&I!;ep{u@JA*HFznA#z~mS zQp8_Zl#VxHTbHe2B#^W-M?iGoHrW&~88PugM?VcJ1g`+Lw&3I~2f%I+e^vsnU`LPB z&OuBxXQ2fPK^pG_9ywjF;~_++X7_YL58hsO;$@Xka;M45{3&0b3hGBtuD3jpdG@;3 z(yKts@Uir|%=*SRN+u8w*7DwX)?Cg_ zIi2LNz%Vr+V^N;Wk_~IZ+#x_q*_eNzGlSiftkp8$ZQ{hGXX;4e*ZN@@UrC8N2UD1E6o^@-P+uE-e)#K zsC?6NG;K*+qO2%;B#TD$!*# z3Lta~KoV+CiKxmxtNmeiTJZ9Hsek97@`ls5-ow^D1zl)5Fo1H}$V< zA|80CB^5>A+@>p6LnX?h)FP&B*A6uoC>Cv~r&|yRydUT~Ne$^q1!k zP{yM%q!I7;u1#*4w?1fPth`z3q_RZ9SjXO`{rH~*%l`&9{tLqtRyiz%7OZo>|0UNY z&iT|t;thFv#f3HXa*U(u>*2fva(cY6gv13<01#)sdo5F3qbXOx`;Fwi8zRfyR<^q8 z=J!kSsN+ZNG2d{HnTHB7!c@Db`kMDAd9%TpeeF4gm&_sNb!Tp7Dm`cLBUCrZIk%#- z%LmntQVi6k?YXvvv_Hr;zmRQxm_h+Cr9E{OR}z3E`)b~}(HCbpwTqR%RJ?^`%K9~B z_jn~TR2*+e)|PiZVY^|DAWLqA!o6D|eK@#ZzZ2%%rnso^?CXrG!?4}Wsaz}-zC&OL zzE7H|%a$e8irAy4-umg5N$Q-XRW<3Tpil2TwjXc37=NU613Xa8UK1{RP03Y(k$c@5 zAubP~zL0ylp8qO{PfAY}^r%sUH&%@l1k$tscjs$$%FOxLp12Qn%tAmy24T?JoO6~D z(_$iLTFa+=ETbxt9vhfL)aQL_)oFc1?|P}3!+P?Y5*H%4)Sh!{otWfNjKrK*drc_i z)f0MdLdl)*?8Z>H@V3qqE8+qTk2aj1x?UCNw@I`@-d?5@-nkzXGnvt%@*u$Fd+#fy zFSPEKu4!4~)A4)Pf6=QfLlZO%?abwcP{Plm`d*k|qeF9BA@Mi;hIl12x1=KyE7^CQ3L};0Yw235Tp@78l(j&=`P6!5F{lRC?E}zlG5GXiiC7`2}tvRbi;Sv zuDxcCUGID|d%gSn=lgGtV;tal=Dx4%JbzilE$B`@@7kD$$Ko6M%3V@-hPfPv%9425 zJgdj|Gwh<%hvdQvv;{%cdhWM%--Iw2St^re3BSp@rru}U9@M2wDiSy7&Ba=9E_4^> zwaqtjaj|*}b=<-;ELP1y;tsDDwkAHb?E+ljsjRas zWXRikB3HgDvg6XDOqw@TlTfafBc7wEV4nHKyS2gl+0Ii_4nVzi;RG=>6fyMoT!j>= zU8n9yrElq1aweOrRUN9u#aG>P+LFeD9d|EHCVrT$eB`bE)kzvH^Rc;l(0iU$$yH-g zWA;*9{!(6oLB16_?pZ1m;Rxx-*B0w$3ypLNoO99_SjzjtH30? zvposj0UcLUj=3NU?#h%DjYAsFA7{(8pBNXe5dJt;_|{SdPBR{p20>rE(TyosxdcxD zAdf(Vv`xH#E=(|V!WA(0HOi#GOXh^%3}6%%g}Ze{#(0w{2x_2<^ZrmZ`#1mHR?8u6 z&;2~SP-Z0A@gq#Bj?rA`(b6Xh=1oHa^E?yYHFhqMO~iR-eZ<>SP*CEpSE@spZ=U}d z0)y~dbQk^%|1`P0S1D)G;lO@5KC#d8us{v!3kVZ#$4zifIqN0_<@P2>9 zZNK$CnW3nQe-23W9Sa58_MvcVk{tO{r}MQAS-(k}5Fz=Cet7C8FJCEJ$R`$8+%;(6 zZwFfc?l$+`&K+@gtU={rTO%8-T#afS2j!kdnpC=xLIfVyZSd78-CiE-G-R;sz}{nj z)u4!02Hwpg@h||gk#rlLI2}RP)%A840-3eyj{Yc{b`(*EE{QlwQ`VOgZZh2&dDA`z zAG{o2mM2Ct^|)_;pU98yt+{u|yND0=Ov~@CmmM|MFAb;q4b6^nhPA?&M-b;TDK#w}pt@xwz*Jkn%*Z|hr|%-?HU5-&2r!a{NUtRjB=lDg$SVnu3rbocD5ck z-OTy~X?AY=6uPM0$9~epPPqJs5#mo2`G270O2cwhV0jqI|4YICX&841kRTmX5-=V@ zVyFYIZSc2X%lM1U+`D5l3GEQ~ha#u_t`_;;OWab?tKnril)@e+0qbQ~ixJA7&*Js2 z$ZUKh)sq-YQ?#n1oZn3m*Y??svYzT^Ox3`MRooY^5DRH$_Y$YA-s+*hRVl`ncsD*8 z>Y+Pmf%wmVq{heZjT_x7MO8A_GrkQzwAT|EImJKb2_NKVB3Kd7)k(j_U!CA2@F&3P zaZgaD56Ho_#unCNrOGcz2!&!mvwclUIDvk#LoVFkFU=Q7?TwSg zW6hI~U3+A;zG~m|jFSD;3iZ?jFFkf7W{Le3xi5a$$3d=vO(gczkvl$>*!Sx}&k^qO zhq4$;+|$eM=4w?rP=y?-j1-Pgt%V1QQKbdl9A3YjE#jt)>ub3R1f$J_cTQ->*UHt3 z*1^;rtEIkX&*0b}Do5~|Q5MP(h5d}P#2pgDCMbXGH)Bpx4tt11Sq)X(+y{)V=sQo$ z)QVmqwc+$FqG}YGSL4!!iMKn^n6L{Q7}Mb@(kMEz7Js@QRIK7je)VR@`u+Aa4&}Ne zM3rRB?r!3tvdueu4NJ=dRS)@Xp>5M&2}x$lq@(Goq%4K*=MkbtntCv_LN%vDfg2OD zLp7WrYcF(nv2LHhH!$8bFQXae6!>6Z=L;r@p!HyjK3&n^zGSN1hLY#zNYjhR!5<0a zpYgGkJ+G|vB#S?P$5v!f=lHC)emA=JE;q0Th*MQ9q*lyuXxIVwX-=cjqy{wP65<8j zOb)%K`Qowq6ZiXW#+%?d97xMDCL_0>A45`udfxp;k#YpFK1-Rh#m?@HH;lev z(aVjSZ%u#1lTgNZ7yG3A=#4r}@e{Fh&9%@Dqi8X{C+*ES&Gs&mt(xB+w9ecS+Pj*5 z(2K!{$3SZC^y))Iu5)ynfn{{!5)R^C`zr(_#^S(rk8C7cAz*8}|L^bI5H--G85TA> zf%jVqp(@r9L$dI81b}SxnwN-R{L<7~2t0UWoslbTJjbj$EF{Nth%jbXDwb>ba5jiB zy8c6fGvtra#hoI~Zd_6^OH@|AaEf$Ty(YhcwnI+~_Kbd8gmxV((g>#gn(P$3Ja-!O zgl@KEzTE=2T3`z*TrvfPfL0zyjJm>}JroL5`Ja=nDJZBnOrshYvYt4GX;&RRo4UT; zUoLI+G~qXQwHIXt(i2?07p~sDMPmlZ1ipf}NY=sQQn1_JP8O$?)j4+%^ht|-6;A!F zVG6?t7K57%XKrJuaVU!3%MRpg0ZMAcn{lcNYyRD%A1ndejug0|b4y>?vL_hnhu0vM z&%K$cR`7K}<1#=u^P6I6&yKLm&AG$gw}HP`h05Ve5zO2J>e;m&MyAw1AcpG|`Ta$; z`1SdX5X;b8FQ{TE<9qoxNpBv!;3joZTmyNBPUqA63LVe-ULu78Un(>)p%`lS93=+% z`aPyVwpKV)w8<4L`{fn;t4!gg>T9yENV=%0R4SOnPp~RdyyT)3cQjQ)c_t08aPq>v zyp=CJP6vDDq*5T*yX1`$YkRTj0K&0deob6@#N+Qr-me3~F#tXU$d%AFKxdvhkLGhebG$ZJ5qlb z_ZjI{mhD4DGYUnlI?hz4lwJB^K14`|%nL3q!A{@HUJg6tL>uQqW`g9G`$hC@soe59 z+ppuxKCNg~U(z4GRY6(Q4bDnB#h2>2{XaWfQ!@H%LNB~<(AhI1@!s$w;vATKjf{S~ zq{E$(?`3VQsLV>6A4KgrZ0x*j*X)=5HbIq46mQC7*!9V+^xfp|*!o3Y?k116Q%7Fi zjK4y9nB2vgFDSi@iM2(hZB;(UCX(o}`B#m=eIa~NkztZkf8dR@SfGKz*C3w-d7t0G zz4+ge=)YZ&1nziMEv^Qn3ahc)(FCYSiP`|VNJ_0|>gNq><7G$8LQ=m+b zI&E&zq?*7YGMEk0ifD|FQZ&oP88jYOH5^L{jnON_A6f2ck%>k{i8CbA87=26N42Eu zlUSk+TLxduNtUC-(}W=qjILU2@>+IL(7k)X}0 z%lJs#B@sOc%U8OJ1jBk|lVX<|wsGMID}e1@+fic&cjvDmLo~2`?s(yzF;Oyf}GjOXO^e z_0(~@o`2Y=$X{hvn6zV{4@h(n44i=1u# z-3?-wBMSmO)=5XpV2Zr?N7jImziF-TsJo{(zUMFpvc;r{fp`JWzCB~I;DqzIb5uWC zu3H!awx}-y=HVxhC77pd(SX;EU`Ed^c)T)yOc^&Yn5ZI!h+56gex~!}(K6p=A1=tI z#lDP;O~z2AuliXhtYb{Sw$Po}4x7YnEGISi3G@|7%Mi-bBO0BWbjPJLX+2~P+lwrD z*4CmpvdR4&wQ>8b06d_FLs$&-Ku@uX&Ty znK!S0%4;XAeNzEvYHh}J!Q5An1rcK@xVygsjdu#JzV_|@g9gpB%(!Fy93O5jWt1Gf zSj+9_ki&^jc}Y?@r~gRv7VI!zIih)QdIa04F)6l0%iVTgxtiRHztW$nNY3-%%>3i< z@bUP9Ow{(b5P@A0u^w4zdNtbmqIwK;6jL!ocu60dR9dipez)uus{1a zie9N(_sa|GwBq7ka-WiY^^LS(h*SCXu|>&KsuOuLX7Uzgn)#7%1!oontS~NqmAtKJ zQQ#Bp0O|#@HTc_B5)$%L`1YEx$9DbAU4qT+>C`E9gdd{!VRO?N_8!h~pUAIs^B#Ul z=m`&}p`jt;RHYNsnejZ+j>)_8X(&#`KWO3q@$dt_Xx3ty$Pa%k7v;DMleI2ci%0~R z1!iAp9$*eh*l1J84A%egEvUO1HYg?z!(;d>4+?+>TseN@@WHc5ihVZZLuS{Pjq~_Q z_gGw*o_^_z5_|uAU>DSoQT%QXV8@roO2+Se4fFi3Cb=*f9UoPbe0OD-Jnxf!>{n22 z7rm@qy*=PFn@KKBG!eH0Pia7G zzYxD*Fji*a7kTdsJ{BvYEBEW^x&J{23o@?a5t*{eKp&fz@9d&6OMp*teweRMfA*F+ zxA|E~_tmIJdSb>KKs>F@h(DYM1M}|wtg?<5h0fILv+(r7!rzdw2MRGCY?KoO=$#OI zt^Zj3Fe9b&4Cobxa_`4eD&vmONpvTBJ-!mg!8V|D%!*!hTunVzcGw3E>#fX*>@%>I zGeQ*4V_dfG*m$147M5b`G=<|f>eAR_ob$8TUXRL45MHW7bzQzL9@kv5!xbXK7v94*mEKYj%_jP=-#lgDivWDrUURf0d7R_B!9ETrQ0th|HW(K{^k+k^RAaQ77? zALRiI>wtHx<{Z*>zC-(U?P%5gTj1P?V;Ok+>Y0hZlU1*kGnK5 z8>zNQ{touO@U{xX%>!`OTrb5+XsS5&3A$oA=fO>_^dx$(QDeyz_E3iFDbm--=``u4 z`*NVWg#RfnpBVO1+NzF@V1G$&dbU9SPU_g<^6)9>x4$5=0GS)&%48eYQUMtduh#OX z4$B*YlHZ_;MxaJ*XQ!jG_bDZ#mGY2IynaJW^qagoVr^ok}( zTz#Fdvj4coj2g%i{j?84aqr>vKg(x=ohKjeT<$N0yefiL{A6*A7x!Zif(}8;;fHY< zZl%{Vf|+`Ez%A51heWq;^i7jsl{DLQyl%EFfubo9Wkod$A%>E){SC-zWyySB(dc7oQ;Zk{ zQBkf00ws1vr+sX@lYd2x z#lIHc{GV1?S4XU(mQpscKQc+f__Y?g;%jK;qb(($Ymti^=Kfj3vWxKF6S-fv#cA{3 z;mo6-dH;qKq@B;Sg9OdCGnjX;9sAy8FVLD$A-4gnW8r6wC2|*Urf5*`$z(f#drC)0 z^m78()AHE}?0~e2E^W{dVETyUSZeVKkY>8wwtOB!H2`HMxBR-10!3UyET6%>VGzCD z|D%oNC*V$(3h}qZ)4Ix$)}}YIxwv;e>?KEWf-6PAxJHa@nLA*)q3l+`%US`_z#rAP z>6T|zn~Th!qx=rxgbh~KnL-$NPeqM4dTY7iA`Tw)6491!AL*m3j2*>3ca=jP^~f8` zaK3BEwJo&Uew83+-TnfiZq8tf z8&Oy(|IvMt0<~$~aj#p`6i@Yh*i+{-m?CG%ooDM+3pYY=NpcKu=Yns&jQlNqU`EHm z;^B5bvs6C!W;11+FN?_i%Gb>-E;b`sK$$f2xOZ}2_;LXot=n8>DYo~@VZV$ z&E=9CI6Qz?lf~CCG8v6}8Wr~P4ysx1FI~d=j8~8gt|kcjgcoUhmOVi5Yf%$23nS|U z{m3P&{rAz_?u{iG6@WH5`4wc}^^uN{MKx_L_Bz!(4yb<~qunAc95cu%H|5Bxurbnai47)rG9 zoHTjxJVH9J7>Vrsvh@Ntcv&fVk_s_UWLkE%iI8(a7)l~^+ly`?F&cvD?WX<@Dg>|n zRZxo{KrMu>$x6SVmKenL;zUq$dg8FQHd$NS?RrQ{fPLt`Yg#g_uUz^AcM`H$mDqvw z)S$h4fm}Ebc*u_+^?!U2^sQ&bTry3_S`)CBIb`)SZGPcwv2Yzi-y;Kw|g( zOz_PD^EV0*B0JBb0;9^B%b|G>vWPhjn^mGeC@T1T3HR*BH*+6#)s)F=49=gIf;9K%CL(o_U!noelsuNwj9TnXZK9McqgOP9vxQ;*l!J4XeySc0xJ3_ml2gxXK;yY{5(BN;6r znj2o!q6L#|>2cYS3`B2!1m$Nf<<>uJ92- zZC`8PO0EX{vJ^DDAkjK>{k{&)t1vN)`t#1w@wLY5@{Lw2t&N1?)&UPT%O}xki_nRUk%N(wJXRz7HISj8C4K zy2DKy+TibNNM}ggSCz*GrEZ_6FdtkP;WUoJ;{1!`pjH8V`M3hR8)SOOtMWGN^S2f%@MPcP?Y&s(}FZl3Gk*9ly|-6<3?()BFIZwuu3=IIxdJW882H3X~1{ z+yKhp*_!?KR~4Sb_EZ?wzr;Pe$wJeTUlzXCwyck!a?hu(P{SoY$vr=?+KvQ*`>2q6 zkTLOj;fRKqX&ECtb>^<(Y3wB!Dyp+EJxb%SD}!d!I|XMSMBh2(Ps=u1ycR z6^BPZ`Z8D|x?apphU3c^i1z65_5+oY>pR?r0Wus%#$vM>`TLl-qFBOCU(Q~ly=I0g z-`RFhBbY&g!Qg7PUtfcAPh+nppc=z&qz9SD;@Mz(J>!zumenU81Nw1Pa1Hu1y2e3l zw9cah`sC9xFsf3I>2K%mY70jQTxBQMr#TY`lt^J-j88ruZ%|riR$&L>OpDI>ja85= zMr#&60Xl70SGqs3@siiYV$lOZ#xRbvwR? za$8bM;&NZ2-8l~11((w$etAx1*B9HnMw6*S_VcpW>x)j)I%b_FUHfpVHI3(2s>IQS zs%|w-{WvHy1NV^rR83eLcY>HJ4?d9`FNjo+jauaK^ST@_Yl=^<#n_BI40o(Fr3)7& z88ZQ4tr?gE%cCFDpZ@gZwL&gNt5PRR%>e8CYZPG|2U8V|`O@{KrQ@vr=^}S61kH(y z2BEvK$$%4JL+tbDo8N)x^qzW|@AiT{;I?DoxBEUn#H8gs313lgsOg(b#xp_{i?MbW z{NRQdNOSD&^tNiw_b-3?{Ky5rdiQA&-Ja1E%KVw{ITk0ankTP++AO)C$CgJYPi&^_ z#dX_(o5Y)W7<2C)KG7Yexj2^-wToEmUcoFdez_m6+Sa0CUhi=14Kk%hUY`jYS%bMY zdL};V3hU6l`IK^(pogP453%ozEk%sF7jaZ0{ccQH?d}M4v3o#z#%rv(`l{?8af1Qx zp|ZhYY^UQKGkuKaGPi{LQ-L_9u8D4rq2LRD(Tn!@!OzqFBtlOzj9)+S@x43lv=Xg_$c^#Id=e{2K3kqS}&cL5zAQ6c|(J)WHp%}6HdgaMWW$~Zl zrqg#O_dHbX7n7NT$h>l&8Lk7)>D3?`RnUlSl1}$b?j`tnTI+d3Isg|Mhj`&lD!Fu< zPZdbzQVhloa!DIt7JgtbhMsgf?=VM6nC{d#2P|u4)o6~ny#Zs&+v3H{Sk>)o^~W`v zF>7pC)MDl`Iya!5^flrl$lYab|DKlU|9VOM<<_d$51IRxNH*nz7YGznaf!a{9wj!J zMT*=Cy+o<%E<&2@Tm_5XM`e86sGCw=)`*|{qf*j@tE?nD1^!dF4?=Ek2vY8-Nj|p= zC7YEb+$}U)f{E- zrEVzl#;A5nRNjy4GESYY*c+9u#S@$;0EW6vT9DqOec6V}p z)$qku=RH7BY;apH2|M|YVVahd8##p`hxw=PvCh^`yM{vuqV|j_$DWSJvCGVX3 zs2yGS@tHZQErRKzXjJ3!iAlYrCAHV#0#Oa@VwQEf#v;(>HE0>o1$Qg`=8u#dZS07*c~keeJHfoN}rP46{T{>=&(lh^T6`znvd+G4|a-A4A5P zbOrLebw?H1xN8NuRhe+Zi&1S5@;jU^N$&VC|5df7_EniMvtKuLx}y`f*+Z$~#E|ZH zST}y)`HdhOc`(XlX^q9E*ceWc;z$E!yK3gR!?F3XSI(PJwC@EAis$;OM5fClF+I1% zlnJxT28%`FPozyLj`rLpMEp9DA>n~O2P7>bJxBV>zS2D7qs~_MsuQPfm+}7@p85Ym zBKUtG_xZxHwzPibSAD`i3#vQC0D`A2Cr4-IVxLUdCC*rddh}o~QU}yL*0}en2}fYP z)93QGU4D*-&`*8=CjV&%CXW`j+QacRojqag>T5EWD*?0I6&v(X+O}Iyyww=STkJp@ zO3d)RkLF60CxOJm>?@+GK#jIm5{*&~iD4*y{^%>EQnEGSv(wXo z%Q1yz5wN{?Zjm*;e~ZDbYsUSNX_hGTn zb{&-4#G5Z-VJ^}9+|#oSGx*ZF8*6z{9rIA;68jjzI!vp*2`(2EZMZ><7_~I$L!6Ye z+vT&eHFQ8tlQ|ZeO0fTsS~B3kEul<n1giY4Z4Sw{&c|+UrN^wvdg}>{UnBNXOJN~A=W>kpDQ=ShyfW0n^TzfQ4%-oVUk!YG&FBjvS#_BB}UsoEMZ zU6`v&MhP-}h}|qTx=`7oJIJPy^&~u;paGq4N?K1-X+MQla~$tudXnd)#9>1aDm1f< z?CqJfuMKVJQmj~>yc$Hp&?U0HOylN+hF=f&f2j>-52brfG!rI~8*~ikb7!$;vFm-^ z{q&Ba2UN^E$KsPN4M0#AuD4ETCI|2AE;yA~=RgINwW z(xi&-$~~wQi7$4lpr@fO9jkh;N9v*9n((+~qFaBi(Yh)zn~~m8>F(bWWB*48`Q@i) zITW*NVIs}^xdu}*I^X5%vFoGDzvhHKJ}n@nt%0@H2>U?bV6IVC@3gEsxwIf4QGKFQ|2|r^yB(h4NXs4m3+0DfzYujJSeyKJ?)zLpp-ERDLtwgU z&tvoKxi9I1{g<@Lks)yv4$;ae80YQxN39GZjZ!pD2EH_wuA4+qA41;A0-$Fc^Fmj| z-=-72`Qp70_lS^(i#J*^^s7&F86q8dlkXD|Ta1MEm~H%MM#O^FC+3ygEyJe7137#< zH8-4DiBM9TqQ@prdv_u|@HmUzk%X4?7!~@0SHR77ko4GUL^M2D)(11$m{a1Ns8=d3 z@_Kh63ZN1Wjc9@c!w`4QgN4Kx0=fk}GcXLko}OyoO$dNW&17lVieO$Re4aQQ-`{|FIyG$c)@p=QDv#CF}z9RD!lfT=-6EEsb4BVpCu>+1&myB zYi8hr57<-@l89^Pky zYQ{lKV@A_>iMbrvV#>?k`sMCwZu%717Be(egaplgdNkONGsxnv>~GVdH9ngEWLi2b zWwt+!i#4kldiq|WH#ou36GIRYT-;;W{>diUxmaFzv&be&^57)IU3|RXQ#o<_Q{zs- zo8&p_8M~O?|}U zWD9)B{L+X=ze?MsLk@_qqm{D?gPm;6fAcx0V z|13Adq1~wZn^kVf(s};zRG#g0lh~g@0gmLt$YztMjvw_ZalIsm8+%)GM4&f1A!{uN z){2ydy)>kY435osJW`Hg(S8ZG-6CO6wKiIYFXS{~T zAoAD@K~cbwX>_xyM-$VG0K%W2K!^_y!F(p|&~NLG5QD)SMBVSDm}AXhSW}NHUWRz} zwwuni0jnbSAmpCwQ!j(`35tnFF!l~e9)Z5d3YjK=&hkdk+%cH`%m;|GPqhkBDoHkEK|x@keyPZvcuSO4K-lvjRU#^E_;4exh2kj%RvA>Q zq0FGBMcFA$LR@hA9LXM^o`nV=n7iQFDFgPp_Zi<)od@X`eQ>26q$|4|kiM6fYc2ej z=zajc_&w{IvYtMR{m!hz*uxpf(`w;{BLZnVXSjK4g5QdWhmfVugjR;g@NQsWD*$zq z;_ox4CH$V^aBoQuID_YEHH%(R#fT!6H?-fILoT^D+<7T#t7dTxdZ8>Kx7vEi0g-7@ z28HYUPDpL5+XqnGPuLmFc>^M!f&$U9Eo5jp(D%YJx@%Ozg`OLyiXCYN+~7OJj;umA zX30uSENmWxLd&zKVBj*S^E9?3ywmX9jhT?ZO-3W*M)4~@DcC+o)Ub#|^WQ?v?@i;G5+!QIJY99$YxaCK=WLcq2PW`~&o|l3?WgV61$J*j` zFa5NS4boCN^%5+MQR6Simn@0FS%+W|tqISP#QBjX1LFrv>AM0mg^gm{s@fA>&xxJb z2Uw`3;LK2;QA#YhD(r$)Y)tpig2j*1_!L*V?=ZpIwXwlfzo=10GjUyP)6j2`5EaQ1 z8HcK>1OlLNKWHSp%#fZeh^Ad8`@M!tg>}c3kP}E?``F&vA7`YI{U$P&2Ctlk+GlJ6 zIvZ2h6*rmN`ynt5ZBmoKKEkn_C5xX;XKSIzGZNRu_0&}K*r_n(>PZW@809qsRNEhA z(5R_fR#vp!=#e?>W1|SNr>Uo8YPsi|P9n+%3on02NsjfZOxn0HQ8G*Rgkt+-@rgP# z)kH-qUQV(tq8k$YYhq6s1+g%yBOX=12axum$OYG$yI0Nr%#6K7jRCT%?;&k>E!(D$ zBETLIUYHuk5NY+k%T^*uI|jelxfv#MEYTun;3;{^Lf7YUuChvMO z6!&rd4;m(3fKMj^w?8B(Ed~SKf?z~*9nc2Ub_k_t)}S}CQcBv&7Pu}%)cF{%P#J?)f-$OMnUbA6@M3{pD0ZD_AuJL9EaH3tfi!9F#a6wuqmm}SKNbPz#xM;TQ{o&qY_TFr^geiC#@4~Mp(f{zj{`0H- zr=*vk`6wA3Kk@!H`}e{t^fgiUzM7rl+;Rd!rr<}tPOfB5y6+0KFy;u&or#tI@u--YW`q!ixK&T$AKGeb=CW%w(K02nlM88dYNqdOg@q=QuoTYq@~bWoW= zQMxsv^+$99IuU@qkAX~&bwU?P1G37dy;q?uzyc8gM!|*U`XByGt=tsfQGLAHr|LRC&1Uq}!9VQ*YzxI;~Uk$^YV*lIs&XKNo9b(FISXV?}W`DbD)%A20Oj7h4b*Arcz#mE!eZu%3o}CNSu24(dj>u=s>fT|k zg6yxIcn0n#ON6VNB7tBch&h)kpc zSq3G*g^Yk^tH>C}k0EB&Oc8Dc$ z9|PR3fLH0yx9UH?dH>X@^BaZ-uIrS*qV^kwzeq6kkAFSi?K2n$E#JOh{rji-AAgGf z<69u$4Ow&o85M7SajJhltAE)y_+R{PDl*6jynXwxyXgMGAFU+{I-Xae@=tL7=;QbY z|NLKjc>nzurU&Oc4cXhjip=}>Km5P=`!7F)?D;F{OLN-)hv|W9CVB18EP%h_L;mgW z_~Z+Zklsu4zhBOO`>+1e-}C1Wb0rl5833vLI2Y|-boBhgFE|8|g85!v{lELc{{GH0 zCPDb}lcbC&&%a0x^!FeA-yA2dkC6I;pf5y!kyPWqc=7-J>F041PC5@c>&?9XtuIwt z7#^EPkIMeHszg2q-v6C%GBCr882^9kOKm|iyM-^<{%_q^w_YHV?2G>PuYVEc@ec>J z|NnygZ(iVk_=f+t|KR_V3sN}j&A$yf=<5-%WLE->G6qH%WVGznxPR)y^7@BpDZ-_L zE};?C$_|(i%ATnv>PG|-{x&!~d!GeN9DtmJcn-a;LY(xSZ$4|E z^oM5YC%w;^*;SibX$yVtKxL*xc}<)zMkXS$LfHvuRf}s?!eZ}DQn>fBHsCB=F=1|p7eSUL_YgAVnEGv>N&a&qem zcY9AW%!LPKG=Fp&L~IvT#&Zp3cxrK{FEF2Xa(YY88lxR$^UPGp&&TxH~Myav}lAUpWt6 zoFe)TS|XweW!REA#R{o6K&ZbA86vWHN#T?CeQ2lQ^OipUYzUsPwOL*=B4{f}e;z2T z*F{=~NP&g%4Ls(YfSW=J4#;WVF0CLU*4gw8A6IHxP)gQ}f_J*$8t#73HR*BTv&!)Q zms;2gQet-%;*Ki{Z{aR3{$_ja$@9^t%)e!fh-ntR)o&5Kbur{R8<3(%QbEin4-l^7 zz|Y2(FMdJ*!+A;YfT%^l&f8-O=ID+R3$Gfa`?1{o99r1Yd-8bIRyiNZ=SI4S8%2gd zTRaATRrEO64o*I%sczkUhp$>XPS|unIEpk)@a#8B>AQunt^p>}4}vd~j)C>k+GA5& z5cG{`6%SE9kGQreHL65&+n1PoVgPHQu#v%e-A7r_iS?uN&XB!#{l6c+{^4{6Pg=!A zsQIN6M{0NJo^Js6*is(QHg54pHKyqeBzLx;40rzUn+Q*j4F_ui#tFX)?xHO5_|1jF zHy|?vE%;b~^A?$H9Tw#;G7*XUYZs(Ghr#V8|e}!|4+Cg70wT77A3$7Pzd(pD}s9 z>%)Iu@IQa{TAJtY144)+BAG4jwLLIL2}-p0owoBR@h)PVZExG=ABwjp^4^R;ksI{I zTN@O1QD?5v9FRA%b()K`+`G>6Gbr6WKVgn(>b)Ufw z+4=5ZXVS&R7BI0UMj&;4006F1eceovIO&evn{}>`d*zN za~f}cCwItwX5?vYZUU+LXC&`xJ`TC$rJOf{?MP_h- z7;Q%ms8S%kUk0#%R{zV6U3F~J09xyIQ&wOB#>3wI=iE$61hCQt_2@(M=NqMaEgnSq)YMKrDYpJL56TUf#w_{vRGp~zb{I?_KpR49nKfsgL8t3d%RP%*E7q#ypP$Gr*+DFF zo6Ln~hY?MZ8IbeYAk-l(sFHTMZ2^C7a8O3vw51S!jRXqQRcONdBf$SDU|T8cHLdys zt$7O}%W79f;>$bxqTx||wUW;F{P6_za)xs6NWQI;5xMf))D_n=!oR=y{97iY_h|0L z%kRpaYtOQt!)8ugHWZ%cJr@{E@vi|Ge17mmXI_8s3`rKh<&6P@AFC}eNo7df@+uhK zTdzgij2NwcdV96SOA=-U&Q*AJz8&Ei0Q30q800$Ua3WM9fd*r6YOKt`%YU~qHkQ~H z6du3Cs}eCB{p}#nHUrV18ALu>0N0svhrPg&N;Y=tQ_b|1JFK)R+%U%O!v9u(7iqfQ za)6PdaD$4MXhjp0_+ywnKV5I-wk1>{JY`liL{3IT!B0Wlacjt^S=z;aDO3nG4AZ4% zXUi@yz-54dbF_*qGJv7NOc+Zm%^#T#R+K$(NG38Rkw~i@ zK@|p_aZlbO?I(vTg-_ZAtut+Yy^f{=Rfw#t6gY4;qB5h#qr=Hl8#pHeq8=N)P`GNL z23E2$;6=XoNw)eCxK z&OE(^$xo8}SUz=1gDbT3#4W1s8}}IMC{X4^OiFm>S^r)lM_1tjci&K|g}76%2=75R z+ld~Q^?qE70~kE@rez?s4FBL#%J_lok|-m17iL`6pf)|Vok}_L<2>lezB&5dM!G zFwr17@`jHnhyRf=M;&eqrnG}Sxo8GE=Q-v$3+PWvK(<6?%4#VmZ8?_~aTMnE)5s@A z=ufs;qE*Zx&(!!yuFvrsyTE%GBRiQ1nR;;tSyspRJzf1N!8uJPWs)m9+*eKI_L2Vb z;k(ka8e^Tqk1;Q!x&q_oT9#Z`H07Xeqs#E}n^m1-t(>_gT4}PShW3@Waq2eIY}p|jk4CXZVp^eG zs)?NC(a)T8h7P6KIBN^nSM~@86b5*QzFIEV(9-RDO+qaC2Xtr#w-IqAs9p_@Jr82_ zpJyJ67>d}3X*~|O>LBTNAl!fmCB_j+gkRxE?VyGQjl&+gPm`*&Wi0L3bKZC-!`{$( ztz@|9j=Sur?1_*AFR7VkN1`ekQ(pM+q_5g`sDmpbrjz3AasukfQW{m@y-=YgV;u+nFn0xN<#+CxM!$Nk+?IGWnyvD&cbAt^BUo1h{ws6q;X9yx0us_ zH0z||WR9&|O1D8Bb$G0L<4)qox2J=Cw(7H>{dVvvSZ1d7Thv1>NaN@Hvt#W&#?Ke` z7`(K9Z5p30oSi(Hd*ZM)NY{(rk~d@U?wRq--rrkXTy(T->tQ8Hdgn3Nfy{7@EFYJ5`=vY@tPJUu8 z_s^Warc7>4#%lDVaIOr_WB=yq^_st_v9s)2&q;pmLZon*aA0*u9dxakL( z!J52Cxk-42(7E^;sdTNz(z2#O8Vyq}Ee|}MO0O#FLixt+}5l>V5`FEpFbg)QfCwX{Ne?MoA)%m8X;>e9yCYm*xN1W2-$ zo{WRZX=q9QwdPBPp*w@qKX5M3MexG1PiicySbeFa?c}Ecy~g;AIsN*FD9Oe&$gA%JO>ME6&mj-!p-axZ8`fAC!R7y2VO8*p72k# ziKZ4e0m?uBuJ%!X#e)!Zgs%TXpUCn|3D3MGh6ZX|s%d|sbK zffA;i30VfgA>B8_Ry@1qo!fhFCxx1S42Uk;XEE~M@!#Pd7*lmBw!Wk%KZ=E-a8W81 zvA%V*B5(SIWQdOT8IdKOpBJIHPvec^e6Z`6h^$o{ZKoDXJ@F&B@Gyq?z0W`&v>eJ9 zT^~VX^1GGfj3|ePx7+f^80Sz1`(x^vDs-wmUTsE)$Vx7*^AcWLM(Q^&1$1u}2XBWw zGBQ|;AKnjidN0|S;aU}2aM^8q$LXA2)*+B29s&c@vg*Eg8 z4)3z?Pb_W&2=H=|kSe765^k9Dg-=@{aXh;Wk2JKHczo)XHr*a=f{&Qj;~08{;w~u+ zRubd(bBIj3KOC9t<*7ro%qz@?pT%c5FZ}cH1_6HV0=Xy!hfS5ILADdp^m^$226bCztX5nf$}N_^i{8wCzuZO0k!snCUNc zajqtveKe3Oc8~JMLv1(ni*0k3jkgUzS9YyQWBa@*k&Q{y0$&OqM*brHuoT>Ng(940TU^BBwvJTrQ10>iQwYBI9r ziq9oetcOYaXJiWE^bs^KXgSC$?I(LqqDezD%9h@Gzhhq^m7+vYv2G+PHM*yKJO?H3P16UgwyX6XNMyADX+fvJ_x)8tk1qyn7FCthg;Qy_RF* zt@+TyklLk;ilE;=JTG*6j2xfO7Y+SMyS*|T-^Mj!5*59Bun^evd{6t2bACtBU&WGOin8;z(F%c2R%TruvIj!-y%u)-y{{&f$x z#dz|qWaCtzMj|RzS1uJzMWopK*4tBda@^Z^a$vVY)jpr`_P)(n6j8MR?||AU~x1HfRVLd$?~DZz@N91Jp?K zA>YjwlZJCX2ZmAllr~t8M_3%c)h?)z=M6pMz1Cv7oEzg@_OU#6L#*jsc7C>uX0PZ= zAvLR?Tt6R1;*31@S&7L?9T|5p?3<9yACPRK=4`rUxSXEAap%3RkYQp)2~C&5GLt%v zs8ZU;@~n;16$9QoLLMs0%o+4c5dk(MO+&2l+}zoTw3GK8h9e9oPxW_%OechP%=%p|Vgr>by@QAp=?DR& zg(AI4uK@)Sk*@UKd+#0TO7Ecs1f+&4gg`=){~h=K&zy5+&zb#u!wW|=$>e+AYhCNQ zKI`G+lt;+w$q|9oO2LtJ1`e@w?d8l;caEm2VOJmVB9C*{+MhJ7{>+a|Q1cp zB9Foz6xwwhtX z4{cz!l`O0xVL7SRQ*JLkvb-b^eBpMr&?`f>_z%k1Yv?%HX|Z~lRE3Y`Pa0hd!+QTH zpbG!g`XnEg6SjF2MKqncwJMhlMXZlhX;CTG0p8BGhf?QjR3_sJp*-?RD1<3PDyQ7s zv#90~pN|B+KVUgyKVxY$CJsegbrj+2IU)S&0QtbAOLokCquD3#86P>#co1F{rluZU;~H% z^EP5BwC2pk4{on@jT>%ULZO)bZ%aF^$Vm+b<{WmfWgA03e8z{Rki`0_`8TsPA2Z;;k z*Vy_2$!Hx+egfCc*wg1%a-M-;K-j_A$Q|Geb%=%gcwAxmm)^E2@_^!8MxsRAZ~p1G zH^^pmX@TnGOE;M7$Wu=g&}jytiY^8A@!;+CpLEFXkSp{n3+xJw+o~&Svl>Fh`%Bl~ z=-w&?VUQm|trCyS{14;xF?Q%FsNRoFv+QV1N1s2Ne-}T^!S4AQj-GUIDsLMg{AgcB zq*WcffKBr}3E6xHpd!v7R3A+EG}o*hhHs~Bxo2&5`hjH)!fS>I6g&mj+|X!j?xqLO zbNc2}<9PF^ zst@s5!9j-iemu}lE@OdYG@rj6d)qgHWi5M+p2tjab&_LQ&yQj5*k4h3g*+KWff#dT z+}C3?gB}3LWF}TmiSyMJa$e0D+kZ}YPs`+B@V+~sTy{mR{_Xg`yPd_pXhuM~BzoLZ(ny_o2{g+(R_&IP~AleQ&bsde`F}XXB>W zWx_{>8;6YE>rzlh0NVJ0ORYGbB#?-^qzWIwx}b?%3BpDZ8#&YMd(sDAy1OB=a1xft zZ<~MzY8s=TK$GX0*)2lZ89x3z0`8pMAe63uzNh7Gt?=!@ZKtSdG-KwBrECJdC)fKa z1HPSg0?Qo=KJy9_EN$y?m(AS7fs1hJ9WZa^hfiuhdB{(^=VYcr0$yD%WbQT)LoFj} zb}@ESZnKwbqhq9;@(p>3cHrwWT|DE+BeQ%6xN}f{tL9<$W$A9m{?iZRHg|`U+Muro zS8H9vD#3KBfy}t660Bj!+nq=lf*K4?${Vq%rRF-5lVQ<0W3-G3oV|HrGxN1_APPpaOfgqHMUvH>gx zj_?8pRuXO4XD27leHTrAFH9dAh2h{Z4bo3vXVj3n*lbaqEm#OWe84I_(AO9-Hziv}P+70sA zio=eSu}Ji4Y>W#zI@1bWt)Af=(HTtuv!?lZGuMIXjytUGR!{-D?a-UI8#yNDG`&tY zX-mL2xK8%5na&N5#WX$YW`L!Gl%3C$FGGeEDhx%5{K=sBSz_Zr3#^TRvvc5gi= zH-u)^z7-h1+?U_ck%hm(u3fG_%kMF^>B;uU8q326MY=s9GgnRV*hQY(+YqZJqhSa2z?DRws$m&`Pyd_BWRFXqt zxkJi_CzTj^bm6j@a1N~+mWC)X5 z?V8*Tu4H%c)ELEC-# z?aC>kt(N?st{a6*xF=s;gIxdJ{*<&QN~Cff9GcH-k*cdAJV~;JQzDf`#_`wx48vT0 zNvqp%dFCi5&+vdzs$N|c!|w-Ca~jpr1+KrOuNu!=CVwm%ZP=&y>aXQmy~0^2z;%sH zBhbos^7tH7%u*KzzA6^}hsPZvT%i#$v{$x0K;>g1*z9kh$V9sXtP^3xiesrpAz$Az z?zK{SU%I@Wm^TDDtI?V~ZV#?>M&Dmdv{l!->(9?Nk(nA!L&=V66$V?(v@%1#AsdIs z{?=jz53M)vKsqJHb7{LO-@I&;xJlnZUZoBK>o)XSURB-DUtb)e!)Ii1YzE(pdX5+h zDjNpKrVZ8}V3;82&BA;Pe(}@FtSI$(;Tf}bZCEi{Jzi%2tI#ld4e zO8XPMRMrS513W6Cc-Hyun0Lo&X#;0MY#!$&TSa7*k1gZ4v8AKi*0#xP+;IFX7D_{ zN8Ep={0|r+yA^!3nB`2S_2kNEuWBl@{9VAEjfg}ToD@RIF-#{*OS|6}J~?e<9T?-o zveD&w#td^)q8geQPGZ_S4(Zvory<1C^o6+wd6S^++HwA(4d;>-X-B6bUdC*+ET?h; zy_3dZRd|i*W+xHEFP~{Ka+b}p3i(=y(aN9~3^&&)qBM1YfFBs8oLO%m%xE!qM-iaK z_3kAD8fJ70Ees(eC(>Ngm{MS}n?B;5S5jWEj-bDY&aW!jB0Q&OeIb!+J<`xEt{ab< z%+!Ziu-mM4OCuV)B{{XJ@DNPjByXizk+ryv7IgVS%kqJRa&B|WxO-bRoy=A>)-V)7 zl46M74xVv0J+hlrdy_JWy3EtPR(z+BcQRmYVq)jIJJ(cF>QTw-<*opy1B+sh;(Y4? z%f6`r1YflNvh0si3r2k;owZQ(H0X6E_QQBPa=phiNBTJaRl$ToTx;=I zy-e@a4&ks%R41S)6Iw-hZlS)t#W2YiUV&a#P01KyGG>BlH|WdKyfHU`o#gs>PP*cz z4xJu15Apor=@(wL@{0}g-!7USYc8-GtR5ZuO@MgP?6jRgFN7d!H|KWT*6Yz*tZ1Bf z+vW5gZh@KbGN&fzmg#=aA`4Q-;BwawlD1YjDZNgc*+CH*=(?b~`;p{8DLrtTFv0W%!BXdA4lEbPeTr#^i_5YIw z_@5{8X}g!!6`P38*9z8E)+D!6(f9{nACmn#ZLiX1&w8Si;nk!0&r`4I&vL#};N_t6 zdM{&ixU!?M#q_b7!UIIrpcHEcT6k$|27b9vF~JC*r*pV`Q4nu>m1&O6j~D@4U#@qY zz`ukK=|=fpv}nD^$rYj*axL>s4s``94?h&4ws5CULhQT7iuu@+%2|J@&}&pI_I<-S zmaRWZ&C8j^<{p%P<2He$eAcJBJCbgI4>lmbX|=Efc$nm;xcm2YIdc*LJX z$nY6C(=0rbeoZ>SaT7OX5TT}(T+O>RMfr8#wp(rJ$J%gvjO#l5Iq2ujFBNR24xb|)UfXCB@siVZ zuwBUao{5L>v-qE)?__RT$j&^ez~uNBNOuqBI>&LxHLR*rvsZ&@%6?BE+Y%qm87nN} z^QBwbqxHlaDxxE-8lF^Da#1}p6=$y=-8Myf*V=@XSyoxA1lVnT&`iu(U9Pe5l(8Q5 zuLJSXAWWF+rGICMGJ#XY<-6JqjFpSR<+GxPiW_%dTUu|G4HXi9e&Gx}Eq<3if5X~F ze7oO#TTjzEhm0O$hHlqfVR4FHR|^@>kj9vKXcU{;!Wlcw(Ey5M(+4xPs)gF|A{Bbh zd8LUE($6%88;w}$)y~~v_+0DY-;Ba&FnB>iSEXD+VXll%4bGX0(QM|e3lDcw&MKpC ztt%|}JD*-WtrEYsB8PpE@P=oS4_cfV{_27zldB$?R1kMOcSm-M7>givv|I32CDB&75WUV7aYCETOkSN6jI z*-%vCmUW%}1j(n#*I1e^I_8t5>!j2;iJl}MeVy68781-MXBuXjuNUtZ!OL^S)ZN7ri@zzV)tI4Y z=(xfl6X9z$m1etr^)a@!2~ITIg!TF=id0JLUa>e~d~bs|JTCGqVk3O#f^q_S79qJ0 zVJ0-?STRKJ%uXZDi#%3^zr{MeFj&;7v5WB4-)$hIKN*d$$C(|=JB?~k{Zk%(sc5P1xi?`jtekf@P>k|O5TRlxL z-LePs`D%l!+ho2UdBD>B!oxj1sa=q$8hh~Kaexou=RVl_@Ges(l!a{+kXfivg(;?( z2`x9WE^0D0{%4}phi~n7fMx}r46X7gZ&_b!y#n3NHzgxbfW6P$`N-I2WS%Ua>;Z2{ zsPvx)B6j;-wBgvv3gDX&;_Nj|#`TK>XLV;&nDFM4HArPQ-jKXXHHnrkc()h0KWLf~ z8pv28t|T0ln0@4kNHthNCCkYvxV+`XAlB3c6?X(nWE;WfK{hDQn2v}rhDhwiTU#3# zvbkd#a8fS@p@u;_0Ie)pm3yn1WI)H{GPr~Hb1>@W6U3d<$<9B-xU1?!P(nDXevh}F z&uozfXWKdhCh)XEB49soH`uRwWfda0GLuYu#I7W(hvqiLXd%7Q)+oE7K91xDvTi`1 zOfp%6q{*}x{9s>O*dY&V?_^r(#epRAGQ#Q=KA23Myh^YHwlGHfjCxD?>l> z7M2)P{q&HGrhADI0el>Hdv;=kcZq};P_K&I@=?(BP#+>y;w;e1mYb`uK*i@yq+BNR z3y)lT7R@LpLb>EmYR1CM5-gc>Tb|Gj)DtAz-zDnv!AF~T=tQ8U*5cXaLzh=SvCRPv z1a!M?Nm|O0pfhpG*=dPMsFA=A27-!DuS~dlnv6}vYqAr6wH#3J>V{4_A2Y>hKPbsO zmDDD$N~P(>yyy4NUrvronr$XwIvD0S0__15CRC&mFNx-N77P zMENi54D&k*I<;m~rcd&Rj0n=WOc zG_awWANIfxIdEYlq2uzS-*e8((g8~|Ef$0YRzHXJN$)C@cz4(=vFA||EeC)0fNry# zn)9%r@!G`5vTsZQVuaU*6^l@lEsn}%*#eyzZF3hINM?YR^J|1%oA*`#0>&A4J4s*P zdXQLEI$6xc|AL3y=c7Dj71c7U=}n@kIcJfdZx}Xs=-cQd7A$R_viM zu|}OERAssyENqo+xP4U44-xNht{sQKEG|zy) z4L>|i&HmOhy2Cela`Hl_+YaTsOuz6$oRwYPm+Vy|3&WYQ-3NvxAgFIRuzCTQ8ZDbt z*m3 zcgOP1;XR&+{k0bMKR-*&SY`(3MrE}^c!0kH-xnDlAaST4(S9s+R#k`pm|Q#|^Bn#< z?@4|Qp_4TTpt7=sCNef0wEhe2C}}0)MmYK&i|+?*JtF~m5={=MJaK(s6att9kMZB0 z$QQ~O8!z2g`+DzD`Z-fzvxxmxH$|p9KEB_^az9P;U`z9uoZ#WLWOZk5Yva!3+(7TW zjDID4#b0g=DBZU*pM-RtEeN?5MUg3W0Vr&Cb=$qw$*#v_uQORkk1+=fxX(uq`ef*B zHGa>z)B;mK+iLnB`8hK%?QkRJlpz zx#!gLthh?!2>JG!tBEz&0-_lHi5|{Mc^C)SHxIR)&VCfu&i7h?dI!42ZsVAsgQxH3uLh}IXo0og=4$)*7DkER zH?#{TgNS=6;+KCXw(zCg_6M8U+KmNR=BZ3dg;wHmpOkhR`DC7^y3R(@giPMW1I@ONW|q=Ke)zf5oZ(j7^oDmY zCHMM2#n*&%9!72&j+;-{8@~fKtmo(Hkq3jf655 zJCu*9Z71WgR*EV5y+*|Nk!5m!^=Q4Hm~#^MuxI(^u;ZPUWPF)8r2|vOYcsNyM6kvx zDLTIrT6W@E2(9tBIlZmT*|xxPW4^H98EQ|Vr=tPO*ubZGH4CEwYra}jp0W9c{=|}C zj7Jbu13vcf)x1h#zUX09bOmpi@UYgnfe&h18y*k#bFj5cdcvGcE)Bln$}7M;pJ=h@ zFT1J$A6KLAVhO1j6h{A^V|w{W4F!6LC%Us_cV~QSclU5g(eXPllq1&sJ+dfpz5*`A zeGQnfEYqDyZCG__WK4SEe;-yy;IJw!N;>LME1H@IX)lwT1Et$KTix{bAwEX)PXh}G z$I6;dpJdbgHLUc;SC*cR|eQpFZN0x!|?Abi} zpZ7jY2*6qTdF`7__$_wfk4z2`WW+N$#=zdaBhl73^HE;AYerl$dR^mU?m2nMGWLtA zQ~qwI6f9ES`u>7%-+i;_4-`L4f2WHFhl!xe=D3~^*cTc(hwvQxA#oLsB)9>@>=q(s z*ytIUbJdTfhG?Vj`Onibtj2+pO{y%XVS4*iE*mz8hxhWTHyG>0u$D8Bb)I1I++=mAbvM5@&&ir&8wH6ozSvu-W zO@?1rK8&ZnkxckC-&ePsSw7gB;jaYB?x9_wVx z3bgEpDtgaSK6^QIhm9J71B09$@-)w74#`XZUQ$qf|V^(loa|y#>RI$(0YUIpVy<4WxIKWaT zFpoUOf*{%Yq;_=JnWsg>sucOYn0ZKd`2$3^*)CuAtNzzZm)k7hY+Iq0VdSqH7Z<0@Mv#sl{wDpLL7bosIN04=(OXz%R21emA!n9T#zD_tqIa%_OUZE9T zN(h6%Af7F5@!{J(4T7W^^oT6%!v#dwassbeU8j7P1y@lm)!SK_J z*f?D|Rf_(@zCG%7;gu+LKPLq(24!8akF4@sq3M!0?!oc%XD(5do2o8`hSJRBF+%?| zrP}$CXsVX=1V%@YHmv>P2WzON&P{fWW3(GtTxA*iqN)cIF2-$u7=@t^Nd0n#6u6y| z7e5GxWcx>h%E82_j=SexyY}kB53#C9-Z_BHix%c{v4?o@)3lxcS_g~2E#Bn4Isf0s zf=$xJjU$XZ)gRjxD~QiigUoXZ#aSqMZLfdEjy{-Ljyo7O{XG#hNR#A!xkokVBVLkO z+;lk@n$169GnrT{ZNG?Ew}8Y~f3wYWP*L1!Dv9^0i9hGP9mN+qHYk{sqvpI&%vCVv z`ZhonY_;A}JTJKtTbB6okKZ&P68Z5pP70-deHKbH|97pjLBi#a=PDedo+#9YbUxg= zJ0VU2&H%c~=rltfryq2SzPA|U!Oh>Aa4DQZLTr{?%D&S@V`5uRP5Eyz0QYJ3k~io; z6~{dIJyq11$q>3ROC&>C{C+7)6!b1)V5vLTtc;&2r8eJM@Ff>R53o|r#O9J~jn(EB zh0Q!_GtibXA2k_zdM7%4*5z9a=bW3@Zn~}sER*<96z*AU!Wf^Ek5}Hb2fd24cY=$q zNhseO8U9F4c;1qUT#r3J*&PnuB{Ks-JVcYOq`zGEU_@pYoWG;>)@pGqwH3{uWbhd< zOa5i>bX(PXMrk28%;-Ncz-~o3>0b%EeZ`9G*sU&_C=3K9ziV%W-3dhUFRww_O-xj7k;q|i34Obeo%dxL8 zk*9;;tr!jaW-Ut0I%;@QcYrEGNXnTWve*j$8dbiYRk}5~cDcsj%hqP%CUTj;7{fdZbyeG%`ST{9PJY4IyEB=qc?dAU* zI>3|k{l{&Cvy}h!oBn>^$@J$#+J17uS;Vf7S=rdGU1*7o`*_XTmW;X&Vv2c(tHyz9 z>E~ahmhJ*hQ(=Sl0wceTcBGTK9nP3YjtaLNW^>kql@t^D9xKt)3s(i^hFM##eckMv zD!v%9{=A#4*g~=cUb;|uf-a`ty{N36^7f6OL^1~MzFcdQYrC-MFo@*eEy_lc10c8n ze>#wm_HyC`uV^jgVee?`V zf~#>RbL6ntTk2A;FH4FH@quwUol>A@gNGrPnTBEHKN`;l z?!K%by#1`TRviWmeUj+-`wZNzK_9+z(D_t>cg3Gp9Qt|nR+VtEWG(Dq#!`t@BER0Bt5{EvkfTz0KuHdd znS7;o&;^*XrDislpT=YqOXj^dp|t;<7+xKX)*o zri;f0*|E-msM4<%V3{V*SB5|s<_#B9ke%)U_#EoV9hKAT*%&(IXf;N1_VJ3b^k{}j zU<{~s1X&xEWc=O%f46Oo&sVBXlWGZ2f!S3|66`NI+(TfK!tn#elv1M;JFDkdzi=mG z@9w`3s!t5Jj1GTIuIso-Q2nv4QTnv!qGyYGA{Jz-oBokET)9ha^blNrtMgK|-36}b zsxXhYtTu_4MB=)?n5ERJ(G{oj8CWUZmt-p5t%jNg#6^EP>aNOl0U1!CS*%8OYE4hW zYUXxTkFyx{5p!X$J)!7%w9D>gF9CF3^dEuBz})&2Vvb_`5@_rxv0x-B_Qid=>9FIm zl`MG?1<#r=?u+w0cP4hCfv;O9tO8lhf$npAv`vreYhW>*rNwR^nj;2OY~Spm~&F?lr2;Suf5Si-uscTEwt%$bD-EX;e-paeTjm{b!*Dd zc4Ni@GR8b<>1Ed`?U8L`L;TODONNGI5|`lwZ8n)|G;DwA6gU?KqLm(aZPPJyMm^Jd zMqTqYPs_9HC2_#}1Qbr&Xt1^h1yG{j2xKqG4DA6yufiH;7;r%-gdF@;{8?m5snDsojPZIb zkaT}oHUX$S_qRPSfzWL<{Q!k?-3fVF#g|NeK7cb;yel468ZRWvfG&uDqmWh2R$|%2 z@_xkx-u(W;p}9t&V=i@*>)}HOGH~$TXKS+8)Hv!XDozE{BP5gr$R^NaEN6 z&_ZT4CTqf9e{5LGRH9k({qX2Hxzq1~K02A|5nlzn1S2%R#w{8(0v%H{isqU9O_dk= zI6SC(HmhoL_f?%b$eUed#DIV2Z;0C_^tCKJvgE|`nzg0+{n*|eOjw&|d&!-$!aXZhr8 zWX9qC4@~F5bImWRAh0@un1*~>%WF8w_0WI`^_@1T$(nk&j5Uu4H%cHrP50^*GnkQ| z=hQLYO6=Dib7!eEP6V;#*!#XMe0w}G^e;}?`T^Q(+mc?#@WTb}U9bp!1OJ=RL3aBBEdu^9Dt&h0`o)uX|1ov!!_E!5c>>#yGk*gF z|B9SJ1nIwU1RJ7=Kyz%jRX_r#miVXG_g#QV-uJ>m{6YhW)tOAS)X2TJ1g5v<^xmTOo(<$*?9+yhVTPo_`Z43ag_1)x0%o=8oe!VtpK*<2xB~kGi^Y2psJ($c3 zZiFqfN=j1mV^1w-ISD@M@54q!(CCx}MV-sur^bwrgIu9}>grVS%#u^2`N~Ezr7v9Tl4?DjR#%?1AS!C&Fjko_@xC z;&xtc04=i6Y&a1VJ+5S_!$gy18HAFlcTLOLoJpV(QjdN8P*NPP2RrB+eaRyF$ifou zdTGiVFp$}A`Za=(Jj?4|uW8-`aS};6<4Ri|R5KB3lQUMYsU3cvL$jZ+E}(GrU&&71 zx(P(JN!98c%s6jzwxdZJZE$<`2(70zK}Z_N%B{u#LJhS)e}Y8SpPkN^B2|Z7^HRR_ zg*Not!5EE77%v^Tyi=>$lDfN}VJ|QJ;xFp10r7$F`3qGC$1>K=i8AnhSzDjbE!Ulb zBW+Uvrba2MK6~c*>jOoBpIcWc=ce3+*n4Wv5~N~o2RTN^gXCafxtJKh+1DFNrmcZq z+<|%AT&zRzjVyd*;b;Qq7*cK9_{}9=DK~Lfj{HIr?_NB*-S&6io5iCBb8L381sbS* zcRMWY@nB>zw1YY6wJI#WMcAwwAMqW3lOkg|@EK>V!F+b%DJ&gWEWFWW-sp7~u@={NodbM3-ddPa)SgOuxH zT}f1J@9%wn|J(3I$ma(qiM1_-EeZ1}WsS{^mFU(KiX0~`QbTTonJXTph+!{rippnn z7#a#lHR>MG3hu}j#Oo|d#2f%_ZnoIRy`iP{Gek?RK}WMB3HTmqSgPTkFe&_=*_(l? z;FH!|s_L`_;Ej~jQVCdWSlZdP6Fn_RO$SY7W!u|UcBfe<9<3tn#ecsU(8SPUZu42D zzX&_VjOL6^uZKI`bU{#h2o{C?bN1rB_y5Zu5s(igG3jsN(b|9vNcH@mGmq2K3V|~F z;}l#Bc3;)#J~C#p$?bQXIZTTpQGI9?BUEERH2iz2Mo|Z>K!b}sceu)Ym&YvR754iE zxFVA^1PHHPYq}u&7J&BAJ3*9h{asAq07V>*MBVby{!PU1+8_S&SsoaV{al=z!vJ1| z4gz`7)axs_4AOhAbh3O1xVAb*(Qp>Z!Y5$|OK><~UI)IZG*i-W3284Rj~awZpFC!{ zsJ8Z!bePt%pm~fhR!#TY4`-5)jF}08QhI{%1ie^DWC3~Ao@DaPI#|8qibn7)3s0Yt z>VV6%2>@5blc(Ynu1mwlv3%C(rg8SDqlD_kM5uVWmsCNbST?DV_~+YotmKPM?K@1P9&{bwnB6u;nJk;q9wv*pUDJfgsWsF{ zr#F?XCx8X8{`Bm8rHd4|$4~-q7i;00H_X&$YVDzHIfi-8Msnm)Y?+NEZ_B5OBSKy{cQ8rpZYvU=)^3B5&E(ZPnAAf9w-s=v@KB=JHZuansyVgB zRlI>G1eJI7#x)tD2$jzh^+mspFRfziYq~kQoUaJH&UZXD$EN*&okTZ|%_BzQ(m|gM!Sh z;hhOp34GSf0W7vtW%rkBP-nYFpf32{)d^Bk_FmAth@{p~P!o>MfwTKVIQ zM!6;mV61{w;Sxkax+9813ijWT1y81a>Z?>Jz}nB~Q@+puX6U`vV3v*Di9b$?(?`|n z_1&2IBEf}+;I+uFB=n61&#HX*wiB+CXX|)IoKgmh?;&CZa3)G6>v(qrT<<3MWUH69 ztg}QWm&AQHHkVdcaBj6-6X6_#uEW#0o&(iB8U>yW8(l78bHp!bK3bnow`Jk%9HmQ} z)*I&Qlx{9vB%cu_r&65v9{`qURLk^Io|Aa&OdpP3yNnB2`O?yZ@%8<#gmeJdj{eZ@ zKLrv^F`MDX>uV##AyZ`#q%%y#J!C9-k~S1z(`ZR7^oiLaZPnQ?w6tyQnHPYC?xJyP zkSzS%BBxfI5ytw|nhiBH&CTFswAt41zkk5NLD0qd{5gC-u~POt)sxJ#91+UCDsj0ac9`kgV%bq-MV>c1{aA>H$1To(gj2|pNFN9XbQ z^V@Ll>M7VhB$Lit^5pFXFl4x79!)^rdVqW7k7yb>0DYTu#xE<{gi&oOiPiJ{B5<4V z0EIU&@hzN>ko8SjK0#COA(5{LF%OEI$VP)^&+2`D+tWbJDnHV@e!x9RFsB#Bmi!=r zW|>dz{y)pzp*+Cyo2omW=%8t=0aHEs*J*bHF#!185^9W5pj8CS8nGe zWAN`ANN?4_$gL=gV*2J_&D)<}vtSdxU(?T?_P+Q@K5^bOd%BS0p69=vIx+0v>jIXx zR8D4XCJLhI`Fz~x-k&+=w;?U|3!6)GbDhx{hB^WnB+*8#cWKb2BJuczU98rye~$mZ zS1FmFMrD}x#k9HKJqOlHAx6!BJQ%@Savc*&4rok2yX$M#;HqZ33!rsI=ROcz#@*CO zuMhP1cctuf-ng^dz!eYyfbjnBP0Eq05>HCX?z4a6Fcg@2exE|8*3MQL>|ZxzC6i@R z_PnY)7K!Zur(=P9`o;BLp5mn|dO&h+Gr$PFFiKt=b_(#s-%n|yO#dK=8%tM8sB7{1 zF%Ip`_JZjVew3LOIAFq2YxkNrh2>!KID^OqYsEGp%2$1>3twnhUo*HqLqQHlp#yR> z{W(-37pUt-%S~hj;?_jU_sqMO*2Dje{%QRD!?@4A#+@~gXg5jW!{}#2U5oDhZg4@b zzA4Fj-02Wjk)KJDeR;EnJl=g&oU@~d95 zV*P^ms&-zmr&$x@FBvj*Xpsfi`P|xQvpnXhZT6$nYZ9k>qKb>V;u9%#_auB5=bOFo zndR4dCVcW<6Nk3O!%Xo#m;ZP@XL2BNPjDey8`(>IoRhW2M&3k}HiJtUgM>Tr93pxE)Iaf%M+Cw7T7#)1m2(}-b;@nr zdC_kiA%SN0~RST`l80KIAJozG1*)6(960#eWAI|1< zNPqCkO>&ff_GUq{#&(vU&dvAZkdi7@YRk97KG2ldfshD`@9W4b=tgJK8VtwLMw(8W z%@>E@7tS?qENWrC&ADAyTjOaGUH*?wI;O{}<-c7AQm#M$=R*Zk8r&6LWf2(uAr%Ep6+GicO?^OcWApLBmH##^Wd4gBsP`Py+l`ch*X&6?b z-#9~61^NT#3uX18EH9UV7{?FtfQgp#P4$U-S*4zPGLT1w77LeYIe5vYO3TTj_^Z2W z$BFHN8Uk8>S)6ebg+5%mv#M%xp^W1iRNWknTgD)uV0H86ugzcfs*>gyG_tmJih+p! zLv+mc(3ZSSDLMy`o;DUA*yh2F_$$JheWPK&4>0ya+AB4j5tg?vTzTp&4f!ybz}F`V z*j%q5X6uVV?|yt`q*67^m<=mY574s#0@l$Pmx=7UFN_wGF4@?WFJUUop3h!<;BMfc z`I1YKqmc3Bk%G}JGKv({%&3j5o-Kt-jAgyLL4PxCn7bY?sp1otp*aV-K!0of``VNP zd0M3@BmO*~<||)Qh0wCHshfgSkc^}crRuOhEBJ=`tEq;P3~OhK$n#IJEvd|BA$f!x5Zvwj*?By=q_frlsvQpb=T7+J>@MFU$!SAM6T1KF`-uoQJA07al zW|NqG@GbRq!VZP!FJ;KT_14Eg+O4$p#qOYNsiw1Def#QnAM?wBAF}?tN1>05)R3Ib za;T1M=$=r{V;CclH>`~o89#Msf;hJxEX;bADQ_n*8oZ|GcH5cD3OsZ%1h`I#uVE^- zRjgK*G0)@u%5O&Gd$~4byuX|br;W?nW5-~}Yb;2VYr}|RP}E-Kzd^Hgr=RV@InU?& zU_^VZ#9T}?mjdrBh8C~&K5;w%8q~CSsYp_rKgHT571x9IQeE5X=&KseZSVe!^A+q# zRri4^jGNpT4wEjG!teA<4DFRJe{GRH`Lt<{N0zQ`Fh+1(xnDwzfy>)35IiXQ4psi_329aE?>0=%N?kQYtb~2m9||nhHm+^mgR-Ng4nX^X-eZ^ zV&nE>)rC}=n0UgFCeCJ&;wg=^i0XJxk`*48l+M2nvMV*gKcrJvXyo$tDSR;TeN;-@2Iy5&Iu^H*d&zP zYjsX{v|_!Ci}&zGqq1^^xw zg5_i1J)7(7J8sT{f&)0AR_498h+I(Q@19?9vxMVpa(3VA1!WcwyXYk?6q@3E3hQ>t z9S|JB2V!4;G9!0jJHl-2rA&*t|JWlq_JfJv)$8(<>VY`+l^I?6MlD8g1~Q?tU~(+& zTa_yt&ba#i+_f^oD_;YnPYO$?rUmwv$2&EGxDkgM|M>pO_*4Z#p3NqGk5I3f1XH=< zE8-QNuofLXv#x36D7F-Ll8)bzUU-8(Xr6hCFfWy$&P=UuOx@k2!{}=rLwGt}wq}&| zB;doY&R00bb$arL0&zv95~5`5y(tDI&7a!S-cvf{i|e@8P|E5}03{Lka!H~x5L$3xjgo~D=HNcU zH+xqfHT19p!|}zTx*X@d-tu^KD33<3G_`A^aSIfP{lu*fi5v}#DhlPeDADxQiXrFW z|F&5r|GlV)=S!UD)yb{ud1IZfC)$Thkc(zez4hVzW+& za!au%{-zzsA7F?>)!*0cO{RP{8Fx|o9<=QNM-G(@E9zuaR9_`1@VuW3>O0i;v|MQa zy+Zf49+(ofaR*U6p4)7*zKcxf&%xR)-48K@=ZCTGe|IiZoD$5_NciB4ly5-ayB=06 zbp7bYmI#b6cL-L<{mu`V&$VkICAd>P(&oP&RsCl7g0D}3(S$ki^rWr9?%w`8xiX&z zszXX)-k62NpnKt>eIfJ$98;PFo^=~RzuHC7)-RSMdkpE-@b6f=jJDv=KTjSeet5r6NxXrxB%X_7=ST@U^junJ8lUEJ>9taCnH`~#>H zvL%V`76Tlcsk3_s#mkTU zQ^D)PvAK+kXlA|0mk}>hT-tkF=W{wIzK#}P`6aew@A#33Ce`Vmq;vaI)LHDziY5H z(d%}bX3{M&zndS7@#Rnkmd>7rGdV&AArzt~rFc!HjTFX4vMJrBv7&TU;ofn#X=QR&eIa z63#%$WoQ-8PHKty`8cr!%z{IEF!gL+3Aaq)W2BcrxY| z=x~@>u_23hkr&V#UweXT;p0RRI}X}YX$ZEt)+Pj}ua_k{G@6&!3s1H!3h-%1(HlHo z4oB70XY3LQyWJhzl@cYpkkeGIO>K=OJJ#jn6Ti*qEXsy^vyR=D*abhH`tp-V4T+xa(`m62zFMoV^aBFz?Xal|!-X%jEJ5VRK{t1F# z%>1h=C|M(L-=J|44=+UqGXDzn2i8dbL2nNNa=lpZxq`|l%OiM}=D zXgziO=3X}%!XPraUYefELabrcDoL{95)r!|@)q@)J*(9$)%|-X5r%(Rr%=$f1&6uu z5D3-@5<8H_6_j-VCCywK0u##)e#ry)^%a+5`@Y2l-KhuKx8lW5H|Vv-EU-yZ5V&`FevP5Z7*{L^~^=qB(~Af-ZUbHc*S3 zDXEC68c|CMG4DT5)@2*Ae&F8wh>=;q3Y+nTloB)(sQdVu2}yX2&tN#i_01YLY#;k= zC$7rJVGg1vM(~tQ_G&FzM8jt-Mlu3`pGalP!)^9TEAxwg1~R0B6@duYUTI9PBD!t@ z@bmsrwrMjhFXd#0%}2rrCYQql*G`ldJ=7?!_uvhI!>h)&19&H))t5!suTz@?DF%_b z42cE!yY7&?LfoQ4blC6?sO#nNVqIht7|zt#ujNQL7x?}G-B!Y6vF=*@w!Oe6ZeMG! zR0162@uyd0Z97s|cZY1Xka;sdJN<3!UZ-fG%RG!;u0W&`$9KV%WLm zTSEs0E#W)1pwWV?o?xyq=iJ^a)ndP8umHsdb|m&!CGY)FTXtB;Txtk&PHEqzuZG3T z-z7Ztg@)1#@S_@B4j#vUQx<*-U~)3lMrp4aN9u5IHoo9!g6{QKVa1C}hm?c*} zBf>e6bzBr<>kN^b7@ENI?+>@u1BpjzDSaY}VA)E&nYh6NFUZ(_#7M;t+NhtEpGhr$ z0uR`2N?Qr;z;KWc3*?ugFk_b%D8EE+2Vxd2x2f&d)ji4Qetg_hmj+{g?n&2$y*oE+2d1~#-3RY!o?^GjrKnjg ziZ&)p-Fe*TA~FVyyk+@?V5#=dS+}5_f8>$@B$w399rs5g z;Upj@vol5M5|``RT>Q3tVfmSEN3N}F)*b8Ydp{n(xM-#so>=o^nQ(p-){x|iCOs(* zH7nnGxpn&MF~PZ51tWLr6Ic^-hcXHdb z@#W_uxlH87CYjLYux^6;>Gztq6$jsYJQiWy7-HMTNutls-ECbj&QFNBJ)MKmiF@Wz zCssi=vL7UtILo9plstcx37tRXKD!fm=pfdcNn*Y=CdJ1(l!2*=-;evhXMb9AzW8uh0rQaD)1SedXP1!#HYH zE&KjccLtTd1u%(kN1ODa)?n8ba z^atB?tv9XA$j)#-Ak7N{uL<3`A{CC83^S;?*vUw)ssj@-qp`SztERv;As8_M*aw3w`o@S6;$i$il&5%6irJ%6rxG z3U!5Moh&)l!#B=T`_3@kxjOJjO`&fCj3VZXREBP@(?@snqOnxM_c4bD8VnTZCD192 zWS&Pp`C;m{=S?^CJA7y=u;#wvsVzy_a4e|@+8a`ng06%vD5T2kOKI&gcV0ivIs0BV z7#vJKBcpr{g}FOP>;7Ahio4UIw;PN^ygChdjH42w|aTJ*LZTH84O zI90aY6$k7}uKSfd6EkTF?$o`EXZWKOFW={X2bF7XjP2^(v;|g_18d5*l#ROII+=;C z^e*8ldNsCqOB%y;RPH!Onh-2gF|Ae{5b$;11&G5!Fw?wt;Jkg4al22dHenIE;Xaxm9g5w{5}BOdex59f zPpVS^a|y0N*%@hraWe;}xnBFNY6ote+}!lIx69}rgZWP4?jMJHwo;ZT;y5M9rmYk% zrG>t2!J=WqriO@!F4flrZxY4!qhH~gydLF+~ z5f_UKT=D;!+hXx(e5HhJt0+%|Yf4aJb#+xZzFER!CS$a-MZ?~5H9B~qU@Iv5!n32R zf|s{w;#&N+f|S`)<@rgoF3i-401*7ggODQeR1smYa!a;6RMDnJ_*<{}sjmOd&ojy4 z3CE|ryeeFp{=r(rcSS);oPi}a^S+s)!iev$L686!s?v#t51@bGIn7t7tEzzVo1l;M) zG}Zc4M80AS;5hT7iJ&2jgz_@6^^FG@6jhA4$6k)E*wG>b^5<%fNlSiOluhmF2@rWd z)!HrJULda8%>4wq1;bE55cM>{THbTrUt2yS+a(@ozTH29K+6*_^^z3bnro`WWi=?I z^!|qLKHK8ZdsyE=IP4YyyNM5vtNR`KQw+fG|Kqz31VmG;f|IY$|M%zVt#}~|=uL)~ zshpjA5c7z01ZK}6d?|aD&8Rq+?SxEwx;ob~Xqv(x7DV(Erl=)@stvS)=;^7(^-F-lNL9+tAG|UCm)=wXHJSTNL5KQmgr7b zCu^|J+`apn&}D7zG{Fj+M(&sAR9C8!X;YO`UTa&!E?(oUmFYytWR=fQC+A@|8)x%B zJ-$Dz?D%I;?X9r)!$`7(IoeYakALU$UIySJ5PphwiNm{8C@<y-8=XX*&I2r-h! zhyg+Th!fcf7g>EwFnz;8M|?frTBK+zK_%^8qRnWnF))u4kB*BhnuLRgds}0S=n$0i ze5L~De-MK-fj;r3|FKG*OyOjc7){6y`U?oS9-{`s>0@7?&! zmIZmS9OkX)~oC^9LJ3A5acP8iQnx2Pp7t*G&NAn-DpBQ5{_TiDpXX>RW%T z%K3LMc74bJJa?m6w};&S`w)xC5i6%C)~w9+w!4A-Auvb+iRiw3jc9uuDv*`gJcuc` z?Ec(9r&ik9w(z4-H&NirU8y3J)$`EFeJ24_=ENJ<#dD(xiyv{d?cw zw@bLo;7!4LuV>Y)EB$oQ9&AQO)+XwTR0Yo52pIG4ktIPX$NArJv>wle$VpoVsTUEDO z&Px2-Z}WfO+rRpMq>tcjxx$cr)y@Nu?PiP5#KX^!$i9yjRy?f<9QqU$DQ%psT`kCMV z*MI2<{N6`-XEQ@w?G?(Tq4=x!=a0oNF%d$dsfJ5b0e^~R{`0Zqtt=k?R{ezYc=8{* zN3wKxlmF8T;IGHQCFCZGRI1VZ-Yx!le->+jf~3yd!YbkWXX?B^7+C+?y?!YVH*x7m z?Z_W{wtxA{7%9aX^!w-ORpJATYOxHxUnGG2wPnuv{$k;j$)F~Od9EN+P(gyEOFdjv z=NReFyPN;>aeHf>c)}Blt7fK;IL&1;R{v4qIDu4xmk%2tjGEgx|6tLuG69?l%Zo=+ zzwiv-#S$10Pibc9T_#tp{f}7&T{@5%3KcD*_J5gU~y?gMtcrE)M zyhsHRN|CKy2Z6WZ%V326{{g{4}bn2A?n(NMZlKB5JICX`Cf)bqI4+x zHD$q6AF(|`k}2vrU1MlRPTgh@y_mW5=n4 z8S?b``fPZi2;adEFT?1l#$!5RmoWH6yLs37w|WR3&SPCbIkfb6xyB*OBKZsafdEVP zL8I!QbkP2*Zt!&WjzUebN}G%V_rnL*mo6L+JL@r*X*J~N8?briO|XOc{%j#A0uI~L z3OQMGrh5yo^;8FS!?6L3626a^@mFcBfrT588PpH`&V0S>Fb80QKfnBt*j6k3L^JUuq<0r&UpJIs3JQ~wqG4dW6 zSzpTnI2#QBw}C$lj&*x|Fll-B@$s_hBM53dh@npw`p|#eM}{0PA6xAd-HLMR=esJ` zi^+chy2DU`e~rEs=6r_2!?{c%;Ou`r^daxTw<_i2yJzQZ5Xuxe3ytrD`_gsFun(d` z*fb+R?317^&(#euWVd#q_4{w-K<(*w4}p__4A3K7muvt3) zsn%eOT0aIHi2^caVQ;iK+ZjGf3!sy`?;NjqH>{7Am{c|jV9Wnvn+~GUh-k-8c!$-< zXp_2ZZci>Fv~t|=^848d7`EU=FzZBsI=NGmd^W)PPrBgg_f;UkiJF(;{k8(un6l9j z1}4tMu30Sf7r}tnwFwA$+%UJs4evtsymDf`+99)m&hqK9gf$gh2~4_R*DD6AQ=Sd# zA~0=q#&}!aP_gLLZrb{Hu$l=qdt(erQe)u8^W`)ifVorlzMV`jO+eQ-kB-FIy(Ne$ z;TZ*k*r~nP{1354z#epoXJV#$R54nn66P>Pk?$cLa`{S*aZ~nsI(R5`OT({67)b-uxDzmX*Q68) zHpg`RnB9CS zSXDSgbSZG^)dkTiWi;CnNJT?K28+)PkU@Z3UD|k-$iUCFsn|#7CSl~TZUUx4c*!ow zJ&($K3UqGiX-G5or(R%ZVcFO>Od9Vl=;@#J2l*iDf(xCWvCuvxfOT=GhN= zym={L3++79992A`*cUf2xfb*X|Lq+UWaVRlwTp`h#Nb@-^7sWYs;d4|K((>Hjt`w9N} z7`G+KIP=C}P*D%{!|Q6<5e3eR6EG7%Qd@n{#dB(J_}Kz|ap?B#x(syT_G?l3N;P14 zvv-4&8ETOHp<|_i?EB?&-&*;It7BG5B#8XV7@Nt^-39xEt#BFa3|u|Ko`>z|yLjSa zn|4B?9S5(qupp!2-$a9<5@lR{kLn9bc2{hTt*_Wy0%8cCav({M( zinRDWQvYu=F{Zn#GxEFXO~4zPGG-o9dUg4%ZFn?xk=;ukZh=~6WE z%$yWCF^j?0$WYGtYOP#R-*ZhdqN1hGNOBd4hGsg`=7ngJ_KH4OlMrs*3Lddjp?ZQ( zvfFx7^zN-XrhLW%vb+IY`acH!#Yrb%ZoxK8oG9*jEB;mQO*I?F7C zh9I=&u?O$!Mr3yNUioiei^o#+=2ALoHNij~Oe&mm)lNV;wp;3W?%Gq^QSv@{kE*Q* zt^F3X(YNeBnw(ZaQnpXwcbcL(X?%rFX?*@L5f$6{cKm!jES4dT?76o`Lo>~{4om@ zSj$vvk$Di`ihRWF%Eb6yz4wIh=a!q^iVQDv@Z7VZREb757NPIF#5aQmGTUnf)({@? zVY9 zqTP*f(f8&sY#F^BcbAodHVK~x$}eN2=k?bX*u=f4MNspu`0ys-%s3^((bwnOkQV2tAMIuw%mHSO79!^ zQ}xKTU&BIi9ayE^@A7aH8mM_^RidX=DdbyI&u&=lv|iwgRwbx^?NwC;+3S9$r=u3F zfL+#n=AbKT^GCyNO6~jP?Bmb6D!@FnKiM6+i!2gnS9n{Sz(lJ_$90~fQPtHIlmmpL zHpiI8tB;Lwk(C0=%+tT4z z%KW%#$Pb%?tlnUY=uBI{gLfg{6yUflH>3>WmhHAKOm>d|xnXqrDtY0>b#TNMGF9kQ zn%6EwRx|QJsprJ0zTN7qD5i{1{aATba%|%GvgX51-F3!_sp1~!5Ye9^BH4$)W~1nv zP$uey?d{zF=&nl?mO-O)iTS|YZhs8%>6x zaC;dTTKZpSdgt@BQ@0F);~T6%`0dq$qh^NWoHJO0PL=t5jD23oj5JF>)+)_Tj-o$A z_G^p%SiWixZ$0`_r#ZY)dk(h4JIqeqt{JKtGm@-Ku;gWw6t`{35{&WGJH z7`$+JO_R-rx@vd(tUg3~`?y4@U>08PDJbx-ZY2q%Yvk1znzO6D#3QJG`RV3y;rkv? zFMWT40pn6zkVX-VO3>Im{!O!5+vJHHijJ?ZpiF6g>zkE?va^)Ngtm$Fr{M+t`LXn(v7sJQ#Z}FDb7tj^9h7yF;skJ zx)fun)~b_7dYV!7y2L9p_Tsh}xopkZ&K*6RYZ5 zfy_`iL^N+gX=QQ@)@$j7C*uteQ!I7?;GhHueDdujnT9p2;sFf(<^FuM<}%ogTpGZU zFLgp+PrZ^zJME4c-Ix^J4>zeuVLW>J>gQ%fr^p+X%Ettz7;M2wvQK|qmp$)1MlM{( zUN%Mky`GRNc~%O8P`6{Gpd)4zs*xsW1aYUHW&|pD<-mbK=7(V=zsrAO~_X6zSCGk!|%GGB0 z5re--{&u7u=8ETI^HUfEeJPmds*g|FHn8M=A(Yt#Nx9|2%bAGZMb&2iAqrFvMq5yD z#%H>}6jovNRRRD;FzjaePG@@^XZ0wPoIANS(VCfERkT&=tP*OPI26I-v|OeWe$z<` znJiDX6r5FU7HeQ;U`houz3M|!raF_&(Q&7qMkQLm0r#}QciRB&NU)Dqo#e5FnE$GQ z^MrRc!y=^Pi@pT3FbN_#?6yF)N~g3K#)@ixXf)lHVA*O1ZbT0RA3c4FmscV|Yp=`+ zjs?z@)=>vNVpFR^tA^dMq4+O%9E>)X#;;S@y-;`($!Zd9fA5{ONRtxvdoRcjeq%ms z{kb2URKC3S$=QKAL}D@n0HaFwUBkA|C(er#EISOjJHk$M|7Fueti=G?_(VOVtFc2l zE=@+BzTwPN&A!XiUUqEB$A_g-N8O=695~licidNH>K(D!TWu(FSZB77toeLl6q8K< z8Z$MB@xp@PYB4%KGRbATGUCh&RGi9_?=WBSNcO7@xE579X&o%;2)geogSxX; zy_x%NFw*0DQX&j)tGax=h~YH`WxXUi2umm$)iN)?OH&avoL|XC*=>HkFIi^$#i$O& zpoHW*Q9{8joalf&Tv(?{jJ)0PhqoJ8KMSZR2*x|W<3@Hq18iyPzVDH+t=?gBc7S!q zysjchsndJ<@1Ml~!YvWp(ezYuSX!_=MMyrFTN0}1lsIJ2>SW)SFt57iI2<1+0&KyPw@y(=zt~fUVQxU$ivk~;p8(XRLHpzdz)l+2Q0F5r!h^t zB!3zJLryw6C+Je=;}-@>E)h!kh7!L>JGPaS4FyWvtVFlpo;wtb#-IpZ>&!?Zr9t5v zsfb+<^|%JpV!Pks^$FkU*mtTpM3~d_e7Gy(dmv>FEF9K&W-6@8HyO(UQ&B-w{RlV@tjoJZxS~U0= zbev9ze|!yEA)~%4Y_XiIs>&76h!!fu9q3GE;9!gOy5`#h<6pK8&Smc&)-yZsNA5$p z)BOqdZc{lE!Mu85IH$f(bb&?h)i~Gi%ez;>08>vH?>+!V#I+P^lh5#-2Fm)u-U&7R zW*(Uayi^83QCuIb@ZL#7Y%+x@fL@>nJTpdPN)|m{2rb<~wA+W?*jHFU%;%)56N7-; zOY>rI`{7fTnTn~hG3;vqp{}W2#_)=Fw*$Fq)Rn1gwVelNO*8AbrygKX6Y#ATFHuZe zU&kg}u#nf4)ep%_#)x+Nt3S}BAMN}Gj>(&%RL>N_PQYNN%{BXK(R@**&?I6q0n zhlUWsyMhhe&h!vV^O5X4mMTiijzZgC@APmoce+;lb4ff1LrC`kDB<%J6(Y&P4Lo;U zw;#UWDrAh{MU@O-%6b4j)&yYk@)0^6=K=U}A7if%<%lsUrswR5z5YmOIVb$C7H02S zGO$0qD$*s-tHi|v&lvd~r>86GhcQdzq;)`w9(oi%MF}7_YfVu8zqGtEarW*6VL22Y z@rE)K45_~4gUdh(U0};RL1^z=T}(c;j9|M!Rdg|hSwX#p@H>q;mi=UF&~3!arUrUK z-_VHE6E|Oy8>oN-61Bw{isutUn!soqS7(xc2uWoUlB{%N8FrOPwMTIYtGHs&TXmyV z7ChSTZ9NpkOp6W8Ks7_!n&hB;HbG%s-!syZUv(EMN-NbGD4+e7t2@Y}CJ(Pn3+zDy z=d()Q3J1!KVs7@?jRWny#d>-LrGuV(&bICFrp54bwy>$TszxjAzjKGlzQlnJq!uGT zIY*ixkY-|h4IZWW4!Ctu zxly8RFjKY+o7oS&0SN5DqkW`yigPwgBR_!QR1|&5t>*oc3Del4s4)w%7$1ggHh?Wr zr_j)Zk^~bm##7y;@@EAX3O<-cNTnvxp-n{|1Gb|6># zUaAqmEWg1B%Ts)qJnWNl0~OyOzX^j~n z`jI}chj0rRGthx3+7Ol){|9n{|VK;belX!@= zWB;%&U_wBZN_Zl=x(x}OjvDeZT{4Ef@A80uZLP->GA&O&GYR|C} zA_ifa8wMu1Iht7RNC zIF+fW2M-fC^&cUi;mb69z#m9byC6B~@rxb=8ZPI(2(bMRu$_Q;=zG9H%Wb&NWec;n zrj+0`5u*^+GxaU533B`Ls}6r09Tv2(T1pLwdDLYu>56Q*T%zPTNr zEhAIW(!F4&L(`5h(eX_dU|T6Us&F3KH6vgVEjjbMM=T{!nm>SL$rp=!k`uT&75AbM z{QAOqIj>+G_#z*%J)jP5${#IM-P~sWx=iV@kMJLv8Wz>6S~k9?`7E`pJ(u~?dByeJ zKpc~XG@(cQ9l((2O|e%SREj;@2^A!MKRfj>-ett!+TkojHi;RD4S{;U5kZpUS_OPR z+As9?9^xu`Bk-V=A?`qc^^fXB7#$#er)@FnA%++mn*f7wrpSu6&WDg#25HOzq(4z4 z!%Idyn)*ptmHbRQ=nweLlzKn`G=b0)qX!Qi<%IL&$|--)a$kbZIo=uCswSY>%w7Nw zs4#)RWg#kGVx%&4%4EQ8)Mq;U5P5TQaS9XZI9P{XQK*y!G7H64jO70cbQ;1+95M#3H8p&s683D}GZ;2y_SYuL4jU&iag{JOA z-R5#NyGjzmFczDcCE;M3Zd{8n#%dR4j3W??IJtsWg}luX3cqkNIsQtd1sY_vujp_Y z{=jgDwq$GIClkQ2>8Q6)y~-iaM?ja^o5e$jL5f82_m&>&Pd7wxjx;acWQ42~$ z!S!Hr_==mO;=Hd7lGPN{z5yf;E)s@~r%j^tk;*ro1sOo9+<@dub5w!^k!bM7$}d}% z%=5;zhJz_?L{lVR9JHnxH|OE1=II5G`;%%w6Dz)7Rx}0aY=R= zEOev6Sd^2w)Ppn5>)^$2LF8GfzB+8sy3O@`gk~04K2DU_>h=drcJJeeVk6ttPOCc9 z!^~&1g(Li)!wxssa}hqthyqjuXarRj^aK*@%1oMn19)g##W|x)Xhc0q6};k}Rb>D^ z?U@5l#$WYFEky^SAMEi&wua2vuL3a}8LH#*)v|$Y0}eY`>m;YsPnGC+Uu9mbATLt% zaDt7rSE204k+4C)7|v%1Hf{k_I~N0WipZKH~y40QRK_p-(^j7GsESd?;yU{+RrX53v-E3yPge zc)AZuzxxo+okImj2svk~gC(rZB~nqL8)Uk(GnArJBQ$yAAs#?1@`+* z2+0csdJ9{DoO`%>7?1F90!wNP@uCt_Ox0VhA2*)>g&9o#Aa&gn?DH)8#(>Hlh8)}G z*Ndz<5+9aifr-UD?^MfOE$7uf;ZDiP%LDF``dN?+vop%OX!))6y8IO*b}2??@we=R zFKZQYrf|f%x)e^8eaMoc91}EYj>^SzFXkO^z0*Ake*O9Yu96R0yn3OUcCQJL`i8<* zEcBHCGha{K>;qzSV|4!DV=!n-I*x008fV9b#C`4|9N<-}!vZwa}NouAMgoqtR3*CHKFcv<3Y@pG#_awg2(sscZ1E z_L08QyYb8$Y+1hAL9%b|Tq8fZ1Pna($1z%gFo^DnYFsYaH*RaSJ_#v=DVy(_5QVExn&=;B!=@0^P#nkQ!xzZ`hWO zsSfceDLAbnv&xs(AP8Ob4ZMfZ>P@D{(l89)`)z0(V3%NW9Yu`RHCu3rKHU_+ zf+~v?aWCFP*7r4f0Ot2-Sot7osstfIs&=((Dm^^P^7ieFK+03kwQc3O9qA0H%+g~i z)9b#zOv$%a9cl_z{0DXx({x3fSf8YIwU?7`y(j$usmWYX5#dk}2JlVLdF@^DWJg#5 zP1uJ>F-Wg|;H*)u88Y7Ju^Y4ka6Eo_EI$WU<{}OquwcZwR`x1vAM*6k_bjQr1*fV8 zAJR7;v|3Kq1bjnoIqokGk)1q<8Y=?QZ&y+rM-dEN%SG82s7G4>x-|hlLGw8JV#fEt z4nUNsK!ooN5*k$>8xkfl3lP%O9#53gV7T(ZOF@;KCB&@PI&$GgD1yJX$4MM7IAYr_ z%Xhm=vk!>L2U$`0{p8Qy4viErqb~LXqwm4@%4QRSS{N8(v8c(hD-8QW|G@`~oVf!i zIgW+QL!9D_Y7#SDK2F~brRr&!r9dG5Ovb2G*bBe==q-W7z=TBmyCLWKE3vL$k#=Q*ae})GIIa9G}rM)CJ@$ml%DSRWKRihf@Z?_J(o5_qRTjh!>g z#2~(}wQ&ou+vh$BRS4idELph$vL>@fOS!VXn=mHd-CQyrqWOF;ffb~;(tLe(b3Nbu z>X^S6f)$}POd(28X3!<%YKuBeuw!IRT2Cm5c*SP7EC%Wb{1 zZ*QpYEOUYhMGj=ncn0=@bk|Og9s7Q}GL{vq*4XP4V2hqTxd#ovM}42v82V4-c^;|7 zB4B4CzRyJTRvgcFu!xin_|ap6!;i^iAa$b!<2VHgRg2q79IbM|`>ppIlwZ9}QF5~> zOb3>qoDa%6>j*oU(!vGoQ=OqSezfWE{@NxS<2- zH!4zP=>#1tNXs2zom3?FIY%JmI$~6iOsmW}jWmCA(&%{I3O(@%@3skg5pvO}Z!t;c z0xEFt1Fyk^{QPRVksU`Ek9o*7xKpywY0Z^Q0m#VX!4!`V`;Z5e``8=p_WN&ZYa%`H zyytJoGat&b!&Q9s-u^VWSAN9liYjLT_AmkcHM>mSxo&%${Q4fdjNr+lM>LUCARG~S zPkbvHXnbKSvxbgP1wlTe`nN**X$DS+G^64pcqoXw56fI^w|{H8%Rfmup+jLJ3?(rj z$I@ne7zrjC|U zi=K>8h7)iL9%Pkw8IEaAK_6>YU{_&xdtQ+6=c0W~4TxBs@=|V9C%Ma;m=Ag%b}(;D zw*mCZ#$yf-VV!dG)z5?aH8yS1wallmIJyI)-RCz{^n+gqKvf(+uVHmA`CgJIIl*2% zKI&jG#NOvsFSNu$s`^(rv?91o4G>6wIxGk@2hHr!FFqxWCodSmT(96KXS1x4vc`UI8(FxU&QJb~+@GB3 z_CbPYStEY*n=v~30@aZ6)V_|9_Brw?G^ z$_nEfrZtJ<3}vNP@$t_eV5@p=CjGc?9yABcK@=C8CxOAuoWGYY;id6BPU~Fq>T|B< zWPv2mp%nBdm=(c|FwMy8N=-GNuZKl(I-RQ^I&ADZFO(*Ha0_aya9?3G=#{47;~Ii& z5Fyb_v-rZrLt-72k9R8Fsf{8e}5%=}Mi|yY|6dz;rxgHOO|xl?deMUFSZkYZ72;5JhwdY%MEd+%;#_u%+*` zY*&~?JFDhRhG9pyYMjz z0{J`%d`}7oEwhWEq2k*e=kSy~5g!r?Oz>DhFAkZ;2@+cRl3MJ-3Tnx(%_grU8BN=0 zCheg0O7cCWku0gHb7GR>x<^wWAFgkTFNpT6Y@pO;|GAyKqLXLcoSCgcyJ2$3&GeHO zUX$Nt*=yr(P2tf?LqyqpaQKV;q5Xw{G*SC{-Xe*(AtDS*D1^1_QVmDv?5~W{5ZP=5 zAY{(uPX;3xkpsz$FGonGy7RRm2W3yq;sOItC0QPoneI$oEY$H41H15syt9M?hnEl= zk||l{T2waiDqDNro}(Z*G*Wm|(a_m*d|WZq;A82&i+i6y-K|ff7elpP-_y4590|)K zM#!vUh&yetR1s@!$?+ls#HV>Bci09b#+TC_wHpL4)2Eec7s*REz>x@kp{s*&Y+Txy zSw+vT1{jLp*+8hkk+QDjTWT|)F^(Q_S79HYOc}HfD7QK0%xPGTCTI%+(@5gpz)wwV z`90^X%r>a?Gn}W;)pBS4=3)5HA2;+CE0E%>{?Zjy2jclbivoD&9Oj~+^o^KLdUe3N zix}A=tqzSXHf5E1S~8aQw^iLMV5F7=Ej*j-l^Sx>#BgINK$KliF?RIpBiox+pldPd zBcT@&k_9t3Q&{ILbK3^$Ycum00*B*0~8cD&wzrs3kPC387S|x zPaWf(j(@{D-Iojjq5KYjmi2ouIQEA8toVsLydaA;HjIFVpBk;vQOA!gT3&&Fmx!RF z$lPMDGh&5l`myE|>sFrqFj&{ffV;coa7bk6!7yy`K6W17%H6rB5dlv)m(2JRBLdJt zFQp{B%)q+yXyByw0-N>iX8cL0Lk0>sN*8ZD+h+G+9i`I+mE_gQZ@ng(`KI$_6fIUl zp+DAPXIp}k$jBz*F;zEJ*k?;;8qgPp%@>{s13jof+0Ie}^F$X>M}UcQuTf|QN)~E< zt9FQep(2oKE$HT8W{mez{+f`cD}A1W=lnM-yCIc%n>jc7d7E7W-H$O&leJMha6F8< zt-+>S?!-iIhGxNzHSH2L?vayY-R=)~VeYTrZdA9SX9K})uVBi}V-`t&H&_T1iQPvt zA)nHkM|e*4tknIj4%UN*kEN%cYE`Y#_Z6EwN!r?7gz^9O_kz-YohvmKFue3A=iE;TfB*eA{q})zj0~|>9i=ObzvAP)KProf4XL^4N1yup zk^6srbpoR25n?5TE2}^l3ogNko;aGog^b~@DuZXpl1ZB7rQpB&{D0?H=0+mFQkJWU zyEpco`&zF9brkIhs!+lu6K2o+S|j2~xj&SpZ1GQ_|F0LoAJ1xfGDNwWVnYykVgel@ zKTJcyx&!bj71^lcQGCN_F(JVpM{9D(FT$58CbPfs^Y4H_xLC{DnHG4{!$r0h<5oJ_ z<&7#0oD0=l=Z8Fqo(JF)bL3h-Gm$>~^AA+)C?S?Dmcy@j<*Ia2O5!^fVIVH2As634 zf@fWf_jyvP1_GCrsaFt-Be>x&i6^NWFd6MX{ku%{zkyx{ylv!SP0U-I)_P5> z(5k!t`>FqoKM@Nhn;IM!xA^o+ZogRUK>~sm`va-kC;wI}@h`4ateXsqf>liTiJ#Q6 z{PXV-J4{40HG4q0UXgkJiIsooru2$&>oSCnQ8KBa#D)yIj_D59T! z2D~vWtr$G_-R*UGXjXMq^EfT>4V4-2FC$#t91hTF$ypGvQ3;nnI`Q*k`dzkGOFVbD z1uRvYU22Ab9VL!9uph~siBmr>7E4NX#o(3;spCzQDY^=3;B`$nTzbAr(Z3W%)#L2p9koNq4^;> zef5H1Cv2p2TvFl{!jG0_@HAdBNwy7ae(=w!>StX3b3y$1Q?2Wu6)-Ua4E~JcN))rV z1L>ET@SW3U{@Pf=pMKWx@Z-)R&pXb>BJ%H7@V^)Sz2(kBB5Bt`9sKEy33B+oW0aul zZb`xQ{QMID54hEoz{Mfr71e*d<*j%1fUZQ=fHz^2pzX>9?wxlo&HI4&$D4XExH}Cx zIZ2=%WdP!l2M)@426iljiWb52KM%tD^*T4gu3A%X!c$ZUwl08Fw}amDB{~NN1Cusp z)5l?bgB;>j!&?gQkFYG?fL*kGGF#9r^3EfW*j8Y(z4?y=0zc_d2|N``LQS~>snrhf zXvnv8@C7i1@#%#NGJ*a;p*Y4PR@P0N)kjT1&12sGv194W`4{o91k!}3VtW85#YUUc z6RcHz(d|QeZkrVIjb!mWM4UVg$^aP{!IKvNnUsY6a_Zg*zf}-{#HS=iuw-P{v#6l& z!Oi7lBt+~85WU#kOXST?ZuT=?<$wip)f70r1vW23x@7=~q{xN} z2lhDIfozi9o4jnBcauyRPmPXjGnUUD`k&Fn@ z3M2H26ao|=2XG7I1g{bS&z0l6dh=&x3@TLu0Tr>Kp2r@@IcehUyDXRhqD~hJfjl{P zc2Kg&7l0EBZ>`Eb^#r9Co!{Yk-#z67l7@B&Z!s!OSL$fS85;<&7rqagk;MeoWqpDx z30(lnXC(Q=W474L?^!>q=I1;_Q2fH%@cA2mDj}yue&<2abxDLitsy-H104pv_<#P{ z|G)2|27;Epe!0ee(HgS2$*4B0+HMDsd?=yTGV2$_s-04NVb8(p0=E?)6gh-J^F0k( z21#PJ+`AE=;81))2mHq(NH*@kgp#ofFvacgHie_PKnIx!P7+zY^B-&=g!SfUf(+`J z;r<9^#h3gT_{WN%`PJy(1OEz@Da7pSW(L7C}`#YvU-pzpp_m62EK1%g6Z+C*P;;V=G{w9K_gEl#0wX70}(Mx<`viXa#bo*3)!%Q)^svrYyY0C{H|b-2p*D{T^a+Z}BeNFz8xa zb_08)%bLX|#mSaF;2Xl4(thk9;T9n%S|*Al8N=h>-w>MI%%R(ja21CashWJ*14IsO zFnrc$9fRz-bph5oXVYQq%PZ!IRVTjB{k;*kPigCHz)fM5`$22$3MgNaK=~qsVDzTV z*Cs8T`a{kb=nzM4G&KNo^{VWVfqQC7qM3tRX6cfY3k(gn!(0C*G3sG`ZjV8L5zeRU zof6IYie`jFF{WKMC=D2i?$8;ZTxr3*;ylvA^n;ED^nYu|v`rI&Qx~EoFGc6pSotBL z({;VJJfcKmv>2ggdR;FqlsN6zEOS*7kbO?HZ-BYGXg{Dj@@fQyw`v6^K^610{OO3! z5C}YGEHyDS1Fo#)%p>K`aG4+=Wft7?A!ZL7P`$F3|JKQGghNW}#SR_Np>^4~{0%?I zctves{t}^{x26^+*!^~WsLM4sqc60st?gmI=W(G$v1e9|8|*swU)|0wVk+0v)HE1G zCN;9Rxyp47_q5DX5}ujF^K3sgVI4g2V_+9_t4Y8wF-DG3s_A)iS0CldHKx2BQ-~WW zHP~YfExa^RI&$s70yW>eOgPQ_u9I${o?{+Vxk6t{L*F9f`gSK$co6T${_{frQT`vh zwEOa==%-e#`#Y1Orm#`2ce8exV%=>=_kCW1Fh;kuZsgjFefh`kZVk=6eHKWbYnaIE z3QEY=)vC@c-%3q>XYhuEXcs1(jBy=K>!0`CN6Ki1CVp6|{G=LCG)b&sT1vEi z>fD$iOp?kYQv5e3qCkTN zvV1bCZQI1dj4x*TWzPN34@*;o;P*jUR)Qq>BY# z2Mt;(s_yT=!5wgX#^Bn-E~s%tZ+~e^4spu7#jjYT1?myz zy$^_7-4yi2%s^El<=7UuOvD71Ng5`MR1tH?fcs!Zw{iy((M=(?%bze-(KLqbFm@0; zl6GkC^$lWIWBNpWE;g*+X&k!Zh=XCY8fF@s&nKo~*n*|&ILyG$MaCv4t3PS|{_y2J z{@rPL&(s-;N!sqDHLQ4&?%qB-k2^iDwN%fJnG7?|Y6wf9@O#q9u9|F!tDV>b*^#zgnQbz|@6Tnte= zrwzlz>UwH#YWG!g?J-XWa#!ilvulCP89MHdscWOCmaWQ8uGc_8rMX^Szg@ROXKNu+ zH@3QoL#8gYM<;Hy8DIjhAkG^teCA6fgD$fP;CjH#Ry6in7CWQz*|7uk+(+Ua0y|TB8aaxZEs!tIc0?1W3lz19#hvjuBz)ZzRNY`=any1 zy#>|F_1o6sbj^IApim|Ja_f^4f#)sGTSacrBQsZt)(^X#D7<$p@C-;7PpK(!JV+|d zobb7DPB|g}mRAkrFb&P<5hq0X;R1rlh}_!`ZWHvoL1t0cj5667zlg7NP6(rO`V9s& zwGH?r4VZDUIQ}{!j^bfI>KT%})CEMF$Q#8WAaO_jZJ|RRo;JAKNT2e19ce@>y?=}7 z4#DY~Fin;d3*>vw{6h$j<(u;MV5|n#-vK{b{X0Z{Nu+(Rwl1e~6?$``{~m607pWF~ z?~C^++FrzWxu@eiZqUrWj)diaPNxYCO|xx;mp6q7Zb{WlxgBU-Y!sr-NGy`!h{UT) zNO@0Ey=f5XPv^o!OmDU_m|8HD-%$oi66UJdnKI(#T}wpU^IDqyt7@9Z`CN8aTZb@S}NSIXKS|#X%@m=fC;*1TD-&`hJ7MqJ9|yyXCDf8gGfbOF(tkjue9D zZe73^yr-t`n?4U|LXJ|$Nk2bopA3(~Ia!yW=l1_$?=8c!T)%B`MN||~K}945M5RT# zF#rXT?vn2A79^Bbx<$H6Kw3dSy1V101YeQnCC+?2`**JW-+O=9`&_K^>HlS|buAU& zcx4-d-1i2ri6*Y!U zOFDWH6EyOOLBGtb_szA3T+13UC{~#GOMS$7`Ho=G2~mWB`70HG48LmUncq}wG{LF` zfwV(7PXjmJ6$5xm11AgvE{79brhQ-&(zwL8ovGYE?d!XoXk<(FbRKk(YFg=cR`YWqmH%;JkoFy1Ac$3 zerhOXc6$KnkbE{KK+57&Zh8nYFVDb2Y)ojWI4RmLxaTTs+Fkz`ds%qNK;WkE4is?S zoPd3$d`A4yNWa)d`}LQ6sBqa{1ywWo0rrIZq8OwGUFR^_Pt<5<%}H4yPumq z!l?t53n%9Cea%IjssMBts1&Y`4KX3%Lr zW795xa;pM{BDJKGhhEsy#);hDiK8~jM7-T%M(r{RVIoT0NZmGjvJMWf+t_&jMon3v z+!}Wr-6uY|1Jpo7W={JEu$mot>lP{Q?OB#SzoD__daX;p-N#CBh#ua)1xuo%M`QUo zByp*3<-c2R;u6jHu6EVNsKWHij4$nD{W)H@H+UTPV`sV6Cu#jm34b?lJek)?}NVM&Jz6_e94zJz@cIKiwB>hTrOZ;Rw45AXOh*R(EX~E2N z{9`u$a}Xh;i(^9jrq2ao^<12d4Dxy!qO{bV?u z084Q|;Q|xw=%AWS$9tAC*Z6hS3uhTdO+w1S6LixoqA(|WO?ymCO1wwo!qJaWkIO?` z83!u9(liW3ElTv?yoHmXZR0X2@V-ZA7f~4eK0>N)wQ?SljeUcCL^9ril(~*D!m{a; zk#w|~q3voV*jVcC_IZoh!+jK`_4yi> z+0{&M;u|}Te5?@8#V#D zr~(#kK;K&zN{65+F)6hk1q~cO>$)#YPVaOg&>0VMy$?|xBNpSw0BYg;0=2Pkwm^hb zcJ?-x22HBDE={0=uBl*lTAB-ezC-l<;*BY}^`l%ymd)cDcJRa~aov-4CfCxU6BD<*lwz+PHC} z%evybgYMq(!-&v+Yn!rh@*(EH*125lS@sxN*xr4Z?UHp6A9XA#U27ikbvWB>*7#_1(Ci}co-)eUoBLOaeSA@N049Mnu?J7fkYw}>7>wjDg)zhSJXZO~Jbwn{ zE(Enk>L9J0pe)U+d-C;9dqG#MxY=^^ZuBcJHu&sybEe!eW*QSrbrF^U*LCQlV1?sD zd9S_VY_Z>J6|{)?aAY4+`(hD>EW1o8%UdPw%w?|I@{dbHb$d~Pz?a4%Xn>~V zF0{}OZur2y+B@=I%Q7^pDZkiV0MGWSnB+xRzgbeez}e1OuS&Iu0T zG?S+3(3BXLR8gInl2j}Z4E|fLl!-IIJu_-bpek|*qQmKuUkQ(So+pn!`t2up{pVgi zqC7JP*2tCJrH&6uSfjHj<9AmgbSY?(HBnX*NXpf0VZ`lBZEixuVy0a~5FAbSErWL9 zn{|xthv&V(-$vFmGOs6+M)bxU(tk5HN(tf+tJ`g4_Luc{(SrVmagZbd4ehDY=7l71 zc@-!Lu6^#4p;_Wo4Ji{FR*u#3z2(2H^cHgrUgoS(rdq*R`t>|Z=)5yV^y3)EYAb3} z`UvOpu`_SPDPURm0Y#yayNF9-TKFg%`}AVYGJJ<(5f4z>ZnlK8?gt$f?tQv_yY_D_ zURNV3-z<@A@en32Y)8YzE$<~2u=R)ZRzy&3n{nME`qNpB0zBH3wOt4lQe5L%XcD{n zN?x7jV}Wr^S_JrEs3$;5E?h2lTT2B}G6S|;lL=riu6`ZD6%9B$p#b-FB%-V*01rjF z)h*gZylRr$>r$(Y9sRlA=-{9+tKna9Zz0wC-Lc0Sh>(TltEcFWj~M`y(0TgM*5dx* zzVoZ&_-LoD@mR0*kOCeRZT4Ry&U!#p=VrSDmdqZ^JD~|mleduF!|`Y?ZTb*t=4Xr? z3C7u3{`~Wvl&HcWP_?sy8Q4lV=?}05)l#`4Uw??v=Y{*ow8Jj}&G7V;CiaU)fw>*n zz}oJ`{U`JbVhkDHHfB{;hr^XmtwKWO5fzYeDXdwfwXU`8W|7c*#dT zd8|F=Hccaa5V;fZF~WMd75oe_R4;@nA8=gg_mv$ycR8YqJ#hlCF?UXOYCWL@(x4(L z`m)LUuJ?$i09a|q1*_aYZzy8f4PMHG%MkH*H#yUaX|DpIZ5l1LHCoR2eJUo^P_o^h zdfeWEZyfGdBK$zLrf_(4ZM4{ZSj&%n-1WUM;d2<5SPv%F)oIf-DPE5A-_Zl2dga%> z$B|Uund(zNsex-se#3eqNGu{@K=7BR2)Z7J1Zh1=O5VO|z-i2L^HaBKywRvEatwx$ zOr?;omDNwbj)TiFsX*aS8+L7)L<^MK*FvHHDio_Jtk_msjY74|MY|#8^jS)(SF8f*f-Xw z8Q7QsSajShnF4fEs}yp(%6eC;=XaeCj&>l1Q>@*S#bExB`p(0oIh{`WspI1@KFqDK zWMh_K>m?H>QYZlGglw^0C57U*)F0Pd2|s;4i@5PsvD{nKiVNx#TnIcM4_<3c z+veVf(=8JyDCVM8hr`BveqQ+ZB5*@0_@^czVDDsjk)~9k47{Z{SdILX=V_*d8SVK^#2ZF? zq(X;ZEz1P@@fQFiohu;{pml((mJjIMetr?`zWzw-udhWAg(t%z?({UGO6>O7^a|3uH^j&B1UD>t2zg;cp`AEIV?zQ*n=@%2xC>UUr z&QPXDYx{p<^fK6x!TgE?va#gVm+G2r2e9-pW9|PPcv#Q>U>Ghd)2!L*T+zfN-VbpL zVjs-BxZyutZ7rlZ-i!n{6g~GIK%oG7OQI}CaT5HyYee*bR>?Q^pPqI;?bgOvu2$md zB+q**DB?@HmDxsbhGdd!(J%C!uooYwrWqZ6yt)0;-aPqXVuQ$Oiz1^nH3Azs0p`+w z!LIVJvgJ-NcgR(xh(O&g0mEr!w&os*HC&9Q+mnIQ-*A@NpRCOiFP?U@3K^WF#!n@D zl!sqUOzCfxn-a{Ey|PPIL7-K*RU5aVBT}g5&V<@~U}5pA+|@&L$+()CI0DBrsBS@Q zjbHtjDoJG2`S+qpz|>ipwbJ~0BSKSap?a}5Xs>8n9f?D|*=1Pc)=V1L6}B!A3(U1_ zzggLczH+F2Zu9Y$cB1sj@#ye0{v0XUdV(w_z-_>(He#y2gC;tC)u{p~v*NGmuKdSA zw}YWQ=gIpr>u&_ZE-~Z)$BnL)L)uB+q$2jm`Lyczq0$A17ZoB>(i*Kp_X|(Os0}W!D2EFfi4 zbAS0~d+k1#+86Wqn#_k<12|vdQL_fBp^kxSY?%8cc7DK)WE0|M9)wVh|~J z@ss*J6=GF07w&KrpyfO>ror=g#Nkv=|JtbVXW1Qvx|s9FsZnWVf%WpKOv-)RFfJt!)0 z#;t?N0i;ctF`_IxoH70tIxyCdgbd@S`18uYZf=MktietcBLGwF3kiHbK9jb~O{TNA zv7CpVYM{WKU8SnvrX>d*??p6nArHjaiX0zIOfKD-tqD87iI}67fjxT;mH5@*Aq4U; za|B@0)WB-5ra^{6Iohv8L^i2f#7Sql0C$&Di3m63e{LzX&V(WzOAS+AcARN(i^?kJ zkebbn({A{KaZ%f`CZpCNO-iGcZtenkhhz~SyIqs4f>wO8P-~2bgOhPcB2F=PNd-3_ z7Q@`$t!sKPc3lZ=_`c)eU9ymtCe%``X;TLaUOKiq#sFguoZF13+t|=4-Qt{NK{D(7 zKLWqoc?`$*IlOH(!dca^d%ybXjt|izngT zeNVd~mnc3Rf#(&(s;L6KQ#MwdJs>Ds7<_U*V)mOsEN~K|&2qxrAJKxxdy+h0=361> z>7@25qY7UEA~0txgFV8`it+p$Ka8?rT&!Sh{R7bnn1L5k`4HHp1Y~ZQEwH!FIck_< z3!xI}5QD?dTL7sgEM!je?}evu_5zAQ?v!pmQF&vlNa`}hI~QuNsFeuB5S|(Q;NvJk zBt%?kDUf~htlR6bC`KXuB5%2&B95({=Y_k`AGv%E+?nZADy}|qEQPU1d_^bE&s3bs zz(tc}A3`x?2F`K5+`1gE3KBPSwNxhy2USecc3qHB@v9EUNl+pzR9EaGHW*nVn6}+g zR_Df{pCn-^FDnaQ{5fdOdUs#qVapwPKkk*xl-^GSgyltMhySsh#Kwr$xcAy z9d>4AYsij(GJfK=(_Sd6(nU4a${j<2-7@nebViE1%hrl~>CfG}s*r4vvl6SStmSjV ze*rnUwDlj_^q}K>UU#@=A&WiS0p()E!qsEIJuISp`C=Q(k#)4`9vS!D<|&OK3%D$q zeaRMY*f^_-x2vwZ)k1cHzE*ir9nRDkG(<8fAEzA4Asek_r2GK5p14^I-?lW#(k^Hs z45qe`#E9*~?!ltb#FG#tf<}uDOGj8p6Pur*v|onSYkHQs{s~ooo*HDBCSK;>?7mKU zMH(KTnpGr~zuleW@S3NqAF1`T9@1~@d9?g4M^7<8-yu;iz5qkN`$^~)ggK@WGbpI@HYKdOEzf+cI!+y?MZ8(-=jNtb{ZV71_qzlL!ZHDjnswOn4)u z@Bv6q^j(fYGfUeP7R6^o0ZJ*X(*Fan~Mvq+tl~GY!MBV>q6=OE;J3FR*^>gA538_1kyg zU5*(XD`rjHwFsHwvd2zu)(lU6;-`Pyj0CgwdK_b>a+#WLO%0=t1N88YPH47eTPU=1 zdGeTO%#Hgx5+}9{eWD~HYVv;_iqtyIDrmqEi^;EV~7|XF`D+ z->mUhBcmd*4*$5Lz6K!3X{;G>_Hu@7qoEO2H?4wjh75@I<$xl_Abd&-_EGd96PM2x zU`}rQv&0mb{}aLQe~Ls-J@fv?2XPxCTsqbGUJ+=QL1hC8{DU5~cehh5+uL69u7$(P ziQ5G7KsWi7v?hrHksbaeYk183MA)e80b5 zPo`sxz$tBQh(Yd<>!)8{^vq|Hx@-|3^vUrhAoq^IMcN}IE;x4#BoLYd{EzJrjFw&L ziUI=c$IYKdBDbYACV{7MEowo-zlKto3b^18^dZBkLqyB!WVcOX^Tb;$!Lt5>vXo{8 zi(p7`GibpQJ2X-5rEN&Qf>kwWU@OWhWOIjnf0S-&_;Wwx3^Wm-OQXl^09np8@Pz^v zp)}ey-cY=5=ds&B;g52qd~8Tv$iU3#(Giu@Y!k^>4 zS0^}k6heUZ=9_08oP!VtP_+_t-ZX<7HZX}vlMn<)v!p7{9J9y7doD$!kJVQ{;^BfT z+qi*?0+cMi)czJ@IJKQ!_i9ll;@BG^T$Mt#*ul5FB0kdCBt~^6MtG?AhhXw56^ER;FT=#ac=&-@_ON$j?<6U@@0re z15{}VCZD;2Ot@G+oV}^`AP-_Ypn*2|&H+!Y8KIaJG6=^Rqd#wpECUlh7Qsaw!Okd? zzgicca~vyEqeym>Aa8lK2R2UU!!`yZ7`eBB+Vxb>-+9|qS!9o0(45E*5p!P0-_xJr zw$_^qTqlRly|J5W(-34y41*+$Fwx~OiqVT~iPiByz?1*)%=^eJ37_DDeE5+va5sJM zVwL+>A$f!LvDmD}Fx2fn5WSX^!S%+An@Y>WQF7H&1nC)isJ%?7OrKMBN5I6DF3S40 za)rR-SgL3`W&|0PMGJ~M9m3xi34Ir$B>)%xLMsBH*#tqi3=G)}{6z743AQpw*?fEo z25sZ3Xo}-qQF&D-y&mD4j0Nd98U6%lziMPB9in1xSByKT1-6OS>&eF4A@p<-`?kLR zqb3AepkM(Eu4wl%g{Rq0?-+tFS@M8(J}coWJO51=zdovN%>VMSsuIM91Z3m*;WdcR zY{yJ7;~zjoUV(@@Z?%9&d6OsA+oB4qsJdjT;R5?fqKI!zHUr~oSJ8Xb->s;yS;SmA z{%z#xZmu)y0CXAcWgCDm>7(7fpNfjFZs@h=?H$HciGH=NV7qDP3XNk#mHi0nPYM2` zK1qQ+-3gm_23(^XGKqqJD$5SaKv(df!X?xbVT{~C1W;@H}Tjx4f;K>{w)Bp|DVsb^xP-d{V(v$6mpn-<2b?dnJdTHTS`bcvCL*yLuah*u4W^o zlB%)&^?k!E$DoKD7ymY)XEs!#NAhk?dRb|abPCKc0rPb;d6W9*RqbC=1I}=x0EA?I z1j>yCSw$>dhhs^SV441BoFv(s3}1{5RG_I)1M-MWyz>TdnMvVh^S4ZcN>Q;yGMOS% z8SAlDVFu%IVfm3vxFcyve?}l_y_v|7Vr_uivNp5rCIV29{4`hgMgiX9&$bp3Qyx}= z&5pC=nT&h9`~`?)R`o_<+)lwx6^QuK0M#XD(=Np1%e`LyR~EqTuSx(!0sD9y!ylE* z3o6p{b_`X^nO_=SV)*W0&K++CAL%m$xrI@So>KSDKojO$!n0Mw6R8fHr#RLk`k_D+> zt_eJ5{$6ftRsk0*B1qSii<){Pte4<}Q-B17=cs5iwG_B{yGOP8+|*FgV2qrLgMPVy zX>e?;c(~~7$yn!vSg|JPDDP9p8Clr%ojy+*x)pRPrBe!l)*66D87|Rb4eLYW;Ooh= z=U4|W2Si3~8i(WOUpE>WT5VzCLH(3&8_Dl7IDHQl8bA0erNUj)ZA;!6s#i&2HbB=J zI@h#{HIZ^NTeS@xH&{hQ`}pELn6q7<;n}J`zfqfa=mt$>iDfm;VKhWKsg^273opqX zG}Rzd?9Y2VjQb3hP=5ePjQxADI@tp{%Xn&8Ei40_!S+~GY4p}JEYnSCB{yILR;5oB@_3krnE4&HoNTwXdZkb`ZN9QO^H)oreWb#N@=UE{>U#D#Ai>7PC05o z*i+q&xWoOSy3Tx6Z&zUO57UPCYyRc?K?X9p=8|W6k`1Z@xtTIy+PAtQDGm#`5tzd3euPt&|Qg(Of zZtYmB%`0#Er~(P^_f0Oh6N|ox{sPHTb_I=~dpjk7T6;nbV$U|liMe(4sPh#~HH0?M z@N`7k!}nwwh2myfn796|=H7n5*@=c@*QG$M3wnw2_BfR-)h_rVwek_Dy$_LgDyxF_ zL_b+-tHVP)K!}|7AXm}2z-~=V-hwp6`EZs;l*q#AXbQ;9l0Cu1hV$f(AL;nmYR_wT zBHT|gWix50Uo2;Aocm7IRGQlo5NnA?}#T@Yx#jL!Cq?7zr1nyE|MN!{bMuO5Vvil1a;+$`71D+vlt7Yitp~wR{ z@AIe`an$SDC1jaLI;e?qC(|WXsB%}}9;5Yo`{!~Vf5sBUj1FQhs$IT+=nnUj5%dNY z#S&^Ekd%}`=bFO^%>HYDq;z@kbT7kwX>MIT>W?E4aJ#|!wVGLy$j^jt9=2!pXXB|z z*U=uwE>_O?#J9AhJ0bu)+`+v@e_okmg~C$_-&^UjP(UrCPZay8X39SDfHDc(rp}~) zJP2c+(HoS`_?zt6X&OSBHW-`~Sk%pa;j-D9%}DRR4VHle?ol8a9gKWk`(u6*U{fFX zF-Ci}O12Sx#0aFzxho_#s~`oEmshmVgT=xvUSw^a89mJP@2UHX(p(VY`{iD_bnP*Y zap0anYxJchgx@c5cpg}hMu6^wQ(By@>T-6o6d;bLaG@^tV&s$k>~m@=?+lph2{w9T zU)PShaFhiV{%~wY+EQgAP4TIld+VLR#e4>#F)GLXgvh%T#s}G_-6lja&p43K0?#6u z+g@W-*tGSb#1RO;{v1T3NG2%~BPQc*JV1{)bO!Nk5gsI24X z+%VMn$F-yL<*w$y^BebS4pHA3WU1Z>p0wP=9)k{Yc zRf--f{TqhXe~xp80c&N)BF8&>%bEUtDB>(DC-N!-Ew91QN01$FkEDo(Xb+`4oYYQ< zMGDuF0L-k@VFf{Xqf|SNX~3SAZT+6HZv@og0)$nBKSLG$@Ual})xt86d;d!xq`2n1 zr}4II6jL!?=UUJoM-3U+ksZ-uL_$uLf17cGA~>>HPJ;>k*XfMx5UZfW z)eZDV-sJ_7b4M6`eMSH>qm4@5AnOhKKtdS}WSY+=ocwg0 zRb^;uWX*=V;Ew7;+*&>_83Di<0WdZ%o&x0oCGL*^_abBkvHr{}_+*{JYJ=zyG_(mt zDg%*oBLKn(PEQwB3$nu9^aVg=#T1EveXec9j+F==$4#L0Gr+IGBmrwjvOq$D&`FFC z%BBSiYnCBLUmTIfwa4M2jDN1fnu=JTyO)XC?gtUEP~l2li~`X!;{fg+al)J(&2bNR zoyZs>q#rpv?3b0)+fnz9K%8YUX4rc{%e|v6^odiBle36?1|E~|8{F_(Gs=SD>Dze; z&JY#*75r`o&>SJ%3>_}JD|Ebli1*3oYvVfAZgE<#hK+?wr1 z)l6C;jXrwq7-(V%#E`aqWVAfd7kgNiCV5a!TV1~f=7-kAMVzpJ9qnqxCOM;@TW!s^ zx-|F}Sww}qXP^&w&yTiZw$;7R{Ka9G{BLfa+RxtsbIoo9J2TkVUUa{IQfP4^*z*_f#vfLs(`?ndn@fHcUu4DbGF6zw8vWtunGRiqNSrgzd~~NWX9?LLB)O@Ya)OK z_vAlX`P(^60Hk9;tJ4N#YxW&+Ut|47Z8z6T{! zP+938$=&p{Qi6yMF4y%0o`2-CIks0uGYK%>C^V#db3Sh@U_nUZgg1rZ~gZFY1#N420>Lx3=IF!Mauwzjij}^FBATe z&&D0{8Fs>aXifx9{f9DkmB{Zb_GVDS&8e)DkHy>dSRHq&mKZp0Uhhh1f9PZKgHOaa zRgNm=B5m3S|JplK9}4yd%iRqhho7SrmhqR7p?i0U_9@Og-B!nr7CzL=MF#=QC}!2| zm%w78O+p*0c5u$B4qP9|EPatY_-MBl*|U>$>a?2xuJOt4n)pwPRk)RIbM%``RXf>a zKDp)hpMLp-{`UACEC}M~K^J)9!aKvhiX(ZOr+Ow(1o`j3|Kp$e$8`O5C`|R$1!_02 zPUxN7{x6q?3q@mLZ~9zlviwKi&M8k^Svc>w8@1N*|LEH}g{5`zYWK~%L=7jq@aaE& z+e|M`W9>7wV_M}Y|I5$y#GXfQTA%}?UtJRYXP>w)56+}jQU>C}VFm5XAHS!SAb9lseU{O*S ztjqno2c^BrYEERN)~!mq4n{+%u*EiiQMJ-GD_6Zrq0DrI>fO6{y|DQ-ORb{#rxGzf zj{NlZch?@;EWFTh{N{BwO*nv1M7{1C#O;(l6&7y!>Uk#3a;84{WeeBI7S`LQo^Q`> zlJQ-qk*uDME7qI4-jc+;%5Ej(jcvcSH5u~FXotG?%ehS&5kvj-M^H1KHib|ygZwq` z5sT^Y1FU_=`%Frn+%^k8KzigLGUNcXY#TyXiP+4~zfsIpq68VB_amu{mt>GZ_WQw$ zn1{l!gU+Bmb;eo0#{%Ph;acDX?44=_^OTAGt+Dxe-8r{tE~`%|H4hg$+) z`&z}Kon2k4Z*(ixx;jy(+JKbl(>J#_=dX0OZ<4+_*$U%*=PFt6{d51P4ll-hg~mTk zHsfWJW|DwgXURZ`8g}u^Y1s0k@LL1c9;Ja^oib?^)<;}FwyX`kqW`LlfGer?z0<}* z1Soz;-1iR{HEa1)m5Yf^^vnBFh^@_>+csnTuS)01295gVAH8YfK?&N8{=$K2@K3ES zd01~*7&3DTyI5=*_{mV%_f68bvob)R+n1|URL=s&t)!@8y*9A~9y`*tRb3Cy+Hd`Aj zkAjIn*Jy^9kiy0JjyOe_Cu-edGYmBy|00b%x`=qARrVq0|7|(@FX6_#l;;wu^Mo45 zzx%1&FJD0(*C2b9PaGgVv6cQTorA{aW>uXI|K>TCoKHHmIPnsmutQNPgG9jf3+z!H zhgW^FkMdKo+Z;02&c-cH&)iooqZ6|~zCqJ7`RuEBj&rI=gj`G1y80AXWA$q1~yGZZl& zs6NET4pQ8VDwB9gxTmN0`Htg|%`CI$ptNE$#W$glDCrW_M9;bh!R3zc%p_zVlkMWa`$9cJzC` zioONq4TEsgVFE_cVE=HsnRQ~9z`R2S<1g+u;Rm$>Di`NBe&|iIpjsX8(3$aIq*C(d zwkChFUcVML=r+uIEQ59%F6C@BWKGO#&HBI@Xh1*l&Jb|6`0Yl_>G49XH>M-S!haUK zn4{FJ-^pdmwX9r`Y(4$;bkD|9C(WY(=5681qxI zfA?K0^vZvFi7Om6$v1U;-b4}(A0DtLUL zqb3RKu2W&A*|fEvL@iSWVkq{`jE%UmdyYL{YqqFhsF zrrxKfj@L-Ab~OLxe#VXr+HX?T&3;w5U~afbr>R7*EGI8tSzM$m)#-(T`C3<*z|I1D zW~qR~g$oy&SYe+lO3hL}FR#a<*_{AG^^AB?hS_A|n6ZvEcUp>+^xNEFhZXN+F zY#WRq0}W(rvK8`HDhGx73>I!}C5b0lxLMf$8aHxW+E6ameLhz;cWhQnk<+xVvBckl z$rMfsN)wMFMn{${+i1X^;Ez+%nD}oi`}`P~vjkG^Ut%*EWSFqT>~z;MmGINHU_yTM z2@hoqeH5;{5<}~Z9xTwb;M;I!-c-%$N-*ELWktVj@l*s|vUg~W33}&UH!0Zn^;fAI z#(qwH(BN^>c{h%&oxbWW^C3Npz8zI`RBZrHRA(~!le@`Q6;bArTd&FBr@ESjjf}1g zch&wc@;M4kJndFI9Q_ulodrLYOZ0=*C3+lc^*dslEPOk!8IRO?)WO7yqN(l%)I6>B z_sp8Lm#z#UTUMXneHm{^ih-oo7DR|YV|D3-`^b9yA8H>&-Wohx_Z_X-H_r{+U$Tvj zow7*DP(Kl?X-D5BHPzN)ws z;jt4G)=1yGs^P|?%=3BsE@2|m6VayDX3eyTspiUiZ5@mm z?jRDW<@y##!n$#bRX>pB7o<9dBbXCB=7O-~KEf_nIZHMpxEjP{!FI83Gp1L_cp}7jhDKU|G@hq@iS6Cb9n9&(QRBp zhTlo8IKllc*@JcmQj+WK5`nskbYNDXWfZyF^%)A=X(a3qn{AQ;~2T zd_s0*Kg!?>Gw6@sg);pfURle*-bP2d?HH`9Yy)kCHum-i?-udq2uHx=wHi?{zO%-W zjzM^-NTvOnu@5&7&y(>Ubfz-feEX$3wlP}_DC2*?Qq~~ElcbEU^ljLS0wak3kx|S8 zEw8QMy%3wRq1R=gh-~AD8jBX%VIi3M_H6Gbr&^tX3iJ_F`}xZ?58qr}8%j%l3$iv} zd}Cva@*#GHZBPVW+2;B%GZ*LGDpoRTj** z+^E^3B|R{ki4_r`iVSd%!tyDNZC*nAxhJuE_iJoA%q07fe;{O38IDu`2|H{bxchyU z&BIx;(ffpdq78JX&}~M$wM%z#?3elqzMs9c*f)3gWzhQ!&39YASQTBL4$aVADB{ix zQBpz5hX;pBPV+Hb-0LA2(y7jOkyRA$aFJhg|6><8zLCUbv8%EFv|Lw{Ji(!(r?-zp zX^{}Fy%&k()N56!58esOi#t}v>#GU4H9mqOSp)(%})V^ksy&!fgAKmXi65E6>X(?*NKZ5eFME6Z7dt-k?|b0jV5>zxOvQ z*_9ZSZbxw|eq4k5Fo+xL)=w+q{`AxKM?)WOlo2nbYU#UduRbr=J$89$zp6xENIx;% zhe!N1RRsCDPtijFM}oSGuidMraIe!ATm+aAR47z#DZu|?vA6W68*9L!V@XGCN9L5k zwrM~6E3qUqHHA`+B0Rn;`9p`Z9Gh@HnMc!(Mh>uCGiM=`ZHaqILN=vW|#JUe*GpDM}V+YZXSY_4olTuIwkh}nMNJm~9gZ;y;& zHBj->06~Ysghr9al{GsIQMoghP6#PC6@+3ccEc<8n-s;PgJetdo1GX_3X`NKT@lJ2 z7``g|wTJcVw}M;!d1mw42$XL|t78rW-SK3P5D{zV#aj<)tE z!?)@D@sj69np5Mxrg@+zYnoU|@57hhZBYp4=a3^C$@eura38Kav#__NYQ7z3=2-?V z%b0;Qo8>yy`~PJ}@LzIO{~cye=+0SfYVMe0wLbS}ZO8Nq->Jz|GQ?sWLrh1=X~OCP zSiFX94^l03QibQ_jNJ2>+nzaK;+^1zQ^;niHp9Ct>+79VxCY}l5q>%RsXFO zr=KNLBa^Mgs$(9D{xem==D{+-9-TajjFDpsp&QfaWGHkAj)AYfE(`AGgCM4JJxpi*TW9SwG`p#iu>7Ip?^mKWMcR#|=K$c^Vec-h5r0(7lA)oFUjutmnb$PHJUwrI z<4~3O!}H_zzMvCo9qq#)8)u)($b2{ecUbUMVZ8O;*CLGj)yAh1d|OA*ix76IyQv8p zJ>$%E$KXXMl=Ln znYGREV{F=Uro17eOzz_K`?sOMne@DV&ggvH6nKkTl7B0FjtCR%d(ODWq-VMTzJXR? zGK9}u@A%}q&)9#p+%mwoBF5a=6c&Lu#6C_61Fk5B!z}j3=S=iGe9}hkviWKip^GFu zwwctS#Q>hHA)6?`eGys$T8Pfg+NwcJ-f2K1G&u;)U(?lob?0C!PAAg;2EAC0LSCv= z^5do*V`%5}qmU@8rmdAKU1kWV3ZynI0ff-x^2x?*xbV>?#;7x;tN-|L>iAtgFVE-> zS`*{CpyU#FWWQnonUFM(_eECthh9H-d7U{)e@OV#LA8$AX0fxh7XKJD*H7OZ9Gv0W z!mu0n-^a)V3JD%g8vRJzZ+T`F*TV}~^ zF0MP~Jel;5C<^QK8a*1mO0yC9ltjy8;UmrDG(VmTYul#PyUDA(Q>3GlMH2peTQa%P z-(18M(|uNBn!lK_U;l-XBuIP8GNpEg{F>8r7FSF;7vpW6Bj%omQ&ov~6}jJ>pIE@n zSo_rG1Oi#DnF30MxkVCZ9Hftqjh&EteWzL zQH{E}uZ3b?pBsvKWIy@`T!}4E16Fa4 z_dvynLUJtc=@QeWp4Qqfo-_#=Wpyxr>e zG8x{tN_dv?nDAO%Af8P4P1@(ozNMZN6zq>IZ1R@b12r+JmJ#s}TYw3we#S!Du*x0< z7E1QfO+JV(O2OAPz-#^Fuh9nXBN||Z@tn`$UG0++#4~J->cXTrR>t!=$pHDR`^(?g z0i=udR&{)n6u%*o^aph6K~@k}<7fEelSg+Pd&_bw@W`lNRp_!r;hJXRx9OA~Dr|gW zPZHVgyckOJ*jVf;2khU@H11-z-ya+_88Xx0$2@GC%0+}@Cv=erXl{H7MTQ-fcvKna@;Y}FbM zNBOqL2q!gzj{d8X->q|*$*+igqd6@!s9j$)%(H!#2slT#Qblkh;%MqN@umSGo>~7~ zSL&|dHJ&J*pCwv^Zs*v#`xxFki?HYRALaF5<;No~xmhDf{3GLZxC)yobIPY3%{qQ( zk5b#^Ug1q1pbO00I5$aBDFcuN%_4o=`|RJ_8HlU1A9>A$i&D7t6XjES?B^Tx*x8{c zCo=u^1!-w%MV@`)J_5uN2|lo%arQFcMITODu=Y!z!L07|uyA?tzW*~cb+b=ADr2T- zACuBmqrB;`4CdAH$p`>-T=hf)Lg<=3h9yp!x(i6ZQ4Ot46C2NB>hrLN2X5V%yyoR9 zGLoMd^joRg_r?}i7F{44JrM2bL{>TQsvcSp)vinrp(*(IQBaA?FZZBBj}nb7bClaX zEOJ#!TTL%kmY&~Sw)g?okDIo92`5k*{v9?E;=(dAvYsKuZyL5vdZKA{7bw}^aI&9cg+{#xU4MqCiUaWTOzWS z>-XB7%y-~o(rbteeD2F1HjlH|r;}3SS2HT8%=WR9L4P>Dg5urUJ=yr7-I)glTuF&3 zau-6XS?|yiWZ=34gPT|z@c9LEiK|BBcJ@Xw^jLM#=annw})hS*apk{TNgIl6mbaHcs3d!(<0tTmj`iSv~-UYhYMFy@X#p^m))4ryLa!Z$d+16O=g=2Kgm7_@J$|hv(EOq=TevI zXT$e%L^XHeH*+iQ{XwCijIlWgpBZIi=w{fSW?NIOvdkH9x-|_&C(wj7FoG9QDzp$ZV`4@qSt4`D1!$Hu^RjWo^mC-a{pVdM#uKc zU#NurfBbk)P3DJ4q=OHo?Ab2$F>Hs5l&qPW4Rn&5E2W7=*k%k~<;Ij-Z7g&wH$APS zlsN+8ipBlS!B9q>1eiQh2XZ}Kx4T8~x>*A{leIFAy1cecgwpxDyN}|u$sr!C!1w7& zJbYQ0Xdyei!M+CyB?p+PE7__(BE$7hMZkKNkjtEo(XmN@<^Od)F;S9%yz&iZyOZlv~V zCAou3!yeOiP-#~>rCVOye*Km{^V`ShIt^ zzyN8MVw-U34s5e4l*^R*R;v02)7}g8kgb-#e$u(9QuB$?@dz;C2Aq3T5drY01$yI! z!3d`5WpH5U&lS6*2#iJ0E845;Z>d1P1W*ShAM1$FjHOs;IiC0w7P-YVcLi)Tbk^ zzm+-sri$%)p9a-dpz-}FDE?aTwTun9Uliq!?|z0SNUvV`dCt*h5!OmrdcPSx>|nWN z*75rVSw^zQV)k_=wP7n`yy^beO2^iahR^~bXT}GI;8!@Bz@G{UhXC`#Gv{XZj_qT= zy%7y2eGf#v>QHJOo_U=Pk5F9_@k=AZnu2e&ZjhqzdA=pAnUs7`p+Rd+%O5N=7agn5 zom#0fi-ZakBOe2EXZazi37FZbV7C2_68(rztsY;Z;5WvE2w_tDPgbkq`2y#={%myU z6N7c4SOR>E4!yZCs1B#yt7Op-Uu17kn-`+G!z9r>nlIf08o)hHD zJ-ma4EqZ&V=AV78RZ7?fIppcw+rv5>Z+coRQ7{pwj#Bx9+G3AlUaP*RA98MQL_Bnr z!ANe(?efMhaRmQE3#-w|bTjvBac__Z`^hUH0S9Z(t$|RSX0X;n_=&CYKsF76iaZn} z*A!veV`qLmohREG)1a4%uNgN(RaF-`17o%F9NUi(!`TkMN^ zeUCa~*~5HrZ}K!538f6;mT5gHht*#30rDuOvC zdJ5T(T?{S*xf3Oqt0WBy0Btsa6|JkSy=HaphxM_VQxUIFunGuwc#T3VCOUeFD91A# zOh*q!*{~(wbV9%MDyYa$m)&f%A3xTxa(OzKjQ5-^$GyJW0<2F>p_|n&S#s+R{RTuU ziJ5Hri}wh)SsC&#i=hd(iP1S@cIK?>vLnVu*W)hLUf_zu*JIU>JNh8mMn*9`uLST! zT%-Ead8%3d3@urmwu?r_jY z5O+xh5HdbJ^CaLVv$<Eks-P~()8D;qwJrgf2T2`I`6}e8oQ;JnJ2 zM8|}0s?QG#I{yB+Th4v1@TBMdl%Z*--O|J>{V10Au^LYq879{7@!amLjng{p#^;}O zn(VkB{paXA(VmmjXXF^^|@bwWaTmvWV9c3F;Wut#^wY2~SQtJfRf z?40M3)E{e$ytwAt7@)U(sdkR-3yV_L3LY+78wE*xSNKRL;c4u6tnJseQ1Q5V)wiMR zwoy2Q4o(NE~^%hGEhEi?CjvG<-)QD)t?u%L(( zBB&sUD4?QbkQ^k7fs7zI3KB$uk|Y#Jwnc&jksKxG90UXuP$Wr?MF~>mLZVQFZ#{j+ zd+xp8JI=UcoMZpH|GG_8RPAT&x#pU4u3D{wy>(R^sVG+?xxR0uF3WmlkDnmByEsx* zlh+{)`mf_(t$WvpTaGv{#ZsePADSIKJS(I&Y_4@PonCee5|%oER9t%A$nS`ze|$b) zvp{cPp-V|*0p=!;E_xUGeFMR#;QV+^8H3b{a;c=@HPs}}-7NW*sW@SKZkSmJH4{`Q zzkFA|y5~GWuX8?s&ck$4YQ26K^fk^e4;p4VV!B6N^X5c1^v!pz!;=CTc4-qibf)qT zpC6+6%>i_&{esqioAHdpA+$iZlMg-M$b*$Y~xno5HubGG# zA55L6Yapwy@ZGssH}9fgu=HUz@-Sg!b6B-_kq2iWPd?_+H$-k6)xgEim31Z&MksK_h) zOEcAQD4{N?jW*kSiS~JrAKA$nj4d(0glX)vi)V9M9iF78%N^pRQ%a!riKM^3e(hTA zC1YT~hPKFaN~C>=V;dMKI{TRT%RHgAwRmuj$LI;kbL)57Wfq#sAhqDn|B7MB6$Rj9NgR1~m^fw*Va}4V$k^MAU?=lYQ1y0&+%=JD4 z2lp3%du+hLR~?3jZ|x`dnUKmiH{N}7xk<%zBbwWAlpY$jLpo;^KZ8wT;htS_X@i2QR zAOECywG?zuI=H?U-44m|ASC#5uuljP4ZYYg#aKQVTUwZAbmjKzaAbOSj@!U$uQOQ+ zqnGYB3kXaRBA#C}-69D0FHu%f;Kb?34q^OwTtBqe@^D!o`JTtH0jrJ5y?akZ0_YcF zus`;W54WuSn4U)DU|v^<@o^Y$LdCq*{_HW2F1Z{1ZhMWomK>k7yOsZF@$exxW*Q^e zh+aRA8|f%0(D<3_p0kx1zCa%(?C#5xpei>yc|Kx>e#`ZTs%5rO@!7o^76m;)vYQX_ zn64UyXa^(JsVn>|Y}%uuLrG}$XMY*Tqt7i%_5J8P4EHy*ljO$!% zdo-+hzXQ3Re*=5$inUdYF5jB?vzeEBQ2JXPDDK0sD9O$0?pT?vexZSATdiIFrdAC^ zfHK%FnTLD?jst&UOurab>{)-m1vX#DMSpjxJwz5_{`nQn?R98^_v-qV?Z+xRAD2mW zSeOB*D|pcW!|Ha3lXyKPSr9MZmXLQQ$5PX8?RMBDTf@M>pY;&vQs@(P!2EDfhC4ds zg78-$iRZsZ4weJr$twaFs3p<=DzG??2px24B;vJPB2#c{G^@I-nA4oe-aK2s>Es7D zWZJf97}~HqE$`8X zZ!5%9wfDT!TXrt4C36gWLHnD(s*1*S_H>%G{odYbbloMmePN0DOrVce<7ApS^bYu2Ut}w3M!7%aVY|X}z;i$Zz#S{UlYbrE##}!SRz}(HR-#W{2Yo zCoAY~d<2H#4v+p%hDC9Y-O*a*rZ49>H#^^_zHpa#!!D0GJnh%j_qjzl!=%_+7liNGz%=eRTI*sa5Y~vU5`zsdoVG z@dss%-M&MZY=XtK9EOb}tH2Gu8+cMCDEEt)%L+tPp@r}(<0Xtw+AclLG}Q>AWIQE; z9KF~Hfprn0Uu=kH9~zEJ%9GFT(2+M zgYVt!>pBR>wyP&tu;!!hqeE+5@!WvVBcU$o8gAJuXnB%e`Dss?QGU+5Hf;qVUE?+r zdmc6l*B-)ja{ihLj6Xxui!^iYhwk599`-KVs8Vk{+VmAJ=mHO$LUq4&0rNr5twrIn zrLko1gOP>{#Vd?G+SLx&7iRN+TJ}S;%EB7pVSX;OF-;{`knm2`?5gOW$6F7m{?XqjhM)L&>gHagIg4+Te$a6m(Gzt6RWvol^;I4{%|Mr;LW!=QuM&y$vwiOaTE zlhhA;dZCT4HEIRbj<1*E9_8+jV4hoHPdVV}$m2Au?O!M*&D9Gzuemg|;!Sa$fxdSI zM6UYy1L)F-y9#`4wm#k=Y+vPos+i1{qW=DHAP{o?AJB=Bx{DkhGE(4>i=S6Pr3)+pHW>G!$t0HFoIKPp11yBE~L1C=pmGB7? zSVO@BD)oxDqA=ant#(MQu-5|YbEQc(+Q|Tj$8Xr%b3@3;b=gMV?=2!!LL_|Y5_L;R z*5-WkSAi#Y<<`$}>X>kqL0hdQ5v4GY``{;JgH!}U99v$g=gu=5V-ELA-Wbr#>zkF9 zEyHefivmYL!E2x}bMtOQH|ks9`g1fM{rL3PY$2j+(vpaXen*F~kC(K8z&MHNdBF^Y z7M7O%zMjwdoVy2aIkdaP0vfU`tcMB{fx#2xEz&7@sHG3ec7qU5IPyT+>0$oU0=WEj0^ePmP z6^4c0a6zwuq)l(x{Qwyfk5X2AFE*94nM;!o&fgs=9QI@0B+#;cat1Out?7+Lj(%04 zZf6AM-Q69Vj|uwW6Cd2xk(q8uAr=_*x4tCg^n{X(iz#K+iuRr`{ z&M^v6Wnp7_zS__!xY|gA95i3-4)@?54)+0ef!4mgS8Pf*|Df;@UP5rr59<5sfLgi+KEc%v)_HFZM?1(>$KJ zqQzyl@5P0LU$ZrQWd*L*x#jk;moeW|%3|x8^i~$46-NaW->}nwUIerm>w)J+hkm#u zb>wC#lw7_v;>~N@IoP9&L0g>@GxMwbdOtNI;qQh9e zF8`H;PKMR?D`9tG+z@i)28H2wM=Ls27j8&Pj<-sAXXK%&8D%vUE5Qj;U%fTh*6WWZ zqgO%_fiJY>_yqP%fbZl!TeNj|GsRXwzia)mXs^hi+KMXdVPjnsbrv&Y{L z;m7B)2*NP9>w>5 zDo!+R8E*q>qE5E&wwng@8`g)Rb187g7y^|SZnrmL_wp0JUV)xq?-9Pf3{XXWPn9FR z(yru37sI804La!3-AL)OYua7jqbpeP|-y9?^p*4U>uesx! zx!jj6dZjBaio3i_ntl?)QCKa@u9a_P5TB%`kvlYRjNS_)CH$wE6$m{xweQL5E z#l~7_Kq5t^9`xU{u(|F<8xo~K5ew`5=IvCAyX9$^E>KF`la=-D1@fo61EI4$iv;d! z;9~-1MloCz9sM}AGL|U&86=8)?_geZqsDryvcT%)G9*Pk-V<8j-|Z5|izM|zmNNaJ z1@F-N#`InL7eE`eS|Jp`I6RkWjrI?6HE$H|fc?kun0s8?@zDkThi|_f(~4^={gWOO zz|`Z%N*_rlb8q~*#1>J^uW*i2nH;NM%cr-|U0_9pc}a8+JP$>}MZ!_G?UDDs<90;y z)a5odx*Jb=T)P+8$Y|p~W{u%5`mEsBasScx_K!p!^hUy67mnk!7C?A>xT)Z>`0B2H zArTIFOo>)+?HBd*Db%PcaF=IyTrgc ztiN!DOeD;4V`PlKg=D~FV02@skYj#8kj13^$A~_grR>z+nI5&mCO=X|VE+mNY(!%8 zS(A@nwblvO@BNqvk>ED@VR?Br|-{RbKfT<;NK{_yrm*TO~m%=a?x7VnbK67+=| zP&dViUoP!8Eg(*Z*XQ|f3uJen{2d1>hPh<#UaCBpk@udE;UkpREh9>%@op0Gb99P> zR4g9h5ipy6&<0yH&A;|as;0Pu7%F6{1vKmD<)D&M_DWHdL9p8*@kN)(N+gMI9+U)h zJUTU?Z~h4~fihW|?WK`OyHkW;P-^*nYnE&eoGJ3kf?isC11j1NN-W#wN8g6)z{Wps zbH1;w7EwScz{hX(ZW6?e1@_~R6LkfUNjOM@cPMEnO#6-qpp7~$2ffvbjOvL42|Hn% zm?3AI>KR1*$X$=eT~1MLF%nEzK?DzPf5WY+3j@nT*UNunCE=C}n-^ETDZknDF)34A zERQj$d3L@r7A9aRzZk5N5A169T^=WU-%YIy(3jo0y&wh=fD|QC_}z;qG!aBEJmI8K zyMoxFVC-06IkpGLwcndoDOqx&aikt9a z_b?v~`sbpfuHL*r-U>3eCWu692|E7|ydEnj7O&^*L=aXD}CMoFcIT@j(1 zmUdB`yGO*{C?ehJrAf-#PWx5s(RK-Gb^P{=!)uDk-Xz{G#GT6G#G-~NK&GsL3GITZ zy4^W?df`W3scRqzx?p8kXY9_t(<11xFVnZ5%|`a#!LJwHZSZUeb9#*lw#QTrEjvCQ zj;pUOkSFYiZA*0}q{Gxc%~YMfbVf^n`kov?z>25rXW#`pUfCFE`Dq+b6ms9!sae&S zCf?m0hCb9Q<7n*sU(3@@Qo}mSLm#u?1bjTbmc4ucUJ-7@kjVy}y?4ws!}&zjmWFRX zgtic^{7B+_!Pp0^N+wo+>!J50M50;{G+oqf4odL?wvF?4qvbgjc&%PXkhQYT@fWqt zdq{!1#Cjk%dQ2cx2;HzOf3#s~v2;5?uj<0*&oz53y+UvHy+*?Lg8*IG0yaB&QA}XU zH4WNOKH$$FFI1nQ$zqm%ymEJf!l`k?=oB3<(@f3y?2r(l9>JcA#jp34y3KEIH*X#T z`fR^vN}J*{xt4&M16a@QgD}>q*e zVbb_|n^Ub(ROhG>n2WdqP&9n;`33t2JKnDOGL;Ifn7imn@84L`E35r3u-Kye!|@%G z-3cC}57j`{s&8QEd=vnihIrGy+xHnfL>ha!*Y=TP_?Ln&P=8j+7Eb2F8dl~1Y#hWB za_8T&n1wQ&)oo-Vs;x0N}t;39qFH=jYM>|BLvr|y$_sv z;D`;xJ@=c*joQ9j@VLQ@PfsIbcY7%~;(<;2OgGoU<@?+B!?tVhvxM;!v1Vw@-(2tj zj~g||(wkfwi8IFI^Jl-`(iNCX*}i1d+eK?vzBG1=?S8vizT3|@EBrnco2FVu>9%Bl zy}$!*g=EWUc@8tZW84NlpFZ8v1+hlHLCyV8kU+x>{4L;Zh57IATWaT`qNqn|o%8aI z8;$O3Xs}318X=x2dQR%WPp27fLSJ%T+$H};`tglTJjPfhL4+9yhZyJ}I{*iSFx3Df z9~?*}UkZOzZ7^T=3e0{Y0Hf14d4p*&!k46;vErnHOVt4GHoi{s4m5wf&EGb55Qr4Q z)OeDc=i$UIr#*-wo$`EwXxKHwrJGbwi_g1>yphCtAM9j3?G~~dXN7B}WRBk$z|M3% z1ujCMosXHhNhAY^=Dz`*<8R#y9+};9fD_CCPPGy|7W&!PbW8uv^}Szaq1-08G+ff+ zFyJ6AIIt~^*#~&jOkee6gpcih#>>qKFlrb5N)%|Uhq%=@f9*!C5EO`dd?fQN z1nk~J@@>OI&8Ys+a}rC_bC}FSf()*v_RjTiQgX%pn$`mA$BdOEY=&dtkR%niBSPa$ z&Wr9w`4I0u6F||19U(q_)`5I3cz8z1U;5P99<^===j^OqfLeHbFDOTll~jwE|FVYKi3n(#q*n3w;#Bd3`8|MU^Rt@fei~c_X=^1 z828aXFiE45W~zf&ju=Dy$wh=Mm8Cr)oWditk>eMZ?`gO)b+oH&QduhTtHWp7Q9;Y+ zO*j+jtN4~U(X6Ykg^muV6VCko9()+C@|rduTYL;sXqV<4&X6Vb`H`|LnjT@`d}|=Z z|0<}fJUBxiFopYk1U2)+kh#7rO04JGEbboII!_kVIJJ_#%iOT#xt%B>?A zB-}MKm0~YPURSL=0uQ~#K#n=34}kfv2EpyemA(Z#2Zj!C z8CUNSwLe{RX&~I?Q2@K+<$tLKMQ@q>`tkXD?gI{_z1xEgh82Z+V<5>lUDo&_No-i_ zbeck>Z*6z6NKrvSVM~{RLx$6!t>6NUxUvWOQ#J@mH(dLiRv;zu|%@tBgslPD{P8Kz;ZVO+ehCZ zV+8=m8Mb4UBkrA?+?M1F;x0m=eipk9lQUyS6k8-$;j*m3C$O(&00?M(k1Tkj{lW6=KR&lV@zWwM_wbNo zX*Va&e03MHpJe#T+xp*j%>3Uh^R)ibFn-~Fxj1zhrujYzoW-tqqvoL1_k6dn&xl&z=k2kN)UW{qILp1Y(gK-HZRRe6jy{io)ec z9?I3Pz)UMZEb8e$a{~U?^P1pF+>4udrOW$=kjsDhes!53yXssDAIm@cLLYaoLrCO~ zYq!pgfA)o>A^pE6h9q0*uYW%%|Lf!ZpZ}M`0U1?~>%j!S*6V-vg~DMQ$;Klhc8&i8 z2><1G`9J!N1aEkqMDOj_H2?79YVHG7TldA+sQ=O1{l9;MI3(i`hmkP*{13m-|9gb~ zdr!dsdxZYG2h-d~`bh?E5A0OtUm{o{!o!)qeEISwDQSnQJxUq^YN9x_RSIht*r9Ce@;ty@gnRSK5xPuZigh{F8Ox zJW=`+1ltpqg*g(6fGYrQ&h`tCI)eoXv8PYSG2OVKu2p2j#c$aqkkrTb=<8iz<(l95 zr2comfd6~-Il<(RN`C9k0&xr^+bO-rdIDu3iuHWs`zYz<2`ilp$(UWw$2XFPUMh86 z{YT%0%n76k0&?gG^e9^-L@n|L?}%sDttE?SXCM5tQJ>-GeO{7muw1`>0oM&*hQ(mh zjS~qpMC&^O$wOt&?yLM^7XSbJQg8vtk?0D}d-Ud?{Cts);TRQD3eS;~o&WIbh$=!p zYl3rQjov@`JVQHogt&xg)cW?{?ZK2U)o_JP43fCfS^+}R+n^p#%2^Zx!@wSlFk4Gt zoE3FVInMlXk^`lf=kH=po#Kxo`R7q6NWE=FidQ4=9c!WJg z)lULAOpAAriKX<4mdC3Q{cK}r)61&555{XOEG+WST(D5yTz$c*TY4)ZGBSjhhF|R` zC{flrg)uLWGY=FQV@@|mq@S*NevC>4M~sY~K`BDNSPkoy`7ZWUfwl#apxjUe#UJ7| zwEQ{Ru(zf-KUfg|v=F$5K$@OynAv>+*;|MiIHAq%NGETF& zt$4BEfwc@->CcHg-ES%AuOsTVmH|nHt@QQIi&{Z`18*qUkx5+A0F26$Xo=8alDpZb zzh!zNYt!6HW}i6Z@w{YNnyl9c{`J%}=G7LtJ1hr!{X!BxbtJ_Err|cjV5YeW5@Ufa zkBvEINZ%mLZDfbZidQSoQRdm;M3BGYJXq#ThhaKcL`2Cw6Md)1|x{iFl zuNBNn%iu_ITn0t-wUq9AtCVmphCBL{n6({`{Qcr%iqBV!g30eytkA>IxxQYaPFbqeWR>noMakt;YX&kKga20-l{0%dOS*U*KyCyJjY#Nw^g@=O> z6KJ9zy-KeE(ldYblmGLI`2+R7_&PaNPt|pAaqr$5+lg91ku?Z0pz~kPDFI|B1Sil$ z>ThP;=fhb#VLJm}HyD!mx!XaaV$Q?ebmZ-b(!3;}G7I^V!#@3|X`=&n9|_46Jd7O6 zK}t7*sO~_4St;hcpmVUdqu~yrAssNOw}kZG5|AJDh9HtN8n*jae~K)RgN^6{qVeu4 zp%j@qBHRE6ODkI~_2l#b4wf`k00`3oy#w&Uwp$=FjcsLw1>I(dH1e*O zo^iq1UQ*LV;*6H_AW7H}$wMiV{PFTizDbjB$+Xq2BR=Cau&tBl3A}$hE>^wr>;cfH z>XloW!lX^nok^k*wxjxu6&<5fM zUqDt$+#qQ|3<=77IXZJOPTaK+4Vi>4?aV^R{8_wLGOXg``7ZJFbpy9OavV?m5wa|du$ ztxT370@gDu3K{fowBCyYhHFm@#}2`bx)1}O5VSR9*~rb)wMSyVD&yc)x&UErRgo z&ZXFA^@A1G^=iGlDHVpe^(Ior>cs(jJd_)YUrKZT%G~_}1>$c;x|rvLIalYLDz$p} zSI~6WBR0XnbV-nIxIpfgg_U*-BDB^vbdDx}^p{KZa^=_(+-~H=YRv?iAJ1T4+9=3< zS~_J6eYnGJuD!enR$ZBR_E9ZJq-j7K9(e!?sIyx()8M!*0l^Um^9uzcXAt2!qd}}~ z1~UB*^|1Dy%q*CO!vcXP&QLs44Sj@>;6q!)T8-5CL_fR$n9LRj@?ypkL>)6H;Nk)+ z*|SFR-%CBIeiY~VK9LM&tNUo96j3pVx^E+E4X{Yf)H#ynY(!++)n{wI7Su^%6=36$6?%QSpk9i{gXGK1Y+PCo`E2=U@&u6Y>#i)6(FXfS}vKvcE3D zLG;J*je}D_QpjmeZ79R}LH7dWcP~6D7f{t! zr%iEndPA55DOT<2et)I|S3w@?kd>rl_6rC0~Mq z<=kZdlz@&WzJ~_QKycCVysW@AnhbaH-!RUvayE%(Z{J zaQiR(*-6}@JL%?JZ;QRf?*vJ7Ed_%}4*=*W(`5UeI&7%;ibIoi1J{a1s!458L}FOi zCd|+NLbtVb(%NeDVBv{bE)=a*MIOy+iJh6qS&Yw9bVS8`l`rx07J0nje$L!Je5-_2 zJ8f+>eSkKAyo@@ERViY3@>Erl%tE>!_txn)di)p+0jOMKDWSU>9~yn3J4`kL4_Q1> z-O_NyEW^R4^imBd(rBDNPI+l5Zewf}p5`jB&kmEg2NH4$ZN3Wvxgb%?(PxWp#D+g4 z8J~ade(A@nL4y%?9d13RL)Ls(Q)4lZQg<-!+^IPYwL~v7HmCqfgE{Mp$tK!9-R1~qh8F8fDT?gZ8AIaBG?#q_f?ygt#mpTAZe}KUz>NN-ioYBIZJLzk=w ztIl6f3+)4>F+TTFsrTcqnK?sye0FRP2Z2t@@61B)K@v^_+=6A0vrK}wlak!cIZ|wn z^<2oqAA-1pKhZ-gSk_Tci`o0jtCen$^k3h%jd)_dN9x$t@C(VrWLZ&a$&H^e#&N!n?HYDwr-JK1l;K;; z4k5F}poOgyBAKZNAsZylB**&dfv)_A@2m24fC5$EfEnFfKV-et9<<9w=KwAtJIN5k znrH75L6p>B6Ijv|D#eaOn2^7@FY>DEo)0`Kctsjin&Y4s$!Du^NX|0+n9>SMl519W zAB1txbA;958^)+jGLD=vEb}$+JkMwT(y?EV?L@b6r0)v#t@l$=5LaE@li*<04}OWc zQR>WewY>auo!$^ZN7_O?%VJ}gPW%R#hM!wG1pwq_8m;8l1?(rsFFl_kLK@n-O5h;m z>qezdkR4Uj^xIMYWwqW0?6%r#$=o{5azfIxnEWcPIE2BZfsOJn}#C6W=-Um4E ze2_|#$x-LW4SeJ(NUUve5Q&`~*wagfD8BwFI@ATtmpUT9*@t&Lz@vF1GFpQKGo#wl*l9AbVpv?0Z<$wiEYWPbi)*7iFd_rm^6 zseyEPOc7;3pGZB zOI?}yamMP)F>axQe`Ns_;O;ci(2UOp6JM=3UJoDjie!l7BI=6r1L_mYxW4rQ%nkRh z=I$3;i;^J2v&qfjo5+$DqnWUmaNpo9kV7St(w13$8_v0Aqli&)OEh(dCas9@3MecX)$zihE z)DN>h#vw46DGK%hw=bUx+Gb;AWf)IYI}`soRyeQNA>P*Ta8=toOvSzpU%L}~3Xajax z6I4>UAReo)@T9yM#93iS(R4|^OP=cQB78MG5q%)}hg~QSN~zb#X}O)+!U6|>ABgT~ zGQFad(##H#HT7hJcIS(d4?D^$?xtHQ+lzY`jqkt{mCK1KQFIOGbS=-_Jf}pL582h|h-1@m6yq_bc4!4E}AOai#-Qr(YN z9Qh!YeyU+^)wf^h(M=mby6~Y{9`7{)t18s-g^pdK*T-2NN$jm?NGE=U7Gu77^8Tqk zwB<&Py7vS|(n@;__5LIQ_tPWI%f!!RM5>^ONh=_-?;QZSW`CNc zrH*3Lmhrghs!cao?_Gn@sXf%(K+m~qLEOo>OQ|_jR12|Q#?80%qj zlCP|2H2OGkHm=OMCKA(K5U`>e_ZG_}R_51t+^kbvO!t!8NfXpu4Cg_8@0WNBu_r@L zt>-PPHw}n7QU02}dPO+dZZy!kzBZci-q)y;XekVx{mOoILz56iwU=vhYl2^_k_YOB zP(d&1$%Ec)5rE`qX+W2rpIHfdRrWPDyqq=R&5v#+K=R&x;b!uC>G_cj0Zof1G@26~ub@F69 zPIEC&`ns`a&s$7aLAUVa^A=?mMv}TuGyyHY)6{aS)0pU+cYc_I`_`4D5Im|TvH=}z zC%G89vJxTFF@;?UVyb4 zN+)m{!u5^l@We`l!fAGcK(GRwB_NSQaV+EEHS$YajUAr2x!UQm{j8htfixI0yP(K6 z<+0(Ym=3$%dM+u(E*y>xlAM}%(_Bb|v)Fk)toqhf!5>{Ha@>+{WCkeyizxy6f5+9S zCbA}IP7camK@8VwvJ&<1#Z$OGH>-WM7bXY^*Y_R&TT{MK4*fi%RpU=z6jXPwsWFX& zHrCcdk5-bE5`M;n4gCI&20QmmnKpb#e61U6~}yw2m5zF`Z41s9eye$J(bsSIyj zKv`K&eyBnJ`b>*3V}x1%ZjtMT@lwW}7b)C-odw%mAN6=zLv7bMcjNw6e8ABdkSbGq zyezgB>1P|S0Vsx5UI0Fulo)mEyE`s;@H=b(Aawex23$*Y9@OPlQV>V*pZ~{72OKzI zhar24+77iKxz{g@#N9M3NYY$;&&wALXRix=`%sU;7f*-1BHs4A`!@8-x`VeNz$wichEtgj=5nNjm+^gB zVUiDnLsL`o^4|g`WI5S;!^rcOJnc8S$yC?u!-ll&FKk%}XFhC0`ZV38w`zy*Rjx{&j+6hMZCp$@VQwm-iXO zO3&I9)?AaT&SFf*w4s7FKx$vK@!`%8DMm_Is$%kYn)A1y2Lz$R9LIi-_8?34Va?R| zr!s}~kxPf9UXqf3nlh$ZCH8nCZ4A(QU-X(M`|B%u%|vLFKY38IJYjbkyrP6$LIPwl zAd9AiASlRx%SkvQv8a`BgnodAo|_wTZf-WhS(B5 z#aMY`R;2PCv4F>hb7&28WMC+~M7%fo!V+iDyoAfEHU_p$dYu>!u_aPi8suF!WqkZ1h5oHkk{S zN`s{JbN$i1orQ_CBch!#(P>j!B$HgarJpE}Y~zbgJu)s3Q!)&ZigtGxp89(f&DW`% z^MB7kOrh%F`8;3gtkOu`g@%?Z3@+n(JXcF-I=`o_-zv*6}*$P9!ELVOZ#0dW=@m=!IZjM`gRghwT$SLEUCA$ zFMvu`bj7gURBcnB`99ya(+%rTZdmsu@7^lXZM;`@p(l&L@xU6a2vo=4EgWb_Ta4>5 z7TMHCXViZB1*H1qD zGscAfZ6N6L^5dloJu#f$*q$BOtphtu9!Jyv6cS;Nk9}cBS+D&Bwyy&Aun;<@G@5QB z6xl_`Z#M>kfFl55?~B&W@%M8CK07Ho_1q=>e4Ub$W&q>jQVU=app3qOv|{o4_N(TX znm=Y;#GkE($v*W|SBsKO+uVy1V#Pm3W z<+#a3K-vaids7225XU#oqvcMCUhN=4$1MUOhY%mJl&3Yv5WX^b0adm*T#}AdQ?{dZ zZ+VREU}O9Zw0G~6NM~ep#M1s0?gZ)2%nJ(H>+AA9{@5OIOw!VNynVyHN}&0jC16^w zB&J=u?O`O*c2D(c`IWsT|2RWIz~jA{CgQ@$jLNyvRq(kDZ*ac%;5l~vY>oh|B>Wyx zox>|q@KjQh|N3@K^W1$J3D<^WOes(8gLNGAo%fx!-G!tOVvp#k6hp!PV_M%=2(-HzG5l1cd&aT=Rz5+k%G@0uN zlOeg318F$DhN6?Fx^vdO0aH2NynYsZ0h44iS9KID-+%0`?&*PcjdkpLJv1tih{e z!BVDHXFd)6m??1eNwA*4a0|?YmUEfB;`@kGU@%kp!Ugc01%$n~sf7f`WgwtCd4~%7tiU`DbSj(jOK{APMJsxV6n6CX)8<+t) zX2ujUsT-%sylId~R4q`=k-gQj{TzmZeGSLGmyVti`KZm6SfSSF*3xZMo9fjhQ>y;g zB!tdy6zAWx(X;%+3t>R?Fr#TwbYf29W0z^rMGJi6VFN)!I#@QbSzhKgTq_<_8yURJ z(GJ7+svC|iAz469Qv6|&B)06SWdS6ItFj)cVWlN`+jam+Q-WU#Y`2tR>U zv*7yV$IM6uow`W>qzddX*;yLBn-q+a-zF3|J$yqWI!W__p z#*xqUB_LT`uxY^j9c(YeSHY-!q5^U?*;>5l!F1StTFpwYnswC<+4V?q7VZ{R;oF5oA~#o2XTMm>wpHT6h`_`R^p%K3lk}pX`9; zVmrDElfSYl>e92fvOLCVNqkl&>&5*-Fh$*S^pTM^b|akzw#oIn@H%IZ*GbpjATDx-=b7u#EHnaF`k#Ut_=nR0Fp zyn_UhVYpJQko`vW5J4o9tm)&0TI+jCb9n=d;={1J#T;^rpCR+rw^T1_m44rmCvrm> z?!u^d!i~e+0(wz9{OLOkrnE-SO`Yz3MKZYJLUW!C8M?;KYJ^Al?jSLtKvPvhK;*KDA{giF6%8kL`f=){)Dk} z1;9QM0uTe2`ZXRP?bA{cte#K{%VX_P#0E{;!SqW;xL(*(6lRrZ!QYzF$vm|d_4X0b zu*Bi=2@0jb>xKKkIG*b23?d37u+c3+*{uS?C9VN1&f&4dd(Dr&y}MBYE&ADm&=#{F z3kQibRjRg!`*?3ZLo8Ei%8kr3r^@=aGkGzZKOvOnal1-)yTqp*&D6vY8T!p#F7T$y+BqYk6OE>cvr|rXWd9 zHLM1d7l%|8RI>YQtflXHbLvwbC>J%EBR*2{O!Sj8L#fq%9OfE6@nKR2)dY>Z_w8s& z>~_+aDm-_780#($6;%N(yi*wK#m>N^OV-Fpea0EIJl7WEdM2T&nh;=mUG_J})%z7j zg0?*=GCqmKIhxdIVzBN}TWYgkqX2Sl3ojj9_hhJmb!L1Y#8VG|&bam@t1gx5!D0O* z_)G5v!Poc|(Dk_`?IZcGe2H3E+>Lk8h^EG)ZFl*bB#mz!{B*;1DD`!h1&2Xh%g&b_|J5MIVIwOT@9Abb!iQe)L%-%NMXUH-;(@<1K*hA#8WI+m>@iyS9 zCqrx4&NcMdH<>@0`smYC2oz4NcamQ#rzVoE)#rFx8#2OevAiFbj&00WS&QtgK;mJj zc$7`w`pt)*UYdBrY^DGr&YN6}v^K;CVqn!RCP0j^JeTF=O4w9LeeXRedb``t_79^h zpL#_m$>lko+E!u`)Ui9Kh5)v{2gwr|7qZ@#Eg>E7581Mpoauc)N;d+gc1mGuMGceq zaxe$frBrBbJ|Z(uk~$=+CS`>Kt`vTf#NSL}m_idNk~-EXZe1jCBOk`Z=Uq5N)R_4Y zZO5u}7V7dmv^3(bBowVQhU>sfWOp!~le$e@WtTJ$ED+*gBr4j;1zH=tq& zwNNGEq1k0D2Lf}Fq&XK0|3f+2Es9G3M8M$n8=JW*X)G`V^>A6(uNwm6^>ZESQ_PfD z_8RW5VqxAx)z@Kg0t?G(e9?$(#yOxrumj|j&GCf?AnqMTCegb_eO!o?j-%)UpWHT# zK!yQHoiFFmyuq+av-C2jT?4ORyt}o0!9&Fuy&1hf&3L#vVbC5cYf+}xjMuEOa4E8I z_S(esB~3dOG7Bd$25Eno_9^a<@Y$k5IVm8TH!h1V|HL7X_v9KhXCvknI^?HVV!BlGucj z?lsOumP5oIL_`Cst)XgwD2{kyWoly3OTb#X>Yljjrzn$J*cYUXy@Go2{T)=h+D2d| z>zGk{BY;iES5ubLg1Jj!Q(Mh6T$M2^?}8Yfy<|Ja`(Om3?2wwnJ@*rKpp-x=gC1Gj5A$fK1gMhaF$vxdF_*$@d+gzZvROW&CqIzsB(3 ziA$(6;8nzM2C$9VGK%xa;)nGv{(W@>*_~Bm?Snb(C4W5Ib5-UiDCU8(UBHH%jjvJVd*uq36O=ny`Kl%n4h6T{X&B%2IU$dO_=2RFf2KwI^ z8R@}ifKsJBG0ZD(-jfl%(d$pZBe_L&nM>ciKhtOrL#EQhUFGbwP1q|s;?hiZy&97U z8Xdua$ALq1B%F&izsnSWnpei7&OpdXK0Jq+nAF|G!Xvi>bO@IZH4mj$_kZ8| zgGl1~HCNfF#1enB**Ih?(a_>c^5i z*Y4Fp7NM^sY9^TcCj?X0*S$?Kqo*P1X1l5+^RfXMhijWjId}j5SPON(c75G6fIh`U zVqZR3_VlL2PH{2R+3!yKz_cpON9HwU!0vt(uV`Kg2@6NL&S^cu@U z=XeUo!O6ybmDkQ#%yt*O2h3${xZ*`c`LW$#4n4Ufx7pZgL$}c_y!YW4iNh|i+)3~o zYmEFBN}>DHvzZkCQ}Fr!JAEb?>h>yoBOz_j(Ezcolmdvq^7*fabu$r)5zaSA?y-G( z0<33A>Rl4lp7B9mbMyUZhwKN>6Ixlrc^Bb-W=!Jy<+?6{3p!)@+Y-z0{E+lzTmhmLQs75H zW*gUfRXns14>hnHKGNeF{@unQ*kuPpf`AIfwsdFU&QBm=om1Taoc_iHN*yeNN|U@p z!$Hdci0u+CgX$g_{>L%j>fP2($>V_ybL9};GzQ}Px%e}Z&PiezV3Dtv+gvej_>?Tx zYx96HvB>v=e#PVWox^F4TH(nJ(@SrGEgMEw!#h3yJ^o{*Wc8y1#$jUnO9*bbJ9>fN zbICzM?Ajjsv2nRQaw0fMj23F{Zh0WivjilTl;i>y@!gN#Iqx}pU+?+x?SucmKVG`GPS%=pK6i|J zjB(e^9l=iC9+-N7;xEv$?wUl|Njs=l7Z52>Gi&A;efC=|dR}DsXdr&x=f@Vs+~lO1 z7#**vfxgFrKX6-`ftnY-$_MnQ<_LbP?;C8EKLt4M>9OPr&fE*L4? zF#=NmMH0`%3s4JZAcnc-r)${o>LcR}oDlgPvC&uRpo9up+@xXG_^KlSLNloA9F}k% zR6oKx;t5yq{Scc5%Rj&}2z)u8Wp8Vc=;Eg+1*T_^i|4K2$0p5Z$-TMQe2G5$xI<&& zmzYKRWOpGUPp@yO?nt1s3ImVg$r7ksI9)E%|CUTpo(>2C8Y-XjJWjj>SlhGkUsJlG%Yu!v3G7kmw(~}2xpz|KuisQorTgSO2s+)U9XS%PU zDSn3toY01m?w~Me3Io5#;Jm`sVW+G8l5Jm%1!Od9&liEusMKI19W|a&=>^m7>$n<; z;Zc4o`Mn|S^(7O9YAWL8Gqy&a4@{I4MduUrr5H%49DwG%h~R=xp19LyTCFm2{q~EFqO8JgR&@>H>`Qr zfB2t2RWTRXcN~_7pZzA|1X^eX#-)}8br(r@IS2eDB{1Vj7RR?k8lU{U+|b>WBf5I`|QYfHRNeeFo6G`IY3+m zuu}0O62PwSabx~LLprss(zYe@KWjsLy>!P zg@`b_UH+}k%mc7kepq`f&;{6+B~;saFdG=J>umIq3?gxw=^d#)eNH~&+k`NTy)t0a zols2pfnA42|Lvw3v{3hg$(l$pRCKj5-#`g+wBMd1PBB;EHFs5#Vr-1<9)6164&wd- zD+}n;upJ74OaF5Nf58Xy(K-IfTvFd>P!w~e1-d~ag!N}YJoDOG=^2cQDW>>T0Be^> z5I4`M_s(NYK=gCPj_muDFP6bP^{1`};ykRI&-Ub%;~$ND`2}D6Uje|UT$LF+>~=?o z=2u!Uptz(-2|{=_t>s;Inf~kD>9qjIrvZx!EzX1g`j)@qcg$?adq*k|^NXXndj?q5 zxX-FL`0qCL@z2?U)JO^>v+1U7G{53*{VPWpWKlE6*<@{*7jy42Ncoq~?URn&o~SuC zez7^yOg_8_v-$cQG>?8=vO`yXK@A>oIq_2ZzxckDtHFyGZtovrxg_36c) zH)$?%zbsnL7@~k|s4p1)ivtST8E zkROqa0I?x*p#n~b-2k6?XEyM(NeHWcUjR+Bg4sG~eJeDIqCIj7BC~mMc%a7}qxWTSmqdc-s`7rAKUGLcVu9v2>D%`aNH8BO zYK7+a>aXb8k--Ql51vb;uVjt!rx&L<51KjAxVeYM#=U_dhD(8(PkIczLc6&Y2 zd4yDrMR)r%=$}F7@l1;y+#;Wfr43kQH4$KK-vAI$ zboJl#WM~UG4Wivmu%5jD9w#t5Ytumrs0NdcUd%`x3^v|ut1M2o%x_l{Jaw_9&%R;6 z4iOEE?b}UWvPgLphQy+m6?VUY!gX2>j8|Yqih(l|gUeSR)_Q4YFW{4`0xP7X0<2uL z$LgMETz>eQ8b~Zndn~OQuJxo69AN9GT8`08i+?z<^hGE>1b>^+Ozl|A)cP8Hm!YJ& zrz-e)&~2Lo&oURJCWAl$wgNI#A-I|+(~kv@N#rik6Fz8eA+w%xK;R2t3whyTUh~dR zV$<;1AO$Tg6z_@`K&^+W^qCZMBzWLcd_K+u+S4M|tq0#4~kQ`pQ zAI|eKoBedNtv@bbzWxXPK};?>kdsnY!a;NP85N+>SIsza;ePj}Eil{fo9W9P%7xX| z@*+UvxpYvSNw)*wa7$2h&GmI^y_XoWurmhKFSC!S1>ctc-qcF%$g ztOds~WF%_IemjGQ(d)%=w+xF8x3}>tmn}-0Cqb=k+mnV@06B85%UOr(f4_zKUpu5; z8seO=dwE<>Y@d@dXDgDO{~<56*MuxYR*mXKBKVzvj(6+KbfG{VaEuzdfewhAj4tW~ z{j@1LB?5`&(v0#|*brz5Y5;32__OG~Xa_Lg3b8RBZIfw63fjfzLvdFl&UgNq8Ei>) z0&aK-*p(=d4YzMXS!+*mn7T*Nimc~5?06@y3|MU|76p*c35XomoD<74n6r_%wl0X_ zq{xIXIcGMEDLY9jYMs{J+4bj{Rn5WXS7Jx~z9PGKM>B9(=QiTo z@rTof=i@6?4*H)tGpBTHfcL}vjXhH_m7j!R7?>h+5n~$+K$=;FqZUy;k)stPvF(CL z(AC^SOxujE0L^815>^io^54c4z#wh_EGEM4#L`_{Qjd)it*49ax_GaVwsa!G;%?8M zT})aax6XhN=jQrBhne0sYgj{J0px&3vNHpPS%(-!!OL(+2qC%v%ezbe#sEK#WEO?=_!Y*oRxfR1A@8%paUd`R~p63bLmdGh_stnU?C zHsu9|zOB}8osLC(^HWbi3e3GL< z*Yx3(Ht5I2(eRtoLw>JY+fi%8MC^i4$RDLR2G4T8$oKc}W?&o|s4!MQebfb)7=HH9 zr1Clc&p46dsdyk>S$q!geFMR`q2l6|e|iC&IN6-cBODHU$T~7XRBEK0U>OU0?7-bYX8qK~Vs)wmq!cvjeugcp0sXuZO(aF}(5sckneV+zpa1wWhk<{f^m}^ZC0Pmt{ zd^@+O#2nMk+GE}OpU-d}Y%E-Ffh7(DKqPww{vMu>51pKdDTM&uf8_a=${vjzTk%7! zc<({G`ZvvDX;M{@bZIXtjHK`;5O`;Soh8?OM*SatBIgcGc2s?fwe=Z1`U2(PX!jOn)O43-@8Vx)2cD}!ivo!jm} z?aXo1_lv#Ug}TBZWX3xn%OjpYyO9m$R;~pdv8taBT5g* zdtJHxeYY;MVHDRks*~P4#}i;y%xZEHoK?iNvgXT{6ljV{tOocc*w+qLJT`i}a-P1K z#vx(XYir4Cags)n@=!1s#8Tbb6G0RSdvJ`<7D{L_&OdxeRPS+{RJBBE!~^7;gCmRX8ZbRf=e1B{F+s z^jf=v6|0$qB+QftQL&E1VRo>%gQU>^Y8EGEZPbtX{2`^v!Pd7|A1;vHC<8mpbP!Qw zS^;(Zrx**Wf}sM;J94hF*8V~pre{ypJWNBcEK+Tt6zUxH!&Mwu=uY2LlKYVilp)4J z+s7TeJCJcEdHX<_YcA`Q1#E-0#sf26=gI3#tiG&ERCW61mKv;Hw}8qeTYE$c@%lzo zFt@AhfLmJzK6oD?*6Gr;Ccnrtx@_j9lhY#Zx$!$O%XcsJ2SaG)OqS{~`t;mjZu~+? zmZIpwwP|P+xTC9czzitIK%1ImigjihwsRtTt;n*ia*klc1ciDQzu$aM*BB~yIdXmPcQ}kO)xLZmmX6)8dbu%7^;=RrVHD`r zPJ2T!-uGh3+946O42sRy)Gg~od#?6bzyIDAPw2#^L7Cv}V-8E33Q<)BH;%%ghYr?G z?q>t`XKRv-wM6}aSLgajAIm^T+VOMH4=bZVa>MzfYX$AQb;3HkL=3ul{j`}WZQs-q zSg|zS+JL3ca&N;%Omy!gKvhB>D|2NF7{25MD;^eB>kIWvvxrz3vv=qu8E==fN9*PN zBwN5TV~!5Mm^3ASl^E(M!Fsf_U?4%r`@`E<`1G@S=5o@8F0 ze7mAFT@I^|WlQF%Zlv<5wOH!3MKE%ZDJT8~O#koyNC8U`^rOhEpn_;QpyP&1mF!>MT8n3{ zJf_uq}pDCH`HSLOR!Yk$Ej&e}~< zGbXsp;vXFmr3dC}7ziSsOavaGMuL+LvZK$$1tPAWvYU+c#>BRh?D%gjEeahz9Fc$) zFP#K$4f0#dy2}i#KU(+SH?JT%Q3L)_OeA+MJZK5OQ}d{puij=_`OZ5sgU+qw`1z|o z?mrzzKX1DNO>NNaE1u2h)}0sIWsVhW2KRvkj*%@8rw&UtTz8yAnt>``GLdC`Y*311 zM`O1R7|qo~PWx>#o{yJ)Ety$<$dIgCS!nFpB{)8y)aZvLN;;9uDVl>$UNjL~f&)>e+jD>H1Y;=rB3cR}kkzeuI%ZA!SKXHE$d2yvjMx3zTIh z(bb6m-zNHht!e)b^zY-T_;u%xr>o@_lL4ryla#z{BfdNh6u$x_;UTD?CFi~rT>ezX zXL_&ib%zw^=p!kfpcwmEhBwLvO8w6z6K({=t!_-Q74m-z4p@0h5cM1`-x!v)BIA=o zwihpQY@b9Cy@zF}nSOVmkyq^1gG88}!CeS1>2Cv=_@&!ZVO(%CQnKp2E|g^eRrbJS zd=OckQfm|!nXz)Kjo6Bi@SUVBBP!JrDJ3GkCQ{yFH@1IMD#TnkV0?^4{lU9pqT& z?;7w|mQDqG#myBu1P~1&=C(sQFyJrxEt#1>kNR+rq7|EM>;73Ykt`XITU`_t5LOH4 z)Rkkzr0bRUs}GrgNcX`0n>lZ}+aZCSo8h<}e~rQ@nc*bAWj2V4h&}I5uRqNUT?}L! zvAsGQoGH@Av#6qBl6U^2!u(-3O^#WTl;1{RmV8zcq{SAS3EGWUigw>j6_0+ju# zp@9)wamP*}LcC--q%2X=$)(v1*ji|Ng?kc&kBr07$&UVW>t7|_ltFqq0HsV(_Yo3O zh!#A8;UG8Se_yYxR_j(5R3||5KE4erXk)TlY{0i#q~iexRz3D#z7r7?dy=zD z9ApHU=a5qd>1;sIk^OV5q+FJnm=Z>RikWnHxJc8S`ISaPJCj8>G@GqXL#6*NLEeJ$AT&(j}=!?T?BtaohmMwSyCSy3ntQ7 zC8#TD51$5i=_Kx4;K`CKvGTHK1y<9%3Qdxa{H+x1J*MMgKjrD#M#ZK04K8-$=L0BbnN9H*(z2j?{y+mU6I18I(V)U?h}@3Y4i^! zbqYIy?qdJINI)~sCZkez$`yfE)a4z!FWF2ueTz9-VHq_?u*bmv6G}02O4Jk%jXd>5 zaJmL&fiLg4^3%-Vfzmx`@dWUoc1mIv_k?HN)tR}d{%8re1~i`T>$j-V!!OLd2aJRN z{JY-@*n$aaf)+wq;jN2taIpxztI*7sUJbEoK^4iVZFUgZSH5OR-R zluprBWElEi?e-|$5d}rmjNdT@ZYJ7-drfo|Y~v<^>}jCaWgP<8W!4w(!5x*k)v2s_ zXd*nZI$Nb#3_nO*itKZ?sA!WVbBv_kszK2u0EQ7tAlp;^Is~C@F#Eu-m z(nuPHw%Ku+$US9zCS0X_1F;V>d}*73eiNvQ+|( z9r%Y_$gad|2Dr1a-JWw`_l)f1|HnGw4fh)UP{#Ua-|bETwGelR?(g+cK(1 zLJXn-2VJEhZ?aF%v;*HwYXUl^#Lyf+ofVS?P`LH3iPUd7_SDBv`E2 z-q1B1EJ=t%TRMJUHr{;)2_vF~r#C;lbs&%4nOY*UjoW+L5$FW<-)igCBboruSuTG2 zJW?B-X4UT(HgkCLbQAA99}Ymt};6O(P!G+%cw$U-~4o4mv!;hv`Zrqh{Mi zBc3CMif=B~GP=+3MDkgvQRvYO$6AYl0fYeO-!*`+$G@+b??Qg?_~er68DXaxQ% zwJ(*KXublqfgDz!S5RTeC^3XfU)&fEQY&09^1NmrV3*g4`mSM!?T<1(GcvlDVlMH|~*HnolP#k2eNhYjA?xzIb+(?9q z=VjPOdH*W2=Sy!Rgo<0JrNdLFikHrGIkM{TW%^;+giT2PNV-6Fi$kx><;QkMd1w#V zzUUnaC+93;E_-7pRuZ$Z7ni<;;fnnys$IEbGTA(~88Nrx6Ptd6{blbNR!Wf%^X{|x zR8qLq0<8h1e3jd(GAU=?XRPLLh7@dMp#E}=10cz;n>Xyf%!E2gxA^Fmd4+g zPMjTcWemnmqFs{ssLAq4=^a-}X2}P8_7V}3QvA)|+!EpNKLi)R_!3EMF9heRUgz!u zy+=zrk_gcp1sKQbc5IuBpN7;8{Y^L+4Vo1F;S9|*7G|>9DmoG{)>(U#)X3MP(~*~7 zFcPY+cT?N)gH*rKEBSV?s<`E6kiWW-v^4>m+9df7dZZYMP?` zER-~6wK&qpjk3f-VX{IV9KKar7dZU;yGp!5Rn=~S8?$7;S#or$(^Kx!R|>+c86WEC z%)mfG-mpF>V~WN?7-D3Hk}O9kC*;Y9c{M-p{G@BIH8LbiHaC(C`FMH1C7W-D?b|SS zO0{DlVjak3hrf4;*Ta2wtXnP#RNEOiwYKD80=l#Elya^h&FnrnseSk9nF|xGgO>rn zj1Y;AX4^lFWW^k-SzT`vZN{&VbEw#vWjL3q(cTq`<9ep0%#y&*m5*6iUw7NAt9WX~ zDqoSjt^oP+G?F4_M|pz-=+E zhf>)2JB&DWc^6+`NDTrd-&db9|U@SE^oT zFYRSntfJoLeNSpg%>*>! zDrwqn!(cTS&lu|AMg6>qJ{wP;88Qdo%x>*Rn1Q(@2D@5SERi{TXs@FNQErc%xo4LJ=MW1sf6ER;X7E$J>};%Nm) zi>)rriQ;m+s~H{Do5I2g0gPgk|C2E60=($OT^66_b+_?peAsG$hE-?q-H$fL@sTgF zN%Qj%8($`wWYs!LpZe<~{JXD0tJ>bZo>tTjVta|AWeh+dbCdGf@hT%QL{~j78pibl znoBRej0PK_1g_sUFV?J&Zc|36aZAq6E+JLr2 zi?5K>&mtux_NoQZ21^uo^#q8;o?1?20UC#U|1QWJ$FJIggy>xTr=zmXo_;O%-W+4n zwD%J(Q2AnEmSU5!1o6)xz*)k3Cl*vY4&V=xjPT*-CoY{WwS+AntlMCLUQTuD?zw0O zB_18(r$e?ihg7c?Faib^uP+-4)*R5O{EHz3`M2idM`b_MIAKXptrM;pgR*Gkg^rj7`G6E=bQ1wYFcWJ+7TT>fqtb-)rzN zfPeqrkEVZl*8SRX7Vg-}HMrpGK4PZw!Fy+ZhkE5cg=U*ZqSE2qz{yqkK596=d>oYK zT$YOl6)7en(i!g{>b~zZ+x2$h3F{S;qDed}a8=KEmmr6DdRUyc(IH>iAIw$WL72YMd`%FNf{o27p+ z32b?SW-UO>^{dbRq^HNu@z0LF{;!hczdhDU2XfM>Nb8F<6wIxCB>Y1T9RXiIX#70y zsU%`uH7r*)gs+&<4Lg9DQcqMjG>~Cla9)y;^C=EIVx;uObOt*zK}5S{bE z?elc)IqrR$K1;0_5^SI{<?U0#&&VFOYS_j})(S0p`$ zVVg(WGW4j)pexJ~wAOM37e%(=b+DV{oozoA6zS&OM=0VuKaO{k#<##*t8SMzQT+}1 zeFk8f7(TkU4Z6F5W|S&CtDxVU726^;=AeSGZ7M>%Rx!wdl!Xr3N)v4W5k!O1%NeG8 zDy6F3#|i6y$a1na&*yb0q=2%%*3Mn6Ti1E$?wYcK(3#o_f&4EY>KU~?vRLw#10xJG z)=kg-+Y|e5p8OO&QCCNhaD9KeFI?u*@2%zT_&hj*YC44Id5`4LqDzd8!qe$E_+V^d z$L}~&p6$s414ACPE(8ZPGnc|FpgB_IdZG9CbV1MdlI2O3nJYm5%6@l4Wo4_(D1{x{ zq-a99K7TJ9cC!$kihCHas=ql(W0qMwaUm!&?V832oNjf8J{S(R1C=3QtnBEL7&v1r z)#P=lX(z(ZkPyM(k|G0E0o3{MKAa7l67L24z?6N|fDq#DrLnmUZwq9tY4B%NQPVUI zjpy?{!UUghv`FVEMKu^$Cz@(`u7D8xZXkzRp42#ul&;s>(Ib0sv)m?r*##YKZ6wFc z149CZj;+LSJsAjOx^0Ya1I8a@jb00taj}NKSNrC4kYN1xC=`tXY_9kTAWXd0F(YFc z2nADgnH=S5Qj@s%4tbt~5h*=}JM3jYs;LV%Ds~7J0b_zsT8m>hzn#;J(_S}{Z8=56 z1b9K;;+d4UZ%=Kl7FNh32lKY=CL6EZ_boThTsdp#CExJr<>`)KujO~~t}tc9oy4w5 z+YR>1lzAi4Q=1rO9?qVVU6lG=D}Z;sYxSNyXyi)WoDisBwWh90T$q<<+@lp`nyv%i z9S5W1^ARjJ)ORge-#X$mw?g}o79#(YB@yK(XL#w28a6h1Dq@an8og{T_?SBV^i~o? zg=A7};Ma1}I|HWgp66tjzz8oHXmNsD0Q|6KN z@!rmzDuq`q3Em8@pEYkOg(!yI|7S2S;F z_UZ%ZU)xGa8@8W-N=a6tnb9{=Pg`?btWkSGC*kEm76}#(9|U8M9NmIXG}y@DyObJA z`W%b{L~=ij_CbIM{8=he#)XH!o?Z?iO>D%zqc!oTR=YvjS=cVamI#A>qr*VuyIbpV z`YVs`kEFton%_^`a{FS#w9Hf3H*LUQs6#}jX`8`}sVB+^cTH?nkvL7-^e!WvE1-o* zz#tKxMe)UXewelT>}kJTdiDs#5%>fR7!o_rp3JV?G()D3rS$Xn%4oa^1K0rfT0sbc z_ctIL#vBo8ZE#UChtGOK=9u_Inl)FC$_8ByI*A2s3EF`^FcxV1z;F zI2&pChySymJ=Obr>nC&Jwwe&`O3w+L?ny8Cp2|9L0{ig%LbS)Xm)F~2TK2~Vem<7O zLwe5`6#M!InYI@gRQ`6`_t*H?c@>5WU~?_v&^u|EDwO$ zc?Wp-MI*cZ`#tQ}ru}L3K2>M37-iG*zIKiRNoLN2RA7uv$Y*SzLmmw_B{3|t>@sVR zZtn19J(t9YhFF2)8V;Pv8aAZ4M~KMTZ!MJ=hwJjAeGF#672({t#;l)z3zJdMe?eQe z?E`fvX-wdYY|<-@4Pey}uAa6neM65?19>`Idbw)c(V?hvTjZ zPIuE2HYuTdf{PR7x>?RtvLF=hZ!~k7jADcV&5n`V*^( z^h6YB-g|RK*Re}g^ONx)n+$!ue*RJH3z%4D_op~niGUea?w;n&QrfDR1@#QS9bhy} z@)OigYM=aXuz`PjNh;NqOeBf8-|TIU^HwjXVC!Ah%71 z9x7wv3(JiQR~o^IEhzQvjiFM-ChzCj*%LBCov9wWI>&rGn*0ZAb5WC>W0D6-PL*jl3?=Dt@%%5)>b?RnP;EgE zRZmj*Xs7-ZXh>&Z%F3FV;ux!e1>0wWY!lKamH9>EWA?;0bqig zyh+koAOaImTDeK$phb#O5v9;p)Qw_1SMi%?<}F@3L= z$bSBEgXetRH(ErOj|i0e|6$2uG|9j&U6Geb+joFGRX@bh5>lqoJINzR7&VSp=8xDnhp# z#@OwU0??w9&~0e$k|F({o8Af3-(=YWyufC)pNn8*(Ia?z$pd&(xy<>bRlps)`yFf_ zwH(@{a^v#Ch(6x?=9Qm$Lg>Dc8w#0#l7)|AV7#Gt(kkz^7I2yaWk*jyCVPdVu;yzu zzq&56Fj(+#A4;^+c3@q^BH9+!oqLqc0>Ck&8Ou+EnO2O(i7SMy+uYNkHCmx`0hLMfgA-I{CbV& zh=%*MM$4Z#&w_))r{U-Dz}aiJ`vf6(St5K=j-SDv^r(63%XAU966s@`buf$+hDXB zg;?E|C6uksC_5gJ*yJXE7C7Gk&34G_n2Y-9B0K2@V5LSQWN&m4idQywCYG{A_?L~V zIvzEPo(%3;F=w{9D&dYq#DLMmjL6aX@rw=Yugd2~sCO8h{4U<9_M0J4aNeQ1;}3q2 zpSBqSm?ixGn`-^vAy7$KB0vY5N;8z?j$f&KiiBn0I^XmuA(XZvtZvJ-&>%XGt*EDwS^1YtA6<;*E z6(El47=U|lV_NMzAT#|VHR}PNQ~xeF^sgWCmk*n#8Rs5(og3X&VV_DUXCgVF@a6>z zw!BUy*+l59c@NQY#~n*=Ji2Se#6Q1;78`S1R=&~(C39;ENr?mQ4=2dC3gyy)r~l)} z{pUaZfBY<_dT|y@$q$>mK0LDgC?RUG!`yY}~Ar9WLq_&Ho%Vd*@F-=F^TpKjlO@e=p5KuF+l%Y>7< z``7nTI1N|t5S1a{wLbpeKc-IsDe06&V2s7CO>_SJnZ+~So|r- z`831Tv+Tvy(^&pJkL}i7^1)G2vyS zj;Fvq^lOs2J()w+WX@Tyuy%>%~`bLWp;hbTCCRtY3c@J=ZB-Vl?B({M zKAkZ=GWfh0G9s{rS8%uu#%-@v?E zfytwFZN!=#W|t-r#$lQ{c4(m_;wKo-f~HG$_2ifUuUBs=;5{YIS(_#}IJWXYlWp8+ zf(NV_D~QHR?O-(irirz>^R75(V4F5VcP2qqDU0yb0Bo5D3`lSQihVge7C}lA`SPd* zJ)pXDJa@0riMcsM0AUDC3SO@BnjCw?^Y}ar*W4q3FJ?Y0-hHCwcgwq5x9<-KhKGZZ zVSmY-bCT1_{ZF*t}1NE9Q+`Cf46 z&%tvJ_rR|3WSChM^><#vx=fCVHOj&uB5*A8`Oe5u?@LOfC&WNlhJ%@dEEs{@fTJS| z5W4*?(iG)=ZPC0r0OtML-%I$~Vj=HgJuASu?4FH(Rc0%Wl6a8pwKMk-KtxrJcvSX-f+~@_xl=s-wW^1Jl<6k?9_Mf{zlWO zS4xHV?%PP0^`2pHyAr&-ywvfCXvMnGw$GyHrdb7(oVC+4^9JGdvN@b@ns{u_TY{X- z$t;mGTcc}?xThw`?m|e(+&||<1T-8lgXhoYTl|FqviYaw!ip^pivV%N&TU8z z+(6VKHEpZ>(KT3<`=z?JS#+t<0irnd?CqzO6~M^7WIv!moXL}T2TaC!Hh+|1TyMCFty;esZXhCJH`8}Jk%sGZ?&UNjMUCoXv;+4+8obnls z9@?TMg@+*kFL_{KUF_D32@X_D>4Mny%YK?M5E0OnKBLbO1YOM&rPX9?oioP>W8oE> zZT|@w^jR_FH&2oMgLhKUq72G?(96^#a1enJcF2-|4L%!;v*Z-DuX?o1B|{>9M7 zLHSanmPxS1$>_cAn#}e6#3bHgy3`W}yvGS5GPL8)Pa6uiPJ1rj>^f!6uMoq#()mu&QC?(bDA!z2e>tEP^SXZMNC8_<=YbSR zwqIqBzUDRiUcV4wk$IC+PmLprE6Ew^&1BN$z{;eg#J6|M<8a;pU+2MOOwDg;e5+wA zp2IiaJe0IHP%#iZwZFmqc-h?+;wFwA~mtYk`9(d9xL47KG zIJX_dw8F8$uXgInfCMRFG%uY2f9YhE0VOx><>2vl2i(<$XWyES zc<{K)d|=xAx}SCRaxt&xz5GTrDRcnBcQSmaOt_2BT;Z+0_ck=Y?mV_oYYU~P2@SR= zuFR(^b&QB)CDBB&(mQ4x3~EbpL?uxL4(5*WwKGm4d}CzQcYnUuyeVx$Q!8-s(zR zQaGu!y^z(iZ+4?;=tTk6Lq^NR=h1Te6en)O+o_>?Wpub_xRb*wXD%dfL0EZTVEop6 zp|kw;ZLjakZg?59$&7Q!m-o@Nr|r!CG3Q-mK{@C=J*3;gNx;kX#ES5&Oi`*U>KD%r zr&PJ8u}hq>%3BQq%A0O`#oT-Z3gai)tM?ocEV*7X&lQ^_r>RY%Wz;az|s<4t|#(U(Ncp%+Eg-l;Zvh?7%mO zcV;Q>`oy4dGT3|5PcjpdMcLBgpl z+#GWJgSIu6jijS!S#BV6_3H-kq={jf%C_i9*=d$**-Bl}1;K_gh!@*|a;7YF!wSY& zO(j{NLg?a5v(WZCh+=i^Yg7QhG}c(lD!)q!IkMot0q=_SO0U;SntmdLmUED5xx3uA zM^3hga@hsDNT8HDvqg)VxO$20m(f9SxhOV~*GEF2%`KQhyC0H(B9ZRm^dSZYtwJId zuvBF7YTVR0+m1ez^l6|i=CzF; zB0*V3flQDOkq23U>Ai<%TT2;<@YA*Dhs!$zD%P9wDv8LA3^##D&dC`p*8FF(bzVv}o0GTwh=^aS2* zK+K1F0hBo0dG0m7{+X97kVD4Bj_3US@2B+V#bPSl?H-cmJ)7?af?x+Q*VG4d>DS&! z#3HJTyW)~$Z8iZ2f3G|h1IQy)`Uxj`#)dc*i#MZ2#hy50K>XUL$G+ce8z^-OkVstv z#6rT|W?mL})GxZO?bdh!KtttYKl;r)DO2%j`_3hj_BJ$R4k##y%njs1M(^>|Wh2@U z-~K&u?2$sWmfu9Q>r4XgPT8S#ij=n>+^RK)I;47>8v0|rFtQu?hq}4h74aPoYMdgo zxp~d0$`6UWG0rlR`du8+4$YJHPhVh`GG}5A_qn$_1f?S&@t%SYXFrWTzRJrP>YCu*qqOPo%GgTdbN^CK(uwE}sKB*d>S>XIM+a~zHFyT0 zCW#<4a&5~h+L|Lg3i@&E;f? zCL-D;X9746Dt-tb^$a>XKlBXDkZA zKMGPd(u_QZ*M6p!^jpKe{io@9j!c0ZfswETU;hSMdiE7eSsuVN_nM`y8X805Pyo@> z{e^Am>~Yv=LSR?n-l*LeWninoj!(ZE)@v!!n|JD1uUo)Fap(XJ-KsM_s1zJXcHM#4 z#YO(3A$a=3_5MYMhRKoeUBWrz0Hm^NF+Qa8{uIMf?iX835%%aqy7nM#1y1X&#n)fr zl1PV63T!VGkgkd>351S#*xfM_*;;&Xle)@lXPznc@$c086t5cx+bCv|PJ$JeefVdy zhkVJ8R-^4*3#s<{{-eD_(2JCye!9?=Y6YS35URJzu0jCoESh&=No(nV{(tfwge z{^B=v4VCfu7@hW`JZ75crSRucTi4p{K`EISZ^ZS=R@e!;BTMZPG<5 zTZ7iAU=ff5D%k*vdRTsJm!lXft|_QDYzMq!*L>>=8eNCmlzGP=*4gF%$RSk}op@~+ zK#)E^08L)Nn42nWMpWkM1Zjr4T@;fg@R(is2%d1Z0>?-ho^cnJc}$96Z|xa*TzWm25jTL{cCrf&*Y_%ZuV{1T3P0?B z91XC=(4O|aRI%{fhN@=VCsOJv+lBG$I-h;}?~ORgR|qT&1w3dg17jYB=WknL_e&P` zFiL=Z0~=HU!ziBwl)nmpU%wTJsW8S*5kN~b9|EOKcbfUq6@B-W3ujyf zoSr$C&M0HN%U5q)Uk_5X-?f_I$2eIYKzZ8|QBn7z6E}$Vb1k~k%0w{`oQ%N@&^nSX zudpZcIWX1bX0;hPu59pQ4a{AJt?*9r^BDcPwvCO;?h5dLc^+S2C>rSGu9{lz@BOl_ zR(|U=3Uc>-^1HRzq_Q>h+d;FH2a98=lTnQwua|Kjd_7exVloSCJg2qIKGYshb8CWR zui3T@V5k~>;mTKp8X&Bbr|}3-P|b)s7GF`4t`5z62}sCM(xRdiNct)h;Ffjw1X45z z123xM+vm_7HR;C?Rs;~w`tvr6U)u0Exa@H~8Uz?j*;TLh>5eLL$`43F#qMYk<9Q~#`kQbKkR3G4yID-Qd3`1ACYS#WSV&|c_;eG)>3|!r&WZt{5}E; z1?LsP$gumQhN4TLl-S0rcYqk8zAz57463E<`JGBq1mIHXc4{j>6@$7Z__(eiDtWHk z>119ze}|Z)PJj6Xu%yi)z~D{kKGE7g-SaUA2ZhXSO1FrXLfq0**X|3m>(8KsRFA|f zdM&;(Z+d=tP*;ig?Zlaw+j`&guYbV?axIC3Wi@c^5=bRkPdPOlqrBc<-Su!~6na0N zmBIR0xoD|xgl8VE=6i-&woXPI8q#*NHI{6Az2kJ#KC~`I`2K8vNt*o4+$Jr;W}Htb z-X&v!@nHqO<92?Q!y|-yWmN(jZ(!!z{v(V!QNgzF@L2B(bLQ>~Y3c2jwpu(l$U~v= z!`ur_sxkyjDZS5GS^?I(C5`4Z@eibr7U8N=(=xT%mVrW=0R99jc}^~IxmjS-XWNb>sg9|ZtD z7gXPgP}s4c1>~noIk#DBok=o(4wB~h(d|o0VX&?`B0O|*4b)XVGwQP+LE@p-HprWo z>v10`z3@ZM`o*kb@V-*luk?>CM5iBjp%n-e`y)IFn_X6(;%;B{#JFN}V=bfpQf7Ur zZj7=Xlc24EUi5@Bh;kHRk8wjkeCLi)4-^m9f~W(Pc8eAo}#Gt!W%%0p6lFXYpBzvykBDip({Fzy!$b4C1 zU!%rKpi7;VYhh$&Y9d~QNIWgnZT4l*4~Db?ajRWut5H{Cg(8n&(wydb zZ1OlZtw&9|q^&Sk%|co+lPp`wtLsx^6ZQ6pFBE;*AV`R=<7Ol)LMm(ff+aGy?U1Lh zRK*Fg*TA_oS#IaoS3f*&ZbjM+ieIfkd~Qq94pZ`p;-sPxnp=HvM?0iwbVHzwQ(CdE zd3;0>X)gLf(An|wI^&zOiZMF**k}A0C>5#03(jg}((l0|6`+oO)h{8bb`Z6RRcg>%$v4DoA@Lqa^K+4!t(oD->rQvrxUKV&W@$ki!jPe3L_p)Ni z>doPWfkfGXZGu3Z>AcBcx3kEE2B+u7GAmO-iC&A?qOo_qR=Fv|ZjJRYw|wUGr-rob za{Jun4^;=wiP(q;lz5%_5JGbGdIQMfY&4Wo8dhZ$#p_$_s|X;cW6LO3EZzyfjfIv= zX%hvOAt3YOKx?Py47CBTG6X4$cJ|!HKZ3+Jrp%g~OlzQAQM1D#O0E`}w>uP>0TyVS z(>bk*cF?wi2uGDir^0KiJt@*UB24H0XI@ZC=6yUWYcyhqIK@&Gn+DB7lZ|O+VEZOj zt~L%&C)F|aYC&O-_*`GE$%kQ=BPCAJn1kQB41;No#T>Y>;!-%B-{>~~5^{+e*RiqP z8V7Z%$JLN5AJQqhXkb&?l$^k)7Nvw$6*w{5M-y>mDss?;ATS)!Z!$u1VY1gq@G+d8 zDJmia{Pe>;FwZoGg~Zg8$8~J00>+vhen8^Q&}fE@;~@~xmFzDY8rD5y-MDTH!or9R zwS&D?hhg1k)Tj-hwX&27Yf$|sL;4ki2HUk(jtk&*2be!3-+!THcmKBwluqiLlo$c1 zSi>SOd|zmcf!Shw25zPHDZk32!wgzF45#eC;nz;fbv!iLRb3pU81ecYUqFN#F$Z+p z^kSTQXPyl`Ojk;@meeyd%C1WQl1%0Ee7v>%;*BzLvk)6zt562ECQOx4m=PF*k|v$h63xh@Ty)XKTqS(;@u!+i?Lk_&Al}=edDMd~e3ZwRP0>(HZT$jkBQ1lx54vQ))6sYg4Hwzl`|nmMUxsjDt@{`joo3%hcP) zUmi20dO_Gp7M0|_vX0yY8nd*=B8kQ}Jk7jhYU3bGJ^P&}ae^skWUF*RHi3M9?=CwvL6oW=gXokMssPbX~_L zz3~$5jwLngcfXPDD_fcCr}8e_T-sAPC1QkoM0M(Cqa|EgSplj*UQlbLHf#bVpdCaj zx1zMYw^jn(Ow!pww}5hHZ98hdtKx&#yFejavhftC#R7h&g9-f_I@|2>oY!j#GZN540-@j7@SwP^M zZmvNEOiQWiSKfb&IUj!iykW7}cjV;Tku-|@QaQihUT@IfRUaPshkT(KWllBjl$Zz4fHi8&L3e3WtMD*_XQwMxFy_VUn6Zu;k2R!In z$CcMRd-v1ddPZX}hz3|NG*ZhO4+W_Wk1k9>*YEuFPC=QTzUN&I;D0Iy?O`ION?(7O zm}(nzL!W&QHJodhACqCr2>C+5A*AGIVd}0{0l0WO__!L%OxV48={f5?;%&$`)lS_F5FiKu1qop`)kK!)J~IeGT)l1o}% zDUX(;XU`_5S#OGZOpRKUCML&B|4}gPBBNz6{D>Eg(=+#%Bt_0g&_xx_96f|{A1LGy zwRv3bo+N*A-5OmbS4Uf+M0pBktDdFLrE+eccLnDqnH z+yNt^Xp#?7%-X~aFD8u#&-B6|dj zku{97=A^)I)9V(vR`hQN z{||fb8P#MPwTX%#VgbcUM?_Q*RHSzi1O*jD=^dmurMG~Hf+9_tNbkM(4vNwVolp~y z5+Fd37CN)@o|&~~zBS*Rb-wZacm7$Qgyeblz4x`RLKA%bNn|h>)K1!W@}Vve0!&Kb z+y4iaxjzPpn(@mZ7PV|4LRPiVE1MC0Txwl6a^=_UER=w?L7KBQ zn3g>yu0npft$Q=?T|wa8F!Dr64v|sN3o_)$JXqD4HEm}J5Fu_k*r|BvyMt!XScNEX zkAjCR-Q}`D*Drx9cVIZ$c8;AXkHb6GK3OP~UHHS8jdJyu`oHC;{P(-FyO2!y)qUNw z`|kOz^8>)OaP#$K3KrP=lgECL6^^b|5?&kX>g9Z4=b7bTQMl9?q*V21&^o}g&oRI) z2B9^I=U!^jfVE(E;W46d9%p3U2q){-GI;*yJ7!6h=7QAs;#%cW*=W%e#U)Ft`?~Mj z0kSnCs#}roP8zt&2?}@J7oxU`^Yv}K>cJ8m zXeSS$AHQk=^6m5&dk$t#BCYUm>nH?70rc;K6EbRCQXOD>Ivd4s4Ox*TSj5E2ROTq|9O3ci=J-JklHY)>-xYS zr;lhn#HZ^xY{Y)>+ogHz5+vc;17Rl}yy}Z8IFD{;eOUeFcIkVtoE-JF%UuGSrcCdh zi4HMa*(wKH%@S!)K#B#G^Tl*d4}Id;a4p9@gq4?45MHfz(2(ITaeBN0*%Zb8Sd(Li zN;PLbXh+f3YO>Q6m;|-qerI&WP|p8;Aucb=Bxp7gni|3EZed$Bv-)Y?VxL|vH(s^c zA$nvma#*Q&v2JbJUd3=r=lu$Jr{?mpjXQt;$*Y%`Ii-wC403Y~03 z@$@_(RgbC72TG(BRdm`mYPb#|E_IdJZ+Tq)P>|P=Lsv5oi^A4(1)OKmB4*m45k8)( zAl|o!_9G3}D<#9+Q0wDUK^S`no;oe%UB=f9B=hiW8V%U>I0H160xTM#jRn39<}`EM zVXK0NlAZrxjA?7GdskYQF~H_esYeEsh5?D_g*vQ8{XRmsZ*aR=kf;r;f=yDN*KwxE zGnyMtM4tyDcwf9yZO+(+yM@Z$$Q`((A4DWa5cQSWj`N_jB!acVzdy1nEye@?N_FXS zz~m*vUwi{{W2}S4aJkFr(a7q(y|xXaO$(VY_=<3^+C9y`ql+4I>tEN}u5w@8D|Zhv z$As7D+SOB6UBZt-dC@K&1>`NBXnR@$wj~OE=}c}lmTGwdwLnRFaY$OBQlF+{luVNk zBHpj~0egQ9g1IYVyUMk8bjB?Vr5k6XbEm7=UE8CM$t{HmQ|K=K*X*{0gYJLzY3hxd z@u%a<;u{}H?ILon#y)HJ6|+{SI9<0lJKbyX=u{^vcu+l;<mUEIA;tTMomEWl-JShD@-y8CoFC~@k@B-Z3?ib03PCUG}(=C>n)OX8U zuScg88aAiFfGAN5jy&u?%7~*1vA{zEcdFC=8ng?Nu0Y=G1H*zSqLmA=IOm$VUOsnd z@6${avBp7dyf8&HRWbX-7V(JsEb%EWHE(GRy^#*Uv=FdM?aY9@X6AM5QcF|j#YI)C zZot@$*FIv1a2HVosw{OrTU#@z48S)DSUVXGV_=RA9T$19_Kyca!Y}uzTN^QlKrOx3 zzQO?LjBz0VC&qY7qE%Y7jCR+rDB@Z1j}rCGRFe_QJL0%`DNU7%?(;TruRgp>qr;7| zy{Ykpqsh-{k?1c3YDb2|A#b(#X{1E)Nzo$B-f7J9ADx&878H4tHf2*JV zAB|HtI~h#m{p^GK)bO!xar_gJrRjmGLuB7OP0yc`RBQ3;3sHUgw|_9W;L62|XS)d( z5i1ekIPouhap7?PafmVeJK6%(mmo<|UH`7h|1Z3AGK!ZVUC3U4E&Z>2FuKoy{jA$_ z+-CS+`Cb)?l9b*?>VM^faesKMs@!qho1F6BkgNSapGU)!8{H0R(S;}e71hfTFUPY$ zil@r(x%PL;)BpNtdVN!XJF|n((ec*|@&1>Gb3_t!1|kV`A^*#t{;m38EKVfmV|aKV z7xQmj^MAUI>2bLH(p&RK|H{=Px5>!XJKeiF{QuT!;(vPUpr2rb%a@X7vHUAn*PA^L zQm-{J9-hDMqCo6j{$FqU!}!=;s^TcqT|tlH*i-^X?Wv=^7tWGAl$O3PO>#`~S72R) z>~tZ{P|9+sFfr-qyOU}SehEoelrwu%30$0(Vm8Y;t&g9L+C^wDIOSP%Ui;SZMEu+I zgoMQ32#T2adHzZQ{-+zHb^YB$tNZ^UAuHi5#4_I^ds!v@AO7Mm|5or1ypG79I9eW= zzkKEY@Dtr6gZ$@{B;mLJ<(%nfqVPJ;YD}8^|K%4tDG5^72lrFu|HggwpMUmV=M~^} z&f~vv8~)2L^x!NU*Jl;y&;7f1_W%C~{a3SUZjyOLzFXuGYh(>IVK^5gdoAl@ON02Q zbBx--tlgK7QcSDrE#qlJVxkOn&}l9)FF6&&O+2_N^Crmd@$k$5akfwdvOubT{=6`! z5IRoi$*@G%s2g|1Sy3q$8a%87FgK{FV4I0mOiUY=`<8pwZr3uU+8iGvSVKp$T4T+^s0miOzAJ@;|Uf<=hn|;#S+PW`5jDNXy`!y53UXCHh1?!)SJ^wLd(_Xad?T#vmd zTW*P1$aNfwWy{awVDqDYjDS#B!P%n@qxi6m=%NmnC$y?6I~$y?9oU~_XNRgBvR~%w zjQb2hgeWmW87|4OR!}0Zp;=10xbgW!lPa${1m{9#@N+wgiIIUK<+*(^5VmB%!jM^>$ z+!l`rY%8R$0M*V6NX&SSGjkifhm7LQp(pR3|K(5S?lH&ZF|#sG%`(e|TM!nF6=s?l z5ovX#N_R_Z<8I?9ZBHk3S%$IqrQtD79N-w-+9wlB{4G3=)zUPYoTN53)llztd+UTWg}w(GVWvoI){`PD?9y7$ge3bM0m)sDFxu_7o@ zq88u?*AJ0(!0Fl{YoenGqM}dXuWCHJ_BxC1az9-Fg-B2nF|8L94PWwXPgGxXcEg{F zvXgCod>V=&>)wAk_;}*N6_U@%3=JTak=(5WxpW$FQl;atz3KTI)jIkYI5T&@)=vVWLnITFI=M!?c6 zC8e6DnhK3OUmD<`7hp)qkSgMq_1B~#X!kF2M@Sy(Je*n44`O(< zihLX&k9;h@UDR{##gS~~=JC=SwHbJPy(2K#7PX;Xgmj)2ju6MoY#5}dY(yqJ z+tHaeHBA25bb)((U-*FVwl2F}g$^I{$NgRauH>+f{->O`@b_JmJb}LJ&bV5a28Z&; zvgYp6wdUT_>h(gJ3#h;^5l;;R2-jAGdG5?gG(Wl0u69#sCy9m)PMa}fI_5Npwrzn7 z>S+jYCx#!H4Hu<`LB_Kv^PGg4nHljcii1%5l0V~5@9xG*c-BEB>`+y$(20+91;(d^l+=g7u_g5Y%(m zr21@~8xj(7Rm5@et`nqv+tl#5cxpkqp%GFSkKusOK?Mz+MDaG^vm(p&wx7Pys=w>Q(lcmcvC4&z(P?3Mtvd{JyDb?G=0odK7|nIl-!8NkVt;i0OT-TV`qO1djUhV8?0{KqshlmZYYyn3p=Oj<4fgAbfKHA8!8b51Gn(e%Q%RB*I@wYbbaZin&34X%fu zFY(2H9vo1pXWQ|Z7m!BHfxa^_eK84hWB*_u*m1K2X$%IE!gdh(Ij8IckNsgR-Ra9k zN_N_7TcK-)8LA--Q>oU~q3?FL6K6ZuxVGQp#MSR4?P;??(2yT4GFtKs zoqMw+U+)Po!tZ%#F_2|+xO-(tRFIhP^cU-)^fkTrZ!V|}7mYvS&aV1(Fd84WM7!}S zq!urlzAhs2|N`qRp!jIfMc+4^mo|cX1w#gb^!utk7IUZ5-nG>GxM=Ub_Zj zKM1@KWuvpC9BIxaED;!l7dLuLev1U+>&o6ll+yEvq0prg(+;(H=&5bQo2s>Y)d$@) zcsiPWb3bgnm3my>zEky1AN-Fq*gEmPcQJmV3mianGoi!;V>#jqJCkvD6wSKd_#(zlbkmQS|K4_!GVXTkc@t%i zp8UoJ%o{xz4^)3)S67o%~-EF1Cz34@R{1X(h!s zxA`mvosB!AX1L$YFB&4ZX%f|qJ&{!Fk;MTv```}$n*WTNz|qeSHWLx%^jyG$FBvU^ zykJAJ^De;euwq_gJOnD|Nx`(WiRso*F_|NJ4dUy=Pav~vSTw1Mx?_4l6>kV8xOs+1 zA^JqWCIaWWTXt85^rv%@yK|5s-b}$^-^p{%5cNUQ@rSl2vOQqsZWrkp(X;kwFgA~9 zreLtw`K=1eKG*Jz%s^mj1!8Jtt7IT<8&?U;UvK1#X7DHY+Ds9;79G#D1zL?o3%B*T zN$z(9QHUTZ2%6v6u@;H1wn0p{d?DFI;u7+VFm*Az0^|0fCcB$UlGUwUBSpe?f#a2S zCPCDzGeqv|QKYQ)`uM;qJhI2Nfrq&2H&AP#sfc;L)K9UqMzo4&L4|uT6I00)WMq6S zm?rab6*2m?o;cchfiVgJK2)JYN96!PXY@EnVpF%thORU};R$Q+5aIbV;!;*(vm%Ii+w>7+dA-9J+oV2N$|c$2w> z)p1I?SNTsd7L6|Dmmwiqx6BUvtP8#aI(tq=o*|pCwJMS2ipJ$Wb?zS&V#LUv?t=m6 zAMZ~f<+V0o2pg_b!H}>@_xC~6_->?8lIBu7MYw}@7u8>VxUWoH=pH-0-{&8A-xHJp zq0QTujo#B;(5Re@BVC=AXP4adTx;~UZEPWhrULT{f51@rYEEan%kc5R4My1mf`MPj zT$#K|e!DG$SlPgEeVTl;c(qac=3>J6?Tw(*X1y-yPxe<8yZMDC>42Krd}ufLPMuO9(}NtfDl(SYAW|l z)$ST!9Zfo2--kTtpC0pYoA%Z1-5+5LAT71{`6&9*n@vS#k0|4m_ruj5;qw>%Gq(HU!N^v;i5#C+gqE%yueGLCkk#u6&_Mltnfg zk8kN0!95Q|s5~Iyo!R8hHh8a~u54#PcC~UdRs`&hV(jr~ZT|#utbVmM*_lt&HEc3- z!HAqI97wklgSrX)GTo6vx~$W8hm35&ROpj1Ifu;as4?4iE?bbae5Tf-$@sKw32NSZ zE}(Mf{c~3@`Vkcx_?W8@-b!98je1}92Vw2%l@|+Y!mb)@Sl9%Hf>lo*MEciwj5`XN zPnaxEmJ|xxmr<4;OjXv`{Tb5(_|I%I z4%#^526H$ zF`RICJ+o4IT>zrIHwN=CgA}MRVnBHF@zXSVsL~|NhwD$HTKY3zXg9}-fJx358vR6< zgJp8J^4vOT{jSL9We{~KgNbi7_XF-7710PsTIVnj_u7XIdWf937{ zilf|<{2dC_tvt4kSdNIGknj8FQU}erWrB6mY6y>`7&+3v+tgOyc$9B_B9FzoityHb zyH?<1j@_e(rt*=ze+59el;ka09Xg(3=Gb_|S(S9y9mztqmf?al&t0Oqy zv!&LlR)Dfab4B@~nHp-h;`%d@Yg0Ge8ab<+o&~Q7H_7+;a2GXFi1szqbk!j@P*+Nh zH>b2z^rW&Cno@7$t=KvgtG;5Mmc~n!Kl{^LtQByB7 zFL1eS&O~<2d9$Nk##S+;MX!w?;%w`ehRSQZ8ij{bB>lAnG9veixiop*kteJBOvdv~ ztgplkp32e^x%>PQXDj8oe#M#(?e{v|&h*y{Yd#E!wZKkwooU^Wp-5F;7sAo?VN1}? zO;s|vZapSF^Szwk1d`wV{6*J7B6pYGDvQ?mt9E@?ogC_qkx!@4(r-3&3%yn;zkHm# z&@T@aI<)hF&>yhCakg$(F>afY`Iw-*uH&QqyhAOtFvRec$9~lnDe=9IU9|X~Wl_vH z$Ftjl0_durHoH5=(ZLOph|hAxGKED5)j;>10Tz)OB@|)G@Wrb|!_>VzY(wGY*W}G+ z-OnMBnV68f3R;~JuQzlN=`70MAGELEZVF_?Iq}dvxM1c2Wbq|=-j|S-Yn;U5EX;gM zS`oVjeBe<-^NMb8JYp?2?mS1S(A%3JNlH8ywFPdm9E3(j-Xw;{bsiC=@21WYe4LG8UgXU|% zxaDM~QmP-PdXY4cNN-hpQa1JJ{Q%)bk9B-}8+19H?HnpOHz61>0&-ScAxe4%q@l%l z&BjT4G1G=`#iq{jT6H6Qxh5*N>ua|A^09C9p)rqVxZc$ z0Hq6mQoZkr1Z5A*T@?fUrD7rYxxMYR8F2h6-R(0W(!U?W$k%CjOEoV{RmbHQ)dz@L zNTPKfEH+VCbH8TM&U7uvZ{ulSDFULa9)G)MB#oWda@s-8yV*{DxIEjVd7yx+3JMIQ zs+55gbDKJE6~!4y-sS`ulWc<|pJ< zJtvSNr?m?@^$-5S)ms~~uAesR3aBO7wxm{jMI zeU2@-CE)jA4(xa>hZF0;*B_wg1w>+!^xa0#w4B+J?sN&Nd0Il-U|`na)V?#j;3V&@ zFLf+M81+?no}gYozB9UfTC891;eKb*U!14@f!a7H*c*zB+#+PNtl#X@es_tR4r4&w z^vvs62{SDiuol>p*ww~jxt^4FnR%ix#hB3W8FPc>v5giI)#^9rm9zuwwXp60tJufh zX^Ew(b*gOYeG^X;y*ONYW7H<{pGoQ#adaWzG_Q9(Djqe}brN-N7Szy9`Hwn?gZg||T z*UvZEPkW*eSe2d4B8khDgVR_C7MLYi}<$ge>y>E$LV3HRZ*tJE@f5C=m8x9D$`HnY--KilY z1-NRJHjAg@XOkp&v``C34E;UreN~&%@nkCGZw4v6>ge7|yS~Z!peo_f`55-*ptsbV z#?trv_D$YXxRhDhNhB}AL`q%vs=Q}Y=5;XcIunp2Q7%@7@6}ue^L1@%2xtex_hOYJ zw360&9{#}sC>Pd*Hbb&Al_MY=Yn-w)dGA??#0A1t35M^Zwqwr_?nm=mEqeHOU#)NV zf6KXBGh<3->C)e!?w@c|wHo581r^-AQz{^dy>&^h;QHrtCMqpy-qp zEZoQGyu$Nvxs0rf$N?k;WAU?Z(Cq9FI_T{7?s7jE6s4tIwyCc}4MuvQZ>cs*I@+U= zrHS|g>Nc!-u8vH?SFwn)^1AcKO3RMcM%Tfg(-?Psud>-MqmgvZ+x7rGah_upp7YoS zBj1Dm#W((Mk#F%~JA%z_;Pevnf*a?O%Z0(eT@zW{MP_}bE}J7f?c1>YHm`zxMV2va zcY?3!yLVGPYk);geE_|{2+Hi&HX{C>ksnS=$D*IYw`6zV0I^#pTn&<=B}X_WH%wyB zl=2-_Te8^Ly_h2y53xJr)8@wSn??|G)oGYh7z47H5vz3_|10-ZLtkU85Vw&|y{MNW z12$gNNoGMNWa?E-z1x~y7C%2y=h-F829 z=3(Bos42BTRqf~>|GQgGMUu|h9*It6igg00%3WeSpUX^0CWZ_18BV7jhKHQ{^|_+S zbmXRrkB&}<_$I-JvpO%ln)zuFVYK99C@PMVtEXp^rFyl4G&M!HD{1p!KRI-1r!en{ zbEdyP-SY<=VRq-cwz;&^JX~7h&|BE{7Il-R;a!!~!(R`LI=oYJv|Vt?-XYenO4Mh{ zAAVC&2F$t;hiuzWWfOKX!UbBQJak0p`Kw3IEMu3usyy_V@jTsz(dAY7#UtvYld6|O zALoA!AK^1d`RHb*_VlEKX5N#qjC|$m&(_4x;3BQlJ6D-dd}G;~?+`oN0xyhEaSV34 zT~9rdb6#dI>ZG{ZbkTKnyTno(n-Zuq&UF~K+Tzy+|2)fvIskWNm67S2>QTz*aeO%9 zNBU~xo%z*`Grmj7p*pv2aYZ+cz|WzROY?18-^D_e2z~20swCUoh=7#&sa$P4&CCa3 zV-DU40a@}g3q#EX8w+nefcts#!JNDJ;iV{(ND6PDZ_xQsuhfNi2!4h zTm0c=48@fY2#l-n$p9dC46KJX3t>0+iF(Tj&)nVyAn`8>+H-t%5wPF;NL^vXeDB?< zr79JWb3SuB1g%sEwBm9-NoagT9P}e8G?On4$hd~B0?yv6j*IuBe$OVe6_Ks5ln&br z12Xy%?E}bYcGSKFm7s=3^7UpR$YA7%Kr3GJBI`=)B4*?eJRe?dEDQ`GY z!w$6~YJTM8OW4rP3D>x+8Kdg(fk*;mL7rz-dtzX?U%y|s#5(Q?=cbm0A((n9m07B* z3M`~r$5@f8%XAO0uUw#+wxouin z5F)K$7*s+HRUNp?tEfb5M;kMuN~v4%Vbtd4+8n1YaR%SV$GFbLE5}&aAY+8?IV`-y zg+W-X&br&ACh*VifSR}POg+>J7Ej!}+EEzr>}o@yu9WSTaO`kZfL&7VctL%i%vPEx zaMw2-c63DW1HxaR6O}1QrP2R5$O5V;lSS7AKkB#zf*alW^Q>UUS&;2=#Z#5k@xQu= z{}0rb|NdLAyJTaZBq4V0apE<{B+9C0fv($gWJ;pZc{CAyx~KiNi|_4pfK zzy3_}il0$o&EN`I{aMS#YNm73>bUMKLLBhY*5CCtB+i3x&x=1T&PtkmkK8?+^TkR_3aDXtFQLjGN^woVfWk4 zr|u(<3$Ju4pdFNJbcj_&AeBT0yo7u>A0Xu_H)J(eV z;XYya7>UNd=}@S$J85f7qAHz=a$Su;M_*Ob$c_(Ru6l8ku(Ii>9!`PuXUz9^u7}_K z$cKca*lz$2Lcqc2hWVr4pr}j~YUwriRDGRG{P*>&s z$&H0=jfV1?OFT%DI%ybo%tbl?p>`kU|0qD@IA_x4{JiS}{&!;%Rwfg$5u+Be{X%x6A zo9wFpm5e8nt6S~X;U-c+s*N{?Ybf5QDE#I!QgAdyq?Kq~u1vyjo6q-N^{z{; zt`xT_mG2`9ss~<|uNu{Mi7%cyRiRHn{<#f-x-b+C8N8=L?vK-75K5^Rpm^;4M|jNiUG?-3{|;qZ?lqu`}rK52~?hL>R6V? zzGvJTH9-M}uafcp#QXa0P<)?JPtwCC0%kXQVd17fqpmELjV|p~cnPn~qs+kcDGj5B zw{H}e8SRjq^`d)-vY|L()u{N0ECo-jR6zyn}-VD?B|KQC7gpT?8Zy&bTY z`q4H;7CTLL1`R`ShB!U$o91NjPOdgAB~6E>D&9;PVw(rB%C%U+>%1@A zQt5~Za&U(k8MfEfU{quobO_mfEfHLri-_DOvBCpr;tt`Lz)Gh$ZAwyCnhmCIQ=M{t zoeR$MIK(360^ZkQ@1fJrT4pw>yO{&2xC{g!f}d)Ni}b#k=|x`XQT z%&I?6Ysf$Dq`bB>N>OMrde!-^T7vk=9ktk~?|8RAy69^~su+=*JD078of_zm*kP>L zrgtmni!6<-=Ylr5EjIPn6maIKY|ZEMqpXru4t`%NhPne?pB5ys*xjiM=isRmKWz_d-}ol`RZU~ukHBw@kM#ZrPeR$x{tXJ*Czmp>o7s%lgKh( z@VH}VvTM6|V{ja*E99KFwI^!_2B1EEu}n?2Hy5RA28c zV6CS*5L2vk-_}dN)>}}Vz<6=u6TniwF<*HST7`0Wc%KEKvXt9hgu8ZNB`)nfvHAjJ zJk;w&dTZmQ7GH5uuV*!LHTZU;!0CH*<44AO4Nqht-+BjaR3u7kb8*;Epyz%a{LeO! z;Vv1DV8EHq3UBci1@Qb;h$-in%3nNBt-_mvgU2e2mdCi_9X0D>lV#p_gKh0wlm6vy z1Z!0uO6Jcg7Y0Xqop{uSzS?<=EI;~;cj_&dz^r-ICDUnbfsfWlpZ4vjtxeU)-9$8- zg%)9-x57OR@1c+H0N8EQ;MB?;WJH_Uj$Ek$d3MtP|5z+Ekdc#)BRcVYWmcmp z<^x%?GoLTtxn#1k07N6L@de0%0Lf^Q=VSz8_vj%#Z@$wmw8?-&R(&KF*LYa3J1Fpk zbPw`C*@zBoC03(@<{{X@?cIw=*TQ!Y#m{+@DWfH$teh#_2=tjBwmv8x- zBsRS&87kYNs%7@m<2GA2MwxPrH&z}r`CWHzth@IP`(b$hk|SH22qQ|-w@)l7(R`b0 z9&IVXu6kY0BSuMQxhm1QVc9;WTtfWjvbM=b?16rNX?^T`xU#b?)i#(HOh5)hZqVO-wV*2IP8TM(w6 zeda1-9hqXYR%4mRsP?38Cn2Wf#JT%I1j6Y`tmk7mfu2?BPm^%pGg;+iGURZ@tGw~S zt2eus7X}tI`*$=Dl2Bos9($q|7&ko$Q7@x_+6D+sTcLY-G6m{T^{+A|M90O>l`L5% zmuseix=?9n?KBVSd*QST=K5)XE8iPA!ZuMc;n*3C%|Md01X^|{~CqRyE z0HxUY)HAlf7O%ygyvQ-_fkk%AW&$V~kGLJ; zC!T(eO>XF`DMf-Z_;DC0KWsc2TOVs~f31s8Ol*94RJ|29Zat6{PF%tC)_Zzlji95H zA&!)0sJvMF#i8d!)@1xCW%Y9FSj31+{HA2Q-&*;7g=4$>Z8)*j`3UX5%g&zoc_YgvB9tt4KInlQox75Xlb!rUDsKYycxsDaJ2P*v_d!!Qc803A z=g3d)GZ7)acnkgv9v#Rwr{Y1no$-0f9Qj-OJ#%2v=`Up`gqQv%cL zr}+lkH|Op2pPP-`m09Tb=PoNunthmMu2z_a48*uy8eZbPKFbt?GI>_Yp{RDLk2GIgCH z?ETi&)!)g9q=SAm`I;wKAKhW&6EMZ=X{3ha^(FVP>$QdrKB-V3hc_YtoTy!phqW~qdcGOioXLVf9^H` zPWFnCc_jEMUx6b#^wEz72wQkjIiD7-g)pPh0}@0E%=t<{+Og9tHhwCkgT9CfF4)>y zIqXapaJ`z(g_E2ih-7`YAeJ%RvxZn?ECgBKR;qTiG8-yL-0slz*fxUD;uOADiB_Q@ zA*+j{w9{!8tIq837=(Z&RdWn-tkTX1pm1YFG%OvL*f-~Tq&QUbEb+2Rj~_h>hBF|F zCDwJExC9~a-MAr(_B=#X-=dtizl3r6=~{>6Ph5bt!bu0==}K5!My`zkjrkv{Ho<%_ zN8Q8AYljjCgF?qQ9@%wqsc?f|HHm|nnVE@EQCRTYpEOU#Ox~Yy-cCCfMc@2a$K#3V z3lwpA4*tt1+AHbb&6rs4aK7wDHF3#2h)-tdB05(Y*V?V@{e|Q(~)Heqtd)UIUhHpU<3jd7e@g6gjH8>ZYcQ13NsW92N^R|K& zy3d6Oi!Bd)1H%#vsaH`I9&al5t9~c3gs%nM{|>Z+h;-dQ;>CqF>1}hn@^bE4b15~z zR&2BRY>R50wL-7d>e*>kf8RxZI5~I9QLI^k!E2`dt32puy`QO(2FA<)oz-qxsVn_H z?3uMy%~w=Xz8mLJopfmycyG}j!Nnq#C)#vom&hsWlJjl~REFT{FJKbW$WRB)m8)R# z#PsK-fq_8^SSHS5q|S%|gOA;~VBqJc^G3ieaXbW|$y}NQflQF0yuSxFEuGx%-r2pq zy^Gv|4!@kN<^-e~$-KjVeZJfdeh!^|(76am9gnqANGUby6sgDb*wk$|T|}l&egVjZ z8goQ}@kY!QUJG&AqJ1DfuhkG+U`Kik)+Sz%JRC+=Ro-q}-~i3e0ohN0RA{5Nq%D|5 zD#yI84Aw}gjNJl&|MaX>LNWKt)8yJg6B~$ua-S@sH*=BY@Vzx>_}??&N%6XreKD3p zIjaSrxK0U13nF#|^aB^b%$F+fs1@8_$Ai_z2_Z(xfD%8nn~u?Vm4oAXgg9)|O9`2O zd41EY)bPUl-Sa5j|MQZ3eUscPM=g}iTvR_xU~Ddmf-I79;x1FFs6;YXqx5K* z2;K2m{g1-=>+9W^1~}-42UQB z)a~4%3a_BuP=WsDB(QB;i48(kJTUBr#N*@TpyU$CwwtM7YV!d+lWuI*1;z(Y>^oID z{Gipy#3U-Rjc&!0Qd*VPZD*_Go*WRJ5Q+_T*auW-9+d{yvxTIiw%$~EZ9E?MwRfuDisk!XuTq74fHh*g#kl0^}GoJ8| zpQe0)^L+FC)8~yd*@Yv_XGSljHxKtk^5Y7&d~%0x1hoA$GrPAl@X}>z-+MNmywOZ3 za<(vNeEW4sN(woZ`)B^5lcVLEftQV`f`w#k{i?eZzx%$ZUnej7b~*n3VWtk7MwQd1 zPb&1YMT}1}SllniV#TmExq((wOXJ-6>2k&qqwV5mFM)db%R@(EFC;FXZ)a`qbal|D zzISfrmJ0~9uM?b|n7u%l}MQ(fZ&E6C9^9sMEt2Al>* z$1Nygk+;-(5`?o~=BPa%DKRr#V%o5Rdt#CMg_6=Vc-;~A@kCfzU31d)&!0c53)%Tm z2Y2fCir|QBCMdbpL%{_=pGg6YF||s^M;FI{VG~kY6|vBtnYV9POJsGrodoaiBnI(C zDwVQlb>KJ;D5c{=M8zOWt+x@)u-FK)#zMhn0OxUcmF#=!Dd#>xIyV3FSdRqJ1Vc^hV_Hfy7a~W3NZJd-^hYxN4@&Q11Dn)4EG z%Q>RV?Aj5>7w__kd0>{*CByJQAte^7uwqPr0bYk*Rv) z5=^G9OMLmVfW>0%GXiP2zG?+(x*?j-S{6I(@$^tDoLvgPLQcN1^!z1~BH6P(Q1JB+ z3R69GXbWa0B=K~Et?6lL#Di11OEVSdCMp{h@b+9WA3$YBkBMl&E9!&>eO~jBy?k3M zQgzKeRsniI@JB<}sYvDXhP9TzdiAOWOnz7`26GA(AabNTkGZoA*t>dX$}Ld0i3Ht; zSga;*jyWv9Hz$uXyDR!#;xflu%$U+>lEy(!NpH659Sc>W3<&O!VnVJTni$VvvgGFz zq@Ea7RVHjdrx))ABO58Y+UJiDX$P=+uJ;6b0z{DvB%rK1KIpo_X-u9bVUfeeZ6OoQC6QD^aeGgRW!9OlEsI32btgIeLb73#mW}P(|xD!p2VX8O*6sW})R-|lSw(9q&rB8Ze!y^^?XLH_HJm_@gAK5c!8cSU0=WMyThl4pCd^O+Er$K zy2g1I-tMhy`tas4vkFilbrnax+zaP?F0JEUQesLG6;WAl^60a5^{bzJzf!C_Xc%(cqRQJ*}`ON@?h%y!9<|89kGDUBysVTol1muZ(7LIv;?3&yo z@>@d=F5h@m`19semHqZ?y1nY*;CoEuYsK3OQF=PeGo4pUp81ZInN3pGYv}ts%{#cI zKCe})v{p>&&sG*}FI6pn|JIIftc!jOJDT9ICTK@ldmw53dia!0TH6mJ+ItC3NiXxy z5xIUXs!cmFJE;P9@g2s6wrd01noiz3*V~f2us(_NZqM@@sa$sIlzL0_b1vLb`N^=` ztlKw}+*LDWwvr&;T;m6-2g+RmcLmH>M=_`Nr%i4{DU!=kdxmCdH9I<4DJiavmzlTf z&$&2sZin8#@0|$X;4AWtQq!Ivr|Elx3oqVM8FCUZ_(=iQcXo^WQ-!_YJ?W+)OaPC> z{+c_K+CT$~L)^}ngN@Qd(tr}v?lG9~Qfz11Y{Aj(vAesw&R1W=0TFZa9?V%0qeS;5 zqyTIdnW##X0TGE|MW#JhtGmDja^Ox*ySRGGMM`&~-5Ze+$0OUz2ZyI?PeIm5sYSH@ ziv@n`F+sQM-;aI^j40%zrj&}|HuR~?*4H3T1KvBlrdf}^Ts1!O8$tkQPNwv~y+^53 z;zw?&j{6Pfb6;Su^@%)eexx_y0cFMx(Apl7R_EL^?Y@$2ZoQ_FOh;k*!H8%$R^+}- zbX>2eeU)x#aX+e5Cx)>e_`J5jAp7R^?m6|rO=3hLG7olsx4!_DUjZp`=w3PT?vxhx z-4f`5)vRm&$n;D+0D@p9`1-GNqndyvH{B!4?4W%B#t>}ER(QMqf5_5t&B{dfnMwmM$`Wd*x2+0XZOEnF46$drjq>yLOUGb9oMTI9k?tabI324AHl%{$Ob8$jvo>iw(9hA z6PqR&{;n`Uap>rWP-n;Y#e<54K|1WLUr&$Us@|NAtTkJSIs`x8kuw7r$NzKPK<@*#`~EIx$Td@i@yt(tT`SdE3s1zJR*= zF!$A8EFyQg!h$xpSEo`t3;0Y9wMBlm^W?jDAHnS16|h_m#C?wbZhc2WM{dDs#pjB- zTKvT!>>@Ug-j8_X-}A7w)|+U@GhNshsVK`bePnPg)o@f$bqyA3pATaDZX>%I239B> zc@u~y_ViMa9bUJ(S5H{`Mq=9(AtKB{Mhy+9SEn&uS%#;V+^63UU-jaQ*jU8xoypGk zaWI@Nbdzf%O}0aQBA*$zBzs1Fi|*XqX@}E;NMVnG)K9CsNv8{s9(Q<(CfLvM4Huc2 zGH2VA-KcATmCtnQSDlm2taN+pkU~Qy>Lkk8Kfz+svvOs>Pw)GqqdUCLtuFO2NT&@i zL9oE{1QJAHVWIKc9^$fVA>U|k>(6X_<-VI9+#uPf1$aMz^OBA^af>5daoI_dfd6}|Z4`0C}V_S4e+8%YoI`|5!@ zOTNxee{5R;^k$uU6~K6p+{T#`Bm*?^JM)u$Rv{Jo}M10lu`%!2xCf4j2`G24Ii=or6cXuu{d|9^w?HfF^K>&tNyZf&K9E#quPBh@o0Pcj?4wShst(9gNY@Bmxe^m7XnWY;T`7a+Q; z$o_5Pxl5*+_)1MF0*LqbY-Enjk0xiV*%s>n3yX6*Ey><=imGJIDua+m;whl3-9ZS8 zadWI$$IWBP2MT~XwQZzv%uMk{K|B)i+ro%Q2$PoD=Y4-$@l)U?lan~%zLoq}|B&

zsX53pD4NJVnG}KiT|&@K=5Av3Sjy~OZLKJhj8EQ7wa}kY2tS(lSd7{Hw3y9B3uc2i41WtkE@=1mPg(`izvR@B5Igs_Z@QA8() z?}l`Ov^g;VMi~dk`=o4NqRi=QkfnUto^9GN1zwkXQ8T47z@;WV1IEr1PPt6orFY-_ zmWI`u|6H|tlJuvyOEFAdamo0HXT;Wn@rfS^^5Gn8J7Pph&O4oKFMB&IlGtbNma=~= zy||395KL2!!LcH*gIRWW-(4#I?Gvur<49J6K*hJh8!~ZP02E7Cn`ET{~ ziA}u+19FWtnx*D5bV#9yVr#xCm_1(s&qEUBSJr0}<{`lMsMiTG=VDTiBs}ffzGUK@ zuqKRgTx9*b`uxe07yi(&jWsnV#UicO1}(QO9MU+onap~x$N;M`9Hive3Nr-u zxQ6y@ZKYLmJ3|0eGu{>EOHO@x!pT{^z~a;{cvlDI?1{)n&=AVZFo;+>LG@U&GcTr4gqdC4jTT$3J=^(lR?)1Dw(^C{J0AAkjl4& zdd~-t^zn$w9MaATR&TzNPd(X_hDdk(BjfDjBm;W;mLEpnk_azxC8lPBHwPE{Mz8K^ z*!sy1TD9G4zOBnIx6uFbOUBgHmt!@bNLz(gv2C0nO?}~r@8o~5oHSjM)zh2%qQ*2> zS27|cjA0w`JZ-P+W+Q`qe7Sh&2wzgFOQ>3=?&u%IRqod#EJ2(C=yC~FqgFq@Z^oET zI$F@qi#i|_pIMVoKGg&=gG(q-h$>ABx?vSNU5&2`h2AcjMHqnCOOys#&y$-@_ z1t5>m^>ur8-MSjsGc<3NNgo6P()I#6L{oR@)}awfg+=ZM^F$cl19|;#v9e0R{d5D! zvk?%I{#Zxy$p_)WE3x?TYSn|iHH9@BqIA6817S9p^NrW6SGp~Ni+-AeFqv$XlWbyQ z(heP{5gax}#+`Jn9UZ*!Rxk>t0=BYzf_%8oBvsOt&OAIK!kAobp*rcmG56L{RqkuM zup$@}iKT={=~9uB4v|y@RJyxUx{($XgA|qSZcq>=ok~b5-5@gQl4cU${j9zBIcKf? zo^kegU)C7kSbwY-E|~LqesSN|eMM&ubX*Ea_x!G?VrV)ng64+~VC-iM{bnI_wcl3D zp%dI$+x{VYZo-c#E3aSJ&GWx~|Ni=Ay6l>B>rN=o=5b`!`gsfu5#Y88=7h3BnQrq zzllg3SoN$pgP#1?pu@89UiHGAZ^c>T$_G{7SF#T0+*kHZsK1G51s<;q{O8p~R~`-D z>G3vzU3(ksXuD>jZ}I;zT=!!nrdP|BJCo`F!_A577bp1L_J!mK+M$>&q#(>H>VZl2 z+;LlUoQ)m92|c~>g@i;R)Laukn`!Uv2_HqdM2|uG!2{DU#np~7vpRmtN0=@0*R5P-k_0Ld$j*&oFI#I2Jd^8x&>6_SK!QTp1X}x%S5;L-Jk(@{Lk~ zre@;84O*#8>p6tOf7=*$CzwV!~R`~Ld-hJ@`#Z^%MAmz3(SP%S^#98Z zRC`q9LTjr*@{+RY07v5c{=bu1(*I7TWXUdm&48rhn_gZ1B~7j^7M}MtX2hiT z->b=qgtCY|{_g%#Gs@DAQ3d=p9(OBt^0)u~wxUPQ8q$u1 zuj+quX=)@7XAQIOH>&^sXZ^SR@n8I?L|YVzEavgjp=U@`rJnSM)~%rI7z42Y-1U~s zpI_MDev|d4ZSBv98kFoG7IVr8=WJh4+EP`NfVGNBtp%!Kd$L%71V-X`F5oqeOGCY}FiUiG{8{fAS?NVcV%?q#CS5_4?H~bOd;y>f=iYkI zSCFN)gRI<$Yk4!*a=f}qyF>W6_Hv>v{&ns|n})t6jL+4Jr#|}h)7WIcXCiI8nevvr z>4CWLfv1#iX`cYE{R{1$JZ(>$Jr62y^^w!V1FT4T9cDTMhd^kXf^{~)^stHZ0t8@x zDucN$@-#gQbgJ4QUG41$0;VZ^4^S~;AUUgu0GTpF=2O5MSDD{oY% zY=Bg`<;nxeahG~&1l@?c$gjOEqVT*%aG9%l8JV}TBl-0m&XES1M8L;DY?ew?QOqgV zC9V|2pK6)2njCHgqM8wCg$-qM0aL>Of>^YPaOdAt1Gq7$*9~O8NWj*}gidsv{V$f- zzaMM=!IL(?eS5i!ylBQFde>m+!ut4}3 znc$-A3M{?#B7Ulhr}!fvpXP~_$gl%*spyp8JK0YYej6R9#e*T3+%usN8yd02s)^WR25&&%>d$LHWb8i07YF3{N|a2LPqJ-RFY+ zMF{c0$eXI@C5*@mnBUhAgviH>yO*PB4dcu9tFD@Nvo zgAP^73Ayes9v7N(*3h6RnmFHid+Pi;5^@=t@m9d6+7lb?(81TV`~fiJmSH=gmB%1F z$3SG>hpO8UoGFzd6Zfl3!f#>Kb(4x-%iPt42V#zcU?}<DF%w2tq>v3=_@ zC34hy(EX5qJHE!BUzM+2r*Mo}H^IbtDX%|Msqs^;=HUBVr0#>g zFI|~hVO;NA1i^)=`?iq6^Fq>Do z6_JCDA#Vg8h&p3`4p>S9+c(66P8u)}!XbVXV4iAi}0w z=7I6cFji~OYMc@je<6?2U<_Ym*hE;73p1B=wT}iROECL0Lp;-woeJ6&(*|}&s+vq9 z*c_c$=L|Erp|%u0?|JTPv1mt6`G{ab!#g z4qax!f?I0tPh5ih$yu$zbHgAa4=&!*?-AEzD!b3Wr2`Gs*>#5&5r*}P^h=JP`K1{7 zFiYXv3We25f+5_%(yuRgdvKbS#crfnWGy6F0oA>Vb-t`0%LT3SU zsrf_m@2RgJ!<-ld6Y@Ww^lXk+AB5QCA>*G%VHeJDW0&BBuwqooB&On*7c-PNke5Gl z>hSs|n9XyU=`tr{v~Ho%>&=l5`p+JN{)-xpk?>7kg88-Jk05=-dUWkLi1k05VhByM zSdeuhgr*uDu)nSg7R^gDz)D&ywjBDDg?LQYWC_v+1u!V4t2qdEJ6bvFnkYG1bDDO1 zntHUI8|z2}XL9Rl+82Tc2R9n}#uMf*hg_byV-r`@co+0Yf$^U0(cJjFA^Zh1C1bK~ zG8X%D)Hf;?Nw%5$1QT7t8!H1xu~*C!)LnzctyWkAcn`H=Vs*}J#}Ah|WDKWOg^YNT z+EC5$UDFl3h|DCKf*RxEcb9eWooAIt9Ml3x?xdSm=l8>;uN|C8EH!m(>+qcCJKDX& z=hTyknW+`~MGZw)f>+ggJ#SkLaiuJz3(Zv}u7tIbj5fI?m{HABB+Vo@CUq15F>22F zs;JdewT;%POSoFMnC-W^Av8M3Xd&x7;I+Q)T)MPde-gj@m;`cJixO@gN zPPAgl0Yfe!#Tb)mevxe-0qwPfIqN9lu!yk)^9=UI>RTS(d5YiEj(~Hu=pfhW5JX;O zcrnQENG;o<=JGqY`1!+re%Tc=PtF^RmwAVHQdTnWclzwRd6%w#?cn6dFzoT1V{0(g7(yklCw4X^9aB3ma`j^K?QhrcZ&rG>Iy=m9 z>YmoDbR9jHZZIh9`?GIJyC3Vlz__HnHN@Q%^V>VJD3|IeLy}Z-mZsu-!+gQb3CEK* zYr%H?6X)DTF;td?v>I+>P2=3QckzflcczZ3azp-9tti6Dn^XFQ?ZJA+l)g{GJB zJ&&iXb)0Q~XV89&2d6`sl|#pGLG5BqJRz0^Q(F5y-p`y^bzB3p)LnIJ+u934IGMIi z<7S^P{qT-p!F{qQs*VG#A60erscPK!A;-tc!>Lx|#_{_`(Ysz9jOaU&jHxU6>xA6p zDqc~yU5Z^N4qiLUW5s*hg*z-wb#^SpZ3(?Jt=ttmMWu#ce7h>*r3sbn8x0(kR5^^m z+9PzA-P0>*7;i6wOPzgDXg64>pSj8c4!B{6gzooY2Kw0#4TSi8V7#fyqt|i^$)>e> zMVipTeJ&Cd!zGu*;mN?9zSnrp@G2lbzmP3 zJ40W<30^+jM-VP-IV<~N?T8WP#@w=kn@Uo`4OSeS1tK(?oL|+3nW!Fl-i9brL+1$Q z;Z~N4HmTU1ruBW$AfxLZB10l|7@P}^J-iubbZU>p{)g^0zik2^1)M27c(-=vQv>%J0Vy8lrSDEpKD)in7JqZ#5&#?!a`?0dj>0=;m7?7M_et)vPO2g68pzlT8RE zZ$~8<>|l^!R`S#|@xuO6)S0(p)S^iuh>|dPn$c}+RzmEm0n7W=ybxY$Zu9p}eQrS# z+N#>yApA}pzJD@GR$%Qp!PC7T0jzD~kZ9h#{%wm~+flxJsaQl`meym{r)o>yP}0gM zz4q!Tx&Aw&!TH;aE9YNx<@;Hc^o;maxL zQRf(f-Ezb(EFF=Sd5%5bPT57e5TvN3f5ooFm5xy2xZwTJui~!f+e1}0lpWv8Qo9V@3md`^)E zn`rPP>bm70HGkj?JszbXZ^|Q?@oVx}sZUbl`uVd%WfS~pW`Xt&m#6V%h1&%OpkwXE z3!hhW+lq%;woV^98=DQm6#GUB(}9nvmi2qoUmt1P2G{+eG@<>Yh zo{+N`kJ~sx6S-yJe_X>1zXyqC9G%nKRadWg4KB4aUHKeFUE#%hboeCNbu&PH?%tAC zOo0h=k(KjNwGDrsq~m$Cm5wy2E$_s^LzA7)exWlTo!4!6+LqU|B!4)!7``5+GZ)K! zWEt?${n@#d-5T0%zxAxJdg3E)%j{i!8~X9Ml|y2RjtplMf2F(4>}2@3vpEla^-*-y zOa>2&9-G-l&DX|H)R=sin~~d1?L-9zG$(Nt)I?5NqR_9&sWRkv@rt0ky0xrMKhQ*a zw7U}iC5FyChb_3~aI@fUX+#YXp1qd$!KV0C6<{Lh8{JMAV){7+JAwz*v>xEAswF?s z3Q~CL?S02F6q%x&taB?o(IufD6c#n8ZiT1Xx6ObXTXS^i?f{WGVyF9`7qoz&iHw5l zrzU-^toWoHX}@^?0&FidftI8s_L^2-UU!c$1{@)R>gAH_cY9Q@3gb?rT5D*R*8Rug z3kM~x@~V-6jn0)PxcSVr3e=0}W@SQX1bxdHUpKyO45U4g;kjF(ugN?Y}bQM^E<9ZXX_89+SKK09B}%8P+JS zB!4OVo@fL1^&N4O#z!VYrCvK$n^X#NY2H>^{L-WznR-Q#2Gsvz<_kZqpUjuxm%cOB zWz*rMhLTP4Y;pDHQ=~qPg~bk-)6Un_hl60LrL)`xHsvLEfw2wyA6iw`X~ zb+n=1k?c&%G4b?HmosQ zECo7K_0fr^d&wuhXTpzAeU*iCu)qCoI3yhvy1$-qM8z8`YsDqAp%c8vv$29#EWJTJ z9WuDehsCx8Y)cd-gq8`4JJnpDqE4}RpGp5_slOp7AS@$s z)y~l577?N6P!fT3@vpS@AH|w&P?ivc=d_33vWU8-(Q`ihOHQog1Hta{MsX6n5(|p@m8VmE6Zq>L2WjD2`emRakfY3c4Fp znMuzkmnPNn12fQ9EZvJrYhS!U*_OJS^Q<9fCBLUYXUx$|Yt(YAq&sk!ayerm<<~-X zJCDceeoAzCI(zpQixS-RUrQsE=?uE%rBQ`?c~K>{Rv(s^3cT6R@aCFp^kh*nr}&=0 z$zn*XCGuNm_*owYyza|*AL-xRJ9!^9s~9O?DRK?1U6_F!(xb*@_R~^umr8@k)l!$F zXUZQ(P3tjK{CvPYwz`y1e=x$wKq65mi!%0S^tz(c6inR?_oz)n+#z=S=(1H#vZprO zy9kQLNy@17YDjv-80D`}`)0*uK>y|7(@#hbCzT*Hid;2yTc~!01oOVO9qmh&@4tLa z2@$$nh_nBR6>pZ?dSu|mIK+hUob{!ITbaOJ>9)-4 z3pWh57EDM!{q)b50Ed+}s5pXfVN~-~4`%w-^%g{UlCFOav)x6!5U|wnOTBhu~f+c(!E+q}X!p!K^)x)w(lH%nqD~ z#a)F{!TcS0kA{@CF*g%DE-bD9IQg*?6@(YWsoEoc(r2{7#Up}h)2(NoJETW(nD7N^YGo3g^yI@>I3d%O zvJ}KuY{?rlObu4Xs-8)YR%K#ah!}eh#z4$>(Q8Z?f(Pm@b<6aKcPeVT_z9cS9=c0h z4Mv(U!Fb3c`VB7vq=Ia-&&KTBXaF(hR}0Tf{vhawS22Sgn%B9#(IqMkjr)?z(`9$^ zp==>R&>HdNvW|HnhZ?#da~h@ZxNv#9vqJ+f~u0b>Pj zDy1`hAh9riwtoSy%VdK(&Cp269(#~9brVYw702!do&c119`jKv_Y$0F%U#g(`PUby zr?w)@ve_r%edc5K9v)n_(C6dD*IQl(0 zcOQ5kEa*OyCVi86A}WBTyqTrjj-QGS1dm`IfU7uwG3gj{M$vD(ESW6^V74;#bx^I~I%%u= zSyDT8-L2yYlJG0fqO~4j43yM=g-Ta^5`C|oWG^jQk7<+%m5)!3cTkorlCyYvxXkl< z^w%|LdkZIR^5d4T#=T@hjXGWxwpM?lQE2qgT}UHeM24I#gYDMf^%O+6!jAo3lx@+U z&tB12>IEM4QV=oeJMG3YJ5-u{LfJc(p{I=$wyx5yz6*-2_aOf%2f0`J2L^9iYj^Kx zZB26fbk7!9L)obTQo&P3^SbZgY-Ygl?ZbIK@Nv0Betgqo`;^c$U@=E54ojnspb=o7 z^l%#+gBT8;SAE6uYRSG6BkrPC9m;Ql1aUd~z6>XpDrn?3K7NrKwRP#_=?WLW+%h?F zya{dRL1T7_I04r}3U-70AEdT};%k;Q=I*piCLHZ&P`@*$PuU)GXKmPiA5V%>%u_AU z`N>&Ntu*Q6)hj%{}O-Je#udGXUYlq-_HA`76mQ=v|RvsHbxTH07_X~tvYhZ zrA$j&-3#)i3biJs5BXzG2z==oVs_;9CgvV?|EZ|Ax4e_5MA=MM-^+xPD3@+te;o1A z9d}UqTaA-UTrM!$6ue*~EZ<6sn)mmOfe5x06T|eDJ;GA>bXF loz?b&BBy&hzaf zy>wG=(IWi)JSK(Ft!Az&?TWan<9R_*?XIF~iVcT0_NG!g@gy6s+X;JgN7HGM(D1jodH?L=7$s6PGK&(SXoc`%rW^}7I>o?AFtlZ z%utvq&+>@ozvB96?DRnzRh4K2zi*7=~p=smkA(}Hy&)4S$ZWiZ|cl)VqW-k)- z50iIffISQ;_f6`;g3&^!*9S4Z`9>YX6(P3Ys#%4sb#MRZY~_iJ3h4KXVGn^5=6WJq zGTSW-hgx7$u{jNw*y=ncVhk43G2|zA_bWaxn(CN=E74x}`dc4+@oL_LS zbU)cPy^{V;LGC_18*@ss$OGY6*(Fk3%u7>-eN(8`>he2oPX#9C`{PsmB3~Y>8s4dU zQck4xWDJ0NgOYE2yOSQ)!eDL61prHV3^!^=K`oI9M$nGR6*6@~lfTwGg`1vJ?G8U5 z#yIMn6hU=n>(+R+<&(^J!zrT|h0lOb_ES`>v%t11;a)8a(8#(e@m|9Z)yUH0z>_U6 zw4Z*YTC6Cn^vFj6zL!Pjn_Ge}wOVEeBega09LjBPP)lwX9R)f!*?_7-o;ZgIZ1tR# z`IYHonNZY~V5MnLzxzpsg~G3yv8OX^YiW3Rq7^(yD#V-_DTA&FwrZ_4RcT^mi+)jU zqFc=cEBdc;HmwCgi((07&q)LoMEK`v5%Jdg|A06I>26k3E zMMR-yR&WJgt~P){278}C+v|O?2%J76UGc=k!@%oY(8P{o{1zpT<%bm_m#0hxl^mm- zA`2vX*(dI4Td3~aaG~20OlAas*d$~wkJorLTRe#|@;rk?>z+P|#r8*b^G4jG(f)Rj z#U5iOm6g|+LEDjGyq7Ll8+SzIl!VqO5Rvfvts>cilyIiI96}!&J%phm=f}9tlx%0f zM%?G2=yg~>2-WOt9=V*-;?`tjwA{y(`ki&JG3l>ltG_Vi{^NfYnY`GHep($6Y-RFj zk>FVXAJ`I@EO?Jh(wWsRZv2py;N^z7*E!6=qYM-7KyRVL@{#NW zTU%|#ibsQv6{_^fx+I^;NloNNEznj?EGadsGzA;WLmbOx+lxK)CPir$=*Biqn098} zSOthGDo=BJG{YM^JpRL3?yi%oHiGAnkdU!V)(YXh*@cV)Pl#XA?v0;;=_F0tOD6E* zHhdBq*Y8zOwKWv!1hbEzC|NE}m=Z_!MrheTY^xMb`5=I|K5GgJpTq3beo{G7LiYfd zH#zy`U+G1dv*~Rc!=Mfo(2h*j%y0?8In+Y%S1aP+nC%Rp5wHP#SW-iu3GSD-GjjkX z@Kxg~X_&NF7SQ-)Hks|5U3*29gm~)Z=fF$s^?9gt;5HZ%M`!vSI?-^NNOj3fErS0! zA*O*8Z+kZ>6lPTf(O@HdgYL5>jBo1hsIEmYoNpo0cd&ZPT?HXq(x8pI<}%|B2F)v) zEQNM7%z@jnc`&NBb#xWOdy(zq&HAFLCcax%XgBrX+{>7$`elxeg>CrpVy)$hj zRah93#pgfXacgvE-PsPlXLq0g433HTCyU^m3zbJQ0zuTow6fyD>t4RKchzl0-_BqRoC4Ju0u`>q7M!q>o@S-<4psKxf<+ft_;a*+i&~h|L`|jQ!m%p1LrDVVG zk8MJg((P&z#((rj5?9Zr$_h89I9Mp97>r!&&C_5} zLwn9FC&n{|ky3s)D7RPZzRbRU7VclVZKZCq<&;PS<2tqG(WcFYkbt#EIqdlBZzxAU`BP`EhRA& z8n`p-lm7K`8fa@PFwy@_C(L4fl8whD@q3zKgT&M(KUFOWtB2B6W8<&)g=wAIY=ud> z`aeBZ?2miieFKz&xgq3V)5XD%xN;ZT7lWahJ}3sLE>a9!cB%v>4u|>2!76tbDYIbT zhJCiORdE0Y{ME0=JPP|>qeya|yxQ4X)b9hxQ<@P@6Uz{|?`ekRbR+kZB(}fmZ6+1; zz;>!HMHyTc2Y%~T@p%vBNr84capf(|l1Ly@ow3?~bH$H(_pW${bP(wTS?A!A)Ljpj zN{g{dSL=@i4IqDl9FoToa3{5mK&*;%MhqpkV6HjebkF$%oO$CZQ>9M>zqKHn~I5l=P^Tb3nn%W#Pwqu#3~ zipUj^Xc#te61v%c_1nk#l}u0x-Y~bWHT^L9dwx4;C9HtYuj4)oF$*1pOAL9+M=!O8gMByUS&XR*5 zH-PfZbBKaLwel1W*~D6f;F^@Z}(=J49X7}Q7J zv#2xc%MxZ@5}sw4d@-n{e(haTj#j=BPsnPM$!1Oj?+uPp6#}A6V%&{enrLo`CPPD9 z;%4oW!ifdoU`9cc3s2tla#zNbaXLbA;%xs>0`qa#5hsl#y=dSUM1h8L$a(V0yZe+_ zD@d0mrFalwh8@v}kQaI5J@Ukd4aM_I@^)goF1hmf2Yt~V0}JZ1AKv&WzWx`AJLm4; z6>33Cz&9%0wgp_t9V$PxgZam4 zCuQ*Ry4Yrli5H%DddhbTOt?_<*~rx8u1G>-nQy8_iRI(r+1p;15{ED*4@q#tLrtx> zm?~`qPjPU1^|IVF28tjC3Avi|UoHz9J(%uMIjMsTmk2DWguOh%%O_tpwWIijf8xSkPh!U$C@7e&_Y!5jUAp>`>aF#*7n@0W zSQ1_o#mXHMnPp=$HvR>>; z60H(5SEUDTf}7hBhDKQ> z+bxj$dz8pZB)P(5xA?B&Pz$)kU&h^FIAOKWCtPnwYVQbL!kMN)2q+_FPVw{F(dnXB zV$kszM{7RufR){GnvOx>(KHn1L^ylE@giN!f;*pQhhFUsK53lAU3%1Zixh)G>I0ML zG>am~IR%F%YL|hoMn|TivMV=BkQ4_nukmgx#di_Kx)}0Qb`Tw*UWWS(n+uH{1!H6%n_|S4Q|ccxL#%U#*yxX1U|sM6_Q5e!i!P?`N&yw#o&k zw#9J7zDfXqHN-O^WkNt$i7Q*$Ib!#26>xRhYQzYT!UObNACTFx2%efbPRyY7{g`Mi$^AgcD3EbyF{R&ilyOw))n{Vu6;riif z!l|{b7&F&OQzMfC)nw0`8WG(tQpuhYdFxHR&>*Ble>i_!v`tiLZFOpxfKaHVNzhL_ z))b>Ug_#kQqtNU1XA?K$z@WH=|?KQZ};V5VsX!x8QzS> z6kFYXG7TBPNKyN+=S!p$$~u5?@La^}Az4P&);Yd-&#l3`BIB=qyViyb=Rt^W@q&n! zCUy%!srT744EKB_qRvGFjnMdmu%FVNn2%^V21o<%wFN8(*c^aDIXuPvBJGR!QET&OlJ_z$dZ~=U4SqQP+$m^1S780(GV>Xx zBBatxji<~v!cZ4N+WM7Tm0@F^o=)m(1sMsRTTx|Tm}E$p^P%aT%$=4`0N3{v=#GzF zyb}U$zn?!z_66F+M%hsv_CZCbVx($sAyxXUP}k;p@(WM^Im3v2po?NBa2DIK!Yb=dWjKR&&0D#Fg|>MrBTc^3oUim zD4Ii;E^t&BEMa0-t`#+XwXA@FPh?z$H}4I9(x8f#`JiE6CvL`wbMsKkUfIO`gC`9X z;Ng!@+8GVhf%~oL0A0#yuL)Igt9A1OFn7B^^T_8ulS=N{A)^~_nu)kun`M1C5RzS! z{1qi&{`wl4q`&PifzIdETps{Hj|l-?k2G%k8C+}EL`{CNWE-e-(T2f%jpv~>x}BIW zQA!_c1vE?NHJCiq=XAGYeM}G4oC#oo^<4P}c^FU=b`+Q5C~0xh&+6Jpc0=gmNtm66 zti}6se<_p*b|bbn+A3FhJH` zk9_=OQ3v9f(xEA5x7zBD0w=xG8SxZTtLS?wV=wD`etr0XbKmJfmFgKnDl_o&dt*%n zG?|r7)|Tb?>SC>P*s|$Er8>iW`sz(a;1PO~Vc5jY3N$n50jnsxac z9Vd{E-^t$|isf^V0yEa%x0C!PSJHriI$VNcrv~bJ-a^^rJ<}!Md;1~2JAqP-{B$`H zj)4Bw(UtQu9M1{?_WTa+_Y4D)Y6q!3ir(x>)_wfCkfdqWpK zeRvhIfVOVkDqS*R(V=zG_R5FVo%8sKh+i{{<*rr69~y||iPOr@?vUaVKM*`A%w;lC zYA1e@dF`Goi3vnlEtcL)l4DWbKY@>KlScA|RHdV`@V^A~C((NEvzvs~dva**cfErP zCJGETfN;ntW_<`b3X#wyL)6c3Ngf3_i{)ix=XHqsNU$tQ-hKHRY@%L_>_U~=HsXa{ zN{1l!P%>sI=ET}`u!Uke%f1J;U{-AL!;iL08s$pqJ(}@07;v*(R>mgj>h_UF@TW|eAJp^_q@%e3l(JGXkhoG=kgz3^B>+|VRtb%P9Kw`9@<>BNgN?3Xp<&Vn_0$puO{Gx)8DKi%D9c!=eotRz2^xMf4Jr#>u=htpg$>T< zKe%tLwgUZ;)`3tlU5b5a7#*UH=`3C4K)2z=l+K!!Hn#1_C zX1&iqp4XUJF4%!!O(lPOUCD&VZbww0to3l zwC;k=p*W|21EsV6`J!woU8v$wxdgXdW*(CpS?LPLk;dGx+)CYj{dn-Q;z4+p6?Xtv zmxgiHs5O4irz=9&-mL|cSf%R_IQ^(t+ifBC(e{H|^GAMxT)NQ*m}}2|c($pDjyVcUp#3D7_LaOlym6_+RFSMH z*Frs_rj+JX{dpMJbit7wNpmnGeDoS>>M^&4Ti!g{qeR(}cbv@2H#I)EZJHzObFuu^ zPCwMhC2n)25f+5nRCmWOzU)ebp1$v++t;nY-Z(Um)N87Kp=aXxMVYfhX@yJB_g&st zpN`PwfddVNX$V8GzVjdnIfUVHxNS9?9N7%4bqdQh@Yst&(EP}n)q4DA<+`x2rP;7R zWcp0NrI-S)xEyqWbULeDaFbqKR6OVkVLH5n4t%_P7M3Ezz{h*(`+A*vU&g+|(T5-< z2V!Lks&B%XUf;XS-SHy~BCZ;96<$5AOkOR1a)as~ukA$b6X_++T!0(viXPP^`<2ZO z(VO*#0Z=>&&bU}KMPZMx+E{Wiq3MF(xjp^Vx^r|{KVCkXcW>|(e?gSA zhIx4<9w;i4bgn!g4!VfPie0kbqfT5EJQ`f<5+(X$EJfwLzgFkkY6D4;bskF7F#6&N zAa6PZzo_m~Ibm%+Or)U}H{A)Pe#SB07#_7xW}#~dq$pda%rsa{2X=2qU8Gdh$zDek_RvYTrCFQfn(lc3Ric9+7a)(Dq(0ZM=xd=U54mq)kLS zj;gFLW(eagB{QB;Vy0$Rc{4sR$mHv)3>2xReTxC5B6cf@wqHt7yHDy1Fbfo|-_@q~+E3c;m6mVZLSR|gQ z-w-PK00;Th3HlDo(ICdqD!?jK{pQVNn#k=yL zff&A0tyg!%2!}_YE6rm&YY$$F8m|+%^@U)@ob`o$8mdPwV25hA6+%}a7}mc1h|LySx=S=$gYXZR#a;RNphpvviU^Mb+59qu6RFFc}WkK1bwa)_tmNLHCgA zlk3k022A8L^B4_xY`No-3g_d)==0mZS;oqS-4u#1;Z3zEgOVbep^CTC7SXHpy#I37 z=IeWA>-;-uPHc$BkAkYm$!jQC`)P#d2aMNHBrQf>uL+X3Z4gp0`p)tO5O&aY;`wz* zxF-yo&Qo65cyayfzq|l=ybnFx&*P=1+Vg?WzSXPX4s8Hn1hAMG8($Wvu!c6~x^G5y zT8h;@MdQrX zKf`^jMi<5o8t4E=MQX{D5{C}=gOGW}*9g{xe9yZY&{Vy=BDW4&D>g)n2g(;-@QyBK zP%kuk6!!?GanBBChZrs?om2&Eki+e?EXYHJx_!lua*z^&{*vTX1DFcyJ#i|TaTU22M%p^cF^HFPquk=92@%`&ArsRw*J4kU<$U|S20aw~VB*2X|l8wKGR zJ*OS#c7KHQI`Z$2`_}AFv+_J|_gi6zRp{Kl7JR!Nf+*`wU#>nn#5NM?f5*yo&eiK| zobTUpZiL4XLhz>BLGh}cWH|H3{_izSq(gIOjM9=racDx|2AL2%L>%P#959iJGJIcV z)ic+40f&wh5qF_ksmA8>EtgI$x{FSFAk3z#X)KAWhynGugmerKq=2HeE3KO5V%q)V_#tql0WlZv*@>G>EYRBHF_Oz1;3Nu=JbQ75u# z`+)`SiBG`0uTaMdUUldff1z=NP~}&O6O&X!)5cx`*Q$^@=gt{FhrO$XFb{gY_UvqN zS-pVvL|zHsW{+afz1Ypb9(UDFVn5%#&NzsA81UkBf5~dwtK=@e*Quk;iRTM_`9Lhh zRHnnj+!_rJbdfS)?EzVnZ@L@L&Pm@o6yveg`4f03Z4uoZw=hGNuiFkP6h+%JiF?W* z7F8{L!rr}->x`+}z8Mwtn17MoiP^m}lID`b{eWl_kWz?B9!2J%c?DMMS=!t94KcV2 zHBn^(nH67QNFL?t{%l3X@_|EufpTEQ`dcx=D zS^D=D;3LissL_l+YFbe)7Qf*vt@c%JB=YtTuSaEIRmsb_kot8p)VAZDESt_^Qy%d5 z-O!4RAHV7M1&KEtMCoPe)>IRO%F89-J5q3&y&(wr6_Vrz5xZ^RV%`~98>NJ<0)@ol zCW2Ki&C#Eg5|$SWhO5`Hgeql=Tt@|<3d+nh5jIjkt2v3JJKE)r=XhCH*8v)HD+ds7 z>INgqTCpn-Ul}e~v2xFyVOT=zJdw@1Wcf^IJBU`k?*UKz=16XBJJX2#NxA& zjTc0z_eQG9A8lMz{yA4)o7_j9Zp_hFq3L6HnTXNeF?`a2;AP{B{*3RH^`~WTPd-nS zL>X^9a~VYi;p2TRUrSuep!F<3XeBdCI2%7xZ6f*BbCX4c~GMLW@bLEHmWk*H@u#G1c!Z{x!(oF|2{DLXK)Tt>`P-Flis>a=_TJ5LsWo&#(3vo zbvT@!Y*@@Yu4FAFY1ckYGBO~XIf&hOgqcJyr2sdPH1*{mD{&t6@R*a11*#X9&?6 z;j`Y+iOZgD6P%$nC$!OV7#HsWWMvwUrE~&^(p~|kU(MBwJ7&;zq(kFb=Z5F{ycN0V ztZNRoR)6Rn!ZpSdBD9yupy{mp)byhPHr~N}wiCOlchj9|(o|DPw;uc5;|c#QMfrg~ z&Q1YC5*l)4lCLRULU>EYX!=bN23C80_&ghKD&TvO#%2G$Fz#B>-mTW{NCc%2Bp z%rMcsqB=rwF?Tg+znteB<(CR{Z{IjiPXGPRN~kw2cn4Vy*CgN5|K=im7>S>dP!l@d zQIG>G8bdxVhEHxjBjCXD)&GY0$o zKs%;Q=HTOGe{q#JRXY$*pKp`eoG$@bd~D@roa0-b*P4z5Iv#6cidhP2j#m2)s|%Aa zq6E?Rv8&s2X!zK^m0UdaQ;k*y3kRSciW;`AX!pYZj3tzFALVo_`NDMgWEJ~!$Rc*( zFrc5jxO;7yX(rQir**%a|3%D;po8i%o~Wq3&Mmm=SeEJdb_v1Gz)@S|6Ln_-QHT`;0BsV`^6T(>Q})wQbUvu*^ctmZkZw3Qzb(isqFZTrQ0*ez+LspPm&1$5 zfa$G7SHG?hP)mjVYKT?F)Dh7QF4HHj%n3;hSIg*@b}*|~e6f@o*6*y*DYj4F9h<1P z9nj5=J#zqFIDvSO-lh-JUgLC`ICFqhM?8sRnDBhr1vbzQ4X(oV`Y3CI)W%oK1Ibby$T#xb{ypn26GV8h8J93!FT5ADSt*xLbLAE z_zOxl11{x>Nzg!D;(c}V;Y;Q>72j?raGC~JnINiVq#(S!4lE7ywv~#^qohYLf-a1q z=gN{z5KPA-8|Liu76-%yn1p z{NCd4>q`9(`z;Yi5WZ}SUZ}lm z)7VrLrYW*a-&Egnlr6Wx*p})Rj$*k)I{-=Px$W_v= z@q)BJnn4oFlLw=ZNe?`yGdaL+Bl3$MPa-RZIqG4wh?0ozcjt~^xG{Y^F1$j`wr1qp zs^Ow4pWYJ$fBD4;0XnHj;_U`5v-@~HQfH;2xmr%AXJ^$bM^&WM5v4HWxO!nga8>qKTP{VJD--=wqcGes(M(%TYdM5a8mA8q3q zO#S|+qYGki;A3U}A=T|dhbkNEwW?#XyS&nk zBgQ%U_Qn5E-9N`Iu^co&tO9s!#w=lhn;_Ukq8K7e08HJUu?r@$dgQ1{EOa5y0H}fx zRUu%6b=P6P949q4J)Z6H})5F`McHMo(}1(C(hja5~E-;7%D zb}J$A17jaBaJh7lNsp_dA4YOq&N1{OI1lk>v8#Q{ewzM8t#VJ<-(3BT;2+;@fE5=` zX=9`yJNTi+*HU>=?$S62Gb|1_07^Uqv&{T&vZaU>1k$UdL%%+$+;;7$2q7*><2Ka% z(cm!>jpRcB*boiDFx+R{jTCVebSDrtbX<@7gR95*J@%3B!L+Xwn}nOK%4`*Eq1a^5 zlc{tXc~XgTXQ}L)uVQkGItpi!?*RJ3!77&`PS9QL>0Sf{MK^F&y0ev;9Olv@qQR=% z)a&M_`&ZuKAXoyh>p4VUoM#7UfOj3!&WU*4Xd+4M$b1$97ztW9I^)VykzaU7L>!Ix zzFiS`P{5pH{vhfD^hqY*gunH9p=WohGrvVuF9aJ<3pHQRm>{$rnR7$MISe|nx+zPn z{qgJf{{#Nd|ND;&)ZqCq4r+3UvUwlww{fKq{OK@$V~PW;3LdsB82Pz6OA$W*pPpd< zBEn)rMBp;oPIxyBo+c-J?lFFVyU*PO;rR$Oz%~DcnU#jK>HMEQjNDUP7_ny_qlMK|Mb8WEEp9IFMPXuTs!~2 z{=hz!#Bd|AzUMprr#JPlxBPz`;QuqER^%%<9Y_3%ct!Y6hpyvVhkyNqKmEXi(KV^< z*v;Ml@^%$;z=!XB&3#AWKeyrk?+yE3zli_aPr1U1dv>-J-#FOk?|NeYc(HGO!NN}4 zzmfdxuTS)U_TvBTQ@dUjf#QnZ;r!pcu-}uz!k%XRjrw?w+5hWXYsQD2`s-el;W0m_ zzrKdlN?6zo-mhn`{LMR6=Pc}0@~>2<{%=e2c$PRoL;e{aMED|SAV>ELPM2i)s}neW z@)J;2(FbOH;rrW8^4;HI0TK?J!?d2HiTVAhhyw12!>h#VRNKOff76m2=mh^+$@&vd zb|zoG`#|oDY-JdT*-fwr6QAL1E6!D;CHrEkSSD1dxSU( zI_v&ZW?Q%kJ_bWnwzVf8@`*Dp8co*wA+zfeCa^u@0Aiw~pY@jweTc9(0fM5lI%w0R zVZ3k9moYDO_k*-D|DKQHAjIdqpXz#vK;q7Rh}q@e!a3V1hPl-K2YX z4nRaOao4phJwhQ9LjbOBHJt#1I_|y0TVVOg&^G>=@5Q4~>Oe|fmM5KaLz5GPQt1)0$D-*NMn>)EgTLb?norGIo=JV!%{GhSMb#b z>J^Ok*fGFF;06jI8&JS_VEmCECE#k`RRdk|@B%sWt4uR2v`@Gej=>ZM)sMFp2Tj0x zq>e{|+UY$^K2z5sOihIA2!ACdALi5y-a1@a08Gv>T{gkmMH#@}?vI8|i_1LA&U>RB zkOH=}hYVERsp$5ok;Ghs#t=dk#AgsEX52D&LQee>J^Tkf%$75=xfT`M>cMd@Boru-9p)pLklLcCrv?SB<4d>kZtyrhBAzy=Cmkb zGP1C!-lse6mJJEfL{Q5wen$EfrL$^4~p!+B#19jtO!ufb%v*$ou^)arF zw2cn{YcFpL8pX|5MqsC0Km%+Pnj1vZ;;85Pb*}yCZ$KdY%c+E`Z}N~4fE0=GP>D2C zg8>qr^|7q^+Iehh8ixrN0EvJH4nvvOiaypo>AKLN@(>=eueiHHmya>YK!pKEMs$`@Nfh^(X^iwNjQ9Hm$oB z`>a$u`p40Qq85`wcdC35^BpU%>Qy&NR9D2gQXKt>M%{Hv6(V614%ci^Nj3xar?eeQ zhkCN{M?Ml)6_&C-B45Yvd|&MQK?qFk0{ljYAmBqWW1_~PM>10$sNDuju6cr3?4(nW zLz3asQ}esH(bLIK4Xq{Z?9K?0%tk!1E^A<8kUd~iIdgjFTj;+(tRKF=vK&hX8QjVg zDBnMCP2mg_6rX{2!+-a={J+09S9-VKbV{j~WX=8WQuDcy3Q&++_@CZY0zkV*W#7V- z|HhSl5C@k8#qu=**zWzKSN@6|F=lV|+SJScX?^cUHv%%U)9K?wfC#0evdzB`=_E*~ zQP+MDNfCG{vMeH71t9bsrAyJ8Pf13kBtc9f?~mTMBuj0ZCj2fW{wv_oXK0JpxdQ9t z`98!+8Bqe21N=ujcPk|^Y$UiV5irT^{T6K6kex40ZjdI$Z^G~M-L9NWpq34iPwcoG zWsKET+ODZ*l5UM*2tyLx{b2=OiS`Wb<%?N_J&2r#?JMu5i+tzzj=x`PbASaI&Hr}4 zzUmEt9`%#;u07?3n1Mq;xyUhTd8x!O1Jw=KB1xP90cY)VKZ_gM3c&hTNigGoU911s zSC^9SZoMA1B1Dqz#QT7=L`Dpa!fJ7~f;o`I0i!^*V)IjnAE3;U?*wHVmD!&NdVyO2 z&?!N%i&zvP_tPXe;)kbxGUUP3@ zQ|K{}Td81}d!P(t0wM5*$N7e0Pk?Czf{yfi&jfQ{T=coB*EbE+Gh++8V6$Qq{Sru4 z5^I4y;lp)z7f*pf6fM2EkEKn~89?SzpOx4Ps zLw0$&Bw+B2eXg_UCv5Je$+~BZRl8??1NoWLl3)9hr3Aj_c>oPl8)m^)JvbOduhV#c zsb6^3?-Ow>ZjvnRl023}UO)L&FB4;NvYnun)($kL62GI>-;x8meO$G&qYJ3)Dw>IE zXM$}hxmQfMexFXDE(`4IRg-V;uoQgmV35vKMa=W_k8uA!O3L@q`ku~5jAXbE_?So2 z`9<9-Uy4V@c_)i zWD>9EAK|;!!M(HVJ4g`%od&BFiK6ETR*d6qRTCbO{Ts9I7#B_pQ6=m`|5tnV-~aLE z@AHQU#jNq`UzEV}cNa>zC{jtot|+_yp`s80D651KbN?Pd|06j|C!Yg8g0V!UD|tRf z#K_WbaP{5)%Jb+j3kFOL`Sr8cgkJ*Ba*CC`zyK0ua_1@SeeT98I49dM$9t(@QieDG zBdPDeO23^HdO87&)07ue#wUTAY#xNEMvjNt)d+r`QEgZhv5|Hf;5K|Yq^HqpnzuBV z+g?`>mL6usX%>2kerTUkl{d!&fDDePY#hF>VgT5Wu)T(VJ7s%geXSzK#@*k+vKsi) zlK_3>b`bbq-5OYVjlDwDu((PzubDwH-}(2^68xI;eSf;#r7rkfRywGvH1%5*=>Spw zYwH86O}}_;ZVMpYi8IehYL{Vf1~~W1EwGyO6};F4PSr20pL%HD1r8b;m(BF}r@=eC zz5@yVwUM$5IjII`iHii$KZ67;gWdn2OPiz``Jsxw#yN>r9 zr+rgKjhc^5-D*o(r3^P`Xe~=-bl%S-pHY4tc7=g*eSKY!UD0q;MDRS-&x^E{c(ULb zcEgFzDqX%@&m31D-9D|JiKN;MJaOG6udp!a2l@#85e8hhi0Pu)ch9T-C$AgaH-qah z1mCKrjCe(Q?OqBVvrj27i2eTZ-9O*>*S8}YU-5pf$G-|f|ELk>6diZW*1(u4Ounxpd$<;8j z@MF&4dLY^vdY!GA`dz~-#WCY;ED*`NHCo@KsRIsToxn8J#4iSr)O45J*{+?Xqy68n z#VhCb+F0w{84I#KkYa62zXFek7Z+Fk&il!oP5@Jwv9*HYrb|l%8pL69XoI&gUtxdm zuE6>!t?xpbPpkt9&fDw`J|rU%J7d98!-ibSt36F%IahXdQ9{-XJ*1Gd?kfxU)Irwg zzJt2E9IblmI_J%E|H13m&9fJGr6{$2s{L~-jJY;}SeFlk>poiMKLVX2FEC}%XcE!W zl^(PG#6{xR#gaBMaG)%W1@aW>S%XQi*gmlxc)(Y{s`2U7vGqQ1PmEUtJgAE+0giWo zi91g~*3{Q6_l;BH^eK;9-JZTU;NtNr5&C0dL52h$GvK=lsOg)#X<7=k%0uPkYPXB4q{JJ?gbv$WEMdL504) z&heg6)sONqZ{&jN$sZ$<^@P*p-IHW+p`WxX=hZf?%)2~6y?FgakaJUoxmTdUyYQ1z zWsTc<117+Cn-gA&8k38PcSkAgal+G%Rm>Xid$fL zUJEO@?^fQgE=Wkcqxt7^6i0)J(IS1dtwts>*q*5lI4Lg?-@A2WO7uuR89%i$`dbsn z-7rnlx=1gBl^(9e>kM~V8833_iRkfm*bLFfkuQ7aRW*4wt=SWLtXSdL`W{^MhRIwQ z%>jO&Z#Ctpcb;n)X@bJK7`}S*b*XPeB9{GZPZD1eeo#OwM zPceQf>!^LA5jc&c{xbM1Vo!WdI0tu{f4W^0wYI$XWpVJmd7BTW-_rDB;4nnTC;C`} zsk&rtJS%J~*eo&#|DNNXpl_uudJ}Mk?qH`}swQLUb!0gv>w&FcEXjUX!Cqj<9~`As zF1#Qs!uPMdu!7UvyN!{ubUfdHjZ<#A_DE_T)@`-l?j7UAvA7!+DNnnkNRs0IfUA$rU#y(&9 zTaVAYk}dd1CLxOKQtZ>RlptOgw2|ydC2{fxtUS8nsMs$eD87eI!si}pMs5rF?OsZS zI)P@6E=6G0Z;uc)#5eRdl#8flmp4{f`NT7B&N(GACnz`QXU7UgtjRX#gN+;^HLB9a zNtOI`+)U%TskD!blU4m|?~ov|z(4lmWQNk>G~+M}F7#XbwlxL{JgP>HAlTBJ_zLex zxG}f!efYjn-i=(5j|CVDkGd07rn98moY=emXd|@ZifeLa2+f+ZL}0o7%BcQSg;9{3 zS9IYAzhWcxk~Unt&%5}jeX{S-a_-uM>+x?N!X>9OE<}i6wE@M5u<&kI;cjv z4XUrY#ijeb2Um#x6X@f?t{px$Ma`+m=2XeC37fGa*5175af2jb!j<0C%R3TGeT{@{ z(~*UbhH$}+8>`NhY!B(#XDuW=<4Xt+Q7%R36}v(V@&ZXzFy7b6p}SBJ=h^FGo9b||y5iFJenHp2S>b8hc-rB5?|ORqhoZGQv$~Bd-|Ia~ z{f8g_XYIs~sJr#g)vB@|FVX!|t(j;^=s^6C)s5V=U!b_x&w-L8ck zuXHFR1O`m_13MFLAn|f@r40>uL(P^v6UsV%J1;+0ey8jd6d@gbW2bDv4)8HgBl*-V zNgs4-ECb4-XH$DFlhwW8dZuHWQf+$U?U>#5`lIzuGoQ&%EbnOc4uF#Aybk;g{Rm)p zC6bJg;o*ZcnVnRi3VW|_fhm`d$P^y}rcLV8hrgDb2E!Wk z{*PXYintGtI--uSpeY#?1=Ux}1BA_F{yM#D63BlrGQ|9Ec%B7d6q?b1-|7ViF_Kkw0nQEoeg7LAEd4tkDeVR z>E3hJXwON&+wQoPv@&#p8({F{q^TJ6L3ZQwe}88-;CtL+Ngux1Ti!n;hENhn1%NdCWO9(1Xcj6!G*B) zTKwI-z(4xqZMRM3jrdIbz8>(?s|A`j=`r{K=8#H%vOb|FK01Sk$Tfa_1xFh#{Rey~ zh2*pQPD<FS4qrj_PT3|`z!k`vg#_mg^}U)D@6eNDvx1d zcP`g{_l&Q6JjWeUu$!VnZHFxo=XE`w%oKiYFYsa+=nit%?th@AwOTepZkue}=wYX6 zMJyW3HpWN|#&eD7+jPX(dRf z-aDmsfUhsaAdYQr`~i5_gS4f4;daw~R#5UnP>CVYC2!?$Sg9pX_!~{3ia56KX!PtG zmVx@%v_{i&IPbRBFa0AeU&*4_ut+SBDk1crWKv%VYtIWU*)cH_M`dfbc98AT?;tCk z`tBTHdUlWtNs%|*Li=uu6rux579yBdlI}u0G>VK^GCEmQEX6eUpomvwSo>E z`!u3|!y!$Mf^a^fFu_Q|u0Rlq5F9?XL-h7brN}6T8?G_Ad#|vvd0vXE`Sp(A80uUR z?J{p>k}vnee)*?5bL)+m@ILMd*GkAEFASY|5lrDsMp!iDsxP zo4KQebCL+%(yAWcFEMqg_+5Hn1tu_ig3f3DQ^}pB^eEHz!PTSd?(h@?(rD8+bHsZn%O7Ls~UR5@M2a@8o1rapRYf54-EHGMNI|pqZW{#DBuIjbD8IUj6N{#V-QF?O??v)ioLvadJfz^*5h00&iqaH`2p%;%VBQ5y_ z@l@CwwMF(vWY9VWgX(h8h;zq(7#liR7n@#G)`7iWmNiYu3M{h0tXu!6MGV`P;a~3X zbIW_A(-a37Yl9 zuK$@ZOoTllZJ_PxivGo%!C%#Z@vzMLWZ3+Yq+V20{O)%Rt-s_vO|xR zW*o8kdP+Ct4T@-@2PK*ayNq4P6H%wG6|xuXPUfI;eoS%w@l987IDgsO&=3(s z%RRZ7>fs}x&z34Lpw?~eKR&Ab4jldFONut`mtK71@%j*~ux zmoAItO9JOk)AfjJ^KYNNS!iRziniHKWy1nO6EFQusrTV(OMTAY8}6to60uWZ+-_WF zgQi{C;$*FC_+TeMqzHO+Gu7l?v9KTrh&rp__T|jW)ym2=&$yElrgm{u5B&lzXw1TG z3hQ}s1Z$=dHX?wXXC|&XC<&kqTId!{2B$x-&-INoGx+ee`FR(h?F^&8znL|XXh`7` zRAJp!PTaA_d~_&?t3V%qUlph|KnQNg869WUj@8&BqWo|ig^U7jEspJ$)}AjWWi=f7 za+k%u*-SRfSoUne`K>b)BG!g`hEfwCzAE+Ts#sy88Dw-;WN*X1b+M>=ac5e%Y_d0q ze=9{w0RdY$I{LhprKHE*+b)OkpX<5fF6hnjqzG9Rxpkgi>(S1=K(zmrr~~sLWV8Fx z7bt{5kM9(UX&XW*%r+n6a9>M%Q?DttJ+>XP3Uw++zS$C!v7Vp)d$@b#)kN@j;fcZf z5`Sdpe(WCgj7RDDLQV`1kB>{d8w?`$3KQf?Rtjr{iT5_kIu>K_K3Sqax=&CDPa&@0}cNU~frvC$7ExRHD_>TEX$3z;rjy-O;kdurwcapqI@WWC)e}gI=C-Bx7Ps4&*GQ{H=&N=- ziiVr6OB82g(sG2kPZ1pyz^~-^>vO1u_(HSyQE@`dD3G*v+P-17FMe`cBnBuNl8Z@b z(jUa00>h~x%=v0cS+I>PMB4xCxoVD_#z5f7^F%7+DW%HREaB-B?N4oQG8I*PPXeIt z!RjFFBf!hJ@1zGTVtZ*h+ifzsJ@VqGYoxl zBI`b>8am$|SZLo| z`gwX%7Q~Q(v~oOU{>ULX6Q)P!#v3DgK-*o-@LDwsyP&aeHK;9P=KT%K$=oImVO#9h zzV^s$G}D)o?CJZ&FtPe6SXs|%+)L(t8fL_^3g^O_oSZs5&@`qFM`EZ%sU`br_eYdaSgjpa@5`N{*GE3+eJzq=Y%3%E^Y=p8jWvsM` zhfZ(gvhDN|8QMf_kS>ri306;}6^IuJY1^W=Dvh8ERqAi$jJ;o>*jOV)1Ct|%oouvOkv^Ho5AZ6-`S!Dw8^GC9hqmgV4Jt7&#G3*W$70N+w~qtQ z56=(MEYxg;T*R!1yJlT!O?2Z4G&k&P*KN*oIvq=ldBfRki+}LF&pwnlzxphH%gy<7CH^_9hr7A> z2a42WfN4OZC2?fVs`e^YVlCVlD-=zwd&XvOi+9l2RSK_D4r$0H5SVOzlZ{9V|471< z(*hM;kBHmgxhd!L>5 zu}bw-R5e(?qANe$=jeky9tlPt#u(<*lwr@ zPSGl=bPQY;dj%l>EcLjKXfJE#_&X@I#jp2J97?_7-GWB3{CyFPNqVQDuidnXBYs`MJqPu{6c1_Y!Tx=BJ9voH43cS*h$v5Ceve6a#Uj`N=v)^D26^>Ukk zzR2;I75zd~to>T*%JB{e3Xh2;`7dTXXnjONwr=#F3w8RMo)5DNKCOK{dbw|mwc*9% z4*z&kt`hJ3&u`Dvrf=NBO~m*V%Ykg3K|+5nbBW;jB`tKw4~pDb&MyxX5_VqrYOJ=U z?ra~#w(GWW-9WgH`HI z6jqj8it+y4In=K&{eU9y18}vZ95(k~`}9^JX)!vx){JPs&4s(VEG$7_lO-CTcI;P` z!VCy2*>5Y)yPv6LR1I7#o0W776zC!X8|8#3y@)}oHv9EkWgWUQu6WKk*do+xcphL=3X0@h%#D6&_K`;aaPCIR=I%@|Ker9^1f(X}a`C0c0b|`3{?3D9T zixMI7OC!B2##zWU^k=n_#I~B_v!+AOM2oL}N^x+Jh(+AR5xOXij;702LaHstrWdSf z=M+5Ua~rxwZ(Tza%Qo57&PUv5B&w_ki0a1k{R(%C@6mWKJq`_0&B9nCT>^r#Chvug zM&2j{2=a>qk$^&a@4@_ZRYh4;rvR=%w9=p7WE&a+g{q&vEqP6(y?O+@-1382OJ!&2 z@^n?0)tKuXK73(ECm90$l5W{nYu%(BS6`KcLbM*g;% zRYdnFRE-7B8ftC$o$?JaKh2ldAse~NM#Al`D)%|#|(QN?LMb4 zWv;)9`W8^M-aHdtS*MND9#bJI<1(GNHEAZ>hb{D$-WQ+Z*l%OYbA!F)D z3p(lM2NxH1FY+cfdS`30GT}!{Ftkt!u7ZF=rb}$JB03W%nJ=NSk}S}G>Vh0A6?Z5# zXJLqE{TNu<*ymjl0s7UJr>T6`79v{#9Ofsp4-BTbCnCpgIOpqe^*S8UL7O@!E;|Uq z09*7Mu4YZ6yiwuhXi(}B-f~=Fbmymk($>#BA4fhIKTIQ;mTfz_OV*jo(r%w*N%VaE z>g<_6lu^~%t8Z;6x8dPeRDWP1$if5CsTJDV=geQU?o^5fz11fn!_!>Ce`yxFUhwo9Y>xCzdg?Cp@ezQ~9vGApl zEj(O^sSaUW;8NUU*kgt~^BL!7u^PjL9DFh`ui?EFkpc&A{7=WLodo6#XFGNF{XYSr zJPm(V=Wsu*&@6)b(46C&@@jCJushb}HpSbVDREXJy$*s-G~e=in&j8PyQ#XjboIlH z4c|7M@%tjMN1ja`SC&~>8!*5!HD?ZNr7C)0ZzG~*R86h1fF)y2&+|tg{zf)j#zKQY ztkg*oqqE(JP&cuQRt&uZ1o+Qe@S_yE`w2$*CwIrBWcR_sU??jg;KmL7o`H@pqw;(6 zGJ8VH+H;n?VrPdmjD$>czvQ(A925KohpvQbGP)vj8W|GLNIvH$`+IgMVMJ+r$?0Vs z+fq@&1^WDp8+L#rqaDzY=F4P|#1SxeWW2l8BulA)g_Zq|@El^vy;ku+Y&n$4#hC9% zyM&3$*I616eX!4a#91SURwRC>Dtd6KAu~>38nSmzkAc_i!RcV+ zj#v>{3fkd=PtX)}{fhhfqizvBebpf3E9ZtkGE zb@QCr?*Nm*u49v_J@oyXp6B6qI1<31^VcX87rFY`WDEXntR%|qp3@OpHr?#qu{yg9 zRXa`PbiAU#vWQ4;`yrH7*W}P!@WH)L0r#0&xQ+u{6jltE)ms?r-fR9ois?tp7-J?0 zc%glI3Yu;{joTW?J{u8j8TbH3lkh7(7>po#!F}h)Fwtdn(V%E|=VSLCXVU@;^mtT>5 zV&CU>z-op;(`B-;IC{PWhjHXoMQd{A%F{cP5G84+c2+Zmqq9A6D~7l&`@+d}&+&em zD}xh-cpE|mradfBKInX3gU!ZMmM2f!usw+-MF@*l(@!#|WaO3UV&|-a5?q(6I!k&iq%c_o-`}fwV{8lM(5-_TXoIRWEwx#S|Kp64Fx3VDnHc z-kd{AS7B;zJNitp`%wvh;af_njf-7KICaqdp%y%)CfocD^ym=P9Jy2C28!@EJT(qj z{9F6jTbYeu6xzHiww^5v`a+r%e(9eaa#ZT)n_Uh_w%-36h|cE<-Dt&+w$uC+zaV2% z*w)ujo|h)p$GUU$_LgXIJ9*zWsB?1`G2ww)eoPS-BNnhPJ*Phk+e!WwJaR zzEHQ?h%i9Er;g_Oa?gip$_=N80HjO1T3VWJ`jnezs5{`jL#()a8i+|iZK@MxhdylA z8(RIbQdsu;y!&N|b#gv^=sD`Bm{+I!RSnq)S$;_y+0(*`VdI+Iwi!sIi|e_NG}6AI z2PITFnqiN1Yoz9r|A$nyOWS)qwZwm|U~_>>7!QJB6|sAu6|!HMy_6wNDILmiX`iEI zA#7C;&FIJ-D64mk84?g~ZNk7nVdysh^#p8-_@N9pnTpDh>FLY~}Za+s1n$1p_;2f6IJ#KM<>q_rDC37C*Nq~j*h znPX7*TCicxA2;H|Q9ie8igXEIx}C>oeUL)8nWaSp*aRk4nfQ89RqvFaYP99y>aM|q zbAQ@pkN%DUo`xw`;x<^za#5)((dzM_m@`1CgA&3UQ*^T!(4)S8)qY+<+8}t9PG5^G z+1TL}PhHqVT3*KSvFHx?xV2cvO{*6!G!MAdgS_*jV^W;F)N7bGHEt2+}hufpFKW94EOT}q8V-q))#jfkPC0`O5#rS zTG7=!xGyiJnq(hY;N^r^huxut4r?f`Wb1dgo_Bpa?WfU9NtZDM4kRuTF(0_dvVpFn|VP4}Xv>7K-SmFm-ns*I)*0wP2(j!B9zhbe9llytU^` z;X3x11~Ho1bQUGr_Xfk`{lnfK(H_8iwE}ql4CGRWVZT=@trccIziRBz+(2d-ROhJG zqqw#abWqzgO7P4#Nc?(%T2zT~Uvu^4vaM3pAGO!k2~xH8dwkX^ z@Do@DsS~ruve{LnezU*rU_8KBf$4Ce#Sc@Dj!AKMIK+i{D;}Q}RMH(O^!~93I?4zC zc}LmC`hRqkuIB=-nc7m4`R+8#9Rd3i`|!ihzYwa4Y=;|{Adk1{Dlhuaem3V_TT9B&6WS}6jySD;fexMWi;p?DM^(?0!5$@iX|(X^O%86X#O zv(5VFqiN6Iy&PgOK98FM^qOj3SSHH^)d;4H>G&S+l-NzQJu_AmHsyVoH>(E8^$>2j ze=^c=Qo)-H_WDBDw*J=(2KL9|Qh&Ia@MrlV6s_7HA$$K^PNRQU$k_H4r~CmP9w&Nv z>*lY!=FO{Pp%dsvWhM&jmrSw-arU4NE!p$8o65@|_asC8eui>`CnN6^bi>nB5i?)6 zfOk+_JQpfNZZu`lk|D|DmZ$VqAEjQ>NwN3e2DJZHD(!-RpH6CR2WRA*TK{mM8YiqC zbM0c(2hruLW#Y=+;=$K@LDpBf5Qz_bwbIBtO-BeEYQ?N3gaY&8HG8aBZ(r>NRyq@9 zSfo0AeJvh9T*<%^WGTX(C(0`TlXCCgKMp%&SU;2H&9Rk3L% z+@>kyjviss{!voHU*%FN$v6aTUOx({5Ry7eB~2TB>*{6+0rjMAQQQ0}D=8Oohnh!> zKvqLXq2L~$F_C0Q9vudJmUY6YX-hu4wEavE(##{K&kV3({|y~Fo+G*tH$c+VD@jG8jJw%PD)peQ{9mJ>Z0iW9vp^@5(jR}a} zEo&_X3Y}m2RfFj@fCcTm>_%l!j&T;D#6C}(!P5S5uGC(6*>LNEO`ETNLQ}99(-G}+ zu0B1+54n7amgjy++JT+v6Gqn=?s+oWQjr@DMo;ZrzC{^OcKf39r?nD6Ah0~W5=}Qv zdn8f}EpUi0=lr$===yMI>y%@_9SX6769v>un`NXjdrPxQ4x3h@yOf8_!e%<{gU z;UhlIQ;2ZL`OvgrxAS6lH1zmMQ4GUy4+&vDPBi55bS+=ApP;dRZ4dVbqF>QcKv1W*3~iQ6@3vpJW<`NxcV&c!LCs2s5KN9K$|KS#D4tf9RHZ&{pB2zC|z zG@Oj=Ac!-TMcctf^TXifV<#aEq>7(5{~$7D!QqW(V85cN!uWXchRf3Cj?k*WbA@K_ zV#nxMe0*sDYYtg3REff7X}eozNbkgNZ#aoYDl`3=y`85sQEpg3)AP3tP|o=GD4P1R zdxh2&ZS6GZvkL|wOYPmgo-K5RBJo#7Ibq8UbAY$AVQ%x?cl|=| zqGiOqaUKVz0%5U|rzur9_+@EsdI?bp+UI&^J{04gh=_?-qjloh&{z?C zF7nEvD5~7EiO1`j7P~-X(Z_cAI}T%ubrm~xuXQy^?Ii9d38C<2 zZbRECiN=w$);!*&=4bW1PE3ptNhv2zS)*-`lWj8c>FR8>y=Mvj`K2hn7Z!gNspwOJ zTUQdqj<%uZ^&$eLAR4~K#|Mr>X6!mO{9DiQZ~4amDdqU@zTOoFUE|*N;FEC@Q{{6w z<+Z?9-9m>kTFoZgIs&9Vq{-qL3&_m<{rN3po5~!`R;{=I!EzYk*oogu-Dz?T!2eD7 zw!;YtV+R(@QV_!S7d%)_4J!5Gnx8>GYZQO&a1uuyM}Xivo*okNMTQkdEK0_fpaZ=zBEa9*qhV}QK01G@UryxQd4tuOWU@Gf`oxpE z<31@g6Ym7=qf0__^z0%YiJR2q5oDoFQdWvV3dcNfME?E8ccOr}5l=HNvH}oRxXcdd zXl!d&{`RSN>oK^06o{M5K+k4!o95~B{&_Gl>wccEE7i?JTldqB&74h_{fA6+UwBsT zm^Ws+8}xMP?=VmRAtnvRDVdi?izdjNH}1+eN8R0=t;R)bW&%TbmRP`GmF;#WHD3%; zdnWwHv24il*P0z7S-{g~ynrEX3O$Q6h*)h11qaO3r zn8T$IuH#VOhYEt;guE=epV{I&oci_0SUK4Xk9ogof=DrC?Bq~szBXr*{&J|Hi!ow1 z#n=uF7^Yc&I~N?z_iD{uULVS)JU81i{?MZO(>C^L4l{fJ%#f&S7e8{js-ev3OBXBkPgZfo`T%RUkfo8ol@(gzd(_%$qEKGTJ?!%g*cad0*1@+t zs{zKeqxWD)XcjZEyjW?ST&J2QG{I^I@JPp;oYE`JgF0+{yKd#$659n!g^k7l_1*Y( zExd|uzrhDAq0yFMN8d5cczn42{PZPyvF%qEAJM*9Ab^vQkMh11<=vDmvI}2!N`XW} zTA`8y8pQwlBy`VtOaoZ7on*B)*0N1e%OEHE=26mT! zy_LVMiO)2xqwgfQaJ=@RTRVOy;mgPJOD?&e>YTsINEgKl)8FKV zeHiun-}I-pcJS|P zYcK136x5c6g8no7Z&B@B=7Dv_C;NYXEO?6R(R}{XmomrWb#hDB!){?W5OmdotnE`^ zV=YJtxjI~yakLfPw)dw);RJLxwzYVkbwD2d{K$8PzWPJK=~RhBtP(P(P8b1gOx|t#iuv zF$-8f$fk+uiNRFlx<8QSmd{)fB2si;Ns|>Xo_sO|4_KY*87@3#oboiR%u~$u)44q> zwOyGv+zCw4?WUFj_gi250hu;d#w6VobSa`F^EON2buLIk;OC8%5c~C>5sINx6W1EM zQXsA4X?}CXxmuehO{Y7R`u+;{N3F-nb08e|j=~98n(>rp+5?73SwT+5MJpnT4O#2~ z4pu%8SpU)ktmlR)r}1C&B3g_OIhDJCQ*QU`tZo2^ezsSb;J^LEDvb_h;8y$LSlbjx zrgS|fy+(NQ3M!3Vhazs?G(>~xIJ<8doMnAiMhX=2%74S1+zhaZK0*y5`4mL42J<*X zKqA^}yPXsum|s5d@Y|DkH>$uxKQD{gqn@lSfCKD3c=uy!eK-8AOF8ifs8!O`f@iLu zO9GIZ?iX2$x`j__(jM91s4*4rQb9@!<&&+HaP<`Yv(eW^uaSz6;ocK#8#6HT zdghn9#jWBPWt_i_UG%yb^Ge402OJS8{KN6JC16ZH)-!oHb)b`D9#F(TSx+;2q^36O z(g2YuD|#myE21>_TQP57{c!7f=9=^fY!13Juy_FfaE5*qh`*0YZyw)OmJL@n2`eif zBcoA#-`ISxmweqKM|T?#5L+|YH@o%8Z{*EE(nm~^5CZ;8bN=ZGAQz%iuzKTw6gE6| z;wMlL?Glmx)_b>8k;UR(}{5RfQXNOm`z26CJf6a=HGt8h?J7JX&qt@=8b z`YFeTUqs}az$_9+;1)}6MP|XCSCF~9%^FGGxUBwHEt6zs{$o}_Pvf_CDAf!(VR^D> z15(XD@cZP(O4yR4ckM$9E|GQbPZelqsnVi{CiYulcH{dprMtwMO>`nW^S3wbW^aE* zX0*_Agmq89*AI4>og(}E!i(B8;;T*LC|EmFjEqN}PMC|2l4Poa({BB{WH650<*)g8TCd;-7sHF)W_Rv>rv(mIe%Bs|3hhnpJvK*w{!5}I zXXPtx3^w_F5=%JkpA#sNW14TD8UKr5t1fhImLf2~ahAsn?*cDt4?^ckjHG%(x>LqWa||744g|DcZVBy0w)=Pe+Fnsx-=X(C_;PM%;;W z%|j+6zx5UJrNb>hr%Nk-r$}qw%7-;&D-{Y5lRC>0AP(ZPAkND)EOFg+aKVGkdIAPe z&%Tw7@+6qXvI0e^cPET_J10<>eksp@LPv?X+o?h&6qks*p~99$(O*CT2@tJa2iuMh z1?}du$s~A0yPWdlO&#fWR!{CMci;=E`_;f9$u2(mMU-o(&I8KCc)1Jkl52qVJ5$=$M zn6K2Y*^W7Wgx(##zyfDP3O z0++E$szn8BUzF}9QMGGQJ_pGX=!;%QfMOFryg}Kl=W1hE=B1J^-7|f!_DEZd`H9=j ztO)vBYpl2jsJD!%xG9oj!kj?^;n{1?9i&9>qFdF=JN9^?x<^Xv+#3?=Rf-nbF(=@+ z+TO~c&U+4|cCOlw3a|Il44r4H`B^3*aP_7}%WSe&wUyS0f`xcdg?9oEt zobRkzK&4#pC;8G2Y%JW3H?mKf;MWHlk@K@>FDuuHiuluoOi-TG(km|jwY!2cZFUx)zp`@-2+E0l@|yO!~F2^js(GxTMY< zw3^0zA|X=s#Ci5_eO+yFb)p(0o$}IPdx{te>4|P%`4r~5O3}g^Gg5ncBFkO|xslVL zG#}F}dAL@b|MGj36Q513Qd>Q*dY?y+)CgwEMO37bhQSi;Mv~MIdbLrWXq@rod#r0J zd#6P6l*7-?(*!x&jE@u6_TIH!GTS(PKfKZqwsXmkSqLt;H!N)bi^CnA{|6-n%;IHv11${)ZFNInspG^yKjk(oti1jpvmm+iTW& z+o;Ta5STQ|aAV4yz5NGJZ&&Un6a#`|&&10^U&`W1Z!8ZGk#}9ecIZH<|I*B!52|3{ zn*u~TE|8|@$k4NaI6WHrpxCw-A<2N~%er1U78Rd==nQI*GY`kd(3pyJl0N#f&Og}e zb|!?#uaJvzA2HyxpvT2BLA!VgyXIwV7 z43kXue6qSr!fs14Ve(Lmn5z%|7kghBR#m&Lt%#zC0+LFp2uOncyyd!K8cbKYxz=lza*|N8!T5jxj&&gU7=827mE zdlW2D)?W4b6nUx8_wM~!>LzRSto~1p*Ee~5zFmBz_E_g*%GEZ6bm6Ou*p8pN{P0&T z6k~c8XnDgyRrt%**fHBVqS=^&|p^`Wok1$)W-LQR;z6Z)=aYC*;DTVU?opU(nGH&fY<7pJc&Ce|Ec(Wg9Ayd35q=9>}{))x~u37{e*Pa?AO z4l}6}&LeC=F}$U|&8_0q zk2t6{v{jXj>8$IC)2;MpiKKTTUufH7r52Eq33`W1j{0xOjFEcOp$rKEYm_N(VFkt(vdH>?I>1f@1|W zvv;V%fet(gk?gJlqO0yHyW;PCpdGfS3G&3yq#z*{y~^8kZ>w1w3k1OCr`wHuMnd~F z)^g|z)StZbOPFU}9fFtZ-P^xTY}g^1`QflO$TX7;{Mmkd4Wl%mqN7`wdbXv#;t)XgsW`pW+kKcGLjNi>ta8htFkty*wNJ{9{ZHl((X&QX~H7<6Wu0taj$Ws zJUUJv!hFQ3CHd_$^?5o!+sltFT{Y#vq^MPx99&Z!^XUrmnhIXi>OI7*=0r&nCW+6? z3TZbrMkSq&za@-$D%qLQwd$xS;_gwhd2EQAc6)o6eSsU3@Uv=TX5TuJym+r7&;-w* zLg7{H`-=L=;e=p4v|8ot`Z*c4x9uikFvR#ej+@W^X8z!w!LnYMit5~ymI?FHWPyB# zhNgZ+dd_1LKWz3u%ew|~c&bBBYdD92px4J&-L=c>&btIMRTE!^O-gZR@>Wg5HxWVV zZo8GGRHFmtOSVaKYL0)gJUW4MZg$~y>IdFGU>nkNpKsLRV&Z^QR%=E5IS&mPLZ{em zl)gWE2pl-c8`Q#-Ld8EG&WJxQv0}4+RRh~)Kif<+z?<*|F%|PQF~26@UyVT0&8Xd! zHxe`Aab4+MFrh&EzBl%l&|S06x}I+u2)?I>)~=m6d~>hBEMp|Vp5qa^1@)qm-zI54p3eG$?Y~JlhIkPVxJB~nyMxel%775nEeaWN-?`+D%i|WLfXudyISTV` zEBk9p_W307`?lIObVor^MxaQ>nOQ4F!cq4V?=A0bZLWH{mNlshX-$W_eEJ^>1A95g zkU@VBt;K40gc{=OoEP1B&So0Hb8>j`Ewt~}Nxn-DdZk?+Sr1>c$FPs(Gc2~^Vk)iD z>AZI^QO|sKp2l@~b7Uy5bunVqqI_r2U z;`}g#cO}?>QAdZQ^bx)4F1t^4hQ0C$HgS53b88#Eh9hgK;#lV4DX(t@vBz1Fgy&{_ z^AO)!Es%$_h=lG%(&gpivYg{92Zl6HLRsZkR}cOGycs#37-N3|#XNOBK&eu&^q41< zH$NC{G$A=2j6TJzvfA;P`wc>a)i@(r=Jr9P<(FBKaW=C#i3d(aeX24Iz0&k^t1k;J zs}JSelt9B?8Fq@k)&iQ%a*dFUD&gym%Ia7e9b|1>rYC&H$(mKDG!#S18P0Y-ecprm?NYVN+2&<_i&?(}95aOrrRR(6q2Zb0(v41I^Uq6f9}Y(jI6 zR0mxY4cIiMr$Iw+Az#_fjDDMLy344k-oBlfUh0a^%KO#D*97N7AZb*LpaU!RbfPEa z6E%krtg;4jR;K*4&K}nk{SThm$Jml;Dw}k}>4kW%5ee!AukFYZnu^RR?W8BVIc>U) zEmYN&*N2176oM>gATMuvR!D=eScsOB#p73C%9LjcjE!7hVH+x=t)SC<*Dv2rN1=^E zqiv~rm>WmvZ65GBJeS}{7q>6Qat^zX1#hz);2rU6)FoFa;Y^QjbH?f{ibZJ`n|9=@ zVWb<|Ya9yP+~;PhKUFTo0^P6MVQA~+YbSB}i3xPCbEZQ;-tdmpOb?Nh2)r`QTB%s6 z1IvDWp06@@AO+GHX$89RCF&IrYEQkw zbY>&g1^_MDgaGN54O^#?{OQvD*F2enP@?E(xP=Q$MdzwGa*+zv`Br=-%Dj2yYq#kO z*H=v@En7CalH`7emy{@b^na0l-MngV@sC*DS~hY0Y$iX6tFGro)@^lgOD6_n2~I~N z>x0efYd7u0_Xa!h>+IJ)1A?OMC`dA&dt`dQ#d})pP!|N`ZGY^~I(o#0!;W>yN=6Uc=hQeGLQ zg*0vX;9$%NzQ2M@1hlv&2JQAqIJMe?*g;e>=-d~^oEmfOv|p)Y+@p``}3lBywe+a3+va_uZZZ!myeQqKkMXVV^)-%ieKIcv#?KJ524c6};EMc%17sA+u2OHl6 z$#YL@CI#|o=C`n9FJj2|9BX_azYg;eP205QHp=( z>$**H-D>Oe>G=i4s)fMq?1*QtzcIZSN%`cOXiv_yf0$us@>a@On5hXjC+V;xA zqw`g>u75E$5F)7y;e2_@ud+(Q5C?b~))<);`&v-kL421$%iQ-efvm@eJg_whqZSTND z>GxinL3Pjt?%0};Mbq5MKSr;1^C;b6LMq|FqBFrk-gnh9ycqm`Kr7g0fh>f&vvaCx z`u;`}?vWj?K4B9&Fk?G)nIXXqZlJk%*dlsKibxNVfUm`SHpe|biFDD%6d-ClHWMFC zSs2?l$5*p|P=Ug72up$DGyT;l;t8^&n~0cv6s+rKvE_co@ueuZIC>CePt)SX8SFza z{%-8-%eUvpNdr$tes^N4dUWHe-$3(zNi$<~ug^6^P16j7qvg;jzauf=X8689rv1yI zg)F#%U9TXX*@5DHyE&X7a(FD`_ip>FghIN#0GK2ir=86EoE7X=DQ(=`0q<@2A! zI)(&DcFR9@?Fo{q=$$L)LcBpWYJ1h>0)DXo=Q-4(3NZv zMgDsJ5^w_* zD(tGeS{K20l?y5Gxi~f z=8oWoS+?Je;u)|*m8-q57**+o&@;Dv>ithmd^^UH7E=t`295 z&8^{5(d{2!V>d^vmR7_^{H0G+|7SL_0y}o z+@*&wyDwW~V}p*Eq;-$m2jtPr2tA=7w=hB_Gt}mG^_g{(TaUiZSbDHoiZ*_Ky@vJ* zd2mj1q@C;zl%?OL;IYNx-*#6e-Comu9dPoKv{QJ>;nI$d>O zF7-IE;?kWJ-(QJxIzR7pCs#L$T((43hOgN{MgW2l-rsdyI+;QG@P)f$V~2wG|bYu>1_A6 z8tqGI#Psa^W)~(YDDe6niVWJ!rnJ6Q$Es(|s}>7*^_0PCWoUVC-#)^ufyVk6af>iT zreVtN3;x!9dmU7JN&|az0hc)r4aY_QOXIj zyP>5Sc-?p~!;Rr3#hy0j#N)=EEkr-`JsD$neu2iIVtB`S-Nfg|wfOHXDA;Gi-32~h zKIjMr_eEIFNsTs-_R3d0Hc|O&rbf=MKOer6a%OCnPWu(yKBwJ&^x_obU2*s8Gx2w5 zovvuW8KRtUHs*=dufpft;px>C!5`0$U1%&sIzEU5M86}QDaPt1i)_(kh)haQ#mQ4Z zFmk&7Le7ce674HHS=Zn~`pX6{o(RlqLy_GK`ABFiKnu|WCp|KORC%gn?R!Q}b<{-x zAIA>BIpTy4E-h{XsNFB%lnsrb<_|Ys<_j2P){g`AGR$S%K*z>t`lVS+y$1k=DXzrC zHv*c4J+q64o;E{tiI)t#+6+bsaTYcQuc<5|_b~%C@;l!ss!wwMc(ic*ERoVxlG|S| zqrc(nyZCJU{3;3!Ifh9Jv_SCs)$x~OJ3e%8@z$v9SH9q-j=!4pz-1<~yd{9gOT+}h~&RC&WYikp9 zhXT6*(1yZPM|L%~W)%I+qrGa=RtHccrw*UgRsy~0ieW=MzyTkFH^w7hkhrv%JhiCKAinNHTNdJ8bt8m!Do`F905t)8lIs6R<`_r}A(t&x^eV~JrY8X1jv zla%+}n86wDdE*uuyKRK2->-3!aCc^EqE)NOGtl{sty5C9W#4?*s$sYWBT2Y0^msxM zGToQA0p%BN2;s749scM+T&_P}*6?}rTAohqVX3@xzpe)s#!u$R5q61P7LnO|{)qgt zXFvK>=jJeAVD%b}PXH>Dw_@Zy(JND!w;2EQQ+oG|>{#C3B{9s)vG=dtd{PJ3rz$=5 zNBjATTlz3XTbV>R65~EQZ9rZpjSQ=Q40PYYg2Dx2T1BdPvzVBnQOlI9Bvc_3Uh3zR zh&krzTP!mAmyztR`qBhdy+7DPl^2d^!?=sYR?$Va{64Q}GeRDa z#tW;G_0v`&#oUB8iil6=kb+@=`4$|vDN`NA;xOb5{+&wgW6$Bz+7UdH)U1Xb;^&AB zZo9X@OZqq&y6)53b>|Z@KJ}*yUdHTCx(!{jJixoQe~`GTZa@{2kQMv!tQ2L$F5@&Q zrML}2ae!~zRU4H+cQn#!rMCTcV~+Wq0(PRsuuiqci9J&rhJXP1?n?#;dXr&%}H;OhVP#!hR6!Kfm zjSn?38o65&e$AVRLrN=m{!>QE#CdlCpRLcGhY_O>GxKz+s--k8?C0fMyR>Z+a<@b& zICMF4cIq~MrOF%PZsA@EX+P$$POV)frs>g(RJHnjFE*D>5lHOY!_Z`zRMO;LQHhOm^wkOD~ zvV@oQ+~bl7Y+0sSQ=>G9d|P#vSfyl zK*}fMYX{VTuW<|5XmR_IJ{qny5pEP$Ou)|RGseQ`fW_d6#h_B!4zKC@z&8ODp{qZM z$+?YXhl5urE}Q!3KN2umV;z+=l8=>a(i)_D>A_a4vV80(PK*ZeJWt*cvBWJpB`p!3 zBQ!viN`INQ^iuRP?!kM=W(4g^J3|P4h>d5-dAgYE&&g7<$x@An`mi|Gm8~H*Yq53g zhZAPTXC1`Y782BNIacO^1bexEZfFI9qj7%h9cz&oxUshligu7x*hvYjiPIrfJUhBYE%$9xGSiu z*h!CYjpB02zEcwR=C%HuslR&xNZ=fm53uUZ*jEfT@VQsLzt(D^``ny*WIbktchlBb(30^_NO$Bg~?SEnikJZU}e47gL!H>00SB;>n`nk2g2+$sLlz*3`pu-!#afiYx zpplYlSlzcg%=-8XWt|V59ZO*h1|o5(Qxv$Pm1)s6gwq!RblRqC%&XVmu^(+}MIv~hjk&cDC4af$mlMw8uCa;|e2m9ZYd zy(X1uPmo>3dq=JR&O*+wsyfp-H$X99)lo--VB1bv{9?bONM)17_nqnvk2Lw133OUhtQrEUr$}GZWbQ$7QYgdBmmft)5WKM}p44WNt zx6q)WS|87wW^*aZnbas=(9Wrm^2lj&Zu&kS<05)iWx8j+p{rve4#0P4 z4(Wy~iiSsUtaSJ-^@5~#UVqz(#KLf>dqj+^*Vb@eXr8?5)K5N!USF_}F`Nz1*kG$&uUlu6$0Y>^ zyK=E{7yFpK1nMl{6cuL}2|{+n1S}|45ev^U<7Jvl$=~)xcQ(1Ghjs2Vb1otbg%Qx* zpTaSbh*wiYB^?Iq#JlcD<5Imq%+}=(;uqbyRsc1!5}{_ zDOKg?Gx$zf{{8V&@qGwOV!9%6?R6cYp*f|@908Ar-Cfgwx!Q{!q$#5T}4QLfP8&dzI#HH{X zqQIQ+alf>G6TE3cIeFYgIkBO#*Y2^5y)4yGj}O7K{`!kd3h)k>uqbKJk0VZ;QXZMK z^g+6i86~@kb-(Pny21n>5nr&}NBea6SDT~iOPlANpCwG*~z<#N}xV3*A>Pijyu z-Y{XCnCYQN8ErztFKeyDPg+t;*$p|(pL)gFf@`L^#ILLy?PXGkMVfwc)wiumh`CvS zS}Th8Tc_y!53COO--dgfX*l~Zod%=xpsYoxeYm2(p-3r@sV z`?+;zWsYP0=UF?F+>Aw3c$pLpWx01JLz!UGyd;ZiOa%FG)Ac7c#?j_{!(r^AoN-G4 z>FBC=UcUS}2G{M4$S^$Xo-J`S<(@rs6bcDnPh@F)g%JX^y;_$ECeM7SW+?`^tQWVH zgn8wttFYQT`FW8;Sz@vEahVMRW*I~BMw)BmBhGrY6NVEn@(ZonbWu6OPQ8~Pd)H&( zGTK`U2jtdCXgiEa6FsrHK&}uVn8-CI!l*ZPNkR5{--GY~v-6E)TjrpMze|@GrBY8t ztXV|2lzSV)OI8#=;(cmz$mt{%J*BtT?$;)hpBZdeC%qVzj%~fWHW_xA3WU}rQH545 z+#cT^peorjo*ZzaE?!=j)%mX45~ZEga;xDugkHrNAaUJ?I3A-*EGa99o<^ePFImQFI zh6Ih|YGDj+%$5nyX`3i#cuJl&3c4>^>}g>39t&3vICqMR)C}^4m{JTP?LL~D^w^H+w~7Qlvs0)}F%^(1pB zV1>QGm;71S>D?_r(Z<^&E14>Vf}~ZpSj7TNr^ICkLoGq}mj4dh#?u*t;GuR3hfo)V zATVCDO{Zvt*sZt$1d%v+i)s;jo<-&K@yM?X@wt}-UG1BXdmyuyZEZnxl&|(>#u|=R zOGnMoBG5)N!hb;KG&e&f6@@Quh0blYxg2OKT-IeJj!<_o1dgvJKB@cS!>JH-&7u1mW+5l_h1$u-Q>SokuN}I`Mu6I_;<-Cy*lGmN+G6WSwxexA5!u}E&WdOI%38ySDkA9A=?d_OiJGN zw+Gg4OCZ27uHrkS{y)PH!_EuYH^wzp;s%kaL@8ftFIz}I%*)g{e+YL@Lf!HtIxW>? zAU)Ok^tN2^WrjOM_r^%Eh?)P*WRNjh}h?Nn&tqtbt#=Q+2WKN8#e8jzLiB}5U zz~)F+wNtT#e|Wj!6N#pI&yRB%sNPeJ8w)0;j?)`SCYDYoe0;mI-*8qwv4=JbO|Xjl z`uK9A8%)lW93o8MNL08-CGU2-CP+-4EJG;eIr~7K*tsRTfyA7a%A52^W}1xE#%Kx{ zC^dD@a6aoGoJbi>pp()3dS`@n{J9ghXk|oEZ+Kdel8{>`rAEoHBZ1=k{h8Gf6Q0P> z#JE(fHaIs^b$B~%n=b0N)l4kHpD{FWRkq%Pu$QW2K)9xBB9_Ip zip%4D6Nl88PhZg6YMscW0(U75x-9X9@02#SS^Y0nD8YqyX3DfCCmM4!Hg0`|dZ=pb zsd(X2DiVVO0Y-oMBJPi6DvjJ|Vf%+F@enz;p1P{ce~;WIhkh^xMjE@B%|E^Vlp!1X zIl_I7CC_q}#7b07sI>k{LCHt^AqD0CAEuzO7oW#h$^KyqRdQ-2i%xa2W*vsR^p1SM z#XPlofO;dLYp06OjC1*$4o*^(gszJTi#_qID2@}3Ta^QablyqZAc?phshR9-R=d-l z2zx|uJ}s$x@?s-mLuW73otSb=krC{^5ad4n>(j2|L|1-M{px@yp$zQY3ew|!AS>{s zrN4jW+kiny!sI^=qOs-n6!EO)khh2`L?$C38a)!+1qzr!^E$-ek*3y#@NUf#@x?0;OjB|4bV8kDvdiUq66i#fuC7@}C@pqB1`K=as!*0CeB& zP@tS}IKd3R9+%xOgzj%L0h17Q(cL^(-K!*HctZz3^hr2mWRbmSh5{?^cqE8l4|<5W zQ(l8W$`+vdpPud?6!1qEiFcp~4M9A8tCFFz;X4oPJF4m`q$@KWLmwn?`8){M+Qp_X z6~hjmq&wWXQ|tjuujXIR2gG}TBL*C3OaZJIrzt#x- zoBNGt2N7ifPehl>pWN{WkCP99bpJ~yJ2U>va}lIv+k@iw?JrVt0a?*V|Hv-}H6mkQ zZ|B!tLuLlmc@rwoeA&mwS=F9urZfon>0t6_i}nP8ClDV+H4s)HGN?d9-}<=wVY6bun2fy~_MPW_qV`PCn?JnfI8HT^zcy(eK~dq}+4 zOFeq^J=U%VVSK!yh9^50fB#RH!TH+!-bJ$4MtV!S$2= zJ>Y;n(XsI6LLq1f48r7tb1`dp<#GU0r>lPkfm}E;RG}H9u+bO0jZZ{?g&@1R%mc;% zzwpakxhH`iDxl%vX5|nMhr+DOV&*mz_2ZyR;N89`V9|4B?cJ&`#SuS-TEK5{>K*|j^jXc&gQi7!h>H=!_(s83aAJ^Hb|WGZsHO045%(moYC5ew(~ z|M+VE+rRk;&Qaqln(ERQGmbk7{l%W_|NTY%m-qJHzAb`5WUb6gIkp9=cau{Yw?b+qR(IB1sCkMp8`m+l?VT%tPQBnNI>g8Ykp?_R|gBD4& z#(0$d{$CEb|6On!l7RJQ{`}L`fB#222g4J0M!#on`1fx!^NTP>l}|$D-M{~%tM0%P zui9>Vr~hx-;X8+mBQ7HY>sav>v@5Q=$qQHwBjrOlB*XfNJyZDw%cMN|9H{A z>y`fPI!`4eBy`Vw7z+89T)kfmR;4M5$438OvMm4qqW`t`|7=P8|3&{#!r)Vh5AJr$ zWws{uxdSL)hV=Z*#iG&at`7$uJVz+lbi{e~rySgY&v^%n>BA@}S8u0g$;OL`#sOqv7Cqe_-GqRJmV!=elgQxPe0zU#c6|_$ zHa9)!C-59{m%8PBHV_$Nj39}T;vViX(4p@tvzfVmtd9Ag-1A@l)dwZdr*b!L3C|nljN%VXA+Y7b|HP#b5*!_!OG(~)l4e&*6pk-q~Tr~;y|HgvmhrorOnV!1 zBuGc=)E)q9>>qM&-+uWUP^$d?siif)w<;$0UF0Q}S70bg=ssB0# z0sP8?u99IqGL<~5qO%CQZ%VV1DzE~qU)7T{d!)k}(!cX?EMmJ~6P}}H5D_irq7&d~ zqhIWiF)jCWQHT#YY&?q;et@m5U&1YKBRurCggQ-!W2Sq%141hb)<3|>tordL{Q82H zd65dD6JWqz_?@SBt`UB(rUdHs0)L?RL)!=07jJW>-oFGdT8Q-vTyZ=PpV-S|UwT%h5rehUv^tfBDfwN&n6UH`3AWnQTq1&L_Z;w^XmG%C#xaq<-CdVu|Am1c~utPEv(7v*5vusWjr2w_V3Q2;dyq$ z;dz6v+mm!gyY1*W)kzD)b%=V5-D1%E9zPQ!g={SPb#koho{Z$~n|J7z3N$Lj(1M;* z&%U@H-UCg^n1E*HfB-7v;Z&WW3ui^(lUz3Sr!S2H^O@(W$D)OJq^j0$v_)dAZO2^e zW=l0Po^+?(C}VHgYL5~YAJeo)qh)um+6)!it$$CyHTh(PD^%*Lo?Q*N1wT{q6(O>+Y z$8FpZGdomd3bsQWUFCKQ((Kb6u~a<99D7vNnI9h&HU?4|?;(y&+|MSz8hS*}*MsmQ zJTMg-!Le5nh5_9fHd@dPvw?&&K1=9bbxeP3gat*!S+$`QK*i4?WWN|0YYd94mT9uX zNNxiuS7<)Jtv+qopQ*uZ()}^B3{2squ$ZaCz^iS#VQAX}Te|dK?Je{JLl;KW&pL18 z8Cr37SF_wNC-R^%Avx0#Yk=4S|5S>f-ZxnS+j?@#s!bT{4DN%Ch>fDCKN-hHO^_`i zo%@bnzb5?hvYXPq8QSYlAJ}h^eu|9q5OOfwe$W1C1#uw`M&dD0M2O^~`2qnq<^xCa zlD3T6-pXBwV-1x~>-qN1)pJ90qt1Yf8*I#Wb-|7nn0#|KqM9x`$?ma^Us1^iW4x_J|7S|@@*9d!UUzEE$!(PZ*J?wQRMJ}2g!Rg1L!PT7I zRqeL-9i}%Y%0zIySJsQO{GHiS8jYt=Ypt~!xs7;kP&p!s8{*`xWJhtorFrYxLS$|$!m!VFk1sSLw)5BvTB{iZD{it_Pk?>K*5 z@vUcL+3LIfY7V|=x-zwU+W~@fO@=jlE+T^ZX7@Z2R*OW18zq~TC>Hp!mODBL;%**X z2J)_Rcs0%C-A-}k%ZK_udU6`Ff-8w^#11S4lvnp@M~een577Q9C(fnp9dwPpoIthK zVp+nC0;%c`-3%jkwg!}Zy7C{_;ZGIcIXpiX+EP}v<##JQ7CT-M=SOj;CZdztsp-8F zHk5M4A7aDK$mvDsAZR?-Der=oMniA9@&w@ZEjRmE#`f1);*v#P-8Kh zt>K6fhcyJA#zQRXu;Is-m+R);;^J@+vYkqazGf&*ino+}q?oieq6JoPer_T36@)Wp zsIWQt(64AjJTAXO3t}yS^a#Ixy-%ffUdS{ZD6GjUT8n|5)GRRj;bnfF{nAha!fxnv z`QeF|=zt#65I&w!1^z9&>IrKwyF?0A?baG6+CB)TSq48odos|*Pwq1xSq0V#hYPAb zn!mHd3gWi$PiwCNvTC4p90))MvtarZQw$NJ@Er&1#sKhmtKv$Y+=Dn7gmy!_Fu0LX znRJS|VQxDYlgT`jb=jEj%NW1kzdTmuvPGNH2;3A3e+teZgCIdh4?35vMQ967(6we~ zeb?yYk^bo!ZCPT;fbbOpPUGJng{-vyhc^9W-_28TiU^J5i;sy&2x zA;z$T82&UqKYDDfdR*FB6+AAqkd|1(==^Uz;-YXunG`xy3!nCVT5Ne|sr+!Bod0RQ z4mX~awb#SXU1-_BB#w%bZmVkBVv~aD27ZsVMt?uP3!kB45MKqtsQ z|2(7hs4G!&7d|bbCV=!gpI+^&%A8VUl+zvj1}b6uhTNX<8aWfhbzS#dhuU}JdtNnx z%+Is(pFw181dh-{lh4}ts-qHQbgN(nk0tDxC4KWLOhsMV#kZqH36Pb;STVS-N_%9 z)JnAqK_VOBC7klP=GjkI2x$C4FloLNWD$uwvCJhX=m}mvzNNAy7Otf{qSnX5Qf)8f zfX^hmt;!L@x%B?#raVj#xw@U{pQG`Rv)UbB5n-vao|%zZ=q^$wdK646s=qu^)}WP6 z@@KWnKRKuW*{>wd;P>WysZw)VU}#m^=)g7@?Cz_!N7vt|u=5!evN(5Ue!zb<)Tlnz zgC@@Vhql-cbeDOBecrAVRXs(x+dzgEQ=@zgtwPN;G1NrwE&KNQ3Wp&!w2Y?Y;2L@f}@v-4Po_^!HEZ{vp@Br0_dk7UM0+ zqpbHS9KhQzx}nt2*lBXG%gG~ZJeM)$(!xt%v=9cL4~*FG0<8#F$?WEL!1yl?5KC--yDSbR?-AgjJnV8iKQmpR8SBukmCQWR(=1 z;)kvx5aqlQW_wZ>64}{+}DiP`8)0vHy+f{<^&)YZ! z=LqHVyie{UO=oMcqBJ%a|D7r72czTtKF_Q9$6_y#h(*3f&3*QFxihS~FtzkR@M(>q zr&PoUNsm!`D+aG>#VDrBVEcPT>-3=U_XYIiQ8(rv=!!eGtQzqb_(gYI$0DZp7c+Aj zf|mF@_LQb9>zbrcx*~C#$w#X9;+;f0#GT_q1j(pe*iIi^bQt&SvPjxoPte)3XFhdo zfA4FF3=T$2C-*866nFQviwCb{?`^3i%J~~Pq4Gy+OAik8Rx6lv+c8S&C~=)V1?tlE z{@s{oVJ{s}jMW~GOTHIwViZ$5Jd9m0OgtO-b_Z7Qr8hUfA@y*`#X{s9g$guyXF>Nc z>e9!R3es=eeL3z$((e!l26xb5*Q-Lkv}oA_N1sZWe!~}1(rs8>e5X&d1?YgpyR2mNnu6Q@SJ&2)fjoYHY7MA^uR08U?IjD9r0oi z;W*YG#iJ(5a6TZ#gu^mqI9|u#P0FTrRVD(P^bGisQ+m(or2@Xj>EY{Ueu@EZxixsP z-Nv6`eFrLj?%|AY?x6G=uP0GpE zDxLm2fm?}o{NAj=B{lQyu2vijezL~I3D#HZ$$8}M7n->7I0#dmEa%rGYHEi*ReRU$ zx+7Vk*py#rP2o)e-3$9I7Bu6P@RHVPF->XexlgPimmDmea<(4cc76w!5fpZK61}7n zdAN*6NA_vZ0e_VB)tMBR>T3AcQSa6=Fk53xTPTwZGdav^lkuII&1Yex1d%Te_=c^V z;BTl=HBNOT1w-+z_2~2SqYOV?=Pc&?v!cEHicESKYsyG}sH)uiV#Lg40ebC&dN|(> zNpT$@9SeWRa=bkGN7>DLKaJOCIyrg8*U_Y})UIlm+xm`MRp0a|u^80{>O4E|1Q236 z7BZB|KsvJat%UTGBm6iFZe3LA>i8M{5hAcTQ?H)Vb{GvCXjPF1D)3#;XASU4V_^A0 zGAHDvv|8DaU^_Raw4-A!psQH|383*&&xSn$YJuEb!$I_h7&3_XI&DY9i;K#$kN38g zWIEo~(zt9d$8HDGRO}y;IT@3M5sL3~A%b_;MnaFBx)7`CS_!D;>AenJjKab z`M%^3&00|}#U3@aG%k%lx3|X8dhA7shdRja7 z*o6FF&M6%k1$d~1mi~AxB)RN+NTO;u^Pqp%TYUc#oph%m9Bb{v4Pm6+4wG;1Ol!kr z!nw|e8H2gOfef_+R5NLZnrj>iK*QZ~zcA7b zIBlC$7PH@OA%|?>h3hO8+hBV2Zd)NvL@*~udJ5)22Wu1vSQ%G~*CZbkUQ%LKaAVMhw4*vU@i6&LFl`<%BAbvMh(Hf)4|h-=6H$ET7udCm+r-XXU_0bbdu;u_5kMvV z-ZaJCyG=nf1>dSjmDHD&sktJ^1L+2K>m z@~MO!J1cOJj#lv5V>X>ifj{up-}N#j+D~Tcv}m`-T+-yTJSQ%;`gv#7GQJ~+%e=pG zXVZYwIKH>cv`KFKIZcTlCwl18ka?lIn57Eqq5I5B*ZHbjI{q6PeQRAYQ(tb84Ll(C ziI`57`0~tf+`B-goO7p-gkdS{x>%I5nByk_qTF%XBE5&JQA6;)MsZ+2Wv`uJ395mI zuE@R5ZhoKoiR#pA*7KPxla_WkORCS_Kc$oRbY+UQRT_aew>!psKgSYP?X(9&v3)=? zA>zEX`2P6D)Uk~FP#`!+8_~cHK|U`+-PVA$rS)rkLeS5;Gg^>U4eS>X(^uQwl<#))NH24Km@RuT?Rk9zVzL zdV0hcvZ)uAb|=eG@u%5l=6i07$EXZ`W7$-*kAo!oL0L6pU`A!`4IJElY0oo!-#@h2 zSb{c@VZvs*joF0a!sdJ*>jUw=ZQ%5|3oN9TKf2B?zkQgYi)BGf2GS@?RZHvPnNlNs zSg40tkkt6*Hj7*8qk0A9=}t~MjHb$6ZIuBkev5}Hb*wa6xsPrP3fe97k9lZB@muO_ z5yThU02;VUPUhjU=9wtn!1cMs%r86*VAK-?*yk|6L<|AHX7Q0Le?#8RISJ;hw>`u2!oWEcB z>~!>X<};fzU!2UfvYaXJd&_Bt58H=fp0+rKaaf!?ienn~Ip93cClNFtk@v4vgXTM| zFrxx8&-ufutYse8ZmiN>-FPv#aUg>FAigumOqfL;nEOUnjL@m+y(Zw1n_VTm> zuu6eR%ibc#K0J^t6OoUNFDw{$!fY;-v}h$0RY$o8t4?uU-^{*l+Rs+Azc^U1?ra!# zFO)Hi0P3skk6C~3)c=-;*~ghHb$o-&A_tp)qcOtd^japMv4xLLG z7lXUFIGEq*u-`Sx6$2F_ZKs1QyXOpL|T#+H2NvQ$$UH0n`xl0c;$y58^WRnLEH zvcK_j#$dVWbb(WoTe_*)Xt80Ksj9IRHYG3-l40%{kG-1JQqEnKQH^j)OIlGKtIi z9>>&FLtKWKys*ho9OpbZ{|(9`bOWNRXqPiC2iQFk&{2&FA@>Ia1hO}R=dfv+h)4n? z64hn`S?rV#_&m&)QQ(!aHj%m)$73wd3+o%5q3(o$4A~so<&$=hg#ErkH%-tpjOnm< zq-Z@>*WFZUWN&*Qzf<>c*Jw;PFJIe>tGYoZ;z5j(NyYkf>&ty4E36bXkxI7dIlt_@ zKeaClCro)O$FNz5rPDS_$5+yywI*Vi7HjMt4j6IC5EKJ9i}YepZ}5-e#Gm#=bYIZj zP}|Zm>WDcH^MT#O5U-vYyRa!7$j|%^uzO9=5FkguVj$=7wBoV$ZovZ#i6fma`IHR# z_-^mULvoIN%g<(G8V}~6IV>)^uE*%?|3 z&OFHw6n2-AB^pqN2ir~+`cp_B0-3;tULLJ*_?KjR}_7?mt8(-eKGi4JzTdl358!K%`nbWb^ z#sIxNin~Ykkx0_^UKz7(3+ve$ie;$_obQl1?)SCnYp8giyoq0EpwJCqFgzHWCi#>X zl3fAvl1X92s4wr)mlu`VX&UJ)8KCO|G>6G*>vXJDrp0c_X@XYf$7I^EgXjayp9zDW^YC&sq72MXBn*eaIO4rP6BZOu|r zl|1B3>5QYebqE+Ql=be-w!tWYN8XiHLSge@GP*fRh+riM5M#$?!gZpkz!9EGrt2?0D zcZL(E>3g2R1ZcFtH1+1ZlEg67YWiQ_T-u#Nyay}eSXhM-nJukxjJ4FqBcC52yNwd6 zKV;BDSGIOVq>$ay{V7flU&sTvs1(HQVc3fR>}6QLsz_(M6rAYRR;oxVx4{pq2`mdK z5d)4&aDB4|>yQQzny$5O&Gn?h;1thJjVbW4_C=h`Dl$l)y~m+ezOUyD4OPAXWMCl@ zHSgBAc>OY;kK)y!z4mZ+Tkf|dPf#%+2S4tHd0(;Q#$1{423BE6kkpyyqcO;=~ts^ z3|q>IKjPV0^7+*%l5z03V0H;*7C=nQ%gZeIRUN~%@JU=Qsh*n zKL!3BzG&AOVX}&%-$^k1@EUhsb*9>G{-Z$URI+>3)bK!-mR{!aT3+FJZ_W}q1x*EN zts$&8XedW!#Aa2otI{Ni%qYhCJ1y%5nZw74&7~@Zkppa9qRKjB!!3qQtiuq?iTzwP zSCfb>25h?Gsu;_NYV*Fc za{R{RzEk(Lcg}tHob#w3Uu*YQ?NVHOvDTbpj?qW&ePn(v7WP^3oF-noH#g19SdhUF zs7M4JGUwU`EBe&s@g{(stfA!|^C*URkD@E3fLA=%ai=av({mz@KrU3JpD|s5x4mxF z02))@TiWdKuQfRd%tq$A{@Yj##*rhgtU0lt@-(eyOnDG=cOE zA?1rO57_@C0sRI?y2o0gb#vWxl^%V1!UpkB#K??%e}=U&SIkJ6hquStMrT1eF@i#j zfOk|iK)pf~9W)pMJ%+Srx4tj@1qRlo;9h@#5B%*;{PUjP6Zm~drwvCrfB7gp}2l|2E{qxUSzZ@M1x3neOuuJKtGE`by z4+Kp3`>i;W`0{1B#qyUDS&J|NW5t`-u4WfAatDH6yrVv0OgDeh4q`2H2~RwvTjlrimdx?U~M#B`OCT^${~m zsW`R$$8P>LK}~X!GYtxMr!^jG%qf)sPXG6h_TT@L%vFpy^ip|@QsmR>C^rA&oYdGq zCk0PpFuo~=+V_lU4rh%U&58e)Oa9Mu>Rq(l?g2AktSth^aBBeBb%XgzHu7B19&h-hCPrG z(>j#?RZ>oyZR=nuCu^o3_LKv988F(zucLSZvVZW25HwuO4{+_ghw6LlR-T=6-Src9ETj_q8U!l^!{H@h-4E`M>9pGO3f% zd|QOhle;hf<_+b1qYKE!45rkwN9bd76QAX~5s;4Cu^M$VAD^>bnHGkA87@nRI?WCY zcC-Oc2Kyh=yQ9_KG0-{r4jtHTn4?C}CciE@6E7JSyuxAJ%ZkPXr1B#QEJ*JjLr6f7 zzQ{~xns!qt7mHzMs*yd6uX!t^__Lk~OGYDjv(dOKU2PTyy<`E$AW)SqY!BfbCn))O zp(9QKXs+Fh$rdgD*$JRShm8sBZAc-+<$Zb?5Whr#l@*hnS%tvuX3nsphpi5h!K^em zLqN8oO6nG*ikou{+OoGK7OH`k9Ta8(q_A({qR)3(spra|lVRkEFq!EtroEx~5xu^| zM=`TI^i~6`OniaMjJ}it{I~&7*hQO9G<`BJVjJ7!hj|TXS}8f2thHK>0JlY;ZeMA= zaG(vi^%rb$%ePo61_B7zA3T6sp@y{N&q4qW?C z1};$Sj6}Vm@SxoOanuYv=6?2p9VdU!R_Nx|+Cs!i!j{w*hoQ~Rg2$6BQ5*e2)Qvl} zQjQLz!ZeV?<-z@C0=P7f!my6of_t}}X~@zab1jtO zklqL@11MM`XI$*g{nh(={LpjIMubE=;)_$^rT}7c!W$(}OW7#{XR0v@bOhRu(P_|> z)MRRX9eMftsc+S-L+Q1C*E5(Gp!?(vDxq=gY2xd%ur67i{rH@{AgN_?{4(Myi~>GK z|H9v%68JMcTY#M8i;jL38sH-a&iSoAh*GAROe<^%;b21ZlI)wn zW$X-``cj>UIJ=Z&;IJ9{Te_5tBPdX6kdUQUC6*1uFl$dURAfkqN|@A3t@C_VP!pRJ zCZS|Io4a{SM-IZIqVtd_C`K9jV?CSYO&%@UwDqItY_}%Otg1upcE)nPpG*3@O4SFv z%LF>R+Z*pI+C9E*9M_&Iu{Jp#EB?h{tYV|JAEadL1f62obN=`j;%_Aky#ilTE(RJJ zgIO_+P3c&x++@2;fSHmIt;5;FtD#}vRGK3ccWvB@jO(T)Y?TL~5+Q6Yv&V%Dc~S7$ z{)`GC_Q_Xnq!tU1<#y6p3vzq|q|IOGr>dtm;;klt-Ns-S);&H!nCxK=dYNXQSE42j+jK{ya0+SKteMQ61RNRvM`LPw>4D z@{;UwG`bfe_(%N5ac2r(JF%6+K;a2HRiIh3JZ(=*g--PX8lgJ^Vab7CJu5q#xxfSG z*+;XUs)2P}3>n(Kh9g1so2IY*8B)^?9bjCsCuk ziV5cTAce}3rR^Tdv*`aYfsnKaHi>s_Ps`l@^2~rftPCZM!6OfbZL1uRpc%>VtaMf? z%9G4su(zJG>(sy=Xd1$r`Cv=qY;og_IWrt4{hXj85E#Q=pHdy#8eGfH8TSj6L+q;k z5o=a+upP}Rj$NEVV9}Ma8}=LqSvN-5?N-Zfzk>$R$ZfgLy>RS(#zlV^Z$D>c&bE zxa=jZKLxFs9KDZ@l+yRt%782KWXlrnz}lVrAhVHFm(NSffpS4cD91@wxr}c&0LS#= zz=9)3ADqkIACb}e9UHJ(D5W5FkK{Q zoaMn+inmI8mcP8U^p$d#84a^EvWK%rDN;p?*J5}0v=bZwzCij7-RD)Czk4 zc3kGcAa-9B>O7n@Da)Jlw*A-(8KO z+P|V&8lwTPF%EcUW}q&rfzTP2cl6{%BAP!^9|HR$@ZJmoA`UdK(w-_2i-Om!<5twM z5#}<3V$i)Iw|C{sYD)LDX(mm8J#pU;k3I^2-0WyDL1ZS6EYoz03~{IUxLN9aruH5{lUBB*aQY)mji+AzD>fbl`_W633Nv6V%V8VR$z^ z8_RKF3qP?M8?ie6sLzLrol?X8LNl8(b~;qp#$K)#y1yU-a)BrT{1@?=O+=rSZd5rD z9CyfDRGSS6w}HPI-lQ?g=q^}a_=<>lFnC;3>nS4MB5}r-W&T*~8@CUGZX37>(%|xg zZ189jqqY&%M+2xl+3^rP-g20TzcWE9BKysa!^?4Bh;-#tQ4<=irR;Q|$csYWjr)v^ zfNrzSt8|Yp1qBDWJDZ)c&&sEZ*E$BS(ma`m;T>vPg+MVt+5N;$ne7T~ z){PTJ`8~RBPgle6&Je^&hH)#c_wlXuBi3T-@|qUN5?R2yqawQ*Hs?hW?4^V-OXWB{ z)EJMQkh_7}&r!-LLsiY37ZNUie?A621)c_N@j4Me6X%au0ujQ*3ekwww<~Xc!hI2) zRk~42v(qSZkVUEH%HipZ!52Abci7>H1<<=ghjpB^6qfLkt(nf^NRIk4gN&XT_af>j4?p6e%y($7}c(s;?PFDIi?JGg15YdT61k}u@TH{zi^la~k zB*YnkDXB0b_PtO$$WVh%DiF7HmD#O5S4nMwCR`t?>l7xX$iZr&ev9YD|h!BH_r{L}G1N|K1QyuUGq0Qo@u=F;v&O+2jqpZ<4+Nm+)Mj>mv=;!M2rr z2St<-{SL!@Cpuc&k7|nEVTfiL%Umrq1wyjewM~_wP5Ia?L_UB}j5Pj@{BAaG3r;Xw z*zG9^vocv`(CO`rR_I{g(~5UH^L2Swj(AeRtPIf6gUh1tVkU7UU?Wp~TpWr-0hQyS z#ZchjEOq>!A2Nn+y)a2DSkg?4*Gp^48y~fZ^Hd;d4Xl>r-}rg{=97Eu37l`~y&dGK z-Q1CVd!Fsa$h)dXF(Sf%bINaQ(kP~Li(P5S%GA3ep4Gy*RtB>a#|Em_K3FlPK=vJP zbY5jKRLDW@)oBhuS1LYq?5YDnj^qg!usCMPRp(AVHMnhNt(_nlCU4vEQ&kmtA*h%X z>6j^aceO3FAngpK;8u=l%j%>@T`9~e3C&>qm1uJ~UyM$Dz(%R84d@+lmV3K9R~_W@ z#33`2O9&P{Nc3$FJiI34pdj@oRxGtPbIb=Jz3|%n!2ScgqJtO?M7;8<>4hU6g^+)F zlsrvSXN+Z9Ni!I>&pRSLEadOjD;Ff6&t*DTim2N-RLj@4!agaCRZIU4l(Nz-r1Y4n z@&`5-2}epQh`oyI7ArIXy*S>{vAGKpQ3|Bw(QXK0@lQ7d6+-O0hUQ|#RTij#*)739 zTqY9mWYq&Uguld&?2g=Ah>M`pN{U7ml<@&>Uh*d##7WT*>l~@%J+NyAEFd{yEunv# zHJ_GxXYQb51O(*pz#c%OqXo@=>jH>l%l-EipsSODeDMa?#%Jf>M_cZk_BMqGLA{gL zk$Ap!4J5&$)0e<#!2NKW;IeEnr5VCSCOcs8r41Z2BanT$!;i@Ih9+7 zoE%hQW%h;OYGmUeksABC1WF1cw_jyoEl`74d5Bf=0!~mMcoU&Ku7=WS`&OB^Ze#FR zR|KD(rFupxIs-pME%SHW-2exKGI>0LM-JvYYZ8r2NPM z*G+vzFK8@hkVW zr$yNx@Gt~%5ciM~$ zy)~1YcieAzLig>+L7C^K+YeZRQg;VfCk3y-F+xXxQ-PSke_ie(yHSuYlTvoeg_WYdr>b>^ZpV>rs~;H8q{&@RE=^M?iww%+&(Xh)ByHYC6)`5o)DH#;Ey zB@)eMS#15V2{B8pRULrIPE`Hjb`hT!>CeHmi|2s z02PK=XDRI3m@@&L00<()<9J&%~U=6g%8o}3WSt#2U<3| z7QhoYVYw}NqL~Udn%aX!sUIrFB>7g_OXsbj%T~1`YA40&rV>%Z6AN&WqSZc`pn#KH|-+nt~mHiNQntEdTs+HWCI7e+_F#ob@Kck<4V0PN!;ib^?uPBY4g(uKn=Lre z8uuv1!w!_0pDFFUNf)Mt2kGEb#mo51aX*q#I|`04e>G#sfH&l@%W+IPUlbA2JX*dr zU%y4*Pc+^MdFj1jwIs+FuI>u(tdZ*pTkM@)$6#EJv(H9f_Mm#qVflE0*lzZFxAsP| z{_M3?eb#FiwLMt^DhI0uv$Sqkz3wLH7JK+;c|yBl+0>|U@zM) zr>yYBkEk_4}S%0euyTg!tBB+=+!j%tfIrL99ifq z1IeHbK$L)am^4l_A+JXDn>pN{Sk@lw{s?1rP%wIA5z4NE@*@`T6gF}&P695sWQR<< zv9D=3rqSzi^Nqz)MOfKwXcYuNpN+l{_en3jHvAkKkmy5r#q->`fI>j#6EKVozIiYx zCC*y@#Y`syAB=DKBxUxF+aJ?if07CG^2;#1L9e+OQWQNc2UI0no}7o*_V_iND8-3Z zbG>X~fEXC0q~+IbB1(VmWVB~Iu+VvgU;cnf$PZ01B^vtloC}=|5*7zoC7jWZhB$pq z=z_>g!I|TC-*zB*I2!9g-#}M^t)uQGJZ=f2PGS|*ZKyAys)`k$^8{!{rSq~HI&DrR z5If{uM0ltNcDfa|9lg<9(H%1iee6OGRqK$;>gbzqWQA25lQ4DQJA!(4cHV=u^bicd;^r^X%Bm#wuR~87C zG=MoAH04Z$*GQd^)swPuUPty~N^154ZkSN$>41A#zwRS(PjF~`9F!DN+|VFtMZo2V zBGLvw%19@Jn!*5SyXQ@$c`DYaPB5Ql@e=$D12$5=l%x3%X1?vTEHwy^qH0)xF%=nw z87XTQK*7@sa2RbdIu?iyc@WZG97AJt%o=RRU}nez!rv1AS<=HlgSCHlCCCl=r8Wy% zPUlX-AUF`)fDs*tn!?fQDR-^a4@(K(=%(_dZ@nCv(aC?VuM4!FL|U3Krbz5**Zc(F zOf6A1TS}A9FVMu^riD&Gi%u^H72YMUbW41O! zg-5C0F;)y-q(kBVB1{2MhDl8qPtY|FKri=5Up@I))=D`6OF6HUO~jI_j5v#M(Wko6 zc-Xx!;PSC6T^iWO;zefQF&Bp*VuBV`7+YQ+LOcEYkrVd_8N2#hKiW_=;DCtn03w^y zz*h-~@JfY)&~*wMDPm!XgUoaa>-DKvKeEa~^vqIa8qdVNH(t->MS&uE`K>5!+>woHJoZZg_jg&0ZSI#|U zf^FDNdL9gT@?l(`RI0$Y01`s|nNH{!i@}<{2T?){4F}u={d60e!UwfbAc$6qNLWJO z-A7scGQ=W1Cp1ovgtiFU3<BugG5<;OhUO$9Tqu{n50} z;gc6`#tPjN)WCmpT#`svmWFBT5IvYT?@U@pIwhE=NWopn%w`X zCGjtVHsXlve2n;3_+N7Q-dMOgyNyy9(Z76S|IEAl&zpC?b}SSG>^+6IUmamHD7}5| z`n#?1!E+p*Wd~VD>~CG6$ls5^Zp+OVq@e2Rtzi*3@L$b&93#FsuolO4t~(H3%P62f z9Q;x4L#RhAx!tt-$A7zS{H$6Yz+ zQ!z&!f(~SzJJ0EZ%pU&pZd=H}dA;#_4%30Z8g#+j3vhMgacOSCzvS-qePGXwPxhc! ze{cxw-?mdPDuvn2X~Hmn#nmyaqTr}+zC0`T|9r|Nj=od-n-{=8x>aKl_@zz^v^-o*dh{GZ$P?>_wHPo7+P zGgrjx{Chz1!bN;3!hp}-)!G)4L5vUj;RxMuoAGwA#b^iWmpt!>zeFd>JasHrUl6$r zw*vZktt=-u`r5I(kt0atyaPClodK{tj9VR#{1xhlNCr%Smwk&v2gbi1i6MuZIs|RT@rXxztJu6gXtYt99Xs_`NGY8o#3QTlHqjCYyNh+)am@BJ`w>9+Eknyu zLPb|T=f61!{uWdJZUO%pL;k@B%~lfqte548jHuTO*v9=WuQZcVybZR7j45j?=6~s0 z|LhMN3!-1M_obW6f2Pm>;MV@x%l)6>);S^z^390FDysu^KL7I$f4zdsQ_{EpB?saU zJ^GemJ^Ojdu>IGWTl^W^7y~HmX0v8Ffll)Ps7+QmKFCR6A5%4_&-{#M0D3Z`PJ7F6 zPG{ta;tkB$J{utahy(I5R4KvwX?6uZ#DWt@hT_}UHH>U-NFjm@m%(@?G_X0)XvW?#a1{7dz1YDP#qC!EA3B zm~9&X|B*gD<^VgaC-JW(y(|ZSi<(uHN% z$v^b2o>|B*#TYeG+aGAo?0jD)av-*dK80$3#rk3QR}fOr%-%(PX5bm;*Y3rJ9{RW6 z=|5Wd`d{(Ldw&(}#3tl}1ScLD<$`D0%yqRluaFk+v()ux&;%zwssT+}kK*IbwGx`> zouj5`*6ann(5%G$kx2hm4Ey^)5y=1o9mBX38?Y8DXl;l`6_sG(&d z3u!(-rw_9qriZY5Kl6=d4zTF@e3(Go@{q$m4l3%?u!{&A?U0DJ13iy*)a#bd+D}9X z0O3t0QAE}dpw}Pbfh@HQTnk+%U`dOCM8dAo2C45*dq{Vb1kmUG6aWG=LOfY5XS-QD zWM$$$=>{itbNDR6_I`r1g4WB7ujR7nC*Xv&63K|aM-ycBF;<8gYyC9i;aaaRWV5X7 z9(#2?+?ooRx6^czIdg%3kEy&91dE&jpw$$!!bI@)5Fvyy1^@92NS`{*iAZl?7muWV zcDq$gK>fQ99Vn+9oA?OF&Gx9Tr!zh-XXO*H7Eq3IX~#sClDTONo}dKF5YXa7VLV8AJ2WV!wMLDlQjNELj(shx z9$T;@`vqQf&G}Vq9z&NOJvQ2AblJ3|?R%+TqQP$~IYt&5M-VyICe&X0x zaB+d^b)};vXQ{)L7DzK^FQW*H97_6@QrWuA_$kvzYCMTzUQhIY3EqDOc7=yjs0HN<^&{u$U^ZU$(7 z3U|TM3!`#PDZcx%15v@3VKPFTtxTu7QC3wpoAA1Vg?mfM5({DrynuW9uKmBYPix*t3db!X?FL7haDAYLrjz!XAr2l+b8$f8aC~>euij7vI%XDs4mId|E<@ z2k-MK-d~?{VNG=Qhg*ph4k2!cThN%phMsFzbqSM8Fe zj^;tPjwmA*{y`_g3eqt+8NcBXfl6>P7$>a%16159IJGc|UpoSeCTLnj&To~aO#Is9 zW>TllGe}ny3SK$w`8SOl+0kxba68CX;vM?bTLD=4HxU zQ^{xE+Udb*n_9%T;Pvv$I{CRPUpsW5Ln?_Hr|hDxHNx(88S*!D&5f?U<8-0Np}9OH z&J~0gfreVI6EebGW$M2!@f^N`KiaV7J<;ZS2j`~N~m^DNH zsg78?&U>9)X}6K2xoJK9V|`_6OsSLh%6fX`O5%zN$Ev3x8bp;~-E?p~2gg%*bJqg> zkh~`6R|2WJb(G=~bjj4)O$&!#6W!*M;#-mZ9;iTdBT=4H!^l^&d_6@D`o1Z-K<(ULSUbV=&0$GMSr$)mL zwD)2yI+YSeY{DpWY@4hpKYrbKtm>L;oLzfugOR2p6HKpEa#QHw-`fc*xMs-*A}Qcx z@*u@RGVJIA6HblUb!cZkiPA>RY8ELA>L#8+0<%U~oyuN6KEnag)fb_@w6+A^PVj^7~NFTCeovCE$&Wgy3RTP&5_Ob0@kz> zJnMpo?X&K4Oj8F z4Cg4XxS=V6B)Q~n<@Cjfp>y8wHLl7=_#rT2=RY;UK_a`FbZXR7v$DDln6HXP z^FWZE2G#O+lO}GD`xlccbFP%rtyFA0?pmKW2Jh)9@bxu*axLT^rC9$~v6M^hTuT+n zRB;E%8-#X{d`svNm9-wodzBuF8EpfPr47Xl(D{Tso`tBR?#j)O+afgeUXsK}ebpDi@ZJ0zxm;YuF z1hCRtWX->AS^Lei%`2XjM!+TR9?iL$-x}*;-Vrm{-hH?^SWjgn!}m;6aJWE z+g;dQe~va7a~6yuIeiPe&5Z{oN zW=x;w`xH%1QWQ?bU(3AK*4PHdm-OgU?=5_8ffa#_!|| zz&*V>THsHDKo@~orRgyY7>#pX9ld|?X{2d1|aR5>@v%oW-K zgbHPP91vX$NhtiS#Niv2TAJYq|AZ(rM9z2inK+ROr>2S^GyuCzWFFuD*C^A4>44)}^3z@wxK2Dy(3dinXP) zT9$;G0fE->yK|;aV#q>%up>EQk=IwSpfnWH02-ItI-Sb5ggtgwG}bg=bXhLkao`)) zMA1pv(62CLCa4$)u*SX*%O;y&HKAge%08p`uA({@^D}hTQhWd{h;qZZKHQqm&cDkCE)cyUgI5eMpa}-B5Sre!Z+rd7 z#?aHfIXn-!SC2*g*RqiT8!+%7+HwNk#1!JfefL?p`*Q9@n}otL2(TP!n&>pdvZ7?& zGjpCl>^&<+{~i(2J$|bK6%r$wQ=oK4Yxd$oC*=Lt)AD^(+3&XM`L5aB9empl^CSw2QXz7-YBLmg>j5!>_-7Y8~pF+bwSbr5VCzZ zDkp^tRn-w~u(bEbEtmNKIB-06LBhg@`ECmt5nc7iSEsMCrja!To(|OwHjqwbVL~(` z^|UQeY47Gxg)$ux(N}UE8KG|Z}qWq`r{RNWKk;02go&u8&B#$Lu_6qDpYw<1gE^3nGKyOE;0#Lm_l)AZN_ zG^DffSh8r#!?c^=XH7aVrkRLlJns-NqQJ_^JEO? z77UA#GglF_6uF_smG}aHkW?NA-UO5*Jl;Y%S$hf{)Ow;GpSzTGK;_C*JldV-vPf0P zv_INN7^AQ(nmG%VjNeK3mK5M*-=qw$(@Ob%;mX^U2d-HniVE9f3ty(Q%$imz&R(_8 zC!<&e5}({GMHffKz=$b0pQm*PaEz!TJM~ho!Di>*kH%Y5cG1H0-lR#N->OTIWx5Sp zl|{H|`G$vO(biyFLhadZPfwJqDc5eVX(8`)>Sm%72&8VRcVgA`+~v-KbY>M zfb3JPnsog_bI@}^jSahQ>6sfOvN1OyI*^uS1z>W?VA2WHEF((G;OwpE1n&AT2Img$ zkPjga`uY22owE>F*r>#iQk_<<`~4lX$38u_=PFE^+}6+mL3i?eGRFNAAYB)Ye0?zM zQ;-BT8jsGTS~2F~8B--Pxjc%#`%tD#`qWwqhX?|>rjH?ek*avi@5ZyAZUQnvs;!c; z1d0X{nVOtcNE4fc+NtiPZ7#G)2}sn_=ZLd7LiQ|NR-6shshkz@9LRc5wn{Pw&~IF# zs16J|qH#Ha%l>lY($9{OTNPSYRq5)WU{@iWUjYb+WHefusev&+4eHJ*5Y2zvMPnU> z6<(d~ic%}t%vf3~SxCt!Pwp0Q`5lF{Std%-D{6>Q346!17+C(TATA4m>5qG|vt5eX z!)~PMB{m>sOz&m~U@%(kRJ$4^8J@e!{yeLkDTFiC(}vEEP1UU#A3ia0$N(ALuo%Vp%hOKh(E@M%McRC72DQK0j49&M=M63byv8g|Lw05jIoLL5=3YP@k?D9_CvB=^=tNuqKP`{RQH&f z76)u0G%e|_+5q2}bPltnqT?^;VJVg#6O@}QO+IT6Qmwdk$1u=SO@YOUIP#}i#Vmlh zOUDUKJPH;*xFysFd16vTtE`NK96bx(;zc@}?q=3DaleyvZwBO!p7Wn@Z}~WV6Ue|M zYFVZr&qO=&Hp4j?XqgQC9H`UAWqwrV;mA+xw1x>W-=u-fSy-~}~6=K#qi_JJ2|FCYcd(@ux_9A#O=SL{G{ ztCwYZ_$dQKXknfVWWZy?mX=k05uUP621eDpC1w2MbW4f*Cpwox#^T9n)W@JweD-+U z-C-KPw>p2xj;+^*=IEk`M!$l$zwMXzsNqm$0zDs7VLN;8eXE;0!MSB*^h&4fQVYx} ze1c4!;C0B@@6~C&8ZBu;jOlW_Dm}3tdGTJ?YGCGSSjm=cMUuTcKjdv)%_?8L=JnKQ zs5;+2L&NKm2Iu1yRSm}tow_@-o2zpn_*@fR&jEi+B0FOXL6o%QG#MwezY{M1C%4Bd zS-FudTQF}(Ktm_G&kjdJOUrVVG)#;kPgdEYLk?wHY=fD#kIx>QuaaMpV99-low3O9 z=b4YvEa0)$D_I>bx%&y8bWZbn0(W6T_b-RI&QgfOG_L{Z;}I@Xbr<{$TP&l$gLVaT zP4&rp;p`&ZyFlfmPiM&ty}LkO>zpmPp~MNLWdKJxre1)eGB2 zxslLLpHnfQ#~9n2m&4{VKt(MGij0fle?rKcNNehUe_mrXyR5ZNZP4#%9^fu zsNI%gsjq!;rP?1Wy5fSX+mau;vtbpzUA_P{i%sB>m1(Y}Lkv10&0X!yn2gXC>D`ku z5C4&hI4HnVY;bx49(YRpV|x!eoaq?{BJ2!5cwpbcTwL<_{$!0K;l03Ui}zI zw*u5ftA56b@YXa5>}|J$!b^JLbcgjW!Yro%>D1u{bkuWYk6Fn3fVwy@1^dqF2hp>- zhiSXswOAPBBd92W!DlkAj1p`evM1%aU=J+A1V6nU0{TqB)gB;7Jnn}IF1+pv4b;=E zMc^EU(_Q33A$`R#z33V;j)C3v@m26rdFSRV;4sh!Ot|?5snHm~a_ZzMSd9v7lWjnMUFdF-nwnChbBq1R0)O7>kd2;JkbWz14#4vd1AI2Z!|)gCbVL6uezH&V)yZsIR{|78r=U^L=psV( zFoP^{8TtTmSABW2yE9aKU|Y6`h#K9VR6c=P&=X6M>$U}-?*A-q0(p;WKrrk4&dcyq;A8>H0|s(qr1+YivdU zw62p_PiJVU8_!jun@ohyH&83B+GUq2w~+0@2G2#@0wgg>Adx)hkXRUab$cE_&f4*} zL$QP{Rw(G3qtaEFFC%xEd&%a~me;$wb!45>T4*+!tvQLQ@fjMlK{AgvSR(!Oe)fzJ z2SzivCg*JFH(gOTL;L0kg8HYRgCI$0d+v)pAr%`4OkXUNt?8DeLJq4Gq+Y%U0^(qW zHk3u3;+~9r0iik$P18oz)%`A2bBQcC3z%au6`o5dybRM4wp&5$PC)uggDPSLaa1bi z@6@d80gTL4fe&sm!@1C7Nr0`vGyt;JPc;xkceUxivOpR96%Ua%%q*eaGg+Ob<4&es z+(!E_+15!v-*D~gj1Dj$1dI}sk#0_oPk^=lkQ|{b2c&Y8?45}ymFqF*2_G1XEWLQA zrY{eA7sT3BktP7!(+H{KvVly|dE#^l{AcM(k6pC>c7`;60(cI^f#NgP_TG1X5UjO9 z;Sjh}WtTxM=2|>XEi_E^ET3#M*wnL`_mA}ct`93PeG|z5^MY=krlyBGl;T~yE7!bd zY6(5%suCV1D4SGaVP3fX(k!D=W8D#6H(QN_zTU<~0f_nrpt$swL?&U6x1bTH0IRJA z5UuRV3^^pse`=8ske$Y5Ltxbe021*n6n=>3o?jIgg_gwp(=1zymQhGH+b8=ML+G)- zBRnc8l{hM<#Y?Q=?lzhl%Yk2GaAs*)KKAq5w;Y?t4Kq%u8bd+oF%-U7vH=ge$*PuL zrM`UR^1+QHaTIcUIH5U z0OUus)vKT-Qv;=!@D@bw`(UQ$&_2cE)0r^1zHR@ zxn;N36tq0+UBs5us17IOfyWV`eZZ4>^2YtyM>NOO7&bW#Z*&6y^*wsqIPKH~&LH5e z7z;&`VMwmalGn-d*Ftep)^GF>`tehq5X1*M@?K5x zQop*mK`!BE8m@X{ki*N@rZ6m_U`2wv8>!0mFbh(uF@W-#Dvs4Vq&?CA4XUTXr~~Dp z(!4sv-kHWsGpRX}9>2ndw#PYy z6V+Y4k&aubP{Vaw_!BhU=vKWyN25+TdY4Tu8@4c#+87OA%MlECo+-`cmHhaFbPPmg zVZ+BRFA*w_j4V)vkpLM769Fm0w^|{^_IFeDf0h0e{|@m{G}>73q%&%rGh|hstqO?o z;ig4YFvyN7%@ea)vd(k#8Rd+9l{xG&2s>JshnCPN4+2;`CM8(`&AOp4r5%Ev4CZPI zBa0|+3hpMjYbC%tW-*mqo)EcYEIVrljSHfcxBz8Z7#BMIdUWhUf7E1`-Ow)~NFr~U+ zq@WH;t3Z4_h2|~D7j&?9mUe++z=C>jHn&o0%0dHSE0%n*KmuNA*JB*=u+Xx!b1UHGj~=I?0NYcP#OT^7w90GEp0#2fD*$aowM1td2|WKWO?JwLy~ie2gdT$ zzk^49EzaEi-KT07T?oVB%RoxFE_|a7*!D7q+fc$lvuTKrt13c<&IYe9=-xvB0XK*_ z4a4Vws`6k&?=kkbsIEkByv8}m;o}5OgB_1^OM8k@N-E!e{;VXnD9sM`Ka*61W!B~-Y6HqKt$J>EO%(w|gei|ez z(+>`x8*iQo;;9&R1mB=IFw53kD8PIzh6my~K=p*Z;+#tM$5-dIPZD0-SGrptty-}G zmJh+&lG$kQ5cDoSIhER}B-6v0Ml+uW*4Z~hZrUSdDt*u|i2o91L;gcWD?TNV_UJhm z6H;9mb0J{7hiow{Pm5wqOJ8ZHKmVb4c+~_#{7QUi;x3|8K!@MBr+oO*nz-xXnoX+I zH8)cAZ)Ek(ev9Ovo+c-Gj0)c{wWmagUMln{FE4=bIv6&2{4%(qB`9OrJdXV@^jIaP zY}AKG_lr9U`0T(Y+1n!0`nI@z0fxX@&Lv}gVI2b8%Z|>h9vt=f5WLcC!3m7M&yXFV zz73>0vg@YMvG1`e9JC$Tk~`(*WwvN?W|nQM+fE*)Y5qv5iH|JBoT>ADuTa9LwoD)Hx!@(Pwu0o;G5O1 zxeg~#IFj(EV#ySVz6e51ri&g=D>VB);NOs2u!mBCRE@B>EqDx`h#g6L8|eC9KuW{G zxyIQAMt(VpLaqwP&^PFzGv*eIdcD&IO)QmJTWGAsuG0mgh#{=0Ue*c~XYP>WR-C}j zlvLHb=ig)oFASR#Mg|;xKDM)==S#uY3WsAj{*y5W9gK};SGWRE!yD<^%;puuCcN;+d&y9C}bjBeT#-_EbyrN~v_mn?1m znxVdd-P^*>I@aAeb=8P@7Z@1#JYQx9U|!HS4?(R-AGrj%DP!>{pL&L?fh((gAhH$q zKF>l$5anfThHc-Z5Pqp@FST@b*ng~5I)98yC5B?yZBgYKFO~hRI*<=!W0w|3>bIxVnc4c7*+c_R>3P|h&!V~ftWWXezf_Zb2zyzduoeM^S03o1reE@>1H-)J) zKFK${x~JqBY9)0FYNeNgmD#&BUwK3UZfxQ4uwZ%#EE$Q_2)Q}Sv+HP6o(w-m4U>T= z!eUG0e{(x)?Dp77;LI3{P1&pxAA2ft*S6Px)ogtox%2dtn8Dd;n#s3tgEB_7xnLq< zwB!^@6g|$ASQp3-sSuvX2PRtlzK1h+{X{4vpSY)s7jVGy#8+y0@?9w=8)8`;*iR-v z`>dq8bJ5DbIZw5D4UrOVVljRx3M1+snL`+!R5sBda_b+?Jr0?z59s9j?XniYk0*Pp zoVz~*x{AbajE?nHr)#X_SL5O8CN4PJcTfunjg}MmJuR_bt+e_D1|w30XM+RN)k?-Y zt~mvCJxZTASIIrHdmhc4?f7x4^Gw$S^OZ{TS{+pKt&@e6cB7CK ze?WfTBbjaDwJm>l2ld!7v2*>E8y9W;*uIdYmY3nj~~VxHxYy6_2eHbAPPvMfxE z_lk-$flVyc0?KbOG^W8U2!ou4Wf17%Gb%K2NJoW@KIG1|nz1=w2^c+E`$vi~> z9*>M=fQ?SU6(ztr;Q=902htirKr~t;WMl)1a;hU>WbqILGRN;%@uJFibsLd(Wn9w$ zYq3v)X`pO1T{B)bX!_?eq6#3d6av*Sod6~2!$Bg<28JIoclJ9HNmqlOy%#2->1B9? zjOVgHcV{9>aw|06{b2xsKVm@#1UZ(PyG}tA_8Z|703cqs>v|KH5$or-i5)M&fx-o<&sk)ZR#1v3SnG+p|H=h^SknAQLd{Dvj?fipMY90X_y&EE z%dkgFF=b4p!=*LD)T{FY%szJPyHsSE@|>z=7FAODypdLrCrR3zQEv!4dPhXRA7CPB zQ;$?Ewb3O$K>`yppp$JvbZiCk-N(8wuTY?c#4#lMY879L;yZQoz;kO_swEgpNB}c( z?5>w55H^u@;c95pihN+EGCj($do=77sCZc#pc~LM+e3+EIsnXjTNR(`s1TCII@hXP z&gO}}TP>A_4AVU3PZ6iFcX!*)q~&M^VocrNm8_RQMnKzyQUyc{{GI9BZU$FVc(8^`ZH zQ>6H#lguqh4}he`-C!Q6?KfjJ+fwzAlPS=12|ZHb4rRLL`>P1!<%x}mzI#t~n@t|D z=|Hy^!uPacWn8z1E<{d}9;gy#FIr8uTtOt0lcy9;#gPwfrGsIzK~h{m-R?#4<*OEz zJCwuaiv)q|o#v(t2e!zo?)_rO(AgxY-j--7snj;{noaf)<+wf@j_ewx9xL>(YYIiGPc0 z_m9q{mTLT7dqE9VEbLVtNVP1d(o5zapg!A0n4?3&omY8QEEe<9{Y<2?PI6NG1F-1P zXoIF;5QY7(FU!y^jAzlVjzxLtZ7xEWbB7!S70U_Ty!64g){Rcw|jDfG}SAWk6CvbY}lOeol- zc*5$l_r?>-02*M&5QT>tA-mfbkY7(E_@U_xv*pknEe_ZCF~>5z~P2|)=Jq`O2y5J5Usq$D;e zAl;3mbV-LGvgrbd_ z4QY#VAwKHU)stC>&H#NJpFxxzQ~_9)EkI^YhI-*m8mM_51_f9L{W0WzXa+b7N&q)? zKO(dIXT~Buc)-=>I2V`mTmYDC%J@TF%M94|CgT55Ry^ot@udPCB6Z#5ka?;agE<%U z>Hc3=aZYl5PY(rlUDddUy6!QS+KBI$>dhp+}J-S{WWw15@W zhW40Q*%Qa-OzXbfDopZqITr%XJxuXB@<1O`ph0Ih#dtb!=$i*kp0h1RjIlq5mMfulT zDKf|C>&XoHq+E}p|8IYq{=IiUa0C()Dlg18asCHv1Hguh1?)Kz zKbic`SR7TjLH18qcLgQ?`&-SwvpDa(fTEq5j^cmD8R-8%^8euj{r?~N|FCXVxOw7P zUXf^D;egJ0b5t~d5j?nQevP1g(#q5z`-d&{KV04am)A75g3Tw1yz**`F}{St$>E+@ znl$?UYD8K+>HK4?|CgWiU+?R?kDz_@I$t9sV!Zw>-V1yS@k1`)u#Gj>Me|R2JO6kQ zPi{_*Y>x2jc>?K!ASL4$>)MyMz)3Rb`spK959Z2+^ymLH$L-%&WsWokalc;D;@|e_ zTzII8{$dT2R#A-L6+zZVxg9SK1&lT7EV-S!mZ6^v>OqfR+q`bdR**%Pl2XZ%BaUQt zKWBJbZ}%;s+U_mSaozEZUCOH4TPx;hlS?y}t}ao(PxJcd$uLW8OR&Q`QpT)b* z|J=I&job5&&j^kSdPth}z}qsnw10V;{x>g4i~^nc!Q$W7=6NmVIRH2v@P&~Pl!6Y0 zu7Ei`4H~CSpdYa015vGfU=ULcjK+I=f%AbCplaJjD<#eqodXIv3?i>$?1S9IC~eS= zvgoO7{ZwGw1*mTa)CFw=8p_em$5p{On`lMe*K5b3C>Pr0|IZQyy6%2J`ByEVq6U-SxO zxzJuAzP$(C=#iTo-@z6b5IX`vLr%CY0OnwzSK4}mB(~H6gRexOw&*xN2J+@#R$v&M z@U9H8jGr1mnW5K*p^!vBpn!RPRMh~3s3C4q1Dp-}pG%Oc`#OBciyRU1WI5z9;3B!k~I4ba#)p)ftnQjK<#x=+#^xWo$l0d6(b6xaP4eK2bQ7kV4; z01xr~a3~gH0eb*T7`OB%?d2}UF)&&`dHE3_z%aWW?v87@Uq2!NtP>38yT|9)kjeZE zu+w;PxlAO&lEXbE)=&GnGfbuyA;jzj{L`lu0USB_Bc9R?Ovh#b*J~Ac8{en`g4!Br zPQT9APw19d&9kyTa3*??(EkIdM+Zs{5%7R|0l;2ax@o+P%P@d#_nSDgzUZe%!=ZH9 z!Z`LaYizN*gF{Cw{1Hs zpyHW$WHqp1rbcKX4+Kwa9&>9A@HJ+Ul_zD^+zCGj2T%@bymtV#%f}TMmkST{bQvj| z4kcke&O3NQ;b5IHA)2=?d)B5mOmW6i^&s1u5N)LymVw%3jp(qz&o z;R|WEJ}_K86}~i`?m3w-S&%e1KiPAy%Xw${c0ux9FIm!s&0VSoB>%-W_%%#SBwF>5 zYfJI37kY|&T{FRfj3a)@ok7s-o9Df&<>DJ4u)_|rFUZu#@0tTsm-$rjEK_v17x6tH zCmOfNf`i1fu!LBZpnDD2OS6^KKng*AHtCtiZvqRP4-9|8a0fta_{!q@=HsI-rf8gZF1G~s zfns7DA_a<2K*K^=xD(&dEUsHa-p&v3M9u(YXVqJl<-J$h4!}7-glrJ*TZcXw-97f+ z(jVcbz#xD?8=5fnSFhXLfU=m{V&G&aL9@Fltw-qWYd2;op*t8xxJwEp9nyU(90RG_FiRDd?P8!= z&nt&Z%%LtoembpI3DBlv$+1vKeoJixXa#F=3`_Pj(FhQs(p065xUN&amUf=mnVJS`eH?WTS07=J}cUth&N8hqz7;)lhp~KVJ@w9d~ zTc*LVd$XfcOk5B=Y{YNV$@y)wu6D;K`&t9#;3d3gi}spYa{pLb{+;@!f{Vt8DDX?F zGldQ=jcKyiya$!!qQQiXziLp1vKq__e*nJ!@e-1FRC1vG+Wt4;hM?3qLBGR_ez2kXC% zhW}YHAMn5=7uUa9PRJhrv#{-iznSJDzJyCJ0@S0c7kqN8!0g%)OtXt!0iHMm2pT(3 z?ktBQ^wFL>Y3G{;3c2{|iBS3hlIws}1CPcX)kh7*B?h%OKY`9#1{pHH0THHuQVZ!B zAG1g7TB1J#s7{QIU~X*ECCkaf4esZq?6vZT^s5_JC1sq@{bfK$)Nlg#6b8Vo^ z59btJx$o`*o0>`{Vxu8I`kHtE9O52qZ@EL-=!7_^c#7+A0gI;};OQ2!tD^kZJ(_$P zvvj3}Udq%ojDLl7qw<9Z;$d<(z&d}ev9HYib*@drCv<`m)lQoL%A1Yf&=_R_mOYtn zAW!cpkO4Xp)t>%YhcuGwJ(a;lgAnSmPJQtBDFO7~7b1yZN#}|H7hyv70`QR>fnQN2 zkOgmioPaWbzP)uY{=c}3snA{YSV_vB{Oc|fI026+>fEmP;N8Kfl4^6l*go6ZBn7BO z6@awhAa}F|M5w&!2mU@DRX_^w!qd<*Xocg6CT0MnXD}DTDY^4obi{WJVmSF`L(zon1nMU}CXA|HPw0WQo@s?9XPpdZDt}a|X7HK~-c_O2Kj$%zt^WbCZ0XM(CVB_n zd0n_zw19rJ;ju`0ti+#32kzZiRe$)v5!?bt7M|d?KeyyMI+7d){)KbbEc_Pbb#P`4 zJp+2h%`hO&y<(Z`NVnB`dhWtisJv#qepEL>>qu!6-2c}T_8&G-65!m0HA(2gi^U41K6Pwx0vFt!y^^Uk6_P)0eMiPn6&jCZ%89R z-6uZakk*3tnI&NW?!xz@r+4B>!@%E}#D9ZK`yxo+G6P!W4R^4rZ*yO>U`=0NyL&xn z#}RkEJ`7WJ2heo7$Bu!6S~J89bGs0Zbpi_!Pv8k;=mWZd9zNj>CR9mE?Co&xV; z3#9JI|Ji7_L265sAYf*Go4arU3wh3>;F1r|m{P!+UeBQ8F4ai7K}&v)p?z9q`BkuB!jp4_nnoP>^g+>QDfYqr=qhyS|`@HOa*$VOR;gN z&=Vi7m8^d9gw7pBK=@(>-1>&XH|wuof8(Kp_Sp5$ZT?T%+$aVEbT|3=ipD>^Fv1!g z;=5OTxqm8pbs%a5V50knFF*w;1d`e1=@R!t_MI!pElUur=*(M@gM{YeD-Z!*4Yv5{ z3t*682f{?`TDxQj14z3ubA!b5_rR;$Al@p#UUTdo^>BFu!s_WX&~<*MYz5?}W#|lk z1u08m(a(7T8vsN;HUs=2SIC~dO)w=*O#zmZ%zR&Vo1oqblKTi^UIR|MZ}@;(LPG$E zvFB@2T-Mo+ftH(p=*NHrwsT1HQ^C^8{l)|>v7@OaFz_6rf0xS+v02V zqP>-=C5N$wMq3I=lV-+1&B77fiaP_RjNvlzyJ#)7LTzGb(~;1LeH#+zG;pFY>LDcW zh{k=+bw~IZ2pUjha&xPqSI!>F@QDgJ8f5{qf_27z*4!wO?sia(yTAJI&wJw+1`kLw!9!z0(r-3fP6?fIDj^!m+1x7F*eZ^o8_!IvQ#-HY+$ujzO?JFf`4ozAc5`iO_NdB^wndkL z4jA8<*5RrAxA*`P$IsgJ!{{N~?#dL-B;KUa`h-UP{+%j7bgh9Z3vzOA$K!mFHtc&K zG4mSZyJ%KQNUD_QkP(e(R>0~FJ}jly3SSR?VWFZ`vM!pEd1TLYm?lNHp0l_G;T?m@ zwRebHNLcziyk2IKb4%1gIXS)0oBd>Hwhy57)wy=6vux%%(wD%l;f>{kx#k@QcRAW+ zZ(g!N%VM9iN%InCQPAZkSYv!xrJlTrqF$#m%hrc%=$0#+&GUJm$uhW+&K3D0hj&zt z4kmq|&MNLv_g&2hkC<F?+H#4VA*gayM}%`0WD~V# z$N0m#wCR>kR3I{!4Q6CdVt-?$cOWm%HN^CwU2vaUYiz){lX)eaNvZmk83x#=Q!MI( zKR`!AQd<$MB=>Eozk^EL)6@F5TtrB2{KoT}#$@|nE^{|E@84LBPP%_6+tBZnaw^q+ z)ZZZY@=a5CitQlxz_rG$MsPdWg zC5MaQN1w)i*cRMjTy`6bZqp~n+e>d@_$6ILyzb605+CEFI-=J6o<$vbXGo(GHy<8* z@3imO-W;!%+F>gN|5mc0iFN`;+u$ zAL#V2A?p3!YULx6P;S-Ao<%;U8j@+0m;_u^}sMWov4cw|csb4VQc)K?IKY>OwoNge~^uhz`F{S<{_=I z2Dzt04@U+^n1t0!>K@Y!$N#b{5KLGk+Ene|J05b98oP3jZ-^6GJ7mA0g5NQ}A97|k zrm2uV_vWF1GIBh7_z+RcRq4vIOzRd>em`R@sZ~+`RB3d4PqrcD?T!XaPhraXHZKwl zSP*}zdLrd7M%x@FwSv0m7GsCHJvy=1k_ej>5}JEpm!w5&xGj$2m~G>wp7JiYdlD5} zYko)f9%rGzwz~aiuKN7t)MJzS*ZWU#lIE6bLL`lN7lc~ymrIG0*w<+toC^I3ZwX)> zJq+e3??gAfANz1xAkVmrYhcgR@+Qys+WmVj*DY~SB+H2oeibWqnTrL9vNQSqE`2eF zq9_*hZ@>dGK(biv23UrKo}Yr5t#S~39Ck9YHnj8pY&(OWcThj5Ie)UlO(g*>j(T*v*Z*1u=?0Q#aTpHk41R9V2^JCmO_wVUv^ zGH}otBR{`A|CzA^G_PB9`@vmcXIL8r;iTh?I}o$B8tmG`&=|7X-TkD677k=@^v_mG zL6t(?)YbEQNnnh_yZJ4G^tK-b=({2Csq)E*E9fGdJ>;Bp?Op8-$vuy z|DOC|eHwVrYSos_Ym)w`ns`H*>Ogu(-%2TE$B{ z%t;oiLBDgB+mt;XCs&m{mECf!6ejbU0opC0`$ek77l&0}f(Y5v|-u zXMYijrhy=LHS`-5fGRz7wd4v&iB^svnQY0ejs^n`Br&~)b z&;rI=2eBRG+)$1*@o%P-#zjC*q>doAXVd?M)}38Z8C6_so?oA3MN7A)Fe0K+#FBNR z?ii%k$1-(AyF*l0yiA4_3`V%@S3J)7vS zrD3{wj|hhc(n!$~jSB1fJBQo)y35rNe_xDno9|ka zV*j$qj4V*3=y zPH1oH-m#Egi?~#p4b(ye(Guwthnff_CD_>dpO z^Gi7=lSOt!q?H8KFEgqDqlQ)2fJcQG5qc7D<`ld{`kt!cbigL%I8k({YEpZQ?$4M{ zzZr@sleeUQ3m$Oa5J<_Ok{{12L7>QQtF4+@|BOh5?(=BeY?J}u+kr_n%t*|L%UgPsiwW$%$F!SaUq#=#qS$|c{( z)m5rDZ~P5SARM@w+Zz@vGJh=W!4x@WhQZpxfS^R&b#7+HdJscw0;b$nTa{xD(D08X zeAqpI_8VIKUT`Pm_w;m*?Q&9=jWZ(b#n_ZsTZ?TKtH67e7~YSzT`FFuhz#_f=FfPF++&tDNRIiRZHwDcu*u^ zi+eyk*NS7bx{@f5i^m>5H1y3Mog-DMr024AGB##_lRzlqKzdDXF9g>t9k@$Tgo*l` zvLw*rUvydXVh@e_O6U@Mas~7A>5?T3r;8E{UZ5Yt+OvET@>8Cnf{J0t&-X1=W-1G< z`aH?zU#(0S46(sZ@y{{<|M#R?ge(0*6r?|%Pt({V7lM%!UD#pRXI5d2m^^#waF*VBEbY*e$Vh>Svlm?O$>+?V83vV4;=$ zuoJ#IKhPeGx;$dlaizE z_JVFe-r{WZo9p9b8>A|X2>rtWkk~FZ;$hcb;m8(LChwm0)Lq8@4Zz5DN?HImqQJG>6X253O|@ ztY}~bH0%6oqih2dWyUqYk*itxXv1|})-W2|J%ru9<{sy+$WeiF6j74EncTpJX~|79 zQ=OYO%mU2jEM;ZRvv+wMzD>S512D;+iSOMTn~@c6d`mkOhv{POxm)Sv>}xHZ8{hX# z&l+C3{4yvL#XIQwYuxe=V}pNlW)QogQ%Rx7@Tl)negD^NL4^>lt_)XFrH)I3S+0|f z>vv3pkgbRuiKbWx#S1whf{)@PM9~1X8?*#Q$JLb5OVl9(kXOa#lCTYa2{}PjiVzPb zudW1Lu5w%qmnK3KjQE8J)qB!N`7n>U=nT2zMMXOd2jp6+~;oK z<_pP`?zG1AHCp<3(xeh9ZM%Ox^LPBNa71OPS&5u|t@LHLh&fq`P+WnJf_q>oYw^v+ zRB&nMhVR;B-rz_Ge70J$taHcOt^eWqdz)nzvI)yS?$tW;VBXo=I|uhWv$`4{h%)Z>Rn{grfo@b$& z;bx|4|Ha~Ewq;P{LFBDTHPp*>m*;d8=?{8_eVzTk-x6jk*}YrUu(*?38)S9q ztGnqpqc-%f)GOFvgu(R8`vxA?>SB(hfaPta? zMFCgVT}NN4ufvh+$UBQIhY_)}(|-P9#zAc38yFlr8uD^88yklOAgL=HD_|CS#yGyk z@~Qf=;}$YM_T%_iG@0>+T;XTqL`8(+X5pp1&Mm&|Nf2vKR>ar9o z0{2p)JdTVOMUxc9gx{KaS+wI^{FC_v8caS|`bgxbvl06M%fC$YfWX;U5UF8btU1SN zXuqNLk*HM&;dzOC zmhJQRSmCEfh0EvjmurqsDtdU=cPIz(zoXWeb?b)DVx!70`|fYxpe{1b1Qs2rtwh&& zqP9y5g9OLmC}zW~=GfBbIG$GYVs%eJe!x_iFrAD69=p!Ly<|8oduD&k>GxltO4;mR zzz(ZxOWTBRwiA(RtVq2M|Cyv+$|JOc@A5NZB*y5YLq%o9==~3(!$10FpuDNMx;6u z<9+QM_Sh)I@U>Z+yNkV5ykqRXKFN6$Br>S5$ldLl{~f+g6}ME=cMxNDUdKf{$j-+FZS5_)j z94oWp$A;z&vAd~UW>GgUFr;(~8CNG32KzsJwf-@haY(qy^mK_urcc&o;3r~uX@EGn zo#z+^`^;k#v!|w^K_B*OS-(orv|jw&XQ%R8b+cZKZG>!}?2ljC>k^v9_xkc-&u7Op zENlozX(XEs@OqkfOFCn(3sTr`XjUsH%PNjaCWrreVPRAe8qkiD#EsY4GW*%v=m4p( zNxR=H7pjo50lk$ixhBD_ zc7M#^F`&m&qDPD7@LTXW9MN#JSZc!zAJ&m)mv~BU3XTcBp*cVvIi$1=bqAt{n~);E zvxCczod`#Hd@1jyq^?{gS59N8x3rm0MS!774Q_xy?XF&GydUAUImN_7ukXC$^x;pj zAYYE-_Gu%I7KVMG{#@YFLd2F5Qb=In#8w(!XEN&qGuc@iRi=xNEKVRYL@1?JWtG|{ za+Sa;=Cfz#l;))7$(SF_7u6p?pYk*$mwU7Z2v>N@(Ynd~&ytbwxbi_w?_H2 zG&e-tSo=umVVg}Ox%m}$kUu#_5h4SvQU@QB<08IG%of=esddo98?QabZoeHd1E#fC zyICS1Wdj0_QWxs2_=(CThprbx(sY)cfNb1FY{GiGc8a$#sqS{4n3FT=33x3D&9bNh z(J+%l>5iH@1$LN*IDRWz2T)!yv?{wnZfHUjw3PCgWb`xv*TBU0!`|$kdNiBiZ&|@k z=3AKBtlpTX*oMTGi%ika7XTVf>Q5gMp;>BZ1Z2nI?V*vuymU~oea59x72wEi-nye)Vb^X`ce7#aw8&=?^JVBT0h`S-Ro`#Hor!C(Lcm*F_d>Q1fTG5?b=As=&f z{ZAB)DP;V(IgD}5Je>LhyOGrd@oB+^OY*c|4=cI8kR1A#XDdg^^h;FffV_L5K~8i} z)f_oacZysy+bS+y=LX0>CswxNCnN%2d8IKI^@)ovc8}F6V-?amx%aTcp9}6wVu5=h zMF`hVOEu;|Pp4kA>y8cyoH)l0%nAu)HVijtmCUTMb(ZU9c_3z(d9P-F!xA$EPEzUIbcOxLmSI3pV=M25b-@w;1Nd zu7~2g8L(C?o)2npt)R8UH|*9iyFb!!1fuw->u@WDmLKs|CLv#M@~F30BW)1I9~~_i z{oPrlFVb<=ZCDTDL!{rv8{RsGKq%`Uk=%T9ej=S;jB|+?d!9a@WjtSoKNW1ID5#x^}4^46a*4S#ktq+!~)mn4{i@J#Q|s zRpiFdWuE;7Oa5L1rp*Zl*MrM9a7;h6C@0(0v<@o6L$a!8p7_=$T%U4St623DdygL9 zF)YP^@Ics%cN@$#!?Qx>&Db4hU>b9@Yy2w7IS#0hqa??<*1M8=I(diHnnHQpq;<(Z zG>3HnC`x^B($i#qcD-}ewEjtKu}~F>TVYR!yjDW^TinxHnmMXXdE_9>?e&mD!dqla`YyA{-$M`mfX}pmg{tP*=W44J&je-f zLQdt$BH7it+?kD7kI|c&%5gT2j`WZ_5vGA(0Dd~*IPbSrG7d~}1DzjCVxUud9$s5{ z5wAv;^e&~W?_sk56-JNo6x{};Q09y`=Bp{=E4nDW_y-uy?kvqBL9qhr9^o!AA0-DXt*CfpMs4ijvJwsE$Nx?Z z|Ht~yQh}C*+!_L5_0xn{?U* zN*sGBE|)hgNxbI~Z&5)_KA1`9^cUEnq9?DoInZw4&^_S~texxn{DY3`S5n;T=@Dl! zCxYCvPxsrS3B+ySX%WO;+)kYbN<%7boJ-Q@FGPGW!>lI&u$+$`S0{OC>_g{6OK$i= z>Gc;_Y4URnF(TykH5_ng#$q`E!!Gr_ z#nys@@VN+5gLw948H*4xE_8EMdx884Lh?a1YiTa4K*BN!cn05%fs`PFaWBs@OiC;6 zapFw6X>KPGU@XDIKpk?pK_XN3A6lEUMODCCNE&Q&3rcB0w4vpf`zGNIu;OP`TCOpqtWG45(ZtqgT6B3{??N zgG5Lc@$-~VBHg_l5iG4LF>}93t=^}37!9ZS*Z^q$RFUk&zv8(RCTct+eM$=xTYCQ- ztZi{cM;2M8JK^NRWcL7)d&;}f`JquKMjG{TJGr65=x)eEIL=M#_U#F~3C6!izjTw&7ZIxp&Z>KVrc;%&G%u5q zDVSdJj(i{<`bW=Hc!8GEu8CWRzAesDRP%*hj#+k(I{X?=Vg!1{I(kC?d z5ST7%ki7i)2<3#r&LURD3Gkz<5)Z$#Y2O$lJ4rR^itY{D3g^a#r_scfMc!`CVUT~} zQ6bLSDjQK`K0{=y%}W@dB*EW4{xU8&<8gaRq-e|r;4b7Wmsx4#Bec=mozyA4jV)Y( zyx*C}IWVMb7);0pqcHXhlQiscCphG5fpho=;99F3tmhl~*e5Z@9Q}q(_ibbPcA}-= z5UjyPx;TjTQKx@_zb`^Kc^8vhS~Z3ds~~R!;3G?+OQvDs3x>nQ9-u)W6EON(5;*r# z18KQ_ZA&?xCeRz1#v(C0t)z-z&ja1=nyuo|or)`hS)RAdi(?MtW6pZgEX<wwzACjz$&*-ySew#HErtk_GN{SIS*r9z2*j#h8tB~92PY1y|ra&<$-Mkoc| zo!yS{NO<2#VlSbo&!rB^;oMxf00Afv9&`N-r7xs;4SX);@lkiAM9W+-=i_HpST5>j ze-Zg5WL$pYHYSJ!?g(|J(|&?$GRmL%g}XncTzz)@sW(U;Kg__%l8n5H6IP3PFw{7I zP3tSRMH*51Lu%l<;7+4BeQP0+0V>o1d*vx{tkL^kj{o8X(0sSTT}2g>;X#%dkOCQ_Yc@Z z^sjRI*X)xO8uSm{xz=NnjhdW-VDd%EfLibDUaZr6SJeF@cAj%SKMz(z_meg%`vj+? z{EfOSPL0=Z-}&p#*wpyUae@L}^`}7Jo^mkT@?Q<{uE5icd9&gPHQ{0(EEo00@ zGu71SABoNJr>DU4;3u)SoK8gJ#uMvl3Q>PM(go3-#Efuh4{`rr=A|Ka3CAX({xFQ! zWGvJOA)dIXxZ->VK6r>ma%OmT-Y`!}MoD0{iQrKT+oqwHq%sbxO``0b;o!C>(p=a<(`2fnxHNJ{1op%l6>?kSD&<@qg z5w?{d`};zmY;%Uny0~46aEh+Ozscym;>_wb3RSDpE%g66O>SnWs8L1H^V!JT_ad?I z^N_w;n1t){uJ-4rJ>q=-@j`>{~m>C5SXNas|^_fnV|c$;^sGR)QB z&t7~fd&_43nfa#&M{hEGc|ym~oZei)C$N{2X~ktG_6aM>rYulAJaW$PB(FAMi53L(G$ynlQDoEi-!s z6R&;#u9ua^o3i`!$U_~;D(^92{`sluL}83#=INvVTqoptDe?Q!#b+IbqQ4bqHOvpT zUr3c0%vCjY-ju0FixJELzk&7fQqFy#N$4zU5CPNvi5+la7kIzfEWu<#&Y&!MQ8B%u z$9>-vJeXNGTF@vGFGUY?b6(U9(ulVcD=!Cp$ z>&O6C77fhH$NaQAAa%~u8}r!07MG7u@_qU;U_6e9o^9)e2(*^UiWrQS8a`kdT*Nyv zHK99rl^cFe+@whxRkYLAHv_#gA0rd2hg~6Fg`b|>_-Gg`uEtL6t?&0Ao+@dFHr;Uv;%z1p zomXGfuH=*-!N_`_npDU_?lklY5jsJi!{%YELcKnUJak#a+!OzlD;@1LB;$jkai>oc zmnAzLPQ7HR8e|u^E|3#(Fpov$W1y(#6(dclvd~8^wZXtyhm3MM9dq%QiwP z0yFrX(e_Kwm|Csh774jIpg!S5za&CLd%sgHOy)+C`H_Y1oO_c=*$L|J_;E> z&*PghyRuEqxa4vyfDxgNRp_n_CPj?Py;jFe<&ESHVkVVW|2|%ti|=80ke0$uKZ8s~ z7Fe9n%E?E1T=00jy!Cc{ALs*S7VfxFnmtRk4zyr6dtv%KF+U~NQ{ZzwQTykyTk|D( zm4#fmD96wIA1>TKpEc#HIe6Vfp&M_1zzg86q){*velSAynq@8Iv`7$x8vBvGd4BP6 zV!e)OGJWg)^JJsxS!MY1lMCktHAE6yX|IBQL-nKFPLyqRE$XO;``giazt@}LreX+VeWlF zk=Cf*Q!3x;;PR;Qa8umaN)y6;(A2F9`-=u}>8D$MZPnEu^w7-2+j=oMF_V>;Ic7Fr z|BOO;aLi|Ipy5#H-N+LS>Xc~>iny*CX^l={q!!*rq~YcMB}6JNkIl3sb1H73(@)gH zXXxWm9dR!sLk8+mhG)MoQ0uX2+ZXw()x6bm?#9tSS#8*o1FO$)4LGkz-U8g!wYkqv z5g2Cp67!`5-Mr2ZGsY&{6!i~AGb>YT&p^F$*0X#h^Rdv{!1zu^363V_OQG+6BT>uJA85<`mcN3xt(J z<6uyuCamABa`vx0i)Jbh>$vN#>Hb<_c*$xUmeEg_w;rFRkLR&cHG0}oEjmhf2#>Gr z_k2HjbZv?zt4nD8m2j4o|JHpBMt>>45I(Rk&xJoo_&zmq)TC$xb&b`AlX`@crSWwo zLY!KX?b}j5^-AG2WetJ7Hl=t)P$IHr+2N@FJKmA@xUH-F^%tnK$r+7M$?%c&@xls) zR7m6SpOA}zf%<$LQrmE6u~*?t|S5g%BO-$EVj!jL0e5eQ?X9rHrA}8NHUY$^a&eeOyAE z(!(4h8%|eKG@j{*-kSMlE+#gYGVNykP*X^W>HI5B1E**|fQ|m?&?ylS^|ITp*m98) z{wYJQ|3Y70F+E!FNr&c5V=Y3`WA1likYTV%?(+l6mdg(<6x*04k0-gd8j7zjt^grr zEj28f{=g^NTup97pm>8Ui^};h9`|>76Q8t83zzC=M#Y|MWeKw%S#0#cu*G%**M#da zNz<;p5AF>^O1gel*~G>$H3ird+oh3)k{=21c8v+9_$3~60{Y7zAnI=5$~OyZ-#vkS zjxegR%a#1t%=kgThSWRaL$j2`uQKN#K={T3N>jRb>r&%cbP}%N^lZ0y)5ZGeG)oCz zG6}6kx!+gjdj4xmh{XjjOUy6*r zx*(JBogtcR0$M!5ySj2c3>R>xoMhq|0j2?BQSy9;4DI2EX0{|)EWdE~hj3o|$vq_< zScd1-%Pl;#leTW>is8N6V%ZrC6O<-L(w^-!G_X*#jZ=CUooh3P4fKPM?=?LBC4wqo zk>(neK49==|I-WMEdnM)iqB9$odPZQf9(sd_OamEET8LOxoXcF@_zuEUIE#?9T2(cG)K)dK!ZC;urP=aCS&AvNBYbl?+C|y2UOG&d&G|(^LNxiCu}VMV+-Ax;wP+scf-C0 znQ`_aj(%-H42}1|54{aRU?C(Xy7Fu)f^QakQQ;4>Mn3Q7lMxLSWjLFF0JyXl^Eb9FY!gk}mjqOsIb?K;3cD%TQKrK4nTIlNlo;1!F?|7~-PKMu# zFFcSd#6yiMA27Wn)9a$@-8RR|<`;(=x+IH~JA?DOV^dfR8E;`EwfcM~yWZ&;LvkvM zIy1cdiuty^q({4aLUHUKZ<^o1@s0F;vg|tjRCVg;ocvtV4+`letqWb|-n&z+TCX^8 z7hb{ebY@Fjs0#&5S)4Wjd+EhaPxPam`x%G6FYQc-97fD%_z^sNyy|1F^7_T_J{2GR zd>dDQ5=uKE-og%hUyiRo1|ZS^E;^FlJVXsfNz+c-SGUo7o<7Im#*Cyqn*no5j+7iE zKeYxix!sBW;9c%T(g%<)G_t?>?3WvdKxm3Jl=VY}asDolaA$3GTBEW?o?DhS$9GP> z+i9krITp`Gp>pN^d{^cAkLRx%McQW=Vf^1|YXO zR=9TWhZhxW|16{R?Rh=LR2EC|?aJIpFSwc=j~n-12rWbXxK=JRoMGo_?PF!SqL7Kg z-=Yi2xjF`h6ZNQ! z#n)bGO7)vV$<3rKAwxygq3(1yIW^~By)N-@gR?A~H4CUkK01-ywRFt2oJnlW=@yB4 zw_q;7^Dy&y0K&G!vi=DggXxQI{vB>Tk|q)PsT)rQAr`9oNam7jw@yK8!Y^X>_@bKlv&0gk(pHr;QbWmA4Uq%x3xJBiN%)~`+2KlU7d=JH9`5Y*QsVQaRYjYDF z%ZSd0yOKF9`a`$Q>()?;Z@b03q?p_hrH5V*tfXZ)_mw#H>4jK{0$5t(RaRdQ3Qp?t zftF$oD87G*vOM)HU7lwVrDOc%MUS=o@bRrN6V*x4WAdls1W<;MZ@3obJxoRmS0pz1 zYXhHjEMeq9`LX(jlas2!i;o~@Npo;fs~_y`IPCUkXn6t5QrXlaOrn#YZrBo7rpeBd zRH}myw(?ItH9XkV?7qqcT__R$5+k|)@Ah_IfIW_vQPAAj1%ac_>eMfI`<-+od|oOl z>1EHf4Pdt@_~333@Y0cUd!_P*oB}V|`P9AeUNXbE&%!;`^RAU25)S~0azUO_j?65# zD5t)ybY#h|;uyFq8ycnz-nz}L|9Vj}xjyFD@O047oQiv&3{XYnonR#{--x9s4O1!n zl#|#@^5K2{m(6p(6j99dw{NE&Q0{XLHNpVA8SZSh5u49Bm?Z&2eFB^jwL_`YplQ-+ zbeeZR54y=s;wq9=nI&fgHjm};wvrJe1P5jEGQ`f63OsvlQb5e_Ov7D1s{Dl8tO}K( zIr;O4A_(BHS`6ho@*tNgM@!@mL~QvqIeil4eFps9nxpS30~)WTcLyecL^_lrvc?_Y zPI$wZS8vE;Kw~AaSd`%A65+_cNc%3*uz<_sNx0L3nI#bBfs%JLw{E>ME8(6_~r6fvs$D1%;-%ZMGgxs05v5|VhgL2U3l3O?_9mUJEj5fV`p>$iL|CBE+k`FSz%W0=98TMeXIQP z?2e9zgXOiE)`_KQf_XCe{BuS;`xw1c(I7*#TZrGkWQ)8P<8DX<@ixxq%DbiPVtjk~ z*T!F}_%9oOFtD~R`%q95D^2dK3d0lPtS#U6ev!*@wzUw>?VcirbKma1i;~Ro3~Z%y zf8oJ~o+BRoxsc+>q25s3M&Y9+!>>Ov-Sfky&ZOhITIg5wH0GZBT5?!kAZ|68(AY?y z2upA2BC6Krp#EI;1y}w0Tf>J+8;|CHh@SJVtdRfghL>!YNH$2Lo+J2<1drTjp7?1B zq0S2WMBAG0RON8pqD_$f`~&%!yPR}%QNqaPLT4^_+xWGliLh22=V*g8-7cG!GJ%Ks zmX&JHpu%0`lUFi_2jgy_PLSsO$kwv^yt||Y(_!AJs#%x(*vg4cSDw;IMdh#Qb5VG* zJlT6lM{QkmcK;}N-tpDQ$YgfWjNMEq-*6OJ< z9?G>D4Yk(3daBI4=jXuW>`b_zYtNb?!X>^C$v*#%60=DrWmPw6NPT~S-L|Bl;IaB; z@X&PEH=(4055g2RVL}Oj1~qfCx2R2%TWpNl%~R314XYPg;3EnU){h^}+5eh!$fevd z1gn3ynQ7U9ob|~mrTBV!7%P$Qu95?S3mJBFP4$w&|NL)Oz2p0WEjK0qm9oIVk*c3%Y* z5TqrfrKLl6Gr8(%n6&ea+|jziS=u+I#Kyiyu6| zV><8q9{0G$IM3gyxy@(P_t9bhB=D81|EJ8T`}*wb^g_~+H1QuVNser5m!8xB>!~@~ zbIE6*|ir)a;y@tURkfE50{~E(N%)g$^9ILJr z6K%>Ee0wgDfvFCoLX#g6$@$-Hy!?AIrh%Hm77LOP8g7m7t4?+-+_#};+vg2NbHpK7 zdeo&N-8UcH17Xym+5`n$9YY?{B2Siwg}-!7dAh_#S`(bkIaO9VegGnw3u|_& zqd6Cq4Om}LZ&$sxFXgqx73r!-?Ewb(c$`1t?`R%DeZ3bEefafX%CK(?vNYpC;8l#~ zMOji+P9$=If{B2?06%{JhwVSWHo0<{<<$&q*-vBS-)G;4qwQN&WbMaW%$XQ{s=LZkoHMG`_9b|haxebi&9Ate_Gbq_2fYK9oZvb&F=kx}9}FV-%QReL74mi; z`8dN;Y6y}(hZn_Eb=^#+`h@!t*T4R!LAS}H_JtGPRu^&ke(62XSaH^qoy&2ggb-it zS4;`OKfbc+&;2!Zi(oL54UJ)*@^aYB0{_Aj0b;!{g9zcE+5tYjA%06F`qaY;c&I1+ zfymkmNg~--dQ=!%_cl*gI9+q(_kW3GjS)83W=8mR7y{ga69@~kQj8tA*lxf5K>kFu zaCTwy>Sv+jskmCBwfJJA_$Kd-US26$`)JFV01~8ZK|mtyHXJkNx^Sg}JtY%njBF1~ z!`D~)FI&pZ7j&_LJ1HC`Rr<$fj?&E$jlA#V*=(57Wg1<#Nx|%PtfQ_+rQA0Eo&Jl6 z*e%Q7;u|f0NB3u?48~XomD6HMi@LRN^djE3SkfB_qL1iVg=$ujFR+Hw^@-MV(KJv+ zQSBKtKrlv=9rT&}wJ>5hQAoQM@pzq>l)4!9;eGIsO>)=ziu0kS%MFq5B@)`2IpHOv z8ds%o77!7z_aUDtW-3)~TfkrMYY)ivp{}_r+_=lPO&zS`{*G{%c{mcgKe>UtQZnLt zd$QvS!zxI_J_QCH))W7QAk^x1(#u!QFaS(RulXrq+XBi^XL3#Dpl5z^thERIt%07f z0#st(`a7Q!iR6qG?>i=)bO$^Otp8gz{*Q(K#{u@`8(7XXE&>q&`uJf~Bmjc4M$;mB zTrI?K*_x}!6VmUm+4MWlV8yAv@EF)lFP{}L6_tH!0FeYbJU^&DU;#j{ zJGEAU-Ug4Akb4dKYTOs8TbHZ)>4pq8x@Rw)8=lEsvYF(2x4g8_56xzd~#U4v#1=v_%waY0K|E5sjvsP z>er$bZ!R>Nn_(#aDv2Ug-Yn@?xhxv6UGR@TN^isRhlT14idCU#=2Lqfmt2hor z&EB8M1*a^~B!|VC&8m2^h%Fbjg&pT6g@pRj%yb`9c`1@i6H;aYoLhG}yOcsw`FUih zbd9ez`nM8#|%&10efrg7Q}Vp|}B`?V&r zs~+Ecbg2&MG2qT}4C>tmFt=O^~iy< z146V#p?^{x;^PJ8p!rD?v=d&!Jz5x$K&;4ZpJ`N`f*pV*=VRE$L~tL5M+*Uy_0ZB zjaaJWY&m2ybQaUqOnjd7E%r!INTY*}7gKBvYzuZ@zD zMm5{M2wdsOYFQNC5ax)MLc^P4v?AK>YKmBC?X!zaN*j-Z4aTUgFcUF1{7+jGNomFl z{;ic}kfK+X{Ypma<8;nRUW_-A&Gg?`DAv+nbMTYKoypB|V!GfHi+VP;AYAtGGh2o( zq=Qu4BV8L4I`YZQ{?KU8xb0>IQnx=%p?|dKVJX`U%%uMtvh)8*ha}Q|L`OEg$>RL) z&w1;M8-jzh3-hMif@wrK&C!w<4&SNSv z>Er}33p`^^BvPtk;%$nqNh-_1m}FkIbRg$29WlEDV(C9+Jq;r=bh8m9^kx_-r$Ivk zDa!kEYnuAn%oXSadp+FSFAi68s381FfOa8_;}aPGJi694z^`;}ng_rJpW;F%-s!M3 zY|wFw8I7g!yt6zay&CBa${}Jlnr;H`8TXZaMDF1}U_X7L5~6;pOuYy&ehVOO<}amO z{!0m>n2VB=3|@Fbheh83VNw)L{84t3U|N2E!DvZiuXh9d0^T~ z%upierRT*a7>Vyk>z+Lf!6TC#mA(mXek^gUX-1Jf&ZIMAhR7IG*-QUAL3b3x9$Me zOF=%|A1QN^p{jic9y`S~q`--Ri(!`9 z=^*woessjx^u>!xi831h-@pxAY0LIo5|4;W1gn={JuYjMVz^8eqYV-GR+^kqnj7gj z$lomtJQ8W7FTN4#O&0pAz@j7!Mg)i~3IupF+ZnS2*TQ()D;8F3b6%aB!G6xR0J&}P zKE3Fbydw9eax7VwXNtZGY*5<^ps{R^c(Fy*YLGqd!B;VL%s7C@sr&(i$LY-fyfZx6 zX~z=X4QioGP@x5Npoac7OG%o7slkHV3UAXVc)bRZDfKB@eTriJA*Fn_Pz9B*XxBOC z(9577EdhZVT~*8a7fG2`e#xx;o62q`Zx?JgS8vC!rm#+A2PVXMSa*oO5nBHSJIFmJ z*h^r?O&;F(nVl66E0{IU$p<53w0;RqXwDnmSrt6X_X0PE&7Vblmz<8>ff6>=@a=>x zaGDez1srIm`e3#P-P#nEXtA6qZT9c2KWIDhsvX2`XW5K}#4zVZboSZb^4pyz#e_ z#{@|QCx8yFeH`2FAb|*QYE*hhjFk1tnYUnlv)yUxR_|9SW3blH%6K^pZ6&{u#BZs? zlWVGVUMc^i2(T)`uaGD45RQbF+#Z3~C!(&L!#m=xTifGJh?OFFgg1z}a0#?79X!%1 zc2o+L6<}#ey|m3N-J-dpyWKvo9jK4pFO?^B)-K2?IF3k_o%VN}CbGogFxGGWId}4b zv3x)WdBlG62E%^pZq>7F>lL!p@N2&j_`NG_QQgH#hM=(4L-9Aju5#ULKD(_xwYY>O-~LF1Pw* zQn?Bq@eOTXR;Earpt1*p{;=4#C;o`=6>*7ZXJEgVme1^C4mW$KS&PQ2g373_|29RA z059~>G{Zm}Lj{Q2sYRd%)*-|7etDai;{g($no?i#$AauF1h>97PIQ<>R+L9Iemdf( zNy4MH3;itJ=ZjpY@P-l@8%^aGzDu3jMtj)YaS@5uEIXfP3_hhQ0V3d3$TSm#|WsA_f1WlRuBGSsYwKK z7noo(Z+jkrP%{TnuwWFfW6k~`5sSPu2Wn};OJZRXnL?gd6DXses21fSdR%NC)@5U8 z;uJLGms6{q;~@xN_I(DE_+ZZyG;5*M_;8_%e`J!NeH1F6h++2vP@+KqXz6?Us31f2 z)q&rWIV0_bOJQuN>cl~2YS-T*09tWA{l)PfWa0?5>Q8TU-5`QP_7UqX#4?pUE25k+ zyam9@2Ju{sQVPPNxrVksf-3|8w@QNx+L_22OT(YBsib^Ss{ur;@+}OZIP715UMy@} zYj)+n%#w{zRv3;~fQ|0)3hc^KKvyM>nU)Z-nb!TvsyBe7`UZW5 z|O2O2gbGPqU4+xY5_lCMy<={x?+PQUL~GH6`#C;6PWDO}H34+q`i7=fBf z7cD2x)e@H1CP>z1x%gx2S!riQ7$(LKJbY?@!m>x#;02{`-$$LE$Eqv$wwc)M1MbA( z-e*3n;c#CO^z5bN*u4iP*^w!Tpv)6%T~&A8b3Ec0&I`1tl*q*$m)2z0aZX4o&k-n& zrx3je!L5T!lN5gA4pf!;Vu(Fi`h37z+F{iq%iU_>3LbBX5nn;qEkd|xTluL5dmT3Y z#sLHhn)~8J5}kA}aTL%<&q(kZkt!!eIYW7+Y>;V{Rt?yOD4-zgEsa}ZlJj?}$SIfz zu%&D;CW{uFT~!<@TivORk8vh|qkLZnt*4s>i{j|`I0Og}m5g%QC!mnUTAdpg$JFdG z{!j8IBfoSYO$^WA@A2Rc3y>$NB6TXSZ4Lty>sr7Ziy;II+s%-dzg@HPLY1#&(i3?sFRXL0?nEH$hGkeHn%;0_#vC2CYpfP)4a&@*2O2e;n8nO57q0~$g;?p^xE}UmS#P$j@4WQM z2O0649!)=6IJTpX(QKqgOZEwx=JwxjJ5+&_Enu#$jv+XFXb)(}KwFhI|8a`V^C*NR zn`!mgs*@{{eJi-(_9;ws5$RL)hukxVdTqWQSgmpvh|tO-BySuNIKWFnRC+Ezr242R zA#x7E5UrPCptRR_dhEYJWl=2icE4+i0U(B0ei2A8S5*S0I-)tKnb9gYpL+fcw1T5C zrrWqwwF*FMu*v?$3nApW!u~fhzw`4;mQbS6sA4)l<)ISZTqI?Kh7wA6MGF;uQflNn zc@)VzYo|hj|JkeD9TgQ*=uoT%2>snMm6QyF?h)ib1k~op3y=g0*-AkaQ+5^x>RC339o6#tUjZn`)TF@($CqW|(I06zCSY;(y0nnx^3T zf6u)8!9@-|9Z3^Qa<%|u8C#3=OY$q{W)w~dUndi}RENey3D~H0O12{i;5)X!yf?yT zl?qy_w7J0?>(fS6n-Z!63}G@i%(eyq@iPn2;>mcsZ|c*H;LSvf#x_iU;g{zBEH6js z6&Y}P_Aeskc}UWMf4(K)8z+3-8k( zVI&*!F6~#iXbI1-vB|)3;kX$y#C_y@*h1vm{idwwaWW0%Wvp}D#V~b3{2JD%0Q>@k z|BYOn8Px*Rpe1oB44{hqq+Hz8{V|y|Z|lHxl&eB*s~aLDapNP>!5cK#ks_w>ty#k? zq>e3d#W?({M?W6C-#c34DsK$-^F%f~>Mp8+4vC*`C6RN7=va9dob)L|`seQi@9Fut z`RTw2L+(SruDb=x&o^#6m&Bn0W@JKr%|E+Mk?WMzz-nvYB6mBczhh!hMIBLy{k7{M z#7nLd_U>#uoY*Am@*_z)dQh(C)vgx2E|Ndc9wo4iqWE)&3IO5lhKw{>bU8s$10vH>MotMK(yCZC$BL8-cLUiYoq^G z%w>s-Lgp0dB4Ho|hGz?4)We{E17RPq6fcT3pHk2>C6kttD_M0}gs^YDQu=~>!Mq*g8~n87hh1PtpUtvQaxL=X7jaY zQQEAH+hpQxCtc3?ya3eu&tD3lWsn(`or&cMKRX_Fwqmb3nhBt9M(bYDypW?&j(cqW z|7$`fLK5~B`>>u(4rf;k{*N?z1JzLIpR8Rr36bvgNoV@`3e?vij%-)hrWzcM<6w-Q z2pSzr>*iSDsSm=+kiMV4kW`xvR>KvB92#a^c5g}m!&R4B>SpKhThzR}%Wl!GZ$~z~ zi(j$?fssRa3#Eg?HRQbRq0`aB|CQ>9XzR~(ByCU_DA+m5g zQI_7c$Rqk&7t5E}p=rLuR0JY`^LL=xgTrW!OV~aNv@!8wRYQKi?bb#JIPCY@I-Ee?faOKnvL&se_X+NaUgZhjR`8^Mfc%K4A ze%MR27*9ey@9J9s;djZxH7V5H~ei>7?Q${>L`0CJk3vd3Ty*wNRnsctvF@@www5-4^dTtacRRD}&6 zmp{8f<$b6R7)W*H?1K|-->^{w*gok2@gAH8M{dcQLeu2*~?8kfUuAC@gN+P3dA|-sxq1eBZbmU=Nup_ zP|zzOybdP1Q>x_%pL_{;nM(Vw#j9$cb-dOT{4Ha|FXeM!I8fOCB@gz*m48L856>|L zh}%0*2NIW+MP*?9xo66LM=Z%q!xZ^D<5zZrL09<*wi8}zMF9o$B`J#K%dQaC`W}w7 zFf=!D)nuSLZUkV^ndxJ&Obn%MZ+J!~P~}I;W2^s~_bU&U+IJSc@M$ScCpoc^i)wkB z=x)Yi75Z$gjR-mFM=38!Iqjy60yOD1c5+47EUI_BaO5;q`u`?M7%<{RTyFjP#VoId zr?sFwnTV_yCCdouqbnOV%1xpkGkRB7DhOtygEo_A&RZ4=2Fm4w*tx@2)$>3Eb(JQ_I)1P3rP+GmbS~+&UXGnrH*^+ zFC?GpWh~V2cyl=Z77%UYX3wK+gOkzRn9-V1pfg6%9U7%2BmYjw`+*T;$B-@}BsYKd z>z`ukmKrW_0l7}ftW__rBj}8RC+?S?V2;oZzML!7|A3|7tx~#)_hE`;^N6T67bu2@ z>~nff@Qt`%gPyj!kzMWlwW~cwtox-k-0+xPsVHpw^*4}^aGeov+M*uk)pOxQGMKas zQdn;ux<(r|>rnW9yEaUiT7H`?6xHstRyX;ulf{|rO}#?jF-(cX{v7?&g2v9MQ5xD3 z**+=eYp{@XXJgzZswRIqt<_CK>a#XuEis=r_6kKjZy-w>4xa&))1TjzD%X^h4kf8F zu4to;5RjOd70=+rYg|Gdu87LnP1ihb(6)+UQ2|7-a4d1$ zzcCSR54}NoEcVlQu!4(fFrDxsn$nPR$oK@PXy%Lu#EDXf5UzCqH0k&&z zPi}`To)*t?a2eVckkpZ8h|EmlYtI&q$g1wNdyw@`xeNnz6d~7Oi>~9E)#5v{s<}b9 zia~{goghxBA$z*a@kH9y6vu4Y&_p2=dmnJyT|kDl7QrLfcUi+YSNLfz;c=XLa6!yV zZ0^n;iF_C$nnH15#Ei7)HD+Ypr4Hu?7o97obgbJ%0m3$c1K9w%PpM zC7#3!U#>nGl~&S_NHBYZgv%0{)ZzOKN#GA+RBE!Q&>&v@qj%&>6lZNarl9G5tWOxv zEW-=BCtpB%iR}3sJiTGBci$fq>ax3k4oB!|v!Shm3FJrV=d(zxf8jThM#~P zJSzY=*r%bQNJ4oipQDk~Q^8jvIF!Axw9FmwiIVf=G}1hCkZMHY2e#vXMW~@ya-5OsW+#4N#rP|SfA$+ z(%z3qmN@LbMa=kJ()9<=(p^?~;fo+#Azj+9B;$<9Rm}6p2?C?MyegkxL9y-6nbG~# zEi0Ig`(5efae{)u$Wm@|z$xZ&1A^sk55EN3D&bZc4Y`;C6-1s7BCEn-9eK4UtehYhB@JfV%8 zm#CF(Aq{_SQ7IGlVl8NMrWUi;J_?)8M84o)Nrv|p5ooeAN4(9yV$>rdY2>+wB6{gf zvBPoy5>B%63}-YHv#s_W`o3FblPBE;<95U%5k@bUNl(HsMTNb#RD^eD@!)ICnQx}= zYU+RvF9s2tpcCz1@=d>MepyT*_y&Cp7J``HelALs%qEX7IFK+N^%aTOr-r05K{Mq! zkP5af?3wSON&i;!5jPGS+W)PRPu<#n2Z~>N=gN{AMU|L;dSdpyg04MA z2=V&I?Q@6`c}G`!q?V;HM@KHAkk7H}oi~sofyDYkrfb4*3z{cgJZ9~~ca$QV=0=OM zz7X(#%s7e@@XNzk{F|)WCG$cw}7PqP@TsM;C?pSXyeVCK zBB_om50liiG8%g?ldgP~b4p60D{gjb^Yu#w+oh5l;0_+HVb8b9Y}>ueues ziTt!v&v0jaO)BB#3k@Vmw^e^(Ocv|JiNXVBFw+(r{a7;Mo%yA*Lhol znkFH<7=u*U`0eBv8(JSMXkqJR_TIpU!bF%pZ(73cTPyb-)mfAhcU1%t&gW<%Mn$vbz$+?d zjQ#uztI%xG47QO+QQ$0}1N(~YPQe?>*8T_0FjGbEk2~)Wpv-DrtbP{C8&s90^!VP4 zZG~VG68I?a3|b!32fCP=pd>?n0UHP(YsUH^oCW<% z&$x}{zgs1VYT;{V28LA5r)*Zo%f#@hWl^(Y3Cp7x?Sb0_)=POuh z$fqqr^8cljI8!i)3UH6vKNTce?e|y!+p3K;;2cDeXTDNO?h_|bJAiy(ZP?`$r88!w zrOBGSOR7~F!TeP5o@dob!tGfincJ7e%dm2?TN*dD+Mo(Da_oT}kzIG#wSI%vjdobo zAsFgk*CpH3_ts2to>M;P3bcB;5@DN%mFE@v%*F6Q6otvdE{4mzrs0)&Z3(q;iqU8C zKCxU~;*q3(mEC1u40D-@e0O5MFW`;s9DUcx0;b%uf7zcOBRy1XMuSH1M}XN|_X5~V zvRK=Hugd*GFMa2?wb^+^z25t)sJ!b1+slEIvb!VU{#IZ#~>Y9F(LM|BW-l9v)#X+!yE&Rw>vx~lH%oF6! zouP;svt?naS|*9*CR<_@tfvPbH^_%3W|{nX;QlJGFM(v72gk4uxR(fN+2G956#cqU zbUYcNV*yXt<6Bcu%`lBTgI?n*y~C#~30_bt^lfzOwS}P1b4enN$X5P|$tGF;l)$CaQ(?+{=Bt7kR9R@L4JXg4)G#^p7z8{Ppjj|%p z(~0WaRk^IPL}^B+S#wf6djZ+;Gbm6uNkJ7s`r8Lx#>VUf@XoKH9+?IylWmHndb%yf6ds4-4U`@f zk(vK-!K+WiR6jWXf#UR{?`N!PA4iALjYS5O9~dWvTj}>NeLDO_F%%kDlrE&rno*Ff zSz@U%EEwYfBrVl*e8T-WRun!4-m9H>5uY4h%kxTQU@v`^^pI09&i1H+WQ5aEfMNXb zJBeXxQ?qQX3msrtrV<-ZM(z~u1pKW|e+)Sl;+4QfCHJ3m07wYS3<~RP($V7imibd$ zirM$usvq5(QH!XGoP{>`z}xob5ZMHN^2EqzC_597MS(obctIy_XlI@&jR=#tlL`9OK*~dWRKPPWR{&))|)A|Ws=%W2M%NmPj+=p z4g?(Caw^AOG`JQgdl`Ljx4#Q?Ef7FbEg2_43#b@Hhc{-M8`mQ|gY3XF7#oBl+Eg2- z$+M?<^9+dNo)V-s#vl~Pe3C67Q=^^Tq^05gl*y504c+OQ#tw!+>U`ddnu}=G_9V2E zC*XBuab7oo*4r4#r}mMuFLO}!{I%is*#wiA5;`b7i3tYLb+VJ4Tlec} z?l!lDEu|(dF~;GZ-yUh&$&F0mODFev<}rlF4pF`_!&KdMt|bSDcRZlA(mP|rxOm9)$ zA52n|(UO7_#5D7_hXDlJKIpHXgeoz@QhN+XHPya*!85?b9YW4gDkkjrMtwKFysoFR z;rFB~IP_17f4QwGy!|N>`*Wc+dU`t}#!!nE68*Z_E;XW~yx9q)*H&*X6&&ZUt)TQq z1fh{Ag|f{M&TcIaPOIacqRCe`QctxGclFnRp@T)`s1%&}&HpTw6X7Zw(b@ganV~88 z0lk&@b{R+suTpwRUylH>BS8E8wA7X?H7%34=hB&38hq3%+Ml1S0QLS;dGw3@7Fy5V* z0d2)hz%ga$P@j8OYOLDZl{vy{eXr0_l{GgkFpo@eG(`Q3m7d_9l@|FS3+Go zar6w80T_^>AtDBoqG~Ke1w>Dqe6i&92g;-ZyuC?Dp38(1Wuz)Dn7n2CmO<-3?J7a> zWiun7I`&rrtkh$TDXmIeR0qWOoDL~mfHaHZcCngNE071&9NM-0;&vS@i0L=8oDu-; z-2|SIfXzxDK_D+EDo}bRY~+8&zH8vr2w%|F0~W(AzLR~9H!Pf!G{vzLJq%8BIR3Ia z3fCCDDq|8!lyl#lPC@wl@gB)-xm-gvgQh`rCYIcc$W$@C5%DD7)9Qj!0Zb@Gh-{5} zhQYS5l(DNsUAEr3LSlqG07^i#r(oKA%el9H^;Di}r_#7uU!EQHUK6<5BEkgX^_&xJ z&8Y+m6$kTL^p^7-q|INpP}Vnrq!qH{yf){+X6o@7C*3NgP!j}yet^Ft00pvxMZ}dR z5nx4c6^_09;fN%zg*^=Jdika;lF33IAe<#>S4>JcsMszs`$FXk8{-dG;a4S0`Nt{i*})0j!3~Ve`QqHh{J{CZ^I!v6@GRA(nd@Y5esQtVb+2VV+3lku zL1vygL>NmYft_mTuNkyQm*N!CDa_VzBvrbVCVS`knZ%XMataeBTnedT1BqtkMj>z? zk*1AEn7L=of*lOkrbUN!VyYgpGb?6sTVA@TJ`9~?^SoWUjTOfqVp475#hs|s#lLuZ ze{&cBonr{NUCDN9-w0}9X%SvBH-7x-rx(_J%$CFs%I!M1!J#oJ*+flk|qdHgp*mXplaX})(qcs;C+D~rp5T8eMRv&_z< zQ4x7!)^F4APz5~FM;rs;^b0F^&xJ1#sWPp*hgVs|s=A_Xo^KCrFK^Qf+wV!8V_FH57Xy^QT>Bfq_(dtV>(t*lJz)2Ee ziQvpo_6MHe9qz_IUshCwN-r^wO2oYyW=r$E;@4~q=8muByryjf{BIp)R+ikjS>E?r zLaiHWh1KCQMmk^ z@Ol)>oHg!VSa02=wZcjd%SS|{j~p9>GQY$f=}lCdc8i_hJ%_d?HM7%123^!3Q=KkM(`8yZDf-bpvRC7!-*J64ntm`Te>P#jJHM~7a~O|)fpXWV zOI-54G8ZcPVTrvrcyVaTy#byXXLrPs#U8Zmg0aLy_kt~Sqb@(}tYH^y47rxB+2F2< z2Mu)FczEwG$HwZqw_Orgom3#(!e1`dtnPSBDee-r57IlB9^cM~ZL6in?z^8}@ps>v z-HOOs%U|fn6xmErbROv5T3@yoit65&$2Z1>)s!r{OuAD91veksfn2WhepXy4V|KW$ zKns>a)!v~KnIKeLEpwS-$0>aSeaE%Ui{L4R=$;DCtq_5a;_`?%jfyw&PEydxsPMGs0e4=9ZWBt&p z!fsf27rNRg^xX(g7T-Pk4%c#XRND-lQj#f5>pbte9X`Jf41m^N=NEaFe5sZLezrf; zOowEWN*#bud~Rru#!Y0D6aJ?DJWt{Ks~2I6s-)ESvqu59&-_aBq&7Z%fqDshrFq>S z)npm9*tFcgsZMDL*C{Eps%o+mT=~`gi)muYj;uM|AfSY!rA3W`@L)ss-cjJgeV*uT zfq~M1od&e=0C$nX%jeD^X+NF!&fS=()y=n%!Eo2s=WMEWf8`GmCigNKi>#s1Gf zyq9U;ZU@-*&!+dWvKTZAeeYBl;Dnp~3>MK=LHtIrni%YFQ8cqQ^}_kyV$<9v$%+%( zFz?d-Lc~)oEYdc9%VqUR3Q`uegzOqZBP=j$jnf|QU1+hY3sA|Jnh9;L;#-Gbx|FT<> zI00iG;@gT3*Lk+WAs0s4HTpa)`}1{UX@ZE3$%+e6b&|oAkUHP%XmH-+1c8Z(BR@s* zf56*YQl4FJV%6T-MvqY#FbUa@WJ<4tbxwJ=Dis7_xa2>dHo>~2>$HOwgqpXPPh`PB zw4ZfTRjE#m4Zx>_%Zit5?9J88VOj6AZ+ja25XBhgEiT;jP$7V4m`#=%*gBbkTD zY3Z09G>fZInMgyQ4{a2s)UQ{#lx$|px5U!mLH5h)q{WGOjIguu)1m=D1%H680*dR zDc=4qy!%8ugCg5Dr$KShyre;4M+)#LU!ssAc90_-HwJ&*n-37E?^D$|4^`rC7m36} ztTr*cpF3mzas5{Hz^j7Cf1`k6lwx*kafwh^v|+=*wcZ?db2pFQd6t!)^>HZ8TIBXr zea?2c1?sI;M*2<_n_E|8x%(nZ(XG6h;PI5>H&4t7_Xloi zG0=Ecz1^Ygg7K(*PSq5Ev!_~wZ&O2VqM?yOi*Bw;V?&DYx-CRn=xv)%W8Bb?hachA zi#`?6=W8bl_y=L1yt2N;F%`N?dxmS##cAG`r01PFeusmnw(x$0V)qgnxoD6q>eUSG zni7^6%HQ9Ze^bR&DiBgZG3;1>mroTRylAd&ut%Z(%j;}=;^ShY>$y4hZBfZ}zNhmz zh5c$?w)^d-XQug^)R6rqe7}aDf8hM@yh8Q0X$u_{>FPgL8NB+F%v*CHpLZ=HM@Kp; z?5X;TQD=7PK!sIg=z5Q>q+L}nuK+G}))+l?UUBB~-t||*kCTucE;DiA;|6{FgQzu^ zWSc97MIUDftvk!ErLd|F=TReR=K(S9FRihx%R1p;bK=`O$rk$IYm}|KG?}4dHv@%( z(j6B|c+(rtMYf1-SFWdXrrqJLsHPHPLqu*Zi%sUG>E)+fO`atz!Rac&;JuURnHDmt zo$fMBXufs9TmArTh zWtBDfqA`ryS*f70;gu^&O+F;oqUbzTEV5BB6t``jrEzfW=Nh(E_x>Pf)1_wLF&^IN z+&Dz+fAPA|1iz$)FVsZ+Fe`xx>d|_^p7c8FazKHbC4=C<7h`WLykU1ie8gXR&l3zE zSZd(j{wcig6#fwYRfG}$2llYm1MYX?54=NB@nyseWM1fFyqaL^I}1R51=$`iU-}s2 ztmtJ|YFnp1Lh*NpKm9A%U7qOI@MFpClHwr!GjBcUS6S(~36v__?|JE-vzy7L znzO$w&AF8s`H|p1DhJI7=?d&bZlhl0*gekN%z9eWNo#AVx`4cyuDDp&PEP&x0aB;x zUyy3V0e>$~HAE)pJTRjdy4{46w&rk-|6>W268r?JX_J`75YzjXEdKf5`QfT1Lh3SS z^N*i_u2j)*)uCI~Ey z2rEo$)EU49|EO4zSmW2`Y1#_gUD*9y4Y7bz{w-;ph>G$*FG2=4Z{4d~i4nySr2l>) z9-?6nce^4!(rUAqCo;Tm{f@N~<=+p9ANKX`&=52`&MWYBVdyaRVhz)FvbP>zI>A2p zPDZ#BieE$Erq83ofR3(Ot%Ihx!r zFuN9hH$$%nB(a27W%eNI2}>Tchu~6J0j?!()zV%KjOT1;3Jd&Hu2S*9*nf1k1VO0;FJVbty zt%vm-d@0UPhqX*M?0cntI;p(nOIPTRW8o?flK9D0cp>Ak_udA)FYLYI{;+xYJ$-I0 zv3t@W(oYS33myE{#Zd-?R+h4G<9jsqyG!>MK-c%(yf1%|n(2nRlR&ZJYjc(IR6=lb zc1X0Yn8EVueF^u~=+VZuOU|nt#rW_Rv0(M9Ixd1&g%>bPflbO2fC}z@r~j1$x|Q5a z6cMdUS!nLJs$;~8gi86A^Ks_3NmgN=Df#2`7Y`pPME{N^v#h?EPvpFbKq z&A57uPSD|-&rrJsh;Ps0jKJ-Md+4)q+S*sM=*Ei@Xmhh!`X7R=UDClC=cR zr3v-$E3xuY96*Z|iZAL7u78prI^pbFk;i^v#9VaKy$HRXjkaak17u>nz|4p~?UnrL zr&18Cp3b}XUimfFbJbP%Tl$Ki3@kH=8K`awl;^CfplO?1m>Vs$@4T!4KfU=-nb+B!vO>H-?K+5^_>0K~HuDpqpi zNo6i(!2m8d;%WQue{{b2F@8s(@anqC9DFrz%kYl%t@ZCV30DDIc=%oVWtai=V!fXay#4Q7j-}1P56$_eYBozo0Rn0vg=K{ zkZVO9NOUvK{be!MrSbFKpP~=HUacpMN~8)vI6(-@mnh#fMyt0*z9pa1oxKN+ zS9Ex4_x&0B`Hjc_8OgeeaV^nP-)pRzka`qg-Vw|-?hLlUE%jr-)}+u3RAP-v4&Ejg zyVrfGLg5VVcx(m&q^FjnytX^HzRQQQgy2NqR;gRg*EECnZ@sEeLp+H^^L56f`JiC3 z3jb3uIrtw>hmm4`xmt_=lPMh%DiZUyKrMNi!%xMygvCn_cEIeX)vX!naLLkp(; zQ5j^Y*{t9rkZ1}Q)TGejfY;Cc)5bga&bhf}*j8l`u;MDb8$)0S&rhllKzv5cLXCGd z-@B;5MWdCcjQ4DL8y${*9sJ)eq3KUCz%i-#Wl@EWICM}-d%w1voTmM$RZ8v>wl$X5 z{f7Prn?Lm#4ia3g##sIlc2CiRhtR~cKR?fHTW%*eeQ=qyN(L-d9f5Q#Nx#W$t&S8O zKl}j&K5N2BC^6T-*N4c*x^?0{Pu2mKfEzSN5e>Vw_A3J*19o}vgx+~)@(;poDov1< ze;5ifB9g#daKiT8{1TO<|McHhPP4v_)S-@LYV3W{`Lr+!(Z$V_9Q;%<4XDP*o_O!H z1OCMW_(rsSNm=|q_hlUw_JljNQ2$!jQSSGD@6^>y#QO@|&vm2g|M~il$lsTc8q5a$ z^G%4=gGY=hdk%9l;yEh#vcEQKQ*>eXJonCrPv>v;Ym5w9Adz z2gQuNLDx^5dZ3=C{2K9An5(v~MAs_OovE^#89m)!n7bSMQc+>t`IO6kS&GYgmOINf z%`pemyj)<}&s9kmSznD&;Q`gvxiWYcvObXbvCS9lk>0sr2(* zac~jTs@CqY)1ZOdR?bJz5}%V;C-Yc;ZvSwmz~~0Pq5Mo(%<{sw{QZZgL!JK*d+!+) z<<@Npi;6%YqEd(w1S3&`ARrkOktA7iPy{4{1VJ*0NJb^+oO6~`0s=}FB!dV@&N)M` zN8fwizPC?*x5sJye)XR-7@T2I_0--g%r)m+yF8B;e?FdPkb5@o*#tL5X+IE$g9<0> z(=C_OXvJs77>l$@8Hxn87s);|y!mQet%bzMxjW+Gin_a=DcwF_@Xh6@{lbI*Q8HCP z#!;E|JejU{8GeOiSjSPCS|c^?_cYTpWOFolEx;+_oa2?=%Sb>H$UE~XX_yI3W@(MY zvVZr^p9Hav?mSzH{qh9)LaxG>gM0N|!pk)s*^sg`0#w9UHQTZ>bbC71^Zhy-bA8%$ zaA&s2^t^G=E+01L2PFIQbtJb}#_=oG_jfl3V)@;#2GhzVe^^J?d)aL++}eqKe-u|d zh)&^r#1k@Hs(@DlXa{-H2)!=!@%S>FcK#ISmdn3R2>Pu6g!&~0#rrruEx#hD^ik~i z7aFuKmhQz($Rn}+`ACGg1&nZiJ(9~vu#S8E+^q#E&6H_>U4CWHy9xjPgkF_Mc#i9( z#I-*CpFjCc_~iL>&h6yz$zzWk-6oi#S9Lbd6}$fd`-%H?)}LWOS_m608~i|88Ba&M z#6pS6i&+eNNFh!38Z{bC6-sa1f+tPtDewxZ7H#y6yLiBpZHYqgkN!P;NzYqMk*Y*N8)2t1Q&UFvw5xOdf5yfDIlNn`_XJlIvaw_ zUl;p7#kv2Sw0?aj|KNAu;V)a9)vq`k5Om^V#^s++;ZOZX`LZ;Zc)uX)zrXB1^An9M zoD{FX7+>U+{o^O|-~Zbu-jF%^o?U&4^C$lb9I7`c=)n^AjL84fh4^<+_)R}isls7s z3ce!9{b#v#F1=YUE&5fURYEkD`c-tND< z@&D|1pUxp6aQuGzslP(YA2|^&mx-xjbM9~VasJ_hU5tCWJ>-UntMxyKT>t(3{P&BZ z)8M8GH@4OP%H4k*#NU0+^M&DH8{IxzcF14!D6-d`)j+ zDgN9g{rSqmbZ}GOtQ464;e%~-hANgx)$jQHA3FlSjuefoOTKWK74rRTpF;?MRXvZ~ zN9mbumcEacTg+YfQ};^x6B3DTaz@;VjXipNl~_L8CTFr0-*v}p(_HsgE&IFAJd`PB zNE<+|SL`bA?RR_P{AvQ_erh{mPqun_^Vc-Fd247zbY5&O zsK>7A&G#1}EnRW68zEnBA-qca<~2Do32Wc^Va%{Z1bfTeKuMcPm3RnavfBG+f^uFv z=aFHo?&?H~;DFaCIX?6G`{G)FE>&0NJsWSl*LE@chtI?%eGoLf0-~g_CML{acCuCrOe1+Q3Qy)&K4<4efhrr(mkACKcTeIJpIc|C zTJKhM+x?K>&lle5aK~9q2$)3s(=m=+gbRV7R1-JXWHAM>wx6XQ4{;k3`vw zhc^!+#{9hZ@i;SzW}{b3d{Ja)E1{a zs(q#0$w+!OOQ0qERtp>-N_jC{Re@@OOQ=Y*8oX*-CBW;12A@rE)ZGfU)h>nt%NBnN z%K;FC&vw|sfB&KX*?W(5M$*)2zpkH;Dql0!e5}52_`XVLu|U{O9SHzxIDM~O@C#O!5f0r{hjG%@_-3j1H(e%ocFa&{)7ift2J`UxSJIe++8Y1abE z58bM*QGB`g&vfK4jt-pw@Er>l*Qo(mt9i7}8?=1(+H?;ypOUg0Jw;-dT$$yx{6mfy zr-S##4PM0bb1TTG{|g4L;vfwVorcWr=KO%3UeFEI?m#*PIwd1Ox^yR7qpT|+z!v)f zQjA2>P@SgWuq%F?HI}p8H!kVw1-*YQAs-BlOfLPbYMTA z+s9$t{}q@MpEYldEB=#2Pg*v?ydq%P5&+`02!erwfQ99P zfvw`;`^Ea&oU&IyU!atDP;6h;W0U*l^$AN})1k6k$@^s!nB4{La%^|*G$t{5OWx-2 zTTL6vGb!O5rY7*jgO|wPRJPtBz7dnD*&5# ze!S5gF00R?`7XP)+C9POrKT*PvUnF?!?)by{buy zU4Jzz`kaTq&6CS#D<8 zu_VN5w_(J60Ls38Dh!g0GBqmuA9UuAIPB}tflbRNi=1z5ln6;Jj%7Q(IOto392O$R( z1s3mIdjQ4{Lssl|$7$Uoc7I%lFD#yNF)9ZpE2v^_i-~5cr{a(9Kn5&cwak`?;Tw_& zWv(6sA2OUR!#J3o_OIR`Uzwy++-f^U$fI@9_Q#uJ-KJgXLGKsJW_@ZpvMV=K${S(H zdow(vnTP&s3O)6Z*|puy)Dq8bsat*#wjOZ&)Pp(PH(f0s-e**@hif|l@()yf?J-2T zz74KpL=uj`GByfOW*+fyvCJ{YWYc&cS$2S9%W9@#u{SRvip^$8Yj(1&C)aNoB-#20 zDz?F(ratpTloj&B$9c-6;83Nj**Kxb{WFjjGLzm&?g=ezpv6bJ#=~dtV)# zA(ItzG)!cdpa#hahs4ykjCfIPR6idy_t@SYKD@{l<`i0PYjeuCvGGb9q9F7jY{ZEV{iS}cW9-X@BE#JS3H#tO(q zDgl#su^pmqMm?*OiH0HukM`f&-IyOrb?`g2NrY|7hfDW6i-!-Wzn9 zkKQd3=tqH7Im7U5Qb7$6+k9NzM%`D_G~D}XW9c-gA}~WpX@)54UY&uQ&>BO0lK!NW zAP35&ALHc2JVd~tR@xp3dl~R*w+ka@_`r{#8IA*CiON#?5~k>@BgQjx>oGK153K0bWJh9WOl5CCb>oRgv%geJNT_55T?)&H zy~+pdz#aS?7_%l*%4@}n_0oMi*j~TO%fLN^|F)0zqr&F(`8)CPyDwc)L__Z^2?)tK z+iA8K)hs3VM@cZbSYFH7P9+uDpN9`NO4xC~N?PPpCG6C}W1B?23cnpXY_EEH?{hcu zUE)y>y%jBUIvgZ-f9xc{wLWkbCVu?lV0)7K}b6_O~C%e7gm&}+mhLW!{Q<=5%y@j4!oDg=x zcVc%g+Cdtb4{rvlT;0)UN5#N>%lJdb&uXP2WnY#m%1g);VP~0CEZ-|BCBVqq#Lz>9 zo%_fP|}0^Re`povs`SXm49OlEi&$9MsHRTz=-yx!I+WT0-1Z z*{2Du#_rExm7$&W`yLIu8@iRLBG5xW1_j0$`HWQsK{c*n%WOy3_gl=XBG4ckr_+yt z7B}q9soNhlJQ!`HMl{ME-eOX-%-&)|Q8K`h&sBo@OIqgDiLa(Xv~u+qH4j5+*ks4S zAkx2FM=xPkuE!SPBdk;5_YCvwuXRo!gx^ZXv4>~FQ^%gQ-0C?lXO%TIs6SLzB;y>P zy}dlvFtFYKDpQawlZ8{na&fUU#lLdmG2PDaYbPdY{zQu`*(5Pt zAbzl5silixsg*r1i?_J9A2RG;zAFk`qxnh|!OXITvfWJ89w!B}gqrQaDnkw6#5dzn zM{4aJFA}a=sOVw+jHLF(I!E5LlOppWjqC|(_u5#wnAE-$yz(=JGNJ_p&W5$O)Q2zS zAeF>Lkwayn*?U%$p6Su4yUS17A!I_5yR zZ?5`-zaf<}6QrA2srY ztpGGYX|hU2wv}RjL0=Wx5}+kfpm@xMUBn%6J(KB~B?KiI6Yn>jBx7&Rdb`+@kyF(l z3GySHm$C@mC{_H@eHh)}LglP@yS5G%6SpQXU*^9nIr7SpN)D>QW~7cumrpw@&uTFt zVF3kDJ-M5f?%iWtj;-Pf=>(`(&&FW|L(y*B616)^I^qw<{xu6KOB0r{h^M3YOch!x zg-_2kE8ZW5y#t0Cj@#o}DitmeA{C#<>qC}e18PulwTj6FcdP9YF4Xz8V>@WI4RG2m zt&_w!?j!!&+OG4K#`J~l?#kHsBAl^Q%-D4AJF?ZeEx;5p0zk0$qU@2d{lx_T=rEcy z`G_cXV_NFGV?bc5IQBDlZ+vpgPU3sxV(6aI40^eoe(HU>`-%8wo$DF1JUQ{XSKS?V z9!bxbwsOs8e&3oQmtoeR6OQxDrdhM>NEBt6e6aYfvPC~7N_V#B8A>AJmf^#i(}Id2 zb_)03W$O?}IjIa2;wlWEWkf1Lo3{kdEs5lYI7;l3HLS9B#=(Js6gCqh^N8Bcbp-0B{&sHuNGVo-?gdT@FfYPx66Vb{AG=5P zWPFC==9BvpQ|}@)@*WGbnhbKvm0KHwDb1h_0F5nc)17X%sPvWEZMFnZOiY07o^RR} zr4grNGF?R39DSu5qLb=?UumB+94OA>ePt3)c`8jG*j3L8eEfz103j#JO%6kSZ>F!f znVRT)Y^=eb&^6z3{$=g9e3p=RHs)X_bg2}86!zZuqqTdpt^61_cgOQfISnR5Wp(6D zG}-1(s(oyOv4Y3!$Q`Z}fI@JD zPR;^UX^cjVd*Sz3jyZCsMikpDKSnTQ4g>VegzL#$GI37A>NO4@fwM_U)H>PEVfI~s z`=pDN3 zInv6!Tuoyf(%uKij090%?0x6OHla&wcMsBcaG%it^L=(7xv}L&;K}+hsD0U|B5zHx z<V6HdkGi-VX*hFb3fBS z#4EKuDJi%sh^hAzN&uYyoRF>mqbggcYP}2tJ0zt>yuZ(|jWI z{3hVjCz_1<^6Q!-IGD~W9(gC^IvRw)0@pt=e!Dp>A@}_qJ&C&In>2-tU@~7@1*H%t zV_F+Y7d1LA#$zW=;s(du)bZ*o(34`$#)`r?3bZThMG-gq&yW(*HRoetN4OsoRwp8+ z8*hZSJE#?%Cb&okluIS4z}arg`?YwIUi<$F#JXEpI>&^-^$VV(w`IBj*W~E+5^~*-HQ>;O^kve1f`MMTFNh|Z zP))t!H*$*31GDx5L?;gQz)js)|B^m ztvf{4jSjp(^$)n**9QsbH6c_RO~tBKW3RrH+;e6q$+S~w5AJ{GnGX>(R>ghl zDtEm~F4Q*FE8Zkbr;eW8x44#5Y(3R}DfJ4^X$9Vq7w>$j@hMi1m7xpA8-W`-eq!Db z;K|4J`)8v3sUyu?`DybXVQ1Y?FJnuUauAE373-|s-GQ(5#O%(9DQax>*id1>QEqja zfC(TN&)t*UvS*ySbx}T4=a>k&`Q4gxw51)yhvep+XDcr{?Jctupr555sRMld0(SO$ z=ez5VviUpT2gW=b^`t)GjjZ&l&ZS&Q)B*7NZ1bvrIe#Xfn1hTANsmW5McL$4*7x8^ z+X8#DO%G|0-_p?U&3#ny*;=J5T|s*SIu?3ewFY3;YD}zkN)Z~NBdIm9OKH`X0V!g2 zjL@cg&Ds$w=*B5`$ejjnpt=I86~6NuIsEIwBi1}<|oe15nUKwv1N~gu>)-a9xrsTy&i>?`sdbPSdNdg(;y+>8qrK^|Hckj!uZ%w}G zCsp8&p0lNs+t*5-v1(w>>7j`xDkA8ccAWKcwc3x*oeX2uJMj+9IU^R>hLin327k{`DHjY$@FHU`m?JddU{QiPMp z;~(R5Q>F@d*r5hM@AnE_uDCb2ojQ&n@#w~JziMc69&87LfDf&iGwuXD!_sjqQ!L;*2@Hmm4f!6KBw!d7-D3 zFu}WA;3CoU#cvc0h^caK?AwP~D%hQSE^xTRza)r65J~ZT@d1dOW-o>6nhbL%$Y3cs zdTF|h=lYA97?IsV*cmVHEV^F!CXj#nwrQR{;ZF4fM`!7HuNo|wh2BzWj;!YZAW*9e zJs|9X)tLZLMA;J1Q?X#`2&+WLx2|!;tdtKetvE8v*=W#>E!bN&(cyjynv8McD|KWy z?tcQ_rMEbm)*u(0?-mH`v5}}#z9|brj!&wx$r2aH>Ysz}P1xPZfSM36_#`C@M0V(n zmlMpC5Ub2If+lzVJJh2?S39d5>^c)giN>byxJfLG9~y+~=nKgXo>J^%+oIOXyC z2Au}a%dSOLt-}oZCWuMNY-8X zNQv*08g>*q%fC2>C|Qq zU*rU|9GtPF*eVp3?Sd1~+45*<2vTod;!eL4r?8EeJ<}fNHe?C$)b+a2K=F<957=@Y z_jm3Vbc8RIXhTzH+fB?@4<%FaERB{CytuVZgCB+HtmrvXA_ZPiveV(p(4V&lR*1l` zmXsmTYXC-`uHy;hxSFb{+)NNMH%4%RtmSbqFTh7F&`-~^MTMX&J8$m-26m$9mQimz zx!qh|b?J$k`TLus{%IBG{b}wReE;AwvA5dB5o5pNIp6j*tsa`dbOl4E?u{W|QQlhNG_51RZZiDBmBxs~0p{Z$xRE12c1~0$C>|m9p9Upf9 z9M*i`JI?WRQ$ifaI`wHMqSemDr$I(5;>DWF6AGD1EV}s%SR<2xq1cY+l`CIZLB}2S z>qOC}JM#R@NCc;zxPnrENPT@q%5vC>pAb>FBm-2jK?)HyTD5s&zWNj4v5~Q`g;f_# zj@sYTy~3*qh$1A;#EZ5YAT{t(6L7INty~Y5xgX<&KSq=OiuUx~c^T1j=@b1W23>R< z=U3DBSDHZ4gs21dMX^aAmWCee176M!&$$Ro5yc3J$Vhq^>LYet8|4)!`l?vin6!sQ3}t5AH5)^ zlg~|%3}<73HlU<-*nZVl_3Fax+iT*Z4|+bP&WM(}yw;_$Zz5JtK{~U~t_SFO4#GnhC$iZWJ0pylu$7J^p;s-ZU#?sgiPkN(3+C z%l-&#HNl@KUr#9Whx9D7ITkj9!>V9vCUEDN3@`Og7qUf3kpG|tpD7e}Lp3AY0;(_X zycgUw#oXPu|K8KW{M(2$(z4iRQ;r46pFz&fX_~uO*oib~Ch|bp*OIvG;~pin_Qr5) zk^u#)ws+D3I*H)ZD1PT1yl+N9aXU zsxW2w^^XH4ft|qYB9V)#2?=L6CS`5${UkrBb-nSD2l-<<#cc9OO&G|Ck+!GIiuAnk z$_|^&!F&s(S7c1qM_sT0oaty8oESIr8@*8OhK}Dl%NK+H!k1FooFyvO;&F2*3wy6j z11yW$a^t;d^4v;-xHQperW_2X*tx~`Kfkw;+ptj%o)*1Z#(m_vtn;Z@$D zVQWAsB@Pev$GYRR=lf4Tcfq~B(-UI^^Y5a+P6K3w4>Z}Q6^=<^jt1j@?B0Pzx`?Z%5dLWEYt`3eB8xPbs%W3I3 ziUC!t8G&0eZ#wR6Y4!3yw>$}yNaIP`BaPUp`r(xI7c$lE9;@yP!P1q*j*I5((PJ7zTY))70`9nc^%FnH< z^vEAPnJ|+&?Avv7N?unEY*P>Tl`*p(kLef+fPG|5KT=f~iwq!X=l+%SB$vPDdJ8W{ zPMJ#W=MH;JYb?0NuQS*}&$;7`Q|m}cS+^=E&2sGbbt~=;3oDBArq+ie2>}#}fNs7h0F;%3w1SSak&r`fNg3kc z{2r7+2%!PHsc{LmvZCsToNErjpNxxxbUQ=n2{;#@`DzDr%rM}39Un8%f~z-ytm;d! zK5T9v$9u&%tSjf2cFjwk!gRI;X0sFb<_!T))vmua>ak0~T!4Fh4`6*l z*W*RDQHLXAC5WHPB>&;;R6gqMhFKkbKpm;ub=B4v?&~*6nqWH|N6z9lsr#Czv1)rJP>g$!Y zz~{7D-c}9nHeQ#*k#B{yOKiO4sO8cd?pXB*N(_W~T%h~#l-e#$wSa$$S zRcENlYHlb@o`@cUt*qxt(_TBgBBJ9C731`!PTswlyp&_K*S%q4mRKe${WMc>urH=@Ubdngc z1<;~M=iM3+J~u2%GeK;I!+<`~t5y8oVlo^CxeZ1OK;e3QA;eQ?2%Vn%3`PoJfXal$ z?ERolhIexh%L$S{BGUC%W|}#J-2&yHVX=zwEbzA20UypoD(fQE{3o8aFid>x8jgPO zL+DlED3WT?C@ZMc240{OyP*Ie+enlailRQqE5fhaW=elCDo?SUh|gI1;l#ITHTmt% zn1d(RrJ{|H@%pjaZ?NFUhmzY^v0)kpOROkcIa^>CwYXyAOXO%&8U^&hB*dqG6i2Zb z+z~Vytlc>eqiiR_SROg5+`Xg*=ID33eYt9(BW0*t6qjr*$(GAxrc+IZQYoM# zPrKpRL%`z(B`&1KY=~Ew@jE#_BFy0LarnHB0bXR${vLSeKB`p$KD*(f=t7zN?pF?B z2TC}kZsu5TW=gCoryVW83zKxn8&u2}$u)Ppl&=iVi2 zVaME^mtfn6F+yI$0Cp}No6=-ts~cp?f%b381-f->38)PMkH}xs>YAwrht8kKZjY&5 z{s^=z;JG#uc3?S_Llh*zLwU9TT<33u&Zt1}Bg)x0cLj=8urRD~xaUW%j}RI%;{>W~ z;_Ok!p1BBD*Bp}3s1|1u^pLSVl|FrcGskHkb}?3TBukQ6K>n_8MwAGMJwh{NY~vJq zs{4Yro??JZN^+u^zT|I5Ww&2;zsU>JOKS!9Iod=T8JIdAJVsZHlVA_>g0+C|()Vh1 zT+vl@;AG9po({3~Bu?h`Y6nH|?9`V8?Fzt}MqYNEf+=<+6l^%niUPqk`RH$n@nd5i z*UE^|nO4BlE0ZDHLHq161H9`P6?XpN_a5+6dGZ6&iDs|lRAf6ph7G#iS5vp~-PMHE z9XHE|`^;!aYLeRT?|Unv3sYj7+)i=Pd^6(C0+$W;!8UghgHf2_MzH;0Ku)XMylpczvSqy$aq`m6Axyi3Ywj={G|V)`(;6Me2LNt|S?l`!ix zQ=wFx`N&yQ6`Qb{i~RG2opZOI!=jd6$ypv4fg26#(tMSU%apth4?;!CT-} zmyT=tdOyuvj<{4{1G;01Sl`P57Ep>$?`*X4<8$&Ik5kq5?iDYakeQ=~?RZe)CAt23 z*sx^B`l#k*Db{0T&o{CKuvUSRIh$Q7ob59?RCX+@P*4&1cnm0&tsM>@tzC5uI^c+v zPC&W}9x#8yQ!ji9iLwPcK0`;~Bf4kgj-f6`!hGoq42+m>VV|YzZ6|i394xHR*tgny zRPwD)FUA;xuYn~45pj|5B_-I3=xB{|MPCUPaTFz-R0 zJlWpZg=msfsn3kNGcYkI0TfA8=d*XBy$`ByPXfaNtLMR1M zoJ0>7%H2z`=H5Y`7`v3!_Uiuns4?|7wyYejX2?U-b52D}P$8u3lVsQOpF1$Kxs8bm zpDa{*Qyc6#n!QaRXY3Zf55rQ;qNuEIpCidMVBfV8Z#;niXf1cQS8 zuLxXf!mWGZ5h*L&wY5_eN)rH@cK@*MAvM|@UVy^;bKbv zX{1Y%#3tOiw#PHxW>G7{L%Fr@%Rg6KP5&Dk^y6alhjEGd1u#FB(qRb(U!Ie=G*`uS zpclQ68bxQJuC=u^Vod@RHuC9g1OrCI0N}+=jR>M9V6!|MP((7*0H~`fDbQ^pMPQr) zpd=L7ZJHz;c?01jf>FIJv_i|W*?LNuBM{#5 z=Lao2C3T_Lnt=0=QrY_UMubuHP9c~?H%}D-h)_I?>tTOQl|S7!KO8i0+c4H@fgat+ zDOo$2PsYIr2m=ZI@_88|`))fDQHuz01rUdyl_6vyD+V8mXh8IM{Slr587gC}8=hHc zKnKut`^RQ?Jhc5_>*svudd~ceAq#O|jbBpSkIS+h z-YgtzgQEG-O~}Oyq;;L|~Tf z@g8_vndL%Mc$4&@R}6`nTtK84;c^V;1h*9=^-u(rfqoKvZYH4be3p<5Z|UVKHmNY{ z>7TjQ>z+&2Zyd!_1wxb9OK)HIJRnoH>C>1iN z4N}5>nU4XpNKXINy*)EQ_oYe@60)fFgM~P`FLDTO%I6 z7d1>_1;$=ha|bS3&INQmq33R>9JhN8B&LS7g77@6*@vtKUujlhaDdYUca;9TZtPPq ztU++pFEqJ`mCD~u-~Q3>^5tS-_`*U!Uv%hkmi1coCj>%jesmLj1XZ*^XlG4?EV*Ax zPUXkJMmjQ8UeJ7#8}UlEDqvxMp-pWic25NkL1W;*jJgnsOG|zZlFu)&8!0uj`QBA% z!y*>pc{JUTgme7lMbK;|gAWz^NkfPXEUJMG01D_MQ$g0KH(#;AS6KI=-5d)mV5}A& z&xj;eT^7GA-HeU&O+d;|53MxnO!h@&TtF`C!g6u=mupxlxc*2qbNQgN|8+wKEA{?m zRQG>JJ{2&*XM^ve2sdXwdh%N!9^ zBGay)D0|^+vnnG_)U^Tv#E1wAuUp9IHTuX;3v$`znz;CM>b84#b3got3s+{^|K!5e zW}$oz`I1qWnStg8ry-R`alSh%;ytj2o8dx)Pv$cO*t+~g0p4x%>f-;FXs~=5U?&@L zk&UBZ6j&^vf#uM#y)&EB0w53r8q49@uKlA$3-Bje8<&2kZ*U29@*+>^>5}^7(_2nI z2e)`c*F(2gCnMk{onS@FKJO5v4ugji{&TiVMDTM;pAcRJz3M7rtp&Lz9MK0tYUoP` zd7hCn5 z>pFc{w4)QJn-xFeIJY$5&ViFNqD`fV%mzs=%jya%us^r^bOl3(svOE`q4A^Dtg;u( z(BegAqQ)+WWz~mv1YrXkwM2DFVs!MsPHzRTp7?M1Mi&rA67B}CU?f(00{d-hpu{w0 zd!>m9Z%X|5XUl)|bpHE5L(>O>*r2(wwr^m0xqSNmt=P7CV||Vfzpr9M?&9Cv>}$&4 zSn}3>t?&6C`egr#ye_~gta5h!D?9%8kK~_(Y?rqT2&}-jGspe6pZ4#bz(4w(00LhK zRR8@m{YS6(cP}L%3S#b@tCSAERG5F}nIT^Z6~r;7Sgk+z2Y$XXh)M$`ttQDpuQ?OX zfOv8K&4K)FzY}Q13v7LVu2bvJ9&D`RH<7b&LOSj2pFP}En}|DCrS?7V--g2d{Tu%O z`SWZz%?;XCsCN$WF9qGc`T96ZT|hOD)GawS*`3&@XydP$G!9&GD)Iz`>4p9AYl`Ux z4_O6^#JYHbLodI+bk?(Z)y!$K+-fn>V&Odp$LGqc%NjX7pEV2t9n{#Z^oYRlJ(O@h zf_3yb?rAE4-}%E0D!7~2(vqUT^F{x9m)2kT=|2y>m>vjKshyH&X2mjxp|Nn?3H>lc+u_xGm#mc8|Kfvg; z6CC6g=IGY z&Mlo@^w~;tyA=vB?Fx$qasFI>h_Y^2;gI#fjfcm9p!bjz6kEj;#wA1S;EZu721rD*FeD0O$Sz3?3AK)x{mhQJ0!I-!A++j>=5xTHd8tKA zO6TqR0Z4VS;8WwBgh+t&VSLNf4?Bk(UcmIVU<3Rt-c>F8nxc34OoPZwN-t5EeZcC| z$tmhqnT8Cknu&V~Y^>IhslVzfaBxDaKl# ztLE$83kryGqRwuu1ha4aMSbdMrV*HLO@r36$!`uAi~X=mkVNa8$3J`SfA_C)ui_S} zpJlAM_49wa)E|F!iXt5G6EV6EfF2o{!SH1&W;j{Z;TcLgyI zOH7G=LC3ufy0)c0hIseZ9q^A}MRd^-4j@)FjVlNZ{@>pGzw+My;SVl#f&v1=qh=wQ zZ{Rh>Q$N6o4vmJv!syJ4jXCA73b?10DvkpOQ@WxJkZ+C5b4~!wlgtjm*X><~`hE3A z3_li@Lkz}l!3(ZL?k8N}{9HGNMU39fFBo1Pals~0(hbu&*R*L1u-Pq3#kK2^pqrAS5gPVwU(34REXrE{-TFXMwz|r#zT2&<9T^23?In6a-2ojl zmHmmvB~N3xte@KWeU_W)_$X?TZ(*rgW~GuoMy(xVr?2~ByC_V5@MYOo!=!HgRp0&; z1w|9Nyx_2cnGPq7u%KvL^LzSHS)J#|N}95>6lzoG{bFv>CvkiW57MyL(S0%BqMURq zc`m$1HAB64;jxx)qlorIVqd|mm}6GQGhRNHQ{@fOVQ*ex__^l`B|Qp9S7O#0Mw-^2 z%C(i*_bW9``RkFWuaat>l)ogP1-5|-J5R4iI<6|6IWOBHd$J#FBC>VwZfAN%la z^U;rMFsjmR84p&?UUSIY(GDbxY_JA(M_&;S*gxol>QFx^=%E;}z8(N8OI-!@akCT@ zJ!g7|uJP0)#htZ~isHI8Fa&b(z+vyHP|AT7+ZyVlXU4Xi4tIyAK~*6MpH&i8aoDx! zyc~j2R3LJ7_tg<;V<$w6h^)#9tfW?(hxI-e-pwxn)zwQg&?Xypth|L`bC?mq@?K{7 zLfQJ9wwh8sFCEhr5kCpIHqj}n+bmt{HuVVUcP{J#pS{gSW*sl+h7|iBd*7JJO4`|) zc#62%^sy2x3Mjc(1MC>ntzwvUJ%&FzA=k&y^ZCthwKfZ*qz~1tx@;L)qcdz^mO2@= z24c5FP;Mp#DQetapYEhq70<#0EB&BK%<{qHwFS8f5pa`vaK?b-n$K8S{9PyQ#fLl| z<`j>XyH!n-fR4&yoLhaOFDK8msfJIxZ#4Y?q4mkCX$L||1mk{gTC485t}k%-37EKAOTKGChSj)S+G*a@d5A#MfmxD>>t&~9VQ*8BO>D64K! z!_2&U32mx;nih^Y-<%Hj=eB+IZnsjl32m2f@lRG1akaSBze`GI$-qSQ+Pwe`?gXup`lFWqDjt;25s*#N5?NO%ix+Sm(=nlcvaa~=J76P znp;^+eAU6owNYwXNJK8?=_U8@^*Pxs+C5c~e7C2zOU{?f$Y2O|9+UEs9QA6BEs0)L zl#wji@eb=P?+hgs*3_NsXp?g1s`e*?q!z?k1l*6fwE2FxM`kSV#Ua_Z2o#5`a!B#B zVpzJunpI529^}vNtJB)2B_l*J4RQ;RL-Yi>ex3orb4WaspT8^$H)D$4{fR=eB8q^1 zBSa`{2JAYj%49>8zbIBkx3CW|MC91JPSI1!sbc_#Z}i|u(?ESq-<_6n>i=E=#KJ6Z zLq=>{h34l#As}fmg6K`Wn@*;=H%j822ii!hx`pKadcmaJ509gfY4rjkC9B&Xgj7O5 z0gDltDx`Y?RMiH6WhJu{p|WfG6*#&|k*4jjf>ucaHD#twy92_SMTfv3&+uAp*iXGE z_s!3$#grENLHGW$zmw6@d(UlgEDI~WXj|POp9|}U2SGy9blvhO-3%q6_sdY+$mKDa zR)AX;L3sUk53pj&WNmc#Dyog&o4yy<;GYQ9o&nC1%<7h`mhMm+P&vva6%aTPs%Gj-Aa+LAOh^Fsfb_^0~Goa8= zG|8oEQ_2#R;+jr;%uC3#B*2omw~MSJ=~j2zU+*iBHEdaa5F&){t!=3A_z*6cVr0gP zXrK_KF2KMs+v@3;lGsg_nC~L|J2K`6uwAkw8{Mc#Vwj^LUYLMEyM|M84G)w?+kcaL za674bY)m!G-y4L^`QLiC7zxfZ$39luW?4Sfz>yu7pF8ZbVrvRtOL&`L=B29Dq$BNf zyxz}mbPq}^hngDSv6!L$KP(&myNsK9V+jIvcOBDB-S8DdbyUgIVp)>B3p(RJEUqU~ z9@yK5D>eFOFy;_O1Z{9Vkto|-?Cc1(^AWqF5u?C+)$nk8f_C~7rLQDhk-@0!t)?G^ z%OUrY^bT1ICY(7pr%5F4AM-!plw=%lR|r|Tg;|?vE*$zsnIsY&D#OcQ7~}Lgajj`s zN=#(W%!q4Mk;u@`b9LVO`_$T?_<9d(hNUO}ZBrpqv-YX*>)S6&zH#5mDj54@IeDye zCHt{z)wijNDKF9KRH6pr-Guy^Mq}Bw@riH!5etzjd6+WurXh>XoURn(eyu3$t~-Tz zr?(<;16_N(=qpFP=w)d?+(7j1!kV_@=^5E#Ndh_YC^@>t)|n)J8DULwOy>jcB(R8E z6xP(Bb-zB|Wu%H)On(}}0e*Qk@+fYxq}ZyJg?Pj?FIhHMofNiyed!qt>Y(iX3N46b zx3bHhSl9J;E!^FUV%EQa-wCl>X5{OzjX zxToZ1Dvb7vVY%poAS(^6rf7P9d!NDmW-=1D)gb_^*N;;i?qUuj5IWm<%eg+sN$z1$ z4+?7~w>HVhLiEWn!~x6_glH)%&tq?&lSgHV8)m=PbxSt)lfAF9Q$tb}AU5K0OGv3acTJnHW*lD|85P;X1mCG&bIX;gxWctB!QyBF+c8ZZaqtQ z?j2Y-_&MJITGsit2tWG$YQTcc9mi9BR^)D4Lwvy$-L1jMjb5-vQ13xhe$(B1P5 zBD5H$B!Tid3g4n0x-XQ&Zq;r$J^j3GRV#Ku{8v_aQrTi(%puEMvl7tl{ohBHPnj09 zuumhJjTV-cWeVK#t?Uq?bB264d9M=uxaju3mx9n#_lYaky76t?={Ce8+1Ui;h}< zDXDGJ$9|^vlVfW;SLhRo?TXVvQ!1ACV_MXu)!H+57}5~{x3j#{6UY9$tQ(r#!I z9V%}jm~WbVy*g;wGw57Zdul3hG5?ytcMHbTSoXG_u~ooKOqrJ7XzuR;~8h`FTx}`aZfe38x>bZ zTB=%d3hYN;86nGLLkPvs+$-)7qbGKNBd>mrG3fcn18|S!$%5;EDDS7CbYnOPAVD|7 zCx)X{K#Pu{l+C;G9O>9efgd{q)#Z!5<%Ul9T*^Ma-!nmK!l5c|Q_lsiR^bTIn^^lX z1=LIu8QEn9UwQ%?K_e4}Sj{|snt7$BU^F})5tS*QS69;v1gavR!)nB^M2l6M21p~k zq$`+;=Y@C3P0FH)*zi>pdbvY7xnX65$BgAHblJ!dwre#?WEzVH^gk{}~p!O7?coR2vfTwk5VjPbd0YkkhD1#j$K%2kGr$MF@1Qj zc<42Gv+9fHPDh9=boJia;j`SQ+YX^7S8OH=QfffD1&1qFd|1V*T1aml=r5QW`^rsS z{!Iy1Ny(*5mjQ0QLI_l=qnlANK3Nf5#t+PcMc+++HD=d(QWwfOk&ThOQGa(lYE!oh zDPtcGit732^zz#_MwUgBIY`e9n=Hy$nIEj&OtI`=+&5BVx!!6q@V#-B++wBIYoBG3 zs7;b7CV8Q3AX(nW({^L8d#cR8p(Xn~i6H~#U}b-dx;d>h`o`vYg~hEV!Y%Z%*N83yj-F`>O1Jxg*mexKfMKT*nXyEQ$15tC)HuE3wx5sUKfhL>F0S5loLv|`^ulRP;8$v z4DPU<&oIzo`;=zj%_sN4rdAZGd#i8?Gna^-Q#*WJ4|%f9o_%5R6x^(+hzZ}MHw6Z> z5bL=qeE`X#nrpr3Avfau^1OFCRBJ~i>gY${vzJc&9)4DFQkCdbdNdT)Y%e>I3z-qITeS&I&~4G6Nmp%R;b{Fv89|y(|C0V|&q31ls9xWqsYemQ#BBu~x0}8dGt$iGB878I+1lTkJ=b2#f7&>iQv?i-RDwl8cq|Fowa^zI?ZDSg) zK6Ov_lvjHY6;9q`7A~Mwf*QFaILu#^8m?|#?qGdDpaFrdoD_?68fZ~1F#28tk#!A4=%tYOuz|=JJ8})!(Lw_BrUlFyIqx(OgQy)Fw&43dw?`!98fxI1P8+&M?+19L#H!c{8a_ zgvGF8IiHVAbQ=$&L6cPLfz+e3@Y&j1IAA$D?tq>>R#1iQa!xAGog}LBk#e6yYpIs^ zY@j2P7Rgzg>*aw6wre)Y%9jn;iH4~cpu@ZzicjIc0kX5VpxwJy_^|^(eMbPQXgzt+ zR5W2l^2~%7^&XJCtCIRQMWs>QRPT!VxKeX=KQ|(oN-K=JYOSLy zSpj$803B}iZ73!U<{<{LGeI{aKex3H>=sq;>?ZMerlt0#e|6zOKbSCzGztT=Mn~m# z>dlBgOsA$$3DG>Be00Fpr!t~Pw~A?QTzF~Lqm*64@TkRPrGjlynPk5fI4 zo#+nD+;%k->wMtXl7KV24?(fpW2(zmT29^f{hf6+p`7moR6Ja;6YAajT^~EnV0=mi zC$OW?Zuh!jN1+mqNvO{2P{s_@wV0j#pIW(pa<2Jlk4*JqQ}e-c0ORubctx_a)!Y%@ ztbBtBvtx`Jr!B*k%H49xK69N7h@^L>-OZ_TvcCQ8SoJV}R^^wWyzS+@fHSEiIgO1A zn+oy|>(yIAv2#VrQI0><=W;HrJXAxuF78pD>2oM+uy`qyPJrLo>QIk!c)CO(k?Ww9 zErT0hbvma@O6|yr(7I)PMHktLp zx$yAgczmGuxqwg$_<4l!M;Zu95D@SE_(}_?D_L{6mp0x=QOJVRvSRbN;E-*N-#%!> z)Cy^fd98;^*T7wsw)5sCUC?RxIlE4zehicYlhp<r_%_Lqv1FTDA4vC zsRv2K=>ag5)^p%P0zwSlKVozSa5Djgdi4VhqonL5#=LU>p3*Wuk$0XUW zT?D*0R@!QE10R>#zWhic!NSs(ulCA>d0&lRRclszux)$o(6GJ;$pym_ zqNt3Kdlu_yVmM_64yj!=Z6oU~)b{x-?N$chfDehiZRGvAUN(A$@~%3gub|6M)}nx3 z3-$K(o~8b@UElSm4|-4qR&1A(4NTj?Id?G-ZPA6!CRyR&aoCS~q291B+q!RJoHzHl zYKoYcCdMcT(gPCSoUvZKy!R8&urvAozF4~8BRmlVSa6f6E1=tC zy|F#!0=EU#T&mzBW?@}Gv&N=Lj##ST;+`2`Swl&d8l~oS0XR3nLVKm%#qurZ!->re z=z22CDnwOz&mRBqvP^2I28p9V`l0Pbzh1 zBcdSeUS5G}8pS9FMxCKYa~}sCiMrp1igF= z9w~|rHPQah_e+#Ln<;nt?%sZ|p4Z$x0{e#}*-x^L|-`>&iF zT&Rm+Y?QRIFnffUn!sEY<}`xQJkDnwhwAxn@ei#pmmXZ4x=%h+rPX;&ZB|GyGsoQT zee=DK9IYjF>8s9~Mzv)Rb=?bA+!~egZ{?JYH|&07bXddWNxA(PReF+cjdnMemc%Hy zC~{G}vPCmCHesBok7U5|x=ET@&>|e5tG>QZVv|l`<9{?=DwZy$@NG=M^F8TnD)M2o zkMmY+zl4cmD<@;m4uX+VS2XvH*@i|41W_G{Ho=VtSsajCPkU@XS^X;TWbRxS z2mTULFQYSRXL+jk?0GjUISqaw1M}D3-~gPz1Ez(lYtl)1`rrI~_~|GqHo%mc4F$8G z86bG4^CnD`H(=tx{vo*qtUuiHA-hVIu)7M-EPjHW$qC^clX(~ea`!;%=uWk+70TbE z@lnmCr?>or<5b585-@#jF<72kcGRzqUiV?d_$6 z5x76c2-y#-7;V1Tmhj3FFb?;fB;gjlYkE4{gV<)>OOI!+&YCk;TW-4M2vS&foA3AR zDc+C&LE6ZFCOw=d6QyZ7S_q?g`iFysW*%Hm(LHQ&SB8~Ir=zaTyeqq?lqN42Mzlsg zV3TGLjZABA#DhdE;6^6gL)5#hO0hcaE%a6cO}kOyK~|O(YaQ}}#TC+gwTt90`0Aqwdls_mf2LSi{h)e?-IERTI$k#wdmCgVnf$KU#Pi`<}bk^gve~ zC5qXj;Pm!>zq80$)HQSv{*$qL3b~6QDoa!UVN*ZC!+`1C>Z3;@%0~Q^-2pZf%7#vQbs0U#hc|HcRAlRO) zA`T=}%)S#w52^`3l4HH?Xr}A!FTP-7RXfIaNR0;Jduf30npW79@*Tq)?v~dan~#Pg zX9n-?T-NrCu5(KI@h{(1CKIz!bb8obmPy~^8z|4uy%oLI3>=Fso(Iuk=#9{%4$ouF zVMfFzbtJv@U2itK6vY_|T6Hn|fh5;$}B%Oqp z$32_W6L=OApPd!R*DXxZS~$wBuy7b*@#F~174Pg%wCbuT4pI=jqxcuQmCoK+v4g4_RX&8*uN^5{8Bt!pF&=;r94fAAxD(lyPha)^^4h^Q0 z#sUl?ku-o+m7YNXD!1}PFN-<6>3_1~{hv4(oOt+Tv3nb*bv-cr?BQaj)kz(SgH7a0 zJHLmkt#)~)<8O>`JjZ7B6+p#WULKnQ`K zLVofu+ls*BBgq&4=$zcyWdxZtgJ_U`Udo2nS#k?2m)PN?jTir3^@0Y zIi`n|27yPF$484uF?VM-n5y~la@n0VSOJ@u>TC6t>@cUa_QSYT?+#O88d&2zt|0c? zh~oqYMHN^;b#70^#Sv)V>mAGV5XGsp)ngCR)sSr%skYMTQGbF8>DEn zHs4x#jU|8%C!4GCyUxenCr8$5myd+vZ>`urWQ(`?DdW(wUeZcFEwYp$KT%-?BZs>r zKR+l-%iO>4BxohS-#97>0NJVL3)b2UAsf(0R(!TVV4x20v3Uwa6G6a)62=@;=z6c}PA}VE{a<9}6vy(pBT8Z!TQQgNR8@ts9VpBDpK( z^WTqp@J_?;cIPcFV@EnB-fn=a)d5rhD~#9%g7Fom91@?`MN<=RWf;FhSqX=@;xgl8 z>o7P2#00#`{Z@JNvK}FI59yTu6yGtbrh38NV!)NDRS?Sp>V?@l1O;!u&+tYq&jF7P zcytOdWwUYq37}o1nx;`GQACp2i;yGi;(${HFjDzELfY(QFJvB2y9KLcRZD4owHVqZ znmIGM3;3j~R}8+stkkmEg{YX`xkeGhy8p{Kw1SNl1y+P{b?;l?{^v~1@tA_dr+i}v zk0WEAGl0zVdhT0OGu#hF2H5FS?Ikqk zM|ay!kDR7eyc4b~CbTPkO?TJXp$6wCt5urcJh|Y1b#G-eAZN3+q=~%MU%#45Fw)(U z_q&Jc4z};ZxwgwUNLM>7k_6I*u3$?pNIw1qo`9XX4{FSBAR!Sb+s{O`XgmU9s`U$b z`E_&_s)R`>`|lUXb&Uz-CX4`Yx!uTFaHnS;EJ;UV5LyY&FYrJOq`jevz#*Dlq_Khg zmyKGXF?36GzwOcjjPBnedwibuv-83r&k!bc>}#{mtK-F$nb2pXiE?scgBBnLr4#Ne zt&widb&|$LdBU{`p9ijb+Z#YPP=q^$vmDT#oCGx3;!&+5pasJJfv$N4Qnj)xBb_1R zDwCmAOBcDq;0@ASn5LbW;yUK@dd@WUtB5T)hErD@p*Yhw->TuNKZXntF>VpgwqPqhvqy)62f-ws$-s1&k%%k>be4ZOt; zpTjb56XbTBvlF4mB=#;>Os=3;+z9663(YV3Bt=Tj^ z(wzvmanoOwo>V&_Kwt9 zJL{!Cm9TH7rijBN`F94;iLo;5KeaQfYufqnq<84b1=QZbMe2u2yCWTDX@O+4mrnUS zd*S7|=!Ai(+Hap&s@uz`v{a)NpTqU`T=JRV0`zWXD?iIHZGA$(-$6#e>V$p^Fu19; z^EXHW)<g#u)jypo$vGO&XTeXwnC_g+QpTBHwv`J~z9zCH_pl>J7( ziF)D3WvKo{Ltnh;rf<8!U^h}(2^)F_=#QK@g{%Xa_42uFd63aci}NvnYm0Q15C_Q4 z(;^n1)9R+03MS>j8lkO0?gP%3In!GMl*i4dZbI346-{V_m*ePF^TU|F%Q5{|S>8!{7c!pI_My+8WVSrM20pI9%~ z+&&oQYh(MaO+!&Bd*qC*q@9PVxlqUpUgVsi9;dhXy6XbIhcr^>OtXaVUUu#Q-XK&c z+_kudMkTM6ca;N{gDZE-S6mAF74HhP11Sf!eC7;LLCwI~!H7jXt*&4ThxM+WK4?%! z2dim3c%CpEy_pwLsM-%99Gy_eD362=zaXLWgcI9uA3jY*s$h{aBgtvJP$Z_W_5-Co zEmqofOTYH9^23a*V)pWE^v*1C{Rn^qwWX<+rK7%@6=i4wM6b>3?ZI+PWImVAX?Ey9 zslJ7TGhn~2Az>rS$}(%?4_fWNf8B|<;#<-7`eO{nH)aN(3a2#g@5$PBMAoN9H zeXL?yubfrKbkJ0y`@T5Wu>I!H((7gc%kV&4&rp21(&~U9CKa{Q^GR_=Nl@Xt;_g&b zO5y`-Q$x?7dy#-yQ=iaGdx~*lV@@Rfvu=m79zc*4oAa9ps>@ZSm-NJEuJ3Y&s{e5b zDlt9D2fjoMXR6IR1%dBh-tGh3ltQB2(70TGHqN>4!HdeW+t!UzeFh7Za@4&}h};@P z{rqOln4O-I4x}9tolS&M;S6-UF7Vu2gXwa{xyo#%IB~Wwr7QX17GrW9<$9_c zpt5LPARKZsSpy?+25wh5%Dpws5M=D>3HD!#U~r=8yrYMkRcFKRJ6Fi{ga}B@F-Tvc z%J`%Rxu?Mau2?#35QM>;iQLD`MSzghA#t$XS_lb*#&ebpvL%Do6$ToFgSA&Lo3_P+ zF}p|-k|2ffGTHE{GvtRlAwiC>Z!$|1;Ei_@`od4Tb zaBmPsj(X|`;eQOBgjOtCunNxxtKj?0Wa#0{X8{Is1A2IYe*MbRb2?l+B8#OD%K^45 zn1legP=R5`PEP%+lL4zTseN#ozdy!P3>c}D764AlXE4CP%=8A7lB=$6l^)Lsyp0X~ zj#ohsPgUQO{&khQ9-@Re2XQf24_4eR=0Fh{qvmgp!SUSEbDH^y>#N)^EBfV?-VcgF z*e)wL^5~&JEzluD8wiGIj7NL}QShKU;Z4kOzT~dE`Pf8Mdl`pldpFL&VD01#@FdbB z&W(It>444TF_K#Ea2n48p?`p_|NU~jH3=dAM?8F*(W+kd1VWUsy+qLBA>ut z`G`?3L+b+ElpL`*1AWa4byFXlm*>B33Xf!v3-mG7iqK%vkV1L}L3IQDY@GH*1$teW zVsRuLm4M^tuii{G60HWBzc!8WX-s{xM>TDcjg?RGjYHCw-DO5@f!h1go+}+Q&C1_~ z363eXa?ieHHBQ{>W=Dt}f;v4cPV;T)J&Q_7*vdFZc_~b6DA985QICpl&RK#!O}JoJMXMo~PAd7`id(M>;SYGDv3pKb5bvm9MUx>d(Z_fMerOUIe?8Y%`qd<>{%=Z^3ZgwX`ZbpZfd=#@M&QZUG4+g_Ob-Z4oj^w3 zvuHfyZ<`|;&vS#EWr*v^7a%6EUHDShAa&$nAVLJ{&)M4|VR~K0QphX!deHj-*9i$r zVJ+9jU$1;vMIB5ER!5%m;5ydp@51(Fo{oLF>E>fyCn0D^{@{I>2y95V>F$|_0t6)L z(6AW;naMz8+)<%Shocob1$%TwANZ3?EC9eX&m3nb8kGZ?<}+V^8Qce(01-)Y8(=riw6h0-Um6A8Je?{lVRZ`-n)DakdwDQ z?}d6a`n-Q;Oz7H7;yXG~C($F_n54w)xrm{q$yTyuNDQCN)mDUr zYi)`=**#~)mmzWc9(GM7Kp;(C4-LEI*ubFP>?Z|$cS-!C_si@PSk*=wApDWL8h_tap@z`*s zhwy?s%7QV@WwBsac_#96W6F9jx5$jQi&~Ug9826sH+l;Z!vjU?VHxiN2Wjo6P@YWS zQ=Yib@r~o`$qzaRme8!9Enqe2^@$}S`-8GLcb#ewmrZzY##B_VC}jvOvk95@IZpN` z?G)F3JSI*-7&bI~MF1!E(igy~YV^Sbs5F@+Ji-)kLvm8tKpDxkp{}RxTEY7+BHpS0 zY=CRP0@T5DqK|AFq`vwQsoqDg#$Xe}^}Nb-A8Y*1At3|Kuo;1wmcISzcH5~4 z-A7tu^h*fIPYX^GE9lW>k#5z`Dmq7vP4G3Y+ky+DSH&|BuIpw-V@q@0ggg|KHXMHt ztA))2W*`v8Z*v)UciOfp4}7x2Ej zX186|FxTzR?#-GJawBnj%m|;SCRZ&A;RxGU=T?pS<&ulh{#J?M++AePDajTxtOHzyO$`? zXLoXEm8cEUXk*D;?kF5Nvuby%y+}S|ZFH3*Nm2fO5-GR&-5#mOpHkR!!3*95Ps^?Y z))SZXn;uZ`yn)oC>ZH+{7bzqOS^#^hJbMJ3OY^wdf%oHvCokT)4OTeD@4@Y(i-W{>E|D$ywS9uL;1rVZox+A_A%_mgbb9|K6#@zSaelew+g#wrq5vnz z9XA+#DnBcK4hSwb8fl^p(yyrxwIXt^-U_G#dVhb(K@rgk=65Rj`Zd?;p%d;P<;Z*^ z0JG4-&&2diy`FK9WoLZi^Al*>?!c;QiLHVX%ILan02jxX9;6yt10G8X39tV{`0~Ae zkBgzUNk%fnz{!MN`{6Z57&00Ryk(IwcDT8uqam;!*~qdCUhF$ABb@5pl-JbIO=Vd_%iKkPV78RmEkLOAG?KCEz z#O}3;L~Q4yu(AFj(~kk>FgTclm2)7l<6bq&ZNAFmUyCaJgWwLXAPNk#V|{oc7uM|jcMV!2&l-5&1a ztAGA*{m<$*{`fQi?>jJ02t&rnV5gd!=?#&iGXMZ_*M+D<>r`F{hf=sp+M&(-Zy}$p z

Uk$~djUvX{A{rzJ)!C7{PDe1ox#ccH&}d}?wBbqNoDl_wWIQxc3WL`7_iy49i% zj-L7Bqx)xmqJ@z(AM7DZ&wJ|cxpRTso20JmdI5(Nx=2IN2@In*=Ms5%=&cIx4M0hH zRnJ?(fm-{J(4R3j)!}){1`CL5u8u%jg zy@1wU46qseoBH-|e_fIp*sw3CBoMIZFfMHU? z9y%la=Tbb(ALJvzh2z4!Z~2)+c^LooqiI|Qg)G_R7}?tn=8Ntuw}FZu0Z$cvTlBX<(| zcb@QHezaVD#J;7e`QESj?az=G`^7r7@t5pbAEJ}T+e-AU0}qQh{|^U>&jsYgo^X~z zQ5?+;-7y%EPdmDSw$+aih^DBP}INV zJvXJmD%vKz8vXCT)c@w~h223;pGi-r`~S^<{P!2tNy~?_B^s0$sTI_zs zr@5UK)u<1_R{g4!EhR9|I67s)t+Cog^>V5HQOlUCf3So%|B<=#fB*RYr!V+VJ`Kr} zgzvfHZJ>wfpFy}v7o&TQ<2SRsk+9ib?G-I}e^>?T-<|J1tsf-|h}K}aiL6>+K!xAl z&hLE-e|t4d!aJ`0O7!7*wEX#ud@e{LuRH8FvhZK<4B>Q%dkAMi+;|kWgz& zv*92sqcQ&#YmaG3h{kkR2<;rMh`c2K)KAcwbOIeLD$5$6Tm{(wyLZ%f5JDK(^cqef z!aszPbP$4j5R+-~cm2<+TAUm;{5G%bq|1 zpvJ}Be`u#Qhv-Zq_d$n~U0;-1)}tK{U=oeyAML1($2k2A=)JxnR3F{=A~YOC{bzVv z5iS*7{RgZi$Wc(`WaP8&c-m@C{gah1~;RX8Y1wcPa29mka zkrHb$!Ga}#>2-6DYA>bMnq@)osT}3w?i8gs(znv>MFxn>&0`Y3{*1$&oq=9-Sk_0l z$>O%%IREYl`rkaDzxqyF9$;X|F+2s<^TyS+qhUOX7GmJ)O?yPy;=H6jC6xv;&)uUs z07+hC`jo z@?4=|dS2UI09YhQu=i*UuETWZ4rFD>0f$8a{zjBdFR39pKB4$kpDjkA2q| z7g%U!Pss%?p{pmzGQbpWS*%6g!)APN`0gvL4aDW=8-zPI%ZPOfpA3X!U z4!05CHi1@zcZ-P65Wcf7MOv=}NITYm@}7)L{C5@WFj)!${pX#4qC3(@v=DL4&Hyo+ zqXVgsAJ&eL5uSn|VhFT*QP61wj=V&~V5bUDHMT`8dq!rk01REmbi3cP3I=-GDUFSM z#d#pKe2c(+;DZ_VGOlk8GI(>)aoDvQj9dyBo+By>FyV;JdqlCid%X24VvGPza8C=t z7ACQ@_YjT1Kos1M?{6rHf#Wa?!YJoCw^E}Ia%(8$VJ;^njA+&uNyr*%BD~fIkR5(E^DZg4YhX&1L!H?!9{WF&gNj zGeA7>QVa6VTt6A5g;()n$jtQUBIN^=PmRykr@UkovXH84q$C4A~9#R`<0Zv z_5js)@%6(H0})&Hn=*}-+KuO1oQ7GXxKXWhPSr+36HAxlb$LP(2<|SLfuy+1(qj{= z43J(l10Ma>e1<$XPS-G_vE4~9#F#;}^T1%Vq>0t2I)GbH39(4%VVLTN_u2`$r!{MR z4}++s#>H>i>W3r`Re&{r68uki=`ldSpU2wtY+)tH9@66lXj_*V@uHrwB21b7ss<6n z!wb(-$QRfHhjze+>HGBf4-`qC>H^2V@pI8o!Frhm@b`QR+pd?`=VgH7JAm7@BT+VB zF|N0zyu2Ktc@w`t8i78OEF$TTp^&O>yc;z;Fm333f~jo`pHhwHf#Gr$0}RWXSEX|i z6TxuAIDrb&TzNBh2pBn0f(2I3Dnq?RK3;91{G2{90l+!W`-$EnfCnz4X#BBFs{ViUm$XA*{U$q=^)rjPt-Ud*^^=9%6HC3)2B3v7=jG+)Kd2#&gv=9$bO#Gyu%<1ns!g`U zSVZl3CSs1#*{1ZGXG`bYmm=dg?a}75RU%lfOoEV?j`-^YLXOjK=toK*zR9JeB?-?F zaog+uDiYVzty3+cfaEbwulHnXcB1CMgoJxi*fEPPe-jpH)aar!P-W4!p*^1TnAEY40j8!I85G|!Bkfdru1HOp4ZU38*5|x(wBHCGQnbnnAO}Hq$Wn- zW}2`mYS86Kxku88;kcM1^^L~2BOz_X2hOTfI54A}zbj3@M(^?J| zXEB`2goH{NM75g)Z}-H>lj9U+(+U2TeR0GDzKGt-E+Hl#zJ4&P660WCSQarJ8r)wN z3xWl0blt_-|E<^cS8HIZM6$Ta(N$u9>tjVU_}0jSqC=T;0cZ*#7Zu(oPPe|K=y^{$ z8+{UwFoA0cR_LIL>EmeP%E%>w0v7N6J!{EW;)uwE4~`?srM3?Qhnfa~fhXDi+ck2t ztI|`CAac=4KWe5mQ=8m!)pvD9n2d(=5?zN$LpG}7JTvoWz6t2>-t`xl3>LRgo@z-E zfqPI(FBb!M<9TuM5k^{Bqgp>|XAMa5wHnq&a{a0lfcsKnRSi^Q0o8k01^sJr6kWDe zNH!I@4&M<_5q(yDYP}wPv9Imf>dYrbF}J>Dx}j1?x*Ze+*=d>zdywe={f71!jHTd&%?`m4}Gxju8xCvHHysc-xXGYG6!cw(DcCh_K!-lBpAtpQh=da>E<8uc{ z6mW!R=qB7es(maI(wf9`=b}qA=Y&|No{=!wQVK5m$K+k4h_$;uB)pwNYU=17^rdtl-QZ&e|*hMA9C*kw)->0Zp~S2IE9)oE`)k|J*n0iw#Rm zJg@gCfw(KuiD0w&B~veW73@%L^X?pIpj7Fl_og+ zlWZvj_037wz2d zXzZ5Y;37PJtruUr*m60hgMMRjkTL;0TaQ9h7G#s-+YB(RD%fs}&heni3z0jwH@u&I z6yKo0h%Ck>WAu5l2b^vR-fzRecl(xb7lR8l^NkQHXb9ceMya$v&8vO0c1cn4g--pi zlg&~7n<7pShO}`iOB6a0w6l4@T?-@;vQG-En=V3`>r~IFU3|wGJHnMD7ivFfXJz(&=@&T6pl>KrLlqoMC zS(f@_cIUj)&ED5EV}AUpjAjdAKF@|6J$m$dP!41en%<2o(E<7tK&Dd85@Y|7`G zEks>c5@E+nG}lKGjE#>g@F!S}etC|BM0QlTVB^P~xZ=Ea(kc#+19+k_e9#V-Pr>@t zv}altmX?-%Gkhc+yB}gNXZpo*PwPLgY`GF~(Mc3jA9Eww}*a#Y!2fxLrTduyk)1gzMFJi;Bp z)b!Q9v=-mD%URM=JKz9r=L!mnpU~Y=;zo1|P2XCMRQ3yY!%gxNTEAe3=9Yy;qU&$2f6 zx_(KJON)|EXPR^5j~%2!2X_*aAzL(*GoZ)(Nr_44)4!xDsn?z$z0ilGUXpL}GSGqk z{-jcb@mFn|X$-h|jEV#n`O(LQjAV-&(!o)uNW`w5JujjM#mohhmS{A(PyoOVj&0~S zpD=Df0oFKF<{(Wl(bAjn`8m{HVUW#P7LKICHe!Ix=wM$4>EWRuf^Wceo?INM(hlR) zJO_HbP>3=svuOMA6}TvkU>?i^$-rw_8BmdQ6q>2%=@rs}&bJuPla4)gGzZq@Npi}r zgwY^yC*Ft=XR-1m`{45n?olRN-J^z$cho;VxC@`pDI6g{H3CbA2~5V`!l(WYUYZkN zwtTE?2!OeMPiV?Rl*G4h7F+h8BctUG0XE}zIIQRQZ*xGhTZt5OAx@E^uKAgo1$7G# zv)b*7e!!*mBbtnmxDW@8^n+dm)oTFlz%b~KH>=s|7)2l5<$Kl|0&ad4%$dnm-UnW; zAb?U>tsF*bc-=v$o2P6 z61-yGi4@=caKrj|tkB&lGIhSC)*0Q%>?@SOq=GH~5&A6%fD| z%%RQ=*S3R^MN2)+f1eZdpZDdz^3#t!+Hb0Op0I;y$f>V^b|T-bW8B8x|;zz^PvL^i|{6yD1N>e59oYkp~TAYFVUP zXx}Vi1J0`xCMVfb+(ad3$e(5z6G+1L;ytCc8a73ULftO z%aEOnA5M4*@ET@>oL-?+vwn_^u5A+l#r{u{Vw3QXc`x$ev1;i;q`_8WXJ7eJO7{bv_t? zW4YYN5+Y3T5WjnnVF4u)9?Ln4*-c+Iy7LiX{1M~l`Vldja;65a$Qr<#Z{T(xC{FuY zTl>MAV6$ooEclIpcH05{3BV=LyXg;#lSKjTOJ;|r!XE3OtQ@>>H5ATi z5Mp{5yzlrZb4**JQx1;d`432PFS!e3Z1*G;l}vuPk(~0)IMb!=&VWlpP#TLcP*u^ z&-FF}>v`yIT&3%3@~L-W6friiL=#5u!z~niM#w(#T69q|lWY;oiC$G!JK{&4@y6Cy{!>)!J!|-(KMItN`k9CGmy${G0n#BL3*hIktAlFj!zc{ ziY!<`Yv#1e_u2*u2Bee}F^1;b`f}V%+vRfjAmw;o1A>p1^pVX}Q2|Y^_2BDnE2yrF z;A*uF_r;i%MiG|{L;F1P;K3YSaBr#ILy=ojnmMIoq-H&tk@Oc+MI2E(`@L5nEfhg0 zw2$ot`R>l-B|}j4Z8!x?-di(`!1zdi5KJm)s+={%QMS{ORjjel%Qk?MX&KrmDo` z4Nw~EfDF$}yn=YzO#iMMbxaP_Ne@yUW<79yviSNd|FnOFF zT2~=K{?$Ga2QVI1h!)Hy=fL~btY&*H0uZ4Q+LjbgQ17`s1qTy_M%eB%zLo3K?KM^@ z8)wN|uHt#_Zeqhh%2I*F6%wvdL#G027$yKp?3Ge{a(8G?o_t8KqpU5HxXXX{ZtE(r za?4+&E&!wW2ID?L=NF1rV(om4hDu2507f-_`_I`yPVky1TB#mUB3fS>9jo;puHoxa zI(R}&uGckHOW#6ksgvlrqeDo%mWC>|&$g_|^6~t)dXm3tbf$tNi&v+VOHUv{fj(=; zLH7^{6m1!6P{O|HgrejQqvzT^1ZnadwT$!LFQYFuq3B|&Le4q91vROqePHwU7poy9 zqmai|?qJGwpX9G~b??)M&EFusuGQ`x4kRw3hH+M`q=fO&-D1oA92M-2Q>HHVq>?Bz zOmEPssML;R1^UR#51tg-V8pxL+{g$KB6PxE?OEq4-)V z5ithDfMGXUHC^?4=dMY&#Y9%hsZ(w3*(edcpkn!uOQUmSmWeN{%r|+Kq6>dbt*Q4P zN1N+^9&KLa8h*y$%=o4fK!im$FWkC1n?|lapOTB3LqSi$nE%!fxM$iKK%s(p8T5b& zpXBDnT*#c)EU}J(6J8d%NFHfJTb&41V=z?x-!8uDK%^+IyaaKe!$r_47ZedG)$P@O z=xB^!OrJ2gx4kMq(GZH1r)IIN9R!N8qHOen){YABM;3*{*zd~$SbyRujWg{`<%r!* zclH#FRn8i&PBtf~xhc>!siQqyH=$^sSYbR-=r!HOybWSrBe(dVPnKBU&rbA3Kp2MZwu%lNLx4%+SP=KdX1 z66<#t6^5z{vzb}y;>ZSHmvXnf`X$BlB4NIcq+X70RU#l438PYUXF?*$ESj5KUKIV3 z66eoN?d8Ks+oldMZF_a*T@4GhQu$2EUs1RI+3{|vFwr0XB?r>q|5B!4YdlY=FSAWN zJVdieqOanuRz^-?qhlgY{>tb1$(8jD{9!0v9qrU|bUjCy?XE|ve-gEs+-|JoFf#i4 zk9gRX>zjU}4zBnd$f#K?YJqb&j7N`qd3iY!H=wCUL(?`TA9vMrq%dNNhfME;yv(2P zfKcaoh&! z`Mp2B*0(WyfNPv{;!WEVC{eN-FK7k-HwFsgi$Rz_JlIlrabzRYg~eERw{ z*fjGKyRx*^0gs3+etJ6KS8Vk^Uppb??cT@YF?ux}BzMTpDbW7nSl?utZ((Wb^<)1^ z)A_$yEZ1Zpk~@aQRPpIAeR@o9%8=-Eu&?j_l^YtqLo^E>{!R-eU&^6YtpEQR`)vpw zoYCTL&Fn9JMJ20L|2ELS^x*#Q2KpB-UZABI z27QU1!iAhPJ`?`1{@sO(w-Vj!MT1#OR6hJs9VKcqF*9FB*lGwZS9AHfZb7>2l7O;!}CKXFDI77;Y~10apbPR}Afd8Oj8}z%q6G=&dm_A%N>e_|&s? z5MqpbA3~;MRgBJExSBTYA#9_@1%K-ufXl-u^hgbi?@YSoWlNl7R<>nJ-tkf%W?w{` zDtRYgg}co{V!V-C!{Wsm@fFs=FdKRKq?J4qQQ9NtpgW_@{{)n7g!>hy4=kN$SPgPy zdc%AatYD;)??j%1Q5v_p@vM+!6Dh7UQr!}^6i(apkXhw@G}g&`*3G{jumV^iz_O; z5B9B>VqG%5Xc0%>6&Pr^S4;p&2;rFN>7~|zmlh`h@$b16t&?%0%~66S7G+?GW3=+~ z`(h=+!}BGlA8>fI+23+G6y})-UvmB>;Be)e&5l%@8f~5wcXsa-gB9@`0L^2*e~27A zg{mOtGmiwaf(`@;L>iz@m%Z!~mpEM}&=Rvvv{q$(O$!j}h}@Q%9Q0$BXe zt>8A`U*%w6V>I^ll`=eVs`~eV$dDVx@iv&qWQ=7T%u5ADZD8jpr`~1mjL9AZ|B71T zv81`LGoq2cx6;gXbfQHHh&hp|H7PCknf6G&OO4v#XEI?GyXho;Fool4aimT4iRVzy zcI@SciIEwss$}hle6%5N-Z0Ufe;;;&T~wqB&9SzNM9`8~B*IYj8;Bpy-%nRPDiRoT zXib--8z~fQvG1FnBOU!4HX;GbJ|^(253MMMe!eo*x%KS(?S>F|?rHOWP7!gQFa2>D$ZGGod!uzR)Kb2`zl8~G za(OZ^?^V?@HJB0p^mN4=*zcA*nhE~+K7ame)9qa8 z-+aif>jQ(F?aMZ##4`a*917FEMi?DWfSK~Uoa+4n`?Z-)8Lyog*6)#5Qx-bgWNog+ z5ubtys1mfs7l04-2F|H(koRX=Z*hDGwtzC>2zUs~qixXueap4RicLU}!&{gSHvkpG z@>7y84)K&-frEa~l_d+=6bPxVqUP!I7OTPHX2o^jvfMiJ$mE#t3uDN{yfMX$ESHLAU;=uJg{j9x);cuZSKK7f+^ zleryO5OD4p^~->OP#AeWW2jMt7V?J&^`og67msiO?|ly#iw7)p#wT#2%D*Ap8{!lx`i?gZ8_ra&T(K3#>4tC;qa*+;2^4=&Rhh)dOp60-9_{(Un%th-T^Is{#h3fi%J80Pzvuo=|8Wkv#Oa@; z`bP*@y-ziIdrtaGw%Ke~8X8CU?Dlo06F!9=Ugsi%cxeMafi7ykb{`yX!;dgN`c%x4 zmDuZ2TYZ4Dac@|eXsj5`felvRxx_#j9SlawaCEaWl5rOj4sAu>qq)8L7+tli zB&)2PZ`jJnQtNN*5MFJe6wHaD;n6N({eHjMK^8Y4^hCGkvs8-Vdil-%+za=D-$}EF z28D8Pe`hOms3l}Lo2e3nDq+6oH5_)HRq>+y%!&R)%NY$b9f=ew&g0vnGC>y_gECGU zrW9->JTLez&0iot6P)*1ab{y?Kq=amW+6nU#m%2;XLVpWkm+DKu=O45EmCR{3Gr`K zjtF)*!~G^A;u7#1?5CPx<5VczzWoL`kl*3NK<->+AgH#trGoC@x#$51UVZ|tcX1!i zE_v9E!>$k}FCu8j0t^*I#4x4gth+N1&hp}5_qvoM%+qE9Ie=;|a*H0wL7`{8wyyJ; zCW62BqMIBH8Ut7Nr+~rKQnCGPx+etmrj0<88%ictGHQ+8$oT@pcPX#EWtq)AIQku) zCc~R%flVXFAM!m@s-!#{W>}4I(??^g3~f5PFy$a z^Hw-Zeu4(hDUOw#g#(D0eAYu6q%@onW5*qW);y9^^IR9#B7lwY9)->l&jBfhQydv? ze#QY3P*mn7>7!f7A0~Fr?lcw66wOU3#Px#o>B6*$L{{sq#9KRMZSIK|h6>Vlt6J^$ z_qL@E?#MP4&A7LSvcfB)Ughrc^4x$zbB4HM#yuC|I#(ICP|v7IIKUt;zvcxw{Uq7c zRgtxFh>fO3I2fp2_^4I{J0Nl}CRkmIfNAj{ZHvidJChjsgf`lvY%uA%%*bOjlmLU< zPM;u>Qbp8d=QN{;bEauTFq<1W9Efpdw+g$bqz?+GMdS_&zt-1RXjg@gB*YPM`CuqV zcu#Bg+E&5I+jjxsLM@h#Qw&n5offo?&e;V*+-6aM@;GF6ELLbpoCUrBE%0k#`~YJJ z!RZR_j#lqW1UOXu=v(0W+Qn(ER-7-w3S&J?R%(J@vCO- znA;!F-fOrN>~*e5m%FL0K_cH)<6iG&jcMNcmY&_}(X&1><1QH&03)hWOc`B|Gq}_d ziiu}!+Q9L@h`s9>6qT?kSsh-5;o7mB!5-xrUG!hv%*O1ZKI}GK&0g>FIuf^FgA$WT zl=g0nQZ6u7P*Lbaj&6h!gV2M-urO%R zo40roeDb8qnaMeg(zToRFSIv_VrrV!d-1ASZ7|ec2|3jgr|r31_HdFbqbw=GP71~? zT-7)s41YkFygM^Jm0%7M1eiC=g_mg%Efh@obkD<4*n-DhhFd zhO95YZ$x^QBV>o*pff@z93vHvhlovrI$d!ec#FX~<+JRADfJe1_`)8ZijVzl#94pV zF9N;HGymk{ka|zicu1#sI{E#40_mQ8n|&^7(eb3_@AT-@qnnZXQGRcv8dpDBNzXe zeD4PE3>LOy?w;QiS_IL~f(j4oP_s+RRZoF){C@uat1+0PQ_C@!!AGF`n(qT8Xnh5T z5La(cj-G@_D-`$P^Mq6vMMfoyTX%bFk4*l}3t(t^%4vD57VRKC(6;&5CHw!e_m)vr z_glNLA}R(bQc4&Yh)9Wa3Sva11t&>YePqPsv6>>HYr%Nu_4!@vXx)}l;ypUcTYc3)c>B-wE<8UD0Zuc!-0t~a?nds5Oh$GbR*7lhAYxF6?A zYs2CEk_4~QXklPeD-@ph`(a~rOpKk7z#ViMHV`@rdj}Z>hBhIVmP`zdCG!<&o?8l- z!Zy{exx|Bv&0>~-rNKgury*$XqNVD_Zw04v=lUKFp%Q0a4?R7OKPKY#3v8XP0E{XiB%Fa1`zeSfZF&Lig+l7k?9QTFE?q&_iQi0b{=xktkHNEHU| z*-Y;KBhf>rY(IlI^o9Rr!3eDcYe3TmngT8o_>op{S=QoR#*2ZQ94E>g1IJ~>t*~#;EB`zO0qusnJb1?nzT>Eli zIsCL;IT^u}P?7X)onp;3aG!kwm--u+&1_YEa}LoRrV}o!gK!bqd4m8vuR6XE;R^YX zd0gCB*F72irml>ILF8G~a}j$OoWxokxY|5%D&M6wwj$A&$ojeVOE;I#I2FCcCEJ>e z=78uwxjR!;8QS?7!C>^lOaV}l5@Ox*DL2Hs~5Qs95^#Wus43uXh| zAvcNup_uZ;e$ixY}JPT#2t^-ees?Z(fyeN|T<&tyy+di_VC{VgCm)-9+la8K{#Kz(( z-z)iC(k_gzx5roDuC4Hx@egA)uue(=TV^8&<6KrgQ)Qs{Ph0+;Y{f+8>tP6t9R+Y) zfu@d9ML7Kh2LIAC_&+?!9T#|_tI6JT>`jCVJLQGkjgdM{ArO6v$9By^-BsOfkG*pt z#OYoY`q}nq*?UjyK*1g!yI%K=4Avw6_>`_w|~d`OjUckM}mBYwu0|6162kJIyU(2NztkvTB1%raG%8KM9jCG;QoK z40EFPQ7gYI7WgN(==d#qPn9HTN~^~jNX9IkyHLJ$=P*Z?R{77Rdi=g?8#(cOmq-dw zd=dSC36H<$)CjnJK5!ps&H+0%4!N?PxbS>RVo?rp_uBcsELMKIW$Qj|0#$245Wtj& zSs6YV0z~Z=P^#ah8TMu{-g0`j@R<@+juHB=HGqAW1cX%6i%9mK4(QsKtsOGIyPx#& zJZ0Ym+-TI8H4x@L!IwORI)LcN)_~tOWHYYxqiw6+By1YQzyD%S7+{0EML8T(;v z)`l9)2onga-X7x07c=IwjM4yfM08u#=f8uQK#At7<7X&?K>X1NbN_AX+ezXmaIv}r zaE8Uuu8MxYB;Zhhgw!o{9nS6)=zmILq&ENR=0BQ%n@7~(VksL3={b~wGJx+s6ieF( z|EPP4GEEV9f4?HRvm6KWP+Xl_L8E=)g9Y|&skj013Yp!-g@OfsajZMzZV7@UOK~Ki zJ+Bkf^0d>@u)LBvIm^o#)ffcBRpd7mNkJk235CM1#oa%Z*AYsb$W+A$j(H2kjwWbY ze?5NIq2Xluf?m7RBgmf-=YNR70f1*IEE_-i-q!qt{D$DfzJEK`qb%xEyT%(Jd=@HW zgujk(^YaA0x^FClL62fdh{wCKpP@orw#QE5@a;}^`Wo@0vSb?$DX}i=bm?co>f^Hy z3(WEdJ(!!*D!cpXRmV1>7n$ewGl@4ZGrmahFwzzkq+(XO0jjc17I8{ewM8Q%F<}fK zja!=wW(2Y@?dX2fEDB#Ode(pZ&@6RlF*0Wtp9b$~%A99c%$!}avl$YtW%?oA6Cd&E z4a$=hIF%nie$2s`Y=}Rl( zk#0=iZaE0eSnKZ3ZK}p&kC=VX^d{TS607Bcs{5u)xi5MUmrN&#TyFo|((ix%HXdbY zt$n47EI0c9wAMIr3jys*Laoz&%2FNpKX{;J~C*$=<2HE*= zlLHMX?UXj*<)JD=lX9~vF6)@G%K{n=s=Wp>kQ!IIoP*yK=$hVXvx2sLQtjN~GEL${ z;hwES3$)Zl_$Kbrxft%ck5T>+Ep`JId<=hX?7IZg#mc$s6>_w#4Wrv^s9XVhYutoCJzuOkPvMcSQK9Paue@rlz%xSz#So)KnnLp$T z_0j4U8TDqYswzO!y(om9wTU$1QbuJWm+d5wbhqnMdd)=}zihtdXamUYCGCYPS7H|l zpAE7zE9I~FA^rp-sp|lnelJp|0lNg8pT#?)m%bg2$!%X0n-Jp`EnjDr<^zqk|B8NlK zVDO0V^(WqoN}U=6R8@#SfENd5F0nc&TzEp87DR=jCf*53=sM-16a7*!7{`%>dx0RisCAHq@GT0IVjM?dI5=DNNo8@as74IVs55LjS1r&&M{VIE@m3}cV>W1}vRNdm z@if5BBneB(K-ilp9(xLly{xJLB8w&GJY9zJ-Xa~rdb|K{ytA!Kahr_p4qA(fCgsAm zQ(7J3E4@f4oWgTQa5+|b9wq%wut@r6Rs}a7mr4hQYWmhUrF#d%ZVf;yyf~4RA%=;2#V6g-GQse^*IF{q7<+N;vk{9?%c3M6A3w zWUOA%?=(&C$qc+;Zqf}6GVPoG>}0R)G-HpNBpt}Z1`R1(b@6rLD^CkzqFbOLo1k5r z|1D|>C{v+JcX482W-xIinMoPk(aFwBw1p;j_+;8H+e^vzX2@jQpq=(nI~eWKnk5LD_Np`PoCS&IGv1eE+Qo~()9E7=AblIXWLaZYx8s#<@_0d&W?rzf66NS1YSmTyP54XWF>s?4ZX{!kBpil)byJu+)c%+AXWa`*-ell)8*s zJubUEU!;`1{%D~nldPR;(fR>?g9FK7@IJ8J45_wz=HQ}Wy*#W4V%)o6xLe@oWL7kdeBxrC+6oc?GKK(WRnkJY;Ppba?o8t**Y+Drt5|-)46+1 z8?ZFx1(36OCHEJa1xwsFZV&pE7ZCYvL^{HzrdNWp?G|(7bgl`q5E0S6Pz=df58dy9 zAV>zWURh)zRym`f21!WfW!DGo`c&4ahfeh&;-+85DQM3x*1X#)?B*^7pr;Y8RlhdE@O-7W2Fiw!G)}Io`lhF2%6O zhl;iEsL0?P@uqUNh8ycyEcpKAHXN6~U)@5}pEl+m--u{-I1Rgr3iyp(G`7L_O7NB! z3EeY`W^mdvz&^;v2aUVB`U7OB1Pj@P1AF&X0?%L2y;JrFr)+^>a&a4!=g2-+d&n&q zQgKIZ4W7h%+K89wv&n#P#f40KVc^5o=G&QbHYTI&N_}kQ8e`g}S@LM5(j0MN+??Wl zm6w>>(ckRRhu}y@PAuGYVcYZx^WCQb$d<`;SgY5#Fh!WnwQVEPH3%{nuzl>XlwtN_90~P$qU=Kap&>@;WV{?FGm-7MJ198{7?lg}}R~D4V}o zy~hhY`g6h)j5bb?!M>;+YjWi49TrD(2n1Ltud-}xNmN@ctC`cFm!gb(!b z_twg^5YrG41eH<##l=|uaeBP)ew#UkNyN!>u@aKxAC<9tGcMv{d*$(tu;!-eZPEO; zY`fljgYo5IoAGz0o?M>;`=(#pIs<^e+z&Ea*t(&(r&{hyYt_yFLqWZ0bwjDtu5p6! z>b5PO8qIRfS&HwrLhHpjdu=s)qwd(5UHx$jhW55A8uxU^=h&*t%o-VTaw_NkOv2%h z;(*Mc337SS6#dr$C%OzoR5cJyBsr^^KsJBNk_1c1jY)Rcir|*`!N4Ia`m!Gc;XOe% z?ZKW=-5H9q`Ph_5(=QN`S7TyStfpZeeEHL?(`vYO0s5%T7y%lr>(XkC2LOH}JTv;N zMczFSnn7%9;!$pD-5J$b?k6&}V~E7EZH~CG%aQKN73{&l(W4Z^bsXz3VX(S?q|xZ8>s> z+LXs~^5>J(vwWuTd={#U-KrHNqy8ozCvud=w*chv*>29Z<9TWK%|-=gJ31V=-o@N~ z79F3-ykboqLwV;S@B~zrXVkFoLxA<*#dfkaFr=_jM%`iVCO6M7$EeXmFb65a(wJ2h zWg0z`_!TSc(mpoFDbxO|Z9O^_OEOWs)x*=8@&%=2xz-?TiQJ&M6%3F`hVS z{R1tNEg0N*Ts`m7^Q7lovc#no$xU;vLaGgbRCdO-#vXMya+dznM=gc0*uQIiz<}^B zE)m|pdR^tza1}TMojM!RHBozf-Xl`jT)p^H6)o@HgG{%El*f1wZIcr>vwxT1n*oc= zVPSMAII)582H)IZLArjiCin{#3^7yBPBRycI;0nc8}3)T{l)}-9RT;1krNwpPpvB; z1TxW4hf$R`gqJov0yR8?2o&z~q z^?g^i)w<8Ob~kn;ri!I=ZoKpvh|uP|kqymEO1Kuy#YY#5{mDyjuwp&B{p`0&__qzDFNu1jy=fetMkO%OlBJ={;YVel!|v&Aqi%QH3ni;_m} zrPLuf%XMXy&o|8<1auU;#P^c=9Xt_Ym@Xe1P1eIJ+W}W#*-Vu9eK(snF^X9JzN94} zi1)xV&JG6)`jM+oiLL#%?CPK;MM-qBRf36R^9g0ctIH6sdGpT(C-LvucsvxlYW?K_ zUlcPJ*R5Hw^0|3@DIkAc$0?WY+vb4`UC;& zWOR~Ya(jtqsA`mKV<<1(8n^w{sj}XuF%BaU1Id~rvnQVo1paBUI&VJ*Xe#?LNJ4vy zFf_Z9BcwEryV0{tGDa03);AEmq1r$NqT&0mAJ^tV^V01Ao7H3xu)ahqaVi2xO_wtE zUQZTQ>X$ZFx{Wzq#cSs!F9|!Be=QwjqOM667gOT1UDU@J)X~&{AJT&fFp0eOIJt28 z)5!y~$1r1vA5)fW*ZBRGn2h$G&WHPu$P~eCw(O~W-2W*WJqliSRK)R!AArZ{nKKlo zfrERc>c?6M#QN!ZTYXP$N`~$0m2IAoJkd&l*1NtUU|{mt@WS#SL0kBsBb)hNcp(mp z!FoO$1&7PZ8PQ`5RX}@$2}9D`Tu4ws<3r4jq?d97G&8z(k=ZxNuIkw)aRp@dDR1mQ z*^!L{%K#y7M%k49EpSvbRu$`O3}rPNQcTXZn0QpyU5zy>)p;+>SSY(1scNnW4c zGOhyLlco^nr8o0s&LGD%T^R)kbJ&?UDgAX$f(rEAw!^S=8`(uV4k8oSeH&LN(p^mX za>*s#LosuN;*JKp60R*~`|cgL2g&g%&zi6?`Ukx&(fmbt!Iyybfv@E>HDt~k!0o;{ z-?O}>;-a7e3&RBLb2Hb852V+fjQ-~NlelW#sgmD1+pNrX^=?)l^G=dh$Y3hLy8{JZKCCCv3!NUn0uJ?LaF8QB;5IUCqr94TJG35q9*b`UoR6bW)&K<-d6Yi zez?%TVWgF&`laO;Zox)E&3>yuSS+AkQs9>Rl{>%v56x@X9fwD_r}Aw6ThB}m%M*?M zH%lW6E~(RPvBHbnc_Wv|CS25Gmz?x0oxt`7q3ov7wS%`CvBGPDqJioH^im3O zhX6#hr+h(qj72Ae=7k*%?bYZ zYUzyB^x#B&rAyK#JzlKi?))l*G&VxE6nHak2tk!;pfXOGIRuu#h-(dE%XOmbp%TIl zvWGZAr`pXZYOOS!Y^@36Du8fGkyy7%i_csHwbA#Jz5;6g`7+DsO6rGm&r;pOHwT_9 zMcdp8bzvFhr+%A;>q6S{0K_{-{1`r0Pk6tKyPtD*Mi#>h#F4uyyta#B#0Q-gU>aiQ z1(!&tT|cB`CWAj?rI1-|RNF@MQ}YPkEvF$v{Sky?3CmPVRukaJA`2jo>Vi}QbL(djDUK;$8__auOW zFg!7WENX_?ZurwPp-`0@1LP_%0rnrQ(N5`TC?C4xDc-A&bIx5qyyDLZvxPowg0> zj)N8kXdSByD9%ZlW8wKKHa&9pkR)yCz-tp63wf(Bzv+Hx7>IgxEM|jao_J=VBhicI zykf$`j~`Mp!Bz=1${BP|rQ`VxGlTx@_@T1`eE|Mk2ddgS2`u3#_|^SF?22B$+OWf+ z#l$Eh_5CQB8I`?}UmCJys7=GEYXVj6t2WUrUeQ0fl`M)NYX2$@D$ zPEnMIW_FSMVFK!8yPhIBQ*f5pfkRxZ*_)hED`IBE7P`Mqpl9G@YB2;7;CML_SN#4A zl{dHbQ}?m_G(XQtuIO))HNsWC#H-sJ_E~El)-8WFWgYnB2hUTI zrcLVS&Ypd6x@ZrE_Wlt=bMUnQAFH?SRU1}W zSQh5pnA!fEL^>g${41Z6XO9PnLAl8EyQfM!in@848Ilexu<3IP19_=f{_h)l@6p`1 zC2CJ{-eyt>2kY1oG)1knZmR6Uec!PA z=duL)OEBEmWrbGuhvgXFF;VqUR`tuKzrsyp50;sf^3(7N;O5%FHf}xzNa@NF7X}a8 zA&U-is)3zj?%GQvGIfru8@Q33Ju{NFH?n_g?g4%O&rhyG71Pt9)48ESAol+9X;B*w<#b5*WZhm$&3-+G@0bSe3dp-(hpyGFCSavWuoZ z!f8GGe5fa0?4+{r6((vCB>1+>h587Ty0Jf|-x+Dk2X0rsz5C#O`d$BdrrW2vGCmS( zFIF`4FKA=EZ?YHa-(}AUZCKWpNT?qjZ=+6(dv`p?t>XM5`TlCOPJM|TmgP*@Z6EBq z!$>rTUMnxhdQ1sNsPJ~TKnvt}CIMPi(!T}dpQ==ORhym!!A1J#8I_h0YD zkWRg@FqnpXN#(2^Adx8mOeDR=z@*{rP?FpIQi3AgqOwoLN-9T9)gJzPCt%Ksv{pOi z>3FU;C?KWO2}$!#1v#X8pO3Ii>wv}3{E~9T7-aE&)mPGwe}AWUJvgf>hP={o0lhQ- ziaAtKH(X1F@NLE3T2q~a4Pvt=gCvq#90=?3w4AdydljpPdLX3P)!7LDIwG@l{@Zvq zVoaVgVmpL>ZD#x?9bNcs)?wJ9K`vv4X;n}N!rRw-UXg71)LVYi6R>OiZde!hG??hJ z-;zD!N&J+F@a7w!RdfR4tHQRoY*&@eHl*oA=WW7_zIPLI_%~A{9f^pEQxGbSjJqI&u%WCHBlN)u| zPDrzu?CMj5k#%McYyw#ao5n)K6aPYNLW)~;0A;&fXM7%ID#!fD$GH`Zzf{4RRc6^z zy7eljIyuU2WDEbh>^)V+*}KIP2c_4XuAtUTlGG%=JeL!wu~_bj{Lw)@57WXSZOT(G}cW7HV0mDkE=6d~{CH{}|Bh&wz`_cl^Y zf7m_(F5{}kN}BH}yd7-%JHX4z+vJ5JpwCRb*y0I)@6FeU0cI!sHs!9w;S!S}th;-y z0T_NxwJ4@(LR;fg2tPp(1xYb=4$!y{=*bd_P2VKwfWjY=rP~DXFy9$_@3_?MAA(%y zXI7&$fgBM=nI(6mufN+Kca&#=qbtJ)LF!FX%n31GHg(_YanmjbGcKJlT2XH@3iHEM z6W*(0)iNG+-2+k1F!v^2&~&wE3#m={=Dv@FT6wbr>CnzLE0kv9Qg*MB5rx#M%13@A-$6O0&JQD8suV8P(8Z)e(=w*>1VK65MMp{uc#pi$}u z+c$SMZKq9sOE}0`Zy(R#UqkT2x?y4n^M27Y6vIGNUl#4#J(x(k2i^$CG)+PF1WT6g z=C+{1f!~YNTI>GvxI-XtsM0D5oV*O-6k38=Kk`_e?H18?7i(g!SI%gl) zSYLI(vs5hJkl#_tkt);R6nU`PU2Hw1s-EoRDD)zu!8vpe;^VukQ1b#t>DJS~2Rbi% z1^g=Yb+QswvT#55(&K2oP=oW9YUxyK)=Tt}YNyuuH@HlbPS)Ni-hEUjZ%|XKvQ6`r zf~hP-7glfFIj<=RPML2hyNe(vM`ui0LDfbMNj92eCw;3&ER4~-zn@hP(EOYR`rqYM62a%`<@}ml8nDd`gMr=U3#`O`<_07Rm z!kEJ7b&(m0r2#C8pCRS2a37)=q)AE0j@pwFk$t}bBa~h#SgQN10!ASN!~vNcp@Lx8 zYP@k{LQ;$B$Ss_}gf2^;DQj=+oXhQ+J^Fs88W;LBR)PqvR-Qgt8NmYj40d1Lm>vA5 z!8Io-G?0(K89F^g@eaX{#_!I+v}hJJT+9AW zbj=aTRJkB=_p@p&NI-Qp4M?9~y6I~R-%jqvMrujfw^KM|n$9ybOSL~S2*L8_?)oe! zu&_V&h(uRx4Jy7?0tR>&?@Ux+AzV8d%FT2W6Z{kp+(>J-;P9ptlT2N}N!xr}iMSXW z3Nnl79)n!tOh;|YN2I?C;2VH&pvHOk81JT>V&l7=K8!hSSq=D+A80+?!%2G@%ReLnoG)Q zW(F?b#Y+@@jPF<{E`_>qCv?51QVVOmX0&sV+VDoKt#p3EFZ;)~DOYkvPCd2aZ53W} z_GzC_rC-^7j3{FnnO8@C#j>++!QjpkLqU3$mvbt=OIpIdT4(rNdPeRuN@d#7&>!6!Htp2g8&MTsNW>6pmT4I7s$TKgP8Z1Z?xuA+Ld{c?G{Vr&xfCf)40>aQ=?g>R0q=e_PDFhjFs zIIBH>-}YZXeXAH(RKl>!1T0nUFPY_G?pYYGR`}tW-aWkjgC}MavKwCRRvqH2yfNDr zS@I{xIUCC8on;=K|D7DF7V)Bv6D)>hw(tV)2q!LGY9Mp#nX;31iXG<;|JMT^-L8oK zetc%uCy;;VXX{+SQ_Z(Hp*1Pn%)_^qD&8{adq%19bDn2Plfv~3<&2m6 z@lG%ERc*RL8HIYL=GUj6xVs!GdaqR6cD%xS3!UqP->!W!sk+e@P_zdc~DcZZrI$`{I#y=PNeX-g$yt8rc^B$Mvap5t&*PZkYn}9H{%zi)S4QU9nX{KBP8vS#mXLC)otXkWG zC9A-htkMa8e(z}*_l4?GOCR3W@Q`Z#0C5rrWCtTbRz9v@iQ>LF>puEDc~0>gHh8)p zr{%*Oa@?qHXDYeZ?jDA+?bll&`Otc&!}JEprQLwd3_m+jo395_7ly9iMeivyRd!i5 zvp?Q!|CL#^fw{98tzo5FWzKSF>W3kJF}_cF6b0uUw-4U1-eMoG_HPGCTt1+2vt>>; zhR$f9j3Z{<{v(Ec^{X7D9aWk@7s)f16qt(g^gwKEepS{-`>N-4B^U6$vj&yy3clhV2~AA;QmUAL-vBRnoon7ZVQcr67l9Bu^@gzsABSqMCW9tGJ0pdFjuZ5#*CGfp{QcGNF{dA0*-BeuAO!z&5ng} z*;1iBr*eJXbs=G$uR@`}M!Nh23sr3gZaR`Y(w9fwT&^Rk^_$Vz8IfBSF2Scc?M*q@ z`==?isgD%##uQBP(l}nR2AskK?0DMBgZZ)qSZ2&Y0W@X{ z;=$~Idu}wsJ?XA+#FhX0@?V7`{+}mncB#bm*abG;$4FeaWz$_On%fy8>-?lS(dBhT zCW^eckFTXKQA$Z~GyEmtj#Q@8-dxdKj*GuUtvX$7<-x6F`x%4ikcB>>P37EsaZ`Rp z3@J0})Uoue`d{mYl6PkIg&y9)Jf>|D_VSf!J4+YJ$vjlFpHwo)InT4kyEawBR2BQE zlJ}bO{ysFA*BosdxfLN5RHKw^7A{JpJ+xIJEhjz7jxAr8E`{K#PT1B3AOC$f=f?%b z=e=NwFFZnbI7y-pF!>y)wk1F?CxuKext|IxMVcq;8@Aq>Ao-nhFqcTNR_$5t0=SX) zsRmjS9`R58Ag5L$9hAdFLEP|DAh;NoNJfg1RRs1;d;dyOBEOYKpdV@L&1>=>l@zOe* zJ>ZY#W#?Yx9x@Jg`wr0t77mL!4V^1vwOs(MMj!9F3m3UWvGRe}BUK!LBL!Pn%F zXFV9dVhsK3TOmM>ZuK`y37>*S&1u_}9~XjUn+{x9 zS=2UHdb!(z^0^x-I$kFht67|@U%#EHptA7x79-}2#~VVS`u%-Cr{A;%zU301eT8z9 z#RMEwZowf-0`qN-veUp}@Z1{;{6Meof17|A2dnr%5|-?x%Yr|~r=5oL`nzU+RoLiM}xvuO!0r!OCQ2&uebA5k1 zag~5=DY}LW(-x}Zb~3aQvhj0@YW$=Y!f=2Aly zLYu?I`Qxm@cWu|cw=Wwk^DN=K6IJ*MI#%B_v8>B%U=IQqe_E(~YRe z78Ki8(g>QhXdkQxtCKJBoAuWWP5feXq6s z>Pfl+j=05!RfF|*I0@fu++v1;l0kB8{{X-0-w8hynLtvlvnc(rNV9f|l(#ZY$k00d!dA<7|zN_5{GTtNF?g?)9a~lMz3T1Lkq*Tp* z3Qy z_D>>&_ILh=Kk#2Tc*JM!D~qVtmhBiAFLj`8l)k#)?{BS}b=927mulKD2qhV=ke$Eh zxDb27HSdN9{(Ml9;UWu+3z^*imKu6KjQu#_MoU;jIX_FG{wK=qm_(zb**G1?27*TFCAX5uB2OG3rgwwBi|<= z*p@)Hx)D4UT2?Y$+CkgX4RZK=fJssyL7RJF_|{*VKK}7djC*tHzL5xqEI|0P z=UKYWTteC<8KtYDHy|8sWO2R2>q>I)iOh|_E%UYi@>BSy-+Jdpf)>hlZml05=%dWq z;~sp4Is7Y#iG|-N&x{ff0;4??0Z6QY?W%{vs#vuJ!-PCS;6Hrr-_SL-4-=pxjcUO1 z3Fsg^>W2sW@7Fo0GVD{nig-M!->1fz1nmjMr0{d{{?mW&e_iFel11{4Zy;`I1E+u% zWLGNi;-q-oHMhOW7VL!Q?%<=p|L|1%GPWBZMS&us*#m-Pg|(mYre9LJT4lD5f9olv z$nf~@|4I=lWDH8@EqnCu=w)GQ5+x+uDEM?{itXQ1DhH85Tv)05@2O>!^zDW3X;W)& z{70qCf9nRkJ`P}A-2<7jpksS~g+p#A%Ghe*=Mt+&hJqP*#(`&+|Ti5_0w+kMxEha5M}6wRr{srINseO}8qBC7v3B z?NSRmSc5r>f|Az9n=eCIROdI+O}Bw-g@CQOZE%bODV2?L@*yie1&pTT?OJ-Zg&`#H zr~ez+b4XicvNCl;Ila8ugo1uj+R#=JwW%6Wjx;&29UA< z%?MD~=T+d5B^!hw|OMWl*W#;!^p06(D#p^9~XNgr1#YDb`qRMw`VbEv;sF z>-BWs5vO6OE-)Mjv!+flrz)_G216t&4Sdra`ZBS7K0Wb|U3i!-`{Ci$Nhg zl`Aelf$s$PH*kr23nb9%I@qt-29h83EQ%|De>|RNx{~47gW?Z?&*D&<2jUSbuP2EBat(K#Qw6!x~k=Jw6(xVlcn`s|6Fbw2Jaw z_*8`-SE@G)-j@EsX<+>PFEJnhcB)!t9WP}cWPe*6d{X#Kp z7+~PnmqU6c`ek^=JR%-Qkgiz6W>*)VdHLcsM+l&^pwy8YrHpqceMCM5LUqSd_~5!= z$)mdbr3ctiSZm;I_3=*g(M85<8t!ZLk$%btf<+2=GAFfu{!t(Zi;+$^1QA>VI)T=3 zKHg6C=qAjG_9D42>A`VLnETy!u~L?URpUdW(ayrj(Z zdeN7o^=C{X`!Zw_%B(i~&+Nd8WI>X`?VCk8DNo^ zQ>faN+oCm{wTGwJE(JVat9r>nK|N#^YZ8!Mtd#t9qQUo4pg-?)m^CP}dm@BP@;e?4 zpq{J$RP*Ri1?s>YK(%*7FQhXJ8l*<&+F7Dq`%?U~M*F%m9`{co>xw zzj(K~U3w6=x#4hul>QY91U=d-Ijz>^r4W5n1{UC*njK`lnt+FB)`;WHzO=l#`b|uv zx>TBG?CR(X*JMZ+$=w_Z8W~fgzP!I%S4hMFh6(B&%mlH>`v|Nxq_`jqMv5_~sR_T8 zRHDln6mfxVq?)1yH9K1P*u%XUYp8QGs;P69hWoJ0j3l3VPO|;6y{_E2VzZaiJ)J&D z9~QGrHSP(BJak=i;2y#5nnr^+u{_cFFfBJCho&Zg!y^$^lDB!K6PSJ;?&D+$3wx+q zsrEtTI*<=9LBZ*8eKp6|wTeh?1U}OR;#WS-2-Q$YFWROPKHn?p6gQ`TN-UZ|?~s0} z70z`&HneK*O+^D4DzoZfH$w((UfF;7+PhWBQ7EmQ5Egn#iXwS&8`(QIs4_*do~Tn% zHYt#se#QQaJmZJe%7^RzY1~n)DZ8Mi$ZIbpif4A5Dg(ir6CY3%sL#&${GkvJ0-x|D z;Xtqils6U9Qkn<8oA1}fW2?Y0S>qm-on`eZb`_tT21}kd2n8STc{#1x^$~ob^ z?16^9aP!kN^l@xXG^b~L7@_>{<$pgxlcZE-qlJfcUtaaluCua-#jxEf3W}uAY9>o4 z%nnjpWfyQgaM`_BrAZa=`U_;i{~Q{WBC4%v+Nq8@0N1Up#sk^*SOcdz1);EfcR;9j zV|!(oeU>x*A4O7tvZkl`G>2W(&Yy2SEkXSiD6!`0XPIj@57t7fblk*aK`P}i|1~vt zU%ZM)hYud(1SPYN8d2cIeiOOq71KHqy2&Qu&(sB(xzE{`ft)IhY;SuDfw!W2^qEDu zg)j2Nba1z>0wIE_w<&m*Cf*s@o9+H~Ki3Jjmm+CD!t&N#nqqHJHS<;{d@Q)X(KT?* z1P){PcOYR!M?VhhR;b}QN9C=N$%74J5d99z8UG-!J*Z4JobDm>kqZ1r2?D8#f!if( zL!`ue)vCthlp>G%!HEB*>%JREy+Wvdl#85Do5=Zh!3{h50F+x)2pME86T?;+5zoF2>Et%u8RQ^^!|h?oMpzExp^j1>c~)@n76%HcuoxFl0#b~^QK_S zC7(0eAAC*BQwLjAekics97vzEj4&RBRzdt$j_9s9YfoK&%bIDgHVp(4@|i6>=1?e- z_1rJNCDM6$I_jbBRf{ZfeKo?$sXw8afZgofe-eU z9A0m;9&f9wjjO7oNTldu+eU(>KyexRhvDiSEU(1K@3mcVe$0E7u1SLMNW+eJm`TY) zeH}u&(5fm6!Rwz`2iJ{u;GXKCIeW>f9u*OKv8tAYU+2LO(zCRf^fes+a>?4knnlQ8 z>^k)g2uxD@j`<&{AQ}jVYQjXa3QQX2cj15sKx@fTXt&tUe&#tfx2XzTc0Rd46Kls0 zv^j?$O_6tXC6S%7&S!D&oEHHaF~IG9v;LUvl}GpG0G#ET=W`Abc1}7dwssl)g;^2H_8Lpw82f2sbyA+q2H}I8ah~ zc?p8MycA%(ywRqwW;s{r-ChOmalu~ql`9yX5ep;I-TZNHrW7PS9-7iS{Dq)W)VoFc z<>EmP;tInQ0hH?i^8G}l??jicH8Q^QrQc(%IRp2>PEEzdBvDt9z~l5+S!*VMf34_b zr`<_Z@9Uaf9tF>*VzpA`y=0z`n8vWT?2g!*O0Mz zEYa$)exe^Dmk2KqFIE#cJY4Y-CPx{{9pGFJxzV|ecj{7zxP9!zDy!fjYoph{%Zl{O zTbFy#yI_<5Py{AmkG0F5Ps=wK&J~ z+x6~^75H7hO1<6?Mg`Yy7`Dicgj8uKpyJ2YYE(Pv2gCbam*GUet?44R|oVk+o7G-tN)I6Q=0E zZ6o<^JBxb2r?Ry?xGKgh?W>4xF$u>aEqMyKUQ9Bhf7Z-i2-O&;zwRQwyhd3t__prH`_w&*6ATd>=9;$8 z`7$Yump!M0cWL7C$0IG}Ls2D3Z=nYN~GrZ;!S?<14;0LT5Mp8SK#lZK{As=BIkGk1wAN8{)Lt1E(0-MHd+5vWQ;X<=QLy!$TAJ$s$Ss#Ie-` z7f{3bEdQA~CYVoF)YmKOMROv!!c-LnpWU*GFHG86318EE>G-(>*PA)&eiD)S;|t_J z;#moFg^Bz-BV4i>aBQJw#@^**-~Pg>JAStiPb;6(CWlS8B%ywhH% zYYn{BdE>GmT#B>pdW|P60iwT&kxuN<7aKG&7u_v<-vNZdNR(DC(L6GbzC=5wOt;>@ zaJBum+tFhuy6q{aj$uGkQXYY_YXHLE@oow~xnQDaJ{py`VgJ}1LQ1VbqS_)ho$JSW z@Q_E(qiD)4-u{V-O&?Jhq>6~ySmmhEd53y6i)$$FTq17^A{t50LU@Z5kq}oQ#{skU z@;9-THMdn?ACbX56=cwIl1&VS*QOF(Nt(6==8?MbPNdCLW7(uS3hIpNUb`@#84Ez` zwmZ+)b>GIxV{rNnh>ncf1x06d!{3C^U%j{33%#E4Hjn_-RBFMHh6!EJtHe0yywjwv z>z1WSH*+5M65ZLoS}<*FtUN3{bpc!G`E1k11)!Zg*Ge92`42lDf>R4j76GBP98LT5 zSBq4}xtrw_RD%oqwS34iIS9;i<}MP*)q<}SkpG)IF6O5irNp!86q)2>PwnRr`3#S_ zMx_!q7u3K5g=)i(yQPBW_wI>L+l9yeHC^r~Ich@c)bp}e=>)j^xgD=O~rk0Rv zNh*%-XQqJira!v6h6_ok1_P13!U~&@}hgt$`Wn`lbG0z%bC}I$o_8*T7IHsIZG) z)3mWoa6965+RgLbMB`Bug*$c57q9S;*l>1ZK%yfSXD#ED2%UTH0IfE&N2P8LMY)sL<4=-v52g4UPffmE4l?2dLiw#(KmR1CtWE%WOH*+rIU%o0DM<Y ze_p^R9o2%NfxPul-545sginkmRG=+cY?GrBgbXj&(as9wvSuD&H}r@2%;|LST7HHy z{pk7vamj+M6#-$4x5#?exof)E`nJwyIII&5mMu7+FQB@3IM!YFn)(<_P6aBdTdT#p zYN_f5(UgnOtjp+Zt(xano(>CAk-K6q6 z0aFjjY@e+gbjCCjuy-)!C;2M!d57+-WEaEcfT!BMJyK^Q8aSeBfaD;%j*^T&s%xM{ zc%P zk?zhuV&xgPTqc+fC1YK|aO8x&u@r*eq6@Pd3$ha52Dn7VZa|ekT<@hk}A z-UAIz`m^kX0f^jb znc+5IbhiLWGbPiMwG5PVH;t@e&1W`H0h>z;NN?5q1=U(ZhO$8;AIrP?)pIJdN&MVn zmwW5(dkXX9$4LuNt97F8r?QkrTf-dhVLU35v{9PMcv$J82$W~s63fX671M8rT0rM{ zwPLXzNG4Kk96Jkv^b`{`*=qKH`+L;24KE&tDB6Yut^ll|!ikL<{OL9q=MclR+bU)i zqz3hu3psaS86JJVyO|``_spRAsIInCB6PW8>Pbop5jKJ!YQB9T4ZD>M|{~n7;_R5q)^aWROvidmOUJS^(5hEbL)We^ZhVsXrW>i;KwA#K4)DpTy{y z$CWUM{#tc) z>&KOI7{V3pf*v$#5EfOemtP8(nWx@}y0iYE^h&9;!OO)8v$pYb*DOb; z=DgB*5;)Z^bhsbF3-%u&M{(7pkAGH1z}6=Ldl9wLJN&O3xa4+ z>2Jd}k{2Ibc#mg85Fbxw%_N=@9h@&@NAaHuWP#30f5OLZ29aFHop{dWRna`)UG>5% zk2V7aLV^#$kQ4z00x-{o5s$-6{~8nj>wnODNWj7hjqnE)nSgsnUpfz)7~cYm8~hTl z1|5C{ZO*T(p0t&Mi_Zs7fH@gb6`((g2a#Spn4*;R8W3G+B(OH{q6K@C^4?N{ygPf$ zp0$Tq+LdsOc14*g%>tN^&v05WPhENR{VnquJ?Kqtqj{Ad7CkIRO#sR!1x{$|RN+GT z;Gt|7D0Qw0n@MAvS9|a~+~|<&;)7)eZpw`^PDR+mfdSAAbNvEpsOyOr(I?bzSiuTc z7JwQi;J|9gI!?*U4rX?Rb#^GjF{vUulAe7)-;htRIj`R-ba)CZYno;Y_!#IaE)j4q zzIPk0*nkQ5J)LCWTaz#8%tu_rB70HLK&%XBIRZ9?xU$8DBLI@tQmw^)dupd_oIASk zWF=Yur!7vC>uM}CC(NMuNzjn?STp+yOfk%&cVqB&U7&{ zTu4el0CL{jaj`(YS(m+R6)aD9Ur_+ls|i_wDmjGf4W##F$Tw5an3Fx(m!qkx+IOD zaF1nk+Wz=ak->$mxSMO*GeN}$37h5i5yFm)!NZ*-`*~D7a_PP;e6{&(CMd!>EppX4 zcd}1iGs9A*1LUJ%Qr(UK7BtMq{!~=M5znSLZyR6(75k|Nc~Q6v@^@6%kuIYyZUWw2 z1_FXbZ|vREgZHpxN@^(Nf~o;w^tun0ydx7ZLZ}!pzVbir$>g}n{1z0?4QTGu2ryWu>#HMaOx zMzmf7J44YktnLGIXxCp-Yo`Y@u*9JOn2LlGH@u9@&Vy+xXJ|7EsN#{bw1H~ii3^q9 zhzwqec$%j4M#2?aS@fltW>k86W0^@|cvb4@RRcdbE)zcHQuZsSe%sf1=Cw%A!~`$Q z(NiQ5mADEqLK!#%1S`}kjO@PwUhcQt3SwEz|gbc~5mHx$sLS)qI z{IMz-P!~P}_|76G(t6IM;2my`P4wAeo_ z{|Dwjrh``CAd3Z2$pweXu_Gi8L*}Pz?f{#C)Ls5id;Aj_o|g>S6#=jLsG%LB?_>PuGP*Omy{`}ynEra*F8DmO)-SznR0!wAY>f)eAtel2Trou9capK+1qFCm zCm|M`Bq|=UHPsCQrGrEKt{MfyLt$1hWckI$Vf>&>Nr&-2j!f81{ z~Bdb*ramTWS53a2j>~gYP30 zd&w`GxSnMNL#VQ*Hs9woElvH$fLt;r+fmART^)K&(+qh7!8kn*!(m~M#$f1&cD1l9zc7K0KLGv=RQ}6vL<%u^?hU^F7&{M{J8a&| zo~BViRYhYo`2jv`QBXCKA8%zVm@ECrLXh^v4>Rf+8Mj6cHEWFk%We;%g3p3-EIvOQ zoOdh=k7U958Kbc^L~fOJ^QR(Vk}!NkSC-P)@??E#1MCH&w}K|aUN&qQLkE*yPnyhf zrL9vKG*P4vUF;%2K=T*Tt(xn#IA&JiOo`gl->gO(zo~4;$g38VRe!U``r1Mu#G{A> z;o&d~5XR^p^k|~qMi}k11q_WkYA`y?F_+Ik{i|ztJ3$pZB%5$!O^xuhKd|{XFKA59 z!ogY><2}%hu}n-UFC-hx88t_8oNq78eto)O`+!d*xtC`W`;2_>xg8AoPs8KY#B=)2 z@65R|`*J7W^LFhNMAR$6!=crsV_wVqZj5pxa8|A)VTb=oztrlnZjB z(P{{F@GT8GO?Df-#~x+Nhsh)kUb z)b@$zD$wfzsZBG=ue$UXD}RR3rsIxLuKF=n`RYNZ4^yfX3UXyu(1tR%Com0KS5et~ zR%$@Yi4n3!vp~hE`ctR~2p~?}N}9XuRH`4x4{*{5YJN z3Ltn2Nn8BUv+(#qK5qvg10zx}ye*wM=!_~##R^PMfr;UM3#(rqG~~0PZViaY+mH_< z-7jZx_L~RRSfIx+y{)$h=IB_!3E7a?z)G;}QsvDvnz`j%%mKjq3lLpq&TjiswM~qV z2fDVSJJI_;0Js0M>P;32;L!}t z)a?}KCo9cI+arJdn&Q>g)XtMG{&eg>=`0~XIV6lTpbd!naInM!=!znZq(C=fvNYj! zmV*wZ;dPBe2%j`k9I6HDki(S3a?+i#)o;bIy?GbH5;^C(|GR#GT=s zrUNC@{3Dy|&{GrjVA!W&FHPOE?3{2k-XQJh9)8ANhRNJJVF@Rsk~yumV44T&1hUV% z*2}juATO`&*o{Qt@HPF@Rl881IP%XA7r+Na3{j$Xu1@xZxZ%uv+oDvRedzVA8C#hB z@Ao=m&GP|6eT0vPHFeRzlS(#anC-&0xQ?#vw@3b{6o#1M0JY&j=2Grq3dI2EQkY@B zwCK7t_Gb;I{a6hu{hQ$mZ&IcAgD%k_aanWT+3RUC3|(Ng;#C0`knV6!-stB35+KbY ze&Kl%S{p09JdeE7vO-x=E+C*%Ae%%RTXgzxmh{4Qu$DzO50o&@8Ky;Byv%fg=J-d0WDp`F`&LCWIv z>A@0j7U)=I5Zl}&R3w99o->`!hzIHrvX4E6!?-?yv<5L*Nzmzb#cI9S&pKKA47p+L z?$HR&ARKD>We2BuuztT0oInQmpVeQfVdjwXF+-Z-@d#%peu&~|Mw~g&G=At=&Vc-g zSa7Fvv*ZjsSAK@)?8?2pXB8-sxuFUD7Zf>b#`+cDp`_0l=R8aeS1bZb79>R53>tL= z<}|JM|LJo7yM^XI`E-=XsDVtJX7(AhEXnVLoO_J{)i?EMSW>~gW)uEL^V_&ZU{TMf zJNZvU_XjGe8Re($dV=tqDP`a-EjaCOrlYHfi7qrpgI$%pa7N`$2$(e!7)yw62yt|Xw0BKN2?<5P<^f^jx8kh5`nkW$^ zZUoN$Fsf=Khz9y~Tl>8K_MQ*LMThitgag7$CxIz_0twLR^+s3rqcdWsAzGSjGY}UR z8VC22ON46)u=5dNy5KILuquM*fZV}hX#P_3+oFBhMa+;fzc%;+PR2;t4UB$!-4nu&fy-hPQOmp`D>EA)X@X zL`d6j^{bnU1t6JtKo9DKi~sx$o+Ld!f;x&u@>r^iy3gxX>W>fH`VBwig2=#Cf~0Hv zQ1Sl5Tf*??PYd$j^WiSH;k4*I{9i{m|0Bnh=KE*QgtHI+XIsSo^Dh+$wyXxDe-+~W z{R7>fn4cEs{(pJNMS3b3p(-S#sxAKpFYMmYAsuPuDWG*k@_#a(`Aa(N@LD;B`xn$+wrNi{^iCbSO@aE#Oo@l zFP895m9@O9Gley*X}9d^r!oa}A<&#-Jji<2et#@|Nf$0erjXt}4zb98e=1jw^9BAh z3t*p4kd|=dK${Kb)83Ct|GzxldWWFgCOvy{>$iM*;0m}zr5rkH&+gA<|DWDu5he`g zr@-z}%{QHKMWL&xsY0{mqQy=(0+~j?_v4kqfy2unsv7aKue_x;&A-J(E{ahB6 z|NeLT^_#=zG#-U|uX3>M?Qi*X_FqspLspW5IOzVDC-y%&ApU*R{;%$oivlrmW5?0B zSO4_??rVW|(U*awgbbUy(93_X4f}TSGoC|5P!Qqz>$iNmqyya8m_mawuiw(&M3NGA zOU+!40GUfG?9Af?c9GM1y7Pxn!8}HCkpKi}cf$CsB!KDDK_GF=`ucBp`CKN%G}8_* z^}zr!@$M#dkh)>*3y}oO4bxHR$EGjvZx_y1Loxr{Ca4?F~hlS1}Oft8q0 zR+rhE7n~IqbjLUOh;GvE|LcE&JP@)N5VBTj2p3&Ai}oOa6lSDBVrQDOsg3S8oP#mX zN*)pY3?UewB;Nl^h{{T28wz8fNOIZ##{)iHQ{@!I*089tj7$7~th4`j1uBWIF}Y2g zoBhB4*X*|m{y2Q>7Py7%vrJG_`%$LEyIw7=Ssy>_C%yrf4Stf*C4Dx5eC6ppU(LIUmbz}`i1_Fe`xU$$=4s3i!J1!;hh2FSNS6TW+I)z z>C?!fI>^dm8*T^hXQ+_Mg~qHyj#frdCCEGqe%B;0C9(9Xt`fgCEu!DLa(H)t@9Ewp z)DuIE^lJmX-%vonAZ!iCrc~?((E8CRA3`7+G9v_!pBEO~ONs!`r3{ke1cS!#T-Xc} zej%AGlj_V^(2(KgC*2vS`GMa`Q3 z8PGD=14o`dh{$FH8;W0l1Ia3AnToQ*gA}xuBH_)M%eZ`>)KlYRw8>MT-3{@ERamQg zDW<$`=I*IlwFOUsPYcqZ6sV8NEAQ0+!Nnfka)?an!Z{0I&F{b(_4t|K>P7b=h_|=} z%1K*~O)W&tS=4bUrZ#}mJAIRB#t)@QAhA)tA{lHg`uOIk%f#&q;axc$pFsE_*p)8$ zPnjLKLoPbR0CiFvEK3cFd01z7*M5)jZh|*7L;abv`Zd&!eLCQ(twF?!L!&IQ}7%vwn04$#i z&u3Tc&I0Uf*%EM&vEN=C(VhJc>xmvHC_Q{hG8-2kRldqle|cx9uxBp~qXKLl?OSwm z5f%k4fCE-c=T+qk6w$)T`MtjkT(YWGt6D-U=O7>?iyH5(f{*AtvkEc5^zicDGSl$8 zvt@jS>xo=DNe934tlKuIB*OZDyDqfc_;%9it>gLXO>vdv}%^P)%AKxz9IQ(@1(sGb*_=&o2iIh zYj=}}NmJwul#nIv4=PwRzNw%b<)|NIU#jRE2+(wxwifo^c^dOD5)@wx;8 zXCa~@_ezW#-(1NbEqfZUA58EtIKm2J3kt|;UIA4Z53;q|b$E=j=1;$u26q>;?-#A> zWfFJZkUzYOL^_vif!OdLLYA#N5OU(sw4=s|sN#+7S?7pDBXV!jA#f)e_JTy+`zl9h zvJI521QNV2vod(?8Q;MNENAE`5{cv>21Lb3S4G;RJqkKrX|q~-;OZ>8AAOKY+W^n@ zo=iFs%>2lZz5!I-hopdAHOnS3eNe8l1^WnZ{3KZwQP+yV9Pl{xP{mG3yLQ~BcvB5& zK^K!Nt`L~9f}D++GFHzp?nY-ng+bywE;W$qPJq>427A{pAm{1{SRiBx5?|m#?Y^*L z`N_0z{`?@SX@80rsT@#RvlPSR{DWCgr!e&M*u|gt=~k2$Hs?! z1Caa#Nodm#q?tRYBUW4%)NH}WCOu7aZ1KK$s`Z^zFPmDBwx?(_V6VO!+epa%??@#W0Q?IMvw$0+n#Ux)hThVlqvZa;>#B?Sb8#xxE;EYFq-li zu*FM5PPk*gT&kByH(JWR4eU~qUV|b|iM8@I+7B87eqLrg{QZG8jEwiGgKl=3hV6}W zCeZuWh^}b~6)9q8Y{7HZUJ!tGtdZcOAs6Z|yb#K__jbBdF64{9+2jmc%fKf>TiP+C zsx-xOt5#rU6o@eHI?fhJ(#;BqI}xe8?MUEumWv`W>Z0V3jhLV=e4W~GP^^*WmoI-e z8WNx^cCV%_^1QnKL&jrDp`UDdZJV?~=?(!`jdo&2vxM>)lUyUMWn_D%0yUa*FjQAw^ivyN6M zE>7C0?EErut|2&vin>WfPDLY9(Tb5*3jS)X0N42A;!w$n$=Bz5pml<;Y>Q@yPyq zGz@y#xKK9!O2-w@1M6NBu;bO>^{Ybuxpap)xNJ!RS;q-u#9X%4JuJ>ctFuy1@3tu4 zFaeL1)H$P!dlmVac@4n92jOg|Kmrlp@0)Z}uMKG{IPS9G2O-g>F1!vcv9*(}xYA8? zfa#=sLg!kspKaBR*UGNrqtSx+f+YK{P~lO>p}xfz=eHt%fW!8DlE{w|i+Lpl0zd@Hd2~^dH)t`fDzf96G>;#bay+LxbpB!* znjrfe7@T-+bZS_A*GRJX(m^(uh;3HcIevfU+~N#4`;Z;68O|j6e&4p5#h^|OM7!!# zdEhTDOSraIX3y=ZY+1Q_YR2y+T(@&@H5DJw?5y0H^n=F`-r~5N=RFjN zm85hjT%K|Nxro$y#pf0dwCc(3Uqcnhe<-FKoHd@Ru&Y(p^%o_`Cnq|JcdRDiK=)Wd zTKL8-un`2}Zm@_N;^-&eUO(|8ORNWkqOwb#a}ht!(U!KuEy^{Fz~neU%aLvx(#dVu z`Bm=3r{LCMF_9K9+f!cG8GTN~dMg5|`J+FR&R%(R>vF@HEwEDF!Zx0MD1n4^C{iU& zTl{q|idb(O#+!gH7cF_zox&b%D|X&Bi~!#bJyB-$^?6+Rm-xH+hR<%Vk+&lziO_Dnay&N z(vz%~{dp<$tu*ATkX(F@)lw1;!1Vvwb4DO}3hWmV5ei~)noV({n*7+c#faTr`k$Pl za|>5sEh%#-Tj}D$sfUh8m%B3K^R^NCHx9h76I`y?z1?`J)P9(n&GiOn^^A(Oc|$y$ zeqD>Cv%3Z57L<-O%!v=QyfBL1tD5RVVZ`9RNgmFzbJyjA4>fH8r6!Aj`ct;*aikg2 z!N27V_}TK_99lHR0t+OawM4@cS|=AT6Cun{pY$O3s2Iy?$b;pzWZ2xzM5I|;^#F=~ zy2%gFwthGP`l13pRp_q5yH>eOyaqbv7~BTLiSZ~?=#XE<7Fs4*;6O%Ti{$xJNy_dP z-)o?o4Ij$69D!P2lluN~WbsO+zLsRRJJ&ES_?)SvQH(o9fOq*eE-{^LE=h2fQKaA_D~`f}mQMkZD0} zHx#I|>Sk>1o1V|=Ca-|TRi1ONR{MOdw(S_DO}^c0fmKJ_He+&FN2f@NdEiSG732d3 zv0u=DY?MfT{9I_7tVd%8n7(N1pp_wwJ@b$oTS7)#s)e#_v>aUNQ6r;#Mw+li?0^Je zJMw|(&kcN2&e5>+83;tpUQY^4O$-E4xbjOI6=oU`29*JZfJZ%-mTkN0la^+oYhxDo znTt19YJ@@%igJ=j4nDoNXV4nFh815%9hJdUZ>~ii2s>m!SeUjPq!Y|Q)RhNWTpp&y z7z&RAF)%ywO>yw;yfh+gA9<*V9C2hL%gB%P%?9hV3Jb2d^TslLs5-dnc_dsXE3B&T zG{qF8>pgd2ekC!N>I3}vZz*1(?dcnX`9@q;deB%cK`N)R#3 z@H_w{vC7!H@|O26vWNY7V@=K#mS)iO2idu=8WQ%8j>7klM4Ro3f>|_Rd}0pdIN9K7 zW65WkNclPs+07yNg!E$Q zIj)?8Kyz3q&@EH!nL6cF3Br0YcC|ZqTwf#ULWME*j7`bGBP3Jz+)J7;S88AU83E(l z^ro-dX9Y{+mwuqSDaO^#p}dgdjkXjInu-FN43?96L@5}fKA7Lqgvr$`?^WzzCl#|i zrckMiMg0uXBkwS@x3$(8T5e{a78O6tu%~7Q#{*qMGiZ@IT#nBm8~cm)~r1I&qB9ma;C6^LNKAad~L(zuox;rsls(UA?KYf7mR$6(%E$U;5L$@{O-5R=gTZ9&aP*v5$P+4m~~| z?L1nNhmQ6xf6R-TJqe{TboWaz=Z#A-Jpa`X9s*{=FO(%5@l{NRjbB!SwCJrj#bNBi zeKmi0N=Xh%V)@TFW6vNj7ik|ZjvgXFD9$k=Hw_sjsS(N}M$@?5B~?D~eq$_3B^9`JP2FD1o)*g+oWn zf^f0`ZSDd6n7-NC-OI0!y6E4y(4USKZHM&?5cq-l$mFIjeoG#{rR3$(vg)Xh^E=ho z8?_vAsU1P(cfO94wsZw$)qPCbGDd3{)7U$n4nvF7M<2?T1(tv531}Yb^P|^JK>pwt zrHBW9FjFOH#bL(3$m49kK6rKP?0t2kOnbs!YMWlOiZxKe8bHWz(M1A6n!C(wSPzO( zaJke!H%<3@^?wLwca;50({PvF;WVTl{V4V`u#x@27@T$YtGlb4){l4q) zX!OQTO;2&nl`$$82iUVF25Bw@LZVb`AWVD8g>nm(F=|b7R7}WfiT!fsdc~^1bMBg` zDA^4Pu@XIy+R^s=q5r24)SY5+rWs%}=G+UXGW?(D-~U1vR3b;$Xv`=OF=UB5_9f5j z{8eEj92HxH`l#GmgL+@m1i(eVPoi{|ZqPC{qfLKH0OgQkNl@Cs9PY|mfe)|mF<^0vj! zG=ipicv@W1zzHHorY{)A&f|HbgIL*x&>LM)PIx?rFM2(ei5 zZfdqsJ50YrE}f4oDZqyaiAAcoei)+--z~WDT0`*DvV>pi48D8#8vE6twuoGUDFT}S3}oF>n6qZ-;|Stlxkm$Uwx(h}P~0yFg1 zo>R!2Pd?S=xAyB@#2rIV6D#lxCgf+@3Kdn2&W+k;4Xr*{-^RX>o-jZ&HmQX>{z`~Z zmNM+)b{{Ch6h1}Wt5izCf`k?M)PA)G5cfh$;K#rw`{QBBu@m!2lA$e{^sauF&ws6nL^{9p~=6pt_q}RdYC~c30f%%)5ogZzyG^>ytCI zfns=+nH;C6SpCorm9yos*^DBvIJfl{LtFt@Pso#}(DiuKA+Y0KilX~ww1UX}qzm8A zXal5p8^MZXuYKQirDznBIAh;uln@Yo#zQZm4;MxXTltwdkopi#@{9VJ4tT4TCG9|B zD}%yic04M-NE9g21hPr2uOnAh3o`wET!oGRcwjGvV$X- zcoH01F%n)DtN|F~x*8-{yRBqx15elyP+*TJbj#KYZyZ* z~42&#zNR;`!6qJi2YvKG8!oIP?o#})drbEjS$J}xn@P9NY5 zAK^`Ks`!n8T)4)A0QbHg>_EVgB|rR&(cJj`6JpG56G>(sbVS}MnlQ}Dj~ZmjK`CZW zGiTB$kCJPv!!J2eyt{2eR&4`_RIIsD6LK17fgREkChu5KfO8O?sy-6#J3P86T|Wxo zfahQ}wU~BTHAJ7@H)MEok8>yG)J0W0_r{1Ze@tbNQjn5qUHM8%wj&rH60`L`{>mgM zUI;q@5b9o>WRA>G3gvyYj4tMr4?iPHg4lDA7J1UTOh`n6H_U2$5#R;#9$Zc$P=FO1 z<&2{xjhOy!=-pf3kW-r`8>WISq80W90ogF~WI+GVeH7<_G_6k9QVQof7O=RR7Y$)tRcq9SV@~89=Sy3ANZ!}{bRm3-jxK>@CQQu5F4q$>4!fprcK0%S}pEkSbX`hlj*rIbi(J! zrtBakLwr8}GAyRo0I$p9%*6V51l#1kZM%YEqDCNVB%;9*WB&DawsBwDK(NYo@Dl@Y zsqf9t#mF}y*4c;*70BR;yTMRuf{QdUr%Z{r2=X;TTT?xXVa4DTvBrCar+N^XfTNEE z!$0XaA?S<}l-Sit{XueeY zW4>CO`-hWlQn;4AD$JY^%4Ldx8WcMF>3S6p!w!y}JKS@PI?I4(-KiT&QO;1{XydTQ z@o2vVt~a`t_wTq8&jNYKKp?Pq>ICF!$ihh#+T5WBCKS>J({U@z+YHpU?lsnhs z_OVeuL`bLMQA5Jpg-KI}T-|2$Lcg3uX$|^NWA!aZ5GX`jV*c@3!htYk}?G ze#iyM{Fd$cx<3HrhQ%=H^H*pPE+nCS)<0DVJH;CB0N;CQ-L~x#={43535hvF9uvqI z3g?H^^0A$*@vE`$;{*jppi>C&hfM9EIUrRu`<@j6+!On=1K1~UK>Eg$m#>0jjdU|p zJi41LxeI2k0IErdhm%BU9Cc;L`olo*9N9LRAEoep6EoW`n}JF44g&kT;e}35B?mKh z21?{~hR_A2Ja~Z8R&vM)Hl8dPg!&xfx1Lt2HAaCH5Xz>JDx4~@ym)GM1^Mu(YzJJr z@;3mek(plw7@db=^4T9JZegj>{^1x1JyA5oYrZ(%{OX*sQd4_tH9{s@$8L991C z;sk%37JiKk+2@f}zbl`|e_oo=Eka?s(Sr#!ewQ~O_d%sKL=`1?dM0B@1X35EiIKN- zcZiN21scs@g*EB13e^_*H@mh~GucZ)yJLD^WD1Q?vnab&2uTrLHnRYV%H+Xj?{ikg zkXC*F0rGAZH)Y*63WS7pM(b^eqG<+`m~xXs;r$aEEW0alGd!uw2yoX5pRYxEYF0KO z%^mbJnP0!Z;4Rb9qIJ?3p>?VPd*gm_<&t3pEpj3n#ORq(7SU)0&U3^P&g&bQA4B1* zPk_I!x*LtEhJ3JamSm9YUOn%ymnGzlK3d+=Ak6lA;fC{Kss2pOw!-4}P3&#|2qWsO zK*>H_5sG4ZJ)*9{uw{ulNh7S@nQM1PPc6QQ44E`70|#&-rcf1VlyuY5P7{ErSgmKl z6XIc-XZ}@|@PNAc4_dK^AId?Hf_L9l#Bt%rCDJk!tuz7WUv)QPUH0tqP>(=! zGLTgX&Ey5-Et6IFfG1D$2ggDzTx&WaAx0a9BL`pliE4_UR^YYRd@R@5(6$F5 zwz@E_b8JpQT_Ah94DR*MwzChQ!>M3L3Fs>)_KK{2v|lqCIE{J`IgdP-AMvaA_#lD9 zvrOC;aMR@!L*ce>W(Zr~koqCPM=}ixhbIe-^L_U4(xwYv4nP4aR^WQ;y!71gk^&0c zvviLvUC92_$^NbyZ8m*Jom8C5uQ#K6byK-dv$LH)1o6og_!KY(Bk>k zu#KwV;&Sz>nfDNnf-B)ogvJ)iGIbw0cIIwtO@kJIo%^OcDUrK)_v*x>FT917m$2VB z?QGRuQ>aW!4(dbVjy`0MDJ#_>K^QO&#UuhVP+*lE!9&8*jccS6_1#$c74ow82BryI zB=Us2V)Po+?L6^So-anVZ)`&rixi?1$^Igr!bg{fF5b<7%mNk^8887lt~Rj4K-CkNqE>il3x?9qkdVh%v4-6WaQj32*#LC6ZM{*; zH0*sC-?C`j_bcJvF%qusDB`$FL-6`N+|xxAEZ$Dmpy%r2cgM99DdxHyVkj#&O8z+c z8Kt1AIY2n&^r`VCId_{!1xFSaZD9fkp6nko!u}QPcBrx*GFzJ7ILQ^Z%&@%aN>Vs}HI6$k{=!>AA@~E&hhOPi{512Z3Q)UTgJ!cc^vFUbIGLIy+euS;W|0 zTvLrUNDT3asMA@q44w6QJ5XRb)618_?QpiZ4tL-(+aUF<*MiBHr>b`Ajt@Rz80%`_ zW`+RLFidr}_>aZ=RP=%S={kp=I%9K3ChD;+@j(`ZM|cbrVr=$oy2UD=5br_%{4s7| z6iT!-w5&Gm%LpEvhh&Z|wv%a|Mjz}8I&F|R0y{u9&Zk-OECVKFohc|f(uUz9R{&f= z*~vNVya02`ZpkCzLNsn<>}%PHJJ_RpH3rk&qZ4BE#pXvl!n|U=xx3@EdQ70D%IHvc zcx;4ampu^#EIAjP#=FX?4I@g*fGOO6P(^Qc;vUY6UNi<5%3ivL%lQeNW`pSGv=j2X zP#kg)6f2j>T}W~8C6?e!2P*;9aEgNafds%ea@*;Q2xAOfz?_^Kh=fGtaxnqsi(e22 z2;DxZM0oP z7hYk`c|FT17;%ZqOx{GSi%o*k2}q?PQmEMrq$mhxAy5S!%&yM)-DEq`={x0DcwYrg*+@L{ zl26{mbD1Tp6DI@`7UklF73f^J#nyU}WY4&M68jk%nVx8fQx{AE5}OoJ2T0(%#~U{m z7u*==K?0%_>4huxXdjtANLUOw#cM~AjU5GVF=e5^?XLA3U+=DmE=XfJPeWA@mA{v68SD}0U-d# z;}DeOjeE^SfdocN5aTwUPgVoI^DNA|S0(s&8O44o=lbH0fU=0q zp0cjdsOK0>*56v22QDo06uuafQ&)qugN~~U%Sx|o2qXRP?5MqF&sp;y8$~%cyKq?+ z+qBT)d->k;*!C5m3JW@^{cIb?5X(_pO1iiVxd8@DCK0{M3)vT+YbK=p05D6A@=Ejs6H2H7fsc~wVnr58rf5?O&ZNc%6+8eQh#@>$C7ORamGYxfg0q$Cx&T!bdj6U6 zwgyi+)3<9o)W)`3P&|AyiYGu(`W_;KWBw>seO19O9K|SoIWcbdq=3QEdnnw;L4Xa2 z096mo>d6JjyCFN+1Sxd45}XYbX0`WG0W>QUDRrH=!S#pP8pQhWpQ95Ej(LP)Q7Hs% zO(~$^2!=F`78Ey!79Y8XmjbZj3#BIzg{b6NPQ2&0n)L0?(C28{1~tRAEhJgGCXCoB zPXYrvd(q=mIC@>^A(U-pYH5xw%zcSjIr##_Ivi8y9@-!vQMS+12phf#0PSbYr=$4{ z_kc)WBXM~KG8&n>>qWqgbaDNH`erTk$;2XAzwVoaH_D73;{;Hjq$358=XlByxykOK zC)CfaD$nX>*lGw6>m7FiYjUjM2xI9C2$ItB+}v&S1W%5h!au{9dFrzDpGH(LGW~n7 zBIVG=4;iQXi8tr^;X5iP-n^^lYFwE!Z|pgj4J4!hQW8SA{V#-tcrK%|iK(on$2Rt7VSQteQ z(Y$6K%Y_q@Y*m6+?Cm3U#Dip@aF(2Ltu4%B<|AVj+mzpm(I{4Q=R-%<&(^!~)+Zv? z6hP=gLlo^z`~%}r2&o$$eJjupBBwF=R9$>|Hj2ey%B$ov0pZYIJ`{n&uw6d5jXi|1 ziDwsm@CUH3&ss1SGY#=qIFfxUsbj$s+5);RXL+*2-Osi%8AjocJ-!9vW{q>KZZeg8 zRea1SiEOqA;|n2ho=p8OVE2^dN;tE$%KoJjx+su-w=jTdw=;1#!$2V=K1Y_YNv!d% zRcB+lG+*h~P)hXU`#$7R;@Hp*6jH=7&}Q5HTkhzcFwI06_PkS1QYMN`tWL z4{8{&T6y*SQ*xnNp{iSA7!B$%TiE-ebM33$vq7|PY6yBB2oB-Q4<8bCAcL)*vDG0sVq;X32MJIN&N2ZH|#1Z<^;+!!wzh28hb6e-)*p`?Z1lE`m$fMIVk6s zk7k6~%hUxS>3oSV*=yqFf(!$m`C~AX^l=qJCbx2lVv)wOIb^_AKi@*qfJrH3jFM|4 z!biNbj6%RiM6nEqpkp&& z92z#^sn=^+l7AuHV)c0FNp92+BaH+RZ%t2i4bqjsaV<3gCn$3;&D*Rz-`N)P!aR*- zKDpH}$lPiMIf8njYK6UPS07@l&OEB9Y_7iOM)_VH@_V3J%ZM-ixItOH{c#7am?1Jw zG)_^6oTcq_15%4X-{yRqSvnh4y{MPXAY<~y8K%acYEbA^L`<-3-xK4IK(V?o3W|hP z1g`j;|Mni$Z0m*&fd<=41pwVx;jb>QwCrP+f-kuqM^u!gPZ_o2Qd1W@?DnZ0Ib)nh zH4G}uTbZI?f&~UqNB0ZHgSubIcsW*6P~$w-wT1IXa#VM63B$?44#^OlFlUg==D<5m z;|+;7dwL6iui}B&keb~pP68aart}xUgFz@?uN9Q#(8R{J0w0}$LLxxXt@&{n#gZ#y z+7YyO_#|~Gu92l)8)(Y-v;GPOB`CtB5a>5_+si9+MXv9HO;?>&HE`KF0_Y9Cq#bDe+LJ>4~2f>)|zCW@~GVd1^1K*;e*s<*++ zyOb{6%{E{kA-AVj3EnZ0MCW#~ga2>N${wP@nqhL|{c+R#Ksm4}Pu{O)54X~SC3Z58 zy8a*AO83tiqq%WPPhUhMf5KoxcGnQ{(=sg~q)uwV-Fm9s=>2LY&HgE*{svRFk`p&7 z;$!5qY5@h)2lIfQU+VGSV{`hz+GyQulX>a4d=KJ4Cqg<^xO~>XuK0nSQ06MXj%Xz5 zp#@!9XKR)DyRUwOk2dlw!3UPe6bJ+F8Uz(Vv<{^LIRW9`Pkg<9XU)G1fOFeNC9|Ft zA+$2&2LfUC3JUB$nYGdJk=A4+eXUCq{?1n6<48ljoPD0O=RW$N{`(VCa*U=?NA!Bo zgY-fm?NCVAmE2bxCtN1fHIdvO9@#d_t1_qmVJiMHa5-Y1vjEVqG3SUW*xlLedI&M1 zorz^K?XZAi2vtplP6DI&9t0dci60u>Vc&2g)HqaX_i}CIAvIh)I4^hq$e@4Tn!t|) zcn1+YNm$a0e|YKs_J-}pli$dK0K+mJ!V!Mq*!5{Wlx_`@u|Gx+Re_xmW-vj^mH}r3m zE@Eu}#(3f^6^=M(!ktNs1AZ;6FZpIFS>SJU*rZ)e6`$fY6rX8C(gs|i^+t(NT6 z>OB7bmHu9||4UDk3O!W(mzsI|Cv*E}mxG{=B?cIOHVTq;#D2?T$wC6LG@|T%zo+DH zz^C&#sw<}B{`Qsj?IyU89fe?ni-9xyb}Rq=L;~XE2%jDzoRXmYTRKb;qC*g%K`d$W zTdF~z@S$$0h?XZ|%F7N#MjPhkJlZK4)2^KOg3~JFBI3|;mK?*O@CT#;AWK&R^Kdid z+sh>;NS-~|@vxe=gTESe_<$9DFqDOi;$~#BObFrL&)+ssl)#9N(|3&00BDT532wF3 zF4KS&{qJA7yC~WCA4_&?ZO^wXKb7)q3-a7M1*7kjQqFrY1MZ(Gs{BRRhFnVt3+(aHt-#`>u`YR;;;t+`q zP&fG?ojY*O=jE8p#MbG`+5_p_VsM#i&k!ImEe|+|v>(O@g$D*X}T9zE)J2u$r4gyv+coNv}xgaAL;)GBCioHH{ zH0MOpl!4{GKF!vIbTE?6$@F|S8r^B1_SnYwK7@a>W6fa~qCbUw7vkiu#DFJS=>!R2iObPE3E=;@F$x zTgg+)B9VVMcR?w_@g2q3Qk^i>xv{>te10EyTiCLsUbto5)~<@lSi_xe{vuQv%crxe z`W-{zntjhwWhA$91a;q~N8_O;5uN6(KY^Px{-A!om0O^G>-eJD!!oAuHo**GkcH4%RB z$B`4Y^|U^z!1X_39VDr8KeheQx$u;BW#{GHK>oTn@VduZJK*$LXXHvBsBh%Y_?kj+238;yx<&ug=gT1MY$s^ zu+KsHz+;Qq)JYe#*_TsCvg~BctLD~1l_DM#k&ejY$tcG5;UGvN4zI|WF~g&E;QFv! zBk8B239aD5I-+{@--(gkzQd9Ud~W8{jW=p0lE3!x)C^Q1Wc={9Xjs`%h%vg&A(Kt~ z?Ap(`*75qF=2TrLhrs?~>K^C>So`c7vVSqL@LcS(?&3KpSy3Nd?NU`68vZoPsNH%HT@dbES%CXIWfCz5aqtp)8`IZgWy;t8j^%(NAhMBH)a;}Ds7PdmYxvO!3 zU<`Z-nTcf}oC`hFygbtH_Yp1(~g34b5PMf;{5Tmq6FVXRzHj>l9$WJn4sa zb1#*jmLU^SDFe=F>^Y}p1TO;;sM;iV563y@ z!IXRpW&Sr6p`|h)=E_xiQw^Sn58Glw8z{QqUYOnlJT)6#4Nm^csz_CXR$Bd2$V#$_ zwyG(M;P*13a)x~pw^5`83dLxOec(Qq33i1-J$s0!Xa?QFy+oOK^qwF$Vr#l?!%*nZ z&TGD^<+|&bMQ_kt{^+K0HGz{IG3^q_NXA261N^sex&dPjtB(b2VB*Six_pap3;v}O zgJB58Ctl5Xb09ClX_ptTH-Rs9{_yYv`2*8yc|cZp?qJCR&vQIqNBUetha`t9)*d3o zg)7}mNKENXK<{~NN)9ND!cw$UR~i^}uPfN4#Xhuu0eb+(6}_}T6Z z2PKowkv|MV+rRlC8P9X^3$-q25+&zrWu83KTDIMv2I9Y;t?bcU@rQ2rXDR3IA{}0hW8~i)1kMXu*sqM5#H#fd zTYmqj(l0#I^Poh|Oj>N#gb^E=aa;632!un`Hb*qoNj=Por`aoKM(5EJOH80$<#hTM z1yW%=iqgu26~+#PAH*U%-d?<}mHF|8sj~Xc?CuU5xKoTFL~uRJyjbs?qEpjY*iLo< z)U6f}g{#4j&bvXZ;pz+I-c5N2>F~CNT=BbIAWoYCT7BVO<(u7=GWq_L-dKgg_@X4f z-N|8YE2?_I#ac_C`Pz=@dA`lV)H}cyw{+7AmBFW%XW?mQp#sZB{IuN4YX=jsIDLU2 zj&0nTJ(Dt8PfBt5<6v3$^EBwQ6qcMoBE{5R!(`@!l?w{UDPAxw((`1`2NEuCM(C`g zFszb;HT9wtA?DsiQht*Lt#Wvk9)#*=fb*seqA(nBa#x=77znkbZo~6`2XxWnWjzp@5s+BnCjlWfX+X2RmnY`HP{$V??) z7WO{dLnpK$*RxcbfPdAxz0ztuf#>n6-&oliTzmC3%=d6XTMUkQHZsETLuK|DBmNaL z=?j_9=D%3*p;goA(HXyVhMP+lWo~VsBUq+(TIkU%`NJnD_e`|v_@DaQTvf3$#kY>T zIB-0^=#)C2>0;Dum7OK!HlrqS*ii3HNnzND4eQ;X`P*Z|%@Q?Iw<37F<|VHmc<7Xv z-LL;4t3TFpqiXb%Y=<=duujF^YJ=cYuMZRz7=nmYA4T%OaVrUDkO>(-Sr6`Q5=a~- zz9b}9=X0wdzm|75Sk~I(jI@rUcd?1~`9UD9!yzT%#q`q!;%~eWdl@uf0Z_(+c9d33 zWB_Q8`>us3VGHfD>RO4Dk+2(bzeMpX3lw~@Af|}Ew>k0zBAxq=Jn1b(beeD(a{~xs@?%>$>hhUh-+mLF>`Fy0@#qOksYX6c?9R_D@@*kdHxPUmll&jx;Vl26pW2|$kC?s zWT(OX^re^@{c6Rc1wYGN&|r0gDnWk2glZRsh}`Dqxi{69z4OV@-9q0R-jtKBaK2`T6u!s}UY!(bbF>!d8Fr zjtN*u3?(jC{WtdBGpfnF>l+<=VFVpTQ3#ATDheVZJv5aWkPgzj(mPTDQUX@6P)4eh zP(*qOy%!Y)q(gwv5g|YbMM{Vyly_g=&-0$=e$S_~mY#J!oG-K1%xD7F^)Gw>_OD!^ zw7b`DE^`p;2PDQfuM%-S{_0-Tb|&<(-nCSg*vZh%>5;b)*SBOW+Bj&Xsi$1krG;ek zXi_7ost2$Z0mWYmF6G4}h%`ABL@(UBmtQ^k(7eh26IS;%wa}foofagyk=eL@>3Q(Z z(d)^|hcewufS*RBQiuYhOG%qkJc{e&bV*+9)vh<-|ab=HbK54b}BM@QjHz zf^B5dnaH%*9`ez^c~p0B2cb_dJ~^&-3q7Od!vfYPZ&Rf(ZPpDyWt(#h@&HkrGFl-) z#6h>{b;sG^8{=@$eMQX0gkJ#ty4eH>r}@xOlS^)_{2SMJ@kSa z>7fyD#wd#k>aHNW3b;&8P$xkCwgfHD1*@E@_*w>A6)){uwli2V0eKeTYJ&*P&=dZY zWY1v+zGD_SgG$_G(j35E;}*J>P{9I>VrRnX(FeQsgfr7OuK_?5&7~SR=b_%Degh{L z2tQ2~+DnT3Hev+W#rPz}3Lu_r+Uhg_vANa~p3+;KxYwdF4FntKac?`;9h<_n(p3~^ z7J!xlzskmG$hUKY({8bPN05Xe?%VC*_c!je>;j z_4in-nI5%oo8fW?qS7ZH$NH;nPMB7=VIB*uSMRu`4c}Jq`{bWL^n{hce~XeEhKnyx zu9xwmRqW$)EEnu@xRWv&xy5vU-kaY=3nrm4;=)%<&(}J`?D1?IZj_A zPa^bJ4@A`z5o!~HBzifxsS<$RDNsI_onxI}48*J$l^tOHDEo^|HeJd{_<9oD6RrQk zowmuD-vKFd;^5f{gb^RUi1#D$ov+^ti_$gx9ESLz2%w0~kW3c7-M@iYO0AWnG!?uN zZW9l}FUya%kTL&wFe5+)n2;!cVH5%Y+SxpeWAmJ&frHxc7RZ!TwijUYlYKnjYFw}v*h})*1ZX>v2nq&J0zuZ>lCqYc4 z9S!m8*${*5aSxRIPk)Wqe|s4Eudd?QLtC4TOz3A0)1H1K4$J}-oYI^4o{2Xv#mie- z_KA@~oIeMv%kty6R*79-J&QhkeHo=@RymMzM|bwvTB;4SWThKqqE8MBe+5gchj4|; z(jz0cLo>Y+NsrdCl=hjhRavLXlJ>Kt7Zn5^IgdothKxK9kOFz4zzty&rpd_WEws zg=Cj6hszu)r*qa!(l^&v&`U3IMN!!!OQdN2q_JENX~xPUW_mu|oh2inFObFhvVQpx zMxS}t-m3g}P+S^%&NOVy{mDNsta|KsP_j5m^>xgHq;m1i%geXtpO&KJKpHbTBSWk7 z9C_oOSG0owRG+qVd0a|4k7I0Y8bEhp5unSl0}U|m6^m2fzn-dp?b($<22q_moJ`6^ z%|P*-b_SNU$1=b}JSY~0#xSm>e6Y@-f$L5snUE1we2TsVe@axf0lZ>JYxto%s$o(q zw=%F;2+`~5vq}#*Ty>$>Zd^@rVXC*%Ca+00B=XqLKhLh;Im_hXGQD1{@M4QF*oV1X zu8p@|RHeGoOta}$4hAcP!4B1cdi2ZO`!)g5B2jk8tyA{ywsKT`EYvP|%TK@|d^=UX z)6IQ*DYMq6v{|*T!lDq(rKNDMFA$0iPz30yAX*Aj*VuczFy97ly_T;2{!i{%gfXrd zC?1@MoQ(VxYR7UWNe=BM3?P{mh#>@lBwPekXPzC>Z^DzGo9ODXb^{Kq1l^%JS2G@2q$iJHr zt2$@!VLQM2{o&8A;t!ToUGE|pQO-j#Fq5uEnUY@8`8-xz?ar;sUvbJ5w^aCdp?h8T z0oI2HkyUqmFVLE;%0b3TYD5$-k!?m`PND3-np$+-R^L0MqxvJ{B`A410~7ZiLQnr( zG9X(vXw6fxqd3JBz>p-j_ORl&wZ>d4qsAv#3 z-}VRn`?XYxX`6U3o8X69=o~+9Li6?^gi{*rK4^F$`*;I1OIJ2Bs2-eQT(V;(P^K&* zu=blC|8X!WT7<`$d)_|!@1I`hEbZxhBWHF5vX`8V7q+|Y%n>J8KESsEpAzHA3+(&@Rd77^k@YiIrJtUa3#>re z=F_wt>e9HZ>j-R_2<8pMwb8O4Dx%3#cc1-&RqDa^aG&(SQupu}1D_iTu7vTW={14h zKlz)F?3keIg{tnE>TT6d+cS+UdcUoXmnzMRFRxq}TU;zBuHDlcm)bE~O55ZJ{CBk; z#Oc#q3)gxqlRuzf;3&s1LAyXwELohp11V}RH6TjH(BWg4iuK{~?S8en6~y|=)joOE z0Wzb=OZTS0C-NScr(#xIKz}FV)iE>4fVyj5VH7I2uZXG18ch!j`aDKLK|s#EmBmbP z%%;aJgL$=}({l=rxfHCiC5YBtPC z@@w^%7m3azlM4|a&6BR#Y1lkms)-+8HmUk@lTG3dtulY9hzZU!azf(bW0v7`YGq7y zrI3H0km^L4QJZ@!)u6x>{TNyMe=6MR&ox-A9^cAmfFFi(bk~xgMPsB#PbuK!F_#JU zvOep^_hhw$yxSMW9l^0s{MWaqk{+ zz8sPuQF3Jj$hK;@iA$Rk>70vcmqtgbxDPu|U!GaqG4i5$N_vKu_kZhAb7z*mdyKXb zGE>Pf7B^E@K(6uZ|2%GtKaZ27&PpuKatVZAUi(NG9nC)=@Rb>kE%uVz@7r;cBOhm~ zs#{&IN;98~+3cph5c+W=gzTR4a|G)p59m?c9C8cgds0TAAGXO*oADC|#og$Ic*m~+ zWm8C!hAJVggbReW&R~Az4E3rzl-g=DpU!B`SkD=E1OZ9C8roB7@s>*!m>hy-+t5xCBb01USTP6Rh-U~nNa`Vl!) z>%i$Equv2U?$3)y@|;INS!vO3bG9pp)w2n)bG9!h zMv~gA_2W8Mxjlr`;u#cO)Nk2)J_7nz1x7U^`0(EY)>66B>SI6)@^KclpDO8D-1RVc zz3|)yv?Gh~`(s|{F+{CeB0Z!}|M5$jt_uZS=vj*9yzJtp)^x?=(D?E0gfE=fY~N+G zOB2bv_LZ;C?el8dGpcO!*LG=J&%W}-Gy7hCkH}#*JwF`c zvFvb2dyX8cif+i&F;$K}=_r2y3$h@0#B7D}Nx=V=GYt?D#ip%h#8}_sx)^3oTQ=)b z!}{2cyysT{|J_&agBNAEZSQjYw$)RlEka;1XXw>i<4mX}0$8%L6MA+SrgLsY#9>DX z{YL`eEY&cqiU{yLkKsj(geyUsBNdxVLJVN0#*wDtR6B>BjURO4cwe~s!Z+sLE(_zK zz*-_cJGlHkyMHx>P!BrJNErWy4dxl>>RuCy+ly+fys4x^2^CCk<@DYg# zaPI!Qy`37MOuH&}O_Ec-U;6&NwRwY~!AuikDDg}uDB&0Uzc+9N=Jc%%r}H}`H8g`G z#{%MOeb0^V3wPxrSUzHuFBkrW<{wdD42Nd$ZMwV-w@BL(DEAk~$8+91onlO%|LR!@ z&VpTvcr(ytM!Wtv3c$>1p2vzAQI1wY(UYU9;1pzYGWEIdvM%kKOZ{-W^p27kZKBONf9cx3@*&=RRiVP)0G%mr8YBgsZw*Y}``~i=vu!RE7{^XZEu=2Gl=& z^iKZR^*`g@fy3DdxXpxr^!j{02C=?;UkhGQ&QSX}g8*L9#vIwV4tb@~>{stx2Y)=h zzqqh#uj0{|YzBDin?R^T0@}J5^;U!%1zG4Ah@Ox01+T2p8t>Hvv<@PYF$S}t_`=E} z*DJwW0`bX*g>2ehzp9W1Q67?b<~}E`J~IlZ0lD|CG2auAfRC!i34gwn^tNN!!>@e6 zoQVifnXor{5xot1YWX4-WF+6-v;!-{#m#BX_%_=$%V+E|e)p{p#D3l_u|pmS03kL4 zsLhN4(dk^f5(SQ8V;!5I7E${xz}kCMW3Qc;$mqM9hMr~z6Td$?!B;Q37;}O9C&JiW z%X^_m99sTE^#!!3yY?#W?F|cmL`P*`C{a0p?K>B3^);!d&Kex6n z$^Q+tR=QYt)(R<&OLv!gb`gt*p7HUQ&z(A%Q*v{etSd7|QJ#>C*o_XP6 z1dn>YwP5s(U(j>^SQY4}@4yj5@{@nTapYIlJ9!_vg78tqj7{hF(Hz4UPk;5|nVo{g zL;TEgwL0k6zEBMu>`k4SkGFsNuK&-agEM}>Oh<3*vZnpwN0)s(`ElJ`g8t!OwF>{e zppzq*x^9^9$iAEB{KeZF11mufcU<{bOxOR%OZRYlnAo>C4(mS0B$D)tU((Upd%H&^ zjbA8U{k0G8x815oVL4n#{^R_w{i5ql$g&IdYP%))i@)gj-q~dQq0GOY|Jri_ss{L; zNtDp-;9vYjdv~E{9d`3-{)*B4|6Jcv@I93KO~EIAW^wgD?&1G_Ou{$dq>Fn1#%uq1 z0{-lOMX4hv>X;z+r=R`F|HtS3|6Az4U+w?17yAE&Ei{LF&HLY806+C$^7wymJ0;u9 zi}R=@%pw3bxM|X#gE64BGx)eHl`uYs{=$p0D|@%5Bv2sN zheu(CW{5FUJhhvjKbe`I2Y~cVUu2322Eju;X9oI?7m?FRvur2)HxxWzzqW|5YV36buh%+ zc#dR84P$u*{@jgId}k&H->t%EtozSD{xe_9pIt4xyV0}pLN;neNyrP~TN1F7OD65x z6q&+jMXO&ugfM-6QEinRaS-XuBJLNk|J2{<|9-`pXv57@HT%$}{6`D;i+&#js@MlL zNbh5_U;g_f+ngG8@nlEdO|tw$gg1-iPAL(G0MH!)@>|cipgcmTp+Vl-rRUi|U0!T8 z+jcYQMzlHzLiM={9OtWs!P9r{MNkwv^c}$bQ@}H~079o&Il#Qto!CWp#jmoAd7&SX z6q48MdoL1;ZHDJNVNMi(nYPj@z%#S)>=^gRYe9=}pl5%-D`wFcZ0Yxszw922p%f=A zEGL+>eS=T=D@mFiMh-(r+t@iLSq7+JC9AG}%Id;7-zV2CAIh(yfjyTHf6YoMJR3Z( zszmzrx!n#w2Ug6{XWUnvhJMM1%ynd@4F>(LAJP!Eg=$H48-8-MU39ZcOw&W3Vy+g(vAaPDr%=PQX zbKW5Mas`-9w>Vs>2HxED6T4a%nr!iZd|l;rWDkKgqhJE{dgDrK)2L1$=&dk_<$h817M-p}N@Ck`}>y0cu{QZi>b|P#c&b*kAbGxx`w?NKSuV>ck{EXn8z?acb8? zYo?D?VU5`q_UqeahMR>$nV(+pM0bA3<(t1n9V~1KF3g|QZ>mrINZ|CI)<4NHsUObt z^(?;n-AxNzA<8VrWU?@^k2J&^!>QvRb-cMXM_7`}6-b!X$oy2%P@nU1jOjFqX#^M? z&cNmSyc+?FDFEwke`vF-x?bsaR|LaJT6Fc?(*4fKy(H7)G4*vnh_z5O$bq;JZwQF< z2q2Mzobgudn1df%nwnY^dJCDzygu@#aFi?7T7w#Qga~wC4^D2BUb6H`8#(~kf1mbd z@s+-}XE90%9G~lVhu{dtm`~3!2b_fabOk~}vdc)Bfb|_$a+XWRuVNTX=SC6CvGUT& zTwYg0$Epz5eTcY%^YNC|HXLW>DqG)tinwWFMn5Rz((?+ULLr=SM_x;$DDCK0M z!U_Ge^5Kwz{ry}VqC=ARK=FoxWpleU$Sf4&Ak2jQ46$^e8*#cELBx0-nMlIH+bk`M zMI^QnQS!LMNYey88kYIN=yVUHE4F~^ZEM!CEy&fAldaBb0Ny;`^8m;ZR~==3#jTO| z;LIsJXp|Ipjp2oS)@;3iNJUT54D@+8A^W;dga#;UFY6Le-i^El?gpKwaDrG#t^N?s z=ngq8#*_X)@kXcBj$oBcbARPj12Vx)KMqjqR}{AH!sKP3cl*KZZ?R8h=Z(=$e2D=qwwo9RZW9bqY2;Or{2=TRW2CODaks+`wEHt zGl!6^(yTC*RyagPv~eSFtR`K_XD+ZOck!6KdKLYLZJ5+5NO-3G>4c;UjM1pNPDj`+ z2=!_amW|_V4U)0>r49x>q9+t`a&v9I-Z+4oio`b`_Hmvwip#D0?c{W^G+$m}Mpmvn zIHjKJo~zjaS|FS6aekDUO(xBDiY;5qy;PwRA})qFGR(H-^ges7N&Bul3JD~1oyJEf zMqH>w;(^uVPE*3nvlA-eT$RM!$(HpQ)48cot0o?3Li*iG7U7fipXlQ1(U?VW$3wXZ zli9p+`Gx=ZL?d+EQ5Z8XA*nTsCFpyrs2hkKr$<*zOG#rhm_;V8#nmGOP2lvyS|+Ef z#!rKx@L;-zKiJP#En$~@&r2rPuXLHB)}kC=a~&*s@D4(d2+S>hZrTrlQ$0i4CLOBh zklSl$avc>k(6M1CU2DRRof{z`;zCbf;Q4yN?L@ZUJ1_8GwVcOqyRes2>n$_yfp{;v zSJvafRK&+C7rz0~NX#x-5F8QT7UIyfIS}-nio6r^U!_BG?LM?JmdonFx{P~Vv2>_~ zyYchB^8wm(;A2@=4QywlK)D6OQ0eu7bMVkhdTy#4DO7J8w&ShTat|L$*-qJgwD_2< z=EII~8y8K}@Tb4+M%_wIB^gK_?Y93AcdE%_`A_x4=e`$b>NZZk7~5{-1P%k9k)^7kRXf&<>>X=ZM{m~mzb-& zs27|iXDBfAM;N~&;9NTXe*MYRzmBTE)B7^OX48>C_HfD7-moIx<#?!j{5#OW3H3D@ zC1k&TGa~~~0~qmVnTSdwS#B$O$Mz-HCo24JMBY&I4y5)h0u|v_c)INVuD-|H1)omU zeS2yg2uy+tIM(m`TKFX$2d>t$H9Xr5NoldZAgm*>$wDQBo>dlM`!4|gq4i;pXu3?x zZ|zdbLjumB77PQgPyAWjYam-4K!O|j3mL$Lai-U$nbrFl7Mxt3|77Tp=K&Jc@nM#f<5L&XZ884R)O+lw<@qn7e zU5V< zfZX(JG$g6;gtpK6)NMsgHnQ7p`mLR!)+?;StPq;X; z?#3ONNpKHk7c_r@n}YlGBn@oec?i9C`BF;v@}egDmH4xecX#HvI1oc4!hBd;VOtOA zTjquU)FG^S2f6d;F{hC0C*xG&VKB4(QI?IpQBnBq;lbUJ@&EeskA45%_o^q7YsUXF zej^X`Vk9zq5rP$5VYdG9rrM!+g=EaW`^;s?=&zJ%pll!2@0K3pq`{tDGZkTOC!vqc z*H3E4j0|>sEn_qYIy-zgv9~Jjx`qpw*|yU8DMinjMa=wRbE zh-Lrs>Y!&Ofgz^^qAD)%;B|Y3)cwe8IYJcO(zFqJL_`V>X!7he>4=lt z2b=CqaP7JMql?l=`mHv!Z$`H$`mpa@S5Q~sUN!NFCvAI&WA;E&MQW;hoyvs^o@XCI z(qN^f3k!PoPcI;*og-+!3xL{k6kfYg(eJWHZCM|3O8Zo(iVmI=lYmh-e{4+OU^j4) zbm0FQDkt{{I_LFI!NaF-_*U#zaO}1@f%)#`2*9s&R~N2A;7)t*>> zDv45qS$Egq_82pbx0F2SA-*f|F>3LjS6{B}F5$oUxFI+F&^<1vGyKN{&i(tv)%>GY z<~ee?sRC6vcw#p{uZF4->7=Spkdm%mn}SE?p1;f`ORiUWoC`sFg{ga0dbD_Dt!m?KQQ1%988(RJ@rj}Dlx@& zMFm@i?213TGOsIRx-!NR`nn??U6Vt$DRLZ+y0!Apz=^_C-u$nZ6%az!jD`Q24;diN z?;h-mW#Bgq)o!%f8tnU&(Uy1Z&D=hNyK}u+iu)bLYP{80>vHm|>=lC?e;lsJkP#EX z`eFy+jV`(;F%pcRWc*Q|f6S_2)ity`kLUv}M_klTj{>{wJfZhD1~5`o))ix=(mw5X zQhu5ab-p-tD7Ry0?M8ccSfEgx5GJ-Z%;UP)F$aUo>5YN+lnFC?oIcGfavD_yV@BmY;~fpZwssK2W8a^y-7SzsTX zm~{B*O*g#8-;W!qD{{-)RW?I==ji^^u{PoN*ETh+aEn}L=480|X1B8zR1(CyRg+|- zE6ejh4CoADTOJ5|XVF?_^P3zEp1`?PYFjsGVMYBnzrTH>+LpdEMo4boa^`I-@3C^PrpImEg$$9SsK$E&`;Q&F!=)d28#7V<6{~{d@xFj(9s?%Rg*H zQjYXOe|fMcd?qhnIVr5ijnttjom1Mm0wq)Z;2Y%?4@3@eO?9;-_)&kiC^eT@TK0ZF z`?(p@YlO`VVRB_o3JVAgJbe85E(XkoY4!`QQ)VmkCo?Dt#8;2L`oaB&3oZ?)ijE|% zEpK2-`E`c)mNNXFE(+cqYZr(Y>GkvoL(+-Dg@5Oi8o&a&;MJnld;BI#fLZfP<)%hY zDaZDCv{F*XzEPHvBPMz+axNv^^5jbM7`(MHv9`W$r7Y+Ed}WrOQ5v&ZR2}G7WnBAQ ziIr*f_ue>ZACJR?JROd%UP-&wSF2~WD|W6<$7#F3p!4GCS#&QC^qa|}Qpj)f+3~s4K`S;V; z&OKN4zAVjBl*pRrf&WJ<%_hyX=eyKH&-{@s)m5j2zRP$kzi*wQeKy}M&bLDIDqdM` z8yA|E+bW%d^*h6BmSt10sEW33VVN6y>*kfV|K4^ieu3_rpBUkjI9D|e^<=nj&}d>K z1>5+2Ro?Z!jrTU_=aj!jhII%^>tXBUTX`>XrLLNE-r-N3F%a=?+;FI#GSF`=mM2y( z=2QjHlid|%(EfEY&7H*!J}ZZLSrDrCbNLWzB))4Ma|D5aRPsxKJ=W`d;dB68fD!fo zr2Ex&SR^$?zLISk%I$r0JW_z*KbO?8XCbJ=Y)j|k0OJ_N)U?wzKdLU;>AP>lO26pE z@m#mcj!QTr?;A80l6$0H_m;wXRfpe}!+l!SY z@02kI&E-o+TEujWoO`AJZc=?8Jri;0^bVObW$n_yBsq!S=Yk&ZaKC#VxnjeoPl+Zg z9ieTlTd)yr`DjDE^}AnsheY4jY?U6?HLd9J^9!f@FmGxSZ;Dv4RQri6Dtd)o(1L4*3%!WE;tmnDY=Lc&Ui-;)YwX64Ex>+ zxWxK6dIZp{Zur*Q%h%!qqGx56R!vJIA-qsWj_U(mhBPzG@He4UnmC<)XFA*>wo#<4 zi_2|KeL}*HX84V@o2JI)Z$4SE=3UJU&fKiU2T>cn7;Yh0vEp=TmyP=<&L5trWv@DMjF?GP|aQhn!vt)cu?WRq?5Yip>d@aMMj&^91 zJ+LLz))b+$qp>J4OI&R*>VhTXnOOh6M#o_P7=+zdj;HXc0TASU1mz{IEHyuS7 zj)ZJ_jGK3{{8HgibjQ9vp-=Wk$rNMS@gvxStMdjlqftJc@^p6-JI!rvCnXTg(L(%v zqXJ9E4mg^`t_;<+Umx>ytktPR=lg^u@jqtJwpN&icagu-ZM?Wi&+o~yx&))seQ4w9 zO&O`NOZ?^}8_Z5$Y5y&DkpQA-+n)>m)lx;?MA(aY`(#RNBOEqBVC z-blvgOm8KHy60In+ONvB+bevfbu&{Wn&Ncuy6TC8aiS|S&2hFh{WJfVji>W?j;a^8 zUiRk_4#tEGi^sd7DCpp=j+TtdXt!5pP0Yiq=(6F`Norz~DD!EC*L`Xk>*{i!dk6!w zP|$6WT464egB{Y2*5qs}Pg^5Ug9)o@a!F13qWIa#Z*rf^)CaXdT1{h;$t(Sx(w?Io zA7-oT-#hlWq`u79taaPLpms^iK$#f7(#~s!cs?n{tJF&3Pt4Ue4Y@bebrLK4=RKbd z@t6qkn(?ZqVKo@yQ38D(c|%82+rrEF&1@`MUsoLvsW$P+E%K@*-OQVz*!bZT_-W#K zc#2%g?f5ADCj1!V)>t8Nd#;isCqlIp-I=0HOeIrP-q(3imxu1w5(`68hn5XH3k#S( z6Wynr)SGmuk7XhqPHC!pzm1-;EnT?VN}AjPNW0DNFKNaSL6f3^v9TA+2%xLU(?;Bu zLKfWfjYng9Qdaev{(di`e&&)p&#TxS4;+JbRB$|vIOM6;`S4p@X1ZzLywYH|Zi`Ti zs;#Rv{|r9yNR>L>Vs^5_CuVA9<8H3a-Jv?3Uv)Bjw$DDlkaJ}2APv(utY>nts&kp>UHZUDJA*8JN0f5eiN87AI zVVE5xdQp2gZj%wPv$T^o8K;~3>=J?_KLs+Z0M0b`UB^iOYIGNw+g86x_VHWk zE+F7}YHo#1(brdrSsmur9Xf?DT0L;)Hr`Ir%dOk93bIPk2q&Fjg@h7&m{iw-l%YPk zVynvkJIEbMHT=2_F4mpkJ0W?>PRNY#f=l)zDxz_6>pHPHN#McVYUkc?#T^SW? zeJW2IZ!(#GcAn;)VWU-eJMCNuLOnJs)yN%Dry1E@(f#ZEs-yo0_TdQxTM-WZ8l-K< z0bWz;=+V#GP3(DESj`qe$grs;utq9$ zd>WEeqAw?U1&e5z`g6UWO)RAkauBg>O46jnOfPb=Pk?pd;lN0hGXLO2!$JJ#wLE9GZJ2vR6 zeP5us(Z_S@sd<`V)t32r*D-VWpz;sk>=1Q@LYN7XQOB|0aFrLr3)YW*ZGCjJkT5jj z!CPxa?}-U7dS=GMA<8(dN=F&H0bQLM|B#--Ty6z76Yaj0Ead>1nU#A|aQr7hkR`*0(-|Sw+6(hIvps z>7@EhR_MEUyUdx;d~V71P>TMXPa9K9#MbvF*$(g;yuUV51u&&h>cu)ofx)tqw+)8z zIVp4Qj<##3Emn{D=*}9LXKXl8I9AA4M5iuY449u8Oj(ED&@CmA@gQHQ8kg(Je>_lr zES5>}is=3_{=*!@P96!j+RG zQTk)9%|AzX0HUhaaFjB=xP2_jBW_ecRd35)HvZYta-OXHATDRJ?25JL=;|tt5Q2wg{0@Jex%h}CMBdd@4L8gE={V;)mEy% zRy3Hnldmn7N%CMh(kZCQBqvQ9`c`|pcqQbn;et!N83CJOtYMNOTVB*N)GT6GZWNYg zQXjX>*7=9;7EvohM-|;*b*8Y;>b-S8qw!)!WNRmxLt7?IdWlF)7%q+6m3_&EPH%Q2 zVHy6nsaLCLOQ7;0V<>pDBN#J+?-REhR$B391r#o?5!ZcDyQ1oKjp-R)hp12FTi*;> zOE+c4mGrxDu*hzH>!pJ~p9-kgF-=QQ9jT>B~&_ z==I%ZP%UKDu{ET?Y{KuY9P4zg>iin7`gK%BqCnM!)~JZS3uh_PD*b}YyP5XRS{orIzK%lJiT{Kar!GU~#BXB#Sl`753Sjmt1#S zcwipI<2Qs1i>h{%!V>w~{aw0k{rjsw*`}sfn16y|D3Zs#kCj*Y?la9RS?My8@M9A2 zrY6Mf9lfk8 zpO+p73g)|VnWYk4bxny)qc1Ql?RB9}Fl{x_Or0t8v*>-#nCxv9S)A-DNW7L~Vm2w5 z)OUBJv_z+@snFQ8+d1`Bk&SPySphlEy5?1llE}t0`IXeN1g_`z+mC16V`W`g?M2>vv^&P@FKuiY^(09d(+F~ z7Lf)kU;90bY*K~E+uie?T?6L9~ZPTM5_^C5^X}fu4}u7?sy^OVpuz)KfiP)vQEB*yH7^J!H&h~3fGdf#WeSs z!GNU1nv^l=!BtIW&z*Uxkev3S{LfcmQkkFDhH{pqlw%hg?}K;oaHSzdr+EFmgCXBk zECdzzu8n-A%MdcE6IaWly%hZ=3lmuj9kEq&DBgfcylhChmj)NJ!NMaERj1AusG)c0sGy?esk2#YT)d zW0&UXRAUVpB0bB*xa}S0_IUYPp2zPNi7X#s^aCKB;Jz0D$@t^|doR8A`X0O|`+&`O z%4=Swxh)&XS*;*H(aBU-%%(ZtJ?d?72cxn_7jquVe2QYNA5A=SgKrVW9%YI_W@@;8 z+tb50lF&Do?Rr|D*_UBJ0yyodl0n5DaFa1T;$&f&lvvR4-W)%r*x*ua%01aW!lfh3 z*!m_n{xEST&mx^=wE-(W{n|pQzt5k6nb(Li@igJu0spiJGE{n8*NCgGQXpF;Z^B?J z_1qOMJT@yM^v|s|!=P;+`!C^^I(y$790PH}c{pYG{WDp1zX&*=+%CH1CtCw!%OcTJRy(YPXYv?M zq$7C|(S@vk-A#*j3BDs6+44fqm3}8|5>jf(JQ;FMa=00*Psi0-4b6^iL2NVL9;@?& zoaUPMUi22Bkhpw=FfF^klxv+*)z0J-YdhH$#44&^?si1TkE7~J)N^XeP>i;Blm7CP z)!x{sanpVc8j3`6d}`6}W`8x6VW?Zc_0A@bl0jyRq)O_m! zjP(@Zwq2&hq-1#sxrk`0|K91yYKQM9t5rRp4$FPG)i^!43s$?Di1Q9A!@?pIys_^gZ%4M@zvX5q@~lJb3D@=i4T8(B)@X_Pq0hd)k#Qtz}U0Hg2t z7~7wt6==UA33_|H;|Y#?4htUA-g?(Zay?Jabtark?@{U;? z<-Ruihrp{XopgswE}4EQXWE|JI8y33Chmfjm8K*dloj8E5%t&w>9WUlY@KZJVFef| z8Qg>hE=0FQ@*+zDZNj9M_VC*vN4j!-Y4DMdX;w#zn6GBdt(V=uFI)!v%zV19%^`P*ED@k?UUFdTBr9^p(?unqA+%wCYY|{aef24+XHN}W&b1S)==s#kQ zs-+bY>l^#BOxfmYiP>7)>&;?;?> z9$Yremt_PKytP$PF^Sv;DRGP>+QISXy>l_8SV?~CExFqNzR*=_iTeChmUUD1eqTOR zNWzZ4?7Zk1Y$9EJHPGkOA7c?)8?4OK5e)^0y9K2C{1%j+58|6kxmDpc7P+2B{iQ$Q z!z5Q8IsJ*pte{!jjAZ3cOEgyJv27SESm>K^*3k+`&vRvMk4G}Iq0~2F=00@jiB?Q(gr93!-LG})Vj)heCX)p_d&0D($KC! zO8KjmCp}y_p_dxB%bR>(!dFznO@2}+QJ?f&AMEUHvteeVFIDp(VDN*H~uJ+xU~*KW=l!Gv3U0*r#qy106X$cteNSzn6~97YkCP z2R60Kw`3bd^7So@o7N2m=P)b_uBc%t`TpuRY%_(SCc)_MY{ZJ5HySRnnC+p}oiJ)! zx$BUtk&Pu@TGn}(cX(3&3O@6@MWnRTsIt(wfPR?LWXQCRqqkw>MD>*XYAUbIhQ+Dq z0~qI^PT5h=C#pode?v)cEJU(r*Im9$XsQ4_C3O&P_1N*ynT7He$Epmgr)*Zyx%U@J zzHt=>{8N0HJgf~q=|gwIG^I(Gs&Vo|9eua)_T{l+V@lrE z!)n)Zj_7jFxbQE9Te40X93zM>eeb(A>hI8%h+4Z8W|-9wU=ksUjT%boD;oDSAO-Ni zOk}gw!6Ajz$En__8i4N-aghtI@!_7)|2~2*$7Zjbr28v7JzS6_Np9AaD;&U1Y*oFQ z@#9{a+Y&76+$b1ps8ev7lGJy~dFB2tLu6gBS4??(z#&ugF1?X3t&DM+HOxMNZoruD zboE1fsACtSJoGM0ApG@1%EzdL_;o4jq=8kvE;>-K^T5}e2xoTo^=@4HV;N~b9f_0| zS9A>dCR3Gg`taj#Bhx0k%`}yNWa^4e->$vhyS^!F6#JxV|=5-E1Y>1 ztjumV``D!?R`s!|vL+z(KxHueG}EUI6U=zZa9ubs0N$q)X;*jV=1>^X3uOBq()Iqe z4Fzv_`?oU%lf`uQ?su7J=Cq?%&6U*xtUP`gYn8wZeXW2OQyMAk(JDv6ckJY7n!$hehUg=C) z)4&db7)|Nh`qITU0+!F=h5q2TV3*D`Z_Ch<8y~nCV5J`AJaNE3E+Hz30?B@#xL{@-DwcLRXn^hSvBVO z_`5!9M1Q-Bf*ek{##$z5@xzFoGGM6=)-0l{5A9PYCMy?bfGs`0BYJoWXc%Sxzp@rFm6-LVU)qWN; zPCfz3WAy&t@m>ZO$5Y+^_I~}%-yvz245x3{;iV|i?c5e&t{{%B?b*6xf#2v|MJ*Ag zVE*t~=;Jo^L_5KAt8#ww@T6^{NV?P0ndgfFbcc(G!Ew*)f3+!7z6Yg9Cu(}n)Sxpp zGX{|X)VJJv&$O63+XHr)lno@Tw426Y$Zrrk)7S!h&ElZ zu9x!w|M5kw?<&i~t8yrp@mI>ZHY)dby2>KeMpJvA-@m^@v+LHNRW1Q%GnVvw6#Iv+ zX6*G4<0uz`h&2k!d2`iKZh*~u-|)bv#d0pO-zd!nY*KfQ50=AG&{M# z>X=B#kZ>5b*QU@^<`V*9lN zTXeg5Z=UVW8R@WE&0OESFaZ}^$qc5>W3>*2WoPuZMSl+&abVT+onmhg9v<&czP;zO z8`K9rs=TTphC^GtVw@BM^Hq&?dUlywj`5iWZ$ZbEmPdsYtVN_&cGi*uo`I>I@#MGq zjiFLB6V9b4(?Ya};#(T__BS~~z1$_FOp7lVGxaXJnz@XJ9=7ErW$;a4iMN$^l#9a= z!In2v&Q$vz!&cX}RXxijXS3?(<8Z#;JXdSB(oE8H}P{17O>X|Yn{=l79_@I z-O~oc{Q4T3gt`8{8})O^q&qalNgwOME?cY)zrSa-_hjM9$BRRd-Oe*)=iS43AJZ0X9SV%vnS1&dUPHdcXv3w z<65F_HYV8b?KF9rcBM1=RMFU}4d_%XB41(5O3Bp8(wgBHuaf#?<`UM1iC6uW?zSGE zSbpXjb_9P0aoP9&` z{MJ%}EyoMz4wssFpOvpX=f@n_`B}e7+=UCupJ|eyJwNbaKWu9FmTy)DQ0 z`Ii4#;m-^dH~#h&u4CM?*^^(wLiky-i;t36x1^5fEaj6+_m@tTEMMfxW;`2e&cs>| zB;FW5H*j>4Gv3R2)<1{-@%6&d)s{_Oc5-!St|$j^mAvECy3HdEaxKR0-w)leNb}PW zf}DNRhH4V=tC=KVZn3O#0jLp-43cOBs`Njyi)W%KehL^ne*+`DHNG&{%SSNZ zB56#i0fzcU#4KM+>2Z;ZA%Z_JjRv}OK=7sp&19Ujf4Z-sD6R*^$92qNCo0kHEFKCX zPb|-yC6hJjqCAC&=Zg$cVR|Ay`day@^H_zn{5G4tzLR%L)37a|9CJEbqOC`aE_FH% zD+W3hl(2*()R)#Mzo6zmvoczQvZ!+`NMy|P#)gt_yR9+lHxj>7-262tjYK3DT22kE zWvbZ9rT#Cf-aDS{{f+-Vr{}az2RgJiZ5?VWwP#y3O4Z)0q_HAZdxkEwX6;RFB1Dkb zv{bbAOh}Al1~F;{iEw|M^Znhw`~JtD9`W(X`+8s3^?E&Df%}?+D5rXVqug&>VZ~bw zmAZTjlDWIFZ50Qr_5WUfLX)nl)*n+jg!ASZWv;Ymx$JRO6MHz22W+aleGm9o%?O>O zec+TzNB@)^1ujAbTi5qvn@?7=(!CyS?5s3YmeD_sZS;!9<7GDa9aMD(8muUl>k0$;wmK^I`Jq^ zg?a2X4qNK!`*Gz!gWLAQZUw!vrymjbS`oML5s;YtezT8$gm5@C7hKnsiY3waORL{K zO}Thd_`sv6{Q`LF6Txo61?x9obmZn<*)IRG6ENE8s8)}AVa{1FdO$Vag(fMapfAWM;xKfz(|1^GA*&L`OS|_>5m6Uimw^QP%;N18%48;30|Qr$mN0oFpwXdL zxXPAYT_-`<{2Evwr%+HBlmw89(Lc3MygVkpJnEg)WS)!uRXyxvF>F-x_LN>t3Oamj zF?bG=AJ^aUCCvacFLEqDcyd#}zc)y-JYv>Qsfow!BIZ$MycW?YSCiDjh!Pg4%)*pI ztR&i?2H0`&d!_fwyv9l`c{4xcPf0S7gm{*2r~&#wX%170aQr{@bCGj_mCD7fVIN|x zIwIVg+R!jgpS-%j8&F+d!LjRO+Zp>tFkGQF=8@^Ay zKM`yJ3_dD5$XG0BYs0d8cKL?PZ0MhJ3l~qVGGd@E@et7vT>0;sX4N?gOHlS0 znA|g-w&nY-2VP$W zakL76EdF=7xW24Gt{fFkGwY8ACz;;55)X3_-ecNYK2=e!LR#}FX^9hUFB=C)G*nJIrSuRXAOx*UB{epN zDD^>%6yZyC^S%}VFy6wCW`C(74;Qbc_IEUejc-#S)=Mjht9-L*H$8B5I(U2B1M!wq zp_yv+!Tb7L6>V^ib_Bg{)N%RKhKhCf14QAtU#DWvFZ$C)hzw4~OppG)H8NuGn+2(T zI-;GaW4An$RIZY1xd6Y10yE{16gM4)Xpi!k826`Y?}&Co*vGH611d;A)Z>W^i$igl zEjEZfR1w4OJfBP+L*DICx%yDYi69D-HXj& zbh})v#3;EbQ;C3EHZg2MMXhIBscRWA#w5o$7s{AF9+rZ61n zI%p5mT2MzEghU~YGKe0vQ$sv_dCNgP#*zd;I+wC$+Pe{*hj;sT;1ZH{m3&;eY-<#A zCP)cGI9`GBXbtKF;&=4%FDvi#d9P(M?`8*KoR>!3rp*vb8@yFGbk#u-rauM)+8y3s z90xvOzx&q9t^O3n6=S8}(e=oKywj8WSZ`Haa}X_?nXIxdchO-wSA{{ucZhWXxL#cD zhA2eLH96cHKFKKERqeBmBok(H=!z&BTqd>zrZVkFkdFCXb# zdfKYf2y#gS|CgiiHt4)bWNBCs$*y0`d@G`3e{V$Z6u$9B6r$kUviu+dF#i0E5iw(c z!S{M~-fz`G0VF;D?uPDRkm5=&As71Fm%iY19^z*UUgM*qHD!b6fErWhgj%2XDiW|q zzH}>RqOZ3Ebwe3oD2mqkAYW`5J)u$fxMsxp!1-VIi{YcmJPEgzG<5EUk73G~AA1-A zvifDP?d24p4A+^jmAJXbid@IIaUbA~19G-G-%?nH0@sm}v^$^l)emc)hjB}alzG01 z*XnE;c-n!Tb|_@0Nm<^!9+aPRv*UTW`}ykD=P9WzQQ9V)~4}#{*<+*C3rYRKDX;2yc(2!9wgla03&bqD(^4&4j zt!5ml6SEz~{P72;IU?#Qxda-)twIHUTv|aoP8zK8n>K>D21Z-?);}8%n*c8LDCkRF zM9#;fy$Ma}xk#zAMs7sj#DU%K?&5-hIvWv{!r_I#o*Zg@2d->jR^4qVaRpi(<}iAq zq1qgS-G~N3A6%jE+?>gC=jb)15TG9phybHlP-fiIa4FQT8vG}en5(tn85J{&Y? z#_JW5yA`_~mwb1wZ1@mAf0gaSOU>1)_L(0B`0&=?%i;{h?u3+-8|s)DfDCBYpORW( znh@@+xNsP44gF_f0w&w-*i*~b%cCSd~x}`-RDXAsJBqaWR-jpBfKJu_-^ z2^Ck{dM_NjU_mS^F-(G$mosJUa(osM57x)Ge!*Sk^Dyj}g~AX675|P!Dpo@sIcHog zv$`uNRxzfpuJr0z4xV4)rTZfDH?r@Da!%HGA|PT@p%ZULAEz}ROgKM0e756R_Q#!O zBt^k+lL}a2t#xpc)lIR$916Kc)OF{c}~i4MHw z*R+v6peDi#fP@o+Q#P#~N@Y~zEDi`xBu-dRZ3OPilvbh@e))VSGxF?8VCl30k{83( ze&4L!WZ1{KhOb@@>#n)j`|c#0xgPJ*>Vfcz8Zj+zL#k}zDf0N;mf=tn;Xfvv69B@B-PUBcq_F`y2*k1be;boPHX14j5$s;LgaM zHVDtc`z6=^rNmO{L<`NZICy&>iBOy2ynudGv!ywn5X+2;%bTzDYie`1jhoGlpisxX z_Rj zhbqgejoEEz16OjX+QCQD&1>c6(J9VM52&3acjV+Fd8fS}x5yZh|OB%=X=oE9I zwD^w+yy%U)COjqz9igD&g^~fnPLK9nXk@#-!cuagR{)OYUU{Q!Aq=onC6+l(gF3zW zkao|BwE}32x=BH&RM=tn#YAqAlhWts+%xp>(afkGQPnoD&R<**r)HmE{j&OX?g|^h z8(H{TU!F|!ewBeL4`LMXnxHoM2zff+aNVx$HSb{dNb+}#LJb~>sp53B?Uo&A*=8eI z#B6amrf997BnQVu><3%PB30ZQLqZTCPZ0D$C7|9}sAc+}j_k}eE2EQk?_`@-4K&!$ z?su7&_ifZ$zH*6Ahy$xEmH%oaXe*8D?8BERU4sy`axL^8`!Xvir#)qczbnY>d(D2g zFm_1Q*oO&E)gMf@dasy((Y{g? z0Jg3?DQ@N2Qfq&Y=LNvJ;olkpFAqZ6V|)?LQ{COZ^BTI5bN-POYw8GpZJ4R|m0JAE z{~;#P7sm*X><=8V`TU*26^M~B9{`Rc_~7K*dxm?X(HRAONBhrh01hevu~xr-IvLCy z0FBz&4C8rNKEil=WSh1NJE+f}4PS^p5djnp*FLgCiN^HuHx5{F9l=L*=rbOy0+ZCAAy6n`>YzaHCAHd%WuH^)4`0X1;QpHI z&^uOGl~H;jmxQ0he(d>G`)TEN?r?U{TKO=?S!!2Du3lW^nVt}+N zXLygl@%A0ZskzfX?&yX%fsxOKeGIb9oXijw*K+CW&aCl&tNA>wokwD%Inb?>0(plI z+Tn~wmQl;hr@xpBW!hCYT=g#p>4#-FHfK0fB2&EA>E-Jg9piTee}2k%mpt$9_ER7$ z+FB>9R}i0h@jfj+@ad(sG3Qmz^wsgM670C&(8{Eq!+#<&$G?Jj$ zSezLihz_ZIU8+jJwa-6tngpU^)N{CAPBWo`mp~kmO>HBof#`)vO-u$J(1e~Uh0I;H z7u;-J61 znpof955S7W28&tz2nb>(FC-C1PiTMzn>mru7|3=cveb`hx!Cb%qI&fAX6?EYZ%W@Y zaRS7|wey&f9Pa1L8D8jlyE<*vC{W(|eT^0sRy-260nt#dQNKASq#vlWt%O$INr=BP zIUnq)L=3T+AX>B#c2GN$B@R*dS?o#>{+cC5mS?$tP!r&teWAv;5W16;Cz^{!2mH7N z?X209>MEf)JD3M2Ld8WwdlQAavW}o(CgU1NPmrR(fb7o1Kik6OmtcXEt=a zt&(8hg}xI1h28bf`em8TArqZEw{n)u_mhSv8l_?xO)hYzRYzLBcNpfXmPpsXMb7L%+w}P9Suk8$o;M~(KVz(Xj8gOA^F7-gB zEA?L3dD&-GQyYG&R+$_T03WuYvM$~On~oGdM|Rmx{It;k{y}|eyGP28i#0u=QA&MV z<{v28;Z@%NVs2$sD<3`D-ul&*yK>u_enSEXz`D3i>f5gmCD%vI+Aas$|9Z#DvgL|M z777&&)r!WwEePC>wpSia?V|ab$4h#xoqk4(k@4v}2*!JaR>DL+1SF}dUNsqc<1yvY zmyYN&nY+&`JEp&_Uq-&XT%QuL&*R3@Xf`g?hi+aK^Y4x;V8`22-L#dejQhJn*NgVZ>7a!0l! z?pueqI9=tHpXuZY{*C zwe8u&PC4}$cN*tW$L7%iarF(7rKxQT<$**cIejT_TQhyj&{pat35>5zYUhI-y% z?TUdJ2(!-kOyc3mgn7>B50)3K-(2zw_q1Fq~O4)6^vU7 zDP_Q_ndhtsLhLq}`G@b{Yejm0QB==wUtjRRt=^@YIlT-l8*eL}R1R!nMcVRLDLe^q=Hj141?# z-CAoI{wVCMdB2p|@=-JLs{DH#@*6{#fJb za8dJ#qitWCbP{hi?wpIXksn;6)TKrOqy<^sf2tp3G*mJ&W}&vX&OR8RxmI*oi7`%+ z^P7`VO|H4a>8xk8Vo)z|rTB{r;J9W|d{P`tN;6%M;Nl)B~1HwDh$$g>bk zH_om_E~f~q7-X_YNEBk=eG`n+j;3IDUT{iwK=G{jyo<4U$~p5cAi{-G5w%=)P?`7} z$|w+N{HvlRF6zjg$`WS1S^SsT$r%+Qkl<7HI7ue+;j7Fiud-eU?PiQ9uNlU}uZWvA zB*7AjMmB~RjEoGO+#B(`!u;BpsfsE<+9Zb(8&eUgu9JH1!-}MQiP9FA1#v>BHOS4r*GB9=>q<$_iu*KH%Z&vUHF#xid|Qu{^&Dp>GJmX0 z{#-trECkV76iB_3Qg{{={2&T8QXR3}KXjndlb(i1s@XoYEiKawjOk9y;^>8ma7e57k2{gy&4X?E)yLR9 z&A477V)AFrgb<;<+D{)MD%Regr7W;#&{fUHPoa59O&o>sPiY7?CqkI{&*}2Vl0wX} zPKccw^msh#<$0)dStfJf)B+Fd`#~f@ROEb!5la!pKB`%|o=>4RnoDY7^@rMeNa}pf zGMJ-9R`&b*d{^vL4KeL+!!O;VXSL(W~Z$Wa!^IK7c~_~ayra`WIz6ApaE z8n@|}BIYO0!&h$$&ZTC3j+`QjVlgd6kiZb88@^uOAq}l3t5qI+7 zRYG>q7})^qc1lk^*0ZU!Q3wsCR@Oabe{IeOzM%Mb0?bq<%#^dhn4SJ0@95ba6lhgn zAB#kHPkar1t(C=6H1wrMTcJhOt}rN#gLsQ6!+Kk=+YSoN#LBj#FA8zbw$Y}y#487P z25T#GtX{cy7FJ~4@f}G5X9dIq#ZRVGMj#8d3>#HulY0J?t`nv|Y{x7_bPXY%h>H|L zXJa>g*pO~jHdABz*tY4o1L$l4Izn;OQ~{b{&jT7R{!v&{HxUf5#vmKtbo#ftj-K|0 z=}Z#TU+w)+>xEvSrEjdTZJz-JcHTD{1|oYtBpZ_7ztqD5)lP^@<=``o@L?3MXUco; z6w&dA_355_%#rXBaXg^sJ800gUzeM+;`m@gKWoRv`;MP`Y87Yk7Q{y6eDoRT>O_z- zSFS|I=m?II{7xS8f?Od$R@fl>kHF&$wSI^i}|CmZ6IvZKcy2|iK*jlU{O7-yg(WKj7ewU-OV&b+#2 zm6vPD58@S7k^2)hzc^U+4CA3K#?8(O;z?Rf2vX3vC$i-!vAqoz+A~G=PeI5pPt>|? zc5M!#XctH82z0ccec)OZaC`Z;<~_JZLA)bq!R|M2D8kqol#m9++4@^TS76#reKEt> zI5e|lY}lyQU*o0it9l+i_Qo{6^B^F;2FSyO#GxgoF|#_aXHoU|hWq^@gR^#^0U<&{ z`m0KZNfk07=>-`D+0 zZ)C7*3$5o`xtiT7GOE7SUd|~=DMt+uzAbe6);Dk7?;oWb4-u~_PzYedbTc3yd-6@46R(2%A{j-?%&06sXq2msps!k^B zR)6IrKb2vJ9#UlOR#BI(W!);2zIOLU${$wzFDP$dnPy~h7>-o`r$^VLOV{_$%L=U| zo%>q$r$G`)&vo^N_}0T0I_D@Aw=dyCRi?3gJn1+UF`rOCRmiL#MjgF;&u9P?+csk6 z49_KgvKDjd^83<*6kf9Ok^pCBK8%Sh^3hKU_v|o8(zd!i++jx4`?kZ!p)^#NHMg+4 z2R|POsk>bdWQR>!H`+#v*=c4I>lRFp3|X0xd&C-3Y$w*CoF&Qz;5%tZv&{Mwlmu8f zCOBrhNFVX@C!nsZwH=SLY84K5G$m^TaaG^m-z+QZ8yCv|=n!OA!O|^wMJPO@r%q_p z4b;@be-X zJI82x!9NUYhu^-mW3W;=HE~Z}`)M-=ZNE~GA>ie!X2gK_X|3Yzp){YhXH**q7cs#orM$b`RrZ@9DZG-CErPhO8xS z>Q(#r+IZK*^PmRUvMN?kO;VMTiMeT4^LRQyos%w8rF8tOGrFuSC-vNK^q(ugRby4H zUO?UCF6j%@eGj~Keo`RR2*aay+@OAJ>#w(4T3%TdluKPm8I;{L{&20c7Nj%{F+Nym zZUQhfIjvZ3^_Q19Lpg(u)rwIi)DMCSCO`XpeTOMo>eyJF_+_rbcd9?_6a|q-4(w=W z*-+b_SrcEec$es~FbWW|8gDo+aILj~G0$_fbms{)jcT#qZQJdUxe#@U`u*A5lj06X z2RU1_{z$a8X4O#5*2F(RMwIxwGNtva+~r8oq~GV$4L38XqfL!Bk6I0rH%XDh^6b=FeW?)d_tSXJnX5)V*v>Rk6~n9GxLMVpJdYbDqr&mp3+a3xSb ztt9ZiPj(_T?S!YfmB$D(+JHHlmL70lh@AS7r)ZpVYL;M3{gynYR`Ky~7;foc2(>a6 zI3@svQkSH{N>VFT7P0w9=Gbq$GZq_V&RoXr(&osc40$;|jbWq5wk3Z~wLyCIrziN@ zk}x++$#KK2twBFvI5qudYD1Gkzbx&6GO2=EBqmm`C*?7{iz3yHG%zK6qE$z2#h9Lq z23_xr#=}pfRgq04pmsz>%6JQ_7ID5P-M^Y=Uw&V5ww2HSf zm$p(v_t56)7<@k2SvK2eqenGK1!jlA@cV;$YcF+jWVNd=e~hS#os{246aSck>+40% z`P}a3u`-{2)y&#m%RSV6x!|2@v8}hB5kjI+<&%~ACrw`CI;_YkBCn=C;~-VZbF;R) z6B74Rgl=4AeI>zpLz(Jjkl2NAm_b)hV1wpoK&s`+r?HOpJxQqs}gT^a|B2Eb1~zJ^M&o#W?XmO zFIje3^PtI-I)yu$`?j=iwDdC{^|B0XtO>d84yx#Jj3Isw{IsIgB3tQNx}?AHmSrz6 z*3wbA$!1hOrIqMx--MqaLToHj#gV~wM{*iU*GCaBVM3BW5V5vcU*|C!`uX1G#<04O zwVRPDI~{F4801cm^+QStoJM3rs%xT-*OZpWn{m=;TO1UBf4?e?OVW%ArNYiC%puTH%6L=EFM0CQ(2}-b-*~B83o?|@Qnu&QrVD-& z4~p{YJ+CeV0+1=o3+_!cLKrYES?oESr*Rl-W0M`{(puNS--JnL=B!R|nr&*>UsI_t zp^}ORxXLM+SXUMHK->-3*XPcl86b&RLZ^zd)B;2nUone+>hnb9)87PpmEJduXb&DM zwQBXV4(zu-OYT-TN7r0m% z?!FIrZM1nZdrAu{-<>}IlGV&7R79|g212Y-ZfJ#Of+h3y2=crAwbjPHT zf?05wt0KDEUC#=MZm@NRC#OvWO)W+qBZ*(CE`9_ksKhQ!qO_`2_UIRz%MR4}1zVl&T z8=0E*P7x&r(^LQfXHLgkw#b^!qixG^QwF7o^fM~%F4^$baI{sx(BqaErUsX}JDGbB zp(f-npTma?CTHzXhQ|D1ZdK-2ZlXy_VIB7h2N1vxSEK+zfAZ!*`4^|);VWAXEkBvR>HvD=nGlBm-z>vcRTX3v@|pB5Jt~>-b=~#bc2Rskfm+V4d{T*(=;s z^b1xga>sWyuUTe!I*m6|LT~t!afFThA_4XvJ>$4|aliQgiVMuQ=lt4Co)v~iST1PM zo;zNA5Wa{-5r)M*$!lhiSBW<&hb>ylVS5(-wGOyRmBlv2(@13qu{$MP5*uP_DX#}W zpXN<)9+%``cBV)~b6`0LlycfeF9(}A)dzFzwYVcv+nj0Bij7kP3`L<=j_55U6=Z;| z_mp4WkF!|#`HW?Ds7*A3n5cU957(=DM`=Cze$Za(_;_9kg+R4+I&cF;B4SgzDh5@8 z-!wlBe7rYX_02y+ZqJ=Tx*HL%`UIqgDcVnJ7$~GVsXY@u00wcLad-?ch>N?Y3=HB% zfk9lCK_Cu8Qm2#!9sx2^?WM>PS%V`x8FRK?k5S*1hN6Mf{6HJh!DnY!cZ{AxTx-UbJKR>*dW}$v_-8hZqQhzii0mOE*e|a?Hjmd z85cS5E%>Zs*t+oMJdAa!lu}5r3o%D4oFW1*6PO0t|qH@HeJJ}AXF{Q~><&<*F)7=)}mgSjSa~!mH z)6SioE*j|!a5_4lNoOs4G}VK*~E=&FlD=WYPw>Zz771rM~|2Vea=orOxF6Yn@>4&r;W+ z)p60WYexZRJT8!0W~Cit^JHe5$w%z zKqfFWYbD=+^tiKrK4^=J==^)7(HRz zb&cfq`->XXFoLL|l*qLTF*Y5lNPAG*woI{ilhVJm)jSUgQ?QYVh>lDyVyPPlfL5i$ zE6a3ssp}boA&m!@l#;dEm9Yx|QqSVJF483`>*g&aCL}5(_ioHb zAx2%Dk36q-Ec5sK8Q}4L z3%&oSXPTHPM9z#gPT~@NwG}uRydx1qep83-23C}mz6kB3gEOd6Kh3I=!9{cwTNdKh zcdNHfw%FxHM9lQx)8U1Tc#!)G5{>x77#yjrOfpmM@gxX56O+?jHe?SPj1wAE~CR;XS(keT;QzYYJZJ*B50rA5L0!zd9YS!a_^IUmOnMl zm~bd22dc+kD)gAdHS2<@sZY6UK9YHwZ!GWd`@J1Hujxr3qS^E) zX9gIh8L5%x4qE!m1Al%u?)(1?&w6%&wWr*|lU++a?~4>rk}G|G zaE!XCJYRT5`+Qoc9r9}8=V9>DOABXD=3Q^>@~qL)#ay8NWX!Kgb{7Q% zm4@~CUSV-bm=nD42yhmOsH^a-1)|_c-Su7_`Z^EeHZ1 zk9e6c3$!|uV{-%h`3`KEcQzwO_EPDaot1rgs4d3wg{WI> z@v@$YSv~{KK)B5-n%mr~8N$R}M=>!yU&)l#g+{S0N!{L+xV1jatU7kaZlOc+200IAK|LuFe!v0Lnd8exMNR;2G zd?)s79{0Y^)cod^3byM0KmAkGcn;3+5Hem4fsqN{|eeUg&_CLA7n-_tQTd!;TKydTlyveuZbVSSF^*tDn=libS zw~F^ce^YLCZmr`S+JFWBu!{cuY!`1$3#aTw^WY>Pc-B)UAfEkL|KN<6u^j0u)A;4n zMRv3#^(XSm%HZ^@@P|}j#4%HY6qDasGrdS2~m+ZEa7Y9 zC*KB5@2|dPM~i^;msJ+;F#k;1&^D~@JA>=@c2PtG{k&w(jXJK{)5q<*@*0&3{d)zP z&Vsu;rY%z86szd#nQY@}_g|j*gkSebc3+9ZTKM*f3%Vtk9ThZXi|@&DzrkGODvYl= z>8-jLxW8|T6;@2lYRG?jDHmbnBP2L}$Y<*^uB4Y$0^nj@W_(~k<5KLUXKzVTz0|wV zzUE|dyF$vu8NL=Utppx~A8+?`*WAzAbbV`O|0uSn()Y9OC8|%X=A{?PFO`JMDvXDm zkF+DAmeqNw2I9KkXN|s=ya%sFNUI#AlhW%|1xlLN6v0Q9mn`q-)h|l|v%asH&Iv{? z{lylI4=*Q%(eYv2RQDad&fUXGW|I&aadx29jpN3TVITs-^iQJ3qdaqKRSi}BYnmU@ zrN+*kT7W@UChwLMZk}0naVkuie4o7k@S0fq^?Gk2c&e<8f53n33m}e%Y~H~d*Oak% z_)8j(%W&SSI2;02z67>={5901gb-nk!c6tJosZal#V6b;*+rqrbe!f#!A?l+-cp)< zuE@J6&eHuj)uEB@Ct>@qW>IftF}VP%JMb5DId$Esj?I}HcaZtN9n3TPw2DRi8AVU+ znfQ@*)c3++a}kNAm4XoE>sx{KXycw(Nk-eM#LI-x!vaXoo|9!-Rq>kc+PukuyN;~y zHrozjOTJh)9fZNl^4RubVE&C0;}lmhEo|JK-ubXea9YarE0{+NYQ<}?PzX#;H-s%= zC3hsS<%4LQS2hD1E5lm6Ibn^;Rc}`>FZ$W3EiIxqQ>oSzqWY%DuD{S$|7b``+B4;@ zY+TD2N~pJ8OF?hf0<-hC! zLGhGCpJbzHxAdelG@In^5W{{?uXRa=Ez|B+ zEW!@v%Y7=DTg;W#J5d`KPHJ+pm0zvR-&qkV&A!g0v|c@BopUEDxCQP1EZB=o0hf3V zZ%KQgWnbZCM*ZvBts=PbtX ze(dqHvsj~LZC(?xWLi&kqpUFPZi*(iPtKjeJFC?U= z%9{6j{FwS?RB{Tq!g7uT)iYl;+mH4nmp3=fn%4MDE9q{#3sDA4iyx#gP~)OoUoOJ~ z)=vKKUPM7Tn)KGu#uU3og_kI#tPHZ5qm75%+m4op32OvXvjahptfTRUe~p6`ZT7f- zcF`HR(JJm2E3vM+*hW8At{fMkuLg8TZHxbb+p6;0u&pQUhm!n5OUEv+qK9}Sgrc77 zncU5rsc%p7RvA`EH&Mv*sa!#*Pg)9PZMu}^KDl0tFJJql#WR4-w*O!E;rbUsM(=)T z{z`A_@X9|q7rKppl}LEQ&NdZWLHOo*5WYh8M60m><5@)2?x#QXI-Ws&(ygNYl6g3M zK~kvo^FL+3*W9u?8-(1Rlg|t^=QvoFYgdS`9m#+6w(WDi!~>VYH2^cuKC_crzu5CB zIrpB*>eD;IE2AD4zv+j}-vBc*@P@oT1mqf5r2~e(^_{^k=KyqCUta9CKIhK*LoJ7i zwoev~Khb$uCk2Cg$3&SA1l z%kc5Ch;+-_NiI!R=$AXis`r)uAr?foWgo}a4Y)lhI4Np)a(QdJ_hF`id&QSQam-3} z$nm@%N7^A#yhCVx=~c@JQt$ls>qLR5H6}vzt`S@FmtXX)Fts#|H5M~%q37AzI94|P z_V21TSva)3D7!l6YT>7zn_C^0v!OS66?pFJLTieIP zObg^Z?B^)B=V)&#)RVty%R6P{v+xb(3u!9mN>^|0mB)><>pj$UO1>gks2-bnJFg(_ z=~I`O(heZBOUY@t)unB}(nEt>KxToNaFoURQ=he?8>KjeO5^OiYryI~V19ohhOey< zV#>qZ&ncud#^$0;TQ$VCyyWh6pV?SDop)$0k@ER=p0)1zfDz_qC0~Yo9q`$i%;{-H z(=JV+bm_JB5#>}kSqb2}4?}@MY*( z&%D@kuopK`yl=+|lfGA>YO!HHW#QPanj2wGvG!KoUJwbYir1SsgtRrfWt%M9w~%CH z4S2Np0-IhLBM4OCj6TS#u0pP0G&(^yjeLePaTmq~#bM(-xu5RRGNV6bEiY}cK{rgi z3YQ#veWpuDKCzut$-3up-$t;5gfzGW%5%jrFHtWoz}J)LpFP4KgCdag!OglH%UzYr z8w*@|$*78XGrYJ-D`+b?M#CJfoN0uK3mi5F_WJE?k?@L*!o`yKsfKK#VdeQ1kgF$? zr8nWM#Wo2S38-u~z3_r3;0Fxb+*myTl$g?I%9Q`N#JsijXx)E@dp6JW$9`*k&{&~x zE3V~8TK)ZN4{I&M%*Gp4 zcu^xi?5g21@98%0E{x+Sem!sb;F}%W%X?B)DH5XQOB!F=36r6 z6UFNk?zFM+xrA=tlR;vw5GA1qjP_vPeL)g>Ks?<0w=r?gHaj0YtEj4>@_Y$joE@BA z0Mw&<|DSr~O2gOx*N`kJQrsOS!x8gh@oP55(u$)+XmUfC=`PI5+bj?Y@v-Y45OHaL zoWez|&7-?Jonp-a64>$kS>rksbab>kXCB$QZz{0KJmj6z_;I5ZpI$6HRot*8L!of6 z#{K*%a$4e|WdtC#cn>&S#Hm_pRKt9P@vFk?gL|z_v&Q2fq?FU>2Kxy`=bO zF18uTl|X#}ruyDmu^bFC0~^VB+=@*R0ued$_7l(x&AVRv1SL{JZeUUdc|;m~w7(+K zGJ%t{WEw1L&>?+Tn4CM4H5Pl%ON#lD@(Qw0RaU`68Fw-OHKr?9Q_mU?xDV@qpg)(5 zQEVQ##UyE^^>onYV3kyARZ&m2hYfxUN_%_f*jKYEb~tcMAJCOL05cTvffrAY@w9QpX zm~m{*{9^p|Y(RWhIv_|IoqIf;=UjL(u3=kmn*|T-$;D2iMsMW)`tVpGkL7yEnsMGG zv!jGM6gf9W_O8y;bSAg8e;S!^Kc755V(t!GeNxncE4X*zTyMskwvRlq7fMYpHxI{F z2_Kj}%DeSpgSC3&cS_Q8MWHER$xGSqsOp-B`1lh(a&!Mle#?pynoQo1gINw3(gBRd2^VT)faBs0ciEa4-L!EcePq?M^#xUtxoi{SOn58mhS^Bc9N=zKU zWX_nto|zuPHi4-Zv;(u`08|&wMNqrTO|247y_D^zs~atB6<4ZWWtSepxw>Nqs8F@d zFSB~s3bDMqd8L1;w-_m)+*-uztpvwIprYQs_WDV*F+eX}o(B!B=v(OpzR1GAM!dQE zVx^o?Xf-sR1x+$iR)N6SlIeX2pl@yEhq38Z*ovy+kUcO~%2+OSOpD1;VdM~tgOJl? zQzwEryC-mZNw&MR;T7FwqadDGFxM8kF({VN{j})yMu;s(e3OC{vhgO;%YD~fXvqoo zXU8kTsAksbVf< zBA68xKX>TDJ_-m^#{1iN3${7hTS#oWuY9Iw4h)vBSW+i%NfN#%}!ou=k!( zQEh9wuwp<3LAOX0P!W+JnF5I_0wPIbk&!GpXNnRLP)U+ACPsFxFY8gAr+Q&V#HYo`3 zk+CRE)x$>74R2Dib)ygTUWq9|iI;~D{5#>&k5prO4sOI-3ze<(4tDg#6h33~f=$gec#a6P*DM#t$DYwLKO?$QakIkj807*`EerPk>NJl4>zt z3N&&Z41Btq59HD!b*(C<{2E<31;d1?jC)=4m#Pw$KSXSfh(HA6ZJG$=%xJNXc4ob* zoD4B;oehV|Z?66-fZu*8|0<7cd*rJ6V3MTHM_1l`nVb1$1!+Ex&Kr02d8y4@LnMhB zbOOn?Yr*?Zyv##~F49*Qi$@lBt$7&lMl=EO`)F3yqWF7j9ts}lJ|sWlpyRfSE(%p1 zm<*dBGl`>vEiHn6V3$=}Z#p$Y2^n`7NBeI%c0Z|9LaJQu0BYAiwE>~2`E{xRjbUFX zs;>?K(1=}@O86c(HuQ%6^+gP}paW@#CCYP2Mi1?7XqlzH4zi}6p5 zSNfRK@AOAcjw%;f7~kv`e7o4W``Od;iGORb!1Vilhn@kFvNXLyt|62FwX+5h$!>N}6{IlTZ=`jZX+hH;lkougp#v;n%_mvCm^ z^M;fjua#Qa*M{=RlI~BchO7~6P;S2WLIaJXvXE)t#i1A=^me@FyBD|EcNXxZlEO^! z^>yUhFK*PtKuX!>90%NOGfuTmc_8VlUKWdT>pkC0rEav-)3W!^O$w(H>|2=wNRB@$ zhELyWfvfeDpaCiUXaN#4#!l7C!qoq6o?Oc^R16@Mt!j4$dF;ZtG5z1zZh?YgWzqG+ z_NWDB+yk1j)#Yfuq~{dFY5SVTMXK+&su73PjVrq^%UeH?ZKg>cgwfqEUZRcT7oUWB z0>JXo<|n7wE_<%9>sIs+8|MIJX(eSbyHkz%Op0aW!`)fhHdTBM> zRc0QMIjN9)d{7;y0oi@@wjsaM$c1e5k?tTVUNtLr_1Zuwk58M-+eQ6&73fa-e+&e-^D z%jYG7+P9H^aF)vTe6tw^6yljKHR!K0%I*~gT7|DKB1^w8dL2Ez#z$AUWpX}yGr(w) z9;Ep<)fRk4K}G+%t5g8wnyy{rO&%MwBSywzXJsGSg)RZ>{V6VMS)YQnvIyNKTrS6t z@`GjlC%V;f zcmzkg7InN9RdaT3khfzb4P$EK2^3oWg?DoI>6V97v0I#>Edf21tCsG=Q=367~@J6TFcV7@ZE&1x~nvJ@d+bS(YQHAi?-7= zI)^4+_qD`uxDz&ut0sL#7+?3_VMEASNbACUDYWc*YKmyJ_C`h{w+8$}@YFZQ6PYdo zzQ(nOHf}Q4OQv%}sAQ;$_~L|KV?zytI_?r?xA)-&hVn$h;YUsIgj1);>^{zTBPS4k zHP9L&!gmmzc_O4N7}#kNHerEnt4=`-Q>lh{@O0j<>CrG(>zfY-rrF1w-n#}`k9geE zv9(!Df&mHCiP<%Px!*fliinmG>8TuhT{5J#;ziA0eo*Z3E|ck$l52hlvd~z&`~gbG zGHr$X0ib9xN+{6iHsukw&aNjXdy9RU*tG^I%ous{o{>q07sqc6!6!#o~EusY(dh7&FD(t{9RquO{*%7yjbUB zVG#--Sozd>ze?4;=xoE&^a|4{z}!=BCb?Pep25s6*HwJ^oo`MVhb3Ud5XB-X%Q+2U z_L&K;1m02Si#W7q=QNBp;gh(*a?QHRf=_Zk9vTHCHXb52X%Jl4bt1ien=W)|8NJ6(p9E0c!zVA=VLKExpNEzdok%Z?4JM2>&)r_)?w9}U#2 zXuE&UWXvs1Oo&bA-5tM?CutWNIh4JMKUrz3H{TC1Now*`6{D1cXb8{D1K7*QkSz=9 zp;&(e?hE&|<4%&V9Re+6Gh|&UG>wXGxvn3Ba%t>S4+o8|D4QI;JZ`>EO)HpQCc!QB32%feh+n!c}sK%d#lRy`tVQIahubH-#m^EB9N z(HyI=UexFvyO6bKmDp+t`7VmpcFT1(dmp+=F+-Qn;xH1;BU9T!u17xiWx1*~Z8>4pEH>!G zYf+p&Zi!|Y{jKDrwafCl%ap?DwgSZucAQzh@v16C4o&1F0+)@@Y$lUp|EA*sY>N<9 z+nSHPz~rM~6!Un(2Y)Y9LVs*kju+#ahe6ynoAP40ZI{U2tnnQueo1=OfrYwd)%?~` zwVkd^8j)g2?x(Uod9BsI5~LNfR%+=rj`MDgtN^&mb3wGyMI39gc=++16jitwT~Y9n z8F!XcsA(LB)uFqu{z`CUWE?W2YoM&r^#}Lotpw)V9V>2{ekr3RLCG0qDKdIgj~3$w z{bL489u{GENBZixaLiQe!-gR`pKjfDW3b9sKG0b+_Jl&`z}}hDn?DXiQ;Y^{xr7Pb zD>mOF79TSS7FC zVKs`k3$R^YwqaSws__KrLTv#cXpXJq1v%!mRtRxtLC@Gn<0BXNo(oTx|4}oE1({d2 zr5aVF3k_ilL0BOl;r#;%dwop`Ug&VsS7BVB*3CRAQT|eCI{gQE&e~aCg31@GZpU)O zSr)p7-U??H*9KSu(a`c6)J-45I~aBdb>z@dyO9sk?<@}MDQzOZtloAPMSK=zk6de= z-7RxcwA-TOPd8%?&r}fJ{L!zmDMU+?W@wmS6*b7vQVs}K9TvJg$`f}zbX3!GS|H9H z5zGfv3m$y%aOQn2753Av(*rSI3b~yO+Zc_ahATY!k&R7NHiimq3dx1u$jYOwHj2iF zqqb2)VlDkeTERU@o%Cs2QOnSw%A1W%*|#!`zuIVJ3k*>0XoO0u!ZRNQFG>!TBxB7j z42Ap3*!^_w^P>+4D~pYVaYK$BkoH-_Qp(^wbD@407OQ3Dwc^)M8k>%8L1sja26|t@ zqt)fPUaus%YDMOlE+bQuK$MQia0x9@)_RlYIu9m3ogX*glyH|s4hv(>=0aP96piy< zTv`C$WLj4$ZKRm9cIKuzz2V3}kVEby^(Y!gzGm)_ zE8VnjKV&+tct~YHS(UY(P4c`m7$vhFa5A71zpOVZDz86WWj-g?b&v%)TJEJuPMbsI z%dT=|45)zAhI-$TPY1$rVl?|`l+$lJgNuG8FV3*oNe){OC;kYCLSngeoS!?*R~kVh zRV{k$JaynXTn@w>I)v7(GnDDO2E%2XxQv6hcTg6Amc|K`{As0a=%{GnQC>akxwE;Z znln8p_Z$FaR~?Bra_;aLEn(5?uY=)B`E6CZn_ulccl9H)ewt%I)&z2`gR7~CEFbOv z(o}d$;bgQlR>h=bsyr9r-c)91CbZ1gG#h%t%Q3L-s8e1L*t)8AUwI~8JaV6ypd05 z2zt_Rn8zDb_n5-&pemP^?_~G4TsNcJ4wYIPezb;&sFUHSEqTRgLS1b_pKS30*N!c* zw4jwVi~&6ri;0|*pSIsfWC%cI2U%%B$nw@4)@rl^mHP&Et+?c-6JW1jPl*6r)6?|F zCOuwiiB!@-O)-o+#j7rwsH}NQ;osb2wLzH$;a;37swd=a+0`}<> zP4<>6Cb+s>!!X61&8()uE|zL2Rq=_7$k1n(S`>rTVNd#jNIV^D_Gn?;m}|>*-KFwP z_Tr400(G?ks2Qo!?w!daw#51D86F*;H1&WQnYqfkBImvs55;;$eoMNmR0?iui579t zhtf}%aw9gCTHDo5o*%k*ZH<;h%??0a3+1|$wns+O+7j3uXotRatOLZgFG0lQa{X7yjVkl9$FxU1weygu7?|6|?M+ z*MviEU0(8@AUW1c)h&JYlDY+ zk#f6{87cDLte;n^^P(SQe5g=2&B}8wNcC1TFKJ;&+~B~rv3!5Q^akV=Y#^ux9CKO@ zEHJ`O1HQZ(S0I1W_knCY(~@6So?Q`?k%@ujH=Zp$ ztr#!KvB3;{Gg?SS4?r88xq+vhyXq z6Gtwk)hKycvj&+&GcA*W^V9?!5UkI3S-=fffkZMb@$7hT zi;p6{V44Jo9~y2o$qa_-IialYJ?Hl*SzDPq?GCbAPR$*QnzuVjj4J=rGF#|TVWsCd ztyt53TECY*L_xOlBW|Wi($w||zjrgtU#>2xL`{V2$Qo5yKHpk4Wb0#j^z^tYsCc%D zyYK7guGD2K{|`ixp1!8uy?Y2F=}uc(6OzB~lYUSa(MP#fDm7wFea>+y zd>M7PJMu~VLY!286HgY}$5qcFsV6U+gxrZs*HAG;*!%`2-E$Q=Sw?S`oKqnS%$}o5 zBu(vBe&&%!bI^+nDIpek&e4cVYMKad#z9P3y5&p>daU0yr@E!9Xh(BRt^g&zUVH*9 z%P%u`GFlavcePwjp)c+|(yT#YeK|1t-|SpWq__dS;R3zoNg8&-U`g@Bic%af)M|pd zO3b?QzBKYi>kPOoesVPL-Fz`XoiTxZ+06u3YV`hSqf_CY(c&5uI@<1_RcCCWrMqR> z=UEv^*xRr?Jy0g6i8lJ{@#n;@-S!#YBx6Lpk($ zY+e7O``A50*9d%g9wL}$zr+UubZq?ci}>1Bxr5gY8Q@os0K6rvH^e&o>)A&@*|gC)wu;X=vrE6)#isRgINo5n9isf zm&3HO77=XY<^d{dt$|H3Y3+I*91jgu9hlUD*+yw-k4sjN)R+tuh~Bx_ONw*_7kbiz ziZRhG^mKTu_0_F=-oXxpGZ5um&(hnUAZ~7XG*ISB-S%DlN%HjIy=;#NuC{sygfhjPHH0K-SM=CZD?Kj1 zXe(t)59YxucU;r-NZoe;Quk4BL{K--W~9`D&N;U25$L~%#kys3!*{F(T?5T(shlza z(Es(QU*4{3R1f!NnX&>>mM(4QhY;!Lwz$>Ua8-}XWQ>ajQtVfWGsf>R^a9Mnh~Uyi zf@`m(Z^u6%iv8omC#$B-d00#vNP9mS z;ts$1?kVKXjbKsS;`AoI{m8KKh|45QeD`MZr-#m+V+wGikE&Y*_|ojQV)i7!sjD}W zX}+`E`r2DNeVE1pV>SxN*6#pC%vtLozI9A`pCg++AX3!np&)f9ZwQ5NYs$=!(QCR4 zV)n-vj<@zw>5pGGlc-ABQ0Nq2o~p3~T4HLAJT%D>*|2nq-br63l)<>Vhhx~)Dy-L? zc+22&avh!vZ|}svxia!@D8)3(f`xG8EBLS!w8~21Mx}t^KQ7zMYdc-+;%d633=YsE z9gI6vSC1bkl(<@4m!U~7rQkSf?TwHEGHgtdMAy-`1MG?7u9RuJXBT zTutlKLwo;K&Y6^r^lyf(GCQfNR&}@pOL2+jx+&>je06ATLMBFOfPin!M|D9K|YHip8{m-dJ6@&MC;&+1UPrTxAL2zd(RZ-KlhilQ+4;~u?gzqzOeGdKAJD{ zbjfC=EPK36oF!XTQXijWxB^l_6fB1dwb`QkA6fGrL|(``k_REj9NmGXM)a?k_jozA z`07>WkFk@89W6v;Tb`MgDXsLN+g|l#Vo2%AR$pB>TEr-zzbkz*%xSq*&DmBUpT;<_ zs$ZhfaIu0*PNwV*d_Kx6n;3}p=v5XPvz_dIv%sTOnjsjqUFH!ADu?tqhYzSS!m9ES zllVD%qp~me1(|DE^zL<;=-DN?S@)@_!E*mn?F*oc0%k7YWaioQ_DnLXl4x>P5GFjk}Jr8 zW$&3-e4c_^t1=RC)P_)ry3_JzghHqR-#gefvWx;4c;Q_Wjc1TT*B!11GM^z`dm98Ue+!P=APBUn)x$GA0 zX*q2ZtK|{cq*CNWtT2>kp9(!0*^Z8cgADr;_O;Yp2%p@6<+x_GTybu|pj@m-q||JB zPU5b*OZcR*!}BVeApbGbV-T8U!j0#eaTW(!)nl$5(3X72(QF=&yyQN*$D+Kn5JN{MS6VMCFDamJQ#HZYaKbQYv2>90sH06`sBxqCU%RMYxPQ z4+%CC9Tbr{2LpO+0uC}3L#h@Zct|X~T!TXmImHLdQs}F8BTf5i3IgZykFD0+@AH%d zsgBco*mzHmNSaJquj}Be z>h{tZu~KnwjnJwRI0!`*>3dbpIda^7a{i^PvWKJS9m_1(JzZm2yC~^CyUFpxlcBjn zZP%7|uJ$`CPqrFT>5GJObWTPm<>tOgt6A}Yf*P~uDF2cRw68SSW56&zxTwxPX`U|q zTN8x-VSG$7;9FXdOk@Xp1ZmXbj+(2MHKRB(N7Fq^)X`7TRA?Ep7yqS}mb!da?x@_2FY}m$r#by;=%5CK*Izz`;#kv#~ zy-u5y6;!%O9fv8iX(M|%duRdT_PpbA^w7)33Bz`S2G-&XMhG$`qN_=#>LnN0gh@_A4afzH@0*|gzA^mu-Etvhp<98?k-#C9cng&^F5T7+o0No0UX}>~@yMLQCzkin_wvE!*T<7)x7ogSx-SJ5>@wn;rAxfTw=&TW zAzvwvjGS@Ew}?yUhFk5cu7mPG2#9>=D<@mhThLanhNFkuSOdY`1BtZJnOiwW0IR#j zLmh83NSB-e?U-9kFdCuTT~sT2p1uJwdeOaAY`5HInFtEDVhNb=ko9N}k(P)6)Yt7Q zG$cEk@S$!>(imapGFz<+9a^|_Zq!7ThJO$iE^9V!;Qxy~I1o~QW$Ehnb7z&#PiEPB z8zf>0m!G>K0T+B=6gp?Kdoy|hlh49oZmE++=bh!inQv^yBhc>+c<3%WfWhO7k;`2Cq@4# z0PVBq;X-RA%4=`shYIF-s#v;A z=iGL0rfq!k7rxiEg6C-Dreqd0{bfE$H<2u1R>FYwA0xmn|#2<`%P@ z(u?dZ*6RCcr{_k^^9OZyZFSr+HcFLX{I~aaRiS+sdh5JGHj`R&Dx`aKb{h+8YWuuh z9vYcD3=7AsvKCDti8$ILM~w77Us96)?4AZ0iCdLPcGLXf0eFIKZC_y%MqPFD(e#}! zHNq5WvYiWLm$ZNYQ7Rec`BFUEt286aP{9>>Lz7kLR&{WuXO><|-9;*V*S3pR?+!Zv zz}vH-B=IqYN2%$HaPrJXRYLO=s^SnO+ChD)SUe9#jF*9ZA<4tK0vy#?FO}m=GN;UA zGj8*}2=bk_)*Gca@X$Ejr0MGAa#i}g%K5k&_U8vy=wM>J{v~T3ow4kRYqQ{%X(i6&Ye0`Smo zH_w^s)^jbl3y+m_ovpG{^^|wGxPNDxmi?e z_?9XxqSYG*+v#Zg{;jr0KneB{$DQ^B_HFh`;Vv(b^ddVD<|W?g3)9(Fyi%$YR$Mw& z-Tv)ZQR|+Y?AAxf(zjdEsNB&4y?N+>2**fDE8OZSAdTJFY7+d!IENmI4t4NN4^vg? zbad4=mI-K>KpBoL(q{CF0mTq*Mye;=>8%lH>Kz@cps0r`5Jo+jK@|+9~*r4|GgIO<3+dPGgb0R>EKD;K}mfj3pXDlSp_H%!wLN2+iCk!vzsO=A=oTPyWknO{ACX6l-Z%H_6weM1HiMi7w9A5 zxHqY)KbVa5HqW)O{mN+;SN~Qb^g~sp-gx>J@S*kWkW;K@x!q+bDZnA~+ z1!{^HOVxwSj=CDKl3fxDQ3VS-8Dn88MTPY?iRBihNE4**pB5zc&HOzh^!kkWlSy+W zO^{J@nI)7zyuXL%274_QVh*!gJ#gkx_sLUwF8bn6^W2+n8~5V!9xPhi{o(K@g!k8# zM9;U9aP4gRyWH;fdrWZwW_1(~<+q!unr6DN4nK&7KYEa*N_c_Lt+nkJ`Q+1$2ST4N z#0^BhA)8ogxZd+zI#)G}2IJuShQgcOJ{2PJBJ>1whrH1#cIuh`;3w&M_Z#Z1c30M% zFqW*k{TB(CFNTc(t;)A`pS6wUf#A69{*?bh2p&PR(CU~qW>5bo!0e2-s((G;GScHC zVc{pZ_sS~kqNL2*>Z6)3+??qs{~-Ju3VB)b&CX}st>`ctn6~1|T_x%vwJF8geBocy z^efN&CuatHd^K_T`Q?;|8?BZ=$ahMg)I;4kf)wx(H$dZOLHG$Cj#;y2Ws~jL=F@n7 z7*i5++2!`9KRzdYeYSt~Z&#|1IA6uGsAbXGe0{L@x+`#MW9Vm>X?*ZKzcJa_{T^{D z-Ow}JbGK;&`-W0Lm(UJXmY{neeeg>);NNZseZ4#S`;O|t>y$ry_TyQ9Nt=O;I98_K z>%D}YtHdJ!6dTC8R*av}Cz6%+pp>t5GfaW{Hs|{@Ydg0+58ChreB>SfTS~5uAlQEg z)GfaNvi#{m^64Y&_i|I=8LG|e(BE%aO`iZDn2DK^Tn$2zc$B*@Ez$2Wuf3_yl6Z_2 z!%MK*&w1iO;fkH*=EfYE-uUJ5Z?}y9*#E~qu=Ib(gF||(BUosi((7o3J~}A`u|FL^ zH0No51f+UO2leRK@7H@}G|E<-^Nu*PbB_^e^ZQ2TW6xZ{%|CLvHB$x>*cXoV{jTHv zlD8+E|1d$f3*7(M2XZi!WoYwk+m+mMKZam|ls6k=3!?n1HQ3HZ8@Av7(N5tFLPZh0 zE8`~SH6Ls0hhOay=k*TJL*&kE*Ea5UL#>a1Dhhcgo|6Kg2ZEm|8(8@_OdnnUT)W$q zt1^;-t5ueN#Apd%>=Lh*8It#E7A}woWT?<51+xcvDdufut&sTl^B~QS4?pW}p174y(o`z-nzt896SA2JG8y_n^Nfuq- z$1{m)K(&IMY=07P@2BwSN4&4_WbO+o?Da5+gg#EHw_Yxo%uFD1x%2AsO9i&8e^aA4 zdx?#o;K8Dn^&?5oJOAq|!)wN>a}y~2Fuh6sT|zW^3fjxm>Mh+uM#S8U3m7B zIC8xjQ@1F}f15Mnv0mlo^$^!*_nF^deL^BWuSj_ zdY#el_Zn%x);**X0+vRs$I+YmnDgl7AiM$w#kN0q`|C`PJz!!1b!B*3@|3CAp@slx zyWzl5@aJvb`ugNg1uFb~2(R0P z5aAkrKgPd%?*+K)>VN};tXxQ<0R#%BcNTe-_X#)pl23RO0C6gf^JI$t zb7|PC+p9GwE`2&?*F@U@rej-M&3!wSUPS)h#?9Y$r}9q0sCD%mcJyO+1Hj}S-5$hi zh*uuPd;>01#MbJV5%=}KZRH%)d393FAfDu}e-j4#y*%)z{Y#lw*|}v`pxSm4b^f!4 z^oQ#EAjrA)^(zN;Vu`Iwb#=aq0Gae{rHXhQ>x!);?<)Y>V==ELe6Ug zvh@>mw{a3EW%+?70ep*`qWEmI)K4&fBubqw;82_8sQGz;qnY$WnFkH@_e%T^mc`#! z2>N;jcvnacug!ps&x9fma?}e`#$|qsZ2qVJ`uh>pjW3OX!ms{ZYoz`$fD{_{K70E6 zcYk||{_7P7^YPdwu!YSMi>G7b--;f%0ug#&Y?l~f;}$SM-68d0ztJR}Y-j9w#FqcV z|Nocn%eepmvTx6HT3~- z{Hn)VDHOlT(6#Sa|8e*KACLL}dsE;KK8MwZu`Xr@Qjz{krs3Bu-S}fM>$6SJFKXGT?m5guR)>U>;-@W)>nU??Zd;L!?ru@g_CzBB+mx=yvXZ|NH`_HFrJ__&W zKrG%<{@o?`hh_Mm-0nZW?mwS@S?MzuV9LGs+5RPK70h0Y7VtRYM|18N{C95mzq7SD z8PAe!%Sp!<{PS7(?_Bopr{X_e_m%bK&!26qi~ZjJJFELYJH$UMLl9oP?B-{*LjFze z_%9s{zaanLX8bG8^8dFP|8Xn*!#e+OoP}UB<_thgKu9g8l~LjI-?+m6**&x+)q@DP zVzuuv!LNt;OykX0^{9#OUv;2Ael>6p*hy6$J?WeOsxck$BL>&olKc-Fr+<2kW#0!! zdT!joi>&|o1@j-j?#~QhM5pt9|1Jae*FLN|AKr)zv_q9H{Ivu9{UD1+yE&nmzQVf$tPPqGbrZ5~*9o$( zct>iSvjfa5vKBltt0B%JPvZzh;60F7Z=cWLGG-^W4;m*#n}S;1IweS;R1b*AMBh8c zH}^&2<;VSNr~GLAM1YuWzpE!e$Xvx|2r59q22cK_#VckNfZS*h_5AYe0Z?MQX$=_K z!Y!b|oZK*wu7GCDhO7NGyNpxttjgD*U{}#|6^mgvr@qb5eUh^Fw<1SYCf9mIyg%7q zU`2*D<=m`;YoteZ#grdizJenr$+@O(b@}LML5$R&-pe)g1TRkhtD3t>Lv&uvg`llA zI049^PRZH0D<=ivf2-JC{_FxSC4l{k6s?mA9S%J5wN5Y}iUxOm!|-yi`}i#H%&9ja z-TSw7RCgP^JOK-kIQgL6)Lub%D=hk5IgmtZ5T3RAYv$pMHx)j#`Tm{MhJXp~+#%6= zP}5NV3lb=IzHY;p;~hS4Qdx|zn@+uF2!8GE3-;)nbKZCntBtug=SUu`!XCPeJ3$3j z3mTB%$!-jSLcj*dJ#pY=!(g@9Fw9mP2Pu4$0(27?!T0VdFxUI3kI%=FGcTNz;U`dz z+O+0s_=}tkb=W0fl6G2F7^RmaqVp8rRX0G0rc^m}s37A4?@H;_$58le>nlfsAsrW; zeW0}&?_UhMO$O7^odu@+4nBKUiG&mm!}i7-)U>SlDBJLm0Xz{MnT#(%Ft1KTff97- zYkq)~;<3R%rBCsN>{v&@6SSMcr?Znzc}VvarC+sj>r!2&`=|cF|JBjwJ&*vRaJ4>y zf-c=XzdkX0mn7WIAT23U!Mbu1!=US`Ah6H8HvvCK19HIV8^fO1jt0QG)U|zlSp8}jS*aeJ&;Lp-nD zd5~GzzFROKXW<9Vl-i-{n)BWR-u3o*44@s5e5eHBE!)TXP23{hAT4VfR_3ff<)vW* zl9h3yU$Uj&8xTzn+$)y8|Ce~3GEZOeUVwoufi#BZUAL~_dPifed7ZAr>ynTS;+pfA z^Bv2cCyJvwF8;PVPOQktp`7b#dBplyISM2lsote{OGgC3r-%e(-A>ufgEgli-Agn^ z`fbhhjZ3>iPhHVMyZAK{8SZX?+irFAI*jMtauMKMLiMmYV=uam<+Pa}$=Fpwc?D-{@vo35PPCX`t zxa9VZtHjz%Szb)Qji+?oIzHMq!gHEu3f9EQkv6NJe8VFXorXTt*@Ai{>aMMVS`ScU zswQUKmEr3f60idGMmJBOeWWZB$Ay{9;^ZcwP)B)5$-r;pC z-1fylp~YT8`d4lqpIpaxmOu+Nt~80A*j21ot-PhQ1o9D6o{KqDOsJV^!Aja-s;v# zeDTR8MYv)%Oa=+mt|@ncSapqdWGxLQ?O-^<<%+_Tr1HYae7p^b7*Ll%0w^&VzQOLV z!V*4*ZhC!EA^!!UqU9N)@n|}Lg9NGvbLun#PaW?jXQxzoQ~X$D@d@b_&}qRz*SZWS zQBsxf`Y*pyr7c{aJuMy5jUOt+msB{Uvhq*Ggci=St2&iV!8jWIKHhx$_TzgUhF#sW zjUV6F5_(+bdZCij67nMOe&MsATAG`D-yTpBq25y$>fiZDeKSaht?&#ug6bTOJ3Spt zk}JGXh}yt95ht3(u_*=LE5)(=KevEfV#@=0#35zH+v zL0%x64o_2)Cb0xk5J^7>6^=xUh!C_jq#M@XZO$T$7hf$TmTz;wyps2imyr%LLJdL} zF>%944AEo@DEP(KkVdH+d^j_)A1vhfK$fkO?F6-b@)NsJ>rI{T;R1VK-6_3D4PmTv zOH@~g+~Mw;!{iMf4=DpvbK*(H_3PwbGb4Mtxszf^G;o(s7dpRF3G*CUOVJVKFv-P5 z9Gz^$*Squ;n|95@>OF>Y*p4|649~Q1LVn3|lfD%;uBSg`J)_5~oMa|yHQ4t%^?(@N z?D(5%L@P`7y9?y|C#MAuU|)-9*SlErYr@8a#%|O=qqXf@X0eT4m>PzGF}p3)mqLs( z{YBFm7eCX3)#9$Ot}7^4jt#o(B(GffX;Db-<(M~r;a7Xm`QWx8a4&REQWla$U|* zk#|i^L;lAX`AMUYFRNwzj zI^@A8{cO=cm!`(r(0=jjEL(kj3L?(#0=BR8-6!`}4xq~odH&=YT%d6dA%X~7!XbHb z=yWL~5j-g0eJ>P&uf}7H$J=k7 zXpZo`s()jPqB4Ev?{vHw0w>0IAyl%T{=no1JO{2@@S{!ru?jmg8sc^w5YP#qvLwc9 z#IsS|F9%u;_ZzA|!8g7WhU>pDO>#5geiz7BLP_n~coTZ>+$YLWvy4O}Ad3F5iuI*4 zRjKA=+W^V{R~C}tUd<$m1|i3LlVU%43}2~FAUP}Ui2FTDzS@vX0`#tIXG5i;uJ$}d zm=EKN!&5*-RxX5I%*#{I@!{2vc>NVWa9Q4dQ#$BsU+WRg*?25+ zxLTa*LLq`b>}IPwNY>4l_}^;gAWn}lQ{Pg9TWh0XxNT`si!w2DuFtlqL6Eoc#Mc`z z+n}RgSM5UeYLN`3sHf}5AZWb*p0OepE|}(JXJQ1GyiI z@I8%P+TbT)u3h?<=ua?707G(@itfFj&hg=%!aAakfiJ{6yut-XGAMimx@`y^)Zzh| zX6BOX0w;8{7(&b=SaQ)F(Mhm$$T!vlA0Fvo<0p^q;{hmzj$1AaqC|u3N5?c)%b)*} z6Q(`we3c7EG+MNhe)PO-{dw6p=Q;feEI`fD_*+VDeoW$r+4rEmr?`S;v`_*m0RMQx z7Hbs_H`)U>XRc$4^{U6FJQumPydnDa`fClNm?+YQzEB@!BA&I2$s>720`$v6I;oD` zql<-`rrzW$6Uc7CJZqgeBnvB6!x% ze!ota!dc)OY~5CL8+isXa5Y1;!r+?0#LvguC!n!vkI+p>z3|^7dd&aiJ#>XV231-3XXXYUpfRh0~Pz^5%Gt9`T8;1 zX_Ku$#w5)K|3nq zisaUa7Qlyk=r#|o@VOCV3j#;EiNu`5>)FBsrliDo&sWz>d3JlB^;)6yJOCFd;5A=( zhk&P&&i^%A=ih98`&|Mntzr(pxvP(|hl`qurv ziM4&4w|A6@eBOLi@TNN#@)}A^R&xTQK~l5w`*PF~PsK(rHw-hy`OnoJ$ml8@I8RL=H5BW$(s%CL_qZ8fv-=zuqztnqRaVlb3Fn&t0_Lc-PmZl)CZW@%{Z8w$9 zsc!(I#J+|JZfs5ww8>b%rU|Br=(15OwAH(@UwFN~{sB8N$tZwsA^~86j*~J-yo0m* zl22z|9nSnk+bZyiwa8a`Ql&I<(#~8ov(xAN3D{zkqM$eDteXJk)h-`z^Nd7i&AW}a zIf-qMpV&!$fS!eONIb-7b_!a}xgisa2jJ-gvvftoV^`L1Q~&25{$W#W#3M8iOLgf( z;H*{~35*jEv3(+TZusg*Ea-W(+0?i2EFYv;cpeq&ta4;LT@WsF&1)prVmnR(0GYaO z1pGA2bZQ=W#xhRt^yPtHRl|n~;uEBPwaN{@+U?)F>oD$QE*363Pzo%SR z$&gP(f=QvV23e>#QwHkzWaY3?xEvB};#(WEw01wPpFKCb4fFZ_USNhv>_A${=k(1A zFwhC>Q@3E-J(t5tXa(N^1J6OFy$jUd?@^Co+BguxN1z?vi{1U>H)0n{M1atxH1X;8 z19h-WybQEf#ENmj?adCIt9v2((XM(w^Xy))fHRyH_))d9u46KJc*kb3`{mJi5qNL+ zCN}|-Kdy$bDTpSzd2>9$b^1dKrj+jV9Cy*ygwJ&|oK^#Ndu@~-5MzX=P7W~&{+m-S zc(*Sjtpbi00kCJz7?|DkcHH;0h@4~ZKfZ2Gw$gqCWNv; zM_lkTDU37Fx^HJYXI`29&~($`PLVPuWj<2ciLv2ecWv^Tyr8*zj7!q=4Y+DdpWVjg zHRS%~4p?4ot(-s+XT9~N1S{#d&`H6Peh4jfLkcbH%15RSLDJ+EsFW-R@xlz%)u~oQ z$z@X=m7}^7#h?A~QNQj?&SuQMcswFR3zMnfkD=u)aO=J+R6k*B8qXVYjPa9KaIbGd zTL++Q+r97HvegcqY#b_MCWcyGVs%bF)(-REhRgnh$DFwsbi8H*m+>RoG)!`vkJaz~ z{6v3sxKR3117?Hp+zQJ>;>SY3Dk6JjICQw#a+TyD{!jENWBk13wWa9Xj3`0yB1m?{ zr$IpWYQtQGz~_8uzU~xo9!x9D1I~JCQ);4kC_!j49(G3$pECOc`IDD8B@Wo73Ru&-v=ANYP4R6CLYi{a3U@AQ)ESPOzDT?OkO`bX3BLJlPw7>M@E}p+e}BBlOQu zu8)9GJ0Xez9==~b1+Z(z5F8yNyCw1>)ijx@h%>}5fSupeov(*@gCQcSN%q1m6@AxR z{X*XL!TXiAMNXk)1#r*_{HW~LK=!Alz78OA*)Hq5QmzjJ7^TOH6mkTY=cG=xvmBO^ zGIR1&oK%F2wwuuUmXhC;`>o(_K8M}g;0D;Uo2V$$o4&hN_$(HJ#L|6)*7m?z7-d{W z!({g!I96o4n&=vCadj(GxEkK3_a`ySdf`-pp&TSpz>L!BqzJ=p8&k=VfieCYW2N$M9rux|4IR>OYF49 zXyYf~Yn)ynCLHiJ{qgt($=Z)t$_F3zeg=-&t;O!x0OPR@3mn6E?Nx`J&85uw;Qevm zBM>8SM80V`GWlUQsRscs9jyCHqJqD>Hdg0fF#Uh*y$4j2YnL{B6a|$Ml_MZ6azN1| zC5Ti>(1VJIfQld;0tnJUKuSm=B8i2fAiYGC-mB7EC?X|DN045mNa&D+^52i|%>3_s zGw(b8-}=vd^R0E(a=G;Bx!b<>wXeNzO84ffWQ9S*!*6-^+U=u0H_ZBmO6|B<1~qV1 zdMjNkYoj}=&x73-n)*k5T8-%r{gG@n7L=;N&Qmwy8jMTo3j&JmZS^cB$DC2AvL-1~ zVkcaE7vP3UAPacKEXJ*j#vGX7ivC5Q7jgV1k@E1%NC&`i?s_MlWZ>npCNeRC0i^oM zX_BHif1VTQ%Gex;ESPdpjLo5)felq8Oh{|sNLr?Gam!xD#f#BnkE+P5ByOgie7nk8 z`;4==3t3MXlXAzZLNkXjoCx0@VW>(1s8OUcO{dc>M_|mlE-r`pH}qeOszPMIx%n65 z()?)Kbtp2?#o6W=* z5KLfVR(E0NlMQgx0~MD;F1_G?`|&c7Lm))R**knaQBxdumWL~aOncdzU}}~`rs)Mw z>j6ffgdHOHwy$$6{7Uq{M6BSLwh$-8$AKw2$h?RLoBMTOd-h1O)pUY>Fe^SuIQYQj zFyBTY&umi?`Q$Lzhc0A#fAGAmVdPsM;20&3UZ+GoKgZEFT07F-*Df{a%H}iSz1Dqq zW@qG~?$E0!8lnid8`f4gf|Ou;UDw_r>+oq;PJsCvnn#cuXBwtEgh3ek2_>o!IW&kX zLctq{SuAe{3%yc|g)K=Km%di&#P6)YKXJxve_hCLmN@C+Q}mL z54i`227tdkEn5UK2~E%aa%(sc$~}w@Rw!7Z4)?9dTm6|P)ogD;$i>MsF4CUM<=m%fMK5c{GvYFx)KpfnJ5Fjfa)l$jycoa%ZL>@@l+++pa(+gBrVcKDu`wEG!XapU5f%`(Ap4m6Plla>3ION8nQe?64^~ET#V7C(Y{Y>s|8w;G zFA{7KcHg@zu}hK)Y$975RlCLy>wx5)Cmz2;TLd^s1Yhbt7jBFAHIQ{)(S5eg;aU9% zf-Ps<8w`*?k|?2#50k=l4{efVY`adEreWzbDV+(v2WD?pfvw*1EhE3&QWXg6xhKH( zrNcK6fIlbQkcD7ST0R#n>B)@aE{Jl6oQn19>JU3tJ3Nqtcd;;w6 z6|SZ*YUy0|$r8C?p90GqKIhMjY=sJKIDRWH`Dj&I+8IcI{tQNdfLr-bR7q9Wjv^e4*-DbBMJA%kRis3sT?KqRDXI> zxWRMBP2gs0!`lGZh#M*c6_AC@4w%@_jP&SLhW7#Dz;Jn}jU%voh*iAsW;Mod4rFI1 z7+P5a+<6Z+@n@3Lz*MxD@6A%2wBIgzPX4ku=tn4I#ctTavx}27A`y8K0yw$hav`yD zvlV#Ut0j8X3#K96`JrD?yXPi$W{RD)tJ^PR%MG9DId`?JjW>x>FF)UgeXcT$5L-x_ zR)3}Rn+mhbkS^abOvSdzOq6li9o$s+UHj|7xS8(Kn~`WvcX|XKg zN~4FGxm<@e;__5+s+;K3LYq1Ue3?2eT0RvL=YOqwe*Ios6!>HjUl8C)G`|NH+zute zTP*F~Xp(?Flvz|?gMJlq|2|m1f*Xz)Sw-Eu{y;mWZG<%~QL(b7T{0V>l?y-OOmF-+ z4nct{kQ63&h`KuEaR;otwU8UPRrB&pCV@ae*mQ`56M-N@_IN3=29u`@K-GhEe`&Af zi4dfmcpj8-eVW~(A>a%jA=z&gijjpR_$od+JiJzD)A^S2e7bQYi(R(w1d>&0xd(*1 zUPq+=o=u)}rp9~EriGLOm?`qr;^H8PkB2QRRm{wODY9FzuAT0B*4Nmur#U^W(J)HLRlNDK>5L7eK13GoLWeO{tVaWIBVqKsFTuo7%#(DjfT| z%lD-INQt%E=P zhq%d*!z6F~iOv=9+z=TD3msaS-ixv2@U`a%1@LsAa=4I&aHGz@c+t4ppDATuaB%0m zhzk8Sy2fj!XzJ3{r(c0*G7&s=mZn{Kx+mQ+?@IJu=Dkx{I=c4{ArGlcEyn7-YwRHg z_DE>r${0@dlyhcf1O!#7UUN6z$a~6)X@EOa$8#9R{g%=rgW^nl9+V|H(^K1C{{D)R zv`_J}VYZ>mriqELPekd^Zmxt_cggu=F9sAMIiiQ7O`etgI3?wCMz&9l#aqX|?~kM8 zie=rhhu@cPXK^XdroO8M#y}8J_jC?$@9dj?MIcgnQiXwVJ49w*ivmGWWVpz~#gUqm zjBr`)}YjdlEi>nxpBU$8#cE7@-`G6Y6d*c2d1Bk9g=9|Z}l>$BY%BBnMg zKnyXJ9AV-;GiW69Oh;G$q;&76#@vOSFH9QS(vsETlr4Il}(E%TdRgK z4pXnmuqLYPg;*CWdTV;LzPqZ`x|bbo=WJXWd3>=l7LSW66gXo)T#2oIsWEhH3n$es zRc7D~ORsdDZYvF>%NHbJ1jV;dPeOGi8ogzi!rro7pG^N zmURC0W&wjboX_$A(C~leA1f(ede8iDa{KprQw>-OEM735+~wI8sX9k~S@4BmvORV1 zLx7m32gA|!0KgxLi$OBoeQBLwGo$+cM=qCyN*jaNZ5G--JN!Z37@$w>j}+O4Faz68Dixo#*zWQ>5k6^F+^;L`Tor*Xeqty*=zP;R-ivqb(8w|S{WGXh} z_@gvyTL+mPNQeOKCms0kl-82y2;3jEi}4B5@7V>o9S;pS4)Npz8>p8d zW#69RcEThn#n7oW3U2!WFx}`r|JJX&5NI~dgw193^9XvE%ipmr$<{!(hN+WMRIG5V zBc#b2gD;dkv1r+^dsnU;ResyPwM?s$aCWl6uBy4bffvR_MAE3`Nd>VW4s>7?l*vzh zI@+nFEZzj%@vW1Lo}sSpuu3L_GQ7+-B9WRHs(A>icoMqDBN(}^=ehb>l?)7_{_P#W z2ojlKN(eK({&US@ocZKHglDFDgv3diFj=JcYU=CkNb;Kkuz4loa{#Z*?|>Xt8YwFU zsJ62dtc>E8#M`3<58M|973KkDJox^;^+Z8YpV)6uyqcVgCWo|uG}2)NZfi3a_>cZT z_jOvw;y@43fJQBhT2>Kj{8%C;&N?8TI9ahopda;t&w)dlvBj+w3dkKOC6F_P^ya~P)gqXO^y~+RJqfpb!3P6CVY9HHH-Wr9C0=#_o^T-Xh1fz%j_d=D= zW)U zBfZ@oq!jG}U1B)fb0YvsRC=?GRVeXDCR8KPE#~Cwu7pVq9Td+BM$uC*KlZ@dx29h> za-ms@6S3z{{1eG}ppgCug-fj!i*C0oYN#b04nn31nJs?Rrt}gqJG$@%UTuCK4|1GC z$R4bJi5xm_7(u{kCeR_q}L@R3Lx9rRH|E+`bVd*UgiGO~2$i)Uf=8wDg{0knHj()74jeg*{d%#_(=E`VhG{E+_l zRKRrn5G#UZH`JO3#0t*=LhMKhh>S{>rqxfkyZ51q{_Ecd?Cyutd1`wy?&eHT0C&i@ z7^k$>rQL*tYAJOTKqM9y%PP7rLV|7B5Uk4Q?~KXG$oK>ANha{#T<2wW4wg%AuK??5 zI9~{qR)n2xhA93-{CS((%W)>|-8#PHeUM(~kurFk4TqX6Ru za@1v7J<|V@dUYDiRV^I>gO#8=?jx|%wYj$?*dElyWuD)3Se|HlE&5Os-tGa`#6-#q zbQGk;S~jHM8k{O=r@D*Y`_&{G>Ei-2uwc)+PI1CPE0&^UwF`ePP+SxiZntHkS4y-* z^WfA5YI6e*BVwtqEs{mUmAE67pNPxZ-`L6QC^!@Aerx6PctbC-q2Vy%O^)?OL+zu= zDIf*gVI?npB97&msw7N#L=?mcH3PR;09=*bZhXqQ{|r8|Eca-R`I zKI|)XHnVa!OkXYU9m-_Q;6fP=c`x_VovA9DMnZ2Mw#U;*k~xjLw|(?SH!l0O_6`#e zyX7#DKM(<)JYGqJ5rmwe zoqL#Bi<0}{oA`1*hic;T+%i6dqX01E0JT$uWQ?3Vdp7;kaIR`1;`2@-;x>5dd=}r}pk4 zp!2;t?(;K^5Mc0lw%^Dbo}bR7{JQhumdiD%g*x!`s4Wl^)A_->uO63kG#bV8$%Ol8 z^)ms{U*#iT1Cr0Onn3}5HpBYf%npc`-zYlJ_8e{f?rPw5%79y^hBk>~8SJfaIe&86 zisQX%uwWBu4->Np`4X*v5tH`tBD_-D80@oxc9Vyn*HYdtyl%IyO#k+7P;gVz!Vd6e zeO?99;R1(fpbV=&$QVDn@ycyP__FKr;XYuml)eo|rI2vmdLW1V9qBt*{sS8fg;S{x zTRqNIh?}xbkg7!^E4TJgnp5MS3ny{&`<`=p+lqXyM96(3To`!5N44e5=KFj~Y0U>W zXOa=dad+G??ASN|#cGSS(ZCOL4@k4|Roz78;VvJ+HY3j(BO9HAY_JLXL_sNHzIJNQ zHEn0U=ja_KJt?c3i zYClTRwoseJ5=xuFV{u;`o6W!PDvIJ!oRP-+AlcIpz<1x4OtEV^#UOOrIcOE*5KiBH z(FWiqC#3k9pa9F;aS78;c|K}a;k|a9%#+_x)TTJsuFh8mfeITL|7nX?eQKm;B&bwT_3#5;sHBXB#K+LlzFvSlHzg76A@)8VO zfx_&`b&pvPM7=?2Fstgj*>DHJ*#>I20DZxzf8tRlUT%Z?3HcJ9q(u+6rjrq`CyzsM z#-@?F>!cSlg>c-a(APSs9KlJ9BVfMD5LPWbj@Dlw$-Ip?^T7r#W+W6w&%1MO^(a}| zx?A9xpkmBp<5D*@=CI{WAVeiNMmgNSe?a(Zz_syh`dS7J87UjHpJPX}OUEX11Ozy9 zI&{|xs1D`S6|Ny0#eFUSd^CqDI{vxDtFq$W`e)WMxYhUmUJvbZO!zOmX`>H(Ewq`` zkSdtY{#k4>1+U!AfU>o-4N=6n6zl=O)AHxKO@EWUG?%)c=qh2uH{_GDssC{B z)KI95GV=@H0Kn@GMHNUm^2K}QeT-wP+;TcV+)796S!VcO2-%3cX#p{=7xu8-y8zmm z+-u5x>i(x%0QrL@kKZQx8o4gpzNkv9GzD|pr@h82;BG#ItJLUV4`ubHc)nZ!6*0x^ zfaTW(yKQq%DfB)A(i))m&84sPOxd{#6FwIJ^(lHRRY>;W-mzgK|*DTj6kQn&E@Xr5un)t{B^ zw+wxR4i?XXWO`vE82P0-&Uf3N86YaJQ3Q$pB0Yv`cNcBy*VVsUm{pr>qHv0x0(! z6))^C-4>@FKL_L)XZkJtHnyQnD=m56ohrb?i`*KEWao17KmDHIK^?N$%q(a-L{VC~ zQJS(c8DSbesLuAi1>=<8(DNs+us6U8`@&#Un_A>*!K0ku<@_m?I7c?5zK0PPkVvtD zJKB-571=K{Sc3yHU_i9PpAEw7V~^f*us(7ALP;T#NS~DgzLNli{SLF`=IF~3ayz?v z|8z?&W?_=<+?|!AVyB6GFE5f49{jn=$)fn4r44oe6b${M_Lu7NqTy`z(FULr;TR?t zDAVt#^f_lG=b90d7l&BfN7rvT)T-xj5m&w|zY)sJd*Hyde`uQrif zOLsyu_f-pjIks>^MGu?Q&|c}xzO#1Km}l)~3}R{Rx2ku*Ib3Oz{(!x$oO7@xZXe<$ zI~hk`|IVjt;x+k5NQcK()}|wIl?mP64SbK7h3U)IfigYU;H;D&wAR-$4;W@XPgM_4 zwH-$B(qNY*qAwE*0c6FAzhdK)6}u6M5P~);L(e2daKN#vw>AM*JbpEhSLa-p2FuB; zO8P9cMKuRc2f-b%zC>oX@3bM1rK+2k)*vo$tdKo|DVVw=s{7b{|IlK~EnDqSS0~7D0RPYI@DMDIzCkrT z*K*j}{Nf0--z8=XID8RoAIBCepxrQ=5XDe5Myz<`@hGS(%ld;_2A|v^2v&J~`-Ru1 z(w!k;;v=-1UNIbG2kAl>Clo_OV?T~!@Ib)a;RvNh%-(%~SabvygdLLJ{6=|?yZ2cxHYZS?|WK`y8rpHy{3=>mc6x1lucl!=PR!=IlX z5$-VId6eR}jfgzLB&{H}49c3bYoTbC-+%^dnK9d6VEupvVfO1B$a-Kc7Uhwp(WXhF zN(}+WwI5g~_z6~Nluyg+aaJiC^Avsn6@>jkB89xbAN?s>B*eq{zRLtbNDsWs;&G7a z0MO#3h`-&*EEoRFWNmSndXeo#9kO0=JU}{R&jYjPWeR{aw@m#l>JO%dO_Qk!e{@ic z!+U*2J)qFdVFR%tgX-MtTid?Fv|+H-_Ugi%bqS~o6zajn9AhqTs_tQAXR-5ANTn9| z?JpCZMVCCdhZHt1q+%KCqo%v`yUP+|P6z(j;xNSAx1R6km;N(-OoVTV|HTZBZv#LW z$Kzs(<>IcsQZMrO$-z<9oyNggpZ?uM^)7gRKh}ud5UAV7R(@H#I?4z$-~N*A`8djMfJ^Xut*I6(h{34OUHz4LIglqzN0!=a zP$U)WX*tLCYXAx1aiz?|?$C6sJTlf(bLqm)ipJ)GI?KsrZ2?y^mA(}GOdPrmtY>CD zhdp<ISnmAk{3?c*q|YMc*UtFMyzkeG%FN)H<;E2=F=3P0fEhPZ+%qF%3+FJ{My! ziQJm!p}mwWPw42IbM5zDn+;==s}q<6k`lIrPlgVxco)ApK>qEWLmbv5*4l^@in<>( zO69UwD5SFc?Y>Tl-;W1oi(MQmX|R%Ey8ZicdZW;z+*KVG`0z9|zbt>zlfBz4==Y0P z3RG45e zeEuAuSYY@~GQ0!r!n01ChHAQV+B60Ugw_NA`s9!NMh~JgkLEM9t==YXcl|@vNtMam zM#g9ZpVJe=e8lNRz$u=6<|3UzJwS=#6vM?pviVS7m(7LT-z(IYj7cDi)wTBBhfOxm zX(zBrLfQf#-8ER&lWHFOdBB+Sm*ZSPwdMU=HPyO%^O_rP^+XqucaS;E=%TzUt`rcD%tgk3{)AUW=v}O`z2tUw)&GeiU)IbA$ zEcp?RX5bUf$q^%%y-O}cXjwWQZky_uw$3bahd5h*2&h@SKu-c9i}{rd_2wP3->zb9STn41mxjK@cG(hjS% zS33etlz3=DBLMFL1P%d%@Xl(8g1Z_lC?Fu1%HP#Xj~p(t>wV<=#E9n?s5+TzjGYId zOBMmrIqCOl`7#9T&V8f;UsNKraP{l!V=WhdsQ|g!l#u6u|A?5khyl@Cg;7JB!$W`{ z;o`)7b4h}U)TUbv`vw-PI-8Q+ z>#pIi)2ae(58nOpb}I|K*MEs~7Qmt&qEjWi{~k>tH~suGZr?k8?J+7jBlab4(xNJc zw|35{+dslI14gZc@12TrGf;ZsuIt3sEcW#QmX1(<<3~Zd+#Zc$#U~$|f;}`kEkg1N zb>|J8-rWPgmwh2U0WrMT>M>heWg?02si>^ZII}u$vRPoHt!I^%T)X(PWI>qbt6`Qc z-2TC77(}8ICrYG>t%1=z2=`gMYz)jdqZ`*A5s&h3_sI zIKe?DpJX83DOucDFMNVrs6Q2Be|r;?>h{v0Tf_B<4RMaEN`BF$~!f2?Nqe;+q~UUj#ci+ZV? zBz5s<3&^&K_sJ<>9JikG8RXpBeuRNkiu>3;8-Z9X6G40S&4oeALC#Ym9-MfOk%gIG zYHSxg)hWac*`4^>3wx*v<(<{sc*M<{q?9C+wm)T=uMUp-Wrw{m;zw|(dQjsRS7a{2 zBQ;v4nR!*mwOHnFyr?UeZ{MRzg}H;<=l@)y6a>{5$ww9+Rl?+G@ zkwX@XKCaWtAR~+sd9iz+1RN!9Uv$f&+nW`v_J3*w^?!Z%iQtP^lUkQQF);Cuq8^)4 zKU${q!*`19pG&p;C!PFK{f&d86*Fhf?snPn%-q5M-bVk?$5Z@!vt-{mwb8EOj{azV z->8$hAi077%BIMjp>`xSx4d_W`*Xvb|E89OnDMZEv(bk#qD3JYW%?_9i=XP0g1BFH zOwHWg-S1IeaZ7Uc@O-==DrqwAa&OXWdZNCWx9flS0pcv3^IvNL{NMA{f6|vqfT-O+ znyv_61;WLRg|E|*)=PeW8#gWdz5tG%IAi4Y`AUZEP1CSXzy0Ie|L)0=EY-1sx5Mz6(+s{McV7)@w_gnEJfsixQzI_PVo!%HJ3D1ufAGUqr&aqj7-faly6@w=laAfFSy#y` zEyG)v9&OZYP^hMroXhrhgGYws;%l&Wt5+%E^hG7o@Qp`G24lMH1GeXtC|j-YeV%Zi z-K`DS@IkNlG7AT&e3X$&8Si)2>R8Wsiqol!g5oY21P2-3cGtjxrtpi~^|8uIvSh7Wuw&Y7D`sC=2ZhVb?~jS_(`DolkoSvB);>zBHuJ7OZf(Al zv8_iIEHudRo``yPj~!DpHTk9+mx+cMWZgwBLoci_TY1oKtK5^zlGT$T=rwg;pKOxr zrEtFpZrA6hJEs$@^Dgxq|eAs$Fzl>CKsjXe=yL(#eHK>?(r>ykv zIz45O z0tH+1aQE(>o2t$6f4%gt=Kb#Jm$?t zQ#!1=E2Z)_ygMVMET1{sts3OcYt7~*HgP@&SMauvh$%|H3+Ihba%t#eQfST4(s)mB z(E~5wpF7{iv#j^g#$?;-N*-*(RwoB_UP*mCAddySffQ}eKAsEiRDix?BJX8qIlc9{ zIeeiz-2{8zGrZxr1q{3aCDYH_fChIy$n2E2_-G-N;~n1K-3;%wgi(E7>i{J5hAvAx9wNB&W1i-CfKaeM z_*qW6zcQS2z|U797l04OoB(e~YwAI8fIDAV#5EjO5o85FYdG`t`lw0PY&Vf$4K>`w zzZ&kZhWnp9;);K+Bw~xrzAw6ri$KDYqig#!ENwOawO@7*+g{xr?QH3qz^+Ek$VkhC zwW(?z&s7#*UPb5KA?^Epi&!M3mI+@gOnnFMY^2);6!E@;BC3s)_?*FP0x22NUR zr>0yH*p5W?+_lK;=GoR$p0!Cxf_E0&jlbt0_T%E&Z;h*YmAn>N4c{8+x3pNrw(F19Hr(jdMN1PuFt_U7Fd}EgTT+hYwzN@4Cqow%%px#!!mU7+aTNx_*{lmk8J=B z`W5XR!8845DfzPDKQ4A(wV>;n2IlEntU|xSKOA?1V&WBEl;`u;PyVZye++Enc=()x zu+(=$hp%9ktU0!tcv;K;j1qT|%$d478oc`KKMD5yhpI#cevde!$;w=xBpU9&>W$9C zUETPiPBDWw+&|LGJ8RYRmYcD}wtzlvf$tV3D9IFdS#1Pl+*AHOzA|_8@)VU3vCY1; zQ9Jx{$1(rQe7uZpzZPS2V|p0A@DyT9Er*4COcw>-QUfz(%d7(p);m!UW9oNd45C^4 zJq`?W`w+ijgfm(f^xuVV7yck*M}mG3t?L4{8~cZa=tCcE3ot#Y&^w`q5nm=*Vl}m4a!Eahu_9tS?Ul% zRos2BfLnZ}^llcFM1}unA70gu+1;$DUdH%#Q}-);ou=s<%V6#oTW!#MI1GQLM@n8? z94MJ{*)IHFqy9U^U>PyFV`{aL2H%)(f05uv`h+4HsWi6+?W?D zZ?-*EFP66loimLHHVAC=z7-nrqP~B4S`P07hIdMp^bTrspaW^%kHo9y@tf-zsF2+I z7+age(w~x|EYGOdeLRBdukB58p=V0thm|X=%i+b!ywlhYB^j?0z1TH~DCgcFQ{h$k zRU~UR^f)7_n9h z3hLipJg3m|PIJ7^!bT9Y{%rCvxr3LUNj9ON1>JcY1=Uyj3be$CJmEd<)&lF^94o1v z^6PrhjqzA>g}U5A0%|U|*ELc#?r$G3&)F9{;69jF7tWkgOQBCKK1`tt1|lDUY*NVY)yk1Cm}J`jG1^aguCx+V(Oo;nS0cryyG^JKOw>E-vC8nwQ=&Ng+tH(n`bJFPtS=I!SSkPA9n*~M6c7Imzl}d!EAhD9C61B!MaRYM+KQ}L+_fL+EyY6e+U%cP+1}|at7X(+5)_7&t9CtEoV7gVHgTgSu8UDbl5x4U zm&^C2g8tx=dBKWEKZ?@U{4x!B0YuTS*P zHyS+*Hfj0stu&vi-PPSlG?TBh=Ty42E5ONQO zw7!ZdbR(?%%(|wm1Y(7Z(J02{|9Z)c%-XjK-#-dxpFz#dDgR!pV!aWDI^b=iY%8;_ z5>IhO(-iJ6*+11LBT2z7-772Y=TcG+gfQYt+=P)mn5j{aey@WG@dLw4gPmd7)q0>a#lI*1NoUT3286 z&jhKFpyvB7>`ijXw99tl&vbCn;p$zx)9b+j=d&y0!?=l8U1#mEx+w}-x0JQsE!hv3 z(=# zyRGcfyC>J$GAJ)TG|=c`kSO?nRdW4@BUX|>6=ISMY2=7z_CcK)53fUc}UtNn>qw5>l_(Bmk%sc9sP1 z0qAsKyj-QLb2&RLi6WSJPqN_$iVM#7@bh@Gv};Y(7!g04VK*H7_Q>Un*Jm!(hv@E) zd2{~g;ddAJ1yMENVmT_rHm#9Cjl02P#Z|v7l^c38(akO79bF$}G8@!d%i- zOQJPzNvXQaMjqK}IqWG?Fm*JJcj7iHeoAtsk-xj&?CPSl%E+shXmvN+m+InMQB^H) z*E`mJ$7?8TzN+W!BtEBIk|*1>geg+HF&ZZn>_3sN(GZWX| z`bE?cSM|DUJYkKe7xIpM9mZUNF`-YeJ@G{xX0E-+bKoETrWHz)*n1H+!Q9S;+=~W^EDy%Z8hMykTTs`!)r?X{{UiOwkaf(xP8KvccP;n+2MA zBUk}_Rb;8V|I^mJU27PclqUUn*!pSzZxMRyq3?~9*Qp3Ss5iwB!XcZp_DxoV$b#oJRGCx_iM$rmsbGDxA72&H$|hxf z%x~E4W{its* z$j=dUr(43~y+`hiuk38T95KEPS7YOQrhM+F+8;eKgfRb`TD#FI$gR}`eAY0L zrP=+a-AAenW7dUTqC(dFnT0T8YuUxP!#X3y)3{)C=7k9NfGhG8l8RpySf?-t87UGM zuk-WuPe)KNExN%z5kIbh{kVpNN8zWQ^nVLQsT>Oq6oDJwKD(m4t%Z!`^nCmQrN9^O zBSPzopOc!Q?MyQ$u?RkFhjr>$-m3`iCRTrmad6CJooqaN6=RK%}zyfn*ZIk z_rTmj@wM!8{UcM0&ZeUz8{%WHmIZo_V(k}YrulSDjg;`b@oGr0cv=`37c_eWXUoAn z)Qt3{gEzgnC4=gx>}E)KKped*Bv3<&@{Mlr?R>m5rmiJ)u=OQ-|Yy>h(>y;T;w_EYiI@*a{u;+-=SosorO*g#U8>{ph2XIA4EO?uR3^ zm1)YEGe8mWEcwwtowfhkv(8k+P5674fi-V;51Fe1lLcG8LbGi$3ng9e2==pg_;F~Z zs|!Zs@fijN1>KS2vWAWog7cL-pu~&A%2X>~l}Gpfh@ECZ$9;06c+ZDXa#jZiO0;jB zU5TKYf>~BIe+2CGCHi2uXmyx#gg3W1F+=-ZgJq~X_QPanZ3@e|w9%5flh1oEm%xAM2-OCNgB@XMb3Wmy|;*uV~FX6rWs=6AUY|^|fMKO!n%$az8#&k`y+t zoZ)5~R!NP-6Gu2muBT0lYHFM+@w6Q&71Y@l)hWph{FGk>Q@K`9k zCg`VaQ-;d0pm3G0X^Zu>NZaO=dY^mXZ0NT2>TvINS?$I<>IGRkGcvadKbG{sPrT`| z_Qn}P>wJ@F+!dpvHv&0V_|YH3hFz=G9w)r_!RmR-2l<%i7v-h}BA>Ty9c-Ap-Y9v# zcbq3@OpjIpm$E$_q{#-y_3QtXc{;#!Hr$uL{ewB}M$vy|%6|0p;5}x~R07c^JrN=Q zq2?%=>ndt%;xy{XD^t(lcfx5e>P#8!uqu(FrUXJ`^-CC+8pqM9WuKC&*}jpADjyk% z0qkme?{#G31?D(|YqK-HUn=)&O3jR<5jC3z#7R#zllA`ZtjKEC9QY#irqv-1^# z4`8l|vJAdVgef?xYwa#l#ApEst*ELQqS)xZ_&WAVp)+F5C3Pv~i^>%dwMTr+Ur73N zjIs^C{55>CXz@(2!Lo0H;Cu7U>N5nVYloVb4K`nkDocs1<@z^@#_{{8+|~>4txZv~ zZDJvK_dOqFO5yqOM7vS#_^rB^U1TmnlG}qtb~UuV2`gzi^(35U7JZfgi#6XQB<70c z_-lDBbE@2i8G8D3G}Xw7_}}vq_xbcL+{Y}Hn8kx~em=?;AVpBufk1nZ+ zvi$XNf3@77G3J62PN6;^RlVxc?*v>CuvZ(k6CdkJmvw(>LgZI-3)W^OAyl^g6Nn;f zgQ`gLYqQ!+$|1$}bnS@fiFGxE2@D>hXKIZ2*~Q_1!vGW~=R9g$T?`!P@H#=%TT4r3 z*uv^p%@Z=>dspRgw8R2iar5POtm?2;+h)mflcG~aANQz=tA%e|&RKi1W{^$k8OC@z zZ0RTx1kG}5MpS>#=5|RO>&UBlC8}>n**{L}x&~H=SRom{s4Ab`NMgynxND8&ZdB7R zu{F}?hN~d6T(FxD&(+#o5P~zFOc)`IA8(%^qOM(n?7)<-Lf+@5-JOpcIef&)s3Ro! zOv^Eum(SH2nMIY=QCX8UFJB}|$h_>TXI723q!R&f_A)zVX@{0p6{fCgO+A;tePE_< zBw0El3&|ZYtu6{4T;HL*B@JtNHud-Zo_Jkk7YX_dE^vA0KC8a&^64wilWfh}^hJZ0`v znrHuJ*x9dk&5aL~OU+j==DgqPic`mr7X2O`zpU-_Bz8yNHCb3#!zJ9dSi`vfnOAK2 z$DdlqpZH=3zBI*#|Mn~+wOa?XlLxh)IaWw83e zwnPpJ>Mt#9*oBy?SI$Ntd#_+ETV3(rh3)CYT}5uFk7rTmEDNemoNe27Z+p@Tz)?!u z70710!;k0po4!0Yy`yMdYXxAF_VjNMzAX)A>z|kW_}mpACyj=1ZJO&V2>E_hCD^ZX zTh^CUwMFGZK)I{rBlNTdVHH^hYyQ}v>GX}hd1VjmuCG?2D-|^(h7}Y;@#Ti#1FEXp zwR&rcT*M_xG$Uj@4w$-hrEVtdj2L?_*n0(OqxuZ&PEQqo`$>~4%*-WW)OQ9r93;+@ z3U8b=&+q^BpECvj0;G?Te}Q$~bntRmHo8qt8dHJI6_fa9o7Rnj%Z7-e5s~yReuNSE zWvk5Llv6nSvDI4BlP;r478kPV>Fiv}w{g8SB_f*m-~_)K!4PcmYzFq}-KqgI0)321 z)*I=>kAK{Qg-vKFQ;|R6$P}AOBLM&SI4kh`NLZ4Zhu)f`BD8Ip{C^@I0%{^yFQv>Ilv+_`eUTdXxS(Q6x zwi;U@GP(|pZOP>0k+$PG`Rf@E>tX#xrbWbM+bUbwqz?Z3-S5vEv$xaP9YZp=(~+-D z89JELIdr=!+q+5+zu$Fm4z&cABy4@j`J&?04bGO0<$;raF(Tk^*kmuRTkuoH4mf)( z*qEWiHz=YHJ)mkmWBsPd8aSKnIS)>boN9s|K>P9Lba3`zy#+YQET`53Js<~q^WAN5 z_N-vpdWLMV8u-%nn>gsr<+I?d@lqc+S)&p1;{iY3{MV=d_p~}mJae}7{jWKA{2o)g zv4~7Cyo$>@NCqJ)GS#OS6Qw2K_q3jZ18_>SQb~xEi~sBMraT{S*rVTzhLX zFOWbchbg)IlVrfc?@ZqJ36qMbh`LvGgV`_`d;RN-NRxQK;ggD;hviq&TBWUDHNi7S-Co_HI9Fis7QubV-j?@6*_DMQ||cphyUkX{Y?LoA_v>@&<>;V>kNg_ff+ps9}X-j z$5XVk?I&+BnTFLhsg7}*sN*8OjXd*slLmLp;F5Q9E`qr~!wC3DJQGH8{mcpmERWek zX5A>daPw*?y1;_-XDLtrJv;Lq8@X&YwJlsM(;@tcjqNkyWjz~8tH0X`bf@yzqmy9b zbUzP;2!3>VmEf1R$&I$+*=l-}jh$~Y9owV)Wk_^iD%}JN)vm zuEy&|TnZmo;i&t!eF(cVRMMuIW4Z)J;)RbTuuv)bi<1u_`h_M~Q<>o9@^#u;HjY2B z_mq~DE;v0cT|0OmWn^t~O6|c*lNh6Vy&qkE!1W!?InFCer0J5k!-HcMKd4OMmcS{p z`_#P<5tf;vCY^vEq-6j?E*jPw6`=-xQtzp||KA=e=(&QbxG~T@lc~z z_}$~P%`!BM*-*v=_D1@ZSfAys3a^&&iP9YNv&=CYkH0^7&l}{roju`+Tm30)mub%? zW>lP8HUV*(GaarMhhy&_`nd=Lo}YOO9VvvBxck6J(GvN)Q#)j^gVS#7w%o?>Abzf*22bJX=vT1{rELpW;Sq3m zP)rkWoFs_sOv8}dk&WB)XA7F3|DsW|0Zk-^)`D`$Zl=-(yt27K4V%)xQDS<+F5cpE z2LGq5qTHrN!H`-Tm#hgLwaWJSDYIWy;34BabE0Ay)a}vnFHhF!`8C(z24*i+iu<=b zL_OY@KJ)(>!g!>z?IOpwvK;&$C6zzX86!B#BSHJmyxu%14H?MGhvjW8Fz|Z%)`Bbc z!0@!FmXsiGdZ~T51;NMcPFW@FfzbnYGsbdtON^XT%YOOEnVO5@IinA`=V_OWbNjl4 z_Tx?Q=%=A~9cJ$w)Wl7iYqR)}hOyaaQ@(Vi9gW?B*fCKN8_6xADc*CA(8QJw~|#b`n3@0kHn9|<2_qq`v_cW2u|h8g1f%PR7wGOe5n^-=Zp zkJVs{yq?PSqMX1SA5f;xF#{Be>jPf)ku0k%y)>GEL|TuLqYox1H(d*Eux=0|Rm zX4iJrS2JJYnV3oRcbwWNoNeo=CMub&J0YS9Pa%otOnKsa)22~wYT`Lp*sA8AyWY5K zHcMm}k;F~r4qbSi!PBeoM1RPWPT8ToaLxLpy=l6>M}4|(?TDZBbaZhdm+RTMNH^Vj zc66$AuV+>UPNn3zxD$3Vw_L)TKE2ZGgSguf#Xgg%D5}CU+ahB!mp*(m+q~J(R6#7~ zMf^?_zLf<~j{Ps&(p}FzNoX?~FUqE~PyYVCd@YQ;T>5Q>MEf862-0-AAWwD@h!F~+ zChXmxjFz6w{?auUswoMw{(bb)P@@wTB+ph#wQsV6!#f?h~G0OiBdv6-mkwQ>?>4!(uO;F2jpTz&Ax= z2x2szo%x8ruZEP2luw2D3h8ndf0Ey6fF5qc6#$ljt@~sc`gpku_i!IJY$2TU6dCp#8M${rHw>a1r0*Qe2b1vqNR3Zw7Y|Y zu>mfOFv3j6`1IgNg6T}^0@cBLI^ZTz1lPsu5s5D}$tuRHQ+ei2w)=w*_pNMfTjimr zq7b>Mf?rky`V&3(9-!l+o7>G+V@yjiD1+cPJi@exoemYoG4&{UOXu6%ly3ZYG;bi( zC&heR*>Xs;B6%gLUCs+%j?ka4QT6pedHLh8eNJVjn7GCP+vFE7a)YQTDAwL3X z_2~FtrNrscRS*F9){i1u8O5UE9RfC*SP2JvNk`UMvdrk00|@+Q$u*B7HNV*iR&DP0 z0~^--p#7ZAVDZ+_5)HvL9=w!}ovI;YxfKg{18|;>SP*05LxV>QTXpFi`iGmRL{CY& z;Wf`AnWB7Q#lCj0+6dDF(`M_GrwgyPiw<=4Pw!SAD#+cEN%193+N_QH+`);m7|C(y zLRdUG`pB}__uSOcuW4@?bA*-K5h%tUjF_bPD2&jtd;IM(+c+}6(8^7g=x|oLxOLOG&4(QFkIjsME z)BpYT{(rcTfMQ0URdoPdAi8en4N{LI^4va%V7*% zv(>jz_|jk}m-?Sq=XocJJhpPg>WYL+z3t~B4&~n58IchX{6CbE|D@0Jf7tF+9_ZnC zQ7#pQ>@6Ei`Gfd-$JTfPlOW`0S0y<6=8swpiZZD#{ev2p+NC6N0D09y>cx&#$MczTV|u>R>RgxFd5% z#7_Z)RW9$!u){_LRp%yUxJ>s<^A5=_RG}m1%E>-Ck>2I6VsTUBob0T}lY9F@x`;EZ z>1xNc_rw`G)e+Bx;~B*oIzt6vxx?+!Rn$HeoA&IGvt|)4Lb_D+?topG-s4>pM*^Sj zA?xPZ=DvC~dETP5FU&a#2uHe6Qi;oDB<`@~j5%Lv+ZkEmLmQ0^_6B*`<(}Xnk^B8# zednl#`(xknD{osgdFCd;{`Z^y_gC;ASAk374VXHc5Imxz5q58RKaWX%V3ABkWtE=B zD}dta2+p6cdCy&YnqT>m(-KBzRgukmzOj#|Gy^(k@Pe*a*GtNzRbC(YPyMBTF%W*g z5lrX9EY(@(fv;Lu{~}##UA^2v&*={~@wb=%s%oI_@a^t@1eeF$&ebBcmz0l5gEeBH zCZ%!YaB|NN+)BomjH^89!Gy`1g7K{(C=pP%y>XTm-s;RlM{CwJbFx2o+fICblyGik z7sA#Rg2v2Uwjf_E_8j6RE%%=C=_?n!aUx|XR_@f(Nvxj$(9b(g}>;u9(s7Y_mtP$rmS7W#^__w5ZGhpq4)OBce&;c zM)sRTy5Pe?j6~apkP{i_!g`;)4f1Zr6lf-;iLhhs2>!0DGm8VYH0hC_b#GrbON&g+ zdTN~}b?>Zt8PT^JNC(75SAq~FOS|fV@xuGJ?Q}4k_f-H6@*I|e)6CqKsG(iapJ?rL zpoe^239;jU7#;ufcK`71)hOMeb*$*WTCXvAeeK)q+`;g{%b80)qt(NYxG1v!sO>*# zL{HnVpIQFwgZ4&P*Olzj$Gc)f5tYl{xr@=KsKLd}pU0s$BTgbQ%aY}@T!fexIi(A8 zjWYK|x8QRl>e9*u%KEq5d_Hnp?!)$p+|pI-Wp9vq>kbE(3V1cm<1$a!hZU-XuO`p* zN;PYd-d#fowudTQ2i>FtcTXaT(M6|?fffCMxrHfzYoWW+iCvQ)1~2Ut0rMC!Qk)}Z_0+&dsMD|ZA88>!mm=RYK_J!48=8zSV3ab>-yo#j^0 zwpzTTlSJrQrGh2;Lm-l%6RcXUDs3|!Dh3~ke0obpF3$@kIU{M*Cv?i{Z`mN1@B4vZ zfd%2tqiHH-`cWV3o(7&Z|FVFjo<{`1+a@(S`(=}fAjP1g-ctr5LS{$#B(UOLHBV3p zA~;HEmNN#P$H*_~b`=w6Q+(Kl!chT*p$8JCOTk9=u#nzli)ZLz#Y!e>A=kF(<(UrF z_Z59-4SCZ~7eD~bYc^j{5;*?86oeo|r1+ecJVKIH^sDn_bB@%xnaj{!_?ds@W$bbi zdAJW`kX$$^ywgM4o$$nB+EQ2t`?1H?l?g&rhH8>A^5tZ|n$W-r^*72m{My|@%`+bueX6Ys45x%_-)0HjQ zS*DfCS-Yu>dfs-iO7^<6Xw5uinJePd)7%?(=Q(K1fg;=037Hm~R|4d&MfO=76;qFI3nuYeWs}Q`}Jv@AQWU#14 zVaJDh{aaj_ZkpwR{v)CqRr4TQ5$=S_KI83+ZqFXuE#JTWLTkykFWTLk=uz}v4)j0$ zPax3~l4U2fO0(O(j*L@Cs#^xX)ghG0yvM_8dee$~e_W`Kv-D{?h}RckbV?NzT#&w7 zI|(74U&|yBr%ZF}B}mCCB0`^y_o=e+?Qkm)Y#Bsa_!+5kzONk_4Q%b_I<(8RK2kBmq690J6D3=CNg4{2Sg;g(Tle$Rkgt>bL3)qH;apfXB$@a!+} zkF&~ZbBpDI8XkUuC+G5-wmXJ{h^+9Q6E>@wg_$vI=>c;*7i2nzVpp>X#x z3oT*8?U~;hFGcES$>N^Or;+ZdAc)!zgsarM9QG!J{+gx_KPI{g!#z(Wh}qn<7gT`T zF3cQMUMm<~D=jOjhoLk=c8L1QC}HcFnJK|X1y6jMBz+*~cQgSd7w%v_M7rSqUW!p` z)pA8%)wGPf^jpHKM=U|(%tX3<<3#exc34|8hT&`AVP)TT*0cF^E^6#|tHquq?O4@V zdGj3Y@Yk7#{8kzD9)(L+!)!OQ4ORxuxl7G6=+iQ^tJ4;xsUJ=`nCr@Ph>E=tOuFRvbt(fC%7oZe}s4t3xUeT z9|TOPyw2+U6WJFwq<7fk5XsT=#ND^wXPJpuW@46^?a7t`ozo$@sd)oc}(^I?9!x);;{j3Mb) zRL^;`zbRoM1r;@M{0$-V1vF#0H&iL_{rpJmX<-*9SpbQWhN>*B*Tm;z98gaJLt^Ei zU==Tbd>rUGZ(@XNAU2`tZs6hNuYV5RKBPXn7+Y5_>Ny04YxF6H>8c#NeMI<6ZehpZ>dS2AfHH8!Xe9%%NwLAD-a zY#et~Di=_h;UK~R>i+I>o(oq$MoiteX*W%Q4ZBQ({9Z<=`-pEGKdUd>ZT0PIYi+M* zSp(5?zgo5}fJgUWl#P)xHaZ|)4UPEOg&DFi8H6XL@l#kE+e?C}vW0*$&?l7Q1y#(P zjB{~+Ph|-XD9Ndlvhhc@epcvyii_Zd)`zUHSzTh|-XBqBdUZ!DRo5d{cTa;XJVxB- z=sWV}owU;_8lqPr``yL3266uFPBq(2wl%nloVYi|!#Xu(rcOeoH~%h}xp|X^BbO4gLd}SFu8(VSwsY4uFJu7Zq*tmW}zC ze3ZN03@9t976K;w%%a%`=s;AG@`+Od5}QcWwik|03G$@!#)u}WR;w}-0jR(bMXv_* zW!^O+`cwPquHP$YNap1%8=62REStEK8{*(~!|dEe9N{gR-&5v&d|531XybBHU(nXa z&)L4=diiDOtpE6tE8>OxwwcT?7Y(r@O7h8|ocSqI z%Pv2&!i|LUbIMA{F5+k5@1LO55u<{ulkMI_c~8z@B`8(SA$NNRv*pqcV$P|EMNMVt zLZNKiLIG*`SK=Y=fw!_wqGa?=%zDAVbMdrUR;4ghXn@ z35UC0s4yQr-A^v5{F8>yW9psE-=O2}xq{fh1*SsA90FykvIFE-4nx&$RkQUlmxf$3 z=qZ3YS(?~oEBtzs`Pdbu!AXQd7!CrmA{gn`pOu6H|B^zYZWVT9Xse@3C%mxfYNT^O zO&GRL#jRsJgC54NHD>)Dw+=bEgMNvG9iFVL7eZlj;a#>mVbeVvS6;NE1&Eiw_y7e0 zu`g=amw`sP7%E(T0Qg=2*{*&}P}XS5f~-EWoJ}s};dxj;5c~D`gmR4F*8V;If~V$x z1k`Ub(IDD`i0^Y)Q45BfUyxhBDzuyi)mVvE0J_l>-pby2S!GxKI86Y>432Or z2f5(JtI^{sn6Gd!f{h2!K^5Hi~5PZ7%k2@ABCGKY=u1$JZ52qM9D?q9;UKy^eEU)ehzu(RrLnrmNDYt(-c@7QR0csP z#IR_^T2>Nz@6{vKGF+psTPIumg3i^KPv{SV9LQlPyJal~A$@Mq@rMC?_@{Xhi;SB5 z>`-IjKQvp|gwKg@8W7%Du;)FGSwUgKTGifKk~XHx=MNi#RrBxfCeAyk?D6frzv=77)0txm|tFQ19S^ zHMNpnM|BzMz)5+vom#1a6QhV7NQmkV8L}VpH7-SkcL|0vDdPHe0ylT4lxlG)FKFZR zZUv`dX%{%1)nRd+yNDD$(Q3&;6wiz>Z$5XIe%T_ROw|7f)+a{c`hN(7?-ha$s&!&?!5nui^8u~rP>duL{@3|mZY_iZR zCFt-_2;GVn{^0K$KzGrO4n;1DN^CX4Mul9g*L~e+RDRrTwU?vqNT5}YBrBCR4WIT4 z?2;YaJ14L@(qI&&SGip6Pu@>{G}&<~PQ0~y_d`pZUd<|N?}tA%A;DJ|J%RQrw1+H`Z~q1;e5W zr;ZAw-dmEWeJ|HDvZaz(vA{zzpsa_cSH!#vKg$r62FE;iWWpRVHUb@?lv zDT8gZ-#2<=uacwBrg1pSJgf_>eJ@Hs(=45qbFkOwO6E)64AF^Ufd=Eog$wdvaQ}F` z=i+<6P!G<&Pfw7&xpAEIB6`d_=hMfv7qjFo^Ov?kk{WT^82^fW^T~GM?EsZjYKtrbOgKG|_a!R(X`SO(SXqQChX@iAMdy4J!yGrqSoPJ zpumeJ3|2ay0eCkMxh^7d`9JlOO@j-mODY)bmt0dXVGp+zX5Rj|R`AcFUP+pHzi0E|F6g1Bk#w5%b zlG&;nlUAA_WbIAO@;z%+wrcuN@Z1%1c`Z{VWlSn&P?3{?$T|~%U2*@gI2rcGFu<~I zSG<3vdeqa38$_~B-Gu?wmYyH>*)F@dv7no&s&6Eq5dQ+6HQvw$AyB0Xxg^PW=|J5s zf0*gmm7q;~%zrP?gGUN(=;J)*3BB2FMsi%}b0#Rt#tH0ND)`B+0f7kKV)}tYlPUb7 z01VlxgK&%ZU~UDg6pD>+2{R=hbpa8Cll7wW(2ZlWVILUbN98jC@{9A`pC`3cg%c|J+qz%-iG!CP#!1my=7?8ni%LlqTKG;aO;A6S=NpFWIC3=C!E+Fw5GbY zdAzm~mO{I^1yYgO@FDvJOrjz=^sr&TqTlYi5(gQmsb#bg~oFZ^nzL7%G~$wRs-l7D(S9Vp(y821|P?F z6Bha5eQ2UlsjH}gInSizN@q=-yQ8PW9Gb2}tc-u1R_}bbK zCxENc_5t9su%}lomRp#9Cd12dJCHjp{Avb-HMnV+zVnZoHqhwne&K>U$Sd`xN41AU z>l0%(8DE0LAv6Pcx$%&=RvCG~Inur$M%Da{ABfPd>5snhR5jVT(+9*AY9#kuy$&u| zI?ebaNbh416cT0`NMJ6-f_i%84+$tBrhSbgAko>p)U^}!N5^>ByCgKSqHT>3TRs8~ z#8bC-ThNx@hV7#QOz946(}Ql!HRNfYtig&vKHv}kjt!ZYn z6R5{c`I96R1pa@9)1eEz5{`=;lW? zo)Bv2B7y|n7~~_`^p;qk&#coVHL-zmca5kc%Wozt@UjojHaU8_(LCQy%feDA8qPj{ zR?Tdh{+eYlYSQId^4d2LZ-6U_66K=z^I+Ts@DOiDnDHXWl)*{_q*L53CZeAw z(zw8paP7zyv#x&<*Z%_U@r_*xQi;kCS|e6GU*$?$pCQo&bd z#041dGh($pGXXI)6|dGu`W{&3KkdN;ZClj_D%2=c;8e8LI8fZ&`Bw_4+K;WZE4QL` z$6Tc!`ks|S6Yk{EJO#~R2pWN@k%Ohj3;c|Uky1HwfU8!Fs@C%(?kX(DEtt`VdY2V_NIY5pXCB=eK&y1AJ)Vnu^}+QP*g8h93wV z^k1%-+O2=Nid*U9#X)@k4*aF1xJtG*M639E?n>o=>c~(K4er$gHE9EV7@`au-K27> zse9IgFXA)@r&B|_Y)3r833$T2Q4o_kWDMHMAQ-COp1cY%DqN%W-yMpZIKcxkmisy{ z^LNlAn~Doko~p+7lq{Of{%X;dq8iZSkqE^d4*}$50r+d7S&O8>0twE95eXK6#RK1UYrF%A)eChnLZD!$Qu=?x zF#emIpG2(1_)fVXV~8?0V#Git7X9XsTH^Hf$OqRHoo*9MDc`&}?8nr@Cx;_Mr& zZM z&d2i`a7Uu62cJ+odAc}O!&Y+*aL$;-WeKxT@)b6Yr!N$8dt|Q%$9CU((eeoS{uPzK z(PX)T*l>!VxPq`{WezUxw%zDjy7KMC0dp;)FoH1tC3o!4#NIf^v`6P=3o}UGu|(D; z|EUng&1{@v+@?#EWsI}kY@NIxfBj5pdox0wiZQ)vVfyg=>iEOVjO~@a?DVJO%%~W3 z(J*RaFOw*|A4+(;36t2+alsDZ@hHb|IgZFuvmaBn-+cxjIemFgte&&@%}h-Tit%Gs z24~8>iXt%l?QSlWqC;~~vP{%qUF*N6vGj`-seAaYX@>sEu;v#qJp14#->E;7jaNUk zHfL@#@;)y9;Z%Ie?F^E%VbQir$u$x9G3&$kRBtoW@>y{(#q`|IYpSh4q*@M)#+3(; zpmYA6Qg#@z-RXt$%0fYXdZp65y_~yJXK6mh)zTqEwDuaN31_)isxna?EmdLpBX9>r zfHMGmUxv>qB7!7!haB&6@{UZ)@^FVOgj$MDh)fMSQ)4npRz(bZ(rijm*okXv<@-%E zJYRmg^0=^#zMxDMQSR=fg65}EsnPqS)$F?_mNz}TnXGD1mC3LeT}oJM3m_Dwf>_SU z(;$L2y4%hN05`r+usKAgFha}6clx|DXk!0rf>G88yz*?zs!tvqzRme+QaK*LG^WVs z=!(idwVK&Ot~=o60uh}^a5)+GUIZr6_@>vY4bMb0=a7D!xQY z2I!?AZI*pJ?zh4O5Lx>=`H|{kH)~PKLQ$=z_n_Ihh}Ae#VY3ag3(qxw5Ohc%-ke## zt|Giwjq#}_=lp^;$1PUS@&3GBcRk(zX{c)7D6IcMyEpFe-dIzD?{t-YN~PWnjx$$> z>9d&@cRc5Xa@tM1w|Y@4fyBFJv5&RGI!;aIt_dpLNSwr;FLY8lU+CY;HEju5JhkC< z-g>-L7EPhDDDs4d+^{#B4wpDJ+!L~|65miK-0#2Lg~Go%=qDX>x%OgP1)CcBK=`k)|9dP&0zb|}Zxcqqk|9N?!^8kCB zd=HrPACb21h-%$N2-K_lBYqeR7+}wn@ndygZNkhQ%Zn;te~bH@L;jHWbl(B>)=kEn zQ6Yyli*6uN><;w&VDi@>=^J+9v(c^er>d=v8WS*Z;Zn^T1%VUN$;_gp|S?aky zej>|+weT&y_t3CMAwBo-B-JpisRu?6at-o*h3nQhhEZ~Ays4Xsrm;$1N#^P!t!Rh; zwm!j|Lu-ET2(Z zIrpQPf-`{u6;-gbU`4j_Tnwa?FsdbSMt+LsO@k~L)&tv@q_*OgsEUxTfQ5_7Qd#oQ zRfKt#Y)$+uIw;E<_s)$Z0)&w}@{wBg0fz0b zAKc-U(mA^F+GO?7+2TtlEM^{iK2>#f&UZg3;YMV_GJD5wM0i1Evxc2i4sjw?^>as% zOAT923_bBmGeb`Kr-t=ihH}|y273s{>xUcwH@H@uX_W(kI=}rmI3WSa*M8>LA<)9#I*xyX#PZFTF`mn2Y%*%zpUL`ni}r{*I|}M;ATmeLL?2i2Tk9RsNX!B_`d3{YDzRW z04yDG^c*q~Oj&t6^)R=}&!37t>zGz?r+-6J*n(~+4#O)c%o>9R;I>V>R;=|=y@}%#%{046qG{QteT^K_Z*&#DzaMH};wm~aUzL&?1?B+?eIu}6$QanxIS6gW3*$DHoWfw$8&ePf?yc-_RS5MJLG z9IvLI_ARm5TJz_6x6Y(gfGon-)Ax?9R zPgYbf0Qk@_u*GNg9)&@buP&72;r%RtsIgM;QjqSG$1%!_I^KQozJ6q#iuX_9e=p(6 zPuaNGaVvA_-p%v9brn=PE3ETj{rk8EeOo`=`!SlMLC<=NKa+83mxDEoy#2frLU?~# zM*Q^SM$$C05>=g7K2~YEax~ua7FOsb(K(d*N8ZaF1TfCuw=z9o#NLaI9h$9d^$f4||Vd85< z_%{80tVaCok!c9?NCJnBwD#qKGKE@*E?+6<87>zM^N^vhf+2|F6WM^hwx-0y^y|1p z4-0mP&Tu0T<|oadSBAcxZgo&{m8UQXuR@^N55*L`$n)@vhG! z$>(sHmIwsc@id>|K%{+6%Il+{K5Dqe;H=}N$Se(URP~%&)taNPo~$m)PgG50GD~Y! zvZrMq;B&m7xpIwD8nOlw3E6WG(Rz=h;n4}#rEV*@ZzLXw<468GSLrZghts(7%2KRj zs+d?6{r=kBDu$v)VLx&;nkAPq7K#zlYW%dMTX_eZID<~+T%qWvM#=Bgi$-P3Rzo2X zBS2R+XL*)1o%k#O&WUgwaIaA=lSPca#%A^Hc2wl1%8CG?MOjKJU5qdZohAa2d$_!Z zW9#e}95J*T1qosUft+0~VwJJ1cu_HoB?wPH>>Izo^sxt%ya|4|93-fR>DQoxmY_xv z4>VjFhX>I2#ElzR|UQPtpzw_M?!GQt(RweEy3osgD5+g51Sg zG*R3=`KU6jvUDVTXsM21{(uYdj5mfkYam9xD|Ep{0RrAT;Ey8#eQyj;e6tGiXV?WW z(uGvI!7ZbN<8h<{baYqJpsh}75BB*4iLjDxz~$}*uEVoKfa$MFR{g4nl@YU!1oSFv zpZZWaSs@|=r|#psKmDzAg^N_O{OMXs&JWu)wd+nN;QZ68-j!_SA9B?W^8WLk)cxlD zmKfyJ4|Th&$S$vFwOf+j1=YYORzhqyoo~}oJ2N@8C)W`(98&ka6($-yVC%A(%(#cx zXmxK)94v`;h^s!UOns%Ps_n+F-6V>e*oww4>H%TBAtKEGandfuAJr3Cu+a-p7X~(f zc-Y5Et(R_RA|sQbK8}Ba6>GL*8P=$qCLVMB)Ct<8s?VHnMtzqTITsW01Zu|q|9T-_ zS}H0iuhHv=TO|5by7ETj%^DSBi*~0m3!ks2F7jWeS)JRD_Vd0!z9irX5qP%^z`6sTo9U0_BxEB-_Vc}G<@)&BmkR^zx| z@NmBY?}z|8(Go4i0@i_8aM^+QJ?Q7AcUKv~yJ%;zZM{Qer2PJf&(MD3OExKy;cDir z_t~%I%$e8nH{mRVv=;UuM6c3YqpJ?5-;b9REZojz0YBT0>nXXsK&hXt ztf{?rye}Y{y)#Xct6%DqJUo0uzk1@SMhEM6X!)#r#)YwJe*3f4!LSZ>yST?WRJr)E zz(SNnmcFvUp#yxuh3FlCn^gCzra{!Sg*Nw!lIpA~+CnsyR0SBd?#(8IBcqV)@(gUY z3L@Slpg+@#=so4=hY&T}41z(cbD%}ynNtE#nd8b;m+|0K`M>=z2)e)_z%X4mdlXH6 z2S}tcs4rYN2#fwE_rlZ(8+h*urFd;5f(Zfe`Y{z%2>?ngNDXS*;raxqL<4X0XPSlj9qBz&30xxU4I)+z=4n1^FosJiOOV%7aG1>iZ(Rm7>6bnCdU z=k6gN&D;G9_OLhXey-Z%PC=%k z!;KCh>tJ8!FmaAxQ23XT9>Yx@b}qONq%Q(k+cme=BO_=dt$k#5Q84h?m$kPvw?m?u zVd8-P0Qj~+>kQ7i*97u)kEk>pB*p2A3aV;X=EwAGtVn3v_p$H&wr#E_S4CwxB?-%m zcY_a?hLXaXQc-Wvuyg%ANeJevX!qS&Bt3S#X~``Q^c+(yGgf;QaAHp4)qw_=lj@d< zgYT~$RGv)aD8(#nKUbnjc*T0|0QZ(k>k+{|EsOYY+TP z)Q55{J?fhL?PXz?KWfNQy zBX!sCQJfsv^U@J5<4ay-Vw4)ia}E~&*EURvlG3NPYo*I>C>l??~mS+HLv9Y}Vb%eO{u*^S~w(S1N`=okQRd!R4#eDLl+ zu)hCVb=-eeTD_|3Yqjwj_tfIIj>pVlr0?O%vE~iu)9ng7?k_Vc8??8E?5Xy(8v9b! z)!1oz>G@W(#IrpbXVS@IHQSt$yK3TS<(j?08U&o4#aJpzoSS_1NbtxbuGP(;R84D} z_6$^5?dfOo>6f1>t=*E!?=w-q z!1i(V`nQ~+_-M7Y@*gLlK-ty%Q`iP1K)^Sm0N-FU>_;bLGbQZ{-r?;H8 zLoN?;l`Ec@U)v~IE zwNBLG?G~Be$rk1w@G!rGLsBpYVxYQg$;Q6dLpGlrKiFlV=)V#0tPK%6NZ}W?V6nJq ziCS5ihOETE{%DRCbIu{|>q20pIM-wE4}gZIH4-5xth;0-r-cwQA`C<}A_Q+XN!*t{ zEz&q`zCQG)XR4dJ$3rQfL`IIpRYybBsG$fZ9v)2YmVI9x(r%V1p?%vDa^C`|w>Ao) zVSa~kY`NL^^(_a6^s456?qdolg1f5_uw65~Kj1Q68S*j*0gClO;9{LJiO+relCv1I z4GlD5L0QR^l?>03hX5h0SfDE8o(xD*75bB#Yy7tT-sbuDN+593g!UD_DJWO!LlpAwsrk2L-qG zDqc%y4Ma_%K#pkdeKVyfSIbu%G78RBZgY7zQ?~gz}Eu7mcN!OhN zs3VO_TKLiLBA!`#M4iwAFdaYYJ~v*JNHR-IK(P7iPa`L$n)_5NK7EC~zMdeIo|i9E zQQJ4oeDOr)C8jP31se!c;B#9@0@g5OH8urD_@u}(eyjrA4D-~dpSQ(4qAN*a&sAT) zpC+N#U=`yYoIIr4{rRphO0Nz7{>`Cpw|@CB(q!w)%@-SPqxN?$lZFWf z+819wbh`Cqd(x8!=7-yIjy*K8-n~a>=fsW2+b18#n;eTec;egYD?c1Q7w>Y-czm!` z&J97baP(+0ezaSEq~kb|JO!=@A3WnMT~6^qVX63jX97lCBOHs+Mp1P|7X(hCj_K}u zn_N~mUD1ricSvC8T$N)QbVm5;NlLCKQ9Hq!UiR3MZ6YRweqteKCqa6f@tmSOmBo^M+cnn z|9j*>Ew{N=+Gb$k5vG{jLE^6bY;jk?o6xNaz+fE&hIF$MZ1Z^BM*Xg;sgJyHgrcjg zl8y_LUwcZ9?$X+}m+Y%wUbT$MnEO0^Q^RZ&yVx$4ZC7ga(ZMkr4q z$ZP$m5z=2bl8$()w$k<$@XB4kYL)hR&Ao*ar0AZ-mlOxIRY|v9(@J4}i(Zv)xNlx$ zqi!XH=NsZ9QY^u-P1$efqhJGp)_D2Kxe7=NX2|TH0)nwQ!kQPc)IuTUD>p-uY;F-* z<|}}7-xhM=WEGE4My24TlOxbDh+pu*Jj*ZxV8=zij^+4& zHOs*0P%?ReARgfyx)FVX2`OmDQI9(cDC3&~oFdPpn?k}`@3*NhQK0qU*jp|&?4Us! zE`bG=Z;?800}uN%LNuKmfspjmDyh;IYD#Z+{03PgL0L1>T~JQ5@?Q(C!H6?3b4YO~ zDO?B8l#7z6R!_}t_U@SIgBh`=(E}}RePHIMbD%rzI(fR8@cHcQXNswSX$<{w=x76yANIvsy?&6PA-w-M$gtC*jUN zn%NB;V7_VpV1Yc){u%71&>CSmb#+tLzA@d{uisz0-xfB1< zcy+%PDQ3Tgtus5!hi73BYaXdRI>{UjHK)+N&r4^T^fU_G&-2f^58H19`@kFTdRmrw z)=8qPfxkx$85(@b)pXOuDYB@+Q1nW#3*YKYIZF!rX+3$Sp>mVOX0mpOX#3Q!$zST+ zLLO_?Nde?FJ1;6ZKc?QLt0>jB9b<3eA0Wsxo>2}c27*T_KnC5J z*%*C?V*QbX<`-16sVigw&53M!IAp!mVdk!BTBgWpbOj^+&$mnG-CLgQ#_bCb>&sX& zgFc;v&Xj|s&WIzTrOU`iCbDEXU%s8Qg?6d^Ic?VBl~ni(qUD) z3fL4p>F{p7*}eT#-!zQVG@qw1-IgzxCHua2a4-*<`(c{@d2XLgUYDnlATsn^?Mu6B zb&Rf&jZK|@j2kN0a{ARV>S7<2gOoiKsR$osSn-RuRF+js%~b9o zhH*ZE9*l&z&G)2yeydjmJ#yZ<$~k~qgk4e$P#azoqnL$DQ#PnqSg~iqf;>+}@9dQt z*+V*qF#pPP{m>x{rBafClE0!~gn2i|fYsnK6*YYOR#Yjc~HJ^Bp>EX%k z{{-n)St;p|am(*p1bxo=Zn#XfZqRQ`HD-56W&}gg3ZA{9=*2PL#^S zc}1GRn-o&IVjheXU-fXINtUv7H(;X}xT)&6fF9(wvXUSZ1U35L}|v@sK|@B<~5=ZW)uC|TrlmA-@rkV z0=4=5hxBhrhFQq6nRVB)gPlWe+bpps!6nhPEADv(@W zzZ}w`+v}U2?_q9QJC)&9D*$5kkW<3N9}W=@lE1+4pE5%8h%$~^@a%=?XpfgoZ)wtm zi0X7KxC>fvPBel(4!wW`_ts11cXX`Swj*9h{*Io56mf4JcU0J9qN+G?*R4+g8BSH? z2Gi^GBM%C=5mam|9Q*gzMTh$pWz^2xx+%>4#qT#bopb%jf)(CrEDkO{SA#T|%Jjdh z#7NZCLYap(?oGyIh2_j8ax?ti@uvczv^f8!Te@emXp+o zG*7YlGu3H2JA{6Skf-actGaIq`g!h8JwQH+PdRe#pM-_~bq>tW-qBwf#`)u1%cK3e z4+o1kdmp+-F_a`>Wm32E7zFVLpZV=;R3>GFtO!up z30fTz>WdG{=|$v@ngvHX7kDI-Dw7gYsrgx7kOL=9q`GZ3HMS=xT?BxGJ-t7Afo8E@ zMU~Sc`chs&mQ-9NU33rVF#rNkQL3r;COA)xvUr1=p^v{Tz)}U+{mref)%GTAlGy-Z zMFf#iBc0Yq#I(*s3Uu?DZw_cdc=&(2T>{63)7{TCrHgUM{5?t`B2m_pTMwtkzbU(_ zqt?YY)JfQ0Hff!x46dw?%BpNa*=24;?cIT;Et4g`uxw1HpFgsj(Ts1Kv{Vbb5wb5* zniwBd2Gcv|Z5d8txU3b3ms@CW%(ijRnvu(uW6q}24=^x?%aN&d2V}K+Y?#~C7l$7% zdpe(H8ccOi0HqSIxxVK(WZPHC-Qw#V?7OW>^=ck@@ zQ8FM=cvEhT^l#hAdvDY|0;fg4=E^Hn$ADK&*)O!TzfR9QHH_%4cyrR!w?aN8w$}fi z4GYaRETQJJ#7P`SAztlD&BrupM+)dXlWdNfyJvW1m$8xJ^)`Yf7*kF`BR%Jnb%C#o5gipko@EJeOqpA1Q~;f*ZeYa*JQLG57^6{ zZY$xyWvQwkg9Y?zmuw0xKVLTI9M0HZxaD(j(!C;pnluy~TeYe@(5a7ryTvFxtmnjt zCty^$d(crI?cWujeG8mkevzM(39z{nn`&;J(EkC~przRffzx(d*r;E-cuN3oo`p=> zySPA>e&%KcD8ZFbJ3BI+j2VTtB#b}^ALP-Rg=}i;hEF-V8cFqf?MV1}PezLRT$!DI zP3UYDaHvH(k)xa962@P~>+MWn&pZpzbi-wZ%nK(;ytI{9I^dtdSpMFFp7al$QhxJi zu&d=I7wYMbKU#iw4bCn|SgpvPZHPh!7au4bcRbbzhDNIV_)DbksmbP3yQA(k6pR|c ztF_HIDNgeMz{a*VnA2mZH|lIOZE2Uel!JS=4_L0h^Z&5-o?%U9ZQJO~Fv2*Lj4}!$ z5FJ29k){JulW}+y5CtnBEfkT_pp?)diHHzUArz%UbVN{E0Hv2u#DG+30R=+|36K~{ z2qFEu<2>`c-@M=ZyxV>3y?^ZEcz;RYzE@(_y4Sj{^E$8d)Px_v@>l1jnhuF6bINYZ z`+q@NpRmWb=ke02O~+};BW_Qrt6ST>4Ydt@A}w17cG>08uIk~4o_J%D5ouolyJ0%W z>a6&<1q2%|7kLFCx3*O}_-S;Xe#1~aJAyGrZKSGr`1v#I_dgf!Q^(Q5>TH&`brFR83wyH(D*v@H42sMx>k z1gpw$H!WgZ|AVvr`iwQc>TRq8BKdMqpD*co!-4UxEyKM=>7dcf(I}%g zg1DpLFTjz0Rj$Va&Rf8JTCxaaql#{t?!4kiCZfbthkRoS~| z=E*~s=Mcfy3YXW0*Y-PAZJ!5a{hV=Jom=H2H7`*%qIO?TZ+*vm+wk$R-uVdX>kF{+ z`XEX~`;%z@QoV>l*Bh@>6$y-qUpT6ZTUyh`ecB1}s>#~qA12T<>GqI*HRAg=$Ag05 zclxY~PjK+-b>*>{srs81Hf?xzPq|yrAf@mC$PWp3@0<hocn&`(n3v;4S~qaD>GPki;G!5h7+ zTX#sR0B^-J{fe&5sl`j5)D~ z_LMgizZP?esJ#>yAz-phQL}J`K+hqq%-QzsPi06ZBHth*9KB@4G-Kh3aTbuNSYM-9$IkA!nWH)C8Rw^~Sk4i@&Xi5vw&MWw^5O-14Y5TE{aJB{~}4?~CCq;n`V za{^Q|%dq9W+6p32uN2mJ(j6O;WC(@KsSd{2c$yArC3aGy;7LsFA}zRo*F`ja%SAbP zJ2a4yS?_QS;6ya1yfhr1%&xs7nmvEkvNTA*fU{N3(wn{MbvG0nQKUs0mLml%6sj?ppRwI+(Kzp zNB2pEIW?Igs)qDI!d%a}wetC51ykpzAF_3DR6z!h7n6emMFfsm&?K-g{W@jL&v&1tR8Lfg1IyerE5U@AhO_A4an4Qj%t!Qd~18@&=A-aBJix4M{v^_r4-qeVQWXG^^|_SFhe zr)mDqi>hH??N+V!lv3(hHR-IR<<}>^jE)lS?MZNNRYrn}{Gw8tnrG~PZgWX3Et)zf zD2a@d{eo(N@$0WZc|T9kjP`)?M`g}jS4GVwmNt~S2Sweo1`%iW_P%?&0IG?wKv10R zmtTqwC8n2w%xcG_3L3jJ+-sU4+#b8bJH-~6>OcLK3pjLKzGT&TBPUvDC`#OsVOrI_ zKT?Ch7#+%s=-)#*(dbTe#RRHQa$cV~J26ED;@2{iw8yc2EJ&OlYt;6`=8jzVbNs3?As-(!>E%N+KsRG2WZ| z&Ew$pA>$+K4gFPbPpI`cDy)uy9K)oIu`eJ7Y4^skn_#g>2B*2@LWbXJr>3b)6!M!d zp}*Py7t~#X)nC_^-hT4DF%e#YixPBPk4P?=ztGID)L1|~pl+2QZ7xDoOHB=LUuwB? z@(WYPb|7`kRACig3%jr7yW`I@H!#33aJ@%6JQGO7&WeEkAqF7-mKO~__+syWBQOBW zFf4jYO5NyP6e#AEU?PR`kIb?-%*7JTqPcgjD1RF-0N*tj-6pHOMV!lA(9Fo&WoJKj zeT+zWD(CLX7oaz?_teOn%V zo?`$QsJ8q`vZ)Gq)gSZd3c;5HB>U;-eE;wV4arvP*8)%GH!$~QvH{&D2{!PO?}j#U zO3mv;p%4RaiC>Y^I!rQ@3%!4N965-{!AM1a=CU;h~@IT@_pR%(81F5DQw_yD~nKAd|#1IPdU13p!! z{JZ7WIWRNuH2abUrY1pz5Z6+S^Z2 zUFVzLKMQ#O>RPQaULQvcwJfhmFi@e7$!J_gJQ!0-HlZ42G#csCD}rsDAr{&Z>UvhN z=Xi2zc|YmrX5#PmhfVFc*|0Dg&Sdbo?ih#otnI9;N%DOQ%1Nb@ouLLdwK-ogp$RH4 zz@lq+uQ?0_WW8I`kCL4Z>T9==$rR+2J2oJ*HuZp#O_ZOVif<#%+r`eA3#UnQ~3m5{VBgC9(lr8p447Hjp&91<^k(M zGEmf&#iSRyK+Of)de*M8ZVRQ+ME9IxnqC1%eQqo^>I@muunIVRLqfG3Qo6o?ckdxvQ4&#nvZKAA^Vg@)P62b*S?LS~!8dhPWBFX7qksrPg4jii9duaDF<SG+k-ezrQ=$uth`p(2PEaq||%fhsqBn1+fMA^)b;`|lA`Wwc?XgShLB zfWZ9FGM+K^U&4QXMc03w+@4l)t85H(qPSm%4dHRL3xf!OHoyu_QG-P3Pm zfh8)&$*c0RzI9^B>hDF(y=$*yc&2zhI||dcHxV8-M-9?yvNT>SZTYg-4koKk4D}?o zyzQyGo{k^4a7ZfU@|-@g2^3pnY!>}Az4#u5rx`ZU-8fg9Nsx&Qtk?Jn29k6i7vH);TY z-c7~tX+QpdaIJZ;=pE3KcC%B@bhG7aWx+kplNIx+Z*K}sLRoV_H0}Ke2IYw`E@=gs zQ)#b%ub4HN)46&(FD7~60G4+4TQgQpu8AORm&V>sR&4r>v3YH*-Fp2Q(<-|oF6;%V zIKuL44ITTi>qlgCCf{ni_8%>ZuIT%snGOsvkZc!E7#X^*j)w>S8vdH# z|5Wp5?3Y_?2dRrZdn%f6GS*YrGgT0d3C=v(BJG~9|NB>oOO?if6l;##%UetTP!6;) z82v`$@(s^YO=)xZZ{bVC*p~6M=^MlFJb{Ww?~S;ZYfmiHHSUsr!hC4^Ww<|hhxP*+ zry)bmKCOY)b>M}wbl8UP@cf}<3mZY}K>L9x+CnZ|%W)XoZ->+vu-)k}(t2V}LClg_ zm9`%S=8^GB2~CzJe}oS@eYygQxDh0cwP}_-orgF6At7{3q9@h;I5&=3Wm9-ZwKX~7 zu(`f#d#*C7Y^EfKdDD=h(cV6d9&IDP@RQjMt zxbU6FuOJ&9S`HzZczbF6?bCup&ehOKAvaOd2 zC^*J2ZgpdDs+Wq@BZxK2-2^0mGhW80dnqkuqT6mDN5;ZLbFEtilOGXc>whl@xy~4K zv5#MCRL3{af~HcMV}7{bF!!#qQnKBY}pCXS>}7lWm)()PViZxz5Rk~_oVq& zzBkUR7*vvKg{qu*qe(w6*Gala>sUOlw;nB!gA*MFGBkJNz)JM&1;+823s6C^_yFIW z_APB7@FPW#`-#BN)!iPxHFGv<6W7Du$6uMVjE~azD@!W&(7zh(D+$)@#i9|mw?74_ zok6wAY3UKU`4>hS0I2_;QCuh?>(j13U#&361|j|aNmFP*%#`olPl#lbw@(=f)omf} z2%`}3iIvlZt)*Fh-`KS__q#Fkw`$dOtu1?aOn=cevFO%+#0mfY8MjP| zt-_dHfo+~mOjbN?Np-X*&f!g;)57K~-UM~#sv5tF}kmzqW{yEP`za-FHT0vWn0VaxOVRI4+tJ~7Wi5T7JyJsG2$8&hN7rRWs2 zIFL=e&V;OAl#7zZV&`3o=6&1?K(6i}!)`c%$5WO|QNTZ`-cfIyyHrZuV-vcpoNn3F_BRqS9GuX<{|6dM7V)o0C% z&fP~0QiXoM$wU|ZvU!2pO0pkH=lfGo-6tGzPlL- z9Am_(u8C0Z*V&D(dFfafXnr0B-&CfKrmF7sD82*>dOfe5kjEq%9|-@}JVRsiUla46 zPT#+UWF}IP$8j%H|4sSkZ|8R)&gWN<&nU*!Mdor)#Zl`+9*87f+jpDo4IeR3Uuahv ze!K&ck>*pzc8#>K?z&LC%c&}PKkblmr44p6mG@dB@e$MXS(5{A;wu{Q&6IDFQ{KsP zyVG6RrQT&yR@GEltXr!wwLrGnf2%4|VR@FNYBYePXtnYzVEySlmJ+EA$J& zwqx%wYs^ADla~%pWNpLz@4r(LNvKXM``~0x>zy(RO;-T4Wz|5?mdMHgqBpQ`hK8lq z1h}Ah#k|EDNA=}Pml1_1zG!bj9@M{k6(_`cJg22{=@U~s%OPi;e1Wsrz8TGIEu<8N! z6BczAzx5pXawdHk4LvTd$C^UcpZ2aGR&~v*dJUMa5xv6EcW?JAh1s5TS5g+}F0J{X z7RuwM)K}P5*sk%IVOPUk;~Oe~{HrIaw_gRWi|=gq9?D#J4ljw)sf~ZKdl-A49jS^a zoV)wAL&YJ>BHkbWMp*Uln7OB)VdYZ*_vC~MCoXrTYya1!`u`NGH|4}$0?&L!lu}!C z0VA%|^e{mWZl!NDfa#t%h|ISqMZRp(>n1NVj@yx?Snx?UH>drTzmY=O2iKsENaS2f zx$@*g5`v#MacGzIVTk2hquuvg-q?`ZV6-?yJZSwUWea|0yyJZd85|Al>P>yay?SdpJHWpvbH4P zTWj6H_@tQsd6WM?d|h(KVxAhJ@zblJ$8nxZ1auUN+G-3Gp&&v}Kggz#c#E!NJY(Fi zWUWe!(+n7^0-Efy=d~3MHW{cS?^jSAHdH@)RmLiR_W->Yl;M0`f5bHsu1cghQ!U}s zMMx@nhnb@?s@v8LenxjML7ZbfaS4mdv01LybA^}PzSh;X`@g}t{v*Ir^YR43Z>bm- zwO=Rx(+K+95pL0St%!fZF@M{X|IZio9H3;SSbhg@wlQB+eOVFWRkefk@)(jZ zJ=f_nV-cqQGE7?G;J1iOxQ6y_1DCpl5Y1YERkI54IUkXs-0SL$a83=R@Gv#|APH zbX32qTb+LaR&|uZNl@!q(P7hCs}k%FXdTUO53Fz_T$k{6+_j#K1ePBpP;7w99 zPtE#_!3;oFg?u5eEin8uuPx;>ukG3U|A6BD&*}c#{ydSSJQFLgd(D3!m@cJiu`!GC zr_6o*L*`5><%G7Q8TS_%4A7meEFahx`Bl-Jbmi*lqBOyI%Oa|-mz6uQ7q46wsW4aC zPmkO0)DPrr9! z%uPFCPh8&sHli$Q%RxM%wDCK98K&RLER-G&qTK&7DYKUL zwpKiy*mBOq=!-y`N*(2yAULz5>)0QFF%q;jcu_dXsRy%F!}n^HX+W z@$R+q#`SYbwiXd{mx~MiR~_>BNDm=p+dPVzHWR}%90fwto>#rqj$SrS~W*`XPlWjCx1(YCMs9A+u;{?O7% zX#Ix%&v60XIav4`?A4X7At%r2LARZGgO&&WHHI?p`!asE-ECF_u@G248?wlEX}hdo zv7u0eZ6Jh`^*KU&qVH1ey{J>k^wZluKvPeb=&n^J z&a}0P$HXI+Jb;hhsWc4d;n(f+3@E`CLDknDlbqKhl5JlL6v4#9`CL^a zT%^2r%Rm&ucijXxuR%N;8WDUW>&(S@zsqGYlr>W$%>`J7&-t@$UdHF_JodPTHWv-X zb8;X=Ysiv&vIN9QxZq`?7A(?b9Gkl%?BHZqnX2y06#A{>ieH)hXg!IJR;U)sl^eXW z+Qh{RPv*TE$Y%iZ*#7Kov>%Y4%QG9_v>Yef46^HJ`$*&`yAr~>+2ONMI`$^8Hx&&x zF;;VuX0B&Si}F0%s7-P~9D`t`Bljsq816;brJbkWI+)x)n^NBrBp$0eYJzG-qztIa zoww-J30n68d&g%>kCN?@wCn?~E12?>gps0ajhEF1b#U~)%t=2kuV=!gz5Yr|+(pVS zSvjg;L!U4XA}={!Hn982O|H-c261{oyJD{=DCg;x&0og&dt5+ZeeLCEkrC>|BjJY; z_~Ra{%rABMYU*tpFL%ZK=vwQ4`QVsj+c?$zMW~KJWv)S6=N=dPd{$e+2YU6w2o}mX zt~yZ_!O+WA)JaSNo@gm7$X1RnMXT~m)s-_gprluTN$sa9&V%zbxkmUnw=t#}{PkU%#tQcpdRA@G{i`%EA#wq2wt3r7wDR;_v)qT zPm);SId~B-*=k}4p7!V=oxg^&lqkWnrG$?pM2i)rz9mppyk((QV!Kmlou7Eph!1MM z2VaAs(Rs9)RUZy{2V!uc)(lTr@n!ES&580-LtwRc;|lrDNU^ZUF1;w(y0>eJpks?Z zT!HhQ7ZFRSKHWZN-L7>j${QbQ_xDo!bDiGSN~$xI+@wb{U$!xLasX7v#QDrvRh=dbyA=oS zNR>(~f8=9*!>E`}=}0Jq&>tfGe|RZp#ZZ0&)al%e!sKXhXGbfL(U|Hb?aacMx3u$N z{(V~UUu);b$|tHF1*CdliMz>1LYmEYCtMDDO6SQp-+vM6d-L@zXkL3B#&YO#MM%;zF*)QxCsja7=KxG zymLiE+DgKw5C|RgBhZKGfJGoxG=ev@0_4cxkN0z64dQi#1_#Dr0J}xGVlczZIIm2e zz-Uxhwz#Ud6iJWy${xCUPRacyp*2blA+QXdjjpK?+3HPN{&q9v#a~(g;w(M$hIl75 zkGE=fBt&rU-M-!VITP+2ldeXE0-g{2hk^Nr7?rfXt`Ya76`YCqZu&+IiMI~F<&}Rk zmz0NpR-u^BD+{%O2=`$Nr5mZ{E`&E<+DQ9lR5t(s8yszKf@ED<$tLj3HgYEp1JgixJ-gpei6oFhjcQv$MToPTr zskLm~>oot)mClX`1Sr{tHup~%*gJ{V=Dh#uHQp40OEv1MANWjn84w;eXMdJ-?!AvM3bAU zE|s7<9GR-tdZ_)U1wRk1stI=@m7a#Z>D6yHeCph9F*TwyZIpoa^{gtn17MBoi`N z?$#R;1I%;js5Vi#7N|iiySOS(#vqM~)`!;PUeH4iBgSVMsT5D9nPK&gVs6emuq^Ch zYOy*j=>=-;kOJ~K0U7;LLAl4VplV(@cv%M`)B}LbD>%>bT%VxPAhf$w>*b__ZR|-4 zb|+fGv)TMZa_WX!I@3_aJcKa&=*-lX+jk^CmKz!&1bi+@WZ(zjnf;RjHw$_3@mNjB zr1DFC$;TN4*B#f7_=_K>BYAw^$1w>Zmh)t;5oyS%A0SrFPSF|%{i;rNW*!ngwAku7 zariun$Wz4?&Lj13(m|ugaS=3Bhvq=R6qE$wCS6B8nT3c<_EnRBp|QJ{v!BwhWRJmrb|*kKlMmyqx>Hi zzGT)U-SJVN-@6BA+JB%NY4VA&mkTayC2gZe-i6!Fw!bC3K!5e>k%I{~llk;b$^~Uk zPiqT0HjhuF77(aGIGSG)K;!ctrJ1y+Kb?c;FNf!=jt1ph%%o0eUB3SzCYj8tUH|#& z3wObXl|6^KEk%P)YZsyq+t+OH$*&y9ew|`AJpZ;+4}PoaYyDmGKr1j1h5uPS$)yic z;@jQM3C$)O-&D*wxm6Gh%)H)3_Wp~yCMkt}X0r_ul!NPLINQ_BFqQI9_IoPuULT2 zCbM37PZgO)1UHr&W%gr;J@ybuw+F+_zEvEYI|x?`271UeE@#@UgZKgSd~Ja!S`&AL z&apxfueBCT3v=KpXzOKAEcb7K%D;QjHvPFWmiz4ii!V5mCy;w)Vw1+dpQa%yCsHO- ztLqY=Cd2o-5-uj2Y2$;(FkY(%ueQu8qwk&wg2R`eJWrfvRdk(cF8Htp3GjNgJo}__ ziIB!0_3PY9+bFzkF}dX7p!Mh0?Z=S-x&~#(uBZ(gH6J^W z(c`y?a}zHqg?`IA)Z*86DVL*+-1Y`Jq1oO*zERfc^Gjw+vZI0lv-7}GP2mOnDQ-+5 zYKwy!nu>nV`prDV|Md`jINNE-aHgamUMN~eqi>r>Tn}@KEp~r^EEd#k(C1oBJ=+ZGGU!fv%?!>S4EnOC-*XqhO4)|ww^o2lH5Cqg!6N!j zieoHg@#-A-O<;b5-S`;`vz<+vtPBTZZqM}ag3qYigjP@N!}3eyDo;&hM6wGQ>94Ea zl*;SWI2G1MLG-vh!m;bgBq~e&@Oj>9(^Z1f;Bk+^v1(n)sLrZ?OUHcX75jqOPjLyU zEpILmcn^E4;K7-0<-FJR8+j#5aW(t8^0Aj0596{S+s^qJUQKb$6~idk$IU0v3ANd4hBrQM^F`$b zij%;0-rJf2I7&d5jeKg)Z74F$Q$CYjKVgp#3P}$Wxxu50=JA0qME{xyKIzhHg-LK=650Ueq?MkzoUE}#bM zJdj?yT!Sd-FhH_AGAU^4hhKzWVau1tm_~raE#I-+LG)#m8ph930HnY7H{*bh&F2@t zJSJ~x`wHZ}kG`{#wNIvTp3<585XLgA+##i4ZWcs=k7*ZCzp+!uG)fTYKJeeds6_4f zu#xgyg0a1h`k0Yq!s$7wE~xS7zb}FN<1shy63K6;m0Y*nBjpgw=`shQkj!;OI%}NA zBc@%QaC|V=Q{Dg~_A*-!Yb_2U0Jq&1`1Hy6UFpVrw&t}1gkAAMNlfdK)rchu;JuVh~I2io`VMM-$0NAs~ zNU(t&1F{>R*)-9Tl_q4vPgM}o(YQXLH9CW_ODuYGGmt|-pFOa-r_jF_5B=@5G&#UT z9ak6}T=7SfYA(XQ7eC9*wkr`8oynD!tC9BQog>w~b$OVn0(iCAcO7lB;RWU!d9fm> zTMs*LK(wL8OZU?4Eg&J-uXXmCP?NQB^YIAa;S09qJ>Yu;X;I?G3qqL z^`4V@g2is2A!S1vc_G@W5jBjS*Z-+pHQ1wF3ovapsn0BfEb+FBX9=6qNGtRcySLKn zz^BL~N`{c2uQkUO_wr=(Tff1A)wU1JmpDjBhDtIRIypQ*>PG6T;Av&g#~? z)ESEkULjo@Ncu|wcy9={xUnljuxJyg?t~m>OVHi1kBt*F87xu7Y)?9S30tV*J*gYe8kiHnL?{a8rU>`fH7PO%B5*2*rEWXqs#%0 ze@y~CN7l}MiT7?zN1b1op-j1}y*oIvCDAX~pVE227HC&3LoG;YljqD1EG}Ei+)oA) zIZecMPdFI5hstgzvA;il)1W#Qfn%s_Eyn~>|4rNce~L!TyFVkocL8G*{ErO|V&84# z;_@GV_%fCr(^gv0E;|-FO)J};TPO`e%w(1+Pqx*>tRHnjb)9#pXK!2zKHOWZQp$5B zj+Nl^RK_rnH9g*CD@%`coAc!P9$O0&64Jhma;R!X6ONp8jJ(xNk5<4B#xS<{wL{-; zR2kgeTe^QWE8uYL+&ko_!+(SdX5OqTnp2Al0taLw6EjZ>Ye1{*Bg%x;V^olsg>N1~ zv*d5~iDnjtk=prIu?hQ5^#TK_>~8pAgVcQ+wT;~P#|q9z^7 z@io{5r-JdvdaXHDVFtZ19kT%V4N;|Sei?nX@_Q-Qx|?dA5;S(($AxW3op(Qeo;lA@ zX}tzY8WT{KzZfpDAeHo!FUQJLKD!V`GpeQ~I`b^(4||Y z=lvf{Qc6J?7n?(p?p?44dq_p=Nbg-+y!Xy6&MoTqlTY9KYIq>zy-Qkn&t(+cO{nE= zTX#nGq5haQXV)Bn-N&c;v|&L#ym#><&2uuHqtuQS+L~z$GCE_oWuLCwE^w%Dt%iZ|>`6`ON z?^h64v_Wf&X-s0WJn|dYDOf_A$S3(Sok&zU=7C-d|HqASTaQ9U&IKoW+kr$T!dt8A zB`So|LpAj5(S?-{a$uf4t_WMwS2WY?UV;abcssK!Z1Tu|6!8C>17XM;pwz*ucDhQq zv@`17Gg9EKUpW%z$;^w<5;cx|QOsciR?qZg zQ)(6yFw0>S01ANNQ1%7rSbp%^gPlq%^o0+5P%YoCNpx^imN!NmRwT-x`Ke(Gs(>CB zu?bK#xYj070R$w<1gnpHRu0az^rwPp08h7*2^gfWc$xt|K#hRpA#pl;rCn|ckj0fK zhZ*oe=mAU4)J-yyGaZNhy?TQn<`Y&VI$OshH(%nA*cHR*L$Qqt9^uoWo$I0fQNaJJ zzF7UOM+*}WG%Mp%j}c4*S1U1=WfGy!&FhemRU9Dr( z!T^pu{=Fp#;a$jIbp}d+$pJsHZ+Ati2j41BdtV)`zNCv|Kz@9BJU^o>V*UJ}FlP`k zfb~T(D6>POu--Tp-GbNbT}U1yxTSiyfSYP>>b$uDaS)nH&7IKroE)DSh-Y)|F`$7L z7h?RfVe`IHG!z5an*P*Q?<{CTHiaZ?{*W||42PqGatC{~O$W0-_ZmP467$e-arxC& zCyEFweD$`mZrFNe$^man73u%UPWE!}B&Q5?i*orec1JZIO&BoXw7zJ$!!%`A8;SK~ z9u(3xvaZX}tI8YjNvb~V_B0G{G+0e8ZK^_1+qO(oKerQ$U-k)`U0&s(RQp^T9!f#E z-SazDO*N~=OaKw0ou#G?Mx1k`^FG%HBh+y^+GeIb3p?{P!}|A(Ife#)8BXOKAKUym zU{}WN?Gh-O@y(xm93VJFOW|?>hnsM~Z9Ek4$PrJM6e_`%;tiBMB4$&p^;^x@qZd{j z2h_HY-{+!4G;}K;5P5oeenKLC%Nzuhs?1wX2RdPk0YTg86H4yCJd7loe|*=n@l1bu zOiO7U7ud0V`WT>K)xHTxH#JEdn=5C?Y7e7xHE6%;N6-15jH;TiBM5JV`?bm(eViG# z9R7CbzK%rT>M65ocyJAbT8*0qgfgcrH=UV1@pKCkx8jLX_I2>v36`?SN;4~g-ry*b zxOwo?q1<%Km3?9B_h9T2r%;LDGo}o^DuW(sp&H>Qdv>Mi$xT^GORN@)q9s=Bnx=sJ zNE6_iTpF(L^~YZYe4snxm3nJi!sru&@Sgn@9E0!bGd5x@+~(@9OX)uVbScmVTNneO zta4kU9bz3wuYK6@Ut13xce0lo5foKqudm8CXzrOPJc>tg-z1Z(I%-bJ&etrjMJsr> zh>kQ9kHGL5G@oQmOo;q=9CFuXdOAj>pvhMeaLi>tUoi2v;bv)MPEr7F#tO{s@ZJG! z;8&B`l3&S+XJN?7kE^I}?#mxEM^KLB#z-{Zc%Ch@!f$u)Js(Ex_BG}L0Ueax9@WX; ze%QE>(U;omzy6uH5ywv8C_4W&mK{)l8I_^SuV@31NcB-`y_Y?iKwS0$G`{zvgJ;!# zU%zCxtLgec1a|>kcB~oK=56(MK((Ro01SxriXqMc5zyGKgopX2!P#e8H^|63vEW%S z&%I8XfaaYT#t3c#-xbj_+_h9x9pe%1Z?7gCujRl`gj*OjLyT9;UM?3{voZ+2EEDb{ z^kw8K<+n`#$<_IE3jdh*#SvQXGCoQ$dg46H%rs@p*bx`{y#r)$f3%ve_=sz-6XFXE zbD}=?E^oT(dkOyBy((3t0Kb@G>Bk-e9EvtHvgUE<*{F7K!$ulptiIS|h*ON_6;I5z-^1Y%G9LWXPO%K@{}Cf0y?6R;)MMU$F7 zj#+NCgFb4>gsgQbg-g79F;muH{ z;bDnt19eSPSmtVnB0x)OL*9<{1v%9_fWqsUh#mWA^?4p)3crigcMW;*reP`Y+mpt|<`W&Lp7D zb_M~C#z~YNcW0p?I8k1hD??|Q0OI3vTxQNt4^izjvCC8cJ7h1aAsb3y`l?1VS^@D!;%;N)|mTl zD?Dk|C5?}dl_q4oO_4y<@=5Q|TP?ecZCCaXfszt$rN2SkC-h@NS2l&(Wa#gMFG$ZO zJ&sm`V>v?GNS8+1Pxcdz$Syi2vo5l=%HnNT)@-qOKo5x%H34bWSC^l)-txFVl}5<~ zw5z%t`p%*ocTcum8(0JQ@I~rCKYk&-n9AY3zIDOBCeor680mTnnDN?7T!vcrq18Jp ziXszw`h-jk5IYgy=-pk_Co=%Q@?|0l?p?on4Aqrpo%slaHk)SB6@V?@Y?cEcmXwcT zynUgxan7e$>F4e2BNgMlT#u~|B?bNOEC3VQ1o7P&I~ec0#Ko+Y-zEbY63)m#vwQ(} z&5uW7j#p%E_}+=-@00>O|Drh(rOhxKi9B)mq%5zZW%E5#q9S^hzS;@GjWri*JGljQ z`KtjMOC6T(C=7i%o$yr6!|fYj?cMt4y8Zf4@OMpjV>br%elorm9xc6bWOFcvdbHCF z-$2co_HJqF6)xU9escE?V8L1fs-14n4M4x|6F!mi-=*C`{pteJ2q%zR@H^YP#vD<_ z4MuvNSfj9Nw%gt8-{a}-lt&5#n_kabrXSzW_`nBnr2d7>GAqOK=7~1*0r07BFko9< zj*b)ThRqUvFJm+M*YF4H2FMtnWP5$w7^OGUcaB`o>oC~(}#IM4WU=GVu zL9fjYNCJpveF?#(9|#}BQPbTLm_@`q5e(j+cq3~Ayfu{S`7U*1Z?!mc07A@T`3j3w z-`bT8R-N-};mI}>iLEZYttx|<#kij_9( zTl3#wKgI}N)2;-T!`3n~CljC_6vQh)j49Z4GKRp0( z8Z5sMSUD`ce!Dfl>&iO7fT$!L4FtruMbymE5Rw5%%NqaJO#*HmCo>1VK-N3$sAZxll<4{rhr zz3-3i&cF0mx3n|nYxVl)pvynY?cKT8FwNpY?BFx%7~!Urz8(kBrKf;ePOz#lrO z+xt9}``>BTbC1{K8jiGKNFy=NO^wnn9Ex-wpbD*QT*fPZ8Mo{|4%vFdq_?fq6g_$A zlLjgEZfwl|TO!ptdXA41e$AE!|t((+zH2Ay|H zD}+`CecZpK1-x4x`Y3beJ3V*&X91gk^L97<^3ZQzkiRA<_IPcq>qRf+`+MM*Uz;b8 zn?5{$7SS3Il*bU>LnV_`hFT1u=J*!w1VZv&}1Zk(Ha^x=p5n*h*|zB$xc1hqy@9G$K7eO@{>qCInb5g z2S6s=t^KgE_NX#I-Nf$t&mXPF5`nd8`FzgGgm@O*%ukfU>TUNx1phv;ujmrl@a2SP zwcECAe${Iv?wCroj*OJ5>6G>Zx~H!UG&lDKf3qn;riJ2j7VI7g6fZ#0E2@tdWwS(H zRZYxgSS@KwjgvpxXFiG>S50m`2jiM}EMLlJ&s%3+vD`{oADhoS6Q?XtUD@DvZ`!0xYgIMQqSa{B~m$%+~5p6U*zcsQan zeA0po5G5Bdc~?E!N~A;Ee$Z&5$^|m<%9Uv|fL1$Y=K$@s?YdAS@{oNas(S_HU*LdP z1$6fe_WYGY|F=kmL~^H2CtdrWayyL6axv^u*eAXEncI_pu+JA9BXIktv4U=FpTAE! zAMje6-b>zk!xXNd(VV1!7@u3fHhQA-J|86@qGNUgoYY#TL_7F#z+|;=hU=!CUPB?j zL#cI0E$H=*X~_W(xGE&Ovb02p&-nxcdv^$cU2yygWGoktPowxru;s8Hp>|UaKlY-} zKJnq`^TWFgOU55Ld6))o$oV*ppz zUyGIIU%lDoe{l?dm#H zkbKp4Jo_`oV-4lKW0sUwsBBgdA)8g59-)9;Ub&)a5S_C%Ifx2djF)&zjPzQL$x6I7 z&D5OWcdgZO6L`TbO1DeGN3B$PdFurx#Do(Y;P>!W33MgNbj*StTha}&k$r&-Psh}` z)1>e6o6KY+;_tH-bI@fMEg~RsYnsPu{3sxyg`~>j7y1%GXnlE7Lj~&;$;!RymqIiv zm(0*>-I{x1T|<7MZCp(|2sZkKFeNiw5TI=0x2MgbU)dqyVSye5;PYHXWj_x}3>TuAzprwL;@SB)A zj+RasDcGzPi7HW!o|cH}GM7v7>YMIt&KeO64Wu5N0ey&yUQC|raa}lB5lWfZ1D~=H zCT(EHn^P@2_?Y=!oJPzT+m*Ag5sZ9$q2P$Q-;6cK%uF1L|LH*mz46V;gD1izz=%*V zM3_6P-#;2E1Oi{mVoTPhX1S9UKMuzCCDmNCqP;-<5>nQP9}QZxAVvORrf&X~HRP53 zrTQVwJeqxk-)c9Yz-Nfb7y1d%Idr!j6w`uB`iE)ya=A0Fo0CURbVA9AsGIV zX=_~Q_~rhc;T)BQrv&IU6b^ky{y}c-MRbL4v@rRjPHJxSnWgvXT{X*a{gIUm{6)!9 zm!HO-*Z6F2S@}|Vs3w+gz7V2jZd@1$Kw>KEv5z*+g?_?Pb|#y6tF9mfHk?lncm;rU zMo!wzkvyMwZX{(vw~CdXx4UB*ZSi1%{N%KC-uO=_dSDr~Y;s;zgCEtKJE9(Ri~wick?*4p>IDC z=L~P3Nk#|vjh_FJb?5@R<5onFo)LKdkicPc`t4<4bBAr>YNBs!l56rR>!^Sn4~S+B zV9t9H6{UF^HUp0&wZu671*qRYX(#0^q#53D8si0{!PA5=)NU&YjP1}@#QEfxl)uz` zRyp4fgfNX>^;Mp z;JR(mB!Hj@hzLjx(mRSuZz|G@(mP6#-U)(~#EM9hZlNh6(jhddLFv5{iWKR+w*Vn$ z<^8_>+?QsQ3hlN!DCrjxpw#g#lZt|A8_8UpmqMUiHD)=k>GUuPKJt0{(r? zM?ap{27%4L&4^3LsKs1Ou8Th0oB3K%GcPhh{G2ka5KEsdh?dU<8>2SdJOan36~VrV zP)5(18T!H{1<D6P#ENV7VqkE2PEP3o*dm;EUp63ZjJUoBlv1|Ai;a#T{8z`#5R(3!!NT(wg*%tR zeC^>ROO(vYj~_0$@-uKNU1ts2`bD3P=8BTyZ0>J|8j&thm4bbduK`};Mch>U;1f|C z_0t1u73gN~HrO^_lVD^f0NXH8IJ|$j0AhbBT=L5j*P{?h5+!mw&_J1_4=oJ70=`UzcE`*C#Ij*dB$ZNFA|F8fN$&Y*F4=;A6B{P`X z#eB$xNaS*Dz$@I+eI6>8dom2we>)e54y?LMpWYhGK z*f0g|8sCBN!F}3kE!4YtQnlm-Di=TeJ~nzfwv&e90l3hr1Q(+IHiYsayqR~8z%BQ% zJtlCo_GvOk-qg17XGNvA?*{33PyVt!Yjbd|2skv~29J)bY%;;LP z-CW!@dNdcO8?|^dXoxldQCNGBv-(bMc>QlEoIOfzr`3#UrU`eBB_CBMjd87*@U!e@ zzN$DfW88$ht)NQWOS&W;H@>C49ER#a6`DIgWiRu#I;8L?m4l^3 zpxA%D*FNER1AdFpuv;f#FJ0a9W|~trvXX007E42vH{MgBxn~-D91w<0fw!%ExmLEi zxBN0MVl7-XyXu&~n7ofKmZtp=#!hqld$+N50uAyDSFl}v-M$CDtowZb@?oprZeDFbBinuS$Eb7?17(@QrbUDIFz?n&t%NvDw-CsAFSUA zWrFZhOrF>jGKg>uegq~#z#hZnv+>i;uRbcdvA5$}Xi{67FQ;x|>IlbYtBW*>NE|L4 zU*BULa@O8MbI{ql^5>d@4?i}P4_!VT%+&**CkUt|v1&HGT8+-CZ1$k93OS~4_-aI2 z{56$X{rk4LI_^YuG=HSsSWi%J=01UHYA;+jyJ{#-d;9%!Y>q*iYp%$6Y16%CE9AyK zw>c4YMKPSE7$1%v&bIuk1bgSRg4#1@)h91K0*v4aV#{W1+ulsMVmQCdgd{QZ98s2? zTnQd=!DU7%j@^PAvO-vn0K4j4I28-Lbp5KGCJ(+`XS|JTns)1-_mdqOjZ&@uFTPab zgGU|C z`T3hUI;GFxe2c!g9ESa@hrD8%Wed#jaLf7;$Z7j8-1|lL9E{G?4m+rj6#TZE;pa)1gqC>xPk_Nwlgz9OZF@?$%=XN{NZ;tXaot0hr|5q zhK>6P9C^Aer8tIzayy0bB)(O0-04f>@qwahjeNoSgeIJx!bT^!6lhh*mWIVDS!1uQ*|&IMA`&_FGl$0G%oi3TDOX)E-o>oUg!PP>)i zkH^+Q+fAh1Ge4&?ui_bY8K$JeMEX_tMQiG>zPMY9MABakn_~Y3? z@x}@Jri?s&@|{q@$mL`j(*vf10(1Aurkv)gvW^ds3Rrzqpt&m0#~zbzqED1llIOJn zo~FN~ebAD82D&igdfd`t>OvzcErdRJPOjC8oI?+iYUWwTKj>d_V&+lMFt(%~?7OMG zLBgS>Nb6jkRvw-eEitu4^EUCSk0 z$zwN?N#L5>02{v}cC$o#(38*`)gWMgrjBaMjqOH@k*R&c7FfxeQBZBpUZ1?aLwOD& zcus3KzhW|H#HGT0J@q6BbIP;vCBGhbz5VJAUafnp<90c0@m`cal)VOo=xgTdc{5B0 zY1XVz;6V|)1)~nx>r+K=*3LldS{*KYX7M3O8Q}uO%+wkHhz5!O#9$R|Tl2CFqZjCBgk?a+Oo7_G~h@oA2@W z4_OJDCaf3>$gUI$#k>|{YcrWbb1|KAIoKO!#cOvoym8a7K(8dNH{X;h;%ckdGw4@m zi`8;1^)In)NE&-<{@J-B!j&uIMo#Io!3aFB_TD`j&nLx*If6K{63$#j*k_Wf74w)>u|gTk4An(uGREe zTvJdW{h->lS%vaCqF&Y?Wi7?zD>fHZQlVH+K4KQ_jdZ z@P>Ed2mJ?s1(!QQHQIi}*Ok%ep83?RcOde$Bl}jyWzeM}x(6C?OGO%Uwq;YcP{69bT*6Amp#QBW``IEG!QwABG>mw5yW8i_cKl=s zt?%sO`u_*zt6oX-rOwX+Q=PqNt!YeMxY1pD8$+bkmnP_)r%jL6dJO zdisJ=R80=00{MBDq38yrPuPZ0qr}G8x}Mih8O~V^Tc;bQ0H0S z5l}-W$s*h`A|);WDNUF3GKp(+u{^lI-SS~STUd)oDHtGXe;PvBpYcQWp*5s$S$ymc zMja{yCx)Tn#r4{d570li!J>*c00@e_7&$Mz21prg()3ZAa1l<_ED@qYNQh*0TpF9- z$h8-DyRSD~3?qMkaksZ0Fb}K?X~;7O1r}iY#rhhE@Hrc~7C16U3M6~lvRs#35Qpei zVSK0IFpCQ_G!{P>IqL=wa8_cHWrhaITtY;BA01Ln1>H22E*%U@6; z=g@>c)hpzJ28*+A{GI;wa`u=fm6>wdsNoG2-Vb+wuO|J($ny%3$Cf$XuNSz?94L(+&fNGjW%kcw6!a0DAi4M#4YmpVsZBKpy2d zrVoEOeJCD!zf*AshH@pcIAdH8DUw#2N8f^apd9ax!hW`Vc15cv)9A`=D|bGJnahAT zg=>kpA)R~M1f5mXyk3>n6><}FA}WvS0P2@+LPp*mejE7G(tMc1=PE>}FEwz3={xY* zYyq@O3NgIj`sm*3{Zl`lLrqj^ggP>amklEAQ?-~HD0uks3_L^0uwpoIF=%$a26ZDT z64YH9IvuGm%2n|Ip~}a^{MDIaSu?A@F-+~V(Iq)`G0(7zegWpP4^ZOpgJ+gz5Xp^g zP^Otc4q(X#tjHrlTaM5e8uI^CvnM;@?q+=6uWE6SsXKGJ2O+}}m0|n*Hk+5bZeuMT z1CLqsqac~h-WF+?c_^#*TjfB5SV>oQsB0|lrtebk&qdFIp^(PZm%*R80_VP6>c^1; z49f@hE7NIT*`-lXUQ-2(TS#Z+%){88e5wtWMg8G%uuAW86j+xUua5-WVUvpq=u2YH zqlDI_!~A_xXS7)5DC0J zz*&==X(->atxxQ3RMOnHtp1h3w#Vd5@||}lR$8Oy?2O9?Rmk= zcV>^uhy;?NzOk=`taRIARK1DFw#%QTioO;d=p(Z~O(IgL;w*9AMtj_*4Gr!>iup%v zVP#Gq6Fq_|2`ew3zv`Ub+$|iEacQd16v-Fp5MBw}Tot?jU6i-(EC^p_=8%8nbaxc- zGS|cqLtpz0n2R>cSc*t89=D^l7yLn=rix__Ak!AKt zKhboMZfeo`otC9m5V$d1%DTX|VKf3;)9K*pwa3$_m zjv)`eC)%Se z>NCMk+07cK5!8Fom|JB} ze7*oNJlUxB(1W_#szFuA)~i+v{sIr3ZmdNw>`pXvaMV(81!c&)i|leHUGADn-K4!f^9jaAN*`np zkq}#xOPPS|eM(!@O}+7!D~bZtdPf`R+uNWwZ}!W*+IRjzGDHcI3VrlF3i8PG@oRb; zM#w!64BqcDiIfKj(bjc?m=yrvb-|Gx;(=l`MTyrxnl^{EYE0W4L0?^bB%q0tC;7Gp zuvR9$levS{4J*s1AyW^|UB7_31D%C_fAXuKm&fmGkkxN;Wq0uZPgEmaftEI3ZV^+u zM%LI+1{-{`oM`TT9`*W8z}jDEcS-ME%7>ApTWMq$Uf~Wg1bGM=M#1b0wuT)tU#IB( zkP)pQvqJLWDY!11t0o~9v#Dk`NYsXK(F27v$QY;CoN}kIC(i+d z;qv|*yL!2$6IRMQTo|qPa}C|0C;IYmGH~;Lx@6a8Rb`j_<@&$iX)w)7Iz9j+qPoaq zebPt2d3^yruX?=+O+OQyNY%Uz3<9~idN5Z02Q{Fc@GKaezu3s!kiRs4bBEwAK97grFrhQWU7b#tQ#0=Y`QBVqRu9NxJ><^niUdhhV5eFX- zXNa8!sgxact43$5j~Um$aYE-#dL@jmcM>e|q@cEBQs^OLwO^xLqvI6gDH+5`I% zDZtuhUBOQ{lVwuZ@LC$!pNI7Zz{9Ib$`;8MDY@4J3iVYN%5N@*#Q;-ez@A{^ZV%Ia z)cM0A%4MCK*Rb28sJL#~TJ$sqS?YnEH<%mi18{ow1D5+<2#H)o?U-K3IrKKm+neo6 z8;A_q=DvMh;XrXD0OdQlhB}&F=K5OBYW7CiwW0=CeR}&M7H?bnAHDw#E{>||Tl8$WiwFdtV~_O=XiFAn5i%mG}1Dks#_ za;I#m?qnkz72r(L*@EjjyCz)en`rt({X||V0SM<04IbA7@jj^IaS)fNzjQx2<|@e| zMIU%g>7EACAyvre3}T!nrg{>T|Ek57>i+8%x0b1Cu2!ngBA zOJmQygAhN!J4n=Q{Bz!qg_(+owQwtX+wBucI zL7!^0w&JmK2d|sCF|tH><3XgN3#F;%j$zdKdFRu7VZ<8J)WX4~_8qc6DXQ!vmd6%hAQoJSoM3E<;=p#RM`L;vt&yq7 zPAjY^CPz2men9iCM3pt_PBeE8XxWWx<0H zn>c~DS2ezu_8(7-Rp?dGlv^W46SX!9U2XGM53lSzM%bwa3-ZJry0A*aYh_Z8`s0EV zjQ9$%%WwHiHMZw8%MBOAXBKzR0(E6VY}~~kOzx2AVCigeL%ae=$uIU7NT7LjUgs@I` zLIv669ZfiR8-1=zxWG_csBfg*s_;jAkTermP#)hc07)+Na-_Q>>~N@JP+foO2&2{3?T0SH?edI%%v=T<8Bq)2V6&Ejwt4qHU&=#$TeBl2BT^qC5`Ani=zc53&1`qlZUV7i&J`&erl z)UB|i3=Zh(FD~r)PId8k)L2ZYGK^NArT!jmy*vVYu{9Yq?`0?rlCtJoD&{cXgw6AS zQ3xS@Pr|Kj_x!^&^bId3JUM8m?fff^pn7rW)iR~`M|4m-ZciD1V75gvdMX^DOstUj zeFH9e++1A332&VSWEvveey9$aZq?`X*70yW!!1TXO75raO&SB{?xdV-yS&Z16L)8l zZVuGL4|C~8jfiMgY4I2QfMPJ(Ntrvu);^AaSX?kMvOQPY_aX{PJ^UGe&(HOIy(4wE zsv^fbn0kh`!YQcP+0Al}zuvE#a$mSLDU7Lbi0_+NRXJq6U3KQhIyNL5!?m(T0847E z$&zW9Aoe0q!KYil$c=Y!Krd!_KE<81=`~X!WE#!6agU8?EBjFdy|hkQ+yaYr`h_bZ zIV$eT#x0UiQmavumL}bd(k|Zn2 z$^as2uiN?yCsU?M-H2Z;EV=As!O@7ruibxZIrtA-wr5W2>TaXkr%AnxwaSpmTv@qS zM^96CY}-_mt()gq=zrD__0s1jg@ViuPo2hbevquGuQOgU!s(*md`UO2_@z3-tWNu; zxCqy;l!X(TXte3}5TyEL)@qX2a$Bg#atZfmKh~Kxon?&lq{Y;+aa!|TQ$15N!Z07A z9+xgdNYu6T)2!WLf17len;+6%g-x5s)p}env6KJPj>|xO-2)7cRR#CUri#v&VQ*D4DAx5+ zBMmRq!gQrU3pW1bs73MYp;Ltmk)F?HN&gCTWb15gvUFC;5ZmYdf-l${_x71pBd$K& zuEQUU8;?0_NsQXja-XZ`w+be6j;WoDhs=dRBADd-i#{cIgWfh0B}V_<$s%}vD4Xn3 zAG1qd%vgZ^NYUf4ebCDrC|%T74cCaWy4czYj`Y<1XJCnX^lqdymJyXQWNa;O;oZiw zZ4V{$QC&v~`HWUcOb2q>0PBV7s~$yyMVXP+idf-3tI--bvSzE(Qj3*Wy9;AGZ@(B?O5WoAHut8{~;SG#T=V4mxS) zGYy;(^k(Z^5V?Fnx9U+5&B{5%VH5fXItx#P%nt8MHzeBjjW)oG6K_I#!VOnK*+Gx7?;!1;9=$kkhBy?$ zU^b{Y(tSE_sIHGJ0t({-{C$00KR`%V!8;L`xWceR|Aok`v>hBWWzq#sEJYO4o#_{u z832&wz1x{)`s5>z!&B({aUh%wz~7lYri|~98HDGUee^@rYu;~R4|H8;vWr#c4O=u@ zUzLXB>{ScV0FRX!?SaV7msS|64nSPmLH%G<)s0k{8H*n!0^(>NKxXrK)eB2=4b#pR zRi^BoF6EgXOo5iarrU67kX`!HVIihlW35EzpUd`aSZp{*me><-4tNY{^ls8H`X{!)+{)^+_ybjT6bs5pOx$Y*}W{W^r_ldtnhNF*+v z6mDWV$<=(`1P}GVL(Y09R~8F*s$u!GipXQ!IKWJcVuaJ>G{rL2m9_Ya(VL~noSvQ2 z)AdD<1(I*lbBi8?(;K~M7*MZ8CGZ2zv2*biw;Vq2G(8m?_23IQo6Ul4=dq3cHlJgB zvBhm(YV*17oz=_e)Mf`ab!&Y5%;V6iIT7ofne0f{0>0qLhi<;jU>*_&O?BmTSX~Ln zCRr*5lL<9JxoXc!j;`F;V3TT^Urh)z znR=p(_cK%Z(PHtzm_E&5gxfL4ep{%2@xatSRpvjC5>a#eKf|g$ebVL?zH0a3e+xKu zPiR}A;*hf?Av_=#3w}@wpej}zpOZ0AygWw*B*bY|lvWt<1=1N-i%5<+X1wbJA1n)} zDXW1*7)?NT*h=?hSr%<-a|=RCEAJlhlBlth7z z*y!I-SMo<)fV@?Nc#>b@Y5dc-UkaXf$_qHV(-e$F|vElq>+GJmRwF_1R~NjooW@wF~6j6qV$ z+s|(irINgqxP2-{v#$ z!!E-w4G{P4mTdxt)1V?f1a;)p%>&gp1=^Xm%cER8!eh;%wUEC@8)w!vKVFt(=A7Nm z++pu?9Z09ax5M`S|7w#TeyonQH8$BmRr)Ou&vTpd#8XQN>c9dkB>lw zmqcHkyHBv*#+}RwE9V}KgHyNXyk0Rct;{M0v~Ft4eD+qbw}RX{2IL1{v8h8!nY|9L zv3b3Iyj8$_!ng793tq1DxjO4HBwmE$**s;1&o=J_p0Vg9{Yxn(VTOAD46eW1{Z|Mx z9&C&jj7hQ(GH>M&lMamfE^02Auf4+Q0ym8*!=_OA+J!#TJvFyRTOU5S==aw=AV_J; z7e9+HESL`k0D+YXvFeW z<137Cmf`4Qmga%lq7WXMXc?LQxCzlSmR)Uh{DT2^>AU-qxJ)h4!jMQFY{?l$SZSDB ztn!c5U!Evcd@S~=Pr!aP2(p>?+C55|3b>&Qj>55iU9U{rZrCEc2eWqj6a14{9pUH< ze)xW^<{R#xp3O1jz3f_zT4h5IMnJT^5a`58I&(%ns+${ss|vt_Va6 zDukSE?S`f)wx23R6|LS~ZNda!pjotiQej1i|W03<8{ZEDtF4GPp-vUkD=XG`{R-mVyN0JqRJD75GLc` zON}E0MzP<+{ub|OG0(mcTH4x8WAus`Msz!0Y#G!sin=-binZ;h{}t1*e*q|O3fp|IG=MNdvCVi;DwsP6zX79JoNM*W~UGE$Ko(M z^-Z9GKDhnDN*h$J?1^O!>q1%%23iiJE%Q7_#DK11@c6azRq`KNz5peWS;=Qk!qj0= z6~8YCk=EBM6Q$*8GN=a05BhXxqQ_-!e?KzNAGk%8i)wpqT1Gm z0L(*_#H%~#m&KEh_A~pC^pOh>_ywN+5TA{>Szh{0@vW1<17Aoxu|<0gC~pNwxdd-7 z5IM}L8(<=(mtpY~kXlNyn(HramB+fYkoVGZs4oF4Cxu7Nw#uacCx-GDhT0jA=9WnULxe*N-QCpVvFOo!o8e9lfkUmkRhIo%OPy0b$d-2 zb7X1cW^>l~krHudEPY8vTzeCg`x;%xmnx#a<)S{0Qu9Ij~v(4<+D&Ksq!M3!YJ_L3`b5L|#f&VVf zSmmzE4<<%yWIJD@GGd<9KS#*VhtqsWV!>a8Xni;l{L8I6g5e{K80F&L*}QnF{YAIY z?`aDA4HX!In&O$!(ECV5tA`%GUu~CjDXgp(u5Q~~yRE`gn>p%SHKO%`TW4trvEen% zQh6dr@7Ln<^?G&;l4wR>i=`&SXt(v1Bih>2#?bb6wi-*&Ta8KXlRYU>hjP1-$wM)0 z%lf}xa%btuty;@z#JILo2W{txba?Q&Abw~X1tpB=V>H_Oja8YApL!#zx_AEvJysk= z#1P%Jr0suw%X5zq(sMNI7L~2Qg`M5Mq1^zpgiQ8bsCNc%dO32`s?EJ@$VmN+II;_~ zJ6Xzz{tcGeryl27*!UIoC%Mc;Um#s+c<_drZR{8Ae)k~2EJnHSU*4ED&(G4ZKnju%PQ-dp3 zhmD&cuz?n$CIcuB^B22aL=Vi3p@$#+P_7fwL?ICN$QdF)lrPI>!mT_T7$GMeHgi65Yld zUjL~-7?32k2w>u}Y5LPxm+l2wAWP?19q*>3JV=UXNvMMb&ifsYZ4?IH1Oo9PLanyn zg`AZC-XG1Fh4Qh3wLZ8*yv`aT<7TtYk#XKiyUzUEKjpO!0aHq)qb|VcQBVXJ?7^zp z8eg!y^A!+IWH(mZY07@PeF&Zy@J7|8!kC@;8Gh*1OvdA6RwCVVdpJ}6aFMT^A&&EI z0gQCW8!x*059@dC7EC?>b(hBcdXYuyrqNEQgd?_1<;ekW;LbI3qt1;RvBt<0F?PS4 zl8n&syr?x(0y?lH>Z`C?@M;-L{zIbQ-1&Q7^feIcb z%aSo8G3*!Jvka@gf`QzUYv$$A&sYPoe^rVtLJt@tPokA3;R$9nOYe^p%KNQq%w7Esb5!n2U`KY*Exca1WN#t)1YKWJI5@v6 z_U3M}zJ=qxy0iAs1$stv;-Sw#{I2O`{9r|jFk#4|_s@f6Vh`l!&L8>!c+gG? zcSw1Be%I-xZDMX*F_V2q>E;+Qfy4+t--q;<7=(mc&-aN%6==#h>yJI_d&`NyddzQS zS&$Gq#OmJqHM%US2FEWyr35k~T3<56HxD@)bAI`Uc6M=imfubqbaWmo7BGr->lpa? zx2)vxNiqGt)=JI@tsbWa*|juZ4WlZB<%cXgGC!MQLS^nMs zZ0(2D`_D!)g87Y2p6kUz1wT27^LCGW)9=()Q9!zdDd_7B@_%f!>>8nK=L>-adLRjrBI2pquIm7OXFi_z+7xNuGptcXLuA*#-;|J zeu#*FsVssy-TA`y!@%7ZbPrvo6XnoI(r?>D@tt_r{sgSeY)$KP7~FsQc~Q5_>MNp( zzqi27`fTaT-*|nU>V7kx~ z5XP^81bNc}FtCLCfmmjtyJ~ESFdVT@vJ|}c(K#pkH_+Vh6ng3*u=tBg z>2-Oz@BTuaA-?Ub{bq^g5KdxT!gagW_w|210L6xDI<`wU*07EB58$L5w*EG7g-dJI z9NjAh;*zz^W8gT`L@Ggy@@fm0Wex2qzW z;@hvTAE=cZWVsnRb98pHnLCEIi>94ddP3r*!ZcCq?%N_&bw*!Zh1Qq;+I@ih)G{Uo z-jxR6lxD!nJH!LS8;=|iTNA$2o*l1lUpxU+TT{vX%#t+bAfroOI%Ozj!2Rx?oNM*0 zw)i}5ql5S)Q>%J#h(F;?O^^xJok#`z-Bwp5gvQ8|+SqCJAZH))#$Tp7JgtH!E2L~y z1NTiAvFBfg4$n(yo1Zg2c<-UQ!xP|QUfu{cz7_0x0RAvm)uXrXrA}<7HKP3%JNy2O z^)I@I#Rzz}hA)SZ0*F4p+3x5eau6?GOQSVq`(vl9D>q%=j%Ey{KJkTdrX z_r68ygvPhe)I-h&lOLKkxAjS6O{Ekb3Q%$8jz*88!f?&DSjxfm!J_ZM6K8)#=3k+?%y6zKG|gS#Uo&F zs2ktFD2BUz9H5AL*}8a!tG)u(B#8|1S-)m_^7y^{xR`u%TwHC)vPr;7d8A_7{i*v$ zxO_EnG@l}K+E{=;HOwpD(xQ4M)Otb7%YInhI%mKb#MU~x&r*cS#AJ>UdBuyK_-or=)ZY% z$4};OHJyYo1xvl6<7j|2dubM5L7siQBjDMX2#J7{L{ zP=-w2?2)?(;ka0g@ibBdCN0})%v5UzXAsG6K_!E2!yVNkAXXWla=H7X-gL|DcCJM6 zI1~YUalvnvB^Bg)3?4xMhMCOgb&DH4;F3BzR#Boc8zH~hIAFMZ?PA%kUX}DzxqU<8 zo~AJmo-?vxMXh^9PgTV`0PYsU-WUTP)fbRXh|O?o$q3n=pW1P=v@JQ(>P-Wf4rA{b$rsTgSPJyyNZf#=JLe7FDckiN&@zWEkL z@RV`Wi?j{7_M`j!n&D}*p#{OXX`j)CSwDN2m1{jHnVuywG~w3p9ESJ9&NU|7an9A3 z^S{KxwsR(h$8kyV%^4D)U?`Y;|9Oe;U&8bKyX$vTk#YpTk5`7|Z;cbU*H3h@k>iKf zQ%Hng$!a5!Q2mFGh^PCMNvsh=$y7N`G{yEIlkMY6$GC7S(5xwonN8NnLWV(LWnas+EO5D!v->&ZY~yZ~AHHEg%0P^i z$>Nq6JCAbqGrL>xGmS49N}&&QA?$~hAkNAluL$V6na3ZDJ_c@74!l>1 zxEiy9pf9jZFfCumE{S5gDmY9KDiWZfzeqhFnNWf(AU0gxPk;(syD2DA^_A3c5xwxz&FaI8qc z^^o?rUWHt?aL&%0ffMFz0h9^#9=(?d(=X@$YdZQhroa*(TR4zK6CA0J z$R#NR?&sX&B)PYC8!wL%iW#&btSeJ?1|#q@ z^W|5dk-5@|-lD&H5O$ij2*M5L8yDG;X-LHCy_z5q+_BJZ;$oV&NBBqXjr&8VCFH^eCE%32LgJY~YNGg=QUWGd?7)YTXc?mm^#fAof9}HtmSNxKODg(Vd&- zOz``fpcUf035uOx`;5or@{KNRK>oBFSDkjdy#J zo`QUMyu_ti^t(@kcqi?2RD|ob0l3B(- z>Yx9bX-*K`jIrD1VTx=z7Ta)s_c&o{up|fZ*9`8Rc4I0Y#*v?bjuKAw`$!!!7^v&$DK`zPL4X=}|nHG{A>O9-G27ZHp zra^VMd&hssIJ~qU>=R8nFTHtla=P0SN;IVb`Bm1YOc;tcb1iNX#4CcyN5S>y?vM*M zcjh36m$Vh}dykhhlZ<>Kgpy2b!fx@Rs@cJK%V0S@WKXyV3!uf5YV+Z&k54`glK)U+ zgFZ7Px8oZHx{BV=^`N7zEkHPCmFL$0RrW8?WlHljf`JGG?1k0dMU{i51`rcD;CB8E z95U?IsM@`FNLB147$Bd}a|2uo4W)3A(h9)oJ^HoP?Lc~cNK3S_Wac*m`tUMH339%D zVgTF9S}m@RtGp2?vIq5+`rZe0YHOzci#IzTIE^=hkxlb)){Ir;$@o2RVpl;J^JcQ~x_mw>XAGvc)0@-lx?IMmbjjcgTt!r)~i z_HyJU*^di7FKT%2**^FOmfW2oz6!acncR}$Mj&S^|1j;=61@Z-%tB=l_Q!(enjj7n>q@IV0mxHR4@BTK1{B4orNBhL{aXKPukkj%JQpRTa)HBqZM2_hVy$0nNbL%o+!)m zp~A}{PtWXCC3a%Z7EE$zq)inA*iy>RC?8e-81U!6aX7v=x@X;fYp+glkxZ^lFNqD; zLXHrk!!w{cbB#^jO4xq{pV?&zcYM$*jKb_6YPUIjiCfv20^a5xY}#U)!lL!(UChzfNnywM`RW|r1*LKwwwyQ76+5OXM$9FJu^5 zE$LC9BvKqE0NuPK%YeOq0t_4lBg{+Zl-L1RVd+imT)rI>;eadBHuKO~;iH2NXi}uJDETLWX2K38rzg1ejiFNaN#A#Z z?`60e$8$vV=h-8&NeXTc8R+vU94>(P#X#p=nA)}U+h5Cu&4je%_XnN*%tcFk@2W2l zB^4UQQ%~pd3y|kv&c?+?q-yDFHud$WOx8cW&GeNr)3+g%fIS)70=8c>eajWU+LChN zt*gHoF43j)SD)n-v-WnwY)vbT_5n`fL(rC-NgZlSPWZNwCjdP8(J052x*p;r1t59Kzh)~ua1oZi zMUPtWP8Zl|RAF(8KZ0a$pgTm>UBJPQo({1A)8AyY$@*>yjk{S*4vh77_vfzBp7et( zs*ER6(UBE#18ma>s^h!uo#;WB_n7GF~9*HOWn=z10l%$(x_b1@g=We?ocfBnlnI%5cXIyy3Pk|FpRyQoT2a7;i2g8`kwAYYUyX zrJ1T?U;Z8Hm{fRqD}63;v#W05p25uHp5x~<56u*Ma!jXUh2(wr#ZCf{ljUd2U_7IO z2j99_p6OtpAF(25Ve~_FW^9^~K?rNQ^9ie4Enpsb$0<8VSAp4Y=({oEaC7?*XIzl9 z@M&k?VOO~FuJpYddgrGWruj$wHKi9=;*ooh^4bu5dDFfi!>jb_)s{Cqg$K#~%_gaY z@R5*fpgePk6%~N!8z*3t4*SH7|d+EyY=*z@!)rB1d%x2$5&X~ zFypHu9Gsng3HtgcgEiwrzgVi>be|YnV!EX8z7H5i$;^HN>StgMo# zmOB(P)evp11->!*X+yNS$1AyU6~X^j3jbRjTyGr3mN_XhH-Cz|_lp95P&hp60*bT! z$hOnuuXTn3wJKr9`0o;36iuA2gsF*JX2S2^lp$cDZ1w3) zFsJd)^xf%pH1Z-U&R3iu2jo*|efqDLL$%M~W6GzK# z^^`$LU*n0M845X@uVK6wYSIH1QzTyqjC%d%BM_r;&OdtlOz7^@c7ZG{G^+UR(g`pZ ze?I2@@Cb&;yv*bX3NaPK2VL02^XAdwj>H))7NyE)#WSf-9e7>fgmH2`U|v0d2SyH4 zL)cKM6s0S`G3P*PGX_!?euHDr4haC1^X^PC-J=0;WZ3|lQX|FN{Gp}wcnXXU{syk* zFP_}voi~pTr;x~+w5lu$of}P8+9Zl09PU`lr&Pdwf|w(jJa_#{eF$KvG>N`#5{MAW z!6|~m?7G5O;}V#Bizs&l*06Bedg|+m0C@_)Dj?m5fDDs?jB%NRKnkR3Z#G4KCPi{-uq1{_9});wHe0=Kf*p+_(TkRgdB1Ez-7QpgH6qo6vS}R zkdb*)r7jzUZ7Edo^f74>>HAHPr4gQvBBnU4B}Ma_)Iiaa!0f_@MCF@)1ZtiFaX_31 zl&L$!FhR-Vu)@cpzZF6D6Rh&>KFo8Fn3qrhxGOvI2e-Otarr{)r!57|zvSlXJR?ym z!~x2Lz!xGL59^*x-y~cGX|Vy2Bg%SbNcWx2&wyFG*{wO;#1$=f84SRr`fq-NlZ96R zHsDsCL9$_(dTwCj>0=%AMp;y*wef<>pXScyH&rQdBQvgftK`Z%#VzdNq7Y6Sc2AnO z@ad?$n*|~mUM1boi%gfF>n7a0wE+~w8)Hh?%RZ*ug#KU6L_v}0Hs`m&UJZd%<(k{h zrT<}Y8!bcN%B88;r-Smo5PN6gqI#GYThTdJs}Z1s{Ir-P=qtqfr!H_(lW}1EzUjUgIjOnwOq~#)THba5Ai3?)ThImi&{&813 zb)`xmwe8<~@yFK(SD+@x9|~j3eEuw0&yCS4ge9%1`OQX3Mq!`KVgO^CaJ8vkRYfE@AQ44()C-)<; zfz|b?$NO2cwU7v;n%CEYqt)ZTro94VoGh{~;Zi2Sb02jgxaY3$?@^-DGIIBaD7tIfm==fQRwFDM6r{pyR?5H#Nz2s{5!>Z_` z(!uitgii$S-o_ve&G6IIzOTG0pJSS8jl9QmQyscP) zzyd)IU_E_fZ(g-@i~b4@9yPymisX%lHn@AA24Z6`85F41dHtB}cIKpC00@lGMs0K#a-N}U(e@+s>bPkD zJ+5%LIYqbuUrX){YU>D!8m){!92)Id6h2lURHY%`Wky(LJ6pnIQy8l-I*a9d0#+$}0o^+8_A9dY-3GrTVDb>(9p^9ofjoDq9*CyDQ$|TT)y0a{u2dK1Y?KuIfr&wsQaCOO8_aQhk(Z ze2lAj;SX6z*RL_rZ%2=u`jDlL59$zY*`lqvC0>jN9R(#`p(A2!(kcCLFRfPT19|yG zUe{Fmr?(unzGsmydPL%teoAigUo@Mel15odzP0~m#B?pzLX2obgfU14yV#6lF2-ME zVXKzv?!SzS$G=>2UFW~gKP?umEww3q{T1`$zcBwO-&gKG`_0(pck#W+zt|%GP?E2! z`;V_btv6qP&9jwaQkj3g|NHr;asKX2{$Vcp`Nz*c%mY9F<)8n2|7Bi4zW@6Et8;HT zBmDD^pTGV)KmYmsFC*ad-{=2-aD$mDv+L+YoV`?t2GuM&CnQ}Sx%A6W<)>rb}0 ze(LIzElQDO)mDj&@;>o%eXB#=^N;5r&p)1j>hgun9n|w215bK+pZLg#kb!KU=O52M z%m+IsG+**EpJR3|<$ZPbeE#|RvvY>}e=`5@I|TmoF)>d^jT#mH{n@|6sE1=-t1lk!AWo4ELqch(W+#~o%5-ZoWtEX zMqXZ@o+2k_pO^pRtlz<0s)t2Cq2<}}*=pKFFTt{(H1PGpmmll=q=DBopbvUcaW`q0 zy1rAAJeIix+RtpUDqoldceDbSx{y z60-^15WgRu7}0Upi_PxgB85D8_)YhopL%TyCzsnEeWH4IU!}wH;rT<=ee}CW-DWQJ zzg#lJdh+I*Lo}VmJbqkEMqTjSUawrg^ZJD%C-p`7XWv&Se>FpD4oi*2rWos6`vo>B z^R&qUzXcES-Z&3GR-syb{WKH9%n=z-mMUTh{O4KaAx`v%pbBGmF`Ow!glQ4dwA67Up5gx~JgI(5E| zkM^DWHz^a2`4gCKi1o>k2NTopJ|XRS%Kqip;NF|NHy;(ee=_ltl7?UOUdFOrXkL~M8_N2GjHa^?0Xw|_4s@9uC3=~QgslAm=cwF z(7Ws=^}B_l+SE$H1|PcR=(4-jg$f^Ob8iU4=!HJwB06)5tgcLvYy}@FDCBsp<*x~? z@vKop9yVN`4Ms+8%TeXFnEhnniFnp|yS=sJZLB~Ke|^%u*UwfSuW&)ho(7(N`tfdE z@6p&zOmyTA=sVqawQrA2Z7UMXjVJs!$*+eEe@|XAa=t6d%S)3OKK(&FwDA+BlX6~a zfo`|Klc|YM>N;PW<9GUn=taKy#y!4Wv&*2?PxG(I@9tjZCZ8r(AXoWl_>s7cK_mI+ zg9hsRpNcxL9q-;z?s4r2>@^1m2P1>y+I&f~+r&cNh0uV;>2S1CaoVpe9`I>OD88Ih zg0UIjlVodVkNeg6p33FUv$&=NBYC8(ztVZ$D{!^;Z;pMsajtJ%W1Q~XNR4|Ow>c{k zZgHA(({ZNjG~^4uxT_w)`G%I)oH9Rt=vBSKZ4D@wA$J&uC5NMi6l?~1rb$}xu4FN{ zP4}0^vl18i{LC*ojOxvW5*sf!Zf<}#h$xlKhD58i4Wzb2OFsygz;bK~81oy95Zc%# z8$M=v5vc3h`l0=y)?wozpUsqwolww}1%eUbfY89|Z?J5TU?s2ySQacF<26dwNWn;E zMl7S6;9!bH%7IX#_4arZ?3rM=aF6*dN1eG6ttu9qRs#zIQv+_qbz6jOq!q>rZyk;} zwlW!H8Op|ZuH|jeZWs;R9?9QmSO>XLxbbZu-xWTYh=9Bl$PE!FDacgJ8_yPj zqDG=e&{-zM7af6C-=DmC!XaoS%pg1>bWPaET+jYw;M3cVCrScS_9HfeHobyT!gKG9 z9M58l`hW9RC6D%YJ$g^$5tskS{E^4&3h3iu!C^mWx-XUHDTWl^*NH9x zms~0l(G$^csS>DKn2evAsdzYzn}Q?k%l&LE9oWmK9X-$)Hmr6nzmSvXsULDbbYyp$ z4h#+mv^tk9N#2U2>z-7<%`q!(fKDa^;I9H{O9~%uBMKv^~^`vnp`Mh^% zDMoUSV`FT~nA&+-x3Ub&8Z*Sln|le#VL@c*+?gfP>Gt)V83Cy#NtPHn1B)K@$>X1oUr~?HULzyBymQT80%et9^~R5!eBtBfH81M!YsQSY9^cKgfz$kh z%rO11QjjfWK`7sKX~uJbwx{n5J91yez0!a08n3DCs|_Bps`h|9hdB18C5;M*mifn0&sdqYUtC3F$AEHk;DXC6sJb{orx+}I|)u!t} zUK=4E`%`fyRkZhDaciY{#b=k|^aF|R^PqY8SX<5KLp|@uf2aTYz`4yS&nYL%XZm^9 z9u}|>G%{EnQ~jlS?{MvK>YDFM*_XMmY0lWBY zFR_%v$q@&8zR7IcZ z^!e7rR?e1(N8L{0V|Cu2yld#&O;zw1jU?R@)A2=PdwF+xGItt}9{1y0WOO2%0y9;9 zsPWkN*bGh7&{VU5kH`-5Y!`aG8EqEON4$0Elni-?mZd4+=Z?B@va|l6>E=R7J1Y7G zvo#?Z>k6*7@bW*c1!>4Tn(LV>CzydpHA-`*VGB0;*!hYRv-Ga!Xps@Ukvp*b@s&&> z_V?^>(qD^u9c#}Qtqhk83t2|=Z%Qglrs|T7mKHL>)rxlPKiRL@T(h!saIqG{hcENd ztseF#Wavt^Y?18A_J{0+Ptq&!e&(YzRz=RBo9a#n6Oy<+3|49(MwCt7gp?fwcj@L> z__%Rdrmd@kZBuK5M!@ibg>j=Fe$r$sKyrFvK*OVFPe-mm%TjB622L@%J)7w0gGRcC zxvpBEnlj*xUp;ov;Vt7nnE@Be9}dYJSuG^*_*8ETtT@lnbjRfs7^wC5KP8mbjAtMF zW_p<5t9C7;abAS7fW-52H@4Mhr(S~;v-Ds-`!^X(hs>M4i22d)wtJY0>>26!iwS(^ z@4jSd$#Xl_sM{=_++O164n01R$8@ZlQi9PRqa+APd(L)(J8_)_-KY{&sYy;t6NBLq z-7(@Mb-fn46NF}swv31luczMr%@HU|tExmYZ%j(`TaTzP{pVTvTbqmwTB{A#x3S*? z7K@U7H17}{1V>Qi|@CN0Yjxj3e!Xl;IQiN=4TCK?00*Ofe zfgdqCSq@Vb5if{{FW->)2Y#^2@Fy}8|1%E@dVHCD#UiNV!9TFhKf5(zJ5whB`iCCI z7V|vtOa1LYhRA>990CI`Z}1p5&|dv#j^Xl+pKLNeX0FLZy!;0a6?i8ZlFP1>RR2hb z0PiLn_}1aptJlH*%+?XL8Xf&J5l4Kv@&;Q{Dk*i`Ka^fTHu(KB2SD^sXTyzNbJl+% z4#F2mbo#wG3NX*E%ZOm=X^T0BtrwovA>>x(91Gy4;{;T{=wk! zcc`v{%-!ui;ptw2wTVHqH=@)40TT;<|K>lgl|MCr0u=T3b<|%k{F^IFX8D$(-2zEM zeSgm(c^ckFN-e9DIkO0_@l2Heanb$4{e2Yw18cti-|JQnC*2q=)(x-CP~k%m;SGy^ z=(GN3wM53AmW@Y~3GG&M`@i2#>7I;w<%8am-_j&gXdr?k6?kYSnl#L8hb!U`cH^xn z4(RS0+#9WF-yR-OI|h$<(Rgf5pt- zY7w-mS*leQeZsU3&X2GDYu~<82s+G6Y>X5wne2a((I6GJn|Q07NL}}s%jGst)2u_| zG#r0aew2RPTd(Vi_Uf5See!Dsm6mbP)cdcH`gdLAOX$y@em{umUJ4lMQYd>K@g2%Vl9%`r;I2U10uzgq&6(@V<|;kv`Y|I1F|B zpq0|;sfB{`j+z;0-9>BOz|L38Ov~JJuSOn&6Ac8ukL2$xY3f1N{IY2nvxU!QMOY+* zK-)@ha-91CJ>MI<+8LMd;xuu{n!3-Q=$ff>t^o>U^??9&PzvvExXD>thznh8x|E;y zSgOx_5ShU^+}QXhA;V|;mp789W}=O@cQjL~mNnqadF1po8s|4*>&C)+^2GQCzv&u1F;DWP$rIIX&)bdR|TAmC6T-hB1HV@qV4 zZ#T4CUFI^7d9IJ}I#`)xa%}pFt%0l!w352&mKr1s`x-hnBMcSN#oUa(3t{MPIk)}k zsyu$J!K9qE`Thi)Lkf_ODdzyaRQCqbEnmbk@_)A``5RUY!h| zOLaU)KD=X>*<(h){D)D9PZ2aVYw;=x=^uQd-v2wKi1tLF>rNa);ggNictO4q7i#7O zMSaj(c$H$@qwV)b9&1^5)vuD=$%G-5L8J~FTLy*=5bM#a46z#XKkr8il0F`_ z=u0uzDp2hcrJ`YT!j9@rE3&8mW@GXCeUnMpPH!^X2q+ZW(mf*;^{%T^UaRT4?tXc4 z%l8Ldzq8rSL1!PW$BY$Y)jZ#wJkpoumjAz>{=XukTR-bfv-em_K)|%yxbaqY7)#~p z!76=THlvet!U{meW9ou`4dEfoY1pSupZD zZ3doD^X|u&%JrwrlMoU~@5AzR_bE&OV{_`L>PlQi-ACJb_eqR+pOg_ne<7J+xpNCYy|*jwksYHa(6fh z>`P;Yj$6Xq-u+0^_A7=+-+F85v?u0Da~@Yp6fKHs@>RN2$LbZzv~!i87-2F+4(tv2 zF|)BH(Fy-f*ZhXE5xoulk7E=Tuu?Tw_#6n z3jWhw%v%_R?bh1FLAy;yQ?^GqOj$u%jrx7u(N-!s9T)9cD;X=T&7i!oYW|V9E^Ua* zQdEF*&!lChpWUz6he!K8eA8*qTo)gi>JeY2C6PFqFe?QY>u@GQQI)|q-WM!Bn*#X5 zVKpt)9`egiu5u)$@@8dP`=@J-c0eyih9V8L{obgESnF2-YTC?5<=msKRH^vls7^o2 z^*gUbX4a<=#VVOnvv0iD^D8HzK<7`!6+m})ff7~m3s(a`3$HRC0C^oPv$IaGQmhyf zBGJ!z3~H+$O(S0UO1bEl@C=U}eF zbQr6@mGtQ^wassa4iyO7acGLf*6vQg1>XJF!^Ar44B!1;9X?wOYwQUt8g}2jaoGH>O=-9{V!{XmM0B0CvoW~C9@a?#% zP`6QU))~P$WMH%N4t)D~L`zKtl$}33@HvF!bg474s&>wsdp0jZjwt93>0zeYxJf`W zC9~K_pBJXIc7>3s_6(l#tN3m?uuY8z+4Ls96^zQ9GbI~pz~7xEN#rrC`4wEhaZm#(g-Rr${qyDOvVW=d&ODvMx@Kg#J&Jl>1 zIvx|`%&o_I^JIIUzCWTLIET&Gm8}(A=R}k>PP_&xBl9ada*ZGL&Bt@og3XSMHLDpu z-?myij^nz9$k+5lffMTJhMZ~L(CupHshxQuV5Fw)rk^cDDr+4=Ghq3w!^9h4>eWm=m_!-$y}am_DLl%Nuc)SOJh*x`WQ$Ofh*}k+?5M`aK)B20^f_- zRuV$Y0u>o5ZE#Ay=DC)7?yBA;KijJ6aqUp$LZk3PFiq4shgBQH>M>iZ(0>IZ;*XN{ z>gqc>Z$TFCPg`M1OUg@(vnn2_u{R+PnQ#E+J_{c;ns3#vW@z5`)_}`c%(mUuW>sPzZlN9i5P!V zJapf9Q`%`>hJFBhAH07OM8>kq=k?-k9L3svmfvWtknPyS2P&x~NX*GbahXv_jmVs5 zdz9pnp6zS{B6G$YyRppmocp_M@hl0><+ixH-Q(c4`VUtqD*<}^pp$!qu-&-R@MIU@ zMZXMXL_VlvG3Cws-Q2?F-SHh+fTA$Lp6R=Ytja;F0UYRVQfkbiA}`4WZoK7nfHTjv z6|TAfU=dv^o&1-T?q#{A)w#Nt`d$!@Yk^Y0jvGYS>ITs??}SrC=TI z#ZMm;nw2WF5PxQBeQdHHDd~IQcC_9^W#6V1Jt0MQtP;^$WL%5uJcxd!kut5I~ zYqQA-1Zfw>s0pM7*MWX>C1FxQB4DL_L$oE!O&PX;pr`$!?aR+YsaUsz>w$Vv?b`pW zi)Z%>H{7Y!D8z-pPX~ICl-hC(O>zzAsVS%6YZ{<)*B*Vp9B}9lyOCGPnJ^b`SqDJb zt#~cf3Ng2hiRgecGp!R(fD>AaY<;>P<#ej9k~b3%^6)zxRIpy1jK9y#o0JMto`{w_ zN=ox3#!@B_ymAcJ! z^Ga*LNjq!9g7b8#*;oIjq6WAW3iiEt=_^;`#shoY;kt8G{+(|aXH|Tkh5~bfUWRO! zn1g((6a`EhGYy>MJeLZ7{9ME1<6wn)mp!<6RI26uFKT-4Oi7;_Ym+U2TBjOiwgRQF zAC)q?L`-%kMlfCKk|~GCogz2sv)%TixXiN-$Q||J+->zLtHB&6&0{0ND6<3Y*(k)D z3j3xIbSA#jv?QA>cK5UGAZi6@2=y*yy8M0%~pYE+nUrcU!wEq5FpeC{RV$oOGV`b1;R{HXx|5~FeKKV#e2poCd&Uzk` zq&sXKAb}~VnnA)>8^ZhkaA=@+IxiYojT?I){@`kdi%|jDRr0Chb0E7rS>gmsFEWPH zv;M&F2V=L#$p}e<(K>z^bT#9rNm1f}sL*JQ9}=3~l*zRAOI#PtHCtKD4A@3e0YJiQ z_*jGo5xCu*@A{gVY!s3<>`&t{GrnrLDkXM4US@)3?yAn*I4MGT%{XiK^d2>t;70(W zldB)gb!v05yZW4w-lHn>T^g!p{bbf7ZY)_j^|aGN`up@&Ln`w`z}umc$eO9n>nxr* zl1_vjJ8U=I(WCPhXEI0_z{8*upE$33$Vux#n4+qi%T)Grje#AM_@W)cN-M26q$vB<Eg=>22&U)O-(CM zi4L5ra#uWr_3*g&DQW@$!#Qz!(>3-qgxFN-l@uvE(BQ@cHB%6&ld3cUVtGR~H?ZoQ zcK0(y{@T3L@2?6CF)E^&5(r-c=kF}_jG;ZDqIJU6=@R{_p->k>wKodV#e{aB^IFY& z3qP`MF~M6evS8~!rSguRfwJ-Ix%iSfGjz3)-#1ziRjRBuNQx_vfC@MtCT(orD;i@` z&0P)I^ngqXog&({#4FLQFNxmQduo>*PnHe3cA&TNX3T{ zzR|7==g?)0-W~b@O;&<`(K_TTBD4|^G2-gvLZKR3Er*xD*>6ZY={ELzK5sXo`@Wu= zTu9~?9s1=2Izgdk1#N9eP6)$Rqtw$d7H_LX$%A3sv8;&Pz^Y1@ZU|8>4{lO>ejv<- zPz|c({8);`RNbae(=9i^d=c&|mJSKE>`zN}X)JDJ9>jJwkKyUBd?g4@bz#p77weD; zoe{T}6!sWy4&ck!>?aQO2UlOOa*Gj5oy>pOszOOousfrUC(NQd%KxB4|KmpV!~Xk% zvcyVgNG@4`87<{-6QE&f-J2*j1qD(u@PB7^tVU<}9Zmk(WNYml&blJ$^wjm{Xr1fZ zlT`)l2W3z*xrrRVfoJ0;fOwbZ4@2Rai~W;^yM!xI03a4#vf^w#iyrNzGi zlK=dX`m2Q#-}Y~xi~XEg>36g-wk@)inXYx*0abFKZ!`-(b@$IJ^Y&1w8*s z{)zSrPOXE<+kIs@ybUb+Be(_6@3< zAJy>r-Q*+ z4d-ue6AML_eN>0z4040(r`SSD+o0jNC1f7f;-y^ug0DB6C=nU)L@53B+JjegOG6=J zw1R_*uV7IAL14(U3G`4W@U*51y@(O(&pLGnhym$mFsBgjz;eOp(TieAytDVn=LlI{ z)%t6L?E{UfDd3y@jNOqA;ampS?}+jXJF%)7_AVLKWoV=5VB!GE)QWU($9_PFWwOqC zvPoDJrFaVCYq&f^v#Zvk)tW`bl7Egs9uIhg1P|e!r@)G2ttL=w5N{L$S&->3X01J= z!c8kRX8FtxSCNlOlGfN?0yQ)H*DvG-Uw}5{@w7nNi%G4o+{O*6DBr3Bq?F>1E^!6? z^cK4F8Vkl?JJr!@X(*oMQ-6U{QxSCBQV;+8I#Y2T)Fwq&p`T>vPl4aM&8Y@^q>i}D@qc+;rE`F@8W(I=!fYrC3&0sly$+wkmh#h z1=n2ps}(e?T$y5xR*oW;-GoTSw%m0HIH)2+SSW3fWDvriY-(w{E%b)0hAqw!BYC2l}Nid@)l9+js7z zf9iQPmDI_1i1FjC780(cr*;$k_}z9YQfXZBly#bH!8(mMl*@<&fen&`e@qPM2@{C@#AG8Um+v9PR1wiKTY2< zcjbB*Uwpkl^|MZgp%x+zln}}@O#f+)KV6W62u70(NOg^q;OD}Oc_WFj+b3E42_$Nu zho=K^s(c;ti4_gxGj156g72>#+lHX4O}MYY#3$Bx1^rEiR^>*yvHtWh za4kAyL!q8eA%VC3twZ&G7MHe7z`lyfHqIqg+ylPeuMAqmcgKNdFk}JPahyaUEcmG(srU$VYL;`XS8 zLtt*cqsOth(xo~ob&MXIwMOh)fzA0r0b9-X+k6^&aNB6bq{!^Z^Wl)z#d4*lQ0}Cn z9qCf7VT?kpNsScd{DET6<4*SzBu=5!kllE}r|^8;M{OqrnTkN;q&D!%cmy=tk3B06 z60iun+n|*M>*D$da}5O;4*Sh_BVGx?m4k$*)rUJFQkG>%91PzpFZXTXkg&WceCU@uWPNsDAqpZw z`T0By1;C&*U<4uN)(cShn|T`zxQMl;S5O@MfMvGP<2Y`g;r@+g4Q0<ZzySG_hJ` z=vQW4Jw58(Y`1jOm-ggWr-W~&VSn}qwJIDX<4RMn>@oN1b^c5LW18`osQG_Jfa>j+ z==Y8{f%K_Lscw(o&OLhTD!}Ya8Z-v}(Hfro&v= z)iO4@?&23D?x`CS`-RfM$1UH0YZ9J+vE}N3zB6r@I|JmrD4uR8#w(#ro!r>#tJ2R5 zYrLCZ!~UHq_Yjxd(^xCfV?Ye`==xP**43#29^uav-&>dgD(U#L-XU|LsZGOJW2|ib zhHE5fg^P_gBmM=qv-O8|DBl5aNPO$c=xE&-b~_w@n0RHdHRvwa>&4XICKOPzreO8B z@-Vt)3slBd>~@3gCr3crY7R&l&26I)ySrz9xHh=`ebJ;CEmpCYts9b{ebd<}Wu!?- z_79PCxCxA_Dk#J_zQR8wI)WlXh$TZZAhLN%p*9OX+2h^;ZT^480wFF!stHlpAEh+6 zSU(+Qb48Y2}yGmOVR7>kFCD;xHgE)ftn>p+2V$-ORE)qOSJK{Dzt9nsw-Og zCFr};e5`s|QK*!}X2DX4kRfcJlI}L9|CuXuBh0})Yu611O_g73>=wDrAzBzy>BwVH z%}=^F3W;T6X~Z%wUn=!RxjnrSa)U~2jZM0d!W}PTTv2nsqB2tL@Pm|ZCL)?kZ#@;M z3~8q%l_cybpx6Dy&mf4?J>3=@_}u~a**YM?E_Qu#D9n~71Rh^_tXLpL~7&Bm2fwB~# zBKfu8?dm0Ef5woydw9Rb9m{Cgyx-W}Fu(J0 z3X4d%s`D^a;0OyX!2rKJIQ=N1vq49dR69O$5c{h^^|+h63__>tcLDLMfYay<3;h7P zZ;w>l+M%lH8=zZ7Q}A<0b2(gm1o7FFZGxv-=Ay7{FhTah;cadR-wZ-Z`z!_4p! z$zS@52DGX}LJA>-GU%Yt`tlUSSCiw<0ESngK-~d$=aW=zcWWVbPEQ38>Q!C!rObD^ znnMjt_(&qhxA;RJX9A4B#yWm*}LJ8J~Ex$;kEE*C0s>c zY)p6C)XD;fdy}6Mlxv@!s9V2#yZd5cm_5Vu9>e~u78t5s{!=8x#1FwM{dhK)`W(5Q z_saUhN=sdFdLb2-47CyCI8}#dzVwUs|EiY6-x{qd5t_puuw?&k-zc zF7AL5Q7>)M{P>Q^FBF0PL(ScB8swVs4d0XcI}+6`9Nz&dLytg*^r5#N-swD81buw| zsPxxG;h-yP!?3H+te}j^qUmsSzSS}Y(iQ!Vd9_U{-y3cNH`R*a_MRE^B;2^xuDc*H zDG}{|u9<$ryy~%ZB-di7{mJgag7UFZ%^+*)IhjMkXOZjbYXaAnan?DR%A~G-;dA^l zt@f(Q42 z@Y87O?3sc4C56Qcu*y`}x@V?6hi;ELohEBHw&&W1HAX1Y$CE!hBf@euT4Oy*-akV- z8kB@rcMy#X#X~P%T>WqYf^na%Uo7@hmNjmRNjLh8R99bstkA>GJr^>EX4O=uONc1( z%3~GN={1k!&LXiY7#ALj^74c)hvB=lR|)>UHPOgSf1GS4%0Z_LX#$yxF4iq6UuLrR z<I#oaXq*EHFQY*G0qW zbq8y?;dS>kk~M#P&_)c2nCob3%Z;zj{lV{9>7bx>oJGiww#~3Ftsi-szU>3>L-jqU zwv61uU>A!|FOM#0hPG!vBDR_#o@>!7c9sVy3O^0O8gvky!2oaDmw$7)s&Rw=G? zq2f?yDGECpQYz!a(SWOh?xBXL$m1wl|z4j(WE8C^a?2VA`1 z&^=hcLhSt9ZR^7V_B)r-ZJ>XS!_Kx+D{YbGv8+0((G4ud;AXn+Q3MLKY{7MXwY^?U zn42v7%WSvG*hi=n90Y=`H;)~yC%v&wa3T2Yp^N7TF;4*e2pBQlN?hH_OzEMt&o>)_vWdraPOk=E>xEc2A4NpJhl@ndZHMv@@k!P@$_f3zd~#QvPQr6Tfo0gttTnZ&YMzENBo`zxER#a`eoO zxm}~XVcD5wH4?CQPM-bnttcN9q-i)H>U3r2rs6FR-id1jG9k1VC!7vl4)8BE>7Kq9?MX3DmvuZBkRSIU#@mzn}+)|_Z zCtF7ah6S+q?%Oky#$kSdH6<^#nqx_uL1}#cIv}*0FV8&xaHU@MbN5>UVJE<2m_GmM zBRDp^h6Xa`mN#weG;Bne)Bqimu8!f1DG%^N*`V zRqFJ;2T#oxW3YF)#qW3oMcLJ|ysctj6zR0YyFoRG4Pnx4eVX>t%5eNUbD{^rN}l; zv7cG$EIc%@CZ*k{GCXO20O+V0P6m>w74gTT z#xAP*WF;Lg&(_qYWEDN$RD=9^awaWI~GApx7wecuIZJEuZDDOu6aaUs5Of! zZ}}`l+8;iPrdWZB??f9qG?@O7$^^?#^VBLzwWy6});Uu$*<0hZrfZguOYOTZsG#y53VeRm{Ge71%LTR^1a;nedGNk2McGIj zN2jSc*IE%XpbPj*n3{#>)Y@~C;Z)<;X!dl7W`ff;pqD#J;|8OR3iY#RAjxcxZ~oMs z2WFqH3yvmv%E{!E;ld#p55ULPG5^eUMf+;yhHF_W=_UYcKCdr=6dt~G$YF1IrtQpj^Fv`$@;L#LGxV#OE3qu2>SViO|qRxf$(~@~b^trmfv|@#Pz~ zcay*3x+MHcJQW$^cJIdVLPRS2C_k&`{!)8+AnOWiZURladTeH=G}KU4@EVik!hX*u zDGPC92vP-$ixio28f5^7&akStBiG))Vz&mSdj+$AJK`Ic-mQKuPEF=vMPPQ{^+W-YtYF;dsw4uyb&QuN?)dnjKDrw z=ez`)`Sj46H+@@rCTHmhGd|Ae>qYUq3>5F_@uCfx>r#zfqmF&)u+;3VqwQ?B8>R$F#^)>y0;g9c%()%qrqbSM(BjjrUEQqFnufQ7PxDI(ffH$gei&Irsaq zYU^Pqr_NQbDvF#8lG5mz&{1-Sd(jnnikbf|X7uKx}?dME6ZqA=6m>Bs?mS}&Hd-yusSB%rnCK? zZG*)%kdV>shv2p`mCKsou;%Rs%#48ik4ptAsViSzy-Y-KnqWjd0KaX+JtxpIOw*y^ zo%}kEk#aS|bMbS()#gOSx&?QSvnhveNRvb3mawi9D$E62xW)X`;cula5atePB{osIE!vGjEQyB?{Ya-S@Yl|8~o~^@FLl5LX6jxcI+!ua3 zrPQsix4AkG)4NOn!$mWk7B1j;*2BZY(|W8#|6Ws(8>gOt=kD7^VD3OszoF9b80FdpZUZ$=p@+9Di@wD1sBDA*C5b&|Vy_Ts6B16;fyL`6FONyt$yINa^S zXKj3@|LZUw@1>7UM%kJ47+?22c2>h4X7}ErMzlX-;^iDZ9lIdcUu~Zv6rJ934w#-6 zign?im@^%+aPogg48FmU7WieUa3hzi>)VqgCZ6~74jP_YNEZrZk@xn)M5EYv$^mR( z!#B-IT0(yD8Gil))zqJPwCqoxEkt5*B_^>MIKEW)pdA|7Ou+?+J-6P->;%D=wNJLF z0!}_O9s!_d&wVxBgSwkXLPR-&yl|-0;blxwk)9DH0G^fdFdW( zz%b$)?+b?6GJ0O4q_sBawnxr=p_9)?>HM$ieNSB|c5dbE4*#)h-Wd3->gMPYv*WA^ zpk-w`_sCG6b}z`x4B(rf{s55Hfr-F02lAM0GV^!DoEd8m6f+HHjbv0h0oQOP|KS}G z3}7VOgdQx>a$z$qd4|ax+RLjm$D}us7(%}tTwTYTn;#VVuTSJl3;99ufcfyy%oCuY zZXU^lCz^I)+jh&xw)&oOrJ3LKWrB9gtus>utu;kIt#V$z4j2MD7?`WBOYF+v0bQHA z{qQ~Dzf$%#PBmHck;-&ETB|QTZ|52Haz4BxnHuAjjgA9In7{Ca9L86sEUjU(?$`0= zLCAsqY3B~K_E8k#&81irGooCmSa*_axJCTiPSdK?GaeI~Vw1nF8T`vw`~T-U4{9SX zr2hT$>-{ajFsR5?t(}x#V4`%$c;RGYOuuR9xi$Aa=n~B{Dswi6x`j}#XH;M#aK=Nh z)>owXc3peq7-FW`=h!`4DARQSfd*^^ALS{0^9)$p4`@91e$X2)&j41g37}nU0-)(p zd@Ach*Sj$~GCwkCeNpkZl^bK;=25LWAVzga4K2z~a-{lbyGNZBOR3xI-NLzavng~> zbcu!0kiiyN;z4L*(2Gk9u#5!Q`bX15WA~yb2JCdR4Q|SeETvY7f=@iN12rdf(;tM4 zf0TUW_s164t*c#c2ZiI++>?0pr?;VI55Nu#seVtTn{D`G_4@Oq(f)=H;?w3Z&O(XN%>;moYY zj|wgv%j@-l(L7>0oe02Nz)m@qUJ05!WL}IO2GXYmeAf%7*vi)Ve z%6(QdEV%x`BJWm}`wXazL zda^KZLm+RFc>%YyVy0($8L;R+6hG*Fx&?3CR%(FP@he+$lC#Z|g6IH^WmuqYpy#lM zcgzf`4mT-ltN(N1CBPb%#?+Vh@a4C`xRKgij$BoTFK~|X8kE#U=_8@H--&#HTOu^< zQn0ZCQ>0BMuF$4F8P*6J$_j1)K?;ke*8W(FXhnY_NOHDCa|VJ_R4x9HqDH_rWV9?R z;DhaiU|%s8sr4=I0XXL-O8U903fvMNukimpbjNe)}S zrZde2>w>vouyy_Qe*ug-16R8IU5*RQx`0;G-r+(!G48zCCxU+cx?s6*-+@7lQo8o@ z)er2aEUS>SLy=npeK*A1H?5>RVOx@$kL&}6qbegT1svUj%w3Y-xH7`P+l1Yz!$Q48O&c@q=%g2DM;wbc;H04z5gqgx0unv3`fRewlD)ZqH3X^PJM2*s`vRylwgEts3v;FL~$3;>(Y15rB+t zn*63vdV~J&+*>T%B02Z=k<=+z7ZW8l;cMJ{;!&Ccf8IMXR%)1N9b3|gX=wVR+rxp2 z5_#+3j~tH=X;)NyH5iPCOM>MW+y)w?49BxOg(C47lZy?wu1UR1J|&ZIZ;n^8Bk~k} zBV>iDOgYMsrTxG950?Vlv^pG}qg0Zn%s<}Z^Hm{4O*?rotOK&2U5((K7+2IbqT@+O z?jM1?%U1ek5PH724SHhHoAf$dk+G~?qd+yC+E0^VAHeBF6iQszijZ8FnS^H-az<1L z66<+!)WxHUsck3|-@Oouo}vcJ3AOwa3jNc^6^kk-FX+tZ?(DU)xXH6aXY-#i_^@KhLU3;M)*hsE=bV-%u^h&`q1=f1YQ7F zGoCM26+AgM{d32FCVR)p^F#u@loqUK>S?mzu%#syWi37C@)YsMi>oa!Q1ZP56@)Gm zYKdwF)fK?HQ>~f(&j1u=4%}i>_0_>6uM8NyG z?&})Y80R?8bGXFJRz4PddTHsRs@qONInh9z@c>V7u?f1xtZWP4rDRq)iF((Gx@KGL zq6ou#(vHjvA+}4XneY~l1A|BVnN<-RF=Tj4^vAN7FN|zZ)07O^MYyS$Q0q-sR~N<1 z6*X<_w!Igz+O5hedaYt!+LET=(i?++Gcn^(vF`F>$=Gf@N!r9bG<^!xo#wyW$Xy(Y z{lpbDFuNYNeEEp%#<$%CXF0kliYA3q+o3U$1{UwAj5@WP`>GBmClY1M_lN9CsJyB5 z%@V8n<_Z30#T1wujySG z56|Z4*_@$&6>lQv20X65kJ180Ih9-CW}vUKg9G0W>XI@2?xIg)w%;uqb$>(J%|d#o z7J$l-?Vsk9vCOXFleJtS!NeSy@kEtgTg8{jx*?6iS;Ir%X6_c!?7bNI%r?zKQ6TcX z)Fqc}`iiQX^06{vg>#cvGpk4_skeC)w1_1-qU38XvNs>WReoK8rZ15UUW>|173$^}*QF!&7I~AjoswY$G^cldKywI7Q4kB*_?Y zvGiGV_z(5Z`a>#AXY4S}Vq;=1*S+J^55@eMxHac%w%3}H%VE~vr9izk zQqmqF^Rjb|&lzjzP--S)EboDJ-H@qh9gPc@*S__Z$)jki@vm<1O4&fC305qh`LpEG{`R~VT)*aGMP@f&E1s2bGX(u!nQyp@^4 z$GEBfPV5baGeP%RHvH5o()EYns8OHqyYmakI3q#9}1SMS(`*vbSOA!*y?+S1YJm;`}*tX1u_( zm>>5@n6(CyFIJLjI$WkupNMAIN!IQHwL_?U7*knXKMPT0S5<&{O!tqJ*nVKgh7;9x zuN9ubsZ-dMRd~}a%Ow8!8OP9~==G*Pb}tTUhf%Ekc0X77DJiagdtxdHV)_2S!xsGk zdP{Q38F^uqx=Sd`;rA|^GjgMwpi+B)r@6Pgfr{j@O~>aF-Hw`Fy$SKWC&^_KU@B|D zE~4Bs$LCd-0g;jres<`;&a~u^YRU7;uv~sO*K(rPJVq%KKzwXNk(mX z;sw_6K?9yL$@vu5XM(F=FPdwuukY5~H5J?8Ct8f@NwA&0FWw!cN4)LYU<`$aVtu*i zu36@3zdgbWLs^SJP`0#Z@TqEbA{6zdFslBsnIp;7_?pv&?vT$?c>S4EC8>@N?#dTS z6dyW|*>p^RS^&+yyLDOJn?nAv>WE{RoQ4A}-eSrZZ^DwJ!;vFNXVQvXt$shFG#s0% z)OFLSfkGg?H@xf@v(1EzRlY$tAm--Y(3H0rHSjr1lyo%fNZeY8qC|7VEd_XOn;u}? zrjNd631sMOUScm?R4r;Y?zg#^M*a87+2s>9QD$|%l#8VkzSignJ!coyE@?Ce(n;1x zaOrq>9o1eIy$`xbTb-clb27coh!RJ9p!{yOO5kw_s+CdDeGj)4b?pzBT|k z)!mZ}Z`Y`YC^XGsOf!9p<3bryZ#F9K+z*_bd3pDIs4tcdJFIbniK2T*Q_`cR z`{ny28|7pqbxfmDr#m;UWgkKxncZu@6>z{1<;0p-6Lo&}IYljsS*obr!llx44o_<9 zKgw?K=0DP`J$2(&PC4`3G?vo{F&}}a(d~jn3i+XlNZ$aw*Cv7;KZuq*Eg2O2i(K}% z-aMXnPS;)wGl-tUE)Q3ZK_N_q+ger9g@l+Eg}vxDLa9w940=ZS`Uw;#gmN(j<1Xj8 z3JmR`EQ_GUwn-n=`VxQgy9Xy8@>(&KTtP%TH{g zmIqM<?uSE%ob!>tGRXJMxo~q zP@&U2F#?c4XubRXrl7&!mKaUuPzM$xp3L5D-c%GVWRCeN_*e+ftVhpsjJMr^#I zMwyMJ2!B37V0vkv|K)oW-gp)_fl?xYP@uRZK3~%)NjB+tj>vKOAxC_J**sji%Rf)9 zuHlx2`9^%KNj_5qqp+ihmY(l7!Z}_Lc6}iy`=q>(655;Lo^0m;kmnY%J6%9hyZGvo zdFot*n*U-s5Tu4Uc8?CgYBHeAl#~Y`UJN=Xrcqi0u1^r4My(&?$x7D@y}pb0 zA&herrc~kB%F=t0FX^2vAi`8Sc!cKCa-0h4Rv}sk2|5XOQTh{e5~`cmAJaUHyKzVy zKZot+Hsf)ZkwyL0UiwF(!ysq5)Vpp)sGCA;paAqZe}h~0wTrk8X;l482hnW9^%tqO zrVXw$`R_SgR4Zq8tGpja%u~$}ooTv8k$MhA|6xD*@Nv-BZok~LD?q8P+U2d?LGKC} zQ!9Ga-Q~cM*epqlSdxuzNZ&06aLruEe_8U>+E8{ldyK&L$LrE|ZX8DCZ!4Mh)a7Ri z9xwdpPMpFxL}Tpl+Lma|boLFOiBp~_!24#7E{o!@=*%vQ__%)HL(+6TFrt8*?Ju&@ zkzCE}yaOb`3(&i{g@dI~KhrKo-MkmhMz%TES!V|!BJr3uqNI3U_Db^e5OhjX807;) zOUb3zP`LJs{Y9MC(@hm<)p~WQ;VA9ee3BI}HF=sxUK9CdRk0uLPN14n;`OU`ZTHbh z4qY=El85z4BbF}fB1W9w?7nV#>zwMc0kZ;*LrVR9D5Km}uf!h9rZ1a6`^Y#wHHVLJ0IsyMSk{+2I~ zzp4=WI_TJ&ixCBFddbD>QtTQb3-|2OW)95XVLMn}=2I9|NRm-VNV+U@2}eHC1PW}s zuE%1iYIOplS)_X$gE8f_ntULa)F)elV1~?PvsW-ZSrPjgOM5{vspeBd^IPt_=Tn)m zZA}_q9>Oc=Oh-fEB@KQ9!Ui;egjZfP`QYM4VnG9*Mm!o6IvenE{3u}uLT|Aib!k59=Y zsd6d42oc4uPmi>7-B7LCwQ??T6Y?~!!xyl~67E^W{pq1T27RaG&nxFYeHf&3CiS^H zU2{o+fTvW+v{^r~nJx)a=ra8jp#S8z@&7u!=1$I>3qA||pjuFmT^aMHE?x;2&=}!+ zTJKMfT~_P}O@-t+R51!q`WvB4K-%6WW&o^>7D3gTwzGJ13fHu9v!^Fl=gWsotM+)2 zYbw%ZLF~p|^~Hl$jW!>jQl#kCza?g1m8v@d79799uJ*Egdh=8lJr+*0{2O^mt-*A@ zNB3eWaBODMkgF#h)vq+u8q-SHWA!}2_*u-U>7G%p5(zG*1L+FZ#VbSUuY_8$JTtBR zG`p4W9%L>{kXu}g{*6lTL)<_1#9ut(cTO)r5^V<*zD^-?lDn&bYN{{eX)pc5~-!1Iv$ zj|9X05s`Aao!K?J2mz&3a0>IPvb4GMHy9ZImZ!wVgT1I?*MNw@AN%ve2{25N#_4?I z^o71OCp|FZ@crMq2>!J;$di9VEN9fUg8y(rC{ow%PFE-f=L^;BPt&AwLi-_GY~(+? zE~kjJ5Tl{@Dt}P(yR6(nTYj!3YieI8k5em7eev)0xc=K3-gpo1wu8HX@JnRTfL###V{+vR$_W#s4`)|MW-n`ruDEpOAQS$`tdW^DyMI}D0e+{QY*L1+V8af`85kvgf%m&RJrueRqwLG^17)o z7dVe9dM>8D{>L8sk5B!7(lfI6jm7%YQvScS`~UCSrIvuy<9e1Abj*<`pQuyu=ZN=z ziXDI9Yq9D$^Icgc8m@LOibMNg{$=`k)=i(o%;pOHw5Z5GpvIqH)<1Tr&^w6vzY*d7 zEv)sw$E`np6%w}25vP(;%6!y9yfT2{aiRPTASNZyhhem%IBw!CbZ3DY_^`#$Jpb;F z82M}{Ntu-|7PB3u0W_NsSthFWgSIV8jmxAf^>K|ZAaieK=Au`IlRIxVl~VCLDSvrI zU9{so!&oR0B73&3lQk($?cbl_?=A{4vrL8u3MpF58ktJoxio^WtqB;6C@*m1 z_MCOM>J^j%PY7P<&{FJRa;nXNU!kHhHuCHXK@Sv{=oH9}dqn-HG!zdrvZC%lzik1r zGl3F7>GIBOg5SayLcvT{KAsobobz2ZVE?&x5$ z(?fs9o#oG0aO!33BKpvB*o5S3#X%$b?4UzBe?ee~gH%61)}a z&uN1#a! z#IZhkmLl|}6_}4)Pj{nxKPu9KjaU*Qu58U{fC=B8na+2cJSb+nM|LU_Y`ETNGHO=z zYC4SJs1+JMeu9`XTxfOl5K21%tMn**^MBrd|MzzvsERyLLTQFlj_=uV4(!udTYe`* z#=nEw&}4C-qy*ZuyW>mnEuUrhiXby#C+#MW2RD0 zwAaMJ>u1h~xw8qw;%4FiK1+5s%2S~V?=sScZ0dyXaA=YIdlme!1*Y zHSnQ%&nhgLXIZ>zU->fM0c&B_ytf75A{lF_&Rdk1e1tuIoc=-lV~*gIjH39YRL0rt{*I?;_X}7Qd(B=dml3Kkf`(PQJQYZiht~ zj8Uz(Ra^+wZVuNyb7`OH-mSPF5`@9bQ`8-}K2Ft@xwC*l?cL`8g$z$f2WK9bHaho8 z>!BVEt5KgCM7l=(pjf>)AmWt|WU41fgF&~>`}lGhCi{NwBGiaQ2xXLla{r+Al7&s& zV;sYY{#OK-77(a|i6vXZrd`CYSH~OmIH&qY85qwFBeHk7P!3bP0EA`$)PVD6rJP&= zoa;yU6zmc#@^|Fc_XIM*VGWqPujxA#3_gLMo$+2{lFN_X8BV}4dR2(__5hT!P&3UF z30h@!nT_*apg!6W3$h%00q;v)Q(#|=+f88KC~nJdeksM3cXBvWh3$xSZWR$lUQ%Z4 zD!!Ukc#LJuQR~1sqri{2hF1O6vRrZ<(kla{jIv(-d_{??PWK&LuYq{oF|bpeCXLwG zsljJa29}{jo%=mPes-fsx428k2Z8v#GzFj#;>K$S*j)s6emIvYVr2{=Sio+i5}frU zKd+X8iKXd2NQue0=x;Ly)paC^FM(N=&( z=VyVw5A7y&!4Exr(Id9sJ{)$I^+}h_ zrO4xaF^G1g)4QR>pILrBTdl;r7znDQ6<^Z(Q>x|T)U#wR=ei$1*$*_#V9P_eWIQz- z#=I2nqQdi_q<(WwY0v{9ne@tJCl48CWGw)${W>Cx(Hrse#hDrht#Pgda0|cQZ{s$n z#mjqFIyKFfDf9cOy1Xst5-rQ&HCkY{Yc5{g*s5PPU&Z1zSodfyPWPdD#*(vIx~>en z@}&}{cAYY;Pr@fD<-x~b&gSAvW{t9|&G8KwxVTLlWU}eNS|v)ONJGn=!wBn=)@&`d zCD)@i8;AnMCfO)D9&xE0u)$i7OwL*Q+I?6dZ-3~;=bOgTz1tLItd)~ZwodzhkIVmK zpbHeGK}nbx^@MG!W|z&=<9~UGoMl8+3f_q>1IoK-qU?EadcmKWuKd8LFFz%!AT6&q z43?B(^q-53I%|FJO#g=IO8cl*15R5{XCkeA4}ruWj=HblC=YBtU&Mw{p=@!ax;l+M zB^>*y;C^3g`U%;hD1;Q*IU56vomz#!C@?UfeD(&>>H296-;j`5WZd203w|0V!xgBAEWpyt2cp4| zklyF!SJre!_Es#fe(Cig!RICTc`?H_osy7*@K!%iS}g^+(HnH1K-yCA)ADGWPK9lk zo09^;IduS^8ZTGvn?GT*tym>4RnXhdaXU1566qE{A+Da$;;eSIF1FOH=_fboyn3zc|`yqnXB*kd4vc6rKTC~J3}CNJ*#7-lvA)&$I=<%6WR~(UDT0# zt-$qiWf5We1ALFzK#XJ8K>zA}C6;GQ6$N$1zT?d5zaxA6 zbFNIo<^J~c^pAO^YOA;#X3-uzN84^k26*0kTP;Th%Tk{bQ?qe=sqF$JpDOE7o)fth z>+$*q{f*eWLh8@n;QR2&IHuCjm10PRC*4n(pE`f~w`Tm`uI!vUckc3uwi|di_Rn15 z#UB5ZdxlTiXh?orzSYKF0scH#-hS_bQS8ogcC*cJV!vbElbM%KX1wwqSHd3dM zT43f_+h)0ILC4J>^KA}lBJ^49K^Fi*5qtNvjP-p&S1)9oQZh5bLNH=9yOlJVH2o>uOR z9RxnY2%da#Yd6gh;yI4j(OnETt=e|qa88Wt#@Iru_|UQ~dF$Sab(HaF`Hx-^bRp%a zeu>CFS*v>dB5(CX#c;^|%sdA^PK#m2J>8JZOva0$`xAbGulPQ0-3}0_92}sj@VwG2 zKEUyM3wgP$AH1p2kOF-F{{40{BHG?HZ)a>fj(g^m<4F+3$qF2-+{5r^9?ny{moDTt z-i^jjsjG6?pM;x=`)k75=$Rwybq36YT(Q~p{4`x4ldiQ zE&#Vo%PT($?#5g8{JKB_dY7UA>u>uHES^aiPE1}Ma{y3d;Iut{ti+J)8)~-+;*isIFfhs0@a>){>sf#go(D=JorMAJZ zdvcyE(w>^9+a&i__bPVy z^{a<%OcVEft9qnxTKLdy zS=g>_i5l)k7EmORHGYqwZC|G+4|VQQF;MaD%2es3m=~i?X7eMiMjP>A?xl=w^K8~X ziK1FoKPW9m?|*pBq3BPgDe3v+Y{$E)fc%74twSiznr)Ht#SL!gfPU>PwiuzZ)bh9E zmc+A)+B>B3F<@?Sj+h@Q5mwcGhx4as@HhVYz}7wRRFf^P*((Eo$!UV$_?>JX$Sgs& zLJQ630Kg(%o$!zhV-N$}^q zT|fMYw#2DyHInt$o!&2wRl-L9Y3jqDufhKa552zXf59CE^$^=cj!c|K+Vuk2B4dR# zg^Xa-Waw?(r&|ks`U5Ht=i??Q0KA7=`cOw#A@%XW`zPE(^dG;xIA3;$v+V$gH6n ziB;0BsdRM9Qv>lsEDy(Yw(LZihArXn{Wa(dgh2HgR_wq~=SR(zGEMrTD_w!XI#XZq9Z?`MyCZz!!edL^)6pQwIM31! z-ixpIFI3W2)2Qw5IT3PPN}~)!7aGY~4x8+AA3_O~-`CXC#Qyu|_ELDFLhY0ehcmk~ zS7!=E7HAtjL-Vns6XWu5l3bkCizQ?oLpk}p3QprJPceA?mKN`KmpW}4cLoU*tP&Z- zBETQ5T|3<3ulEP-5Ciqg&0rIe1_%asBGdUxnlT{{bghOhsw`-4w*S!;`Wd*&9}oMR zoQ{9F{clssKsmGU4|Hg&_I(ab|6wW18&zGLv9Zl?*GkW-qaV&}M9mMD6w7Sp z#(NgjA_OKhtJR=Qtyi1i7D&?(no~NCXRYoU1VjNP$l%lcV}O~-RNeW!Z@F%LoYP-< zI7QgeZ?~vth|lnE5flEjrygh^M_pmq4Ki<06z~m@8!Xh!APIEKtd`^V4dlM=O*cn0 zR{@D%Tvau^?`#gYXHE$U62(7cew0Y zL-Hl7T)#_ppK@_i=1SvlBA!ckBxc5f=j>NTKTn4O2mS53=ImKGPNdJ|VOwn(y-`lF z8)<*eV}|DxCCWDZlyYLT>Z) z68TWmd;rXB=1%4JkJlTsN`~oSa!{cwnD!WN1_cG_MFCS)fb5P{qC#tZy+0tqKKg5& zKY&O@4At5D=O9#;t$OarP@n_+!L^ELEne{WRSDy=h~_v;S?+5I|6{&x-B}|@H|{qG z%%L}FHxtOtcWX2PPViLEw`;TKWLFxww1jgsHc(J>{PuzXLgQn|`V1?E)dYuywOn_TDEOV^8v<|Y-cHTK z{SLUR!iGk=aQ>du1DkexM*zFBmPsmy*INZy0Bj5nVo*|DRyfop+|#TCC#WgJo$!?$ zEU~}NdrDr#T0d%wqPcxzfU2D=1V?nub>Ad4 z`xQ|&ZgT$}`=&pg79pA)?3))uGXg;dlv)7~M8~bfMqj3v{ocz3K2rziC@@3>R<`

5$3#Er^3z@wW^{6l+rIVhXC zj>MCm-~)eG({)$R`IOaGpMjd7-Ir{Qax0wa`6{%gvm_M|i%qC_s0q5dV^-o-h&aym zXYI6mt5rk9*+00SDObL1C~&BnvZp>7Wo#1KU1E^>xbG=fW6 z)XT9T7V^P8ZPIQ(O~5sHt|rdyfQFCPtR73i>}3u?^E*s%C2z;n2I1*hYVlHp#dMFI zdmFS#XYLG=y`;#ejlDDmSC@bh&fAky`<$_juXKK)86t9*W_9kA%hRsW6xa~o$G`bZ zb*0H=^P4CR;NX)?MlhiTcEPhT00DP!-$!#>)|eLyNJsOLeVlPirYj>rSio5~w31$Tp?ZP6@AdCE*1=HoXIabHhjhdXC?3H_q z>GVT=wH-Tk-4VsopM>TJHuO_oQevzV9VLSO9v-%N^kezRO5^TG3NpRr3_1G^bkzZQ z%?R%Fz4M?u?rn3iH;@#NCrQP=AvbUqD3hb9PkrMX~A24*b zB783>=Sl8V5o`50VOtPu{0c;LRVB8!HB9l|74?Gre7=*D*G$d=k0*eHNwpp*wl~Fm zDG*q+9%5=hU}K4K_ak`wd^a`93K`Xkp)8VY@S;^uR4p>jciuKHC;^a>E>*H%XPWeu zsni*vB)~hMXuQ~$r|bP3u+k4`PYAJ-3z?UvCA(%2Xz|{N68VOje-e~DJ@$~vC}axu#xBPy*V@3ZQR_=2q~NAO%&qXO=&Ljapl;Tq zc|PLQKB4{#={#07jx5hDw8gucu920oFCv~{g^U_y^3gyGtYPP$hPi=Qq@$EXE0?~m zJin-&wJ-Wm>}QgZe^gvTk6`lEo5!s6>e&3wTY+%7&KRR#0Z^^lcYQGm_Gz5P)I~_v zS43Xe`?I{W`GAd`xk*&|@XX&Cf%T`j^&tKjnf1rli!(`Jl|+Z+hLCMNgmmNDB`)*8 z$Vdt!u+mqz`hHC|Q~5T=ij0h`qr^f>kVR4pKIe;-vroT_-~Lzs z`dTXXsg1X#ybMl52n!3+dT_0&3k?do2H{Y`fo%Z!zbvpTJf9~dCcMDU?K$r1`5V>G z^go!Chv&|lJ^HPsr5XqEAkGDief@?&q1g@)&TD5 zZ+?!{##N_R&aS=x;ET=tNtJMi;EBU8yzvh>ZDN~mW?ADm_{FKSorow%e!y!a(m=9YHyqV^kNHr62ro_cKMpf@bkao-zqBi z8U~q)6{+`OzYymCeFaBjj=7_LsB~QX`S<&80EWb>v=Yl7wRfE69_E| z9xU`_=6&7k;QghKmWK!RoH-=dlQ0_OwUK#a2ulb6(BEv%o;)drkeOvGoor2nAejq< z!D+Y#&rVZ3golw7vf9yuJB$Saau7fxUd!}d1K>$o9mt^6V(WWdD$<{fO}}(WTvYe5 zMv80So~6a%?3bL~tMSx5%2(v)e&KinoqPv@MM?ni>3~sDq53M2sJ+CUhB%{u%)~O0 z0EqV^jNkaiUR7iF>6I1(KyPHBr}ui_whoTzB((ZJAi2Cy!MEu<52)>@ zCntA$)yB&neX|X(pW!4oLQ)u)`)oaieh(9k=(F<-hq%xFd|ZMDmp}jD&8I<{CyJTM zkKs`26EN}fSJt1L9uKHcP=%Oi1PurYKs@1IV6^%@nIhlw zeJBpz9%^%9c&}Zo>6v4sOk1+!nfDt1zODXk$NojS+Nh^c1I{#+psPAEt#P@Flu0#k z`8LHlb$7_$#1RhZLN55<5H1N_Dc#t!S56Qmz;r=3YI?xSWdX)QK7}zF(+=etm(rDT%=^WI8E>|@ zZ22B!>%~~FO+M_abS|+~g?cUNp7&YV5_63^P8+GF!xbtpZ{c`(qk0UibP%{&iy5P{ znZTUB3`S-?uG$&LZ#T_Y4TRc7OSRDOGLlWf4X=F2q+Z%q#Nd2T)=5Z+_PO6@==aSi z8!H2fz!0dfzQdck8qC-L60W2|=y#Q|IBDwZ>j%<4JU~jk57GS2Z}pqHt-$_7>`c>U zzCcH3XF{}uon0~5_3)2O3=|sClBz#*FH)@Dn`eOf&Ae)cDEat-W(ui>O+X}=NB8XC zje>MaFRQzvr;Hz$f7oxPr;)t#_KCEwyrk8Vhpg?}rB!w0T;_~>=3UFUE~L{+3%fg; z0?o@#3%|1ZLNq}q-X2msw{N&J3f&awlUQ;RJGcNp1j2)o2?b9TWc%OPlR+^jhA4fukNstFFFfK*7ji?y6i3DO5E|6i%h-+m2Vqj-SpH1Ni&CS`WR-ni zYC&eGjIAPS!SWwt`Npv8*f3(tsst#j_;HB{ z2(-)@DwLboWo5FdQr8y%OQ-M0G^`CcVw%G-@JgCEo<3EMj028HRk9Jy|sq~KmM-Vt4{-)yJ z6N-L_YsRbzS6OF|;N&Ptph?bq1cyr(>>r(Sncu8>Ch$v9Q<(Ual1ksKH3k30mV{$8Zr zLht3@HHhBhwl2MW?n68*kKq^V9?CrY07LC7+xVtj(Qc(+3udKox?#V4S<9gQ;QvD#!J%B96cFI zEGA5;2|wIVA2O>K83%3tCSd2FaFY%PK4_oh~Lz$ zEoq>wniz48Dm0@Gu}PrQO~vY&CC|-+@k0QhAE9PhNY@*0q39Cm3Vyo~ znxSG)Nkovo4^v1r3O0;y=}SrZ&bc;+b12^GhSq~*ghsoN2IW2shS1R)?cPF2Jsh_X zw3RL+9yh6SXWU2eQ`S(33*~0}F>wN+VxJKz@-vx&cI~$ZgmvuH3S*G@dYR5<)H$DH z0b61F+yIqYGjS*{i~-z#)*d^ExYn4Ov`thW9a=cT!b_^L(r2j_T{wIr4-#a0Y5q<5 z?4d1}^)i9M=*#<0!fpFo7Sc?_&}t6t1`RF!X)1mv&-|v1BQa3-uP(Xf>>gTZ5+=|w zKBerf!<{OKMW^w|XDYWp+gKb>g7~Rhy!gV#taLs-L!w+`6@%I|dEYldUoV|wz1rBt zxsqS|>MW&kzLAN{63la>UTd0T1HzDnnsAv@C6EAS$Y7Pft_yUp-}tq6r|3TJW&6Z@ zz2g(Q8u&2!N=H8qvlbE(#QZovOF-IN*DiRwEOH zYQ)fEpl})3IwCwAaf{IHUhQ%#&~HwJ!~nT6JNdOb)YvtT_K-+ zA1@k-USWz3LKqQJji+04`jUGp>>{kDysK31M%e`l9dI(K&v};Rv48Dc59Hm>GXwf|$k_hJC>bC|?7_PyF-q>2@odPbRRT{v(4t_=C+uTPS)ni zBT-RN2f4c?5X0$#x22zLVyM^z?VAqc9Qm{leBjF;uM+dcCuH;da7ZQp^POiGmG|M8 zi8V0~L5Fak2*cJt+7438SCLA}T(CaHUS%=han+*_>Fd+s3P%JXgkWls+0>6foP?4) z2GGT?IY~JN#*L(hy7(>Q2f8O(?6Ro2pM5$pJxzQDSP`$ZKAQdNYOU6=1}M+mhHJ!M z4kWlVNTp;X-t$Vo_j zqH;U1WSB^+%yOSbAUB4b3fWg@$e!TL`(EN|8IJOAy`Po$@(gE;6n>*RT)j{A!Nn#0rECfu33ZzGYGB={nCi!)rmUqOzMI!k1exvfMtu1RdSXhCLQ4)1Ed5GfFL$m z+F&E>=9mQqh9+>2sSp;F?K`cb2Vcq8O-%E)BRE9$9uUvsETP9C~?iXJ@W}_o4k#Hdem%1Jclj$S2gr@iGFoa!5B2^1AKmu;|Sd#y#`fxsG78sLWoy$-9ML>6_o+!T#pcBL59f0I6-l z)`0R)hj1FFU;s;k(SEaqD{c5?_Ue42PCDz?`X?k6EphKq@!Bzt>j4OI(K2SK7cd5x zG+jf%W-}`z=a(WYL$&&j;~;VqgKmVzaF#xS@g?wm-?`jl7r|+!K7b#e2aK}IAxK`6 zWrnQfF0?8nV@CkoV?jLIDj8Z^p-k8-tBNG;tXljK9c`|(d!R51L~;%i(7VE*%SU{z zStBM*cbEm2%ots+K4D%BTi@fjHw*5eX0RU? zw56KgI>6m6#?yq}0(nB%4}@@F)SDaESIhu3q=GI`y$-+I*+r(^EOa)dBE!P^>=fAt z#=gF}7$up#>9O*R@&U#BGTepu?KKa4=3K6o?u(gO`UFVKiWG zWcu>062=i|EOORS@Hxmt;_9Cy{-ulV-0K@F;(^9rhdvKH1{xz6zyBLsg2t$=e2Ti6z4`&V;+2e;Bsyt`_zQh)IHT^(n@*0vhW>#N*PsPc8aRE$>G98Uqw!lspLhQeI4f0v4-S?JPqtY>HKym8%PJWO@2mel- z#oPGu^u?xREzG^;hcN42vf6mnTkzmB^7@XiCqDdmH{8|?l7V(rEgpTBS_nH#3`*IB zrW~VcW-Jveckh6cYnC;9iK4@Mpcb%^HV_?%UM(|Nedl7~G3NwI_%*!pvq7He*abl9JT#J*(nfxV`e`FJi_21G?<^ zJ2ER(cXqtd#26G1x5_!V+s;1gsztMOwBv4Iss9kRD*M#Gv!|4w0RVZO8$Mg2DSCB*lw-EBh&+Lo&}s@ zZ>1Qm7+iUj=p2jgu#Lw^9IvwFBR2)aa(RmU6|6fiFRxOyBgcK!FI#(ilOLt8WV0-8 zLz2g8&_dDfd`=R?F7{8MIt%t%S3z6TzP}dky3Rv)3S$F>SPwPvsh9%mL8oPQpIlrK zF}ZO^^Fw9bfZFN0%J)fr_nWR!$!)Hb)fN&qcMJn(b{B{|wroo6GrEwVvO27cs_z$m z&e={ILQ%Ks%IxLNe7*h)u$xdj$&D>*#WsIKiRR~XV$WpS^(BWF)QXI+!AFQjdM6OG z^l_$~P)<;)CqnV6s5lP6@HH;08-VbdWfFbX8PHt;QX%KWa(_{Vp`spBcmQ|*s6nSN zmi&PxwPuP87;l)kC?Kd?DLWe*+q|}V4w~6?W`L~Bq&xkZUPIt{g8rdW%LIsbbZK$~ z{p9PcyEW{j193o{P%Oq!^4ck@1a5{U{D&R&7s7(j0rrXMT8p|c5eaP=G#2mftojE; zbN-@s*{@}gNW393a~~IR-fN|6uapKzXEyx;zj zx07RE^QmPIyN11sf3Q_j9Rw(#65xKiRuJOpfW#2;An(byOet1Y)~5i# z?Aq6#|Md?_Ba?dKR1=eY$;auxgiz!&Y((wG}&*D`J3s&e=Q=!HZxE7 z3;gu|BAn#nyd5AG_-QwieDJVxH|qV-+D$0?c!B*-cNg2Wl8+jGJXR6 zZ|+bRJ%BR(Dg%SKVz#=M;uWKw@Z8=7up5Y z?su3)`Gt^e08;)SWLjYVFhGrn2x>vR=+Tv#c;Qx&G`Mq#lIFmQlg8l;kjNWeg`u^j zqj;{t=&zs(fZ#>0WLTbC64%`JbUAfZJl0`#{CgP@`gHEG>XW-}))$QCj|?X;w}VG4 zeLTdTzm4?z3%l)q{}v+PcAstnyL#>5LoWGuI~u6ay>A5=;1eoAdB?G8$toj zG+N3y`3LRcet~~WjNr&U=`^=_fH!5`E(o;5#`429xeA3sfqr7EBh)j9%c2~DKyO(~O5cyL;_-lXlU_kU^94kG{ z2uTOo62pZ82$;H;AnXXOuM&h%eR;p{wdN?WSl|56_PtN@2K!&M2;%>Z7U6huQa1kg z_)bHPYZ+N67z{Uq7j{Pyw?2xRsrkR}JJ*(aWpQ za}2;|F8$=>{TyV+toBQT&s$HAWBrR9;VfPU>{Vt=-}|XP^m>Iu?{YkdD-b=`2$pK( z@~w=|Q`B1=kX>ZXv`wAs3|v5k;_oZ3u2u9ZN-4375I|40U^oTzYq|L-(hd8270XX6 z`Bz=Jc6319H74HFsA|7O?32b%$R9J}8Tob66<6tvnkNqLSHV)P`eK}69Je&I4f^) zRgK%y)F7=0tT_6yzXpx(vPDia@&~MD{p=?DJF62`i$&-L=pSAte-1sk+t!haNEHT6 zu40d^gGisPLr6g0;-;X20%*mi$!_e_)A~JtaSEAo93SBh@|gmIY*u%3yBKoq1Ed~A zJROtOWB#B>DD4Bpo@s3+P2jKqP(wD58CIaqR>6|*FVS?XeMk0KL)6nJ+UY(iQi=?6`>o8*rv^{$ZeFc)*KOiZ*4lRsi z6H@3j+{Q@7R0FN%+9bCi-*jsXb%%lGr9G-efM&nmL!<+GTeiH~;Esc^#7i`?&2TKW z7Tjmob9B2UzL|@l%W)|PsrY)$N{rU$&oA%W0K-4t?LgS4syZ4Z7i`HZZ>zQ!xBXi% zV10dB@M}MFDysA>U5jW=t2k@bB_ub+*n0xq4Vd^nzwZmm#E@lNK?xw-p%N>yZOe0% zC3pGjk48KXI5+cq7H!As3@WN8_7=zL)MtCEoUTzR*PWNvk#_EG~FgMw#Ot z(;f_cx<>FEmUx!9&e!Z*w z?FS5r<`X+2;r{xM{~&QlFGuNn7ahl6th#`bS~NK^CwJU%Av1-CxmjX?QFyH_vyR*} zGwdEMaWh|rN`6$|-W5u)A>I?az~06Jo)pnk&tti$aV+>6*Uv434%k7yec{4XnW7Csc-VF z=Yg&CPA&cM!LoKi^fblKL2~XjOfsyqosCURM9or$ z1_70;wU_ips$3o$fUyI3ek!@{jGbgtXwFXk9H7dsX69fgX{J?T9_3m}Lg}Yp)Mc6k zHp`^V*=i|Ll&G;+mn6=qf`eru_<0~A9JD~>d-7Rl;JGMEdJ|FyLnEPozWPxRz2d7% z0E{BO97Z<+L4y&3IoqL$klI{FQnOtlF-JE7^R#PoHQP7?s;V}Dwj+qFfR2?FPNMM( zX@HkE&Sd}=+17BQT(6M?1(#(K!spjbcaiWHgsVZXCtaVXhp`-7DnB6UkU2C7(^QMn zIi5FHrCE0#lPHM~<3)N%1>yz1%qsa`RYL>~P$ahHFx@a~RNY!e`5Q>@dt5rWY=`Y? zO$oLXJK+p^XO2LbTMsalG&;|5Gq)hA%vLl0{^@o>a_y5?M!|+9@xrq_c1%1}%{BXA z0HC^jSz|ezKy}2Hyf@24Xymdm(;nY|2-^u0+-EM==XW?tl|5^1r5uCqJA7ReaDig} ztE+xDV2IN_>+_t`P}GO(6J(!d!Ql^CS#=oN+N?_sYkPF&cW+l(^JVWW(JbIUKNDaVgy*4$e$$*MDHSQg&W*jVnAmJ>vmp~-6Z zd9!1vG-p2T{$w!!OmynGc6L4!$PSoca*lZ0*_EyrMep97+1;)_GQ$}*=9le*YdOfJ zYZxG--^~vs$R!a)81aKUfN83Go5U`8;NVZbxgMSC@oM7*nm7X{ z)121_ml~+F%95_l-&$(&*0qlILXa_j)6WQaD7efcPb-=OaFhLM z5PVj`CqSrwJZCXp*wx7msPabTH``)>8Oh=PgxtXv464-J8@6IO9&9g`j1*%(D#`+M zJ=-0HK-^^Z9NbHgGZgle4*6A{{a>7YWmJ{x*0!QzAYdR!t4Jy!(%qs+hje#$N(crG zN;imfcc;Xnk?!tpY53-HpMBo^@qYUkV=#0v*7Mvk=T&o`%iu#WY8bmu75ClMK8G0X zLB<~jstTg}oZEfU;`4Z+YDA6~PeLFzBPw3GO7EEH1}#zyQYq7tC!w`cKK?P=$&OvS}PoCt01l$R6NjxWiV~mb5g99>?Oads*AI^S?c0okITM@ ztSY-bWPK(s2h~j0YMU0MlbKS>_-&hDrwOL{E ze^h9Yn@GsA%oHo&IOcM){`hh|cq{BWO0#%3|H^MT{&nd>oa?B8OQhUx({zP5oh43* zFbwtQD=IV`8td_p*8xyn(d%_G%=TVVF6n`RcDlh9DUPQ)a)-`1)%b}R|-p^cijO225d_6G#I&81)2b_03pk}keMNhXubsS;0j)qi= z#mz@cc)3@`qBn155py{WadkMBg!^5ReMwKx|LO;>d(3bSziqkk(-D%;gS2Y9^OKs3 z(NQ7THc=%w(jk-lYVl

s=i%XDaQg$bf5Yt7STQOds}KF7;oGK#yfFhijd@93Br~#$6n)LSo4Yfs%cWB4ltcY2Sx>!`M>>y z0E)KbWDy{C9K9yv#Y>S)CM#pUY@S7$joyzJuNm+!{t1KNHw61tdla*{?dAkE(kB=) z{T|}v?s`Oln{YD4Xdv@0`{D28DAQXv+p8c-CQ&9$YCxIcwKc@YJ>I=FqRfZ7s8OG@ zNE*BO1>E-G-xl}BbKxepQcj>!oosP&W@cH$2}s*@%0l#ds2PoC7#u3Q=Mx4{)?9z1 zesM`qV&K8-e?pr6Z(Z+SeDICrT30C+R4b?KABr%q%@_QuNGW#< zE>d**zSs3Y2!n;ZJ(BTlx$XK2NOg6G{DKWSX1@m69z#>0SshAGAxrQ1it6NGGobL< zi*;yCUuq%U_-Pfg3@-+07>x!BGX_$0{R`f5Bs-cW45V>p$2-%2lz>4Wbe@c(3isye zppDrj`ZZMta_&)w;jiVp)nC?LPx~Q=UB_C_jm3GdZ0=){D#Kukm)gyDo=Mn2VCL@) z5aT$4LJ+Ql3&SQHA}4zwsUn?in{<1(tVs2(Ec~fs%O|_ua%|Eq+SNnf^F&Mwn83RS zM@97xuCoz7$gAO~fgWS=NHHJJ2?E0R^8Fp;HvLoD^aHg71&Wo;%Sa2`v*UeB zkmM*@ffYTLQ%H>q3ScUvK*-te-vXfr>?}jWuQ*G1UcLHa@cchyLGJlgNYzg8>4xin zXm+x|Am3>$mnu=$_ah6d-=-XB>pKb1Wcg(02-qVD6vYx#lWb;~xBT@)*OrB<^8^kV zgPWGMSz1GqvXH)L(@jhbtIq`yCwbr}J2 zw=hT~P;e_}(?yRzfl+Qncv9{xVP7vd<$m*AB>mDB#lIh*GBgj6K}kj#R~OrArm~3( zGYdTCP3@X${L@%Djx$#3%1T7^S%Vf{*U(2tjGF6SpDu{7`rbE|{!>MW`7Nx-TICoS z0B$3c3UTFk(Gm*T`##WD=qH!{EijVr;r^~$(L%d4>LEVV3 ze8R~`gH_)Inj%s44HyQl6|>yFSE1Q>YjDDy1!oY%YD)*Z_Zmr6FfCA@LBlby|Iox3 z?(ha@m-Vf`s+XK2`(;E<(MCT*4l96vi2(z6ZUUx^4Dk?_NCtKsnn=P z#eJd9^IAz2pLdxghb|xU9{~asRLB67gl^PH21rE`LE!Eg;JIc2wAaF5Fi@iJO&`7i zJn~)f<=zzW24}A!2rs%v=Wl=9cN;-29$P5Z|6u?+fO1>VIpPog7GT~0ExPg($Smk1 zk&SknMyiHZH9$0krHA?&z12JvGP~NqUnSBDxk#d%k-|>~4Kj(keFt;27z)w~kU;1_ z@+1+=_`+d7JcfHQ41`ky4#S={MZ1=2B(|r!{_zuGkVM*d8y>57a(0M-<0oZ`FX+zL zm`GpEcQ-izFK*mCjRut3$c#7IXO-uN{@#g$*GyoxN2X#?YvF3uQcn_64U`QLDvP>& zD{up{QE*q|-+Nj1kbU1M>qKLPfUV{_E8}Sz!bnkmz_C=blBm-q;p`)Cr`69@c-l_N z|B%cRlzc>rVujqMN4s$s&;LM@@Am*73t#hf`~{E;;kNv^#`RBzzq-I25x1CE-iu3N z4fM^YtH#5B=Hf`@sB*riH;BvYBsI9=Gs6eo3p$}?=h7*6wD#h6u}(X0@(SYMKKt2( zOl6UUCa2Y1V=qwoNZ*z66f7^VuV7)ceR7 zl)V#PAFd3s#jWa(EMZ%8uL{-|ckgxV@31u;384X76temYoKtUpUa7VsoRj_-W|xmq zm$Qi)mpq$>{|BSldIS5U)bjvpN3>o=OdMYXNhN0SKji#w1@N@UL7c42S zC0M2ZJ16BW!)T0}AiaMl9Q_E1 ze+$yrhJq8=aPU$cvXw#FMOTd^5>br}r+#D$svt&7%u4)4;kfK4(U#&e)*omG=b!>- zT26L9{M*Q>Hz)VR3>EaxO9%WlDEBWobrYfSZ5;5?gJL{HqS;IOL>IZaA^! zNaj^sb-D1z5AZms;KBR{tviy!=Y4P}J|`(5^pJ@LU8a|~ehw{-tb^Hk7bS-1!gL7L@8skx9errvll%@| zZ5(WtZaW@YF)#f?`uCAOO5;bSM|4xsI zfbo9D~>-NJJwXK!QYl{%T{T0Y?HAtb>=={Z#sf~@^4DTXbzcv=th0SNwx%YV+99AXy zY-|BVtB#$ZbJYP)mu=8$3ThJM0*GSMsv2iemwfCqtaHCcrj+e00^QMX;tUVYWP9%Y zGH;nasW_D?=5n#UVOJQ(YDu`^A!KW7o9(h|Xs(3sSm~_Bc*RK7irs!I9%><>yXED&|t0cqW zcIDwd0PxXMe-dmq^6e@EC-m;cT7mez7 zQ1WYoB|+C4HY}sUS4I*Gj=HYof~RsLC1z$i@5UkIMt|WKf8J#jDqsmyfDxy`3OoI(h5K?K?w{e)dUr#h7AYv;FidXeR1;Uo0Z zY9^2mPz$^Mqo)LT<>51=n&Vt7ZbFLpk6!GurXs_$9T*lKa;sj~_wSGWpa-P%j>zll zfB)kD7wSBuk{BDDSi0@Ta@Fzo8YLL8>^KWF>hFi#Z2LP4;E#N)U=sw23^xCEI`E_; z`TF!p-ll;6-#_`6z)GU;sxWrZP5Q~HoBt;b8LytUb~6Z^KQdo__37_F*+5yl$!qb` z;vWxJy7rVu-Sl#u)$kY!jEM>ZP*0J2`aPsD%|Yr-~n;BtftBe2DTlJpPpcR+F$lz1%<5 zN!9v*YD;yG1?L|%NdNuG#y8)FH$(P!7PRKaou_ywRT7$aK`1H@6bxvVlV<4iA&Ka%)>f)r|i z&geBLDv^1kwXg04TVOrpxm#r}c|us?IkCXUx(?{(Yez@Np2c@V7vm($@t4aV9We1Q zfBcSh(@lWWD({rt5>Q})8gaxw%{h=y zm}t31e*dVo`;>VoVeYPiH|L)>cI~l5-vz$&^9wGyI|m*{=T9X11`T*KKPLP>p@eAW zcesNBwNX3?aY{AkCmtmV-dLY6RAMF(mD%??|8rP|+fRx+OSNNdw3Q;>IL~Ov#bbiS zFRGpzURbR#hT<78X3o+Vn}xI!;+A!0Dd**%F0Ac}o^)2R>!>U^7OcN3n@O-W?XcWC zlss}7v^_E%w97szl0?Xy@9pTiHvJYEwlj}|sLQ@ANxAfQVg-?Q>!YNjwytIvX)@J; zg)Av$!<{+#Cm!QF9ie7f^``_Lqc*fGC7+{J7L5&L7Q-&C?D=?ib5LGa#ows8aG?YU%!nD(d@s(kub+-A2@yN&tNl6wT?YxY10`SRAh{SBQo@Vr zwR-Y&3PF!J-dfiEg^qIVsRWST4uH31X6WhZy@hi2miAL#Tp>4+YEQL7ic^231~ZFq z;pgCvny+=c@+QJaR-FJ-`=>h*<5onzB!kkk)7|mA5hN; zK?a`(*h9V6hw|!=>vq3eaq(bPxG1g_XCcW=0VP}|HC zs0#Y1o~Y%yUsH!|8xTK+)8vNSN_VJgU4P(s%}*}!?GFiuURq^P==nZKDO?km-^91c zsdOXJo#$ojpT!~9m9SNlv3n9eDEsrj@WK)gub~izpH!@FyjaM)x-en8o+U+}m29(7 z>Dpn3-d=T{zbbIWbv@AL>06@nxW~VBv&GSatIkG7EsH#u*Enj_73HX{NzmfN=?_>Fx67U5Z_b@rj#D|TyQ(pJC|gf_?kSk1)@82|Uif{Ro`@SU zUAciSXA{V=DF1l-aSV^u2 zo+{);T~iauzt6Px(#XI1>iN40`J1UMxr!IHfvQh{UMf)&;IR+E&vDN#IFLaXC|1(j zudb`Nf1aLf4BQr@NmY8#<@%Ajo#>hkaj9wUwOjS?pAY@?rJ+FKRaeqEC(zh*) zVakN1wPRm-^S`BhIJaS~SOciy&vpKLEiXzNkh$ayy(FY|a~yJsI~K=cFdm(2&@|zPVZh4~d3N~<}nm;C!ykaR`{_6wTXxAzBJwy_ z=4Z)en2z|DJ!q4YkvASHm+THqRVYeMbu|9zAeVf=l@=C$Iz9R_a>v`r1B3XUd3=^a zRvQ>AbB${lp++wU|cdJ>0TwBdM176Lc58r3Z?w=Eh(7dds(927e`JPWZ8PBzt zb|}||?I}9SoN>4?_VZzC)X}Fjf+>qpT7+k)pAwbrYDp#z{elZcXtpYieaD4GFLv>WVqEmC6Ty&Lt>xRMTiDfC#04NP-`+!iAPB7fH)_yvWpqlt>@FF{_r&v zT`Z&A;ZGiDY#O+KKW8`X8(SyJFSS`>?rxFP?n-kL5orDO65{zkENWTHza;-3FQl31 zYP4%u^m0<%fqJY@w%t_~uUZ+?p5S^WmF?KARm8WVA`QM!Y(VdB@=D=kIzH8K7<+OogHN%Opiwu+mR+BaJ&&70PtD}Z$JW+9v|GZ4Uxh4fm2m;=jv$L}7p ze-mR{ekuvf_jU*Kq$eg9#TpjTXSH$%P_pIZ!)O=zZpf0od(1h;GXm7RZ0rjZj;-%+ zfl8~C_QrWGKQ(6uoGRFDavAW6E9C5NZ^bemt~k z1AbELjWGot@!Yr3_DE|%imVyd_{!~i>jw{{Tdp`g_PCwwEEZZ)Cbd)y1;os!`(k&% zm%1%53=;hhegcGOy(S(FblF^b^ki>`&39Oi(fB~>(x9LhGe2!LReL!PLh9)NZh8`B zL?ZO9okZJ{%A?^C;aPJf=rx2)GKj%4eV6y-z!`n^0m6aTuSFL-u8PZj)ae1U$?#?O6C?g=>cLK!~ zMycF^`pch+4V0*6s#iH{K$}g)iL1eu{nkY)IdH@*=~Q1FDqHOW0dR8M>R2?F-jt@Y zy7#khKxM`1O(Ztua9>lRsdc+3UH`S>i0f_v>xXWOkwiU&KKn1TyNkm|3K2=?d~~#h zbx-{BGe=QmRC=@gR7IM!ojI6dTqU+{jFi4ns^t$8+)1>rey!?6%`*kq;R84W_6G2Q zQ7m|EMd9_`FY6-$hznYXv6#twzmk^H;}{TZ)AsBdW{XeGH6vCgqqzJFsmk|5OCO~$ zg36LI)#AvbsyE*fh|GP}5na^EC!FHnrqQMHFc#Vprt`n%@XBv=iPTWV(M5&Xexmhj z8lybbxK#VH_j^J)O>yTCw&aK6qH8h(U9<8U9p&m;Sk7WAEYeKx9x6m)MIEIrpP+r7 zlOlGE^Vz|8+QyIVtygS}^k=orL@qNrHs5)G>6Mg?w)KX5C|J~^CKk~&P=|O|QvRH* zu!9Bri&gOXy~w7!zB$Uijx z=&QG*K&g{k_GLJy^?ZkgPMO4?;pjIH#-#dkSU*RU#$M+4Jb z(1z>X*N;7@iKNJS&oy7h0%$mTf_=#*g`PI3IJmPUE}t`5ZZuD#RTv)12r3QY??d`u zXEprbd59uZq~AS5e%1s*Mx5mAoYc~L3gcZ^VYeTy$kte%32&F&bd^gOvv0|Hz^T=F zJ5N)^ABQ`M-;T~{D~H2TdV|d3Viz;jDbRi+TaT17+f_Zd)T)74FbMS;2LF9-dub<@ z0}>mxd!j4MckTR7fA~7i%LtH|uWZ=xXUkF^_*Tgoj~0pgp3U~oglqY4_uxFgP>k+N zE@<6FkZ)pD*ltQ$+zIe=k&(%kAAWn{*vPlN7B%a1@bR18rv0m!4K~}Ef;ZyrNr6Aa z_St6KCdYCb!r6=>!|$;)%8iQz=}T0&l^%R~?^M=nP?2*<<0?k(&fYwz)Uh2jH;~!* zoiI#I+?~~G!4qm0FA(nuQro`np0c+ACea5;+$R27g*%Tr_r-ne>a*WUbikhGDm{gv z>ODI49gKsX5Ws`o>i@YOEC~{zX3zUo1q#MDr=at=M_YZU`Tc#%J!FpAd||l1>d(XQ z9nX(=9bVQobY%mLhRB7_T8F3W4FA?WRnCX45j4ocXQ94}iFO|PX zj8u2$?9IW_^PX6az@|^KT6gyPlf9!{zlX;2Te8}B>AqcIdOsf`=UBvd!8~pqgq*~a zie+A!DV3yN;15Wf53qQO^Y0;%MF0%=m4^^@A^;SDAmE$*&TpVoR=rKkrThv_CC+~4 zrdh!a_s34z4l&XqWU%s0vxQG!$w-|KD#2^LDCp8mtUJUS{7n{JZ@-YG41mk-w`RBDAVffd@B@Y*Y!NdUVA1+te2yeB$MD>PJmDn)!w{Lk0KSPJ^b4mR;lVlxFvZuEmsDk%&HZ# zihS{z#VR3&@p!#Z{}z#aZ+!)edm4ekO?>`jWUOP>C^A@~iF{#XPigphx*cXq*Pbw` z$MRUZpRDJCb*67)-*$Mv(~w|>lQH-B?3Ng_#LY&5 zp=PM^>EnWn#mcyJ6%&;s%=K`oeS)+>=2;m~Yk{Zm0!iz#4qe@R>>tFHA{rIiM~UNL ze*9ESCYasrF?H|d^;=)S`0UWBqajw->_aR?3rg;y=KIe#rN$DeS(fi$*xoQd1@6~$ zMAQ%hgu_nBotfYTZSr(YJ;_s2t5!jWX8UeI90%esl31#tJ!fOpyTvV+SNMrh zhy<_USG}IVvV5&tEO*v`x8)wI&Rs4|({r~5lwCZ>DD$P+^fYN_@60|@n;5Rr?6WG} zmWb_X5}^xO&yBe*=}RmXnrj4F<)48uVg-$T#TGRCINlE5sfmK;6-sV0sPtrIsirn* zj~-qBRW#4rkKL?!;&eH{_-65D^F0qBDH!2>9BfNUNUmBJ7t_p7WhmW{_^ni>BRR>r zmmh2`!%DFjn!I_UUz0`9w@W7-BhjY8?jKRiA6n4wGbcSZsBM(XWGS&6swozhW}}RM znh-p1@%+dvQ*waohdNRFs=J@$ewq5{ovuW`&n@>!J8WI>2018(P=^fJ9`|nYV0E#E z4J`H6DR z`8@u15x=pt>1XPurpAsH-hVWO|E@P=Zeab!OPmp@C0|^WHm^&!Olt6YZ=!Ta=%C1C z_}wr=iGKR9n38#V=o$Tdsi>ZUgka@2zJ~gDgz=5ck=Rz0JBtH+E8H7<{*t~8;VC`sOuD$xwdx`sOPkOVk6cYO!QZ&@R-|fsE>R*Ey zz`OQR=TQ)rC|_(Gp?PzW)dBB?*l8n1eBFm))cPEk{b%#mUx;zZ#ABbsSX~N#_6-&~ zNM4cz%rWPNtvWvR+6Q;FzIr^f=q*;CzSXI5L;my%>hdQ%#(PnB+oM@~<>p{khfK=1 zDOBtz5H&2e1&KBEiRImaAZ~HlM&NEY*T0s43hgrfXPPAR3=z6}OV`VLuZwA%trc`N z09qz+p0+iSa0r6~lU=rMd26PRJ|b=qrAu0|`dZh-m1^y?E&2si$&TcWGYy))Dns&@ z{DX5tSWs-@e6&Qq1UU>~77GizoPrPH4cS-MZ2dYrI%KyWJ!Y=0#k5!w%4Logb7`eau~*2GyhOl! zv6sSq&BxJ#L(h$Kjh>ubXe#m9=~vh3&p1>Fi_>_FG7ER9eD#roZLO#c`AQfrI_4ag~PEiSPa;1zU$1=CQ_zE z*tC>9{jKCQmIrv>@YPM+&*+kO%x`UjnBm998V^Dutj^mfGI~+;Rz-tDs-Apu&+W)V&KlW5$IOG z8#xA_y<=*h8|M#As*G&rWi2Umm`n+*x8{0v22G35FCt?^-lLjS3#uxCEV(Z6GSrM+ z#v~K#w~Q%mb8Oj^rpuwT79#fKzLA;EQvO;r!{MTFXayA_qw?V*l0C+YDHiP?6Pk(J zjdm~u3|5P~SaAlHOt$0CoiW&w?chbw51Qfy-JeNvcXzF+sO9vhSLN;cEkwRurQFKE+LoN3({S3xl9 zFlp$n_hM;sVd_pqt~xuhkJfVr2OKmb{1m#sFrxBOXy0>6pHt#@km>LKE`=$Czm~Br(TmPU+unF+Ml%E zGSjAWexFL`NM>;3C}n*{{7X_ssBr$T2Pym6$~961lXLbtooFW**!PpG6e-lkZYEpy z^%GhhZ2Bm*-)p&mgswYC9bzCMMlpoX23zjcdAx^M1la@LF{j;**m`RHH7X{tCFfN(Ziu$; zcUOI3CTVe>9XU5SV~DRB5@AzWqDRetLhU?}(KGXOt1g4%8?H|va+-}(MLW_rSMcn) zz2@Zy{;wT#yR$llQbb=QEm=vS;-AF#m_U)9#G(noUJ5~aAj1tR)-7Y?(6B1JX&JAW1UjaKxC9JbuA{m8 z+mK)0qTln3De#vGj`I}Q3wD@p@;r7Xx!fY)j}G&(KZ!`mIc0uvgxlM+ixr#sMQ5^Q zyC6|ebxvCq1Wk0^eNcG^#uCh)@wf+^NME~ECDHs%xGD9(yk{HSxK-T7=1;hrn*w<4 zJEt)5ozzb~zzZ_-aFFyOaKNm@bbKYMpa`btE%}$32QuFzE8Y-}qc=qfMUWy<}v2_!c`?3}3m| z=f`C0@sG;)%`YvKe>C4kjP=Yp$MIo|9zE=@2+tzWVA5do|Ge!T`09HY#Xf1<+cMOs zOn>Vh%71NqQ#SeGg=vd+i!C8|*bn6m+LFt9g z*8zWxkId=q{e^HJMigU3+IpnT^G!-NRJGO9R`Eh3O&akp*6Xq@akL@&0 zdOZEuQF>S*F;az%pIz{EyU36w!c`r*Wm>FR$^q^zlS@BI!<6r>grlVxI^005E{S5X z(3EhZHKix^v3l;iLxVl?LQMOA!8q@@{kZAS_|vd!g45fqBb|}6+y!Jl55y{N3@xWS z)GrXJ{4hk{^mfHBHj!cQ{7o&6g&?r<4YS?)#hd4{>S)8QXX2mm-g@c#l6FImhyT4n z73-{0mu8!pfeaxZAu|Vg-%|C`)@r*+RXUf}s}C?qCJv`WL&gfEXZGHN$cudPBCs)f zN)TUjp<$PrXp=s8x2}dN6`H?YWu7`DsfRMx*+26o zp^uRHyTEA(1pJyPJqQyYDI69$WAI0?m%~5%nrFK4r~A|;Qy=oaLX9p@^-zN-=7}@} zONS)p@tXw5h3hl>){|@tQGwE=LPMA$^1;1?bg~N%Z!EvS7%*2xbbi&ioT9FIy(3%(nC<|VYv}dCq z%jc!&uF5TTAo@V$q?$vLu(H0X7pWt20*D|joh*VK_M}v^Co>L>a;oqWzRc3{y|Af= z{G8d(cz3)4hs9GNccrIV%SGdt0!>Z!`B=$TcYRa;-h@0vQHwstm}+PwTM!?LBkTlZZePXq zg=9Hp3&HOk#l@ExMrSv*nikian@s}f5EoHkX)h9v(lHltQlCg&M*(vAKjdF!$CPftI zXJi82p`VRrOE2i=fLB=QS zzdG8$g7`_XshR#=)swSRHLwl4gvUvLzWj9o{Z_iDj`n8kj_u{2oX1 zX|Ak$pNd1iU42?J`?2I!(*`ar=Ib{JgqP@87Zc0P7rAL*y$>z@BCe5 zgNdh+&+ZsLnZSW6Sm9j2(yVwR)%Lx`T7t# zV<*0WiWj-P*Z_>h`>sBafMpn4o({y-uOz<;-*Y~@ey5OixCsR`;8-w98Dm!HV~YH_})8h<7olN3PMz&#VFcF*)PqeY9SX^tm)TDNf0&WR2Xj@Ukq%y z%NR2PEilx%&;awUg~FH-_uX?i4bcZg@0K(M^L^3g@UB2sy+K7OrM=JyH&9x$Llx*| zXBTwIV*?Uh>;)yT0nkXY9|uzYvlYb9SeH_-Cu_X z2Fz;CY~2=lUdUv;6D6&~g@C=EtGP%8c5MaDHB4EB(0d>~-P#M!bSNt;`)n$Cpj72< z4Nde*i(kvFf8CGV7_3jTnRe+~KF%1Dcr3H%KC_E<%nRvA+L5$|9m_vTU*)evaJb77 z%ERjIM=CrlNi+KJ0Z~LDo%H%pr?{k9^zNfxTb-3ZTXY7m%8Mw~C5}FgJ<}I?4>F0+ zq%%ZWv?tb->ZdTRzR+;=^rkd#sL%#~ET`>I@LBBpjqN-x05xQt;5hcS_44c;_@Ta% z;5WR~(x{gt`d(WhX#3+x)61in%d$$wagtKROmg1Er6Xpd1Kbo_H&*HsYpw#45xkA1 zvqe3*>2kon8Px!tlNWN_4sy1V?L-ks<*2wIVMb8;o`wJCQt#RZ^O1|K`X({&MJYVTOk6gWLXUi+u0Oy#nE=Io7KcJTyF}w zt7D!vp6aMk;Wbo}?lv}~3E3M=bpzR%XE;lx7Hj?F`mXr4O0}sVn?e*J3V#IO4iizI59Zp}8TPlz;7j-b3xRjDXm zwEoig(ka*Ln(%V4kL^Arbx)D#Tz!7n@&d9b-vp|Ot`)+D7RDH-6ec|vd3qwx7~VyO z@m%K@VTrb)q#WRjt1s#pnn|QBgvU)s3f~X_@~tX8^$?kd>J}g$My<3EbM*w$B^yUX zyt!}=!k?eKm*i=n7Lwd=JF#d+s)XE#zfa%D;J$AW$tG4NM!q&u^vs|btVR@wG0-i3 zS@?M6h3${VfV)g}iJQ!36Uwp?h8!vdO*Ij|RKemBOP~2LRLE{APJWmJE0Q-U6ZJRV zSWjP;1-?U#XZ{u{10F_iR!hp)WD32qR&Dh1yOu4(dn|^+DU*wLA9-(++(sb7yGg@5 z8Q}iIk7zmPW2H@OYWzgJ%H)Rk*%S#t1J&?N9nbBju5Az9;5*trt^DOvezR&y%#~su zvff3X38Lh)8&B)8%76q-C9ujn|8ZSO$qf9|`oH4cI`i+SBndxot5Me?u`M|F?Y?r-+e$6rN?8I`;y=+xe6MpDYfV5axdB#%Qsb zugf;dltRjKLE|b04K);CJWiso4S0x2L>*pLjG8o&9m&s2l4_jjmTPZn`Iqj(u z+KvW@kZb(+^<7@f>{BvRBxZ#^qlKS>hY&gT@v${5$M~^YhusTp5I>LwO5n8(LCa~^FumyaaU^MEpPLW z3DnuYN40Hl*#~CLN=@DU#2rDf+$k=KkfuZglD@6fyE}uN`qo8<f|!}u`z1^!;?d!XDUO8Q#R_#TdPv$CO3*v2 zOgPc)gQdJ$ZYM9-4r!(@c@;M8<1NM&D)CNWXE0}D_xoopoV1Oe#gv1@KwQw{uB*fJ z<@g|a%r78f|5u)tW_v26Ti6*vx`iXQ2-LfJ7^KR`l<@c@%z^+`4XsAu1grDuqh<^r&M^p zX!)}?k<30E)FC9zn-m_V%poiGKUP_?!eVLA&`J(pIh*|Cp&E-4Wjys=OVge50V>TN z&e`zSWmfKM*_oqPy=j&Q{IL;7rAux~Ro_ z)axgWEHjgyndLjlIKFABd73=B5^5hAJv`LfwH-q;9l=~FHt(u!>S`zOEJq+7IGJsb(> z>*@vBixk?v|HO)tY(v+bp8C}BL8law&qyivs=wbOd<@_Xwlt1OyNqBq*E7-4A7S*k zP+*FLU9l#srjIxD=|o)ZeS}SBp@JH;LosVu!>Di(UrXZoBh3_`UP_PZn;O5i?VG5vTMe2G$7|Z*G7w# z%=G7?d>6d(YbS)P0)%LB6ab|hD@XM3PlYlL>|kr)IRx%CR$5V|$J zDZkj|z92zPvbVISIF2?|gTwv&n~S7hfV6+Y%D^Uq6oG`4tMJ?!k3ccy4aoITPmrK> z#jSA?AI?#AI{D(A&k176u}rCNHaWrIkeJD3<4~30I2! zY?m#97T<2gywS87H7U7S_GJ&;q5PGw7I)r#e|9Z^PvotGd-iTZ{IC63u`-HHBEfzW zD{gOs@)+q3YMU|l^-OGuRfj!Zcp)-HJ2F@=m7e_{=z8y3prdFBE7#(7oH6qZ6{p zAXDs!sB6%8uhuY^;~_UwuW^1JMHh#&lebi-?E70mKCMmel^<7C8n=JttZ!S7U|~`@5BsM``GeTthOrZJM5QE*AnJy3Y(;Olss{t7kr_!( z-{i0j2+|Fl@UqP(RQf!SWuDagUl0-$WJPE}m3_O&s81?o#-+kEDXda^UW#rm(}$y6 z4$(kaf?pJ5YfI_I%>85snsNp}76Ka^1pH*3cdTk@$*= zl*=rC3VJA!s^4vB4Y_u9f7shnzlVEiJil>MLQR0N(K0H5n%HT}t@e7*4NF8VcwHT~ zk+Ts`!PU8iU5E6r+7L6>K!6l&z}pLJy=h=R$R8l%o!@Lqj{iFGwKn$u83hgXiWR3B zK{+8LN7WMZ!8W`q=DjgqQKGl`njN-6BQg#I688cq6ylex%AIvAMLKm^%@sj>bqzoJ z^}JTy8PY{Of-#C5lp~0yk{6VE8zxf)Cd#F7y+Y1M(;O+>8khHW{6d+GdNulkPAW_$ zdWxnJz`jw+XYkVPCl|%s*B$NSmDW1eFYQGd7t}gu8bUbdxHY-> zsbYw;4CIgmG6}opw6wMD&I3?SOizs*V)vjPp-JZE?(wE-SmMh`mYUC>eIhz>Ksjfw z!-efZkUSf%HrlO)<>;lFQ9(+9?2OQ!1gF`I#S=t$BQ#QyoC(lYUP?2)>Rxm=q4Pp$ zXpvdQ`_lNd9AEF}cpc}nLOip&-ZOZ(ZylyjDBkNJ!IagFyke5nRG7(%v%{e71M&|S zk>4VgM(4bo6c(&y3UoC`k=7L>7T(8GG0qSoO|(A4eM>2&mLba6cSYfi1}zPT8Kv=a zPr>AW-7a&u4;t#9X1A#yM_Uz5MrOK7Olc%|sN;HX%Pg|Go;z*gQzuRjGr;7@O>4U& z-=9rt7S2&iJ@TnqKN!1N z#^aeqKlNt^{JgVmjTt4Y3}z@f)=ALa>%Qe~Ds%r3yiLOVe zU>;WVEK-cDc>8^)F5ZnVUE2c-?jG+Mn0LGZ4>{^l_8ZcS%v6z_;8b3wwdg=|g&ZG; zE=R8iT-M=iHtD`iwmRcv@qTYhyzqKbjQ3}H!lPX>>aEJhLPhpRUnC~@rfAHY^g?cU zMDXY8h)%G9I~^IDj3b`6J;|v)PEQ3BPLAxP%SqNlm^(t-(dgNB#&qAlk*-<1FncT!VH=fXJj&&Vp%tS(g8q0w~2fT9` zJ%g`!HGj-#+SQ4nS`sV4-AWm3!EyapO!kjT?#u`}#%1kSifv;qeo-4Zx=NXG@a1Zb zd}#+9K8pZkC2Qr@R)AV9z%Luq0h)T18BS=TFV@5J&d!SSZX}xmq;CKntzPCq`kP(= zQi%zT({oOE-mCU$C4viRhc$Aaw~-u4$!kE`C4qL9Y-!&0YHIG9Pdy`57?+O;yHO?@ z`?=thh{R`|j8)TQ1=uEuq5wDD&zmo1`5Pxspqib_R?)Xa}2x zR4jl>RXyoJUIzhMlAz&_JGgZcTY!lJ4hv+&xu;{#zU-S8POuiqE#gAD?l z_x-UTpc~YSxOj8>XZpu>M)mi!9HCoar@kfKNNu>bw0OJt2wHFgM5k{;wuPAR1g*iv z9W`*GhSqsI>Ci{vAx)v>G=9by_0a* zmg0318+O&eV9K*^S&t15Dvv08k`&C%ptepgj~O?dF%Psqi^)hpZ}@L3B*aIZTrRGp z53CS6&Lm4PR%5}3Uq%~KRR9|3D0=c85|YTGgus>T7d&p}YU|%epSlwXrDI*CyePhF zzQ_;L(aHVB9-vpp9bWr3m*D}zkC`t!_U2X^P*ldM>>B{SS}+F(+6k+KiskU{IaDE^ zxd4f(5NkG`b@A^rM&9`2#$R1>*RH}K)FkS!KKV#se~huv=oZ2yew-KM=3JJp(%l4iIJ zbz>355lb{HC)M?g|L4&ITx%w_&p`m8pt3Q(QsQyCj5i4RbOdHMq>!-h@I64EWGO>Q z-U*%GZ35VaM(S?!Fa7lp=S^wfZ$5p3E759_1$u~EQX0H0_`y}{^?eJxFVN3hZ&C~s z05sszmEUZ6wqg6tZ^Z#1wo5+9an@}OXI&E?%#0&mI3*URj>TTj{kk%MXMjuhVx%00 z3M{1shYbW2y-QslBCccas6b~_UMEqE^f_y%mYk_`ihBHc_n-!-Ewaw7Y?MJw3l>V$ z5=yONLg|g}+xV#ETI6D#HrpApHP5@BA-?A*z5Hv5`q%nZ=?${nD5dx(H?v5OfPG?f z)Js&TO9-Gn6*l)+50!O~?=ssN+da|s+=pi{tvR7q3N4dI&SLSOD@Ec63;lBM{cBek zdfWwtl!sm!R|VXeYPldqb-g<}kUhufSlaE>F27m154U}> znLDNVR73&mM`SdGz=6OLvN~2Zx4@9{)Lo|$eanTNYUQC+woWiKg>|c@c%27NkiCED z!O17}nk?zfzu(rrPHZEH=3vB^rgXE$?mJecPYGtkAxU;RtNf?s&SD_I);O{#<|4SuzwX=G{;8n*7yLF~5_bBzq?J{@j@(1s^4aqYAyC8DoQvdKSk z%@kx6FYLZg;zwfZN=6<_}&)R2m&{`7cUqeNRm2sY&tlJxP0s;DqzIW=c7GHg^>t(NYWqi8y{2V3vvRJ1^xmlj8 zT{+|rs#J8}CzsH%S`#atWDZD`cN;e*dua>Wb8#2A@P;RMBIL8nY>2w*QHqWlUIs=2 zzRdD`c5`fEJ(eC*Fs8Xa8Kp%+c~K~^gtEJa9;_1HMTQOVU@74SiTVQQ0JtJ!j&$@RCsbFD|9nDrvG zT~Y23g4qbpcy+JvHpQhro6G5MaL>Rl(ISD*;4C{tqWQB3Tm>J;VQ6zr>) zkZ(<(vd!Y?_~Ru(2A9at*MQ-wLoUtEwr`!V$Nz8_`vW@~8!@d=OYWthU;Z|Tvk5{l zI1>XgI*rDg@e-ZPS~9J7T6;;O)GM6rb=nnPJGXtU$fj4RUST;g5OvsRgAraR@;OR! z_SdBs7i12~uaT$G7@Mb-sW{B0!J>IzgN4!N*LZr15!WYG-k5NT`GZa@B6#skeFyyN zy{kOT-UjiKvZ2|KeLQ6wSt5eV;2`AN0w~cORNiMsD{nqTnYSw@-6eM5z5p7@U{upD zb&1GZC?J#L`rS>zrdAr38Q&;;V7=NgLu7nv3gPzdVDI4~#mGD;wU)E7Dc;30PrjF* zMl1ksse`TR#srRZQ5$cnn|cf6<1{bFi7s2Q23`X=Vsf9jeIt-DH3ZnM-w(GwYeDzn z_Pjn{o5d>NrdoSC{<<`T?|S%dRh>e0>SEV(BkJfnxH12AB*x{l{N3afwlo<5jWpaz z%^YyDe!NAl1lIlYe4>F0P`atYWTqXF3bPNw_A$sc49l)T@?vbY*BC(Dd61){pnDE| zr!##KV0M7o}MC=f`!rhdK3D(kf`TCOg_Vyj6v?trMJ>RP&3~sh7X1$Lz!hr z&~@(^sZ+2ESDe^{XLCW_x31`Qt>kik7Eym*w}cY!cBx|4)}kzE9jG+M^18)8`~YB8 z2k!qzQ4!Ypf}5YhFhL{~9jh08iCE~Jketpm+&f8z5`BBx+{WUfDdJ=bOpZ|nY^XNg z6pZbSj>>8cu{+N9U2UP;RO)rv$w-x=r8+*B4{sT(mIC#uBTNLy+H_v`kJw_UdkxGz z{`w$0EJ5ZY)BR}r%?m8J5H|UPB@-X?FYN}dpMAbMSmg!vyM*w>3w@ITO@{%vx8>Js zqmaO2BDF+RJ=?ka>r8~pwX1Whgw(4GAMV)~Q>Kjg!{Q$f@jOCEVxkenC7;#IvPr#b z_8b=}|Dp3*zEDyXqoRaR{;>>;-eBfEi4OtLxxA5_yGiaxtrA!o+5#ON8@BmYkf*1j zqF2x1YJ|Jq*Qwawou2$s=TEX@@@dt44_S`ChTqvA7o{2;Yjr746d#M((hL?Aatl0r zGm8k==|+d_)DdU&_(yS@wmgooXvw&*h}AJ*3Q>6Sss#%Lh)O;C@paM3Is9OsS5dbf zkewT%ezi^B3^f2T99-^4>!njN$Wn+S0A*vdQ7vHI70xQG&J$vqEC$ zX1=ovdE_J+^VBa>dlZda0665px%m4wrJ@~>AXLSJGOB<|(F}$;@p`^5`ODz5&Ipl< zE*I_M=hZE}@5Yz}A|m;0 zSFbYS#-{E}eH258o+X!2f=SoKQ+d>0#$|ZQ*G>jEdOQI~#x0bv*^?j3ivY%7Zvn18(Kbw?Roy(?!PrZa#-(HKgN<4mzB-u;%Z1PRRy&|z+ zr|EGGwy)!G64@9Q$ocwu@MM;@?K@@Z!ncn!7)c}yOV*ZKMxI7IXUJ_{HiH7*+f?~y zxpkz;Avrzdr;YQ1Qgz1@CsU>Fx~*_YJc~7A2RY=am*HDhEVw6Io=%ht*KH^hqRcQU zBfPr`tYRg~YAdml>03Vsrm1&ljTlqVhcRSg^6^qsDpC*g_w|* zN71gzmm;r!TE%XEs^hA3dNnIutxAGqg+ruA4Y;jyyD#c&I4=atXKk(;BhZlPB4vD~ zF1Cx`(5;kHx(Up@Z$quEQ*I+sYU}~|w7bNEJx|;+a%vA6D$7t3=^NL4)&f@LR(p9c&-xGNuo!xHkLbd;we!FL@!+@uLn#VQVQgOOZ}PkaW6IIcoKUSsSlDI(vSM_x7bKBP%9A& z#NIAyg{c@^)lV+u0qhbEXh7%`H-O#xBcJ8>B5D@$nVzTz zK;^^K6UWK9M>7EW`WVho&ivLGu3Fw+KO#GiqxFS^Z(!h$?(8GgV$lHnkb5HIeze|o zpMilX1CY=%z;FRgbhw3?U+w0>(#Rn&IPZVg2~yC{=rOURR=1ao5iGt0H^nOVAl$UY z)h*Su%(wNdeD6=j2mC?9`d=14qJmZ6TMEbtq@Oe<>*Sf?9lHqWZy*@lD%Ptn$T3L` zcX=<5`P~}Li+qNm=9}{GxmJ}F9nue?El~E(X z)S3zmBSt;$#CRqwM{Rf~byo$BQaahlTs3i;1+xUQ1s1X%a=nEzb#hTM5=}~TG91@x zzgMm1a}Wr2nzl+7l&n+(I>S@m+vIWs!dHUPUL052QEQ=ZO}e2Ib7d)MlYRbg$BMU$ z9vV`#+Xj!jre|U4%$QG+HOgI7prrhh#tXxcSaxUG01Kd6YYfZJ4hL1GyDg99Lrx1# za-G~ZUL7m>&Dqsg%x>eldLFZrKzxG7F)((Fx+el(PX!o5Y*klnQCGRfZ;Hick}1)P zk`^aW;p(;cn*EJ+;rBzrm(t;@QttHQ-$xC1I4B~8m%VB*#eg%>VLw;&ig}5<>;^A( zsf~r5DaR@{-Otv(WZJlY34FVx(Sb(gD>h>f_M=5uc=Y;h6vQvS~MxPb=2yS$fTyqmT>1J4Bh)I&>QI zuT!t(jvw&ODgkoL6l(*}j&p$?I*+t23jARVND*6QV!fe%>+<|YdHAV@JxfrXakmlr zb6NQkqMgxLfLu>w5QiDiQ*AXd>_YY(Rf;g-GuDLM*!r$FQ)>F}x%WpAG;sTiaRtDl zVa^sPF3mG2=SYe@u)Fpu)&_jzm_?VJAt_nb)qy>3xvGK;alCT60=*FeFwteFI|7L+ zx3ghrfBxuap4c^fxl6SYo^|E}|NaT{d}ts8j0luQs^SNA74P2R{Pn8;CyV6whxTZT z&=4{GMU#vFrs)k0NoxPM?^5dV6X22> z0+HY-ya)gru*duY@TEndtk;Aw{2N;F&o8we^-_O)=d2D#y;MIfLI@ZJN`a`I#%4n) z2+mg1&mC|lX!zq%OC38+urb$vJ^~*e-kfq<;6hN)I`2$x$kYPIkVrSg+)K*Hws4Bc z2{s!UaN~3;GMh6t_Rqd~x+Cp;TXOgsUiK7b?eSlq&oc|jdB8U(1$43fr&pkjZ49y* zns~$iyC~vszkB9P+Y(+oQDk64`TN5!d-Mb-*SPHFpV^*jx(O72c>^3n#wR}}7CC*+ zL*y4Nam0O{blyd4$V$z8eI4=k95Af2-u&kqL~^shZ2>^qF|Hvs{x@Q5W-JKh#KUf! z>b#Xqpawr9%l}66Zm$2mH6!$U*fqSU=gd#vl|pWuQSHB8OBHSUFX_%O&QuV@ zQwHGgR<;7w5rj--*n6Ih9R=YS|1^#UZ&0%Id>#qA_L&fwUE2b9x{^r}1OCNovBN@P z-9i9c&2=ywurKRqAIKSpft5riZvJ1~81N1~d-d&Qi|Lwv_fBR-C zGKR^itn{z{Es8etxA*mb{^3V@>{1h(Sf{{Qj){$F20z=`%8(VJTP?`88p z|2O}yfBnDvy9vJ=f~)3%RJHg2S8vDv?uY#ATXWGWGnilZrT)1L{$VBh8B3*u8Upp? zFRo|e?mp+UU+yxF31I!#17L_=j^hW${xlU(FdAuy2Y9x1;eT{~{9k{>f9uef-@WPF z*UuMb@4@~487O5sK=XWev>EJRe$7^R01;0L2&k$G$xw$JpjNth3-bdQ7X_9lKedbn zb63lCVc}2j0tW`4)`3I`G#~5`Qch@ zDYxf9o0{Kph;9UGBxBG@&qn*1K{f$GxxcXiZj2FPTGzyeab)gc|Z9_%9CU3nGJ(x;-b2*Z=z+-DDoI#Wm|jq@WtYQHrd0Qg6NAo z)#_W+&PBu-yqCoThg>?W3kQFDGCqc3L$>2RCcATkGb04FFV}K^eNbw?V6(o|;kTyW z94p>kF{pQI)T%bK{#^dF;5z}O(t7%E_0BlU%P+ku`%e~+IK0{-;eHZW9XZxX@b}i_ z;=8nj+>|;ST24OOt4_vir-B+nFL?9kBuDa9rsQU;9FoT4>t)RH!5AJjcE8UV+%*%! z8e8;g$1F3N_RDP4q$3F2`p)Q;WW_(RXnM-nBKG1%;9mz+@ z=DIvkNHQgXh6(GX1kYvii&onEzvSmUF82{q;7}FfqH==!2=RjOTs^&gC?MXk^*CU;m|VZ^wsHHTBYlAi*X?BY6$aJ&N1&#R0$S{aRH9Y z4A5h?=sg12ia|hnpOuov!;QxA=-Jb7_)~^@UqaIlb(l%pt~D8?vHpK9mX?ScB}2G` zD_#Q;RES{Qn^nj~@ks+Ei^R0@uydzDF2H+wq)c%Y`xY272Z#6S1qKmTMSt}EZIgP& z_jta-WG7}#|MQcG#dwbiXk0L6CAq6vt`8UO2-j(Y+TeY=%NV2GrpConA8OjnfMUDo z#>?d1+u2w|&db{bC5j#j(6*kR{Cd}dus$wCSKfGyb>`Wj&o3#se}_Wcub0pR??&U# zt|$F47P&ZQ#t@@h94h-6ADoiLSlpOazHK#@?qV1l?xN+Y3pZM{n`b;nsC9h&%5jfp z&FArKB9}~a3XDuK2P`9=*d@@0wt&7T)0|fp^GxRUJlo5d!DYCWIjNRX%mM%~ z6GJ{_(7gwMrXX&!;a_gcV6Jb9n2yYQgJnAK-lc5uK@?9mOVrbGt4>-q_j&gj=||+9 zT-Ai;8@ggGPCA@BPu<7%=TD)U?%@XEi&bhq+u8gt6IXNL)+WUf0oh}lwJQQ>#Zwlr zQyoh3oFys1KHFdHo&L{q=6CIvzWnIpbsXcvH$?ig%e_zvlQCPpv{+&dR!xob$e4|h zg3O*<8TRm=4E=t0SHZgb0khz!}G=ng4T zy=9YA5N4f^H1gtCm1J_wG90W16&gX8dRj;}S6}p>5AUNTZ1o~-jSAbj*{Dn~6#?}= zEUfg#MDUGf57R>P0K*yc5}R5xo5w9)0}73$>R?MFp!BnHCGB11nlQb~m$d)EWG+D=I4z9Oxrj5gzTpd^Zw1V%)uQ4^wpdhW(knZ}M~{JGen zXw79o$Fq;Vx2*f$K9%ZSN(@;I)6U~=6gVXgdFf5tq;9SB7tV;N2t^H;wBVYd>LN{0sr>Zw+YD1yLK zLcBvT2 zM`%A61(?|9%D`-ETO(|5b0$N%+pKMbflyg!)q7OijDkpMUVL@{JNrh&r=968bme z%d?Y5s10eLA*F|_+NQtGB9lXDLdp*u62vT6xvw5N|0>miZa7Nf9Xbpq=Q6fTa(2hHJg`(o~ODW`qD%V<~iAtU1r^G zBNKRD2ZJLi(2VuI1=y0*wx>Z|o{?a8%MW^sj&TQ2|9l4>S+cNYYpCB(IAq~Hep8;4oQ4(R#yUJk7?2AJ0~)l@%Q!Cy^kS-i{3{B#C)$=|IF=Rl1N^cnu*kZ#^1F3xbtoO?#`^PBVb8Nt>{NNW-3?E>;VTfA$^^2#(M1Y4Hf!mUg17=o)n&|a-7k7BT+W|(Okx&Kq@FhNzQc2 zi~~@u2K6CO)w&)&UOxxZu9q9#*hrY(K@@k)h&SuXa}QAMGA7ZZaw6Y|1SYwssU}1b z8fs(+M$(zpvwL7DEtM!C zbI00>Qm7boqqsl>Uc?Lv@c-Q->x+&)vnz`Ir`22b>Sy#-+~Q2TG^~n)rHW+ zk(a@u;p0FyO9ASr?Hkm=E?jC*Q^9wd!7#Qip10G|oGM$xhg)^6hcDmD7qzOQKsuV! zTQ&DQHVa3%;I2UTQ0`5IxNZ3zgFF*p4G;t_53UdZbba5Boe(FZMJbFb{ zt}OJ`EJ?l-{}suYe8~_1C%C>~bJFuw5@^k_61Y4T;;X_Fsj3?_5K0S3H&>|cTBHTrXKfVl&GYtl!wiWndQ!#O#!`@P8Su4)tIQ&{zvYF z6Vj;PmG5lzjXc2=w}gsp$EK_3ZLY@2@Br19;7vjD*+KuI1Jp(UL3vX11Uc z8x{!}gPYztHKr}fB^RjiOtZpS{k@e=Iq#zNhYsc+?r+&QoH0|@g)I2{tPCaD^9TJ* z^Le%s)#2bG%qj!Bx|P|HLVL}W$jfB+An~j9>h3gaKtX(Yeh_)UiAV~bgQDH^GwB5t|kl^$`y{;pO>nW*|he{zf! z&=lt=*6OK4g**^En~q~;L}?1{#vCyeD8oJe<*GM*=g2E$M|2Bw)24Z%r2pjIjz<3J zrQQ_9DK89cT07sET+Rqe!KyAI2V0O^^!rk94;3wf%72`;?`3~mCJ~H@D4eow)?)(+ zjtl|%;LNk|3rHy41B)gY6l(!9k7bZkksR%o#kJB_(=}zv&TJGSXY>9UKphdV1MHtl zizrdPD}d1B&d9~?f#gBfT)5-Wy-q~*^N}iE>q+&>ZD9Xf1SCHkB1YbAAl@Q5dvS9C zl<)T=giqpou=+|rl8}HK#;53ksX80$?W6bPHUy~PE*dVo0&Xjc3$gKLpJoVvyWy^6 zDt_a_J?PA!P((B>g$ur`Zg5qf*_3B`GU~S8pf=QfksRjLb-@HkJ_Ji6fD_0%aZ$Yf zYuw5Z)pBx7dZFuu$2}3=ea5v6L~e(Pj0k_wx19P}vzV6|e(;oBl;HDVpmm2KYhcOa zkPkr=r4yhs&X@OExF>T^*JHafm7`Q8=#J?1Stj84 zdDCPz753L~Jd8Q=4)M-BrJN{M*R)EtgWuOYD_5SVlLL0RXYC)t!c>e3LTq^O(Ws~P zZwc+~pozGnd`hQ^S-JN~g+WJ+%e?PFNgZ%@egKipEUKeb@jX5Azh__Fsdp0+59M^N zfh!E{NcT6g6k!^Cj)j3gld3R$`?LHi$3DHG-!pVmukR&Zbc6}TEdwOiLo@56 zcL#i8J}+~687IiT=+C0#lanLCwu3Y?rqr~(Mc==qg{DAGo=Jgt^a;>9{GX$ZqU8o! zX|Fw>vRcjMJAC9N-+3XB`pU=%6zXWrpA8$EfCiw6O^iy#Cn>ke3H$ZWWI4WKQUqD! zT`Jg>$m>IqHJ;eZ4`C>;G-{f*4KbfGaCGCb$c^55!WWMMw$65rw9u#6x*XX?1Ye{| zASR>v64H9=tU9^K<;|{Y%mH1gQ@rtRWR=@XSt`CU!@0qZLq4YFps?DL6hEsd86DGC zS7gTzrL1#5!mHR5epG)cz>7N-BTHafHOAj9^b3< zf#^zk;}h}CNxuv}e*o8daokk$G)?9o_QNg$NMfkkolrh2Imr2Fp0>oOopFeBhDjmb z=59rllG^D}lvDMO@tk3L*rrTSMDF~PkkY*=+huE*>`$9uKAJ4rTsGX-rG{NoQH&&B z^;-1!8$j6XC(FdpCLO*SmUy03;nZ`?g?zly^M_#Xn^(znAV6}}3q2g!_3kt1oA$Ia zxZ=Z-kD#C$$^yJTeMOex;=sDmy^w{7v%)c(?Tre-!Dx8x&F=q0s4)>aDXQG8MzeMt|>!CNDc+=n%xxa(6{No z0;$}YDmt65k4t)(Nlo$`3vTy@BA>M-+kYa>y3|3=M~Q>-#!bfWzNAO!KZjE6KZT!xOl+)SQYM5`3QT6Z z+MV3WLJdXioG|u1h~_g7&bJEO7W!a(`LX;DJy!KRg4iF9iR?L5VGh3~pn!G7HVE8m z8^6&ZPZ_2LM170d@e8V+kxZ@Ox|+(BdOeSYB!d|S03g;xM7#^u&IM*0W-Nmlao_T} zP4k6N8R_p*RVbQ<2OdnyD-yL^IAp(rhMQFsiFf^hi65oz3y5p&AUKP}Pu2PhY>;{(4rvTXJx zm%-Aog!Z2ME{R1&Q^qV)TajTh3GyZI<1f51N}QS$C@D$%ZU;y}Igxz-CE;@5hWL1e z6k_J&VfG<+HuL17c5@}l-6^rzcI0L$m}<-;{;usxeYLaChwjcTe zb4;C2Nu<34!1`U#((|Lh2Q3;5^#O z+24JhyY@0)UFyddHGIr=5nblS(RIU|AT*$wJt8dR6Tu=Q3h4rl+8=fZ*NxL5G*E!;3WXLzysn4U`tBI;lc1;Gb_ zgT!)>!EU54Y?0IX#$C*crw_c33k{fac`mz99D*{CgAAL7A%cKSCm3{zT%}5HO@X_1 zL&O7rA>E*)DhymrJ3NV&Md~Ln7=c-TJk$_)cA6fevbqJr(D_Tp)r)nZD9}QVb8tWx zXebx3H2u2vunlYg8C=-oOpeUfT4uqYo{4@-5wW|y1^B28FTZHf94G~xlE9UKU-Z~t zQ<+$82J`%pO)#@Yn*SZX6R~WaP+RUFGxcMF%p{B?CO_Ib(d@GRDC!{0`>9J|!kv7l ztdJE=@v_6>-MB(6fT7Gf{3eGBUl~x?uU{gwtyfxjaKn$*zk&eTljJj4UBey73<$_5 z=4L6ibOfrmU@V;4o0#4oBt+jeE;t^jDMI1B!C`3gHRq@yuhvM&5)}7`Q5p#5Kx5Qf z2)xAQY*2=VFJU=#g%L$ZVj!C$sHYqei@-I3eHo80_E=c|{l=*xMP7H)B!GuI*kG_G)RrD@!eC^`vAv1qemm4wcQkAoHZ^1%vF1e0erD3aHpGbLt&JQw_wd|c~6v&-V?E+MV-2T*6KkSYy<(59EDQ8V#2 znV1=z$aVAmfQQ|DR~CZD_OwX~)n zVgE45VL|0GNYUa`iqQ3}rX^~B)?MTsAR?H2%rp z{6(OuJfW}=Gtn#q_X4+p#t*c8N&HGEAh$l0ZLfWUU?9~_JnN2~U1a^;cbpU{StdKc ze=3|?kg-|6T{Sg=Wo_5fxZg?cW$ov`3Cik4=*GJ-Fbz&|>Z`QqU4)0km~e<3$RW5$ zsYjnRW81mk#a!1JJFi_!EhIU5=N1y2G`?Z$^HT>-a&Y${w#qd$X+>WGH`D5rnR9m}eX5>OD-mvL|ERH55l1gnGrr$$77#!Tif!FfY$PMBxFT7CQD4Y+wb*K zW`xM*D0Z&w58|*g!Yg8@u03G$_yAOMFQlXN%Rc>KQ@?%-h5fFUxp8}g9Ongty%n%D zGMYx#Et)(X@j!9I2g+*vV0_@^9srP$-cE|3i+gz9e83Z+E!f4n=Q*9mf?}tHt8+^? z21bPgV8!;8kw4M77@zl@HU~_f@%dXzqRA!41c(}r^SBD{dZ(?IbIC;@6GGgjFCeNx z=1G~8=0&oMhriikDHoAEP2BH_0DDnwcnK{0in*BU3{i4!;kDeB7$9aFqDLV-?d7Wy zd|o(OyDC>n^_X0Eep>mu^7b&CqT|NyZLPwnn+?B}Gd95$z*HCvX4SY>H7J(Km>U-* zKAP6oc7t+Xr^)$5eTu7>->CsuEH-F~Oe!4MMHqH}65EdtAo6D6Rx8+FagZ>!P|axG z+l`X>oUinIo{pP3Wkmra;GYX0+1kU0A7Nr{nWhdrBWu7ja#U+t1v&?E44Nt%ph|$O ziAi;*ZhDWnJYvzwbshK<{E%NNvz7`d#m$29)KcAWoDivwR6`j*>U zdHjK?^Mc?lU>y<4%=-a+g&apyPdxa310a|}WPCn9P%69jv%N*YQM(+ejL?N>^h!M0 zYn%b`p#F;0UHQuD50_8V6))_1O3AJ<}p2?KJmtvIuuT*~zek zA4?PyRqG3D3%U2U8+Tx|Yn(LxJPF=cW5{!Tu-}PgTdqFV;kVF?WlH)79KWP(MVKxelf=8(Ko| zzDC|5)wT1ZOQ|~na_nv%m!0WvRWA^1rhk~+rBKzo!)M)!&&@qQA|-rz5Z8R9DBNig z?*2{bo?fkews%N0UnNLRN@9Vwc^kH6B=3C4=SDnx5eO@Nza-%N{thk#gGlfV=1TdH zwU%&B{QLbLNkIK^qIz?SL?S8x)v%mkUvlgbAzh0P)k`jmve)vJV4%P^`=EyR>bU^8 zFwTFx1aZ0fEVeZZn7hP#2r3VGsNtf7GX$ASMCHEzS$tyNE<}Nb;E7Vh#b%+zA+hYp zy`u|QooxXi?XCoE&QtQGf?DL~B4`oFX*}(o_7e|}7ME_Q1vQU`_*}ZUQd|u>;=v|N z4<}M7y2HD$S4k{sQeYF$;g2yhmT-~WvDdO{Q}K6EIHLmC46z((?}V}JCJz!UNSCc+*1Rv?%H*2fOK@A=E=$q^Il0or&-SYOUvCb?`< z9jGpgZ6V5(HE?SjeN4--VNnY)dXA6+crc0yrmZL4wOLJoRy1)^Ys%hV5k?qZX1`QVvdQ)sH1>f5WxI9@`c)L@&i#_`v!Vt-l-jRN+l2vKuLd_!mhoo)TmwEUU!b66G|fOMyht#?A_mwQNMTs zCL$sO?kY%sm3bvv;Iww#aAsOel`pd90NbKnqR;D$o1igFd|22L*1r z$aVYpJ0e>o&N$Q?T**JbD*Ge_1ayra_Wa+zg^DtQiN&l(4j|9yn?)^EUsJr~f7+I{ zyCv$I-rvnf5)Y&(HG6Him6P}A0`!@dU%Zf%SXrT8-NVACQkQpPOaR%-g-5>!(WH3@ zCk+`9mEnsb4#E4@##`N+96KU$^5J%OW2g!1lO?V5OdQl zsZ67)-uN%V@RWf%g-42?r$7~m-B6!|4sldU;D)oxeg-RX!u*=1taL$af}{&|7FsV@ z8lgWS1uxfnf&82q@=(@>FV`pZeP2}-NMfwU6~cP=8O$kIa0XiZu}Jj;uPzSkUS*ZBzRqJdQ=M95GPYm%e)DWNX!M>|VT&TsRhtUc!k%Jmv? z3~qwOi(oretB{jSuA;&~(U7E-I7C>jCuw^VL#apjV!Qt`5?_@52X6DZGBv{$eV0UM zW@s*xzwNmN=}ziLCA}JM=6Xd34(R7W6qmE>gASD-AzAPOs7r zWHPSyx9ONyIe)4SJz8Z?;FQ*fw8`CyKn*)J$TiOovWTGZKEb;OPOQV-n=5V(opf9m z1v)|(N5x*;i}4{nnLYbgJG)YVhc8sis>$LRtP4V(8a-5gdGW?wA9dt$D=#AgC5&z| z-smB4Jb;4msTKC!#9~^V(Sn^6@lYvA;dQ)jcY!yThL0&7{HZxH56vGd4v~yY09~qZ zE)QGmg1-WrvTUwyMImS_f+QPS!&asDU^prlc?qU6U_mR}uPdss?7s%^i-J~9KA0i1 z|4t1(GPq84olh$eCr6A5u&p+o!AG=MvlM=qh=%CeK<46lcGQ6>^Df;uXq<9>H&;EX ztwESh%!Qymwt)s07|cdUgafJJ?Mv*t&$X@+J|IV6Jx&5fW5s$hU#&qtD=Gj^ho6_4 z!ncf^-8-}thrz2ED7gxH)R#6ApI-Nys(5;r$}EEJ97vjW zaFMp*>%c;{%0+bL{(@@il?X<8DaN%&hXbGQznGdvkZ@{I5w=>%EO7qKbjhEP_PEhJ zkJg>6Q49V`|~?N%tf^Ye~RFbBqmGXVECYzQmB&`i_yLq`HTFFi>>{EGV{IuneE} zE_LhB%(>0u?EkUuM(maQ5mrtTC=atat7xUZ)e0=XA>W31)$v}Se94k5bg}LLBK`Hm zB9l7Ks;^=&`>hY?SH0qsTbAK+1MF#96A(lrQRig3u?shAG z`uD8~sHY&K5c6RJ-3m3N(*r&Hs`w^w4KfDO0;*mxjotWyL6N%b@?;!)e6-TxtqwnY zM2h^7nOD4H^tIU^40QddDs<|>AH5_0B3#gGDE~qJ+rP~4Rjnn;iZTu@;?ZUI@(UO5 zw*slM&{(!ti^3rU&1Z`tUg5P6p)9M3ceWn;GjL!fFy$(@oHj86m=Dvt#?pVAi31Jn zv-x%6)8v{;3y;N)5rNUI4^{oQ6-5NW*m=Cv+Fz@>cHXq9^DY_gbes{w1qbUz*3;rK z$gixK+Xq#^K~b3pbZm15vpc&ZSNbXLECQity}0;Sq8?*6ouy!vjIy5|vq%xEJS$6A z4SmEyQfk<4C}GT27E*R<^Mf5TW87HGcp-uzgXtwPft2JA;+taGIKxsKA1@nznwL7Kn1Wgt9Hr<#|Vk}+Lk@PXg7JHO&NwE)!UO^7{m_l%< z#mHXOLJv2GdZX?*F5Z4wj9}rZ><j?2V4`$mF_H;xU+A{xnYb=6?DDw}HvjQ` zc!IHPZ!^wavb0-C_UU3=T&>Z#w@7<%t;x%G4jtxM+;oC6?R?!auVhqdcb)=d4rg?j`RFEktW(pTdNi(H` zZLuZTRMei>adHU0cJVvj%%;=Yv-zC}jPr=C)z$V2s*qk=bx5&iP=-P9b(LH1L~gG; z1%Ll#lzXV{4^6 zM7tzu;6A#A`O0d1+R|dmYFLo>w=-R#gyDr^g#4bJijsAwea#cN(a44GD=WJ;qn62J z`yS@Wf;SU;!jxrp8vsJhu^DecQakxFu}5MlVT4*&K>FNQIK&B4w_I6(As(~r2~3Sj zevvl3aOJz{rT?vnN8vecmO5!~Mb>HlXbnRE(OUyv4(bLq1!cGR9w5^MhnU^de&_q> z5jHm3fBqs#Gk+OY%d<9c;AUGcMO0~)8Qfoe7}s}t$>{Yf?Cn=C^4;&#u~QX$?bkJi z#kPTFY0e&NHMRn$ofIzLhP-pDHYdjXn__kn4$UvZcUL`guNxOur*tl+zf{@i!u(qk z5Xt!*wY#dK@*=&>fsI)l>sO4NU7tOuGv0@jC33pH-HqH69ALfrE~Q=~vCP2??@dTG`aMXwV6sF691(bQJ~ zgY`RtLKJ4y2UbY553(HJ8U2z=AB#WkUQ8`VX{s-l{rgy z9~iC9s=-)E-_1)2!6&^i`B)q8sXUVf!7Ss4sk!T37_|k;!K@BrGnI1pyWA->4?lIP zZI)RfM4VFV(oL$&6npP^nirXfc`w#kG|Ep6)$Cg&sW9PXr_t%t)NwTCx+YdRtnf+? za)}~hnt5&WI6AYHmXcPjrz>s;$Q4qtMss)>D7xRSg>X^wn1>3?``!|&0fOUf5M6FP zSUeWc;&(2sc{i?j%2-=bAU3N%^H?p?wRltQfq||7Nfsr=E=#AtEsj@Alm)lM9wHsV zs+y`*Wvi}8R=JZmLkuvvY$5$^2PsL|hB)~zUG zy$?^=v0#hz=OnDrRSl%*=r_fl5fJ>xFTS^KuJNxfzSOlQvmNSczJEIP5Gk}9gk;EH z!WS9%x;s^T5IZ%ooTJw;{k5M;KfcB%>APh*nf3P<>=(5M=Hucp>IWkRGfoSXvzU0( z$sY36shcr`61Sz)415G<>tQa3m`S!Zqt#UcS%<9{OId`EaHt(kI9xle;kdCJFZ_$% zN;m)=Qqvc3ms91isX2bgW|+WNl;QbU>+@X&N3q@M+FJ5WTspPrF^cjA5X*EMm%->L z$PcBEnnsOL>Odr6qgW|W5RLjo#HD$iB#?Gyi`KnDb$PTfLKo z@fAxpi|7=Ijujy@@m29F5WA=d(a{^Ek*2Wx{$*cJi_P2^@+Lk@2M?Aty}J5%)Sncn{GWsY!9nbd-MF315`8l;j;g|O*I)URrh-;kU75g3QutdvVk z4q~t5r!Cgwai~8?xN$xFHNS~9)WoFsL1`t!&k&!tDB@$I!eNy$ z6c>x)9=)GU#MsKUU$@ZXW}6I4W9JVMhK!O zdh`&TiAW-P@0}3DjNV&B5Wz?gL{Bh`E_#pNLKxj(^cubQch7y!^PK0r=UKnCervsd zMyxU4viH8O>(i*778#UIpo?p?GYZa?{pYhIkG2y^0r6aArnxs#qH=P)!{)GVyuq*Z zGzr;DtHqmo>b>S!?!94mB~|V^R$ZT~pMh8|cR2GKdUFd_WcQWWuHo zBh4F2-ewYpogd<*uiFZo_JxHW zc7NMBs5H&%f@s0?dcE|m;eh3Ed}lac|65RlT$sN9=_4v8TpO;1mG6rK-j&O_k!zI^tn?>WKoPbiz+O$;l}GltkW@g;=U!^FUAf9O}x=I92RHXT=)<(`XcO<>n+6 zuY+F2<}p57?*qCwn?vVRAhqsxq8cQt>|N?aYfxuIh2!sby8FYq(x7fB%no9&oU$0W zZb(Iji-`QKryt=kE4cRS29;5|xci@#Qb7>OfHC1FEU+XjK+g8Nktiw3bj*ze8$nq^ z8`O+DbL$uT1wKBHTPLb|RRYc6V36@Kk^+lz*!j()%cej%emTFt+N_j2U+wHroMhU8K)sF_cT;KkhYl3dM>e;0s)I-ZMm~q^ylPjd}Wk z*vVk$vft8o@hRRnyxMJjA%T9>^0`uJ?v)B6!7E%@eBzn%U#mw5RrI4}g%l&WubIVZ zH&@YqDP^{61L#NBu!ffx06tn~w3zV;(Q~Z2zShStD^jMCCOt*^l(aED8}|(7^0nA{ ze(5`t{7pdW>CO(7h5-$(uShwa=S<+xSIgyoQW9zBgzmA~r}cfG`D}l_?7>ly=8bd8 z`sLKM{thlfiS}2c@viCNt<3@b_2Ri}V?5!N&?;~}YNIV4LG&Mmb1kwK_|Jm$tpd2{ z+|4TwAeVY$qv5A8t<#*OGp&QTjcNbPS2)zQlLaSP&E?kr0^BvDhqBFgpcloT+<+q# z0c$CMNl!2L4JlITYBtIF1PSST_?{0K@l@)YeSLvJE%>AbMG2i+vSBQ2x6KWrf>*Vo z#lJF}HhVgD@!eve^D_J;ZH)T&Rbq4=v!-WMBTgsxb+F7n6`U}f5V{LZxPL!Ta`}=u z3hE_<(Fl?f_RPLUS-UJ0XE680rK;p7S1u7r zqJ2m0#Pw`Tr4G_Z8E)%C!l~T*>e~F+m7yh2 z%vlEd?WME%*v9(9kJH-`wDM=57ICC42wwuE!oBec%P1+WG2&bhgcQuU1RTnAT>JY1 z$cp>B>iSY7@_e)5_}@?aGKEB6earqeEBunWe&#P)lo?2vn7uGdlc=2gi8E#_$moCk z?KcX@!LvR!4q>zH9%7(1Liq(3AV>B<9*A^IQUKc9kYwO^y$85M$=6Ft$W80qH)sY= zJX|??)WoM?0uXPRKc{C)^6C{cJxcB+g#W!(V7`)oR_kvZD*x9CA<@1AV2=7%SeBB& z$oXEqs}y{2?lx+?tjzrrj_$&CC3;e_=)_(TjO6P%nb1{0wO9RkZ^kif9mz1 zh7oXoUzqy18yXiqRg+A9@}wII6V4o{R64CEh1;LJ%!9=38*=kVE3KDIPWDYXlE03a z7B+piTDzozdf~LlBbV0q#mPu_R}h>SeFxOL!#C*XAG*+aCxS7=t`!=xxPsrCAkgx< z5sV56@Eg>Fh_APa;wB(&`JjYpokVv>h6R9mrs&f0TdvTOVK;bP`InX~?_b(d${(F* z60lNyh+1-COuCz~hBUO9eKqX?y`k}P^N=>ZAd*mQLV=dP-w8=#Jw83LmJr9j?uIuL zq)3StRqeW*kHyxy%fU_`Z4>nsI*GU+R_jE^Dd$=qV|s?4|hZPmC0n}m*Je)Z2< zLFi**^xBorwNm`-7m020&)owaukCdwUA*jnxvscHtdrutzEWQV>Mrrk8B69C6csaw zVCZmNM+zg$Zygj`I5cWX46pZ-JD;yYo3k0*ocqok8j|u;16Tj z$3|Nu@|(Y-0sbDRmuFjdg{kJ;;b4QQ%mu#WCQ8XQ8{eC{(y+i~r6}3yc%_5s0oeI- zu=>;_TPNpJ>m=w>DWGIVogMnd0W-l|U_f)kV9f3NcU~EA0R(wZcSThA49Z>tp19x1 z%N*>&Y$~W)PIgftF$G+Nnk_sG_03W1^W&X~#J$#4x3QNmBBxgfA(I*vQ|{=2QM;A? zZ_~s)VyTpHG^|z`kf@br+l>}*wnO|a1O@g5*IvB|XJO8e-UU(J#VsUz-9*>SZ|}?m zk?L5sN9^ohBZL%t(bLK_IRH2BA%Hfo49<5NrX^gbG`yJUG_;TFXu5XXn=Gd32hI*V z(7;Ww?$1;~Vy{SP_n*zvQi zM$>~o?x+ShwAJ;0i); zz_~Uc44qhLmG9a4d7U%|&`mp;qlC#8abg^M;&}GD72u-YC~f42l&W5$KtROf{lPGUo) z7L@Yt#;k_d>jvz*q9nJ(-xZna;SVvQta>#x~U4 z-whZvD|)1>;^dAJ=CQ{e$tr9Uw%jdR$aV5HBvohGo9JZi9o*@Q7>Sg!Y=_dxkBv0v zeQd(AV!8K$oi>2yREheZL1_0BsM9*=$c?Ye9=<_&%A@W3mpcu0JAfV8Oad?pq{FyW z)bxF>{M6Q7r4?13n=QYiOsM%QY`&ky4wZjS<7aiXC@yk4ksC z7+t+#A{Ha;Bs|_{D5ScIc9z&`(4C8{R*d6Ok3pzv)NU5%bu7!IJQOZm;-{bW^w~$} zE{F71pD1PY(jwUmg~Et_*w*9O4SIhm(zQ1(F)u-77xR!XrtdaO@a4AkQ09@7h)pwp zOmabQ42_)K&}>?@XY{=^?>C&p!7Z#_qHzNpt5aHHr$PHMXlbC0ia4X+zPcMoZu6#1 z8pt&5zT;RtU#EdjV12`wk&h5p7WDE7q$c^MV5L_ zpcsK12q)MPy`$|agDfDj^X&pIT3@L;HsdG#zPvnYTxa6`ZRk)xOndyI!NQW3GGQjW z7nuCk-^iUvSrXK5_Aw4i!_aG!ex~blX#dM2GRXWxTdQE z#unRwLF^==Gk-xOO1`=ST7QF~At348DT2Saco+1LUoQaI^{isVp+JP#Z*PXiSQd^$CNRdQngR9NnW>)ZL|FYyh3~drUFX>ofaED)i>~sthh?GwvzI^A& zwt-(Q{=(rM{^&W~=#de>L-d+Azdx#OvENj8O+fcx2zOqHpPt|BNuN0J{*7tRd1CTI zy*U+D>GdZSl<-H?qv1g&QhBr( zRZl_haVQUikgC!KwvwgYyV6Ueu6t$KpWYmQ?zrD!ge2r-`(LV8nYXlokyQYKbr`7= z6MMz3)H9V39dM0#- z4iIWs@5S$ctNGeJ{b}lpI08hubxQ$E*m@%b#}ta1u^j8z%5C_4i2j7H==w-Ib!}nWe`hj6k5x?jATf}yAONJUWbU%O$tmpOJ zq|eAE&i)A|Oo_V4FP0_`iU>%@7Y_! z9}3PmfeKZua?vgoOpysSdsVl;viy#DPmIWzs_>HVIka~GPJ#Azr=EqNtFPUl37W8_ zfj`PV2rpHE8>*_?qh^9oQEw_|=fS5R#he_X9qM~48}LhJgmjZ%Ei;t}0*BW{C?^^J|JixZy`^)Q}F{{p?ExhwP>Xv8zIqSYJI zjxDZgg~h(|bdJ16+5?7OMFsZ46bo^n!`hN~U_Xh2PeLEy+x9J3y$tFm6~XI@ z2g%JgpWQui>hF|;U~0`wg-plFFgF@G=Mb+AVJ#@98&u@dWvMRvJj#tnfk+-kx{DIC z=|tafr|l;Fs2f%a2JGl1MSee6B{bW2bBt-%9Gm?=bw1^JFMGe{sOeGIw3PL3!HFL@AB#fLhn9%Rn`wTYQ-6G*W31 zf$^hDz}q9YyxtS9Ym)f(dTyzZ{AuZXKc7yj^)>u6@1=gSn?KN zJpzC9pAWh!p*a+Kv{WCH3U4G6F2;=<3C~wmc&bT%pWse(Fn0$9ItowOu6X*+8+C$v z6AhFEv;RS}d zOUg+|8ro4cOz)*h?-KHUP)>|{inX)TV;fzbM2SO1(QU( z&Bl^2fQ828dofrFcUhBi$Gj&PV^)}awH+(|W&n7R z&3Hfg8jc?b+jgOia_o0?Fs)#bl7e)gffe1ZWzy!B~xg&9<0RgzNgH)A|WeF%CCg8GCgqYWUk9 z1cgUs`exsq{>M?(oIU1h{LsbdM=huWJ1W2s+uQqi7WniP)jbkQA{ATsq;|!x3aUbz z_5+uKy0Lx20TYiuV*^z57p}g7uWVTyxCSc0;PIiPFxuA%sRC>Q-{>20S5_oAw_$+c zs1|U*7zUziiUxV5h=RhT%&xoa3QK^Q`D;xgB)pM(^_4NKG**gxBhycDbIY$+Q$yNS zQqp)e%4x4jJxV=U>5uS6_p5UAUfumiNj5y`+sCAHY> znpaSzrKnQ%M}v9Im?Zxl)x{3oPkzzbA8^cv01I!Xwr!5`n*8nvPhT*t3aGW6zw4Wny|RRPEoLjCI*%F@ ztMAvvUcc71IVg{j;Y4P4x;iJ`2IZCV{6*_Jxd%|Etw&2 z_eV8@bZ!#<8&3V-*EdWPNHc8UO=j|s?)T?S93>XzR7rgRTk2}hZGjd`tkN9I|JQE* z5L$cl<#bJwNb}c!EyGs1nZ4f-UD*(#Fh-fDIx=rdO<#&E@|rdn2`}o%)K)Phdl?$_ zv6fprU|Ot5u!+|(0ND-scKzuxcM({s%R~RU`~QGAJ~3P?JXp=#`eb54X!S3&&yhCJ z*kek21I#+5V;=Et$lj;?*MI&`MDU;ZVEP}jPm$GDX>AYE|NfTeH_tac8Z|)&3O@x$ zX?<@sb~Ub#7U=@{qB>CVR-X1c_|LOqMZGzo<=GWvqR^CmvMc=9Cb;-t*GWMZc(S*g z2NGPU1lo2LKjxW^0dH73M?50xPxF*=J7hE6=s6c&PD(-?&dRo@H9~_Yz(!s@F@kXP z@23=d?;0=m>eQ^eS?B)y?!S8?gNub%4<}tzhjX>LhI7=JA?Lv5U>Jz8d@J?-1NQuP z5H!6Gd##HpjSo`({-($WYQS+~7$!Oi zaM{p&lb-XD!{48WOY%~IBmt3o*~zBzo#-WKbQz1i?S1gb%61j2?*8K)&Y8Yh)t?>H zAbT((^ZB3e%ahwV@SE5HuN{c2=_2z3%FeZqT!o!G8Ix(z*8?x<9eeRA%J%;^VzBvABb=aD~MEK3BF zTG(4fKk-!wt%dL*%P*&#!vFP3rB9NjyTn$pdH^E9+P6>!jTm-SUXOw2(lY6<$Ua?q zcUh+R0m%a;a+gP$9YwXDuFjuR9= zT7%6;C(((wMB!ebhCOYjiHGJqiz%urer-hf)vzj}`gP6bcZzk*haS>C6DJQaYbX68 z0lHIbq%N5XT!^yDtS_c*3l(5klNz8fN~ffgZ<$SWc-fIWO4pud^9azZaejB zkM?4Hgjio@?YU51#wQ0YQOm5lCV=DEPE ziXjP$N}Pf!!Z%J;Y>{FZFnWJSM&?ycxhGxq-B4`wzwn*js@;;t&R`d;*548GssYI_ zA#o{eO8ha1p6~aNmju6T=mxm#KI%XZn+5DFKC{#?R>bbLQGNdqXR!b!YeVYDhZXAP z{h>6!fg_AdP+r;gr)43pV+@z_smcSj{L9dlgqU&DM@n}URTc4Wn-9sQCqT2(Y_9b% zUT)*N0Wo22;^Q|uVUIyF`hpSy)Lx|d6 zgjZLW0;0LtDk;7A&@wAL3vh(i-d-nB`*b~&42aisur-L&cWX+l&{=y1J#>D$UUYf9 zDbJpgskYVf5h`0fyso7GRqS3@ zyz7s2@p5AQ!x*s<<5&wn8o4*&pZRtR7}(jPLy;;6a?Y*_A|c?-O!BaG**tHbObsp5 z^;41NzY{wAW&~Ni7oVHAc^aR1dU4+A$bL~+D!!BRiqM({X2SQ{a~${yi9>8!6>{ygYol1_ykipkk>vmpLL zg?`YFl)g8h!e&~}ZFS5bW!MLDuyjT~6nWG**U0r)5j#HD)-_%%l>)sj#>6h}>ULQA_tw;gR)ele7le zjADvHP2-V~Rq|ZxbNI!>Vzy!MSgVIPNzK%^D$0B3Ky}!d^tI1-X-X4!`%w*IddJUe z2iYA%W%p)9SSg~p`p%l7F61}*zspajKen^ahf7!a$vgaNd%y>Eoc~pc@y|=KI+5J0 zns;9C22k<^t%r-rt3NrglV%(b zT9#f^mVS}T{JMDkKi&kR-<50arULtAHRj!%MMGV)HgiL2(BiK!Aj1)(-9@OT6`FSV z>x`aixpEslNA;I%$4>6MA)(k@!AhL++u)GWq5Gl7K{t9v>rhwHjWFV!Pc%@KMyl2vj4-sv5Ke^f5%6yRqS zKPVh28G3JnQK(Zt|GbF>`0`JxnV6ti8cDDk+onIQ69Yjc;xC~kZIohEpZh;Nl72DZ z*ue|UlJL5pO!4B$+JaF;_pK=BXjYMUg+W%R?CFWl)N<>foSsG}0S*%K66WlC<=S-*DytB6qk#c}Q4U1a0OpBOfjkIV~lQOsRCpz4UAw^di$Mbx-kL zOyS!LY3iwzQ~p3C=yfXj*zOO-mfr?(RXc%6IUGes-k zved>EWm=3A)Gi%1?h>DK<+DM4uo)UN)J}_%cHBxC+9Fv^pD3H2Al1x`lRC_)Bcm4K zj7{_cs%qfsUO)lU^any{^3o_n3L~McR6bs_HM{AWw~>mHAAtCrwmBSBM+r*?TI68&kC+;prM_KYr>7KLgKF1CKqgVm9$j zVb^$UEs(_=fT?00!0z-ez>qN)lpkv!nBm)iKoPq0@h;a8=-H_5y#k46pSRxexns|e z@;9UD9=WhdYoGOkN`q`CjNcJw0fw5-57=7`WBCQt2xkS@CB%gJ;h3orUhc~yuX{K$6xPDHaC)?DNf1z+oSA?@+fRe*zcU*3H1 z@h^}GI$Y&6uMp-JHR@b9{*7)oYk@+Zx(^p;;6TYN{uzMF-jd-UJE)r|G``*Z01s|{ zkP3=#wWXV`z+oZ&Htn8h#85UJM;vLSkZZngKW8BeXdm~;vF_H**6Mb^<6Z(=`=}MY zJOl39`3#`V>^zb;nFQiJ6UTb$;un$op(h95pY|?KR=dD|=;Y`h;N z2`I4&Q7IPJH$mj;V)cRNHeix}+iW<4LFx$OfX%$tER{7}e2pXcx`g=)I2{s?l!1;? z=^S*UKLv1Ir530SvCp9bJa#U0{@o^Qmx^;ugNp4h#diePtlqzky+Hl`1*RVmjhhkV zbAO536CjOiE2s*6jyAQyu&3o%kLBj>Q?Q}jVP=BLT6D6!1Mf*J*|lVsIgPZq&lVpz z{_aI$nXauCjmh7OLku}FCcJ&HO^7H{qc&*Om-GM!N(`jeZ9Xn$Mkw{7iVlJiA8EjJ(0#n730BmY?(E$lwR`tm_)a8@iLj9x^*M$qi% zU(m<{Nr0Kx)A9iAHbNQ%CUhndS&(tfKEbDReEW3yZl%CX`!pbA>M6!NZ}?Mzh7nW- z3OP(qO4!~$IR!?*@24fnC>%j~N9z5&Mi&&D{^tVTmW}W#&~9)f!#-$|HUa~Uv2cDj zU#e8VL;TW#N9oiDc$B3gwy0FvA#N{BC)aXMR0+T zQiDx^O-ShKWj3gd{hjq96fmn)Y$ExwiG^?UcK~BUY8WoDxw6PQ3Axyh(Y-9;7YcKF zKB|1&@BL)YA50(A@#$SZbx0Jozylq7LrJw4J4uhMKGHmT^&yRotx8Q!HAP&z z9!%^SAm#68-=ib@rJ^euIyLv?7h~PwQgg7`*#uRb|}m1wkC7#pwN@cV$&m2yr}Vh4Rap_S=V@G1nxIS+ zjpjI49DvvwBCUpMtOu8usRj8LWjiwbG?7Fi58=bLQoQkUQ^}Y21I*o&(eRo`(Pn>qK_^3)7SQK39Qa{dmU8(%>x2Sn_)9nf1b z6E3p9@wp>erqa&IE>mqkhi7YBiMS==kz#+!gYaq@tT4$gn;RSa$!rVZAW3s-&b%M4 zGAeBPgZGSv7G5D^8GRu5M(I987c%~gG9`N^=I5w zU39lX%^g--m%Zj?gMVdQ1d+-`_?wmt5T%M3dB%cn1wMUd8egPitWwoMN;~@K@XPuz zTlpLBCj3jEvbCe3+HdL*pN)3n@NdG0)5P8frMtVz z5ZFxBvQ5SKJBr5O;d~8ahI%2cz#c}|?U%q^@7oLWz^!r{zYJhNSwKrS-~ZfjEY^Lu ziyc41XA_tyD$u*@we>b*g(~Uytifb*iH9VJ7i&LZE;9s%{i?x%%ls~&&S0JX8J5KC zy1e&Ujv>r%@M)T~-_R}gWVK*oGcPcz$pLgBj8AA}j+D0+?6C08{TcONzA~sPd0blQ zk}%$1Onk+w1Y^(c*}sIpQNstRD1wiUvFSs^58mH624#?T!ys9ZlhU5>%Z}Dak~VPI zY&~zALovfepU#G`x&ApQU`gb~(*gL5;d2iGCKu2gBLPQ!CH<28Dj0%8cG=*TIk1%^h!t6!r|}j4Hp{ zxi@82V#@_xXX?e5gS;F>srFrlhQR})GzuX?aJt_)r`IbTzC%$^#fHlo+q0)9%jr$` z2^YIws6uq!Lk=fd>~d^@a~(2rT8F`YiiLG zcSUmM3@PwLeqketQm6JwH(E-6ORxJKef#bB2M{qPn*$y6&v)->N;ngrAfqy zV0=rP=UO;q9f~3sp z->{Bz&)n1T-=XuMu3sx^F~lOX7A|&G9UUASRqpVUiz?eT;&>}RnzjsOfK6vtTnO-x zj(WsKawk$zrONL(7MONwv*Yi*J2Vg4`aa_CG`im8I$u@2!@q&wHe0Sn&8uIv*B1Q4 zVNe)%hhLxhcASTPIk9QS%NIc9sw zd+M~(-~5h5i>?&F5y7zT=SCDdljleeRL3_eBJ#;%YG2aI>DzY?Nf`6m_{aWGRB%$+ zT9!^r9kE~%3Qu^g8)gfFcSkMxpl@+{TM z1`j(B2f#+R7}OA%;fAt+@_9r@>3y`hq0ANn?SB4bp$ClT792Rb!pufIM*dkj z>!EbcA4F#9%Q>mWm>ed`Y{_rMaMkp6$pH@JFwlbPTWRt>$pMu~fEvz?ML?6;O{r?* zPdjO0yqswysdYlX7{x|urnv*Tgr85s4YzNwpyF=~gzpCVtHRs?ee`pZ^Jli>pD%Rl ztH17=2jORBkQVg&+i>BL&?S^|Qf(E>9|0g{xG7iCsn&7~VT9YtHj_i^v6EU_ube>| zlgUuZ>GG3aB)=scUJVd>DW7f93(|T{D)EobUqebhvob>D(F)2vnIunvSVqPmZbmQ+ zejipn%qSxnT?Nqc!_G_bZh5e?5=77EsEXM*c4`1SDjd|qGl6IlVvE6s_hd>2_)ZH@ zYDW1BQ9#)$$lOgQo)=nq-Tqj9U9_m+&Z6R~hJkqgK^Gl~hvC=E z-)Tz;GDgyX1t2^hoSZNL4|u<7J?T5(Wc;wQ!U}FVEjw?qw?Iv}WM5he%K*|GPQK*D zkryJjH%KjZ-%uVqT(KCyu2mi+%(*%6W@w!Z&>2 z{0DNBGlhFY_#&PAq%XcgxuMGFFs6d|gdeq4HG0#gW`C6cL3gph{py<^`^P*&KPZW$ z=x*?w#T$_m9S^5MrVp}ig%G7v8JTm@DYp5E!nFitpPuon;@Kb|bF%t&PVul(D4+0< zhL^vot!2V(UAy;cN~`w5UHL)RNPcyR_~O_{L)7E(J0+P< zMpoBk1e4AOT&$Z;E7w+yS188wGVs_xXuX9K3{2l}RzUcVmR@=`@xvQD;fIQQVNupK zO*SC^kAV1&aJc!r6-e`w70GU!<;?SK+VIgk4nVTyj_bRe3%|6+6+9>9nA4)NnG(6&u4@`kxC!`to?=^y&R}Ww93)A5{bNd z7q20Zpw)_e%3q~_r?UO8EiC1R@OhGm!)AR(!0TkEkj5~on3yV@g}kB$4YYk}B!Ir- z?NFKDN!pdai(Zh?#s#&9;0e>AaO~~tI$oGjC!1iS{_tZoH4#e4IjTkV+?va5i1u_2 z9G&LG^{AWJm7KOiUF3=B-aTE{lo-+#{9iyZewPi;DepFn2Sxa;Yd=i85y zXx-?HS0ZQ=Am`h%MG@vrLU?qCn1Fyr6Jj=du-gRtwif)v=IGWFN1W2Dq_n-51O$fR z#z^huauV6J&H!qA?zTuh4vDJgMyd(sL3ArO9GvH14sH^y!=ds9QR8u9Wj|o0`d}n50ax{-Dj8eUr@24>%L^d$EJa*tEG9#`JgbRSF~L{<0>yDA z@0C8QjHXhMMJul{CDkqF$3Tz!ch}iH43VqtUf-j(K|OISvqS$errdm+IBf7<5T4&} z(e_N~8^!}A1g_6J=4`&|Qzt!=Yb2{0D+adiPufQ% zecJ8H_rd^b!Z6kxEoGW~N1)-oGBTLx^rrVOGPgS_(mYl{0@BcJzjE;Ed8_!YH?7F} z*^}t+-~7^<*6Se)J|IoeNjr!TOb;?PW5;>jO7 zmP|TFP&u2~NnAF4V@$qSV1md`{k?ZFbN+7HHnMC=hPsbHDdM^5uzjR6JYWplLdr}% zc1yCLQTkmLmGqcFPd6~g(7c%G?%s^kFQ8JM#g~vIeRV=H|+QCVauJ z#n$X;UCzG0-2EYGMipB>@>QW;%P39sC3S}f_*#H})hg1~lI4HjBjwi)Pe@$}aum87 zM^2jL|0$A4oHv_05dk(agG1#ByhynbRVx0)HFk7&bM#y>|xY8^0!A+M19`HG7K&5Y0F5uA{5}E65x#`|Zv*wH3 z%{R^qsac!+cq3NZJ`xsF}!eI>LTXW^*gu5Ey_b~au2yaEG~ZQ<1isIRY6^{p%m zc_OiP7qmZxG$sBN%l5S!*^`tCWaX|C(+F+1VNK(QfeWo~<#a4T6wof7Tn^2BEX;1g z8i(Y=>ULh38rc_a0biKLYDRofTq+IA0ajPSB`iA@P?Do8>p5uMIzf}Vl8qByP#Dyn zqn=SGd)KT3?^AZFH^B&9kUKH$e7V=@YIgaTgRmf;edX~_M<6~^v9GtTX8MI3<8{(8 z4pm}&hC~L~53F&+QA^01i>46&>%y7yp+VPv7Mb)H%;Tl$4XL12hcNL*&S4(Ke>J0s zUB!8ce-BSPADTxGSsGc9SP>=NH7mYHQz@FE{8pNY7>d_A~Rf0Jd52LxBW5pNq{fzT|zE)LQx`l5dOT2~^+{@@^ zpg213wo|RffWHxtQ`dPhpcRg z`flk^S?*4$sa!C{w?lIJU0k6N#3ZFqhlZp{x;8uuxzp|8`m#aH~KLaM}>Coc?^Wg_@VH- zsCm&Xr~t8IOD1+}A!k$CZoG1QtJdIP#3M+;|IC;;NC1;wQa~8A-`xg9#m{lL*v`dg z_AbS?AsAZ+JZ2Jfmwz&^pEBndCR<@LrHOZAhI)r}@CF}$4hEjqzGF2-wVUF>2M;)o zM61L-ZSj{{OOBIhM%z2=myVD|wqvEas?b-n{hEcB2^$_1q1?iH&K-~c-e6v**q`xG z{$h;rmU_vIOd=$O`>Sb82hCQ$x`le&MK#*vA6;?(gPaabmw$1E-K7)kF%Q-ogz*{Z zPNG9#Nxpft!n(Ixv&2Uk5f|x9A<3{9C#WI43lfynSLP_N$=K5TuxTLpVo2ZjW%)%R ze{)mE?%gjU#<1a6f+W!|go@R(U?~PKoCu%WO;kA#4)gWs2IDzQeGenJtgzF#$0rmm zn_6{&b6tmjY@ce9L;J&UF)bTbcj8lan<{wd)i!^}RyE>QrszmK1bC z2vf*ISEC{_E^I&6kKxWA{7EiSU>hW!nwp<`A(rZWoxo;R?cL0?XqD?CN%QZuYsBcb zM7R5GXVPy$S03Q66`^Z=7jc9fU&{8UU&ugk@$f~}B4*=X`1Jf;O#syu-S+lYz!mMb zCqPl9rz1_UIUgb_^9X?n_w`~URbKt(V|kPg>KNg6+XfggeV1e_XCD^m=Nmm`=5)WQ zivCl4DUKHvbnu#=9)248_iTC`7-_`$k^8&S#T-8GAeN39lA-gWRl>BU;4vCOv%(~8 zTLqA+oQ&Ts4>1S|)v+Gsj(5APZZ7j=9&~J+X}0gPp>!l?0~Z1NuOX)^%v*1n>`|k5 zp#x?DCelG$gu~jGNsxn!=BS5uul(Ea2cPjKTP4v>p+YZe*e+-|CW+j2yhL$vC7@Y;vVJyTk zO6zX)kac!B2*;ay%_x!Hf394jc~1l23jw7*3T}zhmMZ zF25{Z#lIo2;F=WirZ&eCae(h})e=hzmt2es-qp&PL>2Rny{Y<%OGUbmH-74tA<|xG zTxn7-XlF6~YP8@=b^1uqnolcDIbk&zsqbPrY~RyM0b7Nlasov-tBx4Zd7t@=vT6=5 z6-~tDO-BkeOa3C<(JAb%4<_-~JrXlYnJg8|7qgyzmo{vkeZkYAD$%a`H6!)7vAgTW zaeyGS(BF7}8JV5BmK~PY5ksw1b_LpiZ|aWkzD(1-lo0$Ds5le@qXWsBImDVj55_E` zlv%R4PJV#)-6#A$NC4Q_i|XA@i1;mXe+&OIEek9G0^RI4LCWQ>Kc1X{u-nN-bt->7 zS0ser#=E#kujHxR9+mwm1Kbd+j2oj{L(7oO0(ui+q=^5yCn;CGzBh0a*o7?&2a4I) z7)<`w7(M{l*}{`RblPf|f*7AH9bJw8i2iHNh4Qc_woD)(S9aPaQ-avJkWbYqxM_3* z%twk00a)!1l%w?-0Zh4#xL_!qcVG$3tx!5w@~eq)RND|>0#pt>*u7l^R#hFy-z^8? zGpuCatFw({Hhtm?Snu6PQmnr>q_>KaMAFp&G=IRY0`OEYDpXS-eA4R!U{onT6{(pG zx$dnQqiPd$gK!C5W;^e-ijJ9mnNh#^r-cRCQPndEMBoTu#*t$HtZi1Y3i#E^-z!OG z1AYb}hH*@3@)HU)qh%!Dh00R$7&BMDO2@2Fqc}!STW}$h#p%S|xD$!|L2a2;1ybFP zL)jI;$0aOUpfF&<3c}0SdwowlgR#x4)p>VqKr4v77B)JHDt zPC^^(#(C;e`9=Qp+}zVC@*c}%aWKXP^)hpI>%D@F57f-Zxv%@y6}Ciclb9_Tv76uGMNBi zO=~`9QvwdWe$-AY&{?Zo621%NXweNxsImL!c{OgX7Ez9a6Rvsff9& zBzD?W*m;NQjAi!6Lq2f)KkKV9S8f=Vp%tCTcY^n%*;cI?1b|&msf3r}x2qBQIgt86 z-jZVXlc=X&cbBCqxrKT)xUlU;rO8xxq&H!_*0kOe!JCJ}d85ent6k@QiO)W*9hzE= z+0zAgmisR}w2w?NJ$sn%GRAIuZBj!}Qj&r@eM6RAKfX*anYLoeOtR_{r`gJX{n-EZ zy4gW>$Tj?+bs;!)^5=|pL(+q0&!<-OR@T6fpUF)0M&gm2Tx!-q>z4v(i{&P6i zTFklDysqnv1gdGua>;<^4)T7aER)@hLGFae6`?He$Wsb^X$raJJo z6)9w(p|N3O!tgqfgw!3tfMYDH@#QlDZ4Qf5*tqs3FZn(vjpdUxsA*8aHj1E|l%DTB3Q5&y)6Pqn|(YD&jg zpJVIt4&z`BhALUs=`|kC%_pyR7(W)iqrsy2TC6~#Ucg^Luy?^FDm}gpR1&AYrN}%J zF|F?&+jFUaw}HIk-FCFT%m_+_#^6RH$-M#t4eU!sa+0ly(Dq<8QWl-ACJHGwUAq56 zDuEcKESVzBkK~J47N0m{FTV8+c6BG7rEerZ{#od}Xlo!btUVsg7qmyN{>pUuzF&EJ zqwuJ;-p0)ru`VfOhT1B3yD@cTV`XEWHLg@iJdF7k7Ug$&R%~gmfpm>ST$Xp*9m|pO zju$Si7L(@^`9@JerLbB&Tk zmX=)NH;>M~noioIE?<29SikLq`_}76AXqSx{+qleV-b`KA%XNbd zs$xfy`C`1Sjzl#Eg-YD#9{I%bR9Tu;?El&dG^YteVrat6c7jv`$gjP_KhJDI7p@#^ zBD}+X4eO)-k-|WMN+eAu_o6OTObw3s@A3UiX)h^y$A$Akt+w)*#a(ZQPaJr1gWNrz z-L~ZPXRSzE?9&j}r_ya4+SX^$8pPtVqz&SmJ-kbCR+SEYODz(lmAX$`%MbaEnU?x~ z{V0CdsynTl%0St^<%o`>?dm*NKjX>&(9mQ`Ue;C6OhyOHM9wnW*+$xm!-Cw59KkAG zJMpay`z0a4CTexYAy$h8X-m+4<{Py*fPm4#Zt#Y)a~GAC-LdX%9^BL100x8nS9m$# zYPwgE8^9dvhb=L|wXM^Pm`o3Rnv1U|$ zI~M-B#S`sW!Y0E%cN#)ztO+=%F|bH$`fy=ThqwBkhslQ%V`V6Z<`cj^RXD zPPn&}k+X-T`7{>v>0OS4viT@rY8tIp?suu)9gBF)`k)bEwoEywN=P2D!7@CY(vKZ2aH)%^UhGtgxm*`ElVHWX9l zW-6|n%g2;SiR~m8m5p$(cc(0~W#E|5Y9+Xq%I3y) zd&wkeFA@Lq)@HVGd=suvRV%al(cWs5x$0w_#ji47IL&o_KB35_9)Fu)Gk<;5cK*v4 ztV6UfAUdEaNc}36PBX~OFU5V`cZ073#09hOS9>3qJxRKuRX}j(n%J&SLxPpuJ-4Zd zat1V2k1^n{$nAo4$!gX4*)?|iZu<{}?2DDK0>?i7RqrVNOF|Ajg|s<7LYg$`bkE_erK#ZoNQ z#X+9bnP@ApOC7Ej9EIJ-Mu=Pp9Vuy+!n&UqKfW)FHocaOZw(k#p2KXNh~{?`S^;r?xP&Q&1ClyyO{* z1ahC>V(^ObK9gsEUXinUtup&{OP7?DV5nJ(vY-7!Hll*F1TOwV6KFV!jt8~`CViQD zr%VZ|!S3o0MQQv;JA{QjCiF{qvpJu?geE-Ic!(-Gbtk@cm-niasP@BpGi6I%O5AS2 z+bPI!Tg+^V^Bu1(`U{+-AU?B5mMZjmHN!8rEt-0cL z9fg(`89ErTR+y8wEITj19Q>e{XW}!agZq)6;j=4WMKksqkZC6-@4nh7B#z+-XtQ+1 z$oLm2Hi-6C8@2jpb;Mf4c6}fRTu*lg9M}tg{0biVZf*Q~(q{<~H!)c3@La;FxN&Rj z<-#Y-=ay_Rk-J^b@bU4lI8N&|6+R*~j99#cq-cv%umYAlsCj*pLDB?a-4^HGb_6k} zVoI!I**y-E`_VCzox7gcl=@~3Qkc9x*#4hB;g32KUuWZ;P9__D>Fry_I2gVI*4?&N zM~zv_mr$>7u+J4440VfLJ9*2yae>Wfl%vH(cfJYtM!anTF21}dtv?z&k!|4f9es$| z{jW=nINFKH-CNDlBX(ytmi6zlpVgl?X~9{wb{5{rIRm1u0_W`yTgLCC1aOpN#HUlb zu$X7v8epaWNU@cZ+(oOW$o@j#2C8qhH!Q%>zzULXp$7K5lZ6S zjHW;a6fLXa0PNtfLfJuu@vB(bXu*F4$w5&0eqGEev#G#et+!lGO{Mz zFSk3#b!!+8M-M_1-2GCd&!Nfs5ClTBdm~mOh86drMZtJayGkFZ|8r?%Lrv(quq zpbaBlZjpY#@$=$=Fgde58>0SEt{iQSxh1Tu_rT3t3za@(gqA63H?R4?R0!-jXlv@Zs>m#3yD}!>bf={vqvd6P2s(uk_%%_%5f1(- z&)!Us6tzKF?LILkLHGJi4ui_iq)sgX?xN~m32mh=Ni=yT`-I}ZliH*+6T!w7Pb|z+ zDhi@UI&B-6bp7wrP3lHJUd6V@Q6V61)ps06tFN8%0t9P-kW<^tV=n<5Z(0e~^s7X( z{S1kR@3!bd^-=Fca9H!DHm&4S3R~9g9EW~+i0)#cCe^Wfxw*^IxyG8{AGPf7471x`B~|BuYB%GdLJG@shwQ)dg5RBLbYsQawrUp>4$xZ?(xjXT0}|rvxOP6%{#HKL z?q>C04H@f>v){c9^@dCMB?B$l(#i`zRHouj`ZKb=Ggv`Wt&BJ8Sr9XJ$Tlh~@u;F& zkxH?W3me~zC+`2zT{4-xlx|M5dCAvWSW2OeH~h`hpHz~di@II$^9VZkEb*>Ur195( z`IMPxtogP;ezTjP(e)}^4<@6-t(P2wi=PtLS(w_xe9{BkI$uju@zBGk#waxx>r*8V z<%%(Z%x`i7EPz!HLRS4?MAN+Pm)BX-70F6tT6AH@ zoRTWxRN(68tZT>twJi-Po)W@6`j(t%3mz&`HvOgcNQR1?K&ON(-aaJ{DY*g5d!{kj zKvs8vGA*$0OG>YR)0y9PPtaNEDZq*6+Qai61jY^7q*Jd~cgnSOmGUeo^nV zKVP;<8K6}>E>3(LfIi-+6LI6MVzv2Da!g}Ax5+g$8D5EF;$);7UU(K)(oooQ;i?_B z3L~#%haWQ#gwQZBmEzxs$ERe6IzXO!&7bUyz&47ZqQuhdo;|dC0a%(W)61vhJxYw-m^iH4-LSH@BZniLL>Z@m@U){n%4JBQxTSKFZ>15@kJHA;t z-@(Ksx7@GxI`A_+_s`K#VO)yx*4%~bo+G_`1UF&DdA5U(Jw2MNQ}1;rKt^KY6ItlQ z<%WX|)i{g|yUqI1T*J}lf+JBml`VWfV?$_PxzonZ4r8_0ow&}W6%?PW($x?28;!6H zCQB`!-_Nq&mZ|wB`b*Cb;$uM%>$Fk*m_Y7QBtsRcHJ2ZR&^W%krJHXJscIAatuvKv zhMz=Qz<2Ks>KTEJ$-+xsqUlO8{GJl~5*M_CQy7CQS2i^@xq%tuQsYYwzKc7fkJm~P ztTX6&7zx+CG(a~^z+&)*by3VTm=iySbGqySy7hRCh1!=(SYb<8lB%X53Zq4Vu1=Vz z6BDFYF}$z{(Jx`FZGu)jJR# zGxedZ*}x6Wpckve>27679#ZX=UTk{WYFpY*EPBMx;>5X9G(D`h@RDg{M0UaHNBcaC zXl1t@)(WZ*MKXkHt?wC(JT3fXiyxbzL5yQ8kQPgoyTe^@$@C$sV++A}h0ZG1_}R!W z<%7LA=vuY3mj|UNjq-~Ea`RvR$Kmi=f&Qm6h z;rr}%2O5#hYc;MTZCK>&HQhbJEXGH+P-515H#QHn#Z}|C!j9vx?RY^m-mFYo%mSUg#7Oq4UFlf9CKNy-bWRwWv zy30~>$Y@BTdOVggJEn6YU?FZn`%)q8{j@I))=9#d=t{D-WQqnCX2LWYRJz??kE&V? z3BnKu-Mn?TDCK3>7p6TJc{>{sudC^bN4xj0`EedGY`v7^J$!Rcm-Tqk76N2yTEEtP zOP*oCK!%o{8D$d z+hXX8@tCWtu^%j>;g#QKut6)jVrdeWCPKu9Mzaj3_^RG({aSCN)^tP{UqzzZ9y#lo zRAtCml{gUg8q=3PlQn?Ph~W1GTgi#L+aqKVmolp5ZJ3MV{H%0cEayTaqVFSCT99Yz zX3?YJJeWfG%~RbAL;1Rrotx8*^Cgz}@jQl&jRp-aob&sI-1UyhX~c0^5?>)j=JgsP zZUqAu67L2HKEoaP9+B+`EUd(3&8p4<$)Zynu}8!PZ=wO#LC2ks#jTru=Ek`>`>nRBJ7AfGdj; z5d8wdS&2(rCK&F5HjxU$Qls%-+e!Vo#~gR4IeVo+!J{zfLy&of31 zw<^xiu>z5i-1}J3$belRrH7fT;FJbxu{qD-OwbE8(`gy<3j+QV7-IL$e_0M39{Lu@={&5B6i<1M)zQV>QUa>5sg z??lK;snQ)&tfJS~^g<$6Qy{T4!*bARh(4RsTe)uttcdRm;itt9>#_IDI&Jzo-SjRz+F#FEC@%3!i9J}0 zE2fr=WD%{RZk-1;^k>omVB3G57COJpX9z?pLMY~R(xT}$_mrgUMhZWkNMA*&&c zt3_Z*4*@i$g&8x&X4#sQN!Te7d5N2i?>4WmaW2PV@=bRwSndq}x!haOb^pHHSM)Ss zxue^BFt&RcRJkhMfjcEFim|ctxY|Aj8n0$U(lSE42%>>JRW}*{Inb(A*2{PRzaQGn-y*7Og`0dJbA`dn& zEx@hB#|dj_EScXoN1=-+r8^ZFRv6x@=|j5Gc_B%khSV7!LZNIGH?qH(ZCvy6g$~9K zSBXYX@6&HeyqOgF9^JyLD%M;|88>KnNx0GlRhX|dddKyW;%~*RK2HMW*D81?G+*SX83K`G z7$3F7+}Noa`g*a1O42Sz_)}H;C$pF9B*Kpp%4YhV+})Qg-w0cZgn8k=eAhcD(wFny zGhI1F=jT(}XDi3O-=Yr&ezCti9e16#bKGSc^*V0B#!WR%DJyJ+nVUv4dv%KT*>cc?_P^Nwil%obUpiD=Jbsx)T1iPw}*%;Us7V-kgm$97IXqg=&xgv4tB}3j%F!^R=#x`ytpwvKcVSsR zzjBOZJz2_>8V^zB=G_Y7A3uJ89IqR6y8rCEl|kPv*D`9Nh6xk9!MeMM#79V$Z}cMq z`aPU}zAz2$Ont{^HFysy-4^)G4iplwEjeWHv=mEt@TP4J6dJF7|7Hvmy<^`&Om$$O zVX%c%`G3*BV&t`gs8le|3PJEr=W)nbas!3$>^mf}x<68qc)V17X>*y4sXY zI-F2R0=^OEMyBo*hSx5}GknJSYnk@+5UM)Gp`(A5z#b;dAZZYYamPhraX^(|s&2n#|YP2$#a1x@j z#cgQp4j;$5Q*wCMM^n?60x&7is3kYs%&XGZ5Za4RiQ3fjp3Kns*tLD^kPh0 zcwF6~Lrj0neZ=P6=A<%)eW73^sdPVK@^$0fCq)6a1JpY0*)i+!Yj-~*y3NeNPJGVX zo7*e-9obLO+3{goPvXVNq_gO4i~iT&o}7V@XLscYE9xowFBiMH2;I4gU(`0sm)>ek zF9MhyoZ=R+i+7yauG=KAA8B?Gfta>E;N^l7LU*3by}1r_XL!56(bIm%niTXymzI0z zN3ZX*<1BYc^lvm?eYSuy#jLrRWz#-d?rs*3KE&2sD7Et5!MHaU;GpaWdv*&hwcAH*(Z>c+pz zghy1wRIFn0MbnwtSv{EFBRFPGxGpJanZ=jGO7Wnx{Hc>ktBFZ|FOdE$J~vSoXTuy2 zzPV|Oe(y&~GC3Ru7hBh>6cwplm`X<6Q;87_*Ea<4^LG1{-{bqbY5=V-6C^KwamChn z7lhwuTpiib;8@CiT}h!g|Bd4ukt)X9L`5@2;IaHx`))H1V-Q$5TM-3?$}|+H6$g-e zfg+6ah+oE@a@EOX0ng^@oJ86HvCKikW)=LAkV*}#s6M8NkFjinKU^-kZ{7W;^bgr( zdg2_((;92Li+3LxsvGq5ZE|iY^wjngNY2gFC1=eXjHTFw50@^s#q-Zg5$Y9 zil&#@0fgCO8b!l|R!uZxru}YQblgFEu5VQg=i|QWkvk0UBpI}-$g1^RU-zQ@M+;FI zX(7fv(hE6d*=52s>?vZ#Tz#rxu$yq>lx+Q7U;1oTKvS`#W_O|}=euyK)6B-k?#S^J zW}K0jP)9OD8pA{I*&MPL9%_*_Ap8^*^N=We58ZHS=Jgo`>>I9@I2z)c6Dw$@&4$$I z!bkkSM2;Lj(`^}!++nCn<2J|#cmaR;f~lVyP8$qb6iHf4fCp7f1` z{lNoE=t;a!S^3HzFQlFzdHT)yHiqQj;Z6OX>}6BX=*A(`TA(%9XsMG<_k$kDSH zd+p3G?{KBf1B*DuTseEL3)MfhJkjv3BvZHh(ghr;j}c&?mQJN~f7z2V1`nrwJKxaw zp;NL0o}bHow|E4(v(zbe@g%}pje06kY(-w7k?;zS$?~4XR&0ML zjxQlPkGp+Ga8dPg@CPr=+x(0-XsF`jZzX81*W5G6)vDQIANl@-BfG|BBZ_BoJ#jZ?9z4rP~iDW8Af<{od~ z;i>Q;j|}hiu=P`6UVFl{KkuzttBx#o}~)iar3=M#&m)ZOG5dTalSVMHe*KN zzM`?kGV>O}Co-`ZqPy-6;}lA+j;BI{J!|6z^}N^^0=sd z5A|dQ`1yBBQb|+C?Dh6eMDjw-Ogm#!Eb-=!|Bc6URq$Az;V(MF1hyZqX~_kte5C z^M)^?R`D|gmw6^6BlZf9IvUM2Ei=p;74%aGqtafnW@PNA*nj1X=3-aixuYaHqk2^JnBZXlc0D(_@{^N|COrzyOWWNd2}T*sqsMSZiR=3b0Gp+eR&Djfxoy3_8*Srnvgi%d*$N`ZSjGfxkH$jt##u0xSM{ccPcntOc z?hXd%zHIxTxC!@8#QUWhD)g6TS6pU)S9BI3oe>&XzuOk^sN$ULQwtT1IS-B5vsv6= zzC{&dP!;ID&RP!5Nox@k%6$sbJsyXbIchw+&?})~YKw*$oVTWdTUUO44w2!Wuv+Y{ z7Ykr@IcW?>**v1|kT{fLWuo=FHN|bb-AAmA5fn<4A-=Doy&%Rkz^~WN6mg!E%D45a zShQ#Mmq2Afh5$e|+B}?p+(<3=?-Jp}J?a%Cq(6%1B;&-H9+R3r4E*S<+Fw67yj$=4 zJ&?2|zdN)reEpby=b?EUQTv3=ix{n%XQPP?74xG7U|u*g%{+BzN;XOcprrJe zY}WZqgqJd3MWFjIAklbhttVUcF>tuFjHUcI$OCvdds3u24$mvU88(?Ko*g*Q(&lb$ z-!XR_>?RMWtG8>LeJ>waIVkRR*Sa|&{8S`iwPamWuSs@=D?bmDnhoujqjt%@cd76b z^8$Y*z`K2kcB>pT@FqmAt)yh?^Neam-ibQDb~kao3R=?UcPs4(ts}=Q@n!#(UR)kt z4L`g&_pi@l%#9heE8cxr?4l^uTAA=_>lJ;s77%r z+|_-qx1VOG=k33fB>seZ+0$C$YJ#vo{cN^8_0Zig1B?`V-<9Mjqvy1}k2<(r2W}Dz z&Xr+ZNg?Nd!tG%V*>n>ZxIEY0j{3NT ze0e)yxq9ZJMfylT5M|hDsde$__!-`hX|P*?LW&$R>kUzIEcf(i#3S8w_|Vk7)sYN( z)v{FmzI0n(Coq0pf|ZxC@YTOp?e}f_qWHJHaR2M5pyfI%p&RncIHRCUot@Q0(qGuQ z?afU8u(n;g&vbp{y5$9#|8k$mum2xkgvjsP{)@p?F#o{GzAg8<O zcfRqi24HeN`HgOP;~mL3VSl1@q)oe;tyb|0gMfpP(ii*p10v$_Byu?y>E}RysQq|b ztjhk-jP-5jeJ3-W4zXMYJwHPov}-m0zM3aOSAU$Iy0WUWp#_^Z&y|#fQm;8IzrtK{ z{o9lF@7MqHf8#h%4ys(HOr$dUXwQg=&1ti`lGPO9XR;Iwv_oE;_~bQsmmz#yk*_-G zAOAvm?p9r9x$KiVMQ#oD6^MzNK9DsizKF0~gw6QTWrIqJfGfzuYRXj^C*{7RX8p1fi9J9aS(9-Nx()d);nY!-d#w72Gg7s^X>wxm`6GtKUtm87p7oS4V6rVxl!IkRVN0ZLZ)l0psfr$X@dL5kfu$4aN0x99Eef*BAzv{*?v` z3BOmD4@o|Mdh*Jg$BX_M8u`82-fOygD&3JOX*CI&|Fft1f1PHpZ>9#imjVuxMW|5S z>9nv6j0ow-o{`)Te+{&nz-RI>70uxY4%2u~?1vZ^Lneo$Z<-UT zzPz{1*($5>gS*}AJOJa*mWgvWg)}*ac|GAK6!NEhRe<5c)JC_;>9cc#Dy$k9Y7s%Y zU{KYNZ}`&VainyI?CQ-s2Bf`y1!K+)I`4F28A_bq0ka1Y{&Ht*)qmhAthz#W7D1 zdpnrtYwDEH)UD zg#{#9XgH!EI*#;nc9Y5*SRY3zYEQ_hRc)(Exe8Yn#U~S+HIe8eEcZvcKjo20_y$gK zLPU#<*s&zMDtJ5DF7uFKTMJHuSsY`C5ld|?++of)9nutq*f}1ZNykm}0bu3_?EsB2 zvV`vz3m=#TCVbok;7i|#aa9&O!A`;Mv`pIZmr-q zj$~b0c2rX>Ut5PdL{)V=ne<_zJU&s7FpOo#?zU|+`u|#g|J%Uw|N6jsNyH7?UGlap zx&h=xMR4TI4SLRtSOrlZdf&pKeHrHm%E|5ke!PplNTcD9tV4Ol)ZiUUTEI3tVRmQ-5|M@Q@-`QaJ}-_j#JwYqJ`uZHiEtv zDD9>W5`IX>PdAkgb)KJpt`QuK;-Jr18P}>d3|*F({m65dg&61~j>a1NR2^f0$T9rZ zwCL3b=S=~m5|3p_kJ#b3j1t6k2zcz}?`o4knywFC6x2aTc(Vj` zeYzk=fXZYLT90;#VI>g%sCEjHVB6dZW4CT)QILGvT{+n2&9t&HSyzz==;}0AEZ&!% zXj9;Yi_h?b>l|^|`Aj0vGU{Qv8=j%-8p@DOP-cIxvBaFmlini9^`mh2;p9_)@&Hn? z{j3aA)3kxzX#dAjmbQL>xW=D6x$>!9LGUAng7Td%S@L&Uh+hJnb*6U{R2Fq0%I*b! z_n6{Fgcl7=qV{*eG?(lDk}4O_@36I{5i^-Yq?JCSES!*Ech!QgID++>nbCG*DT z%C`bSzZj0G#_rX*lX2G;-J}=?G70wEU>fcE3A%9t?DfE{unsE4mevyvKmqrGR^fh1 znp@^5!y(ro5cJJOeeTwMgtffyEL1A1!2QFkCZEp-bed$V5W-Us-3~DAGFS3Z>e;C! zOkv<>US>JG{}kqDTkvLEEDx{L!j2xFZzmjPN1HPBiBc(mG=9)FfB6tQn8b_TC&Sfc zIHZ7Tn^b}aN5L<1tQca)ahm|lKV2%+q|PdeIU%_o%g1CwdeA&)t-yAD#>5eFpXeSq zpsJZm2=ktwm=j`fKPSAU(;k_GR3!@mGTsN0baEnW@=q6rV$XI`o+R`m4ib;XLhPq3 z<;yz|$KDuPIJjScO>e4hFa>Hp%n?^`0sWFZW7`B!lX%nYOk>zNUx7p=(;mgHh$wIn z?)0z$%#JMer1-f!QY~;~1t&)a#0ftwvtI3d=~70};lnW{L{7>IIz4hVtNI>;@k)mm0IjNE)+D1g z-vNgrYB^yNS~w7?gFtc|uD{N2XWL#I>5+U)m&5*UWP1Y)JR}J9o=xqL z#}a5>aRf#0`!L1KmtT3$4z!HVVAy)RCksq!sN`5YiOdfTL>>r7NNV4&385EHcQv?e zI_D8AmELG@myAdd`N>5a>fO}#AI%c{SqyREO7JabYK`#6z{6q%cZx^!Ac|;aYAei% z5GQ#6yHj@AQhJ8CB-6JF&@K7YXcim&YQdXRgSOrC_o;VsToErY-O&u12mro=+!nXO zY$~7t61wNyBNE|^{JN%QDZT z-NmFx2|34NbcZk$6Hf6xgbQ$LXL0IYMd)&goFnd(9S5(v5s@eOd0i^B+0^_Z=m1~h zn9Vpi{82~Kzv|&ThI@AvN}@mzF}wwYR}ut+95bQQQH-~FgJ?G~{#t5fSh zAswT2J)@`o;@ut11f%5c)q}1o?aSxd{@kQ=%>15xwnRE*z&Rf+8^kD{lHaq z4w33|6CQ7u@cQ?J*)xCI-vn$E$Ho>Sx3e|w$5mZsQZ???QkeNfZ7n$K54+xsH#1+N z{VO|KF9M|sV^u%zZc}a zHJU-aa&()8+LXz!mw$>zA+s|@AMz_!Q^lLgMd0^-S>brIk@!8c{&XGUJ{d#n${fb! zAID2B>Rm@F`u?!x3?|i=5KdM(x8;(&mI0xT-zr2EV=9?1GD6d&xPP_S7tZIDhEwK& zQ+t}6Bxk+K9nu|eqKYslZ0{{ z8>CK0&tX6A{_Y53+q8Gtr4%VKL_Buk+u+3)Y4a+e#G#q81Bet6>#`9R19q9>mq@Vl z9tew=(y&B{5t6wGM-cN9S|&BdHwDxm_wSZ`>|5s7dV23q<6`mu;l)yEZ(M@ivNm`wbvsOfcy9 zZsh=r-XOxl9z;blQ@IK*c$DL2t#n7Ssng&Bx;+Q{#2BVF!`@Vx2zyc?A4Vc=!<@Q6 z8K3C_l8PpBwbC9;(W6^rBQP%G64;uU^tG{t<<Fi9Dn?sy|@?^oIX(>`X0n&0fIOD^OdduF3t6(7UY@`KisTSAw=x0 z6SV!3+7iTd3CMm-PR0!}zc@LV_Sf#Vs0Dy*N`gLkc(9pze)_r=&ZH#|rT*x9vzWxZ zqrJsuv(L$i)VGm{g@5Y{fEg(cA+BTG{B|>{qRPi`RK3_p^<4Y+2rk5Ywu`L#y&Kn4 zER(^saXA(KaHMC-UD0mbDiuxf=#G&BKI40KZR0}W+nG%_h59vTJYluI@%`s&O(%FD z*1x74HhoJl2Oa(5AAdEL7j4?Is&5wfz7Ath&;AJ&Ug<0+pw4~Wa%(3O64Y?rGoU_9 z2u7E4Qn2|LP{=%&+t@>dzPJogYOhX|p-$N;#0a+T+UD~=+nJEsIwhDEeav64T1<|T z2hK+YSJJBUCA7#R*9S%7_2ud(d7hN&BO<5S-`BQuAMTG<=A1;VzOx$r$!9$yE#S3Wx+V~#(?_4OpwfQQO?k&y;+u81=n~I^WxqKoq1Q->te#B=$y#v z9;)4>hr)3tcclu3hW6j{<|edZrIBLrQ0xkY2(*Yabvu0LkDqW#@DY=*AR2v;_NT#e zT)~ys;mXd_yC7bU>W8J0rh-2j+0yFS7R}i+L)DSm4bV%Nx|aJXNJhi0vO}I>iDIkL zmj@^;>7VKZi2xG%K%*AXaeP`oto*P&xa z$tX4YBXi>ujnl(mC_|~KF~JsMluf5rKKSFY<(vQ|pUtWMExQ_qZn?dIS&F=Z10QuN&< z|FZ=9-x>Im8_p6gw`krEXDa23OWlm65lLM1?m>uo{!2RHS= z-BH;f*G=?R9dQ_m7`MtEjhLlpmmaWsE(ro&|BE;x=8za=yLS$EFHy#42LE{&bg{#@ z@=zzqx4P#nv1fT zJkfLh0{EP zV#>1f&74ma@Av7iG|$$9A#&6bCdb5I(4~7HVea$>ac6-EB9B}CMcH)#Bw~=8h3Y_d zBApW+he@31(WD1)FW5`Bm1c-2*pw_u;VhSe-%9HzaxLYGBUFzeGY0OB>Pr;z(A8Q27sH+^|*t>9K(IsDWsOoR}T zJQMm_mIEQ6HTbwy{Vcv9Md5B3V#p*;^o7xEMnr3&3hK*?Z)S({3)4!Tkm;#klULo4 zy=O=JGoJ*5^O_ZRZ9NnRo?_4H_@=wIWHCNNg*^9}`Pck6ii$pRRH8UsVw!UIc0)QD;bGyC~rdoY@p4uKYDiV5Vn z>4*neU$*MVqiTGZ%Rn{+#LDUj`qc7JFXYBb`7ON$wn6z`J!#VNeInNPyGyfob-hR? zkmChHuylZ!%-wwmswH8=irxO?AxL_gey9rN)e0P00H2kb=~-c2sIrlsB&4$H2$L+* z+!Oprh3HgD7%A!AQ9j7Wll2V9u&G|{&x*>!5Fdwtm>@uVEeHCBo{gfL7BpHrupy-? zs@V!&#hUD_bU2P?=BKR9hl=A|V4E=$cRTLKX{bI0nsa6yZbCee!FRUlKX!t9X%=GD zG^A;WDA-pSAc{n^(42WHP;qM5UPpW;A?E*V&a>ocv*ZAVmF1>NAj3wAdM}{zCC)nC z=+C}sAAlGbKELk0`uhD$K~Im*_XRP6!|qNk(-;iBrkftZ(h(fyzY6Jn(p_DSZnCzA z5P1(9g`X&u8c+LpqgN39p!&&;k?z6rr(3u5O_cOZjWuW?#v@KtbvBKJ*792^bue`! z%hVQf!~ptsONfB%8cNOR$Mjvf`&$ZG>OiHQ12Kb2$Dp*2dA+pa*$F>4mY0mqD-s%R zNuFJK?e|2x`-<1^p9+1}EI)$H;wWEdP6dC^%XtNwu4+Q`n;#LxZI~#oK%E$U=?^j7 zx))3{g}%14E;byu>*!Z)2h=@dlkm22m>2FOysXm5?v3a_xnW$uJa;P*3!=B}sjUu% zsuNiVVBwUQJ4*29)t@qb0Efxmu)%Oa8d4W&mCvpRY=tt-^Hmf7EX-ApZ|rTOBMOFOk>My?0(q3;`xnwlmJxN-=7 zN#VErjQYpbA(v{3J6$3;BL~ne?1LS8&i2zC;}E!o_M37(3Mc&KzDqYORMlzLsnqlk zMjS|AjnkkMFxyTq6a+V%7s;scbc|b+{*&+oq}|G=@MJpoT?qoM*Gr@^ykVz3oeO29 zYDaeoi+WOn_lH|UW(ckLQ95R%F7#Ang$XU?U$bg{a_HdMw;{4Ry_-nCxkd0sT7O;@ zP8Nq(FaUtHbW!gY0~nGOlmQMU7;nz~iPX!7VF&^)l^PyVR@x9;+pT7NQiRp9h zDO6wYoqa5)1A$a(?dyeM>JRV7aL{m-EO|Gr&J!gwi0+10`EqoirqvY^IF<%R3r8$> z`-!RIDWYB8WnVfm`P!(`G?_!X=zt&MYBXM-UlXD>z&zBLx-B2(+bR$?f8|fV_4r$< zNI#dLRhnt*xqdMAi%;n>RgjdXLq#(kHtrbb3D6zMK5C%*VFz{z+uV^qqu4thZD4bH z-OQ^^z;lqwZ-+6C#%;S}2>ddj?#5#w2Se_%k5>zV5Qnc@q>q_e=ya$WPHYyF!h&st zLpO@6P9=Q7?tuB?=7$k5K+lQZ!0pJq1(QqJ;P4d(h0sU44fw`3dK%{ts(AwCB)s`I zppofF>~Ufjt|GIppue^trlN{!FSa6D>D$L*c9}2t4SD_Q2_Vt`^Frm+jZ`SdM{5SO zz7EH~d-pOl%+sGu02M*u^mu>2>;w|+)Uk^9jZ2QaTKz9WPICZy<|+@RtMYtuvCve6 zDI{w7wKcgbtkXB>=0$SJIJi1bEdl#K-jV2?y_nmw)UwImAU#`Yx2wGwic+4qdWg8? z=k=?bnxlp96iGV(N-aK0tT&XG1cm>oljeYqSlhX~h#E?WUfB6HNJbdLS|C@e%xWW8 z!2jcfNgML-(5(fM$0+wdb2*a;xF?PY4WfdDW6Iv378Z=w)4TvLS~+pOxQOY-ed@8?)fbQH2+nq(YAZb|?Kv{hS%}5yO zHquLgYOQ(q2_-^kpfruS0N({F>eq|UKD{4T`0$qH!k;dv`!`(Sk2A%|pg`5=iTrO# zhhTq}vhI}311rwWKqPoXcxK3Sm`k5{1hXKaN%e)x+s{fD;u&OyGcs*e{l&Cr<(E#q z-j9dcRRs|LY4u57;bPw_Xc}pe6oCQ;n4^&`!|F$u|M*7#Bb=9Rz5=3vl&5wDqHYCG zN&hrh{d?d=Wr{pr2Y)@_{nH2aKXeWsp48u{W-Qj^=(+a)>!*5Rr>aeDk^c8fy?@g= zNRms`67-ZA)8L;f1MHCJ^2Ba`%Zi}o-kB_cZwZC&_g`$F+TRO3H?i*mB3S>gzt#si z__Da_MYWT}C*oW&5u*-?*SPBj1F!^Ce0XQ%t6a^?LZwQCsnaz zP2E+vP%XeF)7M|3WZUu6i-08M>hE^{o4_Zd)-wp`<}ip6y3OKyS-o!8wxc244@LAN z>1q{a);}1FdxZ%P|Mq44A8y&`YVb#mwSLQD`R|tcxMlO`^9(XQXUA?~PK{rR<&=#I zyPmvR%QWr_6y%%9%FxcBNavr%z&FLU|NhM3v9*Te7*E++roM5ht>mk(K|sD$3>rVB zHO5KHQT0&J|IXIl+g;C>+QE1B)Zu7cNx$a*W9_Y@s%+Q2(N{%GKm`P(R8l|?B&0=3 zIwV9&kWOLJDIyKhos!Z5(xuWlr5luHQqt1rdR*V$XMOv8`&;iG>-^(z3{hduXWsX9 z{gO*+GpY^ag(zZxYC`*RA-uEBH!M`rPAfR0lwjyO*Q8PF#G&1|7y9Sag>aFYeuM#s z45j{P&u15@>Asg3%F#5l-4IFk)$+Tg(SNMJIpg`(htyGiFbVZTA6*Kv z$7i-xq86H~EIX7$5J1a=;F5;zfO3*T0s96ps)S}su;ns2@Gt6qzm*9vWe)V1N?sLe zT1*9`Q*x4f_SIu3fmc8_0D0x}eMnFkkNuk2ChP&tjehT_Uc-K$3uW<6vGvg03R;1P z*XP?J89WqU%+Q_>joe!SoXy9OOp{op+#PUW4D85w1RWV#(NlxF<0!d-DqGXi0Tp#e zv{zd=T`p8i^Y)9+G+z6JsPSM8l61&}WdfKsIX{mP*c5Ki3;JDq^M>~<^JM5cr2lR? z51W@yWNNwYDBGV^4ENtmAcZb83=~8gCNS1}X#>e}?SCL^qVNcN(0Obgo!H+)w|A9a z4>d?SC40E;9b~Ye=~y!gMm3oc%XubwPZrnKghQ$YEvtml;%@Aj&U@jR**+HToOB(R z+t~q-}zU|`)RxphsTj9t$)xrNEk}9!4I4;?wjAfev}@S4_mA}x zD1SO7X)(uSwv@3AjDHZmFi_{}TquR84$uPehbM-6JBW?=vT2QebhvHFvDJ087Q2<< zo^IV~gz|J=De@`bKZRl#CC>|ZoI{(Ujh~SGQ6;D_&t-iORResiGVsauTZB~PXK92} zlm;u9->7Um+X=*$+!Yttf7?5Q`36&u&)}+56w@X4PTPzj{nfkJ4!uOYtt~l?!@GGU z-HI@ne?rs=D;=~a3xcO=h{y`^xjNkBJe2_#jGIQpf?Wi@x)+g}v9wik%OLeMTJxEsCulOVh{qJ|fKcDFTyA1AH z++&9;eczQ0c+-gM%giQ3TsfTGQc?yuC8pk_qxLih{LbOxnQ7Cll?tGv)Q42|aNS7Oi4X)u$X0RTiCbWDMr9n5Dbz<Ea7Yh2zb?=MjH=AJj4tao=0r}n-K!iYFvfkGwl z3pL)o#$uQ`x;V78ZT*#NpAsnBAtp2kBM()`uI_ z8USDMdunjsxGf)hDWd&WIa{z$)M3ya(u`*TRT3Xp>RVI$qyA7AiZ#{=vzPkvuKXZ_bXurc9>g&ZZ*hO z&hIfxbxBpzR@v^I@QuGcz50u#P+vs}p1k%RP2Dx%4#8a-YDkcCTYt!5x%LEg5=6-5 zr;PUgPy`Z|XiHs`8ZEReF?#(Oud7bS%K6_gyg530r32 z3fc({n6%uS+)1=EO{-e1uXb9{4wpH}6PuOVC^fbG#ctLyTyCk29`i|5Vc0+6b*!wVRg#wr8A)B)TGL6#qyQzrBNv6}%pqJ>!7oec5>#f#I6-_@fB6*lDeb*Y zmtS8mU|_{pM6?Z?fy+HmRZJJSmRC?`Vg_Af1gli&quKj5p z2NcX%-NCWxk|chdc^ z9#bElxuC&f)0?R&HBjN`TKXfN#;Z8e*?hA)Iop0JPSHYux8aQIE~j;e7&q&+lY@@) zT2Um)oeJgJJ26#j1!r<}!kx56-D<1hk}n|sf%ybuYe{GgtYkc~RLEuc9jl=3z+{Hd z2zn=w5#~b&CXgBP-PX$H&n8hk%rS!gt>4k^=9@me*@Mht9-9{vpxwxzmK8)vo5jvU zo_qucSNuQ3-~tO+_dae0T;{K)Pg(&J9sn>4kEWS;)N~rOtV+!fhE5gIp;0IsQrhGu zAhG&{f!haJzKkzb40=Jam}eEFZQk9o{xDQZCuV#E$|-iSN^1eo;@d(AXbuP?g^bs0 z5CHQQKz!s#G%GHEBuNG zPWQ!DACf30wN%Vd;kxUOAK)c^78v@lMhWZxG9vx+3{J0hmPRKg9(y894wJn`uCYO? z;j}$!^zoog{9%wn!9>eKl7na>YNSX@F?=3J>DXI6mnOjNQ^{;&`KVJs!j`^ZUMqK@ zFaE~mj0Su;z7KlOQq8t=A;?>{+t~~@bbIrYqkY<7hk{WM{3!+9;^14S(BXGjsoCnr zaMkYzne?Q3Em)a=M%ZL?wr!GD?3trvXo?$w34`_ttVTo(Q7H4d_DDzm^kEWxm&UOu zho1)^H&`}r{#+PML?p*hTq(`z=pXIPjhc^8ZEUmcddgr518Md%zMA2o?eosKOYDb> zx^9bhO`qI;e#1$sYBCKnOGU890RVD~LzzZq7}Bf~y}XHt#ZT zD|z|#tYv}sK%3BxHwn?btd{1w!b6ZW&I&}y%)zTrhEV zWi?BGj>h2a1ZAkO4`_K~SWEiaNz>9@dp1SL)iq`3qdO(`55boSu|#Q~e@kBdIXiN1 zOD6F4Wv>b}(S4u(RTDQOIg=NYo6V0G`iftpjqj2MODrrk$AvXbFV3b|-KQ3F5>^DU1FTW=`_dZiU`9PLnZ0C68F`7z^z8#l5ORZyt4I8EWoiJYUCg z%e1lysehlBKsT^l&^$QcY}ar9OS!}Bh?)*#^UJ<|>~PQkqK4Q}@6^u2`EkjRB`K(@1R zAw(E2;Hdt*ccp~E#Xo2Jf3ckW9}m7r&&Q=Z@%4ivn%6C}imj-Ze8qkj($<~TO7q4Iz~bA5%!C(-)-B|jWHj_lDjJ1 z7CzPIaowDFi9YIgJq?^?wO_7M&-sd{p@$*e{bIzi(G}cTNnUigw|ND>f6;LAGfTWf z-%XqWWq1Cu1S#sLYYA8HCHNL);$9$o{U)sItxP=UPM98uO&h9Uo)m$c<-QKOcy(me zV+Ialy<@9NfZM-l26~}0Gi4J^=;A9J*h6K0>9&#*z=v*uWWbjw`;!o7&oYj(q6M@l zItC!RourL8Js|VF4Pz3xwhpdLXNWkv)B%ZLeO2E)$_o=>YF$s^_WP$}2@W}rQk!>i z$~CcWKwHPQQl?o>VdQX}R7ZqA>tVzfDWQV<#LTZ-j&DPR#$DkpF%E_M(T2W%MI2@E z2OE%%YaQpR!IjRPvNlXDkv*^PDX>NJaDD*r>g${DqIs9Cn3cYox?Lj+n z6HT~5xU@sna{+@74REywYV{ghOK-YZ@e7JjIL>!$eZ|#vxnr99#KXB@WmL$aGA7Hb z!l(A8DqZ!9deKs1L>+Z-6@6TB9T_T$t2@@;v25hxY*PXuU z<}cuR6p(=Lo|Js z9mY8<6l;@qhs9jc@3&-)f<^1NZz|(fck4EW|5*&;OT!!}1%JN7S6mXiQ_JkF<$ki2 zTx&O1{tjg7=i31zJ-1$~sExQR_N+);Ddy>`WZXJJ*CCz8G#agm#{@!B2$fOT<1Ch{{?69sHwnN3cSlFQ|~=DpS}olG}#j!JOZvt z|K&rcW2X8m=iEgovih*d&bnq&tEROOc zvCNtGyxkFDT?;p8W#aUD8;w|{huscW2cSntqZx#~gE`7l##Hj|n$z6EC)@Kzr?%Wg zX>Ew6n;-a7p=kUpfXKh~7a_#GgS^P>cd^Q1Kk+~t%?lfRoUqr`h*kC`nQ0Lg7L0m& zXk)WJKrXQ3w#iE3WxpPwd+*p6e2CBNE%r1J+YIwH=B|U{SC`H)zI>B)!X!7pAH>+9 z;ev~eO~cp&@fqyS_{C<@f%t$*WN5NhT^C-tou-j3ZWH3b((64WWLu3m$UhoyTAd#W z0ri0@Cj8{HW&MUQk6a%X(n&aVYajxL=ym9*1 z=gHiDva+vSZ`s!tfYRJ zS$oG1m!X-Asoy}ccFn|0v&OL6fzIZR_?<~Y$F5T5h^eQIa2cOyct3HP&|LBP(tJZ2a_R$iDdoJAC1*|mnD)%BzCI0n3rx1 z739`9eCI8W=&2{X5E+d(6hWlX*|#|wvg~wBMqAj8zmwE~L0L>U`c+9yo@#$K?rToK z|8GsN|EY}lUz=}=$&KM32c?&Hj`!)bpH&~(i5G%69q=&oTCW$o4gSxuM%PDQn7?rK z~^dl8OQ$f70Ni?>1Td^^l`-#j*}^^?fhj6eN3ya2&06lKU*+vuEQrbvJ% zHu^?7&;ZT1CB5@q7>_W52GayIvZGj&?$KS+h{hQe0d!26k9t>!MPbO#BnS7Ka&Ar~ zQ4Tk7FBg+YS#IB8p5|T#@MM?o43crRRYzm(fBh$%z3Z$+%b{IXWp@(HP6%e+!^AcC zP=tRm#q%uA$5o!N=BAe;oKHgb?|28@XiWQw_{1~)(1NEm(s8n{`33ca>l`XWZYL2m zQGMvF2UNltRR*NjB*$^E8AEtiEl;bM8!OK-@Ffv}ehxx?uQIo=$ioBkO*4fyX=L!% zc}AsTJJ%n1SL!UkZkvgCCd(R+-&7&aXBObY(c}If>hkZt(HtbEtp0l!h-`l^2cnpr zR4#0^-`7eNE%fic=IPdh!)BP~{b^>pP}QdX9b|Rpg0*6Di-4ITX}j5u)r82i4T35M zwLf<{_8+P+JY{26i+`p6MnwAB38)QY@6n)DHp-}l)>JpTm+&^F_k5_Ok8PK>9=&4J z*U!H*>2vbCMbL?IA7a<-C1X_)LT+QSV2Fw*SfJUpt|Ec*#Z4mdwMra+i;Z=T6R;Ge&(m-`#iYlxe?_d?4?o9U@Ks(oq8s6q4AQ=_Q5x= zD>4HIuEW#>zKaXi9!&bo;Qwk*Cp^Gu((@;_s%@6BMxXbi*r~m9g=d7Ok7;Qq9c`xS zq&e?b7oB=SyNV%K(+df9Hv`c6#?D*f67PWv1@qaEyw8f^r!zO)=ccO)ez#D!e736NJ}!sj{#rUuVHB0D8F4gs1q?zU zf6rHUPxHvvU?fmE+AgWoFpS5E=a+uce0N&;u@6+@wgt3j60r7O7ZzrnZ#VSK>{yzC z(s)?;m*;Lt(rdR4(zH?N#{q!|y9Ck;6ub^Pcb z@_Z(lBw$2acU0;#_a!G$k<2R)EbSx*P+cbbt9bn6~trj>Tdsr zV>k!a=kE0LqG9jz88d~7DI(5DIHigopY=HF?EqOFk7i+xGcm?r`wq)GmJIbW<0Ney~^QbRuP=>RCEi_r2 z1lBS>=71s6{qW$oMrmw4f~oOya#vSpg>UL&S@@)*iBz{5qS}-boS7@N>^W{q*cRvR zWKSeNTDH9>`1;4=60u0zmD5A_Q#rp6ez*roHySRE1hP=-N<0MW7OjMg%&`t(t=GlL zbo}MwIlCIKh@Nal*E@(=r#9$?*H8U51N!>*pGqGKm^1>?1hp}^_K*r!X#d!Fli9@m_6*c0ZW&6rteFHY zPbYN@#nP|i>>evJC9e2q|7!Kuk~`?M`!IC8Mb&+4sEM~YO4w~7M38)T&(!=uUf(9U zW@n#^ZS~V&Yqb6`Hyx$vckfET2CO}Nc>e3n_1}WJ^g19@{b~ZuDm}tnKec$T zjXIN{h=0C7OL_Rg-ohMX5J74A_;_QQPiAtnLLwotvEu!1&NuyYD`^2mrOO>JG_L;MIlgz$X!(v( zOpD0&opDQdALxBi2apSMVG;$rN_87mv+HzMBQ7)M({cc5`9gO8op`z}FOZ)A4hinuF(IGvX^2+`TPaN&9IUb2sa!uGg>vop@csU^9Uct%h4|07muXM5KD2_iX zAZf#qFtnw~jS?MBvdlYs-uKzQzsUXZkW63mV~5gg542n@4Ocm!?KWf=pS<@ctM@mP z8g$h)qN|T((yUTy^P#p0u^)gUJW()`Huo$;E|amWtL|rF0*K1_oG=TQ_d)^@Pm!P< z?fxv49e{-QmC_f7!X{DsJlE!GzYcme^|$RG+@P6Q3y5IM{PWCa3~|&`n`&r^vj*=D zHz#Hpw^Pm~bsV5%1>`e5k3Uc*Hvj!aAxAW&-LW(B=dsBy$hL^KlsZ&oYH`ZMlU}FX z+V3|F6+a0enF1~`DY1OqUdpYrvP^WftFw}mmhDoVZ|R<#d9ktE;gX{^iz1r8uIKyn zoPDRYv)blMi4=hBW^MxF6;mP7_zM-S$?3r2_RZu!vH%Ds;ps#boKKv6D48JOTGeLZ zy!*iK%ynZ`&UpV8Epk2K3^N|a&l}PUK`4TK{WLqsmZ+VkOSB2AnvXNJ&cOgs%pE+9 zV}mfbSqawu_ZZE@gKp_}+ajJ6gT9LNHiJ90AKKQ+8xa>-z#Q>3h~U;}HRp{5()?hC z%LZLwTulan6^CFFXx!x|CILl~7SLg!2=IJsW^@YO&DU%sDv8Iw_&$HTpB&`+jfquF zUl+fyAsJ;^d)HBeU)#o6A$a<0SD}wVcLGWFt+mRP@k3^t;^iIVx_#|Qr&_3Ag{ z;@^5}q^Y)Us+;NLAhin8d=?@#*D${z9Vr*-NlCuR=fBpoe(xmkTQ(4{h#hc8yM4A& z>KJMhGg(_2>GxpJ%O{oH=pTx%ITQnBLHHkPNFq%+CexD!jm;3RucE{|%C4jsf$cENAK^&@B z>|Nr%M*?tisBpQyV290%x*3p%1_~fHp~!w!lRNGFsvj+Nrbvs^!>{bnt(4}$5{)(+ za^hdR#l>{Uz6Gd*aXX!@Pwj%_Pj16{uEnX}z4PM7|BM>{A7Qco_yWCX#EBpI)4{Fw z&YIUy!eWs0UXpV&TW8|0QTP68OPNdjRe~prR^k0 zU-_hWJ5$J5n$KH4Yv$+58@|0O+OB`v>zP-XMKW+7O z-MBrOrEBXtl^8KzPMN*B@v}hF9dGgx7nVu02J8*KjKdRPIA?bfN?|}*P$C&jDF8w| zGr_^W=PRdJukpce*uNKzB*^+=C{MVP@kD@G>&kc{4U~&iIGWOmwd{na#HJ3Jawexm zXe$N3Io#dsSWm@uPn=8a@K)p<_Li`#YHa#Te)+F4smK7HBXb&VBJ#c(M^xeEo{c~3 zUd8JVVL{W==MUiNd9UQ!Yjs^tdH-9D<5uVV4#*(pI-%qR3&WOB5kxwaje=}`UO z97(SVnf8AyaH5>xw{DXQH4^n@p; zkxFX#HYvSredEVxoS20x(_RmaKjC0Ejj7g!pgr~Lj+!Jv_wKv#aq1DHHl=xHSy8m$ zDOfWWkk+yVOi9MWQfVYY|E#T>;dCHK#l-*`rS{S;rp8bK;C9 zy|_$x1i9Xw`eT2!QDciVJ})GA@?xuj^9Mt)XYKX88fQUmP3C4!?TIE?qF~~(4a_+YM^HeH&yL=0-^>+=>&78BsHg>;}1QR56fH!;Gfw)!xOxZN< zFtnELoykIQq54;TLTgAu3DUDjLuuLf_2j;I)`)m)c^Ow1G%N|%o}L`qMRhiZBLnA6 zeb+dS#DqdQh2D~sA#=@nZTxpj0gSa2nfZ#XGrCEcBWU`)1b(jKgMX78lCM3HYgFZ!0j_b2;vys9*vpJOHvVD8tFe-WrpC|XLCL$#@*BnKleAqa-c2cL z7o1B%W&2v@yW*FP41(2SDUnJ99qK)yx|e8ucM76c%Y_da7Z5Z2bIkoH?sp+1p`|?>d-2WI0Z$wp@>0_i+l33#MJE-87O-oe4EN)FkvxK`xs5nc=T)<7OCX8}dOB8(q92s1TYHb%D#*_`AjJKzf zNYz}sM<_2u22)=D+Y9!`QLLQLIt5pcPjTFZ6I~{+Pcl9Fy*QOkuRRgWV>{n@z?s#$ zra79cs^vgOCzEXU%sx#AmO6sn3Y&h33ro6_Rv4eYfdxwU*zoy-bQq#@WD|qf{8=Y} zcfTF~;eS3sGC7<_c_mOY_AJ(w9owrY7^WA>ZhkfMnz3cN$XkmKVrlW~(Ed zsyOB83qQc&;%GiLv?}Adi_Od%+&HJzMx+sFUROoK&(!zCwy~17`2aCG-(&E`Rq#Xx zIPbYTdsTc~+nJ&p*ABt>^gDN}8^%J@-c_7_X3PV^!@CeXQ+R9r)!75jvj~RVOWMP0 zx3Y*f>DCOA`Vf?iSSeR4ca_5CD}28ba<^PfzboEr@FH|V>Tv&tog3E9J_rFjC2p>p z6u-YnTCoteyz?nK#nHQq+UFnMFKRWQ^M_bU*G`-UYrOBG3K3z=6@a zOID(tqWkX#%J#t0fVzlp&cfg|G&m7y!`Ba525d<8|0OxTKldxDIwpNbtQth}ke1$5 zB69@0px2{9%P<_XgD?B&>rovo`V*WM=QnF+!=!408I}TIK+an*S4}2bHrlHXxyrm& z`DDkZR^>7eH@wKM1xB?=+p()p3W=r_OolW%pDmRfo0Yn6l{0Pa{6?koJ?qC)>=Gm+QDVrcd<^8O$l_p9i|N#A9; zZ}&|s3xIzY&FOVxogsa8x|TQ=UqL>y@MbFR*~s|uywrL;%01mUz&j~Rdt*2E6n6!G z;^Kg|rQ?D)S<%-Rwaqqz#~c0*pu@g!GNN6LSmZi#d3tS~XR?m<-Q8*6)r}L(9!HIt z8p5N}(Pe2E5;Vp`1}l4xen->+dxXv=>>*}Xk0G+@kB>Bd)9dctl0Y9^fOoUsdkc(W zUn>5(4x1tl(-?R+zHEQKv5J#5&2dNiDa!4gvGzhN?DPv8(%ntJ8g}pIY_%4BN8Ys6 zGHME+?E3fV3!GOr?$X5freYJ>K8?3>Y&GB`mjw`>yo=l4s&3U|bV`oM78;c5!>OH^ zJ_<RLPPXwTvIC-{V?UlPc1C;mI>@bGrAqbD#3o^1#`X)-;`t9d!yNt zSgaO&_&KKste|hZYrl^|Xw}7QdK{Hui}o65W1E*4%JQ0*aU9a?bL!@9&9UYj`^IF2(sUdsPFHESS<&t zV*X@lU0>fTwQgX1jEka`j(It4Hwz6F-K-SOU^nWA%mE|A?C%Z<90dW+-J*0QIpH%8 za5~cNZdU~umbp?kACuEEh374xSmiQ;HxEm2r%QS0XAgrO!RzvwNpK-uaCf~7F~+4c zBNMW^NbBoP z_FH;59b?*`y&oq1ZXV1i)b*Z}tD71LYi-mNS&_;3pfFh_>JLt+3byZFsES8Q2Y5Vo5_o$b7-)uTf^~yi4if+ZpmLh|$*tk&cW4 zr_@;~c$eY@qQs`r5?FmniZiP9#fDH}llHX6oTG?2 ztfkQbi$4Yqdec}J!o+K~LCcsVR1Z3DQO{jFl`V4fKZ)jKP?c84WbIlGZXVXUY`5WV z##fuim}sL&;Mlc*IJXCyNWrY%|A1J=-1w+%gyp_L z(h`BKUjYZ!l`Z93vFW&i7RQ;Gu5XS%naaPNC84c91VzAHVP?Ky!l;z(@GJ41kqEV% zk+PrxWU9Eu!HL_^!Gh)dh5oyUmqu|=8I-UkzBRA=_3etump5l<(TE@7o7oGl^Or>$ z=^bELSdJa|#TN>cQ!NIPW)vXh&VLla$%3s`$1XV2GRx=NFTr%E>V7mssSLrnwe|n( zNgj#@86|`!l+_G?#rRY~_q*wZv1hS~1vAsf=>TdTD76jk>Ej#K-PWSjdsR>V&ckfG zP_w$s@G~d0BXB^r4w7?FD8OoG1j%6s(59IS0M`N`;kt@l1@Kt?-#-Y~rUPR$y7h@R ze%|e9Lwo@8j}Y-Mud`QE6Y2@Tf;GE{KnopTXhw#ZCTrPa@phX(!r;;`8!$8jKK!ou zEVeAYwbtK=*OD~YWs-iyP9rd1Gr2L1Z6{jJ+6_ATNYLMrkV#6HUqZ7OjeZ@jTRttI zt;>c{d2Z>FdHM#df;mto=7@bf%`dq|MUHfck#mS6vvuB6C4O2;aH_fOaYtb%KeEmI z%Kn~Aq9c9B#qXhD*e=aSK4i+KXyh=7V@xzFCpC06iI%$&jrV#Rq-pADlKh5Aj+t3# zI@yH9{Gz7kA_6z5nib$3-5PX(26*!@+K&5-VzQgpZ>h!mop}QGDC?TkC{>Rd#>Ly~ z7b#u0Lj}5=BRJCwksGuM9*_Z8)8_J9AY<`IK566PSI)n}{k2?Je^00k9>M+mVzP|6 za`wg!WE#dTZ%!ifdHfdpU4L<?y)Lo~vCUh2blgLt!&Lv(m-z<&y?XqSQ_2~Rgl~ed7PMW6 z-`;vGkiHMnm8|d1NDTGgTM<(FFPeS+tLxM34yjq%EzXgbkBO-b67z>Fl}3!V(p8wW zNh0!JjxwHd36bx%9ABQdvfY^PIDt}_Ih)dvdD0rj(y9EQFhO@>MB=zrQh73)n%rS< zXN0Lxn3zhPRd-<0y6N207`CdD&G*F$PdO8%LS%NPJvw&#>6fMzTIxd;dONO6dmyH# zonncJvhu%1@|0R1AdGSsYbRktnM*tdtkc2S#T(fnIz?tTcSz?YH6g?zwhH#ipr4** z%~v<4v&VKQn^NRCDPX6>_H-DrVa6V?`^05BvSi$BSveO)_UbJNq7;Ax*8Tnx{sE`B zE#Y#~-A9nQXE{@6rWfw~^eWM;+y&Msdh{aq(lDlMn-%w&Cg)NS*hn)kS87iKRyVxb zJZFUjT>|_%M5;=n&DtL+=za|?xcT!<3N$pNIL%;Kdtx`ES$wUAKm$(cFfv!+yGC$4 z_SyIu+P7os2P8(Fs}&Aw4yl+>^S z^9Q(Fx*d(rg1N<&t!2+zRxnv|yv28A{czV(gsmGS4OZOa=a;QBuFTCCc)59AC%5mD z;R3BswpMhzSH@{MZgmfwtzK@YJ(RCXI*6z!3=uvVH87O7q_?C>mdP0mP+dK9Kow*W z4w+Llz3;F@pG>_okDYA@J_#0V7iU0@x$v$gKF~Agg-spPw5~sZt&(F$N<_f>9%Zit z@9zb%n@OnYPz@hoMxTjuKl$6sL(?TQMUumMlL3>yd}wcsb@iQklyz?ADY z@jSThlf^{y!HV7X&Vv@wt>~O(mMXdXzwNAE?hJHb?jAq28q%ao?dB! zLO&iR^)hMkD-=y{q%Mq|i&*_C!8g@>Nq5!`k_BcRJbQOq9sJ6lZ?qE9@qr^6QFqGg z{<;_cU{#*t5H>B6^(w_~gO@|ETIK={6`lx?=ryb(Slp!3@_l`@n)?J|J8%MAY~bA` zeg205I)%iRSfzI+WtzeRa0yG7RIcJTGRADn)fgP;Ux^bo?!t2)ixd5j_F4e)6!|Ri z%kp%e(Z3|`=V*E%a~7l zx*P9)?!<+}n>(%iL?_2zqRM(js z2Pm0$jC;8=7v9?NP7${q{)Aiyy;cpVOr>4RVNr9id@6i_L>`Xi!HQmu|4;@lJ0?Z$ z9Sh@fr+4~ZUiZH&Ve{c=kjj0xmXdn!Ppy!{pT4`;4(6Q$h)&pS-$bZG2x+1JtYASR z6cBR_o_`NTZ^o|Z?_C7DB|%mLNNCqT2nYNukjg}&;Zq*gT!@0xCs zKiv!>3n~~42zXDRX%9h?5tS-hPZFGE(Ls593+cfJR4K(tC(GKWFSN=#G=dvGNYhaN z9hLhZIxmF#?7*ON)Uc6pl@{N|mnGeYPv@QDbUf^ajd=$$&99WcuKl_;YcJUGDSd<} z9~gEM1YDTT&;y-fl7dB1x&_iHQvb+XIFq1))&dIP$QtkdpX@ulO~C}W2>F*LpQTIENOc`J;4-ZEv80Vmfp5QQlg z``LrtB#AXN5lv~&$_&w+X_(%O0M$~5l)lL;u-O!dP_}u0f0T6TxVV{{Ww*izT#i0b zbZtd!+cc)==#MjB`BepqbkThkJR?&jO!;!6Wl{IlolKQB7U{6X9~yMZhttXJ1|%Nr z0}+z}N{7XsH09@1W9e_(96p;4$wKz_u=8NMxYVo~FYK-f9J;-By-e#b+$#pN;Am$) zR9xA^R^_4Zsw6I5qjs7Y_#=Wlkd0BoRm)umF4*9rNHR20WqTpw#WtVWSvUL!m;Gbm zK+2}aOlGgaeCgI+AsNGKUl4{zsWkTkwt=Qk!#pFRg2f+)!Uamg0Vb3#Q4tSw90ldI zT%i>C=AmB1R7l?s`IUun9Io+{S&}j4~i zw#7u1qoy_#rt{3lyvn(YeL&{%1>lc7y@u>}2xqPdwC;7uXxTxS*wuE{r>5|q*U0Uz zP4E`~0y)4q{rPs9A0`@`B>NGJf02M$>p51%g02o@+mk%GExh=XPw!kBGa(9X|DiRF z&tC^r7sS01l_K}NFQ1bX_Pbbv>BG{u**#0S;f@8s(c&Nj6yZNe*_PG%=(w{Uus<5+CN>HxDY`o zTK9W{lH`(SYoK1pZ7Blzw#(R91feOuYyP%Vz~d#znEH4XJUtaddv53rhp4_I7Jg!c(!l52ttx7cm%24o1#)uQq9BUB!ZO zfY2ui4(@l=$B;6Ve!D*W26pNhEVt`VcMRXJXN6iS<2sXy7kaN`rFXFIO!$4 zx7bgxVxq5w@!fwaCl?JqM;botV-2c1ZytA_&HmlFam>Eph%$8nrYO~&8cR{=&8fvx zFSVCfdoIF;@-Sr-Oc#Wo(70#M3&GDS6w~z99cMhNEq(^l+UW|dUWom52J716fANcl z%YFD6>yiYplO@kW4o(;dU9hh%0cXW#v-tfDo82{f)q({0?brP)gWn0gfjK7B=oElg z?^?;1rM|3J0zUZH9^ZEJP;#07?RM+b#hUhP_HB4u(!Vi1@P2x>$)7MB@`4{J!^eja zET4W#iLWlsnx2_#+jly+-1VbU?n;*u>cii7GcMi^IeQjsKJyFpgLiN5yq@nQLEWj6 zTm$+>|J%Du#Sq~6Og8iNmCiU0DWG2F^FC^%KMnmWFfWfu?bAySzQdK0Gjl7q<%!S3 zZm7pR=2jl}giYZRk{k<317ymY41^YElDOUH1qqY656Rp2p1IG*s+>LV;Ev_=yR-$K zGa3orwwp10j>U_VmptAwec`RVjkfq&$+_0|_F=TfrN8q)U7V%#xC`+U{6sPicH>nq zUfJ2%om8F`^M@yKR@h^E+a~)(Y0g&NF(3k4KM5b`{qr06wCu0bi4ZfLQE_-rQ;B{g zlGPG&Y{|YkWM5xdBKaHd^%*Qh;oJA`-&e(c0+02BzQ6Y^|ErJ5<6Nx$%Dxn;6+ zA`b`V;C#L=%qMfPhDlb;jEsy@7Bw5q8W05$col$}pe0kJ21*Y5|A!Yf6(9L=qsz>h z%Et#dsu+3HP5VZEj7198EcH|JO>-&cJ!eI&$;I2XqZ+0j9Da?xKzUdiA;q{%z@qk9 zagzAB{*3a$=?U#Ug}Y8=4LWC0@mepm*C+?&{BPbj875v306txJ@e8u)<0smAbYu2rce0r_dDuFeEv*T`N2c%B6pB_)0#vbb#vOjQu zxT|y_&apf9cQNmGS9pDS3dsdPwD^s6Yx~X1Euic-lGb=s}i2tri1x6%9iem zqR+E<=STeT;3Q`W^$4D%xE4V=uD4ubi=BvbgZ9p~;KxvJHw%zbB%s0Saa@+j7sxsL zC51;t(Sp^|_Jqf7CB_Jq;I8u5GmCTo-go%;_TKqaZ4CQfi-D8I!8(UxrkQa`VJzu^ z9ou05Q9;ORynXC(a$e27&up&lV=~Qr96bzvkT$qd!I`X?$fY=1zb@bUlNWpUfqqMg zY^(O^;WIUM_iPP#mbYt;Z)Kyba26b9=6BK?O7G7tyEAj{JmW3_C{L~0&b;xCfq{V- zU-#F>^ANUn8}3xenmaH4=dber=WlrY<>7KYCcYAtEPZNZ@#RbPgiD5+)$W+1U@KmL z$_29E&(8{VWU@7C!&Z)r<KDb$a;F7MCh(r^!!Fxss3bO(Zgx=;4aufZVRL~Xp%3S1+ooi(H2S;x-pfA$>=dR z@87!m{_ms8wfM(%7dwMi!%}lyJ1nc)8PT`YibB;0M(y*Y-52G(`Zll={f(NvxMc6TnVz=bP>NB-H%{#nW1R68Ux^X;RRG2vmhB0klc8$ z1$C5{a$F1X5S8;pe0D?6Iv7<8%y6M#Tw~?c+L^J5`z7TvaqOYm#~4*b;K-q+FtCKD zWRem%%932s&gx?m`J)0&!NTIi(9k;oH0LA2s`r$F%*#WC(GcJzX10)%TVOq}GWOm1 z?qsDo2pm2`-g{*d%z;9nlG*Y-u9_K=bc+#N3H1E8U+6n$y%-+s9eOdQi^hxLK7j{z z_U$(NNW9|%EE=`*a9Hz>8J_Pu3bRy=tw~hdT`x`b@C0qLt^b&|bGG#H%QDTT+1$a_ zke1V_a|YTErEca&aEYB-K32%{b&Q^#eodr5D1X0fah^c;P zHvC`-rumX;SUpKtb>BJDzvP9?hI@+XzI~HW`9SoVsUiqMnA#!Gf$5eACKHnGeFvSl zd&Ko2GTp+eb=TtpMF+t8RO9 z1d;M0o^`AJKs}HMxKuo}1kC0$9=D^QjPR|je=)`W>nrFsgGVxzU|LSxDdXyt^V6u~ zLyb?m>%3<@ABMYnktj1?T-5!#vVLxNHF1J>H*RA43Yu%*h>Zra_8y3#WVHsDh6XF9LDcf z$OMQZ-f$w;g-srui+&{mc5Z-#yZ-fvJ50iObNwv!}TJ(NW8d8$o(U1CUuXTr|DYZrVfoL@tsG}s!0 zOx+Ob!wi^cBuo=o7I2w~sOH1|k;BbJLZYdr+y^tf9%w7NO+HRk+Y@OHsD@*kBbFGv zO9U2>6ZzR;+I=aO;)mS z81ZJMf33CPugzqs`~3t~l!X{0-m3Nj>|3TG2Y~mjY6OpEPGwqDoBi7pb1D(NjYnm5 z*?MRxBbU^%cWJs&PpWmF`B1C#DaU;$*4+6yRd&MTE78RzCFjnf7*%+PUgoyk%}DbJ zj%_eri00T=>Na{=aN;Ee(rVmGo#gP@yQDIZG7dlq_n9IK(p#;E-Ms6MgsNU}zWnkg z{ldJ7;FQZ&5MnBdvkk+RhvRq>%foK*`yJ{B_P>67wXg+eXz(~>nHaeL{N|PVwYk9? z=b`?2?vht6xUrn8<0$1qt=czVG!CCr`#|n8?-oDQzJ-|F`gjNe^mfQ=`H3Z9>V?S6 za=vKf=brh5AaEr-#cN~PFxcn{rtOZK$gd%Cl^oMgzkrCgB;mGBzqi#6>eR+d6$7sh zn65&6?hh?($gOgLOqy=jj8{ndi-uJbAsZC?WO3I^*EWlh{M(-xo3o;6xhkJbT(`TW zQ9|a0CKj7*-NTIYNjxOn5B7#bnI0w-&vifCe;c(lT$EOs4z6F$+wwj951<2%ixGZy zB26Gu;XGM|V*;|Rb_y*9Nqk23X`bb(+<&$W9>=(v_*iaK=E_((dP1Kxua`4n7pYd;h*QT&ny7Uy&z_0wNzvhwfxzG`t)Z7Q zP=?Z;PYY%YHb=I9`zmx~kzZ8lRNlP5Y~LD%GnQeHnA4q8>3X0|7k+A}(pgfZ(WK5p`;gf0lelqv;)%&cQ3SXRr|UGo`t7|5a%tka!v&IR_DkCG1b_CdZRuN|E1=b z6rRmT<>rn$Wxzw*0X#Uy_9=)df7Y0edpZeLdsOYlaJX+TDwM~e5)FK={@YJX(iMXC zFB;0Hzs+v1h0v|r(5Ac^>X^CQnJBodz1gKIm73J(dEtFbRa1a?CW}^0Ot$lMqeS># zd*{iDdf~JN3!oV2Sxfgr_5Nd(Y(<)s0`lLtUjJC>h8hx?|A)4>j;pfI*2V<{1Vw#R zL;(Q<5Ky`s1*Am~5G18jx>Hod0F-VdrKKB0lU-Oe-TJ!j^8X6EJj z{r*&H?|Xk^t!rJOn^VPZ31ab0?84CGkercGDnp4cL(ylrQ)V7P*m_@p{128$Ag&!J z%cFkr1=#2}0I3T7Kr1WxK%ktlyxEcyK}J(GlFLR*ZIaT-V!+K;YcEwW*tCI@?%U%K4n%AT$vFq-@FM72DTD&!jsej7d@*XZRn!i z$cydg0Hs7iDht>s)eR(QYU%Nynj34!Hc|63B|o}B3HJ5MIj!l)=l>1?{C68A=n(%J z%ShB=F3V3+IpGSkCA_+)cJrDeNwG*%@omSS3T2ExbCKyHA8UzR*_xcwrc6cZ=VJz( zyzIjUxr!7mE?vd(CRGay3!kDs=U&e^PwbMyre7~L*PZh2E10n$S71IcZ@j+@16NhL zE3xaa{R)zD#hdpQ0(4CCL{Q>&^8ii9)F z`vc@dHQ0n0FR`c)MlGeBvXAmg#&xG#`vRD=Tx*9^+_0{j>TE)7A=D_cUE-XXsSE8{ zS{40onbQ)QiAfnF%E6e0$E7WX*XHYj-%0nrP_^JlPQ_k%z@Tjku8sf~#V_Q+#O)v` z?}1stLD&#*g$aq9+I6H$+il39F!uzl$V^DSVM~;|bv>2&uRKWKiA;nwON>+U()X`! z$e`Tg#L)Y<_l}S6DlL(tS|STEPs@}(l#ydn9Y%1i0>UgQnp*EypT245)Sm0i%<9zg z@`_a+dUIynk?5w*=5ik#a`oQ%4^cy9c4?D~1U=lQ-Qr;^I!k=L@aaXZ!qF31X`~P* zXu8?c-Ch<6O&IXQ2P>-4ixX{7W|s`xSl@#q>?AXz{caaQS26HS2WJ@zemt{k+u8rRd3I zX|EqI&6~|?zFk9qufU1$k@oW~=XSL33s3|!u20MEP z-sUJ#Fqp6>*y0K}e)$FM*Ol&WNOZXNLv@`bUGvyU)PyRD<`Vdt2B?{ItN|TsxmEv{ zG*U>z^-oB)TP*?=PETrp*0PF#(DqdDIa4mJYzX3cXeR^Nj41#<8;S5Hb<_^#=}V}+ z4+wd}^{)3~!(ToxY%ku7vkR@vwUN#w=tc)%a0wD?J*>+2$Chv!)Z$2t_9s~4%l+(7 zo?LeC*Y`HKlrrq?nOtTDb)ORhIC&Ldp@?d$E1mLDT8?>HkMb2V`Z8|a9^w9Qj<#LC z9vIS{r@!G#|Vq-+^i*K#=R?=n98q?@x0np9R7 zo;4WIw7@hZ+|7_S(w>dedPL z_|3`yohunWBu}Ty#Z}B&@&jRW9;LdG|i_K5-sYGQ3QE)gXt;2WLp6o(o}8Q$Q>sjXm3lq+1b6 z1v|9z#+0tP)iB`7*Q+BKs`jWr0_neI_gb8hZpd9zDz;EZd%D9Q+5p=5e3PzgY1xb_ z8N8NSu5&3!R3mSiYSyDJt7|u?Gfk!NF8phJ`9JvTw;R^XxSXjywk5VH>ua=0%^f~w z+Cph6H|cGe9hC#9npQI|=2^^)qg&)lw9e-R=n%$xt=CM8Xm7=a2rr{WyCvH&{s;JJ zPCD_7=4uwFnVGG3kbpMzbxPe{fpm&)UP8@YH9$s*3}A)IeGgzjVMP}I-P*ZxofYjC{NNcN(x z$YlW*umchOwTz55chIR2)`p#%Dw0Zd4^F;qh56&zNfaDoje3%glp;?nKrt zj6=2dq|U)A*=2tFPXl^s3kYNkYKU7?rR@W7MNL7>D>0uD*9Z9)6B*c6( z*JkJ7Fa*oH)VYNPi(st4dGnDpg%@KO&%ik#%G;~1^c|Z49l*;=E@kF4n_DZBc&b>3 zh7`L@ruH$olB^!|KF-~4nw#2QL$^SJL2T&h-b*om_X3Dm%!AxbHDU0AiG+EY=`|Fn z&&FT?u?-~9Z=T^1=e?RJd96i_S|hFw8z)}~Odr)2JiWOcbw8B*S;Kc^`uJ~-=YM(g z1)cJ_W~}BeNM`C<><5DzsVp&%rc00X%nCdwhm~^0NQNA^b)8mtn238)+_W*^Lw6l~ zKt6z)zXf_UmLV9O8w=%rg%T5ql9~on>I+)ZTxnkq{P=Z(FlT3sH$8=jrt7-<-wjrRF`HqVkP3`T-NiPk^Pzua)6viodtU_L# zB%`yW_#c(V&JZvf;cQa z;&ktvm`or#{OeWrZ@=pEl~%FPT8mljFR!w{y-87b_^j*E_3D553IF~DFXX(xpzd)0 z&}9CLr`UhJy6=+$?+RdvgyNUm&s{^(?$KwV)MJ7o_?MvMRa{RZ082HRLm2d5>wsa}VIB2hf*r{+;D5D21%p9TnlHO4xAv3o zD*mTm12qRl>&xRhG9fqruvLM|EdWzSV)_afd5J!EZYu(63+T8pr7uuC5KGjPMTBI5 zN88y!ySNNjA~JEbvo(rdKc0r90|rv>OV}4Twvk~sGHvN;0S{V3C@`g$*otQ|RWj)i zRFnSpqt9QalG?s?OJ=x<+qDf14Rt+iS>w-Zm5n>o-+*)Bx!bLXyS}!Br!JkoJPwUZaV?OtCcr9Zrx+QgIU*L(KnDXc44f!UE(utv-<-i*C^r0s<-N|Sar~qh#>9FHM1UG^>Q$=E8em_%^|XEk6XmO)gH(z~`B>mw5HhDeCW>+x6=~ z;hGyj5I6S!U^Vlo?BTSMUM-`yoV3;(c7 ziwR0Pw)WxrgX;87$dlsehh`#D@bXc&*Po|eLIM%IBCGt*(VV8&YIgc^li`X}N|n0| zlk)6a5V>mCH)^f_Nh#&Eos^m%WNU>7cQiHz!9!DpQkNEd^}=Di(E{wQI<6lfI*`zk zC}uhQlHk%)nASeowB5q{0q zT%fw&Ukq<4bqhUZYbD7AFxk^l9A!>S+4@WsGY;>`#x}5z8Qi!u4-& zvVZ;-Db3$^bjM&DC7-Q0=V!*gV1l@ErkQF;8+ni&Apq0aE*fbP$`u*o_86OIIfYeH z(!NxP-(gxa1m8@9nubhkU)h%s)u%POc0ZP%7D7Xah(bIjd1fv`iH8kKmkBnl7nUEfRIPv5KCLgZ3t7b>FplTP zh8%qIi(PM!Uax2c9CP7G$KD&3>YL;y3!$8y2gnq%fy%8FV|~Z4c7XlKw-X(kka#xj zUeeQ10Rlbdgn;-CSs6KGDF?5SHNCzf?dGp>JRGMdvVP0+lOM9_x>w`zOsZ$!Mz!pQ_cj+m&q zPm=Rd3Q)js7KI?2Gfu2bBi(&_l^tB3y?3+)$}>>V&DRl3&-0akP0txL&rP1`Q_Tni z=&9|Lys!GCG#m)BHJ}Z)!_BLDW?OWnssXWJKkvNQS4?f`Tts264)u!!Uier1X)`xh zA!xo{7n%ASYuh`R<|b$^YWgzSX*6*<2jvNuq_eZ6vj^yQ#B9ojGLkCMst=sQpyt0U zsCYT(h%nKCb}#Er&aPEA%_wBrmQ}QKN5-?@T%j#hhFU2?V^1Y6Z%3Ix=4SP;@N^rXt4 zqzK8}u&3M^%LUf9n?}x4UoUG~)UiEJ?XMfbt*Z~q1~wYxD?KYEbG2%M5&HKZmzCyX zV-}V%dDR2gzuKJr=Z*ePY^DF@TWHLDzRj@(_lop@$ zgm=NSc{u!%0aENvx_4%USeJu-??cywc1fIea1I@kiEbQv&+?wyP@nEOlCvH#V2#Dt zjC9gO16!`VA~93m?DHo&E!tJce`jkzwPvVfqAYSO9Pmq_`{nnTYj#^XJ|j8uGM)-v zS_x5SzjrDeO+Yb{MQl^LArPmjvC%q5TFt7ztpCg0#MC{CTFd%^!`<=2v6xgQQw(F* z4rRti=li(%M>$ZA0Ay$vj=Rp?LN1W2o8S^+;%S;cplOLrAgsfdNS3`F|T zsuWTN+DeO5Cvp7qMEAiZP_Mmv!a}P_IaoNioZr|QLI<_1AKXd3`fgw8YzJySy)UdGSm!_np%<;J5NM2ZeweJ^KJ!$_w)*jbGuMD-hDJKZU+L50dV+(R(c$2VHC! z#zk%En&?5X7v(!Ud)sRgHBW&Iqqe@=4Nuba+4HJlsT6jR`0z(LEgjfpVhnXHjE&wHvzCUdGgbzl->zPAkPkUpEqNmOrRYbZR;_CHvh&CJU_O7= zg(P`@wS{HcpFYm|Ak8Zqf@OHbNh2~HxEiNH9O(2++kRYuoHHUe*77yM87hla@(?$$ zLy7hvaovNMj@y8r^m zQFkBaGOMnrlx_~SdI#PD8 zYH2|8#*RW9C}2z!ljuCOfkx35^f4tZExO~T&=zpA{Ce|FA_g2T&}YlPKagq!T&?X) zEW*C$V0D`9{5a$Gmf-%u+_shnGCcoZA=?ylZlU32l@blrFLy0I2ZxmaW( zw9Dby5hv6hNLz|#(JbxU&I<-vd6`7qW9)%HR-i^F)!$PGTggj&ME;4=odgq^x7Wf6 zer$-$j%bN$@yan%#>baQ$Q^s2 zzruSaGHOf0eE@(TN^7n!GrTFyRZ{JP!#>v+E|i(u`<%K!?rTNM4q1@vo4N&tRvR(l zh$RF+IVz0_cep8#dtviu+Xyzj_@ht2k8a38s=GqWaNk}#4q}snxHroBcg2;Vr)tYc zy-Mm!{KUmd*-%@_kWwtfW|3}9<4NRWr(fmyMbYc`&Z7*%AwQynVbhiB!^ZZ{fa|%% zf_DBj1N#vIB4bUCL5pC-OtX_jSu3r^=@dM+43&+e)7|2oIvPjCoX0=F;UF`bgy@OW znNpv<@>~(R#LQ~f6o8$Z!F?ip5_>JzZY{C315I1f5Z~%#duu=mA$N>2IlBXI@@MrM zd5J(d*sdpcunuP&Umu|;M7rVYiYBV98&O@5wf>smSO}v^Gi8712f8b8A@TD3zy)I~bf#@VG_ zBdpcjA2yZE@_5a7TQiu+$&H=vZfkC4pT2zg@*lqV`#bJzSL!3wA>8_SjbDF`7KJjC zpk4af!tRPfKlMIPK;9q?NZA=rAlx>CcaVUqR9_lVF#f#}DRtsb)<{lwMGnAGzP+W8;! zcTT)AQ35bdo=f0M%Y}mvL!~zQ*6)X&f^M8)1KO9{1G%5=$`~BNtn~v-Oa z=L65$m~{3shtaoQ_r$e)cx#{cEyt@zkI!gBNVpzmh%nLP&&^Y;SGjGVBU@-^9yoq* z)fZ-4QFqCumg$@fjYbEY%&c{vunX&;swao$U(fsBh%5Uxj`80jjK?$xYy&AZ1o6Z( zErBoD0l8T^iu_FAVH#Q3ILnR7Kgg89)H65V3qGXF`BKPJ8EyhiJ0*bb#nREB4v9{JkUH9#{2GIz`6O}$khBw!k$E#p>j zDmsBl%F++Y690DDWc1h5$KTL3GQj<#GDE9U|9(>Z-h-==1Ls;$!*`3uCmoM1!7x+4 z2${&RsAfep(PP%W+Xvmd{QF6JD#TJR8|;hW^ZcqrXxV2%OZ6)u)CH9_+Z@A}0?qpL z!|!XQ`$BYM+=3MClXsw$KvjnrR0r#qUEFnB&C_rA8dnZ_wa*RfqHrKB?h5|Y<@?Ws za{u(ugIMs1+g_JJcljPn0-~k6RYbT%kx&jCpQ2zo`45Q_Nr7s`c%^cadhCutK3954 zQ_GF>uB@lmR-F;vN-(aP_NSW`QjwWZxTP- zba50;EB;#azQ-kxa=Ayy6?7Tw*9cmpz(0<3KwK{J>?T8GR+c%f{k3UK=~q zu;6Yj9zoxH;Rlcy!g7E4!>N)lNz@csH$+w2uA6&eiQ^c#e zWW24r60Ng51sA>)5LIH0fXC0oVcc%N3Mv`9igWwSAz21qf&MdN(*3-9Ry^HBgAEIN z0IsIoc|mMLBB7?Z$+T^gyK8fMGmu)moO`4*Q~URWu1xUI!Lp~F`d^Cte~%N~w7`9F zjg{y6^}Dd#jAoz-%VYQ0u`hUP{Di2vsN)S?4QLOQvtdj?M;(*bK<;h&_4(QG-bsVd}TOevQX6dTH31fJlGlC++tnaoXTtJN| zamWdhWf=ei=^(Q$=;wDYPY-0Gjda?Pyf%r-4H#;XnQ4%(W6g#cdiqvSg-*-bJeZch zE$bhIW@6=G54YV{^tGRjOdypJmBoC6XX5e{0w%$^1I<=@(E7bgD5r9QKbSQN8v{SO z7VCKhGU!xS8pon;3fla9K1ZjSkhVYcgwe0*+gjxw#1AZneh{jW&=650e0j04jzN~P4}W#lHN^JCvFS^ z23BB}LxD6jLl+LE*sBN@&s?)-%Mk-~$Y^(V_D$m? z&%iF5S!Y{;q4+nZrlxVD1918lpfXu=sCzZf@ zIP=x;6{7NfP*)cAI1Ah#)Pk80%ybiAsNI%PCeybR~w3&7^8>=jvTZM*;Yx@zqXW@@cvcLv-$M>=J#@bb? z!c@RWNVl8#f|Iu_FEjyb9*?QObKkXK021Z>3-jYudyfqsZUr6&on)!(j3JB3Q%f0v zm-0)mU>RL`JoiFc>>k?dAWhvt6>SMb)zqgo>`f8jmE{e4?9zp?1`%}psm|>s@p>X6 zIzP)qeqQ!cK>uo`J<#rG;*Fa0tPU=!fgKh-@n~1Tuj;iM=j7{>c0?m?m*FXia>ZmD zjkg1B=y$luphWfbqB+9RGU-f;U9WhOOf8d#Dc`Pi)kYnRS_&=)K6IfU5qV?_MR7&A zL2(Jn_Ko-sThK$--}Rvn%~5N^G~DlNg;>pbcVI!V!T=l(Q^GzwJab^n_LEnAmsMr zej=&=!6mv)V$fBLq}P;9JUbbq>_A&0C9SrJ*bpcq1}cuK3_S^<(2MaIn(+d8Q%e4u zhXu?H1N^vyA|n~VM^CHOa=Yv0sHq@Td9yC$jEkdH@M0hW?K(^m%Ca=ex{01ILWIM^ zPl~nnYXC?^RKht(QgYi(z~-lT85sS>3jIot_{p!Q~>sd6AwrNFcWXW&V0^=$FS$2DjPwcY*r!)WUd6~x}F95_2C_~(I`Bs4Q1Ftl`k9J6zm#E}@w zT!PtpKR`V(3&N{4A;}RyYj1(P>= z{F)F$SKI@{`xy(5u1M%uQ`1&8m37|2e=tw~-@aukQuO1ARuwH0-b>sT5qQ}?{^fU~ zt3ISrb*f011M%rN3qNV_dIu!8#)R5%P29y(;0(HZh(b6avI;(gfx_eny{ zcthi3A26R5VJp%gw^+I(407Hal$iohD}AyR`h}{Ica`8^MMo`L554)p&kbkz1g2^U zsqJS}&}w)N8!WtYudT>0Ermjhn5m^D?FfE(?N>br7W#0wc%^;6RecaXzeC1sYCQmo zR*cJFhYO#>e8`#wI6n0e{Ulzp21s+YLF9m~bg;yu22IPd%r>rg&Z6;Y&vC!=*tw=H zcYo}`tKDmY3R980mudT!dc??a!sf5378LI&(mk#MC>lW0eYXLfLp> zj~M0+yF6%ma7HnKr6%6ioD8|~WNvR);9C2kJwVOTMg6%93Y!?&?g_@`M&MIE9 zo(PYH%}qFtMqre3?dBu3?KsD6b!duHzSw%X>$wR+%{Hj7O~`q|7Fq&Zu&N2FLxwo2 zF@2;XPvr9g?vBKZcvXY4rBgjrUTxJOnBbx(Ot#n|^RA?kNSIYXRT7WPb#sA1$73UO zcB?K0^mC0Myo(X8>+4zta^nNw4pJFAsA>6gZj~?CNSe|2>)(BOijAoos<=jVJ#Loa z6H6T0XS7tdKq+Xg>Uh#h8QZtP;t`wZ;{ z*JVBk2ZCHT`GA+w-dsU$|1)$i;&H_&kX2sgyuvutVAiYwY#8plKI5Cq^JH4*^o|gV zi%Xz{UDZlIFm(cU9@fYgO+K38M!B_B6KJ_~%WtCn2ns3~F2}R1j8QK|ESOujJQ-bW z-MfBjTX(jzW_s!B-&>zM>ygPBjhB-Ez%^7AL{4bKRpz z)9F;X?Xq#a$IMbxwr4xgfbSsQg34ja^?=HxRon7YE$?0@U2>@6-v4o#gc9o-Zw#_B z7-Et53{)_~K3wuxYQQ?=nsc2sIO+$jlF&F5s)3it&n1%q&4f78q<3B@T;<(oA*l*aV|_e@;!DP>1U_Qz6063)rXOrvR|R?rXWbC(^i#C!H*n%hAu z8V-lh&9tk2l=q9AY(4j@sc>a+j>a%Z#D(Iuj6MI(WnjVO6WOmqck+hdoXHN1M5kdy zAd^tkE3^SZzYk!NUw1hnM;IVuYy=?&VW~6|@eyxvvHW-zXG?jE6sR`LIB{jAgR9fh zAV>cIej>d3D!ZRId4w(#I|kx!e#uB{D4Ke3tX52Z(s1d< z)Jy~ffWizuQetK!q?&%EJ^^D2w)i>_3!JSHWfZo9@#k-Y98GwEX$Anu;}{*&OjdQ5^WFRZ)E{)dyye==SC zJMhp>d;w_IR-%Q`IlWP_u_Ox2M9FDsvVb96S%XW3EgWY zyb*-l5HmJ_i|W=Q;$JkyghO$sxPHF}ND6zD+?EmyLB!ZcA$L67EJ7m7465=nFXn83k`qfJMX>RJt5o82tvRiym=XJGhJNSo$Up0IjWH z4OHfQ{WeSnhK5aW6{AK!j{wQaKS%VF{x+11hJd-Y` zT9`~3j#awkyJ45C@1D8oG}5i21(n1!Wy{|0W}c+vb#L z(Vq5nH{t=i7O?;SaS5|~r-r)yHx=+N$St>}pgTC$!LjL#co>qu6(=UW1e{|{kBz=| zAK;M5#5y`u8D_TYp^uR9Mg+XnwahzIoLdV%=V zoqUS`;acYn#k1-?Gog8{rUAt_(mY~)djXkE^vT#L+TA01+t0PW7mNk_1Q!;E0$At72K>tL1;Ymop0vwm!C)@ z_#aO73b=25UZ3w{nu-C9r}8>W*o8UIzKKL2z$k!$L}d`&hOkO5;$|}yp#^ZCqua`u zK0l8uOE{BSyH)$thAStH2b5H)x1!{L?YFr1Uu?hmwP-N40-*8q+!Gifv4agokZpyi z?-gL~38l@#d$5J6#G4$NVQ?TSNX&nH2;~_&h=+pQc*b0$zq_?o^*a}D+EFZSJB>Po zTa1=-CA(IpI^JDr&nB3!sGR{G7u&L)<>Te|P{9tk&|}W9l+FQ&G!y$XY>xYV$IY7M zGj5tz!2Jt7Q6s+sx>XoQ zLkAaR2S`tBuxKjg^xpdSEx3(`riF zGa)vA1_x&H3^#77VN7+Mp_|21kp9g8I6fhsm(*cxEz@5FTb7^Mtxsokpd%V+0Q{LB zG1bwWQcj?(S;{GpPwDvN?V~OrXm?Ta?U2D}8r$i+=UnK$Ae=k30#1kMN;SzE*|K=d z&UJk9WK8I}{Z_;>MlPEBwuNHOX8L3&wf-k)f(OptJo5GL<9_38X^62fxwH0}K9co8 z(1h(RA0Fh+5~mJmImHt7_vuQK96wdElbX|>&QvuwZwfQWi&~=!zUi*mCCg`cToY3e zPa6zIzt^X1uV<%bGHuV#zgoKF@Ip0r9g>WB#S&fR8j>=dkxT`3tvnb#+k!hfzmKQu zZI}`ia$L-HR7!8HnsG)?gXAI%)W6ZP-3bWEE((TtKnGES8I@jr0wxMocNUYmJ%#gCxFtXqXc$7Pz-uC)yTTiXaM z0QIywKbwvtU%s>Q4?Mkj9uTRzuFw8BZcWH(?brZBgORt!I@zPiOi~!Lf}I6Z)*OO( z^Uon;Yk8?AXxdUOC(>zzgAOXfTl{od8^s`zSLj=vZV|uW!4Iq3v1`Z97-q-$3;Zx|FuyC3-_vp8GXrD;#aIlv7 z##wsXNhGeU&u+sbiOF{ioM_t5h?On^qS0EGOU`3uq1x{_E^T$iiDKC}Bp&N0aM7)W z1G^UJH8t%v8W-ri=3g0%22ZoSUlKs5i*?#U#O99En{h&JQCFFPWk2Q1;qPgLak_CO zFxq}&12m3rJgY$;qPFg*m;+8jYgMg~^Ki849onMRG$<^ITB8a2K_T8*m>_luJML9; zzVOqFa7|l(r27KSUwQ#(iRry<07Xu1Z8LF0!s`TAzMXHM57+PnZk{v2j9HLD={n#X z(GzD#a=JI4^?(ZGn--CZ+Os~)XWurMCEh^vc;|UDYTuAQO3dt<=Sp>b4Rm|+ZcIV$ zgZ)wODh9lsgz!<+u7_1X09OdgDds_r?=PAFR2gM;_2z}s9F8t~(u2b_ zcUoC(kB0R|pIY>)342%j8@0#er}#nEZzr`}0e<9-M7I53p>~PX=QCWtybnNotZvan zIr%~~!Z|!28~(7op;dx5sB6Mx-wqft6+UHzXQ)m&$D#OZN5tiQM+&g|ksuS$vT*^# ztv&vL)tll(&hlvzsR0p^oPmyGB)BEYiSZ9SN2xa>76dzDq_nFC7R#h=#Lo)2ETPJP z$UtU%Vy6-qdeK+wx|Vfz?w+$kj=|9^H1}AC#XinO>~4rBdZ#D;;KFD2++DdjC!&3^ z3;XX+ojVd}h4ijdPkj=%-L_l=cEIe5&EVMKhRz`^dE+N(ybSyAeG^lpA?5>JUr2aD zp=D~5EZX15^|}q%BD({>*+w>DyrRZKaqg_~>Enj>TpC#6PB*4*vnH{$`YOcR&khM5!nk-r|1#X$ zH6g6^N2daeOiRd~j%nklk94BhHKT;w982$Bo%U~kL(oY`@4-{Ld`4?uU5)S^-5hcH zZ(d*@6chYD5lgiXBf|kt#C&Mv{>^YHA4p(&Trme)VXJ=imEqALa3Kxe07~BW<>^i8 zjxb|psvfm?OgIi1j6AG-m z3z!UZa@J{5PD4g~LvZC}MmWw4eF?*0Z5ZLfqYMJyg2bG#IpX(L2|1(jGXV3>$IZO$ zTG$E#jf7h=m~Pn=C1<{Y-j{1iQv^+$ymEf%EWi=JuQPy)J`Dg7Qo~em zWL^VetLExhWIv~b9<%X%>A>vJr^*A9xDnNBBXG3h$K)_cjWG2QP`=fpfA4}=b6JcO zw-xY^yn5RE>AjttTK!u(@L*(!GE<2C{gK@3wf=+gPm1I#_*+f|FpMAyF7dT5$j_H^ zk(8ADrYlw>oFwOGW8^&Z^ZD*{p}|;M-rLqdr+m+PxM(Gi^bY&|k?{jnBxv1R?>7bS zo`$J5)A!v-EpW^AURH)!r--@WqXP*SGyy}HjCo9wbuzrzYSawZuBWF*C{t*?^KN2h z7SaN)ISalh$4#Snv*0tzbAn6f@a%~lYJx|^L_mnZQIO`B~V0| z6Mo$7lC;+GU%;#>!Wv8?B5{pHdgI|DS#V_dkwqr}G^mIu;HH8HHbrp_=*XkLpa5)P zwGi6%CdjxKtn{0j+7&VVkbY?3+#+gtvd~NM2h_DQK?f&%qfw!e4m#tDwLbn$TW@W5 z1B_cZ$O4DU>^^wJ$6*-CW2pZoT*$gG1`HtYfDJzxR0rMu0+{YR`LZ$*>nu{hWil%7 zc((F!{n0Na;#ASDXD;eZH5p)!@p91sFxi<$FNjIyv^mH>2>|(J4yL=gVr2-jV0vHe zPH*4j*A!>9bdmvW#?S@<7EhfzNUC->U4?VI@ki~>-@O2M7TsZLP8Z)Q2mF2cHS%Lu z7>1bakfGnhjUsezPv7zj-Vh(wN>l%u5)M|!rk<&?elt%i*;=o8Zfe|^EToeoudog;3J&2-U{ z#x8puRv^vXlOC82jXGHyZ?XwcYj%v5;IWM6TaWzhq~J|^)Ew+`JFnI9mVUrPp3CtM z-tWAbxzwS_Df1o!NA){Y0ro-7SQ7$eL%0Ti?E2z}8d$Tun(V$)5= z2AaqT7mr5E0_vgY67ksxiZrL>&|4hr>~fi#uM;&u$;)MD@qf8+i6qU7(7u2(LwyWC zOx@Ls%tD9YNjAua-D2=0M7eIvsT4y+mHYE~^Uuie=lpU%n_!`HXXnDW5IA*uo57Ll zz)Ua|PTTD~oizsbEPNe-+;aNDMo5#@B_a>E?#|)g;u63QgNf$mDL$FAMAsN;h+lgr zCLAYi{gg#ir}JRFr1WM4nS_{@#P>cfnwF@3?^3BpVq_OsX&A53Tt40;6-Fa=fU3_( zALv~>{<R0CZDAW6Hu_-BaPV7=wqy(p}=;txDD360W4@oVGYCnEOo~| za49jv=sk2?9&rmrhnXYyRm=00>+lFvdW^e*)?qN zK0*s&7X6~jZ?RR42t(eZn+-#Jx7sp5f{Wb{iFEcZlU^(t&sKj;AgCLMB_JTHXoHn; zP7wHXm6i2hf1OAQw2ywtR`0xfV)yd&_|wV(zltmId}`N?g|vH~S;x}Z-PZ=0%xqp{ zcY$%ot1R?+dIiqRZgvM9*2M8Ngh3Ow-^p;~0?;4~ngQv!GbH?$oe5$S{a_6oqgCy^ z^5n6TuP#FV3*TizKtZnu6MIlRO$XgQz0#kJ%(y+betdB}coF5|07?)?8{j%v2=%>= z?kfUBFx@fy*Cs&z&z(LHQj}i47JmCN9qdvmvs^Gf${#UxoN{hyj}@@&G0!Qh?;n)` z*d+xRqmJ*r-s-LE2{+5)Qx;^W6ywXggv^+WHvop_&#@ zVw#M!MzGcOw}dj$TOEs2?*b~}CmgrbcM2fSk!KULCbzHyCQEsyT{f5mH5c=N1>C@aT2zwMsa{S|vs|e-pIzmFfA)Qm zE^*0-SPP_S-}s&ATGxO@>Ui-1P6z%B}d8%r7vwnEDh)c~Q*!B>{gjF_vpo*?NM zT15s;=eoSBO(ZzVt3dbsN2bF#LPG{Yql=F>9>J*~#I67idhy+!W9QmVxOYp_OGBYj zY01@MY-I?brtNo9HRswU@`OF$p*4PeancZ|4`Zo_r#L|R*PtlWh@W*~6Hrzok+gdg zN2a{KXEJVu=xskejX=BwxX-Tw3F;cMKx9VEUk(9q?dE~9X}Ho2rr2HHNIUG@vR)1> zHiK`%oGrR=URSPt!l?r1(htDkZ-E@#DqRd>D+X3xi`)pIDmz-{l1D@}$~18xg22!G zSJ{Ed<`3|TRYlB$@oi%vPrMu6(<^hde7Q%iOrfrv-q`$= zlg>c6Pbuwi70U9wq?S%x7j%2eyCIuMES?K?4PIaO?m?1InwJulib4+Av^3 zS`&m4Z{-Qz>2D4q^5H(A1Oeg__2HHu;%lr;^PT{WxR-6cF&gTfSWP%5NiDWd=k{(6 z-At{yxS1`$Mm+K|81hx!Fcj8W0y2b!=JVCFF+}Et=g6d;p1mu)4Ump%{CVS_S$=JLL4zXfX%bD z+q*5ElLxNKZ#?Pt2NFkeJySU=3JBEjLqB)4fbxkk>JOgTgOBkoEzA|SOfLDf?4db6 zzkjMXh^7_EWgGwaf^`LWno92+o>qSz6)5-6c#yF+PB6bb1ibgW$?jV zu9|>zbXb``r)T01NgeWfp`r1LvB?eE8>zFh7j2oAjA@3^^d-Wru4^8Q!yZ~AbHYH# z5G~g9t-o+YOwb4SmNjC|bp4tv*XLT2DTXf%Va9hw77KeSvr6D@2442|jir60-L{2u zNP6YxcL_WXuA4j}vM`ZDr25e3N2#<7uOCV9~zN^O#jjyxUyFAJl<%=iaw3GEeM=Or^?IN@0O*pL` zqo+Ul*=Td(Edh~gej^)8)aIO?0^mb8$krgnAb_lJ`gZH2&bEhk>kp%5-d1O&$cr!a zn>vgy#FstHsopASTgGq>x#b_80Arn*D$UwkHGr{Ik+DZ?SH|^csI=?~t9-nJk0^p~ zJ^Cz~dOtpHpibB8s09I~JuXm~n}YS}Sb6S83=!d$okS|=obq|b+>b_|1wj^IJO1jT zDcK23rTEEK`CXjPc*lt&j>VVZI(}u>Ej=T&9)$SMQ#8S_VHzsg4(|tS$B(=Z8_j(x zf$tSIKv;hOK+_{p4vZiWyz=J!%h5qiAQmA4yL=SyP{yjD@h<9q5tfFQLR7_k75N{HXo2mHVzrb#|}ys3g3jM|H5vVV}%1f zc9%3tbK(7Wl;A9aoV!{vX$8X&ooTSNw1|KI#V7ld;$##`_g9^!v{K0dh2@au3y zd`=xvDD&Tb7qX0Lo*sWa-DWj-61VGjFcIjdPFk=+*t$AkfD`-|Q|UT^p27f5&49Pc zBOSGdu}h@`fW+cng%DE56o_qKIx9M%OV$|TrkMKndKbnA?V0!_Z)6}#T^UBL%UnQ- ziWm2~dE}=VBP9JFS70$_O{pn?XdD32KP+SB6GL(1;=y zHykaTH+-PWlZNEysxgEN0%XS1>FCP28Kj*86w_6}?WaGz0WjfR3MTIqhAS)Zec#$M;V$r*u3<^blr!x1gg8m_;Xn z0#m!QJjxw-qpKiFxX~HxoSIVyGye0#)!?t*4Vt3|_dWQ0#sr|iidLk4k)0PuU8M~Y zyD9vcLm&x56-W+}LYcU6Joag-5Qa&qb&ZziXwR%=R&Y*Pt#$<}{L{CD65-ZuPj_ z-c%h7hh|-31zl|8YPM*H^pUKkCsauwe4my9Pv`rsx0H`|viNWkUwHKe6|5knz`W>5 zGeJZ3CS}+6Df+;g=JUelZcYe1(&0AMTUyugb}B8<`=KLC`@sgGd}nX)>kn(XY&T)A zMQM6qwryuWt`zK()3TOyNpDQgR4|7FWo_`lyf=sOT{PFPnVPtD-#yIsdq*ugRc7$x zg}Oub&Rr&*YWILIC?HnT^%A~QCbQ11=yhwUA|%=4^tsa#&Js=^@6L{W_tRnpdh>>% z4@Qi?!fW;XZJL5t2~zX+?6dvzs0vR zn`CE^TB`|NW*Fjp#(4rUTx#s9*GhN^KBOOD+|dY>@+WGhH0o9(X8NPr4Yq@NenXZp zy+pqgYg><@v|wT41w?ELj`_9~Ttbp|wP=8-TxPH+yFdgjD4$lLeeZS_`xVca_I%v# zil-k^lVZzS-gr0IYg4;yxSX&PA^+mhB|$bln-64&M4z3VtnP%VgbB@}Ubo^g<NcJHiVoY@15?RfL?RA2jmx`pdw z=>$gGzP4PCOCE#3G8tOsM0IXo8R&Z}C#t*-*5Yly648qvpC%|eqmhd9e^`6#uqgMn zUwjFQfv8wWqX?3Mq>{2Elu)FR5|E)mx`YuiP!J4iKtfVFh8kK>x@)9SV#pb3VTj-T zxc7eFbM4=`uJdlsxi0@$y4D&|p6C0$?@xY$?Mp*mJ*RpEiZ^)BTRoqb>^jZymUZCU z_`uGECuu<798yPycB*f45s-SQe5BjOq+ZqkQprz#Y&D)`5wTLgukPR;L|FvV zge^L+6#P9w-Tu`^hoi)8~Aub7pe>=zjhd;e}i*2_zmwS=3=(VL^ z$#vz3=604(m9ax>M~7xt(_J3)6%@JqJ<}|qj#b9nN;V}_A9IPgs2f{^Hf&k9B)rxZ zvmcH&U(+smV2RnWCtTj#;5D}x48u6DE)`8Zaac@l?>hJ-C`8f}9q|QwJFH_*Tv~}0 zQ+ywQ5kzb?C6NW14-vc=95u~FG&IK?{E?OjkfX~7*ezcOGBxe(=ZgnC;x%%>8AseL zl9~t>Ms_$_n%2HVxn4liQopR=q@nM)qWI;#XVM|^8)#4o+=NkX0R_^X@F9otwsu&_ zj1U2XK&Otd+VOLOH8CYL>$)OIL?j{SvT{bw0JCU~R#03h(3-mNSWg`&nvW8>s@H;4 zex2e}eFKF`J}b}GBB_>buP1ZcBz9n+wgLfTD*l>5a)#Sw_Z}g4qIJY2fFBN8G+)(F z=pYfQ{9eG~;Zaf7*|ABh#B`p)E*GP(c5OEKy*xHD;~GaL1;}643PNHkt@?ie&d~%U zHV0C~2m^S_HNuC95k@sekBkkPjW|Jz=F_CFM+OzKcCxT%C(^qW&Fq*%l68Tz#R6%? zc;cd8iZ>teGBh<^Mlz*_6=>JMqIk_L?hoAr{;P+PBh{qeF6>I(B?T_mvPst%r}g}$$g&slv^m|E(S^D`hI#@%z+MZ3wqqTux!yz0^JF&Yv#DKC}?Oq4Q}PP9wMD;Sv;e3HCUZJD~(>FhVH(_&G&);}X5 zwTxF}-VAuKN;bjRTnLT4eL)%GU@uJTX5X8#=n&7-M z*&6k|jn%o)KZ}Scosg;}WyfdcPM|1Q@ShQN1ANkJ9}e{~dL|S_-+#TL$QEnTX*!r} zYts(;q0o{sU?M6e+Iro$m=$H`cM}CTJ5|S1kqGDg(+t5Pw_)71^)V^7!)ypql;1~N zz%DzAZ8n_<99?O}Oy$N|YmtSf=Sm7l+ zR%CQy?vG}t>oUJDN!MS7-u6mfe%D72Zp3!YKJdAUtv0a=a9*t43ID#waH(WMsG!9&-(HaF0ZbAR^M;H=DsJ}F} zeT3=9_>?%c1<(`nOd00*!!iNQ$#Z9EKP79+dUfM zGF=fP&@ps;b0(2P6;#hLiJx_MAFH$-wFPZptZ@S_JdY@cTfD?PFKRG*SBcr8+z&KA z>`-X;N|px!-_UozRN#(VJiy#~aOWNXgqqXk&d!Iwq?h3fD3XqgWW|hnj#) znj48+_58t4th`&&lxf*pgg3S|SxCSHi{9|OkOKS&?M5>knVb(-5RBEKa!tq42p~d= zq2w~bKJ!~{dtJo>jUCUe8ooIH(HzE>d*E0`%`hpg{cS3L$XakH9Q^LJ$`%jm1Pqp2 zE9^G2cF26T8{!l5Ud2Qmly6CA%T@j4o3xHjnb_O!?m8Yk*u-=fTQIz*b=<=RbHzTV zVtdkuw&e&p7`4}X{W6V=Qwtmxi)}>6wW7}P0pY@MU-2%Wj)7EF)?MR$LKe-9+-V=o z@U}3e(1zjK#I};U0rbU9MHpP<Rs7+FG4u z2de1j`uCg_ywB>)`RK)7eukr)P-3X~Ak+o_Lc1EKReAIiWq5O^AjY6EUzsuz3iz6t zTHHPZ7RwJi&=JE82+ozK(fLh327{X;zOqJmQJ&JNPl-}_ExMDBuqf{FnN54FX@t}ftX%~u^2yQ#w| zbZjiusl#SG@>)Giom38K4O0Nhs8A2zw_GfN zEk_8V=$JOb9+2cP&H_h;d?2!;(w56=1muJ4$lZ+i-Tn8tLn{t*K7CacE3vExC> z<@-bSgL&HU0M>+TC1wr|c^hl-=w_bCj}f@!$9jd-o@G$^xm_niqrHD39om%XKQMHN z9l*UtrT4I+)pLAQ86LTTARVFEW-cGgiif;z7&;x;+p^B_CS_3lv>8_^gg{S~2IqzR zgA`vzs?>~x=|Z3^R7pKYKUcHuOD2YSMAe751-_WcL(QV|Zgx0}ND+Hs3!5js0rg38 zK1-+DsAkVr8UxXd3UF?dpy@`Uv|6)bpF0`bS?)V?iishQr-KfMQ3m_rIhQ@}Y|P53 zb+_=wt7gZ9>XpScv8a1Tc>o>?{KNKo^9@Cj>zK~;Z^2Mf11!k9_!yk3t?Lf>L>^)6Z8s@X<;)H{n`UZyr@iuU(~ z!0@{P&Tgt@tiIP2Ae@u^`MLEKvBZ_5v0Zk}4(aOW$>oNe-ZQ?SjU)xbA8-OsMnX2M zQKzD(`-Gd@l((CCbH81IsI#FKJ4ZVC^wN$k*nbqPIRJL7md|o23DSF8tD4bpve0&C z6c4vUmn!~cSnaai&B-Y1KTE(*)*Mf0j>>#Ps$S0*k(jmWD6|fGu2E)pYoN@_N29($ zES*;&=*;V~#hfwsmO}1!tIg&k7B$vFJ);VyRLHuP!xdDot;cO0ETA?U zCwj}flB(7E;Rn=a4A@qzsB~xwOJ@>;?AYu;_cN6m5{du$S*FfrTNj&ONqthzdiO zZCnzJ@m;E+W%i%|tbAMm0c3_iiNnY=yeK-;+_s+i`BJpK2DaW>Fd7vk+A!llhw=ry zp}_Qp`$HTmtJkjb-s)8(O^~TPC_LQ(nk^IMu0hmhENWCO*{WZ&EyoAp5&efzLkQnT z(8RJu^Ht036M)+kTm3{ZTQe<$8I`q?NPn))3qiqEVflAKKW6ta_naaX5l?_HH%=+=Kh@D6{|nr`6Q>|fpl$^jO(MViaw-U2#J8MAlJiC zZb^A2ezdn-fdhD^Yo9O=~`T)KXL3C;K)kBV+#hG>1ZfxVmDS~3*31dZwzN?QU>!zpg^IPi z?wr(xo{4Et|?vElN<1#dCb00GBr72jJDOP`VVorlKG9BQM@tdqu^+v)O?@ zOC#T#IMDn=86!0C84s%cq%4Dyb}?Z&p|S+XOmoK>AR(4kHQ8rrl#yGsVw|A|HCSjZ zc1|I{S2S?0u;=#5lMGcxk71yhHz@AHN%i5w74zqjeRw{V1}*Fx8%0G;U{>g8qvmsj z?akEsOwg)bE>Tt|UZW&-;bpI6rO^@ECmbEC7l2z!1C>f#_2EY%Wa^2Es45{}Zy-FC z_Fu=zW$fn1bW|8;%IQDfSv-Zg^ML8)>b#>Qgi9bLsfZJQGy{sE8{>CZFA1=zVws^v z@+(TGkL^ljbiQykrs&;_B$mtlx={_-e8*px{{ z%3M7NKnouMhgl$r5k&qW77oTkQdiIZnbd5PP5mP4I)+rvw43YXel#u4>q&N6`43d< z2v*YlJ~6~za`BC9;T_$@bsU8Dh0%ooC077DY6XN&0jgr*!D zhUnIhDC2@01VZG>&!5;(t6D5P4b&@H=Ejt|OPZN5mv(u+HM zup2JD(y&}xb)E8^8Yl&^>E8a$sQS`h9Y*H}&^q%z&Ec=25Y2!=%eLqPP((0k5i#*6jao zlMriM7yW%83@LKV5T}`7Io)L{(*~_%Y-Sxm>;y*LaZ?mN4pULA|Hw=WwaCrtya)h3 z2XFMyNtepu+`sOEss+EWOl;w3-O7tENgdn%Fh|(_v@?*urX)+=T0Tni1cJr!iz-a6 zkL2_}3%A`c2^*)HV!)$eGf%Z4@w&@B*BbVTs!IOyD87r(0uuP|m3roIFSr+ahgN}L zdZ9wc55}xOFB-+;JPw?$M!EXfIzCgTAhgsLGqO4wN04Cb|7ICc+(Rn0Q{WOcZC5-9@6B*|8Y#N*BXg)F5HEZCmxNxy z{b#K)xT|ySjCjYFdb$O@rtYKrJqHg|HM1_6j&@&ANNTu~d#~#D^W!bYMEYqW1PmtT z`FF71QsBz4Ze_O4yJ;K_qlFjbl`DtkmG>q{(kKR=d6V#3v?VJhzuP^pI#Dhk!sD|_ zZU!72DF6w$M}JG!EGqZ49=#w8HfkhqkxY?aU-myOGwbJXi@0E3`p$ zmkrNdiDwlCM6Vz|6e1cMA$p(Ug;O(k+D(8WD&4Agw=$)`T<*X4&gdNJ>N{vb7(rH% z12$#x!f3{}Xno)(ndI*8x;M3!V~(ml%ro`?@PECmr}ZsoXM3f)n!7!=LyIJr8owR4 zC9GQ(-z8X&Xq=vPsrk>}$Tjgzf65JwCAsOTB5G4!G2J0IhD$-21}N&ADCs%3Uq9=P zH`pcdt_-nrMcr#aoZ+#a3fQcAp3Svj9t3|jwSMm7OZ(Ko*l*K9;PJgkxVml|drgH0 zM&4)zQN5q;JcO&wtZ19CnZA-4+7^)Sv}J2O*`Ggy>&&00zPPPG>A>nWN$bN0SvQIP zjfiJSz6Z{gz^h!SKXMrRKRSDri_)cUduPYLw34Nwe!{UQ-%G8*r8|D@4N-6p_xGOO-glAs81E5)@gTMDs^SJVh97&m_5GD5*sgLS2PNO0j1)O|({H${ zGRUI=4N_o6M0S?=9hhyfprU*k%pSbs2JzJ`!PZ;dHQS&7_x3m3qQ?jKf-Yf2CmsX~ z%V2i9iP%wA)KeXbO;0gpebz}OQt9LNxkYdGnP}h+ZjzgGH^FYIuy7A+26i|BGkqRm zu<_oqSfMD-rV5V!LFE}^@lv(Udz7=FW7{V4^Kx{GvF!UUWlpadX}(YUM=YNVVk|b7 zf|t>I-E{K5U?P9CmG}fnn`F!wy@UWu2>jUES?Q7@P~GXal{A(nLRo0M5v|`(qb|;f zlR@e8^yGzDK%lh098N-vrW8@0O~Fig`jp-yxOk=ywe}T1`#zA+Aoq`UrT-zU{9j2N zLJDk>Zue4yxkBsn@2_jZRTqbun7)h_#L#4XKM)KLW+)nYc=Z%z}&>7}?;_z1vRd@{K02^zDCn_9&q*!-V zpt$E~w$-{^)==Y?qI5RbCaBC2Wapr3V;7E#Xq z(x%}iKmzQF2^ix#9&g|BjVF0q{D*c*HwqFGh@K(m7YO!Jts~pj+N?sQe*1MNo=yc;e%q3H~Qbt}hg3Z%UVm zkkDUtvvAT|hTj*bvM%#mwEnzhJu;zqNf5t(M`6gcDXVUgN4zJ;=;qfWR^!1j3L2CH zBEs1yBUegskH^0~Qw}k%`oy+w;-4HXvg$ zH1cJSU79A%Q6Yr@AII`VF=0lRIjVe|e@ecXbHnLO=K0!d0+@wQ@$mpU4xX2R2GZp< zd>8hiZNHu-RH(A;Z4+eMvSQ2jEhBPJ&|&r)c)(QF2qUV!WXZdktHbv1v*(>`*X1>- zjxkwf&}vqC7y|4p#{M0A#FGbpDu^hX*0b)x(#4Ae> z&0IrZIGXdVHHP9`va+E9vg?a7=I?x|p6*n%9elpn=|i3i`-fzfN<~)Z~-a^m`!@j@CI4_1SWD&R^nfGE?Y#T z2+^$QIWsl@Z9&&H8D$>Q^wy#xPm1xvv9Lcw{n=O#9Gj~d#*AHlqsCZ#6L-WS`HSh- zlo1?%w>Qsljp4}MaCV-Bj=}Qt596nJ!}D88?1pXTwJsbG;YtGKjQdBbGXQhcx0i=| z0x0SWyzX$@g}G?vj<5u~aMTD=5VMt}KuHh9y%!N4)9mZ9N0SJp2H6NgAalumy$kNL zxNO_|=0b9i7+|LiL1Jp64I*5D97^nGJt<5<@t^Vtpb${fbGmziv@sk4o(DIFc^GDr zW%FNAy+d?Ww$L4gsi_&(YM`~<%kRh0%NLD+I5kNO|JdwQ&4-YVP?Yo9L6y19pLF7H zu5tl1yy5%!EjBko*Zduo#2?ZA>bhe2B|Q3$i))} zfaN*+cFhO+<7wxipw8#`k-^=)UDBT2^gW~8&#};Sbj*fft^j}uWk}+vkP*!@AhlF) zFROeaHALEqk36UTxnTUX2Qz;*Z7*5937}#dX|AAH)er#8pU~-8jHlHm0Xf za;xM{mts_9RsEw93jYAe)cfo`K3$rohT$IalRm+xQ_%ZegNN5U;x1N=r-y@D=Udwy zJEyGd^6;K^nWpw#(2NN!RhtZXp{D|)!z)#*qZjepg`|_{6B*Ujs!{mXu+*rd;iyqr zH%dKo3!U=s&l$I46l3vxuVF|$W=NtctUvPO(6Hy;-!xSs3fLEA3ZX-7f8k+A_HZ+F z6IZ_z;0=+uOr;|rfuSvxGNLx(ZKE=LqYR4~x&mPzAb>@2+ZB3{#`x@4kaHVZmv#{v zvKcZr9uUm6FPAR}Ar=Gk-EAlYDGtIL`?M7!H7rIs;ac^yU0u5vkZ5etO-by*^dVme z!MqkTR3xUhVE>9W6|+1T$|nG`5r77DBXj(KyT!&;Bo!tt6z_ zGJp4eloKT%63t?v9PB>qz-9wS>ld02qC>8WgQ7MG+13;BTf$#ww|?6v@_HUy(_D28 zqFO=5)*npAd=Au(=I9LraK2q@ z5&F6X&Y;!vj4<`DqOH3ge+MX6;I+?@>UkKFen8VV-oXq=#h_}h zPItt!(rzO&Clw1CX5VBOLfnlU(ES~m)Rrg2ru-+~2+_f9R91+O zMfszFg;d3VysasHmPP{&V(<%9l3NEqjj7p!kBbf|X)Jc&dA2xkKP2eSOipj&DZVbd z5SEDLO-(eDKQafEMDXJ>nq@oHD;N4ZMp#?7*5Bl#+;Vz4>eb#;@AlqSW{TKVjq9n7 zX0Kixw%BkRSc^?|!X{a?2PM>(Y96nNt{H!hdy z*0dXxW=pBl1VWOv-1J_^|BQKQPV;xbdBg-LpzaPptaHD<JznnJ@Eq$}OMQ&|sPp=?OkFEY}CqD4L+ z1xatd6zlp9$xa?p72YmWpxoZw-Kh2naz&T1($o)v_DK9W-Ode z@k4qT90_hPC#*L><^&;#ZNTEh`|L2&Qxps$>HcpaF+3a|SjGKQHshnbxfLh#v)i9K z9dGWkmbu(XcYJ2YB>uoX5!>9Vtox9)Fe?20Q&Pygq)?f`QQhJ3S-}^~>(X4Zq-Rj> z{sjIuh7tx z3u|xpUHo|TJ8UZvaE%8xY2*l~cCr~%Dy|9Vj5W0SYIuAaD_SjoT8-r9ta9*f?cA+? zKfAL5!{SnvK$OobhorIGZfy;C4Osd~c@VCo$G;og@s0p*Ft{71qxcxgxdgfU;mI$V_13YnB;a0Fb#7D>6 z{T6&Djp0P5ety6!DpIt}lm3{6V3bj3NkXc zlo1B)GUal+3SL|`sWKFqNI_Si3}WHk?P>Xop7)LXhSTQ*bd7MCoxMucGX^%cDR`UT zacerGwEJsDeX2eV^p-c^+_r8i>!?;O zp*D#lIYin?4_XSo-R=JVwsq~hOnIX8#>s0rdAXbN>-Mm5G;t&fXdf=4vtjhbHNlnQ z7)^+>IXhxC1O*B=0F<064RC&sb1bD)Ue{ZF#<6v3@oK9KL`6x?0xk)279HyD7m)?a z8}fwKe-q&U4}W?vz2-a_yKSKqO;q{@-hv0UvXiW;grr@kq7>tR=mK|i4RJMhno0Eq z%U1sXYAKpR^0c2gPYk?7sYJ=ircBkU&x;XP zB*t2l%j|pYGbpQHxLO=yrva!m;<}D}tx5S(>p1M#|?v zQP_TX=eZX@yzb$A*m|YGlfFzea~#%t3lO;(t6L4apGz{YjGyfQP2@%3A76I~5i$gc za^9@2SS=et1JG1C6Zt}cje7{H{7O3JPi+tgx8k|~nXL!JGA_qmi4NE6Sb`M)2Y_PX zSRNE~3>ivZPN4aDbL=IIHE$!ik>=vjjWWmT9Wi1of)KBIWm~|gohV?^)bVa1ANs&F zz{q}HJ40)U=(`nrJD^mwQ|9f-dhGePJ6(U4vH?CI(B(`vT|V5}b_(VGZkD2p!bRA3 zI2ehAy%|}9;9FqFFCM9e@`Gg%41DwA`6GSXzg$5N-d#67FnzWuIRM4?&kuS-PvM|W zgf-<*b6apvE!Q6b+W&O9z z9eBl@b+Fy(pWfu_dDj7(wSduWv>EQSMkrkhU@Z7kyWKy&-T+nj`U4i8x|DvVfR&(# z7Z?=Fc`d|$6ma)G95nwo=F8u}Z{X>x$%xqOZXi%v??IrXSZwzHDx>)587_dx*e@#{lD!yU2WF!=P3~5IcTsBgrGo{RRH@`jT@i* z@6SodJA@n(%3)mRk#85eEOcT z-oC_r%^O3mJDI!F)qs!4>gHH1ZaJGBwl*&YNJolJtc^yxjhEw6boji*R6!A~T6B?w zG4RwZ`F#DY{rp1@wsc(*#kzJG#B$h+=Cvbfs_i1Ygd-b6W%=HT^7bo@aK6{o$}!Z3 zt=ja(RiGLSLUq!CQvy}D;_a*7_Y3@$4QAg0hy)f;zqQ9renw{;SZp0K1%KH0aP6yr zyCntWJAkSnA-<3r@j-q3eaNjnuL>~g8=Jt&^d5O-0e3`h?*e!sn8+xI`M=0{qTW(g zbL-|pW&|AY~ zkL?QqPY~&vwA-8(y`+2A&_%p=LC1n1krj6=gzEQq6e;4I1;Nmzd>6v)S@`{*Hf!q| zae$m-En=3M7YWb^T>Fzt_Kh{gfeV5g$(o_>Rmwerha6^i$A@sT6>~+^J5{_X5EJS? zbVdc=_*g~&!J>+N_AcsM9NXW~8YQM{?6+JQ$f-N#UB%>WwQX0ec(~QxRl^sznbVST z^X-M=J%*x8aqN~zWe=P0+w<0sSlfi>@E3sH{7qL+bb$I^BWAZEO=C<3oJaAnYA7 zV%Ed|#WRvtJ>!XpZ4u)Qa$J3wKWN6{zkh%2uLVnG*27Hh%4$d+e^~JySM$o;QNSNZ zQQ+pGTT8uo38~7Q6l)#Ne&9sUhlltOx(=i?z zyA!pwXYHdKMWqD-2YR^4Ll46FIXaGe@}kPOjRz9sCaF`RH~&t0dQICV$rF48FmfJDeQ0w6Zbv|*AU zT$_dDCcGk+Bn^fRV?`sQhk!7&KtGGcRPzTyHV9-vR0=UzZ~r&W5Od1D3g(~G`}V&( zd1wL~&+U8hzzKpP(n~4fHWyfBH4bXamoB`~7G*WiyCUQp=s!U{fy-sKeeQEAEEB&D zjZeJb#9ofeEg5l-fe>vkGDsZeEoz@0F7S41k4#VAYCSfwOB?v*??1kCxK@837m=cj z2q8#&DXE7eO$915DlAOy?8^B?iOHJzW?{T(Y;W~3oUv$owU!?}RptPv_GD%UYI3mM z{-Jwhg!?eV>BN1tE$Dj_qWXe9=~7;MvMFO&=@jRpBclaiB8krT$8p~8XBq>0WyMj? z9rA{FkaO&)a|{37A!ud!M%~|4Bl4c61gN5G6fOuSK7{aPmOz$&2go@YMj*sF8Q2tp zhZZ(y*?v4yuLagT+l&IpLhO3XRx;yRAIeI)oCqxGtt0<<>fc=qw8iQT{5>)ESn<$P zt`qexCMHpLKi2w_u1XXlhA^`n7n+(_5WBr-4-f}t&SrV(q=Lv!eGD%{~U18=d;M{H$142&U5~i z2I30Z@=pdOIZ@-xMoS=Kkk1kq23o8PDUTbq13_x5nPeqMS5oxyDOq0tVoNv#-mR4c z4TvUl6mWQ60|79Nh(%o{|IEK+Y(Ny7&1l$KXejScon;?g zN*!!}G(AFA0$W`Q+yLPGeBljnAHHnBxZ!S*jkY9HrEJ-J>k+^i^gBhuZATWwG32O$ zerC%HEX4d7>0f}Ly@lV;dxN#oW42P=V1_wOs(#Fwq~l9DVN{ zj@-Bb(_z_d^W)LS%WiuSEmcyS_d1PhJyDmsl{zBMAtjG55JJ(m_?>N zBVvIBfU)fqiS!Jpi~T6|(Ed9@=;|oj+RFB%HOE2X09Fb1@kpySz5kr}SHF4S*Z}J{ zKu=(sDsBQvjKAJeTG0=(?klwuA8;lDWE7N^-mVb`9ZbOrBv*&EX;DlEK0SnG* zes^QuI~9Wlh@8+h_Fo2%`FO91xSh{x2Pv+apug8W6`GFVkLRE?uBcnzs1Hh-Y6h1H42+*=)k=*Zyjg#k?%>nsTn|KiJSP@E;c zSG~6*ASfAc|DnDaBqbLZ!jcu3Tf(^6(>^#Whe%UdtgeZ7CzK&5oI%#-dc={91P+eM zwv>Nv9lX8>-Qi*EjoJZLqUArq)kGv2BVJQX6(EM!`Va7XB0h@os025L6H73iGy*@$ zSU6~~zEQnrByyAO(~RgjUh+qW9`LW^s_E$HsMC!uStU3Ea8HSU(f4Bg{o#hh3H3Y7 zK?Y!H;`SJR>l^QkpK_D#x0D^tf1u2|6rxMg^sYX_a|eWRAswHFh)@Hyoa1672BRZJ z#QL4b^P*QmTWili`It{bKqZ=O$< zwg!ZMbVI0zE8OSf`rA2QzTkP0V42_-w^vq>Hv2yBjIleK(j}(SynP>)LRp-_8#v9j z364!f;JXac81H$o;9Kt%3%@3nlVr#jI6>i!u0B{9b-skeJZMsYuAT{EN77LoZ*JM` zt;Fx~0SA^uZ}vqio(zD*dPKG%PUt)74sGm}|9qP{k@2{GVoHJg9i3!Tn6KS$w@D>iRM2@s>^UJmItU;9OC{>Eabm97DONeTBFU-Y8R z-g&9FiJy`D5Jh>;zp<56L~waDwtDvf*fmUj9Zbj=FkIP7i4eQPk>8@TA4M z-@C7#U zR_T*9JKYi?`{s3nyXzY*kwy*SS){v!CBNw}+p}3l<^5XlMExj^Gf>z|AL8dsN(PtQ ziCn5|Yqn2}$)5&dMFR9M=+lls3X-^aH~IvA;c;}^J?v=o_47L~enK)ims0WPgdMAg zfhhlOq;an+>l1^aHj=oMsRcU6N;hIILKagk&B?~vDmFlX%uS$^lR?D4UIB9InijLH zy^E|`$ijI@sZALfc?Hb#sSKdn-cx4&6rA>->`S`>=4|0#U(8iS>B_S3d0p==|NEq+2D8%SfFXQ{U z4kTd@D7V1*KpH_Kx?2y;xhwm7yHESRya7~ag?^=RQB=*PJr%mvl`BTSm-Nwn7k{-d z(RJ)R*%`(!V74gE@H5;$=cu>5L;N2}M$3%R#SdLeU>eM`SHk^;1-=YJ}kPpw4T7;7Z@6OpuHtNIbRZ-(w0 z?X>3#49`M7BpR#^B)T2RzfHK3(Ufy4Y;hpSMpA$m{9tRi*cKyRvI3XI(^7Qk;28uE z{GSh{zyISSl{Ip7QRVJ^-uhQPFujhR$#jQ2fy$d~i&VVimKYP?e{=QHy@7HMNBR2> zo394;6_;Js8Q7gaR$iuxTd>P#oK)V9iQ zmd}Hc&IR|CX5CGA3BsZrg(jz0&(FXYNoN7IKF$z5F=S+YeLj9~ z+fv|!4qdU`KzB|{c47{4zu(un1fP-HB;&jF4V{2b7={jnS5&_+iE^A^#j37gGcs~V zvi1ftTfK$*&{5*_9->y`j%c#MmunxSeTqwBsVJ-xo>A@LQgm~T-F;|k%0Rqyq5cX4 zMl43X0`B)V@jDz@h7iEJz+qeJ#?&Ynbr#zjlnB(5UExytZp``>Q4HI{)$l#7pCRXqHm8Vk`$wEel*c&a9g~NR!Fc6jZPh;f( zX}ACmdUcMtll?_3g}L%X^WDW$Yn_X2(sLkAU-KXwn7jQi6VT6_j5C`T1jP@AL$V$7 zNTQrUs?@LXfK(m;mrwZ~!_*AJnK|G#>xrDJd6cU8wJz1;vKwHxu&7qD$@7x($8Ehk zSy^oj<_wn{-MbeyYF&pLYD;gwpJmsK7r@2kanWe(IAB6tVp_4?I|c}7jU-ZjV~>+? z%h)hurAbyxo@o(W^{M9G8kqrXVBPpwatlIt0&U24U$b_LtWYgEs}fx(;xPP;Oui%A zu(k2ZI3RUqEOkrz@qZrr_3+`5)7Q=&_xV*_KTs#L)_TfLdgP3_IWcY|pVGy{ZpiwD zCeQps1A*3Xc=~Tbl%~A!b4dAsl)t+I4|~wth@kvSVnXY!!SUye4uMu_7&A2|tftM0 z^d{%jy_p>-!f6C^->gNZ=;B&@foR|*fo6!Rby-lP{34>K6NCyY1IMs);o*A;^oQWo zX;08j+!M*gu&DuR`Z~QCcspj=qqaIxXg$0aO|NQj?Hr( z@%uV>>o+mnu%=Kmz1W?o+BL7>rZe{ZnC`8)u{}p|>etDxnNSSkwc!tGyq`hy4!#{B z96$eB@iIl8tvA1)tz}zd%7KvtL*bBrSWp637N5M~F*Tg;dj77_w{?;IOlU%aVTq$} zItQN}mv3z#&0gkPan$sI`Ed9SnH+qu{%{cObJ)A7W zL;28KaoU#{`YaYLgJP%Ucd$kT?2-eUP>e9>U8tP6QJY6HH#JOaT7CPnBhre%RWe1a zR2|}68PO=AUK!>jXNjOCXFZL5*R*5h!w}2^s5kbADX|q0;}EQtL69_1?cdw7mzbQl z>(@m`Ps1uROss~{Z*+_TF>VN4?yf#HLa4S^{m%p0#uI3-&InD%1~ETEtFH)ye#+{$0im&j-F>dy&EI#Td1QkYnvo$ngFI{lhOw$f%(f?kGC zvQtm|UX|VJkzzJ&FmH22Ym3gX_Q08JEWq0h9CYNw8nDPe9SRS5i@sTVSbuAk2Yri$2ixU=A+TSeVFpY4xL3%kxsBotoP?XTa?FX*x=(d3RSB?_7T~q;ziW zfh?I=1y7cT>Zbn2L0n9JYrO23*4Ld6L(jN%YRmeQXxQJ9qlT2CSYRMnHXc_;oX6BF z3(h1pcaAf>P(A>I<|jZa9DP(~+CM!pQg5sa z)f%R69hkno`O9E)4omN3B4;4xh_w$o6QpL6rFVD8{eShu(3M&sa2+$2$_=hF4H2v! zgb8nicESpZg(y8;*uhMPtf$^8u`E5I7G+aLi_BwlgaET!(6>R;k=P=)5pUYWdQBR9@@QSRFq#d zdq?>l*y76#=K*h64lW|@5j<&*3Vx-@6KZjefhL_LTD2cEscw|jst3VF_XaY?Jh2R& zu;sG0Kz^D+K$+-cMap~^-t^VC)(t;cGEo=WN$(ac$Cy1*SHFjF%g!^bo(5Z-iNuqe zbrrA{u#$XRtL-yb7#=6l*X#@o?~qMpim!LBrFA@X;g3d3n z@RI#d0sE(0AB~H>*K9Tc3z-DFCbl^vH_}1}Wgm{<3MTaY6 zTcdxV68q4vJX#>F>__`x8I^OHxzir)h}e<*0yvF7RpLIYE$u&OH7(|`a947)I?-=u z%e{!|#1|fhDBD-Ey!kO|tuz@zi!L!`Lxg^@k~IdcYuL^QG%b>=TJ><0l&6=pYHsA3XWg+44A@X!5gY8 zY0Ir*J1N~SP|4yc5UppdO(`*gU}KWDIUCH9&U@|gGnIl1WW95EYa!nUb1PrtzFg!< zH#9FRhow-cLwVz?RDO=hhGXvVr`2cFU9Wr=5n;a=^*o7g=sW9gO{>}4U1|D7+^McN z|GDSF|8Id4lJ>UeWw&X`*y;5dmuDVfmTuPE=Fjga&(k`(Qn&=2ea#$YAT<9_@+{(@ z@jRhTgw`@INS3K&??39zxe}#2z{`4>?c+ z{UeW!ey0nSx0`gKsd5c*1ts4e++Qm>Y&+W4I!Wp=BJ}Spwr;~9tSX96r+W0oVAz*j z;u7FJ;=Z)L=#VQ{)G) z(KKO8N&!w_R11x8u*EFd?;3G^GPPBqU!hkMe#l06;&F?$6*Aisx4sktr1XR8=@$8w zC<&c^oo9^SP1Y39VslUl10dI>qrm6UVe#eFe#>EUh>u!ni_3gBvx>uz5g`AxBi4UC zgi+mWxAI*6KH>k97UBQjK=DjxJmFYt?B*iHK%r?+Sf;w7GLw$sVC>L^>`Q}?gT}0V zEwOettCEpoL%&LczWh;3eRi>*ppHnX&fZel&9{_?<3!CNZwX7mE#l%(nE1IY)hgbh z3*9WXms|;ml83hZ$WFtK+1GCJ5>m49rD}w}?Ty8&m|LBEDi&oAzyDp1yHY~^=#03a zDNxn4wgdzwRr~qU=!DYO5$J6Aaq{#-MkR4tHRP`BV&#Veq`+#u47Q%2Yms0l?M8?d zF}o-{=Zr4$mgVnfHsRz~nZ&Z%55vx0xOAp?YPPh0rRAncEmAd9PDT{zVDT^~j3_&7 zD3>gLHui`wsW(GvG;Pv=7cX!V7u2OI^G#mCFxT(YvB)!>i6ak;F&^1+LBm3i*!xLY zF~Nz`J~L1bCm&F?R{nx2EoN=-7ht`wCzM}S-;yBya~S3BK-A9-Xo??pm{yM#*AGKi zUodv5nrNB+%Y5{fjv-vYM5bXKrO{==%4wHyt0C?#m;0#GFbdFVcClOB1?#D({E7()i3KhSM6wd(Pzx5d%8d zBQO}}DJ-Q6+PGkl@7M=$`nad^+Y8R`VLe#xYn--bMK`^RV7eH%|1B36+pT?99v?CL z`wJhH*6pu#AEd9{mOh3x`|FC6^TA(Ek1zc=O!4Z~r3-A3G`Iio1=hXkjN;T1OZU`r zRI25MNe6bQukXz0mi8QRwq%s`Y)c}JS9$_vlaRi;f2v8I`7~?TGDn#0hz@z3G$!yh zh!v}0Snh5QVWO`rY2il1f1k%I6{l6*Z!+f@E5jl--DA$Ye6!Rt(l9{0QunqQF3p$M z{991=g9oo%|`nqLx^{8=5ysdp6Z?Qjor0IewvvCDU#QpHPv@l;xqQ*=!GU^Q*HPOAxXk zkrV%#8nGi?At-QVA?X+ddem{f==rPt-RSKJR@w`7-Jb>sFgBlZk`A{m=6=EL@$`Dc z?NXwpW0~2yql#y&sI2z9%!5&A8#6ycr#uaBwR495YZQdS&V7h??YC1=VrtV8uqM;0_Y=Jyz~5^axS7;Y#rP#9m#&MfMNT5olBY<4op0^@Cm^ghB`XM8Wl%^2k~&rc6i%!e;h9r4ECo$vLYe{T|l7l{JH9i3vv} z#JaIA+K*n!C~^Zd^tP`0#9td;%@-~aF{&I5o?EI8PVcUS4$P$aEjOynt2ivC<}{Qc z&q0RsscX@Um+rF%z)IuANrIi3|#-wf!@U)c?ael1>WKL>&NeW{QH^I-}Len7q9>6k2iFOCVjpdiv0M3R#nkA z*tM)xHPUGtY*1;qJaBgN;m5yIgq$~Nj9fn`xaeA;jaSC&=1l9JH-XECuE+-d;6Zs@ z`%|955lRSTRl&GJp^FmElYvNvqS6*LvdrY!^kv+F6oxh2GSX^6dv?3x^doIU z1EmsC%}H|SjpNqW5=wWVPho)PHUY+nZ6z`iKw#aS{8C0Y4i;msT%>od_4rEPGxW~9 zNi(li3vW*8-|;bVK>If%1RmA3UFaa07u3s<*(qT7Piv+R zRvfFgcC%}V;3u|(JaO%ms?~^O3Rk)D`1h02{a7GH!7Ri-pr8%3UgvZN#J0Q*4{%(2 zcP$NSD0NzCXtlZ^=p?wz|H-QfH<9p{_W*Cq&r6pwzYApZWhLKp|L%_k^FeHR0 zOqVqvXFzQFIDfFkar{mNmKbwnvU#vTqfkpHk(%x@->-n7Jkx-w(TlVjC^5nn#+}|f zEM6AAayJfE%BoE>gj*?zh!gy^^-Ib@0?yI(+VSDoqPyq1`ow{aOE9{;4m6wJocjN0 zdkd&4_icSx5fns0LO@AH8tIUbP(nbuyFsP9K|(-~kZus9B&8b!=@L*HQ97hM{pP#R zIrrP=j_=<8{r0~9G2COUJ&@&E>wVX6&iTwIGGlcH=bN_6BhdOib=|jKG2tZ|G;MQ| zVuWA#tAB*f?^*wn+6*5#i&EK}A2jO=3CERu)V0?z-yFD#8Ae~~xw}uZVq4hGOw$`d zrs@!5(B5i_!!mNsP$cfG7lo(zcN)`bkbrjP^WaFMPf5lKYku^$FB1I~-am0HbwA#E zLsXsl8#n5Op*m(AWbl42<2VGnYYYKL|2!xXJMz4YxlmGc^+c}?7lVPv94(zN#s^sD z;zXa$;cYmIk{vdA!7u>4#249!t(ZDO*E`eaWP^3Qiiqb5s&R&v+7ln&=zFv$00k=s z-DIE!!oH)Q!Z5OhL^9GOQ_3hA=^7xL2}RTor1d=KqCk%OXGCYdpS=hiIldWze+4dYM!^%EHVl3CQ8NWi#YR`s{}u0ymc zZ&=O*s1-sBJ4KU@F!mB)sqqvv=UgT>sGF?t z#Km+fKzUNrvYIMA;AzqW`BcLs)f_qD)c#~X)e{Ss2+n_=l?};f?w(`c0OU3ey=qjaX<5DphSq2 z`I3=FpQwv7fj3E@uW2lhT!JTRYBZTrBLDKY;sVB;G|JfRv^#~muY!y-6}}ltI_Vgg zMAK146j0Kh?5`gL5wM#N{_YJAF8oEp9$FCWbwsEw+DX zY$m2kt?y%p(6E(n?cF*)(M;OBcdGy?#93TH!q!70LKVKs|6JGtRoAd&y-C&f?CdkO z`#~nvNVZhUu&wejn5m5)g=^6zAvneqOZQK-YEPPJG|}U=a#Kv>|{}n(wI&Qob%Wb;-f3+D^YzJf1H;-w!en5!$_PaZRAUBG;u{m zXhRynO-FtRwSE)f4fWKn^AHfw%oA*5Z8Vi6lkB7dRkpgYgz)Z6SF1uCe#jqOS?*|mD|gLc>H`yT`sFq}BhGOP@A_hm*PFQBBg&41g7JPUvQdtUhPR08nm%m>6d!Z?k@`*uNih~W#H=jgt!5Nml5u4bISYtQrduHIg%`1zb- z=TJ>9%UHpwodk1@#&7J$4fTy(Um88{v1gwyxlCR2vfiVXa3$aUD z56joqe7E%3k*CC;tqgw!P=!&DOg{Im2zZ`MV%X*1;*VY&6xt9hjWKB_QD*D2@4!4Z zW$f0<+G4)hlywPmy=?vFos=&xn5b>;k3SG@eeD35W$*b9S=_N^9ljL5Dqm5 zA)cK`34Zu9L5C6P*B4tgX!%_VY~ZB=>BujH+<>RitRm!yGDgd@$Yx4VjA`jq->|ph z?UfgoR{OfDPj(KsX1`IHk_gFjlM$MEZc19Y{p04sDf4n>m5j<&C422Zwq(dPKHR49 zy2cPMo3br^~ z$7)>9aajy=M{;7m7U(|aB3B+wKI`>ymv|4|TWGnEnwXC*OET)y4#ftQG40w~`!~o3L87Ih91_w>&$b*OQ+e{ual&Q&+*?<5!&?g85Z`Av zUMmG-WEnwU1=QoQ)1#dXs!kkBO6=(8HLK}!PZkH-MzN*Hmgk7}OMG|tioX^B=r@=n zPwD+infAIc9XBZ!v2xt-Bx@K5pdXT^t1;l2Z&m&?eZqZy)v33F)$0)V(Cc;8`l1YT z$3L#O_1&NUaUq^BD6yF(g^vSNJ(tl-2ii|7EZA0pO=AG+KyoFG0Tc5MdH^2v zBvN~jnuyC!OtoVEu<@P-)9l|VJnzGVfB+_WHQT^alBM(pZeW-YN9Ln&)@GV8XRBB=GyKkI#sv&>+>QqXnG%Fyq9FH z)H}V)O8uwqQivBLPO=*2r%VM)USeP4zw=)I zT*wDCCoYkKMU2MV2zM0VguZiF0glUJ|MU6Zkn*W)ipM%37m&{)KGw`2BXzukl9}CP z>d!CoFFa-o7V?I5x5%^KV78!&MJ|w}UY=I=*Qdw-dh9%k`QxTt(P5#=EWYvg?z{g2 z}aHW1CKWv;t~)pFOo|9n%dNz z997|4g@6dA1@8XP7cS|P8^54v$Kp~+F4chDukwk7tN9xbVwcf;yq&w=buupvnKnRI(uWJ%S6}&Fng8 z3uOdgq>nQ`SRIj-jA2~9wFo5ENU)xA)seba3`q#v@B#5jAV?^{c~bXyW{>ZM2UYCR zY0yS~O!Y5OXVb~aE3A<$tl!t5gE=^~CSRvsBZgTwg_8dnzzp z4U)hESL{n-H+xsdbC`-FUsykzo*^l^Wq3jrWMCONv?4Km;wk~eZin-4X3CH$u)?=E zEqx;K-NPZNfk3Q3+3EYTnr8?VF}@}Q$i$j$_j#Jnf2MT;?UkLhBLt*q&7y|r zRXBaAixcof$$d6)n2F^#N=Ds+(&>9)ejj)%{m){>ux1*SzCma1S63(QpH43LGy{?v!Mc2c^*ttx?D# z<|$yfKL`vti3(dwwPAnz?oX_X>#y7UBFC7vCTZNHTIK%kN!pQ$Iy1u3OX;3=s!=MV ztX}G#VH$E3|7oagxVqXZR(6NOnQNRd&uKP!h~kH*5-tv3I!H#?=q_~e76*bu=|(4# zY6L*;wSvP~9oOf6=H#A-?<%T@ZMLhoG}fMK8?AgBQ0Pv!`L#%QTE3%oAk0^JVv=N?R1c#P?2eH{XcsYZ zRs)gHUg6?ffw}h}Rf?OBz(v<}nW~@v#sdhL60d&n!tb{>t$ezOr96r*cK3L=CC`I} zx>|*riB?T||A@a+q~Uh~2@A&ws)lsAyHt{7gaeNVcYo#dn|jp>apix{?;pA4N&3v$ zRcBh+pP#iEeGB&6N`>FV3wGLU`J8@r+8iZJ)UFm^I>GLmo<0^a>5XHc;Vh(j=;{#Wko$#->UgTh2lu_yFDjElk@rza!wIA*fb1^p)%q*jR zlUgQ;7F7ELv@7laRAa=tfkMx3h(*}shTepU7@vGs-Qx?ZC?xr8`zzlVEN+&v?pw^g z<+^YY({j3@o*x(!-nPQzP1A6w%mIJ^z*WoxPud0qLMQ|yW;*qf_lj+hbxIFMSR@7> zwMY~~9}uIR?~7x742}sBG&1lL;~!1lp`zNTTJ{5?h(o7(qrl?X_$6%q8}FiO-3}}f zX#sMj5an#HYEeoO80WZBqGew=m*Vk0v&i>o9~B|G-rP zwYxAjnNDus@5J(0c6%tl6=%dS`KyJT;s>Q7io{`{)Z8C2D{WM#n0Du(8F4o8v#Y86 zX8V{G?P{}`s-iRr*;bQ5HSZ1S9ed|Clg_MZA zG%bh<@^t(90Lg_zwoWLoK0)#2*#hH(I+CDjz$q*GW&_AQzerZ2e-^t_wQ&gaH&OM) zdT?zs`jRHh8?v3`Fs$Cikf&M{1N_w`J7yf@3*Il%6w+KtJe#WG|aO|q&j+fSlXvm`o^>m7uJa1w(9{%u+LGl$uyg)rR zi9+{UW}~{>ckpYR&?coX67~c0%3>Y#Y#OYfn@s_?Zju%W= z5x`7YW_xFi791E%$m|%Evy0YZxRBukI3W{w#5oR1Lo!irSWV0a#9o_pOn-h0cFSGL zE>hnvZ7b(0hz5f}mOg7yF6Iw{FexQ0rxg9=?E4yJ;gFpofxyb*pFv}V(bfY_8&h|) z=lDCELA$z?k6_Ge+z*lLAtc^bMy}Rztw$;piDV?~X|#r#-}NqP zRqM$o!EfJbyN1Va81+_AT^U|N;BLgBLyg9!-`nj9t&C|xsdlW$u)onRHu34%E^AcY zieX>CXjwL-pFyL6V=5zIG<8rbHm29a{}<+kKmW=$x3_y{+{tVu=6jb_f0q1hny-L9a-~z#x@2Sulx&wbAOhsPih>n3Ljn_PwGseO}8yL&k0dSkl=Hfg^=#?yl#=T63=CluPvwTK<<624`?5SC^^?3erDaX5dEqx?~>;nDW|!xKKn z1OU-gMDf_e(#(AOIIgDvt9VNOf%w3{!WBhEHB)6XFZz-DivDVz9hDF(l+E;U2CcpV z;GX1H3MtALna2DQInZY{TkBhXg4eZe8d-g8d4E;1Oy6!n*o@iTl zI1}7QO(s{uK{{;qV3MyXftB%oz|>fwRQhUguj55C;)71l6QVAs{#7C;BvVo)T%5$b z&c_)E6atSpY~d89j@$F`cP>f%H^a;SXt!h3-L`gIW-wneP9B#1Y~YD;p!4882CS&7Pcv_;N$t!&U3DH9 zWH6>KT9w0+dF6|nr%9(8joI3Qc!niYpP@^YK_4FYAqw+i)3u;NAis3qkp*8vFlE2P z6J@I`Qig#aYNuFeqsix2(iezBNrLH0&rI^}{U4r)!Z_!!Sr(<8PaxDcz8NIYXzW9(AV(lz&`sz%&tsaLK?<&&15WYy0puiOOE|t^V+59nDz};b>!TLkmMMlxVBJ0`~=F1QGcOF0}BU# zW+*O8?w08mK~T+)$1V@t<#d5l zgPx4J{$zVh{W3l^tAwAjO9`XL<3SV4qYoT{{F!gQF!r@W58mehhdqoX44 zk05y>-qAwydJgsgS)&AdKVzo7m;ziz4Vh!dUeu1}{ ziZ&Vkucz}R^vWL|NcIN4+y(8(htNF!EMxJT{)RVr!Udk5?S}HLzkCw<*bVep0ikH7 zyL_}fhWy?Z^jcrGP;U7y;FMY1@x7iUywh~3RjhaMvkeJ;p8nL0bEQZoU8J&ixS})S%ciRi~fGs9mM8!ujBn{FAz+ zuDs`uUunxy=> zhN3-Kzwh|rjzB&k*(ZcMsNsUyZSp|@(OafP;{MPD+G zI~|;oEiEbGW~hS81O%S@w|y0cg`3n(lQUZ)e`4_JP$+)kH!r(CSNw_N8JS#4d#bHm zjY?28G;5(mnDjC_0y2qQy<>3~9Z&KNC{(^fJ>t(L_a zZ;!gRumy~uw}?6875$b-ko>4KSQ$>b&@Ein&an61{WFyOR~`#pKta3ozIXI}#&q&~ zW2>Ru_k(nq)WvvtTflIA&LnzwR!*|Hyr8CKxTl0_7y&7uW}OZnau3C<-{A(toBK;UuSemRH})e%(- z9YFNR_<%nNw8>eV78ioP?SmcH$F?sF8ELaUVTQMQq1650u_7CBVSgmUjLeGN>H6Lapr%;pn6ENjqGc*GnF?ze%t3CEG-> zJ?q8`9l!ZWu%8$odxCOxzDpkulNKl7+n83V@9=;WQlb*QX|EXnV&Nlpz^LK!dlj}O z;4du$90cWlkneAFtyZfC^El$LCLdsF$hrQxoBa!qx2e3{O<4&G>P(Kr)JqL~zvg?? zWpp?#moIjW9?;NCUQ}UJrwLv#(L}R1EjFB34@|?Q3L9FKd@FaQieKD8y_`Xfw&r}- zzg*L3H_%+v@SaAkYotsfeLv_UjKN}3#s*Yqwv69~bL1bVq5Fm{fN=E=V(QY(RLiJ* zH?u4W2^)?Ls0hhI=K~dgH5`oglSa;<>{;10i#`CW*>6mSP#VI4^; zlSz@YrFOYPWh@63$*8PH=%=s;Q5+~skHtb?`glh??syr-x4VH&LFvzXxn~S;WzFBj zrn!th)1)Z*^i_;Z!o2WJ&+VNtAmzLVfHd?JI@9_;*k2Ba%uOJGbL(`bm|AZK%Z^Fe zp?w@psu@XVP!1PpcCAU+fq94?@h3qByj5TZM8G@HNo`RCC6Nb~s9vS7sFPg_hE@Ql zs?7nT{qM@ zaLFmErt?)Pv18(kF*Dpl6zAR{0gJR;+FesWUJuXuiztZFUU0-g{I;`*)Hw2bC-Xz!62Q-tz~ zgdX#0w57JJq}pahJAzAF7NG*>kq%YYWx>mtvgEa@3;tg5vUvwi zmgiM2=nNyFm*k5}GvbD%2_%L~Xn7s700?Qjs3y=znZuc%k#UWy*!*#UCCSLbaEM^l zi1@1ZNkDbGTg+iL{IowqPR&nw{dDGhGeB_ZgTdPKiHZUtn`-bY2rU65%3~f5XEw)Q zYNXgH-j}XiWH`J0|p{$xYj@U}0bNaEmpQGYGMT78TFqt>P?O!|ICa}jO>{O}Sqpx!AH19TW zbNan4B%YP(BA*Rs{`K)UW$z{HTjY8|vfOh}Y2`muZ3jJnu6o5J+_Wo-ZV);HaRb`E zIngV@o?BJVh8t%jh^_Y1bVkZuOM(SReM9WlfXz_g8n~Nxsi| z)vk6_pk7KnJnvUD7Ebx}4F5t?4&p;HVNux`Z<<0^>}Xy=ep>wg#OwEgS7?b&^Ou4>8bh#GIogs=1+7!Br788D~UA1w3B8m)0IR*4L@YBt_^?2kS!#iJ$|pl}S|eMkvslg4w@`tltY3YEbD(KAEN} zu{*J((-e>jB2`u5)&0V&o|Nn^-KvGEB+zgwpI1Neu$xhpRVrZP``fB-ipdX9Q{W5~ zd18YMpk2`n$;G}`uvg3$+D~~mbFQd#H?ODJr)#~&rHbNiXT2%;5Fo{5(-p^fMKSjW!2Biw^$AQ@WjtbS-s*w|3}z?T-f>ofrZ#y zgW!x1{+?6Zt%+w7B3)9VlfeBkYt_p4wU&FTdPX8S1`ZLn%{wQ8v?GslU}HOli^vJ&b7GR^**do0U)`O`I4Jc^nNKQaDMa})xc zYJBrk`%?vV7mg!9h+98 z=h=H0b3(~~>uC$%qOiKKA;O3stgGY?NTBI4qH{|S zQBFn}eRWX7BGTxZBACkt%z+_v%W%~6DMH3lUs*DeYnAZ7EQzq68J?8^ywCRU) zoagjN{$??(lctzvSV(uFIXBek(l`>tGg&ElF)X0N>)2Vr;*WWgKKgC9Rfmd^Hiy%z z(A3u{utjgK8zCMdtrQ z(eX4>*5gyjA}H27-_C+*#Jw(C68y1gXedc+CNI9OSObcs0|8>KmINFADj_IQE5m=oy`n$d8??u)Ef|^Avk&m2SsL;1kA${xc zWkq6_m*R4!c@|T)_jvcGmTk!Hg#n4~r&-zho7?>iWCcW09?mTkvq-de80!u$xQx^(y?-hZWM~kLFN8Ab z*z_Uhe8q3jU%dfWN~xWN-b~V#<%+Jt%+71)Y+QF52 zm|g>Z03Lz?{Ke{*hK+mf(C&b@p5w4%Dycv@jQ~XUF{Cdsw8L^lN@jl?y0d$ z&nuK^(&Oix%|3=3!^n)uugdc#eN42Zau{8$%j4lzqubX)v!&JnDumAWImtwuAKX1Y8f*dM6M`iF`8faqkm0+ zh*u|uNo@@aYn}(6AR0F(_GPj20qpKOq96i9E9HSrx{&?_tS*jNEn5i@5?aSO6A%0t z7wJ`BoLeLhy>X*7aXx_EHDb|Hl_8eYa!kMN?`xhVs!NNX7*s8%k<9N>0;^6|DqGr{ zI*172C|ymmxWse`TkW%1k+CTps;>V zL0qtz@I1PvplEU$$A(Ihc$KYOARxmVKsX<0JN3RcrG-bz%(ZRZedB!?n*N6i6CID| z=NF&BacWHSuj3TjT=9JIxQTSSRM+Sb7FvM>WIw*}T;Xh#;v&I%29I&BiZ){QxGhEk zxAaQB#K+-GQ0nm*q`c|)v4ruUYEg#057zC5g_wYpmzTcwA4g4tHp@q_vPJ9$QEINW z=g8#=vkG#av^tDd^9T7O#hz~jhdv$OUm(zu{fu_Y?sZhg%y@pVo8>`i18wzb8Rp=4 zm2AaSyHfHg*-*XMQFP++UpPts{43j+y?tCVZoe&mV86sox_Po8UM3i0I@qpDT3+Eu zd$;SI@7Pferg*5)qG?P|I&&~ZV^z`@#?vj6!WWjxQkc>k)&4L;~0fUxFQ$nZa*}#j?|Sd=3hZaIkLXYv*(lDv62^ z3nih$7CbFh#HN*v?+bp2um8?|-oXN39288iE-ERLXhD1y(BsdH%PjN<=D4`xyri1gg8f;T0u_Eg2imzlBG%_9HZ%xB)qx9mP{hdB0{Xn&m~GxCtPJ$_F3UfO>0 z!*-7$%xgT>`^|VQ~D$8uO}d?SWy#&_B8tq*+bs787Mse zubSfief1I%ll~OaN-cyg3NT<7{6`|nMk`7+A)NaGC@wOr@Exqq$axhBI|KB?N1d2K zt;^Qn8EWm^Y^&*G zgFaaC2gvk&Klo<9<3t-h!_5%{pQcU9D}k`~RodLVoykx+HO_(>0|Af}x>U77!zjHm}<6buXuRJ6d` z$L(SCLw(YO?fopM+H>3BHqx%6U-HgQag`jewAu(Pv6$dm214i~gHKmI5K%?~$U~*l z)!&c2UApsMP}%?gy*h7qAqwT7YP6k;QYwGKt_Ni<5Qt2an`O@vfzoroeU&xZ_F#QV zDs$5L6D!%@<@f$$x21MhZd5^_$Nx`=YLjRh!deBd+FUr-Arhuo)Niubbxoc%S{x{{qGD8*ne2KQ|lxzw+!Cyqhl$ve5w}nFJML!ofNqk=sg# zgpTMH>Y!{I@TwK^)mX=Boe&>y209dA61XT-n5*~KWy1=BnA>u}OSk*$ z(36#?lKpYmQC{TFgS&wz9fXWbx(`i9U||WT^x{_!ST6Yp)_lG3q?O(F#fyjp1?RBD z+kK2wycfUEikY@B9EAy$EX>uN%Fs0yoy3n;)XDaF*=g$J+Nh;iwcHigd9JD)_B2U0 z`WJtM5C;m_OGH9k08i|Z<|7WtYhZU07%TLpoQ?5-MgJ|O&U*Z9?4-yuQce2NLl3K4 z_I0B<#3wb^gLrn(A5Sbq1>N~iHTm_84)oSZws}d3QkCm7g(C|g6GlH}8IleWT6U(S zsn@dx*D=?z3S-r;buWes>2KzdxV^3W8`2Ujuro&j#VMeg8ELSRD!_MiTvXUMFkZNaD|8`6LR@ zf-NQf*)b$LQko_^#Nb`*8t^(EN=+BNSy?uiebnm-)&^UafKU zCjI-!0?l%X%TvFz1f1N?H#e0P=vU*?N0Zbs=X*c>eiLZBMoLI}_VS^pd83GYkARDJeFB?gt#(k@5AB-0fO}IEzOp3Inn&D6EXLnb6lDB8caVz~1@lS(y!D zB#k@9K>b2uXq}?Iq(V%Q)O+nm*bgsW+<8Q9r%EVzy0<*kPMY5j>Xo#!-OtqFJ?EcT zX(DoWTz~1bmdi%*ef!Ta&BFfs7= zj?sSDscYD3Bj>O8Pg|2nVw@zo0yABwD(~2_?Q}?4BtDht;p0S&s20o2y8KZJqkG3f zZ7xunVW-emU~k$)pZuh*eQ&zrX}mh>=t#?$j!Uk#PhqrvbpS>%$6)LkT3dg-=vK@#U9Xf zdLUZ3I?__=e$)AQ;6Y|rRFvwK5GCPTE{w1j;6GlB&o*XmY;qy>M4)C-qV4&2ShFE{R=$r=99fBw0D>|jK6 z5qt*$R0`>HHaJGiOJnk>{pXI}=4$oosYUFkyk9nV>l*T|xfuB2%=GhZi@ti~sz2Y8xx zwnT9L__tgmK{3~KL`5!4@#B{}xul``{jUzH^sVl6nFe1tsktBFxYN1o_*3I~r65bC zHE!|V_lQ}lq&2h0^c4lygL-`bt#KHXqM*dLtF#=ygC{Ns^QYB6|F%rtL09t1ZMk@hF=bQizI_TKh29n#tD^k4}RHu5JSSe{GxR( zw!1=Fz%b_D*_EBth_b5lrS;LC_S`q&T-CT=qnsy(hev`;-+&-ZD&EK^Vd<4tiKkTV zDw->o`^J2tr27r-PiE~bkvtK^yu8{hQLPAV1iDFO}8)E>En|v zj+~om4W0*{((unNL+~UZ429Pb^Do5)m1LAPQ5qA_BH1%sj-}O={6tP_Bm)dV>OqnP zrn2^oyxFy0aV42uR*7_TmcW@A%Kp+Ic(xnq4kq{*%E_D@IHB*cI8S8I#&vCzu#1(j~`PaKJ6ouG@ZU8aM5Tao3KmEtoE>##Cq&z_?zi z@ggH3B=phV8HSS9x-6!+gUj?i9=oLt_b9QQQat+*;u!)ACRsOQ$ZR7Ln1%hxbzg(% zo3gbO^)ps%FuB*3uIq;+3wYF&?zhuRX)C(uQxZ?MH0fI+s*B_rQo#H{;L0@H9;Pb6 zALco(5*>1_9S&@ z#i|pN$aV7rR?Q72pYJ=_tGCp*P&GAIrM_?ymyC8?Izn~uTo{_{nsaq~BbQZJxe)jB zp{1kM0bfxfzeTU`m;&hzAc&qLJW(X}WQyi&dq=HPSj+s_v$YNO1t%tahoqGqkN0GE z#y)Mh5h-RBAG)Nv=TkM?rY5~P`RII{u(B9vW*BmnZ6T^oGD~FSa&$`j+zr4)K1lBj zx_?-~FH5~#AN$Dcr1NoS*e+L_z_x^cutQkhir#*nvvJ4$0`e@AG5X(WXDvNLYpTXS zoC4Jvc@DL8mCmVk8xMqq7qFe`ZOC@XsF!N*H$JUjNpCjTbGX^Qx|GeNV?n&Zt`Ce^ zv<;pgJqU%Wo`O|Z*qCpy4CAQD(**R6nT&=g`Uh^3pRr>&s zA>`wK(s49PrZo+aw}iztBjy5|6hw{(+tcI&F{aZ*{PZ7MCu79~7!ii!hn;_Fh-zMh z?YYTUSWOl5|8%h&y+EhF5|_UEuV$<2y!i??sq!xW{@snUk@M*AKYI7hw08$frw9;l zB6B34nn+gand-^^xXo*>pvoDH3AdM~E!iW3VkdEM7?Th_+WCHE<8l)80VE)}LZpqb z=U7cc)_O5Wu}8vzkVe@KOY}P;JJMx;2xZ-oaS0Jk_dy!NPDIsC9O&hdXo}-kc|q6E zLcwfT2mq>VpWOj5GWyamf#WBe%_H3pLG;3UbJx7f1|b0f{VL`0H8t@|0if0Ht-kz< zt4y(E3NU;|2kJmLihfadUl<`mafIVzu_{#H;sUt+ciUW-)Rts@4kHi_ zGeYFOS3GkKOD;tTVbCGg<++ODtc=g#UkB^C0eO1=lB(Fp+G#}j<87ogH_v8)ru-I+ zSQRc~ll{U^{c!HxjJSJGiRrNb^Nt&(f2a5j5BdS963{(~wr%51SgtHAgp(b`Spp9g zL@EAMEnz%|`K5ifC2d+kdqbzf;?WqQjUXG`ySJD8AFb`=!YT=OYu;n106MC>*n{x)E$0pjqK{2ciB+MU~K1>)SuYn-8~PTgx| z>=Pq1@dVY-dNxZtEDyVSWKKS|>1BYI(B-9KXa21+%X00$dQMQi@nB4E#z=`f zz}lkzLre*cG*9}8@e7l=N(+n0AvzwPeEEu#fQU|h+n#uiy0gxdk$Nd<#;+Smr=ZH? zOJqnZb6zL?cq9e%XwsiOrqXu5W_c$1*-L8Mgi{tLUC9uf=?~V zEyAmB}T;pyO`iXzT(@>te7_=Li=bQafpz#=@c zuNLy_Y|&$zHD=)Wd3xg(TD|Q4iMv^b_^4KfPbiNvd83)H*4!38$N_UG2BUFLiT<&zBo!l%WB zV;_%eYExDwt+agv@ESlxt^i?y;@9f%eh;OdzZdDU5z$qio_F>L@JID*PbxS#)aXK@pGS+WOYqjJ{)!NxqBK!pr>;Z;r#De4kuigd70Yre2X*rm(V;q1m zmpdO6n66%6r`^bjoilld7|?oJZ!2_(^6!QKmcAOhV4^W(wf-o;dbbyN`y#aScS$5` zz)KUqjz=q;zxd?d`J`bpBdP;p&}xjdmc`kEPkz6|O^6-jy6W?2guS1CR^3GHQVYw1 z9-8aS=hyPlwx6&F81={G*SO-)`+!NJsskv%5OJvBU$jni{04oD@a!-7dixN4Wcx%=a@jgOm2rId;` zvVgV4Gc21!j@Y8)L8ZUw@(9PK_ovxMwSzLL9F9 zWs!$De%meXewOFN@cvniF3%Ti^Sat%oBq_;l(!Z=ui!PZ_WAZ?S4a2nadAHyC<@5* z5{dnCa&^OI)@yM|nnf)qm6g!QLqbKcccY(q<@-<`_r2}f0M%pXmhG+@s}oPgCAT=1 zvirvuHX=*KAE~WJM!E>bXivM4sCn$M`Z%gk0iXX;nQW3 z&D2U<4W70!vpYwJgJPC!gj&&QsBL9+y^3okeS3H3Df%ncc>oeJ>r&bgxF_K8t==`C zH`PXUi%#8yR<)zQR>MDS#3^nE%#S_pY?)<65%zQw#S(4{esPI-W67dVSh7%wr2e~R zx>n;X+VmqP-G)gV(&@m{d1kMz{L2m3l_aYVlX0de2IplcmTJOq!4hkIkoEGv!^1)~ z==d_KpO)#JdfXy2JD=0=v~pWb2}#D%-EnhV+o6(aQCxZQuDLyb%hlL=v*}Je7!o%q zRk)vy54$;TMAEl&ZAY@rhps)%WbdK~D@n={(W$o0+@_vKH)gGZ-7tnujlq>Z;B9>w zi@*L;?t2y7rUvvjmwPV>a_JE&&2Jj|k8>)$YPH*CxT3>RZZV-k=uOU__M;3S(C6R~ zZNKqdJH7tvz-va=V$953C3G_nc9WiPq`j99ok(+Ry>0S;!QJK(l*;QD!xo?1~de z9`+m5HCG+q`L)^_3llnc-__$-O%y(<8Gkn%jK_G?JX0QlLoiTJGC@TX&GIHTN#Qm7 z?+@j;Yqz9X2_?lRDow3)e5!9GvN!41Av$HAl6KeG`9HqNn-TX1SSBZEuV4-qe}3g~ zc?XLNt*I`onpQr5RDSk3p;JTEv`-7R07A6vK+UTJDATcd>k>BCC&*x-N!n5Sy*Y5z z(czV^vYXnCc3zElkI)v+3*mF>>YaahdkJ1e_Cn6=~CWAa;$q=&M7@?)>yAWu=^+RqVkBN-%eYNv%eC6y%rq1}zw z_-m$sbJ$WEnB$l=PRt%u3(w>2y2#8M?gToBT1?Iv|C}&U@9gL%7y^~`uBZ0LErx&s zCqm(kBVPf^M83}q)LUerD>uFcd$kNTKxC4>`t)S;*mYz5bWJ>h93PwdY0cy0krqJA zoIE}~TilV_Pcj`M+)Y*>`o4#zePFRIqT|_Kpc$IBq3=^sph?!aSSKqW#>9Bg8BVQ! zV7Rr9Ghr50z?waGaAGM1m6ox;QvYp>QDoq>%EUtS(O09zY@}3QjR*j@pjq{)xuyN~ z9j({X-#^OJk#J45a${{(0aU*H%vm)@>qZtm_Q8PcZ|lW(eK!9OYi}J^<+}d+3W6Yw zq_iNdlyr&+NP~cYbV)Zzr_x>0-5rtxB&EB%ySwW=W5#c-xz^t2y3X1AFRv*&rtdqR zxZ`_&zA5lMR@>Dxph>_L@Oc~JSW(*mM_kRm9-0aQhXpgwBB|^zs%;|^eV5Q9ZGDmHvNP54Hza}9TFuS6BZOiBjusX5~Yc5yGDe2`fU{^Oa7MDz8M~mbDVO_kz7>3 zdKLh$A&4|<8egaMuZhIDCsob>8+=r|>-4R*j4M+x-Y+Pan&K5#AFx7_%WRXdt0%Kj zRe&Of&jQr}RcL2oKo0VWWd)%SkPar~hJ}?=_+8WK)?2t2!0d36z==0OVWJoEed;E% z<5-AgK9Ldgi94e47v>;e^K;`i8Gm&JBwLA&2uQfHA3D%W*Lg8N&2J{;hFXW!0+;cA zWx+|>oJ4XUD!`_3pf@Ne>A3bJ;Ni|E{R&WjyEVi!l;!H!DYl__l)g8H#fq^p8MUCW z!7V_Ry912wgJpZ$LXnR+33q^;V>z5HnNvk&Dxq-}Fkk>`3^z&A?30%V)LqE8W5vH3 zlq9@Zavf#78tj1(jVHm7tfAK5Ps!;Gip>U4y=>M>&_}uU-E61sJ;N7zL{sgfCMfrsybP$aVdhFSGaXspe3H5N;31Jnr68#e?uRzV?$ zD`73wC1?UVNs0k~p*flRp%%2oL>>7;-9RuP2Z8|^?N@N|x^3^i()P8m%L|y9?6}Rr zZHS_s@HZdSAroHQW)rz3hnE@2${LusmX&=0{AC*SX#P!?{9`N9KCYMJKYe+K`yE3~ zK*a)Y!J!qD!|n(l$HFH~fKtNHG-GG%38<*pkn~h+#2A__bMS8RWHHt6AVcv`Vjw9bRcDKJ>Z)RQoQ>b7~ECn=*nu~?0WRZ+^mmO@Ic$Neg@WH zMpAJG918%`ZYOuOw7C(7ae#8j^LQ3VNo^@F7Mb#`zS^S&0)Vi2uv{*1XKzZ%?coRPwuGd$yV&ZLsdGHitsNaVIdvRbV~xYFkG6lZh$H$$pUxGu~0Yr;!N2taO3l!on|x`R9EEZ z{YS+9=;?Rgx6Oxs5!_-Tpm2yco-O}oPo}D)BKBq`Z8D&?aeuC)jaDVU=G=Ge1c-(^ z7w*qFp!0PnOH8laV(VDw3NpKXkcwMne=Mdu0CLN^V-ZD&0;cI|+A)&#DZQ^z(Zmjg zIqz%&5|5x>@9UzEw{LlAsC9f*8GT6&N>vk7i~luiTb=<))gWIYLaMxM?(S*sF1B7r zSNU=Ynpuf7+X##}n#6rIZpVio0fuG;aZPWnR9F4gMzwoxl4E$a(nBl|M$({_bq@qi z+_HE-tF)#N2|C=(k+p2=kz9lN;;x~dVe$~x%>gFK3)v{&R^_8>?XfSK_A%~bib~Ki zJljM1lKN%k#c`O2lT!8chsC`wYa6o%4o7sz(4bDUlM%Lbu9}QO}BP# zvP9i? zVYD{NPUbi}FlM1h++r(`tygZf8jCE#4AwAamuYWTc7z##l$?pa&n8;G^>@AivYvz( zid(_)-P8daOs~V=FSH_!!m27A8~2saZ0a5O653DpTiW^D2MzRGn1VvRZ*QmOoBG?; z3@OkFTjzF3J3}vO&gVnnjZ#WaL&@x9jUrX>=2z&tmrZ+DFB}&Ru3M`5)>CL36dIs= zY(~%c#0|xI$^~8bXY$c{+s&%!$8}d(?t@4vF0!Peo3h>b>~RCfly$>kDn|wjR_NrZ40p|hLB?VQL za(JLX?3VKMs3_iAw&~0o&o(;?Cptr7q{Y7?`Pn*0IFS)KLq5&aR_%yK*KpdaWjVj=ddjgGK)ItgG`l7@vNu`9v;5gV zqGQV@D=PJ|T5?9hv5``#tnJ+vs!4U{CgxN?`-h6JXH-e-ipgMb%>mbY4nFPG5y0&@ zYE%<%e%e*IN+6{xNJ1ZDy8xxKecrpooA6cu$mf4TpQM2nz%@zC5?2hW?@mezQ72$- zjan^n>JyOhdm3EV+H7!-FN}(6Kv^1v+qD!2v$gUF#Jmo&H&XC3cQ-$AmgyDqqlDxp zMMxlv86-i3^;*!0U$pkvW(2e{e(Se-0(Y&qOE7m7@#&{Py|4yq6hka)c%h`(K-lKD zxl#H)SK~6?4DkW@AF_&{w3VaXrWk;V_%iTn7eK5Xnd0x5R0fHLLDl4%3T<;oexNu} zW=R3BrRjKK+$=D8<3{Z6Uk^3ee#bH`yq45?1b`UNdd1v`urb?1NmD5D`o4CBJHo=a zwM$g&0ulOW*QX~kbcw-dZ6YM>+Ys>Bex_Q2)3b`~%Q~>sg46H;w7^XG;uR_q4baEi z7UvNc@KF$W0%diw748h-kFTJ2T4vN{&-TZri>}aykjk@6aa#AnXT_- zU3wIOd28vROW6Z3iV%vCq1zF1%^RBqRGLPRk6+N~}BaV?^YHT*tpRZf&0>KpTdO_ z$gX3>FF3*|5aUGPn;p(e-343W*3hN~`%75+{U5~>rj#$Qi>N;-MW ztXFV-l4VK{;tuL8!yts_0z{W2iAf5~pgiJ71|JD#s(U^(ZC> z7*%kuE;b8IAFRazubz4@Axt0NOOW;CNaEJRomx*WNpQ)lNPEYL5<13SU7g*8XMi>s zgj2pt0pWfCOKPg0n6Z;fW1Y@`t|h;8HpC%Kn_Iqi8qAk7K8@BfXQdRBr#&7_+hv9q z7GE3GjPB{~?mjAC5Fv5M^CliWqd{3MXGqu3)~Bp%ieYL$dCv~0tFHgXie&K zo|Y)1{jeX|OF!~Z1I3}SfLaiBo??%E(&Tv4v0q?}rde&SKAJ=rImQ4Q7MD;608kVK zQX7YGPQp)0Fmo8ztr{lmlC&AmOL3+;)##-lW5 zwDkb`hpF?{QIPLOYp-{&Vdx;9_|%c%-6m`DWDP0E`!OcJY*(8p+Dt+;FDQJ2?eW<6 zuTF;Flm~-Rc9MMeDbDFw87Z!s`FPf67Y_o?6EN<=R=1*A9}X0`#pMH#KFFDRC?nEI zW#A)M8JcSOi%_&bLmi?yPkpA4{+`(<9hQ##{;7_T)4?x4vf;IXS;jhx12_AFxxM~h zGZ$_@QwE%?>#BKpZjz>~ojK~NwnR?}GOd5B<0Y@)YMD*1+qUEVFcTlJX^ZKrfcumKm}7Pja%5|t z2_0r>9IZ-^L z06;5(LaSP#DgXo}WnQ`tLY?E;H^isbX(q11YjdsT=)a`z&=HTY=M2;3y9GF6z@y^0 z&)Jt??|Cn)@P+VyXrrFE1LO5@v#WUMsF(|?+DSfW#7Kl3UmgxqXdFIna>JvpPT9_e zezcJ8L1cmrdPLFmuU~3?-yX^p)+)t(AYx3ed&XYG$g~WA`1pwnITD$--2T<{)SI~U z$t?9}8H)Lm+i-pAJYR1p%jnDjz435n;eMR!IUXK^{r>FMp)Ybgm>MNs6f$Q|q?yQk zg+xHL7Ff^ik}Hyz-<+39TMUSG-wxZqD$4ke=Jf#Y33^AN$Cb9ybH7S}w{nBn7%`jT z<5{Tm^AtqSQTG`kbh9E-hKmx_V2TK)A(e%#TbRm@N%2hgVt>(%ax+TksdTcFE%*)I z1+A&FR@d#i&jOX`d9rCV`a-qFk}sOFj z-G=EbA1`5uj!Rmqpvr{6?Gk$b){z%ggDfxsc(Q1|1_T{nQS5wC38~Bt>f^hG_bBSU z^V(;$Q6`2qC5hdCosO2iwl4EV$01aAPqgzVSB-X8Bu($%0*i}IlgiE9hH4Y$cU}&6 zqTFd$O`6xFBw|XQl`iQL1F&>h@&-HjgL{~$eeb6Yc?heQ16}^nXzX^kH-vF?NywFb zOubI_XmpG=I#kVFBzqH?)^M}Cg^^U)J%4!Z=#wx7WP$z8Pve_H2%)nx}r>EA~muk_^Fq9Rmo^M z&h1Xf4Y`13A7<(gv*L>!H$Raf`G8t%c+^Ix$!Br%d=f5Ya2pv>=`&a9FY;&%WnbgMPxI{Me!!jcZj)8UsyzN$a^vWxwgT7 z0Y5P8DJ&Z~Ctb9Zc;{C27)~$VIs;MshyGDz@9S?mu{#E*Ik*}S)8=%Z_B`snd?VB2 zf;vqg(;Ly=1J+&C3I(6~j#l=aq* zt?W9e+I-r7;;dAnLG1DdVLx|Ivh9&dsL%wd<0@uHC&rfURL%4E+&RZlnQA0p9@Oly z%Ip+pz65nlZbf-GiRSnG1X>5pC%@ai1;}T!jNZ%k2>3+@t@OzAl!@4yaq;^ zXOFch(ok`JD3p5Z{$}C92Nai?UK=6R=IT2m%OB*qS#V>1LS+pXO}OwO#YB?J#3N5#JgCD|$=fyisC|dWGR$9fEC2HePL^dAXSpng|O< zZfTL*4SZ`7xl@ovG&|aSY1IR+@ZnJleP72;58{0+RL^zT?!Tf<4hKd^;s!a6#OiHq zp3(G5+j_5~eA5{-Q|0`azai$|W2-D4jlacs=rK-kiyfuuha3`Bzh%KTlNN1%rAj;+ z(G~goGih6mj5qF?%d0sT^}$*r&cK1s3|l;t1Irjp9|{>I9OMhB>a zhpu^+pm_e{u$$g4A>;GLL^$%NfOiv=oW6YXRoJ$S>fCHHa;NgW-)IbFwPc1gXp+Zh zuTweK(XjF5hibO-3)C_Pb0OfoEVbSGs8nwTgQT95>RFTP)b5&S7T!d{_Bk3oWxB4fx>sDWr{|JbU^nVs?HF1= zgc{s(A=@}~qbEQ+JYqMC1{b(V;^j7EoRqG14#^>y%d`6VC)iGN=9 zjtD|r0?H=UwMZV|OV3L$2!80I(Xr;}`Y~O&=gB51)4nG}G z)5d_T>$=PUJBI=<16H^9wr=50`eR2Q(jmonQ_g@RZ!ZxdJ6AAp3*){CI0y(eCr)5; zJSnChUkS*~n_|R4v7#xpBqK}$2vJ;(bThe2fQ5!T2~jLpE2`?M4l?QUMI<|(l|)*dRB@UuJc@~wnYP44;x(a17F`k@LU7fH?p2n^_HW4`*>^=@p&f$|AKZfFk_CY z5>3bxVOVy>;J!kTm-Fgicwea3P=35L!R=3Y z`L3|#I3{f`-O~v$J&zBJa)0uB<=pcF_czO)*VQz%cfYV#0;TJ+w*R;#+~z7@GnQk6 zE#X9DcQpRm_!5XRtmngZ_|=p|DUNOWxkQUgR(xoTRk2Rt&dod9lBnDNZ^lf@4#Y0hRsVUkaH?1M~opjQ;$JqbufHZ0kl-+A6X;Tn?- z-p&|LEw^1B;uPn+_2BQMsg}=?CRcf-be4hULW{daiGV)U&Y@5c9)^$oMnV{L9)CG z)^foXIL9H?Am?H+2H5LinI(UDhE7d(yC7I}Bmyg4@n&6Rf>GV5>eLHQ*9=P5a5<}GuepH+;vn&NhySA)|t267DCZ0p2a)Y$epJRcm)wrTjb#D#MM zz29#VT(uMLXa}rXt3q0~mZK!9> zWzdx3c@!f|T&sd^tSV+Q$F*mN$Iy>>xxABJpR8hwdb@HDRDW0l=m$#_ok1FrTMdUL z?-uy)K~H%^+J@HOm3MaOh>-ocBapb-)B?OjAWq-SZng|JXWzuF?9Zx{J{2&}4vzBya-5^(Jwz&7{Y)vFLH^A zWbQ~fXYS(}X|@f1KxL8b#`jO$je4}O| zI!T&J3<{9q<&2T_(c9etMz}v#J|x&R>~%ytR_g%g3QAW$ScI<{9b2U4jugzkE@3bc zU$jQIws9Y2vrP|aBe36TG&mH!v{|OT z_o>bK$|siHEPN#+@ZouNH{rv{XufhFFrJ_R&BbWV^nBkudp|z+%O03;BM52>ZD&V7BMPf% zGcRQ!{|-j)_*lk3QU1kUehz5zr6%7)9FBC(s&L%KwB-3Hr+a3>oXAQrIqE<>o5XPI zIsRxB)VDp3A%Wzqq8Dr={hx+=6POj2ckFz{J6@1mhW1AYV}X5HNE%dX1o& ziv$J0F2NhCyYH5DtZvD3YVe*83Y8byCUdTmcT0Shv0Ei~sNTvCk*Pt>H(&S#Zc~-l zvr^oJ8TgtshL=Z#z9CRXSb1)0uq+cyw3=lrii_Cp#%Ld@!qrvQn19BPz;4|tJIS1T ztJSo2Ry2~@4&-+T>HD(Hzr zlf1FKNFQS~?O{aZnie8SGtNM>ev3WONg*2Y9bl4$@0U6}1ryLHr|{axQjUp~a;GQVhs0lJ|N9!j%FXOyk?aji?{9s)asxu4Zk+xgQ zhSg%lt(gTTlg_*{(l7LTc)8l-oHV00W->y!>G;Yp?CsifIj7YSKXHlSV)zL`v*V9V z(tl*eB$05frxl)7=b*FCY?a?XuuP{ zmZkO{!2|#I@u?hm(DJjU>mslTfhAG?DvlwU=vgzCytx*J57LY!%Krtr*GY;onH?FyVvy6mpWyKLbad3F*{WG(3@?+VAs^qjv5= zuda&@Y7=1zrFt3MZx6j5~f zZl$k@Sq;NJpgEAI=35+#w2(yS0Llmi_ZHp+kUz%UxF`+3*XFldD5={iroD2#K7Gpj z3nHttjCj_z3Ob&!TVH2hGEDo;PL}EFyUm)Fg1^MFdzOkO0IV{?_TdaIl3%uhMzu`Z za#d(TOQcmafn z$R*=AXBfl{3T;-5L4R!m0>zHQ)+eL>;ETTrw^<$~4(G6#CyE8|wi>R$i90anACuFN zHhTzQBi*$+7jq3Idar3*KU59(NUx1cfwMna=5|kVC{Edh? zYzBX8-oTLgsi9EzfKA2hDnex@b8rFUXgJ!RSHkIYs2ar=AQjk-Eq?o98fi=9GX@n1 ztZ|utwlb)H?yD9tTox4F_tA@!sqfiNvCi`Lgx#qSlL%J_4r_**N>$uYz%;c%Ha>$l zs)=j%id#*5whWF^os=;#m8)6n!kVKs620nr*XTfX9zpz7dWf7=CD+f-mgY!s%Ms8l zIeYSBZx)TA!wzQUUwZ)Hdn=y`Bun~AVq#(9QoU)@+>jmwy1yoF%i?c-&3D z_L-{T=LwHDW5^Muab4CfGzh{rQH_d?-{cln&$X2s#56-~1!a^Z7g7HOoV)>H@?SL{ ztGPz(+|+Ajw;@eWO5|n|<74iwd>;urr#XD$*!z~dfyVyf8c_PePmpJG-?|ulA4p7b zIri7Xn}^zPv8q5n79GM7t@?oJku%(Eefh|tSL3{9HFt~?puqwlR3KsA5>`rqDAzhQ03 zz(7i1JOdavFu}75Dl-}?v-+5*jEdA6rCLM;R1*bCGQUs(;q&pVVqo`@e?%mel(lr+ z`+CeBV6XVN;dk>0W1D$_!dh0wxAso}uY?Bre(gYtJ_m9EcF7ceVjzuP#!pZ8Bqu;w zdfEtPcYHuFBo>j2&gXP$i5u{{C&3?!x&_?PL>Ztc;S8p%arCaCXyj|N+y-EAD8-sHAGTd?*-M;k3F6BRoF3wQ1x)50^MHl+k zK<4YZ3GJ0ah-1`jPe%*q@*Q|)S}$=e?0Os|2>0(!G8 z6^V{k9rRf|V^3OH&Z_}}_o6^=;K$y>)bP-by6c_5=UjEzZ9)_)zWh5GfPlnXNnJR+ zR|w3B7}bbYBu2kVOu5JQYtxKZG6K25ES_>Z*aEgE@P`J>9%D>_B`ca`z* z?UHV$KT0ee47#GsNN(#*LN&`P0GQ92;C4IW=Wuo!f+$uXaPf5Ftc-#yT!n|$DlT7=dkTDzioPJ+h8CAq*GCpRjW68gc30O zw<~gnmfscFmsL6(Egym)tajU!03WJT@Om5!X9WX~CvrqR3l#t1Y>#_E)JRC;ersiv z7??x0!dU1G=Is_ib?oc5=b508`mH1J{<)t|aTT{(5Ks^D5TDBqSb0jYS^g%hp{FL8 z&0~bm-T5ZcXIL{=q}u!i;qsknlLt((j)Jb^MDQ!P!_)VsqMI1LpqJS7F`Q9*l#$%b z$VP*&BhusXpK~h(e`Q8dUXvvp!#7$t~jB3NI zsb=k;pVNsPJra%l!$QIt+9Ch`SO)Kno%{Vs3XJ^?HrfWEPQRxWXcE2Biw!)&UO@)s z_qH8dJCqKLTX-&)t%Cjj;_Qs59zY9Dp3IfqN{^z*L2HWJIee6?z%9lre3^;V2|qP<4Uo&maX z?dGz_m1!(>!L2;sLO!eA9k*_jRQXsD$Hs}M$LFf6;gstP9R43V48np!Ysxu$1y@qH z**0pkYRaw`A=Kk$KqpuJJz-*5WTOS%%vd})k0$h*8=#t-4m_dgkuZ^4OI?+q3+{j; z;p(}M=g>sS;y%|zm9Cg7Hh!D?SWpG8QUl`VA{w;U=j_m&E0@6%k!fyoDXnIZw4lHM z0-MyWDz09Wk)H_1ts!VIBj@kV3e8nX^}I^OoSVNpc77*9ZB7v6we(lYtDOZ zrMPW4YX;wf8Jkh9@!Mr=NGbesYn`Q`seLOdhacIZ`A4XT00kLchY!HUn!G)1(PXT! z(NKTb62YUsx>#)f#@*J#tKcG;z>W%)^=_>4;$X3UcLcq5t=?GXa!F96&S`~bomE8D zB+uIueU0UK3q*8kIcoto4&5)dk&`#KH%d`aNco8XC{bav>a+b>HXZe>wh||fyC+z{ znV}-BV2sB`niyxzpMKekx^UUQWh=2;6GLL$nm|)Iq6?PrFIx^`d#mRm*U}Zl>#@7K!W!?dy%r*w!XOH5X2EiyN_IxHys1=h(VaW^C8;YPj7ME39WrmXY3)Av(Rd`hHhY`zML1 ztrOU=RIwjBe}MA#;$zG-1jHlKm-1F0O zGIFqOXpsnv`D~{f;x#8^Dnp=%mo8Xy_F@PaTj(Zhh!hr57Z44m{gIYIy6wD@%0<$! z^8lhAJvK0n_3Cc)kDd<*WY?JxgE~v#C0Wwo7d{Ww$=5Te!D(`-)thTLGZ|?*Mx-4a`{dccpEiOuW+Jp;i`@ zwBq=*J4H$PL29s+^nUkG$);ptlE1Qm> zn?|I|H9DfUKLTZnZhYSWmGbL-L!y^&6Kshc^=je7=$wygFcFfmL-&D}j|Yk&oucOz z5`$hX!6>HLzg|lt1MwDn)GL)|hx)f5q}BpsZ$>9_o$xYEdxL4;cbY2 zirVgKNGt6@;)6SfInw#~hZ^Pla>%Pt<%M05A<6*J}UeZ!PRq+e!% zLxYfd#O?&`bfPM`?Ta6;iGNhdb^BUrR?kh>qX}hELrV^Er@Sim{6F$N`S|D94P;Pb zBgx=w^;NO2N630X0}+~KeP4@VAs(=z9eO1xVegV=UJbbuT_V8w4Pq?G^%_WQd)5w> z-P0D1JckiCNrR-6&kPWV^xS$x#EX~&J~+u4{wXL+t;%=ZGwDD--YJfai%}b+uUBF9CNQ8_4c6L2|sVxu22jw{|7~uYz3SiLm zrw0ou+S+gdD6sWk<@DZ5X~>aSbiL5`3VQn)E_YgO`rRcJxN2%J7VYryh=duMPFBgO zt&1G~yaC~CN*<2P!~k-}zP7nv$g7#*RcZkt2RksrnH zlT}Vx{rDgcSMa#TDUu2y4j~2U&G#-M9(H_gTOeTmskR)09P@7~hQFWjZ)pP#tZA%- z_sbD&xL5BMl^U;c)Bt`G+BoKFua)@m3d(AD2hvRtyQ5kD#uVk8Emkgr1u2y_=0-2l zpO^gG2J%C2N3NTUSwl2l;nn?C0(7BVfCOWf2XZ#n>}I%SL5~?V-kR-?m1TWrdoy^_ z{8xHSU)4ZKNQI5p%ni(LvGkINkdb06RtCC+r6<{emL@~(BL<@+BiNOVMHWW%eTdyD6j>)z1`tb&J1Epa5#WaeueEmm ze?IQN!jj*fj|kV>J?TdD;9d!)f~o((S{s9n4Sg^dq|O99W-VBKpZ}u_{OsK#SioYr zdJI1>Y2pzlC)c6nR6`&Mlpq6jSr5Q|tzG79LR`fHOEp|(coo6~>y24zRsXt|vg40# zB1RDO2~7WZ0w3@M)DX!8%nu~s2_j=)Z2tI?-l`!Ua=WW_vZ((@1^VCW(Yrz(s5X0% zPi=l9;!`jg4ZqwR%J8*miQptw!kGJMfDX;$NkCH^vrXyWKO_ia5?}&*fhz6AmVpc_ z90>5?LB}!phrc|Y7+g)?kl$Q8d(L^9gZMr;>lddCQlQF2V3oi42V}wF>%l{*}VAQFRA}*8UO$NlU6UnUboIttmHo$(f_w5#DD+O{`I{7 zCqFxW3d7#pM{Q)S{(tB5{@*@DM<`XqVL&ia;OcM%hg&;!v$x=KfdGtFYlt018$Ou1G-?vP&|QyN)r%U z?L;+#`M@Sk{yNa67Xoc{eViQ0IP$xw-6n;^)@wk$LN`p?C5$f5-v*gw2|l7PsN&YG!|LM z(Wzrruk~+zUK469bqllXZgAbLGPn(u+COM0*I5x4&eu#|@QaYk=u5;zUnmu-K2>#} zrEArY`4xYb`Z+6K`n0`>P`fX?l10qB94A$3WSk|j>!;BSRcxb+XJk+WdZV?B>G+e7 z0%sy3)#}B^n`f%*Edgiriz9LJw-MAN&6wTYa+yVc(1!~=T2^eWG zP%t*Ty6T&I(Es)U_<^@TUWi;)V?0Ku473et4kLaE=8&gQ&5Fc2AiqCzUx0fE%uEdr zaT~r!cG{)|$+S;vI{>D^fbPF!JS9U4B1`~#$F<-~6slIlm*3w4_QaBm`*o!JHK>>_ zdLc7>_>QG|`62UIxPCC5spIuBIm5HD2awWg0ly}dJd*|iXFd4$63E(9pXu1Q-Gai`77x`BzhmAFkx-$j zcOGY~svqilXvI(D$C;~lxqc(A!op4&Rx9j~W&@@F#WpYLo3Us81Aj+8|FeUy{5-~d zYGYFD<9_o7XzyojXuwwHk6Ry0Umxgcw$7f&@SzVLD%Ggh**6or6TkBEE;gjO*|A}K zjeQV2S?-El&wMXsgh;=?aJ{3tn41yuOi=l!73%HQL1<^`gw0NgJ2k3fqbet|#^ppH zOIO!xX|Maan=VVLfo?ncmjY2PxoaA>>)wMIHlA|%1e%RsA8!tBV{f{iw=u013@j#f z9pqPIU1WqC0Rd6P)g;hj(X`6$!M^JDBh66*40lf=VyoYno)?nlM7$1zFY6*>ynL9k zRLDI<5O$9rdvZ<_?TET< z-LDkAvr}FkdywQkHm8}R#SJdi&mjq+raO6cr|E=r;wK}fJF$DN+CyVb#kBz*drt9t zUkh|v?;S7~uaxUAS?vDnHtr;bYjJmsc$;*%B*mMUp}m`rTJX+Fu0hf@rkiQF$`g~nQfaWszQ-6j(Oegr_08J>{fyHV3b~s91-FVN;x$_M88nv4y`tD zzAa8VbvTLDwX_A|_?i<#J{!dD=tMj=!fcvb`#uBWeaU#%r|cHZ|iECsK~wg*zhgkKlt@SFdm>Fpy!zDr=SLTHpV5lRpzpb-6kQ+#+gD7jTmLq1s@@ zAifDJK|K5^+8~bWp`XxLz7{{_|EQXaXRSqz83YuzaK}q3uTpOGlGr9)+9@DDHX-RA z(6=cpD6J-H1E)MOhtEP{&dd25aWd%9fXqrH+J*O#c2Cq6h8AB|YXmL$kiX;Tf4|VU zp~qvL$%TyUzPm^jTfPFiS*&Wl9<6`dHmXUcrUP9}3Cdbec96ZW%LW!tb8P4WR&#}t zWc5Rn+uO&}-8ghYE4l>lTDgPulBLbKTXrcIS~-v#BCRxJ9`;?A7%3jMgZuH5e;J}h z@k4^>)dv_hdJZ{G8oetMCb|wGQr^sA9O%xrS8oaI@4hgx7SAY0s8+h+NZudo##Woc z5IN!}WTVEv-55_wRcZag5-gPrdQ5oG>#XM^5Eba(0tW*ZRGDgv1%{E;x*R}Wmc|*< zYH)wJ_gBP|p=GzjW|eeI?GzgMYssUPq)Z3U_Luyq3%>94rBqN0$E0{2*? zSyPY>DtpRdsUTJF{J&rMxh6P@t!#vK{Lv9wmyk`N4W0B>Y7gWq9k~S)u&l$ z_Jz#VuhqnRBUGECsHu2G;})Nyd!Mw3(vF{wH(&5M>=NnEZ{-J~*Y54l-L=Ql57aM4 z;BBvRRWpivXfAGqe=gMy4b%l(TlY&gY0ltMw|XEyso9^xxZEx%dF1Z44|aA;taKa; zJTMtvi7EW>8#LUc#{n-iX?TEy2Lo!dM;ye2r-vw8#Wjx3QpWV+zqTnf04EalNC~%5 z^I$G}0GPd2kPhgk_v?Xu(ew$9Woc7Fq|gO#dguFg z=BC2WW%+*N5C-+1*x9Z(@U~o6tkjL1dmO}NZgV$HZysFO)guaLN0wG1Y_7%TzwS@V zbOpe zHlV3iqmj57nS};^#Pd`f?CRaxHjdz+Q^(@t117gbQ|8kZT|)<;nV3z_f9?$Wbl-sm z-lOiPXU}AKuK?#qD4I~XicU~KMYv62@GYd%*AikTy~Qt| zD#}Gw&Y4gF4elxbOkM#ZR>b$QZ~@U zYzz)daAQDRdEDN3IIpM0$tD=qLY|1Fu zVXv(9$QKS6A7g$&h-0HJspuoMF8HCN;-Se(%1--6hb`31Oxagw})yGx0UyUN_*9S%P|>AeduKJo5q45aD>C zrzldk#71iFcV~lj_7=XgrP{6U_(TKB+oHXEQrjlHDv2U1Wro~nlldf91-pFvXFo=j z^hesIT)?AoyZF^ZPMGD;Glh;`W%u~z`d)|+0Uf6ZYCxSL>ZbjwTI;b=fyU9Jw99`5M7_yK_deX`z z?tFBdP?4Noyj8rGYd6$3iY^mfJVDC#i^ILDl?qZEm{%Plwu66+RmpfdF8Do?h#nrD zN=e|3ZA&05CYO7?Lr6C1{d7&^8;mv4qQK6LUn0*l-V=ud*c|!m5y;Ci^Kg3s1IWF0 zfbXJM^{>s-959?@*8tyC-rC#qox%I+Tz*va!gv}FNrN`I&332h>VJ``9SSY_fv=tT zqs8uYWe;15aZp#OPj>5r}N8(9MNWc8MJtsE_`6SpMWV{}aT1bj!Dhet6foi{D=C13bzEEW%h z2fL^r2O!AI{VKkwWLfvzApIUZ!`^bz=#Cr0y-h=XKLfwe?B6%t$=c|?&OceDn}CwB z(IqI9CYi?~J!_9_(2V@xG-S6x=&&@uvAR_}5bE~g@V6Qrf4*Yj6ZD1KFg@Mb(IcjD zn}Cw~=fm;^#;+X?eGt_0T1V%iJ()b7lrEpH0c$D#6@MrtfI1QAXweXW+T0^gKBom> zCK>Q};7q_`1zAEXP>;TkIyeKB5qP!OBbz`xMjtSYJ#>I8miRfQ6b>rXR|aCGwAC6* zsPN%k-p4GYIUd_hjQX>2RiINZ!G_>r9|1AASVkL@^-)HK1cfmaFUh!51q|Xifo9@v z@+jCDcyPi9e0i#)Ezrm@xT^4D(%*r(zi90{+zHfof158zGU zrC0#LmgRb!0k>j@9lzR4Td3QwehaiUDT)><2!r9`88B#xG~L* zQ*nz-g}xAF-;8}qLaTrrL~?ADM7r~ZMSv|1A?B|S63UN1T4Au%bHa*ZQgXFN+;9EEJ@)j2dR%8lGpDl(ON86K7k=Q zC5ssuo%*xmk__D{R|B%`OnJO;rC%b%8M$ZJj?6_85qr2-IT{axZLKrw>HRWg44abI zBjFUH?*LDWm|OW?2tBLez>YjxfLBe}1$~8Mp*<7(ggKxgY}-*YkKg&fYJ#bVWFG8K zrYuFjWMIs(e6o;yex*pKDHg%iAct%?mYH>%^mW+iIN7Ou|N1qde*Iyhlg{=EEo-bW zhsn{!GJB%+JD#nHBSazTaJ=B=dh?t9JtpTPqUUpUCe2$3~6T+UWWVqV;)<>OGTi58B{a|(t61o zu&qA`IMv?;IgOMI$Q=~8Ve#ETHR~o(fu}>U`*}IZ9|Hr%LaD_=2|1(*SZ;89V$+tA zm0c7@HakD{m0U|PDQ7YSElyg2ysRdDWw}-HgP+G!QZO!JDGk@IBYO{ZvbFGsN&%mGYVj`H4~)kmCs^ zc%cjSoaQGhf2)v{&K1a)V`$fP=nQ+YX~)&=rcRkyu=lCxTb`!Ugqg8THolgdIPplE z!f2~4$@?L9M2*{G=rEdQ#h6ugZ2YJG?DKcbjI3?nSOj|5y|bmt*`kpZQ%t!Z-r7nT z$&SH0G81cti8OGI80dMnf)}<8-rdDfMylkFZ8n7Aa^|E?cA&#n|6QN2kwCU8dia0>gO_wwiJ(a-m5XfG4;|^4QSRcWZgR)g0=Ty! zY~9la*uB4u%m$hB**A&^eIiGh1>Dkq$Mwss#3MNFct8l+Deq9;Gxtwbh>$+9VUr>{ z*a+iqJ4wtdmhb%3Cf*@47aCWAmvB0&N8FA*0&qd90mqZNq0w#v=nW>=ke~y;JN7T< zJu!Qn^6DJmbxcqZWAScj{AByIeVnu2)9zrBu6vp60ImtNo=%g9h38~gRCaP!9K;z4 zpCN7mkjZg#sc`|CLyYo4VhgDo`Pm@Zny-7q?g)U1^ziv5{4CSLfIoBZfkvza_R2PL z27lny(SX(8dB?xy&ay9LCym1bSYVQbA9&#L#G+}FxUEVYDXL${tbjb&XpBAwWntW0 z{P}qR9I^C=q}=nn^eO4n7@IHe1{m--?;*Z2?QB*>Atr0x4InjBQii){+afk}{C`M$ z>!>K(e*GH}1VKVcNfD((kd}}VfguM3rKF^Lh7ty8X_S`kl15@ErMtU3r8|Akxu4p5 zKhIw8UhB6Of80yG<&wFs>-@%Xd=72TfgV|Zr9O5IB-QULm+Y#Hbt?l=P<6Xaq3GwXh;6D#IX|0JN*VUg#(@IILn+Og30{4pK)i2C6A zJw0wPd%S~My0lR_+&cnWFwh6A8vUXk2ix-vx90UseR<7Fjw)Nrjnf>~4 zOs@zkZjY?rR?<)8v!Y_!JMfK(A<>y|-FUA_2F(M9ee60`lx2wr zku_L+^~#nw8*rWIRF$AnsHPP*FXT*VQ@L|fJX|a+T;FR}5>_B|f);`di|2}{=A%0M zrsbEvoY?odNCK*|{&1Qp%Q$XhDtd&lj;?_4Ofj$}JjSlFI0F6*qw%f#l<((*1T1B8 zY@CJ8few4|NlOTjj2(t~T&45p6SdlrmdIRdmz&<7m(@6X{0HQ9ef3*9lb}9tC5rS) zu%2p*vC7lm2l4~))AA>2r^PXd*2!|JLP71g{%F~S(% zD@LdTrBH*5>q6SdGQM#3EvAp%Cr{E(08fkw%*&8liUJ3-`n&y z6I;zB?zH_B)K@dvjwq!qlWl`cCM3^3 zEigm~O9wnpOm5{O2yATNFX(+vm{}Mf>cIDXAbwH&8i8*N*%vm++sZ0E-prGY&7&PM z<7}_QbIn^cLE?Lt!?;>@`E3pL-R1&z8;Yt|DV)KWQtc$80hn_#ZZ6IJffg z97?`k68!dG^jA_4K}v1%^e%1kIgT_KR0ncv7Z{Li=+)`}IKov*7s{WyS2Q^_-pKNhEXl>YNK$QAh{w)Y+;o>k+Igd(D~gis_Ow`OCe)j*auE> z!J80?jm6OZm2{+eY>kQ2wB_oP>pwukzvnM@C4LZkrvm7|BK$04VAff z&w3!NCU6G8V?ymX{RVmx1c?|RvGdDKmK-fPBGWBRqkh>qoL5Sx}?CX4n#mHz>ul+@fF7`p^9 zxwM3h6i=gi5w6e{%JIIe=iMzlLRNY!AHnSsO2;xNfeL0`!@P@_PVQA{_w@>c3BRiI zXQWn27M(d?xWl;UZRz&VXX)OJtvA8%KLcm);C4q_UWmdUQ$VFqwQ32*^>;>|k%cV7 z6G98823KL5TRlYnp&Rc5-Qs$^nJx%8MXPD}S|ZbKD$2>=makoVl{{HNd64#3d0?Du z$^D0L{ab&^_n>(hC%60Ohb!g>!M|J3l1Xd}6a_Nef$#H$12ouTB#%U`;2nu=6ZJ^k zCQ>fwdjHWU3&%5D`zpmPogv^u4LnE(F92aX?ex9-ZPTi2F3Da5L+9ipWwFe(2%*%e zu=9by2QqXqOe>g~ncCiXEc6gzU(4K8m~7#a->*&{yi-G0i)6KH^3J|H)aj-U;>g(Y zP|W=(=2;kmVojKdXm?{r#{Ev(AUx1caeE9tN0QOR&@BQLW}54}i%>{jgTNCdD$+O@ z#sn@(a<(zgE5()6sT4-_nVx~LfxNO`90xvggJ%y{7b$L8zvG;?D5_(qeWSw+OGJlK z!n(^jiM@WnzY|}@X~QoFaHu7dtj>Br<#8|=5=SMe4!8I@Ze{lgZP5}tJG%^+aS~rM z7kbQB-dYF3ur-U=pjRV{g!isyt${B|_aw2n!;P)C{#j>PtWC>*T=Pm`gg(h2!Ocyq zag;+wb!j+W@#c>>7Mhj^;X5JCHEU9riqz`A0wekeAN8=Dbh)toW^V+v9TrBo&kJX2-Zzhb0qaYb zkBbdPu(r|MAx2}PXkj5YwW3JwPdEG7)b$B(@-^{l8|;l$Ti?~k9Xxp;HmVw8Fa6^N z1!T3MlYCI?=_l40LeAA_+|IISw~rkXN?Am6b(3m~n1A_iEanKn8;`lJj}O%yz@ ze+dx3xdVi7XaclJ(<|`yJ)cEpYW4^F)dQa}k#zii? z8v{DzLa5$Q7?c@u4&lnoi@@8KP8>Q9QJF|MgwA)CDx{i5pw8k6#{9$JoI?W7!n=5# z$VXxfOF=mVdbsp^phhAKbOVducOqATcKR$8zPr=)}0_l-U@NMn?NQQ=KF@ z_v|gya`7(-Xu`AC6wf!GuaBnYL*E3o_UNA@SCo-zo(mYF)7EpDut_T~M(xUse7=3Lej_<%T=aCC_<)SwtZKfGEW1@RS z9n6wZ5)Tam`xnyHatFW0*Ik~-HS8sfRbw3qx#1L#6-?FQ`_(Snn3f^BT%A9reLOAr zK{@6syDT+sam5(>hHSE>&~Q-~yr!r`2=#?C->_Ze&`PEJ0TVvbj%Bm&+>H;y-Zk*g zIyc4SqsBYg`#9d&sLcT5>k9_OXM-6WrrQ25x_}eUH+XYzSjY}1#r1$I=@By(#d^yM z>_|;S1S4d255q*vpLTP;@S`0PIN6bt-2jqESuH>`aY2&holBeeWHHC6#(qVP?9zEN z2PvPm_2J&FJU%j~WMO-wi=G!4Ja&h4ogJ{u)g@ru^Z|)d5&(XX;3({NW_!L*d&2I# zXhrV-qOC})vX`IP+Gqeo)2tIWuNXUv2QL*-0%;)r;`@&w<$TCwUYdAjd|g6_r|VUHfvTs7nI> zqkX|lUM=(-4im}wZCP3UNHnb#x)sZjm384$X$UIgU)z`^YnJmS^LA4T&ejf&m6>}B?JRQGwtKfEl0Ungn@rVXCoF2i>3wE z#F58xn-4!5B$U~O=*r-$?XJN(Pr3~AwunoQmx5S&Gf;Ig-)3%yP;fF;nn9qzVwn*b za#Gt@F<;&$5T1XGdZl*lo$W7W&M_z@AZak6l<;mTMZVA|hU5D#;5am=mOprLI}aHf zsv<$dpaDAQNozQ&gWl_u%&v1b`)nI|Lwq=2=?0>nf({i70v|0xS4rA8uuzD!?9L|c~{$Pk?g({93xBli# zb%<9~zE~gZFV`g^Cm>3Z+JDe{tyAOi70m2?47IR1-FW|4Y{>L=SL^-y8B}Pu82$>h z;QAZiGEr^kC4TZ^&HI(cXR?Vrf4*ID+@r9qSrV(WijlhKP_mcfc2%_`lcQ4Y*W?s8 z=&SSvBpp;aaBj{q>J26*kw;+#9-S?OCpQtH`5sc7Q+ZtNFGf4yS+u{YuXWERTzZ_g zspf6OOLKkJC`G>NDy9oM$Hx#AvSEMFD+|3csnYbLwOmBceAe0G3c3WmJ$hqU)jZ>L zESI5A%vD}`Hi!fM3Mg7C+y@>>DPih$8<57&nYMWg(Vx3unc)SM_oyLtJYR93oxolA z!?v5NO+a0|sa-aL;TED<2pC4zo{Xbr)uZOBV1jjNG%)-8)_s23xK6UurFlaT!}Wy$|bH)0SZ;g;Quygy< z58T{C`UI#4QrRVKFP}2}_gsVC*JcHIA0o!bhU9A!X9ldmgdXWXrfpHlva5!m*3sxv zEbYm4TfbQ9=hA^Ftcep}`_qP^ps+!`0Rm7+E^D08$J7Ke)ulAaFynZM5Qz%Zm>NJw zGC#lCTlnDE_-ss#W7xfP=Ss4mo&#?a`A7-56!ebvq~<<$BQdn#ZP_b|)y0djO>hjp zE&HIH|Asxvh|Z(heg(}#cdXp(*J=bYPi^@j`xUT6{#+l}!J{7<;Rz6dhUwJB6%e+x2-5?kDZ&_6x-9%(w};>hG!qJMa|__!l(rQ+NJ~c3R9r zD$;3jie~BOAt2dx<2l*Lt!H^u5H6IhKp*(n@jJlBnVWG7FR9t-S=IgG0*kd_)HW?d zX!U`q&!+-IV;>d_hLH`i9QeIB`OUvSf1c=pw%%zR6%|vDM5LX)M(vpQ_8MuMWya5Q ztvy)IVqZ8FJ}1?$0__7wleVyMhBJT_f84JL>WE+rvNRg2x@;`&GcY1CkoXVdtPJt_ zcAnGkRX-dZHk*gdN%F-H?_e?}1BfZ%8yjsr)-jTVZjH(}IzKNPtjp#H!mJm>@o>VY^^_d zy3m=V@p6j+Gkf=9MSY31KpTUyl7u{&Sj@89RXhfFc*4Gjcr(Map;9X(qR zg0l!zQ;L0fqm%z8R}>u2s=Wok4Vy39el6shN1>E|M^$$faYi?i?7FMsJHnR^CBvC; z-AZfnk9no4FE??sK;U7k*hC5!Pw%4OHUIh0Bw?X8K}vE4fVu;wmNf$TvNy?iz0VGK zO`RY%Z|x2i*jaT1I7E{W7iJnI&Yf0~(tlv?Ar}%&7Q$Y%e!-Od_+W5mW*Heo(r9pnumL%AQ@~NSaGkAa)ECkhJ7e5Rec)#Vb zZS48vTLZ*}zGTA{boA`|U@gX+#kUz-_}P-06~2|eIs~2^7-Z%4wXB=TOLelSQ2Z=i zHdrGIfzUZu*gpzQ&QN42@3s;q?IwedZqpKwHUt?x`*>pcx1$Oan(5z({U8`yG(QCIyuk%?JQb8!TrPNKL6E_Z!fY}`2@1+AvM;At{XB+ZEvWx7cPq~y;*KNlMyAjPhQI~ zYyFM^{whrVY1`WgU{?DnJ1UP`LM$oc64;q2IcoPL?46k=6Y})HYyIL2BCE5lLnf0ydi<6hZ0s z#PCUSVKR1F{%SVOnpbDJh;EA%7Buf-qF(Rj3Y(tNqw5@1FWht81=);(p6z_mg6f4_5Q?J6+w)#nv8}21`z} zz%l{f&h&nmvT@Q~9Q7Uj18J9&cD0I*YbLiGS4G}RHM_%6NfgTNtXN;v58lf_n`fOT z;94?vH~%Q-NYbAm{vfs!RDFzluU)A%z#Jv&vczai)E5GFDMNgWn~QazKhs4t`i&so zQp+^0YP1DIT+}X94vf<*hTKV%X6!hUN7tEW`&2qKfT1!-er!(5U9-7L5$pO4Uo^akRB##f3;XccyIpll@>KH_ZfUs5+XJ3hF)efom-AD ziq+@9y5*;8W}`xO@8xW!4XVI@YPAV8u@E4av^l`aC^45j2caXJvur$>j3WwsHn*zw zT|jh3s%D8n{|^g|YFSZ4(bH)yo4Tj985$&85T6l8LI%A^lM;yWq5FSOhcOWr17eF( z3rV4QCd+}^bPH>Yz<@(cxA&}x-tV&)KjaeaYhDSOk=Z0oUr8}4jDz7tr(_h4`unZ0 z+z9>WEAFnt&zz4|{i$!`3k#k$KL7ZuLCjqY%6Ep?w_IzU30z^N5gn;~0ux#J9qh9B zn$VX3%+Op~hXVO+=BTi=r2SSKeQ}L-*;l7%?Z9^|RBj@wFO(~?c2AZUJkx%lhQJd2Jc4SCX<0&A67}rhh+3L)+I8bH?+s-BDpjD9 zp_{69z~$4IR~b2s>ukvqeM{h}R_K-|pZDf`Egu}Z?=y$jz5)3}%^(;a2E{%AGUnua z3vC8MpA zVAU8CmeFXpZlbf+JrmEDN*5~!}FZTg>?*A4R`cxM?J z0<(97nf}YO5n70PGUQdrv@S~A2BGE`6{7jNp8ao>kg7uoqMP}BAuE3{FTdo|J{7y^-zb33a!Lr0vuu3@_div zKyn@r5PGn#QL+a&m6#nYcl2)T7z8(lG%Q~54P@0TxA4zL?FlpUliB@tKJ_dV5lr_Oc@3`D- zk|L0dbw>(rK6AhIl|bEzKegD;;ECrcOABu6NT+qu&Szvpq31^;RY;9rxpr&Gjx;_K z*LM$9YKq<5YUW?8HDl=)57rs-J0E(hwEjNY8Xc2fx@?(i@*-jORv+sT#svv5GNU=p z`{>k>_XSrc0M{a%A4wMl)(ltUB;sa-cvf=ssqx- znD+qHGN~k1Gvf*Tp8$n2-&(eQHK(C>&%4$`4E zda@U2Xq|gltMp4|`mh9)^>%xxG5dyEq-dN32SRw9m<*EuXQEXk`}y0pA7(p*(lU$v zLus>NnN4$2ZG!{HH8KOMSL?4rf+XA04jv80_bTPCikr{9t#@TjPnZn&DI5`W$5Vu(N!sAq%N20#%(2amlqbZ4u;W z6T?e>%xr%5P@Z3i@>PsY6I1VMIo1#szNIsig*m6L2Oxgj9l+7Zd_7DP4@5TB)wK)- zqu&4iD7_~`mzit{72}_Bx|yF=CL`E`X)KJ|FbfzHg*fhnPG z+_ZP9yMNuI#iy5L_3^4>kaqOB!SB~??@5N}#TI$yAm=9CHxC@QIRs`>js`M;kZ(SM z>G=S6HLWiJgjM@8dfQjy@*NQB30y{&X*W0sIgVw;SUd!^6dDSDXBkBF##k!U<>dDS zy&o46{Z>V z+WokX?DT+ma@BGp;_wTB8yDDYy=Q(mo$2u30BQ>Nj55No_?>>%5B25VDFE4%QL@85 zoWnX^#$JD13c>2shSfp{vqC0%#n4NB5+g=dUce342dw9mG|{XfI+zM7V%0*Iff2{*tee+ zy66K9{{jfDjcNeg6dY57I`Fvc{rzzvwlB$4!q?lHkE|H|ua65AqJ1($mPn5qwJqP@ zEMt15x{iF3WI_XH7bDC6U{Rxh-u1V!II&wZ7wwP>X^=On*;mR=JL({|-(UKbRmJ42 z+|C#8fXvyd;_IPKTYn9J55t!w#b+`jCB-mlA+SF*jnhU=GZ0Lx*~Et_KO2jr=>Nv4&QqznA0a^VD&8E@6A6>U3n&LnYt4ES?F!(bmTh$?LXhO zDhsh2QF%TaebHFQ8dVUBL1Lt$XKsN|))bj)aFm1}g9c@*77jHL`IGC!Tk1NHHYQL1 zs?Bv~X&p!yTqwqZz?V+5tCY zv4T!n!L3BD@aeI`hA$JnmQH?0CI?c2iTp(D5tsVs&ZiNl8J@EPPvshyDup+-*u?rT z8W$-AL2B>Au$rqMHnf&|!Hi!;0iy0x_Q2%2D1c>lj0P|!VIvrG@WHMq>l~aK;yUFK z{K7QH#tQ-K5G=eP= zfcQQgsLy~oCfbJLkowTKi$90Se_lTTA%1>T|G`yjiPKsxg6p}6T3Q-_M9j`P+wkSj`mDdcwd(}frQ@h*UVe=(3T zq!v~XjyO!}{k-Av=W^}^Cux6Jc0?GJ;DfqQXxldw%1>ALGmrb_2_DZGi5XMjrXR7h zLGjoz;QwC%?Z=E0Ha=2m}^^#y`VgOep01vxO+>@mn?yQP?F{ zW%#^^Wysme7j8BzouYAuH(aD z6M5MxT%oszxC~p{@mfZ9pA6S?up~2Vq<1ToP(gLF8;9Re4{hKwx5^Pw6S}BVL+opL zN4QjyGa8=16wTQ*5PEeN(yT6{#Jp)>Q8V)PPs&fpcF9w@k>tFUAR8hs5Z+uEF*h*p z^lj5Qbv5;1YLHBI#DC+TmXLqdT7*6?e`!dHJFy4o)!FfuTTjZ_msxJ(fZ=hi@nHh= zjr4M8^0Z&gkNgqR%9p&~qP_&0tWFobpO?-h8bl_*C?MAi@Y3Y3JpGqDZH6f``&NmU zC|_7mUp>>a0@o$r;G9Qw90N~7-=yQ7Yw??5y4M`rwd7~tB@p<-J$8NGMfx+IHrPH> zi4407i{iBsSWOA!U&rBBgTCa~kkd6DDK%fDZn^z^s;iYpJXZb0lRQ?5g#z{2kM_VD zQXB|~QXz5Ny%O!9al>&~?e+w9D)6Rv-3r0ohlNHc3f%?1%HPY)I>6vob!ZYsBa#qC zq#_2GfwHjzc8}RKi+^%uwImL)s^vU->jBKjnPQ11fU;=Y@iayNw%^nSR!z47QxCny zkt9I?fQ8?nf-ncad_p~wUfGMf0JgwU4?=@Do7(v~d~o@}z+?fgV|OaV^8}js?5IUR zI1?mZyKY*M^IIo4NCdGCKH38*OTRK?BhZw(r5`?;%}F+e1YbNXFZ&_>#q%wwqFe+3 z*e`+4JHYn-{_nCrzm1{n7p|VPh!jBP@_PJFrk^WuX;d@YUhF28ujPOy4L|A6IWT0O z-zsYG1LhDRPI@K4!Z#ht3d!Hje}N5^cs=mf(HB6#Gfn0`19%YHjB9CEcGHsdA0ggW zjzFH>4^}kgd7dvs8bBZ4D_;z*Wn$wtn1(PPg2GPyV!%85%kEqQt!4Ie%qQtR@%&BzmxNM!Gy&qCBx^~)>3xUT(JwCmE2((-=oI~f#EyC*n z@8%7_P7KWU)n2hff0re1sZ-Yl7gZ z4`&~3X`cAo+hIQh7wX0s8b6xDQFuCU{t$7)bO`OX$=gzkoy;>7a;Iz2++du_v8xEK z%o6fDu2^_+dl}5aU$?=6B`ETS0O$Xoiz#K}w59A#rIAuQkxQURcSvi#6G46kZmeOW zdc@FqEW3NE&C35G%|M-w+gZGYEPXmcV+wfAU?UsuZah>vQvrnnQOeS0a zema9v0?12B3Y(4YmcLcvWA)~&-9tyER)#JR)e8fH6N;aA=66R$pE}9S8MqT(bl45N zo{@g2xA=j(yCqn~EOyiwoS21V-Oh3uuBz(*t-3-Ui*v8m&*(ADR>4jw%VGAuP5fH$Z7dRH-utv{?d_7{ht$U0mHxGs0Bk|0L%5uO>RpZZt0mc+n2!(+)4; zO;ZyeYq$%ld=A&guzur7Ne$Z??Md}%tp>PyTNQONMf(|L^sEc<7XL=oG+nI=IJCO? z)*{IJF!?!?;oAhw9f`;VGsoA~u|dZAFDg=d0$k&Dtp>Qh`)l;2^?KKyM^LOmj3wgc zf@IYo*UkY4zx9DFEP?DX$JulW63}JxevMy)9dh$Q^!(~*pgO06P5bElvXW#*gui>1@Sy#B zgKXydlv7q;x%W1!JEm1nU1+y#I%TL1xe`sd%taxWTt(K>aZ9T0En4+f3!rT60Hb!9 zAE6dg({y=Bu_v_VF4JMTrXbtl+i(p!P+k{)(fzF2b|mn6<>24}{My@q#)p!8sqJRn zmii_wXgWS|$?sd$xiw#6Z*0hw%YLvBh`0^W1^+bA;`KS`PDqWw0gbOTvtLi^f=laI z4Qol@8StBH=**eTYrk*wxhwSh%W?p>SPQxW9B8Pt01TT`3IdMr48u*!hc*hZ?yTK= z$}|jcm6eT5B6zT>*~VsWjDOBjLdf>0(RC9sfjR?FW8bK;Q_lTaIt`eWDErr z;?^Dgzl}$f>206z{t{R(m@OWacIB&MYi9`3=m=N1E} z+!cuJi%^fb8+UGwV3VT^CnIiQ-qRS#hIU(_J|9j|44b!LF}(R<@q|`)kAwqXl;PTm zTlo9}>TkT~&6L#-@5p;<+xPsmk@2}0J4{I`WuZ`kgGJ0))z7x7J$=h|07nU{Ik97p z=hq{D+ADXU6?$g%&M_o0-Ay=zv2X_1oq9Vw5XUcr{RwFCfmY(6hML?zND@R-a?UT_ zukTmZ(X5uv6jzBE$=8s7GeG_pUWHq3%jCo}eC(jIciN?tnVsVV&f@ekhaY*nrWoLV z-2DZ%#zy<5YNXjjR(C?;yeID+oPj}km0}l(a9n3J4)j;pDTVZ^%Ajl4eSPQzsxjxP zII2((r!4|*D?7!SR_Sd4YTyvOke*=l-_BOET%4E8q#dDJiUi@Ve&kW09V zpX+f%nCo000LY0U8SH>3%iE%``c62%u>PbLrT)clfJ*4%(20b3;)Ikd1P;9Jc*Q_N5Wyw>XitIj@9zTFg73c|8 z%!6HGze8Yk=FXw0fq5quxVu@kz$1+#%5=$PlZaw)+V4jzQS(thPn#E~)B4`9kr3)i zJyubD`_%A*Me;0P)=-$rR%}dmu|9aJ**VRq4-bfV*)EJ{jtM|oSQ7Cm*mM&cP_IoN zuJvI}H$P7V68997GT8a`&Ia&u-go}i?fq3ZJ-gX^@j78+oNbfd2>4+iHw0K>aw0VX z5y5$NPYSZdt#n4njvu})sJxh#@yyjos^TlQ(Aez9m`)LrB{N0@x&b67NtWzZY;rfO z?M`6HU|8~BM=^uYhasmspBrR#)Xwh;Aq^wtmX46EK%%WWRa#joGUITHrzg{6u~w%j$}I7yYYH|EI9a`M$v7-d%r= zE-`JU4CkB!(&mLU@0Zu_@KO{*CY68Z7!+If*lX5t83${^lvDD}5{2L?KyjlCP+e`< za4=MR%io%r*YnmS5fjvG{y_S0yZ-Y}P;oRr&B!1C(Ti$}O)WhP4JjZ{jB-A3~a z2P)b?p}SQc*BQmy1PD5}@X$a&^;Cbx+Y0L(h!Lxz!S{b4`6Ls7tPyR;J}JL9TC|$! z(35c<6qdhKQo+vs_RdWpzS5G_L}}*XFMNtce>jkEc$2cfdkHi$XnKPwD%Ps_=WWnF zz%9Vvt&Nyme##<-I=E!i>X+nfbZ2`Z3dW5t>udI)p-@OrSs61pDW&L{2LYQjPme_;fb z`dSzS-od~baD|GqD7T)WAmz};K7*t!LEt*skUU{=I0D4xgd`c}oXLMx9NgyXKwd^s z!>whnYdM_*JN?`JHMCX@huxHq3|SO~5Jc7MktP;2aueUWH<(844()ab)s?DgajngW zg-9VHSJa(+Wc9=Ikt%Su*stf*L+802!Z{#NwD;Ss6T>sb`}{QRa1)j(H?8za*`zF_ zHH#LM&2qEtKw2sH8Bly=m2v$D-v>bWUCR&bjn$6418^3|p>&(iZ-rJl@up?-DU{;} zDKIXervaw3uK+3c8q~%GGv5k5Vi!|cvA%@miIE&xRx!+wO@6v{_|N<5pUvTfBnrdv zmN^*Dp$z>wStAN4@Nz(69&nW$M75jVd4QkBUYpoWiRrEIwjah5t0lG$8Rp`g-S$52 zA0qz7ae5?=t^9EHL%>V|8$)O99uU`g11V&O>&^A9hd;{1z|jpPKUy~0qA&HgbTPa z`x`twL?jY|z_&J#{Is@JBHrcmZSx5PNXr zwY;kK?eDe5$h0i$5{!vfz^Iz}K(sy0vIRaXtcDn}IS?Ldt?pC(7Z2=F+x=oI#Wn|j zDh;L&$^T+smESiVNW+9}4$H2t!OiYse*6#q?ti74c-G1Qj@+Scv$ptOd&BknXCp-j zOu+DFzXE+&sND{La?AsiLO+lng7)q<6` zid<$`>gN4RgzDn=Ndfh#Eyvm0!T)vnkLUqI^u!m;j~-I+Sz@c_seRc1%{wm2GNOO- z&ztW*yzo%BAAQXfWryocP)lsyYn;(!rD?`6RE zUqAiN4{r^*EU3s(V`^1e!>gu2A)RbQRaTo8&L3qJSt?*#s~qG02-)a>|5;q|43yAlqfQr&AI*dUq6b^ zn4UnYCXSjy%;>djRHdbed_4Jiv@x^*_>%Wk+7#KrFAkQ6wfBq?RqM3g~Y(h($i*BFEzwt=nn`#DAAZ7`nn%ZwJ z&43cj;bu}T1Ga(jkdjByoP1YT80lVegx=Vsfjk@6gHnVW7yCQ#)$WO!wS<{Cr@lCc z9gn27*~G-egWlc53J1pzFVQew{-j0+*^Kvr)#Ku2=; ze%b%{8%ply5NdUQCdWX1K>zk-|1t&m2Mxe9Els<6@bZfeu=NRsW6OH|?Gj(=6FP%6 z2>SB_lsyQD|$tO2M$Jo{iWp#n!|+GVKdjegoVAS$n6 zpjp;`{QljVvS=*vC)1aY{4r1=o?wv329(|m;Pn{&Tvq!Fy$M>UX```Ku-2;)?eGcf zfiz!Ju&x?Ce6zkw^A>AU*{i=mvhx#@vDZs&I7jCTd*GPBIA$~g)5OQX1Nnww+@#Y8 z)b_XQc&sLgaUE`V{Jf80FY_s%Iw)VEmpX2k*+0&kU0zr4#m?%#z<8y_b2klRRu9`hgGDKOTX< zJqt`y=!%@(A_v9vQq|X;0m+CPS+|3g<^HQFJ_~w^VYB&jJ)~>3X2l1y++yA!^T1v# zC)FJb{_iA*G3?5x;?e2IV_bXE7f!px`GFciBrUAy$r1D&u$LpZhYvIJV**0vY}8H> z@YZJlSX4~NitV(W=Wj=?-Z8Fn#I3n3Mbb0PNKU~?u=oWv z%dJ%pZXJEYYcT*?<;5j4BJbL@=>h<*1vY`5R(p^bKwtnE@49EGth@w33QKYao9sof z>ER0<8~L=B^s%rC;Q6Eg;ZZ)I%I(~~1cWiD?o{Aw=(=R)fcSy;JfQJYxwzPn)ZN<*gZu)-BxPOSmY}txzHVgI^i>*7yk^XXMz>}&8FnDssIixCds+@_6`m7lB^fU`!Gqf@At%mda5;ozzDuetEAL9vuZ2Zolk@-~;^F6faGV_(V@-`u zB#D)f32uhy0^Pjjg-A)I)AF0_Ku>ph(#*}B9tvKvIw4vPKdO(&Sb=M?#gMx;n_&*t z+0t1+CH*Yg5Qu|PN&P4o=apYx2pEHUh56~EO~bXSXqii~)2?p(ysl=bz<1wvRgCg= zw5(^?%_`t|#!0t)L}ncH5@@6o+KXB31#ZzR`R0H{Jm!V$rk@CA_pG{H&N# zRW&~Kp2@X+ovw4RMg}HyPK}Q2vAGt%xS|ga5%PC3Dzg_q%pDZI{9Wdyn9(lt9GE{; zQYFrkWe`{UGT_XRk$&;Wfvz^lI9;JPDi5;y9yd;=@aPk4hCvy7J9f&4E|C>On{#U- zDcva%Yj#aLSFpq0s3w6STi0>7bMTC3%DDTuqWE{T>#{cEysKc3W8KKaPa4i!!EK8x zLF519O?lw|@{Ci-KAh3jC4zIU{F&qVR_#J{WZKwR{oP?OvDEeRAc~BObtNF-=Hj@TfGLaSg;ItRfPfRNvRMu--h@% z%20tpsW6#Ggt(sCBh{MR-mm|5<@SmxIXSOkzsCn6(g8M3GdA8KV#J6SdVmKv`B~Z zsBxMlDxZmzb+k~;(JWV8O`e!KT(g#S=8|SoCir}h-6j4+?#6L3eMq6%DU0nCx0~ME`jVy|@rDJtVi6s5H`#+}l`V;}bK7vJ!i936Ql568 zQ2ND6+tV&o%=c)a4kgoIinw>=B|sXXlOZAOuvMve;+(=qAITS^Y7pHmN#g@S{Fw{PSk&6!w((c*=B$GlKTA zlH#7G_#<4@pPKzrmhxQ~VgO+K1|S~E>?z6{F}dc9jcy!(rV;-e{duV1xWwXum*S(_ zf3IUQ9)CKmRx_H%NAJLRCaQq?T>d(LMA6B^_DiH7|Dzu9mHfHkTTRJtqlW9SHIhg6 z4Jm9KgZ_P@I7?079S>_yG;KwWG;(H=mef^$=MpL!u99Ps-&)Yzj_XmRcrJ43lWIn` zI>=mxXUvW&5(P4ZK{Z$g8vD24p#yAGAf?w!96s~}IR1*a0{ds|f4kQn_1&GP7VIM-k2pi+l{s(! z7&8c@9ss3KmE0!>{Lv9%368%Ps!UJNos(JrTgi6*8f~e>ZJ5I7&VN73KgWL>!gbIn z(qsL$`ywD3Qul3vbd}Fy9FSW7RP0Wt{zm$e2FM+@`r8Bs-MOCB`t%myJU1+1I_36X zVy{NB)ATCo>-G-H=U`tFdFSu#xBn52?v;O&6xVKda@T};qQZJg)m){}wW^QXy_ak@ zd56@fNcV^9*TYfTLy!BW0K?i0gp>3vZ@x1Dr7N8&!21mW(3{c$u%zm~Ku$JU{F$B&rX?}L zJ2Sc7lA$m6y~>uI&UR3iF#z&7?nbK{J!3^ z>J)0R1Do?8I!Qn00n~?-I!kXndC+;^KNxrHYc*ATwbEM;!C4W@qhHMa9pkE5MPU&N zbEi+Shy;x^hxTK;v09q;IX8arkjkwBn+d~qg`JvarNSJ1OVFWHGW?EA(IX+U73$Z1 zjBf=lKnirkiKJhqMd8}ItY41s6L}pnVkL4zB0k6!k~Y3naesXCO-xI(^-w6LU8t(w z)xjz+7T(t5h+91JM}w%*bD> z6lw^oNrJCW%^%`^rBhGJm;;o*@C})spnGc#uQt++XqfQ}?d9wyR-bAdM;j4vR~*t- z2xmaDj$1NB3ZU7cr|f8%)E~4Nx>RFr#EcP;B9PP)8MUO-%|n2V^*=jLaf}m-iPDw6 z3vbY1xdi=&RccR!ZMy^uSp1CBJ;06OBt8whiGQ%tS%%2}O_Zfb2uk<89fI9q=sn6S z%D#H@85X;>AtzRk!GkcZq{ugR=QB+$J!F4Wc&s!_->?55&?Tcq+r3M zka5}ah4O#%Rh+4_Y|rdmsbI85RS_*j9&V6GPQ6)&KY;$Z*zc$ll`JM|Up8KD9D!u) z@}{RD1U1LubbXSTBx;!?+jq^cG<#GfG;>WCqItOiClkN0w$8G zvu2BXoF3;vIjWg*xhAN?@ocQ&=4q1q$%Ja3s-Wdw(*y7b5fdhR6_BVH zm4$-cTM#OQ`Ml|U-{SJUbIQ;M^8EoWrXc1@nHf7k8 z0`%?S!B6}xyRHyNu9O-dFPaF%K2O;+=ztdHw(ddPB$TLb{ajA{G`%ym?cwMRQ0?Sm zUV#~;vb%_HwvYob^t&QcLgX?~>bI66#4$*}h5axaGnP8nwaJ}bhs&(8&P4Gk3GCJ$ zeyz2Qg2!xXtKPx0vFs!#174JPJHi&jDFiq`b|m)KKY(Ux_QjW-X!c70Uu|jsLSMHG zeutX{PHKu~qolIJcXm>%C zM4rw%FX3I=F};wX;>niTT{MEMU_Z6ImjrGT5nh{1&>>O+`;7C)VMVgmn(LnPnpY8j0~&QNcgf`agV`Wak=6iFR90<= zO{CrJ&XPoh{yY;y)Wk;_SZ&vERTtge2sd6H<9NwZcc+wz(GtUwZK+7!$a%C4Rntct zz;JOEib}9L*UD567c|a=IKDW0+{l#~TWHp79)-cq<_X)^x1PoO%ESr zz<6$RDj7;43_|oeQev26B(?2t#*f;ndB{-Nr#WXNeyw~XS%8d;pe0sv6_O%))7rjg zpW(_%ygnp3ti+0>$-J%*@bl=+)9UCW!~q+T7^R`Jt>H-$4nOF^Yl^~ z;~HOXR=twmnn^1L-gy%;Q?~b`CpGe5T5R7oL{nV^a5iIQ2qyCRP-+3UP-P9Ypl66q z-i`S-tB=H#%WP00ZM1?r&bN;MX((;()mPeDg^~;4g2{$Ll6~}mFD6lZI@pmh))JgW z3d0&FJC{hjM z+D??dqQ8E{{y~Pbkp3@mJ5=3p1PSptmBScfLS{OfY(6wj<8-vtO64UFsZ2b;o-%x_ zWGL;>%|A)rAE1CZlAgbrPDbq!jivb*K`lUA&Z!>(Z>%q5^J)*6$zNP_ z%D{?wfiI^gkj~%l|E1_V<8eCpbklN8z#DY@uqcvj`PO^)i6em;Z8s#+QWCD)8>QQep|&8%TC{lV#iqLV5FzkT5B9+npZok|6CzIwGGQ9u z&QC#fVrtgaPb}uAsDh%GKj;vT+P8C4bH(Mtjf944GGe@oL%bDA2?g0PJMuf=HreW{ z<;hp6?QYWgYr88F6tiD!PO5s`plz>$g;dAPn==ugy^oxd3hy_~9Z>qECfb;xM6TP6 zt3YbIRF5F*HYJ3*6JQ|~bP#-_t_Nez56#{g`T#UNEAOK ztYqB0t%6NGS}zh4g>J>iFYGrFZnjyXst1?`i7X z+ty{3buaV$r^^1p(8)b}b1sz|yzw*n$(}i-rqTa}UU}@@B$pG7N=_5oi?`cv>Bwqw zwIg2*u?XXrqxe)Uz`&KTwfH^LU;J2kj+NQToAJa@ zEnAzR8mvu@W-hekr0j)A=SaT>>Y#X;g~H+2Nb;|5z+#?cvxR^#edl)W~5lrpUZE0kCe+u|h&BT)pW~xxHb6<}!O>4|6$^jO#x(ki1`|H3^ z^A0f8exces!|!yTBYsao@cqG!`F<<+t=P#dDHA+xJ)oL20QAcU%FAxTrfIYJy5NGo<@`jQJNJ z01Hjz;LVsv(?0^BW^U*nSS40dZW2J@tiVvHF~!RSgQDlc-Q;fFOkY8ZO$L|@W zyY!7gLYuPN-jRBD)W;8IlYwjqW`{ER#zYOPNZ(P4A#{QajlKSjefB*~=Zbv|BmLpmN)1C}h8x3!9b6PC@3-}YBY z9obe?aobktgGOgQH%T{jFjpsY?U=0m?4{$IGTVNb2l2`THy{_dS?U?>vi(fa<5udv z%1rl&A@zOOx7VIYVR=iwM_6S+B{oPVb)TH2fH+e)XYL{1Ft+BKBQRIDiW1m zzJ4!B*;+oFr+jqTM*(HaCG8|VOW%789K}}Ik|Oj06JQPZ9RR?~k6-bZgt{+bhV$AS zw+beDn<>G#7^?OAfN|ue&-Hi-f`wv^Nw0*PiGZQ@fN@-To{bvuD2oZjcjLE$#Dx~3 z=2{i^CL)+L6Og)kWlcUXA-)+;O9jS?3>}?n>*CguS(21@4=!uMWywZQd}bK$7;d4y zJ_)9N*mHRis1_@dNOP7NpiW-U4xp&N0!$pby_qU4v@~!1yiMc@(h}3%c1M7*{Zt&4 zNp(2I6Q|u^eg1rUq&14oVq&*^j)O7?Q5z7AnPw*`S&afB(p{Lde@xz5q7CuOpus-N zRGmCdUFaf0sodv=uf3upLtsq18?wX@8qOIjK(4Wd)NS%I`ZV)KP~@{A(XMh18LKw$!(IMf&gR273$4=r+}f`rV>ZQx^xHmj_Q`R}N9K$Aj8OFq{P86V zR>fL}-t|e4LtNmvGi+kFfp!D-3z!q&M8{P5jx4Xx5`%Uud){O|DxsU7w;f(#o?(yO z@$UW3W(ajNc^ymMI$0Dn!+5+kMw^heW5qgVj6OS!R&+YIPd z*lyJHr|}(2pYr$;hg{_0 zb=XU}{e0Exj}`eksU?N^uPP;m)6VP|mINtq%)e_ZXO1Arm=ny6S; ziS+ARYXBN&p&u)2HoqrieWaD5S zq|;s%cnVm{qy*2F(0H;TLPGi5WD>WsUC`%eEgF@B2Cw>JsZpkGBN!vr*w)frxB!Mg z3RVVrc%N;Mz-%$rmhva!p4goT(akZ;88gO9vnUQiMsX z>OR*`4tM;ilcs0jXfUy8M=4P6`)Gk5`-9zEyHhl4Y1~!>L~&_heIF7g ztukD~kj?~^xT#zX7`3xpw8x|wjsQZiiUFyZZoipTj56d}0jpBfEOOYYX1|F=lY3f@ zG^^;Q94}8r|7_1Hy(0f|9QtR5t2M3!V6UHOq2+V83*6ld!mgF;pLJRSHpH9F#?xPI z5GAb|%>)wo5A16*RiJ%$xf{wi|J?t>H|th$w^@QyPP%LWvstF;+XvYRYWI7O7DZ2Q zQM=(os+644KR?D7D%efMyvy6*xtb()AbpPO_An12@VQq`7iaiXeir~4+honX=ii!O zLAIVKy`5g93qU9*Bs4w+v;$w#YHHb~*%RB3lI##D5nA+`vorIE%uLJ;~l;fA1&kYE;-0 zsgLaFoDRXl#Iw~b-LQD>JG&s}Y3;L8Yc4o2Qb3BB7tdJFXA7;tSubI#bKE8}9@*DB zum_9ynXFQ-W5#tVE=9;7BeH?BgxhIyF}U7dsA(JehDGLiG>1jA*UYDxrsPOQT>54k z|K(Wb&m3!ziuwE4c_bC@bru~_)8_UCk@6AF-b5nfz|_uk=74gjVfGwm&Jw%_Y#?a4 z9ow$dn)8ToJCwV!)u56Gi)=G}`xDUo)ON`^SxhdPw+Z-K8pF-=5JiTnD@3j968!!A zBklFp9P!*{p`|~et61j+Q)U9_X)8!bE;)zdAt|k*}MV!2YU2Y}mza zIsI2QYpt+NS=leVLgTz7l$5Z=5V9Vxo|#eiWm+FCu_8^KpvYbGX3cm1U4dL1r$Zd1 zA=^V6pP`(ek`g7=p6V+kr4dkxliKC}+X2Pr&foQ;b^DsmjtL(=NIc!AHe)Le{y^1T zM{Ndj7Q%~yUsPb{Zn3=#UFcI+34fWH2eu*Vo30=t)zc}2=z9w-+t=ia+0gs3K)l4& z+npUyvA><~u^R8Jn908^Eh=XV0QCdfmz8GxATA|3ly>PdeGD2)Zou5d`D)G!@hOHZ z58D|m{!#g78YTBJa(Ib{ky1TF95G+_S+dj_g1#JcUC9`z$!0Zz0>}ARU~v{)t22s% zOqVINgXM@w(*4zmqot!*A|XW&_doMaJeMN?5)({QBqDoB+VAD43$X?V91B3F&ouv; zY^*oqrjcnJkd~5PI$)a5;$OmHaW%L=v++oVFY06Bt2pq2VXp!BfUVs3KuW$jSr(%P zUl6zOoCbe`+18=8ak9y}bVWYcEyDF{X~hx59$TnvcA4$NpfN@|9*ccaY!k`(AfsgV zVV?asIz3?8JQ_LQ>T{41g!4McGDrPKEsAvd37iDmTFgwf6SW#*Yg>+{v}1k%KA8?? zgZgyO*LgRo00*#HO-zu57W-WqNZi98x>nnYQcko7f3dEfoQJ>*u z^PuX?H^ubJ@dhlu3ey&L09M4#KIA#!CyUpFY?V15A%=TU>GThb0a=?BmsqCJWWECX z61Pwhm>$X!R=K*z-HCWkKddg?H7|HmMs#rm;>O&G8{_v#REShYoBV0sRp*ozBfnEV z$z{(ASC4hNXJFB$p=YE6?3s$s$PcET96mnID}F6LQ^`H9m$wQt9*@X=XWTB$4&4do z*$>fI8YRi&TKKEdR#VfI&GR5mh~kNub`R^{-P`)wdW^)QJ9yyP`!c2b+}Oh>z>sww zGFa-5DDhF9Xw;C_Kl|@Xf-{~`S2X;X;3cLw?osW_5v(n_dX))7Ap1u^*kJ~L>No2` zxtQLc{KBQcX#2Kmv3zUYRp;{YDm$A{NOdJ%bywjfRMoyvG4_d)t=Z_X&AY)Ai{9@^ z4{(F0fxYQrj)|wWswXn(Yi9btH=njiVLvKWOVOH8Iec_=Qt=tehA)Uwukc6J_+AB1HJ}S`6a1_Rb$kmn zPYzy2NsADHkvSi-!JbZJ8t;L)G_UR3c%h5WMfanWgV7(!mKu!}G1>0USJ<3WN#ne) zyJbmMt~Hw7=Qa)2FtMz_Wwf*sYK@aLLwsYd?z2KEVdro=QJJ#ep;giOUi}Tt_<%|! zDq(@+1W5^a;F5U8Z$K~wIXP|MG0!)Bv=OYmJmlbphkYZA+`g&pTKYv*@tBuO(>% zzpV=(dJ;K1@NyO<9Re1@h8J?l=etq~g@-H|55juEXO44K&j@bKru4pvAZcMcew|1Z zf1Qpu7Aq=E+f`zG48;0(`bhRVz*0Rc&Xf~0n(2%BAj45zd>sx!WHnstD+Do}DnZ$W zrJ#dW3o2X5O%NM$AQ4uC?0ozC$PAJsZtZ^~L_a%KHqxR$f*Qt9X2Q*lZJ1o|j3Wba zjO*nI%^jCKiVUw}R57m}q2oK|xtbbjBaPcN1WRVs<#{_1!DcncZQ_QWu5vyZtCY)m zlZ%SI#McaU2Ka3sJSLBfRT6xorUzps%-Q13ei$@gZ>3Qfy;9YZsrt^SWhEQaawLBg)(QC1bZ98Rk=tcGTdnncS?-(#xq~a47zgt`d^-JUL~T zb-6Z3WKmR@^UHO}39df*p(Mi@`B}X=n-&`17MY2szkmhtqg`d147q3HOGKe|4ux0} zdZd2d>8w=kBy7xP&Icn2*y&YLCfr)m)aJbx(qU+YeF1QgU35!R{78S423V?rMTL4w z7&B0M;gEwA#`(Pfy8h-b?jAh54Qlt@rXy_IZ0EakMQ@O1obVy-y0S-sHIlzKu|P}P zHMT&AsC!jX&@14#u@Zmb5MZ#4F-j-_a)(&f6&L!Oh_(E zhV8?FY?C*jyJxBsB0C{g^c*ruQHh|0ADX|&+zoL?LW$Q6S6@bJW|6;t&#KVL3~gka zxiHV~0oGVmjo(@q-)vx-Pr0q5Y~v@o$(>#Ya$xHo{BtM|QR<^V**L`Y!SCPrhJc^= z@P;SSEP;Q+wEv*NKbz1guEs{jxt0LdQ9+8M&#RJ(Iini-8?jfMp&cLBZxcOi&6PW* zKU5wW*ApQN(1em*rm}wBJGsC%nZ4*%fq%L4uq`pMT;>SZD%eonHOb!O!6R-yp@u9R zJPBtG2)LxnSW(2p@5amcb*<#}@Hy40Y@-diMz;Vh6`aGT6TWvlSxEDtxL1zOKiD(x ztkm6}q#%0Z?7`)6uq9DyHD2))Nv5O{=O6c+>>Q9cXs1h1Ph>nfP|k=J;Z`J9fpzh1 zN@V)VVKY@)TgUO7-z^0kl#3_;L3@MBVzNeex6YE6Df3{)%*_+62RL#HMVTiiuwCbP z&Q>B{%VQ_bka}vFyfuD1mo~Oi$4vb;5Q*CcTsi`PAbaEx5lXg97^XKl55rSCaq|H> zVh0;f``4mQie}LDi7zV-%jO&bloS@4u5OvCc#!$-9iE!|C_rYZJ{Z8*pFkwL7CR>W zdQ_iVb!Ym!b@liwia2l%NfL+pV3)Qf_1;(7EGmazuO^aJ2Uaaz_hl-f*p_Bz7URXL z7_^=Iq>n)JPZ~m*Y2=^MBbKK5hwex~1V~9UVAo+;?9P+HE1aU2HJ5nAd+5eTmVGLf zcqly{FVQEe#jbEFLPt5{_nf| zYN)rI3SCO~2@j?r30=tt6K89EE@k1E&O(6AFO$^;i4JxAmdyf7Hv} zvx~qWu;z_VXtiZWMGAa1w6S!hMrX0SON&dh$ZB{(@M-D3cn5m2e`SzSP|Mk2E!@^) z#klnG_@Pxr5$-V@vgn{R#;#Wh8)tPWAj-_(8m->p@?+?O+P zGCYc%!6esiS3xFM_&Du*hioSdUC5+}-3lz`F?0b}?0&vsKad7A-&qn-I|u<20Abw zk7@l!K6oAhHii2-)n$G3Z9>s-A}02X>zl%Hd6L!U>NR+mu#?8q&c|8=A*e(rO*O~_ zp79}v2M5XP^3O2dHKTCowoAC`lefz;ol@muBtN>~bcY|0?0j0%SH8cMEQ(!)A+R;ai z{U~F3O%J&2JbJUS)fOO7DSEZ;RC&M?MZN0uZ^M4$R?$zzgLnIr$j#*(a~apsd-6b8J{I z`eW~jr|&|^`%Gl%S%UaCH-S*|%E9ZeZ!(NlatUaBTNox0I zh`NFlPVtR(AZAd3NgHf~)kJ2UlLjfuzwyhDK`K6nCak#6cCQi^?@K|7;6c9-e`g%T zg6CI-jh?*>c?bnO56-uJj1|UDAa=^^dgbO}L|ViGY{{16p*J+sHqGjetvn8OmM)G0 zQ9!V`g02~Zsu_rjeVhxAaelB3d^-FQvtAB{t$n`PvNu?ZuDpr?v^M#7*(+cVq=8Wq zutt**^QQ@w*HrZ8*(}iwvhrgyo!2DdXIsKpi~~1QBA&1J#fL1qxp+(CRTYxgsZNK2l5eZ%vod}43Oeqc_kdW?MGSOU!HGuqK7@b6%? z{Me(!SeS`x^$nQ&mQf;PPdFins5G4``p>PxinAhZ@(R*h4@G<-d4L}rTwg?~Fkp`t zB(8p@(m#F^z>4><`&Z}RQVp_$(|VRM)3};)YlTabfGh5A86c@;D4v9P*DV!B0hr;l zH@+b2gr+8e-3_JZ;Lw`4#Z7tnZZAZ*dEEwf&<~E9f$iTJ74t0tEUT|*!qqJ^z{)UA zJ8Bf@%v4s3JfE_8J(67i1$yYMU(l0T#ubPnQFb6=I~+3K=yMX08n~}D2TYvvs+KmQ z@T%@q^t%<;GmhhOwg>)ziT+ea`g|km!ks{B>@sN@@?cvD^kl!49U|TCSRCC2PzSWw zM}YJ{8PH-6|Ed7R^`T;{&bN^y`}4&uRs(ffR6#Ee$)T=YBj%S`OZ?loUY#n^Y5d4~i7P`!XAHCRI+4s9vHV#{ zfLGTVinuFWe*iFIkzqF*IGQjg5_PiU`p(D!?Cn)Zbir@L{OXxQ%PU z7JvwtAlwCGG+)_fA>f*dZ}u7t0AjDRQxfGaSS&7$Q@j5DIgwp)FvIG+5YxlZiO13( zBS92#&w7Jc9>TE8`q6|Hb2(7MN+#X5ClovaieRPX*J4yAInsr0XtrD~$b`yCTW#UrEr{081KBaa!VE)4};yY|X8hY?t zSIJifsh6*L*{kuPrrk;6YI!xsJ35@Md%qv^l3T&@O3SD2{sj<9qRN^LLBIc}a)_AK zRY#17t1q-ph3ed)0xudDMUy8%E4@QB@)Z85aS_}0tdt(HToKTTBol}olyM@<5`iwr z(punn`i~a?m+UFPAMybI#-8l%UAc|WJOTl8n-~@;@F;}yQF|N}6q>Z9loCt?rwK*1l^p0} zK~#Pqj{QNO2hTq z($!B!biT=-$Wb}PSY`ZHH*tfOSg`YtCoP}6kSb=*R!M2U6WOuFhz!;a$Sm!RP>Xd`_YE}5VOp7!L&gdEav-O_H7+XoUF2Yb*k z8s*+1^IpP+ki=Yoh4GR?=n#O|YHsp4>}6Zdc*8(VJ(eLsoVW;w3^uc}Fb;Op^# zWETF`EV2{GZk3KeOwdb9V2t!K_8w#N86t}{F$`|LPX=Fm5^VcAf3H1ZHx9uz@NNv(qrnXqN z2^b}*RYNH68OBT?Un2#^qACYrvvBAMq6w5wxOszijN&?bUSA|was!R(Z9th!IjEcq zRd^ipD!<#}oE5A>DedM&Q!=^c$lUL8-Z00nDH zTFeuY&9><`y(TtG1O5EYq*Q5_kK<)KZ!FC4B1Q{4lXXx?oV?(|TmGl|kjv^LXzlwk zr{;iDUUir7stOm@A!DxXHHryaAQXr$n_-3pjf@_XovDpoa_u~$VW@as?UN}?fCV+3 zQ%jB~np9A?-%TzDl6E;A8|UpIxj?;DQ`R*r|4Jnwo{(Q}b(EYzKanW48;yAEwG|1Kt(dGfap-mHLivaFkmW0~q7*jqZ5>5c z8B8Vu$%759oVyBlzj_3vh6{($VQ^K^Glfo6FHyXr&I)YZqqSj0K+KjIjKowl(P3@T2a2Fi)Kd58d+1vA#NQpp*JqKti?nN zIThZ<&4sCurRj~2*^gR08aJz`(9=0QJ)S(xW~{KqJ?a!#VYSQGS-S8i)6!w{7o>vi zt{Ih}^-=_x93dp&Ccv2#bUZ9Hm1UDx)apauOdBMWG9qwr>pg~ug4u(x zFIE#|8%V}BJfS$n1$>#2jTFO8ZiEfF+`Pv*V!aK5u& ztYpO*E**A&00J5=HuxeVH3Ye5+|^&rvMS&UpLs32?Row9x3rrhPoRPwincZn&4~$E zA1k8lx-#b(FbqR3!wMvzu7#*wR|WdXT%}{n=Qy% zH$b!kq?+!XpwmyKD1K+1>OHK(s)#&wW4aECGoEFuEN|%v3aK42%GsL(7P~o}2sD-t z6O|1E2L=k!4Niab9@u4*6-~!ln*J2y;W;~ieeBXF5?g2ecTE7U*ey-sKM?l2Sdz#Q zPR%wmjV1&KB>+rEp2JR+C9GCbFlMu&m_2lF0ow|UPzm&eN-$HuWb~@~`a)rCF`FTm zX!%L!`?xVltbhseds7)N@difCa-gEpGc6@8#|=4&0$Dp{>P$8wBNJ-(cBX*-wl7b$@5Wen1z7WhJu*_!^*_%4g3AQU%oNTLc z?o*zZnR|fuubHum2?bzI@&Tz}wIi;+ITG$H2SQz+n~%Ok&fvjzs}X2DBca!BJtam} zb!V4>KQ{}70Y-%S?qgo14+>A-4X~OiRrIde6$LBuB9qz6dzg%Yt4lw106@u{8HyhB zYmbeAJt#qq=cU|EM|snVIk6}z3S;smK9?<2kpd5lMsG62S$k=kw2&%2qH_6FU;yS> zczF_usOg3P+XXtO2f%jsWj;K2X0|)`Q~TKfi~Xr?Hnxb&&li`h0F(f-n`>?YGTN?t zpwMOutrVC-!j@}lyg3*oPy&ncu`pR=cb(htz%l40rJcoUoQbM z>B?g@J=q1|gt?{sHiLSeKqV_zJ$3}Ncwxao(MZsXCcyscMT2wZf%r57F~oI4o)=T; ztFY~32)oxnt7!@5vnqv(;{E^y3#8Y#=-l8<1L=o0S&XaMfgL-PT1~Y1+>;WSSGr}i zffVXCH#~Ef+>9Ve$d%I^EljvWVHrpB-Z}Q`Cvae@PVUM*(&3-EA0*{Q9-u%tGPOn} zo>_!hY|p4n79TPSl@T;9HpWzgcioy)mD`Yl($03tfk2pqLf!|{S$LbhD~6N!;9w=c z5eRUkfLyiO{COOAXU1f>se6LEVQ;MmN5{K9Yt=*ZPl=MHd7VA6zo+)xP-V!fF2HRi z9#?~#2P&*a<;-(4PnJdXTFn%heYTuApoFQ=wonLg36QI6wnfS5wDf3R!ts2G zWdY1kid5Ii-|=T#e}<5MYAy*%;j=YVQ|8~C`5O~VUTJ9P>`z!W!@BOsF~raDx89(~ zEr_1(2d%MnTMAOyq_bUbhy3pdA8=NX8e(az7E!B(SL!`BpFFNm@+Y+iGL-rxjtB+Nk;tmad*EE*n6j$#T z6C~&A&e`x>S&jS%$0Nh~(2D_ABilSZu2A*b%v|QwguM+iOE)pDN z&{N(KoCV}4g3kJGvdgDjCE-T6}qE}ZiI zfP+@}+NQkd&Ys8b+zEp%j-NoQrR{NQcxLgg?wy&F&K;v$6|WNsN!eU$`krOPH3 zk1G7N2acyxmm^Y-Dtb}n+R94znt$TU7ZVf?l)anI5%`Awj;#7AfhtVmpd0?#*U$B) zm+ZDWswQ-%;AtMdl*hO|ef_#DHIGxzHZF+aEp>Xcv9|It*R$0{*w<1Xg6PaPK5B#? zz$+F9$B8v6cShPGhUq%~9TXXlFCY_X^i~eRE%(={| z?ajOiSb&-N`IZQ4l&`p>4c{9#c|~K2wNl?CxDBr9V%P%bi#Mzot!&?}sfeDYtzoq$ zj`70ND(?ns)W^-+*W5^JdK+k(_qyo)F6+6PCKA_#wW2Gau$t#b(;=}9GFTDlwxU3H zoo=L}hSO5obu-h@=DzN>B>9UV;Eh|r!$Z_?G_Q>t|1Q`azbI}GP>#lTvpgo95Cnnm5&BsSjB_>bo2Y5vyN3S^?%i2UgBI}7N)-a&eK!TjW;+FBWy(+!j)?zC@D z%*?VV%mvkKGda3LL6}n`Hmw9RW)qt2EPlPWZ?{~->Ve30&NZ+yVEQGj8NZbo`DcBw zTx}kyv?$8gByOuVRtvV~YAM(#7a)iC;@MC%!Mj8IE43FcgbqHvWcN z1lQ8p#p+4WyEe&4+82rGD{L)YLX~vS=_+DONMAO2 zvizs@(B9QwrRyK+)51NtRa-XH=2foj8vBZU|JWe~3?iQSY~F2{30G+NG}BE#%nV)KO=avF4-Hn3|<{M zs}%#*yV=z3xV~0JqA?>r)H?$0MnD}9r*gT8UslGY$;%Az;DHH=zArN>$P^9Re|1eQ)DRFXHTE70ec4E zjAsC%yl^Zl8Gy7gmUS1{b_Eozna{kpW2>HpHV^l2NfAc4WmC%K*RF%E5vWQ0dh|c)YJ_Bjd4M+Q17pudf?u`~&hSFDp*a$mnp7-51TtN(&;g@$}8JZtnXCevR(X`%8=NlE$o_@hs`*3ZCagspLs`K>abE2|=9rtD!8 zPc%x-+_APy9zFNcGQo(gpX80xBawy+e<+SEx6kH*e|(#lJbjC!`V2r1FGNlO z4EG68tzL}R&yaaCR@f;ZW$We6Y)6E>(QoweDfdZNi9~wux>R?=*HPw*FIv5hj7~Priikt_sm;U)m zHxqsk@>~d<{@-V(zTY|9iAb(tbN~*Puh2T5?CmM}>|%9WL$m>{e&S7-y?gpLn94pS zQM1>8LOH@*NxKNHi>DC7)JPPup|248^PANF098Mt#0VvjDB`B!*sj2G=i5I5uK%q4 z_hLUuf7Fe6X>xL1A$(s)7u>gV^!$Mjwgwo$NG4{+fV=!B;BWqkP}#uR-XH9MyA*73 zz3B#Ehk11FVbjnRvC@KMsfK@9d}uxX2KEMolj{v`<7oPv;S_Oyvh&D-J zs<2z3*Df-p0a0SPN9$wd>Of+_vP?zxx0%L&JadF!de+gu2hTvR-W)OE;uz3b|2TWu z4-A>k9w#4`9)A^FE301*JQSiiGrr)T@{s<&E>MHw4|~`vz%wa8%u1_ZzyLn|cs6SL zE}gT^xU?LR`xfEbcgGR+{-sDoTbzRi;yCOXM~!cm|J_x27RpX#rJ`;F>{bDD0PM+t zI~r{$NDKVuWBv2|{p;F2d_HvH8%OE4?SL`DBPGUqfsi(Ei5Rl9dcv&I9Da2bcv683 z1Stae9HCscaO><6PZ0Wrv=pF(=3w@L-23aV|GL}1Z%^GPM^QWhB#1!43uU$|%BY7| zdC&IgSf==q0B+OuvsLT9$rnT)20xtYB|Js9tCJ`d&?-ZJvpSNxuP)W9_A-^XMY5BF z0QsmWUMqOA3FZEI&nmk28_pA7h`s*9S&Hzay~qBsEHLi^8gL(#iEd2)^(Dt> zo@Xjk_5eef{Pn0OCMZEK@!Rjtb>}{nc=q2e#zpZnvvpq24PVnIjf$~a|Mdd+b33aZ zz30@0XA{-^hYtAv^nf=g0^=dZg*);o&2?j6UrRswuS@;k{=ff^zlpd-co85G#%DJE zUw&Kvr*HRv|NCMzw?L6f^wMws|6)t{!1G!`W1!!^Y=Qp1`Tu8gzRiz6@;#2<_2g)> zt4sjatkPG#S`jNF-=zQN>$q{#wEs)^J$_^w`928UZUk@18M!M3e_t{&D#C{pQX_lD zR(S!$Gczm&wS(p96R&$5uis~>rb;K(g3X~n=sGTm1S}5$=NZ*$ z(!1L#-c=E)CfM2m$M82GVTuf168X1hpWl_>Ovr6hun9FCuPA2t3DN^E9{(J=bw*v# zohKPvoXNAX@aU@?{F;+%3=!pp^sChuRGA)F`iLyZ9EOY{VPs9jgqN_8)zJ~{J z9It{8QnhYCfctd|ICynN#0CDkHBeG(;HVVhOG$%S)l@#hZ>h|Lu`~EC43%g-=t)vO z-*wvC-_}_8R6)TfS4%_PR-`NpsaL6=8&zxWSwT_=>Ce>*{!ZARzj{%n{gn}ZYcCEW zmvR0JRZ;@GZndKMk$Y;zu1*XH>RTT8I?GRP#Y)C9n5zaS7McWA%0#Y_XB}P5o)b~ZT0y8qjsxt>iLqf@FgQZHQM0p&YtEKu%p|R z=>90{FyWL*cK_wgZw%I*{EJua*M>$5*nKGj$+WAqY_pv2%`C5pW$bYCszs;2jfs?? zOpH;TBe_`p`$%|~mLj!vv-=Pj~X*wDhe4L0)Shm<_#6A$6{cMG+zuq5i)to5e=FY3*gUs>Ty zYX^&o{ne95;4YZ$Q>E9HNR!}t%ru{_<6Ga*ebyxVP%*+dCz9ETZ@wEVoO_yW@Om;d zNYZZi&F7c^csvO?U_t3B#+^`aG=1RRZtfh)uUKYYpBuD2M*yr1fDy_JP-2@1B6xJ2 zvlEU13nH6}X&1CP%r3A9U=`DNw-~zt^!J)>M^#|B-}rH!aq5l2@Q^y09wHfMM3d)EeViptAOF@EgT#VDwUVs4 zB}>{tXwJsHV^ffi_YEzdq;3a$8fQEnzEgjfAJ)&G2`m3%!{a2j|1FsuLZ;|l{^Rb2 zl$$NhJKQf$_%_vKXR#V_g{#EXMzLi&I0R~c9HV7s*6ogdbBvgOV~!2YeLUbVbb5w}7Rt%$ZeRk}H-r^6yh?=ly6iZx*8Yz_S8D7%^3LK30#I zSmaCc#ibVhL>p2yg&)*~kQ0wTLK&TdI3v;n=@waC9QKb6-FFyi=;Yp~)_edqN6z;W z0Q7F_XV@m<%wN4J6L(qEs4X?g_Gp6sdIK5%aWONy z$tdWoeXr7Wb@TZM^Z%7^q4A2LJu!b?t@Q^W_O-)Q^?HB0%lwHTZ~9d?R#bPo8Egw) z*yNnfcvA!r|NEyaM1H&)K`Q#kvasThW#Q@*+*!*RkWwK*NH;`lRrKz#M(@LL2U;*JDGTO<$TCwSfR{gcfgF>q^%m-p4I_%}cC{kqz1 zIo)eMR;C(AEeZ$cAzZ*893}*vb!Xw4{NeN`NFMI~Ci{uKMw*O;z5od2{63}-tz zMKfW3L>D$a&m8a2-H3O-+4wpR;zM@y_g{HWaTav~tV^EYwpi}`xn*STq}(>%5$}#&z&KO1El%#1x1F15Q+znOeQ_3R6#rg^i)5@^;WhBUodJRI+ZU=p zcz7dQ>DWx(x8Uo4PYee1Q@{)nNJwt>duSQy)Y?~f6WQcwOY=F5$U`h1yB zFO{^jmm>1Dp!BXM$x+`O6BtW_lmMOU*(B8MStZ#jntG6}C|E4PPb*uEPBkAcY~}kK z@X%dSum&3hz=pu9?a+P+W;q7Jys*?a0lbZ#DLa5YR!IFrG5ae3To+V}Sk)kG(l1T{ zT9U>NBN>V>C2cWAPjfWMb&zO;WKiB&zm>p-P7gdVkcaX?K8Lh+OUna?f*U(%hCH8_ z16vma|DI0Icyg(nnN{ZvID?rdoR7%-rS|^mg8}q4nSeLx!<+SF#j>S3hxHQd?QR~J%Usv&Ec(mB?>SAc z_cPU+Byw=C*1-gfOTnTjJcaoQcs{e(eChJ*Q*f<+pTg$9fXp<^#a4tN3jDD7NsMMk72LfS7q--f3gJz^58dHpqj6U))b*|v1Yx2d-6Q=7zo-A` z%j0vv^y=mVUdua#-Tqx>jhh6&VlgKLi4PC{a`EMQMzFxl8O*=iu^azPAp_oFO=J`M z)O>9}(__?O?YaH9M8LCjr`dYmMk#OiRkpXe>ZvGOo(iaTxvb*JvU*ScXb9ZVX~e3c zrSrb^N5?r2DuqQlmM+CPzQYgS(dIg(7EHyAn!;ly(ISgP>naXJg_`-=!mUm#L2ItR zPC+7=GlN&F&m`!G+ehlg9y9Wn;ebtHl3WZ(3UOiBA>ewK)vojaH)ItQV9EM{5ArF$ z=0F~JGSjBA-nh^G`{?;SGk_dDCgz{JS@8PjxeWrl4|Ke3GU<6-Lc+le3}Nwbdc4V; zw6scQ16{&toRDeq{@)&wOPuk12m>LBMXj$OE8xX#(cLi{3{~T8dg5vb;8J5ZlNUeJ z5(|r{y8yjl10WEy#_(7yOR2(OtXY(WOqu%lls1J`DS(zpfz`Pb*y1;W=<;eFKV_{h zqcr#J5*qmjXr>c$k;V3azyRejSgB=vlCX@S?|lcLHg5F2^F_BwyBtAs!bvi*YR3<}38$|BI`$jEX{w*Zwg8B~_3vr9o1p zBt)dUm6Q^ZF3A}L1f;vWLqI`lNa^m*p;LOOfq{3=iF@yQKb&bg_!yQL?JpY@+B;{H(k+#b+ms? z)4X{cny?xmfln5&@Hr=%A@+vWWfnS+lad!bze=W^nq8qRv_(G*b2PWT;&MA$or06( zC^1`yIrOO7<|De# zfQ>>YnTV5Dp0c%DUPu`;tv600_Hp2JjK-yEU%wm2JQaAADR%>&9aljlI8L4(FX}W@ z7E*7uc0F0^Gozq4%lKYM=}yT9;cF*!_AJWp zH`^c04-aDfQ~&+h4N=6(yu^JF#oVhA-rE+2d^AVBuEVJoU$sBYF(%j}uOVofI@(Dc z6?nsn+ME8>IqRzB#gV>sxN6M7B!dscmBH@1U@owKX1x6Uc+73*bK-`AV*wH4r;DLc z`|g2U5`1b(d%LnwwFxs=W`*LVZkPZwge=@(0bm$`g6{AVXHAh`6^z$g^5nY=rQ5(Vr`AWt!mou71*2|E`VF9 zz2#9$D{zZk`uIoOJ*Vm7cq1492E##IKU@PiS)s;a{yhV-~2O=FfsfNhT4dl(b1cZwI~ zt@tiqpauz|yYt=Qttu%9lpyi?qx+=)Tqor+@0%demSQ_(a8Ui7aaZoev0avlgg-RL z6Bw0;E*<$TUk`h!XX&|3*v3Ly#_k(mmt!oTmQvk=jC{RTrnO6S8TLGpHfzc{*Y>^9 zBdi=v9yK)=%VI%!c=E)T^{34{%dLZAYJ<7C7QT7Q>+;vkwheaMQon`@>*DcX8nC(3 zw%sgO^)lDx@bEy;9eL~-_Fw8yg7)s{xKrAOIJwG7?ab88uI)~iPVA?&*~w$`Z%l?> ztXr^~_3mV9ZKie6!@_Mrx=KtF50wh!bJBjr9{5 zWnbwGKl@B|bFq=$4irE?#MDl`P&3ffe@`L)5mmL1STGy8CuvB-z(M;DnrxAxIPt z6EM|tdSUHbphzX^S(BmOpX7DXUDZ^?x#( zrPiT_*1j2UM67_v1;N*l;WWBs*dvKkvxX^&yu9Z^VXC8)n?k9bEF^7hcyo;s;V#(C z5c~_(DbHe9dxo*qiRe)kHJzzC(duX&-p?PAk7@K?-2FK0k2QcXGL>z{(w0+dp`+9{0c7 zP}s)l1{ZtVH2)hG6FztQvW1>N^uT$W4g&8NFX32cqM6v zPiDRO4Ss1khZz@Hde6@}?TgvR?P&kK`5bMiWlCQ+(FubptJSQ!QUiTXkj)Bo@N@1! zVwd=_HF}bS6$y>6Sx>TTL$km$M{J45zsFnoE8^rAG|H{?=;51_^_qFT1WnIyfhrvV zXG1pJ&3yUtez%^1#Y5keSw^Znq|)yk&n{lQT41d_YHjwV!&k2YyGL|W=zBCc4Yi9U zn1vhqAjsETRx=J(iTUtLp#xQLro=7Xq@VtcY?Q*Tc5?eEAm!pxPtNY zxKvp4=m`#`iJpkHdLHGmNiF3FbyZ`8R~SI-wkH-#i#YrPWA;dYabGury3 zd!~4j)%(DdK(|BSQV^e-?>OK6;-2xNRbs@Y=*4pshqQ7lFQ?NNf8pQWN@imuq@ylU zKrUCv-aM^KMJuw<{A&~ z!_l|iZd|||t`?z$#Bk_p)b-Z|SVHcs%~usWo>f=8ItNtQqp{a;S0M4@DhgWsZ%^dMOx;Njl2(;%7M~D{b$0waO_KFc2WSYc2VRzH^N@v}Hna z$91{n`JXqY7S8=km^?BuBa0KgI!^A_iG zbkv4b^Pa)IT(|C|Sc5N{Uo|W?E3^n#4DE=B0-7kdpguh@*D1Y9I7YsJ!+2F8vj^s| zY}#rTD`Y}W1=X}{A5}Rp=+i)=a2WE*bA3}M9fhGRJ!}a=!Nkvs@+2-(=D>!!It-jU z+zzWSSm+(RBg0=6QYHmOwT)O1epk1@A{MG{aNk@BGs~3_fE&OIQ1~P)tpo0^ zX1K3XQUwbQtFiPmKoVJOeu%}SmRvr-f+elTw~HlxArl|)v#AN7K>qA^6}Cjz$%3+p z(xoY#!!R)ornSM-O|cFuG-zp4gszebr+UqD+tk*yimoID+?V6Df-JG_@VPB*pTUlv zy3L$&f`WcB~fHK#gi9My|p3Wx>+vcF?OL&#_?zT=2Fxzc*lb@x_%SGxQ||S5b)4 zX-Iq-EKW%PpGJLJ_t%He^L?+I?|U$IG|y4Zo%e|<7+CC?s&z<5+aPaG06pG4By%8? zKF3cTh>`E<^(FGW4#q+|f5%LDQC}4DQ3DCwt)so@?dLYgWo%cf!zCc+?YjIeqUqpZ z^a5pv0?sPzneJ#M3wl&kCQXrr!@9B;GCIhInA&QlLUw*s8d32e0e81CFFom*NPoJR zp^m&hU?Fw;9=-lBoF(bQ7_n7R2vm>Lvxh-*fs?=^Ija(!*6sC#Oy?Wt4rMB}RXG>G z6=e!=4|>|QHLDUA{E?M#j#bjmB`n?SWYKvgWvu}=%{lQylRw>u>2jz(ZSjiBd7T|bu0ZE_k|Fy!nolPDcNJ=ArMz->T~axnvCra6k*C6gA(dXP z9{7HCE2V+XXo zb~A0DtsZNDFZbw$DU$U%dtLUh{kV7Gfzf}W;vv^$f<>m!UlExF2ZB*APgwoN5DpeW zn1FyFU^e_c))d1^KK0G^JYQR?<-eesPOq|{ME6_oXZL#v8&DUSm*{pP|B)QoR&^%r zicTs{6n9Z_pJUa=g|nb_XN|iax#c2{}E;vE^|ZF^>>W#mS1YdtS(y2O-)x9|OWxmZUgtC2IQMLIYD#ft^NR zH8SIAaA@>ct+fU82>a7&gf(ZsdSs@P8szzhBI&Pp{^50bd(wi5tKRLJ|D|9S6}wW; z(Yr~9l8;*!m;=&?)+rESGS^j9Sf$*P$8qQ`o~=-_g2N;<3hSHBA`Plf0|GhMp)9^% z8&Bt4W;jr?&&`J^E!dse7c`y`a~Lw~@LTWZy6N0B8zXAsE7Rku7snvn#~U zzaNg;RBe5(KrcU{iETQbP(ohGd5xqvjmU1(5o{4}oD_X8RU5XQs~Juni@;aUS2}^J z-YoM+TOw!Doct;pb;w*c@PAPLn z7lQrveH@y6Nr{0HD5cIT`x*+674|XUn=?Wih$sL^%Zn!9bZbMN1cq{~8ao`Jqe0g= zLl}w;m`l+_OiOiY(C?_JjndzqC013WhsHv{h?kxkC9o?H`xMaI)WKW{q5$>%@GY)Yc)r0bIzSS=%NN z4ZV~T25m_0K&zARXAtv(jie31O>N@?rqi6Vu?maPHlY65IXTfFusD3Qd#!ktlZmIe zYC*XwMOfru1km-mQ5~{8AvfgG9^1-v6lZ$70VTzH4hl)U-LrN9t4~rf0g?y=Mvz-Z zH-YLuje{jrmZD8nNgbPL>6UcrF_ZKPMv=>i%6u&t>SI`Qy~zWlN*~fuDH%Qg@1AY% zY_k!UwFW>>I14~oG4h@6!i*52c$*dSA3GN~Ci(5VcL%lofF+)2GHb&$mS@% zDLHe8ZjJcfH~1vmIBVkZtxmYvzq)c$pL3#3OG4(lhNh5ZPw6=1i(Lw<-h>i^oGYh( z&4zI^uFB3#T|#R6E|94TIvG`4S?H`o4@1Cxd65t{>xdFc_p~k>wF&Fad?=Z~p5=H^ zZdRtEUrRzwM>nHFZhZkK1O4(xWoyLKlU93_*J!5 zUt*^odlWx>aZ|v38pS*@mHjoHTymInsNjL>7;`(bTF%)5MkM3mpiBC5+r7ql4;S-+ zg;WoC;^0O@s{4B1Sqe*?%RorCM->|+EQsJL?+g^5Zg$447lrw0+f<)IT&TyM%%k58 zl>d`fBW3NzwS;Zbabff4(8bxp`iJX4X^hL;*WRJwmO-?j4K!;4lW>d3DmUU zl1CDr9}#R7enTeRd1a=!E{H9B<=JJIvY$`Xv_HGo8|jH9vQi-#=LI}47&c~YG#oUM zm<|a)%Hr>OoueK%kt`V#&)cW>&fR31WM3*GgSRLpD@C1i2dB45A5*KPdr=j&q=AGL|+OLnrhbvn9IKtgUlWp>mv)zapvP|BkptC!=EHdC%*cyN<4p=$h_~ zvtAh0$hLlbHYsLCK(XZoiU0b>Bu6(6i?+|#@I-1#kYe5!zU<)tPf2LD*&tR}$ zhfCgFGCWKqMy&5R`FSZ(e5!k4%~eHjo8krmF#+mS-2U*3IP2v)dvg0wWUGci*D*4{ zwqP?YRo)g$J<{zc;b6GHrtlWxOw0;*wZbUXzvV{zmwRER=KCj|bcd1eu0O5|eAoI@ zY4y(C(P;=11(2Apz@l!UD2&tcG09i>lP#7NTz~|<6Nq|jysq_wW_67aQMx&%NF}_nH&RA85TcJ4`E6M38Q~E5%2PAg-npF zzI;R#W7w2QxpmG=vEC6zMG>dLxbTKUoFdG*WonKyb&P@x-<|k~bk&x?OxMoj4DdQP zf3)DNyt?Q4CVt?th_fF-V6dlJkK{<-r277)_zr=m@I)x$xLG^Nk)hok7YkE{-)VE` zcO?-Y(fjN)Cs05}7>qETxXShD2{PnSOdAtc&AlpU&HNEucHP;3IGxf>x*C+Gh7c6v z1AqApF*$Uc-S+$)%M=hukgq_k{WNO3+I}4p1Z#dwl^yrJpVEv?SD)h}$+-LcT{^e7 zcYBt9-%nwsS_SyRt$FNpYxYRSJfXon&rJtzeR)+xJbi~cRk|lq-y)bpw*p=Q)xFdk;+}qrb zcp@>j?nL=l-p%Js9xPYA^Ei_tlTySiP+~|w!MQU>%Wt>%>ahqAzpuqpv!WspBc5tq zezys*$;Sjh#QO^x4TM4m0X8aQ8Lr&9>SFqdobi~_Rpv-!8!Sr(YNpUzLLxBiNASjtZX$B=ZAOg{%oJ>lAe^j?D9Na3C#QTWOS146Fj{G+EnOY zIUy@df2SvdAYc{h2L+4nboR;C4Koawu+Sa;M=w8L=hzIQTt}Fe6R05#jDO&H4M5`4 zSfEu|OVZ&3&_#G;{X5gJca^JL;*xG z+sdqj{zeB`Yr$`N^Vmg9em_U1aV(IkBPDbaZ{L?pI8d$p^rF4LYIioq&|PVBUKs&* z#`y_n*KJUkyRa&J7@gMW+3#?O3`opx<~e1(`ks`*|~9HyDgw z?^3|g@n2FQq>=W)x(1}Z>I_H%e=a%P*)b%T1qFjqEQ4yP6Wu1z)e8RP=)%VFuy`<8 zWv#nE(Vo#)BWVH>Tg7E>OR=D35+gn#k8b0v2}Y5J|HSLAZT2%@(sTrdMdMq7i2|f% zp_GDZDns|a-_#!usLKvH5=x8H*)-G^D_r7Wgw}Xstr^zX8AqDO1fggV82hA(zy_jtfr;>&+09%GD?`ii+8 zZ0WozNYa23Nl1m+5W*1=nGmUg;@hrQ<_5D16Yk8gm{jAisK@QG)@nP>phz+YDt(^y zT2P@ed>a1kX<=OS+_WWt4aE?6sL{!o4vn9AJ-ktH85|=ycPJ5eES5ch$I&fmE1`qZ z+VGySrPC!8ZaJ@Bq6_&@>Uv;Xr;i!w*KPj|&Z!C;Z z`k&9oPv~9CaxHkE8A`gSgJbKX%iwf>T=lCkD~VRqwCMWFbd7yg(mFI;NRm3Bep@P# zr+HkI>Ef50T2H%wctsE61yx60lZ^24rjVwt)dr-y?uIO%{klBwIQXAeIx3ik@T;{` zpJ`h5Z@L019**rZ^+fn-;wqFhy2@%wrIx@G^ch8Nr1`n6p`jx$z;0kCbAPRJP}cKG zIr(}yKlaDZ9ms%G=aHY0ipUrQZW@*~L!yA%i=3EymANB3P(74wJ#%IX3m21V5(xV* z-JSWv-4y;l{n}57Q$J3iX}C$eAD@2G`cb&b4ehx*Tqn<|S|ayixYSJdu+&vqqv&n7 zJiLAlD^}TE=+CbvM35{Tl6!TakisXc=g`w`K>4x4VnM1;pNF4LIp+7Ne)ajl+qb7q zzkin7hLAnMOh41*yg0CdsB!m6uGwFlLs!nS>>E0$;p5+9NhLhI4X-r|R8$G1PQ7@a zAo~L%13UW8!ImW$J<(QRNx`J&F9OmG-8n!ETi9wf;~{o^1D5!jI0yn_)+3U^tBb^r z-D{^=F44cXmH3IrSC%?ENnja+Rb>#Md%n(Mtq1wPW(l)kWFNaSp8l#L+!0^kXPfoe1mw7LUzA}7GB94ThR)9)4Ecq`vM@KDlJaux2c4yxUe$?lGzlqwcR^9mL-IjmdXe2~@0vXV%8ryLu3^~ZIazaYsl98Mx z^5sPt5{l|=amt3|KZ^Gh)3*$^PS5@Ws(R^&XW-n&D7y65>vE1LH2o|lgc1lZ?PjnsDJl-cLF_78%urP?t8Tt$>=yF7T z=Ms&eK26(|OPBWvm*;@JS$yz<@@dgc9JMi#S5YS?2v}4utL(Ve1** zC!w~=02qwhs&^%-S!Ue5aGz8uoa{NH1c&UVv=j!2xL^I}(7yjQd;+Glnc&cNA*~P+ zBSY!1M%^8^)+@dyI{Bn3-WJ3iMC-cXJN`7;dg&!8F2T-MHb&KDbu$}Io(iZc2kw%| zSO-~1K-m^2s5PdElidvCODuGq$PWUxEJ`b5{yDcX!C}FnVcucg!qVOW3z$t};M{r% zM%#^C8Y#?V(eO3`tKaxDRGd_CWo~O4R+BjGnP8yO`e;>?samgLSG%ZmuE~W2_pdxq zMt4(6!Z;I-{`aBI#oP)I-Ns_Q29NabdtA5IZh;Egc6DStmp_lMcvPjrR?{JS z4cuJq%dx@jEoKbW+m#<@UeoH=zSxn+>wPepWgo21zpEA5ZM+cWmi0MwhRlnCuT*=h zLFi25ns%^(bB^=+9Fe-*9Dn^x%1cnnYU-^6t9ql)AEX_Zey+AHz8LCzn%_gCM+-Mz{o?(R>Joj_LgzJhHY zFr?TUBu~chbOAN<(M;9PWOE6eHiaqkbcn`%Qj-sk$ik1nH-Xn*3x!zFoSBb^$t017 zA}!SXqkl`ltt7fFpNyg#*TY&S$|1l`DuELLnQC<$=De zp#Dd1yOWKbWM@=F8R(=Kbhl4x?@QHsDjp8)yvP;zD_m{=N}!Dl9thYXms*ZE9j&aI zIu#7MeqFMo){*DvD=!qM)f7uQBU)%?>4P=%sy_gagJ{Qe7HZkrWH5mtsz>I_d_Gk6 zV%RwqD^+U-3Nd*XO8!F4r1P%2+y_|G-R#6FJ$h}%{pnH!Ea%)6U;vZ_rRnspMMM0Wx>^5x zN>|6#aaC9|R?StHj7Exn7%{YRPAzBWI~KibHA~zSl`sG>tS>S%;EL!w9#LyCb<&LyLFmcOH!W|hV- z9sWQY?DE{y(R-9}hMNu+@j|WhJw5gr&41e0`)iL|1aq zMI#6~G}J@qRsL+nC#>n#*`R{XuKHV z=v5}k)o^6=@4>49A_ksUos2VR#T?9W<3n2jMtOtumPM^tVb#~e1hxe~C=PWe@N~T= z`hvQH76zi#Z&D-Y?DDl}sF?fs=nI9%CdAYfFqK7d@z$)1wX6bBj&q9Q{4HqWpp+Or zUQhnkewPpd5wDXw)N4vOz!N-j^B(&R3*OTi;k8%<)VQ_dghQ>HF56jF;5>A{jW$%I{C) zPtz}fc((DvQ26JGyt(nwVqZL^vEI`%mjOF`$3xV+~BpSFD=hWQ^-3AiXM>@rY z<(Q|)#ywMAm=4b1wPh(xO0xMc z$95o1ryQ3Mr~9PuE{cBMGLPS^c>y^vxB&1)&)*OKFcjPWa@Wf0ORH2FI+PWcN@xrR z3-vrw9t5aK{`$~Q1Oxk^H}#h`2Z2@ygghb`}}qS zloA7#=iCrri!$)6@?tcJU~`un-ng0?E76^#$!*yr8L^)FDej)?rgow`i>V4u4fyR7 zYpg{_u(!LxScPhTtnZ@9!6+m> zY^%6^5^pbAReF%QB2lTtw_7d5Np#J7VP}S0zUKQHUx>h>@%!cM5qie{Ye1+sc;M7# zgHyZMXphrIZekT|#6{!p($t(_9Ov&HTp~aOZOSp1`a4ElFM`W?-oPpus8yQ9sc!cf zP*IKDf}dCM0i1*VoPB4Zt(8E+8c_U3O^=UiDm?ZjrY8LNlud(E)_uN&)$vB`ikG>C zv5D?-CpW{0XOQ8L`UMyp4L5kWjJJWIu-Ya>j^QJ<$b9aL(vGaM$u}GY#c!dba?3A6 zWW6$noVTkI1}=%LxwSqTiZ|>hc^XdkCZ9q+!7>6Fh1Pwg63{Q*`GpMIpKT~9p>WNh znRIAYlj)BqFb!>FioDQ=U@(;y3xqTi?NeLy;}O-SwRwKuNroQc;R~B}f*SGf0~8~T zZteV3s%+rvWW{`i@Hb?eiiywLqbEo7F>3_+@9{cNSaRhutgH;@HbTLv0G21MGsNUJAH;WY*!={yFAIZgb%DeBHQJbjW2)g6uO zm?xZq9esCgx(k9w5{r+{4Lafth;@G&n05QYut9v`Pcz?@O{cX?DHJF zAO3XWlEHr7vkRnCeR0RKBA9E%T+O%^l?<{X7h3DZ=Y zQfCKJyf$envGU;zndeI;-BAp;S1f^UQG~b@7?Ordbotu{rpioW#gaQsaUIYvTMA7w z;3ZsSYrGX({Rl(^tfCgm8mNrz>Z;w$1d6DMvVw#eV{uJUi|M4|N$Z(BFS_4)0rt2n z??m-S5~Qqy|DMbck?H~J&uhcMMd?jooRswIWHwZ@<~C-`QArUspEcAQK6xD>|E;Fy zjXGkM=MCOdy-4dQ&xF#8!inzMx626K2Fgk?xMvLy=Jb*HlYpGb{5;{?6mvShcajd0 z6+ps9I~YQfXh>X7|0}5pz{(XG*O?)_f^aH zGR!spKB064c%|*Cp7A`nMm$i{R?Z^m-QjPSm%&P{2=t&f!<=VOwMp6t&lNo71?x*L z#V!lo5HiUq$N&O@ANspy4#?QYsa-z|rm>d-&v;0U)h$BUm$ZTE?)|)J*K);Cx89RF z(i0cbQBmp4oiS_f)H9YD()^uj+5y zz_GLbKSSCGzT0*A{jXw>{8l>qW}_sDHS?OaYnE{y2BaHu{FcL3TaQJA;?mZuA)TKO zY4&Q-T?HS)JjpvFASs}>0kg2)KyD}DDZ88ybDM_leg_4l)8iLZ#<8n zUVr~PI2>DCiJv#^rHhRUF{hGpYoOPK)0pdOw9Dkqi1L@#`>N9j=3;gt-dD34oy_Q> z^ns{-M@GhxxINdWXpTRf&vKG`B;kmX^p9*iF@u0c_txD}l%*phC3clXBFQ>)VwCri zva*JG?NK#+rquUCe^Tzm(9~Z=XZlq6X(ICYzlT@!&h~*4d%24)yze}^dg$w+QW>=` zZdsvLEm{ifevHf^SGIP3Ry=I)teF@B-iD0v;T#&e>;axw@?@(g zKcchws)SGC3ldhJr~k9zj3S_vaasxGXWg{dodukub|7>8zAWUtO>ehi#G%~viyK~<{a6$Qbs z$nCA1lwFTjh7e?i1Yhz-;%v)o^Ow|IVXcMxviyHX@DaUsv;dHB1T`wNlc-Z2ub>Y) zNT#6c=Q?RjshDYja8SAxT|Y9AKoCWr6tY1$?o&N)rW2Z(b|jXE4=(hKj0ybvk}8S7 zAh1D@_c~6Y{ zvESe1Zo)ZxLc~v_R-%4df}`I{(&L26!raXAPwhcndM_J8hA6*D?hF{?WNnL?F!0`G z28O9_VqxG-W1`4haD8r}ZZ5rUlzBgm$uLDPO)94xhj+S5slzsD=mF^?y3FnMh}cTV z^Vgv$GwPdYW89-r1-29|-Ke3_3Z&kn^6V)2IjDRYJ`ya;i0BgxxzBd?0Og8g+Gce8 znAkVnScK1ERR#mYW<+2$;-J;(=YTtiN^S$-{)`?K*MbgpY$}{j%6j@|qg-Tv*I-qi z^=R8fjpDw!(4Oi!FPX32ka|UE*5Czqi+jiZ!L^TW!6I$7d74{Cx}Pwmwpam@T~dO1 z-Jjm+8Al$`Ta}>7gjbbQU=1L<$jceuaN;UU) z=U0C=>&$IOK2$q{zKbNNRM$8qhHX*2EB^ZE*Kw-&LU9r-EBQ)=Q5X74cRXR>bp(Un zN#2w;{qOZDYBe|v1Cx*+IJpa0K*6Wcp#J|m3Z?Xagk%dt)=sMk%Ngjq~@bVKpX=3Q(g zg;y8vob|-dM1@DS!^J^k!i4#XkK$9*+%NUheenrbu65nn(&Ju?ynJQIsVef9PT}E1P29w?%fy^&n=io^Y^R=Ei0L_pqnQ zAhugDUG?INH=;9I^r1ABLyq(>rIOm^vSgaazdn=64eAKU|G9!I4VP-Z9M07*Y}Os< zq3ZfVVZ4@iXAuNb;DL>%=1FU!=^?0aq7C*hK$_b(@G1lX_kxGf+%rE6Zlwt;cw@sC z?ynsAAuT$81xj97kI04ii?o70`3iCwO!Ky}`m{hRB-=zieOW)2fYejEk~*0E-D zHTFF;>&+~0`jcWq*qTtgwhg*|hei-!o-&BUz#;yY5s#}o&FC%tmZDev3Q#LEm7w}S z*7|#E*`5jm4?Vxj9s(->Hu8 z5<0Ai#6cc{j^M6RRqJl5*F~>k8(JiVMdP{Hk3$;FUDfHFXA-e{{xE)!8Dy6|0#J5g z*-Z-_2#4-V#nFOQ@Y<^t``R6yZVqQRhz6WsPcRB7qJgywCDA}j8*(=|7{%~trBQ)s zhdV^SliH)Wz@VYF8ovRpQUqDU?QMaCB34E@UnxWggf?l>&f)MoDMvC}|6V}a|K|cC z@_gUe-a$O?*I(vNJ#Wi{3Cqa;ctq0}V9p?2LUcm6N;6iY<86?4E_mg1a#5LZq%8E>KoEnc+ zfrZo|w~3xRO>NQSwQmu7)sA|RsQIX&-iWjIs&SV3H4hPLLixGP)Z=N!?ttASxM`}w zxUD{!*z&ff3KXa)C`5f`%pS#qi|H$YSK_3hmp<4tc}9C5z5*1qcCcN)nlASr)njt> zVtKd1D46!)F*NPbKlMAPfEHgPlxxzxt_4@t_1czZX&PVB5-fO8yKg=j1`<1ZzuMQ= zaVtHZ-+hDkU!mPqBn$)}Bo={!c=%WBq57sYSr&_=%0J2q7V(5%Izbn4KK|Y3;+Zsp zw}KLy*Ii8CVPN3N;tbXtQ;ye%I}_QM#^X2jFWFsk1vJQ_?O4yFz=c({??|RVj=9`} zF|LBjGpp;s`{bafP}tZyg+Sj~pMu-QO&7qwR+~>PF2fXt&k9$KvrWVWlF&W&-NPs; zy+@Z0BOkHO1fTevdZ{2twgr1kA=|Ih<>fjR4qnmxij^-zK;B2T{a2#*SO3-$(yO^O zi!DI82R8AfiEYaN%#CkJWdLx|1Amyjw%PT;OY6M~Tyez{KkX8>7b<@i4kK_)x|pS^ z*d|IJ997NjQQ-$#C)7b#+_@opPGw%nC=tK2Xp#Fo1O4mUlZBk* z6L|az1@9W-z&|l9;fnGhobo0Pmstn5Sbum4=oQb_D5Wf%@rEqtAyhA`6yjXqkVy}i_-&}w%e5GVY%5adwOT)1{^RXx zjSIHs4{kU9Zlqx%K=yN8OlCB98)wFDQL$;51hc)?XfK59xo~TONtj?qFTtG}U`QK0 z?)9pDSRNw3d;wIV!C-PSb9sxb1I9Jho(^9^u#ondIYv;;EK~sF!LL%WeINsF1LLxl za1KH=4*RZBP8>dy(oVh-2s+{!;);J=72_&%-Fx{9;QO$BKrX%N#fmHQ$IX+(e;W6p z*{3LU;Z^7)NX7I^_aP|uMV#S= zumFRhf$6DL2Q3LArf5+1_v$Sga1-c$y29try#hG=18Js5e8U7qQ2AlnAegsKrvg{* zZyz7bN-OJ$9irV^cuk%lae?k2o>Mxs5D(4)zLkeWuJ82=>Ohdhc5~a6hIOW1`pl^y zSo{Z-)-jV%Fyw4j^POZDvz04G5hTB8+7+74gV*vxr?$y@>d-ZaxVOXuVvG9kSd|#? zcWeCPj)NlF@8>Bxb74yB*J`YV^qr$4I!F7z+y+n2E-R2Jcr*f@%GA&B5cc;D=U|S# z_m%-Sn=s+*0P?uWMS=#9O^`en4^%hd4hSh24}6(_dHlOJ&drnPAB{DA$>PPPw~>-XV}SRq$f{|kSYC_l;`DO8Y7-c)MTMrYVS z;}1*G_B!bqN8gfC_5Nz1QnW7$8*^H{;LYj3lQgh&{mXmAQj5yw&+=pW=QYVfOru;R zffRf;DsFM591R!CzdvIYxr&4b;T|ZYos%vOjbfBLm_-Nouzo=BMi-*o1C5Bp4^;uagY_qkH@$TyyKO=YU;FoNTc}7 zvXAw7s~takfVy8R<#|hg(Rs!xD49K^G6e*MyO!u-=&R5y>eUU<5EGtr^Tx}6a(n_k zs9THEt^d5pAnqbQ)%xX**sHs_OIpL|o;Fe@$Xw$~viXmiW$gVb1I^6!TV80L45_f| zPhyHcC{Tc6*tFqA@f!#a2p{(?`ZP`fSamSyuBYl?B(+PO_h>eJDKV6)To>~=wpz|( zw$_#c`|nMq{8bHT(fd;CHM@BkOFu?6I;~Fbc!EJ&HP(`V$pahX-~Nwo-sXqxGliDgu&rZLN*$u|+_yhEmjty9Sl~a;ATd}5AlyPVan?bq}%Xl3(&e>jCrjkvdf$Enrext8Qd>bWA{#%ENxbYM*=K-TA)cfl?l zU$S*s!gg$pSx|R-)3>&j`p#8VTJQ8`K>FvTeN_#IOz^4vX=ZDTu=UR-EqLH+=pSVP zLIN-}uk+8T5`FwjY4VOK+v~&O^D8w!&(6WQ-n!HyO^40MJs}wrKTM7*4BPl*qNiZp z)CwM8Y<(<{0(59%37U-x$w~Fm${4HQKXr`oNpXp|YPY7!SRB7FS>XfT)D4xm+XO?y zsavjjqY>8vE7&KElm`#;*^O#Ts&DO!jclP_!{tHq?|6fy={3AYYxe$_SAV5;XoK0Q zFFX}}{L6MP-3@VfI5gVh=PB`%(jo`fBS8qs2jK*njDDjq4D52u8#!dx++B`I~CasWq5B+ zlq7!ytXh|3W6C=LP67i4mSBt9F#8LHQqeAW{uU>y5`D#d)Sz z!(}O1bE{f9oZ29b+oYp_aKXNacLu}P!fJqBgM=jfwY9mLXKMtA3vCs-xjKH@w<)TN zBH}F{u9p3~-sZE8;8)`Z(MD*w;bL|-a0B19p&eW=SaSeKv|#jb>hFC|fGX*llzlrd zCTuRQ;zVQnHMwUEGf9v0g9)|oS|w2rf^f0;`<6|C)-nu?M$8U7q$y}fbb~^ z$m;Nyf8DYy^eoj>>{QpciV?~iW#7LBbT!ui0~tz=rmLgh$=aquX|kc>7CS66QsW!1 zc7Vj^@wqCRv2}Z&-fx{5$!?Ymma`;IA&&^v!P$AC|0DT`GFK14>g!>p04Zt=dX3x3 z6KL}kvt-G!%KK0KU!{Kgp%2lrhMlKLG(Jyz5*MENEHQRk;bn@2m%Z$yegux66$4%n zl+7YhSU<9a&GRpbXy@`U5$C3Hi_XKkmVkj@Y$g#bH14`qD2@_kw36gWsDpGEB@0Ny z;GSK7tmn4Jxfk4b`u92slcpWX-q{YdoQ<|Zw8ow>%fY4=pO}e@ON_9FD{mkAs);T4 z_%6GcVv`$rCJ#7rG)QM!w@+*+tf^TwStNP}WbScl)Y^>1{e)VQD~}V8B7J+N8|h|G zAz;C@NqQp8R94w8F=D@z*a0Qo{_L1exR5JR<-t(6_F9&6S9BvQYFZqNOD<}w(!(kRrt zQ`y*6?qZiU)dLtp7MQgD0^E2k?O>#52%lvTh`gI`VDE8|w za-BhDX*ez4R!DCJ{-x;^i8$}RNA&WxF#lJ1SH$M9arOM?WBhKVomXpidjfv{P4t*0 zX$}2hkLA9b()^DW8v5Y(u567P89viZvH&(Y?a76U4H{xH`qNo^1Zvz{qghHAyOrZm;_D$#FI^5r3J`J-Yy)}6$YU8&LR!Of9 zQe75Qq1qy)CgfPv#-HR$E8>Dh5ho1n?VzEl{Z_oc3 z!sOihX~e;jq7d@Wk10dt0V$Xny!cMUTb%g*w%LRCu$WgP8RB<_i{Jg?Id2OE>`Ujl zrzv7Mx1Ys7Tl^!39RC4j;AlXo9fHlPYX{76z3<^mmpvlT3zLYrBMy{i@A#ny2Zt-2 z=1d)hAzvi!)l8j%RU60L#+*UBfTOT2K2u+GoE__6*o-58@vRbO<+pe{QO__V34QZ4T{x|?@D6-zKqbi zA!EtkV8m)z%Ac7t)odHU*asMZ-_Xay!@;sNmEAYskhoW>tv>O2()B5&puC&;(2glk3^a`%~IuFAle0!>$P3DyCOB4!_o zS#2z`o2nSF%=!4r`Al2i2BpvUB3kBE13XNS+_KY+u_E8B(U{qIF~lxuoaFr9VKm>Z5O8x zTK5XxEoZpnR^>E=>^mSau>#2e4it1j=52PK51279a?Zu26AmkQAYJ<9AHtpXx|k54 zk9-oTYzO)DV7RmCl$Tgl*Hw}3-rmgfTXYXunC=qkdN>1$B*xVQ&n-mI^U}j<@b2DBTKoEDLHMu! zyjuv|3ZiUI?NDTY3%!Kz{;34#`Mp-&0%jg)t=dzYo&WyJ|9FXLrBeWwJ`IFE&DC}t zActiw_;~&)6>E9vx#rgrMPc^?AAR{W|FAT}u)6=--O`)--=?R(uDid!qrdcJ|M8Xo zn?Fp!@Y1RHxN-+uu=f{Euim}CZ%SzG=ifK?e<(r!KmG3c+q=s>+>XZ?w)Gx~K&fJQ{sYybkU+3B`hI&KZ|ozlMKkn+pl;5#YNu_<;GSLT#qP z%zim-&EDeT)6LNJ&gfp-%Z@C@rje5ZF1>$`F-nFmL(~Pld?C~7Q8E^4^?XV z$t>^RZ_^v%o7s4F1kcvrl%7Ls1FtVHBzBP=5^OzguN7+Rr(leD@lLroF&uK8Bpwzgj1pTPKM=QJ)ZIcPi`Vr`71TW+_3}u15(Kkr&iA0u- zhWRb-$~}x6(ycXkb?ecVnlOg^m^}6h%MoJzDF=-Oy(D!M(DSeM@06+RJy6^BI(K+* zUOA!pXV}<=%lR}u+PHb|j`5$iQ13DlJs=&TVj>rU{Mo%kyOqH^kSmBTu+XdJgBEVR zdQ?%ZT0Bk?TA{Ujl`U~8>k2qa+LJXKdHLv!g4_ESV0^X+lq1**fe$CaVi_I0^hFxP z>#{0|ATxv!>T@q*0zbZ_7CQ~IrcO{T$}`sI(p+3^=e=cmcRAi>zuK=$FeF?c?%vaY z=M7^t1tySh5?i(Y9OLhQIK+7VSwKVLA@zq~8z-}}|1^o5r_-0zOO&q3#Fp`Q&?`o2 z#?-2PdGLvh*0N~|f>bC_g^85(8y*8s6$0G#5MT^+DNDAn-!Eb4>yJl~b>XgDY*0Vq zMFw=)dmnm47329IOx%4iicYn~uoe*qgOoNQmA7%1AltV@9UyMhHw`OK`Z7O$L*pI zAwbD}YUix5+bJD8Oy)&@|73~gnweFN`Lz0x2@*&}l3ofZL_X+zb_>xE1FNl6cyWU> zn1=KB1Ck}0G)GQ3qWI=9|s?sx+TB; zj@$UMjcQzbyfutJ^u5BbQoCyU{z*=Gf9J@%B}sDhC*N%_n8&zJS0|&-s^%H#?iqwK zc(bYg%jrt$Rd!d{8U(`JTVoDcB3(^#xG0t$##F2?OK+rn_#y7gVk*;J(knSQh)sgF zwhDE>`_6=G)-Qflz`J|(4d6Gw#m>7)leKgop!ym#tchRDM1X*m+5UO9$R5$+XXoT* zo#(%LyB3i`Nh;1YTOMJgPJh0$CieXNG^+|TRzRdLXeAuwM=Kx0{(wO2;J!A6_IOu{>5HJ})l#0u4VgCz?{}2a zcQ{}x-~`BskJ0$%nE295sT!o$eR(}Kvqn#NVTyrGbCWuf&#cqQbW!pFjJI*w{!hGR(F36J>eCqoDFy84Z06lHiEC{T%=Cng3qm)H_q-#Bj1E}hW5Qoyf(Su& zkn*s32io*F$UW2BiyN0YO~h4qmtvI~SZ5Z~0y*E(FOsjeaBJBFJ~;?{4=hv$=V&(0 z>x3VdD~c_^N>V-nrr|wAXl<-C2q8eA?Qx$57Co-^lY>NGQ9@siRhpWP-Ew*rR2Htw zM%WV=d;nG@_3L2UJz))>Rhx7`jYV5{%Z-R;Ienl{+}k6MHK61)ft5y4p=neW1=L=*^AHMBtkldrhkK9~}m(3`|OGXS;(=s=P2A$iJcbtCcR+ z61dvtW$ z3%mooT2cKVGFl*AA3#}QHBceC$1BgBBXRD`_&(8vRjww;6zWuEBz0LQt|q8<%h809Td#`nfO;5rE}egi(> z^rL){3$s1$d^%_**x#+Ypqb5}k66yDWFBTy&!g9=v|>qeJJJT^s@LdMI@8o&Da`yI z258emKz@wuY(sz#x-18g9#VQP$V~LZnao-777_o~4bW~Bz7Gq`&XvDS04~^=B>{+9 zM%tQ*Lb?g!DcMa5jP7BbZcHZ5p1bRJcPKN{RVdx5aRQ}6d`GY^x%1KJQ*YgQdCXuy&Mf6Q9?+I~645wPRZ%i+u|^!JnR zIS<|Ma-*$P4vBB^jii%;Mf1#MMv&2N_2^#WVy(1`A=P3HF_nCoTrl?Ac6-OQJJvWK z(_EmuJiR-Nzuk81Qh^E({8C9=n6O>geXud4s_=ck@MJs4MlErkZ)bw9E!kh}PiP-m z60c=mjz*@7Ohe>(VouBT<(6fsy#q4%PLD=3;0H<5jDTtDR z-Mo$Y<|lI2oy}%Ax()2YO_7I?Kcm4iYrWsoha&dSQ0p|%t0eJoLQbM(%DC08(0%Hs zop{KJLRSa)vIQHrXF&w_H#G5A9lGF40t2S^j&rI7%aK$&@HN+U7Ab_P5zEzGnUk9m5NtpqpdmDjzXNku#_ zV+tJA+YxN|(l@q|pQ<{IL4ZN(sV&1q2&w>8eLp0*FRr~KNdE6G2mh9uWn7B|kDbo9 zyE`rg_cPl?|JA1ZdU+1}Ra*)bsQXn1ZwSDGa_Y=T?f@jVK^A3@dFJ#YT|^f>EV)i>)BR>50l-bZK~;WL3cF1AvZ!zd^shL zPv2A7$;%*4wibw6dhzIf3!+bcxBqTuTPtJRzC5=J)B$9A%Nnl_q?&zeX5ItYcYBLa zDHNbiu93lFx;{Mc(siN%4j^1?rXThZXIp2W!G?iRzXY9F*A0B`1Czm2DJ&=u>N~+l z(jY$56_!lqeTlMtXjNR^2gpnnPb)LYz2A5;t>_%fSOS?5cajwuL(*SzLPjkZNCr2J z;w0y=bwC+HfV&+7n7eIt9=`egpqjU@^B=9*o2>`GE6lR6xv9T9efsuSY0ZCM71%HPuJ$lWcZt`LNI6exeSHa8s~R5 z@$)mg!EBU~fwS|pjiB*+>Mu1;7u(9_JrS||55?WxX1>GViU~q7Jl*O6wW5((9xInf zsN_}r=tuLHHfMudCU%%Sfu0S{NN_ZQq>(-km3APUO?U*LxA+d8$Vrbs7j#qh&15Un zc*X7jX@!%}(FWWwuIz`O9=`DJ8#a6fKuRDDbln)sXNTj4I5UC~Jqv!pIS}C6HJ&UR zN+@paUTDXef!#7dKkB{kf_zuw`7IVpgH#PQ3w2gb(RCkMhq7H6fgT2dsyZN??v=T< z4j2rJQdxo<_IN*SEC6D?=U7taPknrf#W7RxMBf+tkxvril485(i(!XJ4N;KA%X&2H zXs8@>7i^i|rd%&+#0vL4(id8g+VJB1V)aRUBPabOFkpy@;kDitI(#1c`(V##qO0aJ zKtO{8WU3g&iFFqu@i(Q*3?HxFnA0)Z|Cvw$<8Oo|#Z<`d(+!U2l};(4iv$!E=umdV zF3{qjf(Jo$MF=uoDq-VdlEMq^%)LU)#~?x8JUUYe$G!VB2E5@SA&5;oNvAWO2&3=E zKrp_CZ?M}zr|`6>!#Z#oOSvn*OOK^z!;NQyG-Llp<1dj;xt^SO8F*^-5+BRmg9>6HatiH6BF7Z+Oi3I+5lE2r1vl#T&5GT)IRRPrNw zjpaI@Jt9jzm?KYDWLLaWNAqVYdJ6=VGQ+i6oSe9x)08o5DNlGId%g!Bv)^G&l;unX z(H&|ce)?-cWzCZk3#m8S(^rHq`9A91&nj|t{5Iv6u{YTO_yA`6RPC!`*qbSF#}1-H zBRsG}|2bmS#y?*e_Y*CC$i@cN;-{^4$W*?iKAUQmQD*TN=0$X25)6wR+7ha^8R16Y zHy&=@MsH_FlV_39!-b@D3aTju80-5>bP+R(S*GJ_gzEi z{)BaG>O{W?TY`|yk@zYSYH=DWzRV0=Eq(7a+K=8XJ5RL2qVxMMg7-qnBxHK^gnMut zx1GL`j$A+KZ?qqM3mvyR&T$>u|6{EzUtD#O#D*v&xi%=bni>kExLTlCoPQ|(7CAIr zCMyp`F*L?X7AInZ-C@m_NsHLLxas5?sRBLtThYUFCIq?xM0kiTQ9ysY>#HTrOStE2 z!J$8}Tlq|Pq=4c)LUpzA`%`Vv%XU68=mJo--0OZ~ z@MTlrrgstTG3e7-DsM6gT6e{MnEAXjrfYL2ob#b0V99&~lA3x2(UQ8QkY{ZG6tJAx zeE*S<=}U*xC>*C2YwC$kOu8CcEbVvclqL7<3%ao9dLI+ZsIycw06Lq&0UOk(PN*LGj2q$lrofw?<1|ChBW|7agn4;aYVq|hE``LW zClafSPvNGz#R&~x-W)y!+v{O&XA*fA(O@p1@iw6RApG%aos zEFi|am?a?j(f(3Kzb;}MFA(z6;G*SiD13)c@azo)ME<3H-kdV1M&qW?seKv;-lBWY zn1*(KaE}L9Pn=}T*Gz-FdfKv7sPOZ9ewCk$w)U)ron^v&%2*AjpOj^uE{YU1aVbMXjbHnzedwjFOX#zO4@g>=_~yZF!feXl5Ic z=$mJ5f7&FWO{}o=rV*J+M3q5oRYE}~T7mp{`rW<)EVRm!1$Jx|a9i4=R9p9Kn(+8p zqm}=)g^2qJGS0_(C+twAu3uJ%QMr4YI}1n&KwB(g{*`U?tThATL6+d$7n<7z7nhK@ z+d+lnK+cGwt*cbDq!QASB4k?)u_AXH#0-Z_duI@3Fp_oua~CRx#>8 zVv5?B8mgS1DnQ!12_32eTtG*TyT>3;NpzqRTajT0|HsJ^0bGP|OjgJv%f?{VajR3S zrnt+Gju-C9!_&>~=<4nt_u_9MH;z`;S~rtIYNsuekJemr=*BhFJ52a~y&c@|i2xqI`2Bqu#US9OYl+Wb2K5fyW5lHHuK^{ zjGFd8B0>S+B!I%EPQ}`Gj3N|oXfNfKn8AElkZ#A%>Yx4Mx(ry>VU>dpRx>dWPSu`MZ5X z(hM0Fz$pk$uCmL_FyqBcEs#giP7+`9g@mM9l?Kzei!Sx5-Ad&Le zn|BR0D>Y`FhbnU|Vrq|N<_y^7m#gO`h_+%7JLRYHwpx8UVm)oc0P2-?esT~4W(qs@ zqb*W6;Af!<^v0Sp?s>&i2=(&E*$=d|6#1Q2TP2bedw5>z^^$z$$tJ+R9KC1JG@|6q zd}ehYwgln?BKT_ErCN(_tKHtG`K*Psq2ZfNU_ph$VTJz z(pp|`F0wOuxmIhYI>MMLYQ!lXDMoU2ICoa9G9wCJ!cEsaC`3z-T=wC(fKCXf2yJ&sdrj2#aQ+juJ7i z?O`U#Ot(Zch_M`aBWUF$WL#vk&8&)dKmWL<#OQ^pX2V{441I zbOh@toQAV{lscC@E_|CQXYlh=f{|LQ-svC(MdqB-5}sG281!dhog|5j54TQ_gK7p| z5;`ZX$(nd*0U=W<-Og~@=C3f@gtmO%^3&%g_FiCsBn}9jBNiAqs^9HX2*xcOAwY=2 zy%|?nC_{FlEsU4jrzHCAiBEBV*&lnyTbD`v z@<4UluN@5Ho#FUPz7IwG5(Jv%Q-w)?F4*%6&#(t1NP9Y7o*mZfa)7FGD-(H*hFzJp z;ViMvEQ>ntnU;d=A{bwvaBHnP#wj#%9dPjekg=my7T~Ejy<5SMlqG_@&i^qtCFEC> zP)`nSttjxDk9cce`sSe;PZg1cM^%?(@F(f>&xMSHLrQO+#s8{KLq)khm-r1J%&6HL zJ_&b0*v3oc#s{H14G2k@P8CB;epQC+_62aWBk)w$pP^?1>wswdiV)M5`_CnM_mIDnG_qgV7WfhG zp(EwbO}n_`cO`hUXh*?&wQst4ncfRu=QL?+0Yjk6v_CBIqaL`pjpg>^dZWv#x=87P z@2eJn$U^08X@hiwvvRkUNI57H`A%62EU)5Q-3!5R@Zg z(7NCdvnflxu0T++^r(vJ>kcEWc?Wr-I?f3NXPb?RI)sSo9M|U`#Bv!X9h$2ae|mc2 zZ=-07KfIgzQKW&Uo5J@o3FW5~z!GQOoAC5Lwm~*r?8zg858B{7T@qva9_Q2ZPom}7 zREM0F^Yuq8^)?(!tLzv?MLNwzGuxwdNOtgEQB#uHfBD`h&Z=-}ztpY4#nl0;n$M)i zn-&PlFgedyY$YZr2ZBNlYR+AwDdO&{7ZsHm7hCroFSrprIf)$9vUUA;cF6?#R-Xld z_#Q$#qRbF!M1OLq%jH704PoVXkhYP|Zt@d9ZTWV2j;Uo{_DG|}i}0Kqy8;Sm4NIj&dHl zQdnJkIxnI@eO5?g68WiN#kj>pi;M&~V{It=|Gm%Oq6H&g&UaH_f~x`@FU(bERoBSb zoK6egYgNrQr+Ng@%5K=>GAPwL&3wPTnrUVfh6DdN%UWtSt)Wt3`>5Y3-SXVKO>_QI zlQ`f))O6gs_5^U_XOKg>tJSu%ay$U|T&mpTRwttTw5*ZzXsgF;kAcdl`xV_Rw<9Vh zV^Sgb$|5^@&YaS8IVzZkl*qt&C7Kl{$QMZWZ2PtDhodtiL6p~hZY{-@RPhU0$Ci6c zcTb^`;C@sGLPm&A(Yh2&d0yj-liegEvY<#sy@nND0PE^c*$0CVwpPyN3*cl6kO12E zq-Gx88z|aVJ?|0#pZ05v zOTM3}g3hI4?<~Dq06$x=Wm*5@d619pgH_$yOl;dqHx(G%doscDgA&fOy>Ochcf|qV z!ZQ35tQvt*W}85WvWMnFDa2D!>{GwY|$4vYBp+o~}pQ(KtG&+6Hv~D;%+!oQ+ z=vNk)e_Ld<7-XX6hVP~@_Z-jU!^~pP)0=0WA{pn)k;-*X_55}-$j5W1()JlIp{sJ* zGUAHuw3EqJ_uF6Ti7Co;EG`=T zRkdVVDXx)d&mAE*;*~1dibA?*$uRC5#H#jC-X)5GPb`%_&}mpgZr7-7wi{_| z*X@UdVd?3kF+;!^delI&l#&Y661lgLJ9tmmzZeM`VB(UdM7-~fOT8#^iD;)Y+|1Hh zVm##}eqWTKg*6$Htro|adHc+XG7}$Lp>-pGPFEuMg+XyTN2MhTtEjz5R@??KZWrws z4WVx-)s-1%f8A1=xeJ28Ev3HScb9@;Zuwcz<`=cMc0|!3(#?wfk;`XN#T_FyeEr|Y zEOh%mQ-R1!_GBL`#RD~(@m%-e2>!Ytxaa8uw%fE9~FuX(6Sgl%{Y&5CTPUn+UW*OOn_A>H6S_UI7`K+8-}eAOEsA zzZfkaMU#YYjlToQ^g&w|j0a)TJ1&s1ui8UwF7|&?FN~7r6QP+^e@5gHE7|&t5D||O zr*$|1ED#I#?WB;+B)eY-Wmb!1(zt}Hl=Sf*Jr~t*SZ`#9PpFK8JYGuUwUG&JHXe$f z=&CV(R6e-k7S2`_j{b_Bk5%(A=Q5Ym9x<6u&ae1!H3wMmhiKc>T7{8Ur316z8n>@=KV=V57qQ;N{gog@;%`)B8IHf_yi@ z_=B2jt=8)D=E|qn-t$IR%_121mIhQNZ47`3UTCx!f4Ga2N7y20u^9r)UAwc zHqr-k;bO<>TkFPB^!U@Q%`a@ND4*Jzwx{~5Y;*|c(+r(VSr$vP#JD77?7Xfw^24P+ zL?7XiHLKxcKl%<;sSm0gGF}#1w--Cdl+(k;Q6B;~bzs;8KSEftMDVa1*<9nw8M>~F zTL`+V4rZIn@hVsBt36}%eqsy;pNo^cr2ClIXzb(wv!#tg(_NdNc-jj2T<=h@K%L!te_wFuS>5| zQdF$aqXGTKp{T+>EZ_NZ4%wq={&D*(r{~0KB3auEFwlF*0{ylwB{|WOmX@2vh8C$Z zbW!ne#Nm?pWp!1E1!etW-QVlo8+2jpw;n|>*eFxMC&%*jjl-s^-04b9)|5AnX3)Zn z5ai%^zUj5#CgQ?uU%DcX!7oZH5i(K!*xM`V$Cuol3x<6_oC_Fcg7s~RI781XAhF@Z zL}AXC7C9tByA22ZsaF}iMx>ZrIt{PU^IE=g;q-0fVla^#uY=4ssVDmna?i|DA^Wi5=eHJ z>?&ze)K?8f!E>9KMBhFf=BH8!@nL!xFJw~$8Ih(`l8@$ccX8W6C1BzxcKG4-xTkov z-Bxx>U+>{+EMQ`}2Bc@vf{apokmXrV;cSM9O&&pf`16f}8+w8N=C>fp<-t-=o97MR zB10eszEvg&<$lrPr-?0oap+Gbglx~RQR?2Sx_1sPz(ZVYpcPo2jfYX_IQW;otN{Tm zuZvwa>=n;(P7LduNP%N$L zb_*yZLW64h#rAvo(sbdFH1M7zHPnHizmM+iQy4-Im{xM87uWdu^m1eIhMr}tk$c;d z4=GpRM;s_5L+x=Lh)^d+Ukw2ZSDokJUax>8egYFz_sip_a{6!!p%o``|IiFGOA*ZP zy>=gjq#J|14c{2F^WTjwgF-t@r;q*0D5Kij28S~M0)d*ym8gdtt`>nj)6*Z8Ra@MM zWA|SJ-d~J{*rrWTyd~{2PU!*)h0U)ZD8Y8L#oX^zp0y^4nK(B6ijSG|t!9a?i-J1W zwVwx4wRsz_{!GJ*9bf;ra#L3Jr}3L0WpW4i&hy9@t=<6Z^Q6YChuAA2EL}LE@?~l= z8vz5g1)M=sS8*tJ4w2ReW{W8q9jXs0huNjPECjF8yZ?C)z(MH9b+i!?d?XhUQ^Rcnwt!DnEgDbT*gtRsFFOgjmK#6 z*eO%X1>&I2iRR?A(p?&JFp##UrP~X|$=pngk{f zOB`VGu*9NN7m!5!)tx9_5Buh@unXcpWW}`F|A}0t##SWfe;|-QuJ#R(wImO=hUC@q z-zt_{PHNP#%{`1})z}*nvN@GpiA=&j|HD;pJmhG|BJoe=fo&-X7P)mi{DEC;@2}2> z3?**k91VQLeL)eUJ^Sr(4~%!58xJr19Z``mBTm-Po{nRRMv`EZz|l#OL17!|6wbw7 z@e5y=3wPOd`n_g2lMLhYs9m%*rwZ>retQfU9zSRAJ`tu^Ejd-3o0jsZZ|mWgehA!c@%Eq+ZRG zsl3LQ30I*Mk3%U5u?_(`GZu$MTs{S>>cGyp^dnAteSc20G>e*&n~_q?rCh7xWAq6S zlho;k&I1F=n;d5Qdc#KdG(h)Gbug80x=F#^oB6xdP+p#2%9595T|wKl@e#nHBk-*=q+l0^QtjAU$Cf3pf>2 zP*$->6i}FfvImGe0o#}K1P&S@91KP8W~#}L`z2~@!nL@*G_m(;$(1o&Mck|1AT3Nmf8v`7+_ z%!BuWfv?Y00rO76v7Z7yuN3rvAI-99jR`f@Su&U7s}IY!6rnXvGZBg49&iNFNE4hg%s`>{r14Z?_LUh1|a$ffT$=)D|L4QW{NvO zF1uSo@0xBr4vyHtze0;^&@I|Z|LW7_Fex?LMCb!w061p-xkK;uO2@j?GgV=b9-QJ0 z41@?XaDxD~Ya>Qrwi1kG?YneMv zcQ@fH9IvnimH78cJ_XJck|Qd=GqLU{M~~`~%4OA#2rZA3X$wNZAE3QYV_sSm`6gG% z=n~&%qf=>{)&hR~7hK6vMYTKPv12+ga#dY@`1j-7Y2#tToOud`_7|{2fUpTLDecs# z?9doz_)%^O@YSyIA`$bN4rYt$^-YB-<)J^`DKMM{W)e>mM7spRT|VvXP7|9%}u7NGJ8P$j~tF{lv0H zkdlylTQIH>=O6Q?k_(HjJD4K?INTdn@FbIjYu$c)!hf{w@7l$A*tImGOX~E_EDRRFiHi++JqbMNu>HFZhnuk7z3bFZ(mx2qx zF2kNK452xqD1L8BdzXHcxC9iM2SSL9Mo*cyC|U^*Xe+v4c9@L&y|8iefaKZocn85H z?M;b7E0aixVm70PlZ?&JMxDrG;q+!;zGgO@S>lXu4c~-AcX7J=<1kYr$lmiZdVl@( zMT!wCGquVk9#Fl08}<0-+eKN-b47n}5!YuN(Q6x3^|%CB$Lt40)It!w_QJeZG;ZbH zF`Kjm(YbfUYK$O+{^xoQqw3fKRz8%%pHe_KM9>Db*7dim-H&VM?_Cl(ThShRJbZ(} z-w!xz8TdOd4(6|pgg8d^ZQeRnO)vgQWI$KZxM^Bg41m({YT%a|=z(>JUsbx3XW3P9 z&hyVBa!$DsQXSD>{gnDgwy|j#FPJ6`6;8swSe*&_$>cfKC?s@P5+~O zF6;~J0;8{HA56p*3qvD%2iOSF$ zXm=IqhW7S5PKm6pbL@Um1ElF+-AM5o$h9JY~UA$QXKK;u4NuvP>ZlZ9=FY7m=S(gwFAZoxxO=WLTz7 z584)_genX5sy~tmX7~MI+`)2GIBr-xFi~QQ>=?ak1sMuHzQClabX{VQs?o#rj32zAUfO)Mtkh6x_Tg>&h&2UyQ zd{B(ei#tqBx5+rMIwDV2w!quUnQxG1B)3OqTVCaK@celZugInFitS*g+_;dqFBR!? zb&_G0K+mFwH3l)i$RrqL(aU+4<`L%Vxv6VqdY%k1h0XX z6RiQSXLq`e>Qj^1d&eZ3J&<&E)2+%PcxZvR2@rGHB7ml_aSugZX9(oP$QR`Il0jy( z@l<)l_LhtIY^b9H^4*&{V+1yt{n2-N>OMgcEEC!KKm;JOk4eggWIv^~=ly6JV5@KznZzs72nYYY4o5o@J@@^ps~&0AU^<}kb)oOM5|^Zv6ZrHKKOf{K zHEL!L=|W;Z2yH$owLHIFFRF4qT3{eQQmk)SaM^HRKA~qu^X2d!bbj>M$Pi01j)0YGSEDjpGkM3^KG@{F%vln&fH&^~;$dy>M{NDEsNV8i|r9j8k9yBJ-h z4;<=IsHvN2ixRn-KDLSSp_p00v>+8<8dILpV%u$#$t-R-%fq$)sE_7EMH@kYS-4cC}{?XF|MyWlS!UCWZiY^+sU4LAKJ5fr7J{Mo`a2a|N7^+2f_h zO|9^db=X(G{beV-plRsn^{Sv4or}ope{20>`YiH8Acu0+N~9Ln_r0`Oa9X3r%~TbZ z{6iGguD{;FQPY^EeJOplI5^&XRc?%<+8C%3l+8$5%c>jcjK2wTsRWqzBNA0@BFk$2`89h5#fH|ZGwMt@Te7?67>$~BB^5elVJ(|~o((|%2!XY~ zv+I$lf|FxK5L-c0L1}oN`IAetKn&YJQR2`R6gB zQtJ*u05$~9HsVKYQC935qt)4@WJ^a=hZN(1yQ=MhNwwY0AoVluwO@7T`Pc*;k#fZ# z!;%8Jxj`LjQYoL zJiquMEju8&+K`#%)UPo$ReU?n$J+hilP|%KUud`<*=nVwX4xtlHr&k%#NR99Vk0#n zx?i6^OmJKHo5`%s0MU{gLb_2cJwCZ1p+Y41{W!-vb!047TW$1aH8zBiME^P@TShVbBl9|hzMQbkmy1AxI_E^y?Ej-Y6N zC=Va{=Z2(i83QhjUi#S~O)XG)5bEG!vRG8-fJ{mWeI}MUgjI*?@aO8k4jSpik*+G` zp>0rZh)mYJxk6ut8aeE2?u|}M->X~`L8pm56$MMZX94D1g`tPl4c66FSw9C$|8z!W zopqo}9A0RNGA}%yOvGoX2Vbh1UVx??~% z+T~pmCNcf^+v|=mq4vUqZeSV4OL|HM=Lo;|zAKK1+M=96o^NzpcXE%Gqsy^W&jE$} zYrr$?+9 zKfFLkmY|Phl)vpMkXi8voZ?3wd{ImNrBYNNVP8FUV%?EaQsYqLyJvueS%E1Jn}X8h zqJA?SMJQ)RbqWfd^>tjE)OH(_3A8s6&2^%~I`S%YuNVqZ=tQK-H}?|G{yw9@R&^xt zR*_?eR$534*&c>uOZnKd!VsvAyQY0X+%jldW#u(54s9C`=?KLNilr4BSbRq_hB=~+ zL96=dKbJ7RO2k^Xj!xq03$!eqF{uYASh~teFOr+LNB0 z>^2;mYk?h`v$}1yY6zCS`c+O+DxJSGW_~Au`?7UIb$2M34_VEXP4;MjOfHrBkB55F zg#R0=SuFDFS>Z$BQV{U+RtzRZ5cv6;<+|(ws2ac+X|B$>o1lLvQ(m1k+xkv*q>=~= zv&gRSr8%y%l$2IxB$Kj+>^j^?lmyvyJ zBQ^L-AO9T&e_503*rNrjbwyyi<9GY}hOfJ{ca@3Ht z>T1t3neX0(ea*?ydQ+nLCqKVvLLVo8LIbM)=kR9<42JqzbPM}Q=M%v^&x5&_7!NQ8 zL$5_6W4}MM+g7k$?VCAQa&J6l?8->I=$B1Mh%^Bw+dcuvtlaRsr^fXif6&V|P4VNW z6OeL0M*!1%K&g>m`8nesrc7Y$kLB0qi7~p(n01+A+ zSi~hs__k+`r246h%x>gM&{DKVag|}WcO93ivuItzp zSQ;i7YodA60|PB71fioJkv7b%y#5^-98Y1mha&i*5g!BL&5V{a!pFu2XJx)DW0Fu% z1H_qIz89ZYc}I>_4<5Hz)I^pnRGO-yIXweC;B=Quj}`Vy8a1p;Z2cUbGNh-z=ne5~ zaNoPaj}ptC)CKe0k@K7vN$EpnSKN`Fy?T`m-bc$NO-L4^o0;}cA z%7n)%6-764bw7rg9&XL*`dmI1lxf8IU&E!wf-7hNNVa>l%G6zey;n8 zGtHt&vG(pylG1Rs8(hN zd;yGUx}+~#PsO@-RhPn5yo`LtBM4yCr>hB%l6e}?_P(MamNi}Nk}h(Y)e5qXoU@tq zQ1QGm-8bg3n`A%?sUA-;|uWug&Rk=biQ zXTqGW)j<%T9L03zW3Tn|omgfqptb0)o77!#DmBU`r>DG1Zp}F|w!Iic_Ea#949A}h zccTm5e?Es@(a&KpKT*h<5Q=(hyp|pT&gQ@^T@kQPwd@%DJ)<&CW1%}d*{#LR%V2YM zw8;j*m{}3d$EcpzSiO({j4E2ZbB^LxIJ4f_O)R#bXv>w5>_%%`BMo4zj^Y<6wipzU zWJ2Ev-U7?+Se!0lQFN5LN`tHOqs)F;);$7(lk9Bt46jc1Ek(%fP<{cy4RWErdM!0Q z`|o_SLTx-rG6?>UwMz=hUKW%GkM>-soF*C@UQ)8u6{0x$ElVKq_K*H_zS?4^E zg$u@D7=L6ZlEpZ0v^eqV(FSF7)}eo&rm6&jbXn7Jq?9|vA&f?Ua&f3_TG)NKd+c+g zqeV+=XhV71qqKq!U;Ve1EYrK*a$`VLHC_2;FUDp5-3tmZAW91|Uf_r>NZ1)l@c+s+ z#~b zVmw%*jpVr4kKz1e7RO`bXJV!*Z48TcH*r=H}4>M3|*hpRBUfVX;z#bO^}KMEy$k?8!j=DdiCHTg|U{-=1ld^ z0fGU=L}8xv6CiYw0T(yd#*Ie>_)jF*`$3fJi|1sjYYs9uJzh4!oIKk~VQ zHIR+YZF>fXp`bO_nXv|hK;>4GzJ6bB6 z!=ksDFi!_**WY@L?)4wQtj614E)fyQZ%E9pMf>gn20VG;-2%Fx&r(k21ZX^|n+jeG zPLVxcOf?RHr~7Nqx-}$EKdCMOK*Y97a1EMervipbukeBRl$r;~!FVi&=)Lwn(GteQ zqgP8Rg*pOET#%jKm9#xUP3KdW&@14dCV0g-$c2ed$qWK~AHVx`2ewot`KXL(7Tqt` zZ^)|nvHl?-faK(B7MsqUq71J$w1V0@zJh|`DGRMC5MmbzB`_0fV;zy^@A#LZ!19;~ zxbSSFgpDfhTpF$gLY&pV62|@?&fYSrs`qdARX|ZtI;2IU8|e-K>6GpeLAo1J0cns$ zNavzcx@*y)bayZ5E>LSR=O36rHHp^{es&i!AnPvDBexlKRq0p`$Q3K z&wdxu%I=z_!~%A_uPIQ;3+&M`nG}|mI5&O)a?-S=8W54b4mRzMc|H%cmqj=#tKR*om8RBKBLp%O#{5326A_KX4$`*EMmp^)s3k1Brubw z|A>nKTO=gRoy&XXQu=<`mI~68rmc5MEQV7v<>FZ)C>GTYeBOaVXYgWU>o&p>0G>j? zH5=&-IsuW$nXNaMz&yh5#iDmaIl1!clbwY@&_1v7orx6nHOV=E=GgNTG3|O}(fDK3 z>vk&0cD8zuBn7+6K&<9Y7)l}p1qlbA1Jl!Er-2o1EZWaF+QjrCawkcTc%fEm$ zksimypk1B5(0qDwPd+^Jt@W>0 z`CFgs<1(i#)K24hC*q(tuOx(Z1xG5=Mh`hJF>t$u3zRqWIEzJ`n-j0-yPmexXGH`! z6n(te>LZA!S?D@U(x|S!Zj!?#_dWUAIUND_bs@+sx~}^8j3pnWhF*wK!vXBpMwjk_ zu0MT&r^hi%5TS54$3wTvHxoj`{5Ya|0Mm6)@1qiIFSQ6%x$q0CMU2rIdZ< z>^??4q!_-gJJ52F{V(+h>YsYVc^rpOXLM81Eg;vUy>KEmU0?X0xMz^(Burb*Wvk;x+Tn%~(~An&EaxTLe_QpX`h2yPAI<{PK+LJdMLH%#H@ z`uXDKD)}#!VDuZC_0%CT(|sq+=n|+$jqE0$wHkZ@2jCVj_kq@sO_h?|=CCe}Ez;FV zp~J$~*e3y(o$R+Bz(o&P?4-iy%lPc^Lz2)O?{0q}VDafn2|fd1F+!UMlsCMOCJN(q z%SmK2>Wb1=-s^J1HI%cD7}UfLPk`l2s>&Zj<7#c0@B0Kud5R@KgVmd`VAL z-_CAZt^g)|>6{>GO>x(z??{$Q=)x#VOHW8=9tV)?_Yxo0vg3(dcw!zblO@MfC~pix zzlU}>8Nl=)PCyzKa=qVTNT1avTa=cgl^wp4dB81O=a38Y{|<6ZM)+O@cVzP}1&fq+ z?7H}(ibqFeK57DPkA`8FJgkW)E}>zJnk6T%2bc-8C(A|CS`DKmt*GbXzD89&g-l%T_Iv2OdFEtJIl}QbSMbsm&_l&%cl|m!y05W*NI0Rgie0^s z?%ay$^a}9w$Rthe>Jd~4AX=U!*(GJlO|Ua><9_!f#9^R+lJ1xk!(Z+mawRJ2PcRr^ zOoFC@^S#Q{09YjJdIC|8SYPW^Sb+_dw1L2eG350YH~I-^2EUn!FlV z*C6XFv-N5CyqDxkK4ho{>$4fY`h2sxemSzSdMbcXhp;S9MAtq@GKMYrNbY~7| zdK)3`*~TKMOg7CO%KKSp9ucwt>6sa+946-L{E`g4=~xZty07veZs$=jg<)nVXi?}m zE#&0*O5mr@nc-KG2I-6gIePrj^T~(*umEoHeq~RpRnkG=ytPM zoW)T#kfT5-Em@rxRQu~YVQVtIgkx!IGb6K_U$i>uMPZg4caTiSX9NJCSOTq#U9}!)~$=)xlYq|ZEgl2KvDDn$=x%geb>$?+2B;oOj_yhIb>J}Cs8fwe3wOu z@j4Ff>bUvdd_o=wGnXE6kj2OBeU}wLAlTz2QDt~9kP55HCK3k0IF4@? z9_HqoK#A>J^ub(2tNSE|RT~S^0s^#=*=_ZB%`fsAV^5WZKh7i}qbQ`#Rn88_X+qfStxvesCQ;{l{M`6C>&~-lizgdLT1ah^y%{wxF7k{V8@BbRurNbkE|!VylF&4m&g1To}Zh#6F(UIEyd2|N`8_JZ}kZ= z)uk23us&GSp;6I2UTS@xhHPgaljnSK_aQ;T$K>AHhzjc&oR^_)iVtOJS6vqF_ZG{O zoB*x#y;w5yTQO?Wbjc%{ykSZO%5aMG$uZ;N2mQ`vj-~w%SdiU8P1^ZAL*n%hvDJ9t zv;0m1@)%)hO5l2PWrdC!^QY>FZuZHx>1z7VBCB*i6>1q2405!-E>;Z9Ph)46j4+Xh z&VZKZ^~#G_H4-8ag;w1Whyg(iA9pS#O-Rje{RO|!(!kZUbI*xhE7F@Wy&XoG5yfma zG_ni6q##UfI_x4bs7N_Lgaqgf1fBR|oQ6GN7uVoHUaYy-Qp;w(am5{UKE;Tj z4Gf(Rj4BE+SE`nTH)fI-)m2oXFOm=Q!IK(8A8CK-se1WQNut86 z>~L|VFBJ=5DD+5`-C%Q;x+$)LOoYxX#R?eX(5d&SnQ5-?7nDbt+#2gju^+~XPmFfz z>Mz9T>Gm~?*9Ed`k8Znz`KtRnMpLnO-aZ(ZUR`t;%?V4y5NSI#Wnv;b0iel0vB2Sg zPGb6%pX%CO%eT{bFW)9V97zuP&${l5xKYqr9VJt#Iy$_S?i_cZz5l$JxLvVC?j0PfgddxsHFmibisD( zM~S|G3K;Wu6Epg{vzSeSoSW{76+|S2u3aociN!lL;!7mPr{D!!ItBJP_k7o2ZMDz! zf$>ZdFjPq2;qeYs+b_3&@2iy=A=8`(Z%HR6Y*xeOITaifauqU3A{983hIahK2l#j) zZC^Yq>w&S~P%vvRCo|QnWykJYaCaJwGwfv zOwslVnDEJya9KUK?|ob}(_YVX#tKHY)$|nun>G_gU*CewgQ*N@!ceM^E&_>bPC(d| z1v!=3gURO8ovIXl{PILePB%)J;vQ5*_w`S>%M!M^g0w#>xNetQ@xsi`Ta_w%-(t2{ zJ$0w{rJjag^UdzF$^6Wk%Y#xus!xL+GeAtE9+Pp{jlk16595w_n1k)cED{es%X-a> z&i3%*)dG2LVdCdS-$O4+VLjqW)rxuU1l1n?^+vlo^p zX*0*aC?Sb3q3#POl|7KUg#x4SEG4!^I)K;La>nSsd28AXA<~Gy46G=M_rRvpx^s2D z&&uz%_w#!saz~j}2MaNhn8;5lM(WEk!3gT%k0!bA&6)Tx76A$lNra_6oI=C^VTLYQ>jE=CYt-7NhhM8(GzW*>`TkrcLg4r@nU?BycK~R|#B2PPD z^#oE?rJk(iIQ<{N*}wLVzqK&W0p}6Vsh@iKRY?-|D`cdyB2;*yJs9B0A0PFQ->u6bnEmU;%fv#?t(T%-+c5f_a|lRs@C+X zN3-q#hsFnYQaHO_0UJnYGK9N=1{;5Orb_MS23PWj4|5%j)InqAVUkUL%fD3HX~|>e zkNVte50|inkeEzQ5*&jO*MjV>0jgv-lV(H(5W#z;>m}q~3av(`2$(mum`MjM{yV~f z1-~zWAdEAO^y>t)iE|A9DOUcaApLW_{CTmBU~{}b)+^AF{QZ$p2~bkZ!(VO4)$Tj%h@2_E0Br~9`W&Cr#-GeC0%o1h2wWwZ>r`95H;95Z0TIZT zZ+yPyM|#K&TXjLm)wG{Q_TmJ8p`Y3Vope*c%X&*KC6-Av<+!wLPzUlGx@k1So zCY_8^H_pSPUH2fTzrK)>`S$;_+r^_mns0D(;oLYw{YuEu}@ zE>FT=5M9-fR=^pGQ|(J&0@tpG5GjbvH34xL6xJL1-M&77PY&aE{|(dicgOndBosKi z2@rZeZ#?q5ZBA~l&(Ect60q)WFjFS@;lUC{{`%SfgS)-H?@2^gn9x;ckh`gRL(M_H z%*Il9OHIn39P-Z#gN_^pShlDSx+DJi%KzuXL;M7Q2CcFWQD}W)NUYN(*%SfB4Pp`PxQeD)WW`hB1%DZCu; zphC!nJbB~3=eX!;uY*Gt_UR#R=li?JW_Ti|;^|r*No#`L30=>N^q8oyko=!t`#w10 z{hO=&{w`9Z9orpd={QcK#I`6w58vhg>Oz{{`)d zf<;$drH+K<82djzoe+8y*C|jx%2hE{^N>y0SA#ncD!K%4t^e)+F(>jza0$Vykbe>R z%|L=mTn1fz^$WXg?Y{rz;}A7|+6sT_Da;N&!KOquT$)PyDx6AMr(5 z6b8)_d2Kx-?V<#d2aj9+$A9?0c?|#0z|7z?KgvmHFr|Fo_SdKWzrVTv-?#ez#ouJ8 zT0`n&oZiF#ePjG{eEgsN-2XqW4BZ37?fi7A^X32Wx&F5w_W#`%pNEUqWj|cHA_AoO zbOielD0&s0Hipw!30U+J3ZUZ!ujQ67ZD%Si`78wxKr`?KpV4qK0S$mpZ9mr^>j42) zS`b!41M9h375PL?daJYK?a?7Xm;OvC*6dD#ysc+OfTA_=?R`fnxMHGaNp>DLMt6Hr zks5#Xp!RL&Q|&Bt#2tZ#C=?K``|00+lMu;IhL>C^Ml=O(1|HsuPoiU&0h1KwGW@m0 ze}2p7L3f(#K>o-yr4fh=&hYh8XMwE3kjnGWQom#(5Yy!QN zy_^?I>bKD$N+{-ovg8WV?7MeIx#Wr8Dt)-WS96F!OuO5!tNsgsU_enVPVn0D5Bf~z zHl=cNc5SyZTG|z0>-0_P`ZGV*4(~Q0lkRf@7Q?7$xAVS+Pz|pd^+U#qBCKx&LmI{+ z!^Xg7Eg5Q9{p(p=i5?9>sou|P^62#Z6wEnKA^Uze1_4c}2wiw$!=!ztrf-WX zlXjIlb-rqO$lKAPDzwd`BAo_VZvj7OOc(%*d1Ag@koq}qWLK{FQ7C1yf3gS?m#*7h5Z~$~2yQVVFM;+EY#cV3Bv52&n3Fk_U*E~yRSm@(Cz(X>fnr&~WH z^rtq9uYte>3*_iw0gS_Gvts}tH0t34y?T7?B77S_cI(+zLG+Y;Uz{ak`DgF`v2EKS< z-`ms46(C|6^bj)%C+2zy;@)2Z4HB8Kgc#PMokRIEmPqfFU|N&h#nKNzH5Y0VMrV)TY>ne`Dq@I>OK-7zwdUapYblKw! z0AALkIE_&b6UlNq35pthqOAH8-kt|vNkma{!}e+jEiXr@2ZdJ=nmDQEZ-(Bh*W z8LE{mZnnp(*U}@BXdM8s>~o6i41E^%)G^$mgahXW8{0+CLK{6d)J?pTjaY+sSF6MCX7nX6T74|QvK%X z(_}xdm59JszKOM6g@&)p1eE~x7A>Cnu;4~mn7dtPqRYF^!u=*Fp7Hv1;c%lY+22rV z{b7u#(if?kX_tgK07_ldyVA>(rfNB}=atU8o2T}gH{N2o;$8^3EdPn8my3|h$(EiY zmQJLddTIIARKZ8y_0KV|1Xf{eyKqlkKYit2Alp6|VK(_8h!9_~at)Dwn}DkJY2(~wg=jx!tNwrAenN3$U&;uX1!miSK3f1p1-5&=O=>bVNoe>V5Nf~ zTv5hO2c{v16r@pc1}X}8q&TEpd?kav*!YaR!g|jM=bOx&mhT z8^FTIcHWoq_>Hkmh}6EsMy+;1{b`RYf_H=1bsvI3F}yUEVlfpQ>{;#g7GPn81+E2t zljkW8n4=P$&pAc@;^!8baUA5D{EPr8fihKW{G02p&LKe2=i5hZB9y71t8wdkN5|~8 zH>aHpES(r{jQjfNp8G#ASRMJ8`bM5Tt^!1)_@7WJ$4vwnPxLxC(J7c36CZpg*{|(W zI`$^fObTt9tKcMn2Eq)V^okH;JX>(3463#>nd5S28P7zQzCymFqGCCj`N)J{s94 zDbdTQ2*Ksul1g9KDZ)Z*= ztGT~=zYmjT98vr3a9elVY4G^GPv=%~-4#dL^{2u2kUC!Z=VZ3FH^5V7Rz{ZwHdhse z`lU^0i50bQ&uIJfqQd~BJ@I8`N!?@p`%GVcf)%M^6))4P{Dl6BR6AQoAMidC4Hu=1 zFm;H4k6l2U8o@1srqVSsRO3C`?ZdM8*~uqN)ce6f!q2X_L;KbLimWyR$ZBH;{E(7( zJ;z|JG9$4PtI(rckO;#>3<#&GzE_s))>CYUKwQx^GX#P<=_M?Q`&gU7M+oq2Nhqz;dgzre&;&T(IUaJlD2oQ(Gn#L^Dy@_Xxd0IR5P|(hH9ar^ zh>$cAvLU{0?8@0hGnI{`kMBW5BAHw2YyE6oJ6p%Rn`(C)uzFj79%B7-KKW&&_5zxI{I?B}OWq&EMnxI(vf6QX>4?rk=MQ zUhaJOG5=qFZR3M%9d@@>Xxhsh5s39W%~E{u*U6)X0#_D;@|Tx6xjO4snT{~kb$z16 z%lC>VThjYIMiaCnHn%Q?PNGnqSgXu!a)p;MS6&5zDKn%@(4nu-niDU>LykQa1qvcB zy8AIbvYY~Qhf--=XLCL<&L8SWs4bT^-|8@dL3X*(bbOl}o@+4I{pi#03mq4hIwds-xP?V48?w7=_3} zojlI3dDmHBI-OKZcA3!56c6~ai1U;dP>Arr%g?PZ`vz668Z?PD3`gzgtm+q8>0e)1 zgn<2+YODtsya?>xwR@Udb|>uYpO7UZluVG#1Q(xmaa6wQgos)6?Ds6(1dcK+&<56+K z_3|g|iU+6GIxYFNdvot%V;4swg_#RYSc(QF@(rYmE_?$RsKP8x>&Hzlw9c2mu43>> zjbFFq|Hh56PB9bR86jo%Ht6=(PfimF7^J;97%8T5B zGHOMIeNSj4fK9FAK{g2pMwq`b2D7E9Pwu{l(yRqxK46ZAq@mMUyV)r$g{ZPT%Mg9+i>P13bzlJ|3=kC;H&A)O#p3;dKGX!zMv;ONKq|+6 zBch!!0rK5~^aC{6v2IeQuow*4^`HM9 z@lv7>3}_p2-h)%Ijq*=h`9*Xo{Ue6zxb0M#*rkG?U`bMXm&bqpeJje{KCUpC+y6R` z2H#C*!+up|vR5(A_;PhO?(MSGF8N-RWLAB6%E?8|cKl#psaN`QhIw6zCgvfLUxL#4 zRZ`=`95Y*dZoPW!d+@_dxmk&nn~@p2>UKq;f*SV|!;clzz5N2X{E8x1>XNg8;qVs_ z$MOE%RMt1%+c(<|zQ1G}UOP(KT}p{O4@PeRgHN3|UqgR9SqCUAD$>A$eOyS4ysHJxSty~1fgs44lIq<8j z0F^p6?<-#Gsj{NMw;*1U$`sI3B1eZ?|Ddo3SA8s11G6d2+bTkw*ZX2|uLOudGC5vi zQGfNybhV9cIly!XG`@5P-$T0f8%SV(5a?1ORx6CL0EL#UaJM^SM|jwFH91u>sbuFlwfk_LFLWDGUT z~`shYf&w%QM0p26GO$X2d_0}GY9xu7>PY*a% z+;ZP)#2Fu($$!fNKF--a66>|GQZ5L`n-4+Ry@3cNjI7|ufxMMMeDN+f2Q(f*FA^ZI zUdxFGA$GKyfQBts=m$!&h^i$-qHIsnpUHS&li81H?pokJr*n7lcTag?~@DDv*}OqGmUGFno=2g6znhwZpWFDxGK1<-vC7EQ z*)5%m$LN)@6+`Yq1-g*@^f`T5*(KEM8!gH%-n%DcAD^3tnFx;0n(V~;44Vyc7r)r^ zR+)4jJDEDrIFdlX73kOZouItaU~ZP1s$>$v>$4xcSbXZ{o(8Y6&X$S!7JHg~25nU~ zDedQnB`(H^fUQ6;|2SeRpiA0xX>%r8!SsidO$m=x3gHL|sNt^In>;@r)RjSYPpYoU z0UX|4St|uv_++<>+CpMqf+DhST5DRb2mSQ^`e-0)#iN*9Ys@3nB4g`rb{Qoc4jTA< z0@#?{4{}}Fa+wdT)s?90N(ICBesmoE{R#;arKBqBI75Eg0)ISJ>yUMPS3Xj%&+p~6 z?aElz74Ki5?A7%kJbKM!9mgm4u(N0)a6s?xy5RD5+TcX!5UCr1%04`|*mJ$PYRUb5 zmW^iMdA`0ffo@0e7|!jy5*X&L=6!P6z0-8USv0CV=lNrhgDz@#xNT>TI#;jAVE$KU ziply+>`HJF>R+Ag&E$&~Y*bFWtdY5!tzwhit15;^!>zuUA!rR6_AAX_xwHi@H`Geb z7g}R#1WTAUgxS}6MMLYkh^PzsbDX2T0&>g><3y??rHxrm$y@JZJ0`Q`5X5UW{@slus zZQJbx8bpzs(+OHMmh|uIo8<0G{yk{P2npDXd;3fqSRLPn z41I0@TlAN}P5ENQe;t5V=@FFZO)@+cV@j%`ep*9O+#(OrWn5WjUyR1qHZ~*NH84HK zKVhIEH$4QR=LBq4s{4K<$HZs)Nz1w8~6G4QGttftujJCzI;GWfb z*J!>85h4OOnTmKvzi#&tglvqz2-%4g^5(ao({jcGgzNe^K@TEAEXcf4MwJCboXyHJu$+Q-v8#1@SH zzRwbP!xMnH%JGXu}lO5+tc*I^>R4l!HI7!-XsU!pYQZd4?Mc8J%H z&+pAQ6jrpm+xz3-*(`rJ8*&fge8o5qTw*JFq_iDZxTtAQsp^yXT?)PdD7Lc*gsG(I zOotY2vC;EnE2Blj*LzXYFlsM^vE;LL(>cN%x~R`%GxOa34o}b5O3Ao@(CLFgQMaq} z?+Ed?s0?q<_BH1k5M*6*d|6>TZuxb}ijNtvosMp94PY2-2g=0`DqQ0RVI~MHU4{b9 zDm^tc-G64=l$Ip~S;Lt09+bP0x$CsPa~_<>--J*17_)rQ<4$rj_PZ%5DtuH@9e!ZD z=x+h92M_YJZAi1-H^sARn7X35*V?Ev6Xen+mD|0?)8?v~sbfRtQlZyb=@r*v7quzP z1;BgJxOg2;4NMyVKK9d;l04Il)JZdi+|8QP*`tZj{6VcJoF%iVLBSuQnaNdl&}0iu zi6LDik&CBsK*AEPIH*mFB}ECB*;Nqp)0t3Bm*gjr&;O%2ung_|xMNv?I&#fCL^l%_ z0EJ^V-To0Q+L#MHZd8E(1I_jT(CotrsjfUf!tnO4k;p&fIxHR}-uN^iiWO#HFE%~w8^N@1&|J{R|F)QV z9inkvsqPmx`T>^yDgBp>VpcLH=Q}}}Clboj48j0z zlAM%&Gh!5t(Vup7pR9$mZlw_|)OWk7A}{waMh>9}?o;%Yt)rvp^YjfWY@bL`YF=uk z`1JweDE7kL5#Z=Tb5r|DUQ$&1h;17^#tEW7JQVI(#!4;@1JWBeLC6HAz|XQrIe?h` zF#{~RT0%bo^~#{i#Hm`Jr1-&l*oz@$H0qK8KNPyY1IBoU5-fAFAd^EC%2)J+Q}1~| zxZZvPGUaq*m37Za4HKXeNnS*%*aq{auBTf z?8)=sa^)d0UcE=u^Sq=?KQJhS1(oRuT|QvY)yuBGNx>iyJaIgk#leoOTLH3hN2agv z?ey%~7C%3szV)C06poxs)car!prD*d%9ams=!NXr=h1}B zn#b!`&`h3x(XF-H4%uxTqNINGqu?^l^k3 zH$_wfYX!g!K)psePkk6Jqt>T{ZPv%Cf3aOU`MgNqxmJgpsqsDjC@DNTwIT+}uNj+T zghZRtFV z-fBzS@>RALLZ&#XYk*K$O_`inLz^4ZgPy4GTREj`XYlfQ=C?R*v3hqTKii z_VBjM5KrgJ3Oa_@@_V8pR)m(O^@v`W?PO>lrCT$( znV4j!{Tna&Zr-x;oTsBsP$6*I-QuReYEKF$oXQsKGSbGa#0%-@CYqzWkJ|sGj0vd` zSQz%SssP-w`B?F{TiZQCI%)$t&9*PcV1I$gO`*Ix*`_j*M8=4FY5W)kt>3^x?LHpH zDRQ`SW6(1;(xNxA{T!Ytz}+x{plCC|{eC&+zxLAd3w&*MLefKn*Uio?YVfVDvWK6V zEDE!>&S{gM;Js1s0kCH|t&to)!SzoO)&QIltye^n00vNBMYZ~B-vuG^P*Gkw=hwzq z$vTT?H|^r>3%!WO^8O^5_*8BT7+ZKT9ZkbV{VG4*+d#~h;y&8HC#2Z2H`0tKgt%{+ z`$zJY`CM)13ZR7@kriQyVS^Ip{Pl#^H?p-jr)PL_#>Qwqn;>Qd`{)iA-kS0PncEy? zq5Z!MZI{0o+UaGFr}LCEK4hssU>qM2a}e8ST$(RZH@-O&_4dd z(C*JXk&a~_)3;s?qECH73k(%Tv9|!&?R+M1ygBT)VOf;2RqK-B)buU6 z!`YiIv1DH&)B9WOyA(FgC6iY_Dc8^0*V=dzEBU>ZVhQ3Xb88O{LH?`i+6oqCv-B$v z*>S7nsdk!eu&TO`;Nz*opC%nbh}Eq8+jvMl9J143tad)?37-AoeY!#|r0`7N_%G&D zCB|la)k?bj;IwgUj5uP}vhy49G0cT&2%l6~gO0DG@-f6G%__y3F_)h}rCVI6w0MyK zv#;51mSC;sPtO--+MEMnSF_IVR#W3Y@#c1_Hc-UzP2wWsYEp0HidEZL+_XN-Xzzev z+*Bhh9|b>a(@EkOm+jBiLHVn`pN$HCE@B~2ave*=#iCF_9($I4B2$`^$5s{V65^3o zz%14nf`d4RT)svG^w@p-6?LixQL%0W-ww7>ZB&?@;fU}}I!PP~tck)zBl>pBOpnq0 zY8vx8Tc<-g%+w(9nAy}kW6_hH`yq&}q~W~3E+dhKo*BOS&u-UWT>9yFNZlPbc&RQ- zakdz`SK+j+;NivdcBj3`DyM)!@0*p&x?!V9`H|dk>Zu&46$ov|XI`6(vL?Yw*4-R@ zx8BaKh#s!j81^z{r0v$|&cf21Uu+CTErf0MRWZVnC7lrK1;?GA#WKz#M)-Me7STF0G<7UVnPB^~%v;{Prk#uu_0$ z>(%|brDJe+Gubxma!W5idHB96&4dLa^^vsbs+U6Na2a{sW1eeLFAL+M_2|i(-0yM| zke`Qe9JoQQ(s_fBt!rOv$0OT)wM7582iBNflb)0q!N8QG5bfRZm?y6znwQQ4luZ)a>~sBwZeu3yt{k~CAZvrMG7C)aHbowHT|2MB0Q4v00|55(3PIME z2@w4J2}Qrb_4T&1l8%`W2EYB=6Fa}_Br6sO9HG(9nTtdxb%yCZ@AT*GA(%r*oC^~| zDg1K2Fmy!$+%50+x`?i}G#_wKxv;!`Pa%?hMZaNU(2-%g4J_!AAdzpy1l?l^dl%NG z@BI{_7%`i0exUL& zt;%o#NS|b`!d2ElEJvhwVwhNk$aKla=a0vR={N%G0fLvU?KOo+I;7AvxEu~r3UI)- z%_1*T;hbFEXGktP7<5zV57Z)ZRkkwLifas#*n7-UC2p&4CuZ-*upz8j_l)x*sf?R5 zruIlaY<&i&PcJxqthW)Ul(k~O?mwOt9<7JQ?1nIyax99Wl082lTm$LOX%3Xi$}=XB z-OI*x-J|FAc)JsT9nrVC1hB1-y=F$-34J z5E8&BLSKE?Y4eqV7sJlYX<0(R!>&qrvYb@Ecs`mv`~E6_qSj##miZ?IX!a0-Hd?zT zK@r(8CgyLcETrNNXZ{D-i)OA|s-$oRwcNgLm2iU|WyFguE1{Fo*kt^?hQQ5m`A*;Y zjg@~deKg9eE0}lPY$WtBYCd|oS3W~1S-b~q8OSXbt4jQOQ%~`oCcy-nUyX7UMaZW6G~KbID_3%&V}yhn z;X6eGoeZFR=DwA~OEs61D@Psa=OIG3nWV@|%X|b;V`|L#;$rknAE!}abcSQ-&)M^- z28;ro3>Xv*khvQRBXjvmRve8+y&BLBG6M;S#D< zX@cDtk;-_;B$7caA9I-+TUSUmtV74SthKCsW|TbO0C|fi0!*H38?-P&5p%p0 zcRF7g+I6WwCn1Mcc@Zo=5UJa}lEp)T=bPgNPBlH*JPvY^v6ZM4XG8$!2|*_=Prg2= z@tZ5fGe~5gjks)&NP5B$-l)(Z^#O5ly3S=O$9WY<9&`tyeD-A{%w%}8*`urL-tomEPbpX| z5BLW}w1QfV2MbNZYI*-a1jii03Wk?Ipw1WIU^tmt69Xt8zj~y^+|}G;CVH~hx;Jk_ zI5c-I6}q27us8W%<+2xu6oh5m08&e)Nzlnv@@|bm_cG!Bg{7)e^YK&s+ryk(LR0%9Lm6v0kdDzaelTc(D!U5RZAI=_&RlbZJ06Zw7f&B}^9Kr5E+gGJY)^PE&(`Rz?-^m2E@ zCeLj*54$TGg~SIxClLkMqntSqj@wy}dNg7}+_i3=j$iR0NFuh@8;g*+x6TA8D@){_ zD!>^&c{}VPp75(=n|iy?PJ+xR!k(7dtz){-N7Bp115{}UY!Zp}q$d~?wNah&w2I?#AzgXt7XpN zs#Z~15{14K%xUd@GX%|B%nsu$-lp?-2M)U%VT*RcwT#XVNT5kyJdJj47Z-py;6tks zU5r{)z=xV@FEIWeMHnE&RHVueCp0ET+jUbg&|317yQb}8^hUp~+%-_{P4H!504)sf zr8uRXN?-bu?hiY1s$C!6g5rZA*D^j*d`)hKJ^Yzwa@;?P)mKzV>m#oqinvAKu2Rj6 z(rxf$E_azN?epA22vmTMVDI^2jU_s}-?Vr6YzcJ;MC*I;Y?&gfEa_Z*4BD_EhvDV& zS5DI}Z|93*aVHyPUQ7zKyqAaj0GwCwIqY}inolftpveJX7ryMMe@rGBDm?EM$|Kzr z8_lx!0GHo&-i1eUf>qa7#dn*p+6mKP#g(zupvL-?(z^;f=HF29zH`L@s5ba#0VBQCJ1fuLoA zf+AME+VA)76~%Ay+;1?rLZLGw3({zNhl@)6ob(_&y+hY8$}y&-v7kSD08?&CQ{N>v zOZmY&p0Y$V^y2yst!MLy8DP^+e*C)`L($(Wuu#d5_a7%a4h!rHI$ZD86!I_e{VeNH zpL$0f{(+UQ5iH9}4iCV1RmCL`Wb;zOb!tkSo9X~{nuz%%atH($X&mwn?9!swDtH0G z4nxXbTMjyysMu#_pPHep0HM$%n@Sh^j_~=Ino=-8p#%eGB8)nhUTf(=eAvYt>ubw4Zu1F@xT# z(pRt0K;Jz|=iE7{JNoB^-#~w5gLiW?!U6ToGwYHhi?KO>{1p$<^)h<27V-S!fufJN z1`^YIH3HuCc`swxzhVwk%f&tLX7#@wP5ZS*Cz#o!e9`Gf9p*KqNn?3BK*@6Nw-LK$ z{k$vVEji2TniJ4Xw>M0lHE_y74&4ZwDRo5~ zcuo(6+aga+w5p+{WD6OP~- ze#2~$f}(zJcbeWmhlGso%3ci^M+1KM%E$b$uc`4NNvvYKVT=fVcP6t85qc)QY-4aT z!3S?VVne|1rgMZ@{@Yq`K8x~%&E*uv1#c)M3QUdXt4OOCD9bGKI_zv_IwdKZ)abk7 z4ifKCE#U5lrnt>ad$c$JE>gzuB55Fl6e|4D z$adc=4n<+m5;OMnU!+@%c>CjE+LC@UA&u<_ha9C(11c0Uv*u60zAs_uVBl{rcuC1e zCmHB)(NiR#pZ_W{h=RgD+oYrOIeW$%9-cZy!n;^Sqs7x;WKrWZDy{}eJNmfuf z-j}Ey9AB?bYemKQ42>b<|ysAzlY%0k8N}@QRmb z`!vqJT~R#wk%i=o$LK|6tV;p+y&wKZSz);<+rddSP*X%!PW9~BY~BS3Y?8lKcIf^Z z)=Ss+W^oDHN)`fc<(`Cx_? z-0K2$Yy`UO39r48RDA_r24mY!P}mLI!Jhx^i2Ev#g4s%E5MJZoEPE}2mB+KPN!Tw> zAdftGgMD>1e+@!pOVw4L5Zad$vWypKm1nB`0)t%!U__t+sfYz5mmcynE1HU9wOJAT zvUBzwj~PfN)L0u2K4g`JH5~v2(i&X^)!k;98xRMIH>u|oF1x=eQ^4$7na~9*Cqx&} zR4w|rLawCXpuhkOWz%ml`*rPz5cPpBs1I;3`%W#trz%r)pYFf@a{p4kVqcDUZB$*@ z%(uWoXN%2JY0hWy6U|zAtlFsOXk26kz%wy_W~CF@O2Ro!jmjjWqsn78?iNSmUwNWL zzr~UAjedulo+|tuKf^*|k0oi#@Ye&$VUX)(@J9Qjn;LF8l|)k&m)SL@F=4aevr|2F z!d@U0mEC5>^p|aVR+*_WcDFp%MO#r7n0?iR6=rbUS`-`=EItGcfhofaAy#}I!xPu8 z-CWY{o3{$8T{m07#1_wT1D;X@bj6Feau!%Sc>ZIFcxv;&EcNFrq5wI~cpdp-?JDTo zAGMu2PcWjG4C=I)^fXMqmWs{aN7~QPJ(kG-g1$mLW?MEtvd3~%l~7}rng=A{aJ%^{ zim_|OVoVKRk>U57d-!gG(}r`uS427y9%}eRyq4T7f(doAI*ea@Zn+-MOl5o4J`Fa; zII#CA)r{ZHevZ7LQV@QYIa2;cKYzs%CQ^h4cSc(5{g%t?SK)JYU3u;B3M~1eC0*c? zrI-Up9hfWOXqaj7t*P~H7*dQK%+H$*V7m;HUd>7-% zc!|C)DWJwhsM6xOAR7J4nN#`DqHZye>OrDs6OQwQBYP~f@!T}n7WPUXO$fuW2G9dESqYVOP7ERhe?OvfNCoQC0?F#VbWT-P!+x#UbehzY zQ1hte08oYRL0oeLRz6c@YnnCmNKi9~N0uazbgv839V0~ecn;LwwOV-~5>i&#hBECR z763gVfk;_oG|SKPF?>di&tQnqt@394yck4@#7gGuA%-(_iS`Lcm7|Kd0MnO|0JwTi zV$iemwk$t+W}yvem>6dIfDS$H{1e`;D3MH`mfkA; zJ#KC%Zpm93^DU=h8Q(s^vA?@>K}^#RxLo8koOo)foW1;9B{Ice_y=0-B*gF!uW{TG zz-Ajc6Ch$BV24hkI!DW0jv9^=pY8q^m0xn75mK36l>G+}ZYxVP+9Dv$$BIvD_%|V3 z&TWKaBL@(|pZ#0Kb44=`b^PO`%YN)XraPct>0RDlw6Vt}S-eBtS5xS#wca_L@VoeJ zxdnQ+mF=n!aeigL2CJs8JBID}5B%ocFD-TL3!-ozoe<5126$yA|(iq?(yacz1^t4|*czVF%?M>xGTNS>H1lXX98~ z-rY|b-B2XF_$W{z;r8RYM~!17n+qw(!+Bk(R6K}zUMoQ^UM@o!%2=6O@*Wa?W?kd& zbxhq$2=dI#<5gk4TDPAZXFwXZ9-21qlMRdB_E~~YsE?j3(J{1Re%+cZrD*h5jK`-_ z+9F^>dST;N?(VStB#~L4cww93t>cfZ^DI3}7rxQsZQoH2$MqK;hL0*R>I48`2nP0E zGzgC0-9j3Eilrdxd4&IT=&lMGEt+-<5CaBm!%%rI9!iS^EwJeR?hMAghbQD9TBBFz zmfODmn-#D?Y{zEI}|4Rw$ts=ZocQ}en1I!XrJt>tkI=%aL;_Z@yELC zL=0ReT)O0{y?JTL9OPLe9a9^YKA`KZEoZrpLKRXz&X*8= z@~@pi!T|#|b%hX9GBdfP;IItE6dq4QG`YwHRLAun{gGc-HS5&(PdmiL2=6P8!`987 zrT2egiT_HU)!m7BbYJb`E@*7;JBy5LU$`%N^anHkjR=>@=e`bnT9DaCUlj%r;c@^G zj`9~GoH}iQVjUpD2Xk9SZx@_p0$fs+OO$@3<~bIa8Znr95>4MA1ot4r$n}fSZ~7Ga z$TgT^MY6cp4&g}~zcwib+K-Ed-RfDCGsf{kO}A!NamsTbw88&~ib+sAr^Fv)=fgAa z9ODi&vnkIG!g0}x!S5R*30-+8_n{1jX&yl77@JCHn|V$EvhP*SHc*)aZ;#6P2H8_H zeGt_Ho^eww5U(+GScx?)4`yx+Ss;-f0TK7hy;cbvGTaxiBXbA@_##su;;MPet!snC zZ-*M-n@#4*pT5PGg5L`7R2714v6!1)S`;50*h~?JdPS~CasB@=_ttSyZgIQ!wg9D+ zmR3Q!8wru_7K8z$1?iBG5D<{=P`W#np_`!_q+#e9Lb~x?qkFrb=RD`U=X}naf2zp9 z%zdwWt?PGP-|O%c0#0vKG7XTG>}_{&Z;L;(T(t;1m+u~232_Z0jY;PG!3}R5Fm9#A zbT-N;8Jx?K9?L5m>F~6kJbyO3D{qRE-4ZQ>eDvl+8ogfKYmf~N7u$hRx0lk4C^A4IlHU+GVv-)$(Rwt zYH~PJN9bMzi&+O}g20bw|2%zDmF`Q`1OM)#jE3RKW;gwg6Z#tO(8yZv{Tx!;@}=F; z{L$`hoW5aZU8tq)hp4ApKmnr<+EmXE+Vy0tz(`=&ed0rbdjfH(w6{TtwO8D9O+P(Z zcd|FeRc%Pv)SM~Os@{B8(6AzYf|WIfW@qwL?!GUU4jUn7tJdD8W5L}#>Ehg98oeFu z>z115YB}0p4_1p_eHE)F-K(Ki{8(u*>FvLCh%Lj8r8uJ%^A6QlePj6%-NUgIpz-^Y z_iic%vdn9M{05#SGOp#kE9hBtRVq_mdJMc%sOqbrXr~PXnbal*G8#M5p1UbA_E_~N zM)LhdwA`YjF$ig>I~+y{WM7;YVe2|qRTQKKAn`#F)Bt1*7S$~cfW!d{&K4Po2T_8q zyGs^&ft|O|clJMU;-%;x;S#*1PUf9C0AwzcQ3)mla_6VgYdKR@rb@9M z;V^G_42*m1>#6hT_r3#A$&25NV{92cAPc8z6jytKQ6aq!=|Ry3vBZOlStRY>E$hpg z4MTCm&dm@_J;B34(T8z2*AJ)9mw=chpMACj0OG^xYa9`5%i}J;0pgm!0OBe-H(rQe zF93k}oD+;7d+s+tJSV0SS$<U{~jwwuc zuql89h!2|58|otg;tdRR$8JQZ^>9h2DKi=k{$BubBiULd-S3TjBFfwfs6EvpSlu6%32IHIl^2uCu zEB0UD(n@|Ny!Vv2ztN@6W-LZ??T-+;ZY>{|=4Inum!vXIVyMPhZNK$p_I~TsWZTP% zKMx9!gGJ=TFW)--;lYeWx4{1A5PSFt9AY8Qp)Nfvp)KY~n~tLk5qb96{BM|Ni$4TS zqv@~Yyjn83w*V;O)}|Ttkz=0SuCpBRHJ^v2Cm7s&WtUX4d z@-fm3H~#G5o8ioW!_}j_kyu1V^7SpSoifolZ*nXStYD4%n z!k>_?8vw*zCfKxzcWVtI9j&KRbLnEZ;2sy2#zRoBk1o!%?XD?EC-p)?P0xVujvh8+ z(kC+}fE2=I_RrQ*7#erdVjVT_zW5AyUhnd&K}CmH?YnKYn9@?boRJIucG1Bbt}VdC z(K436paTu!K`L+MC4e1rmba#jheU{r{YHqt%mOQhjdZLtaQNIVTzg?+L-&`}4X`hN z`~8A7xpax&QM+Z3K!bSGFMs^95w}FME8PDVQw<3hK|4 zlOu;q==fikW^VarMf}pGxn0piDs6jQxeE`SY!3iN9Le(|TgtpNivW-=*_kV9x>tK+ zJy&BvQm3U21YBp?cxq9)R%u&n-cv3Anv~fnOAQ}!8qE4pkg^}a$O>y^D&6|*ItnPx zKi986JJWKocxC?Cu4jyCaqp4hr?okkxfAR5I&1ZYcNZ1v*QLo|NVG*;_*if~V$98c zC589MzRY$+f@adHcIzqqmewPUSj{=fv|DCbZ{g+jhs45&v0R4G^})U)r^9B+hjFHn z%9Z?H+RTj?#cHAH(f+>0C$XNNJ;6jFMwiWcP5@|GAl6MEOp<>I8AukqN;eD}VKS5o zx-Al;kSy@3{zW5Z`dMi!mg+{iOXPA;@$CY*?sC=%h!Gu1ocRIQm~Mv_g|0WqRbIf| zM_itG31h*foxlKEs^o~{o^=t!6UOJ2HFf|YdLD~mEOPZBxl&OzI!&XHBD78Zy|NBl zmn#&yWRveOhm8g9!a|N-4kX3qg$Iwt#Jrfkh2Yt8l&?o~GjPCV(>R^w8IyH?A11T! zWlIMUXm;A`vjI!ZxN&Insr4x%XN6%LqX$fz+&ZmNHS!&7-9o6w z+rUt)5J~mg(iJ3Q44OXNpf3hW*G+;gdp@#VaO)Xs+YJ$(yhq-8EH;tM<5Mcxts`o{ z@CHD_-B| z5ogG=s!;nGL4nwy%<=Reic#_&&S4`bL~vQpK_arlBmn@I(h>+`I-bZhQEbahP<^8V zuo6arMHWdW_<8xB07LvZtQKoXAHczx=O9WPBu+ z`!(8uPWN$wh}J~|lVZ2bb=5@!q2!3Q%;@`;7s=M(G3n|;#%=Ko<<56pW5!_MOB2(8 zo__nm9SUD7uXwhuqxAzVorP)7Ec^&qhjr(99M5v}R#R9KBLUeznBpw@$l^dqTs!wP zsYFnT+4UDwd(Lj&tAsa>F0Ry3TZv0) zv}}7xkI>}NYOZtH>UmtmbdMdSw#Ep@(F8iqL5wHsuw^@@DH=1d?03uUU2K12=x zc3|G1{*>(oLmXsp^LNUA6*BRCrQLnW&F;q@=y(}^D(12oNcR6%;J4{;6&TD5uuhX$ z*DXMjKi+OS0CDDbS+G0d1HwP+csFzBdzc>afP7eWw|`J^!}a-Fe1#y?d$Mmb9L|kp z*|7%R7FSCk5g_6l_TK{K(rEr>f;&3|%b#EZX1_99$kYz+h$>+AyZ>VLL*M3c7AlU6 zp479O&{NFWS+uG-i0KfjxN%6mg;%afr>!Z9!cSTUmlIS-!L6HQJtB~NzV}Rn6p00w zL}J0YlKx=9Q+obqSn#oT*kU5+|6;*&d@FVNf7AJ0{~*EBh&uL}(De}j2~LnV?@*V5 z-tGtg1B!utd|v(HP48k%kT}95tMbQyc1@G`aj**qDMJCf-IbyhY}SM_6MUSdL4nI==VtN%^WknN}O1?6rZzkxIm7@bLo|A#Lc=m~v;b13+U0ALi4DKg=%`7O46T)|p6` zwGz*(0z)=pk}a?$|DV9Xv4Q%P^Aq7V#8e`qv>565%3}h|BnCHpy?=tvV}zJKW9&|p zqELh`+?2E&YwpEo1%MkJg{z*~x}Y%f=?i@HiQES{+DA|2;^%wiPZ#bG;y%AiYRGfG z401MVN4E26_bPuh@wbAA^kVN7(x)+!4frAXIG{kU;Br`$3*No|gY#7@Wy&_M#L!x* z6q+wTFX`qn`D*)2z!A~#b8ci>YN3LB#c1sMb1(wWa!5+5SGEFc|Lupa^VXN`&yj;> z52Cd|AMdWth$l%6ANcOPbt$AvbMWCZ?)$=JkH1itGxt9Juv+Qks+3p-;Ya}+nc@+< z+$C^u<~`FU2So)dlgHB*oWAZI@ipTrO?~f>O$8rU^okwu*iC{^-+cRRruT965c!Pk zD$p8H?j&OUfSCN6vp$>^wA68e=LVkw0R)Z)KG(*K8L+-CBGXU%kFEf)g_hOR15D`q zlhNbcIxBc_7N$RsFFeD-``}1}@A3fkj>^?l@I#KoJqg9#BSVTBkSw)!kRW=0XZ9v5 zPO8;b^XnDD3t9J+kdq13=T?gj$mZInW=%I!m=m6xq!mCNeq|ZiXg(1xDFFUy`&X3R zA6hnnKY$Fq8~~Xe8bTH#I|Pp>T4T16hDTqzTc=ilL!H%F@Fn=)S27v_pe?Y;u zgBqaMc3!_WR;KlwQ{ElUVEEerBPT97>i7u8b1T1rqJw`jmPLBC67~es9gZy=Wi4a7 zbr;>SLH@vbvtt)xi)R?FN2c5X8ciHLK%0ebY2M6gv z%-ys%V==9P&Km42RtJ*I{R^U}wx{_TER_a4(J$;@iNJ0^EyjvcrB>9ly%#rt02^X{ zi>&altJOBO$mL*_o(V6|5e6Z3XchVSBurpf+NV`*Ezv$y20N_y*6^HRtnaMNgXzbVB*n9{u* zBRPKPTdCjEE6GoaRu2ZSNj}lMa)Gy!PY?KKPFI~M@iu6?2NB2s8N~mdeu#2q=cm>P zkHBi!V+23JI_@dDozm7NNE*BAfthAQjB$V*I$5MxCw3u$OH39DcE9@#fQB|K9$mxH zoDDemP}25XsJ^b*%ka|Ian$)^5f3fdk5*EZN-G`7p@{@5pwK-WiwO5KZ-_aXEYzoM zXJgUJ=(Xp)&5VyRNKRUs0!Bs_UtD#84>oi~zn6s9EzE`7f5InmqsnR|mQpM7Qw|^o z50N=ui99k)h4m!7pb+-{fr$$Tsh}Iw_=l*p+4D*$*O@-$x0#8$S94Fuv)!3VLiFLv zTQDOX?xj3rOs!cPlxw-jukpPK{f#+&sLJE2X2>p6G09Vv$BsSOO@xmehxZT@CT1q< zWrE#>r?U%=u{%8?(^;j9=uI=Rrmo$xBuTpk?QAHy;M5WE*axBOQ&8?f2*4)Lt4_BWw+1HxBKj4{WmVFnF*H93<`~xJx49LXfpnS@hPp;A1i0^1;zQbFQgO6wL7cDLfX!#L=rE}~St(uaX-IH_s^y>M`f#yJHVh{i% zO(bkw9i<`XcxSsIRn4Ty8q*_odHLd-p!{!h?4oEHRyr7pv;Mt}l9AS9D+C<_8vW@z zC)C-}#mKD`H92(uQBRq>$_PmNN$vH0NZ;+KP=F#y!gPC5<-3T}N#K&3!zI{vOK9Iy zTeDaDRkC6VJhRWnpO#4~01@3YP$I|A+{zrf!nl(A-JjL2%$DJ z{5^|c2DV+;(|XK{ zwQOhW-sZbVh?ObAhCyNJxYi*|8~(z!XP2xHr}c}Eg9m4hFU$N2fIF;~uTyTI=)JBW z7$g2#jifZZPulCp=Adf97AW09MZ|mTQ=@zDpP*8>QMQMm=U`C8RF;!>n<^!I{eI)l zcn@=JZ&}+`9G0;VAT*_e?k10tB;G*w!xr1l2V){l44OMXpyp&gXRV23rh$&k!@=v$Dy1oVaRy@oC?Z)*QuQA0 za!#rgv11rP5k!^=7)!qLR08*AMBUv@dnr|^CDe5;M@@zncCx~+8|>aaf6ck9k+C_f zE2%pSo@Rx))0g>nWDY2I@=HNygEk!ELvsiQtII*DfcpIL^HDab0c(zdG}390f)RsF zQ#sj)45FyKW6UhIm{YlxQHgfiAK}}jX}64lXC}_oBZ3ILI%U{$K-an2*oM1AjOx9I z=u;eC+=D*5gcI5Z*B!p5)^&S+aTYXgfG5XGc<`t`MN|*~@s#4Q&a(n=)=n&&S(xQM zS2y%62p-=9Ie?f0!2>WzM=y$g`=kV&kQrlU1b`H!o9t}ERhS#_mvA~DmaQjNq^Z>) zLvQ!OcqBI0<;wZ)Oc~12dzyfb%89T2{IaiSP{ za5ay{hDD#zu^tT@wrIbS0Bgb!0iEg73-`dIyat-llL?$P)&Y$I~-8ATql zraU;FU(lU5Y+p(|%7NBp_F4y_iX-iE{e%hDGTiT9G`@@Pt#s9v>v$oomEI1LhZ0$> zEcIQ9@@yz)LpY9%(e_L$Sj^ZaZz+c$x)81 zYnx)Tw)R7GttEuL^TdIQ?GM=P@l*lV1n=Qa=V@EH*bL#QaJG7n)1V@_>$E8j_X7Iv znq2s*z#kHW{v$wQ03-V^K1!vZ%2OE&SJ^Aho~J6$wx@e+yQa^ibO*S|t_Hyv2-h;S z3i$scYMdiV28(a`en-tF68#4U8RUMxp*9aYta@0KTYpBm@;kZ5aOZ1*tG7ceE5ZCI{_m zDlk$2h}twr1)H0dx?l-oMjPxSUB+%_VnPRLAegx*EdH+S7$^^>JBpX9wk}=BOXdj- zR$kJV@lRGf4>As6n2z!@#d%x9Yut-60!R#ZA$GS4pry<~S3Mw(Xc@>j;xeT7NYAE< z^A4&>2JhAoFw-)dj~8#d`7~2UpQ3QQKeiY@XO{Uaor46Ck37}n_X-!RSkOrIc> z=0S?7$eh@tqurY2%*G5N+x2exwag<#^g)BXHWj&=;)vjV^($I`z|U9xo1fpVE#qp@ zEu-34Vdif+_pJ*I&|oH{Usv9it+Jq;&0j&vWN0dbe%r(;`_KT-l#gY(%)m?NxI8*SH)9b-&hCb?CYS_OH>%Evn3z1 z_6^$YDirE27(uqnEV_Yr}U=Fnz4K&p4L)(1Co-L(ksNpXSBg~z?xp{%3=eoX#uolLoz(kKf3QfP%1!11XSUT zB|ro-y$uS=;@60)Ygo}(^;%M+8#$4_Y0z@~wYU^OdB=?Lv~MsXVC_STmWn`j6$4cK zJLk6G-_=F+Ej@nBH`Dhfm;3(}W@sF?c4o!aqj`7Hwy;Bicj2}zpnU~_X8A7V{v;05 z&sU-y!BYz=kxf=!$K3e4YnBS{dmR*S{Ed|l2aDq9+))SLaXh;m;)`Y8wz$K_@IBD8l7v}~s+#LPe_qeM!NPsqR7ZXLAS|6o)m5%q z>>sNK5@+oUf6j8t7=MI!9B~L)#K{1kB&Pq%SKAj0g9~bZKFK{wR`XF>FX4Cp{LO#w zR{*qZhE)O<>uTd)Ulsm{)n(skp}sGw(1!UFc&U3gy^x5{p}P##K?F=VAZ>udVcM^@ zw-w;m1jINs6f!;hF7jVL9Ovyt&9D%_NjzL1YAyT7T(s0p&tpBu2s9x|6bvHDjMIm> zH(}k=RBL?goKN*v3?6#jN28iN5e@J72XKdRf8O2a#v8u!%o`(AYg@cy2tLZS@dpoB zW3bKVz6?Jot9Fr1_G?I~Y_}8t_qPh?y$OTH%8)8O{hReY{}b$UZRi3Ew^c-_biy%k z#3N;t!gFZ@(E|BWAET&^aupN3)WOH^jZkMRIxmxuLtt0k%VkVw^p?T7(Zv@;>3#dk zi@p>-=AU=+9_oznDCHm8X1?-+_Gw& ztbbpr_%hT0;Kl#rC-={vyxhc6K_PZJh*b2Se3<-dx@L$gYmuM{Jxn(Rm#=Z)zpoHZ zg7$;|ldeKAonW?H#DmT|x2ty7yrbhK|9ju}zrI+f`t5u7?y2nty+bKkw6jyLA3v{gUTGkDC0d_Bkle}tyTAK? zzGa?Upq1)dSq!r4|F6CG|9fxXuZ!5r?M14Z5SQO{3z`wG7XUwf0(%fXMnvE3TnaM-1M{oyaW2!osjjR4F6n6bve(}UB!4-5x^>);$bp30>A~a&+Nu+APNAB zrc+HPP)rcsu#=wtK*Vk&17$1ir&6VCs!6^{s(`#yBg`9C_I&WEaM6C8Kf$G?$qCKf zC5I-C7invdIt+?neTD@QqF)-f?m2(K9IaLW?*gqfnpl#a^ObVsH=pTll zoVWK)e=p$D{dj&w{eH%-Px?9Kcc&VvACg_74J94v#fo%gG2bFNQK)ZV2gpvC3c2@4 zcb}A%PQ+!poe2>XTr1t>7oxK>NfUE)W$(sT9=6RC2{MCt~v zZDq=SI=gkVFsBez`gxNBX4LJuug$jr=vis)NK>GSUHzX=iV}Wb>YM(KvOfjg@!VVM zy$gy)pvoo@5nq^KehJk2Zq9c`SOTGsE!2V(Ze8EG2zn{6m4Esjp%GLqyP8*;vbGM@ zxk`swKl8)|%yYb+F~$RVNh;@jrDAUxy*j%9B!&b3*mZL}pCx}+uP;FNtA2=P!#m$@ zmAn_!px+dXoz`B}+7_Ma50TQ4P*Zpuk&o4dyiq9$;LV-$QrOQwdfT?B9t2xcZND%c zsIJ0Q;1wAyd^NK09!xk47FvAsF_E<7^|7J^T)%});EXI7j+}P^aBjR^q-TzZ!$eL7 zTHJ7Mj%>Vz3jj9_4hYOQSZhUhf(dB=vZ9Z!-2LL+P_5H0Elhn55*uVLh9dYm+!7^0 zH9g-zhedgD6_ha;p=Bmmb5#3DbA?85#owjI@scY74PlXwu94RQBn8;6ZK~YtutOc72+bdmx)VM)A}#AVZFx3@MWHmkwy3C<uy}xT2bs4jU>9mHJiI z@CE}U-M2Gykvf;Wo~hGkHxiI|@keqLvFUN%UxFzG!&Jpv8Z2awDlq%44R!!YQ32Wc zlZGvonJO|lxcR*x2+W0PBSGW6%C*BUemO9d-mM#W2@utMqqYDkX#n_zi=Y%hN+WUP zp;z!@o0D0mAeF3po>nkTSKu!<`sPv0Sb1OSB#F6FD=K-~O)pGbCnZ~w(KVDRL`1sj z3BC8(ArlQ9yd%9km1=q5q>MFyozd)|C@Zz`OlRj{6A0@4&id*J;)-|j@M+GivK;bqaz7fbJm+hh;19~o(B5s#-EH=mF{b^P> z^Lw6-Y0tu2R?_k;P=Cjzz8}A$;QPDo&?`8vUh7O$sDN_Q4~?3lX=oq`MXfYSkf1*8 zdykTXK-l{yW7b+Mx+GUM>>pz`##20#rWij~t-Os5y3i$k92F#3BK%X!xbvCijsx3P z(wbT_6qSPc{E%1Dcf=*O5K?%Wwk%q5a%hzkkgRi$=LKR9bCVN~Oxy9kDY=s$k?>LD z;;ilNMi<{oiE2)06|#?d0AOHMt|14PKpr-G1=3AUQv%S3$8+zkwQ(M&EE`}-NZkY% zqtwfNW)f~v8PRYgRuvdHq6FT`uw@DHPcdmkx;KbOqbR_VQu z#}ly8UI>gIxX1>}EFPQr=gN61)HIl=q%G?j{6uK2r;iF-EAdP8cOLnZK4z|7#u0y< zug{DD(B-r*JYC;yO)Px#1Y6lOZu<8IJKSYg(w`2-jeoz09G zMFwK!_nY5BTnD3q>DpD^1wW_19l4*xj2{+lMr|fYVB#(lP()Gm>q>0J&VYQ9-4}>M zKc$Z7h~y-Adgo^(H{8|MUqtrj^;P{4ePLrxUMFWVpp+wAiSJ`ZK2*ImScL{2qE+|j zE3(kBu&7AAc*j`pT9>oDpRsn=@6w_w=_p4L)ad=^F}sX+Gl07n<}Y~GjOSM-tHFYK z$4cbvW(-TN93s0&joi6Aj)}$mWggv_1!M`yDSui0r7CUrXtBU7s_kdUy#~HitG=4Y z>Irf}A0<}s&*)C8&RV<{Q_oSe3L6~qh8IsmXYHq02@?V`Tkl4K9{UW8)s+JP1hc6? z0Aj2L&rS_aIVr7~UD}6d8b-21V{#+3w6ypA$z5|*nYhtah*!&tO|`y2D8MhJ^d$WE zWy94Vof8*uB+0y~IlK~Uc3m}KOl(^m_TUpX5;Z)5ykyw%yW7s6s9H*EVEcwHymtVN z2zM}aK-7SefJHa4c&bhg4kF~@po9%}Fd)n#5lTu2@?*qrpCS1f1`;Ez`9q!*RRH&x zND}7boR%sw)R`@xz>iYx{Dq&067;|Ksk;Hk(I&SFm0GTn2nI2y6a+Lp^!K$C_uj?$ zK^&(``}c0|6S`OAH}W8K(QNJg`|~c$KaKi9DMA2Sx z9_d!x(AUWk`x;JwM4PJ`-IgJ~SqEh_!x`8bNRhpXf7lrVdP{79t;M87$CU@-DNx_ATIw&PH8ZxV4ILU0h&_a}2h%l`Z1D=c~U(my`I|=EoPS zQ@O4V`1LVQobnEcl#uzTjt*7X8hUBJx8)Zib#_5Md1lq*L|XHj_9?8&>w!(6Fc$(m zr1w1Ue*q`qs?{%V@%q3XM)Pocdi+ct#ntua)yXsc7%#!U_tXKBl<+Y_C}N}yo$;|x zu%uWM@B098N_cw<4nyZ{9@5=&n<|V9a2{_@oC-x0BH9O035?`!r7hh4eQ9_JJpW*h z8HK83gNqaVS4jsBBdJNqKj(+e$H;qsw$#jry|+j?OX5xZGE*&WsrgmD!OCj@9ADMr zW_W@Gj$>QKUvy=%MSgVUE}qt$aaai1jD_1Pu15{C5?1z((l{%kvR;ec%9-OP3yEqFCx9R192PHwOFlc|onyWrcvCcRpp=|GSA zi|S!Jx?jcd+V=o7y?5j6&eRm@bmHq^K6q$6z#1c{_>yJ2t5zeHz!8(RPR`69`O^2 zCxgw80;d%fXi%*-B--dR#cgM*LmJV7kYLyEPUC0iroIjQ7NB;zb*bjAImGXukMZ?wx%;V**7(r@kgbTFN8r7)=kCdRi)uB2hJaeb zb+=G38q1UT9dWAg@6-X@x9ICzhQ-z3`|~j_wT%HwI={yZig$=F=r17zJtYa6pl5)H z&(5ej8^o9fhRTqu`4xuUXCZgjZuU7bT;fR2!InPy;TU>#nRPSvIU|ftE}b|_*jG?X zf-I#9WqhCuEKJXTQV4qpc&F*8ILv;;&O@!)Dr-KQFbu=bl8t+J$cctMGkQzMd!z^T z1`T2g2nb+d*HPlu&p_y(K8Hodm7d-DjQM#GRD=#?%ai0-zInDf3rubTYG&F3gOYpx zAydfIWBym*6Y3`t1YTrQjtZGU0T14VcG_MZ+7lR|US@QbME9Obe`WMrq7hq0^OS?u zk)Q~So;u`lf!A4_|6v&GN)>qpQzV4|wc=CzEXINpSgB!n|E)`I1SJd8W@%oiR~Up$ zIG0UeHQq3>0&mPPK8|(_q3;~c9|%&BSch_sWX5!4E6(OEaYYtc!MW{}34o0Y&xXqo zBPo?!u1^iix8M7OB%fFKsdUKw2p5?A5ux}N5+I3_JgGI3WnLQ+y5aB>_>lQ|HabOF zrYo%#t>O#DW`CPsh^+s(bk-Gdyx?j036D?D|F0^8+k_c8T zP@5TB!tdry8y+xq7+r?fc)e39By$ib&ocyQ@p`6gkARXch?$n@%t|>IPv^VI&X?Vy zdY%*Obl=?=rcL(0HMeF8Sw9S*TVz9#_J;=@akk}LV7`i#?;d$M{`E)!?UL%arkF;b z$=HW3rdYM_g4;4}%r;@SDw6OIQT!h9*<)=IofDv!#}+N$D3_m_8V2;@cgAo3CW=pf z*^KYM|9~y6Wi`5 z#l~y7ELp`XEf5EYn|=;YdT`n#DSlS&o71b9@Jt8e{TiP}4G-(qvFT_?^*|^QfwLhqKE-zi z4MLxiYK<~B^OiSk!}dWXG8h|qIz><-hZUXT8U3jp`un2uHHczdBEExlPX0 z?ZM3A6CjK5fkH<)o8=@au4IkoOpJyuT|Ymf&|t604m3k9 zf^?AM@as>3B=FQD_U);#3T z7r(Q3i^mF`4)9{xUQ!Ys-mzeoUy(C|I4}6#^i+oAvo(b&FmLitd6i+f(ptywK{3m{ z*v^`~Zq-W{vt||7qDf-J?=O&zvk6}wm3XSRLnASXQsE#MbCcwQBahpujdG3x$lx09 z)>ppS`F_wG#wHUgB68r9SBy=<-OE-gA*kO@M2bVnW1rB=mrGOlem%{f^p;KI4O8k-_oS zB>$_GaqA?lYP&4ro+YAj`KffG*`>1243-^~U8pdAso_Y)?j!#I6`w810`QxA zbFVXU<_MG#0Dwm&%sKX=T8#e@>@SUw9zCZ5p?}VtC}6GdI*4& z1V|RWg2b7vc98(-y|=5NRkvOGE$GSk!xjf-MH-~9hsqsnVizMM$@hA)7nhwB#O9yr z*O1tknMpS~R)Vl|;7cNGEG6$WCdgnd$8b2ROBM<1>ksxei5Lh)ize^Tbt@1S?7wIv z&$-awvRw+{;a5Ig{r=TdQSjB-o;#ttNDUw)Y0b{biii%!C`Lg$%X#B5;TR4%p4jyu zP0|J&xLGu{m*?+^y9H0@eTp4!m*$=K@xaygSmUiTm>>Vc0>Ao z3YJK|TL(#wo?q@G;?J`#U<)VTfVx2_n@%+Dm_9jnWKoZM(sqZL_}jTNBT{M>3YC$cCcRQbv; z!|*i&VbX8Lc=>O}cmjWH$rX1YM0MqBL{PCI^!=VA`PcgP?=Jd(7~`NkSMslmeU63W zelhB7M@DVc!$&qhy|3^;i((0Aelwp^xgv9PUcjvAOobQLnqLvCOSpy#6b2pgqkKh^ z`)TVJh_G3I&~3dKAwgTti1DHhIOXIGR>Q>ocue03k0ek((I*ii{%*OxI5b8(E-r_@ zrQHojQ|ZB})qvw=S$oTP$6xc`1%YCvp7s5KE&5;gNucYhI4( znf}(YX*Bvd>)63G1RuHs7B`aXAB0BH=*f?wIQn@-1x_I5PtHrX(YyVpDa$_N2tU5f zXW{+zdl}`FZAa^yD^MlIY!V&hTE+(U=-vg?3zhWKcp3KT8%w~ zHjCzDq)dHs?!^bvPriLrbuzX@4YI(Fd}V(r8$~z+V&wgRmHWSCjL(!}`LnHpdD9PH z3`7`kw)2|}{>>Oy*+VkMzsa>zM#~QacM+;2=W*Ox2QJQEF{zMIrePuzSODoIcj>YV3<*!}QmU zX8XKY-yFt(D;Of%kv{JQo!Ce2-sU4do>7~<<)2Tl&E?OIJ322r6D3}GybZSA2PSmN z`lRex&n$KV7LUPTGv*cXJn^k>6y**qZPH;fH(tTR0cm=&X zgR-?2%AdbpNlEk)_2J5Sj5uThdOK#o$SrZ#KzU6DgsdP-W>1Y@ydu1l?QtmwVe)V>NY4>m% zQ|o3BQ0mU5qgg1ompaOJRm*xBTBAtET>TL?$e991y3h`mXcG8WI}}HGRRzTbrN_c} zmsM2e*3vicul>P_6M4Nsiw=wx{93(s<$}&^&ZJlDonHs@vJy>hcMRe-8_iV_UC}Os zc9v>Lyc77gPEh{vz=VHDZ{W*gg&i$tRnvMwo~5ZOFyyEXESdh+k00yh)ZW0L#ZAY_ z`pj)$yBfbo9Z%b1_Hh))G3QE#Nz9kPj_qeq2G0hU(nppc?dbT$cN(LWc(ogQY=YwwhP+RGkfowV6`qbzf^*u%Y+s(UyGowQ0Js2)2jstcIR@%uu<4XW%oG z9#@xB%QsE)Hb4^&q{7(MN5k;f=2+=tr*9=604MpQ*D{{Po9BAhDh>sLR-Wxeo$EY< z@zw8X;hG>2Q7^{PIO;Rm9Wvr{-7CU0$AFh;acJW-pR{d``suV^Q=G z_g1%U3=Vb@!SW}}X`l}k8#d970Gib*(ISXTG;eZ`sgYE#B%-yd%&_`4j1*|F3;~>i zKNZIE>xuV3U+SSxq&ae9*h|-H6(j4gxFB5>B(f0Y0nMJfMEHxb<{Pi8Qcv(Zk*;a> zNj9n+;&IFA^!Q-`d8*jQK`Z(?m*21E!19t6hP#BEII8WXcwSGsz+Zu4 zS`J0SZL0AkdesjdhqF&YE24{vQ90S{IFFo(eQ(Hs1oKp|NcKTuAsh;q;m-yKL{dBD z4x_*m6c*ELS7QHAaTusESZOusD>3}M4RF6O2akvqx@2kXkqt}sA-3p_3mop=X8qz0 z9=tlIb@&5~BCVKx6V)7>yQluv@^)AwdueZKuE}v$5{e**52*Ku@hsEQy>|2V{fyV? zu-x3h+ko$4@wDXxZQ~kvf26I`lSkh|Hl50H?Ww=>cbW)fwMT2||G<)8WyJ8x4`|I|b6pwBgwWefN zd&xkvU1hl7DqRuxuvI;NBrJk4UuxjeYl|7kU4KCu@E}q(8}@OGO!-PSe)UEoL^iTm zaz&8V6FRP<7C*Jg535uB9!vR3JRrvvm7NT|xuEY{6dL0#(a<&aa-14E8EH8@7HfMr zZ2^FSM(9_mgKX1qo5k>;(W_F$d@c+a@9GNQ2>(l*^CCjSD4XmRgBC-j&s2xilykhv z|H?;ikYiQmFID#A3d*hnMR^z7+7cC2()I1#*orHGG3r&WEBW1x0NA+_mwXFB5aTPt zJTn#Y78&&lDmOm159XPI@c){!Rh*V;0lr~9!6ZFzjJJ9`}H%|xoPq%hlH|}2vz#_*GkUc)iv@MSqW+YQh?M@ zL<|ZF>C^xa*V$T7>CSJkc#`vCzzYwea9dlU5>S34?g8G)(B{bCcrep6)I?b_!i_Vl zb^~H+sK^?CiKqwbbe@5uBQ6mCatv*PF`A|ZSP3OEM6fCWSln&z2FhXGjvtAY5{aA5 z0nwrC&mp7kXu8FWFd@6(^Vhuom=?UVuf}h&^kw=spMap3n>9<@)1lc~Cx%$->J@?t zJ{%Hi@bEV$ByYO-dA<8H5i^^1w9)gYfnPP0(d9n2`?S4IS-hmLqpo3e+H<=6Suti?Y&gs;fSj7hg zPuxeH^?nAT9d4NRdr!V`s=$cY0gQmA@zS&ak;(zeh1ZnsobLG)r|2`Ua#?J~?ttTE zgzhj67BrlMd7P#eCbOd?tSDVG3hVnX)`$gb{hw^^T0nCDlV>h;1~fWXb<-@%ibE z3<#NQunvGv6cKU0QKB8r-bGTydolxx-3BBB zk}Pl5(T)gKxRM2&#QXG9eva)1k}7`InZs2aT?DA&J<~!_zo_E*hUGKJbQ_?GH-NG$ z1Js*$R{BnyEev9JozH8T#cPjzrj39{-1ckePQFG-u{RzkUfFGDo2qeeY^PoJ($mm& z$>RNad62Zb#_OC1rU;uKgxpk5EwCPrzLjxXSbd*GU3H9Yq<`L^vSlx`sw?Nad4C3!;H9qs?1(Y+s-jD#UtBU zhlZ?hZBpm>AHML2JsL7Bi*Ubc;AnlfZ5;06oeW)ay+2#J2d=KtONp+yq6)k_*=jWa zF{=8FI9=7!_OMQOj0gC{0kty&6N~jLFd?OlA@Am z7g0m8DqZH6M%;0E+Lsv`6YYWUw;!#N>!zl+7CDO=Uh_U(a{gyL_2EIP$ZKn2_C4jv z@``nWN%}kLiGk+oB})SO-_TJFp%RY7eAid#$4G{_MW5Y@|Jq=?KX0WTiEAYZGD7TcwyH^k8C&0uGEi_b8-zyEDca* zKW#XtJd~tGIIEWVm}8l3A*20T9A!}WXZd8@$Yx9d`mP>qU%Xwb!50TFfF!+i0ToNa zQ&%+4p->2%E@0&X;KRmZqME0^Q8}?%03vzo$7aGyMT$aaVwYfR6OoX@RDJp|W4*Wa zhb(^{4}0QH0H(>gUnf$GIeDp0bSZNJuqidcO2z^ntbS<`4mnBhz8tQ$;nLL1f+pLB zx|UQD34jpao>F&(ftzbP$e*+Kg#=OCf|0|l^5Ecx@;O*1>Ula}7oyvNhjF#Fii$(h z7i^+YghX}u9*~`~56_9M3{>+SSeuUQ-Omq|hd?KYhQ~(QpyO;O6tu&4Yif>p(O6kT zVi^ip5r(yPQACT7_~WcgRJ*!YO_K8DZniH-F96IyCvo^75{Y8oE zunw@t9@%IfY!W?T4n2!CN76+>ivaJuNTd4QglaZ!!Ryl{b5%iZTZBDNX{Ljk<=zrq zHzY5Phs@{slYYnWenT}+HL_b*Zoe4fm%ka}Pf33<#It)Q*7>h^8@hmLY%YivC9xPPzN~vD134mjHQ=c34;I<-5$E}UKCIUXV^da z2;IpRaTAXyij!b289#!?H{hxiX3;i`P**g@Z~8MQSez|w*=Jj_e^(tjkJMBEbNi@+ zI*Jly_}!~FA453KVnx|JKCZA>G*}=sA#dYLw-sXsOp4{idHTOm^{`=jTX|he4u2omoh_Mq=E* z`vC6;wD^h9!FV$!+F2@TB36C*Ty6ccwWHhBOF7pXr0}xZ*7fEP?N8zigaLNO=$Le6 zr8D1*qY54*X*s=I5bq(R6BbZ4QG8I8P+_pBy%=x!xAjupP@=2iMR z)Wl;SDzWKj$oljid;HB}a9g@&zI-aqjI5}d)=~BA8J0*sOVWdGC_c>hGb>H`X_ImbyvG;%d zU%9LW%*=WIzHuC%1Kl4x`AlXQU~CnXRIfm8GysJgAy6A7!TlawlE(}jo9{qd0d~kb z$_u}VE>{dS)0I9wn=CaYEfauoKWo8Kx-DLJgiRrc=*X{8?AfovIR{f`Tin~Al+|CK zP@f&j6A5A*0SYmfk^E#~-O($ws~8R_6VN}c57lp^2eyF}f~?I?>tG`C%3z1Xl*H!d z9@u?VceJ81{l+OKq&$5K%ty1+kJdt{MU1}>Nw@>~m2SHcUu6pCg8EJrn`WMC4Yn`m z_xHms{^6C6=m|Sr<*R-Cc|%l=L8hdOA}TohvBlKTa13yJ$o3CvB`h#4RZ-bP>s)2x z*pABFoqZ4OjJ_&Lfdmc7@MHvEKuB5$IO>pHbKq29^%3{1?ie&!rnfR5WPFi}6xhn9 zQp(u9TWJC25x}UumAz4^vU||m8+(?fDhg7GEY9bZ6TQ-7nVs*)fR4fIbEvEK@;zDJ z+J?*`1OuyzJtVr-_H=(04KBX`c*3-uASK1S`B4L#!ECFGiGa1fZLEBg#B3~^Zncdx zywxPpbpV8lJHmfl;`fK2t`ZBbbve`nOVI5|6e=8~M4*JbytN01`;wAU#ZBKigz+dn zj<@HMq|Og_lJuOp0TtW{1YkQw=qy@PwzuP|eA?7y|D_{aiXY%2%J^Bp$e5X1q1{4j z+Sznv-+6B4-l)Sf&^n-I7Qe~VE_ZvFC>N{F6HOB!M`Pa`7@`9Yl7_z5XM={J6Z8UV zQS$L2Duo8BKb}~`BXlUD#qAq12k^?01j_h_!7cD=pQdvZD^%#Dn=u}?;jB83Q~o15 z09`FtO~oFheuS2DlqndbkicO_HIR;HkvUo(%0pd`rZ;WEuD;c9_AbULOmDg>pIifh z``6+JFhUj2zkyo_oa)4xc;re z#i0M{*g8vUt{Jcv952H0O`|aSn^r@*S^r9$ejul%a3GL_5ch8il4i8OFochs3nQSF zm+AYmgK5|x!PIb*0L~2VgoYGWPLWI1NBECH`^kQfU4Nm6n5o2QkfXsix(_d6y!&9F z>bR}R-NXLkMI|zxv{gr)CMq;V@DDps9wByh8+6imz7wAu=;x|t9ld$~=bipJJefTH zhDrxY_q8DKREQi3GQz#Wn3r44zP7FjI+?!%?1j%|t9GtHDM<3Ch9^AWVzm5y*v!-U zgl)WcP)_cp=5Al^pbQ%!3N@?8P#`y4*mCowvhmCBDe(!Z(s&p{74)!G$o1Dml9hU9 zXKQGv$_Tfnpn7)dVqqX_BC-ZwSA5|UI+ajKv)!+$QbW*Rqa{egkb7XMLUoJOyU2(S z2~={lS}*c2s7h|O>YxrhMn7KFKZtO5(40KG4^IZ!^v?wQyc;4pb%l0Xs?5N4r!4j$ zbLzkRB|s?Ek(e`upL#;jr?rvfjPR7@lJA!9K15OD{9W5pr&TPDP- zw_X&mpUtL<3C!RSE;d+~tH-^NEW_i&N^_+`J{aP+SFy)ET0x!|e5SLaj^G@37TYMH z(-!bog6ig&sS(nq(wc|{_bAPl@l$(2)}DNytANY24{}KuZTbd?3>ZVOFcXfk1hKc3 zNyLJsz`VU=l|E&n%F6UDSL7H!H6hP14|O+J3NMT<%2d@9%=ZMOJ@6gHaI$ zB}V&xROYR@Td&~1R(w5=si(L?1+9QYFGP}SUUS!X#|<3|m(X#t{rqU&WoL`y;o*@8 z5zBi=HXhT!7$4axut;A*g(patCOd-|cxo?`x;rT#Z6#z;h<72O4FEA%tU$zd6nrqE zu;OIT@IF~*?SJ6^%`19T-oytSmy{iibgdrMRB}k}7@nQvdOUjO^!I@BzZ~|%vF}9; zF@Z>M*!v}IZq}z-KOq6(ZH>7-m_HcDwPFL3WnWVPL$Y|C31nT4D+%HqAtb2W4N7>H zHK^IN%A#byX3=n<{A9$gVl1fA`Lio(toU}+D%-O?rrbM^CP0m@3Z#(lyDC-!ElgZ2 z>~%-Fqb*D>Bf%=BZO*#9I-9RqDhAs-ByL+R0Ltksviw^u#K^twtr{rR0sT8Yr#h9k znkhyH(7&xCcV<}fkF|M#*}wm@&tahzH{_6 z&Z~EMetRspW%qkmW^GkkQ^5AR$pR)6?pVW**z!C3p}a~3(^~Jzm7PO*%y)|Fk5+XOi?9^#Z2VMMxCHEh!;@5o>Bgz5J~LtdFNtNG6GU>=Lx) zbP>9PnH$bjt`^f}?c)>7o_Fa3tRj!yzYkmUgjdoazO&d<%Z!hlkaRQ&6+Ep$#gI5- zDn1D5MU?S0M-mZySD~%6L)W={%UA%-Y7JI*SJbC<96jpitr>QrI^Y<;&$KC&-8(+x zp0Eps7^|!yGrsj5$Rb<}6iIjjB-+ep#~zXm`I%F%ta6zN<%M`Qa8eSBh6}qtZ^u79 z+LMxa*(A?4KDE-H5Lx1HvAmFE2F@xpu?#G_R1vB}|3dn&{tM}!`sQGMVJ(%JL_=wL zh=&;T(l0luOnx2*GQ^9ea1xtwrf=p}x)W0$jO^Y)nG~AdYt{e_xuUalo|mY4w&>x8 zPc@8c8$BLWGATxWY>TbU&wz(OU8cIq31f$6#Hleyb?EE&^2@rj&3w{3Q)AO$hqDJ5 zD}I=F?g?Q>&VkkOGl{#j2?q7>mn5E|yKP6HvBpgYh{Pw!Yw58p+<0aVB;c7FJ1|}2 z8nMs$wgoWR z;*)O{U{O%S4^f6@w9WKIscfe8C4gbw>k204yijEJ0Y{YUx4qOQHcbSB>|`!a-^A;H z+iI-3m2t!`|FkpP2Q*eyr@ISp?0x*tIi5fxc~<;JOCZ zsrIAMOZpl0rP7O8`7wD-Eu?qaYhA1wsDZozm9e4d`e*bk5J{`(_PUl~cYEr%ZQSi@ z2_tl8N;fE;TaL-(kiwf_ZmI$jSJr-#_+!DvQ=)2F#E$G8wa431QQ6?8w={E(gXTj9 zy@Gm#ney+HnGaTfstG=oYp*?4-&c1kXCa%#FN3>F`&?EX5qFr%$8g$H7#kSH!WHhh zZ`}v&meDuA#~W=xK5$ua1XP+;}TC45l8|CyiLpzMAMiD9lwlO+3{()ky ziPm7iS6(_3^_1K%pW_WrkB;nkrqG0BMP1wm`R15O#&K53#fIAhU5X_4NE^h4Y8Emf z`ZGRmYF;3Mj$VRMu+Z?A@`$4N9`H~^(%mM1Q77wE2)c(^Kg&z zB+0P;0Sr@4U|d)-Za&Yk%jONo7LgUM{yj#p(aK>86C!`UyaQH1B#!#IuYcqnxZTC7 z21aLZ0D}?4z(0-{*n!ew;>k)tm1f`jK|g1?EO=sPP9C)#`=B5JFEda`8eP{vZi_pF zML|x4en?&R9`fg)R<;%Gm*xTFwXtnx@C<#)KY%o?p?z$3>O5L!&+vrGL?N?MjqAl; zl456s^QD1T^SR>FOQBF9)~fnjtncj zcGdw2z8`-A)xc50(9jXbjI9)ru{;kvzN@(yLbSWP%%-`F>Y>Rumm6a$z`Iv}3TaV~ zRYlbFgSq-WVyb!*J3RmaDP&`&GNDd8_!cvIDS6a&^58zNn7*-m7Ltf8;!&0kWHX07 z{!>)JBW-D8l0WiH|BOd)~3|PJMd|XbW-6ti` z%11%-cdp6gcfdy#g2d}*Hba z0PWpTGm^FB_1UN3(Wuf+_Z|qt!ZE&ic1udHiWwe*j>E)F#{#|?WNKze&NPt-W;Sd$ z84R9pi!x8BlE4w+KlLF;Ue5$7b~a_VY)Ph8h=VN}h&KVryElzo!j8sfE+vv5mo%ip zh!B%jHjXm&PhB6O4xz<&4r9fw~$rAo#iqXGIC-$Y@_lA8M6aPBE1$YDTUC=doj8n z<9fU(Im9ox>u;i@vg&c_3A7s7faF~k{8V6~zrg1{(d51Ayh=@327wWtV;O%G}c||B&>&*`Rpydzh6P^^?7p~ zvDQ;-s)~BTVRbXgxvK8^wb%;mGf7Ss*KP~1S4vL1lP3n<=a<9c+eg)`hL#kSMZQVL zEI*$y{$i*@S3z}+nJteejVUXOa$4k+0->C7I#8xu_$K+g-V_q*-bdAKbNXdjZ1c|5 zaOb-?v=fu*ARp(m*$DW`=Q_&J|6Cex5Kbk8sJliASe|y%6>;&xYV+;#CyH(A&azXS z=ig7ygbgX`t?q{SSPo?R`k$L9Bg(ihBUM8d(k>2Sl8@F zymRNMu$tL4W~;)39JpD20-rJ7vSnuOydIg^j_v3!FI zdyWctT$H{HO&@CgJmb>S$nLS*j4fY`()#bWmK(O;Chd^bc1NLu-G@s%5rRftlsKPR zlf>O>+m znX~ET7%{&LdI&}K+``$YEJEpI8zK$ZzgZ6*{5HLP-?{y4?PcN#**G|gIc6dPIdbcl zyLWSndWBm>BU*e1*bW^)nv5bz#{^36wt-Dm2gr@iA7fHpPa5cO=oahMKL-&S#>%3= zn$$z*P6K%Z? zSQ62ty7We)1(Vr)C~ak{D?yo?rV`3M;jE0XdaYlC**TMh= z`20Qkh?-2MLzWI`hVaDgfVPdxE=b>(i5784mqHLwS=*?j>&9wK((P+ zb(tnDsK=?ZE%3$8WR^H~|B{5%o6=cfR#3tRFAfRpjWbj*tYolMs*EIDyP0&Lx)umx{cSkqb%hR*aSJ1*gP zCK!)ae=AdX!KH=(=$PERO%#B|U9cu?Q1%!&Ht*;r`{kt4A$lL32~goaQW8cmP*88i zfi|)AS&#=H*W9uwcPCl^S}`Ctk)I6Ih-7-m;<{n6De)SYoV#h5FH@@VsG%Un6P!Ho z?vmTm_{F`X)Fx?08tu4{s7)@;09J% zd=T1Qr3f@V$-Jb+g9#PDkTZA|OZwK5rFUk7{5_bn((U>0kKu`wylr-ta{y7(F+-h> zVjPN%vMCu0FH%~+&9|?dWE{k7Cn*n_Zz|SDI*Pmo%6Fi4R2qghv@h(ThF5> z7ojBhm!DcW%25b8puB61ZA3-hjpG+6w9pg)TDMWi6Q+_WuxQ$%O8$b|WDBOT4NffY zPlyKIFyQ74$si6}qd_}?vPPri>j5L{?@8mHDvj}5p;VuX!#o0R)_z8!!2zaYA3Nhx z&_;z$dRLExF=`ATP zywXWp5C877XJ|&0P40EE87zE{$-wGmxCNM^N>o4hmnWi8IT^5<*BLvi;_jKarbdqZ z#h8sO16l|9W)zPbD5<)lfELG+H+Bbto{>&?iKNNzFPrLVVb8}g5n6jP3y&ni0B$n}bLrXfM9+@|?z zDHobda`2m6ZV=2>e_gp%zMm+Gdp}yxHN|has@=y8a?XD&nt?KBV9QM4*I2PWoTsg= zm)+|17N8&x0SRQXXf^pMh+Osuq8tTF&Xz(i=Fo(9ufM;idlQt~TSM+CLI2?nTF@gq z&9rBjq-}Wk3rY@P&T3;tKeBB12UL)(17gQIokLk*?y`jP&sH57A}3lBl0k&U0~+@e z1C5p3oMa+^lK4(sq@Ekzv=wk7RPA)|7G;aWCWw0C{bK%)C@a`KdNSCVMG=E^^o??2k8wr2xZje%K2*Z1nr$ z`Q-sCK>8Dn!1JZ-H9(rz0pC+QOW>&Bzb=>!T2wD;M|8Oa);DBE9YJ@i`Z0Z$g)T{I z9?jk1s(VnsDJv;;_k7fAbaiu#CDGyPY_d^UP-a=$15mIO@i)eRNN9tDX=sa z!r<50T7osoDoRa10D?$+5PxcP4ihvPnPG^UOxoXZB;t1N1`8g5{2{DD9+-8$8FVTHs$?v6{?MJL2(`gB*Q!|JdbwZz?A zZj!oNxw{bUhsu;6nEeCXFv6B*(`8xdLO=|*8bgzJ`f8+g)ELjprec{~I>n2Q4tH~* zBzLAZj?(tggi#mzoa5o}i+1pKY_1TT0X`-W1o@>vI@AiiE*u54J*GCvPr4@eS_ziz zVBFjkz^pz>#+~zqBb1*p$f_h8P->ioi4=v8YJFu>?zF#;hp6uuI`d~Q=PCk*A|o`S zMh&DquRk3G{=p>{i~B~Kdh#~~XHb_EUBSi3YQ_)`RJ19BgZA`$2PVzf!JYRqx*iOs z3NO-(nr@&fw{-K#q7YiR+OAtZYRrBO<`xCz87kjh@yUwEYLq6%+90q^Hao4i(9zm( zgg{O{uGyc2prgN;la}{G}Kr!ZGL5d>g_Fi26M7YEA|Mc9>5>W(&0W*6Shb*ziA}sW5{d{8U-mo7*3e z4|Ip_Mb`r`1`556+F>ocVMKI<((bsLOOwMxcI)qZaQ|$-`GK2i(pt04rMw{wG9tUg zhe{^^+SC(ekTgrKlwk;B?OK@V=%#MImw1-Q%e4UPWW}D(t;vy*8}o41E^HOL8XFx6vGUYZK1yn&)o<9aQE-F zD!}6ipxcGlM9ja{?#wI9reL)cWoMBLkeJuLLNM(P%Vn3RBa@XEF9*(xm6~}W(06Hipk(;_^Yqd}2eybSjmz`2MKBiq)bvQ-{h{KV zQDQ=mMxl;|I$Xjr!mfQEGu<#PDL`s%@~5{?MDBa%(Ux6LUh7Z_IsvPB=7CN3Y$-Is z^$N3}Bc}%=Z7kyYt|G&fNwFV*0gjXlyiH~M367a`k8pW_{IblD;Y0ailEb_ZnX*0+8)+_GJ{rhUoyNAFZ^5Tale&u0zzwN>`c$*71 zz`j+-!md^34=~@&cYF1#quR&Q#o^$ux;U>N;Mg?FiwcA^r_FJ13ghTrEsIEG`|Rw9b_H>AJHfgBADD(VZ?Cng0gUqjm3YYU`KyaQ32%wDA z36G36WkSs$SQ@BBv*sEdlscoO6==k?m!E}?9R!Yrd_xixL(&VBOp-{HSgFyuw9tE{ zLM|LzWAQR(fcbhhDhTQ?e*TNkKA*FJafzGZ!igGxt(8tl&sS=7#lU9%@t68KejtV6 zN?=ozxaf^qz`zv;S< z&1#qXlss7&Jx)vXa++E{a!4N~h14`o85-r&&Yxuzbu!P7vz+PZAl10UtBJDP=y7(w zG|jC+L$*#9qg*%#ZDn7#I>PvI)Pf}4k7TItL~si-NLQ!>l#xz)8zW{YvuI9_{F5T& zkuh{~uc)Aw8`}kO%5s6S!i3O{q1Mhb72eO1!+m06zBTg83136`!OF`=Cx+t(Sb0H` zBW)xvr>`N~6%EA+U7j_Na69&tm1lGM-&U>ULeC3XY_@GK#Me8#r2akRBcw%>o-F9l z^yObQ$=9rU-xvR<9&om^`xDe>1MH;*)2SzZag!FWtAvRsBM#nvo5HfcFLXsM;_$7C zJNd2=Tx0r!`Sy;-MNvzxD6QLR>F&f2qe06g0ju@oe)W;|=FX`ygk zeSCND;_6LrEgRSWxmcHI4}W?`P`N3VAt?}P#EaWlLWk#LaN<}XB5~UMiNpu$Zdw&Z zUiswZdZ(@G3YzxSGVPxaa~ls%eRMvUb6A-}RspdfnYCIgp7w3m7uxs_<+N6vhofAw zw>sdoV1N-T#FNP5sy^N0%$y==si=W%m3+}F@y!mm?&UPb(UX<#tUdILc;Nz47$3FOyHR@#-@3a; z2Lf|bcsQPg7(%k0t(lkdhTi4n2nfq~`dawn(WatoZkwmlhEyh(p1i6|Oh`5DoMQ?N zB^EpOjU=2pPg>W;rdq}|4=Tssz~$yL{jud3?$Kz=O}l^oWQ^}^AG!TTs(vyv%pHF3 zVyR^aa%_o@aMU~j|2AnS4k&POEF;Y`ishr(aa?oe0Oqu*za0@|!}9(muH{dn9|bAw zo+1;e?xx`{Tm!deDvO(Hc%lM(lvrO^m@)x>!2JKr)_xTdxeD0Y`$i9;vhvWguo#T9}|0ai~e z(=HVg*#B4CG-sSVI%CLpZ__pQWEmJ=cb7Pfcr{gnB=y7zL#{ih)UO;-$*O&o?l%5J zFFapFooFtfE5r-uI5l_1%*5NZ?Xosc>IC6gbU7!T^mxQT|L} zp3+!5?_I+Y^tKLUrDeyKq>B&l--X33uO>YgMIHxj{FbJNJuLzd#>5@$w-rNSb4BT1Qw`7hCpDICX2F@pk~}- z-&9(wgGnXsua}vFn%TB|38*;RYIp8YfbpFg(duXDQ+)B0H>ChXcl+XLVDOu1JA32= zspZe_Fstw;AAXCrUVGir<^w2(cTQPso4Y!hvteeGgBv3H_vTk=zNxUGHQ z>vGzWRycksdfDsO|1YApzwd{tBhmvV{FP4zFp_t?aIE3bG9Q0)s@@#&7y`@gHDP8> zYOkyHrIWj3)|ShA+od13UQ4g7L@2$&M(5C};@&cNocAWg*X?b7sD>51S0@r|EwXdW=cwkRgnE8G`sc05|73Al@V;jHelaUy0Rn6oboq z+C~P}YGY}c!M@5OD97DWR*niYTV*DE2YK|(@np49S6;;}r&q?qUk$Jk@rhrY79|IZ zlVt}p@+%R+aV#5Gr$T5?)9=VaTc;M}o?uPy()GSIvifSj9LF%N+F$8>o_-eb<%Rlu zL^51v(x3^PN9g$T3-=(nDDPr;Rdo1PMRVk{NtSiDgo>A<-;z}t9;uBZvZP9{O47oV z%Cd&+i(M^R1Z+xk1w+bYH!ES^x!C(N5nAHij45aGT5bU%`r;edjf3rljF6OnMAR=i z(J(PFDGWmJZ28dmG{cQCI2%q3Va=FiLhMWTzC|bsvvmK8CZE^hWRw|WY)C6WGU{R4 z-23FRUH!riG19(BOKA+t|BIu|Oc^Zq+ZJ%N-6&Q>unUZ)BX-dVL>DZ|(6II0PqV6k z54gPZ8l=r+oWO+wY0F=OwE6!6Y0Dzd+wZ0Z8&GGoN96tm(l!QZKLqRDS@Ad!rvb&H zi-;y|+0jtQVKqZnl+(XPjdDb2e}Iop8bn*EN9a2)V)CHUPD4i3MkZ8YhTY%)N!&E`?$L7}VN8 zjp*_p7C=3tI6%Uf3!gs!WG|MIscrM~b3!Z7H5S~zSoEc3m2i=xK@$y$5{-LT(_UcY z?blgK)0%c0>_7MF=RlNEN4jq9N4eQLA2sE#E?N~UUxft?)EXNmc*mLu^2wTuA0%B`%kg*)cs*9eect_mnKiiMG9Kw$rEV#Jw+erB0I7_%FCg3#nlM5! zNveQ%sU7q%OXTYVDH8g>=IfzA!Tk(KP*r|`F^l4AAg~ny4#~jx4S9$gJJeZ)FZ(c7 zE@Mus%F1$4C?wth0A3Y&oCztvBG_1;!Z)7rhKTVn^is+(PAI0Xlzld|978HQHH zmp50k0X$iqku3j$XQIBs4&I@#vMNuoZM`B_)@*85tWSg*SZ@Q4w$8ua#j6M0RTcH7g*7K(e;C)rDhRJV_WXZQ*YajaJ zGM1)^@jN-872nW=8(72tLbtuY)mBPF35F#b0Gnz{TvJD_`KlVATX}%d4z;48XdjFv z?9!ZmYnyBYF;acS)O+j8(+3G|5*RLt-haL9O*d}3TXWywPzYmq6W{+tB;?5Xe%FC` z-2G9D%@<$^kH3y!m~m2{OyooP|0Wdv^Itt@ zpMIK@JhUdzxX15zsR0bgl}4B zr&3K?{y78x5*YqJe>qRTJk51A!>#nb+r@;2cmFYA@O^$8EiGUi*D5oX6_{pu%{B?V3d-Sxe!`8rXBiBp*p=5eo9C>|4Y(yht0&47Xq7%3 zvlgnJTe?^gA8=>^->N_G^NTbE(@Ka-+zcAZ`-W_}mHEUR>u%Taku%ZZW7z|FqFukd zc~}Ti#i_JEC2}XHVymlj{~CS$HrHKHfprkJH{Rgpq5=d+(&E2f^KDiQ)D%5nI^fPW zR%Qwy9Gvzi!sa9XbOUL6gPSTz1p_k4O<}?-83k($enDPG6Ns&u{TGg#^WoR`t+N^U z5~{!IC+C-rCENinL4@aVL;wB9q(Ab;ZT7kJs@2)Ge^hBr0~;k-Vf=UXz5L1Id$uus zYQPCOY*~9I9SHw;#RQB~EYXG9YY8DQch%E$FrykASBXj&*YQ|?9gP)h=&QpUrRpu0u24R~nmADYaryOLYx)yK0XgxDO|b$e%Hd2sVwiG0deVvpa?-Co z|6br=PSA00vMmg??)|1+p51y3pqT9~-gh)8Ija`Xh6|yBk8oSZ0jEeai?R6t;7ge2 z!Q9q>=WSnXq=ha3uco`6?l(9AV-6#5=(xeZGlzkE31XC#Sk3tS_f|USKU4zp>#Etw z#{F=edFf_w1#+HiwAbjRxAg~`V000_6okLE!HY1XqBrLzmSaGRd+kvY!YFlt`fyZ> zgK%IBV*)`CkAO-cnF@c*n$o>D<|oP7cFUL?g^vBi2hg#QXDaJ40GJK=N%SI4U3dbJ zkL=&1RBnScq-M{hscmiwKATQS22D2pZ&p=tmQhA};prWyey!W-+I*-A3vrCBIqZ zzV9BYFR=rz(56p!u-ObP!El~7i(|8$;ad|xA+}$`zq*$#ci)44WdpDyn?zthfRyM( z2e1i@pnG8gP8f6>y|@STZ@il39N-+lOmWeDZ+VYYQ^!Cmr1ve3rw|-x4|>0Yw+awk z{DA0=RlX1+^Fw9QyL%zNdiUX1P=PaSn1-*#Ff1&NH`^@=bspK-tK~deJ!i46-S^aM z2=$hYRH=b0M0D}-D*;_;!^UKB3Nv_W^NgI_%h>T|i(VY`y9T`zhOg}fydq*&vmQ~Of=U8Gn^W!ljRm^=l96bkzRy{1%9%9;M&cGdCWO5*+`=;~%&5BdYv z0UDCUqsR$m=lRYK2%;jEG&8v1BVNgY6Q*QSibc=h3F#7GU~`JWOTf&c>)K!KZ3kQd zxe1vGdtT-^LVD#T!qix6mZ!b#F!ljh656Ovde~oVW6tiO$Vu)Uns9;RC;k``6rQsH zd1_pVi-NP0q;Vg}GXc?^Wm;;OVrLP6AgBOnYNW;`SYa7<1W}*>U@%ef!9+yYqe53P9Vpqw=XN-|YrFb^j0Ik~;+i$}=>h9D9e6{uPq z$iA04D6L5bL3+@FWFVlXsLDY|n#GcVSkt(Td-5K^o8e4Z;w1Y{51=9zj@7XnmPYf{ zTnjLuERG2D9}#}o9cw81w)55sB^vB^H8--wwUtl*r&{;~Qg&#Rp`Qyt+BMHrfGM}g zFdXR`lUd5mQYP24lRe#nj>U0#eoRoH_lN0jYfjUhNsjfsMu;=K4Y z8O^A3)284QR$yR*i{`7lUD+Lezqm7;kznl_sS5C`;I`FqtqP-UdqZApcQm4`MHHTy-(=qJt;4eD)=4lp{?@xKA$JG!oAbSD-wvd3nIZ?o-`lEYA zN>g1gEah`(0v8oCex8SN&!&6~D@VxAlvoa)Z7GkOa3bLeSQ_-a(GwpOTE^9^)dR6Y z_RB?VbiJP8Ok}sKY^5tmEc+h^gD3_V0OJXd8)ndE8E_(1|R&i^g=Q`PU*U!j3PY3}FH<)92v4dVM4ItEc$D{3zlsCv5UI4Al z>!u<5rcXBw_mU5Bvc4OxbcGoL9YbkFIoJb-NOC4;7a6qrge-D6 z64-d0_Ucn*%n8mr(lg6HTw>XEL>5*)2bMdXt?3`;F*U&?IHauVgs7+)RBSh>1N_;n ziO}m5vtw@mT{WuGHG$E-Fr#20L*b-+QDpV%*sWbhx#0J|5qny(ZWNJ^@ek2QKb%ZV zl^V4J83ze2!0;%$%Ml=j8RNabqY`yMC#O6DK<6g15sp@sf>86=%(RY60d1niBdxNP z=Gp7w_p8D+1J{0rD}5JLNg5F3VB#9nDjaw$ zarqQWO+3tcy(nn_aisD8CmOrzKhW4Yi%YKpzu{L(GYqfR=!AbVRW(V#un2EMM>>aR zHrIil^%D+gk>gUM8%+TC8a(x0=v%Q`9Au|X(Oo0fs< zMuQi_8ua-v?ys(TAPOQK*q8@)golp6ZXb@*Yv+F53w~9{`0xSC>X~m~uhzp{%j4zV zkGdN#B9_ZSK}R&Htu!ax?pU?AKuAycYM=9LdcDN?CRL> z3B8e`7+RC^$$i!BU@k+~w5-)2``8KG{PNL||06fM9i;~jBFDWyD6%8^h^EqCzE4%Vm(E1^6YY>zv>4?1M>zOG1S2GzSfPIok3JCnphjSa zqsT@3C8@w1IP(pG>|ApCOK_3zB08zOUdtMRv4HV2Ag7g15U@oEg0 zYINFaVRvOCN0cwroTZ?Xn@go&vUQi)p2UgeoN6O(Q@BS}xMy$d3m0@+jzT3^Qs5xb zqEVqS>aj&~kg3@rq{DdT7>iQu$Q&;#ByNGuscaEtkR}Rc5H0_aEkFK|l6n+zb&&GM z&Pp!KR}ZyFoaNRm=E}VSYW*jbm>!@%*u3`>YE>=W^x;WVYbEa- z_vn14J$r+VI>@Y^(n#dvuWz_1VM>!^+MFTpDt3pEmq4iGn&5M6YZ`mU%YG`;xW_WB&O|HJGWUR_*wh8d90T5>-hC#p$j2K>rBNye zh;5{re}2E(l6e_^S+3wf*>rM-g)!S|+8~#Jv)pNIZf>8&E_b0C*CQTjs*VSUl9Z=P zQm!>(SY;Nf$rUxpg~x6Sk4h))la|DKUI_>QKbY`%o%QHFC{_I`fW!(IrFEaR&S3o) zzBaGof5X?tM)9=;tp8Mo1;)IJEU_TyQ7$mB=;Y~E60n0z;IZ%L!qden6b&Qrs;Bm8 z)WxB0oPM++e^VfD`GTDmZu`|xIXIi+r$gzTCcPdy=SJ;M#0Ea*r8L?#pt3gtqVfk% z1NTG!CTrt3yr0%PlsF>lY&6`u4cocnr6G=Ry4q>Y)YRcQVTE;ORr;U(K#IWVJL>4g zFVFa*IKjtjoXkPzV*;-5s`}G|g^9VF@AQfcx1B$J)hdStJN~Z7X$KOBe2QRhh*C<7xY#u51F~x^Iv`jo`P$tdn)xd z_Bg=r|G#-p1U{rwhu;d6udYrD3y)%l| z=XaQe`JxiBA|3;|+KYL2%A{Q{CwPO~jv$_4=p%~KT$T$_h;3mMxDZxdAsNr zpvT#Xk*+(MfTBqVo&QbNeq;sx$|VGvjsi!}j9tDY3#qP+_^uE>n!6CL}EF<(edSMxcZXtt|kr+ps*O4}Dz zT4;=kwNW|moZp1?W)6>5TnDvM@P9V#vcnPYa^$*e6clcxJaq9U4+&^^wzvfa|6xX6>>#2uej_XFh^U`lVt{32hD3!)Xu%y7SK`LSGP(mQtHC&wMF z3!-d7*gw4geC?Kbt<)tn+ww(W8`9SqL`5b2uJWZmFrHhwlp|bV+~bRT)&vaqTp%i}5CHo7rb*fE(cJR#;$G3B>8!FEx!1ly6WXt1DuN{o z++&jA(XOgR62NQcy0U*l2g`KC3Z@m}ptg-jgsK)!D!|16XwDn(;9~0n+r^S)q6EEB zM%f;aOEC9OE`gZyU)V`-nO69{?o3~zJ1t#owd+r5<1Yd%IM|`MiD$38|RDu^CBh%Er>3Bf%hT1sn_FOrlX1DPsi zYVk9jm3vpYFhYfY{G6&Cygkv+62Nmt4$_SNW3*GBN&vf{1*8>Q8YhIByN~`LS&=?c zoB~);Flqhzl(Y(wozMmf2(-~7jEJlBn3$_?NVQGzcQu@uR}J{0-?*cueu`%Fv}beH zTTr>t9%d9xvNWuAeN+j`$#%X?Q)lUa1`W6HJvJ3?bVS5{vE2Q7bm{TC0ewDT>C7YD zE^;0dLoz^By+rw!-_*mYlH>bE{#sXNj|JHMb&1U*$@xDTJ@sIHewXbtreyr#JO;+y z%vcGy+d$p4TkY|7Ut)djaRXnX6+SQ)90;nP=gd_q~39bX^QUu zpj~eWF-_cO_JTt}BCT?oPP&AYjFHr8bFS%+isJZkd3hmezP%BV_* z7%`1mria1G#=7KRFj_Z%CY&lqzyp$Z_wEJ#3-SHwLU!|y+heM@MuIg^) zD~7#|PdCxkX-|g8AAwvV!IASDk&c6_54s?#=t{&S_Yd82s z0-)T#4GPFAcv!9A-Ya(mE*80Zn8_Y{J?f;g4FdAwS(!svCz%HR{Daa(d|LkuG=anF z9xe45+4a`2UB1{0cbku4SE6!)J9OkaZd#`n}~98M~kn~*rXe$XFkS`)Ptmo z;-|*;A{JiX0}G6nD{z7ECT4huZS7e#R&%O2i_-k=J#oV}zn2+0gxJDwHduob>_6-7 z4$Xx5zUmS!AO%sE$FV%R#>&QoBJ&afyJhN1BfOrjad7Jypj#V#olp#uM`n zzpAxW7;P<9WV?!%9I8ywN&`u|-kf6Z+(qeR(E!cPU0O6R%HAmVgJw z9=9wiE+OnpI5`4E_I_n+Gf%*#^UZ-^y0WmK_w2MNR)6UW!`i6OWe=}iAkJM^tM?$&p$u2xo`99mR8ft$meO3%C6p^+f@iX+^(wS{8NucSUz%G#GG%?6pb>x(fjcdrwq z`7)P>tv-y(`>bI8O4M8?jLK^#U5s3?Fe)@Kw%K2RfrBJ}P>3M0-Kuw2t@wR1CfRh* z-!R`Ot=uzAl*Fq_dFBg7pZfxhzQO2ocm*i zzF%OzXk2h(=%7|m+NOIw^V+TDjgG!>3je#3cdJzn z0ilVnQOTyk9(M-^3yQskB!0&%&Ypr?CakpP`xEuk0qo)TP3jURH1e=A@Wd~(da2Ik&>S2IQA8EGYwyGD7OS!w@T)9F5};zYYoL(J4|g>&KvNk9F)R;7 zepCerf;tOL^v%=G*gZ8lifvL>*g3w7)jjkOkpHNu)D5Q$?z|6AVGGDB*Z^#xzQrDM{&4^GqqxSTlM0)?M%?}E-2{Mr%lbvZ=^t-@etq#P{kyE) zr~@L(4BmMI);DewB>Zce(hvDphTQ<{yNwNwPgbuYdi-L-R}HEUhBlU;T1MDg812hq z7HY!1PA>2YV}0$2O{>Tg*JGzcIZUJuA}9#+k7kzqnb&W=98Q&L70N_CnZ-SjljHwEusnnU(3jhOC12|dpC zHt3EOX$J3wzHucZOcAhWN7@qCeu4#p>l)R@HVy3Vnt6WW+d*O62v1-DAy``c;12+^ zo`4L#NXjW^Gk z%<7ZWVTJY1d*=pcPutRYH}ziU7P(rp6wY>}0tYlEp1v?V^%STDH6i3_xD)aB7h}&r zrCH>`?cauN(giWXv!3DQP^htc<)L|12Vr7XG_*)J{Z{xyfuK_Hr1%W7()6&dd5_Am z3|w4KKq+Eqno49}TcA&WyjoB`(*!3vk)$@O=s2e9B4)aFsMHk3?h_@-YntTNCe2uR z+Rwi)b=nu)UnH#Ox|8#6%kv+Zg5TwRbCBTKvsmXAThu&f{XXLT++5K|yE)}P{Ne^L zv3NU!%IweyV{YR<3-iK+ZHUR2uqtqkR{!3`$$5MJ1d5k0CVWKQo^+C5_UO8KLEFCN zGS=i|bcp-)2Bv)*&(7GxpZX0K2y*B3sm)}8TQVbN%~wx*5+dmVA3XT{foehoeU#WQ zU743j(Xq{>kNhMzWQYy(4m)-CK!OiE94&eYY?h~r)M)Mo%+aDCdNQ$r9jg%$Ewe-C z*7iL{LGu(iJlia*XnBy)Or!~2f=l!SDI7@NwB_U#5W{FbCHC|NM(tZi=M$V9uT4X z^~qm(_kj1IQo4=UGC$@X@L=F4170zu$;(h?GjA=Fdx$F;e< z0UGn7V5}_!;F-Q8z1X^g@r{!htvVT}CJ40541r+6EGKJ~7b^4}SlUm9M|>)3B0qw? z;1)%Rub_7o7SCv3bFk7kZqeJb8SYo^eO*M3wa@y)lo~D{(gmb79CtmY;sAVb3`|jT z54d^QnB!#t2Kv<&=@~jn-WDDPny*pQgV*yoM#nux?cS!p+d))nYXF+6wm?=a!leW`@syNbZk+Z&dgsOgS|?wJg3SvUPb> z^2E(?E`SziR_8IP^jf~K&*FN?1QqA-Ty^j2IkG8AwQFY5o&kZMniB?JUXtnI)k{Vf zq^T(FWq-G=GENj4e48!}ZYSFh*!))gvy}=mCPfo84(-{E?E){ROqh|y5ff#Fb6iX$ zi<@;z`yirXq3pof(V&2v9`+MZPeJ0<2H3|{e0Zv=xuiZZK(BQbS=a%4Yq2UQV~i*G zP%Rj#b(a-O$8`$yWaw*Yk?*`fCl~%KJzvqZ^Mng>pc#9B#uj$38wxah)Oa{8@NTR= zut@pg6)>=&g!KQ0+-$UXE($FAKO&zZjn7E?ew{Ytu8^(JG(M!6BwIBqq@Ovn#VhM) zr71z*ic_yPDlC!DPUqm@#(@31-uIr+=98UfagG>o;@dbxveOh6Q+p){va5zPHN*Sz z*9;)GnYRYELj69)j2IeY)(GO~Hx@lKd-p@KzZjG|4TXr_}U2asZ+gt9I7Ip12Z%<9NpyA2rK~hXU@dqy?e_sRx0?E9yAq`iUNy zxI9pIfH~*|C0Te#CXsP>xSI2($t7Jt99ih{8Xr2iXrs*lQa{K%}88UZ| zI6y2q&%z)bg{WMcarknz6D3JI{kze$q3~Cg`?1r7B(sFY3K{sy*ualWvgk=)_)kh5Vi*KnI^7$90_) zduBqzzf*t|1=*Gipxb!;L{EtGd(UdZn_L#}?zJLx-5DgYx&& z%FIIfo%ZF`j&RiKl7_7walZ}4=-+%L$F$$5*2?DWO#~7C>=zL})ZA1dc=?hN5m#zp z(R2Ycp2gWf=AheG`^e8_rONkSMjk#p|J{vS=Uc={58tse6(Rh0s1nCzf1~5}tD`_~ zJ)$*HAT&}=9{oXxk%dDctT`2l<15(tFobXD{Ou)tqdkC@M}!2WJH|beN6-Eovi9p6 z&5%&?ogIGxNk1!sssDNKmM5H8_TjWr^RfxdWd=p z5%dLjVdKe!*^TaHzT3AC=Vez#Q{BWqpVP6osclauROg+|6dk90Z`qTizg0~bn|>lQ zq^~cewCSRu@2$3Jq9DyQHxg5(v6TW2a!_$;nMT>QrdjqnTYkHp$iJP?--05slGm+t zMiRe)LLp|tHbpp{jdC3=K79XrPVu6eZipDujmIj$lrrpqLy0sjXNY!9Te+5VaO^L9XJ8nIIr{k5o2Ug^z zYwE|JA2YZkG2^%t!mgBV7I#DW&Gly&z|n4U+C^mf?&9B?zg`>rf*Mqo=`=0`Lc<>b z(D;rbrm+95+&`dk#bE?I&}%NvEq@j{Ejh3}1dS0P@ZA#t zGtKe$ZSb1Zgz-2(w$W5!R*j;2Svd5%cmXF?WOYISW8ZdAFrJcjrM4|)kOaXvch!U5 z0oHm&?_KGu<^$1eYyuj7nPSG(9CF(YU(E(a=DAsmU@Vn6kqGoTS^FF7>h<$t$A`KV zIMu*Bq-8LNofN-=0U-~7j7O?ZIgAJ;+p(4kr@!da>^B!P0HeRB@HSKv!2UiDC**<# zJ;o7j?l2*`?Joa6Kr6Fxgp7aSwZpfU4l*6L5W9Nr;9u)`~;NiXPa5Z zln)C!DglXpriJ5=pSNdJprkeDn|t4E8@|!!;ln?!*zUU3b^sQhzl@eJn<(vFU>QEe z{XNr>JnV6Tx%F|h4Y1|QM={$9#1d3<$a#vPyPFja1kIY$PBk=nXqC!-R_r-jC;W@D zT(BDwtbF#MU(@akdG1DxXBz8Yg4PkpCIyqVW{`Nr5?sj({4p6Sw)-Q)4Q%=drUSaG zvCahX6}NPEuj+i`%0xcW+-a3_uH}B)^QSAn4PX{l5tw9QSoXHxc|Wfy_4He$?)rz= zX6CDNJkXmMzV?3ItobPEl^ahyWC0>ER6WSm*QO4G@jFq!%b%2BTxO($1`qibm%(iF zhV;{MLmS6*W4!HVX7_F2pEd)^!X=Ue>Q zz(MbC@4+mBk}NQ4*k}{IH(MV&Q1~_?>)7=!CfUhx(h&C6Jq>uboK-C6^7FMt|D@68f{#{-=3H#` z){z(Gp%~Z4doR$y?wloW_m0hb?sHUMJWI8^scU%)93(dC^pkM4RHCpnJ6%~px*e!lcK03B=^AVyMi z0MTlB3una>pg}F$F=Vp11>QMLqjHGK+TQ)MAxj)<22l@~pFhVtJSs|yNdcmfR!^N* zqLYc=Y1)+jzTSSb8^ZOj+TVGz( z2|V`|zJ7wZQD$mEH3t8 z{W*2S2e{!Dz{C?HRdUQ!MDo_GCUuKDbjRYvE^Yaf`7s%>whl_AlxPJ_@1jOl-jMZ` zooc|;JL$_^q)K-Cv?Oqb<(91yk6?gm`sRyF`=a-1>@Np{DSMHUuxLr zF^IQsM1C>0XSEgCd&!q^)Sto5bNba^k}60^%niIFYnThLxppc~%;$R*85G*U@0iki zRN!b(ufr^AbIlR&E1ihG<&M)GE#6uDxneMFY6F6Vn?Rfqv4PKHf1T{E{R@AVs z$cHu5_zai+_mQ8x0wag|>&2LzF!Axct+-QNl5(qIT@tYZH-5+0*e7Z>o=oV9N)}-w ze-o!wlkpenVFAXCt*d75x7;IScKI!!-Ssw0&vrP{Id<5YPe&I@+*tgsxyy95?7sWA zYAfm6p4aJ1Ly2mMMjt^MN@3UfZExe7*IGO{2=T(Oy-skC3+3#HT*PjPxlU@;OwUue z?XCDqw1_P!AqU5U`I!%ZbE(b`WwyMaY=^tgP{j}hs3idSVe{WI;)E!0^ zJzuzWCIysV9Z@o>OvzSw8y*t2l=T35M%*WyY^79wLXdb3W?t^W%_c^=zIxi`Vh@D< z$&8iEL8m_~HjH6B4B?QShDAg9^UHdQUO&m~CLswS9Q**Dyy2qG2etBO=>kCYu<6Hj zaGGG}Tk4_h4`se5svd-9C~+UUARxUbyDMMT@OREwaLOm>op^@y9hTxA^+;|(jPLrt zP&c~^49gZD82Kl#mS4WY!<@EE;g9F4t32&Tk189dDp<^J75CY*{#aFR;G|Jyqdm>v zs^tH%us|ND9v0oTyEXo$?>?2*~t5i7Wokd5xaq z8~(M#vHQ-QE1h9h6V&ZhK4hd=_4o;tJa5B&rz)_4sHZAC)BwY+NQ#amI=G1Bbxg?h zqEtwPt$SyKOj=chZ_gCi-HJiuybOC zy6sZj-7+J0{5Zz9aQ}AJ*(M3w+fofD?m2Dog;1^8ZHE``kd=YN_Kh0}#B|q-3tYoKi8btt>3Ay&mPnChkt3nbmz;K7N{>bYI}<& z%rJJNy^go>rS1Cj7OqgeRC3wdH#CuUt;D>0AM(jCv#_tQF)f-*TMp1)HoZ%Pk~zjl zUrc|;Y7N*kqN}RL>9+#z!&AT|*I3|R=@mJ8160l#+0Xhhl1Tueoc#TsRw5yZ$_=o< z;;|8rrb%>o;^II@UcVN2HzJq%n|zz4bR^kGC2FNUx-w(zR{aZP@Ea&)+1Qa8r$Ex^ zPATs!{uEcG8EK*wQ=t=9CaCeAQ4)9nyawM3v@wOx9GdzEA}Ltj>^+#s1SJJNk{8n- z)Ttg!Y~(5_I~V_YzB-yPBko}&@Q~UEuxtWvYhNE0f?g+Cu8X)X|5P@SWl5!-g^%(I z5#}MWpnK-wF8cYLpSVr7u)SXMiJ5*-p%38G0(`7N&P9@57=!FtK7 z$5I>|7fAX2Rcb_dwo1AHqLv_$@|JW^N6vmN)l@gXc#JqLiv55iW8Kl!phZZ^(dYgPd@>NISfSU3EgDc0Pvbt42uRu+`6ZdO~oBgL85T8(NF-nA|BYfsY zhe?)PDWO1rZtfLZ3e~B~@K%Y!7|D;Hcatj4G!-pyECEs1X6|H7n?NMfzBf}CrGt8u z$-Q{;lJW=b3R8Wl_j9V&Hx_K2i<)?Fo3J~iEnt*;rr&O#I+757TffQjh2azic%A2Maj#kc<7fb)xmLcxl7H(@`KOqw`wK6qe zqoA{VZqQx{(`|h7%Fj<(LHjZ$4EHvJvar)XCxUiY0~5jQK_>6X^AdBW$jxwKVxi%8 zc+%|1g5CTfLw=@u_>2r*&fZ!9j+fy}kBDIud#u|QEA|YFyHN&bgez^VL&AI?5jRve z`rtzj*tVGlFZQA4k!BS>A~Ny-i1X_rH=-Xb%(gjld%OqdXRewO+!7@?ZXKGg3UmNh zp2|XJY=bB)%avf66;|XraPH*C;!dD7X53~_)|VIO=wmi>_%NbH4?9r{_Z$)~X!`DV zgtQR=iL2&|r>DV9@K6@%Tm(+M&g#+5IJ~AKolB401I}gC>eArI(SXIP($ct;dwOV; z-1w)y(ol}KY(>@ck93peq9=sP^*6P{^^yH4_UXEi%etRjm`}$a+4lFFsYmqglrFHj z;)c0Wd&rdiQNZcEe2(t}ie?k`cfk#t+og#NlGvjS{gcbtY|==yp0pg;WM$pqMW z*yY*}haT@okO^#VqTTicjrI^0(pZRfzR^PeRvS1PyFl@AQBwBQXl4`ZaxO;(O9sRm ze`A1p@~pm>s8C}U<@*83xRNoj4-h<(<@d@Z<44=<(Xznhc^g-LxAQ3#l25+bw+;B@ zbcyw248Bm%`QRyB~E$dz@h9`(SV^()G0Zac|H#`j8(#LSLU*<^J&({2&)lgyTS>?A~cD?nZl*bTHi6j%KK%pS; zl*|>juLtEf=I!^9tbQ6}ABUp_kn3Ah)cy;W5fP(nZwnzwcTIIu++~>)4w=z`v|;f| zbu@#jnVB3jYv$;QiYaRa@6x=A6kbifOr<4_SyAO_LEH`=MQY1c5&*4aN#`LR9P7xa%bT`!g2RX6#N>#w7Kzj z9L9c=S5|r&_(~!_YeKt!^A~8+ZH(1gPfaMXy{XDUIzVMw#$<;TQEj22tNL7r&=@eY zQN4Y;x%ei>47VE&rNnL?w=_!%bMX?}TU$B1;oa(*=>wU=5+Et&}-1UVCt9Z(@#&RJA+`}2INFM zE$ACvp*0u#q>|?R$n*1z{UeJrOFAVA`p?x%b;*RJEOhO0)2F618uGJDbXRx8Z^RP= z<36PRbDZo@x$Tp%e%UNu)>>9AmznTNLIxyg(eHETAsC~Bl8ZY~g zct|hzsLav=)WS@;J8>x^+XHUL!>mvf|CZS@VO6gvwKNqb$O$_9Y zt(6h>?bou3=^Bl(7eIL_cUR>-wAH%B`U#r-W?=@?N2sNs(6FWgBK}0E_V&-EpK&yANzqN{7Qq zd1L|i+xy;c;E*d8ZsM0HkwV9R41L0z`fds^?%hxGR$cE$ajD7rAn@`L^shqs9dXph zqnd_MkK$v>Fb4kNn1jg_b5woH&-&ELcQG}GFh-SUEY5r8K&x6i%t@SK^$-9Aib6eq zU+pqi$Q4;o82L}W1&jVRJ0y2w3RpMi=tNoRNY5-OPO10qh&kNjqjb0)(@_>^$4RgS z4$9$a0acC4hP__xkZ9E9akJS8^43>WAWJ-k^%%5vuOqHeM2y=DD~En><@hK*z;nG7PzW*ScuMXq=;VK!=u2E zmz&k1WDmY>!cFMCOD)QdmHUl&V|{d2CrW|2+pYmHDeC@ zQ#OXuQ!5hwG@an**&U>NjVq%t(3J`+S&bD6|NAQ={UhY&|-xpLKP_zs%TuKObs8@CXl3&p~rVkL9QYj`E~KY{GdXOuSFGC@CGy zD_!bO);k*Fg1-KhJPR>mZA4q%mHNwX+zJ!rkq)nq%La9sj_LMy>Dcrh{2H0CeHeXd zWk~$>s(@fF7HU`BIw2DgbowtFVD#Z)f0?UrzD}j#Hl&ONAAZQ(vq>1%R@A<4iD*6g zZdpNeyONYm+d0zw4)f```NA_JI-8eVX<0B zD|kK3Hl~LCI^1atlR~)s%NpPZy6YwBM+xnaWK(^BuR2Za_jx(I*9&p@iXB4nG3ni0 zNxWhx64%-n`>B(24kDh{A7Gj$_~H)P&mRAAORtPi8`9Y|kb8i>br64c#MxXOU_=jdATI;fVFsB3ajIfPHvbw7O4qETqr6z<=~uMGIFykP z&?so_VITeEE(7n`ZUHMdj)n6$4P~{4^D9}4_tACmOJLaGWeyz79~tiHSCz~p^Te@H z%HvCTO2O~$7<1$#iEzvZhn056oJHL*nhQ9Bw5ivnmv$&EQJl?sBE+z^XT4D=AjG?%(O`I&&n%YpYn9Faxp(;%$wf=JKPijAK zVAXifs>wa@yqwu=f zA|YeNGl_W9Tid*B_EPG$l|YJU^Q>#amOSnxapR)thUCA{qdcggfRDZ(YSFG%ZrISD zn89z^%+Y3bN^k65$-Yg=VaWz3lR{wHDTQBuOdIwOF-nE^#c^nTy>}t{yzf*-vGsJv zdSu(%K-kFZ2=X<#MfU5#W`%-1-cN0TBwV&H*@`yJF&p+i*Qw#J4gakDx%MGEz#-*+ zF*tLH^fDZSC;`Oq9#oW!-)3*+POv}c=+M{f!37crDS>BT{?H~

aL=)$Yy%JV@7v zRfmDkjS?~WL&UdRUI6&-Df_`u5lH4d^SI(!16aa$^3?E*ZpMKp`1T_dtPFd!NL^7@ ztt;OJxVj1eY4|m&=+F*ULF?FpQTE}Vi;h29hCkb{51)ClBmO&7+0pV$EYH!y*D{DEAa|M zOr<+ z=ozIwiNd7NeT&)#&q@aWllC#`=?Kq+=$3W5V_Q7V${uG;#fYfv`KTBuI9{#!bG499 zAd#cU>5P2IZkIRMh->c`eHv?3=1X8q!Hica#z3>0-z^ht&M!N9X7(-@yk$Q}4G~TR zVo&O2sqAkcP38#l$~6UUyVFs%$=pg4z#ew|J+(h_pMI?Te5 zc=TWDxg&}uwZ?XTqAB+Ch4APUQ9N|Vt??tvxX|%;Q;ZZ(vcCQ#Z6w6TRn(&OX!f$mbi)xYf^aIk_Cj%Ui zS_$prrK8xgis#>H*LD>FF})rL@=TTa`(~Y2sg&mtvm2*39sI)q*B9kWaz;2NpC?-e(l-V^8x5vBNbDxp>EHTtw#bG zbho_hV@<%<_w-ec$ADevCq1lPAlZnuRQlCgHayBFfxvOm=e47@fAH;{Hn{#A z)*^{_ahWeXo7O0=L%EC-JbulD%E}tw9$A}C7<#y0lxi0qu}5*-S_H+i=+S%j?{#+H zmU#d}9aH({2N-1lhI#~rNWIi4lD>NhsKImnPhBZqc)4cmuQt{CautljFmY~D?s9~3 zKAYMf3d%@{=pJ(d|mrCViD{ZMMX6?$fN77xGl%Y??ycpOvXGpUg-F(?nTs2@2 zBr$4;jGjy4w@tC^Z9$2$3Mvd+N{E1?Id_v=>ML~k*N3lDCaMz<%3Rl- zH!tr82&38z;@b80FF)|Yws=bBvgXx*1e>*;sQm#FtI+BfQyPPw%wmk;Z^>?ZwECaR zfzrc-WOpRMZwT=4+AQx{V>-L-#c?+KDK7z}i>H$7MKNI1WHjjp?l8SLXD@Iu6UjWV zUFu!vOu!AIaU(@fURHx?gPVh=O4mhs3ZJ$11a@jnLv@enO zDDdI!0ryJaKbyc$YQOksGw%w_%x5Ji869xj$2Wa0MxG;G@*AHT-p>uUV0e%C+AkpY zXNob#hQ}mg?sXS!M1dREkK5h0@MK#AU*PudHe-mldcaa61~FbNW)=U{)$La?{w;$v z6qN?j&E1eaOJx$|H?4CqnA8_%5bNCXGMd#-kmnn{y9Vp>nWyypR`1&vCm)uXUH`yX z;hICbnpDRM;~by#=9A1+xSH>$`bBn(wPy4pOu=_!CQk#d&N$N>0w+}xiUKDSqWL1$ zV}9hu{4$P(L&5cX&dm1=SS#hc4%e{zq9EhR^mM+#E*`U9q3(s@fK->y~P1?av)UUUj|;UbQUAF z6EVB~I@wqQPse#a1KRY6c7n&^w-%UDyONAUxJ{yG$BUQtO&%^wBa56ab17P;KznPN z__4*+nX=9@d7~t1?^CY`RR>KZ^nF??3vbziDsKfc&IkiCOjw3XieOuUX8#-#LQXTZTBWK$74j|*LS z@fWoYI1sCtN}aVEKw+y&O+{+oepS$L_0Yivos4(Tei0{k($ffuT2FK-%_>AaL+hCV zaeUZQgLgQ*98byL!DfqNnZuOyz{HTh*(CQ5bqM)pe3xv|jIxMQyxa=`sbAkFAL*@Q z8BJF`z`eWGk1p_S@X3|n7`{Y5ngD!*QtAuUB0OOvi#T=7Ke*}LE(jgPM`o*V%LXJa za;j7_T0c^BwVt+{wy35)1Lag(!+%KYUB0n>-TZ+$UfcwbW1rs$CXfD0(0<3z zb8Y?~IX$YQW|HkGWloEoY&h7Qlr~iZ=;v=5f%H~%qDNPt>WUI3DoQVdw&M29f>o_9 zFIpuVLuSerkY@%--aR-eSlo?b^xXOmtb$`GvdpfOZ<73}{v0#h!d zbUTOZP%PAiYbkNWlX>L>cp~TX|GY6=fhgB+Ay$V!8dQWAQ;C%bk(M{N3S1V~s5A|e z5F$mjp^;e1>XjVo!iwinPgNApG?p0p;$QVY$8vt-HmF8on^bG!d<}Np*LFRyQBV*U zwjONiKf{&AJgo~2xcYEknR8uL$SuhLPB|^Pyj*AXSbH?Fkm~n#3;xR&@jW8Cx}DU4 z3x+O+dm=KrZY!dDM$M8=RTL!S2idkO_3qPQ#vi)Spm(EBRG+UC_2PO4iSA-{N-PK{ z)NwiQO&TZ(t~vGHI|J}uC6iG5ngNPkiSL?^KCiKKw`L4o>$NQJ4av7pByUP*E2vEj z@h7E3iVU3)B&kp9U?L^B@xPFxjYl>EXJn!5|J)jTCthNoWL~>dbK*>Ib`z(|@jEP7 zN-P!@w<{lmpkeX+IB=!(B>^fs)*5!_y+pTkN3XkV^`}e+1r#-Tnd)yOxiEsJOoWNi z7lL@_i^|{$fM85wtawu6AMyayW9s8DcL}SJW^Y|U$aI3IDoeZ$Ip`y`%EzV-K$H_1HGDkVVyetmcJ<)b~ zr1D=ieU&UXrSQ%y{q$h>U*N?ejq2gsx%P-&>v7|n$%TPDQtuvvRfD#-Uzuw^xHZYu zeG@sXI63EL=Aq>_K?pFr3=oO9A4jC}m$V8-C(5?xgmzgUa{RfL$#;^0A}($5e^_s6 z+o!Xe%*^BPaMMZ-3{J>?_W0wrrcGHE^G&mHJV`+MrURq$@lnL7{oXW|DUIUmyGSH^ zWECJ4PrwS8*uW~{p6IWx`wxu>{qLeb8=%yGJ4oId!mF%&-SOwT1G8b0NEC@=H-33w zM*SDbE@7~>l||WoiE&Sz#4hMtfR5?67AcZ3y$vkat4V3Rt5%J{>HrS-Yb^VSrfwkX za{N~DfdiX|pd0T2{0GKSlF11jng8(x2sUC9M=)k^wKCaTNW?7^aqS-5%diBQhEfxc zopgoj9&k`g2V*~I`MIrDmo0#6&klD+G3tWJelWP);3ok~1Rx<>w|$K>j*mz>7VU)b zi+_I+1g?dWjv`O68T(2dexY^?JXlYX&6N8=+pRhxJkPVwN8!~o+5AQF1l`CycSrh7 zWW-i;gMoZ57NuJ2>;iY1GD846hG5(?*3MFuSzXTg$I61#Whsff&Cr9hr2|faQxbHV ztM|3zh7Ns%m^36f>jSG*ccANWa-?tvD$1l>|FPD{dV~H)G72A*J~K0%LZGrk<*a0o z{K6fnY7E~4xsZiyMiQH%^9`RMDdH_ zZe09S%Sfqt$r@Nol5)sT&x1SZmCR`NUO0A2N#l}Wp8&!A2}Yg5Z1oQPb>u>!Ldgf9 z>nf>9Do<-3BtfHeBxiTdiU0*m@dEMZ>d(LZgku=^5yd}vT>0WPFiFGQEm3TS(kjYLVmbqxB(!w zXYH0qY+1cpMObUfe8iJKOoeHiQ)K-xfZLxE3BQlAfOhXPvZKn~U2h#_=@Rs>XFnzz z_mj?K6=A^}ccGF|I4um<-4_OL(7*BMaON}U=vQ3WoP9^`4|lo3)1?w~fHa2_vQ1;* zg{c^Dwg}g*SHl$U2xCVhuQ^kGdEPqs(WWE&ON=Fo_*$K@YCr-5Ys(>kcu}i(u zq*6%XPKfh<(mP0Rn~Q<$*XmNngB%TCIz{BHv&E-1|F(P5|9D0eQ&jPqm(8AACpC^Q zn?^}b0;m#MzJy*iPg4JLfqa3KATN-(*2KESJ(#8wbDdA}cF59Dv5RiFU`cxF;3`eI<*q~20*c(r@8~`hNZ;@KA>0gTva-@%h$4!v2coVSh zOn$Z2nW)_a2%0{Y$~dx$-6tAES124$L9$C&k#>1XC*Fs}-uSmjR^s2rh~wd+4L?w$ zF7`KCO{Z(FVNf`K*ssyX(0yu*yIc^+^pb z8+6y+Q)ZW&=_@co&t|;=(lnf%4(5m z%%KDFEu7A0gg&T_R&{S3 zkjyKvW}iDX&0$C#)~Jpz?2a>C4cY-J@^&`LxHZRVu%jF>Bt5V=PW6MeDt~P!5cyME zklDO0FND!FNewG#lePHV5Z96V%2TOQue&GiS6QMGVTip{~8OPs!J_J1Yr`g zBUWTGPj^I`^m_viUcd7a3%A3(?a7Z&-((9a3ppO-p8#SUFM2Hwg$Y}Av+xb#TuR536vp6ja#^WRNfDf+^pk5iCZQy(?&~mRLrgwb-mq96k|QkZJ{L&{O}Me zygcTWT4VgX%j5}MuSJ`XB(gzvl%UD{8WDs!BMWLl>mfr=OO^IUw0Ej){juFSY=NWf z{w@~^nsio;*mY2n3Rb`9;ivz`MT?^T1`U50a=D$2+;xQ|8oA5o$A)Y28#2qYHrf7F z{rn&B=BLCcLENL|F=6-H2kvX4qps`WLHY25@u-YQgAEAG%-hYwlmy%Cfu?5sMH}!x z$z}+riLm;k>&}Py$}5_pp{@(Hf?Xjq6(yOVrV*+uWoc_G$Lye9|L_-ODJlSUhx-!k zSQP@zOOEA4M(7wlbY7D#vRBI2jSP!ES1P<1-#|9VP5D<(pX=rEI)NAptJztSV;K0V zzTl$V97;xcSPbw!NYBhr;AJxc8=_%G7qG|Rjc{Z^lYGkJm_jIwiP9{?5bq`a)i=EK zzj$9VQNDI@EdavfPr6Mc_CfT{|Mze2i(lk>hipgNH;{*!3@CO~)xs06V%YeB zkNzcqv3DmIft9IngW7wXswg#0d#3i$LiEP-d`vaN)x+YMZ{s->iT^`D z`$B+%6sq&xf`|WVI_>|CsqRDtBz!)}u#vxAs;WHxB~a=x?+>~yg74`m{vw!R$pArs z`E*OSbk7%RX-~KR{IHkkezfOYY1q(06{;hSmtxA89Ux#WU@49Mg|C~!{hdlBE&#Ou z`+ffx$XfMj=Mg0VBVwhfEQ!AO^ctVt=5Jakc!qF(5*+O|tU4;}iH(oaqv%D?lubq} zvBzs@>Fv%qq6#9B^#APZaZ!P6n+`tU_umKP|NZP^qAqeKqR7|<{57#Wl6%t~_~4oA zd-KnD$sq&a2i-*limyM#M0`?iMU<%&{2t8Wja-$D*TRxVTWNnpl3w0y^MBm`& zj}VJs5Yz`q8=@+E(;^i=906%!6WEOir9*Jz^*ojC`>Ai+rohO}Qod9<)`maFMxFNj zW%gx2=HI`Tx|Hvl*q+}6N`Y0ywfx@AnE|&w*JZ>*WL&DeVuq-mfyd9UJ2;LJn)rjE zY3ei4JGGgp(zTqK^jz$A|AQJ|^Z9x4zWUOOJKcd^+_AabRu#U_X}|9_1Rl|0wtvSK;4^r>E$Itk zayLQ-6#V@@RfX`^uj(96(&fhf^R4{X@%;N8{m*|=b-xcj+rp;-rai0vouldh^S}Mq zgYp0CzoZR%4wB;=gmU{ys7Pd-!(b%}Ih{laxwQ zx61jy{);_lqE^k1L+>#&L7jf_2FxG{K=*$B5;=uV5^=Fh`L4Ow0t6!{KKH@gx#WXH z(o~0!j~d9uep8=_l>8!*@_S-4qabziGpPE&NPPY?U=Am1Pw0!oJcmSlQ85WZ8yN8Ktg%YNu5?g)VwXba ztYApRGp7=}u9UD7#ky`1>cHeRvLQ4WcOArHeBflV@r4)0v~XnlmW|M7zwOtu!fc6_ z0**P-QI^4CDqLAxwktJrNNM&yM1S7;I3*o|%jNalcROzTDc1eP15UjxF`OrtO-ksH z`GJ_Oc>TYaY~(?Gh2y74wsY7bXIwpIUyt8$b3}Z+kx13o-@X+|@uF6Cto6i+XzZ~Q z@kFs|gLgV2XJy<_>vs&HLN6e>X$iB|_(a`y*B}K)L|BRJk4_WE@!FykC+iH$f6m?t zh3$kM`CJ<12Sm@0y$%DKU$-TN4r68_R{f&T*>4pUU>D*NKTfPy@0gs#?NOo=9uryR z?Q&F?y4W-~p5s-T-ns&;bc9Ys6Zl6_WE9%1dnd@3&QzV1M$}=HIN~KTn>Atsyi5p@ zd+@~IjRUrZ)to~MYDXaBV_HTguZ4lhx&VV7(mh`U?(=ua0Q(sR%u#G-8S-xdN3<8D zCLU-lRha|`f-Xm?q_n1Ql$h@miY%z0P;d*?A$>JQ#fxJBNI3jp1C&TTWQZ>+8YhWt zm=+~yT0*zKrptTA1y830nIL@^N(0`i+6F$i=M_q?=QzH5zL$BbV~UCyerICHyOR`8 zf|8$U<~&~&5dsVjMX?I~=-4D#xIeIdwY{HX<^o)KE`X|CXER0sY@E)%WrmwzSHSbCMy9x94oZ*mEC`}iP9x_m*A{dEpvYQUfSl3mDlnU~9? zJFtiuZNz@Hv3e0q%d~uGWW!aD8>7qW@Drg1+Xns9p!IQBGzodo`dHxIWTyy;Bj{o_ zLHsKbXx7~;?5-$jR6n5pJ}Z>?%&ax+UDN0331Wx{($EhlDg4S>Q=6j#D}vM)1{BXV zgw03vho^6%(L{%%KNGX$+Y5I+{L6QnB=w0 zm+-cW-9Uwz4XqEC|JR!!Klph8j+2Vm4M9-DXMlGPNoPzEcz-xYakW&W+OtZ7pkxQQ z_nzi+STEs)0aGkt1;D*uRmC!Y$KcT}GosG$Iu)|G&vIn^@g)C!?ZXoyR>P-uUZzE@ zh8ylnLy3&i(8@xkhf%FJMa(m1iDJF$zZr_0+Xq)=oCw6?ocC^Vg+FAGOcvVE)Ma#- zh4Gta+IfVT;fc$JQ~vRDwU{kM{LBeOc7q0Bl@YoFb|sp9VQhe%)A60o4bVs3MjDA0 z-=^9cq(02=CAQ==ag)%jX+!39(7d1i*J=(*K9Mw~UIqf7^alBm@M5P8I1! z=@Jl-?jD8`5h;g|1_kMEknV0I2axVgL0WR828I;e-|@Py`~N&^J$vo@#eTE*Yu~t7 zbAEqk9LMMQv?}{?^R+l3`iDnUD1cCSd`uWz38bnj-5d=+AE*K4K#C#g;r~1YE8VcO z0i)|D@oajltavJ>job(@Gk1b?WDoP#roEAmvp{bPeSl5XzNLdjhSPEO*!EjpT!zUW zKr*rn3nAF1J{OvB;QOK~3;eyptbf#xQT_p!L=vlP`-&DD3d$Z3I%JPda5zj}`Ypp- z4ZO~Wz_MB3SoTVLu2Yl4O%BlR-CebkQkcWW zqDeFdY-Yjdi5PUMEI67Bo^0V>U!EIPKlgrpGa~0ux#)_mTum;lVRF7y(ZNL9B`I#H zYa9)AN7FK1pI!)Cyw3at`8&CM#a5U|2>(-V0yrufOLq#%xnFmM2 z{=8v`WJZ^EfJ8iz;@_6$QSo1n3GK;GYz?yRVFMmcl5nSYGivKuJC5Ks94CY^-e=H3{pU;NbKCEv;s(`taNkyVZE1&Q_V3&-1 z_nczU>H=;B)^{KaHZ=Ms<0~(aTEU|iJp;nhyZOt2cvso=2WsJ!pxXB{$(zoV2l1vQ zezw_Qm`3CBp>?xcvX+ShRnWJ#_TJ!&{37fHH}J|0BPP$@G&f6b(RMMJ>1`ThZm(IC zjRrb+hrY1KIY{}{6MuNHrdFW&_&7o`jNV9`h{u0_Y@x}Sl*>^Rpa8m31Rao02GOU* zAi_t#&X%19l9Y+%Xh^A-e^E|$!~U8|8Y z!IZ!ToBEds=(?H8xG|iHU`_72jp#dun1Gm{brSMVT(?2Yq)JDK#%qDa8}vw7-+p{iOm!yODL8C8$JHJY2R zxxga$*{K<<3Jx8T*~2Tu;@Q2pc>ituUTEL%1)&hY-5I>=&0A$NS0QKJ@#D*s6$^Zm zQ!itcXFNk0L(QVee$6mx$>MZz_3NJ&ju^pmraGVi+CRR)a-t0UAY4OiW3ZRAbG%rZ zkSMT5dAJTTPoP{p^?wdmIY)jx92`zg6Yz{K(8{hY|DkqCojGo#d@j!hf$mirk5vVe z6|@`B)q=HU@kqUTjn$MgFTdTP2yjvT3GS=T3%04X-PoDU^WB_RQj3DcR#gZBIz$<4Hwt6pvzFA-}Euo!%B5wNRUfJo{k<6HIu z_iY;B`nDO*3EBcO1EEMlY;zE#a%H;w?bGCIw?(^Le#7r)fRsg_oz{cKxC0){4pcn~ zRG0R15ODjf+b`fBjQi5{N!=~%@@@Z-SjTS;h#~%^Uz4x3=iXCvmd7!7+XKlU6HV54 z(0~Uo0h>!O9LRh$QtbPg7x#rCQDA|-piq2^%H*GU;uX;+^@$z`YT{*^awe>s4s*0& zAnRquCFL{;KH3y}K@`bKv^>MtKn_%|$-UqjJm)6u7VisJ(uzs1TW_G3GbQwMtM?YC1kaU)EpXqC2+(M583@d#ts!!tyK0wHWJD*t?s zSYy?n()NH4@o|HgRXY%Lro<1=X-YxLu*cX~O2o4IvO)_t(o^OJPDM#I6=?KdRMLGr z(yeshx;(B9H4l-^J==?7|C~f2^JpGj;G2YND?J_bT?hpMw>%y`uiq}**0UA3VQm?Q zKs1O%t|--jFvT=AGd~{!@`LtE05dw%M|VO~&NHBM(t%%{%(q<1F}(k1axa9#urUzy z8be0~!7WjHvz6IEVL>6t{MG7`a0vo;sXUusx@NF#MorIpn&*bi-ri(-#T^gQYl>)q z=zHy1f7jguO8;53UQ>s_f1B#RhedI&qp1iQ6wlS9BX4X zu)@)M7V$b|w$b`K59eY%%nSySZ`~K=y{^wKxUHtyz;k_&B4q^xvW#ZbLXHP%&koGN z-a!y?+itGr@wTkNLCF)TI2NtXUMd^&gEzYv5cVbYCtxS~3w|_A!x;r_bS(UKBn}vL zPt5{KdK>Rjs}ndbn)x0{U{gOuXE*d&644w?V(3YZB4lqeUd{m=zHW<$t0wmfK>KXH z=!uT6U#ANSbIrDzDKo8G_;A$iUum|0rgoZ5edxj%VY;qRyA0!BRP{XBUs_7eM$-V% zIVN%CvhDAEdYDT13r<0Xa(zwo7hy#+v=k|6&z|?2-w?L zp5Ut35vsZBIH$>6{Me(yyM|@(IFYO`zL04_L9c{O?b;PU$#lpDhVZ5q{`y|a*|z}Q zh(#zDgNLSM%8OLJS5n9y;Qc^KJ~4lFx%6kxbsUh^_duTFPyYrtZ@n;;FVFjqNPbTn z*xhlJ{4=Fv#BN-l!n$k_Ph;O4gIK>8u!sU5R0{8&@%cV^%ILhBgVD>Y)ez37f-S6z zBOtIvgs#qNhGVnNuvzK(>vjX99{)QHwV4!tX^MwpjFwenc&L@89rY^q2|>Ma6~Dq9 zIy@a6MS4Cyc$^bzpP;Mgh>@3M!g(TRiz{xbWYk37xdmA^qR?{Uut3-`sVQdv)oAb( zvUI1gXAjBVvu=pLmZ5vH#ZyiZO{`r|`X{dJ0! zG-9K)8J@7{srUQz=ycMP+;XAhYyI^PEA#Q<{0I8Cq0S@XCn9kUYfH8d6m&RuPZRD{?+;W-}z(Ti|er0$yiwO&1f0ccAw`kM?L z5WhaluH$AcNd}W1lnTUSES7Scb-VnY=I`zk;*u9$kJWfR?%cdnRNRSHp|1lOqISkm z1s7<+Mq+Nmg{bU%ADc*b;&H+s8IKZ^T!R^#lJY%BUYXdzBuk@&f~8?a9_vp-kZ!gL zY?Q^3glu+=+YB(!&bpr(2jUWv!=xUc-}!7{P2(_VS=6cb(@x|&k-wnh{ zl118mcKw=zD%I0?gZ>$4Gu3Kh_D?FJuVSZ9KUKULM@(oFGq$?mkv1goF8o#qwc2~a|i?YlL&Nq^fo!@ z#~5=}dPQ7J=0Jx9e>xo~m!`FtI$+ZMX5Wfxa~6%>8rBUd0angQha2g*7McS=xKOcamaO4o-!#_ zKw3Df8Ct_t0Bvs6K><_<5x|*#UJMQHFenwF!WB9)`g5VPzX;+&wk~UZctv(zGynyk z)?}%{Oz|lg5d&L)uX7e%RRsPX4sr(s^${};KK5;>Gk}|uPFugGAyD3xh_!1@x-#O z^-rmA>DIYnS~tpC7^%qXbfW#wXdwA|9o4)ucM&hkKRoh36=)v0c`Bai4iEOWW74pn zn<1s>tMYvc=XINV8VLmKDWOlJ znX!qWj9zgP(GfWR88fw8ad(`fDm-kS2dtr?GE(Jf>&WAQBJ6Z9s_s?}%K})&e$}=<2_UaV)fu^fHU@q@){=W$&H#-V=-rv=X zj-k}eQO||-#?n+Y^gNveJXh_*3^m&l`A?F1mUJ)TIrW%C93zMg2y;U|BGpK`|HFOl$T_ELpnRGJ($mU`VQBKVZWR@vZ5=ra<3`8ONJqPr{1e4ZWja( z{DpJ;MRSbc+R;-J>5vL4?KCJ!=7)sD0XYQEMxzQdb4zE}Xe}fWofP0V7Lyn1H)i(5 zf;E4OaR3>0+lXc0GNlk7=K618e!R~ml@Y9W*dCvDT}%o&)^E~o=xH7nKELZa_myo4 zL@r7^l>XUnzV6@5#?qbl+uxzPoSz3asM4@Uyu*3$;pQ z71uS>7ymy}Wd%cRk05~B(=Jj#V-PZ&r8yOpMLm}v(5$^GB%VObqypw$XGWYNcb z+AH1D_%4(F0n*IEk#!XxhcJ+I7+aq<1As4L^k{Up$=PlM!38CGY<5s`M?aYUTjE{D z>v;h1SnYOHw>&>B0)4x zlWJ*gRZv=30-y2wda(SQdWyeqf)je9JZZc-l%;}~2kh)clb%6Ks;--s;@rOmoLaa@ zcROHw|GXlwfz@kO773u6IT*-KT)-_kf^kpeKH8I&=0Qj6@T6j5GZ^HXLHn4}5C9M8 z&J&Jo8wEP2I82Od2>d} zI47aSt^BS%Tpa7NW%DUww!#xg>fNwHk&6HWCMxvxn{izoPfg@7ho$&^(SIHb>9JU=K=#Zgw~7P&}b{zJ2S)VXkow${Zo?H3q%i>^U8 z=&~_gmap7P~Dn#^N?zD54fg=feVRibB){G*fVhtt7xmlaFrm!rhHn7H}>875B9HRZ&X@o9A-)+fAVSwbSfhB9^pFV0K;G3^7wiF2vx z?E1#ls7~R`fqF>GdOhgJDrMCA6WQ}7Fa9dF5}cIn7{lsAXkIFD65H9V$6h#d>v$9# zRODi`GAk$XNNe@9%^pC4K8i9%h#&(S8R^bSh1lwc5hgZYHq7Owl`JDz(rcAv|C{3( zv>GQTHgy@Y3&GJhJSG&>4(5{&s{^>MN~MrGy$N;@pE)tT4ROIc&xqunS$ZG691?p~ zufy^;(_kF(mb@4rSfkC79W&2OrOY%_*+d-FYG7jjITnvTinQ#2;KL?1l(KfT%L@Ts zONVZ;K}(oeHfQk!rP&B;_Gc0E?(-l{h)UIupYfC6Xs?PJ=)6eh4+J}0mu|}cTS9oF z%?`3nY%=j2f1NjdUD*@w{*2(6eZMprJ}zhD z))TGU-IAn`_n$1-0tdnEBM8Vl?vRx*+#jXAel76(pkqqrMpD90RI~zz+7Q}PmDUzL zNGAND#6lNq?RB#1+ZME2DotV&u&-1djqidB9?}x5Fi||l5I5B-sGg>x)GBJj-O&3 zkgGH{GkbPzy>gBGaEc88T40Um7}Hi20TC+MhF@k8U0dc&ZvxOhw$W^R*$W9tOCd zW^}J&py(vTw5pfc@rDh&Ai3xl1Gjj!wDyXvCV)|aB9=3XsPQbnNpeDvdMTWTgXxraDV&< z>}?+TKLC4|Ex~+k<_G=CF0kKbyv5l4n~*}C*c*vuSDj$k;tLFR2o#GZ9GMAdcqDtC5Zy>3>ElO}qJ*{P&NR=I*We(dRJ`R;!sf z_b40H{7*A#)!poH*3b|4jR&V|r42ZtVA|LZ_C8ABP=&p0teKxWk`FrTR-){J(;wYK zwI2&km}~x;aH1uS2>$(l5BK)?e*^A~hIUFu0jJWS6(0XV^bOA1Tnha(Q66tUJ?E*ve_D!MkaBd`E7Zsu#htQp* zj+=yyvQMo$yMH)>V1*(j)a=L7@`Z2FJgQ;zp$su!)ywUKu`|P-q8_EnOw<>KW?reM ziYr!1xq1!}Ow3f?VHEJ5JJ#3|;;2$qVx97MC$AF?|C;K{g#{QYC`h_N%?btC1k(3I zR>kww7$?QCHyonOJI#-SNi+nNB*Et5n=WLViJqE2xXy2QBukl*yCRBPkAH?3o3>9X z-9E0E?G(M8;hpRbqbwGXtqQwA@Pbmvv0&5lR;;Nn69HGJiIROYxtK@&{-ZwYh~BV9 zwDN!2z;mGvII-=OKS&9r&JiWbsM)sv7nL(ix>gEh`!1v~$9D&aOs%_Pejb@h5$>q= z1=#%2E66{>JnrQc3gw${Zm-~5-T3Y?km*4hqF~WtZ#e*nf3hvGo`(IZVZa9r;?W!T zWdhsMe7WBoZwC0~MXW8Ea^3Wzo!&vv3{Eb<;0$(3f5%1yce)BMo-qDj0o|gk@Tu*L z!1;d5{~gaArFe?2M%@1ap8FpSVAlPD2cE2y&dWo!5(_-OKl1J-2PzrxvFKCU*e=dJs}X2ff~~Hrm1{C3IQrkE=Cztue|-f% zv;ZAL$0hzfSv%A%Dttf|e84ZRZTqcY$p~&*>2he;8qn&eK)NH1OCi2nGok67EgPYI zC~zNsFr4&^v1ThrE+!V1ah)ykcIC;?X^mmQMJqv0k2b9We3R8jGAi`HzDt|Yba^|4 zvGIT$>WR`K*V1V=oZrMe9!VEBssZ*`tJBbD!}mZCd-e`S6rlSX<@!R$na+H=lX-df)PpdJ)XTWm2LyiC!|piziaM%OYWgL8el z9l`i~B#cG$Rjq|PZxr{j8XDZ|CF*vpI(49ETzUs@_6)~vw~L6$e8Kz&xYOLBmOGmM zKv1Q($z>b7IeojeqAJvqjD`3JEFou3{ey{OHxqj;)zO@OOzPaMwRi`f1zl}G=?^Xp z?Q^T=(5-l}?0%=ccHS02&T0w=N48_fH-qjj<%$!RUt}Rz*KKBH_+Q_}c@rkMBEjZW z^S;Lnf$(#McuthnoXas{W<>Z*<O*4y=jIAEu)t!IXPV4n|4!h3Vk-zjJPW2eh`=Z7UM*v%YDgDN7k zpQDAJU5lP7ba9cUCXXL>e4%|gfu$tcXf?y~%>U#;>vgeuZc$n&wfFwf`~9Fw%111- zzzB5H?jsIYEx2h4hv|0*Oci__vKzOu$d(Dq3MO{)0=d$}SB>1!0DH&dUc2-{%tbs= zIhm7dwXH9JD>NHdfLz1&fkFLylbq8Q^r?2n93my_@|h{`Ms}~jP1+_@1|{+KdElB^ z?DN5?yK&5OI49C^93S)o*!F=7hK7oZflAOmM;8RsgM9ViP1G4MqJ@7BmYl}MCwsIr zQ%?I`wv1B17{kAT$no}NkUr&dg9er$ZEp=6P2`rOSfT-VB}x84KR8g%)$X;|gKLRe z)fea7SQL;ps=0oh7WK@g8)Z!AElEB2Rf>(B1^NQ;;VE-2G z!9M!nFNfeKCUl5>EQ2(tlN7!;1h;#hLA2_lF}>4`l0JWH@?`*bYEQJw#<1uq&g7;t@^Pynw^K9mY)TOv8C&5DS(M04tREE8L3ykPEj- z6R9d&lJc@DW!^j{q0yE;@DWxSM}LH^0Y-2E)xZm!P$Fg&{=woSZyXx7=H&5AmKUz!cbE>tOc1dq9AJimjAd*It@rbiImYlD}#Zt zEd(r@AaR5t0D;7%Z+#T)k{;6ZH-K=YueLrK>w$$xemw z=c>9iLE)sKztqvk;7k2*N3}P=W=XFoVNy7Amn{3t=OhdG|64=8kJFTp@{+^|GR@{$ z3f;Nti1n{P)*>Lf27bK*Su`)ZKw}MZG`Mxd)K>sMv2sR5e!BWV44sG*27)x2N-ihO zV6IR|>l)T&Z4w?cknr*S)Rq5#0%n5({vQFe|F+F91a8fLwy%fZleVYKX!^>hs!sotm({>uNBl&!vD?^X}WBzG&@u z?e8^fim>q<_X&5V(=_P)Kph)(qRqQgR{ikYsRC_7Aidbmau49yZ!&R0!M7dqLvmRM z@G**PdEbcIx6+~JF+-BaD@~mmR<=L1x-m}&VYWQX^Ip5^JKR34rfFUF!6OO+zA+u3 zWd$Gkmn4Q?iy*@leWgUcw!iDWt}c2X%eZ2N7DbX68NUz(IFy?zxUn(~03eX^ju7kq zffzZlb+fn3*Mu$)GNd1QvESHSi>G_sU8#PE#FD^wxT}L!Y}VZ=GFZ;6IXY}Bd$Ult z{g!V%fYb+L5D0vGw(~i2Pl{0VsoiB6n*X?kwr1FsFa#w)Sx%W~f4|Lk=Z=O(9M>|N zQ_D<^pAmI`6DWD%uc0EUC4;H_NSS2|UfCA=fG|`oz0MH>vQYitSetw~iiK_KLgJvM zMNfubNCkvkjGF+TXli-eVN(vR%koVlCl^`*itI6QAo9DewYMREQ4 zY-?C3=KR^8UxwIl;;yN5vU`y%)H%Vp1w_OW-~4Z7ncl#3mo_^uxvwz!b~Lb{vWF%c zcrVR@ZYtd->LU3j!#VDbE%B0hW36>0iNDFtd4F&4dz1UV@X=*+-Nfdg_wZoacVUZg zBbVQ2hqvUL#;M(ZRgSZ^b0Afdf=9DiHyB(SRPIYA=qGRhIq4K1fqxosmaGDm95IlA zIB*Cy9d=Xtc@>KhOuDsJ7vKhei<$J|7#5OwtU%wuK)T8W(A$&y0%nNPj^pO?2s`Z) zhdj?Q?#wMbOll#eylbG1ko1l|>iSHh=kFu_+R*Q}qN&PT-+;b4s-5PI4<o{AUdNx15I6Ho@8W*Bvd|h?E`qePrE&%G5{8qE><+j!PKW(c!?j3ge3B+)|4JX*S z<)6*l?$py7p%mis4C^TJ00P7Bwd%Pn=36Ozc8%X?A>|yRUEiSjv3)U9I8>cuai?%x z>RLxL-$#ZVev(P$qiKz|)X8=mQH>QIuM`|0#?(3X>*`%zx>uj==T^Hy3~}`YCcn@p@?G5a6tKw#3wP*Ib<=y6`nh>0%M~>r>~7 zocWhZh+eJXr_E$8)E+bCM&f^E5WsNRUim630^9!$Dh|naEVz0(?s1_)+LRZ7tnW!<{h~qM8!0og8X|h{n``Mw=b0$ z3X4$X)7rk1NN{=Ab$JSIOIEET@zowo*WP6Ml z0_Fq<@&MKX2L0hoYn@vrj|y8pb_(pv7je)(#{NG3rrqqV1}&v0hjgxNIz~hP7OICi zp%_}^cr~g%>UUGq1}18Lf7DfSbD&Cat>>v=EuU4S7$dxSe8N#2xqap`0Y^P0exukC z#cLR&Ry@@5IIyVRLw?9C&t-Nzvz%38w%5gzql=kwpvQH`#&uxZvT-Syv$R5tAr{Ge z@i0Nf3187wv7ByD9PA^veZMZvuw z=9#s1uZ=$hq|oCQx`=}4a&AwzK09)^7SjX9ujwJx;cC6=a%Fvf0>ea!SSaD)SvLfZ zyUvznBdycc8bav^P|@F$QM-NFQ}L;-xIjH$FdB4BJZA4ZH; zSAZ*rrM6tVBc>-DTlv%F5&`-iTIag2f$F*~Ye$|+vcr8;OH33_hvs9iJ9?`M^N1A? zBthBC6uJN(JBD$+KCwncPbQspl1K4zKbns%692Pa6{!;27@flD*Kelw9&aGV>6)n% z2Kd+}zrR`jt3bX%2XJMBtQ+ktWsXj#CD|pbUe#~Q9*TPI;luhX8HKNHcNI#1a7?l7 zJ~@o6#TInUx-N!(^)Jw<4%a=kDKwvjnA3V~tE`r>?l}@284K2VM|iEKuPyd#DJq`7 zDKdlA0SstU$%Xa<(WY2^x?a6RE-5M@$1cbyzEzhMU)kdvhUTI&I8uH}fQU<{3{u#x zCfdj=Y?tJQl8+s@Uv7YW=>pnd7Xjrz74&Ndox6H^&Z@d`$~5nzO|BY%WoElg)mwkf z=kOh{lw|F;Vbc=XweFUGrPX34ji&%{RarY8$78ZxzrI&%&5mT}ucl zzCrf0-B4!~Qkiu;juk8vP3CL5iegOnP+un817rOi!I@+wQ5l$6SAQRkkOH^L z`}Q;0HUv=sGxL^e>J#KQpC*w*OwEUQPqZU|aEeVfb z2_2|;j_1gkZ)K2?Y8FK(f#H0hCWh6AA_B52tyB&w%~<gKNn5__YrM&f+NMA+Ev4NxmvVMe_h9V*$ zTuJi}aB^vB8@ftJU;i3gH@4HS^ea3yB|;S5>DHq*h&iRYuoJdZ;yR8uQEU#Z@5r;N zf`;_9NO0P%x_O2h>k^3RnZb%)?JlBNDpC(J~%@B4wB7^hir=Nx58J6s;8c8QE<5ax0 ze-ajnX?Sx!&tzq_SJmzYEUGTWZhBUiL;$BuH`-~|Xj2Yk3-_K9cfC=Nbos*wfwszwpfiuA0sy^6SZ$J6xe63I&p=nZ zyjx!@?G-j-HS8oJhlseXOzPXSia(lX0P)qW_{ki1;8w}upRNW0%Ad|rzG6V$>a;#l z`U(tY9dQg8;KUib2p4mjv-gBddT*7f=axvD%L%YeOT#R~@nY}f`c~;hs@vAtF1)TC zwFn@f{;P09hSG{d;V5le%xlYuyh0w609vg)vNQoR%Ivw9)u1~1^%&PpRCGh{s9#KY zznURbQ=hy)E!QCCzkZlU{IJ~p5=&aCu;d(s$g+miQVV}@G*^nAF}%Bu^BOSk2GIc# zpi*oNpBx?UFBzF93Baff3D0^j`jX&27hrN-HlxbwFDiqER5DQ{eL(o@Rvjxa5K z#P?+r1zGOC`VVvzP<Fz{8eRatc0?!n9+UhyLZ9uP zubo_h+jwzB`ewX=Elk=QJYTn#uKJ4=FbIF4vV>e4$dCbsY(dA*FMK}uLNo;h`>r7O zY`hMMsx-%~>@^jyE)ry@(6sqo&wwqP+W=-wV<7m-E}-9Tj5dBc zby;9Wa8Xo8#$!TTfgUqu35%XaRe&5MY~gRL%P~)^Q%>Z#itf0JZ;P5x$@I2g`=NVE zI{Z3G%6ae)_^hJr+pxZT>!e)QVzZQZaaIv+#kJ^T54jK>_%0HTdh$TDWI%~wDb`1S z9KjxY1yMB;Nc*>wG`_ucZ#Jx~=;yn+dRJeK29DS5jm3_v(`E1B7n$jTA+1q;s}&z| z!16d0uS9 z>Lm83d3UK+Ht;TADwHRRd$%Avs)6R6xLZljtITex#cM36XFHxdhxb#445La~Ni>(8 z?^`i|KGAI9Qu(r$#oD%0$K<+=W=b@xwXA?nMR@umGVl;sU4=c4T)-A>n^9RPK1eP&x+Cb`kzPsC~{2*d6h%e0nvp%E#*t8Lajq}`T1o@Nyt%3f`m&n- z89TVJ7V(&uhUlu3{+7Vo{mo<8^b9#DtvPgQEr8NmPw}lf0RmD+xd#<|SAeJ;Y|`Oh zSbwrRkEdHPvhE1aE$2r zEGWDfsxwnYpP;-AleTd|fRLAIVcHfaItuMum1l0N+&%2+e!)ZnTZcS zWb|s0!(Qk-*&ELd!D*VhuY|yjtWe!_!oVgVQuBVP zPfen&Bfr@iO@`%8!5$RXQ{=viT0n`B7OP<&GHU!8TLmVG4`=w>%XXd|2=nFq4HUR!NHO>9#77^WCMIC@ zAE4ujwWv3S3iH#7+8gsh-K+xj_EA{NtI`Fm4CxEQF)u+*jE*?BD*xUEp^+?(2*Fpv~crtlU%@3B_Ruj#_)xN_oQN*nB96c|wAd&u8@iQw1L>yNi zedE5P6&A_#M<(!AkeB2&McB)r#yLIUu^F85g30L9e$E7^bu`Qc>M+EcrJgI#BJVv? z+>7tF+TSO)x4GJ$ZD!pF5YkHFA(lV97?aX(O+4LVeVw!v5@2ZrN6q?&goW25$-4fl z263A`;!pl*E~95dh?3InO<;Ny02ED%hiEd=k3Trb z=46HW^&;dkvATf~DQ8|6QvwG>_k zOy|}ej2P99PMw9GKciwT=CPk}w(VNzMo|nr&14-adNuUS@?vu}>t=2|XN1TZ4)^td z`hb`I^oxDOe)D4j(TtcFXr-hy3|WbB>uBfB8iVJfi_zK(m|l4woCmBX4vVG;S%E%Q#G^yXbeKbW8;}zM zQ^j|QN)2jAs0|WWnl`LOy70k*LJPZWy37!vt5f|rU$6R2_!9=c>WZ2{a4eFGCfE9aDFVNtz(SU#>Mo9G= zrJIQ0Gl2%n35KysGg)lHIKj@ClX^Btz3R6oIJO)eZS6qUps1KGW{3vu-AcTr5URux zz&*y!&8A!NO|2G}CBT5>4>F;(K6>l};Jr$N{}Z)XJ#a>JqJeGT@Opcv2bf424cVP0!)dBZ> z)wru)ZM*hilnHQWH26q>B)f8KsnMx8215jeR#$}tnXWh)M|{Qg)@^DzTgBrBNky_j zM}c(V?>Ab-I2zZr?#QddIS>&SgCK~aS@l4C<@3W7Cf6~HTeMzhnQ5h=;&-4uvyw^5 z&R%PU`5NaiS1dL`6VcDU(MYiSWCg^fXPXP3X+OT_z8U+i@`IT&hfxcJH~ltEkv$$^ z$;;oncHRz)SLmj6A|DJAg%mvzwB^6YrBE$#s1?g69T_RRLNeT&8Lx2sgaoL1PiQ*3 zn;s&`kRSPhCq`@x?6erYN5x~DQnNTEj(B&ejk*fQ;)S zV!o~%?I5KVZ^>W2)CShVeh-IZFIlu00*z@-vG4r@0zB@(#Vv+YwtqFe?+b|Sin_Bj z3@2EEW!xwcF6<4dAK+*jj1vP9@)pfwNA6d%0ee3hCMXRVLYsYTZ<3LZ@|_r0AVaQl zTSjDrPKcJ1pHjD=3|&mN_wO&(mH~Xl=6qG?AHbu!%|SPAsJ%04$%C3dK|{RXx6EXD zdU&_<+x?cXBu(g*IEU1Y1~%7ukqyP}dBldWGBP%#hs+z{>ahgz3UcJZE>mB7{bfH# zntO55>TGwXJVK`$*+oZTP>T(W{-&Sadn4n zT8)G^M+_Kk56`y-BAUmN?l=RO?ilh{^$1IAkSvS6gx@rUx}INV+kTU8sC~rCKw=ML~~_hF@c~M}PmO zSWcU34@N)S1h-k$<%DG;D~-|)t_FUoqVnW-wN0#&3#m ztbk%LM%vkt&<~MK=SM{6Ogp3VP2jyV#C~cLrdHQm54bKyT|dApLyb3h=QpMx(+A}g zfiZqTX6UI6+fyD^$5#*9#4GfFYQ+QA+z-%njaD5zpx1@iK z^Pdr1;`}4+;^Qz1UVEaj=JV-tBhEeek+NNlLq*D}Co5}hlnK)`_kMl1>&VKDI!&$@ z-tWJ8Ey7)^tae<%8B{nv;BfKViaUJMgqyiHsSLsAc_)iL%mr7FDR8eIiH#ZYiDZA4 z=;Gr3XS>)lw1e)29Olu@U}ga-AMx#svrl;b?Ns2^a2)m~=2Ho- z{A#&mFnuh_h^S1hL;q;ac4Q*nDan-bU19-S<6{Gw?Dh`uVno5XqbK)C`>0{-g!_q| zQ7Y!iL@F#a80?Xs*6C%vYD|Xw$9DnI9@1AKe++QXti_FI@qq)82b)gyiG&HuF4P=x zF$sOH6ZcNWr$J(0t96;c6_QiOhw)x4p*xp&fC3IMmc3aL^)vFC5a@+AN>H?w_6~)wJa)efk_yPJf;Gu(v(!p1>SX zXDx;hBhh^icGvF=UEkkZflVap0}@`(*MkT8XVp`s`lgm3+j?zuq^W8X%rj2SLp833 zt@!wk(hai;`RVN{?C2io9eO#9?tw&Ba_RT%!v1{?0)9zlMzHgiD?k*}V%L05CSuu} z9q3E<5e#cD3>g&AgTADwQ9;i_jaXV;UT?#|q1SL2cEEpI?qwbc-j*LKVVLoE8dA{a zaG2t@*>lt(`-CPk*PC0(vu9CHUOXZ$-&BhdOY3vUE12B~OBTMinXfCXXG+uQf#+4V zz1vgyb1CQ7A+qm*q+PMGn&+@e<+Hsk>(Cshm*`3S6HZL{d$-NdtU`iMV?)sS5OO#V za+LQ~>}j{gpRGPp)F_h&b!({cJ(V*T7I-c zdgP>`>*?3Wj0sM-asu6$+Eyl|+=ExZl5f&yKK`3aisAR@?E$Zf@a-O>swYg|e?W4> zeOhlSC33O7+5Qhq=@Om-d7lmTFvL z?9?&O`MY8ty$S$YFeidiw;7z~kwn6Z#xO!p2@Yl`;X6*I#dw0Ng=PK|iCzCL_qf4I z1~a9h^#WJw{b!cE)HYIMLg~t&#(S|!1HMsV_c&QKM9WZ$_;jm#C#;-EZaa#7%O&z6 z(DwAX@M%c{0pMO;DFXASrON4r_)?YOna}JYN{bF)L0{UABad-rGB;vk{T{Et@$3+r zB+)meuQ9yQ`r^UMkkix$u`1mNGs@079=p*PNdnv=;cze)n`KCcD~+Z|rAg|GzbG&C zEx{RZtgtUX!r{PhIU3^c0?%M(5rKZ|@mCe|+Ji(exj?b|YTdb02_{gJw}f=mf-9Z0 z>RInO-yI*A2VFzNE_}+88}%$Nw^yyCPxBHa4a(%-y zbgh?`iLR&frC6MeTRQAK)~CnkL^0#;@$x0+NxaLSwf1TqsB4!(?ZXz(7N&%pM=p(I zrlL1?3fNc3&Y+{q+GSGG++oPlMr3$%JIFxa_81WXGQKCQ>vIQIKdQX0M&zmOsaD77 z23E-HN@!`wgnKK!EUVZ(Mnr)+@Am5vF4Bawibm@Rux!XVae&QmAE!#jXF+3>xV}=$ z_5*;s+cr13fu1aP@9$dAvD42NGzQa@rq z)lXTCGJ#+)*l5fzb=jkM<%KY5)aEMt9$J)!$M6#b$CpyQ@U1G*{wSC74Cr_~hA6xtAa6b7kF;7M4A$Q@lahWmlMTx%PU>fAlE zw4ye`OwY}cH+vB`arrZ$tmk`~nVaFbU6oy=d0|=?pB?jiZgSGa5w%AnPX8I3UJ%{( zszhMfCu}?-Vq3+jRijuDS;zad5vCu=aF-$kx3%Qa2B+bp_!9kS*Bco)c&vo)y|0hb zF$mL>9DjnUb1o?!P7^f%a5O%9Vu0Ku21MKk05I!ZQn@O-CJ8#|7uxbN(MH0}0J~(3%2MWrY1OFFqZygr(*1ml!iYN$3 zOB=)t4bmwhBHdk5B2o@8(jXwxAl=a^cPEb{g)yOOK8Q;^c- z!t-NRb=VJSW%(dbs$0KF7SHiGtu2>IPBiMB%JWtMaz%;cR!_2s$eIaf-Wv~RFr9*p z4rQcB8(D-q^hvsa&Og6xRWpe_Q!gBPg3WD|7ai1WH0%&Fm>L~^4bDyz_tIS%u`KDZ zHVZb(*}Cc`TAt$fSjf`xMnLSG$dY2|y8HEMe+}GxAWN3KjbGr@4v+~K5Bfytt+O96 z$k>ViYnwMyWNX~7vFQ93MR2aMB4`fiC!%?)I4FO-Q`{aIieddBv=qU#eb2ISC8LC- z>j}MyEN~3?+F+Naibct4<8%&=D_yhD?FC(Q<5R)R`kdUz^?cAyK&D1ojqhB@Uc7{` zj+!xlW5eVdsUOIQ9oP7VQv)Lck~Qa2SpfqR=rV3RzrUFU)IrE1e=%z!P6&x!hYyb;%;S<-Y62l1$NT`B%y?8`{K+6yU^heC$hPdw}+gC(Pt_ zFM#8~fP7Yf<|pQ`AAM4ciA@)_r69}7+ng>}iP*6&AuK|s8YvR?QM#Se$7z2`Y~Jy)f7`&-#U1{OQY!7upyBVM}?Q{>Dny_lvj8*|o)o7(wL zJDO+IHY0H%XJG+%a0ww|anT_&a6wv2xP|StiH|KnSTn5aDYRi~x2H zlHb1oZS}~Id|+{_FGbX=1w52b*g`=3OFBQM`2otQg!w)D@^KSVC{TiT zbj7vdb9!^`zd!8ry~il4rh0ag>#?SK%&mX_{D04DB|^)Ok@lt;`@_b6j`wsI#ruWr zRGEYS>;bw*dN98f7@o97!a@6hg7y{i;{3IV(|A1(+ka>k3??nL2Wy#BJRKm@X>0Z! z4#ATqBfv%OQ~kq54*Jjc2V7)lTuj0lc!au4c*NPvU6NP6d%oOqEAWPwVm`KiFG++~ z(|Cyy`t|tVKl#u9%ipJn;9CRS5?^80bKa=_Ot{X(GVts^ zLJeF1;fjqE(f9cQWVA%~K&UN-t|ecG`RRk39-M1#xA%Fm{`Fuzm%6(<>qT|S^d@fA zIazB}{yQtbeaxU@zQg)B2wi5=w^&~*{pW)yXxxqIwDTU3&Wie{tNy2+{!4*%WTzb={o{Il1$fnNA=y`QiqJCCA6wax#u zrTi@)`axMKbsSMS?FtBO{oTp1F^< z(VAl5w|^}vk^N*>$Z`AT>d}J_yeK61%khh-G2FLbT^=>-MZ!XOD&4&26nAHHnhva`2>RQL4f-0_5c%mJu79@olw!Ol`*@IK&6@}$@0uBN zA24g%WL(4U8k>Y97*h}B)Q+2URh53kH~N}c&W7dCf~bmVkly1bwm&?GZX6%`dHI;M zD6@F(ba6!Gv>GfTrsHuV+>uaJOy60vAZ!f2dc?-rGx$*X*>tI%|J;No_2VquyKKoE z)W$b&DwEP-m1T?G>YFlFFm+@i)u~qd_j7mSuCW&TiLVzfN$r&(&)(2)H+*W>GuSeo z`HYLmK(Un={qLVE0f;mrtgeWe@2yE`R}EV#m!0K|h+pEiD&u{&!;dA-#RI4-e?y`Q zv{*pByBHt*x?jaIVs!Q)QQlo0Pv1!5}-SeJHyls?H zg*V#t=zPR*)l*ZBTZ;d3QYc4OqQrX06(KBp@-a+3Uze7+Py^B`d)~zA`~v}^HehL@ zUUzV2Pg$2XlO106}Sm7VZ=8SLMhp4}^!5^cdN9sw#IQSKe1u ze-FGtidH>ac@|;tbCkUl$5uS{SDPk( zh$7461^+_fUIPTXp~@e--P_I?RzZ}&Jv9HuLCc96aUJL1a1M>td*Tz%LPXMK>Ua#d zTFV!`EA>_Ui#e_~pA{+jct5DL8&Lv}3T}9ZNs@Z9W2VybmD92DUW-VQiX+a%?>8{5 z9c5MUBoFL+`%_8rAAZC*TxUJEW97SB(8gmu{eoh&A%J&fJRE_M><-Z*zo<#lQMd+0 zS^$bUHgE}^V5oblBMLW~K(jMl{mhhV>VEB3MZ6_ZT1+c~EYO!|*~sE)n3CPZ2Mq-V zPbS?Om1#huGc|^TW ze*9X(OV8xM=L=7p%uAi`lj8DF5vD?RqFvgl30+fjo|1&;mJA-s zJdfy%WYl#uaFte{r2uw*z%s0647qG@p6szpHOCbIk2k|sV=-0D!3O5{vWX9PHR;NT16l)xO@*_xFBLJHP0J=v2D%@j! zzcXh%Di_j+$3#DLE6GHrgzCG|?N866&dLOX6&%Bu)7vK{51vPj{$!dD<(!oq=|gHL zwP&eYJ8EGKiA~JdsJSiKDn~XxAk+eWUW)OQ26vq9Wl7)C!e>R!&!67q$h!T=hA8kk za2T3&+4SB(AHAY6jzRNkdK|rGS@9}prNkl#L;0_SCIubTu1Z4Pye#nw(#oP&&5M7| zl{czz=Gh4(<@KGnn*Cs?|B#l_O7{{Fi;RmQ$v{6^`c0p; z;WVwZ3MuuPPhqyz8*TdqskVQ^YHct$eS86Wq2G)c;|fA#8#{I&6gN!;jw^+y3cg5< zFeE=$gJuyc^}fX8eT~sJ=DEYYgf5;%@RF|-Xmxb8B_@K?4$F)YxMxrGT{}i_&_foS z?SM@0HlZ$fOT&^63qN&wh)vEx!@v^9WljeMb5Ingcn|0WXeRprH?>c(9WgYlIE+`h z1rBQjGd@&ATwl-a%tR4Xed^8vAAc!~z7AC=(Bc9Kg9>{{{oh(NBP1j@qi#lpGv7Rf z_Qsrl`l%Qz_UVjMTTCg*xXa>k-!LHuXw``J*UyG}%~M5KDB>y5&R6u1qXh&;t$}#v zqxp*1z41KqXHcPTWW>9uVZ@(`kppc7`(_k#*OV{GNB5yHgVHZ#eNz@ece{)x$Z)g1 z{Hvf%sRH;^!|kYoIloO2#tH5mWsy=tt4Jx;VFhKkTjdlXn)2>*3Kh(sTm`Puk_*SH2bXx?@Fs#{e%uh{LJ9m?~NQ0?W z&PBdEMnw8o1(Ho2NqhlJ!8Lx|%u_jn-kW?NWSelK3f9;^4el$L!H^&Np_wgTs|8+6 z94fB9z7&Qo^PRs!vx!ccldZ_qjPnm7nN9T57(2nRf29mQ>Qwu9iukw_nwZ2!3#!I9 z{x^y`td<{w9V6@U)QL3yKF~PibRiblDYULY4Mc&T@>#3V&2<1=tivBuvvj(wr~177 zeSMYNVV6HAWnNRdA1=o)=|mY&UlXn)M#6bYx>f;R~RKVA}-c~lj+ ze42+(gIs7<6nlNmo^tmb*b-MhoA8T}{<~+$xl0&tVa8}KfhbVeXQ%S!P?9m7yh}Kx z6~mo0?WTEqcLojTi;$eaR#_?Olh*M0fO+g!guiaf~ODmq171 zZn2=6LNlV}uT#gE!b65}wQ#CR4!Sy8q$|P^G1$q1nXgfsCc_8mk*eINm6eh_0ZMiW zwQkpw?*pZnM;0R)kyYE%=8=(eLm>jpD(oa`Z^=i^AZmr+i}qdA{0<9x$mJHni1hQJ zE}FdB83tf%+pMa=X0$9jPRst`%m@LKUX{J^Zy~jDalDpcP5RkaxOi)aLT!<1uRXM_ z>qq$VZ^ePXIYv6!IF;AS0%Z+{gVN{{wk)0j20AuJp+lrMA2rqWx}Yj|@8BCnM&81n zz=`h2q-~@U=p174xO*5(m{8@*$tfEcYgoLvbla0)WeITw-~_`KUpx~AuNO;oWZ@6Ejzc9m z{uOutCQ}abO1Sx;s^4l@=X6R8y&W$1+7Q&&yFTrfV81{xutmJhj0f7>!!Tj!xeW*c zVvOUqoLpAw6h~_%_a8^)L51V`Z~XeFO?!Sfs(ePL3CyMDAN=WW%^rOKk7eFl9_!is zOFAmOFWhH=Z{#?;8yYNB>uba=QpxtXj8j!`sYvC0+Q;I#)vJlwaS?=6Huw z|E{<`^#WpHh@aHSq;pZgfjobo;`;*aZ-s%}PQBXv@-CMn^o#9c!5=!M%^M9O6DOTh z9F})NzL<1K$K9jMrnb*Zvpk5BHHolMU1aH7d)Dyb`jA(|{YWUUHjT&K`UEzj8Y})> z#NiOEvDUl|K$-cFkJI$C8GKqMwZgz`U&?PK_f3U?v;dtuk(|fMj_G)FlvSof&PWG` zcmBp2n;wXKX#t4($83dv@X6(&Iyl7KX*EEqAQDh9D7qe@hFfH7TjU?sApj_yra#=xFnf z)H+R)GR$oly^CQ`HAg{o-Hc<_7#qT=7ww8T_$r2j2kwB2o<-d)(khpFbKU$znj)G= zk0(`Z-$VGAcisiet9=2qjNgUqGX~Sqr|9{^ebMobijUjVP$1|hh>#uMbt2^NFV3KS zfBoF>DP5WQm>g>Gy+M8+e8iWBPOUA-Cb8$^HHiuWPOAcWXuV`YAgp~49F2JnGfO@M zOs^JPy=(wVRdHQo6aGW~tRXYPKxV9@%C;9*p7j+6(*Xc@H&;6#$V1pxYN#q%!>9yl z3+Q&FG}V#=6vrMV-Z`~geq^mXY@keai_*KsO~D8?kP#>)TxPF}hAbaJIHjn>^*Z@{ z&Se}aO`w!3PVZktZ;f}dr)hav%-WXz<~~pxH8?PqX&!i{8Ey%N*)E%7SS^e5lY{h2Sn2yHkJZgPXhPe?XrDk3wDbzx)1 zk|IP|VZls-mh6$^F@Xh4-`wpXDzS4FtZpmKr_HR5fzqDxmdEXMrL^adF46&~fYQL> zOXk^t=#Ojz%hjhnAGfFa*L}>$jLe68GCC)>t#da@&sa=2PH3%Ds0ld&gC*hwfhlpr zmHkNCMRs-~%aTr)rBFsfHl$~~b1%iIPw~3d)IS`XD$8 zgC;klytbaaxi#h`%`tzGsc2N`j|l&<+}R6m*VI*5y!BuhalCzn-{s?}NO^yLe-jH! zhZ*bbHD?Q2?1xkN9Z}$`Ic8*zm8&Q!LS`A6ccQS$LATuLObeImqUGaZq3{?%6L*EE z7hg(rQCQ{O7z=U@!l62GcZujC|lP==5 zrAVsisNdtgZNAFRxHfUgwGM@+O9v;6N-QErza!j#eJ(LPPUDlSlCJGF{LqL+@w;@S ztA$d2E_YwDPr1?gg%g6-UXRYIdY5h>U-23J_Q=5R2RpJZ`kB)5-@o*YywbH6wKy>rmq(- zM;K^%R^5f1OC1)eNaX`ip|4SN@0+gz8vz~wR(uFUrS$|>y0OVc zc_>Y4nkLeE6|NnP>9Yc$Eib(l;IE^>&#OTP%o|1XW+YX;NY72P1?4PE>0epf295kU zW&-aATArZd>D^Xx>r+)-y6r(}RwAIqWg@_30%a%zO8-TV?VnTp6>nt4R_8fEzT^A@ zvWWFdidHnAnoqJ{$pt=IC@94`?I5AWIJwB?g{A*dVB|8j6E-G2+{?20hE~qbP^Hg%vOzkfpl60d} zuwdI}!4sUftI^zHI^$&X>hh2G`OiJd@4MV(6mY{ax@EHe=f3|f zLF96kr%|!9B8(7{GUu=qgog16egX_%0iZn;P=q+QQD*Mw2~l5aq%V^Z9=fru90AAw zPsQR_0*a##b?_hI+Q!$}_RFc*14B12=Dge4-eauM6f2K&|90tM3cfa*$M;!&el>T* zN7hK{6Qk@alIZCeT>mjvmCB;&9(rPcCh$fCMiCmT``aY_@0ktf>?7gng7B>J}?6(Ja{GD@d4o{s8V50}^TV^Oog zYUA R{+|G%uFSl8u1(O-*97^yy}KR}={Fg+#qbmKps6SS}wL)7Rm~$WPab1Yz^xjc+1QgDROwNJgmrMWZs3; z1RHc`RK>yQtE{23nPGXZ3U0wyN6rz!9$QuGaKsTZ<`pwJO|wG2k=edRN$*t75?NH= zTOB*9?<0);W=zXh3A4ChYV}v4XK;63$4z+J>g-)hSrF|vDUqZtO(S{Lo}11)tdl!q za#xhF4}RWS#{JC5LXBFf$k3!_+)bAH;Gaxr;f=9ri!~GuIs5Sr8TkH8Sl$ncrm7s% zW6ouB7ki*W@_TPPq{qJmN6Bhcy(?4ggsWzue=M3Wx}9qxIXwl^H%IQcMFcG3h+KYH zBc^Yxdr)j}rabGm6iu(5pl&e0+89l8BL4HStuKlvyFgXMc9PmE!hC43B(&;eIfZ4A^dbi8sI|eg2hTsA3ey3z_MWD29Y}0 zpP`I(a*`52QP2WhHrY6Q$i%jrW{!#;R7KRUzl`j$*{{Z$<{3BM8sx4E_L>^p0)y~D zcb#WG~BQnH;5Hp(8)hcRtnK#61C4ep^`AA4Osj?hGi>2%PkG#!8sGV2ygO+c5ClV%Y$23>{{%OK!RGFnI35Vg`O z*ED;?@D|#vbcU8XN7_6k+BZ(iX;#i;^mTkh$#gHi%4H!{+i@HYEnv-+pin$_#*g^! z6=CCwwc{T+8J)6!7AS8cLUQ6N4HymObZfRUkg2q$;gF;%BSs|TPV8J3tLCMf|MmE< z&|G6_ZGK?37PJIXp)We{<@4?5Tqn84mgH1j-r~YTmV2+?yPNxa^w>i?tF5IP^;l%7 zq?MuuFWznPxSINuN1J0~GLmyKV{uR(jZf}ESFBwW+nVA-$Z)N%B)_cC8qacDjKQs4 z=@x){E~wsYvNVD@OQlY3Z?t3 zo5g?aH$>+b9?VoSJYg4YqC-CBHg{aO2+ZCvZ4Lmx$FL9%VpdGqXXQPx?x=JCfQFmV<(S`ZUQ#630%7R60Q#elwyi4cv&uJrivqm+gT(3b&_i&u>~p3`hG zW8*hV)jV2e3)TvQhE0;7W9hhgQGE-z{=d!irs+r6x+Hz#GK2}avQU|O3)2TVR-~@_ zVvowd=|gcGl({SCeyt$D3XgiFUcXp5`hC%;^zFF#`u?}}7@m1qNU)LRjm9t4`MdnI zl=HY%!28R`)7Xr^0CXnnyF7~}bZ7#u1r8uygD}KU&wjoC#{z8mgx{?G&Yr^j2|u~s zZxHN4u_AuiqgV$N&9IHoEkcv!<0 z%vE$t_1H6TR1&tTa4A zKsD<|$j0o`dzzh5W4CG^3dDf|M(oDQ_~sTkE30Vk-g}&DdQV+xH3k@;mIDl4Tt3uaxNjeEf{J4!MVoet~l( zun3xD8!a<917zR*bd+Y!fL~aA)>8ds*HzZ=lh6-TNQAo6DB39OhQ0y^|5ef9+f7MkdgYz9#RltKV`w~AESd8AFF))bIi6)CBUr7SRbrfwK>`&{ zj@4={R~59#;z%!JAwv0ZR81lKr^iz%rEP8bg5%E~2}gB;@!s?+)7fF=&^GREt=D{X z6%I5djpZB3VAF}OPA-Rc-w~^4Drd?Zv)rt7G>xy2RPBA0m7XR#D#lfjW&Zfc+ND%K zOP)bcW~yx`{h4X63If)_!=(Om;j)`RUNChq1EaC_f^P~wQ`B1p(_B2ND#KWj*N#g2 zIUF?xoxMmSB{J`iG|G{ylIOLKBWHC#B97a#ic2Fvq^BN}NUK>!e){ezy-FELCXt)~7*(-+ie>?05OAu4|IzIwPLl`paRIV;}!$%UE*orY25r46F_a1 z8OAXB6-X6FI#_>C?DKDug4=)FT(rwmykU8Ek{vF-wXZwC#@y^Rylap^UhrRk_)2;x#aK|9f8s|Se{@1W zy7R55VX|7|h9exEUsJ75{s=W!TFf_6vBj~K(MtKk!I{sylz7AKIr*R~m|OM==zQ7B z&>G74|9}>5&*7i^lQ&)6nZPzk+*|rA#YB5%N$owt@hgZRO5M6~J6(=0pq>B`{M-ZdqTw3nDY!*X{hcZE8jt z;IFLFKx2|y{4qUiqV9Wog=k`*8rW9o{Ytnrv5w%0n>@k+()-!bGsRfre z$sn80g%BJSDs?zA89namJ(wN;%5t`vV)HW_|RR%YB(nOi;DQU&d!g^E+q!D2n5wR@SmypZqZ z7Sn@!JD@9B^K+M0V^(!@z_EaTGK$1UnGO69j3mv-Dn6{W*G0VfGX|a1%V&+E(S8B) z*X32q5dny!H5|N?t5qtP!S5do7f}V;Exw_BD4;{+z;A^CU4aNK2BlEP{g{45_dX@` zb?e5dWoff|t)tH;MNT71Cd_j$Nc}&1LnuZ)yatoi6&Xl!Po{0V3 z`&*XOyzP-HkiURh*Mq69Ve=R4lG^0as#7RnGK=j=^LOxYBq05o4bDBY7H!!+F%iOYbHy*K(L#7<1|WerG*QgTAH_z}47ef8ID zzw6CAO;;%3&wqFhx$^Er>S1wcAU&sn7se&L^e1xI?s=-7dS_%JN+icp-{2q5tH3}> z_~B~WEITnPZLK%)8!!(3K-Pp=0y%YLX|csEc@2v&9CN|^0Q!aHkm4NjX#91lYA5Gn z3mmMx8XMk0=|}>MDY;&DR^)r3AZhh5BlDU&sklH3AMri0GN*ZzJu8!B z>$U-@z3eEvc%p%gQa?aeMOC@P-3~z@Zn>6ZrpFjhrPKbXXjt6%!K>njb$@{5tbr6D zIgw8~JlA6$he~d(E!J5doiu>5rh{wZ!K6w6P)84YpjdI~!20LkV7zgW`zvIFDpslD zHglF;yPJZr>{&$Eogn~zy2#=*F|&}pc%v;xO)^Zog5Bt}v~7L0>5E#y{!ZHxnOscz zlY&tZOhlt=IcD5Dzj7=U*1E!EB={<_T;f`+U9yZ``T0Px5h^SwM3uQ#DIrl-1*-MP z-o!$TPr8MVnz8Br)p%F}F+XTLz72^k@T?5ctXal!BtoekVlhw+^{F9*Y$HLBw5y%K z5A=^I$AilykKz_v;`hx)&(a^X(IR777Z`iH{+)&gZo@rlUTmJf>8beGgYP|k2fi7w zC14LhR#UrNr>?^_FQ7}4Ktu$?-^$=q zYE{}VPL^40NgZId*UfU4VM*8ZU73I8$(4EN{{zIh6ZepD*%C6}Iii4EvmcjpoP`Cm zrKU?o3K43GSY0TdWv+eRc755XtM;kh>MU+$@i<$G=;6^Jk-56B`m0*zOJ?nInZ7Xf z-zYENk0zgR>&WQJLTEWo_B^}d6TD|qCUhVn%xWn6;HRCsY%=OCzylZ`^v-vW}~sQ49=ik^Pi zyHG4l4XOd_3pnlhZHU9wPb^l#hvozrv@{gG87a+EZeMM}3+wU@GMI3s$JKS=k?9Jk zcy9qUWrI{zdkyIfXHZuF_wtdG>>Ad(eyOqFyUDU#}frxe!XNq#Ca%1PnG6+*VAHJe8JHbm`vLKTZK9USW^7d#eqr>Ynr2{t759 zeq>^Sp$9xICu;Jr$#()I@BSc9+K-r7i}!LL_?>c2o*5HpJdx{EJV8jC zCfH}{jfU)eO)|$GM1FN+;Cnr4dLGzp^e$av442>%hj00T>U~?Z9WoK0X3yeLz1P8E zW0vQ#)k&?XPd7@qbiHI|ZP$4abwOUq`g*OyxRIqWaM1!zY)wolqeaj_3lfvyV)FZo zw=z?9*tu#(ZqP8G&g*8|jloQ`IcYHK?b7G(^k26I<`IfmQY6)Jq?s0zt#4P8h(>p$ zRfv#OqfZy_*=JhK9lfcYL8jP7g(NSGXuX#}BCdARyi-vJP@8{E3{|73&6}Czom(2t zsAxhUKuh?juha4XJ?Gd~ajx9O%<`Ub^x%R@0Mt6mJvY3#8kWWoAGZsU zfoi8wXW1#dNf|Tf%yyzQI}1;`0HmVM@wh>GMV5}M0;p@&TxQN%1N6$NI)CqBBva~tt4$-(ReW!d{Ux!WQB(yS+e7nfh#5yjDDe`t!7|+r^IG#m1 z8rp@$U6owIN2fS6u@sX~fS>f3RyAspjgT&6DMgZ5aDg0#_gn_6WZx902|od_js1vd zlj+l;6=D&+l3_?Pq{K>NmZicIH>tF>LU(_1Tj6@$`MFH2C+cmZ?R`5@*Cr;vutkqw-nCT9fN>wBFuX zH){lSlH`yG2?=&pzn>UoL0lRBK~%5piXZ-XMVJ3hzWDcaWBC51(J!Q7J6|L0QUcD; zL4?rZq>2u<=5b{t8@8J7*M*1Ro4ljnJ!k~H#myh>*C+Jn+VX)qHx*GykUC9dk0>IT zcN#9XHMo|HjK4N7@R*f<2aSN}1SUVYa*FbI(!Z0r-V?rO?mYShR|3eT!d{cs9b<@9-5biLQ zhDpL-g^0=hl~S{@U5x4(oN{( z3f-Atjm!1d-i#8+3`ct0?^**f_TDNDlz=(hPh|Upm54E_&OTL#>*FsC&2C4f{d2~m zy0m;PWK_ezgY|G*>>W9c<55aPRf@1ncch&9=SWy}65uy8UvYfinyUP^3iI%^dq}cT z%yQw%snh6I->tM-ZHU0kjL`;?l*pu(3vOTefp@@+w9OyYl2E&z7I2%e1?KlfxblrG zjpU(tHrHmY66-DZ{_$5}nkama@9t4tO_ku6kN)s0wjU3On=`P&$Glj`!%V)P zmaV|^gwY2)&X@ADVH=W87P4cHP+&VN0qdp3wdiE_BQXS}X(?U$op@KTcr<$mPBPsO zBRasBRFvT;bmknwGEvRC^@L6^>*>9fPN0hDbBb7M3;MOcp9y4B{-9x369n6{$$n(^ zU0qUjkw?ou9`?AuqOqINYAmp8n8`?Qhj?+$VgI|0#|0cOs^*tWjxpyR4fln^$ul#N6#&05j}u&#ke}uy5N5u84Jm^`Z_6z0 z6R-V!8wF%&HJ{AMeO_Z{&J)2< z{ix8)E31}iOD(Fy@Otnp?QMBnVIwdD=Nwv5)-W_Cn~pzgM(iY4=}sR^QzKB`UUHsD z4e4)n&a|*=$u)nRi%5;RBgSuSJ(`>n`C9sE4;5h19OiRRFE%?I585(~wpx`CL+?ej z|L~l{*JNPV#=j2_^DkJdm+{3H*OJ`}FBOG=pa!$M#y||3yzo_Q$&y`$nnt|eZwlJofWH>Z}VmXu5ikBrM)y>sHX19Iw9FIg`d29^#>d8%O zT?6xQ9&5FqbVl*Fw^Wd3I+I}(+VNbFz-Ui!w$^Ud1qCGQyMeQn$UdPXE|ARP7~2X{ zN(?l__kivKxbO2D(q-1%Hhiyr*XLu6Z$rB|ICb65Rv2)6pz;D+oO|FR+8;F*jZT;W z_qi_`{iu8t>gP07(8cE^-;0o#Ql@{+4ATk6g2h1Dus7`!N{&Vi&S%Hkco;AEh8k{! zGr5S2w6)$=em{YK7}KA6;?-&WtU`q|W;A?xnkVz#N-0MLw`&R{zU6xK3rqNpl4Q4Q zyl{Idxc*WqjrbMcGqjp$IaDaCd6j6bj4Q7BH;7r;$P@R!6~w&C@P7|t#`oyf?$)g{ z^xL$q7ee}-!=)mu)vYzQTKY8Dl*?vn3yiob5qdqUvn%Fmpn}$&qF%+EbK2X{F|bZ) zcH3&1n>}ug`a)8qlaF=~-9u8eRq7&eI5_n(y@pmw-|GUGSbdJ%ZKx)HzMQ=%piBNj zgnk@ZoMbqBs>lH?>f^Or@2mi>SE$%pnd1Gi8$UU(G)XF05NqT`$fg ze^G8%O^9jI@WOc$^R+=4auoS<|1on9%meK77otDr=-W!qXsEDZ1tx%e7F}N z>-`rd$YeGH&rfOeOzvtxX9emvWhe=n^ae^tyP+x%$d%=K8cLqzobSHcHW6I|J^#W2 z@733Df$0xPhBHHgdeuu4b>!a*+LV)U3FWh*xWbFBi@g7Y`x z0<|oUu|-u7E6VSwo*|l}a9nlo{e0Dmw1vv?X$to$TX$*80b2B|i<$QkduoLIKysB! zp3$35BPU9OYuHk&9}s~HXcqsD=(P)6M#z;Wfp3rG@JFeJqs{n^G)CrfB%^xgo43iu zG#cgaRmJDPO=6_}$$UJb$>Wx{N*xv3n@=&q^~;s_h4k4^!zcR?nr#r{T$-`v7Zj$L zGG6DDrWW<^&-ILloHHT(hkHj^j#KUGfYTr(dx9*BbrTsuz8<2Mcs0!KtISexy>aMd z){kN->uW90ths5qGGu)WAD^T14iQ#A;?fA|8>tYMSd8dWwH_S|56gs{n;rCKy_?Ix zNu0|$nSgC{{2X7s;AvnBEd3<$(A7ICidHYXRZjnRJsgQ*QTNfvctZj9rtSok-=67} zfpSR zC2gYvIir`-mF$gvu~Gu5@?PoScPCt|0u*jGw|UNgyMrE4|H03y!7{(qno^n&oy3dV zCa!PTn))gS3r+0Vo9n+{`I!6GjKt5UOsKts;7I={kLzV(9K5B*TAI0emEmGn+8y6s z7nYqKgV9xe<$Or+o8m;R(9p1xN0~C9w*39@q{&ES*!o1~FqvrY&(EZb{i%$ro^Lf6 z^}fTfA9HP}!cima*3?gCHtVk|-)1vhOeh!W2@z!iIP)?vqpHMRv%ePK-k)#H%@=^= zOVQ)<0ujbED54JE~{doLSFbRqltPNWWX~3*Ul2f zuD2mn2YAa`P@>~kfe#lx?}d1dL2;Co`cwJEmp#z!9iNl=_Z6St3n<5zr|3QdXui&} zS3O8nwWic5FJftEhkT15I7+ z*I6-+Q)7r)zQ#bLJns4&C)UIu3sdgqTmtBxGwi?TTw#-OJ~+3Zs+{e-B9|b(u{S#| z4AlA0OPhuimc55A$TU)J5R{fCgTt}3hAtaHOc+Ba>I~+@dV(?+Pmt_aZVX-7SKWCQ zk{$tDv{is&QgxF(ayy zuV7Q0qwP~@XnY@8PR?!l08nEe=-NkmAzd|!Ui(+KU$j>7Am-g@iRnnetgf>k$?vN$uIlV#hI&8hNZGTu{xRijItBwZiUpplJ@Hr?O5xj~ z5>%nH8hzmI8e??~_dH*>b~IAH@`+;lD{S?+`(+jrN=^so!)9GaqH@1sRZ@|q#F4ZM z#Tq1tOg=+$uiREog8EP$0=zZfJ-HH zVoP8SS?`RaDXJyw#A^rWxmeWT39O=-nwP5^bB&Fi93UucWlU(e4u?@RhX4b@--|ffPXD#eaJD)ko9eCQrt1)HzV`?q+54@n2AuLp28?E zec>3WPq*Ww#1v1kGiiUhLG~A${&=UTlYolbP(%B1_^Df*yl_vR1$3|6aWc4I_9Mjv{>tGc-5g~p{|Q`XeCO4p zxeM)jII1%3yK*Ts;wJ_mZqz3U(T!M{Ds^5(9PJaBrb=A<>a z6ed5xA$_3M#>?!k=8zxLO1p6uMqK1Dwc>~rr*YDV7ME>+qL*ikX+timQyM-9{>$=y z?5rZlSIMlB8SgR_jouoDMky2IaVsRrdo`OgjqmV zE^CAPv(-M86@JPOzWWkKfe+8>(u@5sQzWzwdQ{zh4*MB)jWWws2r=wD&Qr^c`}X?D z25kMg-UfdqlBvG6?-iWf�DS>0F@D+ zclQkD6PFJ*KOhS!%n!d3BCEg$rt=AWG;tCF@l zcC;E-s~~_DxNA~*I(Y~!0~zW+EZ9DkE`d8X2TU=kD-fm~JPC@_yGi`z0B%bZ+Z;|z1$>n-MPj1=GmF8Eko4GjLU7AI~G6}zoI3qpZqng0UI9y&o9lCwIpH6xhe zF0xmIMvPOVbJU6rmJ@FF?VHol4!h4NZt5l-Ub7JE4Kj@!))F2~%iB^u6DurJQ8Ug} z^8e+6;;JK2%xB}8znRaiB>x-c^UnUhJkQ;)tO@U8-Hxg($?nOP?opw{UN>x%;I4Evbwf zRPL9s4KAna?>2>KH912L<^=`~+)w+o9aGq*c=56{5j(7bj&rKL&G2|gVl9^N% zS$zUKfk$AoE$%ztas=fPG@KQx z$2z1C?3>@88lLOE-Uw2zDTT%OPqmY~oJdb|9j}19U7@q2CX?n$Xf@M=L@F=9CMs6hfQQSUJQ6rD#$|KgE z^Ee{$iij0Uhx>3st zVtb?7JVT+9q=F8`ysI%rD%?A6t_c6IF80uyBpC*cEAUfdZ)uVFHzvn`4RiFi!{y=5 z&c#ln{?V;c$>D$_j=Ac)w>>d{OgzKp8qjBzuk)Q#if=cB%QY5Dwk|k=A!^lmPUG5< zi{?RFWO(>=9|G~JZQO1rv?Y#$WT@&&jza{6U|0VO!QSqa1C}TvTQicGwt-uIswC2~ zEs`19AYcsNmX_&6K9j!CcD*mtAWh4DGNjdJ$0T#98I~!teiD_c;Z^rPSbNK;DBHK~ z`w~%96ci<-k(Ng35(SY)8tKjf=>`D_Y3W9~8-^4R7>4d1I)?7<=a}n%UGKftec$h= z=UI!z2i5{+&NwYTPjYH~jWJq27)LDRj z3*3(u$m6Ye^lD^!-gk1^Vc7q;Kx_ zenUv0;#a}h{(JhZnYbKN|FQt+|J{Upr~EWG9QS?8nrgY(kF|liBfOjQZoInk{y3r5 zvhvrIT<)vN(-4i4GAW$8p+XSuBC|c2nF;00&JQ|#!k#WQF;;Em7(O{_yqP6h9JtHN zvyR$VrX}MeXDvx#wH(4o2R1$F2RqTnYwR~zmsR*aE>G-WAMQxi*~;*DM+@5CFzzol zX-9POq<&ui=6!_Pm=9f_Zq2Ju4iSL0a`96kx8$QzDojEr&WB|N>qN~5%k1;Y&HLIF zdRW2Qu>HIlnD&R-a}e2pb~=(yPw(yn$%2`BNBoOBbwC0Ym3IS{?(u|f&N6rj&Yk8TbKt8eT00f6g^c_C9>zdUJxD}&#sZGGXM})xo;6B`7|1Ng zj9NZLFVq5gvEI5f$a@!OU3Zm4Nj=VV_d)i>y8!CvGOjMRNzZ<0_F?2wLYDbY#mUXesLL%Ovh51>?fV>7^|`FbY10YIuFrj zBTQT>Qm^LaX;wh((pAUN;b~!x>9t~y z#oUd6or)ISS?br8hcZzOYj?bWwoI;Hxg8Ag^exh)a`>9|M~3sRYWVNQB$bl32#cRj z=!fB^x}U@!TDFAI)WrQIF|S(BMjOkbU7R3`hOJcVixGqSb?xQu4N#}et}6iHrD6!m z=g?z4&1J6ZV(;xwUAaC7l8iW8IjZmPNr?I9rIo6kNjDp|b@5y*EV#ni1aD~%vf)c#o z5pA-|t}grPt7i$6&jFR*s@+atbdz;oA*4tgp=$_cx4HcevwnjwI6~O$yXBjE9Z+&{ z5t1g2b1;m+dQT3j z=m$K|R3jpe#dJTQS~I0uOJvdCSqPu(4fCIW3yJsp)iQcN;yv{FpxeyN)Ara3>65AfI`F_4l*!k*G{5}M=Yesc*!~>kvOk9LB1y)% zcX^2CV;nstsTi7W-Bh5XYVf&eE7U9awXR;I+_XbH+ zZhpvE9RXy+=#(Lg?!sxwwp3*SNk~R>F+z&s#79 zblN$jv3jRKSo?! zzpAAyzFHuOT~wGtq3tD zB~?sL#uR?L*sCZ4B%!7*I^9Ni^hP;(JKtO%lm%30&p~mf61SMR)$Fw+DPx$r=jxkE z%@dzemGdJhY1xCBS@1>qi{k_f?|=L;6eKPJg^{sN6DOi$ANH@`N(%yQHobL~vwTQV zCPlG@`2LKS-VQCbxunLUZSfyscqi4(bI5-xn2Hq`W2ZdSUDz4Lhz&(CVx?9ABete6 zm}xXVLF2kNIt7>CX7D9PvW@0ALMn0mIH>oXN|a=m-39%XX}3Id6N3ZQHHTcjXG_~e2o9t9}(SM8UAz_DdXt-Y@)_ABTyZhJ@RTw zxCmQ*--Q%+eJP&bI4}@0TT{C<2X#*j3|e%y?=gQ(REWGeYD!h)?m6tEy#>gA=yv&- z=@N98SBhE_$1eDMS9QO6j&z#iK9Rv2!xUTme%#ysS?6Z;&qs5uCQNwpp!PvlqA=zdn;oD2kwC20r+-D=qR=^o9HRw*5)p z&WwPuqtVG$imk`t`E-3ng+j`CU&WgWSLEdR@Qg|j7p*hCUEZ^@r!-6$`i~hu`h)0` zT(N1Sp;pRJY&TJc{qfs`(w|)&a+_&uT)&;QD%O5)D7||xSp1+iQ>(dU z4-<1phrkcNI3LqYh#*{VL3n^;OTrEG_v_TqJCmXvgwyC`bMNB?9Id^cD?@n_1K;V?Q?)hRp)d%W7587jZlu!KO|6I)iBgqodgxk z+~g1Nz&daPespbMht-FfPnYvR?hV|Md14(M;;YGZb=(rR;GrT>*Jv{M%6KrpDNJrN z`0`G@<*DR#&wGWlGjVSf9F%45j2BoA{A;N zVMH?KndhELG})YC+dnyAA7F98nBA3zNG1GrNL4imO?k|f+P3X8azwL4e8BeGN=eP` z+Te?L-^Wyo&Du2i{70$9DG6)9WT%{z#)dphK4EE!RGVsv`w%w~q* zqMnQw$Sdf^tHZMW8$~hMQDcQ;HSI3kV-xmjk(bcrfY(-0PT4LSER;LbLr1^wc2!&N zCWcz6S*Uv=+IYBDevTYMl6c9Br+T4AIV-& zNlrHooFp-S%68M`oKpV1D%Gw&Ja=|5%F$&{#Gf9ek3%b?O+sr)96vO2d~)O)VKMt!yzW(7bXh;+#Q=~9p&(Tv!rf?YHk-U08er&94WJjGy!*0sA z-9n{yS&}O{ErguAK#NWL{lR9;5(%Dw^s0ZrQhz8TeZ9i{wjkYC;+QM2^ zFyCn7613>WV$=Z1B)8puyo@O5f3p}nj)H_apiCeBu`eBb!0BK;BOOd(`z#C3(yHP# zf$Tat85ej{QGyoa&{qMK(rwv(3TyYi+D3u>unvFA)WR zE@!h$u%T5t0h?XBTOtj1>+V zKm7{ZH3ng)6IDQ{NgM}_y#)^f6Tp*p7W%kE!)Oz>ZCu8EZ7RPuWP+e-=jntW zHAbJu5qHPuZ3|8!ZGFTO^G%o5;vl4THo5DWO^V2xazQojY_=RpdAL*@)Na7Mhw{ zBZoVSQsHT1wP8w0?|JTeQIDzO)_5{b^7| zI~D}Ywd`L?Q)u9=%9qd5NI}->dadU&nIrs*^phNypj}6+`uaDz5n}XJMNc$OtHU~L z#p~mu5=EvMXR5_VSjD}`_9cXc&iG?1V^}@^KA>LmlyW&T$=-@T z{A%z0>3Lr+H4psR@KI-Zb$wsd@3br zIxU;d?B_yG-J_&~9Qzc|Zc;I4}IF#NB-zrH;Mi%;dbN(C`Ni(qPu)9R1y z*dKWmh0u5{9@CSE{^{HQ_yUcmM}~3gMWv&9rc~hqXcKDK_2w-h#60Y-Xfb&r7O@r_ z{EY!X%_66thTGDK{>e$I+d`Ji*fd*f*BG+RiJuiH5e`QPY zcZebPT7313aHUwgsZr-+Ell*sP{e<($bb6|{-8-*B9>!J0tFi2dW!jFrqMfYJ#<;`eyT8?GnK6B-JAMh|8Ypaev->o#XRS`3fZPE8I_v&*dLgte zcvnd;rl$Ue>b-p`q`nxbb0&%`*#^p?O@h_F1P)1ysY-E_nd{NUsH8<13{Pg^5ZU|u zIjsz%-Ege5vxWMlv~>1Kd>8Q~tt1Yv*#Eo&XIr|duC;HZ_4=%)B-}jBBuZbo;~~am zdbgJ4cTO8g0(*S_`BVe_-vLi${uV)iYE7|C`R7plw@dKX!%WF=(d~r0c^&Q_uh#l9tVBPe+zO_CMz)f+Bp`?Xk8xN^g6(8cV9J zO~!5zAQZQX_plVg)N;kaz+TlK#q(cR{@W8Yx06!g!9=lIc4?cwU25WMP~m4(bm6`U zf+R}LRu)HZ{!YcSijhP^y_9!orq2if?y;GSL5t{zC))bFmSE`xJDT0NX>k8S$w7nQpm)2E1UO+KA`^7 zBQNl2p>Tcv#5MsH&+Dd1RPbt1L{!}tbQB8kWt;wcbcrg+F!5@~TM9!%DAiN1cL}E+ z==%i!x!UB^sP~2~h$%HpdnOFF)9vxV|GFFo(ceOx zZIm}Z*8VTIA$U8@_q~`LCUpHJ7=n6v^th6M4Z>tcqVxayDZaSl1y*SS0Xl?d_bvbr zE2HBmwB@2tKtGF%hKXelshH)&pyx-+8>-^te2RPrme553&y?gD zvM-qd*`J!4&8^f0+&apDKnQ$B1sbOq#C8M1sI}Z1oz*LVGQxyA z@xj(TKESgDCh}Wd6;?~mKB9V>CI?CUw${Urac9E?i@QMtjf&hRqG z&NwHyrk^xBqS|Ee{Z`FVs0=46dI9!ynUJ&(Z#UH)96DMwYdC(NP?tELstW3XN@t1Y zWCgZ!NOEw3@L58Sh-9qC8-1nan!xmq+2eJzSOjZ%YfU4m?{_C_P6=9<@D0AKpIxj{ahX)}-8$oRJ} z9oYjp**pw2@?U)Zo!(of9nF`VFE^6Hs9U3J{|QC!VjdVwu{!R~?NCFf^(6NXS%iWd z1zot-XVzuit(Cg3$xG z`II@GQi)NKZ58(GTaF}Yy9i?OP zp$r$nXGL5KMqZk104rCGg-S>!Pyjqzg5p^q^WCXpbV3=AshprdKcL&ro1=;v!sh~4 zN}VL&XCWR;!1ikIOHwl!=LaTQ)^&=Pg9ta+z2z$@i7RC;0m zyD%X!n);48`awvwZ&K^>2E0%y?xkVGyEG)(NSVc3&uL?9g*<@674d@lqsWLg$OLn# ziV+FzjvGbEcQmiO(4On0Zrzh1)gt9JwuZ;P?-jD!h!9E8;C1Mr@UJ1;I*di_YX<>W z^&db3cgf=12X;IaPp?o`xYr)Cz!zZ#+X!W%(y88V3O25q(Z1(e0^-3dld@fulZ2JW zArWn&M)~*XjIn#xds;T_!7ued)~YN12yYf3{0D)HLv;f-XX4jO>r2`cr2_o|18#oex_Q@8ID)|q>I8M@6=b#qSdXb$ndiff<4)8 zNPIC$LFSn{q)I8eaKE9rI5r<=Vf@?QCq6jSgFAksqT5CybW+Wdq>JXEoGkT2QcUUQ zcH-;-cH=Dm+3LH?-Svr||oP zNYch}T{OR@p`u%l-!)sivE9S3#R$4m?ACrLwOrpR7%Rk){e4ks{(zxG+hz#1qet7zY4=i09Qh{&6H!UGR>{lJ>rbBt;38ONI<0;hq8JI;drSJa0Z&K6y1F|Iux zVnH7+6dAuOx2khlQKAIUp?veIY?cSNZJ7GniY)liWI+kVHH(i_kYG$!bE9{71wdcU zqO$;#KFgi`3_5KiIn0;@Gs+rbZfAXEBo_b;p_AwoZPgPteNYY>Db}Fvsa~K@e=I!q zimX|B$+g4$9Qf>jiAjryyeXtBrts`jz1Ik-~m;({(RfyCS7N zKI>?lJ?Q!Bbw*H|y%-k)8B!S-GV`pSHB$t8WchfpKE_YyZBXAQLhh7zGcN|e>HAs{ zU>=9rs#C>m`LW4`({g%kZ@j*q2bazSnBDcBT$Hb=# zWmDe4$)%E$v8|)Cot9wlJS!i;F!T~*kBaQ)=w8w|sAB2G>B?j2k-#)ssjjMYYW}qX zRumsIX}McI30baxnx&mneECa_n_2<$Y5cv1Q9O70n7TFY1QuS1_vi*b_M&9oMOai3 zuIf*kVN3j-hJnK>4v5FP%vxQYvB|8#nxz)PRQK)8#;liov(~2?gNQIv5)flAq&K*p zb*r$PeuoQ~s#d4f*bPuG{+6W)xaE57w)zcE`b&U@{gCsImnzC_)f8~t94tIO=oFjr zzPb`Zf_S1p`!f+zPdCc$>|zP5BGb!C9yozHsLRGNDD>+2c3hY<-Q+E|_3k>BRThQR z;qhW`(UgNNabB2STB>xb#)eCpdgRK_zaCD|$OT`kMqJlH8rAwso*stjjg%EutEa6j z38Np!4=zxH zlP^_f)F|fw6t&tK3=nC*^aDFYzWcS@8#REO&HDB96$i^!%MZ{gTtvnE4QjYHD5GBM z-u$%&2Olg8(C)6DJ7o!_tk=?GN8JK;1h2i4;h&u*8!q|pfOH{=TG(1lvhA~WKv!Ne z8tiv2zgDJD_`AFUsaF!xPMpo4aYgLglE!)!&t=Py`EcR*r|aA?fU=+l;gwRkSYtg< z0C@6_TMd8EtQN0$#qysl|6T2~`RVfMFAX)DiDSex<|9sXMg^kWWZlZHa)f^u)}Zs_ z{Vw~7?YQS{QSNoYPe|nb5K1DXrTXuK%{|Omru>#7kK~JVnIefL&6jEYmcL;Ew~bV? zwxrK?;i(>Wjau5C^%v&#(TmRha;p9ox~mo-1RTmx!flk|?apa{$2wX;Q!vRZH*lt4kKJTD2K7=2aT zYWYmf4mQiIrjsxV?L|vu?0l!$FK;e~2i`FWs0QtFqb(DtP!G(lwV?G1F$c5v;vn6( zdsr%a5ua)L7SRr&cq#UX}HkOsnnDyS1XugS>-qt3%TuRajF z9}Plbb`DL^_3K?dVcd%k*6kg(l7Rz-E6_1Bj;BVg0{jRLP&t1Mwk~UB307Iq32*@| z=tpi&(j0D3dJG3k5>TNDGFT zICNEw;YnoN}_j8_f%(@+h|y>0lrAf%E*L$~PFmH6vkLAWkj zQkY?lH67tUdAtb@2pl^q=8ZN_Y>CFLh-(9FVl}B$>}?N}3{Ew`)9H7RFyl0Aqf zSx-YAW*Fk_lxYSzEFLJZ*gBqH&-}S-ONi8qoy>lc5NN2)WP1qc*R@7j1jkUvh3*Ac zl8ufWHn)t`AbUNL{Q|mZC)& zKvoc7vZIj0KrE3L*XC&84x~?kGDtVH*!T6z1(YR`e?5>J&%*$b4<_^NTD7cN=VT=( z)UY5#VtbO|jKW2k;*MnbcYuMe2Hg9^HOGS{D*sh`GQu`DcC?9UlYjd?T z|6F5otVmlOMmPSuX7Y{mlz(3;A>ML{W(JhjX~xlr#aST!WzxL)^^gFlPKJoqoj}F@ z1K=hfZ0+r#*6<9w7hmd$z0Q2_N>}VY|CL@Dfy0)PW77bxP>2I~m}@4%oS42;esu_W zSMLF?Dq4NWvh9Q}Wj>-**GIKH(`I$E)DArPbDCvvC;lt~{g^!-!WY(S=7a)Z5AIcs z0(TVd8(_cp<1Q9=^JLL7Xq7)zMd!9z?nqKHnJmxB&<9ge$DKEom<|tqEZH4|A7l`3 z6~590dn4anr2RIJ?!dA)%Zs^z;k)J*pft*;FS-FJLEp8I_yJa&{6wGA)RBr}y(^=*=hUo6ex#m1REBy;kCUU0+yPY{M-_1_U#h! z%D?e5PK5Ix?GBp}(_{eiNp5D&be zPL&Mu|FQ!RJT=HM1Ym3i#pOmPA&d+;#S3r*y4ls-{9B90c}loH9l-h(-6 zme`kNpk;k&K;OiaEg#BAEFCYw$qQi^&fg^obnj!?%xtBkcMmw!pkGlzP{nFkFRgZU zdos~k5nU{>?v{D#Yy{_i?;lLd7tzO_*g71Zl2&8NBYf*=B1&iIUmZ0nfz zNV0Mb=gOaAd6h*!iZNy`eJ$1L?@n==+e(5DYmA|YCz(-ud)ywOtO8ejxraczu^Z#< zywoCrM70b|1@w8;F)F4;KM@C>g~6X z?dOLx;{l`QD)p;-(`;uBpKTEdG843KvI8ztJ)3Q3JZ)}AZ|xj=ep{Vgr|}`DA~HVD zd|X5ZS=zw}j!z2oGOh5nPxVCpCU!qr)n5HUlC_h9{xC_yZ6CG>Sdw-&H$V=Y?5idW z)3EL3*jda3t!sp-mA!6~)Lp>O^10us(7zwZQ2Z27O-rA1f}IyHexK<$HvJ?`tkQy3 zKzk*4A<7T32(w3W7ABpDl&eW0y?S>H@z8VKtS9e79GJ_Z;;0_(~fV{D|5> zy|Sa>P4U{HBVgmvBy;$~dgtc(=O68au^?WenmW&sI^o2lX)J;pxf$;>=3IAwho%Y3 zeFwFe{PNU#OX|mJ$o2VJ(h_wuh>zP;*MP&AENVTmeox4wb4K2vku|9f2i6=&kOJGzkgCMtm%F{ zDjZ9q&!2pAmu%f+G+%G0=Ig?HM>i3QwQiIWDu-!r5Pco+HuxL`DOyW0!6M@CB!%E- z_8TM5RIhd%G4U9mqRgy>CTuO)XQ$#?oxblUi)_P340unc*K<;tWdzR+Xo;rp#%kF7 zhy#S4grZG&92msFFm(4Q9#6*74wh_=z;Nv<;0A?nw|z2+Ig!HbEY6iYw*!M9nD$)z zFPkh8jCsyWo)IK2PehnE7GG}ZZl+YEZQk(PrNAO~WS5}TAyAHWAB#}i@*SGfqMp{} zPub_|uP(+{jDL}FZG+l37 zS>6bfo~Jw?-%DYg3$0cCnz>VlDA8{EW$~eP?+!J=REw_w-xA>>d9fX;_&QwRb}l9@ zb9%&^&P&j`crKLM3h&uVD&jpRSp?W&TAdf>i+ekwgz1adQ^2+u{=eT#dBT&Jmy?w*QH^CX8j{5;JFaqTk* z-7Jxuo+C04xDuNY>_`pkt9^*AmJ+fm5g*$(h`c19S>;h*(vauPZXF#1`H_WZLM8lu z6F+wt0zcn*ttV^bDBEKgT9uchdtJBwC5Ag#%DIi6fw8#jEn}zg;_W4# z_V^X&97{bouV9b$W*mxVt;*Vjw!25xeIkX1^6q+%UgB+HN+W&i4za6lI1lKep&X;f zjFk}O)tKzlqRu3lQAf?DA}Gfon|jmTyvI@q(O!mPZ9_s1$OKAq5|bSoz2Qz&rD+R$ zV~Vc?ml{7TV8=T=O!|U-A^x9H!!LpdI+`97(=onuBGtjZ-3;1`qXi26y+*Ml4tSbV zjt;jcHxL+BRlu*E!g{+=8?KO}ttxf0b^FIg*6b_YvNNSA^*cKk_WVN+M6-Q`1Llg< zsz17&7-lU1AKuVIG5U_$AH)##%KZ)#v#8BZDW1u?FQv~iaj30J>f{~@VSTiA-L8r~ zTaEq2OfiV4I&p!N=ZsA4Qq!!?(Tf zd7fdu>GJI{iPR4h0Q8i1mXsH{$CyF>GvsA)I6{AY=V4rXGg?;K5Q*hKh%yc@AXrJ) zV0=6SPMN@~$Hd$NY-3N@yF^7mnuhiBK6Of4Qwr!k(P^ve!g4oNUj*Sl*Zo+l;{#m> z&3(G;!nHbS9w3>dM6DP){;c?N4pQ%Wve$C0qxU)|V63rx>zR?$-NKleU}}z8orSOl z5Pz<{fJV7cVbwiM${8wRhjbDSGsWD`%w6A!S?!|Rd-I8D_($AESeRcC>%#!|bYaV& zxZUUH4w!3?kcW}gGors-d4&`Ft*nN-XOh?|GOo349WJ%Q^A(P@`E^YnSPsU#Gl=v2 zl%cUkx6@6PB(7=G`P{KE%6a`r_)}t*b9iCUErA$396EA=EfmJR$~9xBu;xZ`+6h#U zFX{OvcQHhnM=Jao)m6p~FWkhAP|dOC0tJ+F0C(OBmaQw>&Y83NlC8H3~_nB`;Ab zn$eP0h5G#|0yAd?Dy~B88(JL;^e?dOtAF&8 zWj%>9+5OGnDeGL}E_TaCVpfdHX4)2E1rG zU!JDIAeWJqG~~i5?YTxg?6fAgDbM5VC5?4TiKfMjEfiTJ-gNuP+gdIqn?J&(_;Cb> zL|o@3xq83t=jC7=T4`XWhxI&b=X^1fhjTfSY5bTG2#l(WexyuYL74DQHO4ItJCtI! z&Ceiw9q}id!p`kaB)^OgJJCqFG8=Y{#1tb4fUXBeh0GSl<&MvI$hnSE_E;=`eho2~ z9IqIH%3~3UJr|JPXq48I!HdPH!dEPYyvO%HqELjAj+dQ z2F%o`=lHT}wtN-Lvg%*mWLLbl#QalGQhWwJ1tWG1fNVDrVgtr1wH+e$)oimmg( zRUE#^YVzyHJs$PWr_)m$Wga zbH22K$^q}r?)@i(-1T3eCW9@t**APk!EZDuwFp#nX;k4>u$JH$k6i{?4>c~u?4F#@x85S}OGriXz@u7rb3cer<#8 z{ss1`$&$n|7_P+rT5vRbtqd8}@S+JXw)|oFdRT!zT|I~|nkj3vC~7FzIq+3k;@|B_ z<{N*R!{!)qD8nTmAa*+0iWHy~eKTqwAGSW|;7KS(ng}U~F(1NM2U&~TFem^sT&adl zmKRStIa7$PBGxxdad`1!F*fvG`*$X38^)gyt8}IFHFg|vhJsL&XFoK^mI*(^!K?qH zTL|ZS!S9&6`wT4cnKeijD7^c5+gedU+^Q%DQ!WC;h`LvBXBJV(EmDHAkc zM3ALEo^tNdPGQQvaa)2GC1{<*TF*f``K4Bc*~t>co|AGe4>%Y1EV^oxvW{XC@k<|+ zI`>Zk4W--dvubR1-E~>>F3KOP5>3I@efB%*@lBnF8aPWy(j<}g!LF48{y)?`f$8eMn_3YyhyJBWNqRdv|I>f^_m2>kcTk>~z} z1tI(rMG$Fw&2s4iNCjuL)MBHwtBmmwbO4)(*XV*z4rlw7z0k(s7%C_sV`~R^m9b8X zQp@_B(-5L!?WJ$kYF1ke^#85n!kdwEf6B2IK=b&8I%Jl^KCy_Q30ket?Lb<#Iaa)x z!j+F`K4#H?4jfDNV==uRZXw6Fgl*t1UXpPJKnkpu2(0XOkJR@U@X0!!Bd`XdGs?{3>K86EVNy)DsEu7F zzK)L0-vsks!VAEYbY9D=YyhAmR|zm*l}g4kqa=)I_W?OO3Xro=CO8yi8-}V8aG|RO zY|9grYnpy3)m<8yq&0$=Kiq0?+&WFc+bdi6uS3w}%YVf@bq+-HFHo&U{jb3fbVv;1 zFf#^O{WY(b!>XK|y|1oNHbwUMt2(P}Yq1wTaDe(~1D!b}!SSE3SV8@JhDJ)*SI$P; z#5SmX9ItwOy`O79LZb1rq~SoqkqrY+Ld$8vmy~q=`u1k-))p`B)gX{Nsliys-(qjI z+_}rT4u}n_Y&}XPo!r);u>4I>jaU~rgLXzxGy{W>JVl87Gu@`^6WgV{l)^O^92=cK ztJ*gQ_|6ZW5t*vrt^JiMt6CJ@1vfPjO%sXkNKiwKcPtaA+cON^R z%%MCP;EE3YNkUh!Gvc_K$w@rVyrJ|sQijVO&7lgSL)|-VN>A1dzHl@a z?T;aeX=H?qHd9&!9KckOFF@yUh-MNS%{wwVKRXoeH;GLnWyz#KyIKifiE};djdIu9 zgWO?^&dW|aQYynz_uvc=iWD!gNs7&G?__91Q(vHl&7V;7m!IWh?kA=8{pY?TgZ7@J zoPCg!9P8z>N$8D@^aXjcHP%YvZ1oNAT2f@5BQtKh+_qSH!v{8Z%LkE^08^f&Z|xk{ z^;yDJV-i}o6eMNk(zB5yGsaLH+Gz*&SL&O!i4{4*LO_dyrKdyltUD3c}H zWV?t%EYf3Bpe(ukDbx^)?She*eN}Fuez;7Py1E!#&54xHb}whjE)TIF8x<6gnB|P~ zi+-L1xpsbWm^7!2?`+xf0kqRbKp+}&)u`I3yGTR+jG03U7~6)LZ(fT{3w9Xs#T|Uw zs2$1-VDJ7Bc-9{y_h4wiQXB-(qqRQ&2pPN9%-UZBA|3>uMUEc z;jeZ{Z~p{OMIn!%_Eftw9iO*7pqwo-7Wf|g+~Mu^c|*JfIwVJ$s(@A7bL9aDOhEd0+$(vBR(sj--1pC5Lnm5>-@jQDJ|Y5%(2)L3?C ze4)KWxn|~$7!RnbCpO^T%S@S}(cSJuZ9JB$6bR~K3*G$+n||L;_}71CUF3Htpgp|b z?Kc@5e->%yG*Vg)f9y@B40c%1=^2AM!&K%rNAp&{FU$dVa}6Q>dMH9vM@6D0M9A_5 zW(?EUt1~X!S*h{40$Y}GGUWO7H_WzLcnW17-;RbgEYAnF?b)D|WPcQId2~Eif-f8F zHY9+3z|VEz%;nTy9Lviv7tz)o8E9=e?*Ie3={5ILvp2EcSTygNWgW_)sgFcs^5(~tnzAS9(!d>KmSTJ}z+E+b6vi%ZaA zKuH;jQ0GtN*z5FbD!w%RAB`R?KI*PyI_03i>{hnt5em7dUX%pJ-Dz^Juk-J?oPa@Nv9^oFTAi5z3b{G1 zsv6@(=>S06?)(n;vMrrtK0mnxC7wd*2>259F_cERiA^o`-U)u4$WrGefQsk%b?-Be zUw^YZ`{XmHd-aDO6!u!tY%LL>X7ANqJkf{l@VLzjYg&Z*POK&F)GT2+eip#fDbVLq zow9>&;7}BZmR*_jRdV^<~|Sj>>}%e7cNFC!MbqmgCJ+UYtxnrIFMSkbVze zJb0%mwL+H#P8$M`mp{msxAUDC++a#W%!7#Le}jFRZjGzYtmV0Q>B zx@mj`f<2zB_MJK>WC`#_!_Alm9DkY%;%J3Z0{s0uZ#y2j`?W60xHUf|Gmlv6?f6M4 zKo$}F(|u4>dc&Ey7vvaX+0{G?NKJU8(k^v~PES?j5>R57;x^K1K`t2F!uq%>m5 zt6hx0;Yypu1!QKVfVd=FEmc zd3mUM1~Ll!h)8I}R5l#g{->HT0}Bb8YNqN+SVSJ+_YWGSZDn%0??QAX;UgT<*5ka? zlgyk)OfsaL7iFafLnCFZ@r&O#H%!NlGYAmWn^H?_xJ&=4!}4%)V~zuLxeyl!C4yy6 z(*f11nsr*o(`oC-TUxBG(f+)azHQzgwUS6MV^$`R*ORX?njw@uKG~W=2&C4V6mR+) z4^@h%oBK1%sKTKn{Nvs-1{${&txU+8KOS5B<#h_t_RNCS z{sGJ^%KJi=XXQn8!{4GfI#T{Z;5N;|`WjD2eCge>ucyxPt0#(2;5t$-j9Bj#!-;LB z3cna-X*$f<1DJe10J9fgsc!j_x!YdvZGOBN9R_89H8AL^`NNv86tcJM3+P!jd>gMG zYtu(#YnVCj6$IT6l7^?av7cf*p~5B}^-V{S`CU4XQ4t7ZC&8U;o zsCYanpRP9OONR?cEf8vWxKdCs4jik!oHWKTiQL+)eV2^sHIo#XBf zO{;)c8BK@o;424n78+xPap?_6g-{5k*bt-ufw3NJn_C@n$%)nUtHyv(B+E>7T5$5H zHZ31Ln!@_%Ej@TDw)zogvBQfjP(1GBVe!}2_EOoc)`RJyXuFd0d(R{Z7}6V25&&e+ z+UcG~JhIO;^y|wre-hiQg3lQT?lq4i;lOzX^R~iaK&-;x>OIN6^{eyQr}e~O(T&k+ z(5X0jm;3tX{?$yW?uY%W!)P+%WB4EEDSoi8y6Sc&J0|eyBSCe>E)45Wt;UpnCw1Zu z2dY^CS0}Q~%e*wuj4{muTOhGppAr9tiO>D^&biKO7xt+P(sN52U5O0I#U9ID6>{Sd zjUZC|j0Tb70P!hy**2@#t?sm_ca=wT@_M~ITOW#Ky>Zz{%HiQ$>qtDVjS@#}teN68 z6|GlFsuF@-H|H2hC!D&JXycYjq`Ww5^aX*+xHSBlYV+0Ri(``|&C)M1GTH%0oJcaz zt;~WdAw(~hHtMAO^%EckUAnC$3bC2Hh_|bDy!v)Ap}{Px<9;ADN+p7I3uL2#Qyk{?5VrjaY>`yU z-=ZN9vjD83sUQ`Yx!z_G)Si?a_PMUAen%MF#3JKMG@jbD1|i10pEvfX^y9L1JldjK6l%{qxAF) z%7stCJ?vYtxeuThq=8+2#bh=e6n%ZnX}-%f->@y3S;zf|Z}eK)?{7`hCvRad*Ycwl z5Z)8c0dUSfX{*Lsx3aoYa6M}=A=m|wLJ~tZF2IuJ>W*2_&QXXrd1}KrtAn1g)##)N z{<42;*HE5cDLdobAPsg@mdE1-z>Bd9f@8eM{80bN--BmuWd(Ff4WnMevm|5d{AxiI za44Z=oAq0#e-!e@{|6$B+PXg(C_&NgFP;VXxmf9P*>7bhMMp)^}eSQx{J52t1mNi-MB~KhbmlO3~3T$wg%1+AP|L+dwG1SP#7~I@m0imIJ zQ~(3af`WQ*bnGv6?;R{jA|TbtHCyG~=#TljC-d5CHr{8E)7%)(|Kj$2>okTX zjD1X*Co`Z$LScF-hnJh_DVqm!hXcon{3;0z@X=^46<*Ejj%eewVruvP^)X5*q4dVh zVJ0r~bo}u$UniD=OS|Gn34Z^Hb-oE?}*~Kbh|sko~;%x1(N!1kktR(=A_t^e+^;S z)X(2!PpzC%j)-%KeM>UeYXQ@!o@6#H4V;0+fW z^14i~cPemZ2s&9;$9)~3AUb}c=^df;Fp{qzZM}PnY`m$H?=S5rdXa2)bp|F^ z{>p3?#?7VZrd61a{|0!MMtVzUXfTFHp8p|73z}|8+Sy6fJvU?{_Hz?%Hxn)gDQ~DH zD;_@5W}~GOESc1PhAb}_8BHo|)!hJJXV_$(s-BlHvBUf%=mwHx$PjFx_NWiaSL1Ls zW#5N_iJkKX;i|#eUKh#AHH*fGX7F;cnAt3+J;}$>p|cn5&1b4!b|^jj5pVrc4Q-5o z8DfpKs`IXr!X?w_Un(+spyY&X!yo<1 zd1WK<%DTd)co-_)VOby)!k``j0o}lrp{!DCEPJlsR!aw%fwI}ciVeEF?(82zfT#|-wLEo(Ll2T3UY1^?Cp9|#Rkq%4!}B<3^Tyufc*EX zaew~lPtO%{-xbB;|GXpq?C)Z|Q)L2|mQ_dfgF_r7=TtNT^mx>eRL3)uzTz5Z*> zHRl+=ar@-uOy5jzBIOlLI&f(`1p41_#K4F6w>~Ag*CF-`mOCo8dt8w{N98+w7`X&MP0@jEnBL{*7o7w^}63yby20YTH=by zl)UqA5qTIrGD_1qByU7lU3^GnV2=Tcj2(LZ=_pV}SAKwgSI7KWNU!^+GidKC4_?Sm zp&vsOuM3h2#WzbNq^%tChh?m}gEuRO`&BCRtKdJR{30M!LR^u`KUvmlAcdG~HYd1d z(=Rj>)Qo-9eovg>(ar7+N^i_D9P02qsuKKbxSSS*xvL5~loRMuG!}UanjxAsICmWm zLC2gn@b_wE(V}iSu%wrbhny@aXt$s5t;Vmf{<~avun#oQNUA;H?^%JGH@a;J{Yj6&)}(b_+I@%pY?`XVcr5rvz= zfmg1>)LPI6gK?}Qliqp3d7mEPnd#4$4yl?g_tJ{EL&Q{cY_+%83%YRiNcU5#KhJI_ z4Bl`(c$hX#MaTZ=52-Z%@K~kG0VMCYpu^z`mgi^e!wm+Q_)ayGP3hw=J_5PBi8IM9 zs#fw_8C_;dj0=xY?|5Hy($&_u>J~az|M*aA;1mj}%;DK+FHF)HDh4py5D8*p2MFA> ze47%NQfR2`1tzji@IiJB*1}zfqwhL*N!ao?B<&Dg&AbP6iek{AGe&)#_sAjpTz&o! zw>A61=&yy6+b|(CqYXGp13`E>YCP-}1pBxoVhco?Z?J5s3Xb<3kXuztta=<@3*?)# z{GBq=H6#wy9M>fkH_kNyd#WEm-$twNvt+n}x*pWq6C(~RCI|)D&mcDRGjVnE46s8` zP-L;$MghC|EocrT4IRb8Fw@T$;of$F=KW4)(a?*^snpx$9ClZ|5An zFt|yl)FZASL>Ks~9{n|~nBX=o(~DTMLiD%XXue|F@k)C4P#4AH^&CBw3;(RWUH$!) zh#|q)W%@i61C4sbiZ4gbJURzLIk;rV(ULy!4OjS%0Qy>!Yl+8lD-fL0dN-`4eBtT18ZG2Y4#ou>w zFl!Xvu2aEKi`r7J))YMnL8mV}f?ztLITQXMQno~fwwb6Wa#if ze?R)&s@+2>nXcU41yx@Qc+IxWu!!Y}T}6S*+XEC6iYJM7TTo>@Ml5!vGrih(s>;H- zp>)`lR-wl2?F?Mbf9U`^170lS*_8me2i`jGXD7sk?IjDt@xJC@s|_~A`mw81&g7C~ zSm_`eo8xwQ+(QO*;{@-z|7{fSeSLQoIJad(xs#|}2&rR#56qCtu~!tpty;UR>%-Y& zkNNDt6ePrj*F(y-*tM& z+y3iAQyb^z1+)30Z$S?5;V-zyJI+8K+i6Fw1n|KJ6+d!&(HUq zx4%e;ZRL6`4`f79LyE(s2_Z_dHJ2dT?aukHO`!Xk50%8XAwF&{CMr}b(3;2i(t!^6 zn;p!P&wi@SNS55TI;wQ>7yg#57Y}Yy$vT5$ew0Ybi&c~Rr?`hkANsBcq;~T2EnBYrQKN~fanpwQ$#oKLdO5aN!6EwrT z=;&s|u#SBqIbef$poB8JT2x^G|M9attEb!|ZtQ2$M5v;Ad+HBSr!5^tRgwJ^>OYOt zQ$U+4vODzfAmIb&b~#Rq%0a^5`N{sU#fJfL5RHJb)Tr}`G&TZ?#1=dN`=A}`e#cFH zbL3CM!mF;`!7N3B0xo;4#~kfYY0965x7kgWpuGTYkmqiz)nnytPFP9;TH3@R`J(FR zhV}}CWREoF__V*s+zcOfRfv|($&}lNE1Tx-i!tUQ?JVl=tsy%p+SC%>o;@MAH8Ew2 zimJr4wh|mW?-5Xrm;Iz?u1UO^1n#bUG4v_xLYThv7+`G>C(JNIej5UY0k~A@euqOM z`W(cQ7*}M<hU4>$GrI5ikDe(!U&D6Zg%;k|YT^3l zbmX}MZmA?O{FdjxI5i*>$vL$<3uT%~f~>{PW!KpnKKko=2$iqRR(7VEM(G#N6plEi zS|zw_RVbQy&|?gaM>+?ehY-vGAy1%;+dk zU9ZEssff+KtKzu7N5Gds0oC@KuRpshn%(JC20r#sxa}L+MUME_yg)|CVpv|dZHiH$ zz~!fm^!3Y{UrH*EKQ#c*=@zUKkQVn}y;U9+y|pCR@tq}+a33>XYoK)j+Hv@3nse&m zdgVHyRAu`7SR!_gExK3S-T~JXw4PIJgVE}qCe1K2L;Ty%&EeTc@vJAR3FW&iA10E} zBg}b_JnmjEuQm6)u6J*xGnw#;X3`Z8msO#}2k;awpI9WAdF*gRVdTyqSbqvvOpLC$ zRz)EM69QmM^eWKd8GXN=ht17l52pv^z=t*?W8F`QaXhMjsLP`kbt!kHT7&~XsK_rM z<%Tu6Hok;osB7+KU$~MyFQL2L+{@eR?@xwL$P)8x;XKZZ5i(Kg9y+*&a50vEb@QQH zOTK~?l+E)`L^@XBI!mWT<1un{Qw-9k=pt>c74Wz`t@Xrx*LBCW%10n`|4BuB`2|{s z1_v2s-q`*gC5d?~)Ag6)trh%uEZhfAa7b!{1@9)}AW7A!Ts9P@Rs4a6? z)c!nvdzM^WI_$Q8;3I>~Xg2xdXO;npIEM7-k20=k&OMMC;aM<|7-erbHd;B7>bQQJ zA?}UAsHEL&@-%rt|Gm&MUBSvt=SiDrMGP*woM!>8OlQyDq>U zVOl6Z*X+ljN7A>W%k2^RY}?x6VXG@>9o3ZtWepjN2E?8Si5iJ-#6O$^)%#qp zFm)h(Ai}vP({Au+_i4yv55N9tK$82D5zofy05#*d$EnMey!&)Ai!Ky`_tk4eg|?s8 zPqcr)iwn5nvbB98?2Pm--yf98-V*X+HwDQq8B~Z4f(X+ql2g-DpxDxMLBtE%fx#8< zbUPwuaAx)>q0?!8JNsrDR9|Z$~gvF-nr9=ohFXqa`Ez>me-=Y53aM6 z6WCe^=UoJC?h>1>_Zp^8)?CE&xZ<}>V8Tm@WDKg-=34v$!8E1Da7^l+@YsqS({}bn zO;62Y1pC^0C71)%0YrEMJR`_2tq}GU0y@Ci+B*Dp%koF?N7O>^;JMIExEVq^Yp9s^ zLI^yaP)qT^*u$)vgH8(+I>^qzV4-2y^!Z>|4(+>x>_bZWZKd30od@CT@TV+qCqDy~ zR`cJj;9!)m&3t>Tr-_Y%S*r0nK}t}ECT62yY3P^N9n{qnzxFVoT}g*S5!CEmE62rp z?J!E+2g8@Y@l-|pYiB&ppqC23N<{a%bQ&n8^s^yHKxQi~0!DLcIHEvsEph@VFH76p zi8yhJ1M|B;MeOpbgEu;gnp_gA!g|M~_=L8g=6Is~1Bhk8`Z!1fe6%5_U!kTO&v%k;^;3+Ii}OA0wo z?~mL=H&@_BR4b)ie*J@Aa&zR*l5+*szO}C5M8wGXbVMB!0~(!AIu z>r8Ba;ZFm*e=MqVnL|C#PLzc?R!>7-qFoAYW?t)BR#XK${o*qz`RnnFtRa#_5i5`G zbCyl9nfI`k+0QH+>-n!^p3YAss3Wa5e0I;s7Tb|++rS=P4wS zcCOTq!`BFfhfbz|7@j@#^4iZ2wb|m`Lj~HS#y1((c?_DqC>b-6VM~+t$fQw;3?(^E zn4_2KF2iV~Yix=i&QiI4BX2c!D#P4s3>e1U*sM^?T}4Wx80ABa6p&n7J^LulKWR7M zzTde8J*2v7&OiVPWZPY{Z`zgn97u^%uRejeby^2cx)TkowlGc(pf;n5zP^M?@=Kv4jd+p-4;oY zOs$>|#;ua>F%Dl!?giMjiaw=WW{FYE0RyJOhZfXDdU69r0BIL0P1#~88rX3u9mPJw zo$^?HG-GoGh z8?P>p8fy=lCTY=r2LssvMdW>Rx=hwj*X60Fs$a+(F_0}ZpX}W%9(s4G78vy=S$0eE zL&Pt~M3LXIeO3B|*Mjg`Mv)r|fKqa8_AAn`ZsWxn<|3h#WGC$u;3fLPiAn zXk8#WLojHf5a8n6m6XP9&YEeLl_hMK?sX}n=yy?Cg*Di^U4$V|PD%;Yf@%_pYQYnm zdEv*3QHKG2-v`WyxAJLVF!14v$YwwwYc6UNBka;zf1RZs^gd$9a9EUb?bvGjy#kzf zT?_8yQL4@&Vo0B|xkvvNVX%8yOb=QnvVsP!{bnEHkyY$u4)`oSKk@_(+tx2Pm`PAiuyC8wg_m|D64&*+W7!ffk=%Q> z)5fZT22VsWyn{>Ejg>{sDg{xS(WtBY-2CLS$arxT%Ts8?YG0=J>PX7K7_ar*^VikD z9y57M9k6I^9o4xXWWCQ*gFU6EdQ~!L0a#<-YQ9*_w+6f~y#hhOtpImD%ZA%r==~-n z!A!^jO=}R8Q|Sw(wA_MIb9Nf-40Csj6Pubrs!TMRLp@jv60KM)6Ujd`cWvjpQ+ ztcCfkL>F0u(ZGXsW=9uHW=kuiYHFDt(^+i=O{DdB>#8Y7Ed8anKt#o-(eHpZASg2V zTTsNjs;dsVf79{iFZK4~;vI}n;~1!i5E$V|6A?>4-wDOUtEm9Ptw}hn@TTjuUCs> zGL5AfZ1jOynbPRbYCl#jyy-KAKAX>$%u$~tflQHWd6-|^coCHwSs`@)yUhx4PN$U_ z^H2?d2ga4*wmlk{@pc&=W~8nggf!gqT&)#5-;v}rZo_T&w*$!tj$57;xH?;ud_nuZw1g$1%PygL_9 zDS{#i1ZJ;cxKU=7%_0299M^-I`kfXMbxKVFwA~0rCcE)O#^&a(F1N4ZORj)m%MLvR zI%)jUEX9Yy+6x6gi+U+;uf09vBtN3Sy=$n1?RRVZ(r1iRn3GzPVzmwEg4xc6#RUVR zJcTZ5f@>I`r7u_T65PxE(tF;b+Wtfu)EN>%`#!&#OhAL7xBd&~EjwuUb3=P?K~qq* z?wQW%R9$SO*de6|c@$~2kwzArH5WNQ{a`a{D0E~3b1;}voy%{dbhxDIUuRCkiK=7& z(!i!x>Nhy^*>^``oACT~E0{HOb(2W6S)tbaIXK?O$?;_!Si#2t5}HDMI&1b~1RN3C zO9^RLqMaDz-B#n32Lt6i0Iw`yEv%5}yUmH%&CyWXvccXsJ1sjohupYfFf1df_wCoQ zO1&6lf+wr--NM<0GyYV$d4za%r(oivA<8cguA459;ntqdpD4TcwmFEXys!?pcOG>b z(Tr-8KJKakGp~53E-tt8<6SIjn(*E$iC1pbR>wPYd$zOhE~?)L60^n=;Ojw`qF}$! zfP$YuX#!yHTXp&^e$Rl-%~esXsQ&Qh%H(pu^AMn>5ZwOs^x?GlTmt{4L3v=v?_b9{ zQ@Rh3)99C6aSkO3>XT60aHO5h`UhjSsQ4$L<3_AVdqK-)WpZjKwOk8I< zAFx8wh5TLX$P$}VmZckK46(^fvYW5@H|k7Rc|6-i0-9qInaaO#RxjX$jQ3h55zNHU ziIx5FB-h@o(_Z!b!b!s_vlUU1!0)M~<7{UZv7xm~hm#H=W4>_xq6;l~AdlUcv@(Kex&^fq6X}i~U%nw8?!FG1=+YaRZuMe6@WJU`$rH2ZORcuO63N?M^ObSIVMpJ)# z@gRe#*wl)2Sz+5w@e#Kidp8Ff%0LFuL;YFkN}AKfuUNtDsoE;$F5t3R#@Kv9ANt0C zHRl+`Qd~AyF{-CcM{ym{vUAIh?|ZP^7G5STGUN|>xxe}K`z=ejW7XHEQ8O|3e6xVi z?a6mMhp`MrHkh|1CL3X)Ia!0Z8}X8#<&QYXK28wOxZ}|IJga(l?p<)GC`n`lOF0fz zQ^_5C`~zQ!5DSyw&u%#n#mi4gcIF<(H;Ni`$8{x>+(vq|=q%a|zgG_cpwVI8*DXf1 z$q7ae_+f#Al{R~Ch1iI{>Dl*7^}dv4p+{gTo}W-QJSHiBLbPkSnDXOjwDEGd>;+*h zXRa`pk)d&@p;gXmO()jT&C6yA;+yWEz3deYW}Z#Wwl_aW;Xi-&2fLQ|Bse1xN`Hkd zV7V^TChNfR3nnPT)*FSp*gwOk!4lN?cbCBzaYH=lY0pnyJKW%lU9}=TR;z}S51z$k z#glE$%-npjE#MSA-+XKq--2ajZt&&Q!0TdTyv%fXa)B;dXMRH@$mT}iHfOJKdpbuJ zswi%VPW}f^Go;(Qc@b1FV2T=wnBhZAdw$yuCKLmmw(B&HCJ8v?e>LNu%V4(U-p0Po>2%PpnkHpS6huj>85Qw$t*hc_z#0@7|vyaO>xJ?e@1A;QREcw&JeOTpvY zXZswY{7V=}Af~?<{d~G3SNLAu-rUjmWXjDU0nNSj?!PLkuC_LvPRFGD79Okmh#+h4 zoVO>khP~F_(!@#3gB~F`g_);w)^XK#Lgbr93yE?Tu=N!c79fE$nS&EfzMaM%_ef-3 zwqcV4?favMU@^uwuxj^|O}J{P{7G}^KxO4f>0+LB!@A~Nm|}1CDCBV6BG!Dp=2U|7 z_oJl+gWPkzb8}>d{22kN#)=D5U%hti6ge+#y{K0P?|M1rTI826SyEL1(T&!zhw-6q zEoBK-{h47luTL8_$3~f#{V&9y7nwb? zpDRUB31;@5PTIjDct4F+8wRSYZTVMf`%O)L=7o`y&c<@>tMHdQ?2o`a7edIViWw8< zjP*XJ8IDdSd7g}mBA1|$^Yv!^k+z;%ho9Bd{OpcrJ1cRih~th|d%Ip4#| zh`R|rYtAfomua`ZvhhA6Zcbk^2=YR#e#Tt=9jAhraU2m*_`-+3?%c0sI;O;Z1rsi8 z4juQzTRCQ$#zfpQMTe3&CV%0S5sMxQG$8dblz5EWvNNylAhC&kL-~A`+8(c#(3s)& z+Ebr$BaYDX#6b z;5i!L+X-C=?Q!ME#jsp*(y=7ss-yVitxYG3(}JN&8q+q*)R^b;cjevMmHSySrv$(A z);ZK$d+o=T^oAd};m!hJ8X?W=pwDIa>y1MV$Y9Iae)x*zs?aMwcVd;LzD-5EK4|#F zM{PylIK}xx2@9798~l@)>8f0o8V{}lTC+68$^&qndhesCuK3oz8%X*H9tws^Kku=D zgs_L(#GhaffX;4gQYY6%d$o&&WP5XB>=W|EUuQTX+D7N?*vLfJEy2dI-V+d<98a+S z)FV_<5QG;xiVKkvF(_#C)%qkCGeVbL`Tf?N)s8_+H~uIV4Bmq*BR{1U*$kpb#DgA8 z^Djt-o*d662ompMyz_>d@Hw0HMf%B&fH*#X>2saLwlIc_sx%;G&w7s)fB^yoKR{L&^)9q>lMfvp#!!- z3;c(z&#g2b8%xFn*_^#Z+2wG+ZGBK5wY6O=PQm5N<#qiBZ|R{@`vt^W-a>0IjpEOm zY0$!BN=vcJ=n1Y@n+7NTORQu{I=hOIN)`{*05CeQgwK6>1Kll-q2m z_$8I4YgwmqFI==o&?;2q9}D4iLJpc@#4>xRD+{)v!2>g83pEjy=x1IdJrn-KZ+`|_ zH0IDRv;1TxX48*3v1q1icXmpe{;S(O)JPNEHum_gt`=HNn z=jhdBR0hUxtn)({YZ_SpgUc|QZ z(jCard%q&9gGy7^HN${KH~BcT29^LbFkqbmz8?~3f2q9j{#dE0T$Xt2){7a>tNJg7 z%Rs0`0l%X{6^5hy%m{l@uii!QX$*})7&nEZJEA(^)&K_!Y{9+_ReZkCZ5WPjmt9L_ z_Nhr1B#@PDPrgEod48L!%AETb8NBEJ1{oaEd2=Uz24KPa(`6p6h~kTx1RM!~$e=&n z4^)V`)pkJ!>u2;gO7-Nd>@ENdH(q+j6gKFVh-35-)XT4vC{&~Kzl|F_u42m&TM6ls z3{J`bD}H)`K8KoVUBDx5GrUcdB&%?Vm_HC1mAUOb;GEc%I&A{MH*Ws@f!gGmpM2b* z4wD?@(|#3i2mcnQoXC7<;=wU}4gQTSkjGv7zSX+#cq;uqTcF)@P3wo5U_!cFZLLhw z(K5o>D{QW9db$sqfgBxakrN}ng=eVt#mRJC`Ode`AV0QHv}h7uWd54Q^9s4=Q|#{! zp07D)BvZR3%4x~Pi2v)nqm@hsD&Y>3jjkwPxY!dBR&gwVrl}D)S&T^dZcLI5hOTwz zPfUv2ETeJx?n%jhyXGMJAiul(+D%_vvS*kC=g4n}g0V1PHY%@TYSo3Ma1YBviaz#GY@Fij|>Vw%fAOHkl$pb}d6BLAruC!3=Xz-Tdi)U}qm^Hv?Gn4X3J4qlF0=)ir7|z6H*h?>bgF5+)>Ui1P55yHM^| z*odeyt*5l&zE7{Ty`nMzB|1$zvHsTtdom`o&W*+HHj24cxgsej8<`|pLGs=Q^ z3_27<7)uAn)2IO=ubmDnQf}yA&+^D9|KQ8@8?V5tytTCe%)Zs{o2>ScBKtwE3jbd$ zx-f`1Lhf9DdP1c89eGn3S?C( z{h0wW++TmlZvw)(cPf8~t?AFj_!+tC<6irjg>duoO14o~w#Srh&;I^KuYso=jvE?Y z;zIv!_Wjqt{FVZ&XZY&Q--x&`k_G?{+k7RZlnMx9jO>5I!3{UUYk}m-2K0Wu17Upa z+@DsOVyh`3ey`3^ymUXzf*`_@>2Als4>8RrGX{IOa3PB=Kx!H_f4gh6+LyxR-~R1R zqy;Kdus6*7WoM_Q%o8jxp6!b}^PKno+AChjVqO!q8*xmg;1&btO4W?)+G2KtSbRLMp%MDCV@91l!rLC*Ok+ztT*FxRfIgC;qY{jLQPgs~)fxRlC$5n6`CvFy%{ z%|gf%qv*YWr^uhuX|g{DB&zJ+yj%s#sQE4}FJJ2k9)p~*slao+r(Tv1{q2yZwe;^Z zx(?W?Ei8RQU$}uJ2=+3gek(q5Jy5Z*0w&dgkKN<20vTCiR_wlN9t>GLgLyo}7`T%dEB>P3QBoLko7H z&9TY5dYJI+(31Udb>y|Z#b`IY{NwmzPKP!l8+{npkVxs4_&@k> z&Y6GVztus*UrciYG%b4tan*q$`1O$%v53<&G>iER^z7+D*inK?K0pa50fGWIN3Wvz z1tyT`fitUu0T_BC0N!ztb{trrR%aSL;}@+ajjTwj2yguX)dh}5LMhYt8a=h1p3d+u zyjUk~sF%Hlwg<)|Ox;0TGRaE&1ZWNVxW8w*du-B_T|QiLBBcU+JeFg9Cp!w@Y(xOd`x9Ud zB`I+^u;6q*wO?_c>WpH(v76|E&heVNY@(C$R?9$jn&FeEbe zZMURsjq2D1TUE+SW0^`k$tii-Yb~Jpn7J#pU$Y~e_WnvDGyS!b>02Z!x{ROr?kcs{ zZ7Oew%pdvyAQs==PUXvU?%s@fZsU7rHwQMv=cmsOKP4%^G7c|qY~R@x%L64#?`z7x zuv|z#C+#u$MKH__yj4Rw6N1P!cp%l=tfBd;nlYCSvo0gG8m)4ks~~+h!{r}F4vvK` zi;TC`1R8B9rhSAw1>s5PcUsRp;%(95^MlW)i72cCt2V=bi0u2qr4QDbdZ~x_BU^x7 zkWfxN|A9KLt6q0}?K7U~0O>;_1_~eFVIH zg!S=vF;Pb%GrUQ;^A%4Ogua#Mc)glsA}E0ZF%q9guHaNGY#b922ap22Fn-8HBtOjj z8yEr%@Zh|Y-890bF}m&Z5#^s6sl&r^Gb)gTgjI_cs3sjhIiweAOLhdkN#3|K2DJSz znA<#9Iy|Os4;po*{S8+(vS_glt+?-^g-;QYOLMkpP`4Zk|uZH#`J{K`wJ{(}c&_rWA;WLV&vLrpLEk@)cmLnR}KCu(A5? zk5C*W+v1f|j@ltQJ{;YMkfvxomz>psjKHi$@02|t*<1-@SiQLhvS2+*diYS)(E!89 z0Lpk8Oo*D<^|auShc&UI?(KF*pE z0yO!3ERgMFx}^L0j>T>1C!q%=;b4z!Ri1y4@z37&$oVxELgoqcg>=n7_Gz)NdAPuY==eLkJ&7PD@J4%9aIEBQbiA3FeW8RCs7h*vFBBeC0?}}6CyBo=C2!wx1b9CDo_UPE)wui&tg~-zbGN`}=X_Jv zu&!rd?0$%t@!w}T(G4$UQszJ}Zqp$e17j)^8UoR^Sa6$2R=x8%pD5LFa{?Oo@RKy4 z0D8VF(i26#rnPw4K&@hK(vB?Q5{5{~>|wGJOjZB=S#iVgI;yncSM-S@hCf1yuOCvI zhlQxIwWB`9lQIi=rE+(>uf|>lyvDN#tYjq**o?ER8rN^nVb!z1-Ds>`EtY&}Gcnt4 zM>ux8pg6zOpR^d{9cW!A%FEOHXS}Nw_0UXUG|zfks>-}YC{-?tI8}3@MuD_JY4>>3 z?0Y@-Je)G0=a1{!Lgm#9lMo40@Xn~$x% z1Zx_TNg102K3k@VN(ggt+}>D;v2kFCE>Y>~_j=vZCZ0S<+$}!MaIc!gjFDs(P$CK4 z91B@fVxHoW=@!p6&d6goA7;5L`ZkY^rON*98*eT*h{J4?ml{*&<-!x-vvTGCt^J_TcJ)E}v2?3}CmbvN4er$ss)Xnq_Ulk_2}{zmQ$mHuhe#7WhzMU_r;Hz@duF2fS996Ag%kRbc!6Oo| z*P}WJxE!{M>yItl=EqJ}WOq=y+E5Jqy5UXyUc0oYOd@pYhF7E4g{yxTQgqC&AV#6E z{!r_B+NWwDSqPAcpnnu`49m}`E|Yv-F4zB@@RouPXoo!7V2K1tN6)Sw8WS6G<-Ncf zDtW?fw`vGT&OE;)$bPXQHTE9edk zCo5e6))NgzpVPN)!!~I@_*TIlPFk#0v8cb_CFP^s3ml(9!ZWg(CeDS%nCvm2E|_8j zikRxqZ3V+G!ls=>D>@AXVgSU|ig9VQA-|gKEp}jeN^I@45Re=jFaROb0sxrOd`;yH z0_jr5H%-JNIZGJv??$p*pSGhzmFJTJhBYqM299x)kt!kMQ>?n9z(!8?>e;V-va_O3 z#a>{ig#!C2U}T?OZ6shH6CqC8r8Dk+_kHG1B*DW+M5FQI*LPhO3F8f;U{Q_Kw#Oxi z7q2$Hzxwr&khfJY)jwN8wOL>3h0+UEqK&VN2=N&@?(R+NBP*xnsoMGlVWeFZ$WEO; zk)IlOcRKx(lNO_mvu<2+-`NZNw!GJ2csXI5;12Nu??I>=eeY$tFVpR^zwSBj-#j_v zcjWTrGThrRP@fo;)=hoPrxBJQjw|qn(ygTlGn zoHyeru)e+85_!;T0Al)@6-rjXh(sB5Pm9KiZeY4I_w@N&)d{Y)uP)hl29oE*@mPYZ_PsDE0)UIpjVDn0=Xt1l4`gigA2zMS;AlZL0E> zP4m`kQtSI$OVRplT0b0hisfKc;dZ2>9xRZ!zBx#1P(k0M*1KD~pi`=^7)QcN z0Mk;7E>ZTYKp72){r+*?F$t<9z_w;LDs)>gx8f@Fga6bPhkm;o?m~E%+f;@)-iqWi z{D8V|OSYm%=4XZG&vaB#PL%rgI&AKt3E0u4!{#(pIb!2d_`=kcy0-b{3#=ciVxO>2 z7+jj^d%NZcrr>{~jyTK`Vs&*hq|}xOcjzvBS9(|uVGDF1ouM$SZ{b61p~@S z$1WetleZ>|lG%aEL3clPUoM}lx-+F^+)gE->hJG;1s~rv+Gs+W)+@EM{!(rCNn1bl z>y1{tcyU@WWR;QV`Xw+VObf@6tjwXl7^R!h&RA^UA*V`KT}d+Pm_jTjpjG7D1RhByEzJHfW;4b zFsvSRIYvF9GG70cX>8t%KoYUHB$#x1TsUjIODsiaSKXRRxk<(A?BzOW`#k zdmVwSiW!^c&Z|PP=?UNVmmcy_M2n5u%rBicmImC1$^9Hboc%;$_ZF z!blPdt>LOQo1gdyjlDl8uNh~=KD$!hH;JxW{6JOC6&dt4+HY!kApeuJ4?DePr01sZ=K;It zNtZ1Smnr+k+y`N4q{#G9o&D5>QD|+@gzTd41a0<~99!Ya&GBoE+fE~v>k2;Wa7)!yoAX7xigm6yE_5=!R--s? z+h06MTD5!Q10omNY;RheF6whcy#cDr5#8vjEKuY!!d0{!#MbN zbY*g+BZ%?v^~PRVN%Cv}iJOmvaYD%X6`uAo?oZkwZ?XHOux$Y)?K{08ZvwIG;vEW8 zE1(=4x)(nt_)<~Ky8d9KRhTs%T&U5&u5C)m*|Y};-b(z_&c>hdzGnl3t zC@kDTw|&jlK8j|t$kb> zQ`m@LfEZivb5jUr>mEw7xIN&^zMek6-z4NZ5Gx?`}GRr;WL82hW=`6;y*3fGIv0 z-NR`i&0@FfNu0E+W`zInN4uEfM98?I&IAP&6_vx#I|-hTH^3~U(gj2WZ+r}VlyJ0VQ0M47HQn zD4UNB88A}nmF`%TPVLX4=ANBG#PyjiLO-&9((TdqFNcOM3I!2QnprlrU>Q)74Lk>j+mu)i~yDQpB@@2AgYwvXF_3S5$6nK8Fi=wt}ad?lObgK zef8Ro*SF|tdJn5B*UmY385uyN(t2y5>~c$N=GHIRD z>VjsoOnsD7*xHy#pk|p)=XT*HB5O*v$n(ukCoj2ynb6#Dg3|5ASLG(+-D@IW@=d5`gQ%NdY-Khoo?3jT8% zL+PYk+q!>|ZccZg-f_vJ@H%OCBrEZ>x82?&eJjmvFV(c8g_AX;t_LUMbn&z1nBCY; zMYU67`q{zf8kyb8BB0Uwl(2uv3mr@txT>sRoBfHA5gl9IyEg##u-0~@*7vI+%{gG`9rLcBi zrgrpX+D(+$8wfgFiy)yio^Y%MV)XT7sgOPbMnBDZihxL(;I7*RlXQ4%7e-z9OK&O_ z9%oUFqZpUw=d15>qmOrO#tJ{Rf1RzG7O$DrL8lvff24bpa~#oX%ug(z93GS4IPqNh zIf-GvM#+BGNV+1S{+ObMA*UPViq=ym^kXZvF2m#vqKwGE@|1k1DTlR3gB6oYEF^9x zc#Q%XI={bh2`+|84uPI_p;Y&xKOk=ld?&e_$JJB#Q($akW44K(aWGx)I{L0ts%DJW z9(a#f?$3eJo`8z}_4B1>n$9I)AmO-2cgyR_>DdEm)jDOXVU5wFG2@U~FQ<5Awy|VO zK9psdhCDQ9J>1q3Y_Mp+`OQm<#JK~620YYE#VH~n?`WB*mXw&g@$#UkXDOSq${l?w zNg!%6546u^CDNLGBxue%_YRz&3gCDrd<0DDU5yN#^t*z|tGQ8e5J5NRvE9`WwU7Kk zk3d*6yHY2DmvIdvSe?*LpmB5xQttGTX1w0MSsl0@z5pS%i{ZJ5QH;Ccv{8)jEw&7H z6TFQ%@ow>QWi~Y9geh?w13O|-MpzA9t#kV1ThE}#n-w}Yd6oA2l_RGi93ea_p2scJ zMl0(d8N9Ix*vJxIc``lld!;A)fzQh?f5PKyI!*m?5c|6anVa6UoqV#ea;tD#6Hc{> zlV7Ct<{U_Qi-E%||7ZuxTe>49=@l&Xjrk}YmjDw<9*d!D6HwpqaC(3X8JlrCj$q7a zHEF)w{CdAL$DGk;g4FFZw~?b}bA~xD4#SMe&mtMUn+*W$rO&bhBl(g#a&2&kQgiumej{uh6=Vz8HNE^b%~PJjKX9KNvmos{{k=&Yad`G81E7!~ti_eq%!_Zuc@ zDpUc|C52XH<{%`yCbnG1eoUl7dxno;cT&=BS5P+pmKwC_s20}*Cnurt=9tY=tqAz5nuNeiL-CW+$AY`Dax&%c ze2z@YvW&fXZUQWvB)IpYox@$KD71JgI#LyNw5FK0n42D_s7H&I7Tg2PXH=X?!*S}C zFYA&9H8)nP#@?ZuxNNuVLDsv{besKxEaiR9fHTIKy7ajp75XGp6=Ljv;3Q>TUBI2P zkdr=TMx`nP56sw9VS`$onYa5I1^wY&bGm6?cgV>uPq*9=^*d11sT96!SjhTIGF8Wt zt-&$c^*}_7`Hr1N)EPlER4FED5#CkfsJ9-2bY>R3+6j|PwWQlO>Qc#_n(){+D2m2@ znr@;|XOfe9)tF!*TwzT{4!Jn}l%0mJS0bks&miLFX)v^I6FuBUUa5SxSu=ktmzR84 zeUtxVq2pFVN$Ft1en+&$AJ0rg+nlXo8a^}0rRT9t!0CC{woYn?JE>a~@TlDOiXZFY z$T2ER{5aQkyzP1AT0F?+Sh+b~W_F(>^3JZ$7iD3o(`%1GPFXXK%S5tDAGF^}lgeh$ zl9{w8NnGFX#n)0&BKEUCYY%hcf4s_+jlyx9X$kZkbGHFJ{CmPl^S`hhZ}s2vRnia! zLX2UIRgr<&rK&`Ty`` z_Tn;nlN@4izwgJn_i-J6v=(yCPJuDitW-a^fZiV6Xj}*ppJv>hpQClW77KDuCk(vt zR6)?TYS$0uQv(3&E)sufC}`<6|D`#l{tF($l@Y6Db{$bQX)7ln$P0!7LRL2T!&;-B z`*BgixyDCk8{dN*y=(3wZ2sV77a`>J&^754+0-1|AG(#CIsA2fia&*UJb2u>VqkXk z2!o&-a3I=r!L%mP&P27qgh6J;xZ@WL!`?DSb%9pMjU}l%jUd|%pvON^b`qd;t=a}R z=5OqQ327l^`u1)3-5@FqZ-P`WrtND>ukg0z>G0=fF_DdGCD_=bWA(<<_sLD!MRR#& zO083F`#n8Y`8D|!)Mx&CeqKh;9a~?bezDD;dXW(=-q&|#U|8E#3y}mI$MTC9>$sL` zY#+!F9wWz#9HnjC+YL$rrKo$In3Aw1qv_4zdIPkdYg`(0_jFqGw%4F=Uy*Rs2|p}% zz%?J$x|-{JctJ~KTYhr7UgUk2fDvhv0%-TZzQQI0nz29WwC!nBboP0MLs#l%R@AS< zZJ~xSn~$|})Qc*W;qIj&6hc?0jG}62=LiZ;X=h;i3Ra)=o9~+7sP=0eC2P5Dhoo)G z5SOaUH)dWfh0*1hT6wrl#JgKRQV?Aek{8gS>va%r5#k&fwE{Q$S#QYU#eK)hc7->H zy?j%BP$v$9-p?QN&##>G*(IJ=ME;_XC=yInY>rmU8#f46B%joWfGY6U^Q{AeKho}Q zVx^?7ROvj$j_@it2s#%|v2$Tt*aL-RuigvyuBB$Hw!KA@!H^ncy>PjU7Zd}ZZksRu zHm;4*V2?CF*Iqt-Cr-Q4VF(>aJgXE8SfMgE#XpPI!udf_#w_|;W=SfwzPeJoTI6;Lbt~NJN*lQFV^epJv^Xog$obK7z$mC@LFTqMuPt7Vt4Uen z>*I9q&zbTY?ClLA?kFAVefI`^7X5}%rtzfHPPX@o?kmQGNAHxOyQWMJrlX`2mwg7@ zOIzznJKM7KkDhDGP>Jn7NfKEt4u|&JoJPv&p&GizlA)@nG1!^l;y6?Hrok!94_?Vm zkYgK`zrc2chPtU4aBB{q5sX4Zdz1#YN())vweRsw%l3-9wYdkBMs)}N$a;)|ynViW zS*`Q#J@ay<^`LyTT!L}S?Sr8ch9YOL(q5^qlo%r`q*cNr51VBl^{i~Wt76;eS^-b< zDO6D-m;Ma(SM=36AOh@n(t7qC$w+5T&*@qC%nJA&gn2BPi!z{z7VR_KFm z>R;ddQ0D0&cOE!>rC2e_DK7v^xe?>DHX=n;kly`lRg3u{9wrpfp^_bxHkw^K7zgkL zuov=8`Z-n+0Hfp?Vu5tH9}|H6(BnaQtfN+FZN_6_vo6vJmibSVry`wbO2EV zPmZ&$Zz}x-no)Os_NS!dsicMdpjph#Pm_dAyxNKiIltTq^DqYu&XwYsd4iuZ5{Me$Q|H9O{xiLnZdZ3(W5(oBeOijjN>& z8`xZ_Eaop!JdqcBGP?4;BQ@`@8z$zP3&C914z5|4?}2yvmQj^xr*e)Sq9=$wp(2xv z)tS`eJ-Bz=cayL!$TC7L)=7s7MlW0aa%a3=FprxCG~m`U1HAG>iS(FXiVO>3U9vxd zpVY;gOer$G%HTunFmR_W!!1r}W=o>iBR!VC7}5%;y=kXj{p?EXi2_d(Ev_TX#-NJt zhi3#8T9gKTioFqgRc}$1Xju&R+lyV9j`rUYlzT*0x@)yHbm!JNK)=V4l%jbY#J;$4 z{$}2BXeh&)-%)-E6W?gTVYVgsts1H$OIPWa|=ugu!YrA{1(!* ztwsCB+8k2E*=MbI>}89K)&eIAyX8*p1UrV!h(UXu&Ymn-X55}xwQ1NJcwM=6%E2q< zZw(vN%FZ`zEqWM&+>80EBdWj^GrLM9ZOpdZse5G)!5uK{D;ObVh$fjmT$r*&j)~E` zNR1S$9PoEL>wQzUsOocI?Kc|AkY2gOrzT*5hUV@Car7n?JT(o;KlN z__0#5gfQ)k=?fYZmNNWJv!es?kwl(_+RsE-pK)ARXe5`dssObI1W_k75?Vyjuu1}X zAKr5I*!<|&-q~dsPnf8)cebK?>NIw6&qGL0bAoj=<#b6REm@|&6SkF3zq`cml#LiR8x*~RicUpARmch`8>VYYfE4Xmb+MT;RKTWx=?8%N8dU%5B z%&TR}wb7iMouhk?zkH&=B`%m=D{=01rcZkxcq5P{WZZi0L4|6n8oL?`#G_VUIpb)6 zQY&Y>(788y{_&0FuKTrO`ptK+WV{R{vQ^UFpr3-3)rXr7v}}*EdxIR2L;bzZ7YAxx zM98`Wux-o&31{5pRnaU6CX)x+E=-;l=^G)UoX+Qf=9v#*vbJ^iCO)!#9lTRwvw zZ(nCnMZ*J_h~Je9{7UsLD`$Zp`>bOW$IPq`YQEB^$pey4*}Hl`@(vd+Gb9#XkdP4$ zE(;N-fWjgUE%P_r#wq%*dq5IhK^;!Vxr{83?e#{)*dTS1PB85Z%2N0EIbJV2un}@+ zx}*}CfV>m?MPVS>Fd8QgsIg_8W5V6wv2RnbLZyaQHsuzd4UB zEqHI!8qS%A>Y1;4()>Ep8(-essBuZZc4MbN!~F%tvDE7ceGGmZi`u@3td%`zN6iv1 zvVuC&(&@OV6@#Ii!|B6-AU1zJH~&tP&L5K0v01Er7A+{V%pjA@V}zvqS&sjTLUX{^ znrs*~JjT_g2RMIP&~3ZWN##9fHY)$KL3=^Mi)?WULRXyC{$=6bimk_?c#GT(zl!FK z;zgy>tXtP=6U}J-M>N(VQrKFm_A@Ie@{BHzzVRwfSmlF5j5ySZmmG4AEps%TpQT#d zE~XZ_>VzGRs_WeoCAi7pVYAKks4iH&Z|?FYeq!D*Uv%V!f@{5^B&Qd&49_`&vyM_`abURZ^%`!IOJ<28G~?{3+p!MFgta(6Mm zzY>LxFfxf35UVmN|Ho-|hkOUaX`k$^Q%Ri!ska=O(?RXs(dD%wjIXuY$6Oba-KDy+ zR(-y(TCy{CmyWY_Y|4ayM|8M3Cn0*Q5)K9)Sw;;f-{%?PY6ifOzQK8FF@!o@m3A{Kdae&)E(ILTnA*YGMvE-L z%BzO^^ZA6%-eYC44CeQn6UqiNcZ9zAM>}HUQIMX<3EOQLxw8Q&*Cp0C$rifldW1? zezDT5%ZdL=s#|}HrdDmyrG27ZHYUfcQ;s8kGXmKgsGIWKtijD`XtPNX(*W^qaQw_s)B*${Vl2n?`F}*#6Y-lbT_VoaSY{6JpgJJ%qX-6<-W{6SR!VCNh7;wJa zJpy1P?7Xs){U-_5gqvNtBC>5?7b8T~tRN{M;Q88}%}Z-9jk(FIUt?kWu40}yR9cTJHap}fu~g{Upfl+u^q5my!3JbH%|gjq!zu)ud;^Ibyk~q zz%iU&JjFQ!92vWGPuR69f>qzQ;$a^u$UjM2Ca!zhIBA-2OTi6*x{bL&X=pICZ!~1{ z8@w!a@B`lh!l8kZ9w2GhKEr^z!El;;$Q7qI&NQ#AwdU|8lmf-^9Diu1nre82D?>T= z!XH;`vncf*>SjkglP^NLSlc}@{FkD~Vpxx?4pn50+00>N&;7$y?uJi`MT5ipFB?p( zGB=D6F|Qr-_PY_r6J;0KNxU1eDtSiGkg!VG%Ib`br@I2m%^YR(XT>U;Opx~l_a~x}Qf;%ODAJ^3?zdWV|v3|9m zDfaMq1}GN#;xVa9nV7^ipA8E|nzve17Q!op5@0Pig>*$15ThuAS?j`6f-VUb<5z09$7UsgH7#0J{_Sj{d%mOXrSMb z!8&(m{|$UtkyfJ@!KKo7;6pJG6|Wgq5Mmad{j>(eRLx&Pb%&##%yAUTP*?ZmMp`t79)X^rofn0s-@%W)yi6kJSTGNUlfn(6BCIZ9q_MZI%8%Ue4fub$KGNSxBH8t&rqmD*N+Cuc(8zB2dMQus5c zl|C-cVuPJr;(HApnIZYX88iDkU=j3vOuSPDfg9zrjV#zE!6L$;Uc}Lx`W{%0i7Z}1 z+_{gD%rSkT%}z_NkJTc0si3(3x>aStz@dY;!Z00;Cq#8=-marfru!Ifucfj&synWX z;G59*{R=w^Ck0sO4kpb~vcWfzZ{mQI^L{5;KurUf2xIHr2$4;X6>6Bc-mZfq(6ZJR za_yzpst?UXPnL+% zV{3o9ZIIb%23I;9JP7y}*P4OuEHQUtOm<20@!=OuGpJ-|;?n0^&XXf{EjE!CR6`l) zhq6x5dl0mkapAwJD|li<`C70Xuf~YdHA^SK(Or_;~FGzA%BffAto~rYo?&`qmHnsK?Qc4wU#Usi{{W zTU7Qr$l|_T(#ughqTE-%6e0Wm{d%ZZ)X8mQEvh$v;meMklLU63CO4}|RZ!2($!4|7 zG3=_yQH@(U*l+|UD5Mjwz7*Y{jt^SmnkE4%seG~t&lc#wT8ntjnQ+0(V|9+b;f#aU zZ!zuhFSP`AM{F6!a6MvA3%n*w$SWAx5p2KPTS}tNrdO-|KjjfxHERY>Mn3`r)W?&$ zFjT%BW%wMeawlx>J|1T~k8K_sZ)ZO)ei!_MjD4feX<%s6B68C0K&>IP6!e6T+I8wO z^7`pQh12qdiD?Pc#R%waF`Yu-7kWqLwOIBf64351O*gMr*W3g=GwR0=nIA~&xHFHX zd`|1?&z8lEQ;Gi?;9tB;#Ev2q-G_(fEiSr~iYb5yjPmzuDkh=0$|g^WMNMxyl&P+t zcyc*_o`E`q+wJ#E~JB7{aq&XIYnpvfEWDyR64! z2C0+t70pOV-qSC{QU9l1SY_aJ$n%(H9o41pX=j{uFj#bH@|v!%fwL+O-YJtitztO> zH3v<<;_k1~f}~18;&I)y-)B6nY%A0pj^?f~xaLxOOePA2Ua#05wY9TmUKvO_l9wpi zo9^ApBGF5*9QtWjnIG)&1D`eeO|X$n@AO~;FKs-Jt??#mcV(({#B28C>2d#A9rxWb zHV#QP84F)d1>|!VVD*QcEF)Hiz=F^Hli=LP z8{*N9l5h%(1>aXUiQg;+Z~RVi*jfHT83nqsLxN2Zg)PWl8lQh7;|I68wCOE^(L-AHSqy7doyy!*}n)>wK4I7cobR*=@9( zKm{r{5VFU4Ee}{*t9BR^Vt72l#3wtt!#hN91u{B%cuu;83T3@4ds_upyzDIZKGlz{ zYk-N-AcJd$roS|+ncC&f#~xk>Cr#Mh-Uhy6>NM1R&?H6{>?BYpvopo|<*2d{9xK^r%R3VqF@r2o|U65Xl_d@108?1=93}}QRA8jQ)59I(1G%|C~9gC^KT$ zACB*gY9S{Al1V`>m+oXU&ha=S{K)u@}R(O zwqbqbt>Qb3SGff*1u6iFy!TfpgI-wpH?0*2oi8w=jsj}Y@Ax$IOGSIjR@8j9i9TtJ z(91UUBCyBAPuIB}gTkQwKutd6d;xeVZ|mI-?ksEp1E3oiV_tU$&StszU-+$<=WZs1 z7g~QOljH+OKOIL>+3)sUL%mWoIFs#56_b<81bB->p_4n(a3^40hIzYG;Y@)c;{)j3 z-X7y>M;yoI@NgXg}E9>pBm6cvDo_dk}6nbva5*?_%UUOlnHjRBl1{wWC z&q0_TGjGeTds1yX&e`qBCXH%8pV(}@+_b6?*;Gu)Tmu_Owag7Cwn_@98#HOV`*n-~ z<M?_P)Uts`Ep#UAQ7L*CcXb%N#@5Sy*LcAv(Ii62^xT%3=ydVg@MRAQ|v^0iu;7(4qr2WsAp1<`lS?%2xnu;g6XC>!0=P!$SS5s_;Fr{SXS zjtCmhX0}E|j;4vkKR)NE-xH+x$B}o4$}JX)&cQ4)Q_h&O>)N927^Xd3Mo@L%IrPTe zi)Eq=h%Mgqn=K3#Ya($-Nc5;?&^5|vCv@F*KknNAS4Z7l6`}DmyX|MY^}B zI#r|E{M<=qiJHD0>r#oc>+N-9r7O{zKGEIve0#&ujJ-BVLS?GMh~B*)nR*Ya#tTUb zrOb1;InF(o2kf>6b>j-L4mRSda32>85uM#)W74mw<2T(hCFw}j3-hh52mEiax0j^2 zZo~&ef2M1YiurKE@14yfKHI!}XSjtfVV-JrY8_Zd8W~dyyA-)C1TX@fm~>8*J2>XK zK%emQCeWg1x&HXU|C#MnLW+M;LQ+mi&Ey#vrA1z-OxxV*R}?*I`xN=5Rs4y0HnIlT zRw}_|v`xs_FgFdZl^4YiY%yJ-AdtI`0Kc}wBhr8xQP*8#%A`HzS9q&!M%N9oKWzJY zFFb?Fw7|=iM*O@Dhrno>YyvH|RwHUX@f1|b04;|l{gR3u+qMZ<%Xvz z6rDxy==W|}4L;^<;I95WXh^lh5=1$GgwxhRc*{q;Cafb+Xp+)+9t%S9zGQ5F5$XL* zLI~};ff0w}r`D=q&Ut>F0fwG2h8g=os6snsk!4zD_9%A2o>zY=5P)GxHEs&}`i~`lZKR({t#x})4 zol+Xik_!(}9R(i2xV?2t5^lfePBHy3IDd5`#aa=s(>$XhJAvoGCzN>OLrziaG>CEy zzU`_*ojbDUaihI80s)@Oz|_KpIAaQ^b9rF#?Iq+N#}DCNEQg!b7cM*K+r!r2;s~9w zuWx)v(nI&^tUB3qj08U5$@vr}zaadN=PhQY)<%mF6437w!dsVhXW;3ml!r8&nAWJz zce5nA6sL!`o33{>Ca0JW^x9aArdhmJTh+K2liud8bByUIzKYKgClP;x=}(`hpGJ+7k?RG5waI+aV&_Sje&_JXj9+m@wQ!a?O|8Y$D%rqDytQH6@ zod`-l*eIO7CN$vn=!nN8;mJ?73r{esX;x@GHGL=~($0J_N%Wpg*oyAHKb&Q*25Qrnw7t z+vK%2;RPF@YghhK3fvJdxiQ!XV8~67-UZWQo;pxfpN23r8A6Vx>f&(YDyn_0*rb3 zp)8gkmcPmSajh&HAROu^K$7<_%(-oz|iA3L_!OTFg;kdS^>QxnlWRCZ4k*ct}( zvg>{ctL|##?xh0x-h@dH=Gc~>oT5BBv1a$tmtqv^#jDB&jTVC#We{u7VM-=6*F?rC z$`CBr!{4m%H)00n$am658JJ@nrSTsZUyny^7uUatP>1Z@_<+#|<;4a|7n=0*WK+1# zUvmW^4^#T;Ixzm*)X6^0a0Y-6!W#g3+C_bJ$eHh2l^Px$7kndOC*}a&Rk~8+ ziT`kns+X*>``qx#=P+QrP#8$LxX@bw;c7b{G@M8jMyH;qI&rxAao`ST}*LQ#%Xg z*`uk2F>E$$pfpE{9pROuPp_o32Fjxl8Lk{FoSwa7hF=|_Hd7pws)!Uj{R}r->yrmE z@@X;1tz=04Gvv?Y({O<+haEzrtM(YmU=eGJx)m9dpUltHe)HgX71kB+vMvkRRXXsS zukRgb^S*OG`mM4p^mR5c>DpV#71E}k>{xo&ntOdXu!tZq3yvP^hLe?!6R;WKgKCJL znwyZ#Zx|_?UR@l8Iu1VQf zxTn7{EEEwXav6OVXeX&1ir327Xy1jCgqGvXJ~h@HcaE2ayN0*MJUk!?%6s}t8z0~y zOuXjwm%73$j;`0fhxj{|^PX*%hEC$(*kWK~2S_=%lH36rAL%M({DAuYM<2PU;@-*M zW*ME@8E8TOAC9$$MiDl6Jt!a$P9~O~&z*4T_5>cdj(alLr?-d~Nezl!8PVemdxW$q znn@X}FDtg^GUT(Xk%#{2R+O(Nw9sNgWa{IPhr1w)8r*dy1WJ`{HQzSP$P$QSY}0{SEJjAebASs`qBWw+^Ky6g1I-Wj>yPi!*5(>i-+EQW*fh& zWAdsB=zkHyQe4p*SN7pz6dlQmRidppopGyshTv!~#r)@^jTT%exx_r*;FBlzA!sG0aeft!wBS;cAxWt7(2KWgOAd1e8 zpD-VB^`3fHl`|jcKwiNe2RZ|1B&C-moQ5S++;SGXb~S>rhx!-mzLzT=)|2#>P{06CsKzx45M6RsXx_vcgxx7G4OLTJ`D*oe)$ zjVJDe5aiR$21b_ zpU9u;f6P(0YsdPLMK=MT;XSlX2IeSrm+W3%r9S2Z$2zp$knQY*9k_CHCJ>Lq3iAI7 zpj>ZR0Zsr!*t>5oh6Ji7T^40*ZmU3+Hy%y%j&s+`M(Sq)#&ZOA>h6 za%U@xfYHFKM=lPW2PKqP(6yRNa1=1z;JrqQr(90|Ju>dLzRJ|Tg1u*e zfpY-FBIe4zl$$#YCn_CCAb62wo-Apw4NYj+OD)QSrbHXtX1AV=aJ6A}Tq}_)UwFUX z!{E#(SHMvDEtJ|$Zx|YIsfuxV{Suz+EIZ&Sw3#)56$@0M7M+SucZM>ajG%tLTSiAkgtzqM-GIu5=dD?>11~2T`o+v{;f!7jnb$C}%J`Pit zJ~<-13nuxX4bhxDS`bVWU1(_i`ECa&G=Cs0cU^|%`5rE90DcfBf9LrFF`Hyy*0WjW z`urk)z?Y@|(qM7Lg;ne)3g)pHO-kOfTLX`tcNt3jTiH@HD_lNRWQ`nPhy!EmsEFs? z2ViI&k&)m>4YYHFj?(|WvAZbXkzaF$B-;z zU5aYafsB=57s&Tu%T1qYfJY^C9Rv$mt7=?{fu6k28CGTh00}D;F~a$w(qglmUFKwp zB{|d=<4j+`D=d7Hm_ZpfK&PnO?ID3PumsXo7?hilt)+f0l zM|JBf?#Zc_pFO#+vl$_Tt*VP-j@tpxVM#?Dy4kRwbZ6Q9FJ_ zvEB(R#c4ngmkq4=7~Fw<|n+>r=Xd15me6IiG-{zG(|n}v!y4RZGp zkJP+GH}l(XHv<>3DeOPKni*aJ65kOurzkK?I26Nec=d_I#9#o7Z}dCO<-#!Af~I@U zK(4RsJ#(2GU4w`8sQ1M?EdXBXxAIAX&y^OYfr7~Q&<+uF(N5Y=ms?Y?sOZ)gL{U-a zQVavn@Oz2-H=v1i`$Mu7m4b(C>w-OFp2}naZ=%g84Q^6w?*!K$qF8_7-v=?7m_&

d|Ip7D%UGG)npnn zk&1x)o7t8N%8-e!9_bU4H`>~aoG@3M10ts)-YEk=*SPDJ9Y8@k{4I330pe>NuE)2S z&Jx&QFARkrEhyg9zS_A6RNz-j6^zMS27<#JP|sBU2K`G%#0t6RxnUJpXchoB0RK{# z5yrE`QdTcGDR+N4iG@~aHNko&C&`+P9m+;6cX_h)xA9os<`JXnqL-hlcONhbuLV>O z)2xL(`vC_*uZjs8#Aop>*HYqUsqDgc2ONfA>!b`cczEd_aOiSf!8;G;GUBXws^|0* z{vDy8yQJwfNv46Mv8FWi-UT>>#Ez0#jNNQtiqvAOelRhEI+}9m%taZ- zvpF|>miibeyeCsSHo5Oc-wYf@s^@;On2emz8Wnwo=~8!dc!A9Qpv@e_JmiZ^>c{Ei zw}7SJ7EFVhVo%zQ2DvT{gX9W+hQt_5Ypduk3T4jrR54a>UzbmR zvJr_e#~(mDP_U$GJp0SAOkJ0)rfDuTf`1t`rw#su%Vl`RlnnYhGG%BcYOdQRp=G6bW$1*L}B3MB$luNb(s9c)K9*_ zEGE%n)~??{-pOZIwLNb0Ip5&@8Z3r($-o$y$b!;oI)D|{(fA{Dsa#Y5kN{tD-)7Su z0O=7wjFY3oU09|U=@G~+lVo_MjD=VLa4EUNtBME3Yukx$=Hl#8U^T71lZRIiTtp7t zJqR_zNt$`8$m#L*I2~W~M>X5OthnpT;l<_;cWIG@tJ)~Mj;+V9++*xt7Yai@5j z(*SynCV~V*v>)m(pONQ%GmbZ+_yXdJWSEDNA&Rd*u6$|qf7>DdMM?X=%XiY+5t-lq zK=NHX7bB?={8CB(=~==9gbzTM8v2wKsTYzaXB;1PI2Y~oyn0VfbywOcC1!dSP=O2{ zw%vZh6#vM-R-UYUJ)(>?9vuqkC6=X|aoo2L81Anym1_4fuvX z^eN*_mK)15+!w5Uy9vnb4|Djx*o8-nIRmBdcLP2x+-so6O6+*)sR8uo8FnI<8#Ht! z4oVrJ2r?e(S*1XhvJ)yltux?@gyH*h)O=REX}lkm4iC#=m`B^{srkRX<4 zKvNX^?TrGS-j)!D($XUanReCFQDw!)EA+8VwKCz;#-h`t%&ZP`(Q<8#Hp6M+J_kh~ zJFb7lsK_fpBStiIPp$>lPI0rg`MSB7y9EMM(>ldYFWpBLz@iTs;TyN`nwJ@G#HWjj zV_7Lc#k7B}MbTxqkiar3EqV!5l|RSP0#Ar`lA*kC!ggB^zMt<^=8Pb(4(_$zJ~;D3=1C~(vW)T zlcRd}x>5CF)?^Ed1Z3Ag2ThqwqFvrHV`L^+jP^y=;Z$~(clxpQ}@LV|L$E~E{Uc6FBvK?CO4n)1VI@74W z!@ni~A$n&_zlI_7Bha&XrmrFf9GTnOZjW~zcuLOGXbr{Y?EDb>BJ2U7#?Aelu31gst#z?J}g(hDu}MR5~6ZI z0^BK)<8ff?E(ZA(9IHM?q!Wd}Bu7N^UW7Q!I_l41{JooxW*AR`0&Y`!NQG4N%a*Bc zNfJw>XBxAifZl=eH&Enb$$5hEp0M*mq|jl1zUf8Ya$&_FbDs{&U2NY^2-_p&awGO_ z-D0z0|G-%aiu4=R-GjG)Q|DVJ2XG6@pqD_w2S+W&7SI$nX!*R8hAxgsTO2D@Sn_Ks9n0k}?j1d}U;!BFoQz?r#WYeL7dy zv4Y1$exnKKhO`4O3n>%ovtmnt(Pa23-DPL^W_8D4xAKRXa1OZUyq{vF%#6Y^@%JyH zqPA7a251e7amxS>7(X%?825Zn^FGp7V6)*r=J_?yzs|!`7M=^BUgO2J{L>Mw=sK#u z0}j*1621w1$kW;D32Ua^nr;9-aJdQB8yUJVNR~0*=cqM!wB=w&_oj>J7qF4|ulcur z#l!pw3VX@XN%N;!T|3&VvFoJx>UV&ItOdU`P2sj%^j7I$MeP3z(b5cS!8(_E8xuT$ z%pPIeD!+j%5&ovTA(3&L!ghZpx!rs!8jRiRo&_p;#>f^FGOV{j{&&+~2@T-n=i!+T z&;8~`*WkHORw=>A#(!}*WoUoNNrHkkZLqNyg9d%LYmq6Ca{(rQw2__LWBylQWh~>#ah6V*v0Su`heW7wZ{- z)1-DFw9}20`$}^Hfjo5^)sEuF2z6;PfAUhAG;1eMR8atV{3x%~O==(7jzYg#`uG%7 z3%iI$P6NOm){TC(BKg?yy?^Tr1ci-Jl8(5(BLoTwwcwFaAi^Tt@wNDZ!D>qTa5>O8 z$m{m#3p&LwndvI$6o-kj0yRGrEcIIJC;>CIyMou`pyEWQkX@MrEfUcVdgJul&z*GN z>6+)P_J`B`?8z1J>cHGNrPTby5|}BZg3TRuY`+(Dit}roKB?sZm;7`58WJXvDM`hv zo3n+p)NqJ%`Il_^j-8!mjR$-p$BT)O(2bgdx4+K>V8T`9gcD^K)fhZcHW zcuFE|lU?Y(g=zF%CdF0=4IHf|-SdbUTBeI>DNnGDIl7i9V%a})u?xGO^^>z7`-5zQ zS-9>(TU6%0$1GIyl#d=qy0mDx0+^=ngSQZJel}kIGq0R9%Tp+9DZif`-ze?auk0(H z#$I*&NLOIObLO2T(qG|P%{A>e;WjQUSBE6>njO2K0_Y;Seg{Y*ZAl!1+PTpm$^VXu zupGx!e=FQLtI`hK9uErZry8~(;3YZ*4;Y>lOlTTCKx$h8r6x>KF;dW0Qi;~e?N>S; z0@eBX{mu_C`?cKlFJAiT5c6`7L59%|yk>Q95=K|x?tlma!kud`;1fl(;-g3dZXEj) zAcM>URylECYf=kvP0Lkb!;G_q7O)cbf8dwC5gmZH!v0Ns(F9mf+0S?H>0%|XfDAxI z)UFf1fcuQRJ|wIql|ak}39iu_j+eg*i44x3T*XA9BL$L*ecS{BOXhFO&FxRRU}>JH ztdCGw9w~3&5@4`5>~JF?F|4%SjWeVavv9oiH$aTJKkTUK)*9~9HKLeRY*sgmi4?k9 zJu45*9FWxx?h79cJcc%2K6mUw2-whVv9F^gkOO+SDHh2CIAidLpL`cw1rV!*dD5zedN`*ox$hmvK455L| zU0L#k`XIUI=Nq~I2)}e3)dh}246_x?;cl_vM-q}<;x-S_@9^gU=X|08lFuPnE zvIT9T^qIH4SpB2NZxQ=s6f3z1X#SglIjgQLFrOx@8OKYD>J8%EXH{(`7t+E1X;L=W~?)E5D;DGakMH}7gm%588z zvEm_xJOs)uMgDcrh&5t|*J+J#u@t!Iryp{Y8-yd#jk6TjQYVBMYP|J_l41LrMNDz< zvbo6B`wSue<-3e64~e{<54JLciOjIK3<8M>PfK~}kg((k3ZpGiScDBNORFWm5W){r zzrMa<=vEsg-$8v>!uOKjD;l?S@>5U11;!=E@y87mN@w(c<6o{;t-tEIw{6z!aChxR z!dHon@mgSDXG!QVe5cO_+H z;O=v>*`Kk{OnyG))>CR9Ghtg6-ky!O@%TVw*ps}BT|#H4s!Z=)-R!$bJ&bNmtfi(8 z?@zBhzv4{I!uc)w4$*P1jBie;S-?bj3*l*dN3UC!&FVNR=pESehSv6>i2 z8~5gPn!_q=z|G?2C1|$FwUzdy<;Bxb+P?&3`0SvW-kmA0zuIqUk^dsKC3;hqFV77r2+W_NF+wqZbgET=SBLNNHgZ;YZW#rex~9afvejfjQj zH|d6#l5WfPT4q_X68&5cwE>Jb;yZ6|8G!`1RMzDeOj!0vg3tw0?1ch zWJ>2po&34l#*tbglsw-#k=H$z7n^aITRd;<8>0U97XWn$?`U8=4wxt@k{C<(LhC0X z2p7^Grm38(MLqrr7!0zi`#{)6rlG6UIG^}fXf$&DECv4omT74VV43y6DZQn}%WWY=ZGF+qMJ;WtjXI!{`g1SW zi0vDZmRw!8<;ArH+`H%Wg1XAa-Sjv9M9HS!cd~F>qfm7N`;q5dr=4a6cbl`j0|Ua8 z%EM`oBvrH~j)YX+O|)c%I~e$_%j%%Wj%7BkkrYIMi4@FP{?86KO8n_6FJ zFKW;~IEgpX!>vliaO-+gyWiY-t%6Y{aQ~A63w}^42etcdr0lBfNDWA|M}r>W*E&*{{fXB~G>ej9&n;<>X(P(7Mj zLRpl&r1|t9i_5SS&rfe{`CkB=>_r^pf+Ol79eX{%Tl;|3_RSA^&8oJ+G_&FYJ?p#% zTO&eowlovM*e#+4e^H?8X)9jJ?I+F*FqZ=bEZVu)3?qBL?J*P8TQes*d63ZLX3yC?T>NeC0MoUn{X4 zhSym8Bp+!F9hIAF=)z9lZ77+wkqZiI*pU;AH?uAST&Ky8Q@i-cGg5rP53)f&yRxcY zBnIBTK`bShM30>R)_hC0-6Dwz`}TPr^XVVPrcKcziN(J#Hm9ULfiTWdaXR9{vqLKN zOt-hF$kDwNC$J2UfOVOab?LRdX+z~Url55d#X4xA)$I*_OxFxX-w+j6=mQ&go=w{f z#bGCG?8|$0<345}s#D>peZfnQd1kE45=b9$5rD5-{ zy?Wp;+W^X%>bSILVZ>QLL)W4xo}#?(1LjUhL!5XEm9g~u9*<5~(~AlU%Vk>E z06OT!`$6nJQi1oTX{a%(i)6d*5S9QCu&jjUjsAh)-2Q&BAa*>hn4idL=sVIdj51`F zfb$w>9!^vNuaX`qW<=&@H!qHs(ks8ozAd%Er8o^amH6Z|kiZp*o;foU0XBYOX=4WQ zbXV$vgQW35?tMfI+e_r_yaD?A)Ga_CQEGBK3xDYfBr*kHfRhV|K;zPcPDO2c0J}+h zY(|LC#)2wuVPPQ?$8h7=Tx&G&YWOXxrjh%Ja7C1nZX$TQEN}HwHv=El|HIl_M`iV| z-QI$rgoH?_AcBfC0*Z7CNQZPt2qN9xB@%+t4U*DGcM3=&-Q6A1Am_S&JD>56XK&v# z&VLS3ly$G~T35{ZnGNOhoNljpmIh(ylW*9c{t?~(BE08?OJ2B!%9xSPGE1wh33Y1} z{TcNt>!!p$v5k~LyJ)|XF1JX@IJ(f?RahTUdC8rnbW2YaWnvEBQ7tuI?TT2s+wr`; zy6;JU$Ns0)pL|>*V*);Rd7R73Y95@s9p~+wulr&1*2;I7)p=5wdAjdM-ale`uI}e#RtRNx zCb*JXOqcKuc*yeL!J%HYS*+b!h=WsgsC{xr>c2CSK7Qo8W%4skibgf;R^$1}zL&-? z@^ZA0Bltg!v7tS1g^{HP(f#d2h?_WoraBXPG?YceG!BE4 zVtBYKmi37Yp#zM_2!7Y&-B;AUxKcN=S{CBG?&NyVhU0_gZ2sNm0+`ar;D8OD~4a+bjTz*<9y7Q;Bz{H6J^WSg1wYJ$s-@O02F3NmxL+jToMlEGGw%fLHN zF)rj*ag5|&xVCM+c!&V^vEwi^%~+Z zhJUg_iGRkp)PVdbZySPbZz)$bOx#-yrO}FICT@Syy3wv7IuQ_SQX1WVrSoRticy@v zD!TX9x8DMFJFqvt<{zg#FId5|eeX0Ii+9>Awdw)nT%;Mv+N8CpFTpwib4mP=&0i9E zqf5Jhi9e)^H*0-E%uMn%xP+oRfFF^LAU$Z2`q^p0DgZ4^rl19i_u`^xB)STn&;U05 z9#lpVpZojMSkFhuqB2?*rSB%TI;8;>>zWvyJ?n?xSZ*?R-Q}K4b?IOk*Y!(|4Oymw zlpxYeddj8~K@*AewP}QsJU>F+vQ5k6y`3{#`akh}|ABM%ZUiM}1t-M@YZeAT{C68q zc1d7UB}VBUPxggNzY2&Xr~(AGw}bx)t7#V@1F5?+y_V!7Txl(MJ}Lr!;>ja#0&ZoJ zw1*yC=sO??vQ{Z2FMv-Z8xb>Me-#sB(pes4^qhbtfNXo-W ze{w1Qew927$$OoFV4G#|YOPAX167+7E=VE84$wkqHlhrxfCf4`^GFuDeb> zNDd;#(LpQwQ$Dr*qv<@g{qfE$D0EBZKnU}8MYJcDRT{ER45ZE>uwn2)fKml_0sCEE&MuX71CP68K$^x^>j0A)l z#H3;|LP|MIAN07gKM(wkKpR=J_w?!C$t=2(?(?sQUZ}jz#f@Syitt1wqAHhwkru-6 z_*X2;zBI?`qgH9@`3DF^Ocorqr)8nPA=<){HWrnY6dAVc>gI*SCdHpQj%U0E0dMye zL9gQT(}PlM4IxAWI8}}#Oo&LRKss1DzkIPZlLXk=|FBH`_b(+Oqr@mBNh$t?7OlAH z&L;f$poJxeFb4hG_euJE^ER(*H3w|%1$rD2q&(2UIKAU~i1??HV$iBVl!xIa zIx*AWr2tx&&_{ZA|6u6$k3N`+7(iEHSS++~_kMkbv>_LK&!oQ`^gy&5Z)1JEZ0`I6 zhx_$0GRaZas$l^=fC_=dVhF{8d_-OZrra0XV$(_0MRvDs;1>CG2M#`ei;TdzXq^Z# z&s;G0_5Oj({O`r3j43jf@Xs{xCSX@BbrE-FvM&okY7QUA|Cd9`P$b3eu(vSa5asdr zi)9$jN72g7o|v!j-q_9r@7-8&X8#U?z-R(FA6XD2WC&a_|8?=}(kTd&gpg!BM+x0B z!Vs5#hS-09eg5rd`-~DZU_ca|{QiMH;A{!$lyQs8^*SQ5Ko7<;;P^ZoqWLh9!3doj z!|UcMgKzuA=hK6G|KJSq9o&op{?sXqGrZpO|0sgSYH;{v>DQmQFj~qx1yLO4(Lh7|70bvILP|-V%G*y@BIjf#6?x)*(ivU|V1)5c_VY7haQt*b~J79Qn&l zz$-4Dbs%H?k@^f_+^oMud-n5w-Fmsx%%%Izhkv_W|NSQa|NHACW|SDYwlwA$721FN z4E=Wt_2DlKQyvme}a_y z??3Gobouvu`|a`_s-k4<9L6;UX$ z-J|;T%pMu$=0%9x(mbL3avZ*NYZ(C_ zqdp%s{nkwQ3V~X?H$WCdM5mlI<#MEE0Fozx?6&1Sxx8U`_~$ zPq0`cbJb;0_SU(%v4CUyhb;rdxM5&0A=b6w4+~(m*h-Uz5M?6Phnd8FT%hRYGp>a~ zL(>Kl%Aeo6^@&gLK>?V8vk|;(b1?*N%d_!iNd@ok#G0obb%v^!m;Gcya;ydqC`9Ly zWquNrNz7V4+?Sz##Y~y!(9RXCM-yhcME*JwEj(IRiu`6cIbNCfzGmXZWvXXjE_5u1hf`AR4=}~SN1CTv z03Ad;v+j>i$?I>B7Aa-Gt!4ahhkLFn^;QEb4D7mHB6u^*aHu{7*LW>&TdfYD9ueJN7XVv`Li>{XM>w0 z6uD+EWlZs}zi^D_?jE~Jma1p~d{kIKe}X|SYq5dM`!5eYVuY_KMy~wkMH=?+Zx5&S z`v+9mki-M{dOu(7xX$@e=G4YRIBj3PCNC{r-t~1|st*Dd6K0Z-)5FSsx{|`3wt9Ln ze=&g>kn?UH)=0EKF+exQz>Z{xYqtoQN|N%ci?F#V!Polfe$RG<|FJ|A?g*jqKd;Dt z{>1<(^6u|F6({=v{{-N9ia8!`P^(52Lq_Qyd~XHgX<|^qeKX0X$BKn&;l|x(RO6Gd zxl=-DU2_syA6-EP2I*l*?JXVJ2pWxfMS@A`!S5|H)I*F%MdShV zi=Rql`Rbe0HZ^G^O<5-KN^ANJr-p<`d9p@B`?_ZEzzCtJui-D`nhz`0ZNuwv9EEiZ zrK^9QrptjsoQ`E5oqD+pHrvdVXm+c&QgPV!fKucZiiCl*CfFgUU^z7;TRZ%;n@y0R z?%Z;kjTQHz5?q!G&@>+GMb+U{7|fqWGH9%o5b4Es7t0&G-%t3n=U>txf=9mTw6q5p zO0?fs@+Omo0)CkYz25b;K7TstPe7XrLh84;+piv7K|TnRxPz8Giat45XgJzp)ARod^)#Z2iP=3}5~k(f(=AZ0U8 z+JJ#VU%Di5CIp$45@}Rgw@nSF#v(Xf%+V53kz|Y?LTf^;2TQxf3%BXA4{y%gEji@2 zIs}$K84uDH)?5+I^F>%s<3PDmtr9%1x2h%26GqfCrTS@5jD_n%ib>jdgFY-As$Q{a=BJ~bSm>KN0PKSSu4R;OyJ zjG+kbg9oyQP$TqU?J&FeUh?88)X1Z@<0duMvWut9Z`@``-_1t`{n7jm{y!zL@WUA% z?dxy<>uQiGAgA}qA|I>4Cq&X2qIsif9u|>n?0*dtgdJhX6W0Go4@~b_HvN7&x1tYvE~oKM7uQ&mBZ- zNxWoN1jc}NxHs0jdJvt4R0w3`yz1sT+aNJw0iP8x7aS;Ho?Z`698`biKN9XBt~Ra^ zSzTR$aCnRT|0t3f(GW=&@1;}WlZr_EA59zHS89~fX;&u)_ydcOGJsE&hCh!;G>zK; z0eV#0f+vdGNr$E`h;P{qF80=6K%8X21RxI(&*1i**`{XcHdKRQ*kU6JOkKp?p;EIB z%Oo239@zwhtyTb7R>oil#fC(jv4r5C6_hfV=<Mn%}q1t zrIKw@6-N5f#1{eZ9P%EExEp8ZeNN{y)zjnP29=EO2Gk~`EH zqR@S%K_$!H)m(J~GfZ)qgVY>-m5S$JH<-KjX!5Z9ApJA;1ev|Zwh^>Uha)UTLv$ar zvXUj7UxAF}W*kXCsES&NA;rPkAZ^wr;`RJ40MmYWSk)*uxjkDn`tof0vK^jE8|XV) z81FkaLDy*1w1h7UzZ|y7>*9Bx>0VclobhnltjQ}FeN1H=_-+Z| z==#yTU>*Vm$JE617eQb7Di!+mk8(Yu(Go3ZwFSYd-*kM+dQ{+UuI5(D!twS|dgf7l z!~)gU-W2DC+wPQhFcw9d&Y=ha)-#V5iV8)s{UfZ-@!Qe`K@B`rBQ6riD|<8#a!c@{ z-q3rMFyv^svg_PdQe4uot7j6zIo4&6wiF?2qP%2C&yjFf|aV(Z037+ACA z|LdXkA58%8(rXsoB5K$HE%qmX0Z67xL_dI_N?f#}=q(5=%l@_UQxIm>i|D0M7OqEt z#SMiQx0(zC3Cca7TS_@x91Jf4Sv(A$2UG2(KvZ&cOX3F21PsI(6xB&^P`Y4C@Oax> zI8Nss2b!N5Fg-12JRnVp->Z{q+6nCw!fu>^i-X69zC7!DpAfBZ7N>8f7+#sQPsZGU zmf8j$7bBml1OR4A13cv|s-XD~YpU^!Hzjw1E5S9We+_lY3({AACtjY50LTJMn!i=z z2LCP$McPi56QAIQWIxJqK(Jyw_19`cVLpN%XO94gzDyDRh#VVahjr1v1$9=$&lHgk zfDT!Ivdg0EBLQj39%ul5Kuxv))6K4y`FnSv$|Fj|x=|qt^wMN__Y^vxSY|&*i;6`= z9b>uZBZkzFT*6p%JSF(j6rLMDT+3vxH2Ni*+h1c_-Ty2?+SV3ew+G1h!{c`z260gk zULN_jU*Px+Se#Vc2D+fN=5D}>$40h+%B$=!ViRN07v^QL#r*O z0t1|Iv>5|KZ_}P1r;x;*JHZ6E1CaD<+3Hsp+d-ncEPn!SCuQxZtBoz&AoybYr8eY4 z!L7e;d2moZ9~26u_Vm8M%r5L;!j`&XodmW(-05|MwNiZQZz0#?B`bCx_xAU@NR2vq zRp3|Cg$bsG*Z$r#q>6aD<$2AS@*wM){)W0)IetTkoJ&sh+96F)_|#=I0D&RFN$%>oL7prGzw%}$DtqZ{-XGSMG|P+pcDN1r)^~>xKi2W% z^FymXzNp(y{BcQ|fld1jTyq>7vb*PV<#L-wJCpOQ9vKOa?ZnfQCDdd7+h3iIwmhfN z%}?D1NJ;CSs>3sW)YOx*CHyPPRc0*{t!^e6Iy;}PBGky0$D1W`A$4ZuFJC+F3I$&P z{krH4Pv1;*vZl<9W56U-Pe1>qiuDE)W#&SidU+#tSnRD^0cCv*k<$p=V#9%jTSsF? zPv8c3(S?(VS?sU0R>L1+QpRCq->0gX;{WLAnoNDuw&n4r8JNIW9A(bwm(Y*O>XQzr zU3nYK!tw-NH;N#P^(iZjS>1G8aN#^n<;+=2b^g7>p^+Y;+!Sla*Z(Rp{+IUnZ{4*a zIZ~RgtYyaU-k4D+%b#M{E$~vDf0FgQ@!3Q^qeD%PntwA;&hlI1`I_K~m^)>m^HUGJ zQ-3<8;WQLKW-*z`&IGG`Zs$1nbYGH`(D2U+gDd7Vptgc$KTX63;+Udum@c>52;E(0F8$F;a>b5waNG z-#X+42JWPh5UIXZUV!>Sf6!(`+t-Jphtm`~gtB&=v*#%oN}j!UC?-t9iN4>R6+324 z@t#ihF9CLFS(mmAS+^Ozq48>M(4g9(LJYo1{(ai#wq;ob-5}#-vZ%Fr#dO zy@uJ?WihE2*)x*1F600GjviJkJx%L&=>@bUU83{X%8lqKv{oMb{i01%3b->Ab;4GL zRXKg4KA*S0XP`7uyrrr{y{;FAo7Vh2{|N$QFhNsoEtuVW4R5ZutCCUTSG#Ar8MK%bC!Q+&HX;DI&} zQGU*JFURt`1>5343CX-Z{X;1g(bNX?3bs{wYLun8nY)TSr#BC48{}}L3|OVhuxW8D z*hXDI0Zo{uP8eRCHE-e1B9*KlaQN*EXxUieML7)INA4iO$HboZrDuAjwe zF-4QYO@)L@OJi$V+DKNqB-f?HaGy%`8OIpL7p2e%>TN4mJd-s!kY+CD@FZ&rT^uuvA)~j+oIx2B4FUM|(snk~0HIdS8Ma^#k zm&ypz$*5yB3o9FkqJ6fE3byFKH!ydBMUaaBgqYQIL#2bUqvia%xCKA9(;))==igF= zgy|H%6rxN!>yUnOc5SG=Act_VARoI>?q)b^?(wr>u>$7z+}??c$pydb*CZ=6Sim;7 zfsyG3-J|03^Qmu3F-EG|J6e*r-V#t{vfmqesc}7<&VuBySnMZrtUR@88%QCe5BC2t zk@>H)%5$^jm<7Y znZ+w$i7&h|zsuM(KwXkPTq#o5Nb*~2^XR(aKmhM+FW&MxC?FDgt6dqWtbqCc`Zbzc zWD~#pVw_cXTjt$u1K?aEFpbG{x@c3PO6*qzq;ZkW5Ltb$tXHg^_&=>o(L(|x}90lFZmB%1*L^wwe@@$ zuX~4)^MMFg(;k_GUrhKosH+?Z;3|+CLkB~S1cmf<{zOUNZ7dhMNG}2Jv-lMHHEWCQ znvJoN?4z1DarW?@5Q^`;n>CYs=3%Kpff>kj`~JZQ2Xsub5jW@>92jeW>#YlGxXQ10 zZG4jbIoh~I%I{iTtF_vBf3}hmya3*$Th2IRnXldn#oKOi6W?31Lshczcb38r`#?70 zYbVu1ep`ug*c<&3|F;gaiT4HcC}$;2Bgu5C@65Uh_RXSb7voGyn+W{BAAPX6V&zlV zIm3;q=hxgR_h#!SuXAW#lk;emotZ&jsvi|C!&KFW10VK`N{91vD3D+_xU(c#_F9jr zQT0rl2MZ5biIS~q^yA#U+9oCLgL&P1KRnslTuolds3y0~% zM`~F;3}Bwt&*^bISfhZrkWVny>AE%NEs$Z`9^y{|T=Q#_I6i)$7>54j)2N z>5i*rJ(tfe8p$NnZP@$AWZ?VN+Nnm}H%_UTE+~#EK0LDp0W2s@t6OT|& z!uiS+@_w6IC@9)8?=SZp(G&FupnuhagcL&B*XXa70*S>ceu&L4H(0T*+jbmugeu;y zy=k}6#JLAc;%kbqW4P~JFnm4jd@fcBJ$xZ7!1c|B^<<+D=2NkP9v#o;?q;*-Ql#&As|{}hoNe2DfMi3!2-xXyGKo%w^+X>QcrQFy<2>IbZ##l&S-J%jUnW! z=XY4=i)lZmanh|WtX)*&IStRRg5jrCyPV>VrGG=&x@$(InOMa$${K8{*0@~!@Eji0 zkDHYrq4c4PkZmuzLxCTwQfjOs!~8@Yy-&@?Q*y-F9MFc!tKp5B?@m6*w^u8YQUu4QPRjYI)P}<3gWIUkQxf;p{0SiQud$4RI2mtd_JgWb3>1Om#}YrUHD;unqijtBLTy?Rg}RdO3fGT{MhO`m zG&~7J@=H$X49>Z$K<`_PJQ@Dp`$hnkCqu(~{CyRpl5gc{p19nVK55)BX{ILQ@ww&z zE0itrPcgyb$v9j0`x{6+`?b3X(wjI}G0LluwbxSBvtQa+rX4V3_N(REQ$35?t|?5_ zZf=5OWJPmYccpCFfVMK}{OdNR8OpC}=gDIj{J5cI(@(MHLWJ2+j=BzKYUDF8 zTC*@P%sL{U97#F>IYSL7nYo)3K0bs<<(<*XEl;6 z(Nn2L_lT;HqID+I}_LhEA9RUE2G z%oksBUM;0QiA)wBGoq-Qc5QS$LiZ+o`k>85ICDH<;B*W}0dZ4G*=@Ax8(ZuPkWX2M zK9(%3jR$YUctFeG`L%EPG(#1>+)3w2g3miECoZ15+S#-^A06c;O-prII{cwBLxvM= zK*24J&QGn{E z7Fywm0AR)2Twn#rqr#+6EH4~+0GryfM)e-ht1*aau@L8=ynAuM&$^CNCF}O0bg$9? z;DWlS)D3hUnl!;2Cqr3?*q;y$+tFqWD{lMr6p`RkPZ)=qp7bA5p`y!Xyi^?ok)ALj zyWOXPRPUqkz-qDL4zMNlPBf%J5tEw)3S-sZc^Xx!h;4+LYuaty6Y){o>^VHgo!3Gx zn(tsvZDXm*V!xwBD?xn+ttFAn*KE{UY(+AL#pvy|@D10t5Q=2{TREqULFL=t;q^Nk z#r;x+P<-DdzpPR~X1Uz|%4s9_4P3q)iczZugIVDujw@f@ek#{f{;aSj>u-R(HAbzS z9QTdCb(MB07g9%GJJn>%F&Cbvi^TUCJEG420G-uaA5@1*>(vKq1G`Bp1C1R_Kx392 zLQVyCsHu4nukpRlq2-NN6C9TA$a>l-(hiEYMNI#q;%6F#AzD{b?-}$nHW?7Xx4^lz zZhuq>yhK%gF@w&%{#Ont1;XD?d4C+h#5SxTogmkni{6bVL1&2gWFXW`)vlKQATBpd zQx{}i{>HYFcin!fI?O)DTI{5GuZnb|?Y{jC676j#Z;SaBzd|`OXlN4&d~0l3xH<%e#SAWMJq}7% z3nDiAGlK8vPR`rKidh)shllmLNh!^5I9V}=lPATDzrLpKC!ZNMoNL)RO6(j*4V3U0Xx2wCusR1iPt+xXC}a0EzPn;f!&*n!n~fSkDFt^n=ziebl~) z-LgV%p_I;v7Z)O9lzA`yBK^1G>oCmG- zObe^�ZT*e5dK(?^_3$yA!B=Yswd0D}Ez=41}qvAHsrY761oPsjHP$eDgv@u{i*g(Yl1$^)!Sfgve~N9ONUi0^FeK$bBxD3A6WW zicyKzk?V1P3<+>T7AC$;yG4*EVdDh*i}>&BO1eTm;cvR1Bk{QpD#$U;@7F*B_2p~m z#~S^GrH>Dj7MCn8WL`Hqw%g#gbhTC(k#uItw(}fEgrf#356Z8{-OIM(@l&T@QnDBT z+-1AOm2IoA`X_yeaGKEwS73~fo;jQPYnUy(QmQrR;MNzkFDd27agkUgplVEnT%_9V zv~0F7IW>OSXm~B(07PI3T%SD4HplK$;j7}_MForZ>zBcR;8Ib$*mjJ9Z_!9cxcA^cvsY+Mq6DC zQ~mWCUyoM2-gBC4Hs+bZoW_A$yJbmj*O|Y~5dZaix{FQ6xAdj6=^nK~9AIo$z% zG4(%XUjI$(^qoSc4quGnT_EkVagYJdj2cnR7*91qj%bzgIvq%5UPDr%kCG%l zaS^?1gmvd}>bAx#ahO@Hk+w-|W?i}y9Aind?i#}9y*Kl4Yn);zycr~}cc;_pjdwYU z+uT>0rOM&P4P*A1ZV9@#p1m@sD(#M}GGfrAZS(l%GEF6ToYjT^&zBs~a;$~%>I>g+ z$R|yTt=s<0TH);kmcKgG=(Y3quu*J_Eu}};+sG_l_l?u5=Y$$RW^%Sq_EN4 zVt0Z;6L!gmXn9`R5|Urj^199HIN2tygtQv8&IQKN!Rz30FISx2Yr7vlB){@OjF^>Y z)#anwldxW<(xy4IAsLw~&Bt4LZ4)fY6TA2Px8Zdj3c!}P*|tZPAZ9gJ$gv4fp-qF^ ztx9teKn+FJUZ$0H+obpkg*$S&;Yp9QRK2`WrIm48$e+k?SmLly-*LZ95MH<`nwx)7 z2}8yD{BD6p#-*4udlT|g*ff{oH!)sD)x9ZylYB-jKT+xoC%O<&3u-34goP8+xf9Gx z303=_j0gt11bP1@?D@~SnR1jhedg#FKBAKt#nS{+#^a^AK^Qfq#-n}yzCvN;Qnc#c zX?6s{6a539j}R+->SUQOm9Ue3oI!`E5=~=(Jur!3dHKmiD1Bk~jSp{QtlNiRHI_X- zvO$6b|5)B>>pTIZJ)%vjfwfFD0R$=o797=ZjC=+R%kn zPT~|3Uh(;$9;<}XSkt+epeg-qCivy$;|KEvh1)(8OJVRhQ~NwnWfq}=b(BZo`?ciC zDT>DiTVBkvagm$M?b3)F+E=>7-k$(UnokoCKL zf9uN%a)&q@nI5cWLLqn&t$|=Rt74M?iLpnx-ZLO`Zb;v+})WR%6uxKZiJ=IVd|>(Y)$mm?wXiLwuK_#(iR>^_?pV+%w}8RoN* z45lN9{8d(ipR4M#u{s!ma?JjChIRy+$q6ph05W^YdD7XEz>QJgpFDiF$gm))Ye?WHsH)=Fr#|X4yTo zX%7ttYDQx$eMVR|f>uvWt%vn-D$$6fg&Lp_vF*Cgwmktu8#t*0-`B?F6E zhxD`)%|RRT&g>9F{4NMN+D~aO(&0{k;SnF(6!-Ci?h#T-$+4bPc_WHyBN=2g%VX>U zyL(JJ-qvdaZADy|i#cNEAR7>yi8Lbygc=7`CD5-}rpQS-&VkbQ83wNg`F71b!`3IN ze$BPEpoLD5OH%0u^*e(_PUxH(BE0!It?Mhsi&3|L|E5`waldp6yYR}kAzJ7n^ z>eAp;2rfRN0rj}b4GyK7c~I_{hWP&?I_+NB?%0qgx3Z;(TQfQQA`iRg-&G0<>a#9X zRpkO{iu~>KN3}{FaUW~zlM|=MjOIVGMu2JaMG_wtt;>??98AH&L7hD<#P5cBYlm2H zV(F9`W&R>4R4Foi!BH?WdZ46tm*{|!NxuwO)|q+oChRhYh-D^fyUiF7DWl#5?N;AL z5Gkz(Q^~YTtMIm-Kn`+1iD~~$5fXAWlag@OQbF{_^TYhgHJWH;v8EromL~qRI?O07REk3s3QJ1+OG@bk zk}-Pa=9R(hNd1E!3g0oiqU3a0%D5>WWfH8rE*GHas)`~S3q9y(yE3OsR^~`|LPHzS z-1o?H=3}hLl9{$a$n#pbeMU`*`rh^vx&{<>rO%k{uMsb|=O>^V3V9RHO58^LKV(+_ z>*~tmu4K}0P^#Y%-$_!&$eY=L8O0j{baJ6#7L&07toB{OnOn#yvI6^geeQ{^0!<`e%Axhy6E++d%+|%zm zamU!R7=WIf1nI1z6$qT(o^&A4lhnn_`r28aY%2(h;fltNG&@5vsyGHngPuL5qSg{c zuUcdHLLvMHQO zEo3gS6K_JQ$_<7HClI?KR_UQ+>)z>PN#RW7!By`izK*DB+{nolVpp=iWyE&$eg7+S zh`QN}!EiI@iscP9G~QvH=uCbk&`6hxr%_fiJQ}Y1t&sFgI+7PD$L2}- z3^MKCn3IpATp-+5#bIwZX#-(vV#TEEs0NQyNdCdq=|(why0^JuOWVY*J)0Scu6y`$ zO`pmYLmT@D@rd-h84gqpfZY=625PGWJRvc_%C$!k>AVO=&57|glFmfa4)@lHUQbjOXg#SLk0n_RS& zv1XctYhdUIj(EUK;%}=4@6wV8801-XSk7m+;mq1AG1`EX+RwJ(;I+)&f&$CV zQS|3^h5?qtWLtNe^WV5)G`Ox#*xfY9((8Udw+8~u9Mjn_{lIa4F@~3MJ&s-6qNEur zA{EZ9L*8z+*Bvc_W$=j**_nO#UFFO2?(t%!qSbguGhL$N z#S~IJ!jOGX@)EPdJU#hwUzKm#3iHG|%*$!>_BufWLJw+}nAkAaKReAxcvR>frxck& z3UdkAIQ&*#%Ad9P;&)sS3d(o($$=+E zFu_70yeYx2uI&FoXG=-3Ry!|^v=}Kv`aODej7_=QN-O%Q#gs@slwkto>3C9h(*UC@G->XFc@RMdb9i`L>%4vi%KU99D{L!Q zfeCn#<8*}Fx;{(Ue*rJ;^s<#Ru!%O&G)c3!ip|(R2U?;>Z;Gv^^R7>=%7+J!o z)Iink*tE^bGM=>E!LGml9N$r+_?>LfU<_mf&=!_EqkI8Goo+Z0g?WHoyGDvC>i1ve zjg@&NAyLiVk7=#riB#W-eYS|IoG(t)vJ~s075%mtS0vuo5JpRFJ!KW^V>1hC)5XFL zh7Muv3wvmcf523(NV~kju?Y9Np5T6}tHw3#(mL<{{JJ~R)f_G5V2?C+P|fKz?K+?RT78(;==_`?t6cQ# z2rIB-$)0riQ>b%TSAR?qtzK?1jKv)1+j)QQ;y~f4p$j(2zj z-~;<_{qf)aKv)Q08@|T56s0Se)vI|Yd~J^Ns1gko^i5<3!QAn#^0Lfs_;~Ic7>4No5 z#Z8qJ_q?%63!|4$`G!EVMO>o5t*J;aYz``^!@_iGk#U3^J-f%kJ3Qxx-X0(IJTRw= zYOS32x5}B{^(HZw^yUo_4Edyy$1Mf$;LnpW`t@sl=}nsio#7*~cc?b8*ka@-97@^` zf@WNKY}})%ADx0IemRtTIaN2V&lNVEFKDz|a#8%*qLd`EWg)^oa{{a+76CtK1d&zB7RE|6_Pocz%+EKinWZ=vCmC%-sS8!s`K=) z#efcaVvFlNJpw<(YDNdekk%@ak*QPp{ci10avA)y$WMz;n~mlqY(8J z9hY}Bm0F4OLH&p&+Cnx;4kr>V(~s@tf_&;?b&aX7vMF?WukX1+l!-lZ*O+GadK|k| z&YDK8;=-lFUi6W*E6E2&nARF`zc0Z)%mvMMc*m1E^?GqmDt5$-6B_9}FT(+r&1qKk zW{r&^9H42*yx-zS(e~?)E21^X^>#tYF^Gx~*`E}zc%%Ep$*W*_mMHSYc&Mu8S;>>X zk94BN?BBX7AEI+SLvwoG-@q{ndv&90ixbm86=PRa3j%s^1r(E3eJ$wj$upp|xI>v4 zdClpK)nw50srgGk+riWEY*XGpZKr&0eO0p`I=5_Wzm9TC(w8^=J-hN#_bZ=P%_|Mn zefN}dly63XEc1Sk-~O549ti8^sTHF9dN{Ya`qdPU3LNJ!a;hRs=4{d2&Yw?0h1^V_ z%sd}jZATvqp{AF98t35JeVk|6gc!TSaZ}r1ZVxXYF|qUM-U+;*dl(iVs$2si#&5~e z+z0X<7&oN^Cv`(5bDk~k@hKB+GELS2MrCAs5mb~qZ%ei;?iQ?)72_S&zS(%@Bl*b= z44*6kA8fWUl3hT{6yd3wBOriRp;(&$Z2M0G6|!thlh$nH69mc6=P@hnrunHCOA74sX1FmT20zAUg=#OMwc)9 z97y+XbOznJlw1^kv;iYRty9B~RKsx^AFKP+QySNr5mCi-gn?}`?^)tGTVpM%gCEcE z)P3cqZut$?gQt~Rl&C{Bw>2fNlN(Z1)N8vHz+x}<2Jxk#XGbgo328|1 z=kzsRQZ|+c@ABq}TXp9ZmxLIFcWJDPFj@5zRkD7_YJE~WQhFAyGTx{)+di4^>5*NZ zT2XIF5T+$@o%X{q7WEH)hu#uwFOFR&nlLj=i}jqMATU(WAMz@lU=M9}o;Ryb)1~5c z{;65u4hqIuwjPp6>;0EcYL9hjDZRzjJ1{tqP{`FA$m0Toc>7vxaD_R5WaWZ-jr@Ei z;kHYkC?)#uq&1GXKo^*gsWq@!?7*7wBmSZ9rv>=1)>QKTT1_*zuUgQH%oOXyS;yu# zwdLduk|-yBc=-Ke|H~dAp*P&mb%Q3_IXeQpLXGWL*YUNHpDF4rdMKdwH_SDH02j3p zNp=gyLo+3X&M*t%3iR1k&DQ7nC0(rR)-T*=&s~ zbK@2nYrpWM-R9V!nCG_>=wXT)8@X_GY)~IJEW+8q?pSK(KfWn;jq1(XK&Hp)mlr?| z2D~j1mDPLp?}E4%kUgQ@mcyo`g}*ICj%>0RRg@bvAcs>s3&rlx8h33KT;WCxuj|tc zwf)ZO?8_U@W2@;tWQ9h0D^L|%hw5D*W`ST6V_FZknvV!}z$UagCkfNqV|SR!zj1E~ z<51frCU`G|p|$35Nw-x8z0W0xdLp*#E_pI&;%Z$7WJOeFWhPqeRr}Q|mNpC*q7Ls4 z-V2o!zRjxc;R<7_pD0?~P1XfL*NmRKV!ydEw3!~xRcCE_`_Kehrb2?iny?DrW=Dc` zdS#wo?0Kd&THW9rU~wD4{YzqAkHo(Jd`YkFfYn0*)U_|;6pVq-;R z5Nn+^XAALuRt%x)Ac4b`Qhd_3>`BQWFE|$C^5$7t?e1SLXYcgCNOd@ii4IL0i$srGHnQQ5y}qfUNjxa5Wa=6itXlO~da^L3=7zSw(G_;G zzuW=%0feytxnUMkkDFe}SV+&kPkvcTi6O9Zr*RAy-$&>B-eSihOiBp{Fv*4ceb9xr z;DKHUC4d@bLxN>H^;Fv>k-E9Zur2+I9fWnK+F}2%{s;Wu)M_~RHZ;u*%-B+jgHnmk z*tC?0L^R*Epz=o-rw98e(TJ?)k6t@Br&7es z?M28_S1>-Vm1?VJJ@U1?z5TqFc5_E+PNNE3NL*<*m0KI1{+zxgr8YQi^@))*;W|E> z1d?H3Fz#dT2Q4r#T2(j##Xp+&jV}FHNLLtsL!-S6uiieK3g} z5qQX-gbzIvG8sCmbvC>{rDvvk7w+Duzv_>_#DyXBCFzz2tW9HGGINiV)uOfur^3O3 z*a6G9rJ6dUoNw=EI1%uNMTFe~^A#M;>bq;9w;LDIE!&{SiPxB(9e9U!rhV^9!%u;n ztrC-QMJ?H7MA z7g?v<^zC^7r#?kVcZcHZM&g`rNvV!t`?EJT)QrqU(6o5VTY?MjqZJIODZ@J-FF`e!S!= z=(~S6(Y?a=1w)P|qpP;WceX41MpU(sg4*#)>)EiAg(3fIs|z2l+v^vHsLBtuKVp!Z zZIU{!kegxomN-aS8T_vGupnMvhc&1EHxGJz4F&+SON){SoB%K-fv@6b-Tj66zPO_P z*R-?uT5GW`8B1qasg!pc%?RwTGo@=wK80DdSq+obk_6_*>DMjLFNI7HhgEJ$DbY*? z9FQOSMxi zg{cKmN)JFQ)>b7^bWiL9XMyp(FW!<*#oX&=9HpSx(Fn6q@VucIEjH8Of3!~(fC@UN zPxFyf8h2 z-l}DuDn{O^SG-DD?8Ilcid@82$Me}8e5m!fvn7hoows1*zomST{!N&LwuR?s{-jva zs6@n3jhyZwJ&_Hy&_Z>G)l;f87f=-nq{Tk#)%16f9C2k>A+~C|m{QB(4aY5OzH$;K zXQAbGb9R{2j+aQ4PwcZnPI%v`%T=_-CGw+_6BkWoPVb6hc-;+&wV$RRNL9Mn4KuuT zj+@RokD@4HrLq|heXSX5+&4m8KK=D%V{Rhb3%m2N>d~5eK)sE*%qYkcm@^fER!>07 zFEHJlWI1VW^Wl?)G_j7m@#tb@`8m7rvyt(}#MZ_oQw(&-xI(xIp5ytznD4 zPe~Y)(JP{-*nTHM$h+Vdpch{eq^JYJ;RU+3Qv`By-)Zywi!m_^wtEiH%Oy|*JsLyF zevX*3zwQ~#DeLVow=hh{>wOx~zD}Ca#RF*Jsmxgiz4N;7i_VDmO3rCLjSve*To9%> zd7f8ukeD@F!+k?3mKO@P( z0$8^WNjm~bV)ww5e9_xN#Nqb*ZwS+H+LRX%aZtFaP^xyDE}{Wh2rp0G$`;QgS5$B2 zk&|-Phk31!Xo|&q79iBxH%N&kbnzBq;q|?hso`srgTcjw_* zYnNfw)Y$jG?NJJdl*F)V{VrPUHZFrW)~Kd`y(McgFxi#yrA3{7iRptFIOt1?EjJKE z+=^h(FuXSS;S46~^;{^lw+cemIO>*TwpDpH*{jrzC``2b^xprD88V(cW^@aIPSUaO zos+Ul2{pFSi;ax=t%skn>#Pj2`%C-?&i)V7#vIKxcvtqIezVAI-TpPS^!}rmI1ksweah5H7(9U2#fQViC z8oJ`rVKI(EE`+v1W5m^$qww~&2a1MX29tt@YX}Lh zqu4Xo9w~j{I1V8tFn>mr;npxTRSSGli?60bB*-8XSjkemtSLoDKDAfjCyhG765N$k zG1zl?(o{?FOe^K%^SzM?n45k(z44_J<_8n6Q2c3kf^1!X{S;v~pQ$%a^fHxsymXfr zX*`Jwtu+cOEe14IQUh&0Q+9V#)$jV+fg$N=^t*x5?f*mDTR>I0ZtdTIpoG#T2%tG3 zJC?ZCdYXmn{jL)NT(`B^9@dO+FYO04xp?q>zcJIDZy2&EoL` z&Z{Gqt=|qnKDb)bn!MxuJgpFko&=8msZy9-JYa!SovGPSzIGod&r$jVWhZx_g)hS} zPVC50DOSp%Ix!Il=+2x{oA}e`#>uyPohc(H2dhhnpib8vl6tYFi zU9J*OTV38gIO7zwu^qbA<72VOrDt{zBtCYP-YF%Yqy&nV-1^@f+V`gi>^?$EUaE$q zA)ilqCy-PbWlACuNu}54hKnwdczW3RvHbnbM|d zu)C)KZQu<;At3+>xF~f~cs)Xx>@bs$A)}&H3KtTNsvt#E$KYIio5Ent{p#S+7Us5+ z`_9CgeAdGnmS3y!gqy+6Wj4LGw(3_U0&JD~%6lb+?=Z=g58i`OLkaqhWP7v{)Iox$ zT@tfhmz<3?-9!iy8=BgU&i!5|QM`*u>6E#C`)CEEOM7H3z@fIO0s6&MxMVI+J-&JT zsS=Q+c-T1=K@2l6Nm%rNQkOO1noF)XbS@DGaM4cyX%QSL8Rmm}W=h2DDYOc-z7xrz z1o=sZi0oTr8wxMVm$+!i`?B4dCR%nc1Y3SZ`Mr-#Wb~ndnAq(X)Knj?f-?_|LqO@? zLuS+Vu*^MW|2#R~`1NK@x$7_&y?;5_2v@;xm@wP|XsWT>8b7ySU*BoHa(L&n_AL4Q z_R1$HiuCdKQ+R&P>W5}>M82iYLrj@=KU;Ryb=$ZO`KCXevWr}aS7eBM)#hez2LMh5 zonDHcR9t%TbXN8%g6(ZiAs3ZO=BNg;!*0uVjgk!Vj9u_w`vLuwANA_Bq3*}75CwRD zysG3`sl6S4*XXWmYBs@~j(57&ryIOjQ$*xt(bF3si14U2#vzzu8NzsOUHXtU>^a)V z=(A$p{FmlL{2pcD$cNMiJYR2oKidO#*@mtB38R%qKO88ET@v``+J)YDE0V6wAd%nv z7*@edtu%Q`p4bPj%MCnS-Y|wsxyZV`t5o>d={+_Hr6NPYlt3(}?!0z>a7-N3hVoE= z;k3&`5x;{jYxa}!K^z_VQdr0Y{v0gj8vSovmRLSnmqk%XDXv_= z$YTUqlbt1<*m^Trj!X=VKIQG-V`lt;I{?^9_JWFyV&n=lCMhm6($)F^5Rp0PAfW*& zB8j9lpbimC2?FweIFF+I=Ik>(lUCBgU+PV!a ztzgmxFpl5*32Y)p;AIfpc_;IypB6ACX#^Y(N9f<-xb6d`B^IW?+&n2H|JCjC$BRE8 zJRrwQ+N6Ns3n6P{-vTJ;`@9(BQcVAthZA4NUs2-X%p}vbnzD*PHaX;2U}8eUyj4}Z zMulD`VeDg-gQ=|3;be`=65m$j;D1L06Q3i=<_+g^SsW-?7%DO}tufz<06a^;Ph9AS z-r3(?L7k#=eqs#-lsz+z99TcMYBzaK{AGbxLj^c?d#!rb>zpl}7?e!~HIc?UV2W^# zLQ4Q4v7o`Zh_@3*nWFRU+jw;u=!mj3w(ACxU*UACkXiWr7hjo@2lnD!bY87F#ZX#H z1XTxU8NQj>!p3>UYAC-rFg^lUjh1)_OQh6tkfZ2O(B-T|_}{5DG15j5m{@Akf?s5; z``>=kcR^e-&bg{o z?N7J(U)h!atD5BBya3RzN*|dOjc)%o-t|A+1WyP9Y7%a<0cMq^mDi4FM+Lepg`W#jFQ~bQX~NGOKljs%x#ga`9U8#FRcd&JH$D@ z{Ti53A7Dgejublp{8L3jEg!1zAYo3xYO0d@k&yg<`NEO?Mgng@8O!a;Hx)L~c@$m% z@I*R5DIu|>1GhBJ9~i$m#@4$}jMoCj54@DO?$#rRCeV4DOL&AQlgdJ} z03K3AoHL3zO>U?1sN7$LBTpQ}h`vYUCS?{q+jQKvK$bZx=Ix%zU$?L=PQvp@Vilm} z>@eSAuMwkE^2M6JfwfD&uHW}?n)W=1DJWZDVrB+jVD0M&pbZ`kJm3|}!;%FfHGrC2 zg6Nm``yQ%v*!EA_fr?gJu>f5k6rxLHqkU~RWdJEfQHu-My1#g?|KXPTwGUPJiy!Lr zO1nP&`=ercDFB+QU5m8&p=yaiX>BljM|O=fHZ*AC1)0=WB>scUHOGpL6*J|Ib8>0F zw({Hy(~q=Q<2Cr{a?H-O>^nitxB=+w4lu9!#1!yHgI-CoTX6O?Vm-~T-(S2Iuld_g zQUD)uw(i5GCuY-1dAWKOmNCw2llqmQH(xV6J~~9z9G{_ue$w{fgVxVqbPnsMJ)u`I z^uV_4u?OkB@hXQDp&3>?2(cMITrGmve~pBz&0IU7xB*?(5=i$jQTSKkSg9e7;e}L|a z!SF9Hem3xjGt>0Hq1<)A)-f@yvlMC+d!N^IeWs-%7Dw1X2%CqnN=_5m4`H)b1>*{` zVRu}ugfsc*L85aRtlIJ{&pv$XgV-+y;3WAfxbtEH>kjp*s8b$GFMWfKAz+cAk>Aoq zgtcBOYugVT2P)6UYP+s}l7U+Q;RE*NX>x1ZR1A8*@dK&y2ariI!ua^kRr+vlSWxRC z=|!*6w*IDm5n1K>h_ek7Ewu>#v<-;cFiqnJR|22>s)^ByKhtj7#iyg?xgM%7(OBhQ z(A0AXK}32RFjly`SqnAwsMl{xa53=EkHim=6?+lp;59TSED_o-_OX4b37Fq9q1A)Q zPC#%3R5mjN3<`~o_dp@#fRVC-G0xr>gehF7D*EvVG>z^1OGRtXa=$a6k6|MF0ltM5 zQB-*YoG(JCw3?FOu8jdNg$%%u*^nAe+&)!j930PPaEbfiqK<;pD#Q11=0_7^vrGWD z6NqUvAcNyY5at>SHiyn@+m$-$7A;-5niZiaPGgKJpS`)b$=zc3z+TJXwbN*#RMSx3 zeFe2UBlR1B5u+1`mu?_WvnX5Y2sXMjPOfQvL#u*{aE>Atv!gY?V-zUJOQuDeN1nI7 z2`z=si$W3@1jLL85iBZ-#&ir^q8^<=)WbZKMwe`d3zK(NHJkQZY^-#A^G%U04k=uR zkHO*3WT39&bah^!-}ufG^v&l~@Fz&wSKkBfK=nZ#Ms`B}k|bpNobP$T4XW5=fgQJn z-V1}a8XcbL15U0i&(`a?m(w-!wLY&n!Aers*#BMCN9Izk3GTF)tdn6Gocq@5-W^e` z(QS_?MPD-aQ{(-vVkr}Cm09jLC4+avs6@-u^z;FU^y;=4x0Pac-`q+Z=gl&qi`pU` ziiWvhp%JI{!*f{Y?>@X({F)vX^vs2gpPM~i2Ww;HJ8UGj8owzA5XX9ny%@JdRDodM z$Dw1yXVy-hz-#(onrQ9S!II%I2b}Yt0P52tkkdSA>JWK~VIo9{COCDY4TyBA$ZSIh zy2m(v@mD8cJi>;gA1C?l!x2`V>N3ZW=pSe|515P2!Hrb0AufZ=0G}a!8F)7Dw(NN@ zh*!cV@{|w>3nlG_Vb3MvyKg`_CZZr8d#MDpTE7;3s82PjmV|&NcNf-94Ib>!+o7dz zFTQ_S2;M>*N!`!WesG9?4>^_RJwT8xf z5wRl`9g=|E2MVLcSF`#zkIND2x*4GC_&}^r#{{9mC2{je)eTd836KY~Al>t;^lQEG zyr$Ue4tgp!()!Ryh@0z((;bv(9Ct=yLKlQD+fR#wC^I;rWrtqE5y8Q3zX`$Wg;jqx zv&Ai>UkxFHCe^yLB0ui&W6F5=va;p?meTbq#AFcBvma$YhnS9bh`Nctb26X?s5`<- z+{0(E%L?nZb=JHPr${p$L2n_Q+qm)rqVrtGyKUD^PtZb1Gg_nPBf45O`vumEomyfpFX&okf)q04 z$-xaQN7h?75gTS+)^z zle!g^&x`2T))wOkr+Q#g&F-`R(J_N}RrH z!rGYW`zIFy*C?zG7(y*V_$}jw!K!?*fj{|r7ylw`&=y-{R!aGYv)A%RySDg-jvzCK zuuIHq+xo1K<6Q-s<(?9%OBxt-J*PIqmWriYHX~-`DvI8^J)Xi&@myrL^L874bq`ga zjx-T{Sp^{g;Ns5r-Q>@(hWEIViSQQQDmeQD)9OSg|JaQZZ{UxP>Bd@(S!HJUPO)v# zP&DiqiDpm0A+pxx+R&$XRh|dcOT-y1*YF$2wpKm~C5&fq4E(=!A3_*en=)A=w61A-r2!{_kMDz%;~{IjGwX<;$F9__!alCy*!2LED}Q( zVY^@K5FlfFS@hn~MPKd-TRQe&*Rs%#9PT>~A{&*g0}FKOD~iI7D@AfoS<yFfLCe$-S*8P{sv>gwH$$R zQABnp#ZKJHrHZF)fp*lpmtg#~M|3AieHeJ1l(8afg3Nm6G3U2!q$mopUtX50n&99L z<8O+Y){|n#zeQoylI~;s{N18>(v%>vg>M80)jCu@4TECW6=|F*b%|Ql%j)EKdj5iO z`?C1|2;-KS`VGOjwP^htjN44`KV#fxy#5j6#*TFtJs0%vF>ZJtb^m|ExNYo2sT3-& z-$t|nONYw%u4jL0Os}p4PBLaX)9>D!MF(67sbQ*qW1}P|LK&BO^!&5C>t2CyIrz1lM|Oj zHSPW21c)uMxnIq22*}d9TH+(F(4gXesG6Rs@=x}I!Ab_KI=8gn6W2Z~bi@cwVZfdQ zLT=JeTZ~CMTu#O0YlE5(Pc*3#k6_EYa9CdzMjJ8M4?=^*I=)^uZv_VU{?l~4$=7mp z7()$s?!llQn*BWJ+kMYKkfZ>`pgcrTR%YK zm}Qr~+zTQNZv7Kn4axX?E1dO}I1&|a)f620a%4`x_T~s>;Nh4tTwu;}fv@3v0-Z6A z-B&+3z?Av9!J1dIpntW5w)yvzkkV$8%p7+5A4F3bOFV|#V3O1A_49|6`P^Tuu{(OVVqghFb2nXz^52d*fe zs1F27-1(288SzE*89c1NT53L2zGOU8qHG0#s+HzB-mQiSqaJ$j^inGRvhnxYH*RaT zW&!pGV23pB%8NH`A~(&)l3SKFDL}Wv1FMsM@^kCv)#TDb4x}1+{i0cPXjqA~uipLK$`#F_bKV`A5`%zRW2TrYJ;aJJJBeyg8CsX86t;$g zsfLHU?ex-D^b-}SWHGx;O^Fd-*_-d87lKsg-?If=&Es@8L_evvn*a-`xfI?*;CvOU zE9mU(RULi;HCX{)qhWGNBB!)=b;(T36UnOzQyGJ<`t@Eu(4Eb{%AScKAbZ1?xz{Ep zuR&KYCMLNPk^y}>TFR8LEE9BXt6Rb~o6thD4^+5H`*uCPk9XBfI38|fP&}|}raSol z2uZC9P`}s%z18Kd8+bN*uT&)f%bGStEv*0A{&Q0#>2g_o>Y3^1Me<7%A6FW^OvHpE z2luY+JeTy?t?XJ;iK}*;YmX$QFI#Nh#7`u6qKK#9xmE_KvDtqMQZsJ&Ge}MQbDe6q zhOJ}I;~h0TG7FwpQbM)IHMe(i$<5PBrCU);y7hDEhI=&x+_gMem&|auv#7n_th(hM zyh6)6^)2~>`Ag2BcTu%>r0^59vwFM9+05D`Wvo{TknDuRyxA1PP^Zp165MqvPS5dS zi~;-4kl4pEnVnX1%5o)7J;t$ReamW=nTBL)^2>{0vR^l-8JQ!OfXcFDe)9Znd}{w^ zno0p40vXRb<5)UpyGk;+IG`SpBk3}+tkh*cebB9{MP!uHy!n2Z9mglHzW7ixsq~qi z#jok^r{dNy$3_1WD5Ch?6`RBMw=`2bq-l>ua`MJ3Fl z9I5vmw>#Wlpe3wMHjMr?TH-h6 zCg>D@Y`oD|AIUWth?@k6F$f)r#rSb3?2kdoyvstQ;v9hC{=_LHfdQMCDZU>G}=N z;!!V%%eCWBoi7!Vu7X&|H=K)jgMe(t8AqSt$Jt?Kc8qVVxGP!l#+5eE))m6SCYI@H zWBz!`Y_QGql@a0FZ#-Y|`#&c;2*}VMzgid?=59l<16AFEv?wY`UB^_L+_}8iT%*0sDJQ#Q)N^4CrCB?3{;51;R zR{enS^SsroZW}x###P z_8PQRw}RY9$>h=%07`vbHW>UiM=8(NjxEGdgZ)%iU|jJd^XhL2q_kvtxg(h(G{xdI+{Bm+yCQZC=#tVD8gxX3P~ zI;CInx<0zm@~ReIZy4#!hy8c91F~;43x4U+rXp z%7(^!Yy&jBV;fwShGGrbPih~jR8Hhp1=H7RDo;@*&IVM!mhc9uwAS84r{0_@VqhZPu5n`Ce0G*N`GN0{O*rL6`*@l2j$E} zyEmTGXQrZ{Vf6Yexu;=)Q{}1}SPQ({eCXB;5Q`8>hCNE#*OTKh#!#5n@u_M!jE1QM zmZh=YNxZwaxlUd-`93SfyT4}BCg-bl=Ff{zVW{6Nv+CQ8=r*a#41Q7Is~FGo7Wr3r zE`e9@$yp}Q`Bcpn-A~Eb;ZN*=7X3>*#v*WhkhvH=h*4l~(DEG)60I(sHpVf1%mYC- z%CY))p|~%bDIP9-V4=OBlXI@YPRm~v0Cl=&AzJD#XD0nSxwpWmF5jO>y>X&LQPCS~ zHwxct6IzU|J^WL?WUvNMAxn~~T>!o?N z`Oax$78m$%{>g+iY(CM>1D$Q^!eF7#X3~)sXwoe)i%DxD2 z2=lkk`<9xaN+N3V9sJo%A{TL^s|uj-lEw zhW%I?<^~3`UP}<1H~Om94_Uv`C7CQVWD_eTKL_NWzG86;wj6!vlJ)(W*mc&1%>x zS&7nSIW@b`^_a4}jK-hA4ZeXvjWwzxYYroWw0x&IwtE*klW%fC1WI1F+z$lpBlI^? zS*U;Fwa;T-Qnm(cWE4xOwb;zJhHp>{oc~(rz>_7#elV@8LCIsHu3F&an%}+0?S%fpIP^^??JSK?or|~W z{93OwG`#oY!|e#(Lr7vFU!F)CVlfw+{C!OqlXR+eIG3PVKLvVyX^2wS+8F06V<#Y5 zo@;v?im*+UUzuec7ltSv6bd_0*mZd!1jbl)8c9pMA?C!VGQ$MJxs+oiK~UywOo{4r zmYtj}SK9Fq_sD^fs{y~Vb!X+Sb|3HTv-%z3!3po-rm;t=es^}@M?9ZQ@?sN7=%z?> zQ{-_~Jnf=r#tEn~*SJNo!X{-cuSY`j)bhJFkd9Ix&Q-XD&GuyLTR&_5g4(Q}WE^7p z0a=&6b29aLy%w%Np~g76M^-cqm>*QP3lrb%YZo=1#n?}a(Q|I#(X5gq^KC~$U zQfCK6EDm@Z-S)F|OCL9yezDlEO!qZS1`NcEeazwD^buMMQfDxsdVy;lK;61S- z=~C2_8G=U~J4toWa}U*NzEowZ9!+v6K%vb${Lb?Eix#c2FzX{_d@Heb{m%5Y33Fyd^|a4wN7=I6N%4ciSB1YR#8sgPOj>qHqtFed*heIDr7cowB-y*Tdaa*wG_)%{Hj# z-Yo`YF?@bkeF|@Tlqg<@1GNZ>%TkX>Y&TW$;~X^lNh%?=WG@_ZP%r9Kc_DcMy>uWq*~174bpeFw#n{0}$a#1rYm zlD{WmEOw`*SuQg1=I^Fn2h`%mlWuvaQy7eh4T=?}MR0z9;MaGPn5De{Xqruw%?>fz zp#O`y7stSc{pFcsr3;~E-GUcy$cny?V@owTm)_n?Yk_tdi|tVD<{St4H%mde4{UPT z6O_#lYqmp{-&ob&Z>zZX@!}c_GT~lUt$?8&N%|zSd~6tNihENSBBdhXa>mGdzi11b zocw^U65sk=FoPGTj;~wI+(H)Z{K4TC3YV$l_q`_wb)WNI4MCv-w;Xh~-+~QFL+SvFe z01o)C`S&jx<6P8@YxZUQbanO%_jY34w^z?wznN!tBOBA%SqPa(+Jy@dSp`}s>d(OI zhzX$}PVX1Oj`l6OK~0z4)oiV4Ud{IuduS%-7|m1RBk9T=!SWN&dJJ-U zrv&gnl%iv{;L=i(7}LwOHj$T)Q2Jp)+PsPw&K( zg|u1@7p`=uhLcoJUS8bmYeRP=(zQiDoRl(K2h-?OtI`bq+Rahs_Qb>`U+y@5S|y{8 zJrz4+=Fe@K*|U-^{=$gu8_dAmdK-^}#{Vpv5LTg3^J<3t1?nBQq|)3%rXAYc?hIe2 zWWSHTq*ks-+!~GC=+FtX7YK$-yjnqsP5OmXw~zs`)8$Kk3x!GKOh0_%0?)^iIuGS4 zB2wggAng};eG^Z?ZyO0-<8_$16~mu56&{Z70Q82v_S>Ly0MT2ARezjTAj#fx49Dh9 zRMn|m^4Vz0aAEYXY~MAp(7uR{=t!|6B=ZA=ArC)1V~qe&;x}3KAtKxOxF3i7m)L9x+P0^7u-(N;r!a6F?eJc&cn8eHF;ff*p;eoroxkvgznAm(#mS&@LRCk>CT}DHb@l z_Z%ERc2P4jiZ}00Vu$!1oUA#f@f{?*t!llMmh7Cvo(4|H3qrbU)NAwm^mX3Sttr2I zdKC8{$u`Jdol%pW@HzHMGPeIK3*d0alc(1X)hzymtuTV|QkE`okJ+b*g|Yu7HJG~ONSubNCdhtAV{6+L? z0ixH(iScTuEu(HB|*j(1HkB<%_K&{gIsGH-om>h-<_ej2WS$=-V zD87`#Hf`ZowY8uPDyJ?DpZ8mCzzP=2F4It+W=}S^+-IyEbe%LmN7&h7 z3TtaCX5Ku!uGl3p?(#k~=`2sh*ZXm#nsO5;nTi&@G6KFvH0=kMiLy5#KE`X4buHki z;gcP?PIyjGDf0YvG58*~pH~aA(ZaDiuRg6f*J-(=ZQh32sU6LZwVAb2eB3er9rulQ zw6X3-oJ%Wp=@axrj>CyoU(4Rb8$N~th>>Q<6xkQSHu(6qNZ}d~$Y<-$-@S-R$Re+| zW7^7(?ayS#S)Hx`XqBfNcX7BIz(daBuKQeC{i(!tU}fsBjlKNNV|l0hQm%={?+!N@ z0?y%)ccw)wInTfbAnAGl#5JCcs^AAvr*#@BCHkU8xG&L&KzBf@d_s|F4C@180MaTp z3Q#Ug!m3naRtPt!uvAyL3E_2gk&fU}z0!0a2Z*Ip1fxl}*HrF>*BJKE$X9MrrmunD zm9OSLfe-aVW^#X(R(K9Af8h4iiWVX1!tYh{{WN}b>{gfh!o4%S7!rN$DWbb28pBV3V#BottTKudXO_iG zlV!ZRx-(xmbQslz@+^V$WBI@fcK2BgvUoeB&h-4K(cpWC)lo&d{M8H)U{9Bvk}R|< z)bsguD_$(ELAIGCd5gC>s+Q*LU5vn97{R}$qoW3XR_0U6ik`BNvZy9)Y-^O5@=9yY zwGTc9N!!t#rn>F+gEmEXuHMv4a12MyC+aICsTr=gaDNcZt-IdrML2IZVO-dwfu|J{ z8bdu?gKhTMn!-&zd4CPYfJs{@f>6&%lRb-`6q_qHML|+C$2g_hJ8B;1!g?W(=%wy@ zvjL2XS4mbry{3Y8i@J85A)C;R&$XpBCf-xUF9!8?vgf?-gufMy90n#vLYzy7UDY2$3)=S?fTekhv{)iLNa$Fd~Du(4mOxeoE5o;6;tP zHiK>bc^z(95fT(`uFa?RVHp0TMw=YYG&@gx4z||~(^2ecv6~7~Di0S{G*Qs0^K@A@ zw~?#@!Qe$#ZBbLCa68Oh40Sm>apUa*%&G^{PhU^*I1u9J(+V&t9M#Y)#UI<}&mkv$1@VvH>03t@eLQGxRS!gtM>5g*2tx`DKUU6v`Jas z9Ye5W!=rJwc&+7UuCSJ;H3(m+LUw`>QKsTH`Q12fL)&KcSaB%wm@1?>zgj7sURADL z-jV*)q_4K;DAVS}iJmBR0H^P>m(-!9YR(@XFl_#=nM<4x8~@cpVE;oT0Wf`-n5%>n zm3<%_bM`DqqR9bN9Y7L_q0m|nn$gHz z*f0zcT+Gv^BjRZ9`2-7W?4iQ?earMmCMT^?xM1@5u>azC!Ed-wzfRSDtE4ed>f8le zEmuJ9pqfFh8sDGOBD_-mY%;$JAi~(I&#SsCbN$JDK{9!}#Co*!JqJ?!CgazF8$)vb z4&%+22a{lbH>Fl0_W-zARF%pZ=Y`(4S=q04D28j*fJe1beR5|G;q+2+8=M=vlVp45 z#tMMa`Vx9l)_AUOgXUi-)Ohk5fH<)?7FI!2ITTd#lizZH7!jmCrNRm~#`+>PA0`fG z+^BQ$&&x`BF)wK78jK31;5vB6HL(Ag+>TH-j-{Cp4ilpwD0FF_lAa<&C*w-txnw|W@&wa-{E`(X@ zo`otmKADp&1z^HRqAlNNLHako`A(H{C)J72M)W>ElqouwhQ%i64*IRpae*|7mM^H( z{1VrZfeTV-df%D;vJ0o0j~tMmQs^S|!Jw(_0q?WFw6O|>OJ?O0U)VIkXCdF3hq zbV%-Ik~v{)uhgi=3U+<2E3liYm(r+}e;Xa)I8tQNPyrVsmrYTdbj1wC@FFKQShQug z{^VRswsORD_Wp;sHIvm6&UR}Ak4o#jI=nY z1?^Mqs%*x}*IRf4|8B4O-z;W-`Ev$+EdKt2$^1hE#hhO=&15@=7-!bO)9?@(SHK>s zAa3stIcOZ%8M1LE|m@HV{rY4-xjxSU{RWj-Xbn2RNB8Pbjm#c-Q^`0Lm8; zoRe%&W6vYu)p)!mdOe~@2fzn++?w6D0X21s30c+K4LLCDx4=WiVK2vxHiGO0tMUdw zec#@zqG#is03kuba#fLi6z|D$fK1H+WQr1jOhM28j`&+yA$xx_YTVvjGR+H5umW&@ z&<)We{*uVdmnQoC5<7JG)XBnbl*A8|343~>ZOIPSjs-jhc&v1pJ&ebtGpFqzL%Bvt zqwe#rR!xp@hiBDBM6>;KN^{+VXJ#+2U@d7?u`GH7ZgFghoWh&^>?s~_lPb0KCoTXj zOtQ%=5nm(bg`0;u>F3=Qtn=`5{gfMsE3bjbm~Rv&e`{S&rRiMI#fokZLSn#l&H7BB zJxJ(eV0X-UkKc4|P0As$wN8tfAAm3h(xDu+Q;^-nc-Ng=tzB zI8B{z4QJ8=eI}MRj+eRWvMorhU&J784J~ujJg-v~8gA*FLsv3c5QKi%*&Ue)H z_qpfAI!9}wNf%rBF^Jey7M9q^LjaJTq4{(jDu(VW1|gy&x(hp$t1-ZCm5)3p)c3{@ zj;Gw;lb}>m6M>X-?WY{`iOK5HbO{%37oy^jq~?Uf3B+K*eq?n1JCt4Fdikq1rH#U%jkPpv_PWh}sR8AEvift@!ilWR8ehTmDmC)`KuCo$`0c@T5#mbpASMe zmMDyRy@GA1 z7iN+(J`UU?aJo1j08S0haJw?|u8qmTtwVz(jnpeyYYj>#o$8kAFua(Sm5GGDJh?px zmbvfS_9M?VuWBx=(aNqW_t#UxXp#bf9F(0Ere6axuoid_afUo5Kx2o$y88+fd?xIH zgY0ZYNW5sm9{JSO@2i*Z^)l4Kr4?T9RvkT8$hzHMJRaNtg6}b}tOsVjT^W+<`IoiI zzS~BLRvp!;lr(w?ZvV+z`yWSZI4le}_Xrl@oK%f3)SQ2uG3^+l_5gQz35!In_#}j6Zi0-gvQ?%Q35&LUVtBJtQa6SyNo+5>LBKz&XvzMnQIeO0P>Q zY!{2^V;Dk+qK+1;dCml=GM2WHnsAzB#;RPsi35Qd5^>ghf<7v@OI%goZzpJNby_r*hS5?rGn3 z@66AXTzdD))5p+q%J;9txg}3ujDdJs4IiTY7%cyQ75O}3ig?4o_LD8?k>p2s`2rl6 zPOsH^9}ccUONd52nOk2+Gfe$8xyDY6I*G#)u1RnOXQwP?9)9_GHL**+1KG;P>IZ#1 zQz3&{SqPq_e#7&Yj#cI4$)EA^TfVXphOV)-O)B<7*@kvY$ay8tmOM86R`$ zUHf9;@EKNL;p$xqR-BNiYg_we>m90FrhpBiSGS{Hdsyfz-=Zn1JLH@5emS4YMpp7m z{!$r%Os0>;p~}m?ZW?N?X0JOV2YS7i&D-9r>Mmc;nbKU z5!PB}lME&MXz~c%{6&INvT`N$DY)(O z7ZQ~H#n)=nVbA!VWocQtzB(b~&LgFz<|H%`_*AYym zUMRmDew=4k0ju))MH$Z*acT`|iyqKzNGo;!W`uCfJ%;E_DA?ZJZqX_0Ada!{;Oi3Q z$QK^91x4$&c0~Cm&$-7KlP$(2y>oh-!js2HP_L#dBjILwse3kQMxb3rNE1S3EMv)R zpQair2eim5X?1+RmkoAI)o@TIP`bAoPLbbJmBOAOA97*Jr>I?h&QOb>)yuqc%~U<% zY};>p&1Fg1s?rFqHGoS9*JHyrgXaR;m?83_A`T_u8}%HAErOER9?voR7__JqNJ{#$ zpPqo_!26}gA_1E3Rn>!XyPI$FY=X6r1lp99RiN;`yk66$u@QE82>Oo;>S1FQR$lWu!N*8=@?<}VKux;>Z0Zpe^e)%4Lkz6U|S$>&g~ z36ZmZ*4+~!Y>{v0ns#ArxCv6twxu`ak+U4O%>g9X^cfTw>(H2`xsNN3De1OdQTh&W zO44qwzM`Dp>X%&J{H&@Ze)9G*u%ARu6ne2lzBVWl9jco9acyRwcWr^Nhb1LI#U=jK zgVSd(f|!6(o)>557+OY5Iu(`_*D~%1OsGNEoi>FuYH2K|N#>abM>BYeODWSdT^1UM zzr+raHiNW?wZ?UY;|u!{vUV%<%cAadAMh<}OPs14vqU}ag0?P+RVQ)# zIWW>?;gV}k(;fbVlld*cA>^AuiHsF$sX7GSwD>b zQ~gzkeTvpb1p+b!`83Wq$GL~8?lJT~B90`UxPhPSC4NTV*kh3Jgk}w-4x9B9cqVR8 zId)a<@Nd^-?UQeL0l_;AuJi3>uzJ1JhC_@VFNiKmz_3lbmsZGM1(K8-;v{VEZv>nS z?C%>(v|FQ4_ftv^Ydga60rb<5=I~`Jr_*^v_hr{M)5hd4`XJ|^A-dsR^}`X(>)_5y zgBCpp$HuTP%SN?^r|GBxSzZ1{=vF4NRi&unsPSNrweP!D^c~UBP72vI*&mwb8c+D3~$AJIXKt$|vqSZ7a*^EUM}&+fk6dXi@LZ=xJy zCDkLJQ|p6UKJ7SYO%|6ITcIi4Y6*%z_T1)m zjPG?k*!H-NnlS81YzsEw%hccPc|s-uVSpu^KMIN|IPphg2J62MCDUP_k8iJDyYCd#$gSX~2~Z~p0#bP!eS8QdZ=KK`QPrv; z!87hKdnAK|Ykh^DXXOO*6HCQvAwtxf!!Vs=;5jxq;+P*(!l%OS5py@SZS%x>%f{aj z_o1GGX`e9EF{VN$Z!8F)_mwT z9dIff^x@d(_hL0kL)Id~N&_K|oGHr7E2-20Ur&W=%i3#~-hJ3cEAhzvYRRb)Fp{=_ zF^@!7=-NS^(w3Z&V#reVx%pe2K3bbbn54ry$Z!j|PHT^T0@q1BIc6@-%5}YvX|)A3 zBRvZk+qklw{8E{xacf`C9ujOe0bpT?-EoHQeEXIIVFE+bPrUC3Qb(tqaxR=%MIvP< z*X@gO>*I{=f=)=K-g;-40uaE4>SXW17F38H5|=#B z9scd88Nx^mk+D_u#muB(EcRf$dfHtwD@9`nqrab&@a>x zv$zo$L!`KYigBBnDhT()-~M6v%~i~#pGBx@hC1oT^sZMQ{MmH=A1dI#A}L8(lrDeX z*ZMWWLz4#}6FwwLWJMXYREu}S^gAiqn&O}Q*e$@I$uBNK!%Tz4hA zwA+#CJIJ&mUw?O_8C3rHIFaS#UFd%hYt-v(2e~Y7*As5AkV)7-%Jx07$DBb zccTgrUvrFw@n5>#GKuhhGai=KJ6R1B*yAm|R*Q0Vi^GXKiW<_p(w2 zZoXEDgg4CYa?b2Sw@RkKR^z|oPKjg9Nu{#H=(Vpzmo&h2GR6jH{Q1~R^uD{s@SdW2 zMQ;D`75?EQ%GSXK9UUu3*_s+}0Fd#+46x-1Zd+je2`})kChC8?Xa4>haYt-R4K=ke z%fVb`O-8GW@LdOxGW)A8eyXsFQ(qgav_aW>I?)ggnf(<*mWsx;pFm~iy{$*%2O!N4 z7`6eHbF;g+HA?s)Kb>lIHC5-?l#e`oaVH7?sLO*{VlovmvkQ+eh=qa8KeZ z7=h-M1TkU>e#>}v3(_S@Z4tw8N6l%1zkCewYEriO8jH2B9WfUU^i!~{<+Bh+`~vh? zMxfI!331*yQ`{Y!H7uh`Fi3m|ge+EV<|X8_{x`pH8I^lB z{!J+7T&nr*`Mb^B|8(1-xdRsGKDlfs{dVu|uixL_zQ}+0O)4M4Av3E6K_+OpY4#dW-4s|6z6fhqv~}8;3WTt(|c4U5T0k7BC|yuOI$UU6_U&gcXjO zd4D|EGI5PCn{Gi8565JncXA76mp3=7NHqcQRS%1)W;Drgjf<6X-8C1%Gi;~P6af$x zDL?J2SqR6tH1j*Q!;Pj8TWSIa33?hHOxoYKq5hBiKcHPYbquNi6x@;;ds3|=>NHpr zZ``Or_^h0W#Q zwp>gj=qTDSVhB>Sf-fKAPTOxb9of?uLaFPyjteZy4n8Im~ON z;UR&JSbj>;MXFhk?!kbq@xWb-@W94f^En)M!cC%|p> z+Fylt@en?hPfKbsl7k!p8usQ&T)c?ZgpG)OB;;1T`fU@|9*5ts*8x5xP?GtOW`!LH|4?=Mz~I$FHiXDT}_E~owU0W_pY zi{0JeWQ!MTfkAb10`N&Lk>LCZ4DULyi+C=(dS0)~q+z~df1jBx zcmH`puNwXlc01Xlne*Rv`zK&wXNSi+OZwxBiX^R@jlrl(61vv1oEvE*Yp@MU*PdO@>Z;#gD%D$?^_5FQxN7pQ9j~YjL<`@5nL{Q*9>{-Fv0w+7<8vC!|cATssZOIviwe8(5%lNyCOKl?8h=6|)X zE?_hfoeOK*5CWF6I^SIlycv zOZ+FGml7X3c_7QI!(5D}r&kSvlZ``AFcfiyzSW>OOY)dcKpb-QKb1+46Ri^ZKhoStrS6}`8v;EWV_e7k6={rourGF_-LEVid_y4i>7EoQL?b^2>jr5;T0YOB% z1QaC%lvF7}xfXHGi9kbV5zcOo55@}n5Pr*(sAZ!ES z94G`kkgm>K_XQLE9Nf>Om(7dA2O;;(b*!c40BoxMz=(3(Qv{8wtJAdPwXwbO)z9HX zqjZj5zp~)cqOH3A=tIg6W%Zu{#xH-041@ZW?Cw~f%rx-(cR{2M0h5E%hP2b~l zQ(6>$y*^$OzZ%eHUo%J5N_~#7?szMxY+}$Lh@(*CVrBPC>nY~;lbP0#8WE-n?8k;I zziN~|xG1+sowaEB2=lDbXVa@apsQDtB{Ze(XZ%g>{c-SC>PfXtouaIR=;Ck8b#$m+ z-qmLuJH{8#%-Zv=u+yknsb+%L2fw#1uVUdt;DjsGTjp+uOpF6AJ#l zgQPFP7a0(>gs#w4y-mj4rV<34Ch?k(Cip6x(-nhY)ekPuKR2GEFD!ZcXNKly#m(bC zuDFTY#&H%)p~psXEsq=Qy&lwyh0QL7GB|6;}4dv0CD|;3$#LN zz;Kq6a7uH&+9kvE=^8xQOwNGRLXw~!-dRgT#&Zw4?!R(;yCnDlxujZv0u|Cvr(miWFQ44PvsBYwd?bQ|NAvIujIFbH*6)rxg-4qy+OGrs*BD!!w6blVF|S<@K( z3~vOkmcFHP)OSsP%uq_8Z&_)o`Y!w`wa;jXvXx%8>#JqTIsx9 z9Y--hq|e>??me5S?&mNOay9vE}WJe2v1PrGapt)P`^kyv=N6Esd{1%r@TyuvD8TIyOuBIng4$E zW%(4=k5Y3@!8=(SNPV|qEQrHy%pm$KdY}oA{iLwg-|klxrgiU39%Or3lsgX7wei!A z+y_K6d`q=%psOf2LD+W=TfDn;3jKX!@GV%+c?U|~GS#~%he^v-82_xIt`Br9yO*5K z6{+?tKWNfz6K375apa5;1eR3w0p2!Ye=n%^9c4>cwNIu$=+(K_qhb5gNsNHrv}xpH z=8fD5MBXvNR?(9*ZOKvaW~N3DsI;{!<+|{yaalpYrx6En%&dFU8r3dQ`B@|Nd{(&& zo)%N~QE5@kh6 zLPw(dD!Bq}QWwSnstv->J$yCw`a7wDEhiAuNd^^}{iIfUbi>gYjFmnGG?w9Kf0fA| zGI3{UvsK%^cHnj|tA8W&rse+m{i?My1f1oP*RY3*W}Dp$Dc+NnSYBXR;!d+% zdcwXqunM;)B_d`(<`roQpVK4`dPjAc4qke?k=1tCy_-1Ax4*WS-#RpbzWJzqZsP=F zg4z7_mSfj2Xe3usvYYnfj0JzvsQ$oQHyC7NeeFQGqM5v_$a>e~4;$D_I<$kX4R67N z(EdR13#5oozd3&Atxpa+djFMVp_88U2Y4@3rS0bQo;wib3^jCjXyQR9V_(gIhu~yZzz%cKd;dTo<6~}rPzsQK? z;ju7Z%n}ZUAOzju$2q*A#f5ss44Cg?52ht$ryB4M7jB3kW&S5}4IZ^K}K#qTR? z3fhKXGAS29b^89tT~)de{*jm1+nM7Na5?mAe%vXit3wHuW^MbW(xoca z=?oNgi7a=-oBN`w9r{D9jFwZTLlg)6Nf=mDh>J+l_H+*l`lT_w2EPs2#AQmINyKSU z&vVwq!GGjgLK$Y0 zNhSF89KwA_y; zLBGUV3+^mG4tJzou~yz_SA}J zl-6Sp4v$`aBQOldc5I#xUG_HqI)``Q#_)YOW?6?N+~yWYRmmMz1!*5fs@N*nPjK++Svh+KlFaoGZdS0H(LT4lsxGQFUT!<0NjUR zJM|M<8fnvwH|DpQ(zWxO0~(N&6on}7mKoGj7HPxSHtK!>Id;F2FjyoBvuj=_FeI=R z_$0J~p&YA0JKwYBqBdfZiUifirKXxKzn;TTyZM7A+q&6GVD4ur^-N(DNm}l;Eopkj z^_0gM#0!EA{Mqio3@h$FskE_5A|O%Be-T^^nlnji$4M`7JlV^eksO|6pRGta5Kx!p z^ldq2dv#o^J~XyR?*&&LA80%6l!Jk5slodYzvS77kGBy=_BUH`X)o?BZxs~2&{6(| zo~C&aYqag1UB>rS(*m7EmHfT}M#{9oWuv>Ynd>GiiYjBdx@zC@2Lx1W4O)aj{XecV zRLV*5^U6wSDtDSO0Ryvq?7r6CWveC5KA}jHJZ1J)=rbtu1xRM|ThHpw_ReCzmbTnC zzRpJ4)dJWK>ciSH$i{JwdbpF6Z+#wLUW_ox-}Zrj8}>48h1wm07Yxz+#k;af8LXwL z4}WX2HUxgMAC}Sccpvh>=9`@1*u76C5ZokUk1)x~v4+a?9cImzSX!$6hIP}dy6VL* zjeAVz4h7aJH!J9zJ`>aX9(!BzrR%yHq^W>tGCvL1<=M2W=5LiHe@}j;k(LtXfC|xg zY`qgaisJtmmjA0J^S|_>bitzE@|*d3QW(+VCvWXTeILBSLAJNNS;LE%XxZY}y!kf>#>-`7LE3k(38~tXc zmp>y%N9-QmK8<%?4DUH^y6i5_&Yy!79JGgEFP-#unR#-F_dL zbKf!=8&1%ZytM&MZ@Qa5 zF8-1)F-5!heiaoV-W>#2oM$qch8V064saNg0siQ_QtNZ5IJy+2vX|PrPJ-xrgeVs} z<$hph2&&tz4yzzgC(l$N@|*7n^)Z=c5T7Mknvls34SHI+lr59I24&f}v*~rbc1@T@ zee*S!&lR^Oc8sFn4_>0{{PFqGWi+%vz>PYgQv>+R@y$;0UuEefK53{9o6>s;^*Sq? zwqNm3bcnSPd0Ushqlm3ODg+3|`1Tv8Y2a^=Z}~o%sVMBo;9e?;Was{(=dNtC4DJu# zVmf`Cc%Ma(LDMt89D%U9}hetj0{ov3yng49^Hns(#?G^`-pVFk0f?S+9TM9Xo zmnqqNy^6-2Eh8_|A7a=vv$*D2{21GK{U5l!uHmp%&6_iewD+#^uIjx+B93_VM|^f} zb&^|u>p!xB@!qo7x>K`|XNh=R{+c#EPT~{Hv2aQtv*z+d9J%)0m;I8w-of(?*Xlbcq%`Ea1DLiKbNsO87DV799+iUM(7o zGi|(C#3+am_UnaxT&T?l1IOMoao54FoNIZ0d(2{iz#x8F>22{IuX7Cd8RXop)#wg7 zZEz;uU5AqE6VfiPnCX;5`~Lk-n40>o>~}9FssLlMJ)!Zu{Ih~z>_T@3FPnqKZrmj` zS1aUb$DiSi{|Z6GPX53kfD16^3y{tqhJH9EpE~x&z1;9nqMHxPwL)oytA+DxZ`JFQ zIG()#;kqJ*X$#bf2F-~=yBAt)W!58qswHeB*L_KMT(N@rAdv-O_!Bz6;(ddacbnBy z!qZ^qP?osr(W_CU()1!%?!_2e^B%zp+R7dg{E;YUKH+x_!-Q$6rq?sxohZv{xz2CD zHgWiYVV-X#enp+!VVswDZ02LDC1_&yIQ%v2 zlD(<@=yo>S{+m>fstYc8%5&4l2u`=wOo09Bo2EU6k~0bSfpHc&;Xlr9ZoxtIu!f*+ zWP~|}++}HdLND*|+wLCTzOpnL4nv;uxsAEUBuW?S+p>nk8_CFl176e~br9M3we}d{ zGhQFtZS&wh+Ik@I29M>ZiSbUO5>;2UE}o;nw(K%NZS_K(5XqQ&9V&BoE;>p%)~@Pm zYGbgX4(oDxVauC$-infLQV+*fIMTaw!BQTz_3rGLCaCL=2Di_O?tSscsF`t$Dc-8TyVu7!{4{d5d^j zlyc^{NbQ{83vgfMRyAH;F{ap=8tRXKpz;fLAgr@8#gZS(b;L~3+F{w>S{1+J-WYoH zkaZ|MGelQtM#+E3)EEvKNe#70Xq#^yUiTYqDt!GJ%9;^^k*)*-zau$TjiI3$?zP7( zbh=)*`P-*XRqclBl=QD>IzFu|uAR%iGSl8a2FsN1l_~ij@>oY5lvujjLMwPwnaF8_ zD;syUb8n{9XDiZXr(R9uT83d&Y!}AXgBCSi_xmX4yxEoeZ^BJLqVrP5$aI2VVXqoB zX!m{Q{cFol`Cky+#P6l6CrU%Z&$-OFRx?+iOS;*foToI@6Ip_8msOBH0U~q3?cs2l z^;;{4+WLJ`JIn3w9%+#-(+sn<>d4@Y9p=)M>j{4w(2vii8mR*UcYwBV|K%E?`FnFI zh5q5MT$P;E7*+MY_3ym|Cs9|*B5j8B)La#42H60Hp2u`>tfWxgxYnzpsy)|{CM9j; zg_psn_nUk@tFkHXKJ9(I*@ifI)=!H=cx&=Dc~3(r2W0DNU*r$YWSkVcbGd@2f;DLU z);E4ZFg|@-zl;~Le9)|Qorp_8-L+0>sAXhi@=lALjO%6pktek-seF3_CKJ4RPxB;{ zHW^Vg^ZF~~Dc(xYMN|!tqVe?aqS46-G+55o=@a9>9vG46y1U-``HOvJ4g%(knlW=8 z)V7OXMM&+M(JTDd)AzyRqxbuZPS>p1eMx816M`lDnLli-+JiiqpE{V+li>)9r8BmP z?JJ+X<~SDfzAh&2OMH&V8v1zNrPrSE4;HcJ<`&x}b&h=|7%_6njPR+kPm1~(!_GAj z;;>=f)?`-GxQNrf6eO=i+{~ChrPSFiSO9{AdsG(&RN`E-jRSr&@n9XrFaCubGsa&{ zUN7~m;@~4{&>j2wjxEGRCeAaH$pw$#(2Ywz=w=Uzbk=(9t5dE{#?<5 z%=2|7V}h9knuDyG5|o`qrF1O5nT^!_9L!`312P(~@Yt`)f4;euGzzmW)O%fd&*`_t zqlr>}hpTo>S0tkO2FzTDcRyfB5?6;Xq)?ZJDy*h(bVjAn#XWd#4{M?q%(c3j1@xC2 z6sihceQ#;E+Y*~yuoer%9%8OcsZhmRa^T#|JwWX_D!C}v$nTyc%x4H3H4AjT9j7=x zU&$>^dy4;(d>A&8wYKYJ4aH#1W;rgwUK~1i`k()@p z`*C+Cf^$^V_uNDJy5#~lZOt}yQoLOcN8tc z-gqQPtS5 zw3&ptj^UBbU%r6%t4LM+lgV0MZ>_P`&TF?KJOip*B41BR#-0tYV?nuR6Bd#bqzx05 zyuPelWEaAd2BNY#ojdM3cKGWm2X|bEULE=n4t0+dPLyqq^^I2zO_X`pep=e;k^je* z=I>S8zy4K$A4fU*ESBB>U7AA>q>x`S2U?DlavtrdA2^(qrN!uzJ0YzS#66;MTbwr` z6|?O9zepyQR)u{fJ;{P2{6wT$J;PULh9JrySBVj z+@Z%zg^K;(M{+c8G05UIUY-)i1a8C&K1O+bN+hR?#2DN1QEGQC33SR97pIEPE9pII zdwebA+3eR&WO^(aOB2@r+!tkkBMB-KHwH6os0WPhBQ6Qaawz5`%VGR1sm6+RaY}r5 z?0LB-+Ni2x7iHz+91VWmyh@ zoO75<;SRTWsbI21x!eyIORo2Lp7Md^X30wypyy{-b)o=>PzG9-b4R)x4u*_!;hrbEw*cv`+= z7=gsqyM7F1i>`TV8Z5J_sBJf5rSx1Affl^k^}|15e-v}0#i0w?6V(`Od z$hz^00WsTn+)H{>s=Cx zm8N9xyup9>A1nYUGz?bq-c=f((_v-b-~ZxdyhmLo|qY zx5^a-0hW-&L&joWyCr4${ht)O-lD9&51{#&?(<<>^Ke#Zun0u4r_kZJlz0=`tQD4ja-JO1wUogY2Yy9KqO*cbW_+dTk z+yo&8_jIO40@cxS%GyOOwiPKJuEhz(look3zt??B~E!3F^4h5+_ZAPei?x?o&%d zGk09gFHNZ84kCB1y>>!8S(t|%5e*0aJU>~B(y)yK^G48<_|gNz2?}XTdoVs-*jiD(}sMxA=Fn^ zE{t+*@lkaZ(lDpqN4E&151205MCUFT++9DLeb{A;Pqq%)%J7gO3ev0iY8Tt}^Pbw> zCM*6m@X&icph&8(5ZjqvODphu+!da#W-Hj>eN0?1VC!toIPdfqZz~J6O>Uis`jVuO z8;mH9^fk|aE#Xx8Uefhr?^k7uoJ#BXx*?JN`lgD`v4I8FgVe!+8Ff$b!jp$|@ihbc zpa&wMSxjgnFil$0{^riqa*U6*qhy(D#Z;nNIPo!ImVD0AO@B^O6|14PZG5I;Nyg3sLO)ZYUTuixQwdn=u-ya7Irc1#{iy*&8~lV7WQ0 z)lv6%2hLRRc|pBRxwAL=dE~pdm{m1%%c1CKDauXRL$kS-ZM3+Yl*LX+UNGP>!kU>y z{io^*X;CJHqNJp&iuy`5)?*gWPS1^t#~}W9KeF9mAye^c@jTq^-=O->=P6GfEJE;a}mwN zb8|K|pG)fl$0#+=)tBz;gO99pj&R+SKeEV&0 zIsbkxynwqfcpP$p1=}o<7sulIl-ZQzPZLcF>ynu}Jk)km_fOiV|0c45k$Z*AyBL!l z*djq~@0uTYnS-(4ZS-#<+fpbm)9|u1&n`x3AG6xGAZx2#6MeggCLNaaGpklw}<((f1gNp!j{aQxeMNoYU+=p z`V$t=O|=C^Q$ZPRkd;%aBysTZJX*F?W#bGeRfU(eD$#M-J%&sJ-H7GhPa7$eB`BZA z|G4Yw)g(U6ywmWu1F&DQ8MOWUY`qS?o%IVy9^oJSB^@bh$6SeO9AYYIRk3ZjYi@__ z=MO*qd!g2c^rMDsROL5vLEj-+{6J0a?zg_S*n9P*-={Ls-OBt@wGIMlekql=rOAt- z>mU5QsN7HCjMq-dBqEzo4yQ|E-ynLr;y`Vf8_}wxY=D(-a`FcxgS9^6bEOLe{QORU z^+tdLX$I|3iK(ivnq{5amX#8^ekrhU;%5X#gLbK@QwPb@#+AMnxgKoAqPD#cE!a}& zI(p%HV)H=10j*IPIBdG*vID}PTyYz~AL z@3i*tHr<*;5-{5Dsf-Qng}cRLZWgSMnAHXh**sRbY&D}_f{AxQjBx#v>jkv5T1nJcveYgJusK57f$3S$*G_5w; zSS_Mg@A*)${Pm9Ib+12;@bjlr;9c}^#V#?%pBrpE5u5wnYokK@GqNMVH?#WGlr3)Z zr}#(?m}~r(M#}R3Qn;0uqa7F36$*T$Y2AS$a-L6!*$1_ytgjaOLmQj~Et3sCJL!X` zpgwE;{_%dR^_t7iefo1G4ln&PvtaXWfM^EHkWh(w+~OBs!~n78y2^qhP2i0q#s<_M3RzVV5G zcbIyGRxk1tq?Y=%CvCk>Ei)bXPWDQHiDCw2j-x7?h`9!e9R9$2ZTW*QKbn`4kTJ=1 z+BO0E?cIC7FBGjgIU-JNDz~dMG)@_bUgmljw!0Ssm&nC+{ROsc zaR{8e9{)1hP5nruaG)pwZT|2PdwT7)X?=1$8yu7xgr1u7m=E)9LKBWj>uL?s8v??00@{7GjFm-ZTxPNnF>Iu|@=SkW6HiX*ur%dkoCe z={wolmFPr-m%SPPRFm$NDV1;ttp@&$rAIf1nxA8P6I#Wd5Dj~P;>Rk`$temF$72R4 zGHqBY0W#j6&crfhliYLT!l1Yel{oc$Dz|dgIwyU;(n4Am(cGxRfMZYaa$i=oqA-Tl zBp|SOH$koUv?pP~wvGPv)5ex9(H{~Huv6(nc%5@79QBcYL#@a>wSq=U^MSbz1xXU( zMjw8rv2XErb&2Lz%i>iv1z6Uxlrj^jOzmaw!SQ)DzlB1Rilar*wqQ?B5;GDc0Ci8d ztyUE~F1{0v6WF`ZYKoswh05!Qd60Od^U@_%d|M{720F@#bUg27hzlfAu?EGwuIm$? zU|Df=Vs|9{@4QVtUK8j5(0lP?pryt=5<)KXEU}s5I+Z~@Jh8cU##-WuTM0OcRj~J3 zY+zl?3qCScqigZ{D=*X`9U~j_FGs#H5#^}J^Ca1E40XccxTfFJ@0+yO=ks?BH4O`h z9{gDTae~C`$ve%14vZ4n7siGBp%xmfR#aXeknNAOVW}k!#I~ z{31XE_WDg1#Wjadc;@)t5gh@?iRTAMZG>6Mp`k&iAhGqL$GIZOGw|X2kg4X9*cHpe zYZxD<1&*$q02LAzKfemyv6RQQ$+?A2leel_htSCBhCwvih}Eaf$U>3aU92S z=qn^wbj9@3qG)5BR(zj9_7E=7SURC>4MM7jV`31)+MV$5D42S6dH9FAUqPA`3lCua zvdyynjQI7Wp1GW*+*N(EqVp4$qNEYZi!<+rlcRW?2eek&H>_GVU@F?^@=nCq(xBQM{5=>Q>S6?M*Kj+bB)WlC{*z)>3n`bM45t=d#1fnJjO zznBgGw<(K)G&+BgB4Jya;jWBNJ~KB2Y_7*o=%~5e1^*2ne)hyoH>{^t< zIoXR)QD<((&cu}cihMa%8F@c%l`Kc!1czzb;KG3bj>|Nkns&DZ;N-5#KF2g)CX}Tg zx}%xEW+EZR-HWM3$*J{Tg>v<=^%ds@dU*jpSzO+i3<}K+l}VZ*he$3hXh2WPRh~w6 zxj!-Qz_wy58fX;H9ZH^bQEW#+)-__u^FBUjjDXO`LmT%l6f4B}i&os5Max23cX|WTNwaArwH}cm! zCEmNhndTN{yK-Wt27EANp?YMArPl9jgj2P8&2eagXX~Ig{Jw|xQo7mEa)Q-W+AjXw zvX}h)BYX9Kx1_!WU$2{kj>_`cYrEKlJr!5uKAP+S*!!(HM|2@kcL&*}NUZEM46gR( zLdei0+94jEUG51N(Rc`q=GGp%yDm4;Gq$&=^Q!3laoxd*-Z!IB-v;4oTl)B@nfMHS z!ZderM;QnB(4n*!c9Kuw3g+eRf};1=1Dg|u3cv}+Dfz`6fY!Fh$7t>ge;H=KjW7?@ z*>OJ&M&Wc^TTXOGiv@m{C^JiLmP%Gse&prDy>%{tFXWZ0pg44S4qxIsOkJ8Op0T!s zXkG3~B&4+ok3{ZXi9Gd9JQTO*lA;D&!p_8SL`M1GitXlC~mIEGoD&t;7%|@EdJNlk zuRScB!R7Cz6p3j=r}=xA1TEf9+*+x8cR{t}q{LkPi@UtcTXUlv{C>sNJ(b`-kx|i* zEA4L-ynl>=4uNxnfTa!Sz~CIa^z}KJsZ=fn!c}$a(x760)pAfoKAA7KIJZ?&YjWYu zAM~h5AL~_kRiQ?qrsb}*c>`8#x3T6Eg%kDS=i&L7I&@FHJ$hR01io%VM@|M;#3s3y zLKkDSmO-Uh=nSFl)&J3LZ5I9Aq)sz|m)hS~2vsg|v+vR5_2&!obAj!+V=aZ;? zQ|P2i5k{TSBgUF;w=#~oV+hHfhHr@GJpS|r#R{QqLqeM1;^(mJn=9FZ?4(TJ#HA%1qIH~2p0r=3Gz3N6_R@WWWyan zitfyme)(d~xd>r;e}A(4nLC;+1bY&k?VK%YMKE|fkbNf#S|Yz3jNpW04gLsjWuVhjA90L~s zzBPIO@S4``)yTJ07CcJ`^ZEz-I6eruO`9{$Md*2F|4bLkoj?F+^|CQ*koHDrYbrVz zS}*IpwjuYD?bh<5-$ojUmH96prJl~y%7V|2$k^s z!%S<9co8?(rZ2Z{9SPH#;!WEziH^brqkN_@rbdF!qFU8d^swAvXMcYjm+nB;mU<@SPfDBYb(Nwm0dl7Yuij=JiVh zL=-m?1~Fa=G$7^SG`yeW`PAnbsc_U5SF0kzZ;)d-CN$eZkoPksE8VF}h8Lb+LEmj} zkbT8*>`kUZPmG1hG*^!nr4K0LdEEE+>an~bxzlz56l=Z>Amdek5Yl0|lpdzq? zT{2z4=`U*CA}-q*WSWx_TR$Px*Q9%#N`6SWw*ZEV<;P}^PwM}F;5vI45Ie~-5Dzx- zD|V5|X{x|4+xEA$h;UHL-ofv$M6;`3rPD%aY%VQGd^`_u4QDhM(7I%D8=LcGZQwH- zRr0$ZJ6gOEf-q=bw?ZztP;F2X-f&75dT*$gh!_0zv@}Cc6&R4^fVD8jcX!D7@oUQtPLf3Uug2$j4N5wB+p8fkZX`RR>tq5LFxJ%frZ`Hg1f}v44PZR8V1~Nf_P8AY1#r zgB8rbUsh?MxL5CN;U-%U&xg!-$1!Fk&4;kW}SfJ$_VIwKb@NGwbi*OPte^5)hIf)HJO7+?Aa9aF7etV9B*WxSsB^S`tk= zcTliiUwh7lcrJghS@anW;&f3xQ>`V0Jfq)3e99;c@p-!2{S7Xs?1$Q|>_avJVy`=r!bBzyv0 z_FQ#cYqhU~-0{@mgn05dNqE5*#I(>H*n-kVf?By1j z=3}g#HcrISOrusN8-{K~uH=kk_^~!Vi8Y z9#rtHXqe zcVyAdC)XmqO&bHINbr9W?o8(X?}WSA#Ue?;%ttH{pCoOZ25>o*Vp@ib`}PuaS)?fj zPXTYr%3X&MNf0P?k!6-z%|aP{{-sGD_C4_DPo3f zbA36yPL+g{gf0C|AaCGh4M)E^;LH{geuQUt*uG3+k~8FddBc#i?}(AZeF)MLABb@# zyVr0y9lGh*CFi54?EBX>7?LhkL8};CnIf*D9FCXa|2!fbz01oeg*YQz)i^vvm(~0B zNLb@Y!E$sIrmItGV^Pt#!AfK-%~$$DVgSf-9K}So)3dVt(jD~~8oey$l)4pIL}ayR zZC~TKHeFe~d$}SzV^?5~~l}BX6#vcminqJ3@;9Y#Ksd0fPGpv7$)mwnBZdnIXQ2M2UAFtnCdMEya z{5fyilrZ}GKwH*nK9O#vt%*YT&zas~HvJPE!@Sn@!^psIi8FFG-#D8qqx<&=Xg&xX zH#vD!IWAk3pA}ijK!fR$_cX8Xu)OJ5aiY1W);MLZyVG@QDNUGY(P`S%qA1S+5oE3L zjT5ZwU35FPI^Ie+U-dC2Uug2`@-Lh&g+ZNj+itP$5_2*Jc`QVZ+=t#SpWgiGGyRun z-$;x`?gA3B>UYfKxMFX0>nldWv8&>0hWRL;$K=VQFxKNtAucs$p<~Ts ztAQ0u?m|-Y)csWmO2JVZmu{SD){A`@`^~Ozq-8O_LLl}73%S2F%Ti1{4T2*f*+qvqpsyH{3HH1B7ST=KklrG>wK z(CL+{?Rq<+cPmEax~^-b1GQI#$HIgRk>>8haQN!pc}K#Ox8W97-maeL4D*fFJTMGh zdYK_)pf5(h7N;E|&H5XcMK9M|Wu7u>EQQXTb%vv?Mv0YJDI2wZA)oqUF?Rje!%`p2 z>hxuT4zj^6)-2of^X8MnTr0wu>m>R48GG1KAM;;_P2jBLqOQfleCmnz#tE8X(DH^H zq9ed}dVhcPs!>cH9Gn~D^yJrsmJ>|GWe<-eKe**&ADOz*_8c@!zkV5@DxZ9p7Hx%Q zQzWNrNS`sBXrdybZ!y36;U9aNm98sTN>J7hf<42xn2`Prpyd^A5_5;AeZzNpTbvHQ z$LBh#2B6pQ6S~+PIopzW3LUJnmR+ApLF9A9e7hqRM@!A(=qs5ZZT*!o+R^(4lpZxj zT%~WNVhj2+9)C&C0z;>yfLsDF(ha}?Fz!f);*hVjJDm}FC@pJ&-IxR8=g0+^F&5E+ ztc#c(n)@R^p+zk|lb&X|H{@8@I45FXvG5eBd^-F#y*3_0g;!nsh2)ucw`VcNH0}Z@ zopE)rHPY28Pl+hKP4EQFF|EdqvMio)v;*T zykj{2gC_2g(D~FQZX(fr)i`fz1c-Onw?p$^7SJnv$jI9==aL z)^8`1DK^^E-C<(ZNv(2Uyy}X*CUVJIQ8DaFg5AsC2JPUz6-ZMSiYCdZU!9jn#Jzg zIoMC1UA>HOmF;&_>*SnuRN82RmQQe9iea3D3%R%@Zg5lC{)Lw|gOCC#7aXJ!Cysgq@2W=mG*APNol$shR=kM{;Mo%b~FF z{l=C^lTYfC%TbtGP$zd3*N}+o_-Z2 z4BL4Jvea|Y&(gaF;DFYRE5wmwX}RKyPp5{ljJ-bwa{rog*AbR4TMGW3o_M~MFj8Yi zbSAi=_dKc5=ZG^|BwoJ@|J4=0t}XwYhKYT~IrA<~#?YBRSEN;h%|!1roQ5!%d9n3g zKy^XO5rG?B`3nFAyYqZI52rNliCX;wlSlU1WAvXWd6VDj-q)GwXDAs**q&{y_}rSe z&t@WCP}&wOzxSN$3ic^b0opqG|3c<{vGd!ouHE_7Tb58LlQSf?!&_@jT7T^4QUjoi zR;`^5t~!7Cba#25GxJo#sSsmnw23ke)yO?Yva967$d*ZW*A%*&tI+!I;AHitN+pc$ z$u5S=)IO`etnY#5N6|^*xNZ*7r^f2JsDZOt+~zEvoSGhRey@Dv9X!tk=GKq88z=f8 z3M4G?CCeL_`;-MoE@6V}xi_3$$hJ;P-mnO3E-z>W<+iDo+{BL92f0oQC2%t-- z+RD60*BAGdDQR#9n^XI{b8;en-4Sb+NjH5h|Bojs@SYxU(hcD7>Ed&T-D?nBv`-r& zTbhJl7*)KDbfF$)Q(0T?_&1`R{}TfSnL^Rk#yQB^YVe;#EiBUi5K`Whc;cwR~j+-`@qXhG^y)KCUJy`Sdcl6=5L3XZ>Du*AsQEFLw0WehR`a>ezh#Ow6d$OrQH+MO1 zp(E=-Dj`S9mwtv3jpNn8tK_l1@$a&*L{%6SiZTgfXW)~h$6_EU#RV_=SPLLy8d(PN zJZ&R3Oh5o80t*Q~08Xd}5_QwtZCO)TrR&V8zefr)*^v6n7S;4vgw)La+78-Qu*M29 zd~;h8$pS8Z{zDuN_SVPV7w@`PQ^6VgV+R-^0pc3A>IDXV`v5lz5xI5|#Qs;_X1}ou z7fr%=JI=;9eEZ20QVhU;d{O=-z0&&+mfC-@(ETqSJG$U=O5#Jp$KQx+&#fd%+{tCAAS4wYKrtz z6Svdt+aBAaF}H1^emQ-2ikevG%^O&Ec&0mU{Jk@F+qI7On!+mX&o=4DHLHs5km6WOC_Ffno|PECN)^BQaZ!_v{U)VgG{H7 zt|I$`QU7M=AGbOG_~L*03MBYryr3vxr;zx!zf=Fyk?#c$HL3qAwEyYf|GWRZ<(jBO zv_a1^^?&yZ|EJ&o|NalCQ1#xgfSt7Mb-gzxelwgM#2<=*Jd*_7K%y0uH2SqLPA}j| z2EjN(xHt^(-+}!(ny*`}FhLuo4E5+2@~8WDAT9ctEkh%B9*>4xLJtT&=qK7S`~zB# zf98IhyX45OUU)xSqon=b`RjW3{$igYpKs#~;|cKp!0Zvt{)WF_?H&?sxBS`f-+Q!J z14KiD`689|`%4Z<1OV;P4C?*M!y9ljX^PUndIblgEe4G0$ulAlKdu!3s(xw7q})DS zNM`8$_MYdS?aCm}4O)gUfNUa~4*@`*6!ulYtJ#c%QP`!K#N4sVTmVsEsXqvSv_SoH zbD1;M2tmgIrD=$j@8#$q@%%TeZY5=OWFZUI5!upCxXFUx+h{b_H>3np7PIXk-6F{6 zMkAFDuSbw4@NPzPOab7767KMhN}B>|+itOGaB6(Ney~#1bw5q+Q{hXEzh8j2j2o~t zMF2{Y2>VZ`6^c({1OSR$s$!V>yl)Y2um?g~hU1qUVK*V8|4nxl1^S17hG}IXnWUIv z@iHp?$AcHfhGu6FAd8I|Y7hhNl#3E#gPB?vb_zS@D%U5y%-#UqWp{-&@czVR8|5Bn^H$tpmqX2K+&2O2Qo=Vpz7s- zO^lUEyzdTSMu9*%|9Nq3%h!4uyg9SxH_+!|=!)RR^3Texlr;nJu9%|rt}a}uP&WuS zBMO3IL^83^pYw4_>hCl6pRcKZ_4oG?pe8DjmFmqEnkt8NPIw3xO9=0_*KRc88;$gc zJ8-d&yi!qU$?rIWoUuZF5wI|~z<%qkU9UJgT{m2^iBLRZTV*gpVh(tNQ7c?#vEp=-1a;~@m6V92$c0#HS}L8J~Ed2L|e z5hlsUi%dhiK?XmIS}wUq=+j5VSCnk*cI^q`F} zDaI=S5cTnFLMA`}o+${4x(2hozz%#&!4xV$q!-wF7(f*N{stfNb2C7K^!%cGyj*Iy};OiqF zBtSXTy8nhB{jb_enG)TiW+zGj(tVI;_OZzpJP`D-CSUJxfdh#Wi8cVX8YyUTh>?1i zo2U`e0GvTV2!$e_XT)vSbU818n)JQ#tkWw^s7|AbCYY_uz9!7x40f!_*Ul zHPX{9=|yU(&(2?6fh&&a4@T*)Mj)~z7mz6-<~1AS*4;uvn3tCte6WK6t*4E!ASFk^ zhg;mDj=gKHktGZH~_9e64Di_G$>-c z^e_C`b4-W6<#7G98-?-u^q+r_|NZa#qU$9nwXY#Uo0l-6@}?6lz`$dyya=^>;%ri* zoWK-D0h~;%X%2o{_;N;8F*nVJaZ+L+sMHY-u=9~xVWp5+G!5vfJ)>FSzQE`CNr5lqM<9cy7>MTubkpt~al+YWJwDdleYF?AJdC4x{^uW3Un{bv%Q(OM8+S-2wc7+-P$XKjK~A#s|HIfN^%1+=;n zRrag*A<<0&{ug+eM+h?-2#V34rKuNzw$H${y z_wkDHZWr9uz;ol6@JX@d6;SKEr456xj2A6Djy^sIR4)znqGVlDES{H2_OA`v*j5dO z!mCD?^r6Ht02>f3Lnpmj5c#3p=Ue=%4t;#{W}OaaC+i+HnA=lryFBMv5y!BgiUhyZ(9FdjZO!A(CUwbLk;uGqwujVw9ss#CkamXnArV6(xy4Mq>oS z8XBQ~BFk=m7v&XC~D4nDcTd zeYt=uTYkXo2KQi0`9>(i^FB#a+uFT{{BYcDwJ}Gr@q(Ny-rWJ}x&J^soR2L#pTr`1|WVOVcBJ;RE9u>}TIcL9i54 zVxoyDjO5+{6%b^=?u~C;O(FD?0vT@&Gl2&O3q>sNp)Cj#P|k{>S8T5y z)nU564R?-5CzD(jP55KVCM1N^E@7x?dX(vYumiDiaM;c521*BHo`v8Z**CEbb7A_? zqB#o-2a`iXd`y}z;B9N~HGgFKW;Y>kTSIg85MKNTPesgQNf^r}@eL#KIta9KgG$+9 zfNUoHJqFWtax>^D=JSXO=Zm@kp}+!9qu7`j>j8qK*)*rY&MO~OP1E4fqnfQ<;G`c2t ztV^~xh~}}ihT`P--AQN}j~t5q8suP(Ff;USsM>|-CH~Wy8}`4IK)KbnDAI620oURF zdyukihm}qic06cIoKJ{2W|^4U6EfCoF6ZbRIowa9sfma1_25abD|MEOQ=*%;#h^G} z?2`~X?u2w@w&Zd2z@x6xGQe~nKXcQn;bjkW`;3sfMQ;_z`}UOJG(+xSmUGN6GDCM3 z`%DOFT^x#CT3%*yQO*If%)F)|X&d7#oRm;#+qvlJ2ld8wL<`Pmm7Qfc8(4-u2W5ku z#}Qg^2Sfd(4wZ}YgLEF~11uE35!|>2?=FX1y-<6T#M779JRyF{BdR|+<8Q9Npd;u} z(P2ij3g1<=xN7_T$F%&fx46e;6Zwq7(+d7uy~lFDQo>0a!xA$|W#M~i>lJT8$w>a7 z^6>ZhSySo)?Nzj`h|{K|uB^_C`iHXE*wja8MIm2EDSPBD7H3&U*#GFschaK5bc(p- zFkhbKO@#D0G-`|$3Ir8N%@5PD@c{-J>Q<%gBw7R-VmXp2`+#cFNR$)F{PJ7V- z2i>QAKvp6R7ubf?r@AaQKaH>FSuCAX1gTKCZi2*ow)ZaQ^sF(T>(UYGNXE}EcI$ZB z0vVML+cP67)7j^#_dtv!Fnn(=26ynj!@BVLYxO!DYwcd2A7>dxng+*(7d%pR(N`Ww z6flYnwyGA2a*63{y;{K&bILxX|1{}Z#aOPM{5)2lkYR2^n;_;%-W4>FM4KBRSq$X+ zx*vx!*j>|L2t{1c&Wq~F<^Ie)+iit^umF@~IhxSlyb#sn(7e%c1_9l4ZxttmPeT9V z4eqEV0dLS5c!OvddKr%Kyou_Yc;O!&J|&$NT)tSR+BdXWGKL|%jy7oP@PK+Fr}=G3 zQAmS!YqQir6ZM!cLG$~Y?a6+~H_fluD%kwKq+iSKtBo=7*7t;x{>6=)uI<@``@I$U z2MoDITeS)YILGL-%K|wy$)8ADgtuFSTSTrdZFuC|uY4r8x{+{$B>QcLRQkNN=Hw>Ma-4jw@b0y(2<Z$h7ud-wmFntqxBRRjb~mnvK#m+|xA){LZ+}^o;g$VVa9hpf`eFPmeYpzcQI$ zI?V45-iVi$g;tY+1d^0gyla@l4+vRjeg*}IpmP<8vABBimNxLT4VUUoy%fz=92O+c z3?8mtLeG$X9Ej`6de>JPz530wcb`}2AG&HA4s%noa?d@ncSLcG8o*PWdv0ux{nW=X zeC2bvhzASNU2JsB)zBz9y)_c-#_hY~h36r!Jqzz0ZT@O%D&}uY?+r%S%|WCwLZ_eJ zU#dQyCZ$<@LpNm5x^oF%M5;m&%VEx+E`s0HAah(Nob+l3i)X4sn4tMsY|A(8xAB%i zh&r#9BsW#-=SXXJ?|!z8%F-+R)+$tEP1-;Qq4jaAg=hN@N44cknIZ&p+Q(d)v#IuJ z7eX~TzQBxW{4wWPW*FK4#)@&m>GOU*Z2qHsVQlu2AC{lKYiFx-W%Oo?oNhK<3TvhP z4bXPcrZp0h#Ft!3;uOP{601H0)!j2!)Fyt$&?Jx(nG~K>`4V5A{fqFI{;lS;UbC%L-KNCYySvliwoy3TpXuGW$i*n8T=G~B>D$kxFGRL=QVjEYW$JOdqRr;5bcL&I1`F z`#vQ_UyPY}zxFF}74JkH?;E!gIE_uQ+Jk^K(C*bSH9hNx853#hKRM5d8TYZ(E3T9U`K0G#6!Z z!=^wOG8KqgDxHvH3WOZDVIYX>H{lOKxZOTganWKEFH&wj!~XFJ+NdPQ(D8R_Qk$|= zr;Ds^on1?JeJkVh<8;=iSJ(%ok_iIl9Wlg}7B%J~IJKm;K0{|*Rc`(aAsNahU6|SG zJ!2duHR;XgyToK&Sc2Cc%i8XK+Ta5~eH59Umpu%YK#;FWGLX=7n#rxbz`vCbC z4-lrj%=&ZgURImA3vA-jm^HAxs@pBYIQ|P{IIlV#T}_Tt8DDhaUge6XkZ6oS@|9AE ziZnTkVacny^^?@+wy-0Hz5^m(txc|RflAC|qKrkKNfcAOgG4ZVbu$ggqU4^nKuR6C!c-t_chx1c13=Bi6qdJpPG+$6p!!E2Ji6Hk%<&j1Oi^Qy6WBubw7z#`3WUZH%%-9qBhKhj7tM^BU z8r$<7XaZ6kGsmq(DIdE+$(TDb(08&sjGMcF*nNQ*H;PLsc@ZcbGkp+6U+az_LYgn9FY3P~ zhqGr3)g!?ek0cGYfJc^Dyb-jBbdW?hY zJS_5F5^0%OB^%I5O`ZhPVQdf|@Ax*8X+8&*#8{uW@Z`p3*yJsQ~U%kpOE4Da&HQ#91vwl%ZX|}?f1|R^9MD;lkQCi zwgFpoRt9X$LZDcQgGn|ieBNi{$4#k4@#j z&Y|EVTUbF1hp()&#x=-WTPgiiqq)I>@2D@WTF=Ui_B^~o^1?GH?yXT8> zk1Fg_Lf_OX{4&u$C1RE}X|f3;J>PAP3#FxEH!-}sHx8IX3VrOiVl(aiG~Ny>ewEBs z0)Fi3Yhk=fst)sO+cDSzvYzai3!&s=O4zbgN5AU)3p%`^8Kz>#H2fMT6Pllu;w%4I zn#0K?Jvl;!VwZy5WSz?k1_+<(IPSzH6n@*e^wA3>Z`jU9sT7AM`^m1?_opH{w_}4ciS}Bmo;`f z{E(7nM^N=wLmQ{{#2m*hYy+yL25s!cqtte~(8M0pX#{cT?M~{IH=BDqDao=xW$y`s zIFwNK(Zl{A+UgK~t3pX@M$TVQqFSz6y-cVb=kdMjYt>+^irCHiq+aHHr;E{UfZQdv zT2^dkG)cZdc=c4*R^zUVOY^s8-WNysbFoHwSAu z>GAXuJw$HYljT^XbZI`xu`Rs%l7@)Vp>Y1Sg1P7C)X|LMFDeW!4C$#a3+S^lN$Ult z17DN=*lX6Hx2*g0QPkWxU!Cg**%XG(ibHrXN2G5ob_e#YZq1mC1(sNMqlK6I35oNb z%&yEN&)>ErB%1l%W#~OYU1d#jPd&&_o2lQih!WtK0LxeM-LBC!$v}R=_8J(3%lh=1 z2SS^A}H_xCJy z_z9W?kq-7H`O=!*;Gt{oLezn7&B?NF;l1Y3ie~f{r@ZFCx);mulKoa{wmKD>X(bdm z_5`t$1OK2#P1YtPBy?qeQ{=bW5@lpKckA%SIg`@*>~gMcG$9jeePE}{kgoYG!Nr?# z-|@cBU|7`h5DMX({GztB_Mc%)VLiF)6BEdQ#gt2GVx3}8dC5yz{evH|!etJ%IL6QS z_-{40x-^1JaeXF$Lb1C*Mz= zV)eMDZa`dFT}4E(r02cWTz}|!fi!M5zo1GpYa+=FTg6!(-dr?>J(dQj4PzoQ?S?Cu z8j2a5Rk$=l_XV5XN`tTPo6TCmpL1aEm&Ur>hRRMqo4WXFUYk8@^60R-MQwKr?nTeU z)$`<*Y>^cNil|4v8Vpdxx<(0gm#-R0w=F0PD{SuE3ZLRhv15MejJj7YGf3k~Rrc79 zVm0`^%z{|$sZl|!v$R~|JyFi8pSriGa)tLin|PE)lp7{Bl2%_wkX+deb(6#tZWY{C z53){TBf&maX(`Q*WyLUg{f&e=Lj0v2t^c4kI=hxmC=a+%GIBG@RSJwoH*$FH#6dg6 zrn_>6Ka(-ZyXV?yi}Q)uMwGqkilBLB?POu)$0bG2ZpG>^pCZWAzkID&@MORc2zS~4 zcv()91IUqI7E)>t2Qw>vQtv&$wcHl``}tLO{^s63=c(_n`x`$ZLU8xNT|U=oU6d6w zu?d(azP1zI{w}>V*e$Sp@{XhTp_ChY&X@;l%GWCBuC=_q29@^d3+WnY&=+YF5!i>o_FV2kh8-He@J8bk*%|O5!h!XFy5Z z4kB*SPa3}bWGLU}a3m5L?Y1$nluUxZgItx5bp^jf?iW3C9-SMkl|tf3gM`PM9dQ{X z$JrFt$$0=l4WEQRuEu`B#Qh7*C_=<+o{_c@I%=8#>`tHr*=qkX7n`-bF0*cL=k5n< z!H_Xm*q8KeJ{c>^`vs+C$uB*ars0;W<6awY&aGClC!$+KD2X|0pwrRMixi!wY*ON& z!VJGDjowpiJ4IL<-#Lq4TslypR-%E{Dz0BNSQf#Ul)V9J3FAsjJ@QAZ=^z9Gof!Ojj zR;4o{sP&5B%NX6f2SK&(3wmh5h*syhM6YGOj6PE?j;4Ch{!OpVlQ}b>oy(D>AU4#W z*vcP<*5+Z2o+Q3iBQQL6$<%^nWwGrp!bx=DyayYc+Yt2?Be4DCiy9JsD8tba^zn6Q znoLrV(O1AEl9>mKM@T2Y{8g56&{Z{gaFY`QV=!C#BdnVm*PD!6!X0FJo2#FwI+cyD z)?4(0E!|}I9<%a|#E>znOnX~{{jQ{cbwictQ5%UIE@>bJfook9GjU6m zh!p{IQw(i0`JSJEN-!W>g2=3LaVlWM_}|g)>kQvAL;}!v^=D zxkQ5cx&LT+87)|fvirgzejYpc?X7kkH*Y0WfD|XCY_vk&;{$by~(I0bt=P0>DdGElv##Y@w#tl#_D|Rdk@Ou<_W0}o3 z!sOZA%Cz}4N93V@`HzSG4UPs^`3yw|9+T+ADy$ETpc(mI>+Q-$&_Plfl+U=PU424) zLmXSzPNX=OvH%W!#?|o>b0r1_wng$MKuc6Y**3k@%wF=2mpQZovljw=E?Yrol)y=4eeCC2nIo zo7qJF+mgMq3|M1!uz$7no9ds6o0ZQ;Sy40HjLiNbV4$1q*ZO%!b!l3s$hFbzew7C- z4!oz{@7bHiu|8-2}AYC%C9} zR;|pDchIw-l4a5l%Rka|rUEa4THhS(J%v!w7)fhk_|?jOIaZ`BwFBa(7D*C1GY!HC zs-#f2pA$3QruD+TLoX7`(LEfo8*5-aN5_`JHkVZBaKWY@P3c#Qjv?oR3e-Z-1Vt{I z+N@RcJ<;*NRg%>+`efSu3IIQ zdsg$C*UVGs@uqVafP%R?C7GD6`IDs(4=Oy2Em8FH?n1YCBVwh_?U_u5ePzyKb&F`` zK5Yr~K-8f;Jio?7j;<6Yn5v z;Xbu~b2FKhK!SRxi$oF{+m$isCq}Fy0Np?``4T;JoX|jH(O>h}R6 zW&2Fn(t{%$o`=8Aw{GxeetlUqbW4K3O6Y9YG655BPA90M=q%EFAtMv7WD4Xo(-5e6JyoiqMY4AE z`DWYP4np@Tvykof8CC$kY(2iYAz>} zwQj&l9|*pyp{HOWS2?5i1sVn|l{MF~7a&tGcW);1yhcp6XkXMwP_Q3W;1DWJy(((~ ztVQ{FC0bxDddzw$+4$R6OIFpBHLj8{tO|{x5SA7C@UPgGXHc$RQIryyjlPAd$gF~{ zz&reHfIJlDDktis8=)lW*5|T8F?3~w_^8sa_{!{=w?8Y9JI2n8^3!@qTV&=?4q2)m zMMB^M*Cu<_aHu7XZAD5w7VVs^0>Amn{a4E;o=LG!q6Dsv?#QtZqV8v_hzRnwe|?l0 zJg0&M&k{1b)!Blwsy*AtM2)G7RuTaHvzWTTJU6FL6?(k zMzTWDIUCG9WfoqYcb?Yz>Xbgw5UR6nsAg2WTnUO1=Z&vxggmX?t4J24fL(&?qUxf9 zEKhOfS$K7*+XOS_^rtSi=oUet^s{_wbDg4-D68(Wq4kOno(#_X{`v`(!fZC9=kNgS zj}v8fIn0lL9%EqrEi=FR`K0=+i&?=zzLdi1Sd~+sY{qNy1#8k`#L96wUyWMMYu-)V z8E1U96`6Nfp)&h5DR0S6w7{6MbH~nko?p<^ z8$rED9+P&Q5$XtqU>G706unfS{C%K5RiA)Hh>K71(w{v)SSW(8+pZ|m@8g#`km(NU zdD$>~o!Xy5;3kbP4~DOO2^p@=miA{0L-%S_R7S=RF-1xX_H$uXaUD^U`N!-x;~Imp zI~J&~5WZ2;Q?axT4#+w*{KfO@iiB^Bay9o;YL|_$M{c!r&Bd)m4?}Z0-dp9fL%@_f z^C;}N4Js(OwXYP?WY~hWPj2Fo^9dNwZDU62e7u?x3!2E^1QKe{2G&_bHIzlGC3v?B zc0lyIMUbdmc7I)&U4X1QQAF;!d zI{uYTTGjT@nRANW#24Dtvdadvzg&Ne>9G#aSdW*D9DRMDsWGjwtes7Hs%zyC_d$b+p3&oIj6VKhsqI=#< z3-4BR38e}81zo{x(J{U18Iy34k2zeRH+{i`6c4mJ!eKhbz z|7^|9kHkE|Aw=c9Pw{mWCk^L!pm}_nT4D=6aaKg;+d3LP6M)0Rr})0%ZUMf;v$L>qiKoBBBO-5a;Cmn5~t3ouIw9)QNq&eGj8H`P8QQHHay?C|p3x5yIeW zKMo6a+%FZ8pqLl2{ZSlcUUDl~-(xPeW*N_vaEPGJ!<3wvNHMAp&-F*A8*3vdx>g=# z*cQxI-EHtUcsyRj#8KdX2_qCF!{%uSY;qb{Wj*U5r$7ZWX)+jrSi@j$KJ(jb0Zk95 z!_smoGPRE)zqHYancd=3qZ)E5XyjO1eu8r>uVW}vT?@Ly(%PUrOid(;D8X^Jt-J?n z3^jv~v|e}I6IYAGBBkuzBXLVx*@mbELsdmF-=Yun(KD<`lE!q?o3CzhuqCd4nDxBX zQ~rH5w&G#V^_HAEPR)G8*&r~ejv0tjpDZ0%qdUfQX#JrAWEanlzGsQ2_au_pS%_A%k>EIjgn?;5YZNN5h{a%6M6 z>f%7%zrKM)xvET5_!QGl`h@OD5U`dR%!Go zLZvTjBns-}m`i%-IFV-S@+yE2nDrz;r6+!Zp^5pr=5)IwNd{-x0pM`d1OCy5*~D7?BAi>F4~ZKXXZcD(3YQs8owHt_ZX`Pf%@vAm#!quTDEJW5qI5tKPZIKD3t$8Zy!N0g$_`oznZ0ys#lTNS_1%6Aqie z61t_n=Mu|@fIRxU<<*Kgfhcx7^I+c;Of~Kh-%j52Nk6vw$<_3Cw?I67u!e!`E{ zantnrzAJ`sQCDFrBiVBXulWU7G5BcE?_^3Gj0>#r#G-}rQ~_(RY`t^LmNQeTZB$aC zCAQLPNLh?mvr1trFqKu&>3bLOAe_w`Tu(gCKq`*iT|!9}W7N$fTdgJQiE1tVNhFkK zpPH+7G*-XcVep<1!w_}psW$l+Sy!*=U8-4IPOB_(mO%TB&>C zg@`z`=zZlZEgB0rG5}5I%Yo1)o@=kKMb+pjh$t&DhPFt%`f~c)Zvqfg&q^e1ci!UNTr9PnxbgW#8DpiDrp3v#ErpSnH$VT(nKP=F2#M#?NF;*erg%|E>SNyhPR|SIW<5R|1Mll8K$_RrK)y{Csr`hT1R~y!lozaDv1;4BZa!>26T&1t^;&yv`24jsI+AmN?va zctWVNBIfwLupRxIuM`iz`1&*v$Vke+2j3R;NM(#uIOdy6ndb(Xx~B8piJx*`=-3#F zo7}J(SHSD#xKeAr!RCz{wnB<{+}u?I>|BDB9HuS)I!wzl<2q;LCW;$duoqHEbGFQ+kU zTP@A_2NjU{(@qR)?k&fWuk{1;Y&;+i!`FMR9*XO+I_Da z&d3geOw6C@loL|fXdB*;oNP8ov!b7{3@E3#TzyfkLdDQ)`40r(OPF2ZoU6`Jc_~ht z@A3`wrz>jnMI~jecg1QrD%L6kS0a9Y`DA(Eb~3@(?Nntwa%~}7HQ)C+KTW_%6`!P# zS>e>)?q>&KHVDq}IP@JzyGyVUGy;`nC^#r2$4H07ZVT~+uuL7)Qag4)< zC8DAxb^2HQoTAv;6^LHu)>lv1EP(;x;ps1aU>-Gn0XcZc*j)X=2m)f8vffIlgxKHP1Vz>ZSvFM$hu@snO}EzM8v3570aIDp7!d)BoM>uQM~GpS{Uh|lf>D-BTBhXtK7ag z_2tW7yvWvAi2jbb6S0=)UUX?4*%XzgL}Sa?V`erlHrgQ+%ZlkxPMMNBBUS#Ya``Rf zp$gh6gq_Y8H8C&F8?CB2uh$;v{RcCWimE?nP`Vk^u6>XaKl!S0?BjE7XEfW3&A9$3{xkg_T{TH|qS(8QP-crE?h`vfdnAwz1X}AzE86=1smxzd+po9^H|Dy0}pzsOVu}W zJSVn`W^{-2Zl-o+Cc0`HxN2D~Z_N1-(bgT5hjTF0_x)6hnHx=4Vuu-;(yp=qe8r*F{Iiz6ox#&DGOCdw>m5pM;=Yr9zh`dz^fjU%igajdC+#=9%&Yg72>q z_z`&u((j&n5uh<8@UFshTis&^GUT1Jdf&g+iyEOAzRI72{kJFh5z>p$dp!T#3Nc3- ztR4Gd*7#vD+7Q!6nTm9VoWcokB^iMX-|$=enwaD5oR;>X@IPH?Sb}8+>F= zC8oU&_9!Eunh8$FwEOEWsW43F*f*dRov@%X28458cL2icv-z;19T*!56pz8g70-?K zE+oK&TM+7f59SW97pL74#Mk&K>UZ@qUL|BJXG4S2qsn4LB2T?^S|R2UT;B$mmO}fpG$(01WGgSK1s;k}%M` z$A&YLM}JjS$4r@F=T%QeE?ZAQLFe5?F!s4MX(w7_b*vK@ikFo`@=VU@%0z`; zY241i49x*STIx5>LKBG)TrlF?pBO8-m9+p)Nug6vJ3HUnyo+YEPzBa&4bfUo)F@l9 z8^{^@VY1x>@#SQ<_wZSvPB=Fgf-#(B`RNS6zGKC%2E`zUpbCfLCICKiAv8x|Z@&_F z4?m^va)JHqy>`>o2|39$s|ucQW_naxE}!$9fZ$6)x)`!m2FMbs^ov$(e=nZHDfk>} z(wlp(S5>4St06~n4Cm=^5E_(vnIImY{v;<=s|s zWp7TfxgHc5%B&3Sp&{o*<9upqWe!+VEoFk+qtq7TT3~$163p+zvHZ&zuNWGPCVgpgWC;Puj5f) z=R0krmG_HhH=Af0)ktjIw0WFpojMxf`|Cz5P7mc^b(R0Cd%f9QS~LjFxbF3?ed-t- zodxE%#Qva7ynv;S>Ob0?JBOs>CN8ILNO?n~Ha6xCt>|V)FM@55MghK(O0k<*D}ng@C5C-7~{NNG#thwxJka;cnj*GkL5eRZ~i_~Dp*&j zr>u?v3*G zzCSU}po|t;i8y&i@)wbExWOIX7Nmr7_22lF1N@)H>ebz&Vvjd`il%TME(seU(lhJ> zN*k#o!WL!pOq1bu36Y`;ja16^s_3-#*ANxM0@hpOAyrISsc#otS}h5NAE+c=SI_a% zUah)y(HJ^5a#$v-WuYdez*4lIr$hVz#u5uETlmYes9jC z_gP>0mJWNMI%7d9MEeU~Hy62B~hnOvJ!jf#l}_x-U~OgZXi>Jw)cvcgR`}K&L1T91D)e zwO~GDwkqegARv9q*TWuogg0|Fh!~Qqmr5^gf&OiSom09`7E2m!LM=AVw|V#(|6@&6 z6o&Cjn@_LBNJh!1WI=J|N&d)-eSX#Y*XMNE3jqTFxeONY8)N9X9XD6NCGR_|Hkdre{Z9Gq1FEmmRc zVdW^EZixdOV?CKE{{V(#%$OJaZieG`7#gdZgpSw@Mmu^~o*?+z zXPRc7h)sLi2h~dF%;T%b6qrnmYY0A>WaPy*j;iJxiXa@yYlI@r;$dCr_6&xb;)XU6 zd+#M9bFLd|vfW7LT}0o=g4CY0^|_Iv_4+C)&G7nB5}%JcigGe1{OCVT_-e|H=s>Ce z!2{P0EI?@ww06+)RQk&A?d3mFzea%3g4X#-B>3(-gtCN%sG!qgN;r*`!G&Rn9JAWeB%qFm%9 z)<(4QWVUW~S$Q@tgwmRc?k~~q%Zsb5$sdp1=U<^8D09SVJ-F!|SQJrPiFtgca+l8Z z?#}!HD3W>?2ng8h0&8tI;b%Allil8vq!)JhTCBq@4^Ic1wz&JdDSj=wxlZ->FS&-Z zxUWMO^U2J`B~~F`)A5(Zq*THJ_a&IKMTR- zw2}zp->`bocqpoy@zgih(eBHct9e~V9BmTR+;qxmdi^_Qj4u@H)e3=}Nd?zCp-Hof zNo$XhQMDx1v`_kZ8LcJ3<)I5fl|ssg`t618#Q26o;uxVe2FvtlCxbebig)L^+a8TBuD^R}PI1IV(|#!!}n!bI6u`IzrF%ub(~uHiJfQ@r^=zYo5V zlkY3^mR%#BRE5S|11l^_r^RWcvu{vJWY0Yxsrr{D*Syri#ueLf>mpJK{x&fhQIlS; zul_1r{r2_ma{deT*FmN#0O3)NMfXy~&8bw~#az#~O)l!|WN)r^mXlhsnBUpnNh1j%}x|U>7|ox=8C0b{tJxx-%ROWD%^D_ z*_#H($*XpfZpkZT0**OpoW<(suJd@^s>)NbUzakY?oz7RFuN)ByqT#oSG5$Pi7W;m zu!RYeQbz}>gOs3g0g%LC`cHcoL! zMR|##SW@WL8Kscf*i^xc-%vcpwb&*wv z&IFZTzYj*L;tJTp4|Gr*Tqk6K11Ad&fU# zujVq%Vgz4Txji3oa4mt5*p%fno$$uK-qu11DgU=Y1lks3+plA6KXw%JIz1sZrNUzJEzpPrJ+EKei6 za61+EgPsA>m9hKOE*lW;^dj;fSGjzy{cs$?XP3*L%T|K;z1Wi!y%7#r`s+ zqd%`1dP7tZ%dBFf-ozYFa{g=x18U=}JY&++b&ye51~pu4;GY;iXm=gkf@XDiYp*bU zC4XV9cxF;&_+k%kl0K&T5{e_o14=tG49)61hyEpxucgN0eRv2ebM6TrzSQ9X5Y1m? zybU-f_~nTCHTWIiJzpSlcePZ939(pmL&tJ&1XXwhq|5}Je8S{dvBOaCJa>?|V-p*6 zmJ{r5Oig)(q#RyVvUJ??f;tnfv(kcWp3ChlKxGYL@sV89xSTK2tR)&8|N!)n+TK0s0L>_7Uo0F zz`|sQZx5ey4{FN~a4%U=TdDu(TfbQ*_Q5r1Vnt^gXW6Tw{3pL@drVuYV2dtWfK0Ct z#cQw~t|<$T*3 zxNkzk8v19FOAZ>BtGV+JSabX8j+Z~RJs{bX3~f+SPQ^8Z~ONKAq8$TXicM*Afj3UTLy9FRP9& z{tnJPNw6Cy3{3^hGkgu)lx(>?q?NVppvzBS_&PY*?M^xsxQW#+axFiS83hdy(-iCy zhaOLb4A5*DZ0ey0>sl8V0!8BNi#h%8*T+JjuNgBAo?O+Lx0Xn>b?chK>^T_0{#2l6 z8!eF~$sw6U;Jwo#{Hkz+Kza4+PLLN_b9V2IPgTtxN$TSjL+Q)p<>D>>V7dHn@82wH z)F(eN->M3kHiwc;64bze?;Y#uSdE91{{)s85bO=2tm=NBdtH=%V!CrtI|WhU1(;}%^1o0u+Ag_xNPKSLSvZKR`QI&x!n zm7gENz^V4+7~DUhQ1g1;oSeqc!Hl`pmQ0K1Dw`y1m*jSnDLRtwjl<0W2GpGIhke3W zg?r>y`51u(MOZGsYpe}tdg?D!kCWzF=17HMa1M$I28}6X@$oZ99ouj2t zDx0V73pAv7*4a=GEGsuQi|L6APIQV_(&eM1G74h9Gr#ukb{B3uM#1K$WZs;_K_g(} zikUh6AnyNr&K*Qxp@?rp!v0l+DrQTgifrS20F3zuXh zR$+kOe6j=+vK9WKF-^LO0iRkT*B-Eqy2mxNurEd_KMXb!tt&zpz}kGu!_VyNt_>eD z-nYEh+*JGZ@Oi)7mLxjbt(s@jL|5hf^)tHW-nSfxvpJ-#Bf^&!o*K33$1KA??Z7+6 zGqxcQKYE>YFVU9f13EUr)Gsr&SW`xPEi;cA=PwMLjolZW6d3#y^n0=hszUzaD|LaU zAk5bsfk!ZJQonj}6&q(x6oz;q^=)Y7C~{I9=I2NNhDD&ueh$hrU|$OweoNWXRn^nj++S-LWi z9fpB|bS^Oo>#sjQjtS_hM?b&j!fz;D2h2sGC&KQqvtFP2;%9K0ehDmGRJeU_|fO;x-c%hEO|6bl7=sT1A$y$DKXZ& z63ynHKBVyCVdT45G=GGvJit%9;!I7<79{m*C4x%8EPZsU=sYF$9+O+V4Zk0Yt zXfdM+FXqP*qkOZ5ucV*|Ylc@-C=dVoy8pHW|N9T9GAoO{{`MSvu;~vk2>bh%6shG-BrO+CXO09J2(Z;1H^3*bM8<5C_(SxidK z-(oalw+p%uLL-P4YjF#m%#cd7C!8IgAdXk{2p1}pjI#z_;yJ9sG)=^`ERhR1%Na!k z&+7d2$mmyNFp9Agum+n!a>+GXZpWJwFLP}uD|Rye)5EjMhdJ5@CEp+Kz*$I>$qJnA z;?XXmSYLvBx_3O*PC9lrrxTH}%&>fi4KFCjCb=5My_f4?lr7k1 z1YNf1P4-{xO}S-3i~N(N-!lM4`!p~C3AoeYd`*RpD8)g?|6Uvq0;zLAqw+H)eWw5a$@|m-Sr+djVeSkjJ~(U;xu;IAyvg?F5#-#e{9y1qHLSR| z)Mj!mgDc4tgYYk!C(0`gu?@uIGFti$?{C&k7Cowc&H^AguO##3#Um-~2De^$cOs_^ zXdT($8{k=x#fF2lTm(p5cOZqr*c>|WsW32X%7jx1$a(`l&VNa0#Dv5F=x$*E6`)cW z^v5znl`1lW=tDvf$6Yr{lLXD106aMVe8vCn7l#b~qrXeOKh(wid3PVcTsW(dSp6^? z-)h9+jj`ET87j~(bNR$W7TDX45Inmi{yV{wIg?S9*crkR;%^ISNJfEv?(sOl8%A95 z!G9=482YR{bRck@%q3 z2iq#nNJIoe5|^3cYz1Y)<}m!bISm3%jvANNXMl6uWoZXT3=D&WIb9ZH=-5V2^ zl27VqREyFDl#+kc&dM5?Fp^?b{)X1h2G&cV_u628Y@(ZUhc{$1Ld~_%GKM$k)fG2n zEqMwHLDxq&wRkFiqA1CKgmXIN%bHXbtYYL~!!DT$-?wWal8V|4Dj1v3BrendO0IxI z&}S=6oE}18LH~4EZ;^ikRo3jkT+;vbALL(ut$qtdu&9age=Uu^GTFnbJ{0_IFJSw5 zRdKghL{rx#mMHRd9|GTNB8Y@n{!jS2lRlBbJOG}9YN(qV*ixBAs38kb< zS`ZK^=>{bP1Sts-Bn2d;Q97hUP*RXi>6V87J>U22ea?5jeZJ!!|1liza5xq(Ypprw z^W4vUU)S#v=AhaGU}pz%kNoLg`cgW@IlqdvrIUA03!oK=^$($Ye77}>`W`H04n1^q z2uHmc#F$MmN@3XWbAxG~#G{2PrS@}>sN>lG9N}d^s)fN*in~oxrxTvrq5CjguDLd= zat7Ert{WO|n7980ymL;ah`bEhN8a*SzIg&-J=mlDvh=G8F(Qz}4Tv>X{|@WmcW@6p zB>cvQgxnT^=D_tNE5eLxvGRyn_b!p`5q$ib%~UuE(Nw{ey`xnO*LK z60l|y%|Qm7q8*f$BMzU&T)X_phuE(evcimQx2Ex@ygSH&bSBF4!1s)tCQbQ>D)t}PkLj;6 zHLXJ{eoygEL)A@!H8Wc5b=}|QY(shup(PLVw2CBzVV|j;PO&P1ER>_;&D9lnTy_s| z+)|Vf1^RgVZRT!JsL*fdEo_a4_8EOMGu(I-RLCgJW=~3l z=zPHMU*9GFI)%fc)#vwUn6{rADjMjYl5#-S$4$a#O^9Uv-bAfeGwh@x?6DY`ODiyn zK`7rlzO?5Kp|g*BK6wH-tTc=eWr@9eP0%r`NHU!!e+7b5vt40s4WJYWb}_!c0i2ca zNc#B_KHsPVX@ArH=1emjIo6qe{kn7=1q9ABeLVnHjz5ia*UJ7Ufs;NuWoe+s!v*A! zHg+KV#$CaqG=Y%IUu8=E#$>(FT?hgz_FcCi1>WJNSA7sK%mJA^98bPo-vl+0N#plG z;4WYA+2Ci$u1rI&>U~y7mO))XpRe?}D65q$0Gh&P7y-X$v>Txv{S5EWL*nMkb66?x z)+S!PTEG)36NM>cZRxKlh$MgAiX*4aj__8?p&wjgm#W3%zVjx4``iBQs4) zB8aL`X6^YG=c_hbsA?7#LGZfq;?`=%3W)U{fp2(xt<)|CvjKlqGD)ue-W-1I4<@pI zk~o2yYKo++xOE|dKg!h>wz_}dIQh_x1+NRg{2Rwv{5OsheZ-(@Z#Jsta`K{9%h4%Hj7>7teYM{3Eu(^EbVJ?yQ)hen(Kz;V8~hf8n-^5Ukt)7{%Pgy^RFW5`5#W4=Dod8EDb zTCfm%`5uzerS?`&so>|pap3QTD$U;Q`;7)&Jj{bNu58f)P)1d6;>}!`S34gnkv+&; z&Zu>J4-WH~Oe3H?FB%`|SIn)V-48BP6~*2o-sT_2M~doB^#4lYocW(goHOa2liFXZ zUWhygUY{eV2Hk{Cfr?huTknHmy`C@%wQ>=ol{KU9BU17vjcLK@mp6r{JZ4Ma_6^S0 zuL@RE5*g6CDeg^aOiEf%07agUo%*$j4N)8;ix)U?@P)VQZqHDYFPk5EVJu!Z33W4n zXZ>k2>EV&+h?_B6>&QKdJlaC+Fx3lRO--Rm_^SAGd}APKKCOLiGG@(Y`=FQd zaz~N!c)iE7-gi~MdR|PE?$n^IV{4g>AP~!)@gjQ_siJM=r$bypwJD??>eVSMgV={c z(NRVwn=$ zd7$0)5RXcFzCbzxkNfpOPI3CV2U2)B%k5syOrB3>0|nd1PPkNM+BY7!Ej`GViF%F4 zSt}e9NJ<*iCE3$siqpw2h39UXo??=>^{oXoJhY0Ry7{-FvC^(GU7Qag8&bm~dYtZE z_!_u($LYkHQfvH_Z_CvC*|&i1w-qVm=MI=m@YQbn%w>7gEr$vFEk(XM!(~iJ$su!( z5i+Ejo1&?g!6IwClV!zZ`1b3yy{53h1yufPUlTwq(Ouy)x7bVl3f^LOrQ9Whx;hCiyq7eIruc0ayN}i!qHf5s zh5v}~ITL%*YxF3UValnjWc`Ig&WrPuIMZD=DhD@?VFTn{TCh(C+4P*D-oP>oR(o}Y z_8xxm{RU$pp=4b=Vyc5>HxVe{YWFMLWg0xpPMwoagbN-c>1oWZcOm)VSkM4)nl3KYtic^bqGC#D@L)BVK0Ym`GJ3r zYEPDV0*m+7FVUq_)gl&lFD-BN+IGX5?1jrFt%q880{<4qi$C&iqfD#2n?|(7i$Ej*+eHiBJts%& z{RStqiZj?IF#58O9zWdFlcCo%d)7hHNbV>eZOht&RJLL}tw=J~q>WtP6` zr*>{7%2+Scw5gpXh+p-hl;HzUri6K+)a$IzOK;}YO{LSUsET^-ZxmXE6g~&B<|8;} zkfqNUq31{4Lj+umDM9+C7#!z~mLEpz9qYllN3v70W7_H-Me|lw zD*W2`4qTxZp+leP;;TW5FMPy5)gW4Si&?*SN-NfICD@p~yCuDx@sV}{Z;bmbKSA*N z&9Jk5=KswUFP_;rMcT)HGsg0ZuW?{S(gK7GG|7eAa398FGm10Xb;##^q4<+|*WW_| za?qSU4HuTJXDlZK^>bkxb-W1eYI_tTzT1006`l%*S~4@(?ztgRLT-}k-~uJLOj{zU z|0t7QHQaI2&~{>vl*sagqx~gV7&woeaGn*u$?W`PAhCAJ0s>`bs(lP(zo0Wst1L>g-^c5KdYfX|H$v-(^*`0 z8lo{GUj=dORXnbXU$BLKrs!47f|yWL!x*{+m&W%3O~xh`5TGG#5lE^-S4d7>2$6!mIbX z5`~7;2=G)nzc}Otjv<@^Xe@=0vWmZR@>?LZhTvfd%ojgFq~-nl&=f|}H4D@;O-LVT zHv4>wgK4JP(^*RvZNrd;{j3&uY2AGsXNyp>Lo+M=)V zyo);%BMOPCek7W%LH+F>~;ye+=@ zB1V6Pm-O1)+V5d|_D@JfuKn4%;h5@iuz=a}F2v;(uI(gAhhV&AnQbQ+uZgI7Pi2>r zBe`z#%M4^J8}lz9(g{B=)bZXWRFw$y?xw*f@v6yZ(;kebywl=ZWM0A#xBHatxGi52 zsu8B`%;m$x++;QM#8=xY?Zc@U;L`o2!-P8HJ{izKfeuw!-+Ic$Z7ba6_J(jnm>qVo zX|SoX=tiqoR8=&UO5v4;5$=Z=4bNlI58y;}3+zes-~Iwre*6*o?*l4b;MPoVyIz=+ z7n4A!^o^v4;ZS(IpzyS)l~wqT7L|2j1NOK_25_KHE1{cuZxCCKNXya+Lfp}3v=EUO z#GLsHCwA_Q`#9l|iuqxF#QDDfm6eA1{7~o--1!SpDNk&y1yC>7!Cf;F0=t3@R+nGj z8me%R+@YdptYqEh&nD`H8I`O#f^mN}? zvI5`XDMZ9ZWf5=xX@}HjNw(gp>%Pu2`v=1z=~l*>C=*K*{X9nSTM4+&BJjKuP7e{}U*gfV|+p0VS&jA8)_T z93`JpeIi2jfz^CKf6nG1qx@ULep$Sq!zx?$_kEmhKHMFhX7-o;_kfaM459M5cO!IE zf7H^CRMWX73SF$$^ZV0~#80m!-oz;;3R1``<7|8#NFQ)f7x|{N;}KXS_`vv1NgGkm zr&GNg;n-WcZ(d7y`~xTnxRH+K9(NHV={r$!yv&v}!Df1R93FEp`y4rs?|>XEQfYL(9)0cJ1y8MEl@RLV0JSp7xwCmyE77# zTd|aro8Trp$M{h5my0S>&&#vtD~Y(H8hwYY4@x5Eqa|oniW3Hs#)@$+n`?=$Ilc(nuOZvS+)ss9iu^WqCp)d4t0ccFm8svTV`aHCCV9mi^Yxc zwdvzjQ*{rWkspGNgk2&9F}G@#`3GtB7~A-D#QWCRto5jLg=U)DduzKPylSSjRj;fl zqrl?wA@9PYF!xwT8~wOA8#l?{>-XOY#HSS~GPoVMP8e0Iw#kjWz3I4GkG0;XhcRo? zs6_)TpvZEMYMYhcT0{!pT5c#(ESb+3sp1UKG=ff6nx!-m;9Wv1)$M6R>9{CmC|wo793eNtx5Ws%MJMFE$$bTz2b z1X=BDkeni)6*I|Wh^>$q{d)2nx*Nk9YIXC#RH+T@#E?FQRvhfSZ;PHG#uatZMhm*$VVRH&o` z=j8wI{^|epFXfog?^vzmmy1%5$Mi3vOc(!j= z(en#?bvG@;eZXPTLlwvDZc4>IUeJq!3ZldOgLcjFu676sZ$PLMG zunFg%wW_RNS&hD_l2s9ieRxwc$t9Ig|J(D*1$?z_3fy1%G1Rq-^LQBs?>?``OW85q z6(!wUJ(#QwQNt@)IOq2nb?;s>XHn1jZ#xURYEjIj??i1``)iC_+B7!Fmh(PxWBq2= zd5Q08)9|*wR?$vQ!`;OxlWk;i?Bz^=OiY8V?7Dn{T;{8`Jw>(vHh)jE&h3bGZg$^k zYhwC2et|C`YO-=KL?vT^l@zarOP!(0J{V#p2`?2j79yK*mlPA!}V`91YRp_1P zgnO`u@I%fV5k|K=Z=INf65h^g7q?0XlSz_Q7uXVhy=vDlwA)FWP|D5SbePz5o@?n@ z=e==ThI!c^3;wS8v_pG|BF~CU>2)`U=2g1`*!Bn6(Y8K_*ff>xp{ZTHT4t84PCXi1 z>un=S-b_b0f-jS!6oTu&=GeeEG!EX~?8ithOdsQ6DCd?E5A!3s2}`ZiI*riOii$h7 z*Y<0byuW=`K^uwb_?8h-XEW(}8=CqH2KN~srYU@)y;eu~!_B*X-H%bv^e zW^Gq9QiTZGj>1#lCc1i0A+@%(JhCdh43gwlJXBa=0oj>%{0L=l|%V|tIjk-Bdx})^i3HUL zCR;x7^%pccRPu2G(=|?zwDQixwqHt0aYRuM2s6&AM%0T#1<6rlF-SUGZ-<6TGgjyA zW+C0Akl#6JI-jhVN+cKg1#YNUNN_=-*^9O~NzGzE&A00A3$8-BD7%lgS?r&vONT^- z7MpZSpQIL!&l5A>)7(llt~F7AIKippaiRjkr@XEU8Lv)Q7ZZ;p_dw%&l_Wkk5lx`) zf>vD_nT!xink(CuloUpc_MF@sgeX~DZ;|`)4JF*=D0*{Wcp()5RGAapL-ks5rge5uIgGpOFu7^S+m)hq&Wo2*vbb)b9?GOY#tK z2#tTI^whdHT{h>CrJ(wK>311s!h`R5;aj@2i|f|e-FNR&31mYtEL5?-Rx*LBICTwo zHRJx&o&rhX(~Kx{d3~Bc*J!=RZPK;4`?<4x7F0q+Wy2uPl5}&%CLIgBK)r;bMq=ch zV}6u#W513`70!3bb0M%r(&uuqg2kObjH_rn0m!s_tA&c!D(m-{%R{Vt9wa+q6&BDh zN-;CQ{o^RN?as<_8`WKv}xFOpv2=dc+UHp3+E7{=pLGztg;+ikx&nq;h_xJRtY zC)#fSt%%5%ZH_^Vs@(}tQ)fk@rk&QuMcA9Tr8v1Bcb$(`%J8{Ds+y{25eTr3e#JMY z)uiiIRG3Lqz&Ppa?qIqw$BoKAAbnvZA8qNqNgQ&~R0}%HrkXA0)eh4k>nZ$%SS#V8 zhp2(i;~G`JuvJw>{b&QZH5C;$!rLxMU!7``DHhfj9P_BsGohbwo4qf!yL)T9)T~0Q z(O$bw%N*rDVgwxsH7ct@pTx_-jjmcA{i>gQN|l_6cy>%?nQdGv^WNq?>XcJnTLYAvvv-&Hsk=XgtU3L>6x0ML+Zb>6Va|%>rAZBn zd8`I0wpX-0OVuNk^2Na^d!mXwBmZN~7)x?~pdgGF@fUq>fxsCm z-Arr}nUN041~;n~k1uF~5r6^s;VZygFuD0px?>6}VGrz!K47!eHK`YA?m zFj8fmQ>*7OXTz8sjC*4wt+Y33DItCYL+8CsB(Ow=%`uPv}G}br>}*>rb2c zUQq^vl>8nYhokI*Hs<)1m5U2SU-Dyn_({uWcfB`NAp_9QsJEzSVR}2=ICeou^!e$r za_sM#D|~w}TNAJ@60+CxZiu2zC$3TVjS6eJ%xatOe=f*s^_^X6ki)Ad`lhjPBf%B%)H2=jTawWhT)Y!)Jjtxs{&Itx6br;P!q^+k4_MCQ?|iitJP4U#PeJ>ozk``?3-idmSG(m$9_kdr0eD$ z#mM4VyI^~}(R&t(T0&kbpYN^=G+`?TWP%1=6%UF-;tQ6qKffkk*V5SuQmSPu%5%4? zKNUsqOinMev$4jp}ed7DUTjps18-7aBYO={O>t7u-PqA@z=5VcO> zR;#idwd=X{L|s?tPJ4;zP{GqpxtN$>J8DlFeUN>{QtISapdz+rI$~JVc302WV%d~W zVS^w3!SJwKc;nk?XryQ$gs;ywu0lH$JFYCT>|C)tU7vYpw{vO`mB7j54cEEh@`m5pE7cfob!RYdm>yodF@I*oarCl_3=ao9g>9?d9@E-=X6_QWQu=wgziWsMb08SH3!RI`Z1%UaC$ z;#f$UJ>J%546=8uJky_9~`An{F!>BIxJ8<=~sDnWYwOo3eWg_>t=~9=f;f2W>wjaw)fRDOB-qT91dqK zSX=z-a_f5*m*4J5dc|6hlT-Z4k6&1)euIweCRuXcCCXpn1g`$YF-;0Jh!RIO{PKsq z(J^#+S=z+ z2RuP4TR?nVa2@vzETZEq6ftZ0cd8-MuW7H;J6?C3sHl~?^zb-+i(OBi`XC&Y#w`r4 z9k;9lu(te~O$3Tq&hxWVMT6cZBxkwQVt6QOg?$QyRwg_)gc3hDa*k&AffS^4{)bg#+iSW4fcf174zG=yD*}#-Dv0e%2Y}`cOC!A z@*W{MTOITzmS8KwtL^kmGGXOL!a*$nBo1k~<~g9NaaQ?06C=F$zOlnjELnwb%|DLI z?1OtPs5hf+NX}as7~v#Kt5%JMHOhPd+)~FlDY}Et>-)qvh1#xxT_blagVt@zENx(qx-*i zJfnLfg;D!F2@YBc!*Ue-WGjbSeT~p|CzB`y6Gx^gjfJ`|fw?WFe}G)Y2lyzCv4Y9L z522B*3`aMO$E}Z0S0v1_uy37*JGzRC8b$F&5b5_?Y|XZ3o9_$DXW((Yl%a0`SPiG$ zGWhkHvUM$tubXiSFrl_k{sBdnOl?2tk`1G5v|7^{7!z&6_-zUUw4zd$?I`k z#GM>78Px5XhqIfUP_`8TU$3(c+T|^#v=2gK_RroFijM4saG!fA$ag@9AZoL6ULzO( z22QrOuUvEt^SNA?U`Qu7OsTdZ3j;-FqJ0Nbk%7$I=bSN7whQ5$NN!VFz4emhC%@5G z0x=$Kri3gz@PrpcQC7C`uqF>(&z^e7@qEI2N|YdXV-HsDEQl@0MiSsfK*%|M1R$dc z^#^)({*@p~*$!gJtz~vw(@wMvqMYIra=ltsCuDt-%u0^a@z=L+D;plk(bR_AZ|TIY z`~*M@wE*Vo#;prBTC%=94nq)<7nyFJ6IR``d6c;$n3&V`$7;oXF@WYdb^o~3cL5wY z6^S7s_wPl3QIEAapEaUNsKY*e?oNwW02{~`o#W^4AB--RqLZllP-RBEa1%(#NvNuM zWhT&d`{@O^#^u}0cZU&6t)mc#3$LGmUxNvy5_e9L5mgy2SpTj00)$w9j?!+;u)`zu zNZ%uWxBxtHeACWaiObBWG&q;z1*hrmz$^SVQd%i+m3087d8DYH?O)<@gP1=-AeR;avfC9 zwv~dbrG5P`FWr0;syAtUj#HP{2ox0-aKwDAa1FGOPB37*`{qF)I+Nd2LS$ZzY>$42 zoa|6x`b1)c+G@nCLBw*}*mzj%5)Z7}C z^zLNG@J#zc?J_zwCf|IT#AodVOBI(idB!U2#1mRlHl5#hFc|Pk)en#w!_PDhItF z9?d1Id-ABEbmOOliB9V7OAS{G(>|!552h4zzvt7MM7L+G{=B*Cc3=fy4PSsAEC<0F z@(jSLrDYV`4~4|-n85SV2-eW00^?TnjVRX-_KGc08*Xe3f&pU*Grm1p1#l{`Q;;zI zfjfKwkygUh8;2uSCQ-6on3_1<=mJam>=9EjC1_{diVn8x$1`g491dZ&1qk#obL*_mk5a+PV}>%c77hI<`EAYcIp_ zj(oqHEC65agFNo#fqZ>kYTJ4=gSlVIb2m)t{rstsU}vGl(9U&r8+s)M;m7rAA=HLi z-Zr&d-TXIW2oJ~%ynvwJsczsDOnRuR(IFSH-s^vvMbowB?f%FVO#nx&^(4Ba6VuU% zbrhvlZ09-^l})vs;ZASC!@By7dQq~`v*CQA;nP~9@MN~6f(kXMljpr!frupP;%|Jm z^6OioZv~w!vYu7iuzKnmpCm%QaNqCbvtu)DE6*wUVB9~|x?V@q;3Jvw)^nA;eNOpD z{hbd-JBuVgS7Do-i$01DNW{}b7aD+jv9H4}O_{U;)N_gQ0!pME&)?jE$TbUK^yEO8 zyy8zeS?(v_>f@O6v7(=v)T%MvKmxP*< z-aCK}4W}b@F@!zp0=ntl>IW-hRS;+`=L92BhSeKs?pxXll_j6A-mS%dwb}i~q0NkP z{mAcvVB1gn=%wG|9yT`GynSuYj(Td^>!@oKkO^9C&q_w0z1yS(`uzE^JP@SB}0h}ExjwA(6{C6&|^ z1mzBOnkttPxju-tTj)vzA4#8~(k^*YnOLN}8=xcRju&#tS7T{+nJu@QN#KVw;p=$r~gfTny)iL$W*a^Pr@`Dch zL?P4uv&`TLENIz2!r@rkg?+oHy@ceqPQYLBLD2L4mOtH8gjOFxD=A@*Dco`uWG#wg zbhx7~5!*(>QQU32XzTSrE)aMUrl1S`(3nz|!9VemBa5C7rFaT2fqw9%$vH`8(wS== zc4)yjlnsg-0o7^3Xgu@lEcW5EpuBBRfdqDZ0%xM~IGnkuRZ*|cUJ&sx&k!7A=riY; zRT*!*mZn)uU?MG!Tx(n9?z%xM@=h2|OhF#m4+@eZTL?k>s0>k=meZng8bzcIu`PJz zEpaHv=-|sO{+zF<5io))?cwsnvz)@4HUgL{a^VL*&^kn9*E{DrV}B|nmUA;BG8^Ng z<`Fm8v4y;LR(}r3GRlJHx;q=&ROF}FS0?zaHJ-?(POL;=mQ6l=Lbp5X4*_c4!1Ns4#uXpq?Ik`) z747F=0~LX>-YX}HWy0Ds!+in_Nso^K^3Gs}#FAqFy+1&20PR@MYqDu1i#)3K$E|lx zX-gjUspfCH6|z&q)x`;#$er6i3OEi6;?iPYunIdk_G;XTYv+iqFymBo%C8#G)WxC+ zS#fxQM)T}w1Isnv9cj+rAg{cOl@|_Z%=i*C>?H#b_b-7ZH_YM<@3j`K4XLOdCFduf z!E02-`Z)ei+YT1OXdl;At56r&yFn4X7P1Rg??7Rew|GB3sx#|PCD+@XRr6YZy(Hw8 zZs?qfQV6hC-)cKBejVjfb@ z?G90<5R0S_2Xt*Fe&}tZW_fUExFb<^jU|o#WCmGKi>HDARDv!h#Mi*SS`SCuGf zt>?KNdyf8A#o%P^i_f?#qcmibsiwd+RaLg%#;O=M@)t2Ogf6)a~!>GH3x8;T6 zP#1bo%Ev{G&~<$GdNW{5v!%*udEUgx8sZg)5~|DZf|%vtY!hWv@t4o&P3k<^#`K)z++6J-wVwS8z}yrLTH;(Q!eR62^= z4>Igh625T_@Kzf?S=!+4hc2}8Glh=7_SmjM1EZR!~#TIcF}=AYz#46II9CoM8jyPFNZTzpacSoq&(&t z3&D^~w8z~DF=iP-umC=>Sgry-H}nx$pPGMfJ<{Ej`*}%^2t{CsqexVurKMCKMRf6EYu`h8_lPBa6~^euehD`FJ5 z*oq8*Xm12rgrG8eD_e~+rtfRC`3p8gP?&pk^eJcOn-?uyzz9JO>*BcWn8K3CR+5s3 zOx;;f0`I&_)!VpDn?nbcH+J;zHPS}$}ZKgcbq zQ0=o@()()1DR;5dADSjjhv)Cnl0QQ1S!e+;3CG5}_q$9AEh)+>CMZ?Q5g5K7*zbS~ zpnH#p2Bl?8KKUEnVa;t2ro6vAn z^W#!wM_0~6;Kwy5ou0xZDgn8-bU&%X5Yhgy;fO2%@ArudSW>e9&4aV&28VWAuJ|oCsz+2b0;`LsB>Aiqk%rnd5LCs@59mbB?SYwFenf4S6TF#mm z14q#+>NT$it^|2}sC1M0QlsByGl1kK8=9NQoNFn;(qL3YYvaEJLS$QxGsu3K)i)${Qty@HD| z5yx3ABk{W%Mg@C>A=)byX7))L`LAqfJaz9&iX4YAHWnH+Cb*DvY*G;lpAOeizjbz% z+7JqXEb5#*BZk0H*x`3STYPBRF&CglI0OykcprforWV zDNu7-5nr4oTEiUcG_REc40$dDtCw3A)z19Jb$hz|Y48(x;oVf}C-COSTp>w*r70!* zGkM(TXI%JKURgbs+v(Je55!r1F;eb9Ewsy1a0nofTnIfJy6d&yElG9l#o<7bV!|ot zJ?Hx4!0x3McIf;KTU@b1Gpq2G+NMO82soVIhk7P}bmy(GwaMfnZG!*u(~-%S3%M7k zAo|R)**TFeW-S|1Fu84pauQswoORRQ1;)Y&#_h)9eF~((DtnFvf=6= zwqQ`p0G{+>C4S5usDFYEMG*_FwSrWy=zH?1u`6VyoLZM#!Y!`F-g!D&UY;*$sd_w5Pm?6?8 z>5J90RTxT_qq-qzUHZkrTeB@o+UW8L8>)?;%&j(^SoWZ&R_dtq{4&D)1S_jl31u7w1wnj02H}MtI#MpLtIh1^$MME1 z#2BwYVtmV@ghyv?@U-_~tw($8g2$a{;njn*I%?-1sd&axSf0|8N0d%qugz{CjFB8! zl`T**8BIeu9~xCP>%@__n#P+HX8KM&;L{QJreobDQs_4%MEu@@y!bB9u1k8Jd!LzN zCwhv!Pf=Y9>r{X1mBemMWX{K%+BdCJtB89@hE?0VZ>e|B3{_04%yyA$^{pyGQkn96tZpj1L7}tUK_HV>F-22&0_mTiHV5x-JX(kI-D2 z#`enuYhg>125tv374z4>#*u6Vezto~DI`MoR^B6x5*F9-HtG7Xh97bKQOg$L`0J#@ zFOcvDbBy;^@z~Y~ogxW{@lK6|d?o|ZOa-v7gz5WD#k?oRsMe}idr7eILnSN~%%6Bk z8ijpcA84N@Hid2Kw2P!AJ}F}1aef)V7+{4lpH3)C>TJe#*ZVWAHTxU2pVF#=&Z8AvU(DyLW)@2-tD!O^@LXv2%A6EJr{P^asCOVSIe*gU z6DLt7aAiw(7d8hX;b(`2!$Vke7&sTyAr^E?BeaW)=JW>3vC6sda2TUMskBgZ%YHU- zj%-3CyxrV5Gfx4wuHBlJ#!d&UPkMA0+W51$l(V97g+AQh&ibbI~)}CPN z+#6l3^|I5`MeR+-HEiS03F(S=mj=yPFHNF)c+7>W!qe^Ygq-V3g3MC%Fb2_3X9znk zh(OKuOtPZdVWGPy6X6Z-f~*`3YkdUUVwhM1 zQHN`7#HvV&i@}8?Bl24F+X~}HoNL-&^aP!jNDF*aognk0<%9Zo!nAl0qcg95WOY?c3%M8tP(C4DgLib>#XSQ0!riVn zt{JxfK66Z-$^4sjV_FmSE|u{+oQYrEn)H|D4_{U8*;+Tuz~-XFqH8?nPm3b$ zbK|wT6&3kRnY}Bn|c`dQ& zT3jd>k zse8!eD%dTn-rV2*$9l%h3j1EE1O`RRe`av zCVO!=FVqvEkGg9jP1N;b)!KI-00d?3C~=KPmNN+v9G|NPP`ctQ)78do)NWDGzgZ2kee~zE zcI`{3iq!j>CBM0Y)o$#ln_U621mO*D{RksrGn|zy!a3%@_i~@!i*Lb6JOV>xRX>Xpr1ebnDid#)+2e?t9quwKEr9D7w*3&sA`bcLm8;B_M%fGE;kRO=rH(8p%kz;aSkOZ^|b;J-5w^7w*Q~DuKuHekn({zOIJ-PVL<`D zLlIo$SZo2*pe4A49w4;PO2jNcGWH}bR6SYL3wk+C&?=q|c3`%I)|2Au@LS~fb%fRf zsyqeUQdi56mc`9*VbxWjBjmuAWP!AgAnA`F#1KJxIKk5@q;?I?70e%`V__(h4M(4! zagw4W&@*|yJxqOc!>5|K?Q>rAP zn>^w}sgyE8UfG|c(OL1BH10>ZzWvt4jC$A`91adP& zeiou34@SQ_`pMDW128;&j2Cpuafj~mO%BIZNVb4D%%!)+VJfNtudJe5eY+Eda*=4c za1kjN`kru33vQM-(E(!l#j56yzpCKN8cx>x;5|nkynpYHGBbJ^tgssNmp9~i;`Cbe zfo2>8?Ih@`;LkmD?Iu-V&-q`Z>0e@{qf8MD5&sU}#UdqzQ zklYozm89ZygWYw*&ML0^%Zn3I2zLo9Fm& zP-m8H6n~0u6jNZVzxBoPkh*^RpOL#LD)biPpty?!!oim{^R%W2kjALcqAJ6aSbe#} z@5Y@TcgH2a-?G$fM;!j~PG5v|VdV>EJePJ}$kyw#d9;})#C`wthdj2mK-v8u0cPn9Du9U|4KcB##T0pg3L zPf$7j1_p2)Ppmgr63#gv+*!&>Q=PdAv;L*`uh`@=C}`0xJ{c{y(+OuAj?96+`zHlU z^(x?ksf_^>C)i6q1Ubkvq9KvD0S{l^<4O2^a&6;&R1rz=n8>Mw+klZOsOB>_gAx%lBvIl z;HH8;gh2;d4Vu<+86}|vSNWBvlmeip7F~VXT&&=vcn0Jir=)@AS7Z+s`sOMSWtdnf z?FMLe1eS$rn)=_~?;-hk{jZNF{zPB^o!C27_!)`&@n)+A5-ZD3T=h3_@L#T2|NS3f zH~jXEp35K)DxrVuQUj6ol$Lp^gTOEBulNXqyKMfObdxu~RXSNNB$*EvXB6m!b}f&T z<@y@&O2Fo9L5GpV4R3Oe7$Int)JjSjX0f8f7m_goG$!=*hY;!f$v1NpfnwDF=nRqf zbhjfwWMss*1Z-i4t+@aG#{M5`u#YNnO6q;4MF+qX|KnvS5_AAHsfqT;n{tXMrV-#? zb?R4vt=9;BqyEcZA1p>r%w7Fs|8|z__EUg;jR4}QA4pQ!hrd^I0S~z@a)O9SHa4o@ zw2=!-oS?=6z|J3lSX~3uE(&uTa991~8~R`Wl0m0j747$5-{3#r>3{siX9d@BZB$$2 z@K>4zK#X2Xv3+oH^@w9P@|FD%2KAUCbN3%h#b8T`ju#ttbvyu+=H*kQX}3Xi2=S8( zF;M(_rh$<&>&@+l`2gn5Dg0?#`vrO$G%Ma=2R2~uwn%guY=1B$e&^R2Oz;X0LBgR9 z_mSTLVtFYrCe0~sD@Cu0)UY8+E+PT%j#bxaL(&VyRP4 zdF}#KPuACM@<55;W2M}E^?IG*n8je8Hv58Shv9rRi?$|ndWgmT59vIfh#)(nDQaIA z*@|{E*Vd_;7ZsnLe81tkM|S9zS#2~yA3}w`f5p2M1LZ&CA%&f1?fM3^uUrG=cE$j! z2tB&6-VbLB=7@z2YQ6K?H&^d6XGw?-70R7z#z2D|T9kG;e(=!a*!RL{NFDav0oeE` zs-^KxF1#K}BkqM*iCi7%_xer5cX`5WIrkF``=Vz5+${jOYPsutUr(-ns0DPM6V&B7 zK(ojNIfpi!Le3oA{fd<#ajzeC1!~lZkbhDW)V3)w$-3tM>=IHtBI=zSL@Eg(st@3r ze>KNy{sxLVl~8gH2^g$4Gu@B$R_#N!O{gXFVOd_}_KDnw*z8Qmk<1DcTta1b#b)K? zsDg+|12W3*D-&Qr`T_3Twqlo7LD zJg2E#&egqdaANtOoJ2QkxkjD~Q~M>j%NzszeJiL>cMG03k8@#Q6DR`_y5ybfjPlw~ zWRvQ-6`}>ru%r~Wq+A#h>nOx?GxcBDn}xpB#SIR*K=6E(Rzi%gnv;GtZ$689dz#f1ci(5iAzB4hbWKNtrPGzp4Bw+F=-E)9Ru|dNdY+%oB=AKy6b2wimgHX0Wf`+w zCcOA$zSu59?WKYYOc8)-CAbrP&FcGkr1PTYMb6)ADL-c_-F99%DRwHDC0`k6ePvzU zC@-jzn2+1f`OiUrN9D0uOcETiC`H^IH=e~%8&dnr`yX+cmxG`h{eUI^6j6mZL1=cX zMi8q9^cMyupr8@M_9@DzPSFb5n}tBai#tS()R=ll;6Cw)XP? z(Ywxa(9t_Lr86xOw(bj>trs~n&wRF4;d_rQ5*HVpBNX6hBPu_eMjy;g=fuhjcEXlFwJXspH#n`4kejZl^e2QikKB~-5T=ix?GLBUa zla{VpDSm~ti29M-v^E*naKljFsa+V{kPfPNcs1^gBGjSiK!zRZ7WmT1+K%_J1B7qY z@hKAqAGqE=0i_vk(nB|D(+SsDNoNi;PE33f^>=AR%26(%m54-G~UjaKPf_fsv-@<_m0nTG^0vFr5)S3a`e0xc zBb#tXl&Lm-qhYg~2(z6=gz1T*saWfyxf${V*VQZ zdL(7?{5T2z@Hr8(GM-~OeRK2%#ouLj3U9`zr0ODw)G>2v-_&O~$}&u;$}^MEON3G4 zT6y@4}nJZri$PkTi%#l2}v8?B{jn$f1Bn>EDhz0Ekx2^h_sF-#S8#=OS$`O!UY zn=12SZ{gXQ`B>whpF=Vup4E*R9$hCK4)~qqWEI(=_(YB2qg_YpGgiX^*!m`P^Me$! zZ?V&sPnJoK{b1f5NdA-(mycI@d;A-rNr9<&Sui z$wDnfbuw9+RhEE|)}z)7Y2i`Dz5YiiL|Q|S`*yFyrn=P1TD8zXV%9UfO#`AMWTUwJ zgUGLMIp>vaQXIXdi+^Kb{OO~>Y1mN-pR>= z&VOnuyXjXK#>vB0$+Ft{(>W>qxUM_%A1ei4BevI_$_CW+Pa5e|3AXX%l|5|Pp zue_$uExW=?XQo-u2t(S9>Vfl>xAccy-RSzucy%*WopD^CwK$iZ)@J=l?tEp$w+(@J zTJ3WWla_9BJ0`UiXxtaLXGl8Ddp`czI*1=7(5lWo>1GwOB9Zvn_LyS*X`t3liOBO7 zQ4!7GJRxN#c=4_UQpeDnovpBGJ3B0`%|enVOvOy;YAa}`({QvA$XMS?itf+s#obbG z^6{Nbzm8EkEgTJ&?A833#o<>QaQ-|wx|=$!hO=dak%q`o>U@>>Za5##%!s&JN)0nl zErd!HIMQBHHIArpGxXw_l8lJz;3aq{&gpRyyd6t5WmDst*5(HH`wMEkE6lsFguXgW z<59ooHDbNa1>R7YQ{fQWFDIAb}^gfKGk>C0WeNmdn+V|LS?$`uTy zgUcVib@2#(CYlIAbeHhT;3j5n;$8JhM@xSGH=n;kc3(#|kp`%nZUtZ%H zX?Wudm%0dw5()aK4QjNRPTECKDNmO9*LX^zrL4O+@tZ zoWqcjMboh?8GN{5h_OjQd?=jNVcdwoVv!OHJ=%5nK+%r4zU~Rq50_ksd6Kkv*-v4D z+OdcKM>gCFxuVeL^5EVs7!@665jCH5j56 z?pszNReK&(|I=h>2$W6q8zNujgfRP|oR)%-`GCDrUhsXz-gu)(HK)$jnKT*zYjFKz`u&D7B<>ehn0aAOx(L#rAk#8aa- z!_+#3@_>Z^i7r=a!7!?<{6`yh)AvAh(R;_6$msr7|6F+^H{W8&l-~Bet&=Zo9)pc3 zhtoHHDeEWj4^g>)y#L=fW&i2F3Xfi)Pd6v2&bd4BjmJwpEKhPPnc{{5Q`;oMk z<+&@_#%#r`FBOIZQwWE05Zb@OJ%@p|)})_^dN*5Bym;3*vxaLvvrjUv&@6PQ%{l3( zdi{ikiklVIVAHRI;N{7)5_yNrn#0uDjq&$cct)s0^{ZVf_iW;o18sjcI9$-t`2l$3 z?Beif1sx`apV`fe3v=YftdFCV7p)h4PQ;jE+`f4N-Xy2^vmg8mlGm$kYt-FaiN2R@ zf1dNIzTlNjnWs1(X`XhV81t6EY%|@<1qDSoJ6)ayU5-K25cZmM?P7V8oZD#DPhi$p zozAM8pr2;LAYqhY7`rUVL6nS$*TMagrjwh+Xny{)q}}bnmJ8hT^H^97d2X?9% zE2NUED(BElV$7pI>nc`_)AM4XEvo+1qWikdgz;EQv;7A7PM|sM;&T*?jCc)g-byi- zH^zKaz7mvkQ$xAM=?l54kgq@CCcmW#Z4RdCM25OZ4Ys*i#mkeaeTI;+=XbRBiWkOC zqD#F{D(T3jWcx5JDB+>jOijPIi?l~>&?tuG_Vhj>ozro1k9eH4Tfvb3tE6l&fE);2 z&&^?JLW}1)%^c6v`by2_79+4dm5aSz~0!#xyRIMv!n6q z^r=aMh8iuGmdU2=vjKmW&wKT*FP);fWCQY+m^w00bSEsSfdN)Az0gEOGy$;m6E#3krKOPIf48;gq^YUZWzY zOZmFon-X`HG`+-LA>x*Wd#(vP;aag^v?5Qiyz4H5)k8JxHc2@V#tIXb3vx=L$H$6w zI}8sq6hc*DZkB@UZ=T~Mbh(qAnVNDbvHB;^Fl9#)4+T+bpU@&R;Y3=W0D;#=qSL8k z^B{lsSd+JiZ~2tXK&2S}!V`EllDyAaLYK5mM2YqjHjlp!xQnB?VmiFGswjV$HN3b{ znJ%Y^9fsfJ;U-kZauD3|*59XIBQiNzCT7I=q6x-sUX}!5z%xpo8>^G7`cG&}!4+Q6 zB`GFPU(|$NRr>tta~--362`)}lUm=i-Z?@`z}~>4@|?fanBD6*LbCT;ahkx&I_`?5 zqna{(ez9qsMzYPu_7zD+sN^eR>ICf2{{v`?K2rRTL0eBVUf#vS`|L@_`Zcg($~KIf z1}ElAH_ncx=%+1yw_kvAi85LCvBJB4%c^ZHOR(z0>~yB!N$To!%|5#OUOoLCQ)f6w zFm{+#kRqA8yhJe$&*bu7$`U$`2sQI#T;tGP; z%B`b_vMK5La>LjzSX|$jQv+8u@aNV2IVPLnqjx>KT=^|6(Q^{NF&rnvOL~)1o^`d#`QV=O;Z~GhBI_zhOBp2B2LVD1n%sNt4LQ znaNg9=&PcNpF&G`wAE~?raEF1W^NJM=6NNkVlG_Uz9v*9yYt}?r{(32l{dKMZX5RfQaHG&6 zq%6z%>^~r7nWl~P2qJN~uNDoBg}aI`3|VcU_jR?=$G@uz>lHRsE)O?M(@T7Hw*bcD zY5qP{Zw2@*%4Yl><^LL9aBNCh@!Y)>on;m?u;_%F0!! zbCC^CG6;0LP`q6QWBhL;f+Z1a9D}6s-C4yhQ8a%Mc`9xSJNCP)(2{JWiJD|kI@p9X z=^-fttQGoD|~XoaQxfC3%dr{Lyme4m!~2Vr!$-`s}vb`OA{i>z~e~c zl40UBr*fG=(MOD4e17QC;P>e!Iqz?KAFJc>4;U-Qy?DMH&TO*9*2Ze%6!JxB#mLehc-bdsUq_ohl`4F_?&c%nOF)Ounl_JTaWCb-xf3-8XQIUA4P+Q!|2 z{-~p}v<>}T9f)JpM%N|2zCilCYMz~38`xHM8|pK0*NxpVn@s7SdqHwT*5~4k&}6bF z634jyxc@|SA}f7y)hvNcJ0I&fK2jRH~BH|$Dnp*h*<@Zk&1QV`gD*VfhQC(oyNu+Tw{(Zc9cPY#bh_1iSP(V~W!^m(jhTs4E`{$apfRMHO_%9eYI3 z?eNh-;pJT|)j+2&co*Y~+;4td=Zk67eQ7^x_};LOCZ$4l`jElKctGOO!et7+N0Gl` zf=b%C?8CZG5;$>)BK(<=9>Z9D>g!jvZA5LAzvd@P?nsPqt_6JqA@-^zQ1szy?C#c_lx@r zw{;H7)GB@0)Y1#oEo0^NToNn=3zTD-jdK+uSdHgKkfXM%R z)RjW52F7DpGY)@SGc*nXO%(n@UmlA&*S{jtwutlzl1Tk*9$x-^)onZcb^!i`l_kMUa^P`MdUzvm? zZSmp8_%|h)s1k^IBYb@Erd&9NzV%fV9n!!jV$X_8q8>lf5jSl~jkpP8p!P>f3oh;A zpgFQG1TGbCknPhSsv_lFWat{j-b>fAXrku`s6R^iqA7M9#!C8G^JeA|zh+z65s5F_ zFQkduc*pDH!rb&^so}y`Z_JyS(?N|FiL2{!#6jBnOxc?JfoD~Ozh310mLk3NL()MJ z7j{Y!M($*p6}1-bV5@J|`+gJ$Ia1p$5p9n5pklOXflnzt5BlQRH+k9wBWL3**;|LJ zt&Y^Pc4*9#-9sWD-U-!CndW5CdU89X=|JvMq5QzF2$b7363%R|h!D=lZ4~Lb1CL$0 zTlRut6LOa#9;b|r9ZSUDtMqhur;?qk7`QgQw=AEpT|Lla+bQN9NvZNlGbY>W@%BAu z@L6Q$e5z>c>T)A*=7C0K=9u2QdsQ9{<4N6#-!#f!#Q?LYrX)$eMk(SJi;7y7>Vz)p z1zE*Qk}4095S{z>-ox}3Y{=<62=a6q)f^=Xfw|Y@wojH(1wzjtW(JQ^Xo5A}SB|6# zEj=RtAqAW7A804BA0;|^|HN}(a>{&Wwp<8CJ3bE)-UT=?ZFk)-(H}jza6zXUgloK` zLQS~zElW&Kw#aKdS)H=(F65}J3MABvG1~>mW3{JsXMX8Ryp^pT{>vV_X(e(j4b7~= z9Ozp+fMr`koD4rv_ zxTx^75`n-ntsQA@&DZdW<}_L=4$f8~riQA_W2qF5frvGOG~!EyCvo>;hV0SpKfdm^ zd#R<(Y;*iVGMQ#Y;f9Q>P}FUv<1V@cw(NW_{%+@6#d~eE%y{S1&Pxplq@ivNk7hcu z=^RqG=eSkKL$#qvlyG;my=dun`wXWNhO@Evj0Cedvyhr-uzue*wgZSlKNze!g9$f_ zMmtR&Pm;LR5U<_Q@(tg2J_=g+|(KStoGzim_&gO7hB=Kfr!j?e;0lw+3Q|4Z?XT z(q>vgtu1LXaPQ36CqJc8QaB=uj{HFX;KUN|Lbdjb^o3nwB z-VC@u$cT%d-vnv$|6A^p)9v3-`2D_ncTV;5)aW%aJ{i?Qq5d?wmrfCCR;(Wp8N^0v zA?w7GaZ_}~mW;sIP5bs^wXZ)-rr7(=-CCWP=Y9nJyyR^0#U+KwH{_{k*o<<@+2?X6 z8NgTJi?Fz)N8z4@j7+bs`6+tl@KH31GBRUG2*mj7yseXiTqNelE(k+8xEoQ0+h_}O!46FOl>5LY}Q=~zjOr3-J73J;M1qRP`<_wWgJ9v#!% z6@~0i2Fy+IZfUKOO^XrvJCn|Hco|I2$;7OBk8;Bh@*SDQoS!BrZU!uZ=w5Nf@pjbYMK(F3h6l@t&%`Z2K5U|t zshGn)E0W?^UuJ@_!!ctT4j6jpM+JneN$wwl%Q@|b;R^<%G=i*0I8I=d&N84n0I}XnJ_4kAf}N$%8o7m zRkz)xAy(&{030FO3;Ts>LIy-LD0E!DTC*Kxm6@t6YFv{L>Xw zI>`aq9-cJ-;KHEYia`|Wy(=TyH+qGk`dm#VRs32J9U_aXW(qMW+AK1mqHLp$bxt++ zH9vsZB@;_q3NnOV7VdByL%1csod76hrTK2pj&DkctTYiXm(s@jhnFsv~)mt?n7}kM!WC zBM0hCsVKy1x(Z|hsWcpT$Z$5%$FE=qypUy-zLsiBJ2vgfJ0B_<&cR|DC*M>)-|~ zx`UQ^4n`3)aS|v~%JxumG4I#fpfRN6GwSy`lK+%%DaCrAMm6IY0=6o4i6-P_iLkGdn(x9$q&7NN%5 zb>MC&!kEsukC`o-Ezf0_t!1(60oo|t~ zq_?hxV?62C>IbUfeCUiZ5eFYnsxAK7sTv#zWg#gEKbGj0dyd9i2-?`N40L^^m9&S4 z*GJ2~;;0v!%%IL!X*+_bTG2(DEZuP(c^s1O2(S(g$LEWR!gvh7v=e_{p z9kPm`N61*4VRzj1X?{)CV$&w~);r|FAAHpHwDvJJ!xEvoc#yttAx!gLW#@vjFiGIw z+oJ8m4rKq%0{GkREzE#5z&w<=y-P(Humuj$k(ng>3k$UT>u|(7vT+5Ud4c$;g%3P_ z&Y2c)zT+)e!Ys>M&QHr4Lb%6U0|FY>-YTkgJARu6|4$#U6TJcL_pou(4`L5pxm*@w zjISL*p)W`qM22ufk)ceZM`X4h!y@!VY3jAF0C7T@UWT%K=i&Zv?U|A#q^d~A z$9Uz*lBn|0dn+SoROhqw!~okR}>uAN~mGCYm9nDe?=P8Ta44 z+TT5Zt;%Qs$I-3yLY3{43zU@tAIqvRbxoq|;~Hc4!RSbPQ<;>o3WSnx$HxezcDlZN zGp^djdL9%unKFy3qkEqL?*`*mZc%~_>?7;OvOlAR^!M%8wm?Wl8Ot-jAA2R0HO8_k zcI~+RNRhW)vOL~AYpi|iM#8Xw+l$caY@7jpPVHcq%gegAoK`UKy<`~LmnVKWO- z>wmx=ty>Mcdm5|ka?*1h+2^JjQ!ub(nCmbs>7E=b=AMkK# zWFMiGBwbMmJl7NpSLF$kRoJsHyC~l$L}EH=qdpa|{{$M6VRovZ9_ApB_0;k-%h?o( zBn5X9ej>P}lpp$}y2e9r!EdGUr6vf0RPwRnwli7TGx&@Moj;Y&hfAS^Bx6F`Y#~Ki zNf}!j_7ZHDPVb|)G?Eh|5{MmH5zGp5pjvGw{)Y5YioKn%C%7dpR56a6zeyC#yGZO8 z7ut^yL@@#kKn5mNk&Vv4ayXHefdW;Q`gc%SqVtxzJ5|6n$RBrboz=RtomQAv`V(gv z3zPy@esSY-XadF0kG_K`u1@3GCnr@(87LOENc|nwUR{@#&D4L*-Yw8CeJ7xSy$zHm zD+8b@uw!SNv?hJ`sPx5m6nSnZBL9yddcQnTUi8&{{T%b*izUYx3Ro3e7xZuK??5); zsF*alxcwJ-2JDlgEz0%8O+|uB#BLA0-5_!ynTC(yA81AUYM)cDVF9g3M}qo!Rn7}o z$vyisrkOy&P5KoZ37xi*@EG0dude2=5gleVEM-S!#>=B?f64!^@`83LiX+pWQ8DG! zz9u_lPN2)2JI0ElVOp4Tm+F0dwD~>704G|w+yUr1{n*rCX;+~h-NF?9R@ zp#8$?^CCCl@612_QInK=d?AXQrK!}crlzP>@FzE#vvuQ9FFdE$oYRB!(Ys6f>;@1# z?QrVt_FEeDZk@WXDQ-AV1gYzEwCbirzzlw5^cnBb zy;X?ZFlSRjgw#c1jO$*WN2ZC`0S(YWy^O2)JWvml{-Ve+SH!tAWBTh4MacZGJ~;c4 z;<^x}LeT72SVJK#c%TS*5+?_18Hf`1vCDEGdl#1D+3)eGvl|`X>528<@4{xCrK01Z z6hy(##d#Ump^dhVy$g=Iu-Gm*cgdX9UcSFh-v?R}9;GjcQ}G%1caEqp)MYn$z9FdA zsGv1We3JVXXx!`1C&1K$7+~n>73;7tu$2#g20Y`n0tY_^g_zj_2PHtdhvAY1D5d_^mAgsR3aD;2vnu~9KnLi3MsDdo|gfZC>!po ze8Z&Z&eDZScl=diK?vJ}3Px^gKAhJA6m1_HI;*O|TT*c77b|G46D1UA`f!fr{QZG? zUIegbkOQS?7FdUvqqwdTSG@Fdp_~4TO(c%@FWE$_TA5`Okv2m2pMQ1hx>z+;@WRId zIy^ph!qq^>KyQ}3UtA9T5}#GMVc@Y-em>Og{1OydhdF#s;5n{g?PFc~fnrmI%6Ezo z$Jp8wJ)gUt8QTY}q2MH?039n#gCJS(FRoLt%(! z-v_eD%!pT+#+SCTXxJk5fA}9^;ojR3L?apYy!p9HG;CaZYi?2X|C&p5j_u8*P(hn+ zMQ(hFveI`j4b0!Nu(QN=X>=1Zi@jN!o{c(xcL%TO-!^bS0ct2J{9Cjta|YBquW@1me;3c%f)w!$Drd5uZBA&z#e{aV zrRJHpGJQ@T_64;Nb|6gmN7)TX5=$qj*Vi!|(H4J0%jg81>t@c4n2f)$L0pG#*1r)f zQ+$a#9rAhGtJQx)Sk& zY!A&EdpG6n?acsW6n+duTu+A>qOmJ zeX{f})E}L)1@HwhB}DIRUCrx26^|!sQyJ1)3d~f$F4h$nx7$}5YOb5CsaIoKJ&ASR zTR*@u&&CB;!n2^cN~19oE~VhlwV>R|z}dK$&lqrF^<j`|4D(l<_MkM)itZgW>-jHZg)goPlE?rUXBVFRZqxhm~y*S{=-+~5Tf-*~zp zuidZLO`+{Ejo^SB5B)N(kW7D0Ar}Q#H-SLT^Nf?Hq7$1NBdpp?F~i)rZLTck@=zIAI`4nTP}bz^ zyhhP~aF5@6_(EP8eNmAl(OO*G;QUDD-AntM-!-5h*Dzf;FMv7LLQnJBz_s>0?JJH5 z##e!{MlFTR{*T|KvQ_e4wd~0#mir(v^nqHS($w(C2W18Q40LbVI_aIxbKPNbZ07{- zwVcCuMyNpcBJrHsD?OOabxzt7PS`cn(+BnO_yXJ_{yh(rTe1}0D?UtRAD?x7GWgLn z|H7^?0h6C{>h_n%s+GBSzRjF2K%NAiK*^B7WdW!EvZ(#noaBF>oWOUycd2FVMTu^W z{0HL)w&?`b+xKI8Dm$5~BZ|$SH*BG$GlTd(AlzY&346EaH(U-gm_c~kD9!=q{f4v%hV3w@^Cr%ymtF?(=Ot`T#4%f2SBHxO)>|M@Cv>-*ZntN zd4D`4PXKUECP)R*?S|uR-2VXfb9v_fGuV%I?mxnQ4zn`i<((#MUX#M4pzo%6RcBE( z=H&;!wx>z_XFeYG%~!L`#nV1bhrYpiGUA$O7GlNpi zG$%!-${Yj#ChE&4t@Gww04$S^%ijMqSZ_ya`0B$eCsxopkI}@u_kesvo964s#8O>T z9dwLSkte~0&%%#e`Pd+RW{THQ?aoda>-LKe?8d=9J~gSX@Uq)p0 z^GDDL(FrcfT}3Cn(&bfi(j7n5h59b&w#jf5-_D-UeXw5aWE3A47uR$Y$Bo-2rT(7O zJfGk&udjA+BqclK?AOj59?9deYGyI*zKQ;7!VsiYy*#PD_6b)6AG#azv7g2~soUeL zRUb>uRQ5?Sp`-RslaJm`rb%=^y|z_+rf8l&03mB5Mog>^`kPm_*!B5$Y8zorI$t#R zldM_>;;(7F?%GVrjHN)uSH7Hd>F3Q}?m^I6=xjfIe3JC#TQG$=#E*Fwkk#i0dU2`* zpi|5yT75Pt16+lV70N{YUcN`LXBDbuU{|B0Z)%jZwEJrU4xa8@yTu#aK?%3ZIrUo2 zCv4>Xd>@K2#J?qbQTI5th~f)Ijt!f{EjwJxNZmL2t~VStmSUElzvT}FaqqHL4DFjZ z+-C?(5}2Z_uqY)n0`^crTXbJjeSxLKs{OqoWWCZo&Gn{ z4{5P$1Svz%ry_sw3K28NzZS_blmWNbo30r4Zvrr9FamC)(dI2^LX4-hS|vj2 z$bxjg?#Rs&0s=se>w_6H4?|E!{fu*XAxqM{U??AQiuhH%N<5DP7M{h)rJZCL>r|C| zS@XDUSYYizbOc*})L`ll88}gDhdSZ~`9t$h7#9|7!8cz1sx8XZnC=Z-dCaw*pK0Ya zKw{@LAB4@v6bz@alqCf0V3HnmuPWE%7`j=aeT-~7_iqijNw_(Yn5>QqZ}GWE-ck$^ zuHK5uew@A=eqfn;>W8adEWTV>3KI%%|U2nvL$yXZtZzHit$MDSd2XOFM0SJW~wh2SuHHEA2 zzz8c)Z$q1d*rj6(l;BT+j(WZF2mn=txt*YAdUjW5B@lYgJ?qekjJomhy%P+^K3t_1 zpP$ndPGq=F@033f`AvL^RD2qKK6i?EkeTWNZb>n>4$Q6CB2%&c;O|uzE_qJ$J?%jk z`wJ`%1vDhdzJbJ_^%u6ctqo);s2ybCB7e{< z2ye>D=m3k638J$COoox;l!sG)t(RASk+DpXNpEr;)*`4H@6#o?7xo|M2lF-$^rf_; zcTo}(Y*t%W$tTdCC7=XM%>y)I13Iz1440s_Q`Od5m%)4QsJXr z$>c{vq$Xww2yd%DTPbIN&EO&O2@1PhoWHaNkZYW?0Euw9j)b%Q485k7*XJ%WK6+U# z?+VO3LJ5iQW57ZRls?NB4|O6zgAc}= zHl~in>sX52b>E~2W@*C&@QG7A)xSl$TRpIQqRYiFW}ZwFAq z%n{5bUC7@Sj$(8jT&WCS0B9Ux)qjMb*L!k5UY@_u0kb|+B))7efBbFKDu=J2S=?lq z(S+si82$W#Kr1d$-~aX`_@|c$f2Fu;>L}{nF4D##Pqvst1V;8 z&62>kj|Ky-KhIaRNyU2gC$9@uz|%xEk_yESc(ecB5%<5mv48qyW=|3g@y3%G{*9CJ zzxy%B3!%AI*F$?1kK|8Q!oU8vB{V&3@7o6p1;>2;>BatEyO z-2Ew!Lk8GvVqooXQhNQe(TtAZvYr<1hkP!&AXw8q)@Vp;5S(LHyJ*pBMkFw&`siLY z@eW89Lw7aH?q5kUc7msjNyVUZb=Ypo9OJD&Z0VPNtflymeX-Q&hc1yg38!0{c)fJW zzy5>%>+dSvewic{Rd@S~?L`P>c<~98QHtJ7xdlF9BDm+#u9yg*fzpA+ERxH9S=J78 z%+V7PgCtxQs=cn)?>xN^dTSQ-U}US}LW982kE5Wj*z-gB)X?C~L|#90^rH*dqj?Thz=wYp`mshyyg-}TDia;-SZAf zCNr4?HEJ(1%|IvcJYCcI2oB21Th%u%tw))O#Blw|iZByPJOEk}?`e&4u_@+%?w$iz zz2W!rRu9&E4%e;sK@TpIY?1?#%l-^(FID0y?ZSqe&^07)TK&9{Gwrp_B6Xm zPomGh{B@+$o$}xTV&q(ev-2S0{m2ifX;%euAf#GTPwl?--}WJ4S}cUixd>bzhewEF zZxPT9tW0^u;crP7jvz*dL8TqbEls^I{oWsJT;68aO@hLtO0H5<{^Q5h86ph5k`5$| znNsyVv)1mg<^YQ~B)|}pL^0hhov=ON55+$C1x9~c8q=;?FcG9XtPM%?UHyY!jg%p_ z7kj$0$famR{$Z1O{+6l$);8Jc)mS2LnEhtB;AM97K8;~(3cC+Z%Ro)?+mHTajo*@W zLAyu9qOIwY_2hp)RR(yy5!VE@s!bDN9M7M={@sh}r52-wyYghWc0g0a{!_y&EA8p; zv(rvkir>#Mv?>7x-4JflWlHM;ZP*|&T`-d1M_G31CMM0Y-oviuKQtUD}u&)Ea*+S!{Q0IngL7M0V8;m3a70X z(Ckn-Z0&?8dK?MJKv%w3mckE`5y9l()^Xe5M9R7pmjQ&*#in+h@%vHkhH?t34Dklk z?;!%pms$vDrB_j_Wq=(5upUuUHz_HrH32=Uq1bFNJGZ7AZg}n>HTTBtJP4-XkEYG% zRXT&=Stkfv0vD5pCe1noThFF_@jDRsS}wlpYj}C-68gD^{Nt2WlfLT1#W#SuHkMnp z+g3ke#pp&{TN@S3qFL6{f#PK!!TbfV*n0kCP?;N6(?=3zp-ioS;f8gbL#;dUwtiU zY-%)WnVRiS)>yV^qJu-@jrSD*$*}|GMhxUR)gcK$i!gk4V3aU52eAb!9m@J)V$X^} z^CQG5Sp=x^G4>fVxDdhF#QqYg8|cU|JCWN2P|1iWqV4j^(|7!4 z;D1H#I&5$jYJ4yN;9OARU$txc(-^(We9O1?K*YAV$N3t;zYs4NUy53-92*0CUFSr( zU7S(cQxZI6_PdH21^;vhf{n<#=5}wP2DmN^zbD$xEjN={;kK=o|AhIV5rUubsfdlp zK-o&xJr-BQMm$f)5UCW)!qkurxY(t+CT2)EW3>aN!s5Huk!1*XYyU>J_OKZr@qBL! zR0C?eSqBG3y1!uBMV#Zk36!acUXY3OvsG+v4By0R zA0EnBFDMnzyE8AE{DK^Fk;M5kpx4&SR|jsch!JTSY}Wqv+=C$qpGUYw=MK=P2PIf& zcj1x|gIvc2;3cA;P64{b=P3Em1rKj;r{JbfJ zqmJM99iIX`Q{vrGl>2!cdW~2Q%2R&;aYq+QhcX{NHnhGYMF#Q1Gj>AkgQ>iqH+qBw znQ=)uT9&_mB*^A84j;=Auc+bw1et9qR^$}TSBN;Q5O8l1ymPV*TEpcJoQk{r{N^7c z|Kze{;&U-KOsvyaX`pKZK2hFxDa#2;;jJ*Y{$fJ8(b^q+HzzZ$NSs+(UDGYxDk|t* zTgZ(93=Xjce@iv=PbekD5M`FKFOuEC0tc<}n+Zh$UDB@f>_5%%Ol_5^z6cwAcpiim z(DtV7UFD7TyY-BG3%R>y>4zNRIdvb!EG$UY4C_t5F$y2(=yJgHZ^p!$J*D-(-J@` z!JA{D^E5Xi|LoX9+FaDdW=%NyNQ1S!4N-H&oi&MN?{poG_g0W@Y=Jq4yy|0$sl@Qm z%O)a~E2RN@!M`%^nm>`3tr>Xr;B-ai^DgHndEbM{8%#`NOJ(NfPh-j%cCM82@b+>D z=AZFDTYLOD@yJb4y03)u%{}L%8{_O*8)lo_+24=!)+Jj@#V65GdB$ZOw|@yHbKZEC z_tBm*Wo4*9JvZ{ zM^Hr8F-b-5>XNw7_q?rW@|j;V*vTvnO66m$gpM?6oJkz#lTXrWU;KI0axT)Tt-y!hW*2xx;-4jpX!90c zbdlH*{MP8w-f}zVn&JG8XvVCDZ=EVWvxKDyx#`}sc-JqJuI6^I-QRgj|K!13AbSVW zoY4tX@6<2;V~+FqO^Hns8)%I*?DP)uymhy`A~HVciD;X79#u{eGA+)xYlKa1srhW$gmb@4 z{rR_@PeR|!q(X^{dx*F-i`nXlnh)nWtSUzF_O_FUdA?gB%u**~bHDd99$4<5THQPG zgb6UQ%L~RE^L`d^X$(Gym(OKB9;B0P=T!*mRlN{X$FDx7&HhQt+<@Z!da8ucy_%vp z@wflZz3K1QSPoOPJoE4TZr7Z>XTLeFb%o-Z3B)sBe2 zaVg50<_JdJY=<1W`ZCzu2$;JQP;JwSQS!$S5p2O{zdW7#n3|2TVA3#IqS+OKw*U_( zR}0Kpa^j3%aBy%TdwmUxU>8wrQ>R4ciUgQp9}cY66*R|VQ_{!6SS@7{^stVNZ=xc1 zHNM;})(F4-WklTf;N11?H|Y{FoD3$KrXrFfdP|rk<}x_=n>l6311>JPH{&693@R|@ zOs0jcW-R#+r+W#%HG7H|R{-v>rwkogeL(}_PKhZVVGJ30G%L6jig-K_v3nd)i_m3q zuYLoOAyO>7XzX*n(W>(PYG7ch>*0Eg3=T{7;1NtR`b~l#`3h1^YC6yO9n+9lQ2;*k zxXgn7&Dp9=e@9x4G5Xu*1a?>mx$t*u{M zBVX@=xUbpO=2ATMMo{v}`C4hss@Rhtvm?P50#Q%Kp`wo~5nk&B_X}YqUEmid@H>g8 zc<)3^Vw#FeEmZ6?@zkBLyhIg_1;k<)nMYGTDx8>K9)6 z*y{RlVpzBNZ>TQJOysH+ebqbG$w6t#p26+0bLoWW@Zz}7?ocT85x6&w#eB<@xR~j! z2s`xK$NGnH+OmHSeH6`g&uLVZon+K$Y73SsjweC=98#tGq`FuP!v~&S`>955X4QoW zl#--Lmkk(m&>9EbL+vWJmL=wTdHvcMz1~kj zGFuB$sw(oeh33{$>~F_a+sW!4_zNesAP_F=r_0e?B{G$rV7$R^+pwfuJJc@y0@7+f z+d8o1`gnH5TW`*5pilTXG>{VU8qVIX*y{b_QEuaq9hGj}sB^;cI36%{jdzrcK^KJ6 z{5*(LuU*Y=7plX`8`)X*P=C=Q#JisH+gy++ib*Il-+_fuW6A~Z z(jbc6^faqcTVm@i{ROS@2I{`pPE(mfh+<_m7DU~+x77Y=z{%09;ctVNf3x8XM^Jin zb}j-!sqhJr9^NatZur zBNJ0BkFmcUHtw4^p7C|{h)KRfIJz}~UNcPS?~@Z%FHwgTJg^DqvGFI-bvXsIe~~al ze>}#`d-D4g*YpdtJy33pi}EOGoSMFx#f<#vO{UKA>j4yDhw~O0T5gP`5iGv`%T=ZE z94L1&I0StB&)!dmRF3&GhwH2#%MZ^6UR-CGzg(;5;eoIzc5RM0-b!)yrIk@u|Bih> z^iCu_-C&!`X>($v5Yc5)l$%j^VcpLqFHM)+sUDEcE5Cl2qPg%auc&6Wn83f^XHtW$ zIAD@)jfC-YfFQ*rLyoIW+ix2*gE9`&zSOeZ5su&03c*QIoKvHoOQ%k;#I09uzYDh= z6S{4Y5s#}iu*B04VSV>3|G-}9eyzdX>qG{1gmI728%yja z@AeM`_9W7&YY$8KGyg|v;?5NHLhvi^MBZyZ#a^5BJfhG6K8ctG(h3v&yA3tD_1x#e z>TUJ?%nrX(X2j#InKB<#wsN}`-K-`JZ1!R%ySwZ~$ZCK5`&Kruao?s~xf^Zkm&r1e zgZNRgd{Qj*Mpmh9|D-o!CX<+^WRNXUkn!dt(iSmoXIzYlz86th0H-`@&dc?Ia`*z} ztlk*E`vMwS@v8HswWoOz#xen1hX(3&&;F_;RRK>@A=o;MG>|0rsG;<)`Yf4nJdgB2 zR2K%_1vb9MTdxlsw2xhni=)ZG+G;c>+J(>NK_ARR0RX!-DeVr9DCsKb#7R$( zV({*$AAUD2^S|1equ2euq956Lv=O(lM3Fd#_?nD-PZ2rZ(EVmWobbjf7MbUmSmf&Z z^v4ff^^)d6za0jB)3Lin9c*EdzbmVNBzwl9m!E5VvA@Jzh3+2dN^i>R&yt0`G;{6N zY-=2Pc>RH8uXTeshv-$wzE*9kY~?|?7*8NZ?NCe0+sD+%y*@=Q#lZlOu}*#Aw}GP) z{W)MlVpK`W3e5fwh|ME)p@lF@N7UGVcop4mjV1}s)fhK~$4i!Dy&hTG%pxrisM^rF z&GtiZy`bSKlvHuWCXd!04Q;njhY*{~&J&cbm?}Ymww)x<=^>Y4yC@;K*YGV?gT!s`lG2*sJBg#j06fz#gjD z8q?3nbAsiN$d0{XRp{x&L-( z6raxV{uG?l4H%T7oAzF0s0bnF?UUn+7jUsHezIC(g*!_Wy;~;ud6Kp6t-|FJx>bIq zjjS?IRtdp%JQZMbM$ocimoLU|fO=7%3tWKrV}CHEH5A`M?==Yx`+rz_>!>W(b?w^# z6$OKCkrb2$ky4Nj>F#c%MS22?ba!`$l!SyxNH-6H3P>X$($epFJNI6Dt-aT`-#NeU z`)7_h9CI)qAMX3Q&Nz6W#|UmlLC?O79+>L%G8dliOOdP zEs)Lw0l&_A3U6y!7UD((p?i7do(QlC(Ub_G+;mxo1U)(TNydJ-<(`j~?{vlFm?ZFX z6D*Np`+{l+zBc4huocwj`;aIkCU-v*Gq<%`_2dn?OE1g{r`5E(zdWn+h&%74F?jyG z1yz0XSn^M-(h(!2dkE2u4QwY2H<>SfwQq&j^O+3aX4?f;wyRtFqv)>^Up%RE$c=2( zG>%awwVT}MgLmHq7B9}jQX#+GvNhaI<0i$rh5l`|_V4>Fj_cl{?2hWNbI0MoAuNw9 zqlWT_y86^x!N#s#l|L`W-`7UJk4&{fN$K|hJHsWe`9{w>YDw%#PAiMH=q+`KmUqFA zsCi{3zO8nPQMGIJV0($+%MBvtS9v}JhB)g|$#f}Zo;hW7PZO0W*m%Z=4lZ?|x2lPo)gHnP=uxmRpK`<*h2P2I^m=yaunGH!yWtNYV#tTXs|g?X4MzPwd=an% z`K}b_EnOaNOcohzvB6b1v2TFM5W)P)lZZCeu7k+M4)OUFX9P{L%V*tH&d-)tZ@P$8 zJNQmAm85!L$bDQZOjD?`cmEQHu1bu>zIJM3pi9!osU29&9e-@VrXevnLrVP*MTRm+ zwCdPTj#X&rGE#QyS8`4NR%4@78ms^!7kt8=l_M0_Vp#0c`e(r#YuQcV*Z;;2e6Z@u zXzyUVD&-n%foZYfAI{xfRFbHh#9G-g`&gpKijB(SkI!qH=Ma9$cPB&!yFb}>$8Xo@ z)`DhLMj=_DNHP6t#6uN@m-~3%D>+JdwzOtRUKtg94rgl;^fuzyNj<#!&C|=h6>oaZ z_pu3mv8Zp^pjJ-9n!v+VqSJTjgDt& zBWRS|n&tbNOo?=9x;sCMjSd=v7;F*jO>C#0o6z~%Cz9|unq|2)4o>}osC!mOs0kgZ zarGZ9+)z&wnwFdL`myS5?yzB4vM8Oy{oPIEk_a96`=~TF3T+=VUKArTw|P5ZV)B~o z`CR~)`w-9ZekKC#*S~*T|J|Q@(@MP`%P%wFI>AY(B(DD@8P4V(e!;Aq0$pbMJw>Su zENN5b9~w*2cd9b{n&O_FFWd+zu(~~-S6lVaH>lQLeFS7T(bZ-X3+}!?_GtL*Yz(=h zKS-Kz-|bhgxp8X|Yj72@nI;~CAPhz7{U)F^$%X1<_A$aC(05x8?{#mTIw38cGFLBq=eQDCZ6?w^ z<}e*}K3rY|RhOo8Qqi(&cR%Q;{TcGBf^gM% z#Z+iqx9bO_yF?h65YDC^v6M}D&UIwEM2?+%e|rN~PHS{T(>I^NdWGrk2rdpWk14}$ z|6WXW5@nXf?n-fGKO1bG1u0Dt0Q4ilGoM(9Zpp74Q`IwLMeO&M|nGr04O^wVJ+$fIvY&;d^@=z&dPSbNJ zR4wa~WlghbaFLLP^_5ZAekDVt$<|I=1ar#QjppY2-M4mOrMfd#ue%}u;DI;qa z2r&k)afs#f07*@V$hp>W6r_8cd3W1KG9-M4gjAxSLg$A$NMt^hlxE+0kIVoaKX|-Q zs0!vJcbSi97~X){$hxDLWOWD`l4vES&fnjvBy_m!Hi+`bl*vBsQt%=f8>n`~?yBES|ZT$qU z`aX!bB2Nz8FcPMOt)MzJzSm0G#U^_@cSgh6J$*Z4&hac!Tsyy3Pky4$xa{`wDZj5c zXRqF|;2s>g(Ls@`D~NY?>Y+QR;$*fjliCVQ{Tcyuv9RAm1)nfKIM~OJp%0PX?Oxva znzd``q`lfS5YI|AGI+dH%H3GWe%|cED+_+p!THRv_#pa_>zC~;)Z5rdJ3fhFR^3zxHak9yf#qf8hG%mT(K!DU z>@<^U$>H>-NbOk&=2H>z<;&tQc>z+JltqN;;{Y#b9x<5G7vd6vvq)Q%{YUFJ)b|VE z0CW~zC1K=A5Vnv^M>*u;`)Y#!Bm{HKC_Q&`#lsGCxM(^Fnd_DVjAcxA-v2M&qAVB3 zh|B|ME)8U#hfEPqCkcEhm>Sv|vLwm|RR&d}lI{Av$g+xV26SV0^ki4=h-N(s3=AxO zA~#TuaBlhER5ppp^Ec?lF|lI3+lEi_z+I}g!%D2b7k=@?9qdOEkY6D>VNZ}4w8U8de*0WA+r zLviN@OqNwBmcW6_aoWgqS1IGA-=m@?dq>8p2|Qx^VnQOv&ZJkVbdNh((gB(1X)j^7 z8NhA;d{Rw`sSoZ#1SR^X?DNjjhJlu!nF+W=>D!Mkv3NG-$KgL_Cf*Ops#uGeMaAd$ z{;Z$;eUOq0m3V?~_xlTpI zVK8LG_Y~#YFYF!tPBpMw@*T=;5gh7QYLWPnQ29wXOjPy!>D2p9czHtzT>kp|dG5jr zn#JN!yJ~i{m^TbS_!^xbj6e3^kuiTL(Fs>&L^NJ@PgV;!p68=Cj|!x9?;Jq?%MQ{> zhwo#G*+>QI?8FQNosDeckYYG8WQGv@T7c?3N+AL-rfBGD4}vo(Z>?&Ci%N|O=t0cyQEQJM%PgKz zs;3&`jk%39m$98nT+{G{iz`lrI&Ep+32IT1eSGz!QqjV?>HO!@+u;_r<*)$bDOo0m z&obUIJ%>s1;C`ju8!AwDB5I5X)H`PzI&uOc2_&ZaKK%D%9jGzYhUsv15wH%&W+*s%n=$0CKGp3>`l2tGsc?K^Hb?gD~ z(zL^CCQOp>vaPFzMA1d@0Oz0~Sm!DcK8~ZS-iJ-sFSZDnB+u9se^?xyBx|Dy`^^u#WYd?TPa-GR005lqPM<2)c=Ke<^f5am zHRLMhmQ#8h?y!EBwuC@CIw!x{s7Z} zo$q5k^n0*ABA!-^Q%rC3-&j}$$r!VQkBnQ`C6|t$SninzSao|#>6j%IrBOUBUI1@O zNZQ5v=IG-p^aL6ccqSHAKI&QqH70RBhHYbZFQL&I4pw{cCHD>0q59KmzBysv;H+WX zZLr%|N>?>`{W+TY5tfs<38A$~@SyjY&qANddD^(M8st@|?x1x!9c0PIgO!i(OB59!jYf9IG0Ju za4#hr+Sh4yX+xg0{{$@RQe3yvBSZo;Q^`(2kCXJ{>pQOHwgsng?Q!#cq*P7hQup0Z z7Ni>oZjQGJ;F&~38o=jb^6Td}6EMy)X}l#yxA?mM>}x%DYj{Ry2-nndHs@F;05;V1 z^6}S;ez+)NuszuxC+_Rfem>ET2>Gg$wt@#iY{;(v;pHd$Q`fxRP0+stX}4BAI{_&J z7XuC!Y?G}x5?AWM<1gC%c8H?=SRt4z)9GZ@`{HFD35_JF&B38&ud@q6=j~hoVnAAF zcgsa0JhRCNF__tj_;3&n9c;uR-9cwOJL6s5tLZt(FE&Ud&2%{0KIK4dV17R~ns3?? z%Bw8t$Qm}6f}z74PD;y%kQ0@h$;NloqkB4={pwcZ(x@jYeRm1b!v$LQ0TL=OD%T&A zrn(~<`_EHDipZ4acRGwyn^`k9=g-l^FSwX|FjwQxOPi!))@k@8agB-%&X3SsY&b8r z?z#Z4s-1F>w`afbMK^t3TP#hv-4%|GWDGHlA375DNXyq&Ojc>+;SD2nKt^?S5B>m`cZr zXF2ES7CtNZL|bJSGa5?~i9$^1I5Hv=T^Efxr5;f|7xK0euztvNckCEMbKP`6*Bff- zIx|hS6CK=_YxxEKI#!T*XCNUwebDj7+KBn_Jf-Pm55-;lkgk~CuBjvAIQtB4*bnzd zAb5E@D(#s1c9_nxr&%yeDD)qx@5^3|X0yWPO3`b8eOV%8igqkJx)Qa3hmKL^$gV@& z#T$cw%>YsJ#SV-$4D+K1N1JfhS}B-`n(V^(@U#iBb#u4n(PqTR}Rm2{f@BP#`-#lHJUX zO4@#9;h4eAuwXeoNM)t7s-So^u{H6tYw3q{?t;4K@Hf3IO0^Z5hLF0jy=mz)6#f81)MiswQoM~REPt69+TauNaq*)C53h!|X zaUG~KiKZ_G@D(F-|AUHlrmBukp%~n~R*E@Z`XNhcB+fMIX|v}^F9>W>!(J1xHQWmN znUe18hbccV_{0xQqtz&!j+x6<*W4p6FYsPj0~@aXaa7MX(cY7}i1Ui0Jw7PSk|Z{2 zLJl)ImP;`JV%E?rrp{To##BpjGs;mm%lhTG#!;1tSV(l6*uDT?_TX)gFv){zum+z0H-CDhG(O4W|$}4c^;98GBX+f zLhyzxQ=^ZhFJ;N{ZN7{cvM3Nd%3OBHaA|7C*F?Me%XJUVSC$*>w&gbY%83HNFk z4zIaMTr3gLCsI9H6;LW(6rdNJa*o6-tXc~311T~sF|TD>G55_&F7m+)t%#OHbTu@% z%vd0w;$YHp`2P?XJH$8Bq&+|VuDJTwdUb< zEzuCYSta|dwC8rv|6nMnBa!`sd_ZF)>KxJ3ciE$>{86A2wEO8%4Zg0+qsD)@fMoXa zrMA=U#2rSWy)teO)5|QsZv373#sOOK1?#7+NK8{57X85h1JhD5tFVDC@XjkEjYW_2 zV`_1XUlXb5vzy}mBKgwK`jHeT(B5;sYcW*1D0zAQqewBZH2RUSKh^uJeGH5y&i`+TXd@1P8^0Pt%O_s`vhV~nN#$U6XpWC??Di&`Nf@wgFOS{ta+G(d~ zsfbt~NGssJOj4PsA?}M|RMaYtw6IERZK6BTXy0$!D=~eQjEc*ymslw@#3RL7!0#EH zwC2BJWU&v)zD%^G6rkSU7@&qCZl5Wigw`k~qD_3`ZIxal?)<2y!b#N*Ok(l^m^w#X z<7k-^o#C3n9}S~bT1_Fd78=)($~vh4P%@=)d&!3qs>hSDoO+B>Zy7X&GSv?3HvA1j zavH}YQ*|GICAOx0VA%MG(~Rs&LJE-g11e(lW6})OU+xB-X!tHE9sIctEx1@@n>*Di zQCyNCEK#C9mm{n$VcnLaX+tgZ4pphz?^+@my*^;s6)aV>ew&Us13$T-Ahq|l^)q@KXo4t5Qur6l;p zd&wA|B@X-Q2P7u%sb_J#7L0zqs4(eH%=_F*p=N7k?6AL|>plA4d7{4Fy4%MeIA%uA zb^KkmnN9Z5L3Vkde1gb|(J3Mo&l@Btx-UyAA9lrjVS#=T(oNkoA}DM?h0dvh!TS?e zuF6*Wd`jDtl8?+NIlGDUOh6X4N2DrAN}G1KN66cI8@N~)NYYmMC1I=r;!$-d4SRtb zWxxd3uS;EKy>1$-O{>%NEl*sEGlGZvyZF~)#9sKf<)0wMgj_*Fug zg|4b9*jG=zkOtq!$(ppC-9zB1T%;l)5;n)QyAvV{y58TS`<<_@9RWo@vL)_}xL#mI zUHjtzp0U+=ddiE@W+`LA;T# z}4IlkG1+4+(Q zwn7(Zh(dN%@cHs2ME%uYjL)X5Pbb|!2@I|KDx~bbF7Ep1(KjXsq%K{NV8r z1I5C`oAyBO{kd%@Bhf`^Jb69&bXU9x;3Jw0ica#%ivCWd^p4PEoiJdWOM+tP&e*Rp zR|YmJ(O?#~hLB5VjW_$Ql@(P_=Zj3YvML?z!%gOL->XD0$4`=v%3@@CnEG)>_N;}JQrME2LmB^U_b4hhU<$D-=l7iASxpQy3^{6Hnz zi`noRo*E`Fw`Ge+`id5k1KyJ8#8s*eSJD~2FFqpk(Cn_Abp3WU ziTO}7WMeHeMB#62Oa;=ru+7TBI|z?tB{}^4`pDE(j95ffDDCqYv}3O~=lt9>!+=DL%Sks5s&{xq!C z^{Dq@uA2yu1-2LC))4Gs0{z6U>&TmYR6HWnQ#0McT$zYajR5uthqRt_iN!jX#n68I zxBKOA-&iz`xsNyLOrHnX$`w9q&h}jv*DSDll^cFc1RNs!^h?YTp)%LQ)FIDBsOK>- zcXyvswMx18QjOm5mK;dX2z5U_KJdO3)RAtg?8SB(!CKu^Rvi}L8OK#+<8I0oO}hKn zrx*g;6oVfaCQ(y>ZvK=5=Ijh^VKB2h3D1BH7z_G6Z4}0qLMPQfHh12+!W4ajIrO_x zP5=0_zqp*u$M=pM!w%L$8mOnQ-orbv9^m|J6B=` ze$!mQhp<)V8LxM;+=f{?@d>upg@#IP^0vSJmHsKj8@=a^BCH!-Ey|#n=zni7|stXJwrc%bw=S+0lG$;iY{6j&dMQCk_2GmMk~=->bu0<`E%m3 zO*IIq5Q-(7O#mn$w4#+Jnwr4S6ZiXzLdO4m`s7T}G{)7vaNezwtby*#$}jez3D^R? zXVFl)ULIiJrKp5uc_J+N%3h$CwZY{(pK}v|n7~(%jZ+KPc<||!YMMcRi{#=1EP77AdYmWY5C#GNLc;L;``V(tS)OEvA!b^_gaa7|z8d%ir_ z;s_fily*A*Kfdrmz29#71WrqpCQqm&5PHeB9n;_bB+eHY?H_RL3$i`>$B+J7kdJ@* zwR-2urW=oJQ1bszNA7=q`+xOEt6^W!Tdtt~V%+in8E5eQk8^%ZPPS3Ylz*c>|F;j- z|F0kFAGY($+Brc|4Bp6N0Cf|e(=V7ButTbp6eF^Om(#uwMf;Qu=0VyPR6tTNgVq&+-(a2pcHI5jzsi5#AA0jp4t^l6pZ}iU?C69+ z%>pb)2RM83Lfv6b$-?H3yn`WP$jU|}WZ3UInFWHzjpQxhY4yXpr(pw^c`gVXM0(`m zfBx$X%>>NN$US`wsHB0Nm64A~eplz+5Iw|2Z2br@x$pgLkRup;!MUKs%!Q%hQ*v3@ z2zRwwXJ7Y(dbY(Kx_4$@az|JJ7T3-O=E7T#w=x7nHj|wiy_O3IJVLK&^{bA|phFga zJt_fODC!r_t2&B7DwJ#ZF?7K{mkBM_?84l~FfPPknA!rHAX6C7Muj=Z>!Q6d9Uni* ztodu38aWa$;*4OH{L^F15&Z`rtu`{f3M?72MNGLwZYEgpQnMilojRag^ua9i_XYB) zP(fhYy5?&yI3$c!)Qw|4u?@AsEMY_NEYlpTZVJSNeaQ4Syb!Ns`~Afm@yJLRq1L0@ zw;#beppkp4ljA5jv7!deS4oOdkd(SUm|%mmhsi?`2yy+-bhYk`sx zrwD@pDPv1CO^+O-ooj#@HGmjIM7LS#m(_XTgZ06H!*@sun|k<8xPTs%7c!xk->&S6 zrE@n_u7>gO|FuKe+x1TPQ_TV$QK84|x70u=feg1pa6jWZvK>G_7+>(r5VvrYek^2Y ze{nb$w`d=VsbgE17T<6H&e0-Jm;}(k)g(8XB_$-m2cd$0UxbV|S1N4J+s>j~M1;-phM?9s{Cm+BMLd>_c)SD1hC&nfap|7k_3kKzo zQzL5puVp!7@>7WU-^O!0No`91E5e~*ajb)1U>{@67X$D+5t+1~B6Q(Jz*>j&ZR70T zPXU#ksHjk(qU5xPdfS~r+$*D>ou4b}z0Kasn3|rD`tD)){y$CXc`fRMfgIBC3&xu*j(6pc*{e^ z3CZG7HIjn{R@U39>uh4cQ{~n{pNKyu)`x2CX0}HZqjcWL`tN5xs5OqMhdOgcBM{za zLa>&59UI@>T(gaFbF&6eRbiEAM7Vk#&)rrG(aH>2c8R*2n7buYJl4Hl^w5biOHx@ym*8S3Cs=>wNBbjq=?-3{-IFRKG{oBjU&@Hl6-)5xt zCD?7Gf8h|g7i4)QS~7jAsZxsU_QE}}bRE#aQ~g2x7wHGb$|MB&v)1uAm ze{*g=N+IHUruB64GYFV^c~*-JjpV4ph(L^DH?z>UpMPh7>9bYk)69>rVA9-rH`eytHE)HaOi#LCAPs#DVd^gyFH4T<6^RbPNast3omhMdec1O&Gr=dCyE zN{aK;N;Klb_gSiqAByKA=%QdF-XSeIMJQ8k0XQKI0wQVhMBQmHi3?qNV|G$&$uEQ$ z&GkAtfb2tc!T{`431P$9rl-9;r}RR1h~i zbKdY_K!k=7*tum!%wg9+4*|RZK{A(=yY1UA(K_9HaX+`dnGL*`2(J=bFluKXmhBvf z9Y-)}fPX((9Vp)0D?s8gdJo?JXI*)X2q}*M%O%w!SZ=^0E<-9ZB52XKVR2N7kkcZX zd*+Xe3@GicZQs-c2o!jn=H7YdH5$49b^e_}_e7?C{(UW~Fn7E!ZF1O-KnRV!F?7QWGP5 zh>x8#y;0s1$ShpccN!5Zz*fIiB1m-h(Sj@`J{^|=?e zlxB|(=5Y{br5gMv)(|qw4QEFmv*%{e8;hU!44V*pn z8ip3$J~@ZYunbeF3bDXQLRdjCG)MdweTkN(M0cx|i%KMWQXW_*4h4*Z+L#M!J@yjK zxcypja~s&mcpKQIJ@U9(UsMNck+OtTez!~8`5AdTQnooqI)f9$wEjuaG`sFj-$%Rr zwUfELiJuq9Ck_9myHtYPbcSP>oZmGb%&akEdC)}7<27)O^Fm;EY{R0`0c;exz*BG~ z`dRg!is29QP%lurFG6{A9d)@;2y&@LvRPG*Qr2(iYzUTEYFw+r2N6xTs6%skFy-;7 z@;yWtpM)5BUtBK0qCbnnk=(7NEMrCjCq}X{wGkILUCEu_<{l)WN@i^Obgu@UiCfeD zW+_f6R*923SR`Dlr!8Zeyk>D*Z57_F8|o{K4loQPcA+ik;30Xd$lQzsfn2QzHOXl; z#Z!!}3%f9d!<*-aGH4NwS8c)iy&FxNfqYeFY2*Z@fTi~_a&fPR*6iwV3`H2Tx-aS{ zj8ZG#M@6OPfkus`DBeW5l=!H@6|D*xU!~-2OvBdmj+&+$#AFc~sJQagX)*okM-ek^ z2yLk-b$Q*(cl1i~ZE!v1^07bQdhPtY4m1D8|MHUk^U2mJna)f+H?u0&2gId4}J1-GI-?eusM{JF2(VZjSVz zsN}6ix)KeIOp2|JMR?``>}XANTo&-MqF!eScDn+#u?~t14+B}9(Acr+XiI>Yyb}lz zv!h3S0sW|G_mTo74nm31Qa?!ljfwGoqW6e(@yXRfWV07V)t+G%zJ{ELiSt@TjAu&b zc>>gwrwaaVP`+G5S0P#!_Qh@I`fSDS0QRaRJXI~$#Ifb^f5pUv$P~meBq!fnlgFb5N3d|Wuh1?jB&*WgT91b9%GNnpbkNQdN}o9=eoFN^TJoEb@l5c`8&M4(IltjKwe*jTJ(A*+ZQ0!ypslD zUGIEXRNudHVAenm7f*V`>vejp7e;|@^Z58bXfP3JS_;RxNzd30w|z04rQ{D)JcxdF z){0n~=sOnwxf`jk^t{U2xCSD8bhaR0o1?dmy#`)fIxjA5u^y zYW_6%n#2*Kham_?mx=b8?^QL2T$>D9ar=0qu#6L~(eb@X$_!zH+bQb_r&U>d}<5%U*H-Gue```Xo{y{4^1cIq?lWM162=$#ZqxZ zP!#@n>b$1$T;^65`fr=Eee2ueS*?Bs7Lg(XEzMV##ZnKAWcLTuX=v#9qlr$wf(Xw+ zg*E@bgJ6iO=ZiD{1i^Gh|0f8>6gqQ%#yHMRH~{+8(VvT%kY3AC&zVl%{TY6DlGx&* zJqL+X; z9g`4y0L4GAH5QDpOI~!js1yuDr0rSZ<2=JEvj>t(L|mK33QRF&`Wb%U;jGRVd3mOd zOv>qe;R#rfG~aYrJYKJ<090mB%pOo3Q0o2rewTxvH=xX-?th4ggeeV#dlhh66U zcy?pP6xPrIP9r&x9es}m2LpG%>>C)OP9JyId}&Obth_`O+ADVo&Is*dUi1Ty$oNt9 z5VPP%o16KZx#ySE>cxztJbF1dWP{CYDXuN|k@z8j|F~z1*J;*PNx79^iXSzC@hw# z@p!C{=gWPT^>K1aIs5UQuhusr?-uZ{f1X7i?URk@hfEAnG@mX$x!PgV7-&*J9KHF` z`UbIhiDr-&Reqd@j)SLZp3DWdzsf$uq8=P(kQn9obXIpe`ShO61$7@8)vtzO{1?jZ zt9QRPcD%Xvt{$ExW6efAAVD05-(nVNKqgzSU-&9hr6Yb7Id zP6p3W={N(XQWc}o2{UJfhXyJu~ghi2B{R~1`A=i6fA_E6G=2iB8eyZZ*mvc=#8x!pDi>dl5-67ne2L2P z9pQAd_mo36Tu#Fylo=mt=E;G3+L796S?r9rjYzgWMQNoJDlmX=Amu42%aV7@ghkQ! z99PUD%kyZG;1NXS>!$EJUk_Hyes374myvyb3}X+ z7!5FaMBhC@>mwuD6EC>m?{C-{eg`Q{xD3o?=lWFR3}XH*jAmi{zrkpR5wNYulK zLm$%Xl|ug|Dj9~LXrh^-{vwJ-;mW_FXx0k8_dCRl+H~!P+^^~|^S~TOfrmK>gk;04 z$JirYaLpmiJBiFy9&JAcgx}*p!GxOtGL~*{IB-B)G;4I z>M1VXEiH&rdq=SztteyHR8Tdpq`{%Kp(c1V#IdS=pP19G!}9R?5IH}l>un2J(v$0w zZep)?D~=z*d4S$-^kOnuh;z>cCY)FH-VZf;Uk@7G9|v*8(oFQNQ5&x#O}eMM)uv`w z1-G9bWsRxoel<%gJk<;{X>pD_eJXHrqZKLE2+P)>lG0b0EyHX*_IQ&j-{`xO{Cyg; zxF$-^rle6P+BkU-{K>D^zmtfG@(iV$sviyey+k}+L}_~!pbu7AYo-%kKveNVX0~cC zf5>a)FL_b=A7tU?pnn6dJX{^>XRt@fZCyBod_hVc2~ z*#Jcp@j2Y+YdFQMe<(h%`p8f+4-G9Ie$Sc4!o1HGWKfwunr?m*NR7Twa!2e3@VmEy zF4+}XX#sx*)fQWwH;5mtd{)BsTJ1pPR!(}uZZ`HkUZx>e6Wi~aulj2Z5=M#*qN!x} zpSsWaC@XYNC?2M4fkdg)%tC_(7%<%SDy$z@f)<06*}|-kV1wGFjxLhdp!}BM?&|by zFZaDsO)#A>_sm)R5Noxu3 z^H08I<|>t`9^MK5Wtq0v3Eab&PubtspjvDpEG`$d;mXi;-R69L;vUgBT%JS%bblYH>4v!bI=#_jZ|n?9Kp zyC$uI+?@?oD#L0yxDc$kns&QbzFe_`7;UjwzA`G;Z6w@j*rq7@1>&lESR((bRdu`U ziyq!GS;DvNY^TOiy^tD1<5z5Ro+aKwKV`%%e=GLGSG{_clPDQ?ga-OD7@4687A=_G@;1>RCuCAqRuwAJ%;c}K+7Qq!tAXzNi~yIJF?BVqbX zgB}(8{(NtX^=<0U#OCvmRM6VGRKOq5{MNFsQs<01Q{IPPiDJ33iN5-y>@^L;lY@dr zz4Dt}vPuKQLv$+D9ZcN(%#%yTSTVmu`zB+jQicvv_iSjIq}NSPHbU-i7`UDD9?9jb z+7wxut3KxPah+J=TylPX+Tn2iFE-}+6y8q=C{#2vH3X;lG6nOhyQSU(h6?ZL_0p2r zfT6CPAzPRP5*C@^J!Nn`fkrPLPAB~6D1r!tmMIbU@p{T9GJ?!J;(NL$BlKkwQ!JlS68?a1%xrd}@IDpqV%$YbDr!Y=ISTK7Yr;|p~8<>Wd_xv)c9 z1XUd;u`c1fhd`=~1zB-q-B7@ozFZo)>+&7Ln8pv(OU}Mn4_F|k$~P)E${heD>)8jl z&UTIvFf4uMh>K>;>Ek6ySEkGs1}4$07N?R!ok80WY>tl$B1SRFDgoB=`%h96+;0$V zU7@%^Iy5s~X_i{Lz$xZ6L}4Qwf;aC?`+Zk@dkbc_T+rSc8^rBsg%GiKsQK2+wC&dV zpwvD@6tSVMAe`W=^cP4BV1t>T%s}i?{33pvhE82(3o#?13tPaWIDG_bMb^NZIZ$mR z%uoKxxOEzSV$KYjT?yxFa@TzGp-d6A-UDk`*V(c)H}oQi&aNWmY>*}om76o7ex2a- zwz4JWA&!`zG8iMjN=VPU$Rv$JQ{o{HhfF5ujZaxP|UARA+MIiY*_z zMH-TN`>|il%TxRfrbWQ?y=2u{pPAV5IbD`b(W43I)5R~6N^F5=7Pf|lURL5l3H%EN-4x0#Y zT+Aa>JG0YGMN`?c1Xq6{X_mD%D(WtgZtw|wZMMw5F4~ry6!VFQ3XM`(bMQCd8+xRP z2u0GRAXBI1Uko1WWnH^f)A=0N{&HVhaT9SE1)q1%A*N5RvP$@ZPVaMYw%r_mLDX?@ z&vEYk8_God##mNK4sjQu?rqO-?1o*rS?ZoEdGQr_(Udv1xPCBPzauw`F=yVqXJnpN zs*6&UPI%-|ubWM4M|4@F6{)l#Pm1&@LoJG*3|*#ETmgI&H@bGakhHx-H0s~RibKp zDzg(^zqlUEPh@0`!(&Z?=SfDpIy+Pk9nn-+DUAp6*)kJ{d1eO!vYD)arWFtv*koVF zZ_JIl!V=ARF&>86FNbEv3aP6v0UA{Fd7Iy>*ucRr*bt_rmR z(#cSE+bZIxP#aJTI2h|TL!dhNtI8i8Ar48F$vgv^~@PPLauW~Kb%dN1nT;~_t zm@EUe@mvqnyWTET)17CG&R3PW6{I((Rl@f7C9#m#>w5 zr>)UX zeYp+!qX}1A=o0Y=H|dBDc+rbUBhE{q-XLV4Gre=G2{h&Pi-}%$Up9$k4Ja!ZdxWXo zV3U||O8G&u*JJjm?~3f}P~lbt<26#ES!1SfTCZ~!Lh<+y2JN5yrPyk1zhhheuc88h zN}8Wu&!`Le+7M}T`m1alfmR=d`$Qmx&2r>(*_vm0w_FCu9@X%zUohL7C!A@c?^+f< zFdM{p19r3k+IF29%klm-7-)Jg#l3m|&&Zzkh^q7`o2)zQxS!4HBz41XKc2cpPt$x~ zA8JyEKsW|D^T=KH6fd0>!f51bTDRY)0ALn?)lxdp7-Xo#ufo)e0Ubm7)R3*wYtr3hG zJAA7FtDnAo$HqL?JN8R?>5%}YN1uo^Tw&YDj@)5+QIrHbzt^d|6hG-gws*BM#p^bB zdyHfJvZNjeI+BjuT80>o0hOHDeuOTdlBU1&TD!Co&~7cbx4erx?zi1Y1_h{RMBrhY z==ntruZardj1z=D;q(J&LxI83W_UV5IM9Wt{(9PSMs|MS(SwuswX@h(z_bbe?a>ismVq(a+QUJ-RAKz)h40n*+ciAUy8eQ$`k|rV|9f-A)YGi zSE8!#?j%K+7(LF=gDrI|IUz@l+0cics7pdBf+;_-#E#t`inQ4|cHyg|@p2_$xWYIIk6Cjv36c zcy;<5xw(Ij3%1{@1txo@`yI*FY=ZN})LHKD&znP^Y=RR&-fBB#%$H_HB_j9Mq>q@{ z;u_^(0<3bvj8Ob0o~0iF@n2r3*D&yQs+=J^I$!(U+nkAMJ2FE$%Kl$I{<8iR3)hl; zvOBqTQe}Cx;b}`0A@#7;5SN^x2=9|P*Z<5Gn*@Rqi67dgk8xza=7%#-g&cc}d~1og zp;G_iImMeHgQWKsw3wYTm{2(;+`X&eh%wmyw7t=$G+_SZ$M8CR_tpRiIcG#VS&q(K zCVP0Xi_;cgd1?jn9qtivGs-m98b>ym4r?scm7<4!A?!JE<~)!I+>{pmWWPfHoIH6j zPdXv)hvj zFZzaqI8(a~T1-X%T=M#~`7!msjn(|Of9U-JEpTz!hb-i&`D9f=0_Go@`@8?i0^oo4 zrMBGZ`Yrj{zzy45$~rv3wUiw&L?bwl*EA$IBODtH9Qp@R0cZS-Wtu9HqS*2s{1wj> z%n9xhmL&LD+I@aPw#LGk@?;h@P@T-dA#~#2tZ06d>4-99LPOCJjln+Wl9Jb17k z2RbDSqrF7J4A{SH9bvZK7aoITS+e8%8x9~>R3W~U9oei*vGCHd(09`Wn=*tXLs1mp zzPfU=gXD5WMiC-HIF{_Q6^ZJ0zOPpAX#RdkgeUg|803r(8AMstki)C&UV+>6XxH2t z+D(@Wq6fK%uTW=)mz_Dyknny|X#1di_Z5vr&d&TBEN!nT>R;96dMoc9Yu2|GA7yU_(IGviMJP)xrd}lOx2Wl5XNrgxxai03E-Z$9!-St)nY5<+C z`n#V(-++G1*a+gR#u~TUgb9d(VprcWtebOG@Ov>lgx-&Dhqj+d>RZYEynRTM$ylXW zO`oWoV3Ij5qMVfOUb{s8Cx^F2X)jxoM!Ot2yg`nFVt>Xdb;q>}EYW5r3m$xstW(5< z;sNtZZH#K+OAfwQIOj6=?@;Ns-lM->ciG(=yG86WNJ^ z^GrSNyy=Z`H}9TpFmf>PN;|RGhF~O4rca_>O z8!mp3Xaw<+3vXR*D$N=8yeJXU3waezdKuuH3#MzDsfmSoOP8$4BjcR{gv#e2L*7|k z#+PPUAK!dyezHcZr)RS!5=By{bFU}rZ~W4+(JW{)s6(%tpSvG&)ap1|sC>`%YJDUd zb+jn!Cv&xK*a8_Dx4gNpJJ)OdcA{fgxeKG~`uG+o))$>5Y%kdn?JeZo7o`ynV>Jfe z_Rr@xA8gN(BVug3AXRV-c5J2S`Eu}e_sho>A?{c^?Q1`x+_5M=L!L;j^vadX zhD(y+?i)mB2W(}mY23V;O6-b{!>-XGeK=b1Pq&@rTmH-8Hd0XSysih;LGgEl@}&3i zMUlWQoZYRt)^`KGM1F$rWB{(gbd=M$te+AQ>J z;L_PWP8@m#)6S+|*N(C^dq=yK$hp;EBKA>uvX+bFwd)<_VG*rGyMDXVpUJ-RTyyd& zj^B4=732!G;gS)S)W>jdl{8dyN1%9^gNd3dF>q+nWT-Zv2UfPlWWG$qW+Xl{CD07S z)6(Y?#ssgf6#I`_JiEkV(B>}?%`#rCq^ztyaJ{?JjHc9ejQ+;ZnDoawFwXY|&iie) z1b;vi8@qUej|Dfv(nFiR`PNGvr6+Xr@mdnAAun&rVg2Pp;2g%haQY$`w#k|QrXpNZ>UP%X@)+1trdvUK19CcsHH9@XBcDnnvWU%36LMY3 z#!{vl-85GesNX_7Opn zWfZdSB5Dcljuxcg&FSHkU*p!a@5INDiZ$i&y1-(_54*$r=q!#O3G0Aeq;_yX`-Zn+ zh2=6oiyjk!`9wv|7+&$697XRQ3awIk)}?sAPqD+%*fC%Bqr;<1G*me_d$)&&+N+y9 zLHo%*?gZ{<-X(hB!l+pboK^9WuKa&zL@vH5VUXi1`LF)!&`5wS!eU z!^2T!Itj~^C4(zJY?&hEPvr0|d5hgxPvbOxVj?4r?;RL)$>~2}(}=eqjrTlFBhc}} zcKpGkKela|{;Dtev7`n3Tb2r}KY|-XE8$>Z(!~1bB&ahIqlhaSR+Xn5FGkdp- zo0qX-RO$ltU(8Q`^A>w>@5L(q!sOdYi+e?6gz;^+%$2IaUf5o+7-L7|-qk()b9iBS z7|w$t4TX-S*x{?v;uoK3Jt19Ouq~+AVER9leRWus-?lCyB_XM_B3%N~4bmk@cb9-j zx1t-)A*7A+mSUU6t&Q2AcJ2~z8wU^2uUk--yp z4USP3>|%BTLxVhE+R>`!YDy_^qT1C!3Ujiqz-@%YIBlLJrDGx8;Jc+dTe^C=Fm}l+ z{+}3JEG`K1UaKf4q>dGSwJzU|vpZg=t3au|*T1O!owJ08GebiTe3)PKc4yr~$0gyQ zis8jYu+ZsmjPkObI~SX3f%#!9S1l#AOV=aTp&m#<0FK|ODtY6SM6 zaV1;VB3KenA0!F76(l@wi%n?*evMT5quFtu+}idg@h`To=gj7f-O1K*jQPam15o7t z@ZUSNYs1ffNvH|A%ie!o*Vgv+X?6e~!H7=9+Y;LNT#Uk}qs>d|wOkzBJ> zme9ueiDHz%D~BL9N?%>fuHsjw z9p5=<_*sq(tp#82+;1GPWm?*J&i+F!bj58vnj(5StGT)y1kjv9x!j}NYz*`yNeOlp zrBG|-1KD`0R+)rEC5cmdq*#Bfo1He$?Ml0mdOt{^xRS>1Wqj_uI1QhbqlwHtcPUY+ z>EG*VR-FZ?^&n=HVN@Bx@{A+qlMtsn^aYx&Ex=5pZl^Cm;G+>qa<5e-esLLixJB`- zx&$laOKk=zt5-42EUK~h3=eNj_aGAecwClx14aR9RIx8@K?{6pfpAsP@&n;baYZ^t zU4IkMl8j<;n^KN#`eXe35^r4!i#kAjD-WDcTs`^;IG}CqW}&@u)tgHq@&nde0SXA* zKo#1g^BU-^5zBW=^Y6P@2HkWqTlFlm*s5=9KI;4^44d9`b(|36o;5?k4=(By=m5behLs!{mTyHUp<(Ig3R-BZUGsO6BEh(c^bfif=9E@Xau?_ zr3_`-OfgH`ohKY!TN+FRC0f4rRk~CbY9>e$ZY6-SaYD1cXjftI z5UddOv46@~d}NNJx{`}c@+4_MAZoFC2s&GWeYWwesYT)t%dnyVJ4Pv!jTeTW=e{mt zVUK?#P0p}apCx)zC>Q!7ixRb^m)p^>-qT6hFt)Bx48BL2(<5Gn-s;F^eDu9=8(L5J zYcr9s$&-H||_i&u)JDrNiL9F0fUZz2=*|G?v++kivQge2z zetqywp{Wlu^?DrwppWg! z{ymxZ;hn$;vqMVdFQx=;Y(>gtdmkVhyQgN*;dc9_W4D|-j6E&#JNU8YtrDohU%R@t z=uvIl0M&{Gjk8*H=3r(5NjEz zoBgN*D0-EXZ`Nhj7cS{aL;9o_=&yv4Jj;{Vr4%DhHMLwkb-lAaVQQZhJ(I0Stavx& znRb!R`yIc>m}ztTO}B5H@&zgAF5mF!=WPszDV4C<$p%=+xME}7)Nw_8OLl??aV#*X_)lH3z7sa zGb8Aknu|cqucR0*it(bgi2VR$O+(FE72__a;cgSef5ndz}gY$HJ`|u$SC=7t?tCTYz)W2;xuBuf?UKi&0 zGCmAWP(3v_%?YdL&v7^AzS_y0wB=lZp?19XC!(2`Pdhq)D~G!c0_!kNUHccSTrMZ6 z4WokT@QL22;;xAPnljgqQd3FPTn2T#xd$>W5$kz+-7^@yc8ne7{S%8v#ic5LS^+;he!>F6p$JEY5a zz-m~_{qZdavpv)_CqSJ_U0m=C{Z$6tW&b_w`BCr$%Y4`#ix@>HwF}Bv#3DSNn6a*Y zF-YMn>ZTq9Ju(Zr`5v&KEElEeV3FV8NJJra`LtJhGQLVCbN2NYv@F3l)EzUpA{A8e zgf`ofxD*_3Ma7SM375z{Q=K9{=C6x2>yPq@WK9seLV{;L&6#d573T?QxDqr83p2@T zP-|fFSIIMclh|j_CC0y#b!Q*+h#w48qw$WfMh7Sb5?bbCA3-lp-=-iKQpR_|@w;xC ztJf~jyn&ml!%Kkut=mq2IrIfdy0*Yk(IS$*TmT|^2^)~65Qkr>KR6WT|F( zL>$z)nzj2-@AlOu_G;`dAM!eNH%E&=9d;9u`-?v>;~rld zX3bHZF6+3pF70**8rY7<2Ll3LGSmy*NYPbLb07T0gLeFvFO1xGURs@hCV7UT8KyR; z2z8x^ETw@usBX_6k3fp~$a~39rAe`Xc^sW17vv>u{tOd7TM`X3>}Qg)%!nQR*H6-i8YaWa#PCA^&8cYE$@_LvhDZ4{l-^>vaaZ^wAwEsEYSU(YCx4%4%? z#8ObsIuymBee+zJrO;u{Uub+rI;xd8lO@;jV5$xlS}p660J#x(a|fPrbCu?NnZicD zQsiY)9l=Ah#NA7b2qNawZeDF$q?Z+JyE)k#lzZlSN z%f`z7U~KVe2D|)BtNxTECSLP)>|m$c?VBs)qkE3F@#|Ok2Tju4uBDNV<)9>b7|f(9 zqVIkUncAT$dYrwOTiO4NP;~migBGDRXhZF-ygGC|Obi2f!q|0us$ekabNOp8{FhCm zWQNF;WVIL~S{2pWjbHX0czJ7}$U2-J={qoDJC__LEBexV;`!=x9dLK6>5>if|dOwugXkxv!1X9cfWIHeV@otuB!ix{b1L zn<=h11HFZPToNdf+-@yC7;KLj^|HsdNrP~T!NUmWjzC_i%9F*PbIUf*j6*|AZZ>)} zT^IfJH2cm=V)m-ZU*Ct(^liAcOO+i5`&psq^2I$JMtk~x(~f47IfC8Pt!-CTb~}x- zfbaXYh#%g>D>|EgFr=IqM(wwg{HarWuyq<(>nCGCX&S-tN%{q^Mv=s+=|Sc$2sS9Q z1s$)?8^((6O+gVukmq2P#bf=}ewM^Me}bLzm*Pz(#$p`nyXRK=f}FDVYgKj0v4sxm zmcsZWyUGSP9Hz{B>C|YKt806mojPpBcmmYbGH}jPdk4p!*4SNLW-j9ETaR>!Xk4HM zm}Aodzgw1kVmauJI`52A`{fhYg~EuE$LNgfV_ae`n|1D=9oO!;g;1IsM!I=Yw2*Nq zspvGiPe)|dDhTx~)zde7n}C_=`;&yb`tdIQhGXyfXff<1)4pDpeQ$4TZKNx_?5cJc zG2uA0E^LtNPFunMNH&L=Qe@!qs9?L#bBb+_#(5#uDyfEn;9`Bt#_1v|yH5x7L;^E= z)nbEMY;P8Ps@$u~8nwsv2pCj^YTIj3>f3@>zx9uoxh4jOACTYAF5U~ToaSi4`cLa; zZE{W`&C;H2;D%KkqpJeH9PV}2!f4}yl(HSo6$0N;q?ZSD6N zd$J*?&-U@+WW5j$+0O65f-gi(J7y6Y-rVhx$Haq7yU{Jr&{;OcV^uUiC_^!KFvs$Wp&7-H}a<_iD-F@PFb5mX$*6U3_v_{(}= zoNK?T2kML>*ObpdvnoV*O&j7yWE@0&i7$)!K+`SP&HijaIaM$p040e7Fnh@FV0~#$ zLJD=QuY&BnDh@esY_55Biz#S?(_(NaG8}Q(Ui?(gl))MKzcq|VteFAg8tPN ztTi~Il|SFP-Y+8<9!SPz6#*{fZ-?;hEMklVXMB**_DTF_k8(1(1-5(gtgl6WdOR^? zezk*d>h=VROcFvCyNp3J_K4v83?d0MAa(B47Q{c}&BH@u~Wm1+MQ-?mWYQnW>9(p{Y?|Ck& zCK;YmBYOiaCj2GOKTK6xj;qzb-%i`O3Cgj#8TNgipu4y&+LFtcW@Y3wE(khkTP~i1En?gwJO# zh){ns4d-ZYYq5g~G3LO7Sd&eZj(bz5H419m6RL+EY`)<_9_w=A{gEt~P8xUH9Z*!w zRi^A-{Umkw4_=gA-5t1L-Z1y+i^_k3TWKJ#Q(-?~61oKWt54mEKV)L0{n`c@W(J-> zhTHlmW`~ny*Bd&_km1H=$3?ga_TR8*muMiQn0kQjg7h(6_#DVZZzWuxNh|`7crQh| zREYIrwgS10T1u?h8f-u6>m|PDe?D;x3oylts3m4M+93ViB8ThG!5I4Op#Y}4j1d@I z9QtN#kIR$Hby z9SP$T;JevEKQyrJ)w=V_hcdc=1I_%*_FGOQ--X%P8)eVMe#X^{xe0WKh|NS5ldl`E zwrA4@`bVv9xA+4CGpWq#cy}?)@976e6lRU42`#k_`MwGHgHUfdst3pr^IX1s7IH8@ zl&#pnNTJh)ptjq-wXc#dUk!58cAmikq?lQ!+$xgK-;C9`>T!}@nOX1&#Fh!uJe{IB zYO52U!eCQ1?5M}JM(S03gzLgRn&U|I9pW#r(#oA)nWruoBVY>Qa~-j{#5Zh#+@oHr zzxgRQJsmnuiBl4qPS#kqCt8F=Q`UbaRG1Wf<_Z?8(EVT}GH?YgYVJrR!(it4&C)|9 z-?$U<`^gdf*17TtwSSJGGbc3*PChEIwdb&ka(2yMU=Q3jyMjYRo#bIgZf847&pB;DN_2UDVIFq5uk4)Fo#Y2>qC8G z`j0;jo^(JIo2sj46nvha7!?jPq8|qUn^A{;ER3}+=0E;@|Kpoy-w~Hh7;>~OgkMER z6|lkzc(t|i-EAmGY!|!Z1V&!ylMGri{?i*hR7T+i^>o~lU?l|mEV|ZgVEqSE+}A(> z5GN(j$yHD!{mrt>cGs|0qlK!2m}CiI^{uiS179^6PX~avA{KzF4MzgeZ{;bA9$Qob zFr>4b_%EB0|L8$Rc4WKAOsvw@iA7M6?_-SRtIP60>~a00az6N?`GiL>vm4oNy4vO%`+q>Q`v1JM zJS@037~lTsg8z?I^XJdfA=cL$6YI=B|1bakm2Z$J4QcUn{(PtW_d`hqiFa1=dX|~A zudfC|m05roZ$$Gz(Nw5c^_WyQgaO`Yh;9d}ssf-M2z-o&QbPmiCRWjw1`Pfus|+BI zHLg+C^#WS4)_RHJZDlOX|94NkAv+5bX4NAu%QhT7jY``Q&hpXlc{rfdec==?C@5gw z^-kt`p>kf(>&6YGcOa`+gSsc8KBx)w^_bW1 z5fM-Y4&grnU{)))0(yrBk>q@A%gPzbAT}!>Jp~jN7;D8J9KRAFv5k&bXL{48I~s4_(^&1gNB6p3^9x-0RQ0W^Qf8zycU;dJc8{>2zPxScaHYv zhotS3@M-`094fPr-Te@xZLdJ9kUN|r;F7Yf1;}5hAe;&p{@I)Yf?$R)0xknw4Zt!} z8AeFf<*kL9bFMk@ve&>sR|5ndAM@vrkukCwrWxPa6)F7F-u%BVvWI;b92tr{r>$N! ze}7G!EK<8aM7zB7hJi(KzY4J8S|+$k!1qd~FGWE8K_bU}5pW$_0~PIua%SwWh>#r~ zi%z_eB3&+PQm#EPH`qO~URrdSf}olMFhg5V=NS}4%x-Hzg#)#%*zK=a(+E3EQ2W2s z0Qen+MwS@MLJv3q+Ea;Aak%l1-w zKbLcZlP7BKo#C$RZ8c)V9zBvEo_*ek|NDVyWPD#2UD4L$>w&|DjTy6KyKL?;@`(=- zbpQTJ{Nvf?2k+=FGF`#Y#wp!$OHUrDuBPo#Ujm(C{86ao@wIurvm|8merUaub%m9q zn|Bv`?qe%gVh~7A&{#gxJnx=#suHiBP+0kwW%t1?vV*u zXUlPbS`x~%_xfEoINQNI+nc!z3*qZwCQ#FfHs^_ea(RFm>BanOA1-ccb-w|Tkz)&L zTAO%^pyxDRAevo4{9XO_{5Q5q3Y$Ws*&sFkl@i+fi$zoCMg~Q6!bgFc#DpOjSy{-p1-4L21u~IjNw$DD`Yw6e3yuS6x4}!?h>(IB{W=9>d7-A@ z=3n=L?Sb?!vp+na2pHga{2Z-z=N|>sf-DmLO=WPnKz-I>)(I(H@7*VD7%G7&=pAhe zk{lNH?za(nft_rKWWGnAgPSf6K48{5M}zs#{qxhA%c=s`?dcy1#9Y4+F5f8zyi<;n zZmriC@&JZVyo1@1B_G4OEGX3o+_{&@T-H$qy5+8c1T2-?AY9Tw*z2Fbnh!tL%pJN( z-Op_|${N1~XCAj*4Mbk%BfzJJ*AKtL5wk%m0)sn45l9)+A|;WT7wBK&4(XI0D#IAK zx3&#II<~-{#8iFPYfYqVsBPdBd_$nub}G7=s{$yD`QXx~3y~dqrX79;-=W?o2@CsH zsLjqULC~#=Sd;Gr@n5f(fLoU&X!vq6@Jz0M7XFFV?yoS1GGxS(4O@B&5)a~H{lPyC zYh)gv!Twl#dS37TkG6r49GT-Gu8Xq`m~MH)gsHf3i9Bu_9OLUGP+o%(r{2ly>a~JG zA_|7AXc6kW&7F5AUX^;`Z~kQlVjL)@<0=YK8f%+ z)&!$_&c6n-9gDE<_Aek#`!#TeaFt2zCQ|tI?#=1-`92N?$XO0cR%haTJkEjIwvdH# zk~NzI$?CH7U^zH|*nB<-!a>O8#a|7O<<&vFKIFaS0bG7JduZO*0FOGLZauPuwq9+Z ztLH502@DN_&mJp_IG(j|1z$V?Qcq)dFGG70Vy}bQy+BOpResSsCq#esh6RLIzUAYM z`NAQqHMQ8oSbxLgisj^7#h8Lk312r6Q=Rl5o|^YjRu)tux;?JWuB`En5Y2e z5^fM^mkg*LaMOhM;Y8nRdrv1Bf?YQBMG5%thAFdWrLL=LZcwAtDr>(K=0BqP`GN^C z*-tSzb8+NAM9`jP9bQ{TY+*WHR;^!t!+!HI#o(bI>^E9aUsUUk2)U0OV%?cU_)-l+ zNt4+xv@M()gVl}j0kH*W&lXg5dxhTVj!UONA}bcAN32Z~dj>>7sFzR;hN${B^m5I# zuZQ)RHV;B3tp6Cn78gaa1pq0Xj*FRF=6Q?p7K6u_ zE8DIM<-z`Qqv)Gt2-M*yLkT0%lRT$|knz_8N@xl6-w#jlh{lm{}aTQF$>M-%tB&jQV zdjb)aIf(xJVY*g{LDIdQ_J&4io^ED2*cY4u0+k2t))ZImm+`ml4WT|yK`Vsltf!9x z1hSwiw2ZvBDWGp8ymUXpjs%P2rUOiKryGo!b1^2GDuxh5j9PGCYY@P&Z$4_m>*D!| znbC+%!qIF?5XA-Fn`6|>j$>`sx-a4dCI}}{8+Hd*h>#AF#<+fps)oM<}jixpy=Ypp?+HQ1U7`qdy`O$34v#Zf5JHnf=Qk_PMG#7_-mWy!$ zhICkpjT$EP)jvSB*piR5{Zt;SQKiUm)+GGkhw@^ z!%m(bCe!+7%AeFJ>EHIl;y`Umr=_dLojVJ2qg@(@{v#*DFF`(BGJ9R#yf}8rJ9EgZ z{POSh>c9VC@%}rj{0J%2he1C=(gEy5EPw-qhY2G0e8=O*CB%jqZXkT4?h51!cd>4U*&;n76ON_ep5&Z_Ak#dne?& z@(x1qXqWqYtaK^bI_H5QrV4jep$8_~El^shafpWElk%TKf<#%t`%6fQO|r&&l!|wa zB(D)Jv(^^$-%qmNle4y>*moIbw{-`JVgEGpoI@Q5xN%)Dr}-fw4Ok6iw;KA7%YwZM z7CJ8Ht>9yq6`nH!5LJny#$?u z7Whg$9M3)lWAfgV4iQ(V${AB$(a0ZA+Ee-+&8@-s_+xT#U=0&TL1e9Ut@~!d$?r`& zEvH*;kBVX4CoSJpW*tYR2wGkXA%F64Jl_a&OMb%)Q?wBuFGBbM%|nvMQMW|&v~V6Y z?GGuYm1P?vwRa=T^U_%-7*cK{+$OiZyn&!_)%=QJ$d9jOb|Vav5?s9=7a(fHNx=K4J+N*L*rdmndL2BzYU+=}XbuR+_p0Zhys{oLIBXavvwN8DY1W96QL%fi4v}6Sjqaz

9D`I`>eLeu$5qYo`jw`l0t;5lz zfiR0Xftc?RXdRYBuKMX-63%Cd;XbKd&GD<+BWy3yp=oZ`??!lIB0P(eQq{e|-VxJZ zZMORD%R#=iHZPq1yCjk^?kRESJ@M^F;RhrsYEQujJj!3^Yi>O|F8?gjNWIrykn55@ z>A(W;H_SD~AndNFBE2~=;@2o$V#mwP6(B>Sw}DmWp#Hj9W4`u>G%ULeFUJ*eS6U{W z@ZKwj5RFu5CYNXeA<>RufLiSBCj+ticG z1#VS?LhV*WlG;wx%R?rqC?=_)M(Z~^%cg7{lV6C7?v$eS|4w`5Au&a>BzSxKisu+p zC2g6Ov*Fe0xnF*P9-b~wBqtCZ^|UwAycl)FmkC#-Z4cNgv~!rw+ygz{u71lcgn+I= zABO&vv!<&l9jCrk9&_COG_QRn1iNPV3{LuZOOLM}^&HyA3M|H|*L&S;%B{{CZ*r(U zc_^1wZ~fG8e5aMDe#|rmJ;B7FwU$?D=Sk>{IbJ?iI&hN9pieA}q7?Ez^kE}sFzKxZ z#*CqDv9Q!7=F3};Zm`~`-t>4zyBx*+*TJo@Q~6Q;ABE1}(V~CxLttfe0Po2#FVUA9 z_7s|Kz&z5lNz=WoxMMd0Ub*G&54YJIR)<0+H7C2ibh}idpHGhS7y6Y4xWDTv7;{i0 z@7J`sN?-0ht3$r4bMlp;q0T>!SG083H+9Jx8n=RqXG-F^>F;rDKCW>b)I_y#Mm@@n zXSUBHD-dhke3ez{`22;IYD5Y&=2r2d_X+$X3VO zvDma0C>N`%SVA9ga3#L~QlXvjSixRbWIGnL4VY=@RB5Oy8@bhZHH=rhe79|~5e#oR zPkyC#I(tU_>;`9V^N}%Suz<*w;)7Y>EI zjuy;Rwv`ksEJhT&1)lxO;P%<1dy<*f_qe-q9#{@0W&6QpG8ZtDE3CLG$6Gn-wXgD9 zpa3VuCGx7%(x=DXP8ZR#w}7^+kaf?x$DN}j`FsQ)v%Y4c7fWa~#81tTsu+jq?s*QI zJqih9x?Q{2#V_1kKLhPI86NZ3D>7+b(M?E+C!9Sg-D1?(FIm)delpx|8C=j;cL4$h zf?2XE-p^Ae(_%|b0O9OyNjBa9KH5YH>AHW6!+SfCid;$=*3`xe=>KW;J&>2tamXxI zhptBiavocCE?>2;k&?A4JDD}c6>amhkzEs~+?=I&`060&>BWQdNnPHD4CxV|8$>pY6bkN}hf%$uGTi#3z2TqS&`VH)X64k#bzvixUWpE%w1 zzWS=jKuJr7y)G*eZih*BZk1`SC7uou-kCs4e`l|Oz3<=NmT0VEbgF4S(i0l(IAN>Y zQ_hPrP+oZ;RrK4j=_a#H6M2?^N8*^#iXKxRlwm4=UWPTIj7FBL=U?FNe3l|#@T$9{ zP8O$VVM_-UPYQ7yow8RGwtJZ{ketpfRv7lpiJiD6Wpqqq5qQrCsdWmz7VT@?hPtiV z!l5YsKo?WeN9aPX2!lLRY0l$ud|wC=K&VVg?YODusU+@GwD6d9%!2deXQnh;(v6@Z z9Gln(QNmG1_jKus*C4*5D+-HyWrq_32I~x^Z%cKx$W`8UH9JlE;&SUe$KE&#ms704 zq-LP{_<|{{8(+4Rt0sbCK0F>@R-3@G^yLAV@n=^^nwX3oFrHUO<(=Y0d;gyC_jiMK zL^i*y-)3IV?dyGXrcDE@#Siw^Hq0V_%va9oY$&!xEyKB3!KDzUcrAn5bmMEkP06?S zUO1Xm>#H%8b7?}q)P zr(>-RHddAi*xmbfReP_RXca#_JG#x@n?h>zCy{a_pi)1`NLg^EM98>^-8l6r zdq03Qt>{g(R_5A!<)J2gaqGz@2NTMdd3TPkJ4fgJVjvb7DP~=IZ-A<5j8MC=4_TDB z={7oF0~j&SfOA9Ok6O;x;sW@2x*Po~l=N3azH|H@i&lw^GJ$z-%j<`-uBEj(9{q>i z&9k&6&5l=*8=z^?^46Bl&MeFWd;ABhl+t&3IG7Q~qDF)FLD5sLE4j!G<{3%Z`%k*o zKK8KfVVeT>w<3_+9H72kn!1X{V8S+%1G-d(dG0Wy3q+ zh|-6|?K9bU{3`}7eLR6VPU%}fYeX3FsR>Giw2CmLUY*@Rq1h31TSHmv!JZOw+z3=n z>Uog~`BnuEGmV(6ZWhr>ZX`#|@&)oS^hv^(RK<;A02g2$hB0~bX}LkqZT)e!-VN>+ z>!DpLV;TW|^3^ahpqZPr?x4xMg34?sf~_qjVu#}GGD3#t24H(30LwapmdInkzvnYB z&qtB*+ZB*CcBMt#ZhQ=Szr%X-lp{cX;-)o!Ks@RRPQy?avN?9Utp8(QKyTxwBPX5D zkiS90UnW$NX}Q zXp5$-AZAJs;UM52MUDfh0Q3M4c>d`95!N+yjL5do8=TAa3A=*ir-GHzVo;UN@FW6)mLu&?1dsl zn=pW|TWlfG6%;hLwhw_*59+AD69qq1 z&5G*59#g5v&e(Fh$q@QJSu9j(qU=!5vi40P0HBLRuE4udm?TbJ@3r3j3ve< zqm%)F7eyXoN9Ed;XO;D@j}#_+LgO7n8)rq{HU?E?Dfr~CAvnXk4{zIrs3{ED(Ov4z z?wB`r93AV-BOHyVJzte+$UZF_?eb)A@%ap@mR0Sp6PptJvL`bDUo;%@3y&R%v`y(; znP~&`Y4`<0TB7C$<7VT+nHPe`sSlc;1Hc&}!UCPvNN;)Q91Zm(ipic>188~rF7f}UYJ zm=Qcy5;eMb-WYgjyvN5f^%g+|JruF{j-3nItNy+#r7vE1y$U^ealCk+YV$zG%Ye@3 z{vYBUzfeYtbYmR26I0f0Xb2zMJwA8ao^DXMwDu7ngSkLK#g*rpT0%%D-N&Spq|MCh zpE4sE3ZP*UYSLL!CuczK29Ee<(%!B(c`$0Xoop0BtKXGjq(@GU-fedk*IKus(BU2H z$%jk<{sX(rHE}OW`7in3!)B{-GXzP&|>3g3q-%Jd&PzlL7T-n(rEMBTL_aRo(lQlzsg;^uV{|_&XX;y?}*1D z%hbCwq+b?P+>iZ&;)^t6Kv(S3v5me(xL4PvlUmqmee-1J@!Nsy4=yl!*YuXPEqw6Q z*wp39nrT|xxfFTzKt)XChsl%AT%s^z`H%`wnf`JH0knb@CpjLTub6LnvGob)^RlMj zzZCl7n@d@2;lv(!szJW3X{yvmUw!GDx~neKYf+eXP#@K}IQ(i|L2aj~=VE;YTb|c+ zb*R5U%g4F#BW8zE^{BdFkV^05D$%$0{!urxvzUz3@M6x%JEaQbVR~LiPj*QeEcO4= z=1-KU3u)>+b-KL4JZaiCv?``TGUjq)vwm}UaoyF|79HI|Im~t)T#a#7;O@Z-Qs&bV*sP{teCC0tJ_ggS0=NR^i#C$$;td8|t_y+8Pd`}cdp31T zmn!qFzwLmTi7#70ie*f_^;dE5YFHWVN7kIQY5sY~%j^MlhkJyV;M#4CSfwEYmag?L zwS7F>CXve@a{EqK0BXfpbOt|bz4~)+lBO(^V#ai_`hn;2lTG;5OY>QNGdtkW_0;S^ z5g+@`OBB({@|PXgX4DPje|`$Aw$Ij7o+dZlZkd=IyDl}&|1Nc};ohAB;U$dAv;(pE zdZEzOSQqrh9$MP2L-HmusLE(XJdV!e(}RoRhKw9K8#y2R+3h8ce2n+?zIc$T_`bh$ zE_K+FDW*HROl$yXK9VM;%XkAGjwemWLe3#2*;jZR*Hdo1`w(AElNE0}q*$v=LtJI*YEc}?wErVQ_ zFfYW7S~p!wUH?uAcoq#moSl3dsZNlnQ;GB|qH9{CMjGF#0E$)rX+A&Q+HVWw__o0L zvWjnw`q-1e{%O}jV#{yly(D^}9GK8(_9b76RTHFPsaMQpB<)AN961zklkRR7iDIN4 zzdK5I#DMKWM+p9tjvMZ%gvo+q} ztP$((>9U0v;XSF_I`mR_^LYk>h(Vzj^y8URKhcI@WamA*w*fpE&Pf@mH;LSjdD9gy z&p>*x+()_OfOKOoD-SCjDC8v^>R)`Eha{!PT}7#j?G9_FIuXc zYlv%)8nfc&ExLk#tq=fbEdg3T06E2tl1V|e&Rr8*_(ZBu;<=c8^Q}o~`%+4N>uJ03 z$lHhM>^cln@HzWWRi|&~Wm1xz6-?(oO=vkqUt%=IqeI)KgxLh!p7vFU53}xwq(lvFtBA z@5P1N!4WiuuTb=uf6jvI_jA=O8-pE)VP{TgNy zDAcmAuUiDun|yslHqp9b6os=p#Np7AH%`P)8hkC~s!|KTGpzh%-S-_ZdTSVp&XpL* zb<2Q7T7Q#LQ`Q~~JvfD4N9oC;U~?Z>&3jerE7CWwKd!pdp;s6nCnx)KkK1pC1GRssWOlJY*PD%N>_otH*G7v!fYz*o67z16{v%T>gBSn_>bXUAHy&o=U z{-N_u)`Qv0&}g}uY+z{6e+{zBRWHZGra(+cdRC4=)W-W#>XxE4o-RrIJUCldQ8&s|j2kWzBnM7cIe8%D-~ zG2j5G(Roa=!di?XVhWTabD|V7FboR3o$=EI-P)L5IVI0zfdLgiC95poH8$F9NNE7V zN7Zm;1#C?0Z*<=I1;icQ?75XU5AY~ETv1xLn(f{`1#t&B7A51l@AuP>+mk8#G{*Eo zFjxcSN%pgw?whh21nS^I_n5v1@_SvXt|1SUa@TVWEPES(O8~n>6ic`Sfy{`bQ4nE9 zEW~Gn*OBiD)J*@~iViyf>wj3$y`T95D>{jPSkaMGwB2_H_}iK6W}6MRYFk#B$kJ~_ zh#TpM__SosH!%SK@DT;qBFklSSDb zV^TABTi>4d6WyDKqhwxMC)PKRFw4t+_vw`Dn?og##_oBSE=dn#OUeI2-8R}4YHL8G zrkqME{7zcZlfQ6BVu*k2Ldx6odK*WF_}JW^h_Rj_x!?RF>tu*}^20%6${l z+VdAORAV_dXN~tD<#Bx%S8(NBCq|r>DSfz%xZrTl1K#k_XllOL-*xxjxX9`~TJWY? zJ&@5m&oTN#AahOnokbMeIH>{IQQcRFlOF93G1V{tFXRWK8DAY_lATBo`yse-=<2hj zn|Jj*y@pIWnezyTuAnO8J5d;Zl)l;0-7Hb_PsS15QcR{MDT~cup`Xf5?Gauf5j~vYjh#qIe7JXY+T8SKavlD&!zTX{n z;=NkJe;zQGzq-Qdy}uIBLbm^3CUs6aP#?^5M=OxpAl1NbR0yI4;;EbM=-+m3U|Q1N z(WY_64!$mx9nR%mw;yMo<~ki1UA#R-$a8&GPs!XQ>z=k8ja1?c%y>x-oOgTEw} zKcEUriL;2s<)=cJGCZapG$-k=i&!SK&%)@2Ze?ED{yvJJ`Yo@8=-%3n-hl&zieBqR z#NouKkXCRkL8aYT75Ayoq4|c?XHsL6ln6%s#%3nD@Ra$*ehwLzvXm z%J4gzvmVZjEC?~RbCH_%WapB2*_6aB_z+V3EWfrTD^+tZ_5M%6S_Ea`t+zuP=C{Ew zPj7zI?B}&^KaYF|O=dM*X2aV942nqR{UAjkN@4pI8i_lrV;S!1{@T1j*WF%F`Sb@> zR}IbGE$3S*-VM=OP5B9bCR%ytjn9~ziFINABNnIw$z5NedL-9h#>1y8Il4})x|n@0 zZ0g{K+XG1=;{*rph1_{R1ngWE-n||lmt|_sgiT;jWRe&2vMdUyM^|aER*8P5tDLBl zCExdNoXO|LNbrr5@!|aWtlnxv+&-MUirs3a&yQ%G{{;pHkPhl4xCxAB_mRzc!0wI{ za%*6LY+t4lU@NrVeo+GQ%i}hO) zD1uVCK6AmuoSHCY_XZ7WkCI*qu~Ta{)?tK0Z#XB!5ARX?Cd$-|kNAS034bd7s>b$E zDieh>QZAX)`kQSnN8zY>D!hy;vyb1vz7VNd*L)~T-WCRY?y0}Ga-E$FlwFExlX^V- z87NX=K(3EQVc6Q8eC#xBzEEe(w*5=~T!t$BzJX-p`b_BzUlx~FN?0|$;;m&Bq_>4r zAOP0V$UUnpTbfj8=6S_XGp(av^Q-nBM5+IcD*xBx;ff}P8`ll6qlGHl-CP6T$1!p6 zpTU^Fk9GOp-<;}9fH4V9b$kEpRF}!->g2abT}{1XJNNy zWn!h={fV(9Er4e2vJsy7$)LMPr>vFJjJ?8`jmBI+St~r|VcGKIF43s>c|~omrYMl< zqlcP%Qys5i0h|Q6%XdX@@jXe=B(_UMnALQ%Xi5maY`%sxc#4PLlF;aTS^xp>NAlZ* z=3zt$gYQ^lENa18jW*PIEZFed>A||S8)3*&$suyW-jyW+u3EedHAMJHd}DQ#_HJ5W zW)JAM?q*&9fUXD>?5{)Y+YmC?ZyL1$tSe&6&l+do#9XKl=4$m@UbQNSav51(>WB~IOCd?_PW|J?mYhzQt(7H1wZF<1*DVt9ILgrz_4BrA8o#U;H zER|Wf6o(X3K(L#uCwsZ4uWuBto4@fFMYImfD)bL8GV>epK8OX(Wu#0%YaXf=Dn{h2vk|3+8^`qjtk zcyz1ar^;PEy7t$F|GJY3MB6)#WL{u5m>*>BDIf=zU5frS!J&v`$=E`z+*)ykD+0{t zy5Z7`e4C3}FZ)+P>_ux$=Yh}&H0p)QA_p3%=xkCvoMX%g&9~s(b3*1tf{6i?Yt^F| z@+Eu(8_b%~e?TaMhEBsAY=hi3|I33ex!u2B(FXivdNH$1b*{8^KW=9ovT43?|2;y8 zRmXN3^p^)+dQnw6gh%5VoWkax5a$IxSe#jH`0ky>vD+1J*K8KX%UDiy%cjnN%4h^Z zX`XmbA+)aozP2up?l%CLa;yMSK^<5O!%-q$!}Y3B`c{IWo)jZM(P@|uRHg6Zm8Q?_ z6!KF8dmD+oHzr4X{?v>P91;@+|87T@6w9>_9#UBxXm5uad_1^xhvtEGskdp4V?(ym zn%``R$2OLi=<-q8vYbqT3W&-ov%4$`!7RySOJ1uhKlO~8fEkr!*8oJ0)IB2V5qYP| z7j9XriBAM;-Zi=^?74M&@FmPg8IPVlZ#k7FHY9Sat_B6|4T`mbn5@cvmwPB4{KQ>( zevB_GDMuSfE_?0|>9N%C(ll37GI(bhu=Kd83OKT4;o4j_1|B>+z7^8g`oa|`BurV~ zi{1t!Q6yw5r3z|N0%G#sPEY{7^F--G1MmhNiW(L?E&n|`=I_sbp)GwhaR*SpR%TpDcqxH`I2JD@tCNM3&3bMZIO}Ay_?FLK33viT5GdFQQm3l8SCx^9O$K&}aX>{|jCd0I=q4xGOV@hd zgT#*W(?eYTf&KL{6+@VtS(Vv30mB8ZWy`a+A>iqQNVgs;6@$4`HuPw7N0<~B?a}U4 z?>##!HnVqeWoq9hx1X#id-4Gl>!ywk{TsS~2S&Gm6{xrhBZGR6DaH=Viz>@Ig<3Bv z#>hu7>DlA|tT3bEL8g1Tf-JcQG^f1BbyYo&kV_2F+g4`9HX#DCy!4wJpnd1jt1tl2U6mk&#=0@Pbuq>K2Hv#|-g9WTEu3R`TU|DD z#K1(Iu4!Efoj|nnP&W=O6-s`>MpwljAWX@Jc6UWYW%OEVfVnJ`o|f*)HakwFORb&t z2ARPK5dnhCH0sv+%MQ4h1%T&h`Q5ozgvIeY*%@5m-gebT;nT_dp3z2;O$L4OQCCsA zbLz5oKxQ+5UTX}+Dn+Ti7zX^L9=Rt9Tc;4mGYss9yEpxQB1}RdbZ95W^7t5{?F)fx ziEeVQ+YP4E? zVn~y2Y+p<)S@L6dE^C&&RA^!9;$0k%fmO)4M!0ooCg0fPKvd{&Q}L{(FG41iH%fT7 zv*|F!4C6z^=i+*!~6dG=_1aHEbZbN zt%|ghzJm}|gQn2Y;`SojESqE^2kLk}Z*M1-8{VJ^5UjM^CR9>lW#kb$4L#s*B2YQa zPih2150U=Mb?%jm$auaRFcXt95R~CsL@@Yj#r4^hAfFc3=Rxn^+AaSd(%v#4t9ISm zRum+a5NRYt5Q&?V5>Xlnkw!WtM7lu%NlB#zl$36eZUIT@l$LHpr1U$dtM=M^ueDw8 z_m9VV@OIAYI%AAun5$jYx+qtniXHl8TLx)FOjFz8_?^VR;SjvlcO6~DYF{=CXG}R{N1zy1pg0sH@WF5k#Dc-9sgfJt~ED%w|++kUq<2jl@$^qR%W4F4i2w z6cnQ>=7}6dX1It%(ecIibErT864m#khluw4>*Vr>OY_h8jMHw6YD`}aF46C$NWqkr zB*{f@+AM-CmWCbeIF{Y{2>>;BSs8_b>2&II<)tmljCa%E^x!H%Lx}EJVoz4UT9dh_ zE^@aES8Q1jgj@;fJ67R2KKaU#K<*zF=w0W+ZJ3=gL?lP4GkO80mo2Vy2`GS*o_O&E z1|E5=N|0*;3{I?Gc{%9tn%?INk@i1ZnZ(Nc?lSpJc=~MZFvNz%xEaSB31b+awJ|Lm zgj_pP!lvTPCZDodSfnY|wO&O+R*f9T(v1g=Pp+tCrkz@aFH9;fmq`pM*wqpYvGx98 z4HGV+g|^nps{WXt6kEo}fK)^rE7(e}#z+Q66WvA&9N&I{5HQ&|38DuY_+xfR9Qk4{ z@}9%M#T?9w#9g0c!W%X=dQ&li=EI{T5k{T2*pp~slJ3Y7V!9wdtcW)PYG&yrKO|Xj z72e91*{WBTWcr-UCVjU^{Wzj%K-o}S6-c$z%_KJ3sI|#wslsG{CLy#Ob_2pe?iftR zpzQI8%qVfrZDt-*8NTOs_oj8uFGdvCD#EAVlsfNr3&cs@BS!&@r-a`uqV-)s2Q8Jm z?ZagzmaV&dnjfhccc@Om$ayhulVt_-09J36I3}N1KPDum-xo^6KP%*eh=$YgEGWB@ zk?lg1?qjrS<4&9N@@ygGJj}`tbNkxWN&fuY&FWebu7LlqAkcob>CSL)+w98M>@C=P zD_LLTFb0Pe*X!Y(WPfV&^oRi4#po(UVapzgG#>tgzpaW>(yHo<6@Ma&!C27=ND{x_7K@l%q_!t zp!N;3!yaF}iz!q4*4m?InkMCQV4@H##oU*kdC%YZ2KlSDIUP{d8Ik?`!B`}^ z3_6Py##)8-R)pha%JbddYZt~ZHB_MU_4wP$JY_S=D$%Zo-|I^*d-Xc!`^`*QF$pBkI*$%U87lHU6spD%2wFPIr|1x_ z$Ku@-LV(0PgeP~#VAIhmi7N~Uk+WnwqHRz^8zmKo&Wf3mN6lSx9QWrkjhqp}B`7-Q zs1+e^R>8h&<9Op^0@VSz2HP_Ffv_WsL!iqRd<>t7vPaptBO@>$MaGJM8s_=s^3bMVhjb2p}C%Ay9HV9l8W9{Mw;Nm=wB%-ZRljzluDzHFxH2VJH=5h^M_|x`4|! zG4DiF*%y%2=8!PBMZxwZD%?L)mXi*A8dId>`>=x3(1w`nJs0UVFyI5>@@-L~b+(mG5b!0}{XDYhJ%fv(fui(;5t7ga z;>zl4xYV{hbT9h2a0T?=;k5<4^*oYpq`}>YSETyAKqn*Tev62;43QLs%lPySgLcirP| zB(B+scK|vH)5qsE`^>XxikocV(u0> z<90%OqPO-&#V&pn2F84y5In$Bq%N?py-DVEUa$_4{CW1}z9lupPsUbcc1H|ZOPM|v z*^fTtzs=LT_BTXbD$d^!buWyJsw@`6wEhDD21=aY*|N^Pdm+ zciIq!-r)3pv;Gv!u(uhxxvuVA4{p(~30tDHi>SG(NbQh%e(NmUh+$C1n`DdvP2+N_ z2jAIuPt|*yv&OWJlTiteQN2~?dxI^M(7FWkw|dggxjYuNa>iFJ@85-SY9rRwt&EHr zDhDWmcuQ&wa|H|88pvBna&JSx!BXw7A1)tHWMQMebbc$%T6Pb8%Vx&AU8};R%ST<3 zF6FIzQsGa(=EHHOk3T%l^?4V9l5EBKS)1Us)(ze#7K}0K%1yaHe@Yj_iFccU-_0p8Nbo8joFJ zr240fJFvsQ!+ZRa*;UO@U4QB1JzjQpDVNw|-TlxB{x$C74M%?s81>zK&zNCwa={zXKTlqKKCDhbMBEbLViz_bWtkZNpsMl z5RHG&)n@kXcIu?fyO5i?o|Vo&T*hZcl4)aox4snkCKCx-wqJ+n?X`gHZJr%T(2|JJm+v4Tp`dzs&Dm@aHH^n@Au|a$*&;q7m#t7p=_;Y@>t}5GD!BnBJM&8{@)OH zq7(lI;;z)tRzj`(T;%>*+}q0U+JXjr`>_Jep+)(v0z#pBc%&JOEV_bETNSm_6OHY3 zi1cn3TF*8;08a{QXJtKnwiJXf%4roI`=@^9E$b^|NwO2ja%;8ZTXCQUB^RM4WhuQ< zROn|@UJI)E+xMU}nBJj^mVqhMthV5~oBfw(COYLir{fj{Wfc~T%eg_75ouA!+tlNVr*Q(0c)z0dk`(wsF%~iCu)nBA+ z*?KY4ASxHvSKF%a)-EpUEUd)wD6bk-84C`;SD}tDKzu!!bW@c`DAbb|i3j;#cr32) zJeObC*E8+@D;=*`uj}yeb@MAbR0>#L#K zu>>D!b??3{%(?COSV0v32{7kL=stTTrj=|IULBUW>@?U&dH`ZAm(xKEb$#=M!!i3# znE-W@O)a+GrB`gj35oaLs+V(O3LPz{dW9x|S=y_{wj)#NeP}!c(UIJ}X;oip7}wv^ zYV-2FDiZrb9?7XZ2~$+xb_#vL$xb%<-9~A~#A_v@1L`9*@4xuS_`qJ0M9TmgxTw&J z$yN3%gf1UZDB$MZtmVpv`_#%vW8@Qvi4{U9`THF@I(>dZ*h}Wwa~Lg-DOtMpbt6}6 z-K<$erAR5X;3iE0wM~8*=)|J)fr!*A(geXEdP&?d16~NxyTN)mw+jMhx+Ic zddw`451A-!g+#O|X>sJKTM95uUr2z49tNXgY<%;CG%Cf&S@ zjbkQYx zrrQ>uiB3`2fcniwkjeA`qPfJX%esrB&H2rv78}p#1M>v_htUycZ=H%ja0e~HFY*(G zt~~2p3PDFpRY~+*joCtf4n{TPWzm{oPpdh>V=}jVX}$ylR^_+uyMg0?$4v>!f=!89 zErhHfXt$yc-!EaFv@X5Jhn1d-b{?_!`%EXV{$Op|_oV0d+rMdE*U?HN`#$dNx5h=`vnNr!WU+kh8nBr2t_{m-!%4W6> zALYJ0ykRFTb%T5|4Yx9qj)9IL4a-4ECi$${wLVtqWQz`#$eoiB3;3ShM>O5|juT3H zza7?0g|#i&eAjf#JJ39?JkYUtGPSiYY`+{{_EPvK7jg$eL|;C&p`B zN}kh}v7&xx0>Lh7vexZG?5(Fs>L08UN2{F*(tkk-PaI$so=Yj@{Mq(OBU}0ppS#$& zFY!;$)DPvTeb{~Vgpp*enHCL$xuSsLmQ^Y4v0j@09n#3=%u35`tRHkeNj!k{ibZgxe>~A5TXM zX$6MYCo2c~!;Y~f-x=*Q4%{lJ((fMAIf_$28xzxmsyBL%VmRzkxn)s`wH}_`l*?c_D>B z-}}#2F8^8}QS2i!yS|L^7nemAEkb+YaM?AIa{*XWX{qiUECenih)CUt7ri`B#+8GC zRW*B*EA>yRaeX3Z&|sXU8`Zj>m>c+}F02)KZ;!eAL z|36}_1%#dX_2IU#4htyN!@r)_ld_)y;IzdETanQxLJs#I)_HA+i{vqwOQM%z)N7oJ zrdQH>qS&+rvi>{%PoHQMqEUaq6y*2!=^)^HzSy?`%+|5}OQ-OV+S`AMe$(ywFaIt6 z>#E@Q*9(`unj)mcE;Bu#c`wl2gUC3alX$_L%Pp~Z7t%WEu!)%$9{om^{h^TIU;Q#p zQJ}!Z&Gx7Q#)ebmOrHjrt}d%}BA)V5*avGlcwdpQC;R8e&4|b=i1=oZa=ub$hzI{2+v0y?roa{D=D1fBC_SSP`~!g|anVGL3=w9Ze@R zK~va%^WNIRc0-;Dloz-P1A#=Tu@8wHH)NuiqYBwn|Nj&Cq}aXCBtt0!FSDqlYV(SD z{&YV3zqq>pnem6hT*wMwYc1oD{-^ioPfwozc|e7Wp2wD;i=bR(`v>mjfBvff=tsiU zur9MacqgJ$%d123$Ir%rF50Pd^0kVtl29pzm0z7N3@pI`wH z1aQ`&jYx=*MHFSw3{#fJrP@8Srw z*yY|Qez04j<2oSx&N%u9$@hF?<;@^k6d$lzfz_`w2OtzXb{~-Tl8SJ~$9`3ZZ)4^c z!Dyx3d-ZzH+Wijz991kcS5d5WbvXN;I|v{2+l0RWGR49u%;*0Wqz5UsUprFZ57r1{ zgyLY|nrpBTz=i{^)bLxa_TOn$+RlOQ`wB?pandCLh(!29(0ThElV)k=evP4(g2eWe zUPvgI=BGVNrl^8BU`#@kE)yjq!LtT$@ipYLkVeBT5?ETt*MCU-$IpdG672)NUM(zk zK-T{4lig)HD<(@07(8`g{W|&rJDbq@J1#T4aRfLdY?nbNOaz%rRbU;xqm|Qi<`km& zt^jU`KqXt*hBehh7~x#~8mtiug%n9P9ni3eW&3F^0e^`YbREPnElUz*cSc-&DS*XF zu^cN7-HYpK|5`V(4szpbu$ZOiwVHfvs&P>Ql-ruzi7P%32^R=N5{5xMElK#_pBvEz z0`b0QEwCN(9iY&=4r5ws#cIbVBYU24kkxaA=(;RELJdUj6iRUjh^B!|PBvhYFk_Qk z{JsJlzY^2lE8s^VcBZa9zx5DCG)U0Q%C|Z6z(aThH13`;{0bw%^R4hGV~zxu)eAJZi7vM83q(iJZ_2m|2`!XdQ~DdakYPOJDkUDJ5F zfCW41f&fPIYEPn|q?;?;*g+r^mKYGCIg8H(j>WD3w!l}+57VSlRQ6PA!5^&AI{RI` z8M7J=c*j@u{8D;=pPd5?Z3%Acm#TW;S~i5T71SMNSHSiYt@ge3bFT=2pBT8LG~fhc zmx*MW9Y()-iGTwC@S27Od}hVWud;uE+Bgt8)kncs?@TEn5Cb+uy-!x%1Jp)tkQzX`~u1E}3!Rwdf zm{YgJ-hGPZ=TJKib+|$4*TcU=*#`kMy6BO*U=LVd+JGwscK|#yq zYm}D@l!I*u&YW(T`~(S>>#tG8xX8Zj#w%vmFVHF`@%uBxzVX-3aHY-q2Nj?(iH9yK zmP{sSeIwsVw{_?V-D1`Nr1Rg7g8%c2SM&`5Y@c=vpZwzv#tb<_#{%hWiY)4dG~9`v zK|QeWv;k)o7T+L^K`R^`=Hf0~^yW0hoyIZRi)1#lKwBmHOdMu8U8fB?ICjk_kolOc z*k9N2JT$(^>^E+b^)S5!Tm$U!+-7w6zJ{>ri#I%jt3Od{Mjy?t%Z5$TGg&O4c3cMt zFdM*f1tD9gk4dlFoS$VYXAx#@0YV{6!wNjIDew-4+B#2xGK3atKqLOwb)crxj6*i2 zTQ)53ImFn!Mbns_!xRyzkpUdCXo~L!oi2y&9!x*0zrrt@x8)e@v{P+rZkfzavyog5{M{&K(ZqBLKS=$RudAjuMGYtMTO^iY(vQtG<57A zQM3Owq|u8T|9NU)%o#Bxa2HFqpp%Y4 zPRX$11x3cWK%ukf0aIt19Umc@mOj9(3dRjjLo@mk&KiMnB*Z`rbOtGh9!KAbDrDaZ z-;O^(NLN8AUhPV8;aZ!5l-e~3TH8V|YJEJJw|b$cXkq;@NvKKm*%W&!4mr9?s-3p1 z#A#MRfXjX90!W?k0|sXp0`4KJ&y8;Y(YF$JVS)3EyB?4S(XV4%!$2=#=5?a}o4_aN z`x6L`MT&{v&$hsR}>+eR| zZU2Mf4F8IkcObcx-_Y6B|5`L`U;hjktRkTH?f^;Cg#_Dr5t?#*cvOf3($GYmZ!wZ& zHjd*zxd=(W$@^ffb68-A*C(HAeq68D=pC4SKYI#rfm!1D&x^rCV1xJ60f_E$#%-G#=+3j_+vh_7#P!Qicrj|R-!H`4ZBK0Xh( z=J4*|3yKMZqk7N5_U<8Ev^q6_G&EOP8_lcJ#_Ti6fF1@e&|7^#f>dK9iDXqwc|po= zn^v*#>i&B6Fnhw`_pRxIhv+ju|HcCN%JJKW1Wqr-e67mQ z-wf4yKvSrG3cYI;A1HzD4d97?zU1=(zg0hQ~C10~FJGI)G7tTXwW|iz~ z+msCRFRnOFQzgn7VpKG$6V8hQzY~45Qk+Q2Fotvd@)XSBRRfWBr8*1L2a1=Om6@`H zH>PR@&1XVPYn8JeO0RU@k1Dd*g9h|5*%yO#xsN6OrtWZhAVZR2guw?*twspP5V(JL zVlQyy>$5bdy8{>!Tj)5>HVAbbll={#VAnTmVLEm39tG;Bg2Y@%g?A=9f+HKgMybsP z3`$n^h!$wV84*xv-YOi}x$vZ*5(6OLnq_wAEnEg|eLP|gjhgs-PE`ys$5tgxHG5z@ z#uU3Q{gKb&!|R*%h#N39=hx4JdMcN8k;|Fjj_S491pg{Nm7t^jg5jy2KmpA?oZ%I# zU7%MB78C5OAW+Q(`f~)j-q@|%kliCl$3N?VprXCAKPi2ESk%+0^!#2;EFc2ZEmr9z zLj#b^=A%U%MUM{USu!trisAF5>=whhaZ1ypH_p9A`xs!q5A@VP3ag67Bd2Usd^?Vv zBPnI3&wp@-c;id;*xr%Cp*Ge-NPD0{(Jq3>SU_7md(5D(H=3zPZv#M*3!LPWC8lAI zA@$<94koT};rw^dJKR8u8t_xTTe-7QI>3_3Olo7`zvqnZw}>bJe}FCv-H{s53$F0A z5+i|hYdxLj8kCZB1i)Eck*dG{^A|WeSrz2ovD&Gb?bo>C{zL`55p>EoZos}krJ~0)1u)_r5aVO6 z2gl19?CBI61v)5nn-)U_i&m}Nj9=osGnb^@R^qo-Vhnb81BfD?gDHDi$@yTD2N~Mc zj>A2Lz}SPAAULUw3(*&7ETzT?U(nyDl0&X}17K%pTA)yB=okW?y|NSKPsHIzhM4o) zP}|7r^jobj5su?o|Cw6X^`f@(jj$dz?#C3d=T2ImiXCjb#cWt$yY-askJp1U`Z8h_d}Tcu&td4t2bO~tI0HV$ zav0`1HLzLyGDs+0Y6L0i#8`ek%H$*YS&XR+WR*1s&-Sg7c^O37Fw=XPZ?o0#TgZ|1 zjF%lw>*qo$)9#-iWenXvy5h>;C}+{Fn-rE^9dTzv1WSq_MoP24u1U7F0M^yARUp$3 z_dB8)a<)FY)hLu?B^d+v9w|f^#|>+e?1hlYwS?Fd|AnrnRA{mV#+$grqS6&vUk+@; zlsC?KAGSljE-rgJjh^H;91Y7AUTHoE{f*ZHU&>-u#lR0<6nd49K-G*Z$|N3*k=$K@ z)>fAD)vD?BUJ&{c}A8j_cfjWIfvul-=$`>G>I(zZ2f%9{a{54sA-6O)*sHp z39;C*9+B0Z7FB78Ok-1vYS3#PF5;vwJs4S$qQQ%>$)GheS4J$(Op~h{W8XAh7e-doEnuJ-EnKkI|GBS( z>R2q+!(YCjuH`j*D#qxSz0)ss9@WFtn`gzy-_mC|gbB6CH}LAqH{^3a(J=+)0ESKAzX zZ`fXNk`(0JRgab9vyVH#SPL~0mq5LYwM(^UyRZ7BX}=x}ZWq)F%4ioc_74@qK)DoY zeU&gTw$mfbpuHoz9O}eNl%qPwOXWuntrBIZy)V2D18mOd8*K#H9+h1QjuE`dZ<-(M_y)v`L6w?uG@0nxJZFq;G$g`-t!71o% zTI$wL?%0OKD|vDPvhLx6wYsIIpFQOi_rGf17+MoLCf{}g#hH1pqR?7OjgVJuGnPDjPHLds`VNR11s zHwA1UOxBs$W~0HPhH1ph3@(S~+NlI&7YMMu zG4lxoF~TVMIi+?YqZ`@U`?s}X`%G)dKW^3sT-k*y&5gKk*CtQL7FeYGjzp@RGCnjs zD}3?}(^PmFwDZ7SCJZROTtH)sM)xMuJCpM6dBN9jA`B-}jL-KGOOUO9cLU!T)(Zae zsKXb9JNeC9E~05kAf8kXMnddE9OcPJf{-Bkd*rodhc2vMRCPseHTFr^?q;Jql!CXb z#j$LZyqV-k1=H-}C(L?lpagSGy1yT2-#xbIKvR5W(L}}sOHYWysYY@k&*&@AmK}pt z)DMhgx-wOlFQin&%@KcTVl$O^Uc9Gt_@>iCfgwhAMdC#*!c>Pz4~c3d?qTBa+z|n#h!kdvG7e zSPHB=P}9-VzRF_$O|8=bYMnVkt!oJpqf2xxi;z3)k7Kn?ll?}~rvxdKmR|e%*U=4S zYM{6R*7AoGjMhgnUzP4Zw{tWxR~x5pJQbqwwfoln4C z*z7lt4zFf-32YY)KNMJ2$`X|H8g4kLherF{^_k>QYq-IXIokS)Gd}36I=z!}Id1oz zlWkEBXqM#g)Ek-V_3pl(Cd4gjR3#=m+d7xL*jV`KzO}X|8ogy97y3p=qE+58_U291 zTzpjghb^3rW=tFh{gXs2FP|RKOScyullPjzwyp&pC}yJ<7p0$zp4tW-g@#0oj=Y3(*pMAE>4WUucTCEe z;TZ$6Gw~{o$9@)Fkqxv>?!A2^m4=1;TCgY_ah>Ln&(*4Y*seWPcF>VC{nF&eCfkSKMhzOGxw>QU0eE838@jHv^)d+c>IC~v5 zMgtTThwS60s#}gp6YLcoQj(!c)^rHotbxn4mzGowHS&Xupt-2?$)w*rJuc;w#!)(_ z@8z#Ub-U_4U-j@m+K>cL=uq0eFhZcCbyEMZi5~pmMi#@2$#d$pIIMp9VDapkFHF#E z#YYVrlAYeSxMWcc+A#|k&f=)%J~9izp$8|BGuXeHMjrt$$A!1{<;Xw+`y`8wzC?Xq zaQL$NFLaw3Bup*4NdTIoV*00G8XLbwJRIMyBrefbJg&B9WW>R9V-g5-8$h6AMF@1N z^*$$yOw~H!)4jsSU5Y@UbJ2iWeGMv*G7Qz<1iEQmiE>mbZ@U zLdp$Yzeuy92Z&4w%qTOWqAs2ZwRQBf$N1baz9BU~+YZmghC!dMS;9KgFEBMr_P)8$ z&(x);BVa2Aq*eVZW&Qo5ql!A@vDML0)kgvyDZe=5eR4d_lsA~z>9ZQ9UagV*G3XGL5f(VJ9n!4LHQuKBs<E2X||dNnP3tK4(X38sIVZ_|{X zYg|h%z>aKRkVFI2qm}u1WUc{ATrddDcjt zeD>~kXsqGYqzE`aT1un`E5X2(YZ2ZP(F=rN9i6G$k;zV? zs=n$hKj`LPB%s4Ft+Cu(omUrA-UHp5*h2n{=9>y#9e}@4@!PhzCJlMck@m*f7Z<5m z)H}ENA%1E@^j(RC;1gPWUfY*BXQV}*wo$8)zQr6q5cR7ADfG2;o- zlPVcvB|Ure{_rN1iGfO(i;l#!?NHbnw$gU~o70#+vL?%W0}P2OW#79FWo}ZUX3LXa z5xAob%gb??t>%J3~pblWEIJ zvB>3v@ep#QH=)rGTfn$Pe(5#iFd*VXITR#LeS&hsQFVKRI2;8eYrG#^E?5Y;-Odx1 zge^s0cFzIddfk1=2Wv?(k``+}k9a~4v^Q>r`nX?+6KJl(c=U{UL?%mTX>8>AG=#V- z&9mI1d!TSkz4VoT;-Jap)ql_l6JDFaJxj+*_mClAG5IebH^WeViSF{y^qt~{o^RPT zpk}&9u9>C55q9Ut%sCjZ@JsTG5xBtUx6EB^y&?3ARm!G$@ZR!O$FBV#M{jN0^v0qL zgfXf)&Q6PG-2$$y#q6sQ7t(feRd45NNAaYeB^<4#Ja|C7?z(nm7TuUxIa6;V`sG>) zdfx^7m1|$v=12@y~Id5W;{dT>n#}ll?id_1I!IVuJYPJ zO2C3m^0R(M#+h9?!tbSdzks|N6gTg0oa^OF34rm+$1?Fr95EA4dLtUTGmZkPA8Slk z`6=nmFaA`%%bg;Nk{&~k=5(}|4*Y!d&wX&r|g}k)uh7S6LbEH)oZTP#~o+?dSgf?oBB zzx9G)E~JL|Z;u;S!ysq4=OlpB4#e;i+5Jav0{I`+ima=LuCEgeyp3RQ z%>pKk02Q5omiID))t0a3_2DA^>-4MCbeYBv)9iwVYq)Dh`U47+B@CO%@goXlV%YMc zM3JRtXpOQ7EKZa@F+6gh*CeJpk!E!2Ws{+|YvbS75IuiE=vld5;x(K0{TNquI`F*aypT;UQ*-Hy(pO4W`7cLO2~Gg7MayR zrCx?HQqDbrS_%G8GOkvLaO#1D5C!Y&n2Xza<~_#Ft?8-J^PEMkqLIQ}*{PM(w#u^l z7%89Wu!&kPPU_w64zmUdj%cG)#LonK0R6&!GcE^M|&8~Uno@TF$%g5Rx|Gf8dF8kgRg zELp76k4T=yP=QoD8{-Ci?3Jhx3hs27dz&nILn`tb{?Q~Mv*g>Eu;(B|W;i~g+7gFU{x~pLg5Jo8Hm@D=oTPV)LC;^B z+YxosVg(k5<}0v$GFyRB;^P(j@7fl8Ay`6cMN{ndZQauE?#HlcD$Is2E(IG23^smh zF$0yYG!n&cOhVN)60vaovo@tWT`S&&h|B-di~v;5*?G>nk! z2-e`u?xMyT?yg5DW>s`~2_3YhGb*Ui6UgdRD-jCo<(tQ)rB`rCQWy%9?HXGwYtIyz zdqE_RDxor~cX*MC;zA=pmdx{~{<8(aO(dChYP6)wcL0nwZk9_i*=n2jAc&|4_g9gQ ziZLwRkR@}9Y#gU~xkJM55k~bnor|V=304#3dC!%Ofih;!Kc{2+i6LL@{Dr4viH-Y| zoL`b?9h9CUd{Fu4M9Fn?!^V*avLHC+xY61o0J&A2a1r7NVYnJXD1A(9I%L#SU*`yQ3 z-{|lz@J^uGH1kBTi9Wt039|_0zV+sL>U9P;%-CL7Ri?y@)l9Wh2f>Q|k7v@JblcDL zuRU}h0=C1ORA0md8!E(e&TkW{#{S??7~JMu*}2V|c(FcC=#AYefJ9|FZUfJul{B@(TVq?t` z)GiJkVwhEBi7p9H<$H0S(q}M}>;c)!$}cP(jWeIFh>S;;H^KKBdB)7<3n!nAanj1?@+r}DnkMyq`wi{qB&W?-P zUx6~{J_7d{rwlB@3~fc7k(U5Fdg_XAJ_wr`QaK~5GPoL$nf=hq$C&2!I5qX(xl#qV zCWyQECwdfyo`SqkMfT(y9bwR;NEW`J)|)@Bh#2wnweyBa_tQwAhz|tfY_$F@b_yG5L+OC*y6W@ zTTjIn+v0gFGzqSB*EL{0tmWNv|7;)IE6Y6MvbwL=eGD^OEV0NE^l6>N+s!2dMTU~q zQb{K~zc$XuvlK0IT1M-8-qO=H3OgOc?XVB!y(QajG_6#rDzh)Z&SI5N(o83P``?el z{_D>k`iittY8P@;`7GycMsz2&y+vXh2Wu zCKFM{IqU>FZ@#LQAQtb$H!3?X)sv%f_I@;YoolMOYOTYpTURqA%ff4}i}-kX;&u%` ze0eft+Fh^(tF~c;sdn1Ji(lFqEAfp%CbCdLqaHP=h@PM#Z8|;VIN(4zINM%u2PLFJ zrF~sCb_S&`dI~L>2p6XBxiPq=*WU}IFUg*3$6>E|5DBup6P_SpVyZfD^^iT-!%pyE>#_P8Ro=ZI zLh+YZhPWpL^M6y-9^vm`DVAG$DTUuyq(d=G0)%==RybvK-nn7@T9sW*(yWyy}v~Kx+h(otoCfsoMLXXHI`RINBc-=fr9(@UUrCvri%0;f% z*$zn)JWUZ4hLxvzCZ4Yigt+J}D_1`43++{7UEC=;-%Fn|nHkzK1{8s%C9t{@TEA<) znlO6n=~S+E=t{du-3QHCZpMdyeZG|cAD*vqN^QO1WEt4<4y7&G_+k^6+64pS~%(naF(zVLam;9%Hyd}P}BCI4pRi7IEvHBSAOxmIjHyX>8Wv8M&x zs|~0&d+Z(Nx0ZEgk1;#~r<4Y0CfDDXm6}SpqYB6bALJO2PrNVLGQZRBKq+zl1xQKc zX~+XvtzEr}$b*NKT_E&wFwI!Re0KypjZa@-sL`1Vmm`ECc_5f&VYmkdU0c9T0}3(! zt{qP^YrJxb;aSISUMg+bbNAOvsVo?GEcN1$Vr#Q7$wP%P%#cWA0gLo&4#58&-#ki; zk7?&fs8a@ZTD#GC)_wA>%uA>if0`=asthkB@2a1iRJw|7_B!G^%&-|tl3^Rms0PT@ zaCJI)PjgX=++-51*gH}Cs!F>hi5!@W-GkW$eLU~TOTO6*oZjFKAsc=KwY*g@0dO8V)bGsmji%#HlW6+NGwl! zU$aoL?i#^4U}WWa>^6h|4k$r&Y^;zu#yIBLXQ@NK#uP=pb^xG!J#b8M$7eJ@s)(M(^` zc$@Z7`WW&%qW8UFHHP~joves)g8de~p`GVz+n43f1Wfq{V3vQ|{PKwV$@rkWW<9B>taQtd z=|O_u?P9OPqN|439Ws>Ob4N1k@7Bj`)^@@TS}77F_mqPW&C&qL;7*6T$;|RD2r zg}!VuC@h&Q6z=78&q1|?A#P2xpp*MoUXvDy%Mgy>FW_91Bt(HdB`JKB=9ks0a06AD zfam-_7yDi5lW|NK{vm+*cO~-gVp{5z$T(e9EJj0yP5p=iC2Y_`l|BII;^x?R9%;YYZE%_4`s9&t(FrQ#%0C#tu>L87An$ z!muzyi@{6PgX?#AzxfBt@+kg&H7I;Of>AW(BN7P40cJG)up3+^T>(kWcR|P40_))1 zujzvN^6cNw&ZkpF(cpf{7T3UCEj1gbDV9F#@wo635vz zGW|$g5YJ78tMAPdm(cMJEXPaDLI>K{z(e)i&{^k-*gZ~$WhcK%9j+1aj49P z*@)4ym6lx$l_6_KQH2(kxaUs}Xl=UXK6*kP^^tkYsZKFfA_de+eN-K@xjT@zp?;Ay z^A^mJ^ITz4U21=w5T)e?oa$7$YVp{hq~Q66$tYLYTXuHQ&6Kq;6L-7_p!wPg8PG*?R9#3h4>aU0B>f$%D6E1eN_3XVX> zzWjNYNUrP6Ed{$+pCtHB7_!;Exq_hmv%LYHnE-JG*^4(8%3b_LDaB@ZzTu#T@wYzY zPj6yHAZWlIed2Kn&#`2|{*>F6L*jeEX>vXq@6>)x zl$)5lG;LL)b~|jWb-SERrPa;WZ#jek@Fxh~%ovnIhD)YzWGbkh|_~DF8t> z6xBg(LBU_k1#7Zy&dM9#6(`-Hj~@U-Jn=?1uyM8V0#ecEgizBXS{x!>EeTYNnpZA) z0sjoa{l{l?vQ^90fc7%^H~)-Ty)zL4l+0Bp+eWjdEjC*>zgvY`>V(8@Wocd%oQLN} zvpb0T+3qLCK10d|4uJp|WpF&J;8&ih(pTPG#J~JP+LLL%HP8KUH}w7iS5q7131pfJ zuF@C+R9#benAhs4yUb713_{iO`!?{qn}S;n1axv-2j>ylS%T?rRqFoQ`zxI!ZP$+r z;a_rlrtlj~u&cnRq4Vt2!3z%?aKN(~*GCle5-%*S`VlXFs2|~p|D_sXB}rmAikM>Z z+(4onbXeQ;?EU9(V{N)GYazMk8ZQ1R+XtjhA_*Y3`!G`Ixc=Q@g8QOZ@*xCPisfog zbU#M3s-|=+!x0TrhZopO5$;XORap=Qj73b_&{C6`C{u(Pgj$kvHH9nlkTz|8D2f%l z%n+_Gv3mFFoJ+Layb!4fx(hYYviY(~aq^a46b@kPhWfq&uLFPdlM9?kng_G^L?+y1 zaxRoub}`ckLi~YIwz^yenY$t7OXJ856PBfN!E)VWP=*i4Z;cj--e-J+N_3b^usazS zIgc^aXZ)qg!Smz1@KX7kpU^V0bh%M|n0ro4=%L2NVS1q^?L`pPZCB;41pWcnx3cKg z>zNOdz2m6V$SufkFC+;&x zN=xkN2ja#E6BxQWaxNBB_LSUgP@F-sVqcH556hdMXG_QhYpiPPO;~sIktdV{2Ea84-P98fZi|~rrV(j{E{Q6AGU>K^jJAEBxB;y1Lw8|W zL1?{T`x+`Z^D*c$K$p?9CcqBFf}0)w+VZC=OVWbV_rpA>>lK7{UXTJ}Gu}9_6Vcm! zWqAGkTm*S?>#*;#41`2I>6drY7v@@=yb8>zI+NoAFu`0#q_&Brp0h14Y}SAd8MtV8 z`Vun$GJFCSjpy&COlMbIale%n%J$=X7!P~%rxthJZU@B&@`2x}<|D~9a5qlpul@=c z%N^T_CDy{ecAU78(%&KTmtA#%MbNG3Ctd!b%6YfuHm-KQ{x?#(|MpWNBtdcV~*8#B1XB?G}w5(gegS;GSG6c zV^A!8teBTmK?1xWe3LrWc6!AEo!dpAQd}O}nQwaus57>B`JuD8*4r$Zp$|~@b`zE3 zd6%p%$~o)6(qc(fC})?m?*NED7Pwv7p=GZ%BA+WsfbgmGfO4ybKOZ2f{5M^nZ0^2% zj2@8t+(Jr1Z{2M3G2#FSQuoVv{D_#(x8-IAXtqMV^)kpStR^cs^4a36a|{nGN&Q=G zn{dZ5DQ!>%nGuXXVfckZdh`9gE+=AnjKBbXk_^Kh`Lwrp*YxTnjV|6g?0xo=KEG;} z`GbxaT@X60&>N35qvL;m43nKDTO83DUi~LH7 zhDQ7?reRrg`y?p1vAeKfb*GqP^lkLyy4>QUp~-9K)@syyqGNGBXD~0is@{H2?LTw? zYl}?tJcpW<=PAVDSbWPuz%DUyoLn)gFR3M${l~L+=Zl?V&8eZwe^8IM^P=_ttklyy zIxl*6;2kN(15dP63R3ngTUhAlNKYFs|ANtzP-hKLLqhGWT6ITfC+!Pee$4t)!6SE0 zQ2Y(Xnu*bycL?811ttwNAO}r1NnalgwlpBmJmPT&FEi#qV0rh!H;UT-&X8pw6zrWu`b0H zke{OlI}ej}Ne2BS$T0CM@-x`wr0{}bh3G#^ITl~jEHSJ6?naVX+0q+7 zkYw~|iKgB-3VG%X=kBq9Qj;E!ObY>-@uL|&{na)u|NYFEhPZN|42+wV20ksZ_i!^0 zF_or^S`*TuYt3NOu6o>4M*60KYWkVpCCN)X{a1PMD!|vCTczRsY1Kk~I(xC6szJJs z7441d#$pDZ^?AHi6!EZAd8Ma>GI_m&;L#;hPX{8*{rI`t@{59kQ{}slTzbY1H$wMZ z|J>sBiZ+~@on%aubQqUPKzVHq*l)7|xq2j{V5vrh_~;wWnULy@a6Bs_LXtyhLn-+U zl8S>x5ZNnhJrrs2vtb^Df+Y~fIt)$SXvj0@!Z|`t_1~R<%vwVbb!WGoK0Z|TdKZ;1 zcy^M)y_8^bPNis9IB$Fz9I6{8ByNY6J953xsOcEB64XW-356gFl8C zwfvF+^~#$z&WwdJM@M~W;0ruhgrRic+rnD2eVB~|m|c|QDZ4wlXGuWX7H5c;bYJYv zXtD9jr?>Q#HM1Tv?7+WxRWw(dU~m|`WA;=4HTweE>d-H_0OelFo?s`6P$cJm{Em2K zy8f9~4~3>Ny&@RWST7jvfo(SV>mdU)$PDnTHi&=O(1Mp0gn^x$bN-=F#Am%PHRS8d zl1PW7kMFZxD~x=XBs+o1{HY+;vBzGf*)AfWek zT(;7jR2qP=Y+fF==aiFp7VAJj&=j0+1B^(l51CQ{Ctgw_*$si5N*E`VlTK0kY*fwq zIL}CrztnLJT6h`WPBDo!=;>T_ao^K|X}@{2Gn8>@%EHP1I<^z zA(E}R1{wZGCu2EYD+8jv6@kS_ei?3qUO0O5EV!aNY#(qqUGq(qs`2psE49og1eR6U zq%V@Sd9u$P&6`qsCq{v_B$e#a7iemSdw!uj?@m8CHxJ8TIpn-I`1FclF3vP5u>4$V znI*xxRSx;is9;0W8R!ZWh(Q7r>`3hQ7UB?1xbvuIJZH#zVJ-Zack?QpQ9}{dWFh@J z6#R_e*T?AfjBpr9N&i3Q-a4!bbzS>ax?Aa1Qt1vwq*0I*q($j&5D<`dP|`?AN`rt% zcSuTyNJ^Ioh?JgZ%=PWP*4k%(YrD>Ou5+FL=2Va|24lSM6ZieQbqaR6`A85P4+$1J z4nZF!>-5iYm|gpUkq)F~NMUs_@3A zSOvPeQUlmdggCZn+Xz+wp+YL`YL>=4c71SB*hL`o?5cT~qm8?dO`{|yxTp@uP4V0=S7T5ZN&xQ`(J)Fsf(lMGimV<)JND; z9`XEf&K;~<*sn9-Ta0ozAt__s7p(Y&Oe2(Sm1R!dJ0DyNFQVlT>2*7#BRrx^5z{1g z^1DB5i$;8NW5V+^sP0*uYhh*N_3FBI~RO zl(CKer5W@3J;Uaa2Sb%UmN~SoKbN#7Iq6-$+U=%$nF3|(W_BH#l{*w66=R}<%6FHf z>T+YUvrE&6HABdm`)z%hXs#U;Gm8yWFCuF8Mu^+Bq6$ahKCvope}OgOXXw@NJ@>$jXqiqWEA-3De1*kI6-Hr%2rmj=h z;}z9^>Mnd~5I-J@<-0=6z6!~$-#8zq!HhK}T5bw^Z^qz*!(x(cPLWg?$@LCsLE*}$ zm3s}eFr?LEtEq5@NlcarNeg3)ctBEMH7>fEWZD7H7zXe|$3{oqn;UgGrd9JHif1B6 zSGz&P-a#fK+#@Fn7byB)yfBYWd*Fp7Ug6aC*zMSzxa#KG%{3Xi6#X_+b!wbWyeeP% zFJKre^QQ{0qs=5hvsEv4)4K9>HU5~f*1nzVn3YI1d9G780K~AoU46UsDAu%6QStO! z6*hK69uOx?OS|*w%?oDk*L)znVS$8sOW992Gu#_GEIE~qpO)A;6G8Au8Fxc-wnR_Z zzlT~U1d~{Xs{!nlFUYEUjScvp^h8Uo?3V=Aims;yI_dC#Ccc3x*d|?y)~3J4_?>*W zo~i`*7-!zocb@%cq*UPjqhHGTW}J^r>wf#R;HxLi7lv*I08ZwV?d`%m2S`8SKK-QA zp3jX9zoIx+G8CHr1ZU2YA0<|oCEexS{PccR{Cuy|;Gn&G>g2y6R%8Q*pcuuq8HP;* zkTXlmg%AO2e_sm~m9+MA0|mspuo*Udu-C1L1ziCNQu+Itos;l1|Nd(hWKv3tia@S% z;`>u(cS3?ESlFoX$RG;7I7%2#SR3^}Bl`O2<<*;o8(`)RO(1w>0XC|iF!?Om@>i>x z-O%QDd*}L-QgQm}x6dF|+y`xO7)aadHr4u;D1ujz6A?bDDCA?V*qL^+Pj0$G9hAN_Q#?`m+}T!X5^}|NM5*SS$~x--Gy4`4e;jF?-knBn9k}^ zj4YB4^q< z|0Pr}#BB%fShW=W4CQ8b?1;&?YVD6vyM-m_D`eyfAm<%XPUFv$j!t}d04Y~Qu(65I zr4i$ugjwiyGu`S-KpY(J&$w;WWASw2+2)EqRiL}rs?EV1+D4++Kt<$5YEYX+-*)pC z`ZDjchRHHfA+Pv@KKIcWi|1o*0pB4pvu4aHfm9b1E!7QANLFVHHkDSzRK+%~^$}l= z4E8m>mU`)_i{vnjx~ey%y5R!9{oZ%&yyfTqw<7b57p)Et_Bp8S=l4D=6IgQ{Jd+!{ zW#SWlqA#~j0Y>ZuppQ#d_?;M^TH&V5VVGR~ntX>oOT>PjS zn)wd<;-k$MdcG3J?RzI-Awhb#qsb@uO*aXx(=gX0Mr$t*NfU)!vsv=9=hd3?KDfU{ zEkDpV<_Pb8hg+@B1Y9@AlBoHSK9z~ps}yUb@#Uw!?fAl>-~=>87WqvENM#$6+wfMm zGEbXpJ+(yZ^f##oVeG}A_K{cPq~VFx7oBcjQ`Iayk`nXdaqI2!p?uRulbTMWe`jEz zg@R5L%o3Y+`)}MWJQ3sbXKmQ5STd1s0Y&RdQ)Le>)~h@@@6j=gV24%l3Iq#RVeCh` zHBmwekbvsL49H|b8ODDV{{oZn(IC_9Uq7>3=u@?gbpqEhf0lp>IX=-wyjF*vfS4z| z-RH{($Lyz5n9P#rt(i0`cco(J&DC=^*n@RN9D@SHE}%I9z(S}B@g5NRIK zOwoLgwZX=m%=9YXvc@uB=eDsm$Qk;9zB<)$`bHr4DwRPeYn3DV!h42RVL+t%CiS^HC+8UxPc#;x7(XCn(-(QrPc&nD3vt}c)tiw7z zsSc`7<=YdgB6&FpQXCVW1v`#**7MM4t$Ym<eQ?73$SFIEN zHZb9&tp37lmHma+@?U2m`#0W8|NXYqf18oPM<2&b)qaW;`Hv}F_D3#!MrR7OIKg5j zll0$z+aEs@2LEk_2O{Eit%gX689aV~6-WUJMpt7FEY&x657Sf?G7z=}TGIX&$#Cj4LCJDF4BMVR8Fi_2%rKxP{gUT+paH#j6egu(_KRn#9 zy{0oRn`$*5oqUb|5#sP)zn~@R60O1c`ZpSQWd?~YW=5srWN|bMlQ3rfF;-!9!l>l|;_)E#C$Hla@8913C3- zfUc16X>1VrKm9EAD5HIk%XZk%wD}JffU;p7Z^PC9(|`AGpTHh_G@R8M+|{Fh`e6LW zOaAZvis0*?uwE9cd$Q(ZQug1!j(?0M`Cs48Fi)JBt=v?<(qR1m(lb^;0U+JrS)1X% zv0?ldFNjnVc+chyc)3N^umFZ6dk#??O&45HXTqT$Y)_dEz%+%M{yPiO!qW5KXBjIU?uYAYjw6b! zVX(z|36uwjsRx0>MEk%4%-`n+s#~73a6gW}0Dx9ltm-XYGEVIqadc3ZD=zGTDK`r# z;y;M2m85Ka_CipsD;ef=177YtT>!GZAIG7^0n~nFl#`SeFfGf#Cp!xdSk5f_;3<$F zmFT&Nl3MA!H5jYzP$qQzd6J`(b$S9Ss6W1GW$w z#e~a>6ee`aZ>c{-!jH!&tp~cv)`b^@iRy2;Y)#w;3x{MDtXfLfF8B!PZ{0wyZD0{9 zid5E!hPOpGL6MdPlT(0g7-vL=?g~BoVZ-aXsp-Eqto)7ZXnpwZ;m+qo6>h`mBvlkT zGy)ot%rt*yn(N0{UxP%&kKa~y|M}}#E6tEp4Mh$98D(h8o4X-0@aWO;J~K=udjo#T zf72}Mflj@qdDfn1?tKbvci2ICiNa#HghIr@SYQB^L*DugOE6t7+=JgrRmYhBNv5mdG{vElv1Zf)Qr)M~r6ch!^ zNHbm*C<(J%5A0W0u-}AF85KXK^>yTQF$ESxIS?ak;KiDVdG3h*{kY3-T z)Z{RC2vWR*qH^~wsp|ZFgL_bY67^K?ZQB?p7@b9LIlK8b+Bew!@uBB`NWzvhw>tGm zh^WPGm*-J?>A+89Sk${Wdg(rX`_u^f@!PvPTVb5nS;5^)>0|h$0{UzTolMiCX&0a$mH#)>xgOHS|%9`j= zW&^`?|5W{ZjSdo_Pc7^x6a@@mh%HkTtiA{77>BM-YSiEy#S)n2V_mhHuiy%5|Aa&w zfHr1h%jM1YA;Rv^2C||0$y{Y}UI?C&vOu0QATR7~X@H)>bhysdn%Elu7c%t9%IGFq z2>GETb(Uzs#S$-ehcd%tQ{{5wtpvg-snWseMdD1BKYq0?lZ4*)BQ|)<{}}u4-=lzg zSw?4lsv=vb-1yF;8F4thI(5y{t}i@z5lV^FQe9aYK)m(u;erIlWb=+7ND;d)^-$uS z&zajk%!Dko;1JCL42%cZkxJfDSiJ_q9|@q@8ZAb0!lcL|VV7kYc{$V@)LYaQ-X~6K z9~@Q_#%pJegK){ikvcnM2rS2sREe%L4fs|mA8w;2?|!GEhhvnb z0b^hCAxKa@^;SXpp;wftXau7ZF%6Se>odeD^q9mjw;~Be$!*GZhy$3wS#^(zl~0Xn z!(9*%l&!urb}%l5;2pjV4CErCsBJUlwk30d_&NAalnHaO$d%bq_Kaz5aMQY&U| zE~@Po_2+vWLXw_TSwp(OkIH|y9{E4PY8me6`#%!&#Ks_9m+GtsHl3p?g4m`lH^A8O*3}BN1xxknTu*f#FG|W?;*Wf@8=(GvLsE*(92!z{`?##@LVxL5o8M-G8hG{*FBAqB3LJkeSP!V5TSNeBcf z`JRL(sF*V)p6zyF4-x`)npjoxDDLxycMK*by^MrfE^NC~Vqf|Y5SYO>u_|_A4-U~z zh*PMR5M1o~ar^g4)Ppqr2Qbi#B1hsSAB~H-71@(ZS0w}3JrucnJKP-a8~=#@R5^}~ z5vE`4$Vj33!XsSsCa8<7J?|llO({dh=*iXX1}7sA+P^>Ne<*JL+drIEWUywc1AQn| z6iKF$#Bc(U$cB?)$4|j#rxQeVoexP%;LfpUu!nHi6mQ6JZy@)EY0VklpBh0V4MMDfTh zwtZ~m;+cV0EcvO9J}^Y(-S=%k0-&i`sQJ+=lH^M+eR%tBeRic~|0Q7x<)sS_gSx6q z;x!g1mfPxbuiM1o(Q-IK31uyOgyafC0d;*m|4Y5QJbuG|aUv8z>^`0a-@$Fcj^vm2 ztzR{@=SY{7SVkTTfGK^~h1t&t0+;V zzJ5o@5j>!eoQY=q_Mh{S*mqo!@j8#vf@qrCGZLR@Y%z6v*G2Aj~_!VX87t+hu`WU;{HXaR%f&E6U&EBig_I))@ovW>!g&e+#Y;Dg^Q-@Y z=!S`-{#n4-U7P2P4^zKYu4B(zRoy=psTFD?^-F`w@ z{^xw=OW0`Fqf=LWKWXdtf;U^nxMmSft%oJ`UbMhUY5fKA;hCwYGsRGvK$Uz}=yXp~%C8nh(k++Wf45U&mXMLwr~WvpSj< zsUxrjjtsUqC|p^$gRyi>e6$Hj)64sNj~GC7m*x1WcF|sAuTs(i0XHW z#+NYW0BBjUTX1p@pshN_iB=Sk0Sr1@x#cn8;PW0qE3S=4Ep)E|+^KE}A{U3FC44Y~ z{c8;P&zLLhR6-_zT-h4@2jr^q--le${~dDW+!ly!rZsff;CXPvRJr~V-X?%(WyO;# zj6`lDApgoMqv>Rox?9ID(nQ#0JH>Zg>mj-u2^zOPy~{7?3}%k}x$*Ap>kC0aE}lqF z!b6aL%criBrt5v7@oXE#M7}D$b?U<*bjjdRj4nmQ6}$5{n5G?|f-#XDci=w_<~4)r zjplyJun-UC&xrZZ-Nj?B&-j6o=AXTG=3%HG9?$vkk)nv*KoV~|Ul+`IN+|fv5Jv=4 zPj`$Eu|FhqpvM#cd~^&>u!;X~L02=l{}Oc7+jpncx-rQ92B`5H+E?AtCu-~hswtY> z@7?i1OoO$JU$rx>tHz)G6YbbA`s54VQ8JO?g=aW1rmtc&CHZwQr>qSR35lx~WJ2v9 z!SM$I(dAojXwo$fKSodweh%PugOYy$m+_fV4^>#V@|H#m-ZKD8yqnt#$1#zLi6@7mvN$gi~&k8@R-@JnB_dzpzKE zeK**5B>H)e?f_K_h-3?m*&eaBXMR6ept%jrog-{{cekt)U_?limr?fbf-8wirt zN?XIkhg45jO20H+h{76EMvMq!f<59V(}?Kc!~FS=CkJcRwyx`+TFX3U*K*V{^5*xx zAaeD^3}tin^YeyY3VzQewvwUR?Nl#HlmFd+>#W+}*=|`X`s8MUVd`^m4OacCy{^t{ z{(8q)U+avMnM}vIGG)#6Mw!X3pB;`{j}zmYoOaoTRrjik(tSCP1pd|_rudzdp$q?W0rN3BhC=U)4- zBF7@dMp~!e&~2d~Ts%BdHrJI;li>qu$>RDDP@2ee;$2GJ$7;@MVZYVl)qoRx(*M?0 z!Td_e{D>|eQ+5s7>96)9&oF_XQL|2cH&g6hhn&8wX4rj`yp}5*e*&za3Bqbs-)<*T z{}1&+dv>)Icl38mzO1rroDT{$Ys`Mgyhju>s2RDHs3!YDv${8F@}@A=x02V9&zXDT zT@4M>D}Crukn^NJou2!nVUxuj<)q1+%KTbusy^e+!bT(BE=5ABAF1gE#MShH91uE} zSrxBe(zo4+A793-A#rynwZ5Ue0Mb>* zp$+lHf9Yf^aJJI#h3S30B;&~6$ypaE%t2Yeu>{gy-rZPhO*FR_7 zO1V&$r8*{!x%+A{oR`{KUM4W?x(+S`y`)uy=dMUhG=^a@@q${=fXTwAI3Gy`WTgGP zWHq=a8LF(7K$Z~cA}y9~-FW9(BLh=fcX4Qg)imh04DVZY*Ph#>%>)I;!GefHq3|DJ zx&Qi|(<6+ALk_77CFGp$QGcPd=z}@_k))M~BxyM#rJN_e*q;}uz3PG9{xz~eTJ9k+ zbV>!$;Au|DsIs_(cf^9}1%L?m%ok zR*~Wk#pDVr4;6~I#;4NR{qef8g(eu0UC#DAYsx$aub=gJ(7rnhT9+`PLf^qd^9m1TDsz>=p_PG9u#gE;b%7``wn+DhE^KNBH3Z5~D2G#`5icYlSX@o5*@cSPVn)JmRD%h{oS9PXZV?V@KXe?p z6q2QSHG_P0hfaKL&x+F_?5Wt}TPvn4L=y<4nW0P;%<&qneW}QjVJ!R7|Yp`@458e--DbO73Xu5QF23%JIH=Y*;Qq& zT@4-M`Hv6QMtG}u4QmVd{`=pdHAA1n)Po?!n@`ACx8|li?V1-jm}x~-TEpH#uYfX? zDj8y|->ScCzKzq(RpUq<8Rg`DW+6_YSNdTo9G+0i`4;O&YUQ}E%if&9{YQJuU6=c> z@R7v1azD9twFHlJk<@`-D(a{oZ3DfFN$ZerS84^IKpd!-u1>2cDSo|i^InE7@9?UOUb_;1Ek5B?8UOB zFX`w8+EyjB_>ZV%jMDgQcs#Ku>{s(pe-c2&_`0N8pviLX`EMWpYFwEMmV=Sx zFmDNa9s2QNT@Amx$$U=(5f)}X?u+winiw#Ssz`nK>tyJ8*ER=Dd%r8soLc`K57kyB zIq`~#37xIll1ebg@2A<;gxJ%FY`hIHN7)*Y$$@fk=E&rx_>&%@$>*vMj+&uOw;Gwb zfpXk)AK8M;ma-xw2B%FPKk>5vRnBSRp6I8y9 zPw47`|1IyTE}jjVP`i4ODE_@}GclMA{_yQbts1>NM1SUZB1W2BC(4@Z&WzS*$QeeH z9aBUclT)H^NrOO}8|UV0@-9II^T<$v{^8SrHCd|U`u70cGLp~n&(b!e(i81XIqq(_ zRl8M^hkBlS*;X?O;gp@0D7Q82{NqmHsoj?Fb0mfHNKp(uNtQ%O`GxEKvWvN;hjPln`S7(THIkQAOv>l(}o^!Nxu=uYSF4zAp zhKn|a>Hj%~YvWVy-!WWNaq>ADmH%4|7yi27{|&?SvF~4Fxa1B06^08%<)1NJI&vAI z^6}QwJQVW4Tho*9-aRLR9X5e{(DU9;_VcH8Va_;+@cB-b9Gi+5aAA{uBX+nxw#y9}vw z!j+AtwjNpK{Eh4&t9m;UtZk+}vkV=40h~=3y^JUyVG3un!u%N1ZQCuZwupBy`}x$0 z;EfqgKB|f>JE+R0Lbjhgg)EwHzytG!C1xK+*c-9^zhT&66YW#GSfk!GJI3sQlnkt z-NaUBF_8Y+tLz{Ad`)v%CjahN9u1<#j?}V#XUC|OBn0gt@tu;SEd2bE)oS9}c)37) zndNWj)>1NUf2DB8pN@B}7A#BC#5vF7w&st`NL6vj{2W!;ePb{h{N3MqwK7i_tDK4d zahd}ltVA>9PrRk};l96l@m&vNo<1qt`%WB%w>uFV?8eF}t%p}*gW3BMxf5k^04W{KjBo_@`%+gu5|b}Iw6-O~yK3Wk(`(XeJo64}GOdDq2{TGiGV#k6 zuxFy~HP4OTGHXai8g(?okPTm_8SS-5z1f6s2i{*DS+ow2qYS@PnFW*b?|OP z{njgjy6ggyfh(yqFky!<)`#-991MwR8gkz>>3%xGOMZ=loQ*l79BvukYD?Wo`E5`) zQEIUD@W^*Skg)3)xDMD{=_b+FR71VzoLya7-4~%<)39BD3}Q!Q1b0+dHo{$NgmM-rOc9{%xA4WyP{1w&ny;jZ))S+U}EHj zLqfPyTYDaJ9ukOw3@PQURPSCn6%H6f|GEJ{-}Dysn}0lnX<<>$Oo=4WAVO^i(+|fb zUK`8@%?xb@8Rt$VC@pPPt~T%S6bh=r$$UY6V0tK za%*aFlf;cSWS`oNy_l%`m34i5Q(F+fwbIUV9+F($PA@koq( zPja=WBDpruh8^$8XMzt=z##se_-|le>G}i@)4SEGu=27QrrP6SD!YCi&hYO{Uq9f9#PSpdAH3p}Hq;5s%_-%i_kz?Tb641$ z={aBPViKWhuVp3&BEI>J#!s%0d9j+s7gIMvXMH%otll{tD_)U9x@0QR-%ZDWr8#?1& z%ltGmmXc-Z-w~Pm6P~G+CEbDlumS$p?J@kVf^z1gH*UiTa+On*`cyybz3Sopqc@#Q zvAkWkRjO_95ao10f&X2`+e!#CD&oLPai225gL5>L*y_tn=cn8FU?l38`Ot3LCV; ztoIBkY3#rwx?l3F|NLH5cND$7R;x#bU8AX1k46@(ZxhU(ce^6e%*IeMwEJx2#?tzWQE7FjE=qH@^Oqzd^{tA?S5^b57||jdZb#ZvISH{(@J^iZ zg;-lKF6A*$y%E*!tu@?~HYipea7vnFgxtB5mGhV8^ZKM8*S_R_)`(lZ4O^2&a>n*; zR2r8Bylay!mYSaVdQ}#0o_wtmIa*3k{GJ?UMLI|h6-YP-i5I~<3yUh54Y=kkJX2eo zUmPj0%umGNkcwfm9(L0`yT_QtG4WvPD+;X2@2@tK`&NEGIXu|ka&qAvdN^S!@}jkX zb~%>YgU|pN1aiF1B@b@(GuBc(XJ$)urCYQ4t+>qn$44RHXP6({G_06aHjy{gc>l#s zkDt=(2EH#5@%7T51mtQfx$U8xkNX4AaZxzl3F15gX_-_a=Uu~^8_W^cvJlUne90N% z(&l;hDp=cb<}U3v&&@RHrLloLgbSNrq|IJ|09N8fjNCK6r56om6tu}q`1Lr`?v?aG zVk%51ZO9=srQL~7u*uadtL=AvT##oi4s04ud{p(1^BmD@fi8tF_RUC`Xm>L;QaIRcJIokF+3c6z$CCPKQLt1H#k@S*xpQ$cL^1~$WY zG{pD&l(07^zZmTATcyD0%QNM5A>$87@WkiaM8(@@47D>UwOoiZE^W?P=G;_R)B3ui z(ObKB@>Sic4ik@Jp;6B)kXt0-L&p(b>reXO4H)*;YQ}@(S*_Y;nlC9J{VZ*+~+0iKEdnMWx1u$REr=sZYv*#3{6NaK!E&KbElhRmtvM7(&A+s?+1rfe99nT$9Amow=flH^>|6ZhNJ?cfr4=e8(s1nE~#TsJ_#cHl-R z%ny!J6BbFbuH6Okqf$UrVe7=r6OL+x&0usy~+GT|7?YiFJbvftqArN zufc@vSOnbs0m*K7jZQMX{aTM4ce2cgy#N=sR9IDQxE>jYjVy~NArgp=<6oJ-eN zN%-qN+12mlAv2kjjr6-YPx@PipMLF$NxxfO_6=;w>af*1h@C6*p5y-uCI(^;B{_r_ zi1r$Kn6ypfd178>tG?fAaG~ZT+Z0-$CQ{jiLBqhz$Ic_JlZ!;^r{^#M`k|_IYGi}r zx8Fg2Ua|r>`){!YMwC9A5Phed7K`b$!#QN0!u53?i*H9SZ)N4D9{i5)mBp|8xzs~} z0UKp}gmRp97|TTg)z}hvCo1sBQS&o7+3!kQlD$X^&ILNlTyKDh?)$D}$mGe+ElMSQ zMO(T8&C$^2s|CCzzU@9GT?CNDOnX6fxU<7xv)ULmV za6L=OgxF9b^>&+);=ARA#~Y)p<)#fNqXL&z#=Q$AK#H+_1*BNK zGa$u!uYvd4dBKVJPBG*YXg4+Fi-fHWBe(=i+5*SCy2`elTpTxEEpI{o&p5d47K+qB zMyr8T25{`qL#VP-<)!A-E%M+^pgbj{h&t!FQgt14(>NpIAL^2V&VJx@WTmF?UI@F2 zRT^d9ZM$F5jCWCnFgC&6tpSn`6-E?Jrs|aEH59y$Wf+u_iWONokvkZ%Y`Jph4LpqmN6gY(=e5Ci zAC(gApvGKCArxEBtm;RN507S~jWjOT;5x2KJxkx!X5Bz52YvwCw)(dGlYq)DAXBLa z>w#jkvJN@c*V}k}&27e#wa;SciV4SS-;Y?2AfqC*1Vipa9@%Hgo^9pQZoWtOht;;9 zwPA^5SX-zvK5r62tKKd06Y7`}mjV_XNpod_4JMP1-|v~LUcxAWmMuN^Qt&PXvoJL9 zoVP!txrGSRu4ZCl^ye}mr9^cBf;lc6QaL>AP7&dv-2xp6D+e)LP;|bKXWw#>)o7RC zrZv#tvgXH80w8zV0U6V{qGNTKYmTLhomg#VlZ(=UYp=a<;&P-9waEILRd z<=6Y-eK3GS;2QUvxaaA1v>QVpmE4?L8DO2eUm(AHuO-)LGzamYHoL2qLd%aXEL(0U~#Nr$H+)y|Gg6v)4 z^{3u;>^Iv31s1xlcbFLBByybng7Ipibj{m*QM6-wFi)c`Oy=fZAbq2}EV?r-=!w3`mii6qpW(NamGU_kQ|UH5tEvgt(;d zn|pKl5i_$=P#oMgJ;j<-&fhZcyim71FrI7hG*dURT^`|{q%zAzQYx}PGx8-Ox|nFo z?n|!j!?0+mV=>@Z+tlt4E`lNQovwhxc8Z3pcz? z``qI6Tlhx8&;N~MJX0TAlT)*MW%nD8z&zOAlxnQ&5iAQci~`$K3(+G0LMR_KY!bL; z5BrYH1{W9qJM($h9NjPCClOx;h>2ST*kp4;UHWs=ZASRi2~RKGP5n?mq`cgKj(fGk zi>`9Rdc;-f&7OyQ-yP!?AJBv6)ty3sAN#i9P4_DyckjI#exi5m2^Lr@&NS<`dE1%EWv9XYp<3UHzGHwxq>05> z?PpsHU%;k_-Lp)CR^cbZXZLCfXScRQyMi;|t&q80lg|-m=h?LxdmGa~$QB_O(HDj- zx0*|J(`I+JcJpm^^kz%-07|w^lsfa*71yaC9;I?l(O5hU?Y^l4d#-E+@x1J!~x*xO8yF@r^mvrdg zaHU9z60s#^zeJ$;rI{IlKFSr;eDY4O#6#;4!R=%cKNntb^!MPp5)B)VWqZ-Y5pgwP>~VruG7nds%})WC)K&LdO`kDUlWcL2_yHB<3kt4R2Yg1O1N6Ww%}U zHT$|d2#8_Uxex1ER5d-XAKR3h5?3D(@uL!-s)+9hm|J>NKiSOWymI9rImQQDdAVMp zRB)ln!X1jj>t!j+_I;`hD3K1`cTF_TvUly_U z-rl_p{ie$HnI3sx06^XVu8AQC)Y^_K*gZm)ZEmQoHxtM8iIshV_|v_AD~D}G0d6hC zh%uzGg_~Tua-F9maQ_uM%osA05fZ__K%pvH)laG_K`gSy_p6OyZKTxVl~14TOJ?CZ6$u9|wVGFSx7X)kDxho*+E;~BKeP<6NY ziEny#PkBxnxa)2jW2F}$p~QvXGk%|UJ3XjWF^h>-YfAUpEI=SJV;bdmKe&A39Wr;m zk#R@lQ70{{V-&EXYNiI1#jfGI8;Zwu}6;eFfcG1|^VdX);{z2B>m{>ByRwi54cFWkGb z>{H1{U<|2xS3&(7s@ar@DSC`v9uohU6J(&@2Ai3*TqF`Z+1s^I0A^4Bx9}?$izF6i z5=Xk`3xSnu1rW%hQki#k`vW9mPm}sx=1tY_cc)gn1QF^hpL(uO*W`_XQvo&7cI2Y~`Gw+ytPGYV zmJjr>UTTC-#F00c^fd;J1sUBNsK1pzyKMw)C#08Gqao^rLirNWRZdbuGraX{?n zs_1&=i~bvePG1!`!?T`$hnHOg?$UycLtm3AaG_gs4&6HhW$`_)Zk=XjRx^01mEa7{)w3 z0gKNg0x5cK)R<}0w! z(G8A3`h98+enZEwMj3m8(PiXw6b~8nFAK{j1{JwbuLpV;s8_#d3F4jBiDu~ zu3)@{pVwFjv(QZ%yxTBKe60lVEBX&eW(#M0#2F?tg@}+pHB*^Q^|Oiljeq{&g*rkx_nJrWzRhyucgP)1uLiD%hYE9OWYDvvX4NUiFV8dDX(k+QFSMA* zJ#6`jWhyQ5_#6n2M=1bGIVMBk4Lpk=^-z7{a<%#ShA(kE2F7v|vI?1_@SJt*W~cN= z6K}Gw=)CGXT-8irO7sRt?sbz3XiA;OS_Q{T4L%QPLqDhq;n(+aFHlA1{DN+?8V~w0 zM=RyW+0}_^?bAx@Y=>_G4cG7%~Lic@% zdh=Ar;2W!=)P}C(TK?zWX2$nl)>5jR=^V5;P+H6NTPATMtvmLmexo6MjwF%nd;zbw z_n`5SWEJ42KVU%|AX#RfTl)R7-#ukK$0A6)q3~_FYz6A;g2$ESL)sL_CbN-ECX$5t zX0>#Fr1-14i3@3twn~1U-L8B3V$mT&UxP7Co+kgkjgs`cVz7mO1GkIIhQ)8s5b-7S zUO@F3pyh2!NYB4_{uFFx9KMy#D3O5_=8~n3FVY-=?zRX#5R+%x!jsRE506uw2lpo) zoB4Rl2Viy)ip(xtbe`A40^|rgp*UU;!>8 zkq)Oq+EmirQpN$kpIwoho#)hdW^Y|B(ytww?p*3}`}5X|gZ;9tl-`5kda8#OW0b!~ zF|@ACP%>4O!2qL2Cx4pI7K^O#^X)hIv7A-BdJ{YA5GAZNQ8p(zJyL*wulS%eFjB{O zd|3Q?eR$BS<=y7$>lRd>?H>0@nEO>JAg7WJ+_q+ai~a_>*#RcZ7hpAUz& z_*w$Nq^rf+3qM0!GK-C8z^WQ?PrDSf)EA1utTnrB=zgG*Qlf3N`DhX}@B@1k|tHR8GyyWNJi+hr4Ft(wvC#uu;S3n_!!%%zb$ za!H@FWT-i`GcU?d)lOjU7okoo60*;wl;LT&Iac6*Y9`kNMGg`*CU}<1?E8^PG`D)O zICtJgS$?%gQJBM8o+;mVl7={+S5zqFBH|gMRwn!_&BH`pu3eFxIt<r7HjCSRjqv zbhlm5_dm+>Y;=qqPP~_sdRCftL;A!5^V>b1oL)2W!Jo%+@=Zz`O74E|d?gQrN1LqW z@$%_3%%^xK#&trviHk3{9|o>iuMLP4a#mH^bXlVmVX zr?fat(EEZk&!_u{QAJ7qcP8HCDU+pXJ5OT}qcgEoGj|NED)d=F}}lbvmMgR>Qa<(Z6z2t5wED9 zX)E2Gx}XyGH|Ja@b*t_s*f}ARp>8WZsKs(IHs5v;-wvrJ?nH9MkjkU2e4!*fjpcsT zd_C>9!JU}`IWzNkuCdfKtu>v39PE1l5B$^&<&tFdLnTV2iU|6~Z%h`QJBe;LG-jqn z?DiYtVeGtyuY}EU3nYBwu#kCEP7uW$DuOiLb+B*7x7J~(u`OXW#q$Vvr^P-Xur|9L z@HACOC$Ah0)(UH~WUgN{WR!T(hcDZISj6BjvgrPKb&_Cs@CWF@u;!nKetK14eDP92 zP3K@mmKPsM*PFLtWXLc~S%f8|`$dy~)+VtlZkT^d70P(s@UH+JK zZ(Url#=-clAmk7{Tt83*1F0f-Xz~fJX$=q=J_ZsBgZu`G_2&!zm}4-)dMrLX2FbWv zQFD?a35+>&C;CU={sIfuLu6>iH2KC?;cs5L_yXLiewo` zwFqoZJbj`}i*c5DX|ZKC*e-33KQzJ@z{Die_}ci&5(r|vvI)XN*T1-H)ND~4{{ZdK z{v2gPv)82eT4Usr?PmP{Mci9Pb-8YB-=qQ(q97n)fRfVPlG0sDcS@&(paPO2ohsdp z(kUSzAPrJVhaey#An?v>t-bfX*1c=_JkJ>KH-<9c&lTr6&pD6dcZ^+rla@!l$<{%s z_VxZ}N;-`eURFrg={IDHKnP+0>^49qdppmeZIG?+xk%jqw8IQ*RjY%K(&u&qB#A%e zecLi|N19D}zB5uw$m^RjYpILO>wXm66}FS+Z3Ss7C*gRNtqX^cKra`GM=|@=8wOZr zGhjGRqgK|kLYT>{~XMniKGHk^tAMvTA8I^WgH5?&To& zYoM>O|NO0|e#xa%rB6(z^2X8DJ}uL%$d&JmogJl4DhJGz6W=>+X_-r4WZPS~#257i zOpKcP%-DSHNwrQjiljTO2t7;%=wY8-T!dUfCYPkp$q&6}>9TNs63m++(&|E|6u5!& zvf2~!N4{{R@p9G~<}m(_y{<;7AhwF7_nXi~N%C*}u)bVRY(++gAN7FmiCLc}u)$cr z%3G1096e{d3#axh*O>6jHf@J<-Te!`5<()0r4D=Op0IqWHq}cd#x2fgmzlqHcT1SZ z`i9I}XAX-&2;?}jR7EjbPwEbhqtPz6fh{2R<|FwB+?^dFp#j`c>3UrieOt>N$F2Iy^|WTLY|+m ze*ie=zgcYm@ePZzh8&My(VH*(9ev@kCpm_(-<#wF#51e!7C&{fSdOWCyz3xzMrp+P~=2sn}Zm;zWe^0*w)C zbfgUnGByaxyLiUJd8t>%tYv#6zo1w)OYV3Mp56Tp&ePP^2C0}luq_uL(APa-qaU3W z5qC65AF=swj8eDr`@;9jy1#;I9PTvi7> z{-Yj;js~BwVhVgKiZUajlPaRu2=<pk$svcYZ382_cna)!ia0{k;9qh`p4f{ zrA_Q`&Xz;Y2kkN+c|Y%{%t;le?fAe@{B#s z|7>RKcFBJ7=t@dqDE*K7o%1WS+nmI4VFG15sw>LKEO@<^rXlZ9xUqpZX{? ziiQ9qum*k2)Ac=KW4oDRJpqw-zryMJU5$iw9so!v*c|Yub|*H&qMZj#0g@`WFL(D2 z*Gme3E_N@z0#ForfFhmh4wZ!@AC@&2#pSipqGUB6&6|I;i}`0_Bjf-daH7Z*D6F>e zr;7c;yZ`$lpn|coazQd^8TmXBqM)+6e&h|~mIByXwYoZJkZU#56fhhOU=f)Ki!P~ zzV(Y@Ul=!~&_h(l=Rgvj+?%B{){X&40&|S-<0b^IK(o(BEcGxJX0GV2{RX^_SVv0D zKm85YA4}$6{X&@uEm^~oUUOdN4FsAp?7=eUVQn*#p9O0~yvxO5 zX*3$;&lreBe-9c9o(+W%_&y0fL%I6SjXytnL~+fa2N{NFd$n*_lVfK4=`RcZ>68BP zq4+mn(*cRD`$N_^>%^~k<^R)#7X6NqZ)yG%cDL~mmQ z3{%zz*1sq_5c}Rk^iJitN`P})h;N4YlwyEJbaqL-o-ijLf#G8pdvP@IytEMM>3U4; z7?5Z*vSf)FBY#B%`7fR%|D9{46R@W-S`z6B^Axgw|JKXVuMQ(5gN3ZqRV6=Fhu~N6 zXb?q;W=Mq(@@J)jk#r3NA^p|SxkJ#fsN6#`Qb%A7sa({CD>vtdff&Nz=(l!^j8v>4 z;d&B;21F@?bh1Tyb(%iVdP}=F3y8;8KuyR;ba5I`n?CPU>+@mptd?Ax13B%2P$Z)J z8+!zALp}s>D8esbjG`)nCGgWMXsGk8M+;Ylwh}%%6N0@s!zASZh*I_LXHDe6RW%I9 zw8T*B(Hn5d{S^XHmNyiZGWi|GDd3=%^C%;Ms`rf@^c@OQhgV za6pBH?g#unq<6Ch=M7~Dd3}i>G}a4o(7yqUL=lgST>=V@UY(BKdWb}*KS}hQpa71R z&NQ^$Ce#%w```>#v{}Ea$OTo;L;bJ9TlKrchztVZ;_w=5gh5NV|2{I9{r=Hj3&w2w z6@q6oR)=zO2HS;6p^J9yCEQOl6S@-nx5wF!Hj79=Kat zWcN>K{fvy4nT){nzX-q{k3>HReIFN3g}H9N`_@eU-71e3QNrmj&^}TJS-z?VRU5|E zAY$KOZu;rO-|+ahF{~z{GUuDM4pY@Tcvmrbf58=jF@;%6~U@W4at2L}k*?-!ycvuaIQN^$wmw5>rj zUY3^^;BIrllaW0L>*D!b=+RCFGfzB61`Mw?7&RJTdhF5h=|r*(s}3+~zR#P??#uyW zLzQRRCE9{@bL|8Pq51g13{W3ypF>$9_R?BW&q%HPa0hu>0gPgD!QnGCg2_TaNPhl+ zMhh~X9g7*9@=pPNQ~*wLbwul?-j8IOgPMDTtgbJCO}xr}R=Cpkni7cpTd-$ofQpcU z%%zif?DbLfZsP0tcYAjIfIC>>y9AyK+8gleBc4{--&%O|EMaaw(T;dF8`dwTq$76zTE%ceJHvJkI#ixrkD`)b{AJ14Sd zE<8e6(&RmBQs`9V>;`??!lYaKd;$fbzm$;)uyA7j8q+(r7wICVr;I8C^^&)@Qr&0h zR|^6V7TJ405qRHa_C3|sr=Xfv?LU{62yz2E>-es9nTLQQO8^`h%(UAvI2m1`SAgLn zehPOsKKMjI5*zpH&oas;2jQ17wEl1jheC4)A&5ztHeSAD1Ez79Y7MD z3rd3J9Mo5?&~MiS$xw2DINo)0Z|FAZ$MBG;phxN9^DR6Z2tMa`&|^U4Vs;%_{tn>* zEo6XjoXWu`@&L)52n{iM4GgS%`A7uQ7m(@UsPIyGE)e#xp#+v90y+?AHUjL?qi40nxy(Of$%o*4v=@86`xy81&1;^SoSX0!3(ae6MlK~#DsLROQXN+y;6`Tr(oK3BV zvctt5bL)PD2_Fe7#TJ;cNv>fp{#H&wg%rH@J<{)|xKTuZP|SKtD#4{;nLk{p|F*lU zVB{YIvnL;tfmO^rBK~k!UZP;kSzcIL7=)!`uY=rPyP=Dl{R%E`S@I81MB1#18v|Pq zM=D{ki;9rM(9{4DHbp5VQoCq&Fo>>tq2qq^nE)B8dX8f1Pt)6epg(fwa+qrtO-8in zlQ1|^JAfR}r=1WLMxR%I`g2)CAK{ZR1j5S>nea=%C%d*v`EA$J4<5MeKK}K>w@D9$ z={+n!M-kgCyg%jKfF%Ljxi163S)Lh>3^9qfthb5Mp+BIL;|_v7mTnU`#;G145}D-% zvzZLP<8=d^gVhwTxgU?*agL{rLvN|_AESr;CY&N+Yw2%ep?GoLC*-&Kzx_JOS+V%& za~)g~RZgj)AIF^1D(3a6dwxZWqKZ)&c`jA=dB7io*Pn6v16C~;7E5K=CQSJ95Q7x5 zsEN@KleX5S=nkNySPU$|^&zo@M|$Smf?4u4yltaOgF@F;SZ}Q*i<`NGAmTSJ`rOVy z6RgT}1JAFC2Wqd1-30wNv!a8qc9nH(E$r>OIgFB26yE2z-^RcL_R+~{yT7HS5Z-Iw z!6Qk|0EF1%Y2MoY9d5r?cJ#UKG3byA!3Jiou{EwS%ktQg1CHQL06Hoe#w5|5b8)&o z0c*H!IK)p=x(wX*)z~8G^F}!5v7K-#fKnzJg@UCsg0divNhf{oTXLwawX+*DllHH? z>Vt&2amAvq`bv<3!~hz*8qhRQM^FWJhfv~cz^B&$V!3kNMtLZ5kTgClV_Zfu@%H>+ z?4*n&C0!iClN=y;^aeQg56;A`oNC^)i?t*_Pz>TI z9_$aT5o7Q>RFPrZNdDsY+Gfiw*v|KGLxK8EwZfeC9%wHGAj_kJ$f3#%WQVRg1$yJZM^Zmvm(gC8|d!VK$4pI@sKYQ0j`F#%{srX_vn2@I>vg*kZA_i z`UZ<8ZAHRzzXRD9&V79OKnI+mc+741^F^rXWk*aE1JJUWa$!ryBchD%o|}k^FBi0k zAM+3Qn@*=?N!YKY27^bChj{b_fFBqJxS$Ju_x!H=tE`lx&5G9gUBAjq{)6!WB{zCwfk>~+3RJ`k?k@Hu~irbk0v-2*|F`GNmx>*zwq_aB;l>a6a@ zMM3sq$Vb21kh{2hoO+9ed3GJIaL+;MlS2rX;OLISVYfPRz~6dc2p2TpYAAbV-#VM0 z{niWhSq{5535$fQYe_c6Dxg<%(%ecb*h&VgUoG>}ue__mSPSMgFT^7aWBjKBf!krl z<-V!AH+yS83g*3_x*%oNAq&6fa{v+Vj_0s z4fj~?{^ZU%f=AVeqL0H6h-UPxM6)o7903_afnlMBEE+oNS0E~nH9TN=@eZGoAB4_$ z;)p{b$c?i9a&dn=qV)yTt2`q9?pI|^x}6Az`jL-hm+D+#2ELoO>k$Y{kNaER3>=@Y z<~3$K&4}QaEdt@aHQt$}>}FBgwZzq#hB^c*uG8*`i+)6=kGIT_!~tuj0Pq7c zMq~HrJ#LoG3;bw#ii1Y2G=xQTCVAYGr??)PplM}U22>s0(99@#!8FMd)(!m%%`G1< zsISpXQ27I=2g+;?5uoHpne+7yJ_82`aCPi#BP(mW^F)oa#k#K9on~Gnh@Hxr^kY(h z<2jRYDD^*w?=IC;ce19x<$YS#+J420RZ7?6(-VDly!a11xNCX>vOSjM3Fzq^_7eNS zUh&5^vR-}P_YRxD>Y#DO=UY_#0G z&WCWJ;nrs%aoX0fTE|V0Wzi}mWqwt{p>XG5JCyPvZEUTGg zDCoRwSbBNblY&DXi#;7yL|tg;wJSizbkCgR)~(b$R;ed^bdQVPd<|c8a%mA@YGN#H zbj2Pu{xK63a7bF=KJBXI$uQ5^h?gnq4u%|$>OX7cMmECx^1s>l6UHiE$eC_xjPKflRkWF#^!I^!c%O5{E{)FH#3-pSH)P_ z5*WK|O>kIM=6Ltm9M#S{Mzdr#jyt7bKq|_7ueprdqx9P=B`^0=9J^rC#UuXrvv6qA zSkd!E=Rd~%BJoT!D6iiYH_lN)pi13RJXQP4r^{8_8WdH1?EKvUBN5!2j&Y&Md3X&B zm8f-DL+xmulPhn;q&=`Sio!>kgsMkb_28ho{q0HWSYX7fFF$CXZwR;q?%jy?wi8@- zXW7x(GPkV?dVumlN>|fY`{N`pOV*WriMX~0L|P}Hd(hddioQLS@5z{xs>1Nqwr3qj zE~9X!N}yZ>7`--6+^&WdsR_ucTP|1MNmZdmgs}xh$doeQqhlFX6cIVU;krb{8n^oV zfsPk(jjW?xV`oB%CsAoq@2(3T(jHNaoaw9S@aNsV$KSv!0@UmRzhVjDCEE%74vmT? zeldR@o@7s>&PjjC{BxOA^XXZ$!+X&5Kih4Qv<D zHbRv-lu}HojVF-$&7|iJbA6M5EI9#YjBeB9YqJEEix(&p+t(iX3H`vE&!WsjcddNn zEGjg5Zs(Y1&&FaxG}V?}vqYbAr60TjCIy3id;W*MB8cI6+^ZGm=0R_QouvhF!R#dV zOEKxg;JxFZ^>Y{Pz8W}!YD%ZphiZvsG@v?&okiaM)lT$DU)*tAzsvLWZ~)1-etvrN z&|dQ(+=!hgvTCk>16zI}LriC8$jZlFyZeU55nt z8n534|H@4L8IeE38Hz$ZxDXjTSAEu-cOG&*6S(G$L#l96+?BCRG=M*)Kh#D_%e{l zs7ziPn0z9TdS6$1_;-BSPdI4E=PO9&NgS zQI3UH%y}(639Hs|f68HwD5&%-R0ThjKS`=E%OTV`=gg5+jlr7Mr8iIL$*A?=OqD+Z zFEf4`X8pwXYDjWS>B=QvJ~Gtq{{Cfq@X@`{4ap)W{4RX3aB&ZGV+;~)Lsx9c+|Ax6 zary6y7u&xiT0DQiDBn7YG0E4Lk2ZbJw(Lo45XPtpJXPn~4;0yYf+(rW6Ju0E59yBL zBRMx|uLmr(5}R<3Mg(I;E0$gwK6A7hLcAe(s2>cgS_jes(mNCxMnFybjU+-f5PHQ70mP)DX)ot zN{s14b?^uv^Z-*3+Md~&G)ms@NHw8I8-bj!VDe92I$U>>o!{1cUQtyciBo3r;OxQL zkvM@+=GU+UcE1yESI{M8m(SI^0_rz=a0f+EX#y)H+(iNpTdhL$1zna5!gc3rW#^;CM0hDg%0tXeC2-3<>=#T8|Jv8!u)D!C*06O5D%72K`so$ow!QtKRaGd)A2z>?OnQiD1kayL=LsewYP{z4qoT9yQYvYXsZkJ6Xun)Fj{S1YASC@En68gjzNp=K2)@OSc^JKOW zc07W|*K;4O(<5lkl6vfg`Kb$r$U1qiNYLH{;zD?@k#N@KEs0Hdq&Xjc$&{!Qz{tWg)f=?^#m9i>8p7Itd8F-#qn%yY>(HWDb)_$^vk)z(3QrqLotpW z!AJ3T@(px5Q`&v_#d7{rh<(%XC`;Vo$Qfb(9YjZ{y1eMm&5RQ>7C}J_2GKalhDvU3 z{Ft#bOMT`1Ug9sA4oln@T-U~=M*MdsbKm8CjLoCw(B7-Mol~H_QIB{54jpEj$8G>F zu5h64+r7mq!q)|srurAgUZ(OfR1zkRkO;C&c1=xuZ#q5R!m)d489Ror?O(og(zPzI znil%~# zTM)$FXMIbPbtH14hrbCl|IO8}!qJM@i!nCqCSDJ(=SPAuev~fUNtK>2FQ~sP( zw$UC*xR3&0_(s!#Gpal`k! z1@@E5Z22AwHQs#_Y<)}$*bV5`l4ypKKam7SjYCbiZ(wbqP@*~&%j_|XTaA++HUy}W&YeKZL#|& zsI72IC1&;3qv2RC@Ug=~71#0oIT;^|p7nRjUgGv{pB6$aR0ZY*md_TVSG6_lhd4wR<4Yw- zKvAD;9_cUlg>_nq3qd>(5IRHm!({Q@X17X=I>K(eb&Fq9v$|~KNuyr*(jvmVu_D}+8X~PF~Cxy{lZ40ErJSD zCC~E|5DnVH{tKY6s}cVL3d7s}51=sPFXiFhVO&U$)Ka1fW(r;cyC(5lumcWjX$;I7 z_f9Nf8Z&k5nS{Aurwwh-cRp|qfm`ZC{cy!4n8F+q{>s zuZ6IU*CP~0cIr`Vq%hp|jOjm1R01u8L6#=7ugCs;-6RrETim5V3U$o1wGYDo(!mKD z*8VQ68xR}UD>ZUc?X1dtrCOA;&qG({QQF||beQYlyqRs;IZ3BV*I9diGczPT>m1TN z;)Ldr1iAzbht>kS#Hi5r+lvjku{%dpvlC8K9Y=Yoy$d(!3Y7?rl%+CbY-&W?Imsrz z3x!Y0KDZn4Zn1JEw~{BEMDZ^-(3REEFr8ieIUaHjBQV!|)f@HaSTUkccMZ1ED9ICM zrpKKNu?kQuh}0V4B-ZaS)7!=tHs|{I0wcL1?`oKk5s?+Y3z8`-dznXDHvI97&Sbt# z$`1Zs-z&{gL;&sb>VgA4yX2N;0lvsj2M$Juum}9MbI&dTy$aQ?pogNcM$ICF&s`kz3*&1esG z{mhv5ed2EC>#3haMhmi$S)WGHT@5=BxxliaYbhNM&>R$fG7H0$O=wF6s2#xoY>V$R z6|}7T7y};hgmtz76y*eL8?$e2 zCoOTA?R#7R(Y(MteRtt8@&tiTq=|~U`|8qOW%;XJ=~1&23Gs6@W;on9QM->lh1YoF z8>Lr^dY2a(SUU|I=oj~-%o^?M-Tr4X{x3uYe{6O5e6;v#6T z@UrZL`fY-fSraL{qF*%u6GDE4FXiE@PU`nkB*5LKW zpm@}qOQxI{Q8UZb-D25A@;esn1@2GTHgPMLoBd;XYMq1E+`l8wTLclEe`@|bzgu0i4lVg zc)*DYSmDj49)QMqQnBnr>M0Bz3x%nZ2;AELh6UTA;jo_(v=8!KefdQ1h%okT3~YDF z@16@He4T)10g6jxy-Xzg)$m^EKc>(kdO{PH|EV5>R)XG$FwV3_RTdha{cF&Md%big zOwxffkkF2K2i^>AuUG5CYD(`V&91v-<2dzw-`(B2 z*XPqu5>3~@%Ip5mY%qS?-`HT8E&RWM!8B_+unuq&6;FeiAGS?~%^ z>H#oyjh^Rjy>7;*ny?Fk6%MBC8TX`O`^Wfdq!`}1L+?zcghzgwmx|xTa-oB& zygo6`Z~x&%xmr(Ba-S}Hs>0Quo;|}aHsRr{b6IvSirI2aTlXq|H=mM<$2IyVt>Pb_ z#ee!bw-+O1X(fPCEX%)XU1|eLZcVqF9lTH{7HEvcKJ?`n4C|?Ohna__1}W!OX&b)2 zK0h_f>O-`gU|zt#T@N)}Hdjl(u9>j-T<`>}*k~Op4*HXDw5>NEEMq%Da?X<8)n92- zRt`BRl-%=y8Lj3B3~BCJC4R-jIQF)ZXo3>qD5u`wUvt4Cn8z3IUiNu)0=@yJN6Ng< zC_U!c7jA4OZ1?;YJ6;1Q}9f}-l zsMm$Bb;q$d;5@&+?BOZAir{~&E;)W{e_D86nxH$yv4d=;DR;-g)IWM0Mu$1SmA-W8 zL5Lnklj_0_+0JqjfLiR)Q7X{V36o5+Qr5GWhudq1nU?o~-QD^6xz>v3k8QI9!=qk*jARu&Ky%UKyR#Jy%1WVK3k zA?H4~S*AFui|GTUtlQNak(`s!gjW{0OwL-XWtRB>QS*C-a%b`Mdk(uJq_-9<_4!XJ)EfQfmiKxwVb~h*zb00qrJW>qzWo3p+wOd#@Kg5a%TOCySYAhr^6vT zW$3Gn1j5Q*n`bIl41)=7yPR`YK+nN&KE6R|pd!s*a-HP`Obq&I<5h=*44YB5rr9&J zn#cWw?n3>B$$Q3+#qp4`lV+!7xXLn<%Kh8>AOD=%%sm{wJ#?LWKF>)A^d5j+` zy)V6_{phMawPjmT0+Rs4_q0t%y|0HTd$!OH+(Szbks&R51hbJ@+m7>>2MIIXY5jb4 z}Q{w7k!kpOBtS*H| zK7+Hs;Sx4kYFieX4@-7gLxEDUV0_z?0^KRW4H^Tws6g?W%H+Oxbg3$JoDXH)x6V!M z>sFiIdBB@kVWU%;AAp`S4Q&^ZcjN^ z9|*4~Z|NxTei$pH51Tar#47R4(S zlzy+s&*&`mZ58heD_)T;3tPYYHN}v2!!{FUg#Olpg!mnOi&rOvIZlqu^i8;(-RMbY zlg3K(uE1e@8kPDdOo%YA^PBd30vUxC?AAdV4bU&sbRk+d^}jgy@(R9Bg1C3f6sOCI zGL%2Dfv3DGT~)Y~;1A0rRr8Fkj^DspNQ}KZ8uq5@Mk8_QDJ%7FRwG z-sl{IMpFUEBb&7{;2f5%2y+1SNs(uSdJE>LzIUuBhvEz=J0djVl4dV5QxF^M*^0p|*DflzZjZL2Cx;EWhsl)5C z%Y*Lm!b``I4}aq(w>-G>mybxIXzf>#HTrMht}&oV%%15+>UDp?L{t-2Qq61*tSCkF zVk{hJo~n$yPLSxzL3+rsY1XkFg6^996S}Lk!niqUgvIpj zZfDq!p0AhLSZu%+mXCPRwMOy|ouoIQ?qqi@jv>GSg4dMNQTie2~!Z?$|~HE*J~F_#=y@dM?3m#Fb^fFHM5J0VJXE$Wg;^|cW7~HU$>-T zYOO9k&nPWEg1LCFiVPEpdhGMWiCW97o_xzc=pxSp(SZj1SqJ=!Z<2c)J6UW_G}YB} z<(O+E5b=-s>slyph$+_SPN|>uj9*JNUD&rHHQ@_<65C_pTh>&uTQk!o`NoDCbEC&`MuOnZ6`qqX zRi17183Aly!XPiSR{B3IB1aF9XDThWeaHiqPo7H|{@jXjH*_!V->eXh>!W9#llqq6 z5>=*K*CwZ@DQ@Lkc2{QMX5A(VSNmiMzgvHkJ&& z&_HiB*(*!g1kKAl6N+X-fd~+%vH4X~FgQ%J_PX(5v>U0Cbyrv0RlMi+my2XK?W7R2 z9C#^8X$qE;{_f7njx2*>u3p&;=}0%JH{udlWZ{zh`pI6s^B}Z6lVX7^*~nBSq1__| z9d&geY@cX8jIlduq8Ear-=31wh7rtz&1iv3z@}ASbvqaP0YkTrBFN~mxGX=sq<3au zcYnxl^-zsjVCO6|4Gr~XaZ@>e7@5%>>&w%IXD9xL#PyIeV}4VZC4ARVf@s;ZH@ie; zjQ&aEBMm+*+-e2scu+jvG2$_;Dd43rejau+`WAUj&lZSHE;6!f)PC1JGfUbzNCx}! zp{{_ubQJ>NT899af+Ck?*tf@3gorZQ;vjT zqu~N0=yH}GNRzA~bg9od>-oW;91DHCqsUU5e9CG?O&X-wp2@FC6Dl+#;GIL^vgk_@ zJpjcX9j{Z(0u*5ta(_&z%P32R{9-4pAxpnK!R60bMTAO>Wmm}&v z&l;LJQB$ehZP#mJ-Pp7#&nkxW*)8={y^+(G)RWo1rc7H{u z*BvX`LZN3$gtEbT1Y+8JnA{0IPo2V?GUKGko&({Tx{;KA?xWx{AbBs(@A3Vd$$7^Y znA^l*K?|ETap@NnhYNLv)+jgIVU0~UZPcKnDFfkkKCGTOeGxGDnua|z&!rL8fB=gY zm&XCGl5Li)wXW#mD|qND3hk+DZ9ng3l$wRj(T44r0OmbfIXcvwFc3AYIlSHZI}2di ztAD$%$1zK*ME}MIo0=Y$bmFV!XvNn^{L6Bth`nGVWJrBQKgo@$cr7u6vsiBOAz`mP z`WP}#9+s@BIEK%V!(6+PUa6SiNbXOKzeLQj^Y%Yrx1>$+;{_q`b#2@v(ls?CmB*}` z2=gooeImbZ*WrO|+f)3&Z`m(PV81F1C^LJG#;w}A`GiR;my_ZwA_TiZi8;4$VX6KI zhTs^r@%I(TbDxPyy*k3r`ONy1pF}ff;6O{?Giz~b<&EEjS-htrnJ@p9Cd4t3b!pyq z{3wu4Z14l7jen_yEo7yS>IMh4QnY*r$4S8zUt!2=+i&Eb=q|9DmHtX^JjLVwtXoc85eNv9&zoOalIXbMAG51VyG zo?PnPeX8(9KtM*<=@CJp$`D_OF;!dAd!m|4JpIHwyuY94o_|(f;Sh`qja2W32&D+!GVNTpikqJ9ns?5rHN3t?@6@pnZ6TFT8YM8?nfN zC0$TGPqX;}W`CFJbXKwUVYK_U*ya)wbf;eT&;KNB7C<7g?%^4RKjN!|8MdZxG4@6& zb0;Bh4H#TmwML$fi9i{L#@|Mf^l9K4b;DIB&8c8!|3If+IxzZrteUAEgT-CLfriZt z+!CD8quWu^R90D0!A?tYwJO54eNvfReEYBJU1B7tOc8-Y<9uS97pMH3JYz=NO9k)b zmV>zGf~cNNdi{?l7&cYtyRyHhrqZY#xD)Vd*QR$S+I8d6&b>`4sEE&d(OGkGE+th! z-1^_u_W%6vxq=ut=2jRP*^nfE*AxNMh?-(HHN$on%ZVTODzJyOxrExUEO`}5gIow; zrBm_@9ECLGH#=qPw{VHGt`5Ef>8_QT3C{`G4Y`WSL~vuuGMK}9K~;WNPMYl^yVF}Z zw`y<;IPR}}pgzxaRzR_n?X#3=5MmJLg1rI21<9XumJ@P5L~w;WSJRF1=&pBO%u79Y}#tq{TG z!Axjp3}^bN>BlX`u-pwJx?U#QPJysUI48J97?HjK;Xr+J!~mk_RC8B1hi@LCdaz+c z4C&aSQhnr_W>J<%d;U?`0SK%schWC_s6llll75cec}bq5$Fm-+t^L7Q`1L(LVOo%x zwmwztyESfgr7uM#V3!pomDkZ&oozkEMYip4)GXU|v4pO3sJvCJ@7kxnQ2v9ORpVj` zo+s2!?p4#I&=Z>V>(?KL6+8Y%Xx69FC;tP@Y6MiYd7L}bvRMU6qbEN9%2f`za0acD074vwG-3&RM#O{0gHwCLX` z>sE||OhpEj%QmfGb3xAo!EQc0w3E_{4dUak>H(XK6F7*xE2-j_`&H<%(msGm%isxF zjIl1mjTVkD3-Ya47LS|Tgd6tsQfc53>REh_TC|Q%q+R0t z_Q$%x=^7Wvd$;mHAfU5EQ8o20YvjA5U2F8rXKK=OfhE(XidTXTh2A zGu_IMt>dZ~aTvGHDsW1db066t+|(CEfE&%@ciTviJv!^)f_lzRu{i}*nn@Wy^a7K6vWTo z=9!`HbtFAyy~(6g{+8V46NN3#3?J{=OLAb}Fbu3BUgDu2biCNViKN(v()0cYB9>ur zL=Bqa73NME-s~={`{hkAEd7=;(CgisjMNDMsDd-j|A~inC-Qe5mh+dORuBRUu3xC< zC|1B`-KyS9l{>pL5IFVqY9Z6^sWi&2$S9e|O`n$WC+{)7PKTC}N1c|siGZoD$Th&A zQM)O5(%ns!Vmo5~!DU6)#yN5qP%P}HBp?AZJ|-r3VU~}bn3~_9r!3M>5H{B>_!%T# z)`!q0j@9tC;%&Tn&J!8>eZG781VexQMW%VCg*N%{^~-d3uHpfbm~9a|WsO&<*Tjx$ zjoU-QT$7Fm0!3fd9$%bftq~)yFq@8;`SMZA?09WD`c~?s;UNE(>`E}ECS`+Kd4aZN z8n;V`&#g%Z7WGI!G4f%ZW44J7z7seJ_-K$Fuie2eo1}y|Yqc%V^xSoXGvwRBPqp}V zqC^7);b^yf5P+?QIZ&EMJ!5zz$(8OdSFvS!^1G%)Hs-_#;8$MDA7LRO5K$uk$WNmyrg4ZKW z*^vAocgBU5)oneOxoq+n=3aw&=TgQ3-f9~D!wrFhAw8g*)GnNU(mm!82Lx)@iI$}^u^JkVE8R)SqhrCsY{ zm3so%Q;R7BfQNO44R9}De{mq1%ywIfZRb#=-RtcN+}5)MbnEMQNp?jWS}eJoJdwUb zf-Uzl8iU!19j^t!gat402(v`N&hi(&m;Gq59-Mi9w9emWdcRwG_SojDU$j2sf!B6& zq-&bDv|d=oPI|{@u_7LMsb3P5JJBdhy5BuLJ!r-LWv-Q8(cRnVD-!zsAT%w$sg$H#=Zweo$etbXO zw0Iyt2(ns^)r&oGXZ^u?gURoOm>YLw=`&!6Y7MDQ`WQvk$Ab}OvI69tx6x@?>po(A>VBf9}LBph{1-Wfq#UsrN28t4#@O zy>;5X0Gq*;qHZF}NX2AYx-4cMAZ$I0pC{(V*%JhQOsP(jS#`B?pg6Y=j zKxQZ%lL98j?e=nG)H25OV9awN%!5qh${Xq0Dj1R~S|k#s%0=UK<0ypcL_OCvMXh8t zN>v(9Ju8}~PJ2zCCx6^}vM<;lZ+cTrBvJlmyz^4tjdubb8N zIoki`-b!rQEpU@`n^~uu@v3n%m|q&|34RdaDNQ1n>~SVUgOvbDy;Rdyr#kbT`{KMG zghv41s;8?G#-4EqCXplEkzVXD(NW<`JrfjmZko8C4Q(^s;^IJ#B?F9R44gP-8FyS! zf2v&q+}W7;o6FT;{&FMm#JW%hyuPpjY0(b zcJV5_G=r61XuT7x`H6y_<#hIDGtQUI5k{8q%*6MGr$fvQ{qOoR!k(0?#83M+2^npl z?3HE+@dRdthPcN@-GA`S>+_Bm`1tm0(+DR3MQ!@l>_X{ms+UgUw+g6Y(ypQ5;$CF<`!QIOSk6ImcvE`DjKeE(+72DFg#3l8O+sKC> zvN2SsYBOQJe3;ec+`IhaQfnQ@S_4J~F{!sOc)&h;eQ#rE;m7JId^aP*`Z`g-{l2RB zL~adtAztwh^-byFA2Ls#6i^2Dj3$)zyg9NA`tr@OO`GGh0J%*JE7YKR^?Q0ycDFqz zq7f#Uop6)3?Q@*9a^ov5)q73pw)pho**4x@)b4eqL4_MIFTk)j!LQFyC9ErQmyL3e}f>GFdQ)ZtkC%NC=V0`M6L4T)LTS=(&Umnn*UZB%JTbv8beim-<=6>p% z&=ar>tkR#}hYbj=pAgPB7g9Q7p|yual;`8$ItCBLGA6WXZrL{;WFzn<5ZcYhHi04- zyPn*X0o=oHESPrSXp4Pfh;Xq!9iwzYr{B{taa1kj!00?`7B8JE%iYQ@wT(y5sZL%h z@X{B;A0ZiUC8 z$EI-YW>S_!)T+nEk86Q`T)x{Ukh3Rfbl9mKl*7>5lF;M^Mk@Q0_Mc|tpNIuAY~K*{ z3wxN{?>xf5d4KW~e^XhxN21ve7T2dW=8N62`Ulk|tQg&uKjkMc#qr$R+9=&2Q$lN( z_>I36He2eeTkDdy`~=-50o=a#5WIk~we`ze@Bu|FLU@g#ku!62(fI(T6{c`*EcZTe z^8d`;fpzlr*7>nVa?l5x3F0BGk5|4j^Fceg^vxl)rVW)fWof2uG+k-3NH3$RIt z%13XuyM38_2W^O<_kG@f`ZJ!nqQQ*18uv0M-TLAormqZYG+KOyovltVBejO7|Q5#tg5O}5et=0|4(|QwG|3~h zgd?qKbY~bDH8F#FuzXwSFaN-Q`lU~tZnMy|nlygYJT$GhA$ylKdHPUBVe@-|CO9Z_^T3L$I5qMf39=Ne~LTZLOz_Ai#KJ@-h2R;9&8Dg%@V56V;8G(li7~0JS z0Z2k1rsj$Mh07%R2}_+xccd`!53kZyd{htlS{O|)f+3vkxe~b73^&NMxNXO;s%6VZ z0psKyXmzeN9e+>eU?dt4aNlHt)=vx=Vg!a(qF{27GbSv=oVp8nbUknqOi>&yT=E2$ z+X8en;-NKkLz&s*1pulBK~j_l%HTP#SJbjKUxe#mG~Nwm2qVD0b}|IfGoVi@NXYyR z*~`ozxx|VK{n!$8&l`{@byBnM4asieeS*kAPuFWTs~na;z7lCkF;p+`5$-gj6Li6U zUAi*~84BRTi2Mdlbq39_{Z*{3`%n`Hgi#7;vH}gOe-KivX(3U7EL^|!Dq9+IAqHuX z#f*&GHUS!$-8E#lVJBZm4`qH11cOW+^on0$JKV<}$dJ2#aLH^H*6C=Fc;FCyygHuv z6Y3o1?$_xm$`8pQ%+B;^<-?5&N*yGxw5MStCc#IW>hc^h_CIA+x`TpIDt-hbfGgP4 zdXdaXh*JuL!bO?Qe_q=BVD@e0Lz+`H0gmjrvT;TXvp-AY53&1js!=kU8VQAhRtjdb zo3%v2ZO$&>r4opxM1NWp3`ndykOGngG?Kf8o?eTwTHT1iT`HT9f8m+<0^+ozws0#) zjFe80cSED+{*v2c&;t(NW}q*6ueeASr`l~NJ@&~INvw#zcfUq5TOs+A#@^A&2~c4r>pB#rk14C?ig%ba)NAxoLR%)v+{U@m^3a*D)hu`|Zhs9i6G zck!)9OTqzo)YZEC-zJ|$^+*|bp_ZbQCdkK_x&=GgOWPQbsvcQn{Zz<$hP?hBnlM(V z&2zD4&pNI!yR&cUU6{== z&USqZxR)bv>2lX* z-4-)zuD{lkE51Kkc6ZFl$&r^0A4tN=k>?Pe@XJDV(}SHwR2F4mQs2o6F3hGB@vTRq zDWnpCtOsftK1qZOpwr-0C7;CkjurO@Jdq1v>W_yJy&=$goAhmcO$`b?FQEk_=E`4mtwx5FpSl%cNsB_O_kv1Z-P7* zQo}??b!%aK<=n?lR2|0d-aS(BNg&8-6?+ILYorxKW%yReK$lExDq`TiwY2D_eD(4_ zYAN|SlF{-an5|%OD>IbYnK1Bp6E6ElImf1oxq%T?#_G9JZOAMa_P2W2i`bgSumYU^ z=Rzk0M?`hA2B)8xx(zx9)CED^tXSGGmSPYIk+RFfr9e`K0GWx0FREr__3z*u**Yw=|P|zUJ@EJK}?9 zWWD~lvOh<5j@MXkK_>OtmFK8)D_0+~IKf7$W_?W$fRon>;WyqUw$`=$s&f6AXbL;( zU^M2c2gonu(ck5&F=C(_MowRjNjBqcl4b3Guw}77j;qC95?L{<$7Fi6)s#^@E5xpe z_vlYBHCMfi_&a5Fy?mml$VFf4f8G#3rJI3GnkN)2YtV(1($(RH;9>wOn+>h27WOQm zwTbk4wJVv^u;cfe*a)EIeV5lSr7b)wi{Au-V_VlojCs5WMmJF%eCJ{~{gXkPq3klu z>48+NmpYG4i)pl2yV&`z)^??-PC^>8ox$+=aih_r;k>1>!1sy&_MAP)0Tu1E&B4>KRwqKeVt|R}zG5!*vGZI0W+yMOI=E=NAovd`%I9V@9AH|M8vw zo^}?^jZI#i$%Ce?`azmXWGZmD^XgCEe;5f^zP+7!Pk;W~0Vs|{KRNySm;+p}79iZE0uc_m(cM(6OFjw= zObY53YvfEgLH(8r{6MW-lSko{_`jeD>bb=*C&5mcShc?uR|Pj3CrW8{sVm$!e`r(Q zbRBiXM&nK0o(2fKjz~vIVlfgQ5^s;iyp?vzvVx`xFj+8i;rVXh0wrLa#!7=;Hqi90 z?CPmS9>VVynfbV>6h(VDh-?ZsfT@G!F8J3Z2wb;YcgM;dpd_Wly#8ep z|9hS(Z;szT6gYDecgcr02Z$0%c`zYHAVIxeO-9F z-M1ThL20V>)i7tnb!(zLX!8(kZCWsk#-?+kj3T>s<)Y>>IJ!MWpRE%Z-mw8rmP&_T zYg?hP&i-1KUR)%cRV!0p9}Qy$19-z{C%Ln zK6w@9TS~T#i$Ls0qH8CCoz?Xsip{yVTKl8#DPHGG>bDauyrI5nR^ssD?sd~+M9;%h zd<*p1bAxVo)n7QEGg#ezy^23YSEF$Y5#^`9B;gT#`Uk2cJH9g(hfvck@sXT6%f_pr z;RTOEsDQ?kPEs=tF#oyZ?ZQeI4AMeL?h)-JokX_mZWNiqo!>}9#^E~?1|f5S*zB{( zDYOrEYhxBzjZeaxk!sQTL*Q9Nv!U=VEI06A$CpiqoSK;%DFQioF5LUF(uLH52vDM0 zaLAUhsyKeRp%aY3oW<-)c|VlCD-W%Vj5WF8$8O@F28_!-Mh->X>^Sg8d?JeqDb%j=W3 z28I0sIi<7zYAu+e3DdJsHqo?^TA-X28nb2_*kH9Dw<0W2G<>*0##>O zC_>@Ar_g!qF;FGV`Q#wbB|O8tFPn2<*{V|i&=pSXR&X$kks236Wu)%bQVd}~uiBNLM1WwU> zEgZ`ns(5JJmaP|Fjjl%uj@@)7wnaO)UgMw}Fz^xM7aMAGJ@)|AFkHJ3Flg$(Pc-$g ztw^xi12YmRm^SDvJP0o&p@4B%vQUziaYAjvsPo9Oa-q@JVbFLJtm2`VsRYBya-yWwxRM>Qf{$SF6q059p!3cNjPgsd=ep*T=*=ERiReWPR8PAbd684_iFA<-Z!|1z6rD zV3sb{k4f2=XVWqLINn{a=eOhQGy*D^Y4X?X`MK>cKGq$w5woCuUhRJkA%K*lbStaI z_LN<{kR(f`ZLd=e=ZO&~;RuHU#@W?x|r=4*wGxFKi%{F3(k){ZIW+lMmM z*}PV9;lB&!nLMD+C||~_NouXkPrv%7*7Sd0p8~7(Y$9H6O;F`=dL}sJ%|4FZIK-c| zjQP{CnQE<5*2-eWcRg6t?3YPh$(+KDO5df&JMP43p7<~Nm4a!Pbl>C8{$9X3q{SNJ zgCsr-?YH93M$j%tecyh`IGF1Cf|d4 zzU~-Bx4Xh~n$p#mzt@NAgczEsV299v+p<%cEmB*2!+h_H);+P7D-UX0-in%q=o638VIi->IhRL3Tbkc0`DaFb7 zQQV$N^#z;m*fi}1v>9r^xw584`IB>bm{qvehJZGie{QQz;3>0~OM-cA8809iP-5=# z1WqhDBHhy(bP}B_N(oM^VNipMY?>~+?OB82rlR|<@DB*)~I~wLO&3i2RSiis=D|% zfDrB8gnOH5gVpy`hLRh5>mvqi-hzjplhXTSOmt-5vZ9&(o5#72rw<{X{HT6ycc81} z%!HEMGQ{}wTPsVN@)gP4O~^gy*?Cmjt>D#SREPd9bO^%co87ThPG-?Y_%td;;>TT~ zISD6zOrDyIskiVO;b5(GNezIF|*eoUEyqJJRIj2oi$sE zWnYfiPQyIMB#Q2h@HTz+_ao2w*VjB33Y|n;PH?N@G;b%}q#!V(%A`IG@clSh<2V*2dyz-_zo+cuqP~jrdwX;>*1=MDX6{yu=#*&JtlQK0 z7RfL9#ESnu^yQ`en`3z0!&h;-niOusOO-3ao%v{>(;dg+80ZOqDLSt2nT_K>>RVb0Lj?C6=h;Txpen5^Hr>U*R+=st9+<%#4fL z`JC)@tiv_FZl~YhhWQR5}8Mmf2ck723&R6)6{mw2KL2Hg(azbKwQ+~dsh!4l4TPYfx-*d)zxU>fI zeaC5F`M6yC-)SqGB(WhoSsIJ%EEd6oTMT6l6g^*-Vd|CSWLZx;(3Dxw}ic_BQW zLR?WJ*&+i$Vb>R%1X{{M2q2?Nc2*G2yZT`-+BEDHbepJEcOpg7CoYd=RDRer+ry

6*6n~;*rv7a&RC4$wIfrK_nk+LB z|DeLN)8=?cuhFL$YeW;PofAI34!XFWlL!dy8{fKCFt=SC{DRCEpdZ3%@=rM|~vfmYI0(iAmmAK7`| zX=<-57SoQj7E2R*Dv*iVX z=epEGs~?%3QpJO!y>gt|wEbC-kzsY&Ih8(!K!YqdmcZ~QF1y!cqVI-Ac%Z1t|B z%GyqQ_rNz05Xj8Pgh!LFWNE}F55lHh0xA@Jr%SrOS^k6F_BwErtOkYD7oR^6V|fNw(Hc55l$Cc{dV^asLg?<;r1lGxHhw z_41TGPrEP}PIz-NQK?Hx=7!$NksW}2eL3~noLkjiwJs!7(KRIVk{;iWc#%01=~En>RG`(1eI_(0C_^}-9=OFt#!s`bN{S-fPQmIp1^qy7#ylyI^s z!aQ29zAaXYZh)EP8O+Jh+S0jXYwB^A3)J{*QI8{!$aBVVB;k(WzIe;1tfnl0#9{R{ zPnb$I?@P!OIB*#+^-9LSAfAmpqtplc`-N0PJw6ulE`dpU^Lvx!XI`FO)RkVl+^Vbc z6T6}Eq4{p1fR@`M;WdGPTe^9@cI6&h5-qh}M;}DNC?ZvDvCB49SEV;A^_5-UjGyQf zT3h9z;(cL5d_+n95)8UB)cB@Rvyn&caDMiBwr~&!kvob^quKNpbdzWy$p)viFY(1w z3BNurdhcx7t^I0Ne23TciR1p9qopU=@;l)^Yh+Yh9(49nt@Y&^E!}1iA^r?EuX2}P z*cP28&lM`*vzygp9W~$b`qL#0*XCf5$Qn!;1MdW5kb1L+JdJxsEgc_4JefQaEp4q? z))}=3NG~$FFGoDJBlSbsD%nuHf68n1<39FwoNuYk|11~f9RuTa-59NYvAMc^3J*rk z5kS2YRx^v}rcvf9d|!q7FO4&CTzZd-r8Ql+%s^321^PdkmeyR%8vzQRkUg4IF1m3p!4n#5%6$>y>6f7vje!!`sy*M|!Si=DhA$AG|K{BD=NE_x zox4MKQZ-Dnr}4B354E4#iU@tW$#(X8-$-=0|wxKG#;{b@7H(2sc$~d|GAns{-Q! z4VBQ5NdDVhDdi4n#ju<)j53dRQ^Y4nvPW+0!K5P!x@3~B>Z8rbj-;;El-zm2Ik@7J zNLGqhFQ0hZz;WmH+Z2t8nkq@n$COC%S|NxHt9@ z1IL52r%lIcq(WnUNjw!4XT#z$r=($n)b{?I5p}kHDcVc|%S*RkvXPDCM-P`NJj>Dy zTv}~XpXcCJi$2*Kz~b-~S*yW1c>Og~BN%Kvfd1vO4pW1{;y2myXNLRSM}!$u4x_mY zeC;kj`GH=J8!v4yZaY>b&4vk@^&R?d&=C-SuCGLf*ObxSRYM>ZJ!zNXo<{P-KQ~{B zV7Kin&WSOGu}EvU3TtGZ+c<`U7xt{4D}05QM?X`rAK=%#EWYDKTt?r@cK;wd5@@cN zNryP^r(M4^l2hDK`Kq|HSwvMKw=r}u#zQv327aD`S0{$KL>UO?RwsC1WaRa}{*9xz z>x72l_4eOKx=ZvDss>Un=#lrIUuClzdGO0mQnjGZ-{4wxO^XJ1&MlRx>nDfhSG>Zu zw32vW8irY3@kyo}zS6?U?f5nP%ZhJ0l`~<4ZiDd0E$i7xPGvSMO_nya=8BG6nz*jj zv66HIXll)wp8IG!Yv@oeUD*FbAmx&$`P{m{=<_IWrg|8L{Py4UxLVoZ@HcdDO}tnF zQ)v~d>Q1zOm*URa*iE0a(Vwj{oXJAJDlOV9Fx~Mt^AQO_o`l!wnC!+eRu$$Jggpg?Y@A)QB~;Rcbnxi|w*w zXA1FjaXRQ!MaN+?W8&|?rXk(X^4GL8#kub^`j%4gnj%+A{>xXtU|J+m<6L#;$KxLv zuU@4B#7?pJiXWMx>ugt=;-v&@N&a?Iq6z-K^?<2j90|NCW?$&Z9&0uz7hYk*S?Q}_ z6_cbW_Zx>D#xVC*aD0QSo6^yvge~v#RNMC3`d~_Kw$Hjtf zc3C2+wiHicO75ZP<9)=HV=Ru^% zFei%4pybscGP;VQsbb%rfsqt;h<1J`^leo&jPTHW{%9%E(K*=qN73s$;jXPZHjAk@NQa2984 zc<937QO>p{`RST5=HEv#abj6%Gcxp>e_gL$fmJJ&;}}3|sOn~EHQK9evP!#FL5R1( z{c5^U{%O}P_y(`5s-4qJ@iifE3R-%m-3r7y*lOC03s?s$809FD3e3w zy;MJ!GY>}1GGLMHE&TKg!wKs&v0Zo2OyfishVHKSIj5X)qcBRJD-LAKI%nKt=UR^~ zI`beNVi~07GxPV1#*dx2Rhaj|8vR;1Ht03t49g%5v@i56c*Pk|1ueHxYG9J8DAt8_ z=;RE{=T+XM{mOalYXyP@5uX(M`Ihyo zgnXxyu7P827w&686kLZwSnG?c68MkC1QM=m_iHfc`({J<_JB;#0$0fs0+$G5btkHU zEv5-JFIM;$d7u~mq88GoVt8LlN0-WLA-9og`LwI|zDNp-*e-SMNT0W7R@h$()L?$b zcvpSHJR|hmkE8dA8b~xw55tcWJEASj?AMb6i56XG_T^2;JZqnQRn4wY`b~~NX&m>9 za*BQ5gWOc>!AQT^nFO}{3Z(tp~RYVtb1QxhI#Oy z=BV+v(wTHMnT+Jv9VX# zvXky{l3<@tfuVujwbUpjF1u@0hVQ1vx2Oj+SlDl@4urK1*j&?&i&~R;WM9(W+Re-` zFL{5@DWsJy+QuTogIa-U)1yW(%J}b`n2cCorcxvGr}wKze$GNlPVMts*O|^$w2dA-03aMp_5uyJBCmL3&2_Gh*5lozb=_Ed*y zTLepc%f_bi7u}`TfCV^;{wSk?`AKb%(^}BlISECHB>h!md1p9jlo;Z^TNWm@LbNbv z;kf2y>Z-j&fr@0Rf!8lT>3h&zXX+i3Y#&_Y&qhsH)oY;p{xryFt`q%97C6dZu) zhb1MZb5_)DysoZPDO~-xC#;tgPq%F~cS|ba~oF3GycLLc*zC6~>m3cDLBPP=^6&?J9k_v^y@I`WOFjw4kj8`rOKxM%DMp7J0 zrqY6KNt2os;g|yNkTm<$Jy)Ij=pfp_@@55^cM)3ON(`ql9yckKUe@$4@XeWkQfv=CNs=dTK(#f zedS77%Ubs8-yzxTaBI+(4NWQJq~r?1an92 zvM!&+>UcdiPoLJga`9rJ*7MJvkJ3A?_tsOW+$l`H9b5W}Tso*<@r>Qt`_~N;XnCgD zVeR{825rJWe=+y)%-OY)dtI34B|BiV#ltaX~p!45DFK>ep zjM*6dy>Bm+1nxc+bB*D)z+N&J^!Ls4zdo7+-<;-JN+!@D$i`L0YbI~<50x0f{eDD& zaX^@w!aK&jzKMJuPP^aUW|j-{W@{L!Bd+m2S`~uO-WR36{MeZ0Kx1Y!l!G#(@A7*y zOg=Dwlz#QhicM1XVAcS2?;W2Y6#5BqtnK zZXugCo;+~-tY414JfRIyk>VTZ~ygUwVa{&;*tdR1}>F%g?fwTii5K zSW$6;Q{TuPVGKxb?Ub{=a`gjmEN&R~(84djZv8r0oOu1=_!Uioa{}qY7rUtqG-g1` zPmqhP?Iewl$}z5kj5;%%m%b4GmwTK!%frT1ewLtseX6tSrSl^>Ba%jmBtlt#2mvm0 zu=yU}Pij}7k-7#%2rhDV*TgEzkbMK(MPsdxrsp!{Vj9X|y)>}BD8J>75V(AlE)d8a z`|uLtoxAn_el3XY;(Ey;z*t{Dym&DyiIV=aBi7!(QY?+#HbJ4JQ9?N9J7?zd!{D4& zR|Q=ag|}*To9$!#l-5G2dF7vOW?hP^4iGRHytKfbAe2i@A^Jfw=9Q*sn)AR4PhWY5 z`GDA1gw3!OddM1b>>333ELs6|6?zU5t=a};^urfGS;5}6TT*W6P>AodQeZ^gucO6X z_n^7;sFxvq(Bwuw?uJ8%e` zI1W%J7HU?=3~T?s6y)*{_NH~4sNVpA@QA;TYmumxKNl!Fo3$Qco%yn3fGFjdYuquq z4O&aLwtCS2r&Q6U%e<*sn-Z1nna6m%4qq%B5EK|{Zd_(rVJ69b8=YN)%+6_1i`7Il z%j%iZ5nlIq%_8TbR|gUnQ!Mw7)DFRHuQP*Uz3f5-Hk)JF{lrd>EBC*r&On4MSkF@# zfT3z2pl1=rJYjU@=B}SvIPp9rt zkas!I`5rr+XyDw@$?(}i8Gsdug9$jl>}krGnuppch`h@tp& zcV^k$XUxKvJ*W4C0 zO0WZRN0(sQxm?yZc|-B9!s!g`@HPp%bt3Nt>P1qvB;QR73f&t0z~Wz>*jMn1Si+~X ze)6YwW&6K>6o7$*5gXD>P9Q{Pc?Ww*nz+SCBUA1DMOzl? z;)97wXwQ-b%o2q(YWfD#!1Hi~B#6~sS!)WbM*2L5IxG>T#lQ6h-m--|=HHJcf&~ah zZ)M!h=ti1-M2b?CNV+!acY^t=6s!_LpPnHG*}}^xLw7#Sg4SA{aT5yOLh{e`FBlu! zsd@AbkmO()y{_rPB4)=&!0UbuiePEWeMJ1M*^N}!{x8H|F1r+dJrl!wURtJhmd+Jo zo+iQfAWq?vEIp;X&=61U2KmdR4mpA_HtqBym9d4iVoka3mxY=~Fadog*_x~E%{`_4 zwyJzZL(8>O_Kt4awI0I~j&`53ovu#`WEI!!#OEB3xFodb9nR%p5_%{pmNCdg(%^Ja+Cg@j7m zs>C_?O|Bov!qy{3%Hh2yXgSt^cNDT1dMq?S-11FT>mcYN**^)@3qLXuzt|YOQpPyt zxj%68nTwHWIHh1QXD7wpqet1_77DI&(sBKb2^pt4NsGb`n!|Sp9m7&T z+pu73WVX(DqWrNmA%oNB^%BX&WQ!7X?!?42_}V7WZKNpiw8M`yR3~*S z@e->N922h3ile!fVDuCEegCUOsAZ@=Y>J4&AsvupeD4^+&$f7sOwNKe{pPzz{<(#A zk+#|58)~&dCtTc%{KhL6L+d37-L2m`;FwgSHLF}B(f#bpQmUJXlAE6)=J@K;69Ob%tSjx~kp>|c&3-nVPa{~Svm zE@RhVdfED`bG(U#v|gmIJa)H+Qb_G05{pT{U}(L}PvaMD<^KAHPV{(ixyKS5!K|%f zxAUIp$Eym5^Jup?GyO(bcg-KgvJ__3q8J43%v9q#KHdKG2tOv;E^-}(Y`&M;*4+zr($WK7J*|jE0|Nri;q}zU3D!V1Xu|SSv?)w) zPH5Q#M7ZU;Q`X+vfw}9KZ|W#-WdEsE@Z>g^>}#TK(r6DS#7w}hHqUBkvaq>JTK)17 z_=~-TXTKRv?=TsmpTfR-`^v=gg4at}O2&z$yaz4T9B_3amSm$b@*LAcut4t{X|f}v z7dyVK39sl75wFW}yUN=9Ofg@hf&f`_mWydd2!Bb?$Wh)%^uSdQT=6<;p zZO0JR>SQR?B1o2Ij_M-0V5MDk`*z8N?u-`M(;@|1W=jo_O-}({|rN zMk4gP;sfm=8=rE@V%34iPHUYE&YsWE-T$6hkJ zzB{S;F>t$~)6VtlBMHtOGZ)gXo;{`Ts>?fj5OmkHQle!K$Oh8)(THShsv%LO%jJYl0L6JR7G``sZYmvk#R znxrKMoJogo5mQj7si)g&kbn(`~ILmrWa{-u>f= z$#Nm_7K6ks%LPH6n!=(iWW4u@tRpzY_3!ArAD={rvvIGV(V+jr5Ryd1z@t&;zZM|~ za)TW3$|~(36akC3FhY}k`ZaAYfUVs+B?O6>dRe4%Hb?u*=Nuc4!r%c$bmpw6{V!!O z!Dq2Y<~!V9Z5(dC{Baxv1;N&XPZ7@yNaNTdKcll4k{1hoQA?{}$$H_dl&1)0qXA{& zdWRuOT4&)R7gY(-Um`wnMc>#B5~Jx|^sjysSF@_;ML$)Fd{MG4ceoR-8LLV=s62WM zoMWBO_m`g?3KXUba$N~IGSG@_^rE$n_bwVRx=!X$dv46n#txXC47_7EePb{MG(7cL z-4g!q#LRCk5Zr5!e)^AFyfm>Z87K%eQiwC{R%nJ`+#I^Cc2v)_fBhIvf9}VJ*N?y5 z?Kn|?>po~W9xAyRqa1tV4M(K}vXmIjlbEi-h(>J2`G%Pn&=@cZr^>&9t|5y3V*A)o z)oIt~6m+N$y{9(Y1JlKKhk^)&NvRKpVa0RQx-lA|xf!WhdIVjG+m`TKy}+|evaq|z zOy~aDjw=55M!lnr2UkIltn>ZF`NFX`@dq#;jX-v7;VSO&Fr8ldWPQ@y<3`96qu!z` zA_o=5MdI&wpYf}ZwLpdu*e=ff{_*og-=PNWop6^0`DZ}Wz3eg_l>8eJZ|hF8?f#zU)zJAu z%C3Rb=3MSzxe^7@acawfhDJkJsfK7JG)$qQ6ihkgoN&*K<|M1O#_p)h{euN<~im3RUQp@&Et49W>nAhHkX4I{fODv z!<{@QnGx%vNC9KCD7dSwoOshGSwTyDL_xg#>fpKwEh?$cfx2N5(A2yDtqrw0M}L|H z1n?T24#6@b#@-kJ7REWCran7#$mqUQWb`n1-oMu?McfNVoB_pZdzeYJW#1X1lsl-BnGOj85m1Vylj2oHKe)jIccfNgpy}f4wfq=H z_A^#y<6tekt8e&fiLidl4QgK8obk1oZ1DokTndnoELPxEP-OSFYX^~3uck+}ITi5p zVJ~ia+*S9njYnoB;SrGLpgQb6e}Rhz3(}hhf+fFBak00og7GAuHk}*-t3HvJJ7kVn zb3HT;BYoNcgKQDYqX7S7Sy+oIV-rN)jjy4>H%Y%h@lbKpEwD3y&1Fy~VA)tk>idvrtXndZ{9<7y73t(wr~{WB4RQqi z(~};O&2KMO4`qNmX$!u!@@wPlLTYUfB#-oPSiX0>-NA5EL1iKrHBbC_yDngi9!g8`VlIMyBe$q zAj^?C%HYxS3~ibE@!GL8bF|~t9r8e0%kIoo`WlVwrJqNrOSi{g&@JYv=j5+}<-ry$ z0dTCe;r2txA;;J0YEuHJLoi;&Uu^_c`Xp$0RDT>zD=?vTZE%CvB=+P&xG@n)!28)sK zoceq2nW)bk#&wRc^XE+#&UzaDjr_+6QjZ6tJhc)_*hXJ~CEhn0{Y81nNOu?EDrgG_ z*`K7x8a?zWtQ|P&th^~h%`g`~RkkQxH3J8m{PAW+3<8pa^$zj%StKr~@>hUJSjZJ& z#SVBle7eF%B-&K#xly&K0oN?g>gYN>KNEJG;wT&CR^7As9EH+DOb}D%n0J+r!d8~g z4z0>9jn3U^xx?ApTeIm2?kyUB${R>AyoD~OE4`Y-H0=FqiiOlMtNxNo&P#)L7Yqt> zCp@5}+)up`9&I|Bq@o+>m%XwyU_TTDKB#1y?RL!pqAW3WdF+TGIpJ~EMbVcR~#tsKQX zQi|!qAbP?fyDNO3p`tAA@w3?7$NshOQF3iGKB$cq2FrnMRzYOgYMXI8A0FP?YAQbFCB`- z5H1evw!Wg#%@;0WxXoNL-(1>moNM}+*D4GgT$d?OUd2?r#?dAoPxA*n;1Tvvv~b4^ zzteashlI*H2@YT1biL;OEA*5nIV*&uG~7B6POc`LP_X$zJ@1ARADBOa`qrzsGGRWS&pqFpD6xc|WIiwC0U(>kJ zbfF)#6J+yxd&aW$l2Q`ERYfe_7xdO^j#)yYw>?Y|TE9I0j(cC)?d(pBN%-@YdIYyJ z9wIJMVYj+l1q-tA&q2R`ry45$aLej(108EvQP_`xKwG0h)iy8TW7UIx1+}o(<3bF} zMn{ir&|zx1d!VuJWFF}jcC9Ys=(yM)Qj!NQT*Lg8&`|MWnIKb|Dt+d2CG29xzu#QN zRB)}{CqwP{7JP-(M)@)r%!IpsJWF5uJ|=rDlu3>){J$G9|Ic5%lq6QcN@OQHiwkPU zsqU!r=|u9GKJP62$X28+sBIghMM805pfZvEbt_)3lP^)>>qH}o0E*0Mv1a;8?gsd^R67IEZb#8gmsoftKWz-wx+dN~ zIX>3N7w|yocr|*^MeanHYlZ!pCp`~R*eh?D(MP_R6BVS>$BVqk|LQ$Z8>Vtx@QZg^ zszKlm&v{!t%v#3KphD|S=OYe9qMgCFm%$qHDzmuCDNUL6lU2d4H)l2nZ4pjb(X|My z0D5SJedC>!aiuU;rrVCA%u{6Eq$ZttG2lA6*gH)xrNisMen(b^Pi z>6zDxmlEY?iHSV(D&Mn5`s^*U&B2T!$t9^_p2FVPi8pEKFQnDW{t(^jJC!!N{4lKW zeX9ZA@hIc+4_lJ$QvDGj@Tx?kH&2%`7?$8a+i-_a=oS-iEzTY{` zfAPGMkk|t2{FBVuiDTV9#*_Z_0ux^^U60~3?Zfww=$$yPm&5sG4|?F#K|@_Rys@GM z+a{^mQ~G=9qEiL0(^=br&?L~{k~HjMcG8IVhEyiiYN+V%wTaBb6;H;ic+LA3W#7on zxS8B#+9ff6=v~-8imi7{c$!0zo-Wa;yyJF#*KQ<*Tes3S@zx|Y|3<}Fykh8$-QB(= z1=$9ip?P7Cn|oi0UJ8GBP13@?oi#_~s%gwxbgE?N^#A!${15jqx5iWA$)C@jPT$V? zi_Xr~`%^m0D9UOo~@X>Zkj&qNK*EP|9Y-tp1T|W?T_5ZFme!#L60Lf zn>^kw7n(Mjx~8G8SKD;1(3?;aSm;x%%71qgcOWFY+re*n$9|HQVS*OxmOfIJm70=2 zULc9jO1#2nlJ`iJOhIGnh>+RdjN6^xwX>}GB9FR06zQ#1(TQMs8W>!u z0wmEx3YLQewSRJf{~tf`67H8S3XG0Z(59ZAWV^b;v7$+AiYgc&P;toWgO->%@`u|Z z7+GJU(@x{%Yz8ltj0LiouzdRg3NOp>ewj;e&ZhS7=w}s=Q^Z_$`iM+B+MW9q+3o(^ zLz?_dNBk)S2#k33%MaxF?k(yq=-@&u+rEM2YzMTwld!dMd1HD}k2Enu%zeW`bJ#T% zgmjyedd5#tmmM?AA0G8XZ&dSWdh+XJa6;+uyPsX@E<=lH3*B?H5D~JsC;jMmBt&qt zJg?T-{fiQ#bh-D10qdSt=eUXCt9HjasNx?KSXQhXDy??67VI)hCKxIXImSRE+ekJeEMQr@kN?tPeT5p2VJ^>d&28DB_>L<6v486Z;zVs z{dr?04;v~~Muug6uA$AD-*uB|&U8KbZi)|Km+~5hOjX`4b7p2;9iW?a4?HG(5%-qM zm_D5_e||lGA8&~Jg>oc#nww+Q1KBG zjAA!o%}CatQN%c{w^cnu-C-@-T))hcL1$@i6-YZRO*RV&h)?bUN3E*qa?CH&wi)YV z9G!Vm(-# z+a~d)$^29I=lj!($%yIHy`^%%DnGQ!;Tm*uB-3_gFl8pb{^UVo;u=^0-Kqgd*a}n* zKA0m%0bjv&av7i<#H7J$lc22M#9hy++XTIFSThH0)qJx5t8f#mT0!k%`%TI@7%>VHL^u z0ay-PCM6$g8Z{B^vg#EsYebFv&4??ot8;l+>YHbTqCOFnkq(1;!x&-z<6;!Iin8>x z*M&P$PHZbAbTaOd5#QRrz%#V`Q-7}lTS7a+T%1sx4M)bhM5+A!)pt}=&5qAlntn&$ z*g9a;mfd@gEg@Rp1z6A-Vf)%GvZ*a$(+ZO(a({z0ma}sTolY;@A`!5p#8hfUv2V%& zooE-Y4_j=~N*aR8!(11Z3H#T(JxA&!S`mPGSn1urqhmpCi<9B|qyy*&88`$hegL=(GAH6&=iN(w* z`I=*}lGi#X43VQd^VyXMPEizSoJ<(koNsZbFWgfOqG7`oXH-GIkt}HL_!&mgOq1r1 z{zbXgB!PuJX)A1~-z=KYO&Z7D`Wr&be<%mAXh4$%C)ZlShrpwh2%(9utl5Dst&^c~ zMwD9UZ}<=Y3-AtoAQ80zMQvOG{8jWmM1*|!fzGA9-2w>#;9Q(k+{VuZx-k7KfsURI z3zJh-!JZGua8JZ3%KGpAT~kP9RA8xF%@Ob~|KZ=6$WUBQ)Q^d{dOLp69b_W> zuo~M4`TYMA^8U-Z@c#>hJfA?pKGWuif9K=>cfLoIQ$xg$(56D{b|%MhR%-{`H(c`{ zLDqZ`=5_yg^?tpnf?YT-Fr_>m^1x(265a}>_jU&Q`Hw>PV3e1os;Cb)e5$8g|5IiS z)IZ~E{`S|{Q)e}@)NULvh`KpMbsVyNMa-qEJeNdG(FZuJ%h4 zR7_%z)LKHX#ltR$`|B2PQEtF>^!mLiF&t}$w0b4>Y0!~Y?cOhQ{(SLq*EK*+oD)__ zd5+w$-hXC!JD%GD7^f@8SOJmz!)cQ=vkHyy3w9eU^EPaHT_@~7y=h1Zqhc;3GF<0_ z7LUM%dj!|q(Pb!7-XIo|3AW`;HIfeM?wM$F@4Z!}<-Tgx?;!8|00P=`*Tsa6KU5oq zx$-M0jCfn5V8Ls)x4nu0)Qq$_0W#r!xAZ zfaS6kpAB(nO)=8|HhKe;6dgDUd8dD8D5K@WS*5g)F(5)-CB9)y(g|kJ*`cx`olMm7 zciQ10B=ZHC@ETzPkH@FMKwn+3Y(bQ{-2aM+=dI(2H%f6w_*}}%s`poo`trR97a<_U*A#zZL^7GI6rzxXHo=PRalH;cDx<{Iu*!cT zW>fnuOfqF>v!r7EP*d(Uw10hco7R#OX2z0Fkq7g|I$szCY%L0t9lOC_T zfeeP`*7i9!$f)@RJgHYO!yxTUGwEb#iuHT`zyy>u3oFk6*Kyfx*UcQlC7DXqVlQc)Q;X)LX1=&0Bo(gvz^ee%t#xi+!|L*Z zO(l687xM)5 zr|VGvQfB<`&k{5zut@1odMABsuvyZ$w~jO$2ah$`llB7T3=-P_kaSxnWLk+N4OVNid)!)y&Y+?}t2-2)c`do923SoPk{x>;Mai1CfQ(<7-jUS~!|-n!D;$4Yk8 zj--PH(`j_`Cww@U?%Kb7uQL$lGz)gYd8QMy>$7<9>&q&TdVxv#jx3?V zo#V6r!P2vsh#OPee)ejaupY+h&?Z7`E3Ij{0^7-RA5qidC_>_*uyf6;JU2Szm-=QURSuz5RcwWOB*4#3hDc>;LF|FyRH-#_WiusHrWciMI`tJ8+GW@hH^E)DubgDn7^mvrs)o^m_Z{`SZxg zB=i7pLd0&)3@V>bvv3*Re7giaPK2at+-9r|^F72-6x6ydqje_-_#C&P&T!s@9WfXP<{=~&tOJBtu3>nLqH zwBYeU+^H!q%t+bhhfJ_7dQNK|57&D>5i)pgYiv)j4o02x5SBCNHLSMGfN>V-M{~L9#MJL% zxOqwr{>&eBs(_|H4_F1~#$lm6&BUP=EqsP{3%uI8@$Pec={+B=C9}rErD!~J>d`OX zRibREw6kERixBI;h*^HU?p8P&g9N;uErlRoIBYB=&93)0MlWWS+;iY%UkN@(m0*mU=<=btwuFtl8T^J6mj!r_9S%X*v_6*P8sggsm z@;ku8Kdm6$OZLxa4LKH~2%15OA&A5hPCVJm08R8=o07@XSY8HnO&LyKgBfS8F%3ae z^yobZSfs8?V-bPqOD+NYCgtSgmH$TFGyZ=}-3wf8jo?wmU6L6!*#$8v)Bih}dm#Z@ z=r7Xc|1);4_l771Le$AKswTb*71*fU?mX;5HQn4FEu@CV8GSo|GoTp+Na+vSw^=6@ z#*k>^cwe6WN&p-_(zlVNKnl1vz@B{6`EV8)@1_5E6Yid`*$7H8Qfb4UPrB-0pAcja zcr-T6H#a2o+t;Wyk<}!mHIRrseQINV;e$a{B;^!6vxWCi#X;mcG{a z)}jtU8i%yY!+Sn1%HSw|aaSMr^!QQK=Xg`_SRul?)$p8B8ZYIARvN4gEZ10f}kM6 zpix>xTDn6*Kw4oSUD6>PN;eV$(j^^|gYJ00W3IFJUTf{M&f31$xz2x1=De;cV?59A z_l^7h+#rjgW{s!M5(jmE~F&v_#mz zd#@7;-c?7s)+V9lK}Dt(`1{@O?t}A~<%;hm2M;tq7h_QC?TPK;c$M>Qs%7j^2P~== z`Lgz{P=;XqoM{P(0J#G5m5@sgE`H3BXpq{xJ3YOS9HM?aHZ>=wBW7#k=CVqplX-R|$rnuRbFZ-q0svdj9g! zhQKWJsKeEcVP zy)iGeXH)T|7?~s=WEpM}hbBI{C=1XRE>>F1)tckYc46<@M=3LyI9cFREVaav#xGA? zfphjr2xq5!L{)b2M^Rk&2gK8`cD^s?L2^-`TvXl#l=oraE0a&mQI^5LVqcGktRZ{3 zRSvMcsn@agBO0McF*fYw80dbWo$s{-1D{#g&}=2A08U6N8X%Omr{lzN2TENQfm zIe{4gb8zNK=}2%nAb1U-`v{U}A?~pCz>w*S1cy_=HiUh3O$+&Yz6Jk7pd zcN}u_+wa+Bm0{^!6Rh?k49vKV*z5}zP0Hs7k(r>0;XcGKZX;PvFcB(n$NQe>)CIG< zk%7BlPskONaxmh2=>7?0)diT*T+;e|tL+$=+CirtY{W7gtmt4>jnSJJ2!eQa zUC)-AZKdTp8oWKbY4f>>ElwFV#W9ddh%p-3Sqvza9H67+uAaszGn$!DMDm z;eh?<$He;D)t!4sB(IL*RwI^gp_xespgFI+jeL**x0D>YJ>dJTKo{oJ<(@F`;AQ;w zgcm$!JIQe^P(rt>Q-7@-(p^}FwN* zaJ;#Agu)v^GO?c&CTx}FAUK(-kM8Fqv#Avfh3)Ti;~PP|e&UeEif zy&J15|3uSc=gZUl>kWIsEZ;-;Dg2M4aH{c59}ZjMYj)r2h$^kEJvX7aelyH(*0@85 zax%~Hr-(zh=hZvaMpO53+7@?R#RLKsi(8xU2VLuKqAkenP~Mv$y>_q$*x6lTdCa26 z;Pi02UUzr`=9g#hwk$)t%$2uEY6Ks(!ned0psIPgK8id^$ zE|5}-uTj=_fgzVc{~mRXLa~3$eS<|LhctO}>94$e_8tg(q#jKsUTs63 z*InTZ=X@T;860qrYiSx1Lxaj;91@r@%c!l0<0p9_-}Sn%K72|!NLYkxs~0*LgP)pb-jB`5<5n(Bks_RjFGBXuISD)=WmAf1r&MRc!hu zz8P`H|8A)8uiCIzQKF7Jw}u@_Qa>!Lp5mHgSYir(ep#mEpf4qnPyHL*1o7OsZ7rh&l0t_!=%f!CzlCKbXfgKhr+4b*j;`f!w|s;KIHa~$Aq%7H^1A6~+)As) zt1FRa&cT+B?e7&;czSevPpv!oA0s^@3UKWU3x9@WY+RHR9%8v!@vMd9Kk0b^F{w1Y zbx%p{LI&-5FFo2Qj>^RMg@;{P1==z(kbM!%pN5SemgrDi`t8_7Fj5IE3)JCfQrAU zD|TTaHi};xwO1MU*{}kpm$EnR4u!PtO|T+o1)ErJk@y&JG0x5J$Oq?Lu{@4nzZ8wD z+A%yNSWhh@P^Yz?Q`9M~8hGFcwj%!Z?i;lGEMRfE9!}{{%hG3Wm$~csk+(fC_R@FP zC&;o~hAx{l>u<7=Hd_DHJpMQH!aq+I6NfO3#U4TjHa%SNo9L;y|0rU2FkOymwT=d{ z;(0e|_xEIeH~j*(K03WLr9~pJo_9oe4ylL~`KW4yVpePBcu}I%fOvODO|#{IfXO<-|}W_;Kx^FLB%R#L`aU)mBLNnUPpxV zf{`v!78}v}N^QOYSe&(}gW-G01l$W_ejoki^epkZE0PMZc7B=~C7RSM0wy_cgT_za ztQWF4^qNybbt-K^Ae=VMc}_pa6th`!1m=1qIFT?{L?E0r@^v02+K}tNdbc;!SplQB zept2VpsRvnM(VEy>g&~0R8MKy-+w^yH-8pp#O%_Csgvg(ZSsoYy2wka+80T}53y>zcN?dXx-@5)E;zpz z+gZQHj>6Yvso+^fS(uYLzs{elN1iisD@VM<@sJfx|d z3&=>a6HZT#n2(DjoL^s_w_jn@X^d%f7kBp0kGWJ2Zk0=^_>=;D2Wj$=s_)r$op{F`lCz+)*6DtO5-f@6niRz!mPo28dRo#I zwihK;8QCR6H^XH6yo0ER@9I`5vCH0wZ>LUfi=a*ycD3!3(gwai$hac*7L6BfY~4_SQYb!Y7J)bNJb!jW^gl{#q*_0FZ|EIwvNDzN~gm-wk>iKkq~ z@q^Qi5T$B7L)u7$quF=)l9x?5&$-{5=+7V=zv!&7WLNRNYkPTo_(;qA=tZW0k{0uQ z$I)F{<1Rc|*Du|R%%AwaXxF&OI`99g9YpK+zx1SU3(l2XE6p=BeIc^;kiuHYh?djf zo`Y6#=(jQyniC_<%pfpVa$Y4P=h$`j#E6z59e;fgr#REDID&#+oB2!nrc5G2k9W0w z89d~Zfl?G$-|s$eDyc8;&2==l?ANl(f|dqlMq1;oQkq*1Gl1A*5D##0n;WKzrU$Zl zPW)O^FI~=7%;2u1wpwf8+JtiVv7Mg)^yV%WgfEOb)n%F4yhoZ`_12J|<&yG7fDV6? zj_ktzYbI|eyAHnf*r6KA`6U^N>LNozROyLUG!OI`nznG)@w-m%`MVhzA?)FQ8vt-YR!d_RMpxF&X>zt9%v3R|-|ws2-J5vWfYTMnQykjl z#TTz=_Fl=G|9;%$0k2tGHczCKs<2u0ZuOkmt-Wx$x(e2oJh@+;2Bfm;BWnGNa=EIq zQ}3=$xJf&&OQ}_`Hx+-*vrdRSOEFA-nI5RZkk=#mL-vMSjOo18uqxdKyf)=WeUc;u z+Cp!?`ST1}jBulf=67TyD9oKlIn54pN4_(w5ltUDK{X)0+GbAfqByjwN7Wc>n0_Y* ze^y-6D48NXmPdmiypH$%uK~1z{XRrm&_8n)#_4b8e&}4AS&uT_^G0RMU>?1ysHQxH z5eKJHn>tTISKzNY*bLs{e`A)h`sCkyU(=)autFQOx-s-Fa88Hf*`8 z#M@>qEGy}!|HQl+s}(%a{RzF`TAsqvkLEGUf@I?yi?@=KuIK29N!8({srT!bWT%UL zlSQKOEY$j!QF>e-%r)bfZ>xDakVdis-Wj(l|If~!;gt~|5m!`kD z07a}1W)LL9EaTb0DPZGk8nw4#V=~seoUWN-L`_`MN*8nc_Y(lsdkG0%rAL$XM*bq} zl^W{vcoXHW?)A*(0raA7M7L(puwmEXRa^8jOxwibZP*86Et|<hrb{3ou zWRL#hHdVfqkS=&Vy65waY>!P&n^%85Ru)FgYKk&9@(!rap={P~zQ(PL*dNEOkSWiP z4VyAMN7X0I_`-2)QH$9_z%tg9!2G6UKK48M9Pm6xrt~Q@$E4RcT~gW{3aCpTJ9IB& za@g;cp8P1@i!+)ebo9Iz8}qc8n&gn z7+RrV#O7nsTeFi62k&^P)Ys!jsMzd>bg=~m*Iz8s{C0;6%Nntk2 z?T?aij_kp%^YN5spDL=E~Cp+6GXMPmBD{*9q`E|VP{Z=+o0w0$M<5?wg{&f>7& z!SCLn3l07mIP8)Ib6{M> z96(lQ9lmx_Z{Z?|0TNbQNgS_YK0O*E1U5BAfkZ1izmdMAmT)GRRQ!u2V zN2nC`%BV3#EE9dMl5|fK!qY+H_CD7smrlJ>F?{4~ZAo06Xv4N}(a}V$EK$icU^h!2 zD#O4FrgcJA-4C&cr9SF1NEml1emwAQV`z$IK}jUM$m1Dz(2Kh1-?B=85Wb(jR<4bXRlG4qI%6SxzRZZNsxk_g9pQtoEFs|+=Q21fk>O`Nw zjr)w<7M(VwsH=U>e+~AKX~{N1;JVS4H;?AN_|ZGjy{F3AzU7<&#CaD+Cd>H9#LoW8 zQqD&3M&k_QfwSd=;`VV2ecp2 zrgO$moobDYvA&n^yiD`R4LK>Tds*7*Dn49wAYU3O$@cTfRoFl<#kC%T8bQ$Pd++lA zemjHP68@7Z#+f%iNev=syi{+-dYaBc*Q^37GTxtkBvi2}g_+z)DH2vO9T*(Svaut> za0X;O@b03w?}|5kSQjzJEltG}A(@s>Gu*%Z3?$;Q91SsqNW$LB#PUgrhO!dz_f1qR z#A>*^>oZT*rC+wgEPTcAxzAHL>~60UG;F=7P64@rhwseec zcf7uB^@C^8yIf^+2)BtQSJPp7!?D#f$uP~+{5%yVQwFN2=(iMCRNT-xxFELlmUEx!I#$<+z2D@RqL zH+@WoafF!K?17ZWvpjQM-85-ZR~{$u;fizEfz-@_%j=#UM&b8q%;pR2!Z+gE`RcfE z#py;X^feskn}|M4SeKI0^&wG&J?qa5$9ef9sB1n<45yASOr0`G;e6|A9|UL*FXQWk z=`GCH6gS!ylyiv+HJksWV^zbHe*N1stS(jTJt_@`%qSXz&w)jNGZL_My;^MU9KFHl z>H>%$S!D)p0A>h0d73^;i;vJD{@B<}8)tAecFgo?Yzt0>hDZY>d=W4{u5-u)q0B?x z#i1cRM_8S#7}hl)h>)0C8RPuW zs#^ewtg!_#FBL=lhz~2@+=#(%PSC?VzC(QR74S9vOv)1-d%E?(oR3i0V2C-d+fT zedll!U5)`$ii<)9!}JNGj>GSC-ML-%*G;qNvMw|^CTzNVZqrvXgi_XH@VY}{kv^cU zGhIXC;*A{Y-(8j^>DXJ`6_oV`E%spUYO!f$iq2Yb6;!XE!yXngO=u|@+tU(?Nnu$XRfx*L=oU`}+zD=~~lRpm;rkLf%JZ7s7k^;&jF zJB|-S`F8zoa~n_9efYP#H@mnc^}|u6%c}ew7j|>AyD_LTf~SNBf&o9A?sl<=AQDqs zoi0T6@Atj`=Fbdt9?^*CLXs4metuc*(p1>M*l}}?fyRrTkV-z(pX2L$W;T3D7b-mw zkar=7hMBNfo)^;eePVk!UUrX~gd%k_>Yn!duOTGJoRrVXq1E!(I3hg^G*Z7z+n#t~ z6n|VbXCm>Qbugu+o0SS7+>E!xC}B|;u8!0zYmv{%N7-!296_jJGD+n}GCDWxw+ zdQZLd-mBkt@p~Zst`PT{tn023LxIfc+2dPUtJN@vd zvCqS2qHbNSRq@AEnA}G(2&Y))Z5WB|Il35b%GL7H>y0;05SZqvvU4M;O7aPY3VA4v zbtXs~{!7*J@5J2Uj}x6Z0yW$v;*Asfy0QFKN=2u-V`Yre+u4!ME;zJ>v96)Cn=aC{ zr3%qG2}T-D3+w$YLr*hJQ50cpKMX9Um?OCH>03#kraXMedXmP)8R{=v$fn+U*>TbB z=w+~Ga0%Il3n1#?vhHL&Cffs_)C}GkybG6Q3CoDUvaA0%fa(;G0I?$KCB}1&ML|!{ zq&k|bLIG9;vIaxpDZi{3i=eD{>?b^Ed4LR@6MD`lDb}P_M0?~yR@ur!9zt)?M54+- zRx*TvqJ{l(X&lmaA2{`POE2@Rfz&BzlKp#1{|-OFnk&vQCcF!GhwLT>oVF=Cn>oIZ9_qOe?4sKcYje|i9=LM#o# zC;jZ$ZxA2IXQpiRsIZ|5O)hx;>l(4EeuaYly$&;)*srD{IB+xf z{(2C|6xxZuI096n1W+nzWDTK*b|Ak@>xkX#7AH*Iyz(26Ya{52r}*XLl&jj;^r~p| zI_yp*MmJ~eC!7;r;mxTv+p{^yo*pkeFt|Sk^DLhwDRDjqK~>LJM;(!S?bR)&1Ex$9 zBbd0is^Mf5liqhd+`jB+^WBaHF_4$l&!#`jn0 zqRXY5-o7HXX7f5_a$F%hE2lv#+<)6mJv4=i-mYiP++Rj0q|`nM=8nQ82^`_BKCIQH zv&RBp4cGzGS=8%3_=IwU1(q_D#xPSJlRB!oGcHt!wNl0J#yifF(^F`Lq6H1~W|~20 z9r3by#6%V+Rlh~`Zj}5gm#{NNwXm_sU#(JmJf4Z<)pbY9a=@$HoDn1AJ|a-4J%6Qi zztU;s0PlYur29d%;1cnVZV4s=HaO&d3PW6#kkXsvARe65R!j!3hXtH*J(b)y)=xst zz+%T3TW*TE*8{qGB29xlc-tI*k3$KMD((;um;P}3FMJ$hjS+2#@GrSIIcj$_G!0F8 z$|P#D6gvaM%>}RPfqEe1?X-~PpChK%^8XGR%1ls9WhxDd5GrPN;9>N54S;s%+Mv(1 zT$WUxi-j$rCTdRE51m1U6*mIw6>BpA31-{Li`gHaocT9;4^#k4}Ahf$LP;cpV4BYne7na6mBN>baqCo5dZu1 zajHDSlDX(4n$3C&^f2HX zT{&2t=NdaOm)fgQR#sk$weFOM&m%AFJeDb0pZw|5+Y#TyZ?t|#jWRS_5d<)`Y)=!d z|G04Q*NfTpSn0;Zej7VW^tsbDZ~lo>yP`pYn=6*{Q3gIYY9~5osh+K|h=oV~yQB8+ z4`qqF2yXE3@QikRqmBI(_b5f7A2c2bDK8KgakOJh3#CjQ4<78ma|se$+mY`Po8Nj3 zu_RM4c;DQ)yk+%OnSU4jZ&^2e!VU4lg?1nDMz)AuxQK^U{VDx*F>5z%RZc{J^(&Vz_=f0_yIK*G4gz4f8?oBMN7k`Nf7p&agxUza8=}@ZW$6DbsXy2sGIJu%6vAF2<3Q zD%D{d1WmOd(F2>55O2r`nmL1dAlE~XAy+#`5F z)gHK9B>8IY@O6tElUBEo6}e$)(vu?fdjN7vuS;`XR`UXJwgQoDZqe%>R?|bH`y&y~ z_!T`Ma;O?#O>}3iDtOXhQb8%`0-4$G0u6i!D6?3inS2y3BqI^gQguau%Mu#UF(<)I1 zT#l80;Lj1|xQu>F<8R5!3(7QK#E_0gweQP>zl&OSfW8}A$I8afv*3aIo>iJ#eD){FpLN424fcWIK$Q1scJ<; z;|eNGkgGws15OBRRG8^GA4*_NhPRS86{K&Fb3AOV)Tr|Q5zDVg2`O5guJ!B7(Do_9 zYj4|Q?Wd#d{%!CRhn?z*Q*^vpT@NJ#O#4+dHx<|m-K5@$-N z@qGnQXo_@93axs#U_JwwB;?)znqz1S(;cU+Hd+9>Yb%M&x#jpqk@Xr_KLDfl^NeWJ zaD$c|6k3$O~H>;W+rJ1;kln zxGd}x^4TarzaRGLDQ4SQsqc;6>q03vZTsZ4n%*eVwU!{eWI{KR0=xKN03^|7@9y<0 z%{;+iA>t|DsCmB?`CFbD2B^rA_8c9~@_j}wvMvU$=$gi}weE2#es|Rp*~>svX%7Kp zLSBDqrat4_8AyOGg|iLVOK0fO{j2@>|K{iJx8cAbUBo&kO}L-1gdSs&g;Ip4yB{Ha ze%&|=5QZ3UCh1n()I?KD_#}?=JPBGY?8&qe|{cd3n1W;Qf zY}v&MfmN_ZB=Ab1ii(w{eP7Ek1KT*8aqG%0D=onE$z7HtT~mmU$2G@V&vAGDE|F;J zLo}w_tv?HT9MwhQXFtnW*l}8wQtoP2<73rzs90!LI#^1IBk4!c@s>;IZLrC^sA3|r zX&uc1VL1(GR&m^J$=YcGUz6T5$WiriQ; z$*a14L#tfaEJKXyn!m6e8OdWQ4K1a(m+25U>K$yEym$uAS=>NQnaV4JpqOqny1sRf zxXu-WO{}LI%h@BtU>s#!`+m>yyexV*;}=B(kK z6mvSk*a~1RX9)egJz)Dg$#=eglD|;z_5bG4`d7*gQ4EZJB4q2+s|+~O-Y*$Mn=TV` zBvrnGWtrxRp()uaTKoD@pX%-L1|nYW0GB@YX)0c(=oRCPKq3o;VkNbRc(YJ~TR0}A zffT&5uCTSSQ>d%&De_Z71TB9Br=|1_-s4sCw~A;Jh(<}_cjl&{)B+5*8Q{BB-E&Bx zcmxje*t>j|`DL=$UVSoL{Ko#!!SK5|u1n(CDO)sd$$*4p zu`KJkvX&eoBCRpVs^))xbS+`3{%Wn@SCB{ZQR;+v-7ki2Q`RZ>YODh5!d0?w++Z;p zOxx1B^iG&4-I_I4b*j#hF^`17V0VTV}Y1d!U*l)!qI*QWs{um>R^N4zQi zDfw}02Q-*hIkUD`895I*)FS`GK=p4G6YiLsPZABIB@xCqAQ+u%8)j|qgqR~S_%;-o zuxE-lWKLTIW#3W)_woe@F^za^y+7|v)_EyfVp=S*5R;@%zUzjnb6Bd`=oq-+QrRnn zSo*OUxU^g740@wvzC{88Q5Jm_tRQ;+zY@_FEt%5kgJNi>LJDcI!D+N#Iq{;lzV!(s)IM33e zK`m!*y#5t}jhKi4QK_e$_Z?WL%wB?9s-WRr{Y$7Mh>4qA?k)&+gh1W2-l-c|Ci~#T z#+$SBd)V-5WrhWy{`y92JTL{eT(|g` zPBD5wR|$p%QNLSeGBG?qXnb?oKZlv%%8vMQ7{uPbG_rdI?XVs9CA~A&ph(>uADdBTa-5^3n2Wj= zOu{sF;6DMBfh$h@V+QX#xAzR$jgc1}(+p&SxFaaJL*3k&98y2OSwY!Qm#j1i>4Ql7gjBpqL9 zcn@mxhY#=Ios4KvvL}KsN$@@^d2MSO+MS#{mT<$Jo#n6`6dws;<4K~IM-foZSF;6y7j&cp}a`;tHNFt zh+4>pB$eWPNtGspxj6nkaEog(5n2j8p1bWJ*#(-(54thr6!WQ8*Mu4zN;kB~>$v<3 z@Nr(U-|(=%cT6`AVbhEAuECsY4XE=M2u3R~<{vZg*Im(rTlG@8GaMxt`V2>9k{9vL zr`liVsuQ|$p8;g`ZV1+angKt6N~{ovd@z=X8#Fb)2XUIK80^J8H0wa9E;O_ zZVmgQOzCH?0p5-ngb=jqC!Wrt-(Wb2)hx|k?4iI#v&0*Iayu9eU^4>%+dh8ng=WOA z007uB6pvv|akOTnDbuj^&JkC7zEmfK1_*3D;y42}a6|uyijXJlDt7FACa9K>>RH^n zr8za%C=^reBKXV+4Pb*>#hjEe#-hOo{{lhjChs_Pj%DN-J3Sfz6=|Y-(-e1{pA7qx zG_)@|K2;TaM~Z@$(&=-btp zb+)ItV&CcdZ%@*-I78clDQRdYFz^F(BZ!loytnwf-_!zTx884NP|)ua41pIlF6=m6 zE+Lm4)$oBrufdH<@`u%fbJRC-ibU!JsY%l136_IVWm_d4+}n2uh2Ar@Z=YSOJq&TZ z7%xQ~Sz!@*uG*QyzG3Uu?iyGvbBg5H=h_#e^URgUhz5G#lIw7G=A_(`>GQyc>%!8o zYKJE}y;1C~0jX1huj9{g<{5R$aqA5h&l;9V6eoNUcI%WcQ8PtN5nT{=$AJ_Vc6mH) zPQF`qZkGp5SY8+Qsqw3Q(t9cxPR=`^uwumU_pR^0`7?qCvlzonULwI*Bh_4F=Ix85 zENKeyN5Qt>cqA_~3K3_=lwnCEOR*b6reW_&roD}rlCxF1<@!)x%Ep(>_5eQqWdzPS zqLQf!LNk{u#;VL%0;}je2H7Z3L-8LlmoQ+S2X*+={{v!gA3_kd>pUi<}AWhFbQE&`U|^0^69FjQHXZo6IshID+|Tud#S?K zvwb{FCgOL^kE-wAl`^n;Q`{269a!?ne>S$5r9z{}am1c*63O-x=TvK+%%pUz#6zBB zH)i*Q?y}y!s3)``niS6;ZT`GC8Kv_i901}RH9@;B;l|9G=k%WmA4M+?mE7?uqpbLm z!M@u+T>=qwXYVsua1~ia=trMRv&fykbiXjj%Q{; zJex>NETY%-**{OvT}*r>!is(|z)h22K9Y!UTwBIXFP}l` z$705R(UIZnr=l+=MRU{AI~VR6UPyOJ7u0=_6~ecc0o*i5L%-CV8U8FedLu2}L|vu6 zb#){|lFopHZ6G?Xe^M%o|Hkk{AFQi&h@!OFq&Cgy` z>de70h~=f=gP#DF*CoIlDWabT2UhTy7=(U)NWNl%CTnI0Rfp&E&})Vv2%KNf)N#tw z-&0b;07>a3A^$@+#nFlj7qL+8ko2K1-x48ZaB!;fBL!u}to|LfB8J)ub#iam+W$@+ zGW#yRtK)3F4vj{m`x_ctfRQe@n3t*_I1N#834a?|@zCX0j7kAckjn!Ykah>_fF zY3K8Zyvj}K3_-HQp}TLH$s^`CsMKFM3bIY;m5uItZ;S#fcd$;-Yfm*H8g=qz#$j}| z&H34jt~b<1WLv>34!j!#$ZQ=dvirtLiTN3F&twH7>~}bmU;WXvxmgqlMS^?lKWD@~begp7ut#{@5jV#}J;sMOJOZ_H2BC zb4|0J40d5e`5sdg@gX)CsrlKttnD{i5iJ?Va<{TS4RUrI;Xq}plk4$4-1(O4^jS(e8g3_Sdq`6pyeMkuGH;$GRJ z3R&V@Fq#zvwFg`vYN5`JZ}s{pr{KpFvp57h7qT3E%dYprbSrY&t~<)9!Zw+}>l=Dr zpxd#qf4zQ$yo~iPLK-@(XtU}_K2GNrrrv;!2@ujC05PoCr_j>ctdGoPG3uDgvP+Kc zp398ri|Tmt;p)oA@EwIU7Z^0!^XxLnf3EVyJgRucGfb2939eue7tMa%78X!NJg?<&=vsS7AuT z1TT~3KuAE#kC z@`p!gSF5MJm&P32vG{=!Xp6M>TlN=qQZ4Il?j{fu;#I71l-YR5{@z{TCbFEAP3tDZ z?n5cUvqS_za*`GD!Rfv@KzG^qg*ohE-2*3jkG<|ZWR<4(u3Uf(z@2Z2W(*=fA~~r0 z@$tIQ1PP_eu?uLD3wwH$JxsxbXA84>{eB*mW_NU0If2M4BY~Dr`3Hj8?qvv9x zx|d`UL^P)wjnzAawqyivP>kz^2=_rKS;7$K@M|<^I*3w`XLKp&AFmomdKf1XW_+Z6 zJYS{RdwX{t?lgA!KQXBMZ60&`QQ~W5W{KZ1C*$-X`}0S}Aev?Y>vE=K0V&*u3cP=$AGG<^(#4p5#`z}q%P={pZPAYZ z`XByfJUD3(MR+a9{tqDGoA1khZvExk{e^1uWA#0-7Un-0u$6mYJ7(FENkA#^O67Tk z+e{EIXKn+|Ka>{;Da;krV!W_3({b`23|Rj*coogOq@-T-`dR37KmxY$c@bl^JWY1dSb=y>5vb6>N2`VR;CoYW*tqLqL+DTkj6 z_usLb>`$Hl!L08e{8EX1m|4n3j61i79{i7wgMT$b{*Rw4rN`mk0%+BL|MLHT{KUiR zHlhlo*mLXz!T(5;`-k7-kA80*N_vDVWzE}hk^f7-vuMQAW{Pf@*&J3^{|1qr`ezOEM|za1ELBU?s>q;t^u2Mxq>(}70j%#m99YF zCF;TPy4NAN%3Yqz0>@=lX=lksWnNVG-9HS4G0(dh;NA}WgO%sG%SaM{6CwM%>gx6{ zpXSx~)T zcL@&cYG9)9cY$jL32E(3X=Bo{hGv!hyn$)LwcgO;w@GYdtSx3x`=2z%64^YHNQ( zGx((GDJ29*>pyU)S^GLeU>>I^%P#@{8%N{pFQuFFEwo~e z&QPB$!PZL==mc6BztLx=tl%m)y6R9adR-{@*umZzXl#8T{7POIlDs^g3NRz_IAC~j zJNbDw+5pKe^x8gHarz=T^w6C}<;4^9WYZwd_LIP*`vqwMSv%Q(IOYD~=>59}{ck@v zq4sz+B5g7gm)Eej4Ua)4Tv&_%F|*)2fO1W<^wFlRwC(V?4i+Ase?Mr7q=L2~PfGy} z3SjCyciCO^u}f`FG7ht`x~Ql2TI7Hwn9g$Geocg&s? z)>W=A#UmiJT^n6``;9A-)rv|{o}nvmA3XBU1KMw0C$4yMJD9pJglV9Qqi;MP6;EL1 zEPzP$tz3)HcEU&Q(d!1W|_@ajyp@= zR#}jl{55{BF!$uRbqf9Hle*t!P^e7#ME*%g6wL<`kEQ4RFH`;L+AMpeh8OUfndYYMMCbmLOPYDp#nDVx^CcnB?1Qgx`~bMmNscU zP|R8@2FuK~cR=DsE4BsaR+bl`2p~OPX}=!gdFt$5|eY!oci1i zB4Ag>+cQ(IeY#2NUCQ|pEm}S~nmDt|LI-L2k#bo0Gew;AqJJD%i6+ z+!o-)Op{%#-THx6$)VL8@S-o?q=nDTpd&Kra1WISLSaP;X9=H;(_+(M&Ywdu+(x0L zV<65u&d4uWZSv0d-UctZpCG z;UZ6h>k+5$t=kCs4)3_?R*FMksi^b4FIQ6#i_q+A8JhDmdo>*#ogTh4$iHeZD649@ zx*$m9>JpWf<cup{S(hTtLW8^jqr;clJ$3z*H=faZ}-J%OD+ zPNiY(mJ(wM91Y?T4Ai7TgzM3YjOffXTUd!Ln0+;r!x@hfaXm~4m4lC|_QFqcgV>MK z;*(j~xeDujS7_J8xZ#+fcZO6Tyh=PgkQ6D)r>U&OFS3~QycPs}86Z&pD(69zRo8MVTHJ(2(U zX#VRzSWzQ{%a(GU{oN^#c!B{Pfdbe=s-0E}TCA2{!(vMXeFCnhU`RM5e8d%S-@rSp zgo|7JqzavRRcuO>a#sYo3-|Mn0a%CMvK3ODj9-IGspUJC5!nO`*@6?P(ZQk9O@Uyp zbB)zG&WDH77M67Tg@bcY z!%U;!vF0f58>djYK%BhsmEC?`?@6M5(V#`ke81}2`{9{fNx4%9ze6@`9Y>^mbX5a08?c>=PDb-l6FS#hZ5Ds;Bf7>*f52?pDGC9WTyDrc9Cw}v8V#y zi|UP-7G8xk^S;orGURUo+j07X^a#m#Ci-nZfiMr8^h|RoTA2okyi~uu2v=BdE~>7( zNP*m@YR}w)SfA&Ap_zJE=Euc^oE@4U9IbFcd)%huR(nGMDqE}iD>t4d4Vn($8F<)X z5{b)BYF^5U+En`w7Qpc9x*~0+00cW}M>}2AM z(SeS!QOM*l6S)jKXNntWgao;?I7X$YFgzbgm6?j^Sz)pQjL6^t(jb`zoDE z`F1b!e9Z%al*QM(WMXyz$phHVOKABaBwt}qxP)62?O%7lL$Qk)$yNr_DgVP}R{Q3m zy-}?k_Hj6a9m&t&g7A>fsiekNCIoy|2ac9D~O)Gm6U~>kM?= zvL*=jF=z$)VX_!hdX9rp0wmqj1$fL_qXD)ECZ?#MX2iz_trfz`8_J+kMSF-{Thq54|D zz)~UmJ%k~#fxg>d+Mtiq_F|3(aqa>NjhowlHpexbsYvgwn3eSYIjjY~C(S%>I3cfF z%%grBtOTcZjg*4=n{WDvd635`f|3%!mwE&(h}_%^c{%9Ti8sTZR5u4#6Nv2V?0_Pd z@0VEJ*mVX}qc9i5WFr7HS(xq6fLKR?UY--h5~yZ@!-t6?k^SBzwWF{uGu>#v?s1g_ zQ#!u%8Ury;OArNpwq!G8Azx=ukH$c#RKuz9toW5G*@HlGE;@$pN~I&>jPOP0NB z)KRK|eWX^%?^}J#tyP_1GCm8PN#%xg_<|3sU5|Xqk>fo17aRXVmhG{|5NuYxjpV`O2@92x6KL*;2Y*;6AIAF^>w{8+L8mNO|dgLnCpLWMDQU~G{|Q;3LSQ8fV(B7#l||4Q z^m!vN4zV`o8f|l+N5|2oAKvl3IoiVXoI8k zKK@0@^Z_lH;SVk;K?)`Yrg-DGQL>J!f`PW?m8+9O;zqIizz+8=Cpnc-< z+Nc|G}e!S<-aR&!j~OR!5i)KI%_Igs;w35ru*W#U~Fl;@^QT7jYkHOd?K zAt+pzhEWrWwH>*)hl=^PYL5vC^%e;z83u+5^K|&%m5BfP9{$^<&E)CM zQ^-(mm>QP_7of6{sL`2`!~oM5h7Wduhc=GsEMGD-Q-d^OxwYRKYBN)$n@zALhKKZ& znjH4{TPwd{?8&9VF`<=67Y>w4Skq1=QHizbO>|vp>)O)c}!nw*NPYQJh;DXtEb921)08J z{=&aHsg*nu&7mjRt)*10ViUO1@@m$4#gNPRUQ~+796wj(&@v3lmbZN;&V457j@{0v zF0s3D+Mk&hgcqv9qQ-9)sNij&KCY^CQ-3G(SHa8ybmQ5@=XIxf zO0H>#^8oXYi**YQFpEP0pg7O?8^o5u^C!64QWdj!W6(!c`Ncu65u5-0o|0?E;XLQ0 z26MtfHd;Aac07b8gg(4-eLBdxNiP?_64*t`*ci=nR99&nqUy|WY2dXW3sVlh+AHg% zuRIzyBW0sK{>e$3QFIzMKPAR@EwvAbT|J#MZml}rOVE5b5?X`5OZm-zS4V|*P|{4} zlS$F@!86#fh-)P8`lwN?EVK{+g->vq6k_}dYkMx);1w;*&% zrI2ONrl8|9GivZgM41xJ9(h!|d=@U^(_`QBG9hL&dqSC&j2|ohL$Buc#M=s2vwIX- zVbAJeZ6P)j#b^0)I<0v6ZALZu0>DthzQ$#Ef{k%Sq`1JJ>x~&EBDJcF=J2%PM8Z#H zKTiPGVR5DSgh&2Wx81~}uJ^x5>Ipdb;x8QHT4SlZ!m=KBjlPM@na|Njxns;rPzC~ss-c4S7`B3qJ#WbeJQcSgv}jL6L1~$#_7FFKRpf+#X6fA zs~gBXoiU@EF2T~}px}9PuJlegj#Hs8O?7!M2IKgPW&+&gS6rkH@*c*-AXKFfm~1gy z;%{4ErN66ni1H>rLQ0iP0*oY;ir&(YR&)EI@H@%=`QnX{TSb6d=v)vpau3z|_~EPw0G{_`|m)C%Kf z6xkPryROV8GM1E`r$@8*GKB$2p`*yqM?;->ez)ULi~^O&K$^Z8Vy6IZs7!@fwc+YO zgg@K2_$@u@Ns6jl`&IvJ#Gt=qhbe`1WMd+Dcd0k>I~JMtMN|{SOLHj7dtqdW81So| zmwky;Jsh%knWY-k80`knnForU5K?7UjwxyOzEslL1IJ;| zWu-+729 z8wT~yxoEcZ;NVS~5k~}>grwZ6fs{6p*9dbTG;_B`4RbKD3AcqmYLqbgPF6w=kj`eE zVKTTEE&yz8#IZ1~EyOM}0&AZ9bJ&yTuHe1=4n801W_FI+nNUGh0pEgbw@<<+(8wqb z_ui8!A~3}sx8C#mbJyhwc4wymu3bSx1B}?WWT3wYvy!}l(8#0KY6ii>MO5T)M5gYU+dxK z4eUCRhgCKvF(R20OocJ;T_p{Bw=FLW#{onsg5R)lCoSf4t!q833e+^kzA+UNyuV{K zw?V(L0nA*>VKn!5qOYGxJ6Bq6m-aX@cVpt-wCk;_se|;ruDB85ZYtwl^cQCeAXH;D$;49lKNVgy&L=T0e z)#KP~Yp@uf-A@V8tC=gAR?F5Iy)`e-bVPE*{7zzlqmjJfmI_nf2g5ecg_hGb4s~PZ z?IcNOhjQQ>l~e*}hS`<5qL2%g>Hm_Je7Maf`a=2hYEqb z%yykmeYct4sjg;Bm3KTzj&?O7Dx59Ks#Y*po!V^OiOqZJO^|heN5nw4TeW1Xtemy? z?M7}$jn~bq1%;3Z%+*)$^Ht+5-!YMSvCjc^mz#z~MfzfRt1LTBn&%WLT)YR(YoTmY z1Fipyo|1ud#oBwsCFOz4KMU;i4(d83-Yb-?j7$L_{Cd>e8l#=V&x6#7u%U>U>GvBR zKS7@-TUBt`XoC3-$)kXx<2^>`$#?cb4l}42XeS)^T-!_Wk9jAmyoHm86h^wgL2Rnw zEi%fkeNad~jp2Qe+apDyhO7z9CLAW#Ea?+x1!Z^>Hk>)u$e`9KbWPsNCwX)*Xc!i+ zb*{i6Yt<3Yo%X9Px466dSAP?}-QN>Av?q!VV!iBtiHdG`?a#_bO|FXpFR2mZS%Y^q z`7gL?SwVr7-4po0PI-6}jJ|5X@E4z(^qfsFEwJpFDmuexcibZKo&1oTR=ziE+s-S> zy0odNH~PU-t7%KZcOL0TaE-Xih;*jl>kR%csej-BOjEKe;ZX?|m>B#6h{CyjULF)=2!3D9xEjTxsg zEgeE1j$r0b#eBN-?q$}C&T^pV{RE2yyN2NE{$=w)nlNZ$VVfFheTT1y^A8#r^KvwV z{g|F*+-WxLhLjKE1m@*Zgg4j^5R4!3KCFjS17Aj5VKwq~UyWvzg~U(S)-> z>|L@~)?76N4c?kek}P3@W2RUS7(-Qtrb3#}?Rjkad`}TO6BS+c%xFiof*j#Vavnr$ z(QZD#y5K(CE^PHwvqLD___pchq{l+{xjh`jLb>l4-FJ9!Oz zf*NjLt7Vf+XU63Fm@C0Q6d^Y!_Hl2Yrpj5}nG&T4dv_04wmrtpJrvflXa~_mU2KHK})qX>*J#1&%hN6StlEMTgtx-(d%=gS1brtE=32Lf72~p%_jD<^Z?8llF2K`#D%2( zu&g;UbJZ(SfRlHwc2Q;JI|zzzM2T-zxJqPm5EBt1^6bSE|7nYYz;B9Qk*QlEr~bs` z>rY8{utH^wR4cLd>z{o(*qT9#xM)>3$@oWRI_T&{oE)m>t{%Y!<`!_FPwJ@Dt2EIV<2rcllhq;&m^ctF`j} znk)UD7OAx$eu!D40i{(z=?)%60hrvSOf!VcF#HmtXE9x@=lv+3$34^ETOE>hwvlVy z8hd)WcXdDi?yvQzXTiU-ZM))m(eqbj#5tq6TT`$l#lPt=8zJr2vxSn}o? zehj^S*-`k%S8@8CaP(``TKX9(xQerv?-dUAz(LO#C6 zp>~)&=EGjjA}xnSi0`hEiU}%;S=*-poKA_l`Y1-y{3Hwt36M|XW%1za^x)LY4El-k zDLI)(fh(b*@|wd=W5Da zC*Nej_;LY|CMU0cT#&p8*NZSM8g)UgSew7q{cw)V7FId}rVR6Rh;})C`M;bgnwg@%HOo%OKV=#m)C9thOtAwH-e*wp>KG zmyV)oBzj}Ycjjmax{VSi<9)A2t&MRNxMa?E)KfRSyf&uk*UU9*e`Zhe$vV67r5-*_ znmEPIqQ6}8G<%}TpEWmj-WpM^3?-L;^-DB0st*1Q1PB^V2BRXEI9Vb-8|hEiX7h=< z+Ni_;t}dwISNe7(zt*jpv}KJR4;jDVS4;gm3cKqotVxlvJffaT5=7#$Hp!ANtUj<> z(y**r9pZz2TOfl9YbFz>vY2BThK6C#&*~PXV_i6wFE4#lT2WM}S=vc4F2xq~uHD>lj@#Eu`wrc!Y{J3$auf z74mQ{it!};sChN!it8Uxusd7Dmntt^GW=5J2{v1iT9*bi6DU*d$Q%j8EyuHj-VDeG zejNmzEk+^hrl|2JAX2Ct(+CRpZi1d9kvVRocg;Q#7b_6<#Umy|iKAhay?ah*VG5hY zMlD$vSq2fSH>p0ynZ_deG#IIKo$e?N)8vQVcwp^BQeYU zxIY0_F_UO$)fhE|!`7MFEAUVSx#s9}IZ%6KVfX zLGmC~NWN%4BXTj17y3PkY9t{lAr&v0)64`|nA9Qox6Ft8I=rQ$GaliyO?S$96FM%l zEJN&MR_gU)HC)Z&$9JOVpFTC;NQo>%)sCFZ_8kjj!t6hRX`~TKc;(^AW!umYaa}*&?z?xyn-E$L-;hW5vQQjqh6+>x|FQ zEKVlDb}3m-tr7y*RA2L&D_d6TN%$4A3URkNU>iNi*C2E-E+P<^lzamEwRZUcp4|P? zBxWi?4?4aY+YSpBa+-1|A=3J*BFxS!wa-5XIXX%1lNv=Iu6!SDA(ZBqXj{egcXQ?L zeUr$tO;Czpsct`QxIRI2lTF2*X$0I`?f7TeISN1U7at{`4MG;>+XUTV|O& z(H)W*_UHAq$eo#D)?5v@GY|3ET;?L*PB9!l3Q%?G%$%^1l3I!$&YY5~ng9-5x3658 z?M|vqIUsEXvNjEGAPXVx45T096CRac{hk*~&FXXjYjMjXv+ubv#NE7f1UmX=5fYm> zI{7Q21KsYnCEksXVNn;5U5)SCjoD?Q_~clu9PATV`$R7Jki#L$oQpmG4ngC9+@i?o@tIY5x5P?mA9W&fL8+7D3$dM(Vc94FU%Z$zbL;< zBmq~Rh~!hTTG!~KAlAe(W`4S%Dcxk~j`N@6v|VXc#rE7M*Mjqr>?V?^#AN9JqC$CX zURo>`$JM2E+D_xU3w}1{5SgF=@{X`5RCYXPvoWq?4qj_{%_4eb z3f6!k-AK+Sg1^$t9k;7DY8ANrtZvLylL;~MwF*)$!89;Cfyc+Y*!r4GS$D8w{i^fl zCtq|&Vl2!><}UsNDl8wYAl2|U|LY13Q97}5P#-PE=ISDrDGhUoFmFp^m zZI(I+9+OR^s3A6L8TJXXt@lNpY$E)z;;iaef`_I|F3292HOTd(`qMmPeD`4rR`JHJ z8{1lHZRwZ021K}XPn5Hoi6f&kCMc}xukTA1kKJjR>geCU<L01B?_Kr#AYZby<74yX<^UhI69?`dwUmcAiP@H8TgeW^_1~#zWuU?EV^g+t z0KNH=be5dxL-9_4IWt7vvHS~5j4KFOVoa=nJdmI2Gor7E1>ai2qJZ-l>|Mq8>wuk= zWki#!>V;|Y0yFcK?BRXnhwb((NA*>Ki}qrOIaeNVh^MOnN@p^ak55FE{10*vjbAn(i}B4to+RIit~+1Ki4cL3*fyz0}pyv z>5}RR1kz?TodaVvnS6~lJpusqw@H5g*s<-yU+fp4?i@1#W^Wuls9)wYj49(G9jb}S zOb&MIYftYsn-7;*9(|-yzD(Mn5=T-g-I@TKg4bsB0}g;e8*nZxITEpWrm>Kj8f4*a z?kt96#M>uD%JxsrtPmf|jBt$cT8UAcMEmi){AssCvHr6><9Gs~ptc~-%7)%&pu=OE z4}Tf;>st7y(W@bkXZOuX4Eg;fWAgfJCJZnu78u6q=X4*g2L(1_N@Xi2yB(R>0?Apj zpnKc()hx)+@$i88*JZ&KyJ@t1UcJJV&IN7Iuqry)d3rm2SN zxmxH6h>@864X#}lhmYqQ!Fmi6%0K8;I5w#-w=wbVX3SBTem_}=zfdY~Gx{;!p4Hk& zd3hAq`I(H<>{80Ckz@R!G=YeX9G&xwGqj++v{PmVEf_mIAq^Y?0nnlrxgFp$znD;D z-v0-x*i7_h5jG_2Wu^+q#N9M~6%|?=Qs`Pa@SX+CJ^d?V=f`hk+`44qU|w$M&t5qj z8NT(0{tb3H`ecTDXEAzGC^nepDc;21tbUy-7d!l|lr7kmCfWYD0rzl?*0y)sg0z*_ z#&fC#wl8z|8^El%dtBR8ufo?}9N4fp#%ohV84po$_U@0})f2WYo$*xseuvh2#nS^*7^>i;d_NPF+EUN96cccHoV|6y=VFK&IK7;=~P`)rwPyzMOens8Q4u zuy8q|O+aKOu|j0hvys>4A*973)eLJ3qI~Y6jA)W#oolC-&0=z;IlyR(U~GvK;0y z#^>6yL~#le+f4h0!k=5>L|z{w0o`}LyL8h;??6SO za1&5Aiie;E*J%v@#0Z$J#Hdja2QfaUQ`)bD@p2w&!){L?zJNL^Yz1^rSzrn_V8l8u z2Eo3dNu`9o=ws(>PV+|bP9Zbho2cJXgd#r(=V}VW`L=Mbi~Kv4VhM| zMEsCj-lK|x=fwm%n`>{L>-a?kxaiH*p_l^AK88AW?%nV^1qS8UlCe(9tap=4;VbrK zSshn$!kyt&-mx3Cl-})jKjpTej^S=MM);d)bm1@fwd+qZ_6+LSQf&V|2M=jT)zKE96RIK zSrqk9ijdqW5$xz)&Y||YT`ZvBX9`mK6y-kk4lSAV#f8dq^Nx;byRZr`>|shsv(VBf ziOi8{ZE&H)^@@KtSp|#lU_X>X*~g_Ja2Pz$r2m|e)Nt|aO5mE~G(^9vDn4NIX}2ep z!XA402WrfiyDP)?{dhCCze37q2T)WU787ONPvE)Rh$brg7MrZtEp?hB&6}>4l^jv} z<>`+`D41S*AFK-B42L#S;k%FOZf! z-{Vl8+M4+&UEr!5KsmDxl~Ha1J6iYI9#iDXqYwG$V$N{ao6#49>f>4@6WH;W7d!oA z4?njTNwjY1FzjFE&=dmAS6VJ=^}_0j%Hu|&$L$t9+A#9HN-?;Q$z9f>=^;r}p&hf;xpR3J?xQNz~sBuI|eojxHD^$0UE)wD(8AW6S+_ zXbSbCqZQJp+C$^T{!ZNce|a|kLDg!??>Vhe`Sc~=$#Gj1JpzeQkM1~jyaK`Y;I~1J zVFWHu_elt-gsDPrw#nrAVzGIZ53lwqQZPGW^`X8(Sf1c$2*>a1v;OTlpmfCoQ#(RlYbKPucLu_sxvnkxr1J+ z>brmvoBJ77R_zEzAyrSq$FA<{H{OVmYhFuY+@b`%iA6wljNc3J0VqvZ*);-J)9x2O zSt#0gBN#|NE}=P7<)p^jz}G5-=s|LpB?t!?olK%2?xsr8;_lk^e zi!a_RE4`_6I$meoRA>KFYL5Bv=Ytq`L63;E?lZ5y+@Tpp6aSilt#Wv|dh~WP%l*+h z>KT8|de?J4t_tyf)`wkPC52Wj^)Mvy559P7_-T4O{|4wh&rw`I>YuZ!RtWX~9UYpd zs4eR1CGnI#9*Et}%KIyV4Dp;R^OMV7k4F(qGW2_%IhzY=g}5gw>L^cq$VVfUM#~z% zqojl@|D+a{v`LQ>+ipMk99PnLs;Jl&P^HLK4`Aa&URjEWWO}KP%bCUe0o9O`bhVJ5 z&r%?O=$4S+&yx*zb?~vn)b?E`x%BbgT9Uw~yywF8oQ6Cv*3F8q_3pn!Q@iE&eN!2} zms?DP7r!qwyV?Wjz#MHH@d$)8d9nP}KJPxf@8PKlV>oU*R)naJ9hKPK*J|z~kaD{? zMGZ5^5jg^fTkYJei~pe|2q?$-@pt+`UqmDDMKk&H`kD+wKd>LxKv^ok9DY@ti);J^ zbC3)OoD)ete*w8`Rn#RiWcSeIV1^zGQ59|S+kWZ=+7zg*^biPib^LUNP|C*2yz%Za z$9ypHZ1Y#E>6QS?)k8pezKFr`%r_#)Rav+Ot>#Z0GTHL~2OP4k zq?iAkL&lsWjoXV|7*8DT%tL-t)?28TdAsxEtDlQ&-YG&&qAv5asF?c{OG(v5D#f-r z{_GQ+6b0|46_^jn1@T!j>}$b1e%E#$sy93nT2(s*AwcAeBypn5vspNP9)KVB0!c$kI9BTv zz;!XPnYSgB$paq?=%R$hQ;9ooD-OaofR==$>1*NIcl4P6mGh1N04Nhb#4@~v+lKfH zAQ3#-Y4^MOcSvWCUOp>pI!DJh*8gCdld<6rx-HBFRghMjfVA`Sudv!3wAi%vakmKW zb4`(|qKXXUqF9f=JZdS)i@U^tqSJ4oRR^Gh#)>vGz~qLUi1d@kvR?9IM}$)MkWz{cx0`gGvjBZfym6e+ zq2ql_=w#6(;&jB8mlt`_P_U=SU?p_e@D)c2dr{C1t?hhAXjZEBSg+YWb*D~}p#3F) zt0Z{K)`}0N*1)PkmN3uda65np^#ptdXB)X8$5Ah~DYExgu-qYogWs0fOsy4WH$!qM z3}sl-2^~H*30sacu7jI=l4A^4 z%L$&y+4-nnMg>{7q%Rgw8 z&)-Zs={IDs2pGCGSKwq;BBo27Gu!Z)YErN?e#Mska)yWRnGc`{l-; zW-Ky-Cc4rN{Fcf03vGnE_D0Wo7b08G?#NpUaHgtK+00qgNXN}^oEqFivg$7b`7Hkr z^4YvBZsmr)Un%MQEiJR=`$E;gi>XYy-!Qld(q^dzF#mm$AXF|lYhOps|O)kh^<%D?Kh!Hu6fhKjklQad#M`jM`3uLhwq8t zOzKpMLVcufAGIBb$4!U3Hk%e$q<|C1&Dv#gtMqWfm&yirVefojXN_~cI zXf66z#vQc?9>2}CMfe6)3RE`yRWY~Ujob|n?2uHBXI-T4YMES0AQ(y{GH)~i*prEByo+hGS2Y?sLE{9}<&+L~ejhpi{B^+UJ(#7U^KQg^v) zPKJ)pR%>Cto=|7|*r@Bu{Z}4ET28h&-`C;!iO&~MuTo_=uU4*VWfNmd*VI4t@tn0* zxPF1;vD=*YG`JtgR7+V1W^@!?of1@+ZDI!KrxQNx^1cWyQr(FCabRTJfx1CT8gjH- zmSG$kyews4A~XB2et?SbEvK_t-!bJLm306s@4|cArNgGsUflsSd8Gi=&Hcxrb#FiE zTqY+qsLj!{h_n82jg)D&PL3W=PoxJ;h!j7dW+{}rt2V-~BcLiW=}MuB{Oz~H_9ic< z9){^=P4M@B*YNiz%tt?2-U^Csdu@=*7TH$JREYDQMgwwnEKXqfFI!o!J8+eN+hycE zaYkc=#p|B9fv#jLzFgzB=j0QEPj;zByVB|rwDr?)@yX{TM)Ak)^NhIqtJ6AUq9i=Y@EmYqN>8w@1k$Bz zlMk_~%d(ioW*BO!knvxgV3BjFug+M}r<-;d3hG}OSD%GZ56@h5plmAGi9fdtV1$P~ z)O#nx=cYrs$YygodKl+f@i9QMWNljl z0)m1Hm%wa|qBIBi|HPbq_x>c(&*;u&O8+l3T6K5Uoy`=t-%kU?IS9-xc=^rE=Y+^~ zK~Q5*oGYX;fDb{Ms%|bU2G7q6GG3+a{~UVulVS*m$^)DdlU^xDlHIDTDq~z5+;Q{` z$n4GEV~=S|`}x3Eo$TkS$F7n_qXj84PcwB1%iZXak#r>5UH;&DJL2p{$(m=adHFaSNz|=|L#H z@G$I~0fon-Lx_a*{n1AMtUup`(I3~l83ffa5d`>YF9>vrTF!PV01NHivNJhCKD(=M z<&G2jMMU$Q$4{QJ_-KMf&}>24-KJ<~#YAaer*LG2Y9ARUscztp>s6Z8E!3W$em7vM zXF6!*L~YQ`xxVOSPrM;ohuh`}HM$nl4cQB4?p6mZxC7cf4Z(#uf~}JQbp66c5;K|S zmPn)$Mjaml`&%%AyrpqaW<8Mg`n|X-Rd#E+BsY@Eei&ADqme9fo;GaWcQV;_Ve=lp z_9GQ;{6GTyiA@&G+AJr~Hk zw^)5Dxu5EKc?sf+Fy2pKs2O*ymwJERi_^52AE%8M+Ohl3P?S9VN4t$IA~DB=KYnI3 zHRaL13|fvaS}8C5c7Eir*{|pckk9&2Zit4jvq9(PZ5eEmXLG_z{QgM-`PMGG)7=wsOXd_=#iN#Y*!v^ zL608<`^Z2bo8%mY32n=uZ(zrF!WJdEs2yTcFi-VMyplqvPS8FAxFxsZ-Uw66_8$m|JXe1Yeh~lm%chyt)35LwK0Vs)PnQVZUXKc4DAvI*Sk#FX6rt7VA+aK znZZ;&;EBG29i;0qG#$EagLo#7^NVBFi^3_RT$mkzRriuftwIlFoKyc)4z3|bTOsUI z^0vrkV$FSGH-gjFX~$hR+Xh1qF$2xI4$iMDzU-E0a0je!K+zMJZ{)g-s;`#7xe)*3 zOQD&nb(!8tFr%jn-6n7=m}hR~(+(8s71q4aC$R2QlCF#n*vXk#l)JhwJfVTTEA1wo zb4YA>2>;L);Fh$2v>1z|JoQB=@XtVDPtoQ2FE?6}dI>XKtR;=k~#4GAus8#W>KZ!L@d$roR_eJ=V-*z@;f$YAc`1y5iR;H_%Bllyggva3IN2sJYc z65-Myv~=BWbx;ZMo{mlb1AjAuI8Ma1iX2EXv%3PMkIcv4-lt@2r~jRs>JMpX#ksFv zTYY^9;al;&HwiirA}DJ}V8cNOWbf1p7`umj;s^goD+CNbX~DvRnw2a%QArbyUM}YD zraz4qFW&S7I%golDqMa>ylapo|65jPI5N<76(Nht!QmaF<)(>M?L{=+3PHoJPjd>gHaWI4COo2$Z1 z%*$Q#N%2pA#g#Yb`tsBjS}Nto0JX8bWHm(gdr#FBPay`yvI_Fb!2zYR8%f`1r*_)d zB1HRfAOiP6BCuVjd*s+jVUc>b60zX$&2ioM^K0QNA^I!1ZZ;Cmw?E_m{`_Ts`l0;K zZ-uj9WM)XmrfJ`#v8`SiC?o?NrP_B;$|&`LqIUVZ29!CX$;1aRA!}J5t5#!&@f$+H;?F*Gw`H$pwR^V z77OfO%DB;RB&0q3*uE7#zW@K%M@VrI^;+!VrE8w~7d7hLY7d}iJu{N4niKgHY%TgU z*Wnv)k<*7Oc^aXQnjr~DX-G)5V+~Qc`N;J;;Di=3&=Szdnn~hN>weHoi;4dTd7&!l zA!K+gL&^jy4&o?A1^LP-R4-uEGUkBtNQaCDd1$%eNANSO0nWizcscqe;5L;6)t@Bv zI9S0ws5@pu#gYgPKuyX;vBB(Xisw@ZF+{1ny*EAsUGIYMD3$Fd*r!#x;SW)&U4Rf( zRw!m}D-}Izm2oPuThsKsjlxvVRumK7h#TQ1thuF;ZkUKf3iefdb7JF8!zc17W7&(v zxsAg3C6xQz-!=d-76do{^`<{Q#tRr6;}<>zv_a`F2`bd>^xoDKGD|C3NPDV)-3W0s z*iS7jflGDmkFWoC5B=Y1UfLBfMw>WpZ{Rsg{%zHSgQ0lp3>lEEKtCb2)_ho0oV(B7coH0(BBe8(FHQbZ{^hrUPl!w+v+ga-(HNA3N`KsVb8vg;f0 zD9%VQok@piB*vyn5en`n!N{ekIo4onvpUFWGX&G0)%0D;jvYSA`2M8c^tr~!DA5RWOFxG72dyIR?W0d z17j1EzaYl7RY1ZBiqYVOH^9t?2|j(AOpf*MCxCU~FG>9bt#S(z(7G(_i;f@Nw{;5= z;W=MSiYmcap^z<`?+=RFJ)_n@()b4vN{7^fb}uQPSBM3JbfY{OqHvV(DS7WTEKWlE zKmzuhoiDGy_}p0+LBso_O&Ia5n`Oi+v2Ov};l9}K=#<_^|c=zjACg^_OI zz?1QBPRl?2mMGh~=q|~0GwyQC_ph%-_rEvgK1ITKN9|B|R}|g6x6@DeL6>lisdW~G zV>VvHzg06Ce+aK_dVaDkDKW+-Uuu08-y2BuW>B{W15m}X)QS7g8Cv?B`U+JH@iWF| z9|-}Q*2J(0)_0~bW`7!|?7|4ST=hM8ul=~JidKB5#JD7#tM64!Awk1hJdsuidoU#; zX#CvxEr*njSpFi#<4{{Bd_QD@>cP8fQ;l@DojS&71cl(h7-cfE0j@!!b+H zg0&5q1r)v>-I*cOsBtLT5?)$3;k@niN%v2m*S|Iuk=SGWSX3U};3y3H>phvGf3Bgq z306gH0Lo5^5rMVrw`s@}C+5iZ{1^=523<$T55mtHK78t6e6zY@IR&s^l57^zp$f}% zBxp964t%P&nuhR&0PWMs;y3;Tgp@6kWI7C?{PX1K>{Jj-$ANz)Bz>2iA+;`Y9%|h9#r}7%S!k2X!83OsN=zw= zC=q}*NhQNBJbRxn{x7&RWwM%&s0rw-i)@yZ(b*M`1aZX=fqe31lj?2kzQ9L88}O?z zi@yb2AI|Dvm?=VI`$R7fXK%DW!|d-9Yk~M_hEdtu&N4LWxcj%`WRea|ocK0`L;Fz<|Cj)QB;sIhWTb#( zml9`&a=3WyGyOhLIb5{kx?_m=duzz!;viZ8VM*a-3NARQN8FTN1Hw{CGUJ7Jp(fxz}O$M&rx)24;@gH=Rjb!>U91>OR$vstLoJHVToB@j+`td5AF2s53;NqT z_@^fFA6lanJ|a}muf;BjR1qDN^WG}qp!orKN{L}+PYN`)ASKf1Td;O!e_p*-rYP$T zY`qVBAm+kc_7&wnC-@wQDjy$BHh4aQiK5iWLD&kYvUEiQhy@d~fOqB&z`|C5@X>lE z`P+IH>jM6@^;)dFhe=i>}p;0u|M zx?Y%RVd4D7h1)+B$5f8vkpR{Pw(p89`OrpLxNqf89Z@-gTdxK5lC4miC88|hD9#f? z0C~tpxPfg95Q7issJp+yKZq@yMk;Mta9Cg^|3eG7Z-Sqs>KEWeKl4tGhYRZ^LPKPq zc04ax2PGimxE6VlKG}ghl; zngg$Y56=ARxf%bnG!CM*3UAzwa!hZCetb_UV0ZsEC=0|XalFV1F4(%k_Nr~ylbz(= zmbTq;Uxy3}4m#?rLXvjdcS9^nV+#1{dz#KK_j+N+$-8=U8YiKy$V9H0}vdmT?{N{ui5lMl8~V& zWobdImgDG*h1M;6OP{?Ja|wu0(~m;Xuq?DrPxtGCV1P9oD$n#2=-hZehcKGQRHN&Z zXt0Gio;Q+TE}hCBtAA_|T&NM&h-!_1Qh`5f>UR_C z^h4_a2#VRJoPX_Pe50aXZRTf}T>)v^jRWBssPV}*gC7^>MO+XHh4J{!tfobtp^XcW z;>P(1Q!xM9q{;nXV^d-7Khpy(fG*iEOuFGIqG!k&uuIZ5#6dK-L8-eYS^1!NCCoX= zxSULlZ+*A4S7BlNQ7?fI{oV#uyZw++Y|bu$+eh3;zU2Lsy=i&KlYUhJ)`jmI>ULTO zNf`C5nMc)XsloLJNm%vVgIo~hPQMJQ*$*3+F(=I9Ol#}ZLuCIp6Zj8}sHY81`!DU- zBibR-94a*%sDLkZh%lZ+$zGL&7VlBd`OY!+kgAL{y9gdD&gq(A@e}1CK9dtCY!lI_ z65TA;96oi17`ol*0_&WNr+xk+9b+d!8CHRW(0bCsK3$0+hCtg^fN=ZvLR5e1z=G}h zR|XQy0;G2(zbmdyUC!iEjC&@$Bg2j-C8$jJnOkpA=J3s-q_SsYc5e{YbViRw#3<81 z`7@JjgFbK5-8@s+803o7+vF@Rj)X>CG@4M#($iB8h{e^G-^U2E`ly;NJbLCO&kN4! zlVPO#BHo=z9z5Kn@r}8CvZNs8X!7`C*;BK_jL3V0$>zsZKbzWF?9&KVyJ5o-n1ODv zD3FQqD1s*xFP|Hw#C(Cm94=Q@lyj$vaz}Ue?ZvTs4=Q^+e0JoH#2a60b8niOZj@<|L0Zr^DB$HOGKGnc9b)HRrY zQ0%VQ-py21KUJka1qG&4f7nW(GCaWx&!nAbf{Jm}b@pl-tLRlCXg&w7Rw`YNHPSR6 zo|{`gU@LGl75_|dw3Ge@E*jxAkqoW(;m66V2}P#^hfk{d#hrWfTe5p|et~8FUO%<^ z5zKnw$A_NIqEJP+ckEeKBjNOf^Jr50La19!#?{iiV4fFtYGJ!xC#NgBa)uAp<8A05 z_;7Z)8x%F9Rm>*Z8_XL&RGjM1>4fREq25p&3*NmvKsL0ZkhO6{=-OcafIPrC$)CU1 zO=P#uDQN=ElRBNSW38J2jn$iq|)+Aq@f#5WRkDbQBKjZ4_-k1i%)R21e*R=)w-zy&1-^RRSNcV3C zq<>fCF>aWfstiv`Z!!3xF#=WWOsr@1qU5Zp+DOC6#4RF=pxLi?)q5Udg-JW zakC1M_z-FXbS;=hSm55C#!f>zx?RieNW|cCs_K*`t#;V*nld{2S-x|#f(Q=^!Hwa= zj631fMm{s^)!#H;VO$XY5x!j#{mgnZ5v}`rRRfDOd1KdX*#bGc1%<(KAl(JK#d@%B z`tY2yS*xN^yiTas~FQx-kuM#BJxDW3>xwoDx-;d%YhDclRfn>yZeV8a#hH`wFd%*wxShDFI0Ec;~zf%sF?1!@M2@y%I# zjZU4R8pjVSC+`PtWs@9E9)42z*^k-7*M;(`%2UmG)N<8hHx8c4_$HUE#lw@XsiDuW zRPDRVKat6jkEgEgW~ooyKAa_`F3&PtGB`Psz46c^2W>+n9^#SmN&auyyR$OB42sJ{%smI$C+YDa@+` z{3=Z}JnR0hx@*`fuH$RlmOdZDXbXi}uIEv1oD)hI)QwoPqH;HU6v(PO81qffTpO!RmMDED~KrT$pdS7o;EQg=Lm`{xUK5!58gC1o5M9K1@(g79&* z7TAii&vw0%QbNTbCrcWrOQdROJd`{~bu`0>tjZr-LdXi zDfm=;iVdi1`Fx#`RkTvcy0S!nqG9ggUfWn4JaC?QJBcR zI~!uHtq#F07^`Mt)mE{(wt9^xLF{!G6%*{&@wO+dKC$NBh_1K3%JKCO#OU+SE_a)N z(6|--EY+3S^D!9Rv*1n%cHwaFij;-ABE+E(Et#5puLeq?WGO0Ge3Bx{2sF9M57ue8 zsDuWYTo_0N@GUSD)FD`BjP93gKx4ZIjjAXeZkrY$V#Mjp-ZU&SQF|6e{Kz&S@x^!o z!X(US8tAZcqS;OmXxoYj;;sR`v7kgemr=058d||avKotuHfB!TBPc(e?$#?MOYLe|>VTD~0TnHERtMl~k^t80xf7a^^U*kL}A zA9DtGKHN91;nAtM|v(bXf2!;OPhU^8cI+QXTjxY9A7_-;QP+IuI(+A#979O^O( zip#p~I&&dH_!0^Ya_GWC+{ACm$b)PetC1<9Fmv8Q&vEQGntr<&W;L$ql*y-*0*2=H zFweTSEk+?cqTKG<&6`&-QVsdtSf@4-f{l4w)TV)27PV^cjDFY@?tsL&I*pRoY%vhY z0ol6mTY7!kCStru_1K9jnAB#AOSickuYWOAU!)~Lbu3#;Pkn25S56It_ZQyzi_#Ln2DFQu>5o!<~M)ptKhlh zF+`cUnUqs_n5AVb%$8ph)*CmVeTe`!l?DZ!Xn;uY zH0fp2BR6?6@mhCrADlXxB{_b#qmjx&>AR{%en_X9*6-J{bdgV;3VK0nX6O z)a<7%JVG+-+sn@$ua8zrZr`2`sp&y$i0KXpZ$p#P&7wYhb07&nlNZI;LY4W4VtygM zyNnS=Wv0(DdY7$8U}@RWmD{9z*b<}1eA!_>M$oWoJMCA`Yj5Kd<(%OdJtyU@{1Fyq zrzaepa=!9~W~noPN;B&7KgO=pr6Y9>oMk(aa?9~qi@C|c7HAsYMkT3?-m!?6OqTO_ zeP|CkxamyH3}$0xFBa77ofH*rqy@2YEu*>Th`!F2cBX7v z>T+bYyF+^~2r(YjHftp14sP67Zmxb;A1e>d_xg=UL3&E_X}7~KSSWwT{&mLT2J7n~ zW{J5W^y8K}su{zGk0#<0Nd*X@Lh9~=`4i==ubF6FHunDHyudz5cM?xY@rOK)WR?HJ z+gnFf-L~o9ih!haNvI&Lq|#xLA|(RSDIg`%Y`Q^0N(=EW_WthcI^#G#hlPu>Kkx0ti38`QlE@wdmZuvZ7JH7~n4Og8 zvtgksN4*x4uXV75RemV?)SV)(Pm_2bySndjkDpR|&xT11URJB4(eW3l%M`S(AMP4N zsfh?oy|C?}VO=d##ie>V9;2Ie>l4rZ)WLVP532bpSwMr+QF`)Wqs&ZKFx#SH%a!Y$ z2XgQ^4YL-}PWt|X>9{guig!#OVj-n^nk)alToE*MW+Fu@Q z_Q>Y)q)zBE8=+(KBi-WVOK@yj(pID-I8Xw-NcsaXm?#Oj!|71Wkt`=+| z_c*jFHnF8TlY}3mK`L=r46^8W1ttat(L&>|@e5U#ndncN^5Z?n6i;E;gmZ9ZQ~HVE zs6!0NB|KTI3%nkO4#>kv*E<}@%Pkp0PX@DZJvdhtKh3bT3CSKVZZ3CIfLId>ZLRvm zA)U|Oc^8pyWwOlnrPGDIT!;RnL7Bdv$xP{rzHdT7ZQ5)|HTC12Ag!HK{n$w@%q*qf zkSPk?jlFqvmdrU>^HYk0Yw50IN?vW%K3ZI0LVrgro`^hArZ7|YnXD1XnCoi)yI&ADUcUsNSnZ71Y=`>L2Bcv_o6 zw0Ypv17Se#CX0OGq{dVbH5Q{5Fo=eS;fG?k%G)PaZj59 zr5er7@HpT8X+7O6PIdD{RR$~!6k|mi$?kmgb(P+G;d2Oaw@DVISWg)ACh3rNZf&5d zySZX30+)k~Mr;|gLL}?jVH&W!9jAo-) z7cQ?SV<5dN>!$=rGwDTDPYsV%o^6v1dv1=*hnxLmUtHP~Ge#Vnj*k z^f1a$>`yxv6UDTWlCW>pZ-{T#Q`f5}G<(%wq#3$H(y1;GTV)nxzUuXKX05fOu(9A= zn2Li>G;Zv?wGV0awzAQKCLGqpV%Av3blK^4fPuv^hLK$o=}68DFLoMZ5Or{zIH#5dbM4*EY7!%!~$zZvGblA zC7+Qb#OW|uT}+$Fd<7&logH`@8g zM6--tP&Cp`Zhtj#sxFU51VU+4J}S@@AtjE=-QHN=kH5E8g|ByB#vo~}C-W7b!t1J5 z&if-!Qg&~J8cbMoRxQ)iq+IiO?2Yyz)0`JE<+)3cj`81iXmFl{tx~EvKC5zdTeXHNX2<;g7TNIn(D(gOcFTh9_j>b#<4ioq zH`PK8MQO2b7|w#}nRxdjcF%X|o+(%l@NcfbR$f|YaPQ+bp6Lv-1q!H(^5$1*mo3Bc zc3If=SEW*Aj@PG;wB6`8AF6K*x{O^AB{qCtV-cu#+w;{gELvKZA35z!8yc)Fe=N-p zesgEgik<2d_AU7-h}D#AvqrCyJ=FNPvWQ-hQ9ugw`iKB_5kIi!U>qHIJ|g~oNR8i3 z^61NgHdY$*cp9J7%y|LL)^%~f701jnkT@V=x4Jvz|maGQ} zWEqzbW+*oXT~1TeB9t%3r;SL}xWzVHT)+9In}71PJ%-E)MZ+c)34W({XrDODFD5G#;$d5~ zcz0S120g2$B+Ds4>boOsa)_dB>+f6s2TwG-Q4O`aE@YM*+HtJ)J8yj9GayGPb_N%RHqU>Iv#v)9~M}h;5 z)HKmbrk>nv{k>bpdt?*?@>0qx765?wB$^ls5x!|;ww&F= zp%0aRbz>ztetR~)>80I&;Vq(;T$Ifr5JVsWTt8~j>vk!u*hjpPTtIf-5w zosY`vo4a(jSu*q>2bcN5sNlh)6)evMq-dYIt3E}vVaRcO8cVtXf)m@c5kQ69a2BCne8n$j?QW2Jj6S4ypIZsdJ4w z45yvj`G8Qe4xp$~DtjNby3tVk?8u`eE~9wR`ADmnB%<*GhEsc>AgPSOwr}z)kb5jX z$eBhLxBlsOo^J{AHPaQwb){9)1Pow1XY+^g8G#g0=SN09Nc*a$@NYMMf2USy+yF&@ zE__A|hakW+p-3als<5jiDNkQR4Oy$lii{!ip2uaIUETzK3J1#BO-E#2`S3U4D-{_o zar4D~1B8b+qXg#I&F$NSVWitT@z(pHd}SLPQ&X{EcS_RP%v(bn?42L(y+7AP%Dv$h zn5ImCa)52(v-j;Vp?Ux?P*OugO)zEwbVUoHyX!1I#g%t265K$CygnEe^5HAs(sNv1 z)SKt|Q@gD(axK`ASuh$kkCHg#;K%cS9bR<%Z?kn*uu_WsI=SVE^DbwlRb%d9$$~% zhQC1fr8Xa7`q0XCoV^ZeXMv>?`0uZ^NjDQH&vp#@kgN1A8LA4!6fX>{NTkm-R zYs%-@nR}Q5`T=TS;O%~Y_-%lJ6~9H6ZP>o-heX(BqHf@1Ck`5IK*jUC8xVN;b*FCP z9IIR3VpwTSi~59NXB$?ogJoq*LVdm-k-9cI1^5CASiaw?4CZZq;}CncD)P5J{BcFs zJtRK!4tgUWe_qPI0ENLF8K3ab0d&ot-e4SY)+Gu}Tg^`qg?nT~SGT^p(^ z4?hqKKHZ5StGEp#8BXP2lRfqj-O*5!XNC#6O(25r_Lng!6 z(Mu6VLRPfl{hL#t0A4e3VfcO{^>V6iR|naznZS0@ zMOzD`H#iHbd)6b2u0Int;M{IXBeD->N_Yn#qe)CM8SRZLxPv<1(`rCad8i*f^ZNcJ zJ6$d@wi5I1#^A3gcG3;8rLh1O#iRsHq)-4H)zwSIZT)ET2sN9~OSJe6c0l#GED>cg zRERI$52Pc>*kqb|$3RqK_@VJ(4~!0tn|WW0_&Cg4mBe<45Lr@FM>H8M!ofxi#1b0= zGkw=t3ZMC9NK_<)fgWzBc6JCl(NVm={0%q)K3fLvX}To-7UZKAcPshc^t7xXwa(V$ z-Tv9o!#!QXs@lN2F%lYSPe#dfKWgY^BM~3_>D44g5uqZ&r`S=Zm;ba+JdV86N1$uf zG6|%GpvsHrspIT0%q?{6oG?%Qu7t*Yi=DI1IL}Rlht`e{I1ZBNJcRx~$sj~rz@n$w zaTV6*Myhl9_k@EB2_p(K%+g1C;j}H*rq3j~14{t3vWZMIwn@_%N|KH=tP^TU&+6`E zv{GwQ2NNA7cYou@_a-%wlVWl6Jl!e*hug}HznS}6@3`sniGQv6omLAW9%^)szf=;{ zli9}6np$B+wA`I3sldkyIVf-uVfIoqd2#_qAyq!1sv z#kOa|W1eu2f?WuWZo_3&4e|h$^I`#mMg=Oo^9voFPNzbR@cat7%-AREjs1e)xIiww zWy?|g4&VY!2`e=`PQIyUZA70#`*9iKFl}iwg&l{+ZS(>~74=SVT9!e`7Ys<3h3+XB zVp8yAXP78n9bT@6%2{KAXw2K79n{vTIAL3`#dx7h(5gx;;0X^cR{>LgCl;m8o-^oe zr3<(#7Z^7nIDtJvzLVkT zyJe?hx10*VA( zU&#QCmfED_8S-PgR5~#0qBi{Gwld6(34r;aiN;xG1wCD_ABH7u!QpCYpq_bW0&mLL zYN2t>YIuu4b>DI~@*)w#3SSBu+g}bSo*gSOq_=mC!1q3p0vHNR!Pt*HLpq!kE#lFH z#$ppQ&`gPnx_)3fGes|Z9wOKIDkE+)*WQkH71aVUtO^&^`P14c{H1#)#vX7lSWZtt zBD{rvFCqEnR?6D#AojKmK?3HvKQ(pvY~#j0sxyDiygJI6Ze9z#mk**@&c!#5uy|qVLdQP$3Wr`pz0DT+bU*ta`(VWNqpgg zQ`n`dqw2h*i;?1nDQ#&Irkppg99~in0H9ti=!!^nJ>Vt9a+>(+Oc8WfA$H7!l<=dA z5vr3Yvw_fS5vm*-`BrN4rb)&og%|@n z)S^+Mq;Y%+k5l_?4gnjISBNT&kz6vaL_O!4TgfiaEwF`+$rK1m)le}Ek@nP1zw)&E zL3$K+J3O9*EVgs&xAp+qr0~=%*;I!$)&bx$reObOW|D|G*M~)oa0JIfB!j{--Pnbd zQ&EbB*RAU94n5ToyCTSM7fe?{BHoUBStd7G53zciiEAZd5l(|BCK(PXr|HHs?iam} z1Vcc0i(sC8Gy;Jr8L=CymkcEoS`x;%uCT0Rj({ZG@FoJ*@*%*)DgPAUoDSot@+p!H zh=RYo0TdOUM#XxR$k~3IB%UP7=};^&mw}bO4K(9QXc>Q`>N1+EM{AdeX>jKQBHM1s z*Etiem#fAZH98XfU8UDW=Uygf?Gf590$k){IT(KW*28wt>3#?5$Sb>Iqqe^bce36g zQ_R*!4GR#fl|}h`THFH%Q|J;gYEOk_e78tS135tUMT*ygJ)e@=qY;4GdxUL z%bM|8M*@}jGIHwhWQlDJrtY*Ts(?Q$CBfq-m1f1!dOp#i$1`1x4Nt++Ux<(q!i2m!;1q*3n{P)mr)?43!uL; z=T>OE06R0Xryw2VMCZ3X5XvV5JowX}gz0GubEWpB8ds_b-mX{c0QpjHaEpVB%A-If zBe3CWt_(|t@+AzO4z$*MBV{`IYg-(QEN9Z3*I29zFxGEjBJs)t6)-ze1{&zGbt4qs z2|T*~_?FagWj)*VCq)#M@6|tC;MZ+%gy9&wWB1sgCq&Fo0pZ}`bAOsL66z@fz3v+6 zQIL>gbadDSpX4{TU!^aazt>4-ha6no=C`8h+*|LQWG<-Q3>5+eUrqGAwnw1Tt3Ox& zMvahbWz#MoeH%y0P4{O%T8-L)@6V9BC_FGQ<;=a}K8V-!Vggj?fLiPq$QY7??V)V|=WfA!jW z!MD_VoWIQD$jO-Nfw*U&0T6e?dc*AK;Oa$<1a0V3ZCAn89cH%fjsCb?1vlX!-Mh_T z|Ad$iW9%L}CJ8yRFChCHMBHrg$gokWx))r~wt6&ve&t%gdSJwt**(eyq~LCw>*ckqat+K8(pFVWaQ6ApKF?_kCKPG67chRUbx{ z*mwtFNH*R!m=InXFES3Y1->&VQEqY1a<9Cwp&ft(^X4aI%8W0N)&Y*gUmguu`ZT`f z0)v=6``v{_m6Tz5x?RP-yVl@%R~%?1L}z9Xlv-*i7gfuCmm0Tjxye>(ATxFEHMs9+ zMw=tHDybM(3~W&DmgMb5=j6o}BDuUE+Wfv`yt2a%nYJ(`-pE~~XlobRq9X06jH&eG z@-1@%@`I(%1q2svGx3Idug*de`k{t=sliug-NNr>))N_7S@t%Pemo_`aV^J7E#gDq z*4HoQ924+wy0o+?3umIk;WxehrH4>H0D}F-$#&MG1zQztY6|vUiiU{}w@_ z#9t*@@(9y|Uizk?~Pur4y%L&^A&;ERcR9K>tSCoQXc;oEW_)O!TVy^9<; z#>k+lX&tboRT)Yt_01nbA^75M7Yr?dmex0@<{+^4sWf@D=EXm)XFuG#YWY@L z`FZh~-wE9K&aUb&MCxotMGQGF8h^FpHkHT<^Jrcx7apiPA&&_-O}b;Kl-dD zHoK-TP2;D#f+}Babc5^F~XByDLLm#lhwGWBiUKox8Ts{HCr`OKg3xtCUEU^=E0 zU;Lu@rAnq*6{_qdGl3L3fByGuvlbHV7vWRurEL~RQu!FAiuX-a_VUjE zU@i`$4*LO{iYO8)a`Un3iieBDI%7aLPc!1Mh6-Ii&h*I&*|q^@Dto5^OOx7d+&j2b(p-mC;iE0^V(984nHRsZG{gO?8)#h? zWx=u|^OTa|npMkBeC}#x7gwoDXm~JVwV_@#%_rZ-uRw`3-4h9FpgiT-MR=Gk^kXy~ zf~0yuWoaZOeurRxP8f0zci8N}{XnZnp4^O{29H3bsG>4``T||a(IH6HEoWrTEjtef z)3iPh?yrfyR-ob9eBa>3bA&9~xYPpE7N&`)C{m*HN3Nl6$%6KC3Z-)Bh?rssP$&cz9w@(|1yZrzvT4T(rnWAl6u(;vJZm92gtd-wb znkN)$;V7r$vJCuM=80sEL6(dAH63FUEjg@zduo#{gO@c&TJ?u{>;Ns(LF=S*tjYbS zk1Zxi`=_#Qm>-zU{+1diSqHj5v2vgf1~qwcn$R&+z-$*N*e)&jp1CMJ2_cq8DsTJv z3J@@Xw2&o@IMB(l;F9?~h}rtz@plz{*>s&xHe(Y&zrWAt&%oCIsa6!P6<{cS`_K)w zfS`tr0eoQ(M3uF^Q~8)Bq0_;;lR=lS#h!8RJjGd&F4{eGnOqVyg+Cu?N;aI-gN^-{ zN{IQ0q)WTEAz69DmOS7zT3|(RBh3V#DFISaF0ZmaCRI?&Pp%JMgiBwpd7`3Gy!CdP z2it%s1~*MvBe|2B2Z(R62$JZ|UtD?a1;}|0EPFP$J0v)0FkZE|fre#UuX6sHMcL7% z3t>?3lyi*I&Vw}dz)I)c2Xr`Q%p1j{7 z`b#ce8CO;__J)|@h;MWSmnIWrSiJSPPW;a-0Q=$lcyo22ZW^JESGj~N*-8@KG4NDu z2`1E2Ofu`uX+oJJ*8Cd!LGig1FP^pWcSK&Khf5?+o8fU&LgC9<`P+R%cpqHm4d@a$ z!AVusmQlJL&3B=R;IUZyL7%&RzK}cJ^j#Ek??9|p5#D9Kz5z}#XptL*NcCo zh-({+1YHw64BQb5d%L=GF3g+<>4rN-Q}76v2jwyV-L_H{WpQ zLdPbUaWE`9oK}Z&P@HYF)M3IvN=+vS-f_fnTiCm~=zRA6P<`jKWT*@D(L0lGyHOxp zdr<$AAy5}^cjWj~Txxav3zomxhL9x@Q@cmfAH^DD+uZP%xkij-AO%2#7uZI2?{6tO zjA4D4+#@eQb;1z8pmK?0XEj~Yet#5md@X_7u*CNOZ}|t>{)9F|8}t$%rx?+mi1a6Z zpBKkl>vC+iyJ0h3P$SXc%-N^4e?nH5vp7zlFwRT0FdlEm^DOyaJ&6A$et|i`TP^L! zr*_@&SJ&766|VPr#7=ZpWXDsMS$e!O8S~&u^*_M%)>5o~vB%+uITUzrYZ}Bxi83Qh zx59^OJrMs1T@T~sKhpJP^FK;~XXRzKNOk`G%U8;m;^cj#J;0}26eY9fZ}tBPu9vBz zM)w0+wsKixN~DCS$DXKs0L%DpX0#JYD^*>w=LQ=S1>Ik=^+r6#pY(;`Xa`+k>a@Pg zNJts_vsV8gZ6ADYSWi~vn_Q^WQd4%pmRs4eOk($A(2Z88P4m;BP%CM+ zDv~Tt)g$H&Eq5-v(NwPz^wj^5Z9B?+b*qrSCo|}&xUd~VKZ-U4yCf#NUta6C6iBtU z%Z_U~SDh*L29pAsKQ^ZQ4!H^v$FJ-TNOmG|4isxAgdli z2L-Z^YSieuWXZ~a!II^}c@+_(29&{PLj>U!}Kd>Z56Y+oJY6_w{9OaI@r3dW>LXRow$~_3 zvHB(rF-6z)|AozGpmECMYs=jE!*KrkOw-%J4Fj5wgmd4xe01`*Cca^M>G|3|;4Yxl zbKNP=u6wdmnIYDO!s$sE{vyxKvhNh|HQYUFYWqmKEMclj)y5>f+9h-NnLuCv{+OTH zE%)gM%oXlq850Z?7Yp1%d-q>0`(=q+2(3BhgfacYBH^!TAU?UI?Um{H`D^}Uio`vl z{%GqU1~+9Z4{-UeIct-HQW>vvIc}iN%L`rOA((T7eo2DWmltxUeoEiE{rs2mNmSLv zpugh}kkh}PA=q7U?D)Q)l7`eQgjxO6Zdm;zqFll}{t<`u?8 zS;g9##u0!=34z6)^!9Q;@(V+il5*wistfpw;WFsOjp8K=?2E^&VqsPW!~vG;(N`r* zJ7P)xmCkqgKcn-pNxHDhVsG>U{tXt_I zr(UC~(DZ)==c{V_@8En>AO44MKHk)aM7r|C%@5$DhTe%gw^B)XZ! zWS6(qB{WU20nMzx`rEdz%weB1`;iV@_v1pQ&?lqS$YbgP@%8!(KK+mu^zd3uZgAbn zs%@iZ?J5t4yg>hu>5ADmF594;u2wLB=+)WV>~i%6)f*)&klFMpBF zccWRbs9$8*b9~he1ShR;v9ZII#COzGo9J{d5HR!h9m(k+tMn00?kpp#^W2^GhVw;D zPG|6e!q4bKXPhnVsk+xq4UgLXFpiWIpbGrsO+Oh%<^%>y3?ARjD#V^m>8sPJmRE6` z&|$4{P6)pT{tw2yp(zZM|67Qkk1iE|9E^e3jY(GCgh;aWPDlp)2ZrB!%-G8Q+@~4j zM`<5|B-vu`=dfHs8z77TiL&JR9yJh7wby&#ckM18bC8a%22k>Bo+-b1$8V z34Uy3rdnPs9$TEWzmrxqB&X$o7Lf)~PB zSAjtWMvF2(QmMZ~=HK-)t3gHqn~`kt!Huv9qHzpE@p4REjyVsuU&ea(5D6JY0s-fr z!WxS|<;zBxaq^4~da&~3L{oAyN!0~&N^5>~q~bA6(ZtcE@rivuQsLO@4Ucfguv1+< zmzkbrUQhe_uS^65AhJX3jQL#^H+boAXfu(qCCcR=A?R=D<0RKK$?YqJ|uu5Y6qnW?F00>(r(Bii^lG* z4=`4-n9X9)Swh%DQ)E2gC;fUB@N{tOBnvL@{oXjrP50Uw*p(9Vz0!`(qEQvb>uEyL_F{!~ZL^ z-fM70%F8?^wEWZ6=YRK0U-jw4iG>wM0h{jIU9Ln!lSLuiT>Uz|V+btqd87t<;#<(! z{~dTa#a!rq@NxrcD9GW-QlwV_B}=`SUI--1k)cC_G@?oR!7|uo@o&kbn?C3IWPw00 z>yQbLQwR(hRkOztFdrt>%n(tnadT7wiZ`ofZUn#|-qoja!QDwV+Y#5BK{~&mya?HJ zq~GXp1TA_VsO4$hR*7I`j;{yTcT0*mg8W>yj7uup858lmvr|%-Fsel^-tmvzrFXtv zRhH*qAdd@sIQxW>!w0@tD3n!LPG>}3`+nZOWsMroyae?Jn%jkZO(jScP2Hh zbVj9=i~!d60c;6l=8Ulc4thp10H$0t0satX1y$xFto`Ook@yKkT|poDLz z;Qw$_F5MG_MpBPJnq`Rg9=w;Yz>L5_!Zj0vRsc=7>4Cnc$h?~odHWQUN*oXwj&e;@ z?j-s`(gHXkG_6l;*}&x6HSdah`r3w`=!B1lm%OiQT!xoA`Xj&mTy;E&1mzz_QNG6P zXza>V%K@;-zY_bdzs|x;<2eMiVrT$9)n)Ode?s;(C=S}sb&`Pnn*<%ahQ7|kUfpY0 zN9S;W1c(ZLtfmeg-8u)4$_?yhp$Ks+g_;dU|9r5CWstJnh`)o(~l>PXpDWNF$TA0WLb z^^AS(^Ms6!(_Y^p$1FcnBq!f0xYUI>a8?>%`lDl$?G}cq#f+-?*Be`>Qa|Bf2Q3<190BM zSV2!$*=~K{oDx}L2PpOV@)$EV;V2*mld>PRs8g=3IG8>&s3BM0ySo8A(`+ERoqs3z z4i_j^FMOjp|1HRG#eR*0`f)RiEqXlXK=ysPQe!>)T+^qkG_bg>zY^BGy`!Z}^8uZm zq66UpDb>lvpeRxfhsh-#EtWR8< zhk*UVbE3$57C)k3116m1>gvBq3vM(%vrPH8ZMKv)Spzsw0*iZr!pC52nOmuhYp`dg z4Vb!{iU3d$6`5TJN)Y3^*>^xP(`Khx&U3FBQeR#O4dIbUBWLkJ`=dr+@jeB~?jb7} zP?R+(OLIB-@ra?>Jqcp2#mVHZpgC-f>Q9sp00VR~A2rTnY!t27PlHFlbDw_Ukuv)6 zINPJGavMHx>aF(=_bE7YF>>fq;-hIQ7UFwgCui#5HW@&*)SWU9R#hs<)O*8g=JM>g zt{py!8c85Q!WeV%{X5`K`F4s08t`Yh;?I;hL()FC$Ivg|fTZeMD`WlmH=^B@jx{(2 z<@DhgU z-r6Xqd^{Ju%xG@Rzp3j1_P$>D0v4C}Y;T|4kB~Stw}Y_15VVfYHShp>vAB4_;S6lC zswBvEt7V`<=lc0nsz!l#AQT$OF1DT;gfmmpk9t_6P4m6XQO|o@4)B|1-Zna>i2yi5 zXaeo%W6!!oQDW!=7H+q-l{WlR6#7sD$Xez;$X<$FKO0-%GnfHRjQrCYm>aJDKxcq= z=V=RSNQl{HB|E)U6#$6i8y8rygo`Q5wjq)_%?VOoSv4{K2LfP5{@)3J&u*=e)c=hD z7|IkObPtWJum64_-x@?3T#-UGZab~6nlBClf zkg+{viYN6rbKUrte#Z5|IlLuLX)aLn5JL!-pqn;0!I|g;UOs;CZj}VpLMIxut1BiLLMkTDd~9$Ze86IABA-Bh%2ktj72_j1>+H>dJkZiV0Wm`G9*-AWy<$^Os@H zMp9PugZNeU!QNu846sAhAzwg{Bq&BDL%O2++7eCe$*y+1N}b z0Eag#1zRJ6rXuY;H8Sl7tS>8v091<9v0Icz@6XuqGEa194C=te8#s^WVAT=J9vFo` z^|LO7jCJbQYqXFG&~V@u)k`usF7!Nc+W?G|D|39X5cPijbO;w9h6TcOl5SBaBttMU zER_w9i$Ng3q)6macQvf7xG)#B<{nE(i>KNRyXRx2Y0XzMR-7vLOf`5^x zQ&Ego<_f{CI{Ez)j&ZHN*U9f-V)YJwOS^l4sq;T;_Wr5~g}*m>1@5@p zvAM~mmi>6gXbs9O+cBM3ZheWTQL#OORs&a|#AHSj!9hjH4nX5%)q}Lo0XbT{YYSe0 zMQ(wQ_mx=j*;~Je0=_~?z=rj3yAJgC?ENvXFy0B;Qo@f}icWIv5E##rLt-}V=DV-ZOMv~ zsh+SS+NJLKuk35}UEkl`p{$DS{kX1pQ@2tLo%FE!Q4es1V1!HzJ1l`)!QWRfWd}ed zrfT|j9LF%U4Pk!xhAmS&tj10Z;nE7RJ1o#}zi++Rc@30m?UrGns@iQaW@s)CEIMbr zf#!*P|UE0r&kt0^Ya&>EGp8lTDg4$@Zb9 zYJsJd5&4hV{Eae_Zo?q@xvEzub*DSr8RIzhpYi*AH7`EXhR5X+XQwEzqN_Ile*y;T z>d=j2FR=Dq;Q7?3MGhe=UOz+w9Yy=Ncz9Y4*MQ5~c~pvDE9cnY?0&5s6yd)`a8WT235wx3s2f#&5rQjA(YGl&v7ca>jH%SJ^uFk|&F=Uc3e=6!o-1a{lB|hdD0Tyc@X>mc* zk@2bsCE=i2f(l&&?87lJ7x4liLR$j}x_TU$4e$(QL&^FeT?Z%DuW))7WdHBM&;B9B zZHYb0oh=cNe++o?NduE&8b0q25_pY&0le>H;a1^I<-X;Cq6`r*3)F~m4_nx!d^1s- z?@GQ9K;UoaZx7lQcDB^}Ap}Xa2XnMK9e6`tyMtyI@q7klk+|e)p!Btv$BVsVb$8H! zggN`+8V7wG<#9Uk9%#6+@N#*67GZ@>RjpNizAWbQV!h4tNGlUbhyn+}MWov9Hvr4B zt*8=8b;4&;N`T6PaL;Tekk&>S>VFMD!roSS{yDDmVO?dz<3+%j1;|U`53#Jca&UJL4HE+1;Xfh#OB3P(i zsC^kOdFKOS2fTR0~sqUL0_FfbCSdX{A!z5q0Up?SltRFfO%3C{#OLC<6HgJk-{!KHgN zJc?;N!NM4^T_1G7pZ5uVaXyi(^_g!m6sK}NJ+@r(?y}l8}`e-eP4~D_rfVo5()C?3$Gc#+@9g_*15Bo-K>*0%XsUXz-RIzGM zKI$}#Wv}aQ3qrn$CaqsW)DHEc(d3$qb?odq1% zc%C(&WTC>&_LbqN05UI+#smFk9qiWHiqkc}18&dA20BB)ymVQ=w+gGH(s^;0N69yc zg9$V=57xC`zS!yEknR~B5tkDvh+=x~KcKmKqE#M;1-v={@`dhHHc-5ci`7?xQELqIGGf9rk)0i}ETVtK*k-g_=Am z8$ho&US9Hbq^&Kj2-|7dUz?==GS9a^ic{C0NpT!ua@HC!zU%~_*^E>*lB_VbpSY7SKRK^mB zogK>D#mEvbp;WXEKv%jn(=Ux}@#W2pWcAo@X|~^wLh+dL#;}CS#N7m^!UV1==zbK4 zZ8x7TAK;tjdM+iIm2Vs=F2Lp5)$cTHEtqv&?#!R_!rCRS8~cW$s|w%^p{O<~!O&4H z>T)bmDihAXq_Y)%!J^hyZg%PrhSf>C2N;?A&%V3yX2A2c{X$RWm``!T)GobH zz16Yf>-V0HsPyd$X|#!dY|~D^g}jE-A)8^0gO`g=MVbAkH;11D_~C=f}FS+@%s-~KATn8JJZ^?*{O|GtOT`EmB%SV_>Dewg#m zCjyl(`$Jluz@8b}YvV+}X316)TP*x4uFz$;SlnMyX0V>1<6zjrIyfDkwKN`7PH|@} z*?5pG4)Owd-B^KqqFKS!V*sM7#*@VrCU{8a$CTK4NOws-8eU}@@`kW=_T8a#JI|%g zWV@WSSM77Jm7cd5dKT0}Q8~uhrXxrDT|@^x4ha)rbeghanWICM3-sWO+6yz83_luv zDLiCZRASvvdr!!HeONyKea#&q(+}2P1lHtqDO#mEd1E^I0`X~H6!seC#a##3)?I8= za5DEIUES&oM`lt6rM;(a$9VJgFGgo6L7Uw~(J86b5uU2w9CvT`>%`ccw#iZLtYj z?}&b7AcI7kI(YFr+PJ35zJ_Nj$i7OxpagdF?Ca?+v9EM#ORp&|XsKZ?HFRZb9bDs( z6JQX1KMo7Q!55i|g!n;DZ2s{K=2$hJMF3GC6LD54(4_oHs<8+Zh>oDV7(;Pa^r8v!!ke~UT&~S>#+|* zYD>Q@4voUDI!bZqk!#>8*j3DwGi9>Y@dDx@816&|XvA`E*z0oke*)2~l7;DgvQkxs zqR-q;k^Q01b5KNM$%R$L$cMoN#4Z+%1J|6t?PQitm++<1-&l67s2$w=IPnyJ{F%Hd zu7OyTXjs#hdOF&Z9N79veibJYv9XGQ8m18Gs0x_8R>PaHugdVbVl{I{HK({}>li%1 zpV9I;gRFJ;zNg>|!mGLR($nwgzKF|dXmqx)k3fWdaoS30pVs$~`{%ZJ;Qz*8LJVD}M!-ek$43sV!d?Mcwxk14|G|A2)H&JmRg~6W0 z<#x;E#y!GFP8r&(t-5+S`IGeQyS7GbU)1X68>aR1`HY%_4U$hF5^?Tr>GNKy~&B4X5 zx>(09-LaEJaaqf-*Ju}`usb(@I(BtLh1h-qnQ(y3hdw%U8SS$kq#|p$D|Om~20yk#q-_cI88wUd^(3 z{gn}@7(b`ovQ5G7Nwx11zN^RPrE$+7&AwZTD&Ui}r1f}h4J1M)_K2!+Y|F7R4){vu z-^X?Tal5}Hqh@|VlxM{i3a=VzI&s9V8bnoU800uRb-g){b)Q~OQ<)MN zRnj8|FtAdfA~Ve}sJ?Ab?`@@-0uaP206|nE_r-Vy16qn$2C5sH#B93KG&GaqWd)-k zn_lw8=TdfD`W0e*X>E`a2#9U+KtP;9M3gNg%lml_0;p=jqfLkxh{2i8Pn^d-XFFx+ zSeW?mVozt#XwP>hW^CL1ikPHI7=vaDFO;1#qh47Gh4;C$+;WX%{NL~oDaI}`xdqv0 z)(BxCTbmCeCO(PN2XHk6n}f(lW5Iro*4GYe{H+ige|XSp&9=5My830uz-kf1JpwnB z)=$D?UV466bwUrNoOoQW@LrnGP8Yw6g=7rhOn;1XL6~fvJ&koI@m8F{jbbd6G+4`5 zvx`$KQTmD=3BzzFAi+~utoEsCWDQ`B$d7(}ZWWnthxKgKGxG~<$7}Jb z#ha4`^e(n|WGK|$Y6DU=EnIh7XQ*ZkbbW;VcC+WN*6-;eCU8>x>>Kc6 zpIaL|i4qSm;yG-g)V50JiPy0%{f#lrwVHXoyI_&sTsRKyzEhp-S z2J}IDm+Q<1XgMbYqtF&HdJr)vZJSx{AC7&bUQ2V(&@$3Fa5izc(ZIk z&hqmLOg(ioYbLNP9bbI)@~T{`T>b@8Y#QpzQl*4}p1WTjRKf=h%aSE*euym24X~3G z9UU?}&aamvpufDh9Q8wB_y+aGpBg-r)6O{Kl{~3#pKnGQsx81d! z)l412d#?4dOA08OYkI#Hc1c(LobR}Kk={Xh9q}=jYD*iDds)OG+d1FceP5hrYp%qo zP9wm5uaMzx-MPn1JajGPw5&XoF{qfN@wVCd+y9~a`%f2oK6u1zS!RjQ#9*x%CwalJ zuVX<{An(!rZl_ zId2LrmQE?K<+)32o}!W9Sp@6-cqM}`OX6wgE7i4-di<=J&#Tz=8O*wp7E9zfbH818 z4Jd7_e4OuUYxhgfi4R7Mdv9KurN`0op?zNV9`FXI+uf(761H$ZFXmij^E97ZDQ9Xu zqP>X7V+K60;kl%)kkOJb!BBGVwP3OU4}RRMqt*fTSs1Xjo11b4;SQavt&q<-jIg+P z7;>`0qdw2EnJne%@^y8uC$<72=R09~nJltV{k|5f{i{(+Xqx2kYP0ZRqChdPl&DPg zv{nvVwi!eUb(NOaLy}2y85*C+<+@U;>iNaAWt09^?oU(+MuGx^f45Spkt(+F^XRm* zcYL!dw4K*Ym8$b=Y+b*%c~CrF&;Pz_i6UspZG-~tv&hajR9uXZX}w@-4}-hv9M>bh zJoEVx)>cXOq3i*<3_=Y4q3pqsrZ3;jl42caN%QB*SVyx2KE2p~e@4NfMKi?STdhRh zZ%<)ey?XO|?4sy%rhQmp2`BGJ)4I-#2%Z$3+nvb-eP_r3Mvx6+n=s1ka)$|l$`72WQeTIKiswzq17fwWS~O7y z9XIEoD7+GoLYBhW%FUj@*|A5oocNZdI9z49$bDFs;M9#N)LYausJ@a%ab5R~@#Q`u zmG^=RIC+WNt@t#}4;v7M0G6X0pA(8&rn25AjTiGPBG@9X36ZlB8E;YTQh6m@$F*Z? zRC{1nNz_Cx?`8Dts65CR8{P>#9O^eMAB^mCy25oP*aBs~dIVP&X_GitL*9jLlIEix1|x}8y-e7tJw^;j#U zi5;&h<0D0$P#!Q>Y-|q(C^R^cB2pBV8m3u4$y)dT`1Q(uZx@1GkK3hJ(l2qdbN6PBK79F zv>Ln5#mmFXB!{zLwxU_Vq5sWNt%3H2^t^b!*4d7{dD>_w)Jlc`()$ zFQU$s8C-lhjxfxU6NxwGt6ppH(_)t5Y!LbV|5$tLsH*n0?H`d&DQOG@79c4pA&8)W zbc%F{ln6+Jlz<|kun1`cq)SN&0qK-Z=}4qF zxMIvzhsHy!t)vnOu2dqsJFivLv=VR)XG51oj#v^#SPNYJ4BgxP8_D%Ko>=cGLL&askV7_eIeQkl6Tf`dBZACxl;cO z4el6{g_8r8&FOH0r1>{D&$PvWwrQ*(GG#SMAbRTFXwL1;_XVjUjBFma6*46VMdcAH z9NX2i0DLZ^z+U9JpW!$mM{j3tqz!(TCyk4?)fx`8XTRylZ&Jsfl_g{UYcqx2{87a0 zij^uZGkwmF@07ZY7-)&KVhh3+vN5)`)xAT2ToerJ*>H(*cydQy|3T7b$Sf6g28S0a zSb>HaROe%EZ7Ylrq4G#B^v2@oMSJ3DE)>-SCUZLKwSpDRZ4!|g-|PkDlk$m2c|S-R zl=Ve1qhVrj+;8YiNqHQ3I^0!r)a`GieXFm(C8+V%7>x1{SkI}txPQP|KhILWWmQz3mN_aBvV+ZO# zU)v0%`)F(+;<(UeYarrxnZM36FQon<$?vzf=nRiTr(ahv*qjY@=WSHtbd)%NEngFz zTP9ZpUBA4HS9SM+_viC8ipNtLV#K|_u#D>?wGrL+!UJ+xr))h4CM)BL%Q|S$iIOXn zQ1Tk=6LxubZ(lCDg1?n|Rk+0QBso^mr)f7xI+P3HN-*kM^}hW1_3XtHIY$t8h~*a_ z-bUB!YIsgKa$j(rbWo1_mzC4szv&l$d&cL{6@|%iaPWz1eukyU`H&CHTe!w+kE}Qu zdsA*qE0cS2he?~8o|u%vmM;8ExXSDqv5pD<8$IPf$O+#`M$(`dJ-(&+EmKEfh;47Y z@8o8saTouV8gRL27Sn~VjK%u4x|kAs4|EXol!Ppw1p2F-EZOcwmOPKD#5+TSGiG>A z)tuZ(gR37njAU-K@NXD}9~7?6C&xk1u?k9}#~rW4JYzqsE6a3H`m%+U1~JyLnz(AB z_<_Pmh7vHYP-fqnxe~49q@^8cai0A2TY5y|8ZSDEU|89o0aM)_Cx}}fb5o@J(ihLo z+E{evN?|YLC0boWE6kR$$V2=jJ&h?H;1@5xWIW1zOEtZ^N&zpqA%!KJR-|jK~~035pudhqlZJ0`t&HdHbLohCmI5Jhtyi$K-x*aX)j9Bny?;^T74) zPoD00|4OB0Y*(44EN+voztM(y_}aPSS}B?!n?r(7riJPVhZ`xIX5jLr62Ge8N0#Aj zzvD6fnD00=fA=|a_$xJKUAh?`xSo2PDY9SKoc$sD!=Uah$(>kv7qY z67WC0)M`z0MlpifszV{_9olJ7y|*apX^Q-DLY)4~==uGc49kG0W}OHu6IW+^*VKET z=;Dc?34M|AE}dIYl#OFXtP`Kx!{~(mI7jy@f4`Fd)pxQ*u{a)l^G|BX^#4TK369sz zTQYnc1&G{~kG-QpqWb{tnW;`j8DBAK`Z9Ix3JZ@F0%sHm;#Mz_pTcu_RL;_47MN5R zw+#3iogMdjH>&_*A-r69Q?rWZW%<@R!!_UuDU=-R=}%De7_OOngJ>$Tn1}{jnt~_# z+u}xwDoqJ?q8+>C#JWePb8^O)$ajpY;$>8CS|ToN3O;cM_77vADynm>YB|{|7bQ<; z_3b?rnRy`mIj>LMf_s0P3R^+tW}U(UO$a|^&Bj=-?M3TQ%x7$qpl!n(R3=4yJxij6 z$yzEJQT5D3+q5b-X$#-IJUJgTpI~>*Z#m!8RPwS`Am9qn*>V#!IXF9;hN z^0-t&A8mWysw1H9W(iicFWWj6iJ36X3u0RSTf|J_qd9azC&oGt0|PZSHJvzDzd?%l(AQH3pzXBI_GV{#>oSX=Ey7R*^=Jf0>A+`fC9pj+kB z8&HA7RB4+?ShU>vuB5bg`!GReE})--L-e}6oiP&G+O?gQ(WJ*h`who>wAXV zcg(;3Ct=RNQPZX_k)aaO2weoqGhrIx!n;!g)oqWU+bwy{mYK`kwI}nHy=I{W&rLfb zahO;ozaM})goOpau=6lrY1!zMm1PEIRS1B3*yEdCS)~>1IiF78y;gG1~}C2i|1Qh*+H@l9N9@qiaaWa4_t)5VsJ$%GdPfP$x2%0@%B68Bm5M6oLTtxGUd#Qgd!Iy9oU+$WpehOj&XtHS&|U@ji@j$X|90(X$h++R0FBV$9>61Q^@;X7Sm+a)ew%5i{>s z##Dzzx}RRO+mmc9R!_Y=k|1r#j$1Z_-J~e3M8V|@C+_~nyW6t&+IuYtMrbo9S{BM9H<`)7Gaa}>QI}|;_ z7o$HJ+rF0jLcK_Hm8!lUt)VesY-w=+MeP@tBXsDZ$UQE(n~SFp6!)wsWi6P32$?aO z#c9e${TW+&!L}vFvAGMPkgx48t9n3u^sPyY<6@YsF&4(AH$d^bg>rm;pXS0>W4y`> z8~QAS0zkN)#FI4NpZ-|CyiGn$?z!yXMvA0aYZ&T%<{Yy$ z{>BewT>ZsSNdTgKWk+V zg2x_~n1UeHSa{TU<|v_oSwiC-B1B(@$- zUzvIQ!XGO`ie+{a+6^{5HOJ%hcMw3~rC!I#tjSbN?;BwYAD&78utW=xij*6&9s^O% zrlC{tC^}0jq@H8+&O+pFD$=&b(I*FHtikJSxQ0+Y0=k*koG(5V-d%ic!JBv&gK737 z9HF83pz6^;xKaUKTOq-RL0r1as(;wJ<_1WO5gBC6Z9%xa2H6o5O)}pz$dyoj;lBJd zloXL@k_^*Vy#Y7DxlH9^Ams1qr{0*$UB{@r4|4QdOM-q00wVrzwadf@;CAf)P!WA2 zvY*uertY;M_tJ6+cBHWphbfSsG~tdigsZY+hImBB6qJv5sMYVd$8}_d^#=?Ch9vqU z4Qh7$eLHKyXhW`K?3DH6YZG=AN#g)CdFf(w-?k)BV;DFkE6;4KQzxfw+od_^I#!9O zBkI98o}`6!E%Rm{qnSC7D(`Aaw}R}8KVyx^Vle))YJWMl(;X{K3>6dg1qP~VhWk0% z?|5X9vW9?3uPEAV zJd*s(7&R>UfS(pSa07u~glp>RV16 zx+`NIlGj&?nzx-}JBBcyoJWIt)Pm(>*zJe*dMYvfp3e*(Ou9pi73EYB9Q`@V zDL#e>2?Io=owVueCvjr4!h|%+s{ItGpPTMmArA?Me<0D#A;-#f5N6|YKAHLs#;3*6 zmQvkT8X4*;5>Hh>aK5@6Ay8P{S<(w- z?A)vEu0U$T>>kNuTQS;R!iyJMi%pAcka0_vGq3)2fWMiA>8Bpp(-U3C=9R+4KIaBg zvc$=_PO~s-%LRX;3r`QyqI#)c1#y4-+%J~SW5k_+cd+yMB^!}0_s4Hb}E;i_Q z2^)5H(|IlO^{}XROz#$#e-Lh#?*0wwkfve!ujC%F`iUrpNB?N7C*Qr)bo75d##3TIUXj39zRVZ6-X^vq~Qr^BE`{Y8t<#KNH;8JZMj zcL3HM+~0X4ROXGnMWmPOMDxbd)^lS{^v!nW7w&wc@+uM!0UN0d*htNu0LPp0r@Eo# z)OvDC55;t~0;K$oAqTBf$Qe3X0oNu@QBmEIwUA4LKla$JY2ty) zz;74Nc%e>c;B!s5v(vTv!!cs`guw?ffRAeHro;v`HE?PIT#aEi9i! zx-0!WAC&YNNtdgx@|zujgQf_fWj0Zh*VkZ}6>-6HLU^T{W%1;P z!1v1ov&!{B1}{=4zIUWluP!%cnXj*U#&w=9^7!Dp{ETf@P83lq00991b-Wt@?N{~! zH)vup{;jXe5Xk)QZOz2kbbE$lmor0A)e@Z`oP1&&ak0dV*9Tv4Ucoqfc|s6iUrbm%?1{enl*x&? zxP{I}gcc}#3(ul3caFn zh`VOlLv;H1!fn|N%nc2?@Q#QZ59Qe1FOiDVfuDA)oqOWNOZ7{KX~9hDMqb;2*5G4{ zs?ft!ufpmz1yhhhOIB41WSwSbC3|orJXsqpu?E5A*y9}K)PrYr#`HI(`?@Qf%8H03 z16Y5=g52sLawNM_p|sZIa}Y^DDbt(8yHt4fsCf{9I!`&(>^kay2kRlW9(7@V1+%cr zZnFgCW!1f=@cO++A3*1+B_HxGd*VDz-~va#@!Pl%*@uL2V+4f=zf@TXEyiNjI)a=d zeR$XGSa_QnT$`s1e!+HIM^&3Uu+3F)n(^IYMKQzln)(*6#hfQ;FN37}j2|wh?9J)2 zQU@3##rmJ|Me7rDo1dx&n%u&b^|=2N> z#r~FwLi3c@b}tBGJ?yr?NOD~(>)zRj3pb|Pqf}DA z{4~@|YL4fWjqW{g!|V^>eyYnEF{>!=DOA{y@r@hMUN017vd?fHQ zLn*)+OWb%Y`L>gRVzgtp-pZk~p0fORg+tHe9}i+%+OQLt?wEbg@Z2(p^}aDuH_J)k zfGjke@D0n6^cS{5R-CPbaJ$g3X;v2IE^2}#>cJ*Y%Y;9wtc)#KRjc)dab=}*5I!Z$ zkAY8VI|c%Tb>lVBj^AKKx;!9$FcXkwBe_@v>?&+IDwjD$?y4pd?IBT0k&H%6$h2?9QC+aCkUxiJ{sNZ6I94>yh>R)e*}C=0GIc%lZ4Dvb$~>4 z&Ag$oqTDaui7&!elhp&NVkZvl>e>m+W+AH?Go#*R{XJBVD4I>afayjHgR-_o$_08%+WJ?;mo{_+v{=3x3^`x9U&Jc zu;ZorQjm1;j~|%5_pBs7KI7oveG7HjOo5Kl9@y}d8(uZVB)N>YlU!d$6r~h$7klFF z$AtY*o3>rU;Q8czhbQ_s8LnRi_C3iXhNW~h%uL7cj5yAwb~y9*6&&!<9(ET;^d%#F z_83jVHLeC2-gD(%m8e$Qb1zv^aCsxHq9R52v3^E`y6C#2LHrLfoTdH%9Abs9^{2m% z#jLiEam4-Q_J***d!ir8h2i!y^B!Msp3KZvz!$K?@kv`9w zHsU2MB%^LKZ3lOQ;kAFw*Dk6>g&;NwGZFqXM(&m}tiCADI5 z%aZye&$*RrOeoHcc#2fNeVF%N9&P^xH5@5B;c_9uSNh2PSFGV<}|P+m*id0C{aq`+{5Wc8Srar&9>PavF$I zfdb`-!_I|wNYo`5(FrD%stR>ByM1oIiV6N?7gJs#BxFTdUmt^jPyLWsAKCK8a#ill zN8G?sI6=+B>Lv6pDf9J1y9VWB-lb3q{b18!Ku63)ijHKwr#h0AY~hAIlbCR$lsujk zEu|dyUNvzMd9V2H-HhePn{+#{3k@ck$armaX_5LGkBeK(lwi2X9Nyw?$P-X&p-@ZX zn9Lmt>{~ic6LvvEPe=l|PCk#OWTX;*J_7kn@FSI{vFlj6yK8`_bV1XJI%dqv_8~q^ z>LK8Z-sKf(Y-4$}@0`;Xb~o;mBJ%^9yh~Gi3PGiHCxE$_(e$|UOxPbfe~kti+)Qx5 zgH}P#OLyR{{Q;I7uNsq!*Y~J70s~MI@C@s>>j=$9;@{b%J1~%=Yi^0gjCfyOpUzYx ze2B$#yLdRtERLt(#pg|W$Eon`Q4rY36;+ioI;S$^ufJ1CVR9Q1{CO0<_3@=>FqgxW z#o80`-xvJUPm|e%yL_|MXey4dK2;b%>Rx!oJ)@7M4w-tE!ZyQQR*e8)!n7Y%HYX-d zbnIY%&Gk9{c2B`&ie1bn+ge9EzLLNhOO|! zFBd(DLsFo*G!U{)nQ@dze&XfL@n_-cm+pjlkfGH;xQDUg?Sr>vjNZZE5c3N{J zZN{UaOwn1&U0z18X48OZ?OIH@2>|vXL4;&vF58b z!>haaM<`0Bx0DKe+(TESFUU=|cv@h2lY6hjZz2hmn_(pEZK_cjl^?C?Rl~7yW8$4D z{)=wOM-)UOwpJ{o`V}U!IjOu4ZrJG8dtP=86I@rk{ukXc3^bDx4K(iG(t zjBEbW1!U=f^4l`MlOg5aJAU%dVhqd?JJTMlXu3?tjoNMM?gH zZaK{vx`~(vK<}JzmrP-!Jh3)a^2&NVj#{q;>fTvq0WqfOZs@>O ze*G-+AzrFFINyHy{6`x-n=Y>L$S$nsEutiT4r&n0OA=M}33V--3|?J6%lo#$b(qb~ z(kp>{rh4AfrH=nx@b!ftTs14&-$t03`t`U@;scm6({&m6or2ap7hOy&p#+}YZ zu}zz$tx6cxHYai(c3A3*pXs{C>+09|iOkI)PSok$xFS7zbZT)c;hBEk*e9`zH;(9A z1kl06B*v=y(Awkyp&skg=BN#phS4OMVNtPAF)^MR4pAMiO>KwYn9v z7nVp5hzXK~x9?*web=3D_;zmonz&ERRwJP@Rb5$Vl z_|sTNS#b_U^3vKgo|1UPzZVPt*G~l#eYM{XUN2pwsLgYbV{Si8(a!F8X!g7MSY-X^ANn?LRt^oesWJjNV1^NYH@iC$AYPYc%M z_k;UysrD~-@==%GOd4QHu#0yp2sI7q_?}JmLt_YpL%Q}=Fip340BP&;T0xtVrQ6ck z`URBV(EA;nMIu(E??apzzuWb7MD;iqn41~(B*(s8A8V9g(<2+Qij4?ZW zZG)9G-0hRXC68tOEGCUCp%4yPXY5#f?(w+hi3bCF+3DI%A^Ap}R+hYVw-&=fZZp+V zIGR_Ht@&p7nnK!e%s=3$Sq^G`reUI~vd*{A4 zbH65Qt6X)hRqr;}>&v29T%F3XE{S_z&x%kfmim8+6&;V~akVo>H+T)yO$#hPROD9g zwi}T<|Jth*)0~^;z11$GW!HzkloJ;)MYvZ~?%c5tN&ccU!&-@TNR+*mlpI?KgUR``o;x0|kAUm8B=5Dc*__=xI zTDESX=u%Ho!YETa8@Ei(FwQuk5o^fV@#Td3M{_&B%Beq2?ecLB>wkwH)#)fj$bV03 zx#@fN*+lVijcljd{xhPMBXU!+_UePFsC&A#5bDW{i#vg5Loo>qB1?Jd8u^T zZld|bTJcF3-gF15PcE@!(K`J_+p5*m50O95dxl%b8g(5yi$0~`9NKhuSZ&K*WRQj{7Q-ZPh;G2pG(<&)&AxBX$Rls&>Lzx ze*@Bi;ShuOB_OG(#xm8hm|(uCZ?Hw_1ocQ0EdT7v#~vtfnk?7a2)j@hu&aN1>g^0( z8JucW>U5i`3#k^~D$|0Km-vNgwC;^#Z6(Qz2rZtLeyIxW?r=F*}57 z$eycKEXFM!c*oB*ARaZ^PLr%vY~xu-F09;`_fk7Ibn?Yl9cn;fa<>2qvnW;RFBE3% z%^5qq>K^LLsCm#^-kmhLksB_u(H6kB0p1ys@f@mzw;|gtY|&iT8qD5kD@XRZ2X_AK z?#XlL(oDxkZ0>_~h~J1(C+c$X%VV%+(7Sz6nBXqBT2NZzFuuT|r~_L-S~Q(5uM5S9 z!aBk3mH=jNAV900#Ais;b=d&nBA!EHSm8h@>lf=K#-*;70E=9Oxa@o^g)*Uf4_rf@ z^dkas%{zW0n08N4>AM8TMWUtGRTWv})zVB+KYrI9hs>=pMCJRZkZJo;>G1uxMK|7( zCV_2a>POujw^`p-Znxq) zt49yVrNeAuC4f{?6;$@SG0YR@r}ag(+u5)&YwyfyobkQU__+-SN39Y!rD+@B-^!_R zzU5hJ+JTYOlzOGq7(b!F2+R$Le8aVKuf6zg#NO!Tfr*ijuP)WL)1t{-Xu++XnO}iB z0V?0Q!Yd34Yeq^B*ZBLB%_d8*H(96r;yGw=3oGXcppaYB3}XNG+rIW^%(%yDfth^{ zaMxBq?o1r|(5tt{yhX6~Y%!u_e`$ISH&AH3S?a6TZg(!k-za$I^J$5;dL3g>e%mJb zyrs0su(}@Wut`o=0z^?9TjPVE)7Mv2i|P4HZyDn~+rAo>ngsBR!WD?7GId11un$wY z$HslF#g=9WF;jkLv-tfcc^opVRezp{3zY)gzVeH_H0 zw>35jk!W=bFFRM4ewC&_Y0)erZVq<0kG!z z+}^Rtiok8O#y5{%v_&|~UlyGrA_IsLgtS+5!=HwDey$V&9ece9>8irCzE*iNue5k5 z&h0Qdi?=ncpee|qz4jpcCHF_v;DyBxQP?vEjSo<~zJagb>Q@^x`EDN~dqf~Rxx8-; z8yR)O2r|>9$T$r0r5IMNjPPm+%{~qdaeZ{<(mCO!L!v=WIxuHza(@BWoo4J7T5C;g@>dX9p`grocqAfb;Bb!R-H4 zMEv_NhU8Pv*Ys+>{|?5Z`^7JjwJZhdHz-SWXGx==CDj&D;Y3>V#tUv?QnRb@OeOJG z6?X$S&yYVh;UEx819rd|!iLQfaB~r4Q^cXNpq!Kl^f@>yaf%|^#1%0ekvhD6d~-EF z=7jgTuQ~(zBhunZl>nlv6=0j4H#SDl$4Br74}$XKytqm!V|C-4d%Tb8j}9$|bp3s8 zcsL3&qnvu;1v&2%6ZLXe&iLC_zWa-}*%0?&ie21hO<@9Jt;^QSCzgInnjG9V3eMsP zZJ^16Av{IsCz?;%LnWO*uxpNI!b%vYDNy@y+l-TG=Zv2F{sxQ7YepNG1yiCUmI*B0 z-t6Sbuv2q?`LjEmBW3%FY82iHJXQR*>6aovOG;Gp*qG!4l)-r*SQ^fF7c>rq0qNJf z#NoOnrm|bVnsiU$fXD{FjhZ)%B>Zj)9^svuaJ?E1P@F87t0rxJ?-`SB?hEBQ<+4QH!q}_N^{QQn>yEiy$diG&_Nh3 zoWa|PT%*x+1h@W`_@gaY3Xo8P%n{;|-63UcLYGs47J^QZieQo$gb3>oRG)XbYMyEQ z(JS%A%8l|ZcgQhF;#ku^omYoo8LUoI&{(Eg7}n(^YL$AD?cMW~=xgf$_4px2Rca8NbI5FI5N5ZtXc4z9GhF-QL&r9vD`Wgv_U*fRk@HTQ05pQ3L$R%qQ4_)^XIS(J-)L9`dFDmn4vYO zYm}qVR`8b*T;T;-i!&6naxsowe6864Zo0g4o#)>maQ^v6nz()+0q`A+5FMOLV+s%n zs2?U?y%?d(e77vH)UwX=7$z#l3|h?^1OfQzf9{3uKdQ>)7&>K!!4bk;e~91E9~XyWQ{<_9`lfZi5|kdMO1 zatJ8Qc^*H$rGdCO;aVVg)mWCryZ+~Ef|pozjs~WKjW-k)@d0QgCjsl}6-a=Jg)%0k zhWH4H#@L&5QUQE}P7bVGJqLIrvF@Y_U@h2>f#tdU`i$?{K}f30R0i2j^Yk;t&q0htEep3;F0wOw*03Q$(X@N?CP<(T1|DFCFelC2<*m_868A6o7lp$de z#%`=(Mj`i^75@-pnvLZb-SH)p9OE9_AN`yB@Avt4hX24}K2; zvy@D1;{l)W|6i~0HQr#4IlnANNb~>w?fm@>{>$%3onl!dw9?;`UGo3?*7#p{%AfyI z_OfcloyB4raulr}P%U$Tvd>z60u-AZK$h?e5%VCYSxh|`N%Efp+HF)pXw>*@86+vU zyxTU=2lLPotiZiv6Dt9CmIpVmm;=#2zv29NEV!fdwexk!CcOY-K6D-Cu-5)y2Ktw8 z@&EKqsc5q7=stA|y9Z7>e3*!<?Fx|p%3-6h8>{t-Bv94WPY<01Lp20bRF2gp}KjeSNbrmeAJW>J6#||9l<*u z?SJ~sNVEM5vb&H+pSDthkQO+ubGF?;5+lg;D3I;|qMg{jMIhVnFa8kRXk-T>Cu?{v zT~&BlceKJ8=mWE*JUz28LI2Zmd(TV$`#4TdLa)J1=DxLI96DzEp?eUNRt9(ay6y+y zjT)M6>&ITbr_QVwd}L*nD$Oz`J_MvUXtoAtvG zdni%ViQyu$-t{lB)N3f*gKTtlu$TmYgq7SNU_TeS2`pw1q9EuFGzIOaCKFo1YrrSr zzc=P^nCQAPDE}4uwL^0*>trNm2Qi{sgN`oEvEdle3tdM)e1|fa! z&Je7a1Ez}pTi7^quugOp(*GWn@aUsF@dZioq6agQ*Im})u5ZGr7qGtyO~dwINnt}^ zTOAUbu$`}EqCSLXCvSVcH4iwDIUtu4Lq9=Ibwt6j0tul0!l43~n~z`}@G2gFkvDxp z$!ip|5*h9^}c!7YC2>rQRNd~_ftU0W0W>n;H z!uH7@cRD!F209q+me@SilZl0{Joj3U2=kC9fvg2EOQ#XF5`x8o;M+}`o9A#Nh_}4d zv%6AmeEM>kpyPKZ&!=q2G0rYAYn6-H?G~QS1}~a`>L7A23_&I&`J3`YYPg(dumXP| z_*uaG-mQgU@TDhK$L=Vz7ngxEI8k$a0&xTy6$Cga-u#d#fG?s>0$#^S7`^NautDS& z*H^OBYig9Hz|+jk`{WJ3MF_B>ss|BE8n=4{5|BCwYo?kJ^D9%Cmt=xaG{l!wxb0#s z`0io~`bm`)eCTW@nr5RJo%7!BrUC-qy~20JOn)Yo{)dj%kK?jxb;x+fyYnwFT%3aY z>0InuJ|RZ-J1nv9Xi%S|5BpB{;bzSeh%V9O@soXd-r|_>s0%55m0H`h5-`M-M>pAf zpxwPki9+U3*|z9UK&Pb2Jc-Ucha!zHVZ2RqK{Yq39zIY8H_b7S>|74hcdY#YN$f9mf=BHfSBgX;L_l5o2`Vg48vy()Hai2 z+ohF)iYayHRqaQ51_gEqKXhfHq6k4O+pcN3hwo>>cqnJQt^tSs%DZFGj13_$S%u)! zaxit~0fiK+B?CmVPW?|n?Clm21rDn!Je=3%5NCgi3@X5fWYj>2{uSP+dJ3<`Nj!M$ z(0kb}*ai3w^{;ZkHcY@Y{@5Ooh1~gGtCAw=7kninU6cCE4_dc%-+Y*;4h^}LmtVn} zp8CnJp>Spjm>PK4Pa=M609c^lp{ z!BooC8TQh_E68?Q3pA(iw=I+1AJi|xOt_=v*YxjSMl-T!le0K34Nbbxe1yL`^@ira z#&5(2!It>=X5UAQjwpZEcOcFl`v$Ws(JiSbK=n7De++CGJnV?)YM4B?C|K`4=C&^z z()NpOh3Ag>d@np@>)Se?$|1MgO|M8bQX-!%<+NJZJ!+TVb@F#u0{uQwjYOOXgUJEb zrUrWD@)j^=HFW~U#v>_w$&!29u+7ej%N!O)*Qn+HL5=p`wO(p2-e6(w@cWYgzNCvo z$i9tz$ch(pE&K=<2jRzE$X3=yo@xzI1eCMha@^S%E!VQ0V7Z)jGzCLNRsA|Lb+QWz z$Iv4`us-VbIUU&6_w)P+mp%hCbyJ!*JeQktm}P=VoEsO3KxpcX@JAod-gE}t-4S;Y zxdZQ(Un|9Zq-t+%Yt|3&y9d#^h%O+i5k8Uirm-^@CUBYDq{ig9?|ho_Sj|Cna6NR1 z$2$qPwuGFZEzASErhbygN{%5jbp{d!`VmIBL(mFXyvMmsv-=C?G0F@`1jmpHM$60j z)(9Ph56zpH`Og*B|NUzzazDEHzC}22)DJ4gt@Co=p3^IUGDY65_xlkXt9g>gYuCyE z=L_0y&N3L#ETeC5^SShc!aE{h&%UJjyfsMt!xWQu1<`;Zg(IC`wfNTY2q+;FJ9BOY z!BaH{&Uc-Hs-<{qn2qA2$2t1Ky;e>Dp+MFd|2$B7klnNY<8w)4#aNkKYl6D%C_xAb9f=HY*6B`9pI#q zpng+duJX|L8;M0^Tsh=H+=vW{B35Mv`YLUZtma1jwD&nqpy0NYq9gkSSafZ*b$5_h z$tVTrPWqTE>7n?-C^a$@EIT3V#40iWiMD#PU&?7!+M8xXfv zUWeuN&F#1wcjl?w9yW-7WkUpZC_1JTxo`&BklR?|bs1Elv$2LAR&7xfQ(3^D7PaHM z8|yD6SV&yF*PIAK!4cx&k!Jl*^yWh~Jwp4c0})&2oq=GKlOBGZ7|P283c{S#`!Yy@$=+0*HwmuSgPI|Mf4 zpK$nM#ilm>FNP-@{eL1nd$7rT{a4_%tT&xP6RS*Pu?Z)Iaw4OYfuoMq@keixQ`P65 z&=_E1Ytwui#gyGPaQ&(UUPoOMossw}LHlcC9|9~nj?F=uOX-pmbol`QX)Y&(*99G4 za|FS3HZTnGpahFYVFzBw_zvOm#d%yV-=EICV0%B(7Yr%}YW-fhmPE?D_3Sxdy=o$^ z9P0qbL@w3bu+?iI8Px%VK*a~Q-n5x%Kmo6L5;C7(!z5|&bOuB*$C@S&wl}$0UBHFV z?2D>9rO{Gp#V-s320GwjOpCf7|3g)~4wCScicN3R+(6t&ZYiKl|M^ANH^@Zz$y)qV z2x83=BFEyHywGv75T%lMeAWmR_twZ|Ww5=foC7PB!3$VI*j;J1HiRu)p(e=bz}qu1 z(w{7oLq30{h2Vk@I)HBu^xT9s)(7aiG}X-s;`<&G^}-h)odmf?RJx8$YLt8$d#CTT zHd2%l4?F8~&t``K+@S@L0z&|qA42?gHD_51L`@R~rW=TbM(b~RMu6d#bO}#&E5>om zA~px)knP_R8$q|DeZYntR9%JgX1+n>W<2T7S2`N>;k~!KNoY}AL<6e14fqBY%7oWD zo>l=1KO4l3`KkQ7-Jz~Kp!0Qn?+QKu`~-{^^Uw;&-K?1m;)ZjLcM?i7|0?b};r@i@ z5e{h%yx)9Xudv5`KsefRI#;iTs)l&2j zcZnFVgdK(WbK?&RX(fkBd*miwica%h?J5~{VmYbvJNyc7Q?FR9&Wia@^%MU%2=i#p z*qN)j^mVAc0cO3qzzP5`)mZ-%fXTi2F94YSfZ1k^v03R4aiT4tw6Y{kvSE?U5-*kC z+(_vQ=~1p>ACR=R$O#pCg^vI*$)x`afT>5zo=){j9RQeK(E1Eet}3P1UKROy@?FJe z=ba+`A)Nj|maNuz7lA!j+HWuC>Gu4p9%riP;*4Q>2VfJl{}lwY7AJ10nF;2ro_|p= zg&sTndkUtI+<#Fp_uR-Pl3{@(m`;qR5t|c@x;8GtUEWps5)|Z5R<48cem-*93#tMa zr;Z3u;V6QUARSt}`Z+XpGu^h1zJshBz3&yORsGw?<_YsF^@7tPua=HuG`R~^-taeD zrSPbR*q7(y&gXtLTu-}rAT;5iwmjaZb)K5Q=CdpaFY@86zlfF`dA{3wWBR`2Mqb-qOLUv`WAMpjUBbb`W76%89V_S|7uvGYi# zju!BO^82BOpSml)R57g#;4mw{d3WM>7ME3!?TI%OFv|DF@h+iRr|}M-rgEn|?7gZ? z-}P&Trdg3*J$UEg*=5!3IG(osX>KEW{%1Q26x+~&J{wODJFiZi8MZ2Os3e9kkOmiT zv0TmQHD=(mYvAkN=g4Jz9=mFp&+MhX23K;hkeA~|d)=00 z>e&}vUA6sOjNT1X?~U$~m~n$Kr&#Yt8YjYPujK!ysZKrvmbDFb95E_NoGMad%yhl${=OQoRI<6DQLjKh27CPo##ulE3Ppb9msKO>`OxFbw3Zf6oZ zm=26ltC7|W08;_irF5U+A7IKUo5j$k!oIE0v!vKoSo?Urmqtq}`u&q)%I4f3j?84c zm}Hr_5dt&b@@=HZcI61FA-ri%`H(+J`$43da^;|%D+i~>44h0_0Hw^Ucfu4;7{x4N zu)-3HQtaiEw5PS|;ExsYZ#Ub|2WYQ2>H z77OK*j`O~;+-polVOi?abTwiovDPWE=Zr3G^*<|-;Y>Z^zTJYrVP20Yc&F)4+qz%a z$`7=^miZowH@VH8Qrw=30}yF_Ka_tjasbF4ewnH7;^s*^<^5UaaQtxC-To+Lq5L?EzLcCyXlHA6W zb!r zRnTNf`DttxCo18xG)V{Gu%oszsM4?I)aGCX33}XKlq2xz09yr#irVbBgUSsCoLX4sAGi*fI>-!fcq= zwX0pk8i3u4EYhl|$?7gG(OR?^I9)q0 zu)BQ10j3BO4Kv(~>-PqtU1&o(r<=g7yQBLOw4)`8{Ay)N?5%{Yzv=fYuUT49!KOHGyt;gJHAu0W=~ zZo|tNL@i zsNcmEyC!5z{LIq7N~h4@^{b&w!yTjWgiJm9QM=}vNlVJB%bPCA8BXg%Y`UEtPk0x` zK_@i`){K1Kh{j2go&$xY2!ez|L&5wH=^K9k9aHk(4er0002eC&OVKPIVJS|~iT#G* zee@xmJu=;2#D*V~I=+h1rpI{J{|3*FXeLAO=flO>E@=8}{)46n?Osu@VJw>-`&G0d zy`y=lY4}~bXF$hB)oSzZzZ;sOziHL?v^KAx!mB`&QK85cZ!c#3@*9X_1=(ju!&XN1xFweWt-YNtl7NDZ^&n#=`v zfcP=z-AXnK7iF!)EvQ*m%8F)|S)8lmb5ZE4{$dHczeQeY`g&mz34EGGTwuO)G4yFJ@oRn>jVP>N(`fdH zabs3?&pGFH@6Nxf27gzBawAVm)B`Fw=5>d1RGt?MOw8w(BJ=0 z7C->^vLxTBe4kviGM(MIxIVdVWrk!W$@z?Y&e+EYP+PK0E$}n-uOihxIb7v8OWuu@ z$$1aw?dM*{lhB7K78$YXz(>qj1xSFSrwQDZ+$@>%zokexDuw9zB96gcf z`sd2m5f6C+l|{$D^sv91v^ksQ$XHx8FHYSjrZv;&QHc z5|@4MKPrngPtjjL29hib!w%Ow#o7Lln(!Y(VPC0H?B~Oj?9ufJ!Ca%W=M6En@7oCi zO{|r>Z1l}kjL+$AiUOzJnA(eFq~F$qUP|WsjNbynPn?@AIVrGtwuy_U^*s z`U2A5_Y<@#t0A;jig3b*%~sB^O!4dtUOrPGzG}`hT-c$U#*R6fM$`Kx=KDaFr$o&~ zB`ER-0ijO0(Ti6@T0bCPCCmASb4}L{%Pt<0@ui2EoNUTC z3mf|&&wmn$(1dayef=$})97jPQd_??puxRroGG{RF4?#Ft;_xY3^p{jv~im$mX*AA zOxII#t#p!6&qF%WU4b?Tm(H{G(T`4;A6y&lyPj+KUv$HU@YT8}**l zk!de+5-J?qf%Y6L*=(&cdX^!7HoEhC!7T_oYI@4k4UP^Yi369>O~H<038putOWDyH zGRaSPhY|Y-qW)lgD$|rY(_3H;X07>fD>sCWK zLosRw8pM3LwhZSydDaBvmmTj0jYznu=4Cvbr_AywaNB$~YjSo-!< z^Dr<=l;CLvv41Utm$e?_mNqu2kKUo=d#mv{u_xUdHXZ>Ot=E{B@R9WIiW?oLe*Q3& zTS4=T@ay`_&|6>`nig;9g8cBV=3{*@gHZIa`EC*|QI{je9+%>k-o=_}H^76ply2ul zVb8zf8u}S?4n?(S_)8x0jQ+S#0y<;}6pc5P7lYFJzCV600PeWnFfesVnhn*_bQE|MsN zZ|I3~cx&=3Dq{^l^A4(?#{GL{ELvr@OTQw*!_tba$eVcCV?={(1%@Sn0wlQ8oDrpb zT^H2eD~g_a#t;oXVKMmmix~=NqlH8px}AlF|r0u17%&D z@+l7+wp{S5DObXbT-gn36352B69(t6k&D2LFe#?-B3BQMJl$YJn;eJtb?g}4|Btfs zj>o$1`+v#K$cRHmLpV@o*+hzr?4qngNQESOW{b=mlCmWuTiKhe?7jEQ9+CZff3NGh z$93J;egDoLkN(MdKF$-z_xt(0$LsZcoiJ8jcCSf2IrVypN(qNE8>Vqz5Cppa?pUe@ zS6|HgQW-Z^0uqel_R>?2D%E!rI_aHm+q0ACftw3@L8KeKYaK%5+bnyMC6WfqK|T@cppUX%l>C>@y2Hfa%GQx7_ZfMo z35D<*92C@B^#OEKI(4O0g6~BA7SZBMny>pXPH=BzA6utReQ5eIM&O7&6VGg1jHRJ$u`e+^;M4t+5 zfH%3vX41}KT2AY{$yFU(1t0qG?a!N?vKZDGF2KjveE)^^QcrFx*ECaP#D8pQ{@S$s zK0c0(!Mqw7UJb$ptX<5mAv^tjfI`Lk2CQ}%lcshz=Z54SwI%VsRwS8O&(tju!54xF zb4VkDF`rH?S@G3}UkQ`KD8MzO?#tx(WPJC#juYt7u^I1;CTG?mha37N`>?wLmeo9+ zsb0;I{Pn3c@~%%mK|QCGd)bhJ&5{C#hvcpNJ-Oz)-|i5s-jo?PP62f>D@sKEyL2iV zorMVQ*rivNbX)U9N!is;#9V_7-tP}yy7d!h>qmL_L11|gsy0#G!t~xWK;_GPRkYLXz|h z#VysLB@e4|BaJ}vV^E^OwlnBuc_``)<_XDE(9LQ1Mr@jHKY+M4^rwb|>F~M}uy|I= zABIVx$mrFzqYn~>^!y)5Ha?n9D%hmY=12I;=@hNiPHn!$lkU*LGd*el&a?9n@l@+7 zS3M!otNDEQ<1BTs#eNmR`K4dgtotG6TjZ-Z-?PzG^&4i{wX-enW?VVFYZN8E>ZST- zH}m4vQh`U}r*g(ldl?kI%c=~KF5gG(Z0<@x?3P+pO#(GaYH)`&E18sb&;)af-1DMg zsmE?LXnD?x70^`)@gtNSk^p}*ld^W`w~; zr1gQmc7$3qYsT)gCXpdK{-h`itYhYM$@#kfsU7>j77~&S?!_~MM7kU;k4#>qj<1@| z!?bqw7Cp;FHoi;k@YBEMJbojyo1aWKp!5lWL>xy*#Y#y%eRDORaPlp-^wUY=fJ>e5 zSv$~FwYKEfI;3ZJo!w-Re~4iH8qs6lGqpc(u>r?Z$%-wvy}J_X&{%rM~tVkbl@w-;D3i z2aUw%)P&1VKgIt58${+g0W+-^x~TJJ-!-Yx;zYX~p@!%tH_fzbh6P!rA5d(8c5z0g z0Zx;3Cx_o;kOc6QpOrbuWbnGpJ{Oir$7Ncc#}Q-IpgK2aSc|%+$gG39fWRIy6H?|> zqITHZXurMXqs|9lH-^o{J}wVJC)o!af*E5Mcj0OVC%1jZZl}J3rf@jDk z){1g}DO_qs=dKz;y&D+O_l6O$+O!{Uf7rl$Rk`AxD}MByC}0G0SpbMN*AZPId#Nv? z=TKt6$t91pAQfP%#6OW=NgpqMzsaKP%4r8)?r&Xm7GZ1G9?>5stPWXS8W?ji9x{I; z0;{#vdvK*j2~1MeOQN$S#dssJ+tqHorP)Rs%a zN*L-V^u?7WDOY)HvyufhJStRr#DyK zEoZ1`cr}mhITH?7Hc(Zf1?RxYzwB(U< zY^nxfgn6jEQ|FXtsmW7k*6`&Y1GWy_GlaA?r>ZGr8REwSYY7AN#_uKG`*NR^LrCev zwMHUoca04@O03X@z@KrY4@g4s?a=CuG#fp6uod)9Q0;}xDn|dTUcy+xROfmRP+|E1 zyJ>^n)`q*AQ$|<|IiJQfbN0%0S=+*hDmQVl8|HKn3^ab&8uVk1K}J8{fVU~-6T#Je zrcZqY=t=4E|IXi=4z2t0nllMjPzsGnpTotUw8xE)Fz>#ir>~Mg!X|97M&T2xw z#^#`;BZJ~p4{yu4u~}xYvP54UYUcSf>0P=%?z3ZfMU9IrioUo!l%_>L9Ki9e0g2TB z;A{;|Fi$b#3WZS5h;~R!k!rKI$VJIYI?k<~bR8gsj5?VfY{oRmJ+@WopL%?~e4W8by-SQxz`d{-6$cXy(527W6$eK~4Jya3*xxbFg)0GQWg&AX98osg#SpdVSjUy!7#*7FgV%FQk5;kAZm`otq|nVPHZp#(vVT^f^)81&QzFrNj!MM5BggPa!??oP={BWB6Vv zA{gtUVKzWo;3ET#P+PM*9A7}-@eItA14aeIFW(e{@*CA zo#eUoB;HeeBhLi@GaW%2hze{!iFl;{3C|s?BP`0D3{LPhMjX92O$$>ukFF z57=GQ64Wv_rHMkcKNv!Y4|(Qm1ZxS)5rY?h)sia5(bP@hIlh#v4?{uQS@OBC_40a7 z%T$|>Kuh!_)OBvX`dW6nO7t~@g^LeYdG7RY;?;{572rrB^<{YZS_H1kJOiss;>8Uu zIEo@;6m?5$Uj+^8NapxTFEc`jo6>L-svlwqsY$Lh^M4K08gHp<0NO`{uEIs8QHu+< zjsddyZ0B{dX1}>d?L=5joyt!9zpnCsC)MoM!Li|w3`m2suTdL))|Zw`=Y3i$e2)Uy z=g3a_dm|y5QYuG{qpiVOjkjS=Djt#GlyK2km08285?6Cz>hVW&n&O?Z?Lp2^2edlg zrB789*tWEp$op19VN5o>fhPtFEV5u?6Fw5pAi5>}^bG#h5UAvZT7=hYkLyPx-Ig^n zj*kV%*?om>vWZaNwvyvGry=`6q3fcwusl1dQYzV5Ka#t*t`QO?IS9$03u$_qNp(B^ zwGjvPjf@b^F`u~I5TWlX-0?Nm zH}%#dO4@va3`AI9`xHI#^R0#9g);61y`j-(Dq~2xDYDEczQ@)i_^cak8Tbb3{Z>NS zXBYZR^II-9QN4?fo#;kfllQnFFgFngU2GWC+vm|dLGklxkBxlQ58BCx%d;khQ?os<)-whm8$J@$vP@T@Bsq)fUMBHyI5|d#1dsFU zEM-78;1nti(Iye$0{JW$GHZv4m{;L3=H}GQq#ofvU;fREeb(aCmhMiB|GJFdSQWLZ z@q48|YlJVWIO8^%$oug=n+NJvL?~XeaXp20>QC682dFnUp7PEDD6VAFn$z$;0gxKj_kTwt+bQm4OR-w%j+6lm01?P_STr;ZXer(z+E? zu`?`GHlR>vnKYR1hS&U-kUlMsb%*i#czFA}zj^!okx3t^)&p4^s9_Y5_&Kb6}4vhD!c$_HZ)UluN_T%AF5}Lq8 zf}i-GeI-_wE5>l!0SjkARZibxD8EJJsF%}C^Xv_20r6m0^NM80L4??|mKIk(g^2S7 z5-=!6S@<-yZXA$s@I1FK+~gizza*xRP(_trzS%0tqO=>&>9^;Xs1xV=}t+!E7XAFz-6>zV(1rt)6IE(J4sGb9RCBXeKomk(T_P_B;cSk26sdj{0(XD{L*cy|G;Q< zhuwH6$Iw?XR${~>+urPq6^iXwW@g5W#b$Tr9rcxnz zn<7@}#6C`QSuv9NO8(iJl$+P~c*GxbXA|_H#Z?XZPO)<|Zt;~6yElg)sJ|3#O|ElC z3{so}#H8FGt?UCP*=TLNs$9ARY8Ybx2$eterrbpcT10SWXD&AW@lK|n6gO}aPo!TN0eH6qny7U_3OW)D14%YB8X0{EkTBlNNy zZU<1sN4b2_YtJNj>b+(jx5FE0x<53u`XFy{A4F@*DITQBd(n*7;>=bAbIUY|&rwbN zi#h7Qw0!?|lyTv;qyzezBn5itk<-aazjl>T;oa#l>5uu!CwJ7(k)>f^H%9qs+M93f z36JIEt;E6+<;#P_jR=n%;FCI_iMGIAeJ7bDA0Ci7sRuNO+e`M$>XLCFC*?EkO~3UM z(6iGZvXJ-6vpFeED|Wj0A~p5Mfl}u7qGyJNx0t;iKpQVrEa9Dv2rk#m(i_2?>0=H9 z5#~vhF>+Jcx2?AhZOTI0T)HHBrU)MWS zisMn1cac_}`hv+YpVsO`WQ{T+xUxJOaM(FjdpAbx0pQ!$I~o`)eFu zQBVcAn5krN9fv?E6m5u&uQ%S?i!_PhO{*27-zo=U*Hb2G+9f=Xm>jS}(3xI5N6d%2 z$&Zyhf>H}F)8+T$F1*9%fQ@FFDMHQ|aXoFY>oGhLn@zp&7*}iyQNWiMt(%9WyJzaE zevXNRPOLx0akSI{M_D+taAzBtu~(iZ!?oG~CGpB*OV>k^@QrnIj5SA~TiK5H$%_F& zhjr5ep0M`zKNOE{waXtvi_9@yNLKv7Bfm^{fSLTvvQ$2B%i>`U>}KD}Wi> zNkuADaFy=^&eDW>7kn3{s1!Osc3d-VeeSX?HMMW!U+r|q!)pZAI=a-0@?(MN_C1=- zG8m>`G$jwTdAC3U>aTmh?S1fdZHw5x0cJP5HIR4;o~vXcFnt1^ufX5dr+7Z+&rzU? zxKze*#gXnl_c&(p~pu8KelM=w^_a)oSo?}tWGvu%Hq4N+02GNYEiGJyZDe@BG@_od-Xf|g|J)A34o{BXEVnx-C9 zwPe4XkgXu{cf(14kD<4sMNu2@ySi@Q{cMK&y@gz}E1eF0cls0*N z3@A*YO-Cv!u5f@xQN2glt%*U-_)A?@1msLtQln}|atvjI`xv5x7-jwFV;DjI`AQC= zM2w&Vked>Mtd#)1H6`~s*38N;9$agMFJM|sM7@`Q%T{E!JlK)+&y`P&a~8Qz`Cis=`>gOBmm1`;Wmsco_H-cm!d0urH&d z6$b=kkE3}UE=2CiG~-m}dgv(Ycisj_3SENamke&1a9U1&azR=75Oo?nL7>3C#{8XT ziPywvQ&A<;hAjg4)spuKD^t$OaP1+KHrT-2kDGgIEy8Eg$`EYu(cI{R(qZJ4)4^x* z?E(?_(n0AZa0%&*6WyUjsm?06SG?cPa_y_eelc7Wt#_W zZWc@0aG66iL=;B?ZM=#nQG#!cCJk1;dPL{UUU8g|O+3DGOeS0;ZfvMVDX>*+=@;{qnOn;Ev)e*1?sq8J2K5I!oN}O5f+X>@T7Cr!HZ+1bOgAAAx2|9%_d-w$izau_6f-8c+7AF z?ezvgMmG(85CwXmn(*<)bfe6^s=S9^)3?(o-Vvy1{7_<=h4rXYgT4vxIoIAAa57dI zR)O`1ljp@tJcbu(hk#RO#IuTeNiNL>Ftt^Hsj27bDogJcCl{@VVppNb;}&um1eBUk zJOiFb8fGzavCe-wC4e_gN0!-TSJFx#MpA(6tqzFORJ zj4di;rMyiF-?Z>N&v<(oC&u*vN^VB!0OZzrx&pG=P|yO=?VKaBS2kO{^87f#bs`*} zcq&uzqd-d}Gguq0F#+FItx96bth_vNrpeUSw9R8Txwoko)US;2<@G`<3G za(S(U-8sUu|7@Au=W3F^N`k79G z3fo~ab(%bu_ZCLKhbT*~FLg(nofp4%nHBwgnlh>R-AmD*Uo8qarZl5t%(_#lSp%&r z+%~i@SXE***8!X<02Na^U6Hrs&SnynV(+Fq>=>vk(#v}ssC`eZqDlQ`x-GKF)LsRz ztpaqMURpN41EuNC+yA^L?=Is4nNsedCM&~5G9nv`30Ss3>m-s?Hnz;Xj-6XG614IZ zJ@XOg$pw|z5B9pp1FK!^evH$uY6=*A_dhEm`uwAO4i|k(k}g{z+K^^UqQr%K?;ien z_hn9&Wy)r5DPzw`Rhj5nCM^pMoZ06yJuLT2zyNq#!zRW$=?=q}=Qexg$?5bI1wj{N zw1%p0(OtpD9mZ`Kti!aD^vhtF&n{QGg!nQ*J-4uZ%(>qlFPe{^vq~N1o>~9V`u4sS zyFUG|MRWExhNnG&)lDG{1+Ep>FDV&r52x%1u3Yb>)HZ9iT(w7|aVCMc)_&rqASpkAm8oCJq#$lsWm>b#9FI4V9`o%}8n*RWZVq@hZWl;#INjMl;_#F$8B+QU!YlI9 zU{{-d%ce8k1*4s7(HZ1dy7o!SR?L>d*N(~e^;oEaL}M4G#;^a$MIpHWxJ~wR(;6?D zRzV%lBGemy`ac5fm0R)|?eUSgGfD93;?uq1wS{^Z zN7Y_@uub!jn9y*FYL6jxFSr;b5*rj3gqX`Wybj|8stXfIW($!u>7j;yf>h7%I@um` zT8{!2V+}*uWa`$Q57BCKS}AcvilDvjs!)m+ahN1#Pk1@g#OJbSUGI5+*p-~O=9GSPCCX{3|aLG_D)l3nJ(dxlu#xhsLAv=qX2P2t&@cVxCAcNiAn-WWr zy5#S2&KaJ=R-*7uO3Ur0SIwcb&I!%$8Mc%(`f^ zQ3M7IS(p|w15{+|$0S;Ek;t;{VX7KS*=vn-tq#I^qOZ?K9wPYn00Q}rpS6$l@zM(G z7*tgDK=YRb+SBr1{VpDlcEQYZsfj*VGM@A7NngN<3CjrZyskzaTnk};C*;^fT=4{aeh{AmbOl&>5aP>47)p_m{w&nb$*k)MO0Svsk}1IFDI%0A^+bOachZ?ay~!Yri#q4i63T<4 zG5YJ1Y%r5!S5D@eqE!R4n$GG>J-5GsUds zfM4_LQ@d&N+;5udLArddswa5(u^=*}t+2b1La_u;uyfy7tNI^9{~5X;nq4H2LhicW zI2@ck$3{ovdMK&$Ifkylb;xZ7WM)=j0s5#9KVL#z-C|XxX@GFp*mXx~%W~CU2d;ev zriA635=Xxct4(SRf>tQ?p7b1$t*$3+{(TOxcsEV zgAy<)oEDS4X4HB+rVhKxCtEyXeFQD$K`&qy63K7U1fx4+uplWN`ZC(SuPl)& zhAiOw^;$*{BH?iZ-8KHn(EdiH1&|5Ee6B3yKe#euaOPx^5ZVTc_-fT9&$moRaVlhq z@i(!cxoZFmcGSLK`7yj5t%tSZ-_Mf}b>16n>@9>(Y~ayk?`dzu^<5%WzlLNb$$6bV zoCNvci`i>C(bZ)>5vjldYC<+Do%>!3=i5ZY?irBP9rS=u&*bR)fiWimjYy*64*9Bt zz2WnEM;sP;J68fbbZs*8cm>d@YIX8pM4Rk7tck)&(tai4a+>2~>UGf+*SavtixmB( z4ta(LK8I7VTVdd4=&xabAxkdI>#5a1*9`Zb6TW&S#ZZBTU9WQU3~&U(0fO`cTsF8( z^Y$`pz83CKZM1NL<}$}j8HzTCf>?79^D;x4-q z&i4azw=(XS`WuG}%5@U7tM88#tJi)*7jUJOzEzFDREdAwobI=mVM~bbbji!&i_@t4qzN|IA`=!Mzhw zv=&hKvVUV~RN(?&^4aBli?J9PE_@37e;Pu@tq~#Mei^n2cI>~S4!mYrQO+BU(C1^Icr<8ynshHqPdsDeisC=L#NU+=$Ll);;9(1a zrVGPGc~M}JMHVxu+69@&aD>+*Qo#JfFnE3IR3H__FL#7vg86uEFAerl?1Az9`77ml0zZ(JqF<)IU`P45P; zhwH`JfBEMACt~bhzJlh!Nvdm4f+7e1_r{DuOM8GNFZ{AX7~ByQ3*sy<0(l_p1jytv zvzrd#QMjz@gZEF5tsCwng%Cn&fQiip_z4;SVnMC-1bosFK)(C|azobbomZHPtbe-8 zrDk#GW0CjIos)>xgLNw;r_{)$>J;Syi=c*$HW9uFd46|LTRed2;w(uHtYmXxeEn{A z;-%R?ecJGOR)$T2=FAv$gdQ#~@KhTE9yk;ZOJedo^!0+sQ-3kk>OV9CcW{!L+F4$H z{huVRfBGN)^`}lH8@GwZtgWB-4_~kUO_c5)?SFz)*EVgarRpz%y#C!P{hvNA$q7n; z$4!jVZwLI-dGRk#!e9TZEeAaC1F6pi3I6D!{@;J4-U@Nf6Sjfk%fC4aH zC`}{vQXst`Sxe0=;JhtSYL(jOn2nYSe+>mv)DI@7C5jLA+^|0g+yLjmE(@I{Jj7wS z#!qXWN*eszz0hC&qW^2jNJ^I5-TJmRY?s>s@j!RO)p@=F;i;S^d4z@sWtUk6Qu^*B zeud_u(Tj-c?aJjQ>y=^Q++m=7LLtf;y8GT8PV-l|&~3AU^u+22+VjgGM8^V)kSL%N z{kLNja=)s0Cy@_Ix138R`1Y*lt@zHc zI&31NLYa`<4UY-{kIF;UA2r8l>Ldb~C@1S?e!xnVZLVN~2H-L2#uu%eI|9q1Wyct3zg zTn4j5rwO+uSDs1RJNS(>Lgw-`uq}RFCC1x=5K#qu63{N5ySCPnD2vF;7h;(rnrxtk zn*sB^LedkNAEm%Q-qUxIYV7H+7 zl?|xFLI8Et1n1^uI9(#y7Gb-`0m9sn=Oe{(yBq6K?$sqjZ@A0Rfc2mj3zqV*TYxyP zkj1Qu7#VJ<5EM6zx=W-C;B%IF|G&N0|J&EyJLTMbxRN%@eS)6BPv4nq41wbGxNKn+ zz;KE;-iUmks-Ctf?DNQi-oHn;*jkQc3N)(W;H6=yF1>K_ObVDMKFLOC$lXiV;_XQg zy;lULs9IGrI|5RcC0L=CNFC8!bcf~U&6V=~=duRFS^EHuP%x8@fZ*o_kStRzihG|V z!FI3P0p&~{rua!P!*$htF*%-dGDf*GoJHZ?C+*u0XW~^{K!w)?%TJueU06f^t?NfI z!fsm^DlLllf)PaDhwWZ?tRDi%&Vs9m8TQNd`P zWrbIl>Y(b5;#ih{K}$uft8NW z=(WWMMnAg+cr$2Gr16S;E(ME^-v8lq3@1UHH3j<1C+oo1iGG*ex`yMw`lx?g-vQKz z%)3Ste1!d^dJIGJv5kSGXjl>~_Ois#it&RHc5ngpqOt>b-16otWy?djG;h%cgie89 zeXBcg50WqDQAu_&S9q?yn6o{o{_Um~g*ytMxBA2;(Da;nGW~X`0cPm5KN`Mg(n7?8 z|F&(UMh*N{6u&)@Y0`y2(0CaxM`ru6are(Ey|s^)MYof9P$E!UCIR&_UWQiWIC|n- zOvGDTb-hzVQy1*&~Z!0K?E?@H-^hAOVa|ZkPtH$wMxN$9%94qYa z{z)nI_v1R`2F}c8-!<+3uFPvEs;sGIiO{(O;`YwOJX@Dq3fTsrPoa5I-0K4noznWo zW2bI6lL#s$p^NQP)xfjVl+tZ%fR17s*m~Ff;iw!Soa0*q{;H53@0I|PaW8y)usH*g z0ZRJ`d$3iL)SR#{7X~ui45$XeH)b{qGPrun+W@5s{4u^==(22iSKu(U3XqF+{K?L&jKt>c2sJ$+iFt!LlX`m85DN$8A+meL z;a1rbC6?YrLa){sK1b}7)QMX68~6(QD8h|GW&fn6AIWN8f8CX#Em$v2xuJTelErO@ zxa~8i{b%Gd_@h5bv68#cE)td%V~^-tDE{+`rzz@+_b_q?!!fH+3ntEA zL7@?@!A$n!C#9UR|KK`RAfm?vr5&8jzv+q)Ss4AyLG>EZXfpcpI3=OeyAiPi;O72I ziTi*5743qH4OAHD6yykc{a*)wJdt}4qi7RM6uDruqVte>5F~`iafGAHq2jf}|5EA{ zPmI(@FtL^-mw}VImMY?zS4JsG(xLOR0unt@V})0D4M4Cp4S1IGV=&(GP>_bZ3gcx( z2QsmJOON#$=%c5>qqeCq%07u1KNZYY3=FXmo|l$g7))=buBhPrK@h-PVeIg*7 zH}4pn7J)+l+-?4~LdI4CXGTF@p254$nfwr(%G3wb9o7LB+XAE?q}&;g&Qjj z6d8?B4sb(((WG@KBG{Ek)u%S>m^tQ`)u zhY~`oM9O;PB2|6%^3qTlFccEb||KJ&CC^; zA8N2$uCl`ZWIs$1>T=n!7VxDQ$2XR1Chz&8Nt?a7$r@6_HS>+VR2{5i5Yb)z^d}&A ze6gIGTp1GP{n-~mEN|k1)Hh$sJ2ig8#~B8pK0@*Z@1642mnP_rLF{A%fd#DxZr4A- zXcRAycgQqf+&<-QZN~e*roAxmP`y;1?U{aVxrb07-4#2`Gq}vcP%hT`21KF zQhaQ>5OK@?zOQsUcir60glM1EIkDQ4d^;&WM}xzq7Z1<(qm`^zho++>BK+b4y|RCHm<_P1NH7}jS&I;OQ$`6uxyJniSfNOjcRkJ1 zV*=8R*#SUccqOR{rgFDiVX-V#76QR;^}?3>uuKgpciC@Be~=fj7jM*AY-8$9$)+Tv zd_V4q1mGEfg>}R%S@VG%e36WqE=u_pkBydr{?{lkxJQbBW8+<<%D72Texu= z!J0da9)N={T8viLI`oQevBnGe9i$+g!J7w*z zX5P==1=P=lo-Yx4wL9mCkKiLwE-m1BRK-4i1`M`iE(PPC9JSXJCu{B2+$qlD%EuH_ zqNxRdkYGv+RDaM+sODSqOFr0zD%r}@Vc&bb2D*Z&Qe`AV*n~^6{>3>FrMovkZ}*6v z$b+`dR|Huc8#<4l##0xIfZxRRPFtT7SWhgA0%j*P{KJ2gQ- zzyz*A;VT0-viHyoEcIJ+`%f*KP1ySBaXv(!{)4Wb1!3;Z#q9t&bXk>8mLF z0#7-qnbe3SsV)ywb0j2q;E$=VF@yyfEk;&JRE}&WyjqLHW4`I!Rc+c0GcoZUqTRKq z1ZCIZkQI5>3esVb5&fl>9A9UsuEoaIU=~MdUsxSavepTN#owbr8_wRVfgrx9GiP0+ zW%BkAdy7Z2SApwXGqsO1wzfCuV}x29*R44SF0bFcK~%oV1fZH*dB4Z-%FQ8Ao0Lw( zI%V^2)SZKh)1RjHCBiKx6jub7T#cQwj0)=iKl0m8b+ilr!2b~b6&V^~+9Za1 zov`Pi>?vxvk<{=I7HC@y5@}sCfyLMaTR*;+ypsom(ueW`Lb3!x3?5*MG zq&sDWa}U|s&;5#5{%Ji-nKW-!TVnIG0vZ^0)#L-mpVrLSOLvVJ9bH`eFm$q5RRupa zjldqJy5A6>Rh!x?7`%~-`I<-_=DhhmFiOWccG*$?F2C~-1`~W-T+6Q z-nin&Z86K;wAf5)##2L5u+9|&10gq&LGiR`YC2$T==9r zs}G6iaoS*`w}hi>zc<*@SPjaEg{QI(Oh1gMVv3iXJY8gq6U5$!_nRj2aVZoGVt>2> zl{!E33dJ|r&-&q#cFnEigA>H6cPW1I4Ym0#^KYL5heS}#^WdSOEGl$@py zk&JHBi>ffT9>V=YNp05zu{@N^i+azo3wliB>lr(;sbV)A3-@t5@8n+7Ehu-l$ zWLL${m8sC}-Q$iKLsW7NcA(EI?!i6cFw{*9&`WmB5X0d2QoM5$57txezrIcLTgi{o z_=;(_FqozL1G){)tM)i`{zI?HkCOSP@z(!;{)OwFyTblOzJr-9fqEmV>(#{F3qh4% z>Hv|jXm9KnHr4`+Cqzj@PjYbkQ0TVKPCf;e&Y?|oRjde144%36ld4&2OBBYhr{qri zONt6P9KktH*7Wvuz27|SSLMAnZQRupE!DWisB0+#C}O0cfTLk^y1!YO=&mM4JG8H; zk|=aYJ9_hlza>MJmgh7$=6*%7rqA7LQgm#$ie4^vI@c_PtMt?-ImrkwhH8A^7Onlv zYi6Oy;cbSgxvR`dx{(c@RC~ujfPBqIxFy~qnnD`DyyW1S%oIfZWN-kM zeM)1USvk(T6hag9$@QF5sr@w`cF8bp;k10{pdn@dw0bz6S|u^}+yX>O@KhI(Oh0SM zug7hBsP&P3m&I+jR$`qgrl2z%_TN?fng(NG+&LhbJ-;^jSRusjv|#M=$)>=zSqt7B z@sBzi_XJCyAU4Pis2)$3s;8`Ge=5m^HB{Ta!K#G{`$pBKW(e*w5!NzF71w4Jg4kpj zaQcG>Rx4uITkZT~Zp@#HX)%-g-sP<;o8xVHV}jzEZsx#&fZH64y+#0KI^)`k)}4fa zfk#eFw<^LZ(iy;pM8{9-gY4;i_*QuL*Cf{0S-$uwqdsg$Q z6DTn$qEe7N#BA8&#xSC`5w#^Sqd-y9`9+iaq{7UD%c=~-K0I&JAgu9HYgxnnu^ysk z50hK8HZOBwz$EU6Mp+<%_I}weClix3aA9?x=%Y$a{2uX(NiJAIUl`PB91=<~YA9|F zKQruY3huzhKR{&pL|yvnQNaLSeH>51eQ{ZREF0cjky&qgc@EB{NYW(jO9neWp4=j| z3gxmF1U^Zc?9A3fhhx6Mn$b-8a1I#;Y^b@k$FtrVYRuKBT}CHj)OsE7I5NG~^S06j^SCkt2^pq&l6d<=K843d(9GA>*{ZCKE1wCz zx7m}9arGybc>Fr!^yp9&Z5H_Q$M;>3MB0fDVC;+Y8lhz{C!yQV16hU;!7WUz$G*=h z;b9Ctp2h|3G5ja84)atqJ>5?z+XTx!JKCW65*<_c&DB%!D*%VW9l*=K&oNA4yb1{@ ze_xL;9j6=Pea^IG86@%(ZBkyZlO|S<+Bf>@xB5Cc)^+eIL~@8u<*A;LDvP2K;f^0EZmhv!2!dr z+QcuTXMAG3aZUzpc!D`=C`gTo>p_|0w~trXzhJ|}chB38yWc8yiO0SX+YP@c+Xzd5 z<#Z)2c6z4`PCToz(k3TQHtxNwQsLjdS=co3-Eg+EW5tJ;!cFiKOV#GLe$a?!!jmrJ zQfM*0$OcBVE2_y`^t<7d`TD)>g^B@EbXHh23tu9)y&m>$k;Tw4^dItAkAzTt_A3q> zgFE$1WAFxAbe}wucNb6%R-5JP4DWQj)PlS?BYVsGNyCq~2)M2Xk)wDjpPIl@ zPUfN3IP~-Ud!MmtHMzc@jjdYp>GQ{=BF@H$8b2{Mv8%RM3ZIZ7n(ancZLan{J?8L? zOqmQ_Xxe{gafs4n#ak^Nc{LM#G3+kNhTZU9qPSBTA74Gm@8x7HLG1gays*3MqV!X> z2PSXSMg=y|o|Tlw-Db5Dqo4Sc2hCZixMs^`1J&v7p`6zbk~o_%pk#81<;h~>Y_cCJ z;3`n6&^Ml*NhdNeN6dsVj>{Hw&g%2O44G=9QtBrj(lt1JP?HgqkuWY?YV@=?QB+(MG1b#Q_!cnU@F4n z^H+~fY@Xg`b6vfeUqQOGD!5g(`caP2Y<$3CGG@F;;oj1mDqYy+d*Nm848~>)RxrVH zE6Km+5ZXDB*(zYkx5|RwSD01lb+{g{iH8LkSyhBCm#Ohh8R`AmMC*imRI!!2Ai3@f z5uQ?94H(x1+h&Guc+rmO4a|qqsH_v7+tVJPrNbhN$@sa+V|Z0TE9D0$>FUV zJ*b8G^GaRh8@3yeLZXYU&QT3ld%{<3a5Bk_8Q3YmGS0^kU^miL#nh8I=)>y>$G2V% zOY6S)nGx$tI}M7uAghO5b#ug}snX5IPaxRM>Ugk^CNYiMU0v3tYJ%U zy;l)xs-9ti&0YzbX#k1}1j=1B|WTPjo-FGM}c5b#&*_gLAt`!rIKij2F5_^6v zi@Gq7M`_YmkW3Tw{%q->XD(6o8-r;pTnLuPg@6}()AZD6+W3SrT@iupT{ zjAt$?Vy@=YcjM{x9F#`_W%;?iK+liq zsdHm#+YfzAbm*Qr6nly@m2Op?3gg;#y`#KY!US<5$X+n!a;fR|F+p~H@}HgPCy0Ji zHAKdr4mfGX5(dEyas#E}&flY5zf2}t+>5m4jkwnfWA zAIj1Vl}EQ~2-)NZsN_S7r3kQI2h^R*LO78@k1|5p67arZp0GSox9LI^N3%UsW zya8_ZbXkW?OXc_zpMHP>{1>J-E1VW@0c@=uK_bT5aYBr&Kd%|8#&`!@L8c)T`KRuF zxW=1+82Y?EUN?R0wb+|s>ZJ)$b6!>hc8L=V_-i`1%k<}iVnZcCu^SizD5_>uqdN86g;F4f~JU)*f ztzSaMoO9=t%9HMJvv_NZHq!0(?B`OcTD00HHIzLq-MHS%9&Hy?EU3EoAyij%o4WhL zfP6#!2lL?D(GR&{PG7>fOys-FEEY*e@um_aWn!y0s9%NCmTS#;@<~a(nr;Y{;oBy4 zwJHi_|KX1Q{%T3nhEDK#6pTfcj<%9-EOfNmWRmK_M4!q2HiNrEF^Cm$5^ZNDs(5RW zRC8xp+*7MiKK=fDv2&HKlN_%Q8e&HH5pdFFwek*oUsV+MX6die*tq@@C!ak6%a=%K zkY&|xsz*0g7tR%rm%ONbP2rdS!rc=udu2J@V{Q)QC4LO$Wh=(}LnrV{iYwO|+f-^> ztN?54P(Cs8Rp(d&^d&N3O`<0A1st=ssB;S*H3CaT_mvB>%%z>h8IQ->@#;EVS5sqr z`~GN=aydJXa*atdmW2}8cqc!u2vho{sA7$5O-YlcU}-u3;AWP&;TchWY&}TZEKuVx zr0Z^dj1IdB+bEmf2SIbRg3EwD!$M(ISXDWOI8}K_iBvi}@MJ`G zLtsJN{{-k%meXK|n;~Wr{L0Rv%Jf z4HYJ!g)JlBL-+Wo42-$aol9#VZ=fqOn5Se}3reKNxvG_YA?;2_(ksA#$;3{y5U@GQ z5>cxfe4RVj*c>g|CmcT}&|aN-xF(AEo2lpO6jZL|8-sHvH<4K407iB{pt!@NhrUNJRe0mp)8U$WygzU2!jw~0zbdRbZW7k%KN1aCmu~$w&R3feVYOe$?dSS&Zi~g z8S!&v8EvpxRWuN?a=rO}e*K^;h}3>N8sx=Z9GO2q>Yc6p63;65sLazuZES4NCO(QW zc~#V)dot6s;dEBu?-=*_RlI5*9ff=2svWL7ysOE%5-Tvi!6AQ>Ux~VP{$n(gU{s?C zYueo*&nFtLg5pDC_{9W@Ux|XP4LrW#jJ|;d&Y5>t*`976lVNHpzrCBtCfP4Jxqr!S zg?v${oXTd3SCo6uNA=rEpbcyda{@p7W7_bz>i;uC`yX>N3bekO+T@q_XYcV0SZhC} zVe=d!K615Tg6>u3YsM49%MaaQrK8O|df{iEcuW7`Ek6*p*P#i$XF(YvY^f@*myd9& zCLwACI8}`;#a<5S?VH9Mjd}hu@~(!ss!oDPPF5V68|mWA&sEANPewJB=pkK-kQ0?6P2 zPFL=sIp)=A*zp{>yI4{!9fr`yF6w_IC7DdbZDX!Wq31Bvr#4Xpz02#gQQ_>Hg4P{l z^(oZ@!xlzPS=84BKL434*6nUwX(od)+he`}sz94mNPl4>Da}9YI!?ioS%^<-uxsu~ zvEQwU?K!JDTx@oVTu|cY4y*tJnkGLDP34~+@DI%2h>X5LZ*b$jO1GTMgZgFKrg5*Q zL+IMOZChF9DsFq~Wy$$B3r94ypSErP#st%`sVqL?9Gc5rb-eM?CYp$x5LkXOmGpj` zJdWcx=X|R<rBy2KLEhPRP=4Z zc{kd~Do+At;fwjIW%?t2%_nJj(%cKU_J@F1Wl4gIlXmrN$I3E?cBmPz301EH>y1}b|kfYFvI<79aW4w(=#>YT;D(Dy8An*Z@<~}&zb_X2F_<0 z7aFIhvCq!;wST|=*1dWHP7r1%|1d4{Q>Q9!LMyv*q`P#5h+fwKgxY=#T5KNGjO+LcEon5 zMacX7S*0kUj+7l(q1!5v_c4n?stSRXYZ=5BCAPq9^W22SseGvVu1*rh+;$=h;#=}p zw}_v9P~ln@UmNqh;s6`4?2xM!;PtZX@zBx~+JDd(r4(F=EPQyLb>NLEWERby6X%#& zgylENIHyk-Dulp7XFM}Q3e?F;r!i0%QR+e=9q|<&4~jax|Hs=~hh^EOZNExMhlF&h zgwkCKf^+8(RkSI_V!1Qly=H-SiqHw%OHVu_i)qtaLIKs zvrWIpezx<6)w8FJ)i$0ug(lj;!ZBGRaeX=C332Xrx5e+$wwWsoQE!ZF{><5X^J1R6^@g9y_&}EgF;E!!^ zy@vKw{4GN(`3Kc<&bK`#Bz}kF29ZJwm=sX9(~_Qgz*s0MRgjnh3MQG*X|bzw_R0 znDwN~B?wIDvb*V~V*kRGZ4iRORkhu4B~?%iz7RSd*xF_tfoS-Vn=JQbN9r=t6XP$z{2xe*l)+=<&Ajq}FA#4Jyj1=-kM+B4*2_P{*04{bAnwiN_9EE~jw z-u6Ei3MQ7O*vb_fyNcaL{F2?FnRnwn={;w~y7`|9$LROao<90+aswYIQfwoS&s1X0 zA)%K=B_kP2{TdpXDr4#Q(g}Ul3e>kzNxs8f1B!Lg~J*PsII3xgW zf$|Et+Ea-*h9ycyt&{!Vm=vc5&-W50h&UJM!+%i5T+OMA8nE6JOt-$a0E`vgv5X^C z)OEz){XLA^%Li^9MAxYMzHvqQ8$oKcXBwn_s3$6fJ9{}n&NBi|KPDfp8>*fBTwQEX zY1K$&_pvdd%csg&m*HTsqk3ECJTYtQ6C`SDc>XRsTN*NO*kN%pm}L&!a}5ey;>c4xr- zx^)UIs~YC?i?6{ZTb@N1A8~1b0Bs3C-wMM=@M{+h;y~O+NP6PF^; zXzQY!LhvLM(ntdl(lygr>f>3OafMRcqpH+Z)UC4Yefd}?sfYN9bFucg; zaa633viB2cW_!|7i9|25>)Qxbnj=iM@>v2gCp8F8o)c#+rrol;u_Aeqt#2>kjt;M3 zHsJ}rb_c!M+z6gQ8b}3O<@*lu7q~(`W(y{2j*l_#Jp(aLxtPY?>XqD`2=|)`@&o;O z{o76(Wd|@tw!T_w&@h6TOH~%(d=~E5Ht~En$M$=L)9PT^hJ5aEYECnx1($C-50ZA> zj9zOs}q{;5x8YgWj%Yqux#p#~$hUHm!Lb{n@-b@=}%!E~G0k;ad z59m7_LBT}IbSw430eXU`Gen35(<-e}8k%hUY9MWmUWRtn**~WF;8s8T1u0+f5JN2IzLW7`UfJGSH(*Xb|lv%l2Wc^ca$whP~L_Kc2I{EgMa`mlG5<3BfC z|I^4y;>Tr}PlauwUtqq2Ac~&C3O;zS^8W`8)Ei0SwD>TN`fg57$&RJ0ZKx~+$;Wc3 zsY207o~z4%c_93ddb?4)6rPl~^d6h8jDlh}jBr;m1P3Z#2K*7ybEkbs992v&O2I3i)gq_J zW<1bK2;&!h<)Xt2_I71iR#6TVH%37w#n$;U$uCJanUPm(3axrnYH7UX`nUKJOk6+=<%NhnuUNwv-(%AbdXBJxxMh6xtJxrX!QtsUrco z5t!Anz(X`0pKgzg>)#K;Vub~%{EVKhGVfdnSji{+aO*1SX(NlNViEe-;dhg5i~TBn zLyP|y%X0{qv;Rp24mQA+hoaYTO#L&{i?5=h=W+QmUXP1+0>XU+E$(}nbLjazjna^n zdF*oTSs-zr4QeuYu04Cm6wy>()R2zY^b0t2p#<_9bVkzL06F7uR)ver8$;_Gc|rX8 zPz;twQ2l~+6E;aDwgIr79@OC+lIPM~@pl5H(s!V%jJ_wFN85v69Hsj%DUxcLe!G4O zQb^0+D6-UJgceidpl_9}&^R)aP&oTCx>ekRu00D=1#J{>IQ#<%N)5^)$P?o<*@ZR@ zKv+neVa#t5|CJY+g-@yJMJGQzYYXd^%A(>y-}C^l7y#fbuba!X)PuH4izS|dp~LVsSmOwQB3tFMR6xS zywi<#kXADYkGdYcY3C0jB+As5TU)>u;9dB60awmOibz~MeiRw#WPe}rRo;&EevFDM zImDkZxW4j7bOhK?N{Atqg73W{z}iI^BH_if{n)laa4xr^%X{~D6?J%UctxZhN)bZV*vy`r63Lx7QMc z9dqnxrQ1UK3?JAJ-U=6PM_c8pLQeJe3JS{_b;`6b&2WR=@<&vt#`HJPjD}x0E9yuD z>4ZWZapQ}lya)}ru_L?6J`32St(YY1|z(4$t$&skwaN#Fs2T=a#!#NOm>_b zt!j00 z_`cRYRCBr&Z;Zu$CoI||f(kAD62GV&M;j6lwgT@_d$HmBiFfYgbuFHS9EhUaC`#qe z{D>DXceDGZJfTX3HB4mYM`-y{$(P>78?u3b(jm?wT^hAx9@GV*7;Fdmzqv@{wL=LN z`qjP%_zB=L3D{1ts9{Pq)azVw`krJ}BLDMKQ_II5ICXO}#@qmzE6n^`>KNVIl{6eV zqIAIyjbwE}4s7D%OA1zjj6&1eItz(H4w+fu*yzKcL{xVxjE4n{I}~lmG!|RGYG_Sl8J`IgCCyK}*VPvZFsw zYl{1r4*Q^_MKQ=`3N;EH`k&I4mXDV- zQ0Li~31I<3s0OB6#pl+zemE12kVZ<{QlMSSIlPRrTz{a}A($T0X=Vw9Q zFEDdM2lTSK;Ob8>*gm;LFL0u2&rBSzkpH-TMI6%su=w~Eq z97)MuG-SHC9lDv?vH5VAvvE+ucY!kTaN=t<%^$jl{T&246{+HyO{Mt;5qcK!Li;{;+9^TiY)KFD{8e@^IMpl5wwh zLZ!15#!jpF1p;!Z)pZu!KtGiq{as0$f;p+&`2EDo>@11ve&R3L)r8)OXB(aSSCri1 z%%V=SJQQ|aZ#_u~C!%UhsqN2sAp50svyK4cA&~IysU0+Sj)FpIKHYPp-7|n6e~)fC z0CMF;9NEMDom)jOEw*^cb05<5mc45`c@$<-8)|X*Qjw#)5-S|fu5O7;)k}b>EVp9< zH_Lm&-N-sXoN0uw=!#lqm)^xJg4^vMq1hT)Z2i1t2b}^n6Q4Nk`Z9!Uv8c^-c}7-u z`_RVFnYW|OUW7GnQE!^KXp9Zug8kg-WG;*en*Q$;r%y+}iMkKoT}%@d+b)?iT%>55 zx)han-)<-39KgS|x-U;UPHCLRE*uop&poJs)6YY5VPcx8fyhmDM;W`FT4#sGwU@g~ zD6I}GYx7>YCUjU)J_n}(=YqI>tbf*-NT9gWr;|K(WLwi*yv*O5{X6cCRwz#p=0>52 zgXpTrz7NZ_&X)RVw6_WRnQ`OyY-LjqHnq*q3Wj1ML|(OJ$823uqs0m5S<5zSw)S-Z z3)c&AvbVKY?nfo3ldOgR`fk0bU#eT#SjSGwSdZ&8|6^mS&L7$ShCbp^&Bcwg8@Nqz6BqHR2EFn{ojd3O}nZg$zwd1lQ za8w3qZOXTMUD1A%mJ=r;zO)}=T|DkVRokgwaH!~hR#BNvs*PPIbMEn=hgVk5IjfB4 z>TdC@T|~%Gg1F$?d4y*~^#`(K$Eo_CUJfgk&D_s5a-><0PI+V>YAluDhAWiK4tG(l zP+H(E&&KhbdNe9c0 z$wgI$8UUv-D8O_dJx$Br!=>V~fNERer+)@IvE zR6wadYN2RGAR^@lCEKu4k z{w5fs>mWTVHR($cM(1ws+T`8)!}uCYrf5g0D;KPxZ(!LbdRGK(v>II+kld4AGRa0<>_?O3skUoGU7~|Ek@+_7p{-$%KeTwHO;>&d8 zO{|>CP5tI$4FP?8wo_xqsO^Gcbm}N~`@o?n6eN+*zkqpi44O%KaDOsZW~mhM!$vQn zx6q;`1urWJ$wrNP$Fm}i$HNiPE()7UZ@Yz`igb>{&I#pe*C#4Yw-14Ly-%%eL?UG0Czwi)R9R{O{rdTPmo?|NynXNs6Ar@U;=@g5GDgd5T$hic z75|xIYH-DIwtXzj;GAeTgJ~`?CZOKe+jC_ zb@`0Zg#I7w0oA}aD#ceW5) zM`zrx%5(GV#J5&SoY&?2fPAwo^|md!Y2P>3h-r?rK%|5`Wj}4e>1PP9-0?OmB?ZfI zRUuDXBIUC$d(Wk4cW7Drg<~%9rhq%EZ=Nh+CF{f1J8|3QT^Cx>4V})2%E_=7u0xAw zLGPPC{^VA9&@1(4PB90}IN!;5A&SaZ7EsasFPNqm0{=dyiM;q9n5L9kr%Be%U9OPl z_o(CQb&BrKvm8ju6FgI62_8^m=mA@(*?5I{-?{WGxKwpkd=}Cc2!hZ83pO-BwQx{* z!MqO$P0UHY^W*IAre0!RIq3kJ!F;dfmS~_S9;b#H^%Ojz_dMQkoiFMJ1H830p&4{m zTfNO7{$pyqV-dIdYkvBYUGL_7)$}hLecN;Rfk#egXGj2Of)%LcR)(Wav8B?T)>U)u zB+YrNA6@#|?{=BxDoV1TolE#^*)x5BUn~ZqdL{rYNgsko-`rU%$mN7ld%qF3kO?d^ z`%XgZykKfu0SsMTKs!oM(DY;e+F`$N?bHc<{Z?bEk-;6$`&s3jffvWYeV2HU6k$Pq zde!wN>Z?qLRbPS28-WOX3%P18U7Gv+&N2IyZ(jCWK22iN7UiV>_9Ix%78 zrOI^0AM>vmq3Bx|-596=ysS>t_*MPy>w28>fKw<_l85y#oMOr|J zn6-AI?QsFZLIu$kvIOXC??2VEgdwGBp%~6zqzDomm|_QGrbr;bIJg3qz~kw9FoZNd zfZ;$;2FOjr1JPiKV(t|KsbKJx2LxpJ|Ak|j{)NPG+0gwgY~EDF&5a!)0aIqF20r69 zG*+Dw{l~P||C7}0x27L}v`B3tsN=_ga z1R!U*vvv;_Z>YM*yH)et&$%Q}L|Ok8;gr+{d+cZ@3bMa=;(Z6D=b-bCLBKHJXl2-0 zyL=UCt)^gj;`b2yj~|c7MQ_$pmy$-M)BQcjWZ^?+|BBXL^y#MpJd|ED>f}eW|QHbAO~nN0~EN}UxPS0Sm0iRiw&|} zy0dq54K~c`AcPiezRFYrw;G&+x=fM(=M^GpCI12lSthQ7 z@EahIjfdLj6QHZiK*zre?z9uKK$H_?4h9WVG-4fE9$*S4pxgSX8l|{Y4?BZhura>9 z$CqUeiUe~CxJ?^R)(X=+T2JAMK=5&j5tRI5tH+T5&1l#__L=apnu|cw9q|-59B#cN z%#~9U;MT$*E!xQ84B6lHrIyS<6r**XA!Sg%>xzLEDo%ph$SN z^Dj5szrJe!`jZwF1^Tp_K^5%WDtu2k^!`d`LKmGP?pLQ|I3R#t*gm4u~z1y5%G*llQq?&wXEt{6h3jtCR0aHH-DWmf}F-w?NCDd_CBU zUOE-Z6`q0ckONtP0eb0rS=t+)6M0a3f>O5XYq! zQd{mzU6+gxmyFM~Cu0N}Na`+cGu+=};(iygaSPkbrfMDhZj*rIf$RUh*efw7Q zrpD+k*S_CX)ouUwPgzfB)r9xsu89c`c!Ry?@;G|Hl@S<8hnzp~a)VUe9H*+bg|^i$8q& zlmE9XV(y4B`ihKs9C6qM7sucMN*9~XS(txUP+kb1wSQCa454IcM;*ISO#!B&?GR@x z5vY_WZVl3gs+Te87XnUF7~el0$h`WPYynJwd*6e8fw|~5>q*p=YxW5JiF)2k;-fMO zhyGY4UT}?_NY1Z!v;hw{8kPL7uk>8y%c5f36hBT6Vs)ST8L2gJRl6Z_yBXSio;C5RY z<8SIRPQbi8v$*vkEQck|3t!Fc_?25o@i9B=EB))2@Xr-Xz(Xss|Ca^u&p-eBpUomA zeu=s7nw7X7{4?5<@cMI195^@0;AF>-f6L=Alg6uhd?KrH|EF_v62gRSKm%Uz;@*ABfAmE z=l+%-d|C{#3ycq&ydrs5VG^JDb@fYz{~oohBc;?gMj`0}zZLRLgjNH-2TnqC1#g*o z763yXTE(;vAJp)rWx!&l%fSp>vLzA$0{W9s1FwXJ488YsWxjKH?a!Ns=V&U{D2bKb zqUCjaYyUXZTcj>TUiVSq0K*Cq;$0cJZWz4u>}-(^g-C);GcSErDhG0hQ6hq74N%>&2=O^x<*{-wy< zZaG{tkR;DqG^A{lhFEpTK~(hM8}8Cy zoM?DOXtN9z^c7eI6+^=!TBO2}_n_*rIyZKXtYc5CHYTbSttV@gsYRURkaaUy;jUYrl*b-`ups4!PNBAP z3g|@Thw$!xA@F|(TpCe~*W}Lt1{FIYTM&nEYLGO}3~ogEW<>Kj$P17u}aSuLDwY4Zy+`e5T_dDzt0;!U#6ajurKQSOP6+=*iE zUw(Bt`0_Oc%(BY6#Bz(#JQJj8`GB4dgVLydT={%hLzNV8Qi_k2F5y#SQn@V}-iE`0 zc+gdh{};d@Kj=L4ULv11*;4L!AMEJ`I6;%&zs>>pWVKwlJ9PwAnI`cFPFl96UW?VDxqKd1gh3-XDr!xMUFb@8)3|Q zFoFq%O6k6p2ZYu=frmkfITJbDntwFzk32}rU?{*D@pF5Y`v4vijvI}xf0J=YUzhI? zTR(`s(S@+v(lQVbdKwQ2J@#;;`<~be5TrQ4`@F&0b<*l&C>cOjG-LxzHZxUj##>M_ z^=L$*NPA(iCA7nb{vP@*U}Y7AQ+NeI`r8d`?Yo?+Y*9@kge{e_l0!ID#=+l`ClWo?qOq~tFIZ6-7ks(&T~ zpReVI=Nil)aVC4oNrz^LWWgmrh~ZHT<6W<=Fi*VEl^*czvI5MT4FL$elS4$sDydNM z8d^`+YZ=9F0Y@yLf05P$h*Ic%mtxE!XuJ(TBf9|FIlXsWTsr77)iGO%aP5YGlptTZ z$dbGrvCW)KwS}TLJeS(hM<}BxqFDHPFy92 zhczIQ5_M%XGoluQsZ6kNxQ$k8W1w)6>-J2aSZNwgQqaKlW%*uGfnQ(zg%`k{?3DRr zEWF8BZ5C<<)%ZtMc#WuxpJzk1h*ou7MCA@dC%>-K!obO;9N-us9}KHu9KbG1}q z1A-InzL)xd;uO0nWEIJ&N4s}p#MEBF!5n6nwmcbG?hg$;R^MjAf);Bv{2h1NM<^6D ztY%7i`lfP8f#{8)y3)KQn|k|s7z9;Ic5YO@exriN`IRB;`?1L$LKS(7_OB< zrtU+D*p4L2(#c1~?{*^09i3Wvt$lQiyse0fI(FWhVo#X%mB84+oo!jH2~Wv)D?O5< z7C25hEup}13Zae-xw@C;TWJCS$+q>G`(1(CpVGJE%u4rm&MV<*+KDb#5dpT;2e{`J z8?!#|55D>Jli2~p*&+k&jNXEQq->#PJ{C8gw0|^fs%%&I{fzPJI$q`N<$ql5|4y?u zS9_g4_2wYQpb*Y9AQSGZzRs@0alEyjwsjItkJl`nMy7E#c=82=K9wqCO6RzuZ4bS8#MXZ)eRQAVUl^N|6{o}h6PByWmCQZSu z2b4GcL!6#q$xA_XI8O;tuvF5;)sf*9>HAC(`9=GFWE>Bh#IE9v@uv!qvBb(WGf>R8 z>Qp-ofB8A5ckaXv4$6TQS3^pXlY_-Hx#h8pA-kL9ai8)oZtXDA9&U_h?FY|ZV5HHn zdfMCsX+y*#QL`V4f>&7b&Nl6y4NWLA`=={wXsc4P2HD#sk1oZ_8c_UTTyR5_%F#~r zxJ4Qw3IW-U`qHT}DoEPcdLcCDF$G;-TW~6k{*?6)$YPC;)L~d{$z0ttjo5{5B`_OR zj<0&cJ-naVG5eN%p8x@xd-L6)usvRjzTr;jXctm#4*cD~!E zzB}lkK2*Bq0k^dHzA5_=7?8}rMy)I4AguDCsBp2@y&Pioy|WnWk5C`K z`*2o67KK-Ip8F7{K7zT4k5=2#7!j!ER_DEPE|2k3#yAjW(1*-X5(%4uv01VJnruc& zxpqfmnKwVyNkk`^^txYOQ#>npyi}`wI|jpQLgo08xMherndPx&l)?H<|GR7^AG&YC9x}CK{U@V`@FX!vWbQti*kZ!wqw#} zmEAZHmA(7lo=Dfvj4wOWSCGwoj_bYL;*}}m*!q~z{f0V{ZY$a71Qg>^6m|8kJS-;pCVIDcJ6^_&SEGV`Elaq``g5*hYH+vq^2B)O z5`RkX0B07=-*jc-P^?w1Ur{&TU3>EaJ zu9nqu-P12SV4cCtRRUkBNFOWLT%735;PqC_a-^?OVU_IQe;qfVN!>+RmsMf*#G{AP!enZV+~7o*VqRFgUmVKU1t298 zLRCBDltiIl$>ug=ACY)jNIIckxRa5IRp`(h(oR!XX!bt9JrFRZW#CzI)`|B%C-(p0 zB-KM@&FypM_W1{n(i`_>ii=sDi|TWEj7*;~U1yw2iMDaYR_5@0f9wL49xd&X&WzWd zGDDV-aC5|iN1}d(;ZEO#(U~&=5`#VExFrgZq#6F0@R0d2^W=B)M=Y-I2oC-0-a-{J z-}FTVit%|rG8^$qM7i{%QJ^m~YVBB) zuYUhuZ6wyHzocvZwfL?yTkZUo)zUkzH>-M%U1yIt;&r98A&`V`Fs1B9#V4Dp&Pa@~s$(ND*Mz zN;2j;4F#TBgG`Zf5H7{Sl+*;)wb;IG>$eZC|JjB89IYZzLPY8-;{6#LxqrG2^^zRr zu3Jz!pv9v3@Q2nEE?rO+e9(eb>S$#^@xE2#%3}NgbHaFs8D5?$y(}%R# z?RBA>=l4FEZW+A}?o7;&1}D`ggP4=r{3g0QC6XeJ0ogIl0%TL1gWXdThp^?l{1W4Z zp7-kWrF^Sjx0d$}96$3X;qSy_R2hr&^hCHAQWgjI*M(|EOn>8Q0CN?SuVJ%yC?5nPKAFukK+lNn1vzmHu8r{=O@D1teqSSy&(_Xs z(&t?(3o~Z%S&o5agvJVgBdh!C@|Sp{4D|(18<2A>dQLIvp&+w^H73IU zH9MxpB{kukf2ksH)KEHZ;aUxJL{OHbRCr?H$AM11-pp4oWH5^R~Q-F>c7-`WMCAKjxA5=P^YW&(m$ZY{vs$OCuw`;Q;Qe45XQN008ptn)_k&_Rs)U)D)@T{?%wtn?;8Zp%uZL>uFfZBJBOLmli+HiTm#dvVkx)JxQEl2;wI)S42szp7o0R zybN`wWt^x}-yU{A1P2MT??bd#m{))G9Z+5R^v9=gn8XCN!5pp;rP9ILSH*9i*Kebd z`z3Y;Jw4oLL0j7Dj5G~=h$@tohcF(5JNKSY408F!6Dd@g2+d3L9t5aouYLIesSnu6 zt%*5Dzb(G?4eC9pRDrX)Iuk}-R>w}}bJW>A$g~K;r1Ht!2al9NOjhuU6Nt~Baz&W3 zSVDqnJ>=G9wkkHskE{Y^WVRmNG&5r;c7olH-b^oqJ89e~P|NUpEr|C4iipzGSr{a~ zR$UpZjvPv8^(NgsZnL*mL4jL;NCrE&O0G{XM~WuJS}99a*%+Ib>mZIusEU>=D&a6d z8zOrF6}|wN&wC2L;`t&znP0tLNSr>2g3kpNi&JIaz;H%t?*MK%pBB>t^66yYLtDDp zwdUO?6{0xCNrl#8cjt*@f*0*kIWwIl&3t~Z zp9C6`&E)>eoCK30YX|+wwhk7?3C!4rR7|Ihl0Q`|u=Yvwo^^R>y#k~|C}hxuYN!a` zWp^3;kG9=&Zpr@Q@+wS8ggVb*E#yG$01tu5I%#XGCyYr)99gQSrPgvTz(Cp|<$?ja z8{K@Wjpy%4r_I^sS(`QLul&FtLN+2^w4>-Nsv+*p%xmBMw%cI$8hCmK1)soeJGI+S znWhAi!tgGp)Xq~=$@lW>6^y#u*N1*{GZl%Lq&{>IPdw_2{1CJ9UvK~a`_8-~xaD`7 zT(+AMGN#Q926Fp$8c+3wpe@%ahu}v}ji9BeR`^i0iff`B^urCr+kBT&Uml{(0BK8o{UX+9D zDqTgoO7N~KQ%DbDu8kQ}U3Q_7)ufiDdTM^KF`fw}maTx7G#c~J*sxO^mX3 zpx#crtNZ3Rq}O$TcdPI{6Ze(Y0rEbY(C(=^NB;L;%qg9iGjGq-+XII6>Bn%#4xCI?T12f(U*gDt z5r%60s5=awt8K{Vd87?AkPyiy0x1Hca;ryuDodiGU)LkJgs%VDLpO&;AI&X$Wdqli z@@UfS4bo$A<7W9OKp&E+9q7Y982-6-l&{xU(h;i!c`(ytJ+IYFn@z2DJH-=HNla^iJna>x^6Oulj@Vw3Jv*q zeV=&D@&H}Om`pld!yM!U^UhIvv{oJvAFoH;dpIy6s^?E)4r29eOP8!{ zqb=zV6gq@Iu+(exeKn$4mqlm9-fVbrM2U~z^!x5Vbf+TQaitICSqxgAt^H*xE~Dpe z;PS362%$ZIjI1Z--3f=$rzKc{clt0cJVBLa(p*v4Gq78`^PouatA}mXM@Z0k+}B)t z_?17#y?N59&~#6+JuwU3nhEl`bW{s^N4$+(DRzKF6mT)+=C2SdGw-E^@{tLdv>nTy zyP(AjJ1$Ev!9|!>x9aC^Q{Ye5S9e&h%SjBynU_Vb$9v;l)3pC>fBo0fE7AhR5@w%~ zodpOs^7Bc~r&l*}Q>CQi(icSZr3>st!p9gpt;fn*v)Y_?b~JZb;q%gY^?mPHc3!s# zohqDV}AL*QkFQ7)ZIUi z`Rb7ljonH$)#-{UapGa5H;T8EW^zDR;T+?x2SdAUjAIJWC0@&-vBoxQGjvc4jS+Mv zeJ#U|!5Sxt1 zeT#+EVndyZEpIL6p#d!VU9|9BEehU8;l$@E>|xA!xtw3i$whc5Bo*Id@UEfa{$L2P z%_y;)i%TzQR_fBJ;!f33f2{zc2B#Gz^fF&(J&$7p+HX=XOXc6*HYrtyUyRA$F_lEzO6onD|OALz8d2-ZpstF;!kHa zev1x33}a_kNy!A$Zx}2O9$yJ(xj#Uy@P(duz47rPPqS+kjt0;2`{x=zO4|KkSUk-u z|7YsytI-{3PGKh`_`_3QZ{=l$)luEV#V4S$4(N;3rg=!gYeZdG256hjv-_mN4W z9cBt&l6Bm`&J=vGwlUlMkk>@jNne1;)G@7>lsUtxxl;MyqrDriGY?&23qY69QuH(> zf4&6N;RE&;qUSKzwX!K6se|m0>Ix-uB?}^`h{pQX>MzX-$OhA9hR;AkUpUXHOpWa_*@Cau^P+R1X^Poo}1o;W8 zEzYs(+{m=~WL}fV$u=aX5KPD>a6ZpJ=@;7zCkI!E{Yo5E6@mQ>18_k~G(573c$vbT zdgLdxj!to>agWofJz9PGc=}-K5`~n&NVx&d7NVRLFPRs3GTc4X=M>;y?#Ln6co=@_ zl|M?}FDk01$*XmHD3sU@mSW;EM_{Aamv#zymkaDggK#QA6|0#nSps&E7cM-XDTdPN z@V(uFYyDh@;3H03A3di0wJ0qz%JZEwzAN&_8#yE`xPOW9>0Q_cRX^Pm?2w;|dg7D; zt$V;IudQivR+w_Ua5D$27rkJLTtbN~ACWMUz&+cx@b4zJWOE~xH1oZYa-Ogi8&Y9X z05RcaRRu9S>H!k#=Q3{O4D>fk^BA5VO_dqEL+fHb7P2Si?va0Xq=Hc6SSlmBJC<3s zhczLnUDS08cX$Pi=wkZ_6G1gm_kt-GxwZ^%l3*%^H4(|$Nb!xb^@wMy>i$NaSk zpgjx&b&8Skf0*kjR*aP;+c5!-@C{LE#i}rqWo34*FWlV_%8A0TomMBz}&O0)pXnd zE|P%&?u{?xu)_D{;0k?Z3!6{}c;$ll;THSK&2k2U!Vhp3wJ+H_J%Kh&=uJKvwSne% zm1S&Fgs6>3Zp(A30n^O8ofVt-c55#@)pWlQ%A9erAUo~$tnnI~jvJFO zI=BlIAM7hNRt~v1Y_KR@7$EJHLy0%^$OjMoqkE~^M6B|pMN54m>o==emVbg}AaJ&U zN?pr3(%L6Ap+8@58`R!JAimTJYg+|VHD`(p3dW@5Rd}xsgFk1Wj7DI(3IwOqE2#vC z2-t$~XdBWJ<$2>nOxLubY!i$;StvPT~N#SKm8}=y9#&OM`!SSXE zrIpFyuGx##B2&k{&|x}8uDnPNpvFgNiZ46XO#cMof|c>F5$+rKWArl?{KVTE&*MpS zszI(I1!m?+_cSGR`wbQdXw{|GptYh*CMFK=t>o7m1NHC+Sof3|FjF@hdT#QoXUh>4 zi^brM0L@3MZt3-dVQYO$=}_*jZ8krq&oKO(wjR!^>vN=P`R)Z(udTMI$!509T-!(J z#hy5y@xZhZhOaMR{i(~j36oY*u#8lteR|yn`B6H^0+W}zk-*d;=a2I;BNz_n@t&YQ>Xf{U)HVA^cj3A4>@V$NE1=wCbnfo~|N zs0#1))muX~uBXdLAw-x@^hDp_sPp|=LE&YW3B|ACs1|g4g2|$;C0_@+-(PPwy*}#h zV~VY3dkgg+-B7x|Zq%P0zLA$uj)$CyYEmD;Jo+jUk?%tu2 z=1YJyy^$$uW|bt2kHAsQIRZldT`-_j)zrOY)y#_)(A+rj{MJom{Mzc37Y_*Gh!LIQ zn^Z1iKjbQFKi0f9_ubD^(mB8{BiUx<$t1ZozH;qDWUBCBzliPAhcU%CmJDu8${2a8 zIA7cp9++Eai?6sXe|CQhc{mj0sqYkd3oc}m(pR9AFcA5cGrQOaOU2(n23{eL9=~YP z^3{+lG7(X_I{BQaR}*y?t1j=r%dX{|M|m{9O9dZn`QTI<*6-R=LkjMzuJ6<;96o&wh``XoZD6D-4MUzq z?r>~gbAvgi@3>mt^%(ebrNV;s=Z9c0b?C9*%NJt27tEGmaSobPA|4upGP0e9E*R=$ zzsDJfdc$-d2!3CU1BRf9+x0#){-uMyXgi!2qxVf-HBD@sxEeH?98GtpD&s&=J$@0%v=VW#NA+aH^^mi^9dv?NtF_l*=UwMefVXGk6)UuIZt78(xR zgjj|ieSC-x7M)sNQ+OrCak%L9ul0w&3zlL+zxCRz$#^%r3NRKYZr>Ufq`9V!G5*f( zjm1XoN*V1wvCvS`fbkdRrq6?<%ENZni5y)b?M?^nA{PhHiDQ(C_byZLPSD!Tj)(3V zdH(5o`ZrN@jg0&6ctvCEb6i@n`|B4Q#*<=5r?8L6qv2pFKROOF-Keaj2`ryIYa*eH zL`S?WMd@Tvm|A==Zp*8JVd?^iDJn*IS44ZGxC*L-ZyL|kgWwQ-E$=DREBWIRtH{6= z0N4)-C&6rxkRn*sDU$>Lk9t_k%OEOv0<|xs2au3QvCZ+=&4^WZC(SfJYc~BrKm+`# zsu4+sl<&Q+I4%>xycSnm-N~Orsl$Jde=}t@F6fkz)*>D%lxiH~>(|ichOwEi?2pT6 zh5}OkNQOh+j2>)xdqOpdDmkIwRUbW&4&chNLRe&NWTdOWR3r{T%f?P&8LH0FKD{dv z-(_p4Sn_Q?@A>WC^O|kkeUZ8Qv(R}}cgrVln^&VWxg%V!YB@wW5SIBpO&?-LYvE{| zDsl{nRYdv&9{wQ+EaG3!F82`}MYGqIs-t{``^sk1AkbcjpXq9i?X(`EgFzvpP&FHe zZv6<*yEzOko<3k-(9;#8*z-{s72!-PFR+R1g0;y>!aqkD|3&oj-^h*22)1hk>@Nn3>f=oIVF7`0f3mE=4$?+i~v@6oT2Mm$z`_a#{nW5#`7*SN+w&)+#!8C$bV z78)mA!5H8gR{zZ*i?Gv2O+u}3~}lmRwWv|k#r?N!7?<0!9GvGC{58m z*L#Y|j2=u|!D%pHDbRf{)w9PTjMiQf+TINi=e&|+m%y-mZyboRr*AHJW8yyVWC%N8 zp~l#m2lUnDyXe=QEu*78+_E8@9#;*avsL(}O)X@XGR^Bfuf8icI)@{iQqftMSWo3i zC}@-3b)Hjvb-ZfCwqbWG@nl(d7XV|8U*Fvn3tNsH=-O8Bx$X4t%ku|#MxL2d@f5FQnzYgd*3)=OBsJUNd>wyGK8 ze1=AmsNihqz3BSMa6c9S7acv%M5tmY0IipG1IaR-DvGJuuJO9X=g@S3zjaw%$7#r@ zgYWG)V$Tv}tL-`?-A?prqIVg~6+!i=$N;Lx`V^hb^ZOIYHs>}+8pWYAKEfC8Z&aGd zX&s}ulP}GUd1lVo_gv)(5P8k4w55eddsaPG7i$lM$e8&hg>2X4)chv8f=99Z@;-qq z$+M3~L;Hi_Ek7Ts0>Vz>aogwIl^ z;gD*nN@~OJKIw%eGLvz&CYEf?Sa8Ll9o>XUQo2qUe=P_O??P*51w967n5UxkrEPec z5mO3E-qc)Z{0(B#n!f5aN3+JbqPPW{7+aUj?8n@=3BSQ{v@jRlb>2~|t-`lyDL{F5cn^eM4#ft-d=e5rF z^t-uRX!v3`-cPRx3)j8hJok$yzUx;pQchcGNUfUFL{10oDNrdtOX2ZdQ=bVP;aXB| zW(cA1aI9cX(Yr58RoFNdHo7vR@}72PwIx>Gj58y?#K^D#Ehl93%8+V%$ueA4UU^bf zt9y&K3bH;ZD-qTa`UOxlm1gRrT4iy(_K`ACWewTp%OQaXeIZ}V&p~W`{*|;>Y&D{S z&MI`@vs)2a%wh~-F5c>~yQC-4adrFPhBQ;}eGvpY}h6glF0FRmN-IzPM^L4eEfV{Jg}{vO!gm@uNWpd2-BK47 z=5Q(u^JeLz%B|pok8PV_bu|N8I?4PqKYFIsIN}9- z(g|*v3`GxMs1t%8pi`4*wz{T~IdJzWNQ1^qE9hJu0(OWI$CSMC241dyQ zh4?(U9RGqbRQ%PF$d=mzSgpbY$>MmMFJwq$Ru@`%Tt0};`5Cde{d}0b=NAjcO4844 z`1iV52WOn2MTl1M80-9UWQf-DKCSuW;>O%ob4g#>ZQ?7lu(<^(Hwvl2;gKOEe|o%F z_{s61;(@H%vm~jYK!pD|^bAGm!I;?&i=h6#R-fl|2rIA6*`Qp+AetQG5e<^Fo>_`!d#YKB_5?dfJep4a?it^ zZEB3>N4)Q2b)E|1tLTn(w}JnV;i%2cvFWnkA%BK&@xR$;|Nc2djCrF*VkxVeTZH%LH zzHL54Zx$$9D&4LQ{&7{06Vw;ZgEbrYJ2JcxislXLQ}whm^lc^*7}Ln^Cj~NxBvn88 zN(&Gok`?D_oVMqWGl$ORMZ+TQIiYQP4*WV{+BM6q5*%)h?bzh^OhUMqlCRkxuDTqy zj%|6$*gyJ_MV>L5$~3-_euOcz4bH5Lb{ggn8pY;jMgfLx&S{x!5lbQ31$7TfN4fy36#Ix8$#29N@ooh2ViJvckFpJ-B81|cAEdZR(vtS4 zxg>tU)=C1+-C~BnS=-z$SzQHBw;PT;o6W8}i~@XDhIW=PmgofwrQMiohm7Gcr#QeA zF{|;3Yp~T|Pn2;?ydXb61l4ibZNMJU_$!iWR4SG9C=qh4% zOBjK54DESuZq1|x9INGj0*h21oFe+L^dsJr&||P7%IFS^NX~#X%sx&Ed~0l8;(|H4 zX$F$wH3jgw%0Eat`mXOLC|ScoAUy_KjWgbXZi=5c#moBWE7X`BI$&Y8_f!ZzLZTf! z6%JE(eV8OZQnAi#4k~$EtBJM;81dAjNtd4h)AQXLO4x$MbsJdgzHI+yvtAr%g}UvA>nxR$cC7gM4|8}A7Q+2q{Qnm zd|s=!ZwDJK&C#yb6!y#XW67r30saSTmf}ZOnY}C-ZFbl7n)mRRn!!nmQWVU8E(FYL zDbP!NFiTG;0A-RW`HMzO_t}B+Qc=GI7|!jPSVw0sK)e`wh3^^a9Lxb z!W+LcPq=29eP`-=f2r-X@5E4PbAh~F-h1G+gnDKthNpg~^U~Cr+YlDsSrrQX#R!1N zTlCYR94+P1vhe4k&tn+!+r2pD#OAjZ$NKQ2CGp^P?4Qs!|4q~4PtOS##n?3NyeCM4 z9FJx3y`XJw8aPs9c9WSr1e@pAwzoh1*YImNEykuvGpFF$-~acQsgOzUjA zCmVyyQFxr}LEHIQG}B8J7boSJ8_$-lXbfcJBr4 zzWWct$#fSg&;}T=@-ia$Qq!Ri?^VgJKy|e#n?{OKOOg!m9WLbh#ZvK~?EEy=7@K}K z7$TSz5~f$mT}0u7WM=V#_NQd!CfpI)-=Q_GPn&S@pI-RiZ%zNr&!6$U4jt@T@LYc0 zhL775&A+1?uEc1R7|@V^>m8Vr7I7zix%X=dk$)Wc|K;Bv%g~>kM3%*K(>iU=i9h0C zFL^={nt;K5cM^0AWQa$j^muGFU+%^l>tw+V z8;IC7Db-=Al7jlF&^nxk82B2uahAuc9@2{Ih?zK>LGKV=+(p`7izIJ?k}(vFV#4nb$;h5!hp}0h0om zMYG}b;ex^w5*z<_aA^SX0D65%sP|AM-x4`F+~Oi6v4Z(KN%0tnzb?TX3WlsiTI0vbq6pvOqgNB~^-(?XMbLQc!k>g5g@(GX?f0_N~WFyL5PokjlvqR0Di zHjss+sUZy+c6Uf&i`&RB+DHMbI|C%y4!Oi$E^deB5qpCB<}EJhP=;x*S3`$WYHhr# zkULX?BW&zhmE{ok1`JVyU}jPw73$Lk6#H`>CMe_tz~wOiwe-2y64KL|{FwOUxNOT^ zbgPZ0pC54~K~s$wRB|5@!jyL*(l981lsOQ5{~Cy#AR!Z>cbCG@O%mz|spG?1F9Q@v^~8Rc>d&MKVasm#h1ppp=5np%~r$F2Yy)T7tUG#B&1x4Qwcf2cFlAE!>B zVde#MPw+O|0*)K&vHa92bSB5c?X?LV#I+43onC&7G(2KzqP>fXaPQqoVkI#@fu3U^ zplf9AMswDxb%N)ebIN4+{t z`6z#e$m(!0+p60!l&oHUXF!*zDisO+H=M)TTX(hcq|ANnk&w>PpTib8m17?f^dOCv zaYx)0gjoin=(U6obV%TK;8eZe!_JszF0TQqMnB2x%U=*Y*4rrZ>+5{Yh7|qUhNDnr zEImd()3xCKd<&jqz!scOdC;_2vy0ypwm1P}#K?k;IDgu;k&_gG3c-o4(*Ucx2Q*mLN&ACVwc45{LK=)zXZ za};O~0j7=Ub4z0{ZnKZ+^Pk3VT((p)l>k3U_36f01eRUELF8%$zdO{U6^8=vv!n|QW|CPZOZZ53ZDhLxtIIhH2_{Wgd zaAr{_2g8p%Sd=Gjo_YTC7`k=_5igYn@%nkK`;|HQy)`xP1^=I7O>AeiiGP}10QS1-- z&8vVp7zkqu*TpGM3#bo2gIaC+?tUvmGPUy+W1&NxbNftC6i?K z>ZZKqYUSU7@Yac*CI=+GxC67%2B3tc7XvFl>@{KRUbFZy1JUUeaCIbHh65?7O&n*) zGO_Jx>7OuS`B5a%8=%gpaQ$?WKu!MGD^Q6C!cd`NsE7{Uf-|x*Jl;p9B;FOa>c-Q05LC?vt<8;;ke zsl2GoVJ*+IjRc48TYB-2(6;UZbfa;;D|w7@4!fCIGBN3|$e{oJhqytE&4j_I&MfA? z?&Ds|m%kPm$ZP;CB?!n??C-q#!LxwO{OBXk;!Rn}bIhOW;F-6Fn4yGYG2jR*JgCG> zWe^Mg38JvJ?jK-B>SI)!j75Y;LS=99rr&TIosEn|cBL^>#N-TIbz)i>})+pJBcx*DF`j1z@Tf@gJ5WwYIBA|E&#fIy(aV` z4ZD7PkL5cBukn62#8F{+eL}-L>kqQoKuikQR~ZFv7XB* zRe+^1IRqmLDeQiayB%&4|EQm|LULEVE;Z>?x@@HUj9@i_-${`iGZyf{rb7UPLGSC# z>d2fO*g44uH_G7_OafULe(U=hx*2;ZlK!H<=Z0avVdgcK*tj0Mt~61`EsxpYWEIifV} z0#wNqW?^_r3V7dw{vS=$*1ekxZPD_QpdBOfoOT71p2*Fc%H-LY8^`h`(0$NSby+)v zanw2gyODve{VU9Bp~!Y6a?|5`gp7z0%k^{Vu3NLN9qozYIu5I&LrS6BJ`0uJ*zD?Q zBZg3=Cg@AL14Q#>8V#oZE{QUyA0dt4SJD=o&K@uhQ!C4L3A4d?;o8|OY9a9{B7a>Z|*k3wyqht z+|erVp{5+shu!}h9DMsd@&5kF<9!3H7;W>@ z^8~2OntPQH((w)C>trCqS5`0*S=l^>Wif7|x03k{uNhp+pmSHg32Tp9l!~eS zR$@BL-`fBoU%Aw`Hl9w0MNJ?;BaJn*3WsYDsO?U-^A+Z#>^5Tl7cG|Om!SVijzvh< zTmHd5jX}sqaAq4IGV8-~l(HDaowCKBKTal_` z+j!n99-|g_04pAd(EYiD?s~d`2Oj|6H(W-_fIdA53%y{Qo@LhAS@t%)Dz_b{S=VjN zue`xnTnhTR`5S(8ZN!iXokprsZ~Oz_XCF}@l=CKAP0|vX9ZNfe$##Aik@zq%l&iht z0&VRe@GA&CpxEn(<-7BeLu;5T&I5+n@g_B3L*!B@Uz4D~kRhQUHV8R|Zmk4%X+}`V zixdi`9)dI+)u6$D)7rfVh*(EG(qzhc(1kYi=cJ42CnTYO^vcdxY3=kGK?mrB@t&8Lj&% z;|gO)@(r+*5wzS1-e<-)x&h;vP?U6;L1yY5Ds#V-7eT7VON9IH3v88-%rVW{NLBJi zqIlzQZzanXmw_ku9G?fpi_tOhi}>-yc4}#lUrGxwEYMGPEs)7Fd#9t6JwEcPpCL9& zIUgyl;qYBi1#!Ic&|y-T2>$Af|#ZHFL@RGNh@W= zH}AG_$txAUM<9P*CuqjIG2+pJd{4||= zr_s-tmZzX6r^#1h&Te^CTQV{gni|;TVabSVcSj8ONTUSZdJU>{#ZEFk7p^Xukt)=J zZb@`H2IXk3tI}OI-ZM^{=Foth-JGY-y+&C=Sn1q0F-TiDu>tc*`!^56c2n<-+{U7` z5G}R=s*1)NXdb7h6&E?|4lL@^+Q9;3VPt;th-$4_ec-l6^R3U5o_5Woon32tN`9{c zf4hXQ(+YRD9G~DTiEn0Tvb}#CZ&E?``j>#lDG7j&S&sM}ALD!0NW9EdvjYz-q=&wczH9A7mcKwxY@oV@6?g*+#cW^cU5qr z3}k@Lm*%$>b6a=7RI*9J*PGtkLh?J2neO?N$G4a0le~CEcE;p}mTCUr#hjZw&T0;cZ!Ea!Sv;k zide!wV4-Tifx>v~q!pHOVSsqS^JYo{f`tQ@kVqueN*wPh>65)LI=&7ZJ*{CScuoaP zs~g>}tn2R?%6mYRVixlM3>@?JAHXr)8-E9mNwoXd;28V3{|Jte-0Ys}+v^A_(k@(x z3YGczE%+6md9Q4?b`{F}#NRx?|JFx;b4BVo*=G(puWULm9-Lsm<)JPJUIL9`RRXoMxk#8S#{%(D%t< z1kKxLB(57P!Yy|1t&y0U zI5{p!vlvZ-V<{O@e{$b=UL$IT!m63Vc`gU@^q)lnxHfAw1t!oJS7i=`wImRBC!GA3 z5mI&Sdb-%m8BqWFeHoR^Y&wQREcPfcZ2UPB?SrMH z@7t_?fdMY6Q+O5$dB-WsD*vgu7ef75jv2R&EBeA%nIjbR$b=_$nmk$zT4>)wg;&>= z;(KOX2wP=&>f)Wpf@+1)JB3_s>Q;&XjK4h}aSfm24t%jSQo3R(WAiE^R3vRuvKLxO zUTz&8e!AMV6_+E4xo9dZxAe)WP>)c>Sd;f zt~BulAKjq(uGGwB?1!``!Its*-3Cqxc{8ZH~eok1#k{hdG;a~ zZ1`!}Pfm`910EkcY{~TW5TO~Hi_wa~DXnL}0pJg1 zf4=Uu_o}|jA>F0zxVB_6NGtR;LBqy?! zGNg7Dac31Ry_7#sr8D{@Akbm(t3x>i1a7NKp{yS|mZ7X<7QW9^k}_^Xi{0AwN9+VQ zR0-P#bPaLouNl~Bzl&9!_j?V^^!M zdfnrEkZyeTN3|YshK5SL0+{0(WgFq*Zuo0zPW1yvTrQJw=yEbpUg~B4Ko`ZKmAOE$ z`H1(EkaRGGUSG(K!|~a{h!T&9+szK00;=4r5TuN7j1=A(yDpz7R3dpo}C~kJ1~i!HM7aiD2J=6*gYkf zH;(LD)sILOai@k?O@$g;hAWxbSMbAYS7&zdRbu!oUh~!AF1}<_lW&U?QkvY?l=yL4 z5_PLYmdW0v#IQss7)O}-4!T;2tZ)KoI`kKNGc+g}XO{u7%f`bqySg*Dq5cZOqh*10 zEw1T1cjLTSX}WQ|LwVEcf}k8`X*01@3IKQe={6qHbHAWuKqo#;mVi&eohbsl?=%7t_g4+wBN`@jK2pHly(aJoE)(dmQgc2cOr4Pqo`JZ=Af zK-GB1w-gAM!0j-HOLld>Qn+`H3f1c`^GIt)5a6Q<7iru0AQ1Eom?Xm<$_bOPDt{h| zxghL}Xk~}X9E`ZZ(w~QK&y{<@K1I$ZQ65|&u4#iEg;%-I{N+ugNv{7O8L=n6qc9s6 zobKlT_VulZra6tB?se@iOm%0HY)ifQ=o$51u_)HDpS^$>p5@b+U<#ptm1wzy-jzu- zr9hQ`Kp=;*ck9U5i5;cC9@OUVSO>*j&Q7xHlj|EWPUJh9Ey1f6Uk|mzRMcM|Q_NJp zQu0{{$t~6pOTZiFQP)Y|gziD+&@}6c^t8>jvlgC?qEoN4WF&3s*WADuklFYk;&q3B z{6%tmPXA*AX|0xB_jWirdEOfGi{L%% z8}xaJ5mw<%1-)K8Pt7=oK=U3UV6Cmg$BDs%f9Lz^Q1x~@sU7pf=7PGb&RaIpiZdW2 zw-27{<4)1TxW@F-w9%$6z<3!aS(YNX6s?{Tcs6d@qOI}oi$5+3r9gu)^SsqWwbqw3 zHuO1ql}FWk#$B*q7k_@yWDVW(dpVk`H?n7x;v*E#HT(uaW^x`PuyP}9X2KGpv$c1}Y%+x*eN=ngn zc)_AZ7z8<3ZA`PG?^Nz_BfU7mg_IXBBTp{LP1{ihv@BxGe|(C57nDATRol^&*`Ajv zxy)4hBWJn5+?lQJ^>Od63|1TNO;SOubZ^)1c~6dj-Tej*;2*;y(%k=lz}a96786o( zH`q2*fr2te4FhWphxD>~=ew^?gc)zpAb+9B7R}-Oq=&Eb$CV@Np5iAbo+TOf$^#0YDg4g^^E12m=V!Gr-^Y3`j zU4Lx(RK+(7ETp+{&l}(fpR;q5c6gLc|cKyRmS$ArXy4Mv5)N)zPv9=QRM{B>K0e z6!FEM4kW)u*N$EFU7-(b{0Xd=BYrTFgt6ZyqmeQ=?~Y6V zfriEq4kPA{gWf$9NzaiyvDn9zBS`GA#X0^hy8H3R#9G)(7u7g-(kFyVnfpuzdY?HN z$CR)7Dg_;A-_(+{YS_V(^xz2ho7SlO;JRh3Cw36MGwmwgpRRb5zAovCjkj`MyT}FJ z#5T94U}gW}dYCe0D=K=2UQ^o6*KVrdi`31@ke01IdK2Q!_03rovrFr)pY^s#cZ@ol z)PXiWRIanbyvSj&wfH_Dmu9Uye`!X0{W11;KRsiV(@g<{>zPeAL$Qc+xji>LicknwjT)Z3aXjQ+`Yias+AmOXeSOU%~$xaIBz zAv?+FPgrqLt*_aa97sb#P_GdjX?v=O6;ILqwPINVahu7f{MDdVv~cB_rot|tNhS6G zjqjLJM;9*@x`|4+kW=x5!~0}P8%#c*(Gn$P`?s{y=(lN!nf zy5Bc)ZSW@}{08Hg+i5#a@{FC1eh1#*{72wTA1CD)*sgghS8o|o407q5{|$Fzex&>! z7jQQj{}Fe?6Efsew2{>V_A;+evS=m(f&uuzBSwJf8Y+^6NKd+$+px{;v&Vq%4F(hR zQ^lu~h%@cq@8t?OzGLryZ!Rh@e36Djc}{2aU@`V{<%CsvU%}pcz&$f*lsw7_IZc4F zIm10r5bewv3HKZy&$rYrh|2Nd5gayI^Y!t}Y}#QL{#&{4bhjo0~qqqF$uzq)^e z{s}5hlhbb5H2XG)y?e8*kwMn5kfbCIYi_+%%6=-BKf6A1q!wYli$$n_ndlAnzuLKA zZA>CFAM_|CWMO_Zy}!|c33i?zg5}ZD@g{M$(shbl-L(jBYr8zsaV-lK6Dofyf?4-v zUTZX$LEOBv`2!I%L63~k#;*}A*cyv`(TW#z{Rt%;a2@5)(=Z&5j8N4{Aq$m(ACzwc z3F(#Q2RUa*>5enG6OweQndHsjDud+Pn-1kLLSP;>++CkS#(qgV4)lR-pw_fOT}@T0l5;NopnxXN=ihJS`LK3lFxcr^GGkg$!K|MW!77$Y zKAq!0ivL|~852ny@0<6aZ`_yp;6>=qoItP4F8}c6{j&tG0;I8gat*QhNlPK~sA%rA zfhSB2B!QTc9kpFF72fmhuTcj( zYXiZ9q_k1(pJA=AZ@k4awr2UlgPUgjZhV`}Wll(1Je@|SLR9sAwPH;*=$ky`+HYw* z%yxtbAiJEaN|ZehFyv49kEcnO%>RX-6T>gr#*o@zaA>{ge<|^cLD&q+zKSC$@dpTk zD)1;`N2+lx6?@h>6q9jlDZfE}Ro4$p$4a<+1vljJirXk{cdtUX~pK|6$$=8Nm`k7r&1;F`9DALqk6 z-@W({i+l0e+#Yf+&p8LOxSdxuJBQUo^HO`NRBz9o5T_iR2q-`L4>?7D{?4!8L)-IF zy<3!EcFK}!=U|~^CH1UU3-?7{{I>j_{42;1FHrX!X`ZbysL6S?%Hp_&rZmW|suK-d zs-z}2i7jKi1?7*ZF9yxK3KuhAd_QMLEb$H)gBoRfZ@yhzmEkM@3eJ_fCCZY5 z_O8a%FL65L;NqLqoVpEz|3-xAZd@ypW1xx*sjV2UfrO#_evgVd1*yy)fN|-cGa~fnj2EU=LqdhF>n5p%| zPM_OfP4FW8q%`?d((6!QNX4TZ>x5q#U@agy$pq{a&5(mvH1%V7Na>3Sqdf$52ZGvC zc(j%n%VsRO{iEkFksvCREPBX6qXDZ-t7#^U!cC}8oU)3!AS{U>MnkL^=qJB6*sWRZ8 zk8g%LPk%r9$}H9SwK!A7p}VvJv%ruK(00o$E|F5IcN=$bD9Fj{V_^XWYH@WMQAWqP zhl%PknV}1rFK~z7$eZQLZ;iA=Hfq00*t>hONMPyRL@_OPGA8L@BAaw!#hF01T%z5Z zlC**!++qBSWTX}*CmMw_jXTeXnm`AKBoB;NsiY|&Elqald~-b{0#jf5M^ z(^3q?JzmTpUaH^KIuB2QMr$7{h%@`T!RMI* ztn!+Rs^y?=XoR$K%6>t|MdjwM84%%o#lxAJN76NHs_p{xBdHb8SiP2`W<4-8c;Qb+ z%Fg}T%GpIpZPcgL`#I+~8Q!#$=JA-CHRa_e?#q(5N^b~AGGyL)<1q4Ga^dpWsKqri zrhwiY*^94oq+ToEkiB%Ni2hm8X!i}Hig*4W{H|^sbk2>QxUND6Xili}Sme{h+`;1o zAs&-iVf%3tsOLUaPwdr|_P&Ct_d|UDv8{sRSctZ{N0U|U@T#*xSXgVI$>~@I2tfcN z**`J*oDA(QDBrm+e%f~i54ZgOspPU7fG6!jf4ym{jm5LFt2(w0! z={sYoP+~oa^ArSr5t^&Q;}`g+9W@0QM~7&<>o~7q8(EHm)_A_`2cVDLHb?O)eGayl z<}MdcfF;DjEZfR*zrFam1`aWY<(jKxE@yH{RaITd|p<>UAxp zMttj1nPXgSem?h!U>!`Kf+40-;SJikO^tvj6WESH4}K}jm%bh&P(NzSaAlCzfqgbK zjgwa#nj5`ZX6>eEAGJb{hM(QM%?ohB@Jet?(K)6v$mTA8UMnL?#N){fQQ%VG52nxEN7rGB4svJQl4u#a{4ix`f+}oc-UJ{NDkdUi&ZzH;M$f-vM zlCn709NPkKs`~FdXosud`=v&eWw7Rb19+-^0<+TT;OC@cdVdcW0-ad{3?|-9J)Ita z_JbtC`Z$y%Q76}3RY4dv=G?gkl46_(zp;go$gIoB$FWNyC1^C5h@?*-5=*KBg#MNu+CShz5d|>RQMfWPSnoUpEFoqx z4$b*1C!nXq5wsin4)&`2B?7)Mn8zfI#>K0!AbA0l6Imi1RyK$Uhe}Ls`DGY~7;9>taX;zGnvkA9Zj5`yxIM@Q34PNvp0!@P+M#tlFtP zX?HX%?-w(_&}$%QSqwOc1E)qR%7}I(a+3_-G46}SCHvJ|%@YFm%T#Y~qptNn)n)h< z4W3sDDN8H?Gx?920p3H&(Jkbv>3@St4IeKsc0st@u2jizt2t}mFqW%Yar%Sm46o9X-;ud?V)&^vmR<3 z0%b0;5w5vO&gQoOzkOg8NBC%>V?iHNx0PjYNS7ZFr0I*}pyt$=$M$UK^M$Nn`|Yu9 zl{I>TC^$2kMV59d83Mx>=DmxbPEd@1z~m=~~Q_&NX9)^|HxhNLSj6M_9{+g{rEX!aZmX|J!NOGJFnZ%CDwlV&@j_aS-n$K7m-Nt4Z z$*HjVnSVz3bP9%;B{i^$_?poKk2P5}xj&-aB5x8N#MuEt#q5>lujO!mYIs7!Gh4Wv zvAYHM&cz=FL!Q79T`}ZH?=2DoXM!~g&VzeB5iP!yLi+HTGbY5Bg3N9yAl8RAt)9Y` z=>xhGTCQ?NB!U@g6GUo<9D*bz-BI83j(&!{5)IGbmhR%34@yNBE^`JhfWcLo9PJMs zX%%a!wwHqEbZK7W+JOPWji#^Hb2`B!s0OD!&VrL85Bw?xpnk1+RF{6P!WCgg_1n$5 z`|WMORZ-lb7hQr38^TT-=4n@Dm-}#oFq4sr-!lDt8O+iQ?8d*cQU^ev!AvOn4Wv7g zvR`9StZ=gOI!;I9fP6s3!t7=cUqi(9I|Jye_H%#sC8Z6XRH>Ceu$jdpiSuJ%bdn=v zOI4z3k`n3Qh;cFTtCD^llz1vmW9oYnm4JcFJ`j0g>?5y4JL1QwW&Ol>sy-T@1XE&kpyvza5kNvQI)cT;~ULI!XHfZrw3*!v7 zstb(!)G9xz>#KUik@Vp0-3xf%v(!zI7B~b3!wy5 zge}`6_q5swl;Xm0ah9V;pzOQUWYYb9KnhB}3C=o(gXN-oNye*a`SHzD! zm?GR-%KwFR@}IrHe>?)H+MIrAWGqkGX9Vm;Vk&`A8=t2Pgm^W&;h6PPNZht9bY=@O zYZNc4GTopMt$#~;X4ocp5Y&-RB`Ahfl2LEtkr9HGyl_)TD`$ryJ~b?n3(JQSpPoEP zTg&y@KukptGtK_`>Vt2~G)o_UM;pZe`7%YAlv&;(SW)k3;F$N9msd!Iu;^EHezahg)Yb?`g71A zf+m=4)Ibw`*w3qq%|B8PwWCWuj=)DLP``nV=$`AX%9n6rc)vKkA8JZC$Tt$g`!d5V zcD1_xbTVAb`d};LV4b6^BbY%Fc{yJKjMn8lO}9jayv*6usZ$0&AQFk#^UQk$Y{dDT z>tml*8rNm6ek4>#FoYgOwi<9CqUYzZL?wsb%|+kRmCGmh)iB`@?B=JUZj)U$H=)!!rU#93S~1D%~<$8DP;FGZe)wFDG%$cgT1 zeOwNT`zhh-X_p$x+a6(cil42?Phchz^5shYtzhQ1hn(DMm=+h6bZs8NwBW$HEt+e% zGWan?4}{fiPae?(ky0ncl^XQ)P3>4nulm#vAQ{kVBFTGjh1mu_roYHVpx*3) z1)U&uZTN*X-pXr4?P&kNG&+D8nocv0Tzj)yA%qBhvwm{$rm&;2;xkPcOIW#t_u5mW z;R9!G&ij_fhkIySVl-u40@-s@z1g`(_bB9fT{?#`I)km0&?=oRcREthT}|sp*K6`D zIcDnhusgDL{hWFFjZESlUvGtclkOb`@)+WRoc7JC{$d;NIbpzo?mm&(iIx;i&pj%- zGs={I=Ei}|hlTN~ijVR(OU?U1#pE=ti4deThazIfUiyq62zgcu2wGkyla8mQY63O* z8)#wq3v3=P$^l zgTEq^>=Jm5gDPmtMoO}7AH1qywm`kFO>r839Zrl}gtALBe8@FX3GNu*YBICZxvXYU z2K>dM<8;e<8f#Fbshsc03w}wIIR?zyhugQO^F++%&)xQ0L8WYY$>i~#?fucB6?${@oj%VNe;wlp-|lX8 z^`5+smuS^VyF*&LpAKYB{0znJi53#bJi>Pib`H35c`m=a*G_NFY=rNr(g#VZ-G?#B zc^h_71k$eR)|ms;vlJe{ODbFY8!suv5_m~&)+q*dl4?chFCCXMJ{A1@gO?OqklTb3 z3D(7*PiwxWgR*|E7|$GUWS~u|E1K_l^jPNzw)LR0Pal`U38<^BqM1|bBdp(a#|&Jh zvqwEJID>yDO=F_k+v+P7h!?bjhMgDiX0s-mhT2|)9#>m6@CcOezgJR7aG2cai(e$& z$jul#{vyYYRza~wL$;Kw1^vbB^-P#&n+*8&=wR}xMh>@Dlle#0dx6u1!+YN`|@HaZ3S^7 zgSJFsewL_{slqe*VIrq^1dGwmU+z?6Y6?VZa${aX|-W-y*IL7ueovt*7M%LmEuW!Xs`g6G}!nh26y7y^T-^sdQT zb0mC$Gl}Q^fiy=b?a!EBv4zq{UmvE``Wlbu7C+AuB^iCmn%l7bg9Y%~tICHbc+^T8 z<^rr7)6pZ3D&+8}`P)kH=M#C&BIjYYVagl}l?m!7q5{j0+xMk#Vi1VegFw+20M)L> zfj-LBmkWbcG08VI3#KF*sJq{QGeV9Sf^)H?yX>0vvuf|Fn}mWy*B>yJfzTxF%WPgI z#rrbT(R4$4niw_?9tFSKKJ^eKK*LNeC^7W#HTd*h29pqPTg zOc|3wOm)Gd*A}DBolN>`CrFv)i@?rpZad#lkqTsZ#V?tdoF?@d#^aT)H>BC@6O_c~ zx;ZN$DusVdF4{9=fM!MT^8*%2tC%C_gXyTXgq;JvIq6S!5_|l#8$V^Nn6Ku6Ybd=B zz)MKvo@>Cx-@!}SfGL>vKP6NDR)|FYDR+6oJk*!N4(Zcyx*{5RYcHYe?Sj!~-&xzj zoW1)hq<9Tl;1ydOxKvE$iTPrU2b$9JBsS96Y|)(??7q$>U;hGKq5*nhzUYDHiXJV7 zNx$jZMZpocVi^}7Uo_3#Uh-iVe|#47&w}iDB$!GlbH>Z_?==MwO3gem`N}88O z-|s3DUQ)-JqHa{+G%l$2O}-7-7?hK-Y;2WWb7V14=I?~-TYFru>J)%)~#+-T)e97*G3Lky>4LBy=dW}5pnrC zB=rOad!ZZF@FymtOmCK&!lYm}5>{CgK75|S9RjnPZo%n9sV!buE&E}KJiNe>E{IJ} z!<7_}RR)LSq+pOc9E{LTbi=*lLy3=0eF8eG!zPIpGx<_I1Ddog=i+#&ZL+~2mI2G5 zkAzUL`3FUU3u0IM^K{lm6@JiGuuXfGpG?Yz=bYhz{+x0cCWSqq`#HPuXgXmISS^bh zAp{vTp^3bG;+0X0Hdke&t)jrS}P8zOBw*SWWx0Y68Epn%WRnQ$C1=e`7U4 z{+;k|tfuK;o`wMCglIXf?H`w-4pz&euXYGJ%!h9sH)vK{jqn46m!QCLN%eHSRWR{k zeaZDfYz~R2z#Xxq+Q};4pX;Gb!{-PL0n6Z2w`Lh^oBd+cA_Jt_$rqNGX_O-G=z_sG zloYo*Vx2bV359@-Y?A>rGy%4hPKCbtRx`KDGc}5B- z6D+T!p)UNN-pFQf|E4ZfyuV5QH<2a$4%VgP{ee$`AP8emmmQs>5&&Z#2-BQBRQ~~m zY5x{@sV?0@ZsXBm?>YIE|I^oh5k!K2t5w~fg&ka zEnmU6i;h7QKLg#$(2N-*-9vY7K^gncFsQe0iI4c&*$*|XD}d2mXUx?WWLCUHW`rj zpI?@=ocU)B&#yibdGl?!16~Uc6a7UQzT$tr3I3OlTz5fxwzaug7iE0wUn~#*X65)d zeohR`{4fhqx_Xerf|*?=)Ao254Xp^yc++@2k9L#&Rzh4jN@>| z|Hs-}hh?>{?cPcWf=Egu0@Cr&4=E^V5Yh-rNvE_REz$^xG$J4+DWDS4B@)sS64EUo zBE7FM=U!{QbG_?W-}LzQf6gg~3eOn#eZ_hH&fh8`|LY%rm4xjX>t$2j3rv3DL|2{q&)d6>LPV9`$R0#IHq7fi5nZ-b5e)K)zZlQH4z4b0Y#oLTRco z{qG#C(j>TKF(;%~idA1;RZ^8BXMReJ0m=aq*mj=RIL^6pq*Q+?2;hIflY$|6=<+iF zR*3T%H3lY#hltUMIS1=)AV>vpMn~#JV#CvYe8UhV7)ZiEcO5j=!LWD_1N;10^eeSM z6ZZo!q>Czhp}YzapcJf;*luSj4$b)WIu!ksT$wh@4X8Ugu69y^TYmXRI$#mLy`PCB z1%$}W>rvjvd**&VpkhUW`5aosC)Pr6(`X8M`FfBj+U~LdQ5>9a3iKYPjQP6p@Jc?x zgDUMRyopT4pwB`8HQQuWce|9X`f zs`2U<9{^W8QYLq_A1s~tXwRTH1nC8yxlklZ6wLi0a20jwk>e~PA&Zp2Mn`yB72!#u zu*}WzvAQeKhD_xkcK51;W~`n$4C{=+>S_#2b@~rek6>LA1}3mzIC4Ay7sUh>$s6EK zMY|(jIhdAx`B%@)VGlGQbas5oAlWdQ%E! ztl_(#iZMTqz8Y1zvYkme)tAsBNPCdny3{`(!W5sM_ec@Xc`cBevm zu&KKbMd*et{{^Zzx7foj84QGw8zuQO!31Tuatwm{tKwBRQ^hpL9oy($rm3Ur>lNuv z*6U8Z+Zc9&nIcPE8a`fY#*sa*qydk4a&BngGGLTc#$gR?3_79Ohp>*J*!+C$JRX{^ z28Qh43d*{-xRbj{E63d&8oQ5xgcyk=mFd*Dm!2`;A~Zb|>bx+pWcZCUd4#YSI`Ic4T&3}U|M1;=Aq{w{ z^9v`hXUVOwN|MFHhiV}YXkiiv8bzr+Z?VEB4G(jV4}h6kR+zk3bp?L-QQ;Kf$)My} zSXr5CX;C;u%sQ|@)&_u@FqK5L6~ImHE(RULzj&BUwu`5gNXtce= zY0bWJ_&tDht}8s(ubl_bxuy2ak4cr$GSb>yZ=kW*d~tH9@VXCjCAd?&n*kFyE8C(v zh8$-th!Cb*bb;27jkZ5WWtbL|XfGRbv5!gu59zt zcx4&sCA>K{coO%b0HAiJ+>Nd159t-$ft@}SpE!T-tVoas78S|582P{I9qD7nQwpT3 z7Iv{v*N4C!Mn_yTR~3wZ!U!S`U-ncUTrW8t5XH_pg*KudVfuyI;Dl!(0dCF2Z<#Tq$fJ+hNvF97dJ< zS7Gew;JoSdput@luu9R0vV_L&{UuA71*(7VbYA_!7xT5kTALN4m;2o~$;YPC8B7d} z87~;l_5z^ib*dD&gRn9rp0lg7#6-2@J8a$F=!LMH%TF(M<(-MV;-39^5`qa7oU6_x zm?MW1Lb4M1wD)*MorOu%BGm{Q9)>(D@54=nTa$1!DIfq{(!c-C!&h>g4suen{Qf^M z!EeH)VFHU_Dw%*^7p>ZZki-yL9+47u(05^03c*tgROKVE_EPagxJs2M3-Y^CTweR2%D0Vni;DI$RpOAXOquZ|#1xhQNu!G(x(#+ERm&z!j^ zE1`xYDJ8{*c@h$uA%5f7?hQb0wZPK2Ttdjm{JE6`p-P%a1+;a&bVzIiPaSymo^8pNADj{$(DVIJnBrWCCN zyx*yH{V)_5tQo5iW-!JH^cXBw!$sWSdPy5dM$kWJDYd|`qmTlxMh4U=O8rr(<--NK zGe7F!d-(?RJEwo3sX&qfXsUgm0X2oo6%iWju=uI|1p^LQkewnbP1?-28WnLiA3#S& z1Zb+;udZhR)Gx!Lx0#-Ta*Z3Z&G@+BXspVqrc8$1#mBk&m2b+*Y-_52TyuPLu)btN zEl_{1H74OA_(VACyD!{gh%o4|P5A=7D{fRCa8 zwZ$fe$rW{FVzZOmakW5UlLf+MsvFU$@1_qUiFGr%>?1_cF~m%3fWYp#dD9RV6SvgC zszBlLm6JUcIMD)^WSt?v^laU64M;80iZ12j5Bcky$-VbQCi0;AT3Ba@D$3%Mst{LccCl>o@(Q9A-IwY)S|w;#YDj4((*#uO~uX zF!@>Z>iN>~xJ%sqd-`^FKsTsXM4ham2BuZ$ED`(0uB|#uvsn_FL%9Bm17x1JWAW(B ztvZZFVY&mLZ=nj(fFsVoTf&A3t;DSf+(!O_b32aJce!~8o10j9#`5b%Q zI>BR2nWEHe2qqOzY2!c%A|t$(x|1V&ztkt1ex-Ne@oa%h(*CQ5E_c{WO^t-($o+Ux zc?rcPJoEh@OBk&SC`Qa2c;~Tm82yiTmj^%b;f9;)5gMlN!&75zZitm})){ybdsfd~ z!{2rqysE&sj&W#2gyavSaS9wht6>LyL-b6@rAlYQxuc&QWiWB$IhW&lo+t}Q>6rgu zTLpwaKn*!ODhj6+{bPj;W!hjD32Ulzj5-_$!p4A-1g=#b=qsYPDX*Edh7+SN%Et`4 zmAgQ4T=3UwH|ws(dVO-rL7a$0u=a%kQ6f*XpbZsd4MXPH%EzSmuBV?&RX&6_0n0UC z1lxo}ycYOcxeTZ+jR8m@ZT05W=_fPKp!kcn2=={ZX2^EBy zVa_AnRzf4@daDki0xV)!R{~~(XvRhGhL6laG~?%N7odg0}AelJ@OSk^sDzr9SfS@U^qB>3+ql)>3- zpB5?_VUMYvE?$s{Uv$PPn;k{awoAs?#>|*UFYr-+VVdqt&clMu67L|)54S*M!-gax zgGOL31jm#!O2X^J3qWqs{W`1-o3p@G1bycGLp+>)pOb^h)I}qi$y-HN(b7})7>HmX zn8&o}mKx#45wxLSJ$M@&1=8$)nHGvn`3872krx1{#Q zW<@UDv+7UQRaq}x)0`jlZrQBK)Cmel=HKIHptHzWb{UJoL3#A~DiyAaKF1+UlKP>v zzW#z0pjlqpIs0QUxt6e;o$g&S`v*14q=bN}FYmGnb$*c5`C+zmiH*4x&!g2Yl)Gl} z#Z~Bk=>+NYf)b|dt(*w#t*l=AG{N>wO>R0NLCN=8R}2sm+>gD~_*TikvrXB_F*p@zTcu`)5Doa|501rb(P5ga>1?T~ z@O1C}37P_N5^|~rt{yLu>zPXsiDZCmQs|4kt*_P43~Xl7y8**vU8?yGU;F|6T2kq; z_8v>s&^6CKBia6?<&BXt^YV4~?p^5O`Y+Q_O5Xq0g?e$m{5~mFqTEV=r{u4lnagx} zk}g>RWeSo*`19Mv%kkZB(!@4R+ZCD8j**O;mzqio4^X{Xk{k8U7D&_v9eF~Rz#g{wpCA@ z5^##3|MWgixnxvmrus^F)`JhxofR>AyXVHf;KnYrF{hfyuLX>EUahwORjpd{2IdbE zhpCqd&b%WyeoLy=xA!iw_P z#fr=q#WPfr1leP{2Tr?2v=&tbs}jjOLlZ2D4D_phcin`gE??O@|A79Bd#JM1W-}>9^mAi!S!HQcQq7VvXUcz~ zv`~Q3!l^!(aPGg=%`>)mM@MEPeKSZ=lET0_x~$q&C$;armj1(~S69X29~Z{N&Jn%B zuWq}skoWnhZGHZW!N`Tn&DmILNhmkP1;H`PNr_eJGoMwT7addHu&OD%s5!L{F)W-`otdn|?09ME!m*@33pGHYesrwlh=X1O()=0xX@> zuN`}(?C}<9osge%WPiT28;rp!B$!L+1zz}6s3vTXRn$!K zF(xPaFIw*D-md7r=A5822V(}8ArEk8Sl`qn9_i2*A0tBu-@i_Xa9AyihP+g30sog*$2ZqM$~pqUoOg@dBCdPR)QZC$e$4~ zBvk2Ct3F@euiU>CKvG0}`G@OLpIkfLeQW|>MDNT8IYWgU;T;I09qy^jxz~7T^7gN< z2DvV|Js|(^aED}38-Vz<3uKfI9dyr`<_zmkDbS%`1(FZz++N>WLJzfnHK)6_4Rwb~ zLJ*%JcIF{8`JMw!L^L*<(Zq(d^i~rv9vjSZ4PQA+LTMC`%5I^(F19?b?QjBKeXQ{L zuLu5H2-b4B@s~I$2Gi3s^zQZjf~`v<<}bJ-L8p6($rLwSiPAq0;|VLJUp$xY?XI`< zCaVD1f>Hz^TW@X0LZO%e$W}Fzf^&U6k@9U&5k$^bp2=H2046;nN?v0R?rbFMh)LIB zq6#!%OqScHlvOryQzA@d&lPeIpn%iFVEE%bEaBT0`+7d&_LM%fgX!Y8+JkjcpdR!( zC*kRrakx)7L?n`+WfOWt_ZgYk(KBzLt?%BB^gy7hSJ(54B(=Sdg6{Tz#Bd^*S8%g~ zQDPn?AYkWzVP_+#U|%&8Z!&a#`=5j@>*jwFwjTbl@LOnzOB66aOV#qRQp7H8jY9u^ z7E=#9npntoRKu{da)YRo(|s6=inyutldyf$rrNsQMawfzpYF#STu@3r<9>ppBsMu> zb)^cZA1tX0#M`GP$oWa0Iq{k@UnnFX{m5!4ARQ%a*7yU%DVoDwI1>F0SBSH)jekFW zh-psyRvLi16$~ zh02}ALvN@X(u^G>x_V;rUD7%TObP)~_N|#zg$!Ac*Iu5YeeB7Z8De2gRj`fno*F09 z8mJ%|Itx{M)%LBxoyc&U+`NX-S=b469N%6wE3!q4uEO+X?&c9yhoNomVcWvSWc zJ{s&-Z1v%eX$hiusfHO+MYpmxpAAujQ&^hX*#dC<*ey+vy1(Ow38#wg_Hn{6aPo&O z#p>@-pO*X4&L%SIVOdTuxZWTGzR^o*|%|Di?r8XH8%A8-%Y7 z>?53bZ1VFG@f~h&M@sexstQo+S*MG1$CXS{t}A3obmsM9%}fqj9$$ZwXfc?X7T^1> zVBgW;BbmgC*~xw9AXDL&OEKN~dYXRA1@~h`%|1)#4|#l!*q~lw_~!LwWC+EE z*)ZB9>>V(~KfgkXkX~y2gR8d zi*(j1vcAYQs9Y(k7L@91xMW55PMTww20+%+)G&xHG^lod>&DBSJqhnqg~>-f^W;h1 zzD+sXR;Tbvf)%35kdTFx#ORQ^u7pR1zY}s0BPY##Lyb~0yMdYDiQ%bLR+N-xM4SVX zwxSnyAX-(Q(5`~$EN)#%p|nvJ$@KxVy48K76e3gUK(XvgfiGkd05TlZ53)XgYA{ZT z@pt%Eq;LyRDKi$`O}n=Qa=OyM1TUFOW75{SOxx z{T;E+ET#)ZhV$n{hzzLJsZ2TKiDeq6`nm~EoGhbTHo>|mk+9jBHwPJxmkPtf8`D$c z)r?cNe`&6a&^8LnT_VYzVf%3)y1JiNCi%qfN>k0X!yi?9A6=c52F1=FMYQx1ntb-! zRR$IB2b-Q^_~dBRe}yb{5_ho+J+J+Q8#Suad=xZujgqgJ$^}k;#09-_L-2{JM4h|Y zSH93mi^=X~mse2JFISKhG3iF~e2y#P3wW!q)G9Xi^WBT|x`X$&PxiV7CgI|Yxc?h9 z83R4W<5!MydZx&-7j~6;cVIw6`WXMfZ5r`j_vy&KW^(Hp>XX5ST$Z@SulnQM;eM^iwyRoV=`FWZ=kB>Vl}3mpAl!ZL@bbB`%T+N&+{&4vq44qh zcQo>D%Y70c?Q6f$-hNf@C$iOg)g_BWa2J5$$7%^N=`4X!*xGW5GV4|Uh+E;bAPcG} zL-O9DGB~y*J^;op_Bm@R0oMG*D-C4@q0ZrmTvNTQ&lN%X<60^fRXp)%rX|%oec7>B zjv@pG_ne|9;vjUVIEjC%@ZjA&wU<}1xm9i4h z-A65+D=>3(i0v+R=I`sXy1L$1z=Ay=4S$FJr|la95F6D_*MFp(!-WJeZyTFx&>=%0 zfw5RZJq7o(0!(Cn;Jx%r^P$4N+RoEA^$zX z`iGivAWPFCW4|p+3whaAZ=E1<^CJ*))Eo)W4L z*(qkaUZNW)TzG0pa}Ab3Vb9_T`>%=x$o9EkoKCg%JQ;Id`%=nuo8ru}d)xRVl)UX8 z`tgDVZhiCa@j)Ze4>oD1s#V48tTkc1$NhccQ*lg(3w;8eV>9u~UZYfqmcTDO1cP<@ zs{oR|X_cuLFWTEBM%gP9eV+@Hmi|DTl@xuamDDe#-Ya+J3XvV6>0{S9Fl&>19=+(5 zjJV|=JF|tPw7KyOJ%08D&-6iO^TgQ6U`bc1QLX1mPQwYC_KEO}kDSD{zdwQfjECiE z#T*?uet$4?Ey=oQb2g9a*TrK54ru0F0~5Fk#i`OI0^yAYvAn*5=Ut<%j8R!Cz3%ycMHlDRn9L_M~NyuvYgKAA8#hL#S>_G;T9!KA! zjIP$TZpjc0vv?f))Ys&xl_^$SZ$fof#yD&o)>$5h<1!`*T9QCLoIU;0lFcHG7xYxw zSLKU)`<7O#ha8efU^R!g_Qhx=W;}0%&-(xrS&TVzMcJNFIF2h?=(%sABB~ZI736nKNI>z6Poom~*ptsDct<{xiH~69Q&x zbYwzNY$q(-ACJErnMr>vu}#P5*7Gi}GrtDmik(6k3Y~Kp+%Ba@8ku$rtZqsE6_%!4 zYWaMJtAg0A?<-m0z#v72a}{pP^NeWfrb;H_Xz@zxhc92lm^UQ%=5>R9s;S(}$k4^O zUhcr~dNQS%J(srd<<8X$sL2sK?|g43cub8+vfd%8bC7v$lKEv?6!_bpMwi#i{Dd5w zQZbtb%L0g!xhikjJ23Ordr(swZ;aL`^3veaJ^5cGI;@rcl?q1_4G9{<@3MIY1hxlU zSX1=Icd0u%a{VzT1&DSkrKuyWH#>Zew=edTMR{CF+ns^elMPu)sAx}N<=surk!}w+ zjZD-i+P-=>Qj1_!W2DOEHTYX=K^K78lbn2}K(B(M#H)a{RL!?)D4tl@M05I?it`6Q zA*SQIr_HIf@48Q8PugEY>%8`_Dn*MTgO}xsn1^2z(aJ*!O6404Jc0{W=+jNTylNi@ z>$;d9el7U>757sgJcz}>77s|qITr5BNp($ney%CEfKcGLI%94^L|cfl>6CH3|_qZ{K2i=p>>?NtK7uou5^StSX_Jqsed8AD;*Jc50tf_UYMsC;QrJprH#KYd%b;uD$w_N~wJ)SoF!& zGa0uZCsy0;zv1g~p74tMbr8~t&C1%!V2Nph%7R39H+Qd;K8i*}`L+L^)aXNn z*H0msljO2sm)$e6&eUM^%vnaMOC8TS9nSK%c(o-j#HM!7)v_kbQ9g3eQ+$rJTT}O* z)<o*aHaHQ zmr!C}5ABPhT8p}mI`;J=H(i_)B|P4cez+O&JkT5RhFfNS;3!n;FvqP#XcWg8S9a@k zWP5ft_leZKaVWW+DPwHwhui4j)tJrEo5q_wfef|R9wsRK?ekO`gW;*L0tJFE13SuK z)`lYjNO1}dCehM=5|+M|-Gt!F;5wH417CLfML6tSMi#=;Z2vF5jPLFYy}CV@B@HKK zcV4TL(auXk*976ztBpfZ6)Bb$LHnB%>irDkt6`Sq=If)@cLiM2wORyMubWQ}dS|VC zd0XvKU~3X@`6s|EINuS(Q`NfN8}RJrzB1A`-5Nfdg*Fl!Y;YH#G8P+`$)VD1AL{07 zqn-H}R0ODL&n+jRrVF4Jw_A zMyYDMEc(X!TfIMTfZ)qSILkc@5pX~g?!-hudSQ6a5sj7oe$kXcAMP1naspD$u2kxy^Q$o3)hf~# zHR@8Jb9vVG-sW3#NYdT0q7Ep{20OCE5#B)IM-VMqFS(OuH!!4dH{!Nth@Me!T0NU7 za;L-4+-Wdave$bgJiN<;UppnR4_4zNtWDEh10S7Hrzz!|^5n=@QAp}=uCC)n6;LX? z4y))!SSEA#IgG@>VScLjKt76|Zs|6N9A#nq%4A8K&`bQ3B5L!>atkLoA>4~aDON7+ ze+1E0u?t-{{o4(UI|G6>H#9Q$KqjJz$kCE&OCq)B6Z|qi0ji4jiJ|s1sIHkhEy(8G zqlCWEPDF#V`zPA4W^XU$knG)p{O>i=R!YYEEi1GBx6U+%ibggLmBlrQFr*CF zL!pJ7Xe7>Tq34U+h77u4<`+t53dlXkyc zTSjM)saCKA&03{!ov2sb6N%{Vx~{-glCZ!3X_HA~ScWYcQ=dw1J@Q@+Bj=nK#r^|! z7GaFQ&Vb21^u|!z2ItttOuoz~|$v%{`dxJ@ID-W#*LDXs9B8T`gUL+N^ z9E|rdub@d8sYBU=srw+ZQw?x^Z63M?Po}E7wAu!umw))4#*{F@w1p;IM$qE3Gy?`F zV?}=QX#xNPlV0XZ^G@oyCLyMJrU(AjUl+)FnV~pjSspIl$Zg&P^%}8S)SF;C*^nq{ zmbRN-l0S!*0r9qN^G&bQ;-Q&kXD^}vAl=CY8O6LMtL;J2$GEyK9p2!?-_R{F;AH{q zO^_BwZce#0-=QRa*g*#!OqzrMraTL(AlyvQUhLc#MmEIEWH@|Z+kqQJ$+3t`FwgtL zIfmkJQh7ySnn0+467GoeO#1XF%JsG8Otr=R%+xDTDz|`&l6K@JZ8tSI){166`&S`5 zjci65S4~8+C73CBCy>3c{}QPgRv}zWqNcYl83w-Y04-?_i_`v>aIJta(Ya^p%^)&~ zE?>!q$|`#WLJ~jsjU*}VijU0_ag#jPO$pI&es5q0~EtI3`5%FTK^3B3}YG8;84TnerV$p_+wT z3KV1edS5@*0Z(HH7UzSB#@3`Oii5v&A+YaJKYQ1prFZoRt=ssUW&68#(|l!i0R%T- zgM`rHqX)>Dkx2sqaoi2^@*Q|cgVPVnz4jhdT$hjBBtU42)(2H9MWhf-OeWK<;XR|F zPR1Bru!AE!?JE#ZO?A%18w9}0yq%lp&3iz(^my@7SOONmq*>=Nb4(Bu*^m*$31#Sj zP+8}VX^0Lq=)wxG_e)(L&9k)%qw9ziZU|riqpPC^o*H45@ z*=mDG)N*!`daK#@`&wE|dqzD&n{!c>MR1(W3ap-7#E{S%1L_;^jntq1)_b`GB~V<3e;j9FD7@hqo#!2$ltNQ zTO+hzelz$fPJ(iiDJhl%1Pt1-co&lq$XSX5Cj0HDA#SdrJddp~aT%%_K~_^7_Z}9u zEdVQwSuPJ%RLVExb{nv`& zVQQ;aprh8!9J|CHPZiPPT%)y<+XgS)4!UO?FeVw$6( zBg|BN)mCRS`MXtfAR_HcYOW$!*%){6t>K?A)Fh_sw}2{yrV(JsKn)qsr}%Bno1H5n9Mfz4IpO$e8x;BfpNqbK ze8B@h>0W1-zHvJGpm`+zvDZ}%x=I^y&3yw*+S`$mKXvN*m1`{xH462FR6P27v0J_N zlsa>Tjf&4zCo?hnTd9UB689!N8N8^`9X=2sW!Sb@Qr(l>>VYD}7oZQ=e^%r)^4YDV z1KaO3A}pg{T1NJ0C75-UulZ?>W2kPi^cjYqneRS?x7;JQU86UtRF0=X;zAeO*!+NY zt=FDKm*s-d`&S*XiWo3$Z2KZ}hdkLS^5KMpJXR2#8C)?)(rvpVKcP+a5+Gvq5_ZL? zY)71%4+_k_rP{9eyxBsGkf7ucTJYd^X)MizSI5ltre%Spjq*(tf6tJG(HGG}7^HnJ zBE@MHFzZxY=Gp!${49j;5BOPxCGJXE*%87%Bgpt5343chkT{Q8A|tuGP|TH=-(!qF zkODV=Vj#x${(99445bm{Wv~Fw3C_cevAm6s77xd_e}NGs7ZJWE%@urt zl;iZd%Q3!}-ci479eliay-=^>`WH*yM3YvpT~_N<B; zPZ3-J$Kt|a)Is_R%I)+!s&fZ}FCbOvyTH~}I$6O4v}1KBzYy!N|7NVPO$t8 zF3(?Y6#QKO;Y*!Q9csHtUj+;?EfC7VBnOIOZU`MGRmxdD70E-1pU*@_@YP0Kdu-p( z$)eF6gsu^V?pkyAGd4idJxCcC(VnH*A&sF-1*brNnv=x#d`%2@HAk}eCSxCw>voF} zGb8F}b7cLp-6Tli$$JTI^}gkBI2)pQ^GS%Q_*wr%tEnnrh9y*4tUr?gerYdE=5m!2 zjA;Cr2q!qL26DkNBU`T{N^UIm+JQe<;ZG{s<_`fIx|$8*#3mN|n#~{+MGJ8X;eSxk z>Yok@whMkTWjr@yMcMb-zm^f>)L*G+0ewJ4>*Q0^8VigKd$GL^hjqaPmq?@VBs(Ry z$!U#MR+)vv5d&QOx{;!Bqu&h{Y zT-EsDge4B8gy07|3^j~HVTO8WJH8QJ#6;l-r+5_IR6b?+4|c|Q8}2U_X9Fn$>{|iGl+xIE1bjv{SsmCE`spl~Q7?TUoU8UesM2orh$e4R zxEcu2+3W+&GB25v>I?hmUs-8i%GU^OEf5x|z^@4zwZf(13~86tY*_98Pc;F3Ey?5~p-o^_?urW+`ab!5J2(*17YAtwv>mo)?ORU$jFU%3l2 zqQY$q;qvWd~mNE}HhlZktOW(>pkGVMdRBysAheZ_A2jI$o3Fb))BI#_0DUAD) zsQOXU`72}&%xZHGexe;aiUi3Oy^6+tFfZ(qSu-h4)63uKcCjNlGNwI%!PqbFq6y)O z+7&-0e=0g0+izn8-S4n9;gKjS?9b%$UVQl^gIwv8N7+Vitx_ou5{%Q|_s*TV5@vc8 zRuGC%g`#un{q>vg~)8KsC3wi>y{Kj~@e+qP|AK7N4Hh2F&I z&WOhBt3U8*v~nyr6P||NxKY&&UDf1FZnm($XBsyKtDsX+!}}T#$Tq{tiCK-uR0SiQ zFt~0e^tw|vP*)}%t`rW55^P^^&620mgcZyymTPn-Zod#7=6$1d%CPMqtr10}i2u|u zeh5Xmg@;TCGJYXoX}Ax5IGMo|r~koEtDT#cHLtx>(l3=F8i2JhZGos^aLD_+6I*>K zDK^p7rZAZ?z$InBbPCfLU76b>oN*l{8ucO%lo;uBp)_qP?Q-V7CF{e#!pIm%Wq{e* z{x(+;MAzgfJ56lmXNmk%J#)3M37nQF3Ge)RQh6mQT7Y&1$Q)~x68~?=X~ey_cONcY z_6rWjMs!#LbZ?252)i|f8+Iq4;eRD3ULJQto1RfM*MHF>xY>kMmbRhlD{a)hY#tJY}3k@eD~rZEKM})$Dc4s)I<; zjQ>Ga^Cva{3k(*)D=_!di#`!-RTIW-T?7x%H%A+%gCGy~WGoX(6PlhlPRdwHYe3LC zrpOb~;qNv-N-Mcmbs%vdS}^Th?{`h8web+wyT6A_uF}r?hJp8Hu?j+bv%RQ)eP}yG{*Owa(L@%%k%ZfU- zWxsBMtbp+|Pm00uHc;#?zl~V798{TpPK!2*6K-Fe4@454ow!p1G#doYEY#mrf-b4E zQV-SNFue=pZPt+_Veo2j-H4aAOiNf>rZA+RMr%NhF=O-LC@6d(sirBu|f`eEtlHC!JWHr z^#exEha1R>R)kPFHfaTUG+^B^KVF7^fUabQ^{q_9See6v$n|7mM`jhf#AXlnr# zDM{>17c5+6l|L>o<+g#j7w-{wp962cl%;CUj>3JKc^zt$oNbeqH1*;WD>pFOzFqbJ zn|FIPbk5h7N(`PjOMPFAllM!ig;|;gCsTxG`8Hc|s9@Sa_YD)p9p_mz`J*VdceIMv zGz#wt)7zy9{;II}ZZ=(8?eaZrfs>rkt$Xl4KYHE zP9}-xu~*6od~xLo=WYELz^$L zGZ?P%p=?mtA-qy!Ek69${R>KL+!1Gmj;!wR^DA7fQqvV9(cKxFAU2{FSdg!%Gm6^e z;cJL#>LpmQ}|FJ2Ry4Z`~0xHWlOH2F$Rx=XmTe zrPRZ|@Uf}c=iQVM1?`+fUJ=gk>cw-(8x0_e8gI>tEqx+7@j}L@$6*EMh{f~6%eQeL zJsIVn^Z~J`S~bx=I@P3g_1UD`D{w+)JFby#6QDYo;Y7<>?EH8ve=x^J@F0gIP{t7mj@neJ1dvoPTuiTiV) z=3ozqc^vvm?cFc9P_c)mjj*Eep^Du{$))n^3=>eI7&JV*IH$kT{!9&gpd(OC%ymtu z@v0U^p3Z_1U4SB~uo}~c_X}$Dy{m6zzH{@?WfU67{J>ZLe&h!2P~wPgoIIJF`uD@O zs%!xl)X_a;NARoY8I3Mlt>(7l6`LN;(FV6?)Lp{4Yd4QTj=MGQpA*I+4&WA8`=qY; zsg;kHez97;FqD`H=muku`(Ok~8imj6V{%eOC_n%v&&_zr`}IccPcKEro}yK4Z7CIOO}-KKGcnwkxWGMWhj4dZ;;Vszy+%oc8zsH2!?*4 zdRpARqBP1vu<#^(uwcF*+H%m%V&tAPlWIGWj5>N_5OweFQzJ|MQT~ICpG~}zk{i3$ z-4Wh%{#&+U-`1i=m38jI{7Ut;sIn>SHF~#5loB?SHMJRsk-VTb;?t2qGEU4Xr|vsT z_JU=)Vo9|PHed{IWfuJFu{Lq@7t#V^RdhBvX{;xa?q|W^f}s3>l+mNm-OBLKmm%mO zH|?xMt5>A`r5f>oi5m`jeoYI%HfJ8MjqF-utuUa=qRn3E zcvSi(DL($4D^KGK_)M0OOL~O@&5IpDUU267BQ7R(Jg?z=lIE|6Qs=%EEfY8qe04ZQ z1HF}@Bh_U&0AeUee6PoBTz#GRQ{D7A{(evQ2sdU)nu5pG7ep~)%jslan*Os{X@&2A+$ z)I^HXtq>ea;?wvV^3(%Bh_#;g*e-_P4`I;EXkNhI9W zymALXm?{yT;kyUup1e08YHRaV?3(#s1B~Vyr<5BULIX|wIDrzHGdvoQzwk*t%wJpJaHznqU3)uL?yUL^Nm~5{^JxFj=0`;^ zBsCt$RdXCRm;39t=C{gF0)dk-ICU!&fN9rjHc<6FZ~I+?j=KevC3jfki?;*hzGPSpU6UU}uV5#DxXpeFXpH;> zH8sDi%UJ&UQ2f__#=qb(|LMz^L;f(PUREL>{O@1*8^0@kh;_E@UYyXszd8TunfzN1 zFoOqHD2ocYP_(oat_?gcpd{e+>$nleaT(}7f%NB zIiLOh7g)5$2mmONNfqLoa+NJ%fkjHnax=IxHn$&=l5%&D;sSy()^g``;0H2QhxOKe zk_W-V9wJdVxgep=1rdd>I<;Id;J<>wJ@(P@n>f@LxqqR@eVnT`mmDW>`3_-DZmlzL zTc^^)B`gD)2S+5~QE90c+=*P@HvmM0h&#L8+o~mr8=L}!#O4!Wyw~gDifV(C{~GdM zh2)xj<$_VG>Ptm?hkFpqN3KLM8vqkec?4@sjP)s=mxA?$*8}FRfbmP;VXqa8gbY9l zy9{HSwaz+N+I6Ld8LIroC(h7@i^{kW`4#2*&n0>K6tQ%37KA$l10%x3a=hNmr zB@e*VRq8N(mCv$|nGf=s5Eh8;>qgZ*Bv}EZu0(JEmpxY#fTj8J4;7FdzK0Ix8{~Qf z=UCld=}Z#3f#5Zuf^EyBsDXyw48Zp1)j$r{vv<>c_Q9lqYuE*D5@45ReF1WB@*JA- z13X~S&e`XYh6~O@GHnqDx(FH(LW5lhqIOIx21mt&UJiWg88A7_0EWfTwoD>wf?nLU z0P>&05j2pb9Lx*Zz_-aE=C;lidg0veQt+Z3vMhys3^K|nZ-4V8BzXdSb`+_14;khR zYbQM~pW(ec&4bX_`jL1k?k?G%q+cM$n^MZ_J*9|U%HYd7n0;lyA|wMgrXxOltCxP` zAef~@*mI(;YO8iAKR8xH;oHNbd@EBTum@0|0M7g0ZQi)%bx&QM_3B3ztiu&OD+b7k z%lkjqXq2{nv82->vrY@M#Pl;eWN7dY%zDy+JS)Y7cKt3}c!`m(!bgMuiJq%IyP9-y zsP{gYNxlJM_Sco4-Iz9^jCY#kR5Sd_eM_*g)uauWWU$o;*n%|q7?qw0rDwbeeRG|p z!8ai~oe_h>m=OOgjz5*05jpBq5iX;Wj7&@A&dvv+cllLSIp*2s^Dka(NSt@o7SlXZ zc5~U;5Orac%t2`cMT;GST1yo=eQAv%{ShH7-t)vXM0?D4z>DDVmg9}p`OI1Gqx}#* zlUA(dJ&%11|c_&Sa6ECp^oK)~ypV z!@=Ze=G9|ATF$&!+wgI%H|3qC}YOnzKKY#$zAvR2Y;P`YkN-LvSJA z{SGpqI2&lrO5F81+CdY3xV)clc!)Ej za5M>n5xtBy{ZX8EfRCL$^7otv^9`46eEUj>-zi4r#UA!<^R6WF0JBR7dhLbXBH-Ja zOnUF>J*)4P?pi|w?38kPCd7tKP^F2;rn9qeG#k^25501r+#j1fW`Tp0Y}xtc_9SsPu?Ksqc`>|Q ze{4bm%>ZeLc!|S154uDq$pGhcA#Z33L?<>`$2-?ijBQ_TToq(}q%Xnh7bEYxQge93 z2r8CJ^tWIp#^Pjz3dAd>c`Vl zm;qNA0`(O8nIX}(-47aAMU!HXU35G|fR9MhSTX(jJHQku!?>o~i6s>T8*0cYHQ|)f zVM!1jHbs<&pJq~S59&{(_Le4NJED4=c?e)Vb6LXvvFh$k0y?1Kr!lF+fr!OeK0QkR z=!e=p*%Y`pJ&0peqi*YCIrK2(lbOQ6gtw?+!J#~X^t(QL!?ra09v0E*T>uhnpCeOq zBpxY;gX0^rq;}smrc1}_<^c@(?sBdK{Xc({f9I3nXH`Xq)pWLXKL6KauF8Q|-^<+o z5gX?@B3N|%3j9~TJ~h%4kg8%c`oaRWXBc6yrEO;0nnnfVquxC6%i#_di&mb+D_8h| zL;03757J!`4&e3qonOdZmTXt`ad-jxBsus&#_nkwxWp}Zq2SLooj|-Wya@k}{A#Gj zs)IA$g9i;qzKhr`i~x|Npt$R9WYhFm>dyC07~nG{e$7$2$cxc?IbJ`evk3|J!e(T| z!OI|myQ7;85x0L}i-HgA*8Dy2uBXMuAJgRJV&|nioca}Des-o1R0g+m#2O_24{>iE zPW8XDdaSAPT)--;3s++{hk;ur%QU$tY5uK;V{KX;Y?bKP}b0?+ib zWn16>eTi@26<_Rtxzrla8bWbcPo9r9+do_l5UPZ)A{Q#aRjfGiglKzWJ0wf)@9l#j z-^=~=;{n1d)DZ8(0+dQOIPLmEbbT#7V8lVrK|5{a1r<3L$>VYqhn=Tv#p zAzRaVtw%#`{&u;ewx_rRxytm$J20h;~6* za?3sCn-6YWCmV$^6RrW{DI9QoVcy$=4FXTN#ga+SHNhB( zBX`OfzPubPU}bmL2c>vWL;EoGma3VAyM0%@p}g3z8V|X5eD^uK_4eM2uH@|#zHK10 z^Uu3D8~np%`1Ugl_nR9m!I~Y}KW|+HWczRUPI#pmh&JX?smV{Eki`&=7WKOV9?ehR zL}}qSFzwDDKt404@M00#9hQ|fDE>m>3HR7IF?s<6ESySoUM5Xj62mK}{>IJ|G4H4< z-65T!F^b~Vo(JQJ4v1{WJWsx-q&qTWo0r#>?umoSYH*G^k_QHQsC9lNF95bp0w4hO z1`CumdGU9|!=dH?q@b0avZv2wMYwrxPjL_7Lm75vR094}j5}by2?i+*4 zVS6C~0%rdruLAlGL`Y2zBQlgyo6m2!(}Y?s%`GDCi?<@S!X<&e#XP7{;!?8`r+HSW zQa_5=V`~~$ki3C~zq9YYQ4|kkjGi5NF|fw$H7-lw8=Yo@PvZX_fM7$nPjn;tCNrxH zt}2~f;4G>)`7uxYwu2Yiy}cXm@aeatDAZC=q+Yigh};`h{l)_q{oCN*3>97b8R&a? zr3EIX45kt{@#?EJKHOT1uNk;U+xjrR1`%W0V*6W?ur(GZHZIPR&_123X0nF>B2RT8 zUHLIoIv}yqa#SRS2uF__ZHOd!21vDJ`WKB2D(8rUEGE?$c<1`mkq;3gMLOgvnQeMP zvF+CWEc0VzJV&o*E*ukF!|o#m)^7{tpZOME9r(HrjOMSOyOjY7r8NHTs@=%#hB?ON zi84Zjd}lAwHZ-O3vi^727G1*KSfsYVJa+!F+5*Yo52lB5CCsbbF2UzoF1ZLEI{63e zC=QbfXX4SRT^FazPz+B%afkclyjGEy99l#NaIs(tS%rK8%WbF)1_udLhTAmblTjQc z7tPB9ZLh>7lVXkbOYs&T#u;7>T4jFN!Q$uw=ihSDm+oJ}xdbK2;w9rAD6=6v4hAo^ z3l6u0sc}->;Ce|pE;Z_`Gc~zSIhMRFfxjx6RgC~nZ9gTn3Dp)?6ztb|(2spE^2;+T z3F7J7BCL1`+_`4d6@B`o3j}f+-HbQ~Oz?LB6z+0$`LA!Jys|D%!QEFYww$E*VeGEg zzK&@qzL)>9p}4KPvPtW@w54g5`j${kCemx#etNh37+?8Z)IZ*Y|I4p)Yp9>Ao^_|S zV0t;%lc90*rrNF=L-WOy_cxmPnt$k%>vi3cxPZ|`OKLyu;EjmTSm@^lj_ZX~{oXi1 zRwcz`#q#1+U53jHd#FprrB81%h%@dgr}->FhkBDian~u6Y+m;H-QetYXNp(qvf^Li z3qMIYw2J__oHEVVHsDzJb+#KEuG5;8r@w}ovWnsf7n!v1zj$>wS2h{aABaDp^RW9Q zU4pPf=SjKZf+Bqn()~mmC@|6{N*o6AOUDB+)!n{$JwqAv zIZns#C)7u6Gd7dFpkJ*2r5mbS_IcR{m9sGQl8U6v^)r^%iO03Ipm!H=b)6kKiyjbQ z>b=$dy=WqcF#+H#_RX-z^gd{8G_iM?=r%nP)^UBr&F^>rn~#VxF5jy6@rcjbWZkuF zX@pm|xvy{?21TCrCXHW=_@bnGg-i}|Hom)j3O-D!33;zEUkN@b4e|!}?XP@wwI!r}F60Srf7a4?D6+;MI9s1FudEcy-$wIg4?TWEH}%A0bKu5p3vb4*7fR zm__g9UQts(`FZ$p)w{P3jJb4)30+|J#%svQhC+RXhyg2by>0934__xQWifrU#Ocek zTZBF;Tb_Z;rkibw<_^VeH6^2m6^gjmFDT0DzfM*}vKH%d*THX(*=~;gY-Eda(#MW) zR;8yER=bOjy>FxVBf);9^)Z$yW z|0K;yZkAA5mATh-UJ)Z6Rm@WQxtqz%IL&0q3X^@_0gv_V90U`q<4e34jyBQlfI#XcNA=5x$)6wsyUiIbF8<5f$ zSCgv{lywzf{?Z-5tsJ64oFr(p^1RI=d$LM$sZ5Wv3E*@U{{g4Fs{?SlB}_BG=^j?M zt!^W5y7#q_PXg`FhrPWj-Fa10N&+voxqT)tz5%Pk6WA3&(8q^T796Agabox^Wd$YD^sO|MjCRz%KruGsOz^HN`rAU)K@SSn^T z#Z23-KIR04XjLPn3MZTLT=`s5c)&=scHfbzXD*?>5lTGl$U$>X9b}ImLbF0l z_xgw0PHP;LH6yisahvcO|L_uMXGwL)qvNp}4PysJAf${Rfec__E3F3gLl1d66@zxoErn%{g zs4ehEcwZN&jc>+=Rt+l3_n_W;is#W9s#K>3OM{6Gc1kXO;}2 zSdV-9?K9bn@=tY!;hAn~d?7Ku&xFYIBXxb6!8g41HJf(PAxRN61xvtNJ~a*t`e4LqsZy-BS#BEHMx!Nu)oy(AVG3k@r3Mf?tLmCiamr0o7* zs)m2g0=i5zEs*&gI?*WWh=`{k8CLtfJ#1TH1Q~Q97b0rVC0)m>wAD-%&5k8!FDNij zazISS$4vI9F3~~lBbX}Oel^U|#o4NDAntGx_6WAxTU}iP1KI`*@e+&8bL15zbd~7Y z@gClYOz$nzi)Yeov_GI*4Zp+@VzQq^Z-5frbgpKVu!844wAFy%vF(YIAIQ#p?{2T_ z?=-8Z$oACaN|8ZIbn)j^0M(!_kkdr$bscZf?mzTiT9g2^3mNk`FS+>(j}+-xb)Ja6 z7pBN(MSE{~3Sfe0KBcr{rONUa7P&TaTJ2XO`I}XZ0UWDZ{_AQ=p7W&dNfuOdq1E8z zTagsUX!VAdRjb)M){D+xo3vQ4RGup}QtQyh5x9g3!yAfqCGXm;yRXKezq>hE!sj}~ z>iS+y5FAy8etgetOJY8HDny*v2|XM(%2w50GCRBX(`vCjwW}DKo?4I*S#O4panI>J zbAbkHXT{7rLA1g968S>xlc^9hFMx3AUk6HuQ1drxaFFrW3q#yb?!tT1VlT5{=Hd24 zf)^_Pq6t=(>nk*x9+lA-||`ubIsJ!w+?oU zR>a}b&P#PM<8NQFF;rfx1#P#5EDWu6ff4r*7;)+f;`oYat^Ng+mh&ApOtP6^exX4A8z6?w+w7ckRa-YRJ)&b`gGHPVwFS+vx1?I>z(3 zhyEG30L~1^2{J7sZ+w>MN&Mu>W`iaBX|19D)gO)Yq z+A~Ft-Ln>tcydj?Qlp6_J}aNlerd`CAQVGB`$<_gN-D<`X>_z1$I_2gNSLtHv>2-> z=QKDx^5>o??vP{PSx{P)G%(q5PDmpgnF?X``w^|@H-;DedWncWgy{NZW-2qM8fo2nw->j1s&gjAm@n>F3rpzK!+7O`z`)|Q*UVl*emJRiUc z1@zR%3Q+mGnR*;|IioNg-*w3_B3-vcQAW}iQ@4e?`_d%MxlCdc#~{8LqL7&_j-b|P zl}`1p83(Cbv!q5%O3o*l42%R6pBy_~GN7Kd znQtuV`n?i@I7{s>|GL+WyE?DQ0|D)ma(lhpLyn*H>mC27qB6%{pPj=qJ2q^XZ#!0z z1h^Srw!jPV)>fRZ?G#zIw2eO^q#8&h3{of1Ni6_~GH7?xZ?6$UkDCTivoXpmWuT>u zXfh<6%0Srv&D8EO=V4{Q$o(O6%YMWN6%CR|E;dXKeuBSKG2*yJT={0ZZEJ7AX*<&R z4)B1{ZO%94)lWI}KS*XQZYg*+;S}F!E_ie0gO%p)Tyhlp3&y-J>vgnNj=mHdLL+0- zgJ~gKIgDo6FztDa%s4*ZeXib(z=@&+e2?uV3p5Rdg;ASgfebVHn02z6j1k3Y)EmFN zSe|%=CC{6@{p}J?bK~?6=G_-Ygn8nk;}cY$WnN=4L;$uiqn&+5G-oYt$~*F*dkvjz z+sU_6C&~$ujrGPK(Ok5n=pfi=1Z7F083A?`-hrF)SduI4TGAIr2e-dAri&-ROw*-+ zm$@MFr`BWni+GUnvnh4NPZIE4{TJ(3%1nH=LB#&RSzl5u6vz0|At5(HecAO`-^UV& z$3S)>ssr^o=`U;*;*42J+rA96^QpBo65^>Y7mhfD<3c|)C{3%_s?~i(fr&h^- zQB=#HkoF^&bu#lBsnqFyb;wt8=-|U?^vEcTcZ5N zZ^pIU*o39|))ugD)ArXl$>>T9Tn0^pI@e&ZxyAJ!S0E6gM_)gM`q{y32LUQZ+5+gN zJ0X}dAWThvG&9r8)Kp4v8M4ryrqwC{-@W~SQE;);wkxO^iVMCWO4UW3~t z`61n|Tr{ZMM$=z4->*$)lEI6VE_qL(`N255L{4fcJquqwNZe&9J*Fbr+RdDiWM~Ff zB0^3B5-qciOZ7L_V{crHNRMRBzF^dEFIy-5C-e{-N zSe}!#9hJ1DwHlTtl`vuB3grPuQs)cy^|Di|R?PTVBU$}$6;RmD$u-(9YqA8Z3z11p z1emKpO|X+vLarus?+?6!ly*ln*# zShOo|~@Pvi<_c~AV7 ztFURRb$K*-xL0AF2klc!Uz0p)SzEHb>_EpN9`m;ghrNq9hfg&9fKE97u%~qN%xx9d zzR$@|1|2_rii0S&e_zq$+k@YnmQAfjJ{$s+wqe4*6e##*Wt#H(1t&-nSd&CcQo^qIVct3uhwHrW58v>D%k|r#)OeZZ z$9q?E-fCKH=9L|64}0+Aa44EDa+Uqx>MJa|FD1|W5s<=BcZblAYfLyP2eO2?)+13p zodgNaO}K$ApABc0-U&`CNt9$SvtE59^CB=(T`vWlxDOVo8cp1nRu?BR*d+&83%+bR zhPpl%l+$6PK^c>< z@o2H{(@|kA{!zaV?d%lh)6|XWEYW1Is#A_ocY4s~VQcJ0O(oA+a=70q@ZNXfeL~9G zF%PWcC{TZxNPN5x9(*0Nyz&%v2$sr8=Bu!zl(BZokUa1dfkk@%Fg4jv(KEf zF#Gq1%zRi;XXvZRG2ckR`>{*AQ&Dj#f7Lb4#@k972S34SWF=RBOvXX<#GvK)d1enE z(A)#c;Xd4Ru5(^p6nDqIIhI6N#c2=+17pw5)y=Y7Z4;ZR5@%%;F0h%;_ZupBKf7=Z zzw_#*5P1Ui=2qPDuQ1_)4X$;E%TRaeI$X9WIZ0NPU}N_;769G2)I*N|UeQ-Ywa%0m z@R*ajzsK{j4L$<7N)nV(O<&6OWqnm>SLkOX{lx(Tvy=3Bj)FOaHJPz88M~~x+7;np zgePMsyO>}3Y20lDBnr77QuA*`^__O|-QLM6zeo1O4A+oXQQ%x3J?p_n5%zkq>dhf= zFR2k-)?MO+HYW}>ngR6;1b3p&(ElXco!s$UMdenbx*Z%jca3;@Qw6Qb5)EkE|3FA^ z{vCeGZP&rFO|#V}=XyKqgpc`EzaP>Puo@qrA8D367i~{rj!NGgK?Vvx}FKCm%UrA77~emor4k^(h5_tFV}WW zqNE;wse6EfWtiYP$;(`f+&KQTId2cA@Cxt!FwpQb$kZ|!hqoy9WuG=HiEm)x2#(1n zmDr~Q`WD@#1S#Dy0-h=JG8Lzq4Ir)=Y%cb=V=ILv+fs-+5)j21q-aLC6i;1nI$XsXls#yxRy8{>Wo`JZrwyCM?&;dfzKFDNJt3ap{*}YRic;@G0gy)f!#E$#MVX>YElV`afB?+`#K3idDNv zodjC6&L?K-EyBkNBKG|?SD_cIV4ZWIzwnDozA=})6)Ot||}1`oaJ8FgHcW(j;O z+2Kxjo3#yl)bI;3K}14nlF)QC@h2oWbtxr*mP}s1;&j1j0~)h(PLo!r!$2EPoNK@1 zIa4zByvW4|cJF=zUE;fWQ82Shd=6%r=%fkG`1!3>`Yo^d{`e*d2`xip>5F(CTgkv%f^?5;wuC_{i&Yq!2!&Cx&qJLjyzY_`u!ylRsBAgT zvKYr{{W4p$zhBu*S0P(ulJ#{li{ysgH7!RnRwJGVUlhMs4R&dSZ4i*2y(n=*Pxdia zgrDW-8JKE`Fl~<0EDfQLz2%&n3`1wcZ6y4WRz=8neb>&R8f8^80XIVm3nmMR1T!dy z<=&4tGqb8YCxTvPpl7Yqj>mQ0L{v;JdiVS+=LhnVl~-~bU`)QBeE`Rea??nE`Z4-~ z8Y=XIuo;o7vw3NI8BJI9i>TchniQ5ifvaP}3`i36weVv`?M z#GCbRH(KF}o#$VlLIJ3$Wr(W`drwthwsZ!J>ww$?5zUn^QS@*S~FF6qr zSL|Z*BeJS%dpY`|OH4{uru~EqG#J*;Zx_C8vBy2Nd~;Oyfdmmcxq(C{0*@}L=Dm%= z*?!x{8@bHrpWlrYX7Yvy=HVSKSh4EXwSA<5+TR|yfgfq^p(!Gn0|5M=vBT{=Oj@wV zkM(X~zjNZyCBR+d=&%!KU=@jE>Fvr#R!R&mGVLEMS=N&MQIQyn-~1tqN+S>?1axn5 zAG*-wMPzQn-OTyDOk5ouY~_z1m#p&n@ptsKDgJ9Bv1g6G36Iya%NprZ^YpUpBb4PB zRFJ;_r27!sR8+UIbR$?h5U<@PSv6Ia9{tKC}<&2pCSUM_s6QGN)}o-;*`2M=w_ zQ?<|7p(9!ABwfm`Ta9uZz?@00_&0R7mJzy8&7O;b>TPdblW?>efsrdSG=TJ%-a=Hi zXmi+-yu1^%F>`2};B-b8!L!3_5BihejlsbB8tygZ&W0h`Q8@)N*x|8a9-;ynObbfQM>c&F+8b1q{&rRrTGDrgxgb$a!Vcx`gB#3`Oo^y zZ^W@jfJE8I-~Uqnkelp#A;{YAE)Qj|eh5`jYA8BMaT)4aVs=Bu7!j+14(%})Ctqm; z3u=kX+dY;wE3+XXiHxzVcV)R|)whCsKeKHak`3^QFRW}7*t4*1%NC!jsgKRck3qTQ zauEW-4Ae1LrUgJjlyRzWx7FH(TqZ8n8CX0IxVf2aF;*1F9#1wcfw$;l`;@5t@`oe%`Xu{>k;%Mq zk+*Ze$BMv`BiAy_%eCk$3dPbc1YN9^{H4>8~<#qgI zd7|Yz2=&YHsp#9QhVtg^EEmle^CQ=`C?=jRqk6z8I z$q-fi*6cSlEpY?{Oce%)MQ;P|tzN7~5SDgl7kF4E>9vxKn`O?Bc8Qzw`+B28s=&16 z?37+eq#si?#4VYiW!T}GrTw+?IiiSfrG`S{mXI?G)oxYfP!|+2H*kDuF+{IJQV_O? znC0Z~dA*Z*57l{A>9fT4c2;d&EmD@h#&hqbcP2JcBU1^>->^#1o%-Ey{m`g2>X&~0 z(KS1WnJ9fD-`q0u;BuQY%j|s#hqH$(kd!Baub;-ewgA;iWUqy2uF2Uy@hn~Dcz%wT zmY6EYuRxlQEb$wDP&`V%D;2;h9{ih3d!QU-(7}PJMD9#aDmY|s>?p*;PWqb2rG4o*UXp?x>6vkypX`qc9kto-Jq5EuKmTc@9 z=SvDs&};q1H^K zCst79@e=3U#*fP|lT~-Wl-eGsF<*z6kp{av0we;81L_rse(cK^!$McRQ!i_Txq4d! z#0poX=_uqe9BYgRpjVGB{mMLX4OXI!)>~nLZf1)I8t9?o}Pl)C52YDEsUYFZiQnQDME%Vd0%bAk5=%E zEtChA)VWx}HZ{=+e6|SLc!9!Cj9dPrgCSoYSMJ{#6HZiMc?6|vMcx#)#zRnX{FbFc zu=KlM!Y%!mNTp4SnWgKg|{H9U7mCtr0$U5~bW z3k!eVe80?GkF6(0j3-SB*PPIVxhD?ba^L~iR(8*&s1SVP)kIGuYk`hy$PaT1K@zYr zmadI~K;Ux3fl=ab=-b^TP?QXUjUDQZ0nB2?kOs>70#gJQu!Zn9{>*8~boOldHI;{3 zykHBn&I4!97kehVs^jvEvT0S`r?pOLNz=;e&iyDYH0wyimA2)*@PsSeyZ&2tNpWM# z&VcolvS^s(_JB!o(U$?|0?Yn3T>1xBzp=6uqJ)m6V!|Evq}#BHz2p>+lKuFwFdG&H zya`)NyA&H!sd4%X2{kBNBW<&u&brapdc36KyxQ3bqH~G<=*ijrd+w38|zu|O@6(K)dpzloHE54$+OuKRMyxzF%ea;hy$oM`tzHK5m@M-+M-WdJf*Q&e<(9U?g zay88B5TJ9^PR8*F@q<`*D z3|oOW^gl(YUO#Z+&1`|)>I+)ei9p&gko|ZP8loEgCVnC~46*bodO2FruoO#KqGU5V zr*AhHBdMVCJ&Piesr1l1x#V+TlxPkk-Aet8QJBFn1Ix!nrh{Y@g>@1#GuSe4{0Ddp_KI`YUq&Z(eL6Q$>oja#$o|>RU_zu` zDDf%X0Jn53*>Lem2_n!NKB%fzA{I5&-iQCo4*^sI&yJmw-;3k*k>->GLJ#E_xO!~g z!0mK=3K946R{qYvIU^-A@V*Q-_IN>Eh}1rx%wj}=UD_@R2~xf0&n_g~s=}^hM>#cG z@0g0eb8+RX#7a?(BZIWlmEV^Z+`m!GFSt`U=+vwpKS?1~f;X!`XI@P;g@p6={{XAw zB)!9Yr4Y%_gn`ccJ-_ZUQ@xZQJH7|R<@MP{1Q|FWp<&Xn0~o=SyRWY_FrBDTTMElg z0o@1|L63oxgX^K7MVBlRwEp@Yhn>@L(k<00i4#F7Avy#KoUKN7jWV%}WjUzI%JpV$ zB$iH-s}=-EZzK!V?4;}ryT~zXJ~d^;$zn@wk(M{g;i7JHyyurpj(&4Nx-#PjWmo(@ z%4{)`tRrIVnB+KFYNf&iC(W1er!XAMwj83`u)A(F>K9$iqr*0c=kF+SlVtQMqM_#F zO=e!PaDK-v<#s)7sy2v|V_{TN+%M8)`kJU0Gl=A*dr99I0AV=FpCym7ooduR{s_g9 zrIYvVt>pw$7AaOt^yFD(Q1KWBeLXX3TQCs$w#c>AdGWFKX*=OEs7<|hi(9MSoLzk^ zx@_|Ogc(~F{hDgczA=~-MoaNj&+#-UiGCQM8d+LHqGYkB-(aJ5X5pyhI6T~`^jy>} z3t!r&+UgX(1@y7$Xaxp!A}G(UqE>678BJ!R1uAg%O&o}~@mg08L?%Qc1Yfws9lnnM*EtUzm7dH^CtLLn&!ctN9 zbLW`1RK(Wtgsz{r{VTbvI@OOJMwPgfMdk7&{z0vAjJWp34Tg?ct?BG~VzH$!M@s&g z0Zu_gOdm(=C9E-fqA64+i8fm2$zPoAioZJLGi@`b{L((Ql!H+`)hIxHMY%DAK%TK! zBmd(A!%^6quo{F5j*#{wlceyy;$y*B$2wXFCTXTR#}e*E?;(|~#wuLRuS5ZP!!~dC z7g=l`$YMbiU|1PT7l3_OGSilGbo~qYV!@!E@E5pZI?ubsQ?d+63{wtkcig+i``=f; z3mnt?T20li&GQKSw({3A)#hnlhOgxJ5%Y8nd>4Bxw4Ipj^owZ8fWd+TRf+$Vyjg*< z_^oH+s3yT*WHH497z}Z~6gMaqycn7CaHV3^@*{uJ0+Dfm>%(}(;6VI6$|vVu@sd;2 zXzn+o#scTNTRx~_7A$kjrWY`uc6=RMQ}>D<)$*1q-?OktH=pa@kBJt`?~17Jif+sp z+lmb7dMzcgFcsku=^A=f7?)nM>7kCZ=ofmXq037C8`H|ycdJep`MdT+qk!Fhblm?Jl;7q3h5)wI=!V+gmta&8KX+5}(KX?XyJq^~MIR z;7xr@+5bAy5rbQ}A+ETOy*wgg^fcUlK5t`EpL>4KF|X}~y1O^i(pami%E@m5PK4dT zf2d5jLKOSbdgka|`#Zz9F_XyX;=5_7rq z?<30|!EbGD{VVG;8w@u%Ha&7*EKN7PDA!Au;g-K5tNFHH-}CCHF)eM({7NmXRjIms z6}4aXiMiayf+VLf+~EQFQI5lfr`=vr%2)CiB6M&q&*IsRK(2JK-hqcM&&&1yQ$(YkcmUGaBh6 zbR2=W(D?`rhA_em``NTEYmu9^{1#3YW@fQ%{Sp$%)p_cnmwv*y{8zneH399fb>+MA z07$CaobN6tdZ6CGP97QPBpmrb%4`dcH!=UacxMcpI^`x|vPh1eGo+-CCT#}`tb_zA z!ufm0dzlk0TX=tA#I`U29y$UaiC&fPV9n%@QTZkj^>I4Rwo(QDUJ2oEvs$n#r^4vN zd7_;Ya?FBsHruH`xggS5h3yS*Qlpdv$!1y3e_B0hbI2uNYDi2YuKO((W10)4wA2cxL$1cNSheHw5* zl0X47I*?5FadPO<#ZwoOkA)PD`3(0nGu?5@d&(_g-QVEml()EOY9FQ7zbxKhyAS?R zw{|kDK{0p!Mj^%2r^T;1LQf?06nY$6B}&EzYX$DyCD^D6p<=6r0^oELAHmKM3|8b| zGuspS zHTrtF4cme=zC)26fW9{?l_uSms_upZSlE%UdVQ*aW99~Gs#SC^zagjobZkzuf8_QE zohI*AAztSDmw1=Hy_u9lKkQ}q_uODeU@xAz(mY(gI-S! zo>hfa@h*30xX{)*_vzwMEJn+k^a)-`%6EP^HNa##&T}Ap0#cP&JENM@3U z`kdITqZjGKk5Ffo=T#O26z>3=n{FqyFTI>g;U{33=}Mho{p!m77zZh8;eNu1>X+}@ zR;gT$Qfj^lQB2o4w-;>|S`YUhLz|(Q|7U9fay-*h6rJ zH$uM4g`bqF+ynD;os@PXe<=~H_Al3O+l4$+XF``iNcIfMSRwD&QbU{p-g zDRxNR@ibn#e)RkEj_0IE-E~pwM<%EjEtWj9dAJx-r<(ZFrAFMoQ-h!ePmf_gL>$O& zj&D3Z{CvpPtO)|5TA0ba?c4~MKer>!s%1n`|GO8$ZfpWR-uSGrm=w(%o4r`U0C0L$UFw^sU%iu2*YAo^;$weITD`GZ!l#mkPvM|dq^ zEZ0Z(^WzBGz!R47&@#&ccInGS@?Mcwa2u`~E8Ep?FAtaRaLlfQvOOGJoncVY64TjC zu~c98B0V2tT;R8JEvb6EJmBzWWPJ$@#Un5#Ht%5~Jed|RI$wpI%;u)aL4c$3HvUiY z<7v9=h7qn(eQqIcVPo*Ve#INh`*lz5Af1td6O%gAxFtW~qa=H)PX4^|_zeo&JhR?U zS6^5fxj9b5JHv$t8NI`eBFP*=hC5%c?fuEh_aPpEt5ef9p5{JEfmSORd=S3OFOIoz z2X7?sAT*N@o0}K@QMlr(dz#3>smZyrM-5M%xT>0n0yB_%lQ>EFLgwi|vQt09U%#Db zRUz@{DRP=Wx5a})uC#MTi320cLF-TSucB88e&41S9E_?wA&=b_GSXHW72THq=o%on zc&Fl-_h(CF#nLF|JNVfw9HxmqbGZB#9)T{SP_{_Xo4R#h^H>fSd~$o%eMjMrLVM#ik%X zF$M$IsK|@uk*C0^O8NL|>kpm>#H1~Z=j0Sh&VB~?POMeGnY@ zuP?}*2gJH?&P{^7oW{L{k-52kO-O+#P`_;u;87Qfd#p=~Ja+R`$XKTq^t^0{g~5K@_vD9uojxCMRd?Ie5dPDD{FHpvp%3}T z7JlkRAzz?abnib#;>1KD>B->-^VT0i>6GzIsqfzH@ZyrdUa>d|=qWYy1D7xe9O)s3uyCdOiyN zr&soWep>$LKOH}RLxJ`r&7Y(S{&&o;zduaV?~XC+t+yvg{gJNf@BjS2{z4Q!{&mL# z@BhE`6Yp}|xpt(NuRyIBRRuHXT3BD58UhZMGNML$@2sN;C+tH!*igJg?D97yGPFLv zN{7e7oLPGUj+Q#;Yo@sP*B^W_hcwev%CzHwe}M@9K(hFccLaQZS@BE{;V_kb&2JiJ z-pI5NDW8ZyYC09pk(V!30=XWKf)8B(zTc?QLHeVd_Jx$E=ms*IwV<)HfXe(@UGdB3RZz$pttl~|EGtzh(t*7LgXk(;GWMz&w-_g_SX(f)It$4 z|Bl4y@*okGF{_iW9ZA0${p>IH0l_~4gQiJdX!!rZGZ1TxHv#vi`H-Rd|(i`*n_}%}47X7cEp8xorrE&abNEviF zsgOIRcL@6go(DipFdQJPZktAY-=PFl{XD(w+j!xIhJfh;<)1@}S%Q5~(fo(EF&5b8 z$A~mxerGBhcS~s*I``MYKi&`Bjz?7sP-xSVvn?U4O?LMyH}Rkjm$%ZdAL|?L;pehtA0|wCfqZkG+u;i`{r4()k05Vddq(X)kDDjX zx-d<6-MFlZ2QFbOt-5LD!8WOrgVIhjEJiVksyqeyqAV%=UkZmGy|L*@SO0L^#KN`i zjCO!{@f>E{T?YS6%)088zC05>lHm812g|leaO}NTr4>J7o?wcO>vG=)x5i~GjN%o| zk#j{=a;>(p40Q6hJAo}4{e=7w9(DNzgB<)|T6FnES;wx1y1%R~$Bt*`sI+@O58ra0 ze_zA>uXV{kpNIeVAoYz=NJNt3F4OgFPK^S zwr~13jG6Zn#2jV8=wAoz`bIN1EoNfZVj$P(VlVh+l<(UDTYVBZ>py#I4qQNA5elkK z_qG&7fxiHmB6XgT8e$O_9H^LBovR(u+fZK60+pO91TXb^vR!N?tbEXoMjoF1V%YZ} z#u;#Y^rSN>@J4{J?l3Sl7Q#ciKWg*x-lSeo|Id2jJP+QkzCnYK&BDL^qB3J{xQiDr z%@rQY`3p~re5J&cQ_qr>p1)9mlDH0*S(ap9K?^A_{$vuCz-c$|pMzd;_YFe7tFr$l zoUc$zKsTrjQ<;83b&jr3$>RheqsMAo*rC6pg^o<4sf-1ZXDICfZoj*SY|6~xW#K={ z{FuF71Yei^^$xOI4o~uJ)ChcT%p$?0=a-;scioWoz&LuMCO9047%iB%`R=OQV~@?b z=++gm4Ac6~K}5aM>;xhl#-pP0$5#(QEb27ytdHu)Hb8LerHvf$47N9^97P~_Hs9Zx zs#12ps|5nr?q%F%&(OdaV(B4UuLyMDny*{~rcNiR{p0KS0A5G^fBSVjPW{UO&-8RC z{{4SEbYt(}!5w`D292-Xz`T*qfMj)XLxFkeloCPEPaY0hr(-z!O)+3V7(7M5#k{=T zWW%S<$?pd`RQUj`H=^-O(FbVXN9-J=S?WcMzTqb@@FOZ3OuH;!)Q>viHcF)41x{1p zN4MZce}76=?3@E!HT0@HnPh(vuI?(Wib8yD9xRyI)YOUwkfr=hR|n|>7*_msMcOW4 zN{2owhX`*Bm_&ub82_FwICoSzXnSBgo{tRKYSk5(Q{TX9bK?N8sPZg->o8A=_!jl` z+ed}({rmOo;kz5Vw_Nd#o}O7t@P@ts?+9E!9GzMB1@b^C)R6q^=u4Jf>Afu7;=5pF zlS5SPJ@ALZ2Lnp`$WW!e5=OwGu*%NKn-5~03$7l9w_5Uq3i>G^bt1k->0TbrHS+%j z*S;Jwd%d>5G)4b)CNrmK3t{l%N$B@y>;1Ji1Mc0mk35E7cEI%R8B_=It@ZhD|46fX zYbNk-v8+aI7C?4J1v0*tC%2G(i@|M5f6O#aFTYFs4Z{)KAFvIt_=&dR+nJplt&ys* z8syJ|g|@9vl|;(TKoWKalkBm369mh@Sj8sX#iyUkBxPRS^MHn2#b?pzcCfi9oP+Cq<#kT>#X8BEi|xG+E^Civ z>J*M+BAiKm41QyO=}kzUZ5WyX^4hjjGNovGh9@D#qdHFetPN-zU8BSfALlzS-dpu9 z1H0*?t=kyeSL4rHD!FI&J(Qn3wa>{>S#WmH{d-;bzx?73!(Rj}0$+dyk}e4&l;7}T zM;r;AV^+%0*SFEzRTQ&!Kkkkg%zQSJN1vf5zKOgC!n$puO{u z*FsI!!c2*T>^qnVudM;+lVnLUixj;zRA9}G&@6FnEgpIaY?*EFjIGi?I#14#0Q^Py zs$WdSbe?~iQnyzwLYj#kN zQ~DQy)Xt4C%dVr7AZQY%YE)nuqlQzqKb*uT+pQ8lKclu!#$LeO;p{*vLr^?2pJ(D- z5z>7Z1BJQ)*|}@Fa7Ul!QdvR{NerwoL9Li~(=cuYS*zTS^aObt3pHmHt9=BsH^yx; z)EIz2@`Wf=KY{#Lqn%rEJbJQ_oVazV&5`aC288KNxU;HP1_+q^a0^IU$p60-tPt}5 zj)LX4`0r4#z_2Ee)O zOoGz${(S2fK5P@TXr1PxP$#i{qK<#TH&%kby5=QO0-DTfJE+q(`byl!20CSR(VxHj z%bZMN8}t+MgtlO5$uHH~jH^{W{Au*a7<*`#e|U@I^gwD9CHmm=Z_yMmyLeB&mUq z-{`n?@}O%#G}Wj4TLAIty9-+0N;Sm+f_PnT_hHL|eotuffu7rJGkEM6YeW(HcVY!(++up7#%i;Jah#dI zp=}o#QsMAVzwLNWO+5Lco$YY{nOJ$fVn?Sx#AdB={SBLS9kgSzC98M-J7!i!?nQ^S zwgQQ|vdk!L21k$8$5Om=y5hM53tko$r=HC90}MjZ;J``1rf7mN%|}-|As>nkgX{e3 zIthBeoCYh&`5Blq`}19qi0>-p>5rbKg;J&QJs6h0ec(g~{Jd zN#ThBP^QrzJ7E@OPZnWnkQWOXRBXnnR`x0Zz4RF9}Q&&n-#vl0Wv# zytt9awg-l4>@C^_{8D+7U`<)h5Y{4jS&IL|*;&U`y{>6rx{>ZiIt39VBt#HUx*GvW zMM_FiLTQi|kW{)sx+IiTq(mg8yBptooij6gX3v~+_IdxI%V=Z@?8UNPv} zY6VMG_)JvyKJK;tjN2F}zr&Xm)Cg9SXEA~ic6hNcI}vc{HnB+}8XoQ)JQ%+tHmEiW zt0Eo(8xAAsU#PM-zoMz#%EElc`hmH-Hp^1>E2%u~I;J;BY;jfymVdZP+?On2UiZ0^ zlMcnq%NS<);QZ@7IgZ65Fw+Wh;T7CfGC*$NFh6o%5hpzvBKV0V=G2fCSR2QnNW6%@ zlDf!=-}k!fxxZx{?yX)-1jo6tfWx6mcc0&om3;r7ke{1*M`Rf~*_Ty!3N6*LCsM+sI$X;T{W(fJa zL<*)zxxu{}E`F_yuJWyKlX~11Nt4f)TTE}hs}E(}o|x}tWbjuDBTf4$DWm!S%-{08&CgSH^Nmi7}SYq}XZE|#S% zhPk!V((}>*Bn%qUUm+}UNQC>wAViSa{KRG9Lb?OH$uJmjQ$8@$MBGqn)wWv9CMvD@ zQk%TRR#%m3?p~buF8{A+Q{X3=osNnQMwPbQ6tYU074#9{Hmfc za5EXRMLb#}dYoz7wB$s0N!wm6Lvu!4yEH6@x`#a_WG2_~bls`{$J6I=4L{h<+9sXA zc*XYZ5NoQ%EOyYX=62+5@6%<4EsqXyKewQ8)P)N&C;8{u_{2NJPbo9r*IQ+UBRj|N zy5Ho~DJimAI53p^EpYmAq6B8)a&)-CkL9h3HeBZCfk4x0{W=QTPYL?xyWizu_ss~xRJ#$YN@Zp)kw1X+SIY_jR2u~ zqQRj>BEKSffUJKIA;8xF;YYHW! zd9_`&V~U{$B`sPzbY)}Fa1QT`Ccq;3u$gox;>9${bXh{OsMra?#N5_xHz@ZR0**`2C z4s8c(j$@LVj_8%+)qLC)T+?B#i+l649S}vQRsBniitTK58uplzSJO{HN#YV35`$GL+jR?vA z>2`yEsZvgx!vBHZxCn@z|Bc?Vh@;Lnq$+0X9abpmD%tGP9aJ&&A!05!`NYB5;8~zlt zrKwffpT>7~t$!$4`6a~4z?V0E0LWV`Ic=F=*?dYf+>j<7PdEQ;czfVDM{|_yQlVB5 z!JNJWnJAtYFlrxV$5Fxskvzo@DD&D2LJ}5s(;mCoOTGvt-4t7~w$wQqs#VFImqvEB zn8o$zL)lNq=pyen@Wuuzk*2yoFu;a49*y6if%4zg*z8< zO}o$IIXsU0oHDLTX3n(fnm+lmyj zVDXK=fcstuOU`VS`|fA9v{OP4DXK7v{`m>5@2XUc{y%$ns8@G^1trGZn4t{) zc_#pQ(MnXXvaT`=DKy`uO7?1)F7Ua|x}M67XQ-9nC=N`*&W=~a5#q9a-(f8E-*8=R zPZ}3`fBQaV5ht&|_wla8O4^d$dUNDnoWB>1nk>~#`{i}Q7BnWo?}P#bgsoGK)0h4B zK`&EY_|`K}sb!)PT9W1~l zG1H1^N!_nlCB!09Q)pfn65kxGeAWqkz$`;yd7?-H>F*}giw_MY7w;v`+@_WEX*^PP zj2Gk+Lw>1jB~R2^a!|6wl$O4Ji&E`~K)N`ZDZ(^j6KG5^a)EfV^Qr+t3`}N_7x#pd z%i|nYtFcQbB7lKjdZD7QhN6Z`FsmY3hk^e<)cLGu-|N8>0#n&X9ip?F4O`Eqq7E;R zIuXwM{U6f;$Cs^Qidb14GY#2r-*EPdAu`4O1J;#;wv5E@GSEP54sON<40i^3~kc(#owSdVYZ%E}oL%o3?R!)83WY*1$`iShn7mYq_D ze`a{iFt!r(-MkqGCbZ^fb+3z;bP0#A46xU?jw5yL)wH(C%CTRsm<@d0GfpfQQ-7x$ z?yWUS3yM%=A}1@G>|�=oIA=Cclr|TjD}mVld)uK7Qy33y2lHX6N&Fu%r~;UEuAI z6CJ~<`%zpA#eBq*U%Wq%gTI+EWq-w_)ccgT3kzpT8!)Q-i5swKP&b6gWfW)(`0lY8(GJ~l}VFJLysO;KzgCCs0w zn0#OgrCIZmiJU)y0QTDk=?+7R?# zYu~3lnrV$dmwVg&ZmPdWJqS<#i`#``?wr`#_Ty&#=vv(-qql}1f`tOqF}x{xcdLe} z-@Hb!M%R4Ml-<18Hp!PAa;?|V=;>wP_>oslB=0dVjgYNo1z&3G6`HN4AY3dClpRVQsyn$JYa)~tz(l*z^;X2D*9ufR4e`>uh1p5-l37hvGF(#U`bDd$GW+Ali zV*R^e@qMcd7j3*#Gf`&a9)cdb_HjG>JUra51HN{M%W)#R&eUALGN%;uN$8K7IzZq0K(B{H-6Y6M4~cbHItbZu{{oOFV;U;2xIkC9^=-9q%&Y$a=#q^}%Phas@_6#4_!+H$#V3O7!Pq4B4l#ozKP!ru zvAI}K4tWwf8LE-Y@fQT|5v3A5_BXRE|BO%teL^}FBXTCBiI|;?i2yJ>SF_tz-BS9S zh#uXEiGeE!rkeT|v5L5v?1$F9!cEGb$$CO%)89EIb-EwYd6gsuuH3ywrxV9568eto zm`uvzmdK|Xn{Qnw5@_$Q%i)cp^wp8jZ^4x05t!RN0qqaf7+>vVDj=l)vE zqjg7_Ho$e^O7JUA{7oeL4{=>IVto@W7^#V%`&w{)9U5_)Oy?SHllZ1H1@=VNw4Isx zbd}BPuP$u?XmS(E>?qRl4%AZ?L@(bwkS$6R6oC=^zMkW$sf@skf^2i7J8AZ4doP|GV|zcl#;8MoNP|slP-Fk(hlmLQhnmcs^qdVs=VFj;lh-S$Tr z0)@%}??Z`@*~VV?+oQ_68TQb)7!Q-lW_&}WoPBnUN`Jd~0$HmOtVvrM#ctu~w-gb% zxL=C0a!fa6J1ALR9tW};D9(^rgk3~_=$%(4-y5HQM0l4zm255+ZZfQM9Ac4%HU<0b znYM>tGNk3SM0O>2KQYVE5gkh8ObLyrUP0f45+n1r&cv3d0r|v3qk^%IUbM&|IR72j zrJ@%4yEUl}1OZ(XGwfHa7`*UOW#V-vA*|WtMl}0I*66FfbhYUy&uM-a`Klt=ObnjM zRng8J)CY+Vj!=<~#T8boH#cj|R%OZ`e)K~AYP!=ncT_E$cW=q9YHTj)>dd(lcnUqK zpSA8x_*~7&Zc%leH(WBC4}j6UGJ`($CX0PIGKQ}gZRw)AYyV;DJH#lbV>%wDYY}$d z5qK1H;oD&c6R|8xPA3}b!hiK?jFw8rj2qODL>8l3QwLzB1f{z%C`ht#3DvSfooX=) z9mK+GnYy?kZ~A@vv+Zpy%umOl7eZ0&vp=ivSDzKM<_OFT4kN`~a+$y7H7RXV)rS8K zh+e7}_Ir=bd6s+kg{$$}H_E@uc|GgEI7=x62)w?^goea&%QuzX$`3B03N)kpQ}G|O%qpna3zM#G_JIF`D?a>xxNJ7YiEkLtC5}H9LCf? z6&hEgA1;}D`6RQ{W+pC!n&d}h=@%QZ($$M!bB(~B$Dw1Yyc}uolT%%Sy4q_0e0Tp23#nW`oFVAaVE-nd?W?NP(Au1(Ij(d?1?X zI}53ir*(}(V0T2|IY-NK8=p=vJH^o=>lVFA*uOoA*oxIQyJEXOHoKT`reA$@`jhZr zOVMoJjPgI8n)9n(OGvzTV@hU;WRcWlcQ|XYi`eh!k~7bRVmV(yd54A-fYcdoMye)F zf_6PK0IQ9LfSD^4i{xX9D`{s(3jbOG7iYSG$@E5@mak4o^2%oNt>*{g{6-`3ryHBt z-k1M1-~A_FsBWOzzdFVB;^L`h)pGIAh^J&2N6HMYz0%vN-qx!14mLj86-o?UB#M;+ zi3BlIw+yv1w&F=@+zvj+FRIr*T~JCvSK9SJ<0#TnZg5nTbClUo-(lIDTKazER2!#X zgWyDv@x&Qe#%pnNor_%eKHYEkpm`2jb+6lf1YnOAz|8R%RBbA zra9eM^~^0;Bf2WC@^ZWOGN9oxt{dWH4qJ8kw)EL?TMk6-**+Q_oZrO)&-*QgK*^^w zt$y+$>ISEf=`ak<-xE@L0gIOlw4I{K&a&A1cQUU!zoh3EZu4x$Ro|vx+B59UXwu&l zJ8j_(g3=M4mptKIc=G8TE~6=p)Q&xCPx5*gN#m?hwv;J-?bJ%7F`0dZ+(YVvAR0_S z>3?B8tK;bs(}j#pNsB?C81lXe4op3(Sr!{eJgOR6^+H{{!Y(1Tg3&{$s{Rric;Zn@ zJiicmQ9tWl!+KIy>WW75mR+>%SjI&83Y%8JT7W<)=7Io~b~~Ka0e4E+ecfL;7GZZu z$M47_LChZtKtSx_MV+WaQ27O@9(jm-90}o0&Ya`}3lHw@%!faat!|}fM1uIyeG9Ac zu)U$wM(QDOIFSaOI%^D``1t5J5eH&4-H710cL#4%J6Z8B!)#P>P@ObfVgf#fk@G2c zEP?z4^Opg{XrtH&Ahnwk6onI~Br2ltUd4u(OYL`3SS4ry+`XPKM=-k51|2zduefR+ zGM4%*X2OEqLi(uF^!yXo6vZnB_T@oPg=nG(>n3{@k4wo(rX}VePDl#RO`z? zVN_gVipLR;J;QMyy-uz()f{`I=UlJDu5L?jJ8x0cXlj^$Q0XrD*y+UnB_h#$NgPeZ zRiJjFLv)DbP&nRD)tEE)#I>jCjgn*cpxx!@$Os2J(xm%*#G{G;{@Wz02_t2oi{Lna zAy3OrEdjDAZ1V+pD=DM`b})PV5y7;I&OR<20jN~J9b~laG&SFj=zl)owXDo;Z@{F6W)4ElCBteVO;t(JYmaP&%aUT2T` z?CbQHT&M22O8+@Q`cE+1^yRc)7w1kwLM~E};W?t+3;DItjS%l#OKj;|bS#dUb(9JQ zq0i?W85-wpP<&uJ?#%#nK_DC3j#}r!so0FH9=f`;sg0RrB~O*;(6L7ni#rfVM5&s7 zYd&0X7;IJ+j|?6~=@>i~s)m+2A4DDb5Ys6QB4Vp_VV+4zK`BS+$XkmZ`P`9?th~=* z3*)GVy|m!`dX$P3@6&aW;_BEU^2c>kcXHlSX2c<*CBV+pQ}J+n&fh~zK=zIL&TR$B zj5xfj3hpL54;Db_h09))MaTZSu5pCbCOc&h(RFGcl_hl3@hN^rLjyH0ZJ{9x(|L&| z)~fyMzr32rNWkKLtFx5r>W-PhXHKUHuJw3bP>UL$X74>`X0rTvC zuFimj?0vv-uk@xuDc)%REMXf7d(iurB8v)ZQ9W!D2N_q(DAI;c8%YLUbf;e%G}nB) zE2@L%jZvtNNiYMd=4>3JCfKEuaBnLW&Z)kPK@JF#xkY!c_ng4}{#-I=Nf_@S3q|)_ zV1<#QH^}@v4V_0lFwc^a5_-Sk!V9P_aOPOjrIbabqcFYu^D1NqX8I=el=h}vf*m)$ zaV-DFVqVU$TQ!k$P4-zn3xYtjTGFt&JH@8QK_WJ4==>nrP?N@vD$$fTu&;2$fTE~> z3l6$bR~cOwIF}JewYKLi!Xh00!<1Q&Pzz_X(0<(WUvDuXB(ce1DDoXR;2QJrp~Flu z0rrQ_@M-773SiXAhCp@vsPiLJ_2dzx{dvk9m)O1d;J-89-Jq=XU;>`TMGm4*_-41c z<&upPREXTL^cvCuq6TXZyFuc>q9f>LwYZ9_V(%Z$A=nx5kQnC1wJG0T;#^oKBuw_SpoOYYu@2<6eDZFUW8+SBf$3jK6KYrn9^$A@voF(&$8QHhGr)tjgLT)dgf z62uIi-f80q9`66Ait`)ESs#zFPT^>dcGr!i#LndUm zL=Y`K2X_W~9WB8oOuB4TreNbil^$%0L^Y{rHCbni}P?^OgbEtL4i-5-zq)bEu` zbKcM4`GWT7o!=S&UDP$nb6q#UK2TsDd5cvWOVEZ{wWF=^p=X3B?6*h)<0~qQ?_pg^(E@i$b14DOJ!^*vZ@o7#+3JBvK8{r7gwC87`K}5J>1F-Ov8MwE}2B6c`?Nf+1LObmx7=`oGg#Q3|Tyl z2H=JRljGDRg&AC21;c_bF4*F#%O7pui5t7Mg7s;V`DCHrgndl{v|^9ce>uWkc_U>( zKVRKTi~PPJTO(z%@wIP;mM>@JcT78q%3vLYVMyFDeUR8p!V;v?w`W7AG{~wh zB~(xh#AS~B$)~U`Dg)i9BG8E$OWg`!CQ-zxd+5&EIGwR&2 z28XPSZ{PNZmJ6O8XDsQlGKL^?##Y*cM)UQ?xlpd6RR&CBd+VR|)mpz0a{JtjM`_%Q zOij-b%7eQj$aY(g{Hm?;XUx<27IbgFP_0rFRi2}}0GaWtH}RoQ%Px%-;T|ql8liR!35mk|w$DoG$!|HG^VtVN>`jI3h^9!RyQ>(MK zdK9mJaL@g`h2}($6(J28Y&6wt*FUnpv41F6Z0`Ojno%*?U^Jq_%=xA`{inLCC%Fv5 zLj=w6*h)?B^qEOekuhlUHhs)^u->2Xyf-@BZ@<0{j10kKao7^NYY!W*;t=?R5ZMhy zFHn(sf3hvs{M=L!R^0gB>E|M+#{HB@oSc=+;v^r7WSvc=`DSxd9&eaD$B(dhyj3(Z z8T+uMXen)J_CGwEe^^BRv?cu85AR7a2rDpS3Pn%~cC8N4x=j*p7tL55LxGNr%vUD2 zO0>Aw`^f}ztCa{5F0{a*^2HPIY1*fV8lNGL9Ys9te#(u{iorsc0C?@fKD#630XIfE z+G6E^Xm3GwETK*O5va{|a&_l6$4X6F?eMvk*$C%?(SE?SULZ7Pr~#*!+uiwb>+Fak zfo)~~B~}}Lo@?2-;=H(!0!+LdR)~@?iGfE&LO>SDl{k9Rc*YyV#V9Te0^cfLwr`%` zvY}Mf6r}EuC{4J+a^u$MOdWz0Fbsou<_4@xb=^Imwc-z{C%@c7b{xTbGH@MteiRC4 zLIOYWm7Le9uJSDHqUTVd*<1RT>0R%k);1$t0jF(zK=}z2meoU9Othjdn3yg8y?~d< z3iVh5wy=T9OL|vv7?@<9WXiHFk?Br^2v}*hdSG_^1Pr3u_abNYm(`wLGXSL-)IW(yuZBB+s+)gUs4Vw6Gx&>4!}Iv z-H`=Q;@G)ZT1|Srg(*jeu9MVkUo~&BduwKlL$U@1z8$Max0CTrLDRuX=mt_0RzE!>w)C+{zxHXSUZ2M~MDn4=y_xy? zt{Kha!FC?T)`OBOQOx6OpRf1D3v==mAGms-mymQuEd4tgE<@xxMd}UMRi^7CBJRd7 zTaZ(%DIJZ0Y)bGcUTE0+l*@C=q>L#@iB*nxonJ7!>}(YHdB zRY?%j?abqr6-_p{IVhFw1QIK6bN_~E{dePOZ={#L7i%Wz{5_z*8G&xx*cwB|ZiHxt zatUEqaj`nxUrFcZL{&B8sfE5d$eG}L9YiXOPv~ZRW~hXrmy;3Lq!+i4D#x0f@qh`E zwi+VmARwA2u+a4GxV@zEy)xB0$15!Fz^a-N9k7IbL^0-f$Y{ES;r=G%9WLX%h7pC(O_^52%>$88Vtz1(}-vh)4f?TiO+d++?eGt#j)>Z@^f9n z$FOsOyHZVDh2jH)#S`?R7z@AFy8Y;Y69*7Gjn;-cxxc$unk>cGbH1)O?mcW{;ezKx=C7$={qWi`eYmwIpnr zNlX&8pD)3xo19LRk{s!=7pI}D1`4MS9|k%Nuf3K3CI3Co&$|`U_=*5cNvKt5UDf_lme?(i|ySS{vu<-AY8GgKy@9M3psG$KjiKv6s%#FFq>j z%~8ak)}_yO zyfE*BnD+gI@>p+6%Q319y<4&m?Ku4kUuf-nU1zfW7oztVEOZn_^tAt+&xDJF_=`wX!MeBlv<`Rfqm~q*nPO&*@vT zyn=5%1ex9=WFNvxzO9FlJ;W{kA(@Hxdaa7z;PZyH-L#L^XepUb`RcHYz^I3gtQU7# zkG0b068lUW@FSbg*?kSTk$G^;Rwb1-LjU@4tT|8koQ~FTDcKj5;Y}?aqlKa)*t+Kb z0HqM|$ZS1+@pFPa9UL_M11Mmfwdr_FAEn9r2wKl7tTmDa-%ufstX%fWbn5meldV2o zn45iX<8LC5*LH2vtp(R-$H$Ves@k%Uw&g)FN&H=B%P}lo{p8N?RxMj*E&54ZRo*-~ zMj<;aMfSR)J=U|IzIe_no34)<8xd8XLABGZMJ`f`_KJ9R~ zc{Y->i|W;MxrlD9x%Cq&P`x(K{yv@4oup(Do%(vza#2ZCxuFEGeAxP})1PU)dEy($ z{E9w$erue%*1fEBJu~5~B%WL5#2Rh;AwS7(g6P2UksKE*`D&<`lyOVyiGlre^_99x zy2^nv^P<9Xd=;WHblgHVZX+%S*8F;9u3oYx)>cnbh-A+^@Vz(~yL&X|N~>?iT!rT$ z!$lKRlOOM4d6+eCBOz$5%f%dcNNS%wYK>qd!JjLjYkk2xAn<_ew7Vt-mTP!cb=p0) zr3IwBOv!d=gJ1R(nkB8H6f+mp+=d02k21=Ig+JmtU8rq}@~u)!Q4lAWkiHD9pSv+O zrsu8WWTZM_r&$?MG&c6gz=oz_^qmt;cv!>en9Y8K>p$7!{^@_!V%_-S`>9{3wPy=- z9o|DjtoTH$6{ATA$%F8V%} z_J*0BXxJ5pJ7uCK%2Kq@swo!*U6kF-s?Emjs{Qe#p?~c?SrtxUS2CT>2X54`P5pd1 z)uUnGlvT3QBDIDtQQmC{_C`~v^ zr;Ot)a)&UcRTw65xIcWk#w1Qo=RV`__#Jzxyo6H1(}j`F)vt+YaWTi4XxFTN-K#9T z;LTDf+m%w1<0b5IE0!Ip+AbNGCC*gC(}WzH*`lG3$rZn-(< zNl|}!YUGEi$Qa#_g(F(mfAa_X2CdA&=1;MTLDk@|ql>WVFwRf8VMCNW=DG_R80zFk zE-`CyiNU81jXQEew!?WHiZ{UId~}*!jKM|}IGivz0&KP6MvuMWr0eFX-Z6@F3MHNxOpJ)s*Dr$qKb_mx9LhAbnF6OXh>B1 z7`EcWd(W4nC@p;U3@5yW*PhYNPs!wAZ{bdvJWd<)D9v_%bI@b=K!2c!dF6T+t>Dbh z4l&hYr1>kT1dyKh_TF{0!QWh^jae`_CGb#yx?N30d?)a|EHTSusPhDJndf?Wx4PQP z7Zovw4>J%!rX!^$lDQJ2B4>K5f>)3{!zERpe=|-=9kd*72pp(#n4U66=@b^HcSJ&d z2HN>O5`X@57OdqZ=)m(&4>zda(7HY>p}b+OYHuuv(q+#+(w8hKZ(}z*SyLPuj9txclJL_C(;87 zMsbxBlhfvnHO?hb&?jtgFiCyow+#;@$~Y`}j}K7)$`#pem~*k$s4Zo+%I>`6TzdN= zR%M7F;lp?{J-FMZ49O0{lf2tcN%ravzvO0wN8d0N?>5GCwi<3k%_U`juAC;SRX24} zb_hr~0lUdmRLeI&;_4`o&+3{eyIngJR!6TksB)d#@Ip#oe-L+d0z9u?MT zoHDv}AfbeMKJzB4eXBb3b*k$;=hHMIkcP*&QCC{6E+yc3O>7BEdkNAYLmWDrawi0zxPiPetLXIDJ4G0KF^0%mR=+djS{x{zu;Wlt(+87kK} zXFP7Dzq+95rSe~xS#i1S4}(<@QMj@%oEsx=ZN{ns(X|3WUS9+WITgmQU7J8Ftv&%I_CU z(n8oz{49BnB-X5u+EXECo#zHhXC-WMng~h{UqJWPPyOxO4f}{{)DLXFg*PXkevF-B z!~N|(I-8Ge&firE!#MYOzAnD}K%I^7p-uWJ@9nPf$P-lL@XKTTO@fzvY<|BHlt>CY z7#dKQ`b_GuBgY%~-txxbdNZ0zt1bCWAtMFz98{d?yVRpm1T?|I;zee#GSaBNJYCb# z&_VIeUueeQeHTicz-zSH|CXY+C9T-cc#U+7BCCNUZz19o92PPa_H{WjTe26y}*i*>bf zGXA5Q&YH;USM0>tdrXTl(71|>GH_En@?@@WSeDBj{1|j9jyp6a-D00o>7%TD%fEQ# zrmomr^BlR?j5iH-#%q`d0aeqr_AGA^?eEA;+Y2S$!GJ&g!hi8Y1}yIB3~7|) zE)m2xW|-R_kqN*9#5ivN9N7X*autR@A4)7=;N4Ue+o*aSPe$qil)WtFMAs77{#nLb z{jXuwOXh9FXIaO@TZq@-^O7WNM`C*`82<7%{%_j4T1@UOMGLCGy(mt9NOF>Y<_+N( z1#l(Cc(}*@8~6GDJ&(u`Kuv(P>@;apy(ao?0~SF4C0=Q)w1-d7U7>oA5OC;94KTGf z;G+Ebbz3N8z?sb1+awQwq>A<1Ykx-W{a;hM|C-_HqGNIEyuagJy9rTBh1H|_g-$m2!swTa?& zRp)Q4uTN?eR(<9lLKO&LkwREjUgPUag{S2ppcT;r0h>o>OW(B49a{Jj^0Cga|N1BV ze}3U_=`Yo^vs}SF$!*O1=Qs6_kK$ieRw5o(D`dRYz0RG9|NDFVujq3B`*+!fNWDPJ zcAk0mrvDoP_ka4DhYgT>M^;oFN+ZeT{`@Ka7az|5`H}zQ7pn@QQVri%`L6bF%!&Wm zcg^4Pf$52-w`*gqr?e?BB3EJV7S)&lT&_G&6v;2nD!`LzkA;ZPUWLTFP zp=w*ujeUkGigXifpi4Bg^_K?Hv|gYO&sJspab&8Jq9O|TPBd*ZHpGp5Fz9=!(Rr)l zG59(ls#A~D7^y+_-+O0zS^XEPTIGLMc&s$8>NE0Ne_;>;NXe(o%fa90Q2{cDPp#Af zW>MW@O1YxV#o3V#2(q~9U$YCEw)%}bfh;3o6||`Kw;#dVax94qRHq0)+{GMi!Og7+ z8Za#wIj0AxQ@v0}sLJ64ixOwKjj05-q?-*=> z9uffm$vyo@f0+TDQmSGUf?N{hizs09L9W%bMCwfgSO6V8sp zlMHwX{f6I#|BVOXDPe{@IXUUOKQzozq=bGMn;Ez)+5Wz=>+mbtiYk1h~!Fw$?fl>gi}AkR&!g(`_v_9={om}ktodlM?n2ld!Mr@(9uj3 zYuF7@AeHkHDn73!vaQ>yZcn=SyH)F+97C}K>Suj(-hcfL=i&M<%zm+~TSzFpzh+;} zgo-#qM__7-)^-zBm(>@rv0Oum*CO6o=87s9^v$zgX}j6iJG3|4qUJ>nW;({`yl z7&RCv@1}dRED?l^8#uhP1zJMY_i4{kY$vMn3vrC8#Ba9lDb&q^HJANEXhjbweg;>; ztE&S9KrL$t1eIG9#(yMn_^{97t%i+P$YTGVEQm}}%h)`Coq}j$A^${zR7xjYMknJb zI+h98c0UiEg9I(HR$f)g|Dl#?F?H!PI$?} zjy3XsJ0(;fpdL$r%DCRY zdc^%LV_SE7e`)Py{edaTz{YC**v=S2lZ7C_7!fx#YQch=(v5L`3?jVWO{gvhYz`S!uVWJ@AagX+Z+6T55*($@7JH%Khv(Jhl| z!-+eIlu^5c;eEMyNb-VFw|mIV?-s-=G5K&Bf)D-aW0)>U)V1>x2Tzh*dtM za2yJU^DCA)`dBbT&^PPz`Fs5^j=Fm(XZm4);$K%hnh8=1*LFF*e%hz~QQj6rULkqV z9%l&T(-H&)v~V!jb5RV02BhMCMQ{^od%sKtZzy&svHB-EI&ub!X*gh|DBaW8yY^5y z{f^KvYtCk``X0Yn1x^rs|G^Qg*)#ys^eCerZgPFsm7&~dAJ~t07(Rh^Rc1o+_le42 z7`nKM784xNnaf1)eg!Nc89UpuAYh)fp39l}uH*-w{oEdbj3nq6?BFK%q+CF_NH+A8 z9}H(`Q7_Gqj9->OK+@Vi$R%eyJnZ3)XT0bjR@skh?DKMgXj6`yZjJ+~9gHoK(}p2M zF4EQgtNa6q09{*9AN#}};dHXOzkLW-b6yK-Mj!f?Tr~yaRQ~kF`|q{3YC4e@-8AN> zlt135|6R-d{bvedq+Zyrlbrqc0%O}36`bbpA;nlo2oyRM(e|~o!M1%#*Rj(z88Elh zoupAz)1}`)C-f|%32Nb6(b~2FBpo4Nd|sf(>!rZB;%CAVw&6EWAz5?OG2mS^fI8RF zItU?L+7V~2o^&H;W0&NH`HK;#sY<@}%2JU$pV{fay%U089cOs%tjhlbKHwlsLByWr z!;#UaD9FrPgV5y)#2ZHYR*z_FAl9LJ!(z|kj|AI(^g&GLFai((ZKC`w_$42}&u5ANY)(Dj7{J@vlPO*n+Uu70YxsBU8qG0zE7Y@ZphpOS+hb7~8c8Dv-?=O)D3lUjhK>s>=Zo zXmN5Fk&F>&Vp0)duS0v+PmCd`L*+ivJzU#g0$l645XfAA3-{;s%UNN_EBE}m6LXNv zk8drd5^w(sJhA~{zyp1}y-tEpc4>)=R3I(&Jy;Z9_XUi&m4p3bkm9_5N$FhI+p)r; zl;D2mpR1I}`LxYPXwA=+v-!Q09+@4#yK6wZz7U!?-#A-w{c6FKaPp0olV7fB?onk^ zXjbc35W*m-ec?&I=2E2g)j|A?T~T>(fDRwK(&&)BM6U!Tg;{f#n?zZgF>8c`o3__T zeZA-wWrswkU>%eTUPq)yWYhM&c<##Q4ynfpNUV9((_XgM{m7?~!ef#uw>R4b&8`=f z-Tvri$IgjZ9~qxO7DD_5t$;)N!HR*!)Ou`9;-PRr&W6BW(CKN0N_oVdS?*KGP?p_9 z=o<16GG;{TvG!vE{>g`7Ji|cdh`ndM4OBTD09t70k(tEC315eN`afXMEeONG9(- z&R&MwY5hW)#1Yd14xT&G>{v2@%mY&Xye4DDZ?-g-ST+LPdoDCmQU_4eRSrl!{e+uG z&E1YX5v!g1aW_B`b&k$+nNh`$)VJ{_3Th_|mXuuKhWGHT6&ln!9bc00y?nlv-eXna zb+n1CUBLMAJ5=LeHs|y{9-No~+Rb)-ynGcVst2!!5y$kxE#M{%!`L;?H1`a#kxK0r zya5Gu(4K;fzPG$V!$!@UQ~3F!M?2lNf>L=mSCdzOK0|f;d97ZD2d-HxjC`85r(|BC zX}1z?8yh`sL&Hv3wQLo{3fr1NVc|r@^hlA(AQ(>t>^C`bD-;i59)v0=~|xc+@tWu@F(9g-EQOwvr>ibLaIsShY+u zAY&rHM<}x-771#EP*An`gF*k~I3?ncuH=a;%@+Qeg3It+?P}Lcz{yVR70eQy21{LJ zNWVaSpy)uIgp$?e;C}SdGw}j_D82H+^I{shx_tO>{0x&BUxDw>K57AC#^?%J4xU?n zZ^wRjimVL2AP5h|CV1CQg@i0CfC#mmLl;DdJw+5d@PdPAvjrje}#7D3XpcOV1VDIxktgW$RWBw#%4|^Z!KMTvVc@A)mgq1+K$~q za?IG@e`zW?KKE^%!knh> z^Pn8N!sr-IoYXKwTdey6>-bTCP&_@T!|5H0!)~E_mBaL4TJY1%+at(Bnm6c$bsWLO zBD9z5KMh*K*W3`&Uud%%*EH>^bX&zpnms-_TwSI=T!2XLY8}bIL&CDr#@S$M?6Xg0 zauv&B%~*(F-yqhVCY-a`Th5Dl0L=Yz7O5_BGL4ejEzG!nr+{VVd#fkynZt>AiZ`T% zN@xLQd>F7pa~zh*OMT|giGP3&V+2wU=UB`KoQsS51t{3cOmN0pE`GQ-cJMUq$XByq zh1!4Z_VtK=UGNC7WcRT!o#QNs~n$sbLYHz=u^_$q@u@LYlTfPR0i zYUZWZ`!KYjsxJ;{huZ}D)t4x>T31Viib}vW;&~91HWm<>xpB-kv@W)ayQXw~MgO>O z%lKDmjiz07h?ieRP;JqESxxn}TBgq=aq`tIwV@0&yP{ovYgU`DeY-Z9A)?|xcI(^c zJ{6+XGM!}yg{)RdY0ZgNXUV2%M}`#%uI7+UR7|W+xAEwV&~5!>hBcrbU)^I`Jg!6519hXV;4riMai zg*(!#)K2vMsnxs3tx$2y!l+xd=$&7 z0Ot(PBJy8n4x^>Za) zbXvrtRCh@9aZgVOeT<$?48d-=+dVPYT2J5Y)6DNC#N?FR*ln#}2du@S-nxq(I-VVh zM|Qff`>OxKSFra4X%XHFsYYmr)ojc@wAP)*UE%s(Mt8NhUje02tWBo8SLtOTzPnBP zIFeFbCo0bs{riWSdy7I=y~-ae$rc|4_Yk$ZGcB>ZPjL!c`%kp$2Dz%_2J|{#DbngC zSp3;O$R;6mvZ8khM!U*i>iP9%Bd0K7(bPZIZlg}0dP(||l!t-ZUGmo{dOXuxo6p8K zNorWX^f+p34>v(~sAu!iRDyNdS5PC?J2Y8xog%&8B9FBct-@i1X3!i`>8MCu6NqMB ztpMIzD>s2Jw_h>tYpDCHrsw~UwX=Y#I$hg7Ee#^A(%mW2p@4v-ba!_Mn{E^k6xft> zNNrM(l$1_s5b01ty6b!P%=?}*@0@eqneSWQS~F`o4DS5@pXa&n`?`KtPQc!)k6&f( zGs7JEF&0@*W!J`&Uh4SX36gzHhj`hL=W|VWoS(7*j_D^N(5{Ks{A5km&vu(!)<(tf zVqw#_b(55;4(A!VIR~pA9N-Xp0y*PAqqj&V)pvZ>;Ev%3v!0$I(Ibo3{m}3h(9Q^%OLJJ7YeFgKu{6((xC^ zi4(ETsZbE4AEKMl;WSs|eM5&NCWnvzX zS(6X{B-XRfo&+UTzNk5qNW7XL0;V!Pk`w3xW;H!;{fOL|0h9n=ioSdWLK1%8GiTJq zSy%h)$0*p@bO5GOB9$8OR%2neZUr~Y>I*h!^I1;nV;56uj6OYZuJEPiz{@&Pmk&gU zJ1I0F3PZ328!KTb1xQ4HqWpvBc`y2ICBzY&fH%PiUJH2Wt2Yzw>VG8LYhEH}C8F}B zU2r>+_EFo*=pRZK_SqHgdJT?*1~#mnlRiX~PUEalHm)vX-=pqH(7Beg>2FWuB26{~ zQZ*2m9fMiY@L?>wFh_KdDPZoH6U_~6-fd4NaPI(U3-kBH&ft9f7qe0Eo=#VMQ=E0S z{e?j<@YQEPcZx7WFaWo$F1VgS-Wd%^z0Bo)WbEvwP4>fRc3^^W1Mi9JRwhhj!~P>B zIHcE+9nZ@~BLfj3)OFWT;%z*&9uf!QQJocoTr3xH3gWH|n0E~3>BrWba+Zj~c7SNf zG+(kpokhsZ0VIKM5FNn%o?$CZxS+2B;qEI*2aI#3E8dV#hQHqIYQISHJ?Nd+?Go7) zf>Y&@dx0MRCDjhxn|`9MZAUYRJu93z)trJB^n$l8VXDHjjr==aGC&&~_<$|dg{EwAwd06ZMe5|xB3h?_&0ZnNQ@R84IkGjXE)3da6^FJiwW zhvZAl?cZ;VaW$n|R%X!cwbmE*SGZ5bWhJFzZL0M4I z_nDm&+OlTa5lxvvNx;dDHjhz#9J~7tq=;8+f}^_a*oQZs%9Rlj?~>`lO{?Zh#DE7j zBRCDhP8zWS$6lV!v9{8wIVXHPI~6?SCEx|6v}eO+LhKEs2xN|LF#Ylq*X~ZxidtWWEXFq5G=6 zuY?Ez>HG?%6x(?1_}ka^4v*Q{^vu$|lCXH>^J7YUtc|sxn0;m+U{YK>xc@*Sa*ee_-wpwb>CJbM0 z!b>`<&vhia(+$5OS<5PhKzK)NkjoP+Qf-L--8s*X4m#x}&oynlWLKvnte#?Jg+6-C zqwCexh{o=t8`=v%p7}7gT(@!Dyd7Xx_9qn+&i2%fpI+Q@gzQ8 z`u=D^p=AiPRK{)kXEoo~8JV~t_Svx3&mY>K-0Suls-}uIsyUAG^aUw(hQcpCJg*#* zmL3w?Vk>ddRpDmwS*>T=u%D^$z2m3p^{bjIcHmd%ewuA(h){Hq3*vB#QNh&&Ca+7U z*|6QN-q3}Mfel*IR@Ln+l6$J6wug;{Mv17Pkxt4z8T~D0cDDBw?vG}wTPr-$NpHw<5VlM-%LN=0cc&-z{ayt=}M3h#u<(g2>c^d0V? z=G!@DQYo88*+DG8J)N+}x-2n8n(VcN9G>-awy=F*v6|=0B(p*m;(k-3MzPfdPz1Au zfu4Ak1z*U;S&XBh!;F)``JsGM&-1G@^P2fq!CDiX64c_)*W6vNOp(gkwynlJDYQQ8_IzWBZ5SaTtIn!(!-=_?#g7=sU@~-E z0511AiG{DAsO2#ZpzgNc4q_!+omXIOe){sx3fH8{EP{f$*tsJ1u($rm{1{sz>HQq3 zNgtk4d)wnXr~KR3`2p9euU<2MsDe)#Fg{ zM-iy#nW+I1UtE$aWRi2RZWiwm!!1E2{!H9;363fh0blqpgT?n`uek{<^7fu5OC(?A zip{oBo`8O(kNOI>8k4r(Q;&5w`VZN3%Trqfp)Z*&&(8N7z4n&_TR$t{53|w6j@6;< zOmsIC7~@j66;jFNz4R?a>fyPE9t!FwwDqr~Zhc|B%=y9v2J;?_XZS8B+{7{wxlPO49J3%%tbOT!sm z+-<|8@tTOTfB!62(o%?+;C=hIpN+|#uu1n_H*;*T~g1Amu?t_(r*B4hFKcy ztS;!Axxl4M%OoLN>Oys7E9Uh0(J3RowE$GLQmHlV&ACzHdqFo#1m1Z;-UZOEHCqcZ zE`m@5H=?TrPUYiUY9vt65XpXZOm277_9#0Y*$s#jq=OlXf7T>4IMCj(sF6Y4GEG3K ziICkQ>%0!HdR|FA$p50!fw6aY)=C_}IkTm?Ipy+S46%w;DCZ1xidWn75Q%(>qxj%=8_>rhTYZv1*SlOj2E-dTM9H|O2|Ili5c$^x5Nk z7_ybugQ@?fdSjriE6`2ukk1hIEF&5g$|0fyiDJ1h%W9~@M1zMNc+_eE@_f{A*eXCJ zv_&3Ioe4X)ue(OdU}D2J+@&#BZfygG0M zt^%G?+LX)`!}&<5WN@m1dW-+{03H2Sh0>(;Q`Qg6&Zi;72)NNWH-fh$hm-V4`pdGP zjY`eUI|pBVa<`Wu>Uw7YRP*v!QSc#{yq*t^aJr5+{klDbdlsoo*Y9}3!j+1mCI;Qy zQi=wic!$|^tLvp{!|D6FFT!H9{X(8~K&PP6(fQ4q=7(rnUCCBk$st7T@>DoDMH8H^ z)l146ic_{9-h$J1P&L~xlsP#vJ=uNr zdbIiwPr`JyM_GixXeJC2o9%_<`X=#2h_j!cr3_FAKfLDj{_ZiQp{qUHR}M9TdHKDv z&KKC?saB2Y@q4sRzXR!IaRcXFRzYQLG8&rXQ}88{zgxLgTKkOKL0SwofcZ<8Dr*9t zaoDv1|D6Fc6U2ot1A%s)Z+0v*U@-kq-mFmYrboKTG|UyCI6 zQStDGcGq-zDeV=W)6^t+1&H-ekAb>Ja%3J4SQ^4-LD2oR^^fus zs(aqJj8s2N(U^X!)4&s#G(X}WC=gWh+p+4URlR}=hM^ONhvRW1& za8)_Q$ujIO)2EnH5(qpT*8Si6)KNy~)s`d2 z=g#3h`^`fDtSF2_Uz8|BmG^0mi~iJJQcb@c7)(66`XHxtL(f6eED!KAdI32_ExB97 zXd84s-at=e7QfT#Ji^JgW#W|FlSM;cnbbW4W0(nec);L0(x@zJZ0cFp;7?DTCZZZ} zg??nY7C+C25$?fJVwlIayTtN7#w=g-nxCt%$RTj`f^qV)nh4ZpNNMq z(anQ$tSb?H5YZW*1bPFbmOG2Rq|J6-ypo!l@k6&uaQe^JHw*O*f1V$(v!q~>zIrEG zblv~Xa9({g)FV6XIqy`uitYXe|LTMxD$xlq`npfhW5OwU91sR)xcI%h&ZzII4rs?q z!2FPZga|z`b&9y>Ef@8m6@y7Uy+yxwdeRzsO#)VUHiBDexu|`jnxaP1y9Lp#F9ZU3 z9U~EQhsKHI$sZzKD^0kePwlX=_YXSH~^W}C57&!k_>7-zFgUTNG|Eiql4mm+FmvIv;`%>GZ ztGywatuUmxHir*00an}>8}m77-a3hYeeAJ?N^}w$7*nfbo;6ZAR)3YzX zQZUiKr~ZW%qz+mhJFhq z;DsP~H|aY=*PR!8L`3q+Qe`r$q>)04P?p~5o#JxxvAhG^PgNB1IG8+SHk5bC@(DU6;V8Ko~IYdw51hP|K$EtZP*S= zWF%z?N8i|!>D1C_wZ0ezUm!Qi(13=Mzf8-7(U z(};YGjgXAG_-5n*>zY32mXr=mVbHg^Rt`NQHN$dm`@J2_c~j%&qf6qK*lhy_p5G@n zkx>e=vFWB-O+1o+!gCf!dUksPasfKPShr8yX3|mZ>5Un>xr{4iYyZT{o2kZMAiM+6p(go zNVKykocvSp{^>o#*Gm@UQ;5>ZT;+8B;vN3iyC2peB8+?O?m+hEvmldCP0H(3Lt*9{ zeL!Jo-?FrH0mrYAmhZz%=i@2PR+|`G?h${pWIkVO3Kgolh}k?XC!U08$121w`QIvB zhe?^G4r>=(8w>u&9pE3kL?IedJ##~AP9@o-p^pPExi{Nw1uZ*$IPo~6Z&*~Jh?>b$ zOrW6y6s%T*^t&6vQ>TsY9!`qsMW%t|GLL^m7}5kH?S;Z1`7~~OZ-GN0_z8w)U758@r9}*)|CETViPtnlYeLjd;P7X zVYAI!Emwmga(6f^jBk^dY^A1o3lIbWEVXl!FHvrFjAy@9hk?BY-Hux;#oH zE98!#S8`zRorLr_f8Mr_SQhHAkb%Jc`CDRSdNIBH`aPRVX%Sy&g+_1tpXu=W* zhDyDP?lL1_EY;8<4(B`wQMj9^Fsey^&?;ZdJo3VkQeUdeH4R2YpWU=!-z&zx#HGWz zvV=lqj+#%*+bVww&R%v5P+t*;S-ujsNg=r80jgQ_N}V{Uf~M&-Wu6_FEXzPdtBHrI zu5MSaTIg-5d{i`$$wf7drw-xnGQvZoJ#bV`oOiJF4ac~WlIO#y2)zNvL+_YgqbY6} zo6vxx;RlTZ*9}-+RoHc_D>jqe=ttmBedNs)X?foco$p zaZy_a#Z}+b)jjvb`uU6X<0CYfT0Zvh8)ysiisDc^egu2fn&IOi3G~^-NE(}yg1LqY zisF0(rw0JBi@n3sMZ4Wt>8J|?G@?#;6I5R^*D?ky=%{<$$T0U?7!RgPa+n8B_wtBN z*i6|P0MK;2=N;|mbMgf{eTtv$Wp^@6a+*Ij0lg09Rt(TpvifH30FD-1yWL(~5_!az z;8w{I>e;WhfJchiC)~4Nn|89&oSXPUp#Se!DaJXG`a2@$fcYiqTtg1gn0bzJG6*QD zP?fUFs!=fVRj}D``Vp|+SOyyF6t$A|z{ittB-6y-X;xUnNS zuVpkP`;~lKKw6I*d&mhWjDFl!5emKBCau#)@0M3KKFG+y&yaob;~LCT*kM*z@&=I{ zWeuxmm;fusbNmD#<0rs8VM`XPWi&U6k65MW$Kya6WRV>(>**K5lGH(m@Fd7)jSJo{ zWiWs@3#2LGKu@nnZ^eM(cA`{I09Bb`ug8QOnN-~0w^f0(Z#)TsQ;CP}J8f^x2VXJs z&t-M$iSUzO>gwBq%4m55x0)IspcO3wLVw6^*%1oUW#l<(hS1{YmA6lD-xat;S=BST z?J%!Ir_$?tgNCqijKIT$KTq)1`Ly>WRPpeBI$6NTMh_AhmmkxjJhb2%a4@xc^8J-T9p)$_zUJ z;!TD!8QsFtY95v47{;C-RngyT?6hh?x(5SOI$KorD>(CykyU$1A2K|1;5vqn8}GsM zi@_PZkRnh%w+mswDWW#aQgGTirdb6URjWRGHrUlPwJO3B6besq@K>f4T*-J}vwy*UhtlBwGp8av6saF> zn1{1^0KKjByc347C1w=3@SJm_j+DL(l-6aCOTbW6D?6=A-WoJ3w>`PDf+f-f60(%w zn2t?Qy`BDIO;8{7s5C;8uf^Y60H8v+D;mh96_zMPdL`eX9-GDP0eA~qU$!VyXD;Q$ zV+v^Fd<3H+uW?LRu=4oqCeZeBMX9gWi3LQl-C+`8U#9#QBjCT;93>v194%~+o4@#2 z=m9znHEPD}!g6n=G&-;Ld+7J*za<1GaY(~MjkP;R3B+nyO50u$61URRnHb_Ev0UDO zOcISJwFJk2wvq7z>BRt_{WMp}BlKk|iD#{Zg@HL^K*VFaR{9hL3D?pKG%5zId%M*H zQG;nmd1^~slRUh1l1lVT^CVwU&ZiAj0OK>S?n$MuQND!B434?FB>nn!G)LHk41VC^ zEGU+(*8-(CfX1F)BVR*1^AYl->wSmncPZ*e+_3LYTn3Jn%XXGol6H$yD3PX2kbEon z9MG6#7=gUqbAXa#{n;hBAmjCKc;0u{$b=_hlI5VxaNmg~=a(nmU#@@wLXU&~aeqy? z&N`6nyL;D$a8(|4(S$u5^d4B@9Twru5^?Jyvnq^N66zi3TH!(OsnH?c5;>pCtC8^o z_8%B)cLVm;@#9!Y0IZ17C~KCkkbw@w4>=qND=Ucp7@r(v)h^O zv!g=J5FL9<&~SCyax1FViwem@B*u%LQq*?ICO9rnNd&r#Y6UvCZRDLPa( zD(hzVpQGAaz6Y@o4!hST>`$mIN^2%Dg?I85sM8-g%%U6s)GzwsL;=<3S-Q`Uv;`ud zaxa`w+RsvTQM;bN*y>H{*cmw z&&*NndPa*M6Pk`5F}$#@=s~tgp$w*!6M50ezfy%3<-(@K^eul}3ud8g}IVF8iqx}0x5rCGoUJ0v}+4Ghq9+H6fS@# zX#(uCYoC>?)RS{D-ryG*Bu>@@$z#YX&1S>1A^<|I(UcSULm1&d}fW53xY zcCo{(cxU!Te@x?|q0hm{zue`Ga@89^W>#e2&bW&>pz0O7RBr}+TxuT(EXVy?lizqG z6)hqG#7()?%SKX*IM}IqvfiLw=X9dGfwf`0$dGqA%Qv^q{hd;);fxHLdkN~?wU^Xy zDoHOZ;JGXBKf*OfTV!5`g91b+w#UrL6h+PkaBG?TLAnn}4ki^EyZf76;BiqT2~cG2&^;nPT7jXfI#Kt5v|c zYcJsFFO9N98nwbZ?I^&0$NZB3YyhUvMj#G=d1>Cgsx%P8;!v0|*-=0wTaEHDY~Sn? z{!HKpn0xgeDWhr?9#xSvDt$i|T3RM(n+{#|$sRjrK?~IGCWSrM{=zOG;rvW@0-$U3 z%u1jRPewjWQ-y7fY7!<4hynLZP6Jc@^K_w!7v8MJajypOhvE+VfW3-DHK*ytfdPBh zXyr`RHt+gt7!X`sSI2TMbntcqaqNS$Qvg;>{5}WtOAiW393=Nz$dOSJsGm8Zq5o)0 zt*HKBzs|fyYH!~9x$px*_CUJlyx<5uQ++7&uGrxKZ_pL~j{)J;@19IV5n+XHCKd-u z5mfnh5B5ZxEoL&|KBoz@G#sA=eZ$a-3=E$xe^5FER>>yQOoKj+&2dL;>!?4dkFE=k zS-S&{e83l2d(hJZ1|RqKW`T<;P-TrAqJ%g*|(Y(bn^Cgx{bDS*}#<4ucDcf%g3T;*})fFVd`RCGztIF+sW%IT|oSD*0 z>0Qjlj3!!&Q`(dl!J_z0o+;FhluVfukDWw6n7*Eg*?PPs`Ws!vGJ6CA&wni(wEH?w zc3~ffsv?b>>8%S%Ef`A7G#@dJS-`^y)~nt=*{?MeRHV>W&ZRLBwQ z^+2+SyrJK2RN>44WdY>`5tAM(Mg<`|>SVsv`@AWnAb#HGDLm40LG*{dsokTgS=Htb zCp2?q-Xy3y!n42OqG19J7|W1G&aT=Ilv7gT5IbsY5YfEJfHJJe`Lx2A1N8+ANl=E$ zIpQXH$tmDcZ+U|txXeTnvs)@qcoWh+4FSL(?TLDnwo>evXIqn{rRv&T(2NEcwzN#1 zaSvE1jnr`}P8`v+^A(>skHKF21A0nCO9yDI#;COkDz60_6a1^5@1yMDIs)^brXxI9+r=f@j82I-lkbfUZP@asw5; z4DXXwx8Rud%H>zBPt>*Fde9n8r{Oq}x&C_M&y4b#4+XuV@8WmzY1S*M-^r&3vp(U+ zrQ~B{+N>6z;p!fiQ&JZnHCU7qn3kzK=Bm2`>Z*^L#!HUc_=CnfglsEKj363e#+Fzf z*6D3l%~IHop5gJc^O<4oj03tm+`VW?5bH)mC3>gdFLFCvgcHg(cm;e#nqN=(f$}ba zbujR{?1;uLBdOcu(o4|Ds!|K;_d2q}D-heou+IFZu+G;K=*hkpZu3KwhJ56jvC`az z1T73oN(R-MH#C;@%ymeH+W*d_bsP*>x-iZsg*L#KL0k>mg|v%0ZNms#Zw~Oj;*UFH z9G+XOa>B6MX%_#?QzgMql|b{7NCC%R=x^w2P(K4^p!1AQ*TCG-*) ziZT3N9N@)p)__W<$5E=V8bqOBN{N?Ibqhzwg2luw#)Pys=JE2YK6equOMwSu$8WE0MwYpQ$**$dMQfnKfd2X8(UZ9 zWuuZ4j|8cx#yH>ShQy z8A?9H4Oq+68c$3Lox0VqT~!B(D%t>>`l2YD2CU#V~4R{bxea9 zck&cc=LHC@N|l?hOiLQXo<6h(T^q|dxDjd`m_BUtso{B+C4kX3FCP)t589E|`6=&~ zIwIby?vieKG9RH^@aLJao1$q!Zbb-{@PvL)iEmy5|8p7KVXwB=(}PdqGwi8HYkgN_bx}lK!SIYmP-W9 z?6Z0JV`XEtb9-R&>&w?hj3tHVp6htztbhW@YiLzJb~h#YG6yL`6~_1*@9dMvN%5Tr z&Vda;;5`94?>pNeDX(f?kr_)A0Q$RSoQDW-jt#eBH|>7$^SN0J!6Q65uq;d9qa+T$*fRmp)%{R@ zIJ*kzJDldagqM1j%Y{-!_4o>0_CA;_qnqM{(vd_oUnu3Ne;^||Fv(m2w|<5M=`8Vj47J&XXYqvR&8y3!?U#BvdDZX$SQn`Q|I$2EL zDg|Rk4-rob761rW{z^E)wM=U7Bd}nH)jx+9EDhZ+5p8gWW3i*gwXx9}2Cz)FP9SSTC5HX30 z$|xR)44X9q7Nv|pLD<}ruNd-ZKZMz=+ly;2`=r)4rxP@zK!5sohZ%y1Tz+SRUOytzcd`gwEtfI%Yo5)l>m zMIhb^Z72ry(cy;p?Tp`uJ`KcB_<7S(gRq|^W2_0r* zf#v-h?k=(DnGZC`XNwepcM`G(AcT=pCYo2Ek$*W=3As!1{0Dw3{*OQLTT}1!$!PPMDs}iGO1cjasa!ZSD@k!n zdppNpi-J>{C_NwV!^3sp0nDL7h&_Ga_Rg2$9i>Gs(g`Bmp_D4@=}3J)!J6yWleZLp z9o`i3gRY_o^yEdWzqEoqyDSnA4r8|F&(~HtXWydXnP*%ObN+S!Xdvq*u$yZvFxV_9Y&Zndft>W8q`=Ur@BpGA@(P2De(PX?LEBA~|!Yg*)T4v}9cj?~sp>b3G z1QrM{-~9)Rm#E2Lm%2ZHL3;XO?(Of3Rie+%agnd)0{Z4XT0^YA^4v>^0<)BLirt9j zn=QV+oLifqVxdy(yR%vj7?nSS2K}w6yG9zW@9A>YD`9+0nANwlzU0QDWya zPWP0q?nWw!{*B_85j{Vs;=bjSY~(8rQkzo?#H2M0)P8A$@I29r1L>5F`{0 zc?ST+Vgq2giK&9-^$60_AnzKLER9TJKS+>6FxKiDxkqj_<`y-t9tn z(^DToa`Uhjhxw{sBrw0oDaK9f@FLO3geYOjp#59AY&P>B=(1Q$!hf4COHuq6bXlKf zmT@A_z$SmeLqK4(lg73ZwM;kZ*48q6m_cWZL#nB)-9Y?GQOzS=Gm+g}G4Qw*kPoD` zrrH~Shs&l2{VQD71*f1=v+p<42*0g3$tOqX&slBB2c{e66{5ku9A6FTk(%#?iiT9h z@)!=x(RDAG&bM)KfCwYqAC1hH4X9JlLGmz?J#(_(li&?`_0iuTz$Njln( zE$fw<&aax1fS)Aym)^J_%!-TgDXPPBnuI%D8iI-MpTiF$g~e{75l;1%3-al1S4y(q zhq>0{G%8ozQx^^ou84JvfUNE_=f+e`%cIPGy6!S3l(nPR7XO5F{3j3=6&@0faVgI* z0&7bJY2mF`Qk{-=Z#dLs4AW2FL|fyLD9zKgh=ODwvV3Z>KU8BkrDQ|B9as9YgWR+x z6m*4(|A4WT!Fo^VVKn&C#H1ntK_UAhb||0lxR1|v{MjH#(lYS=nNL5V+Ut|*xnQDr z&yd-cyS1H7B&-MDDoA~Om=$;H!yXK&WT!K{(1l>Kxn@zbkp88XUd1MERDDIXzO6)N zHCIG%*a;g_6HeQvuOOmFYlC~*zhG?DF#a23>!k4E*a^~{>}BZolH1R8ewNA^Af3>J zW?KSoC3N}e`5fo8ZL)=iLo`SIZ8~}KQCZ_HhuMsPZikmiLwg^07)soj0t`xkx<`oKyB1aX}?(fX+yF&B==@S_hy#OVo|NRIhYw+IhL|nco zIBKFTlJWJ?_RI@*{koAx3Up~ZyGkXK+PuC8_>UmqXhU>Um-*Cs=+>nFbbVH0fP9U7$ETz_3QV1VlI z{l@68MxEL%(o^C9uWsQG0Gk=~oZn)axBPsd8=uI#^~^ikr5oEzU>{fAuJy6=&G|+N z2s&d_d){`4XHpJ2_)iVh0BmL)2)LJ+zdrq3@VMYJXCc^{*r-T}XC!*$&kXL z%2cl}jWzh2djMzHRI0D)< zNTdYma2(1JIG--4gF()l!5AU#DQt2+rbp!|h-QxxY(Y*(ZuPPGt|-n64#jriSV6t{ z_jF(?DfsKLZE3uWUe&FCK>O(Rp-GFYJ$63{^jC52_)YQ--5Q{tJpY(n@N}}$OqR7Y z?NyraU_)R15XgV_L5fu2izcVdCM@{8RRpKI*b9Ai0e3~D!+1Rtm#Rok-}y$?YCK=) z8vCbRcqWlRlC&tTWoCs~r*E04dlCPnc83TNBzpgW5A{I0>LEesQTCpo$ENz4_h|=t zn-F>*%*Bl$!2ysu@Ea*!liPJ%EXs4P`#%*G@2qe>Mz#S6aFgTrKW$*}PHO&V8EHR! z?99h5Ij?D*=Zao1^4m?a@q-$fKJzXa9%0P0*2{A^YhK=TdZBLex!lRdUBv_s%t#kf zK5*{w976PAt%u$x0qeIc1GMS z+?7`C*(de!F$urF)r@EFqs@ye+@g0D3bW)3(#O*Ht-u14o8cN%VMp+LL&A4`5yj7?d-%&9JTqZObETkmsRH>;45G zkfHZJ8V%gRBQAL43A!(;;NKMa2CXhnInwnJirm|z&%8m6wz{`xV^16M1xX9V@%ED%$T6n zE^pKI}70YnWe#RcWh8ze}5+qd@?*N4vls(gzW}o{MjsW^Jd~+iI=H zh}0tJS~euRt*Hqu82!OE%?U zdb9(=t(z$209nyb`MeesXu;6+*;*&g$FW=RES4bGw=Y%BQh|zV!vNgWB4CJj07fwV zK$f(+*7E)3Hw^zm&PjL#P)21BxaR22Ixyd9|0HdsTzo|tfc3pJZ@K|0EQ(E&MR+Iw z7x4XfMf#oHB?<H-DY|Y3_Jp%`7Pwi1XSTGYf?^Q@&h}2XN8#$i9}^(2F$VpAvNt zQ&~>~2EtFIq#2-N3(*P4&tx-dp1VJG#2e=G#^8f)ts^^N*gzzQ?}Y~(d2FkPag&-& zfS&BnH!Y+sniG`@r>G*Ai*G6)?%rc^|GEEgE*sw{8u=EWErf(8*|aNK`zcR}B4s+) zjh=rG9%VQl!tKjkqEnGWA?7sPCTo%OPXoI0TC6+f$sqny9tc@ji;4w3iq;!8_&x+9 zYr?dbK8tfFf`FvcD(5AsbD%a9q4zzydu76b?|CPw;=}T1JTru*Bo&JJuWuDiB+&9_ zO&4ZsyW;L9z?V*}%#jpomBS zw}lp0(iegLLTQ%vS!kC&5t_*&ZVJM}o(dW;R|c-3-5|j?qrFj{zh$2>Nx8R@n22<0a%I+$wI(g z4pTNcTS3i&ixTiHH|YX3OtKLy8-PI7N1n)%bogHnP`0>1Kta+28ZK`gR2G{3EWmj{ zM_l>ePWS%P4_V?RcKTq%cG7T|UGLpG(CmW^0KAtHElCu*=$~7ZDu?KEAU0YvH*&`2 zOW!MszkX}~6g&i}V~i{Eds-^NpUHw@uN{lC=kw{j-GnJnStp7Qd<0FX9suYgCC*>8 z15v4ocWGq^(=ssr^uFbv7=vg&kcASFr#TIRgV{hQ>bdRtR9-Zrat7OU_8~y%B!Gq_ z%A*~yRSl$IQMi1$8?;}t(+*Dp05`Ea%S4%8Z5g~+3#NUDp^k*;|Gp@+u~q1=7ZLc; z!vH%VXI2aR5g4`Lm2|Kv=9vl2Z_ka^~Z}6{AVp9aO<1VBk6|E$0%yIzhwU)HFaAlW@PRa9g2;m}rb@9b_8N=_T_%U`f&Z-$64va^y)i_^?E=vho<|X zXIkCim)56Ef4mm{^3N)FQEa2Lv8>ytE!O&=6xuMc89-x;3>=ULmv2H$D-fz!%v4zz z25EcLtLDn&v!>DiYr8Zd8sX)_71+TnfUh>V-Z%seCl6p|LB6J4kzUe!(xh#f3abB$ zd;3|k#2X%Wxn!J=f6wCk*ALA^9W+bN7A5_!ul;Y`rGMJ|;rA^SB6$N!&JyZhKleYE ztp7#06{JRxm94;R^O5cU*8@r*@wsC>?ZEoy!tj?D!~gmV`E)9^31O9gczuO0kpM$9 z0m`c7Jy@t!o&n0?!rAvgqp83cPFmU0ch+kAgfy30-tk8>VoyBx9|sK2}I~#z^uc7Xqo`Q+i11T3mag_ zIjsfv#%c<3Zn-T=-*>CXhgJaMsX7Dp8`@g{E*|^hRLYzQ0zFb+ZwzC@7nv+w3@|n4 z7Y^vwo+&qKv30=QQiLxf8nS^rwiDlZG?V|vtIv|h7#YczchZlWFsw3v4gC)0Xzb$u zwe$VNUp#w{JH_V)mVC_<(5Wn0D~LeRM_T*E%Wsi(4v2vU)kpE*@@i#KXifikd(h8W z!iM!I4gS1+a^O`6{`_eFH!hH%RHZCOMJK9nzcXe3@x7{$1_3!xX+3&AMto5OE^#9%3{$G!rB?5mwNS&5?QK@cC+?z+UOnL=yI^pnty@9tBh%qfc zD=mh=ch_>aaNWf+iv81DIQ_=>K*B2oi*bS= zOYXmO&yC$nnEHYWC-DKOXQonx%ZxymYmCFO< zBXd~TzoYJ-rGsZ1zxxs4Z+xMM1bgV?L*_hBf7{po&ddAD-?3m+AqnRI>`4|o=|oN= z4#0nf0y%&hh~;1bB!?ux+moHtwPPTf|{xDseuP=l{T{_{XqLxS)FKl`CH!THFKa4Mt-F`TmTbwaA8jpY*@NNx`f zOjT`Y_X*Rjig?bz%x4u$G~+;QKtHHcseyS)vD$hyYU3x6*c=}?!VfAy)Big0os1>? za091`_It-GK6(ef_1_ib_A@+AX<^tQF2q%683lQ3>(v*}{Yx$E3C=5_b}uC_}@}eC&(2 zwj^do5q8-KxN_dR`+3cBbV&K3DU0V9U_6Yv@MtgEq&fXdTGjZ1W!%%mm*3xsUr?GO z@6CfyQ-Vu|M7lcy<<)C;wM}%_@FmF?w1eiavcOz*{xpTJ+w-~!HX zfDvxeaYVYr*J~hac`sq|ys`0DL;s6sWB!Ne`RRc2I)i;6+5%4XqSC|*QQXMc#(wal zX{1$M3p{O4sSix%``%JN$pbfz;8ZY@dovuo57&W2qUEBmdQ6){$lcytm)b!WL1?1Y zDiBy5U97;Jsu~!W0Y74Y$hvs7THAqTct!*yofrv%_bVcu2Plmg7eQN}zQ5FK`}`dQ zD9tJ8+=71MD!8BqFTRp|Wn5{1rx600*o^%Vpw{n>f*>{6!mfFHD26K_KJwebs80dhJaTy10gStp)`t+4ASBCW+)I$($YwNVS502OI08PVpAFuCiVbae%*mBB5 zndk1jAti`rsZKfpAHmn8Cfej(;2d!UF!A-$y@-7~;0&L+;;3IGm;qC;HF%QIFV3zM z@G=5swk}qa&0^kxMDoEGBVSGYyYuRv+$}L`@z=Zy*iAS)Rze4LE-NV46Yf7kROqH~ zueeD^NTA5X$p#&t&c?@H&Mf zmnj6alsbh`c<|aKea&a4BN{~JDNy3DS|KL47a@HGO^H($0LKgR9*0Jy&CO~5-l-_(&lEI|P;9~tj= zEiEUW10hE*nN`{nnonfk51&qs0R)IMNQxCaH!DMdRI1$Jpp}WnpF<|CKNGAFI~sW+ zT93@*3s>jmoQLNNF5DOKs(`D5kNY}#V|MS7A_E%$J8-bZ@74uhpN}f*@Qj6HKYheaTr#L4 z_DMVbpDLAT;_~wq{4nJznd|E>iz6iIj@psRIwpQsb9lxaJ zsD50csz>ws-KMxR2Fvwcx4*UR7jmN{R6gxZS3?^vq;%!QG~E_IHgnnbW(j*AePJS` zIWO-*pG!z?w(;iG?agURX%m=)Pe;#Y)8u(!2)_S&% zDuV2IE`Q!0ZJJJNls|0-B~iBuHFEzdO_r~2vS#8vjw>h#DI$6`$dtYD>#&5d&UKm9 z;&BOfK3kHiysT!j(ftGy0~zL#wN(=0tb}`|zEDI7nH_?6s+dfgbw&_$ELS-*2=RjJun(AW5cfe|6F_?9Iw9J6DIBo+_ni4N7_ zgkD)zwfWSk6h!BiHVya=9@d@TF5F%l!LA0Hu7{x9R!Z;k-wL>5Dn4#aXJmd7qkTwf z!Ijc>Dcr}5oY-{!gaJGLFd?S`YBimVB}lf5+u{?+Wnqp#5sGcDov%)j9FZc>$C7u; z+R@W`mAhKlgI0)MXJjdQT+h=K9X}_4JAZ1j?LoGFci2on>BM(;u$gp`I;S)&sjS?(rb3VrWYjJ97Dtw?p|R^Qoii=NcSA!9{QMYQcKqI ziH;~y<~vj}-eVW~Ra=JafwqZ%)BYUuN_guB=s}~}=t0fpoY{7#XZ~X)vgM6vIXI8p zEiS`-RF2rpVlhRvOII_Q($m+f?KG_p*Nu&rvKm#1tWJB$^1-1#*>@D;Fm8rlp6b55 zDp-^#>tR@Rj)`yn4`b&YPxasb{}L)QB804D9Le4@p@ht1?-fGG$_kN9I!9!LGO~$m zij3^+%yR5KlC9tKbY0(leZRl{`gBwIi1+*TdXC5A{&2Mtpm>E(g(lNh6|-Wr&&)et z8t16i$Cukp)hbZmm9W44r$zer*5iNsg&of6d;#4)_m3COC{3-A=Bl5-Ey{+JOn>ma zXiH_B;gK8O5s^{a9{C`??}Wgk&BN2WtGyW!1d_RwPYU=3+iTM|`;kwc;&|1!^O^=8 zQqHB_ev5qkVKi4SggzbjRP&&V*!a}VgBpEFfq{``!AD{CM`>Q~v_pMMWYTe!#>B2f zt2IVo1~_w(V(f0XQ8&~QZoDnZnNYt;sq%0lzh)GVRdtXb>WT6`Cem%u!NkfCZfiaD z`R|uAA7pfV`YQNHJx{q6S$WIo$WVX$dC}Ne-fOv(6UVtfI7+K`33|d_r>ENc1b=82 zG!J6V_A*h%lb;IDq)wRI%R{bz7`6Q%x%){^aGSWZ)&LpkQ!@}BXEb)`O;I7Nhg z*^{#UHhMdcSG`Bh&r9PZ@n7CV1~R38Bi$0!$@6{2x$rWhCvEDjXg8z(aMk*zPb&p~ z!&~&Zet}1_br9a#w-xf`T9oT>FDpY61v|cCRb_bPnk#;xTG}ty!t{tFAqIcc>CDme z;vv_jdSnf1 zM&crmOa#W%$L5zx+l=m$CO7yp60a>8u1->VpDfxe;9$@>d_Q*><*3Rnv{ob@8H?mj zSQt{oPYLqfd<8Corf`eL1KhTvJ0An-{0c{{SSPaHT4|*?=}%cdI+6IF`v zQmX)%`%*<`pJ?U+vt7A#-be5khG|ed2iwbSSf0ukBy)hMFcAtzy*2Q!ARH4EX$0E< z&=Gr4eszt>Zcs}-d?bV7trc9)85DiDj*Anb@*)*#%aR;E=m~MHg&jDLgy;GhzJyhh z3WS(4is4H60KA`i-YOK(nx$UsL8nDQocG?Z;i8ocBN(h+yS)S3Lj2TD zncbk$0O`DAv7z^B`IYTtLNELrdY)Saeh)Hl9-bw>d{yaP8>R@AaEn7RR6j~%fOHx; z&KRTrLu-KZaL6iih6%zps_r@NKZZ<+jx zZohwXpqm>>EdfY6GAkZdJDtQ8!E()~k5)$omr2EBCHk3Or)|!HT(@Ttp~RtqPelEF zLUV>6HnZx8aeZG+8p$?5xL=nGA>sw*Crn>A14TxO8KexsBP&s4B-Xi}gY+#A{Az;k zdro<2R=veDu!Lxr(wFr3Yo`u}BSA}IcIsnJPQ=u*((_S*vqkjoBeEaHUGB=7Xtt|t zfk5Vb`*{~zXQz?kbaocTbD#65hZwQ^}$t7sjf|$bv+5%N+-d= zfPh1ZG-=suPb5y!oN@`#H~V(;$tJ1uhF{onnM6Rn*u(EK>)*6mh%=CrmwtNmbI6M? zLN-d-{jZHgAG$dZdLl}kh{d?g!j{U(4-N)SM0T+L@`0__7F5vQ>$l%K{Ya^X+Q56= zI7MnH;n8bZFWV@7b%#6CVwP0WG}^17I%>b#O?4R&)g&%VEz+wf*`PAW4f8IrfX?4% zTjs4xJ1vs+;+72eFp0%HRMhibUl=3a(eM0ZUEhOUN~p#_JhAY2F9GQmdy~>VsmAwZ z&|`JLRE~}C64%D$a{ES4oIg{O>>9TB3MzfyNag{J^X|-R@YVHKD1ZLRh6Bjdf2h!pzzY9vjpWP+-lN!yh(o^^OnzVYle6`1@D{ODhWHtO}cH3-_;{B znM?px@@mpsn?}`YEZE5i5d1bn43DP$mOs6ZTc?h6x&WOlS#1&OYw>PM*OAn-eVn2P-$0*@^wCpFMsfgz1U9>?;j+}PFAqg+8-OLJV!(IDwtPR z-?eb$^^f$h|Ib`I;IbU!{pRB`F0b*y*Kd%XDNvp%aHLyjAaxaeOWuT4^L~@gp9?j* zc9g7v?5xbA$zynOoH6&bO1wJ3Dwo04*Ms$xO=jEbYTE`hD|%k$ZXWzGB0E?nVu66} zgez<%koC@z@aVoqzts2;nj}Em<0NlBZokvyD-`V==u#ZWv8EZjZIGzN!DticUZ*a- zV&HIECv%)0<(vD%4{;BHXE$|N2F}FDnnT=5-17d3ukyREq0pBOGSX9i<`>}i4zs|5 zRQ=^zc|$B(irct$(`SFWdLM5lr?#)wcx5jyQslbO z!teHCzU+2t3&@qWZ^rXpIYln zye~w3u^2N5LlS1pqQnkw!G0=YdwHwZ1XWt$B+1L5t~5vUleb^?gUdX4So^Pz|{wwv1(GhKguIXv(w>(vU7Al&FSEH83l-0(<&)<8$20yHW zE1YLCk~uB79(nkvD~yS5K9U)oLieGH(7a)TuRqDt$S-B>UpaQSA|90$gr9bKv8w81 z?AQiL|1Q2_B$@iut=Q)^Zz2-Urk2AJejfGgRPDWoPRI3fd#f7RmvA?`T364oGl<7M z74@NV@vv#8ejpY}xmJ78m7$oxWsnglId zki%hMn?_-hgFv1pSCU#I#q5zuM{9_prXZr7LD#LExnfXthBk}mStQm#fKY)QFV6P8 zWt;;+6w}Y+&%8<{G`?rriLEb}XOuZn9z$szNjB5_y3@z`ie+e^#Q5Pm_ug~uql7x* zi@N*III<2o>^hT#Z}9k2f2?#P)f`eoWa)1XI;sbFVQ^6ICXS9NxX6Zkdhyy7{dxqa zo2q(V>Tmw6ASC-8L}WD0&VD$^=CD>RdjIv8i@xW>=^lPx;(Xe8o4x&$=f}>A^XdeH zcC7jcm4R(4?Pq0$HODO7$AfO0-s{0p*`8->+FhVaM7~Im$P2}@GHIB<`Tl8o^jK?P z5+4D3~y^;2#oPAQer~LGTkU_I(A>@h_pI_;Q5v!W&ZpG=a$Y^Ne}d! zH!W7ezH|*8BC4;7MeYoVs(7*F6W=l1=6@9M)g;!{id^T%l*-GV_qbJ)f>LTVu~mAH z6-uoA)x@9ZIuAt44Dr8n|MtGHCIUBy9;aY=!w{Gr$SVnK<}2r2d!&EYqVe5`;#ekp za=-M-uR5BRUtAx2YsfM0?P$_;99Zg3*TgI>+NhnXBR>Ar{Hp@m+5}m1^=a1m>V&81 z5u?qYs*7@7jz+QN+(sC#>c3L2iPkk6#jw4}!d_E}1H7x%hcwkh^kM?V2Wu52F;h`c7quYsZ&st@q`@v#F|YyAM-i5Q7zo zK1-h~|7MDORqY+FT^_@X(j02bUsVt5kv@;OYC2MEhU6;`3WlO^kib=P>8y#m5+1Uc zkFog3SyIVM7mC6QGYJjdK&`caw#O1(pZiKi1 z4&?S{pyEsAIjsDvz@$|QrS{J#TBq8t)jwfur+dQFqi2&s>FEXZ1j@`?)sWsb2onc94h&w0(_?I^XFr179l!KO*HfLk!(=aY8r3j; z%5U(v#YpsR4dcd)vUb{q@G%qkt`EM`R75?0i&mg13DZa`ZOokrnx|i9?N28?kfajp zhJx}&?0MyEqCI7&1<{sasQP$#RDtW_S_lF{O;NLRY57;{cXKI9H9#=nvmR!`xK^Q& zQ^w7Kq3U3myHncp6y0RMNXA}X``q~ME!64QT`H{*@gBAI0a^9B4WCrjwjHb|3_S&z zqFfEHvtdz%+<*$&X&>aKPWw!E6I8Eznm(52pqg)6!e(-q!t2w1|2FDt4&^ME6h0gY ze!^_&1E-7J7RlPVJHRc`2cN3#*WMShwfCp@wP^D3=kTgJ9(hs;I8BZdaV}Pk8Vz%j z9#_Gd0;wBo1L9Sxa_<-Gvo8Kgn*~~(A6*7~d(&hC%7Y^9#H>8I?QF>S*}YS<^0f%| zM^mzMCXl5L+v4i@5y*$siiqj;E4xY0XwI(l?n?T@;66cpOH8pL{2)4*$bK-_YW5Hi z9t3Mui{tBrbArj3!>5ZIMoKjAU&)Hjw?iD)B)cL_S(tvPEQ;(k8h`2%$}Em@Zr+(@ zTHN~8l=ab)T9{epfskgHgH6i+HV*kOA7?bdDNi5JT=}v}OY~zWwU} zXMMbM8|HEXMQ*}dB;_ydP9n}>Vh_rFBe_fb_4=YC2PL!w*XYIF1>T^39)VNjL%XJU zM4MyHs&z2s^rx7mtRQk@um*QAPHlsNR*pn!&vf~fzC+(u_NsbKrmnoqdCusY)REN6 zR?Dz;3g*0<7%aof(TUB)tERJF$UrWAn7;XA?B4$6=V>`7(QmQQDVH%8{&Y}8MEX7Xzl>4w827+83zl!<}7rhH2iF>T-{9fOb-ul+BQQilFbkDd_^&y-3DJ54 z?abBNyr*2sI(~yXS>^3#c>FoC$TADXTVjgkFENfKMVw1>u&WsQcrA++fxcPqPTX2- zdZ)LRLBWORBahKQO=o0;%@i8bxh%3iT=be!YoUgeFs`yC9@)Z_ij}ffhdVjIu~|Yn z_n2qB`Dpl&b7YCx$aM4_Pm@Z*ewmP{n$TM+acJe#=G2!^qm}GfKK{FDIxddeG4h(q zd-FZnZ{wLbHBP3(B{8n7L5F|FmFY2+ExQ;Mg3b~6j-F!TC;cHTTW zj}dQ{=_qHl;%044yH9=ie)B;8je^(d5hk@hO@{I~JYS`k6el!?V^0y-fHOj_UYlK{ zJ}>rkCR3g3ZLNu}6jQa+4?{JWpKV3d9Aq1KtwfqvGd59v2Ay8iu0&v!JEk>ecS5vH z(B&HteJq2Bg?hi_vqYMYQ{H()p&a`O3rUy_k|;)m=Y7s$k>&M+sm>?@622%J(Dzbk9qgG!aJfjwEJZ(BWLGc2v86+SOH1 z@BIy?E6C4LuIp~8_oX90{@e~=nPl}7hiYTkNG#DqVA;$l$E64S-36DPc%y=t$dOZm zl(gxUmjqiFO{jwm;cZcur|_wRH0{6!^OU^MXY|8?Ed=lL9X@<(`8n4{IV9hDG5ZGQ zL;{w(-%y3q`o99j((^6*_As?trR0%}CGW4G*wd-cy}8Q%wrbr;^2*|6ZoSf5uNAJm zSmS?=$9IzxSBcf>t%es%f6o3(+ow^Mj#I*=?V`<&iJ(;|HGR;s{nW@Z>lu>X`4Ku zfVq@0Z))w+IT0ha#D0(W@;2A-NLwWBBjdIGEAE)ES8{lR^gs6EaV%Eua#vlYCB`52 zBfJ3a`KDK-jIz86Lf>!*B{nsEp8ZfQDI~A&q8JTv8JG}c-p&(mx$k<`$V18@>&{&y zXRuFH3c9!^*Y-llHlnby@j-^i+S*#!{6pAYb%s$<6vOxq&!|15Mm+wz5uRR;?`zA8 zxXG2fR~cV96(1&>8((ZSW1@4dSSt2$OZD1|=U5|5`xmtYm8L3}0s}=4?)i3)!XE^Y7YucB zR@OM5*6btSFi4o8fc7x2JJ_1=Zq}Cik@?w%6!+0DW2a9kEvpxfZ%b0sQZ5%8q}ndv z;2i;xR2FIC>xNjyW(;k~rAvpUc;_o`Z&bDz?PZab^P48G9M2?a_$7sDwx)^9=G06z zUUNJi-{k5n7P_wYPHRhWZX+wb1I7@Gk|uN1q(L*Fo7PR3ULm)?7Rv9mrfY;b``TSew{1tyMA}Zs#pQc_iPMR%g`| z9m}c{fAhdg+rLuurj6s;y{yL3-QR(dj+Ek0X=m&@8g15ApjI-GZ6uL5z zga~AQDA{rh`~FGqv7*vpK2~w?Wb*W9A|F`lD;HHPiHo57tJ*)x)_BbrC~A_4Pn9|P zcnn(aK92Lt*DwlwuB}FIC@<0AsdoGJXjRMU5wArUi@gsIIQZA5U56a-czQiBS z$U{L)(tPH$V|>^)h=K-*w~qD;aq{?`qjF5C7k=IGaGQcgd%hs@O-J4g3o^!|m1dXb zd~SpN-j6~GI#i*4Hdly=p)m8gyIv0-&@igh9S*%!Jg!rb$=i`1O z4fmwxALs2alr6r&pvST(b?IGWa=rg1cEwR=_x0E z#{-|E*&Of7+j|0*nHpb)L2i>*5gS?WG$P-8Jo$aCJ={pa)bwSH>+DHdSs@cUkj9Idh0)v80f4;v?Jh1ufn$-s2d=M_>dR=nr-a+0nr z+JgD-ssS0CW(PS9(;!vRS&DB^{mlZ6_C<+BYsefQYSnzidY$wpu?+4C?AcA>UDfr~SJsxw#U!RM zpo6t!{j?^8Wd~AT8n)nzOv>u@^gG^!1~2|5@e_9t3f;`p&=O;}lDk8O&pj#$sY>RB z@duz}TD&{CiG@#M8D(Z!t%9S@=nGwyYoaKg^o5KR1{+^u#Q|5)K73;wKeH022Hon7 zP9yCqKub(>mRepso4inq!)+5Z;ohqLz4O}1@zp~0s3a1i8sd z_Z6btNGx6-{~EgoV$j$qQj1L3R(Sd4uPt+u&DFRn3t{ja%*Qpzh01-p{ssPhR8Qp>GWOuw=Y|gbJ>X7IpDeuXc*oP7_ji!Q89a+^qo-c9 z?i!rgu2%1%XRH4%*8J_u+hm99We>*rsiSw720IKYam06nMLTJWUo3l>*$^Utlch~rHU3MGO zl#{tXs-6Gu9#dl+E8a(^x$|+);a#9E#xiQR;7IKF9Cq;xnlbHu4*HGZxWj0fbC4y7 zKiHSf&L$Jd;bb5wNbcAf1qPf$eiZbOeL}tqdavc?CRL_25(*wJ_UxdWr;#OsI+$iv zS~Y^}L*-6WlN#p&)6X5qWQsQo%2tfpAr?Wolc^(_?Y9tf*@?s(Kf7VKmz09->{ehwC_A_oX<2-bhZL&;tVRA2%v?X78P|v|>s_tFDLZoT>QM*kf;Lwuu4MxgNjw(OZ;j)~W zn*)39(5?CGTjIb+OCIz-9$l022)_Jdf7a-{nWOg{6cBm(-{-4EY8)AfQ#aXJ^mM|+ zx*Z>)(BtCFaUuBvK!>RUvR-~8iR4c;8i;kSKm@pb+MuWwr!2jl*F!ysu?;(ix;e?N zu1U@@hYil!`lNKo<2eFb&HRV`m^BhxW5i&UJq4-UQ@aEYRCtVDH$W!Y_pqEuNx4gH zKCz#QZwDeQ$1!G#HO?6SS;?%fM;W_A8eDgnEHaUp%kbtK3 zear4pF!^IcQOluxy)cyV8r+Wp8LyTdKZq0Sy+dsY)^j9;aO=`3c36&d^&4?z$4)%& z6n*ohThe3J!y}tQxPJM@&=aDbcl!m`9qT6c?~PBGmBbRauz3uVl@U%^@KCjSjQh}A zWlD#lF=L$!ncI9K@tdY@K{+(ehQdBH8FE7Euu8Wvt9*3WSgEN+xV zbLW*+Sx}CEn(?X7S%Lt+T|t58)#v0`$8W4YWGGP*qJx`x0!DyNkL?FUTWEGAX>>Nv zw}fUP-24SPR53oFPb({R8?!eOkSM%KO_VuZEwVBpQeaRKodkfBQgznr2-v83BTsui z!}yl`8nrk0QFyjyjdE%HN48pf{C_dXzYwfQU)n<_a3S7ci?bFg@irsI8;ta(RhRkGQ6KugWfEy~-gV zzYY|wdY`bp;?dq@U<#|saE*skzd^ifMUTB#^+=1c@)}DZuVDtSwq+7dfCXo$@P@Mp;Sr}LRlfcn92WaA`w^4QcdB6d-A<@ z`C@;zf#0egY_*yvyxUyOqN%Nb=r)kIZ9eN^WiC+xipdbl;hoAJj>6WeB0mLHKXLua z*>u&crs&%vRpp(!>Bhk2S?Bhvm|}++20C0#I&Okbw1>h=XmJgCc=-#?@*z;HfgvS{FKzuwz5rA_?^W=|Xl zRs^CdgqvF2)R1CsgNyPFh2fIa#i96{MR1vZRMHRK%s|W1NKg;QJzP7yX6wZgCKk_3 z>N@C!I*S<)u~-B!kzx2!aQu&YO(smUm&a4<%g$u&zx~!F^W$T9vvhZ1cz7^p(m6tj z%*OgrvB`Tq#mxdr3a_wuQ(;@dp51YLGdAUZEckQVT$r~1A%P38yD)o&oTQheDu4Qe7}r@UN#1k;svrG`%& zvlWT4W1sH+-3mYu*G|VyC0)V;R^0}Jgqooq9+Xw9AI9>_2B)!>g=n+WsM+G&T_CLG zTOaKd`IjHfZdHbx>EcO7Ps?ce3V*Y_h-mje*=E>>%e0_aX{S>Bx@mS;8G5$Q{6`^v zUev9%hTnd9w}n&PHa$oWDmoMp0sGCvW@62@@?S;HCiHZYN z#s#A6lkj}4NjA*wfUtk+XO^F_(i)aX+Ra(4Hu5wh&%22C!vu&Oyeg*ZOsLmE=i)Hi z4^f<97DQI8xqLBs5-V%>F~iBAs1dWVGS_kLx0{#K7{_m6b#wu9m=ko<(v-hrp{T z-y<{iH!#eQgX6m>?Dt}h2(pE?Yqa`!bP}n9Yw*kN=$s30gh!A444at<{+o*pM>{0X z?o=qwKNB5?AdsB8N#6S&9d@bfdc<0(K_p^r1dSP|z&h5ssEE}iXf>L%#4;HsE&@xr zY*Z~L`&C1img_{n7{ahYgtv@$@!HV8>qHtQ$>FZ4x-|eYjLE9$r(d zIPP>Icz}&PO5Eh5_xYOa5K*p`bSk#5o8vx@Dy5k3c~GS^9Ira@fi^}IsF$wp4Xa=V z5w2hS=^PEG+Z(NRCw}KOLd?HVaQzGCU*^ReT{)^Jhu~S^^7A9OErvs(pezj324_mD zu4S|jiM)Bgtk<{W^vg9T~m5n)GS)vzUg>*nDIUk)X~_Wwy5~(28waBm5mtx zqb9o!_z(gH_CFgxj?&W>i{GuUkulqGdfy=XwcW^fsBRsZX%}h(60r*XKpTELw0qs< zQq@YJ%?^tMrCqwNKSMn*0h;aVFZGH)W#I^ZS>)6>b%x3H2>d1i>PJM8z`7-;mVQl$ z{qAZ<=FeRIaBDUCsmBmlF<$gIw1*jVOTExc#5rTgg5QRZUNgkdc{FdEFRj;m#KjAT zzcYB(SKXtLTs4yU(pWzijycUDdI!OBO=ktUMYY1f+i7Xsq*E;PU3D%mXr zqEjIUP{wQKxuWG_UuL@D!{gs4>%a3wV4NH@D=dkPMy`~`v0!^95`KAvV-Cu)SUB5- zpAWirJ*IT22WwwgmHrG^zFA?RR$3aEemAoc(v~{F4`Zc$7J+9$`GfroHlt|Ja1oRbi%-I*aXH=@?ttE{;NkF@Oj`C!Kh9dB)a}m7`{kPz|P z{3YScCJ5g4k&h z@J}D$x)QEf++O%_U4Z{}#E9)es`uJv74zh=yT?lxkK8SlgqxLD3VDLlUO)$6<+~b#w%@vVy1Yy*g!#T+>WG`vu2Itj_0M4@S@j2&j}Cm7QvVj z7p|*4p08Oluh!y1oLlUz7OQ?4>FSOyG(9yF?W(@h7~blK`IE6y@bp2JH2e=(@7u7o zD_wi{efz2vtH;hSfPl7x@7b5IwOhf{Nk#}U#5!mbUZ9x1h}|o)21mw!UQC!e_`1Sdi z)Oemb-6i$&`VUV}#hP}SiFugeZR_jL^Ds77koW)bM1i>|QTCf_Z3N_{Hs&+1CB#%f zunhsfr11E|APE>qSjU6?SB-!(ygSoC>&_(pTxU<@n4`M{>x_ZA8y{X zrSt5pZ{n)p{W;fh?B#EFHa1dYubX`~yAyz(DSA~dnL4DIBdK0sHR4mcBTB22?FCvd zx#e8Hm99HMWlBE;gY035ztxAyK|1#2pfB(%Js(us23==xd_cq>_k)0vnINA^J=p;F zIV8=i)6u5cL;+jvE^FgeG#k5zno68Vz3dZNdaukai9sy22!hZ|C(7w534c*#EM^T1s9-sfzdCOT0I(a7n@L8tRCJ==S5 zxm?Lo_t!h4L%_P{KVI<8p%CH&GHxgPtXRIcgy{?ZrFZU*U&4wyWTcS<)->f8wH0Xmz4j4JdC7a! z+d*`bs+fGO^!9{xs3vcjLq*25Vyrn1P_V5+N+-a4f}IRsVlkLE-`+tc>qGtb5ppI)#S^+E$h=S%Pm}lXg1k)`DMs)q`w)9 z?{L!}%b=~@q<_xT`bN3UyWNv1>Dp_L_|a8FQg=RWH}4$9^0;U!HwO5XUE=mum2m}# z)I&(CXs(Hw8>iX5gh`w7COv90d^hJ^DgEk9G_`-+qlJ0dEspjY2u<1IBi9djn zeH!R!Xe_LsOZwp_YVz4}QC`cgN^TCl^Rt;8CTGiS0G09HbFu!d`!12vG_7CX9k%_s zpm}YYhn`bcze;r`p=9r>8ny{J)3w|(Ql#U(a%q_nli;G`?4o96obwgq>6>9pcWiZ1D$-)RbAt z;8RG;>xoUI{%bJ-SyS4Pd_~RLjyic%A@OE&iyn@g%eVm?!Rds4#lP|x8o@vIIV~42 zr0D`PdxKA-G}!(>@@=qqC79n+6TN+LZsSee>qad#KS$3hBBS0cfT@+Tuc6HsaAvPb zTRkie;q$5|k^V(Bs$+Wfd6B00)xF7Q(0R_IwG+}K#@3IHZZiyLnk~d#0y!NgyHkj0 zgAI$xtaL5akw{MhFH8PHoXK6+qu`s!SmrziT7III!2L=)zDKe(;~wSTeige?-w&ZV z6-;ye>1#+D{RSsZb$o5Z}Wp2-Oj(qz3;cEi=Vmmt52hAw@>JitX%p9rw>ySq?#hTLAWde z{J!b)y7!sd%u-+WRNfzA>V!=pdKy%bHQ~hf^42ni9^KJE;`EozETcS$K8$IzCs3 zQSY_74KgFrCC%1_UdWDk#YVmwsz|Kd4cPn_H_3maL;N8(oEtz&w`oTnPW?WaH+Tt# zN*&06vzxMaOw;#O8z{Vz;ivrQM)THit~LT$TgC#?5~YEd&idw`i~X&_wc`OxXPwju zsxy#uDrKB7OMQ;LPBKs-1nm%DTaA}_mzhkLJ@cG8V&xLbXmu3589H61MxaseAOcb> z-=-!UxF_Y*!wmwZE)EBz>)$aL0{>^_ozhJ#1Wj}%R<6{~mwe!wujG;^q#i_Q5JiN~ z8R>}A?hi2`r=K!semaJV`~^rmCUSp(M2r<0*z!h0(p2K|SJjmH$R5ga=6nGEY%Y6K z3qw1JDYg_`(g)w{3>3)ZnG|$2MxN5(kI&0M-i}Vmy3CSm6e1zC-*(2cC&y^^>gy7! zeS}qwZsCumDluH;ydeBo9`1m|4Ag|?ySw^Z3Y=&a4$YsCTegx^Gqo4IXGi&XYH#*jK2SiQ zMCZ?lbRy)ePu`9Wb>AX1 z|Ap;ZC~!w;JJ1>)#@bzHRc|-B&Gj-9W zl~CopONX&oXccx>O(WcOPRGa%os&|w#fjreVx>Eqq(D>YHRaK{%O?UvX#K`X3s1#d z`iJ@68JCzh=Q5U9DxLHk8Lcv>Lf>vWv{Qyrz8NDDCp_DvSm}MEDv@&$B?kq0Fz}pQE(}^o1oa#5+|}w(b~E zMQrSG{Ky+5-{vFfZD!MM%{e?ZOJ5%MKKmzO<`bT?@;z9iw-h)IitkUBw?xr)z(nrW zDmmF*QLbCsvBD)n( zKze2KUc}{a*nyQveI z_Je2NLo+gKh!kg-d5RWieCJIia3XZSS7r@7{Y5tvXxwBth(dybsi%TD_^T~6m^y<* z@Pb=8&h#9^9BC#kh=d@D#F13;XY6h&)&+ADQ%!eS=m9%4YnC|~LR-(6ccH?jvArdy z$3fxW-Tc;)b$s{B3$_jzy1dp5p?Shf@3IJ95JtzTN5^7DqrUjFxaflA3%k?;-A^;0 z8Io2Rtlqk2$3`^e@mTjbBeklybf?^>C5>2UL}v2w@^vp@qSlI@r!WediM{Fh7TntI z*W4Z@QuTEgSIY!YZwK&H5o4yIX=1bUI2DlWB-U^;J@hpSbn$yUM1m=_Q?((LJVUY# z(H0cpC;bin{@B>J8TgWU-xGj{{=S0yvb}MH_gedjn33+78{O_mfq`%plo%E_?w^u- zNL`+1#5%(uBR1-{kEuE+I@_48NRR;iLBl_mO9#y3*)b7qN9X; zyo>kfl=aq+Sf_D;CF9!+kJeu=$Jps;l*Vzh5%25IuU`3zY`c^tK9^vDGc{&iTf7Z@ zyl2a*tU~wg2)}4~>d|t0s(7?p7k$lkoet7EWoq5x@v^>a&NG~j`eY^a+hc}<}>M?Y|k9oQO z>b24$4A38WoJEIjCJ5wtxCeuhSzsAZQYT_@g@AG#c$(KUZIa)n`zK1^(F6}{()3XzR3O*(60Qnlr4{%o{{bzQFp}thJnu_N2wFM zMw4r&AiN$aO(3iN*E(4u+`iluCA+|(P9{CTBGzz4BmKN}Pey_~Vol#lDWo*iHk z7YOPEQ^4lZQA_`Ur$y$FnN4rzvA*3iyE9ud0Im4!fEMIE6r$c+MWJ84cBNPIZMJLt5U<+#O!mRm*Cvy zUeK1*oCnX)Q*wcpPIDs|Cx<(DSM_7`uq4a(zJ3t3G)YIhd#NR$c|}>XYsxyeYRz`% z9dJh4ELC0!l;n~IHKt9(6oiJH6@S*Kd#?t159_FENLFx26m!cJ&N5Sd;&lY_wHKk! zgSc-jvdk#1xJP&q*UOn6HP_;AOSKiC*VqxWlj(N9gnuv@#YrTvw;{b}{Ij=>FB_XZA{n!c?MWH8b|C~yz z-Nd=`g_bp+FM|0WG_QbgRvwuB+1rqFy~1g_<55wYga4GK`c~%bj^%kZq*6Sa>t8|4 zu*fF&e@8Z9`$D{QX#Kost8{64HQjMWD8C4}$OcD?&Lxx%M^OI5e5LDlUTsp>ZC%pf z4+ZgRELQ+vj@pXNn(~#gX(|=ZBhaTMt=MGr-mO$T`R8By|M|9Znbj(C?K;}yWS-+f ze@TVKQblw&OMAhyQI+&m`c-L2JtnBgB%y+&pKxB9jxA>8PPRJzaN$PxgVXlDh$ zM3M5^L}woyh=2*q;d29D zB_7KX$x==<*FNav?iRVtQOl|=?MCsZKvd+OjT#*U!dm=w@ZGoJ}Jj?r{??PI>*5z)l z;J@0_+VKH{YG9_O*i0#-Q_-C+f9hR^Q2V6YLaRw{I9;G+^|!` zM!AcQC57@AM}V<|hiJ_Dk>(?-^9{FH{{Y5?y5G>2t6R*yc{(?$02;N$XKeR1Blzup zt&nZs)gmDtzCT}$Oc%3SDE0}l-Z}jt1fZCrIK;F<%G&NG;7p6l<8oC>J~ih68c;qD z*E`7%y!hYdYZ;$#rTpF37>xZIXH`p5!!BTh;x2x9mZ(J<0EvA_7+f=B-+o|VQ)q7j zYEEwvqE;OC7wGblYMYO0wv6?Jzch}So)eGVN7I;rNq!2BC zWv@IMJ(e3a5Z?)2a~=?)>3w*RI82v+Lii^1?Kq5cu}H>mE0={Gxri?d zv>kZGkpy66&bw3o>sHabgJR41EQOnQ#aQ`u{wYS;V2jPF{b9l^_fM5xnl*WwCEpfk zZ>(u6Kz#XSDX%DXhsql(^R%~_f*W|gPWNVsn=WO)CQ_erU2N>X@ksxjKKEaL@r696 z+`KuQh%)3waQpaQwR!)u@%tYi*TacXaMVdzQzn}g8bCvU#ACW1=wPQ=7|GRVi z|6n}+`)>s_o*OW(aTkX~Rkr~L@*svzw3Iy0 z_)&^=*DF@&l+X{r`IPPt8Cch=xvYU}SoRJlSs_3}cz(;>y!l9~m~LKtRkrwrL93PZnQ@{lZKWuw<_e z(70ecMA?XHYE~ex$OTYC?T}x|0-|g))nuPDrsuFWz?rKCW%t!psn7h2XZ(MhXYgkL zsSO}yt+^<(g8%p%G8do34FOH9Y*_r)(%@YZk?*H$zm;ZU*~;DyaHaL64!?bYZD-R! z76-Up^D|6?(DHVaM za2+6vrv=5O+TzaF` z)YCNL?)kMaMA!l#hqu+!Tf}uwQ+VLp`LkD~_V1>=SJn1$mymvxdQD~Lv2+rl(fe;6 z@J3x0Y){>O`sa>klmygfzlA}+i@T146m0RZargPQU6$UrKQb3%smNILWAQbWSGvPU zt9#pXUDvx`R!-+~DbfC_PRn4+|auGcuL#jNBFs=;Xi? zVZkbAa8GRUs?$96@=aw@A`DdIu6-rUW8uSlWRbNX2_H7oTPPZZr^NIX+ zv7T6*CYtxxLGo5)TK^vYbI5w0*n8vC*;$}skwiA7be;LS@o&ZD|9$&v(FKfB>aZX~ z|5Ls8k(mdMt&S-mRCL@U{b!B(&rc)M#fD8O>441iS;$`D$}QpH3Xlz3#Oh0Fsut{F z-yMgQFMHRqM4A*MB3?Hc;@SQ=ccBS66J;3t0cvAD;1ef5faK8fws5O`vMFB)`~ zG+L=~`9Gg3|HrQ>mD8BrAL&82v&*uIJ;lNJgvM^zv1Jr=`0-cE`zGOint`Ps>R@NN z!#c^~8q{64cRpZY?)7`qgxGk4w;+z}gIjf=L%Cd5-ZJ%zr6rJ3aabp$j~DMoJ-EhAk3D`T)e)GgcS%DvnU93mLY6BF`p3-~Rd*uU6m!ygRNlhjY)kP%DRp7qa}I6^d#CYH&>(60&Z%EP8L0gO zk{Uy4wEVvyQgM|OV0pI2*|)V}-JK+S58%sZY{6^zpz=pZYAsnR^Y1*{FSPJ}yw|2_ zC{J<}fBSxQTf8nE&;CoPR@$rsfa4y>s#2T#kXTib(g4zxvg>^}UV;%2W1H{0U!idhxH3f?ED)pPk z2%SQT+FhP{0PXGKh?W3eHExdjf_^$dUBZwdC5G{YG0B1(vSjmEl}@>uvA?rOjdHq{ zp!o;%{L_4`^u3PaZT97Wd@@JD**w2~btYOrU)`Xajl0 zibXeWssUnPkx;wtoa4}}PjJiR>``l9|Q_%GCnKeF5 zw(pVHj-&%whv*L;<4-1r6_6g=4v!%#B(L8T`U0L1v}BAoR%m|ifQT*unA$^#e&!99_$;uXi z1NtJbu)1ASsa;|37*~2U6?{p6w|>dxdZgx1s1drn#u?@)H5%i+ThVabrD@n_2F2FP z?6lnDIWmGh>~f7}#yeV@DV<0oGAMB8dd2uOhtrRfC5BgB5{JK55ioDWhOs7nN}m@q zIr=W?wPlIm_WP`0{EXf`VVwYloZ<6KJGB9A>f>Xw@S&`rX_^C;19iG9JfoLI9-0b8 zVD~;)qSL)Z8<>Cx`hBm4o^Hrs(-rb(oNrhiTeL)$picGv?+{hoc5+y1$JD}EqQ^o- zPfDN-Dk+M5&T2UAmQANvws_HeroBQi@R_Rg3jou0ayD*y(I-!W9X|S0ZHf1zJ8KhT z%S{lX{;Ln0LJT@@+-)E-%7L!p=Di=o)zm*e?O7GtJ^sS_@*GOqZ|}$1^%L{teOOz) ze9^(%O2-0G=&!O@;$6RUbWL$Y#1xN9sx;|#r(X2vi{`5Rx_h3 zs1y|sn33a0BdE_jEDEF}B4A>``c@{t-k8MRhyME=CYDez?j8V9-R&qt&kV~?%-LA&T0<_}(yU9Rlw z=~MTgc`zLaP#ikKsY6FYbbMt?aPsRuHA>F55(Z_dr|H`R$s+vj$zE&PJ0m*cW*UTU z{eP^zWmJ~!zV<66C5Uu~bcfO*AuTsZgES)D-BQw^bT`r|-QC@dba#X3d){-cHRl{- z?>(3A82cN8$480lI?sO`$M0Y#MIFA;mvVV?xR3E`FeF89-z z)slH$j%VRyvZt*JuJa9XliPRODlBxTC^droUH22xi~8<_P#zbEUdq$?*_eXyKcM7t zI%yc`6Hj}_k(HFau_|L(?%vZ*wBq2c@R(lJv1?1H>qJ1q_ zxT_9)P_T@;+hJ|O&#v(;1l5}hv6yP~msxm(wyTHj3|s32zy23t)ia!}BB%!hexyb} z0{5GFfQS{6`;J%*ax}qL4bBlXnR#P9Wte){3yW53X}zG|5jQXHsatY44ZGs6n`nZa z5f_kZ!Oq8ZRA2>_?NWL|5Y$qtP6@1Bpb=94-=%bgA!4A|CU+nj*C2t1C?<=+C+b zKG35XK?ybd)^DMZTFb2x>@g0rz=$vozKRaNg*Wsa*Vd#9GEf->&y|YW5qr2+FT!GaOt%Bd*Yf?GFb0l`ozdro zzIYL~3rDQ@vf4Y_%U~bHEt5fJm^dg&AB)fe$#BF+k3h9m7>pXS+gS+D9~C(pM;{-t1Qj zIH1B3cVUfu-nk~p?;By^w+mS79Ld-X{9CYH{5|pp+uswsgYQ8D$l1;k0dm&OjU~Q> zt6+EZ`Wh_=J*g(Zu2vJ|c9{p>on+^Zlg+i>ee zZRw|`*DLOye)Gs5q=q-ieG%Ci5PtUFus%cJ9GMKv?X5MoT#OlwehEvwuMD!LOcBn# zJV^dike9aK_3WC#kB#xU+HdxGv7TP{(PytlV-@Z6L+q-rr&jc2H0L#2ILpHmVHIHPv)_Q=^Gpnrm1??>RiJyRzC20 zaCRp@kYf{hc(EzrOYz6;Nc$nUGdYo2_L1=ujq`^VOj=fM^v!cRwQzes#Vdm9F$tX; z%wM)A=eDM!=20%rU8c`_Fn|2f_ZaD|KcTFy`(k|#mLr;5*h=56VOkLz&Xt9Z+G`aq z_+K5v^t|W!(ZZwlC8ssM4-5hSW}+nw1k5E~n~VjWW@B@i2t~m=8!=Iu#k=ZqHlT5= zRfTyb8#GN(QF#XHP$HnWBUHV*`q0hCkg3Q~l|>$jfQqZGF9H&1F4AYHiy4+OMBo^U zW744h9mZD1?y{y3M`uzStPN8A0Fz=9l3D%g_rKVR)@MKq9%1^`#d7?E)6*N69?mzCZHk~pmM6n{AsYV|6*YjD-a@ytEk zd%AO5;Wr9$t$sGXbb)MseiDW{chtMgNkiUXZ9};99)m|O;Nwvn)@YF%%s%-+J~pH& zHfH#@uXc@9!yXMIslc&)B#vgbYRzn-z-b#C;Qtu}qT1Ku9~j`cvuzt7+}5Etxw(Jp|=y)w&+TwkKO6xwLzIe?u^F?Gw!T~nbJ)^vIp|J4m^x|8yUa<+W0;PHqQ1=Mz1#L zvK1!HQyJmp2FZHiG>FfuIX*oLOZ%RJr*49RH<47-0&cR(t+)?v{CiymT*q&mCi{(N z-))9Ed^Oq_LLg`Db$y<2)eKtRrsdipwpRNoIR1qO{`9+U=73`V)QIwETBqZ|-pn^s z%4&u6B7~mXpa8FRG7Wc+T)*tCb1h*wBQL5up}cWNQ70#L5=F5~cxb$X?+!}ww(5o3;Q$h?XxH(aeIdeZiKyRs#1vR zn=Od#ETJ+}c{>jZ3V~dO6fuG=AQ2cf<;E1@)h&5VXU2JFLHg%z)O)j!GIHqt5i%7) z_79Lid=_@btU!Is58ASd8J{oc;_g?&{irg#^ zrPac&*KgCzBaJ_kz+Ndkk1#;C4NqzD2)G1jvx6G z?C(`7iR;wOlqH00dcxym&b}@+VnWOx?j85YzfvuRtavJc*$3N-aQ>?`uqVE5_()r^>!Yb#-1#RxLRC$m%4guPAoy3OttzQPF(Zh=nK zpu8;tk0(R(Lv6={X{-J2#hKO5dQQnaX8E^|!A;yvehRx#TK((etP}CY${je4@X_=g z54gu0FwIm~EM8fgb8S5%?WVWtrYDH|SO|BjBRmcr`-Bd3H(r2wsl-W+;P8+o5l-FEvq2<7S}wz66(s_Sg%C??ja2D2~5_*A?*QM76r zf6=kw#%)K-H05`Od$j135Wi@Mye$m1Ban3S_I`&In$_yDSZ!9}dv-uXXJ~M|?f$1q zg(kOzQ{3Lw(y?4!fD7sKOK;E~hUm9oHTfmPi%Q`?@~?}j6Bwq|JlQPfKaI!|Qqa1n z7ua!aIX_1kG%pF^jZg93&~B@P6}K5;ADcBhP#Y=HZw}y55JGqSq#az(-eX;?QI7oN z9**}!+*M&I@r@@_B7mIHs?>U1k9N?)x#*|6(VqRLerv~KK;^kX{FL-#!v>$J?lH{ zo%{d=nRW9uD_Tgkfad$$92U)t{)ZH>2Ui~xC4qQUt=2t2xfv;S-_gu`{CsQT)|Or_ zAS~nt8%AjE^#vOXxUkSf@S0`9+0VOAiPBS>RSs}RDY_y!-kA54xriO))@>O)x?`lS6@sE7N# z2;Wsb@z$&?)U`JIQxwZX!sXJVSy8zuG}ddv_#C2jI_rBvZMy;MaZ>O4MYDpQMZ>1< z#8c$ANuCDO!=z?c2K?vr{ZAhw4h@F{O}pnnJVS=&1)36R1U{?WvP}x7d7LNjtrn_3 zZq-jq5ym_0^&Xh$MBEg|fw%S2p8NUlvr}$0HO4>UxW`zkqtx(bW=QcJP2#zt{W)DPmZ^kIP~GOP+VF?uA%kMe%2 zjtd(4i&HgbO<`rhT#$pK7w>byR7$v!Rv@3-YY}a|^unAn8Epnr&K3+c9nU927L1J5 zj@TD#pR!w&M_3e2qU@s+MRRW-WkO1kH#Oxy+&T=j@tc+%Tz-ciaa{T_YPuD;``B|o z3t`@MMdci*(_O7lk`vc*X;xVli4hh@zLH2H2jDWEBK=-1L>Wba<# znsNBvJTEy!;yEf)^D1XNnWSr*wbw%Fi|SK)X}|ML0r*F^s6qGA9PZyiJ)}z3_Fd|J zT*vmB{bfKV(-(9Ab`~D*oAh0WUNs@?wYljKZ7zSR@~xiSK0A8H_^vxMB<)9y&-``;GM| zk7{2{vl{#pixu_f=H0}!+N4*GC>eqOHe~*PTd@51R)w4!cAlyyNgXY{Tq5bKk;yk9 zifA4R^5`9apqKHN6ZOi7g`L`#R6+{>&WrR>YUd#nKZHlx3hWg}BHJ*^8D}|F5@2Dc zFp@ZlZTx>K1S#-(#iR+i+F49HFPP>y@|Y23s0odTM^Q8S2I*XTMfxIMLKF}wq@Ejas-CM4)P$D z1FvozwYm2x_RSBCSa0Oiu|kYFywgwdQO@Wagm(vTbdqKIZ)8uNSg=r&Zuo!7T@PZ# z()B#ww%Yf3_~DwxEbrXBCVAl+^vr`g-ovG1V4f{bEx zcB-5EnEEOY-!J#8LDc75`d;D-T%@9yEYy45f~nXkW0M1F$Om>yX2^JVuVC5T7yZa= z4<}n01Si5(UTng3cwx`8TucOPqxBT*&pBDL#03Li295o>QmFh-lu!bmxF>}wIkfX6 zb8(BUXe^`_gu0RqkNXD_7jYhEvc!`9m^>~^!_h7j{Pcj0|IWQYO&qV8sO2K4nv>F) zcp^?c<-pDl&T@II-b%nW*3Df zBVqQrDtY@bCBAD<{`Oxqdk?`L-=$Y+Hxt6|!$<`el&d%CT75EDY)c94sV!Y|{d46D z=G7!E3Gy;ZG;Ud3J2!6vWay^cP$zt@nz;IY41Y%CI$}FPh;S`kJ=d9?3&Fb3-5jO-%TCS`xoYaot;(=zW>{1uNDXQrwtdE;5!8Gk zVycf$tImkQ^IIVjS6BrQ24urmDvjvRfrC|NFV!=(>ORn**V_Fua#RKtfbC^I@Y?>G zzJ#_q`#=rk7y>^F_Gv@N7p|wjs@VchqTE1@7rXLpuKqi7O@0-ZJ-C$^A1OW9Q&&iI zOxw${S_x_0B(-y$zcJzF20Ts!)2Gtq17wVgrSXtsCu${N_KemQ>S&r91On&c2^p~w zN9LTLx0aDBKC{;h%(vUOxyI{V!H}=2IyS#*cEG}?su{(Ix%qMel5nJ9RlgO3Tlm8- zW~j5p1x&UVS9Y~EKs+7RC-<@M7I_E^%JD4PhZ$Y=mz*s(3sihyjWulQ@YZ#!Mv_^o z$nEC%XmjV{cAqj)C8@C>a7A1rvzaKcMFdq}as{kyw7^(Ta$6Bwo{=2;(Ux|(!BI)m zw!5BbF~##eBZQv$(h#u#G#+hd+=!955IZX|#uwBP?tp!xs3|=mogF(DgR5%SLAZPY z9Mg=jVd)vcCsXG{1`Mov%?+J*XNB~JPFiW<7$fZbkMvgn zg&926?C#vV3M5s%&%f79CUefMtn;oMDFiyJUZ0S8oQjy83v9a<1aPs7>X@q(vwp2T zV%xbI?vzV`1{tgo`5#?=fvMp>(?ad%KhPr3C~dD=PYjFNogFByn0@cOs9%~JYkZWk z4uqdF3mi5T0x2fu&1Q{9HTE6r0?@tJ1n$>$7H$g{=9#ClX0JY%;xH0l13OCJfiBMf zumI{d^71O-Jxc4|CY(%%R=kb7Kl18>4T(W&aA4z6tJzQB;okGfKpaXl3*8%I+T+wDy7X9 zWW>j26jO@HKa#x6hoOFo^oD>s5#S!_o0F}-KB4z_k6MypEZNk8C_4CLw1dHvX4rF> zV&F3@0&-s5&LL#~rpx259wHLN=cI?=?ZD2G#q8nSLkAiLBgPyPbJA_a{`V&zi!ad& z_knnyNyl%(PyVOK$)}P_NN=|b&$o`&5%I`g+8BLFKZS(Dn~Xz>0OF(9wmWirj2GY@ z2y+kkIt})K#=cX4k}w4TSb1Y^E@*J10N3AC^7fg6WEb`O%ZP2M_UqS}or&Dcw$%!}3A@fYAxh40T zhW1aGaoFVbdO~AB$&o|#tt0iYcO7%et>uMUSyM+Yxk<`rN1d%#tB3GxPh~`069<87 zzKEsu*SP`P{jMExj72Vn7clRC`wrd!t>t8nPrY07bZgVZKin^O*M>CEDCvkCcE{RX z289eL{eVX+K4%qtYqA}pa5-OXKtYV*Bi+fuh$>rcr{_)|zw|tr{X4oJ zi$q!`MVUGQ-l6KQArz!D$PXWyt$uxDj{l z=-#>a$IU&t(T2e#{)pX9?vyyilNRE9cb;O~IBMTniC0t0dBcxRQ-!aMuO02Zrrt{? zPVVNHG`h4t=lQn#mtzzYI#?AI2N(jR)p=D0Jx@4Q{!=(EYywfQp&0*)iw%GxJAoJL z`@;&0VBw(87mxgGr~UnF!cgxflO5XCP>^cQfCCcUv{^jQ;ZS6~0J$NcNP&c75^uxEi@Kq~krREPcv?f?OdK|IDIqrvixt1?0l5uJde>ss|ui^0)f zT^qR|hxx7Hy73Em4pWo918W0y~lT^AuJLwbOpZ^r64G*gH=$_xS`Jm zfbgC%G>|VjN#X6}z+$fVYZrT(#%r1tME#^HqAREKTkZGN9~WOp;8S zK$12w?Om2@MY`c$ijtwP#>DY~WlaKgi(6uKJAjX(Q0YkyrHSnxBAMrf@=KD1l6=tb z?&hHzloF4Jiiw)f2N-E&9G<<1vBi8HB*_3Lv({6$`1xg0GinX?RG926-P%NmSdec* zv!CsR=Zss+H|1KU*^FOME4|z5DAOIAl_w_B9%@bi(h_nE+m8rNp@2iT48>5}(Uy~9 z;-jkJwG>0AbEO!2yZVTj0|j30aHXU`n{&A50vRA*SEZ8Q%Pzc9x8zcQ)g7%vX|q~2 zHl%vF(fN5{OiFy)xk-MssS#fR{8w>a&YU;#mXq<`piWTCgj+S7C?=Fq9Uj*`susyz z2y?}qyM2lqZzXFkPoInIT*X#CG_O$^(*{W zpTaJ*XSko$@NE&Ik~=~5 z@h0w+sJuUwWoZNK*Na_0mSi&rrE->pku``_yi_}ItJ{~P%`@}_JzUcoMA{6(U1T7jMsz2y;cypSBS&iA5A0r_oRdT&s2@_I*I z6xH1i3K1Uke67H-j~%PQP;*jr+0~+>f38*3qa__T4kn&eW}FWP)#^mbg~JJfaG@0C zC`li~Ul7p?pBaEM8D#*c9OFo-4#bw@%eNW(pq#{6qT!5+TDADq&}gfQ<5_t54@+Ah zZsmf9ieAd}2q;|CdSKDcKO1r14R?oB^4QZPZW1Yfy%_Bcoo;JrkRZAsU?} zg%S!>N?|dIiKaV5c!)df6l~a!K@5@#pn`DfI09t_-l(lF2~VTL-n#!hX+aew!X5P7 zZya6hcqTOBL^y@z%h9t&(3Ul25Xy{;unhDY+ltUs2olOrMTlNV?`ABfT>rxegH+Hj zu~;(?$8TFZ{mU$?dBuST3KG!B)uVio9SmaN$2!7+zY6!OoOmHg{KB;Yj=8vL?ie^U zE1QS6iEkLRckQ7b;?$f>*#hQJq4))PTORI=r% z>UDIl1*9luAYl93w28X(cU0P+4_1EGbk{e{Kmb>I``ER4sN`_AWwbuH0isTG?r%;& zA(goeYE{&I#Bm`Y$1$VzoGsO!)^=Xr@~3uX`|SyO<@eZh7^1cem!8rC@w5NZ@cxHc z6j1%jXV8SO)P+N1*q6aC;T!BAu!om`*k=tu5R{Kq4`i!-7JyEfW7sid3(70@ylz7v z1ueW5Gg>HZ>Xyk(5f=FfByrBgInsPfeL7D?~x9UpUyBKcONFlHpbW$w{32xdHTKgxElj z@mPk%T5=58)D@7MZ?8{Ul3UjGI1_gSr7l64y}tnpcHO`p?P&@qSp+1rch7+$f^R?p zBLOOdOsz}~MeGom5TT&xYVh?q8Bpnn-kJ?1Q=K`i5Nq*naTC>>z}-LZ7Ev$RA+o(f zL2Cu=i%b>-ge!u=#0h1iepFpw1aAVWtPcmWk( zMd2>CJtykQcn;t@sEh&j-}-uQN*8e3AwWHR!p)@K6U#ECcmiGFc|9zy^7VhijVls+ z5TRp}sRg>U!Hl=97L2>`@j7mMU9bOIU`+(eY_4?pCpLtvBD2Y6M#ETK6!>6mf$)$4 zX-A3{VRG1!e)qG@YGfIWmmt~J^Q!WXhQwZTwIobLdOKH|{B+FoRv-qWruOgx=)d_) zjfa!AZV#s6d>H7p-T+FpTZxrH^XAAOz@$yM2WYPB*BEq3T$Y;bg2fcV>U{mu2+xt? zyg_`Mv~-qvi?*1NPRqM5&&iJAlW&lHJu!mV(H(mqVy5rlEj?WEKW!&rhrL>JC7~{A zs%KR%7d`^7TyX6xms7nh_tN0tOL01eHCKYb9TWI7+IIj`CbNlzYU?_3Av!QhNLyCTz$8Bh87Vt7zphsf@-c9-x0_C2?B^KL%;2>ha$_BK zwET<)vb{GkfCW*FzR6G_hAo+RE=+Hp`fdF(|zF1gUO2-*mWsF(VWm}A*EF0 zGO=eV@V}tE`MS_iJXg^|8YAp+C5Lh_nHSj+IUwGP9!ss{wpTgvB2*ja9X zJHQy#tn6T#ld7q|^^~84NR57rELyiZ!iDTP-!8c%&ppsQtAapr1?LslJSDWIT997i z*pbs~eDrh_XU07$MIK|J*1Tj0&atv2r0pdp`~p-h$oD=ILuq8>(&fz`aA;6}?~cd@ zmeVvPooXD^!hVt)RDG(+z_p$VSw?tu5P^@}LqJPO0WvdA-)mTx;m3SQ+1gErp$M^(`$T&ZmHIw_$Yl)X>rhZwUMs|xH8 zN{*Uxe9`>N8IN+VqGfh;`+t2JO8AzPDo@@Bbm9ejgw&#(z0DH(QMqXpGG-KaDuzQn z+fO3}&ZVRs^;8h!Sb_0;!R`jwZPkRf*oU+a#6{X`ijgrC*v^lpSSjSvg|wgM-e08c z+bA-R^QY(b zqldhuKp$X(;@7cou3A9-mdbWF!i%RQ5KSu&2|GLdG0F!^60`&|IJ;iQwy4V;gXbX8 zmm}r~piZx)K8p*PUs{4ABbS78S4)WX@&>p?943wdk&@vp!GQFX9w|LOeTn0(6{4@S z;=Blo+5H5?vzhp7Fycq3IX?lSM;L1FF0JzNq^|i4|6*S&sP%< z+MdrqQTNurdt@@gbWvLmSGRt(snHfsle+wbS*EV9ev`pV(zEOF=rI7o%B(h`@~U>GK|E< z3m8h6T*Gd?eB}Z?&{geo>@oSj8yYCk0;kY8g2(3ZJYz|fB2x|MTF2_SfYV!Lgryon!+9?J zbaHv2qdP2y&ZrhQ6 z2*zvK1s^d#XfZS_fqAc-DoZ!Ztl}LUe*kxgY?6K3%g)=gjnogw6~`M?CQsx!dzzoN zVJM3ikOy(bjJl~Qe0qu5YXL)rSax!ki(?OL1i9k$0DJ4IBi%0dtk1jz<)A{*=g)$9 znOrgRb`wTnO=`;M{4C*B6WFHl&h{oTT|PXYNt3?7>eu!PbOV>aQB1?>V9nIh?9+4p zs46CPyyv+ij4*>d6YWW#Qlc*;yJYXV;Kbj>P%uXdf(#*)Rq+AG@+H5^Oz%o!eosIV z+A_NTt2mL*@cTi+vPg|8gPwrEWCljHs?NZMxL-Oq$4S(9IByj#$5qihatBK7JT4HL zMEi{Y#TO+0HpL;Jy3UQ$cA5`4{B@w5^=uS$?*~X~USLhM4@9;$cD`A%%{;#_yufY4 zGu_V8JJ-!2=d%VL7UuV#*a`IWdVqM7(AuF19II0R*ObKIf!H1kWu+|yV;U(hisYYE zO+xHLNQ69Gf>lUqJ6O}8wsy=02~vPc%x9HR=`7#)1NguDG4u!qz)t&9dGHC1A4o#! zPmz#B%Jd7D&%hjgVM%6d;S4A<3oBh0!0O*q!%h`*6PJ*<^O6Z|8Q3?|7#ZAFCK_U@ zl(*y(#Pn8{DwGZYnkY3%Y*(D2B|~=?1aV|K6t~x7~45J(&5OM%hC|hwd14e(-bddS3LpY1xy37 zwp-Agi4p1{$3k9fCzR1$9|M~dOp0xBMIUJf)K5&MEZIAP$J1MK@f!5>Qz6bbP|v}u z+KG>q@->D`42CtHqp?EqD2sEJf5`sa2G-(V>O&m~G0I)n5;d?zf}=k|tj znP6tJD`m6G(DY(=z>wj2CHk{aWkpv}O-zo_lwKFuUBAr+f{|<1RlQF#&{*2kkEcO+{ zw;&(UACm62PamNDDNinWdy0RrR{<$W3rvN?2Vtaw$doB=;b5>2U(SJnSsx0D6HZs@ zl7eqNP>2$@ucmw5_tXDSB}HoQLcZ`@29wj|0y7NtP%J7a-ai_zuF8CN1o;)|q2_@( zD{$hd=foJG5<&BlzI~l0Fiy!NcleyDpr5+~h*wHbt_C5mT~0^Dc}+EjQUvdM{aUZ> z;fU1|Kz~2<@u9$1on<$?5V!;DQOe99kmSN;hT3C>=+#sf;FpDpZU0Vi>^FsnABk0_ zmd`cP7K1udBB!~kva>o#-F{(F$aJh~cnDshMR3_w7HpXC>1*ah z`+oX6A^GG2mFF9o3*gpN3J2UTk)UoT;M-1#ibFm;I4AamgJ;TZD+;a!9@XT@%19So zuplY|9@5C&`jNy}lKSzA^mD;Chyz~LHm-Jmz!g3%f=H5+5o1ieVy>PI>%Ayqi_&rA z;v5c(H9=z6N3jn~N0-;EPHy%QUNA-p0`GVtz?NMJY=tZR%-qt{{)D=B-G2H2)5)?1 zAdk7exm0w49p`xWM(WOAQG$1g%%@2&yvRXTNei~<<4@S`S3}fnJ(-aNuRgsC?yjn8 z;5_$$^R=k4L&iQiMb~es0K;}kd$zDa1u2$ZUriut!(rN=>#$X5@wH)Hpx*{4pbJP& zkY)s@Po1$}1JtSV?X)Hst~(qI#~GF`6lIx>d{qL`Nt8`mBU8sMx7ZBVo<5S?D{mSR z-&4{t%!YQ_Lm}lj*h@BK3D!+uN;=-O2~cCsg~&!_OdEyKb+DvEJ{dnr*VnPMCEMgi4$(A+2F`Kx$ z9=2G5=dvr^K&B=^_(O2I?18+vg8bBahB*JU%?B>Ko}Wvy?E%Ke@DirHiW|7F-`yyO zy6SvKdHQw)?CZ|pFWkdYd)AgkTE95LY&XtzJz1rW;M>o~q!yzi9jLGD&-)e$S}l-l zB6R=z$w-fW3!-e4y4dx}>YD`t__K0I=PyG*6CY5I9?Yr>v6iu0hAFaE7-(C-xgdJr zh1#ltnY>@QXtS?c1UZWC$$(gbxyTyAYGZj%k8=)yDp&JF41>7hq`{v=(MK6JKJ^fL z$MS{X-yis@%oj5)No?9+oD>`)PV6(&DWT8bgLa04HsWQhzno z%a@iZexl7oc((dDJ;nq*@y}NnJ-GKLazjrzI{)%`z(s()NBmvL3o_h>db@s`!lcfb zYt{+or`-q6%n3vdaLxV(QsuljdytaGYhH7dIE;*;7+GMC2$hvKG0GD|X2ei|6W(?CUayO>4c zZP_i*Ur>zUZsj56&_exA6Zby+?u)h$aK^XQlMP{2@-Y*WE#CBmui9CCIpgWi)RvCZ z_yv4@T8h^dv+MV+8cqu-oh-tPgz%$p*d%5KOsUf=6a6G7mPT4=hrU^+nOe3(k{w8A zuMaCHM#dqYEM>Oxak0G#C9zk;E2huZOU;YyD;soLakJ1^Bp%aK#+fu_bnz4OC-pM8nmaZYTS-2v0!S@^1J zDcZT!tA&^LOoo?+m7|reeO@XY@xPm9Ib-qp5BcI3NAV@{<)b?54A#GpUiGj@Yv5i= zP$phn#+ESK(8giez27b>8StkvB>qd;1|RuPtLifE$D-UH&Y9H*KFb99Bvf7P1A)KC zIToh5s9M4{eyG0OQ0|OOb@jeTUUdmw03~emS~dDq2j4iPVD3djlognSzK0GEu$_om zd)s~AmJqAA`3?hF?t4|7!&Lpjfeg{$Q=K-<@KOER-^J*SpF0bmFTBf#6I1{Gx%)Ht z#34H2>wGGWCBfLYVaRRAW10%|+l55Wik`Ia)m5BdZM8pwH3xl#P{6XTehFj$+VU7I zCj?tvZ%kAMq8`;ddp%~|Av2e?Uf#*#G|+v#mI*-(DFBmCP1CjBF)B2I6DXYo*u{VN z?xPneYMQ*ED-E6sx%h?ne&_myXDUMvQ%5S5H z`K=$Q(!nj*aU~ujwLKCZVVQMrk6FD1#r$*!`!p4YT;;AV+Kux5KoIPF%7og zsH&f#Io?LVq7MHz59@#5w|wRHiF3mnY8s^5ey;z@GFEsmmCz6V#i?QS3W1hfB8NCL zaJhGTOhCXGg6Im&kr>gm}-Hg{yr7t0VBM8Sd5- zC6C^!`4l8@B-YD#vLU34E!FZt)tq&X%ff&VS}ywqbep zNT?|FkD*;5O&yIS(pM-C0tJkKe5c%Iy*R-zN2-7l^27x+vChZTn|C#)lQi~({Ow;U z#4N1OJfPuQX~w)h9C&rY^r9ytgvr>mRk?^)VD^c47CLBBR8nKdvZiqf0`iat_kA#9 z_a@gTN`dBJAAlj>gN8XQbR8{zRQbL+7#5asSR17@YgGu`#8w)2Gp`_)aNs!OF z@UkbHip5RRniDvQ5h7~*GW3!L-COkIS8FUkEGC=ke58G=`x}7C3IQi{zMXmpRR1~9 z`HTv%f2Ww6juI|GYYK$586HFgRJuPR^K#p?kG8J29pis8MiM><&-dIcQA_FyIpOyp zTT(M5`3bk-7~S?1YcfnPTy@`py#XGwf}zlh9k$lb1`2>fwviR%Kj@rAKRPfXaPX>P zGU+0xLD_BTmC=Iayu5TP3HPPIUYh8Ia8q4HXFTEz1cOFsC&fO?8Oh#C*PS)b$~Amm z`i6F~_#|zzWAoR1*XVhe5s8uJUi{gXXW#92h`PBRNnF*6a4QnE7}6I*Pa}Ta7CRl) zVb?V6TA9?HYSnH&u@B-hDwpuymPeF?N)vzy4OeIeQv^C*2xsOjg9M z)^U>y-h>YU#j@glq|W?f zh+{mm_7(=uNQxr;`znb&8$2|^ElBWI>@FXyAiu#rOS1)$95V1^?;5H$ps-}A(@TKD z3@+{y#z3-sIwNG`FOEo091~|;U1~_Hcq+UMRssab7)cEvM|uDSRy{OHjQchCoYWIC z*f|#`a3DgaB-*}Xj$(EU$O~R6zhK7B0F2wPtT&tR9gD#I$|4aUoIn3a>`8DAO{2+P zPJ}X-5hylt<1`ELTUQ{3?SiB3U#O!?YF8HMVNdYx6UFDD0QhfN#7z3o$&(pK*a}&p zrem6lX7j2}e{r7xRwnfO#^iP3zoG4IiHW;u&fU`$Z#o+gESzu&gnVy9D0b~B%0C3( znEd{A_rhBJRI^-9%ltYNGDx{LWUF=%3$glO-&+$uJeCGKZKSNoWyy zfGPYp1FjaVb$5#Gn7NpztKZ6f(C=S)^$zB7x7RKJBdMfFw zP4qAu(fZ5rNfMp+wRnfo_3}^>CnIJ|Md!pwG`9A{ z#JSrR@*(I4_y3{8@#uOX`Ii499-NCPbfy>j#D_{eUi{~^YbcuNXG14H0Xo&_ztiad z+sbs`Us#r*eyTrOj}z3$c9b^b;&{BSCv_VUiLqKK&vpxVVbn9qW3?1A!ANeVNvHUq z%aPBrpABmU{e=FmF8TM@%f|t>WHOuWDe`MFSZE`64;swqLA0yA$-o&ZJBr1scVzB| z?40@?@U+pu1IOd#Mi>f3rR75xTgq;L;i3SIHOIo;sRysqG&t2aSh#tKk4l_RR^&zk z34nk1H47AKr2&QS)GrAG#LzT!Lv52o>ElK_HpSk!auRtp2+;$4A+xazk$J4A-+4ge zTJVdwFJ$~Ldxii0V;O14Rp9kVR{Ich>IV}hvIUAeiLGRK0WCO zK%EAxn*!+S*%3PAs#XU`=BdvxaA10|pWFuQ5!giXr{xtoMpZ5!utH~; z{e6}lDa6od_3kfeQUBC#D7=B!RO-+5B7JHO9lCxX zf<@K8607NWj0qF3Qfy!VC5TcY1X6CSR z!fUb+*7i64U;n`V{b2pKkMo^jl^qIhXuIzJ|M?QzUW#U1y|hbjlKacBCK0Y1v6v&l!Zyiwv*-0D-V50=z{1{*; z$_H>*s-89R|M~lTEZ_+pOJj~$2$KJAZm|pW3_{_pJ@6F^hK)BWHt*Gud5>60wCg4ghoT7;7T%Xfxn2< z5$uBa=Rxwhnp_IcICA#i7!EUBF_0c`id>f%PkjIN)DXtCf%V7%j)K`7(SSOrS#<>r zL(a3I1+N*-ZbcAr@;MhFxlCG znsx`u=t5w%!kq@!%v@ca4e$gP0-7{c4?CW%uJ>&xNX}Bz#>uVNNdisD27umW-M_S6 zYzE|sn)tsGS`G(2!O>0{@7yf;=OOc29u~SY>5r&)KdcCZGQFrgW&kK}J-n=XMzi~3 z+o7@pg)v_=Q^8IaBclV-`wy9JwC~S&Td>6_;NAKLpF{$KgtpM=QC7R+HhfI#D)!H( za1S1YvB?=jghSo-h6cjfq0LAA7IfFl9XjU#B{@t(5g`JDbA9(6AdmV*2_yJRO{W1d zU@jj#+s=p8b*Kt5ykHHP?MNIUXKS2d`z1<-MXo>6^lxhD{dDmC?*Ad!(&>y<)s!x2 z*e~q111C-YI_F{$w`8|Ua?E)Ia5sR+t^oR3q;*z_Kt&&vm$i$I;u?kKdeg6e>a0DpsC{ig?z z-9Q~eF;#D0f$>3gKTY!6Ghfv5mj;5*4!}$JA8wrg`A?y^Fre1c99?v;{gpWu8sG!{ zpT6?LT({O!T5%!FiAvQK0C-#N{1TD1Km0n9o|F$0`v&J)EIJ%szf;iyW&=Ro%* z9lWpq(Cq>-w-x&#bOY$Rm`eGKjRe(onCsB0{y)o}3{!Y0&yf>I zu&=-~Nl%yix*IH=ji~#3EClWv8dC=ka5znYBkaIGzy%7Rlca!Rp^&6|c>d;hHvCywTipRl|DOgW zeiqq4x$GjxAX9cZKe3m?V1vE((krO#61v4#N#?Sg0-$7q$6Z{!TFf=5S0(9{al}11 zY)gP=qTYmC;MZ6!U4v+51~kvcWLEVTQb;NcRI*5uE!^ny^90ZVvs6D=a#n*E{59{W znb9e*o)!SX8121}^HKGzDwy>Zn2g`9;lB~^zTeAxzar>=0JC6VKhVFGMVlI`VKAp`SalYM;`0?KQi{UMP61VmAb7OFdw8) ziJPZ_$d*33V6Q{`NZaR+51_EkWRur2idC^Yg2QA~4#aCmv^Oo6_@f@oSy(^ZG+WsB z2lP=PGxN8feD9qP=f<&huPX@cb1NC~5-=_Ziv!M>pROXQYCBHTc&l}|+ye~^UGc{7 zO{(3Dwok1>tci)3dZRDS_R|ESjg^7Br}4(_y%$~XAt(O-hqSi<%5q)X{slo1B!q`h zTDn1`yG!XVDFNy3mQF!Rx*MdWyFpsI>p{93{jO*4z1IH!-+A9Xe&0K@W|pICW+Bhb zeVx~F9>?!cp8!F@)&y}$LHf-mHxHQGIh2_@?uwUm$fldeEx=_< z%MqY03jmm-=%t3?Ucvxf`KaIF3P0>qjYp76;Z)E8pBTj|l23Pnd{D~h0Q4dYSe{w%FJw6Ou%Qyme z1x_~1c)9~b2Bo@uFd%8^*t8=?%PX>UFj2uOhJSp>Pt60a@UP(+;~>yklm@up2FlvY zz*Q3VD+dedJ7}o3ie8Bc0a?*$G5De$YvSXFx8TS(f9yI^;ZBTDmb6Bq=LwSiq8(Z; zEif{XbmctQl4lV%25EOsrrHqgEb-QCjvg` zpqK%clAxS%7v3eaHWc^au75Ti9a7m@9ss|P9>&-eb5Za>l z!K=8e9zxhoz@xqo*#i8$mBPGw+t*p?*WeXAw7F&rx z1)3Z$gGT|`dt69?DNHcp4SHr5V2?-w%xq~+RC`@Gdj%+D958DCB|XAnBw#@cuWvHH z4<6x)d*qu3yv3Z41B8d7%Bz?n`GZpZLDA{Gh+-?fgpT_^s% zJ@oOYWbC)<1k8c91KzsMp|DSsK;VXyCg;6Gn+r@<;wdnL;(Z&l3hz`8W{Vs{F;^NfB_Zi_kPJ(z|vV6A2A5s`S=7S3QRN?v;j zgP9TnLxEGwb`y@_h56U!JYZALiD}5NTn2cux2kg@-l4Xl+$9{$P-I)!G*`X#+O`)Y zEF$Y9j9tA3D}U2rX!5+?9XxAEqX^*~syb{mR0EoH?B}P4f@!-LL`14{LhG0&0yADmZ_v&zz2}0J+f*|? zaCVP~xLIv!BOH)0-8HuKJ7?PB=U4mARpcs>4v2Q!$#Hi$fi?77y;o(UU_J=(oBnMv!?ZXPfD z;jEzys4t8&{lx;%`i-QW2+$}tOTjKMLjvFfRr@W?R%OJ=rX1DXPQc%HpPZo|%f8rn zwo~mB`59;P=c1|M=ilJULLYKioQ)G2`kidwPxS&k&z~~v-pp#2Q!vbLH{eJk538ZX zL#kC$GdxZsa}Y&PG-o*K4m5o;GXl&oi*phAQ|_usL?$E0(om=CvT=eVzTbibrp-8+ z0D~YV{&I_tvtaz!0P;QRVXl)O!cwxXwvOU;IHHWE?S@q7^V!a>^!+k)zh)FLM>cQW zL1HDYYq~>7_PJ(XUWT`xbBD)ehW7%Ksc%-yT?~Bnr@+r&RUc4qr&^$BVvIkzj0-B~ zR0D8M6Id>1Cnt^;hKPzP7KTK6Y1ZPN<&O6^)i4K#W9~}4qr5iNUz)jc)$MEi4K@f` zG6yP4jmPG`BYsP(+^73yq@^>jsyjrt?u`6kt&z#CwUOl6k8W97l5b_X%>ripaFT4- z0>epNhd8RoKPg4!xb^Bx22 zoj_)ktt0H^morPy>|>;k8f}<6KEb=(yR%K3PK;=>477!63O!Z$sI5(;(GkVDhGeZ# zgI84}=uV$qT_1c&DVm{*dA{`6=pjC~4gwd}VziN0H z3vM3tTLMGj@w*oR{ZP$*SKYnu%G-XmjGN3t@AkDs=HJ*vn&iakz50hu03h|KS%kY5R%kGPkSPpe<>eL1CH7PL`nxeioKadi38v`>a-mYYn%s7YGx!&Q~K z}FTKeknO1Ybu^pZ^ zURz7D;SzZIC422QNL%S@CyJSu*rOB4QQev%g1E&Fh9{cYv;CexX`ZMW9L~_GUEr|z zw&g@UghgxX!=390#~Uur0k2;$)(I0;+U*kYnaQ}m7yT{L?X3Bx-IpBt)>>+{@!`sa z5tu{wO!JtzDCq8>1iNpbh#2cnl(IfTBe^bHctwJe$EJ0K)pfyD8+n6r4B%xW!2gE zV5Jb%r;Rvw1Ii`Uyd+rb&-K-m_e=?Q$_MG3=%zZ}W=h$G1nJ0DD3LlP>X<**UWRm#^0SMI6C)OKHa>tzpu^sK&@3k?K|0I=IeGv0(#=f;z9ET znZ{-5@YxUVC)XV#XZ7W})0hS!umpy5N#(3iQr zsdhAlaRnctq&Sa@m+UO6_D5>n>tL;j8rp$&ZFVCDpKH55&QF)xG?5y)oi!v5MqKm^ z@0k4^kw4VD%@ZL;8{|)9&F4~=^+RkFw<%}#b6SKXIJ@_L!&CE2DdWf#1yA}=@2CITuS}#2XXNlJP>?gd z1Ju<7Kf&Ny`PHt7Q$f8I-~x4E6nVZ50y5$LH6WXd$ubr11o3B&5W(l(ubzM)c$%$d z6!5Gpi;_>SNR2ND;)9q-`H-1DxSg za@TMn$RyR2I>oA`kbjXmEooj#1|u9>1bJxIT6}nnJ#xu%cn3<}GJo3PssOKVt=cbG>+rFk6sDNL=HRZ9^Ggg{|syAc%07)cBbxoC&y>Kn|z2+^2LK zc{_{oR0RK&j}A#?O=AwN#3R%Vo2uK=`u!u zbcz8-kyJ6*wQIwuNIw@_v6ti;y~Wd`oF9&qa&cR_zTA=9XkI0R)i0@lIWpT8*OO^3 zo{#v`2ajL8Q2gyyAY^yP7}RtlLGOFqA^COK`9|t7g=lT=aAL6F1OqMZVdT;muASCB z7HrE$_E_PoKx#jF|D#+Vqo_-J%*l=FE`~k!wRO984iRCG3X-Ep##8BvM4mZ&*`XR1 z_SozaKX%dpcb3QPcetD1)A)EWGd|xpM`4X$$NIhh)lw~`?;7DQ^?ps0qQ^q%QO_&O ziZPdLGRQuW>&CPHD=cRQM#(>^ocmeoy#9)reak?5HAp-}I3(H1<#Rg=zH#mfI^yr) zwS?=_a9$x4^CUUju?I;*kIhX&;~ozWd_m%nn&&Og?!bLQ-Yv)_-=&1%$P@1Anl{^X z(SPM~{+OzTKrYv(3_-5vDHHR8S#fDN2e-kZAD4PA!430zxwuaZ^4#6f7uIaY()-ef z=D8pfECcRuUF0-eYdYnpq6mN{qB|;JhJrX|jKNQFA2YN=ElB%mMVHxl9UpJ*VT()- z&E>}I5(`x{zW$2)I0!MkC^ZKXKVGTHn|UeCOI3WHp3SOZ?&2Kvl799@hY8cji0hg| zqGLwTdy+i%Z8YYo*OMd54qsb0ur!XG<7Q7B#c|K#_X2u0^0|~fEQ(jj!NqcXjQZWn zL_Ct9P!(i5?Ps|R-mVOGM#f4k?%%l{U<&>=<5{li)PAsQu+EHTaR0&Exu%sR$z_uu z9o)}jjAouvcV$K-v)~_lng@LH!22WpzWs@*{$0^r>KG4!LD=uLbX5;2dT(G7L1f5L z7!?iC6ZT&OSA5!o9s!_@h_VOColDKT&;={_jQRXxQ?ZZrQO%q_8&s;L9wBwcfM9!@O29_^_ zOWD7U>&YW<0wW{B+*w`M3j(TNWQ8%>jb~U(*;l4N!eVGkk1yGoPM-U1Mj;!7npUA& zLSK)5#xghX5exUOX2o4;K@}*9(71(SoEzG|k)N5< z{{!-qE*+=Z###vF3C@2+em>~=kI2ubhyOq1XXux|k)IeP{{{I8FZ%zA{Om~oUm-su z@u1&XtD+LMOzGGu#QahT(VlNpDPS-gFK@~!P=bLfL?1FVVbmwBT%YJtG!~5u%s}p>LC05JpSsEql6!{oN zbD!E5&pneX4-uE`MHWD$?{E@W4u@@HK6EQX-6(c;A%g#LV+zT#Z$j`l!{6V{p zH6@8v`Lr};>BrJ_G>Sk@_Y=4;ywLB-YA?GUWDdWkLM-?m<%IF#tv&w|1|_p=A{oRs zCgtuKCcM)o_cd8Qc}ld&*&{6Vz_6mih?YKBcqLUJeJ+n@6rXy zW^U`CY|G3eFC?z_)?$(OUbom&zcx~^iq4!@{rEN z(37*b4Q0eLnb*LX(_v#& ziy=Ut?Gg^8+Dd8}*p>~VqE$PJKpT!%7SSACOmZ=J{Vyi8iGWl3RkGdUw@5+nnChwc z0nNn5o>KEu?c$r3R6VcHXZND~6Lp7J;1C^8(;y0E1S^0@234MPFCAT%ZR8y0M83|T$E(8}Hs2mIOn8fy*oC#0@7378N?<@H4 zVm>41nR3`JlT=giLv>jgH-FL=ZY%!txi(C`^yp+%^NJeG+I~49TsY<=@Ac}`jG#gT zjUdvA^CmQpyZ#IMNpEA?*2blBc&A+?*>a<%$K~5bblpF3jut%iji39uoK&=a7NtUg zSOeA%urq}j>>Wy3VOTTgWXR_t0BsO=MMEBVZFW4>A%^Zji{|1Y~ z%9Pf>@oA2VF9H?S>C<@Q8rLr~H(1^nX6EJ=^V&J}lbR zp1{#k)=UP(zt3?vjMRA(jh%G&*`{OfBCr@n^FZ@mm4U)duW_z33H^;Hl_@?fvu!VR z*s*){nO8G|^5O)jxW(0aq4qi`UR+-D*`?Ssy19tU1g&SFxP9!&_y7tZFl`h6wEQZp z0h8$fJQVDyxN-w__DCpB%bAG4t-qGTO$~=$eFXq^s%hpw`0D(~mBHnqJ|^&tIBaGQ zfo%uvUl1zj*6%Bzj2A66yYpOM^S0bb8pi>+Vy5$+n(1LrruC@bN%SSy->ZQbR&+h2 zdjc6r%zHr!@YZ8hwQU&(*-hR}hAK%PZd?2tELw}XwGfE&K#JfJl$_;O$K-q#r>mf0 zXoC8)H9%o9za~v@eMAlm<^rsso60LDA4YI$2+%g4uPp_2%3_j})WaY`m0AZn?H%sU zCaK`KBIj!?rpr=e40CbtYO;;EdwHS(b2m_9PA3n!OSEjN4p*tkY#@;^!Gz4;en{3^ z8tm5`UOFBwEgoO){1`m`Sh#;?j9UB6CDNH^ay2#X{uZ!JJ|zLjuC7@oc4P*F3Ux`u z+5%XQ>}q!`sA$RAbgUG1YpS520;H%0P5q+@04SE;02<5&!)vHuX)wN42W;Q2-N~y! z_lsMVf~s359Mu5WW$#@@NL*Y43~61x@@21hnfqdAL}A8K zNqfD4_k4#li{;OJ7sA6YOBm!Q&Ib$ic#&Akm+n-;p^ukCYF>q6?dE)zRfNG!v9?ZE z<_qunRJ2r;G`2YZ5PUFNhd`VC9@FLbl`kqXQtbm;|CD1xHKj$cqTDgcbnbAxvn49j z!@OL#({{rubKZIjapE{$i^SNN=0U(=5{X6>Ugghs_IAKq>+O$VpX}Jk_#^BM(WJ0C(tz!Xr0eP5wcdY_S%WCX-kjzqWxw zx{Kk9K+PfuH+WaTV>$Oa*ZC9`lO&*AG)C(~Zd}Ts6yQ!1Z~?MV*l|ra4x87V%MTD+ zHb~@ZkJ^M4J|2trf(;Ol*F0Ikc8tI6+Xg@^5uHV*nM(?)SGJqvc}~~-Ie)w{2`>u<7B$ z%AtIdm;v}!d;u30jo_L=r(iP_8OE+h_f^nm8?1jWTJRO&M75-8!@lWw@uiuE5y{qM zbiu!mCl9)yT}HGVBbQvs0XrG#!?PFXQkCHtzSv*HZ^nXz)Za8qho1)Oq zgi|!tMNSylJ>dsG5sjl+nCrf&`_(@v=Xd!=%+sI@^!b8?PhW-!rPqRm4K32o7aZ;v z7WSIFQwF899E{YeTM1ZyAxBTs=w{!mtP^Nk=v!$}ZuQD{edBpROlj4S=DO&a=H3) zGB(0x#-WYV@`EaDch{rEJ8;OUt|S0107Y`?{N0@AZs4qevKZsn{zII6%QwK~#~0+I z7y`oc0_V2N&_kjN>p(UpRmir%$FqyghAaKJc91sFI={55UT!QG^IAGnhFJr&1ZR~@q!mJT zd`AV@uyt}?KJpr6gON+WdAsy{_Y+CN;6iYYK@j?cPM8H-%da`9-8VgR_b3nq%Npr??atBXbZ`A}l|>sp8<*sk})AzhM{ zEquqjmm43hp!Bx)w^5Ff$6gcS(gPF+haFb%;u#9X-8PJIN@sUGAuR4*j75D<#@vh6 z*E4JRM8BK}<7Drx+d^w8Lf|EWVaSNxG+45k#E3~W5)B7Dx|H-~wvn^Pkk{0{)OR9j}{}*Zh8}RrImZj98@*Yl{4)vO(*>^LhurVWlpSv@kXP%B?%2-!cKbQGRM;ICZ#!NS9VMPFiy)EX(5NE;R*rC zsChGLK+#2`M_|S0Apr^jFb#yMjUleqiZpOiVSmD45~VgQ%#Ek*f7MTmOh2H7A;?Gu>QgoYd;vutZSr|k>GD!kEzI!j6{p{_0h zkFk`~pBnTZ(RTd+cxc7mPn`0CIW;>6^HTI%#;s=FXPgn6j;T3Dpk+L z70W7#&m(@A5ps>0L$ zh0iw$;QVej8=B@DwWs}uzE3O#*&VXUa8pOfs2w;H&;EMTV%jLb%?kwIH}Vc$-=3cG zJsePlnJnhO3`|Dx@wIuptT>n3i~0jDgMK#ip<_$2DW;YyVf`gNx=$qDQ=S8 zl7$YtqLIgfg^yITjl6wPjfEkY`u(u}DyA(o^Geczz;1*;>eVuhN6-`|$xA}xL0{_y zj)eAVfSuHUE%A#aqKL+WRH>|s(N`Q33l?QN@L3E};VehREK z-c=tbfo%qQHNmUsOTpLz>4ISQyT_$zI}vSh)z+n zs@S5)yq}V56xB$5On%+MM`5V#2kdA=i2{RQIoH>vC7Rmk3P_>FYH9m~9mjS$Sg*X% zL$I6$;*b-Nx!?9r=X<7^s7?%0l4kY03PTa@C#+x2$<>&KR4yUhTOO9aT;}d zQ5oC7RF%Mquai+KIoLJ6gU@a_uy(X)2TQ4b`M3c5tT02d%y;D7JtbMLTs-vM=kxEH z+OYmIwf}z{`Tx#1{PQ<`#UcfFffY^pJ}-*rfV1X1`+Pw(nM9G)XG)6rC}N8WI#MUv zSa>DMOt}yt2( zF=%LKtw!o8eh9xA`Bn-(zGdF;fu?Eex=gxB;@))SBkiQ1- zZ>0eDq#;MXgsI{{Jh_Xv}xa2op>Gr>pK87Pcqx>wE~ux#p8KvsRP`Al%$f)`sqGRlpW z#R8ldyafTmV4)P+vZbEXEeu%>tc$XtNw+oNX*{s8qZVv|nm(?Liv@O8iW@7cuy`Du zoR0i(>)Q$q2tDom@&_BjW#gl_EM5I?@s4;N(6@JS6;7gvb%T3AF`g%wljtk9wVV3> z=+O*(IohCFqhpflI0^P@L^S2R_h%D3z~8F^3zddAA}I+_JK&KLVi`xaq_W?h@2at_ z^3Y)D@5G%46Yo?!%x>mk^sfVbM`zS@d*xIN@`4o^uxAqZoNB9hNa!t<*Lu%@ExHgE zc5rc*hX~;pI78>9Jb|B21>dq-p;@gt$ICPd%r+1RAedeoR#!`tv&Ks6mm^{AEP4O- zq$*knS*kDK1D{dh1iJuGGPZ;4sH@u|hz0n$le_^phBd#v7kmY;smmadGR2Kd6Bzo$ z@3{R{J~tM2g4=8XV4P5cy|MfoUwAdHdxW&l41&H;Q-}_c=b1tP)M5d+k#_rb;*L4; zv*j?5k)M!GVQ;vrm0{{OpZLeIx$k{CO#ixsag-pP+~QJ`W_`62OR)#cyEGyEpm4ip z(P_Srv)e?Axrp2r5kAL953y2vqpJM2og6R5Q}VYy)C6T{e)Zf&_aF4|yzp5k{s^yO zmPR)@o5=zNS$%mu{|r_HzV(#qf#&U`-xcUl#U;b>XpyyRVs$xl{bE%d5@^bQuSQ<77! zWI6bCd&rSL_ADN?{M4i(+t33H& zt;oFGFX(cTls!-*w0#Mu&^)vRvf|SEe0;`3c;^6TL^pKLShoUik{bS|LN!n&!Obp0 z`_gRbJuS%eXP6m=n& zXZM{tuU)qRE%!fk-S@Hg6*+-~D)H%81jo|Rk||hgW0#l$vMdIB!D9*x>i{fx;P%D3 zKQi?q2^z)pPtf~9QhXlnZ$RrNb#N9$JV&>h!;A=_d(quKfa)~;x=e9EfU?z$@R;8K zS6u5q^HzDfD7n%}szz~3$3T{p4kKiQ6`kjsDFzSJCw|ON zTCi;mBCrd7<%tI{mohUSYC#1~w+)h-LH;E;_1`xbmW$thB#E+hNy|@jGn3MF`SpEP z=&B3HB9+VDcn7UR-ii7fpD+u~A>YZTgKw?(rJ6vvd~ZW302vJ*k4d!wO(asyOgz89 z9B1mT(l@iZYnbxJ>-aU`UcuX7%v3MR^6VSAH$y9%UC8b+se651!-@VAx#}jlDu$%5 zHW#qBqx19C;CE|~j4qVQ?ZC%$_&H9&rjspNuvIrr{RW(qqEZaxt!Ck~@|xw&j2!13 zFK~I>^ED2bkJtYp!;=fre>FS^J=fr?1KFX$!bgyB51hUf$vIZf8;9qyJ0tFC37Wph zqHVyQn)<+=cD}TFT)LKn+j^tMEX_U_QyvwvQbq4qPeZRj$>qM74*44Wb#rkkli6V8 ziRUS#pJ~werR#Tv+*c2#jPXQ@Erk$w%YR2Tv-&m`f;hq}%KlGA+w9be3Rw_ZhtK}= zdepS2FQq>sqrMQOp|KJRc}++2Jr)v2mqQ)1HS`R(knZJ(x93HxqnCMURj>Up{|MK} zsm9mo)4k@c8la@rOf5lgb(TTOc|y?DcXkKzZa#GYdVWR%y`6_mRewmTBO!#RnCK@kSvuJq zMA?JS=Mm6XnJ?-Ct*YlGuJ&j!)a&*?P_GrvGbm&kMG08b_4n)iCC2{GDxaFk0V+#4 zxpm8Ro_dvW#IyKfB6nOd>QEzTQ|5Wk+R~>q6w%-YKV=%4IvjjA|M7O-m=)NozU7Dm z((6w^detY0)o*Yo|}GQI1e1}SyZTwR_~a?VWijBC!p#2`epd5*l3y&-dc>}vQJw- z0J$X}-%m~wSM?ZqDq$GVqTp&TmhY}ln~R#7Cr%W`I?*Sd}3=GK1?Dd=1Rw`8yTPdFVwPZ}@6Yp2qt7 z9b_|a8k3<;g$b$ZSOCY$sTuoRdI)zV*WvrD<^Ub>T=p+qF!d0kc`Nw*`PB{%eose6jO)530q!^}_D zWH$3WcPwc6r-NLdb8rY!jjtl$IDCZM5dlSmyqEz*S}NMONwI^zo0NZ0oDrCJV`Wzx zJ6+SwAo~v&lE40l`UQd=K*74~FIFvjiK-^R2^9RaTBx(7*;g!1P*8_rkWUf%Cs?-I zB5CWJTx;8a%WlJ|NWl`0yP5#sF#m55*fDv`^^5Xt5@$TgSs%|qoyg_Z9+%UnDMBZ| znmD$zD{cPXgY>IRt$GlD4S~HSFt*!=f5JTI(rfPixs;2mK{o1Q$95n}CWl$w!-qR{ zzCG3{iJa-Wc!T9sTV0Cz{5d>t?Ra?V0#0lvTCr6l;{5fi{gFq`)I8cC6CyqVYq+!p zJq=v?dX`bB<-?dikReWxsY4E=447G7y!pbB<7HTI{`}ngPp|l#!+*2=D)+F=QjE&ge5&Mwzkb_02KD2|Dr9-c^?m?JE7Km7fV3=gl;pi%F!z?Ii3|3l^>-v({D~uae#ALEVd+j_Iq>b(U>qG( z{i0&tl8&v|MZLqpovE#Pf3sW)q2zQ2ZCQ|oNO+bPJILDTN)_i~M75=pLyFJ3VaizP z=fl&#gQ)-E7hNJGHSaPMEe7Xm%)4PMFkO)8YtyNyFuwrgVZF(XZ`lh0xVkXby;)8W z#bYEhL@xEvdJz0U@Io5w8g3OjN9-mBZ3lrio1k|=3{XJBEkMNzwpytsn=Me$Uwnr_ zWQCX{ef5u4+NB2Qi%9nJ_`%4s=@>bq;0T6n-wtPt5>F7HLhvV0kf>zFz@zfE8mBaIYhjIZB)LIYoK;U{s!B;*E`jS228+mCph?^2;>JJ6(~WGNFB;; zu?o5zyPBh3H|#FAwjP}GS&wA}K=}g0ot8aN>_hx9hC%lGCnj0SuBBE&C4)-6aX2Zn z)d9%-VW#ppvumOSkZT+5$^nfQj8+gXQ$<7tSa$z^+drN0D;D zY4$$`+6#CV zRS$oS@PJH(E%+P%dM6mn+UP-zJvSAv%p&g>Qi=6#0P0kYn3|D-CFa^+`o@3O&r5w* zP>P(G0P?Xp7O8@<5=~r zhp(<3ggXDIo0euT_Bb(2HF;;PHRAH&Q3UDGEdx7k+wD9}eu_bCru&lTrH;fGm{T>-U$M=b!ZQ74v+%qa`}D zsbzz*4s&+8LQyJliUwBxB*@`|kcB}_NMYOXfm9iuRO_x?7{RM9@FhIL6H*H}eXYAA zc5qkm)iFL6DLY8wur70tu-|*Z0UDJ2Hy?;Hs+YG_Og=z?2Z(=c$K5H%k_?N*1{FOu zE9!P$0160P`I_7orl1hdTQ0srF@){}@N=3u@q&8acY`h>@Ht+*_m#Om*^FS`!Qh%Kv}f_sX+e+g)SB7gDPlteH3G0$r+z)djdkD)LC(J=T%k)0`FWxk!@ zT_0IwQuyu%X#teN%TITlolEh z@;E8y(-0pwm1$IogCVuMzKl+-3I4ZJ2weHgUs zQu`Dw5gG0EK*0C#(PYBd4+M7f(-LL1L6DGHSu94`mNizjMAlJdA*H5p-4JtU#?XbO4vRJ_dpN5V^WBAl3w;AmEB+R_@ zOHN<1F$Z+HT*{xm1G-E%IGY(^N~;N9k-g}cmvs8|UD*q$=92}R<(1~;@3X6V2W)}u zCwlCq`W-Lem)0HMdzR#8()+NX(yJI4B2&kTdB!iOZz!p!T=JAi`0$i?(mrmHcc=&Z zOhk6LcD{f^Ng$m$wVW3^=ttU?DVR?dkixL7_yZj3tg@i~L9kF;qtmx?^yYjw)jGPo z;|bjh7w3*3P`U-QW6o^$9`%Id*qF^tpEb_M?vkjoz9cTo;TckYzRYBHzd@!W6LJ$N2 zWeAJS7jnb8BfsCNa3F|ZQwL9@x1*7!>oi&qkv=ZbqD_QI3XSxglSHL|7AV2(BjhAY zD88`+dDSayV)K-RedbN4?EAXug_OJYIcnT#jy|b&cCsi)1JXcDa4)BAA88QYHTJv0 zrf5mr3sFr~$!p!{4ov-GshrO|M-8<)$aGZW{#?-=%VnF?I6@K|=({${JDXDaU&=N3 zCc3*9TfU82(afyRqKVe=;VWLvaYPY@xC)u%4Cj^yr&i0~+eWr3vSbP(%hlV-^EO2) zRxo1X(#))BL@A4hE5~cCffZ4AjR(!uW;`$R8)V=5cxZPgT7qzRi=&ZYb0$XySSO2n zm&*q4k=yl!ieu4aDA-dvmJ2n3L`%j+-Jj97w z&jXcTP=AWYia7JKtZh}1M2Q#r-Y?BNHR{%wOR-+P8?oyp(RnwebK#PEDU)hgx(8j; z&X$(xK~$WbUn!l#-rBxwA;Ui99Yn+xV7DWCB0!#ItFZJgx3biPYu3u0a?9fDa971r zdHNXhWoVkXX847fmG8nr|K-x?paQfm;jS#d`e4hIspwS)LGu)TTB>ab9zdRt;S{E< z$Ak*~30pzTS5RtiC7Et`iBF{lrLno4TN3Xv9r28g67re9R9Y;hnv0%^?p_;otHE)1 z3rBlff94#Wr^ZlX`%MFwJHx=KsHoR_tV}>J35kD*vZro-82Y@HPnX9q@OyfpgA1cx zNY8hDiM|3rxHaTZ{hIo6ap0lIUS8OudN#NEv+c=3B}MkH{1g;tNIn!~Gze?Y%pY~q z`e@+~DIedgtwb(7|pbf~}3C0o_q-Ci^Z zJYXw(f<(0=iNvsUCKAmZ9=nWg-bcqMu&ZWJp0B8CgeX3ZQ>7T_J%4l)yqLY1(tOK0 zF1ZOs4qqb5~xf_|eD$4xc({VsAA|uWcZ~e6O z%TB>@Ce7Q!r|yfo{s^6jzC6t9)4!%Qp*=e`BGpd-K|#^$Cnk@tzlmxtytp~Q)3lWL zCbieK)o?Mu@d2Epw=^Qc4ZN16ZNJeRoob{4L_&9UjiIS^7l3K`3ySg|ei0y*VZ=@s zRQ{z}ngr+>L_59gcWn&LIuN@AZeQZa&W5Q{Etue|+D9lY@*^9;b0hL=mUJAg?~gqI z6A*tfZ!Ma)YWoiuE@bn8if7&&o&zBuHf-J{-hddwW8`Gv88RM^n;bxFmW>Rwyg2sgq{Qc83qZAltq{s#Oya|N2SODBF_?q4?*byomOqh zGlH#~cseykJ0dpcw1n(Ge6U6Sv|n`@nk`1(y*5U@b?|YcH(cDa{`y(TM8h)zAAC<9!Qy`W!QhLii~@ zJN-}B+QCygB;oqnUC>%bsJ#8_jSkP(V_ac<;H9mzXL>~AI&9iXaZ&5VOv+;Y}hlp{cr-eo?b#R^YzKj4CL9ckTeU$48U)o`pJv8v8Z zGjD4|*q0hD_i}%whFW;7Dg ztZ|vulstU)Gjcxj+t76{wQ~d1hZMiSuH+pe1tANlvH}~9n6*3jHQnsBG~W)=7O}ut z`3LuPqO{UdgNbVZ8*yUcHeYLr7(3q7f;#)WLbp5b<@ikwA@&^l`ye0ZIT&kSfEd(tMiH7xZg< z3N*}fN(^kniKPKNIm)Rr9Xi0R+Cq9D^Z?FrMwmaKJ-cA4-g2Hji0^9s@o!{oT25r< zx}NjhX}KHQSM)*PP@H(i8-V!yP6z|(@@a|Z3Q`zat&RLl<+^N8DqZ`-{a-K`gfHBW z3$P|p7t|=I<9aFr?hOtIN2ERx=F=HM51~YG$#1k}?)n7WFZK{LsRdyKg;jKWc%gj2 zx1)*?CQ;t^imZ6L`Bk$WWaDGSml+GSMQ_Hzq5Ep7S4h(1CNVjrr*Q|oG!22S~n)#9*zh= zIGH&NWp9AUO4yANUN8T2sLQ_Ec3nJ(!+)RMdTDQH4A4jzX#4R0Vgb~VB_`4c6To87 zOef*%VbQEQUG88l^Qj@jDd0eG?oxQZ^#s!*-hk3f2}O98i2en|XUAU0R%>vB^#FFa z$hZV>6AuHb4T{Cfu`(SVxJ;)KL&pFM>MMgqte*FV5uw&;E_p|bkC$H_r-dG>?4S?y z)Rue6&$F}`>O?pa_Hf(@&B85DGds1fMe=VU#wC2e^00De=jv9OhRyVcDnOgFZF#l_ z&@#i#!G}hi`G2B&lK5&<$eV^T)+77xzXZ8VH-z#q3P`cTWBuny{-U;Cp^ORx`g21V z+f${W|i}M-f*hoV#58yKjdp5*aj?;cn;}0Ls;-BRi_)m*cHY%G!2l7vPzx+ z$p`T~z<@i4ENFdj(=f@%#9Yb!s7gy^SKKgoj5XN$sE?Q=9m?q-hLhZ!fFxHC zU(4tLanj)C>}Q2T2DsE4fR!)21UF`%BmB?d+4?1cS|)Bd>PHSclQeEUpSS?nO_Nq2 z$f(~>0Q^*S3JHYrPZj?9RE!oZRZNZ=mxb9_Qncnd~>$&Cg^`rU^)53rKBaAN( zC^lY_83uY#G6TxpOwzkT#oU+L9*=PWezXrhaz6JzBwpYYXGx}M;JS~pL zSN~S;{^lIMv0X&n3CJ)8dovXV?S6>j*`&%uQ}-a0ZE(ESt^ZjC5r*uD`t09x}F+W81-Y?0v|;PU}G2258DFuGcf(K(f1?KADEK<`ly3NeL@+d zZCC(#O|T5hhdCzQed~*fDEJ24#V|AWBE3m^Ep@g#JyN9txSlQBpsdw|m+Wt-Nu`L7 zy^|AX6%OFT?qMWySf{nU!{Y$ZI|U#eF-v{pBY)~& zUu_3gMwX0=>KhFNB#)DRDzOaQJz)quP~>pHk3|ve&0z|Z=hzad4>GaT`u=hB8skS3 zSm4Zr3IB?*qto)M;y!MjWZbQOAs`7r;^x-ZE zoEXW3eJyQ5ZlbPN?1w4pX z4rzRElOG(Ug8!WB(8mS+4xE_YK@R$O?m)G3){|{?#0afMNu8j(Ulp-l8AqYsP(jeU+T@n%^ASK=CL|QrorArzn zA>FAUAgDA_64G6Qo_nsZ_CDwT_V)Y78Dot#)?m2Sn!x)$&wXDx?)*oO!2kT|P`}du z|39EweMW|OJd=9XF_FpOKLbOTGu+neCvNq7kk)v zw%a!kdGn+%$v6kb-CtG-^?m$*--Q2e)h4)u7#@3k>j z=qWyhfqWZS@gB7ZL2T@+{7ujcU4vA0)#L0mXfL)>$r+dNaf4|n@tvqK7+5@d^kY< z%R@#jLnw=|>nc5}5;q|IuUSMb1xGoFOF{&S3UDxBI41_k9nQ&EPxP_Nvw+eQqbNQ- zxcN0Ofd^8-#Up<1RMxO5#O=1OH~78fZ1*K_#Ua^-cYw)ogkDJRw=$g&XiAT&N=TNK z$+F%50VJI3?uv7nBJn{j%m+ga?hc3w*CQw{Sv5}k!?NpWabqH;2&z8ouMC`JR1_-z zfM3*tsy%LJ;93MYu|vPuoTtHyH7PJf(qZZOwq-N*MM*o z4NIe!=0f&R^iYme%v1TO^p8*f@1E;_eEsz;wKs|!uO(l%EK<6Bl9-Q{!dGxHf&csc zl)uMA)7(R+e70b2@I^5Vf?9`i`#2gt5@Os%|3QnmB|D3PW5#@`N`ZuxDRwV#&x0RM z_e2w%0R?2;DSv;vvzSA-Z;@0coMp@FKSrcN1tQcs&xTw*I;!vlG_+<=%U)>kpg!k>Icy)mJgOv2NT$Wsssj`$w3unih5=lq{Aia=`1F4x()_!-e)k-_cT|c}PH0 zRs01y%$F!CvK=JEjDXN_pkzYQW2o~P^Z*t^a6n5ZP2x<13UP^Ty&E-FP(V@ij%y_~ zVL;Hqu0R7;&2G(cr+qx5PsD{R7teV6{TTlw+61M{j zp7YsFgg|krY%xFusKzSo517_{iJY9k$@mQwYO^MM6&y(BSGAq2?#ISksDmiaPB_w% zwo>XZ_Ey`rrNod^V<3JgT3Ad%gL^VWFz6v@zOrmfOoVUd_j>NMJnp|?IVA-Au(|J& z`ps^YFLk~@-Ijj^bE!d>`K=?)^g6jsTka3f>-J&DB?N^{;&Vx9_%FXy7(8#NGwry9 zFnZ0Zl~02Y`SO-cbLn(mwuWmFsK`lKb7b0wc&TLWhbGExK3ZTH*Xt=$ewVz6L3|8L zA{Cl?aRQ5ODI0Q$$w;VqvE{+DjAnpDM}IfhLC8{Sm+)O-pp7*GvNzI7ZoL#Y|U)eJ6pbE=E$_r53J+)C8z zTM)%HXBfftNDSWg)*@SOU|F(jyg1u{GvWaXw6KXrNtK(U511)t66Vnp2ki#$qB5qG zQ6=p25QVDrV|t`Sw5;jy4Pm&uE9Y7Ws!bv08g--C>?Cos@c1U&uGKF@&dHU6E?>X( zpvuZLN8$uk*Gjmw+*U(BEqSH4^XDH)vj3U~;Xux%y$}~RD_c*qE%ghG;B2Un{&J5U zv%&dakkuIqe6&H8-Q)=2$bqtzjCk!4yv=0bttNx&V}c^xGCmFQPi6X*kImrFkNgxx zczqUP2vnuP-b-8nMkOXVvlu@yu9JAefhr`a5Q_0E{S3$t68;&VN&)at2NG%3Ln>@1 z3~?#)VaFiApqo1qMtqtA8O#DUM}fpFurPaclZUMn0L$^N#~9fKPBk)HJ~mR_D6B@(N!vsE5)y+-kfc*Lg62Fe{bEB8>aD z$^8zFQNK-KT6jhzYDerP1N5RE=grHEb@P&X~P#OW z5xlzO{LV|t%c+{VRFF7*=V)b+z1y%cab6H{fL`o-z{|V&8>)~#hUzYk$$cDDOKEG0 zv>Zy~*YYY>rQm%+FXXyPa{TT3k&x;;W`iE^jcA~1&hEP=jc$vg_7O9HsOCW_LIlDn z#V5F93)3hgAhuR?#GcUsfCnxk3eZT-S1gd>yF&I2Gjl4$t?=EAW=|82r_SRkm3NwS zhJVI=*iuw`^t6(47pDC+ZQNptvn8KmyR&XJZN1x*rM*>AjwNO4s&8kmY^z*6;%WXJ zsP8`Ed$9Xr56*LI>4nty{iYo^8fO{=!#}*%%bu^RqUz2?hH-c_b8oQ*J1CH6`;Vxz zh(`V46hj}ai;+_yJ(5ati8ET#0h35;MT}XGtUgtvAXglBCy>PeH;6cnL zwB!~_XjSOenc3njspNCU=W*!gp{F^sp)pt%0j?Tz-S1zXejjK_8_#_%tKn6{rRyh1j*r*X}5w_HJU(# zPcj2$O872H>%4rg`@Fc;iz-*V*mC@)&o(0F=Ar_Ed2rtgBMq&=k6Evjk$XUW6PyiJ zUzWc<4p2g5p)-5ff~M_z>01R0g|3^Tp<8w5XU48ywH1Eka;1Q{qmwxrok2Fq;ARe& z5`rW{iDi&e99QSYq9ScBdY!W~f+XN>`}C?*Qexj-_b;Ep#F?$4QIKT*dA=8raq%LpPJeXx7y)E+DOGbX~Y4+t}vMhmyD_-91 zY34=-diPl<$mG5^&vOZ0%;M=*V%>(LUF?;e#97#qumjkEPFjp9Z-ZkKu`a?Q3+WZeVX+ zS(%V;5>=ie&T=boKIkAW{pFsKHj5x;wK~fv+1Q%O6tOXffwLQ>4a3(w@V!F|1_3K z*bpk`s3Fg;<)nu#FdssP;Wlt(!NeLvm;#i3=ccjVZ`(?n?HlyGA0G=#;$FX@pwG*!JQNzgii4m@!OyNkih>2x4Z#(|b*pN_h2mXh#l4F32 z@sk-|xr}`!6LvO}J3!)JliCi?Pxa{d-oa5>8`Z}0-ZW9GfMov70(6A8h1%Pps} z`E@!s^U<}Qfh^-!{KzZXc6F>ai&Gvz#308(E(vif)Abg+7nJC|Sd(Zgb; zzCyuALY^L0@gfj2{G}-b+R96OQ6}*xh6(o| z_3x<%qTmxmc#9=?OD13`IYN5A*0&VlZr&|S*So~dZfaC@n$(~F=!rt@h^53#sT-HRIS-1q|3cKlB`3K_!un*ilpU6g zW$fhn9;>rYZ0@X=r=`zU)(+`7wg=)DzOgZIC|y(8k{%aS?O zq@5}xSEp14g=>LyBw^0jZ>2)IH~ERA1RidZuzk1R4dwYB89ooGhKk42_j9_g(z^TJ z&GN@cy(+XqqZ^3FbRtc<&CBv@lFq$_WY|BLFz}ZYq4;Ln+V%{LM<{$Ou&RnCClHse zBykxA2qMk5%G_C*;X^IYp2_Joz$$=mZfz|mZlx(WC50MIpPTrY3NRJUHdmJkmqPq3 ztXx}nZ9pq7`2f=~Dc^0LI=Vp&uTHZ7cUN?^_o~|A%2;`}v%}o$3zh~uc(|AZ4=RlS zzQ!PVo1^_&I({mKFa8tB@DKdOc(xy}P+aG7?mKhK5$_T!^#!fVR{kdDbNkGh;AKE0RsW~U8`vEma~+SyFoum!!*<>12DK>&DGC;>p0I( zg!tL;J19|Xycx0eB1d(obINnFcuUa!&N9hJc;fWR=J)h9eb&IG(M&D(Y9!(^rZ(GB9#;GAu9l#vGoR;>{LTKVBdoJ!W-JyM`JYR{f_k zjqcivD6hjNEct+s$m8C@&UN#9X;%zuvQ}~yaV$m3e+F3+;QErX>bNW!g*VmK>>oT& z?diX{>~(SB2w?jpt&%EoQ;`{u$VQTyseq$c+%w?|gP0`!s9iJ9SVS1OBd0V4-}_yn zFW%uSZ4)sldXOe2&Jo<|exUA-vWnCPpN+8Vz5Jfl(dY#|Te#S2lFZj^-|;O4 zX~kmc%x3>(wYHTdC(@+5JunvjH7f z6OOoR6bYk(k{&+bhm+OQySijBHB;YFZaQpP#f_$V;onLu;vVA3o! zT^wYZxY)(ZPqr*HSki18G>%JOd&C_ymwaJ_$V0W`&B$OEywlth-^ed)jiMsOMm)g} z^>oBtZ?N^G3G4WPHWFeS6|Ed7XA-vUy6sAXcbVe-5<2#nOQx9}h6&9x(_dz9_#KcQ z2{hvUz@LfTj?59Z9%r#OC-qTkf2VQ(p;!S@D-xANuEA#;Nz`p>KQd!5HFDpy*Yw7p zV&m^A(8u|BouS|bqFg)E&*sKza8TP(E#MlsIRse_Leh$Dr_y!#Qn&~b`9QQ$A8>K8 zMmOkD{K!T6+dL3f!$ne@?EjLN_=(OO{@9W^TJb8T2C`Tjmx|N}24vYr5>+ZXy z>?+Nj=Q!nZJ!u0Kh8EERQ=nSxu+p48ol3QchB`w5y9T23Ku7^KDc#A7p*||p6$5V7 zE=T)l7CPJ>(3Dt^8+H03ern{Z%N4jh%F(1YBukK`S}d((nK)nyWRKmIH?#gyi>_W}5p^+3b#%cn)OYP*I|E^=YtgBSeWrfu>*i2KkE`xm}T-`S|tX$!Tws`dj zMd3Y4?uUidbG1GvPNG8lbz1k>qr+M-HJGYfZK%}(6(qc}?|)h2e+yoVX<4s=;{32( zk%=QD$?Adf8Y#EOwn?^e!SnTmyDqg=)Q{tT@RbH}uq_2>kbko(s#neNm)7VXZdX8P zeY`uI?I5uyf*UJ2BYRK#Y9x7L)8+?YK&r%X&#!s(mncMhLEjg8O5J5){!Me^!+uIh z?}5<#w7lgD_fVH9=%aFoXC!^6$-yz{Ts(A%c_~XmO88oUYuY(Gn%%A!KGJR5$#HPpu`FT!tn|^H zzI`FOWV^xdrxQy=z`Yx%YtitgVKzPsc6GXVfsS+JS9RsGcCl%0dri#Mg}_mF>;@6e zma44f#-gHfEIFSU+=XvmYwX#g?o*DzF?QeI$H+En`S8#Gz0&c2<=toyKJ)}CW^Db` zk{2HSmLOY}kbGrY6yGqxn6SZsk<)9~;^!MX%O4>0B86SNL{DB!d1G)?|RuIqd8=dUx^sv**0AKLH74t>n0B)K$71diManT^cbAymM6U zQ@Du4VERLS$L{eXxumtCi3Pr`lZd>e7j_mn*lIzpj(C+8iUd~|%1XX0@;{beW9V+m z+EnF~A>-e4EaBg`F@Gq`nTswOH7Q7PgXTNs$T%uQb;rpOuixvd&EQWh7sANhVlqzt zTs3SYmLU9lA1ftn?!;3qHf!3c4`vG$Zgch6_Iq0?yIZ z@ShlxTc(?&H3zOKTZO|c`Hl}WN0-(USJ~>xw1R_o z6p6JnSN4TItGmR!3XZUpdJyyZCC4#1NFzLa`r2Kck{_Nm8;}Qjd93%VY#T1 zVrbNyG`~k`01Gd+{y+&Oiehbx{ zEh_)sh~~;OK2eZ#kOJddqRvqJidnN8+j(#HR7t|2h6x2w(z?_0&F6GoBXk+OOevry zPrEFAuTHozTJi$UGrs%Z2m0qBn@~ZEA@DqK%JI&eyKr064q%5j)FJ2d?wKDo3~!b$ zfG!7;bn?vSqKD3niaKE#PqXICCePJ~5`&-FKWEn;zKS}XHc9hs037FScTt71s{oS1 z&o2Uuf~Y-zSy~rr7iqD@*MrB!HJwAC!=v;W4fURXux-2PQwbA0Rb~>IWSI0 zvXqh!9g613DWcJ%tW2WvhAu-gK`l%kISE|Z6dJQ1+`qAE7sf{`#>!F`bl%Ph#G+%H z5k)nIMf9YRw@`@b^;2b+qOT) zC1b368ah}2Rum|ztB7VTs*vL>LJZG13Hf64%P$wAI>+A}i4>Ck_&9ECu_Pt1ygpk5 zoVF<45IkNE$1o*39Jgt?J5^qqP8R5?q#Buf{jTQ-R%T`{Z_2gCRz>ssG$piQpi;av zVpdiLa@Ve(Ih#3M)I${(N}}%t60ccaerD=5Z_L_tV#I83e=>DgJKm|?d|qnavR34- zt=&=;!nplStIo-SG+sb4aHrGr3$YJ>TrZPsHJCJ^u~DEM^^_RI{_<5|sSRT?Z#H;+ z`HysgC@Rv2MolPL((+j1IxcqoUn!&u_VxB4X_h5)Vl?d7S}Z43MoBHpa+>FyER7$U zy3c&%A@VUl5C!&D*8G}VvFcf2Hp-9!n8y1har(ILb#ksrwS-TIq|n}xcrGB-wL zvzQql+9K#a_CpRSKU^au% z)@^fY99}PjkO5V4-NlCWioSr-=vyV8`T057Qw92Wt%s%A^pG@!Sh-jRa~LsB{5G`g z+zi8Wo!5Tx-ZB!AkhDOF7;YS8tefHq){~@?#1H6Q=Xd|A7rvv`YBh$;#3e#?ejNid ziLq%p-2`STGvF|WUx*AkUR~*B1qL&z76SN;(ythxNk33j46U&=ccPbku+Q}Xo#7g` z#fjil*CkuA4Z{BCu`;o?wm{BB`;7 zOu7UfMVTABk{o(<6d5@Nnnz>`bE4UZUKzwoys#v0p!Usv2$Rf^hT3Z-Q<|%LMT;`t z){gc}t2dNRwR%aktUB+GrFX(>&N+ZLVMMhl)+eQ7VnA8%JT>o`(Y*kQm6!Q9SWII{ zuJN@R{~T-o;?{`jlRl=i)o%XLdf$EcN!+HZXp~Lr@&o;A=-kE=xMHS75kHN->acY+ ztsHG!lH3|zeK6dhGWP2ckI|G(u0RW`MeGX$eb8XP9T~Ov4gERYS~8&3Zo5cwp4^?I z5Z8$s&Y0ZZN7IHL-GU&D1e&iqM?j5`0LiA=B_J0rme2WK0Z+jU^kt!sj)OwCjQ&Bx z{)5i`x8SK7CHAB46h#b;V{Y9V4YV~1OSkK6=xId1Y7d91}qmlQj@i|BJG6*cL0;4oq{3wLSF^N!=@+m+Z*Cp!oX6$Eud zYSxR=0()Nc>rmnJvY4fQER3AML@n%wgq^M;M;NUD22Mdo3gA7jXlHQqi4b^;=(nR(9ADQkr6OR{^1hg>$5raCnHw(HMI4 zEcJI9q$_ZqxJCkZinH+Cp4}93u~H*t?vaWfQ%Mqdf=Ci}B@0p-^X4WSq41g+7KIaF z3zO|V;`*-)a-{vVP_~{yh67j!WJN^lscyn+AlJlFS?5#A08)^NW$F z$0fGpod#@?W|Fa5wtT3m!BvCtk@(csC41MmMAbkvkdMa)k`1!}#SY zL)IEVga2!m#wwD^$<#L+jL=#4Q-$u=&WM4xGp8%+{V7BcpBxB$N2ukoKhMc4AEaH6 zym|5&B{p=5$3|x7I3bOnf)19s%(>G(9vPX@0C`ucM~}~^bXKv=T^W?=K!r1z^Qc-< zQv*Hfg4h}Zwf-=!Tjk~WCzIvge$iPkH7@MhRIy8&;&D!Tq9U$3(0hO}-hy=4r_;3Q ziIt?$(F5PQCfK*&;Ey9&w zH7!7nV<=);TCT*$_`alBpmyy*ie?$;W`e_W#9dT$NA34mrTy=SWpeYf`c;;mu$PLL zEv_33S)eT1Aevzbbq*jfS9hs?o?G&9=_@3Dj)!p=TkmmCRnHU1N?cadGBq?U<8QCx zR=&aX>>EU^l@3}aohipnVzh^2RtIA5V=E@9FTcsZmRKQE%C#igiM!=aM|{E zkyY7;jU)M=qF;=Yy_oySNJv7!fE|V^Y5kbYKiEQO-Tl}rHSw{t#sI!dftJzKR^g!# z=f?*OAKx&3{T0-o__wF0{g8Xw1+Hk9pT^`T8@y2!#;$$rHRLmwckByTyUsv_rqKV6 zlrWA+4{a>vqE7bu4mySX*fsZ(;z+VrhSxZaQ$qY*`?c6QZsX44{288o0q6U5#5U3N z^;PoX>e-$LoRH9oQi2&mG%U(@lm${$gul>Oj7Z!jK>T4^hHnGLQNdN&#ujMOSAC!w z$EB>*K4VrZ$sUEg9~h5_giF(k)YG_yd~a50-&9*Skbf_~{wgIbHbHmCxZT#vYaRQI zwIwT7>uxL&uDYuP!U|xb-Ze@fJZ(G5ylvYwnL+~{3AQT(8<0}(5{vZ8v&w~8hfNKK zrr~_*0^~dgD-@5j@zXYzr!D5Svi<5$uk9S$S<|VhWeH?e%hD}hHW)Jw+=K=s;rBbJ zy@*$Y>61>DzgdQ_DvAJRS^}t4U>;>ZM&xN$+L9O13|3e{-bO z@cDJ6_Vp9L?Mn)g;0cBRUny6w9+jI4JW#72dEq$YS%jMavKiBW81>odZ2GPrK zfe@b<`k$`BEK3^4sCvkb*+9kzKxON$KRZ`0PdzjDSo;x+-6ukSIZz1ds`1c$yLN-` z7M%xVW!;6K28J)_MHpirv~?d1u{UQ}>B%xF2dBQ!_SP2OH{#OPW9b2YWcvN3H9nYw z?zFdixdfT+<-8f#@bdv2Ou7(P9BHpbj_cO26yc-4@Ctk8M^;z zuY`U95MPn*AXP*c-dW`+TqGBD;7HFdtH$#-0zZSzqjy_Z>3FV+Hn?r@JlN>&mEW$B zOMf;!Pq@Ul`N$c}%caOUHD%XixvRqKTxb>s#g-;lq#t70jUgpcyf^Dii%jY%X`)xB zssN~#F9~k77;|LQXuB?N8)c(Daox3PZe+@3$+l*9mpdFh0%a3-21V$gY3-F3^Eb|& zZxP-^gT>94TF(|=F%}R+J%?vYq%f3sOh-0KLmw7hw{a_7^1wXhreL`_lf3?=2h5*m z64skLf57wA^MN6|H?TC9 z2RK%12sOWKCkjujOrXr%{|PS=eJt!ca|+k&iDUjK5f}x-ASfBsn8G+rhQK+t1JXPp zTsBnQbSD%!b*+zA#uZC3*{iLnNeZzjQ^7n_a-X-vN~!t-vRgM1Dj+Pdd|rDKE>0$<6-nCa?LfPP_nR3dB$r-tnWAP>EBbftS^T$hm%%Q= zwW-4NL7WQ%m;LENPn3J)>ccYQrZ3hj3*eKM%D&uA@cXzeQ%UEMSzzac~8!<&zkp0&=9TudZZAxfL5y1^HQ=7kXd-*9htQ zGKV%pW6q`T@)wGWe>ex9pVjdaqyMTNerr$YbhHD}<_4AjNmPPLkxPJwJlD}XQxnvn-=XPsyIFl;9bS8~| zs<-d(0dw3;!qh3TrQW?7(fb^)IU3-_l#S8bTU+~uLwp-sFW?>3w-Oh381{lR1Uepb zsXeMlK$8n6ryU*-KrmAULjh)T z*i;RP%@EX$-Y!^OiTPPuB;bKv4S4^AnK;j2*uOJ@qr}&XYO@9GpuGak&6v{`3+>8u ziC($n(OVy5)Xu#HWbBn^rCu~_Q#lI6*`6?)-#t5-FL(cyF6jJLufeV4^BJt(3eZZ& zI7F%^^&DB1UP&rKV^RU$$`-c!lo$=RmWdWU9nVnKt+rK9f0LVRx0!>h7d*pOX+(&+ znIE&*Rg>b`>Nq;j0KkEwxK>No%0c1OzENL)djvf*KVU7FvNW5h^BGVvT1aP<&iu+V z^<9&c^5qZ6_6;@JFGkf{a!s281E_Yy>@hAwTM54G3;l7Bo1#}=o=&*F8(u!B^a0Z- zisxuT_=7qB8Vyg_I?n-$ApK1H1ycZUf_v!{;p(<@m#- zB7`vQZ5^}J(L|I;MaCMqXvxTzLan7%{8)zNE13Cd8Zj;o8+T$`XMBZGb-zF5F$OR}E* z{soq=f4f`#f0nN{4BY;#m%5)(rSl+g)pZ18RTv0G$^G}0Ua>j$2ThZi%1Dtt?utC9 z%fOhQFiCF(rX3G^nHkLsn_a>K=M_%YgTd{B+u7=e_uD|=sW01G6BwMK7sH9);A@s= zzQ~h%mfhPoLO4k0M)fr?`=RfFHfo(iAw=2NJ?x=PNR{s6VXb~co9h*#8;-;QZk1N1 zqrrSXbYx5jaU{(SHw)E56f7*gM8G6)lILK&zH$n>xa%r?)n*cWb=fUY6Qpl;S*nLN zAIpXnS|H^Eq-u$Tn^e<8#!ZO7x4E{TyMt`)cI>>@HeOgFd-4~q68r^SAssH%g;U05LYCa#sDwZfntjLNNkKmNjor&-%SQrVk_ ztG}N~^D%Z1KarSex?u$EvcDEbROmi7KMa@eGap2gK(DFI(;%%HDXI>1r42~6CVNcw zQ+f3D6HmCIeNA)>=B`{X)G8oK;(SQ-$oX3z*=@LwWEI$zJ;#$O%j?>}h!OkdVv*3; zhh~=_`^N5;{cjki;(L&8T|f0X1g0x)Ph7;L<1f15W&o{<6v9lOZXOA7BGClnX*OZ% zSzdF_nXI*22&t%(G<0?=El$ulDSfoJzias~-(ZX&y;&pa*wO8}x#7m<<*lb1NRKk-QtfQL#$Dnt#SBT)! z^Bkrk32hf(>TrRoBl$2lF%U$_CY^u09)p$!mWY$LsIaKafZ$HxX<8i8l;s}B2?qpb zT+VHPjc16kwyKP`yIPLgQ(E=L>Qu8a`4;2-6szx|kaZ>>}$HKnlwa@&oTlf7kc?dw96y(w;W+cQr)u4ML!OE!qr@`EOP&LGIw;gn%u z^q?C^*9d!4HhiKB!5W(JmQ`>M%Th@=AHoMP%~AboZm@&%e~65<_doHPuC918=Bdp| zmpE7{xV6X=jI=A#Du|7_8!p}y)7C?Llyard-rgB2-bk~Y($akq6lE^#5A|`XK9dE_ zP|s`}APkbXOCRGoHbC%xMfpJG+DGkYusK!F+mkOoJxIG2qz~ba93=@^0N0yaM#YS2 zF;H+2|LvJ+`TH|NP7)0M*8QAf^1(*Fp4a>i#u{F>oeRtVCG#303sl2ukbxzmUKDRBQ^WE|qngzxob$evfZ58hkJcp-8!kM(F8%!~JPDwIl$WldA1 zqV?PfjH@wwXg>u`YdE(_SY2o^U4t7flD%YHHe)C9gX;3k&kY~T06Zn5H3N7 zE4f#HkOxj6^)a2$@XKh_2G-s8?O8E+?Wgom{%*I5vGeg+e2ZWRSshsE0}CK0Y8Ya? zT)a_^Hlm;P0MTCBczS*bZQrJ}t~-CUc~kZg;Z7B#XRP3)sqnvK^2!28L-|OkVTg=3 zkS1KezTRE47A=6G#^R9>3Fx@We{$A zSBKu^>a0Ep(@(2*vWB58pyUj#Na1AuY=jc|o(oE#vRO@wf0AF{ZHQ@JQYZntpIf?goBXBD^lg=Sv)!X z_BBlnj<|7=B97pOuGR_LHTuy0-D6`*t9~?IvziM?to?b+jdd7N`El9^q^nsv{mF! zFSKY5#1}tDmGTkrYJ|ZsuZg#eoFphY@e4{NeA9R% z6XvDrNqgesIeuc{-!~%U+nm3s%Uy3z0NwaC-_w0=MgJ_N(ppfbhC;o4=3cG^o--_XOsl7*nAl zI>6EqtY4)~{;_zQy3^B;|ALNwE(6sFpPR+F9vADC-zrEZcV9o@WsV_@E?bKLEft;! zMLh)s0BrIOpe`zu6P}Lky?Nr*T*=9aSeA>5Tk>kdQddR4 zgtR}vYL7aZ%^+XTl@4)@DQSJgink}A3t4TBfY)5cQ?XKL56`ul9n40+aSh`m#wvz*RA1!1suhAxG}GR}4Tb8FwR3^{eb@|ssj`4AF zt*1>ZFLMTx7F*k`Ra>Sw2320duSm-uZToXiD&i4(ZrqD`JOolGz;-A2=4;w~G#LzR zB1taN_G$v5R8jBhR*p&_O}KA-ZuE2psAfBR57u(xR~HFtOxn_wTw|DL^w zBxZ4=KSx=%Vi}ZBmp!Iid<`bPmXW}GeJU8ef->6vTk>N3><3`SI-#wEb7>%TZ3?gV zNe_7YO2}Tnb7ra+=azeS@#q<>?HF#gflip4a!k5yW*=Y?NUiQzZ3Vdgja7Ej3!7WF z`WPXe(Ul~;u`rNEN6#IY6QMBndIBDSxqFlXPcsAn4o=Cs_xsG5+jfkL8*BmDR@jc? zuW-UKUSXME#9*^S=q41K_e8GVU8GAJ1=oBCfHnf7uCT()r@DVr0FZd^qD4#lQ%9$n zChr;)nu!s=8{gr4#YU@IoFKrLW-8KBmzj%p#v;+^_FLuG^Fqz}JO^}t%V1nUCfkEN zZa+g3=#w*7Gp6A7U9xTqJ$EE25jWqpk#q7R%r=qCs9b_o zEHb7vQ+9+PzWK-PxsEutx0vtP(?==Pcs?g6Wq1TzVy|6UzY)PpzGT5fpJyg4Dd!y^F=k8J7CNyqi zRMy)ntOpc91TPtUZlx;w=?TJWPDqSW+&pgMFYe0|6t+!wVy605j&yGMR}LfXRK&75 z*y#tzFDQ8f?iKmvtX*$e=7|aI?Z`c&cgnAM2D)*Oe)*K8R3t`FUSN+Vo>E3lJ`)s-3VM}v9j6nwK1NE%Q zcJ6l4_*l(g_v@Ze;w8l$tM71+d&yBRf7NNAobbXgTiskmQp={IG6%<-rjZ>-m_B(3 z4Uy7_^ML@Htz7abo^=&*HU3Skn#1u84L@4~bxO9_!e6`ce`;LJ#CdOIRJoM%l&-q% z@GK5pD9v%VXIX8d5kP*?zU?A|u5*}At`skWqMmCt+TR4>nRPo_@|i4Ep|1c+M6dpm zH5&bG+TsrjtW+fi(!u&%e+2{ydWhlG-D5%K3_}|ClnBGp)t6JgpUaN*7QSz$G1pLR z^fWCkjQ+p-dNRq`OfLb!o!pgM1$>-pC-wKr1Xx7d7WI6VP z=*Rbgx>CEu_TJFDruTEUYitC=WIhp|bO=q=czJ5H3fbxmx;Q%4Y_V5)LljEdhIqha zC2e4t@7`EU5}Awasv%3`xB}kSo6E8}0M*vi!r9Q9O^$RkScrX>e& zyP%V?!MWxNec7Esfcwil1_jC-zm*DG^=InRkY1526XTM*_9{;C9`hZnt1a(RzcCia zxTZ-Q`KOI;O|3zgD6UYC@9NV0o1^vm`J~F+inKQ25QJ`Hm5?R>=+_pHo%v4(3W$fJ zJZI<&Zz{{bZLcab`9^+rh#3q}5)vJfBiea=pGu5nG6H;Y)^QQ zj)IMDOrPfBs$AL5=!*DrOOzVR;FIp3BRuZt42w}kf(!dbRtK`C?oxVKI146==D-yU zlvbM#Pg*0h9XSNnKYGI~+`yM>P-9;@7f8kQOy1q?Nl)ab*Dk1>0ucP>E_1w*aBcIK zHWfrZ$4rKym^=6Oig3qUE%6|pxw_{JH~536PqT&A(IcmW9R~wkO|bjGe=Jbg!O;MV zonr6O*SwqnYBb~{3|36g$p^dINF_DCRwTwc0(?;5!|4}zH&*o4c5V36t}y3Y(<3l1 zF`ronoOn)ciiRg6iF6Dpi|e7%7b{XG1?l?=y=)#f_b7pd@H_2~KlHhv=7CyB=$3p( zrIVZU$uGZ(Mg3kW|EC^sDHL&#%dN}X2^Tb)>Ukg+rqBM7Sh!2cN@O~GDYxx^OfB?3 z=l~lN21EbkvA|MOV<6$Dr+V}^?mSi&FZ_}%Xqh*_p?tr%$Yi{?zplxgPIRf6MmK4# zF{64>(FXvZq+qW5N`XZ=oAv#Z8VW4TsSm}coZU=I5~emipN7B?y>y9H*L3FRdZYT8 zW0k1lxs0G41V~WgWvR3MYQOPF{h1|8?`VqeAF4&(KSS5oc0v3jc97#cehy-v<`b>E zDhVVeRWpIY+{7y(1N{8+K*o?d@gJ!jFiE7N5*f4#G-OB@Jf{E<4Hx)#@q-NCBirY} ziHJ|a7l=H7!J!K__Ut!5Jd5Epjutk+tFx)Zrc1hT|Kg>~PXp?<>eo01ohk{@(1zhR zq$a+7H=O3(l&9|HoA;*FS6iEYEcF8Jj}ctgOtAjRC`rWY^e>|H_CSNnk63{yCv*#r zrwEOJ8IR`zb;Kn}yf!*ae#Ukv2OeRd4Jcsn=-3Le6t$ix@AZ1448V{(6b4BE9t@6G zYRaNE-1|vxaebb$Yts&&1eqz$5D_g3@81`hTs$Gg$TXY;p;aF~i_5dOrKzLGc(m_9 z)G$>?#$9?^=R6?TqfV(Tb26a1Ge8}8HZe=O-1UKVs)&*_@^Id`)8~7S1r!rxf!7nA z(iMv#i-zpTORDS{u;X8vVn$@VWdE5$IQ$}R02K#OZZ&jE9iS*Wj+F;5e#SFvVgwj8 zQIfD_oMBn;H;7DbX$KhybluYqRz8z zN#k3udzjw-3gKex9BgnMatNaj{+2_i=iD&8RZzuVDmYp8>`-)VWI2P&`@DEquCCjS zVxzHo=Dx#G$Ne(sp19H&eA47#Vi*vcS#^VX+b>tR#%aSTW2); z=Ec#=)QH!$)O-yz*QixYx&D~3B|#8zDQJ?jPr#s9w~6vw7hlrVTAFNJl+$y0Pr4@JCWidU;gPX{^8C|@=TG>- z$%cphkc2A5 zfOxq9r{Fgh>=o1d4Zzpe*U4b~W#Y*+%v$ZsGjAUBKIxpWXI-{UmiPGu@pGIbar~RiP^$0R2f!@T8})lr>*+ zj&M($Jh4Pj_%l3be!93F+=_1?pfBEU>B$41qV{eIk0?lNY0BP@bO=B>)ORQspZpx> z_*2S+2_Hl8{moH49$IN*N|SPwDfC2P78=2wFwPG~qy#SG>Z+%tXDP)yCGp+C07~mN zbdkg}6{CpHuYuARR8cCF403{PO&8`%)0Sj=0T-6nMe5XS9~%?P%MCG<2@iDtX)em& zyz&a@4CNiHf7P9lSfJC%hI7@AHv9g3ugD>bwof92rkC+4!SGWCwWt?~SHswae}1EJ z7nW_~uzdd%Yxyr+LK}u+BAY&s0I6oQI3exRVFkueki)XS`gYghTgnK%8Evw0ChBlP ziSN|qq3HaInCOX&2`YL6n9jR5rfVI|hkzTR``EV!v}G8GBRpmDs3Jj8n=Nad*nti| zqus>TR>Z}w{U4vre~5!5q6=Pm%t#md=rxSt)Jo^3XSNSr(2+vJ0A8gixrW}VP|$^^P2EQNoqHjsXKC3Qz@LDM#VLmkK6{9OuMdO!wUWxBL*w=~pm^Ov_ezbMgchs0 z>HhQ_`#Y{GzDd9Y(ew5aMI3d`5@SR_5AS2&wVU`-^Bk1|63?RD%YTK=`DH8U`J`L? z&P6C(Asy)@#EN=%-|_#4xSB>7;use5Lx##?j{(9oiaTB?SiiI<}Trw zi~v5C60J*}%7tsb_XXwxrtIkr$U?;vIgC0{4pIfr0timL1>IGUQ4@38+6j-MOq4iG zi)Iv-05g$Ue`NJ?8PE1%i0(~EE%UW#Xu<&bVy!4qoK0g1j^q)LRRJ=y;v0>*cXw{?>DsQ^%JY0lRw% ziBMs1f`vljUFb06;BesK0O+xLCez!A`t$jMTYFk!jkJP$Ycq1fPe9g3nf-M7KbLLA}}M1j3$n2p}yWc&y4gPE!D*_Gr>U%oK09Tl0<* zDsB%k#fSvvwc~-&yC+|7v0hm6;~a1Ip=}iueppH}sZWA4`+1Z!V zH{_v-Thu?^hJW|J|Ff^}28w_1v1Xc7_){3+fBBKBRpF=&tn(nwdiJUmuX05S7%}38zBpFfhW*pn9g%RC&#Q2um8l@#kq&Qeo+yzKeOr z)*XJoZc`f+NGJ`%PHGE?m#~?dzh^9;7o0VNbR&4Wzj@H|<>(`mxB{P`43Mw#k=jj|Iex5vtcg>hNDXbc1OUSi9cz>?8T z?$(A$7SQ)zOHgJO+#7@tS9cASjpBid%!VL-s=)7{9a+>89w-0fw;6H9pmw9dOiDbg z^q2@0VK;OFvk&<{lAq>j;k%_SEr>q_*ZPfd6H)rnDcGQBGAJ=KCB?8T$c2cQo?tj> zpA>TmOzNc6x^adVwF<%8rNLklrGJ?8>Pg*4GETH&l#!4f)p#OThY3o}O~C(yYa!W2 z8u*7UYVY;Agz&ll<+=MWH$VNXQU-m3q0b3d?7tpCC;wK6$D+vp9!q>BqJR)mFCz-R ze>a2alsOVI!iJzkX}Jt$>JOphlISu47m8W)y{UR=rGiLe(#k35)vB-|g|5v*$5i4) zBu0fy28bHw3yVsLP*FJBnobhlI%UQiIVGBTkml0wg}=fYMt7?87eU5L3~&@2g#J4Q}#QqRh2YSPAQZu$rE2JOk?K6;u-D z_370F%_sdn>ZZmYuz4-{<>tp4WMu*Y|e) zuB*@Q_WS+kR?2Z4-tX7@IUbMuBlJr3o`6uHdd5$vuypi=r!i_j!Jd;-JICamcE>P1 zqcAiat?4=f%v%-p#RuPxo($!GDR8oao%}bGe-tki(I-5uxSv1wx{TI0IbY2u0{Vhv z7(8^r+G7wl<Ps)M9RD?N$_{Km&u5fGLpMoS#fZGcmEwTYsB5YMK zI%xaEWPyiNPWSn6VxFfDp6d8i1{##`@G_^B(Fou}rUu}ecEssZmW4aT!+i6~E>f9E z;Dp~x0L|d~^m_vhqZ{U?dln~dBVPYRM1H72QYT>tIA@?MY{2T;%3-d-pj zTHr226bSDT`DW}asA3exHvSIIc#;%FB>f&Z^=c6Pes#=!;|;=wgOocqs5~pN5Z0{< zENv^Q@&DEx?1Vvv#!w+MKExgUF=^Iz^Topw($EYd5A`g-jqNF<2*Sg9+ZE zpjV@-*k;N{H3g7Yf>*XalTvZu>9g?&z2Xe4u^S%ko+z-1KMKkL> zTLla(tI>Uc;)TrJ4BqFq`uGjG9H*Yc2|*&FEr9I~Zx_WH^a_!f&w~*A8nW6&-L}ZC zIo*5VZs`gf;1TdPv=;iaxS}m`Ul)ztyGu29?aNUk49QFjNDrc}QC@50Hh zV1LYZzf4>4x;Myq^g$6dyA%!u;?E_ar~QhS2U$A|1JMAFR0edP`l_g+eby&63bzsT z&kuAXH$SIR;5ZwYwns7n0BmQJvS=i7hY3~r{SK|mm@tfStiycwe*=2ErqqA$2;wZs zevu1|*sICdlHfm6#=AXvK<4J+e%G6Pn{YRxV_M*~?6Jm{+x_tMgFB(a&-bROttQm!;TYEby+g$?5coEDi<>3nJ& zd?k@JUp+vG@dDVsx(8u>gUm*sL~#6sl9m8>BKgUQQCKD2ec(KS7j@&=2Y0|NY7nBR zfs-!73CV9tb4>w3t4Q^1JL)o%B0&%!^r@xpxt z3TsoP@m2v|Q$}2@6^I#?oQXQ9rI<2rLbfKtxXcBaMyZOor~WcBb3&-p;Ru3l5o&@6 zpy_MbOphaQ_-SykY&TxP%}_W~!xwZn=#!vGLVjKnR#=rw1BTg!Z0ptbthCC9ae>zUDve{LoVegt>y0uZ&{RcsH* zAuZ|3o^jkByu+@w{TaByBLJ4tPj1?0G}b=>DZHrzD?um@t% zjTw@P(YSLj+*^b)^a`VG-E)1`}wcXzDwJ7o4ljYdqAIcLF?G3t-5M)%Rf3tL52# z3-T`uYvs@Nr6Y=wvus16eb0hum$IphfX**G=S*F3)A2=f`x~{NNn6Et$6tuz z3HRVJQ&lJ$DZSh~b70u-{T11uZ`i!^q3RolW3=t-)4iMyyM7b2q;HDyVw?fLOy(d$ z#gpJ+Y5!|wzw+VRbD&+ez-%zBVwBPxGam<7z|OVNbWJXyjds4T?4us6eZL^npcSU5 z@!zR}mVl(pYjx7TJw@xTp8pE*uaZeYe5a{swK8~4jp(|y?@-xsc8!aA+g{wRoQbd(b4^kt71~mHj|SmQKp{WPT5%{EaSW4uaeA+@fqGmH(W8vYQgO4(K{qZLA**MkO6Rf?} z1HUny62BbTk|Qu=lY#1mWO_0RF@ijfz*~#|eb~gNOOTL^@q3F=70#)Bv7dsw-@V1k zbQ^uH_0=LqA|RZ4>r2@4Q+eo`Nbn{g}F#V-_{8V@JdFM03`{9NqQT3&FOQ`j%z10nrqt9pJmZ-|E4zSg2qKJepn6Nf5 z@X5?o9301ik>bL9ICqS?KUstvYmFYdJ?oro4rem%9I#1#Pn^mPIUQnk3ssHn!f^L_-j}#zxUCHL zuU-j_1L)SubFxu-WlkRXl3;~mHu1y%MAyJQr0%|JgOc& z>4qsL*?6f586v zj(UN_#22Y_tUoy4P$c-$AWK4Y60{M?<3EQ5 zNm6VlA5B3$C#JYweO<7(e}!VP`t0+&D5hIzf>uNlLP_=01%PB3s2Daq*czd+k#TrL zRL(3_=$b5SnghqV;;6MCYpLss`EM7krFa$5$Dlr$GL^YXr}*Aank?oKZGVk1{^lBALGfnO6Mk zMZ@op!1+j?tUMKsr@>$-+F+lZK;ATw?H1PF^Psq;fSMd&EfrUI(Bx$2SHPY6SW10 zRN-0o58k9YN;folJa4x(Ji<%)UAIo9zen!XAmVhqVZH^6(Q7mZB|!xG^z049^deer zZOb2eN~wFlOJN69954?>`hPhqH4Jl=2|>vbd^X*}^kOo_Q`Zc)8|SGOMh7!?l}>lS=AJgP(9*xBQ_WXl=8h zUSOZ?Jf}ljyTUi96`KB3et_ZMnuP!7k=9?G-Yn$49{b{>a!MR>ctv>#gf05B*;}+L`!}D$$6k}v2Pb4vZ zgy?7QW?>i*3R4-~@5+sWP_~H}ErEm4EvQ!}A16^^iTh;_EA|2om9W@6nnImBb7c1I zEU{!YWD~h5>_UliTN`gJa_)xF+0^cMY3-~|$wW=Hy_2o557}I8q#7l#cBHIIP(G2! z-w!h-xdiTHY-`e|9vLiz1o!8Q&z+u^_qX-I)rL`ZIFClplie<`Gps~?j6u|hxu*@^ zD45vX0U@2(1<00>OXdmE#E09G@#?FRvmKNV&rN-2 zr*374G((W%76A$=q5#6^+9^KCh3c>XcTJos1?GK%g|DlRp6W2rE4W&R-t5FJmL|%3 z^UUmE8Sg(4WBGX!EiNsJ@BT6Cv+Y$(=*LlF)ZNlWf3#Qn51k-$)r~A+ejUbFv%(Hi zWk@OBr(@2c67dFiB}GX5;kTwT?^zAX*j$l`uPl~ht0Yp1S@4)1Ee$N8e%LmAuGr=9 zP-aB3p%|FfvPK_6xrD`tV9xhPG?3{ z^3MdAdvdmT#2I)roP}RSygFT@*bMjKHLnWX%I@qGVmlf4^hp7nD*iLFLCRviBvZGw z^}9!d(4#GSdSX>p#aj~x7N7~p_gNe95!DjoBv>vL9iT4tcN&kaz4^KlAQ$z~@7KhP z;zhx2sf@?3Z|P7nX-(^H7Wt6Uqr*udi}P?m>5uRBlP@H4i2Hv*IV?CSex$@&>3hQn ztlMAAvnp;R`;y-3W>O{SOKFp)lWn=2OmW(M16pqGWW}7qE;Q5mv3$z}GQ*xOOzN3W)F`nLh1xkmJ%Y?J zFq%JBk$^|b#ET%VfXr4t#l}iGnC#kmTo`T2ku3hTPkPKj9{_(HZ%?+E=KGwt3q4_p zR>%>NRbl?bA?sbgBLtFjwq)NY*iD)$$s>2@=CS#%XF<_%JsE4FrC(oMUEK3zQ=OGg zdp`e6hjhw!O=j%JPaavaG^i`VWG_kN11slqZPWvpS()?Sha7`QA6~l!nxnCF?B>gM ze5W=I9N!Dmr6*IzEP_=#t;3u>lPL_7yIn9{ek*qBDVAnQ5cJNPxE)kpDwbS5^_A7~ z%J=6%JlwW)aUpG=m4_YlTYc`_i5@wg^yoS2)GS9E0f;X%Z{5)Hwe7M9@ikd5aW>uW zQya0*!^u(_PIqXrYM5@GvJ1*xH%!KR&b%8JasySpBHG`fOyGUmB#>@-r!v7ksM}%$ z63KY?g`adK1sQX%6x#(Yhp7gAy_a<=pkSDXXnQP3i2=l&xBhFHcKh1Gr_~Ew+;*2}wD1;alA4 z@>MSUjz$D5_kD^qbhiXm2+1z+qls8plOvxb-yQqd=R%R>Tbbbwr5O*`nKvz<_!Up~ z%}|pxH@|b`&51mcVY8`#oaOm#3fHfF)2H>P1Uuq9~>xZa#$AdKFCO6ch_+kkG)>C*prB>A+rB#7Gs>f<2iNE-@fv> z!Rd?eW(^zp5#j!F=U&**?EHG5jl<62zKc(Z>h9VzoXWcx)yIS#Ee;LG8Vbf0x8jFA z@@9O@IpH>o(G%ZJGo_P_YEvLvQ2J1&x>+#fKW2^T(l(4z*=p7sTTGuWr1$vbpd^Gy#GCnD~O|Bc;iF>Y=cjh&s@y#I+x)=sYj z6jNKVdaBwIUn>b2PL~O%PCjZXc$IV^$X3#ak@Vsl+g38UJ7oAB#d-;^$Y)NUr7@iL z_R`PfG>|mMSHAVQ@7F0@`YHVITlnUa^{>4Z#6if(+e%D6EG3zF;+^oISoUGkW$sKS zZWCT_Qm4qe0WZeXs97M$uYH|NnZv2+W%OTr6cKp9C{2Nx5K}UdypsBuYnbvhA-Q}N z@Yi{Va$zT3z0UM%x$p>12_pF{#ejmYy9DM^YwaB3_c}Y2zT?%-dae{$CLDNv348Bw ze~$m&<39CEYv}qcQ5n1bC5hkiaWrzI<36V}@dKjPl*s~YN!j@}#>He`{Q}Za_WJFL z=PJ+cv5nF(*u-U729A|d--tIRb_{3EJg3(!jf{6oGKPfNKRy@{H z!`L@N(TTq-8e=U3JsGyt{hLat%tvnN5>}Yr-O7rAjbnwW=EskLxwnl(jZMBb>-b}s zsnDaM;}Y5e`I7}K_s;7zMQfJlWp?@J9-CfUt57nIpVd{7^0tiUDUz7rf2)caJ1!j< zOIvobWTLp~UD{b?bz8L3ol-w^=55`T&C(aV?w6vG|`v_9J`WyB9 zJw{y|{$7TJz!}WylRNrQaeTvXV>Sepr^XG3^;CPvJSDUfl|3&BBNCJspXo3la6OQ20gv77*n1WYtbrV4{H92*vTUi7WG*ZGafzd zBnpG6JRi)u&$NIjs7-k)d`kOttwho7n--7*@X>dnozbR^`wB!CT52e@cf zhKwwgr3T`PK-sen`^yCsSFEbUy@MB)H-;WxQSrI2k$-ch{a&&lGdRu#Ui^frH2YA! z<`dRedqi3GcH-g#cp&?M)2cWWF*>%`Wqd3(S zf!ZM|7R!u+zEBtd*UKy<&qJSw%pEt?hKvI_u(x44TyzKlOht!=PlX+{Ud$_u zO^v)=T>VzMaR3>NbWx(OJsvzthQ_szG#PAeAqB+;i!cm+^9w8cu49GPrnQ4#fu}hA zg$Q;gBd76VM10&X?&`q@)#gypGcj?;Mv^c=|N0phJ-jfmPcx#PJT4ZF61YDgdOa_|m$6DXL@@Sj06Qt+ zjva)Y=Qdd9eZ3I|O2hA5PgH6VPFXs=iS}(_r)3Mj>B&8?Xk}Qm$_C{>?QJF8*pPTt zOHm|*&n4L-2umdem)2)*ae>^Mdm0Yhrb*>qVolGXoW2^8qP6%y`NxKK z-iuZ&X4N=z5Q^Y}ZS05h7&2InWK{?m*u1Mj7(*e?q3CPH52PJm_JB+Ok%`09h$pHI zUt?cS)X+@Wq@ZPUf0U)5VR+2!TYGlUO- zHhxw#hUtAJqf+v(EW0I!$~sOU99=-dK%8_lr+FFv`0*>T#i)E=nwrs%`}LD#oIU}= zf>S=Hlpj^MEDQ?A6z@Uen)aaU<{T54|F&ukPcmn^fdFgjT0xg&$rXlKogZEjyPzxc zz;jQuH!QWl+xS}USG)ttyxS$2oy?Jl-vuqa5cNUh$~z+vhe@m3+fec_4kS|Ye;mpT z*Smhp`W4w_f4n!TVO>TS8tgr(BJ2-=cehXx{Mop+{x!J=$C;Aa2_R60z`||rBNmM@ zmX{W|eTQJ`@>e(w-^dLmp4F1J!8_^Tb9{858^8&?B&V0w;$5W?4BWpFoONkrGuk)d zBeqJy`3tPjHQd0)RfeVH;%=(uRpQLl8g}@RV1YZ6?f5BHD1!9#;z^shif_Tk(Xxil zO4$*++RL?HYCiM*FnX!EUtz9&YWUM7-1|jCPtiPnxKnJUh?!!#_lre7 z=9#zFO$BOyx#1iwk^|yAtG&^VD89Rfk|gb`=K@Ybx_f?r16~^Bn?7miR`bM#vA%!v z9V2>fx|#bTKP;5=oOZHIqms+Hwo7NX`Q!P2aHNwRHR$E#m{rVtFej^{Xfie{1Zdcp zeI{?Yc~pZ3m%cf596`Zk}`*9mW-uC>#q`Bb8!<_Vdm1AV5=6DR%L^}uH-%IpJ1 z^Q-!hEpZm2y_cH422i3!7V%BT0i|N%8tA#g=1`wgN|q7=B3G9?yqbxuS0p7QBDX@l z*j?}rv`@DdED4H=%YK(epYY=!q71e3dp}an5@YRS;yr~duGH-%i|5~QHJ1?HyEhwW zy!74)Fl1lxN%8`40(k`$^loZ70U!)La1-V+vGrwA6C^BNO%66nIaYnxDD@R4M^`XI}P8P!C$v>#0$3|76ighy`%bk8alR>znmsc16v5dv3>dMH9vXj-t zr0emr$&YG%32e7|HQR2kl#`FX5_w2e(b1MCBxL6Q@qT7zXqEb>eZ5y>0v{Ke`73FL zZB7ue|NcPbw0846c6glO5{c6QTpxH;a)#lZ9#(cs2F%kxz!r%6ThIS!{T~MtlJUnMB!A42^TK6|mr%g3r|6b^JPxM;A(qVN2|QN95rZ<4vI}C3XGsYpidVUk zbOAh}(LgC1nE~-t{$3^hcUl^9TQM)XOG{`nMq>*JXyu z18xz$zVNy`)J`RrkWK7f0ny*f` z(Bg?}UMUxqQ;`aSgQoqthiq2IR#PQ3UlRs+FGpSyu#8b}_d0nBhvT;v0lGcUeQ!O; zrP1TAPbnz3?a+iQ6`IVmI;G$HMr!wIoJcsfJg;ES*-U{d`YJpvW0~D)1h~2+Cn7S- z3F>2s^w0sy_APx4>bvcQ!|vVhpN@1dfyubfvSxwE4gA3jRImM1sb9NZG!IVLfmj zS#1x(F3|{dx$^5G;OnY%_KZem5?+wx z!t6`_rOn3A58tdr5ZGR5Iu0q8HoR6+@KUXG!Alsfv!TmPBtIur4yu`zQhLY_xL2=s#Ehd|{2H{^P5V zuYe-$=_hHGg&5VH^5=(Z{?)C4^SK3=9?o#gx^4D4*u*bhG{+j5I5hcFYJ10lLZ$m@ z0RtLcGe&QBv=w+aa;#jf{pgNz+2qSxJiS(QBkmht@mdQ9I;tJf3y1m zD{}5m59KFg`FBoeL89p+3NljVIgbYt{I5@!wayLR*Z4A)X0xxAIwmmL6aMUjv5h}j z4@{NNfH5iCQJ6QAX|y6~Vsq*(@KX)c5VZeSE&mt;2#|*F`V=wnox=v6Nai zK6yWY4K+1XcdojkRb60NZ)R>GB{KsdK@_O`>NfxjEL-@!zrB=h_0WKtQ;!C{gy?FL z1D}?K?^-E|**Wl(EEXz7-%$7_ICXZZAX8c18%L9K12-=0%bd?_Dy9Ad*Lh~S3xp}$ zPQM1er;c^qrPk`l+_m3RX_rg1C6iM?b=tuH&Y zl1l-!VjxTlN&;Lq2AP%S z;L!2Q2`&K|8<(^?YVow5EDnKn|3yVY7-^kJgi5C0`Opy1pac+uwZANqCBy2Th&T!MubT_bt zQ4@-T^dJH>7D)$>mcMsP-|!l;vo-%V&Yv1CGLh+E!qS z=(QPS(xZMC*KTdhc5wC2yew=J-Fpsl-&}AtaCJZz$^qzeg;{@oTzolyAlbw_)`Ov{sc8>8}@zp^lGlj;2_|#(RYsT=)?67F}rU-NyE0 z8QT4DSisCJ?>}(c{>AFq(JPR19$%VSgllQ_QUT-fsdFL;FDe$Fq{N!;rH7u`2r5%- zq_p(s{Wu>WO8>Pqtk|kIEnMB=5+_Wbrr2DnPRa=^-$dZ^u672ICRG-F5Bfj;Sm;f^ zl4Gjo`N&9q{QRp=zVj)=)0vdvLETGoU5gKx^JH_E^zy=z4xXDlWcW!K45!XUqAX|g z5?jb`gVz&IGRqsa=A2mru$klF3K%TX+&GYzj(uckn;%lrWU8 zqcClFy)_L?uKv;NY<;H@b;g(!yg8Qk-r( z8VReyK~o%awBUD5e}HnaREWbGv@h?~`nZtMA!LPIj-}|>02WI-im0QCtqjZ*IzAcT zEjCH&MWb&16sFHHsCEnH)hmLgzU?%v#rSEnX@8s#8aljuU{$-GYhb#saAUB3Q#Pic z&gyLr;oc9mmIGpxc(H~#iO^5dDoY)sW#^pBbirk(At$w2#>kE5vn^%*4LMs%3r1i4 z$Fn-(toD0;>{j1mghCoh2(6ksL3-Hi9v+$yx%eQNyXAAN4W?%jqZ!0c>rX2WiRYh$ zb}Rj++lC6v&FW3aS3%D8Dt?`2J9AeIea1|u@3vcl;ZHN~_GgQrF`PLqy&pC@D}5s& zhzwI#^fYm_m$&xfAjWq5?VU*hFz1XX_%Dx?=`Jv2{qupq^f8U@f9~l5Ma_-Y&4{7_L5*nQnSv+TEbtAuC3x{+TW`ZW&3L zhPjkc$t?5yv=JkReI%%|8DpVuOQXPYAJ?rcB%Axpl>>iyOtNjdp!IC`J%HMFv zFk&PWVp?@Fzln;L!Cu{4K@>W)jAE!ybZv!_``D6h1CTzNq_!<{ToAX^I@evO7#>Il z5Ryul&Wgz5rq690!lJtJJ6I1k*(D=GfUXxc&+)@8hVhxO7OQnQfBUX&rGN72jlD`x zSFb}1opuDZwe3DQ2hOL{X7@Z2#&54-lYOTP(FZRR_#5@~oM7UmE5mf%O6U2|v!ao5 za+i$T+Rl2(7X;GNN%Nt|Z3A%O>@~SzgR{%Zj!1r3?|Ud|A2<%%+~qop9Vr2FR&D`~ zUs%l7H6Uk!=(jDc-(y+h5#<^(5YbRtwcOXf%|i}(7pcvh@z_vqzNP1(P88&90U20A1E&SG!6lO8q#OnW*w` zIrE-Wrp)y-ijT7>s0(MSN1uZlLPN7v+GXhJ{kS+|teeY?9E;pCLZ982>v^N$axY3u zXQepGL_9mV(tN?aD9zmRimOkI>(eAJF{+^`?ZB-W)OxC)?L*BqSc~s&H6Dr96joXdhlS2l`V*$3YWnzUI82q<07LB8)jpev%Cuz91&FUC-)$bqPi_d2g8Y z2qwIcsS~s0_hdc2?#~J)^{>ur*jcyoC`!ClH7o{a0v|@(UQ$p2erZboFT05JrJfS%-Y54#W@arZa;`~q~;8#Sd?GSzRC%{{u$c%4SB0M4^WkyYNFvS z^&sMCXCaGtiDZ_?)2zi6nd`R}+@Fr-@vcrP`3+8G(9|lWPb=TEr8MB?vY+p2knM-2 zSNkuS)3nghX7{Nu3n-i~IN)B(9Djub`_)O2jW#p{QXgy+%5u_VeJ+~}Kqo~WoXA^F zT28c>czdq>0synxQpq;nmQ|WwwZ&m`sQR9&a;2us2sXWC-!^r2vdY&3Vt}lrp@nJU zV3768EMV3@jWNvk=hlMYZV$qapCp;D0MJL6S~D(_=#lT1k8CGTfZY?+Lq45 z2}@_!s{edVLmlc6V`47Jnt`@xl9gp3GCn>%?XdE##nhFZRo&A|WfijTX^vpPWp@Mvun^Gb2}XqLXx-UI z2JDIRI=}NSqkCTPQyy@jSh-*+nNK}nFm3su8?NKrwR%24&)dV#h%9{*myDGd9d_e{Rd+<)zy2I zkk**aZv90wD~|HBD6~f>Uq6@<#GIE+Fi#$Vtd>Je*?q z-Kibu>i3a|!p{CC_c0Rg=*@ourD-T4RYI8Z3Cwc+<~Ok^IcjymKe;U;FMWLkYF%+YZA_( zUg5{8cvsCQ2;xmRmY3;x6SV%d;Xn#KCr_S@MYndM)LZWp>ujL$%YvArwzF*W9;zE$ z`>(dX=HuM(*tZ{q$2nd^Xu>7JHiO9bMk6)q_v(kW($*q3Pt^z;eftm66_+`Mm*#RVs6*kAHswIv`8zR&;j>aCP@UK6y%0o7&OA&&AlTA7v=bN=y8`p0?;Dnn~BPR6NAgirfU;xGf7E2}BoVT=% zAysJ$^RrLuA#v>RMp=1xh?qclzUjgBs$VZw-{36<>_?v>UWO@BkyFzIzO%RnR%_zx z$?WV^(EXY8rl|hf$bD)^Ku&$2ODU_cd`#Wflz{QJLSge}M$5ox)CF>nP}17s8mFpw zyE-1n7c<;i^!6D>*S^xV-qPAgT=f~#U(N6z<3pTTo9=`r=iKWii%7a9zcZLys@plo z4Jg$KvmHxL&_~E3V}K{n4mIJKQ+b-z(O)`{={GvAc@XkhW(R*%)^nY z#6*WFxb`?x7;87|9caaqy-j?3Gp0O2HrniZyb=Ff%K;^s-7GSAO23@H~F``T! zq_4sJ9?}84-9^aPk z9PsoV#;BgoYi-zgV=J3o-}*^$J-9XWt)>qLEAzm^>3;X{^*h4)!?Y&aOtU#3aUV}= zgej(AW%dg73D7Cs^(88`W0lj7sZ=z7216F}*L6&``Y_geK6G;VEl2(V1V`groVk2B zO3ds|_o3-ceW@XD*ACG4Y{DXX;(s2dQ;@47wa;{d3$A{+vA%{LX58ISRQ3W-dhQ_^ znn_`7JzVOo!Fn^d32SRnIU~Jgac(B1&Rw2uTGLY)?!;b(U*x$CvVvmP%fvcWBNZ3= zrnvoWrgPgHe**&Amy&^o`g%v1!`&sJc0$ZY$zMlj`kGaRl7EKr*{$OL_z~q%OF#JY z0zXxIxzUc~!wxKZfqtr|gSlY2#DO`-6fJ2K=tS`%!Pz0L@`s+mZ&=zJ_orY!xwqjH z$v^$t=y@e|MfSBYRwifCr%x+c`2t#;jCD~^gLVv{=;$or;hKQEuH9d5UBo(@aC8K1 zFCT5Ie+ax8ylA~MLbU&xqZdk+Fg*O~IH?^5O_M?X71h9_j5Lg6hFIj0%}V%3JM1y@ z+QCcVfy<6JM;xO)9q##BF@*j^u7fj$bSq&8%aKbCV^(90wBE38`Q~Jh0Z^NU!=>*M z?Ye)wTJa{lmOyftuk=Inc@kF?pHd<}t+yJF5#80dFT#VtJmZ!!)F`v^x#o4_^td(e z3gTJ)fqD2=s8OK2#~ZPuIH}%L^yN&dV@+i6*bEu3U(>t9eh<^?ji-nmfeO_2sZ>dM zyfc^K>&A|W{9_9`#gqQ(3_(%FBxjAHF27eZv?*OXfA>;|in?+d=rU3Rf7T zsL!UK@O*~frZ!i6wYUnHu^0MMkjRb>9Zju+HA|GF0-AuG8#Td=W^bPo*ygsXmDO^v z$zE6o!=5XZ&E&Q=!CVV6yaREZ;V?U8)H1C6!sR$iu4??Sxm-jx6dbO>l2(6odSB3W z^YIAYA|VlDW?jp4raFhfo5iL$;y&8RVp^;6?|GNcvpl@WQhoFSr@)tA5P<=L50v#@Nd zXIo6q9#-ar(3=}z(9>dEY0sv~41QUuYv~3Y9I0>yg+9KUQ?e*F?y>%ZkLdyH+1ILX zyJcLCqEE0-u;Pie4Uta#of_d1j&!drpr~?X85exzRZ_nn6Swa1(@vkz_edO~ z*}4Qgp=%4bjX;AdpOnq&n*k-6>>e1w?DG95)pGA&)wBWZ5khWU(xwN0XOXq+A9mWns z1A4@NCB~Fgk+Bi9hNj~EObb8}8qNjD>ihUwIp=}RgW`u2hr}#|pu4f++@jhr?>o-NORMNpV~V7cm5~2d?u74VS+y1?_ajs%uWo<# zt#*~zUB8k8vskfcvtNbZVf`_(X(>LuS*ozxSM8)VuycAw8g)U6kzq{p^9H(q5@;RWU|7kgA2r{}Nfxo9b2BL4$Lk_Xlk=^X~SJF7=`Cs|p&D zBISsNN3dSqlB?zZy23voOf;yaV-ef*qN}0z!XpV4&*5afP3;hh8Evy=hq-#ERd)6H|^R@P`}}n zTT@IQG4iJqVVbg~T3|iBa~+FoY1r}zG$XmPjR$@%pM}ey>2eFO&Gy}b*VPiCYdK#b zr>uoyF*-CBztYYF_kE>6hlIqrjU}k{H9OZ-We$kTe=Cny4+Zhh!w0oRaf^FaiYJ?N zID{uLyj;dbJ9oU7YHRRO~cQcAyG#@kw2M4p6PQ^>f=*2#yA; z0NqChg;dGyeodKvS%V$6*9AW`G6y+BpbXH+Sg+*cuBywu+9+Ddwd#=%<)_ACg@kR- zQYd;)w|7~_WG{5Q5**J;k~CGC6He$~&#VOrJv*u;Ii0i8eyqssj*z(BU9EOHgK=N| z>OD4?UDYVQ`Z}FdP5V<&#-BU$QP;dfSxYG(yd@AgQLf~>(7uUEJ`byfP#4jYm-yHh z#N@v-vvExkDUE{%6NX}-Cb0f}d?cDqG=E|gIi4l>8A(6SsS=lVaBAS6%p9a#PZ*H@ z8`me|8aYXZBFEuxOQN$ljfios-Wf+^&aGnLe$3Ob%^^%k`H5>Ckp1PS&*@mWK$)$m zY5yf8GbA7X@N6UD&&|gFVwo_0kXX9U#tg3LSBfnZSC#Sbf5C7PVuz}(c7?&vJG}2I z8B?@DBAA*(5W6PZBe3;?(5?0IDm+43VGE7D1B<5ZE}(~?*_$`O+1m;<-WMM?NSd4% z!J|1koecmi?^b4Rh=xX{i)8Z>01umn{)$p>{$9c`!Ot?&_in!jDt{4x-u*7n(O&)H zYizdxFN@lq&^7e6Kg2Np<1=LRw!NktEz3E5=sZv;MII^a@H8<{{(V1G{{UK$y?dgz z3a-3R7~QqNqnZPD&)FCAfaf3wsH_Zb*VgE2i08yjskx;EQJE#S{rXNV5J!l;b1PLO z^8j2~CV)Y*2{Vf&c^C}EK616d$xa??2EYsj>Gunw^{s_Feh>263O`wBeZ!65GKiZy zMEEWK=!uD+MU46F5+L$vtKT{a*s~k?8BhSK0!rVTFDf^8FMI zKOx|cc>vZKid^}ZuPxw~m${>jU>?=qz7|s#a8u`0d*ite%+Ak2+{-w{#MMjeex2b0 zC$%;Qq3v!f3$f7Gzy(MGGl)%FWL=)r5es0hj`hQdZPI(@+O?Bpsjj%7(g_<7Q3EIk zcBVY-?t9U+`#2@o!SEr?!kdv2NLW`igUTWd3n}!39{%fP|KS&GFM&hBHlvc0=*PGU z_H@dRG!ZJ2xP@b$Zot0t_=()C;A8mNyAJ9(tvxW)KiQj?dFj>W0=(@IL_}0-KYtl| z!|3C*#DCqR|MA6Z($o-D&X7=T6mpwmysF`7{Rv~z)u)ZGzbglzFbBXeG+CQ$ zn4d(LeTaMPz$NUgH^?xMc=Vr?Bqx_aMsJ`eIrQkM=@;b3D<9)RH*BPxZVsP!AEDRu zm|S7DD!%pCObknd}%ZL{;>Yr*Z%**3-li9O-cX7`X4$?2?xei zP&>DQoBhM`Q&8L{IX<&=Iq?Vxjk&H{PlJggy@>w;6#l>axH04>b?jMFQdB+`!eIUu zZ1zKrch;I1-lsBSBM=Tz8uiIlW$j0b zxDgz>*O1Ny7xa^ zh5zNR5{Age*JgURzyCI90&(Tub9#rOr@d@#O6UIige7=!1%F?wQ`cqxo_uQ@tMyI) z7Ls>DnZD5Ms`};rql?#2V&1m&d<`k*^{(LEelf`X7Zrx>^@;upSy!FpXNw>voM#P` zc;e9zKsn!t@H^mrl;?~8hz9*ZGdvME!>%c`HkTgnFUmnJF%84W5D*HP)gRy`JOh*{ z776lEc6@hh5XSzcNY-BNH{nHG<~HF&FmpwKvaP!n>`7)9Kn+HD=O3^7zr7a!>mS~~ zh+OGIo7tROeAt)%;eYde;DR~d(BAOXPU0pEgSW8-$_L8GL+GU5!NP_BW8N6d zzy%ItHA9`-dcg7Gwf))Ld0m*y8d5|;`A|Tp7@S|h>G>p4Y&H%Gg{z_1NaTI2_-4u{E5Lr1(Oh6HM zqHh}Es@w^p2}vwgd37TO5F)%FX4aCHtT9E#lcRyK6~~=%0niK1l+Wb^48*gu5MVhb zKLpeAKDu`qyZ(fH<4=zei9~#W%PC()7stT$-U>RPh~*mLMQj-IVvyTb!WOv*n+oqU zKP2Yw?*TzGCXE$aB!zF?jw_y;Q8*-Py)Ufy>CPJ;a^8PHi4u(Qtw+)$@2dB_tZi)_ zuXzEcydImWMiW$tAv--Rlo7C!cBOlX2%v^|9Ts}*tG-9nk=&Fw{T9PoVBU1FM`5y@ zT}P5T;`l=bQV2}m@b|q#hWYf)deZtEcktp zYM8bid=wz*^_(X7F7LImIM$cpc=KE!xc;A!`x z7F5-Zg97VF2;8SEub+~!l22V)IfN(C>{s32yG`O`9c8d~o6WJ6%Z-YQ5jHilwx8SPVsqt*9!oEO`#A6ex9Jr9$5VRVM-0mxm z6@vByY{D6aSOH+#7S`s^!s@@fXdaC%9WP=zT>e@57dnV=^P%S@u#F(IH`y2KpiqXk zul>bXs5}uritqgvAC{!?kBs78sC4WAArl4uq3IO&^NB}VO9)1B5Eg+yVFa)p$2D^S|4r%gztC2j zj#Ki_6N_(YS5uN*6mxf;6YO4!gxD^D2L%k8L6Rub$Np;%x5-)hmvh@Vg@xB$+j*Lt zTki@R4HwRD`jt{WJZ?C|7mH*VaiGM>fK3qwG@dSY{tsT{&NE=l5E!(#a{6Ls<^Izw zcL5RF-~VJ=O&nU_HV+?u{*63D5ZS;F+Q^Aw1RgaF35%^yl~%K!AIXinZzvR@+NxkM z)si6j0-Ie-FLF2L@DOxnkA6MOPN}9h4Hn&AZEY&UKf|;FnPaQFJ0n4QodI0_A&k>?$DO7pXh}dhF>rA z{mppn=ag&Q&-&Sk`}5N*k=PB)mMlWteEt-899mz+fg_LdrKmg9ky!4fnzBv!4Va=9 zC>~ZN{xE!yQ}`Ubq^9qjf<3tUj@^f0wlWR-{tgrlPKlwH+T4`juQQu^zM^dqe0_C* z=tIiflxX86KacOk0>g~XED44wbldq5{q=aRl3+}1z{)u0mh&LpEJ`lR4Xl|jimKkK zx|b}ZrQ^CeEHOTQdC!$lJOP-l76CG&`|Uo>;lv(c<07z=s46%ElNXP^s^E4Or*@d z0FTJKt2_OE$2Y3Wgh3*^vLlYI@v|L2gsp{6!$fp*hvbuUV>_NCi*MsU1{w@yb01R8 zm%@8S6@DbDY=93Y-~RkA2Z7sGs>gldQ~$(t{+Bl5Uvsp7{~{q2A7#Y9RdhHhi~zEH z&a*bKZi_SjA}b4#)nZG=m3SDQ;X9)WO6ef|8)V0`;=glR#envy+A4Kdmi7Oz_SRup zuIt(_jf8-7BPh}>9a5rnmvkc`-6bHRh=7DNf=DCXEeJ>>p@2wAs&oj5e%CYRoa>u& z?lsqT?PDLu_`~5)2Jg%B-uD&f`8zWW7G=)0(atwcC;Fb~(I;N|$R?x0!LzB&l8SBn z8%mz^XLIFGl@wVjq6;rD%g1STR#k4k_u^n&D70+#Wgew&HfBCZ){@1o>{k_gMvSk@ zhWUKTSsxd_sPK3XrW*go$6``8PevkRId1eLBkcbIWbLH?1;|p08!F~09J-*7X2`~T z-zLezf1)V=|H;R4&jLQyTSc}|;=lMkDLDKuLG zc@I)v^A2^jSgNqU`TTCr3(aSacVO&zy7X(4v2hY_kad7&B=JvmHdJ8_=h4$h!8`SM z`Ue#I)){`7+gZekLW6DtgXbU!+D}i}dm3K8V*=l9^ok zvNswmaR#`Y<{`X8tGUq=x9)~;ZCq}>hSZ)G{m$Xg6^@m40~-wT1$kD?D1(*M@B7XA zN;GPHMLMw5rb;SC$tzv|R1gAd{@}i9Ty1RhAI~pd)BM_Kc>*_ENiImoKdrtlDEMu{&?6r}P-=~H<&F#2(oaL?F> zE)VOn+1?Vu3n*!r-!(Am5bS4ew59O)tbA%z8#h1w!@r3d&uj7iI1<^FM3Kgu;(c{4%+UkiUb@vaq#qbjm{CZqhdTggG8eDPFlmqN`?Zt z1bHab%`M>mH9D!}?rd!DD(YgiOzwN|Z>`vW{8x=Kj0whC!O3~ICu^?M*EwraSk8Ki zOmOUa6<0IAJxOT(oX{H1zl@=i(e#95eBVt(bs8{Rh5Sj`$w?SCtZ%L&!)JJ;j5I}t zM7JIf==Grakwb<#^m7HQq0OaAo`0iknNP~#I5q;3G6Nsqky?pYh*y=5$#sdFGk)Rf zrv?IYxt*9FhN>6X<#4wBmMKeL(yA%y%BHpTxt{W?d4C{Sc@r;98;MZ1+^X#3R-T%L zoKIG(p?wu_qvK5b2DRTyQis6mj!pE^f)oOB&n1xzgKur^BA>WaYcOq6}J((?vAtEJUjO;;Ooja@tX)@DLk=JacKHZFfH#(4JyF8b;oJhi&k zmFGsKo;wZOl4>zMY_o2&5bkKr+{Lz+UrWhR6(*VDVZp{&rme(Q1w{$&YQg4GqI8O# zCR1^HN|*WK8_7utcC(yizTxFNK3&E(cjVsXbFK5tJrUW*o%zzHJw2hjUNd#8Q`R(5 zj=|y_>ntqLxa_PYaC7ilIq_2B>-xDn=FV4R(37vkh%j-KI0vtEYSEUi>agfXoh#@r zpTY76hf@th)Bq=xnfOLzt4bZgez*50X9}@MXQ-m7$S+x}V3B8q(H^zs3(C9-KYZZy z`Zi|L3rCS378#wJx_H zybj#c#8%ff=HK>zH%w}h4EA_FzfD@9hF$VjX1KPWCXt(+_PLWudcd!gyA z*N@!tc?Lhmj7K+6LfNC>KOSe*>8-rbnx$RU#G@I#`m3Zx>PZQr*eO45`S$KV+zEy*ztuJfdbyXSVZJJ!;(S<0lc~v) zw3$6x!uAT^hVX)emD6J8{f^9%AD9tntSk*>z`8|?V6)M^MwiEV^EPZw#(!ngyb_@6 z$I*I41L3Sa2ATzE%8)|RY8T~>aCrN1!v%$sx~UpLdVutqh-agVl`}0JnGs%>bOn{w#eQX? z26;&tZnmw%uOBIFzV`%-czxE$@1Wcd(9>|`e?hW$Kk3EGIjG4Q*Gt&4G4fs&`k?ne z+d5rjA6l;?Urw9&iHAB1KT)<^y#71!{{`$K7yoBq7ai>f+V8yH6$&mj?-dYMwf}x* zBi0g~KfGZpg}E_fhG^v}9@z_b#af=EjC*)(Cfe<4*K|=o@s=~h+rQG|llam;Lug$P zcbjVN(qM=NYX*Sud&FOH`uIBIrF~kS(0_N`pCR%b^8;aN`P5n~^ztv&YU_$St2?C# z_jT*IUm&F;u@x2&e0;_r0|4w_B zH|vt}o%J{%T5?b~MWBMgb&WHS#oR2?MY^RrKa77h8%~?+RZlcNbT!X|!q%l-1H6iw zA3n(&t`Y0!P@lQ8wqdfhT5d<}MzvOZYg`C_=?-Hl&p4m%vk#Ck$$@{8^Ug>K`{w09 z?1p{REX>3w*`wi-ICJQM35zsu&ee7tZ}cC2y2XZvjnH`gRWz?QBdtfia3ogW_GEZ%D|V$Lp*);^u;SKS%{q+|Z71=mE8d%!RIu$>YdP$06x z`?t~CzYb0R+ZnnJeyC-7+BC?WT;GPAzBui2vnP4ZX&A31>jxmOOKAkplp0t~xHmOA zwb}A`7t&o8J0sYb*RAvP(L~zrewJqLxVIv3mWv^(1#N$NI&&Vzdu^pS@jQ&*T9D*Z zvjjkIy^(VmXvKG+3@;t5c#_1&}G8N1wi>k$Dj*Btu1@>4M8#`*&)46H%nGG_vKKQ_w zm+4NdI0<_-pI4H%iD1H2e$2(Yc17GEl_cE_eTet$7rIJ>D}4U|B%f;hK2c~b?uaj zy*oeKsj};Qjv_JEE$wwP7!3tZqpA|etQ9m<>?+AO+7^mQG5E*2FQSB0mm;F|dwM*X z#3{9Vxt!k^j0;L7{JxeNCb#ML)8BI+i9M7l;47z$4F39bUMwHuWzc|{7?IT z-V?pDXJOjn1<{v#z!8dePm*nNaXsBW2A5*eh0O^-8N$(@6jhm|%I4VZ1Bh~e9 zJBnq|}C+~%WMVYyCp)#-(E^UnuAFOw3l!a&^`M`w}n<0k1$1*fTT9Lg)PHTT{Vx8w89WfRPMw@^44RB+qe(lG1 z^jF)=Heb2Wk@;WL0zk^GpSZh@>VU)%AH9*l(nI_pd!d7@KiD>qmXX;e^<97XPtDH0 zO$=`i^@+2BPiEgr#HE%b%swl$d+|6)byI(1_k2s{dMi^AubNDYXhhxK`^U~AwMoyU z$;TYt#FBwqz9i8m5!WxwVK!dw4tF9o(J-4b#ouo{8Sa_>icu^4!nM5?to<=42 zl#r!wsGP`FxD>ZuGv5myfAJ-_tMt}9aK!L1)@r-qyTWV6Gk+_q|s-mpB&sWPM4h&ZvHEm%>DI0xMT|oi3=rUrKA@) zLyTjI>7PUFoWiwo2s}|pgCX`~;t$Lp|G@&NTC$9QG1d6<`2$u)RVs1sQmU()q_+pm zR7M`)kbD7^L47gCN6>K@SOn8cgfOpvr(jn4p*r#Sn_foM6qBZvE#jHLNEtf;GCZB8 zEXv&wzIzjFKlb2wd{v^=`Rk?HtO}53d4=vl4giNzW`@g2m&E3)vA-kAE{psgxIvS97(0{cBtKDv<)fWuS(P-XNQ(g8(8||lgRY&V~Gn% zCY;4=QoF#Ygm@^-hx>ckLd6}2JO|v@Jo0>3ud${621*ubsf$b*LLDJpeF5sa&$v&% z_SwClsE;uovk2;v8uU!@IRAi}iM31@U_Q&z368G-Z*gre6Vt7qjHx?WeUh6ajJHxqmC1;X9V6y}- zfMBSA^rtoAv!ezEBySaKgbo#W0m&jIpH~r?Mda5S5Keb~7Y0x?177$-WaULs2sbfUd*hCa8!9{so%$Ls#Df z!rUp-3~$QDF`$*r$UMW8T@3zVubUxmk@PP1-J7O0T>3?GEP2e27R9ja^ zsA&xjf1{?!WKU%tUv_HkCO3Luv;TC!u1qDZ`5x~nE@m_ot$NsfVEMnindtV$SLidy znAu>UUq?mi8_Q?TULH*?sKniRpk=n`ppPnVsMP=1$K0y_swHUR^pvyTqUDtGM(%F5 z;lV;gl@pcY0w-dL)|VEExvyu?OcW_PsD9#|peppZpPGvB<_-PAp+Ss$L>)p&LP>c< zZ%*&1tVwB0@aQwXaVAV`FkaCYR!y1L4f7nA4ej^LuS%mbjXINJR7$cZO#CuYwEdjv z9UzL`9UR)uS~A$5KEv5A{|a0AMJ&VMZ){iuwDxQZO;#iQL`$LZTq63n^uL{Bk!}L_ z_yzt1(2n#K4C+udMEH(_#BQ{a08hBQ)zIX8PbRg~GoJ~+6N3Bf6`oYtKC8dXbHuzl zM@=R@I_vyIw{p+?^@FfpIO{TEI(@DX&;oHQ$6YhO`#5GJQ80P5c0`57`v!Q!IH>3S zL2_Q#X-s(3I2Do_dHZc^Or!PuhldKQi;6wCl$dBYKBto;g%;k)_$-bF}S;%j=A~7y+5je zRoQaG+Th7f0L7p0rLoa!pL|yQ$@j5F3-v2a#SChwI4gexT9VrgHY4lL#VJpsJ&=wS zQGCI@nz}K2W~_etutQyHm@MnQw8(>~pBRCkwd zUL570Uv_y5whK>+*TEwxeP4#dLB7_6qj9}0TrQDF6r(0rO)1ibbo?aqTFElvoZ1e$ zPDTQ?)4HSRJ6(4`sXT!aikn2AwL2y1-UY|`Hc9TBd(fQKEoowvzQkZtTp+dAevhc_ zhl#dsg@PR6&XtDk}`yJOM0{|*l|8}V&^KY>41rPtCyOJdu2xiqtTsq7QV zq8YES`o2&v@z`hRCM&aAxk=82F?Dyd%(>ju9d4b%?oi)uzsy#=^bziHAXIUBgdLLo zGUj*%!|9!=Ze%8xX+ywzprHHALjt4W{6T{U_vpKI_ERd&4WkyIlRXjF&qH!s*lC<# z*!8Tok(`)GKm^BJmwT|$5qmYk-EC`T;UhQe=Tvg_pBUEXdyN(+Tl=$nxGO$q=mP>W zj=6>fMbVF3eHfhcFE#_v&Ejr}rE%pEjX6cHyLDM~<#sa=*4&4-(nnlq)1tV7(cWt4 z3DX@7TCjYulIrxi^g)hQQ@ZG*dTQrqqjKZMvC?Zh^!=k1_(k)C$7g8!F0=!lp=6{Y zX!GLv91n;|`#n-EvmP(I5``DRk8BVl>DfV=N#S25ykd|Yc4hg49j(%U2x@^e7vlEE z8&#hjcg0#fjYng@@nZ?@MK$j7lMP{}C3C-~` zfgSJ1o0)ShOXdVV=RU7d(l`9nk<70@`A7Gu^m};AcU;(;P*^d{Yl!eMR2dV|ztUjS zy50vZ?zQ+v4$3I}A6KeQBEP(o{iSwaLL~1!Sq<(0p~bNXxo~HH2To7LX($PEZTMjr z=#cJ~`*hz;tcWphLh^eK$j|3=Hy>GfF{@os4YkTN#Y?*zGV2Jqw+0*Qgy9i>jWTDm z8hg!GFQ4e4;5z1V$Y1iJW>YH=N+NN6DcDo^bugjq5`}khEyv|Y2jGbBWS%(5Y}d@oD(%w#~>ZI$x%M7pEVOVV}Y#SSf3oK2&Qw&v}K z`7FM|KswV$L0Q}-qx$-;aJa5k7Q4P^cEn-QV`SIN@Zq>;n3PgxaQ0NmdfD!M9>^v( z%HXMInw6Xa#LM``5Y4x*E{!YXNR||p@lL=6rmoXjnD?$33AIiBB=rv@VWGY7##uk7 zKx4b0S*UT}LF41Br`y`R$an8vbs@(D@!yT#W1IhRK-P~Wec}15ddL-J*-cO3PXDNa zw&jn}P11k_pPUX6%|Bl~YezU|ot=q10>mXKw8QVA08&n+-*8<}pv{vqa8HFSwPM|;c@-h+IZbpOW`R|JM@0xFfJbFFmi85i317HU z>X$MsIrK3afyQ}>aV-5E8aKyQY&!)A4?F)W+a{RLv+>JZ6FIUEe@}@M`f@lNY)3LN zRiQ;W8j*=dmG*~SW?!1A;0U7=4>Ru#BO{Z)6i{wZ`8tT~TVdg&DHFV~lI(2GY{-1n z+Df1QIpmkHW<4Wnr`C9U94K`>d^N$Ef4=W(s^~}p3+D^E7xI^S)LgccpEL)leS?k1 zAwT;Cil)=X>o3DBvYiqDwC6P}3KdMTrmPpco;6C8{#c5()D??@xTqcXyrYW1TG|&k z8B#F`@3ve$BbXP>t19PFHK1*{-Mv>)Gf5uXq>Qd+MhDWtuktLqHFW|>4q0}|hQ&cA zKl|6jze!ZJONXFYZPvuUrQ~o(sFb2t5KlaHOaa?UlWteAd#s^K5TsT zC_Z;Z{(2#np5}EhAE@%yOCHa9=n|J}HR4lk|G?i&h-OqQW|n-Xi2l5S-}-mlL8jyY zUvuKJspy<;wf_h~vt2Eb*_K;*qI1vA&{BE|Tl%L!w6Rglq&zSY&B>k5Wo;RAal2V?`Lt43JNBFZh8-4@eJ_}x=0E1JevsG-f7D*?ZT9@-v#zF-TNqmAPiYxmNQ z{+YXZI{Pg(YpU_4Qtee2Ba#+r+BNj3G1XX&uSuF2NN&mnimuWehHA5wSwOt!=6!Sm z*VS-Vim3IStJvzKHsNxc7VCoMg_?e}B743zESA3gE%uhxtMDI!=>c%R{6SXAQq zG7F5sQzk)Jze-vE$LHE>j5OKMm!Mg*DQD2@2!cRAH1y|?W2p#?DRN439j#Gs1o3TC zZjaX;IwbU|blt&geN+Y>4ZB8nbJj2+jqgnQinoFw&$AGS)5hO*M@krGa-G-F&@qkJ zt=W?oE8+-`l4PRM$ z8GjCn=+_+%y4$(b-}iaK0z@{OuyPcXvBT>krF115Q(usp#+7S`?HOGG->DC&;qTLr z?O3Me83`W~I&e8k<9wJs)`l;V2JRC)x^OZ}=J0?e%BBJX!#weBY=Pn_<#c;uHnpH8 zMzmAT0e!&&`$aq?bm#O`NpM6tXbFSr%f7hXa0W(WqHGA`O=|3S%lw>ASHJ8&B9wp0rf(+&SI7rA&i zENph$$jrC4syF|Yf?U-N_8xJI8L{LmK_9k@4cqLJ!`1cH3cobyZ#uHC2v=%-d@YrP zedV?hZ)6RHVpfl7oMbVI{mmr9tD@WZZL(fi-5eP{S6k4h##;Xm065m zqe^H4p4qKf*ke_N#h3$iLk7D)0$36R#lHb&SO_o?E*~}n)n@&2)5Z#yThzYNZ@xeR z^e(g45-ju=9$bpESz#W%1eOQ)mqYsp5TeKCtHK}FwCtzEA=Q1$jOt;k=ryt$l|VhC zK6b|~gYy;`xjajT6jz3o=JIE$2QrlGi@{WHf*!2#yaPu1C8wcw5a-Q&`_RmFN+qgx zO;;j5UncGe!cXNYWcFsYo)*4N@cpMg+4*F$4a}ZrO&tT ze(*XD;<>&y3qsdP09e_E4I{#7?@r!(%1l5$EbIJXF#z4~YcKRq#|(QqzY zSB=XrReWyZZCLyJ*I9|=(UjbGkRZe`or8>j{q+ERHVYPRcInwZuv8VK4E5!py)+GS zQR&cm*3qt9oWzEl`zap+6yDxd@-GBqm71Rx&X8yd)8(W{a|2C|ut}-K_no(kqC-^t zR%Vv`-WKQ9p}v7PzZlXGO6h}tSQJqE-b*&LrD9RT3Y@#=YPOuH5U8N0s8^_v=~T|N z^9Z84RyK<@G`Os7{3Twr|Na$VZCbi62B{wUD54i(&DNA?GnIU1}M<&2#rq6;*PhRlZ#hx6i*VR7@>}SLOsCpEr{Ig9eU*6|6Lj z>2XVqV<#7uC0JH$23eOtYvHaW1-Z?c6+D;EP|T>!X2I)Atkm#}Rx(?!lRd%`#Jhc~6r^iu+=_Ny?fw*-1R>?0>6E9ww3` zzoprLO;J8rA{M`N9Y2DSMBEMkzukxax4(JyiiX!i?)(`@BGxcC96hQcvRS`BskZ3c z`40Ath4-2^u91|ca*_6%8<_tVAy^4yb&mmZPGbz{<3Ho*v!mEJ8Z8K-AKwGdcWtir z_Q22IKi6(d0+nL|?EcT2O5N?^vdGO@-GPtM%bxYTIZJUEn@6rL2QM1e+#Z-4KH}4P z!c1!m45&3O6_sT3fVKK%&`s#;SB3ddUJ;{*7d(g_n^FF;R02JHF?MAd$b=dam0M-2 z)zhx`@pZ~|y4NqdyGK?LMdvvA!7WOfSm;&`K=+ba#sg;<;|67|Wg3UY(arLF8pS+s z)$tGCb0oGZjMJWwuhCKI^#JAJ{dY|_AYs&xRLXx_P1_i`fq_Vj5MxnVw{obl^&s)~G=6 z?rZ2;6osiTBQI3Y7@`D9F0z__jwe&#-QCt<$Z{5%b(Lc&i<5>z2XPQt$vbc2sO_EI>y1Eb8$n660?=dY{9rQk>GtViYg;@>y#sKoW2t z{z7J4)rmn23YXyBB`raaOtlkQ%4E6}8#3rYJgcT4#K+;Hc(~#j9WPAm?f43}c zGN6tSVUm59w~{yk&3t0C53%m$(YPLf0=x~ZzcO&*^2W-$v;{{T2OwOK+ChaxmptZ89RJ{_Xr65tWRkZSrCX(ZS`7Mh zJDzX+)yiM?wEwsX{3o4eafI};L(!vhdUvw-tT)wv-gm-FOp7lQa$GBU7*uo{pINVn z6~pGbZ&eXi=opG#S53FjMCEeO8Bj~BdG2^^jNMf19)NM3-?*O9E1j6|WVE}bn$BJX zC4>@!Q^yoa4C+!Rua^B#>E#edN(EDfZ_#BmOcLLlI0=YsOmj+Ftfui5k_#)M7>Q4{ zM49E(xbj@7?D;qAM>w}_EK-fx4XwJjVYuIKofl%;A6c@*V`cL)6_I1wHfLS* zVi+kp=(xI_I<#6+-qxSaFxC6@ObSq=3J>}~()Y{I>Xq|uSP_iT?Rcj7$ZzUKJy`qgc9@51B*OG@4L3LpL#G8VG|Lm=bcSBvmz zKE1l)t3R|U`N@Z2v~9%_Ey7=ZFUhR9;i1r0-pMsR_MXE^+Ic2Ei-!#B19=4$2Pc~J zCKcIoAg-hH{Bi9;CHk@gW0(up5AV1Gb?W(?VedK1Ru^*ji-Uix|LP`Y{YLQ-ZA1(} zx#r!+k@Wto26WepDNE_u^;tkbJ|tI78@Thvuf)GAL5|pp!Z!-)BoETyA0`#%GV7xK zUfIwR$He!+;qV&9)9V>hPLnn)nyF}ThrC=iK`n^Trzn-6v+Hn$#o7v0b&7-4;S{1+ z#|Y<2oJ7R+wJ_FUF~tIBS|MU8Fu&=Mkvofa^QXYDNS7#=-j^Ev5O0Dzp$x%47ve7U)xA=duvw$%XObS<&390we% zUz+KO(=;`*w#W+Kx$X%COF&HFLa#S>vT@(j+k^x7a zV{fhy=&7q;>815hv3D;$;2gP>*6@(f+{>?MA;#`fN#Pj=7Kwd%T?Pa#hAx%S^`7@% zvWKLDc&tn$YrF|YnS1Pq5NlKj$AJ`28{o)vAMN!WZ?^K>e_1O)SE!pNnL%fB?n23zg?(ZQ_5D- zz8a-9sL7>{uVVuYgGmxfDS!RO;H95>;|o4u%d6_n-vU5<@SC6(bDg6h-JJ%O-ZlH%J^Q0fW_Ww3^k7@ z=|!ZB=@7>ytpSdv9Oeqg1--f#QbA2%CDs}xcO4>Pb=8wKUq|br)h4X@4daTNZ_bFK zIY#L%j3Xx3bD|@gVrhicKD%~ZY~1W8GxoslZwV)RX<<%!4IX2&shk#H)>K);Eg<)g z(4n)`bRl9x=cbK(nV&H1FHne~Ez0uWEHW1RCao#@^d;>n7Uj*`5q8@45XL@q?~Rc} zdA02jZX%wW8MJ*xNKW`di+7H1Fg&J&;>Av9hVGH^8^B&!Ee(!Yqvps`j=0QvX71%C z(cE(%rza3BIy3d`Hqo4U#TCkn@4Dufh~AheevID916wFiGVQd-Ozvh`IBnbUUt zunb_4c@fo!nK<`;zVi|Jz9l8rn+xyADe>O5%}8Y(N^RnxA73Rt;^e9xK1~~my1acdO@de%d0QgyAzl*q%-D$GuLkJX@y7r;Qp?}oD9ff zv&|(?(N_R)pwkM*v`|f4gPT-XZ#1T}ny*NfkyyQlPl(<;_68NCUdCJp# zF>NN-r4n;q6#-a_vrqNPqWnl0%U4Y|FSDnCL12e8(LBXYrY#t|-ZZX=lgu<3`}QQp z@(1>GrjY#DwA<_BB7YS3@E!lfu0QRpMla*6lZg#nyOWx)CP#2SUb6gQf4i!fF3o`}y2g9hrN^O}$5p1rAshMJE}5>roXl5l z<_b_}*Qn zJ^SN{>^1eQZ(rVX=mZQ5i)ocNe4prQi@AEHxc00ehI7@=u%60r?W#&#KCs2SX5NXv z|K3GA%}wD^t#zBx<5n~MRIf*z&e%cUjH}??N|`3DA>lxli(kLiT0G?OD;9~KjxWM- zl>745X8QcnsSewnXTm=8^OEBVOO4AS?ME7`q&br3H)H(T>b^V~pOeURztrJ1bJ%+V z7UZvD83HObYyAsU{G}D$9yw2McUC1boAO94xYm57s4c%}!t}M^;usz~#d1KRwWw{f z)htJEvxDCD^j;eRWqmx~ynBz5xmIk;=Cf`8uIgYLPhN)ErxnW^Pkhi%2xuqmPGT%* zaY$Mp-8OykokOnYW~)F>d-4VzPV!Rv63ha&CNMoDaQ`xq|AF{uLM*iB^ww1IrN+Iw zB1%2sx0^MJ7$sYlUS_Wg6R-N2roEcO*yDdLf;OjKt<^^_p2(+<&m;|h0Nf_q6J#e3-yYswnSuB ze-zxckFomTsF`(`4{+{ehxC=uBw^0Ud_Se+@jAT{TB z_T+VUXm;40-^E{39?IkT+oM1%)YA0w^MGH3ivGpLQ?ae-^SB|=Az?mohU4EiLV@s# zO)o$0`|~D4k5B&Zk+^_AJ&ZK&q1gy}hQPw40_g!V4R?mA3;{4xeIhhu;J0r&wsh3ea zPPHcawxmj%Hj9-495fK3Lm06`qBNBU-2V=n6GfVRVOEg&sO5h%I8Q$#MpsV`%T)|~ z@8~vL;L?5j{Dn;zYzy>T0fMa*P;&d#bp%%kT&lv3!YhOJg&=WLOG=nEWA&bjzZ#nv z4Ao$Dc;h*;eK{Kc){%l|Y)*RVFk>mj^s%053NPcO_6jj%9Y4%i^9*t?MBMJ8D=ZQR z-AQo*CI4oo&zvUQpGF46E-fuL_`eM$Uap#$&8x&Y{SGzMWf|2(YEgIVxqZ%oC+vk# z&HF{39dEy&(BF8Z^|`s?7lqPe_?SELw)L7`zBr7h7SFii_2vajypRoC&|%oOcRl-S#xrgg?zo`r`l z`v@TMkJ1V|C|7~qg}17!ICGy3|Dji%e65+d$!u_%*n^~`d~Rs=ngC>7A66H-OVfj5 zF`~kF%=P31tITM48UIP?r-GL4)s{AA&?kAkZ#$hi?o)H*?{nOxN_DDugQXPE7A<%` z(vp7;JK%6L>A1}HBl;SWRywJzE@@MI$!WXkD|bX4F$=GIN5CsC#5ijHz`i#rfWfK@ zDY+gJ&`~?0MDBtvi*FO`t5K!bdWa61eS?=syLY9+_X&YyUZp~tcx*DqV1~;76hB>J zh5GpK69fyJI^P>(bC<&T(6G)^KAoN3p5MRQ-%%I$Ykb({sB4QW#*Xi=qw-L7a3^6z z-?&9I%R0TgS!Uu~O^aoI%4)6414FK(!G*|If6Vlv)ma5A){);b{7r3Rsj~)air&uQ zfuKL$)9Il-U5L*oPU`A!34k!b#J#EU_Mzn^d<-Q<12U4eQ}E!93wy0!b3xXd(Y$S}Nv{%4L8R-O=L#{#_%tWf$GmJ>cK!6c86)Kv6pXp#u1nPvLU1ky<%XBD{HB{Q}iWVwJP93Jj0nh~D(ZD4w z{(V&6&c=Ge1>ala!DO8_!Iq(^KnsNvd{Bnjb^=cl?K0&LC3wNv*`Yy@Re^+9)Iz{9 z*2owZV6Q8>cEaoEl^iA&OC6UgFk0y8e780GnLMZ$M z>y&CRd^b4q7sWmS<)V-^+uzRETK{>MHlC5V1A~>;~a+-Te-E|BC zkp&blU|+1^(ula4SDboshlyVuMY(`LJ)L2Z+Q=aZBj8DxiFhoYR*~4OYnhcj`>1(_ zp(Hq87)0EH_NNc)->GL-Q-yQto4H zUJ6C%HRnK78u}8|qGh9$saoHoULp#EUaM)B2IZY6QWxFnPu9JW;$<{NpA*%%s%7Umb{FO=g(640J0!6eqgWd%8XK@?V z2SAS#|JV!9014`_aPh`H9Xk_|`NH9|&O86xpXvk_Ds|IDPmm=Sj53Ic*I`O+-4FZ= zWx=~+SNSgz>QRIOq|7YScj<9Xk{CSEx^VQ!#_prwOt7Q+UT%ijM0k6H<9*FRWXGHw z-3wnvN&f!+Q{qr-zCSH!{#jPGz$h(8K}f1FX@&+%MooiIDZJ1EA|)@9`?p>|z>}U2 zvthFi1`?Bo@E3G?lmV_&)xYQG{JF`i*wNgQnDu!FC@Hd$ad<7f#}r07#Xo^!Gk9Pa zhE0QuGrUuFGZ9JwT~)`19*#h{zu=6PLH?C(}Yy*svBWX z$MIA1cJ>_{p!sq;0Dfl^Twxjz>!D^ZC_H1I+wti=B%SI$Yn(-%k9@UE>O1XP^l|4d zGiz;$UKWN|7p`dZpFAuN?3tuTUfp(9WzYZiy`PlJeh>4zudj&R4s~J$kzBP1q@|%C8HvG32DyW$K>}Xv}KS9tg@6V@m|MOX~Nfz33xar{g|LKAL=ZE_r zzZO)^-h~mTL)~7f$e;Fj|Lu0}|Nf@*Ipb)d8k}LYra1q9eaY9v_A27ZcUrwl|GIJh z@Bi$d?}Y!&uP1oWR1te|d)XuX{~G3xX5;(>&)g>Lxcd1F?lrFH0F>Qh@nK6f0GyG7 z5Cs)bh!Oud&li4QfS|J5NNB4l?ErUk=^e;g@UYnW-+p(AkY|&uMwWy+(oE<59&S*j?xO*Ef*+!r!(GZZvwe6okpFnj2=SGvviUk z->I^G>;T74%z)Xiz2ttK2XM1N$3-f?04wVkX+q9v{?JK=wQr0Ul)#dyHoNMZ3Y2qCPNBS-guv#K zo*23kBYPQbzPc2T=wpZHR7=B$Z3K+8Qm!~ zY)CcLM_6X57R(Ms)$NS zO^?zFwBnPGt^Vg%{Ez>-DG-`}-Mwg}KKY}5Xy{n@7xa#Wt^?YzT+hTym*mTT ztsk>diSA#L0ZHHl5QW1^BA#_a@*QB>Wdk+*0Zm|9L+3bDI?2dfVXSRqgT%&L4)Dp)z4NSpT8*cM}@6DD~A30n8udpTQ4NB zzyU-x!+Af(U;Ik^v_|mPtC04_nEGwoTc^crgD@*^^g~fig!_Sm#j#Te46z@(LU{NTH5!+-v1TBq?`|#cI{G#CV)0L!F z(AX4%a7Yu19QoFrPP|Qq-#;P~@?lNB32(jz(5*d|a?ub%A&fl|Hlc{$DZ^eagkX&l zsD|eI9y&?_zzc1JZ#eV;s&5;Wgs*Gogv!4?TmLxh|LuZ0e1US&Wb?OVOlv2E05A$& zB>CIPm6(NcHa{lt+Ve4;n5Tw8M6xWJB2LB7gM=__^1lXwP;d?JI~)#I&cRpAyNn{2 z%zGud{pSkLCVZpZo7b=0iWwXTf$d2N@E|!UZU8UI3yzXvi2b-m5t)hT+O7s2K+ji# zu&+Aab+awRcHppNWSfgvnGL|(kwbte0-(@6tCH{e3_brQ)O0wi16Q}t(;TJ5K<_}_5y+Gwh4%+3xe)4bHEfUg5!dtJOx>l@NjcmLNaTN%rG#) zma2CC>{^`&KvVs?xv2viZg&5iC*)kX!RtREiev(w?0h|Ax0{E6b}~fT>0+Id$slO= zHo<45Ig~D}|NT?FK4@az9i#!J3tJGRaDreZs)ggNMDU}rz`lpAzsyb27$G5K1s!n) z5*#6O#OBAO^s~LxUf4ho2>{T9eOt^OI4qxVR~us@G)%nU>j?gA0)X1DfRm>^rk!gn zq5fl$-o^!HI1U?m$=n;FRjf{MI&9AW{^g@_0Mqu8Uk3#@Y~0dR`sKxY1#SR&GJF2? ztJ&|g4T0Ew85xYVpU^ObAI0iwCf{)=n)s+cFsp6mgx+_*5}+AH4nV5LjS}N{U89BG zxM!XGSQPd2cJzBnao8|?j~^0_pS&Ez9-Z4z0QwPvP2(sxoeyZs?1??D+=K1BQe0pF zhNJ(&@g(Ma$D-x537i_z$9HgoH_OCEe7S!@>SH;1AOzWf=?RultgXq4oz@8 zybqG%U`_WryNx$S?s;$ZPoaHy>x5J4mp@ZjVYHDgrCWTMKZsh1Xrr*AnG+qor)OXh zkv&%!z_|Ub`$Iwe$*zeVbZViOZWZ;cL6su59S^|Kmn|alfe;q$@bky6UvE~>k)hW+ z#>g+-UA~whiZ;*$=>DZaLk{zSJt%!wjuN&qU}cH>oes^G!q_zw0S718+Wmzq|Bpxe zUu{2fIVWSJ>Gi+Eyzu}LX5-$F4~E__#}zIQAK-)r6q&aAWA-=Y;B=$1;?BY_2l?n~ z0`eb+RQUT1%#l79M)f|4z@lUA*~(m#{orsifUrua>X~tTMN-D6yAGZJQeX#2GodiU&@l-u} zL^yIWx58N`dW9l^pnnatIC=)D9&maJzn|mkuOy=}ANAfJ5)K$YWdeuDiS)A$+VEY{ zO&h!{U5RQ17zVUwUyP*_7kYOFmrJVL8}dQ;pcf5;SwVX7qbMbb^lzJTe19nOI9N4) zLaqAd{N@exJWV!4jZY1v;p}y;*y%+rx5%Yo8EiUhir2_W`{hik;?D_fb3niOXkTY|gMFS$tDi&k0a9ve0f~qi zbc@mIMzkFal+}^mN`eyvW)>R3bD^Y{;9;rnd_l^(X67*@$lsK`gU8d7tq@C3H+az+ z6^_!9&i=N$s~F%G&hv-r(neFwcYv#2hb7Z9o+SDD{WD)UeTsp7{bdMtk{z_RFo`DU z@2$QN8h;Gacq+=HYm$V~pSj_*TsZx{cJbsrq1CVlSRb!)aVL1LpN;v!sg2os;xG&?w0CPMZN8z@;PuCB&~X)HHOTaE9+xzeZK`cNn7#(1|92C`(U? zGjMt{!b0W#+S^%l%E}ZsTo3+(8!6bzZ(2JxKd;9IDG=O_<)b`|As*cS(m?y1{;&bC z)_Vl)Fr!eTUER@;IK;`yL$W_cGzw_#v`Emm#de?K!FL=RniA{opw?ZHcggolKyS#6j30KqY*MK@{ zU@Cq~N?_~!yGsb(>PNSzT1cnRNGYK)1j|jhpY`lZJV^4xPqgM6rh%_wl5z6#@rb+8 zuqb<3ZsNA!-Z}a?$!VHa?DTr`=v-FdUexzrT>oGJC?0}jOtc>T9B;0R*N#WNDrIfa zgkc07e}<8F;q87(cZx~bi2|e3@*b=smuKyT4TJPM8=_7qdK?4mt1!3YeA|1)cOZ%M zON$jDjgX2LWW=k{e@ow%Lo~QVJwH~{jXqJmzX6qCWg}}~f(Qtr+!qToIopRicv1Ip zTkHlJql-vZDL@o_@f2^O8LFw(xN1zE!8~V~d1t)U_7vfVIK#}Xkq`2^jnTIiQg|NV zM6>c@zd3#m^Dq(4RN*!qtGaquI>Y`GtQoc$k+wBb%Xidzx8COR)MIWpS$H%-2=shnU$IX7+|3Qh%Yq{sCvat}c6bP2ors3hR&NS_-Q=`cg z*|qpsKz8b}HqLP%>ZhTg^6Qi+5D+A!L0Uk%TN2CDB=h|_;bKbqr_8sFJ zV~sUfE{06ze4gij$94U#7XnB5UnIMkMIwc3wNWBC1cV^%jyRz(?$_EuZ*fTPfJl_K zasHQ3jga*ce2TRy>HB8Y2={DkEzC?XHYqlz9Pww?NUzKEjVl_dJd4dGHJAP}gSms( zy>G)rC>l~3>0Hf_?9yB&!f42mH)<6~l8Yz01GmI-Tn_&8jT=$td#7VKlAb@Sozh$) zVAMKh)nULg=#D>KR}8p(Sgk9FfhY92E{jk=^F~>)gtU1GFnYCrZ;b zSc(nw1s!G^%h=I&S98t1?-;Sm#`}VTsOLr|>=&XVweRBHPhavYI-i667tgl-Qgw2f zHh;;NLfqVDgJLr>uLwYOi@AF8e}seQCzlb&a$k12NwL9ltSfLKMy;5hung{$)mp~r zPx03H#7G@cyXifV9H_JJ?a=1v>KG?q84msJIxW&-{w^P{x;_vXa9nd*rjH+c zjh8jYds;5r5MU{*$ug^Ax^08LKfG7%^zWTYomahZ=7xK};(}yX*)sj!p~pz6@c%B_j9<_O?kPXn1tTrZ|?0`1sqNKkj#^EgeXgirMKsT@tII^B?S|KMIj^ic}&bm`0{v5Reg+eTg4wobDE zahE>Ff~dJEUDVx*3xS1ooz3;*O;Z&L=9BolxbXcsz z^hmodz_?)}GbcIN{bwkxTX-nphlJ+lq(%DJgj`3x%?j+s+BsoLuSrkKoNEoHL^#sZnUknDWKEI?1Y^(GQW(= zj4Ska!_#(p7k)EVd*pyQfSlkmz-No1H>NOsnIM$5sM9{3-jJwFJ^w+~)qC@)XtNg4 zIAU)hTbw|Vdeoz`bsbf^xf-4BX*8C$W8Ba-TugMyTGaUYeyEt8?*lODi>$XEhKLL7 z(_;_ww9Z5xP{rJm95HXBUGhiOmJmcq^DsQ*wSJdUtUav?o87W6hV$m@&{DXKT)&p? zUE~}ZR}|9?Rl>rJkL-IjwG=DH_?W{h?HbbRpK)BQfw-Wynobppuu%EQht#dh(g%&j zEwK+dohtg$Y|?Ouu@D_-)d;@4;i*hzz?1g+#wE_$jdV5*6{ea*`F0t@lzFP}ml*s0 zkF$q84f$4-V~)X`fuoHUsW1MOo6rD;C+V7oGaDCA=nav+-_E_RzyvP3@KS9Nt(^@D zW?lT>@K`yb>oj04&S+^>Tvzj@&`wRDBl^CCG0V`7=3+FHd~Kx7TUwt--DHWJIK6|W z+F<*34qat+RGPp0?f&OK(2h$r3(vb!IW~7WJ2#vM1V;>Q%6}^HJ+U}_guVU4L-6Iw zccC^h{NsFmv`yYVhnqW{%;#e_CJcYpi;DejEz}$F)Qz@z{MHfWM8Lns^7RGTOVfK6 z-kcR*OzG#i%!K*xkCYuyQ7l`{=+HIxPR(_Hr=?CqXZs&*=)e0<#oJthXcw0FISvmI zD};l!eCy)sadl|u2uTEX8RuZ_nwha0t!Zpo4#m_GQ}DY0!wx>xPveCtn7zxYZ)=|q zzhofZt8oC`>vMybnxP{cxCJ0i$O9XlvI#v-Hf)D_8|-6o&4ruv)3X*cbl4-b%GwBj zBGeQb)k3l>&>ViTaYSZJmyR>r#F@u5J6+%|p$|gxlKu7KHbDSu}w!K0axZ!pmEw3970Ml3AoziPzpgSV7@GqBAnd3qs? z3J^e4pmFdm`1%WcT*YrXyI~!f3ppo6x=hGcw}OsvWb(nOKyzSTS8C~P8R=H9`c6uc z_&l^qz6N%X@MN82 z9gGT(G<-N)AWG7u;?AaI+W2;*(D_=6DhX$Y8u*p<@jN) zGa3qyX@3hMU$4wP=yKT7Gif_@N2xpYSLr`DFW||>jJAcTc?|A^W&94flWE8$v`smZ zChGqo@NiRMP^b6S6FN*8(J*=nBfcTTc02ZndnEAs zcH+c$+ABjvb{Sz3mQbv|YLaI4TbMGkNOko;ZC6*~%BeaQ$Z2w6vr-NB6vmrt4>RO* zm-X)WI)#PTZk+cOu#v>1w!4jY@~6lagReVOE3hr+E%}tP9VUi1%hrffEM$piY=22h zjy-y#Ix1?ay)QNu4?TE-ck}g9rb0)y&W)lL4inqTE`~CxxtHZOAYQ;fqv`*=X>pyy z(5i1>Zw7Cf-T5;~KTCw@R-JKkQ#%d^>*gtg2hXSTzsv<`c5{cu*NOUFZ9g001k`8I zS{z@xi5=|@uqi@P<&v1GNZ9?vmXB{LU^&$$wh8SlR`Xxc@1FZLd3&DyOfTGp*bo!x zFdQ$zTY>k`pNc-Z!nw_#?a45FMB$zaMlc12Glm%h{GhO$u~{=*AO*sbdB03 z>Gf@~ApEl>M98RjK7t;)qZ}AsJgfZt?%TZq0d~7+(>-yt{eI~i>#*!q(Ki|Iqu=j( z+#wh#*uTpiugN?9)@O2hAxePEDdKybKwpwi}+cpR6>@(8K2bQ$&QRM%39>ggRBka>J9wa%AP>tosQ> zmE!mD&r>{jZrV}J+&Z3z^Y7^%LyHgnn>pHHl^x$636`U3lj29k{zp8J!Pw|rUE48P zF)U|0>+z)8BqE0A^_d8Z@juo@|NAnyAms(S#pNR5_DLJJ@|1*KlaJ!F6J#Mp$bea3 z)nvMix~ZHbT{=(a`e8m%(^x8dyGxtm$6Z8JMGC!oCW%oVN!E)17im9z_Lp~}ctg~M zpH1Rxj7m+Ne4qPeLcS!&hIefUCUq-|*c!1i(?w{T`t0X-LPQmZ1u_imjJCn3v@r1F z=F`s{a$a8;u5R{llb@RevEJj^&OOTTTUCuxWK#?MDZzx4A8VZ6o%@}}Ur)WwTdF42`usTyeS!KYN_X#{%i@EKtL1>UZ zKx~JNarKI0V0*MLjhwU-3Ob7@;n6~D(gDtfN?P3tPYHn@ZNesF&*g2`-EeQUOSVp9 ztKlfkHrkaUSDAz;MtQ2Io)3jfSk&9cfuzDRbA@=~`UB_9=3jzaA6{GCWPQlqE^WeHK*y_m zbHc1fA#ApNn!0nUuAUNnk=s>|*DPwR_WKTU_@CaX2MK{$6HyK6b$mkG!l_~O&`)xX zzc;;1jl8FLg9D0>He!^B-|vK$ zAG)dm=!6YQ9Q4;nla1vLL%X}-BZj=_LnyOM#&6j7!NzUc@in4#RXd*Y7{50~mD?*@ zoGMwSzL>LtBuKcvz5bu;^#8tS`5%SwZK;g%U!RL?-^H2j4UPeesj*I)0hBCDW?wk$ z3taeVhygys#B(VqdJuNF9ZWY5z(?a4J)H6&2 zS8(Xgs414-+IZPV=>f57qj07!r(89FRRbH#AbIQMMCfd@j3P%1TN6Wri?X+^nv>l! z=%O^vf;SAB1!p~EerkEUe0Sbh)ryQW4B>NUFWx9Uz!?E_0H)nSL1BqA!Oyt;R7XuI z4wFDSLr@0BYAZWMtka*RmeCFuPEOy+(HU}U=jR2nHj5%PkC2I|Bcy0e-wAZ7wwoCT z&2w3p0X~oh4X)4tTXv+dFj?k~h+S1I zZt!MNMK8M|b%{{0d2%J8^+&cGombUaqmYUH|&F^08qW6L*=sWAPlwW;&~tp+v_#*9h(^o^?K$9tL=X!L6+pamiLc z$h78hrx68xsTX&cXO+NYZ{PqyXGKne;WV0Q?Vj%rtWs)6dgr4~tNhYGK*mAJt;8W; zFmo$XXBR*=T90s$aJ+V&>yLu#ss+NapeJGdHf&$@e5MPxTVdE%_i+hgMkG?>DUx-*pI$sddcDqH$iFu zOh#SXO^~gO_h3B`%oH9*&-eIlwz`Sg6W=SL7XUCsks)IhKUoBEmm|fRmV_4U%zPF4 zt_r%YX|9M(SH4<<;45OCdq}-zHLF^6S`BWS8?4*E`1?4sV1&)nMRBjRqDWxQ$Hn1{ zlcBnnBv+S$fk|!j1rciOgYc++u)LG8E-H!oa-?Ia!cDH$`mCFJ`NO~j0_U@TeXInbZsZhEh^@ezj zx!gAIjWxIxM(3l5>V@u=qq91c^D#oxz?HxYMWO>kl#(RWyam&I9baIwRVCiCC9#>` zW@{P6v6#1Y(k$k_ax7x3I|`2)lIcn=M3<#A^-0C_=re}xLL4G{G!?v=hD+8~Nbkg% zNI%V_H0akFJv+_OxXtPy4ae%R;Zo%eEdTR?wZY5&&=D^*(<{fk)Za1s!ihzS{=H7s zpi&Klvn_Vygulo%ibbZbyMsI9Nt6}ji%GvczZKpoPBIU%rEMR$;QEUC$xATRo&DH zGS<^#Slir*)x1~nrRP#w=Pbxco{u3;JL3w0ELOUIse!9#@#ANFhX+fClpjt;a>4^1 zH*y*Om8`1fbgaq#qZ!sXV2_CkqJSmqok3N`lC93}4g*o4Pi#>#cSLQObTtUH%c?q7 zOnPV#7+C+6&jQL6z>Ju1d2`Dd^0#v<8EV;xA5wHo2HC%Y0CZG=s0s*t6zx*OXnc2~ zy?9r;2*r;2!&k78d-h)5I|dyh!8=R-ZNd;m982NBZKxrh2k%J|LXetP8Sr!8l-YC+q(`Qx;f z^s%{7oKoWV2u-m~P_1lCWe2~U#A85i?3E3n5gks~eBE8%ro%(=ZHn%JPtf&dAO4a_ z&os_bO%qRXU3?K++o~ZeYDNab!K}?HwR7iRRB<&DbQ}{ts2ddqWAyvY5Wkm~UE4iD zVE2(MOkUl%$Q~CY96{WxkvoPjcdy9V@~$0HR`%2%f;7iEo%tz!=dh~r?V(_w7OCIK zpKd-{#pV}N?G?7JpFnmspbtNWh?Y%V4K-wUA?E`5X2lyx0tQ0ugP2flHP77z?{bdYkI_v% zF6-bjcFFZW_DAH4l6MY5Q+U-wzKrpB#z9h4_sBQ@BKFg|VzlBkP8V~N+O3=4vu9Yh znH2i&#SE@c<_&)s0_5TNa0dmF?AT{*?zo^9$8Cp0F8Ci5ni+g_My|J*}}%@^+uQ9*=2wIPsyFQd+I7Vl&1%$U)v|h$9kr2nHB}5`I$?{`uTD+IPHI$}4}+?e1_$DK>zEAk;W3iV85D;#}TFLHqZ$*hv>HGkZHbUk`; ziaqu_6#wBGOZ()VXhHaK0?q7Dv2gmJ4(Zk8n(hP#(_P#t z%aenhHmR6fyGHN^Zac*j+UKw(M>CDS#J@WCJZysCKr)Xdis0a`yyymtDW_3Hv0Q&B>{Ah+a#>~5qaLP%`Uvm)_R>mtK3}*geMeS=V z=X{3mJ0cfy$gF5ykg}`{rEjNTga#oZA&6^1!6IxTdX022<5le43^Wu6x|(~k*Uu+m z3$o%t+{SmnQPZC+_`rne{zC$Z6Jt?|hICC~1xPjPSezvOiKd`kOTYmx>7`S6?08X< zzQlcWX+Wjc#;aP>Q*PQNvO;sqQgw_yQ-t(Br7jRY3?&)Uqska^7#bZ8&&wLCss4gn z;{F|O`C4rUH9=piLgrfza&F`UFh8YQre7_LX(eVI6C2Wa`dMx7G;YX!65H%Ka)&a7 zMsA$7Hr4}guE1=b37@PtAGAawOC5GQrVeAf%J~~eilzxZ#yk!)i0&^Q@GMvS{Wqv( z;P>JKi8rFU=%P7qv&Q$l!&81U`^p!OKP!$kb*o>YUh=sSN?BR?tK`OhN0j*>8)NRCNlLGyX}AuBlGy^7i^iH`7oZ-$NXd8I+Orp9&@|2U1GRtjzhvL zG-Ci+4fKwbrDhEz+M!JPaat{2|BkjNFkpv(i>Wvhm(1QjvyzLq5oBZyny|gtu-yIy zE8P4rOsX3%geDEx0)zJIou_%EcU#6P_F8N!m5S2Op_`?k-C7?>YHQU;_r5P91j^;VoW;#0+aG#Ip^(4j)apx9$aL0tVLLJCxI0s ztmkdI%s)@t*VO2LfVwS@Fh$V`ALNSa2%_>$`n&ZW&;411Jx~Jo$`14~w-b(N`0qa| z+xy@k5m5Jc=w;SPnv;>ZIX%NlUIn2nW%ZsRW7lwY?~VdVoG+&ho66C*Xf3WsuZwK> zOlwM;680KKU>UWlDQJ}(>*AjKh9AB6&<=wx6|@*d5XSmp{?Y7;LTB?LSkMX)2&)|` ze4d^-5)a!XV3$d!+Jhvlaof!88!xlTFC@Yb_mmXmTaO2@#Wo#cYQMQX+?t7G`)0BF zgQG7yVFnTT4MmTe$}K!=i1-e<>tY#J4}*cMnCF3{+E|TU!cj!X2MX_b{QP*sn$6Pb zqEdtZ_Zi*a|8K@Jmgc8n^w=_#EgLWI>zlB_jI%t{Kf@ppAO>YRegct7X^~qi4Ba0 zKjXTg>s8;yqBDu^MTqHHeu8m;oP`thQG=W7G;^#1LQRMsK-LZ7${%Ka{$~28&`}bb zM}>|#xgL|U>j)p`V87;Ian}fD(|Df;_xw0oDi@xHajVunNxyS5>JRf0R5A&O+*UQS zz!8N6?nfyu6A4HpkF)zzMFmxN;&%Bt(;KA2cg*VX$R8ldB^`OZ&5n$^RNAf13%{Dt zjgfOK)WMx!^$p?HA=fSNG+ZNQ>AsdeC+xC(qdSM>43}+0NQy4uyR~X#oNK||I#5q2 z8tB|kBi@eCRrp3$wDBA!0PG804j}a9Gcmp-sS`pLUgQG6pYs>ApJemmx&I-DRePo2DeIR`i+Yt%yT1cgs6WRS` zO>L5h(?)?x=VVeOrJ&M!Tr{253LU)W_OYPHVO;cR-wrqu-Wm6s;qJAsyNw7}4QbHg zd3g)fd=|oc$7@Q^7o_z}X2Y*urc?tG)8lcmDW;mAp_=7?j zY)BKoeH}kWeX?aty4_7L{Jp0W>)B*2dK$jAp{KcM0mC`3euX(Sq;6&Nmx$iF=Nxpw zBHyj?TTkTKCx%jlEA>HG#`913<{me$NsfX^QP%hv*z1ClWRGSD0)MJIHh`* zy@<%}5S14%S zm3Gizc49nJ<;`2i}7s5#%`R4*91kv0k`)kCdlPV$it z%~+L$dG$OPpL$swk5Hs$z5zvyvJ1Oe_AwvRd6NHiRVk&=hXx_L2j$^t< z?FBVp{wsjZqtRx07o9Z>7oU>+EPtEzApW7fa3DRUow?kFu@S!9wdOOq4%hA3N8f|> zvigxCnN@!Tp*+^#rc_&DTPi==oDuC%V7j$p9Qs1@{R

Vywom#)m45IsCu)mf~z) zuk3=*#RU(G&i6nKp~OAh`A8@_*6PyG&)+BH#6SO#lHa|8W1-6FK*}0473qg%o)r*(UuO5wxmL~ zsgitn9qZTy^wWy*f#*i)=!H%*|DD-@h$6p;76pc7r)AF|)>4-K z&a(ML{qQA1G|^)n$vBA2aYaC|B6@V@Q5e3Hi?|qh&ArZ}a{aFf3)pE{9k0m?>qs|q z5^l})PF8m_+NH*@HnFhXTtCHF<27kVTha*aq$$vqVWJ2}FvUF+a2%X>=qOi&*?3Il zh;%>C#ltBvOyG5FPCtKtG31lt#SV!nE=los+GT(M49c1kV3$gO!?U+T>!S+WN?!Gu z;X-mk>xltXYxlYNQ1N2<+0}T{>nqg1-7OH6Th|7dxVi-L=boK&9seRppzswSIkq$R z;baGA^XuUv1@gtbc!!%OM=zTxaBW+OL%CMBacK#04=>Eq;i0*}Ive=iZf zJ2XTa}} ze&)P%Dg9g$)&jXStS!uZLC*YRx>D@p_aX(F`}~|Ei!Xw1ss9{IAaqiVoq-oaI@#L- z4xeCiB^p9g6+P~DnIJp`1G!?BSdI`$z?`rTs`B^vmb!AA942(y@zYKh(G>n5NinA! zql=#iSUHEW?yKS&8qB4&U*+hdmj3X#p3Sd6uw9^0CSvXKSpaq3@ljOg!$+ZO%S?gp zw~T({qNYhVmM*1c+$DmpJWWGA`g9bqdK-%hS6^6&P@GIwfY81W85JWBtnSx`aE-w% zHwFs~W0um;OZ5S@rLRrevo;yJ+~@bK@^~Cb$dX@R_MLI3IJ}(u&e_7zBZ0fgWgqpX zZbjEHBxT|p@5ZLs$j3n6{@KzRhnp~VwNNvB3ZNaU^F9A#Mhen687N@IR&FIWn0!@W z*NdEjsY$e@(1`$q@oCTWS=+L+ugouBo9m3tA@F%?;^GZ|fg$Y{YyO%xC zKfblV^AkwWMDz_TY_ZFB+Yb;ny=Zs`@%WJQIXPpLm~4tp9$}lmbao6b|ER!{x_GS) z;9Q7let=L}yf12FeztAg7v-TKK?Zsk7T9Ue+6kWvLPx zyVWZknY`l40SGyN=ywW~oi#@EG^vk^aG3Rok{mwz32I?HF-*jsNTnG8w`JwA_xRl@ zn3?^2u*bD^umvjXo{xAje_}3{YGPE?mPweZwD^m5jZjsv+gIPE=~8s9u>}%`+wc^4 zF9Wo|$eAKkw4Cs15={#B0Q#$nb@#&! zXIPzz^cZI&2{e0$p1-Pzyj7Fp+{@<1>)Zk$>`Xg6%B5;qvSnec2Qnr&_jcNEG$|=O z&`M*t8PfY!R9kfOOKzlwJ8Q(fe?mUNQE8a3T`s!}{=ZJPj|9et_MQai9==muYkTT# zv_n52t+XitD*(Gn=iwmuwxpaUA{L%4VcoJBS5^oZgh}tcN8l6jj5}LScJL<++9$Y` zffa_|Mdw{KVM;|ZWZvQqi5VijKM#>fW4CgUuQ!?pvelWIyIZ|M4ipwHnZOiiw$X(s zwUkw`9-_|{q;#X8A_~1C?WSI4QW3r`Bk)ZhQ<$vm!sqKLARMn8#fc&wgdbSV5>BKJe527Hn7*A4%3TKg!(*% z#&-}(?X6EqNN1$N?t)$IH3&y1fyrm&bQAR0lO<_n6*+h$*HZR-wy{7inumBS2G$65 zWZlcgj9bq-1dFBd$q;i^S9lNE8;QGm5J0vYer@-u7-?BtPzj8GvCo~hjjzPv4kcc2 z`#F%B80zixx7rNHvT4w??_hladlO50a9lmgkyj92TegngYZNc=zK6+En8pj^{F|H$6Dsn*;Z9l+eb-bJeA=AW!++bjI{Gp7b zIHr54j-$;Nq!wCi>)6ATkOv+h*;LnYJsd?$-A5#bUZ6UCFLALWgBa-q##PxlT(2gYwS*7L}qbppRCDAAR7vxVWk*9fIYBFC5K`B}dzPWtxBy#O^BBP3miQ+%veU?Gr znqq|zfWwqaBZD_oq9d#&C<=b3-KEJVQ%`s!Onl0lV&>2IYFq1G{vwmBN+kctizO#j z)2b_VGp9>2JGBEzV)E>t+5h$2;nlD4yLmEHvD6(8AaGZF^9fqk5OrMF@! z4kuQbJVP)`0*f2T0qqeDy6KkyLJ0~VY8!~=2GgZsPGcZQ^#=e>bKU$ z-9mA2JF1mRq25Okqh1x&udz+yAlOcwCufG@SKW~?5+tS9Bxi?qnlOXpJ$?rwch`#uM^wJJ^Wy?5UP<$S`bljv_l&nQbZKA5NIBw*hp8?$ypeI=7IpZ(PrK?#PwAO3%OkG*$Zd z!CGBrSCzB(JFhi*4w=4JBDKN-&wpJ^?u&srX;8R|-^4bp3cG3~-Gx9y(zd!?X8On4 z0pVum(v*4ErVaY+u!{|9j7Txkn=`R)VkZ5m3>9z7dyh)$<6#7Nmo)unIRdya@0In- z(njKQr?E|IbiS>%T)q&lCVEiWi(FPtEwAy)Oa8s@{DQ7{bkqQBGdfZn>Pr zJLE}pn6Nd|VTsiCAQ;FBznxlT61MQ8`f>6x=xIfrPMhmv1gv-BUmrc5V6(rFy&l8z zz-?~>?BlZ)l@X(Kwkckd6H#W8KgF(2M0JSqtP3!%r@X`-v2=L#{{vH$Ncb?9^w;pF5vq z9%3Zqt(-ttq5Q4l8Q4)j%_Z${-B5hD^>CCgHhGac+jmPne9A59=vn>>^&Ta@jkn2e z9x!PiaAj^X7b*7(zPrm49sNOhuHI)qJa7LjqR08OgT|kYU#}BchLOH6l-`Ju2L^OSTqdx`Wd!I12vVwNtxaItZqrpMu( zWbhxo(z5tIaILu2bX4MeBPM}s8RX0N*MEzF^~?xf2Q zl!hs3J4CoN6FuVqN$xEOvQRC(;wJfWx~+1p4U?Y6P;Dp*#-v|~lj+eN96_CP@0Z`J zL`C0ZWO5_=$O3DbP=7J2HYL0>PvOXjx(k1T9&c-$HqUgJPb1)3$*lIc*Iqbuc&J3< zbb5Ovy#JT;(Es}nfjU->)vh6eHlsr@e2iJ;+KSi2-Vfl zXoOJl=h(9`gfY2L8O>bzqE*awZ8VP|;J*;2rD1;|Oh*cNF?zp(Q}-2@WFHzL{uwdy zi#yVex)&l{+FAheNKy*d47;;zgy!sN^!W_P<3>F<@Ib?#PTRkEyg4ISoBjl|(_kJY z3+v$>)p$SC=`R6qc}=7lp7FO}JAg6-lrrzaA-MTth!Qm~PQvP!cC)N-0d+upMNGr$ zqdnSVVM#pB#Nj%k(ReF43fXJDfF|G-Nn z3;*(7Ivsa)sm#hy#(PfJI+RxB*4$$>>JLu?W4~CIm!6~^VEmFKI62Rgox`W}`UTrd z_+EST7zMo+wuqmL1B6UoMpIz8WS(H`@n`bWv-Z68cA=N(47|;OJw);}-)|$m_KsII z)Si1%CI7{EHu=DN0+BudDf1*@zPO}5gu}B^0m4LNWvvZG+i9P^1wbvrn3ycjC+PY~ zOxgPoo9r%|nIFcKPNH-9{hLo_PB(n#PQn)gB_66BRu56v&}-Aj&>ds!>o*cEP(Mg) zog^9}-qNDUeY|eF_GZzO-zvslNvk${#qq-ZP|*$P6LOXL-41GV_q?g*_P{ z89R_M8bqJy6e$W6c$~}c$A1w}ul}8YI?X$c*XV1E8|bH4wSI%7{3@GA#ug%VGvl7g z+HA=qQFPPHAZFb|FHq3?q5OiNLXxiy2+O!7qp?P)H#So|1S2dDwem*lt5*Am7Zk+6;(h`NNF4{h%f`Zu6JYBe~oG=6$v?TCfBK#yGwf0++|C`dGQ+ z!X2@_tTWyU^i_02Q{ zej{TuR8%f3GL#q2%|x6SF`sTSZZVz7Q^+lxqs~U{*yGD23N3iJl-!u%Y#z9Px&PYl za(Ct(9p&G@pX;RGdl&7?VKdGn%V5T$a8IEkM*WDB&HF~h>y4MMN-qnGrm_MVqTh&5 zvjxU({cc=d>HnSLVzHH4e?0g|B7Nd~_vDt#(aj;)5B6_fN;njmlu_a@AH(>^GkIj* z{l-q)w)oPSC>`E#8?Bs>#{-kJPgG==o%GE;&X=^Dy_b1Co;#v9!>IUXcfY-yi{kBC z&}&~t3Osp~&%D1>{YT}r6dTs4`tR~IcG-`%F$f}Bs4SA`v~>Lh$p!|2Y?4s4LI|&l zc>hBR6qt|4fI#Lf4tQdHGvO1F^VrypSJ?9++Z=}kxzk(}7J0@^1$U>_Z z=3-JePz)UIwtrHFpGJD`#d&~@F`g>d6(C;Ig=l=+-G|AY+Pv7bN)Q!Laj zE~+bQh46#xkm`q{G$=~9Pz-cP&xwyX*4%zh3!T`FDnOi2Tbn4Q$9W9d7gqZ-us|e# z+cJ!epxn`TE=C2GjF)bMnDRYx@`C`DB^CIUoLgi%w&^FRJ1hpt7Km6Ey%u1_8wI&Bt=!F z1nxLk*xW}PYQXg>(?T#%ViAj>P}7V??EW3GwvY~eG8a)cQNox+)CmsNm=C<(nm&DmH#vW<(bkPHA*CIRschdsk^Hm4^ zi1F<&wGKvX@8uH$amks_H~}5~VEm9z3T5do;$8Say);E$BG|j%T&D9oUF!M-wUN)R z>^mEjqUV;Yd%w47hyJJ@|C_%lgZavQeB$lz-1}4t85l&9;McurxcQM#k`wBqp2Xmg zC0XOe?kH!NkiK+VOEis$0*G?(`~Tn9Z}4eFM$h})@OeW4*7dx`R+$C)D(e;G z5Q|JRc9vg&cU*I?+Cc0FxwHr%Fsh+hcNs?g3$}XS69QmuuGQV4nla z)!lR^kFv}+QcPE&@4dRM|NXrGQ0{wDMd!%X?yA`r^7Yx{6YvyxT|Lgj#Z>c$8{5A* zY*blMZarlqQ5e@CLSt4=R3*AJW5JcrfaH=2xPBC1+MJEJ1GEeZwYds?U;tUni`sL= zQTU^aEC~C}pj?XwadeX8K*Fe^Y(R0Ki_$qB#jbyUA6mA&cy4JzT*9i#C3f4h^G@O zIZxV-`eG1Q3}W9fA1VE3JL!LThyoc@IdZa9ffV5{ z$=8IJ+iO1#Euq4wc-(;l{fWB+Oa&Wp5|hzz?p^CSltXUlDX_*u zE>W}T4p-UXub;hl#Xe076s}!o7=gzrFgq3=($`D*GYsZmcR_Eu6ju&!qOgdd=F0z3YEuDf#C^>EC_f*Ly>?fxltE@Q;qbf8I|2{tHb( zxN7t5-D4;I%rN%9|GtQ$NAX1vH>uacq}~6^L-^nQz5qJ2M=L0pLErWI=OfKpzz+~b z4{hAZGmd=%XT@duG3VL)~qTx4xk| z$1z)Xgp!WrsWGPa!8}{{ZA6*YYboJK%EBxrti*K-yE)28Cy>UDXXSULrQ2d=sK<*)1HA+jI8iy(Pp-KK4jNto}l%5 z_LHQ`dAvrjp*$G=G49Fm$3}Dt;22dDNP@Yn ze!UEV@LkY2aS8)6{L4r?10VpI5P75sb|}BqNOqZR1$f1J!A8c8D91!x*Iq8aPId$d zQy&0JtVtVI-@RUh6jf76=3M6G~~<8C0a+HgibeslsZMrL^9n#A_H8U5~a>sPU| z$Rxn{1xHLCgR*Wl2&Mu|C!%0oUxK`}*blDjYuQx`0MK3nklxW=E)&LGADALIgG|aZ zNT7D^Spztrn6K$HvU+4AaH0B{u&>PR;QJph^lwM>zx;QG7lKiLSQpud^WX0@KRh%* zg0lncZ`Wm5DJ;^T1ulWxDM*dqljua|>jR=`{GdwegLNPWC`^6YsFMIPya6JksP(|> zIExU=h09e50;+B~?k7wX8qmNu_`qtn0#+1B3gv^~LvRpYiq&`=XY%B~|KNYT?f>Ef z^6O=hl1b=o3HCI)10!*B0C^p*>)BP0UAUzE?Z&(z54V-Gt&-Nw+0128SD1#dYw1kd z2VR*^#BNcWv8@b8Kr0Oq?{lDq**|V@O(Z|KzIq||jt92*atuv@7HLqrh!xv=tP8^@ zl>?T2kPkxmpeMRbfz3PuN)%2)-}J{daR;-3I#N{ zb%^Uoy9R1&H9DW2JCX!xYC989BS{jlfG_tr%nT5orX3B)u?>sSO4%~O1nLcLc7l4` zb@M2QqO)lIZaN5dMe0E!GqPv#`UF@+i?G`!7$8efvy@f-7a!ig`CM5=QGWjBc;xoT z?BAjDQQ? z2md@F{^J(~f_@b{s}=CfO%nI6LEsoGp8izV1NWC1>{R0+2AuIga%f>T9(oZi*mW{P zO&Eg+xIpwPwV}GFfYlW|h3m=;;QSRZbWntgn%Lo{HshIH-Xgi&nEmYG zZVQGN^oI_2*Y8{yctrk46R;lbUU#`Zn`O_lV|WSTjz)I@x7E&bD}X_|SH_upY<;bt z^{F%Kxmr4>u*1jGs6Otg%lMse8>0waTi=RlpC9L0$ppP+B}D2X5@h^Kop5HYv=fE= zKvts<(;Y@Q+zy&MzGCpznn-j`BL=(n&f~nDw4F5LO*?miYqVPJIrI%OPy?@UFV)5xXptne2cnX@7ob0{89c4n}j$tau&Mo8}zEjE+?I2#aA5#78s zbdKHZeZ4OI6ziFhV^cjIotTiL0Vf=)pm_XTwQOwb0-N8Q4pZ@yPs9(hJA!46l?|VM zmQ7nBPhA1mz+vX zS_CbgCL)*bn-ObOoikXI?m^~9Hqch>)h%@=&JmASKtdP!O!ASq(!#sy3_1{ftEDR* zaGfl{xw7B602iITD>eoWMI?p1nn$Z;p~X!rL_x=xY?;Vcy-}mv$%ubQh zY*;7Cmdr>fBqJlM)6U4=Gh}3Egk(puh3p-2W))f4J9{Jv^?QA~j{A2Vzw5s5%x5+fOhFyT<7Jrxb$qG5Va(x2JaVS-Ua^jCDQVmp{sWpYro#VsgJBnRKV3 zIb$98k*8vpVHztV9bf-VnJIQ`v7)^ZJ zN1TW6^RWV!z4DcJ*uFlazp+Hx86Qf_yR0bfDqacueTcl?E;{D`tozJ8kS>7 zp&?T4we-{L07h!xTiquEhv>~^B8HI+=;&6FF(`glLIhJ;4~l+54uj|JrAG094vC*Z z2XA2rHK`xztF5U?;7VIx`j(HtWR$v)Xp5QrOvN6EB7@lUwu9E{G`E}l6?L2ef*nC%BiLdiH3=~!uJ&t|aEk3hH3 zvq!!aV7~jRs)ST6@)0{b|r|RA;zd74$-yh$_s&nSx(7(3L5lW<& z^mLxDeYy>r*wPg#s2R~ln`u)P_w%S2BvlF%M=bp^zxB6TVzoU-zQc~nJ)ZLa@2c{}X57RoM+qi>Pdc32h z6)@?I47O(Z@6^o^IKAe!oxq0n^qi*e&|ln9Bjm_Dh*Q4l`3sRj4itZGaAnd`?BJ|) z@?HC&shE)YPy*`EvQ;P2Z<|xsN_}&ZHqCqJwSq;o43HQ>PBwFHm0iAQRGebX73*WM zKykYym#@25H(d;PqZE^+to=R)s~_FrG`YoXH*!e1`Cx*V(V-!UBfFd1{d@dAx;$J? zQhSoVu+fBxu7X0K z;$0D>hiR0an_s`TM$L6bSFLo^)62ykX_3=gEbbAd&N0!k|9Hrjr~KlogtpqtejiG! z^4Os~nd4yx2qhWwQ8SEmb{t~y#pB=16bPoclpRr1=xt8-qVph_!e)Bvrki9??VNtJ zfKA!Y*G+SS=2x}q1#Wy8B+vaTP5qyl%w0bJZoR?$-%ofdFo|035BS}_M}7*P3=-Be zTw4oIt(!<~Xu}$b++C{;XByb0TFYgu2zPlamXMX0K;Uu&b+eYf&NNuYN)jGVyvW|D zwxPMCD$U8^A#TGJRHq|cn?^L=TCK3Pk`X^W@v@(<{(5stuzCb}k46Ok+6rkj>qwDU zezVERw5R7wh>cv(3zBw>ftpv;I_R?Eh49K-zL2^$4+Z=jpYU~g?)A=g&HQjn{mi0= z37DqS+)lfvKjGSX;0SZpP=P$+OSmPJBVR|U-TR+h94Ujg`i|JwmxXdO$GNbey|>#E zNa-p}Irc=-dd5!>WB91*+_1Is;LiI*e78YTijf0-QukR8%}seGGp3p2l@XKZ$_~;Bf)lqCg(gC7%BrXzWJPvaNl_{ zv%N9kUF36jw|5in(<<)&ids@@s52@SXt?n1D`_!ppIp2LfsbSQ>#GlG#CV6EZp9?t zwvXKM4Rn!_id_}sO}{c152lWM8!$`Y+OeqN>jMMjy^i6RfR&(ESKWJF-%=0TlXsar z1P=&_>mubD_el@v$nfIIo;~4C;)Ts|XM__J$-)YgisSlLY zJz9arQ+-ykQ^G&4wCK{M>68;s>bY|ygkz*`@95D?z8-ftyD+BI@J!|$cg?06Dp8Ml z*m?~@E>I(K?w@;Du_!hT$N7qkCDD~C)Z~f9DhY{4a+euu0=sYieS7*HKR+WB2GK=X zF4T(j8-C4hUq8tW79YQX_2SJ2&pnBt+i2EE$YalVL9dB<@G(<1q+(4~iZXct%lfo8uE6V-?6B%o^`CulHsV5MpiLKb zCMGYyVLi%i+z!2I2Yt4o_A6-Nu-u`YH};uKrlDRvTd7wTg>@H7h&Nh0A@?xivcwtH zYA5n0j4I9?zBV+_EPP4ohGs{s3!K+m<4up0SMU#%Wh5)Di2#5K#gwIq+&al6fYonp zaIPdvc)UULk`0aAWww}yH!6m2;RTXTAESVTs9b=If>Zk1><*C~e1=A78U@Vbz#6iB z8WYO7kA<`y=aMX1sYS}6&ADfB?_M)0iNC5%hfZL?d1{`IDoL#E4bT&1)lazh)z~t0 zP@_y__DKj;7JaVMm68YyYKT*j7SkwKHlsPel%JTpxqm!E-?RKP%t6`eR}d~w{7D0~ z$yif(j^i}7?!o)pJ-KVy+n4kQeEJ!`MO=ZjgJSX{+=po}#%oL2>~=e!mI<-$zzkT= z4}Z+ezqAH5x0YC%T=&-+WP;E7zMo=K=Np5fZ_+vb#&Wta`LBV#3NxZ@f&mAVgh3?@ z-*v|XUrM;S`;ex5$*$0TFX71q=+pXZTfXgLo1nd+S}^Ff0`%#sM7OpBTe?fy7p>DK zgb$~a-In~i({=u!PYnQlN;0|s9&fIyI$%lOqp&>8h&*7AH^Km!KH5dp?lx#nPvKw* z=m_feh!V)dH0m1kg6qU6hk_P&rR=Arp?gkNc^maZN+8m&=bd`7NVjkNp=by5B3Cz^ z4rR5|*~T-a#cd+z)9z`!rgKv5jAAM`ycof}wPpusuSw5L*e_+d9@8$QD(MGW6@D=K zaW?l-WF>b8_fW4c<`kjq0?eSkqBldAilE@vV#Kz^RE@uc&-AA$VfUdPi!)>nC0myu z18{LtviUhEQxi#-SerEY-Re?qVtf(0Wy78V>~d~+IPVR0>1;-#_%E)DlFmMkq~Y67 z$*OwUJ{{ly%EL>%kqedUKk^Fk8Y8;o_poq2VkMI_OZI($>3P;c)!2|=k8 z&*SP%zlEX?hgZ6^L^_0qTy(d1TEvq6ez&8FM~n`9k|p+1?RQP&=?M;z+aU?9_PPy>E{|B0HUcX{aWllhPH3B}+cF z4&Ko)8cE5i18q77T^sx81S7LC7fh5|-IAV1%YBbP#SaW;slL5f^~xhlX$_N$qVzOW zz1Cr=4{=%6pNeT*IJ3Jd^7;B^4PKTID43m(dB$sn|0BhP$>AN9TDa#yd~2a5vy0L3 zblA?$e1k>L+ix`j-|fr2jOx!hGw+5vpuRN{dq#7%bv4(=dK|!8 zKw3Wt?zDcd+}6n=|Da!ygL|tcx%FzF#y3wD3OYS~Im{sAqu#;je^ln%tsOA5{am!M zJ&RHxQ^vbZNh5b&x&1>^eI^GjCAufbek3L6e6Dd3CDQ%%L*s6t20GU zx}^+Y-)?!(eX=k*LA~;`wzpSOz$Vau!}s!cu9%o}k9wT$v+6(0P@NK%nPP?($P;^< ziaW)^|N;tUPa*=7N=K{_l92);eW8= zKr`T~cc)c{vH$4X;4?d{J|E4H05^*$+ znQu`}w#)^`YM zXIEC^(Kb}W8tJDfvR0R<&i1mR7*vagOmI5+aw5;m(k`g6R{T7llguYeeRp>9&Vmd} zg)M7!m~t}p05Y0irFTe`QN-4^oL^Xka$;q^B72N#EdT!cWa_idh(|NYU5raIBva@! zrpvel2N_GcRWnletzOxs#&4s{muKmt@HI~lroXIN^_~8yoQ6_Tl?r^sO`YHEj3PEW zgZ`FmW}kN3=gBePXm^{*R0LLL2F?gvbIB`<2!2O0!M<&kVWD36Ul8AxV8 zNKXIqV-C~Az9+TZNQL6B$oHKOPDB_43ZV{zZzTyhG0M_bBwAh$J{b4@l~w4{`ZMK@ zcYhtuF}A|cF>;>o_l?xJj81y3~bD@rAx0q(tR@wf@wJmbWvS zBi|ggu@?MxMt;gcZvW1?xo2*>v;g4SW3QRCKa8|zqpy{AFeKe*YK;DwS5LWYx|t_& z_`{<$er=m4P)+%+!?3ODaxc4#wJd7aN-b^h$alpW*$k@i9F+C{xp0av@N~$Gc>8;8 zaxKg;KQ8hcpE{RSKV?90tQ^d9%df!r44!0%y|SaE-UHc0>IDg4d1h1QX{#bRjW?_ zw$)tPLqQ-g%eC)qt1aeTD3w;cfMIE?Ip)XKjJaz6&~xiz%l2e{M2Hf<{g{r;mdSh; z%%G-(4Hk0i_SWsmCn7jC;#-S_Y{y3;uo!8h%I@<`R$^?gB2@zha3pf;#l>;;-q;6Slp(2wAfC-4(=If1>rQ@x zwO5Q^q7YP!f>D3#j+w;iv+Ntw+B^vwe(%cVR6F!?GrM> z%Ha&Ur6%5~=g@u<9V9FBB^TYtXx=Y&AB=kVPFhk~^)fn}%2hmWQrcnhw$EaN5_Ynu zkI%AC)VWo~^8E%=g}9dfptRI#ecr?QSjtV2!ZziW7YyH+`#tz3%LuQ?(G@;#(OJ?7 zw9re*Y}Ku_YR|747o_!SP}`6g|7CPpwZu^J8vXv1{<-r;;g{cT4LH03oXUYwVRk~x zvvWfn?ukY9J6N%#y=7lYUl>|uMVu3Ora|b7w0gQ8rD=yS3zwsN8K#a~^{KQ&o!OwU z+L3JjXCeE6K{lBnGJP($H)=p#xj#LraIpB6OBt;i0VjLr5)BpPgRwwo6T~-_iQ9zMv zyakmdIIL+Bm4F(Wn`cm+1Cko^yVC~{Z*URf%B#)DUb^0U2D(NzKEKmXv3g;em&u-H zq1jtPPhek--85etDN7SDq$cPOlNL+^B7<)X3ymd z2k-*m&yB_--3b!QD#-PX(WF_(um+^-3oza#y<6-`E*<~s z*Pgw_-6cH;vV7HGKE0~kUN3}xCF5}Urp#5v0~>M-Mceat2_R@3i40>3&b-f#cf~#s z_pN2cYuC?b>+gqiZb-HtJCdIs|J5A&LD<)2*Oa7AKE~D%rJ8I^Uy!_=bJZ=hJhu2`D%~#WJd}a2;fh+u6q=}tqLz|pxgE-Jm6%(R3XZ14R;q`<#xj-1X3kJ1R!Dl*%svwHL)S zFx!0+#cv2)81uWgdc(JiR*GdYs!<2x1MDZ*{HgjM@E;m>Sr6hki^_4@DOfJ>{g&ag zOD1FuZGv^c(b2|ufkep?-5kWa|5q zVEk8l8|j`4stJ~zORRi=0R8q41n7w%a+E+dNrKu>95(b?uQf^h5x9OX^I|n`3hdS_ z)ogqtpNsN-rzsS4{VKIz0JZmoLDd}B;?h80#v2*9)edGmWcVkk`9^KZd+PIS_6IfJ z9YYTiW(8G*u|5QcHfGAdZM0^g^;w^ex&4HZWXwqX+^Xj^U3>g_N+mHLuv~7ZDGcx# zfj`4PEl{5&5vc#-cP|jg^XFzVjD3NGLznW*PC&f&D#|jASYCn2OBzGBf$1h(o;Jv1Yc_UDeDUf2@;=IMqrWxXMDK!UL&Eb`SMreTI+G1!G*I_-AG z2(&u47rNmtSB*M%)gJSf-BBe3*DdC>TQ3bgfr0Ebmac2P+$1P5L{*6j5Dg#W=y{dYbh_Rt=i6d39BuU*VTsdtJ!oRpe<``t zEqgTAG9uL7jp^ZHkMl7DkOwaL1a{R%-7jcM)Dd(w8dh;;S(S3Qkq=kz}N^ch{6JDh_>+;=k3vRl^~DHY6r z$4T*;PjP!h>gFAus(2mzea8`Q2|a5+8x)3KsfJlUU?uERAA}UTGejkMY%`><`iv?M zFC{h2n5l*{FNt;kC(kOYYJy_U8?N`Xr^%^*-Ik>tJO+Dlb!bJH0}qx1+%*K&t=73tX6ZwaZTGDIl1!a#b}?TGdJBz5 zd0rRu4Y%DF{Ub#H%-e#?bmQ&(zrt(78wzeRziU~!DSaL*Nr7IJBdCPYY`G75z7fiz zA(dsZBcHud3B;Pbuzp*~gU1GaN@|O!hl45Bb)#g<`UGR@2+b2cydgy^ zW8G2u)5ZJ3kVkFt^>YSxCmC!?WnQw6A5!$W)!dA?;7;`9&QUHKVn}FhTeFB!NCd6b z&wJydw8R_qYlw<^H-$rIcnUtH0>Cp8tesxs%YC$81EVg@Ije-;zg({D9}|k_MR&0W;YQ6YugU7s;tt zPZc-noH%Ky$OKLW@=wEB`Ju;}7zo*NV68hOd|9WonPf?z#Ar7TKD1N$M60hrJa#44 zLeIwA1PdGz>`>^3HI6<+aQ1h9V%b#1Q)ol4i%?gBy_j_>VjFOSKHW0j04=Z3KW?Q))`Z_e# z&S&eV#-#(;G&%~rAz8hDg^~|VTfyzBu zO$*Od${g~LIsPEh>*G7IBwpz2*7#_)V)8(;P+8TR+N3bU@iSYo&T6FMJdIEletYup zVy=lSq4xAg++dCaRLzZhdaJJ6m&ZUe!SpQ}Q36ymb057Ekm%aGcl&2uhe4mhy2W4( zPnVt=)R9M8c)U-N>%X^@GBOK_IWJFpwE1_AJMt+O%{Ow0+Q#OKzlS`BTO;V^_>4`# zeJ`%!Oi~HKmiO)B4+vMu-0wsh$4A)J!bqTNlifGOUPN%~jK_a4w#zo!3`i;djRF5Np_w-lti)NXtA z`icDmmrhk38ktSrL7JCn1}&m^o$R-?S_&?qyd9p|V)k6`gfHE19N)cxDJD|mC7YVQ zMUf_Lgr4y%3fxz!QXc%(%yPZolh6UCfHWxagu40N!dfSEaV01Nps#zgB`4f(KP;fd zCPzZO3Y#8x7&h_3VmM^~;hFhc9rg2I%YP4dy996T7QLS0>-omSSUsMHM074Dmy%LC zkO;uj^FFi;(n+W1Z+})6=`&)*%cgcRA^1ih&!a{jWH85Y^ot1EWY86oaT7PCBp=L7 zpu_wlHHq>5DFXg?!gaG-8HjM1ZM26$d>TnXO*`=cIF%d_5b0kJ#kS?-1tDRSGbZu< zd9%&iS4MAG>_)?Xcl#K>iDA?@>F@s@d^{YBe&1xD)WKNPaBoCycu)F7TYx%=tJQ>g z%ENc#AJ2;KzD1NYwhv)DW6ZVFtcq`vG2TAG#&nDz(9J;V%(GwoY7bT+=L-igNw|2$`isQl90UCX`)Ule^)PUFc9Gk) zDR{VG1r4Dbx9SSP(BMhZXi2Q{_;7r|>haRu5111to6!T_>GH`Y;|Do76M3Or7*o=m zeVgF3#YRRk0Typbc?QLJ^~7sl*7a?!jh3@$1|GE13}0=&?bf!C@nGZoYw8(LuP8bg zER3)>G9j7Q1=d@p4zL9>`?fXTi>F0Ehs(Eo4U`g>2y9cCR@Dn{^}ljVgaYYhll8c; z)m_=dJSPL5{SM*tWChttQ~6sM!ZxlW9}wyy^6>-El`XW>-X~*BS3PQi0r5QSiYZrp zKhDBZQ7-WAqu^5JfU3K@DWgJ;Eh1{5=lZ1Es*4rIfBX?c-J(mDaw^GMJ09FL@k_~~ zicB&d(+TLP49O!)51?PnLsvHN55e@`-CtZuk3OXq8+_W3-9FJlicCOXJ&sCMgO#+3Y1rw8rVUR_u5TlV;W8iJlSO;XsObQdkaJlyrm6nj5r3dml`ehM+h* zn8`RZ+>D3i2O6n@sus5`+%sCJ6II0(WL#Nr{b*JArXkX4Rh)r<#yO8L?#159WUQ6B zSad;B;ar?pZDH(U)I^`S%S!yVqnO*qC7FF;lM4waW!aoMjsH+EB|y_RsrK7x%<|RO z0V}t65_63l25gn3;lcb_obAlf=3gYLh^1vd#-oFI)Hdtx*|~^DzZr5mm^WTl@2xM@ zYvkP6eVCiPR2+Mi43D$s%uUaRr(S*e+FbxFeqVduojB;aP$Neh{v=`PMweVL1=I7z zhWRZj{ERBF7h0QD_4zgP2m`Dqh;{e=rCt-E2( zA0l6WQ$x?C8{fZ{)(L{>j{@i2VO!iVfl2rMX;~odZVSvL8tz_l{B@GZ!!V|&g12Ix zYQ!jzR#ANW3TA?>>=`QJx{+%@Jo9B#$;f#A!FJeP3KTZEZ$`+EAmZlD824Kv8U7k5 zK`0h{-1U&rN=Z_l8^W?=JYl^iF99WH6Kcbv$@lnO5$S%D7-_vFk}ERSMf;wHlrdRSq4Rv+}nZwwQYn_~MQaLCGK$~#(zSpK}t zLsQe&Z(q5KnCh+0)bO>N+2m@@)*MQ;IDG@X{>>}ALW@zG)f?wGLlfS!*rxNB&|Hr- zw9ANwjbko8-3bhNLP_T7hz=0CR|-*&oH{YdQtqLm$epB$FQJo!$TyQ(nw{JzPIgnD zB95j5q$LR%=`_ly}WzJz>*KB!E?%~{0g|m2nxNQi*c8y6~EW(TUd+qsoe?Q{*)XeZkK~xG*SGBcaqSxt&f(a0?|C9xKN%rY3DC~CT>>ZagLv&}< z2{LRRlGK||Pnv1O@O{8fty}oL-}JkyJ6X^yko?L?tf7`e@hbxN=a1g#UuhqBQyc0h zj>jvT`-%)j)7(D|W9YKlRZo^T$P~~!F!J>a%Ah0!@@=+1H@(nBjUJbyLbd%7e%=4L zNyO~l%oSz9quo+mS*)IXZy2J0F?2H*ibhPTlg7dSIaD#xm+n4GeCG-Mz9$G^x3)31 zbuif*kl6e|cU{H4Nm-V*d%rk~HNGSZB^xB9M)k4SSS)P-Y%Jz$hsfrX)9YgS2cAM) zbTG5apqhV|YJQ-Ks z&%FiLi?9%BN8w?yqojV&+2R=deb0<;@*GW6xW(yx$z{(o*t>6I2ZnS^$O{g)Y|5c4 z)N`o84=bBQX62VytS0WD48|e3RV-Z&caLSjt_^1tO0Ae*-lU)%f z?JH*51dDJI8cdA(Nwd%I))j)l5m)v%?A4Ry@_Rf$9J3+$&YTic13HSJowhOYC`{@u zDAy0=FnrG}dj%!6eg@&HVAu8b;40d!4|^{EhHvbN)$$vVPU~qu*(Z(&8+Yf{@W(y) zo@zb#yN=3zA2Ng%h74MCHm91JXen38nea8JiD9;`6K`IkHVQ@o`(=!dyNrrNyUt9kC z_Ek$i2VY;#7+uyH9?YpKAIOp77!yb#_Wld!@LITKo=FE$D(}5FtmrX~L5GAG{r1S_ z0JBqHxjI{v{H+Vs2qz*23EZukRo?4@Ux0(R@kds6?T+<-u>cl4PB6=UA9uQw$~N~= zvoYu&981IzKqs5@73HKx5Oy^e(Jc!|AnX~ob7m;*dm}caaODWQjv<7<37aP&;VnK# zKenI6Qt==#wir-ujMhn&x-Jo-Zny8@1~FCiY!k{!xDC7PH*!!^hN3eo`>52fQmuZ>9JK3Jyi%xwfND#vz>e%a$NdQ3@}Z zKZ&|tr?@;Fdy8+WwX}uWO^SaYf1t)%*_?iI(JOVs>s9}1r1zmV6Sl5nPlow-_v*W< zX=ElQZzdUX;RCX0@gQrdk66kF`84jFk#|b6lduG9s_U3#z?;u%u}8)JRAGk=OP+?# z$zbIUw7uI=ddP4+hKSUl1-Ls@2MuHSngtb&i9hu|9~bwUmS&XP1BuH-55D7G=*!gz zr|wsq4r8x-J+^zye5>YkjUH)(qqq4(@KQe9nZt@7Dw0VStDSm9Io1!qBi29-718#5 z4i%h^!yocdKbJgrojzFXj8MP2->vlbIxSCJIbr7mc<>vTrqVrEIPKi}l@p^UWG5z` z06Z_T|Kdpd$BEAjX^dH@x@L`T#65>xF_-kK`6?of*=!)i^;s;j>)ZC?gxtsLwKj{K zLkGInMP?q_(sd&VXTNI-S&}`=pm0_c@8#ccbmJK`?c429YifC6O(I zxu=V0=f+NPfOuLv)a!(X7s=T93~$%Kfgss#AQ-ij!%_-(&z$vlKH%`d!qg*e=rx=P za$ptsUGd{NwZB^%q-0$fF&L*or`7E;#|z$GaIR8j3(j=jq(9ZFrAe?goJTllIcZ+SMTg-U68G66)fl;?!?5wH|=9K>)~lJpxB|5zjw z1vJv2F5z!DVZ`iDE1*%4C?;53`-0=Z0M9P5xQci@5WE=IPMy12XPw*}A#Yl4-V@RP zo6d+xav%CfMZp(uNyPk(y$g)VaikDP!homeDZ^>yKH>K#N~#>*2@^ghYS$;P4x8A& zI(*Mych+m%;IO$=_`S)+dY76_UsM+(m@_in`Obp7z$)iHOv2N)!)dzycXRN6AK_Dn zO4Cr&mU>z61D;YnU5Rap$NyG)E$tvF^)3CcBOp5#6hIFMD-9 zQdF+VPne}pT#4;g6kUDimM=eos4RQi>_xnLIpRSXPq5Lch)2r)Wsk(QQ@-9x&ravF zkG^Qsce?&;wfrTSy_WJMPRt25-@?n=lEzZem;etUE{1s}&jzFK4eV)cEN9X@E+Yd; z%+cI&@ZrgpeVoQ?r9))8EX!|X6x`+8bodCS7~D&00}fD%Q@OaJX}l41?mzQvW9Qv& zgD+e1+2V^xi#;SE!k7EONNJ`>dfR(~h&d9nwC+vr?gW(5kFza=XWZ?S(3^(udoQX|cBqcn2_hPru_}BlB8NS_RE1*`Fm0Z()VCWUxFCMz#&Y@?lZeo5&MJkKB@k4d)m6xS>+)P3=lxhOczH0DneoKs z&z_{na30@#xcqA-FP?T*D^WeHKXWhH#X?-0q(1W@H(p%4dPL|11=jR*j((gvGrjR} zK}n9?RAX}f9ierYKXlhjEnn-dW@14Uy=bz3B3*h+l!N=>?}UT5gp@&Y~&oGzq#i6~_hdFWGE8z8_PG}HVuK}JROdxQfLs;-%+Zr_u1?nwxvW2mM)r$opz zwT|anlYAYcvk5aM7zRZTamQmBYmOW=oepnD_~oY5Stg_kpZ0i`UEzK_|Hf75(BDadNR6%c zMIo7Xw$|zb_n;?B-pA4!LppPOvuK(Sx3?eeh9q2YoUiRZIO&wnt++jD$FZEoX+m<1 zX`P$WOp69PaKFRNuwREHOk+}_$djts<@vF~Ap&$Kc^Ld;NB^s&>~oqZcb@pfy3&hs zPwuSTBiF4<9!^`ASgRvcjVHRXI+@~9v)`^furxX(1g1=~qWi;CuHD}!m3H(rJ@Uxc zMXK>5?R=OZm@-sy5}BGF)Gr7kF9e)gfRZRM^%-bfE~-BSfB_e(XP0?sxq8j(=^ zI*>v-Tj*C-+)A-7Y*e2lqD5!HzPQf&dM|kN_jB(kVMz&P%m!)fc}kuwlGvU)mU=GC z?FYW$S&>vM@;7rgLt%I3IVscg>jAIJ3P(T&kCwAOG+&Zl-{WDXD-sj!aX;on8awo( zBhB?jPk|Yup%Y6(xv7Jo9%vFTtLEEj+7r|7E|&;!VY|vt)xX1x*R6)xkj>_DeB7`0 z$?H9sIoJWn`xEac*i*{W{G9J)mFE?c{@PjwkICuts&{2+(f4FUZ>?|8{w(>8hb1|~73xZsraY!s1@%3rL42uFSgR1e`hT2!|zPlmBWK3J;7pnn-1Yw>Bt_(MIAH5KHe z&AM^_>~w#5K;+WV?o|%HMO<2xToOruEz?bnH0F8WutvP=yIj%+!O3qK)rux3OkxlpqMPZPbn(X7=XKUL0Un3oFc0fL^AzduCHriB zlDWp99v_JH`nLS^toBOi^@+OD16su=fKN`}_wC7@M_j+|!GSfXDKqt8x22c*Ng)m- z;eCU_dhCk7$0ck>YCXHisjb0We|3ROX*rU-zA1Br`Fr=g<5a8; zAR#AQUYI}q_QQFz&Q@f3Btr)8npj@bqL0At%Jq#(e7a;IyGi}{C8aKN90=?1rhE(P z!Ew(X-;8w-`|84AA*XJJ2@(&CT6DVD`5c?wUUK$H9Tr+Ve$YX)JKkWiv9~yo$l7S_ z?1w1wJis6?o31b)_>^?xcK=BK9zN5yek+E#&nxK#d_L1!Di6sSg6^wN_6R!T5e#$^ha0v^fM-}GgFsuCRE6`1Doli{)XmTv0kY|o6V|I z<4t@mJ`I3rz-OQZmZ6x@X#Ed#pG*hIuiMT`b7(VoNA5d%XxF(2DF1!Wn1*lFa^W^- zZE&iS(exIy$REIZFToPG@FCHQL{9ZxurU?2CCLRaYd-`F_ibPRTOi;Ai69SjZ8kYN zS2gy+7Q997Yc1!n=BieKJEu0b!8@9=Tb$|l`?%`WBRoohAAvhO9RP8hJ{e6>eBDk! z8`Y$>R!_>jydOa)DA9glVjngy#1TPO&oT6fP+NlF=(WZx&wU`azTNFOIYK>ac-?Xp zvDbfW#jyepxbIagG4%y;w~aN6ApQwxLuZ2c6ElCo?C7IL-lXNLRD5|Q;CKb6H;t== zwMceZ2Xn-MV5-v!w@*7}r!e95bE3uG)KyL=Unq}&!-zWy2KELEOOOV zVw#Vrt+_TA3!p2BXh-)~#>Zb?-Z~RaI%IhD6{|wVsny7NPwfV)4mYNufgc^sjQ(W} zu(9w=qqd&)tfh7nd9q1gc*p30zZ+e|C(OG?2aGBAY$`u%O`5gx{mcwu-r=Q7F}bmQ zH^hyzgOp5eTQXRfrBN7jGOkBw#O_k-tR5}+KQJcGqJ-b)FHoFP`m_Dr1 z_Z!ZeZ&awBFiR&`#j&Y>@w-R%2u-o;;j4)@+vUBF50#4!kE|5`%G`(j>1d5Fc+(1Fxat`K5Rfi2`*( z_%Ro$raf6svzuT1>(}I;uabWue*T+94B_cKd3>agI)KmCnVKwESoEjdxM;dt@a?~_ zi1{!7|HC5wr>|;0C6M;+rh9d9Kas|O_>;@mM>;()r_>Jn z`q2zNj!&eNkhD)1AF>!}QFs@#Uu?*Gd=FZU+^OeXqxlbcU(#j>JIQRE<9jUr&GQ%i zk=eINFWfsiNJGv~dFDfSGpr>RUO4pz$L!Rb;A8TgP3#Pe&RYk zh8mI}e%p*D0Vq)QJm5E}PqG&LUqEmEI6z?|e$<+`qJ%`l2QV$iopLA1j2AiK{>>72 zSRQV%4dHSbFeQg-WlN_+387N69@GP&1wACpCrCW6H2nyVA_hu+1sKprdKZLgHbPYZ zFWMGH_JY46YxABw+hk?ye)4K$tDsrrf6z7l5ex{2;E)?w^)@UfaN$A|a6W`y{=bn8 z4Sb4pD+_ljt%u*XlCjD*FOc=o0Ol|b)RTG;jBr6ybKB4iXucH)c5p#417s2ce!slw z1kEFqp9^tTq#%%|rS)YPAJVw_l3c#q{1_xfA3)Yjs$=4=xv|&ov(aX4PC`r_i~tOS zzEW9p3Ik|T(T8Y6>OXw|*v{l7sH=C;Ha8+9y+^k&V9b95plM!`NkR;@8u}iLKLHIq zTv8051@$IhpKIN5rYDh)!r4nY)0z}!`{0b!)1ON;)ip0-RrSQ(x_$+27rTv?qhL`B zxOQUT25i5w!*%?5emD@=ULV3}xa$>HJ{NF+3!%5<`ZIQaiIc1~lkctjNx)6XOs|@tA!jB2fvsH)wCEdueX`n55POc!pHhOw6na( z@*sjy^pp5+__qmGx&DjX_TOjA|HI!%JK|S2csSZ{=bEGKk`P9h;QN1Ym;4`}wEuOR zu<*N1mNjqg#jHb$W00S@h$#9#roE__v5Y_Zc zSj*82JGfTc<3GRhkPE1KukX)*9)2->_wk=$(0NfnmMHAD^!jN&GmzW-$75hHDjZ^bE_c-L0$Uf4g!R@mrfzzLfotxG3@ zi-y_KPMh!^e%(AkdJYmP@xlT2djM~AE4_CCXRZ@5*{A?XDMFs7+SuL81HsYo`~rsG z?Qj$P|Kw7V_QuuZ)+&q{t5mYyL~wg{i9?7H=NXRy7xbLZFiS(g+RMiH9KtZh3{Vir zJ2wiC#Y^xSZCkdZ{S74ie#{X4Y1aVm{|V;s@4iHQY{)VX8pwcS@*XH{E)*2k=64$R z2oHDHQKCfhc0up_wCBnf=lM~8-PNx;P7WaK0-1n@(u23a7QnE zCJ##epDB9;lZ0Gye7)P<5UxCsQuS*${Wt5+?rh05+sG?ryTTp6VKt6+SsjXuER3z` zY#gCi$Jtb0yGc&T42!8oq@fp{$7UO_58)@VY)5sJmxGPwtW5(|5z)5OjAWSC7{Fmm z`hwh}Ya5!q_Fzu2GdZfmFne49XH(rMRzSjSL*GtHA5N>`P1YYtw1%9k5`|Bd^uVeS0dwK{dUJ>mG^5uUSi{z!A*wt9}n4=J-LK!!NI=Q z*i!2IX$L-Cq!OWOfB)pcSMIQ=YI5a}qg5pUUhRmiVId#yddVyRtP%j)sSkU!CC=4g zbLZ0;<6iJjbwMF?5!#7w)FM5XR42zF7-c?;yLgNGOgC`wpbU+HBY&!I=(Pri=+X-( z{NZn~io{O01e(Ff%(qs`|MWXpL0m$%R)hJPAHp|=OVaD%Bohly^xbM9I-F7FP<6gG z8_HtZ5kiM z1o-22uym+VGxLqDjF!K;-wBy$tN;s%foebzA#}D}wI{#^RaYg)+sa2Va>DNN)qQFc zDw8YuWQ|1@B?`sv2*c#@GTZ!KW2xl0XRcU zY%A20Fa3eP%oilJCGcJ}9H+I29m-b- zXP9JG%TkphjEpmo0)V~R>%0ibj~;WHAr9|QkBx%QMx5IfgZ~T9QP`ooI1ZVBqCz4_ zE|uSE%K6uIrf~k>#=iLHx}!I|Xgac?w}_=+5_5M7@g-`nkwWz`!qyQ2B(;lc7U@fT zMWj@IfFz6Rs0Mf82!TyR_Hs&?ccYNCTGbVM?yDd!pNCg9tdhMNK*RHJGdLBzX+_|+ zFQ97z4=c{b9J$E&c~H@rkBJdllN1^uDw+~siSScs56W{=67bd+8ldVXoCj`C?xplG z?3gfjJYNDbKP9(eynD9~%1>uXrgW&Kj>1}?{?#NR={>jX25}(^NJs$?X2%pioJG%z z^*!YN%8w_7>P))Ne`R8imW&v@%a>^loS#~-u6^g#K!t6)t9+AuL>2CP$LMzO0nsW( z+n$%FX8v@GH>2tNqa$~s?5Sk@Rf+uu#%Je_tD$EYhy{C}b-NMy6bz=gRfx7O8EN|s zW3o`IAF=i8%k{xN}UkQ2S(|-tgc|f^T+fq&(M$iVv;U$*=O;#+Jjn`IC%gk;Ch;p)^Vf28Xlv3HyUyoOOS60~ zqSjUiLwc0Hh(P03E2-B1!`fRwWwpL*zk+}?Qc{9S$V*5G0t!f{(j_G+A}Ao;B}gMB zA`LInB}#WHA}9ta-Q6!Cc<#CO{`NlK`Su>??>=XYHP%=|SxU_LJa=5z@A?JyR%PWi z%M?v{c3tnGJ&s`CX7OBo`$Q>54LJ^T1FNs;BOk@y)r{N|yymBVDKS>{A>%MbLfjo? zj!*KB6sk)S{3~@wB+xT8>HXL)-T>Kdn2s zjmZ_eh50Q*MHJDK(8VNl!UXF4f|| z@+Yb+DuWWw#Haeo9`;Hcohn=s`QjbHN?ElzX*1Ec`j+E0dG3Nom$#V6L~P#1t-+MX zr4z6y6}9)I+h2V$l29h+7xarGQ0i|6rI-82`?|r>cIA&ExvqUNKDEkb67Qm5x+CH0 z^CaN(L6sNw{t2M+_&C$TpTT|{-oYBU*sMzN}KM zOYtT-%dTzF>-L83=l=3CW>+`lcuJ*H-p(!duH)C7CWp1cGP~=3XY}j!zHzhQif=-$ zzdECr4)I;JNJlzv8m1|K{nQh96KLsrTs+*H6Ms$zmD`^5X}B3x5ne!T!c~m0wb_)X zcyyym7qF`N*2x=gqS)MpIRuHz&TqcSqOy?Lp<=;ex-c1wQ?H{y?M~c!onlt#N-=4! z5fB>7d#(a~FYaQwDH=F7Bcw0teR)nrT@|aZ#ytRybZq>UKS8S`HP%k0+ZS;`P z(SJba*dPA`opb%~p>tLV%>Ny9F8+Um&bg7te4{bqO^-nB5FX7+XgQ8>I-3-;OkLqk znWUdO!CMLRW*u}fk$Bw20k#6|Vc3x1jLT=^*B}Wv6%AFmKZw*EH(zVTqp4P+mb)-8 z8l`e~CH^m=b3?F@%$O%9H+eES#c`*6U#O9Q`BH;!#~w4auHTgzqOIZ!EA?+)45pQo zl1Uu2cqv$Z((Bn}^_x&Us!rB?%B4FBTfcV`Rh#LV|Jf1z3%$~;S|;Zo&gma#tS+N` zQVt)m=_`ePakOqWXXZ{Y~ZbosK(lb6%O+v<34dKC)8(| zk7`6z$?C4)j~>v7jp_Lony9xHcMajnLZUW)UzQ{x8$G5@17G?4qvsEjMI5v5KOZU3 zM^G2Q0nQfl{jfRJUV^p@?}L>ViC~R?tXiq^+Xv?o&JhQgzvig%rNz$w#w!&sHc7lVV^Krp=`$V;d9Kn z@iP5|Mv%#8H+;Hxcgn;p?fD^R>1<`6)2Om}ZzhS@&ie0|LrPoIO)ReBB1f{jt;b9r zroS)fZH}R0Ty*)1rOHo(D^@^uxe=w|)>KXSn?bVna*k>BDWC)#5nrQKP0^02@k5CX z$bwIRc5%saMIX3{EjM2jB&?7W#al7847D2ti=JJ*?8)cu4GI{WVdJ&u2UimmJH-7PP;FL zOyDF~Uu<=w|M_m1wZO$>0IrEc=zt&mxMJ+Fyyt5zP=>q0;Z39YR}CAX z2BWkIS9L{qJQJo3AAO8tdlH+VNeaKeo}l?#1xXRqML@?-e$eDzLb9=R$vuDZeSXFUbmtYzXDG*Pb7vP99M!%=YhK-6k575i4mz$9lU(9N&G43+ z5iZ*GpY!JQdVcAqo8u;ADI45RkhYohF{pF4QTDJZ|Az~gHzNA8r>J|9Ey*ZOb6lWU zrK6^$=DWwP1|8$QL+3LXxrMI^??=m2NyRvEN8SnaWO4}dmfjtV%F!%V<=D7obC{TI zuIzDCzHMH7PTT?&>0bTB>UXSe8AHJS=Tp>K65$9MU3n~B31fMVzH{S)Q0L^$#T zK_X~L@e?(=O?Rj8Q6;0>U9_~dfnKw3IjAsyy2q1SjD<@4yoJc(x{B^lQ&@2(7oe1= zav#2Uwx}DTE?^a!;DM6qI=|H8tOK%W^56spy6`WLFH76F|5>Rnb2+swsoZx6@#*s# z_w8SZZyap+=>`(Xn`I04VjitPH+XlsQrx5==F!FFa5px^C(S3WImAC-@>LAl@WpoV znsq)+PhUFXiV`8Y;odb+E?{#}-(q&@P~K!SX*@G-`$(>4+-Z+Emm>du#fPm@4DOyq z`Ww#bv8O5n`Wi`sukRERu5dTWJ>srWJ{y4c)?jJ5UsePYXM{P2cFfZN=G-6Ch~4d3 zAM3rU?~Q`{<-nZtzNF1`67I2hG+xtWG2k$8&uuLBKz`9j7xU^8+}x^Xr*M48@@{p_Pf)gE`|X(dm(hYV-D>kcnr7YL?`4cU-)}G<~o+DWmn`A&NM2S zKU0dRq$)!{eUVGQxY8S;*vsB%GImUteYyEWEcYCV>~Z)m+T!~q^ebPGQPX>TrAdl= z`=~c}Ow4olVPdLtVqP=D-luQ%@!N~!d}5WuHB?O+T~>gL^BD9h87ZIO^%$sDCTuvO zs~ZYoDOEN)2}`M8KG&7E(_s|2O^0J-wwjmMu86ubYx7f{E`dx-^(A{bgH;=3wM%p) zKIxA^_3Q0*?)@S%P}?G@BDtB(S(EcwBoSZ3?*{c{;}9N51eUz6TG711N2{zSz;AHI zV)QaeSCj8_UT!0blHq?FEyMeZ~Pv;^<^v?9( z=R8vz_e|TDa$DAw<*uh4xtY@g2u6_Re9hVeeXH7s_-e{2qp=TKF`a%u6_?f09KQd7 z5>06~NHX6A^B`N+kMTQE4(gK-zp;B4`n$AXL3)9K+<|iPpJ%ssO~p~OOT+R*q>-0y zkB7!}5y|V5MFLQcjPM<-?60w?l6^1GQc#>B5LX^@SquZ%)7PN!dS>xUw2q!l%1RY*$1O@68wU%&z!b3TNh8;YikpP;49(YfHd;9ndM!ULrQEBkE%N<98I3z% zPf<*Q42EbLVDJzuW^Bynaftq^$-L^O1-QE_BzlpSUVTep0}jfH{fwRoA`k=;<)DPG z$a|@a4^81W=~f229cg+cdMh+}$_w@{432ChTyrSBkT#`+e-3o8(-pcQ=zhjZJysIjy>GCNVqv5JIQJ6qZ~pbh7B+ zag<5fDCs4OGJtd^jN3C z9vh!!fM$&fWcb_-$`VV~2jR!pXFy~fNVI9d9`H z5=`hf3I)gkzTVg&{v?ptI8#i_dGU*^FRDd)stj`N!bDuovKe~ZY#{U;1l}C2nfNBi zQ5U89zjTH=;DB&SEQ2U+oYop2Lahp&e(u)U>6H)mG;q3hI zr9r@M6%c)bOT9CYS?gqzgQauUdF&)B{a+q%s$%H*{gOO^BphxjCrc&LShaH#I< zn_VjAO`p%XL;Y0!pKd6YAD?C689n&XM@dx`b$P9UFLOXnSohn^j-x%p)R2#VZ0fG7 zIc*@q`slmBk-8+otI1+x*>-HJve1{dhGK~n@AStyOMKSIYn=`k8=LPf?!ubJ)5ZyZ zDIZYC#;acfsE3kcfqcuP>;$G@TYa@mGdG;@jk8N)kYhSe-4)_#HyE6X-%~7$&3-!9 zBX3lQwW_k)DAXgpm64Z8dcJ9>HSS= z7_>dDnvd=Dw>LBl2YH+MOBRZv;eVVV&#m$uZ7_~D=xd3bLrNiC(b*L>ck3onk3H{;D+3$v*mvG+Ho>W^I#=xW*kHQn9nn#xpLrsa@p2Ta4*7B0r+ z)}#W?t)9;&I$p2Z!Yr!@N20Afw`-w|tJa91;Y z4KU|I5Nq1sG&JRsA#hD=C|p;H(f_R%RSbia%OsA4`^hUlGihdq1{z{|K@@q{XIMN> zrBM|sAmKrtd<&SWZ7r%YE{&T7To;ReD}TKcoMRHykR)5elIYFTFS)eu^P^BFD}<-# z3@SgS?&+0nv-EQWs(C-7C^IL6L?14Px_n(~Mk0dh$0ewqW}SJ^ zPd1ALXyfm6WDW*<6<5H(VYi_sUy%0GPzVoP3lu~bxYh49a3#>HWDj-uS4jm@&Y!2o;13^+E_3b9wd!N7@~2Rt0lgmoX5ju4(ayW21O9>P*qh>fX5p_}#+n!PZRFjbqHleLm%U`ED6(AaSS}Sg*Qu zlo1+|kM}>CYW-g<0GFf2`@_;vF&0sgLBWq3EXx>6Zy5JXmwK0qI8;!7GCmBqxOnu0 z!J+Qx9#X-M=^=E@+A; z3m0md>5qz>P==@UP?9uING|CJTYeR9%9L=I|Bxq%b$3s1uU+EAxHHf5SGie`2G00n z1e)9-N3uwq^HNDT!&X89Vyc*p&t7&H?s-0m{tY{7eA*h6$6TUb2W(1<0;j>1uRJz0 z4~t@&A4Ph?)4Tp9`me&-SyPEg=j7RV`Z!7ScAY?i7KRc#n`%(3O6dpUX$qSfQP8oA z$7sr1DoXyKj=MWFL%Q>3rjWN#BdVzQmv8FW-hPJ1Je~Nfn&TDmo^&+Smctz&}p*+~K_JjSZQo9@l;KFO|q0BX&unD-g4i|$YTE3_Pw z?u_erk#y=4ZMj8FTn{%_U)He84dY&8b; zgAdwJfG{JjT3I1Js@99Bb@Pn4=u;*Lpw9-aS7+mj(n-7bcM@aM%uHA}LXRd-H_8p{4Oy!me|e9lQgDtX}&*$7u@dofnC%g9DI|?)@dzH10=?q7ZbBS!StP2?kC{- zzU+8f37SY_!`X9({v*hc#c?OlI9zSM8v{aZm4#M(L^!4i1%7Hd#r*q6aluchWU2Yy z1`l|>$_jq0uMc>mgzlvOd?a839kZ<32W!%`9E~TO zPB2k+r;ocjYth~BpZvOM6MDczqbE~{?i2Xelaayr!4WWUxUL5rJMo!d(8~8|Nk6BF zfuKWGko8C?8COz&(+Pp3YL#DCOKpD^D~-_%Anx#}^|tt^IH304{pG3Wej{HiFPc0l z<_wjEGa?6Px^vtFBMkXrm{tG8rx`pG=|?KQtDfTp3OByCV2X0_MakMt7(Z^-{eea* zRMcsnH6-xcyV3WyN%-|o?9P&*IR8LbR$44ScC@z=#fR-`tVCxi`{(o|>fxTmHIoMY z7K=EFUB(Tq!f8!!=O0FaMI;5tC&&6@7PsR#DE@Kq73zFj`i(V*8K-PMtfdNgP2Z$ z^~(ntc_=)yQ~>|g?> zO9k*S5-|hR$Cq0%g}i!t4KW}fi#C(o1W#!gSWiMBOqK3eij1Rt$~jEvkBcU7n*v6~tLPIvco z^IbvO_bs=2ku;XjE+z^SpVvaRFGIO(gb$%-C{;+8_9g9{+hADw{kSW}3tEL5Ouny$ z=GL;kFlQuJQzzA5bfuRAdhus}ck-B2VdJEq2#aujr(W)D!XK+#Gj2m0?QDVXI}wb_q*jDmn);+u*L3D z6~2vFvr?oB6Fb@chNpWgBlf`U%+Bb8>%dXe(`6wwNp}utGo}jQzXPL`$l^uJOw8>k z9m5-`v9uJg1gw-zqX9TWFYo@L0Ztmcmmgitd1|5mZdA(4fWBl0TlxEbW!K0)>~Yaz zM#mmzjhDbwr9qZ(KZjO^E|`$plN(@N^XE2HtWzCB&KMp~ zfG%-EkNc@ur0AL_c@qSQvJ7f0(ydXBv8$zXw-K}Dh+(7`rU(5-Yd-fq7q#^(vLn-T zO_nAaoeAhJ6`t_E?o7My_GSMnm4Q^i12~aGzB-LoM#a98zD#o*1rp1FT6s=;7Y=7( z4z7lr+MoAnH_y%Oz+mfvS{Sv)#EePe1@h)t8-L78pT+C|IZ9uR^X&w=V=#q=)cyX&L6Q@_ zhRHNG9bWa#eRRJtN)mzd%h&Ha2~(&jA_l82#my&mV%dwyOkiCWU-ZC2E#XOZ`A2x1 z*(g{G_~`rK=scWl_2`p;bd!M%$U)W!uz!|;m>ZOo6qr0LHI1$)wB$sUJR{|i3KXIV zA*mZ$2}{?FTYqdJ@QX|L&CI*zTf^h_mLtt^>f<*`-8_DO>kgX;1jGL;CTdTzerFhC zE4gRNU=@FIFH=tBWHS|uoOp0#KtiTOW8@GZIUI+A0m0e6Dh;o?bPvKq531^Bd-Qg7 zvh@6unCo`jo1sFWx@Tc%`cx%V7aQ<5gQ&{^ia1XnEpEf{6B^BUD;%MP?P}|$j(8%= zp&${+hKMX@LOLigwO`Cq@c3U8ECk5p3gdfo$46UO=PsI}Fy2toX5Vl2?HV#&)HFf^ z3DkV{L#(`;L!F>%Iw>Hqra~CvBJXL-iF|egIw9wxaaOS_nC2s3obM$LM&j zotjQxAir$aXCJuyvSB_f-*5K9lA#I22tNuFV>jM?Q>7FU7pFdi;P<5zMkdnL8{XGx z9I#cBs;S4ecuGwgM?^Vk@0d0%KZSF}GrZpO;>M0bruX4?+l@tJM$-ub!i?_)h#VhL zFLU^Mg|}3jO|}H6#@MKfRSz~oFZEqrm6xD6)7hQ@2v{#O$mgM@KXc#n=1AzKO_U*&IBU`76`qhg3&TaWyunG@``$e5TB zb#4E7tZ;6S^Y0}*&RUi5+P8E3c2_tIsyNzfmw>1U>mJFk_F&H;=*Ln_0sr_y0T!V@ zR6~>^xU?qfh%OE*7l*c0Qb|egH~h?sOdgM~XFXfY>m_q#Pj!%1_6a&ibX)Fes&pYy zjbv*(n|fgvM}5^Kl?81sH{kwaoxyk%29j+BBY^Ok!y`+x`5}l>6DcJsfR@aUa4O>8 zx!7L`YxA3!tWEP=E(mEuOxN=s3IT!pV9{lFo$ztv6;`df5BD8Jx0MRhB*6UEVP57R ztkn;)-hZ%GseME?A#mK9H>nWjbe|1HZ5F27t7jWf;ejW?Gge z`#KsvcN-C~p5utIwTe(ph!ua@L|HMgnm_Ix^zL0b`%!x4)y~1o+K%Y%9nAH*U}475 zcFOTwz-rJtF)&4du!jv1VY@P{yN$q&b3d_GlSywbUal}}$J>Hvcn{m~ zqf<`#A-8#z>D227(No9SUhJ)}!y9p%RED@(LoXbg)8e(_E7H&s4cWd=XTpdd5uC-K zrZGG^h1yC(^4z6IllSh>l>1ZM-hX)@p4|+9D;ETC72(yKh4Jxfc&>1@VMqCmS_Ti_ zpDmwur)QIxGroSNWlJM0`EN_P#B$7d76T_34oXJ?_mG&8{ry5tk`0=9;s(u^f*&Cd_Bpi@S_Su4HXJ?QP-O?ob0e}%`NE%)c-6d06+74S zKeKLsq>M=ON$PnTCZ_QOEzD^x9xgXTJ(oi`Ut*G>y%}NfUHHDy*jg>9yn(yZbRrqJ z@~Z~O)7YPe!VY*ABSF$aUs*XXba4SRG%^ur>5}-M=_$9w5El-|*l?ewwGZE*q5G70 zkCXV;N)n!E>1u!@sAnQTJ9C-1H>M+AO=1|uLY?mONzvjiOWCEFa(A19MLQWzdxg@8 z_il0WBz>Oz_je_Nef%^&LM>>YAi9K(Pj%^LxS-rF8Hta$&ikY_w5Q6O-B9_i~<|D(_}I9}K)=j*Z^WeJ+qgxU|H(nX>R&rBr0; z^S68&tVpem+atFDh7j@PO@?BB;`lAJ{!}Mp~i^~dYT0A zyNYjb-2N>e#yO+~Q{~UW`7Qh>C$S}`nC^=$I%*JU5k|j^Ai}>b~o2{9!s^pRFNvX*B zY7XE1c5IJMpFzFb#(HGG8(RA%m8O}zVrNycYc81Rr(tBEa%`#X{^CQDKdvgKTJ0Zj zR2~A3`sMA;I~mr+24#|?+_|nP)(7r;t*K$0ruh9-n-5+IEqe9Ko4X8KAPs)DZiU9KUf3dLk6zI< zYGU-vc$8-bYU-f6!&<=QtU|g>pVKy!mFrwDP;F*+8 zzrX{E3#O4f$o@mjbx5)I@}y?lb8I=zF08^syFLC@QLr`fNT=^}Atc?*XY{PP6}41S9bFkL2YNC0^1NOj2pD?)^OAK4?4b-BPWDHoJ&Quo z#XpMgUFQdLYJdJ&r*CXv=oQY+5t{(l{~IHDUI);=F1L3043-*GVhYAuUJ)6YQe|=B zkGNdEn|_8H?jP!~3}cgE!z#N1(1gq*L4c7p+GmxgC~RM6fP7k?TfbZ~6+FPc_fog^ zufK2alO|`b{QT?2jn+CJs8i$?!_I?1NzpT7?I@7*ChQgC;=qWNLY1@;YA1fHd5@+i z6BzRO7#|X?ryJ10S&O`i-ZFl%^{nw~Zu?kF{C#hA2G?ZNN#)LvS)+Kfb=E@I(@Wp+ zsJ3W$j8K`Agt?l=~YXJ4OvvRH<946&YJg4-on5u5w4{sE|kgMc0JP*5(OH3bP_}} zIfKm7c%(qzMB|#FeChYHaxO2-YwHgHh}l>huu;8xXW_UHy)!mFWN$jQFQHly>g7Aq zZ~T6xP8aSu^0no%)70ID!WZHfl46yhBz?B)P4@`FLH%Yzc%$VjKaK;c*zdk(y{eX8 zTsLKm5Oo7;DX#K;=-yB?Ht}3y>&MrK`83yf(!09#U?54vckp2E+_CdgZogrXseZKh zo0a4F*X+J7A)j%ZpGs}Hrb&4O4Fvv75rKoNsQGg~|FPqCgx*}XQRRDu&L%8Bds^6m zwAgQ>0!2kZ!e(D;o^ki@DpjTc&25}fX2UIhuOG*Q&*A~;R1P-UE%4%c$X|u0Ws532 zGnAy088u)j<3P_bas+vZouH+-{AjRrjiXoQE92vq&_D{Z0GJ=OTacZq-w4uVAU55M zOo5s8fKCGdNt?y2DBNGP-tIN)rE@=Sp=M&-<}b@p@38qc8Q|*&%kA{Gm&;y&Y{88T zt`cr77=(G}Cehenc+C(S0x9>(~Qbxy}!S$_0_BE|n8D$ZzYvwnI51YQ;j6gN?VXdL~bQMV@Ez3+%yCFuoOMSzp*< zlZkEmf3>V?n4(J*0B_#;urnBjSU!HrzZebw$JOzS0>$t;h)yvRha9Q>J76$>;Ztbz z&1IBld}y%UgT%g6Q7vRLF3$$WTD~@7stWV%RIkjCg4iafK=~4*eFGQ%*bQvLsqxVWcQ`K}>nN|+G7)J&s zYB}!v!N*b4hektOfBUt!T~>c7&l9|rIiv#LiHA7RBGaKQk!s?52`Fe&O_{D<;6(sL z=aCQ@`#c0IROh@jozjOxfzrm_l)M4Q?8f~eT2m?~IJll$S=@vd=Ow;Fb1d77;*h@p zCH%)LaS^BI0yT9Q2wFwsXyvfkVp;&%#_53Va}itZO2YKrGfY0Dw|{R=|5DoLVMAz- z)DU^4^3lBj(zclUFz;dd#}O5ftaMom8>Rq(w6|P~VFoMzMkiOh2?lBvP5(w{l4fl= zk-sAGeif5^9JTsCAT*7V1-un}I_%4ILxHmcdUQ$RQMv%AE5cy(AAy_?U|D(~=;_sn zRw#~ikms>;3Rwt;Nmv+wIl`KJj>EyPD_=@PSMRbif1*-w{(8J5DZxAY2@~XOZGh3K zIhf>|t_eeW@s6uA5Zo6!AJ)PbV!kwx+jR2jL15$Qo1<~-O5WlK93z~!wG$3M`fJ)) z;H#PvzrO#kCr1Ap%_8&QJc>=cj*2>Cy&OShu)d%RKx7jzHT6nt89fup{FV)FKXSw? zpj{2VsIZdK%;RTV|+>ck5lRfzstaIFrG4FpL-<3ECsE zRfU^C4(l&0fb&F9@H>TeU=Dv$fcRtjqIaaD#KjDA!@F?R1 zXhJ67wd^*BF!z@i|B9XQ-y83!1hG7wITpLS`;dF#|NB3ZAFrs_%@PN*{8er8e@X}c z<5y6YK%(N9&FlULuJ!-JCrH37DU(F8%P0C*E#QAYZH75Qokq4^z z^vE_l1@U&~t7l0wr!IYlOXcbf`|(vBE$9j~07G!6sQ2EX^txBy<%%m5s8*cSJ#v{6 z{fg{-quQq?@{P!-2-d&Ps(yhNKVa|WzaAL!A6E7AWB~(ma&lYWdku&}Btdj4SD=|o z@dvoentVRi3W%02^96y!$+g)$n#K*@hRwiy*y2r30Dq9S(cxJty#5Z^>#*b}qK%;n zr+PY3+3AiT^u%fREr9LYtNWvvJqBmD(FGK4J45l)gS#*RmIZ`>98}G+pr@x;NityX zzqwM};Bo}}dn$;pFA_?_=5iSLS-;gUiLwqlnnJd-m^|!r_SL4<=1IvwsKI zOkZi)6J{#yEP->Xn%;N>nHTp7ZbGOgosMO_Z_YONIl|hFVQI6C`ctTF?Q}kSh7$xx z3rIvz(lvSTnI{X{XqsLReiwpE`Yi0PKQl>e8%k7~tI~!4g7y@Ej{`L$<)c}Otk?RL z3B30uejeQu{m&=nUw!i=1+lGitSor`i>pvEtp$#%4r)CkGb%f%NB&u>L8dGZoI$S? zi{R*(mKYR9w%-TVpAZZoqy$(fT>sZ;u>bi;Q3B?%1E=amAyhBvL!h{$G#-b7n-bIT zZ*P5Q%$dQ7gQ2$%C{R?`LvBmQe5eyG!VF3HfptQ6+!z3rcFE?sgeiP*?f-*U++V@}wOlIxG)y^IasT<&1c;rVJW4sY2z0V=x&X*s4~12D;j6vy zUmp`%Ac^vNNw#d_eGp>sr$c%2?L+6~w*SfBtD5Z_%T|>w?GMNt6lw%66f!@ zO8;IiNV2PQi`Cf;zm+RCc(3dYDBG?pykpF|prQU*YRm;JN)~vDX}nVIU6Ost$<4`00hLCOo53Ln=O-)j zp}^~UZ!tcJvx}5-NCb~L{EhuJeMUN)uzw2w^Lyd;G_V-X199*IbW{D0U}m=gt>ek; z4-o0IXkaiiyZJ-ul>Hns?Y&&Bi_qT@z zTa4tmpi$=eBfz?Z8rnDNAcb_3Nd=BK|8 z)3;xw<96Y~S{98g9AyjH3H<;=1o1niirRyQsC%|3#nxhaAOhn_^kAcTsg>wXQLikNv&NzP8P+-eFl*{*ohfIdw zeq4-&A(B}gi8<;3ypjc)`gsdn6CE%OUHPnll35894LuC?pb9=0S;YhXBw1?qbocBU z$eQdxJRZjORD0PBDigr=@;#}N>y)Yz8m z;YZVnK;VgA};jYU$qhBH}42-@pvPk z2Js*%WgugjzZ^-HV0yYZ(*Sw!|16^8WXeF-jERiV?#lPkI;?d0+<6qSNA6uNF*2cp z`pg8vgXsh<)vce=&XKn=L%ksUHXL+KY-T{tF>E-Br_c;_hX)GxbQqfr1M~igXi}2) zS92g~rbZTZWewZP14n^`o4*jG5f1S;kdmu%<@nuO zIzka1PDl><#FNz^vqf4R^?v}w2nhV-!P^P0)m*41R@Q96K1KE3VE(T$rU7H*FS;m1 zX$puGAEZox2t1*4T7YRF0rXrODyV<(fEg(k}-EF?TvSVJny+=^q8EFnlo=YN6H!0 zf!ILtZg*Z@44*i!uhq_~H(_Tp#Arioc0!_()D_<6$^%>N^6adoZPPQ>zuZa9CY{~RU7hI~tfyWFm0PT(^2H8~J$2W!`; z6xiyMH@?<-X6(Ec3sidf00es8bzCc;$J@2z*^86YP2| z$_XiLQm>$;Q?4^KG){hZX3Mt+pD-t_duQ0Z=kccI%z}pnTtew?6z&;eoSP4ywh^%7 z+o;cQW0#R_re_l&v>tcjiirscpQC3Nf-wy40r-^eo1!qPOl7Zlo~W~=PcymJy-%Mr zkYhA68SUCCML)?}cP8Ea{u~BHo;T5Q`~%2$R=qUt!*#HV-L)HUJQ=?Y?We6+HbAf`;#@ zkSAa^9O>+Suk|&P+~lwveTnSH*B>YsOgPq?*zsa>84B!p(EM>43}U46Yn(v0C25C+>q?n|gf-GtkVs zKRFb$==I>w*q;oFy=ugBx$2XV?Mt(Hi`eA+<1))X69OCmF@E}2|Ksv)oSyl*dmaPt z{RgUfU<|dFKn%vY%g{(Ha@a|SJqEt@G-%1cR^pAfe?cxFrJl2L5+2i4d7;_CQMI+Fo=C$HRdS`RW(2*EmEn&%gpnMjkA9*R{%=SCem}W6i zV}$M|o&J(1^EZQBX1S2f04obuB!6kmG@;tPde6OOCW|E-1;o7(OXjo)5hoPtk^RqG z)Ny+%_r1G!LbiS5uikBV;sY}%X;0j(SNXo?q>5x`q&>^jH3Ia09bk1aAxOme3*!V1 zRV2-(>Su!03;{LCV#>$X*uxr!&cpu-gC5zT4ZK5VDe+vD`o~KkubV>GGOInLftP77 zon!eP=o8)HXBbsWz}5h97)Hdje3JH@j()AUG_>KK7G06#NLo}&O<>0j`gZT&ENxC~ zmW#z!?xnB1Ud4De@}0Ka+=1mvp5|lb4QQcLYr09?TiqXktOpaBohd?K!SZf~-O&-T zhWeX})Nlk~otb~Na<8?8pkI@w{3+csBh+%^`mNdok#TL~B&cU26J(r z?XI#R)FAW~#h5G8A6R0jplYTVsElnnE-35Q-`RR1tFx%~D6@sRe0`en@jp3dFyFfB zd$hz};l5>V-}r5Up*V(bq~qo?JD)Vj<8`jt0iq5;Wf;R=W3(llR^yHKdP{u2}n&f7?Xwuny znN6Xw&~lmKBw-ClW73d6{=K5-5#P3XY5h1qm3)J7wcx2@;b64nv8Nw8ASA7mNG0bC zO9m%PqEK4@9!Qr|doJyr)IsGK-&44c#)_$aGnCeGz~9~S;er@T%H67(qAE1|bF{?h zOy_ZaS5~RJUf?X$xxziBj|nKf((ov4epBdjFDxaOHV=e;GYzulCgFz?Nx_Hvz^M;wk zKhh(6x%-q~%W-W+=j7npOOn>QJTN+Y?K`vfiBf*QbS%v6n}g;&P+cT;_yctYj&6`E zy22@TSC{UUJUa^^+N3Oz99nM$eiRPh`_GpUft)HyvB;O`Ewt7~HTn zoz;9DT=8G@K;psgh_{v^}OSXg?71r+kqX3XO1 zv@Y4Fe7N6Wgz^hTxqlkGccs+X%U9N;sgSpH!{m!+xIN!|(W$qlMm{gA3=Q8?x^$H5 zKDB)EO`5U)i?z27%W7Tsg{7q=q)S>tx+Mf@Pzgbhl9KKYQMyw=5CKUML_(2}ZbSq@ zy1P3?M9)3uT63MVzq9r^+q1vxntymX3*UE)=eh4+wt6+OsG|=bv`Ei`AI=Saj=U-X zrW@UmRx>+cLT!Nl*0Z}wW`|(=9M90el~vz2zxr$&S5y@n$^Y0(&kGA_N;BNdx6Eqd ze;o0g>SNY)^>Xclm+wjA+_7DDS(bsgZ68;oYlcqseQ4M*P z9-$R@%jOM0U&_vFa?w;m-E6Fqy5VroQaO7_Q!$2vSd`-LsF!xJzoTBRGR=U1HTZDe zG|BIuNiUep|4e#0bTJKfrA&pqWw6%qM6))30DxT~ozs7XhqT^Mc^;nVI&%TTO`3md(1(IQXau=9|MTX(0B8_~#F$;oS}v z%>0@gY#5d~TA+4CaBVi=s4KYs}ML}7=aOuRG6#`f_zi$>t8;2{CUQS#zaqRP*RvYFd}{e}n{ z@IBoUE4ZrC%FYMFlB5bUswz}7qvxgYno$gdv+dUEfE<<~h8eDk@Y|48)f~>r9srD( zB3(B?X$*NSO_h$zl z@!FJ@QjiYQXMh&WgDL;TAN^N<5%B0AaV*oa|Ccxx<&WKx;Dm9_dRP14jDs%n=f0LZ z>0#1AHpw=z_m7fh^-K${G!e(`?zF^efT5_il=>KRVDwcmxE{cw`i!D|QMo$@+_doY zse{zW8F+Zg4r%D_AOm+=DyQ!?=K=jl4IUD!T(lEq+kctDKpI6vH{Y>mH=>pto zH;AJ}TH7AK8vQ&7vbiz}JnK!N(NgL3zfL`oS9a~HJC3NKvfUH}Gjs5#?>w2Xp{5D@ z5@dHIpnoLyd}qvt^Tp9Db?#20x(MEy?ci&o!siB$-!r+hh1}wO?Fes;W(4RMxY@af z!l9ml>P$+TF7!Q!ur-nyHYz7w*Tm}_&JQpKoqY_jbHT^u?dWtMqrk==NO@~oVt z;dRgLbkY0Nbm}=cNmSp6{z_2cCnkA`p#PAd!h8KIi+1~?dOP85$Q~PeO&+=T(f<=9 z>@LZNNZ!qVUDPdW&6yI)UCGdKTVyJUcktpyEx(I~A66JIi;LG+HtnJ$j;`h0b+60;93@D`qqcU(KO$9#v+bx^0efsrz;JKk zjC`3O2M%DokfU<5PFD7l+?x|v#9!M~7 z*6|C{ypg)F_=x3)!Oh9bY7#_iV{i5;8cQalPta$G&)l9YK7pBBi*Kjs1ftn?n?Mu( zF#5t|D>_ai!diS}FoE(+`17mFN0*}5Nnk@Z$;d>7^p2Bh<= z1Unxft&h`0hh2c3-z8Z7IW4>%KJU(=a&_zOfkub0Riq}tKDswggq|YDsX=DIz}6WY zT{rO!4I*7Vo|rgg<1Ty0BR5khRxHxFV!ayZWvJe(W{1YS7?tyN<$9rH7blKHx3tN9 z>^ec|@+&yMKK_-T=7Z^}?h(s@6lo;6rx<$h?bnD>P|^gj^^I!uM7ew*$MUTAV_R&1 zPrD`aN*7v4FBnD?`{;b)ggn5mlu1sWOxeL-nf)0~?59bB5Tl$Ine_UNJ)RZy`%`?f zP^-%9s0Y(GV>?fXcfP|MLTq%MpEmBCyV(h0?6Zdy3_0!kR5hX}j4zPM&rfr_}GiYaJdf z^aXMKf%7Sp1)V>Nbo^^lBf&z=H(7nE+FbYn(u}Gc6V)00fIVoJCpToK61H2-P!Ipp;lxz z@LZ)qT3+Q-(df3Ei_vO!54Y*%>)<(o?31sU!=#3Q6EZpJHF8^KxId%AtFKBnIma38 zUawq1Yjp8>1T8v;#wsT@^A4Wt{|G+WUG2}!*fU9}BqGH_+Y-ZWcQXWy_s+(tVxNxH ziDTypD%A)9&2Y5k`kWUge7Ef@3zIOMc6j1nBLm$bpZs((tMHl z;mhFi#r+oR>)PUnT^EQBTT<+`R%Mc#A~hnA={jDQ?!Q1FV$x}`+>$qFXNReFoER4Iqblz9pMgFkR5uvFzwZ{u^BOCYXrG-oN%LI$yi83> zXRpu*B2A4+0z6+FZ%t4;YoJ|kef@CY%Su`t@Ws{PMTGWMxH}4`glxK=t6ycBn&kiL zV(FDUF(4&@q7lt`IuQs~`S{wX{v%Aib`J-&Bp9>{HRYviG$NwjtF)4y(};W6G2--H zpvzA>!8nuqh1gsU*pk@@=M;uWpAFG@ri#$&_-T;389v-PURW%t`rRYYx7yq$8Ljab zn<%=DAMNM#@f3iZ%ksv>;7z*0Q|EnPVZxbJur9``;mp_AtZN_f!vMTIjwBye!V+|| zP&RoEy>mhX94&x#$Ecezj`?;X4Pk6y$P&@LUN;_Era>B5UKP#=QXjr|HJR@d=63uW zJe~5HdOuiLz{G1gbKXIs_z3d0@f>|%PpfM>k-ils-&YuNu7x^Xx#8Vx48WqsmT9%Cho!xcqeAv z-roiE5>J-IMYLyd8t6cQp-xYxr1&TCU=ExmEsD$CGk5d z1d*RvJcr^=4_2ZA(6EZKoI^}-@Tv#yU)@c2L&KC%gcR65+>iSL5(3g=@0lZ2iQHlR z&(!o9_1Ze&He{+R^Vm=R1yO>L&}!0e^($JSmk=P_y*r&E#1+ycYO=?*=G5jkLzGos z!W!sw^KMKyzFSU1C}z|XvxCVz+x431ex5N`OGLd;15Mr%v*q1@uMCj{8x7_uCu%+Q zlmz0B7&A%XW-O|6?@4u-{|t)y?8rlC9h-;Ul?d&e<$9{jv^dw>q5%vXii6CZkg3Msz#QoJgYNoj)_< zA=4;`QhY!Z>?68zqHZ3<*b8{*3VXJ!^&t@Jmx0Su(|lmp?v{+wom>fxZym85;kRgjJ$pkwF8E))!`=o?q$eFmiQ$awrDhDwOP`{wiagysR(gwCq%MYaJZJ>Q5Zq6{Vj4Y@=pbAVlxYLBgpD1h!PhE!fI?mm;1FI_ROu^x$})^A^TrEjxwBo zGsSO+CE{)i*$fhnUT*HfU1&W)+~*xeSm#ZTv5X82On;NbUWWoCzSuvOm`38FtTAV~ zIj=>H#L;?;%D8O|-@ay0txn^2*sm~y2(^N>vjD1VInFV8sav{FcCw+NNc)g&cfs5f zQVEMrq77o)VSEuvdzbt*x{U<2G8-3<6Gwh_Ng>6K^7pFy@;u$n0;2v9Jc8TE+vH5k zx2_7f2LAnVlru?rpQM#_eis+-in0mWmu>-y%xoby4tfN9Dl7@_A`3sa%7vX3;4Mj0 zNhA9!QT^b{booTP5E6!F_{jyDAxU<-a;dTD(__hLB?=&Rg`#Iq!kO_0=*(lh&Q7T# zSm=#k&i(>wJtWo!C`;=;MGCiB+CaXdb4Mhc&pzy-KT4V*PmAcB6eJ`4<|7EKlg)B) z(wG^~szf3H^2{gVx!8lEzt&e&4`@#U7Lx5yZ~Jj0SL4%6K=of=uu!Jx!t9q@DPW)Q zlJUA*HX`gr@cEzLEj-Cqf*_Y6VA{lyyT4+vM5x0yW7qhrFHPukje^4c+Ml3R;q`HS z+qjz*cvN1kRI(B+<*+oQ+@5b%{H7bza4(|q=X^YE*st0%bc1_x}2imqguxGAqoYk z+K6^)K&^Bkz0(Vh@cSK8W3V2?T>o{x^CSuuH7e(JA!A=X|AL5{+M@64@z|LX;8GuN za$FH0{(Z^#@q}FxYB^_PWYB&-teFX!uVz{)I_~KzG;Uo!-SWIs%Cu>eak!J>xII}j zefFkc2SzX--s3X^7esIr!XK)M7L;QLyG8JMad{Y&s4Sl-USE*4R4K z6|zxr{R_D(6{#g}Pay_dDJ0ZPkshNj_PCvc;^VI62_N&QwrJ_iJoME>;@ zZbO^JIDRQ#2P#sl01&QIVd^Wri}_WtIn9N~G>gv}IqKJ5Hw_tL#{IAT6j_|Nljpa6 z>4UFb%>>iDLX1}jVyb`2X9z*^7P zgnPjLySJj39tx)S8qq8QJw|dI(TX5kizSG{q_+;~uJFHl(Xa&S)g*Q8cHmld%XJjB zpAa7AJVg_VY5rEu$*?oK=jsZeV?ea7#>?el1uv)|EOWFSSh!b9#yQqB{ zl{$>cWJ@;GUq&C=1!W-~ga2~G2`J9aZX5iYkdx4i&EJ3uQa^-tlqOV;kA>sPB{^-_uJgK;=9Qw$+2{H^VFh1qHHTqT537^rY&`f zDGyE6Xk&f0#P~#a!Mh%u2>LXpctC#MibbR_|f{7Ze@2(gdi}@f5>%B! z^=-w!f=ebMzx^Y%WMQ5BPE6Q5|9UEj=QvgGEX+2~f*e(3yrLfaXziOK{R0w8FuNw; zM@||q_`LFpO+D+%{R}$gY%H`L{R*o&@lN%xbo#~*W97W4eC8vr(y+JqPFH%ePuxv@ zZ;Y4V?E0X}A!BtQKdRrAf_W^IN0%I)k%x=oTNU5hV6L`n3&Hqx+V|v##Tc|YJ{{lv zV$g&Qu)4~Ae6Xi8%x=9J5DjvmodWY3-wxzq{xV;fKGx$mZM#@*@rBBAXjd~x=)%m{ zYnM+fDHQipKuzjUvqZ*p2gCSL@NupR0-H-#l}~d$Xpktx0rGB|o;{J2=r1jYzHEf# zD8zo|;@9baOkj>C6X1I)$k9hnc=D((%Qjp7g|NNNV)J9r5v<1}4lrS_eHhvkj) zfemq2XS#-@6->Y%k4nDZep)2*9>fvenC!00Jwzr(+I%bat=zspeZm~-kM2pX`i<=R zMZIfmslu@ZO)ahEVDq1z_!qDj6Q!+hguD~Ij`7f)Ep;x*jzY1i+WdHP3>A}CWeh9w z1yrsOBgl_B>cGbuo$g=*Fa;H6<{W-q zXw&BlBorX;v>8k&m5vud^->d?3%;zmPSt^#du8N?KFVmaVte6=xyWNg^w1%u)Cd|! zbcsu|ZDwq?+1HXHL2+|=N9zzll%+q7OTE=Cr9PMiVdYS68?ZX8yyOr>xjqzS8T!Nu zEtCOSW7XZlh`)p6vmHR$==~a;rmq;8cR)W0$^X-LoqXZJZ3nQRj@j!PJRH9koCBM& z?mP`k0g2#u#`u^b5%Lj;Cc%KF_2-tDuQnn?W2hDeF(M!FKJ|hg=Q^=K??7J(S&G|h zE})`~H1rsgkHe|!95?2S-M|36wHWK$$Ii1zA@m*WVXYo{it1VKjd!r9c-h9%rMx*4 ztugEQD+cbGzdO$K>!t_f6mre2A=?-@3YaSyo<{THSt}>CogcGCvR5`Hs!G9;7EPBt za#lV3AiDoJ{=IQCs&fxtXE=Bl44b}RoYC^~ZuT*!mT!828?C0A#zt_{#z5D1j|z)}XGnL5mutCsjf1LQ!%x(6MhEWJffp-Ch||;TOru`+ILCBu zM5KLk3v$0U*{`({QgjdPvObNhq8Ow+F=Fp+*tq55Odxx|Q3!Ku!j-;QP50`MQFp^* zK=~E+w1%UrS8DsquVL*zUJaC_Zum5M*`zQ03F75l78~X)b{vbhd;ET{zUpNG&V--# z-Z80Jo*YwrsaVkToJhoDLX>%@F4W^xUS>ZKtP=k&3vamMLn5+9>l?aZ{T>Y>^P9Wc2;o zIWLDPEGd8Z*S?H2N5ayrym`F@n%tcm)+DnpSd%B1j$ENhu)!Vu!`p$peOoJW#6Zv= zs`d2}SE3DOp{Qj=_K&cQrU10NZ%dRo+I|cdjL>@UB=h-AWP-LSK?~=04Q&!Oap9sq zGro>yiB60>#}zE?E4FEZ`^vR5t2dU@RPzE-HFz=|Q<3*s;W@}|C5x394LMfHl!JJ4 z>*hIQM2Jswrj>Tkt@}s|nJGRzmy@!-wX#{OrFCa9!iA|`Lu^CiT1yGr6>VO}qaS(i zOb2rsPUq(x`nV3yz`nD)g+*+z(*amKxo*duHcuJLyls%ITUdUv741FJp?XK6Y=(ao ztG#vSI>0_j)k-1yGaf)3B`2-BJVb&6Gmca-Javwnsu^TMMK@4!8+VduuN?N8+%Q`? zS=fwB$&5igJKHJhi%raIM%{?}i|9kcdbT8IO|yJPlgD>g+9MOPK~*(pW{ z)VF2~I)L=Pu=$$2QmK8wM#=`QYrAq^bT8e~{EMx1wXX-R`Ew^~BzyWB`2qKn<^#NU zVe`Rv9-x;hvm2Bv_VuA2NM*9=muskAxs}84l6quX{z~Gx>iY=Ptg9F^YtdVo6CB|b95_t=@9BF#7vO}B}@TMf(NV(~GO z|1r&eS}79vI;JT|t^xg;lja#zDrMXww{xVh)_xjt(~Bq1Vydx>8|0-%`bRK`MS`j6_q8T4bQR^Lwmal8XaF>_VG-c?tF6X#@t3Iiki znaRU#&>8h@80t#pwK9>_rRFpKV^ro?=n*V^S;g-)q}u*o_tp7D&MPO62yAamxo!5% zI^X0t5r5-U{{}Eg60d@Rgqvp;1p*yUjaWxqJC-BraqDv17*cmi#NsN;EEM;obs;5$ z&wgBx0YB{9x~bF?f&3v8GRFVhocC{$F1CJzQbT32WvhVc;ImHQ?E)?}ZnFJ0Z$2;# zptNVa9zZfs;FG%OUF4PLkyU{%-;da0v_Ozp@f=Ac^xiB>NR?^I4<>kck0L3LV{F}Q z)YX5!Kw?W5;UR+AFUXGhfRYVyv}U)CSr=rqAzJgrh;IobG|kq#v(1_OC!j8)(R-3k zc?_kWG9 zc!HNIobg|IAM0ZOd)`MC%&_zDq#iYtnkZz#Xtj@r^^LCqm%r})NS<3Nl2k!plMA+H zQ$!gGGQ3OOth96soyY3O_9h{FJ`#w3}KWnd@{$SAK+4#$xiXfM7 ztzA8sQeZ){b-DqNc;%g1l6!8pFYnpQ)W?bn~t?=sPc-VSU& z9ydwm*-ZN^wy=&n{iH{J&09@rhrL&_cxIIMi3#3nRb$me5T6iUYd$%*_$QI*759F5 za&JGpA5w)lWqnd`p9dfIumTo9OZw%{=lI18X?D@@Pl`MsWLc&Zg-Q^EpAh7oneYk9 zB-#+CURHPvCm#AchFuagvq+e14SvEJgE+o2pNdCc`idFN#3vbqB7o?z{1K z{YoLju>3m9^tP{o$u-&kB!(mR84|-0dI9aVZAlF)QLKvqXh!}r*W9D{7DFk}fosMk zdyWV_{c}zj!f58blMq8X;}hrFPZ%enop@@jowT0m{piy?#R3!Wiy=r*APHc?KEzes z1}SqZ^{V*P!Xy(5)?0w$oizOZj)|asnHm@CB$_$pK4vm(o*p6oGdM!!9zhz1DKhC) zy@q9TJ}cXomEs5NIF5K7JubTKOdH-x*Ilt67dxE%7&q2~LSWtx9`r2U)U4ESxf zb8FV2==gVIbh0^{dpq<-Gq%QSl850h1V0h7KUI=@%Is>DN6q~sUoI4r zl1huw@NTG5BHl`))Y+30@3$Y0osPx&#w@)u`%aF0HtUx^%=ki6j#R_U5zGH_@OBxY zo_<^W%HkVQz5?ci`-;W@OzORa+hx2u#-IX+LP;FOOI|a^;A=L7K@`+K*!=VT}UgVJ z_Z2Z0IT{Hsb;R+B)DCbOfI_Gryx&~00X?i`mVI<61l+t%V_&;-GEI7aO!W?=xkaOUqs*vn(J3AGxm&e%ieA&eNI5YNGOO zs<6GDL5C`6uElX{xb!9w=kh7&4xOq8<%92MOp}|uKNVQ%%Sm`Sbp}ZL8 z|LGLTSw)o6NMtL5XRzt=Hs}D%zlHvb4c?jOw`U>EitKxC-ZN>3`<#0j8RO2a!+*NY zApbo5bM$@rJm&W|hyMx+T4OGAoRM-qT-A7k3raLn-bkfq08HN6oT?SkGla)mK7mm_ z$0RdYcD5^lX&#oEdrRsDQV@q548rI;pNo_KI)CW(v3D~v-g?HK|51nE-(NF>)oP2z zzf9!+&0oY5q3>JD@r+{s_nxtTJ&gepYW|_z-j6R5{x^@MzyEb}Ofbotcla6e{J(sG z|N9C{-**|Fy38x6=>N@6?(cv7xeWY)pF3X}#r^;1BkVdr$65A9MW;u?PeBO$g)IUZ zVGP{*<@>U(HR=m!3fkeqkcX$V9e6v(awM@*)B6SgySE7bYd2AO+ivQkHbm`>Qi%Yvk}2c> z#9~UW)Jsw4o14@16Gc~ks)3a{$`7(AKh`e?4M4yFB2oHzRQiOJ zltb%ct@ZE~)Bxa1$I`HPZ_E?8GIn@-iz#Npw#87<#i2~^NT>^FB$APFXo}dhk+?nl z1LoR`$hrOVr13YYF7+&}5olnFCa5&`V%PW(bz&JMu1z`5Rn9rpTfQ0b-^Q2Ve>jHJRQC zPB0ioA!cu&?@pIhwM`+OqaCP@d503GxfWAc5BOr3jScpo6*dBN^x**T55CU;gM9=L zc^gI`62h|<}w430L46KS&PXaW7y1@6WNeQ!$HYs!=8SKYV zkbmEye=Yyi*$+-i_h=@GC&(%9`~c#!EX(h4+5jkXOWud#1JcxO3dEi1>HbpY$>pP# z3mbrTlK}Dh9xrXM((4W?^Q>CaPsAiObB@a^#DtBc9zx%y(KWy$`fn89hKNpXpObAa zm1o!1lq~-wPiN5s^^{T5~CrVXZ}xIzJDH-o#>*!mnlrLaA2%t zhBz<=i=NcEwBMk_#opvX4dsGq#p!J)&ps004hH>OwKT{5eqvPT7D?b&p*xU&0tb<&r2=KOd#YTDu%cwy4huN}hC~z-5 z{4Ur@_brM*UY!cPX^1xMD`WOzkTVI1_e$T(E3bbwo^LrmyL!_LYyUD^0QBd5dVF8v zTayL+zcSaJ$MeDlx(6i#q95M@k&X-?ijO3SZk!(`3USW{$S1?}u7`QeCf)mzS$>w; zJ+3Gh2rd2e&8SR^PNMG)Dz9{_s|(Co8>q7hW`GjI6b^ifJYXX^?o~EJDosu)PifJO zHy;Dg8VS?AlttLw&?YP|Ai@zs(2&tt3%yJJ z?o{h-^)h?>ILu*hQlJW>*VH58R^>=!q^Z>7`bxj25 zsqy!L;hi}WM%4G+Eg`s3Kn=C`6j&fh`Eq~*T$9a(B{Up4h@0Mgf{ywjyWvxOkx65A zEC|FbjIGd;3zoE)?Z=8NDl*K=Q-@J>X6|0nHDYdSwX1z3b>k%C~}WoG3+|viw(`0kola z-jS*i6Z~}t0g3mOE~_=p6|#gQF^)==6^qSP`hA&_vbNMlZxESk#Sb{dY&5`%h|))v zde!9OE}Rki)7ZwVuexOkB+b82!mF&A>x~>CH!tkqA5s4Tqq+O1_Sd(Vd2NTUp`dAN zJKfmp4Nal*`Woa(*V9>vTtEDG3>zQUA30Pkc>kLOpnpvo|DRt3Ox~h@sU;k_*r(RX zU31EMF#gYZfu4uRKj9Np1#J6#0zD5Y#FGsVl*t}rkQ-#Rdt*S1)U{dfELen5aVFKL zkBQlwTMvQ@yPg2HB;CPcbhOOe0Lptr^%H&%Nfd~{<*DPPx^rj_9|dyB-gBn7ECB!m z8B>)IE1r}??UryD193Dp2ph`fYU6WVOkyd$T-ibUJ$xg&4;EG3Pz}96JUBg-kRvZ@ z`&&WWLy}ziUp!8TXccxUTV*J&t?0-kV@G@Pb1w{`wuCX`S74mXG5_?`;#j?v_adi$ zW$`d(W+8+}gcGxlp+*#>Q=@~JWy@fF^{ZSwy8eYy*C z*t_tt$9Bvi)L0HYlzKF1|CN*IpZ`p}KDN@iELF|o@QcqI|H3A}|3=TExWv)|U)a(` z?C6_ipFKc=~vj-*iP z@qu~Fb0~xmE5V=>m_6^jZA>#%X|K<<28hsbi%pXtjz8+Pb*IY}Vvm1%DFTN1g2vfI zF;#)nY6o5=Pl_6Px&>Tobt;{Q^KB6}ydy7nCaU`QznAk=fX(sPS~C_vz^~B;phl$g ztf#02o-D^|>|K6A0xn00Vn2)lQO!YEw)Rb~1b7a}zQP<&jg6%FrCACYEWqt9#6;d^ zg1@wEZx2=3O0WLIw*L26{O^BLI+H%0=pOgzkPA#E!u)Q( zpm|UzNJ8G*k|Xz&qQr71WS@%8Q~pV$3`L^XRyFN1Myt{s5-g)8u@{^ly)iTl zIzr2>i<6+TLCP3P?P9&yFib?|pm83T4eO?cLUI)MMlOa2|465#M zR!H>KJKUbqpG_;1U4alFuAnrl(BB!-V;=zEoCnAMI}bhux0wb%E_qgQo`HIgxypl4 zMYg31m_ukpotk3bd7KyPmYWI|XG#Y^RL{0Xu0bD^AwEy79jqnOVl*+|gKtnzWmrAa zO+XLowSrcmIpp<&#soxyVifNN z5SS4z5G}A>B%n}(Q=H3(Qr(6Y#*6%(bGQvZZvVpRL#?iYX)yemfEpySF~LtzV-Yh482K#>f76bn;uB`4&TFWlFt{{A27@g!MTMa+8h32mQI`!=k)Kf%YG4-HF0EyEPoRSJii2yIp1LN3(M04k`gy)6n zLUyCPGtL$#wvg$Gx}Z%OE#qF&`CX&*a_tv{r{bFTjh&k3I~gOcaP;_PPJ5T{x9MZ_ zD?M?q2CkEAz|oADU8`bVAm1!-48*}e;4&}o4k$5P=e z6h05GEW*c#CfcvTVlHf<3Y)uewFI0Ki2dy=4Tpfr>2!!Suw- zj|f_tK9d!z?!86hxo#3QL4)5qMf=CFYnsa-5D1k7%Dw}nE; zb!Q2+t@0y*=DYV`T;5t;b%qBGb%wICNgCUBR(Iw*FY6i%Z-Ortu`~~S&`m!M(YF-#SG`a4uexL5B;`ke<{;xnDE|MtL*AiS3 zx@Up4l3KzE&SU{x;a z%^@CXz zSF($#wrxJdZHYP6Yo1asiLDjoT8nAzMvTC?xl)Z63v~;J zIPotqPE7Q#>Dukn30zNGvib>~8%1nqlV&FA-P?-`U%($0KH z*GeDR&#C8?ry8-{Dm-Bx7U#RySk|DkLS$V{(VRw|QyJu1c!BoKb;Tc`dav-wW2{W> zH29_}dslHRUBTGi%m}T)IZ!2avLCBV_$+J}Q883RWuE5sJGVU|n;L(&5U)c;A-Eh&r`W^bDT7m(?#nczPaIG2E4yNgNcg=YCjQ1fEH9DR6pyO4q+t<{y zq%}Xr9@T#INKx5*c2b(BMVCb^qGq(VyH1kzM)`A~JE6pClWWfDwI4!(b<3_nKX+qU zM9{xRw!ERNi}%4E-YU8(x7b?W6_G+xT4~xIq{tY!gkNIBH1mY`n|QH~RL37AH%nJu zW=rLH(2!(=Mq<VrFF<}a(|Z@So}*^nkg0#8(-1~)o0hN`JRclM(G%Nv!oH2DQ#`D zTf4dE7c9T+;$mX(-r>biN#sp^YVeiyi~_5p2R!KJHg)2({AUbU}^UeHm0#|xN$3&vbMBPG*syK z%?NiWmy1=6pMEL_s2d{uV9c{*3Rtd@rn4(E$>+V6*yHI7wSWr~0>XH)swdhr`$PB*GI&mpwk< z{lIF?pbvBbmd+`uQviG6MsbEi!>L8Wx?`@cA58A`7V-WcE=~Xb^c02?9W&xMXOBBS z{N4HSp6+pLVwjQJo=slUjeBlOV!$&j%xlo9M{H~LNOrbX*~e>OJAsDH-Y=SH+#{WtB9u)VREV%_Frv0EN00Q!P}sgH{6(ifl19Zdm6*? z>DRsXW%TbEGNfzD-9Iul76yHDIu;~Wbvs?-HncEopFEOfW&A!Ry+z(29)?Fbf4XH+ z6>##5!^_d^l6xY&sSCp?w<2283`mQs%I@jN`|!Hk?FP&UYPAX;RWW_I*7qkE-w2V? zhbXE-JQQ;N{u`%PjvEZ)YeN+PQ6@@=WNtvxq1Wq*^{^mY2V{#3nW`a0ly@6a_OWHFjhe^@54fN;nD)D-hh0H_= zDnxqqGH9C38gEp$U1%$;1ZN;E`NQ=l^b@`9G}g2GFrK<9@a2*! z2AyKPW;UD4Y!ixjlt&UB4NN>PRnM+!qZINkt|B2(^=gW-G!b1>6(4?5G#ZVtOQKtO zZ}B08Jc@b5Z#*I>$SG1h=+4+;Vk;hbTsUd(HM_DDyW;U~LxUskdbd)$L|T%rs!>WAa6I%&2@PK$iu9QRik?($wAL-R z`clxUdoB|Ecr^9o_c`o*z61W9X?J_>%>Ur)XzC)FWJwC5O*I3~J8KE!$r^rl z!U$)}mRQwJwxHcU2bt*fmbc6~MZqVMy5C!mClq1ga=M&qmfw0cG83$~Q(09%tm5Sk=)7;GsZ_NXf-d&#u zopyp@lzIHM!z)MwszuCzZ`3`^5ypD#>Su{KE3tL!A8Iqq@MDFEiK;$8YgdCMF;Nc> z$JI%m!o^bUhgBw5z%5ghe}=*PU~I{$EmdO)7N6mP{1p@-v9Dso?~Z9AP7(!;;*iK5 zKC*tP=^-z=`2^nTH(PIhYTwhXy2_ZU)^kKrLJd08K>lNK1FA-^hwn4pYs!N>`gW)C zA}6mgn3m9%4L>vbJ!r=++4&Q_^82&junhW5bm)y3h-2I*{}_{K{^(6wMsns=po@@P1MUP*|1dY8@NDf`4x*_5F zYPO2!sG&RN3Zshv0oSE9qnTCJaRPd`us%hPN$Z(fW z@?O1q5?^vrmMDo_Aq~zW^}0jiyBZWnIngii=p=N_62mn!ADqh!@Rnqcn$M`wWVdZy zrJ#O=x(}GDVN^8)SY^Z+9xx8vRvu9+AF6vf5EN=TrNo=;_><&Y_T+1q=2J+JklYAE ziGKcj%<|*c(^-DB6{|x+_q^+a>UWk(;-reG%=~b z$p^JJ9CjodPf2!+qji#>NT?)?<;Ynb>|Ou(B}|OZ&H06_R>!dzi3-S&mxtaawZGV* ztbI}*>r!x%cSN*-b{C>|gwzRp<&=k0n|1j{Fw3h|3DEgQB#lE?^nI4UX71>^n@Jt( z;|BZj^qk1YpP&qnFT2ZF&)g>Fb1UD7J;I+G&V0dGZ}=c5l=~H*1WD%Y@`DQhYT#ql zK2s{iI@zCX!b+NBFG4*%ysLz4ioJ#UXDq&2R2FOO-O)L1c2XiORvdEsc^q(3J0Y=h za$Y?A$@PDdSAWYT{?p&-vOqn}@A|E(7NZoxp(u-iOXk+bLc9lXl1+Oa7VckipS=co{7|=E2;auXsQ~bXo$C&M61SnA(nDP#l~niF5kNa> z1`WU82SnJ~+2(?o3aK>(6L7eN3a6Q7CC9JVE^qZ*9K zA7=cj!k)EP1`

ys9ufk{8RT;QsZ2c(nQE4*H>yKo(?JU<{Jf~fC0al=7<5+7Nt;h zEA3fP*VaUp;>=5{%YCnEUUexyDC5>1DWb5Ik0kk|oQ$2497=K1XP*%GhTGM#c5D}? z6R)Zbe~jEAD|QX+O4c!Azax31HB+2w3GE7bOU>2Ij{?OEs06I6b+4$D66+aUN8O8- zjJ|B`pXYv;su8|w!r`i-aRuSb7mZhp?YUw&BzQ1v6|{Hl0c*7^(&#^M`z?HVODQxX z)z;zQ#kXG;?`mT#DR)kQB^uS}&poWBl3c<5lim9sD#l%Jlkahl*k%eN&D32U13Kcv}^a}kc}rwmH9%*HSNXNSBP%KCTZgo8MF1Eb&(S7Q$}PvWbd!1 z-H2AIk^Oj&izEVvoV&Qa2E(}R!qPqcJtqKYpS5UQTc8`nz_@dRU8f}d*{04^2#4E$sjWmKck2u)RiXIODDVUoCZs1>u?wWk-jpNIrDuwXeeoZeAU*TJj;ML5?Fzqq% z+-DM?t6?FEa%sw5HD04HmMD=+@UHH0TI4rhMCqP$P>Gl6?zFk!IvR2LD$STn(7eF% zbD(d&`j7=uyb+^k=0n{Gc~kOHWfF8kIRMI*2<4V~PPwN%bSkp&m)U{zZ&XU7*Gq%0 zbx4<5wgUEAgsPz9v_aJ87?icZ{}t#HGx)CGDe zl-C&K(g8>}8oL?OXh_wbrqEP93|fl&sT=rf8SV4NrE!C?-jpAWrGoj~p&k=`xdDz7 zLoSO9v)%v~Phdztd=MI!nK70i(K4>iEy>t);gtd(%WGP^M@izpZM}o2B&|avPzNRg zuJ24S{;iBDk@cjfLl3Wfj$zw{WRQS+rfMBaU`7+#xxT7}#BbX>Va{w|7) zs0*>_;cND2ICG<)#%?#0D_|A1y-6*7cDtkI#lAZKdWdNqhp`Ko{d6_Tw+r8vnWey1 z=cj^icuN+Kt!Olqs{DrohjU=i+eOm{ao)jLG4KvO@7JTq)X;K1C^Ij335WRb!D}j3 z$RPMS&4zK#jg7dL{qj`prhrkCT1KS&=;h@(%jM5 zN&kYbF$o&{2LCx8lH4I7>N=EJz02Csp)U1>x8gp$tU0KCKQeX&EtB_=;LM&bIRxWR z`GkSTd_t4Iawf407fqO=uVo?Tg~^q!rtf&&`>*C$Gd=4P`8?@vJf7TN_II|z#ltoJ z9(>{p@hqFGNwno1A)YV5yu>)p`U9Pnx2W~U1zYMKo$AL&^>keHYIVb?vmv$zmnpKF zd~v7wbXCVTH84ZzXLlYFS`0^hNc7>d@R2Z~uq!gc{~yG?bySt@zwRqYr}QLMkW^sO zAT1>+-5@aODJ?MR?oMezK+H4nKJR<>8RLw>9}Em8 z%;$OTZ(P^sS`WdWu;50M?RZb2@Fm}bd!c&QzdAuw?wuXPrf2Q$%44mSBXX49pUC+J z>XRS^?&j8dn;Pd465es%*EXMW16YjP5T7=jzV>?GA$;*mpytvp_?WJ*)YveF=^@Vm z)&Ryf8^Wd=5m4Q5d2K#k2n{_=tm@EeUl>V6jQTaadE7dY=C#ECqHB(C$At4PD5dz5 z*x^%2Do;Pk+R@q(a$aa_bm|;=Z@6j2$UguiNHh>XZ_dLdz0oR^_rF>T zA}kZnlA5Fu-s-uM1#7swtZyVy21r>{iib5UTXY~6Rl-bdfoNnbtzNA6G0N{Ms2u$c z$QH2+I1fZFR0#Ct_E2#Su}YQz0oWG$b?3dB+`Y=jl20$eu1mOPepo*?7((Q`qG(2{ z%rZa5qx#Ng6*!8Oq$n2e3{}=bn^YNRII2|5wPQ$f3&Oc88%xo~90u zBjCaLTwxm7*BN8T()6!92#$=Oi}!;GV4!BIib9A43X!)i5`z7)KHdQL`@9jbeq*;d zux9f33?wytY4CAnn8cT~vE65;;g(b_h_4pjuTWKMK&nbR0|Oqe=SLk*)f|Jm?gow91()C|b@}{3i8V^-5ZI+++%V}XK)eWpQcyG? zBd}*+GDGkEJkd-!ShcK+wbbo0Z}7YIEe!*siP;tS#emvjHxOyk=p@FvH{_E<|35YY z|M?dJ;<3?Yzp1FpRk;WxXSAV3vI7-DmD~FY5GB_HMjGYI*6k+@D@(MqoDT84EFT6K zgw!N-7Mp>1W7=fuZa7thQLI*X#q3(LO83D?3Bu!4^%PA=hpaki>wF|A+d_j8laOwT zRLgmxqB*GAz~`gt3GXgn%-yQmrt)amP6!H78%dGb!A#}*^hmgUWSp(<70m$iT!Jwf zBJU^>C{b-%H|XzglW74F33C;^nhhCRPZjN9PgR8=gOV+*m$Mp!63DPk=G~=6zv#l+ ztx9gzK2yZO1A8{HUg#&9B-KwE=&i?AiS!>98nd#b)|It>${KC+Y-rsAqD(%c>ELUH z6KqmYlbfh;tu9*I^o0|Bbbtm^Rd=YlL*z)HOi?;({W!85KhpXUAv)zi^UJgHqlQC# z``Ouo6AFaleFE-=>D(o#gr4FlV&Xy8itb*nXWIcWm0%1Gp6Fl<^$yfoG8A6fuH6Qd zr;}}h0o5bH*d%pLn&>94BU}qIF;N=DOzcp5@w5UV_9d6?Lkb!aD5ci`kj3;fi;Ba;#X+G)0tP>8GP0Pe>%>3erw||G%AgUDc{kI^GE2U zA7cHyA4*XIDg{Y=+nw(>cCx!lq3GawGI}gMaR3@Y;YZ5O7w)=G8D$$BnA4(H7-}isdusZrw}Rc zlnd8&?GS~qH|{Jx^TY9PeSa5sjdzwjjQVkme%8hF>?!)@;6ddwq3gMtFh>G|n}iPf zie1$%g8m)1Qh~RK#nQkga=cE=cPG$2|20-}TxILQQ{{O_5Q8h2uSQy1fHm{x4``-3xsbh`e*|RKn&E_ z0|Zm9EF1m1LQMKjp>Nmpm9afvDj!mAUqE*)1g+3O8nr2F34m>I>Q92gk{uKxWcXGm z@<5MTf6(ml(LLNB49lIW1kpTR?9}8 zQvL(iNx-WIs!$LGXY-xeEg^)s9~m|V$YOn9FN6%VT{|K$btj1A0DDg5`73Zk*Vf9! z0auQUX7OVx%Fo!*u*8SZd(D6n8u9~)u~Xd(lIZUKDS^@(_!?(`&@E7_y;8#Tu7bQ! z3iuyw75G$x`yfNF0|FyiRoU9N5*0_kMH9kAN?L7uB_y>5xX754E2X#5Gh|JVut+pD z`!$jyERxkfsLUoYaoCUQGP|D!__;leG2s8V|@V%GXz1(x#kR$t4PVLqD(OcZ2 zVITYNzD~tk_UCtnYos2|E9Xw(+^vw_#$IC9q9i__Q)pwTe`%e>dkKf z%Eb*JUgFQEH9c)soWhz=<6;oOZek5Sn6G8FF{TosR(TfKJP@dcE`meGX)I#750GNK zt}*`4R8>MHC5_{O=tqj@q?=Cw=)t!OVeL^ucsK(MP5X(R79-@s^H0sjaW@z-cg?3i zp&#l(KB4oiO;IU7y92j@^lTCi+&S__>9>WTCbJvNoQRp8kNtd>qBKGJ9_2GwX{Q92 z;u@nTpD5daqJi=&HNU9r`m!pR_snubO$J`72INKk-bV>yg&cg3vFF&M1OZQ+=I#LCAFzO)@KDG;L8!>R z3)-nwuVUqNXXW+LlSNd{G-y+;XlUEb?_IY<*S@Bj9T@w%ABxMe|2NGWu)X=96j7?0 z7dS&!mZS-r{+PtvN|kF$r-RX8OA6i{hO@fYlz|@wV@ipQ& zP1LKwpFW=Ty;)24K?B1DX!!TG%ARHnzk;IGdWk$v{9poPJvIv-UxL&!O?j^l?e>7yKaBsp6dW4jg z`cG!E9Vs{isz|9CcJ}7Na@qrqZ?*BNy-wuL1|%sUCRLSv`{~fwr~YUje7-g+XANnB z8tv|@-l*1nnZDAo++)>>(1%+9TKxzKr`lc8E(u*{Y4a;W4Oumh5OQmR`PK~mo`sDk zK%JjDZ3O$}JyGIYU3{OX&&`P)`r!SJOua8cD;sJWNR^U$3VfsR{S9iIU02S{C&D~! zIT$IRpbKhv`~C7L`v{r;yvwvQeGj74{rEjwTITg50kG{-@bnn%HA77bX*99mzE z1!QJlHIa+N0c2LIDn3>&?=0vrOb-sCc944L?b`e`u$CZR)w zkPiHO0d&3fWzcX|!=@^7ibwuCAm0A=Cp#`Wmj)&0bSQf9)Hz z|Ne4co;79MnwaSyBx+k9@4OZ?20dlC=i&mmqzhaab^$%Fo>b}psjnhJbB<;cs?Z%sW=iQ1UdslX!@qTQCMKj{ej&M(s)wBo*o_?|hvO^QBmizrt;ciE9} zfnqgzaRE{NwQCFp3-NBqcc9MncPd~51SR>QBGvLHUK7dQQqIIx0r z;w?T{Ie4x~uhdJ_=nQ31XDmX=`)-5h+9bMYyDWI0|5Y0QZOM0#L*I!2c$%rAg14|7 z0iiU7Jt3Q^pO1*+1jHcooJK8ElOk@*VHC-M=sX9tBa^eQWk7@^!}|N)?GC^IU*GN~ zgzJp*9f#X|3UXi)asNn14aAOQU>pCr1tULo)$i753AmFd5oLbsD1bwiG1;W~HqC`^ z#$IxT%YGNVvLo!Q{Ks?-72)>$gQJb&j@sjnP_?H6i7lZZQw%on;`8xeGoZ0m0iYz@ z@B>5CyaiaOL%OQ>_r61qaVCG~^qtc^oKTUOtoz@x#qcC0))<_@ufHV83_D|>S zwF8Pw6ToW^^7%2zWC-*3s-odoq2rJa71(3^z-_}T4&{Kd`R8>5AVl5CdjWd(V?UH= zhbpy{)4b<==0o=y_a+4q9_ozW4)&p;0UN0cI$4>*B%A4qnpK;??t}OUj$U2{kuAkD zhzg@Si%q(4_ymB|c6r@7a0R5mcSX=f(eou2f(hYCJUZs4mnDEI?)3$MrSMBKI!`2H zDAM{1!`+-O00MRS%LmvC2^gJ{vUSjpI)azqFPnqvGBu#YK>w2<#N}DUO0p8SKJ<#5 zx6OX}soV_M5iAnzkgr?ayW3j>MVF;|uLc9}taqlgpRoJEUK*yc_p!`~RG7oMVVZS? zg=54~kC~^hOY7?|-`)YwP3$Y(TQiROeod;z&9VIN*cjhcO=1~+VdI?a+U=5G)(fAJ zMc3;p9NYSKxk5YrZAbsD4>_2Fi>;EctrQx$pZUWJ- zWiE(Ybx~MXRrd(YU;E=NDwxfIxa!|Na_f2v_QFWgt~FKncnOv-lzzb+-=W z7`*%eoVbj6GXXpzmw%ghiUgU`trS|e8O*;P==K6)i1Yg*h)<@{zCbmHJ^Hx%(RAmS z`3MzR=5s@zvuV^_C#|FFt$O(pU<{isn-Ss<&ikKR1O8*{`d>ehFn(}PDTqb+(I~Ad zNdMZICt)!vIsv0?EDa}F<%um9jReT>$omaJ((hFUwoF*bd{wx`Y$bWIREKT{4W)u7 zlGsz4E#6>LzEm>QB&gAi*GiB%Kt(xg6Gzak5#;HY_v#eL<>5ILYg}8PfjcjfjN>PB z$(_4f$zmM1{KFJ44`;woHGsH`ZO+N~?B+F4&tkiLu;TM8bNOODFj`49{{Ua1w&Zhh zx_Fr*TT`W8t?UvQ1}!j}xchm@c~|l8U_g}nchPZLAC_(cVE*>_*KMEKrzwi4zm0oK*{vZz&G+% z_1yvR-&-1nbA#9^azLuaR5{J+a$Mx~r3C`JBOVjfM=bA3TfZ@kdv6n2c}h!BYDLg` zD0PpY19#f&J1z=RE&fL=M}GVhm{F2}XmRXg(Cqn7Cb5A&#s$&M>-RzRv~;KWdn4spOQO?3 zgI>g&$p<-#U%uexymYaDA={~o`43h{=JWx{R4sc;&0iLduYpe?su&HOk=5l5(%L$e zv<`%e^gm|GOABG{OAiJ(j!1a`s}sed9Bh$nTniXffmK6U5kEn)kweSqf~*F|iqJ3PajCkUA1ue7xFO>rgPWz==H-MP*kU0(zL9IX_f4`*I>b%G7n_`5 zvm8B9#BEm55Uyuy&1WP>p-u%qD2XpkRc)wbxg%>YDS$bo+&NaHl;{+@>NKVNNR_!GZ)rtKH!6LCm){QS$1xk_wFT|p z?L3eMEfv&m-Y-d0QY@uXAIbeLCa#hGNN#C=ZY)yw+&_0M8VJQMBqX?qh5wYOgY^tw zQTC?zRUV6#7lFhEl19x6>k7I<`kqa@%-TcpFGFU?Q%JYOq@32DnEKv^8S8KqmL(6? z)1YPX+slb2{jkKyH}uWLN@yIaTdpK5TAO0&f!Y3fO=ke6C7qOOh=tw&(9BpYT-^+W zZauf#nGR1F7r_QaSGYejl5P@b3;SRZjKwQi5y;{w)t!{ZS_eb{%n73)iLM)fkw*qB zQZ)mC6tw4CXvG6k!}s()0Q3rMn z2wWtXk$i`uYw1ot)|XGc9Gf5N>~8t${9ji8L7(rp#*6(r5+gmU)glajJ)buXn=92fm!D03Noi}!gAI>l|K<`fRWc*!(#Kf&s?^=Y z7o#&KVj99lo`)494pBB?4{+!C4VE%arKx{t?|L5VQ1ip<=5Wp)Be)L}~!s z5qbk+6(NT7rr|Iuj#hJAMz(0Kpx7Rhp`QmKd@G>yaiDaNaJm4{PBPs=e})y8?Iny& zJAq$_9TSma*_5MC{^$63L8f?tm-llXRCRbEQLo0RTui0~$sFCMm;prle6xnI7&(?r z*b_5$!u*#44q8oOoZancm=K)}!kk}gtoLBFFuFsg0zc3)k~1d>{OA{clC;8TJewhZ zoW{^iypnqq=7EtDzLrO{XXfXA$PGeYm8d-s zT+7DeL_nFUIvY*ygzk{j>FphAU5T0-KaHL}iYdV9NU36ienq;-ay-gv?E(U5X7CXz z>a0H+g%|oSy3+zA>7u8r?U#Ue-2a%$S6H=^Z}YpA?rMp>kHqc%Rmf|k#@hZ3++uVP z%+F%Td;df!bF`tsA)_JoW&@kFamO1>M=KN~`H%R+kMs@lRep*WZ8fY~1{%A^dmrTl z@%jHKCf}qxrCYhZXusp~Xdu41LScuBd#Ij^@E;s#kFxzWQ{~f#XssDeP(^MF)HAIz z{=B%AxTXOl2P;~@r?pW}V6qfO8f|6(<1$u{X$9}|ktDqL;C`$+5$nnidUc|OTCw^A z-5vG3fm%Bo6XJwn3a7>(ZeMz`AbRz5!2{2IctUH=Z>{^b3*a`*cI=$=i{=wZz?sr- zZ|ba;W}C3FC_ptUqn~_TY)+P-5UKBxS*bY?wTmpsWemfZWYGroV#SXr>WZv7s+uxkxYwx)nK{=Ifs3_VZhN|`+?Mn! zxNHnphE#3odS9prTy9bZ@`#F)e++kTue&CPx;i-}C?In7hnC-OmW;61YSy`zzht{@ zv52D#J8zz?$BcOsTCFeqIhTFVmBXk-vy?|$f(?vmC^^q_XZKTI97r52Y8A(SpMTN# zyKN(I+!bh8UClqIRp-eEsZ88>8imouoj=JD=L8q#OZp+$PTV;Q{(4)9Tc2V+(S%z; zVmpIhd^qAN>Q80cNu^-#XaI`a~_~*;V$=&u})FnUGKL_k2 zqs=e05wvNATuDuUOP{om0@f`P3q)d*v`5t>jxA_Usunri>Qtna93T->3DMjLjpAO1m5kxYbR7SkXJv0T$W9mU(1};&Xm#cvX92m~$VupimLEt>d@^A^1drM`eR0!d zDp$BAh&VEtxWvujPzu=5DeK-u&auXPyLi|xU}7Knk54{h6FNqSWHx_oOgCR0M8@fy z*rLBskwni~Tsw>YCkd|}5fVVtk!#NGZa~(!;#sPiV%z3FLi;*osa_q43Xq^=F5|GZeR$Qh%Xb;`($R$aib$#!~ykD2x3}OnX zYHy%CnnkLTZMQd9&pb=93XafZv{-U_ih4(^ivaIN|4q=+OO~l3;)3XmRmJ0CFiEy; z=-Pp9qf)S3UXEctPs*X|19TkJ$F-)W_CTxr?I9tBa9|P%g zB!JR*SvbWA9L7<)v6DXFo?lXik&G^?O5o9hy4yu$!qUh03{XRt6S5+PKYna+H$LSg zWqS#R1MnvU+$TV@oMIuE7Ji&vY*^YOu=9wI{aZ5ybLEBZSq~P=2eTQJ4g}%Z{^G0# z>+CBMmpL$YcwF$|AjVx3VE(J%sC2r(9nP30HjPX@&i> zA~>;WDf{K~7dTwI+B_H4XNnrT(23*m@OsNWmtZm2*tdE*wcV5zZnWf`V-*~>yO;!Z zKODf=@)NzjSSQza0ggI_#Cu1(a&6O@6ZOrhyt_f%Z9f|rOtR=SKi=Pcl`#7k1vewOq6_F#q-i41y8zpx(=?RmBI7J zD}`xMOC9cJc0+3d9b^30J=?W=DHIr1_Hg+>zDY&F*Nb?+Q|#cHKPh2En_@GK(3w2| zRV4!YP${l|G|gp2yLRe!owjt%QeNfcbWuJAx&f&k#MA2TDofr_yK(OKbWxEEgGXs&{Q<>3wRE-QLq z(U~7%#xX#6j(!C&h&(lqbf>F5oJ)rQz9$eV=_8Z$H^LTT;)H5AdQ{`~c+} zlE<~w;*Rtf4PebZ+BAN)j)&9R&~?YQ%OAxJ`iW>b7(|3cY=>|ygSgsq=r;G%EeJZ- z9o7c%gEge<)o}Os3T#bb9{We;&S39rtGssEBa-w6xo1kvqsjRIE`@NwgVCK(2ka>y zclU{rQR4PrV0*21NMFWt)Cd}=fE^qcA=2>UiXgdSa~1>U1-V9NBm$%m8pB8QJBG^z zG{A75U{|66oQj93s1*jw(YUf}fDuFv*6Ac*u~9#RiVWO%y=1Z{fim;LX|^&2N!Qsm znz~+gU)4LD1!@DmUCybPPNgj7YW|-41B^M0EES-@Uhs_lF? zcbAaBXiw=oq^df)bO+Ng56#Q?rrbO@%D7@(6GX+$#)H-F4m{X~`~f*NkwuSCyfHUh z?@Zk3(BqP|Q$fV-q#RCzu3v99?of8r6uRB-MM_PJHox~^r5jv(wr$r#ikDpX=QguC z$Nt<3$2o=LKR6PNIKMw2>RZ|Z)`Vr}n#NT3+qD0eTJQgqc>D_+ql#TH_DN*t@-KTDc~8j6V^56Q3A!Jktb(&_HM_C!h(Cl;Z(I$Ih#Na{c~K#&8n9h=<;` z8(IC^_k;w1fI?f!{~OtJ53QW4IaexM*j>e|bM9ZS^}oORzx9=XEFzY)+Kng5sPi(p z0Gho4unu{zLEz=@pG-tJ^I2NIfdehFSmT3j%Fn%d4P2ghBQ#(#Wb*v^Ezh+DjM9UH^6R>DD1H3Tfk3zA7h*AKijomdx|IhY0o&eSGabeKY#eab7`Rhkh#s2h3rm*|e z@P!Fjx#Sta!1P$EG?NUIxe5eII01r<)6tq_H2~Cbd0#k|I|4YkG$2XU31V<(c7dQo zG?AvRE(>r$Zy@LE_kDgQ%zOv)2W!*LE|59W2M(J*HCrtBe{nqjwP~DJ@P`+^YIoTa z_y=`AcrUl;08Q?r=y{?JIMyHhh3uzmfenuwAZRSsY5?xoJ@5oL zRj&~CXVoBgH3UwcIX?>GCwLE4 zEZq~^qoO3hZv(ld-{3Z8Gis^BI`v>zdnauO(hvX3`z4Roq&-~F+THO#e!u@Z8~*Q~ zORPKsAkj9D)zdw#N~2c(31ctg_9LJ%jzmh3>l{{%r;5}V+N zB5HNklZH-XZCHQ*#PLJDjJ+>T_wlWGrys}rZCliGgGO=(;MM&}B@R-^oB$$SrdQ!6~J1Z2)AFjIENbp-0fmM4CS$Y}J4WfV!!CuFa#i>k?E{tT%wX5eabpb9#tTdQ|XgYxxLG zeEaTiOGmqmBJ;^S$&IjE6_8qvbrM0hy|gqzr*~=MejU1?`s8!SC>H~)@^^q7ZTWhk zSLnI|j0+WW-LJPkCL!YkzxcL)KR`aP(Qc4cS%9l6kk|ITyg7OE+C6Ij@0#)@)UioN zM{v^Q8PoeyBw2M*01dK8GUwm^d9bwqsl#&<(UK6PxK;hh9@njB55oi+#3 zWQm~_2*B~~OJ>#R1HXzN^D5w&>H`uL86?0MoDL$Vg~AUhVY2NQklZ#92ZD4KZ2&92 zc2eCb_^Bg7oJ^m({uHqp+RfGKt^QYI&+m*AStdxkW)!u3)5AdwzMPmx@lcm-rDKpP zrrX-wN+#FY{S|2+hs0H*$#NqOOjJoLK^*H#kS;2)V#Ycaw+mmWD~8dmUzUQSA@+(J z1P({l>#KoosviVOPO%IMMK2%${K&(#+WXRZ;wmB#+SLMP1Tr92{7Dd#oW)6tc!UFEPbSis(7aI6A~RxJFWuD5aWXl8^@gSpMpTN}%I@4sgG44`%LxRk?SzNvR*o0VMg;5hy`QbhGeHLZU#CMEuHhj8N=fkq&Xysee_olOc zkn3PZi2LzUlKIcO#zt#4qyrqJ$Y*VMSQp^1^Km-sI#^_OIZhhNb+gn1yvEE^i8Egv zaOb^hZIif0>J?-j5j$;x%uTueweBF=V-Hr;-9k{)qVorP0w+mX_1(jy4_VF%#?SiU z|CPW0zp1Q;EYPgKC63rz)4$OG`6+ffdtX$9*%NGaL;sB`tOBUQn`q=vVK5tKwybuKua%=re z{{aXMAa?u<5b6cWc_h(4ZacFFZW}<9L_y4PrVo=>qf`kzfb-K))Yo zG8vI++17%SNuplA!ofLh&~K`A1omzQ(QA3#q!4eUi;DBGL*Rbxz$0q+630J!x1N;`1EH zoI0e1V8`MKnAL;%;vCO1=ifzxib*>Ck7!Wj^FtgJ(O7K!*u*-@Rh}O^TK|JeHq}12 zNSh%@#F}(87UL3a=@M)NNf90x*c}>RBU)s{i8qamtwR=7)*>^`K;7-q*4t>eXh|t5 z$8!?=@1Y(4S-t+xs&4S7HQ^Gz3(e+}%Vs+NQ79AB-|2TmbfgJ57(e^E{|t(Q#C$(N z7Zzur*a~ZW17cYgW%A|zVumWMi=suQtEz(;T!fgwh22rze=i+4Zyjpsiwx2^Zh|T(+pbodkZw;zHQoc0boufw9yj_jnV$J z0p{l zk_#-uIkFr@yg+~b4&0h%z(k=>eYA8pi2AQN#1y^;_?^mosJ_&l@|sgEqnNa{2wb_n2MXF$LQ2Ce-RsF8-uDp}9< zX92>U`4~jS;Otf0fDIL6xp8G=mBAIb1JIJG!3jK)T=#wY&FjJ5G@NsHKoy^I&iCE``jOQyyZ4k84dOd zaL5G8S%X#nBm4MhhfK|~6i4y>RkTls<~JPy4yFj(F5T`l`S*h*n%-7nXVj8R(X-OO zk3b=5+us&#TCaq17ZP@%jMJI9CZy1RXo}K0@QMq|WE>i!gY=LgE120tC@&v+&e~tl z*}v1B#h0Vuyf58U&H1as1(;D&RzJkqCI}U-bwjfU6=t}Vjv@>Cy0`}gr}2|qnhRj+ z(t&RvpVHtau5}~gCsVDD=0MrYy6(D5D6N5vG(e)_9hE`j^ByAR-DIIkGIrES!qWO{ zclL#$>$KJk$3XZ22y!gUGTV`P>UKgvuS#G8=KF#`8^n8sY#G2zG~e_LZCD)~@^MsO zJ!5I_!}iq=^;IK+6Z*kuAI_>L)jT+64TdBH$fn~R785g@gVhczlt3xK z3T0^#XbIBfCy%m(T>1bzlL8+s*_AL-fcPRDM5f5ro`Z!K7{D+AvAABHbwV1qMWhAV z8JMZs=#7itdOLw|)NrsF4F|_C+{W_GnTc36`tW_E<(4+u!y6c%z(1!r z9R;Bf5aq@fAYJoG?w>%R@fV5xw6c~+?(ED|m1(c{V0yO4{~2X80@D2K;ZG1<;I8%A z8~6~*f4lVH{{M>@Wn_u_02{TYO+aBGgspI)=ftd`mpo6Pw^TPYEz3j<~V98xmaUGUKG>GKY&hqeU=L@j!e%wAUdT`P87 zX@hi$yRKaGaK_U`Y>X^mYb?L$yuA`f_BFeWShcX{gSBM40$AR=o79Kk{j4hKYQ5`% zjW>1tC!fGICR*vjt*6!tH+j$=~KEH)SDmB3sYabU<*b&_`qu$@jO3K!c}oIdy$ms4l7hT{6 zC(Ra%ULvrkz*P1%9@S*o>JG96&TQd(sv@jIvsGexp+^ z@*_#1F6VL@P2{fSmGc`9z9_d?&qD6BnH-(BM4TxZ^y(4vrBe9ML-gc~K1T&*^q((z z`xb6wF?8~de^~&LzjD%S={8RGvkzia=$!{GUK-ZF*RM!XU=sDWM5r0 zt;%|~Gps;qUmY2oij1O#&&D-hcWZC zUkkW8(%HY7w!Jy>v3}_u4~xHKh^|lM{W<+x$h0RooLA)Y#?tS&OKWg=bi6u_F11j@ zSml@OK(8_$pn+)i+>EPiJD^<{J^z|G)VwOp$5JbOnhs-1xQPSde6^Q|j>`RpLP;%i zu%XLw&A>MGn@!ut2V|+%9Z026N>wL3@$3LO^m5y8vO*3aHcyUY;vAT+ax&z~9<%=K z>MI8AWaRdaa`C@IPAkfMX%lXpcHht_2Zi0)%Zgoo8HD9FG%#NO0x)CZ_i{X{N;%t_ z`yPLmkbE5YH1MG08nj!s7S*MWD(+D;Y|%Vbz{doaQ!TzA(~aPbm$1vF;SemA^ z2W_{3F^Oaoi~kOBTS%3Q*zSvkNfNX;+M7la;fC3oD_^zydYxBr_crCV>r$h{uOCZE zM1I!Q+?E9$6cXv19(;eDaoc$ITcez1K_xJ9_1&6Qe2 zMGtnFkk{bTSgpv1$G z;Z@SzP{nHYQhb(ka?~ZQ=LI;&FCdHA>tjH6`%-=oQX@=8P3qGkrTX67 zaBwsGD(2({lwOIJqNk%g1D@#eX-#h27<&Xq0|x`U?{MNeHc*ENSyZ?h5KL<{)V`*w z{!Y)Huqc~BE!u}QIp&w+#xST~sbcSB$B$DCe_s?>OeJ7!&Vqvo|E=CuNmRs0c~sJORcXog_55Ig+Q%5MkGh0rbWriPX%i;W6_E-3GOu<@UhtA zqPuohQ!&qJ-i#HtWo<}w1E8AnEEiPHXe(`fo5DU8oK41L@+eX!gMJ?{GUl6ER6faS zl{Hi9hKvAghv4OTghTX4VevWH~B;xxlXFDknKwN3SMP@`i zoB^YXdIn!b_st2xfFL(H>7HKYWnhiyVY?g7sVH39kKK4+D6)BZLMju+_^Hh|-T^e% z#eYPSAh*?S3m{Nc`K_4GN#wWG3+A`p+|cJH<-J#(dNttx$5gWA8n-XNFH7QjzHPLH z3wu-V<3K(GJEjV`scGnTjH!PFx9)g&VP7MBjCsxyg};=haeY_{ybj!#2Np|LJ^BgN z2e_B+bEcT$CHp&N*R^;<9#$vpJtAK_uE5Tt^U-S9jex3g&|y`*pSTydHed6o#@Si5!ZdI?={1QM%oFj zBc9FQYH;A)XP^}nW~o#XE+aONA7m?Zo2NAmavs4b3xuhrYJFnOtWO+2K&47XAvvgD z=4(x463e55E5$E;xX8d=yq$ZI0w*&-iXgrwqRF+o*s-;19T0r3du)QQrEXV^qmq99 z9cX&?YJ~AIzf*R4T-VW|2G-f*EzkzHmJ!20$qb-xelB#9gTE#%a6vhUQrwJn8+36O zI<-!b)9@%uRI=Cqy*<2bol@6QcAl;I8`%Jiux+E+Q10qYK++@PMj8h07dvla{WxEQ z;qz`hlAohONBeF_S2~pH@e=4Pk2HVROuW%@Q~2t7rgt~TTqS~9{+1F3jSTT3t+gR{ z*O_H}W0+{`vh*@XZkEt}OOG`XULx^fJjwROO>e?j+2I7_CnVa2Y2Da+ zijJ{VQNlv&Uyi2oeF8<~ibaZIYuSeqbDtqE5f!Tx%~H3ZbJeWFZ~1WtHLYIm#~qCd zhUSRM?UZ#F z=hJ=E$8CLjky9*}_R?EriL;dEKIzvVj&h|(bcUQb(3j2LG?Y9Y$PD;y*HXj%mmIF+ z`ZHq*ZEwpq>}EmQcq&!Y)I@8>P9C`px_hVZ+s=tdS1-{XZ{o_qZvv}s9?$5`2^vEQ zJU%8`E!*$iTjJ@+^sdfieBBSnoLQLJefzd-f2Z#8P4=CYwilPNZEsdDbEsOH#vM)#&#g+*<>Tui~rXBGX-btDN z=B{kqJV@iB^hpK&Df3O;Ywyxdc*fa5_+SX1it-uP_ISn@&tv?w>C+n(tpY5fdnkYF z;~NI*`)pTBR`?d{;_L!Pvf{Gecq@$0;xi?WWdUi-FiTiJ&Qyh1GB%J%i&W>19u7Oo zk!D0bx`~4)Z|tUAh!4Q}f7*V1CqesIE3ZpkwwMN8jFj{Akv8dj!xK{ZGOS73+v15P z+3tbm7qKi(6xc8ZZ3(fHAqJjWbIO*vPH|IBcF zYT-U|(}}BfGsg3p_0-$4{=@W=k^8r|ew`3S7UGAF{c{tYvCeLM)j1J?B3p7omCyG$ zwk30HCtj-QmA8?{#c`j{)-&(6>+rrkA&5;WA z53QQh6$I{2PT8d%9_yzZ-=iiL==~JJmkBqROgPs_2=Ff1d@EBI*!ogOM5kG73jQr{ zJ>zi@!y(3ukOf+Ph%E-I-r*y>glt_-N6G8DZcjO7Q?b{?VaXVrKj5SW&ZXLKV@#9uVTLvVFl zd~=(A2Bi@3f(%bRj`5x)ou<6);1Q;5>FXS!0cJ~-68R)1^mD=>n@9Xv1G#GSsPqs1 z)`w_<#LLp9&-~R2l*KI|0P{^`Df0$kxf0aq5t3U5;qzl{Z1`*O^J)_@hBsiKNjAOe zVzWv&a$l~uJ?ZfIGDKnYS`FqNPjG^aT$P+7)J0c=r3Cz8fw}ME_w3^#S2o)~Wky&M z3P*d5R^Hnx!b0cmy3TK$;3EFJgAi0L!C=D3=4zQtUogk}J-TrokCR%1UIV0e3 ztkAR|BaL2WY$YClYWnIAFgg)(=!G;qFeDY+ikEWc^gE7v$*Y~t+GLOaJh1A1)k?yj z+-9KM4|1ew+RlInvXqul1z&f8<-v7sUIo}oLBmh)f+c)a^>CGMa>U3H=K-kte4!rN zD_|o1V4M*8-n%-K%Mui(=lM7j>2PqVzxf^}{wGgZId)3t5K%Y4X?bz9F6p5cQ1+{D zG-GVJzW1Qb4sxiHMqP%gMU0FUjae>UHd6Skhd!qucxav=L(Vnh$k;>^Cv^LcFN@oa z*-m_T52P_mHVL4Wy{XEj)|PKRY8L>H8wmUn?wJijuNa(8_Ja!%E69Rkv3WhF@L7F->EYau|JfbZ=|(S^yNSm`?5NCS>t3 zeDPdiv~If771gr!!;1q{Pc@CsRUs3Nd#xmMAQ@TNtJV2<>_J}?1rDeKB z;M0nx4IG&01e%j?7n^cse(clXIEC?%4vlhVIamzdC~!%_AwghW&o|S>rbS0ohF%5& zQtRDhK)Y9(a?b2}@@fDcDZ9|qGWD{Qdj^AmX6|`{>rQc#+6Htnn_t|^fzf%Wv0*W>5x`oXot9X|G~G6DdLWT54yXR z`Z5gd#nV4V!@z@>fRac9TSu5u)bn+GA5{#xDSFGBF0hiJr7nR}{CbQ774zf}x40l9;qpjyyStjfh;l`oJ+ z=Z30rXHU$K=>5KF5{ZW+6uV>nc(hNa;)X@!nqjqL{J7Bpdn*0g)T8+PA!Zf@CIk+u2VJ?%$|PpYLIn}~j@S{^{c>_+5?;3Cy{R)c6Q@oczB*8T;@LW_>3CW=wmF}ShlnzC@rIDefyK4whhVB%G z7(zhmJhS)yo_GJw+52qw`kl4TS(KS6bTi63KJg{GMgkW17KQw9V9>xq?WeU|IiMXwL z%St&cSLsqn<-X;uN>SCGZ%t27Ngit;5ZPy+EtXqLQTmlB*4BGqsWfcUa`DUZXKum} zTT(Te91_}Am~ky|4)BR`eu(xBuV)-I3$4bggBm98n56TK=h=uNCL++t^wnbN@qT@` z$h8h8f|s>q7Aqi?^94ctxvQI@M1R*rujftfaL#6^VMTm*_6KSzjPK({=SyUd4efPy z*>G>vNbFO^TWz#^hj1SOE){|E{JP|ohoqjxL(fyju!8)Su344Z5m}#y@V&Bur%(LW6@zNJQ zpmDZjBTxImLSBE`p4>-q{R|bE-tpb@wqiPi_Pyi8L1OPk3M7_{G2$-Dowhq+@Pk`v z+=Nc6_S5LI*2Z_zwJp!z9Z|+x7m%z+3vz^%njIp;?TvSOdK&e>WCXyAbKi|dN6hlJ z{3Fj9=x6cFcUpeqd|R_7O?R>RE{?F|*e~lh&|~!Zy`avm0_Y_Xo~9Jm(?9zok|?D| zXt3}Wvwk->z`zDI7&UGTO+p+2b zZyn|7iCK#?Zx1OCK}4y{Tox3I!%ltYEK{wR%lWePNtb>6`(7%t$34|-$S;36j8+_J z$s|nNzHY&8RiIY9-CTj0_Fjgc!HG2Q%l1r|6{%5}+mSwSUH-KGO;9Nj490ounG?O( zT{B|2kO)&#>=~YhzS6Iw3clYz@u=DiPLCz0#roJ|pie`Ex(v)+uB%}R8L~BUv4bD<+etXy3;yW_j}2Po@}HTZnbPu^($@S&DnVzXGP z$G1_Jn^R<3qh}hd^b+ZZx17!HV#;c{sr1lyfSP8D0LJP9RU8H{D7t{by6%ASNx13P z7RwH*Yd*!=+?1=ob&}GnjF54hvzzI(*Hs8;m)*s-mVnu|ut#t<5-#$iiSccpoTGPh6GDc*IhR=Dk-5gU~< zM6~7Yj@{<85la}n9pP=p8Cx#jX8B{ezjdN_@Z*ojMGWUhbF4mdQ1TA03y@{aRmR3T zxRS1E1!rM>F1%;I?eZ@YVIsIMQArAvlR29z_LH4zpk6o zI%jD!^wqI0^PCP{(V(~eNf5`S^M|;(=nfK_kDc>g-q+2ai#Av4fd#UbA8Epi*1@Xt zl1^GG+A_o*gFsGenTy+pzrP9oi(!)TLd%8`qZh8U^9`4~w(=sLB(ae>1tUezXBEA6p2K^#NZ3JN00^-qXdt4_v+xN#TzM)q4vNbqCr-y(Nwyb=50+q!D}a1x7|zvG(Qu(A zPp#P(RIX&Ru@5xe4E-~4Pk)&M(baKa)0&vp%ZNCt1Cg)?x;7gz2_Rt@H`83wZl+e_ z2?2gd(=T1;R*V~1-God(vdwi$7j?g6-ILveo0Q#SJ(c{uk?l%RpSed#byDX0q^_xk zb-oG6D*L7oMhTWUG1uK zro6K`{f&8G-1)_V)ra~z&HMsxc2?t&#?L4C#5{=8@b_NN^t?+YX1toM_wH*Bz7^#t zWqh}M?8c5GUiB;5F>t-H)c2?;3356F=OrG1kF@trkiSR09F#GbT;R6AuttfuO5jyNYtlm#El`&WO>$hNZL)}BOO#G|3c$3-& zu9_9RM?3>;W?B%7ICH_N#>38@hUI&??9PO%KXh~MV7s)Wqp=JkEwQ&JACXQ-{0760 zLeclL2|j%XYm52J&O5B83D1pUaY`k(V}PrHsA{Xt*SR+|#!M{~3h9obX3N*y?)ib| zBG8=t_F`IV0<^~WO4r8WWA4dDzWX|PMrP|Gz9G}TIbgQnH->(Q^5{wch#94u(y;~T zjrRgIht00XHxiV;q!ismuvoZ-46#-k%q;&_8ybr7biW;aH-noXqGtu*uOu3McIRnX zy%c<~wpLM4^^&cYtR9tyb=}irtBnOF)gPq%>u+Y}45Sjb)G!mQcBIq6>`kMek$)Ov zftI)Tb_psQH!f)oc+3}7!P8^Y>qd4(ZLRb>E7=2-5T z!|&^9(bS>>79UV>-r*Gnd&oK99nmmVEipVcl>eb8Jg*dd-{~2H=lxYpVc z+RNp^jupFud4w-s>)kC64!5+u^1D%^9DNPSB+XsGozn@4Tg&M((M=8eHsW8N0 z7Jo+u=Dj4Qz zD5k3=wJ-M^Ei?y6jvJB%(_s7klw;if7g~eg!bX5OQ~#}tcP{LmSATN9pqTt~;$4~92e4>zB8Mf;f$KCl z6y$Fgem)XFGH-qUtTfL>u(xGj^BMmD1%~X~e6If3_nwJ4V|~QNX!hpVBYFF zFo&JM1@9pb%r}1&wlSoeHNF#qfTl-%Zhxk#LVj)$O}D87jV~(%J%s``d!j;ZO=>6J zN_kC}W?rEE6B+->GrrvU-{%?aV-_=)TR5Kc_asHXF$kE17+ zza6)WKS4vUAxMn~#Tbww5;xCNN-{^O{uGu?e1mEA**c`(eTmwOKZo zSbOYUBUG%|Sj0;$BcCHbYw=}j!rIDNYI|{d_8mogK+L>GuX~Z*T1nP zBKEuY%KXNz zH~D^6PunSq{o?=ZL2ZPEH`Dx)h!A}ti>gzOIGhtp;pAT8nIFJssfFj0Qu(rC(ups$o(nA3$Pr&0(8EM#; z&Ad-D01TRz3fdiz++prA=>e=b@bkF4-4$2c{%xc|UXgg+4$Yqxk+@mk_C*;a``6%p z%0P6trkvty&bBzqobFc;vYvKCI=_@gSN?4oq-xK^TD~rhjV>RXpDaF)q-)WxcUpW; zmPcp&NEEo#c8K>8`=xz!HE^6&eCrz85~||evM-jqpSFk}R7m`1-5?zP+8!NXmptTzOZ0 zAU4JV=?{ch2wCpvHW1>QY89^y-Kx;DDSy9Zw}!?G6k=C-Iqy9+E$F;(YWH!$lSE$I z9k6TIUc2EnCVZfDo_-kV9VQaaoyECL6YV=&IdBRlytK_XlkSuXoA4TlAEaR{pXCh~ zW;9!QENUjmzX$B^EV(=nu-^~3A|O4{U$#=4t+*eQAS+e1yZ9~pbx8=RMZRhP3HkR~!Uz+eXceHY;xDew%`p#aobE;9L1OXp!6Xtq9-JmrWm%c+K#K!0p44=UDZF*@`q+r2W;iZhD|nl6UMh zH$S`p`>MDkThQ(BLci_BeV-_ACW(;Zq0+xyhtRcVxPokxZm1nTnG7~)vOY>zQ+=V% z+0`H;0Vwq^m?gDZrOPYwZz?1-JK4u)S*vW|4=*1#A2&(8#>uS%UGnq{XhNjPpmxBc z{&r`VKbyVajJDfdjuO4eOqV#s1L^dX? z5m|5nz#gows_C-Kw3$k`+gD(9YqM9)W7-+gKeS{g=t#`sZMp zH%k?@S4|LA9a91kX_M;Yan{&{P3mYS>Vp||Ikx%BUo}*}lmjqyXe@FT({TB9Ipb;|8L8y+LHL zz850EwUxhoIvVKMb!Tl~@gJY#K)%;)r|mqGtHLY|a;n{J6k>vmfCj z&AK|sxJt}8Utx@cB3htQ=Tqa&TA^D}B#6**<4&@JuLi| z#U^xlvdn6cnHv2~xslb3qU*iF19q`c_ux)zoZ}L;)f}NKd*1`9z=t!Y;p~X^IllZ2 z==uvcZP`VeDB-nN%GkDS*qkz#J7wf|jbAy8X=-B^hcw;6CX>YHYBpJBUC%xd1Aqu@ zB~GYO?DVDEv0H?R+l*sRX7SfE07)H$E2h`cWd&WE!`;*Uz^I<5gd4Hh(!*N%dBdAqt7yn zCJ@U96c;a(Y2b`F6iciR=P13_$Z6Yjgh)z2H;SE7{0F9e&mx4?vZ8Z8MciAejw6%= za>T-%aJGtPEF7#^y>vnR`mEUWkrN=>ntz-P7W2#Z>TF(R@Opy2Q)rt^5ArceH|R3E zmDa^Mf?w8uSw&odZtUzkUDoyr~rCc*T3 z%1jP7zQs9IeF8i)J`a@!mxw!ljr`W)fhIwmNY&w~+z7rvFEw%W5b;L;15Mx^o$-g| z>%+UE~8-dG~<_XxoA%V2k+1SEnD$0ysPJiHaEN zX~&7R##EEmo3BmV{j@D9x_<{5E6BToZj*bL1%)nG?*EFfoe+w*-+3eF(rA5hZ_6cA ze39Su{?Ff2o4d)DO``jVS!l!1neES-mW$#oOQ%k%O~GbVB%SgfKE&X>WybnlEyG-F zNRCoYMML6tYGAr^cGw1td>%CNetTRUv-}}<{{X0{*s>yGlP&??#|`uR=j(Nx&7Y%a zGhEZFiiCcuVn)VsL`(eMfISr9;LzggP?WZTeRGT)dVM>c^85^#j%qjqpdBZjY>&KR zNMvgz_O{$|VILU*{a#oMBT|c&b%ATGA5WpIxoo*{_abywb(uQ&;&5!pEIUca$L99C zQCO)9Wj?T_qn@GlSh-V)Ce|1LPuCiH3D|NSMs}fYlT^sd)Pfg!OD zc&G!@_iQXZo}x&)a5Bk1#;P^{8c3WSUaor1Ps3D8>oOuO%@a#xwmMBG9gGEn^?tN+ zeYCvGd|8<{19Z@s%TM-G9lI&kZb+VBdjmMQYBO}nb(wxwm(u$A*vdkSSb=JRoE8x_7l$6}5wmPEZ95YfX(Ap& z{g+)n`v*k8s=F5cJKLr%Cp>NuvU_^ka?-_#v&vgt(MXORnsseX^b~>0?R`6;GX8x? z4PnW?G63qbVePG7-`9M2>-Zv;4csOf5=CpR$SF+^-=S{9d{q3P6Ttp=R>}S9@$J%S z9ixPc_;t}GFh)6%2bhW3zbQWSgQ5vP0M-tmI)}VPQQNb-^)4{4fku#z z$+`)QM$#0scXWU(?7A#r?7d^KNy=pQ5S6hpWdT|A9&Z8EoVm}RR2oVzC{ z0-|3z>Cdm#X>MgiYFV`H5?S#b?00Nbck-j$@WW2f3qn=)hF99^5)2(^?>urh)oyV6 zNMgTHW4HxefCGqJgW8MaNny!URC&o;okc2o>lcy{HB_y_I1!*0p$ zp=z&Wne*>W0$GUjr%G0+zP#NMjkiDblo_^XdKY?ftJEg1<1+LS22G0SXi>_1x3b6; zSf9M+(w_jNGZIcGCRZ|Cg?K18Dst=Dyn(_D@S=X4;kj9uWy!c}hcJdkdbe#jhO<}i zWd}HuR+~jr^-#O(o1POtN*%;RQ%Xn7NQ=St5f1jhdjwY-@{;@6F$X%*>Ah?+1pCSv z65?_5vZ+45CW8b{h-<#JAU2)5l|DY<*}9IvMV*nz%mDVHWTgjGt=+2|SYw$&?ZUC< zm?qECA3Tqiwy=4op%GO=;r#uDAVo9&Er}Cj60b-7O9w#PV?M+Twwe73bIZ%B-O(+! zCqq=cmJvx{dNR4%3kzl}18$%Kg473icni%7aa-W{_h!JOClf0;T@pi{I&Mo?!B236 zezbt?rzU?;w+>}CVY7JUQ$R6bd5m%)j_$GqY=TX}03=P4`OtCc;zfA_VeR>^ufOk? zDtTW&4QO*pM?0Oa^+;Yi&aFm;MMrXQ4}}W0ZxrAN)^P*iN#)B^->nEg$;F0uCljh7 ztbSjlWdD$n8X^@;yfHrH_8Arx!|unVxKF!9{xCBnXz5nJXhVntNI(M?}JLoB|UvFK6=JzRmc z*nF?IL-_>ghMr`Zi-K;!JRdr*_l)7digBg}1Uc}jPW|pv@r{AXOG|sbzpKTCUg^dB zMq9IxVwdV)GPu1mFv_OsjFcO&Fuqfk0Lz{MtK8xXGq z&?sH5aFyq+0&|=FKG18Xkdv?84S(nkq2MupmQ}XNn%^4g7!otB-ST@Zr$F-Jr-~&I z0Iz|c#1HG%lWH`x{XmDuC1^}~hsv|oTvlP4<3$zy@D>Pyvh0qcPMH}8y4f+%<4`|u z@-K2CTK5iR zw6CbH>(F^$B`sC9u@X5xo^g3T!-?sAK45sL6(jooIpWs&XVqTkVG+xM*}{yvQ0~6_ z!1{I9shrEsY|SbZ_ml; z{h<+#i(vXvj_~2(wRmb8LPEu1^~n0U25UC~VV5z}ubnQ+-OICGl?cH-76I`3k|Ves zR>aAMZJ9VM%dObkp!<<5YS&hM0!_HO>EKt;0An9_;QE@^h{f}m`{gEwBVHo;H#>l` z^+BI5rj_^V(qzxG*=rths?;VpwARK*y2;2>q?ZpRuFrNJS*3eCUL-xp)1Na*JLKrw zvS#e!m2W3reRG*;wO8ODEH{yT5_JcGUMMvlpxZ%>1CPrCg2b1hUdEj)MX(t1ic>j% zhlR8VGBL5W+Ff>nR;V4Scd1!>){ALJq}$q?{vs7Z%9lz=JeN&>H{`*-r+H@*eYPBQ0 zSbw0^E{M0==CPhu6BBt%lM;R?&^D5>%f?6^!oyg(W}G%)ZwuRf~1x zs+o?zuY=wB2EsC4oCQtLd`Yk`+N?!U8dHJ{)pUS)!E~}iD#kQMA@(nmY-_?);`l6- zVJ}rJg`;Gv=uZdmmJyu8EY@*@$tfk8Gt1?&4aK9DcA~W(j%-pvuk_wyDZG))TW)8D zva#!V1OH6_={O6_6_Wcy=~k5d+&4V(5_BR?OLZwMWUnly{eO1U@hSFH?Ini90D`PT;fM`LSihjiByv*dK>12R>#Ak|DB zPDV?=eh{zeeekHh2M+m0cblf=v}P3WfK96EE@BpoC_NFKVv%)+42Kkc$n1As>74k5j!2#xM^Upa34^i6p}n%)%f{+@!?em z9grCDN_lr+l0`$Wn>YGk!yLci{uL)J*N=Chq5AtH!(Eh@YOyJyrE^R9fp323`mHtp zhlR%!M?F02vMsC@V;RTdv{7&?%hp>%uDDf*1UWL>vt!2;7I#bWk}e!@1{fU44brq&Vi zZI-4-`6IH#I?g?LDjracc_!~P&r$E8=)M_X;=4VvN*MIaQBPM%#~1r%j@uA|U_pL4 z1KZEBuMJEDD5dfV)9^7}gC*{;*%`CGE%j6mPB=%G)+FPu)9v9~9T3}_#8pBgctE&( zv8z6pKOs(QZy?)V>A#L+G?8>ne z^Cpd=&UqXt&?#*B$seTZgDqv=22}wV7ecLgMnxQHejzz2IKC9iHw%^k8-`9+|M?Q0 z$dI}dkFQ$$uivfzW8q|?qO|le-f>t=q5;pRht(*4VUpoqqixrm`Z8Y{arbq;`OvQ( zZlu3$1;d_+CCC4iblw2mMNO2i{^RJ;Kkj1~i8rQ|W$(qpwv}fsLFdSJMEli^?5UYM zQUGnUE=`dSgMmICO>`7Q!=#0ts2N`H0VX5vQ_=0zHLOa^Ja4;bXCrq3` ziBrT^6gjqYz5n(3jdQRiFJgI+X(R4?4m|+8BF*g~U_BTy`(S*+AO)}qo8EW|QG+op zl;;@LLuuHn72Qyv&- z0I4p?z${}Xf<|0~^SPzBx5~1EWghXz!8IDH6fS#Oz&vHpHHCwH_RC>seM2>AaQZoI zIx(^^3U1A<4z>VCPCfu*Jm!^3@{)h=yT;x2?7 z1IP8|#^76E+c+wR4L1R;L{xct5W%^19B}Mku`G-`1D0BlPyQr9-foN=or%S|24f}b zZV&5KfBCM96On3HM-;pvncqF}Oma}8Kx`SefA=IQ(j~=ePi@nJ*Wy-*pcAcqGwB=fuv&KfoM*{-j$({d+au}~uXT6hQHW8=QM?I& zpU68z3t{&?Rz5yI1zI)c6ozNoe2>GsWmTV%V9IV6RGpmEMUBTedd!~=xknsTn{g>y zrD@9PFrv2iK%<|7z_QpUJF20WIry!=3w8G~wUhjr^C{xUO>J}fR-TH)sreg;T2wcc zdf2A6p@#+Ys%6Ce6P#bGpfS`mMXvT#ou$s>rGv2gmpHcGtSG~hYG0c%U1pjaDBe$9 z9LglY2I%({xQ_*x6FRD7e(lu+qF^#xl1A3EkE8#WG$NQIk~(yXe(>G zOnsWra^3~Np9-cV^!PQ17DL5DER*OA=AbU2OWbQq*5Ziok~@sHYl1oG_So4uCDF{V zLHEModzkx;<&^o5FBg{q7`$7#p1y+cIOxefGq^Q^!@Fv0a`127N^0&+qw+ za*u&Gh+|f4;KN@a4AqY7_NyS^RO|Yg>j0?cQ{LaxWm0Q?f)OsFy7S>{P%Fq%{7@Dw z*)0#IV*4z3uecm@W%5H=!=g(-{9{mHgML^flBMe=n3E7%`u0HURzLXiC}bWU(bNU_ z*B|!_mTUvJgEV%xil`)B!p};;{zHW^On9atPD_`Wg1+o^chggDtoJ62 zo&g|Rep-K3T!r{D{q`pS2l&vX>k|*f7ChWLxUAV2#=EvS8&M?(Wh6C?sN`@upm%<( z&>JDWMt*ru-$B~H0_)_~TEknbxAt1y1Fwc!m6?1t9G zRVy#D7|f|y4*|K9ADu3$+KZ-{zPq~t!IHQOe)*06u}BeiYtc(iZ<6y3DGV?yA~pv$6|-PbT0FSm=shcE?LIKwXq4kPrQ{ zd-HcDwUjN^Vas+E>g6Vl@&dr}>>xzIBjiU#g{FfCCKIs_*t@I&W{>~?>bZeS`^yg= zAm)mn%BD>EcD|Gq30N@)wFTniZ~!F_FPXlB|LHRA6*(Uzc2xyhNd5i%bl8t0rE$$A zLj0dT)}aQbF6+?`(R{aYnFWwa4p8GZu;+Owli+C=vHzzX!P}egUs&cFJkvxN7~oFJ z8b|UYn2;lYDfxOW(JZQ+uYLl81stZ#ffrWGj2yrq-7LXIw7;nY|9|t2iwD0YFz_5| zda0NqwXkJ$RS#x6_hi+V^*6=dKNCs0M&pCt_yeV-t~QB3up&whC1FIEH+}^(b&8fm zY2Xc_l0qT{w!gF?X-}oBbCv6<-Y6E~qFV~~Gl4`P8Mgkd{Myw>v-!Wcp@)w!ed=L{ zIXFed=r5`IG!yvqwXK%=Y+GA`g$VC*cO)-xC?YBuqpStqEbw?eJ4oNJY}$)nG_n>~ zrmQP-tsA}R%H13G*>Sc6P79WRIAICgI`~0Gd8z*Qf4Yx05xll>OW=Vt2l@pa+^rmbEQ#|y z8D3z@p5rj5ZFJI3rZnH|qof^vOSAVyKh3ua`^}qZofB2UU;N4kzw!!q*Q~1C2R*V#bfA9a@ z3pg^I_HRGl$Qdp?k-Os@ynQUljkg%r;efYbkSIs?-(By_yI8+nAg^WHSSr_VgSn0! zj;3}h1fnm6D<{(7jfbe>e1H2`8|E{7n1f?{AD$IQjzJnMgH7 zM_V|9DAHucbm+rpj%dK0RCu5loei~9zr}F?5QIc9=Jtx6?{&PN6aab?v;ZdsbbEzd z1`QlLK$C@@h>Gg!f%@^g*wGJl&B#YwB>*9$f&=M`9gW{PYQ{6(zzyOI&bwq_kD4UB zmPjvX;BNG)I}vsE7Neij?^MzGhnjp6fPUv%NKm}*=-CFpgR6cmP*4qqGN!*mdk0&t<;^;PGs=fxxjfnUQHOJ| zv|4cmK+BWBIbDLVv3;R(1)|;KDCNcc&`XRC+d7bZM}qK`21c-45Of zJKX3)lt^q(YUkn+J&ukfU=<946;nJpUoM{d-#jM1eryHK2UdWkd-njq2Y@r}cd=!Z z@_*|A{$mLMB^8tl%k_rR=J3Clr&b%O1pwm;pk?-Tn_r4}yuy3@D}p%uet*v(NQd_K z1C5dC$ypnbuQAv?YVcm2A0!M;#kfFkw~=SjoC5lcbLHpz_1o3c$qbJr0GF7a zOp;^k{x7t64ZRx}L?7AlM!u&obKCF^p*PXuzn-Ok%2IfJ3|wjxzf!2YgWg~vjtC2j z2o2j`vdI6w3W(r5pvAWTk_0ebWtI{|2oP}(Ai+};dgGqtF4&l_+~6GsmVY{)@TI;G z;kS|zsbJ-^Fgb;<^>}2GiplctdCSKt=`-}t4!>5T_od7p%O) zaj%K275}T#PRa~j1IZ;<@BPmW+EB%W8c2Ik%6!_1NBhNOjtt+L2Y!g#J8OJRzGAbn z{7xv=o~;4FmeavbJtanH)9bNBbf^i*E>#sJ1$y2I)lNX~5hSXAoB|VX{r=vr;gB{$ zn&8?Sz>Oo?uh4cqg34|93M3?W zf~0KuRaMF`_v{{!?F7E0Z^#C)nV%qFJb!50ddEo~fOZ4VZK6K$&~t4DRN!O~2BFFB z3-A>_bU%_jqyn5}0hewTO|i8^FN;7ts()J%ZaS0cB!C+l#ul>1%y6P5%0J@MJXZ$E z*zbs}OVJA(eXx>W1Kezay#;KXC@y$Re!6Er5>$#pMNq3+CILE4ct9XJU`FS(@i`c$ zVQd*?4(vtv$xU5@Qvt7+IS{WF4MnV>xtKr4ON~bDx+8XRgWb@NzH(#3k5RkEiP(>T z;8CSiVfXy|*qFsH(EG=aU4VBXpLCw85ZN$)Q9=R2rrTI=96SoThK>cR11-;WGn`Gd zur{W=8B|Pxm%00BV+tt)EWooa={))6cXej;;`HK}gkl_GMO_IjFUB;2i2w1T|Lbn# zf4N8ChUVZNmiNCj`1z{que&QX{OIjRT!kP=1(4!AN~b%w_B)%NS73c40mQ60!`DHk ztN@ckc4HbNw7>P>DUxClOa>el`Z3ye^eA+-117S@xgnrdBG`a4Yn($9BOt_a0iCZy z47FK6#^qr?ZZ_L4Ke;y&Y-X5c9z{?AxlpZV%7|*SRun~J9b4@}fb zCA#9a45oMiU`pw`bCiY8)zNxWCX3DFG8NeGAaWIE{&uKcf0amQW?qs{u3JdMf9fG zcQ+dV*X$+GQSdg`2DLYEk{Loj(;|=70ZCSgz*k@Xc*>g7eJXYtEa!>I>yUs>&z~?b z(F8JZ;DA&bZ@u#5GiZCb(IX1l^g;DT`W>#?kLc%9N`=k=6z3d*(C5C!Rb07~UpX73UDG@R=gR)7L%1P93)s8K21>mrh$lTmj?ja+<8!=B$5^;Sqkm0eJ0!%QoREH{$ zKoC?4=pGA7Bz~FixVl0GdOLZCD~Bt8sJltqkJ(Ow2^Nlat}m(IWT_lgV6FO+JmZ9V z1)O0y(Wm&iaj8&`bqC1mwQ4>pwvXE+!of$g!#>ge|~$M+TSudX(HrZGZB>l ztjroJfWlt&Tf5L%=+bRZ5GwVHJV46~EzCQ;zuAR01(ls$0HYk|6#tJy;9gPbw*dKY zfP+2JeSm?-9o-2s9Xx#d&OH@K)4v3Ks7L_RAB9>?#`&|k_QEA^Vl%@Q@ho( zLXx%4IZsZ{P2EuL_Fa7M>u8xG`_q| z&=#@yL}Hrb0FJ#xa0|HAx(8W(0mt;Y8x{>nMTfY2lRb#ZT~fm{6}=Z=JDU!fkT58I2`ONL1XD59Ij$ehqQ?zPUK`dSGy;g zWW_vq`nqBH94ujY(2T4Y6glf2Hx5N~L^h9@s@)V?tTHQAcoae(^(?jy4P$o*gXU$j{R7aixC3I^*qF0+r^5Up;Y-Pr-nlEOat&2gKmF|9ZUL?0;Tb{xO}u=D0- zZh|3R40>!40DwvIBzU9-0rE?$AAUWy!+Xgb*e(hJmF-7-E%6Gf(o(L!nJ#Vb^Jcm9 z@@|;}f2Zf&d*H%;T8WHvGm&sw>3!7c^>Y>iMIk4sCG_%Nmc;& z^3yD7AZb*(@6d`7BwX?=xr>^<5_}$sf;WJO@qQW3&u1PRjOs|a!ZcRj;CY;`pfJc{)ii92gt+xawmY?bZ(+;igl0E_2_U}sc zKS-2?9x%5ccrFgfv-ZgFX*7l;&X7X&T)_AopNh2oc+!ft61X3b<=OUh-PO{0pcCBb zY#=%{66$K~a0g$`3p8>r_h>VxvjhN6~ zGWoqIb01{RUAdYPWFvjh-Dc8a75#cbfr(b26G+cRk8-m-mH|N%*YMWiqU8&dH#t?o zz9xcmjMOsC36SA6_R$7EmO#f-@QzB@#2JI2F|~|iRqqC;NO3$&n6hIL3c?gv z>J}c0OJ0He+S%=EH?2|~<@UuY9=vT?bF`?8UrE7LfdCJJ{P2?d09b)`xCfCC#OhpM z_ZV~f$@O6l*aZc+j>=KllEPdKrnIQh{7G}On=R)P4pfi9(Z2TyYu%gkWLVCD8;{Sq z_(w@K?=UI_C&=f1G+TBij>Mj<4A@n4lRnt0hXLHcGsUR0L8C$5iM3zOyFl>)~x1_ z+DHcK@ShdWPXHVs!Zf`zHEAL4;sVM3L?=<|rxjZGGD8zaw67`$DaR3%Hr(_AYFy{a zY3ddApOsUun&wvG)wTmP+mRJv?zx+eu6_q8^Dr$Nr&&t-SdMX)3|B~3`ODR6k&j0u zqZWiZ3N^EoTrLoq;&#hPgWbUWYT#L7exEm;db}~4-@K1~dWYctO1@ap)0C9CmR8=| zPp5R7*5(ZFzze)dtu@z1ta@w2mI5HakDe+!u+a z%p+OqVcI2)j~}7n-%(H#jz|WMX_n}&=T04P3vOC#hnSS+I5J)FD?_j#Eo|=gaW}Ds zjUIsnZp4g1(W?x-V9jP&U87J30D{vYm)gzyaYCp zt~gLq3Sy_EuaZO?6qk-j&AyHuXQej_h*-kDnYPYQ-qElP;=e|?&lR-)PIz2={=SEi z#wQ^n=VuKJzBkae&qG*h+6)!ZnT|P97j}HH?q(hK@OU-QLg!u z62Bvw@HP1s)Sw}2RrYq3H>c0=Zkgk?{yVIJUht`iuKp4JR_6GuQD!> zRv4_^S^W3miY0%%bwdMm{*<_fRX>X_pPY5FTrkq;zL^~qv+mi1X)Ql^oAw=qe9XZH z3WeNyEdiGy=R>`gB38rirNLaSavVJAd;LreMQ)8=ObvK~^?EKNiImsT@}Y`wnCAHx zW-Fuz-4I;7y(myKAewVE2!-b_NazOHRyG+o7K=#*?M!Zpf6s?OfoZny)=vx{XoX5p z^pt&hj1cPRY$#|DL+07VCFyfbN?)Qun0MjI6R&4VGiF;4#O%>)tx)%vi4=LYQz#!; zu{N8*_BAbe8YRj=PAznVnI1_>E!hHaCdDxrv}Fw^%hwAHYJ`^)R;)D80hT<<^1 z`UJogk=h8smRJ2ogY4e{6WbW#k$IkU@GB<~u?E z3hNJ+U+0gRmio6MhhHI0@HqpaCCtRuP)dD{eY7Y$a ziyAYaS8vD?*i;N>7sm<>E^=uQ($JAMXVY`GdsTt|@GZ;EGP~pTF1u0V%~yxVi{X4vN|a?Aw6 zsM!ZhEnFqbsG$ov4?mFW_`DLV<0;IV0v;*pi&9*7y8$(8(ylFN&$d5*Ti$a|&*ozU zdpfRAPmmEgX=j+Q#@o?HIO>QZrCf=Iv+_yfKth(qMv~FfC&B=fIm%{P2Q!Pw8`uQ3 z1Ia2K>E1^GVYa9GU7r54F{yhl+ZERTuZ&4W-~OM*q&mZLLF?Z$GLjBF1ZwSL5O<{d zVvmA3#TwvbX%8V=G;`%leHHQLG<`f7gO*<<({I3nYs}#S*+^v;Gq5}7M|?Nl>S$bW8JyBKbB`24|@)h#cq4-R;efMLg;^6 zqj==B;M=}5QxS{G6c6S>c#-<4$76_B+24Fgr+*u0o}qv&4^gVPPA%NNN2XG2$(=H)}2~hW+nNNx7fc)fg`f z*VJ<&sMPmgEcBdS>@N$K3K;5EX}yu3UT&_4@8WVS%#G&()>qu{P{e>rMbxjBK*&1E z3v)R?t>vh5dwXz^O=j(+ZgcQLd;YHx`#)}QGTE`-9A5kG;8fHZf}hl%!SBt?22y^K z4A3D>37U_Xm3m~0GS!(AL|~W(37Y2va6vHWaum6c=b*V?DM zy`w8#AQmMYMZL2YP5Lg7_f-qO0R&AQtDQ%!h0D`x7Wc9NG-%nGGZh#`3*@mD?sXi0 zvjn|Q^)D?!^;R!5>a-}nfVCNfH*LB=ed4h+^&c5Xn%+=Pd|$Im~>KWV}1USMKCJUw?!NwMXwz5 zu2@a#!_aDZSZLDm5dg$gayieusX_l=*jOTA-TDd6>`4Dp(u_c^+#%XjU~p+?6CIZO z(l+XB;9%qTVw4!GtP=?2!tqGd`|?~&rK6MOy4C>V*H+|E3nJv9aff(yP+XxeSC0)? z`%3Gc=-I0le)YHm8Ln#xMwBsg>is-{t-s%=$R8w~yDFL8d3ASnt0X`eL0Ra$_e|quqNR@VXV29LNEPj%s=b?ly{acQ$$)cYxe8KkN<#t*B{EO0j3Ty#0 zc-gP;$qJl$5R%dWd*YNZTO|ph-KUBE4(VF^GP@v7x-JUtSp#gmkz?*y>rTBj5c&5V ztmK;w^?Dg;7k_QTLhK2?IskyVM%B};CWc-aBba+9+*=DG5r^3ILI_(sY!=8@AlgfA zHCt`oStH9JIUb;7#*(cQnLz>I=2i(Ac4Dc%L{tQYkuq2!Ez}?VSpO$iP?YB%yMlIe z{y(^a>J1kkcV`kowx)C`$&YK|taB}EX6?wob%|G{JbZLqQ!p=fc1gb42zOW2x2!x{ z=(k@LDIK%c7{77#O7QDVXk}i)f6@NGy~&sG_O+d3SMKMxw5&$JvXd+!wmHn{wZ7Z` z)v?o%RP_sPzwBR*o#sH-iMO9gYE;Vi|OaCRyrW?`j`Z%ATWRhzlDE&YRUZb9&>f~@psRW zUiK7xw;PL@rLti^nFN393;BU?CZ~a(Ymb%v064vpS2K4b;E?IT-RJT9j_Lkt@t^U- z`XR$rMZCVvNW00Mmy6sWsafEDAIqa6@#3|eDe0^8vo4({rv(12-M*Kuv6V%kM@pnC z4Cbhc#`+4p7P`Jm!@UKxV6846ox z84va(G~m*Aws2UPZ57Fn&>@P{Bz##h_niEpXu07+!0*=`U|J+|ucMC|2p!x~ zIksQ6cmoo=MlK6T2RC9VNe=<;WWv3c;yQ_7R;LRIzpgbog68D>3;WHpyiv3ow0nn+ zx)VUc|M1^*28ZdXTK5iu>fJO&EdVdzAV`Z=19u!GUEFYlVC=ML9uC!;BRN*OJy&o` zAkpl3Q;EVS3xScEltn8kBCcP`!@S}gM3rH|cz-wGjJt^Z4+flwS4{t(8gP16a7DN? z!U?s0a^RxjrS6>{I~)u@VVE`ysqPiM55vi=Yl-!vdQ$zqQ7Th3m^IQ`fHg`!-3%2b zLQ!Xguqa3WWG=-lN;rZ)hG1WZUck)Vk!XqZl>|o7tK>!!xv2Y-=j~KXAFJ>WiZmto z0S7pB5)21~ju2Bq&Pe{w{(24P)FWL}Sa2{M?QRPIs6|7zY%#2{-oVu2gu!s}#VwNm z%h8N6?6b_6E75zDw_Y|@M{k)mUsPJD>o*82bj4&nxpu{vgiu$QZM+H_l4l&uV{wO7EXqU+)J zl5yCwG4E9lJ52GSip9(pZ15vVA?}9OAtp3{K!|oRuOHaJrC9U&;C)d6YKwN=e z5i**$wK9d#geOwcPA@@A+DEGYv2pq5AIRjuyr>|}+F~hu`Z%`d|Df%y!=iq-{$E-e z=@O8V0i;VQ6(k%)>5yg!Y3ZR$x)B6KkQ$nyMClGeN~EMix?9q7&)(18`?=2Ezw`Kg z&N?fSFbqh5^IW2ZK8~K3q8uzA&mbUw}6-1 zpA@sV^x6I%kR?Rjl26p2NXRRy9x|o7r24#qE~r9XKR^_`c;et*pq#h@6omW?xrW)Rw0-NV6BMjT)l(c;WunJs!|i&3JcXaeHHDWC@Jc3d}R<2(0vq=Qmuk zMDIKR@?sW5&xwc?E3rNGjVUK!%#nwtwpT_ucm*vA9iqw-7e93&uo9{&D~pulHt?@n zewy?3syZ50vZPYh1BJQ4j`@-2{*QJ+UxwO7`p?zFK@X$%PQ9GIi4_?&76jO;o2`5T zANR(+&~f=%{)C$eqoDtP&&`~B0o=g<6F0N%)&GW@86DE%%QV%fb+EY;b2tGX^eo?w zu`nC^(d%khJYL`!3ZFY~tLkvL`NyP}zv(e6WNVfT9U~u=UgnJE`0scX8dK{vxMdoL zFk?y#k8}MO`trx8f1)od)Sk!j2~p&KKlcY3j{I!{1K{(I>fm00jT$41;r45 zL0yquK8PU?koX^Yskk9Whl20p3`!m=*4Na3GO@*SZkV~Z-%aL->KRtfz*=i|!0K{t zt7rS_tlgkjH%C04G5adYeLciWFSf4#res z{3%()87}k?B}y$;FS$2g7|d@I@|nZUYJforRY{o38$%Rx=F~KUatAG;pK8>}xGfwr zv+S5lK1ZL4`+L<%Wa9xsZ{`p-AHD#)jIlHT#eHs$-96w=rytAOk$UoiaDqRhb4mHF z36mMWw5+bQ==4u;7W7S@f$_0yv$tqMpYh*q*$Y3tC@My7WKX%7MMt`)f$~s=8i!pV zp1f-biOv+i(Kj&C)v(9-`N0^*Ubcf=ASwQ=9=yB!tPk7ll zS(owmQ|mBl(TuMaxbjUE)V&iq#zGs8=Ek-^R}?q8_RxYz8nn+F_W46h&Vez;#8_AB zU5`}pK#Hc;yGqB3tgiqbWCy&A8lqmx>nS9Adq11vmmFBTylBfjMKmV^!ofXl&5m(8 zy+@DkM^kY)ySEJN9I;HoGYV^&@?Zn8A%r~lQ8e{tTe4+FzG zg!sRkhS?BOAlm3*T7|r;lI5Kh10E(#XzktE!Xzh^_XkP&Vce`gA3e%_%Wz-SZBSkM zt~!U6ic{NWH_E52yJuJqs0Z3@?*VG-Mo-M1?@!Sw+oc;*zKry)iTibGdGRPW30JE6 z7}TJEO!a4DE_AGp*U|&0==1hghhG0sCoLMK2vrb)k*OTyH{B{^>sJ>Zgi}x+=GYs_ z+obr7L#vW?5Xc7xW7DuP-Yq#p)jdeijhh^h?(DeNfz5ni>djG5c&h=AA(9FZEpPi7 z8iN`1M7-vXxMXHnz0*rkwof#)d`jnc#$!z(5!d^_ZubvJ?AlJ8)liwln7dz~ik1mP zu+)j6<-+_7XksmQ_*M@%Id*P%^?TS7($H5eyHdys8$BYCrG9dSrBcZxX0Km__J8ME zro8wMTuV+DQ?P~poogA@T}9Ax9sK&yEJ#J@_!kRr71CW6^GZ@U?OZf7Xjn z!{Y+;`$QT1Tt%b5KDn5SGQ-lFb!tLCcAjpuH?G#>461Hl%STU*N4&b6MRsQ9kDc(_ z@4Y_-wHy&4?zvPCdDB!{&zEL>4IId%l+eA`Z>#fmvOXge#L{+2jD9t3J=?AG)pOzf z3--~*=!bJ|?qTWms@A>a6qRLl8%1W88z9u`DghAc9{Z0T>*2BP-8@je6}sNSYDHH3 zHD4*<0BK|@furrS{#c%%c54h#cgL^iyGU5=Z-1`7GOgXg`=$v(Wau}^4j>tBnf^as zHjYZRsQ3ycN-nu|b)j$Fy#|*Rr-%P`n?wNLzWvp8^~5}j(*C#Sy8{B!CJLTL5s8PZ zAY^Ds!#zvU_D;R;oM+PQV&sMza-(xBDQevF^(ObnDgx)y$__H6k#~rMCWC2iN?*4? zC%3mF^+E8GUr{E;l6T5#SKehp-IjKvBi^G*{?-}cAL7woQ|s7PbT-5ZphjH&EkFa_ zbmI2Eu_+mXNB@6gQ+DzGWj3Xuz~gMPhK`QSFi-B)wDmYy;zG04`$z3b1a|jKwj=hf zB~SRDoizUVn8j&V%yJU=qog1GK)l8M2*h6R>IhFK^h~)_`NGzSY!Kk0NeO5bjeiMN z7G&#ZZIKW=$)GBG^G-VrO7_R8890{LPJv0|-3v(?Vay+(9-j=61Y>Sz_5H4ngXJoh z_JAA8YOmoY_x<`PU3tQagGMF2?J!g8Qs}pe;aAn-2gs_g5>TUOvEE*k_N}C(w{ryexRy% z(b{{z3xdKKvFo2;!9Ea)O%G)rtzy9tQYRCvc)nmJ{GD0zT0oyfPCt7vJg(C_J3iqh zFDbp~L}?$@0_L%k%N+wVQ;FIT_~`7PNo;?F*1UPHW$3Y->7mQ`H4sY`4JItfcZTC$ z;>z!2^)~C3hIu!(fcQRk=b`l`SyyQD3e4`F$HC8zsbC{29CZ7cwMBs_2-yy&4cFY> zE!eFF64%gjX;aCT@aDTDa2hjXw7~o~6Xp3Op&^1k?ffle%`+jqeccsg#~1{6m&17eh#(Vy-< ztJ{MrfP)T`E{(RvWj0aqutpxy`Va6My)Pn3yANYb;0|vynzY(*`8TIfR$dX?xK@Xo zeSX&t)D8{%^1VWu4o%(LJMlOi3t!MK&LJyg5`~9X6KDTVZz2%A12C2C8SZj3S7I4VL+x{cAA>6aj1( zFY?8tMy0!Qnu|qo@M+@ig;U;vl|AN7m*|o=fxqVDZd&B@D56D_fO!wC6K36>iT4Fw zKH_cqwfJ-G8s*rSv07gO@1=zB0U~>l%jhH{+x6X{FZwgjc97d!Ut(mO-e!(OpleGV zVx9JgxhzPF%ThN`y!w#tz07SS0B_ug4qSA;3lZZ5nY*J4*R2Qc$8-w_e67d40e1%( zfU)o8yX27Rh_qMChASQLUwh*Jlr;(e@X9W-QAOmtkesdm5z2p@<-Q!* z;xG9Y7{WVMgBK=X6uTj)Q6oYmf5S}@8eBS%5a#hu+i38I91bl6o#Q+cP%*xC z2Cxue_sJtx7~bx)rueMl*MH|tHtK>*dmX^?p3X25GAcyVng7BWB>Vk0wq!JEn3T$b zd5JFLXF8iyr@s)3J=|p*`dnWhj6vT;00thIWxtN0js-B0u}oYFrIM5#q~$iQwDZbS z_gV!8n7OFrk9)Pia5Q7(^w{HLYQ4^l;PIPbl!P$s4!Q{Z1YY2@d{mRvYy3!#2uDRS zB54x^{lih(&e+=LZ39t9na9=f_?xZtJNs+nQuXioKyyb=u9pRM1M6N?U<@$Y2G>kMF% zxpUI6mK>`+s$(_RJWD^|b?{;xST{xY>!=){-eo^&YhMlaB6&R9uk75Je$9rB3t!{h z+_sP1_)}yb$^h^q;9>K#O*VXUV5ctylc%Cg+>MOluR%20Yr6wuf!<5n3%>{j)$^X)Ab`*8W=Qq@zU9nC{z`xDJk=ZgB79ixoL?ms%l(Z zb+_V=?$p(cIzA33TX&UUV`D#RI7~b3^R=`nt3H`LZTzr$`rDh)rr&4Gz5ktv&BgCk zrkg*qr2pVBQlk-@j zlCy23^$9Y%xsf$(Y99lK^_zXKI)KhmqSWH7ht$8%JwOEasBiTNKFzqjuQquwiTF{9 z=_A+}(ZWiW*v0WY!`3|b(bFH5=A||K=#pTJ^R<_;E&x;lIag=Ye6sxZo9RZkn-4(H zgw;^`(R!4tvZ`iQ`Buc+ecT=LuDJr$9G1>k4{i|Au}#;#`W;#MFpB}ELO@{w^JolQ zG|OHhg?7VtR71H@PUZvv_`rEN`Ld^kX_nK}AUX8`_299@%+?fuk@jWo-jAy9I}K0W z2fi~ZVDrtOO*(KM&%vH`;8!Cii;8EI^2DW4cqeGyoA^2kzhC_5{tCr7je5RG|3}*& zf((5dj$pv9>UO&hTU1R5tKqV-idjUmNkJ-d(BL^N?9}sEFslC zXx@CM%K4yMa@Xk<5%P`I$T1sPte7;-kHJ(Sjv^1ZSrB#NFv5AKio2-nM+7)0WZRVU z(=MiKor9BaJSZ^`81G<3J|byK-J3>u+TJy6(3u7%NUd?>kpp02jzAe}$YPKAByWq_ zPv0X;j^tQ#&rVpcPM8{ed=VqCI^b$Dd%8n6xcxk(T!L|*o?z_s5ss+IhVrU7-;9lh z{s$X4R{I4o`Ed6kgh=q>(Ej-GFc8a0YYD&p{v2Q;y_GSG%fd{Yej3~hdOX!o{XBT4 zJ%$31_SSM^U@3@y_V7NFyad4gM|3Q(MO8*>-d09;KYa!7Z)tQ+s$I03<@pW#nz9c` zcM5W1B0d*It-8D0hL{pk3_z2(lJ=X}rfxS7rbbBdbNOer0#ejV&23NCO0wVNEx&N+ z)$cP!41$Ko(_Y5#pkxm9ww+mGSPH5YV}twr3aDqPqlK0O5n-%oyI6ZK<~azc?v_XG z#qoWI-Fq_)`nb$Ql?Ndgdl?w@r2SGDXhw})P1MO{hNtf z?KHAy!tvDKkP0}G`JnMf*?7)!FoOYcZ@u!c7;QG0w{DGP@F!?gQKBvIyb}`jT7V;Q z&7g-p2m7;wNxM=qZ*;FGC@IQ!ddOkXc0Ak{PRC#+8ZW5uI9v%(&TgJqm_BCXH)+E{ zCt>JRo~|ZDG8yXV4>}m?>*qvTj~2<9x1Uox7rrgWkw$XRB!;S*-o>MHeq>d#L6kX=A7AXyi7#ICh&*&GV>-kc8|}fLY^@^Bap6g6H-^8D z%5_dp-Vx#2=oasy=*yp+N}(NeCcBOP$B%#!Qr!GUiFGH7MLjd<)j$AgTIOrMbmHCy zkuz1XR%zwp0sA}`nXJbTO`2d92FV{k1C2SZNC@62#({@ql4*vFs(nw9 z=#VJIHi%K0E5)g^yB%5NjYL^M4>mRrYAY)CwlV(_4~)-}#|I(Yi>5z z4-<@)JP4}+-D0m^Y+;2=A@?_dnMf`Uo&5GA(wSqdpVEh4Ry`lf(yE6uc<8qdoC529 zRki^2&$_l9;9%o69x;Z}u<8jl&)x4rCTAHpFiKo*#Bwm&E#4=%SRJ!_>o8IfpA>bh zFyR?LC^FLKId~UE6#P-d1pE3mGCrvXuf>a_$@M9o;BC>v~$f-;$G z6sCgg^kViJ5=|(Yq(D+;Cfo8(f>$qR{x3Jm2psUYR}EK4*wetM;Ss2oQUA)Zfpm#d z@k-K{6XjWmX-q^XDhAw$n2Y(Ql}CtOUSGU!fZpF$OyKq~#=M0e42OfjsAlZ8!Zx`~ zO)ae;eO;65o}l}A5uBA2Dmx1FsZ@|f5=O}hYpVLDE;VVn00s#+NIUV!J^<9{xtg*1 z8~A`>;MT=f<7qb&H%zw$OSoTAHf0H8i5i|#oRY%kH1F1dK-1M#Ahz^H^#KD6vSp~( zho4TkCoJr^_?YA5cVNxjo~S8)1B1Eja6hVzEgNiGV~Ez^Ez?8QkC8f*t%Lg8I`x589r@Tf@k_A&6GoVH{CZE@`R^hxlV3Fub9Benf zgu-OzL>ZMtb>1ENXr;axk@ZpvaJab#24v?0p|kcQ#(2XJ8c03ZObZUg7ePM* z`C1UCJyZWjmk+Q$EKU$-`MU;QT)$?vpZa7cReysIx|bo~dGs=1RaCKszAHY@Qt@Z# zBZQ42g$Bv@*D2CIbqDACujU^vc(NTV3i(}o58g+BPsH%Yp)|4l&7IFgO^4!cTaZt- zKgi%ddl5ID8-uw|)eh2q+#vnHtNVd^$uvy!Pqbr3h_eSG5(q)1)&RS@K=oY)O%pAT)}+av{!!%&p04CC-snT$~8$yhVo+hEJvP-)a2Y(mx13 zm`DdsQ^#szcD)C3PFtc5_%#pX$CWZQwnZ$;$@wWhqs9~}3P7l30_?uTF+)kQ7(L3# zuR$AAPNHoVf6$DTvIBE`+wc3WJ`%tQ$b%>a;f$__LO`Hfqvvr47-3lI^c&cQ7J<}6 z2@Y))*duN#FV29v?OawuS!$YfQ(lXo#wu!8Q?=At50gF<*bt3m|O zce;z{W-+D>VoC|0p*dqlvFOW^r1L0R>8*ylb{y83wBvlMw$XMq0yY9Z0L%nq9fW8Q&yv`t|q3N)@zS2aj?H~5RX zFo-jD&o+8Rsv)4Ms=89o$1fvoIxhN;FmN1h@aTP_*h|D(QfWBk=WEYNw22F=70_D} zAQ!_r%4*jGfF;4<5fbUeq6mq(6bWgt)2)~bJ zLkmxK#$Fl|F?2o5<&LVrm3w*F`VzwiuOaQ*X<#76s6#^zstXG8oOg{}Qb)7&#b}im zKiR8p8bPE^g$(Tloa!L#HFJzj%~m`QkLo&&&>Dm=M1R*%XQ@9;>^ZGNOYsDA=q;A= z7<7e()#+NIt|`N+c3(JiGCH&A$S^bcrC83ZVlvXTGIs5&yaknu-BF3TuS!@Meh)D7^y|hRUtnNj z(B!1b2h97s3pUKR!eXvx1JP+R^x$US=8DgyetsfZ67gnD4Rl~H!PCDF#=(yW#kzi? zI>Ot;k>seoO(S;x?iRvrw6QUwqv8XY_RB~R=kYKWP0^6^ls;`!Gu-0Ze=PP9}Yep+*QXHyFG!uiC zbHV=jC_=68mJj|KZ+lX{FuYul?mB(WRehHC1ktQ=1-dRJd^T~d_42PkKexb?2bd95 zDw-SU)+e}c5f?(DMPKK458C+#Ud){sG1PRN>e?-y3=M6vQ^I^BQ}~j?T>?VRrbb$! z!bRR~P}T&>>$U6!=O6R>f!}(;H|IBvjUfwVL8+&sA1quWqpDXCyF*8gWnE3RL4}L+ z#j=P|VH9-_^~qzddv_$Ya#bHsSg@Ssig6A$DVdilX7F>U#rIV)_OpzUF1O=%mFj-b z*dx#z5i_c*sfQ6el8V#<*w5Bcv@n__1n`tmNxXXcCI=!Iyt05OJX>aXI*@? zFBLXQ%Y8d3!)Gcg*=u6+q?bdg2ir}Pi|yj%d$DwLO}R5eSD6t*t+0i#u+`A|lu`5M z&^~-{@$B%;OuaibOY8vCt}0#InI;1zU$ngUR6O)V^{oAI$CS}el&FhY{I=_$>5A}s zhOinz$s9N7u2gd!LZD1LKCz?Lu1lgD%XJY*GoO%8=(4cPwNE>@K_{U%foVpx!f^l0 zE<@THyt{hgDsfGSJ6bzu&)B3I51U00s(v8CPdq2M$G6~;MhRY-6 zTh?H^CpoTxNg!>-)JF}KgS#`0UhadxY!yszSXlM3p&)sQZV0W?7uE{D9=o@M-UzqF z(=k?X+Hy$?tC{5|D`cfK-_vg)k4`??82!pE&QB~Mzz0GCq`^h&%?!>M04r^&Yb09` zz^|{ZUvyWtmu}{lq)nX_zC2)NtXK0oW-fSI^nJMX3V>4S-<4i`$f758jgoP#(4 z^gBqW0bW5%3EvSp;dh`~Hb5BMo=~N)f7;IaOsDk%)wQdYLEiS(r0FMK%f(j^Sso6n zqe}`seSc5D1GlpV2Y%f~Ct}!I|D3Mz#VohH)^rbYr>TjdzvaJ z=b;8w_^|&TiYd5Edzaz3>X{z~+;54Vm$A&}x_a5I7u*B9^R+iO5%A6{QU7tl63hPG zmy#SnG)ure$Kg`Xi#m83((vMAsMJ|bXiV=U>8zY15&X`Zq^D(In{n5dkSy`QldP}7 z7<_`{cq#^NBKSm7$mu=>r;`WbQOdFp9`!_(<#W|SH3W-$X~XS5PLv#an?}(-Cae1prBk=PfX&!lbo2M+!=LQ*Dm;&^zX2MS%J##B7dsz$z}80r zwOYswBCf1k3@Pnk!!U&YQh^6NdeV?kB;8dsR=(!X0Wp6caIDl_)`nX7A}t%dp3jt9X5EZ0T-l*Z zGoB4G)u*8avj528))=+MbKoA!N$@(|VW3Rj4%3*CXg;IHPa?nbR0SsRHr^7*2#E{E zEM4wMr_!F$^f!GU%U6BhUoOH%2|CBjI!iIV_ZjJgU#h&!!RRvqO?owP86jA|y1AEo zlMZ>v_)b9~q{Dn3OSb8FbDSIYNyn}edfJG~!Mt^K;>D<9Fd_avFW9Sj=7@hGQ#^P4 zQKz~md897on949gN*v>K2dIHD3He=}A9p6OE4@A%Alop&lT}{7FZ+ez0ybu6fon>i zXfd{sv6N0~(;v2q>(lk_n}d|;7BIWKP34J+z<#Q;954#&cj$@S%#s!bsOau8CCa{3B+|Jy#Y z4A1!jNO!M~!e{|_@o6%T9+e2w(=<_@-WuShGQ0^$P#^7kPs94L_K0kI=^Yxfq8j^Z zY|~-sG432q==;)bhg-+}H_e7}E;0(M6YTjkeY(9*0URa*+;3||Qn8?7ldeaSSeZzdLMm*`|A*1p;W z_flpT?nLgQq09mye)|h!G!e5eHyH?BUkjQf^BS;tm^>8&!XRare#p7suZ0`v=EXq$ zfylwPCew=(@OIW4+~9)u0gbWr&YrhP2IoK}$llB$p{rJ?#LuwNb3-@q07hdzwAjZx zYcu!BF3pn~@B^DcaEdFbo$@v7VU#*{OrxfnUe z-DHWP)W_^ry4m@2*ll}~9jrl)F{DB97)HJOZcG$?6ax+M4bB~$YTx-5^y*o;8DL~i z_iSbawR!8S;JW?f$V0X<`Csid9aUJ%t3{f{MXLpJkyLo}{HXW_6qK4&Tun=0h8^y> zW7IU8G>7x)5!LcTKAbUDG)p?v>u03ScL*iO%bb>bJ4uyCM3y9I=CI*7d;Jjt zMfVq^26jgwW>4gPPQAdhA@IIf^rC}d?Gn<=nKA|m`0);`Kbg5rb?47DC)6{a+_nkf z&3%qKU{hJpcJBdQ47)d3MJ84u5Y#jZLp{`GGr=Ze+MCE3-&;N<>~@v+mu|^_fAUYh zfP}Lt*OT|CB(aSY%!;^C61AG)Wj`&?tA$NymX79DB^s?ilm*DKf}2;SH~w7t_>a#_ zU{w*XUA(J|aVD1uHseKLMR=x^ulMogBL^}o<}`f-3ef@wOx{u`Xfd)3rv1W)0eYvY zLH=AVK2zfea|G@Ux7&+5r#gud64)N+h4l^ zWc+wTL!G&;hb+(MfzkWPln50CMQ*9R)~$>dl)whkuFe<+iH<;Qf)4PeC2c6H@yl^! zI%W4md-91&^GN?2)HF3EdY_+30+NAgPXfDEK5*&03=YBoswo+YfTi*_cbNYK^56d0 zGOQY{-f@X;-#34*q=RQZ{KouHHaXjw&x0MjSi(cF)-mp*TGg{P3e^HUQd0D=z&r$& z^V8kksX|bs2;()V`;{jY@K*$Zf6p#%`{51^vHR^%dcDKI0J?qUM6I(WzI6l=BSQvK zs|*l_??mn1O{JUdF0u@Pj8^~kJhWfT;jWvdFpfh&TTE1tlbKm8q1B?fX5HfbC&a%?m zyH>%piX`aChrpAV4*dYxa=Flx-8sHb_A_*a$jr=#iF`)VWGhcR zakpmbwQc8`3^a*hIjk}FWNNzj)~!;j6aLaI@o!Hydxu73AgKI)JO1B(^zXaDpL_>S z23e>5s`#(#_ZM{a|Fjmr@T1e!nbF)!WBpG*{a?KJ-W`?7^70{x;EI2(us_dP{^K*_ z9$^T(^xU=;mHXq|=RdyAKfgKuJoEL@noKh9wReil|3|MG$Bcmx8X->WF~LZeaHm2U zU2;PKIt_7e;WasnNygtVZf+>r>fF(*ezQ_AtTzo*4uepe)-S*X;<LQ44rP-bOH|loVQ=gw#=r;Q{PSiN&Kp>EtperiM)OqO9jb#m^s&Aqe)&sJ1S2RL_1Ko?CYW=;UD_<|#gJ{S7=anp-v_1=Gs)_J2G4?#gS zLbF&4@4a@Rn%w0wpC2iBnP=|bOCAtmfny)Bg5DSVtNneLqoMjhd?=GIobH8L5}S%7 z?p=dA4Pg+XI8{h_9^C|KkQ!Uxn@g5*SU2(hgWrb_Fl;az+KV-d?|=jlq6&hl%etE< zZ~wwlR#VIrz9w(H$8C}qXFjWijnG#=*_pAy@p$&P%N2JAQ_IKS#otn z;h}Ht09S_cH1IZ?9&e0VB)HDzKWB0T@hzvEHaD|88nhCEY63W0!MXtGKy7^hqGZtx zqMMT^Q%sTcsH_2<)*XO$wyaBcg_8{4&(K)1i;SjczBXw1Rl_i-_Y1ggjKCw!g&!cx z!1=4Xgga;idU=0-BUP zO#A3BtO>dFhv71ua#t)KKCM`wzwVY&1x7?+G@S@OZ->U;wyA(zyjR!CbS4G(;PhdZ zk7eXB1jq2;CFsdge(6BUZ)^3V5@9LzC?1SMPeO%2mB<2IxnmTrv!J-iO2U1I0u13w zu{;N#zT9W~87vCXCDJYV-(a*C9u3vcgj}b-wavip1`zm$vn#z_D@akG$wif-1P+5ATTh}1;Kl+7Fu1GNzcb2t z(4>UIt?!+=sy%2an)Yvf-FDc(iiRmH$pL~WZJ$sDz)`o%TNbC{)rY(jb6_m22W3}` zkov^S+i0*;(5LbQ6}1RR5SCehD@~4SQtoT$`{%ax2VcmAKYTJ-OM#f`v0?tlhCYNf z@45_lI5&ytMUO<1WdpIB?75?N9DLqc#Ho2gHwzW^LsXioK$;$OHIb=g$vfU8E=HbZ$8BLKu7xX#*JC=?WR zU8gi^1AZ9K(Q+mx^%)KXfko8PM`6W0>G-XK70BSMg<7TWT4JX5Ztu5~JO~4czK%ya zeTnTI;8ZL&xjX5XUUUZr!VpWdqRMR1t`ix*F6EPX%U!EBYzq+dRF^a@(@;3GVehb z=`{Sm0u2CL@^d1u!HZ*hSeG!FOf%{bT8_Vy;oGjRL<8c$Cn>hNJweL&D15-DPYc!7 zm%sKoi+=-QkPJu{)O)r89%LbC0Qu5*@C;2>OdX6P78S8X)vKdc?&HPz-#~8=>vQ-8 z%21Q6)HzP^Ex@k9W}In_zr!*6V{aIf#B*;T=uGD;=rJgXQU~He-fXmZhQeP6Rv^7t zP(|~?wruZ!2GM`~UcjOpn*1GrrF^$4CuTGD^sau*5VW26M>nHa3FRuaPPKKC|7rj+ zgE%ham8{3q^UMySL2@L^Z;&a-&?f&HO?&DMgsTpqT~HJ*f}NHM90=ZQ@7H?X^5{Jt zEz;CoUbl7w!Gh5|3~MO_u)aCC{O+&}-?y0WM}Smx%-q-;)iTh_ z-wTZk01H1Hl(M=b81KEx6pW}~`AuE}OtPJz<;#@4|NVXSXen+r9IzFMeM1^Z*bv?x zJlUQ?ZL-r_Rz&T$OFWM^wCLe^s5AlPw&?r~T5uM@_;GSDZ?|$Ws0$dEym*>aSVCH# zHxW?edYx>od(i@bfvUvs3kzIDG$9(A*0?W9{C>PT7XG8kvUv5kgWpBk zJuAkHo}iB@lA7<+BF*gpZ)X4dpY&^;;&U`SsU z`L6(g0v!?}8@>k$NF7ylDqZ>xkB%} zg3(KmFC1GzV*pq4Q!aht^p}RcOjdR2Jkh_e6VCIG&~;$ zy1xgYL7~8#uBhQW@vrKhA!`;R3X1l5bf(#pHYL3|Oc(>*3%yB8tQM{aLcDcW7xjj1 zh@W;IXU@8K7w3UawCb3rzeV3D-7*NWfqz4hFC^>lfr&Q-@V;0;@d%Hw#QJYp?EjSX zQOIE+s$5n1)!-mB>jccd{6xpAbH`ba)k21VDUc-t>1-vLhl?@7Z$cS`1>-C+CVFo(<;L4E*HXZY)Wa>yQPn7Kvb z>KWMX>70{22Lt8VqV595w#Jv|PDw&bN;-=T0K=@|y$eJd=J^;H*;YFm! z3IGYZvl)D7`Pu>4+${Xv*iVXTWIcv82k1b_VgBCtD^Flk#R66unxGZ^*nOBGhZ`Wd zm89yj?cJ*HgzbDM`{W?*R}_<);wSJRkYq(c+lnFL7$xSc4P^zrlPG`V+kml@3R+m^ zzT+MPGOXrtw_biKQwZdjGd80JpqvVbiSz4MTWg{R@1atMTfh$);2{*RQ)Vb-!>~Bu znz|;-`w2aWK->7EcD)0ouWB<}78MrX#y79~0519w5$O7rA&&hK*@t_IMB zxCWwIB*->lJnQ^*qplYWCORh2q4US9Hb7sK)>M#Gn)AJ|)9Q*EC8gE*WSjcVeHw1d zg~q1>k|y^zi}RNC+0yWc>%7;GUS-b}f#%xe$&t3LAR8Cr6Hqh~ ztkPNiH74-EhWi`tymY|xxc6Z2?P6YBvSfRoAHqLylU7Wv4JCybsqa8H=yIA!$rrZfOq6HO+IWjE6s(2^ahdso3VZcjja)}HgNJ1mvV_Ge7O#-c zJw?Jla=0sf>dlNPXCbmLseHK$nt}Iuc-`Y-dv`|_){nbB$LQdxdE}^Y%?4X5eCA1V zGSw^|{s2aY3>`z4t7HmqkrmClSSDmh;Ui>p*P4_tLu3jGDJFPoHybtQ0NN(EOQ5T2 zWdl^`?>4zA?cUS!7~x2I>2sKd2gjK{L13h(c8V)BI*IueOEpWg8gjj%gf0sd6ARs@ zw8+^=Fuc`wH(+(=@B%0qQe4f#167l2VE@X}z^GnqKt7^Nr$Fj`<}GT<#4XgZ8s#QJ z!v{VbBM2o$DZK3D<|;?wN{ri2-b<|yxvFwmN4?AA*p#szlMH+*N(PRbZ{=<6spj}s z1e0Th@9p=07y}vN45{^AXIiX7*Cg>a$a+yxoXza$F@Owp7=1~nNyZ{8)dgX#T>cF zT49#3A4FDY)=8~22jqRV=Vx7{yOBDJZ(DCASUJw2t9gi9Q0EF(xt7)#)=D&4-Y>l8 zuq@}bPGP0*P;EK;MrXG}=c?^|_Ps*xf+_RZ^vx=U_e$7nI-_!k2LKMQC8b8Hx9m86 zG(03+WLrt9GgUM0@9@4n;n~g_rcV8p>@Uz6NjxPt=)L}8b%D0kv$uHA;?~&wj$}}c z?U$}-df3VMR=sp`*EdIZv81`8Up_LY?B8HR)Aok%FVYuB4JYPEbH90OG%uZ9yO-(N z3mdzMY)H;D_h+_x>*n|ZO04SE1JGm)u?TDVTrln-le}--U^A{>3xQU6s zRWnrMp}%`&Bgc75A2IAtR!nj~ki;@}*DmCrPr5}J%1}87BmtD6ULMg&9$?_J(9dod zkAts8IzsBEy$uwUey&J^;5RcolSTXk{u*jzrFx&K)b_cN3CLCS&-^>24dRLj9z=g-`M5EW|gJ+ALhq%^gjLHL&hfkS_tR<^jH!&OX zQ!q%xO|a^D>IWUl3>!_Uf=}tUAPh?Lt*eRZ&-SNDCAD!?$2R39f z7Po8$4*zPKv$9U>vvmNp%Wk=R{Nw?;RSHeDkkm@CegY`i6)D(ty^*9M{*nB}2D* zFSMatB&y-b9A&m}SNw0IA1$7AijxddGzj$eqnn;k+Ps1r_F=cy@sqZmiZvvK@O(fz zj6Ock=od_pMKITnV#6niSchLepFgEipPm!y`)GS53Oiv=9%%H%JUllHS$)xW=)33{ zdi=E;{*O%WACkrYgYNvr9q6n+=uX|w7p}X#K~kJlDF?Rsj@BDYcQes&+0ia^7zUDE!KF%Iz%Ug>1tOUQVM~ngP;a#dfR-X#5EJC|c1OHQ3eS`rF4E*iM?8Kn zE8x=_h^;yv?U}X3<&IC4SD8O8r>pPw!#toL8p~t~GH9&~ornPu>ybU-8vl5b6b^2u zaaCq1xX$SOxe4xV_n+FA%fywYoe`8!ki}Q@b6tKwOT0kMlwohBSppHMX76MYm!?|O z^1$9A7>*GAvz>-c5?=0a>Me@Zo2bI#)Ge_imUy~3URG9D?X(PKZVZInsrx{K>2w3m z+^D@)(2`?yi3W=WfnIS%uqDQOgLXa|ik5q=ln~`MW2k3RI9rdwtX#d@Hj7C!`A;G2 z_bK# zkTH=19A9`L;Rao_Nkf|o7h?b^@rvNIc9c|L_U%1`q6WQzG+6owq#(2-^Dw2(y6RgG0*7t>cM$?*q^@xRt- z0E@yyE?V;urD%IdTWlJmAB zS*}Mf%ySbSXK6%~ZxGSP;m2qhI3;hE%dwtW3})DkqTi_*cN*VPWIV;%R)k@=ewY?! zc#AKodJGNDZUd#1&AVf&p0C1s`I72OB~$SggR=^n6fwyLFFv~O&dSuLeM(|l8s8O1 zgraemF$RGYQ6Wpiw3?T631dlZ^_zl~i`nvb^l9pJ1*YYgRq-E(5X$B3Ud5n0a}713 z24XR4t)Emp=fZoNfh|X-_G?2DHEd>+R@S7W-c@NSw!m`+_oKs!0^Q3RT@4*NY@IU~ zS}T_Y4y!YKV#DW@N~5%u;q0JyH|<5osJ znA1e;(@{mn1|}ByYvMR7-E~~G;*ZB4u81&~l=^X|O{c13`zjV;Vm{((9JBr{Cp3xr z5+PPl(BMmII9S^hI$YjUrn3ewTg5(xz0XtIyB@z9Qz(RdctxH9L$qa`zX?$Y25rQU zj$2M36P2qDI@xRL%Trtu81%KG+EL{yr-BX|a_%00+Di60bM(I2>@zN|r=2OSlY{1w zB10f6!$&OWW*uoD#zNt-^=G;9hJ9aKyuR?bgX#z+w9F$IKBt6z+6Kh%qScvozVXUo=$a|2D zCB^9Jvl=6{p1C6E=d4(uid75;VWgC~+`lDY@zev%M=W(&_h@-a>>5*DlEJ#~o6xlx z45rtpjOaYRfNL*#geeTS&e+cVbf|2rlcIfcEKXwMx+es>QoMZrhQ`v8Hjt<5x#Ro< zFS+ybwe-B+b=9CWLCFmp1NUtT3xhS0XKMSU8*W;j86PJ+OM7Mn!$bBZ*S$hvz)vQl z9qgI~=sMNDF5HRqTsn48S$Z)gw)cf|7DL8OC93;Tsi%Z>ia)@0SBr6U(8ms{2i|Ir3S7Nx0kl56G6HQ<9uWPqmmuk${OXA zQv9%Vib(BfXq;85V(t4E(%#EDVxQM)=5a^cQ{!Bi=7oHc&Jd^Q z+|5TtOKH@2hP~Z}(10(S=4%*o=4GpNXUsc?qg9rJzm>xF%RXS3rL2B0ez3lR?W&a{iunvY=TA2hLYPg?~EN%YiNsqpWY{3x!$;jH=YKr zs5b-&7%E@yL*!N>$+A|K+>hRoyb*BOe<%C2>--izVx6C6zy4V>{8TFEf_f9;?s-}) zxC1XC(O-6?8F~2V9yPlr39kHJgJG99feyoux-7e@Qw$?E5#DT^kWy3D!Zs+3OB-MHJ|aGt!oAA?*- z=iLRpbRuPU&Zh_``v9STcKyx+8shB&4x4|l08#^w3sPg|r1yMJ->n8VedrheuY&8J zNxo-KGjlIvkD|gg3L>nFUDk(H9m5|_`~AMs5?F7Q0d=#12xm;SA1Yv^@^Hjk94xJS zwhy^1!-2@%-Dg;7CVT+8CGl#5K5Cu-VfbU4#Y3*J2!PuA7DYDvHJoz5Y#zWTNQ<@0 zKE1;l2kpK(j)v&deuZn>No+rPf693NtQgMirXscJBfND_MKO3$u{M~18oyAI63=q+ zv1h?ewSA7^M2!<_r{pcgiA^ln5@=QdYVogmOb`>t^;$Lcpyv7p3)58&BhbSsMM2DE zCq-z!mLHMDFbyCSi61qhFtw5EvSh~z#+fU!3 za0Pk6ETxMZ<<65rpUaYtZwSV|%j}FG-)Kk|qS51Bq@#vf$}dGDJ7 zQXA^Nvf-Ogzc5?}Yj{(I9gvsF*24o!GALVpRSg^DuE)a3UiW9 zC%`_z4C%%SP#Sbx2(iGpQ~}}OXJP0~ox>EH+sz@ls^xJwLD@hO^wk|^G|GR*P#g^$ zW`>G#)}ZH0(cIM$$YSqQHzcQ{Q`XQo8$Tk@Gi!#aN&oQb$roACFQh=asY?UG_4kRjDQjxtyw&Fl^2xZSgX7=7fRK_7$*?W)7zR%;lzSnhL*JpjN^Y{JT zez)KGm)qHPyx*_ab37jR$HrgTLn^(#vY=tibi#SA(=BU~5uE^z&X>-TuZ4^r58%v{ zA|{#Rp29xWEL3TRNyPkmO0m~193I@zEXV8~6+!YlDRisczag#UiAZ4d7|b)LVOuPkCZ)Xy4ec8VUWr*hdLEz&7%R-V!8ECfVeZI$bbju+_rY~;r1 zBu9?Wgb^<*cS_9>yz;~-D_uZm3Q?NwrsOBHuL{)}l8xOJ zjR-DK`1LH3pbS!$*|-=BR!dH`Zo)2&fL`|zLebZ;B9`WU+-4DT!`WR}^Tg&K$GSZLXv z(VdHPN*Ng~Fu82~B;56jBqLQ2J>zPeHIETxTQ;;(UmCyMsNAZLk<9!0O0R>5z4qdB zppN9W|_c4bYDsC)3z?zoTk!T=s6HsON)PZX=iC9S+}j@J^lQWe|prIHr(!No0?zUnQ5pdxxjBqO2X?Qym?VCtCbpv}?2EPy}E5Sw))2ibW zc)loB)S;6_%^}EL_^QY`+|2!O7D@gBR%`<7%nG@2=R}lQPl9yXlOJV#t4hBXn|N2t zAAVJASZC;5n|(vUW@P{2g{O+YV{NWRWNC8sme;S`Pss@rB+WPWSR-8=pzIrveF}?5 zwND21JW&jUHi)F4b{64gh10$pOs;-z6p|Y?Q;Dd`E!f$0a#FRWo?$%GuuihJhvgN_ zqgadDg52K1DKGr(!U6sTL{9U;DQgx+g{gzjd!8A-avS%^d>QgDs+b1i2Ary~D17~G zS(`AJePYe(^z2|*=_`+mww`ikj5cqKDSie~^jh-cE7#>SsA1Ag`G>!{Gz_WqMm=Ov zezR_azZP@B&OOZ6>;Tje0u7>h8PV1HZ-oR3Dz=h@+@c6y193-~2alEuQQheo9m~BcJ10IJmuIEo?F=^81mnepPRrSIs4@2C=1{ zMjyhQ@4ud0Fd2MD#OnM~`9s8TGg;k0_ZodoFn23 z|6ZKL9tL%DAk$+9> zb%|(yV&UE^FLu4VUSAZUF#3ptL}JYB&D8RYOjA2-n0c(RABiAJ@VJZd}!pPMHfjn%1l3IK__x9(`xz@(c z32I`eNcqtByal`1R_k17DstPcooLe#M$ovj`|X@@7Dd&^P}DK;5n3=|zF6*W&Zx!9 zMyn<{FZO>TKNIhSVf-TTV5=I*m=@1gVmhy=ns5re3?2kFJsff}Y-Q%qb+O!_jRN@~ z`0BN^U~6rPOg`M+v*d$@+`qw}D#&q-ftR_OP{H8x)ymp;0@jLA^w#&Bj6$u6OfVH> z#v~~tkC~U{H(F>rO=;Q$jYYx1$jiyl9lL(%`A#Mug3Iq~;BA_AYCGiGMdeX88Ep7bh})+&cTvT{d!`w%bVf2?Fh!?B~7|A$gfD>871fMIC75+wO(i z`7o}>5o#g$LovSw%N--}Q7%W7{$9`P;*7oR*EWpsdbNwlD@G4C13iSA z@-0TI`l#C^g$8FBmyDMN?+7b+xi-6a_tojBPj43!1W#qRrZ0U{>G4*cnt1LzdILGD_2P(1ZTI9 zE6e%DMGegi(JgyYXnv<#uCobEmZTEXigVJXmen{(ksG>mNw*kOqw3n+-(5#pQMHR? z>D{w>LcBc^lnp(TcbRU)2H;TF(8f)!4%%f^hFTkkMn3TIrktW(R39M$%@0;W z!yM!EHNJz7A99UX$9%Z`XF6FKa|;H=cA6|C)pmYU*F+TOM@Qone{*6wvjF|zLD}9QG>{Y8Qz00GQGQYVz;dv1t*xRO!M2@ zXtHixVl1s}4TF%WDbg7#7K|$2E{$BHl_pNqr#}>-@tcGd|S5~d-8o@8nk=ZDW`%_rDUQZ*uvTlo}@Y~z~ z<*pSUOC1!qk9pij&n>sub%Mo>_m6h%&RqUiO}V6(DUA2|eLNj5u{1~Q3|%xKTg8!6 zi{aB%R;rYxy|&N5mN`jnq@O3c>e9ZMHKk`_kj`9CY`w_~P4g{iNMpWZEh~02+2U!OwL%_+RZqhE8l!nRsV4R-1uQOdl*0-{(Z{?>f!x~a<>X(p6tq}C* z0k~{A=BhIFdKRUL!V7?zD6Z+yOq9`MQd&Hj+GFhN;~)EJ9Q;P69wT}8!n3zuk2_k^ z4---0EbE_h2-alWEu31rzHpC?=Z(lP{RK~$-&6LN^w$`CAAuImm!=i0uzyI&&j=c@ zV?%y;*G@B^r!y*Kfp!B4D=6o(j-s1yFHvXatK5I1X?pe*sh?j5R%ELoOpKfiHa~|? zN|{eY%6R6!t{R#*m2O01O#nIMtD{q_Q}5%g{+=-OB_m#?5EAJ?pq9y#=p4_3vU&hg`>=lsb6?!$|a=DOGmM$7_BOeeGYWI^GyhUR; z9L|-dlDVc_3QsM(CQ)NdujDsbA^<}>dgwATSXk*@ldG?Xucz@p2o%N<4*CMy$&7CG z0J~;B6?=>UBFFbes=vQ~Tq&n8s;^rDm-MPM6CpwCRjm54tAhwL0^-5A*oYmWSp+Ym z^~NywGa&EC++h`&3)+Yda4CK?@9!o^KHtP_e>Xgf-M3Vn{O3lwRWDl+$lOZ_1JC<_ z%6`BtVD;@%5a~GGdm0P^#FF)zdIPD8emZpmVE1=R$8FAU=dEGk*Uw+RLrB>Di%bCF zEK)CTiXdpNy-(0)pOqT6gi8kdjOIQX@LQqdxl>@-4UjV0a zKjPkf$|Y7r;&{&O>@BHNb~5g-OB={8kgtAhe+f$81umCB3_||gJ(Axf6-$KItv1V< z3KVA4452&zkZ+oJpE(y)h$Xm5szwgUdhU~|4|?pEtp3Vm*Aax1Hg4pkHV9)zfD-8_ zwo`t@#*j;`R!pT;&GKh0ksHhU+x;lJ$ul?bRqsIn$II6MD+ESZ;O0Yqx1uusNX`j< z#wyb14!0~VF+}9X#{qW~hg1S?%fHT^*#|=vf>_&Bh-gZCjo$?aa-5=NZuW8PyttNcv$q;m}CH zK+IShk6XZn6$CTIe38x{4I`OsQXnIdIBUgGAfXM9)wO}i{D2yAqY)_#vblgmSZNwz zOt1N!T1# zCQ*%(V5x?Awv$E_ejBVc=5PEfrBy<|*@<1n#H+kvU@@X1ubJ@cQin#|O3C8d>A$2U zBEr41H9twjK#F~8X|dASp;64O43oO2l~y9lo+QG|S&q!EdA$Ujr+X=hu9rc#=aKV; zbQ`(tPb2BN6M^wkz9PnVGv{7;zTP;D=WK&$DJn>lka^tNU zthk9i3p;Q!j60Ro3u1ElLP5F~L(3WsmNWOGW%C(i<(H(%&qhkmGUC_?z_}UP((HAr zrUY99m?3X$PAHfifkcd-Cge~Wrcv+yi5@8@+p_6d`t0{fU^^!|Vq+woQa^=#9}6Z6 zj}Rco6MypY{+U3xPy>wRY;UX6mdBT4S^EiJ1q!*Qims>0aq(CI8&+Hy4{%2}`MVRx zgq$<%jf~h8nXf|z5QH^UJKlZCyOwOB=@2gB!aS&vzxh$KYx@s?z-wws~jLnS;hK9qVHeek+RJ*6Z}Oyeeaf3x!CNUB8rp6tTb*R&60W`4+D~wMo~wzge@XDKJCVxo=E%46`0Ly0lPy(=fU2bnKn9V>1rc09X`#!ffV+ciU_K7G>>_7KB~m(+(9sur%nDk?&U#_jvQ z-l;Y9p(n%YkS%=CGG#I5%q7aU1Z0{UcP#46NL>(xuu+vbe{QU~HL(;0g$|-4)Dq&%JWxl!jq?F^nIH(1oui z%*fZ+g#AR661H`(RdDYw(?1h2&y$5$+29UOH&i_U34{v zZp%Z|me;WgG_r1iBCftao>Ka^DhV!wcW{>+bk~ok%T>Do&G$fL%3Kxl8B2YKv!TvI7bO_*JDG=q`sw8S&_A{rdN&7|Onj0b#$j9hpMxa)hW!mo1ci0D(0{)T2q|Zl1Jx1wFlJ$@7 z2Z-~2exsIcd*U1<*695;O$n<)Ef&J5K3rl2A5bETsW^QB1MhOM4VD+#^s<|7ukP(5 zrI{L-A`WIwd`FcwS6ZJU<%~vjVs2k+m7B=FY5vpK|Iil)FV6&)E=7;n-e9wWF>Q6J*R*UnmCx{wGKHrX#1l1d7n ztxCktj2iteIw8I%yjdB1*I+Gv#z@PU@t(0UYDD3UnfqExc?928!j=aLNxv`SxIH=Q z7VABFmezi!rtLhNUItgEgpHqD6?>y(GwhcFimzv8!Zn)1!Gyzk8pD2hP{L#2)j|a{ z;4kuxs_%YoGU(j#UpUb;qetK>EtE4&73(-Imfm@h{FQy|W_~t9ck}8<_1H3aT?eq=@}SKWA}Uwxt!Z^;!y{6(OEDK_6uuY_XjtWzZ4 zx?&tjr2d1qFA^-CSdb1v)Y&P7BU!cd743s3ZTF)?osJ?bY|s12Y*5VXSPW zm_=bGZyZ14{x?VSzqw#nVNZDA8JbVtxri)oJ$K^tyN$)}RxmM=P6hWn9nMDGH?nKnI1T)EpdOY^Z1SEkG>4r*j* zvebr4fUm*fzTiIHsQC-p{BWIOR)wb(!+c|U+h1lJTK)!#B#8WHP-Ng3$uDq}pN6O4 zgF&IGA2Zoqk#=>Gej84sIfS#HS;Q()+izGLauzmUM1MrEr8<*GaxV>j(DhD+92myS zK2I~$H#{ky(`js|f+ra57iCh4oTd~Q$ko>;&CQBEW8WkdXg+Q7`#@iBp#Ee>7{{{w z?~q6^)jVh=AV5eq@HRk4PsT@+4W2z38&&D;dw8$|k5ll*k)AEfr zldKkx8}FfsLo5C3Nsc7z*K4fn}1w|@*~Dk0Cnx>KG~M2oZ8i|-{`u-zcWWZxcto} zVxP9R&KiYlp{Sn^z*=4{^$D`66mX|27h5ao<*}|4rSmWQM!0A|pEK~^fFkk8{u3zj zCy6OE(AuNEM7i+qS8nCRRmNRqymkbWeRL63Pct#OgJJUwVn!#5ht-1c*uU}R(hQ+> z4PaUMrYLwR&pCE*;4U%Rw|Mm={xGdsX=PhGi-O{I6OIC1W&6LAB72+vds1YPg?!uj z!A-=$&gSi)r7hYKb$ee2?vsf}R7toZgCesVwu%QZ(;PTxn+f;apzO+Ydof-*t0On7 zQWz-7dt{d6$8+BOA-)&m*#_bztQl?X2&|4bT+a2@C*$bedZ2ur*p#jDaK02{9M)nc z)Odl?z@pIte-`KITS#@6nB^o8b2s;?PQSBFW-EN*|!4IcbT>vf=KDlw<3O zfVjR?V)(}IW;N}@Cl{7oLOv0#NgLqBwLM_mi`!f8p4`Ljj$*vFTE+j?x&wh}llwnQ z>;G{UymZ9X;o!5_ggc3$lWhI?mD-cKN1K zHM0WYlIQoEl2m3A1KUHzLy3QAa3ybFnECGZzL5SC?d)~W^v%2*CC^>1?-%+zSP$~V zOgEj``5Y^>x;ms-pShW1clqVSjt$7;FBPKRKHu~Iq>`*2ASr2myLlnuS*F9o)LUb_ z()N%VX){fm^vU{Km}Tzsfi%qS7}*UOX?a@AwT@0^#k8;WOTcOj+`eGR_#( z>z^O<@^MkOFfKUH_rmE1$}NIqu>~fzHb$?+6-hetSHpfJyEpwh(;~+bnen!IT=o){ zv38MlN$%0|<5A&P-f?!~a^v4mKbmKAs~=q=*;>V_RJt^n>4HvNTle%{s!-X~*>oSW zEE(E^|N#-68pN)rv$UNfhq3h#73B2tMXZ>A1bMZEUkQ-7&mExORBho%iqu`DKZz<6rP* z3-pqhbsDB=!J z8_9_Ki8bb9;gHX7*)qUPKs!m`+gB^O>~Fpr4PuPkCHU(nZIXs^#)qOmnn&zD034vR zggc2=e?p{*&YdYRB-`*MRD1h9CbsooP27E2ndOXC;ZyxV<*tkkltp7CB`;!{eT-#( z;s`}qmApH;^lI_Y6`&IW1-CcclY-_hxyz^jJ1n68{d2B3oJZ>1UAVvOnR@@C+dcYN zW6$^NIt>o8=dlz>jG72gAhokJm?XbTj{MgkNG{lUOy4Wel!8#%?e{WOW&$EFd}C=8 z=+;v*XbUoOB8yh>=u9)R2>~X>#o_jjV)+94LkQJ5ApnEY$5Fi?ARxec2^3d{1)F#S zefyvzL5uDIX2pE)KhPk9c>XgDQZcm+jj-%K@(I;~f<&SuNFhXop`wBJ{6mE+Z??DD zXL}M^LX%C1u<8nKGZbWvbcTjWp5o+}&)$!b2f9w+h}pe=a3G(J{0j#X*Ze`sCdXP^!5H$YiVe}AvbV<{E)e8cGF&qP@srO~+4)PEo#^+-5V{zO2&EYQjS zabdO)t_?#Kt!ubPQ!&5<*gx|k_7LK*CUv3%ImTgD79(;mugo0qe}S(~@A@3dQ@sYDNc%x>Zy0^6YwewPdXw7yRr)ffj%WcL+8Io~I5cfphr48ge=Un@K zV%6>QiwHOGo3keo5w?L7Jvxi^AMO#r$9jlt!E@Nt6m zysDa!LK7uWOt}1LmLwcI{N>YHP3IJa+0)FUVDfJ(|M37hW_~c!d$$?1R7CDvL`nP+o&amI0CT#((6;g3##cKF+y#V+2)mIu47jN>HU5?I z7zT5%yH}`LZZHyOC{FMZhB`oI1|4Jp(1F!SyHg+8pvZzqOUVdnNRs!W^I8wt(1zO{ zEy}qnf);J&AFZf81Zrf==4rW(2`aW5hzAoZcsJagJLuQsY{!elMBG!x!Sk)Hrd72D z93qW}<%Z?qPsy4mC_DQFZs(oG(x0l_D44~O7Wg(g4#KJSgh6H(5x&e|d4{@L^X;XZ zppoT{W@vK;zm2Y0x8=LvP!l6NZ{K_)uB{e~B`$G2%TK)T?c6 z&=T-3=`nTw^cb%5u70OqkmUIq5F(uBe7DY6*}gD5EPL{!znXZ7{OHN|Vx@`7CPPZQ z`|g;=^jrMs53~!(Ch@?$*Tb4rKD_v1hl+=3|N9;4K_y0k3c?76%l@C*VaKcvB0J4I zSPFa~0M-F3lO&@o()Xsbw-9D`aV%{W^kbT}CRDP^h|&|q(O+Gy9yHdRM`j-)tVlwa zkS*;_{ooJaZQU(&`w6ehtocuo zf1dy|)PSUH9g9dvV;sYpwvF@Y2PJqV`G`4qE-Ct49X%t^>7l;NK7MZn5Loc47)%Xm8;cSfDJ zw~g~^u+T<-bIp5>FF;ckfm|XL%b}}mvR1nPJkIhbnNCYpw~vfh`?nY8e=7`;3B+hY zO@=OOZX6okBz!ja37n-S=%Pm|!VU9C89QWfmhqo3SEgLkH}3wOzX=Lp>1j}~m9$(+A={^I>tx!VBvIXzS~j0OR4{MDp6 zCO-hJh5=CYZmsP|MUfPsjXp@#H(-em9Z{Ue(XS%f-2q6Z{cWcZ_s`e9gAl-f#a9!b z{8jQ^9KKp#M{7&tR+{GD*pb}-|7J%bs|pK|XkP8Kc|+=gKzx-H1KNim_nX+M|Nj6X ziOz~rKN%6+75DfDLvoYeqyLl^2YTefsYnIbV}D-JEOv9Co*ypFjT3*QW7wt+vnBe4 zr^ax!F=8YTVt;ZjrfJ|ab6l`36#fg%4Lr<9IhfHV#eU8e%Evzg3`s-b+96{%I1B%k zAxVTm6yE<7tvb-&^pm(E0qf!UTIcQc6*vuFu^o1m^HWe=j8>5xY5(&Jb`t4Z*)wzZ zMY{iAc(<{?0sD`?T`XVp&iA-x4=G^(p z1O5l|>p%Zc#|1x{Af4jxIAu5g;sNrH{_;P4!H$e({O51s|JB#*3|LYr!z%9KfBJL& z+GFzPFOL*Di}(NZ*Z#+EQsq@&HY3L=g+hk^cYa6YG6`A`{@XoG{EwZ)|K%6#hmhsR zt9|~k)|9GPEd^GDlYkd`zWoy{l5{)?_KJUhZv3`SPaM5v%a707DIfQtg*n#gdu2A% zzfbn+37TLe#sK9B9rpF*RzG7h=K*t0U7JA&Lct=hu`qX$_Ot0jXPv)Xjjy>W{e2Ls zp%zeUw1Cd670dE!y9sOB{t8uB?-RJn|4X9eD>>(Egl*mN?mett!*2^Zis$u!luQGT zqzqZ4$91g9<1t&q(eumQFBs?IIKk?=E>}h48UrVv6zx#`v-&q(zzENnExJZ2eZBT= zVOi>tu$L9?vw@E%zq2+c1$6;*qldGGcrxP2&X7h86!8@EfI+v)snZM;+q(1DeLxjTO?I8PLx z|AOvC>x(z>Q_#6xu*=(FFZi2=lIDEFjwDAR&VUeCR z1IMKcOG<+@oR^TJqYJCU4=H(?NAXrkeDHBqgL9f)+$5Do)_I;CKI6|7l`sbDg6ipf zIG3s621KZKLR~+D9fq6ALUURV#yx%bYJZhw{~d&DAA{!ASG@><0dCDxX~r62I7LAh832C6mWY;p$R z%d;5&HZNJ>40J2RxpaJGQTJ6-B>KJhli^zzw2~4Y75UG$|GHadvk-s7{e&49l1?T` zP>_X`8f(LnL#6AJI@X87h#WUtk<@^;Nd0GPWqW z5(Rt4>f5k2<^Y6}18Qe^6}wq;1bU@9)D_EIe?_M1i|@#V6w2gkmocb8(>@%?iRpeL zAs|o6n|0}NKQHSn!5{b46;b?(lMBrQ`7Rrit)gIE^Z>=n3K!22X!BZk&)_t_wuq2! zD^DuyfOpJr72@OG1LV!1tfepI-3bia?+^4qgO>@A)jCUnwDU3;+WUb9w^>r27aKzy z^ELej89A9+^t4k?#S}m(VR+mLBhn>hrIRN1OmG=T?Y}ew06|2QdR{kwANGO($WdTF zM5WnAUEge!$^o_!gx-EM*a0?SV+4<)I}s@@qb(3xxdqitnTN1ZF@6i&9A>}Pe>y^V zwR@E)i0TsP^Rc9OE8_;dFd^t39LNo}r4E_f)EwsWjL*z??k-o}^lJR(vHk{Lw_o^$ za{+rwUKh8Qm{5o!A^n_NpM>Kb{?ajc=QMA!64RM~KqlG!XtYil>-Wek2|fa>ZAz4S zD&fX_dSoZ8?*-TAwa*YF*@{Xy;t(-n*Z@|9+Z-LuuKGD1a7<$xbx|*($lS3j1)xi9 zsE9+horges@HjzWDP4c?V z<;wTt6$pWxqRT2K?+?^m@dYRwXxa;dg{wN#SUn(ozNp5W`i#)i;i7dA@ z`l{7B29&^Z3H-Cd*k_3@=oDuBeqn)OrH%}|xmX~LD8<9lCQg!?C@6Aooa~m@OS5s+ zog7$uY<-qwEug)7yZ!Wi2-UjdA^TZ z^bZMZat1&BS1@4m7?y>X^=x`9Xt~E;-G2T&V~$+z0J3N$+mMBORq#l#DhzpjfY2v+ zM+G@=M2K%Tl95aKrzQ*D{iq`2wz{lZ1<&#{JUp~{VsJg!lV7*3+kdbRytr>3kU78) zB-+x3)47cPeQQs+&FvR{lovEOsRPF%(Z`}^URiN|5Bl>d_l!>&-Z*zHi@6m;HChJpPH+{%0}p zA20NOJinE+yxHhXol5;?=06LVl>4WBqdq~r+|mywUcR2>%i}7C(7{+Hd+&-&`s0FT z?fsNT3ar|332b@oh)8N;8nyyIbo_>lnKn@&k{rp{U!ZCE1Zt?L{7GQbN8wRQv9tE< zn!_4K2M}A?QYaEz2#>`{-<+xK!82ROTFczYqfAE-rVYL})h~4`x#q}gD*JQvy5`T# z&cTH+&8W;o!jFLQ+#@)xs7E0Irk%I#`H`4CY@xege1^&Zi@c0e@AF%JP>`#_k%*G^ zm4hvq6P?@2k!rBn=`silV7@sK|3>^#G_+F9&#_?+Gda2W(I8@E+A!O414T8V2_tRe zMD|BAx?Et1rZt#>!Rdx3^u7(-h4_d7KWg$9NBB!~uA_wM)9t9=4t#9hWF+~>bi`o%IVNb4* z;9-?>2K=|)nNC~&r80=!3DGvV;(H36N#T*80b5 z^3R3;|Maz=APJiIS}dsUj3ClvA))XDY`@YxrixKZ@NslF8jP7k-4#%Cy!*qyZ{Qgm zFm}Om?Gqn&p&Ub|j8s6I<^M5$j$`_ROu`WA@DL=nT~KidSCsFc?q*5IqiQusAT@r2 z&+|&yumXwIKsAnZmzzceP$cnmH-Ae*RQMcwhL8;%f$4C+E&8E%+#J>|T+-8U@A|hT z^5J_xtxZQpSS`WriiQ{ezC_!%ZuwjsJG`Lv?y2wXCHPt_KZ>#9Q7pt0dpBo-ke%QL zP9z~>`OD1Z-}{klg0vXq!(_lHVeOgFgSw8CeHcA09 z=Q#}r@g&FGEj*tAIr8Zr0E)Ba`b1-ds4em`b~re9eFET#YOvh*FZP&B{T0#|2xQQU zNXjGNiJ|1AVz$83;;2boMvn|fDc~d|ctZh^p^J@TfN#JDQw=@josGY<0AQk&aD^I| zP@?S0_fja^9Kq@%lg-F^48NBv-PCA}O1tWq13oFzD%raXMukF&$Ka=rfhS9tbx_#U z#__WRW?s7v0}ynrX}+C0f>IU6J0pNXkBF8)^BkkjU{fHV3w{NvkH_52!lRxJ#nR|V z@WP#2Y*L-|QFHPfGdHZ?{-(YO@FMB0ueT?f&$c{mkqd3cYtzNfwmcb;k5_??T~tE7(`> zgBKx!x*vw!X7~3YlvGHHuN#*F+A)=P$b{|HCPZ3RH+GDJn*KYIaTNZ| z2|f#d@FNFfu$;#DW{8ur?;KXsHuV9PuyklTTischFxB80;O|x7en>3E<5{rcN9M=@ zZO)rs!C_Nku~*6Tx&O1WhJa4+@~+H(v4``Dfb=J<^kU_Ahd9OUIA{PUbH(DEd4WsN z{54e@JVJ)DhKF_#?NgdgOU2;W16P-Tquhba^X{P=X32M;B28ZgcFlu8YRF;<=IMz5 zeB_~pel!AlN6LdB(IO$ULt04_xVA>r=NNjwVOaoZX$$A;1X$*R)o9TaNQ2hg{Wf)@ z%eI1pinKg{?$~z+yluAMA7v+g`)Md-UvY}O#;~!DZd_(P?bXL$AHE{QAHqeKm-T8k zLOv#$LFlQSX>ZI2uG-#a!+21JSZwF7rJL3Su2Hxz`9+Pupt0|ouO!>@ldy}bK5LC+ z(bi85QWXj2)~MYhu#oL^70p-4({mOP*QjMILp|JkdNIqp$6 z6eqmtiDda(l{W_JEk|8}G&^g|TpuU4o5aEd_~yx@i=J+2O_I6zoi{*cGE_%Jq%*A+CgakD6*5=HUX2$-cB=3cM!dt%42;(abt@Wn_<{AT zr02MNi`h_K_KexQ1Lp)w?pTHxUoRV9Ch|=6TBk2ZCV8o1b*5&mG9FY)Vbg5)B0^5$}DPkgfh`r!lmj(c++2@byBwa8P25A350vbI2t^L zYLhQB6$+!4>C~vI-O3sNQMOWyuRJ1jdvf18I_Bgmz3ZK7rp-e z6y2z5dcs8;ZTyS}q;5>P@~)D3C_SCUTYIRGT)Gv!A4p?*(fnSaFEA+_KY%OTRMuM4 zY=-1hUxW_2_kGX1rrjhf=%uukXw)x*cRYN>&<*Nio#OBSD9dU(^70xCt% zKVJ?OJtfg;N=ZO6Xt=lECOpQVZ64dmtn;vF9H%c^D{|Ri=fS16(2bl|Ti#vJ!hPxp z+l{8PG_?DeJ^t#QoB6H!!g>sb+R`AdDTyVmJit0LgHh;`COk^y-!(JKO=^X&5lF${9EDo-fT(K%h^W3?&tg zl(Z3F-Y;&iNqa?CxCZY-H<V&XuX*(JaHTwTKU%ZpQ}wz^TJr0& z0~bJv3&P<#V_N@Cer``Iwg5f!1ee7jol7~nrf$d_kv?*Kq|#~BbY57K8S|t4(Ztmx zNtk)fyYm#)dIUqA)_% zTsf!YQs&v%UfS+`6?(OXs3Y2z$6Jh?O3Z-HGL8H;Y894!-NYdT6P5U5iW45xhg#d| z;vHCPa31ISn>b-DoT2(9FE^J8->KtVq~VdA2Yqv{ZfYA#zox>jhkMpU_}AW&^iiSR ziS-%-9ei)$wml%{ZQ&d1zlyf`t(>x#ZE#rgbld3MjYpMb@&&_5Eh7#MVo%~GjMV>} z5&RoOxsLEFts|jU#-32umG3T`2&WPE#e9g=+5h= zfdQrDd-P6JTiOK-YOMxVSPid6&ds^f80to{HZiD4>``f^HTV{s_dKMH{Hjz!4`Bqr z-uWYZE1`O&F%H+Md(HT2rB1yTFWzmRV9!N5%SHp2YdDPDN?5w%$MJJzUr|3Wiboep zPjYnEEL)yaCvm*f{XPQ)X*4u#n*A@n^=!Q_=r!2du$idSj^;eoOuc;Bx$$Y6r?yUu z-8hgPcM(Hfypi|odLJkp*cIS)Hoq0K+R}DY&6xsHjT7Db9XE%))lnsn^HHJnwf8o# zY}u0b<|G~!n11mMNmlrK^Nlsa--RGJc&K0jx7EF7kCe|~t>{Mo-lPM0ZBf~h<(IjN z&K6$%bY%*yzfm2>79cSO4et;=jne&lFp=|{IQ&Gv?6Q8+8*2!>7{XT?s1m0IyxmU- zm9}aXhHj(fm2!zs?Fv+f54;m`u08#2ZftQA8|#qh{jS=0s8>fMo?*#rty7>tJUIOL zvcb>McQxZAb$x}|pOqc=S^Rz&7wvlN&sWO^f7=do`J@nN0d@E`InMY+n69d|Pq9#q zZykumyr6zib>8?dEq3GZNmmAy`9vn4|K7fwSwTM>1Yu8EARBq3V=SZyfJQ#$%q1lj zH9w(DI*+GaAB<~dGBxcaHj^DY`RY7YR5BZE(S7ad=w6-6zmH0cxH8cfbksP`XVw^I zpqt)ADR^!_Os|tVMykD3X39jr8HQXdZMzX)9eeRboovJQi*I@)y>@NVDG`mex3eE) zZw)a#yun8+z4uAesaefqT(>~fPz~U}J)g~w_^Bw9j?^lDbm+eG6}`2wt;F>5*H|_H z@3Z?K)hhdRkEb~BQ{gBZyHSogc3tGlYx{;GE0NE!&XK8VvCdH z_dR{S9rsS&fUJfZ#<%w*ePaBdz@N4;4WZ$L@7sokB9Jbbz{|Fv0n@QD`Fx|DV3s4D856FJJJQNH;5 zbXfI|K@b7Sd6%_^&3$DJISjMn*1!&s)5!;4^A=$qA+$-qX}6LlB`qD~qIk(KRkU{& zeiNh269F)#ZzfRvQf#Ow$T7q8)~UhXDmbkQ4ecJ+p5b_+ytRrq?1J=QiMC{gYh+2-zH z$8(N;)}qIB&8no8O@*&B3;pwsnn#Y~E)W`j?4zTMrxELH#a%mVY1qk-~ zVNR4dr`j7L!8z~E`u$-96Z&Vt*Ex`-NEIt*O4*eX;9zQ#ol2Q4t(04n<@G*upQ=t z4$-lUb6y!9-~|k$4Y$6MH7_!^&p-U+3blNMjx^n`6n7@BvNXh^Qaqv(Kn3A-_tVh~ zx1S}5cUv3b5biN_%A5IDnhCHI@pb%Ss^X=>@f$egTL|VW8{X6P_(Gh=LelvvqESvm zgtaq#_vvr&IO8sb;GhzJgQth0yP$@OaX&^sv7ts~T~}dOm-M>vWdNq|AIf7osEU#c zppu#YO>_Q)CF9g1mWW?^Q<&t8%If2WU)zU4mH0Da#1)E68d@Qau4vxg>&i^%5S{yR z36O`Q9RF@kI4_^8Z+V}3?xgB?!)q<*L$*7SMcv{NP+4rst2)M?@=+5?pfhkY#qGO#0WLZ=bq#PJn8csBBY;?m9NZ%wUErk??W5krT6DZkV{?zuR^@Hpp zOH)BD7rBs)h5JlVbKl1wR(p~?<>dTDdpU7bWgHF)<3*>XgB}1N^0<6D2Q*Xp!UBmdA3S}qS@viA+e)TH9+KX-#eL^l}11jD%6;C9{aUTY* zVBL@?-pstmfjbQq4pZAHDX?#T%;eyi0^8#>wAl`C(b5-MS=Z%vM2S{PdK{}ypA-?} zMvcQ*RThu?OpJc0%=^)sj+=Z0L(Wq3<}mxCwX87b`r)Lhbt_mmO%sJl&j7ENa)ls1 zIu>EUsHQ5tU8@h%18wDKWhTp(3yXA*IV1dzXy?CWhHYtLo%x$49+VR1YyLZWe956Q zKTXh+CG0&~=%1Oq1UB^wqVM!<0X^Mos$~iRm#xIz$^*)>ei8I5DN89s0yw1YA zFzd{|A&qeuf8Y5kowtD85qz5@vslfF5|e?);x+tTTs4Pb$q&dVkngC}U;cU_>86)f zl)6cw@Blpg)*ue}oY|Sz#UE+E31`EnB(K$Y7gozuQ=vn-8R}10eD^fLl#P;-_dT{& zeHp!8n_a`vsVTcc_oCVE8LJ*|Y&|udS8}ZSczOl8-+6}VQy=(Pb26vKz;dlk7_xvE zqhB3QSeB;S8%5`%{+i^14VPYCghcs@$JtJ|DlASBa?RQj?ioRet4)N)Og?{Nx(SoM zcD~t9PS7KU@K<}08c-v}^|Jl4EX+D^Gwm<$W9m;V5r9(!(B5inDZ2x9-}5zMQ}8^j zZ^R~xNv<^NGR%Bdf*eF)`OZDh>XourB|S1-2tpW|L{4{bMs9yjzMdh&G5YRIunGti zFHIidBFudqb93E)0oMJ6Os4$nXaPE@<_uVQDLclcb^%_72e$oAGWDB7=NB^`ex>&w zxy~2`Vd|eLWa{DN$fq8}!%9TioXL$)#L1`VbX@}Ic;^U7=w1vg{0OFzK(QU6uf@2r zYiBpJ=zR|sRZi17mDiL3A61eIRT~@8S^FynBI6$o2Rq?ZW^H4pYOR4*vL&2`SNIu> zhW+>Ry5P;Xgl`EZ9k)P)$ayLzgw3-<+kIE;X$d`E3{hB~JCSQvAeW#?-N^jkXo?r& z3U;wHMc6+g^5R|*a^mxbSlle;*7T@G!5@L;DGq(LRNP=%B1dy>2)2ma-n!CZfxkfSIyia<#&lYUq6&XnLpt)MeTsO zc5_)0?RF+4p!)JR*)tg$sGZYo{Z=w7?*sG$IBdpwit82#82Xhag?T&^-6-{f%>;wa+=*=Xcint+oGfZFLal zGw=5u*Y&y(niL`y%}-qUYQu`$1)fdT;52zIi`rRlyq1N-V~lk`CO@SVvvGK&*F9yl zG@N&&hUt~@ zE3Mupzfbzy_9-JvU3M|VqFTVL1a4^wZEdt3nlTU?laVM-YHVwLF%`MS_&{-c?AA0+ z7=qi`qxXqd%oKwXogA6E{XU!;E7Gx*f8Y~+W$=eF_(W123_h_SfNA~`2A^1N?Bb`5 zPi+_+#pM|BY4yUXJfjiR(d(Z8$r0HP-p&KFnX;id7JZ76r+?t|O#uBw9bXxi)K#F% z7hdm5h^CIH8WE>w3as$EQ!bnI)B#5K44#zryKbC9(mWnX<#~uIyBRcWA-)AG%SAob zVa4PW31d6PQX+n^fVwFrk3ihP2*VX1WtQl@@CWrqig-GP;4A3M0pl5^|4#7 zs_P2K;2e*q7$fE+*y+Z_L5{?rUeP7HLcI-^RQ>d;M$GaIskMaf&pP3vR^?G)PD}NK znd|$QEOb{255aP1%lgcXu6)7fXir#2A|Um4R|87 z#*L-q9I>-Sg0!0$%)d=_|K~L0sSr0tJi1E7G!bH@yJHeqY7xmfrRAtdd!JRehpVr7aM}y01J&Dy!gJ`=dOh|NG8O0>7L3SC>UCS$)A8r}L{Co&p6W-i& z5)#?PnI5&wu+Tu7daF7Pj)YktsE=0m0;Mr^<|Nn2b)1LiHOkfi-cv~*Wo@gF1e97y z)ab(XMQpVwYi-*fS|iC9?sW+%ex=z4RANUupb|$uJ)D1YDioKBM*|507P#suE75aA7%t?po2*^}TF4dbcoe{x#yXeN}BAYqxa<{^N2_Ns?(Ri>yf_ZA5_i_+cMh&{@z%c17=XDvff9UuA z$D;esKhQ{sNL$@i8=Jb>qTbRmruBe`5@96=n)dFFez;*Xn86?`;(vUYxvU{gO}5Fa zrSVzOS^Ik5NCn8bx6Qtve!?2A8{^jSW^hvPdc#6zC64D-?^big08R1CELrF2_i`ce zptAp>Rp0e#3_&LJS}sP!@YPXK^l8VET?lD&&^vva!-J={MYh0H^8=~CAvN3f;i~8W zZ|b%8>dDT2P;N<^NEa3UEP1qYry+cy(#Z9Tl9$ltcQG?UJ~RH0O@_L!bl{A+9{F;M zF2cLAK~69;b%jUkLASDPiw!;AcNb^S?kRthh^{-&_k1sH++L0okKjTP*q|S>$GxxJ zM-g0n%7zV+L-Ksy9dD*jWGt62$whM+5$}js+MK(DZ&`93S8Yhh`AamFkm=OT&h6Ty z`)RqnasyX=mw!slh1ksodC)(KVYt|8Y49ERPns<4WNWr%<6is%Ujc*&!a46Kqo-4l zzm@?FvI-y6N0JDfHzlv+-8tyww$dgL`PIdW)S#p*-bJGnO|6VsJZ)NZp)SsOv zM5P<}Kw9e8&};W_Oe~gt6-%RMUMv7$LyfM@<#pIsLfrEDahle5JEOr)C99uboigU7 zxIt|Rt(j*calM8A+McK8XKQJ%VWVSZtz};m0pCFeWa&d_hkYLYYz?DNm=KRSx}if` zC#N=YWaa<&@tJCJfe|hAjbKV%LP(zhFg<1}+$%8IJe3o3S#8p@;g<6w;(Z3;Ar#tv z{Ix0K)!ny9Gk#K)PZY=)-SMnnKll`mVJ%IYI{TKX zNdGBqJ}RfB2tLbLDb$M?Q(vd(2ZyNdD?A;>4*sy<@DlPRwM0TztO!etHx{>6YNj+; zq+BWJ`P~-!S_mC5cBCIlN!MlCep;(B-BUClW-QoLK>@qnxSZGHa9_GA zVNyIv*kq+y1Ul&88og9GKVRI{Zibt=OW31c*}$@MS;%?#7WI8|*KA^qkl61@W_~}t zWtTCe!v&A3-lZVJ%kNy2v*Ug?{ohC;x zjfBcL)!c4jU?N%G-XXU88MM6%aZ;BmE5B+;bwCLnU0!smHqh)8ZeW%pY}db9X#dTa9d_rjzLz|xjg*g>+Q*!&8Umr*TTv|A~6-Ccmm6r zX&Y~E5>%2^_1NH5|26LW%L$mns-~wicTKfB>E+Unl=L+8$s%V=7$luv?s^uruoG48 zdUAdH>iJtTfASld({P+jA>@^8K0Cy~@!CGyk-&2L8AgB%@?{?Ap+eiF9*^*mTy|tE z&!FtZ)NgmyPgp^VbU(My)#@spP)tWy{gqkJ2#RSCgiwl8ADmsMw(!mjFqaq3h3Mdz zpcj6Og3@+ZipBNcnAX*v2lSCKDK)z=z8d_KZwBZrK(}SmSGBspHkae~R*Zz&?8BeRn;|*%->?j?O65Dp&NHrj{)}a4*h1GMGVt(*Q6QWc`JBRAv zd5B3wgML74Q)zpw{m|wt-I`&@?CK5+PsvCgTh)E72O(JcVoNxy3HCpO4t_FL)~jQ! ze&7eTT~Yng&D+!n*^$jL_lXWjw7#q2-MHhDR6voQXQ7NkxxO`83?G7O&-(imWcW)4o9HtLd^d*ZZp$;Y7eNADQ#-!G1K57ewu6L(5ii(5|4^D9 z)Zbk<9{Cl|wE)e~w*>wf?&qoB%`iGLM$fSa)L>|an9RmFh_~qO!SXw=rp_GII_0Ey zvf592ydJYMQ1HS=qVD9lYJ)V01Wx$(JZzkQ^B(;3kBM+*x;{YJ+~Vk|$g0Pi2?3Ya zWwoCY-`u8~!%HB`)%#8f&DSv!Kc1iwo(Gkl>ih2ty6`l`3W2*a1{0br>E}JV`O&D0 z1VcojrPvmDHyLh|Nlc#NtoGS+<}}hdEp%L*xTK$NpsiEI^j&ZyxEqr`4claAln=0@ zHlgFr?VQ0G1+~+wCO^8;Kzw9oRxcyB*4xsS!cGm9a>y)I{&*lQA4tiXU?e}WA#Kf9 z85UGjB5+Y$GmDhi_Li#42|S!HK~}ly=<5$V79*A0@m^)@( zjNao9o>h*x@nquckY((*oRZ4cp`+xp0;?aM-fUu^-5jCXOT$^yFQ_5gyy#jyW2-<~ z=S5+|B*ZSzZGyWNdv>*uj-o#?Qm^37H{r+9Cx=@EQ9)w5&geYN zn#pkb@~?D2J+z{QXpXA-KChw0`NX5^{-vM&JHOZ<&};5!(0YmB#SSSU7AU`hNmFQ8 zsIBBU0^@>D)$M{iqJeaz#*(Bw14%fXs9zdtTrm~O-gr-f&KHW z=o>gam3=YEycFGHX8f}9#U&pJkOFQ$OyraX`-EtvV=Cu}@Zv z!G}3YLTYk;1rJS=Cm9x=(f49Pwe1nh&xF;RIIMA*mt_48JvjMEEPw}U+uTApxpxQ) z@2i~_(MNEdMJ*E98E9QwrC)>aOM4HY`i}PX(mqgxxk_uOg}Oh>%kcYdMnzNa+o+0y zC_Gi0mZNHbpvkyR9Vb}_UaeZ)CQ4_?t~Qx!Ua+122aeECLt^T2YE44@sn4Q!`j*1n zBVIc#?5R(GIsn#FsoT;m8F~-W8G$3;Y#SdCd(DDMaxiDp&(8Z}{Q;>m$~;K24~%Vr zPA>%@03L;Ut@XaCruDf6lV#=op^LtN2(T}DT?bg#osVSPza%VRCZ8BAA1B}!n&nmL zZRgFXP(ATsWzO9n5}vK{>+GfdAoZOcB=KM2i$uGJer^ye@6Od8Nw{`yeAmoM4jNm{ zEeX9-CR&rc0n?ghFi|)r6t+m1lXYJ;+PFy2Fi!LEhAO$7gS{D}wcdPLoxm>-wJo$s zUp`SykGhxipK=nJU%d*xGR9-DiVN&H#ISbAWJdye5&|jy&V%%?KNE+;_l%2^uBJ@l zGXn~zGATqz0UuGZK$M7)-AcpP@Jh^`W<)s(oiB&^=hvf{tiC z96dhQ*L2>jXc9Q-@juqh{AitVhq>=lHurEktr_AEV+pwTA_nqonL?A;$DrrI6}sdB zGSg^2I|oJO=?ttchoUcuTUoo(j+0mFmKP*EJo~s;7gmHqE1)TkuFal+QB<-?+Ey0> z1q04x+9?y_AS<{FLMd1`X}r$R#UFqXms2RT&w6vVBL;nHbP4<<=h7a3T7kw1?J=%u zLr`AN_y%CgHD%FZnO1CV^n97&Iuv%^R`o7kFq015@r9gkR&J*k##*@RwXT4x+&iZU zLqlP$?Hf@Hgq9kJFC#kfQMAjoEuU zL9igDyPe9*Y*J_|J-1_mHxoujJF@kHjc(*;Hh{g-ZHG=QF1T?Q2F9)sLVy;Mp4;3- z;QWQRR%J!rbN@*1pIdSv*{7%l*mP#)`{DRctS5;Bu$_vf!qpZ&F2{Tt9{ zEXs8ra?RlOI@{@Dz%RY~q71EXbP;PgM7{sY#E7#u!I;44l*?_#PpRNJe2Y1ZgGG86 zi6i*~scY57;(nRMrb&n`j5&GbE>r9aCKlKwJAURKdRd zLZAvB099}WsDid3hO=LBc_t>Hp7%n!sQCipGpanEwtOZ=3P+i=vRSy~+ZMjDExqZh9cnr<4MF$J=Yq*nRBVYc`k8p2)bk4x)N*o?16o z!i#4Iwl?&bn!c)D_xePwFD~j1WV(tkB9t=$4wLPjAJAt3zMH5*oHTknD?TkVP%w*C z^Jm`naBCoJ*Ty4(#`s-Za?6UC#-~ymVW*Ny)OT|Iv1y2wjSzGhMSvsZz%~|JCcOo=0p0F; zLe337-+q*i*eAp<4&PX_QLSht+!Zn^htUX&ptH93YY6I*G`a3Nb2%#4Ky7qrelo@A z<2`MJPIXl=e$)6hI)q>8{jbWgB85)hD^{E=!9bT~f*VDIx|az)m)7>od}%=Na%zxG zG90(b9cRHNOo;YlOAq;JYf!G++1v<&5Q7Upg9RS3ZGU|EUf5hcOU4QQrQb?FfA6gp^6GEX^z%3cBhfQqp18)LRM zM0}W1ypB+wer#$CQ|h<)(GR0eM>rSGpW*`9S5-_N9tQu{59q~t5BcFD^WYpUe9q*& zbT5?FA)IsXv>l4EwaP!xJR7YI7=w;v8PD?QYKPdhIA$Wo$^c?&&m)|?_yb-g_tnv1 zVKvC5;nxy)jBS`9>-!RR&e*Zi5`-s^lIeo9#XrORGnG1a1BY;R1Y>lC$%DF0#qs_U z%NjzfR~Dpc)^L+L_F?RCdl(}YT%z4Zjx>=+$SYqHxjnF8Og~qCRDb9I-l+Nm@+f{G zwm%?%@cp~*%eu^6#|(%1YEb`}1;&-g@81;^|UA zC?D6IpifdoPWF2InM1MxlTPneZ+Hcya#7IP58%-&4H2o^rwHZRiEH)?rVqk?PYp&( zX$O@SEkvFhEp%y*wo5$xFeR?cTeCq`=dh9!*jYUAV5@hDrux3(PJ(P}jb&Stt}4W$ zirN#XJ9Nev-q!Y~@d=l(zdJ7VZb6`pDwv@%RcN*^zuBgP{s#<)$j?L(Xp zz@st_Re1yc5PIe!G1`Z+j4Y~%fNiRtT00C2(6G{dZFS=#POZ?Hx6pcDma3M$QsiDQ zM}KpwqD}Vh`Zm~6#EJ-xXv*oC{L z{Gn<}XP??56EWMgx~us7)Br_wY&uw?U6}_cnWqC}20;9>ntys%tf_X)p*xS5b~pPH zOklzz4yw5pLI+8Mwe!vQU9e}0FrHN5<+fU~wR49@9Y+K151Szo(Fvso zn%?VFw|}fe>O4M^ulZhT@eVHwUTFczbse=goHLKK&Rs`xSg7$**%-Z-dImH7$2T+X zeFyXG2MoBcVva{G@cU~JIjMz`GTlXLqolNz`WDo*rE`(g(VGIM*41&{bm*(R5_e_v zk=lx*cl-8`;=B{J{4-Im=@N7(rbGuBfymdU$XNd5GA~~>)ywu@>U~t5%I0bJ3y}J! z4+3%OY%IZnk!8KCSWV}uy!uJRlz2E*fI%+!if~G^#w>ey&8R(vi{3Ka+=#?1tsJ7WS#O(n1wQl>&T+c6k zhDO|*E8+UeoPjF{1uM;C35t{*x;@zSFZ8}mEcP*zoB5a*)qiyft={Y{_}bpOYe}C= z(CN{OltN+iG)x#}v@kCxvS_*6xA-7Im3|_~z~*Ay%L@D&%MWR5t3&Za^SqY&Gky!p zGd?*}djij>7rn{W@Y5nUm!Frh^K6I*U0vCV|5-&UHgOC`t_9M8 zxkwv}nuotvi?#<|nHsG?*aaYpHJeFIm{;7j)vOQ054RvRm{fF5y_Xg}G%i%~ zhLg>D-Kd@_I>U8&=!@XxOK0*r1@C-BsBwl zzY?IrJUmJ^mlO%#U&vwFan%sbT+)StpsjX+0p7|IYD!P-O3O*8ObYy`2b*6$NTy{n>gihWA zFNgZssqu;3(9Y(Ersm!Tn})y{iklgx>a!NTxA`wU(AL1RPpz~#!r{;8)BFl7{-8EjeVo(@g^O*Z|_r+vc(xJIc^`sWJ4yG zZihZw&gyC8S7aU@0{|BgWM{L+9+zx`GVTW;n@K;1H7|a9*9nS^vy1(AwRtv_=kW8u zr~E~G4qkhNbBia%986q^&_~@smJ!LJ!BA7b zH=pqy|LY*61>P{VamKO~a17K|9P$ddgh9v=n)F=v5{n+Fub3jLY8mOgZMJ#5~qrZZ7-ay-%1^3hAw zI`jGF^5uHEwJcx>OO|S54HSW)P#>Acj&*X~8rG@A=i_vTz>I4@%KT1kH-<_L8G;y9}0f4hsV_u;`rRMj&Saw9m8MM8XrB!}j+=-Gupr|oH zY)k;#BgkFH2xFkvJz=m(r6_w6Cupk?`k6QRw z1*e^AM654mEepUh+UW{eaG{W>55~i?_ekHHwNnWNzs)W4`RJAb)vr} zfp^m6kt<~85k#GUe0}hBp-9^A(2>rb#{Mx$dM^0TvvVK%4GEML#@?H6QuAF{WDi(* zn3|3pVKGC8hrLJc5fNxH8qckc>6A)#%)*_9g5{!O9XTYC3{J6G z$dm%-FJLE}Ly$HFlN>k95X_NO`%coavZzJ4v%Wa5p@&EI%X_%QIwme`1YHA4tryZA zjGg4jH*|s~=P}WVE^CaJ?oD=46m_)KJk}(*M>eH3sMU2n_NpiA3Sodlx>0{(oM@{Fhbt`8uBQo8X+#}lZF|!iL3B+_V z!pNpA%o8pN+)RhZZm1BrXn$qu{516j5WAuUL7X+L=^7?UQbDj zkfNUbj8JJP#VA<8Cw)#}0}~gMB|dimU5!9xpm0=A7zsnXmV?OqQYf3OWxwxom-j^W z@MTDDlyOOG3Q@Mm60Py%Tkp1#h&<`EIrtO7@i&(WrApX8klFeX5ym6a1@pDP)3wUIe4!u$GW#P0#pGT!<+gwaP4YkG0J1Pg z^WxNR*R?RS5k9SlA%pc53GiZyh&c=MnPvXOaa^pkpA9-=4AV5FH9D!kfuQ);RP!%> z@suerqJqZeJ|)5!Ck9e*FrW*{1y^X07H)7*lvLc@2X_d8M*cu9h}XQH4(3MHLrE%t zVWWEag3kv9&=~V(TwDz5BN&gANUd9vbqj-`l^kp$`u7h!lOCsBpAXNiRQ10EW&FiI z4!*Zcs?4lNjo?A+^m;>wn#3V`*uJG3jO9zn2I3Oaw!`x92YmFAAlB-DJj19)43X&L zy)TVVEHkaB3_jeAt`8@UzVdl4;)tW~C1LXF~ zeeU`io%=N|%i{mW%Ke>!8_9xw$(2_M9nT3iGc6q8U{Io_!g?HdE(5BkHnbVg@)RsLz$3!rWt{U-|mGo#p*!`_!o^5*U)`kjddm?#1* zs1QjyI?EbGzL>w+P8SHqBNVLeQWqZ$nd3u&Q9BC)mn1k~1&oaWQlAS4(t?m+JbRJn z*4^7>_G!A3NFjHCX%$DC#@|o*^lyaEm0_+w=vtdUI==?L)6I+N&%b@~pQxw5Vp;xI zj}&#nDN^GI)eO6Y-}zhr)vLk(e@TecG~M`J^5B0V`-cy8#I=A>0j0-1ul~OBMn79l{z+U&6|HDnkr4X>>AYw#(dkMG{RQMW zufPa*f|g)iavQ^w>VPTU3)ipta#+|Hmc#&7e(Y|TD8-hK;3wtd?f3pSGL>%qdETGG z4jIa^sM`P@5J-UG0xa(uH zkix<`EBYr+?J5SRh9j2w9VWOPKwGe$Y79}1d83<$5~y0XfLqG%c+bWYu;*5=oY(|( z2ny~L8sxWdIUrN~fY^d0kfuDIzdl6|*VVXbB;1H>n{QzZ0&tWkbdzyrk8! zD&jdyWc@X~9u|@akwkbDP#~YVc;Qy>A-yTQ=`vdcJ*Hq6c3JHN`o~()0RIDMhps0J z$;WOQHN9SemGU#p1qlh2tR8aOePy;&K_{LVX?G!wT`|B(Eudc6=OM%Y3+#{E;&X|CCh8trSO$e}f085nr z``KQ(gQ=Lo*^&tE_dX5hMwolwwsoKovXz`mw)9ydjC@=&0aXw;)UqU<&pa5ZzXc;H za~J_FSfd9%5%Ce2xcmqr7I+Gi)ZJJ3N|;<)5%7Non#-%k`*bt78?7e~7F()#f{=gg zb-OA3%U`QwQX*_3B=kb{!p`A|x2-QvKjECk+|%%(X}J)8O_p8-1Y%0?gQk6V3?Sj5 z4Ml>rE9TfuD?pNbY)yFmG!tUunH2-%%H&wtqMcyc*O#qCEOj|&9aFD%5qp?@$pukz z3|1tojcJns?`rC|&TJ#dZYsMkXmFX#1aq)od4)q%tkP0NQ+|dOR(xC>F`uI8 zq!R(U&>*OkOmg<=kg~u}jPViyqx!e?^p=J+9*m8u`>KRx&}rrN!G# z|9rHtDcY@KBWi4oIO$wZK*|u0;j)eUpB!OFhkpKV?ydjpw~*Y}H0D2b3XLjCE}e_v zR=|dJF3pjiZEB_JpLN2u^iu%AqyOK6;K7_Ex827p6iRI+D4~|=8Cf9E40yS91l7-@ z7)8~3=8Q7HVHoqJ6V8q`RenXqJ{LSzUku#R5;5dG2CkbkY|Ayb@(tJ_i}D%duQTpV z;^Hwk^lH*xxWfgf!VVWa+HTIUS0@}u0bQX49tRu_AHeWVw@?l6#Y7A!EOYh_NuWOE zNG7(?{>}>j`lt?=?eZp)FIL8p@B3nUY1aE93*yqBn&X&y*Hi% zu)KGhp!M9Ue$k@NlgxhyN3YXIGD~fc>iuxcE7bK~0bdyGb=Tv22>d zK2Ly&oXN-hI!o`S^{;YjZ?*A!aC`2b|wg5_o?W8QFwf6)HzC2*Fj(Tz@-9 zL{eRxv~jVy1|)GZ$|)G>NWDkW@4a~*pU7sOS;_vpszPx82N<4A=)YiiF4EMGZ-yp( z#Bgvrg8Y!8!yu4iUSnU+KFz&-v0FmnFbZgR2<4#275OtfAxT^vgQ+P}?u9l6>&e== zYBZYC9A?blO6?3eSHKW(vC*sk-#9$HKX7{{r zaw(PeeJ3PLzQpf5+=lm`C78_})2q7)ZfyeAR;#H!7d~1HgOL?dcf05t7LMeB?@7(7 z1pWjb%%=Mbo;13C@*m+fPZRBApOl-`gKnGr|ax9%6DFKG-*jaT@;rG$;c zL7jk8GA<>)JK!t3{=cAj9dO*9*P2DyO!xsfwc#YSZDFzQa8tccfiiU<=Bq%~KVf*g znI*QTc*JIoVNshmY}J=M5uAj6wHX#;Lr}LNO5Rj#%Ge& zOb*LcGIu=M-#$ZEglX|Nqq)EA3-#0i4bvtque2?#O96% zQMoDJw@#1a5lyAEeTcOoOcyJ)UI37<4;cD3XA?BlFdcskHY=&wP*$h^@fMqm!MVb$ zURg++mxKrm%V>N&V$9hRN0)vVrbZ8%X*i#*Nm??+nJt5Vhm3_$`o&M|AO86Vr2%w1 zl$Ar)+n0=hXwqwG^)jQ^eqNK$)|(V_ZCS%ck;wLp^4}oht-|9j$D*+~4Ft$-y=aF9 zJLAoYo+fw70d|ihz8gAEz#1BaUrUIAe$7{ru+DDo8Hal6e6Rhm5glg3?9bCsMLMCm zw{OqK@A8U#i_*@jM5Sf)8?N_=OOK2`rk>Kx5GY^EU0DeT2dFcu4+od4E{ST&cmq%ukty@qWT5h zf<%W@%$4FFAUJ#mM^)|zIWUx#z#JsEX&)D9R#-8|2!7LjXhy=NbH~dvX$d(ap+gwd zE(zUynepW+FgGz{puUgybqlO^a}5PG#KMFF1+;b*j3qioHScTm7)C9DJW>@#-n=%l z--&#ZgOg*ERh&HPJr-e(be-(9S^-oSPRI%XdTBIB7vZMkIyzv|m!)`F(qV5h3Pr&J z?1|^Bj2IwI1;k0-h)qg>OrL2T;0i$!{xD>fTVEPaS{xa3w6-BBlwNM zVXCZ)`3$7l*v~=vNig?LAUSyd4jC?=Z>oe{EtG&>alH>yX=6Y2B$oTSY|Sr~kuM1j zsH`{a-{UV(C_a9|8S@mdK~fL#HTrt=GLtdX?0v>84BA)YC}rTyd>A{?@o>=BHy|0Y zQwa-&LHh+Q0#KAyLHEF#t5HG-JAi6!zLR1btQf<1YnJLa>W_yfV8?Dd724X#E30Gc5H4f!T!)JU!1mlcYhTYzRqX3<%b@5uO6PK!I+ z+$4bf=6vWt$}LPE^elc&GUsMmZPz@jsPRGuo$A{Am7QhBQJJ^kxp05fFB23fSu6ib z^d}~^G5pXl`g4f+zwf<&!#4hM1`$Yk^$M>T?@?@Hgbto2uM!@!I?F+Zj>nTR)!ggP zb(Fb_7jLyv@aE!BSJ_)()VEQU&}nTVH+$oBlzEhWdUuhH>XkBXcS^MJ+?r{u9W9Yc z-hjGsF>`VYs^+OPWlJ14#yj5fpv~?8&w#4Qw8=jWXwqOeXbR88=?RGhWYnA0F(%*GfM` zN%Y*yfu|F`r3cM>(eeywFJb7q`bO~lRo+{S+kCk1`XSs=M@_i<3Hl+KlYG3x>OGaT zMu%Ujyq9v3`h}SS5*r42D|D>x zWqSjLcQ5#pki)RwwDEX@{)H^Z>>s zCxYu4CaRTjrtSOf^Tj~a$Wfh$v~7L9l&Y;9iRWUiNIpzzed+DV8;_ z&ahtgUhLbbr%?y=?loFrvh+VdLwUKz^N&vSf10@bqYb-)2;3Y_T`WAt_ZY}V9cgDTo3x&)Z-409FLIo!974jT=3@b(7P?p zvV>iIG-P5q`b(lt)lsEtG9clNF_xzE`^A+RWrjL6?H%p3+8hz=^P(D3xHqs1nPT(EqP zcHxuONRO?;?@&2$i{-HQwccR(BxBo9MW#_k_7|`{4eLQoeU-{Fm8$EtO}nhU6IkHa zbdQIrUZjqmc;yG%VG&Md+JJdV4`S`mr`@S4a%#b&pt@_ljQu_wJe2L~gT?-X=+*UC zr`AkEDCO1|xf>KTvs%|m6Ji1H$m?PGYis#u>CCYO*_ob5Zl!n(QKoed5(WsXts8VT z&IQ>Bsi`fw?*Jv7B=&{&jO*8LQ+TV^lMc6&F9rrf#dFSE&ts#XyIYEBZ@cco+0@Rm z^Qhl|&6HlirXiLYg{c@Zver#IPa)#+CsT}&1RC^+D_G>ALXaLu=hj%1F8Yg+=&WDF zZK11yeYDiYiAiKC!^~=1l|f@*(*B7IaaMa}!A~WR^&WoA*tv>EGyZcuFT{H;+J6Lb zrkhUDPgFY4;udh{v3pqm9!enHN1*9B>+Nn0krhRjo~gr!&R zQ{w5O-d(?}nzktbN|$S4!2(Y;>H2kReLQ9Od`Xpr3<BND^w3Gg2>tn$yX&gGa0A|r~s ztDz20(RpuGzf)8oK*|7CS&gJhT_!g;sY`W)i zR^#>B%)?mDp}uBr2&_V(gwW*DDb9B1$H2!ucRYr+a8zLshkJmhUnJNfMc*1%THi~4 zAZnaRAB#3&$6b=yd9rUJ9TP`0@Ti7lpQI^GBFGt*Wb4Sbi-a?B%V`4D>sNVyv7gfR zJ%N^!M9Jw-0N?Ac+ob1G=xyfv@Rt+JpGLXI2_#nyjW|4vhtCi=>(bdK>XHWyzGl6S z`4@bTXAeYLQN$A${94yMCT66F9_Al>-UnoaR0B|%?Mh1ulpGnS0y60Uo5b?VN|TgvhzFoo?)(n3jQk&x`!*l zztiFu6C#4cwUPw)H1yP>B&Ow#G98zaajaO+Esk3^GH$;@v_t(!a z%DztfS;(`|B5J&%xf-&fi_uJ4L@~<7i^!#NrLTK;d(!RtvCfqbF7_|GvL0ZsAS|)x zWry$E8}P1qFWwAQe*@i1#qB859}Nu&ro8Sy zi`Gr6eK6}bKY5{SG+sw7zm;5AP)Kl0diA}?Ws%JatWi4g*n@W(U2X}!{)rq3c~K(w zh`J(+E8J%EdHr*dXco<5(BHo5=iO2^>2j;HAqk;y7%YgAlivPLanE!uR;0J+gM_&? zwb`soCnAS<;@~@weKn8Ed-P*jWu&dgc92-HA6^ZmHSY?y)wk1*a=y4xTV7=s4Su(; zHr~}9tYc2)bso1GXEBxrl$l*PrFR-0Rqk1qoB5Lq6@_)ECyi#o-uWc_GBfpzUtwj; zDY(n;pp{-NPvO^7;Z2rkuB%l%wBgr7yx1oFIdAf4ZD-`@X2j-g@j%gA4DT+VAg8n+ zfTx2upB?6|m3b^5!_d~kN(`}kJDt|%Cw!a%$j#+Mw1A*NQT!>93qfKpd**TIO zKQY7QK=7g_>V!fm`35!2HZ5a6udD18*HrJ_E-+Zp~g$RW(g~m;DBZf^(v6n;is~O9R(Z zY;l$%y9v?iyrfJwE9}baU;rlE*Mx2Ge$;ulCH2b>7+Q+;CFaS>NDheZlmHY7** z`wu;_H+2+~RqZTnej6l8;YWUrCKs-+qp7P-?h$)q9g@~-7Rh38EDMJH-{-~K)SKK( zF9$T5#nuJCR-iw0lyEW&Il>!oJtRG=W;?fcSQS6^DBioD3q80un)CLwV$?zST7-nf zdv&Mu28nHvzn|(YQ%AAx^-n0NL0z`aB?7H8e&TdHI_LO)cSpITu162Rw_tn20( z_tE1i9bJ9&b+7w)MlG z7EDe2u`KDY#>7S^Bql^&H;=!wkR1wb-V<_dNdLTII3zf(X^yv<9(ckKhvQyz!Mnh@ z?I|)#J=Hg0LRQnWc+2sYN&K%Y`oVvJ`{ECo0*&37xeuwGTsZ4K5f9~kMP2ti>o?inQ)^ML>pCG`r+v$I(&Rq{5B~Ry z_iJYb0yh`^FVS5`ZU*KRK#S%zT@qdn>Wyd%RB*^2N}3O+)rPfTF>0mAe;S*USv(W@ z;U$C;#0_^Qp*h}z&fzuH%jgnFL#YOan3}vE@@n+|3&f97_x}yzhq~AP{~N^5&Fhm{ zZB@{xEN}Fx#yU*6sNHm`Ud+zw5)~~t_O`&t`y9%#6M}=!=$OAJOL^J2sFn{` zL!0L?Qpbn3c`sa~nmRXNB?;-2s^drVW2ylWhBgHzbyRr?t(J0TcGO$Nvfe#;Ay~(%xso8D|*z7R_(#bavI^NansQWk9N1!*rCvoZ<@tBGJ z8X?B*09kqsp0-vL7a`N>?0XqPW@+CKUyQmSaB0yd*B+CubQip^1kG0jYj?AUtrBkN zbc%C)EquzV7fJr+i3=GAUaDc*%oG5*?=DAt3Q09`dW-r1af^6WTaN`m(EdRZ^32tK z*frBy>PLvF3shL~_Sl`}NRe>LRzH^kPHy5pziE(kpcBG-x!bR)P9`rB>o|6Q7GVxw zSsV$Z63q^~G_RFvyS%tAf3sNY+)zq34`i-uvDo}ceGY62`JW1c0FP+)gYMX46kNXp8d)3_Mw3$RwF9qFmv zE{QF8(s|HVDT?nfJidHa$aDzY;-8_)upcn6jP8Gae+j~mkOUe>*aTiHYUq%3)nlh) zv7SgsPujiRsyrs^YET*_K*Qi*Qar?7F%zTGNo}(P0p$KHI+OThzfi11_Z4Z^asyw z-(@%{vU(wmKQ#-(0m`ldNisVHX}x~()m;}JcjoD@+|LXexrzP1-;nmxW`lhu<6+5C?#K{=`nawRxht@|9SOd zbZU;6m!EO?{V$S>cVF1u1@J{pX5CiT%$U?l&9l80prz_)#uB`3&qln#=hwwiyz=+{ zGppt3)ypEba=L=f(IfW_e$65wbJogCY5zg=2_iPl6|mqBo&lWlB_Bs7^(PP>l;8W3 z$vho%=X^|Qpn?RyWL|-7)X(~|2P|7hmP^HHa{;=sUQSVH(sTCQU(_bvu!#m;#t5ul z5gA+9Tx3p9)ymNsvEb!Jz1q&fEke01k7_Ex4o0(=wKW6e z9C-66^~w61y!*u6>Pz__G!ukE7l=KQy=EV2a-_qpp(+SvSY^1lQ$7{TKde*@^ z(yfoXyJd<2mPB=SOG#=2N4h9u5`IYcA|VGz4jewm!9LO9-qvyZEU;tRj; zxFX(_WK3nsWI+4L%UM&(ri-uOy3FQ-lz9kuRKZgJ-c%lMGinIIT=$2iT*rl@M+cuw z5HJp#=%c}zG9{*-;aHI5Hiur`J&LwrT+_fjVZ)C`>=F=(;D~dq(iZ*DbICd8d;6Z7 z%>3(*Tca*Lq}dyrOw4N)T^DZay@boZBU!}naJR2KV+VI|vnKCbo-_qH*5CUt&@<`E z*AM}T!vl?kOyAi!m3X;Qr%N^=M#nimy_xbMsh!g|SKi>a@lJR~RCBZnV{~}zeAl#_ z%sD&vite#U;F51QnQq7b#8qMSw9;yUG^l6!1Zy^{Z~*v~EQ}Pt&bii~$Pt|?W_Ray zu|coit+Sk*f?lev?4s6rN_Y<(Mr=Mmzp4Fm8s~~Tdb@WQ*QsGuY_~eaq!|3%g!LRx_h|0bN0xA>|4P{EdUPHys>Sv;T?F}OQ(xw+$owN5#}YPS3&q>G z1jLx+NEdjU@u%@pQz$Nd)GxpFC>zh(v4`CtGVL$}7HW?OjUE3FWp5o7<=XB6ZxICx z2`K?ZLX;FxI;2qq0jWVsx77I^T)y zTK=)u7MD0Y&wXFlF9(Cqh;<~}+j5a^pd_M4A}n!XdB(QO-3sL{yG_%%K)2FJPgNO& zs{e9elIi$hN~!Cl65H}-`!+9){lz$Z*N;vBJsx^JQGEA+eI#)a<-OP3rxihm#xWuqS>I4U>v0$ zq7DpMT#ig#Zgiea7sk5tNowGuy{_=CxhE+eKJ()SZq~}LO1?kB(#v-d<#}`cAa|$A zty^W!lk-@~0;?iN7dhhO{Si-7zE_9#oM*sGLcf3ZOO2tYI437ZHTLUT^N&**pV{kg z9DqVlK4EWA$59bodzK~!;&vIbUwr7!s@b}m@FcrHn>PFqy8`M^ufi**8oG@mjWAlR zSCr^1P*p2WHSS)neiUYdA*qnxtK^YBvWW5o5&o-s)13L7E2rM>2MVCo$3nDdYuctk zDC(tr36CL_Y?mT$aD6@S45dX#s28#{co(0A8uL2=3(He0eH>vkckV9W!Ryo-k9KST z1N#+DUTSnoVenLelyGlcRxu1U8t(F6JkVv)O1tZq642i-X3TACt?UNfxw96ItJYJ# zm%U+@vwi)_im`vuz}SpC)A9!mZHsgR%~8u)iBrs@GJnZwHbv}~E1G~c%tAAaiD6uH0Koq@*{92%!LUEP;$@RB;@sA zV;J9TH?z5XU99ra`wftwnUULR9Y0`6R3l|@AWdy(!1`?`CAfYDe@vB=z|O~H&QH-PxMeSp+q*hqB6{F6vo~$8@QasRdn!Nx@o|B+T?0 zB&0W_ooPf~*fW$!AMS$1N3AYtWgX@Dxu@}7nKFlC|2eXoF`zO-DPQo9aDj0Q-z2aq z51-)n4Lk<=fA;GRhEyw`QKMZHRF|ahn!ytg`_#6anNp06XlHq-n;3b+<+%&NXMZZg zd3Vi{K9-Y3{hTLGD|dAkX%PpApL7{q^A~Xu+5`E9)m+9Kj8)2)!$^esh#!`3e|2H6 z{8eX*{`^?u{!Z`$A4+KQ8kV|be%CVO!E)%3j$^Pz-d}zTvUJY`uG>Mx`YZI027j{f z$SGZSEq_dDqRVJ2`?t+LFO7VRr1;T6;q|^zP7_ z`Bk@-rK?&xBCAP9H!{ROuR`^1V$ps;fMs7ua5qMN?RXEIqsuG`V}2?`0#h$lzb>3r zN)ZPRyAvdT>O%MheXj_v#e9OLz{v0S^wZ)nqeG*o$at&ZoQ0jMa@~Fhayof^#Uu+* z<~5z^1rCZRRv}<*J3#mS^kM05Sr7sE&ZWz+UpOy)uEAVd@Anzk4rk)>euZ1KiG@Eu z_$he^!}#t~o><*&^IiN<@Va9T=nf{77_)F>3AN` z4e@jbVq&MADDnkHjWo(le-0h+`NiwY40Mr6at5r zc!fYF-2wWZWa+;`7(eX&9CtBW;muvm`8ARx$l8kmV7^XTpnW_FgX#-HHi7>8(zFa_ zX|H2@d7$K=2$+$`T0S-P5e4SNlmfa+ej~6g$WM7HXU#^c(v&oZfS?b-T zO*V3eNvbn|EtkqHI(_CK_ZvfHVL)Wq1A30<&5%d7M3H_2+u%G*(p^BTPOOsYcbe6N zBxBDJKh6oHhc`(MmU=3q^6*&9^=GAgA$CKnV4}m7x}MlWIFOOx{Rv2UzCx6TkzUv> z!H#gxj~BYN@SSANB-B1wes91TT+ibT^6yxj`I?8Ifdu-yCTVoWrf;dOWJfpFEqEW! zT;Iz2sw`>|#wQmOqL-Kq3g(qvT7c)i6wx~=$U4L44W3hV9!d$SHW8nl z^Iq2(>R4sf#4&v1_EO?sZ2s8@`1hpP!rbH4y*O?exZbdFY6CA@bozDI`68Se7-5xD z+{Wrp_g(kZaP8|uKvTL`*VK{=cxl3{6MkHrrs+z{$!9QKF`yEr-?zy%1x45pQNZJ5 zF;V$aOT3Iv!{uI3rjau`KJL;;;)LS?c>!XdrJ^mr2AbQx4OEY~c~6R}kPRcniz)nI zDJ$msFG3|{xi7>QLHsVz;<7_V6mh(SE=oN3q8*qRjSg|`7(X_>aKTU`c^h?dV3t9VcdG!8lTAoHfyAg z$$&+!Xz)3t%=(+G$D<*q`{txUQfv7!ZW^f^*TdWu_~t5tCE(1X2sR$gAA4bq6EY;N zLT0@l8i8_z%eX7N ze5J7cB37k=L@9sG@kXISrSi*aahnP~&zm`GNI|Y^-sOX-j%sbB+(CQi9jkuSzl&Go zpD1E_{!Bb@Z1=67=FNY0hyH!l%A9l3l8#25omMVc&aH@pvz3WWdOu_n^;euJisHeQ zOBlgR1d$rVuRay?bLBxH=7Ue?=kJH6Q4;YA;H%MyGOmkkjhA)_E#nUy0rqsRZ&k5@ zC`mxWg`$4(gC9j#AFb|0mB#U`7p^Ebn2Ub5{`#>2k>D(`Bjo#>QJk;Rg>Wg~N`Wwn z)wk=B3!=!VIqPtWUWQy>zC9HgKfl-CcOksVH3~s+&wn z;3JB&>I6ArZ@!bJM>6tJwVzEx*VfLvVKL?)NyzY^_Oh3t_`GTI>(nM`&Asy`|Iz5V4olU6^Y5}JF5bzXS(?l9$l2L;v(Ec#mopr$19TX$ALa5jNU`C!{Kzc^X*n9okPE=x&Je{;e zEwxsZ620Dr_%}5-+q81=-6`Ljio|u}#p<*r-&4zLi#}v>+IS@@mCrbiVQEg~%pFV7 zuZGh2t&sGaAV_+Xg`)&*tqF<0H=K4TXIMlYiN-HWZPpo{BV_h4(tFx2IyfmdQ(9}o z4;$>lUU9`+RJZnACc^ov$E4t)x$Z1(=2{)h_{SIIOF}iKp2BOI0?CKdl+}c^4A|F1 z0_A%|k?_fsm&5MIif3MoCon_LE&!$H4;AYLulIK0MxHjKwBD|q+Scc!8%sZ=JEtnL z2WnZwjvssPhu2!L=@koPSkRTQg%rJ1o&^&;?*;b!`|pasd}F!U_MXd0LhWVG6s#SD zSwU$eXM|4@Q@rb&T)Ub#kP!c3(WrowM*hxOSX%Xa2Dfi_N>0&1oK@~dw!&IDeOds1 z?>WO}_LEL2oC85*9?D6^Ll|t4UZrt6cG$HCR z-5{M3_Z4k$(-36uMpn$dlH(<*i+^`go5vYFN8E@HWAT&F8kCp%L=t$FP4HIVWb*N5 zhRIBgx~6WV^n$su`_qE87o1Ww4n84_)#=5e6uLl{r=h5@`c0~4GH1jbn5aS?I}W>S zeeJFki!SY^(_fxvj@BVnlhDs*syt8B@}P!^BGLxLCxUXXEBx*>p;47w#S`D0N^DVw z>Nu@!ELU7j(qla*$n|Ygb@4ng=g(l*V@aBHUmia5#~sHgbQjOK@K*lbPto`VT@lJ7 zZmL=p4oS-9YEjQ7x@9pMK{=bv!%lXW-)B807PF zSFrSLIjIi9fRkcVe&axH3-JQ5PwqXyj$w`mA0-OiYguOZ9}c6M|2gbHD<{M-Qsi^A z08%N9wym-03(kj!MXN>Xjkn*S6;@t5Eq%%Otls+^i5g#}Q8{l|@V2@-vedu7=3z@$ z(u?VHj(}X?hf(@b6+%dB1w(lOx6r9lSv0lxhS;V~5Ta4*;AJ0FkZ(Mr3%%s`IV%`X zrii7w`o{Qu`MIZu-wqDuB3E(9V|3lOSPGIxt}7SrJJ7RFd#ny|SKBo^hCdXsx5sq~ z`x+7+8-7$(PLUynd0L77(I*5lo` z>G2ieoN!7EcD9kESKuav?2|5jjZj=6`Vp!j_Ql6H6z6|yb2xx}`Kt7#DsqyM{h#QP z#R?0_S~mfNSt2i6vg7k)@}t1zjnH-2X!7ItJS>J2+UVe%>zm#E@F2jBP zyv#Z2GnLD`Q7rV^?G^{(_|xSZk(zpY$%(h0`h^N-H+KK1#1NJ>y#O`@lZ;%H<_^SE z@Lo7^mlK(vok&?&C$2o*39@nQ73_C+m&5q`>GB_AdsJQ2#>`Z+7Oo&RoHZ<+80Rwq ztPKUp_M;yBHFEqIoT5_HX5diP^r4D zdl9F_Kx-jAEI|juyS}oV9FrFFzM1#|!hT60t_Lnpqg$E{hVSg8&*wilP};k;c;J8^ z0BLWZTfThY0S{EmiqRFnyd3++6HfV0AAy+R+qzR_mm0h)Ta*@(FYA~r>Rv((!=1f_ zzXpZf4d?6S~8O2=~)1#L1T+MZ>y0Kzn*1bZC0a4COZG~cwm zIbIs$^4?PrOxU~6YK_Jdt9t|a=c4`$@1D3OeFLQX!4)!n9l5=b=hLQ1^`f{0zWIB? zNEcoLBimV;)Mgkj_Yt+*0CyNq`_U8>MmPUQ769xyZnkQ#QhbniN%HhUZmoh5w53ve z?ML#-;k?NK$%Uq3yAfMr;l``S6s9C-#$e(tuONzzsDsQ&4_A>x~olNJ?E3pgo z-|#7iVhg-xOu6Iy*)10}ymuAD&svMmxQHMAxU5^)!=hAz2$@CAF4E}O&noh2Fh73! z#t~lK$I`b2lmv~=Jf=~wBrsqBV3>BooKBk!)U&XP#m*ma!ojb^=+Mg|F4~UP=kWu$5%0G z4pCgwWigQKD2338IG8{=oIN%|UB`khB-9W5_`Np{=CcmG3+z*7&I>MSP5QZE^YPcu z1ep`W+ms-t#{&c+TJ(e3r6Yt6R?w%3f`aJ=uKT{dd#iT0_1pD86=Jd`7szRelF|0z znoa@TXJi1`)+wX4n(L{oYwmO00)0Guy)4wHW7>&zIr;W&*!6W)PdztB zDiUu2{KiDM3pVH`X$@o*w8ho3Zn2^AB@trOe)!X3vd2J@y!Z1Q<}@U9F#Pd6Y-UO2 zGl}P0mm5?8Y2$aAac$6~8)sD-DfB%Y>P60mh|EtHT-tEC>OM!h$)c~e2jmwsg8&q5 zN>H63ZYS^2g)}=9;q5bZwa}T2ds8utUIzr}fp>#NLRE{-wO%{zBGz24_Fc{&FUvlN zGpznlR?^St##$SmfH60r!_IKBznvEqnZ%438hyAI6qe6)^@?{8uQUULB;$(1sNCzV zCK@}Y?!(q_mgsxQ2jU7fY8qP9%y>bJBB5R<2bk#JR0>)RuLK7lvgJesovw`MwtKvc zO+Ou9De?5`7R{;XIy{o&1M==tucLkD3m5Wh8o;=2NZh<}ZMwRhqOoSTbNb>h*QVXN zb<)aqYd|Ji87LxVJYQvU`~Bz!bmmi8{L?a{neMLrq|V(obm%-0_R?fDao(M4Wtgit z!CfU6*8P>8AJep-%JH%64)uvnqRH4+nrycUlJB=ympi^A8G|?X^|=ZUxNSdReyxE) zlE<2`1GwYZLJyOF2^|qIgX`0ZyvzNs-kHxOJ6pDoo6$L+FUEq9vlYd-K5mNv zTe$v)2w+R@_C(7fY8x?@7qosz*%J+kiLE}I7|<9prTfUcj9tzxvPmT3?Y22{(`FD+ zxP-NTl!TD`$hRz_;{0t*I|Py~Dwk-!uEX(Z?pk3X?#a=KI_<2?g|TBscQMy;15)32 zBmHPlrLt3q`AoBLl}4ostEN-EkU&XAo|cMq@Artd5q0k;W44Xd={z!gE9XnTYza_A ziV0R__Szloqtdi`rFh%#1-OrwnwL83by^b$_pJrv47EEkFIc+IB!`Wau*o&c2;ZG( z*%%6t8be`SSP7aLm%pE1&YCt%JkQ&0)aa)^5UDXNG@3DJN4MA)pxH5lOmbe8!RFlI z69{!y&M8+~KBVkN+%5oVw`meudrc-!I48mRN|#NRvuc;MnYJeaDbp;pZ>K?*({Dz5 zmu;cL+HTOf%p(as?u{@_EE>Bt)24Y~@x~sZ9{uxaulyVmMO=>Z2n(_tQ`p0S;H8#q zQQg*NVOT_%w(XIHFmlagz^1X%;$1&8mzY_x(IY)Z6r-2DqQ>hFnj(98)7xs{bGq*x zO0HVn-9edIyB}0kl*o2qQN#Ckt30-4CVR`Oh3n#gL7GJO&qtKloOwZB@GG}}a!)U8 z<1=rS*;5i}Q}0>5?&WZBbgOY&|p>J49@mkGLc9Yx>zuxGWP$eelgOU9s)mW>;n z!FdQWF@7XS?e!r4@*pQd+Or?H?iKYzk}R;TP{_BhW%NSP{|&me9Xc#)FFJ~DmIYB zW(xBA9SgPHd#&d7cEM+LGmI?YTH5nsGK1n}mfcc^6F zOY+p%w2aa+^zV@JC%um;3>l9#DRenp(yZo@wpnI3rAzAs#e`4Gxh-qqo!ct-{uggr zah^)TRMxAL73Y<6SRbLc7QZ(Wk9;^_;$tw_m5q>KuyHz@-E4=?>Gm*v`OSqHi{hq= zzTJ(PPEg?_w~6OfF|4~|N8R}_7UL{*j7do8sjSAOUNcKUZ!_VNFh{k?3;s;E$o}9* zxJ_)H)pLf$szSB2Alsed`CqlQwYkGKxF&IQkK_gNs;Zol(KcL-D6Pk@+BaRk^~Jgt zW0hdpF@>0w+!sl(WeeOQ%kWLS$JCeb%R#cHH(fhhlZMUnvOva&{G~bIjd}U-yr~Y5OCI%J8Hf1aFx8hei8IiiV5Z2fGGt0q(K-2-y6JhS#t=B!A!^Q<9f+0@~O zx%cx+hRM1zLm~jSyxA?EneN7|P6!W57={UdXDQOBJ~z@HEC8A(sesKo9`<50@&}!v z)!zjY-IQN-xH*P4-V7SUO`or#sCZ!>C_E6%<;qKi;XZoRR%U+I&C?Yzvu+s3VVe7O zDeDuL1}PF6c|-i|^F^mCMC3YNJYqdCJa265(AJix#>|kS&5?V$O5`1`vZF2)uPGnY zRt>}QQfH3`MpFYhy+x73 zXe)K-*?a)4YD@Vl1Y}8kaaxU8F;XM944P!^d2xcP#@~apWxsw)dhsV^7q_h zTR4`>0-O)d{2rcL#V-4mB2Crec%NVIHJuAWU`eX=5(XX%uNGw`q|1fS#`cSY(YQLR zZVc(klc#@0Orq8Yxq3@W=8KkxezRk%YOS~3;jee%clky`Bog$DyV{?1guifo0VHqx z9KOSm#bV`h4#5t}3Q#-OA>!-TGjz)>#gUJ3p*l$iK|X@mC2|d|kE2U8s#Vn0B)_iJ zRFE4wx>`lswAJsy_- z6=#FjA|XBwCZ2w@4dX-%2xM4DVm&~nV+yqyd;*48|NAM|ngWspntnL(Kt4G7@OL{) zm!^P$1CjKV!Y1Nf@L-c}|B~})2$&VPyg@e;fe4;?kEuI3s6J6hc) zqE!mg90C`GrT%gT_@Ki0V>f&rofm2NP-+z16OeEb_ldea^Q4m>^C$tyH)@{N&}tuR z5_LP$t~l7#-fs3DS?etPK)meFujN&?5J>z$-rWF&+|90p@yBShZax5n@VE$U+^q?IF5hu#$ncKP z7|LGFva?&!ZmO4;_d$@?2`au$csP?f&cH$tu3G(ZeX3_%uek>{i<=k@=V~}!Td~fq z%+ZhL^!q#Y*+RlQf_IH_yS}|X%^k8kE(f9}yV94701G^(J^2z|)m7HwPKdp*FXVY` zax2E_HKtH?(_v1=*2B0%x>D}CanKJtn9j&D&ypCB5Ht)5#Ct=hP3yt>&3Nk%gx?m| zs}CmD@xsnbJ0|oA_gy`rIaSU7OX;EUgC?3L$tJwlcOo0=2A)3?dztdyRm|(%l<<_! zrZ+x+kZ`eFmOr_q4c$IrF|h5lap0cvZ`rvqzg5;;X-0zMT5!Z`ptQ zmBl1l`6czvMTAbAc(DD%{w)J|FT1mj(eGutDp^wU@H((t^#KD_bkKn5r8<@vRHLcy zX+i{X4=DrCF!6D3&9$0l)`S@n^6g|puO${&%z5nNDg!KY<;ed%I^UNg?$PS)sZIS~NcE>$!^d>22;R$V8dCj7COMHQraV4c-$AUKb8&6U?=z+R%G<4kD;*SX+@Z&t~x%f*0x}j`kK|C01K#(#q817epLl^=S!^Y z|EA4yr0+YXYwYv&Q~Uv@2V%V#@pJ6M5C*x2ZF3&LGQWawE6b|NwY|Mme&BM^Kck+; zkub`}h3O_2mf!i;43A`6ovR=r9O>&e@kmwNnZem1R)BJAD%0) z7rd6ZqQZ3m{CWq(L_f{Sg{9rJppk+ty||YO57+D-E9&l|DyS5LIh^BHWcRY@h*i)2 zPv2NPzSz;`6JD@^_BC!T^w#5aFzH2n|9-;$;dzw8c+Lred~D-s-wOX`>-mFo?0^5O z=u`YSmk9os7w?aLi$fyC>gm&`3U{T0|L;%!pUulL)#sd6`_kJF74K_u{rhqJqi^fK zesK>e{?`&|wtm7tdzAmjf6}YHr29j8fFD-9qyOu_{$>B|`}q(4C*5P*a~WdyR=Xz* zAE(tmhUqUN?iZxA#6bvAUc}(rzn`=FMug^vHW!CX2loMsje(@4_KvuF?T70p$9Xrt zwXtT$00}mL%C9^B8Qwzv7nAU4lk(w!G+wi=yAu_z{J6`Kj1Q;D<*oi4B{BrWnknFV zwz#BnY@YWK+aiBM|paP;e>iN7i=e;q=+5Y`2amRS|O1mEqB zp?@U~vLUaQ0C9=L>Yr@so5EIMzWGJn`!t~ktcI-uHM=d>jTnwR)P-d^(H%UO1k$pu zyqdoSXaN<6eZuL2nKOq;)P4F(1 zJfG<=nIo>bJyeQ|;C^iRFRCj=0{`wYAEC8uF~HPW1Nh*q#Kh>E+8J--Go_NS1Woala#_a#DQ999+& zvfW19_J<+22C?SxT>q2D_e9+`34gOOAJ2Oqvk0yM4cp3o{(!ezq)z#CmgV>%W~u1 zkaLz(&VdsGkqvsuz_ylo3-5lv3sefk;%-!sZVO-!KI!3Wi64w~cR;3N3}M`%Banr0 z67*i{N5Cw^J7_0L;m1i%;c~^G#kHz@DJz@w<1>#w_*o9p!v1dxYhQ@#ZH_;9i8&Tpj%5>d=1O1+Ew{lf=M4a$_>` zlRoliWL+-TjnoDr(;s)`XlU~8w^?H>fAOJ0fkhp|cG?c%6zIFgn zd@(?)4~#>~;Fkk558}ZIt{j)}f_CfDh}pO^3AY_+skk9us;E6{*Ps69r*Ne#tq?ri z(#r7sw%RboKFmT^I5q(d8jvfZpKkmlmcu0+nnG{to28R3*Q#)71|}ipq#rd^EewIP zI6<}C2`2Qtb-pn zVkUHfdM;Z!B&d0#Xq%D#XKWz=4(Y2JN&mjI{yne#4^n0)s#7vfi+47K3jX5{-Df;U z?0jZ^F_maD*t#8dDI5C*-0M33K+cw7LXGYDEB@(G93T6jC`QB2?R%ye7E;z&dinjz zRD%54A#2!$$Qxxhrin4N@YyFl^-go?v*Q~!@RbZH%e~|cZ%AjT z_o0!mubbS3W}W!BqX(Zp-VIauHY!ogHchLWhgG?(qWjflHO^0W36Zz7q%h#NAhi8iF7IB&9hw25@8^Lx( zlIZ@kxCv5Oo!EvY&VIkU<{TH97~m z1d6FjFJ#DWv_L7wM6Nl3m+02G9*EN(0YSi~F#^y_mgfHP9DlV1Q1n)AJ8L$Bx~{rd z_-g9ZxKDzrYj6P2v6h)TCErMW%>Mk@+E%vy5$lioaVyZLnL=Ur9E?tcRhLt1YDnH% zY~x;5*ygIOhj0(S%OujQUH}V38Vx=JF8&Y+GPj2&8H(|y(8hAdmpGddRvROUGdi*% zv=)Bjg>XRLT>ad=8wOe-n7EUqKYjT;A#HivkjAD+CCrdc^>a>6CoSv=mxTFM{(^+y z!mk4-Y1fZhP*An_K#i#B0c{`V#muF@)lP5X=ZGh8hPzus}9YH2F+m3)7g z&f9S(pu{#rm__>;`gC}+ga|F&a)i(%f{L4paS@x}=)d2r+MT|DhT(v~^Cb_!3AS!d zSMZ-@qY5APNUwc?7QNW?C~ejj&}wvdf)~#iH}uns=beE3IQo=6?I_8ilS{oI5~%i; z${+w9hOEJ~6?=ensk!)yL^AcR(P09Q$-~iH)k(<8cIQR@o}E2D0cn^)6!-=D#Jo?} z5@EK$ojYen(-ew3(ORAu9y8Pk6fdL(MsZ&4W$LDiB{U{cPTsp53y_3ZtkDrmGgWGx zE=ViAG#Fg`8&#SHGA7IItsrhQAW9-2L^VR!l>`yHM*&KA<+A19SwE z9QDAZXrlfNDi2MN!CihbYzgZCsBw{%zkhsUc%5jyO4p&093-0 zgFhWRVz^(m{H!^B8TD0ff9-GC(v=p{a^>6WDU7l~cQO)PwC#x)cIeB({Qo|b)gDiQ ziuNLrw%xZa)#L*(TopX)*trxo1G(2f{!GOq6mfr#XN;~V0p_1JT)t)N`DMU>l?wxy zLUi~>A5Cauabi@+(j3qKx(~ylMyVT`)v$OQ;``Rm&NtzX(%bVLmI`w7XhUAiI=l?l z$G@Yisj9}@sE*!7ZaD;*sQ>CRMm;(PbS|#>ntMkN|FX@d!?3-0?`7e@`YF(GMA*OT ztcDlb&B(&sa}x{R5k_h=KZ@Q3hqu^oFmC!w3GNKSGh+)V*Y{kjm5%W-=UQy7#5i{R zU|a!vz`B5|sDK+^vjZ|54IpuPVAC$y?<}FP#{npj=2+(aZD>cE0iLLW@0#-KHT(7^%M!~UI39Np)H+c*z z%}W|pq;O(%G)y?Ae5b>@K!nk5Z~~SG-_6P-0l+5|u#B$_w}M_uJ0;*8Sg+rIMNCxp z%6@t^?04%<^;6M#WF-qX5sB`@K`p$X){bvfPriG#PaTo}U@#fZZM?d7&@^UOop@;L zb7$w|c>ToE;&X@%!>Oi?-4Qnkxr_&^6beON$q$vECG6E25-$*M+WzESxk|{cRbOzA zF2JZcr*zU1#uQWo2~&0VKDWoK*_!^*lIB}4Vw$isySDse*60_S zw?%Eo1z_wy{2cL_tB)mcG*cz50|t|)tX{*<-o--tT4bLE4Jaj|adjhPB>e#XQ(W1D z)P5T+8yA>(cyWHvd@d#B%QOCH=RrjCA^e_mYd|tiK{Ry-=Rajx{e4-Qy;*eG8XO-F z_J6@u7DG!TOi}9*$WbCsD^~$6kVI^ot-H?PW{7T^9uGXd2hVDPM|BV{4#$2vy3Xgv z;{fJ7nx-<5Y)aPz7LY{jOsRo2uxr&U_ZJ9VEEe*rdI^pSl8$HeS=cVy!AEg?qkIfS z(LFqmG9S~~bMxdgIyCWkeR;-cr6|Pc$hG=Fm-of5DdQFM$9MS~c;Wf;%$m8GE%(Hm z<1O)<>S4bWT<2NyNcker2(?qhUZ6jS16_$=sWq<)?jorbVY;>)*ZWpOguo|on0Pg( zpy{fEOa1rG6<(YUvT=E%S>ilzsNq^A44h}0KMT@x75A%3#1`Rq%g;4;UA^(u+1bo< z`u+0L$-{=oF;IX_nEr14wh1>dT5A7M4{`j9wetB74lG^k5I#(LhPAU-fHOYYH0gH* z<|tQf7LpfvL5OaBTetlz(H>!C0yo!B-FLTyf=i0Hul}$HEb@Hf*WU5iC+RXjragTH zHQjT1u_F6zpB{vh_Ew08N>(-;ob7cZZpD?hrYq22z3ez=5TVS$}9woEWhbgx?st$f*OVlRnA99aU;FuNp~ba z^Af3}OOxd!uFk%s&x>eI2XY&17fWBMzPU{keCX->wHy;0U*DqZYt`ghg{AurRut)! zHepp}$Lc3#W><{VM`^qB-a!t6_zCiMpz91|o=5fBrp0Q1geQ-j`js z%qE0!Cd-inyyhM`>SPKngHxJs#Qr(#EuAt$sKxU7bG-9eJ2cU4b_LyCJ5Y3Uj4QEO zTA))uNIE|yh~QhsS1YqUKM4UB5)+_Cvx^Vz={1#Mk?(#RK$2URTIIoDZ(b(b&Z|zSBWl1TO<-5%dFjl-kdSs{ zWa)I}6zw1~r&H+78KlLKfeecc=qS0exwz_uG|p~m6J(cwoUsT&&`2-7>M?7A_*U+C zt>V0Q&rP;0b97jIVch#!UZv)vHwAY~%52#T0|SjeQ@0z6Y1n^2RD}s&6+NEBjTu8% z^(z#f7CemC9r(7?UaS-vJD;yYo|VfbHU<0R!yJr|W|NH7!!dbzllg*>-}eR(i&HPU zj1slk==$=Ha1IUoqo71OlMRmmvC)O~RM8=AtK@>z#+T*fBx=@g$zPsr?s-=j#62{D z@%UYtX}rN5bfdFmm)af_vuf5p&V)p{k;}!|-5J+*03^aU5!7ew3|RKX?qMFJn;E9N za98g%ld!Q{8+8Tm%|9Cx64K1dwLXE@o4OyHA%1lGHd*&#PEXOwur_bZSi?|_u#$=u zlk4bT%VnOQLWPzxQxzX^3}qs(?GR$W6!9G(J8EYf-d38@tnYeNjG`0y#rB8Dy0^Y} zsc-5Y!gk0pZaYbi%D;v7AX$UQzy7@c=*slj*j20`cZl|l*P-{E<2P=LaTcdU!$JKR z{%xP{TA3z0%-hY<7AIk?yiRYF^Uf>qvaz0T+iT9(?G$#>K5F{|-1n6m$%5qxW5pNK z#N%*6j)7d$HI36b{aP9~Onz>HfHXz5*H}C|(iVp~fF;uT<8Q=zB(PX+%><;bHWT+zRsfot|p)T&r945 z2Dy(g`Vp@S@v~QcOvje3kzEQ6??D-HxE262J3 zDwsTbm>tCt7USaL*{{rGCU@Zz`LMv`a5uD)jJS99o%rF$0-v~kLupTXw*Wiop4*0~ zD|DD@pkN<2O8I-$2Mk9B5sJlI7d}`Dn2HQ>KA@)b+a{9>b~p(1;PVlle{-7cwXiSC zPPV6VIch3A6Ccb=ay|Nf_v_p03L1Ar*<8Hgs&Odj$5n>=dZdOmsF3>LCEl%#QJ9TO zHI=z->U)XrPSE4RCbIlGX|ir4Ri1V$PH=@*YQ%P`fo z8$>Q~ch4j-T*ZZ%>{fQv`d8kv5;-+V{yUX%L-!YLSE1~2)dmhv1y>?9gD3^}K2?}? zmj5o|lV0SP%P{0y)1K)}e3SVV*(4(ICl;cd`v$e9{L?rfZo|6Ia=*Y&4}n z7?b#(rdRq1GUL|;Y!@kQ8A7ySrQ~D_B|MYCL0e!G5!x_9n}NjCuHm#9A-d2w(iV~z zK_X1{<0ZdA&0oGx7{&xXKaS-|U-|ll(oC~LHGd;fbd|Mj4$#L3YZf*QmmQ(?@r((p zpwQ0B2(P;Rs}_Q};<(_K&#du7Q?BM-pTAbY;9YkDre;21xFx3zV&;Y^Xb;!%yF6Wf z4jWJ!27!k8ro$j^n*o`l$qPrgz$4mv-`UsIa#t~4G<&%3JdW9`a+n0FekbkX_leJAL}2!95!0$`S<`co%GU?{ZLZ*rN9logqtLfMlyNQbzLG| z!+$b8VKwHzHBYnUv>KP2UI8wbw*3Iz;1QhbveosWDCGE{aMmxMDu3)642VXB369$s zZ*M7TGsr{#A_%7gn~-l)D)&B{J$racepHo89Jv9Y3_b_D5HLQx6W||Cq zI@w%T?nkICPTr@b78f_{4FW<>jOO0)sQP**w5aO4oO5xu2Z&7^4GZqo3RcJG-upAW zMq)c>G4Ut|eBzKhC%=M^J6`m%M)9rxpl+vqTOJfFALV8@n0B-wV8B?(>{)Wnxm1-7 zpp&qIu(Q5q8z0|Yv$SR+MNj$se6oSVZmmO_6Ij||R2HbOtfj`PCe`{e8cCVAcy#j9 z&LG$BeWzNFW!!h%V34$Hayg+I)#<+xJrkvE`K55CoQ33s+jSITNEIQBCC)!}x*YOa z1nUpNdFO;gPL@q@$rd%AU`pe#FNjAB{f$HCSkG13e~2Mya5mi zM`qG+O}l?#jA8sWuRFm{6MP%V@(cTWk|uDQa*d9{e{qTr2 z9P}33#RJd9n)+Xy3RBlWq@x~AmU}!SThACjef&Z>_+`-w{vWM7Zlsx-<}s;TS}d|r zyIeYw5l>N1l$UlkA#%TDWT43R_a+9lT-2p3ffyq2-U!q$ zLa+=@kuFkhDrh!&YWJ!rcQNnk=}_-jXo|R2JQ2?^dNjhV(G!7)vT}6BTF_OGT5l#6 z{s!1UBVN};?3RN5z<#ucIM1W;l8hhu)3k1VZ#K9>gHh@DtT#SUj?-in@-+{&A1&n8dp^&b9l=Q# zXzPbnTc;ha-W-&G#12J_{_?Js%#~9#RYq(m_6nk=m=DO+)b*^(%7~w>}zO#1){lb=B{^&~y2O zAQSx<`>;he_$gSt{8E z%@gf>jmjvNb&}i?oTIqdmi667`5f)Ldao(OU#M{WCHDQAk;jJMh9@FpGlkWaXa@50ZjeRRdeMC8#^{>Im!oJHkz$Aqw=rB0!62oec(>)+J4+PF_!0Kt z&{Lyh%&Nex8yk~d-)+Ze^VmIF06rMs=WA4KZkaznEV-b9C#j0KZ1kSyh4->dY+=j6 zEJBebWW%01(S=&Ll^OljX7fsE1&7yJp6v_-qc_H&Yg%7;Od};+NZ$+Y_x4G~-&z}D zOGBN*>aB)1JHi6BK~V#So~=0jrv>IUw8t9CH1x(Iznaf^#TSx@kHswSVTK?Kz;`C% zPoReo27@@{^ze^YCy%5Jx4>%iZ*jKAWy>GUYcuKE#&m|kZ1&j@cAcP&9fuWML34DI@Wht2=Ts{e2&k#JL%BQ&CllFYn zQxVBtRSk$w=t*^2T{VK}eStkwPF&IU-M9)Xf}!~;7O_PI0sCk6jUU@Ep^h%h=xhW* zv%LsInaCJ?r#?ok6W&PYd(ZX9#REL5b44w>zg2ETnB6%Vm`|Snw9qvpw*1p?eko9# zW>I<}naxH7CA08>@9l2T1fNn;FmcfCkcP3aS6A7#`aUfrSA{KIh1-6ax6jE0j&-Cd^f{WuAJ{~!HZ_TXu4FNmO9`ni#Y-$VkWx0!oF5z(> zN>q|k(>2}IuLyfj(w-#nheJ|mXYq(91v2_$$cx;E-hOWywurypF>|zOKbYN%V0j;! zH!+aEUSyI-Zb|q?9W-MC)Of zi*}f41i1u$0CIiB<6W-!hP(gC1W)q&e*vQZCuxQIg8OX5F!xJUSeVjfwRIH(l@ax` zm}N$@dSBf>CfMLv$)wvdJ(rS}nG{ZZN8JQuT*hZ7*g1Tj)H(m{-s>avI2r5}wuvsteosRa z#xiWiSQ7Kla}HFiyo0fyoyN%?i#$Wk=-r+Ox zhQSboHWGirk`4-TIPR2IZE+aMNY#3=(Vy${s>{8$!qN$XL)uR>4FDxk86(UF=vP?) zk`WTO5EuftH|6Y}KMu6fGSd=oZ*blf#`U&{$BwfN_Hwmg$u@6eP-(FU81{}(<2Frk zMF*pFo9N`D4x5|F33=a+dIR(y0ea%I-$!b(>K{80Ut#qw*!bDPdKVQ9k?3X*6SC$M z0ab-+#aLtnnkYZrX|M^5Pv$6l=3%-WLGKK5CF%;p%48F--{Hyli^v<#(q5m5ewG;F znCuQBsFwu{ty5HNhP*D!^YoAX_sImHcRSpyj^e4c%1N75W?1=!nQU@u>WaGRf{^aF zm3Pr~3PyDK-(A!b%`|iQ`Rb(XX}hasC=g67@k68<_?D>5wgf;O$+?0Bmw@OsM)iE0 zu6);4R-JRJ_Rjpq{CxyVVXA@A8DCR?*ScBzejUPK$t%#j?zJOq#Mq6G1eoCM-wb^B z!;(O;CpnB?3wj+oa7H_+>$K2KSb&#ZxZh&HX^-|wAElff_E?F8?+jS9bJgSB)F-{vNU(`CwK z8SQ&+I8(`lL+g1fvjP&T+sX&Oj?+pOfsuis#Xj>B!k#HYW3#KSaPk?#Qq#_v&uq?Wo*CMEnwvSt}B zS#zr6ze(0~Ff3$~p}`=URvT2>a(^v~CPK4HvrqR*bL%0S8PWpJxqao(@nw{`HP=zc?sf4ii$WPA87UP>gVc5-f$;Ps`q= zn|I&JgKJ8w3IuI)bWtl(uU|R}7^zyzgoK9re-C=*Qj8UFPqOzgO{lGX@BYzGE9asl z9d8U5&iiBvXfnSQszBDVvuGf9Kk;9on#sVUOLjAz2zbZOH-Zx4kll#UAr?gT1W2r5 zo$N1#*A&MdT+2eS1oT0Y@9SJu8aP3XCY?XqjYfy0={3j-e9Nu;-G*qq8W(ztkK&YL z4z!Ft8S$u>HG3dXwikxUXMd;DB-PL__4XonkY_tPI>=kAurtQj{`Y$+qH}YD3GYg7 zTw}E)bUiE&7ba@n`0qkBuRQxNp_+?H<)$n4x?dEx=B_1&I)rlbmH@kW;GogDh)b3k zr()UuSElBs8>|$+11$6<@HRYfY)oyK#kw+K*mz9TO;z*RbsCG*I`!9XenW?%OSE-}RzVw+nHN9%Ay3oF z!fdp_LNdDO`M}%{s&$%28lZ4u%I;zBhO>%%Kt{uQhF zw)$bd@Zbp(Pk@~TN!0i;&dO7M-Sb%;z}Tvc1dR-ow2tTmQSQRRLmaO|1)Fu>E0JjXj%NF~WI;z$ z(&8DM7l?Q@=$47JaT%C7JHb3W@M$nIxyjX<9dmHvxWBV*M|?bexYj-5w@_DH!Y@hM zwN=0?>RA0^U?1h;Jm>L(!6PVnqazR=jYN@pL~k-O(_KlG;uOs^f?@L0xdQ{A-Jr-_ zqaQbSgu9KKx^Mz`66C_WE@BFLkLkUtURj#*mCv3$&CLG~X>T1?^|r5lD

!hm>?l zcY}b^-Q5DxEe+BLA`|KE?(T+32}%e^htl2PJLcZcK5L)nJbUl8-g904;U#mq!1gS{?}t4Oa)^< zgcfn_brtT(^*ibCKcDvh{`W4VaPs)g%ZCR7@`2kxF(Q3G+dq+t z>lEJ32JlAWW9C+j;j6qG0w5*`bB%ylJ`7dm8#vvZgqgtb{0-Kb=|ZDp-peop2f*O` zJo$FHv@-&ri-0Zoe^NBh`M<79vd{}ildw-xz}GeGfq>&;Iu}Q{%+~yyF*QgeN%5+w zdy<{~R5=8he9R%buL%jsZ|QGkP!jUK!@C#OjOC3cS=lfh9W>7o z88w$G!h3)|lv>+r%Lc*y_bqS8>QAx@3@A*K5fXn}!q%^)(IBz`QI!dO{y99D8MrOH zS4Z^0#L8{K@s$YQ_}c-KPOXv8u35+v-j)rs-`RF}Hwv%;wgfot%mpyVd6Jmy?%3|x5ennv&F8Ju4j>==EO}(4cl5Vp)zZZM zd4K_1p=GoifcsnuZ&FY>+r+fPE7AdiW__!R_beP^o&`I*C9iy2AdMu+z3KWC-NhH`Fkc(gxw_>aM+M*4eRaE*WO8~=X1oPNCF(Rxu+{hQcBbIO zcLjkxPHx$dFDGCE&WzopWCYfHT(C8D5!16UeVA~Iyh0mAB4LEm?=XlAho9OR`#m9G zkl4W(B%v5&1~h{nKsZzr!Nc?$HXlNX1}wh4%&-aC2h1jQDpGb4TV!E z8x7x~7xNX>lNgYk&JM&@vin?Bs}3E$cj&SBCbX9BM#*8%-P+yF8GTkARQCLK@mhhvh=0y$AE)?J)an@Xktv zaW+~~;9jO*tP27-nM|0xzWI*l7^Z#iG=|;#-9;tnx8At@{{>~1ihBbxL;Mr5QkUfb zB${7*&YJ|;t(O|M>jb}NH5NB@Oc}4+`X@M6?=fdeTx=0Q#!Vb=aR%t8@*==cRL~i$ z;6G26wN3z$LZ+t`=5QdKGTfFl11uAC)WOKVS2EltHY`8*HQmh*6P{_{1QLA`+zWMIEqX}7_$JcMsXQ^?10aNx}aReB8dBTO3Q{15iS;#Y#dtV*tB-U zH>?!Fy_j@Q@mzANboPK)!t(Yfqr_ZiRfC2uSjxag5HeHC$kJqQTq8A`^V)dh?OKoe z%N9?o&nL+4)ax+m$jKe?1myaa!@-n`FtR%gS@oOufNFFRmCUdC2Kz5O+Et{M3J5P| z!4f#hyV(x_Lqr<1FHgYKl3wi`gq1&rs#|+0T`r-ds?XbuuJ6wcM(iG;cH5CDlp#0H zaVQ)LU5VqjzoK<{F7t4yrslwVOCY3B^CWxal6W4bk z!KjbXw0)Q$WO-hD4)r%o$UmRv&Ay2n{;5asJAU(Fl%#0FW-oDSrWnfRB=X7?C4VPO z&B;d|eF>9C9xpD>;k}|*PRlmHL;DB|MEzE>Eq+E$9%Bpcaz_n2{(tZ=WrZF+JYfYVA|GUQTsI>24 zW^21(hVGC8fV(+odVTzbtq~G`qg`q!t1G#HX6wl$&_ZBLmL-ecVhhZSC$irf)yIq7-G_8LMp(AQ{CW^)?BZrf= zbx^SQeSa7C8h0#!^c72Lqa#HT_dBUEtLM;+BZDj6%q$SHJqV`wPARU zB(*~^4B`@0sr`WF{0v9(=~tj~C$D%NcoR1jdJ=6ODCwso%7%2qQBHr~CkM8Zo z@RB$$slIwEa@mDp9jy@fU^M*m?RB_<@~`IG_BU-O0JHG4szzCMBF;Z{&TsD0UJCX z(ZNJ>$==V}1N~QLf6F47cJ^%p6?MMUuWKMwkL5G?0cu}1VM!Ny%53yMZJ2}Uv7N;6 zk>F^N?_Vy)RDYy(=^Pq$FKh)`fl*vdy_Mn}&J5n*|3kC1?f;iF%ScVju_6jrP48QP zbfgXXs?logxZOpPO881gl+Fo=GSyv3x0fvn($nc)wtqoXekdLU^Z(G1y`n^QyB84q z9rEEIHD>Ju2stMs5{|=;*L5eR<}rJA!JbV_*XjZcf7dh<7M#VTa8a_cpVpBN=gTEw zg&oq(>uD+hQIGpygUyBqnZWLf znV|%FykmqyEQtWVQwFI+=ffu33_(w)WtZ10iTWCdymb3OrC8KLtB{(AtfuOYHzF|- zj_vcdj7leLUW4-v79fu+?<~j6XvT4jz=k|bWEI9~qHGEZQzu1fFTd-r8J|DEmr^Ob zkG>jRZ9<<>#QDs7tV@)jr5vvq02_@4k-_Mv|U5S>Zi_iZqtN*<%Fp3m9Tkn>!8PR!+9 znZZdCkorT@D6XimNSqTWG%)r(xA*{3ZTK2-18BqO;CD1wCDd3?B;)^YkY#csWi(NU zR^XO$>QXO_>tGR3K1=D;zCyrY;{0TJB%rqF9CWn-hWKj5Pr9@WJpBUVCdCkWR@;GA z`|BW|wb0g#w;#+e!zSe)$ zz%3wF$gJX!+ii^1Fl1b>a%!-bpbzUKy1&<0q)~xqJm&WT#Q71R(Z`f9AU7F=T}Bb> zzWq!a~ z+VKY&o}e3;_Z=oYUB=S-u~Zg@vE%VplvCXnhb~*_>h7^6_j|MUzNMB9dxP(!ph$9{ zUr4dSRK69jdVqr|jk#sh5q;$&ke;Hp8W3~?JdMwAULNA3#RtN@_{0k!mT<-tqfqDD zS3mttT?O~k00l@ow*arHG@l!O#f`}qHn4X>l;eClpt@w0)_R#v%Mu;d&sO!7VZ+<> z>=L|f-^OJ$-Wk5h3Jz@5kWB@dA&-=U>?I}YeXmMwukDhRDk&-492E9zvi**@t_CiC zeWjfpz0G;k28j&T8M(M!>o_a3M?Cx5Fqut&7@UnTw)Zaqmbz0<-}Gg>WlxXVPY*8f zXh~4|azB4P%CWg~M38!}=j7Vk@grCAiKBTqDgN)pm2=!HwT!FZ5Ra|nrTHO!>!Lil z=@XLJ70MVvEONW}KD9upzm~l4rWk4toC!k_2f%-8BS}k_n!Bp*!~@d7Mp&%>8@jTW zSt5dv&ndS{dj~e;+x{6Q0U`(Bw@6d*Fa!@fGwHP%rI3P?AzHwc6Z8``^>ZO}slT3d zrvs1_$A@d{)o3Six%HZvTY=!pG8ZAsG2$MXe%=e`Xp3jjmmo33#6d@6qI}&O`jE`` z(wJg5GaBe~SqgI~u}ZP-z*dim*LC*+ASB!nKyj;PSDwYfy`5}VZGUwwZ0;=pr2MyL z`{!Uk!+t}6)IalCR~xE8@fhaMq4&D)$YGz5@}`_qex;Su1j2sj0r!Ndku#OqbOmiK zP}gb^w?FF)7+M^L#50gcT$C*MG>W3fW3?Nx4`zXFX*d<92_M|#KfaZSuZ#Pg?Im>F z=5_HYX+%9>T&C2U1z(AybK-T~B8+a5U_0t_g&fe)+HLYJ#KGzngPJ%?9%t4~srD5? zK9`?LpiQ>uJLFyM|5cEY{!E>`(1=w2bZ?%gkzK+HU(Z1doCS@ce)lICH`+toCS9|W z?+J*9p;y{&plNtEx2(G$ z#mC}rJ21|$rEmkRd7$;zqtS{P#*r==Ph9sA^xb-y3c+K;eC~F8$2JbDW!G+60ita?B{R_D6o;}>f1<;XC*SL1VgAD?PtJMq4;QC z4?fz7+3A5mhVS(+DiwGIVqQ5Iltvl{Czalz@FjxtS9u=9=nj~5W_zy?A)2bH=aUWE zt}kGjH=AWCroOEq9&&U#e9X*yoKMKuk5?aRcGUsFY8_g*q z)NR-OCj(p;J68|`ls~Tw>VMPtZ*a=kzriWh&cMO{!V%g88qT2NaJ(c?1Xa9a+pm*%iu8)kvK)Fx^E zQFxSKvwpSt>S0e3EaOi$RTnc9>nhSQDNKbo{JMX3R{3ti{#8yrp-9t(DI2Ou_bhBF zU;SG4P?8vi?NV{vG8V?Bxx+%uborRbopIBFnf%R#f(iwoPjy7$G~JY2HjQv`+FCq$CV zc0gjn4x)>_5c$o6&=GB2zw_O)n9sf>ext?Y_Uyp%y)7)FshaMgvqpN!t=pz=fx}Ga z0r!I9|3DsG`oY3A)xTa3WJt-hO1^$Wo*SUcOkE_060V|VhPMq(eN9NQlDx(C911dQ zs2k+y9fR2+S?ixwWTbPC?`Q1q_DsuM&lfE-j5C}UFYbgg6vqrsbe7tHyQw4HQiw_v z?qB_qd?`v#wIL5S-jOO?hn;>hMK4(8>9-}ew+>f&;CGO1=4Dk;AJETx0%Bb$H$?n3 zl>L{55-N?xGlSoUB@q0{vT`+gainR>>9lPfdU(Y8GITkacoT`ay-c}8y1ZnSJh@c2 zwnZ&w@PDY>HkJ1R?>EOj&vi`GCap}sTrvIyPkf=OOBuV&LmKs1iDs3jjOsEG8lEu~ zDj#LmBj07=5Obt6Lg^^1Il{f6DG>Xm_-Z{0MF`r)2WSInjAXGPB!(fe!NNzTi^Y1P z)7#O}eGBip45A5t6M)cRxdz6a=r7i2R@;o&kIUn`Qc~(NS9oU(&53o2Aq_r!9)f|s z@y7Z(dXR2CBLOG@TUqlhJENr6(sjI8wBb3#(IW%tgOGJAdsN+=@*`XA89s9;PRW>B zz;u}|QhgHhMd8}{Z~>0S%a&rCPw+RtG!2#XzSTWB;VFzZN#-EsH2*?4yOinZapW<+ zdWD9S$D|h_XmIc17yn#OX-fJC`i82K#5^n&A|fNvd?$GiLR4sKt<9OpX2 zCqJI)65j}#?^^$0iSvQja|$l?Q9yZFjxWgCmAfT8+0fQa*kxROp!5Y)$;zP?TCNN% zZ^Ahbx=R%a`@AN?4V~?{fYBNAz@Yc);_<}+kwr#Nc@oaStMM77JfSen z6h2<;FyC5z+>TJOwjc40&BpiXsFe z8vSxG0`f*JBM7IMrtP+T2PZ7}8b_uRjuvrEVn>c@7qTF?JzR^Pj+VEup?eFg_9q`O zB73DrWPUM~sor!wEx22i*mglA&2dO>VH7iUIzbFx85%sz$An-U@y5?pU>KV_rQso6 zfFTCY&<&2l_`yPx^P7vKx1G*GFwXTS?HY?D<*XTBXN(;h1%`4uID2^e)}s*NGNJ9n zBVTWjfl#~kzR*08#S8B6o*hiT*?$#1pbd%vc^F>ExQ&lI?z>63^t)OV=_zy<(H8iZ zA3t)IrN?QJrtblVUrwiut~O>WrwA}M?%9$@3$O77%1EA>&HW@!}W(4ihT@+%=~V4!#TTUTf z9LV-AU@&cZoybadL^>?RYk8lIG@fv{h_7Dh=g&j;HPZN7^~kG#d4l}Ulf@CMFjcYV z37vLHTyvgbhwo~E|JoC^G$)4bUb`eg&uX<2jZyh0=w$DHX0iL-dlRx6iRQXxI+Q8Q zeFi6{0Z8t})~ZOT1Qc-3gzK5dy5ZUgw~)guf25#KF4USna;{{VsriCjgFqZ3kyid} zPM+=?V6cd9j;7!zV}w&vQ#*nBG@QRq`j+9M#$CL$d_DcY)_zt zm-H+N%PmEe#HLH{E~FfMGpH^e?&Jp|g`8~?m7$4;yZ=~S@gELi?*i;*uj$hX71=wHi zG$qO?R{;&goC7QNS_^Bil)Jo4GaDvFATMHHK{1w;==TU+q{~$yPGEK)ltR?%*#~l0 z<@6AQ+pqB;{uBXEIza$JI)(Bp;H(LSbzQgiO)R&C?36~aOT&Jq!?zofQ^Cx|Lf1wg zhl7R`Qfgw2Q2uzs6Sc)&6^&pa$T1uZG$>^kbd&TaJobxvi+;a-loz!r+8B)siv%qP z!M;Xy+SUTu^x0>N=@o;uv{>u$uq|Yt{&coCA|}&ldA~|3+I0>UA{amt^4Bx>o#_|W zn2d(Aspu*A8q|Eq@6RZIZ2#Dr`ytzW2BXSmx9%b1tW=FhP|VV<%&!1Hv&~%GH*XOi91T>EKKJZJg6FFF;k+F9J4x_v7kmpkpT{G>x zznaKD!6FFk{_?{IBhfn$+I-ZM%wg9icELlp_<{^C+Q!cZU>bHhg5S3x9SQ0KlX_qf zTK$smO{E?Chd++7|9Ie`if3YZLvgYL3y|kkhFjm-&SU+pP(0o2 zgE=zv8|VPy0SiZMsRi$a&QCr#?xw~BCGWuQN?KNbB7T=b{HW6#fSZs7?IO0Pv79@= zDE(xeX8-mZcyoSXN5hn;WoC^4IzW4jKQAfVIKXF-D(dq^3`tvl`Kp^=HP-yG)R=RBjIb>u=+epj@UYf`~D)H^}w3oAjaHF?S2Y{|52qG#=%ZpL?DWF1j9qj9K#? zxodp2P4HdE168EfLHHN@k)+4ZxPRVZo=YY&62NcCKJD6Fn<>?%M8ju>Afn;@Z0iKp zV(gPg&PX9W#?T65q1jrixb}v^8?Z;2IG6!YUYUaqC7yfSHU986%zNXCXiF5-UZvgv z=WpfuEs%(HF*)DcqgQ3UANbj3s+d;=5N^;$Tt_?)$NCH?3o&rHNS%pqDC~WDlTi>o zN5o3mE;RusDk6gR+;QzG5`k_HvfWg%`t^-FaFTxwSxh_tql3i6NBykAWS}|Py)%LT zj@`)-e8xWGx72CyVDa^lP)KvbcZ+8M#(eGbj%h{92ZEQn4+P(3FL@vtKMr{=$3VF! zH*eO|fxK*B^1?rW@!a2|!Gxs$!to>9l3|{wbcW)d+$1O*F46_0o1>2d0HA5G(Qyqceg(lZm0kY%L)feT{tKB_^kssB zupIS2{@}m9^6!5`$Mn#AO{J+)$Y=+4aXjS+fGxMIR|<2YW#$L_iv0ruu{*84dn_r@C2*nnfsd>_wZ!zC2wYS}Z2f50nS--{Ylm-*+`z}KoziaVw zueIug$Y6D=#KXJ-4gR8+8Zf0Xj_2Y|JK;&g=}3jmkJ z0kFtRsSiZvxQk%Ek_SGn8pQB@@lw~QDKl4l>Dj0zu>8iBewsm3~t*w9CzC9Ew#v}+f%YY$sPCkNTu!F8P(WUo!j1= z)rWv2>Hn%UGZT>=D%9lMgM9w^dH(lLE$piS5z?8~R#ru7;DNTloKA|1~v~)Ny7BeT0TBO*19-mi(*n(M^0v@v- z9U30fM-X|SJ)Q!<&O4r}MJjov*SFxX8U!Ci*SqBoz^t`C2Y(p^d=nPx?hCgZ<};DCCS$z$077PGZj2Rt$%+8!onZSEG2e6Qo8}fqhYY^W(H?&y%T_BiDeEF zN`mzRJ`4r74(K;=z^V8O5J5?Gb`wpbV*&0;L8tZ&W-^OmI4G#A0jcuE-e$381v7BH zN?TDqT#En_b_KwJegWG-7zqHmPYc);$N@DOrFyX%%82IA_j)6Q&ge=OAZ5bR9I&)t z?HtEY^Zrstho0+{x=M$y52LX9GB5&UFkb)-?IR1s8-RZ@fEl5OrZZ_OW6`nFy^p1v zz^Zy3tTRqteDDn#1~o8kVoVW&6uZa1krJf5)@DWlAgMF#s#-S(E&;yu6KBlfZJpIu znw@qSM>M%kTN!j%qXnPR|)Lz z)||fYf&G&TjbeIgAy!0DnNFR|KMu>M7!S)kjvQQV(gfVg7l0o8xEEWoQJVi2d}C7Q zcn^C%pYP4zOk?ArNcMrMNE_A&e|~Y!NmqXbC_o1=%cpRE(4qS5%^D30kTwHS#@Ov8(4yATihCfTViVZew_j}oCcR-w z=LQt$21dP!dvp6!1BQR$Or~Q*_&JeRxm9(;F*`m z{PKHJmL*!)5Bg5ZWIJ>%2%v&7^F-)rsVRM}y>kPK9NJ4u z)Yiw~%`Xwo}m7B3YH+NOb}pzFOu=YD+d=2szN-LI>vqv=x~vz*pSq>FK4l&B4=}r&DK5f09J# zfa;yXZJTR8{J9z&DNs;WBN)g75rqOrO1m&f{y?>Mz`RHecttidi0D-TD0s>zU5hpo z*^=zOw;oLZK>9-X5Dq@t=qD{WnqmR_mX=!IV!P4&Y~Sh(E-UTR$~E!d+&6JIfld^%)dq+rFk_iRlhs4q#AUuUzSZrNeJnk`dam zjkUFEpaCE-Cm`Gi;DOgX63U6VXF}N61yd!oRwtvh_s=^4&VmsvF~fQh`hoC0PJ^r(L- z#sAw)`Tr`Pa05iC^O)3iFdsqL{;Ri8Lx*E!=K~f?A0$wN>+Yd+%iV%cq!~~JbLGHQ zY>lSS9twV`v(fZv=7ux`A*8b}dv>d@{{~xD3c>`0sT6r{aA2;3>q0^8p*d9Oe3lY( z?9>Fb6Dk!3Li)u02w<6)XMuq6xV&?D4Fq0Evr7az_5e%8j>Whv?-(DvJu~Qy>iPq& zUs>h~UU$0-vi~Tp^D`BU>C($$P>^ATC%3@~fIp0B)JPm5y5k$6Ey3H%=3a zrpGgCZvGHJMeio!d}HK_DTN8@(>Tz%>mC8bXi2KqeiOUJ2mzz;+xv3Ej>T0pQwoAx zh%2FhTWPAxq;x<}BD;A6F_<9+{4z!{dIV2NfOUm3Jq{=om(=1m8rOUJB_?3t2o`jhTSBv#|VRIsU?dnu-6&Wm^p-Yf-Zpf7}{NI56uoD`0QUrFU)x-8|A zu*qmaX&V85CWu&pkA-GvDm97QR%fzunavaiJ&kyU5S0VaiRO7e;78Y(MQ@aP2wIJE zE+;XLIi9u@_htYfCZ1Vo~SLO!i@!nsDRrVp7b7wJLcslLd-oO<>_(#=YEx^oR!s zc3jgT1n>f0Li zt=D2<3Dj<~_aMGy+bbnf*m!ZdSDmhZRqe2viZ{voeD^!M&$Ua}!bqJ_bkO5;+L4~> zY}UqiXV#;LZ+*f1PtP>GPI%-5BpGN_Z~*jr)LqgmFF>H3Lf!DF$79kWf5!cG@J*C? zl9v>G`GerYk+tswHEJ3PVlg}QfOTjHi@5Lv>Y-f8NIXX_Y%LZ+qRz@52v86XqJNIG zp{tD{6ES!KB12!V1$1?rC+J&j1Q#TMTUy&O70r?=DQcs%n0RO{^Q?1~BQCj+={Z6T*SGm4;k#+fCKaw%`xBmz!|-f)e^RwS5Z zwD%r4#H8ueAK`$vClo`GT;d0)@VqF9XZm2cJT#^~QJk5tx5IH&U&KS%GM+_-Bk{oJV$SRovHVin4 z2n_%PuivG&qsd%x;6XObpx9-|)FJeNnm7R1hh=_g(a;@OH5)C|75D7t!7I&ev z+2skG%u^Wi6sFm}#xa$^AY_+d?Dz7FjgD*0LB`2!c0XWd)GU`X^8=1IvxXmTvhPRH z2vSmke#!!Ja0bL*vB!{iOMy~UQB1JWdzsne4QY{_;C7!IXlDR?9+)pl4IRo>7^J>^ zVhX34c^KO4@TngvMIBPf>b=n+!zG%39Ro(kBJ~Eo|eb! zL+tNP-`FCY0d)lxbkzi0Q?VTYmFhIDZ8-#^66G~L{1$Z98<#Ji0tF(UpNOjW?f2I^ zpSynok6rPNIo|s!;&g3A*z!Xt6sUSjhMQ$tj24SjY0G$ZR8&@RBTpmG00fduaXr|H z1!oY3zjL@39A`{gYu!|u3t4Ym!IQ2d{{iUOUD7?10LmS=%bN?) z`HS98)~$IocEM2Q_o zf;E&~FlHfm4^>j11-Mh452W`RyX;JnoTBxhs&=2#8nln433w%3^8S6PcnEYyGkAQUs0|1lCQ>2a}KEd}7NT8ifSk*-`a9PFc z;35j?0Zl^0HP8+p&Qr#BC^Z*O~UWOTB9{{X~3HCm~jGS-Khdn(Qca7v&3mM8)_)h z<#PuJx-_6-`F7LFpk91w&iF=;`NDHwbagSOd9P`u@J4Xv3*tdrv3k#MDkMtV-L=uJ zOOfAKipuwGJsaJue_-uMIDu%_cQ--M@}?9gA;8$yHyc8L%3Q4 zdo-Q8jA-nRR6k&V4He%+ag5Qalk&^NPlV%=aSCrtQB9=tzxd7&#Gf6(-dF|AZUZ?j z)Rm3=V#4$thGg+GDV_W()O6G%DtR9GMI;q_@K1Qj)$9263GF4yHR&_r87lZ=w?7EP z9ha*V<3K4c^a)uZ3@^*R*cGWBlwC)Q+3RQ zr9W)&$rH7-s47>k;2&MGW+@yG(}bGk$sCOq_n^}Sf6r}(;3IL!{;a#Xy$4|G*U*Zn zlTvP&s=XK@TE^SKMwb&e8H|PxTasttFqXZGchdTmEg2~jPmzLqFhjZ;NHw!C5zQaG zv>m6?&!BG56xf`(R;AE#f@o93X!ipeHadz$(66(3to(>J;A%}S%J8ZxWn0evv5HXS7jk!37N?5(<8*p-3?)XPzN=7f`~G$cW~9uvWQ>Q z`yz;oYH76{-T=%JAo@zsk!dZqMSMf=i3V8quEmC=mt%yAXu}-GfpoFENwKf7pM5zc z)S(K;%P#CY09JN67H@x=1k2v%CFy>5JBIu*Ed`n(`O@Y!A37KNN#NTZvt?2jCXg!K zZbAGa#ZoA^#^%a7!@rh*MyS)86b?w^3iI-jVcNjOORi?AYLoc7xsVdw2-gpvh7 zBu*@rm4l5*|KzU#C$Y?GqTp-4qbuyZ(+Z*5T(9J&rSK`=wvf;VsfB#5+iD%_xxA?# zeZXA-1)rJm+*%h3hhmo2rd&p-Xct2ue|CB?Oc<_X?pW+lUm&TAn@^}!Z5A#psX_0X zr#^WmxQy2?6sU=mSGz%j7_x#3x5(KJY%-mKSFbyZx(;8Pq<>B=*7rc?0|XDBHX4L@ zb(zz5q(SNo%Ke0^>Dl}7T}9P0NkeGc*y{lL{~0+{e>vB&#wYa=>AI)s-dx?BK={rm zWvQffwe=9vxlbvqcD`-Z1&v5_Xqr z{Mlp`bLV`_4p+Zy%<(fM_gb_kywY>nhrK66r@jH2fpH4_L&+?MqRv3$@J^k|_s13~ zty_gb8-FaR+Y#u5b%qY5R^LfivO^{wOzU}+hcobEdIO&cUa2DF5{0fu!tp{-t0F=g ztp4)b9?-vB81(w6ce->+w>qUsnxQrTFKH@J8ec~M2GBF zPj&Ovr0dni+veSL$BXZe0&i_gTCb~TEn%AxuHH`jB%V+wrfwf)43zxDx}b@ zz6c6)*9sihaht_g9zI6I6~2JL+_C{sr-$f2tLaRvOx3o=We z7V0!PZM2@B0shcaI-itmg?b!U>kdx41ubr%MF@Z+hlpE_rP6P|H|DVU$%Rt~OT>U6 zNzp0I1ya->A7{mnW^vjx%<2R3PxITa`SNklf(VEB@J#=itd~e-Mu9eT6kvNqX|+&@ z4=vx$HDZewnxcm~fz41TcZr}cOhr*DScH=X3fG@D4i72GSjROWNa)I>f~D51z65ZE z*jHS?L61EMT86s7tPGPB^~>=GkehVBdrw9bC@Elihigois}@9Clq!TIz$8qu7|uUo z5tMZO_~Myz;huYA?hE#G2QVRl`wr;5@i%ZKIF7Ev`7#y!@i*GKBT?_T;`NPof&BqP zsNqn~zsBYgF$j);wh=B*nm~@ef<2td^}5Pse}ND4NwcW1s*>WD>tle~ry9j|#VUtw zRIbyr)4$hP4ujE&<)}Q}0my>MVRu*-ttskt1#T!rPeI@m@iGG>OZs>*{T#LtO#+!b zO4jZ!osgS|rqHW5K(k;{$^p{jI=&Wh$IhrrA+QjP*S?t$e&F zW0o4H4PCd}7C<(f^h+gLiD9s)W8t#?_H^U>>qGD49gb;l!Do&3kV|CIA)FfwRo09u z1DwdqJ+H&);7?5F>`=<2gPNqs`<5O5?|fpF}%{r3Be-JXlWVcJkMhX@dfoiSO7>pypy;DL?#^;s5om!i^By*Z3Cne z3z4tbPW$KVK8s}-H)2aFm4nTh^v01~_a%l`0l-@+gQ5W^ueo*O3bb2@ON!}66+st% zFG%ivMgPJ|F921He96}ef<>t} zNOe!&SN4UuRI4icG(W|TK|O*h>*`}6P7c;t_TxNJ&0-u+@8K8v&9!RuBsy0ZK$*7G zYL}~G)BsIdQ-)gRb=)3D>gKA^JI6C1LR2<3veoEIwSU0?^Xi5WUpng7B~dCeFMd=S z2dUeC^H*`G-Bu~kd-WoDus|WYZuBYnnTUN{M+ zB=59K4L7=;(|4%s*B`GlW}>Tqy3R&_?S1eS%mihpq&D_=~jM zThLiEt3&lP3`Sf#EYX88!L%Vt&qVU%bg#j=lVI|g4}ARN=ES@_ z4DnPTM~U_wf_VEC>~M7I>1|Gn8(_1}QbYzNVAwDxp~Q z=Is9Ifg?|b%3B3K^w!V?Cry1<^`hfs&4`OOmG{hPoK~NF(?`6uI06@E=%0RoQsj4W)0oZA$3epKFn z@-e!%>&M%rb^Ge>b|HZ86vps!J><9vYrpZ4)dMaM4dIF?_D`c0ulX2DT6uKtPUdIw zziJ6z$TaP@@Uv#C5i-UXzr;M%A?3Ccyjg5J_091{YI5Cthi-5OE1VW`Hk~pGo~%^v zW1ep+_xjWyF=zhsmij;ZUR08t9Ln)}u^$D|Tk%)-&102%#RgR+=CkcnUsd`zX5D%w z=_7#%r^FJ`y*eaBh}!DFGw7`W$s!Acp~tM#|DgsUovb;-cLtr80Ys?021`e1lBaYs z8%o3htL7gYBf1Om&AZpZxU>HHQ@DzO)}8VsYlVI=4&B9jl+BP5e?c(qU83*}VTQi+ zw>OZurvDW}U*CM8>iGq^^cl)Ff^np0q6t6b*=SSX&c<*8(liD<0S`>cM3QLeNmdC+ zVEh4|vC9SCy9GF5t>EubQakr5k0o0bHU##x$=|fOm-Zjwa&355H9r{ot#0n0!LM-~ z;BR6<#>tmaO+`3Jpx=umJZY+-nSxQv-Rpo6SOd*{ci+7o!7-Xfro3M8@)*Kl`lY>rlF>2Ucj&xtj^)GTku+~@!*aq-6=6uFI?qtsd zz-okU>J>ETE}%s4Ne~g;3|`K<^_Wq4qgRmHLi|NM+AxVefnbPsX0 z9e@9Z0($en%hp{_$>btV4qd;sS=Hy|WgUKKSFjCwg`gW1*WTIpn-9k?f@Buj7&e1! zUZ|pk-{>3Jfs8j2jY&W&D09#fr7u9F0lm|Cc2r2I zi@B&t@TmWBwArH#F!8PLwle~IObv*NMqRgs5vbfOl)h*Hv0oW4hZ300D?=+SAdRkx z;UG&Wnef|qgvx2n>d1pl2tAZl3M>pwrGgDi%Z|Lt+r&X7mhWEVH(`)}qD&J-w6~Ee-gv!N;q0wAdH#C|5VzE09SUeqkouE@4lu1+h+wpT zXpX=DEtL5dzE2+-BD4)cifEu;o^P}x#jjjxNTCD@#WW$ITE8YljASQ(fW-`wdAN`- z7|qqpc>t-ZglBry>WDvk>F1T6&=los{%rwuPbZuWl2@?NXBY7<(2CN*m*ieQ4QTUM zNj;Yz)?5cIIo5$}%CBSGph@8QuzPllomDp@H9b zPavk)dfGFI0@Xvl;fhz{RHYftpEEOOy7;GrEnJL#W*vNvSay-QdD77;B;kw!wA zkXOAr5@aSj%*N<=>GwU4OjWKR7=`Hov9yFh|=T@ z7@6)TaIrXoNpj7ca=K(Lm^fILKvJwx$0|{5(AJE*h3}6E578Cs>j8<(k^Ff=pFT0-@b=__gdGj1#H?X3Cu9Mv z7U^|OQeBBOoEI=_9>rLTKjsjKS!&C?-vgQeGfMq3rzrmFiNv1kvC=!FkYvyf$5fiMTYWE$cXYns zkK!Vg2?jQ;27GEIgL_a5Af9}OpkUJs0uZUO6rzFYlf-^T;L!Bf@Hpr2c8({CM~aN{ zKyu4}jRiy_Z_W^;n3UWwutzj6wEa!40B4<0L$06;`5|;gD^4$5W%0#YNL5IY>hO=B zPFa^xuAAW2m>L(yF|DIQ=8Nj|T>%8eSXiwLgfgqT9M|svXvaE8l>;9A9Sl|e`hcn? z)$_wepFGbGGpX?7Ug~nE^7yP&1PGFd?Hl9$i@=Z&p9knUMjr#cFeSl%OKMwbwqFwj z%`zZ(Mvw8l8o1by%pL$i3E+^rRyEC>9*aEW|Zl6 zFm#+_%CD%}>~wGfaKPzBqP(sd(H5qyj0GZ_R~YEP3UL!#jVtfFR9_yVFnjrrxwRUKEClA?Qi`*s8N%G60&J z{KwjD#fOWX7bQy#&le}a^6#Wtr-SuA%BeC;J?u|TX8!gvI#aMVa29{V-2VvC<*O`W zt9_>p63&Rxpg;Dnuei60zM9enAPEZ=jI~|7{E)gBrVCN7(YZ2Oi2cyG$esB#Ixh82 zfjeX(fc_W5W{SD99^H zWKx$u%7hb>a;gXoA4Zu(WQ0<)w1FZ0wI}CeY%pV9-{Bhs>tGYRkCRMMCVGeqbOl2V zZzj5TlJ6x+l-@pO|I}I3oZs*u)oG96A}1T9%Z_eiOlN>dFdf@q#7w!*&>J+IiezqE z>oX+im@ib$*w*+%fMvQImEl5LyO=iG$mrMZ(Wdv_z}KiS9QUB#o+x02udAhZ+<6Ab zP*zLIoihA^`-5V4s^6w|OPgi=&xusinSZWfU*$|{Y7 zidy*&eWIST831c|V^4vg1a=Rze{5PkxAmPklyNTR>uhLQZ-b9pnk<7};YV?)Vn{2M zyT|{kx^QkgroL$29q^|`C;QtKn!V?l? zbUA;vX$;>YIWQ|t17n>@QcqS4p#bBD=oyE;OW^o#{n>hF5`%WY4NDo%mOn+2Gg1q^ zdw9;x>fL`idhssXzZrQB%^$xXkA_t|KD}ZE<{fJVI%# z=-l!ZA&1=|TkQC7l!h~Cc{|Fi_b&N{B@b=~$# zNh2jCp@4LEgLFs=OprzdM5LuVl#(uK0qO4U22qKL)T9w6-R*tnx_9rr&OQ5_v)29G z|CY*9n7??R7~?x$-|0R^WWpdNYS1Um-OM=aU91ht8t`AW03XN;*6-9MET#dL#kR9` zim-2{7DHzGZD&dj+=m$y*O7OAoAi7<3t>X6ugQo=F&>2XG>(NkMSU9frn+o|#QoJP=&Q({9!G*Ck=ml8ukm`CvKzUG0Uup{Kxy zV0(iHRp;%;Xgtrn27&dVxd!VQ6JZ`%f)>nbkJ!Vqu!&?AiRp?Ye~KwwaK5HgxAKGH z9rdWXaWsIW!%}7-BFa|_5};N4!}oG#11+EpgC;Phr%CwwX!1j|n3$v`Ws=Wg{T}Pd zUb&+I36Wr^Ktgu7#$1M`1`&-1~QyG2+d$8L?1(wSZpN9IdvKGTta>2!xg1XR-m=bfsQC4@#M{8}cf00+C;t+*ced%WsiqHniDttMcZWvQ zRYoW5*$T6hAMcNJnv7~6A~;6e+|K?QB{qwJH-z!CIc}oi*2(ULU@lVYVP~_e%=K>H zC9+wk%z%j#NdV_`xAn}Z6a~xtfds;B92a3wVbnECbDH#}BN|1HFryR4$J7rwcoV$( zKIt7fMpkw;=M17k$=`D6p2P?J+oscg#ppI7IAnQ zE;7~lB8HsoCOJ&*t%^mDLBE8q{n&Ss@nXDPu{N7UA?Ad;^)HO|@GPsx0`JzcXk>&J zTtVu0tBBa~Jn6v(H)y>+pI!OvbIB@O#b*JMD3rfZ zfDiHb4+(mUW(LGHXHO8(sSo&o>iKwZ0vsQy+h9k@4YWF0+rm`&sq30qX`ep6%t?M( z=LEjyQ)ke<`#c2s4^soQ$~z0A1ICk{VH~cTu7^6>GMmW{QYYRs@;#(S$lmiRQf!+G zMLV)?8He70E6s=7F}MtTGdbEg*dG?tJBZF|e0WCr8uqokc#k}xoZ|igQB0;o7og5a zSbK)DR#BE*1*|2Vp_^Y2nvqwWYqd5V1kXFPt@@cpHkALaChe~W#j z!F{~$uZTSE!3t+Yx{eEtL`$_H0J1cwpks^eHNng1Xh~iQZWZLLf<>p=YAWEb9OxQ2$adYwi0n{~ zXpS1Faq!|XeD~8LblDAe)c)}!Jd)|=F1N{aPfk_-)}O1{EVAEa9-X>3e$th_`z@bv z&9t1?{qW@l*cc{O#$e$N0>=?es`o+=2H{Ik495tg*_k7%s04wn3>b6IU*GTpHNO;+ z_V|HObnyWqp-+Fw0if9qK?rJ)PB`KFGmr}8zk#Yd_><+AWzQlr%+p=#=Beo;!#pcp zYe8)asZGH(N+shA?p5&FF$xAx@xJ5|Ys;c?lVi+{PfUDr2|qCh?)oG4>dRh?Utc@;??paU|wDzB7*lw#{n3h0=0m%%fPtvXF@=XmaCdB z{3_mMhkPe@1)~tSs}h&s(>W=J_PaWI+~_Glc`E`7VF=d{5UQl3%eVRw{KA)i_(=Wo2&GR6C}}?8 zz6A>X#kJmeXR-cdi|`9_a~Jw8Zt@7_vs(f6k5Mke4o-g(&W@f#s0Ac(W;;70ynEzF-E&8# zc7gz&u(Q)O9B536;&vs+K^1~;8sHfwmSF9MYyQxUnmNeCH|XMy>iNdTT|A{$&O843 zgwP6xB7tH?^FaUBpFV9kh80u@h^mh6A9f{8=jWXQ_p!5R&cDLJ8@}r(7mkkvgP2g$ z?V2LHeH?A$wVmM|d|{++D0SfWz8&=0iLQYFGp7O+fDfMM8uWp8l~a4loc(=H=&ZSV zTNSzS)R__|((%=4@DeiaKnIMb;x@&%8PewE9&1@tp&cREyJfC)bo(>-GPWHu~HtQ&<~H$XMIu#}em)bT-KA z-06LcZMc|s=j>-3-~%Wxo)n2<5@j0tJFbAkcTtWZcz%Oji?$^!WF^&JjK7YJjg7CR<%k#`5ktak1@q<^bK@b*A*m2hg^Y3^c18ocakAsf z={+-?z|MLGA1Z8664`L*{Wcp7U#7oz^>Q2t4Iqrc@_dUm?sN@=3P7=le>l>YnI40Eb4+m&?Ibd?qb|^&ugC?57)EKh2>>((v>qEf z`GBLS<6H0bsUHD9_E{A%X?H8oqJ_RTu!{)|a`cKB6(741|M*%xvQZ-=uVgR5fP<<* zm(y(<2#OXd=F~=9LyU!2mLElLisRW(-`WEI*S`3B2l|EH=~MxmDV4=MBBU|5FEwxH zXa1&Ujm>{3n2L;O+N8xVjyXH%BcT;wu~>I1=9M*sZ5lPfLKj(dO7>%iC(4UQ(A4-d z5MZ^1yxZVIE3UNlO=i+2%nv&GD;_Lv28_W5rnWg@94Jd3kE>3#}+fo@1Hu%*c|o&PWSy zTX9#?Rl!3wwGew{l;K73prK@Wz3ufR^Cn0~5io$k06^=tg*&V#T7i^#$;Un5>KD_= z5{jD^0^*J~Jjpjjb|z*`ei4N8pzp(%RZsCxwz~0f(Dl&a@NJ3UgbhIKZf-BqbuuT^ z6Y=*4mX(OcY&rK4$;xr6kKV`b`ro7arIYfG)cnjmprK&w=}hD+^$t6=2>^Lh;A_01 zk&q@4_{ukd{(6AVX@zKTn5H;?*u8~36SJb}OF=;VeZ72qTuSD}T7VtE1>bxn~kYg;|%Tc=T zxf)~HDV-Z(a65Lgg*MeQBG;FzxO_M4{?SUZKlH&>{PY>{lEv29&OV7SP$$9tz=ax8 z@rS_iFX{&h&`~hgztf|$6AgKs?XrPk-gy3tPhrQPKssOxiDO@q?S8J>9eUDhg0eij z6g>b6Olvjb3?wn4)~p^JixB5l%OKvk@m!$U(m%O5YyVx_m4aq~s>Z03NbLWEUR2+0 zIseyI9`O-JM!%Mt*raBS$5JrKOVIQm0!+xh1IdV8GUvbXen>zv9B!lxnYvxcS z?`J8pH+O4T2Q5K-AL6KDVZk;7{*Sl4vKWgO*Fa1sJ-qCE%F%xPqlg_Af_ky~@gT#Y zk1X+CASfkd7j5&v&?wZ+4bRUt5zHF<%;K2+u7WNQzG4}jxv@vmA#{_$SH>Brm^)vf zENLj|LvUgu2A=dNb>TjzC}9Jk^TojGQ&l8n-Z87e66yse&B);q;|S=2$o%#!_*q9x z7WpEYN6tc14uFF{7I3y^B8Dz%;op(=1W1|QW2`H{+PqQwV!lLB2(Z)UJgvsvBew~& ziP+3D9XkfCx@TtqLOCp6=*^fdj}Nu)DSwC^rgFf8%{Sg^105$_zR9rVXg?EiTvf2S zIaxmN1Wc)6gy4yXc?0TZ+3?UH5dMbTMJzOTB@$2WRO^e1;%ll5;YC!`un{6(q_TRX z-v+mp4o<*+`01Q1$Yf8Sb!gpZVXlKWK_eY@JCo^XYM$d!Z~(UeE#g~h?j4c!wB{*U zcUZHhXuX6+*RFnWd!>ml^(zy?yagbXb=cF;isVT3HY#dzPq0#6-*aCN`Ri!_z}7Ttsx!o z{|xGqI8NcVV5cx(b{E_UK|@4gPKLlE2b8XP{4Q|#zc`8$Wy(j8E+vWK-{VmGA|uvH z*~bZ5yXwm@9|^FZd*yPOQvLV`dWXneRTxez5N<={+y;{NgwoV@UFRI$caRPdr9H*o zyW0Q->PIy?Q`=^+xQi3rqvJ*~Fp1;^#mGW)pR{^alo>YhH<^?V@5Hzlg~UK)s`M4E ztdOq54-1m#cUw3peXkGN1_>EdC(w%8Lh)%$M=Y|ZaCb>)Gd|x!nWPE`~?KszEap^tv6qWGuwjI~h&aTBbc{fuBvG$9TdA_Cs zfVa@(-}bFc^dOk*=s!UTJmgeTp*MA6XJylF)fflj=eH~@>-x;yEX9%vcT@~=sz9Ip zKE5Ju(G+`+O2VH@F5Z=(g?@=jj!XD(29$~3Ey_2ZU{;`zubO_$M>Gxx@|b` z2EZ>eNEW$PfmS4fHv(ujUtE}w-YsX83K-uq%wrpAEI^`%XxT5fY~E}F@6UZGOH7Ky zWUUSF%DO8~Ko+kJb9&Ro3g$-O6&T+#ATXkQC~3QU=^yZ>c4zM76gsy`cFx8L!Lnq~ zrMb1{uHJr0NP;7#cha5Jn;ZDOBdg?oT_5Pe4r}$~W!vAKJt=gP6atfbj@l|I(@E{N zT5cl6MZk}&!zTP*%Gv9?&6EwBK29G z3%C%X%LY+aj4R}Fw3$qT7q?(i&6QJQ83vYMdJer08i1r1RSxHi3|AH3(LF=+-Agje z2VLg(W_p|+oMehTsrEu_gI;b+e4YyTD$9Ow>iOydm_ZhbsGWw#!ebH!F*-aM+FVpH zcxd>K4lX&6b{Ecpdiav%`vzuTe=jrVH^<1CrCN4E2k2-6SSxQe+f4s*kHI$gb1k<{ zBS;j`{^S`Q4A-F3zNktwQn_jYgUx4en>L?dF|;{Uos^kt5B!~;k%$Z2GS``_%89Js z8QLVy=A4)kva;ybGGd!S#fkb^bTcs0Jh-<7Ahc)+-fXvB1?1!YAN4w*2oK_L1}1+q&E__TE>gV7hC!+6F- z$6wE!JaGn`$2?Js>EaIU^N<*%>GOH5Ir$OqRjxIlN#_d8h61%NdYU=oua9gs+?g_N zRXocCV88Q;lAppGj8c@7XTkH;{34( z1Wgplcnp-ywkWUIyDaJ84uzLLWUflL=!;;?^1_g0kGuf z)5rJnb~*jcb}<;zOvs>*e6!;lD#to`gn-Db;w{`&;M8QAA_Xa@pGwRlS!3!1P<|hk z^+zJ8H50{t+EPL|4GiVd-!FkY5bq&d#***#3bo=U=L6^7vHQptAfa~a)w3Wlz+ji6 zR<p`qJwiDMa|C=OdWfV(eZKhBP4JaP7|Qn{E+;bK;1g8PfH$B2oEKAN(KFsPkod`&9|Yzd0DY$~@+j@#7u< zy;N3$ZT841_?)naXdSxBnZVePCveIIU;%0!^EQO;gaVa$+v&s|JS6qxuEE^>fT~xc z%SKXfa3W4@Y4e*meNVZLN_*24C>#A)NHtXe)gWsC&LEgD zHzru*`}=l=5j9LJWARvnu>yxu_&MOEwF~XioL5ix4CA(Yj1GICc6|X(4 z?=p-?Gs@lW*!hlYdxKdFHz>V8ouXS(w8YjSwl+Pqh*H7d!Pv!jyk8Z}Wb5g!d9&

4Io!W3R(>N2Pubc!3S2f=6z?3Pu1$4ua=463D{I` zSweYC0=QsgmT8X=uD!iWv&6HqO7<+Aa$F9ob`Z#&2xfP^5zN0_4B#AnAI?%YQLz_r zXX@?B6JD4;40ENLvT%!c#388UfACs-eI>-?rl)$3Jf|c1TLSo~I0nZF&btH)fZZT; zJ0q6u6!-jI4zuXlbU*Lw35D`!$#D?miX?wmAze;8!xe1-H3QQTSyIR%b;Og3q>g4X zZw@A=?>BuSZt6+W>r4W5}i`02zn}hYntvakK<;A;z`;s zt#=D}pObrD5*+w$w}IHnVb&$RQzRv{Zq$gHEVRs&t@9D?wD}Iu!+213)RUd=_&AAc zRG_nS+NrDb*ihRiqI2;&ZFr%?lngS6&8F{8}k8M`*%BW_=$An|l)fh~z)c@6>Z z=^&^uvVP<8TMWh1dF{s|bXE+#JpUU$@F#cdzr?x!={JYi?w&{-9X&DjI*=_yB0E=O zszv?6B%7{q0}>_OOejrlJ*~lX+I;982wkTy#>o?nuTp6ui(d+y41r2qGxx?hgGpi7 zH~*6qm;5FjrT6}}EXZ-1c~LL5DB)K=XY$E4EEh-&=V%iwxrB@(ME4O_k+}A`D8>{BcXRqg-Eqrh-OdpMKwDs`tW|8`Dc6lx2(|B~}ViaKb zWobnwfWLvHUrn1$kDZ?}PQ^T9O{q z%+*wR{GFSs{D|%=QLAl@l?2n0$&cJt!%eDr4OWvW%-_JguY-Sljml-t2ZYTwek)@R zUhVL?oFpM4aVhP-#wp54UXQr8PZ`oV+fXaNexY@6!t>~VB@An=?5!Nr>MNVN;r=OqA=iCm z$oe_r=&|qbB?@|#!$#ew5{{Fu7T2Wbtwhce^X>VI6vA2>_wJ*7WpH}SBt5L~Y}F&v zlK)e&*lTdt$y2&Kr>lEnX+iWFH|1{)A|Iho%kLEbjx$m?5H)V_76ksvQbO5zXC7=0 zYQY-<1}V$OJ_}0Rg$%RYg0`2Spgk@HFbDCrgW!)n7$ZZ;it)>Gs?9$d9L&8RdwpS8 z><*O4Mq#xFCq>h!jDa0#%0x^!w;TInXrCG)Gpha9H^H$VC-{UtAM| zO0xPBG2#xM?qAo+xTs8Y-@}Yw_L@4FJ5cyC`Dc{;jE9>h)<2@_5$gnm@Rb) z#2Q2M+z19@c{3yz8Tj7NA{r3mgU3iV#PMJ{`+f3%M^GFlM^g^ef>k;UF3Nxr+oN{3Ke$}= z8?lR7JqRw+1NQUvC-*||#E#WdBz)VjNjYgWMbsN~7;J~Z-UETv!6<<$Prs=i1uY;v zq_l?>$w%p2Jp5i}t8lC6k?`*>9ZD0iF z{Xp)<&r*((3*s8WNa73JWG%XtdG%5gB?P zzlVuYTsuMi&8W_ta0kg=Hkd8R@H2OizXL&M;fK6*iu;lltb{W^}?3Wyb?^z;UTPK zM!dIGU_p^P0&8)1at8zrS$E6O^tXQ>dKfYO{|$N=FO73pt9y6{oSBe4@tb2U1Z_&Ub`Me9u>dMe;{3bW zQ6<+*Qx-1SJ5HMJwi9SpZeIeY#tUpwMh~*iiRP0)P@GVnZyq^2-4>W*3vWA;>mn)t-hq+a;1y_+x1WIBXX(3TH;2Dkw0bg1Y z%IZE5pRx60e&&gs0xSJ5SNv15^ZGYGxjUVLYacEQ?3V?~7aB0W$e*pRxJF1uyg(1) zp%w%P6$otCUQ`7~mq90~pm7)DtE4*68XzEVtdI)HJ=Cc(!_;JfWD(AXU!NDc0MF0m z!slIJ`;coluAh0$()#=9{JCxfobFWa{C%r%20f#MG(Pp1M)SKJZhn(XFdD60me>Lc zf~F69_qRDXp^i8}L}_P&oMAu({OITI*p7>uve#u7&C?5LO zn|~5>{!{V$@4wd$0CgjYLn|K^^9P%!e*QkN8=T&H)%zWz1+?2$J~tj0K-K&bXneR| zPcRnmgKnE0;E(E-Ng3ZFfw>H!o4vpPa91$a8juhsfpZYHbqwILKqb8hX4Xk+;umzR z$~xA`o_|`nFczaU=rR|(e!Tg695nw!X}=KmwGAUjI&jg$Bmp`FJh6Zt0r(XO-$Yed z*^v+k5-j!xnhGuNtJ4Iq|3dr1BgOM}SZLY{1vZn+VFo+Q^qB!PC2!9lzn2#r;3ut!w>MceC@@$<|x zYogf3`qS!Zh1i5~I0ZDN;2#2q4yD5T-QvC`t~2 z>8P#?yGOcXtp(@}l)zLc7c3bO%6Y}fqRrMn)>!BNp*A}AMOqh6@}&QY`8T!|e>_4@ z2@9SV<$g;yxk5aN(JV+{BN~kWyl#PBke)MaAOXSSOyn@mC@9O#m3ci?l7fEpm)Cf+tP@8K4wc(P4e_gC027fTFlLZ5cWKsjLcgO?6j!;gHe{+fc`+Ger z8X!6~6)xYT{_F4l+keTQ{|OqYEXUrtTJ--L7?8&QHvqhn zd`0=2SM$FboB4mHQCD<#&Q?zP+(5kj2Y>BfFQ30~^Zwf}e*OkYo8@$0$m8F9lOK{0 z<-;mKHYxK~Av*oC{|90voe5z9;^F)OCb6@X*xHQ$#20d{|JV4!?3xz012et4Hz}Zn z!_yCKlnO-q0jkqN-SUj*t720jI2638h*=gO80LaI8pyIpMqdHh((r~Y^H5#Zahv_p zQ@sike*~#Ez9RasIIX$ zJy7%$8rT65UKQ|jD*}MT^4m`*{gNiY(*UL}mmho~gj{13g?v??$vnV7Rn`cI&QL6T zoaoi}|1=8GB;ah1+4m0geiHl_Zu%@Q!UFvmV$R{S(nxXPqnD=f`hfg*+%=;3$7?H^ z3qZxla)t{Q0mYdOT$1Jy5Ie*yVcLcA6R6Eg8nQaTlKC+Lih?*a4nbza064k>tG3R~ zKMKhq!oRISC2!T{MGs(sgWR?=H8rWlz<)53!o!dkgA&04)*nJ-V1n)iHbwqB+aQev zf&2moQWO~R(Q_JS6FPEPj&OC{Spyrk1Yi#t29U5(I(QQpn>vDoMn#0;^!&L$Af@;= z&4Eobc{1@faF2T+1YteTA7HUY=LZ2uqUPI%CA14*mhpNa)84rTV&Diz`ky1wl8L%< zGAikU&WB;8KT540VsvEg#hGTmfuGTiK)cN+0Rf9fH9yPNx9q?ON|C7urKS*#SzriZ z=Xo^}4TwZ6`#zs(h=|5Sk5n3g2BcO>OVeVF73pk*sN~+Cjy@XyV~oYDJAbZZ{;Q`) z@`6FVwx*`0AbxI0!trDDKdvK9CJKm1WD%HmjuSoTA#596rke(eaBA=4m<~d<=OC}= z^Wq;vQ-n!v9H z{*H8_q_;hw%U%T+Xo?ClQU!Q$kz~iMR6MU#R)w%oWlQd!-=ob3TLoP!4oI6MiwPZe zz)YPj%Yuj{5Ov0br$t+m;34>;(526-dx#hsq2&*>FTutWRp22O z+%nC2pBE)3vjOF37qrzMialT+OOvP>a;Do)3#b3d8jSlp7&^q^qke$?ywpv4{evMA zIG<}&dlwvs+2&cX|2N^ON74^&hpn!i09?e0Akpq8bXKbD#hdx2+EY0M2=u3Qe)>zm zCrd)C7{ET0(jSVUWr7aM!h(SX+>t5=L+}T?nwpxiRhOXnQ3gpCn(I6~9m=ZznH{(o z+LZt(l4V(FBo1R_ZpRLh28%JPAb5SktKtkSK4K8%?pvVX!@_In@S`QY9842($^{R* zq9S64`w;Y{0WN4p;U+ZPF9+^(wK{gJ3}#6MqJ%(#qd`a_{a_Z70eDS60bbf9V5-+X zqj2gw4hlrHh!-=>%EC7xB&m#5ped9Y)QJ||?-R0L?3kX(5ch7H0{}#!;@=25<3GuP z_}zaZ2cmH_Z*z-5MSw!C`cx19PxqSS1p$`WQ>{s=m`OI$`~{N0d8~iaeeDHsv^A#j30X*S3~GtMr1B#yBngYO_k0kcSU|i+ z5_rKnN$jjdf!NOs0wANMLVlv4tsZH1B_a*tv-;Mt^*Eytm~29e8&1J1bO+YdZ?4}nufOoVmD zX;&Wf3TuP;f=s;$Z>THwpFa7&R2u^Bp!(%|UdKX6eOk`{f#~~($=?ZEQfKx7pK&$0 zXvEVeD#xKQjkrv)QEc1i3daC_=2wu0`Qpr$`)gTmfHY@ij) zTV;dkb)8;;fD*-(fPQSZ-v@-G@`$){B}9I6Nd=jGBoa`e?bxgaa9bTAbOYgVI9NA5 z>FuRlA}`Hq1@CK#!2#5RWMhTEu4X2L%$tn$3<|39Z)g$=lJ~Gl7Y)}}&j2Q&D#G9^ z$W*U^_s)5PgLe&B@o;z@rScM(wPO*{0h7AMwzYT1#5fzW|F1jtuly2G-G!T;QwY4B z$gf#`Y01cM3#uCZ7+ZL0J?`^Zm3kQHVq?K(&w%Be&vxcHqA_?&Y`xZRy#wgb1Zm5W zgkJ&Egw!+D+J!SJ#lh?d)LX0Ien|wx)~D6>YW!olBFO>;N8ksBG8_P$>DQF!TG8Bs zDG&3b0Ygv~7&Q`)v?eq-GV+0cX{#waxfS@}h+md$@-_h=An>}`ImaN>j!aVdTDomV zW*I9f#$Z`#RB!*-BMpu{)4e%mMaW=mek<+X0;nO@c&)5XYMvFuxpx-w_C-Ip)FH|a z3ouA2r=eA&LWDN20c8kr2~)IJCMI4Knj8O8Z%-UR11f-}PqZSqsgYjz$9x5uy5?jaDrvym z+PnZ-SICLYM4a@Z-^UIT)sSY!xc@v1fXprU2nO zbJ>&dIwLQRCF;|IKU^Ud-MB)VHfewhBCzix-Cp_5+`GHpOHol#^^(e!{ygLO5^qJt zD+$&8QP@lpq6KV4OE!tZjdGX{Z-l!}T#k5gzPkdVi`tDmVVA9B#Y=L}hoZyhp7Q*j z?N!(5=_tYYYXOpTzGKoi=T{iFKJWLofKrj((lG@({>+9RGR*Vle$pR5)7p10u-zln~fWnI_k}7SLgib^}}x zIuP`E7({}v0w?N8)i39?RZ7{c{pnUuSG`6@i^o^s{rZ_WhXB71m1rM4D_*pHzYhU@ zTftqa)pxMnEZYRkhg^q&2=3(OB>wPr=+O^=MpZ`sT95A3 z=P<&~?;{aJ(9tMdDaSlUFSyV3K?xsS!7hdwlb|T;n4rj?rZx0fk`d{FOfLEl)Iv=3 zumS}QrCeIsPa6{LlR{rdQrI>Ys)2Xn$Y;!HZ}<48tEHvoX$$OZ-bFW>q>I|cbnxL1 zgYrS(d9m}^52Sv%f{&ER5h2w_yHbEj#b}Gz9gi~8^r)r@e!m7@W`22U?;6vGJpq8$9FMNw2Wd|@GX?z@0aM7b(PZ-gV3`KcbJ%Hfc`w(n#+b)S;y`#b zD@8Xb=pA(UpX>x&Fc+7^;>*v{Uvv2)EG=b)5p&I3Ma7>$h0E65KEm_+ykFwe<}L~c zA^692`TH9iCMvZWq|s-?1K;=w#n8R{GmjOGe8px-i)r zk3ZD9t&1~gU#%ayZcRsCBwgTpB~!1QG53rEaQH$AfaUz0`%Y3t|8fe4f4W0*H*^hD zoFiLNE3+8J0FxZj4pE;F0kp}LUtOG-U+#Cg0=j)fiB57ORwzK9zpTJ@!1Ok>YRXTQ zTzZ@cz@9CI@kIHPWV`Fhg`cWO70bry_RvLVX&@yvAm4F5K|JBF1f#5 zC)szJXXU+o2%3Yh>96E701ao21DX3(z{lwhfS61k6>$*F)oPJE(Y;7;83OETSP2zs zCPD4nx2|-WgN0j40A@xkgoFsg+llH|$48g@Mt#>edmBJ4%u1EVd74td{~Ce3k( zsjRRrs--z4DJ?6x_x772!%_;&mW-!KtS1PPB`{sHD@Yd5H-%~u=&U-mtUF{>|iE_Fw zxa_!?XSRYLPC%?T8+-6fbA1Fn{q+{Ge$m0JWeV82Tu3q8GJ*EY&$ClZO5Mx>rkO18 zlXm&O`*33%OdK*3w*_ZvYPk3XFfs$a81$>bXE$ zXrm9*`{n$LI$Vp99@zHGrf#}T-n+}}mZy^F=yxB{pal8dzmN1^|AHPJawre&jqRj3 zz1JJEqrWC`m1D8yqu=$cn>pcm(d;efR7Gz5kW1Xb5KB4sR-Hr-f64ogA=<(i%SUBn z1ed8hdNzYnWLpKyI!jL&l|4ZepWIsq8>u#W-=ZiTMTYv1RVd0`Zy;u>dG8En6LYn6 zY!lxm2rxr!1}$-HepYF=x>#08GzpX-DX+D?Kn)4G@o%emF}3Bbo=G2Tv66hSZ9gia zKMZShfq@=K%6+SPHEr(N2Wd=lu8rRKTra?Bs}?0LtF=X(&@R*-=W4}A{XKO>(9guC zlI5sOaQgfBAl^WAtMxLOSvbmOucxVDfejOUklv<{TAdk9V~rqsPSg{9M@V<9DS09~ zeoy`kExVd75ZFXL-_M^ZP$jAK*UurpjMb2Z1$T3Nkwxr~$;olpYvkPoXqWqBiJSX*Nr zdU#V*U1Hy|{zvqC*hJ!64ExR#9#`D>9yn8<)%@9K4(JSw%RKbm-StFHy%`+k8O$Nh zki#G$s2J>_yK%gtL5NW9EI~VRS<_b04|WK*lYOZ{Iej3*u-;>f=%mvvqGAK;nhjW7 zm8+RvI|O!h^g-L;O~tz0^*h0O%zlf>+FVdQ{FD+yP!y|04?Zn0f2xb$u|u&*Jtv=D zd7dEbkdJ3Vc^0(~PFKC!@KLXW+hZ^=Dyi|!#VbiIQlNy3wi_;-9aN`w^+&OIY*hB2 z9i6VVSoy399l&$b0HU4(`iN@|O^3tC#=2zB(Zo6C7%0 z=y}nb+Eu5p-6!7s)x`)r#ZxaJerJjd>CeOTjL=StZ^e|-n=eGlKYn&Aj>n&{i!4A{ zQawutIFh`Nd+s_+5*>rgaK4f*sryMyx}wrLg>)oHHWQBvx|#FV)*}g%DQ@_o5c5bu z<@>MfQUyrPPwc-wv?PWF96DrCTy49RS*VTF$27D%oP!fDy!i#`D?2!JX=+BNlm5fm z(fNk#*t2|xjka@Jr>{mFwHo<+Y1vBrd;4U4Kr|Ub@u}$7O!QV-hO<3P}9;6VE4g6k&&N zifGQzZQ>yBN|+%(dQ$s9^Yx-uf$gFqB3z!}s@r|-@_@99C-(4Dv~DOp_RAI0k|7kV z>Pli4T{N4mwqBjB@KV<1mIM6oaGxuP_~=o~!6m$$q9x8mtiA|>6kEB9XFkY3_}I<6 z!!wM-?OWkvh~vjhm~H)hT}^>DIXA?DosiYp_q00mnLY{!3;ah4$^I#!XQacX_D7dR z)#gPLMb=SvKZdbl?-SmYYeMDSp%Uoj3M$77CV1b0Q&jI;)*_u4glT#pL?Cur`DwIi zG+MILfq|BG1^;cKn)eW=gyNQb2lJD<68GeC4@KZ(N!0W2uhyC5Q((B<^CWUO!RfV( zzZfM^UgUKvVzGp9X5{>zl%I7f!)-KJotXl^_@-8 z{ZQZeyKM91wO?JJ<*?gL%GQ0Sygd!hg!c_iQ|@JAr+6iK%a+i*4a(x(m7^h7?u<4k z9PO#`5}}pamvbajHQxAbl#AB2uibxNoXyfwm1nu11-Y$SI6k}STeK%@#6DBl{CeT7_gFP%MhZhzmCr%MVyDn4 z@7j=_1-|Pi%5;(#8g2$opnjpDFB?`{ou!7=AFd-waBPe?OhF{ad7h`Ky3w5e6a_h~ z$|pGG`flsnQH%5FV_Y{e!uI{cI@|taQ3h_fV}xzB7YpHo{g+Iqxcv8FJ%^Wb#Ro3s z2_7d+lN|r^i383e>{lou(lQyQA!JSOaIOVOepdiIgIjl06Nt;MSbFb_?sx4s9Cdts z$55N*b>0WP`-(KSQayD>;@nk2xq$rGg%=)g2tuZd_@N^tzZEd<+JUlzJDNafL;jVG zb?sVHp&#|*(gdTGII&V<3o!7X<%O%IL!zjk+?uvT{AyVYz4^p9M70^ zY=orsaiI&|9%PEM#G*vLYPI@j=xzUz-^u;r zdQa=3Y7rH9FI^l!(bIREVLJ00^Vb<0W9{24dPm$**`mYMtG?7LjjdoQf(ZGVLb{8l zbS?G-c2Zy-Bm2O55H4Tg8imtV0(K}qiR(f=UhOzZ`?clXqa{Gbp7QA4<#09i7>>wp zLyn%)C|?{L?mumLWzzr}6T#W?&plqC{k3#Tm5~3O+uy{hL*xWCc1FQF z(^L0A`|ZZDyitzjI%85QJ$u`18~2QVuuc1DVINhcqmyLF4h%Al653xYogrUM;sPo}Af0k-Er&LG!x&;Uny z_3bpZHbr8^gWOCon33|(`_pm=jn4MY>yi zbGI>tK|GtXSS5NsUvM;-?QT|{k@C7#3-B$mE8EvdY}c>WukO;Q)g$R>+iq-} zyfVa!$(;C;95u*K13y=&sAi!3NKhFTiI;Br>AmhNmqS7 z9m>@`!_k+>7fl~1z)A+vGXTd^0U9fXwQ?H~lkfoC_c+td0!(3!@G zsriVnN3@)|Sm)e~m|!ePWsV8MOMZ~Ex$`o1*FyF_3_2#V!eXKArxQXp_A|f2bEmq> za87x=@z+VH8FrKCMbWey`RBe97zQ4HzH^ko(jUXMG7Kz1_j6xV6=oW2rq!0D(z;9N zt(}C>&(}xD&TJTt9)0^b;ol5vi)xP|hM&HpU+~nVc6zf#<^>Y5khTYHaQIgF_0EK& z_`dkwq`?5{xbfzZzjvDU#9N43YVgIfOtCXTO@cnO&*HFaJAB!P@YPMijAh=bosI)d z`Q@9pdE#x-5Y+c`UUYt@ExW@n#`|D=C9!VRZ`V;d56Z)DDme}=qYv(73=lpP6I z%0-?9ZcAT1K4?ol6NTkoUs({VUTM0V+V+;ezrZN0-t*qFqQ>f7$#6BwZ`;t5?Odc1 zeCW>5+cnogKDxFva4Dq5KVy|cQ~tYUJps&%G}WKju}Qlxr1%&M)}u+qYWKq)4B8OO z#kz-YUegeUtyQ397VnEbAWp-?zg5Xp)O) z{njSS6vM1yru6OLvYQ zn|XwB?gPC71Du`!mGsP@!5m+&Ti*@)@I|?Bqf1=$W9s}5cB{{rnj`}h#h|P5%NxV` z3)gB-2Y-voCNYm$7D>3Q?6SXyJDr8nnh(anJBTeLBq$xQp_vn&+TieleeRTI)Zg`Q1Rsv_mWj9!axM}1a)jeF4F zAo6~~1uPz~49TL8&c#+Pb>9U=Lzzsy@5l8&@|1qNE4w+7Y+BM|6UaUHs5`OLvm;_- z)E<6ytw%dUd-!q+~Dx!icgR0n#7yU z6I!uvqM$_)_Xc9xoS%LV=1YaY_#Shn6%)_`G^?^77DWYTz`xc5x#jS#_vka z?`RZn?oSZL)tD2sp4^fNeE%H%;_Qz$m0_yjK!jJV^E2uI<756G9k=iIRBydGW?1AW zQKjJ8bOrq$&ci?8+n(S2$&m}apZ#oZNZ)g3l1&DHVrE6O7Vl^(1&PGZQodgxAp4;bE!E$mIl9x?0&m4_nDq%9H z?eopRagbh05Z3@;v!&wci_uIaK>PDt!ph1998%cJ*BzoqBj&7RQ&HRwls?Nq6%D^v zZMgh>|0p$r}*9}%)ujzi!r zKJkdO(tv$+bO?uOrv)U|ammxJkIa%+N0FP+JYhP5{t(3h)0xU2M5Ho#GL%#eF{hWe zQ1ey2Gxe!m)jCSw^Xm87u`%Z9$?IV@A}{`sp!8bgs|OobA}?k9%8kGj^)8Pgy#An%2yN}Y+tUWl4~nD0^KurjO7`|0HLcltH~|>>F1NL zW)QrC{;L7z6f_GE>Y1=Tzw@}XOS-OnHGOw4szbuZRS&Odw5d?ygtCJ$=^pKf9$mo!9I6d^{fa$9=TZTBqLrQtL2nWU)y+Bz(nWg8TikIo z53R=D#on_!CtKSRk$>_%%4z20E;4GYR2u*4UrgMl{H**<>6u}YLveM|PDBa&(x;n0 zcN}&tD){2ZiXOvF_tNLiKC4tDODfSjJ-j{9oG(jx^~dOQxP8~B9xP5tHV}|y@#glO zW@v*`2seuG0ZX=Eceo8%)rbl=j*}n$?oufqY1_@`FK)|ld4W(-yehDcyWS^DN-TXk zF?@G_jO^vTJltRM&x+;o6e0qdE*a3fU^~`>cVEXpBdk^b4&VZt#vA7SHoy0X&W`hI z+MKt2um79uS2YtKoVKyq$nBDT;#4hxUHGk#^Hz|jx{WKOn8M6L_9k_MJ5P3KkfH~R zw8uAyM1_P?KD>JSB|K?0rzn+@^v+!@Q=L1cVvAlRR&lBEy3fK?QNxD%BHN{LhTH@+ z*(aj~hKYeqXJErH!Jp+OQ$&@;Y2c?{P=z^|_I+o{#EO=&Po3k{#0 zjI|79g>v=T-eY#<4?1WEJ1OfLpdp~3urU();|4+&hA7pI=#?nFA$E>Rh(Jq5z|iR; z2oOf+Mpuj5BaJ*}m>oE-GZzY_9HW|>P?ijD%qa;tr=z%>0sG5}K=ndgqKy7vFY7C# z{F5iCL)<^tJ$sfb$oa=kf|<@*J5a=^Otx=rC2?nn4okC?E?>N3S7>e>@N*du2vfCX zOmor5fQV(m)xulfMH0h`2qGmeCVP_emiG%AcOr6uJ)an3C*U0UcXwlZ|AKqyIx}GPrE0iqs$)w(4 zh5baAhT|W4oul%PV8=4sbdlc>M=F#4z9z$({C_Z<$R(whIu(Ly@ICR}( zp4W_BzA?i6K<%#v*I?SfQm%$8l-RCw;%u`byOUSjh!o$Z!nAMLiO15VPo(zRTbSL{T1@45s= zoNBggW_5++0pTt`^T)4KDen8-ku!a~RlK1QEL+fbTlF(wq$|IlQ(7gyXZ<9v=Fry0iINk}{}$hLgQ;4gC~j(d6xfwqQNbt(8A zO7PYb?CzpS-gqby^%?SE_RrhbPC{Cx^+s2Mno{Tm@JA$*=g^Z*zybz)SrqQE^ll-g zt1{y?r%4=(@FSs`TTsCcKIar$?zm!%_2hz9f8^I zL$rW@cNMR(b(&SBhbXoR^5eFYvN7ejMpoyN8lwQ|ijbsDXJoqMPSg7|3CPoLK=A(3 zcl<~k4r#PMlaO_E)b`{%VcywSvEmzFtkZ$@u11lCU+d)C<46={4mF5%c*pVH6=Oq# zcR3+Jn47Z#@O=8iL^(3-vwh0;MQ?qH<1zArT8c+zKQXp=>s8tSQatW5=CFth+WJ$? z!`Ju7AvW(-;{7yMwDI~NkuyFz_ggntLZ7Y~1F# z8;*A1qL;vCoQ$Jkeu2771}$>ykN^Oo_>tNVo|@w%Ne)Ljc_BS6JR_(?&d$IYJ?-K@ zlRjF5NBKpx9GtvVTtkZ>KQ%c$7kQ1DvUF(W&TZ5cA*q*yYZiO9yB&+Uqta97togD% zEJ{ZE$I1|YTVlVvDN^HIO1~uEJ-UiK$Lo*lh4qB;mm{Cs>9C~8u|$M2eT?!CkKJ$N zw*sN|_bA>g8hUTw^|q2RYpv@n0%!XqPBKHlT^-!?6+RP2h>iRKnKOvtD4famC7Q)W4D=L2e0Rdq=V z@5*GGi0*cKrHslvqJ0*aw4FaOBezOUgjW1ly^bu~|J1s~E&1_TVr>=|{EIn@MP>`EF6>VyX5(A4jY;s@msEQC6efZNLB*7!(|!l| z{y1H3PpI<;K6w6&_pQ(=KHmkxRhR5j!&S9Hqa8{AX1A=AW&qw2SVeMd4!6BoyYI#) z?sO0BBgjaHu8kW1#$-osa(!QVswGxEdtcpsDXrmnXn}}#+8b4JZxGZ|9cvIQJLnm{ zfq(+X>n>s~9h{lUiH~Mfebp{Kf4?2f+ei*)~ zAe!U2Hs^nIm(s`BI=W7nW=pe6&olCr)FUna7MKhF-k1yG>$`9}r* zqA3MyAVKURp#}+8v$Jr*Le8g0=ygz226(jj0QdTORDggPGjEj6yt>L0Y|i3F8En^< z?UI_wK9UDgZ;sx<#13(a$L8@|5Ec@<@xKHTIwj@s+cwU6366xmABGseeD zJul&_!OAEqqqs9%HwzQHvNs4UA80HU0`XL95FN;q^RGwUE0pLT!#hKo(hkaj!lo$q-(3_oF;a{B?mb)dUfN4$FOKpumP~5FSqG3<@kT@!J+*UHAAJRwaBhuMP z2VhG6>#8P2qdayLltR9R@>=`*YndPj8KHQ4>75c|Z@;m@88C~ai8s~c4Id-(dzB&e z6Xc+d@eH~A4ok;35;fb3+_RND)KFI^Lo|NRFBK60O7qyS6D4l5fF_XEJhmqugGIH^ zV4Sd;;W9K3Ol>^mtxV&w#ZjGdkhya`K0@EI3-b{USKaBC7S_d%qB2BhbW8QlcS%t)nNcebva%)OcRnH`Eb1Z0d1CS046WyI`+$l&M=2-=f8M%HCF@a!fZw-a>F)S(tgjj7{DS?hNX9VrU0%l{{}0 zP~NfAe>dIU+&bIOU4~0EF3H{8u0w8>;|lHfTK^C26MR9P-tZNP1;%+z+s|p%eV@!1 z@t5ZW`zK3zJzU-DU(X64wgnx<3%!fDe&zLbZH+}V&Rqa1`7&<$8b|IX#29@2iz3kv z0a$72UN0Eunw(k4e#-)&Ll#2G%CC z5JE8ksG~9*yf$f8$@nL<6!(HV9$vA!FUfbj%z_k;7m>*4$aqmx@JT})jYDoQ(GY@O zC_9GP8G(IMS}kDWpxu(%Of#>~ZbmK4GAW$!Kdt%J!Mg z*o?*KZ@R63<0Rm~x4=D*p6T*)Yyc!^VjojU>!Y2eanzkYrA>=z4BufjN8RqdUX17F z*r3pIV(!v$>hV;H_~~}7cDI+U$^4$ z$`vN`FmMIncp|{Nq~Q2hng6dlL>)N_H|50cDjtG3@zAAB>m(iB^)Zt4dsH_cQtF%X za3B*xg79v>_T$5gue*JC+mj$dN<+4Y=5b&-I^wA>OSx=hL5zBQTJm#S&iw+J^Fl8# z(%ZDxnt9K@FcRjCKv0I0>u?xtoOB^B4vs&M2RX%Ei?WBj*%DnUW}YF1T+--7K`Rwb zAZ{S;x@*bOlfm(o8Q4a;ySrY3P5it%H&eFHcD;(%9AFGGo9NF44_p%G;V~8Z7S=f| zZclczNQ5jW%GxRh7W3_6V|v*sotZK}5$Y!TS$%oxzXzn;dJ3B6sw*gfJqw~+Ro-sHP6mjy9$-=ATrg(7+?iEsBO^#GX>`xhG z%in}Sf>vLC%8+-87*VJrJEz@rMd!=aCN5;9KKp4TZ)j$PQp-zUE!SnXa?E*$#+ zjD8Sk?>>}V1t;xhRVx;u<>~dY+Hpc16S(2pftarB3AjU3Q>v4X#!*-?_7$BsUsbO> z{!vQ0bG^wf51U*#Kqs_fb4N-eRo-o@+$2;$iK@M`OekN-{D2=-Yc7Y(Jzg zyp4Z^lyD~y0#0-IzZXimOn1qKYT84lJHe|hdr4)fP#P{Kjn&0Oitak`fe=4fWS=)} zjx0iqSyRtt2qo&<<$b-g2WAmo?QxGtngOGMs0x5nb@9brh;vCKJ^!SBy-tFXX*#X*>e^wobKO?kB<>l0?=cGwgx4#~bKlxAm1g(zjky0;{^ft6@7IN} zzFlwFCmq)?76k%6A#!n~B47P-LNe3#y3La(9)3^tvCH-n0cBc-!Wr=?eIdTFl zx+gdDt2x87*+%lo^6z@^cO1ka)L9%ogqbqZj6rhvn zBLMk$T6B+ujFc3NCnd?^XW_86YoBmKkb;5F7*q}Q02K(7PyA0a``Cda>`Om9vI^YU z6dykRwZQN4az>XYyrPKCqlXjhz$+T3mz{p9i46Aa^>ze3rcA0cQLl@O#f!!9G;tp{ z!<7-u8%nb=4>HhMr05GrxcW$*yn4#F2AEwh`tx=D3gonG5NhZ7lBZwqj}GHWR(5E0 zy3i3Y(mB+bJ$iH4zm&8LF;g}j0RF|}bZfnG;Y^u|WY7*k~ zSi%WSX#FjnN~ocloR&- zN*k7H+?Mw+$BWOo%BnmS4>e5e2k$?&XCbirwBbVNfx<`I^e4q1V1~P zqb|;t%m&ILbu<0&rve{KrXq1>I;5;({#Y=b!mQWnxVs!2T#}VPnbVtxqAu>=@*#iOO~<5iIMm)UhbviW zwiR%+n>FQrJVXC|ABfl*hPTFIPJxA?y;g@gveYX1=+sy9)y>US@v<*=@N3ZC%)V*q zpglmB3BIC51?LpU*9aI~eT2%&>HwEe&B)7rs3=Tv6}Bcv+k(WQ|`J`eZ0EjV

uZuioWG;USr|1%PrnjHd0vOf68lJXkum4h_3GTekIhX0GG9 zx1$DCl(9ay&Q{spUm-ZMcxNPmSyqN-gU30+Hwf_FDMsFipY~Nvx5;pND+X@OOOO2E zWg*5uQ^$NIBA#elrgI2KzxfEuLJq5!m__PsziwT*}Er^{R*Oicp{f) z`|SG|Ez8Z9R~5 zvxwI?^t&_wmG8~NbHGiqOISDTqLH9xVnQPlm3mGlhW(Q{zjRqm;^z+FYu-&Z)_NX( zsw+$sA&?AUc#&9@w^5Yl8a&0?8YAIJx3q8eolAe80|{`YR*a$`d4-5k{If{Jn4qDI zG0c3}k<-vTKMFLnWo&dPlT|Ht0rX^NclS62(K-iPvht5qZWZq0T3hj(WqxMxB(nbV zGsQJia_*#Rg}WVgI6GO1InkOcnIW|x_k=2+b!-S^s!zXkhpc6UupV6Hxj3C=V^#(} z1`To-pIX62IK8>Rh_NeNW>&m9D{y(8P`6gU@!31|dE?O=k#y)fW|?K}@@<@Ta3J~) z1b05Z@E_Gw60Xui)2s+~8-LSCUGSsqZall@7LC8AgVe523JcuuIdj>G)`H9!_bNWQ6w*<#bls)A$Rpo{&cuUr7#kfTS(c9;l8AcOV2)+=3na~$n^I{ z23}r7ElEsxv@m$g_JV8vIIFuVbS(>faPHuUW5Q5n%J+UNGKop%Rs>S4R1^K&MT>7W?sd9SOe zaIa*mC0q39GGQc{r(!R~ZvGCkVZOlRiwJ8)5+4ze$cjQBKQ9}m0f@;;6e*!s=|s}sL# z1@abpL;PXuw4`0wRZ6x5u4Pot$8|~4GPS<>H}i}X4H`#LR7rgswBdgMHv2&1Ngjz} zM?lXLXi&elBHx$cxfrnuq&?RQerD#>F>tqJ0X*_^I6cAR_(}7pvS^{Fh;i0iR=)D| zUgm9k=Rl)>^Pv#6Z0nYl7$6E0s}LieX;vNpI7Y}_J2I%^;Jj%sGrB-6tEwo#Y0CfD zD#hr*W9xIxYU905OHZVa|MB>HYA^?Ma{PWs2|UDo7)&B5!_R%iFPX4rU~A`P)q7P( zMzrtWM%l{BaqHT4+ZmN9!^gFdN{14_4ng**VVCKw%^0z%q$4BX!VcaAJ;>5$tf&?y zsomCV>0Y8}s?%U>x?K!^9)okw?LnSxv97AOmuegr*Y^Pa*P!1eQ`orUZ;&a?q%yY; z+JN*cjEQ&n&*oJ#x}WY3Ykr8x-)tNK%{M)DVVU3o`n8UhUdQa-zJeduM$K~JRitm_vBz~?2w-foC zO;FUuEX9Ln->!X>X>ly>tROzyv1=HUi>3qxr3dE`wB_ zdO7+{4W?J?p9C%dN|&9cwbM+Ot>cr9j>`KX6N0K^V3Au2xo{B4SdKgjFka&QFE4;v zoFLgJmhF-5w8x452(Sc8GskrUG7#dKZEsZ{SndqK+=7qB(@AB%7r>F%LoevU@#i== z->7Y5IWy6oA`Y~RCcyZvt;4C~kLH1;i!cYTJ$Pzq)MAfk6tUK+`0gT{8IExyI|jwW zZ1#W>kZZ&JaNC-A^}Ph=n-SJK!;*o&X?>=ThCC4OIa`*K(ij(kr6rx=U6q$0;#-S! z4cGH6`YkD8Ur(~4bwuIL$2LF-7oMK}qJy<_Jor4x8C z2bR?6PhWdjqQG`stZR4rCNMU?@<&P`fl1IA{`lFmxRGec+lBZv2zuQ*7$dZfrU6T` zSInxU8mVHXXLuFMt!%#(*vfTZHOz)rRiCtCerl~rwjkzv%iu;b0U|>d zd~}}q3iZNlp7dtJWZe9p_uN?>_;;#MU14s<8-A*dCKr1t>4W?Jro-i7r{!!l9fHp{K;2q;L4EA?CWV z2Iy0(qcy_FiDYh_bj%47PK{0x2fj{GTE%UIYGH|kY~>(pLU#!L>%cqj$RGcLQAdX| z&n^gp!WmRnK_AjJ5C%7ljD8*v}S9*veCWFQ|$})RO8U8R{MB?91hLuR)r$ zG%uyV97uL|%SH|37;u_?+;4JW4t#2c?0H1Zog%R}Hp=$HKN03#A0z3Kkr}Zlq5MR# zL^dM8sLCAj0|OlUyE6Pw)(0Irk?{c9mYx9qfgs)xl6Hv#gZe)a??3qqU2{3H<_zn|$0eu_#t{53f|P3b!1s%!ut{ zy{Z#8l5gbxM_kyuE^*GjkDeFi#$9`ScQj2>>2Pf& zPtL!fGLGNd$ml+jOXG+9M@u?^Yx*bp<@fjuy~)+r0!Zn-w)MMtzJ8aVnC?imykUAT z*rOgsQ(LiTn^928Z$YL-6%a3~ue$5-c?aN3eJ6twC&1mu0lh4ry=y8A?#?@nVF|L5 zT|Gy@a>b@kx>r8pagQe_cV7gYA+E?`;JY&ATk{=bI2yW5pLks>GiN%R$0bJ5yk3@~ z9)88)SWs?rug!BWiL2sp;PiT@X`)=}B|5A7Wcy2QtSy?nCpEg{hX?(15P{bPY2u69 zWI~L$4+U=O_vije-_z|pSi#4T(`%G2lRWkD#tdRq8Xiz#0!k z2r)|?m)o+!hC=6$(nz%g?2LP+IcCu_-{#mcxf8Ke3qn~F$J2YLO# zQwCMZ2WPIcikuNtOp7&!X*w*yS9xa{P@9c*xv@)N)bAF_0t~r=6^XasV*KnS7=`t_ zkLJ`GX3hmphC%>TgIAkcS1S!(9h% zHEdu4kHk;tN+~=j6OKyP3Fkz#XLEL6d=t-fv{2WuU1P`)$*%L=9tTiWX^A>L?XZp% z_9|^H6jgj^e{^2xQ?gu}@A6kmJiNdgET;I%M(<@V&~e052h%dDw*6{Vc`YjEUu9xf zk(#45s#TVWBko{C?gI+k@4WYZI$S^fX8ipvib?4-*ShhSFb|n{t#r$FrHiWgz^f^) z)cZU?zHGU3Xx~X59WA$9tUi4^uQmUl0bS2kcml=0q?{Vu1>m`% zMi)70f8_n2_cWW#lq2Q5!phiwKG@fhs=)4+j-yijT0HqgDEr`U(qxS<+N&^`j|Wqr!pY*7xu^uI0SSlrFUNaN}VS zT36t~i*By32aQ8esgTRG3WSi%+Cg`xGVhr}U*vm3GrfDa#cHz)PxcmzhTNj(n#8?d z4v2n-%iA~v?3aG)+|OD$?tc$949#+kDJ?U(IwAeV4Q#Us7tT`^A-Ca;`FC_ zYBTe`y@Zy?w%5)$BHE+a^XB}^X1gR~+h`L_NaOTX|9)6S3isr-=ZdSJ9N2%tosCz{ znS2r@%`%rQU^P2=S)j|7;IN?D-79j0v7IwJPA4%mOIP(Q`Wd4MpKYCRIODc)%lk=!XF^+tsyv-&~yyn_a(zv z1B-+Ep143E+g62LHbCy0bmo*5Sb38MbItDOVfT=zIH4mz*n5uxV>_^_bgcW}dhV5c zKnnTVnha5PbGPENghmkCQ=SBi9}RruKHq+;GGuama|vYskZ2E>#)ZGzMR_=%JDV8j zp0<&y_JD0dfZ0spL&-;GgHp*&c9Hulp=irxpPxPbN|L&T+I}2dKi9vCzrH*u3z%8- zBR~}ZW;gey^zij8I^PM#PiRzVlz{#|5e0d?C{E0E_Te4R}X3uN<41*nnK zenxzX5;{}q$_^i_VYur1%<)YLJ=QGR@>}=TC9ptsikU3k-L6t83&aG~-Dqm#ui;s^ zug*mb%~#w!7wX0xa$%)_QAXt$oW_VrnFGr7mOS=h=@Gv|}t=lvHS^(>*TtmF0Oc*VV6 zOKv6nkw@U)OnK~Q3~%yfv&zr;@yL1fXF*GNYQjw!|kco5$q-rR4Y?F z|5N>)^=!l8gl=!a#G@bhM+*!t%q=TFTGW?f3p5dO$8!k%sXYXDgKpF8yjo(DdWPO~ z(cB-@$=%fxAz19SYTa8rM_;o4s^9vph}}^1yPZS@X3TkPZ}YAt3b^g1LG~^DOc9{63nDi@SKNFOQ@siMz?1>d zyX@!zKVamZxLPLk?Nb!5Efjuh(X8`~#ZK;7sAr^>5~G|s$bY!eV7PKIB-qdMDg{jl z;lBRmUeX{`ebq~Xox>%NP=)M*c-r^!A__XzIlIJ0ROEQ9k~frnxvO=|33Yg-m_uw z5B^M$G;0q@t_zI)J=)x#9&kGtikF&zSsLFS1LoxBQX) z*L_h>e=T%>#2z(?KwUAJRRGpg0lXE$4)4W?%s(95w`^@Oq6Njy;hnpa49K*a)Os!d zZl|yyt1oe)Z<0%OxH+8TOQBk<3Qo? zupaw?T?^k}%cz!W8njS_5iTapCXtqutPxq<(@8;Y*>JSia155QO0Q*V)>to#eHw<- z?ju?Kn~_0vfp3N+3XAB$_^p2q?6UlSvB)7l3FzPF4N?&&<=9Ya{M9||)|4ELGO&md zjy|Zd&``I@)KP@7S9sI`fbBUFTc?lO$dUc^aN{Z>8sjO=x8ajy_jG0bkN9wP1z7B) zfjLUp!*Ox1o^^*LaWV~a!Ug~77C!Mu6n)NZ9o}R8Ed`GUx5#1b+BM&wrdbiFxNnraw(tMcJ&{aa+;d75&v3QNX248TXH)Nt6w^yIKZ5Kd ziFe3Mv{cUEZA<6gNy6?KVFzZmr3>}@p*zgEN^ys|&xcSzb87ly|JnW3GjXjoH{ao? zZvCW-POrt+MLWE)^|rul%)M=utkb4Tt+Cy(1~h9QfSpj;AERDO9#9^(Li~cQ2R{c) z#-x2Zsq_XAD9SDU<5-(!jWmd^Gm%~S{>X1`sF|y%@n@X@iOuRpaoLRzkkotNU)lg( zDp`SdJ4nPCI8%d^U(f44?TaHKI){_z{53yh^GWl4Fj#EzTKFWOG4`CZj4zV`#0$3tos#TxoyT#V~0~Z1LN${@fBJMz0Pa zIuZI8QMX5rwEV?2=de6R>{&2;5c%vX9lronYudDTK17^Vzq`9XF*XBPF)bROMDPrK z?Y_lzM<#moZ&Hf%$PJYBEu>#tu)hr0>eHI_ANYZF*azNw`a;BVpTW!?Hn;;qk2h!U z0UGWE&DC`EY1JNQ7>-*I)+i8&8w`GYtPcu{@bkR(r?}lPY@e+KABt?5EPRJag7ZqemHgwfc7E1 zBo0O`pj-ErW$$&tiC{Bwf6}fj4aBImL)h-b^LfaqDweM6M&viejv1EeSuiti&T3&m zZ06YJIe|W@75T<$8TFbn^3hp^?wWoOy$BdtEQiTDdJqXKpk^rUgAE>U@%xIQrXJ~# z100J?0g~BFm>uOz%DO;|z)(ZaVBA1jJT-0bfWVntU-D?MtP!dSENCRO%@_2on1-2# z*>@y~3|oDNcqwm}$%sc?*&#*Zo@8NU z3?X)aeM@&O1ww)U@>51T0=!%IFN=?5Y%(Wpa^Zs+zp>fukcPge`NZ4Yc0$N6zB0E1 z_;zGAx@H!hja5+0b!==*$^J4Jd;T(~RB4Oguk;=qEc~XCyb5GbjNXIob92O%Stkwn z9?l+HNW6RA;~)8%-iftBc+g&d6^Q>|>AuDBg8QrfGl~{?NcMYFTH@)C{By>_hXLRh zA{7^h3M+r9rVNp7#3TClsp28DZRAfRgHnlu`wakCJgMu9&!u77O4fQ(T(&G92J}~r zS9emxnX&)jgP8KO^z~#QP43^ zd*~|+cEQ1_a__DtVdZ)8A8;51f#biwMlV<&+zO$hF~oyBlC7aNxOnrlbAKApg-M6^ z6B+`Yr!~lO_3Ay3wQ0K7xLJ8#szmjVq_E%DvCd~~JaXe~bN#UYsKNaPp2`2^$Mztl znSF78fJkWIyM&b1(-7GhJV;Ph{Yx6yxK3{9cK#x(1NY+~XvSUvArlqYr+IwX@y9gE z{fqGcCH01D=hTv=g3R2uN}i5%=qzP`P~lZ@EfI@118nm8!lzasZ?gk`XpYKiUGJ8~ zQT~qSe*Xb4cA1MeDg_at=ICKK#{Ew}_`e;e0zbyIzUHha+Mm})T>C*rhQNEBL z1)YkA_Sipu;{W|Yz>8-{iWj(!9|-xlL1fHoL%}ThJIygy82!3p8K$N(pY2S_o1Pt^ zp~mSIC*L4Yo_!u#bNloA$19^?LBfAJb-$^wPb!DElMuyB$9TWfVbTv&$guwTbN?^l z@ozQkw-Ddp0Z3&<4bB$o$>)5-1JI`wL#gJk192=MNyyNDRsCxKu-wg(K?CUTCUW>D zzrM=kwJtCH(%DB6zaDrs@;O9_5}>&Ig#TMuZ9!E%SgX-p-1)~(@L364ym^@S8~;U? zRDoG*sxJOBv1!vGZN4Ml3J}5r}vj#@` z6g;H|;9_qPyfe|gq_3kTgXQK=QQU&DmHWHXBa0V;_xJ}}hr;c@gE0Q->HdRhTHsZA z)A1|S#nyj&_5H8M{ttiUzy4*}H*YA7utX{U-S7Y9U-Q3yjD`a{@3){vPqESezhA_pDyE-z}2ftQbIA5k$+({8&p=)eY@#nb%BJb_Q;AebDoueQ2$?B6*i!2(V( zsS6BRcL3ouB@INeM^?H@sqHkEDwJOT+jpWhUcvObs${%s%54vWsm7cbk=b#mCw+DE z1bE^*N(1iV{cqy`aghXilYT!lASs=JQ;qBa7WXT9<&<3@nl%MN%a76a4?taWa4#sB z^akE4LiSnS8=RoE98T5DeUujGw`oE9fa$0e*So0f+7H^E0BFVG1-w}YA;UNOY1yOD zym1pnSG=xaDU6}6%#p&Q>!&!>hTjJOXX=_$ebSWWG$8T@2mo8$FAMaGtC#0vmNq%x&>IB* zk9j5HqxxB&YyO0ze|fw?mH16Y^I`Q7?)j_rZJeXz(3g-!__hP?=m&_yXDY5JyYJ}X zD4Ev}%&vQwFTIa*iPyBCTft_UmeG%lRt@2_RCa69ZqwAS84m zrE?)9(vWBGik@=|&wz~I25yJZn_qy}=2*E+?BP1F+#VeOz_6UJ{ygaWeRLfFPo!SI z?E?6d-cPr$RBoZNb*5WaXa{s{OGsxna80&I^!$1XlvKvg*pJOdo7E^t_`A?s*U(AP z1sGZ6CwSkDMFq>=iet@csj%oiY|I8SYQ?wJCO=fTODuU2N9I5aNuOT>hc3Gsb%->xbxCaOIcuaDI49g92) zjN%S}>E_}Bj=x^fEobTE0&sR7x&TT0ElNUfWpOd6?ro$lwnFIwXqDBj`;fbLgq_GDR26}}l10?P5p)IS z>!@XlSMQ~Ez9)0J62Kw01>U^0?v#;7iDo^w`GNA^b?d_}bNl|1C1_TyGu@C*at!yd z=1!2cDoKWYZ;C#}!*s(&z_oQmg2k#7YwyKA7D~Kx2`DJV`sdK1v1ZY&s$BgadhvgI zrJp~PjpRMY*6952%P?^E;gvG(_yW!Qv@Zf-gdZ;X z5UmI#;GSf0Tr`^p+dt<=?es4?D@w0Y35V3;B>HcVcg;X+iH4%5$SA!Okl|w0$JJ*^Y}a^(O3T6RfP=R?8y9Nh2A1Pdxu*<|1g5fCHC2-SaV+>Z zb^bcRRn7(?$~~#k?I1#48W=FC4U-;KXx7&I*E3L{zB<@)Fg*o$eUl)%@`17=Zl;4% z{Yr9w(>v(wuU=m4ToUQ7Umn)Bq=B(uX5OuxIy`soeA|QDM`E`h>4rF3j7kT^AxSsR z>M+gvL*f1G?5liYfZ#3+UYF=VqEi6e-Rf~cu=%9~0P`(cjnJruZX!lMb2e(p1bP77 z(n`adp)v#A5NXgQ*p|S6#<~{k6|xBUpgquKE=P;yvsn>#+^2^yPqo>7j{VXJq&tcr z^lnIIL3uIP72$#LK){bs{D@_E1LOeg_dfL>A!3r2M2T2*VL}vI(4t^Kp#J*nRnz#h zcLEk&&w3v)dojmCzFF1Peqh=2m4p6IK?QJU`pHv0s$~so%<$tqDC65}ub2H_+|kW6 z3~ClQWmQ%{?26ML;sDLbiNfQ@J!(Hi0bvq4*OeFh|I3>V-A93?%;2smZJnNq=|H;p zG}dlp{;MqfX3jaT&GI=uT8dlas)uBGY3z6{E5Og8jpSw)q|&m^jd{?=lddrTwkb0K zpzA`cPD@_xnCLeJ*pD}K5>>Sh+{JH@2!Sr9TjKe>K5WPX_$?XZEpvd*`VBzrs(Hqb zb#F$xp_@h2N3Y#2mbR(B!#EUj9sU6BD{1X$XX@}u$|aZSIwxz8`{4d#0u4Z#;az-| zOFB_NjD7y846ro^P!X!BpvY96HUYA#)xjlzo}HDgL9ti`@S4!fVQi56IAC#1ZsM{_ zYNr@`7lN=KS0TnwYRZr9vtBkrz&+CXER@>#g=bb#tVv=7sJdC!$8Fwwki~!@(9G1& zJe6{(Ps+;;3IZXJ_M3iUEYW#|>bZ4k~8~Pr`x-(z3ms!>Z|k zE%bpYDN_dM9PT-}DIKYBmzD?(iLz=qJE5cbMs~@U`#}S_jvID%3~E$7=UE-$4B&W8 zzf_6^z+1H3`amzJ63akjLfhyWFb=puE=h)8h;Y7vOoeuOK&+RW@!XbMcm(FR)>h_S zpclp=&JE%G%K`L%zMPO&S?2E)j7DH|lM;G0c|X|7CR`1)w|b8((*e20Svg@V=l~S3 zbbwsmVWr}&=peTShV8FvBWw0rz}Z>_pt&FnodufV0dQ-X188$?D zY0y`8)S z;-Wu8S|zg^NaDJ6ax(cH7`NMIP?_-rb>I1oKu*OtN4sPlLs1>+wdJxVYmy2+1LA` zIM)+QSPI>v9|EX1$iQ(<0Xnt$J z3w}f`%-pRWmj;Unu`>a#p9E#Z!*`+n?1LBcrO;0IY*;G_^nou{mqIEPD+dJoEqBHs zTFan)%jwJxk+F3HCqf=)%m1L*M40g2R}BYhjS(^M%3M<*l_raEZfE9E z_pEn2Mu7*{2{1QcGa%WOrk8HI%)a`Y{gnTZZeVItq+yG;Nc(71hh&a<{5@LjP4h;# z^kGG;-`tntVaVc8!!1k8I=&DW3%unHHC;=z=8hehtH@TgPgR+bAAp?%Lth@Ew@=kg z4voCFJeJa7##6z!8GT`@E&-Z(t8^+^-R16O1+hCSm%z|+5UeM&2jc*6tW`q|1Hvu| zK}?O0Uvoyw5XP9#r1s?QU*F5JZrCTouM1~&^Acl^w3a<%l zK&&2yHu*Y9cF4f-Aw}PH=bWefYmg}&+QWjE1Nb~-UWKA71 z5Q(N)X}=%~`dN!OxCgv&{6R@d7vw(Z4Kluije=&HRgk|qyj{k+;-x>3Y~b+Hea20% z3a|uEeuS=-8uO$>0th){ynxYAHkZdP&3B=-|8X0Me|(G*o-cy`I&EBZE|+J{*J{An zeo*{oRNQIt;XY(v0~P4EPNalcICZs(%Nv09cc1x*;7!^p9jlQ%SXH@;1JKW#V_;vRvfb4HOpZuFb)B6es^)sT2Uj%pk* zX;64X<3@X1=?9;Qr>>WECbS5gpn)2Ts!D;E)B}3@R!PyK;vj)k4?gnl7zM6`7ptNF z7}H=0cGp7xx1fgEsecpH@Y^8P`s`>dqWYLh7uLq7E1@8JAHW!&K!AKtFW z6DM=wsm;l$UMw^{D4?x4F_w*6?|{^V3t4F0>zIN)ieqF@st)l|s+4xeqHUZCG7sfb zL{X$Tf-<~)Ut*6(Zq_5xUd}w_8kBhSV5ehHzNeG$SwNDBenCdS#qr>V=I-%sn9MX0 zW-Y{v0f&zrt~!C5S1fQ)<}8u{tE40QiE*;W<@#wxCs{81NrbYm%9t z8GQb}TFN+Pk}NTmmKD@>n;M%)j5$2tGYdARTaqrtj`Br1dMZVs@&X*11;Ad%-b5%q zl8@%$IG{rsm?}(+ra);;o;7FphvGyR@gO^=&L5!*;4J*02W{L$ZMf(Xzysb(8Ep9n zhojaVMQ1VfCyP5Yo-g{Rx_5ocAJF5;rTt5}IcDe*BeyP4U9)(4#e(b_w&xdfDP-)f zTEyCK@OIYA(T-7XSZDS!X1HMhkUjRq`m&u~^DZz9$URptEn7kr`Z&t^IPfm{E$`qf zFBx3jDFWQoG*g3-^&ORg72i|yxIvM&BQfX9rPC{s8PHH$ijhjG-DW*so}o~M%MN0O znhvh3#KN5>(@+xVSvsycJo8PeoB!Ph{Ga+g=D;^P$-f(5f}YPwK5`!YT(e&0q)De&P#NGWexO?0N0)@E?nrohP^4Wr+aRQG z*G*j9s#U+E8~D*oSvYj2@?m-oqRe-NdqUJ&Qo?XQ7P;r)FjEUsDK)ZAcp@H%v}Csm zk=8mYllv#nXLy$gU;alLg7OPuyF!sK-$-EX_Nqp@==TX?_>|=r|qG-a!)^`I-G4wiLq==Mr>vV>#QM z2XHHN4c{2~bC;=d>~A%wC_*SPt@q@fn846vS$VbO+(;~2AEtPyvK{?l4Rq3c+*$?= z2a{xmGA?Vf%1v43(MUhO6X%k11|i*-08g!pRQG}fqd!WT4Y>`AC;@E*d5YPM z^_q^IH$WR%^p!CA8J!{bm>oU_c(h_OEax|icXEy4ZXILtHZx&JJ|yNs(wvH#4qi{z z!Z1|ABCqduZygf&YQ(X**?27qH|xZ{;GCMnLq0$YmvuEr4sj%9c9) zc=5bYN51es0}%*Nj;m?UT9!m-D|BYBMMu=x>!%9zpA?j}&$c@TdlfS%ZzY|d6lGBl z#_9eL`Mm`AqO;|Z0&<2$46Cfgc|V3$TqPZ+G0$ZB7uChr^J-4r0KEn0sJz=z4^ADP z6IYV5&ci%$vys9b1%xWAziYLq< z|34j+|C#?^u<#FDyqM6b$h#a+Q0-f^)>P8ES*(3r!5@`B1ohEL)8t`nlaOIvdFw<% zp*;3YiHh*?QW#EX4xZby>Z0>prgILCsQ(Euz-RyO5QE0y=ycK__bjTgx+t8~uHdR&>Np-k1$`*P1?9Ck?hjL}8%mVO9RwLD`Zw z^_K@gjYYmGvcqm+rn*&}vet-I>H9#E!N-Q8`5%@s!btw)Kgm2nW4KKPM?tumTtRN* zN5^XVZ(>oEDhg?C^PEIyt>T7eN3&kPa1fu=XL+2eLkj4z(~GSvONAqpecs#4xv z_NsRLV4V>Vbg&4TT5%da&k6CBMD4Txi?z3oih6C=$E6#jWaw^zp`}4eK)O?glI{-a z5J99x8bLZGrMp4tk`8GE0ZD()yyv{9*7>g2v(|4d{@8oV9%ttB#C>1)754K!w@c=u zRKsoBn}A@0Sp#zszDRgz0m(<$HWHoHA}%ut+|$hF8BtBR#_vG%ZrO&l?J=eSw^^%L zig5$&S(?lr?Z@gp(}G0V>f3@ZPI#hrKG0Q17fSKWw4Yf3zLS)Ok-)QB1ks!xoo^fB zeU`$MRuZd~q(u_r28}Bh|41~rnvUb~b|_-g!|yjlPnppVoQUhB@lHC~!Ea$QlWisJ zy8iy6dBXwm_{H~xB<4z!ldqGp`~9CSTkfCN4IAzH5k22>afu8^X%|h4Postp-K&ZJ?iHJLEZ|HX(RC*vePQQ%l!jlE>90NG`gR zlKhe*jD&h-#IoxKxw7mZTD^r`rONFsQrNK$e8pA`iAraB1nAbt=`2JfIMMpAc!Lgq zkyAtu%YCo4&dAt%yO{cOqo3R^e*7Oue~P}< zV3g29bHGI6MAFYMk(^S*|4hRtxeyXHiuV-=l->pN9TOhFNm6BxWwJec4Z^UaB|AbP z2(0mLuQD1Q`59KEKYeHX?@Gllu1IO&DC8dpOU!ry>mt%8S? z%^HfShX?61c!+D(bPv2S2KDSZN$=r-ygmR=;thdC&pjf#cY4q@1DC+kU|7b$5kh)9 zkbrqW+Bd_~0yo*48|jA#uLdDu_e2Ii97u}U_ik}(zkrat3!$OFmDB&sv`>R~FAlIjl-!ZAbuQ9RwpfD3%O)BVU#GB#u zRQyHJ%eksr&hMZ-o#)Xhn|{d)*jEQx8gRX=QSMJF zEDMtI)J&evvoLYpgzt3)fXPdrZ}VW5+bmTN6dpSuwYO$+ji|#aE4Cj%*Q^8eKxC~w zn3ojdc@@|b2GM;X_|{{zea4^(UJw~_b{e1yWZx|9j6~tn$J9mGdyC&)k>-hwqh2a& zP$ROut-3!6f0=rfr^`@xv_?5h7Ey=2IXd-k(E|@Q?fVYY5&_%zw2?7n|w z4>WN0!ky<+_^Ir&MCUf$6%~?7~h@m6v0fsevk4{(ND`_Dn`n@}=r$AeXV&uLZE*pkAd< zpD!!7%lCuG_ejm<0|O>3bt}k9`xr$&+AJ^NIMJxHf0sdR$?wagI=16)aG9s(fO%l= z^)QCr1&G62f|vcAC8hG)EmPh#CXAtX$d|mw%Uh)UKlZ}s`XF!0%E8#8+Fq1r*3ij* z{ynN!U|^3pWP`#eFe?KDOLs13__Ku7=vv1824i8;7^(cEUuS#2Hui6swi|fo#=mW$2hqK%uhGpTq zB<2;1H2~N`kyA0c@s~c^DS>kz!yg$8FrvxNJa5ZQqT$9r*%`QRxr`VR3_+HOCiwg6 zP%dY8u|SDAr6=n3pY80s`1YzTc*HF%u+~wJy*~WvS#3{|RV!eIyW=R`Dy4kxiHu-e zLcZeYWK0u$TZ?>=lMyJE;y(lEK!WRZI7-{LdURgh_dmW@h1Jn~zn`O=(k-A)K_*SA zmf#dDlby?1EO|bGpwu;X<`c{DF9{4X6F!4ad1b zZ$SiOYUAV1Zv?3Zr-rUx?+OhON{c2YNR(<7mJ8uBb6B|z+7)TL&#a9YGP2KiNbRFA z@{}GjBf5Af+VtSEcgscI&SQp=IW9$XL8Fh2Z)5?biepzOjl38hv8OSith&c!sU%QG2i-Q{W&%iigB)%+3Elua1hdZlF_?(};<_QAyiATVIF`ac2#BK|!vz-X?@ zV(hKg6}&&*jnwYj_ZG=4sv^i0Ed`!D|34(`A3+soj8;_ypW!wxo! zdXv_Me)cAg@N$@-KD5M${Ky)kL&{e@=xQi=W8nSItuR6r^a+mQ@2VB}u@V{Y)8^xR;p?4qn6h8?89a@+z(fiEg9e5b2D`)G;a_ePmi zKcqI;liOSROU`p;hV$}Xvdbv0cG8NQW`eUy?fRiMiAMpc8_hIsO@XmMw^TiUm5~UV zRqmpGHsb9~doE$BY|~lY;SrZ(iwRVR3FDHG!Ix7r*JkKXw`a@?XyeTI*_WkG8PPXcd5(6d_m=wJ_ z_FEYqb!x>!z8XfSW<7PG`o>W31CjLcxluE2-*{>r*!dnq&DQ`F0 zqlt5>P_dQ4=gM%xa8rz2q)go>Z> z$Y(IG0LA!a8OmEdNMnNsnY}azhSOx zARM(b`W7a{)ID`9lh2|V^|j}=G`9k|Li{O2-yVAbat5iAsC7iMiy21@nVn1Xd=ldg zx!qtR$bW?jsEA)}(hM3f;&jO(C>0GV1I)cCmeC7&S0|VO{RY8~au$zFsRg~uWfg>b z;O0Hn=SRN@F4io(mXbCEjPjR28w@50ROW+KuaaKxpAdpslA*+VF?O!@TUYRB5Y0Bd zkf=0}#&uWJ<+lA{%Iy%-q5bXxz-|*JFZw?+ihh7==8L$9e+OQSAs>~p{@EzhPN*4+ zQlGbh)yNhd(9(t{1-yxfXM7!%z>lv_k3Te#WD_4y2_>tsd?9CBJHYTqE9=kIlFKW% zu}iO`Q^TXY_1IF!_`MJGP)&&VvoDNI^cSbVDiXqkD06}Sk8j3Z6h<@pp> z%cYuyZztpuR7f3qKGmLP5%x>|#Q3#4$?VPigR=9@3m*i2GmwR=%`Q~}1|kNT?h^`_ zF5=%JQWeR~t`c0|PMRnsU7V~Yb>CDRkC78Ym-^?lh;|6&9sA1c+W8kB;(Y@1ltt5BmDQiU zsN$@fErHm9l_ms6D?^rA&L)* zp?UPW)b7XE-1wm*m#tju5-)}^i%?puq^^KGFGqLCQw1lm;m$2N6qZ_i&N4h}U*b>a zN~1AzWG(mNyohh1szO@F zpGtm>RjOz=v9SkhCrRcikNH6_<^Y8&FWP4kGmU+6+fg{iE*zl`Ogb&{h>}u49+hVJ zPy1n@P@pI7KWKp<)&ImKdXjr`;3tre5OrZ1PvX>k=PEiYVlVPN1Rsk?{Uh>*wm6pB z;}zh3niq{?1AQ9g+Ni3|uW;3f3XPP~*H!dT^Y0Tq>mzqU9)C(;&Oev~5@<*+fHTo_ zsV-L?m=yVy%DsTM*Bz@q<2Y8y7M5gQp&!iU&bCl0iV z`ujMC3UsTcGxDDOUD(D@>aO=+>}D%4-Bv)tj427$823(xbB)tV+t>oxVU81&N|6n^ zR6VQmi6TaooZr?Wx@!V>;?Wv;Y^3 zwFpOUqRw;fltZI)R*(H~&m8lyu|i%Zb&75?Lc$i)WvnYhFSyV$?oID^=c+$W>S#TXvr-?jXTd_rf!ibQ;w5Fe@w<0Y zAdQP&Ju7ZZZ|j^xAE`#F!S{Pi>jW7a22mHz1=E zng~))mYOh~;|N)@>h0%wPKaQqO#JS_>fbfC1snoOL&(z3wBk&$IvI)?@$ z+}!)n8=x>0mI?<zX`s#le~4{ID8)jhf2N&)1u<_7(l(@{GNEgShL)MIsKk zuxCn|2VznDXW!g7l55V52Xjemw_G0vY4M-`eNL(IPZvjV_Ir1_#f{4-~@&q&p|N5t>4SDZrXK4~*c%Y#Tfy0JG$WOG+K!3AHBM77W(UMTS zD`^sGz9fu+x&S{3{EaV&T0$6zS(+nRshP?@0=Og?zY}m4d1Y5yb6&K+N`tECl(KBvX!rK@$e}(QS`m5 zKg~FZizaFosWB!2tZ*|gKW`UqL~~M`A3R=1OOk1eo1H&_$3#u&^tKV3gMwvc6;?Ry zht|*B*v2eZgh2@b<5^;#*@9r5z!J5D6C^?QHzHu_L#+p9ojFQ#lju%HI!%??u0UtvDowKbgOe=#w2xpp;MR43l`}E30_3?^ICF|H-%!D zKgy1w5aJmgKsjSb#yg+<;k#R7{9O4GFQ=_n1`cHn!v4YCQ6@pnv^S!WBGW&}98~ zu8CYx8HUIh4mXyZOY=>4sK@a97`sS0S-3=~6PV!5Qn*bQ&XTiu_-k)^7}rWPXfA$k zYwpnjDyB*@>s-Km3e<_pGmBxTp3XDjR^3OjNt(%Xzm^#K@j977`ABY`T@#y8RlkxC zw_|Mm4GEWLjno>>GKPJ8^ZBBU2F76FZ|fbw9jJJGvw@NMGPoyX$2ZtaC0#y4I`aOl8D9>wO799pb(M zE-50~=7RTC-|sVHv>yji&TWa(XUA75!O5E$3@e-mDyXQZbZUhvl;J|MZ4K)4ID$*> zbTbP$!_H%WMIoEl7@?SynQofJ>Bs1LPxCBax|V-t+v+#6ej#%G)`d3K=pkPB7)a)L zNt$8;Bx(8{G!iYJai~Ngg`~l`J0OTV#d0$Q8xWk{`vR68kBTmA;>& z?jX9sB6>rpwmU71Aj9+!b3C2m-GWKGxVx#OWKF~}1e%EHC z&MGhx$cg$=0ajR89YzaZ|D7l4%y^^nv#ufSy5C0G$qcjoE9ePoW>o+BNCd}b(HG>s zdti4ddxN)`4;cdiVUlYu1Mg_}fHmBk#}Sl~;D#PIZBV(Qe*Y;)RY8hvCB4N(p5@ba z2@ywf#Kr=;Qa|VMZ@hqy*zgD%78cI=h{yH)BvVM^=wR(NP5heuC4E$8v+gElhURX# z`W?0T?GC*_xBt+NMxP)Rpr*b`u0(j)LarSlc?B6FtFKwx983(&TvZONB5db?i}MWv z@6Hcdc8u5>8NU~kB}=k)9Z1Gi#qqAkn)dr1q&Oj8K4{+gVC<9ay^fJcM3H+--q2m7 zDT(&nn8zey%VX!`K*Cg!Tzzbny@c|S=MAXWKZmBdK|W>xZhD&Y1R>;x0@%3OUjN!n zql4<~O%|#?G^w*q4oM|31dY0dh@QikOSwkEvhJ>!^jkcAuI_Mr>&1G9oT68tK(Jzi z`;SkbtabCQxrzglbnK*9c0UhuD0&A3Co9!{OTEm)bW`K8H0+zjJPOR+Y&Zx3DWfhk z(`t-c{D7Z&#sI)*SS`lyMW3uwa?HY@F;N6dnq|fI-ENSLjvF;g^ci^w-fEacHZvx~ zqT>N_mP$TMRl`X~p~3+WDP0%1>T+XoCHtY6345VL${LQUS6TGLKQ*oF5r=VqOrrfX;Ftm_S zAH&CnAB5aK`2wNB=N9Sr;!-x9x6IYAdF5AB(ldoUhFCn({B0-;p31Zxc1Ugl09mb` z1ewJ}x*88rm39IN1sjV^({{Rqn5A*P*`jL_mFPKUvQD`{v8wnLgC-6UEjQ|raZV2n ziedp=6%fOD1MU0h@BihmwS{R*8(d80yC-0O;Lt+%fG*B|^7pCi3S zXV|wEzT3)z_3T0ZM=@-x>P6sDSI5$F#Y`UXBVq!L1pmn#iJ=t#z=LD-`glCfV!(H= z)^e|!$cn5+Kd|}>zHd|D(s~BmzPf(^npmTrHggFY>ZXS8#R2O_y6y>cqGcR7 zZrXs2{r+dF7BuD12@mqT)45VDm^;Ja2VJY|BZEK>F0OtKY_;gC(J-eAFiz_1^adiL zQozbnT_eRIv(*~4PxXz35}+E!1*o4G#=mk_$vpA zvEk}$2kolu_EhN{V5~2PB#SHDcE-}Gj%CQaB{9e_%Uuu)Y*}kK)83wdnbC$!`VK}k zsqJ=4q-V3u0X@pDRmp+Jr%PdzmhR7(^_CZ_m0^!^ib}0ywpf&o6O07do^>p zb9O+#$jW!1xeVF?98@a6hRzT9md{XZMT@O8X+A4s)3rwiHVeUnP*(Culzhg@%O*MgfHw-4j7MPAEnA zC7z){y}b<@mT;;$vo2R03cpDx*02yk#Le z45uVY=E8kCG>w}*wdcOi>f~pOcvUo%#*z!_oaDjS3#I0BC}JdADBnieue7y>Xnavu z>k9m^Au(QE>Q%AKOZS1*HsMy)zZg5&$y|dLAv#%GHpktD{qmZ~xU{Qo)khRgiFA-W z0U9~w^TS15xZB1U<7$&J;E`rNAwBVF?hNSVELC6El>6yZ`_3arwO$wBTP9@UccaTj zMj14!_(gjgVJbt=&KY1)#XiO|e_E`^m|T=ltNkoX!?piB3s4!-gs|_H0pFjvrQH3; zS6V{6Evkc-YcQ4Ea<^$zg#-c=&iE6>(GIxdYWBMBD#sARJq@cdvnba+onN&2dMt0? zEB1RIsYfP(8>rIsm;oxuE2rdnccOytW$bzHDk^yF-t1&IQ&t_CyQ8*Lv%>7zSD59i zNC|8^Jhi@!7sz9^tmJu~$fH5!-b&p6evJ13?khN4^wmrKy=Ff5r@=`6M6ED>n*#9) zqb8ox!Th0>3FjVN6}HuDZ0XO!IrRC3+?zke7HbZwVBHy4vnuU?^EwTL^%nBPcNE9i zgHmKhBojqTFfkG*e`rl0;J1AK5GgOK{n{cPb(<^D5$nA8w~n~0f_3&cU!ZP+ z30Ae^B`M*sc(hn>{>kqn_p?k?#zjkq-p*LHwW6367)r$J#)b527203pclWdgL}J7Cf3 zXL<3EK2?FrFGO&@KQ8$BFbSFnkq+lmXUr=gAkLZum^XXPF|XCgfCfS8K^I%lWdYnV zHC@!_bhATpI{iJApf5u$FI7WD4y(pVq1$bHWN--JT9ai@UdSXNIxd)8ndZ~RlEDG2 z7lOPlKj0ooANcWNsKg99rR9|gn^HQ@yRqKjL zLZ3ydn`OwvHWk%2`X+t?`iVmoof!V&AG;OPy_>W zwJ}m5=I!%-(AAK*kx@kAQCA3i>=9*j({$)8MZla=IgK-J)q~*!Y;V<`0kq=X89b$OkvL{`Vkty@Wa+9VyiwAcR(B z78nF0oGiZ#o-1V2A0gZ?{lq&yBO}c{1-7G1DnFmLx;#ndeyAkr%RfB*RhbN(LBD^U zoZ+?USkIS9f#^2K~5|Enp3e-Qh`|ar)w{USrs>HSYL=~RGPW&N$4UDcqwLXO6XV_bo#ZPc$g}rN7(cp68X&|E8 zckdOLav=~!SgBYaKxI@bb_YSoy1uq7?JNgN4p>Pq@~a~^gmk_gH)*} zm|`ao_*KX71>4)U1|`Yk8 zZKtA2sePzRRbB3rezz$(5#9yzbMTtlgpEwB)^}%BqH;sC#f>{W2{;j z!EnAh_j4JNJfc6aAI^X-DAE_s!fVzO)iFspX7@o-L7S`{xOeiL)IaP+>>HgReCNNd zZsIE=O=<(-SnON~oGMaR;oA=JJ>L^@*?QCnDkq{CGJDn(I*GoDakYm=iX7I27k1lbpBzJ=Ql6uye#$R?p@PDBT8+-)BAuX$+d&wk#vBcB{R z?VL@yzq^sIs61?O*>TlG$}W^`#`O>Fev$*BTa4&*%%uy|{0(&RnB@suZZtGF#-@)c zEvMK^Q-;R=X-8Ckp5}FqmZKArry|iPvy*uQHUz> z7S#vz0wgHqd_fUjq>E7KiX1#+xUi^I;dP>#6~euonw4PKciO)y{^;<(rf)GVax_2= zN3$g)=6>D*hIo{ANJv7`5~H9k^XPJ`U#Zx|T=y=Ms1Utc=>kI+dI$x*;sMuBj4>9u7Y4QR9(YdIwX)~vdwX=^4!EFVhoa$)@mO(x@2i;6 zz$aAHRC^!0xa&JzqHPOQE0{xf)*q)r{#c}9^3TbNs9X`uyv?#j#MAwW0wrbW zx1T_Vj5`{cxoSzCn^x-Fr7lmITp$_ulKVL+o*XBnvfc=k=$OsAnhE$F6~|DcAE2pR zmE|1MgAApfn3<8!<`xWTtoI3{jc+bBxzTe$jvdQ7s|0FLtpx82_nCcMXSz=%~n7g z-@q+rh5kI_3HM1o0zKAlJWJxBF#J4daZ}tG%Pcn%Rerh(ytq7S)^70amKgTgN6_>n z4nTRJLdisf^XbHa_~Jek|2cQNrq_ZE^JMHQI@de(v-CtE1{&hYwZqUpPTDGss1#Ip zwUN|xG8uj>Rjc|Aa+;Xv0K_0u8>LGRKBh=3Srah1Lp)|t z`??IKph@aF@Y-w|2pK+Ejb)I=pnTLj&_v|-DDVkOK)`l;E&;s<%w{!|V`;U4Jz^TCef&35?AAH8Mfy1Iu z0V*?0;Emnmr!wXMUB0O9H$dDN6etOsfG!I{u_L(Aw*$S$yRUJFP9~IS`WRx8*px<& zuAq5hoA0DUexfs)$H4fiN5iTh?2e~lbuiD^=d@(OGAKCaG=FZaak!q0q ze4SE9%N+uLJe&IaaOBwp!; zsEb`&Va+_%bLxA|SJvl?;U@MfvYWy#kQY|bBUmW*vTr)u%2)e3mPQ%3Ed8(gu{+fF}@6n%WSJ3^nzAjiHT!(C^i8ARm!5#HJu|e9C9pBM9BcQBR zpDz3$U^$f3aua)RUUntJt|oH6e&6?6r_6cCx}c$vF3r81#UwYGDDyO;Qs>j?rjlf*FQNLc zPUU)}3wR8_vtr}v<>gZ1UxWDSn2{!(qj-IG{*3M0(pYKs+S8KM&^3I|sR$1tmv7NN zxrf%~JsEqamNU@?%hz@521>rfDKIu#wSlIao*kEo~}HELpR zb$lUSUPdynU0zGNp!y;J=Ay789J5j-JY+Khv0ljGt!;U|C z%zhLI!zvYKHzAJ=tN%z$^ZAtd^*~+wKqavded$c!Y3|+gi7Ww)H)SiSQI{rq-xuD` z>gKb!)QlSKyf0E&0;IVyejECvqJz$W_`5;I7$>Qb&rQ!3mb#a#uVTC$ythxLmg~&8 zv`^o#<+QqJ4+vOX6*6}KYERPg(+1hzdnl;tnE$+cN{xV-kr6K7$Ss}?scs0DUD z@ViLp^n+c6%icHgM+2W~y5O@KO*y}*!6D5weAn;6D~!<`uobI>fVpF2b@ML43$@Ca zI0Gl^V`Ab3w>-COi+ij8lRN2-nEA+lP zz9Oq&Ysde6J@(|UCM-0;_K0=ofv-|x=bC92GKE2}k(p_9$mfI0MLlOs*vz&~FYd&6 zHKl1ydeGJg8VT>x-TBXjf^9YQ)kvRpmedS<3X6>AfnGg?a_#Ip0(J8jos=LHPlnWH zGp0k;rh}N*JBV4<{vnwTZo~(imB|#Y3w6}k)#*o|8&9!w>l_=I>(o-5;~(^g!Mu4U z6lq|CDx#i8=jWY+NvJ(?<|4TMSDUMp#>p^l=qV} zI)5Xo_k9-`ziwxQVva2z~Q)`D*@ zMGH^p(8o=aCI~ui$XA@3ybswO@P^y#Km$??tQ6#Iy4PBS$uCC3yuBkk&vppCi{2qt zBEqQ5ES4LgqOG<_Cyn+(1>K3J6a4-v#Jp~Fh$kOH`6XJ!w&+1UjT^9Y)koj=ux&8` zv&9+ipc;(!rjh4_lVRmJ+`pS-L$JD0d={X@uXMY-%73ab&tD%gpLTzA;6^rACSPE= zwK8}fe3@o8y4HK3oA3nyfdq;p(ufR_|N2KeQc?lOIL88qF^y2=39XiTpIo8WS8d;Z zNB)3oca+}DeAf;Hv?4HJkb(OKzh2<}^X(QWi%P-QBvGFRObv$z>AO|T5D>Bn#EDK! z)e=gHO5l*Fp!N#?xJxe24hQ2xTY*mcV`qvIZHMk(gN!_KiOvnb$YguTOMWNcAzd zuE55T_LK}F?G2Zm(y|yRv?DKsAtzxP_8F2_x_$_n3!&)?fRwjhQwpE`G%Win*^DE- zUQSl~J)Omyv`j2f?~^H;euksa;>yd6aSGh4aT8^jI$q4N^X9 zHMKxc)FnQ0IhBnaEOJ@X(g>5(l5j0I5ubJCVBHr1lQ&{)3e$`%_t6Lsf;LLvTbf+P zA6&LV^7hNJnKNGVwtru9#`wqUqvja~mqsfVqYXnnKfx%Dke66)1lTRkcwNY6?=BAT zmlmr;qvX@Ao56fQ->sTLRsDR<#uTT(4)PRcA1*fAG!@5x3y9BCz-*%O*U_KOIV?kI z*=hEEDJ>H>Wu7?fbpK?J$GuN_>(<1_(s-GFi>(3({=`v>?#Aprjfr2EIz6xwR9~jw zCb>-syE0y8Cru$<)h848Z}bIz4oDmFExPud24u%ezzgC9hhhDQN_55_MNnq!s?B*s z^rpKiyzRXect<`K_T8`f#VJ{WsFKZH1u~L!%W&Ruzr|SQpHP>m_4MJRBKAH! z$V2aK1g3w_K-2#MPO0k*l-!WW{T6Ynx@}fFD15JE+8a%b;CB)^p$Yut5iRAG%vmhA zPqTqLH^{)|S0jr+BfW)Tn~!uXqP;!&p+>r~aAZCw+n5rz}W+h49<+q55c|>z>*F*$Dfgfus5Q(lFRqEa0vu87ENzziNqW_2 z!9;C8jE(_ha}dsXECvZOKSXgN>b-bY?Y^rK&QFB>=zyO<6t^>|6Fmku0rDaFRFHd8 zkjfab_uklMYbZJG3O_60r*V)Ee!D7+!#s|>ff<|l4IIIIq%iY$cg2=ePRf1UZ1m|5 zOg}03)w26A$cqA^Gk*#^^vM)|G(AhoRpLB{I=P_#I+)jldo5{_dR|5BFk}AD0YFm7 z15qy(FzcNpY7>K5s{n+HMGOvi`EJ|)9S>=OK}}?INM8{C%1KE7KoocTKtG-GIsT0% z0#dTdgXa51InEzn0RnEYduN9BKgdnCsKKDB8R2&A)ZY1$_H>k{x0E6H7siQT$S=~* zD1TK$vG50fDR6vu7%yo_FbB-zr{NwET3^1l1^D?UJ`1;pCBw~2_JB8$Gu!TBLnWbA zjxD}kt8bk!$l1(L0WM!-wm>D}w%&yZOo7#axiFRz=M$=pa)-rwl-X{~|N4$?af1OQ zSqdl-`L3NF`!m{~UykcM(OAcbfp9;i1d#+K0L05p1FRHXe&f!Jy+5t7{XqnP8~GsvLY*c& zqt~>j2CRC1uOlNkJbeykI#2j-rshlRcz)llWKEX<}MQ=~On?k8`8z59a_YY^ug`I9fBU z2qo(&%a$_mzpf(ZD!6|51L!!&L_F3@EyI$iIu7*f#ysuPu~g*rPC80rKqjZh`vq?CXHphUA! zWe>hOJ@&UR*nmOi2GKpsfBQ1kIFTJeksmIhxJB3q?$l`@VJ^#hb!~H={pYrSF<0Vt z4X*^SLiT`4KnqA9F1KM|!YC<>9DPSFCERLJ{@-5h|GnbF35v9H3%)AqWx+rAPw`^d$M(oX5JO8Ce&p>o z1X2DSsVL!LPOg#y^fUfn9Z&!IHG`iZ)@|@WGym$j|JT##|Mky`Qb7@%1vw)E|F2*8 zzy5bKjIUoAAK~-FCP0P04UY1W;gZvA8X}*|G)oZJ>^*aW1(7^2v;sV{4rCWe!aMIZxyl^iYKlH zFJ{Ahp8liJdxwiK*1qe^VOjp?GVo6!5R{12Ij=oE2V-zU+NCmm-swD9thzy_^dhh; zE6!Sgb_~THs9(tW1MmH(L1P9t^hdP^Hf-e@%b#lO?LgfKM22k|z<{yf8i2@zG3mh0 zkPadUq*81}WUo=z#hTWr?|8iIV$FG?n{`#@rtMQpGH_2{zD4G2b@Xr77oodi^TnRE((N4bt zlgB;a>81|m=q|2csG@!c>^hvmeGC|OA)ZQfV=@(SE{(*R4%1?o#ekwGB|;0Qhq^f1L>Hm}Jn&Upg&M`ZB= zmaLIhC^sMkQ;rfSNQZP(@Ho`+!dy1`iov_n2>@m!%a6V}ISYZwKXIRVM#nSMaZ2oH z*W`=CML7F#)1WN>$|WFE#A}R9-uoUre_iJn02?Q&s%PK(nj7j1Uf{5(%necpS4rA# zkEHE^H-XWb&4T_h6pS*AjY0TVu#~2bWlT{5vT36(XP21R(3Z+=19hoxCGHHmxBR@@ z88B@t=KS&_?{x36-`|y#|NgMlc9Csu!keRAHC#*G>G-RV0I9s_gLr`N_E7Ho1#q1_ zfB)}~fA`_)Z91;5{yymBDjgfwP|txQ_h3HFEwE=|x_E@podT-xMMG7sO^}lF$q|4^ zb@$i%@|H?sIMI86lxJ&l_}H-iIltr5oFQBYum`6DoyBP7G~D% z_uR86aXy6^uF<|=Ui4h+03VeV2@N-9G!h#gENZ%$!18&l7V!0o;nf0M%c}4uKLM{# zJ>dG6I?&yzX#D|Rk`QmYFs~ez;5E-sRGhq;uus8o=S`oMPHU^LGh zC-z^}A^$u!r|c0ua>M9|HEjh5OvL_KT1a}(0GnvFER_<;>}~!PK+eI$yi*lB*Q(Rn zj3`VuiZ$vW@2i8G1+H>@qG(yp=eK&qWkTV-a>DvsF18u8h>uV95E)llnn26s#^Wkw z3~dbVr(FsK>}TeZ>!}H-BOrD$Gvcu2k@dALvvR5V3^WFl3rR}Iubg9GvOhxVOU-{h%{i&05z;z+%J#mfQnR%37~AyAjK z{^Jmbbs>Ae2haYiD5w;jUztIzr46u2D;_i!WCkg6<)h8C~Qj_%}^Mhq`1+VqbA^FQJSh8GmtCS6f{M3Xi8} zX1ZS9S?{860fWz+ZX@AqG}bd9?hS>LwR!pBZHX;#og5B36Vq>W&RwubR1R5(GBtwO zY9u-FP+N$922ghEM?8Z%HiEpGv%{xSTN4z#C)+ik(HFYw{_PKL6U1&7W+}8!s@WB| zV4}uTgd!@Ps(F`4cB89C_11Z zrcKIvUYae3isb#@6k~uw2k40`qRx`$6trN0b6hy z0gd9}2dd-;R#0dNZM-Tpa11ckQj=c$!EYaciihk3g5ygQ@IJ@#=b3*a_qK`y5c<$M z{AvRLTksw-*dL>#3KP{$ZXyc}+Ft=Q%b$c$LRDL+?eY%V|J>^z`#1w(>TW#(c1ubu zfZ3VM*7^TW2aU|bqC4P%F3Z6C`ajFj5^)5Ui0-pqK<>i)0)d3XujowQy<)KVt&x{a zsK8ZNcJVcCk4fzy{PLmqx8MX{fM_O<51`EAj0>*Pi4A}l2PMn!0=<8;s{g|2J!1Ve zM@mPO&Xi*MqdXq-A%NLDyF4YyP$+-^%!HmKNh%$nWHoQlcHlA)9is*O2{6{{L<$-w zNA4q;$f0o<2EdX7TIt;tXcrJesoioxH~&_MW9TPPIylD|0m(+9TPvg)(dC>(=g%bP0+elT^tGNFxmb5)x9t)KDB%`IWwHhao07 zdx~(^ml0o-ljBZ)7hACNZHnY2E$kWz{+kc_WOj`qG zRAHyzfMd66?Ek!%^~EtyA27IAOp{+-v(;Jd7aui*+Avi;+<@^=sZ5SN#5c0bJd;{b0p&8A#@u1%{P^pP9v)GS0+^*(1SUHhAw^MQQ|9 z5_qJM$b@Hwc(_FIMlR2yDUUBKo(*L_DU6p7IDo z_o$7qBZ&BMk>?klYd+tlc4;DD&AG^F@WdTUUKF_+qb0qzEm@7mv5-l`T|ev_CFb5z zfgXt*g;flX&$)qBr{a~90qf@6Wt_>tm>II%U(-+i!2)QgMAZ>FrEHzmrm#HydDK`b zFvNFgfBEd0=TK>|zxOX9F-aMi(z=sI>psX?E|oh6MW;H%E8C}r(F~n}R7$^!5AG!E@};+Lfk#onllNCpIcfp9-v zu`VBfsFvE+H8(i#$u)J%z}$m0CO=JliQhmN&J^v*IzMf&;}k@F&VFmMYDZ#$X_&eh z@}W4oTFs`f&yZ>nOf_NNbCC*xTWE?y9$a2}-tef+M_YsX)=9C|#OQKlc`ktO02$Nq zkYqNz$5>wjJ&7}#ZyHd6??6vrywIlClAywVBbZnNBtAQq6S$qSKX_~;6P&0bhi_XL z)diHa^qH<2N3QlcDuRo zEJVcL%ZG!9&XgD-#Y^kwmJuz0tBH_Y;f;Wec__1}`KdPuZAxAOH}{Fgy+d^5Da>J)cd)(YCXPt=wwF>LX3WcbBpOMBJR)IzgsieOsbrk(<$@*HuuNA)Dxj;Ll?RSkLDXdUnui<%^7R-==$3)XO%r}232H?d)fqF|`Az0{}Fx?h20H%NSWHS(LVH6D71=M7)+(h`z`g_NbpRwC9Nj z(@?wo0MCbOZXtAOPL9fh$1QVWKT;p}*f_Pk--Vk=yDPz2G#v}!kn?PGc-paJa3hjr zjG{5UMQUQ6jynL3TR(M?DwA+F=#KdZ;eW8Q{(CE|K_vzMv9wK%S6 z=ZPDqI14jHSaX$gfFoc2+Rpj>I}RU~-ZnJI`Pa`HQqw9*Myof)Na`F=DHyE=jite$H{LE_SvUw2xLF~bgmu!q`pW=QQbw8luS};%? zGG29~uTz_LBb-QbiuiXe>pvdnFZs{dU)6B=+%-jEkc%~@$$AO{k7lxi+Z?T0_v8{} z-E8F&L!qK)E~KGKfhdpc^)ISo1u{NAaz4qks``%X*%Yz7+TV5PRHYh>)GBLyar@%h zFNl&zYuzK+)<5#|8#Hm0S$V4bNhtw-0K10R+cmhnISNNF8*?167V2`OXx}RmeYSi{ zEPB6CGwrM%*?}<)kJh~#1sx7c#v4h;!17BlrL_>JDKt~C?;ta%+z+3PQSdW(CMZy! z^vGJOqR8V_<$K}99NmqDjWWt1>lRz9Qo;i9g+VjCvL-tnNa zc2+$5Y(b578pT|q@Z`078PSBbh7WZ7G|n584CLx^RA_^TLx{p#*OGN&n0}@ybL9Ky z@QI+wrD(ytoKIqoA#PWmwu^JN6D?@6l{yq$W`F-Am^WTga&(GG;NfcmoBnzjhTR(~ z@3Iv#v(MKo@!Xn8@GD0;W-b9%E8&G{Dh8ywHXtayT(uw4ti z>YQ6n7*s8(dah($JR(VeT`D`uGKLD*f~pCyqi%r{g4j<&DlpZu(1bHy7RRhlI0(%MnIjY-gY5mj=n3+A|iNnG{xJ zzP0`XORxL%iZ8^iw773UtcO$A%rC>I_plyhOZt)?Vy`&%@Ynfw3)fhOK3sC%g=1m&r@~PwoUxe#$%=xn|u-8h$jU8Da9*&i{kek4$9vw7_hCm zCHqNu^J9k?bFKJ%q)+}!MVyu+W_h`cyrLY(FT9W53m@K8JGS4y(>{F#LoD02mEn$y z4y}8o1mJ%jCt18FbA8%SShu+l_3j=PPB#AX%@6PPL0?~wY2|7RTEDoam0)2Cw<@Ca zDslMFYiWAZzYKDYnEEQs(b%2&iKj-U;SFNoyYxDnoM5vUBZ3KmY|ktdzvpwWYh53O zckvl-7L`APEw<8SJa~(0^({$1sl0m1_uP@pPDXdnim`TwDYImuIPN?2o~)4*;+9G7 zDEeDq_ms*ydw=yuk4TMVgHI^uW@@x-@mQ&^znaK=%t-pCKWyWsjQDO&y$2!P#{)Zp z^QRAP57Fj6V{ID~XN0eflS1uODg~}HHNNMJ*ViJo3-h$ov8fMdcmc(1{AC3NtW&r z9{EzE)V@X>n>%U}Yyb6`J=QH%XbAnXD844G`+@+bD$M?5;PNt7WLUaK0)7 zkoKQ(w*Sj((220O);m~eEb0@F2w&1mV{u>tLD$;WkAfFT3p5tYRtmH$;Hs3D=z`bs zBNx>Nkvmd{9+f6#LlipVT{$fEjaF%=B5)kSt7v0_($xynC0+>2r9K)4JQGfqY~qc` zyC8t+55JI6cmFDe!(sUC_C|WXDrAaft5SWUzdi_EY|;;5xkb=Bea>}>IR}!XZ#9`J`NVcIEg4TBgSi-jkfh5goH?v^ z4#@cDeOu_nXT2oImu-}glK}Zs1JVexVHNlZA~n8)zJBzURUedMDhl8`%h6Z{Yx8q$ z+*o-FRFUL-qsoos3#e&Ru4cd1k!H`bl^{*tg;z+>)ooEpr48RzOH6K5f0@I$C{JkM z7FpPf%vTwmKMTewrZQcDf#?>YzNl}zQZRFMaOa>J#hZi-|zAOGM$bn@BnLQ3A) zrow@HA)KiG1nw?5-xc~Ai<00*19=~&9mzMXKk5_lQWIbB8jd6Sg~sTY)EzFQxQpGF zOn&v!)zG)y;FtYX{w31+Y7CqbQ*1xwnonIEF&y`U?js7nbmEqHwJup|=z zEhN!KVeg5Su!cH$Znk~wxEN-fzxM92Y1r7L7wR#OOLIcE_9jW)L`kuX*VKZr(hS5`ZjstN^NMgD6XnT@2VvtSZ z=nc2pzkHcVx-dq3aAx?$5oz%5D2?XODAK6nA1|D|ZCt=UOlrKic829JxnwrI&g)&b zUS(1I;y)XY|5(1j3)BTLv)uJEVqJ<`A1)IzM;fkghODNA$t=C74=I)bMF?6pPKTu6*vYra)BptD0%C)$C;q9zpvq8fg?m ziMvq1_U3XcUN0ldye-d>rIT+^-jyq4BgG*s>b7KD7=5vK?hSN1xA79DOjeBF^Lxz^ zjDBvzZuE|_H3mcg~iBLr4V(ir0Put zc+Qf(T6@)c()YS0Feb;MtGC){lK2t~XJq@nn5I)?&W6T{*M2(ErO^2+l2U>AN$t__`-2kM&j-VK^rirOS| zExj<_$K@%O&#!#~?jc9nw0_V&K=Mhq=;M#d7~EH_rX-lUjlnxcVZc^{x#3gr-GtYE zv~0?&bjPd@-{(%dpn)l_J;v1T5%j3f3N(Biox7$C$~=fnH66!57d37L%^xk;C7JA7LU@fNF}P7F3I33bhW)DIO5CaUAMGQ?l$ zy=u9CIc$UBj(>i=@1%a+hET29qe_Q6nSu$US5p5?;*^SJ{_B3Fz!Gry_R;g7e1iszoyM9z)j}c z)h^j8G`C0fK}zG>ff3_%S;;%#6gzd4>8Uph=0Y~3Uld)paTWU2u=nkN$bul$^_){s zNlH?(Y{@Mj7MHG6@vy1%Iat4Q?`n~FsNt6Niltp4>csYV)@MVmH`^1>qGt4G1jGm2 zHeThm$LSD=6FMbUhcRX!wepPpvPX zN)CKteocD&FAbbel~XHpCeW|$1x4joAeSRWyjlzBEgR%t=&ug`;qvKxq$8*Wh9%eZ z@-qP!RH;98=_8(wr@ba0-37P7{Gzo)mzh)=&2q~H#8r-`c}U!3xaMg0vkP2SrjXgb z3}uk>YwY1aHaP1r*6Ve4_nFyhiK++ay%Gi1O5|E!yaK}$M?pgjn~?3$)hvnwzG=s2h$>pzPxWW{PH71N=_-1F(Q?%6`vqsz={133E9%lPu?vMlM`XV|h6 z&G8;v%WYt+wR}4h#%5S%7WN17C#S=;=UUz3D7omb-7md1PO?5n;R^OY(_u)tGPp=| zc+B{U;?2jUkbTQEo{1Nx4#H4lJe~sWDr;ADjfJfvo5GZTx;PqSes=q+8K!PtYu5YC zY*`**l^KJe>-~80?uOKc`?^uEj%K*;23U|3Y#0@@!*m+7VL`%U28EUkfaOf=jVEB9 zqp07;yx%g4v-3`nPZLIx!`NSs;J{z0$S`-B|Q4h#BD$x+Rce z*j~<~kpF`hvoAgie-C@Tg2Jj9LRf56J68RgOdGo&o>BN=nLUVi1T^)mv-zdVH?W5= z4bDuy(aGxo!#>N-sq7n1!THzeFY8Q=?-yzF4p9r*>D`R=ivLPK9kb7q4%V1B54w2+ zC#aY_KJ0^NEo_Dj5rB+AB11p@V8E{LRi+@$+E=LSL(+TP_ldrgypA^myZ?!xr&}px z$^CX}vcW4$(;Rvq4AccXFqby&P{k!Pnb5Gw^+j)s$UHla+EeH9Jt|&Yjc0O(35u#9x`_F_jcHVoOaG^|8;r5zv&Wcnx6#L_ zfWKp4C*A%72KMuWk=FBzoU7=KBUsuj2p8YJ*^c^w7&|It5-Ls4GwzWrsoL|%<{=!6 zMWTkMXSxdHx6Ucqd&lp~Dix~hJdc7VM66RImpVUxA^ak|+{z zz7yb8w|IozHzvjj#sUybE(vZhm+BK%j8?6&%Q#)tW|(s3wI>xBvS%~!Qe1NONiui2 zdR4Ut)Y}wyu^ZTxU|RJl-;1=3e$2koSc})u;EJo&==WP8yzR{x765$W(;)2X21{*j zl+x=9tg2co`R`R(?hF#NJ+iOC#8E|ypAb*}od>&-a~gAF6du<32Uzk~)!ie=!gPD*17?pr^S-T=o&ZGTb{_cHAUQLSNpw44vSI?VZ;XYwqhe01@N zIal{gM%>KlFq+Y*%qbJ5NJ!Yl!ByTD70ahx4l0SMO-i_}$@Bjg4z|V&^=8Vj7gc1+iJegZ%N86E zoOrlJI2k36;23dc?=o`0de~4o4;li^U)(AUyb|oYo)zH3@?Kb45>-q6IXU|eWjiqU z(!2p~KYLwJI(A#P%a@RxpM0F*XNg1XOJ0<%9d-$;xfaCiix%;DmfZRa6LKI9-AZ-H z{YZ-QU`!dO#<9T`kG#jU<1&SE)Gle4jJ#LJ+y?Nk&Kt4D!QTN5SlE}FEBF6gON zRR9^eyURY?VbhO>I3tRkwbEAM1F8??87AnqF-#Vi(`uii@KDQ=A&aR{viZSqmbdtJ z9q-`Nm5*98*dfBqF6bKAIqzLr1v$ViD^2xjYT zLd&zyFn_yM2e#R_wvFfAq)M*!+{B!?VCQ%SPUruY^cwoydE!p0Km`Q#PGlM)GHVT`h8sIUN);wb-q`_%RD< zPQ*oY5V#pNyGCr%H5EAxQaWcYSxL?J|Acw9OnG+$C2n?z25uQ;rOg)>&k%0dI5(ra zKM~zQge8dTZ<>A4UrcIe>Wd3>1g8uAViTPSVqmtt;5pYQEP&aJiISZDRR{izgdb6K zC2g?44JwP^7nWme7M{H3V+>mwl;rI3+JX1mN0J1FM2{#7Ih6qOyTR$%Zpvvjl0i%? z-Eh6LSl33^N@2)avgLsX<-Y zy@#xBlwvtsp1osrF0mg)G>4)p;#Dju?qHLtN3XZ&2aO6M(BqHPeWN!cv`-Jlk%b zt%do2LbaZ8-@S&pfdh^Y{>G`Nbbcj_HJt7AKKXQ4kE#WhZ_c#0}3lOhopI`>0;OpI)LH5eIf?4oafs}^BBrozA>0( z0#Y(ms|Iweb;ctZHR%l*#Nv-o0WMd`t%Nouc0BVe^ewIv9#0?`k z#dT*ry1IR&Eh24IM;~`@1&FgIJ&0;jJ*~!H&|7sN<>rz%y~=pjc%d(e2JQMrT$tW% zP{X}=G*Q_?DmQ`3J&i~9y~N$dPeD=F&!E2@tbXHvhl#o<4jH}yrKR@YF@n5N0&})i zabMMy&U-GH7PG|uL^^{SVq;Tsj#_NfU)b~eO!WPlA9|v+KKdSQo7&qJDLb!CalH5l z{)co^YzLZEgrF19$P}jU%jYuJag~v>Cw}u>z+M(74^zPBCsfhGO&EA4^-x&+?}XM& zkDE`3D0)&%xoXQA)eR)Ef+{F<>6P{>geZ+BVFEW3%B&i4Cc<9$Oh&rV3&#sWZ~4vh zXVnPTMUKsV_8M#3J4p7_`M)a^~qA9o@gnSR|$>y#CA9XH42}6D{`_TRvEe2pG-MVF)xQiFw_G zP52FA0TlD^369xaSd|w8OGxpmbd6dyYpIk9L(Fa0NEz}^Ywl20TjBB3ORe5qb+IFI zuf@&oB44euQ%(>f6;q3HH9Rk-c$y==d3>Aw2yFaxLA^3#FGhpD4H^S-^>)07(k#a6 z)jDV_qG@T(q_8)zD>}xH*92^wrf>U}?YwbCrI;#s8>W+QrJ~Tao~9-xRv`EgioG2h z_~_v%hVtP$tJg$$Gf33awoCi9kYloKq{^wLbHBjh2|>(zpa(Aa%Cbu~^Qeb+0w!=I zm-^#Y$lCsfWxn~D)dmNS;Ea=PDuR!hkj>Vkcno__NjzAsSN;iJJpu5ldZN5$AL zfS>BYm&84JRQWM)^n<#@39w%(60udDJwTLLZNuK-KB9(R(9OdL<0=V{p=WOzZU2Ag zu40@2!ClpKG>?$jcN%?kB_a|$2cHu~6~?-Mz$QhKfPRXAuN&VY3SF)dvg#96lH46k zzP-)6?!tRNex8cuKMMr^c6FoaU_Hfl`5|W#B-aKsAzkjE1^noG?0zbD+6kBhQ;2il zWVVhTw{E!{yK!rxijn-bt9EFdQnR!DlPrsP5A-C;>gMV?(fp;cm#zDUf!@@5%P%vhtnX0@Hx*5j95RM-40dmhAy@*Q5dyKFrHg_%)d>r4AL2V$`yi%MU{D!fg!HuzdD zFGEwrqX>+o`b~7~^MnsGT^%doJ8x&-ap!8hD9Zoq^i-EUT8ntjMOUMDF_{P2-u*9U zZwz%inPEc%M}yA012)%Jp~zGk32afRN>l^7*6f4+#gd-R%a}a!j~AK8rbuk*P}St! z>UskD?$W5F5kAuf3~PJq>{qT~q&~eNR7%D z4ZaUM%&JCO7?V;wj{;$rM>(F0sy}+5o4T%~K~iPzE|zEbTAdwuxb!Eso0bWmw~P4# zjpsg8C$FwueT(@{du8fTu$=fhT}xktwX`=?)QXbblb1!5 zm%}PGLybPpeVCSIJL#(UtNoIaa;he=vC}hf@#w%#6F#w?iO<@#prreE{PwSt;1auIvCZ^hPWE=Z+5N9dez4j3>V7KzGhX#|OdJ6=b@p*sHL`l}ErgeT&A8kw z6$6WmQPWJ*o0;#ZM}s=3kx@l6GPKB9o(;^Ru5B#t`5^V9c3*5{-TF zs@_YcH^)%4CHXr0dGP(FM_V2&X}SpcwTG{&-`ppNF)(Y0?H3O?v84GhB}sjQ(vz*h zPp}l?BH7VCItp8C>8H?B=RpNp63>zH(f7rsIgNQR@tKsxaJarN_A1|an?|lWM@=M8 zv56i8U)#vgOUgEzed;qoZ&j11Jy)L>q*7Zx^1vSJz>6P*{pk^oW^YPY6mi{)Lva*h zSZ5ItHt$oOVa8jr9Q%Z`p@;g!d~NChHKz=QtqrPa))7qm$f|WCbur}0)lja{F)8^;x2=Tpm zr+_>+!C}BpERfp(LVt8~GqmnLW~E`QU?87K6*uTH&c7vAP5(kBj*XS#+%4b2_O*(! zKDKR0NEexQIooikz&`vC90v2F;~oBrq@vt4n}M&dKlE2$Kx}GAz{*?km}OCq^+d1> zWrF6Bn)ZpBRXs0`VI^t_KLwWHRm;4RQ>6$Z6y-m8h^tkH7I>nxhj{qClu2@) zfsH#4z>Etnwe9QUAMv`jCt9A~{0|`0t6}Hu+4elk#tPXMT@L(=JO(_dV+MIAk57G* z{X%=myGAslJRKefv?CsS)7`s7HBpGW)m_VEvC93@g%)PNi`(~w+hyvmX@H(U_LX5+ zTJi=Z6)VL=Gj$ZMN=Lk9LEwP`%41fJDZe*!3v4*V#8==l&~s}!uYkSS)`3H~zIkd! zL|pis*=2QZdA>yNSB}kI2LdvMW5uw%2^0>zMeixP71;johr}LAvpL7QE5&V38sm4< znOCHK?J4=v@-o+YWH=W+xhxXiHA)ZKw;lv`;0 zk$rXDmSdnlNo?3KA9fxHO$6++C|C9FkjP)2AW@L5aGW%eW*bMNr9TrXeINNMrn^CP zzL)%(4J==IEJqXStD2LX$(l*pGJ`;lJS34I7=;0?KD zgmFMHy8+&_Zp+qRw4mGQ7+3xNs-ODF!KXIRI;4v3yKa$5(g6Z|O7lxCF5I~gF$>m{92k4Eh~@oQ^t8T7GBEYwrF<4^q*2XQ zW5+4C&Z_4vK+=sPgc8@ZLQ>d;fHt$B?%&H)x4W|3}R0aL}_LzjB`cxd5fBJ zy7BA$t|WZvO$4A&Ki-N?G@gP!=}cw-%@D3gsQB`WZ`~cYs~>odxdfn@culf*AlcVG^q@ z98LT0yiwM7yYh2Pr}PbnxHN_$mqPo&uDE5@-_qC}&8g_&7{c2FSK-ty#jm>GrzdO6 zf!2M`0KmC{y=icch2OgGLD=TYqCtzQnD4Omse@yIHe^vrNS%_vIPivji9RMXhmUY4 zm5Ogz@;ym34KF)u%rmJxdjByV%`|chO~frfQiCwCz6dj0Pxmep$o1B!LReltSY2~)=f#+Z<~dU%ogaa zyb_x9{UUIl)@(PTT$zjw_aMiet9mXf-#OqXrIAwr=1S%^7>>VnhVESn%X(q@7!SXO z(ZsoxqVWj6*9DopZ~Cj`sh_9vgf&Iw_dX70-@3H);x7DXLK^JD!p;X@PPurU=Urmx z`%M!C5FjCP^2(L3B`jw5n+5(mZTtWq{bb z*rFZ#NQ)_$FG7npgn>@{Tg+oxn55r_>c{PaInA;#LGmL;Sa9V^5e!{i6?XJ_ z2nuy=%&wB2RJ;85DS6ifnkSb1B{G==J-9XjW=hX;`vJta2eTg7gzY`Lh+|%8{2WhON;*_}Poc)MjbzXGD~b zSx-#k9mgsPqQmwS2D~HHsPCKATF3u}0mF~Mh?4mo^EpehGoBkQmEoKkxGnB=c@Ic# z;8{F+;@_Ow?1_On42wJ1@mO_t$Imi8jK+J0NAHF$@F02r?6_3E!#pz9HvnQEg>p{~ zhx5HJH-iroVHSYC_u)&~F3W>1wro#|jYOGxyv!z{F!F{r4>jjYy!(;uanHFvbdbm= zdjQD$L0DR9O+`nS_%n4GTK>CXta3O9G!yc60hJkDFUzXA^-E=86@R>10L7%(OxZ(J zk=u;a*PVWn5iZKE96;Yc1MTQkEjv2gyk^wptF|s1 z+DbF({2{cg6vUJun^1U0KGyVzk*cOJQL&p9oh!P^?2zxesnVAuCX_eU_>snzC;x?A zz_weZ!}uzC(RZpLK*{?%vhss9OUY_+mZ;2jxUbqAl{F4Ta@9n-2L7M%^*>v~3H!{h zqFb$>29!d!!b^SrX~dSDMq1G!Icj5*V$mbZ7HHx3$Su(KVbi&TM_44A?xZF$Q*1L} z)lv6!$iS{KqqXq~mi0$zDcwlV@lJR<2%&ovbws9?S0u=e4w3Kqgb0qwt-OrGu&<{n zwfq6Y_eX#KJ`l*wyzTIvkb?bn)jU~Rm||3J&Qn{Z<#>ID>5GbQ3%yum(^|5$9G*pW z=|!rur{BO*%yc(J+Az>Rs%U4TV+bjMbuIdeh%d;Nv%Nn`2bZQlfAs=S z7WwhYV<*mXWKR=|`^nL!r*@RZ-Lb#sIXZ_IpyaGYt;HJiHO=z*b+obxH14D4&U9Vg zTmJfmP*VM_58S)hp^?JV!!fW>_ey%@gG>;iLG{26?V}d>uGp&mf&a{f9oT!^Xy7`1 zB6Q;k^n&D_tF4p3-_YNS)50M1knZ|v8gjw!%X#!STsG0^GOybWIH5KEfwwy)xjW zt0E@zBAB4A(cut|f>$vb+$It;<9d1q^x7faS@FdEC(IORv_lxo~^5+ZFLUhq8He=n< z%ar{qU^^@`XINi>-RXH);r_Jt+G^|PgSFAGVO?WxiQm&!BcfYwZD4s8I?IS1zQJtH zg(;lQ^^eJCE_5N16I7a>lY6aKH;gTerD#m(OvL@6*OCcHzh@I!HFPKJ{D#mMB2*0> zt^0@>rkWxTNzfv9e)lFCM^5>6v0&VwufWOq;cG)`;wOc?gkc26R8S;GWixLEIiHJh zlGq~GF7ar%6qc9zGR#i}R6Ywh$Kv^}g}a$LTZT8-k91UK^F zHXf61c#TX-2YlZndn!V}m=#4P{_q^?GyTJ#Ti%jQ%~%Tz``bLndw>Jo!Xa2^7H+5_ zd&tA|C|jz>t;eh8%}Ydmt*v+V$}p*ER{HXh>0W*o8@(-)UK0)ZX>nge6&5{pBfUHi zPm@83d6562+ABWh+!N2!N<53;%y5OL_{VXrH9|O(ME>+xkGnFi4&mjm>0K9Z{D9R~ zMVXwfLd&GCrIlG9v}I&gdmzr7b$qw!KuIe?LOSFYY--&qQZ%`=b;4a9LJQcC^7Y2s zldvR+SZ?CR-N$YnoDZH~F!_?7Az*CL_a?Ztid4^$M>W6w8c;JHP_7g$_OhPW59UHB zY|n#)1il;I-aP9In-*_0j;ZCx4>SJKerL>WOr9lUrV3LDdtI~PVV#)XGTEj|9 zJjM1_rkeRNZUYW@R!y>OxD*^#Gi57#Z7u*&4%WV8i&Qyr&h?)k_FTKJK{%*WTUDPs z2aDXrUFfVzEjh9!C5;+AHa3HKiMlRuZF4UNX*%_I7NT(~b9$M!*&H?N{B#MepNVU5 z#R#!adW&Do_1BQhGo5(7$HrWpBZsxq+B%+O_@h!YpLi9I>}T=|V6(E8g}r%t5ZKxA zQ3u!2VTkN(d-W;%>?iZAn&s}s+4H;aVhF#?q{qZ#jcK$!wfQ<9ug^AmGE_wF_^UKK ztocOz-m1oItXcloaK3xpANoLi(sz4H2r48?aqoj_1-i;RlJkmOW$%=7g^E-B_i$R} zj8}LbK3+!Oa&3G3mRJ<)ghqgbn|?!I{GoIy^w;KdTie+u?}(=Z^Hf81r#uiPY&alp_Z=orV zHv6{c=X?^aikb}6v;GoURgG6`!T)Nb>m;f5i^Xi6ZTf<%2%FmL)~>4F%CkiU#gkgL z)-01=4n9@w{()XA3ug&We)UUHl^kmuhWSP5tL1H|YC%w-(Yr7{+3f-`v?kR>`BV4S z18vc$mD;Fp?zAW32R>~zlp2L!8_(aR^!jVVzCQdB1zyFHdueQ$xe0hs#+mmq!)q&>DK%{VhJ{5l_v~4fH6s}e;CLhZl zs;D)D;5~~XD{go;C;VCTf^)5zrKSQ`*HrZ*R_f~rt>IVtjajGHTTMYkUqk_rIsFPV zTQr+v6BYF3yDVFd8*&b_NHGF6Mv7*Z4_GZ#^FMGmmgnE59 z#=madR|l6O$EdngB}r5}X1e$dIh#?`q{`;ZPA6+h=Fea}Eb$Caom*_2lPW(hh-ZXT z@w4Pc+^Xe=woHuJ#^DfO66E?ad;)}RjTuSt9zCbPwo|@ zJIjE8Lzzp5HhLFbF%Om!O7z97C?wmVYbLm$#V58%C{A>l3L)OAC z)sOyxwj{M#-Zg*4Yay>gXhA3Xp!h?G&u0LQad3@ekYmq zUU+Qe((H4RU*Q}6ZftQOe+-u9UVOR`Io%w>D$(!YXGVcQT-d4w*jX2sCvXbt)pLAT zOWJphRIKK_pgzCX+^7<^(G+uY{2JR*o9t8k8FKQJJSEf_D-H*`spkiD7$~MHAn) z)=oNj$2jTHb*-c>FVx zrW#`0-cU7-1ZTZ+s~YyS&K%{R5s^tLu_hjkNZ4a16>Ol$h7|xuKb(ScD9>p= zPxL0*Y^N!Y2``}7Khv=G#OR}sVr3nS!gOLP=>nX+VZ8_8O@gEPvQm!8&&)1qq>P5AYK{O*VC1P*ksw6;I~OSLC5@l)#TJ zKG4t;;qOhleV01y5n^7mC&$OSeEX9c>SnWg9aNR+;^Hh(k-^umJCl|?<-Srw7jDzVu_lv+HYr+H1uE~<7Zn*fA^E5Z^NmJ{XNaL|2E(IA56mk zcuhd5aw-PBoszjH)MD8>EQU}hZWtQ9b#A20Ci*VvDUW2HMna!s8OP{CDFEa_y4y3fVrLY2jYc*W{GfL%1` zif!lO%$??h8)T+tigC?z)07*vSDV}x3eKFR^Ji9!NHaQ#mO+^S8*nJN}mJ5oyX{F+>VSM|r zMe)Pq{65to2Rl2NxUOFJ^b6t*QO}sJpi;M(Q`z1fKoBfN@0760)bmU!U&~V zp($}9x5l%#DUP6kmiivK9Klq2&%_i`8=rYSuEuJf=E<5Zz6i^zZx24^_&^zW{0o6T z)&7O>@q}L+|=O$ryjC`jSc}h)GCOPHyj9 z0EMB8_l#$IfLSb?dfgK;Z&9+lKcZA6dfw1rO8D%@z-_?7-b}D9Eb``G2?pwd1Pwla zY#yPEV32DGf!NP@xc{oQ(S;j8Xk~$-#X;Ub_8&C3f))f+Y|lvf4ii@?5kvKt&5JL>V=49CY2yCXpRJTAl|{C3MobFRi^*xkETj_}Ix^+w zFg?r=dZyQLS9fWqPu%JsEC5)2mJz2kDS(Gm|KC85sp986LBGYGxcJe1jUCcRNNKlgymq4Y_rM}g($kOq zk8k&%^a2E|#Y<()%$T#G(Ifr}4aw0`)Yy0Xlau7vcS|o`y!cl4QMJVt9;l|i)p)%} z;4pmFeY8}(=1;z=g36l(tCu>oSXpnRG&CX`9upB8rD7i;yrrKPhYr(%uyFJB3%C0307H!z_{IaU5@h-yUwmvc*b|0)>IR1DIYKxP=T z8UAJu(9H(;(9y8ebg3UkteUjn}iyr~tH>|1N-}Zn#<)?cln>6*MFe3{x7ezR7=HNGb#<~p#D=I@Sm8lma?j+rKVm! zG0?;Mm*@UZyp{jkyHre-iJRB|bJ);7^NYC1q&B5IJbe`%s`sxH)BneJc?0=)1SyKI z{(tt1&jm_l8EG|%Ryblp5M&;*EBH*>7YH^3a8}DEQ2tHJ+&VXPOhY>CJ9G@KMK{#O znK?N(Au|$Bx(Z~u0kAwld}EO>&Uk4qx zc4O4e0x%q-n3d!33q2sA?;Ai{vY^R#7V15=xD4(`+*%S-zm`iwvOPQU_g{PmSc=8H zNbR_5nBO^K%f-63{x46!fAgQD1TY02JZsBUSq#)HWP2mzDEPSMZ^zlwXBfki2@SYf z5dW-61>ZMcIDB-%flk-~-_rYVIr;-#XOV0p^~j|*}UH25+n zy?icW5q<_24Xt1LccRo#tr{O-N{x> zids0ITo0$&-SPNm7g+BP-IW7wcs#E~TY`q-FwcD-C~U1@on#wOId~Il*@q za3K^3-c!m8JI|Dg?^M)c^JjK(|K&CF(SSPbTJ&4Y`TO!$D#&GJ_aeh+MKqJW7N{n9 zn`fo8Zp6c&M$hSkuND#_hW!v3uYHFxtR~bSIdT@Ac%%$G!5y-2&{FH!LA^Tw3qD@p zcEH+6AmG{lG5)dgJ3LP=P_qyc6DdW{x%7F?2DaCLxlnhZKV?G>=TvgLgE8R)&q&GNw?VxMfHE#*LWW${rO-wmTXh@KhGiV@uf0o&E|&ki@viWL(g9U6 z{xlt0#Z-&@t_r!%MH6?WkKogk-~-HJro$PHxD@&E9V zfXk}G^pKfajHh z6^;E<2lE|#kanHzN6yTjl%h8uT=?42N_)Mgj@J7}8fJ6Uz-8y&S75@szd@rBW~4%b z%n9J+=nC7e^@lG3BUN=m&}T|d+NN3#Ht8`qE*>f|QoetPjEWHAv}u@z2~Kjb>F$Mi z(+Ol}%UOHFkh|ssxMS$*Y{HoSWHI( zw#YW3KdQ`tLwu)SFGAMfMM3K+DK%r>Y_!Izf87Z9+G+P@nH_sG) zus?k9Wg!1mO>+R;8(he2(KIPwm;v>am|EbbN)hd*Col)&@rg^6WDv3^(_=y>Dp4{tEuDP5D*)pg?yvdw>DsVS#-cYQ7WUjTiFZZL&K-h=>AzG< z#28}YDCy@_eGgB@0u=e*`g^o1wyC8HR8=S8E1)mMfnBj*=>)WHOZd)J%miY>*8h1= z`X2*X&!qxry2hk2o6mYCJ4rAi)qG@_a^P|=3*a2~x4}ully?YU7b|4g|AfC5&CVW$ zw4(^d5V&pEG6*T6lJJ_QW}#45{7fQ%3^lV=>E1m|NC8;t*I*5u zKth#daec7K*~vj8pia}O7x@qe*$PDP5(P*a>r%C~TwVj}=2`tMC3G{J)#~G%W{z~Mx4!@(xuny;W45Xj_Sp1!n5gr9Qg)9R-M81JD zCI`!3yTdN#UxNSV`#*^I|3N(Y$6x=yUIt&7sB+ToOIYCv|ERuG!!A5B7Z$&RgfYI0 zY(iT$Jt1&`3O$IrI`zD#j~93~qepLC?|O|)RD4KZN&0=z(cBm~M`T9s%Rz5dOEsqcz|L>YX|E z2E)Cgv$H~#JjcBaz~(6dLsfi%a$t(NBL?x*6UQB`fYx#E@g>Jp*f!bWa@|Hen%x~) zj+1pZ!_TWvpr`1B%aZoqT%gjlMj70ah<2uL-{4A0?C@`0+@GAx&cBh$<$3V!gWEd* zG$^GMOS&$o9KpGP9clyuly%>FA6&2V;HsiXEUbf1G4U&n)_GOiJH@5}Qq|5|Gp$}W z{5jmrbP*TcI6s6d*!~C}_ublFxfC8pr&39B3upGjeJ0^oKfweV1!fbXg}a3~uC#WW z;%4*?+=P!2c*FvxAjIn`7nZabTv|8^rQp~V#d19FT*QCR5gJZ|G}`_l0Iom_Vb^&t zY>fXP4A+Q+aQapI`v_}-WWlcY(8Mbsf%aYi>&%2|!%N{z1TN1i&pe#Mf{(3cs3GhO zP9X&An7P$pIt^)HCEHD3df;-;uZqH-^X{vXXF~aa15+jhx1Z&$)X}AtI*zHJ+9zxd z`ut~y0gkG~$JgW?>F8V=yt_Vb2yF-X$XV3V&y&gD6$5v?<|#OghOiL4u=ztk5gPr0 zB7_{!D*@-+;5-#LAHFh!VD>b>9$vh<5!LNSuQy{zJc(1)e;C{qG-XIPNpm;>x2c*H z+||`Nf{t!;7DZ1s#5W#dZqmnh|8|@^OHRY^e>~m)^_c%R{|F#sP|tlb`jt=+*-85j z3zr5*j5(JO?5*VaDmV=gylkqS;+Fc)W}7B31)oRbK><;zlMH61ZUo$`cHW&ry&z2T zOk$!RST2|~Re=;-y;|D6n_%L9WQE8Lf;ozohbx#}g-F#y3s}!%atm2fILA5Ke7qvV zqiZto$y1TESp7-|V}=v>IJj=T7EpZBON16i(A0NhHufGu`bJFl;K@Y+hP2%WlYR#_ z%(m!*Ln_YQ<*&-e2OHd=-0&*}-|^m?v2;aUNWcubJ{T0;^DAbdr-s>C0tkG__XXlZ@l!ND3PxLTu;h;Q)hxP^@P> z3k(aET2z8|2`X;{IU|2XDRV_SjDKKm@}~qEbQ}~5nl#ez?Dce&!f)A$#Bo-`ENwo) zBD`eaJH~RO_e>`!upANM+fOM~j*!WL0bvG2WmK-m>z`|L@w_X6L}~8Q(t{a>YlVF+ z@Cc!iQz#G-5!ISU`j_}iz$gE#Mtwa9^9V5PyT4jRcVHmEG*C_V9Jw)Q{`AmktXS{kzXU$nh- zRF-YG?oCT0U4lx;4X7X@B_K!$h;*qm0wPKyjf8-d2;2xrmvkC*hj@b^D5Z3Ybc58M zm+O7k^R932wZ6x-*B;~f!)FYP8_w&z<~-&xf5&XlS>hvo;19wF7zihavwv4N^(3Gq zv4%i-zrHccUJBmye#sVth4r4GUIag=@7rSt$9Ck$VDnz$W#I8Cin2Pg$XYCBq$V0x zI+*7#o_=y*5u_F}W?Z-Tsu9XWJ7+9XExe_b&w2(j;>& zT2EZ!W@+5HxV7KOR2z!=8ir;F)81+^3=3 zA2<%R`w-?Nes}(e0%vR5p?G?mciAiXJ8SdbymbHZWiO(91YWjRqs&)Lvl^b8<+2}h z2fS!M)RMo@ipk;77{Q37yTU$59C50#PkHyo)(mx>Eq~07P~OS z<1dyTB2ZC^Nv}nsp-L*mq$RoQjZVi5Bs7R=aH2RnO|!IUb6JX)WGEyAwcm*uFxtu% z>2jyg@)nCl{tUkwy}qbkK&r>K18xl(UYWwrHo2NBg}+oFMOGr>Qi?>8bUo$;XNgT# ziABr}FQs51{`zS@q@9d=Jqr(!X7x zqFX+B_)SLt#q_JI-_(`DbyCpka;57S+OPO55zgO|`1EcX*e~eFKeTz-z~3(r8=;X- z+IiaY`tZUEL|>%{>bNW#>M`ci6dP0vElu#4_csWkbpzfmIFca!Ox@NBRFgLS1uzTJ z(739kE}1W;N&9$59QMa7^VmwWPD8)nzgznFCAwmtyR)ZaMedy0r^j8W47t!s4I7mq zvMgDfn8s7YR0Wlz8{tMZd>X-b39J?BTD?xxY=5)nu1=*XEi5&yfvx(@3p>yl+;!_Q zOiT}3DBSM!i29inmuECMmayvJOGPCJ>e`|BQ#JsA^%^Rn^zUIx zEB;^T&Hvg#{b#=>#i2!)-87WrKD4H|FrRF(>|*-vH!zT^O(jKggin;4Jp1$G<>A|q z6Z1UttrMGF9-m72EnT#)pEjPetc3Pm?vuC8?epy3XUpBCea*NFmfuVmb*9tQ_wvlU zv)YkNu{P%WYxucD<1~vH(2oite(DDCJq4d2d{+*TA+)Av?aE-6C?!z@TU1Fpi{bU$ zCA};v^Te~u+&>K&6A@@&a%vqUFS#~;HcAw>+Uqnsfm>2?#2^^8|(D2^OapE5YO3B*!t>3ph20 z6^3T%FK^U|RAd<1sS$`&e8ow2HSDWy3oY}Wh#4<<(^WQ0BK{d^cy%Q4hUZwbho;c$ zsC6i;?hK8Gw`@fjn-8ks>N!qSp36gJ&RW=4!X33&XRd!h#k(VkEuK6dfE3I z*$Q3$yR7^>r1#H+xJ2=2=RMO%FaL#brFl=$`M40dlBfs1aPP`E{oNlmg=5X)JJ14E z*KFp(V10szi)(_{4Vk^`cgg*OxLiK1 zb&ybmLTOfO6h#|kS?#g2tfQ}ZV*Q=2hP+uMV+5MT zpV9#{{2EBpAVE{vleKOF5t}2NIUsd0PlcFHb4W8O{XC4V z-)mg{=FW{fTFi&lGk#5bNh#<4;eJVdDKB zwnF0{*@G6eN4!`8g@7==tH|G0@iQ;~Z5aqj@2;3R3)H~QAW5)ioD5PNNnNVrz{8;9 z29`ZP90sm?L#^pl4&e&tF}%+#Cby^^rIN7tFdhN)w7;yGt~CtehG@p!bv@TGbmhQL z8as?y-?x{8^fg*HUN%Z>#sC5`;|Na}oJrx%$-a*N^ez=47Y}~Cab{s_%eMIHi7s+%23HA{mB$=QrD!$!{SRx-Y+n$+bPj` z@>k7Ku1&pLGT029S?&M^oUgm4pTYR%u%dYC&Xc~}9S2ZL zxtxvMZbr$Fi^_slaSrn)a(qv4z_MV^Rmg4(wMOYPLAZVT_4rV$yZW6L+cAHa^V|G` z9jJ(Vb=?*hf2|bZs&%y`Ua&@jPM@s{-meWkLCSCjLmjM@hpwSb0ibX%D}_h$8AcJi zRO7L6qV3;Uz+PGgCewNg49uHt3&$+(=nv?vl->~BnN%mOEq$M0{`nfivMeP!AE{N` z#G?m2j8~kXt55>P1^sjVe;Yq)N}jCLS7A$j07KD>Erz> zLufQ{wy9;?wy z;6GjZa^kz!bbDmK=XyRbs_6V;jIrz-(RQ9|M1Q`ns_~1U72b^mW{+(|dqp-MX(#yp zscijCvE4_pVRbnw_GVVgGxj6uCrb9bZ%3fvq~Q&SH=UVb6Ff~7W2%*I_%@B^M@Y48GG3%DzFXeaVS30zL9VzL<4_*MWrS^>6ZMroYkb-xMF>JY3RIZhubUka zgloDHmaMxwswI`_7ohbD&zc$<8@jvI7@0fWo7upr;4@@h(M@t)=G;Hxnd!+Cz@&2X z^R>|gH&+%yjVdP zPJyQ(V^;gDhY=E(1dh6tVt}Fuha=|q1VNdLFp z8jalil`zaS6FZ3>J8FzV__U#?R(5Jqy*t0?6OSGn*4G+kp;GLr^~_>Q^NutFZ?po* z_0FaK7u2famvUL&2JM(Dh6u23EX96kI@FfOYQ?xMw!(lmPdyYJ6^IZ z*>M~)r4V#mpEk|f)h`g&oZLy}%D{}(#UF)qqSZh?gouNSopY1&6YPxOZ*pp)k?qbo$_124xJ@V%!%jvhj zHS8##^V@2je!8E9o+`|%5vmzOypHoG*afX+dc+0*b zV=?_03^f!TDVL@U!spJi1p8MH)qNbh7vSX~6t&>RI(xO>`VGMTc&2E_Y>@KcSM}G< z2#I?yD#kul=z2Tz=~wVu)dvfejGFUgxfMG>$ckR4L~`6*(fDnw6MPijYbq)?CWm=j zYrAh+CU*W2*!`x@lQcOo<)`ui=@;=2q#r?WJ}S&z{hTtg zsF%+dkD3YSJIzV9!9)xiatj|#G|;P?wWV~j1@`IIE<35S;&^Vb^{OfgE0^}wreOT# zjYkyJlAQ`l1G!(zRQ62!EkO5msl=P1p<-_ZOkWKLn0=oZBey=H&QQE-GgD`9*{{ja zqYCyU1`IQnHz3K!(oHd~UYhtt(Zn+&PVd9ugz5o`u_Zni)Kk@L#l-pS`FNc6f0M-Da6MxmxJCdXXP<3*bf?>vFTdgXT$7cc|3B_=il9k zRwgy5snYb4*?mVJ)EHn*S}Z=od1Yy9Xg_@Yg1^#mEzhjKwL&6^4E^FzOjL3*?ARTmBFL{y;-o)$xr6FQxyB!=)z8oicq3eO+7QZVZpMQb-5KBqR^L z3E`%o>n%0A!P`ZKGM7;gLFv2|I8)N3j;rK$13?s^hj_IV0F)5Nu&iP>N6L2GQ&J1aeATXgZQTuV7V_@D%-Usbf^ zzn8RpKZ2uROpcKZo@k#I;sop&mXD+uXv=H^Mj9YotpJr(@F3t*0~j(trKT2wJ4(;q zA{AQpbhODQl>GufHDs&kU(QL1*;*L5Yj1(&h@mlOV23%35LjeO`*-1_rjcB%XsG^L zf1mHmUQU=%Cioz9yu7jNk19GHK8-8{t=~Hvw~}o9h=JeOhuqMqM=o9E!A_KuWENHe z)JP*jIhCb zAaH=CrjqM(xvkNmipb%kAOi=aJWC1;SB@PbW#?LWe+vRWZSGC7Y8@uJW^8w z(ds2Ae`zbwiq&2YP9X^u@7BI*ss^u%o3+Mco9kT=9=7vm%qq^P(~P-6tUhW#4K+l$ zF*%Up4A8#X8eY#D45hfCahc(DfC%B>9jCD-itKp32T+g8!^J8Y9Wh`kT6o-~b=TyId^9vtZ zO9J#-tuYxdnFf^yXU&FxCWKb$Q1vs;h<*t%`+G(HU!CRnF?9}F^`shW(0Wp?2m$9D z%)P}HY<`cKS=0WH{Cy=2-1?&flc@3Bna@Ha` zqWA3$s`7gusq$G+!tZRyM&Y@^!dKNq3)5SD&52~3@h~X7b43(LO&82kRj(atk&FE} zGj?Dvn@8PS_`u|u7EHW&yZEr!2~dGOnP! zZZ8&p-wvWS4}y4ZaiiyFLq@SRsYgo)dQ%7&l$dvnUjr}dJXOUC$$c$NjCS znU2`I626oq=#gf;jXp2BRJ~DX{7X#5$m9vt$UnTARzk1aFbaoVA;nY`q48TS3ogSr zx5%3=ogu%H)Pb?hdjeS=L4tmmgl!h@UipP&CR+PzUdAPLhqb1K{o(k%rlPev22qF1 z7&*7eC@?YW*_&TVt>L{dL*iIZFQ~GJYs`S}Pcs~fasWiRwLhn03X2x`R@0z@8(}2u zPqCx!7Oe4yIEVYd$Ly=#C!0xMSkyWVJ}Q5bl$o^ls|D1 zx|w(7@>hQ_hXth*le%=)M(dKdWrMqD)i3f%jPPk*TdfSPd^IU4H@s+g^7&~HL~`_+^E?_<3`<%=q-!_7vTU(I8nikX);XX$cE$rc~Gy+O}nPd4l?7UaqA zz9s9H9A)-gw2kEF7z`F}PiR?FB};gI;88W!sf5XaM=@Tq3BiUjuD{*J3&NQz=Rg1G zGN+p}=EKonZpqwz(skmbz(skW~&A7n{fCANHi^EZll7HG$@@Xsf&q4X(as&uCpIy*IP#x zn8U&wPL0}#Uz($uMDPx8#fe;#jQ7Qk0xuUlO9uKxuH%qTYrEEQ*-XJrkjl7 z0*K777%Y-v7Mfl$R%CG1cY+T+_DOJz5B`(%{M@BKhLOopkzUnO7CkDSatTIjsk1Yh_{A9b&hh@lc zH?DyYfAsF^^F~9AS%d&T9`^AWfBtgA#iY*Ciuw7cCM8zxSDw-fiN{u+WZ0`RL>WZ* zRo?%QkJ~0c$`t(G#MS2t)hO?+QU3QnCcl_%Yt9-oYCC)!DZUjOW0b7lV*aMvaR>KD z1T5fhFRj5_`R>Th#_)`Hw8`m6B@M6YOrDf{r`TJ=9-KSI*!A|~9?gPImr`)+4=nT( zJ+dlx+-5~w|7bTy3P+uAdgL=c@$u_k4zWF$XaBgSFSCZrHQj_tgE>?rx??!{jyeU6 ze6Ko_G$SGA07^cb;xp>_m}O~9kop4Z{Q0l)c;IQhMdQ2U2lt;iWm_xQgf@d$EvBIj zhUd?FiOE@Zt%@ou`ZdmrSV*T?pVT}IbmLRh7K(Pd)-4skU7M4G%1R5h#G>ifWzdiF zb7MWHc26jrIyIB9Td>F#6Kd!ghx69j=cxefSFDE+9Q{gaVx6VMXEh(kZlOkfxUSx> z-N_7ugjl)brg3tmV)ZQO)*{RLi;c!Ga~~QpSs3PxRM=;Xet)&E5ys+aFjWMF5>Z&gE&p0D@JKN$H^sH8!t^Ye zgPp!0c2(%vVHWpqDxamDzY)WD!-6ghUOpALRkrC(jP%^|KQtONY}$$nw0rNjMcrw@ z_lO_;IK}tjcO`Asw%pgk^kKHJpqd*ZhhX`vR`D{@ox*L|gphrML^9e)v1u^@Q_#q5PVTIiFFT^UI)~9@;TOrJFfpfu#;bh}gU+!hALyK3|b`#mV z_h)yCOgtxfIx9n54Gj!225B%JO!mRos?I&Mz62-Iic^h1QN1XQGhX zAlTu$lUmZ=DOX%3m4tsV2IA*T{XpLr+4f! zt!v7EIp@VUB37P#phxnlG-D->z9^Dp(qwQCJO`YNFUeWOMRLifgIwMx*i;e468Wah z!8bAC-n1VnSE8LCk|`ftQ{hwE0p;TT))`)`jGK$>z;n-0xMgaK(@d(F&S3Lu&%X%V zW6AekAo)(Ii>0kbFpeRT;Sj{(yROvNq8AuOA8570ftG_lGubYG@Oe)?KIjY3aOPRc&1^@dn5@=!U9{6MV%VJzocRj+kfn2D6KX3u!|d0<6oKpWSuj?DREGoPd#kVI(AKhxFC z6Iia$bo;WF&zGkjZgji+P^2

DvC{8w-AWGBY$F8&H(b-LW}8BVM(0s>z8c9J4H# zcl=z1U3ff0LuJJQ$FSS)1&z!Kiezhxi*`s|yeqZ@5?Oq~rEM*@g&=0tdmwy}6B(Pa z>A&Iw8@#!5ceh!5Oe0YP16gvcvj5dZBypKn#w7cr2L02XU~T}Kmu)|`c;ynlXR^Fk zBAh5_6}A0%Vy2Og6sN{3gPx-K8GoZhYcfVqJm?a64MogT<0nt|5a!;7EOx6qgHOYk zVCzBZz65P_=@JyhI{SM?LB8oa9?sH==!JTaQzGVfR0+DJzm1NtTCbF^6ikkc<=fS%fXLvHT zg{)PQP&}Z56=kfa7Nw!4mP$LUyu!Qs7Q1!yVU}Dd9paMZ$n$06n3b}kuh)E@riEm| zzj^B-k^3YrVm9|1znTwrFjrAi=0Z$6Xc$%UCaZ+h+WM^nTJqd5RC+giPNg77fD2fA zuy~)-w+Zy9`vDnvI>m-8oCyaYBIwj`0Ou!1ak?O+V=U-NuG4mFcIfkcztpQEl9e=GfiYYe8xzHcOdRULrXi; zc~d4mjp5?31YH=9oszeSi3#R6Yj2hnI{@O`otH}a%<;|7;MTCm$xAY5KzXV0oOIuy zz=VHyyQSNI0#c)D?;VC-;R}g9wHSR%hQ7uujfS<)=gR}Z6WEJcCWI07w-SUtg0p&) zwFD+gy{Xc;ha=-#pSBRzo_?@3!yzoK&*lA8*lO?@j!BmAs8UZe88D+6B?E86+67!( zivu~@PVB8!t)9W;2MaaH3Sp| z?ZrZDhT{s%7A$?9FB~CTid~SlgfQH7uzbx6AWdv%vcy$&RwZW$%v5@Mcu^mh0wpbz zb|pqC_Zw~bMPZf+zz5y#8Qs9cS8`Qe$MgEIfi9}RbV$!gSQxt3k&)=@*gHamQf(q6 z0FT;vJ*jqHcpWq2MJ>Z-lJj(bhG;n>oA5dH_$@GnMlhb&9MH2I-pRC@rWVp;V1E_0 zvUmTzfngD|uuY=i*PInW)QoBE*8axTLdo2;^Xv!cn2g_iJs1R^=Xbx1Z>UHP%iWiG zGOWW!B8Vo_B}o{sBwC!UmjGORI9uQ3vi||8!LW$#ghbBS0Ux5h^hNE}Bf`mLH%g)h zmmhdSx%2KUQdFKrILdX~Vfw}*#4D#?Lz4I~sfF`WSCUh$xJ93<=*7jNNPeed_z84e zirfrb_9nS8k|J-_di85VCy7j~)}-Xk-1QHUU9}pgv~F|#*_38FLW+~2N{T4+Eg{YC z)g9P7q)lA5=II4V`*V2$GO%&&;ir9IXX<6ekF&O9r*IE^-*`&%$$nHcwW%%PnzdiH zk|}$YRid{?T#WMTC?t0qh%K4yXvNd?Dr*VR7jMlNUXvSGGCA+cdc0NqB-l!76^Lv% zkB<(`VTrT<J3{LwofYXEV zvYx#<;Pj56N&8%;XNGwB@~b?V>87Kvwt0Y`lB=Je)Dxx@RIYceAV`*tbrg3zX$J0- zlEF;kaY>V-aE424k+eIGAVeuTPaMUX`(Ce}-y%+C(MTGvgOW9Djvf7cZ8(Em_c;_4 z1+~!)Sf4K65m*Rv3DKGo*obYjUP-dqhD+;_1^+5jo5AdUOXn__Z83nMy)Qp=@NMh9 z?+$Yqx*5+g6Zm{MQwo}}Tb2;1o_0IPCHzY3mA1{^63buH(W*7Z!ACZuHKMs*456}= z19mONr$|GT*DjM@`BG~=@P%RWF!>Q*{mxa-T|4W;t;sbH(0ni~F2g49w=k`c#`;^^ zCEdy>;)--an0nrTp;i3Uta+j)RVz=+^toX4FRgEEkk1igA3HfKY1T%%wlN-5%iI5| z_e_y5^EM#!rZEespTZK3V5Ym_x8ogmM%C(t=Ss{ZtK+}5U-oZI4*$qyWDchZWfUXd zXw`*G>a$KVTKvG`6xK{z2Loyp42~-V$uGQBtvJnpz5;4E>b=xNij1U>(Og`Uc9i7~ z`F(l{4cbM11Ej-OcbsNl@OVZKuOA<-Ji!mKLy~N5k9uk5-S7CMwR6VmM_mqh}6EP#KzwK;kk(vt#csp@0qJ2$UJU!RY2w`uZ-3f)}@aj z)zIxE@7aQ9f;g)xSjG6#$Xa6uA;sRhM9{{^L$KaOG%#S$umwX@b7I`^G!STlISL+8 zK=NbMT#{^{4@p7fYfu$D23!f1w$;PZa9#~wOgBJ~d3;qr(m&TBycI>oVRL#d>>9o# z?_cwEAB$_&Lxj|}ZiO)rnW><9sx@AP(GAzhk?nIIz|fUXV~yWGuA+9mQK9+D1M%q> zGS~ORkCLI_QCw(%Dc`x(&+4NsBOS&Et4)*c-WyYsOa|bxzsAkHU9WdjBKX1hl)Im_ z8w2O-s1i~7moM{1bLNqK#TZ)03o#Qh+GjYh&K0TOP7r!@U1?Bpl|RrWBBg6Bdq_Gs2oEv(AUJY#?Uc|fEy6;fn^ofx(s&-ZdtsyMH~bGNYbHkQJ% zCDFF>TX$!IaJTjKjDI3g50ob@P`gNXog*5f9-(Y772?@diLLMHfVDMu9xMDkjsg=mT{9gz;47x*xR}1 z+$#9Bl*$vwJ3EA(87*ay)d5mQPj+B0eL!^eE#Fw20lj8rzE1-pr9(CKh#v&;UA>&c zcO?})SZ!t}!%cpr>}!HYGwFwy-6xaQMblZCgTtw(X*XFje>e}tBJBWgWc;`|Yr&_7T@6n=Tc2(C%KPua= zRLAS+6hWr2F&TdMYarrXj<&`kW{*N)1}s=+4!?~gWKLq^?|_p14MUJ+qPy3RQB%SJ z(^<87+%ua1?xW_<6OhgLCX7UV7OYSG$;oyGqj-Vei=uWBUSREor=>pjZx)E!y=K)% zx1I$G6q&sJPOgF!y!(as3-Eu>ZItegzr1Th$#5kuidW9N)8Lv+W7O)Puh3ee+~H-n z@o(qHs+_HP8TTV{w%Agva{>;NZy&8ZIj+{eHv2M#o}D+E+Gj__b0Ln(Lh9k{)YdVV zk0rf)!)sE=wsU&&X!e$~7f1tlZjZ;<0xVG{kXW*yO=inZl*W&n)EKc81jq@r%mp;)a5#uxQI>AOsz+$Z` zT(i(XPC4;BS-_AMmw_#8>YY)?0>Th8Cg?X9S$UN zZ5HX>Bn>{`&v7CPZu)8Rs{JVuHQpFLf0-SC@756Q+G_v}_t>7fr9PoA$g_P)tvl@7 z73$l%dK4v3L}2}_P^?A@SP+?DD>GC(o-_^w=kaZO!UnsK5^v9PYqGLe=wjF(3d#Lh zw=a4QS@u2nB80jG#f1HX%l_ z9lXMvkPX}8*r<7aTN7vNXUGOUNQ0egzkK(`Djh9-cg~`cO(d_+GqB!-5aptMNicUH z+fvjcN&}8k>Bi6bUdJG^xU5CiX}c1jLn~tZbU} zc~_b_o6#2;hog6GZLzuy#edGpyuk-sG5KW!eVa6Jd=&2m4V)m{Cg1f}r$s+0jX-9F zh6(&!r3A)&xGN4t#-mkj`8LTFO>v?8CBUvbR}$M$&FIAky7Xb&)n7d~PTyLe_LFS% z*M{fZtNH{xw#)OgQ|WS{Z%ZR=&!#9aOjZPTNDi3>hnRJxX7DpO)Owgi2*aMuqZ;gD zQ)G%~3=2xG-IdnNVdaN|Q%U}N_n5SszT=Dv^OFW%BJ6+S+TDCaj#({=mFiSv;Eq9$ z@A)@8+lJTvzy@Wq3_pEoY*0^eN;yv$pMo7n%8dv` z40+EA21!%}#7VGSF`DSg%RdWH@fA>!;`ZT5$~OEqAj@Sg~l%i@34`bNP;nu^-oFU!|b%ALJVjk7+r4 zU~$niNB7>%V+(dFpjJ}s;aOSJ#=H&oROdtcnYB5}G0Mq4Iv1(x7QMbyEzqSf9qf=+ zqrTTaRjRNRx~>jH!va-qUik}5aeNn-mxr&{$C#QMUwbjW^APa{rOd zb$s*kzDU=WE@KcK?~Jw)Icr2JxYT0l=(B204L%o;SI)m!->K9yTJD|Yx)3X2erj}1 z+AM;pnAEKBFcvHezH>NU!CrQKRvg;^7TOHm;cn zsz{qBk;l-k5f^QM~S;+&VaN(_Yy=={n-%p*k8gDrVs=4>^%S_b$!C;WQR#HT8c!5HU!&sZcm=BoAj8=!6{T!04t?RPYMHXb zc_Uy!l~oh{rS8wLa8(C?Vc|^6M;?i@lk<$7N7I(+UmWT zffKx%oxUO!Q=2ve`!p(t%MkYT zdkn0t;n4*MGjv|aQechaLQR0Dh}!khcSF2UOX!F5CAeFAEXA`|*$BIh(Farw`^;l@ z^R7!BwiGv?SVPJA5^_I61WtA3yvePL2McyAR^!NJ3Q)KKSIPx?}8|OUTrv-2gykE1m{67Y>p@_Nln~I zdV2vWf*?@-s`=%sizWUsAIRZCh zEZ!1*3TgrJh&tDFh}gT^U#*(CH~haq&_p3@ih;)jy*JhQxx(HoUeximj+jin1`)bB z)s;Bo`I(F~MC|AThueRNeS0V&^-8Q(&!RK#tokng7Oc*b>rnlCFjiMf8*76_>^u63 zPV2qf#_T!_4U_=4^iDV_>8LR88!g$uvxwe zBchZtk>9Yl)g}oAPX4gwI~n4=91=#Z&+SFcMngKza;4dQ?2K>zhM##E@m_mA${$7%S-i^dN8&j8(;f~VE| znh>6wScrrL1&D4Gg@U9M0=xbnC_5Ql_Z#@c#n5ys;uiJxhtSgBKlft?B=L8VK?5!* z-c76gh!)7J(OLs$R^}^ zQ`|C;wg*fK%yW(tZ0jfsa!;JH^U-;V_;acEZhn`OtoR^m;VK}C6z%6$Jp={`zREju4{VE9F8nln|1jRW9>%PiEA?u^M@my-!L@8hCAuHp-~}xIJ)#@g z{>95rMW1^`mP?v`db-9sd#0b^0OF5=QcXF0D#`ujJYB}`GVF7B^0__X&+ORrARTEd zXHDj1@Ou>)zbfn8tH{MEPtd$g$u7^)#Oc*otD!iC{ipNETp}7&K50AI|A2LKz+0|bxVW^{y3hy) z9k#5Vh2(*2M}NVU{>x$dzYpKhk~p+VMzMqJ2<4#tf-hkAM)FplQmZI@Z*R@>@ulMO z(LBDzPVe*s$PK(}-le#IJq&8eL=89d=hi+?Vev`Q`~#Ele^^}pPqv&Df~2yX1TOOt zJzT*1j!El<0zMXE_WqEe$Am|N2+>_Fl)@&xV<%wwTk8GqgN-DY5pjlKipE zyn|}Q=G)uci_y=bvveU{8oysuMNf9;jUHe0@9CXF6sO#TIVayGg9D)B<)} zPq5UL88`ZsoWGrA@~;sDsQ{ONNdkA{E^=?O(MLh1Mj zRj4J|K7f*605ANm{U1Wy;Mhp<069oe?%6#2sK3+t!t`I{Z9SMP-)a@;T@s|AzDe&3 ztU(O;*60QixRD|t_;J3(|7(>176k;}qYrsJzxcGnZ=AA!n&>(i{NF&i`QSwnYVlmW z_|nhMFB4Dx1#F4g0ZkCoeeL*E$LDeGry5m64H>F1D7fjuHB|kU&V$ z*FM~6(klL6;B8n$70BfH0$la(Ml~RNA;3}uHv$*}FZWPqlS_Y^H1>iLo2lyF)9`@5 zoWy_XJpPYg?{F*idJ*qEufMLWe?6oBjbFbYLjHxS11{Ot{rbs!yX;=@xI371BatL3uuY$G`BHF=00+sc zSitJPabR+*Mcg*CzdgxiR5Xz8Hs_yzr=)Hpuah!6`ZuR=(GIr|1}Nk7mEV7klrmn$ zQ5&96>bI<$v6vk7jA?MFmpMRRD2+Upycbcc@WC(;yJWsRT#4|X;^BRyro-|CDwU5Q z9wNdc>8IG@7FdV43k^)qG7{|;p94nZhi@%z|QjIl6G(s7}?YxKF)<BkdOIpFw0BHpQT zk03Q&)r0M+ODezb#AA4hn#=HB`+kCV7S5NOGEHz^xpfVkwKa6XD#ZqDDCH1UE>oZs zxf?d%hH?Y3xJ1bK($ugu1Fu{X2=!=Y5j*3`Z9nt%@qas;f3L*+x4Q-HfYsCL9lgK0g#$K z#uPrZ8SiF|DV3Pv7ptmqvF^88*hl2FsUpDAw%+kASqZRX%(mS$WD5^ z{;?JHyPojXryl>6V4Z$kUkAd%MZ%>l^+%x9#>{+_pfZl7)!ee6nzass&?aD%UGuE%WGn`0E!`7+-$F z+sriXNU}{PUtayO0X_8{na0rt5Qe^Zmh9XC!9I*xSVcaZ$$ZA2p1}@J=GyHFyEFhU zadFRsW90WXOi9xRK2~t#j6R(FUT(_=vm=%C5O{#~ zVV;p9EAk~YJ)I4qhh8K%^MiZX@N%Bo*&(+xq>?ZgPvnr{U=Su{5fl7!@t*d@E>T?D zi(oh_{S~w)3Xr2m4Cb6U4G{2`h3r~wHu&PcQxBuv(;W}tEqVbf72lO!fs-=XLno8? z0Gf4VOVFD9OgFT-nE)iP+16|3C$#>Y>f1+eJe(W_IAotJ#)O^A#MaM>BC_K5ns0j03Z$vKG# z|M9TV?R^AZUsNuP=-58hG;pDoodF--dB5@3CEHPP-sgY&R{iUq^3yx8qL*&N18BOSIR5dYVOivuL&x-VRZ1_z{eVmKSmZFD#?VWyK~7xeas%Nh{>B zfke4_#X*|!tsAsi39VaOaEC`tPCmB_*ZDjOBpoz(pItloG8=Ec;0AbU3FG;V0bm{X z5L_FT+TU83Gnk!rfh+%IB+`C;DWZ4WDgD424R@I6=XU%UIvN@UKse99u)6G<&m1em zu-c!NZ}9aPVP6fCA4pMt8}va*6EBFNT8G0%L{o_{HWNpZV2QE=&Id0fTL2qeG+#J} zEwR7OxDm(KVQR89bfeco&FJW~hb2y3-`nluK9nM^X!iPp)ce!7UPocjYU;#f76D@M zy#=J|vH>s7l2Mr}h@z(%sLU5%OgxLaFUF%3n3;V1Yq|d2*t>q#6q9T9X)9g^^~qO? z-(77& zN!Mv#(zx-|O;3x40D8rrcGw9(7Zx4Rqk2TKaR8Eob3dbNsDgWv^b;tm>}W7+54`|p zX$r4kMgueT+2kJl73`SR&Z!{~dQ_P`$`E23((jsrtuY;X;D6xZKK~x6vtFPxaeWkb z#rmZP*sskDC`jo**}jJk$c{&F|5o^vAGZ=q!xik7z)VTgdX5(w-6hl%!PXd(2`oDf_d+l-5}@74lv$(5CgRg8 zk&+T!1zeFZM)2XF8e)1Bl^fKNxqEy-Xg#;~2{a{E9zT#fjZps=iHJq;nc>cxfuC3}kUMN)=V8&&`^HBmOtiN=3D6Yjfq_X2;_~MQfhV-9)iV7q`Ce4p zmANbOaah$#h41dk3B)ch4nkp<=i7f0;3g3Q99W$u41oX#n*S`y5s@l!HX7($=^APQ z*_@R$(`MO~$PKR;Y2oLU&qNt@<)5G8hLxNjboG!5C& zQQ+O`j&Htf(P{Vdn^Lv$=<8d|H|*bPWGUs{DKIK90-dztE*+*;?aUaM1{|N1b{#+@ zt@DO9mf<;sfLGEMpjcGV++J`af>mA@k^Soy>%_{Qkr~zE2g{8Rye0RHw6;BNpJ8T^>G2JUDg)YF}X0o7AZpQY2xHzJ3ipE5gbTI{^XAY-zK zOF;j=;eIh_#E%^&*F3x8;hQ9H7*R)_&cCfbX!(*`vn^*I3MvMBSsvY@Ma4JNtIu1G z^c1P&%k!2}jTm%(P`$sVK7$k}eqDUYS-{Ayl9~;>bdqroX4^^5A5?-Y*G6}WKeE2PkSaZQhW1frt*o~kkAHS1&ei8x&ktRIBh$v3 zDfmE9F(XRv(aou6U!k@(Ef4oYvdnw7K@fQv#VV%J`=dpHqDpeUuVqO!`Q^i}(#-a9 zOv4P$J!43cg`Pq3nHBC8Vfp#3b0y(9q`6Pyqe5Itf2n(cS!hlDlh|IbEBoVWjlJ`n zwLe=P2+v>deRD&JsicLqTF_WQP9k>wt4BsHsD1XEUV1a7y_NWHkZA)o2fo+9y2V?X%rcPiA+zfRETH4E+uWQ`<#ll(rD{zR?9{XuW< z+;NGfs_;-m7UK#?|pdo zf`Y>*mcw?<-SA6_Gi~Ti46Ps@7t6w138Rvi-%QIdgbyyV`Pvtl3!S#IqtcW77?wFO zhLD#X3%B3pR|x7TJ_3*KQb$b4wy&2$F|k#-r7nY*Q;zLEQneWf=2vV!ou0qJgR$(h z&@%VvzWjJ`Fo!32CI!aHZChqb=TW6QnsFJ5W1-4LSH6p~htrYG_C7n~z|f2JHOF6+ zhC|P>?>E;iy`{+i3dfjfJucKat?g$OI31?$*w;cQxmJj9-I&dLjH1}W7s8J=J*c)+ z!kFl{cYcYnk#MCbq9Rsm zId+&8!4vFo@3&0%SIPAMS7o8d@utrd%2CdMJj zg8S~b2p`Du^jzIwC`gxOvLxK6an?SOojZkR!FhiL<~q7P2)eCkC*n&3f^HkD8(C8^ z_1GX>z+%0H&`8gcJ@5=|T)?f#{^9rK^%S9a;9&O(G#*s9X-92~Aep4yVRalT*AKhN zgsivsigEPl?V`$;uAH;+Lf`be`VIetm5+Za`*`r2b{&Uy)EY@K9!MF2ztL@AUy&D; zT}04rwj))2nq7Po;3nsfnh0;%jxwe}rBfDEuIf|kW~zrEI0(FcE~Rz6Oq2AI9dW&4 z;^>ABtkKrqlfv7q9Q0EI5+OO;Aybzhcntc*O1l;jQCqn_xEJJBE&{Ht@Uq7S?3(i9 z*m67Q08fvw$4UAh)+AC_7(aWTTH%1LbJ||xR)#K+=fhp~@RDziUyxJ{%d0Rd+PwpIR{zwGx+S_fD=MZpzmTOQZY6rnt0maPgF(=u+() zBhiA5Dq-1r0flCFHLdy`zoKA7y#J&BhA2@<23wof5v&q-q~`C&f|-lh?LmExX7+QG zZc(BS&KdM|c!%;#6E(Z{eCDTlhrD#SaoK55kEAK@y6@Scfz?*b3lLrYhTOZL0jnP7 z;JK|AsN)g4LTf^$rX3f`~J_rE+>h&XKu=6ZPt zbh;yay(ig4<7wR4p^#0VvzaF-G8px*kz!8=ACMozQa~`YWnb0#H#Hw#<~gSIbr?ft z9`_m6<$?{{{6uit;2=dF)hj`4myUytYGaeuglZ^E^fbe6HfGP5aCno}o;xyLU| zllX&n z5@|O=Y36Wa>T0it??;v2-_0wf$gz4Q1_y(i%;yRlm_2Sw;*MZzvCm=7jn!koC0jV& z6cnCMN|-XsxJZ1eYD}uLe2%7xA;mgyo18>@FW@3OLTh`Nn=CuokhQu*hUT#KbG0}_U)ne#+^ma3%*$QAC5x9LYJJxftaE0LfZ794AyfO zeYt3JwERk^z&I52D>sm~t6Yc9)hC+cd1tnFHdGB}FR!jD~$P4FV`u!GY zH>F%KH=Fe`WM6@24w!4quIxH(F{1y0X&5kYq zHfi-7Ftx>KG)u`o6|qR8482(y?NK}0I9@G<>@tuUj&8mOGq7lTuC0teKL9@wWO?Q} zkstLd_nlbydih!!Tq%P zY1MvxxT_B+w%;H==QQD19wzYBhCfnzZh&(eQ8}p}EX2$B+kf6^u<#Ub5_QZPC`V6R zuF2{N6tZn@%*VIc=7Uh(_$DEt&4fR{K~n){_z3-|gU{`f8%@;dC+#myj`GRsH0G>T=bGA=B@V;d zUBK#>riy@$PyVP=Vylrd>kDiX7nQpIaxXA@_1DCmvgCfaba`sh5U5@|cMJi*CK_0s z6QW%wT-Q(1``Gid1)a-PCj0`om&AvE={RAYFE^LZP4$HE)6}rR$WBr?FaK;n^OZov z%jeTpsmJ6#w#=erlRW|x5{=FWFT%ZnW^O9+1ukt9R$|n519p3luYTqb`Lv<5P^h60zngDc8NI&@z=BE6x}<=)GpmAnGuoE-60!u(qV9i$ zE*gMWUo%VZ%NjmyaZfM?O({{<+*8=&&Tedt$N-7NcW0^Eu1KJ3m!*xiby+2d4Wpke z0fsH$Zy2`QqjN?uUW^j=8{5B{`=wEz)fX*Xol?iz19vMOg`YIbpF$Yy<$lNtHP#&_ zsUG2<9TJ>T3Iz9!{PY9OVd-T)W~v`n9Tv;BZyP!6;F`g2kA0MYf02q%*u13evzdKZ zurx!P*~LDZzH=I11Ac>In*(U>895za=~pa@%kwSTZ_jX2-Hj2^IvUi%l(Ws0Mg2y_ zS8e03!Njj^ZeWSIiQ`1TO|C#c%P+^OZAEEc3Cr+}3fp(x7SGw!{Yb$qB)(S9Wn5q& z4-B@SqRyjI+~&S>y>G3lu=3};7K}Shlz(H5rhU}a5+>hl7pxClvz)+Z zt54g7%I}#~VqGngHI~;GmT%#XEg$>1X$_tXe9t!4f{a(WOMHPD28^du*h&c3z;_h@#QzF)8iHz@_@BAi^SLR{SqqnQH_|hT{qN@R zu}@#GXXwos&2v}WfuVE7i8&Gj;dij59Rz>R*(S)U+;~B6%)}Dd)~raP8W=95Yp~__ z#xQql{R^yolNk5dZvM1li`_XlC5g{2f9X28x3M2qPL!iST2?ox(|O;`D^a~uS(Ux- zzW&V=q=QZMSsoN^zvfwA*rlC0e6hMywO!YLr7~2+-188knfjkq4o|?pOtqcZve68L6o1f+)0Aj zjEgPwrDJchi$6Zdz4^iQ;RDSBs zTthbXG2-$e(mB!MI9k}`bw9jVZ|v|3?_h|?_eP2{%m+3yCv$qz?ZDj9jW=&_k&}39 z;%+qkAS#7$-IT099MZkg-AK-$<>9d5qbu41H5IGr7vQiA6E_hlUX;$Y)vV_~rGp!I z*nlL&8={qzeaXaxlmrlj8WcV8X2)misj(JCLVFUMJ?XG@?Vf!A3$Ojx8IA82<@Sk?53p&%<6A5JNC80!b zs(;I|jN5~J0EPX}=0AQ}t zDW$M2ONzgxw)VdB%0XNGF`~nehC_*@W3oF;XWJ(Hs+k*<|FLoS|GKyReV_BMNqv#C0S-usu8p@2 zu^>Uz^EG8FNyhLqy5!pr?;gyXlPIBQ***L80#%@>684d-2kM<%nebs!y?&Y&jh!R3 zc>(o+^B~Z{$MZ&Nz}8T>NEd{DPsd9CKuxS^@U+qQ#N5hQFf4Jr#{F5C5U6RT0*&>s zVZG6EW!Rd({9>@!C6JJ8Zr*39Xt|QyI9VGyw$@`EjfH5d3hZ#k#2JHVTfqQj*tfd~ zML4tr+!OxmF&v(hrZ}QBQifk1p$zC55;BI!@3SM}bmwp!zY>*lyg5(l+?RY(Ol5<+ zltyYC){2mDuWef_xI)=ynBn^8Pq$uQdh&r4(~m`2AT@{r8h}lMBpzK#X9Z;0Z@_Z- zysy3m%Kd_*nGZDdu!q?y)Ju*WQT8otiSVAZAlGPum3~ZoO#~2#EJJp0D^Td3ae-*E z@i{)4zk$2~^jc-}1^Wq8Xb2Rr(oVNIQ2mDvj;Mj?P z70g}4LI_LMTB$a#60O<|(m#{{{)Mt1VHA5T@i zl{(RPsD9Go0mNXHP*=Pc2K6i!K{G$txUG$Hpr+*8-&%B7c->9YL^7RGMp(}tu$(g`Ti*REzHfD$ca^GGkq2rTM=8vxrRZZ+>mCO1$HDjsqeIWlzvk!-7 z{XH;m@A^^~$C#w2uw{!=WT9>lNOst-L5Sk2l6zn`3B!$09M7b@;x^Mt3wIngalg9@ zcI;L-;Gxa;zmBP{)-v-Y-Q(!b2w!=17=l-RnS?m3lQ9)yb)*lcY+3PsH` z?9~u{3l7Nh)yX_VIcOnA5hocK9>95IS`6D!OeMKmIsFXx-W@h^v1%M+ShBxi(W+os z=yN|3fui9!mwsVJ++3A5#R!7c7SLY@t)40}a?P68a82d*Sh? zp+&?mr-O~7$s*+t4nB%PoM8F4rGebfZ3UNvdR9)RgC4HxOVq)PTAe*w^7 z$5fQ~Y2nIZH#I}9$9MkhMp}3nmQD~=hBPpuKOEyf+2oW3i-K6%TBxBP6Ie03Gv+x^ z?n;D|F3u=pGos4wTKT4dTa*d9mr*(pZ?qQaB2@H!hx7H~WX9p#n zM^W}aGbw}WNSp*)E%Eos7#@306QTL*#A42B`sn4{=f5!D=J&!MVgQDim4Ri3EldGg z%7!)fhhVVV83vn-$%0RRjU3i@k~@5jt9(7P0(BeCe;JNb(lt%unBjO?yj5U+SL4pW zewY=S;b3t$Sd`h+BfduCaF(>+IMrDJ&fHQ~oQzdjk$(RY<|#~8m& z`lSHH!8l4&3kC+*70%XM+mfz2B!>Z~C(ksS1cq$7K% z2I}ojD^P%DMBHk9$y`DQ&F2V}=unr@IqtvejvO23Y)cj{VE(Ly8X$LJlwn)=UAIN2 zdpPik8~@tkfXIDBi;Xg8(UxWpSJ8g-e@{8g1Z zA^3;n$RHv&oeOgwGqC2aZ*Cpay-iMsp1TA^9MX>~z;X-nWbARRWFabnrR-^gNfYwK zE4}fK3|*UnNX}Eul!nunOIy01IM*!niXyqTc|UK<)B9$pwT+D$Vy~QkMOk_HO$%TN zd`bjjBY|0RHR%T?XrJNfcQHrr6z{;DG{y?US)8=C(7U%uUc!Y>o60gX3oFtd;#0cM zKV$UDxO?Svh*#m8pT+jQr-SKxJ!gmB=5oYPj*y&DWONMk!a8Ug!JLrf%vkDQUG{W zg55iR6$_8ZfNv1UWq7HzaM|K`y4H#M%T@lmWxy@v2*rW@jVljpH47OaPpbGXvdV_R z{fJAl&62(8ilL)(SnAEPr}6iXY`wvly`SO0J@j;u@Ih$?dy9ZKFV0r*6&vhLapy`x z24@VRa<+dklbrF(a#h~E)%ia(4qn(I(zKmW-aCtIZ)5AGTjIGJ!F0|(d_?;M5Kqd3 zW{7XJUNhVfvnotlHXO<`M?Zi5lEF!kN^O%iG49HE#zs!!DTTeC+`;two=Qw((-gyi zISWZN5cnQz6k`o|7ya5-fv$uVLMzUpSDM9WpIM&X?9HE+Jjn+!F41#GLcFs;Q$2}z zb#x_CVJYrTSIJ7FJvHzbIr*=<39iuT9sTw@TXDiL8Bap_sle3uH$;5>)9?Iw%Z{y} z4WD0P;hP0_gCU4;iFdQKb0q{?B5r@uE}h=;RP*UAn&;*i$ZINiGj=y&bn`F`nlI$% z!Yy%b(3exTT1J4{Plb=M6{s!Fj3_}<;PqVfo#!m_BU0AhK%Xwju&CnF3dXH?0f6Jiat90Vr z*MK}uqJ8f6V|VJ((vHcYZq^(j!fQL$xJ()Wx77e4|L?2R8E>da*rljOb%qdIz>Adq5!i+s z<$t<-34LTb#e|en8F6N2_$da_Niytnt}s~nr3YCmDr!d3@tz=-JP%!@*rF|qUQY6sw%Le~T-N500``|;|3?<;U(Ac@1c zsu;n{&yL7XRVIvj(J)mOy;HHy{~y1k(K z^&{61cA|~X`JjZa2`z&6Q&AgpW&<@x30}2LnxMU)n?ypdYje>3=K{WupvEtc0#BfuFxF`iLjz8neaZ z(iSmNIuSRBKM{@M08Ef7LiSRvEL64lWi2>RaP95$LTX75lagc4VCQ)mR+t_6U?G}_ zfXnO1>p1$ok@pTWO$US}!N(HQGrCxLbzhV;I)Ca=t3<@bVqbjv1+q8|O^lbE&TQ0D z2Is3cR?pkMjTF}0N)q3OJ-i;`k}-X=>;fyW6E;2*?GKbu0$&69YXc0TCZ!0>lEA&$&L80?JKDPK$kQ&pC zslQlfh&|L|<2glTLMrUDef3o>O+K8Y&u$E05}lL!tQqK+3HSEq+l}MLc3CP0?MpIL zb=67;=-V2HUQQm+HkbnIY);JC7j#;7C3S3p^!%&0sfD6$!C%ppcYpT4r(OPu;UHdi z*4L-~#kzc1ag}OaR{&ge8=tg*5sM#@$5C~bcaO$N@0{0GgJD_A)=|%9(Nk#YgUAch zAAe?*I6}q{KuG+fo0pWGp{+yVw|_S{7lV5PJXQ8!M%=&p(zqxyh?&Y%nu@QVnS}fJ z1i^it61(oYRRid#$@odk>zq3G?9DdrfwS8aL)ar`Re=?+E5eo)W`}g+YX(G`$rWw| zX_*dsWlVB$PzP+5JYG z_CC76NcYue4+PB7DL-8J9jY1IhGoepyArz-#?Mz?Q8rCBtHy+Xku^Oz0{hktI}22k z>E6Dw@J=0ta0E5G%ufwznh}n(D}mAabyvwpF|mC%U7G26<`Ch|x8V^Pp!`KkDi7STMq zePoH@`l8z5!j2)msToJI{jQOUc?2aqeWSYzUhqi75mIP+^&2*w@>qSyi1UZfXDPn> zqZZrK6ecb!aoT^sn)UWUM1ZeU<*mu_p1;$NTI4E&x^_|2bA>J8)N-Xq~lktMmr zs3;RC7Rxlq*AKH#DQY4VR)PmDj@-fy1Ifdz>cyCrmS2J)yHpYtZs!@&)M8J7rg=Fu zna^|zKTd6(f;3j31e@f2)^1iw&pZ~R>xsC)PisaIauduQ;j|oW-~Fg(9`1wICTKyK zgOEXq5Xc!kT6;d%4R1lKuCLs388IQDF}J4@^Q-NW)#KV4an_WKT`KYFCGw(^(p6JY zf)|?+YiC?S*=M0V0<5_V5ZnXa!i+PI%G#6n7j27{1!66WQ^eF2FAHLcfbW4^evbewKfPiYywF|j|S4cLFzDd#yA_!ytsI3x^#$wcn zIlwwNBmcV1GWO^CS)={OP)nlY`Sn-b;8DM1sRW88%L6D7ZxIvLg?K~(v&FN>psx^F zur~;Rw-6_v5YIx}I&)sw3T)Ij3s04iCL2cZe;a4|Zxag_Xiw`FV_3`4 zcm!-lF7pv|chM=|Zy;UwWK99uj21!m#9uYwD&Z1IOm=E?MfcP`ylnXZ0z;P!HNXUC%e={X!~Ak*x1(MJ0Hv{I8?^HKfXKFk|@(W6o{-syh*$OLA}s9&-caYzvK)2p35wIInLV6S_Ae|MAVFQunI|UCy*s~7mAha6;1ctG z^}J6b?#B1B z$T`_ECBpJ=aI;~Df^z^jvjuBiY%bruZSml*B~HJ5A#@dqIeHos;`(-xtR?V=UdL8M zxJ-$qc-t&t+)>>Z1H=xB;3nV5zQ|k+aTH=4t4E~u&6mkEZP?kg>24 zLp@e!WWsmwZ4D_uTWj-q;is#_Ul1u?aiGEDPo?%XsR$FEt`8&<*q>V@U*KoECJG(NF|AXBr85bQWoZ9*5`E-Do*vL2YTTq~W zBtmG#%iwr|_%_@~Bj9t1N+t>A8CfBo50SAqV+_AIkHq~mivkNO=3dmeNs)~&aTng9 z?LY(`wP23UDL9uW{R|P9*%xRVcIHns8`}_JdcFb*C^027C=p+=@uB+ODX&b*dseM7 z*#bFO05O1%oRoPLbIU=WEtu+0G&- zs2FlUutm1DPaj?eI%t&3Ijo)x&>kD0uZRdgf+280vHrxL(&HdWDmkTREZa_RwY4xr zI6;h*B$cRfDV&Fd%9`mF7`$eTDqC_b3+{QB3Sl-12QJGiI7`h2n2ow--*|(*yPV_q z`ph5l$$1`d1Y@7f&c0_cW^J3(Ep9xS$XihUgSGiML6jX7^m!*bWwdXBu1JPfow{dk zdi|YUhFZ)WI9AwsPkom@@)*his;Bb_IEd0QhG4#Krf7o{&51A>R4rnh4xe)ABO6i8 zB~$%7stk;lx35X}H}l{taF*N9@TO_Za%&T61QUvOJ^*I^MpdOtEP9hHP^r0)g`m=$?Ox z=_lUE7}lNLS%m8(+7N==2I*h3`^`q&chHVm}tcB`o2=8K^)R+;1N23bFU8hr?G`E zuD*VX-}xZYu2Xc26?gFOtT zOpyzVHYTi&!7O{!N)q&kNQEqujA+HZNd9(SXEVOfMelH2D~fD{_di^{{^PGbAj-a| zKmH9+v^3(%M}KGQ->|?N>_wmJ0Kx}R32lFA+eoF4`%Q(vEZz4Fx?*2FbSALhvDnCH zx^M2I?_KdZC!5Q|!q0a^&oUpFWToO54Go*tcl(OZF!AJ;{P~wsy*|uc2iO0}e*a7# zP!Fw|rki#|27W0E=)$XTsM-pHxKm#|d4!(fsDC~hpP(6~8qjFO>QeT7iX{6lCK;0|b2GwKC3R_^Ct z9+_L_+bxe&i?^%_ay$;-_UU@xd^tJ1NL8UH{p`F1vyh41I~GQS3v+b;QnKIZ{FWe} zd}|oBA*;x-*xrJw^mk_1#|*~08Q&~`oPVs|PP2QqqA@r~=uJP@JN$-oJuEft90 zqqsf%P$))~a6dl01;6G>*TXK{2IpLF#$_$*-5S@XSsm8=u#)BE$Za#-k)D)+0!{6n zh4a0p)^#KzU~HOxl1-~=>^f6DIIY1K>!SGT?W}swXy|y+<92WV`keZDA;BujuuP5H zY4^2rx>H5GW?9a7oN0O2eDdn4v;K#O~(;86E0)9*~yilgRLn~xocDZtT z^?X?GIZ9 zk!j+`?X|{;gFhSEYw)U^1>nJ|j_31?hMU-h3wmcYzmZj3#1EeR(U~R;86SGX(a#Fd z#Dmy+l+(@!SZy8+bMWaYF$Q#fo_=SNXISgIbxP-U+!-3}qa>7f63bn{ zoYAtT!ITGyP%Ow#VH;OZVcwvFGX)rQEc`c+n1VOa|c6RhgDl;4zGQ=fRE1)OWb9I|k=;6a=5u z5m;?rgiA$$&SIHM4l1(zhcnw#i?M3RL|WsNBjCdCgSY)qRTvIo(y3M068!IJ1pCH#_#?H=g!*(U!ywR zE504aVHU$V-Vi?CBymQ^rJj2F8SQ)92KRd+)}5$#C%Z?IIGh_0!oiAmlptVBy@!_p zwKpoDT3#s4A|Z@ZbvsVRrdIKJr1O1M^1BgPSUQGnlyF<5a@cl8?;*r7OK4=o%Lk8D zo69Zuy4TA8d?NOE`Eg%&fwbKj-^V7)>jooRAJDiDFCH$rR9A0@EGg;w$_#+*f&W=i z;h8^M*D!bz@=g{%=M=I6;Vo8l2!u&N3CF=n)Z<^^c$!KNrKZ#Eg3c5ow^J(&M;puF zpty)6F%VjK>>49OVb`(5+vwKgJCLGa-G$QMKBHd#mTj@emb6*50Bg{tDrwh zZ@&S9Iov;?Xz+U^Y$}!6~BYe zfx^njkc~TrCtO{I-?jQMTc!nn1hWM>AV@#C%E*sJ zl@Vl$883k1B#$j~JGQ%FuFo3GXzvcboW2&);{!MT)R{c!SYctqKoIE~^wsfcKTVl8 zW?p3vIUq)67wn8xf#o<^6Q;RHSbv_o{}Sqw1+`U7tvQGqWCEuMRRYqC;7LYTk>mL2 z56z8eLgHILi`DdgGy=Yh0Zo8y4z^5!N83F*Um3bvKNGZN&pc%#1PBGam~Dp#TRqv@ z$}iN3|&E_$uySX{teOQj>pviSHOlrZoOTsSHew%)grrwY_jj}SPSvd zij5vE3V)Lm|E+ZLpZ}j1ykJ>r^z6Mxx*e?@#5H%|Lr>4*0hcVGebE*Vo!bL}Arj(% ztT7va0*?^We@BXZF)~4)Z%U7oTT^$1`IgOIF&;c7k?>d}wy}K{yW0=;g;yh%|3W4E z!`KV*>lgCTrDuG?V+Xb;9UwPZO8;RGSv&Vju*K?3!f?hY>$Pwkxq}-63I+rKSzOzF z4&OW^0utY({`GVra6AZTgfMrmRr$Wh{>-@F01rtQO5e$vV6cA{0~=`-LbUf7TLoy` z|M`&#&QtFxznrKq{&lO_+?1}mB13}GiT6mj&7g^ZRaIU}* zvq)gns?|q!!slE36kr9JkS_@2Exx?%p-x8Y)#Y6&zNx|8p)N|~*a0}L0=t1X&k!LJ zN$8+WWvYyZ;NvB{qV_-iBKZ?(W@j^0Te>PEpQQ&Z!SHX0L>^N~f(Ch<77X!%yMTge zM8pyaqkMf{y=s3S$&L%6L=a&-RRVi9acb+Vj|Yn`brOLZ&uvRI|17ul@7nqU7ofMb zO1f^T{m*{RKR=t3TIoFO6+3R0T>rDT@1M_#3wVSn)mbyd{(tEQ1}Oy7^<-(aDMaW0 z`>XNK-{MdI@IZl(cYT1-kL#b`f&bwjf-MMhKx{dy`6#opCSk&) zg~!bup=#wwx=eTs`JE;;`%@0eg>lkEb&b{=E(>|ObU#PS-(sP&XRHVezqXlB6yluv zx8EiBCSbNMhdZ3Vfnc^8LF#IRC`KcceVYek;b2#Rm5&M>jazosQ^*I}5n;yxVUZ6O z+B^tH<^E@2Z6$S%7@+s}U@U0_mu;iugg9llQ8N`-94PStBib=m!GnOwH$P*x+=q8+ z2!HrEm8&kn;8ec+;Oyy(>5!yE5EEV_h;7vU6)fCE8Dq&Wc5S2G{YgMVGr`Jt16D zUk<_lPKyZf#+BHjjGcL-nOAQ+=zwnX)NZt_$lPnZ7pmMZu7WI#F>=nIy+N9s&?7Jf4Gb7XUHOd>``ZP@f^+f*0t6)J&>7`4`C=dL6k_0Eswz{`W8U z2^fwifw-&?yo=(+B-FYe3(fREish`}eVx7f$-&3O9O#>J>!h6%AiF-@G=^Q{bYVXm zV&wwaG#n4v&%8yrLNY?4f)T_FKGK6e1&|m>5pCeoxgKAdd4vuHaaJ#Te>;1N>GvH9PAyYGUWA z&8y8VyjLx+{e(7cCgk+ZgWTh&KxAU5Yae_V_gb(%DtyKnz;wKG8tH$C*RF#f_OqP=Ytj831`T&g;|+0H zO6#05_p1fbzHl9aCK-!aIr1B2;8(Vq?a5gxob;RpI=|~bUY`HvvGUIc@4x-w!W**0 zcF$19xc?eg$&V6XO{D<7$t=T%(CA3cvX%$Q;~e0hi6y8{ zsN>Z5{P^=zN!fA99uYT!IC!`qGn{Is56lR?qHcC4=)Qd}kR6ivG@ z3q>HE>oq8A9Y!qcnwVQFBTc*PNDHr#)3NtQ3xwby;jJst`=>S&__S?d2y-&-Tr1{T zG~FuPcQ$c`B=NmKfh~~19KMPDZS;CTN$}=l>mBgvzAjs-qiBTI%SV@vU4OZvPUyk| zmE*^MuPgkX#y;2qK34-co!ATLuj@4*{{}?WmX?v=ac!Y`Wcq_X8U33NkuW#tB9Uiu znRk$?%2@d=fUorD;gPq6kqM?mNg-mt z0#IstzlK%~0MV-fw!{sPsJBl12b>EU{eD72B;S0+{2O}Epx@NUyoDQ2^M#u$leJcG z`EVYBOHBmCA+FaPf5}N?rr{V$euw3}e_7DXBj7~KPB*1?$K1m#L1R?Ys`|r@vak8P zu@Kljqg_PE|4=hW8CXX2^FZffg7dHuldCO6z~aWaN#jJ^r@sAeZNW1^@M-E!BPAKsK9B&qGh{d7e?!7M%EpAQ&sky?37NZ8Z9W=l z04&2vBs)^Rdg&QWfDX#57aKpmHNqP*zK;NxN6J3!jk2)2kEshT5cUR zPqpB0#;jTfRzrbAtYu>SDem=|PG)3f5ifUV@p(P+_8=z9wXsdR^j7&BrUyc0O&dc4~hHZ;0e>IZk;_zhVXu{-p|*^&+K%&6aDFI zq!NF`w49;wLzBoq4M5o{N20#2_`{+y_1)Z1m?eX#-wDvw5Fcu)R+I2;agM>u(_*?ZV#x z*d>GjyEx8neTBn9nnYplBJe4*LZo-ufqG{7%?(=po{tIrSOU$f0pt#LyKf3>-2>7ih=|FWLg5yq|= z6Kjok^6l%84+0R-crw~Pj=GD zIW4pz*<>>+^9;B*NpRJ^m%QDF-sqVeQf5Z~wjL`bt}IOMYJBr@<`fbuiHoQ0kM@sV zJohbxLg@H=hXLvnBsdS}^6yOCcL86jT3MzBV9?2>I1BV6EgJQeSTP6~FrOMeztN>M zhSd*-MD}2>cs21hPpzyUOk}aSy#57sH^{ecsi?p{ocS*$YoZGEVdA=>!5iM>X%o#u9h$-_7@1?SA2#OtGkcZt&%WPn`Z3R;wGE{fX+p7*hCQ3BEa zso&Vu(v@Mn<}0%K#8kS2)E2_%J=3b6uj?2+YLCH>*sr;68KzM-deFTN4R`(^Ys zC7+&7y9_Ab%5<5i2J{`%_0KEmx0(5#)~8%xM*qq-3H5QBXzDC8(6$KfX1)8RIah!0Rsn$Fg2 z(vXT1X8V z1=8VK-^^@qJ0tcRz3!F?Xu$fSi;{=qAk}r2F~dK?_G&8tz-HRNLXtqr(<#Rk;{td4 zEUD{o!!|tIFWg@Mn&BuI!_3eRlp?9NndjS)dyS+y@uUqBJt1^3N% z`*~eH&&fZ6*hRQ*$lR_N@Vfa|cL9Cw=aXiS7p$Px)l(NlPUELN-LA#-?dV1?7%cgu(ng&UKKHg)&Nyxi<6 z0eDJC{uKyg^vBpebnS-xZ%Wv8)ePPrbTB>Nq>I`Qstr4f8GZ>%glDN(xit6Z@H)j0 zWEF&>aRCflk73>rncL&n0XcUFJ!ZRl8qpK1RP|rMGv72PW4|2~(AA~xi5qG!9T7$Q0;^d8! z6IkTTy~40ejZLf{tzD0+-jEk1|2jgpeemMto2c9457Rchy@a-Xwk98rXAK{SX#dG~ z`~e@KelXWES5oa2eX^s?`pt*3aOhgcT@j$j$#&CuRg%M{eH%OrMI)-U0CTUk+lT5$ zEe#rWetQqA>|>^B8@H#n_;j=+=F(%zxTu_Q6+dgmmxfAy zmu2gf=|@TwR^o$gYnIIMq6N$%b#_MhA1)ir z;2AVydB+8kNsc+BI*efPDEd5jy5M{MaP-W!L|AqQrNneaq zi~nb&FMW|dp(lnWz8BXvxEa5{y)E{lxN3$)*2~c#sbNh=>MPOoUXd45;^01idw2G- z%ISe8i>dLd(IoEn%EzTC?T_5q-p0QNp)ak)ZeT=NsTi-z!tvNUWFb#s3Zr_-U`V zO!d*_s7~|MI%KtPGJ=TfNjo3WOI7DNM!D^~oU&(k1#sSeecqpcZzf!_gXDbtw88Y| zep1tq_@fU=`1pM;TzD0DXBjpxJNiiJZ_hL(|Q!dNMQ=744>z!RztvEN>-{|31&7{97`1(o748aG{ zCE7|EbzZEjAcnf&_{#Glc#zkK?zYslmaV9}b;@ryEK&1ugWY7P+KfJgHC}V0LyqJn zI=+de?!1cWmsq{O0~{)wcvKu9tQDRN5b7>98x(KT@pyb%^3#yj&|1su_t} zJg54-dG~UN>>ly4e2*Dw0=d;nk}C7bq;#0QoBV^1Jpr}2(@BZ=FH+bv&%D$cj6A5u z$$!U$g}nY3OxRk{-!Wm1qh;NzggjKP*2{`+B7tLB5w{DZ&S#a}KZ|t<}qE2t| zo50Ea>vC#(ggU-E+D&hbOuoZ?lpZOHTX}?1yR+O0x72r4?dcppv{PLO7LpeO3MU4; zZs{F#Y<=K(9{+Fp!T;<3WDq9If%!UqK#&zs#6dl!LNFUKuJr}#5;7w8Dx<% ztiTD%o1PefNz{7;m!fiKgOK8va{R_W+wf})Hm+a8m|2~MX?;ZBJjm^3ZPknF0L5|b zTv<>&O^U5x&(ZJ)9CEl@cMdQ_5BSz(f0a6ooJJZ5)I{2JiazK4G9qdV08SY>%;ivvI*UB7w9Aqdxb1*)eAVo zi%~y<42rbgJ1A~kSqKPwNjB}{dy7e+DENYyf-FC%X3i@r&&Z@=*`X9B{+ zSq>fKR+0V;ymNCJ&T!`aFHAALJ0Kk*F1e=BduvO;jaGq+`&h}wh5rFoOtJNNlxK>A zZtA_F_}7)Mj5MSCpt9uNhS#**%nJq76^q#2F+r5n>^7NaOSfPcIe6Z?)hJbbWVmaFPGYQ7Yo zY=D}V--_5XlZ(xe?DwjoZaP-~Oe(||pd(v-&0=KJ3JcF*^gFe7;KXol3*;>0$$bs7 zEg9_Z8BNd)WkNM%nudmO1b)mYo@vu;iXTE-TaAXlDDz!uWV{y8FN_M7P-OMTsrNZh z+LOoc*9rApx&LL=v)JLW*}kcRO0@1Xa`eitBOreWi5<2F;9#X+Rt+y}aOrmgoow`xxv>3R6jb|U%^ zGf~%MZt(H#^qSQlaUz4cv^h(utuk*s)WqF6HGQbj__|B;sf3fJ25(H_h8rzdTJ%NQ zoR|aDi7OHfeyzVQ1tBldKt{YR&1=}c+GbHXzs9+*w?IuGEeE+~ebCetaL>t3(9!fQ zSJwzT$9)$jTU9^Trc+6rF*5r6=iY;xIcuzpHhnR^a!@8G(^) zBY`_UbLyebYl_PxzDNY-BwW?>omfo-ncGPdFY1!mXtM3sq{}kvHPW+F-}~lS(BbB) z`cbM65%kHb1gg@8YOJO^<3{;AGyh5^6F4sO=VUVSp8soPGUAE9lgYRkedQ0*6)J@( z^t0DqFPAY;>>CO6KF_u-NTu0@$zv0z#5(=GGR;IhC0aVPD(y3qA7_3GK7srz|7?ES z(8(!z=j4ZN?eWRM+Yd~ak&bPR0w4a$<(xGyWV-EG&rYs?Lc38NyCD9FuxDie_0~W+ z&QZ_TMPzRBdbYRngfB9L=e`PD476OR?N&QIRmyxdVAAh2eeGVRd)+|-`KIcX7c`rK zjN>uC3Q79~4QW26h*iL4qoXAmzqheqY`I|bg*9^fp}3h&47+T<7<0G6_!lfkPdp%{ z4(5M(UL7pW6&%c+b>ghF>(1=DwQ`mx=Gm2=8#Z>*`y-q`%e&a(@3W((YXb$D>OufE9fFvEmCEgn<4rtv^ zy|-glFVM=z>Ps{1q+?llN-{CSD$g+GP-Y%e#Bk4w@yEHu&Ax*M;Y7bWBKP{M7dSxh zbz!{mm}*h$AAmEq=YzK=bY>N~3!QGN>&P^{59fcbRIWD@vI0`s@xk+y77J@Yf4OVn zGaFEY7S?${eI}Yx;k&iMcag+RF^}NP;tBVdwd4D{b3<=ues@OfNVWh^<;1E(lZ%`N z0Hta+XSXTb$=Ym>-wCTr$J2aYK*!@FaWZ){-zzaNNx0)=^g7LrZ)p4&TIcRKFq~fX zTMm1ji#=vtJ@>1g;f$feoTNQ(9S=93H%6k zQctB&VqO^P8>|al4I~$Pux+wqPKNL=iU$NdsUD*$Y9`gbGz$-RBn?iG>|#8~#Hz1> zLJv0!v)M*LqvWURvON^}w(UJ)H|)$yYDJdvC(fIkBdoUwpyoVr(_>-#F5jTmy@TJ8 zPL(IOe$($Bc4)h$C2w#Tj{RYG-?!uo8u=#ilJS}>_-d#eUDWu*^A&(a;x9C4n2=#Y z^$B}?TeuZi;#G?c=tQSnx%H*BHs-zv7Gqlz%)TLujx{3ttR<+Z!<7L6Iun8E`zAav z)5c-Xb0dy=<07lDZr(Bk`mMemJ$b05;_~s#DVTw{t-+~OFn>Y#8~+gKJwfHJAV#rXTVpWe=3rtGx6`%Qnt)8tsiem^ zfBOqoAoXsBP&+i ziXPm}l0E+qdv6&PW!vr#3lfSnLr8ZirIf^=gmefJf;5OoBi)TO0*XP3fJk?D2}mOh z4Fl3JGj#Jm=YF2O_r3Po@!Wgu5AVCz^T~zC3|@0x$9Wvbuc&$?G4dof|GgX9$y2l& znsk~pU;GNk2vSo)=5BLA#pu@wQYP}Im_M1J{lY$?e4A)82Kxhl@ z7q9@hUHt^Y-77;8Z3;4B#@|q8-x&W`J|K3-@dtW>*e$_eF{bXKLbX9!X_Fo^b;Tna z>GsuRANd$Bi0e^qd0reYe*cL^bxWEynTha+vNBDrO~~uIrsqvY^k%9XznrITdp}ZP z{VO~R&i7bKt9#!wBnY#q44v?m1^^HDhZhwZqn`@+n{nE5UZK->&)%7cJe<;h@d9w0 zw#!uFNyF2@gsA?G=& zK#s|Iy(R&B>+wXNc93#VEefzw0`rVP=$Q&SP^Ia2qCyhKSDOAdVy@VGG|^NU=U*X2 zK*?aoq`nuEy^M!Fz@Mj`|NbrAi#2BTK#E{oBDX#nj7?zTPmZQ0jy}DnWVGvIM(*lY z@3Ib_j31!e&61~+p=4?0!0dcF%ZS}u`v_Cc%=1%OrYu1guGDXhb-Eu}V=riWu@16E zTDes+hF%nV^B;dNe>_rP*$B@}Z$}%)Mu5YIhVE!sXTR z@XZO=y6&J6lq}?y)$t3O00kn7+bBX>6{a3w3sfmUN>%!BQc{KAc-smi@;9Jx-pF5B zZoPrgyQr6F8=*B{WZqpGwmsK4t;S0c36|r&Aj2ia3aI2h;Yt&dl^BZxS&|&EmPRu> zd=0wvfTWDOd*LbHwct5`_KJ*)D;DR5qnfAySd+&3m4kP<$=92uQ1tOvT&eCM>3IaU zA;%#Ge{|3zyd61Ow1e^=?rC&SiMHEd3SKuz(2G=!QrXeWcsm-5C4GRbC=U9`cv(4# ze!F-JEnx)u+Hn3HppedLnF4#+v-Mvo{NuD#YQSb=0%nlK5KYh}lVJS^T{F;9xI*|&I#_eLSk1f42i&)XDU;?B$2>U|UEI?M)STU=TbuuRNs50vhh z_E-D{n}Ui&=A}a;+B4>YYGAtcroaG(XVOe-nQ|lR71cb~GZ4UpNAcY_dKg-QiC~)^ znxn5sH#Gv|;kMah+B2O3k<%$F#A-C2P6xE6rI&)=Yg|r*e`53&TwJ`z*J#B1X)0a& zUqbRuSmJeMD4$b6hFtl`kxdxIbQ;G2Ou>aIB)HgrcU*%gv7_^U6LE+*oh$+Tw~y9p4~ zy#rbcn%ai~A_~?Nj|HkQ?NdgVowzG_UtW(aeDs(UnU>*w3r)?C=)HJ}0Ne_JuHb`Q zK#BL#%`~O@DCg-P2-gNB9JEW54-CP_EP(u(7_l5xPfZgY(?UCEpS1S+rnOd%ieg{l zwIX8?%=Xto?h)y$MQC1w>*o2!692tOj}9FmHvD&fYn)cG|Eb^F(!Ptwwg=F@<2zW1 zO44z(^F6Q8NOA7vdO$CCz5?gmky)n>Yu50aII=~q1=;kE$&e;(+F5#SUDy`;po(+W zlCadNpi>Co1M(U0@*CPkY+;NgMA`_&q)-f+Xsbn3*I)?|mWdAzA7+&ZrUb%+!+d+D z(k6N7E$*JiP5fIX$00}FXo0o!oL^~osQc&PEctq0GZhoeEU_)3lIlQd;UZ)I;(Brm z#+Q88jB2X*14-~2su$>j8kYS3_iak|MkCryw2ofg2o8LHTc+j5 zgw95_Bwo(_@o!~+w_DSc8V9}-W1j8pRQRJn4Q+|>-ia-F=Hj&C*~zORG5arR2!w z^w!o@_fX%IsYeh2*_k)d{53yK;`vF%oxOy)tWyCC>c6z!+{N0pU&9RbH?$^AKK{Eg z+b}IKW;;U%3!8BzpQHxib#fVc;@NfoulTZ!Ji!{d6Yj}3-1nP%YxOqgXsN?YjljrI zr@GTX6UEt><vL} zWS+@+3)|lifGs)lbiv}Bja~0R8`91F>Q45F)07c85*YSjz^W+4UyUH7Uo(b2+mmiE>0_%0h`ig6U5OA5cfyd#2R$caC^pV(k0 z*Pr2~a>Q{hdmLz!Jnxz6A;+}TBQ7t_Xu1eAzJ))M$qBPbizQWRxsMwxWYBX35V{{f zhOi%(Rs|9rs%zNCEurpa_We{Y2Q82LVby69WP-4%%4q`h1z6E7uEC7}!5MK&)#Yv6Fmy&9l%a9lXZ2Tg|8a6^bwA#&$idFv&gEuX2kqKt$= z>*>vvs$^j*rRl+kRlah+!p-V-`mrYfwEXSctI|EwmMj{H)^D7KOVhB_o}dq#$K}{Z zwC2N-1`Bgb^*Cu+U+`OuZ8V1*06Y!Tx@Fn(MNy-{i?Exx|ERe1<*LP(?>S%#wrksRQ8c%g1tauH^hHr@z&iA<mok zT0{S4>}Kj?cBe1&zc+Tv7Bmpx{g#$yl&`}h`AJ9AcxL<2qX*OK8Dl9Cu*gAv{EF3O zw3%^^6SaTJXl0C&9OIvi-AwP8p~>}+>SrfwfH|5H;pAqc{h$`rwJZ<}^rB^ZamIe+QF*pmHYdQ4b-o5!y-Z+^A$ z#>r( zEY*Ueq!t+KRs``199=KPapmgYg^;|#`0{|En>jJ z{j&j_5_vCFbeJM{W=d(``+&N1)Eq|aDWD6aB zv+;6A$3ce+w=)^p-YL~CX)l$iCupy)U&66m3^Srb{&VxU64(F6{4Ft-<0~FHH&tZ1 zU&_INqnV^ypKg%%wK&arNPKF>wAl3csHX@}E6%x}9>=sPOk<|v)j zz3~c2iKOG|OsTS-1K8MJ!v0zp6p+5^K1lgD8DMuQfv~V_viaKAxdF+PhCn@@HNo@K z^m#sy6C!_GvOSH#tv=dHJ_DFaq>-I>gPf_ZSh~-K?VjIf0UITYLn_YlF~%KCb3qTI z5rUnPiNLqYMfjnGytfP?k2&h_=_O#W>2*);=#xyuNr^}ZX4Q5l5e~+y`EMI-{LCtj z>ZQ3O1cRA+Lvo04)w9(#4GCu;btb`RbI3N%2v-1L#e_AKb z7mQj!5{d$9oCi2}fo7Bf%?U>H@4Cf9zTgKFrr_-4ZW#iwNBif69iV39kNsw6hXgpO z@M7UGi#F;W1zls?x$2%vZZQ;jw_SX6K-v~H77o=~;Y#O9$b3Y~tks40@j|GFwnxI^ zjVu?b638li%3Q9LWAXl;<$KSylVTew!|p~z`S{#f%4&+0SMkA_=Y{b3(%g|f#q&YZqYe6EVW^byLMVvH2 zi$JlEb7A8}YRjs{EkopkvLWnT2rRV?tVND+Q@n)eX-Lz3y#ev39ZZ#rlXm7;Gp+_9 z6DxYrcQNx4#nU|C5oxI-@u@Yqm{+l(U+_{m1wD6{^$|mIPM>_`1BQW@!SfWD?xqPX zX9Ebo%VuVn8F`gosN-$rG2clY7UWPhb~6m@{-ipwJ3mbHZSH`!2xn zQ-=EW2IVYbdVkT$1;B#kox=bLB~$#sdWf=_#>4Isf_|M;^zFOsy<%5QL4%>3%|AKU-Ofy2z4*%hc|9uFfn3<1P~Kr z{sUjM96vOHE6n4N!ZaF6z=TMyxCS%a&y~8c)_a*5I>p=1k)y>_$>PCX8g`oX@zg>% z#iHG9SdOyPK!Y{z(3x^GVUG|8+B(F+=(h0vYaL(~CwHND}DrSTm7d2h4(s5>K#NX$PSDbXhmy1t93Yuu0iC#w23hValv5V#=EmLG<+r%mJd4 zvMp3yA)_K9qy{+Dr3!mXKYGU_kQJ*Q&C+ZHs+lU1i##|MUO3V>XQT{|qN%o@aP4;~A-7Kak^-@+v@DA;qYC z&TEt0m!dYq5t8c*88s<(Fe#mHu!y?k(zHP6ro#1zy>HJ1(& zd90KVq0AeA8`-d56l~LSMyTf6Bjm4dkcbEePE@R`Meh;m?~(%f)>_V9j%ulEUV634 zlom_z+z9n=dRWl&oU^UGzuEZN$L+HqDu@uF``$dC>bzpunV3-eKX#M++r7kZ$--~O zQMYU&FFgs66MfbU6L;g!3jUzO;pl(y$vP)MOVGBBAVKf342i;S(47x=3M(|7G_lFn z-mZnR+OxK}czHeU6qF?ADf_|9=C3faA-8u^RH1}}BQt5j z4zRZUnZS)_<`ZP1$aKGD?*ud}x>IKEhv>c4vT4n&TVZ7GGkk76E7V~${_|&Zx?7q} zfSO!&EGl^|xBUEkRf^A4OQdBr%R0PJ1>vr{oK0X)j<+ znI4bjLM@+3BF@NokQZUhzrTl3O#*MEC@s8#IY7~!)qawB&j0y2+8%GCYWRS~E0LXP`;S8vlH(T-A33NN6f5E)$6AfGu38gYTxn`(Jy| zru!0vO$%O}iKmIOVh>`7+MknDEAZs@YRx$uhDL;TzX3AoCVKye$Zf zZZ)p`3Ip=P1K>28f@h8*md8gd$gekhi>mdvSc!~TusdAk8((lUlI(yVbm;sQP54&I z8Y7h1_#94YLze!y`&V)?W-dM`-4ODOp@r!C1Dsr^qi>Yjt_X?eTe{d+Sx_fHzOIy4 z?IHTRrz)quI*V$hJpICUUEgUISPy-7)s=Y7_89kiidulyE$3};AM&w{J#wfq_Yifu zI;?J{)4;c+A-(aoBYe;c@U-nCN~(O1>gVmmJ#(|;*G*z7LV5KNzGX}aTc05^mN`^p zw&_$6t1jVmZr>UX!9!7yBzVg*&Ts%j&G_`E6*LiI4D>2?;$Jz)?|k4~ktJ<($jW=! zYHToy;;Eh)$r0=Dr0AC%h=B6CT&irZqDV>}{*neg;hPs&cTQm#kE+;gVO!p>vyWnc92SAidZClyYPi(7DN0gRvg1umwNc|B`fN=3k|BC>9l@)r z&*xbD30IB-%A0ZZtJqKI+NPgS0UhT!6zqQWwVtNdEjMfV2*~yI_=^`e>?+lOPC&9A zMb&)d$b84_?gVnq%3yS~pg@)HjI*o!^UD^Ixg{;^Mb#D6)DLJei?B&~?DrM_aKUHZ z`RA@Id-JO8DDnDqgy)5y{5FpHGMQ{xn(r@bL zCtV^BZW_uin&J3#!HJW z7eKLqZ+z0Lt5h8@dr`{*EjhHg9+@L1iH%pUG40X5bIHkC-VZFagpE$~3#;_kb&$3> zYOhVsh}+#PH251Pp8eT(qXC1c9}J_ z*k^p{oL56E47QWDP9tQeTKY1JReXMum&Z#{hFAF|51q=TZvK$kD>>r$(%MD&_{_6p z?*cfP>Y17ItgXlfCnQ3N2p=rR2YkVq{sfuSzj)42`k5QD)g3`sYs1L!8velMR9;-u z22FHMG}LJD7d*HnnT{WKBxw^jDsL-eo2@2LCe{?!cKv+3wD5ZXY$N8V>8j}?;31Y* zZ#DO!iq0mQFNN~szFhYg)6{vu^pGirkGk}g=%ZmuB{xkAOW%Vpaa4Pu&Qh1CxL`iW zrUkF9?Baww#8pSAVei!SZe^A3$y%uG-K&9}&WpbAzkKWp6H|>#C!?Du80rF~XyvH} zNhc)DvmIS$IDSY0XeKlF3TohyY!B3&UutdzC7PA6@FY|Md)SkNxVKbyYnKyR)ARzr zcG9`el)7-$(q$gZ~su$#O8!l3YhPHyESr_8g((T~4_Zj_WDxUG$cW;MIfvU_I_GSk- z5j~UKD%oEB!5wGX3aaemyT|;gBbd4}*ex*Qinmx)?%+ zS=1`*AEPslfF=y03YMwoh>&Ru%~DU^)PvH*(eD^J0({>XVkLHez-v{xFOqLIJfXE# z4-2`0{jMqgTW_2N6WTBbqZxRen#V1uvnnkHlgVk?^nS7_`l!jU*8uRk22nX;Y-U#u zMoAzU!D#lj-3wLL2_thn$HCy#Q4u?1 z2_Oqb`hoxJJ=7Im*hoMv-$GY}d@Zv_L0=OwjZMv!p-_^|t5@Rh{jEeA<=1cil>q}? z0nHf#UwmAbtW#&rXX&BvS9pIulHBwZ!pulw2QrvA6YSppJOmY=iBVt#L0UhebjPw7 zD}r4iX{iT8qXBeUQHj*?0YM>o*p$ypM6rK^crH%Tjrir@Sz9|e0^DNnQq4uN6@q%$ z_O92*`JXS*84@PgzK&Ri+06+r1j)`lZ7-@MV^?`eW(S05a!(>>A5is#Dws@z%G*w= ze3!(LnaGX33Fyb7Sf_&t#lFF~=F%wObW5*gG{?Yu4w3pE#CD z55XI;px3;M=!4xXFrqV$b?ALL)J!3XQ*2|4B$TyzmTX5?`F!Tqmob&IeTB?@MSf&sYr%~P=N1r9J@#{mt+1iW2!Imis;qW&# z?26C?2E`sXaSLKt$m6nat&d(q`~4Y52boFFyMd^es>JsJe38L9A76ZWFGiM#+6j&8^r<)kL1>M=O!k5U)1-B^$DudH<-81GhbpNNRREiD%H~@YHRF$ zobHXRJ6(QLG}cZk(3$EL_`pie;wr< zst9;_e(|`T8`-#*ioo}X!-zdj+q0n|Ez^Q68DgR=qPU$#Fq<4SsG`k)+n=Z;5yBnx zS$fl4fp2<@SR38XJ}#Wd$dny%NS*XB(>poeFe5?ia-OQD>V%&43HiKl!RUN<+^*;? z+Ip=t_CvQj*)p(^)eTJSrtw4334dx*c0LmObgah`$cA?p8SaXctDW%!1D16Ir{@yg z14JRt(GA`9F6w+0@55A5H`R57I1K-qKWyw8qW!q2%l!u!2lZ$A(VBAz{-S$GoU(10 z#xEpq=)9rr8&g}c5+J1_&)qZeJ8$aZ@|Y8`6U+2ye)#A?+;|)3t~KU9Y&De_ub3x`pKI#HiE8SzXtK6V|)6+qB_PcSbYT90V=Zw34?MqZ$ll^lkGoD{&n65p1(D}N< zLI>Y`3oGN%TADB&zfG42|otPiqW<&PUDs2?4uNi3t-4&j5Y22OAKptZ zvD-`4jN_AP`pr&*zTIwQ2<^>leni?Av1ngz8`Fr+=gIX78$nCy!*JgqOU2#`&iocuALZ7qD4=mt-}o%Q3(gW1u%hn<4x#f1!i zN^`mQMVggE!93!d8}C8rzil4=p_NwPqKt`I3ipb7bZl25-}x`lLZ{ylrTePb&cz_m zddGxg&0c?W6srz38$sX}V`%wKJAwVPUDdM$sS%Z}7TTzfZNQFcc2xNz$Z(FNTdbeO z@c-&Ygma?>Q#`?3e$#$RVH>$wOg@OM_C>K07%PZ%7A>2)pMYGt#w^3LKqj|XKZN(Z z!MZqGN5m6Y|7`V)q-Wy{702z#Q9);~g{9?hV?s|S_w~n#W{T@~>Z(R_OS~_sZ3>=v zo_Gj5ItSaqOwYkurL3SAsP{|k&8+shvKK1?(fiTP2vJqU?fJNg=dV?roTasB)(Pk^ zQZAjrnk=R#5zp~nyLE1=unTdH36bc@EyTA}VV|Q;)(!r4{QDNFPSp5jcPQj6U7dr_ zegq3+Riz_lU)<3&o~T69Q>T6pHK#~MH5@G(BP`@a%)Dc2%9KchE^L0%u?_E1lfXtk zk?e+(nc7{bTJ6iF#Z*C8Jl)S`VI)!gk%RzPY5PXUOk~9N4Ad#!g3f(|F#Tf7iiWMLgU&@}rd0en zP!gDeKn;5zZD0i8RRhXb8z2MDyrgG+-c9G$4zzO=FThhYF%uvAZ3i zQ|_U@??MHbWGH)P0MzSP=qE)^p=T242)fu%4}G~7*Iz=c-@ zR>ij~M%`@934|vt$i!_A(3=vS=0w8C+JIY;%<(m!Y~nlV0@}d>X7WaJO8PGygF@Ce zt5UF$dhd}+s3F@a#A8L{UP_35aNET;3lg;ycQ33qx)rldTBD|P&cB+6Cs{bq5q-xE=oD$4NJS&(t! z6!Zg5G_BeLzf@%i20^7KLkmbs1jw51(ihAE)A^GDcWDW0&TCg{2HMV!xix5EC>^C6v-AhO}d zYcF*Zv_r|Ze9^m;8)tPBoA)@y2gC4}q$e%X8xl&boqiwh1CYAF`GG2OmDft|_;N}- zbxaDE%lmwwX1i*-4R9TkNvl0P;#$OF<}0=55&TFR$FcSHF8?sqBHtQ6t23MSgD=02 zgGXLmZG$aXd4Bx+zd8yI*% z)FukOXJXZwcj~4?Q*rM?>)GDxeR)G-G8#2VD#xQh^+EDA$?9d`V-n9 z{2u5yQfXkSI0!P#^jwDJqO7c2u_^IcJllSGgj}N4aZORkw7_OC>M$?Vw&}+jj-U*~ z$+ErP+RiGU8-cJa$IZfO3WRKpeaBCrrFhc7u-JH`G{{?{VW0G%tQhQQnIu57z1WJ& zaCZ*d2;8hXGmLH;qR-#e7#!-*gOSOg)9Thdkp%J~>OyQ(Ayb6ZJMvqt>ee3L^#LRS%*2RoL2PHu}D~e+wDBrktNFaAQ>mQ#a4&4xlJz_43 z)4Tt+AdaeoI=C4CN_LT08vq}<6RAgxIOd6#>X2v>DS3d!-*zNlP0-wmREv?m-C(|S z#D~0Glb6yrFd6Pi(R0xF8Zs~B0jwIG`*{!*Iuys6&lMdeJ6^hyYS=VH;BgLg zIT-KDd(-qam&=P+)j|IPRP@JLoN*tEy<<5k(4K5v?6cAo8es~2`{-Kk5@YR8VOC@2 zk0psZ+G`^b4C{wDfnck67oE4uV+DIeFK&_lmj}oH0KnpRBY7jlOV+*fYqR%{_JDv` z6cAUH^nsy`Telo98!mOUC?@P+o}zXk2o27WH1it%#WvzUo^NGjOh#H-9)93AZ5wL% zp?@Qq1WO0pPDq6RRXv|BdTd=6jA&vM7tC!wn?yAq6Y*;$_+CMR#Ior(4*aJIMW`91MpljqEh1ej;-e0F$XAKL=9JXB~# z1rkWwL%|sVrS&^rWLpZQ(B~{D?V@H&!^xrv{Ntg*qJ-4^@q_^TK|;XPeZBtW2y7-s zYF?oiETI5{C{(gkxYv>P=}-TUkcZ-!z>w9)c)tDeWYE7#ojdl=-~9(ap_UKeL-|v$;S9_`azIOxrfx$|{rtb4YH4pMh}IFK`(cTRD;}YD)O7q&tL%VT9G`FZ?zPvH21h>_Fbf^Q5JKEk2 z_}}>26sY+Vdu&%uv;ifymZ*H`u=m^^eX8s@!?)ksfBp^sA_D&RPaG5tZkOArxQCSg zay9>Fuk-I)+-q3ucsT!qi}YW8`25tw8kv1Bk0CAu|Ha+#KluGk;VmrzCjT1`%Aeny zCAOslILt*K%dKJlqr8Ow<~jVAmv3Qx^k02kVKf*i_s&5TrE0%n3&;qIpz>I567GP# zRtbRkE4w!Sc27L?CmuSTW_TVxx(TKgYI>lKMFQe{2s*@JzA0Ct??92nDj|af;k+mxA$_8#Z{5zO>OGM&ZC60YO)ghqZ z^E^0GxG4S(tlgT2-3N&LkK0SY;m=xZsPb2DeUr5tYqH6i=AtW-j9e2{V6D|p_=^$~ zeV+$HnKBNl)mvW7Fgu}uPvD&d?!sQc5}};iOFPojsk#ColcAs%OU!_hy9m1An`l2^ z9m*ikvGLIYJ&$Pw+xu^0G`x$e(4$&MfVsL!%nFXGklBN^@D%e+h%P`@9-yNQZlR~G z^1ZtiL(-<;d$-U#f)B60=aqS}@T|%Ggn2*2=;iZ6MU{YTuy6npbw?^)fT;xPvqUq0 z1H6V+gs}+P`sEoc6%@8-+9v)#n8HH{fUf=rw$P+v9dQcyDC9=&yA7)gJr{AD1P%Ii zcxh3l0?r^EUZj{Enl*7eIp{Z@H(9c=bUFU~b$^v;+g^1W-W~iCeUL7Aj%l;`5{#V$ z=u{fZ%7Z6kho9%q*`NDg94vwyKVCJtms+QM*Rl1$XJZEg)Q6~`oRqXNHJ`KkC-3$DibXr3OK@78BO@Lx_GX=X^A=jlITNl&`G_;7A-J-~4Cbsy2a?5_O! z@&`w@|36>y|C85J_etuSX6OKf*}$f-vJK6Ys54;A;ceU>DJ&KH+tD(_fK_pMh^vb@ z01jO@(8+h8SGeEsjcOj;RWWWmVfXM1&~5P7bnX?(CS<7N*c18CXD>cxD-|N{v3|c= zB=TQ-l?LEL=uhydDNY01Hv!wa^_)e(L{#g2{nPUOGj_BGB1R~7R^GwA7aqo<0uEq6 zLpPT9pH)Jzxj-|gUPuoilt8w8`H}tB`KdmrcFr;(1>I(`3&%dc>` z&A9ROr_Yatx?^i|1WU7u#u*Bw@;ru5vko}ODcu@TzC~QBTi@~zq z>W;Ow%>T6ln>=R>uux)E7g5bXtg5oyCcSw9hTX*)mE|r)kyMJ>YYvbJzcm>KZndb} z1i5qjcV47{!4J%E6bJ?eh<&}OeJMxr{dsTWC$Uo)S+RW4qUopIg$xNl~ZvT@G| z-th&NO?kO20}A|bL<{&iojU%MZ@6;+26)b$lM32cC9n1e9{^7<(s1@71&!yngH_PN zB=xO-ZIaCKG0vB)68*O-#Pa<4JM9eU+Tuqmca!LTf7Rhw9o-n>&9(W>CElx8s5X%M zE7MSIqF2i;DN#Q)MLl1pKBeeg?iMFUrPzaXop84YhIiB_pQycZb%quaZadfMq?Ki* zjBPCY=+jO8b}5vwlz))-tLLObtfFsS-?KN?Su;Oz&)W56@;~43pO^H%y=k~zn4Gov zQvnMoXqMa?@Ox5%hKCCOxRb+(FbbP5T2F!b-_7*1nbkIg-%8udF2eO@eC@zG=s#%*q5zx&E_~9r^n2c4c>H49VFOLk0UQM zhCJwZSnddl>pNsC7k>*0Rn8P>bm*%9Rakgfw`uns^5dWnyGg1i=oT^YWWiFQ7};{2 zsKN!Ej)Uyv^ApG*wqd1KV?$w+w^*WkDbZR>5X9Q)%JO1MQM6`<&v#w9GeR)+xro{; z>k+^Wn`D2*@+FwTxqhomd48oUPn#pvMRV}n9}VRIaLdC3jj$9X0?xh8G3a*b2Y_!d z{9`rQHh4q1f?`mh-WN83?Z6UNAn+n?6umt-Hvsx8$`!z1>C-g+)1>Gt&v-;+_H3m;V5~mUc$n<-3b+=jqVvr1-EtwCY1OGntm6Spu7%Xf8UP}6U5#E3 zwBnegHE$bIZA7`QbEqH7UIIL-=!ui!07Bz9zo_ojaXZ81kTa^f`Jxae*VwsMwuc`7 z(3|3t#{#W@V0M7Xk}|YFg9n9PoeWl!GiTN;f@f)eqy65F)z1aNWU$RFbYXZi2xgoH z&S>tN@C7jO5P;TAC!!Hh=OA(dY%Bh_#upp9?ZC<2fYi{rhfQwl-3KQmm2MmTrUf9eF#h;R$&(|5J*Trc#5)>JMO!J@iQFg6KXsB!F<%FCcX_pqerC8+X$u8YGsE1C&)PaFLb9psrmvlpbfv)78V$y5(Ayk?1oWDx^jKCzq^(5*j%J`fa z?MmOdcQqX6SK%Tpqs--oB!i?MfT7!d5@WL)?3kXyt-%xzqzKn?pYW8lU>1IEbzcN8 zIZGXP7%Mf5E%#*_FhpNA+Zz5GVO=Be+LiUs%iw29bY4SDp@e5&mjhQ^n92#NUVicq z3e7H5k5e-H8Bo_A__GpIb=a~`gjARXhYx%=<{^lW=hnXBr94C6S{#4IoK zU`Vf8q0a8x7oL8v2>bcYZ}SPy`J|W1;yw7|S282NH*FI2K2o(fc`xq-_iCONS?1yO zT$9ScH>w&jO3AgVq)hQM*Vm z74W-zC_zVk8Nc%ilwCq#I$-n`rl-9er06)+r|y3`T6N+`w^RtOtV`!Qlc*f7;>KoC zy}bf??Lw2&E`cM8H(_?;<_ixK;a12C+UsK~PC*X+9`_oFsq=uwL3cqa8J>mlQWv@aZ{pmTb>>-b3`lUjvRj~0U zjhIf{J>ZtHe!$5R zN=WVckgL4mQDK=>FW2=@o^64!*k4)E5V4nI7}-B}aVmQ+IdkzLRTbS-f4ury#vd$9u<-uA~`sAMXfks=|QrEz8}~4$^i)Y&F4$rr~x#d1bui_2Qk;4)!1z|K6SZCe1SoFQW3!>n4=6d-nj=6?ZP*=mEQ_#HxLoaP_r@{dAZfIFkniNi-xv!RAIL4HHozdT}e%2YK_Zrp-b;hcjUS(cG$2FC`RrMwjm@ zJ>;`}Bn|wjz_dmOEMHhtU^IV|A?`}OKo|BS?(Yy~pb<-pKjWSss!8!Sm+Myjx8x@r za)oru+Et&7kMBbjZfgn0HbjeYz1n6hF4I2ex};+G8qGx`Z}d17Qt1}2JBjWnqKP!S zl44l+veY8=#ed}6lKV$Wb>VWE_jbMg*O!Zw>SS07P7<(O`qB3-@yj^jF1JBvIy?^b zsP{ve)3W85;u9NO&v%7zbyW8;qovBE=tp& zYqM`l26~-`&Wxm%wg!MX-v-X^Rx=P>8Sv^r)0cI|XWPcuCPEly5{&%K=U=NpdkX%z zjUGwAWaMNc=Lr)G0kIl^ERFLmAb*PH6}|l-Yxtuy(LFJ2!2ooL?Euaj)kN)WHJ(c9WhnZOSy9PQN$vaHY_-A)6#j+<6W$_{ayMYm4K%%nU&fEY<4ZVyvEy!F-ob2EW-Y#!5!?o#=3&h% zIAt@H@YKt!anWD3Kuv;X-RVFcNrIu5?cEXReoSkBzrO|K(1v=z`d|5;Q~*N(hi%l| zGKFK%aSfXCT=YBmX(>^q0%=CnW?7hmSjYXosvh>w5CI<$T|r(2wWj<4;1dR3Qh7i= zQz?H8*_=S{I^Xjqc)xvk36^4zbiVPAXwZn~fjH=kRbfCqj5%KOef-YM6N{=&3WKB^ zF~BIevlQJ6maR??8>YgjDr_X--E$mnpN&DgUZ`lvP~U03ZEoXbH-;dmi#?#+WI?u` zt|gAY)oVWA?F$D^{<(VM-;HdYkD}op(eTMfq$hwdAeXPJRF64jThkpxAN>v?Q$ud` zqBp1X@x)D_+J)7we9G5!7Y&Kxt$VpH*-`A;?nIE~Lml`GQ+}Aoca;vo8zj{p?#2*CAvkvnT=%nnlPrG{hbyM!h8YTVCq)NguGkj=hQSnyA-b z%5;hU5r@eq+>i{fCR7_v+B>n(Tg@WK0im(5eiD#n1cQ5a zgk3vK4R1p6M$D^-a@l|)$W$K#e=Qq$XAXt@455+uNUb<-wcjZ#7zd`cB0r3 zo#9%lLfWV+79=fNzOe|{#C$uQXB`b5^uUKU7rEo!Tu+>J4M(5_#~7_3H6UU7o%ZEg zPx=h@S=~W>GD7L{lh;XF_?3F#d~Q=oXH%lNU&GNE0@H{R?d zCqt$zadn^kks%Cmw@{eb_`dKiDCcjZ$50p8kE|jj<>ea!2Fhs4J2L4`?M?5zZ~IDz z$4G3T%ijO5zTpM&C;4IOAaL7!ydW$Af z;AZyn*)8Mawucg#=8P1nNyoKkQHm;sCvf{7Hk#v?Q)aEIJrsKYN>P5cR}<{>*>8i| zT=VI;d@3Wm4Sq*Q{o_5y9U|W~8CUyTo_FV7Zi%qd6LfTxKK45+gsAJ@euI5CrdX1K zAHPGou(vO=elGdkcjbOM7n};E^8B?RMVW%3Kr3(ly!xZ&iTU)){am}F4MggaUco&i;MltR z)C&wl#pP9$wqfZaFkpp}aA_``uS+)~nieu9tge#8kT57_el_qKz}*uc_f?yEx$~2D z7;IJ*gsz~WRNF^Z!~KnfLNCmQ&2H}L$!d7tF1=P^5lq!9R8Z^F^a$nqWTJs!Jbuys zQk;=paKcDhrGt0&&dw1~SgB8SvaTiYu54OGbsl7&Y*}d@rRupGdNfyWD%^ce+afOV zDHZoZ&+++ck*Xhvp-MVG-_UL5b~zXKy(?%}PRD&6A$&=Xq{+43>f9Rot$w&kb48}NG(>#P(6CiN>FXTFK! zgYMZzO{=E9WiZ$2LDPFF0_Mew0oMsRXDKhQWUK88uB1xs5e9C5gYEbaN#1n+lB|!g z_i;5(tY6?Z)&URf*@N^nYn+O7qpAZe~crWKJRz1?!@`Ajl<2A>;@&N-*Km3(OnJ*I%pH^doq=?jQ;0;GOJQO?M{T?3Qg{hxpLAhKe z)z?RLV@HJ9{`hhWroNtgu1{~r6L*m$wUH>De31n8{mp5owTu3;E%qYGuebQ0KmLF5 z(it?9nUA!VRDIYtP8r$_5U#q7U!gy?qcQ+g`qQS@tXK_5m@gtvHQ7NtgF)_yN;tB zzsslu9evrNs&6-|hJzjG-TeEsm?wY)lZ&Dg|2D?R8o=6 zH#?W4p99M1YN&*yzeBM>G(!}@*#jjBo>=re2A3P0U+@m}bvtf|w@Rmx^#AQ2eCR=Z zUpXST^9exZ89Lsev3Ng%MXy$&jv^YPi8yO>u8U^?#;>?!d|Yw)@&aXZW8zj3liMt^ z&QFC#d42E{joaf2d;w^EoUu%ekt0FrX4u4m`IMfL|M;NBc)H^FiQ_(+VHNPzVHz#z zBzE5>+UplF{s3CS>!jD7+;|OA)UeXA%(i_PBJ=@iKGq7CRgls8Rs>ApTHVFr^!0=l zyDvj%**%OGn620yx<=O|S}9`R^gv?~4>g%j6;$L&W11bPm?njGTxe{|tY+jM`0Tt+ zzjLx5>;ad5Q{VL-<{B{oI&$^01xz_;i_bTL9w-VcE`er73J(LmQ;U7c2O@sa+3=BA z?N7}NdXAf~vmT`aMid)KqyQjU6qEN%0T&VFK&P48P_(y-!#Y#gA(#gPI*#AIRLGHi zel|##E|PErCKVLC3}j~&5vyZ!@h`eE4WX`T+csdn^)%|Gih8tPH@q-D=~!m0qM!;rOk2SgZ<*oBLBVTpP@zQ@YSjYkXO z6bOEg=9clXDW{Hl7u;QLA+p3kiyDhl;CG zZ@ozKToLw`NaVb1uOFo_uzhl#;Q)82aRIr&;{o&PwjL9$NB+fAXi%7xJr!a_^qU%) z79C{aLpd1+>#V=Lw5tFXCjlmZ29-fS}b|MT*lS5GcswNW93lB^km8 ztUm#U#pY)pFt2o+)={~1((#%`eH;%+=dDmQolTo?5dvZTmc41!X)ymQz3{l|K4NI1 zSz33;XdXqXeSUS^*aYZ&|Bt=*3~Flq-+s51jWh)}y;vxs6eAK!C<+21RS@Yl(wnqU z10n(q6E2 zu;{3{f`|vSO51{;S`2zoDL{6DH=)Bea7Tj&vg9`|AIl!Fe{e?eSY++#;)LgeAm;Ne z2c;xCqGgf|QSjz_U+|aq(nB0-NQ(33j*ze`r{(o~Os5~}T}fc~Za33@Gn)M^tnvBk zLuQ6F1AmB;>Q}b6VFAk32?8RQJ)H$t$m9FRt3Fn$X2Rp+$6+1T=g6#mG5)Bru&~K< zkQJM2yybBVknyaAf)0-s?)Dfp)h8Tp!?=0s)hHm1MGJR$g+xUiSAadhl839|Jj!EI zv^rxRmcYl$@DD0B-i1B(0CR$F$_NC;ijdnptPI%`yKq-eW$TKIMVc9S1B)}t+ipI< zJ$`Y{X@UpY;=C>czoDZX4><(aHS!v7(I=-XE`b&4w6+40w^v+V^#)6(yNv3;i@nbq zT{hm*Qj;sR9$EJg{u=*43Yn>P3OpJtZ>xXByI;X&TT`QFe6dA`Y25|ZX8yj?MGu;P zT%FgusyUFRrmCvypHFtMCHfC8*@HWgeet4S(W^`khxl5}Nm&bO=A)3_cKG0(NeSJ_ zjw<{YB5}@p0r`GTKif`;!{b@UMSB(F9o+r9VUzfe~AsTHlJSWV^ zNn-?pQ|I*LW%jZ)O1p!OHjxrBf{f8T1>t&Ltg#Uka~&qq^$Q7W69^8-QT5W!Zj-sN z#l;POPQ#jW#y~eYSG4JHE#;X`4cDCSB(C*F?F6Rb;C*>`$M18H&pv-)56BIB7ll9y zanAdvkDiDtcC<8>_UUzA-uV0@VA}A{YxD9^>9}}6uc4$mQ425_j#c~9+Q^z9c$AaD zs&Rtb%z>&H4KBQu5~ZuUEnGRro=#3hE1QTm_$a_MTOu3*%}7<5Q)9JwP7ztt*? zpeV2%VyjCX3vJqHU@4i6xcV*Z##R)<3l&Tvy#yK{O4 z@W97g$K|V@*Q5L*6J_FL3?~iOJt=s1>l0I>kF;<~lh3|&i~a5r&DGcp#cq@Ber|Rb zxHhUtQ`sH9*OLjJ{{G(&sVy4mhM!!mS1P2<9AOO*B(dCBP3cF!9?tVpbR6fxX{~>a*-Om4I`?Fhi%KQ0!X-fJM79Vmc1Ph~zaI0>-!oH? zVb_y5rzmUWSl#eOoUYN>O{08%%v=MR!%UucF84*LxeI*9k)(x9S-oJ8YVC(DU z!Fc*SeJr$Bhl^200kCJ;qcq+QbD6*|J7{eQJ7HK#%fR=b1s1|J1vzaU44DN9eVnjT zc66Qtm0+^OL^-rok~FY)%{xt5OCqN5{br24%u{CnAN1ujZG2zdW8>nhQ@;DPh|+&Q z^nQHUVY^yKE)Szjs?p+4S}sLpSV4SNDDRJvlMg8`OU6{ttA z>Bj>9PCvi%07v$OA;W{#rx+~QI;B(ZwYKc+7bB8yM!Y_^fFJRJi}Zylt09Z@uMAOZ|@}z5*&<4@#|~s>@|zBI{P)}b`y=^ZeoHRj4;~2+rxrJ!kaNK*YkChfS;aV77IH6p za_8xw#9b^Bdq7T!WsY`$hjg@rGG)a)RJ}|C5?&#e!Csxpwo*w!WC#pMy-8>A2jW1- zf$?0%#lsW$H_smrK{205|Y5gSo-{>~agkZMjL8 zYEd24eL9y=ESPgXbnpYfW1%n$IYV0`QS$h|c<%HFbxK)elf@l8+^om(wk$8 zJN%WGb@N0am^(5yb0Eg9wtLUR`vm|t*BSHUT4a9b-ept|u7KBA2KOS@ z-7>bkm|L`)o|IpSjk{BS@coNj&gF1!6=>00!It!KdX1pzn}tBmV8l|Aqp-dket&ar zt-szAdr0lzU!#E&PW{sOcPR>1D>SUR6=@R z=E;-Gw;iiIDI6{5x5(i#!{`0Zgk)BRJ$Zq9e{a1Ad&L})dFzdy+3;^V>Kdw+^o?|f ziUe{z5O>VrHaEVzaaF#Ou_k`PQ>SGDj9X-{#v5bM46|}l9XH9lW8-6Hs*na4FBfybI?E>fwr@*&b01 zkI|}2y2oX$UZemEXKcoQ7}a-2uCx<RQ>bsN5S=x zJY2%e7_{C`Xary9R}D@=inAq9@lgMNKJKw47Ix|7&_>9D3paMW1;Q<{0eBknDFgs* z=RbO|Z4mpLN)?RSWJMwNgA(9(cPDlVL(P6J?7NHDC?iv_z~f6ArC8E_IS=)RbRdIu zWjqTF_5^mD_}^iC;cs+wjZ0f_RRCI$w&0x%`L?1^-YTQG>{76lr1-1pqu?qStJp=5e; z2A75dWoDA=lLWxTF_1!NK5_*~t(SUzWD>~zvU8|MOW}68LdTC)OE2(0?&%igroVaA z&HFTM`T9q8R!<{Z7th0(JEpg^>3J_U7BpH|<-FmmD&`>doI$7Xz++f>s|8$n3j%%E%>z^t!=|_+~pq;W6?stRR??~=4 zy!+wof>8CEmQOiassehI4j}0#i#F6t*;C3qH; zr5{Sa@m%^~cW5FvD>W^ec$Iw&wBTIAo2roBV51P^3G%&z1O6=j0%b z9i{8ESd#s-{2t-2V6KVdy5TfhZ~0`@K0^IhpzQt5agA;bUJ_r-^_95+_ zK!lhXBCe1nHb2!d2q9ZEg#5mHW$lANwhwh_OfZYE0b#v)cvDorMjmA0!@$M3B83$4 z7$AZQeIEXZJQm<$Kt%Z4MP84NgMN(=+$PTf%#H5yGT$UibB76q@Lg?tYVY)tGnNh? zM%{^@<0d}GsS_T4P_@v=ZV)OHFFmKsdFw?()NV3#ZSw>K0pfl^$u=vp9b{(qeB5_D zaP>Ro7!1g}v}t~kbv#EoJJumlS`2wd>wvot!A|UdL)~^?2{uJtzMu-yFQg`qDQi28 z$XAVIa#?P$P~GKou*G7{wDk!jJ>SbLl^bo8toz|S!LsU#MS`V?0*mB%!QzM zKQycRy2F1dSb1dDU$b@ipuos)Oc#?36LfE64T|-yvTY8A70|RQHn3+-6^`qjrBi;T zCgVFXPjbA%oWkH2pRT?RBE}fp*ZQpo8}+B80mr`%szTByfXgXYod0!|8kO<;x88u* z)t|d`HLNB3#axQU5Ihuoe=THKV}5f1C*a%=?b_n<^^g6_Hyp(KFC0wZDU~1RA9U<`9qeRo^9cJzhy?Oo;v#xVO^3%DxpvIK zKxT@I&WmpGfZP3PL&%(dl2@!sh~gGY%p!7@H^tKr6qfmc^y)hX@5`YMw*(%{GSp$o z2D+c2k#ihOnHYA&n0cOri(12Z1&_n1hH9EiC;$WZt+l)itMoiG6YTrL?vUfnpy4J* zkSD(d9oyB{f1MgVOgISlzr+?+aig^Wo*SLiU|6Xt8D9t#vL-scYAj9=E--biBTwu z39v^sJ!Z@45q`JtkV-Yjk?4Jh{aZtN@7YsoC!#rVB^^}NW@9(JlP9hDs+u`Ol8p@2 zJ!?p^MU%vL!vE%K;9O@;Pm_+KwHMre!Ajx#g29}QwKRL}8c$dIDB6bprz4@9UN$C* z9G#HwGDK}f!zf#-Cn@FKM}=i0oXCx!I?+>1HRSi^&KTusV?fIRB(7OwD|4w=R$c}n zUIuxTQa-$sxkTsEboiI0YWf_76qo$;r}? zy|`s;W{s3sNH^HA)4#m^crfI}fzh_PHrHdd zIM%mFZx;4>`BL^)prNgJu;0hc%l*dCVUwi0Clq*=^GEcSCfkUH z*}8_Ud}>L+#Slr|Wa)R>cw3>0dNOCPC%1_Gf>hZIrGi2-BNmz>aQnu{))JeHyivIH zFa=85e{=@G9_jQp;JJ~+gMB}atGo9rbx)$Xq~=4}T_1z(7TcEu_dIRg<$)Dv_zAkz zSHePiZ+c=cc!YU>4)j(8eUqy>_?fEL&17)QK(Qs$7k(tM6sM?k+sY?!$Ll1(qP9Un z=HGbQSBbMEt`l)y$JK0gY!`8?S6%|UC{gAU7pTh<%DGrFJ4Pr*cK+Dq$07V-DEy9( zH_f!{q0LZnT-6Z&)%gJN??QXG%Ht%HuoDKbRsAOtj?3}zRjp`OmFzT-Sb|JgSi9U* z|D>hPHrEO9$X2S%7`j4gLKVF_e8AP+M(>fEBpLj$2~9|)sN%mxJmGKj_EJ6YtZtMnO5sWGn`y{oBo$zfwiKXEq1x}uhL{`I0o za^(Z!y9vMwG=pWOPGZ))XIuA?Q>T)v9iQVZ%4I}~VA)s`ts&nlJzj)F8BKNI*~||P zW61HcNn6h6naWsR3$gx!ft44bbGK#HUW^Hj^O`}6vIn+c%$e@K9~M@Kgt@=g1V~_` z7C)r<;LRYV!%p>{;b#pa6&@J_zY@UeeD$F1IG@;`SA^|10OOd7x zF(R9kc=5dKK`2;oyW0&6a0yKsGLXuH7S^80Yq^Pa^U0*$?Q2`mw@%h^jhs4kt0u-@ zZ5x{bnt`*S^@&JKb;bdhlJi_asOsXR&yqc;4PWN!%OQhcxHW!Ec|3DvLrmr=Q|pUl zXp%+n4W{F%w_dH;22#iZZ4_LY%RaT%(+D=##01h`O+8#EGZc=&86XSkoJhAk?_PF} zR{XE2=klpblzd5j&lk=H1E3uYWcTZBSH1;V#K)>jX1B2ApLr*=#d$=I2KL8!i9IwA zaa6k`mgk>e52mc;|Gbz4$z6%Px-Bw%{rPoz-bN6Klm3S3*h;kRl|FFzJTFl)|H+J5 z(#um}D<@j|Dj#OhA!Jr7#PL$VrQhUcp25m3hncuOr*NaycQg3b9)S5lh^Nc=`=&kS z*l-{vmuAm91>iE&H5?@~hj*|a_1cg-H6|&H3rnmU^B*EUo0!2kPf>cpFF(-zJD0JE zdPQt|sOO@3DTPRJ9aDa9*;oH#5=q&%3&?{nsiiS(2~rzDWnT+Zh1x#(7|Mon7@F=X zr|gB*?Wq`Vj^}cCe?`cQjYAxlFCor+;fh-a z(6gLuFh#C}D`G0+p|pE8KggNI|LLvL{~vg3RK{WAP{+yz#){NkfNK+GqKqb28Xp2c zoXN^17;OOPClNq+?J4)%SLG=?T<~2TdCL7A@#QK$HU#&(y`$*IotU}=>LY;KkuX~_ zHEg%g@C)Qhintp?LwB|yeiTq&Yl5b(KV5s}#HL=}m_I*tKiphwKY1*DZVTvQG*gU! z&AO)nBZ`dT&m=Wy&CF}6cgZu}(qm!RGC=FO3&3dtpLAA_za^_9d==$5JimqxUhP5L zThoi4+8*CzF*}$9LB}eyWWfBn`p?yldXH-DcGm z>tNMzuy+`hGCSXVJnUujw*dHQg>M94qM34a2SV4Iv}lt?=32T%OfOk+)otJr>$ zGbhg8+#5ff>$`Nu*-&TlH1FD_ zcUcdE68>g}Wj%yzrnioLJ1_9n>`|+nz?DcEHpCT`vqg_0gI}>eY?XW9@L}xroGj$_ zJL8tVv)|%w{T+6?GZnpotS?@dSxPyct}W=P>GdwQ`Yl$x|5?Nrk6hQcFK8``2Cl)z z_bN_;Sl$zJjm8rAG^sf%C03QixQ#rCU5-x}-G zJqvH&2f>7*jV*yONwBV}2Akb%+4~cI(Zva_j6+zhtY(Kq6r)%-@AN#Ay+ftAWyPD`_b8dUxX8dHmy&WHc=Mi` zES?b7W%ti(_{&0&ue?ShTuZ(=7DFa9;YLkUR2-tAnsj#D}uw^ zDkI73U9ViY7CC5CH1XmCb*zMb-&t~nz*^;LUZ?g);fk5FQ<>XjF`T7X*nJH?V-Kjo zKc3j%+u*#(aFXy|>XE9Q<(bi(2nIiO36_}N{$Qast@q)n>mZndSo0~pPS1cctRkc8 z4X3w1<@uycrg;9S`rFxLMoaZqLthUE8PF4hAGljI&vUorKu;jYOer-Fm|z>1&GeH# z9sDhx4C)YwQAnzbV}JbxT0s}bZg5QxqyPur3=FO%31_CN%Sh#*4ggn{?YabfTA+I2 zB`S%^IEaSy;=fn`73iO@oJKAr!IOmo8*1;z`g<2Kze*Oapm=fpFPP9~Z6n;?Gu8FR z5j{J)=E7rgEGquS+AqkV$;dz;1?O1K_fCA&QzN!A&~EpTi}CKxmydeOF<5E6yRA*N z!#s@5i*oUZ^7i4#`usz(2+3ubS*Y4#xC+n5J()I9cD2h^S(n3aKEy4vQ5rdMz<*`&{)_6c(sC41yHu$7hl&3%> zOeQoBy~d)45fwT9AQUnAp2Sp9{C8yvU7ktZvOPk@ZF^W#&e^qSKQ}orH7;Rd;21lEvao@hP+pQ6Ym?lOQ(8 z&6Q;23X2~zh0@aZww%Rei-pv9+L2TeArmBn@yl~RPCM&MHTTN5Yj!7Ne5biJ5+xjZ z%b$;!`XvW=ko2iMNW(|gf(?9;91tFDs=mp;6l4ac1;Veyj<`!(VcArU%gSrq;5oAv`$X6x$jP&?j z1n2~eXu9IgCwnMhe17`(Jv3{{P^;Nmu*f0hke)y5J3Ji;E48fE)9CaGTnd(PoQvdR z(%#eEv!>xGSI;5Yop>6hGO}y1%jUBDIj2udxV|YGrG`wyU9y%N2ZV_}JQzZ9XdHBh z?P7tK>LT3^=u&fO6JnK+h~yh7pbCF*kJ#${3m5%+CP}8Da%T(=)j&u4n zG$g}+hy@I$cy51KV{F(*92I2c9^V12n!7RAG}Y4lJb-2hF?S z;Y^M3az~4N_0(qNPv74AtY0q6l%y%J1;IOw6~?ZFDbM4zKk8pD26&g!b*j!JRQ*x6 z^LK))iw)m=-b(NV@HDA0O|iiP?E2GMJa<+4_@vy>KzDH;Of@U%qIMzM!BiPbEL- zR6S)&P3)@_H1P+urV)|#tFyh{J#JNEbz70y2HVil2q+!?HEwvNWNOv|QoU8wP7*;K z{i<0X{}5@c37v9JKAsTW&>Q_U2Zr0mi}~@e4baeQAXXB@b&ww+8lH-HNQeC_zVW;q zI$>N~;k0(QFd5d#$x>yihuH}BF-wgabwJ-n+_o4^IDuVAXdQ{# zaFp2i_~}@t_n@%K&v8Vxx-TAdwLN4z#{M;)Nr8jugImGQdphf|XGsFGQO~G{&?_n9)p8XHM%W8wZO4%&I{#-#+86l@W zr#|>*u_A6Q!H8h#3>Ff& zZI;^T3+i7X2MDomkonTHdumRut}+ZL)4d#Bn#Lvfwe7h3xIv6QwHp{OL~`6|Bc>eG z@HOu(O(s}eIa|$8Xy3>!3D&A@yybz0gQ7LOJ0#D515b|d)EIT~**E@8Jg7YYGlW`O zILzCQ;(K6juPABI?MBN@URWVcix{Fncq*@Zkx7=P4R4Wa3Te@lv^WH}ZnA_a*K|*% z|Fu@P+pZ+z+IO-Q9Z+NXRnjKuX@`Y6Z-04-kf4E0wBz$5fSe#mEekq(cX?M`Z!Nh1 z@eUGOsIHP^v@Ho|1=qN*22IzN%q*owf*38C{=e$EoUmGRh85$>GJT`Eumo05Q@e-g zZv~1gj1El{hG!3{|MeWZjo@Qm6L@0u_WSVUeTdg&QT74AP+GQ^D0<*667|=WD^NzdEBqSXoqDyK z$!W&yMUpUDp{3dZSL~ADuyq;K-s;#&sccw3T}(v=I#M6j9h2Df?BeZn9|JoZye?L3 zEFCAvp1d$*_-JTqDb5{LCOPrGY=qCH%+R58(1NE&54qG|PZ~3% zhI+JgBJ8zO-V8DssSv2mhr$}gFt*N)GuQ6c4P}S2_3ABiyN|VI#pB?UE!oA+aGIlc z{k)@m^L9b-(6u`*s}YX5)8@OTg#S8fO})^fa|)h=Z}%+KvU=%XsV1o+CYv^hd6ww)V)w);nkilKn}sVy>{g9C9S0^o@EB;m20=mkyWKiC2aqBRX?K`o1GEq?J30 ziAJc1A2cbD_YAtkf}<_x`=K^dh6{4$56BZK-TV2(06+(2i`Dj;oacpl+PiyU zUIxMu;*6=O6b^UCslZL*tz@*uAeXZllOh8DGR*2?IjsSxx0V1L$_ilhSvM!8g-^T%(Y~TmsetU97c56 zM2H|9vjh=2;3`I67!?|t^A{$9TUdanfJ~`qNq9eV)|Ii^*bPbLLB`8`PDp!az;EO@ zkW&`+=@0)tO~Hp4@cfQ&X&1l-l3QY}mP<#RqLZgqzF)zzm>f1SsR!liV8Gg4Y(y42 ziwTwxwEC6$=7LBe)IP*bJS=#c%D9)I{x*KU&JBK)IF_@J z&Y=(UmctUV#G>V8!iu6>tOLf|G;`Om%$v}BmzG;W_LOWdsE^x8drQ?ST4<4|{kT01 zzi`8>fK7QKCb}jvJPC>sWQs=~vR%_NMaP%B_(iX_b_|!Z!>U#TEF*y|a&l44`0!`c zf+L3xF)vBLEGnk_Nb90}bx*zIX>R-3ai1om#tHKhEkm%WFU zzsW+`Y0Ci_l}@Gp+9KxJaonUVXrJ%xFL;&j6wU;WNQr`VJ>o*VlQ`LIhVj~y zvlnp4NXX0h>dA~Qjynk@?StmAywVU!hysmqk|s;2L32)P1dhq2ge zQi@oX{I(-DzS#VNI>PEYoaNowSGzo;Sq>T|7b-~!UGT7`fb zr?wW>bA5H?pU;_6y~s=jvqP)C$lk;$#h5X?jboqd5)tq)RwlxH1s>Zm)!h|3O!wYt zcr!w--F_#sl?fs#3@%cXb$Iv_a)08-DnvvsN&am*5 zRyP`2o#Ei%Yk?iSF1l=CINxV{ebk^07FI1>+|*9%Zu zurAZ;H@Caz+9z4)rKoOWf*%de#pU5-wm(F>`w4piLm{>lMo+W2M21PsBy4}Bkhb}| zZW?zek360V+3+TZhdcr1PaPQ`@X3s?kc1mi@}K_SvHSXxMJ z1X5G+R05?$Go;hxj~)rFqh5&KsX2b0^63iS>-NS0Ud7e-B0^An*s$2~kgngvP^lDr zwLm?e?&llz&t=SOu@k`f$TenjEcfYT)^`Hy@l)eOYhS!r7!MwKTZ4pA(_gtiHxy*W z>sC-347D%M^aH9Wg>h`&!Ghi6C_t3ax>9gqI zD(>XRPOl3$PRZC6KcZzn7*&@if;1p6c~Ks5duc+I2>a|(TP5tsXPG}M(O$_;!qa%8 z>e8W!k~C+WDmXWJkH}$3%u>mpGO%-;=r8y9uJNM)tfq^je)q#vqUwz7t+NuxRl|mGaZ_c2>Img)Tti z?TP9%Yu6gyWMih*5k#R|WUGj5YLvp=(_M|z`_L`VN>sZ9qEGug@1)w7UmEM{pe9B^-iErR?w27!hDz%U5cMA+z8Rj(2$p&psv2?9EPK){Geq8EB2*Eu z#W-!WoQSy(z$bAGsxdIL>0Rv?+U>KRNOy!#x%7+ze@Zzf;FNgWy9XT5D>4A>v`_pl zyhInvGI~+adb;wKh>I{Er>n`%8-(y=oi*bl0A$+0^%^tXojqvblPQ7$fF(s66Eapr zs4o;Uun&eWm6#W?YFeewFP3`PVrOq>^$F+|MdNVf5IsZeb6E)5a&#u?XJ16p!33kcAW+&0yTQiTD^ObzkvM# z8?83P4gc%l-kQ)Ty$43f#1YcPqa7|#IMe!#a-F9F>b6E^n*~f7rIFkAdN3Wqa0`kb zfRSXixv9t9H^STi5Lv~hYa+|{zrMJxUj5ShuQGw0#Vi)uxC`?5bl3GQGB5TZTr45o zznN{ia9$=v$~D=(4a(?Dx0vEfxysL^b8qVtj)p2opStO=SN-xNwiaZwlgm}EiFVw` zC{;)bxEyYCy4Fj|El@(xrZQH>Tla7DIqB5YE4NrHbLts&geUKh@xM37{9Oq(Cs(u) zq)Lx?g+>cKRt)Z~)aI-BpdY(-IBC`}TaSgkJKZqGu)@Q)GBSsabl;B+9G5&jY2Of1t@I+AEj-rQ0>G`*Q@~{2nc~RU zEsygsuII?)t~;?UV=5T&B;lS~d&5L73!-)Iivse=+U+CZ({14?P2^8nfkBBFy(rFEEQS>;;$qbkT}d=fcOnAP(fyVjZkcv&-q+ zWAt1)$A&Fo_|@6VP-X1G#LV*bI<|r5J%@zXD%7qqWn}>n7VTuB;E=2raSsyWmlZ%_ z{L~ifcoJcGihiOWQKno&Fnucfc^=&NOh@F)B%-CtxBcW%Kbdz2v&id^tiaqN@=Bz` zryU9pgR4Y|Eo(Cd`LhlK#aJU!R+RLc`Og~Th4hO=`>@eZHPc@;^r;E9&;FH+GxKF7 z&_jFR4}H4v-v)D~JO%%Cf<5c03esk3K7>^|@RR9f-a17FcisubSdx`wPkh~O1_N9b zXNa-6(fyj3v3^%`R%5!w}u?!ZEozgc(M4V?%NE^w$v$6 zsrtjd2vjcnZ+=!x3wvA7p~h?CZiMY}OW8@XosAzx0Bmf*wu{@z(8T3PUd`y%#U10f ziVPUEpCZtlT|XB`JJEtOq>KM{_E(DC`u(yPs>r~uTlriu{Du|YidM|Wb$zBNn$h}~ zxs`1MB8@cyF2p!@*!yJ25zVF+lQQga!>Mw6dW5k}`b&w#miS%jWHx7?!Nl)`62*L~ z&o?n?7n}v%0a!_b6vY@yLfrTEy-W8SPR}KnYxvAWkzt2-U&J7yB1=zxrvK4#<6&Ay zz5M0{52Ieb+5`Q)wBRB*F@muq5Amx%cE8O+h&zH;T4T+v$Q!kXq?=WY&B)|jwHf%` zGSB`_Oj!)4r$khLS0pqXq0A<@oa9v#J00qiUz`*WyA14zhl0#o;fra(FJt9;2csDy zRoARbE_-wOGqzepGo9FcBMtSXwQe&+yL}=l#twnm+dbE*#H+p~37+ki%I=P+a1Qu) zjutElkBzF$?7tCbyGe4hjkbo|!(L#qW|HqpK2RPV)5-IkW*g1ak+xQ%lD;@7;%;iW z&WCJssxMbNRwv6Kp1F*Qupk;vrQ3MZlro2C#;WL6Mmp!{r-naJdlQX&jm(?W6`sBEaoY^YX3=#M_6IgDKAcUz@S^%6_=jo)lg}Osz5`fs zXk2|*sW*S+f99Qxs57Jy$;gtf*0P^Ihws%mCJ`3H9i?Hq*zM~^xIv2wCcF6(8Ga2r z2Bt4Bbg>pc12(!^%8YVrN_%ezE1eETS$~O~AMSA(=k(zk17|7yNr*sIIp7S5x}?0| zTsjOmIA~S9D2Rxu1w7e1f}wP)fpmUm^{~gQyrtud@cWHF0&?)&zwRTetL#}35{^=z$u@ni zwK-t_WgjYV^xyd5lwBFvYF=2cLLrGa1E{t@zR=)!_8B z(i-a=k|DM-DvpLxHK&+*BBo|4)60i+j&t)>c4%*9V-Jn8)RiOPjCwpgw6BSWIQ^_f zqvh71n+2zY0%DYSah-Jvfkd9;VkOLA`&4S5fr$XF1LOzlO{Dl) zjl(5QkD``R=aS{pfO{w0rih@_vN1}FqTQ;|+I;wE*4F4CB5tn&SFM(aTO#>Gk9N|+X#+cFI5g?MJfvf`#KtFdab(n&g7rVhBmi zL1Nnwa_5gUR26q7Ac&c`Eas&*vH1G^-iOR?Xj#d;wZLv!YgZ``XQJ1krV*Y+DXC~- z{{!MA&Ne)QhJ{Opru=N}9AKWCy6MfYY{VYldrq(l$j;1*HgX7OTQv=cZf4FafGkez ziO?EF7_k*aMytWvEDd2YS{AJtYM@L^LeHV@y@=JG=~4Of-0OCaIt{MGLy-$WEzYZL zvH7!jWz40+QAMd$8^M0cxI$bD$Na9t2TjO}T|qthp|^3RH-sDs?XB&N2EJka|2fVz z!o&`~`-m5RPE~XyhyG5!NO}zlL$a>$+bbAN?0yLU5LCKPpZ1^QGGNdN#k=C$|D4KV zCpbdQm%R8cHKTcYQ)}d1MajxdrkfP@cpk<797pPzzI2!X6Qw=!sak(iu_W#TRaw@) zk@cHmdhS0iwu4GSzpHMa7v{5$*;}^#F$F4@hagWKud_-&EN7G6D~9b2X;%Zu(ub;X zX$`1_#46CTdCb9}YPHf9CIi^#{+@%0)9yk&>1e=jAVRe7M6>A1GkJyh&hCsxr& z!-$WijrJKz(@L@@o7CO#t@rhQDVQWIh~cGLp*}t?o&e+69apd1RtPEqqCOuAkSm2C zQx+E(pGtgJ+vbq&uRM-EJ&bk&p|O)^xEH4TsWF}Q3_=c`x$@}&+VRxL4UJW6>m z$~?wVD}{H3uk~r~jjzKQ(2GZllDn^&YRu-+C(AU@h2=Gif>Sn`sZl4wpP*R3oiL&B z?qkpxT$^=4U0?wQXt0D<2dcf&_sF?K8|q^J>DV5Mrf$}>l`4DLjS-n}DM7T&Xrl}& zZK{Qly7l}-zmVCK4Mq7nt!G8^>q8Dtuv3^Ats99%SbttI=-}S!?_rr*&OW3Ely!^3Qz@I1l-NZMB4XE-?ycLDM?{778O2&8j!60_v#66sCan*u(YBU|~P=Y3YY-0gqGm{o`+J z#7^(zj8ty~77+ohWK9uf(X%@hmE=FqhE0&<+%yg{Qty%;E$Ua7CZ3h7Gv!h9)xek9 z7)*=&7I3r(06y%MD9P2V?3Z@I^;9qO%i1P7W6zdWl%e^K1fSP~5MqxTkZm|cG|Kf9 zd`}1(1NNw3;R7URTi-}`4(Gv_+|Q|#E{;cp(fa9AK{#lR;P7jI;@iV)Eq|1lu#xHY zACE$=|HYFJR$A#NcyyV}_H|Q-y25#!itG!_W*jDg@a}{4T12pk{;$hQ6g(qveRF;D zG+CRsKNy6UNazX+gM8yC=Q8aP-D;y+VrOxH|75U1E@Xkw$>7W;;D{W;ooo9|^_kR| zff7H`Od1-`Cl8vGMlN`8>-)aUB0GXsxp5&?g);2geLR+qWw4qd(FQP#TpBgKmzYPw9G%w{o|jL>+Pv&lSD$}ScJyX}_P!Xr6da34}i-u&s5 zMTOZ+m3)%ySVYL-OL^1HR7JiQtiFl&kT)I+p&Nd>>JUDxE4{_-P}ipeModrnYI50D zo1lJKQCil9xpk{yeC9jB`QRoMEjepBrO8w_EAJ5}iLuzz(U77{6m};+(T6C7$^UX1 zuAHPI=5P)sSJ&Gr2#IS{C{%&49Nj5&m<6oM~GJD$cUr3vv+My&g%IiwwS-Rey0w{NGfWeORx=XbG4Ji%0iLR~M0#X7CgMB{fK%I2xF(sKsh_H!( z#vcWuoJ3D1Nb#gs4<@e#FL><0ZYu<*MCAZxcGohPvYECI&se3fEz3dXKN zkTX7@WO1eUCU0cH>YHVNQD2%O{{m!qOM5EX4=%3@XL;DA_zAbxq7V6=(u?*WKg{2R z^TyU^%cGf144rE|co z$?))Ys0UcqI$%I973fvP&(W?zhVc+q|*-2oH#*=4qmg@QF0ZTJv z{%1ns*ud~Zg&g46yL}D^zgVHP1N+<2CPoTR%y2Fnw0;cMp!1`hXt@mtZxocUTb$<{ z{uJdOW_wJJVxHKaccD27n}wA*x*WQwLDw~ZO^a`$igtDO_1vGz4#_g(38g<>41{Q< z>pIa_WYaZ_%eHJS=Sz&(39I$n&eG3_#@1`kSUOc!e@4RZL|>qK$ets4x_VN~xeD|# z;gGP#EpB@r%wef3y0c8&U6eF*2$voL`@`No@edv!N@E;P3?$%|hU``3jbst$&z`Kv z>&Vrg(v;D4Jj6coY*(L7C%}W)Rb-JR1Qx~r=O2fTY+2_Cx_89>oB;E(2bN|MA`R=} z0=Z8tws~UvnB)f;s|0w}&Et8`QE+;hd4iZ!?}d5WrL~i1&;DqNf0X_I*i_h9%w})V z4VeYTw>TM6u)lm|@m~%WvK#XDIR=r2XdQXkXQfrjXLh*={q~H>BookqwsJ0lq+(o_IgY6? z<2$n05$7{!v@alK29Orm?RK6Wp=3ziUr^A3-xHGSv8G1_1bg&~KCX*ki+ggKQ_p&u z70K?L8(D^+7o&tH>Hpa{=U6TGEZN8vzoe54Ms%vIu%GI@=5{A} zTb>il10zbt0jq@A`OcCFWur*hy#u~B`qi_YU)uLC;R=zC5weLs4_g0SVupMP6azyb zxHJAbop<{;rpky5x6Jdb0Wfmu1{3WvrG{6Nfo#6ytN&;c|9(mz10%)Gkyk}+jFk=m zIz9zVOx0Vw>C@i-d6bYp%AI?6ci~sQDicm-JGkCAl>59eVNt5l!yl?l?8cTOEa5jY z3+^F2Z>c#<*s7q-tUpffrI+4e6Two|p&L^iPwojJAg-G%&2=+qt%NNmFd-AsRv+3=$n z;Roc7!7R)nX%5W23UZN{ zfTL`373mp+wmJG)Hv4yWCvEv(6w&vm-t`zSpmsp3Yf*OTmY8hg{S6|oq?E>eIWYZu4+KV`W$Vvv&Xc( z^{9+jlpK?<+yAC&ovmPlZ_7&I@=Xn2;UQWxPf9Fu%%Stxs0yQ7maOX8d?i*s>~1T` z25Wt6*?n(C?tCbKqK_3Cn)a82<7kb?;^f`nhVWo@ZZVhH(O3zSZ_zExnWdao*`U}! zzjgld1P&(62Mca9TEHNg`m#XfV^;3*$W6vRr%>fXss_C+YpII~ z{CGR#*W&3I)PUeFiDU`17Ejw#-r(}Em(oRL$6FeG4xOoGHbg-N6fmnCI_Nj+DCDwg z>p&0DqC^J?m%f1DvM`=7QS^D?!H${SG;~-F+_^R7#`*kuN2sZjapI z$|~L#>A6>$?+su13>{_R?E~+&dSUg4K>i|0UG!4SGXLA(V94KJm|;`TZ+n@)G691( zdK@H#;Ypqfhfn>WaTv1;EpGe;xS5YP-p|6f1y7Oed>h$4u#20m$%DqeKf@AXzun}? z%)EnRU6l zN=hmtW{#jqjwa`1r(#kyJ~wmll;viB+)$5M{)<@j(Ay+5oqr4+uH~MsfKsj2Whwi& z=VW7o;T`Npgavk+!9|4NXs|II0VL;DXT|ZaSQgZnz(s6;mlD7~Yoz)FQXhR-%YARGVw=4@584+I=}qKlJ7H$ETp6%Rpf z~{EP*M|%2J9ZWV^e{x|#}V3C zEwB0Y;jI)^RzDwdf$&bX*!jd`sJcGAHh=Y9uk{!-B)OsG#Cc&y8Dk7lG-!lI)DS1xri z{%l)lk*0UtglRGGx1!Z_)c^Ga$6XfsVP|3KAo{tL_*nvdf*9twjru?Fw3NdJ{7x3U zIaq3`Q+qWFvein0wNBa-oYH=OFCH$xz^2% zaHCvmd%x_?aBHdmc5!G{3lq=I=q@ohp?QEJ#Jh~p1xNjm!49gdi`PaRV2F3?%_l!o#dno7$mXXscmP#Pf` z?Hq}}f{d{}%JLJ?_8FR(60rlMI_ved!ig!jv#WqI;EE(q5uUl3;ghP~=2Ar7w95D7Bc(iTx}(@u1mRnvaB0m~eh- z1&(fZQlkIfX4%@HIhjpir`~8obH1#br>u((-$8yqDV!tdJ~ZieR#?!Pl*>Z4Jkl0= z#@TwgHU0_`m2WDzZq=tU%GC^n9AisK(Mbqjix1Rir=4n_0`phpEJ>)VW!8vm0CqrK;`6~jw-0S>E zg*X2tQ|{mWk!)83kXZcE11Uhnh)FP9#A*Fe_}mGC92h`Hu3G^CkYhm4GLN<7Q#}hA zGp|C#7+**G>K1+*p}l~hxuwD{8vk?d|Mlr-m`{QFaSdv**-8Lo+_`>Bx?W^FHRs>H zBkK~TDIP{73-@`_?Z=*NV(F(S=XxbkPwGyJl90@{zp5NADQ0Vm)fIWs%Q7Ob?v3;- z;tQG7FZ7h@PHL#g;zRf~lC&zsocS|K!CI$N^^DnrNsWZDiObLgB@2m+$~HwH?}U)pPapA>%~w6m1GvZ=X+UtORGpjJN2tb9I4m-eviaG zolney&#BhY<#{k?qJ`CuqWJ90DsuiI`Pnlq9tYgJvOAiBx6ZmP>p-^$TvI7j7bFWHcltjB!yc z_5E^^Y3yyS;gfEL@V$}!#*qq#g0g8^yyBWch%R8MrOU$WkP|-mGUTK@E=Xue_61Z` z35~r#@-i64(e+kJfpuI+?~vH-$h|YD8d}erV)jI?>jl(Y%FC9Rc&AS|=0VFk*N?@# z*i228dT3u~))xJ)R1F&bVntD9JE>HzU0KV$9lBIW>eyR5ZP3zB5S>1FF>4!IA40>g z&7PIN;o34;zf36h7*4tDIcH+}qWV8~+rK1K|8|G}&t?F@0hVX?3k@vC4mb-KosFhz zUdp;583$v82AL>yQ1|HNnQ18*vU}#|~`6Rz=Y8=Pv6-jvNPG%<{S>FN%kc9D|aldZi_$0$&zp%S-OtO2bpdFOkz04$k=Z4&M)mweoXgjNBB^(xMCGk;Y4vFz%bKu#KqK~5Uh zA|FyfE^}Az2tPN6o=W6716nmq5dCbkB)@xOK`QN(_JPt9wpXRc-Thyn$3H#$|JK6) z+dt>IJGwvpj_|PHkzQQx6}Dgyq_EPdA+4juo#ox|7Mzbd3_lN!osISWZZIuGsuyZ0 z(Jk5Fo^D){Rw5gPPCDS>e0Df&?gee+nB6({bJ8D+;M+_2R19f)0*|DNObpsELtm|# zbx|+;gZl*-(pa^N1WoWbwK8gf*;`F5uVaJz!}vxSid>v;f?r}EJ#7T)@z)A5E0o&R zRUhHLofRE+LYO(D5>BOEzZ^Zij%5 zB3Uf~N}qqr5FJ2(s)DGW%9n z0uhXQpL+9|)mRiB@0!YzD5{~@W59*!d$`LJ?GWALD)yss*HdqcY)As0O3>3 z)__kAAxz%|kKr4U=j>rOc@Z2>Z~etG{r@y#|2mHUW3RkjCeh@Cr4cAOXr%u#4)nNs zdPb#IB4#8;D*Z$ktaZ7Njt=`2hTM!%z-;@HLH}m(iLm$W2V<1UQK;x23JGi75;$$F zj{#<^Ol!O5gZuTc3d~S&X>ZB0;Bc$Nk_Zk=_x6?GR1?Ebz19hO3sPH?^&3;DJ7HxS zDmjdY>_sogymI9bGfSG}M#8!eB-`dDY7v)@bc9IMa~a2#dhit_C=WMWk4VGI3SkNO zos4L@Y$S9<&pM;mE}{Jie_c?Hnso89OME)1Z~L+`55`N@FkZzSSD3}g3gD_L5_+dR zuU|NQaG9lAlq@#hLlshk}EfnHr)Sx_Ln9l^a363b{@Diba; z#&5$hTG!CehIz&##H310CzWQZj;T=L!6FKK6ra|WLg*kLwU}Vrk4$^#m$Aq@H{xVkioLK1S&16+7dIWg7!w`cF-Yt=wvjmmf6vCw8w44!3+dr7x08@3s z8>lXmJo6!mc{PX%?QwJv{Rdog7k)aswuyCCepI{J!CMXSNUPU>P*#&kYvk1r5I5X) z%(mXU9Pl@{VS{>n6~p zeU}Cd?P|!BaeOY;U}CuYg7iw?aQA(KbM#V%8ixkJKFHf^vwki{XSZ?^2*Rp>X^;`e zUa4iK%`w3ikgxWnFwm^4dh)P#a@hv367q&-zxQbJpE{-kU$`x|ITLO^C~1uCws9$b zLHSaDS@*0%mr>2Mqad!Ts&~xp`xLN*)0mzJx0W|aMEl#)R&ZDzK9(HYzt!1)DYl+rWR*FM+`x5Q z#!`%FD=n(^xM0)(D!5<(eX+uFSW$nWYd7Ipy@jW}J4RJ>{#p~z5@BR_2zeFq_)i_2 zBj3Fghq8efaNqpxIDraaF=ph9{24=FQR>S~#Fut)VkmH{(sa&;&l;aonT zBCXt#dvg|uDn=mhPaP*$FwNB7%eD2kYJ5n`m$$zj0Q zHim2T?RFD|pI;Z2fcb+9PomuqqjB_&b+Z>f(O=c+pCaTp}Ch%f&PKalAp4=UVEtppu}eMEI(oBs0q; zuoHB~H_-)C^YW+Q4i3x2W1pqU$A~Q%m>-HnWNGsBN(3o+8#P|dOcKkF*;cBRaz`oZ z;^-*PO5#i0OVbT-L+v6eGioVXx7+^vQvUm?{9m|M1ec^B8-PO{(i?-44YR368ibuI zB)h);CMXLs`bgCMhaRt$Of|S)E#nSP1L0utQ?QSm2H7YN(NLxKCny-D7@iZ2lCSOuwj`{Wee z0sXJm6KLCh6&4ukefgThG|3=6&+4__I1Y9=(HE2s^yxK=4+URdq?n4%_cE<-Gv!`C z=hW*tQ49tGvsKbSN?u&WM;X@g3}}PZtDrD#k(PQuF2t-oXj{EI5a>4sk@zz1abw!L znamS~`s)N3N%OX(3{Mb-C%yI*N=eGyeYXrr)V%cyPAUDY1r<5sgc1%T794GsJG$Mn zcF>C?J*uVDm^b#eT3~0Ca3S9)tg8+GDmU@9uGbU1h4I=YW!q2EU7TSOUyM^9_HUZJ z@sx9!vuOR1I-&Khy}}F9ZMNxF{f!7{^@>c<@ZrZ8e`ZI`M&Y%M76*)K7lhe#|4fjQ z@US06qkhmKm}%42?t4?U{3s8Ns<196-T;$_#f<=ZsWLVvJaW{$tc6iYJ5Mg$xR6-x zX51uFSD}&OHdaTm53rV!s}|cd!jIVUJ)8-<7lsLLEVz$5&jiIE0m3ODmu}@l2Xdtt ztK{98gKJ|Lc;C<=%|aw(Ck?|H4lHf|{&vFc}VC=2q>M z@-=GVX$tSc(BzP&>e19x8zV(Pw;7WLji+pu9JqX(Jg(D z`U#;K3x#*8k52$yjeunYWuul|Q<%KhS%__si82u2ban(xD0qfqGg}i>fvxtER(h-Q zf$OT3_jFuqNrt2}H8sD3_V?M(t7h>dwa(H0IS8)Z+_i;7(WM&pS0|1e%XIl@1=1*M;wt&>#dJ>Iz~1FzBRx130`I%CdInU zcI;e=LhSN9(hl*M1JaS2?NWmR-0R>}ehcv!k4ou^*9MIW1E(}dWn=Q8{0d9<>G@K# z`G1n(R7RuuHK8et@bxmJX{FXIL4UAGJr-^aXK|v9;wvdf7y-iPs7}pB3lC%{fmYBF zN4Ikkxjci#>-MqGu;>5A|AG_YpHP;ziA*ChO0X* zVzqL?CER<(xEcy|=p4BBz*K?Og>w|_G=Ejmt{?VCdl6_*LmA*)lg_=azla5_Pu;KM z7leD%%50H`W3E7SHT0H4e9XG|A?)iBsP`V0gK%~yh+JDGJ-(ze4uw01=_&hj`^e2) z3fIb}6o{!d8|lx~!~Uop1~bPhIoK~x$og*_vbcl_NaGZW>V^*r4iXO_cbO^>N@$Y2 z1To{Qp_-C)w#zhD4?u;8MoRrYA{aO(Hz7c2wFYrC!u+(XeBB7%)t}$iupsuQS*6RZ ztCli|_Ua;)bQfBQUFLGdlM!Y@t=%g8#eERzPutMyOcO&rRGW69#ibc*@Niq5qJ7Bd zsT!i(RuARc424IfjX$V{a=6EVDey?j)@VOSKSU1`fJIn5&N82ZsRG!U{n7)p17gGk zmRnq#Cd{py#R$}H@iKzWf|>^2&U?Tq$w^sVyBha1E897=YPC=_T_*MT2id}r)T2TLy_q6-SMySelvi^G($i~X zJ2O-jWie(*m$DIZCICYciE(j5or;n$6|x&6{J3sSTbG+dZ3AQKB{c^rN^UGh(*^g8 zJ2kwPpPbRr&Ox*p{bcu4Bc!@simY4I*msnfZGD$da#+WOJ|pHI9kr>d%~N~NA-5l( zzPUQ6?I;ij4>SQavMCLZmjaGK_%RP{j$wem zuMxya`sQ~=7t2etgPZ;yOZ?TYqxYx^+Dsr-hZpk`H4~n|bSPAmi5LE8^ z^;-?lSWU<$p?xeWFiCjC{Yz3Cxzm8;kkN8IY9=oX5iYyCShwFI*yFbk)W&1u(-&Oh zqBKhz)#u8=OlTsh<+PxCyONZ{9jEa2x8cB!!+wkYT4BXBI3VY~v;D9<;5Y9sNa#fC z*vh(i4K6@y2=Qt#?iE*}2QF*e7o6QfqSd+uH_QT$9XLS!J{Y$I&hG~Xp2i&!4G*>{ zWTs9Si~cqbMpoLh)oBG+R{$?{XN1E+g%x?Up(p)}1bQjwy}?YmQfWYTZ(Se2?S0SA zyV5Bb9Hg~gTt`Qj&At`a`oxPF82p%50eTaH4nIJJ4LS3OkL$`cR4)iG@ou}5c?j0t zpf?Z@;(E!TQLZ~K5+rrR_BokTcGB31i_cv{*g^IUDlYFGv?D(}3#r4Mfa;@j;b-Hu z79N@D^8g5l;Xc*M>Z*%OiR>TI#>W|lDZZ#5`Kouf{p1W3elpITU@h#=pZYg&2e?=J zO+pGu_+7m&OC=U~I|yX9P?`xSSV~KA!*2Jl(qP)22KUwtBp0q|CQD%YxDtq_HJ918 z$UJ9TJ11#rZLKAfQKIj~h#%-O^^Y#L@*FPAUJEIlV;Yu_7n^PTDzj>>T9hWfn=V24 z;hkcHm#-a3jU!|VR&iLPF6Yi;W2}a>Y1uL z$fUv=lVo87+;lW~2_SUJ@%3Fvl`I`wPeXD>Lo(S|?_h)F4*Si|@v4Lgegx0A_r{8> zPNCZ2#>Bfb6+MS~oI=lYR-f1l%M>vv1@0g4VY_BDUyfL0nR?u-ysyx%J|{K zoPC%xy6b6fU=%Z_cb|o(pv?`l8R&H}F;tttaI`#U<^G_nbsJmf$dQngILGvzv`h+? zDv-;ebn1JmoXTL!Ecfm*4+X`jDkK`&F(huEalj*SIdpJsRc)m#+gY=aZ43L|6M%_F zO3Tg4VHk_Dd}tsk0r=>vuy3bYxt5!%8qN;w7njWTE{gju=e1cA4gQ@|YIv&qH@c?L zgBhs%wyc$>_k-*Mmv~}SfaM6!%I+p4vC>DfwE90vu&r~i_dHjvCT0jMCQXN|>pgA|>iHUHZd5tR21)R0p?6k*C3h29=nzKWZF@r|u` zPeFzrs4BD8FR7ryB=)mAha@QS{ULLJjZ%Ms|EFxE0ff&}9|MwL8mUS-u;*E}a9qo) zOgyDD{QTilDq9kgy{|ojVHtYG|4S!P_Og z(7clYqc|A2!`YgrpST3Cxs_m-BQbgY_L3* zC^<=;ge-!NP*A@kPj9{ySpzZI=Fvg0Ux6%24SG`{?2xCG5~C=II2OO6{hc}TA-lv{ z_OwSuY%Jp6E*luWK1LO_1xun>4EnScN`^X%Cz`(uYtEvU~e6UH_iKrmmy7sRU=}=cN4uo>`&N6yLAP*Q)dzW~{H?tH8T9%c#Uv6k^ z^V|rzOt!w4chro%>HuuQP=zG#A=mb;W8Z#bPR{9V)=K`pPVSN_HyKigcmo3B>bLH% z+?I*I?Bt#WEO)+Z1caHAUdqbKqs`7(DgMqY;Zo!!RU{@{WQD%)*DMuL4}grscMd(d z$1voOra|qWYxdqfhqr2{LmPq|lO0nWgObF=%%rd%LFHxK;=wZG@t4Uy(=)-(=?9qf9GkG+F8u5KzYJ9Wql z0V!Pj$gVk`yV1`{Qr{A#LdwRDVuB08QPH3fGdT#ky7PBtmg8D794h{sZ`4Z%=SMy1UrpX_GQE6~4pjy~cYtx{gBnP8a zl7N+{Bmz6~irO?uOTht7(6J@l3eG2NshD`_iX#CR$+%q9BveSHG`;&s8~kh;(&PYb zptLhFdpTuRA+%nUHM2LT#=B2&A64pAqFA5nvMYOYvdZ_wRK;%?avTcnRGfK z(|m?qm5u~Tfgu>vem!Zq9(7wLdJ7!puH-+aT~6W{?e0#sk3xm~0w45j)#kFx+N^6! z;CO%C`rsV>U`eydFhkwC-*^gXDW!+FzYe5ppHmnG>7`XSll}HDvhNlII79g?EJvV@ zaCNO78@EyEIUB5;3~GxE%K{=~%r<^sHH+Pe>UuCAAcT}}(`ClVNS3^w2H3CD9*EAW z9RtSGO^zM|6*8lV?Fx!d_BrWQh1oydi5)5JhqATCi32dAxP7-g0o%FhSWO>2gQ==B9Q1WIEB~`yw2L} zxmH}iA6(D4jDzUrFU{YoO3r-@^HBbB)-fj&vFW`zh=qKLmV`^Y2WFTK)3w8ukJL6q zg#gMQ$&PAu`6)%W4DNGJ7tgg?SC~sqM`=on2#_hPO@(r+)^U??7b%~)l{R0vWeaX( zot@|IkOnC3A_>B(4~bxwmo*~#ss@rQ&3QkTM&||@YcU)eHa=8(vR((eow4t+diqhK z#XD#n!F_}S%jqufKlb9mS-OMr3gAXef_8?fiR!#Ar?w1dZm8nw6K<7HF34-ECurQ> zbSFCs5CJN$%PT74a+PzMd2;^|Y_-HAIi^eCseDwr&dQzm!;cVJpXhsppCrNeqyf{) zaT9lE|I|s!8m?8PgS;jIsZM2i<2#hpE@0P*uhL(waa0v8p=6j8uUL3V1x$%mKPB9) z2k8FxBy&E<-C2cTqMBv)Nvn!IZ;*&SB8%mq(S9OMG_vy2m1sLDyms?|)LeUVQd?)H z?(n*xyJG!7PdaPnw=wm_hEnD>K}L%{zc+3wl$Tx)17Eh{+xDuz=U=jSzYT|1@I<|cmBB9s*M;8HAk(LL zKTM1c7H%+K*)Hd2Fy}jL$WzHFi?L$g?4S2kGJvl~A1sUv6cx!Xxe1rOo{SY{A&dD} zL=$_-EI|BmZPtL;YjDR*zgzDggIbKxp#2xrE6D%i(4G6oqH(g@yvC*UqO|s z>GUFv_o6&8_zcyPzWIPA#qF&WvR96cjeDn#3!kpx^h0TmE=ImOjQ8I7p&#Fq!7JBh zOyDB%?}PO4%@_`Yp1)L1#4Ua9OR5dBz|w4i-|4Z8@oB*xb#4ct13)lm@6DG zo0-a?%g~;RB0-z^=2L>0YP1SfRLLZ;1$Ba|=J{98J~-+_s|lZw zI5g5Ves(^JZS0KbQm^}u>{^NU+PE5#d(MCW&Ytl3AW%W(3%fz4a>E?4;N11)==MZB z)`t76Ia}La4yB&keMw65$Zt`l_c~=sn{w?7TtG~hTKCyq&t+*xq({4f}!c~uhJBOR!#RpEXc?`G3Y{^nD{jAf)&*j9s2#ZnD zGkhsqWvceiYk?Y(R^Whh(XHjOCf^@*lZ99B73=d3m^+W*@5gGd$_Df#L9K*{!LsIF zT;{=6Jay=+eLKMlDN4N&Z%zh@;sU$Zv_~bg31+jOJ`7`k*)^QCw3IvW&?m+$>x_4d z$lCTjeTQdp#0&g`17bmRylc~1eNB6_9vJSk{g5T5CrQN+@0-lX)u6Rrd8GPOO-DdVI*n*?8U5hS}&`YOm9r(p)TpBXe!k$Wx7*!Y-(%u^WRy zQQ7RQgkR>l)HdwxrP-YR@X9*76{GFw{1xQG+^kq;L3b+=7l+&XcNa@{-tW`Mp3X$; zbRfnUF@rojDgZ#wyzq_E>XhVp+0zh|E@jDd>;#qwmT z>R_+Y_i(+VfbBODPk$K{EbCT(mdWoB|HoQHxED4qh_P7iMS>!?;*%#YlN6nptX^QA zq>loYh51WtGaP)2sWAIg)Rg&kZdhSlpx=2b;1=5)#x+1+S<>1X#*xSwEGe%2 z;XZ3rwqGC*Q+brq&a?&Y2_iBOvQD_EGAA=Fd1x+-OFwh|$q!T4NEh*N3)X_Pb|M&% zBZ?L;hUu~IVyyCo=qR(yIJiAZ7uNXb9&59RSVSo8cAiE-#)@oS*W6|@N|_i&@H{+^ zRhnos8g<=Nt}+!3lhnzk{6oukoHLcn}ctG3`2bubp}@t)kG`d~7}Z~YVj`X%uU zbMZ(Qj&4Rn*~?m567UG%GOu;D{k{My6R_xii@G=FR~w?aOe^#((F*vLnb%Tizn^9Q zBvZ$coQA)k^W;yLnS*qhc`oPM11{x;uDN5Dl zwzYtfSh0Kcg%Zm4<_q?#xmvmn?|}Y!R*OAQkI8}M)o}Ay%*{84d%B-{n$C<6t(5!w zRP?Qkr-wdy)Q{58Ee6n6a`}rzEsdsHI|u5qg6~Q@X+&wd^KB`V!HK&TyArVB>o*iU z>Ml%#ryvMR>I{{EV;>}Fs9!VOD2~GBZ1=d^gB2(n4HJY7&Y1y}Z(lP~v?fINtG!Xh~yXXQPSd_RSu5DU`2`yz`pn`{=(oQUEwj3}&=i9A`*(gm3vEXywji>{WD1^^xxwaj+5=fZ# zz5c*hY9YXV`e=it(=kXaU76h}*`S2O)U9J56E23wMd0Oij7n2G0deWDgK^6Jt8%r6 z$*g7P2&T_eS_q|?NtGNcyuo3z(}o%{ODtIuc_&nd=omuIO-dDu<*@H)8)Im#;9vfE zJU+7p7~l1Fqu2} zxnl~ikl_7IK`alvA^BK*bKh>XP{Y=r2`bIr=ka5z!I}od;R9PeQ+%I)$urof%`%8}Sw-fYxAO6r z{#x_p3yuIRkh@`ogt$2@WcAQI{-2MYQ>}W zL|Tm7l3KaT=+f^|WpRN-07e(3SofqKBpS9}xUvt~btj@*KI1|EwHJo~8D%Sw#R)>~ z8k{>rBq$^4jt^awp8G9Fm0c5x1i$2O9X&UJhy99HJ*BdfnRrm@83vi_ZkQ;;R;l=F zw_o{ZV!1a++UM**EnnITQ#~gK5_JyG`^(df{TvpHI>hi$6f^oN8azSQfvGBHVLv@e z1?NiY3%_EtNk=z3d{!tvvdRYLDrd{Rwg$pqh_8~I(b}xly|9Zd3%zcr=&Suk^ae?3LpD^14Wf0o!3uxU0QqYP{Ease)R9E z*-*;GFJwmZEAb1-H#sO8GP%ys@osZc?F{3V%55PkVd)!Oux z&L6+8ngZWpbL!*-CHo`1M8gGJD@%r;uM#9}V_?#}x5%TmP#UMWyh3%mL}?Uw;*dwB z85+hiEXjf_n{vNjf6wWDc|2H$Yx>%|uy-W`8<%XZ;X#R9lwX7Wn9zd#FV9)$xq7Dy-{- zUr{+c+S0YNtZO&Osjv8m{kge-?UXllpxE#--~d?y=mi(P?Q`wr+RKj?ux(VAGYBeX;K~>gWo=h(HrJzd7e@*$h{S*~wvT;svr}aKm*Ct3c2{`#?n%=&%Z%hNz4Rt{zWA>tXoJcIJc7FQa30v8V-B9FTN-B)?$A_Z-)jyJi7McePD)y?!z-N+gi z=a+OcQK&M+nrc>QTwuB@6a7^_3CWp}2YWrT-WRU7)Lz$eYiwDQxeTtC?Pj?2_QaS< zn7Kt8Mhss0>gH&aUV#%`lh?YQ;spo2N_JQ(Z@rTKZbOxvsNg3PzS=x%xRz|k(Zj>; z3L3H|GLc8jdgY?Q7a#tSDnT9QWCht7!I^N0z(c`R*vwtycSb+LMc&h?YU&XNYpHwF z*k)BjVDIS)j2_%+i4Nsy4>Vt{W7#q|WcqRF@9_(1PrgKPW%x4ZmnF8~!+hD4c7@H* z+(U;Dm=I~O<$NLStZhhr^SzMzjiZMwuSrjzyj}@B5T7?_d1v&X@YQmi^)UND`fZJo zlnae0ewBiP1|6@_2ThN7_N}c`WIf9+x5tcLHSwW#vi`i;E@+K0S8vO!UVW+fo1t&d zWAW5%J+YL+r4iead8Mn`zTGAWbxvkw>o1hvtI>-;{7tKw0+qA&bC?S%Aq(y0i?519 zl(`o#F8Z#6#E^>F2UKD?4*UqmHXwM6;hPDT-TNg1|DI*_mX6}cpIc0%&}YKtEvNgt zZUYhXo+p#JD-l%9u90IaH{)MTL)M_1wLdQ;6he-|&yC)wKX(D{LLWaK$MURP2%-i- zYWc+`=s)Ck3&Sr%OuXxbzFIt^QxKmq>*2}s?Pq^+vPqb>aaVn~@vgoaE;pZkvCfK; zRB~AZIcc zble)n2wX38T-2Fv*=o%S?)jdXN!b{&d1uO=zvPc1?lc zUK3Thisgz?MQlb{9APJF0qU*xll^=h{o|j-dnI$v%vc-aUekGM`?9)YBbJ(dnMBOe zqYCosNraO5vIIAay?1mf>)fsBJ&zo!NqBSqPf@Q#Jn9V>&MbX++|I7}(fXQsxBO=3 zgWpgLDBBa0vEeiukKP6~0YPQ;^Xq1h4)0v1jVqZ>SmrpNpk*FvV;rG!Tl3I8cjea~ z{Od`Pr(4f|IEl{9NvjOUZ?W}00H)%}&5zy{wu}58#KiWv2YZk+#`5rfdE`zmDUqw{ z_JxbV^loBCa9Q%vRxB1@HYOmuyb)r!W}3|V2*)tWv0K3)ku-QpNJ%ZwL^g%+I)97a zz-yyJBo~9#H?pC(yU*Rr;(KxuhA3&j(tM^jV!VN8@&h(}E#vofwF@)@nX3687zeC> z+-NrnNy^EFhuFQ;hqj`NZ0Bg6=+ca^E4YPe>cLRodoBmsT2u-5ze`n*xey2QnY&jk z)2_wm-tXY-)^{fIk_NM3KNpSid3H%ThoN_&X1qT$=XbuHvJ4i!(;h@|mTNNS#j@pO z8INSJtN}brk2kx>$%)vPs;KFJOTj)Y*OFQ4e3a)sI&k)4sbJOZT~k%~Xce|0Cd|5N ztfgk_j=0ui6}*SsvH ziTR?d=UVsaW^KD*LS&H(&4jc{w!N*#IrX2cbeChbkSM}He!jI=Gl3VKA}4pJ{xv>} zF=$622Np=(62PutL<&8KE&PFcm;*B+PA@PpvwzaL<8nj)vrYr*7XbLJl5VdEXMPwF z?-uG;D3?uRGELhY{oc&tJQK4r zUdOdCLOLsT_2uJpk^rW@r6|z$Q{QIbDs!P@!`_dCDE<-Z7cqH7<6LJ#8GGSxeHGM# z#!sKd18RZA_4YGY3Ra3bx%G?DMtNidQ!mCPot%Ib4%3zWMs(-?H`=2E^oifB?V=C zru{r^C8U4r>Qy!g*4HIIru^QWh1;oV@_JQ2e){mZBQ6#jE~EXiraI0}HvzGQ{f z?Ej3Wa>f*2byte2X&EWswPuxaR*I4xjTOKLo8grvjN5xeY_|w4nfyK`-?CXZ9?-?` z#i_r_AxA{$jVf+Z#}cg6^;~k3S4PULM{y4hy9XlH&l?iIt$mIN|AUlYNnU3{6d|J6 z;a#IeLqYq&`|2wgG`k8Ed%15zI*69nHgBJkt6qtH9HYL?6}Fx+Y;)JzYnsyF zTj09?0>bBXfYjB(WsohTx6|KZK}{<+*?l)%Jq)~RC_%yK7u%3@wx-ptm&>DUph zn!GNSb23vyYf7J^@ymrHGfA-%=<8~8*0<5vRjYOawPA_)Pd6@$&g8H!Vlq8Dt%uen z#5}omZm)zJEhC>FR6vxq=z+8khd*QMxQ1RHfj{oRLrPD|&GW5+gvrOYFUm@?Dtt&l zj8hmJC)Vkjum{2(>ps4D6+Oaog?S@K!C!s;T&z0);u2^hT~=&_10`O_I|wvsKWo;lZcoH!>hbL>$#=O6qU?dT36-}3xmpHqg>aU zin5X!v0QJfqI9$<_tSMJR|}T8xU5L&{Hx0K8F5i^1p=j3FO2wOb6`C1?QA95M&PtC zCVH>VKqpEu>@e|kiPY2}4{~N4a7bV90E5jf2iR;7k)l8O(ZbU=qE)bNzlz>m)1g1) ziWPnP@a+#Gml+%*uL}+@o*5?$D!E?UEC>0U9bS!YcdtEXwKMw6%5ZRjQ8Sa)PAY>U z^5GdSlgNu)hIxIMvDT;cj#1WUF3`NA_;G65r*Q9$*jemL0pvNG+qH?gR^z9;Nq7B~ zJELTm-Y+=!MNyf)p{9&6>r@UZyCAbM<%zUjt`Sa^TqM2t!LDYnkt zA@MQNmH^XPru~!cFFoo>d&9Qyj$~Wje)5pDflO&;UEnHyw8})L4F6+`WQ%Qbszo?$ zo5K&RcJSYAoIgK296A&{V&90Z);#j&WV#J1`ciS@Hcd&sPe=4n?ce;so!orHu!S_1 zx%@iub6!!w*XWG_wFi&9f?vdhLiZ^LcgKFv1`jHQ5m|Aa_H|U5E9x5DB%f^yK4)NXP72iH1zr zdEgzFu(opcyqM&ny7Z%;@n9P3dRbH~f9I53BNh;cm0^~w!ZkjgDq{5o{e#J$8t1*l z{1)B}2n9kLdy;ujpknIn@9_h{xG4}qkYC`XrtCNR-A*k~`SH@O zn3Wjq7WeDwAOc9z>$bTt_xuDo!z<-R)N=UO>1>+@Ga1+_5jgAeA0@0*k6yG@L3O-3 z)bqx^RBV_sIe8)>))v&>VRW^?N~C7{tVz3bQ}b_=X>SIK!$9M@Qaep|SK_7x7fC~h z?(!rEwT{lSe}67vy!yljPW;c}LNCx-uVuuzad8w#%IuY`A+|k58yGVl=11dQgyW(U z+DuVQVhRp|+fg}UT~@DZ3qS-7ed5RFpc9gx^Py4l+%^sN@!}j;8Dc&?QSWsZL*k#W zUIFKrd|98~4&~iV&_G4e@~?R0uYUT-`0)PklMi8bz;QnF-Sz56IRi}sTU^X8l6X^@ zH|bg_r@KlWP6m!^J()}f+(#@$Zn!maS&UAEE%J%1<9yfK!Zk1fi+G`AiejPVk$m-& z5bClxb~UpgqQZDs#WG~U_aTGc^PxJS%mb}O@uha$V03=v{HKmA9~qiL7dAmd{cEE> zr5Tfa6WOY1c-Kj`SvKPg3YDr)>W0+6tYjXdl4;v->TsT*ol#^-e*HnoW-Bv^AU7+r zsx6J!7mXOs%HHaF>Uz>Tspom>mi2pf#qCRWmh+%d%&6X`WfpnNE%!Yuz0 zu2;JbU%V8b-bQt)V09a2H>)#j+g;@z3invG=)2ORxP=>|g+*%)Q%b|G zf$0XJk+{z;-H$j7z(WQ0D*w2nVRXwfMJrJ=33(KEgB=CRY?{K0TLxWZAu{SH+x?!S zO;>#(=_%h0F+yV@>HSVDI`O5>MFln^BGa;}(S4yW`+aeATdG~K_h(uj!6cyL)`(<5 zzQAelgt@(Yu$Nksr^$@g^UpJxwsw{j%-0{AxPjm>jm(!y3)H=c0UBnL7=ZDoH)Xs- zOoK9MS+nGtf?} zcncH*1#L+z*eG3z!p}AXe2PLYoHxr3-4l+kSmmVJaD`Bdl?fEJUAtU$D>2!SPVd-* z&U#e=T^}E}VV)K$78#!$$5pJKSzoYW3Chgu?SSqcUvB-|C_CZa$A&pad36!i?|LQi zj|`2^UtwM%9ISrr-5KM$y-GJvTl-M^e^K|IK~1*Z+pma%h=>YOr6^6M31X10q7;!L zD7{HX0*DmphzQbqFF`>-dJl;79*Xo{LT>>f^pb@4yu9z{`Olu&^S-lZ_ROCBg^@{! zOvrVeYaQ!%9P9lIB>N(@S7m(#P}~($PCAPhx7_#*)tGI+R0Mp+b5<24U;!q(I@Iic z1ZV$k&B)LgH6DbXrZ1P8J!xi!DM zMLdl?2a7Zp!DiY>3!u!CKh97I|3oK5(Tk;mjn)pgDD7^u7JqE!S~>u7uIz$9Q=T0q zSOPq!mU{eZjMJl$i+xBywg~yAdhU3mTK}%lMMolUTtkxS=+SeBM3Ku0y+J7Y-$yCWNODwlto>X4Es!V+&#L2|Rge@eZO!3KCE=D`o zj6Gql;D~qvz>#|}9TG|(_}4vw{q3ValeYdQ-bbss;gxRHdTK@#tRP3`0{kw` z2neA9%{Mw>nx>rpadrWiYtQzUgwK}J)2jd`#_G`M;^t|0%zK^)jrQdbgNvmfpI91?pjlYTwzi|GOdRb({dg0H|u6Nx_O;= zylpU%#ST`)uG@BhrMgSJD#71JE&6T|<_K!KSFSPWtUD7=L9aGUvP*3&KxjUczE}20 zAkrxPSr9nUSz6BD{8ro&D%@+WCm3sE{YY8hZ%uGcnw*;L4otfYI{sh&A6_Vz(JOQ8 zW0dzBBN%Q%F{;e*XfZBJssk>xO!2c2fJ}i<4A#E&eEY@sw(m^mqo>3<#`Ni!rfX5z ztoXA@Qy3V_zLk&g$H=Ge0M!|DH(4KIfukKS!pmktwrId)jZ24Vr$l)zUck8Z$8Lko zmDq*|8>2NR*8q4J=kJtDLjAR9FlUjV(u+PbxWOP-S=5W+ErpvPQDkuU4vs2|oizA| zi8C8i;k{Z$0UY18gY0eJY&zY&$kp-gtpCUEV)zRqpE_S?OEfa^+8+{;glx31G5@di zk{GA=oOp|H?coP*CFG@!qN`yw?5B^At7qjoVMw?!*@2))IF_p zZ^R%KX0Jff#o3yDL6W|gt8_^3et?BjIs$E?okhD_O*$I>3v$HVljk`E<3KeCtIlQ@ zF8YS}>=(gV;3y=-e)ix7nU!bMDX3+|(w@>r8sT;3w4{oEdgR!Wc+3TG^^Xr1DExH7 zVWNJS^&s@Z&)HDz*WwoWvp&m5YQ5hA&|EPa$`>0sK!Rsnl4rkZ`Gic^@Y=hFdsblM z+3y6FyCGJlYUO(rm^vFPvTM$H;(H?JTb14aC|k0<97hw|kE`>0M5=9A^68?1$T*>p zZ!4KpZrw;F|ICLIy+5TX9j>|DLyW%ZQJnRDYidWg3H1_eZdp4Krg4nyb@kStWEGJ* z2m-5{^%1=a<~)bhqYaJkJ9*7>%T1-eM6y4)rfJu5T{aD7>QH$g?{Cu0$J+OsGgtZ` zi=!kqA+WZy+b0;szC1?tOKxVzN@~fL9M2BdI=cPkZ)LqzKkD{K>T7R_=hHrh!Qp4p zzvDPaDOILA0!Ub@@|P{zM_JBCM1+=OAa&|H7u@u#mI!~ktKLbh(%5+B<#xX!rHJC{ z(cxt9+%KGbTx@=!g=(Wx`KP%3Jfdwjw86gQ>;Pl?DRvaTHOw-F^qqmwZG1U>{ zpUlIMHnPf*&0~x!SfdMSk zt`*I8T{b=t{nQnRu?#lUvYo^rdDoyJes0-%odtMf(ucZKHi~MoNqX{}jMNWX0@-Pk zk{?yS&xu7hOZ?bCvG!9=Dar7Z(6 zZ!luvQ$6tT=m88$>W=B1@b&i{cd}kt7{9)`8tJ$IOfCHyQF)4TT}8dhbD1%P+|VqP ziHsg345zL&f02>e?Un9)%FZwwO;;C6XE`r^pUI*3afax@xBR$Zf!jq+94WYNCzOe&UBuV|O2 zJI>=|i>RD`B9hI!rJp@1y6elrv&hhL?!@Ce$qo#^*x42I_Qfd>>nbGfQv>34{RIJc zCTL*crDd7=dt%vEoyUr>!La8ibQT{?63dse#%UE@OW3N`Hh!fKAWV8AnBG|Y+#f4X z9ViuA{gm!e-Ft3R8FT*#EMDbL&HH@HMqt?a^ayKYOomvqJ4LCb97MT){*1eQiT6+4 z{xPu^yFWIox?=0gTubXUhoN~w6Qkl5c*;2qPinuV#cwUg=}bB(ru_1pJr0KBQL{nxm*aPljzVed%94*>m8Pt3fJ&kBfsIS!^f+`bk&I&TeYv%bYNu;PmksvPd94G`-m+<4pzVfQvd8|I zp3ZVe6Ii)|Ay?AhN=nX%S1{U2+T@rZFBNd?RV2gPw66}qY-LOb;$YH{RLkpZRj6oE z%vEa`7In3i>Voc`2HqL?AHUAscr*Rc#(Tip8FMICfBcU9*k@&74hx(yt^)n%Se1ks zC=GX}p!B{DvnF!BO4b@Oef+E%}6*aK8K{>FA#6zGR zQae^&=BS=jQf2srH+;Q`F`B<>B~8^=_{AnT+p>SRDl54Z-&;WmsDHQ>XP=~dg4f5d z(o0HmZaXTs*5;QFYg?ut0{}qP=@eL!b+N#Fip*19XoMzOtNMSMO9DUU7Ga~J;^2); zR!ot)GTbjmABfE6u%~FwEs^fJT$@Y=>VkL(+;*wx<4!0gh-)!~H z@7&(1*Ulujh%OrLj02!Z4I#d&tTj(hjvn#$8as1PywUkKH-FepTR$aVRMh_PXgSpY zS_YAEAxqi} zbT>KES+UWicA_o2=0J^-XJJeu0~&BAr>5aie+E+rE<3o|goBhualc+)SsZmyT4QW{ z+d4;rn>$IJCecJfZ+kA6FG)miPhM0c2{EiVjGUd&(CIa$O6=$z(tw^%pA0*T&t;-o zxp=Mab%X@AzSl(AaaGQ9+GUBCu;+eXCeJ;)jq+QcCw!{}lH!e{TGlD(>^(saH#Ppee*Z0B_i-Iuz+rrQFg4B3gED>*~P zR81jXG3EvkQuxJ$o)91&b-{MSZ`@~i^r;<6KnUo^d$|UBlVG)C20iS_HDW3z9HZYVf70{Qc`1T%+J~BSujX`*To~C! z_V5chKY6da5euI^ROz@HcgdaR?}*k!st)UYn0gN1CV|83BYV$+Tog+(j4`_{XYFR~ z$@l5&z=YscxaGE2b89kZg>>ykA+0qJzM!^9{&yW-6MTvz>mNkgecD8ER&7b#?ekT; zc!)R;8Qm@_)g%VaptpWMkld;#ekNrLKRB3@i`vReGx*}D_%llE54bJ86w7#{iEk}1 zFphZD5by-dA2-K%O4zf;9-MtHg`1@u2=I`gctPZyg>cP@TxjC3F6)z#C=A}?Go~X$ zf0`uo1C4LeDB1m`J^Sb9FeXVWjW-m|>e=i#XL#Ryt*H=op@$_)aMEEw(UJmaY2-A? zmG$;M$4kl|d(GDSRuYvT9RmPboWbk_*&wy;JPOR+;@MVHsdO!qMT4perjBxkON9ok zeJzr1;rE`+O(&m4y@U0&q|%6F?Q`YSqUlmG%V4>Y?#$xf~r-{L}>PX($ ztdsg%QL>3lS(YK@Jq$S2QWjX1&a!z+KPou}a#~!Dq@72P!~qYDw#Cf=r8_Uuu5*Qs zFDoT&wcR)YX&puLiNM`B)^Y#BSt!duY~d3$fraGWd5rfq>5z;tu9X9Sh)5s6*i^+X zn`RT2C~IvS4yk>^MnpvgA9KR@c)KTP!xl(CR#^n}9)|O--0i$9h~&}Z{t~+2cC-JL_g3ZCK&~@p5o{>K=gj!eth{`}fYTH4y zzWNgr@5Qx`6DuSs!#2VV*<5C~nkbc%dPQ31!3CvM+;KP8!2xCaBJR9!?tlJdQ?;F7g3FZb`{G+u=(q6!W(v7uFs>qE>qXMz zJm}ZAo7i8XYONDCUotkh5Lf#i)Scpyq8S~*_dOA1@{&`0u_jN+jhVub8$UCWC)P(d zlUvR7TPG$B{+Oip?cd=lab8(ofL#-Z*ftvW8m*aEk;1jukXWHK!4bp`S()di@6`w5 zUsY`sg^XK+Yx52rRrvZ^2HewR^rX4XBAZXNa_@N!9_eNI50;PdrznoFKY?Ph&T~Y>r9|}Z1{eYKVf3^QiN}fsb8{3CXB{Pbon`InGo{4`oB<= zJLT4VG+{6ik42w4bI`vzR7aGo53L4R-YIy z=rA-u3XQ!Mi;S`E<1k+Z(9{!ylDD$3hIVZi)F<8)CvTa}PJ&u0sdkgn-HKYaLawB@ zQe?uCgD_3jG0>cC&im7WN#u$0JO%a&n10j+k}h59@SN;T1|Mcez%Et%+=m#0x_E^% zA=iru!FyS$vi_j)QeO_&^lAYpf&q4uB~i>6&(y=>IX#$o7g3jEZ!Yc?(z7#CnX=Nz znm`PT-T+lXOIN~u^65WT!u+}($4n6K8@@((Ex@VsQ6`b>piKZPs$90hgB59T57 zS|jHbcMwXZU|RyDd3)}-dXEXrM(xi5n?rq(nk>cz*ym-XvMtz3l*H@LR1u^1R?shA zJn52~cIw7MmZ{QQz9>8pXH-|mHMwYlGtfWvr!VFU1d}g!wIR{#}s&tRYXU9aT4ltxkC^B2SIzk10Ur|M3f9({+3U2 zt865mBTl!!Pu!MqiJDsJ;)Qm%8Ia+Dx_|uj^2BDGzN=+~SVLGjCYe)XRE=$oZ%9h| zMS1s*r(%~xJ8l&7{rcvw>-SM^j*=;V^2-u^h$Ejm?>a&0+YICt}34bpFo2!BRncSN#C!ESr;+`drJLeDlrs%8##zd$ z1WTo0q^kk|GLW47l+L|vf`&2 ztrQ{GoBcbOE6kBg@#z9Bp(0559!DH7=%8~h91r;4?NawWY!!C0mt;&01FTQ7 zv;2HC7dgJRCdDKk3KWc~?cao2z+v60<-4DW?j|eMXPv`Hp zTdNX&$@I-|o>og>2!+4<2qV1cG0F%&AJRuyNKyToSx;w4rAN1kmyw5!9YkGvJ<$A} zbzY5pG7I9ad9u^HGN0ASPo5M=XFr?S&4A{dTKnf|b;GZ{D(#XCV7D&`m~MLdTzks{ zQ$YYXnF8rukj`jH$}78q3>f00wy&~(&L-c)^`MrpSGf5$mQcGavAIe|>P#-m<Z2dO)!g}G#PBnSax8I2=UYgdY>T>lyV>J<`CUUbjlQ1`US ztYWHUP5*2CKLXlCBl>QyjhI+Ys3w;d%9`I4?8w-MJYR<}#p@N<3?S#RuNn7GudLO* zvlnvzr~fJ--JK86emO;;GwzHm73y%E{+3r|!lQg_sGy-GPt{+(jhxJ<7<+L>VxlYI|8ysr(O-!;^a=PT^CPNH?Xylm}}+E?cpPJa5vN0!QhqeFXYB=97pjbl|G z2bWl5TDnzdpXdEq^13tI8l}SpI;mPB01kHg{7iNvw&`@%Ywqz^XRIUR{Vn$8)tn%H z9?>e~4J<8IR{R1rf31x%31UH9&k^ejJ)Mnki{MY{J=Zc~-BllzoR!O0TePw={=V6u znFY(LQhitzLhl^8<1o}hOT(n66AF+ZHs*7Iv<4Ld#LDjx1yzTCf1RsdSG}5j9%1J& zFtZu?-vh5{4Ky7btVJM>+4;(CefO!>OX4V(sWyRpraaA*69^GbKN7>9Vg zZpDdYH+a@Ti>$C9;OFc6?Xz5d)nF6jIz|xJ`rsPd!|NHBopmHoS7`iydU`7s(Kydn zd)&t|PH*`&ram`Wbc?~ui1BYyeHs9bFdNb74xC!M$*?}R*D?aav6HLe<@YYbU zD^j>#q|TBUb7r&ic`8UwaI2`!R-Lv;54juHSd$=jwdLZ`Ih9Dc<1u$@>#hycI@szW zC9Lu!q>CMwzj7_cb&Q^p03x+i~(v5;5_y**X<> z4CV&{DVn|AwD80|E}|nhW)H7h45FS*`LJ`rDC# z9!A_B0$)CBfBmo~%AARO>Y9K4qzV5i@R0Bn)a;LscUA&>fv6JMIOr9v7P;7b;zU6G z+T3naU)2|O{wKCLDFoHAbIQC8(U60DreBzxevHncS>#kJW=wf(bD~{rihF8xN3JRG zycCm-{P6({rZo7x(yGJ1_h}OsB(K)h-+DBA+rsG*WI%#UO-AMjg z3qx;fg^}|;Yok@;ezvR8L&)WFjC{s+UoIYLGe9|LErpWzZe>B5C=1O#PcQg%iFHhr zvFxN!T}PkPW0$8LQRLj8QGmRSse0PE`gq{O$IzI7{if6A&yR|4!dLHd5C4$GmA5$_ zUE;X{l+Y!dkHG>}$KS!;jSJL_jj;uQ&ENPwM(1UWTdeJsi1=muwFNX{ly+xE=>hnat>r#W3am21|ACw3DBK<6a=w%Ava+%MudQ)FIefXqgRj)F~)?18$Dje zi7W5H66H+cS}zc~xbc%LP*Ih@`**rWZNTIV8h&mdnAcoPiMnwt?=<^89@;K!SUL=d zcI{#T=9mW~x}`;2>P40j!g<<1+>Fa&=ySLG75Mc;^t_!!hJ1xt51t!71RA_(q}HJA zG%H5fXxq#Z*0t|Cum@0lwPf&VTeYq)6Bw?S!GZj@@BKWseSgZ2sC{LbUD!FC4ClF| zj^tZfonK`tCaJIgTt>uX;+ImOl-)-KEL)7V@~ZX1KR2T{BSsInRNO(N^+r}Udnu@J zhg<2+62^~Vlh+o$f4l$tAzN|)4s22f0lOE7nv5~`Z z?qHp^nS6|(t=IvV%?&UOxpS0p>tWn$NFwUE9u@5b27>Aq$VLgA!ReksY;*@ZxobOz z(N{O%S8(Yo@dW9P*LNE}ZKf|${Cd&#u5geDLp)68NnpSFp|l&;nPV5&|C~Gj)eSI2 zc~(e8xh0H>*f)_2j#OEt3MdIVU%Xong1R-fbl-veBpSlgG}U%$J}??xk1qi}0fy{s zJ@$q*5Iek9DW~*fE6aS#y%H?>b8J^KJIg5HaZMg zHwlf%CITrhKQT*De91!nv|o&JM+oIY-erf?aW93U_wA!j*~D)R#QUz5V!t{4=tL9^ zdCN>y@QWE99#i3uWVSz#hf~;UlmOK3z2WNqTNWMb1T(J;Zk}InM}{MaK64PuC?WGh zO`ettMh_JfEmR}cVvvkekM*lcc(umP=JL?5y+wCON9AQqI9ZQ%{9q~!3${>~*^tIK zQS`T5ejk~^SLBpmy{LwK-{)zLo24S(j5ZC4!wH#HSZNvKW}ao8C74-Fgn4&viSi=~ZyEg(@Pz4(d1?DBP^ zRv(K%uD_4nj{R&5uGzLwCIUR=YPtlvVpzu`6`YI0EC`)N3 z`FkL-`&4c0@C2Z3uh&C0d?~~ola8=cNz=QT-c_xf6ICG#@ZO@22BYms#M6}uUtJB= zF3I1iPSC7hdIBqA0(nO*fWmpXMWQ|Z*$Y@1zbhi!ZrHzYRTCdkBXze0AcwVG!+F~1 zTTpP{!0K&yuRhrFL~ecf6GWQ?fxAn2B}kc98mSuN* z1$DidEh$u_cmenjj(G04B4PHx`fg0u|frlZ$j#H*>;j7&IgA$L$!T_ zygd7t63Ym?1gZ?kV;RUo$JoZr%*{lv>WhtXL-W_lbM9_^qxASO|D6M;@V@sfIgd&p z#yhMW49Q;Gp-V#(Kxxa6_$pZ`r$Y59rlqnvO;h=g0|iiH5ullP}O&%BhIs z?i(J!819(7@FaEAxohIU{!!$|Fo6XdfLBJZM-8C*=WrdJiM zRW+2=b;rd=t%XL*B;u3fB~KH?jxi%@LIhnJ%Zh-jf_=~1ana}6sucw<%u8i07uTLZ zu|;;zSq0=H`<;mnSnAEdP4=k!4zq~JXH64c<$l{gWjQvOYqbivNAH1;psY>ayIEAA zXYyPs#oQ>CkSW#mhRTxfn=%y>9UGP->oKh-oBIj$Fy3~-6C?cMYfjl>*gub zQ)B~@cio>e36Z*@cg!_09Gl^ozU=&#WpY6SALYN)gv_ui7Gl#r9_?pfwsC4XpVKD!mK0iIPZ0zgnSZIx=B( zFCT5gkBzBRgf+pE`Tk7SNE4nd5{pwBi_TPkQ<%yiM^zE3*`|6U>lA)V97On>T;+xG zeY8bjOtsq}d}5~5CB?+ITNqtka`UsW-$_NX)9nM+A|fn=Ae&N2Fs5)GGlq=KG-l3N zBgZn|`zAXzp-s-hriAr-D(679I4>S&j$Kl=Ov^ z4B9!W!jm80s<$|kM2TM|o#wMW%iN<_+O#cp@I&g(=cr%rlS;5C0La8$<6p1Af+RJ5 zYnlN+^Gz`WF8VOV@Skc|4{N!uU9!iS+TT9lGEVy#k_M;QJkQQC+8tiAz{Qvv@&_MU z?wDm=jIEq-SBO-v=-wAewVP`QfnNOU|zN~CrvYjj$?&CSa+;7@_ z4-vrE@Qj<-KUJP_ZiCZqX~a{R$5?GAnErnCm_XqH zhEh~Umm;$L#Vrmm{8`C2Q&jiNnduyoXSKpN1Jsz7IazO(YrLn#PFr7MCim(i{pGYd z%t=NsG9y-dN;u)>8Ey?WmOP4$yR|h!5zjB@$*fGbB-&#zk`~05cT5GG%im~tSA6L*VWL~V^^5uWglS4QsIqZuYBI5Es8sNd0_%Q!Fh%sI! z@;uyT)&BE^-{e_V9?S2~--v(#rs4Q8^3LlRAHQHyhci|KNOQ-hv^2_9Z_xv zYa>@ryIsip<#gg86-R{~VLrtM;GRsL0See*I#!~^Cm~D-;m-mAL4oJRLVx5r69v&g z-vx6wgB&S~M^GhT@j@PZWk>m_Is^L(ocfU2_S2GvThDF%^@og54bdzIp}j@(X9b8L z@0>xRnyNVX$1g%o?OUlS(fNayaSJ6aG&~@5YO~7rDqvEvUz7?Pp+ZTf{u&}pL+%VX=9U14kZ&_#=xkh^adRlf;tPBQ3*N%Pu z?eX$}1`SGX;~9ndjqMR2dp}A_z}`$Mkc*_FcK#(`Yk#2fK~cY;;J3WYzEFs$$O?R> zd+%G)Z;Ktj*#pRw%7l_-9}M3erl=Ig$rORSql!uZvQ}lkcK$hPJh{NzX-{4xvI}hT zE^Q>oHX}VaDCcK4=F&j7(iX|inWU%k?^nwcT<+x>vvuoq_dJ{rF1CaRA{%wKwbCzN z?D9aL5)Q~=!Xrdk4Oeum3TvEF%vt;1aXB=pw9p=4x)bJ?qm*HcY}}#H zyIP1ePAdGad=y^N>yk+&M|F?niNg;8&fnIaoZffiRM4}@G~OcdZdE#;98zq0n}Ayc zjOh*G;wlHWgz;e3+O?S*{+DC(93rwNaaL~?eve01JNFkmj>RGz%I=(%tiQpFu;}IO z?w=)!we6gfm(>(RdN}vCDENg~uk}}$qM8O;SuF-RC}VF_%`K1jjL~#YMDuoLUHV}? zzP;hkPd`@f@j_`1&Rw9Tv}E=$fyC?womW{69sM2z06gXJz9xe zZY?Vvq4GOS+{V_Lp3k_(mHC>uW>1$gZ?^;*85EltE0jIwd4|)_{cO7+ee}wc%4Tv^ zp41aaJ_hu(oK8;_yp1H?U%ae%Br#W*5WL~xn|ci#7u14>x1gJU$4O%_Q(DF&0Tu!x z&Bogm@|9nql2m`L9bC5>+W@|6J=B?|HCw0VJs)_qbwKS%K4=U)CUNmw#j5>AIK_%f zgaF_;L2uXIGtRQOqtf-IF6)QRSIO6{Xh4p?iF%Oruo^^h^Nju&CU;iA`_k%bZe{KP zCZjIS8D&m&$F|%oN=9m<$i-jS`V{OJ=XQ28=ijoW-`~?e#&6pvZH;{tjucJ_Q)hAW zpoA+ybKvmlG&DwW6mBxdTO&N>pr#!60_cMe7o*hzp+MR~Vdr@+r7gqz6%r4Am`h7v znK_pXRY!`Esl>oX?5Q<1ZI0W+hDIyi#Sh=A*l!KwMP2IO$IM`ov_y(CMnAQU-MO?~ie^p`Q2CSjA zGt@yfFn=4+#ow`e$Bz0i1$%fbkUbx?>Z7upCF;r_m2T%6S>f%K@C8b?tBtxy*HjBc z;p@N}W#xTJ>g!9R{X^YUrLOc%Y3hLIASMJw8qUqvcOP5#J;B#v{*bO8ST!BA zc%cz!<(i}ru(09QQPe=QE0NW0rB);R6A)uPu22n;6Ddkga~pVk-UGS8YEUT$5>tv7 zWm$9gc2`U}5Bu@oH{aF1|DL7Kd^p$Ca9AQec)Y@n)~6`bl;ZS z)Ppdg>5T_@z-eyjF=72@$z=%`0$EnhJ@J|%xRrU(eV??JTpLlUs4Y@IZDJwx?tG@f zwP?1L&VKdSM(b1%cHI=G&FWnB3v_sNv=CBe-HESpAm)U30-0#>*Z&}|=l0G>ZEcx*UFr{$ zOq(cB(5FKMER^aHhobEx{H}?pG;z7-Lx= z?;1>oS|RYdb1!_VBgobgR?DLY;{kQ*Tn_}!cL5Q(_2OS`%xc~{zUZrfw2)YxKS?Y_ zC+Lwq2?<%VKb9;^Y95l9*4~CiLHo#Bz?l;l`2qnjkGVyDFP8=x_&u_-=|suY(mK$< zE)Xa_6`CNsYG8>QX4pp}PfgT>t%rg|7u;~l+gEMb&F{0J1(F11OOE^yKvq3{k>n@x z*iXvly^-I5WPS3=j4f_fcXmb{VpbQZj=^WFB7>cB&!aV%-hL=4Z&AYUCQQx#J%k;_ z*Zz7itjX4Lp_V>m^L-PA@C!!2Ax<(CAalm&c+5iU)2Xs)C|>pUD|T;bwKVB+OuoG+%oHYT zV4VaB>vmI)BN-2_;yKNrWi@4zMtV>4-chI>?ViDeVQ));dY}dDO?Wx!d9q>2y9M?h zv!_xC<02kTTF={5NJ@cbdi7V!KGY%#)$!FH&ROC)PN?jXP4e4WtQ`Mvz@+#~y98Gy zjpp~{gry<2)^bN27U0sAH8 zg}NUU+_Vf?zDa~KYi91L&$IORGKx0m7>;P~$)CSxe=W;sTeto`4g~HeTuXNG{C?w} zIAypy1U|=7z)Mh^cd|3tyE4wtg~!ppLzjdac^dJ|)0gtywBd7nt?TrUF!hdk23@c=DZ;Nsn7utH)N{svR~u+!w=a`p7XTDcMO(T}hn35cZ9HZJd@RSlmNH zs-||Wam8?C_|D1x>o~pLGr3%1Gs(Io4SSXQCbGwaQE*}%vFQS9#*}lrQ@VBS%sP7I z+?Q;>ZnDgWSe@;SVVZ5Wa95!%n@Hu#)|N0~*XelR(AUbc#t62D$vOtj60L>3iyD`g z9YOY~hVC#5!;SL+XN6n7(%@cyKZLOMtQFN!q1j}jMK?@2Z&9;oXJmHhxC=oNK>}uz z*Yv34z5kXr^+gi(s}JG9rS(e+uy2%Sr>^Od6jPO?&wGOf^%)PrRPVWQ^es?0@FRpWxR@>4#i zkCmiG<<;E_H8d)$bKnB5Ic|)xO7vSB3Y=deXs6;{SHzdBlj|^;dLJ8O`mg$p*q-!b z=@`>qBEL!wVk0)PJgn4A;U(V0y5{H#evz=^g!F9Q3E4h&TgMhEC09l7R>yw7hhQ0u z+EUw-qVwEQ=@YdMTQ`LmLV-em)ocHcMeIh+b%^^1bqf&IZS$noU%XlNzacSfF!bH+ z==M>_a|lml>XE|YXnX1y7!=^kG#wCT!ewXJ&?*x z<_H%v4wPwe3k^3Cq+=g5{#z6S7LQnY?DuM7h;f@qq8y7(JxLnKiU|0RPB zH9wohr^Mukt*0?Z0xXipB{yBdYJ$fP99AEbewNS^Uk$P?)Dc3BSB=y1uhL5iu_a^P zzI8d3qYUOHUnBO|am~?iZhsJIYViVR!4l>NQ1HYLv46Id$9NPIkh#DzHR?~uo24h!D>rs*Z@!-kNWJ8GJy#p15^ z7&J>S(wAOmWsv2rb|wTb_t?1;k~0m<1`eff{@b>}%Y3=xynz%WOUB;(~>C&h9$Eh~c!`4Qto<|5vzVd|RsE=P>7RB#Ly+UI#y;LkvbM<`4EG`!Y&<374yxS{GqsiVKsxc}m!q==)lyB` zjM24t{XxHS{=}Bp!jkdg_t8`-pQB=X6tuaW25X0+6la^8jwp(RI&gh{^#d~*he=sS zPHK6q8;d{4Unx=d>1c|Z)P&sN9j630ng^|?m8XgG&y2$Xs&Bu(JO7qJA&K~I>g_TW z$7C7)*3@h7m)qixe~@ChEs z^>@l3r)TgLQmV-CW0i9bxisw$_+AD#J(k^SBZr6H0Yqys4K;kUZd+4Re-h}x!Oi2* zsWFCR`_;=c)v*M}V~%9{UyPFsM3-$mkFypmNwDIw&atXKe>veC#lnU-+JaO}J+-9H zb5}tOr8%IUt69vgw?{!=&dno%3gly&pb^Jra3$sF)H;|d2nN^`gjAV)FLaGmB-j$1 z@7BVzJy1He7LENcQ#RGViV=A{5;PkDd_J3a?YUjY3>y)?E%ZTuL5Uz z{DFDUK&)=GQl(lG{9vSp1jK%J#9LhdJ3UnCr6Zz&_|LEu1Gw&OeI5g$H>g}@h!-_| zQFaj;V@Th&2tGp&J-h8UKa7u>KbAkSXyJ7jm_nusa%%eqNS?l!=T#y4r#a4XHmunj z#<<==1O^U^TjpN!5h zE;jj`Ul7xTT-VX*r!okj>*e6*nPBcDDf|ZiuIjL>2CQJTzdp%qs`eddZQmOb=4SIi z-DC?-UYp50NkTu)@Q8B0>7rM$hQw#)XEI@jNXs!8{ohDR~_7v*w0RQXTQOo-jx6ojq0+ay0j zK27W2G|(HH`{0>&G(_ndgf#RO*p(AZn^p3fkMHvi4X`p`Hk}Fn%Z1Jac)<@*sre%@ zMBM|~<{bbqw(fkuoix3|AAGS)88A?3Bvue ze(LJ&=OGr#$)4^dOIBCy@1+a4Miy_EaIbGn?3*_2k8Bs;#NQ~eLXTUml}Bj}nw3n! zKlYqMQds@!wmryFEIm;8rMoD5vi<8GL4Nvea|A06z3c1F?p1~d3f^kez66*4P?SL?o35S9&>wOzT-Rmw;1_PD3Lz%7N!HcCR@hHTu)r++``>|e*m(@bR~=2PrmlA zFgxo_wn3DizRTvn*65%wZlKN-T)pt!%JTT;Gr{pMYzfH}CVN~-*7&lNGvy#@=@wEl zdPZd=)WlR{Lyj3_h^=c?IkZF-#I*T2d?jv-HuVu?WgIR03j2ye9M7?u64b)c59e{y$qAP8t_m3gvn9x^*0uVw{}m6~(Szv$=p#0GV; zxPKWi(xmuL83Ww}?o}~6gT>52;GDcmZz|D5W)JS{*zNlHFe!a-TcFB5I!~kdRr5WH zqb--a&*pDq1yx8(?ZmjzbQTA=mdvw(uqTn%S=LRz$`^#1uePhwD()p)kNI-VeBr&u z*n7a5G?&dMGSu>AI^Uxw3sFkMv?V^&LYynH_t?>yf;^-y(@Ql*yVD@2GjsQwLhH_} zp4C7uJrhu=^3)m7uXZ2`Ka}!oy(#C1TaTA4G)&hzM;_p+M6F%hTT&O+);ndGq{e&N zl5lrVy_-%`=2LO6XbrXvm>|7DS>OrJ9cF5cId9NSo%9seQFA%Y2hC-L7CKAwfw`Gf zi_hG1EOF>RAv!rdbydo1tr}BOj_y;o?Jd9pTsZgGF5{30&;Wnkz=XHKhA(;_z7(!w zB_71q@D7<)WKZFO|M~GHcU(eN@z2?#XEa*P(>njnA^C4T|9^A*{pVu+1`@;=hvaoM zwCLzN9@!8FFR&Xg?y_Ypa!CJiHxp_%KH&<%Y5odzNU)-DP;g ze4FMyR{Sf=p$u?Rmvhmt=JIJ3#n4W5${XPFE~6gcMz+|bZaHD<)<2dawHY&3znG|g z+xrHq2U`XA(EZ_nlgj1Rnaj3uoFS^2NUgXzcu3Gjy&6^@cydC8u$K0)Q7H3Z*M6Hy zXL;y`P*;uGP25kz|KtAZ?!F{IC>vp6koE=gFQ^gFe;7+0!$#fArXf=_NC+$@gf53| z)5l^35Otc${~l?7&o!-)l`pr|LM%>1mx6rA_H5` zbh!24kg2rCIpEVVk#z*0t%MrGz+8WMsCqI8;t%^qBMCbp z>A4=9OaEpRE z1oWGK-@k724$adFeD4jGxud_$(%&!A7>@3%gVqVI;$AH~S#xRhlu+TFN_BckkQtSWp25!|q-GAh$=J6}*n1~kMsXk5k5p;?52${jzJ)EChZf*)s zN}GT^r9y5z|2>Y}Z>Eh6xe*%-Cv($6kp*pH(tKu7h?Yq2rNw4q9nS(LY({#O$&hC{ zTa2e1Gmn-7sLDjvBB>Nd`;&Asn=K8zlKOeFQybs*7_UCo5R1H8$XF2d`d8!V*Y(A3 z0s3gAo!TN;Ufy_-6OUraTo9LAnnD2;IPT?tYiwsNY9)?brxZ2KH!JbA z`^2!GKz9pKbAdmL<@sk*Y0+W7p_uB!{j%#ZHN0cgu?1_5C5lrWqx&4>GWyo4$oGRa z605i3#1xx5C#uFvVKXP5&t)~Y8`ax7RcH-1up2oc$<@y7xs&$>iUvHRxWpeFx33=a zh6s9XndWAX;iB^_BCj(s5eZ?r%Ua#q9iIg6&L{x4(!%a6d2<}oY6Goe33#!N=n;ib z)p@}V(VO_AUPqI2TV8HmDw8v*f~^p+5QNS0kQ#N9CYHB~FE$SN zb2DJnO+g6Mvw~34VI@?WL+NQOrAxeRG8Eqh2%O5JKhHhMJJs>-+wx7(i7M4*88%nX z3o`wk&f~I8z~a72NwZr^^#lG|VYl_f6uR zlOV+TG2cu<7}1`FruB0^vImlKpRU%cokSC@s?mf98d@Kf9MY&EN0cS@D*B>#ha|QER)eobrM2c^u6#@?NdfgH3Hbx=_bMTBCZ<+*o0ss&1C>d}_3nWMjgrY~)sr z3_`(DT9kwG2{ByHv}o~vb@tX#QATaND58`Is3;+&q;yD2C@E4RN)0d|ARR*pNGV9e zAT8b9-QC@d4Bg!|aQ66p=bU@*x@(=aj(=F_V9dMs^ZfEcuvYU*McO4){@_=re2MQH z^LL8Y)tF;>vEkwDWAP5zvQYjh-&2@09p*CMP|L0SZ70465@Pmv;K&|o^pYw)yoa~#Xyn^us9cov7LiUXXb&){(iUNpHc^X)-L{71yq-uv| zV>#awtlgI`QtGaR!YEi`q%Oplkc=5cM&@vOI4GF`BeHAxMrF{Kn-}`@eb=uLkn$+U zQ9xmZ2vSh}AJ4!4$5K=bd;xhJE@{04D#=-F@rCD?F#qbv@CSl#wEofucX~ydYZ$q` z&&V&R7dBNi?~GnqF)9tt52f0TzDn#d9XiRWGpkFAG!++&_r{Y=vDkS}u)U#892JZP zB8&LL|DO2g*K1HrAKMwNztiR_$H&_*_0sSdU!GDlRoqekJ8G#n(9Q5Vud~Y>pYuirgV|4i!&9kmru9hh56(XIgs;?@ zU6coC0fX_n56Iu49Ov&S7lvpUm;SO_occt&uKs7`7 z3JvGAu)#(e6-0ua>4go22GyF#V8w5#{b=K)q~y2 z*DUqFp1DoToWqFE5!x@WsLMMC1$nC4M}S^YtKIxuz_g|GA82*q=YqrYcErND9ZMd{ z?B50)b;`4V_h>_D1D}pYLR~Mu0FtJStA|C|(R5So)RemPr1#YTEn*fJ(%OL26oR6G z!TzHi?0f{O^mM3gVVYO_KmeQq@1W?(V5K5%NvS8k24;t$=RVWp(&x(kSvbks{7h zr6kp3s#86g@uA*^7oFHcuNdv>h6# z^9(`SIn*cWx9`g;+$cE(c80ubi}1OLmaS{|Y$61x2QaxseoJ<#dUUzhe1@(Wo6v~b|lGBg61bugk+do zR*yH4Kf6Z2ZQn`3HN!U8(ut3te!f6$>;I{p_z_S2hY4ZS3%8*%@$_=AsKCD7ejf9M z8i)u~hJ?|H&aE90z;qTJv`lruhB_)%%P$P4_uSmHF7&)H;f*$tSd(F<3m~hseC&T^ z68#o>xU~119HMs$BFUIhNXMdm!XYP>S%y&71J}=8k%sOiqi4=1Lz_5^hzT5UM_gjO87yA>PInU@1p1bYkAS}p(NR{ zn|oOEEFHxoi3sVqol9tn9*58y}<->ej$BzSU8MxEEzqx4Bdxiang--RgsFN3we& zCtu(oPPLFS&3Qq^by9K6A1TUh8SiG>x0Jh-VMS;yCKFC0IEA_xs(Q}~P8Y6?=EXG*ZnP<*1{dh$-q7VEsON2tuZdp*O8bqP092RK3fsNOy)aR@ zC}4)ZAay&?1F4#g6OI05oI^DdW;kh3i%h_YVXi0-6x&pxOSg})bGk@k$$u=^3`NYn z6fx`l=d14(y|^%pPm2J_&u6oa5KdI|{M|gv(MB6@tnz7-oJAm~V`7g8%tFCC>Oo@v z9S|OL+~vH%?{A11$B-WFN7*`909C90mm%IEc@hxk{wUG5x+?_?cwE^O1UFLMTit!{ zrI5a=W>e^$(F+pxL%qkSPg-eH$$_3lc;zAg<$8*8h%B@jFKMFww5$!K|NR0o7q?Um zURu*igV)jiht@_SCu&!DHfY5Zur@JiE!aV1#9s*$$8!K@r~;Z>+j}!m<_g@9_n)ThOyQ z;fI1Q47}k$!S-b5nrdNxPusq2r71079Fk93*IOuF5GAeY52))}<~So+o5I z{OIq^`pam5O}P~6ON0g#t`{$?uqG5AH`*S<-S3vZrlQBU^%jnF^Wwp6E%(E$XDjN7M1}=F8n2vM} za^uhPK9>nD+-{yPEj_&Lj2!o7fXhXF|Cc)7`cVX#vrJVg_4<500d9=0 zWe(@5QF9xzs z{aO**p_jP1_}t)gUmJ-oCh&Lu45XtH?eza@m-nB~Pjdr0%hLN?9lpViSSyGMT*o#~ zYXbh?!?VoJ9R)4jBijbDb#KQavk-mpTU4$CV^wfWs0F6HbrXViqJ9C-@?A!o+%IKI zucxmFgpWT6x_A((V*Uhm0W5Kwhr9L-H90^?AIJM41h@TNYtNeZ8A&PQGH_bM`-R%f~+-Z9^Xgee53F@%Ik}x{IzrXH_&SmQl@5I4BBC|He`rcqK_NV9WDtGn`#2#d9l+Sm|tU{ z(kUzpnEho5`G|d5Hg#RajQrE!U~)CvoV$S{?muH|jrQqGjR#qEd~axI1guICaLa4D zgwBj)oF3@m3)?P@XSTTivC4e8)(sfszccQTTqMRF$T(71;o|_15zi zk|Y>9`I2Jp?Gu7tVn3Wd#$+63?OeD%E1n}RiUs+XT^sP|8AIbUMQ#1NI?6w^ic)q(b)J_Aah zp8tTEOG`gV+`O00Kx}G;18C9ujEWf{Q@GpC#1LZjtP6Fi)@~cH%QC#11xg|yPSp%n zh~r3Re6$QkK(ZlYtnq%Mh=2U!KS`o?iXyt~vq@La-*z{N>qnqT#`=yEfM z7~Hy|_Z4`GEF~k)LDaNpJ`QmUoK)fXK!z>1P6WB3$Z%VD3UqcgexQ=#De54e4dKXW zoR@a~DZ;Yj0a12NAZcsY!H?^VUHXlz>28UCi7;=}$JwQ{S zJHUB*z5=Xm?EF;*)1}5)h}HmM9BU?19$h<_@c16Gzp9VVwE8RgtnC%A6@Kqp2>mwc(0LKTX404QjRc=>Xs; zLDA&9a|(bZFmp=oflrj!hI&$sW&B#s#NEEFw}e87${Vkm zXA_9jcje11W^ds5eWz`kZ_d7lgp;e?>=%b9)ie+0QG~N5;6`U0AjMNaSb}r%O{Ork zz*NzCynedWrRZ9)`Z(9DBuHK~dCjrvG?*}qSJG%91b(-AFd4b(5PbBizH4Yj(Q3m` zw)A-4Z6j(}wVeTVVA-9iQ`9|p>6Du=F`*qao^b5m0Mb(m7h>Ss0y0wQt79@j=_5)oE1!LQk8dU(E%P*5btmF00z? zMI^)zVEdz<&``J?G2@>hg@cryGURdKLkrp!!Gii}V-^CVod9 z&??P1+1R(bBRHS>Kp}pg?1BnRmh~aBo7??3E~v4O4a^I}t*B(+FJqroS+{6d_rD#1 z(j)q;P`P~&gTZpqX|Wt^{#XRntpt~#4IzVzTpIZXGE#o+wTkZfD9ie}igNL&L-Ypr zJ|LUpS-3x2b><{US7XvwsCv#wkA<2#{85D*Psafe`R7Z4nAs;(-uORyzZH$E#BhM} zXhi89HpKN}g;{Gk9=v-?{OBUolEvIWa=Aa)+G;>1L%mXxy*~mKD6$9*@qKq5wQaQ; zWk`f-8s9Mh1?Y5bAQ@bxXRp1{kd`F)UD)0B0p@~Qt_~(+FkdUcK(b55l^X~=VMO)% zgc#yp-^Dadz2+8nB3T4rHWtY|br-}{TQ0F1}VPf;g@N-<;@uFT_p zB1(r26ZiFGanaX>3o+V>(gBG@SPKX`t2Ec;*rb#U?oUcC`JG8E@y^7OQs;k019=n=004kvHIYcrZ~v6(iz{Qs?{?=(}S5%fNZl zaZQZs_W7EZrzB>>WCz)854zwRr)vGD)G_Grb-3|AvCnO=16q$7O$JoVha30`v9)!I z{ZT8_)J1zv^=qN|aQg1`D@)D+=Qf%kQKjnv`>*P^5~!o%f9~!3jbR69WGw<0i$JNH zkYY;BxC{;*Su*k(x~f6!j5_DF*N6?HAXhmaHKQcY;f)uu$u0CJz^tb-r(#+V8EU!j zFZy;DmwXiKa&r)yEeH@( zf_>UQ=%9kiSWf{90%p1Fc07nxYJ-5>)@fSefJ2WCAWHr?C4?Ur>h!J>=YRh-IfOYh zwrX`xIn7Yy`U&Mc78&w44I?C@_j{-)yD4ys6)$>Vl!L;#FuWn!9$6}V-1v1BX!SmA z4lf;6{>bN;kg}c8snX&w)=bglEQ=ZMjBjn;QpE&zUA!}vJ?|COszE3dkq<*mat`Ze z=l(=`8KKjlM}LC8CmrI0yi0`HV>6e|a@${^3hI=0r1r+-inU})L}oy5x^u{ECamWa z!f81Z8K|ED>xS#k982Z$-FWAh=eo$I1jJS(3GQ^~J2Ta+^VS#P{~dMs$4!{dy$HM# z*lj2$7|t9z#92XMrDM)1RZ=G?DD<-&kTFz%bttm^ewz$RI7fvN&Yj)PydF@?@yibi za{midBy>tmK1z@9n!GT0oSe7c*g*c=G)o(9rFrW5uWZs%B`^|NH>JK!$2 zSPJB`VDu$gu+g~c4rivwaIk5<04j^geO}0D(>DnzBVdVD-5pUBwTm$;_NDUQ*FPG! z#j5|g3hXvJii;q_a|a@xF1~5SC6Mv^7K{xR0A4D%V%!`w5XsXh>mF(6aPq+8UH@%p zE|Vg9bDjeHa0AZaKvP*2^~hG%sEm)zxj**yu!p^Fc2VM3s+)9L++vuX;kf0NB&Yyf z0<5mbJdU%F>%!ZR`?+beLMWe46-cP;HwXHh+YkoJn?JyX7g4jG>`%^xp)*&?V3l&m zCKMuf4`|%-U#};6glRI1S(u*>xS7~Tx9jQ-r^?){662xq^);4gRog15c>g+CjT-d* zWw`gZ#(tp$R)WK)hs|*#y?d0@ioSFL6bX|oZX+M)Y2E=6x}%@~zzjAThd^=lxfX*_ zGTVl>mPdcNGdN#5i1I0$TrGPFDbkMrx(N&cwhvvEDkkxa{bfj9L($#n|66grcsRDs`NUif{%o-;`H1ZQ-9Yb#SbwmjYD%@4w>CCy z(dtk0P&%=m<~IW(oOn0JOr#FGN9O2m<7Z8W_fEgK;QOD_c^h%IvK~-$MKH5H%g%5X zD^sR^@1ARGt}L9O-p|0^t6DY95I4-)cC_Cj6q8N{?m&wyN;s?hiR8#)g!h>J+Z|;# zP3VVR@jnUaZ;OAumw`4cbLh@cv%i(Mm{5v3e6=G!tQUC&O;(&fmEB?BCN%4oR6Kqf z(dDQ$Is76aKMP44w@+&KIbm@8E~4C^XEb6{nO<{@P%Eb3dpAwo{7}&Lkuqld`pdiz z=FF_oCJD}CX)MmJ-9INqYM*w99zt)NN65eA8^MjWvja-I7q5G|V)i28h?N z191p&w+626k}+=rs@--t#TGvQJX(wv39*&}FSOd$7?apT)Cd+LAY~JWN5rnZ4MzR9 z13@JF>OZg+q|Y-W4jPTO!1Jykqw~;dBQ5g#-9m5!jW=Pvuqr{@EAOnlT=1sqCy{IR z-#5!c_EA$#3%2p`F3mw=S@NQ_k`8x<>%r0qbdU1^n6K=y2hYZU}0 zW%7}mXBAN&nl`y(m~@k!QG%p^T`-Fs?hy-s=M9m%;ui}pNQ=c*U+s2AcJ|zfO1gfMlbo65$p%9+nUF(avWPyL z3m8c$nqNi1!yflUupU`6^mcrRfh10w{D8;*i(grW?N0%l@Q5vh+S#^kU-gG}x3)LL z_8Fcdd=pHbl6`QtKuUYt>{>|Wq-CN_8Icv&>Q@E}wfkpT$z5}+%b|*=rhMP6f|ni% zHvYmP{4`dyS9+9&~LW<~^-0nCG-0ycJ^KW^4x3Dg26c0gR@xd%O__TJh9_*wPa z*h5Eewq90UN2hz(pm>mN7i2-$&2|sgIh|#5zcpIsbC+^M=(tD>=plkDDpoHhU&C^S zm82(+FlL2w}?Gzc<)&8q0-11!3uL~Y^D5Bo|ds^bBWje zW!8Bswfd+lTowTfAyB;(PBc#ASMw zdG0uNd4FKzo@(jnR}wL3B@?i(v1A2%tYZ0=kJ_pD1EP0 zBk*81FW92HL=WV{L_7Chx|NB@z#Ct|kiJ`@LWw+*FKXWkZBi-S4hm9Ny`VfOrrB&z zx(&J{UgX+@rqva{;i8t21_x@wzY~<2DpmS98L(f0-r$=Q^Q(gV8;JdeO62fR)NVZ% zB@0sgMu+cmG+4u*?6LJTW;nBBJGQO|$^3qc+7ci~@cnH@NS-8sZETK%o;WGYH|0(P zNb6}$c%z+TgLBL;5U$*TK{BOd^m7Rl&K8a)PC>e*gGON0;+y7qpqJ;;^oKMBA2-$t zf&+RsUZ1U}1gS779Krs)Ob(@9mEfRkR$Fn$W$R?@`?_%4wAXl-;8==jYIrpZU^5+Y zfFS9^?G_-po}WymYIkI{W6OM3i-$2g$7Rs{#C}Ac?{ljAPcnvzqn4j{?(QTLnpH7& z9`=D}ddo_)@gO;5fv{f{i^{psUcV?KX-45~$8cLF*4>oB!trsXSOE@Tmy){@lBJs; z{cAju&SPU+c;1Qa+N=D)FI^#SQ}LpV-%oGS;7Z|o(Vsnk>O7oq$Q%h0tz=V2e$RNY z;7d(|)5e=G_IxjxJm`h*cnnx|-Q{ua`J%On#)xN(_@Pjr*H%xoY9v}%%b_?o}r;rBX zhZGO4bM9QyUSZwo=PX07Zp~Cmv5teV1Oj<~+d<0$k#~5lfZ2hs-g%G$$(+j5#UZ!Y z&5MJ$AA1;*gPs2dvnK6f!DH3$3a9e?!ADD0`1+EDXme?H&0ZBU#0TX3+qaXl!Z+tj zQ5`ypM7yM1*emzATRogp-ax-LXyWj{Y3*))@38%sSs+u%8)9H`N8d7~!E#i&0Y4#Y z$jPIyt~`}2YppB|T4X`~lOO$r^bXPn+r-cNs{1{n(@ezf9kZhDJJkyj7P1@W0TCru zmk+|twWr|&qF#~%<3$IB=HZNp^f7SyJ63)SOOUw@AW~r6$ziiQ+;4HdVNVmBpW*FV z^FC@t-0CMl?S7?*FhPwy9WQjXZm(B(v(5LpWi#eMDrj)+@SfXyqIgZs@6)Vicnet`URj-qyD3}J0%ZT_hcCaQGfli*CUqKNvQeul(o1Jc1rerWzl-hY09rrY8rjq9N< z>RZBzgzYe&tsp9bJjQ3S$z_t2lKg|dTZ)=)t%@Sok$Iw9hkNLvIO7|O;~UlSR|!RH z)vDUag4+&v(D-~zD)+lmY8 z`coMHSVd=7+DA!+jWV=A4aKo`#%A=4`xR|I{lg~mb5K6d_b%o&3RsSK z@S}HX1T;jkz8vlw?;1b&lgaqSYBt}%^ssGG>5d4zpPc_G%EpY%BzqQ_jh~UF=R^Nv z4x|j_>g#sOES0-Fm|_y3)%n%4L%U#3DT${E@Tgq?wVt&nJ37o>Hf9YGS*2!Ua6H6c zvt-3gw+j&MwKy@Mfui*XEq~{MR@nimN$KI9HgL zTTK-Z<=4%u5RydChy6|pC2LQPH9%e$WoIIcOomko7WLlr4SGj2HACe7Bdg!7!MGPs zk`8EoH0iHT`qysC{Yc_B<&^3y+kAeq?iPP=KFu#3Y)QlcU(vsz2K`xLh?l;I8`;L%eujpmUVB$I5cn|Zj@$Y>`q|otfA2F;J;+#a zyey(etGKHs(46Nx>-T}+javo&CO@v#m8#R*IeBf01&1;10e^hB$m2t|vQyK)xT+~5 z%jj2XA@3RNi*mzRbOBJ zn1|TcHT_}9J8LyFeVJ$cssP_cR~}g(d?v)n4u6AsASr~=ua6XUmX;5+{HQK2Hz47| z_a((&T)fD%h=!)i3Z|x9W)r3>KU=Bhm7g7^!KZLdCR|(|V^G}5i4|6&qzGp&-T9qy z`Z<4a3F8*}DJqZVd%4RDADOC)81g9M`?c7QeDjV7W~jMx`Y9_VY=Mad&la<-oB+Q0 zYbWDG_SOb>CRxr=SD0tjIC2Br^(SE&B9n$Gy%o@BJhej2f?>?;71~)^P((Qt9;&GI z(;Ny5XT0`?7(HMedLFQ2c;U}kBpRs8I3msSt(yVQCn(Iah5sh_wv}Pu)4_+Mzk&aj ztC+ew;iVfML29j%wju57F!rj)6A8ITMeW`k`3*4Sn9#xXhiF-)TZ{VJ(Mb-K%iy&a z-3f;rtw_~bw|1nxI+KIIf5wDD)7*0p4ivsoj2axErUf@+b`-brrL+$(9H7-xD+9yd z9cKrVc6~c2?Y!|xbPU9`7D#eZFz8AA^vZUX*H_3JH`dutfwqtP^@F9? z=nrG}?at>M5hQ!y!!!1#7l$kG8AFchCyjS;iCC<_HLRkdYZOOibxNWU-Lg+);|{~8 zXs~+ODDdK506pwaF<+4ouqj*Y&o{j=DdBb?N>tuZc@{7!roB*l2`bFa?e9}qEX_;6 zdSXcStPgi4i}cKujmcYHTiru7CoFj-o3tk;jgVYtLn0+|G<*p0iv!N??==NQuwlA( zk}5P>;8|&uVYK6}MFFn5g?*SrVbSc9zU^ct3<0!4f59?)Eu=~XOaIYvIQJA^;Z#`3 zyQte{bcu*Me(c%#V%R5h3!R70@~M(W0xqX1byJqvGwk%xNSjk-LN#x1kVxO_Sg!u- zQX9Bq+w6Ruq|q$)Jpbc(4gygcc0t_b4dL9Pb&hqerH-J1xEOF=yu_+p$g8sm&Xm42 zO&cnJidqhuPAtNf+AjzIJ;(;M{`(Zv4lyz^~b4k_t~nE)At?WqqQD@@fwGfP*Xvzeu?ib zls_fs79>oR^}2kD6lZVQz!xS#CLjr%>MxGg49|1c)d!JB#^@Fg#6fGQz?jt4xSOQY5u7aNE`lRYg=EJ)ghk1){Gx zI_12;zmg`0NvH|Sm$)&y^PF5s4ZUhB=0``ZFSf_niQ-*W6E}MPu2as7x`M3(PDGoD z4Ue-~Z7El>;6_t}<;17nrB;&Sx@FEMlHAST%tT7he-bW!HjzeRi_3bio$bu41yBAp zjF+zblx}FPpOPk>bhPuR z0-R?n$l-;$V)XIj!!G|VcAAGL1P8v&zo5xCNsP&`f52<<&7%{7Jg}hnUAc|FcU{ED zdul}F$FOBQ+Q5w;EgGOS+K_yc<(SN|5Sr;Gg?ttKaM3?v9ijCWv$lDhPJr}$;`V9; zkJ37<=BoeoZ0DmE!e4?&JWKCJj$dRfELMK(?Uy8iN^sq)&9NNT_ZH582aR%mu+EWq zKMu+f*2J%SzP~_?Pv3pEq*tKgbrvgbxat~QhJrZ86iElleql@?fhCv}E5dMP< z3)Olm#|f7u8HCXA2S7L!THgiOGdGg@*oPQyGsa4Jl02I_d;gkbS}vBKv*qq=GMCBd z%e}ByhW)Xnulaec7E4_EOAE#HH%GH}!IIv?|BZu^pR6~Ak3G-xE>1sYZ}7uPgHFNf z`IoH@#H3U<%Gi6;Vh)ht?#8yEUUVw*e#vPvd$MsEH-4 z=0RkVO)pmWJ&<6y)*rXULggz*(-FrDIPfJvd9#UTjM2A`26(#6(aA>epO2y|XoXu4 zHd_5KYy#4YNw_zJeP`qei35K)*3Wid+~y%80^gsOf9( zp9L>Gveoa$>kF36-+>IHuHW2pIOQ*JKzY;7&;`CN84EQTl035F@XLR?U7aY%|75?# z_p#nrTgq6d;N9oY-w5jb5HDGnxh;wN-f84| zBmbC{(|x!e`ssT|I2#~?)mI_z`@y>F66hB6WeD;xsB9&GvNKmMs1;C?7wn#($-PqE z!TP|p6Y1MGNxkh^h9kPMd& zh$FhJDnBoQkgV*<6P4yNyT&Yun$en%>SC;^k``);#^H24p$%z#XgtacT^aDrsd6(a zNkvEb^Hn4k@*cyzF@`6Tr{R%a$9Z9Bh-XU6Wd)~V(=yY_GKkMUM+2hj840B>uWsZW zr(oU@@h@77j2D{&cf9uiu(IMyU$1MyoA!ix(ak@lvboc(OS4QbuJ>=J+c&vZ_HRhz zZvR8}{)TirD3>Q^(Zh5`!u*vo{@dRNN;hipMvEzxHy9(`1OSZzKURwo+=2!tSP1U!!JQxA-69T_ruZfCVB-j9$wj==DTi1edfHd8q_!LhH)}7y2KcHc^7OP zK`VZc)eH}dad@X76b8mWMQA9TiO2ES>8|=bDWRZA|eo^4$ zrO7GG!-GoA)&5{8wu(H_=e=b5dbYFku`+LzSl$akA{UkMqOc7!2t+N^hp)u-OoHOw z(TfqTe*ERH94cQ4!p`7ms@a>lXsVf?c~URKQ6W;PFA%c(b`;~EQFG!7(?+I5_0f1y z+tF`g$e>2zxsMF#^vK;H^)Q6tn9{2BS<*kyt6r>`G7Ou!H2-qR78)s7Zx7aV7V_wS zT!?vOeYIb+PpuUUtzpE zN=uz0@v`>~Xaq&66)YQP?lXbtRdJH;F{a?#?$%mOzK#qR&f`Z|Nl=a?GF+iC3DmF8 zh|jo?N4Oaypn9*3Xz&<{KXc6wVc~NKyw2XS3yDsO7Dd2^x*Y&K)pFWGap40|_R~Ow zWsJeWK{87_;0{8j2quDtkeS&Df9 zVDJUy?AbGFq<3F*s!-1)(1#FSR$-PQ9!jzep)7T?sUu>4>HYqa9Hm%7Q~-r7&~}|+ z4@q<#Zx8wTIxoo!s%{b_Nr5m-4H_(YVy>^FG-P4O&5~m3xCAfyrO?#5=)QiQcxy$Q zh(jnrKS5K1E`-J_m6FR>g5iyDB^fv&yoV9>Re=L*HY9pOkORY_H^2$04OcZJrDwqj zyN!@7WMtjUiNg0)2O6}i{mj-A30WQejgTUad4Oqdn>tO2z=xNLU-bfqr3rI~)p<)8 zJ}@8f{UGKIx{DgfE46yDhv{OUn>jlvh2PsLgD^$8`f{Sufs5lcNiPpUu3Fn+V}}-Vq2Y3WjGH! zLd6c9?n>J-aHbJpW5Z90TnZEpX$?CZz*-mEAUtdFBx_?A!)EVs>>}QX-DF>HJ!d~N zLqhKkTUSPkX=;#L2dY2l)9ZU;n%=t92auIgtjCDnGPwS z;zNP_$GQ*OZ!QSu-X_1DWpZck(0Kjk6;pK*5tBJHAybxCOCirY8uch9BLX&atir@8 z`DVFS8bxpQnM2=LzH!tL`>|XE(?l*dE!)iR(f*|&Smq*Am=lpls@`5Aav*zvckuB5 z0ZYkjN}%q8p4hQKc_3fek35@V(!v&l`VUuaHtZBK{6&Dh{Y(4H_m{1g>^6%wcDwY)6zh|@wjY8#k$fZO zM2=dkW$$Y#ZMyX=^i1@a>#=R?ZKJIYt?sQO>!DW0lay1rhn{-{2LuNO6R&0p4_fxo z-7wtP4?0XsxaOl=WjXVMIm?O*!Ig~D!Uc1={6(Od*qOEO#y=nXzF2i}$#cEovEn1) zo8iUeGceb&znKX8)W@aBxoAIQ!(%hb6T`Rq*}xGNUpl_cQJeOAbdcdQzDGhKgE@nT za&-~QG|#kOQInOktec?WQnwi6jN$3 zkK1`M;yuC-zy$Y=EpQgQje9Wr{B-?Es})=JvFv#nzYf1{XDw&##zNxaay9+Z-C{+( zeU+cBr2}KtlB363whfhC=dX^1hm64dz`oo8lZnX*&Ti+*Em5Lq!r{f9mXjdo3s=2E z*YW+@+CV@Ngb6He$YL;M5Yy6@Ig-ho>hsy5^JfS1+*O=yC0Q?P_wjfA%GPY*x%N?b zT4(^uTK@7D@={{fu-E`_%X)|DT;x#jVCSfQ@i3l$cnKs7YVDQlXPheT1D95IIMz7U zpH}6xuPJsaJ&-&~JW@PB1s2IEizB$n*GZ~`zSGAMkWlKpykQw)k$*WufQf>FbczWS z0a;~R8Tp~2ZUh}+dc7RRG$g$n@jZe~+!jJ|LUlvS(QUDcL)fv!Ngp_SxJ~u@^5qlc zbw2|VH9z=%_&8%#=iw^p>NuL2`kRyAjMpr<8q2wyxYF(bB1vnh^Q?Y zur3pCt0_4(@_BAM>sKJt36l(yv=qBZ_?i6=|AT;;$-20@h`RI3y~{;RUs);He0iBf z1{>YH+RwM~Y}L&I+RLpoUi%e=z3~zX%>?mmiF}`@;<`%=EneSC&Zg`ne@wr!)}5)D z9!W}xOm3{?(69FDkF;Am%F)i#zR=>UoYJoceq6J;K9IKk&Kqudchr%J+=n9 z@#4QIzlgl(bl9+OK2Nw(>lcr9R9RfC9y3{bIG#VwJNEEsIxS&QXB%SMTYJ@3TM?&` zs(oWJw`piE<1T~Zj_)zz4kbb%2im z9Y4QC=^!VdZ1W#FRX0p?)}1st+9>M<#lEAkhNoQtJ~mr;0dE`8HDnykbN|v02s^uv1T?sVBSuVvKuk*Jbr zhBnIY@)EKNwbE1jF#A0lOe;GF7i*#W$Q^b<@a1??wzg>JG2*$@c<_1T0_VqQ^tGJ6R>IE?s2LkX#l z#CT$ZVnpDn=gxLKrwIea!=N%yxp7`+8;SlkA+-J`W52QJG+>P?)-ozKviar7_M0zK z1geUN>xRe(+d2p(Swpa@Pd3@v1Xc%BpW?gxH%rreG|3T4B$LB6!rHOFOj9C|&?PP_G1%3J^o=mErFRmIQuFk2C@<8*R8)kg)07hrXTMY28ctoTd zLY?tZOdWX&Uj@u{6f9I!5Z*rRqar*DwMIaC+I#l&A$|HFARvB6{MQ+z>+jG1wf}td zj~|JMHO&}fJGpPXTn(pmS_)(&t>_*qW zfR3`WM1=tz+`^U?9-UZ#0ZNc>RCM*=01}y*neq#>DCM|!@j>d?+JbpbNz>QUF6}=W z9j-E_+o9Uv%LfLZx*6L{#jO)EZw7}v2w{=YfRrVhFl~aT0ge)b;+@F#r0^udVL#syYZ9X3$!$7xOZS%5Ns4*|KW$(B# zgLn>jUb$EFY>DDK~lv^{Bqs7`nI-Pes!`5bWqElo)n&fOd{o<$b!$pb;Ob^Qxda|Q7c{pi3<>Oecvrh1WU(HRA$5M%lsV1zk zGqP_7!ahv@o|_w-q!M(YON!#Fe|%C!u=Atm{F zX65j=&JG6$!u`qKej(Q^0-xX2=UQS#Rm!dZOq8CXU6qm%oeED~U{e%N_6a4e{Rv4L z*5}<6bU)HD2smDDo-WgG9JgC;;!KSyR7x30>W_NGtz4{{H3j?htkG)nb**WC1Vc~u zAzpvGx}1=qT=3lhnPci?zFY>=`y!H#wjlC3R^6ID7K0`ZtKhjz<_>kBoASS7>Iq`h zX$S+9Q7@#c4%a&USr%!QCkNkA_nL@?O!Vcrh574b?wD>^Rx&|}IO98$*Cz;VWH`nK zY7dBfvRYhu%q(Mg+CwhGRA_4H1(t5N231qBzEw3knCRdRyZecO9V(Spd@b9u zu-ITxtlR!Qw;y}N4f4Ye5BJ%BZ2=t5Y;!{gawiQM`v2b+`qTdFV z$Qh-cmUVa#<1bXC!&|WvT_v%~AR(E8U6|2CBcFinnynS>uRn^J);bOX0WhnbU33;V zF@o%W1LQyPDY1csdwFEMk-ImX{H{ySxh2v`OJ?3owY{2KHoXJ64483B{e_ zlBpR|7 z6TUlhXqYE>#kIoS*Pi{nrJu;xr-6w5Bs!I=kE7D46}zx;1_IHTD^J)b5BKqDIEvP~ zWraJLii^RC{##D}I8$PX_>uT}Q}Ak>!s1RQ*&8#ZJcu^?1b$!!`7IT?^BTA2;`po< zg=}~3XAtd*&T%*9h-kP^()S91|8#(V`or&hXdgb#|2!leE9Lil_ltOV2-z*8VKUQa z@@&@1v&DM()mZbOY7Cpvn?S*<*Cv&IgBMtxDvH>>F2XX>DP$h+dR=(IMlTsCi2riH z0Yoa_ZF(pH2b{2m(<-Bn&qt+*SMFS+x7HE{Gktm)u()7udo#H<)~AcLwfoD`fRm5M zFW#8`7e@Y^J6FIDRG;%qZ*VM!-;Xy3x+gkoSL8FI4a+0uJh7ZM|P^t!425=C4^#1*a@}1QO5O#V3V>asyE{+}lFr$tR@qJH==9~rtfPND(GqvXf0 zKAFk%VI1o?zMno}kJQ4f1{}EkfMt4Hhoiwhjf<8+uaD;)V<-eE&vK>z`Y)*wS)(QT zgW6RmrCyok3trt}mak@dFE|*9fQ{DftlW(7aUAO(bZ_0~3%VyWz3Ukd7I;jXLz@N- z0tV~9hxF%_|CKF#L9Nq4q%o;fS?lo2h>@|cMor}WYq39}+zN<&H_Fw+Q~CeVV0?@!wt9|MF~OArki%37YgD{`N5FB`6k`AjZ` zTtSA`ggsbF`0wUjul(K2Fe?o(VrX%F)yP{t#LTy%bJ-4Gp57g^q~w>wrg+QO6mQIK zQn@Wp`2DX{A0|PMs+c;YQNRf-TKAvgywVmGQt0E zAQA8bziHzkbks}RNPp6m#q-Jw(nw_&?!5Kkwz;VL zQDA$Ohcov6@j{K46KeG2`t=FlM*O|HxNs$A?k^s%K_Bt2cq!v4L`-!*UaW6{-M<>pbljUqd)SD0WWXvYB+An2FYj;7;|c#O zCDxH5uC%yuKYxMA@f0B{p?Nc^W%Kx4A91$2A9Lw9*l{wdW?J!z3|aB+&WyZhS_GT~ zhio<+P8E)be^zQ5kNm6ue1b<}G6IozzHBs?*7Ux{)5U5z zI@`kDmsZyJ>iN0VcgH&(tNMUaG7<00Te~HTTJx2I9|h%4w>q~y#ms8`#`r`&scG&f z%YtlG1e?8~I2nN`I0H)`6e087pObn(R5*wm=N?aywTRR=Z9J=6q{}j%93K&{i_g>T zKF|+e*Zd#hQEsHr+1a0MFzE4;WekOIa!bduaF&o;#FnMc_RzN`)k-ajQ6K8NFv3oJ zY;pnI;=<+I%EGf(JtiZF`*|#9s&-g0?p;qoFMcEP(CGvGeoT(aZ-%rcTbq)J%9XAP z(aO%wj(3NaUH*dQpC)Tg{pEqvdGp*9!hqeJwPE&1MJy)Db$0ubT!pg)p0 z<7tG+G`#irp9f2@pez3OrKP6}ttIa$#DSwn^An%0Pgl$qJ@%~baHy;gT3lJ*DziB( zw~xRM8&5gqethQ)X1QJ@&dPs{`27r(9&%6|?+%uD0r&>FqiB zf#56;&0;uDp{jr|D#|jmP+6$@Ih;$zqK3p4&N+>27Z_A0GrU zm9ERHm~RFYFLe0%3|La@d*+4_vFZ_|FrOgbI#KMN{nTdkFMTEGQt(Q|v&tu2x5>$5 z*;!RMbw}_hj_Y{3s$%?g2EQQ9<=dEZ=Zy<0_na=}38zQSUCN=< z6-ORAG|Q4_+r?`Zen?76IvRpS2J3b93VeQ*bx*Dvd$!c%Yz7mn8eFz#nwDxhOXV<; z648!`4mBan@x2I#zjB0w#g0Gs;CNnO-o?aPJRz7r@CBBl&%@bZE#xWLNF!v{LPB2C zEDF3C7k`9#R*>9}zkX1@dNHTNZ#ED$<3!-YGJU<`v8K|#)eLG=@(OX{3G!r+zA`Q1 z7;$rWN^h*qH>cIaqfaBFL6x=f!>w1K35t$ueL2Hw*L}@}7_q5TTCny+Om6bRLSM zIqxMvUxLOaMIGK8hk&z38q|tewypN=O*T`oSq^{)|7=4s#(mFonsEe)?wSyqKLBU}RYuTGKGTA~!jE#v; z811LamP1AOyAEm9gWUEjT-I=!63DZm^n;}>cO~-eEUv(&AvwIcq_-473SN+DNf@di zkYcAO!0#ql;Pzp8&0tF?TO(V>C(|9l)L8S@qmmUW1|4r-I}vk+EQ#`Q{ZPXTg5R4@ z@89DjVZmNIygr~8?2(Mh=Ce=NZLrf#z$sJMUOYs&318F+$~?AWd$Z7KJz9i2 zxin0wo2p(ECE4>chXPUQj23z!t?Vp6xIMBZmd5EV)nnJF&u#N3k_@d%4xGnh{;`k7 z4=v4SA?!%-ZI?KnarjE*X!pRSyDQsV@*-%zd#MmxP}P)dh`$cx=IXC&dVl4G4~u!WD@MeS+NDI zsCn~iSbk=%EU458McowhX~=%Vw`^k=YjunveOrK>E0|CM4nbxXtGdWcoYq*QtFJvm zX>}P`TkhFy{@zg;?5+whE57_A_>X`qhv@njyo2W#L$! zQ0(%vt=z(4`qK6CNG0EKgw^whhj0E$;ogQmmppU+aN%9y$2&8~`s01o?Xva>f0mF( z__wwT2vwR}4jUT@jx}9*{rZIs=X9Kegc*rpZp^qr2~E!#V#uUM$*q)>Cq;i`EHP=;l|s`1)rL00r?KghM9sEO1;s>8t>z zFw0ER>#RP*H^NBd!$JBEOe48qoEO06Gno=iF=i2c5iwKS) z$mnrHVe*ZiC82t)aIZ|yf=kx-)XY>lu}mu zSnz=?lyuEB*dx@K;b_9q);SzuA3YLNrhsKqXL$QU0R!{`(X1n;g*C$}&^+OAu#(&4 zSbxZweZ9*smz?^fDaLlWvae7cWdi^z&5@1)B=X-Yhr({C);&FLpv&zsKIAW*ezod9 zFeUWi#P05TW_tnSL*^}padtv{j-PT#?XG0YQ11Ym)ZB5wNs=1JJ9p1FmL0> zVt?Ltl-8`Vi}|M7QCk1Um3dI4IGk#i>~Rif>O@ZLTf%HJ=;3XS((op~rAcfE zopgzn!Ndex9pJ>{VTdpb&BKZkOBQG*v%z=3)aCl!UOH2@kewViTO2dtg=iM}ZV!Mg zkH=_#d0_y5jzO>jocmc`QH*V7qgeWQd_>Mu0YZN3e4C8(0l^`AuPJU#vsDU0rHJzN zW(*Ub^Bc~TI#^O9SI`=F zpsr^(-upUHV^wTXmcgF`*^#IIxQwy%xk2dfP@*8`a4X|KGGm)S1ULSx2Hw3~*07J1r@E`wGvGS$ z+mT{>>7``x)mYy|MwXs}cH#rZnHSN^?R-olP8lY?v zu?H5wPD+Q35xhS?#H3ki)o(;O)2&)GYc9Die)pIRgWu>Ea}N?o5Ubx!MwHaeL5_oF zdEErPa?P2JMSG@}SX06eFIu&9$vQvKh75Qu)PwH!(&|$P12K;7Q+Neq%}ZmhxdAhu zFVzcBi;1fNx0({Ie+0uAcS2PWC^VM#s~+rRZ2Yxt_1_40#uvA>Cd=}PSLpO|8j+t6 z!(2p|+azEqC|W+(X_uki--_sLxiey=8fFN?ZVLw83TQLJHt#@gYn_Z?daj;^#4T!V zb`Uq9pERYPMhXY~KK9FJ8Bu=KgAYW|YJVWy1pfNY7j`~qVNZ9tz3Dsd>vRSdq!UGD zu7FG*XEVF5RX(@6xxo(U5Pxj+SK;i$%db)$^#Jy(XFd$F3Ej63}Gli6;O z!;8pX@YBeqQf`eo{C>&qX(DismsBRpo@Jjt!|(Nt=P|IPp_K}E#~6nX_dNS8dZOcl zvZPnH0>)0eixb>Z&70DgdDU>pVYBb%*mjD0ZU)ZO7LMG-h(^(w-lkyos}nSg@EbS6 zuf}^F4ezjr6aFX+@Gv6!TGjh$T%w5;OvZjc{hIIi&iL(2=vcBEbY;vZG1f24*Z0U7 z3%4fteIyu^>bmGu5O;aJ=;FOG^vyE3nDX^9H-oAQawjZsIx?pSd$;<%T{!re#Gy)sYi}6+PSjtE&jo=afw%4~uR0Ek zx?}S*JMmnXLwK{^U2MB2kF0e4w0HoR9M*LCv+}xQm{^8xwRk~CSj-Wff4Ozse5kPO zuSa|hJizF4nc4#V3Tj$+-&?sPYE^5RQ32inJ0hb)5B(a*ArKo@W%%o$ z?Jnoa^I+a5f`sv97zYbtpJNc-J=g4Q z8^t-!;Z?5foy$rG!Iuj)Uvdl# z+4iYf4jA}F6WLEOope0HnydkE-V{G1gGI}V zxD3`~8VvVU6^EssknT{;KEHeIs1loAOnbjcY$e-A>9A8q0##c9S$%;^$$?5@z2_J^ z8viikG=yViVLu!{cd?3l_>A&?ae1KpV2=3P&_j|}fo=k`E52p*r&dT}vZ5}205@sb zSoXL3gPDBxhI5yAG7eps)AbI=#gRu2l1rx32I>W?GR1=lUW_*i(y_9%(H7{YRy%E7 z=Ha2s>@}Ww-_&U76SfXN$D5Vp97F56VqtncNbxJ;OfeW#S0I`$5LV?&HAFrtic%_>^V zcP|?!Rd3x`oqRRI>y~P|#VQOy=)TpXHSBDgq_0@7KXtx4CmX~VI~~mtdf)OW(mV4k zY-#rPYmBHvqsV>Q@N1KnUA($&%mu4GZfi2 zTir61E0|ZgBt{}=SZ-aA&_@91Grn>M%Fhv>t6Tv;(ESG8oFmHz(Y||jKdNq7`vsXO zaE4U`qhnoZ>&;SYSkqHDu`fkEmgwFyI=Ev>4^BbOM$1;Ka9cA+H5JgAoG&ogK5$V$ zF}Vdj10l?2_U&iqXELCz0bgxAOn!0;euE@7rIvQh+P*Au3&Jt!qRVM(-S}v>R_Rl+ z)kO6mmt0V%k@L;Ck>#xHY!JS28-RahPyv9`^(P%VcV_4Ls%uYRS3#))Qd+WHc~Mf- z48J)7VJ@Rr4}cuU)C=~1)LGQ^5Zkov^@D->9j6~wryKl1_Y0Nxx5t$E#!^c;*M# zmXf=DA#2QW6sH_-g~;E6@nkqMpcK$PLT>oQ(Hg$ck6R(nmMq5#=;=?aX+H8J$K6jD zXdRi1qu(Y+vd7!Sv7~77C{6Cpmuh|q&fN|wVECs65$?K=ZSRhYipGXq4YnC==e)oM zp*!DD$(|{B<9>~QM^Bc$vYU|X+cCU&#%=F)db7ha^Ql%U3=1QGCc(VG-qRF0abIly z%tZy|LHaA!px-yDLrKyC8jA<+(G=U0;!^>O{$V<2_RDNWn3NdZ?YZ^=f3(jcXPsnO zKHFC&B3QG)B3p;Rh}$yCgHs~%A_?kdP=?Y%82c!M>Z;x+mg)I5E$da0K1efL%Dzb? zzbp*udl2D^-`6g26i7t5z!zn<(CyHt6_K4CZ3ia2E?)#U(M0EpueJsh_1|> zgC2P-ekzUgl+6?rbXyPxiJOH)Js7JjmG~dD(1zlqL5;j;ML);LVPY7DH_r1E(-(A6 zNs_5BADCP#&@cs;$lWaukahYUV#Vxi!NxzAOrC@iUu+eRbiUwS&XLcIskKMAe;7H> zh)E+O~9`4+;O#l57#%xK$lecG6Fs@Z?aEt^=S^(|4_*x(!v zj>i_qtUyC^bZGz7`xJZ3hX!E?U8f;Yk!d}JgjQ(%ass(qJ56%Su@g@E;_M>YeW%51 zP;HD(KbjC((~{i1PSCQ?sBo{p><}3cc9w8)bg!g{0`2mbTa4Av;k>i<5I1UazQ5ft zI-d->6a7$0eR4~b#wT*{b}cxYdoA{!OcLvbf`2ZK^2t@z#H`RV=cA^9dzk%{ zS4?l3PY;UGyC3SJ3Hx^jpxez#R$7Boe_Vx@%I1OJ@vvJECnzKHAH{r$W8A9zkhiR5 z%~XEU(w?@V>Mn{xbH(hasYl$tAs-!Eq5EVx2C(al-A0_pNbBWx<{huOS(RPzBg~`7 zWS_Cr>?kvAu{gNp$%3ugPTW-V5M5nJZ1ik2V&&ngrR;r8Xd~u1;{i)dqcWrDw`jcA z@Ebg~J($i_7KEqZRf`rHm>;Wkp^mneE8%@*?+Q=Q-KpU4+iAJ^SjjNm z=^_=SR;t9M0uI&`->HpRZ39s4M#Hm`d^C^{%UkKl!)T|aVs5Ihz!axJHe zVp{?=Fm`mjeiI)q-^)_$uCg-|5o_iww$&w;KUM&8%9G>ecK*RkN#}mH^w6-RxDzZE z;pfrPB2&1@E+Z1GH@47JJ>Gii|M)nH^LRp2>ko2(Oi~#~Ki*+d+F&0$M#XM4z6Y~e z9M$c=ILDcz;TnH4LzuBEwdGc6t7aLc`YL9CEsru0#>rAh-Er5{P>^;r1+>3$xTkHlKI9DY(Z(cJB>C+l&oVbw zJ!?ZgXd+h=6V75T6lpGJId=R8aLN=4Z2ry?+JTvLubYc)@_;IoT#*mi6NjGMYM!=A zJu|U9JnD-4ZJc0Gl)?$^qhJ_-({y%Jfg{co&VyoF^Ju{Kq7)ZOVlW)~nYE{qPY9j^ zZcQ1a|Fw_E8Y`$Q!^l{tX5+~R=VZtpf>vtM?TYT#@62=y#ZeNGnGZH%E#q%(K~J@HA6)}rQ)rr)>rMi; z{~q_L50dsF>|$6L^V?V@`whot1ECJd04w*6T%udA`&u-gSZjT>;r)`m^t{=aiBiWa zmy-s`p+@6t?ww$+?kal zPcowDuahYY39g1pma5nJvG_V(E`0@Yu5p(2A0srG^`n98m$xt0Zzw3y{VSwiW?3@4 z^61Clw+AjNU6JK>MTGMy11*Qyakv3ANf(q)sy}0Ez*Cg_?S5S?<-%N{89~@zG`(7B zy0Ea(*{bTId^Og;FSIIHNN|n2?Hmdh_B=&EjZsaHv>H~ zbfs%Y!RGUS0w+JSxY4JEGDG`6USr|H?r_LVWMv^|CJT+uziR}t#RAjEf9I$n$^+^R zeS|T;N=f8L51{5LFp)X(CAeO|Ltf9)`nq8Ywk~G)#DtWokP&^X2$LR+AF!J0!4vt= zfx9^l-W*7%Q={A~X^s3ycgyLoa@! zn&z}2(6qAjx`D*q)fBeTlqlJme}rx30@07Q?2qnzd5;+lEf+>7{OzLPXeGcl%b;aI zjX7+UJ4;W~&ABg)nkA$?q3Hb$(0+OZ*ro!3`FkRl7Wxpev4P;FO8;6kzT1LlogF2^ z)dd1pPR%`(S1(TEl!M@07_BVX^5j zTpTfp`RJSM>b_P~zTakcBMo5H??m7PoMLu!4&R|Y>SkPWno&%lT0IwWY)1D^^nyM| zwf~{+Cn=16-Hdu&H8$r=1-qk8;doP9cMpptXf{}S33C!RU{=XsTqJh+^R0Wm^cN`e z@r%VbdlXT)7fby+^5yr{u^oy4*VaZy=I|=HRlL)IENvWr{Zd3ar*R`2lGTAk1^lw(a!CN^Z#L&>jY$1R!S?rtsZQ zTYk`gXE+I2|MuqG@*WFCyRA>0f}eEdA;(xZsL3LdJq409>d&^{O*(k0e2b{Ww(+4y zjq?arbKsF(ty-Pen3G~7$_x}5KF_fHJeta>5<(9VIn!hjX`|Mg1ou(< zRFLW;kv)o8-0K9!9d%;BTojC&s5*uSUm~ApI0`Mx($8(dpoE=%lS#2&74?j_T{ct! z;o=8Z6Y$G5Hv{6gOBM2NZ$EAz8y+=JB+I%KiFZchqvt0MzNx((#X(~Z$y*ZFioq5< z`1oKzT=T^h1g=$U9UxAw7Q;-!7hhKQx`x;Ftx;NXKC?+D|JK!dPn&Zz+W7>VDqq%L%)U{($aFL*c&^XK``vB5d47 z(}5!n)k47Hl*jIkIghllm)GRE`n*r>MsX2Qy1hnedU@ zLPMb{<2hk3HU{#=fyaQonD4h=l$QGCmi;QyOxOGK^EJJqPYolHGJKQ=q@I>84xS1R zIwW+Z(ii~aE|=b4u4)GUxqc`0{+)PUQf@p~6jY+iG#M-&pqXcxy>vN3zbn-g&3`LW zNUt2L?!`Ds+?CE%zpR0d?Iy)ov0bsxHD7hKuR3_Kl}Qko_Fnawm+N`~rC6E<7lxI@ ztgH8#Ee>a`gQTBFL$w$NTQi|~_VXJlPM(h%l+BEZ&({!Rousw$uD$ukmG>o50VB`m zIMJy~ods=Y%j!J1d)`a;?!U--jH0pQAV{c@&K|;`x-o|^ zvZV+eqQ3ZyZkiYifsbFc8?vd8$-1Z7d49ezmtWqK+#J2H zJ>kA1O?|AtXx=Zd8d~S*$$!C__{99tUB&7TF;s4eXina!o@Q(Ru}Otzfw(Xqj#g7uC)~b1n^2shAGT|rRDOgjb`>RDsi&FQ93-cs&_kJ}5k%0qywLQ< zL%}rUD#2b!Zi$d~uY_U6QmFrA@P*MOrkbkDHripTreGhD*bf~!SeRVLm(QStRRdCT znnQN77y1X%%mQ7RB9lywF+NdO{8Vwc&dYa`cP1H1SqW--%T*W)U_p=aITsb$hfiIA zP2i{$Y?FPv2?tf0CdE<6_fYUetqA-@XskWNBboV#Myz#H5SrkVwjCCWBT55q`6DEG=aSacYH zYL&|{P+%XpM@>HW&A&&*rQgWd&M+V~Wu!F*M@K78WjHeCPfE^*SOltt+nX4Rt|2m8 zPPGVu6SmDkISR2vM%_oqLw;6Y>vD@^;ETe2yh|l3Gk&ng^E`ddnA?l-CmL6+(+Sn+ zK|fX6b;72D%nqerrdr?YG~-(32yYa@a7>1142t@VDpAVwn>} z_Y_NJDOsfQJ(D~e5u$jx+xAPYEw9V$O3N;v(zZ&OBH8rz{OlfUS{X}s69T#?66!Dd z)!wmu>#;T5peA@0Y%GN1fFiC>k|bjMrnLYZQj=MZSh-uPsnDRq{6tSKFx6mK!GF|c zp_2rXq_L>)xq^jCMWSCENF4NN3LdP}MUshQ2c;-y*{u1Cb(W$?^?tO*41On?jnQFq zR|W~MB?rP|W!r3PbPpF?sU4~jwAi4;ojh+>tl8`Y>>w(kkDL)u4+bzmZo&!tCEoxd z0?4Tmyin4oDV01D7Y8mc^i*C!qPm9MLCtF-_Y14U4n`Y^ASYw!;)GZpIVk^-YXw70 zN7J&IEyHQ|&OZEJ1V@Be2RQU6^=gLi*}*|D2Jt|PWPCT;sjMt77gzUVmD0)HoJ;n8 z=naJ86gdjd3dP*J_-^j^=IIj;Z*;eQ182Os2s+H}_xn?LsPwYWjbo?v!+FKw=%d$Z z`ED8&OnmpO`}uh@$ZrS8?Y?;F**W1~ki?_C^igKMmVybXLpfTB^t*3!v1HmME3#zdHTdQV#crrf%g}()k^Y^6Ifoz%R3NLhN>4hx<)Ai^G(kswg65Py=R`N4@N4 zMteZU`Kv*toLHI#Bm^j_hd91;2ldo~@{dq2u~I0Wu{7KJd74LZj1?+U^)O;o69p3& z3eYs{77|F69$%rPD5t51ey+9>+qKhTz=Cf0i0Zb@IxQRst=!o*vV}raP_Q(_SAee? zOqT3RR3YN>8WswcMJ{9Q<8%k-lum2GeW#u5_UUh%$F#<4vOK1TxwA&(k+Ri1rzp`y z#rc%8wHH6O{p7l>eE_KZbaYeoj_=bUYw)kEQg&TCZXU4jg~0DS%R39o57$=IE>5YS zUU!{-k9`4MzfcIo*4yq+S_M_i*F*Ey{`A+sX(U>sN)_qz1 z!SSxD_If8f8)MuFsI1UZ_&lfT-p=|17T6-njw75!@2>fwj}Yh+LD5%?L^-EhdhFOA z0^R+3=!lUG0)MKu9%HOf1}?qBDm%*Q<_=c>3c$?Y!4SWb2hTFbcO zCd<{Yda#G+7I7ak-O2=53Rx+g}xt*V7Lp+v0W-5MUCNM#|t95L!HU?uC_a3f`yyNa~*_sRm*&ogg z_)`e|PBVg|q(AEgg=vqn%FI7P=N$Q;h^~ZWAB^UvD+ZgT98^$!ymq9r|6nnFC&c@d zP46K zmw3fD6t0`F)ChzWcwL>#F=sc#Re3DN)NcOL2>Mga3#c4rGZaO#GAE$+G*-+k;(%FY zgb@wx8MC1utrBv!7Wr-e!=s$RepaMzf{y8*Xkv?h)kNzk25EY#a{Y97h)H=lB};1C zuQ2~JNjTT_4-T%x7X)_q-9mt2(ML%`|HUVgI){qZ3(?^}V6^bF3<89R7$9`?Em<)3BGL%vyVh zBr0YTcz9N6NU1p?w^yDHH~H0VUXb17G~FG=f63*$4DKh&&qV$CV?7P^Ev$!H84m5< zPs#k?Z-TGLm10!7hoTzwJe>Xl@SIC%d-f4QjLB zO~5Xx9vkwU@4i{bh~|U=|3_H=!$baaXNE4I_+ck!G=xy;XExuIgr3c$bxgZn8?)j+ z-Ut52)lY|YE{IRCNXvPo^0%x?{+Uec@PBbr*cU;fF~Nt)jLMJZi^L%5YUG9zZuDp4!#@=QjgOJ?Ohr5GJ4{4Gqp&|nJEfQy+11_|NZ?E z&9&?&H^8BJWVGXfZ@R+o{+)ktrU39L)$6{wI6uje>L1)_y097}T9e8$Pr|0Z=SI6$ zoLY>x!)&;3dqzgTf6I@IaDgm-w3u8LPlX!$ms)_QXaiqfN3@K!==@8;|01scb70?R zQ7_53mNPl6BVKWNx9#)0HtjD|cJ3RjwTH`45qbR$tK5cFsryoX9>a7}@^9qy46nrg z58l4LJ)>^vpGAkiY(qiCi>o5e%QO2Ew14rfzJ>I}oW8-*y!dZf{__m=JBc2nu!xwy z^X|l+1t)u9v<79Wf+U$=`Rg1X_LyM=%k;U&HA1$8v z+N`NTHOV*ud>WF1X&~eaX2jR(Vu;$te)apa<@$O^op--0r+|l{|7AoH5ZZ}CCF1E; z564=^HL)i?Q}%}!xToV{_jcTF2QzgK>)nAUX3r`+I#y?X|1N~(hD0? z49qwm*ZCqQA}@cVmD5a1>Ni3Ub|04cf*#Q`*XjS*^pZ9^B;*BPy(^&ZO=;b1rLm*? z(fl{}HeNUhuTA3qM6R@6GG}MeX7Yb~5UUQPCmOj0$FAoi96Gk#4A_dgJor6g;B#DG z9ZZRm%x>&3TVZI+=eTO;e!7}9%(7|x)KoimbG~JU=k(NATy4Jg)MIQf_HeV6D1Q8Z z_6Y%6?q=v78l)Sk0g0g*ns4)*bKdto z>iO2<4~Dgv*?aaK*Y&Hrk{_@osV?%BIE4Z?Xu)m28AZ6;5%74_{Xzim?0U~nphJuD z5`0egmxXE|`HnAn>c!l;G~gJ}yH9l9g62XAvsU+AZUWdJ!`8143`f38+?r_N5mNL_ zd@e_f%DX*PviA~v%Ip`A2}AblgUKr;ghU#4@&h@a(f{(mJzdclJr>v|)gK4B_}hmG zTsvjtuKPibHslYN{3sG~Qr)>h=o}U^tSkUCx~SIa!7^hGe5tBJ?PI3v9ZOWo zbVVZ%$y&bR+U&-tSuz3itAEk8vU(;ljQ0z24jg6zj5;!`AUodkjm)QB4V(D|{oUcz zqbPi|SP~af42}BLR*MU(=cp8}j0ED5kqdXTv(H;`-G7pg%Sj0mLSnqD30~aVhvRQu zxE}qKE%#Gb;{-p+{^eR#?*ad;YuPB1$R5wJ=*klJ0;L+0p@9)(OM0{y>vdF=>I{Dh zUhY6=F&a#oy2luKW4>-#_bc0J!BKHzZ75Z-uQBBTAEFVd2?lKB*#R!6I3NPchPuIHYHajpRl|Sa3OCE)f9p(<6#9$?kgXn}u^SH5>#fbl6KZ;+8pzuE^DxNV z{CW`V8>MhRFdbGfA|%8(%%|`ex@;~_Z6?iTuD{&9j|Fc#t1D8gF;pMc1%TLnT}nR4 zN${2Yv?X9WmX&L=>1qCR^7T=E`R1c1s^)n9Ml7G4+wS#l@W`TigOg1|Zr9m*YN~1+ z_2L)h({in5cP=f5c5IFgOc(3crFK8;Us^Sm$>|jRWM7PuY~I)w>-;ARKx}TY>7bWp z4q72m>o{j49;pW{X3&b+%E#1P7mzUTrB zW#zQKCl7s@IZ^7xLCzh+IWQ&>r{m4>vd;9KSh;xS7Z%-R8U&n8&-TK6M7KBi#LjwN zJVqHNIza;eN zsB{y>1K%Eu%J60LUuowB+NYY?Zwg(5?z9R;hUTViP*4J*Ml!=Uq3f{xXub-~>d6_FL2USh0+{``u$9PYVoHC_H9;iUYAYT9h`n zxtc1o$pnMGn5?W!Mfdmr>T5bsl=EjD)7P5H#`;9ZDs*)AVS&QD9r5tPitEF9X54px zN*@~x>=`zq@vNy|x0Ejatp4b{?p*z_J(5Tl_K01oB#zL3RO}i7n6N@~s+OIEg@t*O zCXg#PVxKCC0ZWzxhs7-5!5Z5IJZ0G@6+7BJ#+`D(V8#<0@)%cdnK)%^DiT##gZnCK zkYFVWAz|6q7w#K1EWM#koP-fgm{0L+u+Q(eCq2cElheH1>)Tgr)8xv1+h2&H%mf>> z@VhtIkSS4saoV;X!N^QPFE z(u{ACLBW=Ca|t&+{D;eTR9G8zFq+7i-YJVY9_9|&bw?{kTXFQNL99j$^RurHf)cIy zCOolH#aJ88;E4k(VFHMknVT1nPV(I`RgLa_=sxRPJq_I7(z@YxM|1N)`+`78=+8t} zq+Zd2X05JtMg0ttwt!t_<(jqma*bisy|?hTXp>JIAT1nuS=TF^C9p5^6;tf9(Py1Eeh+#fN0b^9Lv49Hq^o7Szn|8 zHo>3YX1)ihgb)RBc2pJ=*S%%`PKo{fDSki64_f8YXRl}km)||BT%H@rl1fzGIx~5v z?g~t8J^2W*KbW@8v)vy}FLCh-;ka*gP06n7Lu2(Pop}GD9D(H=nLsy5JOX( zA-jy|8g8orf6J>>*O5lr1&`%`SN$B#X9JZh#XZ(D=vTj$bHGdEDipkKydp;ScZEWB zeemsXpJ{Rp4#Q3jb86c-eYnmKY-k^T&2<3cIY>H0XqUI~R7r8D_ez8N#;1Qc6OZ3s zbid0}Uk>F-6+ih9f)liMg5$mWFaV`uI2r8bQJSgBf)nTr#O=^JYE)pXk zaM%%x>H2bAV3z{t+K>sG>o1**H9BMP5pc^g=J-ZF`R2GrmeY@10>bq2Hj>)Wc!>7#6-dOb3$9LiMJ}mSbr)=`e@dWa1Hx~h*aXmSpR!qd6n4WzFUPsnH2TueS+h0Bge)kz4Ped7_m z)9DUuS$WO4{HHC9{m0@0=kgyu8~wnX)M17IMJ!C}L#*T&wd*Hmp7`t#Trm7Q^i&eR zhCzSEsfyr_Cct1Nqa2-bU>5iO@e82w)_hEHj zc5zcA*Wof#ww?y+;Yf3%iGvkaV}_{>Q)NSev(uvcg$4L{Tq(yO6t#z&b}lY0(xO`@ zG$>HkU^&Q+^5$eJD^}A~`N5%VdfHxV^YQTi#sW@aw`aMO*$50qmh&zcOwHjq9KPu$d@SvB86?ZuuFQf(0b!k>MD=R6xPWc zw>>IL+`G5Xd|uF8{!V``ltN%3$?arX=5lY1G77Y10~FT|991tu1kQToJ~mhVnbh*^ zUW{Ok<$OOtEgAv*A~|?tm=eOdGC_dcCbL0A$p+gBf7eqkg77}cT}-W}((Gn{Z96+w zK5ZikEj^VA9L4ZIl_A;hYKwNbc0NBk+AY|5f1l9xGQ3&Ms*#QGr3BHrXZ?m))u?Jk zo93jZMn3^^h<(K{Rn>P2mF+NSw0~a@Ht^MmD4rUXMJ{(kOKotGoX64MZ!x0j8?}Hq z4jEI))!xqgxzQvDr5L3rwnufFo;>yQWeGhTe9cDGg>3-%am zX-;@@;)1h5s8X$A+@-|TOU1}sWJR9gMvira7^wjS*@o1jRk{j~4o?3$s2RPIi_G8YlK<=kY zm3rrte@vfYTXe=5tk$3hFE?s*b0Z24MH>^CH91_4 zHlj+24*JRxE$iMip`=IfbLuVui{`Q@7jYLi7~UUMMUkOz{I=k5NI;*Rkfzvww9$OJ+)0%lewxZ+B#SZB=7XtlQB|q{ZUbRTt6wFLf;SDmj%A4( zfm=1!6C8GC6QIqx*GZ6yUCv4EyvaN%m~>C*5T$DM*6?7%X(Pu#ibav!oZc}Rk3Qiu ze|yT-!LJ>c<8{$AN+clK$^DC_3q+7;HHgn8j^FK^6@N?p#(_e9NOgEx&zwulNg~vs zt8Am4>D4nZc`eT46;zPZGf-C_1~)B_Wh}_?N?!gi`%5M09&vF4&_3<&$rjEtvc8+E z=%R&2w0y+13AuiiLF^H2tGxSz!LZn6WT?01(uZtR&4=*&D!1?Rm3)&T@ypPkfCheZVp;qW2 zT2O}^w=Mp$IY}Hi>@s3^VgqkzTkEAfuE8Q3%wCi~mK0NA@AKWe12rw+t7$jFRlz%0 zT+)G0*%OcaB+Bfir6nKysFZIu8nCc8v>Q zd-95LQa+#7De{j%_;U!*A{}2ByAIa7&tDN~I<+zm@gqANSJ%dswAdJ$FUvjhH=Acg zsNNsLO2vpbFYMT2J=|jA?aofWrjeQQnlHE?+&{eDeao{B5;lG6&T|n8ULLo?l(<}; zjE$f4I0`kHi|3bZ`c`VXPeMD1*Nb683m%BYS}c1~ZHBRxy3RppUwE>@?K{N}fD-$Z z-i;-$Ycz;oNl53Z`7B=;arf99?83r0nDrg{NgiZM<7 z0hW&JwAS%mHGKS2k^o@zT2Il0$!n?FCL}dq-{+h(Eq&>`d_p!guYNob)ISwZy@En` zPy%eJ@n=4H;aQ5Ttjv#2->wbT?~f(9bZF%Y_iv9?MLMr7E;85GY}2vE5!#UVatbRk zjcYWyI;*GqFn6sce%&x7kO?Dgv?$|grd6%Q zY_$_BNf3)J?Fvc%vumbu3jl7*lKFt2{v&q1O}>8Eq-yib%65F1MOYo612`MdLB&ThQ( zkgGY~x#SMs!CVRuIp}(}UB57-n1cz7T z6xgfgAW2q(%3q#{LraU_-ezuTTqScEw)ymBI?8%=XLyaf|HEJS#l{(^-;E%w- zf7kcGl*_Fvg(bPfE(**hIq%1n2e}aPWGsARK~0GKaqpp;5`qziNgOlFL}JUcQk@5H zW02w4;jXNB7i-^Vz05BRNjTR`*1JtSGw3X8`Ez*O))Z;kw~1$4KbjMv2PG=6_0&5l zt1Kqj6Tl@}tm_Nt6$WS3#;z``{2bzw{ErR>>(7A6m|T}a(wDT7^JVy@3u>fbRUzZXMko%p$dx8*4j__&6i z9YAm8?bCKLxsX8CrYRPtDQ#~<+CyO-hCujeB6tX^-G1Dm(eH>A?fVx0f_^AyBndL! zL=pIp`}g;^7DRa~k+uvJf5z^$G>GPwBpx6OtFs-7`YfjP}njti)FH| zq4<3FQJ0 z#w7^*DRXGsX@L(;B`TIi>B=6Y$~+IU=&v;hjNkY9r}5xZXHkRCwYyl2j?lqBWWwhP z;z={T|GPE(&)gJzivCG@N-sUwtce8{oXk}oJpG1#1Lucijn^wIMqnXh!yZh65G}CH z_t&kEjY8ElZ1AJ@H~HILI%(j=S`8|grcvP)U;m!M=c!8h0bi%&b}wH8mJu7GPgd!{ z>Yf$LJ3#7T#<;Cq0v%1Yc#wXQ9zB!;_;R>4w{Qv?E#2x#IvS}_fw;V)MTV^ZL3Re- zzV+_c`XQ!KtGGu)I!e;IH1>2s`dGx{Fgwzz&Lr@0M}qQe>d6LNviTu09`~`rD{Z~v z*zVN-+&Zut{l7ngEYI;Coy^2=Q^0sAST0W36L839CL3z~a#5q)P*36=uH+K#i{r$} zCYxGm^4);S_E24yu&n;~{1;DKZCgmc?>Er9R?vTag({<=k&{4x#5)EU6=RZ#A|Q;0 zJr1bI<37_&#?d9#OjO=}meOh4(}jPltAB6sp4}@76YTM61hRADGhw0eazqR)sJNiO z&I;A`z}(3ujr#Xvv)U7dszfTy_KZ6ji)3m|b_TSFDyzlxi3su>RHjG8dp;};YyWe& zQFumRLb{TIAC&8bZ&dEJ%k`(sUo7inR(&Ou$HliA&89OHZqJ@N57FaP?B1Cw^HQm= zYc*f2o38{YH$~thyq0SAylGtVsg~&eSF+jgIa-tq)O4{anG1w%Wl*~jXOk(71kDcs zyjU>7k9^OB+IR&kw{~CUF|*NXnaHDO2qs!b3s&Aq5tqf5clZ03+Q-Qey?bgSjgCVL z{_CdT<<)@qc2QZHY`q`yR(Mx}S#Hy$RsN-WT`zrv}=VUP*d(C3E z@u9+IMXbVccj0A^fc4KWDvd5x(-lT?kzl&Bma0ijQrrix!cyH%;#HsrpW^%2hJa*P zH~_b@p?OCc5uf9vyY$7-Wv8dNk^$;Lf%#SBE$1OQ3Zw8K3;HC(`v7Nba`HBTwZkYB zh~5R*s#thmcC;5-9EIDF{EV}^bSgg|Vc8p`dYFM}lO;eS7y^uGKy0g*ZME4XeFb=3 zR#;VP>8HoVP7RE()!R?|;&de}mde;ip7LIuAHlsM zfyHJ7WfUrtk%sXdH&W>zPU zmAi*M%UMh?xN#nb*#s@XtnL!GdZRynB(HAU^P;TkdD~)%$JJKaoj4~O8a^On7S{{U zD7osoqWOwWvBKXTXi$&kvfPJK_;_BpP^0O(#RRpF^kjEpfD!iYs={p`o5SrTyoDHg zjm?MQqx=TuGnFP>XPu)!W2YA$e)J6?q*0>T_z|$M9{n248BVjU8>9!zCP=-Ig+H-j zIgY|Ckz8yy4E)&h+X9zMdC!38q?<+;@ZI(cCy{Wt+p*HtsC9PmiSWUDXDe+grc2!; zf8n7Uko9#^GBOS<)Uo|2o$EfP7%s^mH-?YR)*Gd&G?{f2*44y94@q(ych&~dWYk6DjadQp71vBM^6vHL*;``oM#foGwXRJob@vD@MzZQBP zlcP~*7jRf@IbT-}-)}{wkRCUXSAZSj7RQ2?#R}RAMT~m*8EkZL=8adEpu;%qn>5Ct=+m^LZ z&ilLUeN~gfKkl9_H|V2XaO%tNn6GyXqf08RA|#BdnRiG$TR=9w+J6(G2&bULUgaRdx32{bx~bvY z6+@v9_?werBN^J0)@)yW3s9;;=pgc9<^KC#?&5RGr0KSSAmr1L`(4(I@R%O)R$bNBz-F{rX6@$33A(c`old@yfk2Y`sK*SmUrB;d3JbQL z$kcgo!tE}dSaUS%6@(uj$~e-UYgL&>JMVWAc}WQWtOwSQ0RRPEKAdX@fVPCSzF5?& zEp3H+66X6oysjJzPI{YMKOLnUXwjr@SXeR04B!F*DNuzr;vw$f>qCK?inMej zS^$OnsgABIxBLZ)9j@68=#9^Bt9}mpCv_&F@4ADHq7-hrCp#9w9W^6nL1;o96-_#k zD$SO9@);?jqJ9)Kb>siqNV?h~JJ64oOLvJ*Tk>86xJ+|0$xSK9@kO)Gag8Rqx;rKF zIG*5szT}AUt@;-Fp=+{GMQ;IM!p8s#k2rfFft&{aWw4>72HgL%ySA9z z`}}Jh21bwz7{<`6=yU~>8n_(M&L=_aPD{sx$7W02GfjxF@6uNvn%X3jymX-g_WnG- zHRha!l=&RrMNrUbWzgo(+d$O{)p7{`I`lq&D>^2L8 zMjlZo)geN85bx<|4=xsO_^aKUHZp>ijX>`(kuzo`@c{M!jqRi{(*m}*{ZhBBFq22h zI?jL!1AaWI#Q|`CQuWz*n(>HqQqE)CU)8*HnDv{?ROf(PVpB7sTF!YT`JTrnA#Jo# zf1Hl8cNaYD0Cwg5*g)(Lxq<6Ff|{ucbYlwp1pE@kVr2^wB)LBivp;1gC%2;VI9uVY zHc19$?d71OY@_-9C_Z&E*6w_{v)U7_9P?OxJ~=15)t`65l*fQ)s<_T<@Ok2!a8e!6 zW)A?0ff1C42(B1jvgTjeiTzP;6cW@!Utl#Ho`KhM!1o)r%lrCwY8F9`U2^EnIfD^6 zZQ`}>R!a-+)lVwwEfPq+aV*jpt3cjif&=h*xxh-D7xdu3zMsIPkKkU&7GCNOmtw!@ zGht)lj_M51_0xz@w9}URxE;D>qz{opzDuB-?dg^8t&S^QAuL)KGn0TYL2pEa?{c4) zkv4JtO`^~C0LP*^ebec(lP6wpt^N0S#`i2|WhU>WkCOZRUEKj9h*j7RC!}Qm>VTA; zx6ePe@LYOoBHRitS@{bYPt?{YlS+{iLc~OY7jm( zHBjkMW|J<-SDkj>thKNP1xMGjKCMBsEF%uk&Tm>(AUpo^PR+AI-{gkR#rHbMVd zfH4~7-nN{Io)eEMvjpG`2c=p6JBI?Q1sq@WA43B@#p11Z9~e9=_<&q_m=P-QJPu;m zS41js?8}D;s`3XAbBM*vp%Cw><^1Vu(pVNN2j^+OB-zcIw;XD zVIG%$$Dlb~83P|85#L)v*yOsj)|RdgPm!40L`l2T6wi#7$2{V|8PK!D-D;cYk|Zy` z+>a6UPoL1mwFF3AtGD=W6@gxqrOGl(LKB8rgZ*70q$}kHolLaCWp}EO0d(zOEugx! zZ#-&u-I4WqMn35Y={oCU3b)!Og`RBMn_qGs%$P*Yj9)|Tff1<@xqd(V zG5#R8clRwZODK%~INkPOwP$~L%vHe7`U-GLtgxO5o4lzezBl!VWXA=j+fq~#IL1P!$nOORCx~Z?PPw$Dk=7#h!VWml zz$sKdo2n(82t_4DgUmhmLeqII`n2ZycTw#flzjT_&H(?ytx!=#44RlC)=XFmfQfa7 zXXeS8Wvhv<`^m1I`(gtT--*kEVFbR+8cKm+yGp$G6GbNeUVTP`jS9(2I6ypl!SYf~ z5l|Dn{wa*h7v)P4TI_|5$@fh06sLJki{=hv*i+r$Ej+2~Q!($kV*}@wyl_YyQK<=-%hymI6d~_|m=NE17Z@=4gQ4EC1LY4f(w5~Rl z6ej$EDCMEo+xt2{o3FQ;M-Cp6ZVLJy%;w$Mp35}B-~3GsDOm9GTXF6u{0A`*@yyWK z+YZ8i?+YE9ES{q78erx zzV{am-Nm~p6dtw~#epQz5xUG-k?H7;f0A9dHCTkVcS)$?3E@9lO?XuLmB~o`Zcg6N za@cLV*D8otTsTe$Iv~iN7cA4P2#xl@-xtE6G~Zol%u^_4duyM-!wYJbSWAAu;EK;n zV62Tw$tE$@&ZFpmqH;S$5?;DOTiIBX&THGsYzK{g;cST$%hmaf>A2dJhPnVLJh>&V zts|OS7=_WLR8{+?zwxufylAW04xe5#0Ll0~hB367hBzS3C_|IwS9e>#>gX$PGLgkZ zThq`1ne>!tjNT4sBhh8Gu`+mq##A1wkvgy<3t7HG?>T`E?n$Pn{DeZ%9YgL-p|(qE zYG?P9KE`2rReq%+-x(fO@m+f4XCLp4?#;^6|LCSLO%3>FsxB;Dt+hji4&uWMqDjT1 z794jA2=x2Hwc2DKWd#foOyl`r*wZd+&jX>(+m_Z_#dVvSFw>!8uqYT=I}e*-S6aug zg=(%`tf)AqBGpsv1(MX=>yPm>JOGDVTLfc|fi8R@)_gbS`<}h}Z;R~OBTl~TT(JXx z!LDxwq7)vwT{6UGb;w*R=5-J`2kjgXJN{@Oucl{Al<>vccK_Pfhc>u2HgxT_)c1?r z@1KjF8JiN=o60u2g`?F{aW8WFF4kQt7OOuU5?u%BQ4~BY{7KBsdB7mNxzSNh@|@5` zT6&io!Exx$qz^#ho;I)r)dJ}C!L*T(tJ!Bgzsd6q>Ln(Mv@PXvmPl}4Hu=Zc9uKDV zCV=5UWe^Y6*Lj4ZK%=h9=Wh@$5XDF=NW-C} znX{a?-NZ1kbbd8(y-arEQZKqueW);_C!wa)B7M+qvx(Zfl`Ef#Wf0FSy)egWRM+%r zT|H&m`y+zMpqt;ya{6GjLZ|)V&4*16;q^Z-nP&ll1L%HkW0_qQaHubQzk7#`ZIkj)(~D5g<<>u(Of9s}_v-L783A0AM3dQ}k!lskS+2 z&*q9keCPN5v|*b`oZLtL_=qGGT4|fxx&s@Rmq7C1#@xW0(g6UYq#x`7N<$J~bl;@K zcSD5Lq`ow9wXnX%uyI_EAR-2Kt+QUGkK1u$T5Ss^=ZI1zEouIpg40In49)%YRE)bi za}0^syWeZo`$U!cB@cE%;=^yV+Iypy_Mxf;YY8yd(T&5oas#P}XQk&=Z7CYk)OPYO zdWBzWlK-Y^HoitN{Wx{sjF*;U^BHr4{m8UYJiP{wxT2c4u8sNp%(3A>zWqM0{n};+ zfs0vDt$3Y{KSX(PitCs&G}?KpQjfKG528ubeF__%l3uFQi7}(V%m92!S-wkD z+%3}sk9l{%Y}zefoYqFwM^2<0S z*6jH_zpQOb@mTQn`_SzQuBN3_u8mw!^FT}xaC2TC^f7Q05E$ai&YvB}U6}PmyvU=a z(pK&h@{X=qbmy_BAH{JmIuyl&G{n^0W_?EAAL+?>Jut8H&YTWW3rqLWE?@gWR6>lC zC^1EP7Mp%F-8QhsTQEFh6xmQJxt;&HAVIws?^-G&>~8IMBR+nWRe{*`TOBcgFFX={ zK7Yd1rcm4-`uP4B`tPkj8s6(<3}kGJWATE8ESZ!R7A2n5px<^9q%VW(m*S~tSj8V2M$%K+~eQVz>dzXkdWJA>z&q6LdF)~9qyOY@JC>(4W39)$qsN=0iZI*Qt1 z*slVa+EE8E*^kc9o$6Vt@YAtn6y*xOv(-qGNgwxT+;uiFBSLSUXyt{S1yP=YouJJc z@@#6{>Si31_ZVmGtE@q048AYa#8tXkcjJ$hXlB13>@1*q=L(VO)Eejl8k@ZIId>;s z%y`0py(^=OonrohZ~NbJ#fcFtaUE?TG(-Z$9`(BicB6(v^=he(?0uR@)!#b-f5BoD zN&4-gcv6+IfmvNyvM|MOufu~nOJCQ9@hj_-AlVb@jElLIl;6m+zQFc9vM=7%bugdP zS-6~6%eJ^spjnT3`{)*SrW?>XTPyB`-ufB{=biJJu`Tp6+$Mc``+!cAm|@COVDM&B zsX5T^pl;IV1fN8sfX^F;2FLeu(P<@QpXwPc%JSd}(Scfko|2}sfhsEi=g3@K{mMzr zcBjsub~gm~d%{&e*6HZiSI?}MVHqsEQ`$Z|OubRx(O)BI7TC>foFZrgVzW(8rEHaH zKZ>2z1L~5|hUxS@GW}~lc&&b1wSB1`Wg?*18w9=WnMhU|A|RS?DGLOPRu5Mo&W!{D zVt0pb29^aTn2wUp1chL*DJ^A-YT5<-5*#)2dppNi zeVsxU;|FZ;53G}*!*|iL+?8cfhGwFT_b+hb&YEvp$atO%Oz%&sav~0jdAZNO!^;I;@uIL-5uYdbD z;Vrx-<+DkR53MOH#BCHb2vt~BF`j(F)Ddu6wPhCWpc^56qhmlXv4v+;+_1>3$&Q z+XjtydyhBeiTG2PC-=w?6zFLn@93|l75>q*E zBWn7VKpmwQ@4IcQ`3G`<@#4b)*U9_t{mfVWFgb=Wo+z)ENVcpvR2+QVf|`}^s<8-B zsexK_z2ygNbAzhsc#>`!IfKdlMrw}njwxj?ZEt!>dV}^^`QTYx+4~2= zZ-tk>-}86CTehrS@*Sh}#w`p123>zxrzCWutmWaa(stFS+?Rl4jz$*qFic0qe`6!t z0LVl0)oEC>qpbdZx2%Rc{>KajdE1SAk_DR2@z-6_0+AgV80ZM zRHnS}f7xWO^O{T~7trfJw|m=!yLf$4GdkGX-pGKEKnww=E$o2ur`>w_3_yO$;%CBW zE4zT@z``{N(819RqetL8s3>*KwKf@}u3Q-F*- zH+IdvHV}Qk@!ksn>dE7AU%fHfZKaB{z8Ev_6y_=M>Kh$A90wdQyW3k z&Nv=^Mr!WxJ*hTI;M|!w+XR0@OhVfCDt`XHNP^5y=PnzreqwG5c=z$1H~c`~oh;Gn zl8c)i+U3w`LwUt~YLH#|0GGp?aFKArYQAp#LsJ%AZ?u8P=m+C8Y_uo-I!-yAPcxBi z0;^(N-k5`7a-YUBX}wsU&|nd{SMtrinhD)F6G7sZ1Tjd>;)kRM0Ykz9I3RJ+8~?I476f$7 z063Fi9s3myO%-CAOQjyFCmO!2Iz-jw8nj&_sIjUIZAe+tW-)K)i5*rKa&5mo%^)u) z#q@y8=h);o*h3HngL0S(1ZjHbgrG|-?{eP8CIL6Rp8RAo!wPfw3!ebP3D%sz0u2~(!=8)mYjGIDF~;itT{l}xyJ9mLKb_0kv^pshdNqfhKQO66p_P1uSH=`tJO3YQkooKM6d2N3!DWl%D0uL6uCDhJVnar`h^R*3GQFe zfE<=gAv|+yTH#}fH|iHBV`dXQM$-WoUpvm6ESMxMIfun!G=iGqOW(IWF?me+4J{Jt zFD+{I9`jQ-R|px`h_m<7zJJS?*S=|f$dB2c(yD1(`OHFhN<B6NsGY28Od7z+mE zJPvk~A?vt2|1o~=gcDvsC>@_aXhxdx+(NuVBrOzvufM9?)ybgX zF?(ge`aQ(u#uvY0ky`WBN{#<+5}#?^JK`xFzMCe>cj9^m;E1`!}9gIa4aZcy_F2W%;zv?VzD^gxx1DASq1XEpJmh?YA)QME?`xm za(a-n!+psf3$~DbY6;i%y=Ke7cBc^OtbRi1#-pl>u?`gURU+g06=*08X;D(2{dLax zSyp-U@rbc>c5lhH?RvsiEL=saX%t~C`pGvLFH(i*C^V--eUvOYbLFZJX6S!ckaj-* zpwpgxT^2`>T~LtT)M~DB7L6@e#HevG?Y-{og24Y;WxwT6VKvkg<<=AHqtqR0!LzMR zVxL`H?S)BnsAKYLMj`mvN&jaaa&29$e~yD+(%gRtn@&0%%7f1apLw07)L@d@=%}=0?CFIHv<+z1(0NaBY zhc0w6nbD5-p22Se6L{(K_*nuDrUF`3AS}h|Jl)N&zr4q6`*j(C;m>Kek0{()*<1=@ z^L)l&k|On{UMvddh+p~-n%wA;z_{`y#o*-W>rMw2#|VOBoNX3@kfoXdF24@>p65QA;iyHEs zrmtLO`8Zpp{xQ>A$ovGjat>e#?M>hbrQjp>_VVP@|MNSblS=!{cXF9`ngl^bf^1VD ztGzV7&>yx%wKe*!uMFeJ>1x31F+EUm*+zy*D<+BtZWx($=3=(*BB3okaIeYrJ+$ry zS+<)5_dZ?#N1Z%LZUG9u`3-1Jic3BzYj1r>MZhZQx~F^0*F&MblrST4%nm_7f`1yvH?ZL`Hc{mZRe$fa=>+YSI3 zLnr+4l{2o_`>|b57~W0>c%v4rFXTuGRHZz>kU>qv#gH$?JLEcc@Ti(~-rSk5hXJRE zQt{97a<<&3Xa2n_`#(OTZjm(q-cQ->-xqz?7rqk3Bn}a|>fp@c>jxQN<=S-Pul>CjGQq8KwiWX$wkHo!$~@Ro)qag8{xI}e!^f4xjwv53*`9|M?u@wC~=0B$^(3rSUhH%oXknhFegjhSE8a!A4=j{jYNU!1$Gk z#_k)?XRBf}-0CWV?-(txp`Prp5U_O$cRJg+C%sz#%S`?EL-uqEK>U@VKiBWMc13AXd?U)nhIcE`~uluHyr} zoRL50X2M2V8Yb*h z>UNz^kiFed$GtR_lO7Df@PF-HYgB=--%vI?*`Bg6Y~bzNp0BUTF{>#?^iOc zPjczR0@R~wTzYO)IVpUpu0_RQB9_yrQJI^^eu)eB{o)Xf7YVZSb+h=8Eoo8Fth^Ed z{gc^NJ_n0g(`w5FZT1oki-{6t!wFgy?UU`f@ZF_Pf0Tm%*7T&2-3wH@Q}IQpbf-Twd$bg%E9%8i`fC=gqIp9Ht7(f~njqz}Xz8t*nIw18{K9%2 z%Ykh^>(Zx?0U3A_O-Y}HAFt#<{6T*F*}2q2rj-l`l9&7UkM$Q+du)ts1KsH>+?!Zw z7|gcRu6jfB(O1wGu`_oXJze#~w`k@pBM#WqJU(0E6!*!DwF_I#?I7b0yB0r0wHxK@ zPkawB-1LU6wZ@`HRR2y?{cDN~qT_P{5obV$J}w{R3dAH8dDVu&d0OnIL+AX zJ~}ulE}0CCBf-t{UN4A~6AT@;tM;;{P39^199HD@_q+Ilwkn=hS2wfsLCZrQ%P)e0fMfm*h<{kS zdT3GaZGN8&EWL;(Fw5-m)>h4Ik_%}?kV|stmZ9a%nFpP*cChqLw>>HJ(&dEI_~qqt z>Ok?%tnIwaADH*Q?k(**`fYqglKq5A7Y5HSO!wz6y zS_navG04GC7|$x79&`}hpEB#ub2N54NphKYp|C=nUEJuLr`nYZM6xG?ChNnvOpc(2 zXARSaiwF&i8A5V(6ii$n^8aK3{HAXE*GmAh(A2cFY&=$EvHmHjm-#s|6*!`u6r~wB zZj;ExUvcp!_h9Pqhy;f%j*i7KzWstkI_GgvBzR~t`7kQUMa|;WA~eOt@oN6Y%mtSu z0(@K~|LtVBSm1JWu?Jl8z|(POW_%1qXHv^`-^awbG~YTvH4Mbp4 zHCtH7@BX~Lf+GQXWS~~9$;3C+*>Xl9U88ard2`BP(#L9afBD1b&(ZH1-gN}>bGmE1 z!BijM+O2i7Y`$_>iPR{+`XNpsV{^0iVzf+8d=v^c@_N*4Gz4mwdR+;K#W+-mEE(Xu z8K7oEZNNB_0oF<3akM|fj$CEWtA`HkI(yHIgo&UTn zdVi;+UdAY++C7&r4A1TY-IPgOf~;Yf&-zp_&kfk%bA?12Tt=;Z`yLtAHcwciDNh%a2grzI{7a zg7N%rBLK}tFr*(rSgraF*7_72lGvoEU+3KU@%4`fCzy!$j3jh}foc(N=@t@gZy~1D zaz9)1-FQbUJEh0BR7<38?YSkVU{qf%vwP#Aq?AbPbb-lmdrr1f@`FOPjL$*LW^Z@>|(DScL0DhFpEB3 z{HDOUt>*+=QRo}?gkm>MXR9sXokUu!JdOy~AVNB3?-{D8GHEnRR`MwTn}hS74|1+x zz1nQNxxTo~!71k3z~lcs23=1v1C}>MYaX?_ubHw__lcJmlrT@G)FB4I-bb}Q2TpNu zNDG!B)Ckq|T(NA11werFP~EP40$s+uh$ZT^+*T)>W-_GFp;w&@?%{=)42=MGG@s;p z&@(vC25lWoa+ooJDf zL(ch&Q`)KP3hAPC`-clJMrC1cov>3RrLZsOq{{N*(iKPN7N5MY-Yx&U1#FrM@y3rnv=B{ zGjyu9VP9VQ=PwvTHlqD}2B|;+~U$ zS1H!iGrqGyTtm;OQE|xL2b>|PQUnG?i8NM?25!@-eE4|p2){&gevW?J)h!5U4-bQ6 zS4Fn_VR+=t00B@N?%sa&(;vdR)bzJ+6o-pa;}ERZy_g5X3m0DpSQVVU&* zvG+i(v5U?mvk*eKpF%TP`bOjyE_-K=x*Mz_C9+* z&pEoEFYnj$?Y_9KTXfDb$M}z5!eCajl|^%+`9vRmjaoH@TI(#v?W~}Ob(v}W`J#_u zSSR(ROBDo%I43AZ7I_G)YQm$w=sQqewHB;)VTxToQxu`qg(He_(Tb9=#*?xFk3J2@ zDFd5CG_}Cawu6jxEfo_@&1Bt|I!JlnSZXmZoLlq@KS(^OUxDx>1i9AFF;$;Vo6R-S zcqac(*bRPEehI&KqjR{TyE+C8&gxN`ST`Fj@G9?hYJrPjxJ(&J=+8ZkAf6FGP%S!u@c?=|?h{Q16<@W*vlbr@H*huFKspN&#vX{9tTW`~9_(zTV<{S@W%%KgTV zDatZ>!u0Yfu19|oS3Rm_h>jEJU(L#G!3iH!;DzmvqG9aS4W8~T{3F)uR75jPfn=#} z9>t4NgY!6SMeOs}yR}&DOuuNBN0=E`0R|p?{;~(st@jynXQ(gfN_X}4yxMS;-*hE+ zGFR5$y4n!$fBnm(CdiIxjDq4KdZ-EH^ZDoC)Yo*)wbmYX^SGK>V3)ROY{GvVE3bYD z3kxB5apOw9!nBns5Gsp(TGw*;lf~;p;Bvqh?6dOzIfL%kJ<@ZHraXn>m27>rW5M7P z=54X^u%H;=dGcs;VvS|4$RhMt{x3G77gn{>SEZ%d9YtIb@dXXhpeEaD#Yd3xOi4>? zw|1c!`9V>b^&k^}%AucS001iN8^AOXg@}!LrhPM}{d}u6j{GxOt?p{K+iIl5tot!Z zv;7|MZby#+DJ+C+b!-L*SW}mONx(BttPjuYAMf>bFy3EXy4uKyaL09#ljB-@$_fti zRnMdb0fC0EScYJ(5!1gHJ?Q*aHjb$YHB-axT*Gzqr!IEi-*#|1gv&Y4(doiQplDM} zvUnB9Bth~*Mh6gH`CbdaaS#g$Av{^>h~NNG7oS)Li2M0}q@<_5WAJEpzktuE>wp|( z;zWx{Ct__T-uLLQYq{c~67P|biTvj3vAsxhGK11k7PO4~{w+O;D!ID@7$L~bN*Fz> zbn7n07Op$(cgI_<#~N-Wlx(bqqaxzqGX+sD!KU2Z2^p*Xr{A$^rxb>aP2dje=D6Fb z#TocS7saHM6Y~i}!P33Q^>B7v8b75+WUa3Ll`m=MDVd`@hSjSht;r);x}sk(C}d|9 zE2VgA_^R`OW%0pc_{vuaMqd7meWuU!mi6;k<;||wm+qPI&O@?$u1Rvqc?!?8(sa;h zk<|Adbg`K4`>nRo{E5$D`A8#SO`}wa@u*bW{~EamzN(2<=8Yt~ejBdMgJ!qe3uv;I zU>&+^mFJBsT;N(2t$NY6^fMhGD|%mv}dkVl%PwBO9x$ zj+$iBk&7SG&I5eSRuyUrpcLIO$d%A&pQaCI@^p9FbBLgbFgM`kn>&=*w)K(4EI1dJ>-g;V<~L)d1frlv`>^p<6dXfY|K4Cux#xyuQw&eQvOelk97H6Y3=E&r2oNOU=2# z!s^9DHV#*_NS*{-_g0W*fbwA`$)^1|4f*#43B|u4VEah!sa}ACSO?SWaZaK%_6ig4 zg*DGw@e2a zn@oP+($3oYVEcNg>xap^*35LdsQYcX_|C&9MqfZX+&JQg6`lF0 zme?0vv}xZpUT-gW=|4m_n=jH&h|*}gcq%n{HMi#(n~O)53lbA$IYnsBn(+}ynD?Sj zn0Gy?ZJ}gHOWd%YD~k)+=VAA8=Ls;c;TD4B;EwXjz;hr4Iji}ZyiQJ+IX7jgQs?Rr zq7%r&eBYV$^%KKwi~&I{en2qq=S;i5fMiPPpZ|Q>zdsua*(Xqzh5hBCbq`VZSc4Ed zwSzBVxhM8SR-`^jn%{&bG#KbQB`K%mJzK zfbw3Z^H!uit117Gp}j}>+F%c(`c&mktsgIKCIP#-wPll>z)k7Z8rf{tXtV0ucQ0O~ zb#LZ=u*3afRxtkOzEjHY(-Me-`1nSK@bhrI6Wwzr9YJ&KhWV_J5L!{c?<9N`(GTkN zhxG@vnPTm%))}Bp%Hu!jA{7e+<@mIn&gMOC%u6!0W_#M~214DU+wAt5?v6#MPcdG2 zzAJ$cRVb!Gag>eh=ZI;wJi)hUIQU(tOJ=nb?&+Fip@3cn4&Vu*tO|)93nS@&N4;CT zV6jouLgbjW7U|9eI1mqJRdh@^8u}>q3rvUVS(i~6x55p{8eJm)ez02RTo^80x$QR= zZBbS!z8bhmhOo!%Nf%bx zI1yv08U!S&0ak^u$S9gbBu2%B3vus;&U5Ex5S!SCXTma9?O@i;-OBpawEU--NVEwW zSxX|jh3RmvJz3L|H>r%{YwHJ$%FUT|KXFd6UXGLv?B)FJK8ke^D9dEni!TyQLi7E6 zaKU{oM)|8Z)}^Gb*pGQ&^w?Cf>kcGA&KT)(%2PY>rHUdU1GXhZsEuSdV$nmFTtP!wlm9Fp$}fHPbJG zr-onuoG56y1ycY$l$(;TH#WAIS)~$4UlnUFgYt}`lcd`_t96@YTC?FvaZ~=-js>-c z@6K2j{jI^I!a<{$iyN!uY7+IkwuYHNIPxhoYxg$?5Fut8#T`=iSzAn)LO_Qwf@imq zf-ckLFB@GDrQk7P#yH%n_74wRJcm^ZZ6JmG8&@lk`Pm;8fr!5A3`_-7faFUAJa{+r z#)=yhkI<{LL2lj)bO;&ntn;0!Z7qNJ@Dwu-?<@i5+f`1(P0>Y;*F_oE(kSaA?lHY& zOuesO^2S&_VJsr&^!Eitky`|X&H~;O^Jjx2+9`y0snXAu94l?oh(){(wM{_l5e}8K zWYLca$c8;)P`aYgtV!Wz}!p3!>+OB*CxFa&t+$5`$P5NcqPz&hn*3& z^1zKBR*gTbZ1GU_E`f~sc-N7kl7dtG+u3q*)93w zItwvq#18Og?C~D7;#huxSPQiN=2X}N&RJIVa&y$s@=o4{SBnmn?iYvAmkaJkeXFFz zGz6dhzxCq?>VYUiLl#dlUHeaeyXvmKTLgm(Gv_R6W1dP8`NSN{w?tMWh>$Yr&G^Pp zpA)3p`3t#KbfNO6@AcK1Gw+er_hD$st~Leb`qU-1L+-3MV|XJ)I6NcU0G~b+JmO^`I*Em4ha!S^nV5xlR9Iv`k;NbcEfixS z&}AK~@vv-zpAdS`LE>cURfd3ZqfE?_>uGm#`=hEW1`1}l*haskDeW~=rF%F|)e^l(X*R-RTNt7Dsk*%thyVm_7l2a&(Olm;qQ z__EJmINkMyaYC=3nQU%zXmdo|M0ha;VooIP-L%}jF^Z^py<&qex#D#TfdNG zD{K17w4KN|JheAoH{~++j#_2pv;?@9Yjqnj9)_VHPZ{TZTly)H&uzPPu#dA4QA~n6 zq?W@s1rbqUwD8AU);Fub84wrtb>aGY9lu$y?T#V{#d{DFjapqKth>(Xl_@a^P>wk(xD+=HHe4 z?h}>lB+s&y3VArMT0)U$Tci+4h=VLEwal9c^#U&5ll(g9trE_Ov6obmTv25<@n1G! zEFb-dd-s+46FCNwEAdVwRmHlgQv*|s8wMXfCfs-i9RP)|77G0mab)|EvXAx}PW9Rd z%FF7KY-r2u`o2C8;~PGn&|;Chz48Kmh^uzjnhUJj4SNz|c>?MNZTzX`9V3o^`>hDr zo#KmdhmTY&0~?4yWe3-6JDTFjz@%Nc*%!qHm@MtJT%4gNdkYI6-{xO}Jk941>puaX z{#Esjx;|E~IW&5}5!LNtusdTrC7Gue&K;3uQR$T&O_seKI@5M(;yr1&otpDg_JC>G zwVZhk|B#l-U*zTdD|iKbz!ZO=S%n2NyrGo!W@b;u1agOFqMTD?aNbNz`|I_}gg**C;R`i1z?5 zZT<|P9@|0UHdyHG@%7XBUHmUbUW=5gv4$##70U~y#9-G_ZQV+mSaGyJ`2z5h9lu6^ z5MZQcj6DsRX;yYzhcT{s_;I9O>AxSnnwD{joAJC%J<88e;dzsF)5cxC^(PSaPxe<* z4m1yX?GRH5+bCf+Yx8{Jt0wx$B8(I1jLjoAElW;M!B){#=@P+Vkfr`Olxc zi|`h%D%eo3lZfK<>kTvY;8Z|n(8SxJ_^O-hqtTLV^UT>?AFmwH7)0J)#BFR})pC&z-LL)@u(qo|a5cRvXGB z7-z~l&yw!`KOUuEmTa;H1tuZq7xP@dx|botahv}aolNWMi&B#esAR*VX*RI}bzGq9 z`OAX=>Lx-^tU=#VzQMNA#Icp$)7yE(z#<|`G`4;D9AEz+*JORg#Hvf=|H*=bKf$7> zVM;<`l>%A&zmfcogW(C)+=>bcCR;Gf_!}Vn(3~kx$V=o|r4^qS_6QR82n*8lz?e?H;=eJ20=O#b)V`M0{||N4*rzx&CeF}b{gg3X&`NdHeH z)DPcu5=USD{m?gdLb^QNF$=&Xv4jIz{Germ>Ez@Do{jzQ4w<$PTtkq=w6i-qx;Xq& z-q5N%VAwoCjS^7;<-^C1@gNa)v-1&8g~bf}QEbCCr9twu_o()J^K%-2+oqufJ_9RI zQIk?E`u^&Cv#-xafD^E-X+BYzcJD~c6Oi+@iguc~Ttc>;?a78RvMb)%6? zpaT+!pQs$3%wG#9kYben=UFBwj(GeNu6Lo{;ydbP%{O;&D60ZamOj8NZhQkp9y%aP z$uti9TVmnOI+h+TE>%L&&)*n-!MW#lwrc^`eU#`lAszu^dZK)G*CdL?Qy&y?uwj#` z{iVzWJ_?v4RXe~8^BZnmTflRwGXxP$h6l@SMKxsmAYrV9PNQ;=POY>P9f%y@(v7ee zY~B9bAcZ6JA*Mh)%Bqy0uhFWM^x9vAeGn7GAEAfo^MF$|C3f2`DoxjV`Te?H~-Fwye)$Un|o@QZOyufz7 z{}7!Cw1@6wIZk91w_Pu9c}+@6Z?XRU>m>kOCrA(e9d7Qh11252&XR z)PN;^&y-6zC`2t8kWM^ff|lY2oFJ(^v>RurSwXG~7yVA)_jKD>E?mu@NrO+VW$q1$ z$YRis7bOZgqTeY|m_o2Z0JbwaI$EjVjep29!idmkfy_t&Y3mfdP7p*K0mxo&-5b`i zuAVo9ML|nl4d=^f6=;k!hh$#}W5{}b*@099uDh>|1>B{<<;=4eV7+M^ew;0`fv!Jz zHVx`8G#CP`H97YNB3+$!XXA4j=`#Mj^7$-d?UTRIBcxbz)gKJAj#j^PuEL*p05k^^ z@XF;?fmhiFgi47$mg|WN*M`H2mKTR>hNs(8`ForofcgkdX}h2e;{hSlQ6lI4eGWbi;{PEGxZ)d1Y~jbY&&(pOrtR`1i_4gM~QUZycvlGH-$`TpyWYG za#@dGuRZFw)6;TB5iJIh5`+80`kni5BiRlk@sj7}I`%3s{=YthiI$=_{MI3aJA4g6 zXTT7-Wjx*|V-&ZB+mnJh6v@`x!1e;dNl@)?5ZeL^8vn<05JB=%kGY0rPE{~%{v~AjOy9|UK zvDcZJeX*aBI4>eh2#9?bd8JWqu3F5?${$O7|1%sn?5d}h<>4H;UPKlMa?sG#zFgzS zB!$qeQXiK)?x-DsM73&cUzn_M6=d!do-VnQ}+z^V}q6bqFDAVEml!XnQFmRHd{W|^W* zfBv)it{8{j8%kb<3jAFpb5Coec`QNLN9oChwm6`iacUZr{+!@fCGHJyKdcpW4rS#X zc*L9}wlB}K`6H?~SG9yi$pOf3s47-=@Yu-vJLM!u*!rtl11rB`GWIX|d(vApb>iYb za@&Som4_h`o=E%QM4Et?qXx@kNb?wr|a@~zmo*FJs;{#&9B-$H05?fe=k1|PG%_yL6g&VjH-qqA9$Ql1w zYuZkVnKPg)2=It!&De>|0QTQ--0X0~7LupkZ*bBXBnW*5X34BTmAGPD|xC!BaP=oP{Z)C6wf2%$QC#Z|^)t#%;(l z?Vlak7+fx>?y+#09?D?rpp~=iWV#+y;##3>Nr^(qi4)o<3xr`W32-rzgv0-%U zH1tqC4t<~c*EH*e_40M$cVZXViyV7?Qv;;&Zy)kuaz_^@>TKf zeJE{#!+$%*|8cg{OWj)v8I@Xv_818}vLAnECWh zeP1bKpr^y_9y<-bs?gp1nOIj9p4uc-%=#Jt@o~!=A`5Xzp6-(z$rC9BI30=by`-z0 ztp9@dob!bAv1}6O5T4VJReeOicU;;8aSy)mBH#+X+V<50!oIrJJIEa+3snvL;QQ8u+C?dBrCWBK1W5^f@r}3%9jOAmJ-y8juc#V}x{DSettcl0~A5yV9?&ORfC7y6!3FAHNH=Ux>&@PTGa0fN^7Lc~`N(Zu;4P3?vYpxi##oM3Ld;c_QC zFndsSAJycvA;52qjqwjCV6Yfz|GYUP>{yPm?)ZI(eDrSTF~%k`bOaAFF2+qKQ2F3S zsdhp5XhtP)LW7$^JDH=k(O$Qt9$oRxy}eRjEKZZ*AJ!#JQG*1(vN!I?jcw_s-_6t( zqSnB}0pNp?XDro-aliZJPJIN#PWIJS5o^``hO@f8D%btj=vPDYtk{h8*;qZ^#6d}= zWznL1vZBo?HA!t(S-H&t^GYu@c-$cPhV8eOQ>CoefrJM76!T z07t5A7mkVj>*s0I{qj@T`NAt{G_6=uSO-`w=lkD*^i%_e8RdWJ;aqeP8=#Hnx__`J z5pEZP#=PFvv>~MH>Ag|EIZe!=gWQlm$bZP%`6te$7TXB==#sM~E`MpX^0o4kw_trs zn89n;ZO>{Ee);k}ooU*U#G5U8I)ZYtZD@c&vrFw%JvgJOm6t3eerFE~ci@TgmE$~@ z$j;?>2!&I@$(6x)MAFUHTG|kg&9eaUL@p}`&YU>cz_W2(^~nGVtZD?BdiV?vpWms8 zY&Qz7f_S>WeSJGgdpXAWRjy#T-BMXxZ|I0iBj#f)?eCn=nvhYVT)NGveg7qbYLI3l zkjSzo6#RRc=7FsS>4z9?6lZ)pmy6Z+^bK#YU?gRgcw#E;cf(luJwJAj(mP*nw~a~E zG~-!1(|s*?H;EQ({Kw9(7I^PQo%aOm#1{K(qlMgY2ej>}V!U*ZnYF?HJO{+CL@-Tp z2yeHZbEm({`fPW*S2N-1=H)>>ugAw$rUC>|2j;~LL&l`gXe zUs~slN)u)BJqh}~kaQpMLp`Q)J`}RtzfpqTwR3cDwc1K5CPPL+in>{WVT8TB!$nYB z0zW;eLi*x~`*WE;Zz*a4-gsx$)%(j@Z{GKjOa*qb8;xobasy4k3uWA!Zcq|IMi~<= z@Nh)_hZG*JIM<%aXGwhMhVb*S&dQqIYFaLN%Bo%L=H=dqYgmQ&xvf*N^PFMjxCHufUx6=lgjc*Y=q!sJ>q$< zx7Wkiz`G;T9vXDIs5X=E3_1i|IbE6d>9L^-HS@~6wD$iC)H~i`JQR{-5rqJ>CQW^U~qT`o(+qvw#2_uB&k)|>C7VbUtSlHGB~1YypM$u zxHD0Z>c*KKb6|arjD&zi#vqFyx(kh6dAOzX_?HGAlJ$Tb-yvt6wR8!=nki>7klU)%N>~EwYV5kYpQv+NNcuovCM1INL-N&Q?n1 zf#BUKf3M-dUh2aTKqg^Lg6kb$c>_^-czwoR4koy%`VY8b_rJX08m z)t8re7}9H4D4477b$M&Ui$yyHVe9Z^RwpR7pdS9h&qFdT*)Omc)Kc~cd9G7QS;{K5 zLrV&Wza18F#KZ%r*+lszp(?=M_s%&j?C{qT;t#PYul!uprt&1w`T(e9+mP&za_I)i zbB|EAwmi;$gNxre`R`1Sp2Yzw8*~(SCYy_SKqv806m?f1$BrC5EGnSThY&U<# zvePWv^%apNBa_Lp@@wEB{39~+z1(a_1pno$s_8&XYURo2mmSCPbz;eS*Oz*-*gLyb zP~x-aT(+OyjiE&78Z-62>w1^N_ES{cg60u|);(yFo$NbJ=g4GmeW7xX1Co_)DvIHA zJelr(lV{HR83A|%jPd&u4-WUl_)s#gaNV9i9E!9vVO*wU=(~R69cnkrB|7t2rR(B6 zHfuqa|ABDif$Xe>greapX25Cg|@h4!~i)s3nluuCVK1KCRv`HH&85J=QXji{$!pS z3(nuIE?G-W;+Aewv|fePw0Xxj2`-a zN85Gj;PAqsV^5<0GpG-oWTeWf4ZHZ;Y4q)0Mmf1~6+!w21!Im^^lY< z^F||chO!=CMRB_Azcu2F_R}&7ljSk$Cxiz1#s%u5d{)}9{+#t9<5E0)#cxQLbAYt{ zX9+Otuwe^;e5KXHF>Fh;mda7JAXBgF6%u_BhY_NjD%j9d&|JLhCyu|!*+OmVjM*-> zCe~B7UJN+Gs8eR=T);DPukr1UUKk*V&35z!8caq6z9vCC+PJuJZrcA!s3$RGf(C3W zEAd7tHuEl?Tyt-BW4{=yA`MhxL5;cS|02pmM-Z(=#i7CIx4$75oRx8B~`n=kn z(a`-WcW8gs_(C}L;CJXW$mF%cZyJYApo#JMF^JYx5`MPvI5(bKDlQPvkl?=-0J9zq zw&RlHVUGZ~b{5U7Y@wa?mGjXN^fv&Vx~ztneAo-Uc@S|s>-}QL!lI5YqOQCiv7_+- zwTjZ-9wf7KCDS($lKQQgy+kz#ve;uGtPo&i)xv@&Y|qTr*O<5~LvZ_J82#Qq1=<70@W<2M0KaqItb7+mWH`hrUcDiJZu z*v!V`0GpjT8e)gGR0A+Bah9+XaK5tnwUPf=)8B5%lGjI?0RUM7jx1-BSQVKLv&w@V zIinz3P~xXk-N#iBIFJ#+zt#MOi~q(RB6VYP-}F3$#BG~dfPm+w&&m_0X1)M^8p8#G z!CzKZlKqU4mksUOnyHYDeQ-hN^u6D|&ELUg1U8t|yUm-TY@P>;4O9sa}O132s`K1s9; z3)cw2FP7JG3hH0*;7iOhvJKso(fu)veo4OPA> z>zLHlFh|)?%}Oj1xDqNESpR|{k$mGt%t`>IXIbAz7};Nw$kcVR41Sa7F{m^d8T+D{ zp!r!kE=9*-V=JnP{~KgRAxMkPlOQ7tN@KEdu{spgtP=p-K)^xcaTwvPJ&-N#Op(bt z``zti%b@dPX94eZweT&{pXw$-7`9+3(5J@P)qiK42DjWFUnFQZu9kb713lG?t{U^4 zGP&QYW9xjurL$-G+M%Vc8Lod`iK13HVQ9NU|B$$L`n6$rbp$CfvF}_+)VP89Q#KG;dF_;dIr4N8B`4FAOE% zib5k1Q(7M7gzBcU%xb4Hnu2!)DMdeX)0;6q$j=n@+wV?x+5gUACE~HSZjn=tRv+N! zJr^zsjbvLIk9N_voJ+7hYHDY(t7ImwSSrLl?S5g-_hDV?=l1Uhe|s0;bpY*AqTm(I zX)e2xu80|JM9!PC8#C#T6|Z9%2U1<)aW}S1&15EIlcg&dG^GcK`TD%)>tycc>!kNq zsuLKLdUJ{>B9$sd-6Trc8LM1&=&Pk~Jc$rBZRbfQWe9qCSlJV}_UMb7Q*e)SE3||s z&1R=|SGUfP-%ct2g~ItS+~5n3k0a%F%nYFm(dBqt0{>WMvDwd_sE%Jx4%L(=hR}(a z8k0D!y`K+4okuE+1kk4FQ4I?~@gP~4QzayCC&Yz2%> z4XP&!3_y%wd1e)shTGXg>$ywR@mh}ciWbSg%E>CUI_)TT1Uw`BvL`B&if<*KZyD-f zG(-p}aTE2&l-!A)@IU1RrQZ=2C|{hP4nG99W8#j9g1-r&|G6qaz(uJ)A8k;~M06sA zdOUs_fi2r&x3)WvbG$8JO3Qv1-|irrRT?jmwV*r1#d%$Is+Yz-+CH_F!LorpwM zD|1ds755DiCZE7wX879dyQ>Iwa}B(yr{+hV&Yq00Oe4P2Bxk3}Sy=+wV#QKkzXrcb zCr)go*~y0u6@PP~{gWg50ueNMR~dOl9XE!{_suTC&k{HVGsUY3`ulhBY2eZVF9Mga49K~|N+DMH=QZZl`B7w{24E`(M4wu$kSDn1 z_;?p&pYu0|5xDtq)w?+nIGXwMo`IL-w>T|_qfnsWA%*8TQ#s`_MiehMXx(#4lIb~* z<|^?`(Z5C>>sVS-wZXe01?Tih%zI)XMrNG=+-J$&MipES22#RF=qqe$F&<6}&P4s^ z-8NdV3&qVrX%yxxoJ^Bb+#P#!cdRJK5u5DfvuP>O;6PR(+bb317UUX^P>D?j8Ih9I zEq|npsfff@VGe!Hg?E&mr2eR!BLAXTrlLwy@fKCYiXc}I3j2xWswv|8aZ~;XYiC=$ zmG_oHu%hX4_L8Wi<0J8&6JpO%Y6HdxPVN4HX-)vQk@=X5;}N+&U;$(OHX)7;!cG8b z%mr$gG;rZCuqxnS$i{FD7M5B969Gw*5Kh36pju)$br#|I;?<)`rQbiw%f~g`585(| zi-*DF+F?FlTNMMDJq+B`w_DM2Uh;>N@9V(J%L=EMFMPL9`ly&bbz+U=C^J^veWjF| zb?C_|KDDh=hb2z|$DUm?DmAAckf5@H!KV{BtNZ^jDuCanB-{RY_M6?IB`+JSjG{;i zS=I^99hQ-_-`yduO3fvD_h3ejDNf zqLHN%v|}}vfI^!86YnZ-&dAsdq?`|L!jT{#bP~#5h^;VWY3E_{?ckK>T}&MajYvde zsB9zzELmoLe!s&fOk!SRI4K4qVD*8e+QM;n)?`4ysb=eUjx-)ElD7E^K-{B5+50P6 z9)LOOx0*GT}dv?AQ2ieJzn~k<43649b z_g{s(6vSMx^y)wKWR1~P$)?g7()Ad9@#LOepHg&oh-`O1XvQ>$P91>qh8PjlipTJ zhnV-y+bz)zM?ZQ8aAs}9ci?HrstSNEFA8182XDI=_dSmTCbYonoQuE!;TN)X=e|y_ z1o~T5L3+nmKz6qrg#j{QCs7bQz@3xit~0!OOnfiQ^BU5BPko%_sHMLOJ5Vai?sLa= zGX%?;O{`SMqxBQ(LtwLQ!Or{z#Cj=L#bD{%Rt>K+fE0 z-Xn0QmJj9P0+K1uEo^Wg8H_WA_^C^kHytG}nMwEauYv-({D?%ju0zbQN;Sjo`N^sN zOkTyjsj&z{KqGKwp2dNyNL?Rak*!HVH(?#pLrh|GKx7&^eYRgD2BET(Q8)191dwl# z=>8b1-C!s5-h4N|h83vDpk&+CU2{tE5Z3%O~qT}%sW5$V^ zx_Z`wTZ%PAII9BpZ<5q;MD_n$-bzZ1Xz_acBayNJ_wn9h?HHC;e?|IyBYy|-eS??c z^?8LeSQo-pd`^z2M93I)CcV{dtL1*#P_%Q4U|YW~Do_Oidl9P&^CxfUj(t16#vwoM zxnFs7qR{R?x?I+QIKEK}y>F*jcVYfZT!?W9>r`$xezJk+E;R6AbAnO#uYIW_(AV4t z0;@IZe}bG5&LxY^FJxV|C~jv9UJWkiOMxSh77|L1r`sN;-J#z+6LW)&KACT~Y#{ zaxfb|8Q)xmWY$i*W~$z7{lLzO8sPm+b6wUA7 zuO`buFqMWZ9r;!jwnM}di#;H1kq&VnRjYB#yMW75$hF8tdy{!4P)%0#59f(qMmGSW zrVrfB6NEW5Q1}j%3bcqUZS^!Oi3+G8GKgkYgoy|og;ESvt?=%5�aUl|WlW=_dDN zNcz{4Nsti=cQyTDm)q&~X&id(y5s=Qn^_YS6oWiO+*xylCA++twctkn_b$bbb83q0 z$b_r;#HAmoKrGwCxfWbjDgA2w0#k6#bIG5%!dw(E$a+n5ul4B%+n&&>OsGumwUicB z;+$+*@Ymc&#+(_HNv!DZ*SD;p$NwhP&+$xB_4L*`x0HMql8k)wqGG$1>+sBfndn4? zR-|@C1wGy8i^&8RW8J4ohTmFO%BTCJcLCVJ4clFX z#UD|!wp<3oYj{V#hVtwQt8M^#%yoRY08jX3*XWIP0U&H2gosBYg>T%3L=#A{)&UWG zAT})9HSiDB(hf?P|KsdNlz5cHNx&b?l~Ud{tvqbsLq+ukh#=t+U`7n*LWj||K6 zolNPpssNoj5FPXx)-|eR`_)FyCh0xX^yeVi>`%W#0#={MOJjLn#6;xvKR%8xWy@H}-Fu(ArNh5ycG`Ty=N8 ztDPBSHapHrB)e8`YN*Fzoo?e1=Gd_HvwEBBqvYeZ3k&rPQ2R4BG|R@Xg}yhYBP!>D zm3x&fu&WV^9b*;^H7d*!4J+(&mM3IeYJH_-6h8kf(UM@p#ieQh_Db`TDZVtS(eR!XqogtxAYWrw<@WmK0L1U~rLS_Wqp|->G);5K1|R3`_#XOZ##(H=<+5-Ca>W6 zBH}tH6fy5nugGfc>foBhT#h8N)HM*^u&0E5+E2`y&*xy%r}q9$ke1?f z|00Lq_>nJSuTD5;>vwJ|z&tv0%dERlRTf}vV#i$9t)-%RayFK5zHx4Ru#%(=WL`KJEg$&fVR=fyLMa4 z9SN1A7+vCcCYfAk(E|2TyjHd9F5;CD*EbkAwkwg!<@nMpntOVwIAQ0D@FFJEWF zi%7_sdvz_O3Y>e(0)X_Gbwc!#JA|z44Vx9ztlYe4KQJ?N*-M(Y6#yG!i zK8wzVvP}fL5v+I~wnro^Er5i=P^TpzYuwA{@Paa@P|xF)-T~vG@eoOgyE@yyFUBBV zRid7#be1_`RAVG-`okzC_Z^?xF^dTDW0tj3DM(M6QNwo^<_H?HO3%iyAKlLsX3Qg_ zWtI%fmm<%WKGU!FIdLS&ecJ(PM?`O~PSu(B8g;J>GT$DBR5Ux5?oVc51UX?idZTkJ z=V|)n$I9>I>P%%HRYmD|taJchPJawv{k=d6Qu3#5s0=oP*e+N{wUsT5(>CioapoEN zPo@E4AFuIar3Y_PBOKd>v2qbnIf=1JB9V-alAP}-WM5To~q#r55+&i!VJL&)#Bv-wy!8pmBn-y!UKZ)@vm?SXxR~>)& z_PrW}XMwzbnnst*H$XYdp@HZ6`~5?*ZYORR%jFa{QQA~zzT8-sX(?zNI|V1%6R~he zn$`UQb|S6TvTPfxL7$GJZ$h}822)R-)n%eQ()x7N;fuPnUN5vQydUhA8TgoJ>(I1) zEpIvLhSf(9*L9!#^I?(>ApyjGcqPoN-(wf!pjX|wuZ6{vX9UO>6W}~BP3O5q62(N4 zTY?ef^b+<|8P7uW%W6_a0Ejs}-$!3uBV0EZbw6?lyedxB2IEu<%&+qq^)}gK3deId zPBjkUr^J&Q64OsRCeiRp?+^L;7^R=s?AG4x)?ZnI{DZwx;~;ChJsPjwHqZI`)3Sni zIIO9hn$+xf_S9FL%n#QzKHrIXAlU5yE`MZkkeIaGMM%M$M+LPpkejR29-b&SV=yM^ z0wLTP(nPEi;U?d8-CmZAqp?QQP3MBl^s^Te-VW}Ic(-vK{F_@C6L$P*2lpX&MWh-7 zCEYbaP7k2%5!g$t#NWnh{{U&km;*E(a+l<~I^ zd9_Nmeu1fNJXp;b<`LAE3tR_#4R^A z1^4uHYF}C3?qZ5PdP-ZMC+Gab+TE}6t5(l#u4&g~P9rh0%v0*Q_BHEwJlkI8B_z@9 zezDr=(mWFAcv^ODk@YXyv;%% zMpuZ#<^zM!la!5}6BZ4gS>V8~k@pJSw?P)V1^L#&d@x$F7_X3h@26RTwCoOtpz*Z_ zKcr8dnh~5uc&&3W`t@zp2^oDGyv(*?a8B}1Pbu(qoxQ5Ep>7r0HL?oJ->k43V3HK& zMmusMmu^GV*gRdU5^G&_c@%DkF2+zRuN&F5zX2|z#_zCqrFc)8ucBaqgD@{0UF2Gq z8$Nuc#=5NuR!#-}_7cg&<_5fNIS&QwXS!d`l-X-Q5#-mCra&ik6}*n+TbZ*Ah4RZ1 z3&z!yker%9D25NU?5J;1gBKSAaa5YJiiUbfS^l8iG7&+DDsRrL+YkxcIrII9N%uat zh=8l6*Vi+xtjiJ%pawA!db1?Px3yd!Ru9Fly1@(`72&!w_dm0)OkwvI_`biQ3=~5o z0}KM*0S^0ThvhStQWF|^c>e;1jFFMl=JX4S75#s0f8{i{2vlP=-+9MJ3x8?Uw&Q1g1$d5=_=O_h zNWGEoCu3U`Hi--c>I_XiYC*$(ic*0dwJ<`~p3y-7wt+}b`6t}!ehmJ?4;}cA2SsR- zB^v}3Q#f{Ucyad&8;#Kr$v>k91U?LiI~Y}zqZBDHp_muDO$a>mpCLPpz>`4fqHyn8 zAlVL7Mk5Qsw-DZM>Y*jc5W$_lv(IcE6lmq$I@$U3oEbD!_+kQ`ie&K!3c)#B$G+C1 zI(2OB#jrwA>Iew$3~I@-`TomK_DWvbKX`V5i6Pl2V{e-rku3MptnFz;&o}4W7Iw<{ zxpsfEC&im>47FI;F15xISzPG4nUC|U7E%rNx*phtU13_i_mWMD;DGo}q+qg9mdUm8B3>_Q^{UOZbl18z&Z6pq$J`B&+l&3sjIy6AW*Ub`f_5&Np0 zqu=x_%=)=7h`8UZxhz_##EpA55W(f#Q8aAM4ePAUeDmhB`t#?BEeo6vrW8Y?OxZa^&SH@)IIKpEOadp(s+d(=m(r$d1?B(

~Ov!ekBj%%#O-kXyp62l@9j0UK3yqOsJ6n)VST?VkRSPi3|#P+pORx52O zT~4Kq2k&!B8tq!VPy=kv&Dc6n>K>o#(MqA{J1@Dc;JH6!MQtPCX7YQs^mdVcd$Ew= z_+9hNJ>AAoS92q6;p%1xA`zKDC5plFHh??cO$C-Oa&?s~gC~#)-cV;qSC7f+T|r- zG#TnTI^gmAkxP>D@w{MRMpSQLzt@Jp1W}FSjxDs6x4n+gwa8^C)MAu~I#*#HZ8Tb> zwtEbVS(xkwxDo6oy21bNTZxamvAiX*vHGHj@$&>Ios1;kD#H9M@@m-T`Wp*Uz`ka< zO5n!RdBvdSBz0%a5M!o$9%#^by>@hky$8)(ybNc3HgT2 zolCp5&?~B!{~ulN84g$5_HRcbLZXXaCWzj9Cy5q4MDIfoWz^^`qIV)%w2&a88%8I3 zV)V{nl&GVZ8Qr_`Jnwb=-~0V<_cz;YKCsrT^E}sa{EmGW3UFSXd$r>^D8m-ybI^;# zyqd6<36=t6<`U_4iT*iu8Fq38%$RRt8Bd5)G`o-UgBHci|DbI=GMTpB2m;J@$Og+d z6n9LwW7C$e9|zrDz%6b*GHq+;!aN4SU2J=5qK~I)RB-(P^?(-vJm9wGwkRn!i0x55;P{FpKTZ2w$mM1DoagX9!@e|j>rmjO zQDqAat)F9^x>-Js6Zs;YY*_=)}4lOl(_iNAU-F9Y@Lq;JIpA1s@a zoFsRBq7>u(ALNf9wW6%trpcD^^ZPBlJ4xgPc#QdS3_G({;xx0hx`(}_Gu%(N@yJf0 zd^zxjOVBd-FKH($&OIBH)A;I@O<;cSWvr;L{Le={>g~B43<1&xVIEedDD_@Ta<_<# z=r14a$k*kESNbU&=`nAct}Mf*Ru9+q30hE{{>IS zuw3?zzfYTQw)Tq<_E-nUy?ebU=Q6Lhg|oSIqkQK$`s!MC`EkeIawLe*pl67g;b_O| zMzSfK=~kXs&&6k?sJWQfmiX=U%MG9WQQpM|ZV|6KMPh~aJfs_{UOB~cA?7{97hk*e zY4ouoj@M-#mynU*gE@u{va{rZ+x(F|5SQq`U$fh<*pLZA-9G9aDkm$)=`*al$Q(6v9#Qw&;8%pr4Mnf7x{zVazxBi~ z*JN+?z=@--TvBX=Mt{f1-^%>i!K5kt;^E$vhHEN3Dvs75nNx1@cG8BrPZAz;acu|I za4)Cofu+oSR!$|?gkS4rQQePwxOt|%s7ZP&{(N|7rEY~#Q>g4|I$fb?HO**6N16t% zPqZgNJdLS*p!M7Gh4D!ZSsBn29DMhAq95+L=Z7cZyOCWw1_gV}UpFFN#4OD5@|*yr zdEYEf!8I6c{D{UgJUzh@X4H`GCzIpw4PwL&~$RDQTu*q)f-1~XKH;sreHdD#O z=o`ycT{0Y{1?3rij-{ylrAU_&s%<;SJ zaq8WZPV=I9cU-=AM^)+=I(kqr!AgRPOjM-oiQpd!10c}nRUo0s{v>=YBk`eA*g!9V zAn5{Mo=rCq-`i>n*ab;ROI4o??r_6pm?LP~=maAF?BGLEJ8O`MnmQD(V7WE9GNY?C zY?H>XE=*k_FO|!HwJQe?6YsUy^=fk@MTC-K*`q6wD)UBmDW2kCQsV@OC)8)_zB_$dDhcL${oUhCJz{@Wy^j|SGux=&B{Irj8$3|_pE4}+t5e|a&C&VQd>%&cWG0Q2oBzeFOitx%f8K^oyZHKFgh9yH*k`2={qk7Drul-IpsihPP z=R3ZdX8+ajB6`wE!?=Lex^1Ru_-dU9KKM~dyK*cjc}v3Tn}qX{vxd2{crArhmk8GKEm9(#0ZI~W#E~k0Yvrid?53Tij@Kmksve(BScEK3x{h!RR zv|J_N`Y2tCs8DoQ2o=;{{QrRnE(dF7D43iPlek zobmkvZ&W9(j&~4BZEkI^_!V*W@!gv1c0&7NmAAI70-Kr+Uj0&@Ikq?{5i*O+fMjyN z$sAhcna?Bc_)Emq%ak15YH{pr${@PGx+#ijQ8MV|-f-tWJ9Aw1!1U-&zR~;j;4o79 zP2*=d^NKYO4oX?JPek%XtLVg-`1xbguJ5D11Km=Z_;FL(18eG?{C&$tzghWL@?TbP zNN!1UwaCpQS#NOO2y`l6du$)ipZk+*&&6`_Ka%%`>Y_v=F&4b^f!(3+*( z52T+4WOxf>9FJTo`DQxDUp+b9?|B#bC-*ov`4jN(7hJw+8h%6$l+*ibO@GOdPnrBW zUcV*Ou@LQ@x0wH0?go17uBn#B?e-xxxS}DLnl6l}Q#9D_oP@w-A%N%c7&v)1Q=S{1 z2K!mhh(Ip9n&J9G(*j_ddF_74@tXVp@mvcybB@^HZG3qiqV+G;W26nQ_D7Y$LMi8S zxK~mHA=RgmAsQ()&0kQHb5eOs^rU!okI^cx^LX3!>3Y6$TBh$KQgBA<)YpRjO{j)h zqPdFp(6(DN-*;Z!sXYpx4Hm+w@BOpZ1=S*w2niJex7}ZqrD1G&CPgIZ;G-oLuPVe_ zzz8{`^p>ad%Qc1Ky&ZHIe@4>&PP_h3wNIGSDhumYuN9?ZnJl_Iu~y zzGcJ*D=iJ1cPake4Bb}=3)jMkC~y~~Z3E)4Y< zrj54obJ3TQz1Icw?0ObB>K)c(kUWn9n=#ZY5|imA2ga?sx9D##n33c-YA#FAF6K@GJ#&OF3njCBfE|JCW8KLP9!t(J9V1J(%TQ5 z?6|J7s^e$PexrUmURje^KI0Of5%4=fM<4ce35nRhQS&)S#uRu>Ik-61&jj*iv0LkN z1K$-|NL|KHit>Yu9A-{$TnM^DutT-CnuDvTqi6T+q@AOF=7s%EvlF6Ur|QJsz7CIn z#xlUwC->!)W`7 zWMep?+yQN}c(KFA`$t8wlK5q@D?Ou;6M@O~+mjb*P4aqDwlvsnxyRObR;J`i^j^q# zwyHZ68YB{@8pjb#f9bt6hHOoj%mp32Mm65x&+Ew6zJ{L?$TBRor@<+APsIwSRGgD1 zr#+XXQV2heUtG(e-*N;46wCC5h%KRjhJ>h>+~-ev8x_s#j{N|1Vb@<3y)$df;XcHe zZ@<8#yj(bM^%7c^#=>wqwr@H|h#KI(EYS-5u|i|b(%pE}F&FKzw)Xp39?7}2K4K`i z(sf}->%*r?6y2{#HE5C2!s}3(c4_Oqcw>sUz5=dQfmA;(vT32M?pjOEF{c~_dKXtK zYYZuo2Lo*Djxrpc>4iLPj{;k9J<^x_<`{+qr4!Evvc&j?Ugag;s#-LFGJJEZXm7mV zieG-W{x{8mpZl{4z`dmGmIpL*n5PwKW#zWYC{S?~I*E{t5qF<4_5^48>1+Qg4Xa-? zBX@2-hIqi`)g9|H?du<{+Bx+`l|7xxteO9`#pXj!YM;+tl(ZDZ2Xpp%`L@7*{lLQAF~%C$*4Lbp(@AuOua%V}EA>5jo<3_b*=DpAcv2zq3c5FxgGo5WK zv&5?O-eNeB-~;z7r3p8jz`8XIq0I&JlW+QQ*?iF6gg2@WN=`yiqv=xSG|eB6XfG{^ zw0~M-xwkbi33)gq>n#8?)BV*OG2Pm>?`)Lb+(a}=@eVW8e^xlK`?7!x6N!H`7#QtU z8(a4=7Ngh)CMBYj-6YyjHSGzoa>pwRe5trW<1M@dx>%yn>CPxaOaFOwA{BohZQ`jIt*joO+T+;9p}4Qr_&kAv7DQax)#V~)g~_XRi+uplFlwYto{ zM~Tx1@I*z?lq&YOp;(+r&A3cb64+VCKqTm^z3PLNNgR%Wz4RgnvRB`10&;4CcKkxE z{1*bkFf$z6M8JHdTHKQuft9o#w2qgk`yb(zje*Q@yOb!yuQG=+ zt2Wu~Nyo>tK$jq}ZkPr0#-Ze|`_>?S;}-_IBe?eI-hEr--vN5gd6)6bab1K zIjKXI$OOshTN4k%X7zShXN0*2!?(D7nmBMLo7N56>x$x(8O~#QhjiUY7OHt8kTN zw;SD>QQDY6%}8-4|Dm%W~wp%4rnq?Jl3U>K1R=w-2<=m_;kAW@XXGn z6QTFl&akq27rRK8e=#SXEa;^-?0&1x(wUz9k*f5YkUK`2u|EgUK(sY>e55jsWbk`y z`6>kmr_bzhN8fm{-1Qc_)tOgQw*wRTO$@7q3Y=);!pJU1@6;8y**>ns!Ff`Vz>?$h zQO9nz@eA&Y9XmN%pdHY1_S?j|kcqf68i|>lK$RuJ)zbKdp+ z{Hwz;$r7LBv{mZt7^lf0k@DBOxvKET_>?l&++zm(H`fxp=#UOUE4(bB5v zP5&POWA{wm9C?0pWl-8FM*BzE-MoDng^=z#*CpfnD;9~db1P4m*zzqVn|Ix3%qU)= z9JUVYJjqo@5l#ACn5kO`f9qSlkffCc{U|(XdztrWvY*T1pG5l?2|WC)s%cSKDcw?| zZN`j0$Q|bWQ#Ky6De7Eb*)0CAJwdJ-pRHXEzrIg<=ito3 zm7NctS5DUuF7sXbEUWs%2MH4`6yuCh&GJi*|y^Ex^F2|6lPvBCjY;_tAA_)b+i0jxdcZRRYTbpGXo17CW2rFz0 zuT>WBGrxKND9n(fd5x`e{#iKt9*0$Q;jrL~`vJR-7O}(d%78VlK3Q~i%)Ww5-`f)zyGfrBBcrS#bSpl0fVFfuX#1*#Dcmx3p&B=N3R4&l$f!HK;c^ z)`MuR`x0U){92!o{B$bCcn8j}WpN*OBGvf#pjfVU++w3E+ja5Ol!`E?0{mEQJMtB2 z>LRu=nATeoKkhE{sJT|$pz`YDs%$E*#2lyBUmhDIddik7Y(T~RV6={sD=W#6*7_Ql zErkE<`80g)R|2_{=)6;KNzT}z)ohuuAt<)9L-1_ID{e3y-;3LBqA1IyO@es3Z?*B@ zE7|k=jwE4^(hM^#*ODmb&j7z%dA)wNzp}Ej?8k zA$xJJ^HZ}T^UA1P8|Wkwl?tNzJBM{mD(vXRWN_z^c>R}rqLQ-=F3E3M>QSM@8`Jco z)_|o4%TaL;oJ%mtZT-U&A1oHXuh`h}P}|g_t=Vw42&3U(HsIz{A@FiT%IH&-)zK@Q z17*5z5Lw)TKZU!Lb<4ih_<8pHT)%@%0?PnGI(`lE(;dFKb(9eNayT|Rr zx*B;BjYXerQ_?kph7V-c!k-9f9_Qb-WUNr5qWwhzmsidMd0YUu`56K`WRYwbj}rBJ z)$p&>Jv*rvj=v_zr+Fm3Bzc4n^uGP?9R^nOZxntuSw19vPf0PK-eS3A%xqp9ym1`7 z8hJ!F0sFV#YK`{b{qtfLY3N8$L#BBz z(GNT*EUJKE%0&jYTT#0spA^Mg&OOM<>#U4w=nwF&->v%sg|)WOvpaSnpt&C@5d(9( zfD*AtJ+b!xBxGAp#$dA84D^eFGKV@I}p2gYKD zd;BJ}UQ3odzfh9lNvRMLTGJ3)czo_B8>*1-TOHPNxE|?u!JH0iH~jUjy1ZrYtp!sN z(|}vM@5(%h0f~CDZCtehqJhh?z!R zhH@@Ddg$fY<~dP~eJw3~%g4Zt<%}WA-3VydSnh_g;gm$tDst4_faL-e6jXRPW4G6i zGrB{cyL>()w9?L?JSDE%Cbu0!UqEw>Ed;3Oe|N(}PcGjl^?81XkM%PI6*C1J%Obt4 zrq^CGmw`x3qOo3<4O|_bS1baoB{whlRrNRo=fJ*9qy2VcFw1~q5U90u+==tcY&%@!@0L3W-}{70jPs5lL~jt`TH8zk1b+Z_?YJAq*#uAgyVXJvK?1C?^wNojkrJP z%tzzhjFU z_DJbL2pBrkWtA|oXxo_^SdhK+`L1N4PK`V&sOQ<}cT*|9tAV+8Cv ziB`(j;qh$7GR11c+Y{RlH23gjotp2P*^b@8(axX1|28A}PI9tl2@BaFPy0I}Ik zL#2RkUCw@UpRf2@W>S`4WE_e@{~SBe;lw_pLBm=Tjj~v(`Mexf&mQEj0-3196oDne zEW+($yI*%wpTE?8+Ty~^C{C_UVOJ~|Ke$5BVp4dw?;K$@GgySWz99iqn9Dhzvm z#|^~(&8DhhSsDlawSAgtSAJA-Iunc9*~?Jy&oBs;&_U=${9#Ex?ki9M(OV1Eds`=- zd_o`l9H(fDJ7RK(BbdQnV()9-)gQLeQ<~VPlx1UrQLGJLL|%lgFdTiVNa<5!xUHy? zp}XtnM|2pcLN@$>%35Ur%CYvV^+lYPLRlluW$>GDm)PG>6Ve$U4nTbop>MM}gi?;eL&oB5N#Q0tiH@l^?7DD>s#^f5lTTh0e zWII22gc^O;LE8s4B@lNUXOG+|VPCa*8+w)-0NS=$^E`&1Tx?vb&Q36uF18DtTMJ+0 z_SfejH8a1V%oC3P*x);7N~_I(hGRVBj?0v~SHh<)b!4WSbJ63+FQ-f30zST-GW{}L zGW(dk`a#ciN!>@qSSbPYl_<4@&>mJ$8`u1XVRsR7qh+#en*NvIbwwe@evV@L5YU@_ zC*B;pE;|;>rNrv?QEVB!4O|xwn8q{sNOYd$qK5eQWIw3!r6=f%?#%_mhZ~p{Y+|wp zUy~TOh{61nfOVJtB|V)n0^&}H=qqcO6?9hcHWD0hbpt+x8D2Z11PiM(dj8OSvqMVWfu_&1dy$+*F!u>o!zgVd8^3;eHWtI zDEGYRYC^^*c0R;Eu!1GoDTdujI~Y|AVa^=^%_)Qx z$Zc7Q@E|rlxs`xZ=}PY9kayeoraXRwOa-~nz2mzfmp)IX?SDR~)Jc{t)Yp@)yl6r< z{BHgp)#JWc!z+V7{0!%YE_7efAvGhdv~I`)TTORQqhT#P!}xUkdOqa@Z~3FwS=JJ7 zntfxw@oleI8;S3TEZ?__i!5C&(C6LU0y*hQ@BqezJ=gct)&33jQ1nb(HYEmh*T({x zY}~ib@a`}L$rgC6@l^VQmQKg@?XF93v;HvwLJQ=Z#(WojdbRHR(<42s(AvU=c1l9z z=|4llBd&L^WLXRO?nL%k@x_>aH>Ij#oB-2D=4KeJC%Y)Qq3^|M*%tRXt9Ey*>dQD+ zm@nAhOB~SnHW@ThMONBm*sG2vp0^^uj6@U9&J0;?_N?enxvRPz5+iGxS{mzWV80`s zj*Kq6C?4@SPJ4gGk4%TmbEnsXyjpi_95(bw={e>R%11)UB&BT`8BU?H%1?}@de8Xo z{R+YUsGM{xoOCgv*z&tM&^Ie<sg zm6Jz4CJ7t1OnKxQ3W>a!Up1tSS6J!$=%F-X-z`)=yH_%L)56=tCtlofL$8LgA*H-+ z?Fc-$-VbhnRi zAYaJ{77QU$;d|%`>!Q;Z0+-f1_(BHfDn@1%Rmi#repL1;wCV@Ak^qx>H*juDjbL|Y ztlSvMG1cQ#IbB8~u68Hn#Yg^^Qhykm>a1q%Abn*DKjjDHtJF{~GhSXT>MhWqZm%*k zGIFTwDC~50D1YAW!Y(kuisgack0(nMT5kk>-+#o7`nk#czA%Yxo-6f&_5DbAYW%Pt z{2Nx(*M^2;x;JuDssQ`Wb(S-d!Z(GjEf6}mud#YhG;1?^zZ4dk@YBqDL5~7mwb(-d ziVbS>2-AFahcyj^?3p;td4;3;@5;l(pN$=%I3w>8o42U=80phYa~rEhd0rq&sn}lA zVD};&Wgehq*+N?b=}vUVQT;RpQ^jlWWM>VKCy0C zV68|37tNRy9ddGnAGLjp{i7(rJyqjL1}7e{3JimOEHoMDq8Ej|=Ipu|^D^}+z7%@Y zcof&P=`Z}I> zx&{wLZeDX56aO6E*&pnNNRj?JpIV`k$zapQ%mWrVW?O9;)3V^RE>N#{y5eQ3LC&2+ zQ5lXmp(!)M=>yN=5mN1=7pgn$mwU~t3W9;Daj?u9^UP;s!qS5vub_O00qgn z#V7Q*6gR|CxXjAN%^dg)Vz*jSm{1f~LIO8oc$CwacZ$p0d)$pfR*=46TRS`LSs^ZQ zd^&YeXs`W%T$`C-Ntabc=jS1GmL90D_pHJjZE9S@{LaL7Cz~EFxnL|Q8(FABQ8~=n zw`#NZbIt3!%XxL;;REIr$eUfJ6YU4j`R`K4aLK76o&vVq3dxbohss+er3iv2@576S z@n@U_CTLv!zW%^lv0mwC6&t-V6IEyhBpKX0z@XUZ$0$4_)2A#$QzkC0(i)4 z+nHS?3&Fp-@diF-U;J+`W;71^V(0t02e99`kp~A}Em?H8Xc3 z7x`;WqoH_^6svmfm_ujomYFSVdc1L{yXDX}$1Vg-j49~Is{4rhR$BpTHYz^!nTa^B zZ}RKHTdi!W}8|r-j}aZW7X28)9hq|Tp>hI zBZhl6;M>L!q21U3D>Z#(m4Av+{~tE;|JIdB@BY%3&r=oH6ekuKZ5kkr$KzVs#MRcAaOaO&&tm9aaOWVuzudKsFoh% zVabYo!Z*b;S!#%B(J?WygF{Zce@l&dv1>tL+;y?R)gZp6nK9YRxWNlUag$!zURj&9 zLKF+7dFlUI+x{6W{@+h*?shTl*sSPz4e&y%Pzp2h6E$V*&a)3!3GfV; zGd2)jrrnJMi0Z44KPfNuoVzY(O)7Opxat&b{@YE)B4K~R&z)j-@-FjfO+38d! zio1Z;%Ag+41G2t1_uBn;{EJ*Xn+4bc1$;&ptvqeSTEkDN=V84Nm_GQzUK20%I zVMxmAnMup*hTfslAN&|?b=EW&d8Do$f;)rCRVyNo1tB77c~4b+_eh%;SrK2%_0w(3 zlXkz^&z&A|ul}Kd@kyD(_#FGDticzSrG*Z-;fu}#e04c>TPx<$)TR0V9zg!{S^`(J z6+5EGib%V%SO_YMQknrEBu&c&r};Li0=(k~sl|X12kqxR##K8x~5-x<3c4K|pAaGSNvr4He&p`Uld^=}{R{{l#pgn&uV2kg5>p>%y$6lUPT&y)GI zql4XC3N7sGMwt~2Inn;zv&TfvjhSb5o=K-Ww;U&s1y~ z1;KX$X)sct04C!RUB~$+HC%4)1d=vetTTavu&sYp?e$VSFO<|ih_`hF7yuW{^xcRiIM`|6wb#a*N7Z-B2jW-}YQpfk;YGwap z)Yy<$7;TChQZl*N;AY*q=s)m~jBT07aktW(WUAblp{Gi{#bcQugebr4X__JyZ>H(j zmSGG+5coE;rlF127QMbM^@>7#=oO@=u2(&U+!C+Kv?h*g3Inz2)Q?pAj&4+EW77?8 z|NocpAH&2S+`lE~)|S$MO&hK>1UAir_KrJAVxh?< zCMxBuWngF6d~(m@e0P9*i*&SnT4yL+tZcRBv_>(9eq6WS+-(Tmx9gs}s}&~2yT5BFC&Ud-w7^w7%XH*KnW3YB%3qr8a5iazw0oLHK{BKgsv4QgR4)V$PcVC4f#q@y9E>F^*3qtDWalPQ?Zxg z74#{$fmyOMY%vKs=#{!Dx&OB4q+&z8`x&Qc)b1ucw&tbf-m{YWzGedvj*GBchP(CuumE`6yo{lLVxb6Q^Q_dm89!xu zX}+uF-IQsIGPoB; zKN>+vv<+QOvz;pB+*KgwrKq)n4IdS}rA8FVB8&AKlup*}C_k+T5Vzt^cL zwL{ulTQ^tCb6)#tYCOQi1p_>Kep%5rQU3ca?ZQ{>NI#~l^PYi)`no`MDmjl*e&-{6 zvQt43LM+1S3ir%tm-B$IpYFLK`2;`uf>nWIN|Ijrby>i<&zh+J@z*%J^F>jc)~f~q z9`Ifqtm-^N1iUAjWmFhas5mS`Pazv%;d9Z3RQp3q^Zq_7h{JuwjW+FXN zQ>m9@qHZhQ!R#&s=lvJ_&Tu#F7Au_jM#MlYN_&J8&(w{+S%j?7n52t4Ir9C+9L;4_ zievl>L&pp&3ILNTB_Q2;uwdEy-Zs;YBG}QXN1+~8P4<=%Hh!6CpIJ=+k7o6JT-^{@ z=srqcUz=M=UB7TrG4Vx&oCj5-v2vU0rSMxg_Q6Z6VYH2YiFd5=IBQ+F42&8?xM;64 zN583Y4vA$=bp4X~4V~@Po3Cn@2G^j03tLL(Q@Z9Byir1aUOCAnX0pS*k1R5BY3mP0rke^QP~b< z>rreLh(}mbC_>e%tYzT)3kjFjLA`T47+9tdi<6AElg~zL>T)Pi2K{vBM7ar>qyZlk z&=eyCjg9AaLf^c6Vf2+zE6U@Wc@Gamdu?=(atJ|xx8#=tTZ+O4$Ey#3NL9nfZ2ReQRs$ z!>XZGV~%(^IjBwwlOcj#Q7r5dr*g{s{DQyWM@G+I9cyu0T(GTIBe9#yZME?H_hgxC z6SfE|+pEXQ#?*_1rswxOOXa7x$@4uX-Ayb~G=6~BBv{LP@9*|}qKDUu8Y&sg>+nwU z^eC#F#qQe7{%-&D@^R}}?s>B&f&Xxp6TT_|i%5jKCm;m?Pv0Yo-)rQPzBzcspbGiF z*>?ZC%iw=}mRu!PmSQ&&%#AMEgS<%NK{$PkUBKjkV6zY1hFM4Ws}rMzSNwc+2x3$0 zP}Y#UkB$&V^;*pkp?oFNG#J7uI4jz7X4Mnn)G&Oz)p`&Lx4`FXttxuDREVwd=BpEe ziVUl7j?`_myG~&luCMkX3+0?fZ4j8nBX+0u^qXH}IYGZk?>Cjz&Jwm=(E1SlSvS?z zEWT|Ho@mf@dGJH7G;RiUp&wlTyiEM(=|@A}63|c*0ipzps%UF?pdT=M*$K!ZDbl!& zbcSeoxD-?D@SCfqtw8AYLQNsWL_!G#A>6UnYeM0AZ&XplY-Z4QfAM z&sy&1s+@n)J}VRx)(Xy%X1@F46?AxJaFBjFOk&=xSR;>|RXroas5z60a>05*a43d( z#O4M4?Z@TVu^78q*1^7c!*-UKK#%%d8p5m1b@1>)QKT<@N@w=$>Y!D{LfMJ2RarZg zRHC20TNQ{w*PXp2Fv#7u*!H*Bt3dwj62|uY}U*hjVTPy6=HFb zA@xutg_ZhPMReTF@nx}1MO{0V*(6!|U`yKqvu^ z2~GX1*k_$&uDucUcH>ahjmVsQ4>toUJLpV>St~Hdw9W;N&?pF@iC~|a8zbwHsI5ME zz4&sje#{0Xh23n zMaI(Dw+*~~`73@L%!67@+U9}Flhd82n0ZP+?h1>Im7%Jm;Z(8T)RZ^VV9HZTje&+8 z(5<8RcI|Lj4o2q7{Pb1-4n(Rm6M5#cToZhjbyb1o;{EPj*lSIRLepEID@tHs>Za)1 zJayy#ygcfe93FtQVf%{}Su+MkAqnMf4in)B<5^+cgMv+}NFNcW)`_fj{Z5-aB!$dIkj z`6-XZU1-=e5i(X#@5GBlb+4UaI?J`V@fOzawgiO_b~iiN`(jEcuk|+1eku1Ox~e~X z$F$yFoE~(77zl!c(7z9m!9jskc2midI(>Wo_b+@GSdbO^3g>^f4Sok)%j&IyT<_0f z?}nw1<6Ip6^O`X6tKto0O9*8H$(Hr|4$F(&yMPN8T%6c!tZ{=@4QqVe(0;W}<(==Z+;n@CWQIFROJ0LSvca6y+d zef{dddJ~9Q5OZohojR0%-hXwN7>xfn`amc3ghEh>hG02cNqy$t{Py%zn80{nn1E1k z*d#nXBK_vXbjGtj@I{r81LRCGx&O@vn$L3?I=raEP@leF)=fpX!LpM%NFkeM5twJz z&mVR1wsG3lx0=);`&#S#BQK>%p$y#z85_iv$q)Ux=g}D^=D)q(u&9Nr#zwy`iXaLe-;6-QusX*O}%av84NIm#kg}#_DIk3FGRlVC_c}$T|@0KWi^zt$0 zbIsT7Pye*2|M%_b*#b79%*n|62IZMTfG;A+ZP6y(*4;Nr5t0Bgb#<%P7zf7cDR?f> zi~jp>OT2HdG3hdX8M^nXlkmg{#h2c@A_FmndRgv)3gNALlQN?Yl@J}1xAX{_#cMbU z-2Z6{+?+s9kcQ_Z0d;mV=!#Zo9yCjc|=+-u%vXbD74m%&NM(XUpg+Q#iE{861@jjKGoW_E@r z8*&l9SvetX=X4&w6#y4g9;k&$8w6ZGmnMBG1AXouGsLL8qT=MAhdB z&p%idGy@@!IR(zryD>7JV`2SrE{iRO6ydkS!8aa0fSF1@y+@1AsdLABfT~`G;IISg zzSd9hx#t^zE%N8#N#`}A`3n_`aUVF60DM0_yy{fXtv-@23LiXEwPURKF8(VX@Yh5F zK#g{3lmOlGBW8w(I#Q%eJI?DO^=Kj1WBzrTzf|84lpz;5B;15UfOzQ~;N>eHZvk3_ zX8lP5Gyt+dgVW8t@BoBQtiY@*@=vZmz}8x6t$iMjW8<3We(P?U;STznVmc(!Slr1H zJQ2|7j)4#V!5#+M2X&@#a=L$gR9C#N(nL(C`#!YcinLn*85ggz&G;$@gv;C}Zwk^< zHx0>@UOzk`IrbjPTyVmWA*07g`EEnDNH{u7PsRymo}^1jivO@eQ(m;#0X&k zok?PhY?UqZ^VR$5;IdP4ws$IAje6YG$!OX9qU3UQyjZzJ$9)YmecAa^$Ys#;HEJ) zJD`g{(Ub48u0l1hzU?y{*)S{0>~mj(N}`2{`EhNx@Z5F*j!CpjS~`9PuyXu562;uL z!oN!g8OW1sZz0mgU!#A{p@DlpN>}c3cDUgCU#NEG>E# zZudQ8ZN)ytbYB4XWGicp<*wyia9E}8j5X$-ObcpP zLAkb>$cC+%!RR1JrXv%Lx|$shf^lE@&{s$VGEyvfPMc9G>L911Sgvmd>}1Jqi3@ib zKXfD?uM&&_(H@he=VpqkGPDn!(n17Th7#y4keydxk)=X&bti=f3IcXTf|r} zrkQ*vfeQGXt%oEkegt(epwg$jQ4NYTxE*%*?kI)|*3t z!UQ5KdgIDqCm|EQU5vXgiEC#VN0%tL_f?eNJgNFOfo$h)x^c4Vsi)3S{31Oo8we;;DTv=ysB|S4A;el8lV^ zgw7PKN%lcSW3_Y;=A(e4l%7uU z7i#7cYABDKM2Ynb;Zj$6feqjYu<&d`?a{avHj6@^QW2nJ@wlhW2La(k`5Pwsb_()= zR*O$?m^qBuL%@yZ}e67p+dh%nGoU?;ANEP65TB1*0F7h{ED(g>tpgcea3K z3PNf2PCE~yuPqa%F{jl?o@#xUue}EsHIMEkSl-X!`bL=?im;mi1p`HX3b)~)i?==m%Z29^1Je`YQdy(hc zNxYG&6UUnSo-?Cul4WYxO%pvy9qx++$%Jc))ot_hRS}F}cQwR0ALl*)`cKP@A^!Gl z_|eNc?F#2D#fezuirlp_k5YX6{C&9A=kHm@4wEsF?>BuHeK%4U z*z99PtMGe{xX2?pVwd2caHXdWe-yRKXx*+g_I(q=iPIJ_^Y;u}3pv&XKqbQ3xhVP0 z)W@aJmRLTF@Bj#UcfYjyao$$mFI&D-#ul)% zP=2rZFn(F;U;3p&69o)?3y>S|a(-4t$y7MwAR8{Lb5<@t)aIdsRuq`GJGsxYC9RPg zaoFv;p^INM8zSxnKsLJtYZFs7Ia>}bpM_Ds?Mwu@^@dCBaSRbqT4^=x zB=1Kb@%}n^<-Yv>S~}opFU9btA?m{#v2*jJRq?sNg|Q!KTo6}D4o0nPX4vs#7uZ91 zF|=M$L^tm>is_2!E2a~H3?4gsbv%3Mn(nsfU*4dyTj=#u?o*$nV!UaE#qUo#U8T$N zuja?yw2WGQ0CD*+0BDkzbiL2GhY|L3R?4({L3xY8`_S%bqa%Z=8?HE7=CFvA#mkz1_@AcQ@NgRt-1mGiWdTMi@Rv|?kzz7Wws*_-{xiC0wrZrpOf z)Z7UjwOX;#y-(J3J>m?j;lNk}d&23N*^qc-lKE8|YuKm0+0{bnRYB=DR9b>c8==d0 z%wNeeXeA=>Q5q~eSZ@{{i zA6dKO%x@Tb^*xd~cs5YDmb}}^k$O+kzdF)_XPg!M z$r3eOE4snF++?+baxT9vz(eyzwQ8@bR;65m4yPyS>`@pPYO+6{_!` z@PWeVF5ts0;oeT}3+$G^0k974jeNdbQk952mc2Ur7jHEcWzcT7jNMH>u_M1_`o6J0 z9U^h#uA7s-*!;TdJL$Nqc>7@W1Kcg*0|`=s@>CorSo&O($K051fcvEntAS-X2|Rmg61k7jD7tZM)_I z#8pgqB9Qd?r`ZPl;PeBVip}~-m-q+DBlUv5rwLnzRHAXsxLjf642R{15sU(9R`|cq z?j0r~PwlCy06v(MU;lEU@(gpYLR=3&>m~{l>=Y1oV=oCNBFq7OZomx0@ViAugRk^g zxr^Caj(bb7)L`Z7Lyr(%J5=SEDdx@0WYa`EPwgcrfkIoZD0EEddE#%ul?T8_@He>KHG>QTAN=gNY}(3& z+Q3BR$oXMU*so>kYuwj|ek%&i+MupIdYg+hY8MX~$v@c{OsEh~u1OW`IF3s)SJm!r zBPUd+fJ;jeaJZ8s~2ug^Wj4lC9BWIkL#M2qB;oB%SDYNRE`3B72Dl7 zB)(`D&1x++&QANcd0kj#Ey!GzeOx*r^J;!qJ70%}>&CBUe48BZyUo=ch&JZ6E2!Q( z)gNqxo0_LwX{Nxq!{KgLZaEA&e7r%t5T6bq)D)SswYKEb8S`sBnh?+#>+Yp8H0Sf4dRsLG1o1e+0UtMA9pQaa9&<2;8zq zqf}lia;LuK`?mOb<<;~?;;vvC!*O{Ryq8qT7Tko*th%j)+hi;^`W*O5h}t}B!6gf0 zd$Ei}(%Li6qR^Og1Cp>f?;Z(fV6)5pM-iJPVBJ3IsWedwI=nqxpJmb-eQPl`rZ(%` zN)y7bQ0#dxs{C%}tz)tJt#;ag^Eu_(+jpG+`{(Z)%bUx%rNg|1`pGcHX7!p{6P!HN zmi6J&tHn>FSu@VXS4@k?g9%E0IZ~7nif)HZ<$KUN$A#PL1wyB=2;6o`PMcQ(I`hE> zIwOsvX7AKd#N2d4N2yczySTOo=tW};?Y>e_$5@n)aaU+E#ZaSsFRmC<1@{avCE9h> zs+=AL-L^_3DX)ObD(p$l@kdfCB+`r;bm-8pNhHz~(XMAcLd#C2(mIQNgs59Is4Lgq zk3KtocC&VRlxm^dV={BsX06(FfGgI0V?viN)h4cN86`b3>E#hcEd2(aJ6mFl^bRl= z?;c{<9;!e{;8^*ZZ8pIM?W4?yL|Kg#W3=T5r;c_X140n@j6|!6Lf6)C6Y1ePxFTM2 zDsIjMU$}oEm!lfHmo@h+dALk3QD9omc;Av9QLn0>6y&E?bKiM5qY96j)mo}j!$okZ zdzIKm)6CIHvVl%dz3H9ixP4_KF!XSh@35LpT~Qr_E;m^VHJHxq-90=cHMefw18>8-WGC5Hx94Y0^=A1tT!QG6BI2M53P3;p^r-;#y{K6Te$fe%v1pugh&c> z(@Bf{FH>hF3}z#BjJECi-&`Zb=EJuR`}a&;n*pbOB67KYnDopDlSZTO>2od7NTian z7dEp$B@yG%U0BT?*LG-y7NM8ih+5RqjTK*5P1js~PeNa|Ghb%wSPScj-4C*EX|6_H zvNC6;uukK0OvVsNW;1Y5hrh%_zdoo~vbBz=R6cRPFKheQ(`xRBo5*e@lVLPk8fva2 zZhEGd|~bl?kb~mR&W! znno{cw$BJ54-Ddv){ytY^45z&+=!19a0h`W+=t23W9wHZKu=KKmC6#RNfvp>PG&q~ zS!Mf-8@Oc1#WzHq4K~j)FVU@*na$lfjs4LGuLUqJ&L=SZP>d%GJvZ3EJ%!3 zdJF)$IHX`QTRGC2%x{ol0=y?a4_%3Dw*^B37rxs5v@wn2TsLbz21p}A z)2f8UU}l2I+!-t7*&LLtsYP6Gl1wX^jYfL8DZnP!Cv(|;n=x2M1L{zSK;5~l?deY0 z=b{@GUFmUZyJ4Y4#SSAKr+}Eu+e$`y>ETg+%R+PNiRWShh8Gc+Rmith-Z#~V=GEt; z53%J3f90Ho3PLop8@PJ1nsfJ-uA2EM zQ0x-Ey}U~o-8aWxP`H687EYQ~R6=3p=p9ISW4b3L9yRR6&bDC^#dKWaa}I7FZ=_cm z&E9En6;YzC-dnaIX;zCKJNzP*NJGj^p=ESm2&FY2oTBX@Ny0F?)icvxT3J9-6>l~T zLHVw~p+N#NIPA9{4@Nj2eHZl^ZL7z=7U^n^L9c}o%{Pj{;i$VF`-s~I>AHMP&v03A zIF@~sQcv(J-EXc1!^cb0c5N=4P!t}|Y7$6RbTCW6OH*+}UcFq5-r1FQ?A=v*`JD}l z?uzUg&r1OKhR^U&HUjC`;n+mpBbW_3657cb{2~q-vVQX=L|gEPR@aB%TcbVUZ1ey$ zsLBmlj4~`s2#cec^PE=FuLW?E=Tf&BAVz&Hv!0Z3)OC0t?I2sk*Zn)Q-tM8p%0YPy zHSV10Pz97rikhA%{!4gn^8>OQC!LDmr>tW@d|is@To0dG2h06Xq4(+f{1hjm9=n93xo6Y_q07^M#7Jm7efTmWr&yVaR8vcr$}i@@O%EL5ZV@!{>5d;oQOn<*@7rlS;ml zQi0jfTF$0J^7z@5XujA$A|`s*K*5ftt?z%Uvv$EYv+;DR!^a02Gn0vws{g#5* z?V%T$6M&O+!?++mI;Hf9`8Cg}f38dcjrw zgnbgD-hVQ7ze`J&tBSbbX%_2Q269Szndyv|RS!9qtT!bZ#xl6M&%6i_YHV#kSzk60_N6aUc~_T%cwjh4Whu(REnM31FR5qr0c_&<1EDr%-lN#Q>iPH zhTOs_i&LSBr8qv~%=fKQGj~jk&>GK{r~s$#01_zITgfjRHj_Szm z3lXpS@Y3DLkx_0pL5r(Twdx-!I;ULVblB6TIyc9h-$F`1>+L#Eb(B<*<-}Vb;e8P_ zUM(NB)tS6#=yTqTN568qh&NiZFQjT1J3xKo9FovhR#daN>Zbno#v(7swc@)hHop># z>z6Nops;2pkhGH8>g^%dZh`q;mD!L(ev{=7%M@buX+^cp=ZbD!;ygv3S>k)n|#DKCKnRUWq-==4R9o z3Q{gI4sBjTkH}>79h2iR<^eONn^D(q5Bp-@MN4|}W4O7TZ@+F$iwYc16;952bW;=` z%SL%06Uq!Nu1i3mxkEw-3=hG|K)VEfQ_`?k5HMpZ~ z0&@1Oa)=rhlDG$ge$}${i#1$+1gf0O21XkYA)2+VYSJL2a#HZZBzmt@5T_)=zNG;K zP8%dFHs|+v@Rz?}Rtzp^pHI|EkJ;T_5Ao%qkdxyM+QB;J$WyG6CiPXsg32WmmtsekO9e%-_5-bGZuMUSEA) zWbO>wb*DROeCBnJFR8tVh~UKVcp7;wTCmt=e*GFqlYa&I4iW;g;FlyczWD3#dwi0? zK!-;p3&iixPQfsYk2@V9i2;GKmft>RA#gNT%zWB&CZYubes(HoE<@@VxYmVQ+%dni zLb9{8qd1Chi0o|g!Bro-99W--3wGf(w}!JvhfZ7oHUjT20?=UDmUN*Ai*w9#57iM) z-X^xcsi>xj;w)M0w?8o_8RT`^*2E6tVgR{K#s5*EF+{(jc?=4W(47zrC4{cC1Nwh) z0<0cmD9L0vyZ8%f_A@F5Qe@2|XB#?{q8bR3K6NTpEz+cBh+lB%#pXhUKRu7p?YdE8 zpBGeNt(|LmK(s zx*7Uf#XO1Sjn9Wrh*H3E|2+cbH&mP#Y7Q-n@~IBlkMSR_z75hWN2KzbKLk2gdQtSs zdIu1$Pnfk_D%Jzs_I3_Cw+$Hsa#s4ro;S*aTvGd`Q>D6I7x4Z&lD(INe>>1z#!Pnu z4LG$@A0S2Cy<{e(`bOZ`?hF^Kb!_=%=cT)ls{__H71%2xfiBQ)FT^JS;q2f+iTVni zpP3{_Ti=f+ipIDne_L={Z8EM0dp`EHhqjWsfjg~0yRA#V!KREedlv=v9LIl5(0_FH z|1nclAp!sYlQSSTqx($IH;1qoIVh5|TSKUy2#q-tXU5sLoDhjUU0PBcL->0(Ro&88 z|C&$c1XiDqdWPn2JQb<5(9k%q?e^x}%XpbRo=;2Pb3bQ1f3)n}9Bsu}7WXHzRG2V#DkQ)m1{`Q(4b8T_yDl3xCYX|Gq~U#E^=m>XZB7;yLb*hW%eOX~_{k z)U5;7lb3D}hq}@OfRpD^Q5=|M@2vb=BK+h&_@e0;pBg1oN-k5AQ%Tg|pI`Tvi{RJZf)<{`5(Lj`fR4-e z8u9|p10T6RK4xY7hnb2GF(Sd!xk9Uzq2+m)(Ft&ZKka1AII`RcJjed~Z{UGU&iDZk ze_I6s&NKWAfjC8SiEk=P>r(1Jj>j!bwL~h*IbL#G3YHSWY_U2L8kddMoJ)X4=jFUw z=*_^ohieZvpmhXy+!L*!+yC{7{`y{<4+8KX3QJmM+Ak!9ah23fOgNk=hLKvbHw79} zhI0U)Kj3z+B|tATRO{)`6XEhdstxJ7x zomboslJ)m>+<3Km2RwhA8~?J--w;WEKB^f`W;A_lPnIhYL{4NeFkt~Waa{ms%v`_9 z&zuv8E?FPd(!xc&{vU?39mu=VBb_Z#Q#vX3ZTT9!qnyO)*ktuPCu&sDaI-FNYr zk68m{#r<*GzpmunA0*|!jE{dfaASVyEuO_!tSugvXLVUzAi&}@oieV0lQ8twyRQB6 zPVZYNFW-sFp#J;M(AEcr1xw}W4Hp|B9^FmtiuEq7tA$V^tLqT$JjpT!v$gJbQ&WWH zWeou5RnY0#KHl8sPh((~n3jga)@W*?eN8qcb$3%(${e=Rb^S>YRm#On# z_v3%Z>QTDI}@V@s4d?jdJnD@mFWZNM;pI^j`_3CvN8cD)s zUu8xof}!C!U#}=*11_a6It|#(zK93}K3u!Bv^1St(Dph&w1EYL5#oFM`wml6aj&g$Bm8?K!e}JD&V4sb;#WX2sucn2n#Oje&|g3t#-Asg=R z^~xTp*9(^XLPU2vbzKe7Qz^uATJu`}hYn?>(qL#~4h*EJyno5}Yk=EEyap1Falk;0 z{vry3Tw#?Ku8p1$*uyV!kRV6~XTkKq+JMkk zXqrZ8_KFHJG@ffSGc#6ziR+~r&tP5F@eckE?IwW#9YEu89y0#9C8}jZb6w)ao_6-E z7HeLrhWO7pU2cuc0Fd81ehalxTqfme|Ae}wZXi}089qCj;bdmu`n_(>q;alnkm6dJw;p)yUhRr z-yisA!6Vc=2sgWoW!Y@abEQzw0FB?722`NqHkSB`0q$vGb&pjUkCeS-dqu_IzcyrE z7B>$O^o!19oe1w%IQ8QjuhRYy==I=8!S3-c)iSbWKyl(#E`|qWCuT(ryo2_G@%0UT+?N(cSGDmZgx(h^=xFf+Yk*Yeq_}Payue|Hi11D%dim<# z0kmRl51@mIK64>n{1FD-k1Uadqxo#bbu)~4!mLDz;J52`;YaCOXt?-SG2)0cKUE25 zULi1Vz-Pb4p9GOzE4zMSWPYvt8MKb@+WP!Xv^$NbyoA|0;s)yasCCKNdQ zd@Dd$)YFCUiyGu|)a?^y6R7P@oWbu?F#(jxi%R1kzy!ZF0C54GBHlL~JdV6zu5jHSp;%$%dXOK;;QfL>zG;+xH7&e8^=~0Q&Ao zH*%mtImR(y;SFqq6p}ta%GIU3+tD6**N%U`^zVY%rkR3Q(CCo*fw|P=)xb2X^)JPV zzt5{q47#=?{c%#&?w0t9^gLC61kLd6H$blDvMf?-I$+-3NJ7|+_>Q3X`%+x(@nOd8 zu+iYAUGGo?*WGuH008G;t@TmvD{c$j-IGd2B$XQvyMsli4n@(i04V4(<$S;Oj>JMA z0Sir%65JPI&-*SM5<7j6_+2=De}J!(a1)S+swv=ZE{_~pt~9`>#>ewx?Uw+I?OJob zPy?{{(sI>LK)t;chYcU&Lg;t4B{)@W3FcRb=~bF95nga)g@9?v(e%XfK^imJlhuW@BW|uIR9Pv_z?e?#jI!*3Dkg=Nncv*uRBCt zB5QNI1)Tw$Pr-B8Q%2vi)(IIQ98?X}mSG^a3F&Z$>fDWc(*%!xd~7NZ!Yk~2pLI7C zCFB&Kw_riL4sRX8!19s2KfmmN!s|}@(RSuX)2;WS@@g$=?zW$wJoUJ4+N(WWtUm=F zhbaKdQZi6QT-XNC%-ma0!2+cK#gEM5ULyr*_{N#@OUP9qA#N7$C;d1?qv%|s&M z0*bqRI?$oA^||5(knaS;u?K>oXt@~UZYwPKiXgC}_%Z4I?jp#1IH5wh_zH1XqJNkB z`PS-cTB$D}aduTXzT4=BYg7p3IZ=5a_IGld)t!i-Kglw{Mgm9tIuv7Rg3=RvWB3D! zj`X*O1{Yt>P!ZwKu+kRr0!!-wMeH=7V$wYMNiv!szw}r9l-rS zu#7r;F5I>GfrjPsmAdbXl$NX+~>EV_j7xaz-PtH4FM_V>((V>dV3d%P9?<(lu>X2s#qHpsA z!QmA&@vh3vbc#n5lppoXe97Si?#Oo^T_3Mz-?)=NH4MwZ zw54OELf7eji=f!|>m30IyVA_|r?eTo1A7=(J_#oj%eL>q7OieqpIh|>v>3`l{FVU) z>PZT!7%sN5`8hGod$i!Dn}qB0Fg@Bd4{5Ghde)=E_YrOl@MxzZlQ7e<%47hqX!C zU1b7+z1t_=ERZffJ(`y2i2+TmbQ9x{Vk$DoTobKDgn`udREly3#Jm}Jt6iW_slR!RleCQPm_!x%68byU1 zn%6C(y)konBvjJC#m~R70H^dqpSe&bxnJ$1SccD{zYc28s7Id_<>(IPml)2}ay_oG zv4;rRdCS8u*v*A2iKW&lihN?c!K)(W?Owuv|I#=q(Ovj|aoPX9p%8s*_semC569@a zsfsV3#gi#Z-`p74Dd<-~NB9D#V1?SN00zv&!|9Iqp)Bey6MV}BDQ_7F$Qq5X&TlSI zY@O!ihbe5Jz&6TEFX_+*=d?J_n=T;=_?>yAqa(Yo+nqi$lGx}WU*eGXi*xQnr}bdq zMIrE3X!;OypGZ@y1yr6({4$@qu--Jg`%dq!un@_!k{pa27VPO?qsT>YL~AOU4BeVk zc-Bhu!Ax}vK6qn{uYZ;7ET^}+A)m@}G9fVhmS1{8eoF5d5N&?y>8hsGC6@bT85(p! zCHi=~sVJYpF+4?AW5KUB9sbMh@5fLK=+}a1T7;G}$P1Nbi1V?-lfa z@4bEmC=28vE?eU?QW!(onYg!mZ_+_AhJ%4Z z?-EI*(vf$Pd#1moFy{83y8Rfjke?1N9=-cocRV(5pFmwAXI_ghZYD<%!B%jfHIaQ`WxZdKg_gK@j(EIic0MmSg=pyMIrT`(7wuKJ6+7E`|q*QL)x2#@bw(- z!i@|(@az$f$$WSvxF|n*6KMtn2LIy(3`8Ui#i)HXBtDX(&(%Q(|LF6RbT3Xp5-;JB zV7!>%LtrOdavWP8SGEMsaqrdUc5nU0{7*_PnmSw_hfHf~=uZ1Mrrj?dIpktg$FTY< z`~B#-3HV5A_$oV>JSdRW&+ zdRt%m`?v@MR5ibeV!jTGi#3?|<)U!Q;U*+QxA3P@qrQ3;0)3}n~n_aw*txn?t>psLootz|>HAzml z>rkhDdFeNNb_hVTjA@8&xtr-&iip3cx$@*#$@Oe&#PiFku4YZ`M3P6dd%RnLX^x5c zOyTZ5l-lZ|acvHivc$c@X;-{cfN|&h7=Gz#K%2-esc~{2l+zwM(5xf#FQ;8Y0_n2) z03QDiXzJ!^%9&60k}oAD3m|>fvkkOWMxoYht}l1?WyWzTn(UC{;a914I#QYqe%7s39 zbTpmaNWnV8wk8KG{PUW>LS&EfhczL6rM}pD>L~h=``- z<~$MGTCm17cuJ~lH11s zfmO&q%-w6uh1Q$HbowQZnRDiYLw&}6eJh*6w#tM(`QqQr^VD5z&#OlOMWn~oY&B(ON_KeJA`A3a`k(>7n9H0h)? zEc)q%vlFYk%%iTCHl0?{s7H*1vyb|Q41fCYdh=>_wcH)Sciy)4{p1mB)fbZDio_43 z8Hfwe(JEAQkM?)?XErpgH<@KlD+4gQaVMvE{7kI%CrW=V14IjfFll*zI7MU9>BLs1=V9+&)YR?l&lu`;mnu` zoNpJnb|VSJrYKkHi#X#bX@z>;q`Djwpc2G2Bc3#HdA&o?hMO50T0AxlQdqy;&A{UZ z1ovtJGIy!LA$t%bv4Yji$|5bdy@xV>E2|q*RBqs;v(ZIMMwE=;)-%85NefzW(cR;E zwfghk#ZK9#f%<&qh!U+;y^NXfH38I<3k!x^n+_<{?qmF6R9OW(Y$+lJa$;v21PN00 z3xxh$fJp~kKgqqb-b>I1s^oJRPok>fc~7Sjx5V%#{uMq1PWe%;+pU;Q>p{#MRNUzF zm&yyIrHLy&d}+IAUgvkcviWHgMqENu-+t%#CfardKpx!bsR7S?bR!H=qZ5HC_QT?; z!O0-kx4C}zMeKC6LZOD-I768DijDvzw(RQoh-ts9?`TVv%+L}O*s`x$Tn-{kN zYjG(!yV19G3UC&(Q87TI7~(*>J9r*L4M7k0py|HM_2d_-QzP(m-0X!DQWK=sI&oZL)n#XYV00RoefRf!4L`}E#xbj|pHVb|Waf|kNG&p=$(HTXvy6#7cgc3MQ zWscSnBTJ+eYy-NtSg#)o^3vY}3PYh^%6;g#Iq5X85MQ*?O<=sJB*f82`DiTX15{|t zLHONwCHWE?%Q=>x5N|=9xP62q*p_s6DNer$zTNqB9O41#S?2^oujKh9)C1(I^alx? zE`AopCH~4&+~^RcootoW#4b?;1KcWy8V$OPi-J6<73k96i7vA#iR7FTH7Dpjvtq`7 z6A$uh=R?zabVd5qTMa|F0!~s&7&%k6>X$xm4H13n{b_+n5@x}c?DWP*Dj!A-6F1)a zg4S=6>+#8|#dLbq@5ni&_9x^%;O+Djn&9RX7$%=DQ0ovldv8PfJZo z8&N+nX}{UQNZ0o3ui?qxj*+V0f$wD@UezS3Eh-}OF~dRZ#^{nY55RH!Dpu#-#f8U- zkF9OJ|8&y!@O;z)Wv9^>m)j)rLwl4JDkwAY^H8*afvjRR6~z$iqKR1i_LR=d?+`1G*@SHu10D zq(24x;xHA>LiM{vI6I{Wh?kA7(JS9BmXbxf+$d*fjwz85tkBc#E2KVoMMEkbZ11rfw|hP1Ho8eT*@#x;M+L*MIKIL0x^8@mk02)i zGkPDQMiQl-9rSAi*dr4595sQYORGTZK% zpLv4i1Xg)&%;oGzgv}aQ3^UGM5dqjc5HZ;Q-GZb-qTIzdRbdTV!sw@N3#0M%g-vL z`ZaIZ%p`;CCb7p0y|?~{dG&alcNs5EDg7L^&^qN-6zB!$0t+zD zV=hqdJeNY&VSPV69n6+#X+6k~2MoLrN%P+m% z)xbCMIK!T=bx)ww1f@?+PYc0OYil?7`ys=M!(q@$CmqR{G}r~JJ9dp!@}PgNe`aor z|6n>hXj(!u6jtXZi~Br@XKrxATKDokI7FY#KJl6 zUfU_dteQb!_ExI~=2qzSk-Xa``aBGv_(>Jfzd`{GZd>SZMiLu##>P;9&ndgOYGIjvC zD98}k;6Tk`1?6KpvLM#wbuiN10T#2x5iMU?V*Q{q!q~^gQ*xuF?QlRY;YvGF?yscz zC}V8FN>0<#$U^kDxThDq$35y!2r)=+bNN0{Biz+G5@N4mLJ&eGkmz*q?Ft(7GHjxMy8zJ@rtJjL(n@=fV zVhJylF?Aq53*`tf}5Kf zT;u6Dy@M%;(u~xv7Yu1y%h_leF$SYYlLl4DHn+;+=aC5-)-{xOXQ-g_2zPbEG>=9& zTn>Ji`cE|*pD;_@Tv{d3xy15dBd{4&!6)-n_x9_)ZjjOEm-80}+l7q##x>;!Q1DZS z%{QzEWVSUsx59UyKI63!QH7Zh&qYfiLyrL%nyXvlS({2$L%+`3k zNlTCP3p*)R{752+O+%z5&UmP9rKKpR@ty9NVz7j{PF@6x%NGi+z_zK|DW-+lR2()t z7XzY+J9NLnGQJk@r3rJK=`=H2>`{nfJV))GQm5nf2YSXuMu2#$wx zj;HP{(1K~%AY0n?axS{nuv2U4Z`a(?&L)LCK8wXhV!c!cF9F`2QFgibwz{u`N7{3@ z_=g7vcI2Q}Nwhktqd8h-WAhY^ql`r0aJC8~+Pj(mbd|ux{^Ws-4s6*(X@(6Q_AYbs zbmq61r-K#F_UIeS2Af&GUaW0{hj~Z9q}xraA>kN(H-}XWr=L;ant29-)w>&Lf;20HV(;D!vm85g5;R;7|ll70)~?U~YL z{15g4`aP~i21Cuqps7tyZxOLR^i{7K_4>Vuew%Ow#|#&cwX>k7HJ-~zBinAW0)@WR zF?E<$-s6f>i1>I;T-#Ys*W8lJZNw7K8xA6BJG9_#CB7`OK-C16^o z2r)~NxuZT{F~RC6Z(rYRV2VP3+NuBinSc9>2NS7(G#)i3GFrJnfT$i5E#gBrcFG<; z+gPcDT+5lat-;+Fx$U@w)yV7kvglqx4Kwd)1N%XWQR4f{f~WzxTtpo~OqTCILuYfc zMZVu%7L3O#7avxNw5T3EK0Rp-pW^v&Id3I7>p+>&<`k{x@6pKYzV6B19YkIQC2w$@$C$QT>Z7 zjX@98xzUzZ3cxr}kxXON!1X*b*6`JHkG+kgWY3(jzP~6QI8rNnq2XfET2=C(&rMRDW*5JBJwM zs=OtzwL&Kw!Ev#e=iFn0=(QI5aNeQY_&-k%1OA^!-MIWKGQ=(6YP%{Ha$AbRCl!c2 zP@}1&r!94&ip9!lgs&rz^aW3N)6Ex}Rr2;nC;S)%RrPUdM@FdF-a1y9E!JwRxEnPb z6%{1_NS?;i=IXN$CYPI2z}b3`8B4(H5EB~LrC_+}iHx+K38mClOobR2dElT>q?87S_=b7urx4l)YG(%6M%S389z zzDhl#lA{$z9*c%;6w#AM(*4CUtzOr<1No(vd$8awE~`y!C}xqIi{3=r^D9hdk4&IK z;H>NvQ`yTY27mK(kzfm}_juOCWU%7lf0auKb|bfdljOGh%hB}DAKs2chU5i8aiw)N z$%#i!aai=gD*0Sgw5w^i?p*0~E<4|bXUbZj);kA-B2XK8zSA)z3~}%>sy%ruOTPrIr>tT zr;qk@B0elj1FFx1#4Z{f<#La&#x@=|u0Iu0bXMNYp$7;yNu5zG6(HUC`|mek{;!B^osU=L*>*&wa>uJ zxbKawJaaV>XU?vAo#t?7R`YJD==0Xoo+i=dTrTAYxh;dkD8qtDTK7Bof-){Y=HMy~ z8;^gj+y1#W*PvrVc?1GE-HvM3)g;j)eoTpp1mAc=`}tk#1=zn;=QQF@ z@rNBq0O=$ohYw|bESj~5yclg0zMGk{b2=j--f=iB4HM>mSf9S!C#uQ~i|lygGIaML zMSu0lUFH)GFafFsxGsjd*Un*qp^pYK`qTj~J+XvDSYKeXe7anAy2??_KvaAe5`puL zb_=pE-5bEYz~VoHSyx-<{GYZA!}G9_24)2fyRv7V!t zzXGPQvvIj@%Cp7N`fSPs0FT-aNsO-P;wem7UAA~r0u;FSn?#_6AsPXSO+~51&+Oo% z_^7Uc0n7`dp-w;a0biI+_NBg{!a|d)D`tGvE$>Tw7zyRIO@J8{DMsDELI`$>|4wdQ zy+P&7`Q%15A|ZN|bHZ6}8KDXdRv;3%E;Ca8pAQCZ(DJ@>M6Ti@3SA9)*_wkk2(qEJ z^irGxny$xJdPP0oV(0A?i3ekq_3lcdToBzJpsUOm;hm4KdTbV%Pp15sbM4NO`aaHa zb6)=7c-qU*-*0N#TJ^Xjx*dv%7#Lk>`D#7EaJ!SX8pZ1a<;YW(L0wG8KUP;=Eu0nY z0)@bo-L*D(`T$EEtx@Be-P+3Kl)kCxvQ;9HQId13o!oDlZy8yrX^sO*44-rSmm2f0 z3)u@9F(0F1HW$r7d9{EuC0a-D3@6U(4b3oMU0D7JmDLwI-9zm!sOS{{j}!Zj_)Prn>X4?!^?GQK(e%<;7E+Hqqku#8 ziQsDl1777K!!Zf#lym|Y80UXp)v3_(3G|h;rCA4h2$e;RQWE+jhHxAGQAF9lN+r>& zrHktId^1XEe{E^e)L3+NhAGb>)cQ_##r9~?uu5x@=B0n-YkfREEks>qQfV?|^qTzY z@Ze;;P$l`Upk^7ZCiPzHc@s~6?I&-gsAM^7ty?xJOYgCSQOYesUBb)hc zCE+w=chi{?C6J{wzoLzlXl&$XJ#wLB_`~AGO^UT>rCg{c76?E5-))|r4L2J=J+x-o zdYgN+P*W7S*knEj^o3yKtK6759EtVsF89BhOy!du0IeY@D%%Lp-8kW~O<+s*T7nM6 zW|cJ@7H*jR$+_BSZ+eoVOEAi^3AevkXUTwH?{vN~rvPl;jR+7clJ*&n+pPAGY$&hq z-oB9SV)fI&SxTki4OIuj93Nv8=Xx#YD+OvTS2e{MJfsi=UuhZu(Y{|TmRRg3!Rf`S zHHFKQE|?}zLNh+WNUqY>LTYxuf=p`iCr4e>EOWqi><*V?^R>=t40weJ$xl8+0;%YO zGy*3TPkzUG$BwD|dURn(ME*laX{AlZLyDM%lSaG4X*4NJ7J<3r3o$1vEo!;qX#`pR z2vNXcOhjYZYtLx5>-c8}pZ?PWz1@3@s@!Rkd+>2gR{*>~{13T2iI@;HO>(jLRtkAR z6o6XdxZ+InUI;tVC0TB{kh?v8bH)XY`?H^z;R{2Nh~8*4l+7L}$YXaiJh^PwVzvff zBAVB{Q*8#n*vx7;Ufq!9@c|;SguIL@+3uB>NbG7qn$_D+HJ$bVK;wlH(w>u`S*Umu zlO=v8fhKxH2fGGHFGEi9Mvf1u)_ebQe(U!$L{NQ4V7BU=nZywkQnWadzm4baB_|g=(?xD6s3{pCRRR? zMx93;O`ch+KsgY?jAgs1_PqoLRV3PfU_-!Y8E9GWy zc+@KQ89NnZQ`V266;1L}8ZES*kg-;A*{s11zXZzYa}*N6_Y_$KHI0=g+6vgEZ6_`b zI}2Fbty+(Q$)BcAH6MACzBgtFH>}Kbw=AVC% zZbf8+Phx`&6-`9+*!%q}ZDGHn+WqkVRz}hukdoYwm(|m6)2i?aXx4Ng1)RDAk;Y5R zp3effKVpA4hV>O`g{Zg&oQjJgwr1IeJp%iXb|Q>MKZl@E1uyUgwn5=K@c_3A`A5>pQihj!hE?7U+J1h3k0+@*XWcA%08Xt=rMY^XMoS?8PtE})|t^ydwcMk^lJpE+5#gZ<2aF=)JE1y4-y&L>;7hG zj32H5r>Ik|HG>oal^BfQw4kaMTRl0>_;^?p*WT{+nC&n-+V4`9BZ8jwJ5=#%pR^^j zpuXTsy<6T{riV{?>_cKO+ zDi}*0>3ASifE!CgLy(oTvh2lHHA#m44_|K;6<5@)+a^G8hv4q+TDZHry9IYEAOs3` z3JVq-g1bX-OK^7$?(Vm8@7aIbx3#^`W4*0fI_8*t^v_fHE|%Aj@qHoa8LoBzEGSv# zJ8v>i3fMY;P`6juqG(bKuSU|Btt>#-vq2IYr}O{ zB{Gy;Aqgko-~$BZmfmwank}1ZU>?N~=Qn5Id<}uL&O15qk7;T-7^%*jLazjM$G9Iv zLn*S_Au-Styws*E#8jE6Ys6O@Sl70DWwgSXA{u)bki-W)OVLkgq8rWV&7>(4M)&f0 z+xEcwCa>F#BZVVab2?)=UNh*I_6t8#{h5A1I(*&wXGM_w?^vb>kEk7-v5}j2qg6WzC><{CW3MP;r3$acF6tz zyD$e(@N6|;x%9J#EwrGP>>?rUy9fByRt+07%S1>+T{=}$PVAsiVmlp;CIS|C?iEJz zHNH<#Bb}T(qxdBcEr3o*Q2fcPa|o=GHcAdzOWb&+`W>w5Dr_GwhjPfYinFxtVj=`c z8N2j+x`M!=IkVXkIEXJ02-?!cbJ5%v$w}I{-qygI{0<-(lMC6B2zHA95aMtd+~oAG zO1t?H0H~yMry)CA*3YE;=Ft1#y3FQ$lmKNG$Hj9{Z7kQFYP+|@Q{2LUA0Z;}tfixK z$Tiq0KRd@*Z&04<@l5&cd^j=HHt_wpx|?34~aLUHbQ(-9pzGtK7NDeANE zh!gs6)iIM41?m%0L&FuE@=DMzk<~=s+@ez~btWqx2+9B`!(I*-;o z0_l021r1trY8M4}+p4qna{QQb+iHmHuGZ4Znf~_DbtvnN?c?|P1G_1q5=^@v23VJs z61V(=4;Z8_{@i44ycB207dr?)%FC4}_`CkOf+VZUIC0{A;0gZP9~sc49_KtX4R!9e zkcs1+XKBV%5`c2Q*wd5I4l9o#TXdZX}Efo)*G);{C^Szllv-yaj z-2g0FF=y8o&aI-mOV3|MWExW3GrPLpd6RJiWHn(ccxC*34ZlA}Q!#owt-xCJ84+jZ zhx%4_Dn;%SgcYP0?hj@q)4q|IvY2BdU}I2_4rafHpa3@R`fv%f#f(2-+`1Dr=w1Y& zk%IblEU13}gVTjz?=#sPcOhdoHGRXrwR*JapbxnG;T9I5)Mxl0Y1wOt7+_Sz`vYRcE#rqcdSS}oE+)(39hk^nMc;4kV_(8ZJ1eG8okc$Cj~RcTo0TY zOR;q8egXL;x4{7}LALKaj`{*t;pgrUshye)Lo%ss#mB!BxujMY#|T%yIVahRnaBud z$zMazgz--IpLnfCu^%6XL`XjMsZeWkG7(%P#sjII=23Xp@i%rMB5dM4cAbuj)J zSs@&_`^~!Gxs`wL1!_TrqSe!hjR>KX5+9D}X21YQIVbT$#oZHRuX`Xwa_FD|bOq&bjsB=N!)RF&=gBHREw%6|DcIb%&{QXCE>YeKg zf}H40{@i8e^_mZobY`#eOOQGtDCD7%ilLnqptRU%Y~# zPaifoiOQ-oSkmOWAkOx}+Mza%kt^5$DB`aJSBj*&D?@DwDb1Jhy47KXGy?~dUe3Y> zNBB2>H}IobhhI}kJ#ak0RFTc)dj}RjIP>E5+mU%17G}8{4EC^dh=qQ62;>lp1&Nnf z1Q+@UjNFc~b_=@U_IIuI30L7)Yz)34Ls?;Ze0(X(JJ)}Q7K&<1Jr^RqM=hGIy&0o3 z*u5_ic`aj0==T=oXA|0c-gpnxCMKJyS4;cn9r9y2F1TQcWQ)SN0X zPptpMaTjQE)Fcf&8gB76IW*ED4hW@Z?AAWz;~I{-*EtfBvFab*8udX-u+HvMAi}lX z*~owXsr=>BvJ8@Iio=Q)qrcaA%2ONcQj=8(7YSAN9dYA)ahPpel{VaWZG~c)i)(&# zzCEzUH2J}WgwJGxeqYp_vG8YqKvF32FsD6HS?R$`X0J_8nFl^X9!FobQ87KghdzAr z?m`GxX~IJyDpfwh=hD5N@g*KXXDYY_+uaiaszL+}<%2~^LpX`dFwE?j*O1wIpIF1dAKJ0^X@RT#LEBE-Dg=84ICfn0uGq$pNAc|bkgYiMk=_#`Ab zOZl%xw5-~~YJw3%+lXUfARB}6mKx))MC7EdAECRV?Uw2NAY)?`<^m)%Zz%cj5&#^= z4o?5T7dJ5i@%f=^xHvl8hofGGU{pC8v9f(3T7(S*M4XM$Bx;3SJ>m~+!F({#{x+Kl zk`AHrel+&*Ig$6)n6&Z=%=cUVq8K6l9D8%qG0qA~$q%|P5piZOuP%zj64_sfk9?kr zh^}LJ*L^I^+h(hEp)ZYf3wx-HyRSN_J-;vsR#8C-xQn{Hl_)qa`8wyyBSe_1=1Dk`riNzp3t%Gg*bZzqE)D z(i?vvMkw^XuJk*K4*vZ{P*C{CeINazgWW=_y%KPs_(K-$ao|A7w)C%`)J7@# zt*1-%?M9yx@jWW;QOo?hU>oo3wMD$Xu$PEb+#GrI8>z^%b{cmFH4}YVqzymvI&e+dbkN=<4MCGmB$}(Zj<_*?B%++q_OI!9(q|f7jl7n0msn-eZq*Uw2?>HNct9H4x1I?q&A`(vN3~zb z7UKhH$U^|SE(&&^e)ha=-g2tw_5@}WsjS(0n`WN}WwjhPIduuA4JRMgiC8PChnFqS zm2h;#K2^BT^9UEZRxV%)Hnu)|wNHqAptu!c(IS&2$6iU6tJtzwM`%=Tr$7^pVK`T~ z;t0*IkV8czbjMD*O*Cc4;5}XvB<+9=`S}6kTcHxB>=<8}j36+1i_?vDgD^EZ&y?G? z_m`;Qu*IUy*4sd#b9dGjzOA_z`A|(lU@wR`ZAqJg}18)L_SCX{vrCu-gtV5Tg6bn>(_5 zzmNlRQrnQ=lvt9%0piiFGc`a zr#&Ln26yyd{nQK|?)}06^xBTO*Wi;efeHX%!*ZWyhwhJ*XQQozLC(rea?H#2>oh4+ zZZaEsy!50yk$mg1ZVmjWSE||YUi+mx-|#y_obgf3(rZz_8Mx^1y&QEc@1kibRj!FB4F34b;WVeIerR{tBN6JZh9DhqV#^y=`z;`$6KR;PITyIMC zhi;DwFm9&eO=Qx*tH*Ocab$;zd+ttGRA^MP^Jjo?KzC5lOj zl+w~OZsd;y4b#Qs1s~i3t68dCC7IvuxK6anYxNsHtTG8SJI-=(#@}$ylG3$te!taI zNs2b3B@`b6^Zf4m;}WmOZu2~zo-(!iO5euqLN}Fe6<+7E z)qCSPZt>bznxXX)qaFxRsmiJlBUZYVl0o=>Qt2sB0UKTUrAIFp=P75D-3*{UQ7{k7 zj^Izi*AMRrrecYGqm#X&f5j}nn-8!TO6O66&?RDieV?phuf!W5G{igX=|$a(a^}c1 z&9<7sM+nFK>RF_OpO=hsXbywW|0z~$`o=L(o;0S|f9wsNNHlckzd5y6QapfDHhCgYj`QfC*qNCeJ5} z$$0DqdB2{=qjG4s6-5Np?}pnI%I%GA%ZTl+1aGqEIq3Ut5$z>om=~L=3DYMVmL!{5 zf#L-57MpvcLZlPIt=6U^lEbn};w%vT=sY+SFD$IpBi&S1J5-8YubH&RN3*T7W-S0S z^23v@Y)F;*6*iu2WhKqHNEcI)#!A*w9`tu%PC) ze`DQp@^YEsIb*}!QPdup&RhG;EuSxDlgJ)0u4cTja^NZ4E|LcMgT;WA=LbJtq(`tp zc+*Y9MkrU{^U6lk7}_bnWq6~~fxr?|OJyZpaeQ!~jVGe7c>;n_|ERDhm4?R@7L!Qo zy?FD%_Zum3v1TiR_CuK)vzmEM;&kB;=l?n;F;4&D%tA@8vd@9Euj2s@a9ahmGQm4%luE6@DmYl zM0aYVdCAg=v@Zp(n~yQ3k|La)GovKuTmSOhmOp=Nf#e?LDx!5H*}z`(p7SV#2- zn=Gxz?=Pxd_nqCT>TP>HxyWk6msq>QBNijBXI*4pJuR&J9at;)Am z?P??3#5ltFV%czqj6w_-deo1?FE!9aNm2%V8tWKa%nV^=tN*ia8;$ z^d40xt_cbV;t0VGTGOx)_kkiZq95!4|6XEIQjU?L?vsM zQe;mS3lpH}R;E!J6gx{v+@*DtF$wr~y@v_b9j(xVx)3Hm+n({iNU_13uLk31df6>F zMte3RgkFs>n6Q_xpo`LbmB z5jyXWU7k`28K`_INy=djWN~Qj(?h&;2{a^tf*9+koW8~NfUo6;8%%kSPaU#|ez4?? z^B4)tii~BG9uXWdDj+pOUA}DY;B1djjX++xwcNz{>B7>B-NwbB%l#`2Lq1rYw-p(A^|wWTaeM{$eT`c zS)nW3JB(i_YcwYX=&)IRZ!`g57u9Ye0R3S<2sk-`utB>=zg{A`fbtrxUc56?!+Fck ztn`c;H8sMFx{(?uT7u#4k$wkBmzIjg1Wq-qgp?gdXpTete<^B5w)c$-8{qw%AhAJ} zbPAhX_bSDrKEaw?qUo?GyOt0*H2K;KdHC^cPJ@8cvcu+a8p5B~4``%Lsmun=Bhv%U zws7w)GxPb^hrHI3AEdtBhpCeEDl_f(DyuL0ZtK&FLz7fnG7Ap_u!iee_C8WFyx%#$ zUhc;6Zj;r8QB`hAKWIWz!k3(-G8 z+qx$mTc>vafke>>hef*B~o4(qxwnHUb+Y%Y*%|FwTLxehy=a*1D{h>*U+Xq0Z>vr%Oy7we1bEoOiI+U1(nk`&cno1fq?hKcjiYYN^>@LVxIs;GnpwLfSsNsVuO#jTvzaVjr1$&KA zQPrIowl)=~VUTL;$cbk=wt0~Ueoo#V^@`((#OF-aUL*;<2RX9)x$Cm@xt!px44M95 zJ#lBl8t{nnA#hEi4iw7Wagk?#!thg1QpH{A4KOTWGHcaA&CC8%s1f$cK3aUJn(9P- zr0elb{RlrstC!~(vdq)SKiA3$w$~lV*O`g04ODOSQ17E(;1I+K-2ry4BBr; zxwXyAGhf(QG55Uk5&ZYKE$#nG!SP-?FTMcv!ViuUx9@76HuOk4s})^bm5cl&9oNpN zvL4IibyTActY_G+@G4~d5=Y4T`h+%_;-L`;;&EPLU@e^+8JiHIG~jhcF1UL|Bt!QC zm#+2>=IoZvI>ID|fu&i69V^ovK-rBCudYe(R-Fm*Ifxnly@ULjQ0OY%lNQp84px&j z8ec9$HArgukz{^|yM;K@H_X;QI}*|YY&*oIhI*+T?JC4U>_ngB5#!BM}T4K(gle~?w5u2=%9Qi>)=*_ohI817R=`Y2XY8UIW|C8CP!!hsHJCqzGa zsyzsAn;{CJMlKfmw>q(4`Q!pMfClil<&WzM-{T1NSuVQ7k*W$C{I2*JH|}DriS33i z9c|fvaW6+)bXwd-74ZfZ*8HF=B#tZ5D%+`HM$9cS+)x(W5UR|M5;2)(KmBotmglLa zz6hL9YZ8x6zYwliQ(8n@Q(g3J(#o8N(*^ z;dG}+%SkIW7$ymU1Se=GBYO29pbDEu_;C* z-+%RVqWMTGo2uC6R{Y$1y@i~Zu!zvNDC~!!;ig2V&%llesyZgZng1EPOxXO842dRB(>p zv^o$^J-lYb)pNILHfRpEGBEuvuC?rC2)D`G+R8D!w;I)`-M{=O1|5GTOJb`jUdO1p z8zWfL&?`+`g!Yd27}c2!>F+S;Kq6GVkipB$y_Ac;o`3R|KAl3tdnZv`xk!fYKJ zgd<8v7~!eVKj-bG(z7mYOOTJwX3*Ifn%NL?2xn3oM|c}zpypCHcpyxq)sgB~(+o(^ z{(kWao4}rzSWO!_n%Is>GZ`%`idDCbBK8cGi@?VTj+rE=h0Cznu(r)0s$$SDb0gK) z)i-uDsN(9Q&)B*#P@wGs5g|n`Jlu-MyEo#?ozHZM064X~)veQMJ~Na{UnJ2QJd{no z+=4GIuaYYJq}x*(js$OUwDD%&=SPYh`&#+5xtC)C12C-lLCQmCZ zOsc%n?y=gWhr#^I^@>{uWQ4UcuQ~C`V0sqW3wbR6j2w2s2~KtmGN!SuTes8eii7bx zV|--823xh8g0~^{wBP`Hov{?BCLf=L+4F{>gxCYt*~h%9gwwYReVzag15!$+jmKHf z0}Sc9(8K+9QsK;$J;nQJRCQ&?4@0mnoS=z&Ad4H@Y`es3ow}z(lNV#I4WjGFJ~7Pz z1OnxX$@NZ;SKYV9d>VR`uR7;VR?cyLAz=}LX=AP(+PM^~GVW9#WC(74S@ZU|jAn)? zbpG;R|7A?%<*)mBuuxr1M9d)@aQ0^|sy%+)Q`2~X-f}|dxgpE*FaFg)&};2#z{J|s zbo7MGySl>V9`}b@Hp2lW<`JLqCx;|(W=UmqE)(=Lj$``PAdtI^kXP17c$IO zy^Sey4s*2Wq2bRAM-Q@^SqBVMxz?Z3RE+zS0guCTEtZ7*$b?GMEL0O=QtCPN^yWAu z9HTkZ!l$FX;5w9CYJRNA95D^ZaHECvZ0I;%%qIu%TcE=%7BtYpW-G!%Ld3m`A8rFE&+>4vxuc2@O> zO&wpW18lsiz|7gX4&p<->-bxAXwoOHMDx|?E7B*Ift4hiflNNi)(DXf7e6GlOD8dU zJc$ZM)@f3&H{sky1Y_@@=p`9c!L zhoKfUi>~s?BRuuW=|Ym$0^(oU!;sK|*&aAm4&`B`-BeDLxs6jzi|tmTnhnyv{-&}hT|8x2jxg!IdR4oJ}yMa8LK)kU z@kgMo(a$tZzN*-ld@E9&1mMR#iI?g$#Z;$GNlPuy8?_Bd&wTf{cg3N3*gvV5_t#l>k?t1TkBh1!DiYUXVo zIuv(g$FVNk{C!QOkZ&4Mch0=>KrZWHdQ<=M0F^hT-2E;fd_7k#UNWr?5aA3UGDX-y z38>w2=GRyk4{FYsK0)S)<)J=&?r|GmrQSS)ePvuQm5q?7eQxmnhiVkiry$>Ovi)i% znI9n9LHtPS&+|jw!7t-X!rPRg217fvAoefe-=PmgxA@(Yv_{1b^8C&K1Xtb8H0G|B zIsK-ZOMBO~xHjqq|K{_AmfnuRowJx7`MKJnzd{br6(sarfMJuol*(6C9i zoEb!^lafQmnIg+kU~Q*x^Dr?np>=H29b`LosnlyXCOA5>s(I4;`P16&IMsIf47&T( zJA?Bc`SGMggjSSNRgXzQ3@C9$kb$w=4TAI;21CGmd``=8P()te zwj)DRNiXd$TT~zFJePOwZ2&w2JTsmI3#yl6Tp)H$c}PKP9VwY*y_XW(KxsUxEz31H z1KFYWaPkR+DW52;!&d38kMAMgj&mkY4lU%Ju-vffP&DICbJUjyQm-U@rF3Mnj@2AG zikQ-2#3d&m2ODNK2|#!RFO9D|1^btRspYFSy;0YD^2twA@MC`xmG99+LIZOe2t@RN2OysOm;J z0234Kl0&oVyb)5yKX$Of?*3Mf=ZP1qp3LVlAOaIpZccIPy^I@n~Neue`xtL_c=V9M&8Dp9`@AO`;6ilAf+hTjsHvd_LvgE>_RMkyq@RO=Q z`=us&k{`r^tiFEOSmtSwTWOU=c)NH;JZJSJO#^Jzo6beVSv&;~sH7(>Mw>Ld6gfy_ z3!YF~Ma{5{dI&8%sy0iAjB18OhToe85X5mF{xUp9F4H77__E#?e4YT$Ott<{pYk&q zC&{a|H#I*wjS-DR1u+;4ve$sFobCIaspG`0Oefzw`bl!R)4hbtZs*PxFXe;aTg6ugvtPHh)^UYqw|DDM77VvXM+2=MH!NJO2(*Don&L|V;pX_yt~%C zk*amhtTSCx?Uf%cMajV>dV4fhS#|ccV!=*b$LJP=8g@vwQG1tVPlhZjY|M61uG z>;%$bBtj+W%R&r!3VMY<0@<8kvc8XF(dLnzK8A`5Z10vuyPTORWS4^i@8p+QaaETw zOD@QfTRwql%m%4v{rQp{C@4h&EQLJ{i4KrT|6xAH5N)K^;V?JCKEZM+qO(SWD2~Tn zMOV1wkn8#4bugEj35jmd)gDQfit_G2H!M`f_SH-%I^}$^>cd-zOzUm#9c-h z5)qs)Y!oQjh}i(e?#UKT5Sq<`sqZTU=AeZI{Xi*7-$y!ES*8t`897Y5VyS!l!8l+Z ze#C z+6rl)m)AEB9PMUjPvqnnk23AR2w4Rg<=vfp+8-fnbSYhHl`!_-;@5k-!_=$43efBF zh!nhjD7b3hcxe~B-PPa-oYs6?d4I^=8_X1;r}Ugt0zd~eY>PPF89vT?zex+SO>zi2E501vQ4(UP=A{hCIky|t3ms%BRPRZchCxtEF$3)RO{ zzdQqgIu0#Lji-1d?F=0e<(7x#KaLM}<+P?~>+v5tz|TIE=*tpa#|8zk+@iyQv5c_7 zOSNNj{Y25BY`A4R4}ny3bBeLT>H~nhNhX2h?Dh+eNUoo~NKOO|WG7s>1+LJ&(#gEU ziSR!vV*<)_%dIijHDvkB@cTytc$Oyu`u|xncl*1uTtSG!^WY^WhMvg_R2_`*o8Nna zDthpdU)h|%_X&#yloq|u$dzYwx#ajZTZ`u0*bEPH!qpK-b#QrEE7;7k*DjJd=W}2$ zfSmRjKPl}UgVtGrqV~Mr*X5go@!sU89#{go`|~WhuZa1yVAdWRm>j)0RwzL| zVDh^a@~s}&rS52fKz&ekFkak!$sP<9=P2yT9TAKh4qBfOkPP1r@n{9 z{Q-+T87uvw?6^t;p0O2$jU*l8KrtQ~#e1cnmi%d_!0ARGVJ22D;lrGV)`!})m6T>K zA~Wi=32YkKWYxUk*$2(1*4kw@GZ^+rx^EGY)sT*VPOmbeE6B2>NNpGg)L)VEiO%m$hpV z>~@%qG6PZ>o_f?#b>MBe7Zo{7FT@T?Z}R@Mum_=+5+Fb(x6%iYW&VJf!MbDX_BJ86 zRq{)Sy}HGayTlj5b-7fP)NXkP`g>iD!LiRMyan$xf(onobb`gee`bd>bTs0x4+1d) zl+9cfT@)?&Kw&4Fs-JyjJ_y3{NtM4ILQlVZfG0Wj-PH5J*9^Q0L%Ye zHPaRsoosaI%}_Bx_Q3s(he6(a=Qqf_pf(q%x-hhURncF({Vk;$D8&MS*uAX6fO<>t z1$0BrSc5jtLS@-?HlvMJh>nZvYC)=RypxTeb?&Rr5PEaTta(w~*t~IK z!jMOkVW(jZqA>}U48e<4C}q9MX3=k;BcYlusM||x1NX25>Za46{8b$a+a+`KD&C9e9e9N60fGo2S8N*Zx2Xx1*);s!r~e}phw* zCSI~_?kZ#PaSF!^X8UVznDbJHoXEG=(HPRi@`f3&A>MN^jTQs1!y?u3d{vzGz*?Pe z!R#USiuNg$Re9(s!R6U%tx*XjNooKfz_y!Z-fW>)kScq}ulU+4R$jmW4`~QT4sooN zEvJyJtUdmn7N~=fnJ*ofPLNcHPP>m22~;Ok$Q145v|CBpV{6DU)_o#rQkPG5wf*m#e8JI?iY<$ zPUq9TscqE4M>bt@fD~Ohb>p2Vk`2w$grONL7Ye75-g`&ww9AVDB8@Y$tLuL#tXl8K zq;GH|CA;!IybQ4GE8-`OPAd&Uj3$aQ}Em&ipyPmHD@5Hd}K3qGz{Z#qUUHbuZg z%%-69YJto3Uc!+@Jpa>>8%j7~Z^ao%y5T{STd?=!)ys9dav*oA`2ftgvs=l9C_20> z(X1lw2fP)+)BQ+@V|d7zBurt;7M7ruGIFRlt{Y^u&&X&P9r0t{MJm!xpRIqOcA^9f zhdL*8;C1a{_Mr@fz`wpv3 zo~F|%j4(S%)?%ARau#y(k_=u@-sVhRwE#-6ujF*U!o0--Pl)vbR2>2*JIU`IQZXhF zFnT|r1i*RZw4f>yj>-?n^|m*DZ&)4~RRdT%&$&s12SSGl;`5g=@h4w%ONgLM|>gPNOYb z2cqB8uewo)Y$v)`PsGQU04@R4E^ky9B|h~L1+pri3rZjVK~T%=4j$v2n^M;(6u}UZHJZUO1Q=aaaU?qx6f&kwW8N@?VgWK z-rGXZL>M%&1^eRs`$l;+44H0%>(CKh6K${&%WGPdhXfXS$tu3soFf!P-s979(Fgs5 zlgx)w;zIQ75^2&e4QD*bvA{-gks@+p)Id6Pfd^;FsYbyiPr!u7LC|Hi$zoZ>irc`a zB_h(Iy=?X))De;{kBFtUKDb4l&(o(K6FT~ z>S#qGnfU~{>d9pmVdk;y&R{7A>Q!f3GR6llU^S-cYbkTSiVR_!mqR{p ze)S>B=;hG5k`Z}QoA1Gjo@oMRUYh7SW5wOetT{xJEOvS^ueka!Z@f~i^5NnxE4}2> zpj?HTLH1WeFK=hP7=VL{&x(Iwu4|Nb*Cxl!KOuh<59eo+_-*;ijTq{O00KZ!_Y6S! z4nC}j`)d&2J|ha}w;2q#+zAah({0<5?>*8Ygn@W#9NDN65CWiq9qfd(RFW;qD?J}P z3`dJ3B;*GLP8yzz+x2{-jyuixWA-b-7Eh>XA}=liG4x0`NOZW`aMvv2(T(Oa{UxS+ zgpoczq(B{4Vmu?zIsHui5NbeT zzXPqa8)CzlrmP>g&p;IiA$357xM+l|1+Ht%fkF$eFK<46Mvo7n`X|J*%Hsk@3g_FP zw9youAjy&e2+iHjjnN~$!|r>9UHM>h_@%kz=d?a0p-0q2J!@A5%oM{?F%D3m**Te4 zQ?KJ?w0v*;{4JIRT&r0!+eMc-XJRaCsCo1$6vefQi%#_|0cRK7?CMgTn9HbfGw6Y z0ETNHYP!6E6nm*R&P4aKOVVU;ma31oi#i>n#X zJK)iHR<#vuy~d@#S zge8qi1YSw;lbh(CPiMrTxmn6L8*ao6Y$UJH`wu!8+^`;@7u%W7eO@3xF&?EmC7C~8 zTGoR=O62@8f+IF$EFHXdxo&d)dc)o%nB?G2b2tG+x#W&(CHDH>W#N}koRf$-G@DUc z_~##>n1FDh7GLr6p~igs*w5PI++KD_-}$EbAH(oP;XyuRE&tT|73Euh3naoXt(R%L z(SZj%cPBWh&gno^Ty~Uos{a1*&-F?_gGzPC!zM$>7q`FVKri99twx5^@8ThGPD|di zXH$3NI!AaV)g^#Ukj9Wjno>-q(3FVOj)S3hy+2xwb)SS`Q3KFfJ( zK_q~b7U8Ho!*|32bGYl;OI?o94l8y1b-(Q=2UsgU?o0jQ+tcKK&O#g6rPpZGXf(j- zzHF;dA1dtFOjeRF(^TQ9K=d^h_K{{F$0+?#mK8lfFc1ctGRmE+tWN&OM8!1GU-~1_ z03EYPP^Y+|%t1{T4^#*xqsO$j(qES#SOC6cIY7o)VY^_#3kU;}u|%Yb6L!vu_V3Cf zh|{An^KqI%-H~sJStM5qLSkkd?ed|nD2SMuZ4Biei#Y#0Q+CsxqUUbG1E+=dgom)n zGIJ)L5p))cDL;LLM(q#*-#O^g?8TlZa)7L`&*RTGB?B|%e3@)oRiZ==4f&^cUq#(C z&@P+~DsZ0ylde*aiT37U)nfz^1yEbhY(A17+a~S!lnkyS-I89E*GyjVe(%J)uHMFQF*5M1m5L7bvd)pl%~y4g zff}ak4&*Z&hP~;$DRR3^TgFLyJZwOsIKPcH3|>LJ_>rDTGv*_O&@vw^nEcW<*S8ro zU)_OrBtThHhw%-(jDgv$~WJ+4O$r3F(Pc z^b@j5fBI4X%mWg(!OPi~>J>glpuHPL@45^75+3x@FUKK2BE;}LHI;JoCy%7?_1&qO z3G(QVCN5s7?0dz}sH~QYHCt|N`cVM~5=e#82GEq@RPnC8Go<=Q;9Eor6D7lck|o8~|oa zP9p=oRQ|cu+GwGwl5-#KQzcIto5O|0d@V0y)?$_qs! zjCXHRw7zC;Bo+6?ewnLhrg+dbEzpbX`!38)Zz3;0e7e>y!*ht(0eV>CghCnE0KcnW znGAOtManW!ZIJx4I;q2()(+b;&3}Urq*6P}Kn=~sui|uz*09e+mF1JR7FUmV-;0TU zFeD02#{XFSS_>#@JO;WeA7%fh-rf!HayDRiKkGY8aD8`9QCZXYKa#!!dUy{6^J+}f zx`@H=bLIIao{d$eKW9*64!O$ZzI^5r3!3s^=6+u$6HT3gcnwmTjiPnC4<5BL{$CY`t z_zi;-*VY|I9@4;Eh#UwEk>8Eg(7{K$Y%)@1ZVnS~2ftLJ8ZErkg7F8S zz5(MzBOpgbPO!H&1WK6W*S&zK4*rh`WPoC_AfmHH%b@m$3#sI?tY;v7P(0_r{ys58 z&2>!qwcc7AEl0@Ti)$}+K+y#?&QvL8XDzmkf-l~twJKVcG%Z3DX5wSvHgWkz{oUKLs>H5<=c6x-&;@ax5`AJz zL8jfa^hW_ z5C1L`$mt#gv~J%X{}2D`KmU0REto{^#L5o^gbCSv7e|Ti%##QkzSyF)JkJT>5Pv<7 zB^Hpr5P-^CnD^53Do3N!9zHFZ@v>3OC5Qfdw@}tGH=Q5ty_pG-S6Cg<9=Es~4)@N_ zYj-v?YoxAZH@`Fp;0v%#vw1C}L2j4-t~~kw{ermc&Ma8_kWLGbtQB*(0(D22I1ekyr(DPVw@YCpsLg+_zpo*5?&=z9e7n434Q$ z|0Ubk*N>CjHT3i(r9OM2Tk_TnxR@Jmz~}TxjD@cA9n)T_3+y~dB2q8X@VDog9sU@L z1@ZBHiy`5bj}%jqDLLigzP208YKrAy-Tm*$hmHZS}Kg;I;D$M5(?0ZdGuV;tB zv-4+3A77so3I-Qerzs9|^DYd(Fa5$aV;$RinFB8uZ9uEb%R=%{+6ZP(jdvRPs3yLZZmPbmb~7cTg^^f= zWv%RWP?kTL@9WymFtU5got`K*{5)^rC`5qVZ4a=a+og#G`4vtY(PEU)*CXxW|AXE3 zKbP=e2|kOfKPS-x)HR+be{frQ$oNM|$&HKR@=0dK$>4i@X_0X`7lRsYr$^Ki6#>jjVd*{QE!+Vz42>=QI7vQZvQyjCPXd zmtAdNNW!Zu?AY|X-8Av{+vFz>kDK(0rTs2~+r1&@#e-T7&$|wfhu1~{s{z95;dWLb z%1oWkT;X$p|A)P|jEZa9wuKWQxVr=j3GNcy5(pA3gy8P(P9eb^fB5y4~Z)TTOsyLuSC1)y{ zgOba$xV~PEN+uD%$Y8FaKA}*hN^N$Wb>+u9UvjC&3^UWfrv@2yu7ZgL9Rf~+M3SrM zP^LNwB}ntfqLbas4{W55w|R;SR+J}+YJ9eBFa%syg|`z#IrM9s9}kKbFfwZF0Wp;m zvYSNb*7vG57mf!#b<)G1w{OCan(0dfE`u1rH+Ao=FOL7G+onc;=|b!0NF)tBaZPVd zBkjcw%M3f!J@+Q9M|P^K0^(#7WQvUVbcDSK`0T>=XPT7}n(_gYDCW1bb6KIr`}1|| zYWF^Qwb!$I*)TexY6n%smZA5%Z@J#?A=aYo=9YZK`)v~8zFU@mNP9LM{h`JkLhhF) z&@w)A_V)4S<7+MY;d!t0La=k5=4sLYpztWnCGx|pb&&EYLgI#DaOYvH>;5!t$^xFi^)l-mRXT_H zJ<5l>i>VJ>W)At5$@_E7%;i14FmF8LDFuJ$d!DF$H;9y-Yq|}s>3yr+ppZLilx|1V zZ#Nn!J@wGiM*p)}uzfe%8k;zBY5R}oBcQO$178YH4^?6SsDF^zT7bLmU3Z_X(k-Sd zY1Q!Cdm34$F4+go(&tk`eKK-^?8T`FI+^Ep)ejX(8%H8Gz<=Nw($Z=Tw4nQ#pC+40|n z@h(Md?j7*ia*h}CSw*95L|s427gQUhJodxCjS0F$NJEZ4rWPmbsmJ`@3A4vC8i*}< zxH{^8SbFj@*jQEOqmYzq|KlO)9YVq4c5ZUB3@1cW4-w^M)cDl|_}P_vJw2Y+9X77v zg1Z+s@MIjga zf;~+;Aa3!YrX3^oUh<$D4)cZG2jZf9_yh;qg%xmH$vtLj~QNH>F!ijIOV=J<1a+A z8ULW*#t5-hFzy*#dITdanyUBIgB}u^;}xasm}71GogcNjWRgcsUH6y}01?_kO{HAf z)Y-#nv_G8zKh7|8z8|1)&68^1^eL|cVj1DMjFfmWR5BrK6`l`ns?`=rg(_w50aao0 z2Ir%Qp}7k(AO;6S&1q{E-3m192j8~YI!DLMcBf%jO-v}7MbBtE9puY2^EJc^MwQ0U zO6%*#Sj;w3)>9zcFB~kz5NhJou)q3z6zKKDsCqL=RPHqM`R1tk*7y8Ch*Tf9XX&Em zsp@{utCm7PG3EqH!5UD|NcKE`wi#~v^Jy@01Fz#4ILE+nf^M`rn8Kq_I>HBZ^=H}x zVt0|%m)3x~MbvQ9m@J>n?d1XeRvNhYOF<}`A2=}w3^?{miHP_v{LZd9)R)tit1329 z&k9u;pP0(cU71y9FMxdeQDL4`?N^oVf76p-b#y*qE%Lb}{WiQ|?WsvhOh$rrGQQ;J z!SV`4_S28nayL^eq~@P@4Qq7->_(!HGlnDXF~12e)dr`c*W5Ow(_hEKv= zLEp?FPR4@o`f;gbcNcEtgkpE>H@AqNekSGici|lMK{S)_FnjsRtXQzi4QQGRfcZnvQ>93W?KL zU&&M#)V3J^u%JwrXB@1Rf1`DE_?eHvrJo$jorWs0p-V>RfUsXKd51pi8lX8$w7Ny# z9Nk|FtJcLwI`2&umFu<#^n4#$?W;62oMRv6XSYiuxOxAjpb-!Vq-H)-1I|psVt^2* zJlHv3vs7j}85;;_6;P0evc41q@RzJ8A2m(eq?>!NL$*Oot1lcNGJ(!z=(yGuUT!v# z-}u_)lpl~!jAtQy$uszQ;R`Qt$$kkzs*MiwY;?P;N zuWN^V3PrXfMGl()N4QZ!c*z@o`yazYK8fgtWFS#5;)s{Z8n|AcUu*7YL{ePZMOjEL zgC_l%K1Nxrugsq@N99#)#bJ89yNVATrx*p^^fw~m_LV23)6<~g;*Tk97ABX@4m|gU z0;ULLF}O?`iGrKN<#a_D#^@^CZGJFF{)%Rj(7O5i6p{RxT2?iH{=pPdPGyF$5o-cT zG@w}yjMu2dSO4|_E)Bxudm>iJ$2?J+`ChtSD)eaJS;G=T)^gpz(WTV-jn?Z*M4h8;eQewf45I3zdwW4Us?iJc;gfO^hS z6$Sa2w|nPUAbv@U_g-&z-p_kten<$yYohKCvCFkL$}PpA>9fF znfJKxs&Id%HN@(t-U0DC{DN*pspInUe1s5GWN%FU^I79q(7`8`d_{2;)kU5@CX6kWWoHp7K?L-5d6!S?J`5FR%5`TnBx z)`1&j&J~ZLkIO`Ih3>y31z)5r`yP6SleWn3OfF4LxqT?O5A~MSgGpScgKbwrG#GV4$YQGjF{27l@ zQPJmKMn1bGpB{8m<_LIQR-{`7c5|eb-vfebU5Do)|D0X|$8gK^t1PnHp6eBH738<; zh}?loUJ^hrbYz^viEm^u)gNh1O1LIAg3xT(~X$2navTTDeIj zmae*<_EL`x%aSUY9WFI{@$xGKh~yO%n2Yb)qQL#oO}QSb2w`fRx@?Vn#V2ip9pcsg zsXnxQgk>0V^iNUJ$QgRe3t0VF`r=x0^6kQ5IU!tVBCIxDe(1dJ%Gp2?H;HE(_Mm~R zk|C&Az}vu)?@DpNfL;5xwzZ8VnB`xZUdOo3%5!OzxZs;cc#6dLtF-BN@a$H*$ON2j z7LeAl6({Q@I_HPM12&gyiJMKKhl=yDyl*q>W!jHllpq%Yz`Jzk$1ya++mutebpcd zG#o)17J~e4=)(fnxYOi@%F3;_mxklVHoyNNrLf6F|7y|hCG_UChuLk3dbNe=7HnAK zN;J|bDm_20KgX0Jew)rRG!OhuH*&j;$5$ZOVNzqngC<~rDm$!rMb)q?%}IS(9^3UE zK_E!D!MOZ(ie3zrYrLQAVZv&T{Augxut)N+DqoT4^FprJ?IoYpf}-^7%wZCnxs`ke ziEW!pg^nKrWUW+I4cfhrstDt&HX{pd_O1SRsOKMY7SlSbg5Um`xDrUQhl}P~pyM!ke>wjL{%kW#eYDuq*Q>9qtXB9VGb-N!KC$#KE-P z7#jM85EB|vj&4^1gpn8+_)%cE%YHP-mE%m~?e!}52V-)lwO?Dz{81QA=hxoN~Q(i{^O@T?Zs>8-PoEFm8m-#DX+tdVa`oQ|(0Z!W?ms0Fitte>Wat+1WJ< zjP~(b!cG!n;~#=$@58TO>yGqbmjR1ts^_p`{Wg@gA|nw4-D4F9HT@I(KJXh4r4Xd5 z*AzdfL0wljAGaZG#H8Qj=aCY_?FkKspy7XHWepK!cyyzK}TiX84V8H-6OZN zUJKdie3R@VmpAMi)B9~DjmtU>86Fo_wZcdy&|$3u2XfoSUF+?_hM-%9%h7sz)J0@n z*?#T>DEMi*`4jd3Qq*w@8yi6v8Dg(W!U3y1Y(48jd!8T;9bWw@0!&3$sWOXe1eCw! zwLuiPF21jjaC@HPjzd-zi)cX(UBGFKw+@J=Hln4NqLQs4JZka@E&U11k+@6n*7rT) zf|!hrt;jswFgd5I{mfR}*o*d=SEbl8aKdCEEX+AABbW$xG zLO!R%MOy+I+B@9hVfayt#?*o+3HA){h!G2Br=jo)Bko2cJ--aNb0Xs%1}c2z8P4Z) z?|GK8mQLkWEUw!muj zmlnWt#bx^tzJ+mw>v78KLHXvQ#EVfXfhnBC6p-lF8#6i}0D<>ey_ZF{pT@4bf1|BH zfUJRPw#MtcsBBt<6wT|RKpP-eoW}H^B>L}!sB7cY&_m)>(!%C_e^tDC3%QYdVt9ZG z$_SnZoUg}KLb5Q4kUteUh(Lv3qopfNRo6{5aEB-mO>5Y<&tRo!F)cN zRJV?!sK;dK&=Nd7Zb$3?7bSm%?CRQ)>m{`qcIi0#ODr*xU-R#^{hT~{qbaNR)cD_9y0c8K?*Gv^an6G5~F zn728TQK&Dntai-l6L#VAK(5#23%60++$1syN!BY19aP{+3*4zbG0f?WWZgb##1PyO z0W`Jjg9w_ZB3P3jo@T&k+I8)8w zqr;0uYv&{5rGiV{$+#-z5_gQI$#-G)|YFxCa+{#5Gjd`#{t zq=5K8yjY*#j*KJdXm0TzKUP(ZKPxseSlNkzIl_z7wDjeqD7tSJuWSnc?UFvhr z<;sCXJ{a#eYIIbZwAyG=q6`@h2ua%~+ie4~p(^RJsk{V}q2qbzOfpH{eN0gQIR_)B z@GP6|KTQ3LtEFvLpkh9f*mhu4n~qWGJI!TSSXi5VE0Hcp5rkGh9H2 zU{hGI21$68!x`!|mj5Q_CsqBpT7<0zr<>o=2w-|V=2BvBMcfSWBS8XMo|<`~hbzz= zS4mwNseB~zFFAcUl8=ue2-m%5QyNg@)Lw}Hc~j2|BO0ExC)H`z)TxIo5P#7Hkgd)@ zAzOX$4I{> zOw9}&BnX{kAE@y%THw4u8`jJ&JQauvoz|}_$~S#$uVR)KW8P}zz-Q;nwaXT(pb%3PG%Ru{uw(y>)(OyHxX3RkX!mfr zAUkJuh0O$cuap4EHhyu!oe-gZiKw#4NeV%5F8@Uw-hQk0!|Jigf?FhcS*{X{1XG?z9pLoF ztzkU>_?(P{b^FBzxglG=HSCKWxn*{IpH$MLS0ajMve9-^Z97P}HE@L}hN zEtZ>-;pwcWEA6)A<3jq98YC|p@Tlo#%!`Xp|My$}=TC3DH>GwPAJ>M_2I50sk@ze; zYmv)ldV`s)YWbWGIs63ho+0J?x1FTQ^O#yyrZLpGskaTx{Hd51L$#}F4c9p!+*Bh7 z!W;QW_p>kV|2)<-u`gn*J%N;GWd|^&D;-MZ3(QQjuQ7ZL*+e%eQ*JA$H8^BY=P*}m ztyq(FJCp>UIyWQYY>q)Zsx;mDBc)VkuYb}C{qZ~Gi0YiK_pac(TYX0Eg8&$tTg5tO z_H9R;Vw=|MIG8IBbZHk>hk*>&T<(*k?)^NzCpnkJYpIe-V0##A9Ftgu=_~oCsR8Co zCaMLniwJMtBwPfgjNCQHhb|2|wx~yT}A7Lji_~%Pdk5u1>PTzmz_UL<4uvpd(d02ZgI^c7%I7eLd49!jx zZ4zt7ru)P7)}@7GjMu~HZh{^HQEEc1A53Mj%-*DfEkmSZTNB;vni+9)v+4i&dGEvu zO6C`7(>l=zm0g)XS}^KP1KW=7tS7gOBMi^@-908AnT9a`^Zz9uX?b2oEXVHUM4sE+ zL{A6i7Tbv;XFNqeYD0}=DuU$%49;>rv_@`tCI5Nr75$-$ATe#OviNGlsplkjnsrM< z1=Abt-I1@d7E9N)!hfucf4?>1eZFw2xuLIkc$tVCzI9fl;E>zpjpKjmf`BO;lGVP3_!^z-CETAtzx=nD0#sY3vRYMDIDh;T_g^C4A z)!?f`oA`x3#$=1J*@RNIR4ArJk-+yV{OZ?q??PMs&kOQ@KjfdE)BhdV z|F-J>cd`BVrSiXH^8d$}a1eTPTF!E)E%w#k!&fpkljn(&e*<|#qw$YKaIeCvR~UuM zB(ZhU(bJzv377p-Mkb8_c$T+_g%cV!fv-@Xc%Al506(Q_{chBPU%yHLU$r>^Ts8!X zcJyO}zf`i{jL_AxIwi0{XEQ=&zhUvbcL5@P3pyminrAS+8tmL(R}{&+OEc&7^q_#O z;(F9{WdV44U0hbhh66?NY1Z!73MKVGIjmw>=!w6IIe|N`M-AgY_I__njFwx}6@axg zt5l?>$ea*GAs!&c@Njn}cd%4vpKCc?+RE#E`1-NRY=X|w;$nA#({@!9NU9CZ(v`mB zc>}ea030Ax`KTz33#P?ZGnIf6a62!>lI3m%QUd){UdM8$gIRyQ*Wu&UmUH`nxeBU3 zK19#}5suj5Q&T%f2vEGN7#6%MTzqurLPuJFUK@JWs%S4Ev*NR=1O6}#@CbK_)c_s< zqgv&!MaUa2^b1(j*DB1tK%!n_(3YkxUPyUEw(|YMo`gsRP~|OstzKhQqzw6Nb$&4C z%uI4GaoeWFWLq8=rI}3ss|!Fu^F8i75~HNU5TZDS=wGwvAO2V^w}${shV-GS z8|20Ra}?qM<~ti;w*u>KbF^83XGV{;$bwx+}AhX8JDJoHUohix5k5?6!kK;f$)zN3y0 zC|8}qZyxcGob^hyn!;em(A-g4+nAYNd)=St^4#lp3{!ESlJHMQ0KQRAm7lg7091YV zz`T#h)^Q&Qu&*hii?x!utg8V|ggNsGv*vwHY5E<5TTw+^@?G5BHb9pslS$?@3@u(m zk@%WGtwD7ERb6Pc(&ul-F9-I^+rDSPk!j^DTdc z-UqtJP?~04YM%W{P}T_iH)Vv|w9X(9Lq$G@{vn|!_qBre#VY_%Rr7E;H=O3Sn>WJ2 z<3@rquNz1lKO6oD&$y@?4_!L$p=IjZue=H`jlEus?Zu`BO`zz*soMtA&RCrd+aWx# zT>`+2;Jbqw6#7s8r=%?I*EW22`xSdQMgS;(3AlDl%;lo|Ex@3`dC5PM@+%N;4p?O* z5m^aRp7{Y_V^S*dojXSL1B`*wTDjB_Bcic2fA zgMX$y^e{CZxA~|n7lYTrxdMpyP1?V5`>2*D^F!OOannP5*d`@|vAD11?GGlDwW|PZ zgF4Mg;Ul_t81V4Zf5n5We(dm!MCp64c;3z15Bsl@ zFx6A1I(#a`Umu14a$5fq zz=!?xn>ss3A-}O&VCEkT3Hx6b{9@9qkA(<_$3p9+-syjuJD97hiv=pF+mfAHN#&ReBFBaeO$Rg3m~k&qL{1@FvkOT34< z-fg*792M3-0~S)C-Z!r>)>rt)?6Wo_Bf7E!2~c>6F1}*jXz>2E>v}jFgr&6sUs>UT zM06M!Me_pSIn)xV@4QX>OdYbkPhhjwFxW6YjN7rgr8NUYqokD%7hRR0R+`?HY2T{_ zXYHmpb)2u*e}{V z`s>Tf&XBXzXZLH3-F8M` zfbH)lU$DITdA?s0uEz~g&Z+b$F&@iWI2MOV&tdb^!z#ymG>(}BffpJRItk||2a506sY>juq%c1@t^sZH^>18CzN>q5>Vg9o)FSmW( z!(ooq(Xv;;VJtyB4zvrx7~%LtCxH12gtaaJgsye}B67Rx@xa<^PaI(iqbqYC{liiH zUUAcE{1_?>+2IvnDrHxqN9Nuo0C%5AV%I~K2kPAp4pIWSAHP$>a>sk>z>-5w_ova0 z7)}=wO6h?Po&8nXi6_W4W=nfC^JceK3Z0y7)sW-0`*G_EQ->!k$)&OQ<_k-BZKO4* z%mS}wf$L@83z%!Y)9`+|yT2X}Y9ud>*H;$1cR<%&816P#{sP7+(MYs@oI~O&`tN%! zU@?&K{QT3A!n7ktwnW8imKa%ouIO{WWaeMmh);5*y;4-x#33=(L(`sKTi{pFLAJO( z_X8}+jY4KuBPFNJPillsUyhJ=I)1;g`)0a|NXTV$aYBUiF+?#8^!qJKM{xg?Pz_Is zzQ13#LH*Z}fL8=Dsw|uDXrb9TP8_??eYITTtJ(;M&5Bf9hEx(Y-hB>!E)il8Xy*<`Czo34GVz? zC$3`@#fBY0qcd_KAwrfPt;^8X#lPOka#%SKMMbrM?>d69_K1z5Wg4S&L>_(-Sq+>Q zv0%5EjqISnM^dNQyr;1$kC+aEPwMS?MeNIgA<6@18`~>fn#RyQQs^%bYr#7Tlt4`l zQp=iP(MVn|!UTz`80d_y7pmIyuA@;VM{r}YvuNRRaq7j~(N`;|L~x1F_W5&#OY}R=P6n+#*(;qyZ0HoHD^16=B#ki*u0rO+oH{%-L(7dX zb*_BBOHBZVz=ViO06#GwkNE82m!UxuydzPicQ{6LKJ}_0r~GgU$ZF?VBE|xM9v=@I zr-yEY5@DfME1QY2tx#b{{w!-MHK03= zGC@_%lz&y@;oeP@5%EDkylM!KbeE(^XhRpoP7Eki=c5zLeRH3mw#@FUcs-UaU}v=J zd2@e)N??q-LQ80qs#U7t@6UQ zcr$E@)qJwh#^QaU=Y#F(FEpWb*=c~&mF-;;Bp(%XneOD*BCyw0Els|}BL6_~H|&Cv zs-;ve$Xu4DKX&1n!$|nnFk}tXK9SJu@UopQ!MdKcWNoN(ECAiOXsdgRn4~GtMdj$E zb?E{PKRU?SC9HP)X+$}bVTk4{|FM>DBoa_@RQovYOTdf1l|`*X6JXK<_ZUFf)gMPc zS3Uy|{<_&_bAo=xk}CSi29J>_$f0}Z+U`U??1sX|oAt;+50ok~uI1i?vx{Ye7S}u# zjP@uv=}MDj6*9{0P^r1a>&8$Y4&M)20ZwUYf#sEmWl#qL^?jX3Qan79ZKhO?J>eO? z_FH`Gk?^b*JXnaJD0HTC9@MJ*c+l*-v=B~d@ZwjhtvXepBa zRKkpiUdbqRRlF0;UBC@s)3s}^Zxw!f;J#1P+l>4rGZ%osci4zR3@l9Raj_f%&=hBsT0|d;uP^&f__(+6pp~+1_mSCmNlw4WbJs8%%@{G2t z5tFTs>gs#de^RLE=lpV58Q!`S&__3?p=!yO@0^=yZ&gx!P-wj6G?``3qM(=HG?`&} zu+PDSN&KGS>3S{T9m7pS^IgM8^wBdRkp}-Jzl5)Zl4;FP(J!R7r2|S{>Zb`mVfNC) zq4Vg%Yy|pOEG%Vi`A8sh3FGt1PasRx!P~D``EKdAks#A_XoJ7d-C{JjdNOx1{SaQG$YgZp>2segvXI z5$_QY5rv!9?>WiIv8N2jjSgNkdw1s!ic$~^i=_!WoNx*>#H_6cV(U8q{jd;B8$0V#~(g5 zWgg(lnuj~b>QQLu{-&3jmY+%@CMnSG-C*0a?}X1q@K@0Ke?BL+8KF#Ec)l{LV}mlI zpU@(QGhR=wX#n$)W=CUgPX~SIYYRoEEg8YP`>V;1if~@fPoPlksCF#^yUpP}E=DbN zshwppne0GB0loHMia&987Ou{Ay7U zB~Oaw%eS-n_g@S&>NTK5Ho0w4$iCULzq*Y-FS!4D+2(qVl-V7$#ogl1?b&jRRw9C| z$JBgpm(1^KXBLfei`ToeL+RB|B~3gw_=F5pQ(1)r>P@Yv$a#5AjqX6UU7P= zzh-uTQr$w9bhBtq1qU9X;dC=3NK+FB{%fmtXS|tur9(l}L+|$%kAgTyGzLI`c%&1R zV16(FPH$=Zou;M9QN(1iOpzgI?d|~(_d#3O*sg89KkdH+h=GUM*PEKZs9d1*p^G|16wzS_hSd4SL{YRHI|K!(DKFD7wowf$%%5LA5i zp_ABLQfgl0=G~=8%5tYIq-z6nS&pw4O*N%%2b|%diRB z20#>O)>#^i^Z07v-wLX+sz?g(W4Hdl+M5oiXr>3@k};Z(8G;&hO5rL zj4*U)U4A#UqyHRk@C{dm-(_1pz2ON@Nq1r5z;beVhIKBH-2 zn;4HF1QZv;d#F&c#gnWd*Gsa_pSULgqX^mfTQSjlQ=AlJJ6zYk+NQoMytEX~81b?d zAfU%oY#}RoHdbJ<`1MfD#$__8ApF)A({bp6#{cv~sx%S-Q5%RYY$UQjuWOrpH)Pz` z^?+)8R`OeM(e$J&fPQzhP)D>c$IM(>k^obY`130NLQcwoxBwE;vXRhysynnhyrt?W^!@DTY46XT;08d@*qWbPD%0K@6Z9 z#FapIqu(dP^jD6D7q#C)aWv*#lZ>_ujWSJsoX{yQi^D1R0BpbY`)n#rRm6=brl!yP zPe96${4t(c@m~1mB?gWyEpM0KQ)g!+$XIa57RIhPnc1nKMEo9JtW(W1@%Nz0#=ydZ zdqokR+c1@?Twf0ov=1xD!-jpUz_7j?0~9(75JKBLf&3cpt>}CG4Jl&mzitJhq{_gE zb_^x4=l&c)M`s4K|Gtn&e@=+pqtoK_(L(HRIbzO1FPL(|j}d3M!6g3BrPF?ADy_+*^&nc72G+I4Zlk@04YA z2XBclt>p%)x)-&~5=gjOWM41z2b}L<%eHv`XnR96U;19`kztL{b@!DnCJ0k-l%>e*ILrG*Ul2@wnV}=OySY9WAxrQmR zb`SW2jD}K@9N`N!elu{Qwo8l}uSGtN7$#^MJ(v1p{0oG3#L8T8z@9S*V3mj;Umt-^ zGk8W#jlgofJ6Z5W=-bOa>H^Ezdl@AhX;1kfT~!wOZje?YDAqYHm9@A;)5Sq(53hFL zE{nY%DRbi4e)cf~o@?r>BP#LDujKg_Z|H*{iU@e)jj#efVmsc=QGf@~w_WU0gAu&S zfQTf^(v7ty%0b9__^>?Ly62`qn-9?RWNKih)#&KSnSAaKKF+8vIOl)bl&5gnmdh+kY|c7U(wyC z7BuHCBZT}eHYTzp#9pK6K8ws*&1vfb$p!)sY`1&-Q}?=*h|NbHM__Ppf;)d7)&9mF zXUZ3dr)K3}={F;6@W(4RK)6`ui^@yG@qPJ0Fk!hv;Fbh(NB2I1sNxWi@9d?_^I1I} za-UFC&c3yGSshH}LceJPFjEWoFs2bX{W%1%tq7>D zHoT01Ubh5*v@QYGV@Gl0Y2Qd70jbFlu=ARDxf#lH2P{rn^7#%~>;LEzk~3OJ#j8bN z)~XuRda|g}^qBQ@TCDY)tP~v{frxy7|g?3`ITsbCLsWsjOC-bqG|gyULJ9>b_lctx?x3-&T0X2To)l79{$Nf zFW+$-sX3pqq*t+;nls7k?e(3u z%0$10WA(%gObyHJ{gnX2nD7FtX;i3_FicWJ8!$Ld(LIJ7!ujRe5AjgHhQNig-zsLq z;}afR?el+SVbIm)^+hhc&J;OwUn5$QNF9d3nV~9V_#hyG6)LvH>fA+O>?fuw%dGQR zkc$l7wqK^17D*Qk!*___Fwg482OUdSCqD0{t(za5z(7TU@PLYmQib6X9dlKbpwQ?#OF<@3DCTrf zIY6UXO?1zHMi-I^ zxX>}2PQoK0h|Kq-&z`7cXuFs=U4#t-b(_N;553gs`;MO}{!pQ5#M1uL@``U(9V@)>}fuqK=c_XddM!Wo)!`5o{#T>Mh?oGdNoC9d?OeBpQ}urfPpDXcdPsW%$}r=tE%2o;wc4=^ zDLT4M!}wjOjoP?>(8*Z?OsNyQ&E!;1-@7q(Q8mA#OpEbuff)y1dQzh1U|9NX6bN$`4PN0vJYFrhrnG z=fZU~E?4WTVOXI7m6gt5x7uZ~!M!E-GnoVr^8Y)8!8(0N!W=pX?rjLv(|NgRgm$4M z-HHUPGidHSVHL9!sQ0c+nnZC15Kn@??>^-S$F`5aj4ejEXA0Ak!w%@gF(vUwMa_Ub8&R< zZzm6#6{lij9WrsJJQZi#wl%5e0?DERH?5wVNycr=(eN#GFruA6Pl6yPowfvP!!U02 z5SO|q@89-#JNV;Pg7#edVF9j`V-z&ZMwx9qX0=L_l3=tGm^LYYvZ54>7bNz`{jt5Z zRLYq^gPrm0uk}{#3~xb9uNzq8EVfr%qVo0J&47>JZ(>B05Ei;jIWezP2$eA zh!G7(-<{aAW``>rWNi#n5<8=YztvA8JFc7Yoo6M~f#BN68DL#z`kMLw?P$QhUlq5ZJoCLwR_ma zxnv34Oik|b^Ts=Ez}bNxzYs38vP#B%Clv7WWHppIz;}}^$b#4W^RC|rLXE=>n8KghyqTuo&gZwq3|}7l0|JwawKN4}b7%gSzW)=!be& z&>H$B^ZRD}{z}$WnOBopnhQQ|i`R^M#;lFbC!8n4KfZZ`!n9BJa~WW$k?8kh;Fio8T|w%m zA8!Ryui`0p{a^Tap%TrEJzn~(IQ4w9n&fqn*r}v&Uybkg&Hop}F`N8TP^of$IgRGu zDv#*i=P=hl!is(1(7eJee?~)o@_t5yvTf7yl}+=`4>O+;dR!CAF`^Y6zdHy$JIKys zR32Z`^SYT3yQ|rPpi-l}o9!r!_hu_WGkO(Xe;BvA`RV&#SHZu3-;nvL>yK{~kS*GD z3Q?Sk#zJ>V znvN5Sx=M3CGuEJ#%5f4DBY(?0{ar&nh}#3IdX;NnIMHHzy@LrB>f+GAuK~~AbEBelfB!;*1|@wceoTEuUspO+?`Ynzof*3SES$^T zzA>a@7q%s+W_SguW=SN~Q+EAE+y0qBvtiH-3JX%!?xu2AUDTdrUAibTuVCDO%$ykV z21+KerQERJ0@&>@9><3`R*>>D|APd_A@w}xy_&XxfJrCUfbrTI|BLvP`f86(i!KRW<{{@=AsqjTn+i$ZIthhmPl}huG^;V?E(B~ zzEj=eWY@A)6l>0xHZ4iKnjeZ>tK{&&QsPLKlbq&i`=NgJhgK?7L4(p|4`2U&c#9hA z)F;)tvB$Hj54waRmj~DpHGxuRcSp_E^vcBpZwWfF{#Kv-e@}!-0L(|aePV#S-~=>w z1jGoEHVJSV*2#RYX0i_3BAyvW1Ip1MzR+^k6VuaG)()GWPJk(&kqr=OliqyHlfEYrd^%8`vCvwZWQd@{; z%IV7nlbNmFoz7{{+%U0`N4@he=XbMJrk2odPRQLq_;!AH9DIGJX)#)VP@R|Q#5v;@ zCDk}uU<}uAI6!upbrv|67kFL`ed|~)>kVI%uxDAi)}*@U%ciuYm`UkvsJF#*uwSaX zfWo|vK_P|@JvR(wQY8-9s(&f5{pC(Yf0$wh5$Tt_!3EbYYXLDYr$NuRZ(lkuQ!jIs zan&|1zc==xAZnA8=WlGRG)-Z8n(9|omLY)4$w-NDyIZBOy``&{q)DkimMP- zNntQ+JnkkZDJ4prZH6G;{T9#gxX2x6-nsL{ezl`|zJ&)Vq-deCofB>^C`x5U5w6?J zr&nlR8bUl-(-y(K?gc)L$=clJs?_{A5hrDeOs$>z)^W78gM&NFdjn7n? zneT_SF~E{ZU2xkg%8)8H>XjLm5&!2I`N4xl6I{w=Hcr#9U*7-TiVvD~e`9!ZS~-*+ zah1DNS$uCD!8!?Zh6{b?u{)dMV4$q&AlNx!W>P1t{$&&2>^EWLIib=_{gir70bZ3W z**aw~*fG3l_KRWvq;*Y+Z`n({lHy9k0TrV0y)cTqS%2|!b{L4p`>h`&zP=}yhzRsk zN2SKO#ii=QBu1K0^kVqwuA502itELiH>&S&qnn5RlQ#8VE1!lLs*YZRC!WZ>9AGi= zIpA%?;gmblmVRl_QQ{rwgfW>xQA`?LQ>+bk|!^I<&{L)$mwgQ9QnXsAMCyg=+t zw#T2cGSPY4vviVmiNJWtX;oC6>WxE8t}B>fslz(Wjt)|XlVX5ALzv)mp6OtooJ|4% z$abF-Sn&C_?pCUETGL4vQ8hr@caQ$8@&6vefA53Ozjzx7lX59k@YBsUdwKBz)RlGu z4W5In63*H4o8Y`=z2Fob&InQY?YU@t4mXCaeS4u=y zGKt6*D7nyLH(O6zI()Gv1u8+*^yMiK2}E@|8{{I=C;TH@y^;YcnC`vhY-JgcsEzXA#kmzH&WJVQmGwLt#iy>c-YLuj#-P~8$uO0 zA7RVO2>BDudE^reCb7Qt{&bnsxV*T(;Sx!h^;I_l(r5M_T(u08Ru?CgM@KVl6T}UB zl8QMc7%VrI6ERlZw(&Tpi(p?17ZzH0CGfyEFkt3`9b*v6mq44DYPgdllWcJ~Uw47O z542o!x?dmLEd9=wvV11&MVO1ge5ddR_;IrUnogo*32^p+j+T^76`6^=V2thYyqHvn z-;!MqHz(box!s8Zq+;)-YG!T7Jiud9vQZ0nBv-l>2|zB(5D5$beNGZK2U=o2cyL%0 z*1w5k#tI>J7w5dD?yx#?o7HeFe)@HqceiBLDFTDSbEo5SaGusvc_eBGEDnGR5 zMH8e1OGd)}5EMQObryC@G^xs89})__!6fQB-vk`IisafpoiEGk(t32STJW4KwZW@c zJN0Qc870TdE{t!qp@;^IGCXyu5nD+KtF4!;03@%1QYs#%%~#Qau#GM|dqBZuWu4kV3|sU^8N!GvKR|P7*ZZQR zg!^Wn*yDV3<>tVsBr?QdYpi~)Ev;UXQBQ@Q`3@&(}G3t zy~SL0kw!?G3J+7$`DdVC$U1THCERPB=VYhVG!i7V_)H{7dje=(Z+UbhmlV2Kt#Ak? z_4{IJl>qTMmV_=|jL~?`z`I7EGgNo3mG8yX`R&CXuoO*Kj_j%A0)ezTFeX?&@ZoAn z$lweh=iq5%zn^3A+tQEVp&CeV{{9)k%7zyRvfJI4Kj*t6!v4bg_wi1cBCKbonl9+E zUpXd=ME?m(C8z09bwzvJ0})Bt@~u(ELHZVQr6=J=Im8egKB%smBw;I<*3`-gY%>CU zHSD5qrk_RIgMX$vkk=wz?M~23#}Aq2v`Fnf+b{t#H`c$k=aZ_giI%R#a`Gqn#Hcp` zEvdJ>#)#n}FX-`kjbJ)x7|5_sscr60x^uf8e(DQ?FZb`UMhR%4DwBpn$^oJytvnqL zSvl01ak|Iks^AaNOwJ^k!hMZpf^3h@-}TwA1eXD5Kqd+rGgnRc=lw0}^JA2tF6BB^0rX7!3}GM4;!ej$zDYmWLGPT>Ga5c_ zlSs8g*wl%xl2(hf3CXG{ zA6ua#AwqHjV}{xN0F;}DitMMlUPR-w8v6O(i#skALXO;WUcoq0>#N?px;`2_Q&8Ex zGL)8P6i=?*G?McdO#KbNK5C98IpldbhH6X<&Xye=nlrm#(Pz1zMuVp=NVS`t z(hx-y{+Q)LKdoX6{r47}RSsBtcwwcZGmfguHr_RQUHgY3fbY>g!9T&p@VHbKlu9I+ z1N2c+??p@ft)E{C22ni#B)hgE9;X#hgERO7&;-Ls&m=Z<{Y6P<_nPftfYxI?=C>%r zRRJDxE&+V83#KSn_a15wKmwK&h#vHqUrV*)uMPRh-@+J4- z7w~z{&e7XEe}S-qXSng}09N$#?=V12x%396@^gJ|F^p#beeVPqi`9l+AhEl_yX(Ps z=Xxc^enlTD^XCsXgJ#Z{@$CNIJHG~_grIxW`*H=5aT*HwhtM<{HjY=lC%QXvm1`Ps zxgnJ*RIRpn=YKT9?S!Mp%Kw#xK8Y{6|K6}G8tO{GP+g#wkmXWUGY zGCiYZZ)M~F|IZO)5#6{b9?IS#Lm0YnFNq$;MgOICN#I7R*|A-0tVH|I@yM;k||B+4jhQ{TrKH@b(mA zb@XFXL*)~f*(#I3qI9ahCvR5R3v_rFT=r%@r4Q&^+3?$9j7nf-N^Nwa_p%=xe(MMo zBw}n-#4CsMp7{z960vwYmMdOeEl-q2n_JYIqG*Y(t#>LjMI6NGTSA8}O_nrNXjlgH zdDx7;VeGRf_@Zkn%|4zq-HZFJ^Nz>}CiimAcIy?#>U|r~eL_L$Wz?WotH}3WFtv*M z+2<;ELU-XU7xp|vkJq=js&Xh>g?F&gMZoWw_lIm1&+1vZv(qq@o*Xql!Wp~jhjhU| z-(FuV{rGO5TtC;2XP+K_g0b(pegvNs)6@Is)%0C_n8>64BVfCw=QRUF2UE$_8RrKl zvRFuKV#;YwS3lct05Ibs_r_yN_w8Bv#)3f_4ef+mT$R`8%h^UyoTg@Bxq;B5v-LS- z>|E976Is1_&(v_T2{F&%&hVH4G#)G%efeK3fFize@r~n9&c;_vwlYR47oYbmUZ=eN z6s-)v&FnOr?r!#S1k-_35~IQt%QP9d8Ig##Q6b@IAkZY5iV!)Sa)Q1b%`+El17LB`ayFJs8+C;Ui~^+WfW?`kG0;B8Uj6yGNFpe zLtqWTnQIql){z^Q=%2%Ib|Izrnkq3lX@88wI9Ez}1L9=GhCubAI{}TZIXYRedxdI= zA3IT0?5L0EramC)C|cTT{P~cobJl6;WYTECX8j|CZ4{q%?0%10(Y!h%+uK%HszgLU z3J;W~T%hj~ixxkVq*_R;$7k`&g~3MGbyn7(7n2PjK0)PDftiUI54oc>}tc*Fi=Ll`;P4~*}5@)nzigtTFbCz`Kw1dgoW{(eP@_v zg|(1?J{~Pb(01xQ92E~RftKkt3G}(6@-*^w4KbF;*7KIkct9=%^_oofO40F-Urw?C z>j~j6Sam`6K#_pw-CFuwOK-_ziu}~m=^YuD&I7csKX6TwYD?bAkO=*GEGRw}lHiO& z!OtI0$FZ0gAR`~4Z8U0;d#z6bD7MrxB+ zT9uflLWDV}AUMOM(mP&=qUx~erx-7sP8<*BMiz{M*Ql0ReO8yynuPnFh8TzZpum0w zG5=Y9dN0yscwYw_BV;W&8W7@q;lBg0Nu0lKvo8%S9&w03qRJcxhnHl3NGh>_7eyO^ z^Q5WJhQ3W448E{Fny*v_GKueoICAYxk2&kz+J`_+6`{P^4 zf!qpER#EA2y3+k@=c<**y8B*`t4E9}1ROvwc#Le6Dme-ine2SWpC*JlqU5*W+Wu}N zq;hxH%Ym~z%i8lW+`X|eVW7ZuGVI$3)H2XZ8OPC z_vt8XUyVND-3~agl$CQ?m`c7gfs7c7dwjD?qtHLT_!*gjH@^N_sp9irF$# zsHVfLEsGlG>+xB-?Z9jgiH+SO-B68B)ZWxzcu&N0+Hkf|Uy7+X>6{fCj2#AEa*=qy zAM;m^#i4L)4}$q_E=6hsqe|^i2p;?rq=m=f9j%De6P)wT33x^x|IxcEd?i@V*)*eN zyf?%>1+8toKzq{ZXcVrAQLsWX~)`R$Z=_Ydw$>J2s0Du z999i+YUeXFb1BpaLkMcDiQhRX_9`CJwi@NaZt4I#4^M*NJ!|a*$=>4|?4LyecJlL} zSmGgbeRdu3hQbwEPH<=7DUH1#`Da(vy4%6%g*LRCgT(Ewh%NRfS|taPnE3>vCc*j zmVv!Z{-fTC+5x*c+Gbp5mowWj`^lC>5g)f9i77%I$%PRhRY9?wl+Oxppfsr>3Gog~Uu?+jzXd)Sf%plhc^-DVuley15$QzX<(e^S zv-Dt-TPU6u72`^&2yXp;-%x_}Ej}5srI$nf6X;6V{PN&&a~fRC2qoF-X}eWNg;qN( zb$=ApAywx`Icab0zsWXUYI9nW7MkI|YiyqxhKS^(HDZbmK0pp+p%2SHaMa$=m2_sH z{)pSf)e#+Ewl2i?q0zhxAK+`PB{!vmU5`>sI(iC!s~rSiwN{s{&9^-Lyfu<#qK;lD z?9s^l74zlb^T}9CyaExXZ1b|G9m|7{E%^GG+AD2zehEyxl4x(g>^F#X-b&c6HBIfj zQAkE0&z#No&#q#!uJ^x+De3;AvuD?<>Wd_Uj#llPbUubY92AmdvBNvrctiCjWvH`3 zJ{jSy3a=S9{{^O|FnW=F>n%jo&y=^TUb!b9$C>ARo*KZ?l&X_?G|&!S_s64(fP*bw zSj;TgmOo+AjVWmJ-1rJ-R(DEK5s;f3&S%1+P*eS@^?fecdsUZH0SFIlR3dp96E=8WUzXl+Dq_A~Kgh`>Z=3!_>?W2?pG z#N9b>%lP%)Pv!ZSkX{6U{+lfjc9eB>^s|X!aa46I%1AY_2$z20^pLp1%5jChj0&o6 z)XC=jFq9fqiX=|ZSO%3G1$-zYQjG)Q>RCR&u-`(*)7kitKuAWGVoWwP?r=Pqv?C0p{v1j@{yE9Ro@;P*!l@ zvFMvp9HWbH_#~^3q+r?xrCic7p7T^33ezptELNMtvSiuILb|*#HHb&T+qNREdYyNZ z2u^|(6F*UvSK4INLW2u{c4#_{PVH4ou~aky{e~loc=w4NEiJJhpD$uJGPH;1OK>vF zb3L@X>aNPY#6#8uGg#?7(4ZB#IZ*pmiqhn8?NW>L>y_-P)Y!?RwinEQTf|irhJ_ndFsUCrJI=5*4$7Ft@DVTu(` z*tp+L>|%5+2@6J$97qn5ICF50bYygfUNUR&3DOM9DL2Ps+3v>%X3+87Nt3)%1ErDcZ-bY%?I491+kjEOU; zD6FZn33k`1;ezVdE+)`*Bff1eSF3Fua=M6ldWGts3LCYbjpp1)A4B%A)D%_4I1n8Z zEyVVjgN5nDM78$Ics@-{Dnh;tndPe|kqiybMs2my+&!5U&SpD#RIXNpX|8eb zFV-{9|2~kdDgLxFiA+E>^h8Iz%>Pn+TS?I)Spd)R@IZ|Gx+Sp*%+^G1fVak4E_Zve z+;ocH&3tIFS4H!+s~)7lscJJA$RD(ADdTl%muL%)a(Bbz@7bq94F+tRjfUMNe}2Uv z;WBUuLpg(up-M6p)kcS!4L5fKFaY9y;B>re5BX`*E_;mz zZPZaz(-$JsE>wbQsNtc4Izo6OFg}ey7oYs#XvWYMS}^A@fJ>gOAh*yuzpUO$r-VKA z^cJp;=!hYpU4#Io>aTXFt;GZ-25@x_FFg8WO|A)3m8np}BhTJHmEl$C!Owze)DHY? zE`T$gWnXJ`MX2oYEE_V_mgnkoWUUiC>H&u`n{uiLGtsn~$sh%tcQ$v;@wK_=E}4Bx z#joK7vIIjGDCO<%2WjQ-)yCD_T%r&bu(VD6~>rfttL#Wh));(8%@vtc_Sl6$`{ zj@@zY2s}LyZ=oTA)U)dv_ghh!@)y~C$A=h)IajFu)n@wXd4ICF;2bBf(wZIE7I`#8 ztiFr%Bh>41VV9ah3_*)dHYf75re-x+m&c!aMmeDv&bg;HZ%8+Y*g|GU;t(3iVGLSG znwLH8al~pki1K)R*X~Yp9_XXZNRUj2*ptYAdUNAN@aI)fJV=d68aSBPYO0muGfP?LW ze-Yys{l@>hhx$hjm{Nlf4?QC_153AfuE8+0*=jqA`s2wD4=lo_u%2-*$#gv%R(!|0 zzl*n@g2_P$73xgVc;IhfGqDHC`fNX}Oo&q+#BERF)6a5l)?VYzWs^^k!L2KO4h5%> z6F${<2PrmXZbP!Ub#H2%H;)t4r!tSIiWHq^;}~k4;c)M5|0_lUPH8ujwE)ehJ}~?H zzS5HPLnK_CZE4^m#X#$;1Yz!Rk(2t3=qTc@rrY5}o(8Kt%>a=F_m^Pm7D7fZ6GzY@g^*7ZhkNXi}_SY@^?>a(ZFP*2FT63Iw}()?6i=z67RXFYAKWEi7lXtD#v0 z4_k-)YUS<%V5riSkN1le*A!cpyR6q77W15i1T?IBYv+3Z?;^(@F8*G#r|#Cf3*1|k z>IRHlnxWdl$4bHET0*YXmBv4A1W{F*od9EkE4u4a(~^6S6(_^?c&BbtO~$F~e({}Y z`i!nDYrQcLj`2jW7P-dbUMOJOrTdH8*2GJ?c{>2irk6ou{fW?Wd?Vd|JgEH7kwIxn zAQtFmV?u1wNOkh!WaW7|*@fk0EZ!HKl{z>3y%EdIVb?rdj z1J$Mcz;GC7>7#%S#-%CyWZ1z&kdW7Y3mPKiJ)A!h01a#>l8Sn|x{6&*CRY3qesbV@ zun_(1w!FQve_a-tCO^=Y1Re6#X?p`2_Wjv)L*|E@7o^m z@U{5l^LFCsOpe;&*UMEmHs2NNhzM_QUf)!Z9oAl&Gh56--oDjeOAM|f;=u8STyJ!W zEp*6RlTvW|;;@5OT0uBnx_@M5IgOZ=^23yQDMXvit+i8rBDb}B5IcuM>VGe3CjYaf z8J)!7o?4@*&JVFxnh3mBus`;4IZ)l#p2f*uAkFupDV`;kHJy0Z$b^~6?`1Zk3#jx-keJe< zb{acDQ_#b0yD%QW2OZFOFpu6g6DA+wU8d-?R4&3e)dRo#`{=)@rZBL;ue!0s=uMDJ z@3u;tuIlE`JLS*;Ui-WUz(=U#KBhFw&B~IaK{g^nb@oJMhl!|f*T}E$ABtAQ zB=3S?PAC<)Xg%p8ek$JJ4enV>yO?30;Ghsng$;RWPq+tkbZu!6sVoRO)2Vgp1^I9_ zB@bUZQt*VoebF#5d_|v>_K&J4iPEoG6bf5xN0r`dFF4lWIIogFl^Lh4s<;Qdc;=v|DZ0y6K;uZ>@40*BS-sPn0%G zG`A^F5+5>`6TEklXG(w5_!wV{K_go!q%sM#qFhs<2x_|2Vn@%N?i{pX4i(Y1^a;sr z?o0N$JxWI$eD=S(0>0Ig%UAXCYdn+MMjRk8NZA~D zBl8YsPedU3qwjW8PIp)3L!WP+;#C79ev9AF^P&X!F``<)VyG=@eU9}Nn_RYX^obEL z3c{Vjl|4Q`MDtvVUwEuv=7a&~)LE>>h4|E%t<@j<>~U9$jM0qlSyV*ag2O1yX2k}; zr@eT@M*j%lfIFQLDALr^Ql~xqi~EOWwID`d$!2t{s9&m(P2p#~@ibzP>KJCF=(lEt zxlYQ5Lvcke7Vw6yEvK&Jg%PT|u01(f8$s{u^G#?OJUep*qK+GwLBtT2*wG8S_lt+< z&DqFX`X<1sF7})0Ysb_R z%PeOQ93K-$yBKI5&Fwzxc-g66xBQK@mFsi_BYNOuFqLHY%>~7>skE3Sp}Z(4-jw6c zDraJFp@YSxn;zf0HcaA&inuU<_ElhXsdXO`*bqGUN^Y+&{@@Tu)Iqe9=pj9QmKnt; zER0XmiSOJbVf&FFpU%evTa(2`@L!HpD`z#$4Xv(;TPOqyu&em1iab>KxtG?$?P>Ms zypWEl4H`!ej?<*HJvwuCsRd z4z?Ki{Rf^p9@<4zU}Y-iwTk7{PygJ$qm{aMgFm?17``8kIG}}oT5uY8#b~MyOpf1) zVayb7=VLs3_j47UU$g&9<4YMu2GgVQv2>(L$Dl=>+m*`fyktN_{x;dHerXYOWmjo` zdG2#*U%|~05%`NyPQf66)u1w0MqBnyw8uzp-;(*aa3f5?eT-n~^@l;{FM2fQjvMb(7r+E9PfbWDy^Z-y z^$is%923Bk-z*b$t$Y)G?k*^XP5d553*G50Txu0|P@t3;i7gz4)qB#UUcG$jX?)Tl z61(O8Y9Px8hdbL09ySo{F06`dRAv%Z-Ss}P{r6v1I%Wv;&K zQRT@^p}Gy>NkX$D+;u;`mBk8wdU(D5kACI;R2*5lfhkWR^qh0Yt`Hq~#v&8){WuqC zWSaKHW#Hr==d`%HU+ylLT=$CRo)Oyy2yLI{@ZAt1W@;Xlwk;arR2K`dgC;XpHU*J7 z-xjUEV&bQw!Z$oI)3e_}1hZooz=pUSB;?(Y%#V!2K=2GN?SvF!?IVG^mM3IE@Q$R2V;uM7p0{ylAA8bS3CusQbHMi zrUyB&Z1xZm`T`1zk&+ktfLjb=x6~TQVcp326R=N2ecVNFw)y`y|X05kgBa2xm>CzJxp>F0_2xdsh(SDL*-R*R5J$;I6V zYW}|&jm7EffY7iud5GgLdXB+xpM{n=;tu&3#HREcB+yH`yIQ)Dy49ybR_l}8^URla z>VL~Oe>)x%FZ|60&vZN~3S*|?;pWeJ1#pMz*5dWl?Jv*^;6lO#&UL7*n5LM>eMx6^*M+LE7`*YlU6-Rm~O z0CbDMLUVOJ3Bf^~i^Xrth95!G;CLG4hi$!_P5Q+@U@tBomhOZwrR8pPN`FPCK?x;| zhpzOvp;Lp5)|-F;vW7wm+{8`ki!V=7T^2@qIYadT!Dm<7K*MadnICg^rQ`C`t#cx6 z4rr6~>rj^+JbgJ#h@4SWTX?9hx)-s;h@|h&m2DLBUn_EG_;@XrL~yy>K7II(tgt+5VAf`=I_+ z3&23Jb%Z#BvtGbiOIp~6Lhxe!Y;J(?hVeRR@VGY`MZ7*$yBAz=&a3Of`6re8CXE*2 zvBlb{!6nP1i&{h*-&!bv&rLuHQZm;GyhOr=SMw<}BZKlxUkWC4Y0l=7>cVuH()RT< z$X!-O#D_c9+3hN$K2)QyQU|(AHVEPCZ3fnm#J&z6et#Z2+=+QLwMdUcpmyk#kRbuA zBEvYU!a^1DVR_w0B!nkcT~;`_On(mm0^M|=P#~nFF=kO?tr1RO&6=)wl&0{2Ns0RDMipu z9&zgefblWaS(V-+Pasa^VEeYby|TPoCcXa)Xp)d(@2s2y&1M9Jf_Aq1_s>(o1!9x2 z7}Bt>%P6L#XYrg7ogKaAMpf>{m1vewu)cmzB&_u$?At3i8ah1KNq7{r(U#z`)_8?f z)T27g$)tja9qR8NG!x&Ac+rbDGqBIh!OBV^Jzdjq)1P91%-QHuB?p&)?@K4Ro|aBI zNEH)*j^ghFH~Jd4*BLgoUibD2H0KT%*^Q_%uW|`LP}&1%NK=T_5y##j7?h(}G67^4 zsu=3A4zR${#g>1EzP;*i7rj44WqP90Ii#i9+C8)5qIzL9=4EV}ctP{bLx#LX-(FI) zfCECG-cvH6jr8oPs-C1Tqbu!-s+1q^R?5E1WDP%8@%C&*JFUK3Hq1{Yw_gl;VfcNf zSN-Zsi0|8Q{gfHAmSkJlUZU6?Tt&d$S;ri;2*5*#=sRHCIWCx#27$4No(^-_Cb2%+ z4zDEC;t7yMMD)fa2R!)o*jr`Hv@gxX4?*$JWOLdw9eZ;0#((X3Jkf9e+yq5SVGed6 zy6LNp!rOp~GVpE2mhtXVVRmlJ-9uV3{yDx+#t&t?-X!lwabTaCoqRo^KFQ!vD`-~Q zh+iflqR^3SO|S{fO;CZol(`*#T{^Pl?zFIk|3f7>IIW9s@FBPbKf0DWVq=!&>m$2h zg6AuOT_Cr&XP~BcIMQw?t<+z%ou2Lo@$NpGh<>$^iE1h%@OXwdO`x#31V1b6VxAZ( z+P_pg5&`OWJ*{c_L=gIE^hNUT_}Iu0TUQq=&YE=G1J^Xn%AsDZs^2qbwih3T(#H0( zd%rG_&hVtE7RKK!I1|5B{7dcXm#ypz3dXp-(jPY4sVV&~SFhLA9G9W@ReWl81z#Jz zEOOnh#7>iUBG2odw1i zuH^|i6H}ZCU2*fD^unLtLr0CLH5}UWB~e+MqMZ9K6lv+zD0?Kjcmz25qZXCaEH!7LUvS$|Quxt9El$bHKK)X&6@6p&V5(0r4A zlq{+5dXzk9B=D7fwh~yk@VXQjq8LC_@2cJq@6wN`Bs`hq4LKDtxU4|}Tbt3fuDuO- zjniCq{NEK|_5kr=D9rgosU*lmE?vdGa&hf&e0Ikl5L<5~fpjYE%NvN%Ju0ASLZoXXWonT_@dr%2WkeuUl-DlguMz%tBjNr++=(G7xTK3jk|T_4 zs-uXgzA$gv?o3tRl(#NpS*t}pel8@k{umII5r9UY7LXI}GuIA2R4axG`oSR0QQi}! zQgx1KP+Pzsk}s4S_%EK#fBkRbPK@s=O1|n%USAw(gmq%=kcI84!2u^E-%&yM=|x7X zg_t5?wvx71@vP~Y*pbSnb#hr>L3y*HUFN*NL(bf{yWZ8srw{HT$a&Z_6+3?)+!Sh{ zRnY#W-}t-1`o9-LJLu0vIw}2U@9Qs1Iv}j~A{7pnh>@BiyS!YErxOFs)_Wmm@w36V z28C~PGD3CV>qZOLxLbyc952Tj6Lnw@B=gBphCsCn71!csoLBa0=qk~0FK19uw!fq8 z?L7;yhXp>nPE(L(rG59-m(*hJ_fz>W3C5DYpW44(bmKFB;Bw+2<-VdS_c+Nj+Vu_&xOir6Inrqiv}08+nlo-p;ejKlFKr554h1j2Qz!>5QXTQ&;M zPN#E{!(Z@GYvQ#NV|cK<_`nkVV1?JZualN$+xf4_@|Rv75Ti5G_+=P?Sb!T=oA}@i zBcMSl$faDX!((M8yLo#rZIXC)AY@H+mVx8=WnRp7cmU7WU+GRAWMD}!#AOVO_H zLj!*diWz!IhwdJQt8pHq>3n5ny^@(SaNW&8Y4uK=yisTE;>5OxO7o*shoX&lg4J+A zez^Z>wV{YL6RU}50}!$R3;t(y{(r`&@hcnFbQx=&l~p!W$pza;O_~wTbzk zUk2mZqWOr_K}t(o+DR#9CI^Cnm?%>W503}d%6}EW{?#`kj+!LmCmkTd+yF$}vG5N) z`hxNL37U_55XxR?mBG29vPnRd80>2`J zZDeZSBW<5tSr?scpJwy5`d141kNe%6mV(f*F{=|77Xdk0IT$f9p8EU$o?lE+KT7z$ zE{`2u^nEKGW@l7{KQ4Tndfcj|eDZ9z!ZWSmWCXPixdEA-^GURwg}g^Y`N8DE5Ti$% z_pUI1JN0yXb<1U3b+3$g;hcUdVgO%X?{wxRDgvx2Z}*iUZ#EJCDp#>xnS(Ta3 zX!b2tu&VU-%DEzKZYKFLx7o?ShtNs`-f=C1n(iv7fo*calNd=`Lo-16qN6#k;<1tG zb~<2bq<7_FSEQJ8I?dnro zzlUz}M3L?8`pe{okDF+RC!l^Yl=;~^ z9+5*#xGqOmgs7i&S8dt)BDG$t2?09uRMq)U6t)mL8Qk+A!AK5wIm-}uORD;tEesNCkaa%NKyLAYzGViVWFwD*{q4ra-Wq<&A zS~x-B1X5Sj#)Ci;B7|bU)y)nFZ@m(#w;#chZo0cHzKhOHSpH4;UzU7es9Fi!n`&@u z!^$TC3lcfMz5XWtY=eg0)j2}Bs?>CF6|WA_IS4pS2WMf<5e@t&m{-oHrsSfqNbJoy zx)+?0pvz~X#y>StGv>qGda+H|7knM38tusIR<;lLXyxii>O=}}Pcbbryu1#vlAElQ z-^GdtJAE+FdBxOMlR8itzq{F3n-oxIAbcvbGLbe}H@LSEYh-W=1IvOJU$af$5QS*amQ1mJ-oaW)PPcr6J8-213guQKP zV{8_YvtqcE3zx=Kb_)@NCPlc~2o62gRsp=?3H4$?FtHD}765+QWlcF=eW_er9q_AM zQtP5L-OzXZVsO4YYP++9HsdXYrURx{wa0{eLEH(jJ1ZOWbdl?SbywJA(j~Elce2Y!Hqc%>+sue)w0T>WUU0Ti|k37H? z)!748k4MF-><|ebPOAE=>Vir)x4-fts-_Nk$#-FGU-crPsjdDZwcxUcUbVAM4xVaa zpP%WWQNC)vMb?h`lR|_xaD}RwMLe9VYB05@Q^W(DX$`mg-W3)QuB&%R1{Nd5NkEal zUF&IF$F1y$SsyB)BlyaW(4^O>Y&faK)$ulEn&zgM$kl22_pekG-#q6|x6H}4iYtoz z7}Eb=BKAM;bn#J|A>-D0XmgS+5V7VmZJt1yc)AH6uy(O6t7cR!H{j(Z4Pn=-9L61t z5OCHhQnbhQxHC?vPtq#d4b@ddDQN23sA~tUHEbTY?W7RkRJr)A8LI!1s;jDUS<&*? zi*fVwa8yoxwb3rfv^dT#qE_7K`}Wgz-J%O}gr;JkZl{OGZfLPlp0L_b@DUC=BcZ^R zBm&;>mHo=vC8lI?MKI#csuf}!5@n}ThtE)9m|F3F3{Q4HaeoYtW_nH4yC1Y(pDe~?^mT$$>5EQgpZ&?6xLZ3GYd+j%VZ2ssRI8*9yotej*i z=4<4fx?BjnodE~}itX5wYf`!|AMwK>qDf}Sz)qtT*IK#qi-tn;tdnu1reV>Yont#7 z)GVKUCT3k>;MDfG>MmGfNjK}(vI!4u1}`Voj4+vR3J9!GOf^{ALMt3>ye1M_yDqRh zUSdLBo)=H%zmW>@2qYL!{I_NEe}4t6YyM9Gk|+R<-v#*Ol|VGM-fS}iWGC0}v?WYN zx2xBT2+o_#y89&t2cx}ZhJ~}FmR!g>3LC3);p*j&3zwDkB2vya2?;}V5C6;4K9b@n z|2mX|gZ?winVx1l5|e?Oak3ad2I0Zh3qPo}VpG?$tlQ0S2(RX8bStd1Nk2#JkWkrr zWOf*S(TNe{flN^qm7^-fi%bDc#-WBFM`GF;(OB+l{ z(S|=ld-lio;iKOGw<=mKtL&q;V$5S!$e+hzh7gZuFJd0f>ABUPmSjdLWrA1qYdjp$ zy7{ARQ+UhfiO8wY?KDTC8H!cnj}bHKw>QHrhbvc?3Jo*5LDh!zE}#_8TC2>RtJ5h> z<-ySaj%|a~iP!ZuSc&JYEgX>L0)(=ZpHEA6s;QW8J2Ne411KEx~CJ3@Hebn)#bZ5P7RP%XSDHycZCiUB*X!|=dA8{GEGfTI3eIVAqN(R+_T57!O9?l^8Yv=r{@`nXR z3U}-?-K#3FqWSLfw0VzyqqFX_-B~pYQOl?Y82|Z!3!^TttgOv@?8N~g?{U+c{%AOW zBT=KLFY<)+)2B}s#G&852^)mNp1L660&akkzK^YDt`5TAQH^0%*V{suW8S%e5T+oPS8*FHG7LywR$U9ySc#7P5ZH^#s-g2X1nOh zSC(yq8*J4E9fFggxfJ&cZeYg7S9>4vun2-j;9ul!C(SlpYl;RbB>0D~<2k-WrWW0P zj_*sqt(wco9YD-f7F5{HPVB2RPy@;2Q3iD`GL<)0ueI{j8M=FV4qtQtP~>PDhH6;Yq3hKw@9aUE>2c3}vcO+cJ^b-{*q?u|Y48 zgJ2GrWKeKKT_-9Xbd9vgbnS7dTHb(9pX@d6dNjpE$OgevY(ie|D9S>R3~j8oo%NMv zHVY8hwnN#pWx^>18y}VyowQ3Y< z!`wG>T8ef|i$1u8f1HNraVT7JjAY1QYW%qOyDyIZmM1t`?UIqu?%K8H5;iga6Gelv zgqfC)P4+q}j#Ybx5X@T)P&?GK6bO&5C3J)?7YFyXP^?7<1deI&?K`o_`C_@uI$iaX z?xR3}tHQ4>>A(KV>mY0C0(E6%1(G~^*pt&S};<5#rOKk!H1^d?E<^9!)`9;OP>O1rhotHeNc6Mg~?;Sluz+_fAdq#JNIEjtk>J@ z4X)iJkYedYU19-^3`$htQT9RG?fl%FYWGTb5k<0M*Fe$nW3|Mf+_MqRwD^>}Nv3p8fzg@kgYizU#%(1(o^wV7kMztj9Q_!GXb^1?U!g(a(RSwGkcym^+>& zm6SJX)W4mrG>vW%-Ajk*oCB|cXOqOiSGIX;v;H)(+_n6*!#l-8gjNDPNi)k`lWy!4 zL-%tv+**&a{lXVQYV<7fA&2{^2K3dk*&1;sX*ds6F+6+p_O|!l(;d6+??X-O2YtW_ zW3!DGS-(k4QX+4V0`kz5Z6BG;_McajamCujQBIam4dRM71F6{-fH<6N{=B&={YFpS zSNqxaI%tXDC^bvKrF}`u<8lWW;)t2=V9kXeDtl}MeExI61^$An`e0>73NGY!`1?LN zVcm5PNLPsm-1bRdC^~%>Dn4l>f{uYOQcL$^6D7}Jcg1+N11y%n-(#5`T2)SY%V2tqqI}Z^Ty2TZ_X>;Otiv{1m#5k!158 z=WM#=qf-wtqOClmq#v!!8gREKga#$dcZ4Qn$z*=`d=~XA0vuT1{QQ7=QKDXhYV4ca zq|MiGE!;+IHI1o-CmL8HJ!+j!G&$7uRrk4SHRNj#C|E@3gNC6}15{aktt~{`Wf+pz>g4 ztL0Ttn!++V_LF7GL*ZtLt^puOBB|K2o2H z=`nQxiKnH zJlV2I2;DN7t>AJ{ZD%# zo|3N5gi=aeXy72zYo2-p^i4|pM7Zw;^ONy0Y^F<~-LXrk5qTQ*;1MxKz)rpdYbj;f z_GT+(t0A6s!48lfdIZsBa z1t^Ybc-49B|0!V{k;{!`_TTf?*Q6RbtB<_p&>SgH*tmtbk3Uj#*gVfMpAh1N;h#kv zOuWP$ND&xS92+Hn13{*E0zf_#wGX7Ro?|AI#GOjP-j0}BL2Om`*3}CFu4|IqQEL)3 z@uEiuSNG{SL>LH%;O~Ea6x=62Rn1w9GsXH7uiV}4-Q{cAHZ7fE;mCO@HPzP(f10bU z+@clvG(z9S&s0VDneo3YU$& z;%m6|j0=x5Ut`>P_@Lf3YOcJbWJrnH*AD|h0vw#F$f$Sq#$%f5MO0mO1@NC2gvz3X zV|v%$e#xKG>3)8y`v}5xw7FYOTb;z`KGdN^(s$!ko9!s?~9^Inb&=`-ipLdiR2)hG@DwJA*D5goWaQ) z2onCOa}{Cefm?QMKz}S~-@f&-QzrrdUog|f=Gz5o(?&-qr3vfyFZ2JGFORD9;F%c- zl>@MuSckcj%u=rGZe>e1!QuL&rH`d7DBd_WzYxNC##>9X4CEwSt{2LL61lyA9CMex zF@UyG`aZY>0uYQ}{wl6N{FeBRj)z@F_Vg2L5&1@s&&@7@F3i-Unbe+>y!AtS832ji zOZsW4VoFx7REKPttnwn@SfAy=DDAJb)`Tx0LG$~jn!&PgD&}JqI_pD z<2MHz`dm?Pc6k5{d(vXg31>FofcJneixx}r1K!!gE2V#*HvHTVh0XYECX{eVvx8u* z<*!q^oNeH+QmhwmhLoaytB zVSf*U=24jj#IDizcsnwKJJOasxo_^9F1;#qk_4w=xZ^En!Zga5f`LjVOI>%d<3!tE-Rq z;QI5al?v-@(`;WGg?5=oa%(frc0uDj4X0Q&gSKQQFl@4MjC}GyrbtEg&*t*OonlV; z%p)0;GyM*l)PJHqkV?Na_&oUY=H8b~)G0@H2h3DO|@ zulBJ8d``oX)-Hm&QYuA+OmL8}cROCwJJaRLybIcij_l>90{SOGnUt>Fv@OBh`qJOs zU+9)-HXQ^#HhXHiBSH3GCKQb3!7pqnVTk|@3^KeAHeOXbL%;m4L?PlKd*~2$k zh!qJAO2B30nHCdb7pwX^5Mf z)D=;U-e~wSr@^^&Y$5v(1g-JAyw62mis-FDVp*t|mywnyi1)=CTs0g*gIed|>)5<8 zeXWT{V;mkT{YkvxX3%egIQs4mE|2QWd*kC;d@*wr#Gpj^rI=$5-ZB4qAob-$!96i1 zA@-TCcPlgNir~(mjF$@YZ;4S2abL$;5p$gf_U_%+c|CdN=bdjnhq7@)g1F92ddt)Haout=y! z)2&4Ph}G#vXB|T{QpP7o;W8Qgf9$<=RMp@1HLQpNQU{UlmM)QQ1Oe%8Y3UNAkvcTe zNP{Td-F1*I>23t+?szu$zW05e@%wV$f8T$ee;mUz&ft7v@4eQVYpywYUPqgfG{W)) zt-X?&c_`LH2Y36obb{RCi;O?z#(WH&ic_4jVt*W;KT>1XvXz6y6c^WZTz$(BUrf7d z-gK*DpP`=Bbn3OXQSG+Y81K18wab`tko*kt#?u0TR5N8V- z655RJcla^sgfVFTHVBjEI4!jl(qM9k@W7%vCtKWe!ND+K$u=EbUN&&3r8B)Pxfs;r zeUmTd5mzMpw$aWD)u68w7-{qodfl5Ryy=`5O=f2(Hp#j^F*RHbs(0%e9h~S^v-sTI znwkA`WA>>eM|;!loTilT?B;DEqPa`3!d;Fxk?~BCul?b%hNNsBB}X~?k96avS?>c;Tg9#Uz#NLs+8%~!cny)VHjWl=1&EfjBPnyrtmrBoKx96JPre6Jq zcexy7mYx%D4Y8FKvOhdb!LChgcH6>FxcGV(xpa0TAMp-mF4;{xyf;A7)p_SEJCMv{ z9qjg5@Rok6&MAoDX8TFGbIJGlBF6l}ewUk$pdz;!;mHw%A+aR@LnI+FA7f#d7Slk# zsiB~p7=ZYMgw`PD z&H*o^1ai8+(Bk%3+&XEhz))jv<~q3>WBJRp$2NIpBUwm_sOUsI%HpB8`e>gJTgl1D zbTv5&s0yi3qB3bhj7Ew??T_2>auanm>ME>W?H7c^gzYW}n@{A>A)u#499Q%Ve^)44 zT_0y@gBDk*J2z2oWIe$+qs#v3<|h>BHh8z8aKyQZm~Ff^idI`kM9>^1H}9bU4fmR6 zA5YY!jj}+wx-BQRvl+g-)@Dj>PW0qa1P2~71H&{-x?*NWI@jzuA^AAf8lYMGXx(%BVDiDz{>44U=vQ|*q~j4KXcr^c;& z@hO~oG;&O4Sxrdi#~Jeq4kgT>pf_+w>p5x51i9^RBCC%2MuqQdd4Y*;%yA<;`ID`& z{A}zQPfp9pAqSt#NAoXoI1#Go+ZW$&5g>4=de5sERiL&xw=Q63lAYEAz!cLgYVjU@ zXKnp#P5xcNKDk=t;ox)72OX(s5bLCG?4*@VdKO#P0l$*??c^ftL@@yr`1 zYu&Z-SM7~UXZ-YGTAyR$cHFuqCA?_6WAo3oCG?!vdW4$fb^YJ>#&#YVyeg0#*eXrOx#Fm7tWF6RKZ?eNRPJ^C$`f~%ULx`*I@rkkn#h}@R;)V=WHm>| zUhqCA53)}PRaT3Te7X$J*JS%)DP6tZsW3r*ZNiWkO}boa)`9&`>fx-YhTqyU!OD?8 zg_5<1$S3qzYAYTjf!{3JxFvhQ=yk&kt@ILTz#~Nq(NHfp2Sks~PIQDgim4|nn@4F(m)yj{*MHcZw3WO1J-|9uo^UCMz)K`TP za1Io#gUn$VXu_I}7bK{0Og07oS=y+4d@cMxQz}Y%YxsS_@CFpRAJ~Hv(Goni|a=F8QUaiX8!o(CsM+42s7|Nwdn;sMwx@B zbQS<&>Ng@dhvG)#Kl{oK+|ivEFM~pVXjNIV>hNMjqYA?##FYUo58v<+6v5`z^1Pnc zWewj&C(cj({Hi<)VGlz$Ya>__5GKqtGS)%ohB{AV$q*c^Sj?yuYEpHr66SaSzf@z@ z)*6rV7UYvK&iPm6e97!A;*UBom7zQS-%K6#RePUYKzUyaI6;q$z>;?g;rjXj!mf?+ zgB1A4G;7r!4M9a&o6_J4XJ*~$&I0ZTg;%A>95&{|_1d){Y^X}^{ zeviwFzcT(+>9;&nPcy?ukMr@|Q+nXp1S#$I7E)P$HHupmg>ZRSgq2OE63kJ{BvJ+f z1eotBlv7*gPuGb;t|lAs*X%=Wf{Wm~f&ib;}4+7MowDgy$guZ*5cr z?aYi`^4a?HeX~Mf{eisZQL+IGlo+0iZw3lmta&2yNLJ9+PowUW8CPD|M(%Vs7ZfGw{fc-}ALey~Y90X=B<= z{Oi3TZgQf9X2T@DGZ>Qntz~4W%XR0l>9%vH(*RBiYv(lV8#n;3X3k9Tf?g>S_3|=K zR+%R>Ty@^9RB)wV1a;FMZZO|b)8_7C8o&<=Ep;0nZrYHb8)40q)!>r;;^5<3@`pwf zq?+s-lt0(3!h+|*%qZC>{`Iz#=Z(-8m8U9%)_sU+{CYdiDhx3R<#vn?3(2^46_ z%YPUE0*iIr*NGPt;|Nq3_S2wKtORlW3AdZEXfWBRKWWc-?Z&G))xD z$nUyt3sQ0anlFa{ZUxAb>#JCPj9`BvS&NodM@NF`+f-CRvd9Th`}p7}H8_)z&C({k?)IWOwIY z&2jYNePn+{Jgbx(+{y$edkTFoAmS`l323hx6k#jBUHMQ>1YCe@% zvKkIKjUnQ;r(9kAmRI!At5c%BH7U1|ksdq1*dgBiI-}uep_%n<kie!u-O6$ewvfLl>tbC;!x zZng`5!Nl*nX{9T@Z%0M%GKruBFByu&{t;&X)tJDBGaXFDa<^7Cd}R$zyu+yxA9MZN zfV-%(v^!tg%@bmeulJ{s@EGQ%RO_kWs8j7j-JW|q|BDUW%TxCwB$vNnPaFG3_P>E7 zowW+C`8MAQI>e?@baqc>-!evw!Bnwt#P7@=zDXgtQi(5Zx-U<=ue+nQ1Iml^`1G=x zj&aJ><|INR>r-#dUb?DRA^9zQUwEi`x$nGtPf|uiBqmlUY7ECpZm?zsk@W$cgp=d4`l!Ust4dGzZ5i; zfd1HEVqfrV?7Nl2pVBXINc60~6TdL&b3VD~dZLf~-|nsmanksg@v9>G zPfN7$rIv$#P(A5GJa7j7E3O54fcMvZU8%V0q;pTN4 zmM-}J@t!`!W5u`Wa_{BuV8^#bl6 z9^?vsczC!^78?u8g-2R{(3kuTwf*5{?~bp86xdU+c{0B_rZj$;@a+YH(>e{ZeBXJFTgMXFjAK)AhAt#cnQU3ed|Hr@H zhg3rP#qJjfb39@Kp{;7!c1qpdz3~Of(@`drbMItjV*UK2fIijRTHD>^mnnQ?G~tA7 ze21r9ttooF^MwSof1b*u&_579?qAb3B)tTO_sWN#?0@{~|Nid;{I*}C^Mpk?>3_Mw z`@hq7|99ByeTe@1-#LSSwOwoaE9$?kOG*ek_{Oikq7M=eun+!SdAIO`#lEXiO8H+e zr5y!)gSDJ~663$DjK?o*!3IcmQ)Q5R_}~NA$0`c8NZ*-M=qx7BjtMJrzs( z;ph5)AIU>6=>M*ge>|1{`$+zOd?emdyCG%ZDESgA1hDs?fGz~scUT%_MnQz!_U)Q} z%@0R>QgU!ky@jWzZ^XN2L`i_cePwDCP>8yL#U9Oq$61OgF-@D?qhwyk%~h3ya3Wr# zxjIMPqjTQ}P7~`-Ah=o|^AkRqQInS^1q`y(R6+rFb*H`gor|5lLLY?s@SxIM3HV&dX1>4;B_ zxw*Lk*0!a>d?}Y|Ae_$3K+|L|5Z*2o-DZo3Tl9RW`!hm47S~xNPCdc4qCLoF_ zR$J>7PeG!|X}3YoN)o^d+5I6n%skKu^6PPPJ3G5^4XjPhZ!iib2rqyT3iO)iUyg5o zgIC1qeei^=p#fLJPalUu;r%;Pq8ALbQ}5pfQ(fJH!J9Fn<2^8Fkw3wAVhD&EY=EY5 zGIFh3@iB5@FKJ1_#3bt;A>{eAK^jdXhmGj*U>@P!h512swu{{a`3?Lc7N`5UZ4woh z={PV!un5nswpkEpMbHi8JUVyH&CRt3@9Y9~t&q#@8$Z?m4t)O!Al{SILi)^AXM?D7 z_1D+#ptf@HpBG1TA@Mklyg0zo)K=hpsT+a|LnHB{zA8IEcLq|kew37y=X4#$4+cAZ z(iZty79k_7R?Lls=4L`JTcP0KV4q?!Elk5%vZZHH^rYRuCIF}Ja!KJc;N%sqo^*$X zqIg#)L<6Xxw;WhdC@E@dTi!yQRWij<2ie|}qNr5*8moFE2Z?Sou(B%TsTJ>5B9c#o zhHJy0T#|drS#>esEBe^&$fokqBA^q;0CY8omm)*-tum47C`31Hz;6Gb{y%*=xp z0-lsqRNWC|qDFuE5{%>ivJa1pJe~2jLv1DLeAFR7TV<70yKr3Q{XSDS6ch0lR0Pu{D?j90kLo{6X03%_2~mOjwq5+Wj$lCl05}HBjQQfgDbO8`ZNBWXvKb z*s-7VQ2r$gmLzxN(sd5xO8`zst{aec6E#OS=v7y zBkU{iEdB?piGkg^6~){{gJz}j>m6!D;*Za-DdGxFMui;3w9#-cX@C&Z<>ei}4; z85mr=y16`w2Hd{bT$1^35RIKEvkxTR-0=Lo04$FedgRZ7_{5dber(rg|io1t=E?b039;z4?GDSJn4aUD}5AMKW9|EmsfO zW&EC&eDrw()pE>M`DY^E#+-Jh*Ao1jfX9Zeb?q9qgaW$%65~Xp+h?WK;{w9gARu8i zdn{D`=CN=EKy}BbOg1>+&QwnlM}IB%Cs_m`l2;V$$#6iSBqI-G-7 z0euI?i+S_5`Jvha!T=Jp)~FR%eX2)xMb>k5k0+2GBk5Y6J6U|}-6UFfniJ|F`!QU3>ut67EMm`Fv?B_qv&n0PDJBI7D?SH>=P+%fRqmO6m9Ku#BC~8US z=TXIrVrl>~wkA=}s51Jq?qLmsQ{$CB&F^hvYic}>9RR)DsSb5H!IKx z$P&jQX5TMSq6u`z$8Di0D5=R@*eQG$$>S^T|2Y!>k3+JA!d4W?4XIlaY8y{0ImSlC zou5Z(YN~^E#5N+cG=TO+0DYNQ;6R)|cDMndOM)BGiz<7t>#67}y?~R56zORSkJWRp zc&3;Q6}xG4Z@{P&+HJn`WEMu&56YDI8h5tfwJ$}J4$>294BXq3Zu3w(flV)e}An8os8gCDo0viyDZ#r2>RKgyy3 zv>H;|>Gp^2n>xLeYNbV;3lGGC#So!iIHxFk@iF*gRE&ahiVhZu#4bU9&7kqR=bc49 z8>Y{p(2w7K|L|UFRHOT88vI^=Z?<|t@;B$z`_{og>EmC?y(n;9#34VPG%^^b>W5Z< ztz9d7`^bAJO;`+8(cmdd?PlH%L!6qH*N=!M!2^(%cY?O15A+}5NmL32` zMEt##kE_yfiN0v@LgeM+VsVRarA#>*(Mstg5az-ub1*bTzaKn$g^JGUcjEJt`3g*T z@P8-nA>wyc2Ee09u-o_v=_w%V&+_oDE{q$|Kz+(U2y z{M+=l=Wce;#mG24HDI_98U;yIYFPcK()X|Mk`7cShsXHeuW7zA@ z5{Ny2Z_B;4K*lrLX?tJqxb+8#71bnZG19+8);Xfp0)<3p6gg|)!-Vjw0+q=TmFU6A*e9Goiy7lrL_AJ6g1VNLLF7c5iukZwDj?=R)mtk1}9 z04(!>cAKn1!(Y{nj*WV;)@2wmqu9i6c?-IV70F`3`|%0+DQKefybjnmG`gwWy<>aI z{ZN`mh^YKZAARMI3Y%CGouh@cYW=w46y(_87b#r_)i3G1-<Wr}bloV$v( z^P!RLnTbYKAIY<;cO#++s(XGeBV!q3ejk?elNRX{$(j~I?Z#NVF)@Xp9teLk;euzY ze>2vy^L&EdWZf0cDVfJ2Rb53xXI=E%# zz16?gbxQETvhzBkKmEXerS~c5}6!@g zanDO;Id-oZOHKhIwhR%L;kPdXKdL_N*PAov=Bpsp^*4X_J%b=TyUF8fv%Jr4|BdD3 zA_uxiB!{*V75o96^9}+$lV$M>GzwZmeFD-=4gP~6Ea#QKS1ki8XhBNbD1BpZa&~MF z)0MVX2=}JSvoHT%sID-%nrJ6+ecFgHjoZb`F_{kXUfk_vhipyz>tyZ$=d>f9X9_s% z%XHJ%|GZXIE?cdmCtQ(`Vpj)b=O|lq+&VVb>`$+`i`T3@ z7h4+~b)VqP7e&9nH80)1c4|%=BOTYVV~CE3V&HHC?6i~3t^<{=we4G*wVt)!@HLyb zrx0I|qEi4$fPH1RlR?UuFZ%ZpkR|Jktt;n%ik8jm_L>bYNy(-D0ywP2gXs!4e|vI= zVrxK)XBQ1Pae9mxM~ zA$Xr+vWL2W1llCf2AJvnluHwEdfUjh4Y(iG?-OETUMjs(o_Xy3^5&3+MTF817g@Yc z-@`d<88_gqqV3qs+COO%EnzaGSwOh0gUgkJr#ia50>Zyiw8I|gihjDyY&bn<;_QPb zqNUyNUZYA#DvWgkt~9IG<F(z5CkZ>|Z1cEd%Q4kIMOw7k1K1aq z)Pr^ZkEy7v$r||8g~nt1H2}KUdk|{;kRgHF@Iqi{ z^Qd352^1Jvul((nLA#4-YohqG=A4}XJWnW;v|YOI_jA*5}i#d-@bg9^w~nt68Eatw%^qgq4g zU+RkwI$7)>w9{uF{5joQU#8|7AqFm%BR z)Jkz@`gZMY_WYcHU~EQBqx#hOKn`sUJ(HAF4vRR)xE*!qEBLSNLSp;{zJ`au7;1lO z2?=9rKnvnH^Z?Y{g6eILb4qGCwmG7bH#a>kk=d$My^WJu@d|st2jI)tf237 z`R7uh1UahDlJ_ya-c#~g238p4#MLRTFAJ4&U_TToJB5)pj{PT) zJRJ$9PMWSFiU3sf0y@PR$YTqY-Z=BW30Z2Yxfre!J?eXZJw<;eEM;VCE%_fEc0@fb z`!qvc`!U9M4X=joo;Ig*U)yj`I^QO%Lbh+{e5;& z>~VE!%*U~F`N+-`4D?MDphXGxs{Re?@Of@{*dcLqe+@_I#COZtcz$TzLuoIvd! zVbgRW&ggV4?&3G*^LYCAS$xwAKi0r6P8sbVQq$6kad1NA0$1s~UWa}iTMR<7`vl;J z@wb0$0%40G9_F3cH^PC8)4%L82pV?5OisZdTQ=D%(HOBnj<#rYV!l^hlc5K2t&f&k za6b=el88yg{CuFQ{UR&$Hs&u(`WGIV`+x@VaV3mTCs!(Ol!W_TltWoq#@=$9_SM)X z9iD;yI=0nXGc-KvoNMn*FmqhbUk6jvC2C zB(mqiM!v5Q?Yh$@H1-*xUNXrJh*VGr0vQ(Z=Y1nyyJfL=VHvu9)S`UwUxjKvc!c@~ zdXg1jlPBr?(XN*@n7ilVSzv71K8Ja(MoRSfeTG?l0uYz3xc?(5YJVO4{Gs`i--wzqMg0*J;v>Ewh zJkIc%_|M&kz%SC(1@z^8{h`Y+3FC#nT18Fg4jH>R&=?EEfa~(KIFa{Xf5rDKmIdW; z9e`VX-gl^qVy^^K4ryKuK2Re@l6?U3_xxJE&zog({}Q#~Cdf2tZjIk8bdB$!Np`wk z2y-~hc3EHjDPsnc!78aI7N*9%nH~_&nNfB*8A3h}DP3Kz3CIcDU~1mx7aEEe=7hQ> zq06a0Z8k4*9>GVz|4dJB$gp#m<}UpApbwpc3(unaUC9UH z=g1r6ipy*davUr}iYe)T01)2aNFigZc$IGROk>YA@q^gDXVQ$bG;H4P<+%MINWugj0t`TCU_irugBOnPuFuBRU)=*w4{sQ*8|i9mC1{g=ct2 zHIc(~5c}fC$31WP{FO^^Dk_kEVMS-nBJL3S6dee!qaN0U_fuB zr=`_+5w@?Judi{ZS}j#A-rwUqrqMfnBj7oJt7P+6!m{gsN_vFyUVq#jwUnII598$S}sPhN!yKeU{#qy7Z=3}S| zHW3(}Ge7$BBtizd@S2ub8^`3Li@XHp zj@l3LmhKaPbRW#Xni9227feYDi1zYxJ<=%>}4wh&2cw;VMp0-cUAB&%$er*)B zw^Z4ma(V*S*7nbp^6yVrrAfcH=>|uhXSjA&vDP2BcFHF6(ib!9ECLsUt^zvDE7WM+ zH&Zsvfc-EycvldbbJo{_Fo%vA<#(Fxwx!%=3`ab_`u%Scz&s-WB z5hKyjA^#CMYh;9`hW(Xe{P~X-SSZDBlJWo6LzfqTC;wBbR_W-FtIb{$T4AlA&B7*! zt+S8zS%$S^EZ@jz>BJZ@gI`aRyd&PMnDlB#9Bk6ze8bH(T(YLG$HcGZ@Z*S-_F~B3 znhYp=)T=zAwOMalHzx`hFHYaI&p7PV{oQG4px6z%(Z9mjj8_0$=Pz^V4 zoF{Sr8m{Dio`>9evb)tq-Z-V0R)S6ZA}xY6`*|h-zLxuO&2}2Anw0F@YMnu-gU^5a zY4d*(Nvc4ThtKNL$?E8(gCIscg!ymS5ml`@^eVPZnT?fIGAc~21iD= z$$KY00)3%IYoO2+E)*SVxBdcUkJ}3h(X`01Bm&R8^Aas`J}fC#<7Q?gdo|WSt@qH1 zfWJ2p-(Y?)V4gN*i!-Jt)&~cZAL|(xMw+@L8_MHK#n_(5McvE)Z8dYkd6yu&nVoFD zlah6+EdgAr_!_PS8PUkT?`?6F_ADiX8Y*my80PB~m~@&fi$>B_ ziCnVoSj<%DCq6REF5hr$n$b33#yVI?nOpDdtM*Jkkg)&je(B)7OX|kR7+!CUt7c7N z{VfbgkJIH=$)nUci<6cqBo9IwNcz+PIl47>p6}PGZyVtsJ#fCm7#`_R+WU0ia&p2Vy;&Bht{_NuXEt#^Qezv!!7l$0dEv*46C(k zsd>c9_{U}b5hnjV+YjM|Z%gE(DAecA6*RY1u43Y*)!5}^`;BJ(yJIAk_7v|3)3PIl z*Qx5=yk?cWfX-E{cEcwX+g^^cN!bl{byp7S&0J9#LN1SClxCeDL9Q1Z4r^vGrDC1A zEyK;$C;QrxxiQ*xIjXUWnYX657m0*Cj&1DBQJ8Mop5$-cP9@5a{_Ca5hr@42nR3-v zKb=;9`7+ge2&Y>-)gi{H&K3V2Y7Xs85#;qM6`Ox8*62c@>K5dRd4&?S8KJqP){kGMjBv|{5kb#5m@cpf1dfEKGHH^~6n@LF)Rw6sxaY0QAOzkxkL~AN?YX3NUpvx= z`QfQ`cJ;D|I4$KOD4^?l*6F+!(bW5Pm%uPn*Ln@}H$Jg9p9*%pbY0`tsdWnfVPq$`r&@!b`3H76wgmSrd?|))oWQ@h6k?raTBUl3y)Ti4|vU`%= zSkZy9!B&$2hgmlUbfkL@RyzCldYMGy>{f=GJlxEN(!E_mx91z{-xK6)?JvQ~K=-+P z&-l662k0hF9`JQ9DA1~A%2E9U00t}e3wX`Qd7OGjyOjU|121A;r}qPCf;MV>PQ;f8 zcIlvRX1~8EOv}K)padBH4n8;bKun*lw~aMZx6yStPlf)TE#MN0jf0bP<#u(t^QROq z{Ed7-EJb?+5bS%V;sFXDDt7h}ZJhOCH9Ze3Wq!^PshVft4!X*_!M!}c{I)q;Ti&jB zgxkr1upVc9*@Sj_U3scjOfpi#w3OW95+Jb16_|Chx3IuxIz&By_1x|EkHM;Uq_%Ke zrU%ucoZ6U%8j~Y?`nH8Lb&mP-9?c{DNt`$heqWY|t?zEj6qw(21h}%i4^f?wTJO>K$A;b6+uQ%RPmM1X!!q3I@VcMbrF8H=yFD$|u2lrB<;>vD zzR&jdWyf0+gCiu*-H2cQt3P_53ck^2ZWK<9M4IptpZ;ill6$niy7o)2i_hwPqq!O0 zVfz=1Do`Fy-1Ig~8F!4j)!o?+eslf3-8@s(!p|sJECLA2`{Ln*w6(Qrm|r($0+U`b z1PsN;$J2m^7uOw4lZ2k*%I$%VKCGdkammnWhA2~mr`6mvF`eMtS0-D=g0_0h{# zElWLB14<2zX3s|8r97!t8WFE?g;h|J?eL^If!*}kET@IuwaO!Xbj}4(y|UPR@Q9tb z3Lvnhx$hs-8VQ{z@i^ucKH8`#D!u^hi<9ZQSIEpzu|p&uzORUZDU_gX?nU4 zFwbbN)z!oDQx8wFJ}HCi%IaL5?f7Z zf50o97)gh<1LUC(=g~*xPI$0E)0bbg@V`J=x91YOBIb9E!8oCVBf4g^26H)6Du@;} z<8_TqOE#+@uj6Odw*_+qr!0HB^?TTX8mh2fBlpEd=vCr6a&Q)1L``j1|m*oTSX2@>;3 zSrAebac58j}C14ut z*O~cOQ)5UO%Rr$#8W;{H5W71W!zBbHaXae)c7M+?91Okoj|v+pG)> zzDvBe82%AND=(MyhA}3~a^hFNM-#@2%Fg{~i0zAy^8rM)eo96Y@x~fj=A8Qo{kiki zGXt(W!{4^ni{Cmzf&oU${L!XeefG_15WMvpxUYh@HS0WgfG*SPu7UU57l@*`s&?KC z0VSILE5_^o5Mvm!Ce`*5@gwpXC@O)rV=WLO06jVSbf&reWos~3r)zw?c3A;tHi0pB zPea%5-le@Bptqqj7IbnC+>S^?n5$uqX?bS>Bma)~oW$NGh;EW9>{Pkt;>v$xbQxm( zlO}pzP#CFdXvV(oCUL3$foC(Rt5?=Ss8rnk3L#&mu#V3>&{fB(W0cq2c~k#=lmnZT$?at>()h@n$bF2K=l6I2Ee*DK2wCu2J(D8$&v6@2Y?_0vHT9U@j zy}?OcM7&O2fHWi{*9a&piEZd&Lb!g7eZ99oRca<6U_RPx9EcpoeM+nT3mKhrveam=FcZ_ioj>j&3Z+;LV#^|>|M^8r= z1^7iXFHdb5=3UlPvN&nu4D}>>7Fls~O0tRV$;Yyje(G+U27Ul%n`2{l4ca0;mKE$t z8iyqTGoJ1IQew8A4aVWg7c$QkfAO5<&lT0tI{?{hL?`7;)n>z* z{CJo7!~Unw^xML(m7rJRvtD$*YIA^Z0(#;Ey{xZMijrzbyx$?%$-fO*B!(ARjHHmT zqsRDN*~GO28EymIYt;PsZGj*pc>Co1d)lHW$`M|eYqsc(J{WU9SF`m@vl^2M<~ z=jMnS@|;|_duW_iO&v;CU|^3(REmskNuNlULyDcOsr^4%0Ej*t2z&g_rRU{S<)*yY zt+))60%K~|O?XxyAciM}4Q&BYE$6U+z>>GKqXrSydQ}z^Om@qFV!+wA-|nYR(vpP6 zxzvgaZ;Z9+cXD?z=#}`LILl5{5cHT_fVV=wAzmlODMuCAER=4ltz;4svw@$dTD?uFopfu0jPm{Zr7MIg0w9xu>1m;4WPUjlAoMV%<* zTo(e$i|(;}DR;#SLFHxC$q?i}u0gIGZ28?^1HvNb-+U)7Te$7)%hg?~ZmO=@R-{}N z!k#^RvoAN0hdpNdv3dsO;7MCJ7@>k^ex%uE9|j7nyR+ZJ7Hh6AtZ2?PkU_^ zC6Oac1@YU5kOT`)w$|A7>_5Zf{8q6APg*BJInwzOCg5L!AH0OycK+tFbk*X$fS1)@ zL)tci9$9tRqlq4ODr*H}pNnS%e&cl{M_xO5$b*}v71GHj+Mw2o$sx1O%>wS9KM zCC*ypU+Ng@RL4339d7dC#?!=jiRY(BAeox8Ow^#By@E^iU8~e9Bq(g~C^+)HAR4H% zz5dJG=JOYQywwGDeu*V{q4fAODme$2Kdem!M?Ju>SwHE!9f|jjDirZK=WpaZz9u_9 zKMN9ghk~|x`5?oZtPeTpUeJTB`uX-LQD#dnz2W7)MwKzo{J~w$JBzaz~?kmZN6Lv4&Uug&2=d9M) zaAf)D2OT7*F`K(lIAZwbcBQObck?=_CY#EGtR15S9|g1K%?#i3Q(R+D*@%|DSXpX* z)uUf6dm}SYM19b~AsihyKL)f7%_jffanF(UyTP`@1rSc5?1~@YKIY35D zP2zPvs6}0}H77wIx@@^{#tbh(N#uNt@+_=+O={y;ziy7M4Od)=-k6s24fS-r<6U!v zw;GTSb>g>f=B1dUZ8OpCwnF-!wNxc(3bhq|b(mT;9u%Nu&Ie5}`~LWdL$xbn=A`ywJd9=!@LoIOg(wk29HMBf8kKa9m(%@(HH);26g~FtB0& zD#0=8WB$bB3k~jM%MkGZ2IuLJD7s5Zh&n=Yn)5Q!;3h8h)0GYl)K2`}1juG_k=rB! z*WSJe_JrB?XI|v9(&uD{lck2K?;fFKE-~xJ@Td(5`WF;o8maJv>kwN|VJqc)FQzlyQLJns<^1zL06M~lH?c#KE*@1hin%T7=5 z^CUZMVr(YTOO*#}1e%78Getu}ZyYlpZAsT&Cq#@$ z#*`DlFbkh9FnjE0P=nF_&8nvy8Qs4o($2N!(?}c>b%vMhvVT&Y^)cH!E^h>U$Cbc< zPI;Jyqg<(cJIU2+8j?&l%a)jaF}GsYR~KoyVWF|oqPy< zGbZ{p%g*|5C;1=n8hAU%E9eotAEW;{AI(>jyFK{o9|DJf?wsgw!zy#Ojs!=8YI^RsGGXvmzU%A zYZnA?zq8Xk%}tEN1Z`1ZN_c#QQ16uh6uf2bfs-{Z0n+w$0w0pia%kya5T|+(ODwsZhqJ{%7448?k_=f>)B%4u(al#lFc8t z!Z$I9TE9gy{*>fftT*?_A&KrM(x9LeZ{&^%rDvt1xi)#Bm(aj~t;j=o;ODEHV7rYu z>hEc=Fs-vU^sMMN00Ca>_2gH1coK#M+J1lO_^=Z(c@8R7HjuUylR@{UWvTY*j5_M zIK?jXqa0$5UhE)D+b`N)m^G87$}Ld$pQu=6kAziq%(*6+5*6I7H2MC}G{>4bj7$!? zdGxhWoh|UmrWMg;CD0uEQWqc`vc%#0)$x7Q7rL^SRVKpa^+=@!%SSZxV)VW&Vh+?_ zs<-R*b2~a6bYW*N2n{bq!w5=S)xw-#DL|9V`QD4bw}urSerfg19IF>A#N6bxzK#7m zUu2$o8%AI}`-#5%C|#j<^bD9usfdsIrU!a=kv*b)GJ-(tEOc{x`RquyW5zju>9HQa za;DAxABPv3qjiwTg73teLtBc*2N9Mu)Ol+ep0E)ym!$N&eYPWG2*Ic?&LzqLl`87| z&z^b&4`t>z$G0LCu$F^KC*w(`SE*}kYdtn#Vk!~*ziLV=og^le>ga9Fu2q*lTpI5>ND?zQpHRh-O4e>)do=fxB#A&B@ ze!IDjG%c1^P+%7(p$XAaTCC8;1 zR}$YqkI8;98fU&9PwlS3Faq)5Z{B1@*f)2j!gNU0Sa{M%c48hOF(M z(W=8vlq&;xwx^F&I6JmPeK_5>qZ0ir(n5)Nt3q?Ki>~s#CX1~H9C;N6cez?Q(AWJ> zrn9G4{@nr)T7(x-^^PjflS)2ts^;51uPs;W9M$^FPuSk)X+hajLZGyFkNN)ecWCSY zM^k1TAODA%h3)FKQV;JcJT=df1Fwm5xi6iQ5F!_;A(bmBRr*6+q- z{BK!SO;rXB*6e%`gx7BT2)=y~N#%>3r^JLT?6*7_AsL68a&JhH;G%61AMIyvfZu<{ z|5EfFF577yf_rFX*4Jui0Aiq*YoPV39gT^%ucDvVw_QB(MnyMpf^sedlMo;7M`X5r z-tM7*$0Sqku@x|ox2CE}XF_}fG5P>0-1pwdM%h|vRcGyV2@{}*QE(X(vGl|7=V>0T z8@CBWFxM(Yv0U#?lZH@(61-g(#(ykHQnZE!k@mJRq~iF z{toiU6Z0UHeisLClm8Ak+|1*e-Z_Z0;=Rk+GNEr^$W7q@O}3|BIg>N|*3MELBD2~W zKibkuV_V`D+ih4T#H-mIZ@{9VL9xLjwvq`Zpfq8^;7iKq@aO&4EV#bHHRXSpSwO1OnXg2_yt zpe`p}UIp;%pGgqOozFnJxPLCFeP^_I=1?zCmvWy5TaCPRzea_cvV7OHeZRQ&WS8Am z@W%jawtxuYSZ6`Uf~Yp{sM89McRc2%jX;q{&91~IRj!gC_rLme*2-}DkW&%l3q)*& zvW0=U5>43@ZpL>X9_K4HLiwiMBCJle0$rIwE5mA{+>@hFNiOxT;Cs!n9@HuV)@t1- zvWgzgD}yXOseO@v7-tB53Jezgf;eU(Olcw2OngF%;woMnZ8EI$iZI&|bbY#) zqBUe<^jK|A4!US5Qg2Dun2m5e+F&)$P5rn&5bYswg2X`H42v3yKy~B&($L`VHQDXP zlTbsw#nzW6D;WyR7Hi*;4b{=V*D&=hCwlh`4QD;VY?gDjmZp+|irxe*q3y4l0Ot111WRadtObWSr42T z1dX>1Cs!pqENlg0jz5Ew`L(EX#~AfuCjtHD;%zPQfCua{l44E$0t1Pz5YZ{R|LM59 zwnC#&xg_mC;1Dt?gryu&1FtnEFMsOE66Kfo;J!+^r2)Gx;=le^qep-!=t@<9zu5M- zvzm0-#PE%0pP=tu(Q^}=AH^vtW--MA?;81EixkjwI3kMcyWS-^@62_|K{6TyGK(-l zz=*`+O0+)tB5PNw01gQ2sr1?K#2VOSs$Q6#XZ3|=dE`={tDsTK`^z;W0~ZEOi! zTfS0SeA~}7x68CT3Q#%R#OtGOYSVq}8Zm-h*_;|KB29Xs$_Y|J1ck&ud^@cB(ByIh zdC|OF+Dkbt<+Ce=(Yu_;sJLHpnt^$;0}z)5B(NMjcWbDaZ zCe4czRXaTP$y=h4MmIGYBroCMJ}xKDIRfMSY*e3yVB&j(cM*Y~+G7xGL>KQsasgh8 z{+_+m?CbO?;wqLD1Lpsmyqpr||Eg2*sb3ECdRHW=@i99w^{fHi&SAEPX8^RU#SLL`B)FO1~%8Q1}<_h-o*eA(Z~x`whtIw#z9 zVaE|~x2u*Q`-?l$751n7{z=^dP(0-BHYhxpG$9i)a-HNyKcz1B`zY3yFbO>Qb8&W~ z#>pd3&w)pjd+;W;w)nBV;PC9m!yg3R(nKv(|Amc1V<4>RHCEr8lCpYa$KRaK8*{Rs zO~%#1f6M;N(iEtP0&Vw!(<;~XVnVSC4zlc*8q*bt6I&I_T}3wuqH8t3Kwi3DF&^7? zBH*W8H+01n;a`o#s3c7aR2cSqm%nzw zcv0`AQ1kae-!5v)?%)QbS9DH@VP09X5OR#Ozz|`&-5o#36^`TcDH744W0ddl`32$g z=o96wS+*3?BwcczPgVpWD`v#{=g!nm)g%0`g?lv@A6n_N_p%La=cl{}z7VwCN9uX% zYMGVU`d!3^8@7O&;L}=qzB2Zm*BG7dxwN}x_%j${k)e8h2no@M+j*5&k5t}}h2UYe zYLDXHo4p+SDMQ^za`O9zPf<*_`0d5oEJs4<>u|@2x&cZ#6BSN~ji{u7*r#(I)2Ozm zyJ;?G0+J@n!!;Z_es!Kr)(Cf_YwkSmYwvKJLbN*{x2`v z8zSw0m}(e5CSWlMvtttNGQGMDJh{y5V3H|TY*CUD@g@P^)ltCcU+R!|&}1cINNPsP z$>by>G7$09X;83lOC=7lRBl2Y_X8L!;e#fmT0aeqM!64;9PtKLGU5n!rPH_{dRAan z6wQwkR`7biUbL#TIsP=5(NCRUj^Z2$uTnX#|8PV~cEc0lue|!E%kBOsy28w3?9<(W zHs|h%^rUyd8kE-XpK(Z2mA|)TIGMo@QFZ}nn9{%6!L2uh1;~x|oiA3G21b*1rXh>s zHZP~Gb!L#?mc7NMccObb;ibcS>#?H}Cn2Z?gGn<-3TEd(bBBM0NoCP~FZjLSE`BZk z1y`i^Id|9ot{)VLB9ROeJ2!DoT=aM?NDJ9mWpvGyZ3FP|z+d7qKZHQ^@Pa9q z2pK}S{^*n8qtjZLhmuBeyf&Dry^S5?sU`SHg~lW5sk#MdarYaryJt;{48*9m5u3;8 z*r^C96)!G$lYHArH(pIPtUb0qdx`V7*ZB#E&{~yNmj9l~gtMZc%rbN75PC}Z_QdJO z@-fs>TdFVTo%Ka!JAV=PxD)O+BBcbc$r0=5Aw&#|-4jKJfSb_mg6n_7JuYqnUp@elO7-Ha@{bwRuIzsuuqoL3dCPnmVUgOb$PrXblyU*RJYEj?wcrAAqV zc9|h9PSg30tRomPS(_HZj!E#w#@+_~QBb!2<|Sn>M!AD+CU*^<8ai#}Agssij@@%N zYyzj>Y-f=EK`0ZoDGf3a`p= zqHdPS!MNLg`0m1nw_V<}R`-;42ec!UcV)G_c1910v)lV_qi>rUh5n(%wNnRGaXTDN zpCy%O3U%{RA7DrPt6!hZkEjnHeLesM1YEZlY@r`wxGx?Y#@^YO)ccPa$&HQe`YrdZ z6GxjXPj9MJCkC$k zJr$^Nce9EP>sayE9uD7?`9N0=${wud*-1q$=-!Z+m+j=@pi6)uM|B*cHM_l!9?RtL zJ7iq*QxRDG)f!{b3&wFTeSJ249?n-dMpS=4Hb{StVQ&gcn2}i})XoFNoCK~Pg&9_m z?ui5UhyqfyT}|Vl67iN&@SJ|nus`J3^3zQx_P~`$J#gcsDN@-2=>!y=IpMz2coBY6 z_GvH_wi5=?uNQ5*Fn<^DuJ;iPyu4aJA;0`s`7c+r9A`BCVH} zf_qg@a+OQVZZYmJ1>8a=>Kd}*o%s>T_F^7CE1Yo=a?@W_#CQ10v*sHi>|1YTCy-hG zen0ET?Tx0-WLtDArz`$UW0bx-5@=a;`mpEc?wXSqU3_!>to%W63X)n49I%^lNb2jQe#aPm)8= z&k3jw=cs{~rzXa#Tz))f7AN*P5JstH5!ccDZRVGb-@kL&J^hcKX^%4Z2xdFAMh% zt>!Qa>2N+$u@Bav)ioD0K@1~SF-I9fNILAu%yBw=wEldJbbZPxK*MGHY^6KARSdBU zF(!yJGU<4B^8=|uI(hERMg4bWpex;lGP62r)m^P|E!-tJw-%B1C@3h-XV-&>|glIi%Y%5HcoDSvV3)aC5l1aHk&U7IWD$ie5(X4F9iN^>!1OD!cO zC-q#-B3laUEEBcka|ogIGoH`u<)1olbeBg20z~>rJxSUs3;7QI(6j=y!q&a4jbHct zZ8fqFcHOBU^WE;chy={u4~eJ;B4GjC|w5LKyx9sk_Mw ztkX`1egmE|*3X!?8;T2KB#DjU8mhrlnG*G;MjUA@LO|VM66{L3eICXPQ@&PfB5x70vD7_jHpS*G*wD$0e0>VKKgV zf^ymjpH}o2z;UQNjX|$(u(Sd}Ib=^rIljejs*}yl-l=8|1y6x|q)}ZlL zC>Vv=GrqN-K%HJuW<>4OqnTHD5U0F&)R9k)@N89rOO*iYK+nxRs_}ytePJY*mH4#X zZj`X{;VlzfMWUF>aA)@mzThpz`^?=*?w@}iuQB9uN{yV?jNMigUN#cGV%*^>)R?Hq+()x1HBY+tiPxV=W zk5;JzB3bb4bZHT${jgQ|+RX<&+I!kxE;QgB1VQx9n0E|?CUZz?%P+aN^Y>q!f}U?n zOal)F*P}tovkknDxN)wq{!$`vI*A-&+OI6Bm%C*v+h@U@nQTzFKDZ9!9wlZ9(X5&# z4JpI6QxfpaN4mAHm@Q3s`%uH#*60m#}O_Nmz#8Yx+IjUp$l z5-Tq8gnA47>^M?X4PSx56;D%DXGd&@ug&9lI5;YnN@fI{GY>u8=bG}BdrBVG5p9Gq zA3RtKM;1+QiS7L}CpM2!Jb%~3^IApOKA_J_&WBs(kOYb*2aQ=pVYsVN_v$f=EqyoU zFTB!SVTViiijLBFZ_^6|O|XR%@LB~7Iiz`1aqvb2+iX}k@+PLx7s&Lrj}b9xP)|Pg zn?kYwrB-7gp$BovxjjKiY_|95fW>s%=rW*A{7K1MCL$+#4(Tz-a#bqsF z(OKG-#B_Qu)o8@#Q5wgZP1G_uR?wAESB@985Ln5njjzI7cjZ>0HAKwEXj2TXleO?q zLc2m0bgV^(iJlhJ6Wic{?Lc_5W-U6;e^!j^Dt6iVzL~odg zr*ke-&2d(?pQXlS52xzPlqH$4XH@h|8nAXVlHL*9+#L+y35`GNc?plsQwHwu7q_3| zFki#OGS;#W77dWIyTXsMR_O^2BZLv(d#LtxD+ny3Dxg*_bKZlcO)Mjw!W(}Zl=IQN z3xZi!CDEAbXB&dE!owBAo~p}Z#PF0Wa@<>bU0N>cU1Id`v<7p*@`l)7bnFA9BwzUByaRMI0L@} z0>%S7z)J?)3L61&qv3S#cAEys$XjC1{0TIphYuXd<0)umS<+(8`l=w zW@d}(iKne-GW-Ypnc6@&`OvN_W7)9Eh*s+Mw&l?84&nwc;ztL8<{ z&Y~)1HFS0E_$@&2wBkOTfpL6m@gyKSOo#hyrnlJ!9_N$BqW!xp>EPgNFUjaP!kfE% z07}zn$sNF13HPsP*(+~aI1~egR`YE zHK{s)cO)U8>@Mg5?z4 zkLRb3#Cz`CwigNqv|_ru>EPAypYO0;my?UELGlC&!4y9nO_9btOf9K3DhdhiyYxiU zz8JPc;bH?D?mnAl{bH`;2SGihoa$S4oLcgRGwn1Sp*K<(1kIj;U5x-|WNL?#=IZ41 zqqwOg3f7eHV@?M`jN>tz>Bukv$EE!#+hXP3=F)Zu!{zYvl;c2iQe{(?BHEZ^Fz@93 z$#`spQEbJer(}~`TMPIzTj|+N?r^B7}%>CHeor;!bW}^To4Zj0NH!8l#d|* z$0faccj(857^ha#vkz$@Xr(a-!+4tFgxMEaj+11UI35U5;({b@QHH zMJi1adsT266C;i!7UQ9nj2H`l>*I}JQUwv^6ja59RHtm|BEIXj?uqBo;3iM{=>+No z+T3|Sd7!gJ)!AU3{ilGgXpg6mP=f9OK8~{$tV}q5eowgPbeN`XuZyX}FUCPe&rMY`+t%i$y7xB?O zReQma?(w$WK)9JI>97Vautzbr_Fb@V*Q$Ax{K1r5St0WiqqAGpYbyep1 zBxh--7*1Om)1wGXnB(>>#p!SIk6B_sQ>UEhE@jW|36fJZCykc!oHtIq&U(K17Gp$5 ztOgt1!S}eU@kRk=b;7M^V2Yp!o)Tl5`2Z)_8U|qEMvLwIDoApjFz*a0lM{Q?w>KG5 z8m8-xYy!I6Ye<8p!&UL{Gb&KN`=BRPfMIF|&RqM2U6g@txGQn5F##l~F-LVe(8Tvd zE^CFdkKlx2E6HXDH)v9{N129*iotKe2@g>}{XiMxb9_+09CvuF;>+f#2_Lp5N}K^%ta?aI8_ogEdyLxjS_V*;Q4UkIp+atI4>XPJ-H5zdry=% zKWcV^J>N}org-){OV3sxRe%P?yRXava9CYMU5c3VS(;ke-Td;yCfN72k4gKYZzca; zS0`@>@0r=u0%*iMlV9b|IXjKhwGlVu@ojX`(xyYyos;7)&Kl3F5D|Qu@sqJg*XP>i zge=b4-U^_StHa^aW?MY-~yu__yx1XbtI$ls^fLOMG@!b1N-A|1iz-{Q+*~M!Ht?6rA)681Oe6!X9xp$lOd(D33#@s$NR=|UvmgrEeUkt4l)XrD$-WgkmJ*;`c!(55BtAdIxK+A3|Nm%^1X z{>^{{CIwa~_q4RPbry-)5xa93=WFFsRnDlG0_z!*r6iR6ODsQNm|eXS=(ebd4J5fp zH;s*1i$mWe^t^C<6M|z1z44Z#Iq&ypU-1t$k3(-&5xYnN=SX?^8g_bxG(z56V{YLd z4&G$S8ZpsMVygXGZsE>sRFxQc$`1OW5-)lh!Dzg42h{kHQm%hYulFXMA<)7H$w(ir zT%t9PCjkimS7+{`bkg@Lm=aFdQ9BBz0YEj0?WcB5;U+lL+w=qIvDdM-hhM3L`+l0@ zyNQdhwCLx;x0)svvwgd0c%ogY z+xfH0k*5I0fNZzi;7x-lXg>u+ktv!8J3b2UUtMWQJgOokFIv|g_7@OH<<;0p*0iU6<1G_d3 zyPVaaM;pTuDg^YNT#)0<9kYJpLgQ)9z|H3evwOXeF@US1BY+e$3TMecKmA-hc%6}P zyK84Gq3T^SNF?A0{!ME!e6w%ayb-!V)?@u-(`;nDd}}yd=KRqXaVfMJJI%^OY*@y6 z5~5))0$ZVf9{k2oldd$qgLtkp)px=V6Og3ZN^pwSk`4*`tZQL~2kGX|&bJSu7LEB_ht#b+}Ly7KmC7`c@#qp)nc z7ptuyz7L5SV7M(oFhN|rGR$$cn`}B}(~r`N&VRZdj1%(MwON%)AcD*k7*2YA;e@|} z{O!+Ps{6C!K!6bZjcT|3q?6~eH>bAHDtKognbj!zCiBg;DZ`-=naHHclX?zZ`M~&R zR>8UuKXlgp9A!Zr0D!dR9&=HrT41%T2ArNA3IRz^@|6QDkB36G1kUOo9Y{xXG}w|} zm|{$mO?!Jwi2B)MoilJ822>vNNeHiIbhQ?+N)f%F^_V|Cp>p1y}3A(N_ zqAHTFej-zj=^&{%0Ud$Y#~V-%(a#-dSR}HSq&g}aXvL%(V=7pbo~E6O6l@qnsc(z~ zj9Z5>rFg$Zj1cv`8S}q}4n}&T6+dG8Oki?IZ?%e`$c=A%{%*18Q7g=kiz!8rTkl>dB~%^INFz4f*GG8won~Jk z@qVLQ^hoRidldzpRQEl+cE~qj>|iDT5%N(}-;ermUcOKc$J?kq3KHR)d~_tYN`H;& ziAC*BnZF9y%iz=Hi~&uiyfscRjxj!*W2}z;VO2krua?DPuddRhi0ETxn{Watt?-I| z7XR9^sNAYq@G376Xu1ZMilu!C(Vb(G63NR)mc*pZE zl(`%W^>ok8_jQ`z&69s8aC+Jm{_5B^BE&p;`F+e&Oem#KPP9 z^IOQzF}kp;CgmZQhfU|Qm3mC`C(e6g-dIBhV3$7l3U+aLkggC?bCGZW!h)j6II?I&D|ox=y-G+QX*AuBMr zv~s|^iTPoca+b`&2SH&V!&Z8X`gCnW+IMCv>5!;y%>(t|Lyovn#igL!GNP6X@O~Ur zn4doq>YC|!9w6qP&H6XB_!dbNp)R4XBS9Qq$(serdRZ2Zi}l@N@r5U9jQXErb@erR zELmRS6Ji3Q+TEP`@b*{9%oJXe5Myxct*7g&d8L-X8%300@o#aPB`TX$(D;&oCF2gx zde_<<-5!GciWF!?%~pluLmjErezL~$o7U*GHvf+zG+_uUjGt%{51w@4f?=s?VctR5 zc{$4Ka2-7{WzvyFQWM`_k+ypBV$a(7a9FWKx21L4g(68wn}@D_uuFPDLi&6m=n<5a zCBfaAbe!KzzjqTXJUW;bw!%!9aU%}piYF!javshL%e((t`dHp$2a%d{NV|o+it-7mFppBmEFGLGX61$H1OehE|CP1JBUv{O zS?$-st{A--xwR6HFa5(CW9-OhxDO{_w-wTXtSSB!9mQG7SF zakR3p`wT;H^_rB{{x}9zYVpCD?X#c9ZrTbp<`z%6*E#m++V?|-8$5SGmCATQ6(<#( z^)*ep+ab}vWgRCmqIO=)#Ot`{b=}6639cre9jW=>jwdEEHqohQAN@wSmmULxF;^Y( znWnbqC3F-yjwfu!cssuo!`$~+Li0&2hFgu)OLI4N-;^Io?o2(LejD@7D%`m~<q{6#LgP^XX zA@I0Va}t8_dBBWqM+4dZbrB|VT4}{ck&9IuC#-CIx=J} zK2`WGG~-wr%Zz0GOL{TdRYWv;m#ShU|WQ?qY~hJ@K)Jl5!mY=))Ki-*3D6#C^a zGZW-|$VCP5dl%+(gE+4a{hRY-pP=?mjA4D>=bS~vNB(Ql_}c?^2>ZTPCiu|qG)n+C zl~UMUy~8M-YFL7SSyOWk%A#-s-e*&ZZF(Q~eBI~yrG5=ik(G~4rS!Q>u2#4cfzrGc zC^4l>)ksp(&RvP23^OVlA2b|kkQPevF&rswr&5W}d6}BDvCJ|>i{*1LNv6LoV};QB z?due8s4fv~Wea_=za;Rn6!&QSL+e7Dfw+dHJot#k_3g5?-m?s^;cGnGW=ZCdmMH11 zxbWW+BjNHWCX(P_AABP0H(F?w>XOf`4?aE;u+SxMm%{~JUaiJQcsQv|q{z?eH1~N{ z*MLgcW{(O0XBjR!U7}})-G7Ijz$4OB!Je2 z5X)p%Lt6bH-!{^ghFV!-VW8l3eY(jaxb1GGOefh6KE<^IN*852w_jEppRcK|`xb|4 z)Hpaj)Ty&ulq@h^kwoBO@0^^;=aw`?A!-=Ms@U-7#y$NxD>q?r$xY%q3t~iL&c!Kb zNb7}>_nzj?!uM#4twsZ0H|=TPmigNHD2};?;o;n)_3Ibc2S7b5mx6RG+XZK2RtKXc zW=+*A&ZH;!@eB$E*KCz?5bk;TnTrBi!aEf6MVs&F<+^|mZRJDr1@W|a1j>LcTC5bx zFMsa3WSSoY(o0t-Yh@BD_dyppXp){)Z=9<*R2*EX{|%&#u1L3E1mn|6&8xbSt~|II ziswG?W(fjK7h#t>JNuHTQgS~mRhBO@vUBTQW{R^AE38u_FKOsA*SHZ6i+E_qZEV6G zo^TkFz+Wf%jQ*TxD8J}cYpv?g0>&>5)Y(Lo*L6)Uj>vdA7A!8l$GbFqP+x1aV1>4I z3iU43>AX%joh>FRcOPnPr+&Gh>D8+1B%1ajK9FXgvfKd?qw~zmr-#NU9^JI|{P(9E zj5pf&rMX;b{G+#fCrXhqeqpLe0D@((W`48xbb<2e6{-}wC?oUUsiwq#CGmf827eLz zmFOLHvrsJpxKnTJ2M1#NdE+x$ZBT_@^3;4OeWzvpvtIlh(L=t9rO&00KhaF`Ek1ES zNd>cRJUlhG@b%_=e>A3c8XfIcS6P^E%a&}^%WGLmA>jD7E$DPpLDsB^Dw0G>gz0?W zq4s2_`~WoVZ6-h^i6MwDNTZY>j{=GyTTcYR5O8=P`JBka8wA zXeql@&g0tmu3zjcC#e<|*rZrS!H#^o7`ma|B(N9Zrf!b-u>Z>-wpc*Aj%Mx%YOOj? zXyfsxpD5A9MM^loCQ)k9yYEsawfDsC>zwvYAvozwVf*%Q8!mjYips}LuO?R1*u*YF zR;qp2hG3$?)ZY(P{OLc?*%%p#Ue1R`D7cc*CyVwWH1G>#T0~Dr12OaY{_gH>zi0WoVzd*+>`S;C~I_WSBIk~lZ0Y^)UWD$I+-ptTvA!IWy6Tw!;I#kZRh_YAePPW-JI{wKesf9Ik(hkUV3I*wdZHP9eZ z=3`U*x5)87Sc5THtPrstn#<}_!vsyESI%y!(aBtw^&jkH@vN97GQ7Xm#Ka@@1I{+t zEj9z;Ekl_lf&uEjsG9;&A*8ar5A(d44`&)>vgCCeT4=yiaW_g_1U{v?u!%~{_4wvky5zeyO_V~I=iGFw=$aQ7AC ziWvXqTRXq-Jd0~Y(vG@oH#HwUQ%}{b-8_$482E^B4|!CgAwEf5n7py*PE1WI_2$N7 z|0RpUij1(DE?v4;p_q2Gf0mBQJrna^NFU4h9bRxS6J({o2QK+Z)rvDBU(~XwPm?Ws@6tU7@Sjg*d9AFt5mK zmR{Ab`5f7DqfkTfXQVi!)vwa;3nNwB?k{)7?iUeNkmBn#IiC1a?m{j&-r|v%JvZc_-HwDwmyZTIS)}CN*w|?H+!nGB_&X ztrC@#_Nicpp{Jj-V3|cM>1rnbLx#mx7LPzUU)$EKlu&W$6HJfh=21q4vH5L!igHk% zmz(QO-ixi2)YLt#a+_9{i85R@LUiP5b@pPC5uQ`n|H3j^$#}7nR$2Hs`AhY@yAa2I z(4`(9Xb}oc9pnTx$$$K6a^Paem%TK`vB(B(Fly-CXs(*AE{uJh3o3RQ{h;E&aG!*d z`U723cU~x=MC)732Il1ek&a6(Xfo(fRZElT6L(V0CB|F#{=96zJcB0uacOKwvX++i z_1S>SVb}Ewp&zH)&ex@QIu8(ScWJ$KBXu;I7l+;o2AXXJ=R2I-0~C%A)3G$SP7k@Z z@>4`*J+w-f&lX9w!@uW6e>%;7Q+PNF`99gr^FIORA56&q`S~GSQWHQxQ1e~b@)hN{ zWpL|ZBV+k~oc{jz z>G3sYc4*5L{()hv6O$+!_ptd(_J*>&I(znhY?ef_dG*zgt9f$Oo8$H!_v%J|?_UoL zwC%s2&0|y*5}!C6 zA8XD!aFknvU1L|RB45UqJsrCG>X&?#-lcKYGI_e+kb&xhz5J@3L6u}V6L-~(wDkXF zZG3aaev?)iz8ErP9Nxbsi&wYRXUyDPpR~PgrEL^pYmmR7GRVrhhu#vQ1%I<@{!z3} zFF)8cNh?Xwm3TYX(lC>CbmOL^Vp8WoKZlT#nR{TjQmIzM27NR_JBUNS#KCqePZ#5k zOT$p9bdJOhW1vX$AUVk-2^jTG*ApG-ls*dMc$BXaZcI}z(%^Dd)m`NR7pYlsefE0q zKgXjW@0VlWI*i>)T^L)A+#`=>mlBM;{Wn|28S`tkbifX=nXIhIrOgvnh(1&yF#qyY zPe_o=MjSnZ;o#;_!kuV(+oj#kui~#m)B^pr#U%y$0NJm$ow7P{4cm-RFm z{QOjy$@1DQxqdXSevhNGksv{r@sLlmW7cPI={lgwb!rB0>gD|ZW(0+m5XfwH1Z>m@ z;+xmnMrtg~ZN>~!8^oXz2!m~= z^g&8Tj9G~W@0UVxKml?J%^E%ai5Y1x*Cu@QQ@{<~a={lZ6T*E&M5@d8iL<9JNeN2_ z;}-VyG~@IvaypJ5z9iKy9gi$pSfn17U;OY!rUo?J8#go@q4aB`Au@home$eGdVCS( zyVj1>kj^Q5Q?i9cK5wT9iSpi-msYPD@_)#&oUWEQnPe~jKQq_=c7_0);|M3TIQecq zB%nT1eNwldbor$x11gg(5pa_0Tcw2&+$YX7tob?41|r`VU$DgV$Nz}R>vA|%%WZZL zRHM-JB_>nJ>jXNwTZ2(=kku*%Qz3EGgQCOq|6-IRLMeG8Agwj7D>-g zk-^dDx~#^5V2OKeg{YBGHKOSM=+p99a-Gn6raUW#j9YrH&S7tN62O;O06|J!Q*&K^ zCh61e@JAIHp@5Z$B#X@m%hm#&Fz!&SaES;{=;cvL43XYA^n(cb95lzLOy_jx&fC^X zolg&JW?*R<`W$+4{5gXU2V~gpKaf#bRuu^GIj;BdfbFtDi#}V5)DP(R@V@LPo2am~ zS4`(wDR@hI@h19QN@hJW;6AG+icnk(1%-p`y{wd`wsy4Ae+Q0#`(GIOz2@#B1+LiG9|M|t^lXJ)Z#5LeZc zQ%mX5RvyEKZhsH!9B7YwKMRjx*-WuI#(bZ)`DyYi;0*~EbKl;8-=}Wwnj%5VQr@+D zbn;J5ElfVEnTxzqvgOT!SqeFfYV+6#_{kx&d1i@VaLW;G5j&e(;*zpe_j@!}gDixa%bek4rw% zenv~n`TqU;a+2ui==|p9h1wzV|NmnAyB^=50VcsI(`5#OavS#zW}S~&D_NEtnE~(K z*_4co*P)?HYxJ^n51xA}EkL-1onNu^&sS;*kETUQR>c+EjpL+*8fH)ks4&0bR*#LH zsh44HQFx*NaG{skl3RMK4fjB_g1Sr>yR5@Wl@RB%*IIZ@CDq|~2;s;594A2vyOz?Yrl9#__j-NG6XJ_HZYO}uyVE8W2WvV;dfG}x5qvV8q(#e?R$T##0vob~$t#;7)8 zvDvE{tYIH@+adn{=AecK=%%3_6CVWhUKj%|LiP)=Up#Mj#`B|Vf9TeK8l{<0CZG}= zt6J!E$MWg#@8SgnZTmBl>CGpM18Fv?RoMp3K81E#*ZB%U{v(SNcHQ3}ot9Od0vLJuhVSBevK4=L z_oTcI?*-Po(!Z2fJy_Y=vK1OfHjR_62bgw|kr%w!eJjuRh2+<-)641DM2d+5_@X2I zZp&#j>H3O?!A4Qk$nBn&;!A#U_#OwGofMUir0wBTg%=FYi+XjSk}dlC>}~mf@G=72 z?~+hT53NSC*(zxqN0Gx|ET5jJLg5~3VG+H|UdidkVys5yYXO`90<6gn(Z&_Fy$_KJYIt=UR=cY;& zl(X4CgPZDaOF7Q$v-icTmaDGjy{s#0H2pF}+;bO%JYmfM!`qhcl19DeLqv@BL5E*; zL0!+BvFA_Cf#k|r-r6$#Wu++{h5-GO(5~Jh6mqfKJ`Ex!)-R*hJIT|X1Iwy^(sPY7 zU9j&Fj(^rQCMWKtC1a@=Jr4~pYK^;XP|!`wKB>T-8mj(E9|ag%%UzcLVSCU85n{h& zVj5^cF4;wTdm_U;e&Y!&&;fSVsRp2iZY?OYnIqr_ks`uj=#ubx3t%7dn025J1`~Wl z{51k19?*R~t^s-CQ>$<{uv}x5Yi{sP{fK73g|m53mJzb7)1SsH}q43%%R{*LC~WT3@BuK@a2D#hH99yPee$`1v*20^GL5Bu@8;bAW zJ43zU!5Dv?zv|-tv*{>;2nO_LFjfHvs4WYCoRgw93;@S5%IgTXO)Vag8r}+e1KwdN za?1c!hF!7cVsB;;0JfLmBdBRU()Vmqih0-k<(A#WO}paZLHUcbieGaiOhEbH-yPtUC1|Ptd!+0^F|{Ol zV{*!=rx-gjv0$L{rrbkcKK=WGDnh&IcHNTOD!EGE$9F&0#r(*>ia|i$ol5K_wHEr) ze0W@<1s~HgGx>b!&FFKIz9`7;dhyAZb@}?CBpq$`)S(IHyxQHpmGh-4hTE8`RaZ|Z zsd_P26D*xc83*jwbbXVUTLa?)#_koFipJQo&@&C@m>GFBm5G)AbjQeK90Lez(2mY< z0)rPcB(}+0j9o2&kru1pR+V!~ix&FG0)RZTUv4$}n50uoPW23xuez$Lw6CENV1>Rj z06Ccvpb)YMY*km}%`fu4EN^i!!E1M^P{62r7a5&uGL)8YTa;X~OTnV0=4_%@uTJ7< zY)&mYiHH3C8vMDSWQF*OcLJ5TeKi$lNt>glR=xOih+Js;Muvv!7|_?A4#QhcFNjH( z*cdnOoi}Dq&tZ|L^G!6LH-8Q1>0<|wLSJvJ#T-;QBk`f$Nm=y|1~xy?Je3Y6OpMdd z@+^14TQjw#Hxskuhe4Bj%|yA`hby!5R{hf(iZ40)UcnnhA7_VPmns93(ZxTKJODZ# zV8QmSTG!TF@Ap(+_v~1cha;;#-llT`z_A+!H~++E;owky8%tq%-NEpTont6B_r*1! z+S;x0Y6v;{gNaKsz++mGPIydNp&%R9H@{vO%5wPphZwq)ctXa5>}( z9Fnrbr4$Co-I@TLxOQPj(t$Mm_GzYpD!7M{U!M-Fg@sb8&|zDig!@B?TJ0qRWv`tU zLY*^zd1RGnx@}X7aG20~Q~#GH_21HimFGd`y>WU+b!0k@002t++`y<_KuyK5cXB)^ z$=#I68U=W}_1fPb3O-ZF%|1#~%(ry$?RT+}uxWmYJUsLmYGD+qSD>^s`;@Hp!UV`! zsRWZ*3!j|HHT8X*&tB6zt-oL`^S%6|S|E*$FQl;IV|V|0#tO@iF?qw~jf4t5)ue<)PR;duY{+!V`%3&J-M zL(a=aY*Ybhw|c!BG53T>AIrpQcdiy{y3hn*3-w!1Hu)XTw%7cSi_F-&SLxVlW>3k? z0e^8c3=?K72SU^X><*ftVDNYcP1hS&FWiKzU z=a+AA|4Y2|e-}omm{DZ1fs9S>u@JyqNCKFP)Xd)+qM#^8!Y0@^XiH6iiGl<9ud4w{ zmU)T~vyTExaPnQOhM9`hJ{mx!?tR}5-Ya1H1m!`Pt1tpu)j4gty?^T@$)-Ch{ z9!?pK%FV;eB-UeXXc&-jje{oK@^v%eMd5MupL+z({*a98`W#ydgo;h@5P)T{f+d>M z0VljgU<}ERD|TuJ_#S|{bLlEw`L#lpFgWq{sLe$DW}Cs}H=Eh<_i!2)yHU2lR?}O6 z6?urXGEF(-i^md$p`!3_xMGnF2YF_@Fbxf2aV2$eoUq zXaq+Ko)tYlyfJplnSy4qSvvaqwpO*cpK6%r=4$O0V_Fw@-p+Pt5q*8TOSa&m;@4z6 z;$M$LQ#YfzyHr;mZRNLb>KEzVSRuo-RQd^$@uDQg=E1g}1oGLUz6x@Yn(pRl+k!vs zA#5h8G;xEs_w?suP<3~AH;9zJ6bWiN;5V9FdtTDa@?s8y=Xo$8rn5>RV4?_Ruld9T z!!@UVP{NVmCD^1V$-r&Lv1DasEh|0V34dj?2_MEWAprbD7Oq}2BhBN*Hd9EGmC|{- z9jNEphw-(+MT1I}&)+N-4m(_Wo!|eGr>(t|a_oF)1qgYd{R{s8u$JD@8KQZ5gwvoL zwZ8wtq&Fp%$J?@0`K;3$kwvU=kc_$Z95%PQs3+ewbq^P*^Cy*G{Od6xx-f)v&Jsv0 zh_(G$C`G4#m_GG&eYIHBM#4F!t46&X%3rULRnPLFDbM{$aZ~r!h=P)RbJy<$DKRbW z$)DY4BXlVMo9Ror=oJMj z&ReloYNc4X1~ZmdWgoAj=PO72CsCB^>AZ(4->SI35{zzFWE_OXEMJ zPgvn7OF`gC{pxH0KQ7Qox(=}l^!P~DV?S5ZPZ3U=fsPw;97nL0^S4iWL4&`R4WyQO zN0VeTG@#ZiO28=7_q3lmg+Af8Ro;+5V|O<8Y6n88|K2v)P%zQ59F%zG)cHZN^>q_It1EPos(r>=7Y_!YM6(!l>>*(5~X2^Z&|-dfVaIRiU*UMshfBlNMB; z^*Hbn^+ZkdYxaH^6vt8&Hp3Olq6?%)!F=}IBO*{(Doa34tTcQqT!NRrJ**-G$N&0t zgTq4`%LXui1GN+myZTKLZ`b{`bKnOpY&WKFyTDM>Nn&OLVt#}dD`PFU00xslp#6aS z6hnKw3$18;F!tIY229&AOv~+=(q7#vR_cdD6cM4nkMMrzVI8{``VUEYkSVsLwcTQ4 z?L}N1qKzv~B5Y7P$$%HJNK50v)d#OM1bDd9Oo%0qjGU%Xwa9qCU&QwW%T8( zH@mEg>kw_!H5!$$_f`!(nekZBVt6RQa(ah0Lg0tsq%2Ve2YG_z?GPx5l(30LS^;A{ zUh!8_#mQD^n=kRVN2^Qm{(qLm*^z`bkBYsb$s)DXAbYG}S}xs7M`r@tr|%44V}O?Y zXdnu!N_BvKz(zxt3i${VU$>y9FT(lKiJLzCu*vCcGB;&0k$}YF66e_lg2R?608~)9 zUCo@fDoxjgC(9gRGN-OmfnynUkIJBe?U2UQmWFiW<;GB+gmB_m1^ZN`(~+${4wIz0 znjlFQj&BifF;)RG4I96UvB8x`YNH^BqI%c=R4P;^3@i#yN>69`YXhR6?>`#Kn6n7Q zJ?hhkj$IE$nXWvFMGN4v4pK|p*|6G-4Y`hZcKPOWNuoN-Yzlq1JWu`_I}zhgpH!x; zjIVR2r~L&;mNA&dixgd3Fo;v56gY?Y_=YF{`#n08v~ zW%EXg!MRn120N4YplKZ9(HG%!;(*dp;~jezZEg~2lFcYc#XL)*EjpNG5l=hbMN(9JYAryqR1Bb_Tr z@32a~KN4&ARxv=DQ7U~J4#an#q6Rg3--)dY5OH|w;=kBwr`~iIBanL9ks25LW5(R} zl5~)4zPy#_vR?_7u>Fl}(|hRat#uqG*324!Fm1Aw7Yhvyoo@fW62bZWa=R0Rfu<|@ zIlk>~gVU`SFOazUe@grRr-c^smX4KmFv=DOIZJ!Df~jqaONK)~RzUvp+1mY@7^#dq z{FY$DEqLi0UL@CMcKSCNI$MqqiDnhMPIB18TiYm4GZhGwO_(!O1o`d+@#ER@&laGD z@seExD)sQgEv_%4r+9@NQBc|4^2b-M5!oipVJLY2-rkSzwSDD0f5{{Nr*Ztx z;nRz?;zu3E4!BAF#C7G`fBwK_IK7n=2tiCVr!q@r6|=$CqXJN7gT;S{Uj7*WOizMY*+WMM_C&LAq2@P>}8tB^731=u#Rf zhoPmzB1S>LjZ)GKF$@f;C=4m7gf!A2A+UjOjn{R~-sjun-}7s~*Zg?r$2+msv({7h zy6+-$(QwbEa53+1?pkH<-(6i%y&aPr=e6w|7xw|@$BIb_JEgSZF@@N{)HM$)G_qmP~N5ADDa|Cq> zP>Yp_3v)`75q@DFMh?Aa)RNgwscN>kY5e?XQKJ3NNy&Een!BPG+n>jUtLj=y{umk# zOayR;UD1nO6<>Q^ofOyyRo)Q=9n}2NZgRwT#HVS?`?2-gs76%VA_Y;&mDF@Cv+SwZqG(Khe)#990ib%~rHi?R2MI*X2rZRwU<<@Lz+4-N@VP zV>nqc2_fH4EM?O!tEdBUG4`>HwZqotH$XrBL6PG$da?XmAj6yhp}^+lsR`Uw7*Z;# z*%K48IvApupZnTfwRZMd~GAhO1>=^+RAr_PeM^6^nFMDAJC*(7wc=@>5z zh)cO}S&VwFP9azt+2 zVp9sP2Z6kXxL=l_NQ;#M6&BlW2K*a|SFwDlayO^^mHqU_q$HfFkpDRUgV|M*RK&{S zAX|>OT~@L^2Xaf2B-LE3L%B??g#qWe_rY&g?HE*@Zgyvj6$ex>1-lQLm%*b4slTG) z1M&;Aizw-}jPp|wjLf*%xhw^-Xvym6u`JI$vXVmCfW$T8WKV>6JgDa^ca;=exI0{B z)TMm;BgDgxgk3euVnEG&9lK|lQSTV^X~ttk9yY=z?S3tOa9REZ7M#%VjZh~?`q@xl z#HZWRxt=!F=7WEdP^#8PZ|6YO6qYKqyojBUe zbmwdk8t|)j8+9Z}e{TS3jf!-?$mo3dN3zQS6T)&AQ;pFqsOpH*JL{{RqH(1q|G_i2 z{5uay4CtPVnnPv2o zE8Q%@aK>zDR>!mD6cR{9qq=Qx+xX6l*j&WmIl+LEuK)|OCzC6|#>%S1q4uRW4f>M1QY$Z1hp|Z2Ebc zR<0`|SgltbivI4rtU0SPTIUbiK?#(&3{xa3opeH^(g}m(xXnm ziuCAv55g}{F}qD-{Q;M}Nit0RV^!k}4-KUe?FHsmFF?GGbBKx9vxltN)CcRcp6Spu zi!YN{HARfSK?~1nNxqXev+$K?+icqcC4nUm$8OoC;t3!2N@zJ z$%)V;O<-M+EUif-t9DCsq3uY$CafEbl zO3B|vJN5KJeI#r5u7hxj>mhwEgz*wF>W ze(P)wzqg9JAH9@|o)YTHPhz-3C!fjruT}1v#s`pp-XAjeh~;Q)1d<@`@;*&^lIjx#HMch@qKcc!dR#*d>oRao4IVn~K+;J5u^n(>djE&g~n*Y%Opr z`ti_usYKr1M=Qjb9s#QY3-Fk{$P#Nt%^`m;ap!SU2207g%hJ-rtV*1!6JQMp_fZeQ zLDQ_dn%77aW_CV8LPVsCwVz{dRYkG5^ZcKjk=OuP5Z%V{yR3`qaQb|amV4zm6mlHf zc{t-yoaA}%O3;32FN-D*^BQNXRHpQs<|OTXVp;>b5J%NY7-W*0e9pT^!HJ|V6d_9F z$aRS?LLo!EMDaMyHe1MDfujn5CL%2kzkcAXRma|^=}JLl263;*J}PdCJtD8ZJ&!+1 z^3PY8!C6qT*j*hho-QvhfBy8Tb!@=bai*CK3yRog$)(Lp0(|_q#`=B3Pa;LfK4HQS zH~mvv0)L$OmUMWs#;H~!^eX&hbKt0Qgo2Cbqa4Iqp_|c$cd5S0} zCnvno<$51uP3Du8TrnjoOe7=4H}BYhq;nqPo~x^B3H8f&W}TiB{Lp*cUPq8=VS{50)g5!u*Qf)dfzI z_S}0tBjMUnEOEHs1ao$ISIGYkiqfRt37t(kIoAJDyR=N2-Rk(iIo*HV1fJhukbhKy zZitaVQ}J9NG9-SUrlBSMEgdEu@w{_DrQT?I+mU+T!*B)#t_=MK;q4HjVLn$n-4tpP?QO~ zu8a;B_ho3V;tkWb2`OB=v%*jn{EIELc9J~|{gIGs!$$$M`@i5?da23DXjxsGo=6@E zM_;Z^)PzUuMR+)_}3p+&-kKLe`Dui2fSeLk4I!JC53-R-KvL@KF+wb z_$Vp@rbJ}7GFq?aSA3Yt6u@n4uR{0}?!oYLfeiUntTx-q5}1M5OQ|ebe4aLBNO!k4 zaU_B`_OZL@;2`pCcG0by-HbPFCN4WXL-N;ZQS0m;k2CyG&Fv2VdsOq+J*^B_f*RfB z*82Zt$$!1&vc?aj<7uR$CgETA%OGR8m2JdqsY&Ei32*4&E5qntmoeWEng`;D1a}p# zuzx?~A0zYcnEcaP{vDHl$K?NWKk1dX4QP4%RGFUJbJVRy$H?fpxd*c-?0a=5$v@WX zubIjB0Q>b)y7)4ZTP;c(s7k%f$UzdXqzViLI+Io3=v_st4;@Ek7qvDMwsK3eS9hb-bm|f<$d1u z#*>Bta0$Hxsn5Bhjm}C?r-EVws%qnY{N+FXo;J}M60^wjW>b^N+0liLu7RGQ0PVqx zzZ}W`t%i@CH5l<;XwD(!Ipse(J#D*OT3LCgY~^y5^We=j&=k{8M?WU)+DlxBd_G`H zXhLRI<=cAX0=Dzb$w;X$UIOW|H#-FuNbo_IxsGj$8UUoOE~PL(zpU-Ow>jK_TT#){ z$jE3+iaW&6@L8qDw+S;&X6A)zb_zUnkD6T;vfSq$92}e>KVkB^@#tU&^}YjC9&mtc zDx6h_c23TB$$p1TMHa93N5UxMIT>ntnjuKV5-pZ~_Vi7z*F0h4fZ+}=j5l=5tF7bb zSKTAqg}I?m$RW}~@qTw`6J3Hp0lC3~qM~HEHFRs@8J=#{m5$EN%815>phJvX^v3QM zPOPrDpF+~9I~kO5mo!|=3=Fukf_7iZZ}+OXFL#k7Y(^{bS?#1d;Hv|)f_+vQAa!-^ z;sBhVAoR~QMZ5x_G0P|#PD{b*lI}p9NR76;dx@|G=1vC=x8poqiP&579kH=eI{s+~ z-|o{ADgT@T?Mk>PVIhaxFwLXEJ&*uF>+fKVU%&^lLXVWYV-?H~kapABdSKRu$+R%|9BFbR7}beSvbS2mE7i zfr#Jkpe2&Ktt(T(+}75%e!hb%rKyD*#}5gS=M-+A+&%%(29<-@OmRmAqbI~ z62rg~4qW~ys@q@|G3-jyMLBj2NbL+$mLws^1znt-)tz04`@g0+&qcv?j_zI-s<={6 zd*^;)3aJ-)$Q3(#jzNJ5p#%~q{eV|Diaw46vIuqG@>Hu5)VJk?8Bdv+-@VK4)cvX) zAy&7I^)FAYQ3%QFpIx;}kcY6V zc1qHxI(4P-<5j6^zb?yn4^uFULU#E0_y*deuaej>Ug&HXDu@swxMW$AL+i|XU*DGd z#-fhFOTQ9}rEi1+Bxh;_+Om?;0`w&-O?m75Rx5^7LJub&(G()RYbvb#jifCrn!NCCvwYIqds>kJI^JR6Utw%$do|$-({F2wqBabmFDr&O+ zYp&(t28%-6OB?AP4U4w@09gF;s-0#A&v&*+tSkggNClWDwdwj)9ED4LL~1eL<(!Ni zJmW}axEEP9a!!Jv0k+cL zYhgkde&!LdoTg8@+Y~k;!~{2e^Gu4k1IHAOEGD*_o=zD-X2ax#W^EVY1@Dvxj4(?9 za@774@H|~tj4S`5NS?N)re;QBG&MV20@O(WlC4sydQ)G&)Gp`juz3t(=NUDpA}r6$ z4eR6{`XbL5__9pjbRclr?{@{ng9R* literal 0 HcmV?d00001 diff --git a/.devcontainer/images/config-dump.png b/.devcontainer/images/config-dump.png new file mode 100644 index 0000000000000000000000000000000000000000..80b36d11e9da7b87159e354cd7a5e22e22a4c9cb GIT binary patch literal 620071 zcmbrmbzGD08#at|4HQI_Mv)MuyUQ;f(hUOA-90)b1nF++mTsiGMvZ}VZS?59^LgIi z`@g<_Y@e~Q>%Ol#uj4$9<6NYQk~9F93>O6j1t2RUrHX=r&xeA7OMs1ud}nTwhynRW zg_WeFimaq0jf%5_xs~k~6cm}rq!cU_wfz?X2%lL=)W8sx!Vt13nk*Dm3Br%@1o=b> zD0%&(rziyvG zK}wd12vHO1D>Lb@tVhIX@#%Mayw!`d66^H!=V`z#uJb}er`h+4gu4oyIfs;tafu?V zmg$KhozB#s=^0GYF;sI-tdig3Byr z^@k5ajst`8_9;WXTNckE?u9JQZb$CoX&*+HLMd+6#=c_%y{MZxFY%;~(o$z$dfE8~ zHcft2E?hOr+-I76t3;S|hd1-E(1C6B;p5f@Q;`W*9@1da*^U69$-JIgoU2}#7>PSO6r z6~N(^NXg^*f#;2KDIPo}xQF*ONR|z-5Eiq+&xU8-7wCxI{!}R}rFY4Zpq+#zY;@h! zk<#~7Cl0*3dXf`Wu)98 zw_gYHOD!>%QICVJq^0w{_KNnn_de_qxxQ^B00(u(KqUzax=e>&e)!5i@T#w;-#CGN zl&vN8wF3Xn`<-{iSeyYj5x-3Kwdoh09md7{DmKwFX)=a?wy902F0IZ8_kesx7lDD&p5U}<-bdzqx{bpTnJ7qmFMaS)lSXaQN zJ;7ndUcr{eRt(V#dD8pxQ`!(+E76;X(*DbS6BEGcyHoblj-a5R&Y;9zUyQt7fl!lB zVq6f(?Q@Ytbs2LyR#hR{|CZ&-XbfHp({wN-4iA_SI#ci`wkPR-?3D1Adn}aEXi(o` zJRKLvVO0r8bWv=OT^YnA>6e}pGy^NnLnrHOO3kS`$3blGF z>mFTm-OswrjRZE0HZhimmUmXsjc`k&X{wpLL(jd!gXahOQ?KTV4qEqd-SFI44?0bL za4ddx{g1sMl)a*)Xt$bSR2R-ZOMHb`$q?2%YR|ApQ|p|<$_EZ3}G zah7>aT8B=QPU+GIm&Mf{eap_tb{ih^pR=~pM|Df^_cAYRqu)ncM~ld}eu>}49Q7XM zb-~~5A75fGahvd9_9=HQf1?>!p;3WW!K=-y(^b!2zp?avdA0WK%I$Jhqg{=kjfFi! z&5DBuB-@(WwrjX^=`ka?Ahyg%X3%B4O*MJnho0kHz3R4XK~TroLt1zs7NlTx z6JzCj)`-Y}|EAS8)2YxQ|H1ZAQ09`helXUP6tG; zOaAdCLJUFq2nivn>t% zu(3Bnj_|#RM(_>DZbyBO?x${w&U3}!@)YBu@?_F@$Im-!E!Z-FOwc>-GOS_wW5iKE46qWQq*kBhZS?&sO#kn?LV-m}WH z=(8^S4ZD`p#7pI0qA?DN%geRnpI07_7mxFgJv^FWKi;db46*D%UbWX(#eYiGy8aCM zZD9A&{Ueq;vB#)8`~?;X?-BcIz277#;d?^1>g3FFhprDVj1oKu0d+u3f#Xk((QdFh zDV|fc1BYNL25C+@)1QwvD*7hlq$sT((k@*zTFkxtZ<=sFeRTMu{Y5^>RAc^AWx-0> zhPBS+dhNAo)?h~*@0|7=MOhJOCkKVWjKMHVfzJ!BzFxXBTQSRR@pa-zSY9|o3v0ge z2YHopDajRGKA{6=0y$xe94- zzL`!+W%khBX>!#Ew0l3K!y1_@j~1dq2Guz>F7`I<7P}dDG zP`0#Deq;^Z*BD!8XFs<*pf*nE2L3Kh^HHTh`5~Sh`6;4ec>PW0~nm(Mqz z80+b^C{1=Iy4;2se-lk6(<=~F3KLaf*TZ_GRpY!jI(Xd0rO#gu1XdwX>4vc9eB@F` zk?@u8i?*z}q9V#WQ+A%?{H$!aFqzkU7BRcp|Do&H=tAtB){JO9Uo1l9g_o$BZHx!VSeXT5N= ze`(oSG9W{VY$+*QAavRm&tljErkUO!A*PdZvVIZ*9rN9NpPKjG3#So-WNe zxO7772QBD9Z`rpdsdzH}sbu)i1eDeu;bN=`0 z&GhJXvSQ3U{rxt-!nSM$UWbeSQ)iw3L$){3?5vJ{rcXo9B5R`992oYu{rf*7@*MpM zDgnlZ+HbOFLjeJrb`i1i-=)r#{%sC$qmWxD=uFlr3mcvGX-YiZbgjA_c2E@UKa4(2 z{3JRy-&Q?g$f!6?Ju17CED^bKGi|;9QTV@f)QefHo7UlhUl4Wa^;60WMkk!%CFl19 zLI2Vg_EspepY1BUnb>9pV(y{j5|Wa1LJCHCMCQrk2)h1z)3u6ZlSf5arDx}&vK$CH z`nMS=Iv@hFzg&R-cgeL=+JzpRjmcsE{MvUq~87f|HoPK|g2Q z3rMq)rQdp*lWO};h7Jd)$nj=Kv6W|^{~*@~a+ zRM02*hn0AvfE)plJF#X8^m`n-)B^xci zI2T>kDeD*f2e7GC%;1@6w9%S|k8xG5=Yn36Q{M}J*%3Ml{+DZG$kWjMYPfeEo)m^> zs#odjc*CJtMl4K527|0!_pjf|eUGPCOy4R$94U`p>H>CE=rt)Fc^E9f;&}XEbES!w zXPuqpRjniYx4)xVGq>;C9qHbQ2i=s0g@wtaaYmUPXmU-l*)Fn82S~Chq7epT5&rBY z==ln#a=DNSqGQ<25EWfZ85BUpe(o69+^o%{TKFR*toTLwOjp6()p1gpMmfnz+veG` zzk(}_nW#6#LBV0<$t(s3jKt24j1?FF-lNr)*?l3fB!SEB1c{#)FF??;UXoDYzhDB4 zo4e;ZsTAtX;xIktH)h3`M@zE>y1{oZ$;_rwFlkm5gP)Q`Og#=KGPLnxG**DfC^KHp zEgEA1s9fVJjG8pdKtGrqy6V{$!DkQ6i;FK?u14f558Lz3$IsT|Hzv5TmUr+40Hm(3 z?~=zewqRY4-%ST&sVRW>#h6`0XAAI1@Z;OlCrMi`^{7Pu0 zszqfXAt7cm?t|1T+mnZ>=FOrRV0U*e`~x=H{B{<G;khX>gKThE3>`cB zCuABEKyeE*Iz0Dz{I&n;5&t~8M-+&7TR=@^Z7`u|&^oMW;JuY1zbWu{F=Qw~tP`8h zGo1WF_P#+qkeES9JBj=#8@Y^iqDxGN#Dno}{cx@X^EbJ-ayQas6Y2R$sBA}rPO^GsTMJhhN|;Nt9euHOT$JaAM5Ls$J8KE3vpa z>jSchi6kaolW{ORSwTF&b14Kaa=fg4cFMHTfyJwoY2Uxwf>W|DhrYd`Vjyf7H(j@C zsB`KQNV~n~Byzj=OmACYxD_=kY%3XF_;i18jo?lmRwj!2UA=?zxn)TQ2TQ_ z7kP((JM31vxPxOp-4)h2EHKe6PMC&sZQ}+MZpQbhUQ~`J1iV}hYpdxIhS~x3n<5i@oA~F2u;qokBgfzee}Pa6uEJah zsYkhfOPxlZco*+&9W$RLip1cGIQB6$yNOg_#a4XkOMTQ_?QiQjat`FnBrlIHdxEi| zJAJtUB9`@igk-j<0&ZpVB^y|ksI?})aBYMaffwnfo3lz(gzmrr5`w^Ac)O!VIu6>r zoclMVMNXLIWX&WCl?HE=g-?I9jhgB(z(skj@?G1voLhX>(Wq8dnWNYIq}Pn@tNzcY zLxkkcIrz=H{w-T|%tAj~v>J5#ems-R9NvT4wN?zKu|Yqlo%C~RhT_1ETOT(GA*0c1 z*_VyO2eUMTAx;HmLp7hA#SifwVrKz|V|2haZoxYWpIVi6;QfY=QgdEVX}ptF33HK> znL%WQ+GMM!M}$MlknD>i|5<61Lw7fm)mr}T5LaPs9w7^B^aTfBgI{{0KJC!d!<2;xf2 zT)Tmblp>w;7pk=;MO=fj>|NkND!+al-o3)Rz~Hb5!xY2G!|IOrx^803_zExK5o4Y% zRZ>z?o)prsVM_bvgY?5nn}q|sl_tAH_>1vGNR#c)t2B-qCa>*A9o5eJG^#P1jx z(tGQSFP547?Y78LpXk%@dfSc;4gQ$6V-j zlIw27JT-c=<`$!y$|B5^ES+=ddsVdIg3$KCvS#DBw95fkViB1dtx9--beyNU{odNS zW(zDZd~5YwS9ZyHyHIh(ox^$zy`{#^$D*srymRM$8>#zA9Xw>C1q%PyjeLADgR`OgTtiX)d55ZTY@t%W$#0UMv|Bv{21g? zm^R1zkVo)e<+NL9fkHTZPwj{98Gr&|6kMyhBos%*N#q^Nxo|GG1NGg71|rD}9=l98c#uKT=f#@O{=sfkhy)GM>V|A=>cpNAv~Yq41{+O;$+6Gx{z$ID zN$YT>RiiHd%F8HT;uX%B*z_pe48@`#YR&g4isZaQ8-3v%b#46v149FV!|fCe(P1DW zJ98a&h#~-$Qvc4qwnp`3p;6h$n!@((t~$#^*%5SrUN9hJE+P8a%DoF2ehU4<eSxrSs3(T^SbSCRIK2U;lJeaOeOK0>YS%nKN-BLyfWW?=!28;kHXh@ z`4rv4rlwT99EY$i#u%tOcHbWcX$D-I-tm+x!?u?X1$}HmB*$H~E?OlFUZN61s@mfHQJ}{8aE*LzGai}km~1S=P%QC`&rXM z52L_X>Z6|s1u^r7*2V>oqxBxN1&`Mqeu;^RS$Ci>Kt)OJN2nwsd;e#1vpNI!o!xkK zvB?lUA>rNi6{O#2%tM8_Zg2OX`i5if!A%qlJTH!MK1zj6u0q)NrT>PJV5C6ZXz?Qt zA+KYx52v`0algd80~>&84=qNhr5&{#rmXRM&`GLV56bSHPIcO&Xz=)CJhe}B-g+cq z0C+6BX*-H(G5v0A4BFh?$|NiqCCd4(@f1C&C98!+dJuH_uu~laqsL>8w8sPa1$2Ly zDR{N9ZI#zD0#ed-=$X}UH<8(7wlMZ8pBBSow&ctM=2U*syshccR9`{t3CR{#GoMH` zrzi9YBeRxX__o#rW-(~HbRDoT-+%;TZBN${juIl^9fQyh6T-^>#rY^4fRz1~y9QC} z>%a=;!0lh9XUDuoUJeP-%Wm;^if@Dei^(WlGWV#^c_wW}Lc<)fdw{Z$ z2&zhAHG!86e%d{N*TCMu_0A^~xAA#z#zh{o+zh5pz1ywlg}dT>++ofGR+pGr*RbkF zAq47;{|)cL4nprV%eAv5gHxSBd*%3kfpj_AYK?o#(Qp*cY)Q*VcV(_EdsLGlcx9eQ z?mJ&!8OpaEn&N{0#&uQ8HSKOzLcSdNH7I9bvNc$TD5*LuH?%;a@EQ;28V3$V1!&id zW@`e#z8DnwvDCbf!+onx!B*v@cN#^?U4rAnIS$mX$J=x#G6YvjbvLM{>NITjMb{0d zadFoagV779{f7=ZAHy;#-@Rg0^wZ=D*|NV)BYed(a{r-h-xYY-HMw2MYr%KenhW)~ zI^4eKxEi3SW#(D+0of(jYkGNFEh|`j?a1wddAUFmCPg3k6uXNzi?RwQ?L3CIWQoVo z?*R)e=P&%X;4ZasX=(5-_eZNor4AZF#Og+En?E(?DyPiIcc#N>n4yl9gdS@L+tLA< zBaEh{U%#pPYPFD|GCsxL$7juC+BhBzZS6>LL)?1oZ%l7)r!g=Twj`4aczlBj`(!{| zf84`HC%3YiEYhMFPp@bzAjT!k)wN}@d|4$gEY*+$M=l{jt6AX97dY=RHKwd%KPw=lbxr34C6vdq3-u*%f{Za2nS%nw` zA`SImogPDtpdw8!KJSYNmmj)~Z?e7^;Wb)=oLb#D+BE?+)%$zj`X+wrHopGzfk5qw zeFjfe6KN&Hjld%FlWOsJ>aml)5%b+uG3FENHt4v| z(I4<_K=yd@i0@`{8zL>upN9|g<0Hr3M~@jQkV2+@bNZ zlU;PbqVFE<_B*|^Pw8_vvl$(z)g<5dg|Av*5Od|`eozTT_37IBzK*6&mV6B%%~@{q zZU?s6mfAwDe7XQl{Xf*8q zXi7{??eNGFb9vKoeccDIcq;XY`0MrhLul!)P-9^ij8){WA2;-}?G1NxVFq~DA9#wY z)9&b>{?I5{ULeH&`K!>w5#AF?c@d9d;=h4bxnj6mx_=Pu6;Mdk+zW-Cla5&!*uTf_RHxg_q~36&9IuQoD1{0%bIDH$J*jusc{5-$vmaHCrYYx0aL{;iIg>b#Ue&qd-BK}|q$(o` z9aqa4Vjx*&;_`ao*YCleuk7x~9i9 z`RV}X&E5Z53(az>=9~1o1Ve_h_koiIk-zH5#G_ z%MXT&KRfh|-&v}c>Hoqd8FSOX@;tw^;xL)xvswLk%$h9VcBnH-JP=d2#(nRYQ_6#M zmE=5D_h2G(7q^V)!ugxZB84UAx`hy*&O4~h;E;&Bd)MJ^VIXSdPM#vO@}7lLY-xA? z2E$$b_0}f5{%%eru4H#^;rD9t0wg5=S5)LdtsAm-CK`erh$_uaI?}oYfol|T?7CT>e{aSK z+$nfDrDr+5-O2Kp}_I;4ro zDB2hxtfo%h+q{NP^)R44vjOTQmIeevn&jp|1M!NTkv-j`$( zo{dv3-n<>z-k0PI9hIl`4>nqtAhk1q**^;<(1cudU5s-D_&(Z0dwve z!0Xd+*fypMth0=Dj}B_k_UIl#Gt2o@muX)akoP(FnIx8u-{C@))6XOpga0nJ?QdInIW*WgW{8N0kjNC2X<*;> zz%rd151z31kJa}B12}9?#29>y9Y!bM$|=5kA&eLGo;ypVzX)Jlb_=Vw?~6NxG?IZ$ z?*)~~PqfK|UUFP~woq_6U%}(l&~C^N1!DrJ>`_gRk2RS0PWDp2(R2O$b+B?e$aCH% zva$s2aP&d6ZAXTz$lF&Vdc0} zTvDhP;0{ERrDlr}(h5mI)s{G4$-*?5=Jh9x;}9b8L6|$$OVxX zO#SVetviKF?>;+x3;lU?h~O`m9ET%MTfQvwym}lK+XugB3cea6rPL@&-A|H}jaN=XP8EQ`%2CI;YB=Q12)9*wm#po&_I{kc*x2P#tvvO0p5`ih~%l+Wv zyz%jP8%Y%CWboQ+GuSE45kRJr_?V!Q}$+eC#~nSub@jG$XusULVniNurXujjXrz!?AE-IXy?2W-r1w% zC|1sAIUkt3+mwt1%j0y2@jB~yIev5KH2A_3y7MTcmY}wpG4mda+{_u)>;a=nLxTO1 z!<{PO%6C{w;h-RcOR?&D`wq;Bh5ml2(fGG zEh1J8Ub1__n`YG1Xz%jPvN1f0HChPn3@Bv}|h#7s@o4 zBfoxa(84=v!!)~sK^zRaIxV=_>RtC$r^{Y1Uuf4`$vLVgf? zMB4C3m~L{M?CoC zB=bQzR%9D-%8=9e4r5R4v7kU%TR9EkzNEUV>y|f9A8=X4QPpO_wKV^|H_Yj_ZAX)5>A;pJ^5NCxK515LEPzJH#}895zBc>O+=>O-$UuBjZ||RtY+!;?0-?( z4-K);`n3AF>t|{{uhA=VEgMm<)EuXJH&_rWIEtVWGX9Xl3M_v9L3eJS(0v2e|Z1HEUSd!5JZpF!_EGP?(=3=l*4 zq34w;tpGA1bpgm6_d0)FYwgdp_YYf~YFo!mhAA=R3qBM|IsXA|a#o7^ex-~A!@=9O z%=-n_zuu;}b8I9hZ~&otNHNQ!{0n_EVY5fPIwuLnnzu_>W2vjv~_pYsz83_qwC}(a%#u65tSMt@c+)@D( z-bUQHId5`i*i^Pu%EuGlWdFbMPXzYT#xp;`Dmo)TQWe)o z=~;e=HX8B}nPbqsRpd!_G4-RF0NPel(3(@V5ZoQdO0^$iZe z^wJ;`nKG7i=Y_L#OFgrlwVB-4{Hf2s`~2<-`t88nq_ykkVNO?;Vv&4`Q!)}s#ESmZ zON5)6m=t=R{+{@G@#6R9??SD(jII9C;Vrkr`IJ$XE>)yt!sJa*Nt2tn@36nd-y!+s z&OPhGp-H&SV<}n$0zXGyAwk9`<8I5?_cUxwp%cmm=N-N>uIjq#HT zvAD#zOJ}k4%iEJ@I6b_6{V_^A4-?>O=^}awxr@AoGMvC5O@ktZlkkTsl+ZBxdv3p8 zMDz5Ut*O#7a$P&K#Ub{6O#|&FDDQ5(Mb2!m&H_f3kbP4})g%Zi4+B#U@fkx4bOT1v zeBi~HA6Iu3VH7R39UD3^U$zOEE7a^Dor(wZ4twVfw_qnk%n3hZViq*=(Ptb|DrN`E z?p{GVwsDYm*Kn@AJNs>bpto@&G*ax~Ud3tb7U}lk=-#}kSA>ILnP36812fj06*x^ahm0zwDyl(Sv4}Vj zsb?&?!=g!9-D9^!!e{p_Xy1UKyHEGswSK5fzbc>&6&rt;16B$cH@&MmzyLz8`=A5| ze#gt)O3fSX=eooB@RXtMJL>P`_U$?XhR$gXwr+uGd`7}QOuxW$k?F=dh4acn%*|5?syQ z)xUJH?%qAB7iPG>Yo!N>@3CKKyCZRx9|Fu_agD@jF3D~i75^z_UW$%|+=wL(^V%)1 ze?_Jc@JmZJv)`ts{RFgg4pS=s#iXq}2~UW(zgVbN1n_ZLE)JR6q;Y)7a;sE-wkMDk zSQYAA1sR&i0=E7vG;qa2L#j+U?qXC|T(+LcF7ASR>#of&7SbTjs;UX)40kW0NtkyO zeuK)W0^fbSw<>eKwxLbX9o}v(?+t@{w!Mq-0NPh$-L4&ZXz-TmHTl~ck?sDKop1>4 z4~e?>@XUEATlvNnoA<|eOp4XK)E1Xr?~vy~^K-_15zpRaZeY-^=8}@zcGI#mEwwaV zyl7|*(sY{oX#-+O6L7QkZYyjvi2JPNIAyvrsO%xlN%ICoHFoM7!(Y99qXgHI@8U{q z_ET0_tMSi5O6gcRcJ%3O8+%s6=21mCys2orVfg2?XS;GCY_ z+OP_iSi1ELLxRAk88;P2n`5b03E-?91JRZ0WdDteCd=uWKU=iIP_Qm`z9fkh89xdJ z-F?37<_PvzWq!)RQ7e@IPyN+A`hS2yvTH=Q^9y8@<<4!=D7(TFk>BP5R-HOkbN zHk-C7Xb4G>!iw8O=a=*UbS|Jm7GOhUzA`ED(A<&!26jc~5BOAp6gDSa`qQG=n1Mn% zcD^2{GKNP)nJznSerxVnU9i3gp8!{Uzwc)ds*Y%lkHemIcdWy zXmeOLF!f~nu*Wlan>3GegW8CKg(o0wv3^jbyLy}~{iT5GkNWH!(%xRxoPNqZ0pdhe zR6C`5yOZ@Er5sJenm!z*-BJv|yFG0`E4E&(SwAo>4!qVc1`ZwFYxIFpk9nWFOgPam zB9Mwbhv{v(mAjztb-a)#0<46%Q=jFm}_7ofuDj#%Z>b?0)Zf5F@~Qu*b*5^b)uVJIgb<8v(8zo7xvKQS)DBQ<1fTV z5zY&4;^iFeC-D`e|^-3Eb zOqzf?xg`4~tis57iDbgrUuSB4umfK7XyA+F&ePcJzrVk^M!VTLL=2Daz;8}!uqa0} zTcO3{N{>xSafth^l76kE&=ezIrMWqya*aE)n*W+?#AxX0mrZ~810min|HVS02W8PJ zY_+>IMSOvu(x2%n?mqm22|OSrzp%1Qr5As9JY@y!7G%1dULBR39TML(?$cd#`rVBn zJq<3W?{L>jm6{xb{UzLK#Ji}MkK%(dsgGda8hZvs6g%(l)huT2=Rx|c2CYR(N}$7XB%`6=|M>RR z)fCO4^X0=WxkCby7*CJF|9mz&$-GU>`D)qz;g*msM>@69+y9Wqy-CP|eh4VoX0ZnI$~R-^9sAN*WeN@galPj*Gr48dL1{3d)k=(JDvAB_!{DUu%$@hO^izdZY&?#pDb!=xz2Qg z8&Lmi_mb#H=eC~fFGKn4ka0god&6)HIfa7+O5bF6Z=lp1Z&z)Aw`+uB;f|Rfk3poN>h9) z*QSdjw~YPr*I0^>6r=agDk&0j(jV7&DiGuM&=tAq{EtXG3wIq-1g^_?6t|x7|25JZmnOV`wlAv&iB0S^=R$&$cJOTUC!IaC{l@)L%)` zGI%53b-$_*Z)A`0s$nFk+PyYSY;7|+@ez7Vn#v}*J)%+JVuSdT2!htb|C52Nz#78n z85p89muglX{d|r-?sg#Us59paD^leE%URi(+p~FZc!#8Jn(TGwaw7=Bh%|V)^*$y0 zI+fxv>lmyA)glGj9fdG_xsJc9MAF`Fz!|mdji+GcIL^n@l8=2PYsW~tl9y{s9|0A) zJ~K$)qhK!Sb=MY#5@XhU+eTPF^AG#5lmn*1J%P1`7 z<%h}4R$c(%{%D(3{FnY8wN?^u*EY|bJG5Z_^xY~m>d&<;HBM`)KZ+LERCRo^=jkb7 zDz1}IYW(B0@x1UPe%?A*#+6SZ+mH~^xq6(ecZZ4Jiciizpl4@Wc01e;UTqDabZg~fheC;2d;n-s>ku+t1|F0yWGcg)2!ijw+xvU0zEK1j4 zC8egEIT-s1ml1zfAK*&58bVxolJ^<2ZHa{JzppQ8wG7;nF2U1Z0HT&dJ@&22;&{A^ zASx;<6IM*$IC&Y|X0T6zrbVidSDjj8Pu0Lwm4Tp6yJszl|H+#4;2sY^vbhi7UGX)H z{9^G{hdJ!<)DR?xyL^GO)2SIXO;p5N*@<}VX z6g}Ol&rfXa_+w|&+lY`J_^RvzAjGG77pIhJsUhYFD@oiO6uAw-ZwJ=QQWE{XDbZmN zUa6F6wqW@%#p6TmM@T3SW*s|x+1g=JBzHET2a~Z7RR(n}D5U4``($%7=?=E(A+d

iatl zfpvD*0#=K1$R*|Z?r|pzyv}7t4Ug9q`Z^es5Pp+k2iYKEK6z#dgl*RTRRMxZ4TglO z!YE-=F7eE9$+^eDoNO2YWjZwrGep0ySTRG&Xc;*YZ@+!}ws5w89T#TIwP*}9n&CVl zm@ecM>9Pa8!(uQY3T~|+dbXj8bZMJi8@ty@;z7HEI&v^c8}{2Yy-(&j)LO*jh*RR< zPuKQxF+8(H5SG*hraimtCcne={Eq^%qAkM~2xcBe$Mq+=d@7Ep@C2IJ{MBq3Kdwi;0V_FJqF*ibzPsI9#S95KFr(9 z;lF%&Dq@bzE;WwD{M=C8BT9{b+aog|b8b4tfPUct!-Yv{W_F|w2@=qZA!{sD0()D< zTE)RHt3b655X17^~RICtD~h4NC(m9cc1PVzR0B@4ZWT8 zxmZFnm^=p-Y`#N&3shwKQ{DfuDT)Ro9`Ceb$+|el%zTi6YLa%!>7uEq3-6%tdauiM@n$>$)L{m1td(kG@&*U4$O13w>qKT=-=|sc%B!2YPzlD=5EC zWubG@J59I9ui46?li;1U_|#NO41?FN@39OxypP6WbC7t|cFC8+m(yWGdIByFtoIp* zNl8-OHq~m^nxqM1-2GLZ;d7NhUt&iU(X5)PL=X<|^&^i}cOFs}DRFD=`A`5Mshr7W z_0eJG-YfSy-&s%rj5afiG{aeCMy2zKq!<>8LC6SNIQFWuoV2j18uKOB);jCZdPkSR z6A3heG%IOkIvHo@Tln`h(|STw>d?rU7{NLif3e?1xUI`w6hkWQ>uBX5t!2{PT~# zFC@Xn!%IALIC_nAw+}A!eK}KehI&;Ne%dTn{iR-W4TA*NAr-mdD&V8LyS>jREF1n| z_5X&fqoZR+4`>&u|Hie05-33%UyVu-D)Bu-j0Ow+byP@NfTXjEbZm@rLjFb`(Tf*E zbDl79GP9RLo;9#pXXX_=TlUXWQ~)5O=K{t@GpREp#@m<-!JC$cM^Qaq#| z+J7I<;28?Lw5e>cp&^<@-QZYNNo7&%izB{ zHgPMFb&wKw)6S-$vSNL>8#_ssy-#`?h@B!;Tcy4khZPIb3nC9Xjt(AVS=d%Zcde=P zTP7wQB0%V?JYJ+)u6_7!Z!24AgD8@cb0#^}ies-}x) zfSAQf*L@CWm|tlgTU(9?0<}mk>1SugqjU|%-;DFRD+#tN`>|_>7nD3Oh%O#kHu-59 zN8HHy|5o!oj<97#DB`ygeVpPQ5kr#EG~wv66e91Zrx^V(JR{baeDseq#~&pH?1V449U#K z_eC!De?3a5G`(C^w;$3}CHRMWW3jyF$nmdKS$oABiiH1sR9Q5Uvajy;t@(a`HQC6A zwM-|BU1mkdKll5`I_rI$r;akp5y#kDl1~5t3M3_jEV)DZ)UG{HCT4aage)Rfw;N(4 z+x&-N;Ty+5)~@atq1bn=l9jf-){j}7GJ@e)bu6l zNNi=4imii1-`xJg1;x6XP@Z5xST0_x(4g1pGSSjWDGbpnM1_URX{YK8OU+snokkAl z2Sz`42BbYTBmEokV70%kH=KZ5&XhJ=6}V^CAyNy$Nc}YVzHk(t_uc;`9g6!CcQ#9UxoP7iQFW(jdBm9o3jZJW-ZCo7Ze1IGL=XkVKm_q=@8vtoaH?r8~*j!8_F)r?Fseq+;2{uSgKwMNMcA=l2Tf7vYlAAQOUu8Q&F5bR(kl) z&>2_*D5$8ipYMqk^ezNhXT3b{o_Hey0>RRoJqpo0)@;qcyoEG;gR6$dr4w)DcsvrB z|Cs1G@mpL9f^Uco#d~$)jpV$2DLN2+3R!}H9SWwLdtE_~2ZURO4%TwQ8U1kMa$lO|jZ<&fjw=xL%(3nx<;?!Ni%ZV1wGbncgSJME*drCA%~f zFN*EY973cZrH zSbF>1>=4C_#gWYy=Mw~otM_j>v_$g~Q+938DdyX(=jn9_QAmW|NLMV_oMvdGF`sOF zJJXTGUBF>Hz)`qbPZPC~Mtkelt=fqYReC5zcBuo!28H)Ey83$3UR)R2bLWY9;~lC5YPNuvw1HiR^q0JPXf?t%QZv(snDE`xZxNpwO_1uF{Ey5bO8PYL#71MR|!d z6n*HL<5@fG`MUj*)MKEOtNBC{lrONozq7WWHKpu^#ecM)<3q^V{;~Zf7Tz7TmuV`c z3UCzTJ~}WN&x2;SF-yK1Hb~N>dSqr)$qPfD@1vc@fJ0;7~kGJvp=6K?5)c_g><^o8yxNBvW%3(qmLeB z<3+OSLlN>Pcp{KbT@`W6E%f(B3S-HSlj?hQVivMDwuYUzjfR06&)qEWnSI5x<5%mXNSL?FPwI?b7G(#N>XGS&*elh)+GjF0k z-TL7(06-0L&fpC>?HS!xEi2hS*cxVX+_kXX=#=Z2SNQx~^g4@f!1~g#D)p030oujI zn*I4ktGjcV4X_!{J5!!6K8&l;8!XDRm}!3i0x^-@WdFeJGN{b@;`@!cZu@oKo$Y zM;S_-{(SZioLlUOK*IBiR|ogLEIxQZ!@6yNeXV-0|NgO1lUt+tq@7Gb+$(1~y+A-#Eu+iNt zPMNtEamjgmS$$`vhU9>#ex_RtWp}kZ7yotUX1_@}n&rMg_sCKY%;BwaY^pjRkUQ>e z=22^G7hSVfb#N%bxhYLkJZRp+yQz^;V(|UKmLnkdo`4FF3%Z|Qv2{97nHJ~of8c%X z*-wI)(~cI#gGHTVO1sbWHv$MuN*Esod@U_@>Rz`Tuf1$tQ1jVXDpOB{itH5nfp4MF zx`HtDC-J41J6R%Ez#=|VC%G{CBweAi`%c@^o4qf5=wXsef4tuMGCe)*K=1;uHTg|$ z+FbdS#yM5;`b_S3r6!)1C-7>QYBf(C<-AnJwHp0)t~)$lQMpocIXO7S`S2OaYXXOb zvB9Lk6_etH{Fgt^EIAI@FY(T_esBX6MT`Ao7uD{%oyEk!P3P^O=++^_S{KeidsJa# zw4Nq&otuxHtz@N|z^UrO;@aG}{RPY(oO=WPuF72%_mU)|V0_w@SJv2vfXy&;_=Vfv zKEBTjx$iGbxQX7g_PpqxI5bxjcY65lx;VBZI>zGVzv^DUpFy~wP>wiLWX;KTWvVVI zVC%KVd)C<9p#fT~O+2e+&M6VVkSC~Dxtjr|e+MkWL{1Ce8s1px>U>U1eGQ58e4BE% z#skDMuo!eT+Qsc}F7zWx8FG=S75S~wx`&dv|k)SOnLL>*TLYVh7ct)Pm9HYXZWo8w{~}CbasDwkZ^U! z<6t7@24AgCf`HR3zQz~~OZ#UnalL^r*|#Vu8}g0%$3d)dc%|$Xz`nh$Z<=#AyLQ|f6>@rCnYsw^}2NXut)K|y6Lu$ z2@tI4ZFc(w1YC-#S?1)xhbvb*RM9^{k{LlLXYvAElq%Ng*w>5 z&!%HS{;5Ci+!cyYrV}`Qj*Ijt&YND${A~K?JEo)e{p(RSZ$!N~{EErYliFnu5#V^? zRCJE(g-!RhW^Sn>>m_0w#hOq2 za7uM-e&KMaKUa?o@EY$8qxU$?e5PZoZ*8LvSUf3BP845OiE&mWz zr`~hyUoL*YApjWn_~N_uujs^Xj%nZ%l@?3Znpu9HAyO!@F>TX7r=Wa`KNq6sq@A>l zqTJbUppZ+Zo{IT~EAkBUG-E}$!6`s9S1vSh#+hmT1lebRGwQv(@RxfVE&NAsBzK+G z+k_|f*IICaGo*Ot`Sx5!aq}R~`YO1|1c#l~8NZ7cHX4<6(LCYf1DfU6nYFhgQJ09< zN8B!ofha^}JWZ7qwXn#|QIWrvyZf@ZDVn#xG+f(uaiEac(R#qtqsC4pV|}h$s)XNp zYr{rP+-7Ugn)x71pDGp_xr~=WeAcxtlB&T114(WA6pQ)RODbFXE=tDF*q`Jw z3ECM6B;AbDJjm-V7YkCgzO~mcaWa>Q?eZc$Jm78OQ|zx*Rm`8gS!LZWgS*yp-|8SL zi4n>SEH&s%30};;dGlu4ooZJ!%*gBrc9Zwu?78M%tKX$8xJbe`P>6HE%y6*iDL$Lw z^m;EQ{xu|PDAg|=wi)v!o&%(5$OQtn_?Z?l5834x=#maZbBPhgtDOt$dLUmyPo4yI z6xeSW>$S$ZVC`l&7x+A4(op;KW1iqt8_8pDapNi z?auhc-FoRym+Jaxy0~j`{P`&vm5-8f2ETmHu=p0Pf5F zrTld^8+1a8{pKj{^pG=nD5WL-r6$9COBwgFGk{;ses7_GoRP6@kQ_!>n9L_7{L2tq znKm^cmeqN`q{h}m-nGyJ^cJ740~~g+>wm&I~n#e$+H+dHvQ6tm5Q%U5^t@R z3v7dxF`u9=rA*KnkEfK3T*l*jF(Obn>P5q|>#CeAm#LB^i236SAnRs^%gcR;xVs7$ z!D`r|5?-T~AAxWmT)OhTdyitgmWF!1m}=U>D-I|>Q!(!StW}|T_4cD%BUbhwtwqS$ z*v6!0GZpeu965&8JS(EBZm;gjd75=k{B+6`5yXP{>Pq_hNahTq)8N~A6Xt^x>6H}P ze#@=qNlYwE%!c*L1Q4I}7noRYcI#gv;V2|78_AiNlRRN~!nEEj*90 zh`4SQEgB=_QJHqMFtl@bcXMH`Eu@2HZ)@q|?A5lmHsUeJAt$qm8@%Cez6~K#;Pm4 z7gh0BcosK9CSxnel1IB{c9UECz3lU$)lb1&e!(9oGoR@t$j*M0k-tiPBi>c%X(Q&P zf}Nbr;a(l*oUQX!cdF*Y4isB*Vh&2@6o+@acGDN0Y?cn+6nOc^DHPPRmu?8elA(q> zU$7G%NcVL_JYN`%s>8~63EJ%=lzzjUhd#u-TvctMKVASe?DN^j#ivf6c|Oa<9m;N^ zlIotNR_Q8H9JCx~LE;h=8(^g_Kg{I3fOSc=-0}OaN+R#y9`W~Q{hMF3ZnlzR6ROz! zeC^v@02vfk@ziInhQ9QrF+Xnlj_xM*;Ye?j(v2<&#}2Eoz^JS7%3QK(x;v*ffM+(8 z)j(GJRljku5ydsbFBOm;vy}v1m{xZTBz$C6HSO8JKH^7D{*TxGH%s|*YjV(v?z;*) zIyzR*$d&ItZH(dPf80HEcWJ1US($B+^@h0_uUlVVUn7o5*^c)9-tbZLk33e6<%-iE zfq`zPA?abnwLpr8UJ$H}&$aLT$RKPmaaxPG=CP5)e{lO6gG!_x^NW!R30iq)7l^u_ z)9dR;au&XI-4Hd)GOrR+xLQDZtOd8apeWz0RQKoIe6vt6%vZIXZsJITU0|IxXw|P( z6v?P5L@^W)o03B9eu3cq%xKKfz7B=4f%N0Y*bpX}O|Cwc;$_8#`WoM(Vl!I)!xeu; zLRqmcD%#?uGW+#~{(`J}Qv%fR!?j?m4l0lK@LL{p&c)P+OvUEbkyPk3nm3NO*v?;@ z+qW{(F3!*-KWsObZn}`yT@9+mwDHglDumS#X_1f|ZP#c5v)@B0b^;{V3p3|G+G)|; zU7ranx^T{_N8O`w0*M(|SXiFV_Tf9sK912}X=l`|&b29HmP#DtbXpCJ2_n4LH~16$ zetqO#%h7&|1g&m_K*y`-b$cbqbNaaqrcxEe%(lO)$_jI3f=>L7aQyX|)(y1!HP%CN zB}l$TIOemeMnlT?wGQXy%2tE7hmQ`1IhIP+G(wcEJgehhLHv4KyCs^)dAB2G6v{aM z-@S3CGI}k$mDjp6=G34fwBl!7LN)|hkVD5-`O$$Xq=Vmzhc+^Lv?GjeE_`d1cfUwN zTnZ7(`R*M+$bS;KxW@iI=3riD1!6{FG09J+!!*mk*vPP?m2uS>au>m5Ma2 zzW(-|Y5tJi-2Tk$?Ce0{dTF+p=9Q}3=tsjbX*=ThqjLqBy2GToQhqXfexfG7RPC?b z{I^?AeShRA`r0B2HmtIo$oXJS)%;>PJC-$&xtTUH*08uQY(`xH(Yy6sUQ7H`PAN8uF8EY?*(cTL@%^hA{VZJI&1@1yQK9c3|X zk>bb!ILjU54ijeb%fZwgi4PknuLg4sU$%TLigmkCef`@6ktu=Wm1BySCV}h@hg8wa?QlEZOA^(aoQoQA+lCl{IJ9}Xh?*cz`i;BqUr*pZfmS%u3`U-;6+}R zg3}K=Qu#Nt{aMqgBevmn4fD3*MFTb9eYBW27w-gkGn8?3>4XF}hnkC-eK{;h?Q@=T zZw~dbKjtC>E>CBndLY)&m#z1Cpu|8|to726>CQw*O_cReZ;D6uW0XqVvgOy?8=1~T zQ&7dR8)PHDKLDa`x>UMVJ(Cm@T?}UPKy0(^{mufEJXU@@mYSFh9EvWVinf0*Atpck z&4;CeCHi2qpMkkc)1Np0`B9iq6kfdT;j#z64+Oq!++I*N`A!1=-fs2a`(YUIh%)?; zIHEcsmObTOs`1?`l-J&>F_M#6yD{|g)2C10 z6916&yf9<$L1b0iX*t1}uQi`perN|R7Y_58Os9=hP*A>rYw#l!Hg`6$iZUuZ%5y~16qKFDGG{KY z%$=jDH&GM1|9dO{D`+|qP(0`m-r;x2t$Lu|>$JBpcCh5^tp4;FiAlkr z)rzN-LtI*o?h7N_PfNp>m?!1(O5L!En0&>L=d=W3%~4ahr}7v3-l8;wF!)0?g2~+b zu_PyX0rtJbM*^{ds91PqiGhm)t40l$N_75x&;ATte)pvY1qECMx8!RYY0I`sm%c-t zEG9XJ;GVl+YaNQ_rV5cD`ulFbW z-AaS%A(PYLT8vH+3BQv=$y(G>Dxh=j{A|aiZa>BA1^jJf#I}iC z+6*aPPYt+Uusme*`80D`X1JUbwzRtW0#R*-!Eqjb3MCx}p01Eg-$PH%KHz+GU}ZAx zY9J>nNSw2!f9_0h?#QIr@1Dz_A=dR%=dhY8EP`iKQc~hRKmpQ)5xg45W{;+3#miF< zrWz9BW_nUnQya8&tM4A`tC0^AJd2&p>sB%7sokvF(|G^4mt+_6_I5bJ<;iz8^M5AXW1SA6Lc9vmA^&JT*?o%XM{tCs_P z+{y5Ld-)`<`zega*6h1P*Zp%R*say8S#E;18QwA{dGr<7X_*G2&nMVv9<&tvuJ@~i z;U{?TDU{%wYUmzf&-B)A9alU~p=iZrkoIKg4m|UH5dm$oHjC{0H`b`?CMWvh>}O4jNhB z9`mo+f?V|r6gs@Q(lRsspXF%dbf%u<8_ycP5um92`Cif3({!xbNW?kgm^JV}6Oyz7 z0lvzg&_MJ*hfNVQAM1Q{C?h9_3zr(v*{YBqKYzF(peBgAdJYR(&#JTvxl|q9P&UJb zMyms4W!kf7$B(gJ{^7EDwU&|tP+^oEOQtnMxJi*_Vu_N!ZJ_@7k<({gW~(KUK1g-d zz}8)Kq9D(cEy?c+vZN?(c5{EHgIz6+QzzM~*pJ9o(a5IN4rn&e6*PWB`E6hRPj4?E zd~O_@FnkE=|0#OGq5nn_|J!t-l@z6kg2SSA(BcGX-`Pu4q>ziCdQqQX^=e}nuz1-F zr9#uCdE=27fwk;9kZ73=c8L?P@Woa z8&l1fK(lwn-+75ucMU+i2x0Ss2U_2ZMw~$QdZQ0~)Tqmgge12l3TXhj5jeT1rMTyjTkZqmwR-tymG>eebWiY@o{Io-jRD>kuZGy( zP=)~KM6Te%WjOA5$!4Cl#xJueso@KmWo3K-mF}Fkr96@58eRTGUos8IPakMo6=&5m z{)-;|rY(rALSy3QU>SlYxQaJAvCR#D)Lg>ErEhe6Py6gjGx3MczqkMZ(d|i-@g*)h z%;Y2@BT#%cNaBTVNVMg>lN_^df`BDWzn;)Z{&xBf)QyRRQZ-Mo?$|u2DJsw;5S?Ii zTh-xjxqM`6P9QG=22dx@l@;SY$(pNBZ*f@QrTd+vTHOV9MK?Xj>LhFSI0rWAjsnq% zY|^hD&+P?>*bH0{w1v#mr=6oyo|Ms4bDVgD$J%}uv1^}_$Lk{O_b_P{^J&|YvJhB; z-RAr=`H4`0V$3w4CW>;*Pi*4iZabzxxnNzM28BWTUW{rLFB_-Q3x=rg75;Q5U@~fF zZQGXmeB*qyH*7SMD6X;wCgr(P z4bttcvqjKH9T_wHWaJDf0rk-IWiLBASklqvwwP{}pgm@U5bJ-x z)>uFe$f&BuEG3!@m+hROf!A7!XlmxhfNoA0^y?>8Vh-1nm`&|bDWh#P;{A_rDF;W>q>hTW{iFT|3q1&nj`A`NUK;nf^h?f8jrqL(4*mvxI(0_Y&g-`#2&%# z>=Z8r8HpwWGkVC@8^2R+#E}Dn9||{78P9iib~0*wdow*)Y)xQSud>>uXre{UHfYfy zp_EYxNI8wk#xPEQxKMPeYlUdZM!5I_`+=m2?L=@WvyLR~v(L8x0Z9OJAPtV~_%y#G z`~UJ8X$9!_>4hjQKwvR8o0{pD6m3VHC>e!sQnDf>GbiOZ`*@|W#gQH$M=^2c3DmNg zDn$I-l@~`3_m=#HNgQ)OwY()0t_F17Vdx$8d-Gq${1S?4eP23Q*<#P@kb{kO#Fn2ZR2bA zVHw`u^hH!5+orS0NkU?-B3j$aKMQxYx#>7odNlpNvzPBQZFgomJ(Z5&9k5?29sBgr z&&%IooDA+JEY^~;G7IXOUUELNZ=-@i83M{Ei$^l07{~Q7xdqTHyApT%+)tQ@@j{}H zZ@q?{Qh+ZLiIMpzG;!tHXPun3(eK`4udpR`S4g*mMBeh<&K`k+P#y23m<4iz1dkQx zwTR(y8vBh|8~}MLIjnyq@rAL1@j1+k2v!XNmyN+UKBhkvm!F@%Y%$4^cQ8hB6q-zf z6VJ#l=f}4@Jt;XcXHqnixNmBXj!yWZ!Vcmq)BqF5IYm>LB4qD28bIKEQ0)=MuOhM@ zcxzGske&?YO45br2x=?$OQJ6k-^w@aw|uI*?IC8OR{t1XT8P`I+V{-&M!{)H_kt{j;)#jW8^!>-hdL4-qLw&>T1c#V=;>8c*zrBPx zoy;t|sG6CgT*Z6lbr)U}#iM#50L0f%2N$=49!u&m7Je}OT1Q7tohBvfc?U5OiopX} zdPv_SF za9d%)kq$mPwnXS1QWygW;si|QUUg5lrnzGx`g}+K0Yl;VJBbKSY|6>LdAL0Kxxgmd6k?GHp0X^4#2nJc6KJ1EBkTHegX!#7n9*v5hV!QahT#B z_PpzM1}9G(2gKI8Zue_FOGYliJ@rB$HDoS+d^OsjX=TZ2s~7>*F+c23fb6$$1qzl7 z`uh5-lXcFH4ItNhU*L$DLXc?ot&^bMlpCUHI_oXYhs;~{zr3_|7-l~nOM$V`e6!ZS zSd8CrI@2sJ^noM40Ip@*-x(%906_1uqEX&cK4Tscllh}sVZL^}$ubWBx_U-n5<4tc zegXAmN)q-GwBX@d%hePvwsWFsDUQYR#YOQI7kh%jDBG~ zfcOVL0D;#mU!&J$1P$ZJDZRCoKf;dLzJLBYQ~YxK2A8D!!v>i6V56!eJ2FC(r4 zTtimM6r>H_Og`xe6|y~TV>JMhFcu*9vvMz%H-s{ zL1GT_-Ig=zyKsPOVcNF~NqH}+hQ12W%VGm#$2(d_8DqF|cRwgrTE1QJ5U~aCiYeml z4?%qW$ox2NI*Zx`9GW=qDdt+?dgO{%0tWG>BRd@eUqq&Q87*gj>?a3}w<@^`mdW69 zixjK#KnM{glQeh@Bai@JY7wA%rZDG$OJ2uvtrCKrEybzvyr%I%cYh$Mc1{Cd6PY(Kr7PNx&&XjKP+)SML0$~UBR41>N*rq*ZM zGYDR5jn}^2iMon0N8o>vb3EYYTD5tTBkp2WKwtc@%kjetBkbk-oBhUsV`@2@h(5Fh z2v!MYMOOd_URAdGAtQ{_i6a}2KEc0L*z&!*Y%|Yc0|CDAt8`a_kPT@BB3b$l+I5&F)e3q(0Z7+BXQ>RURdBm zS1>}X$#w3?7((LB1*W#adZ>mmKgMU&xKBZkbDo5+^#T;wCu<)v=9>gv)Gmi7n^g9)u)K=XF5rTD}=wP=S6xW5TZy17mt1 zWDuDA0T(zinTp@-Fo?)cPfu@pLZ@2BgKfQ`))dYP5OkkLmM*P#_*+ZE{N_zXuDLY# zGgV5NnjYP(zpfK`xp=Y2z%Z{<_80gXsgFwW?L3b+y?xx(-arDZs($*1*k?gUirY2j zp6wxdLx!%At6+!60x}2(mqzO)Ws0ULOYJOWlsmlgZ@Cj% zwBBWe<{AR&4u5E&ThbEuz zbYT{v6|ye?2#|AnRuJw40Y%+ zFPe-uaM&yn%P+=!*{d0xR=m3`(k~o$Nz_8fDTj`20T^SyD$m^#@Tp0ix zRobd1F!_c=D-z1dBghEI6X-|iXxwc;f$n7!%a_eQ15HrZu%fSOFsx?^TnxCfd2=gp z0HHGs2Ut*hdk0u-wXd(v0ja8E%5>l%r}S|hN){tx@zVD{Ty&&@xu#&oa=7@H*;Kqz z(WLb0>N;D$AsldiIg~EM@{Q6YiiH78oWR)VxKw_0_-k*!n2s@BX!pa@qkKJC&$~5% zeS0SMV?9zvC>pZpczBXCegsvmlG0U3>%1Xq)OJFjS=g9q+MHQ9YzhWu8(}+cXLD{^ z0GSJS-1p>O{6ZGK*xK521XH+(;_06^A4bB|s*C(Qk12JZsX^|8MDow^A$6c2c3f|h zP{u&Abdjm90*6uTm^Z1JWn3zb8=aOac95az^dWi&FP?LPK2;6c>28Cpq+&#fEw>)%V zBFiVnxE?<;vVCCcDcbpPXFza!Mt#3q#hwm2FoZghrb6+9XE4OYVnsZ!3}(kiF-$f` zDVpiS2yNXDMZVoz|}ynIk%tAXlTsQ9}c+o>o`a5w(p;o%5a83GEnj4z{JUk-QY zm>pvvCJmGSjp+Da9I}fTE|g7{F-0yWAg;i4`h$m%9bQ>Bgeceqxo-EM)-?(vSiaCS zWVZ_2ldQWu)A6VmNm$>I`ROK$hVWU>r57MM^iT??!&dRI@A~bh#!yF7dUy9{;a15M z@5+LSGdHMz$=6xP+noaTo>O<9v9z>oqEKWp>SrmNc&~WV5g&)5X()7isL`(*criJ;7PL*C&wcGybA#6A1Y`0vRN4~(a48=an z{y_qTxh&F!vi%8$8jyzkX8O$m^OjH+y+?`4ViI}=dh~^)y6oe7ytG@jiT_c>(koiEu3!YXf#AE>0i? zKK~}R{tQinLDCN{qL_8nuLVdW@k)zYnr6l_!k#38A_PNmm@huW= zD?^EB9!{7Di|m0a22)7VM(OxF@zIOU+kz}a4Zso;qu0+O!p#36Nt|4P8lm6jI1~E&hr74lns!4#X(^XN#kj{Rk>ujByXfoK~=)M zSnn!@K2jYC8xI6%$v1FVimU+;mrgnnK<~o`hKs)gKMlfYtdxgh$h{+pkm?UBXxKglzpafP4g|Cws`Y^fKQj5}_mG zb9=dRF}r$E0tzibk?pyNYY9u)=+*m>kwM=se4D`~NcWNaBQx(~M(_f*7*9f`vV6QM zs&SAB1SRt(*06}hU%vFX3VsTOh!Py2Urwj_^|L^|bbEJeiDYl7-1&(ddrXTtP)XIm z6;W$s#9S7-i{TEh-9F>mwAc?}Bk`v97$Jle-cwP>#Foddp(03#=HgOr>}h!y5W%XI ziqjYGL&rMOs!tCwGSy)Et|EvixaqPQB1zogoo4G%n0(dKzOglAZ$jv_{qrQi35!Sw zCjWd{77C8E7HKSwk(V~0|J_qpjE>!BQ9F&6!oF-5f;}yZf@ts zYYY0o=x7aG2^0sF?`)`C)x_R)i%Ut-AG=sfbnIQY!EmFJRO;v7Bfw+)GEED~Qc?Ea zi5l|r8coC}adnqIp}GJLCgBQ2UzqtmGB*uiDFx`6 z-$ZhiP&Ok4#5RSIZa_~R=o*~Aja0fZZ=3*+C4CN-&GwZVd3#1+#C>Otn7cqpuG>g* zfDFDCD3Pu{K7fRX9>N?fNfPzGcut%$Y{{-Soc{la+_^!xh5$5F7$ubvbJ5x3La`hOE2foBT_kdaq9W>{P z-wKbP0EH2|hNx*fK5&ZhAQX;pb(@(JD&$3sI?a&|CuxBHnm3VDn(-iU;=tmXj%_@P zFhxK+nC?U>bZcHaZ(*0#4T~4EG3oWlUFzB2F8TknndH<4npp|U)Q9}q*j$JzVhvPJZz+M{_ z;04bbp_6(-`9N~VnZ-cbsU6`FFn{v*-BLH3>;R~&%QLNJGUjrP|VIv?=UdIF`#H|P$wF|v2k{9btV&ugGM4Tr3ib=LhP zLarQJ)PAZl<~M*n|JCyUzpPto$F3VeSU(EJ?#aH?AOCsXeNN$omKG=Qc?WXW?KWm5>C^aJArX+u4p$8*p3Ga zPb{2WE;=o{g$;iN{#S8HJKzHivjWtyc%9W?!YVYZni|;;m{)7~53_ac0AEL^zr}yF z#t(ma=|-z5it6ENh$ggT>71Z|)MEwg!Y|XAXKe}6%Ya8 za+4z#&vM1*cw2z{tU7mh3~wV)8!gV}48BiLG_Of}mNN?U&HjMS;C9-~iJ9=5YKp)$ z=t`TJ?O=97LG8N{K-?DtaU0UyE-XI>*hL+rrq@3F8Y)-?A8HmY>tKKkZ)R94!C9&k z!rFc3Xtu+tSul(Jljm>`O~QfMu%M6x*Xp7RkjUa5a94=a7sii|BdtG)e(1d9J?H+P zlHSH)#Sf`U8_}l|nPEwn3yUA7=&iJUacPxIN60<*%5qt>O%&Pt4k9 zj=s@22-^KLt-~y`(Xty;?cii{#8eB{*qut$D_%dNg7B9F(*_VX)6yOtZk1yS)}Sho zzkuAi26_XLCiVyc5MvEtpg$2}q92k-8sUdD@I)NasRH#@;rVoNf3nhm8@!Qw*?RE2*$>t1AQHFK;8v?&jTN7ERR$&8unx%74tF2 zC41HQTlTO2aIwUU|Mr<=e+1pM->3ko9LlV^0zLe91Xe>C`QjeZV&?Ct8wjjC@<^+IVV3uxX<@kBnZAyUS1snsL5B|f7nOdh#sONp zNybe1X^A7h(kG(l(q5A<@Ff4GD*vT3^ee9Xz@2H#9;PTLC}>PEL#IRVsQu`z{irA9 zWHHC?^v5w*O#0dytg{xBr^>e$bHgV;XQLrCT3<(TfM3SCp|zh@1pZ}%N&3CTVv}EK zD^w_uWWYCfO~#-B=?2X(1EtmWqIEd|)Z6qH5*CK&dDD8=Pc=VcN5G6ctF>f1j{%n@ z;4nro{6=iII9i1#8)|UEcG%9;AUH<*t0Co$5kYHr<%sP$i}P9XgSOX^#xK%)KnmCi z9*Z5ruIr+nmo#hql&4q+6DnD|m2vxE9LiXqV&c+%Y^*{qD;1N21Qw<(qk# z6J-P~JO6WOCpQT)!Ob5(y3b(77uXzv?EF%j_S1bcNB6}|K8u+I*h9C02%1R3i)(dK zPE7g+2HkT`Gj!Xa&P}R0upd*1R2ic$hoVn!F;6@}H>(LqVh{ zK%j%&)fu$W7oe?)m`xSZV7OYdQP_uUG->6tZY;tb7ckPY*b|XwzI3}+z5HO)JHoi= zHbA7hn@dABNTqYEw!;NSmgcf{Q%#=@-gKUEsl z4xloV78BA%bSog=x_oCcVk|AE+3S&FZc-7#&Q~aff6s1C$qsX=_AME=?){>_jds>Q zP=me~f`%oL6mxiTHdl6JXDY@Y!4HK^&Xk)|qn@?M5ZF~z*)HJa6-db~7qAnsj&a;X zKwl3a&RZlMM0lnUT?ASzxk-1R<9C*bbd+NTkG{9sqo$qV zkBJ6yt53;#!_Jm`fKkQ#`DXC7+ z?-K*Aw_BXRhBN`_(RXJq;J=DC9WHa^P3VN<>FZ~0ld^#RrwHImo&)XQvRnQ9n@vq& z&pVY%XQ7@~fB-fmEuh2qyg8Cn5|8&*)`u>VIaO91AT_nkr;-dViL!7nc)b&+2F>G%MZpY{H{V65;)E12z=O|p%;Hs|8~SZ6fI#j@F$WJ z(2w>lu*bBr^n3?jt`coCdJYm;x%h_>Y%+D!N*q@EpV7F7qz?sS;i`}!dV!vmG4RZ5 z=Ly&S?5f-^tXY-ZVE%sy%YTubQ&(znPA!fE(7dCiG(bUkodvNt??XQ|!a~K+#ZUP< z7XSXTMd%U-SnblzDme371p{W@B(z}L-y+!Qh0JNcVW+)^%Re`O#{4bC!|=0wd{d9q zELLGaTYRv{vb588En7pGzQ5r!HQTApt&xrI`gt(T{Mry0uG+KI1uLmb3xoI%x2tHJ z;p5R)PFK4s)k80#q?05SZby->=-2(|YxZa#NcwI|SMLE4B^{KQ0>L0+&QeKzcGxl7 zfx)bJ*uM6-2bjq)#gH6v)UE1V2aNMn)9euMyoHOy?YeQqs0*)By=74PB8}W8be(Ln zNOkgay45p0O#rcuGxh;?0ZmL5P!N`qJ^dTw9i>(a3N1Zr5I(K-4S$j$Yr_!k?E+3f zI}@jTjqe!A%EkHY!=IE2*R9$@Rrl9Bq)=Wfteex}^#eO4H8={75xenw>x(4v7fN7A zH-VaK*qnSIbKA|;7>MfQVFWut--MKDDz)Wm+`>-EX^A^*hcF)b*|3+%CGOVbLSeX~ zCaV^no#uBvA4MC6+D^yE*S7TeGEPUQ;*Bw8s5QT`Zc_5m+R-(5_P#gYNHNoSlykHJ zT5SvfcL`Xco7Dsm{^?YA=iQm4&){EmIu{+9WZK?1v}ERRwb5eBy()a?SZ|ZBp;WO^ zO;3);4gBU>ly%cW*K7S(O5wJJA?}CyTF+BZHF+kxLe13%z7A0JTf2e#7ti`!MhCq| zf4TQW*CzNNIEstYsDiM%dwt2FhcPvGtv#!Ll~JzUT?T?4Q~AyZ*WHKZR_J{=&rJH- zkkrC3eEn@#<2*vZ;#a)(8LwdaspRsuwVh8<%i{z=d)wuM3P%#WbP`!{Y zphKeuo$0$yM+eqPgbsN5XhN6oWWBlKkW~!E=yV$}V6O(P?VmNQjBZM?QZBMs;d`{V zgG}wbTs>=*xDCaS(p%eVe7394r5JHiAM-&R?IgSO#{c_5UtS;>Tw$0u!K0-2M5jgW zECK3Ozk!RSfg)r`;H+<^}Fp0qHf{6VD!TwF9?DjMbk31BE&J84Y6? zvJ!tn5J9sc+bOMspCs;A@G?PvY)#U-G|vZF#-f^j$C0z~LbDnS8=xW>>jtbo4NO3| z2NG(MRlnddaBy-$@fpJ-t5;}s!rM>}i36=d%b>HO>jRp-(zyr=G#Na`60j1h0PZ^* z?Vo@7gL9c$N0Ft0RN)K^Foz&4oBm!r_w*(K>VGNsI!eMEOc4qo*Jc#Ll;d+KYf7q6 zy&b*oJtg~Y^`Oy4Ru#EUhkexsK)BD9g1M-fue!Dk!}J3~5&y1jt5f6YWu@<|wZZp3 zt2*iVGn8$|0s6f1abMdOZGE+4KTu~^I-q!IiK32;LEpdR@bqgAIy}ug-9>Pf5Hqz5 zTvIVKlYLew72>o^C9^tmN$2~{U-8f;?#;KqR=zgBa>4zqJn6L+avUYq`Lo)X)!~NZ z-7Q#+$#5Ccf(0`Gpf9&9PgkOo1VM!QFgDZxGh+(ksoCq>LQQZROI&$hz3nua{7)WF z0nb$*=4KJf*Ks`63mjURN}FN#8Z$d6LnzVD&hS;R^xyyN0>(Z`U>YMu(l zN-X5x_1y7UfYSVCwKA`}%GiLV_HmU+HuiaKv3*v-JK!zh$wgF}>ISex)Ch0IHN5OTl+$0o471-U062wD z6nT48L*XORem|WXi>A(H7zvX=-(foiahb%@P^AftLd7IhlW_KBv9({GBV(PX_nNxt zB;2maP`@@DcBf_$MtyF6JlBYJhjJOMWfw9aTk|LLB_l@^<27SDroft92bXMMH~GVb z9cTDct-o>q;ly3*G1BXy(*a$($Q|NY6jeOJO1yLB%H(ey8iV)kHaO-zsAlR%i-#5Iw_KfU!5Y~M(e65`B}G}S4rOKsUL5Lu;plMpsFK@8 z4{a&MX83T5|0s-p79hx*lj{J85%t)?^6}hcCN9@h0-|0gi|NZtJNem6L(1SuY$)l5 z1Xt|eFd&i4h_!6vWrtH2<12Zws-)K+40M!@aE&OC@ky*YX1aIQ-TAj}SFj?Dl-j!uKQ5XEmNAYDHI8@L||R=@}-U zuReh_#wMbJlT~4l6PFmh1ZV7Ika492VJ#l~2b7cys{~rj0(@&LO`~r^&Q9A#F;6450P?-{}Ah%7p z#)tiJmuodaRgeI;uj`}O3)QW+0wlLgqHd=#JSV6=T=X*+-77A;wzEv2^-3V-Y;l6i_3S!3&_Gff#j~8|7@)6ejHkn81 z^P0$=@$6Ork@nRa%)E`-Zfg#VyqYolDctYdE?T{MfNC@JI{0JNG7p_6o~FE05M*NZ^&z=;-z)9)hIQzQ%)qYfrV*ZlXg?`df>)jZ@3*)c_ zPJa>+P4w}ima7_0Mg{yN#ylopGZdBZqJ@P-Ic3a!PCclnO4Uv~y>z}>w^>-=R)xD@S7O{Y2@R@DrFvt9L0vYpb6H_7+zC+Ibn5~87W68oeySpBzUWC&b zH3=$AMvU*xJ3pfs0|Cp5E=j!HWZ}5RDg40RoVUEITY2llEhnY1Tkqz6sqWU*2sEdN zmv~jOlmn8Q#Z^PazOI&WC03kjzMMuBwon0x{LBEwmLQoo)?eq%9NDXFb5eB-SL_!3 zO2}=|z0$wk4_96wQn!ZF?(fg|ja#SWS!c(ocn zp^+>$)%~`H?0qkX?dI?F6KxU@Q8!MN>Yv9rz2I3Sw~+reDxT!bOU9R|BLC}8{biT> zNpw?;b5|q(kUg7^M&lIbFKs1V;rmp^5lQDFgY$ewOG$#aKJIW#|8RMFDcjZPN~OMb zzS_pdGOl7~N>RBE2V#)25%{Ho|v$CRjaV85Yftkdju(EpV3+zyTTHIjChgEG_}xYZx{T2u1Znvxa&g@= zaPdg0+m)T{2sEpQwG{laR@Ltmvyqz^;bE)eG{iJxb34NCiqWPf(t~Sm=GDeHh4(Q_B<~PVl6;6OrvBPA{q@^MpI+dp0n+y@H>tH^++BS03a- z@x$xzfby}*yoejlEc3Z)+j+kYuuu;uzBfxKj7}hjB%|L=AVSz zH?z&8NcPwJ-{n(8O^{sLQjpg)+S>Ts6Sxq^)MdNJz{DTxd(CMqjvE0aV)uHy_Kyyi zj(EtW9pb-wv?3{)B!JnadWTw2$h;K{?!dC<3X`EoPnO^A2f35tYS|WEJ(K?FZ9zlu^^D zF?#k6OND4GEir~LFzEwt2+Bt^I$ULox9nJ7IWX!^0Fz*1jTpHoM96?4hFQTI>1GXU_R6ou>8z>$TG6JyL=PDi_K+|MYS;PWBQSl`~`FXow2D=X?O~(+eu0`6L|m83d;2`j_{Sh_7jrCDj)xK1_Uig`zRc=!3{n+~|Ek z8brC-U%44c=h#V$aI4Rak>c=)ncU@GMYo@@37B3JG0_OHf0uU(=4{HRQNloN=MJDA zk9a8Lm&87{K-19=VQy}Fw?cMIvW-yD>9@?(3lEoGD!tiBa-I+DKX`Mu4YXicpg9%( zun>@5(r^Qs?xd)W!=L#B(e1y-C34;AxEs(z+Vm0OIV5*dBT#c<7yYMx@p*xSQq+h} zbRq-$&}WReFOa{M(;3%Yg`>@F09XaLAvmZ!>V}T8_|_9qJg(_+--Z|J>{YK77Avdg zr--&f4Z=?^42Ycy`R?pPMT|y61Zobk%yy7am$Zg S^CARyBblS|xdP!M)FH1u}N zVeq}zsBxNNA7juHcv&bKoP;T>I=9Y-O;etbVJ=i)qW9$%xs4ee4;mS|DfpSX%|1V;^>%B33;?Byv5l_BB%Olw2F;jT#{o8i9}M0R^to_X zEA)p1nJRs>XBjwR2dLCf-2Uixd}`?ddJT4z4=d`!v4u zhjh0Q3wCViQFt%qZCNw+*^pOUt1fQi+Smf8v(a>bkl~}!t-YbX7!}5N|0#A8+54Rr z=m*{*Ut9KR@!+3mkGh3!MkVwN?r45%^CI0_*k%ZH!l`3z`AoC5YI1m4LfEPkB1l|C zcb;zb0&UjgMFRZ}T@xk-TKtpeGYrbDxq7_$smXPQ7)#crR+B?=tIY_KzFFi(ePX(^ zOw>O&RR7igoBSW9(QWWI=fq<8FnaywHjchE>}8Vu`Kvm@FWLTzM7`E!9^OLLQTxgn zegbD7`=tfr9(RPpP=W~Gh5&&WTP@uYPd7*@68po;`Z|{swXQFe-maNq$kZiE_z}*< zn3XJQTF&jdotd0@yuF?!ttWHLX-x4w$$lFl-AB<=Hen?G6=&!eL+0}JCMul@+DsgY zKs#PW*2hZ=jgK2tFWC-_GGt2r+{ek}HIU7nlEH71f1#fGpwoDPs|QDE!kt9s9pC$B zyD2}A*utpb)3yR_L>~2Fs2Az6Y$g|-TpXMC*_p(f-KiNKy?~*%_u;!f4HnVbn9|RF zwnsYGjIQ2AFBNn4d zve=A5BJL=tD!FE=FeFm>$h_-*5G>5)*cqt0q?|ByH>qqP#aL#rRer6!X|J_Flp&7* z^)q)TT;_v71c#ZoCHoTo*jp`+Ni))vS2F1=Wf#j|sr4Ybv-)~Q*)qLp6N*$WgFK{g z*prK|r-e=kEw@yf)cn;q1(G3acY@9mw+W?qfs zz+0&F2&cuWwAXzUpfxCxjd~>Wj>GJiT0<)RNdqokpIfMnLRzR{9T#30SxBn52HlsB zJ*x7~$?B^X`{pPpR?is#Q9LL=sY)+73 z=P69b?N8%3BI#-ru{edPi${2pbb6&@qU= zhdi6^Zhg6MRe#b7{IhT8dlNK{_dP@AR3it3Zm#yBeru;bE?Ua*tcEJNShI01bW5*> z_p8@$PhXeKsu|BUR)?^70VB~Sk93?Z^3VE^(j0%M_WH7Er&aV3*1|__HGA}Ve8VvQ zG*dH`z%4BP`y$p#=2Bb7=%{?KT~{^&=d?-C{}8i|$F$i>q60ByM!LE3*~MHOrBLJ1 zz_|6+)2n$95p$v{BsT8QlpKn_lJ` zHjfkGL1L?iI??1eOscNtirMTvlxQ4l{@VSzI)loHc{yuvt2eLHB&^}ZjDAg6$qNIh zyM2UbGv~iE$4cc>b5NabA5w8;Cv_69q8k~)Oo&y{_q;O`>^ytrcPTYg(xh6GF|xv#s{=(GFCbN0ifTB2(+ zDCi>?dRnyExRmf!*`4OZzbjB9N2o)rTops_q+P%hxgG6bAW6ZZq2~}2#o*H0({wGw zEgsX)gM*9rn?i&Mi*OA#t5p7s?H+SUReITYK`j^2vC5wt~c|tqe8#A0+ND31& zv8^|%mhnH!2htkc2LxLB+2RbxLK;;HUSH4i&`ZBhd*gG!hP}0{7}Gm_b~YxDM_72L z;%sg8iKJL~<-yVj8BRsoB$W1?K-ql6#X{$oj#NbQ2aQ)}-VSaOn&2G%VR>ug0VAJ} z`181h+GeZ{4`Vh%ToTXI`LNHaTmwDK$4Qy~U-oQ;8h@Z-UorVe^~cywIi^1RCUSY& z&%)0{qF(&j7X`%;@@e%DK{vozC=!(^;rC6BgGg>;W%Oun8WDr5sd8 zbG`25%6!q-U*Z&qyr=cE8>QQA6(t^vhlS^HHWyB||Kj)3$Ikvdn-5vIB(9TTu9Z|h zO&EmIqt6@%tr79bs_V<&APhC>h%0m1eL7#sX!+WIf+79`sAYXojh|5%$*jVKxwKGX zAmXYo?6kQqQlEKz0cAmMiI+%PY73)zke1n_K7wb@#E-@YjpvK>8ygU>adJ1oi$}y0 zZkPQaE%|RGk)VJW-syA+d6rUD@2Zvv@=xUu%=hGChAr5gq@+iQl-SAEZ-3>++f<$xVM;PyI4n))Pmj(mqo>;uLV{vF>)x|R7Rs>SZAWg7-YvB(FRLZD zq8M0&0CD>kb7e@x{s}A5ir3F~e|A5M)=TDc?h7N^g_WqtoJ^qdO^vV=TlC7AtAFen z1+RtGxCh)dxl`8hPu7iLPi+I=0s_v>trBX!D6A@-nYz(AG2>Ea7Oec_>A4m*^XprI z*6^>68gzVM$5ETSQ3wN_S5hZZ3yrieMJ2(OQz=R7yL#WpOeM{9QIk*RxgSIM$Gdi@ z%kk_ObwY+B&{|{7*3)d1D~2d7bjz>}M2<{@~cM4KeH$QE23sr5vAo0`S7!JO!E zW@M16z1@7@=BsCpE4D4>1E8s5HK8uFzjUJU?Q`^&_~YecnUgHLpIs)uA=L9DdR49T zWe+vr^t(ZJU}cBn8-z1U2wS5iiZ~fuQyx;_~sM6+D(DahIM?nCfPT03+~X~6QbcV@CLy=^}B~%hje_Y zduv@$J%;yPQrL}KyoCfirWAdJf~e~7EFg$mSa7H~HQl5tdDKmZ`c1X^q+3)Vh5&dq|g z44Qt))Yv%`%cwV9{F}mk6(jHmKQkR!7Zyf&ug~L;=Updo6uW@?Gh~+b8R*mI1Ix_? zmCJ0SiBA;EAN_nt9c$DHqP>Oai}!qx*%XEA)=)`;&zF}dazu|blU81f4vqSfu4wo5 ze8w=A;ZnLToUDbccyE0au8&A1_>1CpGQa4h6?Fl>?qvz)^kqA!_2K^kr&?Ijl zI)-?-vTIm(VKG_oE^S5p_csm^Z~T%0R`;=YywFhv@6y=ajET2$NQQ}^&lg1isIYlU zfmC`Q!_KroNP{8$Os8-4U8TTKVQ0DSm3T88(sB{y=OXs^Z~RiBYA&CMH77!@yJtJR zr<6~=E)zz_*7$ojm|VSpp)kqP(JDgw)61BeYS8N0_n6K!)bm=5f5RVU=+om0C}kPu z10u`Ajh`vB{?wJDxR)-@09AS2bWkBqDQh?WiDvt{c?^kPMwO?3Hq$*iV{VOAh`*J4 za88{?too&h;ZLv{2Qp!0k1xOfquQUnmqvFGH>BBYsWJwZD^YfyXA%U)3q$^5CW|{? z{g;L6O|p3AP7FPh3Mo#WeyQ}3A6oEWv2<_Km8I3ZYglm$+m0L&e}cK-E6CIY^Jkax zD!sDE25+an_CTI$CbrC;Ytf@|+XwF%jRZs7HzfLQ?>pQVbv>|UlnHqI{ zE>%T6oFBoZI62HKxwF6b;Ey;Wwv)7XQMa43ypH}rl;}*7wsO_3XP=>HIIgW2wS#1O zU+pHp8q%9dEir1_dpr53@Y4aWJ`x_K6Qpv{=J&i^8l}I%*qN_Jy5RFXy6!_q_Lbex z@W5230`mvxk*SZIgTr5#u)CodY?wVKj#|f#_by*zEJ_c-Y_OOjLer~c6Ns+ z$IQvfZzGtp+fv-ZXa$tOwG`=U{1Oo=27+Tx{;juls*m1^Kkhn~`R1~8o$l~rhy~Y@ z4{gT`CA+$y^x7ICn<$T1d*6A9;zU1u>P72(YYPED9iP%G49A_t3q&WaDodYh74n8s zj;F7?0rryn9zWB0Jt=n))M1WP7?O3<823@7XIxKPr7$l|9&-JZN*L7|H1QF_O2GjJ zRgB}t_?UEb0&VRjv}V7;Go(`!;~Y?>hmBDSt{EGncU6mT6r-+ICuL^%oE*RFJ$68P z)8Va_W{ZA_nO9l%yD~py64c6Zm5ZqD)2~j)GxPg2uI|dhjUAJ`QP(h+RBmfmSa)C} zc$S^6*Y|33bP8L4T{O#F;fk#ZPbXRzzx?a>;IW;U#?WFMUSo2U9P!(lHB6Si4m1|9RGzq?(m}?$JF0K(;OIA1V4)|_wryA9(@PO zLvBa7_z7~O5d_osy`m48U~6Kx0vIsS72Yn=n@5+~!}P)MCZ#1_{}^apShysDtQJJp zL-MT0T4eN}p6O`b(3k%aKHQ^nG2nVIRiSnMLgsJnyUaJ~TiJ2Z6bmJsMINs1d0?QeyK7I^VQw)S5%#X)31`O_y=n{Pm8s~6u*Z7+>Ye=ZN(7HACo2Sfz)7^4v{QUWqm!w&J#H(%{I= zkGjbm!+hWKGct5f8;BQ(+Vyo{$MeFCX^IOs;f`?-c{pW7`Ma`scH>9mtvrIXLV&Q- zGwJpnlxWul9KET{eCDEx6NVQXo zP8~Sr>lvtu9;tqGgG0W)pZS_R zA)B>8yk5am^PMXmXVzVbL3wl)by#2-IB9*KquS;U7?UnhGD zwO5^}i9%wkeNpWJtbI4x_-21gJC3aX4T?WrTqM&O z6CVy*)ReC)SOh<9`$R5ikhN;;Kak@}Q|hFd#y$5F7EvaX&VlgqQ7utFzJghcVD*}k zg))b@>^mxz7RD!&mkhiHh&!3Hm)-aReG|@A7@v@K7#6Cfs$G6W%Wld-`0YcheM+9= z3V&Lt%8x2(b`x_TI6B&AiO{k%bxA4ET+ZRuOT6An(Qx_4hsUhVb~5D(+8U9R?5b20 z8Wp>8n)JWy7%2Cqd0n7_N zsr;LH8i_yr2~}M_Nh#+v6vp_gSZc=WrG^DWI+0a_(?arduKN#NpL)uOouACH2;JC_ zsAkAa>jKw;7eWtz5DdL_2RpnZUd@LMK#5U`-(XWqW&7sdDqf}gxim;roq%&C>@Jt? zaK;S#rPQDGY0L|68n#q4G!ZQxgFEtDPb9pG!VN`Qe%6HP#s(Z}omRi89)MIyvOG+g z{Ytbty|Sv!a&imIJ^br{bmDVo-}#E1%6*J@(rHLfRSE{vom;L&(E~y+8&D(t-HY9i zpQ02Jte0IL&+DN2g=2MH$X%q9O2Z-WOrwFAjU`f<=GcW=Zn6}|eAa4qDP>is0 z(bz8B6!noR8|Q2aopw8{5SE_btcWl zTIR@=ljtnPB{oY;SRB-fpJdjmf4%weLB$+-&(MK%On8i~1^(k7gNE|Gm7O;mNuqJ2 z?er_kTE;)UI?Ee18scxGdeqa!)#?MQ_1HW$>x(?muWeJG)-zB_4psvxDvBmiE3Eeiy7h7->fMz9W6231>4Xb@Y>2M zpm5-os8F53tC^BN(>@ko@yOVE;xWKlC^52<=KcrTaKU!83^Yt4FgK$wMoH{I?Jnal zoITa`TeF9ZA*rrmPK`WA+_?wcA7%Y>dy|z-2%w7T0P!Q-E*9@ku45inIhaK`r*>jGh*l(mc8K7 zxY_Hv>1#jUgn_HJoGZV!y+$CidQxskbPwnK!%l!8Kly0J| zfM{tNxC*=-ZF31}3$V~h-v^6>2eg6)I7+7rx7C;5sNSsvvR32sJ~UmBl~{A_$tGCM zQpsUuvlHMm!-$^}t+p~W_w)={e8Yawf{~gzMKgVvcaFCi8j$$2j`WuPUi!S7jP)Z# z`i3zw(EozqTil^HIBCS%6=e||A}c|uu21Ckl&}3Z3}Qgj_D^Uu$N3Fjyn*&-nr#Uz zC~I^3ik(zT$bp@zS1C|RtMKR-kLb-z^?6gEL#Pe;zG)RK1NVgK8K46(gMnNT7~$!l zH=JMf&^|wFY<_Xy6@D0=;hqVti}zC*0AQDF(~(l#7L&bYRwzjwCy;6bTg=+WqUwSH z^M;j=RF@PAb*f^M9mm-U5ut0R(BF1J^uo_;&0#E`!#xJsyHDqSl}32vT-qZ(om5!! z-+6o6;19e34}z&~uN!op0YD>o&ZRtRNsPb(`(DaeQTo`QQ`eH?!|t$nC&!s%1;FGY zhqgT7-%bLm?y&fJMWkBkPm?p1qyBB(!IKNV>gw_M(4Lr9o9O=t!6yn~BB#eA?@*j;h`{yh1G_^()9K2MOdT=BPOOBl+;q>0g_H)WsUgVzqU$R_l_dWQVk%cl@axuu$SF~~ddRmN)`Jx&^ShBi@x}c1X z73`J*gE=(m)JH3b1=5HDWB9LuyWURNc_a9Wj5wJ%C}y~)OKAJENw0>Fshp%mNb+Nk z&SaVyO7{VMJm8$=3Ei&;GteEm=Q=6wVu+d1j|$-h#Z@wYc@;j^#h4@bI!51O&}Ch4 zqOem4@y2ZM;I5EHF|uf{DK&KHq2{^no0T1ExGUYa|gtNxfNoRiyT|5|u%6_Wm)5!Lz;ooR@YGb4isGUo1D19TEz7N_4-GDZL-c zKH5xdIH{|m#yqLGUgwosM~Sq8y_TvA4Z~#2y>J`VkjP*8dB1JuV9a`&*0=@su<2SA z&8m@y8CfWVwjl#n)SZX6#Y?3Lw-W!3bs`3(Df;w*W`mL>t)S$GE-IaL%6tt^xab`1 z$3w&AU9+d{pG$StIINN7ged!m+t<4u*pi7stwA$>2N@$oV8NO7U{yZj!Y6n*fZcSnI{p+0+S0Nd~~SAj}$)}Iv{4n;FzMJF#+lyskyZD-(i zDv@TdpRn<>U8ote1!qwCeD%Whv^GmI@mN$fnWIf9j*PO(jnpaO zL`iQ%;r+n#8epdjnb|FtuI=PQ%PwEhkR>CAPiSZ^a$H)T&@4BoO=ad(THgtTI}9LX-7hf{p*&di~>9 zMzKw24TjT1wy^ire`%*bDNdR!HIh9(Su0LPmVpuR-Z_N7{M+ zV^yY1Xe4?`{$Yo^E{oCXK@txB}G_C&BW0|l_~ss_Ew zH+G79fy#vHo!^6mNkzB4m6nc5KR!2$K00eLm`$6Aeokp2ArS_P_xBr=qU^RT+N%8P zHa2rgV*$HWSh4i6kGlZ6y|P zR#_hb<>dm*Lg7^0fQN1#cxd)YFXmi6e}l7i;DdQefA zQ6Rz%5irfDy%0qkFpC-gv2VE;(D37Uljk@||3wWoPy57MgIk8do*m;h4YXSV&Xuf} z#c~ID9Wyt;Ip@J6-eC%S3{fX@v{D7_gu!LiUUVy-aPc0O{?MaFPY-&E)qw*$&WcDP zG{A0i)sH{qyIq7XZ11WY4()^*Ns^NAN5Ka#*&t~Ee#6|G#oou`)sM6)#b|GU-(o|Q z?w^#!`{yHeP@w#ASV{JrtOI+t;U<4OeeHIE-YAACaH^EJRqRu_jr_^g$w+&Ch+vwy z@~1PLy^pDX{YrkkG<|V!4`XuA(0`0SPI2p%IgNw7c?cbN43DA>d6o)i29o{cpd+1(={?;rro<2 z7|%AoPgm@;fGBMh!D%3^W^OeNH0`ZcEwls(z?)cbf-{*CEnLSpRw;;&Co}`bnxs%4 zwYzB@EJoamoz|!8YZnGOut;1FBt;~|Z%Ju=i3Qt^mS3)$(2oSFQ>}p{vf~LR77lmX zGH~&NqfzIcKi|m;8?gxMPIj6g%+0bFJ}U*4{-6r^kPvdg{)~(FBG33o*o8>WErO$e zRX*WoR9^xU(C!^t9B9wv+(W8x6z;3kgheVk$Sx8RjRbDzZICVhX{jjxSK7nzQ@zc(YmQUPoQ!7O9b3lZ@tp&9u%^P9?&YXizJ3gE@fmZe?0#-ug|q&rMR5Ild!~nf z$mSSPf+J$78cCi98k(w-faC=@(jk+#FE=`^>h-VJW!sI3hYcmeD;Nk>B0Ts=shqcKZ{T`sF=mw`# zEcp_tUtkoy_U7IonB$Wu#cvI=7Z_4XAi|z&f1)`~&%!W@8bXqsY|L^uLihKlwW{vd zAs}&bps5qijhfXxKOXQBHr$r%9%RtK!k5BqiPp2WlBFSN`aB0*ZU==LFxkAPak(QX z1(czgQNKXQ9f!p6hAHoE1qLF7wdBMoKFOwo24jIVq}Z@WK&4_Zh}Y2g1~H7@*-;ei zE175VI2I!WEqb+%51;?!@;Z07qWl5f2Z4IQNQP6uXLy5IUIyTc3UF;2{pJjvbs=Jj zEs1%b{-!vF*zItW{mW?ysf%&eU6!Q_;FD-Sbht7sTRG*Z!&(r*fb5+D1VJe# zn{V>2;o`yAocB>N3TU5>zUj{Re%w0SigMSD2Vd-pH7eOoCk!p?sT(|l1fkBn} zna;FvoF0`nKUOCGvR)6DM5i;}f`d*I-2ld!l2LB=kI+}aPLFh}O2pqBYFivV8}Z@R z+9`k@! z`aD|I@?mc2aH|D{=p&PuIs3XX%IhjJn%=6H6i_?8yzDP?Ln2jQf_cja5P`9uRe@1* z$@S~4eX_IPOx{~iAsG)4(z9LehL=s+`@Y(S%t@_+Bv+nh@kg|(%0n8zFg0lSvCNup zC|SbNPm+O)4opOQ+%LeF?sC?uP98YNKba9-66eWur_*r1yU?fb#mDZh$my>Qov)4* zM#k$~f2wc#t!@ELUCLDdzSpg8F><~f#Nvl-dFMki|hY}m24L%WRXJcBUAc}YzmH^3P zv=!y^vA3T$fcxyi1=OYRXzm<2K%P9~s_Aki2~r!63U?sL_}K3Bq05cfw44&#w-@e1F6D?rU-(r*?8kx- zb<7W>T~6;lz0BN=sT7cExamrOe4k>IM}NDoHR*oUL;=SdtGs<1opjvX>6f0hz@D#x zP5qp$;)!|*b;rS~z6WJ#Rt6le-P%&45XK^Uy5r&1VR|WB9lBqTtJzIM$foR&NA9LI z;Om&%TSouuptD?#F#g2hS|OEDRz#Sra0oTEWe>i@z>m>gdh#MWs)nR2eoU%6mfv z^kszvNkgJ+268|)$6BUvcK$|~D|XJaQv{pDZl=ESLrdxm5x4O>p7n|m zuhk}66XjwT49X_wt;UWE{qk$5dm>!FSYvd>5BKZHEx0?P`x$|5SIzH85+YbrzV5rw26mURsH^A%cD*W_}C)iGM!*+Nq}G1=jd0 zNBV=MHbkb4l5=>=Y2q1>-B}ev?%qp#IQ#nCAH{G!`(uG)+=?hQGw7g&P)tKA+gWyh zY~IvyFwnwCm$^vmTlqi{)@Gi)YNPzB)4gaPCl*oiogyDM!UgZ5&cg*4sv9TubjCn{ z1boJ$i<4BgjT4N^3N%?2C92+08wq!?isF4CQDfV$&O7Z!+!tJI&P0*LTaEdOn^sY- zSZGz-W|N1%$cdGj%&+NpKRKxVG>{8htK))L?M+XXz;k&+|N^=tplnI3@P_cmgLZ zM~oZ=-}0qM(yMrSXZR&^_7{dqD!iQat}*Ppq!Gs`05Vc$Qp$1y&x||2%l5hZnlLEa zKiyW4zaJ3S)^xXuvoBRX5Pu{5@o!>wo}2414oTUBjVibaGj7sxa{$x#12FbWvRh-1Upc!K73Vht5hv%2vafX zQ{NqYF+U!W4-b?q2Qi%r$Fwr9&WzOzsV5@Lbuy60+Ixq4iOKQYeA3u#_5xOl`S_I> zDw!4Sij3zj{MJp?hT;qk=c>5IiGlpqZ*OvP(CrPFGsg{xSCgMDxcBX!`<5Rg zIE{tNE|wJ3qC5*(5q2yUOmP;61MDNXBu9EIn;!Dv3kHl->SR~}d26Nt_f~`ho8&~y zBuaY&XnU4aF>!vE?0q*jmDr6>{+aQw6I;z|jl`$^g1;BQb=RwBN#LHxMrMbcSn-dI zz}*FH7H-R?>RG4BJln`O)bIgDI_Vyg{nsPOEeF>B z)WepGy&Hgo4la5|f!&&6O9s7hm88&UO+7H?eYVXpLw2UnI;&F<5Y6CBj1=BXy`PaS*V^wi5a4s{;J{k1@nU8ee4DOyI{dX|8^L|#8|%gx1vSW9!4F~!1=`7xL&3V zar5WAR2E_S-zI);-1+Vzsy4bwZ?2_)9d+>WHX~V-=*120p4T+Ruhas8xwUkbD1&KJOIiNZ$UAh<;WndNVqj)1cPdG_t#`!a(vEk|j$W$+(`Jk!zQ zWmn17V$tYRSa?Q}h-qVkk#KVQHT@pB{)0vaqo#!~-R@pmbT$@!1Pd!4xqsNN46$r* z7G{b{i0oGzc_LWoh3(%41rc%Dr*@D07T(2va0#OWc0e|!N+I0Z5!34-8LyenKG-nGM0x^u8G_zd6!`(v3UVpIIT57c$C1>)iSgd8}Wqo4ml_uJu;{ zFLg4Mp;VkCc(6pa~P zSJmFP>Jti9-E}CYn%4~-EQn9OelLF_dfy3hL#6xUUO>31*R=Q=|A z4G`w*(=MIS_mrqUN<6=alYo}wKOP$C!T-#8y1%l(7P}50!!z|3MF9*OLn9qw9~;Ti zWtj60DV*jzsDE;c+~`8fTiCKkjoYe8#r9RWMNrO07P`XUEYuOyNP{NlYk{+gQf8ij zdidI?vwPfgfigrnwFr7whoEo%SCyXQk`}Q<-!VwL@Hzy!c&IpV2~lkDyIm}CML1o) z;m$f(LtLknYa$`ou7a^*U27c@Jnn$18qM)rZuoF!g99(;0l1}KPQV^HK&yLGsuH5t zRps~{WYu3@Z`qVaWH*&Cf542@x~tu{`3RGx%bcZ%^u;Q5!fK1hIlLCa@wk~YlxpDyk$vUpGs0ZN)K;?GLNguX@%CgmS#&sR82)Wr%!3~N;T2nrC8w;^ zhcAmxs-~zK&l0sXuSgVneKV_=QO*swL8VWm@7*|P zjzQ;A-3l`N8^(`{3HD9H(||kq$&^-KvB7qfQkkvU-#fgpTGwNQqxO?EFgBOQYP9RTIVc7@y|28w959{pk$INtZD>sZ8C zQbdnKu3XeFRvQD|=AcBb=bDw~3F~!x{bi6wrvRQL3Su3eqr^kW+jJQdKX|oIALO2%fD2#xnJQDK>$&DUYMxP*7*PGlMDlrd#6-WZBBC{wQSE z{7yN7H?R@e1zM>(n+u0Gi`YKTK5cjQ_EaOn#HmL+{Z3IJrJ9@AKfHS(Y!pkQxadV#XzjLjF3UPa4AUEFpFmJLF8(qP$GpswEt1F`nxqb8ye=9Oxw&g0BjI8s_ zy|LZr={Ei2505P%1>-iLm#FO7UwNoG77VIicbjCsrqXuERFSR64<3_6o0 z`EtHR7zEyI%tX*@&V8F^xhO-Y@*{_t_0o&kh&qZKW}nGR|8O6AvU)aDLfZ|l(jJ`Q zlp&HuOSF_kgvtT`*hr@(k-vSM$bri3Sfa+qKv<6v#xx&UOITK{V=vJb27(&~U$h+R*`5F@GB zhaQ7IxQ7*EU6BWnhuj^_o%l!G_|^@o+{NqzLI2vXU;Tp(!9}XMk&){^Q52HO)i=EL zcq(kLluW@+jn@)6q7fU)`WGq+pP&b6FWbfVQnXyIS)=!x6W9nKBNF^Wdt$?tN1L6IUz;jV{{V~l9lq$>H~BF71r$OfaQ>ZZq{f9gsx>g9nr1mw^X|nVRNZbU zOj~XG*3CF!sVT(47d!=qFf-%Gl|@zYz#_7*Z(I^-8=BFJ$a!=c6dEwP9mKQ}1nSX#^OVuykj%*f1<`hOYo@VrAvXZKhaGs8Wwo|ECVde= z-+E*)iYAD4Lz%qw<-I`M$-!DL>{jb`Ud*=z+Jd54FmxUGoND{@bP!j(mTdQ)-y#c^ z&t-5kc9V##&(d&$5w|Xc)iQyzPk3Ll$cQ12>DQ~B%B1)alE>G*=^M6XKR9Cx&g40d zM8CNIuNN4hgE`~A7mAKUoSut7Dg*`meM0f3#Cb6TJAfDP6D#OULjcI(*I+G{Rlr z(_##?_+2pEB2ee-?5ur;4$6@O6rSn5!?+ng%98J2UI4lBxk|~`7ijKcE(XF08q>dx zKnHp2P3!0UXhKMBX-BXryM%SxVS349%h;ov{m3lEe;T%_7+@w@Q6L2Knf`Uakt5g; zfpzQX!F6CVrCoO;Q=t?j_Iy=^Q%mBs{I!`RaxdoT2s54X_&h9?l1ql?!2%Y%~` zq4jqys~4#fB)l3x{NK&v*j&V5jV=j)^-pi1bTKFe)D)<%Spjo_^o7QUkB24B~WDiue;%2c$3RV zYCzy7mqN;wf7%ENT}?xcoCs->DEU0Rg@p+LV^Na;Xx_0H=iTD`h|gudJX)Hm3)YQg zkS2AX#mE^GlXCH?7_j@x*HMO0iM$nbC+pd~-;>vlS)eCZ*fEeIrFg0f^x`RUZ4`2(I!~5z71QMA=+GT#6 z7hHH=s0rvlv=ChjnEZeV)uP=F(vDQkMSe4jWX?bIOO9@$eH0>sq~sK;48fMWithtb zzQ_unf7v^vsbK#o(p#%^qm6w)}t9a!r3vFv>x?tL=^4km z zIa#8=&tKoJfBn^JmL_^S+urh)m|tj@OvvQ?nFOQ$+2YY0Jj+^Fry%44Yh~RVW}LC7 zgPyFB4De2AVuCBZ^=31m4*@y)WzPenlxAkq6KwD)k<+x->J|9?jC~HHFIj4mb@(;bY)G!vSH~gNpx%T*bPaB&6 zQ6&m^w8Nj%%{lO1vHbgS{%`+aj)Y_#n^}eA;y>B|Ac5IGFkDx8nk8CQU&m!4@<3)5 zrc~=Y3^r|-9~Elzv4+6g^56bT{`E(ES}xC$koZBe=s(}4ptns{jb}?0IZ!pjQvYY) znGA}8p-cHcQAeNa*CG_MlVZ^Xvj3mIF^kHFN7>gcXx>Zzs~7q^XV?FHE@^RnKGJrW z?cVBT@&Sge(smV?d5*ylVqE@(zqi{gtq!~$Wnl2U290nmSeeQ#_EeW297F3_zdJZe z?=;E%VxzyiyOYBA`#NZ;ZURv@5}ei_fKlXg$Oid!4g)AvRJn5|h*LL`2Vhh64-9e?_kG}zJ`4Cuz(g<3o<=SuEH`#7lHh_6z7t%s|Ksie( zhnAK10!x?~vU@+7LvXs!ks`+99L0AK$k_{Kd_x_?o+qjw>N*$UlrRJQ69w)-u3Q$C@{q=7=VN|dT0_zLTy11&)8aoPPTsbeEn1c5^egzzOk!;{E>Gh%&V0nUduoIKKr8JJL5i|C0~H8#)5`G;T$umVpZM--GFyZYU)o(Uy(5y8549?iW(OFrC%F%yz2~P(U}@ zd3p9na2&DyFUhaIZoY61IgDEyd8+Uf*$Y)N$!k@cimd9En}pT@UtwhxHITYh9Y9RG z^ofT)o$fQ0N|Qc7eY(KvQ(6aFGb`F4h@5Ka7?>8KSQim@(K5wdU~VY%#@=p?%xNtl zeB<$@guNRK;F;k1@e~f-h!=4xn%x5CXEg9a?t*OETsE$n7Ig=xsgferPZy=#7vgt^ zo>u-HrR*;rgqy-XJ(OqIE}n}4l1VnNJ*Z|p4wKOfYG2A79(>2wO$tXUFO{!rN_)YL zwjF}JlikTd2zf=$1vala7Jwre2he$MvPmMsH~09jl14fMvluNHgv-YG|j@x#-At;S~JlG&dXncn)kmzqkYb#@D{P z-u)a~?{?^zF&GXiZ5GhPCg0L5krW4i+ZQ8vtTt~^Xs1|fv+;@#v*YT3s6kP@1@+jZ zsU#Z~qUf?!tnWubNsFCHy`JNfEMUO311hzPnkT-mY#`UctybvBkVQpqQ&ohX-v8nV{mqxsO3)(+MWwq+DelLuS@Suekv z(k4RdI>vK-8&ZdPv z;KI|=K#n_rHbMq~tdu;g1j&SrP;QdM^rvbtK;c!OodrB2oPI-dSFcA~Le|KMHU@to zssgk_3FI$9n6%LO6hmfdilj0ulu7LU193)SLLC#IuCKbDL8FI$PJ6(ieU)wI^f;2v zZpyK-ADU2kxV7Ai?I1z~%lP-v&d_HYBUU=7xJ%9**U(KHJX- zFK{A?Mt7k;%E9(z{VKYD{hLqgzy1vba#yua>%2n^p0q!>5Oj3Z%dBHrojqGzQ8uh3 z(tVFqj6&s?Of~w_Lwjl7v6*kP=ey@mgwJP<4#brl{0(l+M0}Q#hNIONYAKtLEpdRj zK7d-z+;?#f@?9K4Xd_UtH;)0E{GNdn@s>-NHn8qi4!Fza31j~|T#A)9F18@)nP5AP ze87QkyvgcICQ5|4t+5XFwd)a=jSB|BJsIs<%hFd#Sc^=uACmXo`@&3og*W0IldP}| z;c~4iE{Wk{vm`pnHKIh1(z0gdMl;D(xSi!+NdLJ{Z|F;ZBl6-2(>ee1WBAyyj4(Qc z5NxXd*Y6qp!JaV5#j^ZFz9`9v3yvCZA1TVNLYe98MyE%0XGjMpaXIHGr!sI!HU<5* z@r^mP@VVUb-m1Y2FMA5IIUd%|Eki;~p3Q4;hZRP%6&prGR_`QriMp-FoU1;e+Y=RF zLAB4oLL;z07fkGZYD(|PlP%y%WKN4=*J2jv)&2 zNe)}Y&OkOC)L7kM(Tdv81gJtS_tN?%nMvPI=8XTzBY(9RJrF$IDcd&3e?ERK&0?Z* zI*g1aRs1RPNI>!)oXfGDgH_CP}wW{+7F-4X%v!eewV0rwEvl{_3ms;sF>tXi>A zOsoJ!%mpH3-svvL1y1{Y8Fea5uR#lFSThZ1fgU=M;=Vt|ilX!~M4PZDCEwYdYJ(o; z)>lT2qW?wOTYy!$ZR_LGC5QsjiqfE+W)0-}ftNXkYj2|?*DNtKpP zNd*L?R7zQ}_>bv1_nv*v?|<(V?|$~<<7UHJtnZuOoMXJ>4I^$SLN%^zOhS;&up7+N zDf_>{4`uX0z3O?V)?g4eZcX&y7C&CBMGH##J86OTWQE*MK;{x0OI^# zmH??TfTsj^-@p1q0$x$HwILZw$ZJqfSIY}TBC{2a;(PjxnVGRVa6l6 z$rbn-=0%>=orlX{w)BaT7cu;)4rRFKG}QqPB=+&%*An}YOHjf5mG=est{X9*f#%1n zrF9=iVXPB(Ayn}*ifVNkJZWTo1}<+>ifluc;uh}}E5_0KIxxRv5@-X|iv@tXhw8dD z-tMag5U$3X=zx-h%%>t8u86zUSK#c{0JHnpw9740dx1Yckgtg03OQvt#g*(Nb$g87 zjLZ7=f%s$xvHWU5%9?^sdY>O)>VfHc@}})jo4pLe#TMx7w%-uOlJQl@f#>`ex*ITn z7j@}Tr1e@3{x0g#9?(GKQ8x@*W!t@m^T0X49V;f+gD!Urmh!P=`!%cRT1W?Y5QUCh zjj96d99v5BiGXoFh4hw##nxDbOpR4m_y9HuANNVv1`zd9@Z4{c`V&W}7eJujdCD-iGMc)21Y->`F;VfjaR%d#}-@~dZ>Rd-bIB~O~g zks3C7Bo|Dt%{F!7Xi9Iy)JL39OW8q6%66z%QCbBq9~hfcTr{|HZF}2tRBWlK0PyK2 zZ51CuTB&v=SHvi!EhfG0!mMRQOGcat4;=b0pkR?Ka+y^HS8pINyLY2`bYAWDjsI&S zOa-<0$N1tVVqA!p7}c@>j<5!aUcB)mjp&jk5EY0k-s8?*EJ(LZn}TMgpL-7q8K<3l z>t^?Z!E^o`6hBn9^Hb$S5BH!oh&v|j{X<^S^X@lgk)dr56gC|ql*bT@sZnvEHSnsYTP{h+4Yfnat}l0?HcDftpj9j-~1i9Pt= z{jvV1yT}`8!7%G}6PJuLaF6l_oCH+QyGbYD+$Ei{gX#*kf(uT$B}w606yw1VqmfO0 z5>6SX#wVxrKmC}NLIVb>8c4bl$DZ>km~H?cRMd1tqG6BK`=_(HZnD6(XyBtTICg6a zM;x?Fv%}_(2ed6$CV`2fIuHzE1vPM!{TzeC7iZ-10GhRNl5*)P*$>XnE3o;U;FDl3 zhf7_;7+$m@sA1k#NK_r2B0IXf0}WXWblox2#n=1({IE~)r2@2L7PGCBHRum}<%7-( zyuqSCm5$KlBf~0ETRT73ETKmvzdMS9NEyo;V=&Suxyw$XSMFdO zWx=j-8Oj?thR)9b_WGoquUZY9Ba`?RAudg=`r@Y+&(Vv$95ayHRTjNb(x>6Nb1eyc zckU5zlAbrk0HDY2F!$gJ54)+~M(kx1J%7(5)GdO3+ioO+OpSg8un?%TXfm>2C_Xx> zfg`)OQ~ZA}#^GcJw5jYMeiB%n4O4674Ji@B;w7H3?azv&5`okM{aW8jsu$8)4oOm8 zMN~QM@)j`Pv4ju+mtJ*9jQDon3(ZwIZ$WyS^Nw>8Bm_1-Fe$N#obJlB?oN@{_%>X4 zlIo)5dHu3+hYK8Akf*ZBMzW}@fjeCZExNnbRV)gA64?c`loi^==x7d=>V$({-;E$r z1DBO@SJY!^SZd%e%ysw44nOi!k$+yZDzh-c!P63awC{6bJy0W#8#cpjS$g|M*$hq` z&&DahQPf$~80qHm!M$WizNkwEgWpK$gcML8J;$8ymowB+*?7T#gq8I|c*!}1aEUKm z&By0@vLTh}AygMlmaY0s9s}K%-~eT&Uf^#pyCA~DhO$01Y=*-bJ#dYJAhe^NqV2;j zFz1^-d(A(;pYWq*^TWlm4>x%KZ(A|Wkt{C6AJERTAP|2HpM>Bb&d%j$5C;XBza3lN z%>Zq;jcPZL2p!`ZFunEhp2k-Y6L3Sb>e1-i)e$dfIaMDB<>cmn$V)o5khNWHpX7C2 zynb3Mx335=fwGHV*}NUJ6;?jxaosla~R{?UCU{4fT?Cdj}ryWkY$I+^|!>F z@T*fyms#K|lUg_|1N_ym>SrK$@W;+3iWU9Pyp>slyNlTRc1)2{uMM$WC znfc&9lb`-y;PE%VLh}Ho6g<5HIV^Li`>sSZKS*X-qwb)EfTG-(N$7#+4wjEPNCu|f zjzJ4fgZkjX0@gQwoi(>;xI+-7nqh(6`FTfY9bodkoP(60KBGR9Qhx&rtzHzsB8CNv zIM^wfh4g5PrQt#iLx9MbZKXc4?c}5C+XcimV%l>FuHnd&>HOjxo`bbm74HPh-oDmb9qdutuX z@P$Sq50Ht9d_f6qVv0lMM6im0POvnv2JgVc2AeGCRPv zKqVZdZiFWF9+sOdA&|_~`oC1M(8#c-l|19A{-VDYtTu%8J%0j`^RBPG zY554!uP}A0qh7$5XousU`e-agP!R?plxISfIYXT6%SNn{zR3Y8^yHW6aWM0f~PPLPr5tw1DUD5*z{rIg!^Y?W;{mJdy(fgZanfq|Sv>eiXVt|VaC0A^c zv=2uciRCvnAg$QUcRzQ5V}zZjPxJ1;njpO>%V`hifKRufG2h9de+;`s3Mwn2a-H!= zA>(I!cBOi?Q}2Q;l>)s?eZT=F?hyu2>Z0Wg@hyNPNkgs7N+>xX&druXW5<7UMY8rG zkKfLZ=x#{LyF!u@!$q7!O-oH}Ov9Z@e3DD`vYggcg$yorMY(<*g$6~+f`ID{cX9%< zVq%RSo>E>-?0$4NY3Fl%^49ISjzmLTZqe4c*Ct!;b1{HrNV{_WoR)Hxc_cRfc04mL z95vaVh1OU&{=;5P5q8O2HJq!-OjPmjV#BADJAkvFKLR_bSn5x#ExGPQuFbYv(^2zW zX)$q6ffcP(DR>#eOhMv@WrYePxmax8LrpCdfPnK*WF7H1=?!(KCFqoUVHZx>t>kTs z<>f?9hV!b28#tO4WehU2&!I%IPf1snR|Kz^+!Q)+4Gt$4c+iIDX57aB-U|MrwElhr z@a!WS2jkoniO9EMk{NU*OY4NuTFQp4u*W2h%WT{1Xi43h#Nr+?WsVakv#Nu1cj;GJ;F`=i-<#lpdkQd?g+P*e24PE=h*1-#}O`7((yng zC}Yq?RcM{3Bg7?U2{^EiKO)xfuV2cES<`qX814}W)$?e>0ccYT?!Rgvf;KJ+&;*nI zZp{R-YxyaNA_S3U&ujwjg)SD zu`UZQy{{8I6iPT3IXO5URxPR$WT?g#>1K87@Bq)AEmGryX66Yi)$$vKkn1*T1)P=5 z8r>obl^z{2)i}PyFJ~8CvBI3@`)Vf6@md=3b&~|3Xw2^(V`Q|OT=ecTZMi{@#Va^` zbqWq2kM3|RVZs7nti}G--ZjDz=kZKPskx@?8%6eUN&a#D+^x88B^T|(qmm|T()IR5b=ad6L`J^LLsdO)4x17DO#IChMo{yE{l^X>j_5A&x_ zpKv$R_WLfBaxBXP#7@dSm%SCx&$e90B_O4aKyKJri^AuEM*De4(Pw8FC4Ou5Oz@+^ zexLCF+zwdUN#Pz@@-yRI*#D>b^%E=@beH||*sbpzz|}rQNkwHI$|v%qIUna7;eWo( z@4hxmGuhj8J?>`S1851Q7uQ27v<0*y*feTBBR$fir{=qg1NZZA{&OX2(87k6If;`X zyYE%}&v(;ip=2a5HzVHX=J2nbB;pO+`j(HP2QnY;{{#H`2|4Hn!h_|{5Ta!g7)mAP zvGf;{n3LS*>ZGGTCp){!xpQ~W0CAeIA@UCvgcAwn)D-TCNAO-27XkraLPDZhD23vn z%OOa(4w$e7w2U~j)ce~Xe_etIZCrdYix{D1c@{FV1POQ5_0xN`ZX=d)D)#m{{Oz7c zDQ`j1VF}s^eY5m~hxfm5GD**z7tb{L$>cNv@O0b}cGVxUFpJ)jS_D(~?NJ-d-Mjc* z9^#b+K+U{VVxzrh4dqLG<2PW-&<&~P55a+e*Hm=<-NOKnXiiNEo4CuQV12lUPwr3w zL3I7HiP{mz10p-0uke?@Y9Cv0GRIK?=rj!5e%rW??WP)YkGRH+clN zFkbpV_^$;XQHu*jlmG>s?s%-4``-!<1lmx-L(7ndYmUm7UTrgo^;25aHFCZe$@wRr zR|xhgN^;%6v*?r2b5YXL#syxO*7}17S^?s=&s%7eoP*!1C`?XGO|49vRs($goW)DwEa0}4R^sm)xMUxdDGZoX)sc~{o!dpb-PuJ&hwsbkrD#k6jmKiTmt$Z&9( zir!hyun8ELK}iSYobKK=WX=xA=4%Lqmq(*MXwJ8Weu@CKgWIuY<4J$M>7*`o&lWH$ zETLp80^x&xh10cq8Ne|LFiSutmMQ2mR8Th<>9bq*t74;y_C4qvTcISHMN=vGsF?OdMj!=Hkt^MT z(svf%N6)JSH^W?ve}&ygUFNf@|U$E|N4sykb%vy z^IiPB_+n7FO}Oq*?|%nkp}dJ(*dxNy6eM?*S`UCEA=_Ry8>gVPgeuQfKA1wgAN6ur zeCuz#aSfibq>YtxL!MFpAL%9wbH3d~t%0Y-`eyCH1=TiJldOlFgYLsC^G zm(>p!F~BSo^sb|Rh?fMvt8~v=MMOFdY1Q{PfRl!eFZRD=g=Vx=_gOa$Co(blAb+$| z31N$%-Wt(=yQxTOKUq6I{~Vf+a{)o}e^TA3qE3OD-TWFIar(=EJl}|zm>Eb>y2u|} zWZAyGRvQN0Lp#{6`0BUD@h2k|b@J8+y#lj9ury{#`ErleBmzxm^NcEY+~+zIqXDKL zrrO@UH`oMZZZf{0$@7%PT(d=!A@ zD+=zSmx!d(Q~>p9gZ^T^r=-GDia{#ADqVAkrNQ4W`Ul&UHY@DM{YIpOQL*^1ahYJg zM$tp^&4l~xS#8xPr);n60>j`Ez`<#1f)WqvfalOeN`|HwFk~et*`TpGb5~F~<<_@P z9xQUuj`^wYOacWUuBPg4ehQR6-vLwEE@~<#B<+W+Y%}3tGaL%YK`Y0j0FKSvYNr1l zRsalD{3mLj^UBQMI9&BAh@YJ9j2zPKnTqt)7JCQ00ShCZn;%Nf?zp*!^BGssSz7!- zffhm-IBY|QZ!X6oNerbK=e%tUm-e}pT8u;5ZAipcnutRzrqC(E(+I%v8%Ua5Az5TF zOOdBrDFF=+YlZycaR^lN6!bUIHTr5G+&EcZdKMy{oe4#+5Mp(8Cu*aDai7J490$ovXZo~@ z9)3|`JxFVgeop|Pz`CD^%xSpRuewJ=H#ke{`5o=goosAu%799R>QKT``|QB6QakYtQ$c906D=oKIQl6a3`p2L9Lfx+~SG>?h~!Cdm}AVq0`56Jp-&l^(O@{L%*z` z+vUVb-c|tyTx0LzpMbwsT?v$8^WV^OkK})7n{RRJO9@KH-Ty(}OlGmN^pUCSketWi z?pVlexqdE5qcw^>Y#X)|dN0!^=D!fD#Z;$d6-FnFI20>pgyUXtg_Vv2L_jL}u|}`( zy3*Icoq#MzYiv7oB?*ihNa*v1}wUwVD(zI7505e zSspD%4&TP8r`|Nk95}l`wC_)FAdu`ZOZ~@l{li2!adH(jM@zim3=FH$NRqOh@rwt! z-4BsvM^Cf6+6yfeqc_K^2DCAIqT}+1U@k~uGp&=7tyzIb`TE0YNS;c$1!oA3Wh6D! zrdHko=h>!1gGGQm5ChKTt;gDcW^4&UX6!Y@16=RRHIuRppVk5IGL9&5%#yu&?Z;&lxIhz^hBnAT0$=+^prvF6iz2E2i15%)s{89W`_ zAPe`P_4%9)+-Im(H-~^#^S&;TMwEg{j0MhB3OaA-a1kfOWiA|h!RFmVny_!s!x=?I zM=N#(-u;8kQ;0-iZ)wb?_c|>3068!u4@*N1OadNDdfb=NL$p^qpw>36-TuOB9a(|t z0fN`-UYoQ)GALf7!8n9rwzC7S(OgIH7!(pk+OjZPM1<#=w%B&AE*|<)FDS62?`Jn0 zg2Qhk=h2Hsc&cm|D9q)57sdJ4_pxLh$p1>AdY%9`o>dC~gaACvcmej54*joCK1&vF zdcgb!w@qmNIk4!Iegc8jW@bDd3e3t!cRsu8;8`0KUcYyjvAS4#^beLcON1*bBrAuK z1Rq}t{PE+~0@yB|t*Z6Iv;l!VRKV1#Csk3vX-dv?5W6yv9T&rA{DG?vy1CHx)yYXN zf8e%Q!bDsto*%@KbZAt}&$uZGXfuc+txNh`<+1Z_>7N-ZpWPX zO;q6TXQtdH>UDjLE_9xJMgnJhvsfB*9FOu^&cMw!5UPI;0s-J_Ba(awUR}^HQ1s2j|Hx8r;JAANyT4cPC(Gbp^^0W7wI*TTUPmlYp?K3ZpDU? zavIi5B-FNTh-!_rdJR2b;>x-j+e5?f`l{pC()Wpy<)KXCmq4<;$Xirb?Y3}zhF^$^ zme!ic1Y~U;^Vb0qNoE^r<@I?8Nq#<3er#>;AL!{0HYJZ?yaA##Y zJ4>%HbqA>U0$}L`^W4yUvH9|(H$Z!_fb%yM=SWY)xkPK&15&Sr91eSKROzB5Y23id z&E3lNXMoZ#?6#Pw;oD(3me=(FPb{_Wfy6Bew!{Y-2Kf*|Yvi+Bii1P^(MQmbNy1GT zRx}6jifH`UY~&iD=;Q&1#f*`!CtaYvjsxLTD-=tXzy&x$OUwD~+qccLZE^hkP;u0T zOpFM})B`n}q-ouD#J3*Sh})dutVf!}DIdg~QKU)FSwK z=|C_XWcbXXd4p$x7@o3myy6M56Y=*zyQ|<}+9omg}2>ANMs(p7mV9oC z3;qc-hU&MX&;vLW`kybI)%xRC$cI-L+4|sO^#|MJuLsV89zl{F8P`+(_!UgiE3B5z zb`%xJflMJo;lUBCCiE)OT`!}fOlCt-#vIK!A{+q8VO>DoxH)^`nFs()Wd`&X)GABuXUF;>zWcy z{N}xr>!fZ;6x4iHti)19fWQ?1wbl-~fW1MR!zeB9jJDa-^TrU84gMSH@Z4<7!_ zvfSkbRKqhJi=Fzc=owEBs{iqAIs-r)Y!{$Qy&t)L4R`moBU)(UTy<(m8j3AO_&H?@ zK91ia_8|@L&V|ku$MLOXF2?=dU^xcjf;;CKSb7P5^D_VQ(fZr_7$v~^q@8P?_}ka^ z^{H4Q2w}pNj&ss@e?RuOowNQO$xLm<_y{9hl@PTlCj(MtZt3tN;KijZtL>OZL(WHG1%i*TiRi z{}%_EF~FimGlrW<5fLl^-Ki7@9hdY_gHT0V$v7Sz)wU<6pIP}~BqaVhNLV)lRcF+T z=^=BQI>c%S>sJcC6XPdn?pxulN~P3tmqG?fO=9V z)H?k8&>D+N;QF&&#-DUHKvAIQDgcS*0yF}9Az;AvObYBWv9E`kkTVR*LD7YRL>(ym zD_umRV&3anHIu-UG}nBxd4m?p6O>2;B;r;W2mB%j>k4)WEboEdF#SC=xmlFx_nvUD0J$TBHTByizQpUf=F%5zQ zAqmmZ=UhepskGWd%o1$ST0Q}%*A`eMcv5am40@Nq{o|!h_7kL0O^R+fAEx{G`B6ko z1^fO+8v|hNAVZd{K!*1T;(eyF(DwLzudHKv+XRWK2>6WzO?o>*!k;iGpccbt3Hftt z&&Bqrw8N-!LsuAVB$E8GUL(N938g#Rcr3H-dsi4Vlt^I94ntQ@-Jfd`tu<&XeeGxt z_oG%F;{)SA5FII`b;NtYU77`bpCG)}Nv3w*+{u$=QvQxo+Y< zs`x3GCGIY93i1dSEI~NY;l!L34cJyolL=P7Cq&5lV_(k;Vxd7TNET%9ol|2_%jk*+ zEPgc5u2Uj^8IaI6pm8kb_s*gGqFHbfiUE%Nhvsj(*vjV{+me0OPj!3G-e4qe{LU^N zPDr2_CGmVl3EVY;KHh)0ZUD$T0!b%O z`!qi}qkI|6rWJ#Z`Yix$l;o${X6ZEAFn)7CFA5A0ZjA)gL7T%&{gztcF@Ef0;g26& z?+)Ty`ZJpPbOnbuLYNODMi2am3|8NRhWPz(^V5Qb@ow!K>NXmM9D59ypG|a27$63C zu2XvVJ@t+MC2prl3J)vuvF`4ewUc5N$Zeo(JVEdDfb%sk|EDz^mJT?(@$ z@q%V1;(E=pj774y+E(qL#jP&CvE>{&f-aBeq`4{i0n0^z3#qF7D-=DfYCEk$gu(O!=LF zJLJL{0NpAbzbdEMUA98H>+?l2{Pv`CGc&B`+kob9H{90jyzOSVM`3{D(1cy-fT5N> zlW8(zBnR^&%wJav&eyN3?BVo&_s<9j(*E1|@&BG`|Me)M=b*GxXE}*Va$6oV0;*w0 za?kuM$`uyt&IFR7w|PV56N`o)#vR8g%8K)ZoWSg9IGY0Bjw)~Lsf}ITOFyV{K0dWl z-Gu>L&CPR+5{#^V*zOAC(TRsCti{S(aghD*~V#QIO zVOMz{(V~K`9^`^OnEP^c#ShIMz4_FTBvdv@vJP}9DB!Fyt7chx^m zd27gLnAf(lHc)n0P`TY*C)iA7af5t)Fdbv2j@!1eyj`{341)mNFI*uMIK~Zfx+L+E zo(>9ly%@P<+N%+!3d??BAO+zBZ}mI;jO&J&I)FN6mPU$`ZsxGyq>WX+iqQTTiG-fo zUsl@n#X)q6nIPZvaVZ

8COOinn&)%GkzJ&pnUz%ICZa3Q=QSw0z;qK|7qN22@0~9+k{U zj+>HZ^#K8&2MxPt^Zj?TV@?}hMJzPX<{nv8pHz}ebgBfPx;0t0PWzb33+t{VCBa4Y zp*kAW4t!e_&W3<<<66+H z(Mx*d=s9j}miJ9Bq?;}-PhpF+7&}RJ21k3Azj3m$g_M2@(93qiSMxmvNWUJhIKJCU zjE#?H?}JJ-(5I0;%h5;-DSE;>pn!%!Ks-PGg55*NMqRJ1(e}B z>z>CJ1eNnMHVD05LS5n~YXbRQMKImMY}w?#y|&}fzXOtds)NQbd3N8Bd?oqp7mlP|Ua}g&M9}Y*q zhO7?8o@q>!OdlYAoD%WRVq_38khZ@N+w=@l_6qU|2j+`A3}WSSXv7c|L%^bia@uPP zOvFB5z7+FC&G;%U6feM;SGKnaXN=1FZ8yTXg~?FFfCPIOCj=I7NEIh;uctfODq zLh)OAp>H74z2|q;E+q})H7zW&7kF|wWL=y_URUV%aofO9%9euClVSiFD4a4=H&ZL* z(BGDY^JZ;q=xM=uAz)!aYc|*DOprjn!Nn%uO6f8XX+X-d%Q|gd@+ptgn%Z zQ-khi=`L`2@01OZ+6h=aq>+Q26-U~l8VZ>VJt~ecY_7^M_tow@bGI)(Ii-TYsh)|a zMqfq-jfbJmF_+C8f#NFqx_X=E>h+6j>Kn@4z>vzkT;E;~GQ3puzyCZ+MsU5N(^-$V`Q~Rk^$P)y+97lQ_$?d`5KL z`A6qn-~6;6T85;NTV(^zVxwQyWJ*=Ky8QTRcR>G<_+h2D)DJ3s=i00FVRPSd2HZkD zZp>`tIIS+#dahSqBT%kg->)-g~i0<~g?0P+msKkQoCKj4|U6KcNbiOvx=h^3dAw zbpIZW@6m1MCC}xhdQt{~&7R2;n)NCBPm>y5d$Bu2*Y*L-3K+>vrfZx#5Xi(fmGqVQ z#;3H$?7}z{gN!f2S|1EP8}%DETHgZ3&$abjsw;2Qw~_2W%+D>#vfx2mCk`Q*Q^7>X zvi;}E<)k00BV1u*?u}K10SZrZ296%2C1)aeG8Ww>eEie`{tBR@41U>O1qX=8k2z_o zg8iX?!OF7B#sEn}=Y!(GSI3et6|0`(%?2v<#kohnytT5ftJ(#P6w%Gqyp}c`iftcK znvUlU3L1=d!sJ^Ej9%nMAwss4am9|~gDfPTE}EA-i8S?j!fa5Zu#u ztPEtdXw#SQoE;wkUprIdE=jo^H2~;aF|& zP;45OUwwb3>G>0e3M!sb`;p#Z&aufLEkEsjfS~%9Sq7ilE1<5tSFQdj^^Nsdz@%CI zpVQlYdaajzkgmE8gkqPf+-%c25(_69PY*H{gna@ymf@$e;MMLRBXHfm_N=+dY9~z? zWZqF=Vpm|kCR_oESHEYQThOe%BaJ%KCSF(S`q1K1=I4k1_TZI)Gnh2 z^m2$);b^YjL0-{`ZIc!4-$G=Bhq(jzp}tu_NAkOKH4a!0IV3AeyKwG@`g*+Aql$a? z)P{L|UBYeNtY1GmF6_1BWz>f=i zEtpn!!ES)eI#TL;3#(Gn!QTftEc^pQlkYv-RTn>x?@}UH=`tI-W?JF&d2N zI{oZJkCido8GaF@%uFM*%b0dZ-ygK*pdB$L{- zwoVDyCu3Ww#jNDYeP(>ty=DUW>07q|B@5%R(}CsCfu^RNIZ_b4E*~^G*5zsE&iE2& zCxvyAY4Ya>NhOq=v&`7GhK0|Z9WM6%P-3f8=gs695!Dm0pIdM-usffv^GRlh3Y31{ zq_@<=`&AkdWdo)cS}@iptOQTlOVW4YDiSPRh8zU{5qLOuMpwc>Th5>eLtDY`krr;B zGHb_WdDGwAKlDh$MMp64R+VM@QOu~c$6OnU0Xla)shl+fa$)Q}Ts{J4h@P8(FB{bq z6ybJEh?7X|XI}e4Yv{`2`1B++@OPh;GugvRarK0C zZ$15_;CpEkYsqns$yEmBjIQbqwW{xL!5=0j{(Q^2`J(V3&5Z<=paKB8rbIOr?jmZXE8sJ)(qg#@}j? z|BlzkpG={82+mO)2;U8t1;S*{;}-ysTtv_@Sl4XcH~<53;Sb)H;Ob7NwUkuC(9NRU z0Ce*^{rLQw>Mj%$C)e!UG6Erep%rMIefDQoND5ZUe-KGVXnb|o{IPjsaYJdHtR@ep zHrMc&PF9AmsCw0SnxO?PvaQDx9pM4eey@sK8@zJ69)I ziO015{%5BfcE`(l@Gqy8?22y8+02}skFE~~9m%ttImtPQX|$#sR@)b4wxygVb!)vR zJz+!idnR8u?ss=v8fBI#MFdPlZ!h)B!LS{~!m<%^?ZO3ecn5>n$#1)Icv40ecUCSt z%vmnk<=3@>X=Nit%hy0du77?OE-b|S6(6fC- z!OS2dymL%_as~_Xx;E%{Pa&H37`^pa-qYnj*{>jjx{UV0Jk2desP+#g`_nx>rFPY}Cy*ZN}^!HaRW=>_}sUi6dHZ z!^0(*I5|8bWYz?H%etv4!mTf)kw#owUzk<`2tEB&RUh^&BP49+oduu84y~)y=El*l zq~U80^!hI)xti?qOKx}CLPM*@{=l8J9WBfK_Su0sL8HiTsjxX6_?xLzm-wrf1k5`i+f=SzMhTC1I*I97 zLc)^6r+CjgmC5YLA^flZPBr54AmRN_sOc7y3l{8Wl1}ABZ-Eb`hjp~uxJG;VXy%68M(#KR%O^Dy zR}WQ-Dsbx(-!+v<+Pux$5u7%uybk*`_~^EQl;^nCXFe{I*A>;ue#97 zzkaX+U})qWHOyN^M-$!wNG5Y-$4CzJ;)tWkf{j^(A?L64QaejKy5mT}Jkg8Q{mV86p&+wHLm93GM=-8Pw*?dEO(Xd0Tno!6v$cJq2W&Yb>yGy9}t8!osudGHw>cN2R$T0kl?!OXIs}n;u#|xW8;SS z_4lnGFQrF+2-!`G|aIepas6{IH=gb3lXc0T#6eki8V4=F9 zPaAyD1`Cdqek?^2Gz<;H{DJ}`BqUAOg!O`AN(sjNCD-kNwiUsysj4gI%t7w3mI1)- zw#f3T@>Mx5&|MTh#@-BPTOKKHw)sq>a9yZC08VXT?B~Tv3~&U7--GRsjnFFiIPOcK zB7PC(vkC4s;)eLR95vOPJl=;9i7flaop#k2t`mOS>xH^5-LZ5Dw(p+`cjowy*4zoI zwcG`c2zEQ+b)iM;k?Hm0zF*~`oEj;yjn;LR(}$HACXg7x;4n+%N9DZ`dpgX@^ zbbR68EGs&OW52y5E(u|m_eAwhVoAB1AovDc78rl4k)K>|03z(?XsUaPsgGk2IVS8>2&c&IalK`H0B;n zt@{Yul47rWRXIF=;YNNN15M6APq&z9wU7>k29Ysn@BqIjOLz~{96?LQ9Uk7TUFNtLQ|4+%|wL=oCRU_)PAX`Q6|7kI7zijMzJgI~E$ zB#56gcI_0qPxiK{iBN5dS==Q(^P$FpWso&l8y7Uf#BwB%80pC2AG7yME{P$lNjA_C z4-t)9gBnU{9HtzJgd;~oKTHh?wSrD^RDiIQQo)^i~mf^VJ{#mFUvp-4wY6i zJ;6%rZk2$%2APXf-RV7Ob0ZOsWI|zlP0s(#wqbZMFo$Kplgl&o`Mltl<9k2u+kDl? zO5du>b8vyLKEx8L^suIM@orh5k(XF1%Y7h#w;VxT5aZ6op7Zw6kw%4k9!1aUMxT-|^D9;-7v_!dlfcSx^ z=ZuXs&Hr@a|LaI2LJ%MLob*HS#R~P5^N@59nJngs#P;t=H?Kn?%R-+DuTKDU+G+g($G3N+LcM^g1%VV+-Efy#U4$>hZ5F6 zvPA(;9dbt;o`K5L7}#x}?T>jFZdJmy3iFU~Hq9^8Fxdk*cm_`1@}LXrH$S~pXPDA@ zeam^z!CMnFS#K#~^g-@3U)m40liZjDaK(`Hx#aLSUM8k?!!zOmqc?xkyLa@gS(h>% zBAZ~8O3<^`gX!IR5KPk7WY))Wx!U7q8f{Hd`IyTil)`bG%?V1+o)l`org=xPr@hFQ z6A+HaXVX!7#j{+Gj_qZSGdfvyQWdz* zq1WtKLUf-BSU!Yjd#A?6gjsYsZGkWJejZX>oRbDZ6xClxm|RrmxdcSi66x+axbd$z^+=qs(2 zR4QGq>nix9IsM3LH7K`KO+Huk-pT8rwB><<3I$!Ecmj_&fuSBSU_l4CXw+ic z2{g&C=1F~B`&`-}N@D_KC+;N&IWISzh0PKLU(6K(9+Buak#Ui>YcpQ^)_{&~D-f`b zQDz-k&?}mD<>+;N{MlpMQ%QH&DUUAt>9=5?@QfGvk8Bxl5ZostY3!-{wnD?#7^bOv zp?83vkIjof6O?vxJXf-uPK;X)%QRe-CEd(vF9>vI`Tc`5UT(dE_`Ov@0tIdlUpGuM z_874>O|PP7-FwqC?hcjrN?xw@{Rz}<46)lpTs2Tt?wXM@1)jxJa68?(x zdJpqBx+|QgwbYj-q~n00Fgz#eIPtn*xik>NH2yP0qP1QL3fLlO2@0r+1}=`TOH_7o z!*`sxV3e+W_~%d^))IVe7C$Gk`2x$N9h~59JeJoTaC)IU@!h!ax*`|?f!EY$>xb{` z!tQcXmT`()V8MMi$-4~Io0&LgtB#z@x{{$vg9!2m>CUiB-F7>!i6L=U%k^AM!_n@X znV3xUEIVyfQD9Th2|NKx?K2S*;0J}tLB`1_v&mXFzKogYD`$VD^@jk#sd~6d)w>7# z2LkR8+!Me5yz2?FI)_F|Avw^b)o)Vq`l7>hrw?9i0?pf}u z4_}L)2F7zW2^%|mD;y|GEJ1+pJ<3~2aa^o}tZlX^m9FPf8gP_sfh&{)Vqfj{JV=2< zD;lWr4{Ooq-&tR1wnHRE z3(UEeG1~s7-jL^eVRx{+OVS^2L6Fp2-42Jmsdp|EyWBk&k0tLnquI6T*13^vXe(XY zF~9ou0hPzpUsy-vcz|&%BV>2J#PHK-279r(5V5fq@5I_f1eTkvI@*J^y`F@)0d;!jDALiQt9nFQ-6p zjFf9#RgX?1XI{beupxlSVv&z00=3vxV~8boVC1g?l6ed0gRml~;X*h!R*G=~7qJGR zHu2VdA-{l3cu$>;6eHJ&^XvZHAvtAKaYk=IF%E$0AE_8+bs~m>uW%|4Cj(Kg z1zg}y!oyiSX_CmR%Lmi{#~sf^HLE}xg6}>*GXUW5i_co(Wy{EC09N{f2Nv9s)XHlY z=m6$*A_LXo!@S{?Kyqk6V_|v=x#^F>tiWI@A@Xrk2Mly@gEOW%DozC4`~3yhs{k#! z(6w|bxB)D4#HbHTO;+xO!Q_d;!oo#d9!`rlgiAjQ$ zpVd}4U**gZm99kt;A}2wwETpL!_mVPdsqxIR!QYOpy=ZbPKW8|?vWk=n;xR2SnkV8 zz$-nr{Km@nx65z~{lLGdc`ZkJ1f71Z^Mi-QK+gRdo>>9U6(bDQQVPRxH-zA!bPjM1 zB}x`N`0)%8=Cl zdg+r##6YVF1j6&byl_BTw_I)rGd*o!kJ4!$7y1X$cmfw@6;FWFH^TWc`}q7TBDi%U zm~?ST^f7*KLQr9Y_L-*<6uRhWr8Ch12j+^y@rPlkp8QoQdqZ5f6+Y#`78)8Y15Nyq>9;F7Bf4kfQYAhTa z9B;zk1^(Or`0xKSh&zljlC5Du_!tA6cRZmH3p~_-!|mY%}YS)epZS^_VDL2RXq1) zx}euIlXdKKo${92^-1j_+?7o264@mOhbKNhJxos>)rZGWTGx4Pm#>17Q`6ma!K>E9 zkMkemhh?8j&4$oS3LO{hGUfMb`|mI3zaK*^yH7z%FqQOoFrJT$F^b>cHukvknymkEMUK68Z%deD5$Pfb&GvhK!vi6+t%3NO_ z)dep}v;KSSuc0P^>?;fZ;uGhCTafZo;-x=iwE(2x^vfM>qP*wjWzL21>T+rNN!=&f zlVDF11*Kp+sE#babsp!K1Vy5e;ome5FDdA{&9mOY2=o;1)toaLxiIGH&D1=ujVJsR z`p~-D;BGN`4Lz5Jdy=p1|elM35pRHL_pXW zaG*O=)&AiWWmTD9IuFbmBJV zrjI~%UA_4V)F}@ z$Pb%f4Pz7yx3OV3I0)Rn9_#!33v17TV+^ysa%?UGoFS+5i{9R@m1KPR7>gY(v1NrI z4yUV%CF3h zkAdr>S1;IG*){Gtc^WFgd{o>arkJ%(_cF8;kFeupu~5Mu*(^V5@4sx=oLl!29$rEr zyZ_WVDEMdhE&gOYQ*e-{yKb4Ge@?^u_?JoPBY&?R{=JU*ueeou7}Q0!)5`qB7W9E2 zfMcZUa__aOC;>IQ`El}x#BmVb$7l=D<8y32bF~aHDbdCoYv30%N|lwk(NN}Iw2XI1 zic-kw+*V%-(eAv(9v~7Ow?&Zkd=s!6CA zaCQV=WQci=L%IEPKJ76Qw8Vfz_1)3;c|$6@U~@v^js22J<>W{8+&!wA-`1<*0FiO7 zJZI;Z^i?wzU7UE4n@@LpSfU{~LuAJAojW`3oO^%ywB6Lb3CWcJy2-O~pp%w}1cZOG zlv5DXmN+S)KRS{R%#7UW0nLJR-lqx|d#8dS_~%`pVwZf7#(LUTsD>Vx9*9XZXN`3KhE0v43r%U&5Am( z7nB;cu(Stb^$3bb^TLz(~#5NPKA^%)7-QxlHI2I1uVO~)rC9}zl zw$jZtULK#$!{E;`17k^rR}OgJ06;sr0brQQ-^BR_-2g1dyizeEfQ zy3dhCT7~hk+dr=PxHv+NVi3hH*asdYChZn|ylCM`eryC>_;!^X{aC$jL=$q&(?N{o z&81hb5jgHl!{7Hgm3%maxdv6|(^}eo;M+k*VDnm%3Qp!9`+eWneGLO@ z()ET*vq$P5QEZ*+qgxjwj7^!BX&tJ(rC}|x)cKtgtKclHqn~sJLq)lw(u<_&NJ;Bg zW{IB6(3Dt&KIDrnuuky`MlW?O`B`A=%x(lH|Q9%fH2ZJvTbT;Nr#2 zQZ-ee71Z{~JT3W6hZ-6(tFsH|-*HP*J@qe!A+(<`g*l~O8BD=uqrru6zFzsa{J`g* z@&mcwH%8B1G=14QhKzzAmMPQdvZ|j)t}*A& zD>7Eqew_J7;D6B{JfGJeJXQHvEa@%?Q*)KHOR|*3Ch8X%%|H;C^K!_)guNVF|GNOz z_C)$A3+fN+r;mjc`lK^xpUMkt>3WO_;{KfjCmn}7RAO6}Pez?cG+pDcQ}$8cQ3k#-QpWtouXi=uuH_LoRhL zthv4t{ZGGCPrXXz9ZakKcTqb78r~Yq&bvO&`)sNo?K0 zJ8IJ`keyU<@PF?;?$qQ2{OtwscQbO6Z)HS^=Z$D!k+y(9DkMhD55nk(=VI0c%07ZqF?zlK3#W9qqchNO@Fg2&u==Z?oMrQyk#ttME4VlDF+ABKcXcqrOtln zDkwP&9>He0LZ!&@P)=j4`^y!nnl9F*-Y1lf;Ejqju~GL1u^<*M6J_Sw^-cGd!Sa#u zxWuQKA^D}U9@Wn^cY~`Z?BeGrY#%i=zde44NP3B7h=v>Eq*2f86b zX7{0o*JYqGXBLE1Bmt8Um9-h2=Yc6HYhb>Y)BN;vU$v-J%S9A4+a6E3m{V(9v z|J;6_yovTx_szRZa{HCiGG@(rspxAxpRFoatb~wJue`{&IC`uIW zH<=`2LrfD9t^6#@^_yqOhTs@)jT(}!Tz3Ew0678aP}~PiurLG&e}vI@Aw7?^&Td5b zmOo8P^5*)P$i3dANcd->LpU^g#aag{lq^))r%W|TKXXE~%hV@^nNN+~JM}F@w zSJ2ix`YBn4W*B%w?7kCi;F}b`&4|{z&$6-(sel4Y#6321w)3*R_`!10M3iU2Hqi3h z2pmb@6}j4bWc%R<`{<0FrgVDAprv&Dv@n3eUw8ew@A+|dWezy>)}}Ch7B$P7W@uMn zKj8FGgT5w1LMEh^SAV>RIy*YKb>;S~mJ!aU{Sa`RIoeCrWp(MaXyu!F&%BCUO3?tH zxv;93aHCRprUM7P6j954(){vO3UG=k-Not=rgYxaqRQqNsg#yxJl155uA1H*+??7B z#zE}0A{~!OOw)m;>G>7~7(R=CI~3;)-$-sgjCEg*bgN_fh59($I!d!x$_2VfMiBWu z&T%e{BNgIPU#)2L%wh?T<+%kfOLp{NcJ|%~VUtS^nz|=#l4D{6fy8aF<1#hT^Z4yB z*sO1NdHMLe4HNAgmgg@NK&4atNS(c^C6R`L-Q8r@H z=3R}Y{l%k6NX0C<8dBvSJ>@X>BFJO9UxJVb;v+P6H)YvA?xZ>jt%Gzj=r&Uf6|xj# zD2w!yI-}Tzs9;Fl41)Kd)4(O*EA0D;x%B7{haD>%)L%9?&A}ad|2Cbc@!Aw2$t&+C zs!<)pI4$}lk8)1{O*bzRO}+UKP~Q zq%TW`e|$85F3^+<5G@SS=Vt(icQ)5_`td;+CZe7MTj!6YD33s zdPeWKnfFZv%c3qsZau;`cO^L(tEVhgt(}QQ2c@N4iUU~lH4q(pVrs0v_kC|MP`>ZD znI+1w#WX>OJ6^U{FTAc({QQ z8xw{4XXjuW{(0SkRrtJaVcmeOS7*u*p~-anFb0MvlfZKJ>xxQQfAh5$p7ns)ebSBO zZ@U0(n48?|=%qWbV44xPHD#Lr*T6g=Zr+8IQ&(Ei8ZWyLW4Q@tDo+W9N)p}AA@jcP zYsO9^*CeZgHW{<_m0<<~EWUO7?Ou8C^6P(W1yq*%fQT0!LcGv_ua&c;qbD(i@#uGf zJvcorzdcMDq8HDd8kCFF*v9X?-1qr2RiJ$VQF%H#LTo`l=`xpc0Pg&exIBH83OK$M z@PuJ)f~DeoLYo-_t21bL-WUn3k@$yBk~^fqg-!x@=Rgbvf5>3)L}W7kuI;C z?$Kzll6C{qxpg^N{sn+Dul^$sUd>M1FB7Ed@tM9iLN7nk5Z;**u38-~JJ}KP3<>qe zVa?b@zYnyi#L>AOoe`o-&H-U7=SiOj=@)`T`mKi%kl*ct3I|py@1ca~DV@(o4guXY zz7-ga1-n}1px^HOSW8Uc0S7pz+ZXINHFsax?|tG*nUk;Cly}3{v#C62qmQOtclG8?Tw6kfjJx*iG+@5T z52NrljTwjN9Qei!@C?(f^z-+pt8Z}sIMTf7GJlNa5ywYXOOqN46gq{pjB{Yz@StMt zbkY#e!IzYkkrXS+SvX(Zz$K?|_yU(5w$W^!eT2sJ%u1x(!#C$pruT{a*K0BLW}&`* zC+S>xRH!YIy*;x3xS4$6GuBZt79ok%?o3yHHP+;3>T=TYXKv3bF0@u$-Zf{4%dxa- zZkj~d=Wi&!!L^fQ-=aU5Dyv&SCI0hAxK~r{t&k7&HK+!CKv|n&Jnn~;%%?aN=Bf(( z_NPm(U;|KkiF)}y{x{hn8n@gh+OB?wqGbH;(G-iO5FPtVNgBNB32WHdvz9j#!s)QR z9%lBv_nf}bmEI9cd|n3~Mj+GyCXE8RU3X(%t6XK`Vyxc|?vRHC_Ru`g(+>$e=ANV` zjzloaq;=sLmj$UjBBq~Nt6R=t@0j{>i)(APp0@iWo6r((cjndP4yil*(`PZ7Ju&dUiN62qh_Sx<_7BgZE>X6rU3AEx6BW|oFOmsy9i=pl z%F8pa6?7HR_dvAX=k?)wSDy3yA-8kWj_yB%%Hu*N`$r%Kth-w?o;ThsKu*E3#s~~o z?EAah3@TfN8BSKJd?!JvX7cZ0E%XqFYwk5sk@bDR) zBl2@Qe=u@wRlQOL-P2Z&KozQw7`4dJwW`cuyee|8!O_bu7oqFtjqT712Y|=Jp8{_Y~G;hc2t>WgmDQaWo$x8;Vu#o^@g9HlIr* zS&p-}1eQ$%XpA^=eQn}<`HNNL&NYK>cMljCrRF@Wkaa{xYIIJ?&cT!Qg(<>e^nlwo zm3uMt$I7vb0?Pc@r47(8AXgWz#Ho;{q?|pMt)_e6TvPT-q*pU(0oF0zzUTKu?9D?7 z0Ww||fW=NlHMk$jUb^{}G}LS`zUC27-oI2kl54v8&~n8mP@qxQk<+NVI^B zyLUVhLY&_zyYz;RH;!0VMJBO?WBktnIK8RkPY@<(8`vl8SC@~7pBmq%)`XMkcyWH! z9TK`MGy=Da_0B0Dz{1V_W45f3S(kYE6TY9JjH$xjLrwT>nDv^n_5`c z#8?1P+Hhf=z+p3}DHOiODVe|@83_*clA{N>+->BcdReOhYeU~PqeDx$O=0= z9`M{`Otk~H(0t}3bgBX z8ibPgjJwO4F4jMLsF`B2@s|$9H*_y}RCuo+@-cv?G;69kSX;kb*EYfx=w5%5 z_fbQ)pO?+N_Qe2VjF;D5r9JRFDM4j#HE088M44F3M3E66>&|P^Xk69GJO0Koiq-?@ z>D4|50GqRy4#2f*GHCkY7n*?r*MUwY)xchG(8px7<2wg|Hg{#*Fxd0ILmhv^8>n(e zu|?($<9(;V9Z1`CH>1gNBN3Y!TgJ%Ib$ng?5K>LjC|BJA-4c{b#?K$N)%s5i z_>U3JWo8BJSp%{&GbNpI)F|d#>p8-m>>*C({TCscYhT~Jv0dD??ee+~G{^T8kJv`p zMFz!LCOPoE1mu=yXyvbAWQp;#(u=jz+Aha!a+t`#Sl`}|9lPCfqBW4l)8snW9ziT5 zUS3aw&v6RhRs$d*LhX^++xF_w+jPO}+AQb~nf|66-Ft4sDzTY3Mpm1>1UH$QP5HZ+ zkRDTf5!21xH(R8-*e_-lMTCVLdK`x?%qW!leI|og=7o}=jrVf81}`8y@}B+8!^c2% zC1x}!0#my^05G^YH_?tC57~ThE!h$VxQ|-CCN9H+2TT>+2fCgJlW>Wy=R3u!;b$C& zv3nSv7Vp8gyX2tIi@ag&SaqoM0^C$hMw}m3oG@kEW#ok&a>MbCuQjgFj~3p3 zMhE~IO8%{~{*Qm9TT^noa7^^T5^p>180L_EwFq3Q>0clO`rEAE^ zULcV^?LeP;e;T)A{Zv{PCo8WpiHqb(rydO{TRmOr4Tb5;PihTZqXXmZl-fjvFfS;i3j{Im{h*x zqfQ2km};~;#uhAPSd$GR<$hi9O72ZE+6coy4{Tz3WcGya1=LM5vWbDFQerOgH3&dS{@r8%O;OKeXDf^ykJPmZ z?{$Azq-UU_`yvaiT;7x2?~zcu17&gK3rOwSFhECw!u^cp_tGnbXTNI%3d_6EtCLtV3VPtigQE}vu ztVvSWFeC$iG}KY-o7(-Uvk9SKgttD-pBc0A26>@ zE0`Vo`V8(^T;3Y1)A{Lh_#4ePr3kl_bF#zDF^%tIkMBj9?#al`7w<<;w6vxa3AXX} zzsK{~fwUNjJ72wpl}`DZCTI6-6R0bm<(rnb{07uM`vs`f50u1A%Q*y&Z9evRg!KXQ zl+Wgf#`&lRJE z*oH!Nf(>dtXL}86-VNB|*l|}_?+`JYMBz$=K2f7HHS+m5Mn69<*N-pq@YXS@j-h5q zg_hOGs^ybj3Wdu3V490*E{agem|9*7#;5sauT-|HW^v4WqC#AvK8`XpW%tO(hhp@f#DTMqzmcEM~7JgmFEj!>) z$ImCFyI=XkZ3uUPV%czpJ-n_OQwzh5IH?{B68fHfU{dzV{r~ zEE;yYPkXVN)_xDXPe^JWA0nhRW} z`f+kCOVxR5Tl{pb0&LZ`rX?lLcB!tXQ<++Um<#2-4)-mnXw8Q1i_Ah8QNDfQ*KwaO z8sJsdtX));TX)7V+x1J#xJK#ozweDZ5Jj6}`OxtZ=ou(6W8`@ztdzQtFngX%ja2sC zPN~+BMiJ23ltBC`n0==ZjXe9)1ntMhRT(j~8fNlyL;!p^fkGWeN>SE~J(L(w~>=jQG z2@I&*HV8!mTR7M+e)%8wRCYLx-)=M>lfH-!GVq(#nDszR$WzEbx00l+uCMj>!P#HS zE)EVv>)&f^8Sq*;8whfYCg?EhhdxWwByovfxScsZ-k|ce3#V=Fnl0VDb2$1`VP-Vj zJjV4wX=zk254FsJnD*Y;7>d(i6=n>KVrp^`XK=WnuX!4x3594ww!Y^$*h$!h^^9-x zjpFjspr3lO2RsXig5W{PeE~|So*OqeJW}E12n)~lfYkiBV8v|r%j_}DzikFBtgmd48U2?kEup|bjxHn zEq9^N(y^dvz(B^J`&Vu6Z58bw19#mUt%^-D)cY;Rf9=!Ftm<4rw}8fd{ztr(SNmmg zMDrvljv(L&rixhc#EzbW78zsrU&jVpxMr#BGznMCGB7FyQ{-6Hg=oSSfteNX0M^hmb?U3xA3c+pNflhBJ%j>^tEa;ANq zULN6Fj}$wN#id95maXor8EDE$>Kp_|`8&A%I?*gfE#Wx zs?$f><06^oS*Wx0B!_SPNp#PFyZ@dEl{a{!)p(znlD`eKi9=D0Ryqr&Y3?O{*|gkG z0M&WFq5qtydkE&`H|v^w26VxwW0kmgvQk{-xHCMPi6(vbP~lQ7D7?I`%Gq@VeTJXR3w>vLhMPZdtqXs*Q!R%&Wq^HMoQLsG-#2!%Uhkcg|*s9os_RXA_B& zxVUr2Qj$m=e831J>Vs&jYA{H6#l^)VAH7((H{;*G($5BW--8(%qX|r6Zj?}pt#N@p$U!sqN z4&8tL+z@2;MK^rsbvfQflt2o?@?6JBVpviIK31Gsgs@inh2y1YK~wb;$TeNu>&tV; z;M}D+7r&5a@ISt~cj#(A^#o>X&c*)bf4&+w>Ib9unJxb&zF7EM@?OJSa{ILDHvo=* z4&`14Npw3{5371@VV+Lto3Mj#BvSrtz2N=-{M8HjllO=q(N`3_3SgSQyxz2HCSYwN z07`H6hdW~LQyj?+MizKsNB)TkEbLF+gk3-4?#>EUH+k=?_=nJJV~?iKlWb^5yU4Fo zOP5>R{!m3dw3m5wq==EA`e~w~xAl|Gs;^H*cY3dXOMsg<+JYl+8FY)r{K-Eo6GbK4 z2saIDrrud_MU*QxtrO7sVD=RY<_d?Z!xNCZD;Z30l1LY&8Ud5U&S1}`BzH#`KQL;0ch{*)c4(=fX8Igc*To?o``6~o`!iY8->`0gUB~)G z=dZ2IBdIodwfAn4vpe6)`*zeGgc3QIiEfw#yNxi6;|x>#EL8!iCe{WdBcK$! zE#xH_0?9YsAaZJp zgpB?!F@Imh`5)#zipSXZk19@dt0!Ag@Iws6P;=AdD>3+Xx|aH z*v2-|ra__{(9~vME1l0xS8V5RZ zsmA;}5?gP@F9CEsp#T?a3iB^lK zqDsjMhKG)5&}rP3!`SH2$a<*i7-U*0ppWfzF0=AneoyAH)&1)}i+;A9=-#-nXc1G3 zeRt$h$^r!I1vuAVrVz$TR{VV9I~yIq?fZe9uM*8HsyE13wqiXuAeCQk&+~IEVsew$ zuiT!wvC^Y_803)?mJ>{()-CllS?_Pj1?h}C6^^<7bLR$EpXj0i+9$cmILH4)wQO5=PZr*s762Fg70Nwj~YEvvjwc`&Lm5qZWWcTt9 zfW4|1Tmr<4gb6{;@MZE6>&+C55Sl)?Xu^9adnt(@zY+8r8p_ocErVYu; zL!;SHA3X!AVc2Z0*it^|W=x8Wpn-rSs?A=c4hcw~YSw`CI24Moy5j|w`aczPDUQK> zAY~wWZsu_=Y{~O;Yp>8aKtWfVqN;nNvUIB4h`vDSC-qd_b$@@MCm{9j$gcK{vYW%IAapIsRlXp(tq+jD*;+nSi)4rHaWf?fPW`INhPp}$BfFUSftWow`> z8#m7Zx21sl1|F_599HeMI?EY3cW)t^@*WSEw590|?%Jj$87rXgM6G8gK`1Kb53jEo z(7L2C4q?|Z_s?G>`#xven-llksPBu2W|{9UADrYCFMC%pgr1gxjtH-nERn^qhHN;F z%J{I`*-XH=$%Nx|xf_l~B`ZZx*E(=YWhBZLkl=1CMkIR3MApF^Top#Sms+ChXJZkA z-XrE;QKjZ#%S_$lF6`8MQ9^sM(!)7vbz7e$M&Zcgz1iou6*Ci%WKMCn=RD=WlG`Ld z?82eT8HMOpcOd?B<*fd>!b9+9BnFY+R$Q!XiEaJ`qW(hL#6N$oaBYd1<-AkuzHG1j z`-I_5!hsBRft<8^S=L5_?w1mE@r8M<2I}YO(0W$)g9VVie1A>1Iv(+nUG$V=WlVr_ z!@&uVHf+V}yD&;T)%Rp}eo`TEz-60u;56clJ@_XDGC&v}K;PpH3-Z%! zic#m9K2rVwq_#3uL!j~2&DE_z=p%?>Eth+_B>*SGIvGN*U##RWujA4yCYh<{_z0&7K`TG z`uOUMasX;yw#guNNVBuNu86^55(_ULx+tpw1F=Fmoy-;k1q!(Sgn?6|g5?%Ty|h7K zi?3_u8uLy@waSc{t06e=PNCUfx|wo=qVA6&J&M=$`9?*T%Ab-GUrFwzaCY`Pv@?-< zj}Ha^I=|!~`Z8kcL?yxNzh&9tfC+AQx;Kwf+IAt1QhAUvquC|#<>^bZ8tw;Y&;<28 z9dre5o3G9C;;`=VO1e4k;98-Px+(u_*OpINbN#|q7tupfPySypubv$q{j zjAdG_HeF;lF|V%tyyy zo}_|myma6>vSf*&+<)N;PKU;mC~Ipr$JR?EY&{Rq+K+gKT>Ogi!m!W05njnp3I9%D zq6=5-8N`hRM$7b_-_FXYKV!67xKGuekFIhECF`d%Dcz!IonFf0`R;&Q;7`_hHxGoF z7%uVAh_4YgJr6dEi1`KRpAZCo7G@$u!e20KMUQTXMMK1pU0;9iQi)_y`r#O?` zL`(putR5QAoS3UKXhqMU6?lf6lLXwUmFcD0&M+8nuWXY(Qx;lUw^K-Ab1_8;?_DpN zwc1H~+JrYi_E~VXEptqUEK=vvthhVFVzb1(<5y-5v%b_Udc%!+8ccODyPIz-G}v&e z{L)hc(mXLrBJI9F3iEW7fbh{LM@#P*Z7^HGX4I;IHufe&oSD}`Hm7*gsYKinJ;yU8 z<vp!o~~a+#*wH^a8sSOMGbGkBEpMY>+D;NP&@snSdb zg!4^@_=c&To&C6tSODX6o{(OL)HtlFgE^#ZCKf^G`xAoj?qcx^Y`!mIg9q+CCHRNJ z*?XX9H1r^xT8pN6b3{i|U>22iN!?Yi~+lOfh-@C6m&5$L@8D zKsiav7?&zvyhe`e@jPI=F9yN7Hpl^g4{=3OdlWhqqFca7$kLR41gqS)vi{AOl+?W>m;eu1h^Ua3{&C;`!#I?B$tRrN1pOBum9#^j*~k(8cNL&+ zZn4b}+O{DA=1FU}n) zy(?i^=;C;pMv^2{>bjxMpF`jTi)1RQvJ|*3+K#Ag_1M3;fnZ+KF@rJSV2VNB8Av|9 z8L$>Prk-i`gL?uVfrBvUBCOSLoR|m6fCno6uc%27FNLvONkF^ORTr6{8n&(cY0DVE zku%`v+=~Vz&elH;257y;c&%LK5nz>pJpFf*O9+_yo=kCGftd2ja0A8Ra(TFWA}T&$ zwlr>s_vfjPaXU7Dg0`NAB82x7r*y|O)89B{R?Rv+oacv9gkst|_=Sy57PbPqoI zYwi9XkxOx~`191Is(S+XnXs+xzWW+ctQ#9(6+V+Hku-?1$v*k!%s^Hrr*nIt#4G6n z&bj+nIfD_+r%A)a$x+iC{NRSm1MEwj@9pH{Q$o|e8M$q@;7;h0p0@mpD?u)Rcjs(r z&B$qiESavZCbkh<6Bl@_@V2zLtB2AZTnwwk+k1JI_9nr89NFg~m)xpz9W+d3aE?@LKzpCCByA zN}k}RnBCBAZ^zG&UF9ljnD16I+s%^M(R_9HVs3tNBq>f8%Px2Y{_m?6Z!_Y--HYIFY*6hhWQJE%TTi3V(Ho3`G-zLzzSHc6s*VwV}Mt` zJoBL>dL0)nyNaL{d@{2zU)wjL7OG(V9x}thvGU)p>HqduEd!h(TFsFnJYMp?^K^-S zY#N_G*3Y*4`Lb#ZX;tGF*6p|qLQxok52xe+n)uziFH(MVrKJ1R3)1g77GS2>%Hpyr z;;|blcYtY#Tr}qQ@3r-qa%)qX0E5pqEXE%apB-Aip+EXV*LK3cab+51j^iLPIGmgs z2fb@5J&GNS2Z;u$aqIMJw=AaBr^cL`oO2>Ase<>mVpUXp%8q(f_1rp1IGy~wP+bk| zb>b(7jKhbND4Og0PGmd%d_XWzVK6kTuNOeLGz{YFKK5mcdIEX&;*R&rTwzD~kIT%x znHaPR02K}+=k2#|-)1zN5sWYywzy9pBupC301?xFf)&d9y^%gyf&fhtA2NQTh=(QT zZNj3876)Eba#!8F+*LVK9&56Pn4$7F5bKq%XGyl9AC)&~Q3ne=X7~AU{KGRP>riXc z-(CO-W?G0Yi-C%*1lX>Y#REGr};gy1aQDA*zVah@7RwC=r~P4c&>4Gf_{B^ z^cO)wK+H|dM+*=vWc+Q;^#Lb9{F`8W>ce4;8}O~#g^by;PaYRr@|&{vl!b0J&YBie zeMKqTLQJvsO~tk%b4To6$L|fiZ7X>O4ik4~5(-lNL|dQ~6xKJRHy9U8V8%pIB^Wfp z>RToFZi0}kc2R>6WvYI-<_B@ICLsc3P&6OTclW~aHF zL69#Zw|g?qk}Zx4#Ro1VX}qe;39@q}E`S+tA2$Lv&Mo>;_(8D?xlI;NAFeb!*Q7lYzMu*ZC! zymubICrw$grWo`I#`%$mJ=l1ROEopl#h{}qLl9O5S zZ+B!g@(}&Bealtp>p2EX0}(*2emu|RWtaOmHR)T@_C3m&!XAQ1QT`+~{Yx9N51uug zUs;X)$#$0=cstnV1l&Z6G`-4_TTT3nUTXPVcLvgYPjL=#Ssb)~ zH616Sa{Dx-BlP)GcAm^UENoidmwb!3JhMq$?9&|(tYq0Fx@7MjQb!NTP3|KYsiR26 z49=0IV=Y-e`POnmD*W+#K;Khpy*e$~^O!4YWlBiVsKs2{BcS7D#6-nBADT7u6F$@! zzd8jRExX?QMja}{Ah8jz8J8nnKkQ=AIa{4>aRRf4AIpVRU2!h@0@_dJ*SepRPDmUU zsrn)`a_@PF#vP_GSn!;2!dBOk*S-$@F=^Fo8muT~q z`y^EcqfS`neW49b9seYMA9LezuDlkp)J=_G@bGqH)mr#NdhM)50~Z6xybrBHXnuB; zt#znwKbH?Vgu~62jPxq*2QSTQ^}N+Q7_?I5qv_a=e%DyW#A&zgp^IFdAgG{aOzOaDN1Y zNVtsQqScr&?k$wRF9P>kXED{2e|JyhWrjU9gT4yS(Q3LOK_JE1&7Qo(G9SzN+Wri^PjAu{XY}WRV!*YzA2=XItM4q#KuLBz)bu z+5V#MEa;d43Zz7RtY~APfn+xJ(Fy!3*@?sg(yk@7^(u=jDt=q7>xd^FcuX2vw5;DS;pA7KUMhx zti@sNv<0##RYcVQ&$cD7QZFh-9o~U&awwX?#bv_f6<_N};w-3S+d} z?NF^Um#wD&+`8|<(P`N3;TKh#$ zy`pl4>aGtCksAAIZ^(4-8x)|ksDS%9$_>|g)}*Pm->+dmzv|HWlOW*+6`pQ8HZjw|CyCU zUyC=*5wlj`WVJR8tYShi9Z%1mebIzwCNL(72rIDcZ6pZnJ_C2-;U)vH?l?_SJS>C>hf zVfbm#O~e=|;V1g@dZJ8V8J)&wF4GdQ2i9Xj6pZD@yk7_sI8!cTRJf#|m1f!vN9irV zeR={X>P(32j0h>8nO0m}x4G+tZfYeroxVb$K*Ai@UL8344Zdu}Hn{G@3$r#y4Smhl z%M(jjI(s-#xqg|4S5q^viKbp+@B7tLMi1vfDTqQwSfo7J_2LuFeDCH@^$2XrENVWq zlta|0nDyBG>%^t0v%_--9s`f6mIE=Ip0pr5Id|mn1P|l zWgxbKli?YBK!XkQXq3A6k5JnB{K3MnjTo5S=FMSx@O%v)1$D1kSn5K1UpSa=fy6@_1+OO1DT4j z>HZs5T2PzAoq!LoyiMggvCZ;@HPd|=*l^^_HWjVVTgA@an^+sTXKvgu~cUUw%>|5gc%VOf@vIUSp*CK)1f zyGXF&_Rqn&J129UsstIQk`izFs#4Rh*>%UMNu>PC&c0%BDpDnwN0JKO`94C;-)y(8 zVR0PEpk%7w_x9gTzVg%2kA5GKP2x^#;WLeXQLpZcSQuioDdmqL$#uFEck5J`7-;!`H@WOV^)f~0 z*J+=qT3I1Ep(56)nmMbAbx(JGewgniWA!TWz<}4%lvaPj!pp(EtBd{hnb6C3vj(zz zUs?2+cN&BvufLG>_zt2$b;UCo%Z=q z8Gsa#)@P5Hono3cXqBx6ivyxo?g8{Ifx8 zXoSL{)Gp^fr3|E?7u<3k`@5xE^xF2GTjU9c~{mK3UKc_s_?Z+nKcB&hApuxcWhTlvu`ymseq^ zBB8C=g6LZR5uWwecH7-5-^9>y=+0Bl8t(@$G+~cH7<;rfQos?X@hWOa=PUN(vBw^e7u&ZpH#|A&IOOWe& z60JzVy-)#N4P=l>7uYOrrT@EtaOvp?QpL9J7_kt!^sg2oM{+;Nmb#%6B+S!NRQ|$z z4p>qWB;j+;4dbK1Ki6zQ4@xS(?&CyLC~_OZ9W9A@y8arWNn}Kq08HRa-2+`+5SFCu zqXy$@co+i3F}8=nD^vT`q&lmNlFC^aJ_*BVvY-m9Q|+1*!$Dn6b!ucRWfIT2eVaQ!63*-OeHNF-WK(PC*grG zE?~RX4IUQdPhaZ86CTWnOUpBLD<leQV6VU<_xCP!Ag&%m9{`Ss=pteOb1 z1mFGh4YSAhn>v+P6=neqHq019E;GReG@CK`S7@_h5aF@R8@*Mf9rz6rs;`Rl(@g%Sh4xXzi|dpz@Dl(Y8=6PF;6_KfT& zA-UkMo~C97dz2?Qd)^ldq}i#dxY{TKmZDMq&0OTZF4L-mm;2O7S68iK&;94%?B(a0sUscGVK9z%J=PsJyy#$4lf_75d z0N`lvT~D5atpqo~XgOuC8oi@@1Ps>$AZm1Nf0hn}OmJ%BVxUG^UXq1WYWn^rfg0DW z>iV1zlKYqWLCd6_O}eat49fF2#`8nle)UJbf+2|lZ2tBNh|KG~S4~ZWWT;s= z8y|4No75GM(?f%zKFhPDIKa+>L8h<`_xB2CPPWCIIJ6VX-%PF3oDU8PxD^t_u=wr5?BL|XK}f}S6)TN$+--5A2&17h2&QIe0_lw>Q| z08;Rq&Mfy>&%fekmfNI_-`e|$#^7%Ktv&Z%m)%ncTaY*~kM1+|ncaj3?*R?ow01GZ z;DCrXC%K@>cXo8dgQ!Ciz|EE@#(aKht~-f_nfU4`F{c>kyl*t##kexsI-}Ob^f+L; z#vJ7fPbUr6&3+_mG6?j$YHI{5xoPJm`Ypd5*vB1{Pi7HAaA7FLgT~_q5-rC)|B})V zr+Ci3cbBZl{rXPIp<)Bi)5<2#99QqM{;AJX`C5i4of);qMx=g(jYvQ)ER(XWY*EMM z@6~?((YIZ`iyUd2-@^E<_ePpsDTd-C`75A^E5q9RA(*VhTZ<3|g2#_6W#Ci0-6}Ic zJj+1q$agy}j&a{aJ+}qU?|sdACrFYyq4WVmQ-ymPv#s(N9S@Nf^mNyUefpI z)Q8=>I{PW#D|x$!StWOYx7uBCb<~h{-Nhv3%@4Fxk~0=XYjFa3$@5TwkFs%ImylqY zT5Cj4XeTQJDaj(i4Zg?4mG)t480v=gyx*BAFNPiSuR>z4!Z2DaYZ~-6>}|Pa`4~|9 zG0PVjzuZV;Ud0nr@rIBT8Nh3*e^6w!DB8DoDSmMG^)i?C%CDa2w`p7>&vCP6*^G)gs#!RkFx(+KgK{6N7{tMyPh z_co2RlE4b4?ag8Iv>F4_BELs3(kA`p3!Sfhl2kv+qXcka?LwU_(Fz>_Td`eVWh?nI zsVTABkx;_KsZN+=no5iL8s)iD@oT&-;^#jo?GbKh8A!KH8n4@~aUaj()(#`$@PnNw zo!bE7E8jAh$Xg&%P$Q zI&JN|T|=Y!+&q`O=(mKF#BYgPFI92p0c%g5M5o-x#JIKoo6euB)%sk$-SYgyTc;&Y zzP|t2N|pKA-AjA-e&D{eVjEk@ZujJ0?wxjHtOf?H8_M5LCUr_hiS_5zPW8`n_Bq#h z?iAsc_gdoJu$ru_UQw?*d3b2#XMe{sE;lPuyfda+uUuNPjcz6RDGEv|+6DaKyc%Yl zKuzgY`1y1VZ}^>DMH?w;X#-mrx4eeem3|0uT3|ZC@`uR|k}`e}`dJ_rkwa@9dTF zbwkcit}V}^!562h-x{RINC)8Q{R&%D6($li{wT6M5`yrytj>D}*C}F$@Cu7l;qO`> zjvhUF<_gO?A4s!!kKEc=8AJs_I%hf@ZaxG7y;$FjOb4~BNRir;w(3ssYFbT&@mJ01 zZ86yHJ5R#i&EF#h_P=$;H)L1apD-t@mQy&gPJse{3ZG=-Eu1PGBn`=--X#3+@pC@U zlSZ5Gu3Oj*_Hd`sva8hv2b7e(l6&&??pI~nBYWdFGmA}V5=On<} zmnN~Y+8Xv?V76V|GjpmAuzX@)_(gC-E=a=v_tRVTDX0M7zeWf^w#vIMwS_%t-bu&h zy9ve0@fl z+*`JG!PTo5c8#cLXAZ^;8y=VXmz(iHAy}$h+Bo*ix03Kj%8 zp3;aA-b{E&_bprU?}JY6-2YH34G0IJKVJpY!xxL7tC_c*zCx$`tt|=IDR>kjZcuBU zdbh!G1xO@xVPP-X!^7{r#{+Z3()>nkfbF)oBbXTC8rwyxv0kYpd*$)^lULD8UZ!K_ z^M$YAWf*PASVrROVj%bIle|OGa`&y`Un z1vygQB>nfiq;(!S<+0(F`7=>we3XC|t{^VfhD9I2NZ zeXkFykJmm-a<}!4dSXPrDl?cXl9oA^*?xUFfP!OBWZl*74~84KY$fW$%XftBv9zWw z_&u5;@;%Vx_s<)izF5DTWWP-#h3*u(sJ5CDmJGPpJs<6e@>gKrGuwSg!db!UWT+fs zhIYYVdxVET=%G&@N)b;1lF=U4d7*20yu z^r+Od=jql$$Aal5t72BuH7oX&4x9*?gtwh25#vW3A>qdfKj8xTzU{!CDb4j_=Z}&% z@ax+69>MbDZ4k$AjI=4+dJ3|Dgo`r$FOICoo<;j=+`U>$_udl`a&TlenrI%+58wLk z0|x)~zx!K$?>OSv{V@E>#LSz{GoWH5Oij$_gTzlBTNV91awqU+28H|6J_T)5+&d!^ zA0J;5X>J^WPF#in#Lj|M-%?*QE+-FM9q6{=4tH|L)|-vA%+0p6!I^;mr&OtiwcxT1 zc84WrM?SsAxpTMaXp)^YPa zlqP~JeHa0fglZ8w)$;SZ@$TAiAgqALr_K4FHWwdf-j)?KASSPSL-^Ef?uvZRTrVTI zw&hqu=#r}wN;7@dgLo%x5TY_Yj&jgDt?4o*_AZcp-RWI>PsVVqJFUzAmbz!|_u$+; z+L;nr!RwnmzHzjl9-2s>>vlD%a@=@?ky z6XlNiAzx3Le|KuSFfLNDTcpwMlX`;DwbSd|F_0=EP3FjWXR8mBV9kycCeWEXz3AhvCQq=<=LN7HxyQWQTbUf z1uD^Uxf?%s%mCb0cE?&dg1#@lT*^2aHw$+pwu$?5-etWh_&CB(6aE5=Dzmx9E9>7d zJEki?cFI3?U50ke!T*o5w+yRt-M)tZD75m5mZP`YaYQcI=70u_;z z5)eUDx>KYClyK1{4I)bO&f9(V+2{T6JAXLW<%e_jCAik}-1m$z#~3rO4R)5%j12aG z_ojZfVO$q%wmyzfAWlUE>Y z$<`L#N-q@Her}WVF{dxZ+dDpAkK$RdDwEUGhmidPVNsd6jDvf5ae8mOm_mGIV%jx5DK zcV?D!Xgcp_y|_sP5R^|HgdVSNAF7Q&cN&m4plstR}wHTETQPr5mo z6&ezQBwA&8j9fo!c+S1ocLMHB5YP%l7Jj1Ca6w-3rVLtgJ^aiplC)QqW+{FPHVd@Q zKl%8^us{Tu0kV3L*!@eK`q3lF+l80q;yu=`y?X_PXOpvT3`Ah z{dxuhnYo!zdh8mHl9}>q6*b)?m@rMlMEJAS%ettQy+M~;%8k(3VmXQ?_y%kbR4gh)o*8CX~0KZVOc3;9Q!{m!C z&6@>`pBg45l+ud?iC>2wR8}e|zS*>d5t=_iueT{2ZVuQLsrU^6;`*^PFt`msZ=>i- zj59@sAOkLXN{5U7ZWfSY>XR$Nh^TZyWWAfChJ8!3+C5$W_F2vuIxdyOLKW|G7`F>B z&QRa9weJJP@Ufuz_ubcGyyaY=K}*YjH53AfxadmY#^nRd51y)plGnR1$2U0D5p_6y zwzv0JH&QUN%yG)|qIlG(y`;4gaEHw_0Tl{}(ex@Y_^0@i7sQimmhgXztsj@SK_Ag& zPg2K(Ikm$gkSnOl9V_Xt^_`vhae~+ME6-E40lz;lL1eW~6E5?Y*VCnrDf}+afuj-K zNfq@G6c1&&{IG1F@`eMCyZ1ubZ@R54q1w8sqAJQfKZ?y@Jc-^a!Ou&;r=G9D zFFSRd;pgp}Y)eQGNGD%vnS|kk7PH4Ofk~#062p|4muGOdOkFx5m|t~W^7?h$ z1yj{%pOxjES9#xKi(XrnTRi;x^D>?@$$61vPI2?=bL8|3 zOLDTMmQDTCe)n&}pN)=Ia?j5`h#P680qNeSoTg9U6mx{#>wD5LkW<^<*)_#(OYHZF z55ck)h0W)GJ12OMd8r|eH8d4Em()AA(zN5APtg$&W|l~tnMh=9wgo%Zko<9_Px7<5 z>dA^sBdz#OCZ3vKDBERGD%%R%I`1mK+$>Q8URTGAfyfv4F-q$=rhHe4Yzag<(JAuA-h);N4Ky*=q$Y!3ygT4dz9o?~L!S zo{lx>*LdT!d=TEFtIh08Ko9i8r}mjYHX!qu9;)P)(MfK)o6qWkdERI(RAg)4emV&c zJW$1N?w1{#kJSDCtS{RJ0>j8pr=Y;uivmOZ8w)02EzsK^Ht`$klw`Z9z(T_l?*8gY z7HDWaHUDY>=qWt(j`Tb8nP->mHhZmL`FSk+5DoK3hgpXs8>}mF%CPiCeN*xs!`+OI zHZ_WNSd2uCE`AME2hUeGLgc+_2U9>kBhK#9EUuB>3#$ypV62}!m&d*RYtUmf;uQzC za|`kTs!Teo81YZ1{@;4asK+4IaW4Kgan@g@jGWv({9|ae%`u|S9iXuJ{J~Wn$Q2#EU6>>bK6%;0 z{hk1nPtEfAFn@cWlKFTRqMN>yO%^wn#TNC1V{yXUAC$leX&CCZw%J2;@^x{yM(hQO z+H?j;Gj(Y(Wra|8*8piYZi)kQG-R@E%lMP)gI$6UDhEgp8?-$6T&oogL2-rq0b4dr zgHDFXZQG(bpj9;5=PY|C8S_bFXh7+8n*C}&Q8`S!ZAJ=Lf338fDVpqk;nMX*Tx#l? zfmti1Wn+IFmwX|=V%n@(CfiUu)G4qH z@Po@yer*zX+L1zsp_ZIe9KZ=QngW}&>sqrk501w)o0HFiN>=#vqLwhZ0PN9ia*w|B|)ak6Z*8xN7w_D8sb|r z_rWmPC=T_cnVnh*JEFPARS&xb6hLQ|3)$Ylvk3UBhx5#kdqqGf1sNG?J`U1;K|EM zwzFCEzys`IC3MDIdv@&B+4pJDTTiw;RFdkZzsTvvxMyZ(Qy`3|7fT7wO4PuYIwAxE zq!-C{EB!Rg@eW5DZ^1PTF#%%HaoxxO+`b?fRE@9bE{S4++!zSx*k;zq&LqS&y>$8O zW0Z-+Le2ySC+TjF3_5cEglk?Xhi`Re-JI1n2@qDswQlbjc9fc9WkjI@;&#fe-k}GJv=fD}uwYph znq@Xvx|U!t_&^A48Y~?~fQzSFtR8Jb7VcdG=k2jeg7mvP&WT5fgg!Zc<m0j_W>HwsXHp2o2=T1y2ku)D4+=lvM*w ze>rdkA-41gH z&e#31w<1|{g0eD9h>s%Ba~PZ@NTCFN<17hrnFPU62=q=K1a$WWl%0UZ?Ql?mr8#Q& z@AxTC`7UjMz42|?sg%b*?%2T;m`Ui!7Qg3*XocOK)bS(jh2H7*6X=c=6GElLf!JuT z&uGOQOTB^iS%`G4#MXj>V;Xf}7WMf+$eDK;P0e$o>59d8z?=;DD_pnPO1SYgSxn0e6T)wK6LW zlU4v{oDr73k0;K2&BFxLANHm_`ic@DZt-RTJ5vw9za<)sVC2L-fAq)oot5h*a3v`K zq)B5@5C<>F#qNr2soH?~DUBsyTePqr(W}6RM0c8!OX=WJCy=Wa5AG}-OajgnH}P8S zP{wL3B7H7`&?%^p?XUfTP!}qPDZNC&8rs%4 zxc#fZ5qh49xR)^cPs*GWU)aaEyXu6drwQsh+i{tmpO6s_Vhc0mM7myUhmt#zrvf7* z5EMvE)|u~%S#)TbKM%TpvkS371HKUFq-y8|ZGH!;iG9hCAA6v#W@MxY5ngivLHm~n zbvhxA92iN@bgd#{zGvFzw_aFiRs&KJdMvF&`I@=x@ICqtV{aK9EXyq2!a`aKu-pTo ztndLc*x;a=Duq4=s?GxIBeo_z^iS?`h$0}0ZTj&%rx*HHe-%M8obxB)S29BmO+6!O zBcKPd(xdt;b7}|@Y2zzFBUp4}5gb-}PP{JhMd9gEIV-q(U#|LdGUrzSo~bd|SCMCP zCAVBWDeyBV=0TW>2| zCX4dSgoK2ud7m254S3DGrokj<2-O+y2iwp%G0XPE%;NF)up3f9_o@7w6K13g&Mlb| z130Ckahw&0@9MA#G<4j=Vhra7SLY9LC0KM9uD-{ml(95=)3eqBh z$PE`Q=c=LhTdl!$G9H~=zu8tcgvWa+Mt=L}V(6FjZ!ZW&omk<0cBbrtVed~>t zMNuazr4mMS7swa*VQ<`KOEUi7=g#Q)>> zrt;`qky96^+ht+&pIv045fSUtnc5aK$0a1O%|!YcM(CN}zY5aN@*Ay>s6lg!z*XVB zFgcoha^Euk?FFD)Db(a#Iy3QSNFK{824>u1fVQ>BeURJ#+OR;|U)?S7=Prv(^dUc- z#WuZmzQngnr0hQ)6CsJD04fPHzTL`25mzSxAH68353-}VCBdBwtrxu1I+wD`aEvM+ zY#^6T-tcl44Y76j9)9faPgVK#h)&Upc1!brD`fxkef`IU!Ui6KFqMQ897Qe7-@kE} z|HCj3>dV)w6VF-q_=E5zEd}uL*;$+7j%n}xz~wTMOAdrinp+c+blt5)_vV`CcyxQA z(`YWhAn8hoafEJ8MmB?AiqqcIVyW zvtYdkFM!x7mg1304Q&tP1aP5Za8`LLBe{=x*({wfp;@Y%+wP={e|^ z&#z;F{|A1!>SVBg*E8V1FP#;9Lo3ojIFgwvK!l~Aybe^v%>NJM`evP8-&c8e0KGF{3Q&G zG($R3CkfDGwjHLYwNp$-FFz1C^7l*n`zilFe(gVB11m=l2A(b>R}rl&igA}e|M%Mx zaDcBg?z7VpuM$V;Jb#!%Ue}Q=m z8rJi#@AZb|y1_y0DPDNfODk|33!O_K>}?Mi+?vN|G`OQNSeQt0hGhxy9#6{$B}lvu zXU$JQxlTR{=+^Kz;K>)l?kY8SCTBe}>QDY1E&qNO|NZ%>aF9vn)Yud;APNQwRH!Uo zgt5=qnRj;Iq|roHe-J9XQun;)P`rIek`t*K^nD1FG%iYN-@ z%W(^cDaAj%=L04RMMPBhmb4-M3Li)=GD?R65%UodBvz#Pn0Gl0`8!c3x)KVVvk*9` z=3n{sD5{QXf1=4|E37^|5eMv)|HrlY|3B(+#1?>&S`2-L9u}c!Iha1H^Z+R6c&8cm zdXcVU>;Dy~MTihRrqBp%1n9Rq(5tlp+;gNF6{=kvHpTh2cM-ME$bx2)4 zCj3`iO>8EDXm$`B-8vUReVV3p5bTjJL+vdKc%nM6Sw0yx{M>Z|s4|5HW@WccPyF>b zE15`Y69W;SZ4)?xRG^-2k?-WWuRx~_bf7(5ER`)X632||eg=TeR9+Iy1vybJ5U!hX zz*S&GbKzSD@Za;&B$R;8o`J$PiF1$b{O9@ zPa^t^YAkfcqMiJ|7C@9!T*qL$cSY?J$wju_e%U+7*q!OhRAreN&Id>^S_HjTzU`AEv=I6~ z%7fmp&U5Q6rma!_#*sH3z+tDCP?*kmSq-2XBNRPx83ua@q-W2g2;EPQvVkTcO!^tX z>gsXK9E?y7LSLC6_^B&$-|s#r;eh=5%1Edq`2wAx`u)bu$DO?UaQ#mnP`Po0`I)Sf z=`%4CHS;Gh-)tGXWqscN_FV7R-!T@=&mOX%*h(aG_{8ojEfp*Bi%)(nhX0+-bri9n zSK|dObdR|1rM)~1)CpS+9(>93*H_CFL^aikHsq?_w1?sYJ`h}@xeYVde_bMTGC;*F zCGNYj?BPTo#E+O6P0oQz0{ff}$rsRh`QH8Jx+RQB2dvUHW9XD%DSN*_(%|Ovho^<^AZ`bs!u!m4K5V!i+V%vi4M%pN8jf`rIm?N@5C8tK3XB zQdgwcdw^;>P}FDYoXO%)l?lv+W1PUCTTB7sRT6xvVX!`+hLMW}8b76N{Ua*SyP`1> zzr;3&|En?S8<{3p^)UCduyFt{U1TJrGsd zx=%%F_XWV@<W38_b7Xw7cR*qbx#e53(g;ONl^&(Sw@`cNV5+jCLos_p9>aQ`+Ly1fY z&TTdiW45y7p4YXZIXqY?#6)dDrMvltiuXa7d{phe7#ss8*-}7op6}2euyRU+#6@dd zp!`7|fCQR}M(}?Czdt`i4JS2>NPC}ufhpBJQQxI7ePWq0PIl&^hQ!cyBcrWei-d71 zo0sE-%PKg1E@C;`qjkndfwpBJS;)PyTBu(2#&;!aHdAQ%z2Yw+(ei+Zoy|#QnKcUW zcJo1>-;{7``p3*Tblz8j1So4haSyGIfE8+gf6j@^;v2qE$?K=elph5{mNcf%4a-K( zA9(@WCk;^tgEd-MwSq+mMi2nHJZMha$vJpo=gS*kDLriqQ-3uamJ7p=bYMXcvX#+< z=2Z@&^H&4Ofekv6r%IBWKxU?fl_@%imM7shrHQ+e1c!XebYcUDHl$Ac!LI97)V?&x zQ%!`g{D_bcSv=2Y!7MSyp-P&DegG)Z)GQZRT=#%&7y!9cgcWuBx(bT{A0tS@DViR8J8?U{;dU~ML37(%HhRLLX% z>~KF)p^_62Q=Dd|AAEoOS8c$yUlLzGVrw8k=-wxhlB4fkPJ0uFg5=UmkR95-kcrC} z__z6|I|4lX-Y!7&il_!Id5nFlw;#;B{-LPst~QD)MD2csYTzmV${qSfN=KxZKshc` zyxwYjo`e?T+DPSvm^Tujj_7BA)pXAiBTDGOTTwADaT7>clrsIUddb(_x#w4Dn74s) zJ`*#&;InXh7(`>uQCUr0V`>{ngjZN8PaJxYA27TM@;^$VDOQXLXcJDRy@)#wsk8-De|%14w>KI1KKzjF8VN_Jl(H)7tv0m|!6;m;;mieqo`)*IVhh zey+C|$zX@N`(e}ho$AzzQ6%=klVK&S7o$ye>dyPEcb<5Ua+fc!L}OzkgnkwUHl!!&kGad6l#8Qw2ndt`1=#D2rTZ8)ds_eF6V zv2T-Y@)94N;19T`g4^PqU#C@8-dSr?$Gty1f9xR}j%EhRwC{T;(>_9byGF~(1vQW} zAuP&_*Q2inYQnROa|`niasYt1B^SFM>EP`EG}yFx;6}8JnN5J6ms;z&&$LvocMUSM5};YAmV8M3Bq9Z zqOoDQmjY5R@twiYle8FJS}vV7e0c9Z10-(=SV0wqV;Fpw5C`ie<47EzDR?@&yA*;x zx(3wLFEYb?vd&Ho1-d3!b*2RXWGP{sy}SSpNrx5SP;$>xEkgVVfbuJ~+-3hG`FT*g zO}LXnE2h;|Co|%3)Z-N(Vl9#HnEQILfseCNbeHfkTa zl-(#2s5TKo<#t*2FJkbRD{L1E0>Re%sT{7=8LyK)gejozO_~mC{VROwG6i|k1Gdz_hV5c)|p}cXW5WILZ zC7P{QKK5570ZjQt&c2}E{nM9$*JN z@6|PNe|~wA$@!86swEc??*xJc(qs}yYT1s*n(w}@N{m8tqmF(tCJ+kqB91P#(8Z@d zZ*jjU*`#kiheo$E7YJ9Hp64XkzAc%YYrFn^wUDg_(df>o5*1AfO3nkJ5sbgbIWOfJ z^{WJXINC*&4OLnf{y=I*B&ah_aD&lFtdDIGrw0JED2H04?I5u)4)WwMXfqqT${=nH zqvMX0!HrbDO}nNUBkbVp1?XMQ3^3h=MoxqXI+kcm5mFqY;SET^7_YB)Jk9KUUB8}f zTq6C#ss4ax6(wS9G8;Lnejg~i9qdr%084yFo+Gx~fOrTMP-8H~0ym>?YaW#WnwXB; zHDkL-#RXF-BXOsZ+B;R0F!HCch;zGyMwva3p{pUzB^3QYI@t1G@88^NI%X(>)Zu?p zA~fTHNEql+4ZDB?!1M3WO2NZdyXD3H`GQx`7aZig%L8AK5V>MuVjwmDsp~vfQZFxo z6fFR%SYGjW5Ok%GvJTM^bQ6qGK5@^xp(NAzvRIx90l`FVPYticnzfZ((t7H*6n1?q z?gvVph~|a_xi(>puq9XE@*C$*MB2y4qa4xMD!i>OSI4!Nxu~Tqel(>;#!1-4jqRfi z4*QI#nX+rJft+sqf=D=rytH^JYFmulzUV_`isb012MHM^V{|592j`&c8HR9cHoi>s zEEDVBWptVhL3+v%32`_wT1;TZeD#k$_S^G?q0ur8KH#?OiFb%U&hpJtgAP~@T3j_Tl6#%63t@{99ni}Y}=YjJpzB&vW z5;U1*){S9Yn^X3y??eT-3FLoQKs+_npYyF7=x4O#F_+kD6@rVY5IBvAJB1wF`hF_J z*?kxa9=$)xZe!kE^5p(PU>@**Z|eRN5BFhzFb3mMA>eu+qPQXP^DvwkO3>I+fz7_= z``6&qfiM;5fBi_rNs^(E9Da08gmg)G8)a1Xio9l^g1`7qH#mRr?qLKw+=Gk4w+T$^ zkKO>L=}B4+R}xTbzThWjc>%h<@5dv}ch@55#i3MpM*El$d$LM&7rGJJ3tCr8t1%JEwI z^O{7=H}B7Yc$^xVg|qr~Tmi0PYQ^Vq0XIOoF=e`nDD}|OzYt890B3JoWF+!P#Qq0{ zLKD%WGktJY>2XY);0$TKa=(fYwvINICILi9 z)P^|ffgqZFdBf06C;=$VVmB)NOLN@Bf0c&$Uel$Yhhm5lf>&#PME8*~wwclV7~e>< zWKNa+tuoig`=12Y{{*|DyrN z(_fb(5b*dO{15nn-^%1X_~Uv%`DD4OuUW$uG~(KGnYnqs`tM~xxeEp<3hy(@bt=^4 z_tz$d7CM#{Poazt>qaiVFK*xv1=kaYi&+lF;brYA*42u{{I$kM$x_uOobr4q5+7Qh zPlPHdkQHZls--P@dOGS)4-54LzdLg=|KZ=Y*i2+%C5_1Ts0sSMRNoOWWv;y!yqN~70lj(U|bu37$d7~ zr*SPqjXd`?V{AWe&X~>`9xFF(IC*!fGd=yzsge9206+x*QzZ>wkP4PB+)W3A;`QK}4NJ(aY5Xl+xAjtU9ZKG+cwcr9k9SgLt)6vP1sstj}lmFtO8s z`kn!+y9Z3--&~}wIF(!d#!bG?o5Y9p3HX#~giUHEtybtl%7NJnO*)-J*G*{-o{2tyx zIfN)gdQVB7I0sXfL68ad; zg6NeRhz0uK1Oak;1_V#MQbrR5gqCZ1+I;Gothfzj5Cw|ls07%`DFBy^@j<9P(9p?R zx4~>=Nk0`uf8@WU@AmlvDgMe@vu(AQ+iqTnWhLSiRLZoqlhR~d!GgG3G*8DFyeWu8 zX_!Bmi)J*pGApRuiXesJ>|K4U{x^OY7weDELFomvQ7He}umFef`R0%6GsFJh#gRX- zNQ1_zp-bkB-|vyKLZ|=`%EFFHv8Z1l#3w;x5~OBAJ`A6ISs|e1B*YXaBpumJNa-qo z%e7ukkn^u{Gb+0hwi;FA?PsS!Kq#x3cZv5eDiL1!#kT!lA2eKR%Blb0iI29x)qu?; z4QS|#Khu|jn*q0PvHKh=&~0?z`QfHiADHNJQvT;z`ag3!YYKbj$APb@Uf()B~@L-Uv7B`Jb z?&e!V8CVRr?CkFWmILUjc#E_HjE`pcQ5pb;vxc96!*Rjk;CbpoXjP`N9Z)8Xs6=fR zAO(mT0;$=^Iw-18uLhdb8d%s@gE&R6jX9f$+fVH3eniE<_dZrKoCfg}8^|XHC`6$2 zSeFM<$LoBb8=-VQMhqby+rq#i=W03d5Q(0Vvm&ZT9$U%7i2TA@;c_FO^)+DGDq(kQ zS5KQH>b}aYHO()Y|M3|!j$jcIid+-U8_gRIu3!4&1Vv)sIFI^IN63YN07U+A_$fIP zzpHGBJw^j|bq8=aL0g?TOp3-8sCY$K85)YBIyeblbF9=u&?DaiOZy;?R)B3BetAmI zjPQE3gXj<`XkHxKMp_zFlK_JLc>QLDZt01j1TT@1eAOV5-O9=_jj}1E?HXWq z&;a>DudRhjepcsYcSgixVQ7Qg&VzA23t+UI2xuuz2NGIV#HTMk$44a!;fT>RaO||+ z{`sButWUF)^jgFV0j03dyxW{PSKkY{DUbT}gCB)n+r&w#ZlgAQG&!W_3Em-w?VQFT z#ijuOP6ZTpstcx}X%f^z2s#UZZ51##DcIb(Q0Mn@bir#=I9Qc)sldl&r~ggU(XBz| zCAp=|B{`(&)DN=!*MR=NM`~aj8yWRlVa@khd0aq^=s36`=XPr>R=(mD==Ja}^Nz@7fv?Snx1H^{`DUk2j zO*H{@eGd)2rbhVu&_1f+v{-vGFc0?rY(@=bjw6~|BXJn~^%Bd9*+As8huk1bghc%S z#tH%(sj)8x>4yfwEWxwWZA5K*whQP0xo~j)7(ltsd=)Nvbwi2RgB{idAP>=3zv3_h z$6+bsvCZX#9SZobr>3u>z|PK=P;n%u@DQ>k3RzzlL7J}>nPp%nOSkbVevtjOvwDB$ zv|`&*ujmJswLms|5*RfkbOfcAcV}ODEO6>6Kp#hSpBe{uhdQLc5o!UqM9|0yAse_? z3u-=qQXK%BwFF04br7U_mpGM4fqD9APS#vrgT(}>;7AcPVSJ33h!R>PpS3%KPVq~2 zTT={k6~D_CQo}SV%yepyvmMgbf=jo~yTLR3aSVv=?Fg`$!3O5l_m9@O+{C7+t;hzu z#)a&q-|2ok+ny_iW*VEnXX}`+YiiCR&2bdlS?;ZGtACWLp5xoZ4Sq7^(5(ldb{c@@ zoU5HzOFf*L__uSEffe968O|S4rLg4L3vPTDcFYad;ZY1;HS~i+9e`ka zggGL~;8a>O2DXG$qe+ZoBX`iv>6`!kl>Vz~>3WLt$|H<1*l=Fr5)txS`C=fkyi+k7 zM~b_ozR{5GlOOe(NSN%()x#wWq{2@;^zU8xKto%0R`6c%+neXA4G;HTrA^X5(c9LTp`zEzjX*qp&aYXtlK7Uy(6pI(8l^mJy;jM-+p%^NyI1SFec#5btyVave{aS#3r4H+=`mS5nWuaazb zJOYk>Nl=Nzc!2FESsZQbx09S_{0UF*<&QfjJ})NTa6InOKGFv&!@T}+kMD-FCBI`Q z#s{>OQqo>*2K!dZT_xzpTP?urOoe+_B$Ig8Pe2uUd@lUTQ}<(4B&7$Do2Z$_3}Gxo z(KK|i^4AV0vzRAd5O@<0WSnF`IUl|meo_;;>|0N1eM>CSKiRJQ7A$vq7|z!0{+#nb z^YWR7JbLdm{99{0k+N!)!AY{@rFAzHLQQdr&W>egGpr~k6a3fMhc$Q`PxJ2x|N3wP z=s)-am^)5&qw+AF}eW)9+TfA+ZCb?Sn}Z=cz(vt;l@ht;}sjQdl5(l*r# zEHnWePzw$Q!qZ=0&+uKjuk+wua=MU7iT-H3T|B?0v~`?rHOO(g+~ZFjaIDgvhDCWa zFw-ol6zN?|SsH(OJroA;$Cm`$N<4E4N60>xdb-F=vsVp4(rWKG7V&2f%{!tJTeKb% zah)Qoh1{tSrur^(IEKKp+I{^Jd6CZ~5EmTdJz-TZk;0wI&KelIq?)_sAXn0>ihh;{ z=tCK`dIt6wkTT4oY|DI`Ar*<271&@nNUTk5q~(6E#V zOkLyoOpTN#o|zF27?fsx4@)y(D(x22QBR0CBqmlMTzmN= z5J-47C5548V?_8Nx@7f)iIQO)wZ^>wrLYs7l$qyDVkm@dJu*T~(MR}^H-xLgQUA9( zl^;mmLj#Ywg9n>Jdfx2~Aaihu6b|77kWW3Qz>t%)nN1djyZw7!`0UfKcD;!z5ggk= zlx$C0%fXOOE|5Wb+*Uvx(d4H}b;c-`rLo3u^y}IIjS7a{$muhUhi?eESjgF_PWjXZ z(@vcOFzHe$%n><7>;sjzSJhFYVG8iFDO4@?&h@7R$~YnAPdNiW9W$-Pe~<8nrZbc) zHbubw84++(U(=6wGNH+4W`;Dou2{-#<*LC)Shir0ta^ z>Ast#o^)JTZ<<93M}IoLC^x&%No)Be*-W7=Gnoz8z+lyM9~ysp@K%0$Rg=7Cl)&8? zW@PSi9K@tL+tT2`dyN)~&WetYI`fjz0iFCiq&G0%p{+=HY$8B2QN6ix`dYy3LNU3VZwc|r^BfvhoDEc&CY+Wea(uj0s!M@x!(utLHXniphYuw-BJJ9U?;xtKjeHkH#aFkB54#rJtiz6v~a~ags#BzS1r> z^m9+lI>ejP^v9tuAauu2(FuH125jUilYm7ZVM$IF?7MoTLJ$PYjjZY^btqZ_RIz<0 zrLw)oRlFGLt=GKo0riT%r4Y}~pPx*5l=y{1XPQ29VDR5w01^HeJbjq3@k+6>1fIf! zzriru_de?qXT0VQ-X3G)Xh2IdKdW&B%8)E`P+5yn7++k{v%a*IsfThS>&bTkOPja#yuJ*C^LOdDQCc$(Pk5*lxcn({9Q8L{KHl2YN>cbj% z#B{oKZI20?MvI;i2LmAG)0G)>f6s~7lpnr(&%?KBC;&IU*cU|&rGLDq>J@x>;Vke? z=cm;e-T;`UonZt>f;RfkfYh7}422Re(j|baY@DP_g}#83)o~sT?e{sd)qwYRXL>?6 z^!oR!TTL!Efp!wlbZ^d^>eeDq`cEDy@LI7J=423OG-@dYN^ioGn|e3C9y`oZH9ww- z7Q>r@rpNk19%=0F(72_rmp7i??yNM2V5;%s(s0sC=paUb9=o)Ou((5>=VPR=N)@|& z0x!B=N~UR^@PeTOXQFeLKDXFR0JhSG(<71_=@+Byu|28k%Zy#pc+i!pe@G?)TtfYs!D;V6~3`|M@@IY`)DtueHEq-Y;- zb(;Te@Sh1r6l7!eYdqjNE8V93vu6z~)IU#olO)RLZrZi{1@?w zX;kBBe|&cDtW1L9I2o2|CTUfbW!^C^e|a{7RSG}r;wv6qFjfU{kNli*;FB*!wVcQ^77p(pwj)M6R59-N-5HPSD(8Uxp5FUH zv|G+`d5F;cMWCs(QY!FCO&cF@_eJ6?cYw1wBS|iAW`?oBodc|lFe-c5ZgF1#M*mko z=DO508-OO6?)ISSxT+vv`b28^IWd85v`vfGNbt+^alY$QBM^Ph8tfmR0?R9T<-;Ff zg&neMOopzhb@{bUlA4@DIYG~tEpRrZ7cE^>E04X9kwZOt^h+gPM6BZN56kK-#8hHu z<$&^4cfjHWH#8qXH_vh(MkvAUtEsJ&@s9%p@B&Yz-IPy%UTnJ%xiH4y@TG%5iAns z;op1n(`6Sc35eXk1nDxSF4E>6&}3vJ*za*H^xS4Wdv2xdzR?ofI)`%UndR7xX7BLF zP$}-|kBSMm3N=;0_?cV|IJxq|cmk<4{# zu5H~k%>(CMbeS18!(uCEK0?kC-~{bhLl5#D#TEpY%bV3xG^keszmD^n%&W(X8K2X% z*v_xO@_`31^UL?=J_kD^Po$oW?(p>8Tsrj`5ER$a!u?Qz@M^+RvGjwN-#loY+$3HU-{qUa5<0)46 z1cdPH$(Uyc@c~2rLcv}RMd_yG;hL;!`CuV21(lu9b3;?#fpYsL^KL;5s>N<-F4K1| zR*N3&+$$P!Ix&M@;7XT+{~SMbSlGCjeNoAICGUiQW1;^tFEHtJHW`DIu_rK3`x9MI z<-#O-l-A=oGDstI4?VRZ<1ld4y!C}340^_`MnI{jU{!S5AA_$CT}k>$pPDr86VTiG zEKmF(q!0xx`PP=*V7cOxw94Fc=%Yqp5g+r=duY;~V2PsVbRd7wb>FqR$MLTC?sjPP z;QLRgDMB=!@_Nd~Qm77IYnC5M!wYN?XtezXJ4hV(ZZQPCm0|d_pMr%e?RdB{5;%@hv==;u^$M1J1PXt$rsWZmrMR_T8EUbS8Y%$yYxs*%iA|91x-7GYp#ij9F$r=L$S|{* zf-81L-eTg5HdFFx;1AXTGCC%pQ^V#jwAQCM_;U!9PNo2MQN6eNx(Lhht_zoe#n)AZ z>kr|Jg%VK7R<7R$Qa`=bC1@Hr%z^;G=-2a8b$`_6&b$KE)oq3-Wc7XiTk|~_wLL#` zr6J!=UIeYwz{bt$ufY)HO9nrCL7qMYf)n7MSqsKK>^!_HcNT|qFOMx$>@WeD(lK28 z#)G77O`eqMj)}v4c%vM8Ap4e*5d2j*MTB?KHYRwg3h!E2a(IRA8$3~oOw=A)cd?2z zKD+fgmxR|B&`?t_F^nGssZChBaqg?VX7(7GM65dByJt^PtRUmYf^Ge28%Fn!k$MO8 zUYEkg(h=Z~YVn&e|Arald9?cU`44wkc6S0g_l~vDvp3okRj=wf`2idF@slTEjbP=O zZcID}>Vd!~=3xNJUp*J7t7`Hfar@cXR64s6z`BjOMERj6>+B1%fJ5nLX{CDzLhzTj z!({(dFpJ3i6W9#zNs?y*=>?+WS-j9G@=nYeWhI3Vm zdw=zVK+o5pY>6L)zV8al^9Jd?<)nS2Kn@|MB2~E+jh^{~bNCR}ST zC|RGft_|P_8!L0pxtrXPJ?<$o7=kv98m!2iJJ!Rvjq2Kt=0Fj#o5PfJ*1;^Xr6xx}dFHmY<8YFSj}O zzDJN0@zW7z+E;cRb_|U~$PBc1*ggdCQdYk9Wh4Nq4NvMGyThQ++DfO?dpLmk z-8<0K*erRU1lg*<$#52KX@>#!zHmq?R-U;V9(+xUSBLRWB(f-YEZ%sH40B03)$hjQ z$xmTszP3cjH9%4c1=XA0xg#PEfgpG4=S=r`Z@4u{1(I&l7x9QJ^ihJ4Vr9(%gQ6!E zP@NvqYomt?&6H*l35nZ!C6m_UWD(?rFDcp8PVf559AOp)5gJV)16l+~287U>Z()ba zV*pvw1M&Nb2UKh7iZ?6o))P=GB|3boyMB z18W~)>bSt2{%kvZ^?MMay|l~Vso`Ja^ZGSAHQUsmq`n`IQ|BuX$lkroi0q#Tf)&*9 zUekiF6;_Ezqb?Za7+JNLrj7QlzUM%sJJHviERQO~2;A2(sgTlIm*v56t&Tg0{m_lX zw>PTr@d8X-()|Qls&$fOn}8ohRLZ78S_B|kq|^Rzro_|6P}fdAk+JO=Dy0X}Wme!2 zLW4x7+yf?CgF?ZGW+&;?FW9gjtk94)V)|48c%Cb=g z&x1~fa$jzieAEGQAu(A?7#Do~qWN4>@JHm1X!&aLDU&Z{Vqnu(cR@z+dm#*>883&> zhvw=?N)Zts$Qcguq`I})s(OX9o&b2kL067)>;MSj6W!YxbBOT9=_NRXUe0R0Y$bgb zLLk)3ez|YnVkj4qeM4c*Yi6?X9yjIFO6%WwPSN(ZbQZhWG@P!F*w1kvkhXUnZ(ahf^hoJw6xVsZI{ZBRl`EP{d!;H0Gr4;=eLUPGRJhhw+xv(htC z`++!LEh!!9Ozk`Bb@>WQ!muJHg7VG}Gj?TQI4WEjS{erR6%By)Ig>_FgeY4a-NPO{$l37H+aan{!;XsV9ht7 zn)jQ8@jRiStAd*9A>Lr+imj(CDr`Uz7#hSV@0U%$RU8)>GykFR@~bh!kKvd;3Ziy* zmZh84IDh9wvL&F*lm866L(&v`O%1nhYZsVzFCm?wz^F$&=R-;N0cqQ3Y!nLB8;yXc zus-8|{MdIvNWmG2g<>w&m3ngRyHA$+`+iES|B?f^w&HK`7=p$*T!LBwg4z{*yah&S zRk>2t)dN-V;5-r+mq|=YPCA`kmbd`i-7`+bS_9;JY)$=9F-k^3jJkpUkG1yz=X(GD zha)6}?5%9dCWIo{WY3ThvP1UB2xafR_g*18TgfPUD>KOo$;$nFcfQ}>@4kP(@BjO~ z&voC|)pf3Ob)0kZ@p`{s&*x)aBSk|tbNzhq?CCaNi-P;}74nF(JeE@F3G}<>EM-vr z_!TCPF4qiNcRvKBy;C3oSk5uFU6lDA0h@Xuel-1Q4Xw1RRQ;DgN;IPKPP9NYC6V11 zCM;0LJy-c16|2(z<)axD7r4N?*D{`S41(FJO+ITAusX-smz}QhEGqX(Zrr@flW;@p z!41MuGxnTNw6P3XQQH=ffs-J;);vU(LwXh8|8I5*S|)Par(_OhhE%?MY(uI z!*ALE47bwj$gWoBps^uNc3PmA!ZZ(M8I$u8dlXYW{-Gg$WRE>svQ=?=w04aBayI8w zwl6MC!MhWFa(ko8p&j6!a5;VlQlZqNzKS6XQNsQSa8nV1s11KdjDV@W0_;*)uHO>* zt>W#RU0>+5xYu@e2*il^S}jiRFkE%QxwYMU)4a(5JY}`ZET%Q6mnA=kt%2aLZah6q z8sAD%0a(tzcjTY_;kOz!tHl4BtgGe^MmN@zL|M+8p&pxYI)5G1h`U_J;`D z7QaChCzq**ZK}f3^c+$_1|OU&`vo}gdn+>u#7SU}w7_CE$KC4VcM6wOH?YmD6tG!? z(1?p!FL64#qz=wcH#gZYfCan3fYS|2mSh~81~PJ|nqx`C!9FUgHSo%l`sQ0hF5llT zU7o=u6JCJZoWVthIL_!M;vzzypB*HO{DfC&hsE9LjXF`n2>QA@$a`OSkOp}v_UWwY z?BzknyL$F7xJmQA6143>_j+s2a>OCY*;{DJ7<}Em*PTdWb~84jNqRvKP)ptdW1JqU zkfYJF_NUiJgwPzXu09DxH}th{fsHg=AV19}{8q*~$R5yfY7`nEY`qIcTMH)Mzl%01 zD`0+X%SsfHnaB8_&ms{i5L|d9VCCMK#ch7nHu>uB-bKnHmt$|Hzv*tG`(Fovr5FuV zhhHp?L5?N8gn>uQ^!FA5v0XX)Ry)U_JRe_q6gU@~Qt4Rhz&1 zzdm&xR6tFB*0i{6&!_YK%}?dRWum*Nc_9nzyW#)+dHhqv5zOWb73m?601!;TDEBg& zQ9c+JOeMIy??@gvPul*^Z}LApy1qD=u`;snuibr(jI;mWe~EoZlj|{{zwvip8vpu_ z>5Bs_<#h?e{=fS`{L7ys{#{tCx`tx;|9|;bAIrckMviLo57_T-e(wL{QS$wTe52m^ zrBQ!-ANk)$MCO_VD&Nz0_++pDHfsE@4nUVu=Cf0cYN`MJ4q1}XexL3sRe{y**^ZbJvuJzhaNazfcOiizqUXyQNcne8O!zI6Hi^|o47BDsDw z?aQa|fFlYq-Mzj9PEIz>(!xA$0)@{A&I7%IvgXCgS$=I1|L@*c_E%Y=q6xH2OM{S4 zFqp>|q4!I{aOZ{HOXV1f1pM6I!r*AxSLFsPuK*jHR{2e&10H_9jhs8$eLA0g%?!wSVOaH%T_A!lpMNPw64lXGqISJci#RRi1se zlIl2k_3K4p|L>Dk5}t7X83Qgkh$m+S3nU?EUF_?@MwI{2WU|$(2@<{1Aj=r>wcNOX=9kh|`7GtPXBUBFUzh60zq#re6&Z|9ra4*y6r8$Vjb%PW^ zP;eh6sk9BF2Xjdb39~WFx>WNTJHFAoK>DWsMu>u7*mH!oZ}z0YZFSk{j5KZy@9yd6 z<`co}2V|^^bHxA!S@(V5^3$s_4%iz|hAK!EV1d`tI;vP?sAexg*Ox8)A@(=J$$6y^ zG3dH$sxK_x`kp|ZKDgWNDA^37_aLw2BUYX02eM1co8ua@_29YJ2Ze0Mky-DFl^lp) zyJ2p%WLjhYJ)(41$cntwoQtG!Nm~yiN}F;ih@Z1(9xet!6CEZ25#Si?LFbwu0(l<# zpDF1tv-a&7luy%4P>lUNjW&3+l#JBtq`DDXjRWr{eBK-AbP7~giv5E6Hj2&pw~~rf z7uqkNke$(Knkdmy8qj>wY2QC}de`sXiR%>Ce?I{K;%()NiB`{Ok0#R($F7mrlD9+XLlDfSjLX4>YWl!Y#E&kB zRha_X$w4q_R%c8Y6rJw&*3giUrJ@9tF-7n(?7i6lS0(SF5t$_1)LCSS@3s%K{^sK_ zjqoiHzlrRdD=ef(V;B9)04$M!)ZTGU`T1dcJVe8R>_c{x@S|khf(*(}KsGLjcr%0N z7JC=6C*5&g&YmVb@@_z~BzD3}uHj&YK7XHDjSP4d@P?VRK@bVd-}mg?l8kGLK=a6?S~tIDb#rwsAdQ z=0FsPwm}a}+-XS_L#yMYW~9qjJ8N7g2I|0aM`F zE7d=S02dPm9yUEv55EQh^Y;wLh1)sV&uJe14OX~mtCC>ZpOyYPz;Wtl{Y2rnGlrJdo?5PXBtvTv9!)jQvH(ypvD|+4^>eAt;iL)P zX6mEI@aQkXU~Au6Ywd=6`|CAxLVu9jV0p$6-+JXZxO#q-sIK6{&wqbMKfZr~hKl8{ zF{UV1-P2DxWnbxc)I#tIz&1*2_InR`dALbXIZO`8ft3=v-T4lxui9Hsc{Ly1(r6w!t^da2YQd(i*}Y{u%4%Tb~B1^g>N^&gM6|uKI7O+ ze#k=1Tz15x7%PR6e(N)Z1M`kTNih3c_4}{u-nY2CH38^b6%ble>rECJN!6?DjKt|Y zjd<&d%#3lx^p7;z^d-w5v4u$$!v_&D_AOTUgA^MnBjIt~!s|WxgudmXLYs);z>Z{Q z*)7?5M|)ST_DhFGgH_&M!;0`veV^ogQSCXS-Z%p~7h}96z3UYD5lXe<_AnF`mTE>h z35GY&U*1w}*In8LH@2x)gqgU-Xy(}F&wxt$aj{|7Po;x|34u>_#v(T4FOn;HiC-SB z7XofZ$*q-p&SM=^{L1#5vtTGrb!wX1_`-63f7kTerUH^2WW(z@*N;qSFQ)#-DuZdcG zOr_v56qBQfd~&#a$6sMwroq~Sz)D>tMX$7i+dzJa{)SyblUuBTW=G=#Ia{gdjuY$n zgAn+ z8Nb;_6p%9Xm#W~tV|FY0*a&4&mb-wY2CS;_A|aRAU=%}035}RCqwl}nfg95qnj(Nc zYSk*pg?foVwsj*yve?ro6BQ^sPyOmXL@2I(O^8^R3=uPO*AmBVTIh6?XhlzVuiUuX zd{HJ~p>6f1ZjB65KjrJzA43)+7k_izwXlu*;VY{xmYcJ$SMY0R;qA{3>7<-Yipk46 z5xN|&Ja-g$ps&ZA*?YuaonYca?jZcA%%es5>^K_Cr=49lctju98(<;oI+a$>qx~}t z&l@!LJm~Do%FZ0#I_1K0Dj9kxb(I;DR*gFWoCW6$zp`*dW&|0%GzX} zJSqDY>8luz@|msq5m0b`!APT@-i1Wf;Nd*%q38a_IPHxcMC;tDGDD=wz+g`vf)#3_g2eQbpU-hJ~BLF*KACr;B`+R|i5k&!Xe&XTpCnHApGCdxia6qUdZtrqc~`+Htxon>*&0V+Y=aBv4{zDdBQK@w?`WkVa$l;B+y3#k7%)TkHrRnTRD#rGy>3Uht zVSY%H%F!hDxKkt;+i{k4SH?7>?HESKnb`g5&kYGk@@A!8G;^M6`Z!I|Y-+Sz#kf2j z^_s?SZ^!0`;(&wKp0b>PHMPEAL^|}UWecW!1>X8zT^s0jOX8w}Ltrw^qXw1xgE^RC zlq^A#R|LC@&W89xj9i4S@JHvGvU)jqqd(RhT^K{e-XlXFC!p$A_K~$}`&~w2e6`_^ z?E-iYWF&tQ_3QyYnUCy03(a4*hqc>B!dtygj^o{cAuBsN2ZgQ@c_=rT+Gy2<1!Bmi z2x7L2eId9S&d_kUz3`|>%Yu(&rH*bT3WK8vXu5*jMSD34BlP(8X>^mcKI$*P>-~!N zfDNGblvMv&l-<1bgUMC7n#-GfYuEdEWrNk#$G3>R8~|+`muDK7bN}Sir7*pvb>%p3 zS^%bP=eMP9@)h2|5}TyBLv{kw$+ zkQ%7_p+G8kxIxn;^-O5p4R5L5J;QR6>VrK;3^&Jm-4Z#&pK~V)TN9o~Xc#ok_)fRf zaE-tJdVXa#&RZLX!Z>p9(|s1}98lY)=VMV_U=`nlfn3A(6J zIZ~m{q85`{$!GS|IZR8*@X|KO6G~)-usfU3oHM&|*CzBF!wS`lq7SAgH_7{TYo27K z^@cZomS+_~3;xlB6%6qCn@joX-(U;04`7~CEL6=4MpRvhnknV6XotxM7$T`E*r8{( zYE_)>_yo|-we{`EfjOoAv=4bdD(XS4PQA@;28U$_CkLzNYSFtQCP}Pbeiw%KqQha2 zlh$D>CmF8q+KooByC+UZ9Mui2Od>k{X(yuO4v9Xk+z!h!y~46}G@{iu<$P@;!ANsc z_G8(T=O`q%wvuY}n`9a3;`ZVacl7C>BsoxVyW~qhM{4psANo2DYfA}p#_>{X#Dr&TazH*O)r{Ne9uHthCnU7%p-_5;l1Y3Xjy;L^`xQ)zI zbL(d<3~m}U3ySs_w)Wkpaa+D>4~nM{xNHMS{IfTxU1q<$H>Zej<@v?HP&NNf<2fgb z3uUxk?Oe0->^9rCUNZkG3=`aA=G7S%RC+qKb^IPF;NwG7MaD${T_u2REJ>4j+{b&b z{)pz?Tuxcf725#VDC;4O&7aaKJpV_v^DqHSV(*w;_K8a)kcF=Fb&PgF@mH=o331K1 zYXNrrkD`rOWT0I@N`_Mv6~h6nIZ8hq(i^KZyLGkWxcsm4+i45RZrRt)=_vuv!tuSX z`c6cxNNdv0=8J={{n)ET9G+_>4zRpqu{=7t99nDmt}s|9$OG3T#i9oM;dUy}7$Xqk zOvP^*OCpWdQ#OS~w5!jgvKDGxp%Lj;0fhCSz$D}#bs@4;!^}we_cfcc%WP- zftu&&blu<&(j@cw{Ib|oHe4qb-Iq?k5I3<)WTN>{n>~VXSmAxKQ7 zx-3R;90+Uuawd)0o`_%miZI^JL&AWT#ohQS&SI9CR_yQ&CN`GJ7#AWPU=ZrRW`_*x zRH-e)4(=6)0cDlc=FBb6P~rM_FVOFe@T{G+%0$tVEqj zv|x{4Nq+i1S&v(Iv58!FQ}x>)d{)*Qkjl)&Sm6(Sm`Hir%w)*Cfj9w?`c#?-)G56Q zO^oemHg616OB#Xi;he~<9+eWS;KWpfUiOMUyi3hjVyvaMY=nLII1X|g`Z>;MEU zcSG_sQ1}Fh*dl&as`5j#BA3A<5RulYjq{PseVK$}9+Gdrg#YS#eR`;NOgtz`d%R?<|@2e6B{1 zx~dfj$&zlNwbYo2+LZMGOpMEQzaQaq$l4FpY%2Hl=uQ!hd_;FFUBKOh`GV-;C0xFe zoiLL#C>?&f_K>n^C}jy93)J8pySdNCb<8DsZr>+&t+-6+*y7LK&%~8{YsQp9x_)Kn zIlillqPSb>Cz_PI%~>xd^?Ps`w+XPX<{&-hDIdCZ znPTdg8>DK>LI!@D&AT#fY(TW4{$J&{<4hwkC(FJ!4w$fZf2?7?wEv znjiHX_t`A0)@|ojRoF&OMpNZvOuk}E-8>ft;sOEdhgvc(C zw@*x0wqBZ%uye$*)ts(+HQARbcfAAMjw)On;p%TasHyU*jdO3**e%?tv0Z*Im1``! zTqiF%8LLi(*%GRLZ)7^e!2x{f>ctbo8YH&bY<{`9M)$w+J49uHrYmdHX=an=E~w1f z@?|fQl|3j*Or#KTt&CqC&!cHqrpQ1W4~rSbWUS$+HF&|jdJ4!)mJ@JFb82s9RmRmG zuqnfMy>e5jwekg^%x>SrJ@TsMv_GY$C-kwUJ1+`Nc0ERfsx#H-`LaW7(+9SY$jJP5 zR#r#8w|2RF*VpL_!z$fteIxtXjC~nGU6*`v=yGN&V;`<(RwW*;@8|73p1XJ)p{|Nm zdbm;Xc6{2mF}F(1kUZ3Wl|S!#dM(bpIe*3Mm$76eHXf^^Q6AN!8C{H5s!8%Ug6vuQ z9D9UG`OHrYxIT9QI$2xynPxfs1cmYUx%%wJl|w%j!NSz5;nNE-tLcwt^zW!dOtqF2 z((VP?+~IC0u`jB$w3!C6Tj2p`LryjSqjG}YFv^13ONWLY1-ZtR%o#R!_-EKfE8O}d zlisQ*r8-Iv&*rt)I%h!KUiheaW%{d*Ps7PtG^1J=(k}jEyc`z z18S?30U4?1e)*1Uhca%xk_Rotjpmi}aky>C9=+^G1 zX4YP^afhW%;zReDe$0NV&BKwY)y4YX5!Z;W@&0=dFj5QyO|I{}t>CXOTTW_&Z0F_g zmb#Hv8N*RnUcXjDu9Z-?k8y681h2_QK8NQzu~lca)SU=@&nn6WHWlanIE;I!O)e!(RwYh}M&F5`soU#1alnAu zx+~afMvMgTS0#HzIEk~m0M6eaQKHT3h%oPU``%%V^+O*nVl#)^xCUgT*_h6FKll2x z;{TLXgTB~v&6?kCw9-cJ@=Te)tAoIqdA*;9^$ly)n;e`o+%qo3PVFPa%{z(d_pK*X zMk<%86my4L<4fK7qt4B*0~od4Z}U}c=R#zzq311^zyv8)7{9llzw*gq1vTWY7!iBd zE*|vs{0@e#2KtHFylCg#JN^eas~1HM>+iF@v7(7l<~)ANgc@P?wR3o~Ux;arl-J_n zEjMO>xRRb%4o0Xgezvtz;+VE=vW?~24}nmPj@@WeO8V1pn7Vj;Pd_z8K==-%=& zCTJ)>i+`1M_uG?OC4r)*NHUGf0iQX2w&ZOLk|0Yb49)S|>$+qQVYD5Mu;?)mt_-UdO z;b(rtVU#${B7Kg7tNQZ=;*?*ueW@!dP3;sLDO~po(m?uUA2mKJLRz`_B>Nz+2AhoI zojz%8^~<(jC@cC=!jaggp8#)aw2eMsaas6zih_UvHLFg9_CvRpaALwz?tZfeCe9c% zYP!x(eT~^-<(wD1Tu{1ESu(vqdTI<3lm~h@@CkgY<>BM0)ib;>j()Y_Mr{E*oG(Wr zy_Lb}LE0Z{Lm8a8hj^Pj!@NN;1+eMpx+`~W3OfjBt|fh-Cg}$GAJe?|i46+lbB(8> zER|hn9EB5@SQ5VCTh9tj+y7ya7t0dgy0F30{9b>i8=$o9^$6WBJ}--(g}N+5DFy)| z=$XIxR5PwlA3ZLdS{P%rFr(wd3AVJ`+eEQ)nWxuX+>lIRd2L1!sNDVU&xN zDKIBwd2(c3-taoMy~)pIm^jn|0oW+ncdnkD0*6To5zd(-<{wG3zB9C_W3C%XQ_gUk zi(S4HY=s_&U>@XZAA2=a)-LhST~SKAtpTaPZDIKlWHXtwfp;Q)k+rBVola2iHcS4%`j0qiQ_J5r}W%R z)Z&UaqZ^j@7ldh7G60L1im?I=-|Cd+T(=Bc@lw=s3`X(|F->Ie%38Jh?G#WawnQHUkA;{0J>K>HD;uG}<4(Ufrgl!|OA_eGX>r zF6daQalu?OdU~OgusH)--NjUIqOM4Xk}6kfb=!sM087cALKx^vHy$buK^;;<7NJAh zE*P@2j?#A;Ov)HU`30An_FsG{Z8sEL!WvHjE63YC$B}B$4l#Lmg5h8jYV3<|3sH0Q zQ@(KY*p}uX2>JDvxA)7+m6v0L53M#Mn>s@vTEx-<{Z&`{-1hNQ4fR3;!?>4hn8hjY)pO?Iu* z)wk;E21CkcN*p&mUx&H{Ce&Xf8hK!!wj8~j!?A90GcCLd%ZhjXDpwlGSle}dF^nC3 zJbwjGD-(7kyZU;|%iPyK@=zGr1%^)D&)dm<{T}NWE3ACha6jg+o1eKbR{pnLLX!+k`On z{oUA3Vfr}k+EZ6)|NCr7dAZe3YX^BkGx}@p6UZfmzQB-MHtai7j4a?}|NY ztJROfFrId+j1CmsvRKGbA6Jky9f;+V!uEVnKMpdgt%ksbN!zAtThyCfcxQItZIFL_QW=-W{;?fRBlbd~)$SSic`HWk_=&7m>8zV86 z+HfUnz+PfT-lt@9&sZtR*6+|Fm0gQ+Ag@HG%bQzW9)HOM`#5--zL*_R1C{lakKF+3Y%-E^e9=&3c=nCBZlPWq8E z7o}jk$tCay>q{jeF#wVXidd zOP9vkS9v=d@3DyrZ)lW?@8IP5mM~}Vecx$mJqmMxMcwts;*3&D9iQBf(v#D1D%Xk8 zYFn}m%$dXDP0AbJy)-COyP6BeD*|`RR_F1;hk5hdZ!bO7vl;59;4eC;J<`7sW}!Mv zHnV3?G&{#NzWFsp-0yhyR1gVzXK8Z8JwGpq7oXfdFN;1dfBz)ITj8Hs0Ntr+8|Up$zot?V{tlU>Xe!pCBigcYnTf*TDe83hSK)fqjQFrx=Lbv*p{`*mMBUVL6*xrGbR2syZPu_ZATjE#8ku$_dTrb? z%N)bW!yd{8sWAquHOEHRRJ3yo$pn{!6D)Ad*cQda)i!TnN^?Jb8Qt3=&BBnp{S6@1 z*^w;i*IwTC>l)W;I2tHRoZq?%bl^yVurVvH{lFiG?UWP*-D=XR2ugkH; z0}jR6G@)qRc#UpP9|05IVxs&dzo8fLySbA)8r=I0^w6hd(pSo%jvLP+l(B9UCia9E z3d>yPT|dCsVt)TSo$rug#`ccY8`>AtIn5=7lv3hm`jE)X&uJBAqHo1J=zA|sr{H)i zam{)+^Jro`5ng0Nj*1UkK(Zq*zI#Vz$F{^Y>jf2)a;W-;Yp1ZNqLGAnY`sHwaik7B z!O_hS;~qWLY*-2xMs28P=7x|u8+#E>ve$vKw=i()X>fK7LsjwL2l!r`e;9|?`o7<; zm*o&&;E-h^6s%FTi+oQb4f6QPzuJlSjM-8?y`SMf>>6oUmVf6B%NMRZk3ElB&$Y@e zNPNDAAq8#*q$rQMFZFSOJ?o1B&mMx7;U!?&UuEB0rvSNlbGCAD+g}#nXMp;|8N+U z)iGmZ&y$q?%0FR2L(4TsQ-K7UkMW7+ODncji%5J%Ld^3>QinIwpzdeUsm?|80X1r> zNB2USt~R{Rp?nsudZhA>y1tf=zZ#@p*Ifo4Fw3Ij+e1@x-ckduOn}2?v@19|!eI&pW<5emeqs8B#Sghf==4Ep8#}P$0`bDD&moHR7pmK;YtS zLuVPaWF-8bHDB|EQ9_C%e0ShGFS!1L_3qrvQFkB&6D;v?iG-nMk-~aX5W-f$L>kuS zF#JnQ#`F>U5Mmzf9+Lq<+Kbt%nlcr_meqD-CW|0ElLRZF*WTp(0*`55?jDjrjk=e4 zBT*hP*@0YdnJF)#u5p+-?n2Kz$Vwl|e)31);K;rs-E4J*(ZwVwu3i~a_OeOPMBIch z3w(CPFou@-wpxd&g{9T>4|OF&-6Y}1<&CC!s(J9~8v6gnmxOo>JbPdeJgVga43v_O zw^AXG;NI3R&K(0eMv3dhk3^61uBS!Ht)%b!G5oRK0U((Tv!?GDpY5!+@N*!6F+**< z{c5Xh<`}O$It_lwuo~`ZpMdqb^-!l=Pw0A!?~^si2GU_Sh{PPX_(c-kH%zYK@68dX z6R`i2Dc858O_$6*H^tBUWv#0biA5+gSmUzzug>!7xL5{A&`mkK(MZ{-o0TlGES6H!o5ck|4N>tfq`oS5(sMcw0Rr+ z>=Z4YE=dKb-y$WmyS_>xOCgZI7l8he*{`*B!2TXvsqi7Srd{k_(x8XRw|vGCfRMsq|B8hSOKw#Jk~S;4VenWgBaZUUla<+bzL#je0^__&)~x33 zcdmpq*@zU_I66l!@H3I}6>^ovi5MpSbJY4jJvMH1pDS3C3NUu7k*}!aC5RMOkkX9i zI`V`yNSAQz1DKu^+&_yd<-ywNqk3Z8+CB+7 z#(%7-SFFy8l0&BfTXlsLHqotZjjbQrna7JaaZL9g+BS6W zVe??V+B*)&<6w!@2cm0zRg8N$pDSiC@@bp;jxT|p9%?`egg6Crt+dzC;&KNz=YHyIMloLstWt+H=NSv;0g(cV@b)&$z1kbDm(-Uy)mX<% zKd_tAfS6@i+0?3Gsado1TF(Pzwx-X1*fqzw3D>T>xQq|?%M5Q^*>hJ}L|@--Shby3 z5}&pmH|@!3EwL3Ed8)CMOCxyLu;Ldke)b%oaKy6tl;}fNX$bc-X!kJgPvlN#>kM@k zMZZS?4!>2FAAx1)8Y_>~FE7o3B5uTT*@r(Wqq=I}z|clT6;_gZ2_aHPiO9qyzMiZ~ zbA0s-cU%k}MAhmO<&=nMJ;Sf3%_{04=%6vEj>5C9#5U!Gy^9U7Y-1{LzsZNg$or&+ecZdJ<@K98-=ferv=!m~QpRF;E&v zSZ^+fA8--0oEb1Lt`2n!OYS(iZO2c7ug`Fqz^!VGK4$ZpiC5539J70z|^> zM4^s;M3X7-4A-qOZYL(_Ut|}k@Th^TrXzimJ8EyJ1y>!*a_jt!{+*}>^fvF9eRs+_ z_NHzdq#)~tGXZM;J#(fvE!I;!?7~Duz@KmA2Cy;|247);>|wc$tpR0CWtZ|UjzQ(m z{4QwSTh7Xn%8Ux1#0OID*Tai-I=m6wjwBFrTbZ+rwSrG3hUO+EldWjvlpIV0xm}m% zjtHF=4K%o2q|}F!zEq}-RY^3kO&;++@|)||5WgFEy$#gP+uxh9m(uD(EkVnYXV6Cx zxEu7XwoCnc9ZB>nu9*wZ4#!%;a zTJ=it$bdS-Z#6&T`EQ*Phc6ugy0c-K)I086&wqOgycaUQ>66W#j?zslAkJzmv5vj*Ja#@4^t4(&}D-Dx(FSAj;6+z+*o%?#UKYS+i zZO0bjEwTx4ASYt#bgmidc9*bm9zGKV_1+uNa+k3c8wvs=FLmYJjq{xgjw6Z!Iwfy` zP6(JM~NRDI<;>(Oi$cT~*YZ?IP z(A{f#1(6MkH)XaQbrgR-;py|piMQ{xcXZh}5bl|BerxqO#g;-4$@DM=^~O-$Z6zU3 zEtmD-?igGXA0T}M*U3JN){-3yAFlyPw`Qe>?vL)I=Ro{sZ6IaMb-;_E?2b5`;8OZGz^wk-{UJ!8&$It*1(17pY2E8*uR z)nQXR3Me_eo`;1Ce;hwBfmS^f@q#mw?_Z0|z3PwF`Dqj&zQaeoi}1^ zOqNbbPUZxN_@{Ie6zj0Gvp<=LdQS9nInLl(jR*_9i}}Iw2Zna*=S-$iT5Rk2eq>)# z)uR<~N)N z8}#VPH|U8U+i0vYD6-Y(L6!KkGSSsDnY@fxbwP#qX>Mw&M#2tIHo3u3Hjfl>*I0w` ztCr`hG$<;1)Et;i%0j2S-`1<+;}j>aIViMI?L83ug0{eoW|DuTmshRxB;?aVo{^>; z+q8RM%E8nkA_xA;-@)_wPM%-n+Ob2gsg+7m;n(+8Ru5zO8fF>~C{{g!8guPmnGd#~ zG7{&CY_`|i5w53o#AvZ`nM$|m{2`be*1L>=1RL%MI1CMDQQ8T-G!9NlT>jq1s+qtnTgWmMZVP7Y?Z7Fcfv>nx+;$F)v0#rI3sj z{q&71l&Xn)ic#s#s$@4tJ??2!*d*(u)${!t{UMi=Ml{Ygyd-yOR-SNxB9V9@@V`=nL_$Ivw7@dytSu8Y~~g+1ey#bd!WZ8wHnPG zpIE&;z4_3{N@tx~-GhWB$lIFGVv_3D`JHdPPMxc%HYd*$7~cL_E3~=8{;l*4L~U5U z(Le4Uu>LhhK|~9LyO!$uq&1DDk-sj!&$|5Pgv$9LpG!P4HpNAs(^B2_ZjK*s@o-Ur zIfk8mA`0ec!KUR8cMTqLUhyVmen2!SODcS@_$Ov+ytzTHYw&yVi%r{&)i^me+mAwv z^Rsi4wS-b=)>tW|*g3CsiJCZJWmo01o>Z3CqMuw*XS)^xdxB6Cul$PePvV)*HDxhdS3)Xa(0elz>} z)e&qN8Rw04K+fi;h$-i>N2rHhMwhv&WFOOvKTGKhY6=+xHAM45WE0TjL=U@99Kjxd znw|^8vK3)8B4sB}ZvgOa^}FGAdZg3=>Ox;}VtRYFd&$e=bMn*^GsKK(V8>vUu{4MSeg?b zu-fZLSawmovub_dP0sXB(eS_46Z>{N$b4pGcWp)*A6vb9cf#Zg3L3AORZu#k+j~w z#3B1#@f|gBTJzD9Hx^F_YM+A{sb@rQ)bymYf!XA$ypLb*KHK%>@XhcliNtF1^fTx> z>VjyG8`*5%y28+~NN<_)vhX@>&FZv8qW3*7{?P|w(XT4+LYwqUIfYRj)+`idar$03 zBs^U+FWCi|#XiG_xww&SW}-B+e1)| zYQqkDfa!(pE1{UnTkY!^7uCjj1+?tMtIg(Y$JaSm(Z&*Y)(bL7R$Z-lpH_~o7(5hBb}Cw%tz?fFsP7u6 zpveoO@jVIhjblsfH4-6|bO6Pb)AKjn{5q3AChON4H_e2{T$#4n`lixt5<9ZoMc-By z>4kX0z;W=QJa3{%P1-|?yRPRtS9q64X6sNz%ggWG>K8)-EC61BKds1C|+A&RjWI{X$;=ESx)e6Vz+M9g3Zw_!!y*A{#NH(@VRcGp2yVzQcjklYPL< zu*mcmGr@t!7}cdpDb~Wrx3`J+-R6()l{y z9?_T}QK3LV#$o+=TV)(w{m36GumJSBQF4nu#v)`O>-(%@>dPSXi$3-hnr~bAk z+Mq-e^l$26GH2zVN_BXLSVv7;m9#_Jzm5?*o%!>Pu=EU=d%Iwi3C-~cCa;V-T288y z;O%|OiNAtn&a;g^78Bv9GGm)ku>=yZ`vRPz zaL4hoGTWg?kDSkeXCMI+G z4$Glsw4GqELnRO%b@!*(kLqS@_gJ`pg4lib*@$B6W>uPudrMTrZyM4=&ziZPp`$g0 z@Om_KvEA3wSk#rLah^1?tQ}02m*071Xp=8DO5HWa<83rXhT;a%xa$dH$+$TfrSxC; zF))HHA*yd+k0p5~_I4R@Z(^d=7GUpQx#KC0zD1GLMFjFpj@Hugf)h$+O-o#T&N7CAkq>Y#w_Xmd|28w+f_DJT;%nVO^}tn-pi z8Nb`M6*@RvL{JJ9d0iUShZxCk5sOyRpTM<$kJEyUV#e7Gr;NcD2Q;fr&OAW`)kppv z&IEpQQd!L=Z0w(P?OB;jhizH*3TYlF|3u)sGCH;H4wzH@ z+Uhd8Mr1dS+U5a)mpuWrK=3l z%h%QvMlnoK9(~=mw;z(8=}gxdbr~z`<IMZl58o$ z?j3P+xPf$}rr59xvwKWWzPur&$F=UHmRuZ-bz}P5j{Iv@&0hXBLvQY|EQJax@6A5R z+w~6;xx|}B!RJ}j9TQ9x>v3l$9rTc=(CnjxhLeEJ_V)aDlP3B&3-q+Sfz-aw)2r@1 zp*g8SSst>a z_h{){ufLUO<-E-Bh2hU_mIVowbn4&deWf$0cU6>z7x-8Cu{(8HvF^SVL2?6^4lvT~ zMrlI}7L!xX$_JkP`;)XN4JWC4JLv}!DB;Y5y1ErQ$#|#eF4etu361G4+83~ritYjf zZ}pri(BTP$rUcK%kO3h)ZZ=E%TP($j+hz2=Ffd|Qr*RxfM+=*hgEaNpaKz89Vo}Rt zIa~JUB@n*#;3mGmGatCwii@5P`BD89ea!`L!7jLnz^dsnJY^uy5w z$gB|=@H-@XbK3Qauy)TZ<5hP59$=9|!3?^R+)|nNwrr^F9>J`2y9<1NydNGD*v-~g z#m}k7k33+5jB2g4p;+r|u%Lqg;*sZW_hQY+gS}jOls>J*OBxWh7DjOer&F8D`X*ls zL%=3h#BVcq3m?+_AR2d;N_KJP7(Kh?oVUH*qO>-6?hgb>5A>Zjd{r{pxcpvqcB+Cp zW6ZJ}0)Ayik`hfR{UF|)=O3FL6 zchOKdjmcgMk0e5`=u*(hKA%{2AN)CM*nb(O{j5FqfY##QJEtH3UrVg$`SySG?fh}? z1Pdc+g@?@jCoqDs{6vGkUXe|jEJ6IB;Q-Adf`;X2`Pjs#A_AebcMaru_nt6g+jrG% zeVYN5&!}=u_$bX*4JA+>71%H#C)|}B_~jmou~|a zK1%EZp<*foSe&sPvKLGwVwe=^&cWQb+zvaHT!k|;_T%UJ2y@Ml6*?+iKI-_pDEa^!m#4K@sRCg)``u?x zkxX1l1zK>xZa|@KiX0X9Zi$chZiE>jOsjZYW37cOE5@8IR=sSzjrJ_j8Uh z=L{n7k$4xRJ_{WwMiQLE@;g^?7uN~z_=0XH81`Eo;Sm03R9KaTO%O(pC%Tj}P&t;y9O#H84Mu*2MF6Gint@HYr+@D^ z0u-p>n1l)0(T_lY@YeefG_r$~4RY6%&SZ|_7hV;~dsre8Q}bhb{T?dYtRtQP^}gpX z7NYHGX}vYk!*%U7xm-~{L=~1xp@%M=HWyitOVA;m5^LuVtfgKRGOhp7dS7>S{ZoPP zZ%!Q672ogtdRPPOmDm3eSdN59^1LKuaPVVlJ@Tsc!T!ZHRc#uQL*{=Q%o1sp-v^K2 zn$-GmNs{03(jXFy>Gp%%7nRs~Z3a9DPk3RZ&tLH!mb?@DCCleFl8DKUi0kr$Fa$aw zNDAGVN<9yfGg0MOyHy}#lLn=m?z<)}6I2rtLlEev>M5e?TAa)GkvI{BAu6zY9<&fR z*C53yUPF8LcbN^h@UP&ZfWNkSUNF{^7R)l-UANpAuCF?yU`xLMm^OAly7-Y{N!1b3|m1fJdb@t0oNMRsr?8 zh}_7n973YDUsKtV*af90c&kBRPMZMj9t=x_0<%vgZiinWs<#df(Pg4{fXa?w$S)@= z>S$md(MIW;-+5pXgRCuT;w7-8qW1L~8JJif6j{iY3q)^ifAcE*B3REn_cM1vV@D9) zK;1`c85P;~GSMRD5(d(Ke?iXy0jsTs zkSNppxoxRH9CA7?=b2@A6p6XoG|^3}S-&bFnYL-dF3vpe$S z8Wn#s?vlp^8a_iYid)-86HiNX6e}bXXRwS};%yahe1YO}#W7M`>R?HbO>Qc?0-hvI zmstytP~rnzS*XcA&IgI4nqMa``b)SHg5)(xljbT}jfBoa;$~@WtzVa&rKD*zDoOVC zw2gTc0;JhOUlo7WmuR%OV0NP-p0`t*IY~;umd0}?apBIdyEro^u_10lHd?d2xijg@ z6l1q&dm38rzzQmwBKY~dj4NXLF}S>FmL4zT5rpo6*#*su)@dJx=MSJZDG;=}&aUzb zsIQm^p@$9peUn+u0$oP;O#97Z!cjwp{1A%OEG#0`7 z?YZNoXY0|)P~#%U)+Rg=+2oiX&!L|jEvL=eKwlL99Af>VW{@t1vQiIGs=Q&-W%t=o z5FW_McH?a*l~EeK^+e*(N=CxjNQ?GkAl_Wp5)=hRu#E^G<=&Hq|7t-lYSCJH?!9=; z1oEjWlOQ{fW!x@ZFNZZS&8qqimfmJO|CJt%bwiiB{v0Csb918;N4#S@&ty!slv?3A z9#bnw@oCh6nApY=k3I;Pu&m)xH5wPFaJ#qVP!Xq5A!@&PpV#Aw9^2>K4J0H-j_pZ7 zE}gF2R%9|q$Q@1>GlezB3RdEX5jSg;*P*krWATdeybG6#J{P3@U!1*nT$Ab6HY#Y4 zB8pO!rdX*0igal@76d8MJ1D&?y@V>FD2NmhX;Bdn2)#)O#0n?`L3#-yNGJ3_XlFgX z=ljm=dB@q#`DcEcVK$KDx$m{swXWiI6cN^D$|37^t(k>OX~vMzHv!ELdDyM@&`0lY zWto^uc9z$jGPSGuZQI`$tpgx%w)(5Q!@!vj`#sjr9jdDm@cMXF`MoNyY$IaQ&i~4M z>Q(Qw*w)7ZbdZW>I+`=Eo_+5z0n9$sQELqg0}TzT_qX@%a5LPMbHMd#mU*8z5B=St z>@2<~do@2x2kkqqygTCVusd#*TrTJ0rB1#bD`nGc(&^z@nVpl96WG=!mb;`4vxi7m zNi11j@@wA2dz#b{r2MEQRX)5ScyRa~4X5m=NAChI0AR0YPE}#B7;!yU>wXpNwjV6? zMK;yVXt$4wmxU-r$-4}UUiey*KKT%ZIbMRb$w<9tuTJo+`4DpY+~h&uv1ihSLA2#L zboqr!zI4-{_}Tn__^U0MuyE?9%pPpG)EOhh4L28^)1=f=AlLy&7xF}Nq0K(&5e)NR zmwD{DeSCwBwnN91z}J6teDgi^{YdLH~-4SD9TUAK)wwZKlC4>?=>-{GIO3yVK!05Z+SOe@@P< zABRK*NP~mEdsHf;ulxsV8L!kN{AkIu=vHl-5f zoy7aS-4NPAdg)Hh)ptY8M@RIJ?DSxVLUv8JB`z(qn0^%>^k#FaoU9HxCAc*4NtUyt z#8BMyMaB~KQDgck*X_n3yb)OKI0pyP>lZWZWdDX46&G2}Ud>v`n9`)qH4`+bc}q>A z(d6BaADq6bo7!xn(}_vPgjzaXm{wsM#CUE&`s#3Yza{y)Xx-s#7tIm+b>(Fv<&9+; zsXt1Yg*wIb@$XjSZ!PqHOReJRYxgYL7LK_jDsqU?lu-pAyo|rm*6>kRmfoRc-0MyUIv$s+F0np|7CO%0I$OqCip7*=Y3mdHG(-De zP`HFT6=%!^a&dwyf?a9atL~{MQ5$Q9TMF;^Gm~R(5YX5TDN1@HR`hfOVKaQmCQze;&N~LT`rE>0O7AzCEh^7@T-|PbU zk2LjN0Bx`uroD+djIo&pEP>s((1IY+{;&ym$WTFn;YP3`TM|m#Di*4zTk6X~Dp~%? zJ325jI_ei{l_69G$ByX-sSjl|(%yE}aYE5Gu34{R|uhT@yRl zINwdOyN;ws(ocDE`g$;=Iu{m*cPB>#7w4Gw5PU zrN$?QPa8l+gC9V{pMRBL)^Ap*h>i0QgU|PdSgR4}s!q$DvD)a`wZdj3*R)uprQHgW z<|i%jUFPK5MIplVk$#%vei;%JuWx`^+7{N`Q{8iwk_+xXmxRhf&V6v2ki6u0hZ6U3 zoXA|rQ(Y2ZlXYt2;FsD^(A7UFa&kfS2NtsKt-0{1_r}Ml(ylAQkJc87j<%6%s*?q4 zA2y|vP)nSpm_V}x*ix--w!8GG#%wa8K?Z4a>vCgdW#`gandy?YYaKda$V1g5l1p+- z$>E7jjkQoF?g#nJp56=We}C~HH_{jC?!B3K9prz$zhn+i368z#%qO#e6HO7B-Nfr# zRA0POyCjv)$x9sIw}Dtv=?3fg2NOn)8t2aW!J;NIJGJDjz4ea*`AhNRzHei!quX|c zkAJRs6>t`sLTTW{?Q#%!<_KyfIvULl72SiJyJA|(%FV%_S6a?@@v^V*l8K;0dhD4S zh2;t|5;_qZ;r7H+6Y7=xZ0_G>JN#w}5=FF1b8vlNkzhyoAZK0|lnmW+x_w7CKvm>5 z3J0f9>U;&lX!QCFx|X!X15L(#04EYpnKC;8koZy>QGTl_DTu^)o_ViUvlAa6c!=SM z@=eQzJ~_CucjRX!u7sX@$}Qh5W|H;|2vIGGk!Ph|1U&mP)o_YpkRXQ5H-{oSOk2Hry0Su700X&<(S0_bZL#ffz;~<)dg{Wn#Bs~4w z@IC4i`J}ln^YKB8N2`OQX2r)G9xq#x=D-I#{zc-A*q4I~M{JXvE#a zh@+hK86%H^)ax-b!;aZ_zb5!s6Gt4Aug#BZzs9DA*78jCS#t(ms0#1i#hU2}9TAaPN!DZSb)Gx&fJ z8)B%F-vUyO34D?{yL@{WoCBf1v)hn8#^#;+Vof+DT_ScPsiEfKq6s8`5nr~Y=SS(r zv@Ntc@lJ`eeN8Ne>>A=t%|v}BT>eRuoPhnuj7%m^v129dIhd&#-Y;fBU?M z$Uq&wW<6TSWUql$=Ar&NwEHCZY#U@_;?HrQMQ`MQk;wyv@1FOu%likWo3l6|3Xx_*o*g7)Z6JxHC zPlNfU98_l~WRuayHOyhSZZ0+^h+;cl_+2Kr_J0RBz0@*?JAEjE(b}`8qxdF_CCy@| z*=PrIJuxKujq!n8NLb6xxHj{Uk)^aNC}7mzH)`DP3Q>8+44e;dEpa`5*pmW|(hKNJ zhc63gSPd6-De{i`L??_^QLu?0mwZgX3my2}jpN1E_Tb9!HpRd3zPjdNiLOubAZ}Ul zJ4{A=7ZVxfMMy3YZ9hKEtZ&w6Mw9(!Ll$~#c-Bmxr0H~y!=d+@@k5*5*lvjh&1AEf zQko#z)GhWpo{o)kc*5Uh3($q;Vn^Uo-|V^1C_t!a=)xFgKBRCD%D;vGNEhOYGV>`y z<6cUR8aF;TO>QgQg2VNMGQHUWnC>08K?&mvN;|pZLSra^SyFYUk%53B{g$-26gom4QB4Qi87t;>O-FI87 z!4lFp-9;u+J8LZ#Q?Mk)jVgYH&8sigUSKv&UX(3y)f0$U?29p4j?bf8NPaa56xjPx zYHjFy!k72{UDJa6yVLu5>JGb!Mg8jgKf9eP)j`yy;s)nMfvl{;W~6jNU-jTG8X?7P z!Ew|twK_1=zbUq1ic?{pvypUa4b&iSB*XN^D@*gZ(Zk4iTE!+R8f(7vNIn!jucU#HQ#{3 zgGEk;o*K=s-vW1(KK`%?|HRKr=ax4DbKip(umAei$P|!FFZ{!wd6tf8Fq&6>_b;!{e|#$7(Fk5=;!8Oc z*+TPQKJ0(^yQBA0QFF~d|5*4B|IM#I#h>lA2=xxBVTPlTzkH+r+cy+VchI`l-#_^A z$Upz4Uw>B-M+znCQd+n=zF+Gj7EL=j)E`~Sax!s-zX2{XfIdyx?(IF}8v zZ*EFcP#6)1exc_|!U<2|<1DOyJHGtm=e!TzoXb4O(|IMkPV*AC6>R%e*5?u6#}9lX zzWaE62g+SJFhqNs3?Z}65vGSZe+g$KvaX}bixih2;r2t-0Txq@zS?}<)Q}oc0(;hz zQKBFhMj*AbX;@CAPJ(Gti?o<$eR}OR(J;!p8+*T3D{dUu3Qi?C_09l?r-6-a*-pIl^^V-ED`L49w?A(%9Lbgqq<3#= zywuPN8x$wV2WysloSRzZ0^*kpg_p28`?6bVaGRIjn;hL>K)E!7wdrw@Y?|}+XpAr^Uv0z;g;PNdtQDjQC|BN*xe7^6)Re=$BtAcF-1tobRZPH>Ulc8}|Kq z4B&fZurB;4YXsZ#6$wsSmOF}oxDRC_@b?D9l4P)Q0iT6k#7mO0Jnev(F(8hV&YJgp zoZ7SFfpOaK8gVj@dotM(u@hAH_HULTx2+Fxtakt&TRSZ8*o2L3ff!T*JWbf$)jZZv z$TlCYf3ys21KuedY+92s5x{tqo-t&-4od|IyVhfE5_G?;hkyA-a10NWb7k*@*BAc> zO^JxEYk7A5zJ|-#6=h~Ah>4y81dF!iaAQK^fY#vHJ3-GpH)GBDmv{D;Uk2yy zTdC#0Ts%=!aRAm+2NEH8Y{vT3!HTRHi5{Iu zMq+N<6!P>7-@q-*0i9^&mQS_+sB1q7SyLigoX|)}Wk@>IMCoZ+%O>Q=m&3-e1ejjE zXI7rXnNWiPhs7J!bs!m)Bh0=R3?{H88&@YRu$?s22cSYsM!v0){!PoqE4K;hd{!#Y zeveMoB>p&xvsr?O+03G*Jgb0qecS8ORy^p!uTz?}27^*VeWR>m+@~N62OYlt{m|Cz zNUT*KX*Np+R;^3Z6K$Cf7pmu3FIvKG&FL7BQwGVQVdcZx1(?F!+I|$KAfFO-Lq1bPp!^wJCob=Tswnm29mr&Ts|xT!Q#}kQaU{g63{!8kWN+f^ovob%8Qt0X)sw! z6150HLpCAZGTaVDM<1STMdH+Z;pabpN_P@WWAmrMlj=UH4gIAyFc1_fNj0#Z_XGva zQ|l*tG5{**0TH1sV!0l>j0OYiX7d?jf0eN9c_KIUQB!!z|W8$-H0Tu6YtEF@}_zp`A!z^QVSSmods6;o;D20yj1{IbU2LR zHu@rHLz7O|DG{jp8GKFs;p(MJ%LI>N;%?|lMsfDASzKv2dWDq<<9Bsbg&-|2e8)21pn{;@rP?Z zEdsOxdk_^|w_f__58pK6~D&gG!g8 zG}J)N*%x3}m%WL^+1mu&D#9<#oIcyFDvM z-$ny(+PnNwAU~CY$J3Ei^|HA}!Tgn|X#hi7@pByYfxuvfG2=4T>6-SXu!OpY~^);ED*)c(t?agW_#c2m=S6Z!x7v5) zvg`EocY63@t#Zw`F)}^8VsAzzL@_RR=oHR2e3szSUnzcu=RCJExmaT?MfeEsuI9mf z=P;C~DOg~5}rIj29HX6#75<9mANb-v+D+fzbQtw`= z%mmGs0|17RyQHpRG-T4+RjIj38t;*dwE^$>_ye;2F4LZKUCYC7A#w(0OLwrVt$hC| z-w-tpuUCz-$|dJp0vwp;)ph8JKh2dbs_tTNy{orEypwuVMqP%8$KQB6Z%;@9XPN1y zqR3y?`M-Qa@!ozulOfbLq|(qUD;7J$ZQrfDv-ZbJL4>Yr?V!%u$8;8nqYt@Y@TfDl ze_*)Tedgr-o`4^THvUy1PCj1tu2t65>TG?3*nILR$aTwsVn#Gdp7VqrCWb~by=@Sz z+TwIw&lj9zOeS_KD@iwmaE5Gfg1QKaH;3jiF&%mXf$>4R@{=|Bh6XSAx+>5^;$GB- z?8hBP9)UH@B?&2L;B8)}xQBFpy*rZtZvO8LERGj_Ipb+t8fuAWv^%3|tAm8Bk9H?C zdwm7ZUu%k*N<3uUyeUygGYmeFlFlj;G7dF&7u$%;q3VYvx1wgG_x<)|OS>KjbMc@W z@;04j;WLr(DzrF+UVLO1T`FnE=HHYKh7oJsKxn%DwA-Ng7Lb?-5^zQGlCWuxYw(47 z7sTA^8IfoDuZr0?(Abw^yQ_iRvwfjhIt2y}5Qx{V91noAFX1&~>;P9vwUFcaP}M{g$dn#+R0&g70H1!IQ7PeP=!_cfRC3wbAAI>ICcmM2(V(JF4vb0 zXuN8l(0rpYsh$pVf+n&HyxYIsHld%<2TH*?pGuUW(m6ak-W_aRx*lCRXon0ily%@k zc7aDRTYiR{eJL%r<&ksigL!A9!hO#r#Lm1#;wHVgDeLwxnVK}z1r7wSKfR#PC5yt? zp=i*~h?H>wN6OAAf^Kogp8KO7B$UmM&MP~7*~X+X@K6u4pSHZbe!yw$;5BX((ekOg z0vL}Iz4XI(b0?1m$$zTdq=0B{DUULkGu1FwQ9!USKobtLyZGw8Z&_tw`U)(fHaG1Y zp&g;`Het0WB`Ezz3MB0+Hw*kRu;IH2c&P`>G2sS4v-Kz zD4fT5>v7Y^y^Pr9p{o?kGP+!Ttq^A`^Sixv^#6w*yz5%DR`$H6W z(yg+E!9g-SJ94+o7eJSTHsvrz9#q~Pa$LY#_5{*Vmw`>n2F%FPVcny|PpI&5VmvPTxULV9Vmtv{DS%`g8 ze}B#$FbD83=l_mfx(FFz&2{MJnK{kFptt+lPd;q(+IB!!k#yYxNOsW7(+9p2@kjj3#Hl zyUaw^3xBa;2aPi8VPOH~&{lQ1rLW#zXJ$PBgq-v5xu6Y;lP0>G1iO(M1|MC^=UO%g;G zo!|rpcGAffJ;vE~fg{eXj;n^~BPlFDHlb$o?(+5OZT-CNn^rA0?|||78gz^CX@|g` zf%GEy$zP0Eh`Vu;^kw>h)%$NX_W|f+GCb&tJ@F#=>+!?mHEmbu5;Ks-%s~0$nj@pb z`J4*x?OfVs1WExRC8|^GB``*D8Ay6YoRTDcZd;=O-W}MFPigAIQKx+-CwK$1&81z? zPCF-U<_ULzRdeQWeV*HBvzq9&*|UxLFj^pr{N9)C58hCV4Cj!vU0NqNor5st#=Z1o z^fVtz?AkuCtnYmc32X<=e2zNSHnK!##k;{OO=?v3IkfniI?Ros1mbP_LTZ#&y$aES zGEjfa?&T3I?t2E@0f`~sF8^t``)3%BWoK~f`)9F>d!dP|r=cQEFjb~%hiZzwwr1S5 zlwm36;Wufu=IN?93D!8VG*Ylv*@GLTVbpy{f9}iYp@DS#3r&xH-=`L5r6yOvRA*?W zc}yqNO*{#m%_3g!3wt2k`TL*bUKljjC>Lk(x^)W8A(rZ7CL5hSjGO9`CO|xTq{Eu~ z?dsD+g%tzxj7`-Ft!j!)`xz!QU~-RA5PGdYo-x}SxS1DeByDSF*yR|ip{X&Qw-$p% z5?=}_*1X`{Mc#(YMug63sbZ*e^nfZ7dD=o5XlK<{!t-h38GG^-gE6lgU&K(KEP476 zxBYnxH7%e4RyL_V89G?Qb_7XilZ#cm))J|Uz5G~yWpF!hK{mLisYO55C3M57D>~m5 z{O@BW>lE&>{{x*Xjf42y6j3}|0)&hqfytxD(@0vLiTQ&^i4L#|1*)$vnWuWwla zUY|y46}J@^K<#8lS|{CS=fYYh=Cd<=puL6cBs#2pi~GTbDg z9WFO3uH7G|4GHE|klN>17eqxDh~$50jt!}ehtgo7!{{Y@y`kehR{d}yS=Z`I#4eze z(@#5ep}#_UXG^8?vyh(}YRSoJ8j=IC`4~HD7l`u|lp~*)s^siDrh+FGWo_F@n%H5l zjz=}b$Y;V7c(X`=ZjD7s9Kz^iN8+^hEr+q%UP#%#TdEFm?pG;o4Z|f}e0b2w(26gm zjsa`@!o~zDvm@AXSY&4I`pca0%P)g-_wpr)>%9p>9{mf(irWv>Y#$?fe`f?hHw>9A zmdk55npn0y>ZO{5y{2*n1rd*L_a?|p3fU}=LhEqsD?c6Tsfi!VPID>|v+TvQ?ulvd?_Oh}W$~Y(Sxb*+uC@ci z{{ct;HORQT=i+cajik+=LhvhyguQvcL4(EI(0et-HwaJVR{R}AK<9IiujQ~#EBPYQ zh!VFWLR~k~alZgQZ%u+T>g*VK`|l%bjx2mBk^A3^Ba5dCnu=no4jAZ#H70>OZ2_xk z2^3EQ=_hT?q0I=lec(uwv*pLo#)k73W}yW&n1k=N`7XQK0c-?7wvQ zw?~w21nHEhzHhu8@E`^%6#D~CN#Vow_~~kzlTn8h255G3*ba&bCcOhZa1^rvxF zUlXD~?oFInt%Wj~HSuVKlFBE{Un{R-sC@KENGg7#5tP4jxl-SYz9%xIGI($hgewNAN68^G_W^Yfea4PTsR4YSZiMBZOYNV&8_fv&Kg+jO z_2RJAE!^88)P$gm;QS|Zx&>cz0DGdP+{MfW^TO!yl#bX#_#}JiV!$lxd{K6@JW8v? zvAY#!sqi>(;|UXMmU`<&N6$64TYCV?)HzXQ7?=G&dW(TlcG)^*8j}AEoi~w!mIKSB zbAAogJ4oj)bY-i|H)5N0nf@x%rIsshqtzo+6&Pq)ds z&EV59F>g2=lha5#5S%g%XUk&~y!v=YO;@1toCaK=1eRbsMcQ6Jgb*gn^LKVBcj>jD zO6}XPNQGIusoSuvK{K!#<kgi+`8E4%mv(VmWmV z?CQCfo!~TLL7;j~0_Cu>$P#kDRVs+cE~y59QRCD|g4we83)X`rN6wpS!QC?jh_{=r z#jW0_;7eB3Ao$yd-r%@~s8*si>)!pL(9p0v2(q4ah6KPR7>*&c%c0XMJ^nc~d(z;Vamf z5x<@GYJ&nY<}8zsrYz2lgeF2(;g0)Lu)tK|6Ldy#-0g+tffMGvlZGYrpr*7)FutYy z#>)11IIKW;-%WFF3S_7Q{f@kQTig_tYzJ5t7iZkc+t9idOJeBuMj0dykW}Ea@MCq}rvXWW z^;&_>+u!H(Z}-lY_qPd3S$>jj@IX%S{+6jN#CHx>0e%Rm-wkU{rrHeHM|~)FtI~ua zqw3oo&Z#&pwNp(r( ztE?RKYSIB?fc$>XO^0A<2|wt6hemod`Ym7iE=}lyPxiv@C++l9u*OjF)GzGqgor}k zu4fR))GTmhfT88{u&A>$rwm1Jy;bn04Q4-CtWtJQx_6#EDXjPb74*kRB{T>3|b%YQc08tcGG zdA3p;ZcK&n;Od;p`+rmkppGI6FI-WdHHd5Mk%TeQY+qg!lW~JN6dRnUSQG4tj>#Qs z-?Ri)drjzJD+>4&^ni{QjXwyWsCz391DOlZ-~6iaYD8>=^Ory@^(+wFpA>V;kFdhg zaN&d$lRp@#@EawubOjjQGaN>YRY+L2on9 zz#+vI4L;cL%~OTtfF7@q803(d&B2+O{uHY$+ybgPvoHir3BmIY&;w7P5CF?Yqc~D8 za9bBqX5%|7a)O4J-{IHhpiOLa(t1B3h1Nyjy4$sIdMflycBWha=6y|H3Qr1yE7#AO|U4~cLZ*L)8pU+pU|-X?~$S*4qB3mIm!sv-71vKIx_ zZI@m4QEO5^_1OX((dNwzaK^gyGIWeWLZ?CHIFrNt842-ThN`+25lSv~;Z58T42yE2 zUIy!_5{jlaheCk=xo9nIllVPgvyY%TxmVuc%v&M^xS;CMEuBzLbp$x)Nf?^ItG#I! zOwCm~5iJSOWx#+C&=Y=hS8f@(jcT{Sg6^%uv^*MLQO#1{clm)_$qCL7e-#DdL_`#lNDNXQPi_h7JRt1@pQ^|fm+VTzHouu4Y?K%a>HD468mnh;Q& zC2nn&qe4H1j2c217e7W#iEF?e61}{O9gqIzhrkmpPHk2E<4Oe+vf;hUVB2AhJ>UwX zz6_q0!?hbcOnO0}iiKfb&HN4AB-03w135BY;`nxIf7u&}P;F(4WgYI=pw1&UK0m=% z7*uoN%2D%ZV%vZdifjj;h{k%r=QY#%^1hoqX^;$oS#N}25AU;a&64DM0g8A4)_To5 z8N~C0LYUR0@Mp{wgqFs>9Gy7)zLPz>{`+kk8G`^Wu1pkj(Sf_Z#~;!ehQ?HC8t$tfrbx-jNv3JU7xx`tT%Wd3v_ zhz_sRTfGDIxiBG~ne^7Dz$fef9xm#Lw6^l2k2OU@B@aAueu`Zw+eu;CF9>z zlC1Ll=EL@z79ePNXF5%+!>r7!VS0bKgqq#D1Tl5R7w)qqhCEz6%cx=@D3g^+o#~#2 z=xhS?YXde^@s=F7^YJSnnK&hPD6e8D;&$)^OpHn6K1Ibbl-E!aOVsiS_WG^G^5ue5 zVWkOb-H^#@PJiNN8+h$lA&aGj4L6vN4B?@=N?L-I?T~K6ijJVdm^$HdDVAIWzrJ}v zop1@oy^CAs>j~8-(JjjW**w+wak53MC~#|2tsn{aomDi8v(^dHP^&wd3-xy`b zIxL)!3x&EkcJfLkRxtuB(T-!8%d`ZqPQl%3QN?%uH*Y^hOdZgf_(Tmk5T@XB6aw~8 z+_X|;JXAxu-^S1+o4Mjq7FFjyohdL1we3e195!N7imm+$u<&!6tgsr#*%z!rOyv}8 zwHLYP;h!t>jkb!E=H0Fu3TGJnw1YyItzveAD^%4|htV{Amb2WRKty`78KLqN@*>9x zS1S*}+T#fm?f02l=t%pU>h)0bd>GyocUXB{)LnyXGnuM(fSyAG>E&d$f9Su(C`{@p z%}I*%*QtBk%%ys;`;;eK-Kk;pYK_NgVDiWqd{U4;ItW*18k5uuf^s$?g8B`MeyLb& zp5VmV;Vu!zx;-ks*0yzl7ANEaSurm$axSf8^)9cLgML$c*{g@-e+=j?@{_#a< zb^Jt)0+L8)sKhj0rd%_%zvVLp5HGF9wG3dLHOnP7xG4(u`$KRAJEJxsVD59CE1+D> zS5Cf)f&n}-5-D<536HYkdNB&6nS*(Qji&|{y!9mJA7>V080$Pk0mC!+&X zUU1lJs?L{(dW5XDgwj6~?cPPY@bY0;ojIO-W+K@aHjaJWbjj?1%L9dzn8+Up%%@11 zcX|Ub)B`YJ-^j|o=pXnkY`-InvX2|g$%6|bwF7TeDT7t!>L+qV@I~$e;o#=(Ygk$` zPz75o>73VNi5c-G)yjfAcJa>uSnCSe=!Sw&ql4}R&2O*{!#ECtB^M@RDkKc)*k)mBpg zyhT|&gFW&VHmA`%mVj-jogaL@r&I20yHXocSpe280ifvU2Jk-1?8J9(h&%Osg?g3{ zBI_e;XbRL%F;`ux{gpOIxGV4Mn;IJyORcXIu4+}r%c;;XFxMCOF4^}&kCF>}-VDOE z0LEp;)Y!Aohrwa+p#FM>$Al34|0+I4`(k@euqM|*!=_5uj*9UPl`NsC0?IJNi-Qp* zCa+{rw-1M|Vvfd;wB?Q_2pL=l%99)J66>)q1s3N=^MQCZbC|tm!l%?6AL8BXOC#8F zp4e`0RLf9u{d`f-%Li)u4+H|CY4rSj>f^D+mFM?`ivV#s{!irg|7`uExe?$b)Gvz{ ziYf&DqoJ-tTyVjX|KTcM$vNs*whYkA^FIsKGx1=>GtvqCF3Qt=ypDc%_fo(u@jvyX zakRmwZhX*(GL#E?H{D8i_r7J&hd6?)-=i-b9^z%_gpH7;qLm}d$zY(C>BC-ppG+x? zw+<~BrGJzh{Q0fgM%{gsNp2sXU*03ZKXU_vg_ym8dW3~puld1dC=Fu~($oNCw`Wv9 zTrmI$e4YSzuZ3`yEC4jbTk-5JkpYH8t8;sRspA{Mxlfz#FIWGszARD?V&y6#$&Ez( zX4C36bZ-U1VEaE?3)Zc#@ z?EzinOhg6Ge|(NSJT1T%tAf(I{iWso=Rvvyu&Mtk5xSBf>;&WgPCVmwmunm>8d<8Xu44{QMJw&+UUM9ga09J`qp`>)FK3 z%UfpVGkvdtLVG8j3zkD=fYKbt#vYQDgzdnj3J4Bz-N#dy_f%YePY;LPs`XPV`YTkZ zbPsyJQ7GDuKw+P20|r(<>EamrVFI$cE56mGR%ai@_m# zyQGgwF#IsIWra7mKK7?J0t!at7BF??N^0QpQ82xyEg(UI9Kbf{3Pa`v&Y{KYeV`7Zem@IesAJ4Da~# z_zkkK_o^u}0CwA(5fDwBeKr7dAoIjX=^zk}=K9~l*zaeWBoy;;|1jC~QMI{D*zZ4@ z7fdlLs+q>a{Np^(sCfm$bki9_;<(!CeXk1P4gkSmjJ$G51iMal9!6)QtA?ri{ z=P15F6SOwNRak|PuBxf2-K@HuGC;&U(-l3OXy*|-Wo{A5?90MbjmD(k=a5P6i~THSZ~e{Nwu$6#3Zu`To8 zf4?fAo2xHGNpwniC)YcmnYZ&FPSF249+(PPSZf#$@KX@9$g;2wxRqB0k9%(cNE`QF zFL~f4Bg}C&N74o(*vCu%z^d+WCHz-y*I%#I;WWkWb%%(@KY#m`=Zer-Isu6{%FGve z#(Ew9f1JhWJh%$RuV^Bw21OoijCz`UhQhyK9dzFB_ULr?ccm<|2c`)??D7_ zdoJ`K7tTB%(i653ft&1DyRlph4bw>Bh282W3IaBK*8ptcBFQaxy+y=Afa6^8ynL^V z46tC={KzLK0O`sm^QsI11;~Z2eARav+L2-u16vok+UCMf>VOAH&u3Qc2< ze&O>{i0&Y+rMYmwe3l}N@w*8MhcbvM%`vORiGwSp8R>!vruh_b0!IT}pa?GHc8~8@ z+xfqqga3RzvhDl^p{wx+J0cA_h=>f+FC(gVJt!WvvUXe<0@2)eQaYedHa z@61v0*$wc@D}m|18_9Oxup6j;&B!Iyf*@*UK4mtDj0&8{3g*6ll+Cy36ih;NSP*RJ z0vv;vDk#Ok%%>sq=^d=yzMYJ6LBh2&YLTgp{hbM``gIl&gL5E?Rq7is5YRod~TK-dI# zz$0TGpWB3xq))q!LE+4&7vJVSWrBmt9c86u zi+A6R`d$&Jes=EmH0-_T+F38BZ)26~?N8?^aVM5T&3f;Zn-{KQZ>((k`<()Yk0DOD zG3A8|@_v@lA7gNyHC-5be}5X7PvuAmkI`pO8tSL*wUBn-%(I~#ZWk7U6hocT+^#hH z<530ozhb6Bcgxg+UZSd?|B)5qYq86D_F(#Q>C?Axz-!(=>wOw&8mur-m)a7sCHS@O z7IxoFP~7n5e835@t^l}`;wLCjf%oeM@tY^LO|{jlGLJwzon+uA<0VRtgr;5vYA(af zt$F&&`3xBOI+CtdZh#l<%JRB8raY2}b8N!<$M#Yh8A4+yzV(S} zC)Z%#Bz=MAtbubYu%xW;IyVs|Q>Ten%Bu~8ol95LD!^xW_1#q)znGb`$OodkYK5*GX+CCt%}+!G{Z0S(>w3L2Xo`#0Hby3(kZnhV=Jl{? zVp4bxt>c^%=>vkxKvyyM9FpW3In z)W$%M^6W6Mff(TSeR{1cXV4 z7ow*T6ANbdZ*qF@DAjbYl+nCGu7OkpI`Nm~ltiKp+SZ0L5Op}T&3%sRI^^rX(EaY? zluoa!S#Y14san|yaeD)JeZ;#k^&=qlcS#2$NvcJsAUcZ^ls)-(dVFDJm{LdM^%3?5 z6K9E_@SW*PaDJ_8Q~~Kqs%bl2TKy0}p%(}vY$Cc$?}1Hlh!E~HR#~l_mM^N(-VJ^S z1GvK9Rztwa+JT~VrHzQb1gcR%O!s=5GQ=i{Zj6ZAxvq|Vc>(q3-K9B1dGfS>K(>tx zYoOw`?OgM|O=0Nj&(+GIVKsP0ASpkwjV{z}Xc^pyi9YB*s|2O~x?zqe;+L9NJ%2?j zC?x63T^X?TLZbHE2P-HTog*do??4aN|04ze4X;Qu{Z(lB=%uI!oo#n0`&ietU=3{( z76n?w4|=y+R5w6Qha0b?7qeRm2CA|oR;vs`9tJ^@!3I#$pzN%Cd0)hODyjYwK8Ok^bUn1`SQz< zHSum?=FWsKJb%eoSO+mAR+nqh>e>QRq?)V%jej#rR#3m}XZ)YboL*0HJML`=XP@aJ zNF@8+O?hE02xLcCirr(=$N9gu5)BUqEEWxfn0DQL4FrpG zp`6AcIP_X&62Dn#Wt7*_UhY{y7>}dNa-u?5s&g`IUm{CVhXfInUXI4L4un+TQJo0x z!FWW(EYd1{4J|(u-~H$A>c6#}5kb)BUKqTJVSv%|G^+XR!sqn;15mtgvp3PXUcU09 z_qFS{b7rR7(Xw7MQ-TcEaBHv%9obR{9#kd4%IR`%25b;L>ko$?!v@0XUR@?6NfO}V z_#vouaeGD0IN}d&eYE@`Y@~=dpy@X!5I#K6{aEoI+)xSATW`c6faDzi z)H3yuL9=Ck(^kG>=)SH?7ofA}Cw&=M&4IJW>vR9y_Wb}*JK_gJd7N6w1JZ0xgi~}z5P=CDp8k9Y?N(D~O3HDo~DPGoZUk+0^Aaf<& z)lmk|4I1TB*yd;fMD~Ic00wU&QsDSiJQQfsG?DuCcDL;3&eYTNcQ{X7|D$>xF6>h1 z_rxtwY$&%KdO4R_FYkAW`!~}(<}Na`{V_mW2_)m=D(0{fzdRWds>FoXp=-5IzpYDe zh`0ltya&QoBV{_*mY@kRN9%%aJMHmRXF;IvDU3V=&njhFVNJz{l64mN5ER`s!q3mB zRgI0(Y`J6I%4?OcD0){>@O7M^p701N(~Xe*2=?5(C9J#NC}%Ng79cchIfMm(miUU( z<)O=qn1{6%CDnvJy)9zjvEQ$MiWn)nIAOJvm-#>YF4}ZiZ?J%<#HsAw-9w%}_MMs5 z5OoqAFPG@P{qWgvmQPJc9{BFFvvtNh!CIi;@bqMd;-vdEQ4Ft?l!@TgVVfS6co{f^oNxW8Zy2s7ZN9rw1w?-SScCi5Q))gWt@Lj(kek!)9d?09pu7 zs7AcTdeBQu!v@S#_o_yL5?oJ19`H0-LF?puHm%`eWd?ptj+ghN*V6*B>(IMYKD$8`S0FAD$L4JmJ~GyvXsZx!3PA!f1dhyEe3j zY{>wS)HoYt0i$HbX&2aBCrEyh_%n|Ae<$I;PVN8m4Gp0kt(+D{Lc(Ec$bJvZ-C#_$ z^Y8?*H_jId^ZbZg(iihCM|FH+Pn*e2go)Fwb_4WCDit39q3MOx;p@nx+m#stgs3}@ zGqn(V3HNM+S-Bo4Jm`hUl#ChYmiHj*Fso-+#X*woB0uP2xz$V*4>ez6nbfeRGWW;cEV-z z@=uoyU^r@%w?K(8le3?zgfx?@{VE1%Lo_xg$-yI&;xpg1~ z9UyjGOp{0d8{!)B(C$SZ+Ih7v>hRDCP%#d7I4&W&cwZC19p5B!FAzv0YqRS&%Rw25Gp-T37RYB{|Ns=N~H3jrYC&3N$V~eWf#IF!{zpqlH z?aiP)ilZPUHa7N*6y9$)W8ZS~VjdbE*9Bd=ezlJxi*@?XWGDT<2E>P>lt4T{^tuc^ zE*4nqxNY3r2p89^CZvA2y@rPpmwlCS_z?KRhhe)~3vXP?fwflliHMEO0*9{xC-HUR zgJBtNgo!8SAks~y7f1n8CL)3Um=p-h_9>utx(^V+L4n^ikFot^gdNzIv8|hGDL|)c z1yjHunp3CIzq{*(o!>b&0MeuJ(%f)_2I;}EZvaZNs$|kEY+=9N4*rH`pY9J03H5kO zbHB=Ci2`@3U-5-ovIj8H<8|LK@zndl5X8>`%Fpl;U=K-;)*>2rGnOFPhv?t~hVL;* z=(Wd90LXB@h~>%PAlfWU|Kj#xkmk*q-|SgcmtTDs08hC?U&YPgQ-&AbB(cj77z#hkyA6TF8QN_?&fO7jAvd*?zX@P!(76C%*Q#6|x_8V~+4 zFcnz2G`#dGk9_cc?t$Jf;Eqk4fu8;?82Vnvk3P)5CM+hC5V8$n(`TYk0%(9h%D@K3 ztfdutz?8+}$Di6pKUqMlSpqFR?=vhMJ>t9|tI2*Tt9B0t|f71J5jqE;vM~bKkMMzBmmbU{tdNSqAr)cnw_^1|(E?vI7=S{;QUWm>lbDB9JAE&Z|1VHtBxjv{JjZkzd75 zp+J-grI7$vsM$ahLV|-M>0#XUU>0{}IRBCS|M3D?jcd5?C+`t#ed{pOu6f!42mFap z!oXmF%O*H>cu+@GTWwJ~Ypc8c`{g0E$$#2z*>e zEmV2_*n*yrT`ZVKYKZk|KN3EajSRvFa~*eDQVgJkc9ABdO&oHWDr z>9NJX0^>Td7d2jifP~Dn)jV-5^K;+uO#s9~uxg4s`_WeE=#2ZzTlPC`s56K2o z-%*8;&wlHq$k z9P<<(z-+cQ!TX6%@f(OVBK5vFj=25!To|h+(*Q<`Tq2zxz~c8hh<23uVpAkBF92Q0 zVDCfvavMyo^;YMuF({{1q^{@5uZJQ89l<|nPS~E6h7m^si8P?Vtt?za8E}0V0K=p& zccBN&OBb521p+ZiirnncX<~zfKZ=POIpGk8bj1gxL1Sxo7f@e4T83W45M-8s4EiGO zSG=SeHt~F(JAfa`E~?Vc`@rsJI{N(Xdn6<)GI*eOCoB?Z%7UfKO^yTl6nLAu0QRsC)0YoZJ6>oD^w^ zmJo#o4N{^Zm&k1IG$>L=X(uEXT2>;Xr9oRsgLX-2NM$7Lp`=NYO6z-^-5+l6_xC-@ z=ljR+_s9KsTz9VVdY!NHe9q%Io(M%7Q6pR?NZI*Rj^S3ZWXIjESNA-wKmhg3r}b5a z2i9aloY7Ey#ERAb?(LKAE@%psxnyD@b^9IS+0PtHWTtBmw9cFR9rP?W9nHw2g9 z-Qf$+VDEuv>(qHU&_$#-m?Tx6%#7O@O1T0zDBs4nd15pv#j0K=v;hv<0wlvjgzyfM z-eWe(^_X$eF($&w7VDXf@2)f3{VBVSvjLhS*}NW6j^7%L&>PFHXBe_TnQRU3^Eg%} zUz-=_2QSm?IQLZ4$|&x7$o}(nD}(kWeTsE0zOJ)84Fs3#+Pl&}gB|b$_DukYIf*sB zCOsSn(RAtx%#BR2vsiluT&-u0W@dgge&0m;W>d{$_Z6e7mG$>eW=<+ce>J&PzNdRRvqO zP?9d}JJIZRI3Mi`az|N@+3fU>n*biURMXm1r*Pp0E5p6F zWAz)Lc@dyfA7r%a{K$GCnGL(1&IPqt>r<%7tlSiTg}0acLNQ2l*@>o^#HEHvipQP_ zXR8ZYk<#)UsBdK|SK2Pbo+U3$RMZr$>g^m9SW38N#$D@&Tiy}R)UwHIcJ0xW0HxQ) zr+Um764Rj-wN6^Z_{p*AZ(Q1M7+BO-tu9&}bH?QM4!YRz{?kI;*|zdi-(l~i(QEEr z;#77KS(;Laf*V7&aJ)wNMbc0sgKPGsZMe7JjmU2y-Ruy(T4#mfjGAO9n2&>u{ii0T zua!z4{O+T0Y_72>(F#?r<%5bnQE2QO=5T9%<{?X6s=j4O@sIb=n;8MT?nXRA2(@_8 zw|(d<@6&zVW0!dHDTHFq86J8Yap-gvuj_zO(i@L(q1%KwggVfnbiwQVadmw_q39v> zJ6#!8qaEHPUmviyp!L%|@9!ziFD=||Xnpp1lKoiLq4OZfpN{fCeuDm&`vv1ONmuF^ zDy7QWo9tbU>$ffz4N;(@R}61D#jd?3pakXJ4%!O)o|^Sv6EUFHoP>!zD2*eXIqmL* z!LaRV@+Nt-n%AHVe->5d{^0Luj~z;G@#-B&2-!eqP8Yl{`iI(`5kM(F$vw;~b4FC> z!J+An!#YI=%C8opr6O`Ox9j6|!eL*&A_2<3lZsT(_frX$yfJ|A@E9z5iT1Jqy?v?H zp%MW@#FCdFv#el|Ze@Klqw)G(wBs%P6-VKs?2btm4IOtKF~~dn@p{YskpqY(RYGzx zO`J6D%VOx$%}Fl`6_=N~7m@DBP??ZNJjThC84RC&zP&KF8=1G|totXs@TR$0 zkTJ_&_2LN|XP>(~dOM7a@foOSlBiEHb8u4ZZHi?khCK){@~(fB`)yTy)qVl1tOvj> zPCz9=@EzVNO~O_I>K-jU5E^N7DUrNYB zaq;bv0=M3Cobt-bUwGgdCo|{HZhB9;E%}}oLxo50xHQ%`-mTAK?#-&p8u4p~967pB z68+NVYevNzC1~kcK}wu4ljdK%*sU3oDH&<`?zexEyp@a4YqyqJ=x8A+T@UK4j ze|=}T=>9n#km@_6`s=4cw$PE99o+p*rz;o)bOBw?kCn0i_G13wJ45X0x|`I}2OCP~ z{^51WtS>OvSbNhe`pj_>h(NnvgvlKd- z-xosCHP5%x-+%76wf%J`lP{>tIfV?8H*)k1 zF$YcQ1ONC4EoRfSz1+_d@$a7PKP=}ztq*$|iHLKk?tee6e|pD1Uh40^?0+7g{b#Kv)!yeOFU&Ld9#KRuCuUhm4edXMyjt{$MJ_w~(1hZy9(PuGS? zTu;~T3iiOEn*8tRAfI{aSbdXZEfy$FeY8W_*ld|t=P2~Pc(5(k1w-v4x~#t%9J*Qkp6Z3SMjrm`{RHF^oW4-2^^4z;Gl9_G59sd6!DdGE37T??2Q!m*rk>SM@f1WMA} z(7sz+hv+h`(gb%f&t}fe)Kh!R%*;O3J~{p#d6WXs2@0fhQlqQ;s8}H2Ldh2aQOWe}IQ3*h|C{zv2If>`9V5OlAnA8qQu zom5(gsRN%--g_$b$QBO3xm@YN3*|ni8zaYD;P%sA`u=T6|I^Y7&7TQ`pzS^78#v#} z`ujmBDl=%R@h!{{dCtjIeLSu07NBisb{ffxiHvvcn@AUNZ}F$?)aIRirERt%dwMR^ z5B*}UQfY_?>PAqQ^K4&;>P8(lHmc*_fA|eDuz)JX(M>AA1wWL3vivdkrjzy&q-4N? zR}QvF955hJe|> z^&{{^i&ryr?U>ryq}+r(!>>=tGErq1^{!}{uM;GzL2+R`jU0`y*Z10(GhiE?BkL6F z_toi>QPzB7Z?6WU^uRuFn(1!tb%y+c5mNSA-6Ytnqjq`K?8#EgXsh7nXz`E`@sAr! z^F6JhV^!%aLhyV7pJK$HcP#qXyZfJwx1{S#*^QDDr;fSf{T6CekfJ<>wh!1J!SR;q z3c!6iaFXrvsp{cA$N+3#eJ3)8ht4#&JR-nqk+E~z%>=OEDm!E_!j1(4kq!lwb%6OE zR|7bJU_Ot|>%%}+nxLRz0?l3LnY5S|J&&+DQ&EoCs;{sA!*~1GQfb?RM>crXU4rI- zY!C|_?4$qg?cv)!z@OaiBT9!hc6Cs6<0s;JmAVL;TUJ?b56 zMPKQ>O}X~k_gu>T*9$W(mJ<1V zGH0ykc>lSjgcYEbL99}Ay5ze|eT98x8G6JtCJp511E~EH^o)M~COD z#ul?|%1)8%8AG?s4Iq*A)sLi}P>Dde(w((@nNarU%PttlNsg*o_58_L;gjJ)w=YOg z;;XV99(U78q0IFKwTcMNcjn$7opMHuvNrFj9;-6XMzO*K&_fk_?)JCuNinz?6ouV} zQoSo}>TC-6J7ZR3%HU>lnoM9TVq?5cPHm0p-|B~im6>mxj4L{on=lE8KIcc}!#qUt z!Jj0uLr;TlxjXAoCO|=62izDQc|)^elbulZ%?u#O{cJ-^ks1Z)&&Wn?#~t^Ts+P2^ z9+0bNFqF5WUWgJ&H4_LZ6~`HWY)kzzwjpO&`2>!-24h#!oVQpyYiMD*K_*c$Qn2@`;&l_}3NNFVmx-d@y1h$gucROI?m2wp@)d8Li(K_*>H)^Pz(x)zEsr>*Fi@6=0T*zXYl#Z&;t}Adz*;` zY-@A4lm$1oZ0qTU;FF!vtc~ZEop(#r92K=psnm&X)JIT}G;h5ZQJCd!5!?_5;BfSl z*7kS89tp2^3%f0>V4ZLe*BsrH&qGHj9q~tAH;NbW$r2b_b;0)H!kl@pL}d$d`lh zQ+qXI;$Ql%(qy>X0HNG%ji}n&Y=n9uak31L%i}L+tjXu~={DMKs-|Fts-I!YBAeTn z5emuI!8@cWYqkw_KQG@r-si2Qw%st-IDozV1j_A#cgO1bU+08lFKw>FhETSec{=$b zW53-SfHC|G!UOpea3&Ak9N#cfl{21FT;G_vWqhBal^SXZ^)W|k_77lM&e5>X3)xd% zO4Y9HWS@%FzR<`wmsloHbDMQi7tlGs_3rm>BTOm`^OL?`5TGun?oJanE*># zi@WYxeI;m#8dY|Gtv;URedAL3d&shC#X67o9CzJAyCE61u~AsChkbRad$xhs zTrF70dm%Mot8&JLe7n2wg<4Ijj{8*|_oWRl^qtRDK+s?1o9-K4pb@A4$dxmsXxd8X zaba~@jDR*CD`H+-ivV%4OR9LPfNVj%6C%gN*eMzz-il9%&n)b1xmHp_-qV%5=-MD9 z(tE-hr`H|S;f?uEItrg$YeY)P9g({B6v%7M`%uXj;ro|E8$}Vyhhzy6~<}@ z)Z5J+#eI&$B8LTvJxDBB%_nv+8->(2+RZ5I%!9D}fe1rwf!QAqM!qixNb-)6_5t}` z&OUstB*8@vC>0(pabS&dNjIVq4gYl_Ze_pkFIGT&RB$1YA(HbK_ zUyEVXrS=~bz9_5`Qwu_H@UenH_`$W}s`YGK2OAM{6LY*LXi;N}3$QE~P^oq!O@=r1 zAP)sGEPszsYMsN2<#sUK?M6~!LRK*|S^Dlir|Yj?C3a$>ZH=p6^u>>W_#VXkcD3aR zE8pzrKKK~!n00gYstviJiHYl$0OVV(d?biat-sPNA?)acnj^8=)rAnidj`nc^^IqU zibctK4%4$r-zAc9lIo)>l6vLkpUy~#%62m`A?Lpaim@yRiyvfgBqc=%Ia|8fgt>MzvyNiRnhDMYk zG0nG?j_tm8fn%SOwl+m0-N?nYFv!4G^ZOk;Z_!=SLIEGy>mIL?qh1BPX-LmsT z$?$?1Pt!GSC7**~`i>VFt&+|!eqCsKc30gl-rnndC_YEV2J|=~58Zm&;M8|R0H>N+ zXDy4_4P|IbO9iLFF`pWTmFoJ+Ca7|GHM!fr0c^qzA)w@gN6#1eDK^>ooMh5lD0jj- zUH_wOcK8H@Hj8}^d_mnMf!I1RKE^hduVC0}6yVk% zzVLqf*=w0sFJ&(8)qC`6`{K$YoFq?;s}Z%lht^7)gHLv$^PF3W%Vme+q>Kv8QzO_X zIGMTE-8UZJ6y32mtq@SOKm!ic0E2a(NOJT&F$ypj7+1XNKsaxn@^%W@>hv1ZkPz;O2lYT*nI5CpYO-90}cd@bYb z6QGDq5VgnOY6rBG33PzQ=ylO#wCopi|r1dTnuv8$ODuI06{faCZ2 znz%Z@aX8P7v0tna*z`;pj$Kp^9X&q%N2yx1L7WJq*ibaP<#a}yBj8x#E^Uvmog)KX zT<`WCjZ<=An&Ii1@j)VJY*6kaLgG>qfVwZN&=lIg;?1s2=Gl<^&0Gq^QCnuZ-uwxv zV+e}qyu*cWD_-0Fqb7T5hSS2Bgw0iBl8X^GZ{y8gb?VCccTtYXHansXR+! z`1dRsMexVg1`G9|hDXBm12VC8x|=Iy4sUk@^v|8dEp<>7^wTdGMK!xtNjk{uxL>)7 zjgybIjy``zOwH-!hpPstv;8Q@|lHU=uoYf7gw5ZFj1HSI`_3{n%a} zye#L)O@a;In{xEi_RV7*s#`~QI&eWNWlO^@;kaZCW24ZE1c*#j9Nbt$9gIeqEwcvR z(Txlv=FG#6UWh36ZfPH}5yVN2e%z2#47VaMK5nPk`&raw6#X(Ka~HNL9Ue-^Q@WDH zqYPq`xv4V^QpvJdVJ)AgSD|XVEiFQ!*Um7?CG<(5s^2>PSKm-r-sO9s8CR=Hw<$l@W8qtk zdcl#_6AjR@L)>vmX+H?v&MU;eEooc7*PUarRjP^S%&ny5XUZ=AiPZhQ(%nVaYxr8B zq2jdFSfg=DDI8ABO?b?`;)l1Lok9J@Lhb%1fz8hSg$u3n<|9;y>HF<3=eWn2vna>jGYX~*eYTkNk;Q!=*6C{;|`NrHRxPk-*GU=;azc8 z1SUbIuq-T*)mKz!%tRLD)i;PU4H3b0>Q%ms)ftibHbl(WtC^I8y=+B9_9hEG6nhe; z7J%$d{M7?!jpDBmVU&KTLiekB@Sk5SLb2h|nolRmwq{j0J#Sn0I^jM|T`QrEO_DamBO8l(N$?9aOQzOJApW4D|$%G3W_& zi|sy3iDt~7;gNceqI`Vu1UN!$T4|TQznNn5QGey4 z1rXw41&M9Q8r3HA&euH)I8sC~Lh#Y^TW$?Y8`00rcaD9KxEoy@rs|n1#CiFhLQk~Z z7clnBU?tAc`5riLE}t56T#d6XPH>Rg!B-m7*-Q)7wB*vBYNfgMGtlwpQ$qYTLUWjf zA0#L=9EOp1Istl;!~i&448f2xvJH(#V+&6KCXE){`Gc_ z)~VC_OG}MHmN?1Yfl0_>I*jN*g^uOE?4|MsQc`F*@!^WScISy>PgbtVKAaO_v?Ots zNXvTLMzP@R-tCJmeaj-Uf!z7AE$ux+U)(S$&o#6|LTk3_1BNTe~@V98Z|4>av%`c$mqMng^XE<9~D!(eof7?QM?dAkIIe080W@lB&6 zcYuN3+Cs^)YB|EZTe(F(E0T5(SEINttj^7K`e9O;j90pSC`v;e$2vzy$2ly}h&a_$ zU=$K#{SV4Jsq`s-aHuvSGlZjq*b)V~xO#MNLmxe&lV#1D1E}&lUmD*Go!FDynu>~w z8=Eh%EpXvMMD6tzMb)jxp4{(Hb^W1vGg1tPzO_a-MQ_Y=#nqkP>;NfquM1LHz|8J{ zGZ!4QTQ#frovJRS>TPzKb0Gpv7BopNFU6Rb{D~hACwBWDFnOcALHX_2aJj3BFC&NT z`F7ipoxyD91p!08Y%e~*Ghw+<;*e69%2Zo!S5^UHDV}0<3I0HzhHO1d*|XGnIZ-YT z-PdN&5631rF4~t&hI`)lq>N-CaCc)^_@edmx*V(?vC;0vcP5pN*l2cioW=bRXQ-E8} zBXzq|dTCw^`Q~!HyX~-pJW}5675?m$4tX|r_h+$aXE&Gc0k5 zKX87sNG#T?XN!*1T-%xCMGw_CW+?WoHs2SPrFPB~y)$ zjOlKTYL^bkFa_aMhDg%281$2IFq1V8z+yH-bBv!v3C$>xshlO{g(VoV;+5W=hZzrB zp$4Gt% zL+>V#;9fW(a&>*S@)$~74iURrsO$c&hbh>-Mt?d;N+AN-Q^xJY}9uWZF^ZsH%K&A&ma`#@MMVhOR< z-X}*-+$g3LPqYvW8LPVsFj%9)Yh46!{=Dnw!GoP!f!V$ z2SFBzP#vt#pDb&zIvphPuv_cW%#fT^UR^tWrt7N{zayvXXN+pvkuvsiX`N%OrRIl{ zxN^~b_OBGZ>K#e9?MLm>37wCBgvm)_4Xim$yp*oCuP_oKVezas(R!q&y2#9ab2p`I*wYYaB z=IAXMPA7Z)8Zr&k4F&p*uaud>^wI2Nb8ryN&kb96n$0P0mG3ypl^zQZCa>(kVNxAq zj_a*MOvkqbYGlpm2}H%~-z;p&5foQbh2bXw@2?g9H!mnI^uAR)1b>k9hnhZj33Lvd zVJ)I7ci9xW`JY>Cy2D1@846BEx+TPT_q}#|u-?(QoVlg;#{_()h_?04I-U<_i-RC{FM(rY5l+neU=M7q{=u_re>HQFvQkvK2ybL+iYKyR# zCifFoFvWweb_t(`)C6jW>mXeb{Rq=Z)*LO|c5FN`*3>d+H?xL;5ANHpT1}+E>5O zweQlt3y_zV_=d>2-m+m3rARK~Wm(VDCu&+28X9HPjRe=b8uj-zCs)cDEGWYM<2{b86l=K zqe%gWZmHGYwaX^t3mRQU<5v|lK0|t+hmlPBnr}+`hH8mp(44uw@3Wcms&RvL;7M7d z1?h$wL3qT+t5fwj??B??jNJR=-8Hh`JB{`uqiKelo_9k~Rb_yOi+cQV^`TJY8hh;H zhRnw>{Em@S%}*e_QxI{&*ra1%N|>BymeLE84|uZ+1MKM$7b%ODU6CT4Vp1L_$N@Y5 zj|*P50i?$m8~1o`OC8~Sq@>EJ>u=@j6|e=|)NF6P>%>^JTm7TuVi(8TH&1Z4*ewh0 z8+vd&u~@(){H9Jx^1j!lDE4YzdQRwsS`(nRsn$21@ct0b3VM6zb;lk#8s+UxnO77)S4wnVsAq|$bUoA9 zw{6aUJ@kJW1|ePqLNhL|o-`6_7irL)J%E9QI}df*JhC^W7#SNsVGfRAv@Wt2gS65V zY{_5mDViTud$Az!2FG6|C+bH&&|>SXi}`P_6tIIt#aroAzE{+#ItF64LRd&%dp3O4 zyBYnpJd~{@@ZM?k*Dp{7gubBe?12jnE%70`ucM%C#D7hlHN|H% zX_nntg^qiw4D9;rA+SeMn5<3!bJWwI7Wkw*YHF1|d=W*R@%_`#sN=y;Cyy32ozeH^ z&9pJsYe?($` zQuWYPct)BntJYW^!qAasoS_%?Z$NZbQ|F6VH*5JcHWxcPn5owk(H5BcmHp47sklSa zcEwqoBt*X+)|6kcFTn5aROI=S-;JW-xN>qm*9uBVHREZZG)$oW9STpCj1i6lhY2bU z3$)ca?M}?0i5Yizr}Yz5ek@4B1#1<2dqOTiFL~H)!A=S2HxXzD(^9#O9N(^0QKnj5 z`57eei#9oQ^1F;E-=%z*s}wB1DG;-2LcyCef$_QGWTHFGRSXfLg)Ulw<+`0T1uH7z zjWQAnI1Mg91Lp$hm+j1QvtTpGpO!dchKJ?mcK=T_yjO-cfDQp@1Z>Z^2*iH zY1+bN9V7%PA&+Qf9J?2u9PABBtwRfcf!TDd3fZW;4S*Fo+~}GlSYbg!I(IF5ZFJ{& zO?eOh&!ry*g6;5Jl!Yaua${oS{Xe;ao;^JyN)AxCD4a*~=bY*(y6N8z9aVr2pWRhA z`~1{u?!SHX|JCoRounbM&>hM(m#1t#|61rM4LpULk}RyesJ4>kmp!ESlDFwkZ=cPe zzUG8QsTpkSo-653fxrb@mA~X+jj#vPv`&=6WW)B19RE(cNI3*ORq3ib}c6f(2NMV^LkvkI2}KWWa2dkL2%#f{q{0&2K6~RsVwCI zZWWYz5I~)07_-EUVq}&Yk~snrhaG$-)AitnMdWl>pdTw)k@@*y^?VCk8qDXNOJGN+ ztEk;PkU@||NDpJ>dZ&9#UaE#<4l5U52GX#ECcyHs{>F~`H}W8sLuwQOU)8Qa<$pR( zh`OCU$|C=08v9Hdez8eAb+G6ffdt8U;r1)CP7P|gU@p+tt5f6v{5ljN&WyzI`VX?d zygGv#!JA;+oR@$M!~?BBe(^v87!0&6SrrOZDX){$wmExpSy;jya$erbUB`B!Gdl9? zxy9SBF5w0(Hna43Yu*&i^v`oH$wU1bA;G?aj}juyNTxrDXF(0j9WrkGQw9zF+#W(k zFl3n8`ZADmj{)TuL9Z?{te2Eb|Cc)-dtTM>A&M{m8>?s`NyVrdf%ue?)v+r}7^b;U zzK_w3`$xveuLu6$Uie?YX9a8)Go72>4kg?9@81o1MGNVY+o?LvX`46CWu4~6;TPNQ zX5+PaMuaN-UW7`Jf2vl7W6%G}=Lyk3Vr3p!x_b;`F?scW^=#OwfWSzdMupJpsJ4!d zz#lvxisE5a7;o07<5WW5Ayw;AAhrl>f>f{3SCF#tqt2S+ev!fT%mSflZh+l}A;(^| zXtm6aP(4f8#6SwBCQv)A{62)##0_Ugr}p`l>6jl9KkNy~OpZ8;m|kQLwIS=22at~6XbK{l&+n)M|;3mY2K}+(L4L9dZ8pYKWD1ao8n$^XN7h!2VV9))2T$Pmq_E#$O z!Gi}o%@4hw=H{2YPpJ+oh~`@pa(tS%IC+^AWtz72>#YN)zx#nftU#u@Xs_PHG%uON zR+KCF?2(nPr?r;<^JWVR7&B(k2d+PFc!Imr`KK1ZH2h4+c6`tJ1&4nc$)ARIDq*W+ zGVF#s=ey0*_`RR^`ZwP0=U=9N1&j8EgoUmN!L4_SeLvfnx@g-ZjalO*StPGSxI;n4iYb)g<2Jt_SLog1qi zsQ`kxi9UY6oS;<*ob|YjcttZLJohAye!x#nb&vS;@q#FM=wG@11X$N~3@YT?-thY31lyg|<__nl4Ee zXA@GSf&u9cvm_WH4^@e22h=lZ3RYtc^*#sM+`gX+3XtC&r@G25)67%PQtVg}O)lvT zllHwlnI7Hg0%&0Rj*Ff>78}nr%kKH~Z0qDU@%O=J57|p7yG`GQ{XhBL@NcvPxbZq5 znR}Y)U4;l8?MBHLwMR5wYLn^2UeSm*1V2?RRy4O`I&+cj204} ziXr>`Jt2Cy9`>#viQen%pI(RWF>N4F^*fNDoqEIgmoF#~!VX*b*MRGh+cZt{`L6wsa)}fWSKV4@9nW$mPWw)*lelr-FmCQhX4@uz8aq8KXYk3>%YZ z*rSA=Z&@rs)!-n*8BIG$N5c1ZGRb4V0M__1r~$ao1fbQX%whlAAA((omfLalvH2F1 z$(-rrKC_$J3)=Wa0e=uR!K7^GNGOcRX5u_dze32X)=1MfP#-!z-TgRuoEE4*y8q!U1Qx~LNWW0ZTbl3z^UtWy(=2hy(uk!%2XS`bz zsTzE4VD)tG8cR)DaX)&sT){`q$py-9KAMxs+X|uaK+nO!;gz1wi2^bkM&0RuNyd<+ z3wWjvo5XKU_oPIrQo{|nje=La;+jdr{Vy}H*51UmU^<4gSb1`t20TWh>SY;0rJq}z zxMiyRou4M%LXCvyC9!ridj!awS~oDQvubX*PK-3_p2~bYhs>Nfr%d<=f3Rv5tTb)R zucGDWvRZ8XnU}3aJ2=T$>?`D7+Xn1V+?WLSJT#te9iMj5Zjwm8RSW964U9b734q9+ z5lW_-y83*u=2=$@3u`utN133)H5Zt!J@0JF^kH;Z2udcJnXq9ANbC=eU4Y^hhIYJ}uQzdYO1utl_d31~#dFEDdfbLt8jfA0@u3z>gq3;ywBRzTo}R6LAL zQwNa#IxdU$qP8`eb1CaJL4Im3sKbm{gV4-OIf6@q>y>Jrzj)EFXnJZd5ciN3Hxx8C z{`;zb{pf#tL9wCt zf%x|mxQlTH!hp6E&FSQQ7M(O4$}VT0?+9V1lSkcXEv90Z65Y(}#paVFk!=~>c8Rsc zY!*AI;Bl=?4+h#b>_Ngontd(<+AV`Tr}TjXH8w}jtLW$kV8k;W!}s<9M;;5gye>7Ij=Cf^Y;_;-#!1W?IEWRt2l~Hc{zUj$`E;4 z$OA3A_=C6NGA*VYFAz`(gmlCw*2#X0dUN@<%q*}1=AxF$NNoM4Q{S1;!-}rTSUM6U z=WKgN%5rbaXKd8X4-)bi_PAVe?*HgU(2`0}+#nGoNlJ+Lf;J}CMUPm0V&N1sT!?`_ z?Aho$5X_qgA#3>Ft~zdLyfqD=n8D}~V4?Q8W3ZC+hX&|+xgUBnoiY=Nfea^OAll9y zO$38OSfWFPo5$yG_g>1=lGojxjNsGV$g!HAbgC!OHuAnjg$2W8zHV4ANcaq(a#)7N zt2KKG-lZoa;9Dwy>06AZ?49USU~cE(0`IPhlmNzNw@knfc=@cYc=&7%9SVj`1b<&8 zv#}WpVk{61RR#8Q!zA^-S74x?sFv|9%-X^$C{dW5wB-v+}?|T1;lu z`i}tb9VmUP40)p<5kg2=rxeVV^I=mKK)ZPmCcFXZCiz=spjFEdoL4hYM9u_Le`Nld zA9@ar=jY5*8Q5nOaKL+$)Ih0LRYc4In{LwXB9X|}-mEL_WOU9dZ@V(-NSy;#N`t_x zZ5-`&%3&mEyoS$0n;HR++t3Z25fi*|&!)}FtImExD$CS&BfvD_B_8NagE*xr9GIVx zQIr!-;eblaR`m71z@WJ!%Lpk^{9+>@{)z9*QkQS9tO*V`^?jOJC$hIr=88G_G{@7n@ONAyRrr*UiT_D+ zm34JT#;~H&go-=2TtP7Z=<|?^L&MLOjk986rB0N-aXp}V*L80jyaJMspTT;Fpt!yR z-S;-0In5>FMIX0kFhL>90lsB|EugY&^-#TDZ=bUlm3w`7>Iy}sk6ytBOZ}3^_zXF=rls}P?@_?o^(25* zeSypP1Yd@Xk2hoAsc)Zrq63hbc|K);4=j0WW)6_5M`pngIoqzIAC@HrtUodiB|aul zuAEbzGN;YDm|@V3eMz#2G>;gO38>XDkddxesPvD{17s|pU(mij{QV>+KJG_p?@^=* z)dgnPy`L_(DZIFFhFXB+nb9FaD$#0EwycS)mAr7OPXE5tQ|1ow`#D@9de_Q+2>je8 zzgee$ySem4_RpE)J(DPZt=X5jFdQRTmIs2o?kusn>p>D}5N}1F{27FRG-WsBZ+K}Q zxiDce7$;<+44IqzaGo@eS9&v+zv+M!6r=bTa1vB@>Y8OAfKU#bP3S3TX-inX_9JLb zn6QXTexFgV5IiS&raz$ZzT@>G$)XY=FT<~|su73OERNdSaPJ@>) zJlq4)ud4`%ov+t;K~~r>s6lzSbsp0MHJ6AX!#&e*NYszKYL8DmJ=&}ryTPN{Zx(eq zhv%hG^YXhv++(X_A6#dUDbgCv+3s-orBku@xZ7D;d>QFQ0v(4yN5N z{f?is-678^A>Wq%*O-Hs9}2W*bkq7bS6Zw%#4SvLG-rXBF(o~{jA(x!-U#-iM7t5t z+RYH@DfK;CvhA5gU{E~HlQm>th!zS_J6e5$cZBjln4Q8_E17(Xsi+#RQR11`Q)V&& zb#=%}O~0F76Rm{E%UAaK9HUs&cl|4}A^EB@1?C3{$dgN=5r^M$d6D2!&y2WM`6NHK zn4&>64^x)@_*GxlpihsacIt&g2p|g_0xzukb8(!cQsx*V6}Z0JT6gkNdQUR zOx|XPn?f|wKtHKRF3L}tA9<&SY?4jo6Pt1Mc)$0Sd2X){1z2)oF4Fh>P|^n>*)|9r z3UxhAC^No{XMnNZ?|Hn_d)3{5j1c+W(`r>s?)h}L5?LGbCmJWl8oi7OaYl=GN2ps1 zZ2xIb#*w7+oTke_U~~@i?qncP6i-=|gK!Vu`%c>QowE7?TAOX`Iuh({zTxec+O_Tb z`vr3*92 zSXaLgQVVsW_hQ(c3_N8WiS|k5><#(-AFlFOyUt;tgF7N%-!LP&$O?(YwY#TtWFkaR zEMC>fb6|y9ISoXbnTX_9SQQw%eEAfw&etf6umhg*aNCX4q^%CCW^0gs&zpmzLw$Z5 zKF`Cz%D(5r@5Qp+T=gSTPi^~N`}M;eFmMaG8rhf4qD_1Q`TxXAl^F%L|OXNUQ z11G>OT3J%XwF2PyiGmG4|5(Wk#l~T2?Vf=J?e) zmQ3f-h9kaDNIq94sJ4w}naelz28*Owtb|tMBxlqI6C0is{TbPfK#3aza6K#pSKV@D zB<(3P={-nWB(rvy8co=RAXC&n@2(PS>tjq&j@6BK0 zWB;v2@iU9suRoXGT2JR|{GR>XlfA{yG0+AtiH%h*fRjG@Mr4UysW`|?#`Gj)HXcbG zI)g#e&I2#POd*EgeA`GP06R4iYDfw*=cdgf8USqCgs$wH#7L<93o*}Tq5SC+jt;5F zD>Q@kxM!&lO_j-Dn?Ng2a~1&GBoFlWz|><_YCBr?>+n6P2Yv3kLvrUamyAN*>x9@v zrs&zdA_CfmP|1l_eb5bsI3iMbq{=IGk3y#IbRx5}lx&LgnVT5&>mN(0(+|mh4QP%Qs5Mek2TISj);4UZopzxX|N75b23jwXGW?-B%KQ`q^52?0M42(q~M< zj8LNtM-z-YWCE_`rRBS*wmKt4+gV&Oi%Ll!bEB5f3BgxQ6AS}AOP!iMGko)#d}1`1 zzMx^WCl6!j`YVu7Swr^KJ$>{{Os6i8uv6a5A!%~~2~Vq6@8?syLg{6hL5O!`bXkn_ zz0R!;&Lb0W0@?}pkaEdli0=KSN6#MwqF&I@2J-u@its(RGk?@*P0ITzC!IW=1VV=g zthEHmFq$DGtJ)K&Uav@)xdiI=1zl`+=tv}|M=(2zIEA`Gxo%v4FTQHQff!}AT`d<* ziV#8PNsUb0`Yt+IOu)#lX;_o>?KK&N72b`Ev+_u-%+7xsMgHHBrVu~1CT^uD|9m_C zipzAQk#xuCbbt#{W^ouWn#|;o66z(?5>{UR{d%5qk_U1&IZd&M z(#ep`94LZl#czE}3B!{pf;hkNl+`7XOEWU&d7^uhi)0%rI8aL*aqX_3lgUvq{H3p* z=JjQvu-B&~gck9x7Fu{}3+ooIP3MI4u6ZuXUBImOG+t;C<9E&ivByI5*9$40f34+f z%yF&Zb4K}ieScYLwPtTtWJ7;IdHYGnL+0k@IT_|oEM?tA&@o<-q5sHK@t|}=9%Q`Z zDltO%af{zot+>6~WQyCwXGB$fn^5~%4p!nVLcfoZIVon9J$#58YWZ(v7EFDB#$N+m zsR|rXYEg5_Y*wgw($x6XF`4i@d^uod1d3e>fj?M@6R_wg2o*N{_fMIrtNVO9#(4*>Xm%7e z36AnZ+vXHv5SuF2eFfa8F9cY zd^BUYzulnkD{C}{rZYirJ-GNOPisifm!$c1eq88q+|XM8t!DjsS+zXF+dXZVLsYe_ z`wN`CqP7`CCe;sD?*>-iT@HL>byt~@IWzy;n6`g@PDK}H%v!Q8v{at8X#UJ65@|YJ z5Z2qhr>8e-(Ab&G1WH6pLh;pxo*bl(IzJ%DwZ{3&(>Za;2Up1Kp>kvFkk$4Z#$;ON z%|UGbowZH#j_%O+L~%y}(s&j<(gqSbm|RyB<6-PA)4wA#0W+1Nj=m5TZ1`Tiw+eEA zfp=H6B73}%R3;-xsIZJ}s5bCw6H3G|nJ$aO^^_2VusWM0!;J)%om!L1A93B!C3A{-29Zs)B7EOD^zL-M1&B(opB&#Ojrwogy3!(K z6RntuCvl?{90l)1U)EwiiZuNAgVUr5tue56gRSgG?#Pt?G9 zOClLd&kMtIgD+)b2AdI zMMqB42lb7MG66)`3Ii|MB~~RqsA__}TISVtjwK>m_u<`}x1v4I1jna+Tr`X?UC{d# z?&%i7jlIKwOt}iH(Eh6@_@DkJba3YEjqG2m+ut*4gkbQJEgYO);W%=%7vN_LgI4Sd zz~mk>1MeYbPN$t7A8!AOd|?;Z?f2mbzao?JWHF^@L>c~@Y;{+N*QCbJxD?0g_fG;a zroI?0q!sD%^yx;>1zzA-G4E?vWZ7&JcZedY+lM?w942}^v(FvXnAu}*%KG*e>TQ{` z5i2C`Qwa$74WP?@Kzc1Q_~J>6_n6C9dUulnqDj#lyE8BS*DIQbR8+61^P9iiE!=ra z5BS}?I_lDrEFy=I%uvWIupnWcq0oDR7e2+9V zxmpo6UBg(9cQPtjR&bD<9YCFHZ{Qiy!~{a&D}S;}Z!!!wNjuUqXj2;RJPev3+70wi zFk zg(AZ(!h%dxksTqWIiJ+Dkf6^F@6INKoEJ@I%c`AkG>7HWzHHhc{{2v(^XZ&@erFwZ z<`#D#(+d_^EVv&KEJObhF@e+#Q!!H23Uf6f9(DZee7m5sJaHHTxG7)1?s863{tMge zzh5}^vY|<*9eOmZV~pomZoQhh=20D<@pE3`;NPYT@czSqqksDkch8RPcG$^E3E`zB z#>W|T$~LkyEBiXT8LcX~7u0R&=n5Dfi2L406gXBALzKw0NOC8cR3$8G+=>yx*9fS> z_}2ZZ!!ATCCd!ZRx@c}t^z!PS*M6$9?+ZH*ZazI^-GPu_#wl2h-3wUROi;k*j@V2(kwND=2j0k$NYz3!{2Wo(Dcif14u zwL;y|2l^4ZFozs=+i7^}e1wQ!zyOVjp;;7+$hsz!k$k+-7(9SgGIr-!uF*4M=)~je zv0Bll1<#g4_bBE12TQ{AEW#|EWp)!fTa34vXAMEFtQCQQldjwI`X3&Lb}tvd<%$5o z5aM3r&PtMcidmq{ALU-VpOUvJec-D3LUx@6gP^=>*k9WTMXmEMKb*m|SS9!_F%*}) z1J*1SK2V*%yL>xOH5uSJwTJ%K`+Sd6!%Wxse%{*p2}6;&so?pR0OofPteJI~?K|PocZehH_Mv)Ku1L>TsRDmc8{YZhJ~4x|PBcMKjH3 z@b?2_Po;#@Y(B%X?0?)zi5CU?0!VsgBzTw7(<031L z_p*O}W$6?*g*i<_(_E6jFN}8t!9mfubja-KZP4EqCliq#!}x+3e}C!pUQxRl*XHt# zw4Yt{_m@uZmD(2);SBAWF=Oh(iT?57B(BMw;n5vD>&SEt>F*awd5W6|ZCW#P#x!@q zueB=5rXYKyVi72z3=fPlbk2+qo9n09hEJr~eAs@tK0Sr#(75f+vsp3yi~KvKSaFSq z3R?dQ@Jj^9pgScf`Nu5aGP3s}Meo%?w12XMLXG4BG`8Qqx0Sb@RxGuN#u?V!F5Xy+ z{y#-v|M(34UbsYI@-%)VIl*HzVT_okbZRIfN{v_@(Zkh=W?THM6aHkkesRTBHtnX& zpkAI!SoH6*;VXFk9Wj?d7J`o zZl88gN|uB{Gep5;snib4T(2e|kNA{Y2o37lEdP_6R!b#TMyT#td(nIf?+qGAVZH0c zKqpa@JUssR0^!l!oExN%&?YW#VzGXo?UJGOKu=uQ!6foeuJM`y4To*4%-h+x_g%R> zU(|LMmOUcFcBlJgXGL>o%&9%UaM~aI`BMkC;Lh|Z=C`N&%Rj$>cR%dF)9<_((sg(N zpo%;EcSq>`(UF=*j?_GJp92)$d9;WrmTJEU3k!>qoOVfsoWPK^bPJo*?z9Kp+s^xe zh77d&ULB(?Y;yLzqQW2SQR+EPB*t5U&#)||md-^J`(2Gb(8+Nd=l{{I9wUj^_u=+W z^NT!lao&YUOEJy`194wmWZUw~LjF5*@wegl`HGsyDYW{#f(e`THw;c+O@(S_Nvh3< z(H6|5T!SLX&0RMHiqUR-U}WF@ULEKYAq=5TeC_qSMgR3g|I0q4G&8{RTbFOzag|a+ z$GOH>gn5yqr+zO$11pJ)QyUUWbL*{2{5pT|?P_;uGUc<@mdozALU~RH9E6-S)bv{+ zA7o~|_4zgZA8tGNM;aB}4@8z1}(XZSuEoqULd6LpR?&b#)1xgQQiRp8LFIRz1fd zQS=8Dm&xmVOx(iAsNFaEgGwRb>b}bcwZWv|&-R!JBRj{b(1f`gPhtq}gROLLbP^4(Vk9<(SF865*@1K0t7RE1~-_FU8 zEs^_!Ejejz)A-=^>o(4NOY`@0nbxb{tx`9`v4%|P437Pu|HP7ClYsFp^3&X+$SO2J zgF3pm!!>9@UE&b@gQb~4<3{3{yiJ2kq-nUhEUFX3Q_3OmRQ9K~?YFJUh^_j*rX8g) zF(h=!uRZ_3#+;>?Fp%A~b{@RL45|_%?72=Erji|fLMG;71hfH)m@Cl5kA&jTma7|E z=!NI~nW3K`K5e4?&Wdfk=Cl}++dFSRp=*@N7(w}u$ZOr{f=_R~cr~ z+Ny_Wgzx@}lK7B>RIBM&6x$zsAN@hqv)oG(0U((#WI+u+^J5or5-)DA@gB8&pRh$m zrekFXT69}#t-t)i{$dX!wxREVUFjcuc=8Fi-l4cHiJe#ZC(d#5Oi^jrVen?&wP)d; z)*1Wz%~V5D9FGs0-+BH|o*3?&GLx8}8LBcKm;dw|;^!iDtSX})_|t_5nLz@hvw}fe zr!zhKXPiM+gSU!QERLFA`0*!akKDN0S#m6LZ{W_{g3Iq$Hl4sp zh(g^>ccOI3y59~9-I@esp4FMocKM|Fds!suS181uKEpCxA%|w;ng1B@QIE}Cdw%QV z*6KAh^sRvu$f|^cJnWML5qat4t6)xFX?-<{;Ed(v4%6>+DDg0N8Fmc&Z?rMhDu96I z(wm>7Bkx`;(KTLxe%m64OrnLmDHE-Nz0Px(7P9(#Z-YDBOht2V7x*B{U5OIx`z??+ z*b8U2+|^s|>(1xjUtWbe8O=whXn4%Fo-Z4h(ykK-DOc>7=jKk{0L$nk;L3*Pkb}rgS zg$$tnO)xAYIaJLLBBs{q!yMs9E!z;o+tZ*eAYAW$%xwnEy9e7#o+f!+T8=AMc-P)| zh+(+fuKPckliUfM6{_%WojfZ0T#Fs4U^SNjD?PTLtLotzi1(^o+#R{_=Tqg)p|cQf z8yvo*eJZHqI66f>m6$qr8%0IM7Li~3eU66c{GVC?|N0Wt79b|{-F7MSw|~x`kNn7k z=uuohfUMrfjPvKJQx&*E;$brLGgiFP7>j3I1Fza^k+wB53?DL4_YPqPv>j3>) zyWbY%ufM4sqB59?QE7fI#_zW{wZBosmf&7WrW8fFjGrrWwPS zAIg;?Uwr|D>0+?I6uraoDqA_R_WGI)bnxb4$gBn)zC>$p&og&s&AsZPuGrm)C^|>0 zg`RV*hpgO+@R6N6Ot7Qpk2Ro?vbD1^RuJTAl|rkp5lRk-1=2rd9YvpGusmGfc~dzs z(-ejtQQu?!eG=A5>c?4pJg8rehz+qRn(eI73nHTNE z6p7LFWq=yJOE>f+`Y~ayRuwaa0hr7QFkEZXle+ojHw(XYW*1SRES9nA@r-N#ih*6% zFltS&D{py0LBaU?6zBd!t^*ie&kw3dzwAshVwALKhtD4`wG3E)Q~+q4n?$(pP-05= znH?#bEtti2u+59h835UX*pEIU=#TmkXzzk~25MaO+l`VXa=6d^AI{!7EXsXrAK!|K zs9+!{;9yWnh>Cy=f*=SIq97n0(vlKG3?ZN(jihu-cS#J0h)6d`%_v9?Avw~&^?2U> zJ^Q@py!%|&?>{%&3um6^6Kmb;j>TsnaM;F50xDQBq}Cs(G<)X2e8wt7!7`7YlotGj zsC~bV?Dfu`478Jwkr^0g*4%^B>Yl-H6pykrqGW zZHI#C9k%#T%qe)sq#rQgCf#8YHWX3OguLsZ zM4bzptt1xP{rdU+2KWiq z;n={k5J!3iRr_KMR5hZv-yrM1sY%X#d#(4eE3M0+S(iQFpYif9MXqUC!OLobQ63%I zL6OG=j-FkctIzb9L>Hrg1;MKzUH%sK-psSpxIP%CP7{uL@&Y+A`y7OT+<5xwaIFyi zZAp(c@N*7>FtAa}me~tmLJqi4xj@9*F6*Wl!mdn%bgUbe_}dlGY;9xTsmI6rCGI4} zdFvfS^`_6CF|T(6kMRDL2jyM+>YX&4YP;%^mOLVoIyx^*e-JW{`8@0v{A8GGGxnIr zFm3bHx`dT%T{@M-2Ivsz#r0fgEeki-h>aSSdH0_%@P3s<=iBFEJK}|QFcAw6^XCf) zH$^p99}g>$kyH6I&sdh!?(HnTaVQAREmJ7ivvq!#lAF5Li+PE!g^loR2j6eE>Hll| z{N81Fqe%!aFk&G1~6+!yfi#7F8PVq%mAk!t>b90*(eu~QwNzfgVv#p1O0z(!A zDyxmi`9!$nbiR*ZmFcuk?5ps7vA?YVzu4?sbkqL_oOpX*{)%&)vC8WOlfqB2-N9)!bc7sG_`8nJ^ zq3RC=1zdZMRCspdxZTx&C=#&yIo9!~>Fl+&ygxk6x3OuxF|vt`i}S-#={|2+MNf){ zPuYnF4Nb!1u~ZbcOq5Wp5vLf?uz8>;pk|q`rm z;)DMdm*G-jaOin{sOwTRujx~oiFB-GZE17QVle-sjITsvvovyp=mZcKURggR@iJl& zH+uWomPyaMSCf=7tLS32VQd^{ebK${c(+|gj#|}+_Nr|-I{8b(l}EL_H=mNKW+~Cu z#SQ*gPs^Oj41;$b{4w68mZYz3?*}%De*vG}H|kD5Z%$(}v9%~fwI7S)|AXo3D=a?r z%0OERX-wafpD13)uaYRlnW3 zq{TS4PB_dTw=B?6F!&|NIpL<@l5oX{F#tYw-sC zs*$BAb1!EL%eRe5Et?EqgzyCpQbQgy&r%NAJ)Bx&R3_=v77Ew?8avwZD1W>lc&1E2 z1=Sn^X$M~XFUrNul`K2&7rLGgrNn>3r|yo{ZBsdrdF#>U6I-j(G}jFa{40WNcZX$L zCEwLg|0^X(hO8V;> z(a>P*{>}a$J#vB%R@>&A4!JPl+BJ%7XS((Imukh(eqVrrA8EzlBIBAv)Fh}l0nDie zapF;-6p%Puyw`8QlV7uQQyH=oIkx$28`T!y5&g-4k&`%0V&+uLQfzYa%$szCkjDBV zuXjQ~xl*pg+gM+B@MIXPsn8&(t^{DFC?FA{MZyHB3^Qzhdlcw%OVg2GmL*gTChoGp5axzS> z%uSt)%BsS;u5tYY(~{?*Hdo_)wq()A)rOM`<5wnKOGmSc1;Qo=PlSzA9$slVJeIZ* z3oHOc;kT$2SvNVv0j^R)m2$4p$+M&=Hj(+(#wvxx?nB^=`PE}vp zvBSrV-V+qdcE>Crg=lF2<`fc2p9V*U^?;_m4~cd3%O>cnMC61we%!yU(z)-5nl}*8 z4oU5%_iGD20T9mB6_G}}P8lvf$a>?9Z>3p=y1<8IxO<=eXvIYzq(A@=c^ZSqUxLL z^F-}>iw&cA$9H=>N4wXCAfbUlY~_&S>I%@ic~ZvORL0yEk$V8D_Oub;b;@T~(;Y(S zY6`h(yi10uCoH|ly8_>d{=`RcBe61y=?ywN+PlkVmhipj#T&5HmD+M3Lt`@0JqnV| zz2ut4+2FQBPq9^Wm!2@(0m*3nnTd$?I4=fs^H7UQ~WM+ z4wjo`MYBSxg13NGp$xs)T#Sk48r_(%WDcdCc8w_o;FXk-?PitnL7WW#t zf#hq&MQgno_{<85OuW^>be=u6aseMxl#(a3$kn^+_!ai-J@PBzUvQzSWta@SDcydWw!N*OxsAi^$xP zO?FCshQoUY32zz`RLEN#co;T3i#?XX_=)-Woo%a3@^~ak@pAKC@4jd!xwYMIZDSXQ zEc*8OE_vXMMz@^6K6QJ_7f&b^E9!qdeAV!$;q{f3>2Hk%i5&+}wrL%e7r+l&rNj)E zA5#}IcyU%WyQ5Ks>{7D~RxBY(myiZ^TD@CDw1k1GoDu`CJgVCT$2R0vy%zP1qaj<2 zeITt8mqfZ)+?H?GN4V)E=ehX4tR4yoJ#H7oN)|V@!)&zpg*Q{gSP9%QJ;ljX&%=pwO>Xw0q<2hgy;|8QWTt37w?L8)+7~RpJl}l&RB4y6)#L~ ztf9-jwWysm9mu}Sh@Nui>UifPv$7!`!y3O9|b;3K=Ml16JowmUMO2nBH3H^AK{20^*e9`F-C60mfqN-ZE9SX z`1<^1T1Dfeo#F8o+USUOzO037aRXKA_T~w!M=Tg*=R+uGj5%1U7DFawjIi|#pH8oh z_G1J1v!xYz*IdUag^OzPo%VbNXnXDIaO}T&F?XvIYsaCxRh(R3+5P z)pA6O^iK|CCq~-!@CyL6#9AfG+#nL)WT*K@G|y+^f!xMf+{q#KJ6hhK!3adv zajlA`L&!{|5xUzmY9w2hO0sh$)KPTc#P|#q8gGgt9S{wwt3G3F)LxK?QfZt2xct^+ z!7h=EIfOEEp=7FUS{IeVm{0N=NzF<@i8Dc&ZM$!ML}a(WOw<2Fi9(y3Vni4xwE}y^W1eDVg{fxm}^_km1JOSG_FD>-WD)g zCtul)`Z?XELCgEPnX^8I@?%!{!X12~$F1%wVaH*T@4rcvr%`c(6-VWKt+u1` zw$tkL+YN|MHk%lL(oBq<{8nmld>C+m{^q0&KEI!)dhepd??U;D#|QAY)mtb9h<(iN zRCzxZMW6GYE>op28PL84S>GyWkou|;p{S8uLYJwSSbQR0V1XkrfcXqKU%iV;f|Jou zk)F@&tPeJ>rh)j42FUj$K7+2+3&xIk^(jx|X`@$1Xnuh6L}|aH<&W|)@glZwl-6$` z9;hel1;3alQs7G4FhPxZGM`6@d5~z!rX~65{%yR+Kt;$K1O@P*yZxtoi=GdnnA#_ zCICwcC`Gf665q0Jp5b^;IKF89v9QSSwvdwDfT=M^VU>5_^nJ=o7iMnOgX$9m5LaRK%M+2i8TN8MIg82;zFK;=h@rg{xehA0CiC zFNn#Z;gtJYG+J+>CWxzj6JEx@JzN4|_OVkr|x5A(VWwthJKB-{m%u}_j zA%<~SJGpj=0-!WLK8&uoSdv;!}fwZ9i(;ZOXM0XKA3wtIUu?p z%zS*p8~u$XMR|~XUc+9scz(-xnt{5b=+_sue&U1Amk!17USfYhy;@~6lNPB)9J3qg zrK&aTG^eH%zrK>L=Lq$GsjuDQMc!w<1^uS_pj>&K>d3<@9???tt?ikfIV3O^E58#M zb3I-?$dC%vgUMj_@L=Dl6wYZahj}q~QTcYv8^t~sP+auuPOo%hQ_909B@k{ls{u>= zUsjBT)&caRdQ^cyUdOsMvRG~_FV6oc0`Wn^Xak_I=DFPSF0!NvDzD-rfz%Y(K(@-D z>6Jm3&sFoj1)8%TK1eb;eo{;GyuDgwQ08qLTu5Sd;Ly%NR>CKAnPPf+QNV0JSLi@h z)#Ba2^ekMG*PWf!(0g>2AEbi|AuhKrc~1blZUzf_#O+}xp*6v6w<7A5!QXY|05VxC zU)Uvv*^~__9)p$g#d6=gc-S;0ZqrMGhnfDxi64FCA7>df*8;}DA)O>BH=WJ^9(%T< zFew=2R34dk$l++)M>#~%OF3jRdJHtuG%i?+6C+e~;2d+pWw`cG8w2oQxY+$Civ=#hauCk(WrS_Pxu>d)}SO~`(Z1nS;g?4z_Jtg>B#1~ z{`{?*&cA-%r*+wSuEI79MUg0oWX?6EA6-HVRu=zZoL&!I#1nM3yMUFrpv33O{V2upZ=iUDAYzNPcP%9S*UTeo4_cjmBEK%$mMKL4J zNX9Wu0$3%zG~ZB}cu#h2sN9lUcizl?3#9Fx(%p1lLnzK@Sh+hxKbvgs zaRC{+sjS{<3}A>Nmkx@JSbsDjBX;1j@n;reB6icBrr|NK6@5z{32o! zv4U7*I#qHkZtdzE4SjitJUJGv|MqU&?qa=5E`-ikOmK*tCkUc%Wn#WCreO9g=qRdYo$srT)#dFFMtj~ODfLb`A` zsMMYZFb}J?j6Nb1FlP6Z$3!}89spHLRmMjdtXybZX)0WQ@>@5lVZ`-Rf|_cwOO?8H z9~ERX<{;CFv4|B={i;vQ{^4G*C>7j<+Wt;eeR#Pd0fHs{>A!uOq!@!)PXtrot-Iid zbb@(ve?7&qdAZe=oT)Eg`%dO) z0;F*pJjyUO zXlZT!D?Q*p)g`Lb1=x7QT>81Qa1LDNbT1gBYQB_+(%JjzeJ9MsN-VjYSmjAmQlo1! z`TRZ6&(Du3dmu-Zdab|tOS1webC%l`U;R*p!*6*g!=BohhQg3fWvSq`Yvc%#lT%x& zdv(5ja_-2cVK21X*Rl@JpD;e;Lj5cU8Ky~SE-noJ)H5eyoNWcKR}EKq(m_2Z&+qr% z1Q2yy#dtI3_hj@VQ5LPDN}@Zh=1(cD&Vp9aE$Aje3uTtjIt4dZXj8=UZCy{#Q+5%Y zGAtj_yAf&CvKBG$#!x|_Yk6S%&U&2RR(mD~%NIYG`HaILWnqCL3mWN|FrFn@0&L4~ zO~Ow`shZIrl2Vg6J(WkM-fzVQDV-txDsc&!Taj9nUntflrC8bw44##yUar8&M~`#O z@XZ*fMB7>AliS2q#QG9PIrBRsVfR^)-?|A}pDSuRqvP>dd*!pmi4fd-7a-kpJWXox z08t?>PswDZq#;vo@Jo2Cj}%snm;Tdx`ODAr#SmswQoAr{M%+&yG4{p-HIrwSi!hWa zA;?t@LaGwIxGjk;(L0@=gUI(8<3i}Y>AtsbP zCoHO4l~iDQT|0hoFs}+D-u8;f)NepDIj$vBSk_j$S|DnrYiFB~!s2M^`bewDGr?nf zGQDa~KR>8oyr&3oLJQjSl{udN=N-PeXV}5GIm#K7uiXGsWZ3zfGPYzsCB3*=K)h%c zw6LZeO%%$}=x%2H79Xjr( zU?f0G_Yoai*ldkXM8kjEZ3ZWSfu*|ol@_^l_wAc^$c;PE3g*uD=|BSq8v8!kvIq!& z(r@5FJty4G+_D@l%iUfIa%;6!`l@~8Ae5GOvd3$wR1i+F!h7%5({@89>8jAO=|SBq zbb3bo7wD!{Xn^UK@QG*)RWlbytwag6%MHsltxDU>QuAa{k)bYmBAlxv@iHvn?3Z|| zr;F$i0Z68DZgiAlUIbjU-!sPHmazW;W>+Wdy@9MMd%wl~kVIEppO1|-95E+jTjAs@ADAdQ zw*Ps;I1mEt{f-BCj~b2aYfWNs@R3=oWE?_D=(?q*C)3`zsmJxbJCh; z+W+#Bht?um?*(1R{M$0C?{{sAQw;^W=q|VZ{N{PwxBXHQPYuGy*IHR*)XbqVPq@kHBxp@f9N4Goflwj#^dg4?4;!0e9r`DJZ>&4S@pRC^u8(W|0f zz`jte7@evv?SB29>>|P%(KDaBH~+;MVpAKyMImhqE>jzqYMK)Mv6)nRP4;|y+{5U) zoj^!2m{t#3x4>g zmzwlQl=LVeo;l|^Cnpd?Fy^_oMSwNzwc4LPiVg+UOJ}?I27S8_Ny8Kq23Jho;)zsC z9$rBne$#$gDuExtFTH`)Bx8y>y2HpCJ$hGg8Y(D~^58;DLT-5Ny^@|3stZSIw1-S) z!R2v<@bMXyNayV)Oz=&(ADrihO0%O*tM)GgVzYN|3|M7y>K1G`0B6~9LQLbWJa5sB z@V{zoqOX(|x&!>=FX&Qp@SbCCzx(XqNMNJW!vUMKmJ!rDa#5t0A-(qn)ho%UTj%XW zk}(pptWa2PY`3;gRkGPEv_z*@kNo!HdwE*dlj2!_PLx%ZqM=p7_>k)e$X7n{r&U>+ zACGaV&z%CgO&W|!l$R6swvF5(vY;@y*RAa|!?Mwnu*-}%Rx)!%9mHYa9ApaLyq#H% z=TOY}W^ctmEITx)Wi<1eMjCyXTUj7ltG_Hnbsd}xPeqls$_`8*8d{K)Q}GLMEENpC zTD1>t_d3J%x$U0T&8&nTv&ETh4Lv!438xG%NGVKo0TM}58 zo=VKm<^jal#fR$J^Su(D2T3oXw^Z@o1gUWISc6|~iL(z}T=iMA@D(n>Ea&9>0b?&f zLb(^r{t(qFXG#_<776ay?iHmlG~&^m!ua1@iD^N^c64h-aY$TQPDyu7;UGJ+H`79l z(^~xFOoiPV_XTZS%drCF57I*;UClMqVJERgO3_I(% zqo@{!``3h57Txv)b$LeyQ*2)tR40;-$LZFcdy%$<_%rTMRc#)!=lQLGW*BWN(T^~( zWKIc#cUyxWT{lRkyVP12$s$y#SRUTG(}=bBtZo$X#>W7qI3^rpd(AHSCuA3>t18$X z?;%(L52B>`>dXaNdy#j7M1LiRzN6|-FcMCo`1wjY~ji6 zRIg2mDM)WoH!Vq7fr>{jZ6+o-lw#9Rp9hgZ+I~LH6NI^Y)3fG^z+ibvJZ8vb^4&7{ zh58OZZ*J2we?)Z&(3s-DF?b1~@S)XAEPep#jF!YTXc6zQ1Zk;F6^ z9V=xjwON5a@#z~@p6sAf(Ic0@_TFdq>o%kd7aD8CaI24e*LuiwkCVmky1Bk;Jg& zlZbT{g;8a8bD<*KC}esYDT&q=FAZhJ@LLAbzr;eLsBRF(GS;5@z5Q5t#vI~bqFOTg z;O}ofk;D?@E#;mYz6g6u;1UF>3TCtJfe$Vcsi>@WqO0z>MPr+eCZ8~L`CMSyP+Cfq zxmqE<8j$MafvM>(&oQM#<`v0vIUT_-YTm3tWPHK;JF;gB5QyCs_+jZI%m%ml(@c%d z;{t6iB38P}ysHnsa46@zPAvt^{|LXfq%!&_xQhDEc4kcEYE*PLZMey!MiO~+-s%FI zNve%DX&9JaVqH3F z!!G>mp9ans!w0Gak9MN$M=m0h6Etfaii3s_qgWQ6%pS!?;kGqQ$cdgcySk}dB4HqKNWTADinT102-9cfSCA-9hRo@wV|YuMJa@TN3O=}vmt(xF3A@kCV_&@n z87WYiE@AuS7yt%b6VyXS^hM4a)^2e%g$hA4;9RpT=sG>T23}hVUHoE|mNEXPKi^e8 zAb0Egftjup@6tu2J)(kKO}C%En8ZN<4EEAn&>|B++glY(CSLdh=LMP#OY?->*HmTK z1a~XeI_1Qg4$a@6#u)c5>cI+~Kqz&9h;N{xZCR;zw2awU0evPxJIoh)>S`70QX3_r z!Q)Z0h(u@y#IInCho<8*d%Fz>ooglLQV-QEU{=8?foS%u@wcVVLr#)%htM42F!>cH zbmqpj34>k97Xkq0p#{CrPu`p8q9UP13_rf4cq4kliPB^c(59d}zhnek4SA;LPNGd8 zeI3?#)h3U;hjOHjfP62ZrqM|ZFc#HwI5iEFjzxv-3*!aSKz^f*qs{;{D1d5 z(Jrl{MTKyZROuJ~u-2&XZVldOWV{QL>dL>?wk{LFxin0_snJ(w>Xg9mDQq+v<=VP7 zqtRdH1l?7RCgN$82fm+OQy#)Gs{(1BuEz!E3Nq*tYzw@o!VVt=L6l7Ihg&W+6>*t% z!yrkM7;V%7i`$I4EZwc^JaW1EX(TyaYOt27|9K9rxpk{!P^9BERRbsa7HG9qT?lWATB>*}p)s`RKl>3-6bo$-}*eC+wzH?0CV z@S_w9sw4h13eOy{PW}nxT9skMLB)r!5av7=a_8GNxwWdlHpg5}UJD|*@U~zg3D9(j zH+bh+f{H+KXKlp6Q}*r(TWE&ebK;p#GS;|`IKct-M&eDz(yc^|omKQBiCli6HI>nC zcB$M{RZ}L8h23q~gvrPGAqVpH+`0$cpzaD`ABv%CD7v9J#)U=E>P0NtIg~c9qWeC# zGUQm1Xi~jh0_k`@vlB-727du!m*V@-esnEr+D=%ma(7|p>fmBFKZE>;i$k1wN}!PZ zT_{oVeoyP%RV!y1!}1ffrmTsv5v#kp5e8QqE45j+gu0z|&3SFk&%Ez=JCW|Rfe_nr zWS%C)Lrk7aw^FxJjH;_jmB7qL*OrX=C&jJ$k>Heec7-ml17m4Oo~J#E_84Br=Phj|Znt5`o4@ml#bBXw#E-2B%1S>a z+0Q+Cn*1yqnxRY5#bSR4oF~Q}eObHQv2{n|9|Pa*6B&w`A=ATkII1H_G#J9CjHuOs z9{gU;@wS8jam$}C9pYYY^Y=y=?iJ#7)T4{OvhwZ+G%_5>+kDSxJ@jP;i0CIDp(j4`e^3FxMp6yz)(wV{$=O-n@7Jk zp$7ehUpRI_w*u#WZjAC*u`6hAVvjF}`y7e7a! zyx*v!w>gg&IZ*o`v13EuvmL$EC3(KV*$eT1UxxBptzpKD*2gfbGpeL|pJzV?-SP?g zkK7W6H+L;9KNU+gR@!PTI_)r1mvG$xr&9f*&#j?>WeTlv6F-l{HHaFSFCDtdqA3%1 zMbzkgHVihphu_ncQl9Il>UV}13zE@G+j1$^1zhUI^xe3NQE1b6m0}GiPuCDG59hyt zW&bvy|6~6ZMEdS4dW8zw{lnB58Wlz18X!aFV59}fL{|7Y%NPKvTB;paPGMLFsJee! z9a(*(7>k(dm$%<-(O8M_|vG{a9eqO1GQWUx$`TvZOc=b6@UsNpT$rnRnVz zL%P?`cwnnVE*x7KGVe(C!UEZ5BBX#@?BF=fTvZ_x#(_%6S#f5u&pDrJ*;OCEt-5=g=xr zvq*DDeY{#VcZ#Qqh~h~p|0s0Er_64}bkJ}J?m7BOK~(Auz0b#_dR2G86DuOWW>Xq+ zl1#$&7V6bbvROmF&;q#ZH#hR?^1)4%Wc{J!hAQsLhVww#UIuWh1?&*-=1cL^Qawe= z%Lx#h@P+0YkhZ87tJN4->8=E*t90qEN!yQ>GJ>^G7$7%K5KAv7s?kN$MLcc-ra$?6 zbDD)uUn#AL$N6}+qNlHD-7gXDF9Qr69Y46R7BcOc*tk&kAY_mgWyjy)iESSlzp)ab zKZu)@DKZb{kE%@F6sDdNq)vdcdP#7vkrL-Cl|_7T0J0InzN}Sbj<-E2mzbNUCXxL#ELFP4l_(%e?Qf& z@g&56G#EC+_Y9q9k7Fzycdo7r!<(t?+TSNX5|wn5;A2}7J{CuCAhzmVj~rc$!Q$J1 z1q(~Ka8K}S%)JYfGDl0y%q5+84mBgTvAv51J8cMZz-D*6bGbA(#ghxUlmjBzZ<>95 z1mPK%z`oyq+L8qq@o}hD%>m6R^LPeP=zy%_MCA<3cNwDPF8y6+^+IIxps%f$@9LtL z(C_uGFRcSe@(maRx?QLT?nx@}=#x=8C7!lLsH;3m0}fkV{L<}FJdJlEfZ4T)Vk)VB zS(B+ikc)fRcxv(1QIk>F0XtL#Czsg-%z>lrnXY`6_>qSk%+x~tfcI|3HQ9dlLzE}b zd143Q^xBqNXPMb%Y%zx@HEZw@7gs)S*DJq_G^VGxQxBT2&nA+grqf7~V0yI`*T1&e zBj=(^R%$&s1*qCmkREU@ivS8kye{3`dgZ)X=Br~`8lz=~Uxq;jle5(aoy4@g z0@ZA#VHkfP()#pj;-FT?|3e;yN|@LDcASkGmv2P*!G-tMm}HphQR8p4f@6 zj0^WPxA|@Z==H9@A^O6@MWWgwbR(PQ`!(CwM6gUaqsyTKFbEpnDGR}12G&E$f;`GX z1iy0QBsCqF|%L7p@(x{7;B6z5pJ@obe9tud@?OaDfjm-JsKSN)H80xF{Q^izNLtM3OYgo5zb~#oanFD24c+GsD}HIW807eW z%TJ{8V7$w^s;QMHrh1_(MY7UfX5;YbuoqPHH|qD1pVN`BaT0)TxTipo3d}bXaq>EB zvGw;7&r!T=GfOA)Jv;I!Q0|8J--+-YuROZKZTcYXpBU}f5l-zIjS`zcI*715^&6M| z1jzc!!<;a%fP$4q0OAgiso_O|U2Z8ONjhQY_ocgV!XZwzKj8i{Z`f7fMqED~L9?Tv zUGU^-nsoRN@G1Fur>BVQ2v_(Y^8pHlg(pGd`r^0P4yt*1UOKd`u_8Ui-(MzCh?d_F zH^}hk6AGq9GLK$kZj2y~k8iJwftHO=wcH}EG~dj=x{O`yfcrVxUts-e0EUIT+Hj0d zKw6p~V(;h{V+qL4eQ@rgDy+weR-TU5**6n5qs2!W+aF)L1{*sHRQJ-& zM>zDsx9*tLVb3NV`uTukPm4J~Fqr)zRVp;OdB7d6{yx9|3Z@k!(&HR{?Ee#+bYDue zq<7g_8_VGRWpeK1pX=~T#s@I+WopF-%UffVb@qc> zW+=FwH^YS!Z!Z}SYg}+{e})wlA*pZ*nFt^O3cl@$cfV-v8)B%yT4d0H81yKDEp&tS z8JNq<-@XjAp4CC}-ebDS}p}iDEkO_72nEf4Cp$c)H} zLy@C3MlnxA73fDwA#F{5f9$`00M2br#L^f!wcQY#Q^I;SY7FLJjC$E4_W?nk^14v^ z#lRgVH_Z?cL7zDW+%T?i_9ZIs!}p_UjV)6t_(Tge7Aan+{5_Ek;SWi}gPWMOwZ8V} zll$944#95!*O&c~F7j$Shp+Viuaf@{_hn`f^e)@-3DEvs-TrsOpJhe(7LHD18GQft z@&4DR{lETmLJD~fGiKKRg<}1`zx_Xd-;Yd@wA;D-egFC#mgRInBv}MHi2FDI89Kh) zIQoD8ihusH-+uzRKhLexn=~Jmm|lp8Cn7e}5K-`j0O!m(RimrGVB-&wTmjAGkVe~$ z{Rg?N5Id%>7$nIDwL{-{sWT`6f98JCwyUzmdQ%?NXc;T8P^9m>5L$;~)43_eHp7P6r?^d2f$9fq`&w=B;o+f zdbklBan5CFtl^D;ji}(2n2lBgp7Sk-PiK7qk!SAWYqZ&L8JDjfY!Ug5)wanA-f4#6 z(XChXFJA#1q1ptKNFYVR0p@maWa~Rb-0)zofzrHay%eta-xkFo)K;~E3-%lp3SU6Q z58e-7evA5l)K7g4J&}leb3lR0@H^p?_0QBtEdO~8ev#Q{X!WI~M*_Lx+~asG>2A0=*<)6dHx`5pe>3hLohb_teA%>jk^gp}+ z^hI^nUM*8<|LFxV+t+U+MJ{;a&pKq^fo1I%7_HredfD^)24vqgthl+M{oZXX#l_bJal$fQFDdze^89P7j)AYcca`kjY`03Jy97|!i{ouFPrp-4@7yEY%q6}2(+j{i zae|05g|0#&>F&Y3Ej2Lm2wPx6y)qcDiVhsVuN38!zXQXTRFEZu$wX+zQ+~6r7vLkU zEXFvY08qF$;S&k&_Hw`dFf~9e9exuomJHn1Ii;CvE4*1M1IjY5}u!4#} zDEtmL8e(bAQVM3ti}#4RBm);rdUK5|+tv2ZP>zQq?%4AIFk-2IURBKexCi!0=AJ7kua5{><&X*|jAwLi<(Qs8(Y9rijlQ zk6qi!oY&kDiXsvoka|;zgYp_0b9;<^Q(pLS)4nVg81Iztr4zXBIvwoZXw`xuur-GN zAz}-$tb^~!*W@;|Mf z-#>GIyMJcuPTO_+rX$E%<1X^;e+!xHpp6h@ z2)r?sz>V0(L+XaG!U%v0+(^n5Goz^}`AvUd+96?*O0M7Vx$69gPqUBUK{pVBBU-zA zm|VQmZpq`w_>^IbsoKgvs@Sdb|c5|8o51>Dth`BjBg=D?G*K?E5{06IAR5Z9T9`te2?!Ao&2nnidV3M_(aJ|k6 z=fwy^H#e8yN!QsIhfvp&NQ$^8Gv8hpbb=Fz$v|FQEK-?{`LKBz6n0l)=Gnn3ro6j^ zEQM}WzyWZd7^(iEA#KoBDyt>mXHOVhsOg=BZ%j(4SSWs&aM39r1r8L7z`7s3X;=+l z+^+pi!$X$$phcO0d^*3#1~u64*EV2?!ep{p-S6(4nTM@R7<@x^zy2=kY}KYy${O9yiu69ptSoc&0!)wY&V-ing(7e;>K}S=_Njfoa)@=saPAi zZgXPB-R8FluSTuosJS}h|5y*mbCCF7mr25-zUq01lKpvl6EeYs(V=?n=gn9bSZ_Oo zb3;w*0C*nViA(NC2h#ymw%$PigLaZ@<5ssT*ZS9M86$TkIz?R&!vR9%h3N}=|1=zc zcmJp1z@!nnHoGz*(R`DzxBH}IhZsKqem$EVLN4*)Kccb>i1rG@vH%aPF6u_p9@vqa zU6eq*&6q!m;!F|EA4Xz@Z2x#!Ce^m(<@%(R;4C^gnZ8TKz+))OEalc12O+m_9I9XK zHR2s#sLRK?IZVGkxQ}KZ&4JUWyIwyPO<|3I+H2k8()uaAr=Mu`o?bi~z~aM8ds-$r zS)Pf{?BXX67E#d?G@_3lJrz4~pki;wylCnUj}a*rM~Vl_4=lkker0ZTV|{cmZm^iZ z|G2rZ-coY!cn0_IVwWpp;Q%&g(g||CqY`3|^7r26W)tzbP0cEMIN|!Mte%xwIAgfO z8l+mBTKo6p5ch$v?>6%$7oGMPAb1$RRi;mXi{5`S25j#!Km3pC4-yz;5}KaYB<(Tq zT1d+2MduA5bN*FApwOseb=_|Ngqhs_1X>(OUKYrOzmaJ@jg$TbCOl7w zPUHH=m0xmv4Ls%9cgWP^ctqy#(XdU^{SB$fYwThL&x{@aHLNBFm3iOu6S=g! zqxGR9hYE{+4LsU;$Jbul?&^ZM^{6|aLb;hs1-JQHQ)1_WN-1BT3op>|qeZT>mhFmM z`Iz~{{DAb&LdWq-WD`fzofGxxBDu~yX~x>YsmAL*R?)Ky)9g2<*>Bk%m02~<(kWd% zb9qR>e2Y}-l1s)?^HZy6+{{f!Kjd=RXL&(O`q~AGLara(y^lE`CZ15qpkT}G)x#uy zn6{z_yY^V9gN&>pTIAx$o7_iD z>?Y~Ts>bVO@*_5xCo>l}ci6HT?_|y2T;Z--QfLpKbDDU_Lr{p{e6Q136#e1;#|m2E zGj}wmH`LFo`i4`6m7@g6#L}ZhDu#Vl43tz{WL)0!$=L{0<>{1HMT_Wm`xN(>yCqdT z)(KOkzO0&_CAo9`Q4!~5Orm%KKU?>?w69gZn-yHe+wQtAdz5)Q_+zOzv@f(^c^?&Z zVADw(61r<#qxL3opJ$(T+-p0^duM&hTWV$Q{gmZ(M(?x- z#zJQMRkT_gnzVBK_x40|rX!v(2lzj?-g>@id9f*c>rNrFz-#aSd$-IVh$eSyAN#$T z68#U9R3<4$1gW1a4?gSOt?{&|HpK3!1cxZcBiBVNfyaK-E|O;WnpW;)Iglf~vuoak zi)33YfOmmJw$>SIH6aZSPf3oGw9VP33d6+Z;)I=?Z$~Cwu`sJB7<}r-<=g8EnO{_pT}4 zF`o0YnYQt~N9d$uUR=PjM}^KLZ#!8WJn~Wg z+EPZ}e5pcyZHT49zEUo_{SBW}IWxy#NGPr3NWo*mA6w(HH8~%woI{a2r%fSO<<1hY zQsz9AB*oEd`f8^Vo!gv`o*f4yoIa0H+c?d!%5_b0{#t5ZM(D`1>|EM~tGemg1k*?# z=5)tM%v53Aq~#FB2TXuTjc!8ZJa+>wE4-vM)VG$$e>8A@U_^oxhaquH-jp!4kAl@Y zZ^%lwt=Z<=mtf!&q34YeMFNP9E(`@vRLGZKSM?v{dx9hXCFnOe^F~`Rs25{YlEK-y ze5zA$n%i~BFF9b=F&*_}KT}n*W6H73Ao(h9TAM6&y^3A$52F8m{{Hh+K627n_41pW zzYpmzY@OAPqvrMcuM>k_)^v*%D8#?9egsv?12A|JYw(AsWmJg$nMWLlY{97t3gy=w4I7Lu z#-wn052ewM#0zP(bbr>H5?2 z{Ev@Pj90RT<<<}!IWQ|++lB0j+J1$FBg%9b_C6ubG-|qj@P55GcfM}6Lc-VUP3R4e z1=Brx$(iSk8E!LlDOg?=ih%=yes7@z9s1S0g^VWKfRAQ67M}q5nC~f+Iof%XuxcG) z@2e|h-KX;1cCt~&XquU2Vq0dlgdpkXK|z&VUXzYN_s@8OaY}&o^XKtMX1JpS*;r?= zoQvd<1}F`#F-ZotQr|lg=@c)W#HXTpGxF*|(JLmHnQoRdXQn7He%F!QpOZ0Q2>EKm zGw!7SrdEO9ixsoTqNE=cU~e{_b)&BRI_p=OPf|T!b?yWil&ru$>}}E`Pc_qQ4L5Bq zYvc_$uWnwd^vf*#P1 zoQ(~gZBkgznUY=?81ynlbW69iLv-^NT!gZB95YY9_l!F?$9}H1xq(hhI!SfqdYik! zu{C%B(Lmc9XpfzT`8rk0vl?afCkYiHgosH&NGL3(=BlS^lOYmq6UehArj(e(@}cWw zI;WmesP4N#KR$07_N2g_3CK?`A63YAIA6g(3%oL(^W`AN6$U!nPXRpg@pl^`V7W=E zzgWwwb(X1)%0y!E=ndAZKUQPc2o0&9vV}8uGf0P;GAsP%Jx0er-j06QAb@MkBn(Qt zqxV)Uk0+LeKK*sQ@!a?-Nhf?&-1GJ4n}h;^FWSCXCB0#Yf0}+`Zkr2CYaM5~vp5#cuF(agM^jHnB|65__PvLYtJq6u?Y5H!%qnu}j=4K~V!dVf zVhGl1x_p-Y+#$hVlOJm&$FVM`J)geF3lkUrd8YhJ(dRDlFmb3nQN$HFV$v?1aPG{e z2+Ovv9V|9#R7RaW@?-h3+fR7`K5Y&C0tGcZX1-1m7cH{y`c>@NGtN1=6sN;X_mjQ; zbbE+i=#g1I#c6X>B(Cr6Ly9``mVz3c7cEVvE9A`Vk@p!U1D_*3jr6UA=?lO;{ zU1rU<`ezRc6g0F@VBwNYp{#4aOsq!u;nmf?hlP{Tj!GnOKvJTE@HbPs@zMvhlRgQO&nLw4l*}{ zS(c-t(jEvZY1G|DTu_%AKKJKtiID=iup=%%&QOIp#NKdE&P-rA)4r@lL#Dodv*WRl z_uLKlF*mt>Ylm$j^<|4&ZHEMPZ!Mb~D_U&RQLg-0x^pRxeTiL` zce3rpoxIE^Xy^N|yI6?b=zN0XBwf0*&MhOhfu@AMx2Ur;=%QJT2KGn0EuoJ)_EqJ7 z;a0Y@bN`t4SX)O!Av>!mOo({BN|{ZqrB$_Mflxe4o)*n<&`VV=;q_+BW^MdVSCfFQQu z$3fJIn=f-lg;Gy=$e7OzkDT~ofua8H6}q%r7RTRuvQ*Xe*_Bcj4dTxGS6iUb)EBPS zYw)n%U$B#MSg6lrDp(a2xJh=-N{vK0f<-eVl8^NcbeL9i>f|U6ZS7!^u4uHhZIS@v z+Vcc`oA8wlS|Y=$h^4GPQ39WcltVnv@m>3+%*CgLmR`!9Nk;2)inXF`U)pBRW!u$G zC%$M*t5tWDe_hn2eRSPt5lJCy9JvK3$E{O=`mjhcbv7PRa}wj*Y>);)v{&kuW2EFD2L^a;7k`Ml?5SJJK+SINydiO<*fXWiSIh8VEptyVj9&1n zE8!30x@m7xdq+B#!yS*Ko$#TfCG|S{x$`*R`>%F&sIQ%T*g&U5`#&?>pU=A}4V6Ag zn~N<8GUPEOJiB#DlHy0QVWEL5Q{{^*QkEeEL8>T%-c5|Er%olMegP0ILo4-cMZP&a>x2~wVBx%B5Hmpv7w|?7NbeR zD*5w_#8THzXlmC`{Dh`cl*W;Fr1NT(4Bj3uG2h2vzV^{4*zdgBv}3pGB6%)*^!<0j znv*#V*%5&(wH(iG_#N6|kV|2pd5kJ~xqH3Se}|s2q+h1F80U7zU%y$G{s`#M4)7G+ zX?d!c@HMk`X@{72J^%v2$)OqPVdiN;w)ooKj#KEg>rjeG;7m-0`ngBtEC`L8EJdYJB1%f_GbMZRBo;9Jy>y}_hO&?dSk?qRw_>0?W#kX_B=>a*bJ{*+Kx0a8K%Z_Wbw#d5gf;U<*TYbp zyQ__M4*GgO6gNjJ+!TcyY%aPCXGWol*EIE{MtH0IxVZ70s$R#)+*F%&qggYOb}ztS zel9e8&pj{dVWEhrLY*&H_NTZmPxTu{Mwwn04xegGd$ZfNx~}w=ZBNGg2~W=Mi;eN0 z#EkB!j0rN)B~D6O(5Ockmd|}p)Cp1TX`m(Cxq05H-=}M>Bf;d>1JW1Q>iSyxO_ziw zzXzZ{mIaaU{A|0|k!fi{mK1AS{cVS4TKW{0gKNFd$?PP&nbtdWWijxi7UggL4o-ku z@l&Aa=9IiK*{@#-L)8OqZn5;T8v{3xsLSyq3BHaLrGN}jL8;ihFWC!$_YJBN3qM|a z%CCq(uUG_8@fG&yXmk%!tk-EWtXEzP_N3^q6v29M0b*bs`=5tT#}}eCNWx*^Bk%*F zKYj7b&y11W(g+_3Wcqr+Nz%6e#f6fVMGMnj9zn48TxHkFk%23ms+$#soOeV3?5-Zqq4jrRL&o`Lp` z+x4nAtAY{-irRpHkvg!j-Ohws#j$R^JwN>w>q5fV8^0WSDC zuzjzjR{e~z)T<_+2Xl|S8kl;wquL9Y|$hexm|lk`2|Jl{)T{NIu*K?3g@kM_46 z8i6Ed*ND1Pj30;wnk&B=@t~y~B<~@VO#^onE0XKYeAH^9q`tq=)_wcqqe~1n*NtyH zb;~m9aqaBBEHecCpStvnJ!o=i>7rrZM=I=KO~_C&+7KtAk#=h_QgSo*jsx9%9~Xy0 zO(@?YT3Tyd9dE*ZceurXn$E`Y0$-h-uQ|&I2q@z#QtPkBS{b07nNOW7{&-Hvk+wXm zXlleT$gv;VCntLCSkc0<+HbIG>7za-;~x>|L@a&fD(f|xcK23rpvQ3@p{6<+~Gc6_P)|ijqd2a7LiE$Uk{QMmY{iKAQwI@JC zhz1$!b)G9N%ev=ry5esZy#E=4uSTix#_5admBk(7W^tR80A5ZMN`t_v*HEA(P@n$l zBAMTNXZ~ocFn`gkmKA;!_w{9gs5yv0e}GREFVKd#mBzE9+G!NN){&jKF25hF8$KVe zs9$lp`%35rnafoOd@Q(n&!+@zpXIc*^*e67dpvi+>0PU`cLHp&lvNhV zatl{J?4e+tu&?Md4TgU8QlSmc{E4sy+*h`B3NOE>2xlV8t!ZOkS3{34#; zz)#BM81@a${ciIt^hKSg85!dt5yPeK4#ipri@`$IS!Mwt>wDiSB!jLYe>PlIjRUNY z>q6&5a^mhXPcc_$NxfB<5GfDcxD#?-?HP}g2Qd}_Bu6GEts;pUF!jUjyWJ@WT%_Q*wC`)NZrehc5V2!oon8&7Z1&aUZ4mR2xr%#bv> z(X6K)6DkfrRc$FL@5{_)<`oGr`o4Jt27`ei_L7smN-gI>h3CO4+^yU?LeJ`{W;ahH zgt#5PrdT-@u_L!;MEM2_1ucPHW0nZvQ~4hUHCKD;Ras99A7CF{$T}(I<{g!5sWFeQ zYenhFd2euzluUpZ=qlx}F8u#RWBqjolqazyCsPMcuJ>rSU~}8!jw8Ft&2Z zlgkblpM-@%$^|c_&esR}X6tcDz7dc^@IWsjxc1I_g6h(x8tp<^_l9)$y)=fjK`WX? zW-^bcQUkOUyKTO#jlk=5nj`L?JZG4;8d)=7%!J2{N-EZ4EJ4QUwS3T59u0;d0rS)4t_`%_tNx zs~b-JN-ZpK90*eQOf38DNMd>CgF(%mhhjp+RU_Se+?&n@W}p*~p8$GXC)UTarDz8* zuIX=e`n9AZPIGNbBEtipmQ@rQMJrpZe5^=!KEywN^yaIBFSBxfg;HC>c2qoFP_A*0 zeLlfQacS$Z!R$AiiR*R}#Z{i}bdrprlGUpOq_HbM&lA^-?zwroFG_p3r{R3;>M~wY z50GzCp$Ctw z34OLb0X*~zU~@JSXu&HgcjoT1u^+o4Q(g0|4v$!rV2mnlT!zH(X&OmM=*Y;9vQh%D zFNLJc6NBZb(2QxONV8gaa`%p4QV+eqf!k(}#gWj(`i4K5+wo4!)RNmS^+3jIIJT-Ok8tYlkxDz1@&=D2T-;}K=8egoP^ zg?e=|=Jc1u@d>wf_pv7xW8Al{w7VON2onU5P zfG@EZeli6BJB1I_kS~!edc?K~&!9HLn=A zn%esgn(Hw|+?ky#GOMP~&^K@?-Hgj<&o;)y#3;Ckdn=F8rE6&mv{=Q87yW3fyXG|N z{WDS;LEl*f;B1X>NaJS>w$s+uB7j}ejFX+ugLz$S`!dB4zcFRvvS|^&WQa`cQv3g0E&~8fB)8Et1U-%ljn}_ zjDQ*jiu*)te>2Zu{m0Mfy`u&>zr*7iDw}Si`FYI$xF-6eFv-S>Zl=5M#|cAkhuXOK zTDkOI3T3dGAhEnz*}bP{f0P=hxJhAWE4pR{X;pq!^Ui#9RC`!^Sy}6gxzqJt-^AJ# z^IONuWbVdHdUn@wUvc~5m@n-CpiRMaMcidD2&^Z*F%Vr#bX{Ux)Gm{rgFV~&998dk zbgPu;ed$n>K{rO0aIM=?IYOU>-hRCn%l`1rmv8r|dYvT6>|T;TKAf*ncQ?c!#@Xu* z5}JOAf5?J+nKfNynRz7R{m;7HX0}dPd_FLp_2y6eW`C;Pwex2WmE4cv9_6fQC=T;c z@jTTm#yzf393*;nlq&d}XZJrH0PkQh`w4ujWfrAZqup;QX&0zPI^nI5-fgRYTh1C_ zV4@U%9QQdfls5v{f;5UO`=22^b3^}N@T7GL5& ztE=~ox9eao#xkGSImS4Ed3fY)eEaeKa9vEQo!Cx0kTI-SYrfw}A-AY{{LSFd#Z9w; zyRju?Byve*fFZ}y^xo%hB4=-eJj;qPa|a`S;ttQ=rU# zMot#9HNQAVbqZyF>9sNuYq~;=TKN@bwJ7+zHy^#ibk`2sumV|wm@%5(=nVAEU9e{9 zQkwHKw1)r^;#FG(!go+n_?z8onbq?j_lKg@Qa{qJt+?>hyge%)81_P{``*NI26rg) z?x@}Qp6%o2T>mA5|wFZ)KPO zDpsDNbig-emh#Eve*6#UHF-jW?Gf|1PVjX}NkY;Wikx$L9c+NB(3N(OVE-itS)X31 zp`OiX3#E@mhzVBZqb6@PHo%)O`g0Z@-Z&-3vHC6EKhr(Nhq-c&X4Es)-lgfU>O z=Pt2Eb9h@0?d30)+?}Yc1(Tw@>(+5-T`A z@UWmNfS01Eov2PBqdZjLXFEVSC6WSBkmKBPaV0N*yXQKE(!#H=e>>F5fIRp~Khb%| zZJTQDoIq~9OdPeiZVUA#rBfb2JC4^z>_Y@*{kgF76Bd|X@?Qy~nkw+lz7BR8kII3z z5>g7%cIS+Q(wqIyFDaXZ-ra0m&VmYBBzd#n=Rh4ER4O@7tRIRY|SV{*oK z;3NsTJf?`ScvZlCG+`bm`r`5%ROnTGM&9Ag#WTXLTMW_T9ussqQNI6%6aV`G0EaR6 zqc>{i1OPjU;?qzX+qr)&n*dXb75(@lWE4~W2{e9g7?4@a#wnY(@8mEGUNIr)Wj&>3 zJm8dOkSw^IZOiYxru`sQqs}O@IDfUD$r(x2a4Hg9*O*pO3VKGMgm?41Xoh!d<}}cO zY-hqBK>~;445kVO3NlsrpM$Z}Ik^fgG>Aq?=#wriCxw&`qEAe%TJA$mV?OC`n0MZ1 zlQUR31GArWm6}RC2q>cya-5*1b8a+8bG5mT#k;lx+}yORWEPjhc-~K6@#SwS_Ey|> z`2t!^a*}al0TaI6Hr32int`KI8My+I z@Ty0$r^~_-@KH9VDuSjX=L-RQ^N&fb3Q+@bBJ|Fe^PWAzECR0LgRC}PMi<0lK&~^1 zV;%Ys85y>)H`{J03ZKKn7A7Ulzsy?D)IG|a-|?!bn!z!c*m>x43+jlwW02x)&I-4kJfUZ16z8H&iPE1Z{I+gG$ax#0LBmBo@hcs&{Anj#hB5Ch%Iv4E%&6LpG#1G~Ny@$DImwkGZkg zy-2c|n(dIgTz$Z@w9oycukXX*;QLn8Vs7AVy z-Y4D`o_r5ThKGvk%YjyMQyIh_u{a@7WO3+_qf29&bTW;&r!;vFejL9k1T2k4)z#H| z#8*0qipyD-_av<6%`*>=$>ghVq*kVz&qGIN{zY}Q(xS*|tlWCpNNUqxhUNuR-peAf zoQn0*0l5V*m*F&xcZ_hz-{x6jns;R?Lj4eV(^~rYcB~_b{$`eRdf}*wqCh-ji%|^$s%(< zcdEbUyNPP&M;ShddNfsYdXQ0t3I&R4{t)nx>ITLlVN0DzkiY^_$`uR0O8dzi#6ycF z#3{Z4d~o6`s`5v2byz~Q-x+~YB}7!D@1e%@L85L ztx^JWx!;Qx;Iy<4J87wTB)(gi15Kn%-@@TU%8bAAiuBfDFW&j`NZ-4R1x+3XM zj*eT(W(gV$T@eLE`+mYNB3U#q9}gQP)`{GbGzX)LfST!|krUEwo_jk7G9)QnlJyuk zHNc}a0e88!gH?EL7dqJLtVG+)NPfSOIKtGQQV{V7^M+RAO-%j6SL6$G;b=`d&J*(= zu3)q1*6{O=>Qxqx_?l}`eb$Q>DW5?LKF)U2x>3Tq27}#WU#X%mC!%Xcnc|`nM8`H) zL20{=kIPV6-H6LK{-(++-ucUD+d=<*wrB%pMF}CAyJySxEg-ijS^oujSyg&ij+HZb z`+dIc03j+w^G&MPPp@K5F^?muuHlSUm$FKeHyh4TtjvYjg`CuUl5REEu3R5PxHgxT z-@dxW*~dzt_&kx`_YsSv9u<36H_rA1iaK9bczAiKn51NxN#2kx5a-^yV&1qhNWjvg*AA?Q zZqU*#Z5^1fY5D`4H=n>!7Ju`&rcnw94Y<;IE^uDPe+AfXGPiOe=3yL;t$WJDE_0(! zP1404x|kWa6wr&AfQbxVc`%J6$pl53EigdsvxAk6ku55}P$2}xXuUT*SVxVmc1)h_ z$k&sYs4c3Aw>e<8UU{QbvVM5w=;*PK_L5724&Sj6+EUPQ;9Dn95ih(H8XUDlpdRwh zy^@vnN(q(=?k&$1B??+ph0lkMgC$T%WGT30EH*PX^7-z4o;+5wU2_0lbMsIrZ$Dqm zQ~2NmSLrDJVq;)*_tcqJ{`E>Xkl#tHM?&&4N|~F}!O`e*&(g~>i>NT&5VgZE_8m9k z54Fe@AC!C)AQst`KC#>LZMH6Kz>vF|cb6oibjrvV3qlz`#zEqn9Ae95QF_^mgPtx4 zAdD}Wfmrz0KbVLBfi~_5F%=o;cwMB~5aa=jiH&Z1UCv0Rv<1H59HW$Z*$~3V?IH0t z9#2x;w%!3=rQjg;mQ!>tOtZ<8ffdtCkw{QuC$ihXWDrY-)#Dg}@`l<;GtvuX1 z%tX&P=yR%im%4SO5?rK+JiU$>xZnfxS?Y9b*>$dOgCb9a}n6!rkEZ}JseQ|=* z@_yO}5#aGSKz2zCfc<=9;ihS?t=E(2e@kYJq zV+gHdsIKXX<>N!Rqyzal7Y@lul5xhu8~N@8+u2ji;=H#!+{zFM$i@sBi*BmD0Q!JS zy4BE02}jDiAq};1Y zAM%#+EHjEI^G-h>Q-otHte|2B`@zdNy%u>$Zu4N(?o(1{mbK`j_@2xUpC4k?I}rfC#()3h<4KV8usY#Z*Zyi`kzD9gRAF&b`e|L83J<#bt$>8+(PI&kAlGM|!0E5zdrzP;r zzXf0TeHG(H*D_JQQFaHRZ;6tjCXau2CffwNddvb2AACE!7a-zrXCEqTk z6jH1nJd9lc!7YXr_Bq{}zLHwo3OQp-t|M~ANM4YW%8UIntqFwWV5z+Uec&YId{p0_ zPx&!}{&U7z!WvNBtJx;^L<_Yv3m%qW5h&!x!lDI+VY=DO6y zaDVjvD(?#Qw2N8c?X%h(hRGG2gI6;aeZrhlJm~gz02}C?k}!-W7)vGKfl15(E@BLH zSp{D*MshW|xWHg)6EJ}JB|$LbYb=s)!B%=>4y!U&*@u%FY>~Sn@>dPZCnc^vT-~KT z+ryvnbka%7h0nbCi7?w(nWd>|&!b$X;W zqJ6W8;+S1NTKR`oxRzn!!k1vM(9#~E_++Cs{ArPNCN*9FNrj=I8*L2$pUs?W)L};j=PNnA&)C*SJ$>~ zuBmI#HQ~nilP&*#PZG|GpU!q!t8V;$E(x!4Qf~_@Bc`0$-Kj-loAU+^gDSY6xI))L z5fY$V#Ii?!H>2;si3;L{tz3%x&(cz*99|E%P zfl8%I+!z;T*ls%;V*u8)TBJ9@kU2i7A&{Qi@c1h;9riOirAld+EP* zbVA8}A=GYkr*`Lkq3~0@q?1Q5h$k|LVEt|h11*aJP~y+g|6`RMELzy^D*Jsmf16DK zJ0P4>!~OmB-QGA2z3(Viwi~Rh8jO79$EmGTFAQ|wOD$euP`Iv&-*PS|FD;)rKR`eB z;KRP7E{a-tY5z=`I{iAF%lON9YAtN7x8#Nx@)h2Dyb!F*j0Ip#BqgT!`N{+dd| zS5~a1KH(D$2pFFc7o^wOgHEw4kTOjfcQ3TyrIoLUvO zZ{vl-MJz|pPbiz`oA+y*gMAg=`L1=}%6j%TMtp{!S6MDI+!ov$Xti9#BKUZIsNe(3 zf^-$1wZPKS1p*iR`3qqrmKIzY<;Iv{S@_FcoKy-X`CNp;i)Uuve3~(5HBBs8E7=#U zD;U`(+&EXwP8&E)0$WmYGEK+)<^|>k)@yRaW$Qt0&E0%{dlE&w%b{zV1*;kq!#|7!%!~de3<*@zNj|2lwET|on`>JU}EZCoY9T2t1DWH zp$nC3Tpb1pi|-V(ZDTxwAIqjZ;n>m{GIX*&=JT2J53CB>npB~RboAW$+@0MMwiM42 z!q>6aVjQWn01A)?-Q(w`+Ea}l{JgKEi-+Mt;gWl+6R&65ulOxb)_GR!I~KW>NwIB5>BN@D8hio3 zF4qNw5wM-f9W^7QT4hfcP|(qSTdAS5l#|LS_^$47p6xn2tzZ0$DM@xEbmO_BmV-a*{92#Mhk-~>>4V2^T zYnFohr8ww~Gr)V8N=2qmvckXyl=KVWsLcm#ALji_C1S7e7JTRvFh$Cj4ATmF9|OP_ z3oCt&xkY9}0%aKs5cXBhM?APggI}k6LT1E3IlnnZV!u1we&JyC6Ho4~i@Dva1QZ+w zck`~S#bLK!yf+g}pobAmQtE@ydWn~j!!OJK&EvXw@XB~Q-IW%pOTt`Tpj`z3@P~yG z8u#Ne_ZBx`aracKtJWp(Ioi!vs9RS;u8+|SY)MR>ebPqd86HqXpFtb zwZx*t{KA%UsAHeal&lgnf<9P48%-ky7M9@$xaL1@ub};$%TOp-4f!H@?r8ww#ZIvtV6cE_XTsE ztD6C(*28p(p0Y=_I!h|V!tabVvYd6^Z(en9#lxkzHGcE(d(#54C~jD(l4}TLygqW{ zt^O^>|2o)7zbof8FxiRFbBA5OhtC8yQE1eH#TXR|bm{xi0NL)fAuc7?TZH>=dbj#63H6TG8q@_3y~or!iG9Q6^(uZ|@l0#z7ES*$B}> zo1!@Dg^XxIO0u53uFW2F5vG)>}}-wBEU7G>KAvq>qfn1vCE zghZ$H%`|M6xMHn}eGoJKQ4lyV9XHLuQpbD@dYWxWX39x6wSBLtq!FOUl48@+)3qE zwVI!kHdJfpsP6C1Q<`ssf%fB`3FFfthcuSG){BfW2fo2-ju8#<9!f3SxCzB!Y5hw> zT=rjTT&5kAB`#=n>CKionTJr@xi8iO2#dHGA5LHJY*nR6TW)2ag>jkdQOytUKAu6L zR<#G##@z2%y^0^@H(Y)i!KQbONk=|jkjITMbX;ru!KU*b^90A_>$*FzzvKo#kG2U( zSKTFH&i!xX)vWDVG3q%5kP1Iq11SDy*9H^-!=U#adQ-AELAU zP2_YJ)qR%>#vD$q?2;{X=dZG0u6vgCrQIh)WEn3--k%@#ay}fS<7GyxVtY(ZlTmcf zup10=J2xA;!%5z4!05hjDi+infU&vvI%Lnoi4sfq8kfSLS4i> zx`W%-wwGye{(YhIFB+sIDuCyDFMcw||26wEg*+pOvuZw{7qJIZkZNkKCT3c=l)T`# zRPDii(Hq8d+|0}K*wd&}=>7?GO8sTwpG(oU0Mf%ChaKTv^lX>Te3Q}pkM}aueX$5Q zZ8K*EvLW~4k;;N`P7X@UI009QhYn2&15eiH^kPhcDAk!)TV-!bYSBv>e4NrZ;;o-8 zWn4ml!arG1|Nc*f8|X3Weo3uZe|((Qm}dlUtlz;`^tnM|RS!}h5Rrep!%YBBLFo4y zCUrqHkg2^h9H%tQ0$4beS%wu;l=2G7;#x_L=1&#ES2FNBnwad94ChTq;6ovQSA_+I zoLchb$Z`XRT#%bB0rU6!l0k_i<1#G&nm;B8)Y!$|YzX3}7A2fsGeVV}7`pxxi5! zV;odTa95QW1)yFGpx2!ESr5S1P}gJ6IE5zP9w>3Ow-dACEPZH4@ke0$*#*f6oaW%# ze0#y0)TTAnhRF*VV*KlY91sk^xy0nEMw&wNV*-tkT-a0CJ9mHXqUPYjx@b0o4m8`i-g^vK zO+dt?AW@-9!$-bD{C|9hbtE4EI>MEGwkIK`cY5p}J-f=))2oH^)g7$WouI+%47&ao z&nXiY!06$TxNm?{&6W)ogySy9|N-^V8K?i0vrOps}qbB`5Ys>MRgWPx1#$CGa{BK*=?sp zH(`)8p|(=%`6BZ&O$nZE#Y?><)?lmKkBspL3f?mC ze~Sfg?CkNb{%gN0K&Mc}m(0}gD~ih`#QyQbW6%PyuC$39*MJyvA0n>qTT6o-W@iV$ zwvQ*tXx>^&?BsB7(;>iVWu&jveBe4^%bC-dsq}?rebh*>&a1Ovdt)u=xD-~)E&!CA zyJ&+qP1H+PdkJ$J1WaWfzIRXHw7)J>C6TkbqPN9Y01{l7* z0`J~m{nB56CI6@(X8q_feBVkCg3(|6vH$;#c`#EczD(`2YV^o{0`ze})np zs6GD0TKoI&D2WmY*MRk!lV?pG9O7a4>h z*l}vo0alZmR$|}+=Qu;iqA~R{)_w{kth^t|9AxlrgPEXgM}*9I2hl%h)&J)Y{{B>a zCi>!{XlUN;!T|=PIvC0cexu!lt>e7H&Ewr!1jemozlLcfC5pXTk$yi3sP^d~qLw8* zWs3Jd-*H!@l3c{4y%dm37IO*(1~4%Y1T^OXu8;>%uluK&6snRsYCJUk}daRMfAhNpvw$OJeFe4wadj{c6Q6~J$_O0(F= zXA}Z1WI?qdt>$c)^A#*qF$?d>)alUab`$*Mago0bqqw* ziuV}{OShc6_JndJLpfbW%IYbgggi(!L86ak!O;MJGhFDlHxW=iIbekAwA?T5VC8}w zpH4se-^(L^fBT@SEOve|py85kf~mk*U(qqBzM>#6r7Fqp zg`PsSv{~~>MfmnnO#p}6$ir9jI(5>5J;0!TIZPj5_u__gDUCNdQr`dlAp0*03M&0J zLUV3$TwsBo>hfi?FEvi(50Q-`FpC^FX!!y5@^_+rJx&*?Z2e)7$;fjqSh8{A zO0ui*-M2bdOJl`CLQ#!iD(_$SqPZS*rVBF{8X~o+cxw)3 z-yVf=2XF89>2w1%{g+`NQE+OE8@n9P#6vgcPm1?cx%@T`%-&N$iJ4_gnRmB`%dM( z4hJB^!~%Ky0Y{5Jc-A3_*p*e`V8bR9V;CsV(#k%Uos-`_F9Kv^ey<cD-5~9cXl%Tcr35lNtfURp|zQe%|;Q7wIAHRPHet(%2TtGaNS!4P9E{r^9E`0@W zh3p7;a~4}U1oX{LtB-9F?})oq@S(6t_+_Fwo4=Y?gG!(i@9NeC7@*AvQ56#`u$C?E zO_~Oyx}HI*7capgdZ95`Qi2#(o;@l0PmtTQ3ntFl58^1G+s8t>5H@p;TC2}MJ2m4^nk@Y*h=%mq;1>w5i|0SP2Cix;j36X;RxzH&H%wn!yEi`Dx9taEj3b9E2 z&n2!m6PZMR0UBw|^2tY$V~#;QT+MdX$SQckEx}Jn@8uED?Aor!?kc|gI}=srIq0I7 zP6s6;AB)MS9-NU^i1^3dHoJ;2@Z^QJ!wjDkLQ@|N#YkW~YYV`}uQnHyun}C5rU$}8 zHgL$&g@g`_a@y!Q3~8#O8$sZoP^cjS#BpQAvKH~`$22Yr7tq|UCuxzfg}>l+@cne1t5bzz6(_*7hf07_e!Ad$5#OS(2hlTe%JfF)E+pR zuh4cukOdach16%akep8`v6}l!kaf2v=hT(w;?L z?*VRgQ}|YVD>W)JpL*2)k?nVQZurHaIbL{q(m1ODD6Z=kkX{A!!WpxW7haa4gef1c^ucx6_x z2Rw9gw>(X~p@WV_ojE7y0`@$!FPQ}>_pBj2n_7ry`2++bhO@DEjG(rNHF*JG$j)8$ zi%bJ-UQ6CDPiAWdc5v-BIR91w6-}Y7$HNQQD7IIE!;j~(My0*6)Q4Lug-xBnZ%oKp zhQWXj+-kEbq0hIs+i1O*{7VWSQx9S=!&3a)Z;O#x4c@h!Bj`mhmwo;KiQ5i)F!;xB zs#j&e@FpQaUH-5MFfkc8Q!k4bV4Mj=G@%>NQ!mO@sGwBUbp|sF)&Lnb0W)6q(Cf18 zsz=azE*#>n_PGndF0aI(+4rWR2hc2$1>0gX{@*z&L?P2K{{kYHhngk;d$05Mmtf*18;_9I~@lHU;nUHFH#0q_E*&wW>6DnS#OJ?JU?n7B{*-W*5}<+-rG<$gn3q(AXu{e9h&URv zmf+yB$H7Bt`2ev0>E*4_YKva#sbO3xCuP@vrU}BsmCRmG0CNTHU|i#XMPvcKdK(I+ zW}zA3%}y@45j>g1TN5|IJ=sY`eBb@dE0~}89a2Ic)$X-CoOW=$jP-YVtzI(#9(v8# zZqQ@E*er;`bil zS-Zx+0}fm?BSF{V4H%e%Q3gKewbQG~`a+B$_cc#UMGm6-*6@A?otIV_^b<^39XdHa5)m6@uEApxn|41k2Jxe)ff35&aQDZr^^)rB`l&bfTSpu| zT$1FsHzN!L-smlE%&(Jmb-!u~B5RZgBtwwQh$8N^EZw6u=x>VlfX4VHN1=syEZ!he z$B6@Jwwnve$1JYrvwb6J$CRjp3p@dgJ`oPY5r3or%%u%tcq~oSay1@8`idDVFig43 z`%|^!H;{n>3;(x=?_W%cN#+-k?S!^z_hqz;nWAW%8vM}Ab%OXXGSmj@>06W-YvV@i zGkv%T-Wgy&4Z69}s&VEO_`Sq}Q(=njbXXQF3g7k>ydmYW2m>b@af7Rj^^<_5BKn9w zS`mplX(u4qrhwu1GZ%Or2Lm~1_!(+r;{D~U&YX+yfW;Wu@ycd@nID&J;b!Z|G(d{D zo{EQp%ekRkWQ)IIQO*!JbS^{&K zX@7)Ty9h!|S{mxc+_s}ncw%4{6`YQjH$_4JLeJ^@R0C3lTP6n^dm;(ss!PO`_Vz#M z0pB&t*OJ~3F{)Gj;@zEEyV=fM5S1YO)P%YnM*qtX)`L8@Xf{Ctz{?wO?|(-mq3srd zW|icGX8{LV5A5qn00kHf_xND_WOze+$l~fm^*a~9p*j&h3XOoDz-pW=SYgLPS3pdBk2?(C zur0|la!$gZ=#nLSFQkR0Qp>pkxgXm*{=?<77S5SjSC1`Wp(x|b=0$ty!=i3b?cNm?z;btdfXzNq$xW^vfO5; zi~R2xK@<>W+hpSSIbI>R2oIRv-)4<#LAWUny|>TJ7bif6umE%S`6h5!z*{~6ig^G* z!@DsHW}2oKfK4uJ3=ft-55NT}d0enc-2^{!FK-G?%x^<^u}DPiH{eO@#sIiVV95N9u31#-tTyeXL9FPM#YgO!} zedFm=H|WeBysBeaVsngF!Wr(qvOj&C_zXvn7r5x(cTS3SnNZLCUsIbNr0@s+jc>pn z-%NK6!~73TK)cu!xW(C$klcJ?Ytn)#C-%3>I8vn)&Y`VLDV#GSKqsRG!#{EBc8lt=a>9l$? z|B`>0DWILfz+p%9Py)bl>jI=slT8y&r-iUbUur7x^GoX?8cfNYn(D&eyGcZ`(Yh?q zBB?3<*as#($70d0=!KlPn_;#w|tV>+cNHzn;54ULCa$2G4afzod}=awQZ*&>&}nUC(_xTv-a{ zvR_apSclaf?^|+N4&^3yK>%70_oKkBCyEM2@C9vPvS=26V9}}KCIs(-rvt$G(I)!m z-S!Q0*U$nckAW++gukxeC%;oYldjV#?EmpRuoan$U>JX= zmpcMwz=}0!W9QodJugKt@;LxO0&TM_faUgeaDu9aJZV*uL_=_-z9(r#nNXb4AymD4 zJu@XR+pz2Uu==M*;1?C3HM|LMc?<%de|-eKMOl9AueMO6@t-` zv({8w7#z2mmE>MNhr^Hc^n13k^~*JEytTF80lkWXZD0WnQv56`cSH%nr#xUPglSN7osqz2Ay>bFi(;1!9|Ev+T7kgh-t(Jf8zAOD2 zq*z?DAA{suWw}A->y21Gs(-4Wk`>lm=zI0uUclX!;+ET!{K_*IZuTB-MAmhB{SZwW zNB`#*J!Y^Q4HU;+@Z*0}lipn{c1i2Q;fj!+?~5WQl`h~NqU`f)Uk3k*1?zIs_m5aT}}EMIYa2}%SC+sgjgYJoH663qv}#%PMy*$VvMl~UT(MOzrex)@s4qrHb_9E zaWXO7jBK%2l@%z!?ehx^cFeNl2AI;Y$=6ZpEB>&lH|NP=`6^;((z8ytGq%xPg-w+4 z{3gY1X$2$Ll>EO(T+$qz5ex!KOn>55NktcTfvDD~x|zJ$xAYLXJJ-;`fu`i9_zOf1 z>dvAA%THN&-W|f7!6bZQ5>-yFPt2yz3`JOz@<8|5R^8}=`O zgb*d@m_0y0OW;Xzmz@M5_x-w2tQ7L{TuJmxYi|2V6*7UJ?*VSfc(8K#L&Sa#bzxFw>1Y`fDSs!0y2WQuQ7_fB^aQ zf$RUQhW+@xH601B+9)smp-#ETKzKSp?CEM*dTJ-geZRxAg)fpmMv{6=dW(U zlh2=wtT0q!*2gPL@a2=fU3}B`!Jn85umyJm`F%i_f&%D^i!r}`8P2cb+%25=B@&G% z2VBc=04k+WEMhoX^4dG}-k)dIKi|+F*O3V`Of58%NsgH6Uy$}}pL)=mE6C1JTb@RP z_S#7aJO!dcNcl2P=dr%}^MWNEqwjAon?hgxeqa4A?mtR?7&fh2M{CXoAItr9=QpxL?!27AE3efNY6f=xdGIE<3>eFxQN)=z@-r z4K@KiTEI#_d5Ual=yj{@^z*Fmm8DhEHXvQw~2zkfCfp2vlEbw_!~;M%p>Ba+CRqJw598}v-=P_NWX@yQIQ!D}wtCy?kG zdyS}@=%01r&nNhg%Bw03$P&|g+t;{A^;N=zoG`ZWtGW;B;P$DWW47}I&{9Gqudu97 zf;5^{r%I(gi@v?cYP8sv`Tt|<&7+}i|Nrs(cBh5VHdMAGEi<81$QnYFEoLxdNZI#& z8Cxk-LRl;O&J0GF!C(|2WH$z53CX@2WB0x0{`}7GoX`9H`KNR0zB@THuh(@wpO4kU zF@2a|ZzwETad67$%TthdGS6H&fUcoo7KvzLl1Xg<&Ea=S9Ra9RCKo;11Iv_}-X3g0 z<37{p2YPOUk!(b3dg9A0y7m^OM+Ms7P@)XDUg+6Fugxepr;SkVzRD z6&9Ffkj$n!Qk`Wyrk{X%?q`}5M(x%gUa)AbyQGu>1UeM7Q%Fu`{yDduU;D-z=#XwT zq;Ewmile8PYbz7CDgYCu$T{mtJ1IWxWK zF`OTzb31-|pbyAJinSuH5j>gdcP1C|g9I)QbNOtaD|v-{S|YVYGyvV4+_0yg9u)-% z4F;g*h!3Oa)K~B+HT#JXbq$C+IHt}5nB!BI$-@A>XL^LY5!qlOkO0Cfj?rs(;x&yc z&xo}i#I@Y5wIZJ!oNn0E1|uVcXKdxxa>xqD5t^+2kZvF?;xSv1%c#I?PoKJh^0 zCPI-(Y1Buq0zJq_X3K?h_5qXitc<)3D%UcT1uka3Hc{4$`s0mhI?Wr=ygf=fzt6s= zgGZ*;?)%2dBvJa)52V)>-!yU!D*{c7FMK2M@mh|;{{=>zP*2+?dwox4b^Z5k)sAd<2Bu=v{YJygC z(S*xU3Tgl9YXAbNQ(zX#3hJLYF`8NgVcYPkc<(Yhb%+pnuq z0Jt}@3*yMxAn^Gz>Duj0AVN!hCUMqsnChmXiED`azTV~GE6fcNyPYW^qq%Z_ zZx399?S6;vZ+%w|&~u!Y>%KZLJu#vaxEho9_Tbr)!mq`vvwKlG%2_JUbzeQuSAO-E z=7-MkGk>2vQE}nIg>KdN7ayE7Sbl79hPTq-q^fFuf|%AI2ot(IAzEpkcP%oiGGUcC)5FW31laSa~YI8#O%h*|z?Q;+BSYub%o{^h8VD z1;Hi3?ar{FV^@;iL;5HI4+SKd$KY^5W znyFnXxR>;&RY!ET9gwT8>qBEo?J$Du!p%<5KA*~uGXLDJm%Ii|%2`8F%?K8bF9T!1 z*V8_;k2H9_4akU=cA+Wf z!L~}H6C{d)qoEh_)1DcUv1Q%>*tX~pT9NT=2mHeyC!j5BTdiHGR;z~|!ppf!*TPRI z3_YXoX8D&B9bc}}z>GdM40s#_M*Etg3(!kg))v+@+9%8Ccq%@ANX2Z3vNMHq$%`sN z)7~H@7HKJ8 z9Av~FyU5;n z@|MTJFjM|N6`Vm2nHg@+3|#=*Q^cna8_i^OJ-(WU;H(WOshhLY&HQu$H&$&39YkDN zqwc*Qy*jw$Lkft>^$Sl?#2tdn?@g;K&Kd|^IW!puzu_+}gpd9N-O9hP|A2ELu=XTs z#V+S^0>w&7H<%{R}icss{HbA_=(=C27qPAF!&R>sRU-wSS=0w@TJ}t zTNGnMoNB|5+n)PA=lsC0YJbq)SeC5us%&OJw0&Y4)hHCk7hR(cHx>CUuHrvjE;V3r z+PhohiY3Ijem$eMMQ8fcg+r4#-T+2F03+>3HP^4_tkoZ$6jc^U_c4{utt+z{Ir++R z6ZDAxulii@+pL2}P-=-|ins`2BE# z6*TSBS(`)s!|Pb>w`-fpX)Hof)5SDbN&CU&hSb_z`3wYLY6xdGoj8_?5Y}kgseLv~zCZL?*0jRRmv2;FTOwLp$YmIa!f zy=@AgDHgBpbV>G--OohL$kabNaINYl1t_HyKhO`N`4)w8c-If}ycS$#Rf7(E-yrMi zJg}l3jDUqtD_2UpD%7*a;f()ez9!AKECst3VE)F!55DNWLRwHDN(2I^x&e2cZ}Gdl z?8rxa)_bFA(k$#~A38UDTlj>fs|7e5F^D8_=kyKg@1fk?RZU#{M3F-A~|J@or)L?GOMUq z+)BS*%hN6Y!#7(yOTJ<;4P&3XLbqlVuK$>ftobZ)l6DyYvFUH`1J6--733&hK0nu#iab46vpuO ze8iuEuZE8`HaZNoJKn$*H5gWN8FEg>KWNrfkvB%B(OJWh;{NEZk(0#qYDc{vJHz#E zZMzhOrf-Iv4~EtQzZ%}aX_YQbKfQ&{4RAiAvVmEEjebwe;0np0yz(s<(M%e3zEvUPj-Z9sC9ReWhnL(0=k( zfXH@e)zhB+s?oioF$pg}Uv`gi{ujfMd&J)SB_pq@cf!yAgP!cfRX^sNRXD-9oJyXwLo!Rx`HednUcG3GJ;WD;wVmvMWGsVqKuanfPiQtRPsR)boF_j99 z`xA#iUbFu~Y}v5L=e|QxcDtq26pZw6JX01(sLn>fd07eLkaFzc)xeKtmcv3$x%63Cy@8?;x^1E&LqmE_qG84{rMrl9FB+9`9s+^*#ZcSk6v@{4FBvLqWx zXNM&@BExbkl<5=B_oQQ$wk{EJu-xyeAiXesK8Fr1=DkStW+U8iLhS{C6tYr;aVv)S zraW`>exWfgdu;3w-Qo{>+;MA2TmpqW;FxcHWAY27#8W&N*;hFDxD+{3w7q*`!}9%_ z=CGz;FY4V?$dcy~IEHIyWv=xLs1h|>I?r2* z-hMYJ&H5;9wsu4mMDDmL26(RSg<>Gxx9(H?)HfHHLY*7^J++#CM+cA4Pn=dB!bPrX zySLx9{zzHIW1MXz^U9CVb23M;+d{`@>E$R8P3Zlq4A+Dd$52?KB8a zkzvSD&o@PjEv><9=LYKz&pOGA=fS3{of6{~!I@8O0~Yx9a_Jd=c5@9O0m!NhkW|gG z&4oG614P3(q1SwymwUM99EU@9mGpY9Ay;)JoW+KrEHFhOGIrHp4HoZCNuRLSoO>!W~&Mj?=k z1}6*zr6-obG)n^Gl48nlgR{9;ZE9PB*{mJGKjf)bh90#;^~Ke&6;7+fJG07aRIzc| z8bjD{r^el9PN#0ZqV4=m`Tw&3fcjIu+Nb`LCE||QcA;r`^I4fUkWQUUcNDMzi*j0p!KNEXDC)l5KWLjVxHKD_; zrz#Kexypu3OKXWI>J}EUk_2b{^?iV*J;@o;-9SwT;9X;WbZ+|{-q_k^*aiHKi+`K^ zWUT%W2;{To>1b?vcP^$tCGN)f6ULnss?8<{@qLiN#QvHq)MBSfnqpTEk?`B`KT3D< zR&&XabqnL+BM^1pXha?OKR<%$3=xvx5w#)u#kw{GO5l{T;dd1hE!5eWLNUD9K@OFR z;b`|N8IDRYv@v3cOx}q{+T|Bq_ypY@kn@b=;B+(1Pqd8^brdomJ>|NAn*P{ZT%-ZL zWRC|ke%&&#E&qzehrcWuB@vHHP5X-BpCquEI)iu-<8Rx`@6x8!l6xR;8dw#^%k{Y)VU=11Y!JI|BuyB+O6ni{*Q@;LsS*NlP za>MX4wt)ADsF}f-NmE)Mf3Wi#SwF87pmndy8mc9BmO<^N2ZvhIte?Vt4EC?!OWqzg zIH^YE9Aya<%_n(bGsr2!Ey0njqcYV!ek?Upy8aLe>Mg?3z|Cf^9|kje4WFtzBjm6| z+{ELpj7^g+kKs}vGGokdsdc=Pk)%6h`rn87zL6Hcoy5@8OjO3NQiofdckRV-2YCO& z)pSe;ckpTwCIQa99@!{)Rbt2+0ey#O*h3!(9P#6bnBv%W$sKjhQ~um`YZ{q3by7Za zZm+0a4{aaYLF6d>y*2ys&C)rc$dS3m+T@~e(!m+l$(OvWld7H_#~G*Y#AfW|7Dc)4 z4g>I?ORmd2{%Ya9nWMNW>iGeC@yUfnKS!yC1BlcYY&zYN|=qq4V=T1($$gAu1`v)%=W@+Pqb=9{nws8*hDXvYzS;a{ z5=kYTW+!fcrtPMQ|BNZnX?iDq^nFzZ(B+gY?&>l&RKFQ+X!P-K4D)c}Q1@#?#Ft~f zGX&qxjW?X$Ju-NS-0p66_DW>*@g0^*6|jr!yl)rcKV5%p!+%+jKM{$((m~O#+F{9j zQ?=2+c&%4)K(gA2cM988Z?2QBNg886E3%WhR(o2A?_kWiia6#cq1mlC^b9ovD&#q;715>>ba%2sYN$rL~SZ8!aT051-uv?%9^R9^1S<* zA~Z4SXpy{zF+An0U*Goo$lxb+jv4)tA36EcBuIQ0;h`xe_wgB-EpXg!+57Pw!HxZv zdiyg}cGy&E{$^@@5>*3%wZ&vHfBeGr{I(P+N}Ji8q*&?d7SXAFT>~_ z+xVqq(SfFAUg9d1$E{tfsHUhT4ZU=cpp+Q21`%-UIeA$D1Wu@sC05>x=Lueh@9%)& z{N~DPoFq&f_gd!gQ<}@tW3tdA!x44reY46ONiD0fPu~PoRH+(f8n>#Jwlq^!EIXVu z6Yz3IG{gh-IKNNva2rO|gF^Qc_*zYG(@v?Ezs~RPPl^XMha+VQV;G!fUvk7EG;z*8 z7b*|J4sDMl&WSVU~VcNIq|La(}A#rHvM?c2~ z3piEorRlRU3v^?6=C_x7^3p!)uS`S8?Xs~p|+z}l&5>&{37kP3M;O@>C_%Y z{e4Lt&tSn`-V91cR7=bB#pep$VrNw`jhEf&QJ>mEy#ft>%37V@Qv=+*!SE86E8ABH zpSA}g%RckmNwi{bn%TU@zVR$if$Rx8o*S%^;wQ^|#pg_3cjT%yJt_~3L6obohGFjd zb-cq{(!aFkdTgigI}eXU)w?1$PAXi-vqbrt>qarE**Ky8MrRCOi28)o`a)z0)r;OO z|Ge_qrcH0d%pg7y2`i!zJR-SH+b- zMGKLTqvLejih>f`q@-$=FwImpk2`Ftwk0!BFzL+^r`c{2pscM!lFvKhW7Y!Z=$>1r zAT}^I)evGhRQmUDDeo|2TLj-bQ`Xcd$;A_C52>&}^ER@nWO7jN8&JcUct4_PK2)_` zE_}e1f5AXJI6yMi)4yo&_N4sF%@I$BGSW(hyQ*)nT8AF;Q=vf~+o6qtV!dzrsJq&X zl{E}7ycLPHgE>)`;;y${HDKW{c)-#ovm(PsPY1c50gD#M3 z_-*l7645Gb4SWidQiEH8DobLHGQ5yKf{}y(p8g^>&KAMOoiRUT3zRL)b~{J?*s#V7NJdrACX=S+~HU3fJb_vTgtmzO;jLS_~ND;4PFC zvB~T( z+f0=-9)<&Kj{RCCQ}nD|#49K(d2rL?68{oeLT5NI?AXKWUtX=n{atUf!2mHk4;t%V zi{F@uJ#zFL53#T{F~oNa@6V(+Lc8Xd09zIR&fCobC?g*tmQaIQjd#Y`C1uTKF77b# z(Yt0Jp>HPGzglk*Z*=i2x&!xz%UMsd_g|o*jY?^}^NamtWyZ6IYo4P$0e3jb-Wfh+ z`R1eHq0E}4ddrsX*z#iWtVPiIl4=pZT1!f81K54@x>M9<%VCW`eHx?2>dfV5A5^(r z$xqzI{AHhkd$Q(%-~1H&BPNoqm=Y^HG{5q(Dw_N9c3)~t_IgqYP?w7Iyj4RWZAGR~ zh2o!wDKn(demRe%=fI9AgT{|9$E5CF5^%ILYJ$gAj{<5cnmz)QNuE=);MaujUxYD| zZ(c6Sli!=kT=wi5R^3BNq;A5w0Sf_E{Uin+hZcwKXN_O1?fFC%TL zO?sMidi2(~@9_B)IbXMueBkxIJi&CDHv*Shv&9fkyH;cU50H$#@+}Zk-jiCXB|x@jk4@csQ7 zfKx=T_kO9nuAL<{n@98OuDf+2fqF}udqwo5H7m>LN~HIt9>1GUYhueIqDrf8 z1AxcWH^x18U^L+Us^+kE6>IO70pdwZM-$|RVNK766yP%Pcgc50>CiK7F=_%`QoBW=T zOkcF9rhL$dxhxXCopK_2#VN9X%5T(9WoB*GrMs_)p;^;z<_)dA$w%`s9wqt6Aq`&$ zrOfyp(ijn+-Kzuo1&I2&jp8D6a&BqSq%ZE05yUq()pi|Uke=WpD=FT$==}i`c1DVr z;mD}pDeF(0buoGI2NZwmIo@0tWws9TF7-YS2tydS7V6WYsIsrAqtbiB=bflv53KPW zWgV};-nZ|l-Q4ryOECY>8|lQoCuKlTBP!bxc##R9-4=gOCG`TlmOS{jmj$J#3)^

QL6y%%Z=8d*;e`gnpBe$3Qoh?W&8{~sImL3P!;pfCE(2@ z3OX8GvjX3_m{vSnZ(d0E=Cf@1z9Nu?Z_WNbwy5l%Ta=v_qC;81AHzk7Mnr;|q-!*= zLbv;rx%6|Vw1wxbi7pZ@EwX-ZGy`gcXbl<0`nQc+sax;#qlBT4PzFL*jf-1_houcC z(01ijMU}3TF#7up78_7;kVOL?*<`j?4Eq<2{UKxR?ETNssClrHjldu&1|5g$j|oru z7*5_y>?jsn@}H88(eN$IhSq^v-p}9l(|>h7_RIu4v+#@nI(F)Tq{Pn;AX8OlZU8z& zWwNLRX~tL26d)?%6kop_|IYBI&AoIa3?N)|=jiZ7`pVt(1)86GQcj6E-Jow;N(`mo zoB}=Cz_4iO`jXYxwKFN>%uXo;q`7ZZ^rOr@~CdRA>w2 z0pyy+pgxQFaWscJbc7@Dw}{`KS35$qO8=155XYbnd<<@DnC6*670B`4f6V%+E_+-n zp8Ph%=LMMi;Y+Mc6-TKkul*kJii-TGL-k6dd5`=Kj&0YqIPSEg&T(Rx0L{;|y68s1 z=q%9T|A6kzNEt32pZ)t9r=+;9WzEX!0v|ELblNyaKOMakhe@toydRjE{AWWZdpEg= zxAl7IqhYIYYh;@P@nSbHXBn3RRlnsNJp9kLBgncN>%C>i*Zb`KYDbGWZS8s_wa}c7 zuwckL(=bs4p!WIGrkOMFtmO34MfjJ?i+ft~MYHm+plrB{YME;=4HqtTAU3HQDxB+Q z?+~dx34H`QxN`KPL}W(jI#e^-lh=iL8vqAI7`a<#93Q8b-#RsE@95zmwWD=$oIGMP z#C;$3c69oga;adtL4}gwg}ShSY%|ecwD@s@3&P*^2Fo59v)d6b)QaXAl?6f9tzpt< z8YoBJX-N)z-y7$t%~RD=J?v@Ae*{&j#F`WjpiOB_YN+EkImZghvz)v;_EopQhWn7M z_xl=Ut|9iC{PSukmBWYc+vib7fwmImBlg|TGSVpq3>TXowN-qEs`A(kX(yG z`_JtG5Vh%q;Nmar^~pTb4d8Xa>3$MT>6>Q~B{-x0;CIBo9u>FF5ppRzSR}`S8taj4 zw7eKIJD98L1LQV4WYXYlPbla#>`Qj3J4R@3Noe@S9ZC#wVmisy#rcSFE)MoNA?%;e zCI7IVoJ_y1#X!?ekuQjWSpGkh}&nY4hpsdD``6NCAnN{QXQVZ3yAcf z5r^Cn9;|_KI1d8W;_CbkI-fgbbLZ@duuap<8R&Bwm#?{BYWY-NfOd(k81}pL?c2XW zO`c3{%KP~m39p&*F;E9`&380o9jLsV%Yp!J*gLoDd1aM1V*c|d#lT&kT*PY7YD{V` zch6QJF#q*7-dP4tunJ~Q!zUt;ZeE^

ba$+fowEoQqw3@0!VjT~8CJGZ-+>V)fJc zLS4uJ=m?-$H$OVh17#CLDoTNhtjv+O{v5f)#7rzDmoEmRI7&bOhYdj4Z6VLrtluHW#w zw8Xa)%H#!a$o;)D<{)hkgGuw_y@7K$NGt`NzWLjX zV5!;Ui((E1thh5?dUB}0I*3L2(%`^2*RFW5>*FQqkh=g{HauNPcZ7?m62d?E?$Ql#Fy}iaLtgeHE-wzB?0rl?YKz(n>BhOXOHUjx2NR}M zp$Im+7CROAvaS4fRpON0gC~H`t4l;4zK+Bfse+hof-JCYma+(L+hE_yzv{XIMjEdI zlWaz`bl?c{aSd;$RtJbB<{&;g24-Fl%=A?a5#bf3w(J7E&;{dp0Ji5v;0TVq1`pQ2 z6kn)C26LEQeakZ-^>QP)a`f-Uw3&%~$UK>77K3LSzQZeHe6=S>mGv(mi+7c+yfU#N z^9=Uxw@3^3cw2a;?aL&?S=GU3P0%>(_~x(xQQ_qfTVY}Kd+WQvF>6r*?WzUY9nED> zVK{r;WML};nveXenM%a_L11Joa1ngn>&?1LzNPxF2u5{=C7b@*%;Zyr(HR4TDB z)d>{@&3Q4>HRrEk5>9kKgUNxdS}0|22P||7uwt6sWM~FkoR{o^KnE_#cv7I-PG*p9 z+C0KQYDLA{PgYhWZbcv%j=%)|fSW@;qTw{i25$7Zjf+(TjwTBvPPj$b6y&-)0RyTA zB3+GTTjU`2lEYcyVN7khx9#X=qZFGymW4_Z5Cn-?+O?TQ2Zg3FY*O7h=ZF_0Qds*y zfmM88U_FPF1!QZy<#t;^UYvELRiD`z=3}Y4)6+b&K=S^b-Gwmu0Y0jY5gXVBk7$#} z|1q9qv30(zf3RmcAP)Xx8VAe9L^<-XBCsK&kfoy2UEP{UlLvxjOJPpiXmom&fEd_(w z;8+)5d@%BG_)Fv>Q?53y5f_FFTt>j+nZfdNeSRP~ar~>u#7LeVUvE&OVpVvM@7d%O=9Gd<9+IMW-gwsd zZeAv*MQ#l9zFZ5Eu>;(^GakEB@ZDxqsI9O{8kI4R6`bd_b+0~1)g7sssACuRuzNv> zOG6;4AP($RKzAQh*lj-a7K=$a#;9i&I)YqZZR3a4E1piEH@e^UH$)aNmG`G9YWY(q$kMLJs|)Bv(t)K*lAUMX~sV@rUSCwo_iJz@yd|>CLs8qhD?^fMUBn zKrqv92Ef`WgzbW7R}`8&_#Nr|+OiR=MKLwxT=+n(=@ee}(`a7F0epOVv&S#*y?4*f zHTdy2qf_7I+cWA^w#hhUnKNecck>JrKAa+L1x^5~XGali_SghSfwH|e z<{Y#`E9icX>1EdJYEF3h1ARsC2%lQ3c-y~|wdm3B zf|m#t3dq^|t+WtkdgM%|{?&JdEMJ-X3EBp2RM_4ms04!GCc6={Yf$^?`Z&iGiH;d2 zs&QEgnw7`mJ*zbi)O}ddT;+>)5!&ClFLpJNu%eTFi2lYG!1U9bL_jW>OS zfji?VSohnZ&(||t0+P~znNdNYEflE1V$2~XSd@9f<(~kdFcuPl7;FQ5-IRe1T-2Q@ z(-FhZc|crrLo)FGlQ6XA*nwkC;?(ScBjJ_`iR`~OXV!uF@xBr&J0oMo?)s|G%;g)a zQy9P3v~5W4d+vQNb>_oc&5~TWc(-Y%_P2xcKcB(iiX#CD1r9z~BwF6B2@?q!Hki>I z0}w&sFbw#gIJ`kRLLXFm2n;I5tYJ+2Yv%YC!6&0lQ69YNEAw^clT-&IoAi+Rtk8*M zXzW&L>fX<5OBuVds~$pm&#_RBKZHnuagPan(JfbJG&9AmzKvnc->*HTz}-O4a$%j7R3G&*|o^^;TD>d7{Wz3lJV3ZP7vX0sh;AjUlUJ!i!9CnzVT zDLrLq1guewG2qi~SqOXYo$L>C0Zm5MkcwGSS?ScRxxiX-t1ZY!bpryLTv=d!`6p37 zkZEt~Xru^#YMe-8D_r2jOqBxVKQj=dh&a2_f_6>#nK;a77Xby~Sp?hb z{2sG15Z+pa(uSKHiz}S3HjRL#I{V$R6A=XmpZ4%m5RhI&v%?i8VPxCbv7237=HMXS zdqQo$ZQ$$Fy)j>^Uj=o-x`KGX|Ay{gvphR;vn%V|ztFub3-N}g>5GuXEQ?Ll7t!wx ztk)gv-RwlluTM|Jv7P>&ZkPU{cAt)4c^Zc_9{~zWz{HIiiIz{&<+`peG{4=K&+yDo z(;KP9?m+rvfqweN$Gv1g=17bzo`kF_fD8c%?hV+0h+=E5qAPPmlVA znE*J<%smpd9y|e69+**`U`Erp;s5!pJstG7U-G%%eqNmd3r$r;=CkrJ&X;Zq*n26^ z)sQq61?(dXu;GSiXxA9zH$|Q>c%UC*;prSz51iz@QC9V{dRI9mgCHH@VUAd3$N6AH#sP?tgF}2<3GRbHJ&;gP)KZCMb+FvU+8(rflVb?6DGs;K>&=Z~ zOl?H`XZ2Gxx%HJ$tdOB{`E$U`)u%B86(&hd${(>G1o)+{B?SE@bFGoPj|^swhcKzD z<`{v+u;S^Aa4U%5MA>oWlt$Cq!}39ebNXE?DOA~eyMA#TOJI*`o_9&H%Q&z6`enO5 z!DIBzlTr2jD{r9b$-dc8n*AMZ{D^bj2X?rLG;`w8w3@A?1EH(yu%F&SLZMIJEP12H z4a2~6sq%ZEUAPO?Q^+i>D0xhv?#-xAZ9#lbJ5`2J@XvLp*+0~ z3_P{DZhPzh(4MY`f9(&{I6Ct$qCTzoHw~GrkSB#P9|`hX!Jkg7LFl+6b{TE*RWIa5Z_5|tT7;tRRc#n69k{3B3tGJ( z$kKyVHmxSx()x{;B?>9t&^*sxAWOMvToWiuuoFD8M|QOjUa7VULoJ;5XHKw05hv91 zyn(XyXZ{2MY~4eq0TI25O%nEGCzvZsbxAGB6O4E4STQ=8_S3af#%S{R!Uo42oU_&8CT1m%&flmT%C{UWpCf-O2pXA(K!$+ZO8;TDg7z?&NsUEbY^qRz0pKI#Poe7d zv&A9D9PCYf!}A|2SBo}W+txKtC@&m017G+en3%LP=qfs_Zjtq1l9&JiQ2aV}t;Gu4 zdDh{Z|3oO{;clb_PBAlh2HJrdd>jPSr98q(NB~$`q-%Yr2IOKjmtlo*1tprN=(YQE zwb3gdZf77WCp7O4mYWhf2Nv833AGbEwVMqVYci%d?pKt%aPISM;wZ06ZKWY+9Op2F z^K+n~EvCWYTatxU^N$B4>x6kL$3C08BaTseEzTaKUmX|2uRnJ0yBEjZ8pFCT|J2V^ z*ZEcp&(-V2Us;?$%Hz+_2^M8$hG-SQol0i5by!ynzBGhZoJjsNgJBNMgEpQMEs707 z_+OrKwF&j7FF$f2CfuC#b4V#pv@N6F+cPEJDA&@7lXEk&0%Xd|q>W#r`L)pJmK_5C zS1Qy`oSVkr_&V$;GMsSevF|Iin+|@JUAO!*<P2i$ez zJ{b7Y!FT;2uupn4;pf>uuQ%Exy;k-awLu^47it?8D$ORzx0Ad-ShA36nbV3+#%j;cb@;9-rBS8rJct|K!Nj1=0yaqe14;UPi9 zleNBxc7FH+er+47Z17mt3(J%Lo0J3)um_v&H*=5u#rZqn_Se<;#lPgEKCIpX2*e!o zaFsa3$jb*{E;KBGL)I&R={m+%Qd{EI`2pZZ$h@@?@%`E8idg)#$qh)rpO=Vj7KClh-pg|sFGlu?mKzaywOHRIsA8qFq z#@mK?FM^aa3I5~WL4p;FF@vF4Eh&)Vm|Tn&1_T- zenZ<<%!0u=TdW;?O=zizV}Bbu0zSi}xJ(dBT~mNBokqlk?3M!6Ui zjt$n8MihKbc4q%V6Xuo7uG{WVe7XEH+6TJ7REl5Fu@dzeQ4*Ij6~*0$-L~e4{4+ zB=2!xDQo`1N~U#9#b3Wb2(y`?&n@k_2WQ(`#U%&vV;lEAl(!*P^S~-5#mUb_yb^gr zY6%}e{u$o0Xqzb-B+sWvJB@7*N<7jJ;+~Q*@^)u{3y+e6KW(-%NR2*xqb%Zs(YJ4Z z(6W1CC0)*ze%wEBXAFp(yaylD1+ImU#P~iGB^Z9-*ZMKkxf3&1)+Edk`rFf%46~?5WLt8F-gdz zf>UQYxC?s7+@8k@>&((A13M6evl0t?##FK;U01pmd^ ziHyi$EB4<0C~0QRZqJ4^zA^MV#u#H7a z?6u~R>1}3Dph(YWeq)C(4biFwPdYX_WA0x)cW&KJvdM2RiaBSKSQb;advj-z^@V2L zmT}v?Zh3vK04n&c+MH~Knn#$wu4WUdWLG~;!Q$AG|Aa8zev-yhagHw}ewsMf(CeP8 z8nRk5x78~>23=qBI)4D_ZN}kmWBBa_16Z9#UFh8mxeuZi)gY~tI&2+Q`AIXp1Elb_ zBTOisQy}!pYk1X8)dR%K;}cCKnKChOVwa3&q1OyF6vU>B=*-wi4nHIPhD-bhEmX!s z-K9g!EKIbUM{-$*eM`8lVimu^4K(AeG&3+aB<|L_zbD}B8@fuTL{UCskuIR?lLD8n z1zR6_s16_KzEfRj?^#-ibS~>s^NgFGD4Ra#oOOh@O@ww2f%B=ds&ER8PHX#!rQZ-l!rBqn>YgR3UX?Krc{ariEDo(nzcZh}C5FX-phX zFD+tWhPv_ol(=;V|77{G@PQlhMVAORz{l2UG_Z$-Zwc^HCv;TqD zRuAu1sT1nCCXltQX0$Q-tYCZ)^UHvNw}n}P`2sXPw2 zFTMcybp&2Gw~}{$M$%wuyLALUYh;@pXR>)BGd=+R#B|sNcf#A|P3iPUJ@bpGtK*;> zJFVx43vWCK#LY!SPAJDhJu=zOG7XE4>vgV#_dJH$$3(y6KYpXI{1afz1WO*HCx7R1 z?f5E%+$2PSv_*vD1|Bp&6cF_IAG#&pwteh11n5cjfy%5X{p|-3=L7I)V?{^X{tmF{ zBjcWjVVXKu@-*3Jzo>*5K|DBgUo4&0mKM_ZjGXG*GUQ&TDFV}CrCv(l_KXF|q)syC zT;P33RPP}AXpOXCJ(0G;0E3dM7vH~7Xj4+rT^Vg~@K+Yl-62mfz<^Pzd7re{n4Vh1 z?n)ZGBL^~TLPNyrh+x;XOMyP`=OUPYs;-sMfg9Z{`kL7S2jy70eabc_>Gwn2-m+OY z&GoI=Eom`j1_&E1){_Pwl|$aDbo%IhKC+k6wjvNXxsFFJQwev5gh5VKL&4XAc2~%3 z?;Rzo5x7&aIaB0%&isP|h>iG$&lb zgvOTb)ycMTXPx_9-F+b! zU7N|KxCe?2jw;%&QnjgsylFCaWM*9-cWBIDNA%lMowLF~0-r0oyrQ2?pxvuE@~!u z_qU+T$$Pl9IiOBx5BQ^RLVN!L9eC*-F3uf(_L%SA3q4>>PL%&Aud`w`4QsIma7I~z z1%B$+Sg6+@JryK*H4ZNgcYE^^`a1t&&gvcPdfryK6h`a-vh0i9Ssr_TJsamCU)RgcX_l zzHezx9`P8}<>DK(N;0F~c?zN`SD++`Y7n1&NxnVrS7mp>1bR#0)3mff!wJ;63Q&ML zhqmb7zhD|fkJN=odTPB^@fSbd1OIzSfOqz$?ou;pulh`PEW?nhG3gn1rO&+@bMSbH zy=CgVQb(ZWD93scEk(A)aHi(PYW{2+9YlSiH?-83>cV&jw<4cZ*qZzP7vz7|l4W05 z=j;-l;nq30y|%`tJc%=i~L%+qj?0TNq*O{@L%&R4i(ZI7I zj!v-JuG8_Hv2AQLT>UZJ7_>hXba{?0xa~gCa5^A;*5aI*(Y2K1<2xglqbpoL2bd=c z?QyS^`Bc0u7q2j@@UJdXt0$i@jdqIgST$KFt8xh6sB}n)Y{+<)&G|!TIpjHedFH~7 z=4IdTJMwKj#D_#?xq0!7=PTBh$jXbiWYM8*OiopD;7C>bjiP5HyJg5futNR0jks%? zhO}m2bumZh){|%P_`e_>PPP^EAH@=>a}&cn%Np0QyBp+Ac*#5bZKNH7UJ)J?TE6PuC);&F+WaNsrJ~ZJ4x6wzaTC?4&w?L2niyXtpp|(c)c8bKNz~ z!CdWZ`HhmM8u26n@RJ#JJlQC>w;bZp6&oUpCrS4HB#4ZV@xRd(BiilDA+1QSuB}PG zJY1~YyIK8V1lz*M|)!wLFF+%5wwOL;BgvpIL7r z8e%5vN&eX|UP8WWq7=s*#mwwY<|@g538k?;zZNBaDCwu+uJk6`Vzd9~Gjlmv-u9~8 z(DlL5OOML8Cav&13qLbM`BynOFYTP~9t1YmUndZHjPjnPI8q!_*dW}v8h40ofp=16 zoPLI5M^is!jsZ!0%Z*Dc+SSUONOvHw8nyji1As({EhFUP+=jSw@Y0t&r_=zU#p*o% z0HA8)req5f#YlZuBc0D)k*bNfyp5Q9SbomgY{_Hd7wq(<)@?P_@qxI|1y6~kk>9-5 z*Zij}6S!swh_(?LZBOj+*_U2>^tg}Fqf-5nYg9&=i4UL0>c|+Z>NsoxN!GjCT5lxm zCubK}n*Pb(e?S)aNFVzD_xm=?vekBdyPWs`)1?MKM`rH=8Zm|N_*~ANHAB(M^oP2z z0abJ0xVrW^P8Kbin@^aj<`#G7Sw6jYgw-3=Qe3HFJJZmXSQL+Q(1pQW!>zmm#TzLl zBOp?ArvSc&Af|f%%wwfiT=}Qau;$ryLhs}3L}}oVnnfOg!%|giSo`Dhv&9KX^NMPN z#-b58Pkpl+H)Oey#!7hP3(sQA%w3o@qTKNV zvdS4X3AJHK55bj??m^P%?3QXxYnkx7EI+ULn}bo_{N8q|!^EVsym1^-i8{Kta`Joh z02J1iDC22|mNPT{;`AALl_2E&IU>{Znt0AGoRTJB*xQ0By$lB~HJ@~zRG&S7BonKE zly*V`eGb9J$0fh6tKx0;3pUr)`X~MT0GFGo?fagQnV0Im{UGS#c2(GHzs=>_GFJbO zz3-04dhh=)q9RQpLLHIpGOn^U2$>lnA~Wk!_6ij$tBA76-rHqd7orrhx678j=aq!t z>r>zRdw1XG+~<3a$M4VkpYu4akI(1*d4Jxo^&DXuomRs=A>%$B31)?wmbDD|A zTHAeMoL-o*e0`MIpgvfyeU+0nEqL>5RQiB&qm1E3D)yOEf{&YhL0RUw$+o7by_Vfu z&BcDuGno0pA!2(>YGMz)`cyk7_xp0`H(6gzYaA~^bGGfpL0qdM_o+hTw>;$&Xznax zCVn?qX}0>U$3Nh)Qu$cZ5VWR))D9&J82UXaCWKQ?rM+b zNXiCn*nR9QPK+8_1cd61IL=qLwcb;jf2UV0>4t1PJRN8cFeOQZx>fAnt0LO4Iw!>4 zs83MEO{f;XX4_WfKV*hE5`dYem%z$<{jT4z%R`b##meN&`yZRp{mZOb&e zFOm}6jjMXi7@~0m)>SzHY5)os6d3)5PQ1!Q!~kr=6{(vuY&0?q0bbxTu9azd>(g`` zgA4OAKR^1BbLCfpvaS2r>mi%dKR6qX-R2*Qiy?jUdzm$Eq`3= zj^A18g9smP4#))$97!~msd6V9eQp|RHZS(3ShpvZe&&fEsLmNV9kr!n(|k?-qf>A| z2-{%V<$G*#CR2U(*MS2+$T10wfog$6j}je>l|Y62Q`Z zDSf#T^X;`W1F95V!jN3?6z$n!0R=+0E${p{Mdtd*5@YYp&O4=UcEbKzwhoE`_8Z|U zId5S6bS#9eE!JfNqo8-h}d zExb5!s~J~EARAPvxwf8pm@jMM7TNt3`@_pJr#B<7JKw@=^$gVef4rY|@HPEe)y`N4 zRp7C~(mi zuBWs4C$N7f+)!n^1X9k;+xEQhp035TK zOu9<6>#~Licn4?W3UPBM?`OBC^*$+hdP#(Z@5V=N?Opk3<#D=))7FfAHey<4UE zcH@`(teWVP9}i-9186%koFDt6M0k5PG@l;Zn(D$qtmie$44* zxn*a;shLb$ves3MHeR{xJ!xc`>Hw38#=ypnHRowjCFaH$!xfNa@t$8yoqWD!_)#`* z+}98NF}MT!;R;I)izXZC2*pEPMU3y$9?ec)k)n_GQ-kP2#2s$tSR7 zX+3p->w*ayk87A13N zCaD_&muMkm3hKCKDOWXc-$Sa{7c+a9em92%!yu3IQx$I|P8$6bFi<=j(?REIU)5lL zC+fJOl8-8QOr&py17sa9`l7=E8*uh(W>(&#CsVizd$TzNMvpSArA#`cWyq+SI@f|s zA&x(!SX9kcW8A&>G#1!J8qB-tdA}tQp}t*wJ0j_(da9Js`Rs&O1{r@Ncs&ZeW&orQ zqD^AxsityRoJ7;&-7CxZ6mvSHQJj0IG}UVHOOQedw0#8A9Ac^HRwZti8M*{YL=pZXuuwr>y1_zcLzP&=1hmQtD;Qf~VX42y)1;1tm(NgO=T6kSJibSz=I+`|wb9?eVug}BgdN&27q&Y$yu$Pe+dvu z*0rV6v?<1F$3tcbF^{6APB86JeJ%zp_sWUnZyO+nY&h=cub^t#Q5>&-vr#YgX=~$0 zz5YW9&et3mw!nyfD&*GP{YhBg2F^(JO&ZekZhZm%el79S8U7SF`=(X3#!9EoM0*xN z$rXjpTsF@|It#NG!T=@F-46KWfxwC`2^o%iKM^RpeB{YIw{90paJC^w ze_ZGj*MCl>CiFeP%w9;k&%}HZwOe=3?me1Ezrt;WaS)&qe^X2GY~LSzb^rX46`$&> zCG2U9ov`)~*Pj=dnl!}ft$ znXm^$rV2~UYG9((g4>hL{Ey}NeYXpNG-i@3zKfmyVt)8%Az4iXI^tHTZ9k+CKnJWV z652VoB#s9`?XjBuH_~7F%odc;#uw^^-96nF-UaiAS-al*QYbKb#K21{K~(qBzAu19 zP8)(~tx*dQoMM$aba4NECeD4xoQRV{)#4?1nW+0*PxmK79DERCE^FkB=;a3N!HmYm zenc>Rq7VcE9FA7~{-FEkk^|iM1_C#p*=uP3V=*PYDxjxv$sUFk)N`MqDLfmZZP#77 z{wv)qCWy%N+P2WZy8K#Jvz^L`VE~n&DgD;r2f1qjQ(xvdViAD?AD&m$dMv*@`S0(f zLKl`%FWXH_`N!7dAtM1dPY$Vhins-D^yc;!lB67i;QWgGz?zuz9Aw#hw?b& zGDtiJ8m;r!bK7`##g>z_J^l#TnGKLA|s;bZfkJ%XR__oRnKVRtp69yJF*Qd=a(Sl|6_)&jWOnS)~Atq{s~ z@p=7f%4&U5qWXQku=DD#qRnpmj}$&o)9I!)OMfXsjvyZ_VP&(hCy)H^v+3;X5*`8P zPUn{g3ZMP@W`3^L0c^#a(~P7Kxx4=7ktE+#fGgnyI1eV6XN>{)1_gM}BZb~G2mg1a zD`Lo#nK!}vuC#o6bAArof9#eUgtDMj83-xVDDdv`Q_fG6&zmT0!+sh^rZ2t{B<=m{ z4fg(aftfSqnaoHSD9nJx9pHp{s&+RQ-OmpZRn;cyLJ(^?@1n1tbcav zkN)g0{a%yAZnldyhhMAyPSfbG-jg^#TtUV9H!7lizQ1`Osx5vecoP=}KxmTpIbWCR zpB^*6uIE43v4lyS#Cz^y-f_^KIpu+jCix0L2H14c#pnmi<}WVJKNdiI87Y_geVPCH z6aMD^#ncmx^k7BRykSvb!y=#o9cUK!fG)%K_W+?mcVZ+K{a!)mA9wH{*HU}~;$YLm zn;lPg5fO7`Lw0$_c>xSDSw?(!c)99Ax8U?6f4r`L<*7~N;k>MOJVLkQO9-BVw|6im zS7rxq{^uS3_a6Sc4!>@m|L%wX?uY;Ghu+-sEfOnum9Oocj4L{_4;D_3wEkB3TgM3G$ufJU?z%ycD^DrBVly zq3!G{a!A2@?*i4YH}y5g}%4xhyK<-`}Hq}Q2{oq)qvwaE%pEXWV6T>O0Q`! z?sOUU@p1BGPBPy@z7p0W4nVr-1>ujeYCpPhDs7wQnE@zN$Dl|(g0kbVO_iB=u1O#$kXK*_Pn|CSmqJxa3gu=gAzhJ@RHpD-oyZKGr6++Su5@ z)Fk3jzB!AY1Ho%sP~fy8h&o+ zK|+-*Tf`<9fwVvOb3y^;i!wuWFiCT>KnYixCek>4%jj-#0z!Zn zP8jcCgYMoVi9witg!#sPrY3$5!w?OY?hXX5_Wx%eK_kgPYXG=pz2KY|ctd|@w+J|p zlall3#weyHRS(23sk?t*YYk-&^mN6V(@J_fxT;4pJCD&P@8;5tnM*|bY;F$v@-|o@ zj%c|x_PA+ngcE4Ro}T?k3px#bAWqZ^y}v#%|A>CS!)GW&o?&giuK#qCJyC0tf<0Im zhm`^*hrHDebeBpIqXjEbc&UGXgXw`Rc0R_btyoDmPbUjGE zT}p|k*vYOfVdcs6!QZ_Jtom9KqlSpdgTf2q_5f0Am*xNuWlK>0?Op*ceTk*$PhI`L zdGopkIbB4@e^V9;+SW6KX<34B{NIPbQ$Bd1cf#EMBYb#Kh}Ya zvaCD9Ny*On`u^XVcs;@`OHwi)R3UBMwLbfSsDx(}J88X%Z}0P+jgEhD6wb{Wq5uHW z<~qav&fR!_R`linmrbsbXT*%hLqD(Yr1j^WU$Ua8xpew}HaL)nwQ`FQsh^Pye)^MTq!{rQnX4(`$dJx&&@4eOuOZ$z96OM%GKSI1pG6XmibZ9k7A2;%E1VRRxgQ%liP z4}gbL_UJs_Le~W0S^yK2Lv^sBt@?pwwC2OYnHH_)__PWNyG& zikN;EfdEC8r8eS*hj3x~Y*_y9%IEjbFYZR}J3as9r68P)9Yw)XuG$LST;V34YX z@dJ96S1pAt+fJTLmuFA)LCFi!%&_b)$a>+FoZKUZ=ry#<>Hh%*{Qu5j4|weoxp<&@ z{wmuM@rr#jFg%?TnRg7J<2CZ76S7Np?kw#erMlyC|Co=`PQFPRN{{nbL=VW^l|H+J zjq-D8eQ$W=Fj-@|*mrURKXwnz88{gZv}9e={G)l=UkTkbu}F;&E5=c}gR=9-Hv+p5 zCbBOca<)9*$u|Q_QL*nh4eBz%r|Rf34Xq*xSZ#cN|BL{}^@mn5I#P zPf7o_ljY982|bzFHUn)q@)ZX`BE<%{(ZND6ob5xlF7-AL_aA_iRa$t%|A0>a%G&+& z1E%RlR+oF`*5M?CYbXmqsQ*-VM``~mSJFK#^Bhn3GHzT5*jb^e zjXb_~Im+2bT!F->J}lUL8*oQm_44_9fMksJa+-V7e zBhvSBp~00xz2Pp7BB=%k1arg^(3+exUvcO62#+0EF68VduCT|P#2dsITkFq%JSieg zPWJ}_EPu48w#1wXyTz{E-*$5m=eTwF+SRL9uf4Z4&#~9PtDgRpWJcsXn`wHNb5@S- z%=shEQu-V@D9ZHYm`6_^9g#S^un|qz$|Hn_;&Drx{r!YF=PXCzLBvT<6jR?v;LZD& zBV62Ke|}cRup;fA!zO1uvfo`{nibmE(KlPRi{hlqq3S<+p1<^aF~|3q3^tKXm>=D7 z?&q?b_TpCtU#N~G5s%jfllpY3om{Nv5j;yzrIG>T;bdYDNSwa}=Yo@}W9!ZuWq#+x ziM^|Z5#q8cH4VfWOg(6JH8fScW7<(g>qQmgapel*LpuhKsr_K4+lKFIk>#HC+gah{ z$BEpX=+=w~k?N7Ja6(ybed{cD!cTQ(MWY(_?c_w^D-VPG!+r?S()_e!)L5`-vd(N z9;98LGOZ1%dp#(SN##Mk-&Ay3_1TGk+57+LdjEPj^Cj-;OG1s^H_keeTv7oUyD=c5 zWb>ev+Ef%f_3eM4TYqbtdGt^ZQXDLB^JP6vWXr?@n5{ghr=&*P7r@_osWuZOd>e@W zMu;#{_{SZ^9+TVfDe%qZ7&jjIbXyk=Hlwc#Ly2zNTSh>|?O&4&V6Z@3h0wG+UGP~t z`_69bJ%>MO>cWXB0D%1rM@Y|?1Z+WcGjpG+M0~?I1Znxr%;>7yNq?Z-m|zw4M55VG5AeL|5k? z4M*0Uw0WCikp0_4+-S+vL`yW=Q?M)`OT0JW@lIkSt)_csE8Vw+yyYEi^&dG$n-{zU z(~*mcWIN43;T}j2Qn-GFxr3%U;-#FSwX5*&5A@(Ox~$ayA6|;c;pNcOZMf4bn99Kw3hb`39@s@ZWjD0W$8}V5rXz} z<~^9C#+a_h3V-%Ir^t72(FS?4O<&#RQ9{{eRYf6(vFv-Wji_e5-=yI)QRE6(BFy4Z z=NXS_-5HGaW?1qM_U{DswioKzN0=nPjKWulUs@^%-jASp@dNNDJogDsYcrFhBEVBR zx_lnGb5ja2cgi0o%D(0*c8inrOYM=rjYzgYYF+Gx*p0Ur)_WZ`F(aBQfFVp$VWIQP zAtKddP1eo0sMPh_={@qfr}wa(T7YzNd@3MSb`B(akKZzz%^ZHC@4vW40OFbqCr3GZ zLJJS^pKV@NSvXK$eYj=>HBTK8h@74W*tLZvbvbZrdb5RM2CY!hLNjCfMXMwazb{J7 z-%7a}M#ZvPO~W9Ck*ei!!v&=6t+jGHD;M^vNb8R4YB0(bI4=D_3^=7&P6TAU6|!xR zGjJNw@c;gOxv_r=w8(xYF!jgYTriYbrZPCU=kP+m>6wF3auJmK&X7N`t+o<&O!*cm z=)7j0wczyln&z;50^f+YUwXk7BT0>^J z6SWfaa!)dQK|?d-LYR86s<);aFnq2387P|}bjE*hF8s5f0dxh;qi|Mo(o@v_vk|V? zNi;RI3R)GlvsF;)2K@pAGO^h`C6i%IIzi#dBtSp_Ox^4eZEkPn`udqwR{6_m{ma+T*CQa$QD2~)mv=sNFD@$+6P29 zr`4q>IdYC{aZ3i`zi^baAA`qQP47PX>j!(w!-IIQNRjXZVL z4M+z@0Q*mbAKdKN3ZLk6OD3OS7%x>#l!QXJUIS*R$hnc*b)zr+=0SMrJSFxS*rnR$ z92@eik?&x`b9Gr=!|*s1d+Vw_H9=>k2p=JkUnPWyx_)~Df-aqXH?$Ab4TIERK*I)P zQ*9jJ%4vkaKCXA$(oaUuy<3{>$2ni?(DDm5P+9{`>t-y7S2nM+kZW|xrb>3_Jv1^_ zQhy$Br^7G+v^T0Z-a7RFchUrLn+(ewF>s82Cdan94kHDa^;Tb9^=pU}l3Mi`6K0p; zeC><4(I<;$%}#7(165>Hq+CWLx`BK%9ITJxzHQvLu2-$S`z7W6?now$cBM4evd)XP zi62@w;ZqtA5OG?0I@dQ;4UVm*{Z7*v$qn)If{@IU=e-inbbelDKkfVuI{*0eZ3@2vnHYF1#l54|@Nq?;3t{KLcZu=Mm4lbgU{-+O?raTq_2Hm6`~Eg4;f?|IqM_br zZ<_-`@!_GfEYcHB85{?S zbKgz;R-7}#1hkNN5#UcfXynq99DmO~02-$CFtW$6iqC@u>v>?|IZ|SeHFlOE=I{Yy zA6v;>MS+4f24B$yWN3AQ-}KdMRS!~7($i5{L*^6V>f}tYb4#1cc~aihf|Sv5dCNEV zN#@|7Z65=82~QSw={aVA?0rWLl35~W7|v0eNls2qa=dM2vNf*Tha>mt2?6sr>+sxW zT(}iwYfwg%@QU__euLGy(NN<8J^!)CS+;(X@lJs+7-e&Q^@n4(mH3_2gYC?)!i%*q`WCvMiU zpW>V5yFYvtX%Bo6h}#JC_nh-t6uB|}X~>(=5@CbK?Go*iod7RHPdKK*!BTOa|||NUFlvk z9B{p*Y+M9Ew}wO2VF5Derx`0tb=CTCvH^iane+!H5t*ostqeDTV?`}O76^@ z)A6=q$Py$eI`~}A;T?v6$K;bcaUywR3u?M~uA>ywI##vklHP1>Zk!chP)!`F@|FUP zZqLa5CB_G#%@x{$eaA7+ThFevrHtt2*>L-gBdW$mk+vP@jiVfmR2coDnHIkzYUk#_ zD^$`h>~+5-;@uB4Dic*Ff$z)F+kDz3Hs?Wt$g>zU65^bVu#sPHe*7)d4WbKwR0JVK z(lxa_`QSDT%$yoghH8)XW?#>t$lh?h%0DP_WhCCqIW?TB=V65UDwW9D5y}qFsp7ID z^EbbzR4gLx=tYyMq%xm#FL1A3snYZJ+l7pm)|LTsM{1SBLSfvl#XhWvJwAI zXSo*p{F@3Q{3wP)`D)td`X5@0MZ2zPSXZAg{z6p_P9mQXqFSG|${|IDK1_Se6pSOD zmj!$zpJaga40UyR%Mt~6LDn_6&f>gLznMpI;Hb8Fg*KN$gxL8w z-bIifSP1C`y}oepH_u_ATN#uK=p298qf2EhSM&G~FyNY3i>BMMDdNp?MPkloEx6sZ z;4zb)Zr|z}Y-z*NnP*D`&Bm4u7MhFe22ohbYfIgFNH^1KKwL?d*-AS0C8Lq_?Kr3Y z(Aw~C5}5zD-~PlYUW%^6C5BtGaB4VTF)GE+6F_Rd2~5JF5l07sqlCv zF9Sy6n_MBPAz$@ctHnH~|C~q?B@ndRK?PSqDNA2rQ9IWdtJHm`Hzo<(*6<%r9E+9yjm*9`DM(Jo6Xk-`+ zj15@`_1fF_lDY}dgDXMGdTWE;tj}2SG@Icqf)jpM+^K60y|NnUH&TRQ)k(Lrmd^4Q$2thFl3jL&`-J~wvXo4j4jT>o8Q#}SL{ z&~4RkqOG6rzRG_?fn60=p)T-9?&s?iU{J%Uj!RsUwk>vWbnQWn^L6hsL5B$q&~vHS z=lTtX6+*lV?1&Q#uozU&?h-g9IA4}vtePX3H>Y74%Af9(9}b_%(44o|Dm`oOK>Xr^ zsYeh$M{&kmhIl_>YYR3*7`gGg=?FC zQTS3O$O1bY9IGh8T{jTCWcTP#VJYHtRLP&6v9ou=uK!3I6Ue(_XybH_SLvJx>WE>` zx7c;1CA~L4+rGNjmxy@E_NGWM67fhL1PjQD^vwf-HYK#Z^{o?;yzErX!;FHC=T3OJ zx?}R{jlqDA2~t9j#P=L)D#k&EPP^KxW2zjm;$&R|61B40XG*+Qs9wS;S~PKCidk&d z1tTGA1P8)mM{IwntTZSmYPU`2hIf)Gl*IKf0P12q(D_08Bd3uH&`US6i9C}4N2G(u z1Y4sVs_)e+{`)-;D<|YSMUtq3D011ltc#t}JMgT5fld!OQ7P2Zh*KfrKrzY{CjGEa zYE|G(JZg)wCx*g?n-3q3Anwkram*X$GC5WG&%G;n#iqRmQCUcEE1_4*=0>dumqw4F z_L`|k9=o=BpkqNT1H+wFA~A=BL8}M#e(EElL8J0%Tw!Yw_LwxMwEnTC2;(bQhSls$ z+x#;~2R0qD!fMwI+1S+-%LEKVq)m%-O7|F;l}*eZwIs#0OQ1uq%cj~-&I(&9Z*tBQ zV3nrmGOx&b*<#t0q~zGI@HZ0jFYvXjTpqx$l6u6WOh1S^<%!4IKq5tlKkZJSdVhJn zAOo=za4J=ab!m@y{egD_nFXx$DVA%!3RE%9^AmfE(V(i!DoHQ14^eJx#gA0Z%YNu+ z{Jr?luO}ZA12!h>Y`2J^R%p6KG>gYzE#7Q+ufVFetxR`vlij8V)I|<1ffmn{?wuNQ zW`kufS~K03t8_R!oU$!rSH=hGJH3$+7tNio z`EC_)6O#mad7LCWS`M?K&oJMyKr$J9=a%}6aiHP~Af9`c!VHSUB*A)Z$x4gy6E{cI zt=eVSGbsJsAoo+U%A5Ug{&iznab;IOzu#=A7|PG1=dfao|EysbyRU1V`y~*9eXG0a zNu|k3#_9-dKVKq>k@#IyBy%a}FQ=RnwYSNfj!@FAYZTiyw`uTv$6C18g4d+!RFDll zVSYfYWNUbK3K56SJGxx$xUvrUVo{uudthzgE5J_i2wPC+(=-kM3f*ruMT~*JP`%wm#P!=sjhrm41L!p^XX;PH8d3h!~DXIu}w;O+b7c)t0}7yf(vV$k?9Oh z)vzN(G`YSni>-|`P$AqTX2aLzoq(yk4dX)?tYC$unKT>9hEAi^ing!^m~SL^xF$Y% zt8&I?t_tS!*9_7tv^I?5lJBcwmw>_hp-ZPYyl>&^?kr2?m~{V?xkGE543evA{E8f} zY@#XVr^#M*SYIR9lc=Ocq?Q)dlzrf+jjIljmTug`U(%AtB@b+S-{unAJN7}Yc~|=L z)EYnLlOC~1D2p{VYALV*;=t>Z26KXm6zZw|VTD@`P95XU*vK&#wY1E(h}_^(-?D+^ zphu9mo$VKDW4+#}>zaf?zpu^E83=8Ek?c&EE55hrK6M3=OB4>1#I+iJE;_r;e4ZirkZaQ4x)w1At`3jubtQ$lpN6H756+u`vy%WU{A zB+IoY)>BIiy0Ya6#v3e!6V9sG+g}|42shroyh3jPg;~HuF(p^cfsZnd0^ZYHw!)Je zCMk7+e@Y%P+2aI*Q%ON$wTr|Z++1vdBl%GbG9&UX6{@!KoDxD49 zfRWAdhofX7U^$C5!T~?qZSdG`c?nDd0(3;}-)}AAY6Q4Ua(6e#>3{UMH6EqFi@USX znapJjkYSC83!Tq$%|7-EE_Wt5Qa<4?;S`ox&u_M)P_ zppn#U;9O2vGAoDf6Qz+~wT12z`*al}y01~M)yL*?Iu{^`dht4|YY$#1Nxjfvz(U;a zXX4{HHk;*2E^+t74E_ohE4b~$%z13y`TM=ctI7dE6f!k+=*Jt!P;t}DI!PPFfLcGB zDK_~%*JI$>bjNzaa*cMDbHiCKgR?#EH_@SRa*1-91yQ_MTQYT)#w%)=50<=EAI+5r zOPLPw&|1r%?$LgSC{u9e!Cq-II>)Hhr=00;n zf&ndo7QG=D9sI?l8dBR)&On<+#tR15b;^{_cDZY#@rctwijU-aF2@G+6Xt{E`b*Tz zPi3o1`r*Z^vDn&eV5>Mfrtt^bb_dO+1Un&FQZ1Aziv{mypN&6hAje;^Zv~ByA)`hL z#05)EU>CedlX^LJTk&bT?ckD#aPG7X-%>xBLrL0hg-WXZi7IEmBPKPMCbxtwdh)SY z>0>Idt^G#yGO9=`SU6ka1%oJ>EOI6C9G5K~f5fhKSM;&q2f4VjEMg+m#d6-YI<8ml zFWjAjq39c!)ndn*3+VRL#ce)_&eIv&_G{C3Wx6L8nCQ7-L|hq^%Pe1)>z_(tmqm!02GNuA9WpD;!qeL_IDUrVLa)`hVtX^!NZ{E4&pTh-y{fdf>HwXRbe zxtX%|A|;*i+K-*&yS(n}JQR5>D+i4tUrhSkk$O1|u{`eLFGs=DwT18~K3*{1EO`i$ zG{JLbV0|~kDCn>a)P>aFcT?7dWoARGcjHIVjH0T3n9{GhmVo! zP6{g?R*Q{UtvVun{@@uBUMe#G=CYnBRop5y znaN3LBD_W&$bV4xb|{{dUizK-(1YNUhv+V{n)JzmVP+ymL9nBQ@Lqaju%EnzsDQF! zii?^%dhJBiUei-brl~efQLb^`n1G%;8zDh~&*Q|W^Q$jwN+>h!CTU4b$d8IM$g?WHbyQ|z2r{uc&rz>Ha_+m^T#|6=Z?l1j%gW<*L@;h_b5)oeh8 zz4a^yJ7L@1mpaPgMQ92Uu=)ghZbUU@StR{VTJHztIDV^aG^Giczb`lcnUb046V1*t8vRVzGfqKA z;%vNSffmNHn)I3T^2Y$idB0L7MEg7xH01iENxU&VrtIh~&`C5h*Y!bhp3K>;Yy{@a zHFB1nnUT$WsMX2VkM#T^&TF6j@G)q8V(fzv+H4VhTDgFr4rAxY0I6eQcnlhi_`RZ| zW?v4_8ON{gF=wJi#C4rXve70y^nx}EiJnZ4_Z|`uc)^V7Cha>x_bQN%n@^Wm6Khz7 zCEj~*g~g8!)j(%2H51O#t7HvO4=Stx3^X2cmuKQLwM(5^hmYXn9tzXA_AuO%bKopF zVWZ9X@axdrnYh{R7)G?F@ZHDEB73#93cXt#?E1%{lVAvVgurl1Vh>*mhekh4wL8VB zB>_Cn*&f|X`i8d8d6*9rvQ7jG$rs+gB|PD3H`CRu)es)alM91o$D0;c4xq7NOz>Cy zFqgE?eq?mRqBt!KkXbVv_YZq!u#<)71Dnh9DRmeH_HlEXwI`{k&Io!VT(_+6z@mAB zn)9D<$w#+Zoh|6G>M%t68QUd5|6gfs;cB+XD77n<=?MY@btY5VqG`WzZjZME4m5_{ zgx?S@&109tBp#DGwt63=pYnUnd)HYW1$~-xB~Pa^EyIKzbCHPNCtWSj!J{XNsuIAP zkBH3k%|lzlHt!3?wBwNu5zF#TJ8Q@^X(8RtgV5ZwGgpOd%xS2WWn3zVMuJ*`*o~m|iqd{@j8s|Qi0~Zcr zP`VYn(8|{H`aNo0G!0t!JzmC-JLGIUjcOd?6-`$^W1&nzjOZ1iLuef*dLB$)F*R_3 z6vcVH<;MoH7+@2@1=_Y{o3{%OR9T>g9d1e4PDd~88}}ZFoTV!h7T_az8gmASss!LpRy&t2={UPB^xzQ0Ja(l#wBX_Z<=k9gp+ zW9Xl=sueGJRQ8=yw-ieM*?xS2QUZiI5k1w_=lCPW-eCn%|1f zpOxpr>}~b=x+x_=dHX(Fb;@iS()Vsq_&MSP=RpH*@ovW2WIvnJf}ns32By4|)_~6L4VQ`{B%_uFdnklFT2gVhTW)AU!aR&@n17w`lYo4R)Z^ z{oX+#DINJT!6FA-w5;p-eFVNMT{&qXhV@o88yJ~2fHsC$9=nEms$KVp{!urtcgc$@ zn(OIft}Jz~9jlrgo@lZb*Bb-}f`+m=eOMMln@{^_YsWDGE5sRO=}}xzh&Irkur*G^ zTIZxiqSK^o+V>By0JY=8fy($^DD_BKbCu(@})3-ci3#I>K3w^~2q{n&Lb}d95 z6<9e`PW`D3S55AUZlSx?OR3X1hc%^8UkarcxX~n%`zpUf(<~I2R;OR{r&HgPyrs^b z5S4^kPC0m6cD27({=%P*RrB=#n~^{CxGoc5IkRN%cMo{V(2!nxvKup$>r_=0tgbUj zg7S9MybwisOBf~}V`?WzT}`|medyzZiL`wi(kX)dDnrphMy+ya`kusqo=$b%v9D0# zEUWeR>T6DE$(GnohhXIFkrBkKKb6JjI1Eb>#Ys@emA3{noNy~J5*Zi6t)_a2x7Z#v zCZltELcu-kGGyEsC9+I=@rmQ`{Z$>XrwI=OU?^7wz-7BRExiZQ+fvW1knE%^urB2z^ke zF2AK5l_uRd3ENk&lP0fiw%|+X3DUl`iRQTYdau>Ug?c(qwFiB+ouN>8Gv`EQU__2P zFJCK~bIL+L*$8TPaQIv~`^2{H0j-MKvdf{mzNaI4^nB^ZJmGaaTXpG5P*_&A_0HeW zi%YS>wbNvM;nngB=u@dJ&it-d7LVzDLKwK~_hR@#a+DOY_pLvNZ^Q@^J^XUdwy;JG z2Gbs1)YqNx60(XbAJ>o>5~peJVN&fUqx&E8@rm6FE4_WOJSF8EY6F=!0$IPt4`UN^ zYhA14VFM!i|AT!Mt)fp;EMZlcS)^*9EL9>!~I=K-Rv7 z5RsPDzTk4mxr#t#C0SYVk>_c54K0P2-wDKKh{tDt61`26grlRT{^hQi(=+sV3zg%q z8?{+7JgQ(^#L&mo*Pk{rD!U#bV4-=gn=R_>xu%R;*#@#?FDbv`16Nh8yMKJL?CqsD zljPfb``%j^YOHlQ7^$abw$U0MI;2RL>#LIH=hd0rxDg_xGiA+hUKCGya5OQ5Pji3t z$dI*Y2FK7=ijLCMvNR!ip*w5V9CRBc(fTIxspH=yt=BNUhPlacC5HPN_u5AZ-F~** zr+p{xVCic8na6;H&zV1~S2Z4Q8zPty;dMSCGq2YLg1=em5T3Kri~OD;d31ra-}Nvp zb+&@jS2ere{5ir=v1}LGign&JhSjCLGix1Q_^{3H%(M%?4+Y^MR^(eW>DdC~uW?fB4=dBf(=ZV&Z~0bl1-j zQI3pTdQZWo|ViOdzgII`C$rnuUbXg9OMF{X`>4F-I5*& zWD#Ld20bVhg^_0*$}!(grbK~?JlkycLg&WXl>r!S7sP9m5!1EJ4T^ulcD`*oqdK$lAEa~9p2;Zbe-xKezFtn)9udzT>akj-!-A&OCYBgr)s27EyR zBXT#HMxgCh9iI3SWK(Mp{;3f}=f-e#bD~whyO+Bg6a*Oq3vWGJ7P*JJVHPU>)vg-a z@%RWx`s+3Cz2?#mE4ZD(McE$|?i_HS(RCL6Rk9}DST|7it1HL3L#=-f=wM?99BQpo zt^iWKP7#q|A3~oQH>-n;(kJ2q1b{OXfa;^)|Cp`Uv7JVK%GM@WRqZ@t^1?6BC~)B@ zVkLvEaO1z#4Fg!-9!6F65+A$>u3mhyWWvgaUArJ4 zw`}|QGK%$w-%daBf{0!<3XluJm|n1aeCb@}DWn(_c|`c*r_Zc~4tNGrd^2BntA7R;$lOqzR$fyRC;G*}bJjJ+Xa# zF>6ZL^eZHyR>Fxt7xD|@?GLa>tXeUy-Lly~05sxq`;nle;|LN4 zVxjLI@1-{HjoH;*WN(iiV)JLsz9phsat~6*Io2v$)+P-4PF5Q-_C@J%Gs$w~Jn04$ z4Q`l?RYw|kDsB7$YSNF@GqAxPcfLX{fppph0@mDJM~_SWpSS%cC@3vUAoKO>|1B0( zhVU&S4M`84obY>n;jOJJIL|-Zmg&ntzyX06*9*=;Ib^& zETY~xs7HUR@w;gv^XuC!_}gD22u6ZTdJA)@X_-@>pgjx$B7 zX!;&`6_7w*VdxSfrZrCqpADj2@T53dX^5o|VoDgZrqcTgo_R^1gT zU=!a4gRdISI1e74kKya(M@U3ccPqKLp6i-M5EWDRdo0{zgcC@wm*7u`x)gy^okg#7 zv0es}pV#|g#@vbCR-VEEey7aj<>lqKk6P`SfiPx>m)_YWnr9Hz1)=hKqZA0mGI*pApPF&7YyR!y;3m-(U z!w}vl^$b4?VhjD8OTFg6koE1=kASF>YMi)?SGuwX#Y{3^vdk|GERfc$J7VZ1kQ!&e zC76OwZk=2?%--uk$NVm+!!GpZE0fyHDGsn+OI>n=cZ)#}h?*)+c7(R&;rd%%hSXX- zd0ogLhrXv>qfG$tK)AD6sE~FQkYCb^zYhCU)nr^?D0?R{a73o~kV$K zVi=V31COjl1Vz2Sdd!ddTAB&S=y!rx)Lk{Z;&4uyS?%IJ%2snF(_C?+EJI=>t$Z?? zcHM?JZC4;*%cY3KIFol&d;*#OiQr-Ijpl`Cf2?#E%1 zmbvJiQ5ZGpSkZdl5a4mz=>7Ty?*kmiu{8{@pN9#gW!UdL)h?2B#k+FWxjp$R8f#)1 z20;OL&GtK@?Yye+7AvYSt5t{KAvCn)}Zk#&c)w+my2#{rpVb4;2KKZ$gPLC|% z?sA`D9+$I-Sl)E;%-s0~)1r)CW26CcGd&3{Qr8z>&D}0PM8{+kjbJC9Q!%+XzoNZG zB~#)yK|yXw%we$sZkkUY=|JU9gkEIwzgYPM?X`R%-dAzpx<`$}gM>yx_Ct*s%?EUM zLQ2zuGueyr+$+5te2v;t{9aY39$MrvuRc?*#lmsx)E!9c;&?*y-Wl`kbJYADY_C}4 zBTRlYkYtM(>JPZFD^+=d2y~qm*GW(}lB$&E=g%~*0#)nRg!va&4yL3$P^S4aL~snk zAbQ0v`49vzKKVZ{J)atK#e=!OX%2Icqi+fhaCGQEmE z7*Fcl5n3#7NtGH$NDJ(xM3G=KeGnbybeW4e#n=Fa1Mtl=^mnUe)_u)#Q|B~r_d^0# z3iqSVO-P|*t!}>g7}-hX1+Dk{XjEI?G|cpd<;bO=#j{4W+R~G$Ep&|ZbK#eaOYj<# z)UT4<^&F3ReVQf|TvB*En=cbNXg6hEVl5UX zlJX<@Y4fhIP+nt6kpwircqPa0bH?u`CUy9rsPO3rdb$V1sr4$OvaER@dw^{ECGHrd z>6-y@($ao(E2IZd6eljk$78OUgvv(>hF(USC@QL+{4!w~$4OzfT^W_jT{7{uP5XOi z`Ig}pD3B*MaNA14tQ?mPCZ=WgEVJGrtYMui;Q$m9JO84tZvrqAenhI|k;Ik{y|xtw zpB$6_T7E<*zWTcJJkDOHDRxeyM9PX=YUy+xkRxm2Y`b`ckO3+N)!Oe7uvv3B-S9J{ zoxBcakw#RvbUhrDzgWXj5wiOEZQ09_v~S|@{uemK5q0=bsBHR0CueU37g@4tsMoR^ zMBZrPpJc&VTix;xyKay#;3K=(4ibCusZS3;8WiY41*;cB3M} z>lML0TAdyBGQ8h&FKM)zKW5`jSCd9-d(jw3wfm4-PeLz8VN*oH?^ZNWEN|-gGBM%wIoI2(K)4oQntgT%G5PssK_>U{5xxt{)&*{4wk4o1@8pev^8<+y|qCeGkq z0Bgo~GoV(lBe4Y?fN%hLikV{HdIxU0K_= zdN5*T9sOxOqp9MM=JS24*=W;MR~xw;HlBHP|lPC zxZ&Y6pwSjLVg)UE$pOaRQF03QA~y)jtGN?par3-RLT{#CS<)9Y@m6U`lQQW&mW!Nr zVtTyh2z}A!RRZWXNl{eUM0u?eK!1g+K*cHTX4fuFbY62fZGPhv$K|z>MlT9ZW%b%W zSL5_}PHvO@l~&_40_+!8C83N@kLri2bhX!x(Pcp*&P|4_;o$aQG#@9%DtNC7)#|NM zWEi5Q7LfZ*Dpg@OE=NLyHSKK6#mSSZBf(BG^g?#NPA2L+O3KRaH!ex<_9JV!pQTRn z!UB@DYwB^BUGXF!u7ZXA{N}j&?ekgQjwGw**v0C5J_RY0Q}pVDD+EyoAjr~e%9c{6 zHV1Dc`ah632v8nY-FlJjB5BpnY?0(QaJT`C?se=Q3|; zR9&X^bwBmqja#wHY_s*3OE4cOq^d@zS4EG_c~_58lA3w1+lV4|wL@Q0{nDD_oIV|* z<4S#(v~^qtK_Tc|X}MTVWZnL?9>;j^j;&aSKu{oU;z0)Ct|GtNP<*h)2|k(PNQiez zMVky%O48rk=qh*H&es@&%=|p$27KUOClB!Q*h(^i#liXu6WM}+&9cvcKE2{&^>yzWJk zRaV7JwLqspl@~9Zk}c%fP!pw>@VcQ(dqQ-a?jikv4N%o9%V&+Q+0{^CpG29}n+z|QI$Ax*a9v_v; zTfM~z^rbzl*AdDKfTDo@Y5p~ZvRdnio|IBx@Gg(tL;Ew-q$03VF(VjX5s@-OaVmr8PGO2azt}xAs8_p)H@6ay*@+8xC!- zp`6!au`|pR7?xz_kebe~qd83&;M88jJto0lP>NXxy^S+NAS~#MZ6;Bh!ayzTYbD(Z ztc54|weLCmozQVp3Muw<;8qvk+oDHNLJ>vVA5<&?<#|}8@#eL6&(T3vBxy5y-kKe2 zY8BX4GQv2S{+vWZ>zYNkKF7@a1aFAuvdtb5ycz3@HoN6pp^z}GX&hV0Mot)jE;Hw) zn!Ol@`^>}9wKWsv8@#82>Zc>N%S8nv3(QwCq{vnDZue`-iX3jvO(gQ`DZu5!PJkgE zsV$S65iYcsnO`ryQR(|JDBnTk>+bY&@v1SWOga^M^`DL_!KCQ6zVjc;Y=Ms7-eB zJ&p7y#837l<7r)+l-lO&E8LTyb|+eHgR3Ah-ZxgrH4<8B(k)r-C;NfbD(>b#AzJeu zr^eo6A?~HhlwL+B#G)j67xd7Ks;%#@(uvpWyG%DCfgbSAJ%z1e$@Jf9qJQiZU5SC( zNB)GOpeIuQARD*@N95u%wlliDaK71j?n3kSIo>|T6Mx~cX_|7IC{jigQNwNNwF^Zi zlJ5GvpZJonjbI{s<}fR{V4f^9zC`Sr`qxU`Y=E1|f3(pW0HZ>E+9y>wCV!VhxI1z+ zYC5mGZ+6duZq>>@M_^#;l(Y#kBuInUO=PlGff`M&ooeED%7)3L(F^G`&|HeI1jh%J zEw@T?_`ST%gybi`ZJ$-fy2U}ZQAyPW>a))--U|}e+6?APVaqzG*%7$eRXM@fFt;DL zg6kqXFJN`>#J(!e>mJP`h>COXbtJj|g4~xh4A?)rCe;YMA-L4K)#Z4%`rN%vLU&!c zhJ6?xGIOvwYWIIXhRTnWn+U%ba#UJ*pKQb9tp97jd=1z5hn%m(8;*ZG;)pNF(lli!Y^$by-Mv-cKlX%{Y1XzozKZjJ&qDw47T1cN+1L)e7t-E`Ah5 zPSx;POku0L4!%ZBQ9tjoB3Lb0k;pBi1>b{-8va|+SLfs=jq^@*tN_wi=Irh2kSBf# z#$$3<-@d*7UviA1=W+Rqtemg?FEcmo9)isw#VsqFheM8ny2*}?{lf{Ib2y-C`jvw* z<2xk4Op%e{$LZrIJ)`p87s#gCMV9g!s@6>d`fP_YEgH8O+3q^6J;lOvS;eE#!4GUT zcaa4(n-MK|Y9@v7HgWm-y+Q8tYv-h+c-jTws&HQ9g}rVYDeV8WcIn@%f;0&vsy;2B z`2FwwwCIgBC~?Vf$z#&wA!%q35jqf>t{>F zf>f#eVhAWd!7QTgiROO;voo^7IF;>JHWnO`?NLqtl|U1(gPi+Z3IG3%A=Bb(dF;-3 zm!g8-iSe9{yooH_2~T+NHWIqnGP1{|E4M&{83@r^l*EDRFiRblNd+1fJBpf@z<;mjQ1=729;GGyPG8<$y)vEk@<#9L!LyIhyZ@a$wFHu?o1Z(6i ze6S?=KcU_t<&(H9XqbZ;!ZeE$vCnIc%WR+bl0Hoo?+)XfC~$=F?1hzF);6kKD)8ky z-0W>fmb`~%XY_*Hr~Kx*Uc}ismOFc@eo67Ns5jFqg5HH!<7+;}WLM6v9S}B;S6u)s z%qWT6tNVvE|9A-e{eb=Rw`!q`a6T;TF+*&Bf273A|G~*X_nvC(h=IvmZ}Q_X@nQSz zt6tK$&|q64rglzXiqB2LK$?6jJTtxkstr`HMXB8kyq%#d0&S)4e=@?yF#jv3gyd=F ze3zH-b(wU>4DPHp zQJ}L%N`^1tSV;bW$w`N{L`4eT1=6lihXD6Knf-5%>ayS3FZ3}aX6KER+=2&-aKP=_ z_x%{_#J>Ohvy*d0Ue~t&Ia})S5+dVdA|J550PB`DLnE0s`i&$&*Ai;q(n37nGf!$ zygKvdFZvcyZG4F6R|uLDAzMd`wNGx{sRbnE%n_J7bL`K59r*KHCf5+Hj;iQP28UH) zg3yrj-w$Mb_F1`3GbV`wm;HJ^MWMx#g5)T4&G5ePF3glmLbUZn{^DqPRS?6d#ol#} zo)-~%U2te5{J9Xs0`ZI3Gqyy3BZCyZtozjxRE-HF7x?(Uf6s#M3m2V3>IT!*lNjmZ z#zjw87vGe90XlSd*0EkI)qlR^MGwydlHn-ert80+P9owtc*>}QVqvpeVK*Q6hy5T$ z0-7jpm03C%dy?6tWsz6wMyKD7BG|}@myyFpd5O~su`Qms%NFLW8m8ap{oJIKU(^ACoHS!rmyZ`&r z|F2(-d=}j=DN|fRwDNy_S^uy9+ZP6wjQaF5BE7H`# zg5;+oF*(L%F~Y^^ao_|M_hdNVYCc$-Dz*J!DkSWvmMW(ng<v<#R;``EYVLM2#mQXvXwDi;EEFwN0&}+H>upN*A22{7- zVJ~@9c-VVCy7+xxm&gI31jp5h6!?h{i*@bUuaZOeVKQ0cZddKF(3k#s^xJcTZ0l^p zeCiO5)Rp2tZD@DmTXoa)v0QVS_+ZX`)&PGRZ=2_Z5H(1vNrg zw|%Bd(n1iZ29AQ2VsSxqPk4}40|{4shjt^*xjK1bL8<@&hkj_y-YzjiLJ3Np&H=T zq?irnbc<+fCYj?FxEVf);AjNY1<5R;DA&-X5kATAJgJ>pp|d3rxIos%Tqs=_n;>~* zZz6RvZIe==7Q<5T?Uv+lxc5I70snI9L^DJkJWXWBZ~tvCz;myEWcfws0n0VjQvQV7 z4lq0)`M~+;hr@wSi|Z>470N6Wt=ty{*Isl}$2TNxWkbnl*v>u3<+;}z=fgu_)l{@s#4eImf(8KUu)nEhv&nygF?t*>0wj4Yd?cnB$)f@+ejG>CQegBx# z$P02VgrtCsExu`bF4cgj8UZMZq^0;D5ZrIS?l@*$F4Lyj{N$cCzc`F|Jc#U~+tzBm zkmNoxl``~YDfwoBg+q+pMuUlf<1LkoahdVLZv?PL1vdDx1EKAqhU?Z}FPE{Nf&LIL$4Gcc>lC54z@XTN5phD=}9kg!CixEAMbL?Pb17-g^(zc(kC#CKgx` z?{g}7r^P8O^gBQwbK+VrR2a;_DW4&s8(*Y?Tz4QvicI+3`Xyi-tWR~PhN_Ah56naR zzzw_V#Vt7zn>`=2D~T9+LHQlA8KhAl%5nkYxL9YnQ%y$#-0U|ash^w|>5sohaL4XR zf3=h!O<)f)WK+>~w@3IA;Q-y?XYfT?L|K%ugRBvRk~#Uovd7j6zz_~}&J6`33u%eS zM1*noJ7FnpCXCQ%U1q&Ig@qp2L$0vZgC2fo+7)Tl(-a<#q?(9+4v#=MSjs+sbZoR#GdtV zy8=Qc985@eqm`|+2t?2o^LLQuO?*p``-5%J%Solq-f9W^8XE=LMX8?-@CmlT!jsH9 zsCu1%XQ&R~HS7~bHWEs?K>;h>NW5kjc64s2B)B5)x5+lx{R0;VoS961zJ?9e1Fkx0 zmgR`j4%ce$H^u|P&wF!FGNAp1_vQ*--9g5hh;%DKJ7BvFacQH?m6*_JXmGPpk?dhtF(z(cYifSZ? zXRzwYic#obM#RlejAK#2XOGpVOMs0n>x!!Vro49pC^T!I$@$JhzKpV@n83Yfq*1y0xk55q;r zR7jBXj-+&G_fKveqSt=ZJ5QD>Z?lw+^`zAx@C}z4Y4Vm0H#8GQ`q~!3;Y1q7A$n7~ zcijaH3m-g2t>Z+jsoDpz`D)tI1kUg=ZBEm>$db7qx8PUNx#&pWZ#0%Pd1mua8q*89 z(vJ?Q>ow5JSGlBloMPIpo`Ij&c1`BoPW&2Kjz9ILfLS;w-IVAa5S1(~fl>m{fX^1h zdo}a32BiPqmH*9C5+8xX^VAPE003(VcZqs6aw(f@rxOoNTQO9Zs};-Z`Me3|ss)>g z%=X24=f(GfVVfqW?kEfzpQ3El2pd2jmksG3zX+?4Z7+j?TdNLQVb~(T3b!;dqNKF` z&ilF5DAQ1xcQCnQq~#UHuBjg6vu74M}ehO*==|!$t*pLy%usxI(!x{?mbukqL+qE zi6)}LSh=s15%i!7gl4X3Rd-x=B#SvyGB^^LlL<5`p5eOiuUn(>XVKLo-UKh7e2?Pl z#?y6b8@PDqx9!7<74~t)!$Um$7W&QrnWN2{mPyvtA zC{wD%T%Z1{%4(Bm>fAZDk1d zw7qOBxwq+Tf2&{K$6dACc_mc6q2$@?(rlL;w3EO_?I-43WeWYcofzRwzh-;O`3ffP zd3EijnlzV$h3036ce7(-?2cJfVqulxkbsf-3!8i~j>A|Bis(=`md5S9A_4)$w&hu~ z6)V22s=k*+R^ArIE0mcd4q!}G~WolWHl1-2AgsKq!B@%9nwQJ&t_c5X(T>==33reYTLsDq! z8lyKsDRmdr< z{#+mvTzQ`-r$ZTJ6VQg>CSD4Kza4c2vOqfmoG9vKkzC-@5n>FDa)9Ut`tnvR!n$+q z?Gf*DEgwCfahO=zt;z7Hm?nNYQP2E1UdJY(FEi0)+TS&j#o(TWL^XG)jduEAL(%?+ zjs(zOnn#mdj96(wQ*)HhZL`#&5S;gSX$YxN5wM%PwDoz}@}UqqEYcDbdbUiLbj$2t zI)l&1HdQ{XWuq*qM(e&&Zh2dX#-Vgt-?`KsficGj%2PF|?eAFq_3wn|vrB&j+ZYmj z=K4DeKx8n=Z*wU#S!uq&=Px7nlZ(JfB2XnFVXi^1qpNR>y3jq_XKRX7Ub4#U@X!|QS z9jH+0M=7Y2W$7&asIfzvw@lXA8FUualC*A|A1Wyw)$A#>9bGDQ^OKB?etE4GWe_m)Fg=O%h84lF?dsqo-&xQ!~I=WPlND?{Dy&WVXhjaw}mWSKVYXpt|0aTm~Dg7LL z?itMm-1jgYYLb6INWe6wb@FLKy2@a>BAqRK9-?ZGwsOmhM|Cjm;4TfNctRl;UlCOV zkiCCH9BK_T|SRK;gPT*!gyQTx5S|6>W}gESH&so{p9Q%^F1M1m2^u zZu)p>14$`$?M%46a`VxHEfzi7(&XCMf5vH$6MReH4(g!9CAvs0Ja&OfkT;hezpU?2 z>11(R+jO3l$;^^>XW2Q zwm(a%H;F&h-dk8-O`X}@0b35HXRIZN%(a=77bBL12R9GY5F3bV=HEaWx#9S?N~$9w z5hrt0EZ65nE9gEam~qDz$g`C)?1l^73{_3zdIy3Gh6};`xc`esYZMsAiF<+MvkN1G z)%;muj4wuOTI#jmpt5EH$saJrt8cOQd-anpz?hZuf%k>=1#@Vg-HNgn%peBR7xKj- zy`~W6kWNAUc@MUFLhoo}N(Seu`qL5yRWvP#g*2y)N^!7T9~=YZCthX?{zMpCFDdLh zRexkJgquba(~Sld$iMPW!bnG_c42P5y*|}GP_07{VedbLN+N@ak>1pO$(`Y~%J7#? z_Oc6ZeLHv|iuNR^;nHR?XQenPsXeMxY=?z@2Ik{H_I^ba5ory$<(x5<%d|qp_a16y zpvwr!bG{a57>z;~MxHY=rh1S@IawpXJ1?s_pApag>PYi_Jl~zZKc|Mw2+ntxt1tf0j6LlBe%d8Bv^RKej;l znv1s%^xV!-`RMHLQ3GS=R^fCBNu9r=yRl04 zIOA89Iu%pNA*zvH`fgj*{vr33EJKCrfy2X_6D2i9LNIGzH}3ny1yhr6yUU@B8+sik0Xs; zrP^GzD-RQOf(S&VTd8CUJ+mwdPPWRFoP20XRZTvQSArTA9ZkvCYfhQ%y#V!~vHSMP zFeYDuc;+%`-rjBL2u+p6{ChgjLIayE?iQA^W_KPvD{k2)3M=&oE(_PN&QSHi$SSN? zo0;i9y)U7}mOJ1Mn}m3V<8QIm0*~Xlj?RoH{6IUEhW2)z>{z*Cpif~V-3S$t2^d9l!|Nhj7yAE2_%Z9{dl zcQv_ks#c2iPyM`#HHoqmCZMC-`T8d2eaV^Ks)Ckpcw++P8lG~^x5sq%uf6>Gaz4@q zyHKOZY(lm()|E#v@VHudiFysYF*>nu6~zgt@2V<|VLUlXuemA32NuvRR2&`t;~ePhuh*Y&=_9t@Wwzt}QY ziO{m7nt+))*@7-M2cuMV4CP$ylsc_v#u3>-dNJ$h(MbeCA@^(Qe$ zJb9eSIV!H~JX%u!v)i_=xQEkVq{zhCIp|IrD~6Tgq8VigyH?LFnGDY1_^mraZC~_H zbz=vNPW4A2y4GE@APdr1RS||6-o@RkVTy4TwWFmfPK%}Ywsojx3gN%8R!LNg6hDQH zt9k}Aa?X)e&hn#s1Sg%Q{pR*RMd|MJ7A0YlqEs7r?((qhgG3TrI^o1eF%}i3d-cmc zx`&T~m2{w<6>PJ2A6p8x8NKCsPQl^ClYy?>YSg-Sgo@XLfDybPS)woMV$FqV7~*kb zak44wts`b5&Yyf&a}yPyzz<%bRLs`xv>26R$qg@|d0RCZfN=HQK z0Lr{!u1YUs+LS`tTff_pZPcm@P%*!;8;w`ZX&l+mZo&&x=95h%Ms4mHML6M-IR)_`GsRiFP+j=!yqj?trKWT8FL$XFT|U_>zWr((X$MVp zL_JUVAHO5<9HHuc%vieosfdAPO^r$JL?jNLl+3mtu8ukpk%BD#tNh5(x_c+B@#TDk zHq)PO-IuI?x<`{)`C(b+uJxz8mmW=wCC9u>Earrc`LXG1GLb)5YY+NABR4Z^jny51J(0 zpb4QnpsC66N(%0)yI0Tp=A}kM{MY*!Gg4*~S3y}uam&c%H-n?9%caZDI8c+6-}W?$ zt2JB&~2sg%D)H?=Vw6(`NdNcOQTn+lt(8FtKIP_o(@sDR_}tu=3D9}sF1d< z6HRy2S56+wXm(C*kc3R>jsWiKH+~aKni4%eK~b?{+6<)|uf0O? zuA7G72NJSCwr2fx_RJH7X?gArOFtsv!s3gjFQP*?na>8KFSiIGL=iVuW6g|)6z)s* zB(fQ&-g*UObl#cq9n_n|`{ek+hg)udn*#4#rQb>*Ir%6``)ic+VOH~=cu$8Cyaz%r zU7H_aH1fUcpT*q6C@UmN^$&kp&3HpjmNETmEpougjLYiV-f)5*g@+@ngD0f=q++g7 zaqdJi+EW$>vI$DGGN^`jnupL-Ii_b-Tuez$+K+G#l6}6Nx0Kvx)MnCk)v_o%nv*3P z{o3!eoiwC~#y&Eks3sEapU6B0eu|Q+^kdWD8J$xLA8FD*C4^pV(|JO0y=Oaa{$B*y ze^zQ|&J~r4Fb4gZA7tFH0)5p)#j|=A6LK3Wwy4fV~H=9_VNrcaX_)6W(3d z-VFBVugv{)T&d}*nYIl%OXkK=3D?5FF*KLgifEmr&Mw^|fjqWS~DVjsCR~ z)#r{1_0RSlPJ<}fkabRb`~tr?=>25^En@&RZQ3?p1RBv-p3u8zDDC9Bmo}uNo~fJX zR!R=r^qQZrwNyI=!f6_+8>- zI0(G?YRD_v9a#4yyawJRMyG_(3k0m`Sl&9beJ`?GvD4&Hxf9fd8KFLzC^Cbcz!Ttk80_PV2 zkvvj6Q-UVsgblE1rO_4;ba1ouhWPCre!6iJ5QTFEB2if`%4$1#e(K*rmNi|9x{erJ z7FZJZdcbnM2t+%R^ILvNhdo8JI+-P2E)$N;Ao12C>vc_{d{P!Q3JKb)1rgB`4g$rE zWp~y7qBX67B3^_>Glchi-8j=jWqSD859Yb-(J96np4hmkI(gW^yS+b#Q zY~ta^8cxD61z7aObaHd0(Q8hNu4YczBqKDVR;kiMfD&(8mNTAU#ncbmTHB ze+dJC>=}5a>VHF!lxqIMeGot?FrcZlZ|*}YXD)}L=PZr{vm!hX0X-U^(fo>d%V!P0>VW{H#@SYS5MxIa9-uEoawYkhW z8NJ*xJnH?@KTN}v0j<&V2o&vhS%KwW?f9$86VgVvFId?dioG)3oW6t0mP9*xD$5$1 z`AIZE^b9V3g$WE6Y$U3GX5}i67y9!~okd3>;1a9ZJ1nCkC!fKvE>81yZ@H}z`rtU< zk?MyE5r&$|=S5olQ(R&(BBic(pFcNwlMDD%$G@v?dPqBvmUcQZ|8{DUDi} z@!9>EvXSGqM5N5(L79(h6=+KHn3Wh=9es>3W{JQR=DCltI_Gxl{RVn%s z=57w=?dBB_k;9Ugq)4tTy?pBSfL9k!HzB`fhrNG>qG8vb_RaL{SmW#wdE6oUM4al^ zev&1@XKvHa7@8JG3NQ~iRtOy=eVJ~t5v|6|den)|Caw`3pd1ug4C)3WP({r9duJ=-gxQ3N|rIQ90#=^H0bo)tZT zbLqvu{qomYBAo$L*oBLKzJ@FKMJ`u93{JR;z6~8{#3(WO*1%_1oEkql{PIqH*96}^ zTo#QY`jRSU8uvFY3=Ss!&gD;|_FgLQZ#84pnhbmEUcPAc&`K4P74lKKe+B+HW9I2p})tw*d%mZ^IzkCIX zmM=Rt%flY(OH82g)->;%7)ag?N=Nguhsnm?Z}kr;Q%U}oK%7jo1Az>0eBYXlZwI?r ztcv}B{m_uCH){!&p#30*bfnnKhz{jT!shVB`eb(95v0S(#<8FC=V1`-7`V5y#Wll^ z8_X`3&aQcDv`NTXW{u#AyR5Y{Be5#$a3NJ;;jd4{OX?jVQ)Q3RWhym@ZH^9wIv%ME z=H~vQH`p*Pjd`vYr0se06-ppx6+Nfb!j>ETv#h-Q!=Y)niNE&uT_(3h;S{5bo`MW2 z{wm{a10q4KYXsMe%wC}DNWvW9>^puw^jN-LghLl?^>P;^^XFW2@1oIn55SI=9C)); zcMG>2wD)4n= zqWfWGi;3#p<&6|aN{$!wMGvHsBe)v(TDcAB^7C_3lej=Bu_jEemf(*#tMuUoI*D90 ze|87%DA|>d=trRfm!=UVL^_Ki*~4Hp?N>mjrRn|uaOD1e5WAw!J^j%Y-6?DVCzMhA z2jU5+xjzN?L(PG`VwV+I&uk{qQj$fiFQ+!c zt8?Lpt4zWBtsV{7Vyusiq=ia*U8GgH&braLN0x0cv9Pf3wSyyNVfIOjC}NRQdcSP3P$Dqrgn&> zmt9|+-XOT)W>9<^_e(`Zg`BgPx8ewGiVA$Z&7;Kf*IPuW9VVK#!ya#EH7_yq{p~@; z%lgS$Yb>9>qt@u_^3;{m)@q_(Qu2Ym3yM_zKPP=ZPg@_)L^3soX#4Z(vTJT!8$FkG zealc@Jd)39j2F0UOVR9x8s+31hI_3GuscRZIa_3M-SIbr(!1F%^5dyl{gLJLp$-y{ z;bP&*wb4YY2RX`Q)qAY|#c_97uctm;oSZzYxuoik4kistxnd2+Lsn?3Z*BaQyDrHw zG%7UapFivyWHC2fYIiO^$Go*mPC2e(rs~*JzM=U(vY7bu43y4s%N~oR&O5e zs^nvwDh)h5^8&;?JSQ%pj6U>iT>PtN5*(2BDABgraW@U*YvMUhPZ6>7&_7BFk!`xF z!P291Ptan5UOVumsa@6Bu}1l*inp=xZp}f>6-A8+6NfupK5;cmCc;OVel;8+xx7K% z56H#5xn>Taq`45{^SNk20!m&jq6^26P*6|J)}Sqbt$(uQIDSv+cp^>GxJ*>q!@ek# z69*Sn6jopL$;r2#Zkpki!1pQ<0Oe>oemeJ8@d5?sx2NA6J;oq4Fh^$+Y{j0ep<6G! zT#iJ5+aX)0ik|l7O`exJ(dzPjd-PK3@5R*g0jqNTPMhx?k=mhfF{%3KCGNZOX+=+2 zKWIIKNV`<4PENUkWJu`8Aq-99mWI6vrmp5*@P+GA_9jG}L9LsZv7=}~hPX-L_9xd^ zwZenP-VfTo5!q&{M~1pZ6c60BSUOQtBcmV9ilcq{tnsUAdMqL_EeNS3CxX~7vu`LN zru7KIqmfD04+dKy9Px}52$qSIrT|W2neLos!cRG;68g19OGYL!D<|frMXDpd#_f}; zF{cZbI2lJ#FZ~kpzz@yeeN;Wb_vk-fDF5^6j^sY+U}Zdz8rSsT1Ww4UOR0CYq!YNZ z&A}+bEpgrY;RNC3y)yclVQ}ofZarO7&!fJYMPAiHI`^z_$iArb&RgiiR``~hNR(gTHg^ekGCJOp%Vn$^9TKa zG3ukWGXU4xe|V1*kOO+FDhc~zu+PJ$+5HJ^Za+*Jz43KEt@nO?f3+QiZMNP@$5lDz zU9fGpN52bnhagJ(o2W>M9e-r&6Zd1L-z#8oKvp`5OC@d#$>XV5J8$5(@ZPd?+h`8{ zAZF~)xbN1+XJ|yg`FMDG?>QevO1x9 zSLeNco^fj)9%Nxsgq|IXoR1VAk>g^MY!3E%JI1F+;N2-j$0;eZ>IjgHgF0Mp^(*4; zvzHNECV|6{M){o9cPwL3)BVw`AN9JA@Z?sE#BZq){+ketO}EuK5dL-jK=(%WWn--g zo5sd*&q8v6q6ZC#ACr4f>nb_+A@)aE$)j~`fs+}>&16SkXKv!>p)kEyo6DS`^{?v?tB+59 z>b2Odq!R~VwB}9E0oB!ZK;4K~OQ>D-tTld`Xq_&Bvhp_6{^pRjHb}1qo~10GiR$}9 z@KZ#)S$maXQ`|H{3c{l}jr@a>gz+eAIFc2gzV}M>=Wk`VLKfLS5M$2HNEOb=TgJ~0 zMW;6Cs^b6=G(GWmt_LmchKB7KYPUSSA9qdr=n-z>Z17p=(w4dAK}cgu6I29?l#hQP z1_HO=S`bwY<1p}P(gC@U)j{7{PP;Qx3!jzfZQ~u1?5WXARW`Z_LS$y+kk@?xm8#!B z8e=YR8@s?_iV=hBfNe7K@Kak$ z+sL{nYLNwm+8$-@hg+ycHPO>8uTZ7SI!NErW#_#kX)L5CN@kb__-F4{V^*JV}- z{?(CsmwnLu2sh2#; z_h?}?&>l@zUfF{yd&zujBL53R(#ewyN!KBCD0}Xcd;=_cTKLK|4&nXzub0yZap20d zJB@^mVyv=H55VG-#E_>JD1cwwO;i3@yqC3HbXDf2>b#kp#E9BUhUWjBRtGLAl< zAsx56t$&$WdSCgYKbL{jb47nAT`ygO6!~CgiSc4N?@o!Gb`5&~DX=hB5H%bcUG&=x zv4gN_j$(`mog<;f$;nI4VY^VF{~g!lU+!Q|xpSv0+_6WJj+Tne?#AM-ctS&vn8&1C+v<61gGREiUy~K1Yi%Eob?A9aaEb5xaXT0{9)U@DV$S{bwP#&~q!5P; z>|W8Xq2RMgq82N|Ki8Mqxj!h=mzA~Ws^md?Y&H{-6)63=qUZb8fuoTm7*Iz`{Co(G zYxh?K=&qBb_3zxUwzx_7pW2Q8xg9>#*Lmq6JxToi({2Xg$o?FI^j&ydIJQa_emR22 zGUk_w@zdb~gDuAAu;0ge18HT>p>F?RVwbee8Zx!q>xxuiZ_;JwB2Z-Ddjf$JlhE48 zEZe;MC$ss{m4MV{xnOE9GrBv!q~|w3n6V1+a=8gK2sVBUDq@S+@(tYQv(rCdz=uG)ZJNv8_l zJr3!2m7zpz$={1u&4vr3L3G!1@3Eijx``&X_9V&N3m#S4NL$@qfiU1!qUo(@@fBXZ zm&z*Y$)A_8n6XHa6f!2a=}NBY2o)}BusinF0Mms_tAD~jSU&&5&BylYohYf0)cl@( zTfya$kF(J!A%nHGsm?0Jn2g2+69D)I-EJ4+@VmfRMBYT0JyipNr$`8P41ficPgaw{ zv`@JMyL48(?&golaI75w0{rX@= zBy=1uImQgp2nEA4aXj`sw&hxGhZ(pY90-LqqDS{eKwjo2e#9^0vf%IAd+`HyVg z_|wj`FiuR$d=WWgy(M)|MT%_89!Y%_G%@t@pYu6gKwjvpG-`ekB#Zs0zS?Y!{-ZO0 zx&hisO7-6`bY3QMg=>ia=j?T3U~#NF-u>Ok<{=;SC`nM&oaBt(ObIq5cUez;*L@-~ zNCXm{VwqUS03S}-{PW$14+NNpd{#0v@xCH^sLLUey!>kxS(tU??NRvP41m8a? z55^JM^j6q(VtWQg$9j{Un-kvPnPWPAKkKP)@1zm#i?j(V8po>5g|p}?Zjn@;VbdzR z>o%xgI!PUus0Yg7`>LOw`8yN@+>dtlrO6XHCF;a4RKfRWh}2QAje2Kd7A!}`4_ng6 z|MH0<+JKy%yB@#1LE!ipSqGcMR+2(+8jz(~Uy1SEz_pwI_ArFWH#!#B(FmIxR;80;iw_& zBZxHLbBvJPY)$J|6#!Q?F2%BLrkPZEs{^tZf|3j17#Z^XTJ~4E{7=+;83#CoM$DIM zpQM=hscpX9lw~BN+ueDb{W`iyc~3(Ku64?M1deod`Tk|fwcdy8GBcB^XQc}{A3Si3 zf0wDav$a=|)wHzN+S`XU5Hd7sVf*vMFlZ4oXuH(zz>z0oE0TxhGB^g-LCmb=Ct;R2 z#F@_Q-Q$0P;4D#O?c-srW9@#7;vPc#c+GSf@f!H$Zn`&9Iud1Rc%MPk)S#v~Ro*kN z>cENoha5t;2VPQkU<28Z(w)+pG*+`EC$kNmIw*f=8;xd0$c8|#B`kpqJefB2j1>?o zViZ3FZ!~`(oBlfNCFXlAWHWkM&rW#SRv7r9eFfqyaF+H$C0e0SO2DQ{m-QXb;SobCLb@W z`MiOz`Ehj!2#_1W4#`8Cu$bkyWK5n4%z_^G_)NmukT*d(nKY(m+q`tsXLRR9She%Z z;GY_l{2cOVI`~@jLv}ADZ+xD$td7qHfHP#-r!~Jzo|{8T14cc#X7XD+w+rL=);aF; zLJ@)u)(K@+e~wV-UgFcr-n;h${>AT#fjy?#ac&#$y z_x0Q$jb+&aZC8nfrfshbiVvst<2-nQP>sP={l^BPdB9m99T&-{pLZ#W$zfq|7t29U z)->rp6XBmdR^8KBhC?xRs8Jw!nN7iF)4+o9+3^^X|9sCx_;`H_Rl6%QAr+fkpax*x zXyygBqYg6Jm$$s&xZUdKS!{p`RsB`F!gdzYjdYLQV;UH>1f4ED_%~Fer)*nj!@{`- z)Dl~A1ewIlUC*#s_efPXs$d7L$#}qpT+K5gzSWk-A!*spau71#3G^DDw$TEE$F?&e zs{C86Yju+eH>KjW8Qf@y$mmEoI=Tv*o_K5orM+9z6|fx|yqBqx{l&JlM~Z2t=Y8in zy6C4;>bp_9O~=z%N8#=cvgZ+ojwfQ++Swgpht61eo)8DscAOW$zum5uW|VfsG`%ds zJDVW^HY@Lj9q{whVI@h6-Q*L!+sDF5mbJmF=2wx}aT zO$s@mC%kxZkZp5*L?-5R$>$j69@o3UDd66_#6;@_8+0O(n7{#;&o2_w241*YG!juw z^NL9F3<0^mxc_xB#^cN!n8na5v4*URGDwk>M3;ENu9wnR2|a^W?a@3@YKBSIRUup8?1V!M2gwUiWIOQ#3Uie+WlfS#Qc7W)aYN&$JxuJ*s#+>X zB|9Z4Uo6hZ?s&U=dlby)XbJ8N-OT=FXgBhkXhjZwUX+2$mRwnwkxlj~=rmlg3BXQ; zV1PUQh)xfQ#|}NDUbcVIRlEtGmA5{U-CL<1>IAY)*AxyOSLn7px{+=6!Au$dlSaB= z2QlXzpEgA^>x#HXCa49~Ku@?*2nZ~>LM0Pqq~wt&WjTlh?LhY)`*Eklxcdv3vxR5D zWz-sCf3V*CRxj=Yang-m*eX57{>ELedaVA~xq!6rkiX!pSu-7jQxl)|eo1d@r6g0+ zqDOa)yQ_e6$`Nz(k~Ho`{7#K+=06{u>vFBRptmaLL;`cb8_zWIfyr2p;1g^znEN@R zU1=9?!I&qA*cFKEPmDg^&b=u0Y!GO0c3V zJ6yE+iHx&@oPiG3d5&?tY6(UcV$QUO=s(Q%V8oS~y!)Vud|}X97Qb%0TqzRl`rJ<< z6xTIEH1y(TCq7XKx!4U+E1@+8$1oIANilquWk2y~XotV~LFELQWKQuWoNiVl4!l?t zTE{7_JI8fI`SwUmV%LFcYgtK8)?Np|ILudS_ALuxB@uZ@CSUP_ROG&xP2*wav9?{e zSos5ZFg-E;!1e%N$kRk{&^F`4%fQ*j^6#;9i}};AW#Gd8I(TDDxKM+(`785K2I-Vx z<5uKdQg6O8^CSsVz%;0T#|mm05G=$NIIT}98Qk%sjASE;%1p_K_j+#^gTS?ZR%;Cg zImpUKPbeZVY}t7Z>ArF)8})6++768cPNzi+HSQB*ALgsjOQ$0T)8j4cO-DOy+L1V8xhyD zI%7}G9a_N5?dlBXuP>&PXM?>&*Xqxm`6G!E-@cSpphGfN^Y{o?Dj{D1FEe)#mpbxl z+j-%x8A@N@^D3==EFugXzvIJIEfp$pa9fj}fBF5ixVX=tvH!BUZJb)o2r)fJGOLK3 zi+vARvhL(BJvBIZxiqcsH-#UvsG7Ddw!2B~M!FpoOp8nm__iL}<1w8MOFqcLKPSxF z+)7E$WT0%&A4)+#)xYb`%O7BJ)Cn1$p_266(OvtC46_g&Ql@(n|5cUQ*H%#Oh26&J z))}8zD8{{{v@=VtdvQFBJ>W-qea?x=y6u_AVWkssIjk<6)?U5715cLEi#;X?C6{FD z&s4pPBc_jW%F`%z=iMZ!$UW0^QT8Z};Alu`p_)}r?E?#naq>v@SZcae$S|`*^k@Gk zEX;fu8GTqP58h}!Juw%&ijkop3`SuyTHpiMY+lLkg=2e99E<5J4NBcGVsT9{V{GS> ziDdEvLh!SMU2S#}(mQ<4IE@o8)p2Ma(Ycd5FLQZKIn{62-}NmI%#qRb-`hJSHt}%x zRB}^=!fap31uqW!=jG~DXM-aa+r@Tv>v(S$J4Ln)TMXC_$YFMfD-Z4;Jtgt}%C4p7 znpgOWCUZo?yynW%)X!h?hezRBS=H*_Q9k{{AE$+n6`J?TDge}p7F z=eK7|QfvN(d-is@=rAhx;@6N*M5;?iQT;;++qc^>x6Kmt>T`(gO;#3#3z=t~Jt$}J zQ|Cz}F+_^PYQ>>Aw4gUL%2 zf>IUFq#10U_fTM2$!j3=B}Q@=Y|b;7rZN@#+?{by?ZeA93gb!!8Y<$9#U^<%xnt>E zQs`B2qOe>wEx?6;>Cg2|W}0y-Z(dSZu=F=6yk1y18}VnTS74Z^{ko_jd{%VJ`pxX~ zEr#64jWi3--wo8#Paju zp4CA8bF8kAnHeDo=D=vV?ruSnYm5WB&(@yY5rT0u%lK-{x_W+;*0w?|8I(nKIsA}J zmENqHhKJ(@Ud;5%V+#c9Jk6q$odZTcj(Y8QbhlJPwnKzDDdJLfqO?a*tZBy0ysYjBX&L9;$vpa(|No3Cpil2ODiSMRds$!=Ebv1)v?74w6Uwp4qebnD8RF z^D+0YwayUg?ZtGon)?m4n9&wtySc7F;+1F|#!HW;J`w4j{6t>t13+$A_k_vi$VmBefOw(OM6;8jmO`g0P;F`v%P|A;n99bRaUD z=1#s%{5@AYv`!y$90$kvd&t32;A{nic4K-sxtt+(S87F=VaBx*X@`FSM?o&ATQQH{ zYKZP&+G8lJ9=@mE*V8#(T)PKc!g|MLU&u$1ZRHg0lD>TT-K3t7f+K#c@d@G28>SuP zmOBRqeXs90E#AqT%zG@D@+>0dAjV;&adO)>*=}FbqTNji)PViKOWa#(7@_y^MJIs-Dm^;kxAf?L~0s_+4W_6816r zCch2X9Ui>{G%nrJqREA5I~H7~#J9fW$m#=G3aNAY?43->M@1$5;hA*8)3BvwA&HPQi+&vNQf;xB&~2|^^;b&=Qa0~OFQ?QZ$%s&!-Ka*(1Uuz zKz``S^xNr;ht?3KcKK~i^5)QU{QM@Ne5a|T_$vphWHKR_qEGqefkDsSe7L~9y;rdJ zGl}D~6IoTu+9n7~sCvSyKlh1Ru4ANF1adyuGy*h%wImJZN<`d(KJAZg|8*z9c(dz% zC7;rJ=65F%opt!i*^&z=C}qzRM?w0NrVs|*q}ivlF4`wE;v53alO4n~f)Ih(ju7o-A>+n-n!Rshf_qJ5}w9_tanViK$qwP8l1N|`N%cvp0~eX^?d(OD{M2XaZXz! z%Kr`VCTy@}qMr3Jw6&7PcJLE|PhTIxcQizL7w~gE>-SVUfJp0ih#fBh#9u^#tGS=m z3ySf9DhOu${6D0bM_Fil4wF^HjNgNB5hHNua-#8>q9SI4! z<<#4^xIXb+q{jcjZIX);atS=8HNHf1wbU!UiFFr8zW3~Y;#RVlnKsi`Ze=YS98}KS zG~hH+N%*SP7_*~E_fU}SzRzrh-Y2DKLz|S?AX`_@6b8ezqCAIyD1qmW&&Gl}JfU%Y zmZ=r->A`S2kB!LCb0C_2EtfCR`}Bl@#0Z|B%n0N{VsnaZS7Asvsbjd5ys@GLt7%y+ z&p;ye3Eb({uiNxKYGk;XpD?)>^39TM7@GioZ8X~)Ub6IH_o0Ben2>;epE!@wmf21) zv;q-eJx%Z8*jbnsefJ4fU{`**B}eQ}C%cJnUXKTEtK?`VwzgJJaVu`ymt-}z3KFGmud)gs~z_|T>LiPd##~C!gRciUp z!r-9-lx+a=a4F#UN}-uKHD?(PG(9<>P4+%dz-E&=Vbt?!zL_h1tDvW^DxO!vQ?cc( z@JA03dp%)|E__;p@%I%3@^^w>T%qo0RjkOzkv-Obb?vu0sBSEekizS4%`J$0yj>I7mqq+gYKc@IY81vTR;NqcNdLRx%MU*yvWCjeJHse)K!X?npVt%?V z+obQv*c7uk{T>tLQYz-zSu(mVeWX()nmn=lYj&eY%|!TIk=vAAB$ zf-Fvt4@7^Up0ZeHGjDSN;Ec>uk!2=_PZx9^z>8cZ7u@Mqh_+F{tuLMcyz^-UH)vLA zq!4cPk?v@@lURnv&?>-}>|nrKPT@s`a_P;rKc14({`Q-6R+R7FI4~c+C3Q<4oa+V= z=vC~rc=1|$`#y$ivU4l-M*|sM=-yeduQ1eqN`L|BRzyM*9wZ%)d@LWlXV5Hde)J<| z{Z?SsbDKE^^LL-<3`(Kc3+C=Z$J+OQd??B5SCftrImr=Hz|Dr~zhec75$i~)1Gdm! zOE`O-$-~{iN4yPk&htZGvXRAUlIa=Bm(9O;BiKiGPY+4qDO7SSm8ZvR6dQ)axnL~A zV~ap1E+~-d*yY)}9d;lxBf&nBclYv)$)j5N{a0^1gq=|e`HlMWmKWMC(Paczf$>iZ z7{RdPuYp^|_o{2`r3+Y0yDpxBf$#XzA}|o2HiO>xaN`>(-$4gG!zJ4L<1j^cXR0pX z>Bo7kS%5Lte&GG9xbE-YtZW7vi%lv_Bn|&M2(oM*po<=!53Pkh+acMoDa7<+uVw_D zLUI^fl5}#bV6;qY&E@;!2l)$OcAEA4*kcBc%aY%00C;(gp(IiF76en1=eswRppYH+jeFLc|3TMbl(?_{hK3@pbgavOeVzf5oG+|pMKduTd zk$S#ZrAEcLz=F&L4nToPCW5y3O1R~6>I`dHh+*~suID%p%Ak`}r6jjI<-%+FYp4#y zUG4i~)Q3{`LOPl^{KrsXop)g^Q33{a+*_nulbVGa zdm@itR8XJV-c^NR>4bHstyz+VE5Owa;|M5e= z&4vHSkR0YHjFApYru@Hsk^jM80&%Hy_YCUmbZ#8X-zVUI{7?TL$Nw5XCZiBLCZlt) zy?=|l-^AFz{^tLF4e2jI2BTz4dI{x!I4%S6agdgun|gKJUGt&wydw3zdXWYWT*4yJ<@3M4Cx7!Q;s)@m zs^SNpo;?FUfagKs*k3IbD=2^!fh^!UT99#X^t#bzTSsAx_z|JEK%`m#sv3eli&2ZVZ7<2??7?=es=ncPPK!!s6SXU?OSuyczr#)1WH+sq6AoB&a(l!8~bl9JT@>a5w0H~aOZWLbmX062lHevo~zIP>oX81 zhZ)zZb}cribtN20~H0qz{B~S>{h?%R=+fAH;YhZM1$IwLP13()FY3z z=I>qryWscOlrDOI`hUN~|Ll{-h2z2D2#>aj!2ZvI^N$4hFF%_q29Sc{l-k`}zppTU z^Q-^-*uv~LAQiFmO>q3JwEF)F&fk1WS${Njl|i+eV5q=i zpwj}XN5n+b5dQ=kB&5IM#3o|mh_uLi3kKmzjmnM+^z)!6zt~peetM{r4?I-_jOzsN zXa;%qbtXM*DRB_3qSfP%mGK}98D6*v2}rn%^rep z?pqE2RINYz_tzKOsE2etahid>h{kT(+O0etL0n-=iV=b>3amP3p-9HussJz868%lY z(`^|Xt7f6!ELrH!O|)l_9!DIXE(-3&g>%~`gtHm?1R4Stbm#bRmkY?Wq5-S2l_>pS zC~l{KGUY(_sHhgUj(`Ohmd^&%U6Dxn7%FCotd6joxY-7_M@Frn{v3Y1L&*BR`o%#X zbp9>y{=@kwoe&!id)O@y2JR1GR~XgrcMu+j`T0badXR+Il_-8u=()un(8`XRz}3$>EkHjx^$Br6N34pP z=~ALThAQL97xb-xfzTcOTEFv8FTatV7d89hjd&sq+kD3v{jlblZ`8sTz`yxmFHrsz z5Vk%O`qPIK$51=hpZ`U&9!bRPZ_SaBBn2%NEP0H)zB6cYBOj^{d)SNQje#pMgAgWS zm0Y9GZgB8RNQNpMflr}`Cpw8Efjtx_pE|5TOU;VtxO}Oz`!}c`hJ=AX-K`?QAyw)- zXFvS@h5RPAAS8qC#~DhbN&L}YDv8E{Gv9>O`6AiD-UnhF4qmIO6Jf)576 zy2c^ZwU8PuN1c}#`FMMUz)vv0M_GfA!)l$~Oyzv$9@Uq;ir6ALZ-5%t%ePddS2T-l z9)qC-F;~BxIG?cRTV>p^xkp+xJij(3VOR)_j3=!0-mNYa2e=#$)jtzHZSCjusx z!4FsMR5We9)L>34A#Q6dLDaXOEodI*1=yG?_Vk#JVFil;%qd^*N>|Fz)Ql46yVh?7 zcqzS8@F@h=2stQ6e!(a52B%%ICj_fmmxAeUV6EiEjgWtgx+k3W=M{xiaw}R9{9BGfZD(sMq!A4y6;3H;+Lb z?!(cCt`SOeKjr8EO_(FRp1tJ`ij*+qf+gyM*^4Nl*8B-?GSXug8benYT5cR0{1C6m z1%0+`nrrn-^vB91g!SW(VZ$c6Zz*6e(Nm_5hB@r@slt*AnHs03vdF@Aq~_-3$RcLd zyU(-$9j-q3FcRDzo4d}~2J07ek!4^t#O!v{4?y=eH{IAzJ2(En5+I6H zXD^VauSH$Og9hjUTItiZnDkl5S;WWbH4?d6d=yCV^L$tZ1=ULoT*No>U|L=@26ef5`lm1FQBVV-(qW#`6ZA}Ye=vq*AZ`!CO!tjW2=M?a7(bwPISFXovk@}P{7WIGo43Hkr z6z0m6oF@zNT~R^v+2xy!FU4-v5F0tUAP1W76yeYmR@&buY3|UK!Hm!>bmh2*p|S4Z zjrcPW^RM(X?Ps7s<2Xa9hGbGjd=F%)6srwlJ*kgF9s|QRb?dsw<<7TKps<+y1h$vW zTV0gLTIq!lOIJdcJsOH+2F4*Z9pF7tvh=0b<6XeG)R0oXuP(Nd?+rj z^q6G0pU?aP*_~#7nC$o^WQ4_sU*#$@&}kCGVHaJ(mHVP%|9zP#+=BEmvohCkkcx5r z6b)B!PuCu_Aagb_L)ak&uBH}w4Yx|Togl2VX&Ah=LKro8ZM{&CMYi$ZOAtY0!~RSM zE^fthc#lW4zgFYaB)ts-VMIQw&HE1$g=@;!^a&xU&Dnst^n{EX2{+W%Oh%w-xPxr# zTL4?x1lzxo5IFQv7C6--S#L%lY;D{XOyI4m5wFm9sfl9#cHe*$=Yk^O4gOPD>Bcvq zcXrI?8r?DYWloSs@YpBgp8$Lx9ep#(a|e@PXd|9dRM|2FTqonq41LkMm~fyvaV2Oz z46XJ(m_xJ}cZO|5^1<5_xf!ULDe(T%BU7O)kGH$Dax#MCDdMaLVu24|q(EOMI6gL+ zP#=R_gvswYJg#uvHe!kw|XKk|%cr>>f)W^%O2;Y|@%TKjkA~09b z+BG%%vb4+-(teeYKr=SOuBpd}E9y%&8CdGGy*4H^{CFAwN4l^O&%gBG(#TP7*^eAF?p1k9#wAy!sS39A>RLU`U`jnvYAGZ3~p{d<)2! z0SyAT@;ydB*j~_w)gT$=d&!q4$XvU>XaN$IZr$rMw=`1r1zA;miInLG3=5I9G5wOk)_aNc(sK6})ZdJ|BAlsHPAbbP0C*St%OLma`4kWq>~QSF4^z z@!0E4MT!^z6nO8u*F&a~n;fP4z|A&;Uflo+%*689LvL=U^Kbs~F#q{C5hrn3_uT7S zPU@xvXjf%@(I5uQKiezh`oa&rwGQPE@ydN! zT5Bz>=x{;TQiUk%@i@;xOFghmFL?quK>dEkNEb*IZ`{Be%6SZQ4AR8CP3U`hR(z<) zl44&7kT4p}tSV${Ot;GJn7eyEC^5qTB%bzhgDAE;sr@-$N)F7P8o)L&v~ZF$)b#y1 zHz(izrBCXHRG4nV^}sI($5o>Nr9U0S3X`xjnq$I%{Ct$NGv2rqiv$i(jB#U}L$dh-+zWx=-eS!#F&BK-YXzJ# z%)vcbiSPC{6*9;(448cj9H!|XO7?Lu{q^oyo6u=Fei16tYJB~zA@dnL9&m&!M?{T<~M6bWHFZ1gmz_z4e=osIZ7koD^ z2PE;V!xUNsfarX8pwZQD0oBqX`IgFj04|93x-?-cx*W@q&`LpxpiP|IKbLZ`4(GHSvyQia*I}gWA!y-n!E?&LZ|xy2w>d; zm980NK~0vzcc-A;u1TxF4lqrK(1#>GXf_@o0&IWB zr#Vmgf!9p>(D~)0i#v%AxTh9qD2XCn+T-r#ZY13|3w;9!S|lR0uqdAJM)=QJXiagK z3Y!K@68-NPKILou*;F+FVc5LFlB-*dk`E38kpQCg)?X4a%+9SPHR?zZodr=Q2OQHZ zFck9x3BHD1%^u&GXcs2VPRd^M#=60RnY5!jgjqq#l4Pnp)qqQK9@` z1i7T#z{+zPE6CQ{F$GyYCXJNa8%TZdcIhGSYqpmi)=9z2YzUFx0&oZ3&!xg%^(G{# zF=&-`BU|M!fDa(luh&$P`4QCy{;mJE??E6q;VlIH-r{a6xD2e|Jrp)o?(KFFM0gq% zXaxy1-a~}x+h+X>U2uTN)x&xo077vvra=S_xD>nutx=ovUO4Y_DjfsnwK|;X=6Lqi7nfn6EZc$?t1WKYRzmSeI-NIYH?t1u@2sHv=i{9pkRJ(7}iO8D@8q=Y9|V`%(|; z4MAw2B2IXcz2F-n#BYCh0X+LlOAteN$f^E8{`+zefWfg5Ph$Qsm|P3K-AYeA68v0gYKH;VWn zMs(RtE-1}ZJw5JN4&F4horG&egJqeVK_O13(hboW%=*x0v4HTIW6+`cDZ<-Q5qd*Q zI-*G>vDoG)*28JkObkoBR25>~tU{Hn+^hAcl(>8D{caG4l}6H5SIiITLK z!Y9cGQ+ zzs_*#1rHEW)ux$13)|34T%GpjFJ*D$6)fI;K|#KF)}I0ShxF(w00ecRYNQlLTvJER zbM;gq`65r<-wj#!1cN;f6-33$B3L{iyhfM7hvO}yCY*jh$7_EjC6ET5iLmgOh%H5$ z!JxNQ5CzB`Wr19F2-x(Cl&40PMH&SN{Ir>jFw+G$$8gR}Skw_7EM0x6{$mwlqrClp zhzx(5kJ6E`@*Wq*_c%!Ql|+G|H_PfEV1Hvxd(xGvImloA#kVS~e;FD?)&&JFh%^tZ zOYQG4U}97n-7NjxZ3KV=vnpSyR~?Utx&KN=g1^!N8BxMf`85IpgVabihs8mt{?`QJUnvp(_7USQAnynDzRy2D zEFgZMpNfv;4Asl`{D4bLYO5OQePnG%+lgR&`g>vc@Lz5LTG={48%=X zx+$dJj|g291;hjaRo}d@TL7}Q+d#g3XiFRa@$J8V_d+Nc_T$iLiOECNKuEm~9mB8g z;&Z;kQZHiQM3`CmF?fHCTUqrndKW;ul0L#(qL?g>1ZRId{&yiFi;mV_oAxsB1t#*f zlS=-Q9>JnOvDGhdG1pyj0;%atC#@?ixz%H+KQPjx_)(~R zuq>U~#K~HS(NM?ub0qgXge;!EJA9P{$vE9;U`p_KJD1rGSq)#_igejgPaG*}uKoHw zrTbOd6Y6@5FuCjVNhC=A{JabJiUCrMo-cVef!qqP^BG!iHYCP^f?p^*6l#^MIyr{# zU6aK{IVoR)7Ku(gHwcM^I14lwS)2^230oXbZFu2FQX4>JeF7HBuf=e@Ms+0R5VVL3 z+%E1VX1*6fEHa=xp2<}{0#r4Y$XXn!o9p++90#e_k<}Ij6gZY@jWgL98T2Z0oN|u} z6hv=+cGpR0yKg|cCe)Oxk6iLVEpj0Y-&fLp(5>9KF?GPuFPDwg5ae@aY+U~FbpX2m z6k2hgk#M00bJM@a4;@~6T^1ldz4s;G0IJCeC5ow}^e4tksoWljxksw4NR8L#?e4m1 zNgme%N;ZQBS*1{&)+3X2NM4KUM0+H-Z?FXth3WL3Rulx#`^SNA-#*VGZh0_Q9HD{8 z-Xee|WD0(Ruxqfi#+w9cl8$_%&a9#|tPJA>sLI=r)`9tp-$75vO`03ukfkg?NM@E) zL3bXQr+hQ!soub2t8`cI+^N$;KgUqSCxWcoW6_+vBTh0>*J#w5qdHJB@LxW)8bYY6 zMO%^nolqC1Lo1jZL}<>Y1j1q)IHkwuU0_k76BZ=`^&gBEBMN%QmBAS-9e^tBP9&e> z0#=e3yH-Hq8a3$?n-#PUSea45J=5tsU}RI@B!oulRRvx6%60>{SB4m#pXA?DNh__tH};an}Q)o5svhYkF{WMIZuJ+f1;=pzrDOE=5@nWyg%ksE~OHj^%sHO zI&=VtYd^;xaAf2}5~As->#mkPLPG&`(2r*b{cL>hDuRyw;1Uz|UPh`}unFUyf_z@VC!C3~@vY`S5<_*QDsmat^{HfL3s@K?;UgqtJz;{ypFz%zj-~TROoA z?OpOeeOyKFD%eCLAMTS%ZI6gjY!9UrNA`D54G(Ype#p};0MqrYzob3; z#})bhqj06$G0+kSNgxgFaSP})i6XZWe3{rnHSOM(AWL-W4A+tEM-hlO(IjaXJEABB zl4tg9j?Kh9dnnas5mD-a)XJ_0(5EfPu!Iv%M_D=yck*ovHlU;GokNoDKV3C{`{Vl? z?QC=3|5S)v6+wYjit!2uP^YZCI{)Wi6W+RI)1#yk4*JXp7{g%gD8Bm&tc$GOz|t-P z8iRqe$yz96T?1v0ZjrDevljkz*Bw+y;PHZ^FZ}?i@Sh_Co+T9vAZ1y?l(W~6|Jcps z0dU0Yp>O6(yMUeqxl*qp3!B7*GA)XLVT^!wKV$JRz|?F@ay=VlfeGA~9)bkW}~?(|MzJXbnFBpL-2rOFsfqhHHR2l6J0 zvY`9HY>MWxj!{FZD8M|e3gp8HaMDMVCe>SBKG)LHdPeCWsN@FloyhEDOhKMuVHEaA zlO=GU8hmer^ik9T28#9;Q%ac;K?ws$z{=O^r?J zJVbT|hx0m^amx%E1WJF~OmvRis+=V`NUMDNH1dumTTT4Fe-?A}9BjgjLz?$m%hMQLYP zYPSIy^KBR@H1Er~7`!C7kWZ(gYOhOT)fy`__8D~TMqs$WtkRJ?b6@}MswLD77nZui z<|V#52MOqHv+4Ap^pAT z5zVAIGMo=RZ5bz-OFDfSt&uU7yiexGX);u}GmKFi_`$)~Mylt~tmVt%;jmnT;P?Iy zS!9Mhj-LYKPSWx|YONV>zZ2Jw&FX?x*`L#6Sr=vANBx^3RuS7{@NiI$ar!+f(xtHf zs-9kHRGLT5Ae745)DZZFnM3$rw1=-C5=h4iTI!@j7)XzK_{+Xh>?}Y)DtoN5R6Z6o zGYg33MiY!>-_A7U=tBE=KKMAH{J@4*-;?7J^CGnA^P2K>mO=p8p$Fr9YEM#{(sn;~ zfa+yhQ`_mLJ>-sNa4a#0>u>ty%slE35Z}i%WnU~rHs#5?_lL4Az;=g^P0RtC4+lQy zM)e~D^f&{lZT*k1u;KF8>Nj$2XPkb5`(*S64f=sxqL`P@h@56;rSfUMN?l+=AHZG9 zH!G19ayloQL^M_nAE_UKkV6Pp<kmi*B)_!+A6>|e>_Iv6OEzEE{LQGFMtV1CZiS*2-?m-Xw8USgHNI#+tI7xbzaB>2o zq3IFSgeQ9O6{)=4?>Hpy90>oMqB`ZieSPB;wzOUdesvk2fLk`poHIS)<1md>m~M9{ zjO&sq#qMT5Uyr-%*$mp=;1uBxq1@jwNtWi_=E{C~(FE1LfTptLtuG299WG_UE&-Q7 zFV|vO(h*}AbY8tDaof=X(&-%?*PUR6*n_Vti1FT)^0xU>UPxps3~x{D0tOsKOWlFe zbS+7RdTI9Ps1p(W=>9!iAYTtnU2rPs%6|* z*Mc3D{;P(ttl85&)npG*Q$;YFF0ao?$Xj#^>_QccTi18bO91Tud1~nSqWgy)?Glj4 z*YLC`Ao{MT$6kXO8@zUAQ&%)B@X#NgAei($uN>Mb06<7vGZJjJvssmlevwrNYn6XWZiS=utDzQ01I7wl*Q!3~y*ape&Sg7ui>xHJ7 zyCJ(=kj*IEr-cE8TMy4`+t1D)gj{#ws9oHb*s|(b;cNMVBoq4|c;W=*$sAOOPzEnX zNuN9?Na`pH z0%-)3qITa)(j@L&v-;;rpGxzhbX2~(+(;X7EI*}`(f5rJ>f)xWql8fmF$|s$U7Bjx z5gb2iNWvTHWqi+Ycy}F(PZ>UG>v1Uoi*g>h?Pi0@Kwf~cMNnUBz6^@7YvsCq{D{F! z?}@Z2)0&WwS(NW=m)rrz>Ey?re2>Onmj$qF$=6rBQNlsg9<>Yvq7x}=G>6(xl3Ltz z4%NcS`r_4+OSbKm7el9>OWyR3;ak}culSCL2q*Y-Tk;c1Y=gAz-$i?BJ?UOEe5KKB z%JgY2ynZ1(uAeK?^P(X4ZnSvYhtiaTM_UQ?In9DsMqVct%a2;$ciQ_ma-}%D^JvV$ zf6(l*Q)noLMWwp54aYBunsOPjg5vB<6Si~D<6rkA`sU!KCC78(9``_*=re7UZ0Bx= zM}q$i1zm1ABA4YSlSg@kxEC-MQAE?%us2<*eH~K##*SvWw0)+>v)y*+Y1Tkr5);ME zy$Q`B&%)HS|0GyPsS>#uNHZ|Y9;IRnPV&v5OX|K|I7T%yRt!BsrN$DH5dB{L+Dx2M z-Xvnmrq( zoaTAmxTBc#W#JDrjq;uDJlQ>|lae+U2_~0Nygn#eSp2MhJ@BB}=QMyysKUU>a$u(K zI4=y_FGapb;d4|$9V#_pN(IMMlvdGL?ZGP$Ph+q7yhsRddeU)Nu>@02RHzRQPeSNx0mA$4C2W*3Q_q`}>l| z7abYv8z_iNxi`@pg-Z03oH=MV4bMA%uBX2x`%2O^pquBsa$O63qUx*J!XgHbcpa^{ z=EWZab(Zd(Uz=l}@^AdWf2;SShdLbPd+!f^H7d*?bA>`7S*F(KZnPX@zSCJVCGuDD z#5K36h?)78QN0d$wa83k;=8#}JyFWI>td5HB$>YH>R$**`N@etcQFW)Oy2P8)}mTt zh`4=E73RR(`~dNjs`ZplygM$$Gd-0tB{L}BF=$2~=^tW`m~&e9vin2}He~v{>7L(Dr)$>h9+kQmIt;5%pB+1`3I;} zmK})}*PQ$GQ>3RZ`W-HEBww*JZKMmiwL-3BhnCUYw=k;oS?cgv9Cvs>+UY>4=34L( zR(_1m;c)`_7EUG34CXnktkx2GL(TTGvxnu4RLcgPy1A1vJHB7(&1{mC&wALt=wcE` z!SH@m!hNdsfiZiPsCxCI!-?w+78J-5yCKgjCfcNrw}Nghf9VS0WwC1BkX19wUfnoR zB~xj8e@$c&1y!W1_`Z8c8-_D;T8V3vpW`r)Crd}RcX#!Ml=9kG9Q&s$cU8=m_bO^j z!EHUX{3LOgHmQ`s@S@*71qtd@S!tDS{oDM*=hJ=UJgR5nOcY!O5EFs~rv%=F)8Y$i zJ2UO6#T8mCH>(36~5nedyh%3f_^s-GENt8PY5|m+@Zy^Jy-(svLXTLHRSCpZ6M> zoWh%k@ji>G5PiO)#zy9P0S7$Xf^I&Fzoi;Y$NIH#Q|R);57%1_k6F3W6|m?lq<(S+ zPBSNSPty;E+A%hy&O+<#e_!gT5_&F4!4$Iqg1eo?3^?R@#mYU&pGzK|zuIzcyV%Xs zW1V_a^qxk1enohQJY2C#fjrwZ-1CEg{sIPSi5BaHQ?^)(I`5Z|nRi?;w z<_@6o#oWideA?63N!v3x(^v_h2{kE?LHwCZpYN~u;j?Lf&OU?$yAVXkMfLIJ8*Ac4 z_BYt)=;cFhh6q(+Dc3(S@Xfg4W1i|E5*433TUZk`Dru(s_N`&TrNV5%)0zw5j+hk` zy!?~ShuwzOFsnTb1J^Vtaq>Vh$EVUiPS5SsO}ml2f?(zVs6>Ifn%pD!r(b^|&zC$xY%iVEMjMR!2s`h|bhSR9PoP z{u`q|ZQAY|djnAO|(XmII z_W&%gHzP?#U?&KXs&8&$P#HIa?oYoLl&1KfN6i5yB(w*&8NLM+L%S^)S|qciimFAY zIB3Dl=y}@NWd4CI>w@57awd&ES z%%s<^k4jvoJ;ysi8@CcPRU{ZPjA-f+*zvsb4fg6rixSI)U@ld|7NnTGwWoWDaOQ{# z_6xT<&Q@auJm!JQDn79FBAU+&r#vdyBJGyv^U5I$t>SiB=w}rGmoqmg-|h zA_^CNPLIo0Ocu`zjveFPn2Lw%dU4~sSU66i7?RUioa@fI$HY>M4CYyDU+y7uk-Fn? zIrx0giPXAn9a-xX)2XhsA~TCdu&@&=+f!F*Er&{MAH^`# z=DD>cU(EE6jTE8dG<$BAURF@2Cl3ITDFrRKbk1f%2ajTSm}LrLOET)I0{xpagMA9-9Pt)q7p zi>v4tgg#t&nYJcEmwGem*9PI~h${b?PVS6s zY;N7h@$Us4u8a+qFmEpL`rDr5yMdysApQuU;PANYH2_Ib8Z?vAx)%Bz74OKnvUE>B z_nfS9@MFSE1z!p6P6x~shr`SsssGthre$;C^PEiRd_2>edz2g4%4a#NCHq>hjbL;1 zb?n?CB9;sjcIxlnjfd8{6HPKytS@4Xqq3uana}@wM8SQ>nLdiMRnkwdWonV}RBDedCp{M|X8-Y^I8a7# zpdoq55muG6kS3yv&a7+h?OM@@G`?tTkLqR9O)j_x!aG^}tT{-+ z&IcW~fUDU2aKOu+vKBdU3d17Mj(?=?5$KO?GU4yw={b51Lu(T|JD`uf6+*H6W}2T} z^!$!X0knT!ed&wm{Vsl+TbwUGaR|T;^7=lf#wWOW4y!@TVaWb#Rk47Jw;IfHB^pdr zu69i7^37ZfYFtT;(s7kF6lYRBE8ya21%xC4;bAsU$VzwY6KgA}6yr&dZ1Y8(f}Djx zhJdv_A9j#cW9^kpIa9I1_Tu#cMk10aIUVll_ac6y`11mdeoHnz=h&OU z@Si$c>MbHWF^qN*_KRA|*HWHxRO2Q+`siJekLAdXy@rSQ;3{OfUv$7#ri}w#`ACO= z^x7E*sy+v^Hhj;KG0Bg#888$(`gR}3KgN1{IdzV7q|8$*?OU#dy~L2IU^b6Q{L>*d zL9%(R;L{3K{qmTuZK?R($;H5`7^oB*sH+geo3nq<7;b|X1LQO;{sAq@*r!T*UIID;~VpOZ_q zw!Dl8wlXQVPa7_~%hADkY$D^-k(=xayNe$yF|%E&}- z6zP~4t}Ke^GxIDO-ZU>fxcLQU)p-^QNi|vLvXd!XY-mHM1E*{=_R%F@y`{%F=Y9K; zMon_R&*|Xm$ZVS60T5{1D;@hqUG=fu*3o{-SNC!jgW`izNhb?<;~4`Fq~b6yX-p57 z*l#H(bf>?PXdRQdnoc8&+tid0eCD|4>!fmR5&Hps6$X_k_G(f52x@_+Z`QS)x8B^R z&X|J3!HSw8eP+GGg$LG8n0B&@7}WA^<{pWOdJHHkvA3oQ8GavQ+O$|K1 zW=gQ6Wy%tl>}d1D?C5}xn#1Yslf+M%+oNu!NWmXxrnXDw;s4(L8*xqO#R3r%cuW;*#%@4y~e! zL=okpQPaJ;RG-1id9mH0JB&&8eM=y{tXTs-o$P4F)}j25%ywMdLVlG-c}KFGN>7m= zN~fh(lLv2B8+c_RDovjT$w$RlFY`*4I3_rwB=z>6Tq1s2^Ny%7g_Y6yPDTg?`H#E1 zABEGn%+yzfSk_xKf(04r-Orti{F0RjQd1U{fR&E?FSF~D^JT?a&LEYzBBVx)8#EDZ z|M>tF)xW<$?o(~1Fx^N)im~9(Liyn?Z)PtAZOKprdF4U2dnN9Lo6#J$XHNww>TWXW zluRDw4!T=)v43#Y=5*_ydZydHLVhvGKwq@W-a1Z`SWske|M*Ag>`vB?EQJ&KS=5=R zM6pd%tLdhoCu2UF^P|+-Nz3DLyg$;(*Me{JRQ^1){gHlc%m0mj$?5T-_t@OjBDP<6 z^cL(%vUN(}{yNwFRizTy%R9lIJsP;bi_MDdhqXC7F2|#G{4iwRWkIO)wb_x+Bqzqw z-~~T^JKK*!gVJ5r4?B0%)AqepgSVnphjDTB5_bh`EqB&3B*}>Rsbjt|#Nu#d`?uQKVQCenpD&&d7iOhA1m1F!lfgkP5ETnSr=*? zx=S@B#TSi%Eqwcsw01!xCRKYik=zAVT;9CByW?Wp05xy-61|Luf-!YTe}mkH)k?h?&LJbscOhs zL}Kgn^M;t;8|jP(Iy{e#Q{Ha{%Wa>{kk7h?fonV5Q_O^Z(~rvNIiWNjzdG~%CJk!Q8C&K4=5nl!@*XKS~bXw$m zw9%3ulkZ@=n$r|m`93#|@ln*b_~}R?_ljtS-q@Rg%$1homzEs^X_l%yP(`To`z3D^ zkbKsTpivZ~)WK7!)h)tSK5-nJW)>T#cN+ul!|`WSWj{{?^#%UZy3y#Whw|O8QM12% zj-#Ekqr3i$ftHps^=d+O>ix5F)z}@hFJJ5u;+Q4i;S+M2`MumF@h6t!XSp_U={z2x ztQ^6~%gJ2w#`vrByC;WSxill30)0c_PFtfchg$=#S|dF@J!7j2SutrhvZ9an3H|3V zqQ%t2{9VOv#BK7@onA>4!wHJs^V?oTdmJ@JFP-NS9h+^VKD1dYT($LvU<^BCF87Gc za9FzwTW9av;GGRY)_Fz0%L+q9!^S6Ew@>SKxdUTLm6QYQBsl|W-Uwx4WX$BT(4`zz zj69)=G;q4H$=SH}BZ8Fs2kWlce6;&5=U|7;ydByxoCI4Zr`Ad9>9RhD5U$|>OAO0# zmPPYht%=6sv`-#Qxi~&qU2zZf%lG(R>?ZSeiOa2PeuwgdyS0X&e2;(J)R(xL?yC5u zyJ~k|oH>hvhI#3#@E?Ehlh#$+n0fW~*T3b!A|Rxe-?*V=IdTpL`3Xdfb|ZYKFy-Z( zDzD6d+kBc=8M=?81Ko*3q>uJB^9&yaj!;hv<=7Rv&iw>k4|wq8e#?e>@uW*u#fkaOBw5q;h7 zzNC@|`B05-nylFLPtV1ra`%v8RS-8^6PTfsF|G3tPY6xh4t3uTEi??oCAcBk?Wne` zIItD*w%(S~R}8Cg#mA?h&?dVIPn^8NVFwyAEe)c+w#A+d^QLr<1UzZZFzEP3)Ss!N z?mMt8wwZO=26PGt(Hsjtl-|#^xPx|OGCaEJN^npoD%D<>&xfxOwi_M|6Yi3nAB z-<4_RfEGGAfmN5p;`l4@1!fa$vWj6+au~EJ33-;{1D`cjPH@KD4^rH3duCROTBj7Q zbEAR`{W;@)Ldu9bH;QP@tRhFL$?@~=WTWqWuw)9kMbY<^OENW86;~g^1d9ZTlqhrh z!Vi2Ii`V+I)XYv2i;k8x&+9Zk|J@7V;Mr=8eIYMlBEFKRNDC2Rbf*s?{ee{%y^J&& z5#g6k7#GmgAeEGs`M<_#~x~Oa(BCEs(1z+&(6-8EyOquno`8}z<5Bx6`G4b$|M|o zjAi8HvPx6+D^j0D2!hdYUr3$Xp}-n&n?_o^;bgZo6mL2=W1LlhX~dp zd+1jAdW^*!Mn26x?SK4wFsld#jMbl|L_4N?t+~wc^?egX?^7?nfGn<=u^6kgU0H^= zUHA;7`EBMC5*R*s6=r3=PY+<8wx`f=1Z9K2p^0c@vUXF>HJbxxX2~{~%XuFskEw!) zLCi8$Q~;(2%peAcldjenm+;Pvtts`j7zf9ny}ZdidW@{&k@$tn5#XeJF`Css~-PbC-dxkq~X`Ddg@VCf+sX6q=PQ8#^4`&00yAKQ2tXZo~Mpsu_#n z2RmOKWx+@F3M~?C$-d{6V&3p9mQMYdl_R9w1OoiMlcJ(IcS*xUMFPzXPZIj3-j47k zytH<>?d+b7p|Mpn&y_YmQo6I&V(n(1aovJb{-oJuJCO<|lOh^r4%aH(86Q!;v6Is- zYK+C(zccbpG$4l}Sgfpu!pNy($jP}HTU&PM=IsZfpwt;zbu660#;gCDV4?A~HDZ%P z3bpH~oH;qK^V3$0M%`SRN>U>K$<6N_FX-IGxffFtZ-sk(SfLjTI3CU2l=K%m9B7*@ zJT;*WRdJ@`hzEi;v@o?M_1;3vZn?3g8s!_T{hE29!kS7Tz04+(g%wSn&$7p=X%Mb4 zI~k*X=im<5EiZ0UP60Z%g4CjoD3Rck39)kYCdTC+hro!+DT+1Kp&sB{HL>TG)}EyB z_4E=6c=mnU!uhOOl2>HPdifqBe}nLen~vXT`sCAwcsnIE&^GbwS)c2Ul^U| zvoQEbSrk>S+<4htq2sqkM0qrRP9^d4j?3_OpAW6KlxHb8zV~>OBc$+9r09)UX#Eo@ zC=HAtJUpju!?^dK*6kN{+!b|5ck5Hp5^R0yX)>?4a)IV&q|k1<)7$-LM83uYE-7-_ z>{|_<#^U*dER_-*DJ&I9iO#DIO^>^*NqdSr&J+*IDSTe~>6B?@9P_8}xY{nG>r{!^ zix0P9)iRc*%SH{wIgl2NReoh~)?Ky+3YaMTt% zj{S(BkdyZx)u8{A0&#mnW4w-;W0T=TSg>Yez4uE@@PZE zM6tV#K2w}}t334Jv2zn+7gfzzd9{RMDg%AjcB!`B*#1ST4%*rHi>@YZ7NTAe^YH}- zH*DQ9T{nDnq@2({#=L#^*wD}Iy^58OPZ(&&oXo9{Ez;EvX1OZWa2%uC=-cjy`n757 zydEsStKbj`$G@USH$!|QHE2CA^eaQnn;RRbR$nmg7UIy5hy5@vbbgTN81USxa6`%O z{bj=Tgp}{%0*i8Vw_nMad)21JYZ(GJ&b^iTn%-RF+ehM%5^J*BtrcFYU$08gQ0&OD`k&C~4D zgKTBd{5*M^?Htk>&qV^;^tL0H?$_mgv*ni+wzY-o^D7R*-yF}i&6>qHx70l_JZ`nk zUWx1#MU7u%=b8LbNbogLrpZ;%dfcY+a3p&{)~so>HmEQ-xJr+Sp7H)D{gcdr;&U=f z-HH+jKOEV+{Iglb?V_nqlsnVx^VkKIg?!VonY>~C)eoLhas$P@>YAgn2^ypwRac?h z3@9u=4c(X$WU=tvBF4)+VAyMaEf};p>T%=P<>vQimHYWZhxvAW*gv^Q*Hu!=ZS_VY z9Y^t>2|8biv`Y50Y-ohnQNcCEKluBd`v)172N_Smoxh;dU%Ps0SQB<2(20p< zK4R6A4T?=Hk8*EK-?+ttFbJHhOcxqAZS`MSOmGBoeg9&mB3^j@I(z1o%qV9=n*=hVSmJa-A|>7y3wB_hUD( zCr`t#G&;Z}*qTP_PsQS;d73y65us~K=PzAl`Hn)Q^+c|&BQ*F5ukyCq`_ukzM(0ZA z>DT)k%s=sh$r9x5?|*lj7ILm?d+y_lMPeA$&s6lb<6Nn?o3^%x$R61kU5@QpobVeIaNd09{iw&BT2O)6 zZNpci%->t#F~x4d-m*AzY?nM<(W0K)5eoK3a~7r2Kv-s}MgKm;#YMdjDhA8F3ie&8 z0$Z+G+8`xERjMWVS_-yl<@A_|8;UQ@BQIVIb5#e4yb09>Ej1~tJ^A>qw_ zQU=2|Dv3{{+sG!Sze+qEVbNfHXQ!+{ayz8Po@?#AKvV0FmvT-;yf~d@E(2ltrCMD_ ze;oS^Z@C4N{->W7e@?};(PN6c9s0X)t@5{U9hc|2D)8=e#)gVU7MZHwc@UmwTBaJ} zu6)i_rDcj!Ye@RgZ_|Y1wtE#SWqSc{%{;az$Gr?IasfOQaeY55`wdD83Jk@R#r#_# zbq@r(WUsWwZtWX$xXUzd4QJv_MR1yT!n9_X-px-(YHAMQMf=D?h{83E>+a_E{=0k? zP&E~_L)8?-bufUF@0RF)N3x^qXijjq&XhOx5yW;7$znGTN)a|16tYI}4 zAD`6T@pQ@VW{xh@iVbbq+TMJ`QR-^U2^U9shc^Ef28o*GdpkR~a>HkeeNy2u#^Q7x zhij=Z6km5?$MaP4VO*cxs4m^3SyCNRmL4%-$Q%7rIr)I<_TUq3x-`@WGW*Rvc& zd$i1m5nuGGb@Td%0GFEqA2$s_YO%#PDP?xIaHDo`)xLd{nhV@Oa6S8 zODE2~vtJ4a&@O}L##5iRI%Gk`&%R0~#eYz`jnAmI{-g{Fh zV@6PXh4SmCXq#{6DMY@89{N7-07K-N?Jw?!Uox?%Hoog~EVH)6RNdpx&uH}Y)0X!i zhBybCWs3JT3O`#|qeUVf!QZo#VGG%A>FtNcEC6=K(+Q+{>gNU$qgUfqB# z`^OOD)Zdy4Ufj;qbW-=ut&%pq)do)M@^*s~y&9jvNt65kkG=1ViYm*(Z4m?oL?mYw z$siyoNHzeHB_kP;oHIof5hbINk)UKG=U4?wQc_9IImePr5#PD?%yf@EGu`z2`QBRm zV6mvW=ia-|K0AE-`ylb~{wVy*%LvcK5pW*R%J!jYUmh5A0|{p zFCCnyaocuTW6BRQwU^8@1k> zeBRw3nT5xj@JA_C<_;*FDzfb6t{`8d=L}WG*=CV&^c+*!JEZ&i^;W7);WB{O$t*Lw z)1~1w>3!Jjt>T+2fo46#(TH#?I%k z8MQ!h$YBF(tx?$sq}`N$nn=|cb`Ry+EI6bkIXk|vUXbHx3#I@aRd7Oe7pmmsNK`g1 zTo^5bNKP%X_f>CuOc5mwd>qhLvkgvU^9FHlDO*6pVdZ?{usn~~mEe|H+*{(vU=Sj$ zK>+6LpmT|ITiB?DfEB{k!n!QcxwWHMv{$>kc&t+?d zo$s@1=y+FoSUZJLFr}V&ChYh`bsStROQuF9r2 z%MohiKHdH|kIsS5FoNoFbcf4O$i-}Uf72J9+0F0Z6p_KEwiU}}8e8(T&WGlrprEd>$qq1Rv~Q0};hiY>l4`zmr@p}eOH0XmhobyCo)Aa{hN582 zSYY^9VX5EOF1GK<;X#&y=g0Mf7}qF~IqoniMbaRPjD3org9VS;dWtl~ZqK4a5#tD8 z-kP{N2wD@Ep^BQ_QRD6-qd^WtQsB$0y(ou|^g<0@oAM7O-b7cZKX{zgCYee>f2Sey zMmJaE5sL&DD=PaHt=q!4*{XD8=MxsTkOS(7yjicggOQ-sP2gc`-iaEvdd_+G@6hrE zS}<J(Q^rHslql-bwztvS33JjU&#-pRVH<_m- zTlXeC3grNUq0A8AcN>l@Ou_hGj@Zss*||Xt?@;%~90dcf?mJ53JsQ*HwMSNxVbOB( zpsxGa%C1&AP;v5xM7S%`eXM)z25Z0r8%OTh$cIysU3cAEteE&e#{$aUtX1l-P3s{C zaRE*E5Q1=8Q3xs)-TLLRf6I0+-Y8%IfzmzD6Q9>q)n0mNdk@#z`(U`7l|@`U4TufD zVqwjdK#u4g4D~CG73(}@Vda0|n+%q+O4KrWvT6)0_GEb3buM|g)&;(-lS_E>vk;|V zqbGZQgW}o|0EC*lb%iIEyvI*$so4{x@bU99=2KmWN4=>YJ5j$uXLTiN3`9OM1YX~L z=Vb&7SJyzfq=&UyJS95@3bc2Mr|uHCJrX$lUO$XaEibT`s&@7jAjQgvLKfAi>BK}Q zK|+j6OL?1$x~&>T2F@C%{t`wn@EJR{dWgpmL(P>(c<+63N8{rMvhnREkQFw@J!UUl#>);ue7} zn;RNa{7;DAXKqn+zXCCX=1tr?Zw)x;4KFkZsyYRt_@7)acLxc4Z(}JMP%hSz>Sl^{ zdu{-*yR;n20ynZb{pf}x+HDAhGJpy^X(k{aUIaA&Ga?DtoKwEL4jVQ7Tk#43ao;{g zh4lm^JstXsBN(VJ3t#KMdS7q~(>S>%HY|^4#rmCyWYD&Inn4&`@6ZlGHG?m;8LCq? zo4W{4(HcpgO{p-xrh^P+)M(t zNR(OpT5hIk&z8-%Y1Zyhpts#J*f$PnSyD-9ovyILYG)WY7vn5d zGViPu)K}#t^#mRk6Cco|KJQ80;2S@BAU>Sg<_Koy(ksfmH^P%r=|lOG=_@lMVo$#H z5}M)RG9EpqslV!YokBQ67zAw!fDo-!i=+|orY|{ymTktu9iF6?myggJ)|2ESh(!^7 z4Yc)>?oy#zB>S9+GmGGIzxzo2ldYVk5)F|s#jBjG+L7H5RiU{oCH;Pcao=J zN>{LS(Yj^6Jc0W_{l`yz9>L5i2^$-#PC8B^`8Cx52cfRcx!@6jO18T%yKdReb^_li z&6fipioS0!YNI=xZnSywzADZXCG4@|^-n~D(sD{-Hg$!QrsI&FQ(grc8Hco8j?^%} zrt}M0a>F6^gMeaIUB>z~(%kYjUlScK3I*&)Q#h^PS@XOH;5)Q|bE=Ty3mtqWLllti zh9@09Wuqq9-F$;bce2;qKXvi4f9S=ymfFG<0Dh*q9uUwFfRxjHd?0!}E$VjL+CRAQ z;5)A@#FLOcX?Tk>=!0zdcrB?rT3}6KG;cS(lOTIOyZ;c7XliKbc*z?YIKFt4Fy&AM z&={&@Az+qTgjM1#`BO@x$7ZjO+WF+Yge3&PE%A;U(mGZ{<`-F#V(AXR`P=P7?~!AO z^SR=f$k5WdVlyrMZzkh_)O%=*(RkyfoR|0W|tzJ{%12q}MR5)nIfMz+#*BI^9iq zo%ulpRiKFPi%F_s3L$&UjENKGAdLVRiHI(D`xrcCX{Zvi#4C&SIkS!gzIA&P`w5IU zl`D-nWl1Fi%=YZ|PCT5OKZtM7-)=l?TRV3rsNa1{TPFczZF(xcM6qg+AoZCm89HVYZFWXpO!rk0ZR&k`6DGpcPqAuC6 z=D2SN9$Y=}!*namfXckW~4X)K&}^4PJY4v)>a=RIFL6qng; zyySi}CQhbPQug)6mmRclDhmVh^% zpIYOASg?>ExqLgr+GxfK?ODEE6r?_+mD5}2KbdB(-`DAgt)@P-c!p`P2+{_%Ma35xf7!L@U z+H+6i25A(SbSpCKhl#I+;xs-#j2$928EF*~Y~m22T5K+b#16NG1{N~)zl{rRxI2vT z^N)AF$7kPIt@4{cIFcyeVrTj(U~OW1?^EyUnI;b`RGj0rda%FmSE{q@QD`|2~lera=d%U@C`S@ml>==&I9vK%>B58jkzR>Ac9yuk z_vceZvvFaxCu^wVyt0D|UF=*Os-!Gk<=Sm{nU3`GhIF8>isgdKA(d5$B8RjtcSc!} zq&|yqu{*V~dvA_53V=>M4`K`%Tc|9wJ{3gi-`58ZF_(iTwRvOcocDzpdd>z@9>p8} zW?-i6Aruf<9G_Qky|-+0=mHM2bU>0>OcNUD+F8Jm^f7YbiOvX0{?2TKkftPmi$ZT! z)|8Xe(Y=m*jlyfQDZ%2EOq@jWH^b1vTpjAVv4TkC6{8vZca7R=nr$%7qh?UN`yw$5dv^@yN$JzfTGTAt4(0TquF?sxBCx@ zj9QhBDT13GcDinlgXr5Lqf~P(J6EGsj9P1Ku<C*z&t1jc)~YAFSbmx0q3RPpkrC0qJy=5Bequg0py)E>6h z<`{9Xy8T)QfW;5BNKYV-SCFh9B0vu`$C<#Xlq6D21(7e`>1&`eK>pONMLAIk$nh#{ zNZWvaKSy-oLE27D(FE1_Ueg=YQPS~ZQWuoGYgVnF-3PV#5lvFz!TA)0hJ}muYMHU` z-pRm_otrcP6L*j>d5&6;@4V__cJIky5W(^R@)wAxAP=04p%(6Q(9u8rVN1?!d#RVk z4hn5u*o*a#Fsqd`uEFJ+b?okDzkGs%>zc%581`H`FbQPzZKsc)uDDt@V61($CHBKluYYK?39*LKR}m`7xvvIH_(T2Fmlyvoa1UPWcXzp z7rJ}5(LZWkb2anx2Go=DAonYMnqt5Ies*Gk`?kc`yO%6(_kiX>akVi6JDfLqW+Ji~%OY`gfo~LWyWSsX8UvYUpFo|zCwn8H zc)ej0ydhZVHScNF7j`gur4})LP@~(;wOgjUn6p}ye&AZmD=fHwzI|@L#=tD^Qiwu! zw=eD1`;tN9cdBHi^CXLcG^nRRs>la_UJW&~TeO8x=7$?_PPySbj{~x~?UINho zUgq2Dpw*#t`HOphux{o>;jM27VX>EYRrbTA2^8;GP^M?fswar-cZQ`y2Scwoi(5SP z(?C~PV-)(Y<^My)XgJ4_@Z2H3!PC#|M(tZML!OHr5Nc~a0snU?T_Xu=c> zaqVhg%3r;4V8g>>w;d_pyfP79eq1WlRJ0J{__{?0YSSvK;EjSo>27EWbii>+nOw55 zd*OV^II*yw1Qr0_?ec2q@O7Z2ywxN<*&(0P4Rt~s0aklgZeIuGrp_VH+wnN_B|~X2 z`-eJt!BrK(xC-EhhsX0csBRYkhRpuk0TP>wc9!&eo_>xYgi4)MB7aqJvBd1-&Js;hb`4px z{W~x=2#?P_3JEOsKH2rw(;~&EsaCD20Q1_)x_56=#)W2+O=>pv-MnO!T=RAv>aK^* zuV}6rzi)?_q$2pVLk@r%-=?UGC7rMxl;$sLj9Gkw>c4X}y8=upnq(m}*(9U%qX3Lr zjl!|$G*lnuw8zrNjFzFlt+b1Z1t{A)7WGwz|Mx6 zKHLP&(Bk!iX-~ejR+v$J(-&dV(4t_<>Hw2_!BdI}Q-dQt73q{riA;)MWW_^uI@rOh zFgm~4Oj+*0Yqwf2*TFwsF(cWh{z`W?NQa11e47reYTq;@ceXbJnm6Lz3Xc}5;kjip zL)WVjO=|l1cczyP&rMLL_WFsICFqjR7e7~(^>r; zavIK@m5M%=U`J6S0JCUnrpG9+@Opp(wd(`FOffo=<&SVz@%*~ZZrk7+-$9qDq?bqM zaDfDFB$2kaM9c_=BlVmV$I*N1wOX78FivYvA}Yfd&BAMTEbQ6z>@^#a`IdJcq=X)f z%!_0J@RZw5$c0Vr2q%@P8}3sp&g~C?5h*n!ouHF4_Ra_;tpVgi#=>lcX24C>(FbRP z$v|5ewv{)zFj_gp&yaUw%1#&}Jtg^8aCA|A)rxOG-dawHK@kb#0&)C&0 zSOljcHFIS;os40<=`U|j1_s$a?ZrzNHJYDIG}U$jgPW!%*qQS>j1+nC=SF5)|^Hmc3K3Pb$izkY9lQWuB_RZINlkES|OV zc3~l7*3%Az$X+ORSOl89R!m#KUJHfCZ5VALE+K17uM;9SGAC441Gp2d6z2kJ<&=f) z14wpTs4A>+*EG0KMGCRs)}=%i>xuQqBf+~DxaUM*r1tB%6vfHZ*T{`mBuLt;4PYgiA!LTf4NUkOywCx z+0B+;Jwr1r_`(B-3bIvM^WYt4n7d;6ym_#^I$Sd1{OEe9i)G}e?Ag6N*(MVq)-z3| zM96;sau6u14KlLIM27IavU;z*=0fc~oxsUDQo9RBS;2872~dUXlsNHjOIf8l5@%=4 zD@)4k+k9$|muvHGUH3;?@{$H1jUB}<83k16HJR|OC7`#|y|>lT$v<;S3 zl2`N*TvP2Fl&f)h;Jf6SE+NU-eG}%)K2l7N7!Phrw-e2l@11w86r#+Bc+`vvw)rFk zgHd~oM|tY44@mvpJtDeOgy_caHheMS-oF>o`BAy1d}qI%9+43SW&u2Jw!BzRkc=oa zygmd~A#=x5rrZxp6C}__O+#~yJ3m(dgfIi?&ddGy>-&s4Fr-|Pp7{Wg?%LM2tf%-G zZm|!mY9t%bnT}%H@Q7%|Mr-ljUU0)}Bv|#m-WjUAMO>b~hk>wggNbBMCQlg%CKwn8 z28z-gu(4L>v9Q7k!eu$EXVT)zmpt+v)Mc*Y5{pXY2Y9G)nD?=Qem>W9h)E=Hf4`q{NZWs@Iry^muQY4OuQ2i5pc9c^%K{ z9UCq1w&1(zIE=P!%o^~oY?bDF<~rlS;*9w77Vl;x8%&6qNeqb_1}1(D-Hg>4wHwK3 zH4Ld0pUz)eg0=5frMu^9Ei4~_Y4yye&-dVO9#@gJ;U$|34&uJ8g9#2PF3pu#S1(oIy zH}mGzsKYmw5t;G2I>PyASL{~gs0Tp2&E_3&vbyF{%#A6HdUt-Qwy2ucR#f>GS1#j$ z2qauO*PEH|G2CVDYvd@566IYG@eY@TxUj-V$%y`S5JsTj?9HIw;*hwzk%faRPKL2SMh7?R)1OBi(}|4odzADaS*a-CgN$R=u#4 z8pTFd%JYt;DD{h3>D^WcQ{LWNN67}tV=0lQmRDx|)TOB$p z#hdN6wO)Jcx{uN`DULC33VuX2Ou5G{!Gfk&`AAY2`pQ^XC3Z)ybJDBs_FH(pcJWQ_ zR7IlTZfSJOQ!wQOMyGaHXZE(@6w_y_)y@YxbaKl>1*M1-S;7%L~})}&RUlPnGK-Q6?DT6NgS;TA$`q6 z3O5o*eidhk_vo$p+*xg=$X(#X(Z=NCw}e%uuA72gWRBG8t!N}@qdD%~4v*3EM=o6t z&CZ%HAF$B|C)60AFJgKV5<4s@BpE1eMlZZZj%JXErf4jQNE}oRdt5sy47Tc8T5=z{W%umUUIMEkYI|qd)8qa?TZXJ?S{8 z$WLIdrv**+ToY4ms(RU@yjX)S&36?rU>si7rx-f?>3k(5UlAoe(pi8M=jjn{JtlXkpQ4RMJKzfIosI)ertuN6JHD=!A4m7J} z8B2M>J7X3jB$&Q@uwhog__DnoRQ~(cX@@vM_QnudHBrrBguh_3U_ThN`?leN2s3w8 z8MjgC=2iIjUNDZVL|wUHxLp|;z$>u3`D9+97EN#dhT@K}tz|(x3#B6s(w*qyt3|ix zb)sxv3HJ0g5;RZ8U(-Xn^%V;^6V|gMO$O!%=0L#zkku`3P3!COR|PNo?5-0JHYSO5 zK!LIwTEj=9Ael;w>lT|2A`juR6*%k5{u>g651A4iyTl@|r)&&EA-&q!*R>}HwfPLR zB>GQu0G6^;cKyCitr=kCwo=W^Y6{v)o~(bbjQ7S9FxQrbGO?01eH-k(AYdc_XWfag zo3c^C3q~rbteHw@Q1Z>Swy;30K8Q7Gqc_*qD{rdeKn|dMv_}yOxx$TM3*t!U-bS5y zFsJ#&v5`bQH9as#j%pTd6Ug(W$hv>CLL?i8aHohuBd2F3Z|WW%fhyvgDNVYWSGAcF zRFPfDm$#t4viVKV`Dxm5i=}cze_5|nr8;e1(<)z*sOWy9jpleOg2k&chrBa&n<5k` z-szw_J?}bT7<6z~MV`&gURD8g&b4;i(+}#ez-aqovV~&9PFazpHoE7HGHiN|27XdSjd?Pa( zOWtk;_AQ;TLb>t->m0yk+AgrB2k6n%b3V%1g>@t?`bI@3UwzP7@3`!sEW?Z2AbgWj zLSpdgz=5Qf*M>vls`-0;FZ?ZgcA{W+kFgkf)?HHJsVGH(;~i-}(Y(+QcXt0kEeJZR zY2*tE<+YiO!4?dOI*pmXuuxV$sLYOkqEl{>6-?w!W(bE%5)D){#e};NP+GqT8q?;=kpxV~ zcG?7<`wlZYFnv!lPKGBii$6Z~m>gwh!Lz-8xTP75;yJ;a9iE#M^76u;S#LdpgAi6u z+-5|WYP{LungF){%ei%V-Gr(%t&nhJ7}(J1G{~0~V^ay--g%LBEdU-vxx0yNF%57JiAFCnqh63yl8S4}q!T?7=1G+S%r}bQV_AH+)74hHp&| zcH+exY*&%-W_7Mhk@4O1#Hyj?a z$T+BR(g)kl$;1(a!MfJz8+4Fo+7J#s0i@9Piu-hG73*p!{}Kn8o!Xw5{FFbo$U8V ze~R6QByP$?`0P9-rsww98%rrrJ)M_K;_~a$iAa!v8=iZhPog>mYHP|7MpMNkN!e!c zq=slWN}7XNmbG#_tA^c+cC{fclY4m_AR)52e%uJR{PyzF(N1|xKbwtXA{=xu57)!I zEkjI6XNM|YHM+cmFbv&b_nveF%YMC#3}v}PsGJyL`fWcVLntkw)pS84l%I08nK`Jj zSU{pBV8f>%lh{IR9nCK3Rl&z&hU1f{J+A=4P9T2#+T~!<)TozZ7HaV~tOp zeg`RY%Z8g$kykBS9#AhzWj}FniiJT#6Ht@i2aUUBKEZXOVg-u*|N7P+zr-Zf6``$+ z*?#?3{VoheikzW}t8SU@06fLNXgTl$F!<}Y_+UZ>L(LlU*p>(2OAWBbKmy)#8M#%s zXP|(xof$~8P*vH`^vfbq(%u8BqaW=Ujc0WQ7!abb3Q(TB9JPGE2aO#G0Qx%YK(?+K zOnKq$o>2F%LAqPXUybS#|HtYWZ-7on!`IcY^SW; zNo58G#vi_kUgiGnn}Q!r0Ff~TNTDRKvjJcy=Tm_qy69>_{l&!&7lZ=@chm}@69Glv z48T~nT?$7)cqj?m%r`h~_b1wTknzoGzE(wm!4scUF{ki?2Popo1JOgneE=Pf2AwRM z(lNhm!4Uu>>IS1|sya{qFaz*gS4ThKyy-+igM4QFRp_0kUHuNVzZP5dj_vz>!HYBO z0tLfiCpgJ(@1=?55`3W+<%zO5S}spA#aplHhv(_>LICO4Q2R3RLehRuMi+P&-8`X@ zzkTkvNAM3*4$=}k`>N6Nc;?6Yj2}&a7)0TwTRmQ)>#KjhSdAALVV*07-LFKpK9m4K z*&ClnS~p703(Z_5kg5eW_vW{`

$hqZr)Jn*m>&z-VlQ;6E++-;MT%O_!2_jzI4D zf3&rlIBmn+N9ct??Oz_E?-&9~vrV=4-G9Tle7jNr2y!zZ{ka7D7M8^k2c(rh;Q0Zv zgw0zZ-4mj5TlipRZJlQ!#0FTdz9*nOOkx)3LzV?-S?22kgct4-n8R`D09)Cj4``*< z4F^2@=Vs!H7tH&kc=l$jW`Nx0081fHwBXLhC4cy*d`}I!}S8PG(mbaVcUceyI0mJOgTrlrtHroiG%FhLoPFIV#9S(xsze4U^U=1pWLe1BhJ7=-~^&W71fXGDJwzc}2I{-AB z!>1z+yulm)=YoIzC7c*M-nTTdPyhFyjDq(9xmMAe#(Tfr(0}@`pRf4ifArr1 zK%K18Fyap;_UB*WBXI_wn({F_=n?(o<^Fulj4Z$hTrXV>0-gM;-wR#|v$wamI~}DN-HyOkg*XgfHT%|!m<6M&PW3$L2@0vh%&6PI&Oxj21Sa8ED!in0E<1OD_c zTu*#v>E#vd!IRV2!ho<^-4GS4NGK?)pGdu;an=yD{M94>$5-*69->btuIU7qn=;Gg zD+OP$)||_$dqXDx-)x>A)+t{YIlQi@lZi$AbPx7dBdD_lMuImFlwME&X|8kNfi^v3 zJ>?ty)j0W~m$7;I-KotB3@`dVJ9p6#WR-ts&GF!~^{{|H_?ADnYn#)?uqU90`;tgQ zMB5SC$pu?jw4l7aYm&4Vyd+IN)i!NY*nLK^hZ4szH|W7W)(t z^YZWi=}$L)kdppja$BkF-*Ia)()!kN+#Ff-_FUka8ZthBV4Uj+$YY@5S^!&LEJPxf zx19T@YxwsC|6fKIM*oN|PI*<3oP59no+qyD+`lj9FTLHmOz5+vnOmoPhtMMbAG~f9 z0o)HCJgRT^C!pyAAQxkS7TQ@~G0Peo)KJCWq62O<80cj4? zPj`Nsw6by6YPQGyZ}eFWV|D$(71}C# zCNX^_442AQoi0FOsy#gVQ8nA#;M89R<@$pnC!vXT4VVxzr+b#o!eB&Mt9PFozHR~*)hc!Gu-g$br>XQYb3R&fSWq*#y{@gG53_`|V zhOABb85RB)9)$8$5a6oBpNqZ1<&FWNURG#I=ua7Czt09|l8#x<6*2t?3;>Vy;;4kk zR!K?!qfPyH1Jo}A{xoKF6SZ(&R(8VLrCQ5M4`S!|zch?80P-9{hybC}jNWYZ{;1Q& zr(D$_z-(KqbeX|qWc>~%ApUJHL#0cxUh&0N!E`B8>yu#Iv0io&L zzRKvn)df?0>A;2Q#}%{M{JGu!+isVAq>skjHBtv7;T3gY<|6`#G<|mjdJ4`DEejh- zp@LKHETlKs>~>nOs4;}$U=e6$MwgsIFQ!k430elUhn^1;1P@!r{0aIM174U8^oX`OOsLS!t!Csogny&;OptOH8AO2gybV3@lE zRJD8l&Q54G+5Psb-R=Rjs`Bt?OC+1cB>LQqs)b}nFjnkri2yZ3h#}UAz5H~C%`ZNS zP^C`*8Kh09VUGbwN3>RBZiC@{O;>~uRIgoxh_RaI1W`2(`=1EBz7>v~_ApOZ)*o~< zmdX1Ij`3&v^?3|Ufkkzc8U8%J@E5*JnH6~1h(z+iYXv=+)_~)9=qiWS+>Y|upC=!G zzUoi5!!?azPLABen)rTRR(b;T?{ZhoK}S2=Z=R|GPzKCZXRZE))%^Y~)3Sj(aR`mqK{M(Vix5`6X_oYq6$P$@9~)1gm=SDib`qc6nt5T! zX^OAfS_2iE5)bsoP?5n|NK~d95JZnx3_=)l$9(tEY`X-%->>p793-+ybwj;35)spH z=rJ%!HS__u@FF0@mVpLvs{k~-`>{zv*abAWRjVLi)Zf^CTKZ^56NNR9HdKtqca{O&>^B zW^^-gSJuJ70mz#fE#|qvEry;1aTIAh|LLLr_o(JqC&*3;h2|w1H`$U-`AO(b>$-?F z%6JJ{6;J6eeptruS^%dsLtuW2z&%7Q1UPA&e%1QiP!}+!BdX?=gBY-x# z{+gIRA&xdc&8MaU5Sy#cyC6{xS58CGJQ^0wKnpy#!Nc5=i_m!AN_H*yemC*y|RP0*)4 z%`)pggM+)E;CM$~KOGYRZrjCb%IMoutKNmBAbImfrMp8!qF4heo?=W;6Ca{!Q0=Ue2Paj>p z!)P_$ETFk{1_Sr1?Rq0wzw-e!rh583!WnC>kGOk<76GN1Z!y5`EgjVXVwYwBwUNhh z+U!jKHk6jMZ?0vYXZIHytD6K>E~#Z;DbHsbW-wTyeg(2g}HH#pxALG zH1c#$-KPpEap{V5DE$H{4N03j2?&t1HA z`IKM9!vVfZHpvTHLEjz&!UPmW6qPWO(%&f@ryB)+Qy#RM)^NWYf_A}_RL*aag|S9JivBIK*2!8|LUdG!EL z{q3SKiGTBh&iB+A%x^gYd1W0a#B@P41yt4h;md093o#t0*9X zA-`MEENtF-$}{0ojE;{{vHL=3JSfWHLL#ANNuE1W5b8qE*$Kc?!N~9*mh-?CI-oSun`+XuY;+hC5==Hn`m_Uy<$bpt#GI<$-r4h7vXh=^Q26D2+x?gwZiy}z>s zpiH~$Jhd>WY+R}U9gZJ>)Zt#>Fyf*(x;s9;{0H>pucj&b5|H!lBtjLOXMa%#9a81M z4e_7y6||K+%j-7T-x72^z1QTTfg=58*lXOs@!4+3Cu}Xce8(hJn}D#n19$_1r}R+D z^uR;)#9yGe3K~dd15bj6?&^Xm)W6|VAd-lcM0ZJf;58w#wbjj&quLYo)4%86Rm5%- zfW)(J2Oa8CL!S%aCBH|{{UxX8Ge{hxr7T+vTL_K&#YYO)1EhlrfOKlpym}PqRCfUd z(Vh~(`jQ65u6S30PN*4DcsHlBB;(5Y#|HjuXEkPC?Bzx$v#sLvFzMZkfgSI z0HO7&^U9z9r6vFC1^T416j++kMx}r-l@beh-$cO2h%A+`jA=UjdfL7KE|WgyE5G7$ z6AT`X?_g?KD8a6YVlj{{&-A1k5T|v6nf&mJcV=G4mf3wjo&6gtf;#zQq26) zpR%!aMJ%mhE2ng)Kl~RDGcY*3M8|&t?@p1}rOSaen+eiyoU&yB-J$U#@L39>#fyLE ze&2!cs@qv&=GEz+Roi>;SsvFenp3w$0MFoUs1UOn{Dt6O*7cWviMb0o@b9UDPydFC zvVz>(FvT0XzwudLj8>EHF~7TApI9;txSLZI0IUvO1VM|L`xxH8Zo`Ms=axlZDgX+m z!eLY%kwcY%n@&v>CXP>6z)`sDzYEd%(T^!TwjDHzcA`cBe#D)o`eEaDR_1m< z$L2fuB*2gDVeX83pFrTpomwaaBog$8suK_d^9WTB21FZntRyj`;>5O#OTeAoD6Mx8 z!enH;glt@zH+ze044_G+Atd*ygBV|&(cCR>A@?Qmdg+8=vO4ypm`n1%9`7-#XXyFc zmSSB-FmW7l4k6?@7$mY8Y6XzX-o*Tl2eaSJYnD82C8GVvDt3k}EaqA5iCZ^V+_;fQ z!&1o>q2nh6l3}apbzPu-9r9{>S?{E(>=5{jOehM_sKNNr$=ZZ!sT@Kbbc~$B>x{yB8Cy#B#V|`aQ|skb;+a^;2Pafol@i_)OHfK`6rT)YZ;?O8rK1< z0mpAX!9~}7eiwjyhyOR^LiUf_zwR>GfX8NgH=qm%+fmHZC`^Vf;WLQ|;dLGB@%c(_ z54lc<-grT&LsKuZ~v=kHj!|1K(ef5{b;`iJ+i zeSh&OCF4Ii-0T-2WC1YfP~jbo3xDGHxv(%=)2|Q|{qM{E=M}Y8fcV<@5W{v4c>Py( z5S1{{@y&Kb&qimQAje|sY;LW1dq@jvUbkYk3VdNXSkA6~jX~zJxb)+^yxJ8$BR%V) zD7F?-vb0M|&Ux%cA?%8ZQY;U$g-+1%%klkf@poD`4?AE{<0zhd^@Kr_j)S(?*v&)4 zII1UGU7^IHUtT3&7cQG{KS3t?hSSmr=#0k;D7su;11&{Tz&Dfvr8y5mC~tYFdV%V| zR7R55WzY*K1`!d5$D$p5U!D%zT>CpFTTW0YO{r(Jemut}j{$mJuVR3h56^9_a%&Di zvm9kAsdxg!8abobA75it&szz8H&klDG$cV8nX6Z;I{_aoF$*{CN)0d_C@`RGkC086 z_`cpuhufwDCU3$w*?T*t?|1`#CV4j?mM$L2I%s1CHtTF#SZfrA!(3FE)o>svk!H0= zyr5%89PMbCjM#t@eKKrw?g>;|O+~qeeJ60>+T*nz;eX?{sVGJ1d9vNF*9b<-irv8`=vi zd`o?~%PZLSkJ+YnaDz!XbyrsAJ1@??k_e$h_vQ0%8)#4Hfr5C#k$b6m?-a3N;x(pc z+;976Z;emGzbMYmEBPnMx1VZ9p__j=L*Dp`0USq-cu8O(WT6xuAj(#^UL|yVw#vDCx;H)rr)mQ z?*q1BC2cSC>{NC>;xcedDHSNhK@D&J*;ya3k>plD@@%cLK!S0J$GGiMce)&ra=I+x zr3x;Z7kXg+N}&)S?1MnZ;)+sCoZD-IACX*CpMMEh9ZgQl&1bkR&v0L$Rp$}e;F}%hLZu^F zv%bdBJs+8v7huMM+75+&BUdN9Kc8o+XiQ*hxqpS%3j0hRkf#{4IJbE@5o=D|7<{nqHd>rpr8Og~H_g`IT6E%qEvXM&?(UDCM=&f`MVNF~uAJ>KSW~P92 ziT%)-RxUn|J==9qk2QUK+j=C^?*pDQ&<{1YGyi4U;q#00<|?Tteq_3r!i0BX_5d5F zhat8fx7YqIit`*E`IVs(Gor^yac7=8fjw9Y`EE}Kt|f>}K7L-g*jTPqBl84|qd1Or z7Ra8(zDNuO=NhCOt3WD+5R7Jc!})Wl9$l2KLTPA829sX}=bkE^MR0TwCqg40#LFE5 z$DkSGeuSO}BEZaO7$Mg8nG}>%-r$^2e3Pz}C!W-fPA=KK1W7v2l9Ym%uFRZ5V2$#m zIX*GFNp4FlrT){++O}ZY)qf1`t`#Zy#%!)FwnJc^E$4xL2eqhI&E@cSeC;sCa$2;^ zDB%C=&|XN_29smS4)YyPX1=`X@aoZ#9N7ZmJ1W$Wq^vHf^y@+Xocl>$`&r7E7WJU0 zz_QezkHX;tQOs&byjkBXlgTwvN?ucaMt1||ZG)5N!iQieFDuvP3#OmJ2-zGJ^Q)J4 zdVFs6I6WGvALGsOY1 zO=TA9vIUn6qwNsET{W;AMwpEtCIUTs!CAR1K1sC--r&~fyo^Wg4CO~fx`omE8?BrP z=HJ&0kDFY+6d2Td1b^?K1BG^s1KOOkcGNpM14sh`pQ`z`SVNAN>W%d#D$Q6T1tIQDFg#++csC4CP zzXA)d$*S*H9o7_4C6;kD=32jY3zd|$yQ|kL?eRG544Poi5m44wkfmlhHLe@xMPDHQ zz}z-Zo1x1?FgH~ppD6I=%{_<5qd~+a1Ub4F4$PelZbV>&YQ_)hy+}*emeBlgF{fX) zpx23M+p)rlS*tO{ldmo+y1+oA!Y(WMw3NY|OIM5#7lp#~$QgnH|}v zXbE??$ys|?M4FMFeOv$!S9#w0&|p?$TOUbJa(J(rBT~R)leF(+rZCSOdnxj}Azf~j z(wI%=?io>pPuoGMU-2Mrda0z-LE@Zi`Sz$4-@-mXkD20ehg#hjcW2O|Yq@OVWvIXM zB^;~Ny*wlV3>Pt|74NlwQWIgnc%WGmW^g0NV}y65+E*K#uW_~Qn4?6~Qh$1WJ;MwP z5_2}joz?ra@at*UA}@A90!KrYm!oya{AJ?+INS%{*6?==q(onu^68b+V1*)t`}U18 z&(jW+0DEN{=x_1(R?d~28SD@j4eiz8@_aSwzS!vs5;iq{wdmd&C08YU z^JA!u9_nY!ar62!B5Yu=WInqMb01Z*k{^E)PqdqE8Z6SBUW4!Ia?m=+a|^IMB{8q0 zCe5~^^lP7d5oSq~qfxK4wlY{;%n>K;)t17K-{d@{py8|ZO_=?$j35}e&54>VmA(0l z$e9b9EL^4vRgfM$PiJENiRbH1W$M=(tB84vc6qma%sKQ@HQK`fi?$CDG&*aTC>4HY zC;9Gj&CrdVT>kc}(WReqC0SqGajKZq&I3-91d6H*D~07@E4j8yoq(5@GR70YHf`mj zAMs46V8`DioGCzkUKIN1i{+NZo-7d%STz34x(e@%Q2zCu%)2^Y=3NPv?u!REvslfs z_};$A4`=9D#8#>tRukgA=ss3YAgVoaz2u3VS-6<4!#zzIlCEnx=Wy;xZCuCZxWWF50i~INR*Chf z=ELQQWWfFOWPPe}3Pd2pm;4{myr{Z5)0-+qbZclSnv@;u#fMM7d`_kFJ}itPxHkoz zg{Ff=Y2>%eBVI>2!nY`RjQv5z+lO0C%gp?qApJegKEdS2i!=iKk3n4KAX)KPQ^_gl z0?gje6%2;?m9(K6JC&(1^D5^kujb-eB)rMM!@)Ta)2P*jyM<1C2eb$rS4N{_?sMQ*HhXNy%M$nm5 z{WhluY~+_7&8r801%!e+J(-I4#q_=QzE5hh;1EJQ5EzHa)MNFaFrd?V&PS^zMXECO z;Nph|%I6g|KR74eKiFBtB9?rQ>F1O=pdIIloR3S`(q&2VRBy(dBZS?Hq+}@A^~DG& zdBg#Q=xy~t;NxRdGpX1e*k@nPuQ}tcpq^{%6P2SL{;t#&+%BFDJKB9P} z#iTus0dVFg#*-+V!>624o7MjCKENapeK&FHYJrX4^CvO&LKYp%mlB(*o}+0TF6{@v zgO+AkjOA%pGAu7zU_|5<^i^6feEWdmWT>m2AT;=?yzhx8o{~Q^=K+3BY?+Ic=BP`b zQl#SJL#b88l>OH`u3_e)?818PX$2zJW7F60^J+GvO-^)kHE&&2D7o~=Sb5wGwiLS1 zoe?$wBq|J@&RBo|GyY0}ce9JfbW@0*kgDXw!NWvHh93CEK0FVb4|4D76G`2bdOy_c z(>#aaI^2If4ER@`zx7y`${$3W!?^Z#&x-NAxkUJ%MFb#ZAdVBWqhbCu21O5IlQ?aF zJ!JDMQ*Xn-S=+xcjZn|iHZykmtfZmfuC`E2 z?6EtG<*+?i&zWns|BvuNb9}@-8e>pVd^7HbpOEJ+o5IzCox6#&$+L}nVfM_^W7Y1F zpWS?rQWvBTHe@EfEO=b?Mg)47AzAj^@!N>hiSknGV9sEsQeCGuE!?jUS!_Q>QV2R* zKI#i5e%-f`EUZPf5Jarqzmcq`^pK~(n(NU4?Ursf2_$=^Nx`C$#+b3zT$8;+;k8Xe z!($xGsiRr5v(Mo7wZyS4>o${u_m_tTop_0I1KNQ_N(;K#M4oYX9MW?&EvWbN$B5=S ziv&iZHJJ`Im{PmM^m~;G+GFdvL!Za1Sa0^Sk@($IlKQOPaC<(CocnV$r}Ycsf!?90 z=k9hv0_d)l1CYSyZR6Lh=RLfupBsiFV}zlnJL3)PyQBtvA$8PcI6kf?E@4NPr5%xt zRKHNJ)r{HXr}C_oU86v(eGLt^;88HK81kW?8t08XY^Us#sVL>mv|GqbtLv)-ZYQZq zk@+ku=hGS;LWt((L5Xp1W9V8zv@%7tSIS)BAF zYaXz)=S4Q&T`7_TdLlgcST9*v>3c_5H|{y-ecv${48~x?-v3{&HRoJ&F%#PKn1;$bhKF1jq}(!{DHjcOSfakTK3~su zAZI_($3t@vzInQ--zuGAx>zX3!hG74nmMh}@HQ?nt1WB)bkrJS#&*o5&daV;e5Tcg zfBys&eCCUs(%)7G^eYE{THhS?Fy$wvMg6-k-=D;U$JSwgWYZlCh9oFHwD%%T=Ynat z=FqV@#xNA8b_wNtCB$_Zixn;R@0GPJJ;21$*uEk`USb&N5yL28Hk{`-!$W6)eJ#;i zOqLcQo<@r1W0P1bw-#?Cxf`p=f{SmCj;z$LT1NL(WQq)^gKBj-R+2126I{c&<9i>O z9+*v$%3V|w;|T1^(ikkWd73r+ym;n&c-5o@n+b{OMH0WxM!B8>oiif|)i;bvBfIlc zxC=IF-{VBQ>Z`ZRB@=M*33VP$LBvt*(N@_xxgapFjj4g$lI-3wrErAvw(~?HrZG-2CWRmw+De&5Qgc+Q5VuM>7gkx>2 zYt(cnRb}kGb%o5GB-5Ee7}`lzz)|+EUSQ@k^u|qmGbKBwHGoR zThArkOZdtGmmHLF+XXUqukqUGDm$}HPs*p^yA6onlo3~Fvtp5^>s5D+W_)`boi`-# z&74rD`HOel0DZUdWMbRbRRLzD;O${%rF!MW>JxeUW}`+T`7Hk6SdCV?USW%#TgUUKbr|4&_q56GscHYY*QF;Qo;G%J4gFiTtBhIsjJYr%CpZP|4qYMH`^S zEYe7>{1KJnip>H^jc-+L)E*>(`_gg+BFN!33qydPNI?1iFjL|Tvgv@>a|lVWna46Z z;!&AtZ&(cF%}G8iP?x1ubh4hP(eTgEt~Axx!u7&qo?Q%_iyVo@oYxCJ$r^U!HEYx? z(bb*=cvmN(>SJl(RVGT*{BPH@Fjb4ucLOe{WXqAU^c^jm*@`ZFlO?fG245-q^sP=cCE@JFE{};cadfu6OERxcN=ECD z8tpdE%flC4OM@?7&5**WVk}m+w6_t%mA9bWwvjCyu&LNOfu{|D2lLobrIV2Hbz#@V z4kslaPOzS=Ehmqa&_ipg~=V_~`OC#Nj<1MuP5y!=tQ|FwP$UFIb+@ z2)UM#YocEX-{rc*U0`@#b*le@TQI*-mF~m_AH$qk)Pe2(Rj07KYci}!{cbmlJ?z$m z7hd1hE#1;7)MWe8{QNna_s^pp9lk^#p~m||fEQI@ACwe4sB(*8SJtZ-|TilJ}5(7N5)j2bJ%xIIUbnt>i26@z5Yhe|rnl?q;FlrAH&xD)L31z?#K;Sp(lya9DLmxat>xJ?{Y?dnGamL%G+ z*RQif3*|j|`E`k2f*ZbY(d+eOUZ7>ltB34M60##qJaRK5CU&uxbO>3z(CZ-k#YPT=H`9h<6!R z%jv`Lv(-;HG61+I$4lZR`gO^ulU<|5un@p5F0^S6x|9&p4HN&n;m1Bw(tusrwUJ^f29ri$V$)}KRS?P0p zdyWdnp)AF7DgJ2)5xtbFw&B^>&9Xg!(_g^=_4i;Y#g%2c;i3fKXHrhHYWZrANz-1r z$~9u-b(K6@kJo;N(iaBh#)16>jx$YOQ^uI@6Ev+90vQuCVgv|^_1^PTY`NO} z2AwZ-i6SDGJ`tD-tL&LP&V2IG=TOWkn9||JwFg6`EQez(JY)+9w=vC|2KKW1Q|iQH z01wh*UQK`Df6&W+%iwUc=8f|V^xkBwd)VzVGxc;{KQka{$}_Nj$uUKCk9wy`ihr;| zV2Km4v#LX^fi>Xq<2zB^TY`cvbvq>U5n!Ea9XkV-RaJSl5`*X$E)teD?1r?Yv;YW< zuy5>h+Wq#a{A8A#W&bS5gT~z8_ZsN^*BaOpt}6dNR-Q>tb*SeB;-(LlrHwZ^q-$q( zAe*ezd|P*T=MuJA{N5EAhu%JucV9{W{_cqoBO*!jyGJBS=^Tn7llGI?4zsC!^D}AH z9ZZ|v3ck5HI9o;o5_^T7;7nk=0w1qc4Re;ew5Vv7b__uREuswlpYU+0M%CT2sGaoBUFIC{qfbI$w9IEkHxi|B0@xhMp#T8-qDvmX` z-A|0w?&-9K9!irBa(09BUFVkWmi8ua?=kbmxlP)=ci#8_Eb%QQM$Fr-^7sm$UE1X! zEIEn-L1_3T349GiK}WrAAB5)Gk}iLd9S+%qe4J>^7JD0M(wX4%)Ntv#>=D4<0n8sq z8r=4V+%IP{q*W*ulkjUMsm~|`w&b}_ZO#v6OR(}~O&xlcewE#f*`0E6(XAcjntAjt zRJZgPK(URdNe=cS8WRGIt~mn}5eV?$eZqqqa}053Gpoax`axB>+2=H0a%*q&yqED0 zq#h*lC?I9heS!r!F;SwQxZg)_CVJiY+fWjfSSH-(wp)U}U{U;U9!HGMP;f&`wr?B{ zbqpMVsvmS;QW@D-c!K$CfIQcE`av*C@S0($1N6JFDMO6roxiO^)g*l7<31o(ghm%X zuf@>u{&84k1dGXy*7{2KdbG|JMEqT^Cv=4WK8g*zk2`p$7qDg0iPg5hkQ$F%i$Yb4 zH=3-qHzhafgf<4+O+tY$ILNLc-q@&Tv%Gt55l@R541RRe@$?#N!#2l!qY&eN_!R3( zo#>z(UG`X8z=-50o4nWYtwflV)`i*z0Hc%pC#q{=OlR=QO&O~nvfQ8P#Tu%$H@RD2 z)&_Gj(6CdxR*+wdff;P2ryZ?{aGKOz_CGP6ra54=A7wN$PIoB#3x_~80*t?;|InplxCfddMjMuc^RG;2{0_U!ydE%2lLbkvD-pz=bGOH|-%DM$KTN)aXkC^S&bfcGM z6WwE!^hF-)acu07;bLfX>o6e8c-(DvRTY0MV05ebmp7{AeqC+j!8q$%<6CbyP__It zr#`3OlN>G48_pX$2ad9{FY#ID`PnJnk0~cG1$+MCi!{x~g%0T9cWY>nWxL5~WuQZz zSC}U~r*>q!P@^zM<8n4)u+hWC_q-PO{#N5*$`KfjbwJODZ$s$6lK34P1R~$Tfv;cN z;AS{C&T|3qbB`~%N;J~G7@84C6~flYTXuunc2Uyl$<`_AWCFNT&AVewpAP#)f4z1} zw4Yhlidl?<3~-{;IKSv?;HF?e#496Dj7zK(G>*40W7uk36N!_G!rF9ML6SdLp;lK?6k97ki#`NkTdSK0gS*5^uxrsD1 zVD`wH%4+_A4fnn{$!N^+iFLPJ$N$xq$f6h_)&X}Tc^5V4S95=vJJ=K zZ5#b{x3nXzTtzBgmXVm#P^~!Cp6LD^oA)?s_HD7bLY>GmhTR&?Vx862@$q>2{!L1k3Ry^2ZjghU&lA}>{>C6fx=Jk zzC;+|RQ%pDaPNwb;SP*NeswLxW^4$t6(Tb@C`MM0!Qq@L4wB-Yhv<5^9xvUMPfI*# z(P4P*el$n$4u1NL;SRC~KsIj;8Asyce|$~Cr0xPxBwo^WUlN1PaGKJaFJb4K&+(xS z?Zbtk^Q)t=ly4)Nn_$xgC{Z15NP)?bt;W(E(C=LCshtAv(d0qCA&Oa{`~jKi)WWD1 zfPhmSpKd>}-cqaS7wBzzyPKfb?bYw5{6wV;1|Gyp_r4{!yEoQhbta@LjW)PB7V|qM zj}piDN7<^|vv3aCMbO_)~Y@NrFhgsogb*T#GsQBF0^pwl`u5{{ksBYU$1OFrsjS!Qh zZ6Tp#X;WJgjzYnSwnT$NsLA;`w4V(jufbgEPqls3=P?;3xXDEOY_T4q#QN!|hPI5H z-dzv>3zy_}N&R)H{qko~jKHGa>-1n)QQ8d}E@Bi>Hp7@pkeS*HLszcJI>&F;aCT`5 zPN8iX4Xuz9e*OiHUsd%AJ^ecK2B_G=622e3nrYX$y-uE?z8Wk*L)-m87NI^74@lPc z@#?~Bi^nQ6!2Es-#9Q&*PG!z=fg0%h&YvDrYtu6Ln==bB6msJT&A6|zv0t(hgp(t1 zMK;!l+4VI)RX@jiG)aTnYEpzkIIWdA%gwyS^oUxJrRJ;nBD244OK0Xo;cZ{WIA#5% z_|oQcfv6CL_%uM@BNw9(h9wJQqBi4IpR_aE$2l<*ttAFc-L#^%ASodC0ytYBSA7E# z9sQrc(%*(2a`%mBy(D48Wr~aYMf*TaMK_Vhy6TY^9AzKoJ6=`S zs^UBYamLzemh77ka1-33#mK7%vO@R=7Yc7FbJgRNTeC}QrOI;3fxQu?xKahj8o$8h zv-m=?8Y8vmwm94Ehp&2dZb(vcuM4o)vlYklJ zF0!-lA>j08&nOxtdSdPA1zF+~Cn zyiiL1f!EzER+c2ER|NhJ)%_i-GfAPT+c9 zbmkXz95rt`464oug-xyaHw*3~@S@#g9!H9F=E3gb%Qy!*;FDy8>X#_cO|J(1l174; zBg$e|S76!fGj|#GwNauPbpdgE&=@_suDaR>N8x_1M(cS38W=1!3P}* z=%YkFs_Pg^j@5y_7jS_W{nm=f^g}9A>h|cn9JZIJ1k~BCmo%TdFMqqh>wrW<352$N z#=xC(DN|h4OWz^ZPX;|u|T{7M$ySH zh_67E!IJfDT*id+{R%)oqyAVy#Bd zJ$FY3?wD$N479m5h_cmgJ*q*-B7ql2C1{pa6w3Z5nNND6=A^2a5$<5uyKn8&? zH>ciPQXNC1B|1Pm4W!*LLwMk5b~tY(z>EPc-Z;_yU}BWcZ7{FRiD6eq=_W6jP5nyn zdaxGXFCa&Ze!2_%g$=+*9M2f6Il_ps74Niq*aH)6sj+Y-48;`HwRt|wg!xONAV?cF ztlOvY+-@Cj)PthGd8CvJDKwlEh{dRQ&0^@_w)rgXS-bTci-Bbneqdc(-E131T; z2J3^Ix?>6Kc~Iqx?b=WiXE_u_Ti?5b)9p);jOzRZjWjV5ws8eemBgmeYB+o9P*uND zzHaLZnHIbMG?C*F#$vk%`8PSI6wWOyN4{wVtr~-h$1f{KTk3Haxd%`9N3{2{Xeyhk z+QteKbNQ0MM`Rwl%;mP!`&8qskw$wTLgqO0Qb~ElCnKO&e0yBT7k6y}Tur|9OhXPj zBgA7qz>r!|P?|=hB6oTT+X<_Yesj8|u`$i_MZbpqmtw(}mOvM%`*rb>H{C_XBdFOI z8k9iVv3)Cw9E-OFR$lhe91ovjzHV&mNY}KE|~yT-i1eLb9-?&!*dy-2(zW)$ECI zQ;#k$9ZY-Jre4oaq{*!nKUPQ%w=0bc|B}-y&gleci-d*)Ka}%f91xCGez4E3nrUh5 z&`?~Pdhas3@f#Uxkb`pP~5R?8CE;6cjgc58hp*Avfq@7+R>@qZR46fYo_noHrC9kwARkSR zEawh-^c~QDXAhH+=Y2m7<=`>T%I2Kr^q%KycnV2h*c)yRrE4D9EuF*tKnVV7XzdpNx?MwoE%1Mph^6$9vsh0H2S* zQLIW)8Reclwj$#Bj(MC`%(psV5t(T?X7=;_#EuGbS;fA;j_N-Ma zCJTfO_pc1*cB$sIIyM7yMrm{oWj&oC9i-Pfaqv|7zLkbe)4vm*-@t$dO!CzYba{w03NL>eQA z@cQ9e2rVYZDWlbw`jRP_i|{Sm;5P9!o2V()3?C1QB_wXaxoYtIta=YW$#wo^*leBx z5u24hS7C7AI>f2Uy3o&Xgfo9Bn3&=g`a(b|?b9YvqkitZu(BiF+OMmX`>Y#HnKS^p zkU;9>R|~l`W=i^TQwsE2ori$ac|>20kW(&htg)Z=)vEpAl;;xnMpJINY2v~S3y~J# zM2|OoPX@lf@1F6@S@OzvtK3O65lO7DndbA7bx#3ZKv%U&rc~JW^Efee zq4-7_k95!b-bU{6t>G%GpG)J>Tf!FC7N{18W;BgLB*6S6Xb)dpMaHSFfy8`0rY*%* zE5V)J$ouskw1@0?$Ee&hE1Y!aNl2dF`~s*rYP#5T{-Nb(9;Z(F=VuBxexGG9d}CPKS>!^Nb;g1 zZ=actq5aNP#G0^gX;<8baJpaRF~r<7_s>rDF)<8jX{jF0-ZAjHWQi3!+?SaindN4JMzWd4zUaj*+}lo0(m z1JGpiN{d}uAdv9lkt{a80P&tE|KSbYNj zRCHTfH;n@|LrM4KT`7`LQNsSBz&gbJZxp9Xi)G1e38>@C$l`%uRK{rW9c&xGslwW> zbqXJ}LD=%X#p7BQ<*bIPSU*JR$t1mL5y5U$XF=6Y>o~LQ&Ru6x^-4^s3un-J+wMRv z)pPe{Wq-^0$0^qMZts<8r#Z_mZ`@Oe7`NE>jE-mGws|0?z$yMra^$_ra zZ^2@VKe^g9|MSe;RhUI)9MKfCu2YR3hn_C}8S#tHHC7u}Z@ztipgw}1Jc|Nh@U%SDOBM6GiR{*K`PHH?IE zhTt58*2Z5z0TmZ{+LbxiBt>x|d;(kGXrcw2nE}|X8`pTO%s%ZjGbM%HG5&zf<^|Ot zI(##}kn}WZmp6XHL24=2b1hdc?@C{QPY$RNy7AsbaQfdqAv*P*Rb0^Uwi%n-=0 zc`)bP-~R^5)IkU5KY^`jn=$fcBMhdkfX4eTEwn1#HULD}*jGy)y;DRa3qAxJwoArv zMCv>WBySiIXa`Lmr>||(u~d@BW?f%1wXpjOqzK{J`q-E9rT5^t_!6+`5F`(O5yYGx z{h%4){qo*r%Wqnn`LHo}S6i)8{)ZiT{~#a#yYZPNr%A3mZ51Afiw z3m&v`vj&vBP?4ij=dj49y%&`meVTGv%qrkFMlxypIP^6pj7ms!3&fUlYhR(T<@+lW zj6awC|GFl{&T*7m>3$);UjOsO-(p(6f62sDvi->Fz@yoUU1c#W_nJmjpAv%j8!pSp zt>LeSDlnO&Kv9nLgLTN|wiqJh6AvtL#j$HvY3L6Urbi{-CPB(D%>dIwYF{(c>OmV3 zVqNpKGc}U)pKM+?MlsCb2KuM|f4(?E1Qnaj1+a@}YapQHpwS!VZM3vmH^9FeK_8TJM{bq zwq0{1^`mN2N6$nfZuYYkBHF_rW8@j8Op9|gRDX`i|2}{_L~v!49MyMF|0f3h_?{uG zLu9RqV~Bd8rUFttlQ@r%M`IuqGlY_;d6;98p115S=THQc8dhz9{Q<}!)--kd`)?g) zUis5{s30%^u%buSVwJwSbd8Hpqu_IpKNiCcf

s-_X3+1z|L0xlce@6Kl!OrA>a$ zQ^}0hF|Ph|xc*W!!2&>A9@lrqf55%|t<;YR+qWCjJSG&0v;Mz-`A9&dh~ zwt84IC6)TmQ{r#u;*S^PeaCS1yC+G5+VC9yHoOJ!Np?8Bzn=*L=+VeEJP6t@c7ok^ zP|m85lZwG2wQb-Pk+BZemBLv`Uk6+;YP}wl`0gM2dSu_g1oxO)Nes6?_;=1qdeJHRK*`B6v zQ1d$Z!L0PI%Y*Lsx|4b7Q%_K+_ug5qxNLk^!sj$}z%%NnLJ?Ogg~xwhPyb`Il|7M9 zwqSYqk_@f!W#Zp&c?3nb>mOPJu#$Vbng;L$Z>T2&ZcQyo) zKoCM(dT-M7Xvf0n_V4-d4S9gv<7CGNZd;sij1Zx#5}D4~8cQB2kKOp+XUsQ>0cZ)i z-SYB5n|wvRUN}GclzVM<0_zxC=5H9gZhXp0n0Y!&ugz64|Q{| zyXOsJ#>)=zE!@e?d<8oE4K^|6DkN&^+k_s9|JC{gKP*PR==DsKF60JFv%`RNg%vJ1 zlT!35q3`Kw!N1=q4Fv;9dlt(pJEy^6{_kbS!H|$5Lh`R3n?YFwZn|_&k%!Y{|MNqdVZZ`r z+zt*b#__Md0S|Jl!JRoL4Y!2|C4>uj(D`EPE6_TdG$5*7w znRBDjwD9o7A@;9rA!M1(w&viguc=bM71ZD2!<%xeA3D?-QhGze-skbki{ao6h;Loq z^gPo8+3FD_H_;yV^}8aQN``lIKK)&F!p*6z>Fu4F!vbm(|&RxTUY?D z+PSF{12-a; z5*pq2EdT*QD>v@IT^2<3aIGI;^f@HmV)d486UhY3fxkGNhxll--B$f5=);y9RO?l< zQ7rt;ilU7WbAN7*Zxw~}$Gvph7kG1VA-D*_#8zNAtxI`4WD@wXHDhq`3Wt~&Ej>b9 z>lq+z#_$Bj-O%Zy#$WE0E}T9G`uLD=2Y308y|cCHN4#eG@oj#Tg`?!p6peB0?|qnh;ra z#Gwt#`d}UwAUP5sKvvj)077$1;}FW<)sRLh`g|YJ1B1Y?MYiGB`DxRM-X)%fSq(-o<;Ayf`Y-MNd z%9VRyLlFLEvoro76PK6~nj^~+3zPKNB#?_Yfx2Tr5~}t?D$-vo%bVbjiNJN8x+SYj`YBLVH9BJIIj*RF`bC?>mb zari$#>KOUvU(mNzn3+S1&6mGvk`ANBpz8($UP>Ol2R5{rN+KsI-}FBv1#^yq-fl5$ z_I4-bfn-j*pa)n;yaeuM<^k@ddpnMxx-&lcvC=0(5Mp28zfE!A7Uxm6+|zlZ?%|yY zDv%Vp?)CEanz1!Nx%x}+2e7dJdZDZoodyB4R6jX1?FcQ!Mf5JGc$Dz%52=}K6??@* zbI!wR9vQ(~XA=aRUMh@|xuyH(g;wt$aVB9z$iA{85^wGWT_i$cz=I}5m0+2WwbzSE zH!)$`Jav-nxBqGCxmcONMd06wwr44QVTtsT4Bkkh^Xz;qqu)2-U+nb2?guH{>yrrCuyijJI zUQt3qT?vo(l@hpQCxYjB%ks8j0hN_H)ok4oU%H0hPH>bw{EWu?D4m=e92_`}+A!D@ zFQpZiZ7D#0_Sc~`KXC+_<-e=)e=g`rDP~WLGB-R~ypGx2AY|ih*%={YeuItv7vXwg zS8=~{3>t|qx14xz(W=DRZuqOK$5;(50+HL`1;o1MZteA!d`@CQJfn&yF7kQV>!}pd z)qa`QtdH)I;yN1$8Q-#x^*av`%ezqBFIltmJu_TtWWyoyIZB_*nroy}!PTtKm71a_ zOvN^)?mxb#cf7Zbd&tbNtikwewkW2x_AQ!|zI&Xs&ij5D@e9R2!6#sj)%ec+=NwB4 zjF_!e^$|)Nh4G?Hp5O^}yeh7z%E6W=BR-$499^2K+R`$9dGD(6!#7w%2)}{zV}(3`QG`DiN~yqGA*Y0 zyc4$BCC1Ej0TLk|`rLl(DrMGB~w3CF&Z_&pvR6R9v;A}VAv(-K!*3iVYwLFUsQM}4LS=EeB65b!5hh0s-{x7+Fb=$3o5wULC%kGznmW2AIrS&RcM%0=oMtZB4uVB zv+I5DePlBl>`T>;(}xPSyH4#_9=UGK3lt5j>|H+y9HU7*ZBO&6u|5x7?FTRBjL@sh zX_Oia!&_GQcGphz9KJ5FkO`un7BBS-r}m1lm(f3Y5D~I8UWr@()+(VqG@fD9YLA!X zr#?dr0sR*G!kzA~C)64@H(d#g6BRr;U&nJDP^j+6czCOdv(RJiRr66WB3x9D*?$np zO5QG}{@KYCLjh$!_2seB{EucbyW^S(WF&bFBKf?k_9tGq+v17eo@suGx$nR8SNlVG z6@#UR=IOucuz(F6xn!h0ZA!#jM4@VSo8xQMW2!h6Ss%=95T|Mg0na68WzF_C{ke30PX$OJjF5g$R z{x_Wo*3Q>*XFtUE+gA{cG#NX{9tv*&F6wN4DBRl^)r~n~X@tXXrEj-qG9881X2Y?K zyLM1EWT~@ziN&Yp3l{U(mFOFqo+TdHS}}}qIJt9GwlmW%5<2Q6W$OkP@pFAKi}x&k z*-4Px8ftIzF2UD4R*}}81braY+Ky4|((nlHmE34s(0&Vp(^PJo|=ULKdD9#B;8IM?MEVrQ>(5loZIl|{qB3B#K6IG=Cbnuw#-L2B& z8$Pz5k)5S0R1hwF_L3}LC6}D;&hknnQD0kB<{fePi7zhwmpPRfnh{1pz>Pb9V6rVr zX%35%PVH$gd_;*8BnSpnQ+(`{fi4GJoQ<;eHB`?J5n;Syy_j=A>en?eQ0Yi280K55 zQ(d6d;94F*K86t>t${UX{L{W1q{J3g3!+fk8Bis*@+#OToJGh1_~cgrBKEx{AcBdn z7@0E-@@wO42cw7x~v-xbZj3y>~pZ5oACy! zWNGj&^NZzShR_q{N$GtRFh5p62C+@X188;h7)WOyx?)#c^REgdI_U2qx|(FfUMysy zZBuXai8z8Y@;j453qiUgwom*66+OtQIzYbK0e)?^rOxI~`jieI>5xIHxYKZY$~A6_ zJQeL@PM+^kH&Eton?KPiB;Dc&P)yTOE7cc%>M65UhvpYl;?IFLZMk>#{Yp)tU=v5z ztX@p4U7(QmeMB7Ry|}hh-l=DAzRxr_m-VIsCqO=+Q$C6@ZH{2BY0$s95)T~NwPzUJ zpD!oMujvVIR1F3Q>2+DE>fCgiJ_ZS@yFE`oQb?+H4FxO=UQ=O{_9yYH0ZNY;CBxP= z76}w9uDZRNeNT)~A|aH5_h8;3G>T98Bg9GXS8z=K2^b@3OZp;n8UG7<*?JGwJwOPHW9^yaWp{AjVNFf z$y??it;KX2*nAGRK|(wlMQiuUg^T&^vzbBN$~X1PY3?B71_zh@6!ng3z>3DcvWs(G z-V#}|a5TV0wSgi+oxmk&{=_>B7zyPx?bKJgm66=i6;9)Tny2r9+D)n$D}A!oT>Edpq{g|5Z`YO;`Vx;>Fk&vVu3Gqt7eq> zTVNlDR3kl&xC+T#N0J3yoJStGWu)!t_SzZ=u{S&tpWzzAo7IlTw~xELI+Rae){nGv zx?6%Me-hjCly9SY0Se3Z8f}k)L?NV4p5bn}AoT4MD_XO)7!e$^_|>~~ZJ8ZW;mp{B66Lbi^3crjwkM-f%DP&o<64E@6sP|_sRtSYXKcAOuM=?R zs_V4|>qO}caZ15n#V4o!6Fg0oIZCOU7pMa7x%rh|<`LGK=~+EW)Y8VO5c=QI6R|o* zT6%Fx@G6L(cV^HiFB$!PJEiFjW2Z1oLZ(&%Mov8y_r529n4 z8!Pgpaoyszjf1l}Dm5>!zIm?IDf2lNft-7W-;mb?l2=}Xtj_jl5uOgqgwVAu@n&b(Ccj$Z38#WxcXkJ zt;gm_n_N~E?baH_6QVow5(0fy z%a^9e!AaHdVWASs+s7Ij3CQ%XZ&j)ik>otn>q5Rjo8K6vju_|+5S->X=R7RL-$OZ| zvY|c%Dz>@cE7vbDjZa_f@(ky1UGfGN{xyFm;`oy$zP;>LjNiEZLb+nyVR)hXPlq?g z2IarF4u|sOSzbTpU>{FX-|UvTA(m^MUu4k}<*xfVMVm$Acs#aku1_GXqAj5UATtB~ zM;HeV7TTlX0$F#Gie)Z%++?mwY1J_mV1BV#sDxYal*ek!(6m>k!*1rBq0h1NWZ{71 zA!2KH2)Edq`Elu@xCrt)CptJVaBQK@WzA?ncwBU+s}^Ve7_fA~8EFe|M6NjgT2{hk zZ{{m&J?Eg-I9YY-k)6{w@V+0nS89z&!0Z(s1Nn%R=}wz@36mOExvWiy(Guk@wQ zcW1Q~lK433Lz&`aBj>md+#*ABqFbphZ*nJ^A~+XDB8L*#0tc#}hMbh!$V+k?@MhCt z&1}gTIc9x5%<6jowRQK7X?OihM97z>rynQ!Yjd2XX!Sz z^MYS1rE}SIuVn03o!g}4*t-{B4?#cS>V)Zr*z*2)KsKree%?C2ve5J=Gnzb)&lM1( zsDDXzi}BOZc7O8P=0O5fY2R^X30gL3b|wp};;0K}2Ckdml-a&QCWdke4c$Ijs9bCf zFF>NgK8HiI1WXrR`1?flpg+Ve4Ccr7p9?RtxN5HOS?2>Oh6LY7@rVaH6ho_$6hOlB zpysDFn342<{ApqzhvGBdPb;3r;cN4*As;cu!Khx}mAGu|(Ws$$%p?*R66s=hyonA(~1o++U|bsO4fw3( z;*?n2Zc1WTqj6D!$%SqYq*25J^OCPQD7>BQ80P*-`Gh3Ww72p~xJW6ZRy`6doe9IU z<_CXYg=({e3q&EZ;`nmdt2*e-3jA1$)_b-?o>;ydYAXsU0>nd9>>{C!Q4i}n)HHqX zspHU@zgYyp%+|b@26It`>FMRRcuSs5RNRl^_?EuM53+9@rmgEV)ZI>FTQ~A2y+7Pm zBV5LO^x~|DE%i~j(51G+*BPYIJADZfZ3P3#3SYERp3U)Gb!F=~3)(P^@_v{tX}59J zs7R9eLZZio*Q|-EHx8_p-dV&&(Osm8+u~{qRJN1x*l4NbZcffza+z>_LGe`N?tXH} zBkA&Qce`YG&g2|>r9=^RcwQYsSH4;8#S6)HB}}b*B%N9D;0l{&!sQd~)NI6pGaIiD zK-SIM>{fkW;?(?gBmB@0LSPuQR|Qf0DS2+(i{?Gmm&3&uKkRq?lbHB7L-FSizU$cP zv7#)4fAF&3d|M!|$*#WsOPLA!z+Gp%%~S@JF)yM1nU_i13i>Z1D|mfZOxuV+o+s%A zh>`>@ho${7whY}PUz07pV3YOieaHW9FLALnkSOB0I+?1>gIE7@Tj0BXhIDW7MUahV$T>{p` zTtzHxSzDWq|v2v!+b6CBku|s@@if=Tt8xIuv0qSSc zEY;tTlyBvy!<=rkqZ5LVb}+$uyegl36U0d5HorY8&_3ymT^cIT=-HRj=hS@fw3f5@ zW+bB8P6Qp6@{*U#69(Vs;(eZ?S+l0fBMn`Q!-rL)>s+l+Ys_^hC$4+D>1aNU;Y*p( zJzxHZPO2>mm)yP0v#0mk{k=5D^l{uc80A_8U4ny^P*)d zSYh)br>Y%a5IaAOGCJwd)lF5}Fi{H+ygEy>!$FsT_mm`J7an`i&I~qe*V**`}>}W!IMqltUIsbIE?%v82Miyv(qPK1_BT~SMfbc z6I$oBIt;AUozcio+dOq{0L<|Io0|%L2@dl+C9;x^Z2d?t7!EX5F`ZLQ$t3<*qUCys zv~lxkmoDJB_jZlbDH(s+Lf?uiZF4I&DsB%VghWJBD(~!M2N} zG`?js4v6K@EzLbWg7@_Kwe#y_{<}X`2Bqbr7!kN`#0lhGe@CX*Vz9iY*8hVjAGpEc zvZ-5)`iI*?3i;bo6b#$#E{kDV)^H0Bc5m~Yhn83pNuV+qoVW4?p^5p~+uTP-0qK|7 zbh5}ggyr#i{>uS^?23Mwp>OPkKvX8q0RErlqt6D28?TbF-eM~W#(gZQVT_BADAP;% zV8nJ|?ii>WGxHp~*x0yblz?bxuS7i4TqZiXT=y!UmywO%(pv1hD-b=%HwFE42tetI z@^_Y5*i>-h&`RW@76J#tS7{pvzhz-+r7s0XiN&R%V_<5ybTjAXiT9=+ybs}Dg94>5 z;}=OL16tx&m1{nu83A5jH-19}EHBusa%`dVrp^htBUjs%pkiMrP)yO!y0Ev(JLAta zx}JADL^>3mEB`G|+w4kvkX|-SrP~^LQf7n8*_?4?jlIljIA|#C%jE49LfRdeBO0hH#?3_bBI1 z(pOF8v6|(u@lz8oo>5mv10zeN6d}3?i$>U;3%?C8He++Mz7}kE!~~xOZRMPYeB9Ry z+$}2L3R%rK$hDzCcp~lQ62IvwNXj#@gOU&-|IV!~+RN&AFr=qz{7aLUNAc+{2FDC< zU97LKIyOVK>4ZS=4&{EbahThc{xnv7w7AnY@8A!%I$DY9SWl*F`?wqoWBoIPNDtKC z+099C%YdZoFPD@nMqBTR``7P(u=7l;sA^{O&>)oAGG=7AOcA#y1DOsS-J`>}YxSH% zT}e?)5_~TzN8XxdF)I_a-quPEe$zD+%wv5(|}_|FATC<~*cv((uB zSlr*>SGr33k#sTbF)Chgffz+V@sPLl@LbN@VF9LFGf-9gFwbv(8|iIlLo!V^@%6nspnd877O@jnXHnXC5c0tsS1%D0GVd%&BO6@s z+<0xz4N5h3yds(j4Ckiv6U!ZtWV;>D;*dBax`1B6*NS$Y`tXv3%2!g&^>IfCnMh%u zD*@g{+V>0rwJ!*vm+4?mZQ)#w6aiS_wV<8;cBELYvmAsnz@jJI%lmx$7Gw-pK8_}Y z-Y)DGu6e{kMy#M%bLTijzF^C|^sD)<%=<0#%@`|P+Myt|;DHk3N(8ViZob_yBJvu4{Y4sDx2vzh%{X=;&fW zySiOVK57nHYVkVYY#EY?3p(=ZX#Z)nk<+&Q?b92R{Z=-E)zeFdA_&Wpt%AC)dl_HZ z`2NcapmB8%H}R=mLeMJWsXv#a_Y80cL)SHbL3z1FXur#2krDhdO(m{Ya|b@Mi@6PR z@9>$#0+J)5Y;P`>H)f5j)AFpIl1As6bcN}tPV%d=eh{0+j*}~>2`XOlMKl)T3!{q8nFf6Z00+yPaR`nTME56~rjr0@kgMC zjX;=i(@or`kV(IjC^@bBi?+$?>m3D^7E;Pr#BI-P37&6rV>V53?OWhRC$@Q8=noSV zrsnwhCs23IfW?x`lTf~Wu{2!`yDPjlN%V##I_5wuWnKaLL^IhuTSfkH8ZCx8D#knX zx+Zz?SSWvI8wv@R z1i+-Z1Im(Cxi4Xc`l4gG8@UqZ3Sj?$3U<{{mKQUm92(0g&pxXAa0CwfVPM~le@)+j z*1?=atj2Pi#BdjvJ&VDJ$NU)>Bbdeg( z;Vbs1x{dUU;~dM^d8eEeEJ`023clo1OI@yN@sqT!$VgbLKbBy#aNeH4Q7TeZ$tF=p)7`Cnu{Gr~V_BTXN6#{* zerq_JusB2Rrs#D@zQf;}=m}k}=EMGQOf@iRE9uo$=wcd%#ofD~czR(Xt7yA zVjVY?>x^eawth=scJH;^G$WE0yKb|UCWLAkS%A4y`((;f9Ie2{ec++ire+`=^^ouR&o1GFHuap@2bB2s7+2?q99vMa_#`B4^j~L!iD|9)GSa5Y z;t-cL5-8#D*kIo_66F}v?(sxE%{{uZ=qexLBEdq&^jWGzsM6kYrv1|>#Ivao$}32N z9z6Z+3St`T7myiXp@4c?+kX!Bj)Yy5jt}~}FY%ZXnV9$ezC3=EQ!Z9-`(1>i1HiaLDg6L z&eM1J7|3bsck!dOp2bvr`Bp&gUpJd-d4C7$OYIk99^xh`4?^Xa(dNP)ZVn|6`3I5w zN1^mZVQ=U(f@eq#8GK9laI*MKmEYxKSZ0<%v8LshCEdascL1&Vi!bH>kF@U&%@}5!o|Jlr4J;**hzQh>B3MXZHTs`(q}Q$lj~$%n-7F_q%h>GrrH$`F_v& z{nzP;kN5lay2o{2_jM)V0EGqj;D_r5eA&+Bdqn4h2^oV%%E2u`{QJt-h|5jP!wT## zLm(Bx{}wa7pb3WX(=0^g?X>GdQKKNMh`~TLJqbf`c2v|)C63sZE8U#Aw$IJYIAQ{vzY>5rARHP@2o?ICFgTxDXQZe ziEeFMQ!8WE+s~@t!I1QZk-ZEJguVN#>`QLru%)*KYD3SV{;RxOm_K7(cQ?YNPsR5g z&hg5XE3%iYggWzo?@B@SW*-WAe`Wkpg=L$ebl{rGX62;KTQ6kkJkXYIEe%G|v_ z3&~@=`%%txIM~XOSAc1?@n-1CNL0)DK;{127heKy)W@YDjc|bdRJF{X_iDKa583iQ z>(7HUM1;r;=Xb)yfY!=~xHj$c(JBuKl+qvLxN#_hc!CC^^^;@Hg_-afkqupsTrL2{Vj!|#JwEQ$r0-Yd*iC-9a z!of78xeEq?mvgH)EO#uf?{3H>ia*1T`7GK@;`?6aPh?J>;&x1L==vpI+2sPShWwYv zwz*3Y{(d$k$GyitIrOS|`(QGPau(%3z*2iOQf`~yl;d6LFqhrnvjf04p0l#VxE*x; z!{rGe0Xfc+_Mv&}0yXTQUd~f=)!d7i*2~KEC=BOA^?Sj+F0-OLcPeRy|I_}~^I}`x zMYfL)Jlmr{jN-~Ee`-B(GJUe5G%?Wk!IMfC`whd66HP6^?Wnk0nD_H7n_4i>+;rvs zaKJu$O|_6WSV?}gN5oLXN`_vUWAJs;T^gRL(EU%mi_K_ZAewtm(2RR*>mH|@01C6V zFg);KsmC^zpmU)>1wa_!xi9zie%jJKe68^JM|Kl(Jl}8LK4#y1a_mk9}pgvc6BCu!Lk$?)X z`Rs%D4n+TNhEvj1TrknSo5PWIO#b-eaJfFZCQPSUX1gE28p+Wu+U;_|Ud+ClXE)$7 z;gLc5apxT_>NO`O&8r8nPix6jA$j$HR5^qU;SgBN;IXS%p_t%c8LdK!}>W_93^HbeA#ZPR=-SJ1zVas~7?X?*- z>bQoXx2l=yUkXlPOVf8bGxZv*H&kn8uROcx`Fu$bv$5UwZ0^pEBNRgeFPb zd=r%0W!)63HU~S^5v_ch*P|<}n}!yn>*BGP_`wlp3mK8wlGJ2N<>0sD& zK!iB5rvfzPSghre^=c4h3W;6?Y+Q&y%>|twUK4+ z_q}mpFXiR+g*`q{R=DZRl5ZW0i=SqNQ)N3*OM!;@b{kIP<=kD*GT3x*gg*VFB_7=D zCgFT$n;SojAygOwAMPf}wAcj)xq{8HKww)fVy=vA*#bG&WXs1-bZ?0ZwG2N&3lm2u ziyYYq z{mowP^VkfH86{g+rYD7_RUpqY9LVf%7w0(=h66rFkpp{N+oOY`&6+H-Gid%ra@Lsb zr6FZ>9Z)H{3N7*_Z)TlueKk~7vQ0U(m7%!PE^+K`qHN`q||JzfnI*bOFA|-y$dX z>!1q=zO`?kW%wG_?GYA!;^UvFXora+!UA3$VJ^3T6rGAW48d}930|u+tGi{0z;EI$ zDp0?c7O;JTjr$Q&Y9X5(R9W}Bd^AiAYTqD(zQ=yU zjFGD@n@hzV{Z+pIqWr?&bosqs8dkUz%eb)I+eatMoG;PfB?ao}B3dcQyarlq; zp(cU3xGQZ$J0+)&dvk;8iyWzLi5z49D0@U&&#Vi@f?l1chgtY6&O?J}`_~Bz$(RmF zxyWi09~LyD77uVR?YRjwfr|Hm}1*3+f=9e21W2kCa^8ud`A9DURt*1&_U5#$9j2 zdQbayKH}8^tD8*sItID_tU(A10y(qR=9g&*4o1W44dykPAMuVqg}ABl0uK*aXz0J+ z^T0T)iCg16FWZJT3%)-$Y8^&AS66;ay&MR*Q82!LqB7#ri(_FNZ9S|u5DUeyaO3hg zOxmIb*{B>lZ)lA}k?qeY6SndJ+vbLbK3H(oQnC(`^z&TONvlFu%FYBpTZA{A0$yJH z=jw?oD6cb)mx+*dhD{xFM@YPo9 z$a&ZEGjN4%V&ZDYMh!SPnWKg(w=$|DA!^8n>JLM+0QDeQ?->d1z8ej^pB^PfFm)Vq zec~5Ki(q%R%oKy1@-5=DQv9$>1Z7^&3g&=QnA7J8(otq#9$^9`LMxlJ3Pf)|-ZM>4 z5X{cC&BHH(@dTLe#YPD_Ws@GfBT{%?<+LbhuUO9${PBzX*R%AG*US>mXV2;ZrQAU&o?;+PhKy%^2h_^-t^_!Amn0e&VImf6S8Kj2u^GRAbqOQlUJ8}(CG zsmD!rNN0j(GOxcn|Y?8(ZT!6y12Wd zQ4FSLOi^egvQN%z+g}nAk`rO@BSld zMibjGhr!I7h;>;~bK|xkF(pWQ94E29aiExedVvoFZ;W?g2qn6DfC443irE;;66d6c z_Yyiko786!rxW6ag@WA8H`F!9dBt+vxqwiC-fcws+aX~LY%{;koOpBm#L4GYtX>Xv zYod>4KQQnMoM4@b!+$*ICo+5K8P%i+Uf+osgAK}gM4yE>XZ)eF2HqqyO(J!ml=2Ov z%2Gpr-bvbb1lFYM7e)oZD?;T3rAEO+7mBnDeAZW#GIf3#jw(+65t(z!7T7Dt>w|5wZ*USy_vtNeAN04y|=r_muNX`$A#B`P!r&FxbY@9@zyItjNJGv22Qb8B~TJi9t{bd zwPOj`TRkfwmYjSK3opPY!0guD8-@de*UAP9?gg>YM`#$zD&o*f$`!JZa!W`U5f+xy z6fPb$J--)uIk6doRONf^#@PLVXaV%xlE`+PLr3K{SBJxDwBB_gAujaZUV9+55HI1O zx+a(Dr$AqsG~rIFB)sy3JY+=X5+Bm}+84I3rY=&(uM{j5eWd@g`>N&xee5j^D*p_l z5T7Rt7xCD0Ja-wdULch3!XY8F>A7mB)cFwDTq*HfV?Cs>H^#-#Vw+n?@H$5$@nskQ zxiLe4N45bm%T&*Gh9rer0k|joa&M`4aTuiTw2n#W3031?ye>RkscIeZImB6{H?OSf zLf+jm=Lrv&fgIK4VU!K{xk#&C-TCBFYt*mf(5{BM=od*}0MmyUM1mQ8axp>WD3r5Z za52|t^5qrGwYgDe}WSDr#n7!kOkl+2>2sC<%pUL@Tx4GB>Aa zSD5nmb)ND}+g$~}xsbO(vz$03Qj81G9CO2JMN%awGii;!0~?$uUFV@D-r}#gaj8z&@L~m$6N1HgVq9uh^O_tB+uO&l`Ve>tE zI7h%#y>yay!(yN&#xl*KsEb1JZ9XvW?UmYK?Vp+{)BH@DtIVP>DiW5KE}}YmFP6$w zqMi4kbb9^0wB(L~#^O6}qFu}Ck5!Q+mZfOk;Elch@>&umhN=uwsUHf}P}&-m;FbAG zkl4bie^;@0*khv`UuLlzTa48f)i+9g-=%ft5aE|N51h~Esg+lBXusA%W#qQKvh3E^ zmS;*EKlwS~dPe2Vj`LOcS}aojS_di^F-e9`!+3i0djc^Zk6C8%k63}y4oAj*DNE_> zbySTJm%&@#Owr8I>hzj?zIRd#4v6}NbT!53aCoo&|I9PwZE6OHM;ix%F9~^KYWSgIkaLID>aPVKvX*=^oU#XYy4B< zyhdf681#j_WzZVbFvKt0!nWJnR3M)}LL8Yi2+@#sI1$65J7sp4}gq)_dHu zpIvZ!|4}!@&CK`+CE}iUalCeA`-?_z9Z%Xfe5yD0_rs`}h+j zTpHz-eN<--nakum|7h2d__Y^B3OSZb>Z}t5Vx{cz8Txw${DDg6wt?KT5>6Cp?t-0n z=diE!ou{2Vs+>eETP?&XHlO63CGMWxBkGO)1Xw=HvR2l2>9IV`WDNf$#U4a5$rAn! zuN>o*o?H1NmiezuY%`gCH4FWXxZ=dU`UB0l3sqe)#^pjM$fn613R_t#H;Nc2AMR)v z3$mj~Qa9d`Oz@}?4B?fdRnZM0HG>s4;TNmF+f%-+%&IhsC()2?=le8qpnBA5#4KW( zBg^t_p>G2g&KBIj zL6Pve7!y=Dl>XC&ox6Eqg#l7}6fA?<-2Nm!-zVp?@+n(zgUQjbJ(=BMf|i) zK*s?sGSrZhGpuD%W2mt9tvhqyPX21&xJ53XbokKgZ?C)@=5|YppwoQeQ&~D#db&|s zgo_w`yRlRzs(duYp(v1Ki*5ddx$FI%a0;&+9+ylJ%|(H}QjI8)(qyKNiVK`MaK2en zlvacfE-%J39~z#IvFI3TceN!P;5zK{NOe(ek}chH*KjV~l}$_dFuAMdP-73Kf$m0u z2}IK5IovC0g&AY1^o1Ei57#DZUu_RCr>D&>x-Habj_-F*8uyK{HJ0jwkXq%(VoIqB zDeXSJKxKg`>m1&vZ!i7w)be9?mnRh4`d<5aq7|tz1SJ|g@4s+9Yb}qnB5z<*^(kJ6 za#_h-G#NeaFJhf>d-=SDs2GENYoXb|a>VSp$Q<4BQX-p&oVTd-7WiHSb(^1(TI-jO zO$(Iw`?2CuwAh4?^uE|R+^&106%J>-c1TFHytyX3@H#ilito>U>M$6Ubg>lf z3a&M$AFWijC!P=qVr0{0s=M*zqy$}Xpfqr=X+g{CK$}%JteKk~p zbbc|*_zSZ$k@~!d&GJ`})s57Tys9hg!qmc?lWUmZI!o@*BgYpFIy;g+a^`Q>T5sQE zNDK6hM;4v#a7bMIA{`AKT`aiv)`P`t>GbV3;|R@WC;~;gTGTvpPh-U(hH@LwK;GWJ zX%ML7BL$*oe4y_rmwKOYma^fSO)O9m0!f@x%RZ`HH6X~5HYXdyhnH9awU zZB}SvN4}vZd!J`K%*et%ziJcK`lA*DmrhYTDthZX2;WS%88$Sq5guy1CLl{$)%Zi{ zyuI9cQT))(oG}4@LX#H2_*}K1SvOl2ky@-HsdT4e(&Y?gtf<8Z#iPbduG#T zzqi0y{c=FGerBXs$Hie-jdiueO%=V8t-v$4R8eDaG5BC=Lg|Zr^|$h2r~GCurX_aQ z6*Or0xyp5fngHG7MSo(|?Vc4WcJakmk7L3TmR9QTzQJx3chPv(N!{ErC67L}o{Bf+ z8`x-9$x~hfBDIp1-Aa;H+%1TgYg%$Y?IWf2KMo9CoJ;#-tPK(Fy_7(HHhnskD%Xz13i^&iXNms zv|#NNx+Rih%yg#8oY)jZ0wr6EG$jK_lsJ1wDf@XGO=r&S$$XIu$N)>o#6kwyTdT?{ zbKE_n)jjK(VG}3L3crf!1C3f~<_l@`?}+|e74fsS5Q`_6Pwb&uNWH3Z0=`HLO?U6* zX+F?!e2E#0^u1~t23RTak2jO@Dt*LYiMK48*IJ8q^cv8SdSL(jO2ZYLzDUCU{0zLr zF^;BN)~+DkcG-ZRNfjx3412oEo`+tiWk)X+HIs~w-+OZAvUf&Q6N28*I8r`KI{OOUm_*58-mxBS>l=s#AO1zW+$NrsJXD zqnzd}pT}ns9#_1Gvfk8sW6?fTYG%u`sJC3I#Itkf9FyK&K!~$b#M}5o+CWNXVb$WR zn-S&B?}v&_Z%?I%T_}mIo3)JZroAy4k>{;FJdVJ#`;a&kib6V_a--G&AB;hKBIaWj z$nU2F@p5WutKS^tV=8zX0j{&0gjEQPkYakRPaExNd2rRehO(dXtNJ|Dvq(38XXQ#z zq+4*{(f2^zV7u)8z6BPTl9jlA@gqw%Wf+SUB)>Hk6__xio3>Nk5emzz=3(XQs$=1A z#&OKfXnt_dq;Pmf?2xL%35E6ip*lGWs^qmMpm`~xB6yLFLI(?z+H4qA?2gn%DV28| zJ|#=MXuGmCE!{ri_O#obIcPONe?_oX?Lfo^uP&S+aXYB0!zjfw$;E}!t(-P#4@Aa3 zK7t8LS9SLFlxs;k8xYeZD4&`I_72~f+8MUYw}x$z7#Ypv(FcnnW3cpWQW7n0R$|io zNOeVoV)hxt_x~(qe>;Sh1Y!+IJekV$Ka1X8y5l(fl|E#{Yz~L}J5HJd7An$0p-AwS z>faS(Gnf_@TBP$YfPX4!qcy5Cce8NkHP zZC6ZDw2;fUuu&AA^I7o?DoJhGUo65$+}%)2dxMBE{qrkPGQ+a4$Gmi1A5@a;NfaA7 zMt}8Dk6}{yiM2>(F>d<)R+g*8KE`~dTMR)0{fXCFzrrr565xYs-U~2EW8`~y%TA2u zqBk;DRknFm)C-W%IvqVJ%&K09UFjGK(%IG_dv*uzog8+-cqWbs?$4tBICd|aH{uVT zXtS7y&KrWngtx!;i-!jvqtgsikWb4mi~YBrAyELcBxlqYho}wSkabC{Nko_YV%?7> z_Ug|U_dlOXK(h&@j(!8c*IkZE;6dtK^YP=@Ve|+VkurwTbpYA>7-)A#H{aqP$4(_M zn-)NaEG9f)`ewm_fjFrmEnJS$B2;U!K$Gd7CsP*1)T$a!?C9+%O{MQ+;DF8EV$gcb zCI+!O4hNX*s?*tW`oZT^45)_*o<4ywEI_3zXUJn6KK%Lqe|wVu|-{N?0U4 zewLJpnwYdDUU2+wdrj<(Z@0mq+X{?H??bOxI{#z>{67MN9YsN=RXFJxlHB13)oB{@ zNZ*g|{{}fXIz62}WorVUqFIm}C|37ia$zkWeUNYwA6qQ(RXs$jAm7tY`ZZ8S*JKi_oKT~=beui)%l^(=lJ2pO zc#59D0_fSnLuseC15xMm2Q$~mbR9#!f*(gh<{2_m*dQ{2T-lcEa&&lrCtv(NQ1%$+ zuz>fQ{b`1f*NUW1L3f5#DYF%~L4$fBwL=G%I;~mE?;XU3@iSoc=g#U#c zD@A=w$G2)`pG1!y^}vdKCnevnKiyMW_;liWyv)CSy1vT=%@meVa85s20a>$;IXQ15 z{6Qnk%UZvlaq*_2H}l|U6ovKqAi|_GFyD0i{wU%KGcge;a^wIJXboCKE%X?OWyb` zT6wF{7Qi5t%VAb_13*PdFGP{_E6lIE@YA7ywQY*&D>IWj0OLA2++{F+fXdl&vKiwz z_B2BQ%*HoBuHrUMmE%`K;L3-KUb}Ybn78cjZ;Oi^`#8ami{8kZ=Ln7mpkQ3sJZg3B z5VWpONr!)HrnEgj#=u#{ck=Xk#jM;9r!Z9MfRc0ZJj&ocZS|+-Q>sm4^qg-%bgIjp zhdlmANgL|g(O1es?s82Ni!oDxZY9gKgCk^JKzcst7_8li1Of}Z`?F!Rq7 z^1u9)#H-kepB2d>y`}&0t$&5j{OK1A^BpIq8s6T_*!*99;D3dF{_(B7t7zaJ>gt?i zhUoqK-)7(b49NL4YC%WF-E!EETTp!*_v?QAAK&U9|Ni%D)8MKR#Z`H4Nk+ zMZ+M;+`@u+xCrDO$5;#B5lT!EXdEE|T^dK>sZam-@?U=2|M>--D>#XtJ6F)hjsc7n zRS$}O?JW7#ghK7|hO*||@wctkWB|A&M8?;k8t z6`STmKl30HF@*5P*N|$#6?|L>i6Om|e}(G~H{08S@RgWQ`T^nmNO?Xvzumn(EU}M& z`9LII#c|C2sCAbKIcCd`>!D>e1J9Dz`)nEoiPR-A^!<3=s%n}|+&nxa`v?1TqWO`` zN@xE#lYiwG8zx7t#t>FU<-a`izy3#WHzY-g=#ea7{`)ig^BeUaUu$NHsc2_rN)|VJ z^Dq9(e-A1PA!2iGxx`LBNC5I~rs?eMy$|DO1Cx#fYeDBFvwnRq4=^^{4p2RWaVQt? zAh-}=8co=gYUljOs$5t-q9qBUDF%*g(7_%>k*Mo*<(3UwkkpWde=Y?hDK048enx$e zn~a44#V6Lf{q=O1Al*I6x7=4ETb(YeDE-DvI^Vsk6LL*@f>6b$B8QD_{I( z>__2f&w?67itFyzjCM%{>yvax_K-<)ai;=?pY!@}rs&kbzs{9<(w^73>C_zhfYFUb_5CPbfXmQ2CCQB3q)MFXwPs3_?o=tdsb_EZ4SW!W z8`y6I@$`RNR}(6CGophF4JH#)6T>jv&d39LRP+^<9er4 z&kIqEisrXBbbKvl@vdGug9kB?n1$SdbFDT}bXlgdL5|fgNRD^t9bzAn=aLPR z{I4d!ow=GlNQA&7(oLp^VADivCXFl{gN?f#RzA^W7WAFnF$f0|6$AWxCFWO(ZgZcG;-#OSp)>*0v&1`>(clV-=Bc%3+ zLnUyp0#;S{b-V^Wumrs)3`H?FQZ636pPHA*PM$(c5+6jqeIh?**B)b;M;H~c;q13Nh#PNb!0!Ng>q z*t?{M6*|QIJ4s)lyO3Xhb@MG4l@PgDg(x*MWyBE*rAz>gt_Rvr(Y1ZU+fdxJ!7z03 z&Lu+#TOsA^uO1(P^z@Y3@~pZvC)6vB7Vb_9EeJ%h1<-r%VpvS(%>*z=3y&6dEs7km zZ=s&66u%8gCb{SO&7)3~GiVXICAnmysr-_91Hb)_zx<^qkw}jz*q=)L8_MFHO~?`?(#2{m35Lt+nE38&%#o!AD(o_1 z*CQb7U++WqUqaaEBtZgB$#D!o3v0x z?*XtHI~)H45tlbXx=BIZOT1w1%lRdE_XzOHsn7H38F%Kxo+_C%p5fyLHJnGuR7pJ; zq-pv!ZRe|k7sX~i#{sY` zh}^zB{p-J!SRxiuUmX{Ijg(iJ3>c800y93_^{J|-G4mtIK4G!}5|(=-a= zkxtm6N%{sVDI+<^t}Y%i6*&IQh6@2jpXkk1Ncj2>4U!r~c5WCTCSc|Y7;_-#=kYu> zZ&azmUZI~K7J=Kq9MHu99NeQ3OOMP69-olzHc0v-*s5v4fBoHfKV^Vgvr+#h1(FOt z*I^=hD-IxJ!N8vY_$(J}-xLF(nBKDp(XUU?#+aiPa{j&_AfTpYo@Uq}r2)PhL}*sQ zhD+Q(8F0qn$NJgwqU6mh z08BG7ZOA9q>lH;@`-=OuEThlx4%Q2=y(7X}`}Q|3f>`1K!Dq~8TMj65Ccr)Mu>&c1 zS`oskluQc@3QIx{4PUU4?m(osh9VNi4l*U7wR4(p&&{b`j=>?pNBBtW9{{0Wshm;t zP}ejL$2bzcAc&J#69uAL+_#h!1i#W2!#|HkGBBJwHi<=H<5prW$NA2A-w;qQsxZ^R z_{%L6oNu#OCai%N>@YET4lxr2NZguR> zuzUFvlflx=H6&BVg5*{-sCtT)UIp8+JE_DW+o`X5W&d6Xy@cav^{{4{4w~&!?op3PF zl!xYNeGJWGV`AE%-%_ zQ&RCW;`yq61S7h72ldu902V)H<^!p8#pD^aGY0_0@~)B_A1jEs9j+E0&L~#?1lTj($U~*QY-gSv!(523hjw^D zb5Sv^5*&heF0jeAe@_ldd@Lc9!o;Y>- z{5|MK0|&_u;7%7xx`uHgBC3@@$qZZv=Z;g-68X{(Gf&&WVM^C)gnAw8UAt4J?mmP=dmL;=yqg2Dq+O3&sVn-L}nT)$GbMl|F;s!MNGl+ zmnPlPNKn|kEtbJpA?Y(s*nhP4(#y)R>WTa04Orp}@~z#BZDAZg>-p`3!$MX@y5s~z z3+02@sVwEo2pEE}E`BBnSlf+){bL5^f%Xiz_#p-8#kt|M&vr0ere~04)hMV(G^1xh zzTleDJH>I9+yWm>n7p|nO2KeaE$HRr%&tP9q>cTC`It7bH3C}G`kZI-U(O3UnxztO zfXBhl$byV&5s=UXhAFCfa>hmKbwZ$!*9JQ%d$i(Art^*gsIuYK?@L2mYx;)%bh29d z-8^B0frk+~52Q94FCKP60f~RNPR~3oToyzM+mMke7zwvQq1z6N`k}(cRi?%uw`JY-{*^Q$^@bbPmC#40h?eVCIh*6++fXqH#Q`SJrN0Ev z`6B}^TcQ5Gd$$w=v@$-w4>AAJZ=85=?tMAQ!@a4SFOc-w>st@}Jp>v%$PP=3Uq|{- zpK2%0n=(j!Lc(M+{XtylM@HWzSu_A1QHZygZ-$odTG6PhLfL!i3BscnSF0G+AH?6c z2W)CCU}QL?*CoMifvFg#RVr!BU|%F}Q9E(4;?kb)xtY_;A^f+J`W}+h_XeU!p@emk z6=UE;l*W-1!g=L(FgKykK;92?6BvuhY+PL^2V~Ce3uKT7FF=BCw6YlZu#Z&q*&SL6 zp+c0*pzzJ$_8;%n*!5>7P}Uq`!ZcXZkxY; zo^gW@mI;E(fK>e~l>9GtY~mA4HE{{dvx#%f{i* zTvIY}82pXjA0=^&sjUC9!cW{fTUIOsx1#k7^9o2+W}9UZDh}xL1p4N~cJtJHKE;l@ zpaRa*#cA9FgW5|pO_5Ihnhd*p&1Bjl1g{A1TIskiwfsKE|2>WTI??~j7bNyWXImxK z3Yi98z%ap&&3vzAk`lNZDstovEZDyuH~%kSLMsi_O~ztZaFFlo#_$d1rO}W~#&c$W zHs~YSMnArNN!LPmodxMp9YC?HNvM}C8ZiM|vV+}^k^5zKaQ?Xj{V-4bFF)zOJa;oW zj5|f8^d7B9d#QK{13^7^z~-SH7(`}>=o6Rok_P)60zgtb4>oLA<^+ETWl%?%i@1Hy z)Ed8k8YUnbHkC7hha7*SwR59K#t8b<3n$@|(=d3$Z&E^u&{xj>!!WGPIt&UPyUk+I5SyBxIT3b+8!0DZ5x9MN0#dn>Gqn^pJSJNV#N2~# z77-6vro=|&Yh%D>Ni|>o1*p!QwAGm*gp?>?xam2*p?j!j<$mxPI*e;beT59ic6#0% z-bYkCQWjaiSjZX?`~Y%Rd$$aG{AdnRFBqxBX_3;^|Ij8r>&=AuBRCubi~Yac98MfN zA8~pLjGs>c-y7lU%^T@kL1j&?T{D3wm#mF)>)oP4&ep>7$LPk=>`j;$4%}VNly<J5WMX>TjctNytLkO#b>wU- z0zUx2$4D}V>}M&LsFh5jfarvfUP+jEh~2%IZtTFjA43)#(_!rwH9ig$?+7+3A|?57J}VGy!G%S*mu(Vyy_NsL1fsh2Ww#7 zu^H;qj6V6-j*H!lTNc4}a7=g*;W%W>-}<%-mQJroj6LA3VayRDoVi@@lB*N-{J#u? z>yMzb6jT4_4JF6?o@4`Qi>r{p@Xd9PHjoeFGMs`iJ$=azrX&$6Ht$0fc&6sXAEE-U zS6py?>ySn=;nwSJmdurh`=r9=69)i~tiU}`^?H**E7Lt90s zvh^GrbIBR{S?U{<)tTHl|A9nz(jaN+6`lmoAGL6%h&NorR$-VIN;M3NoQ4Durtlf4 zb?gM(NK)x)=|(31$k6A*BN$dlFO`-p!Ng3`D+#=NA7&quIG-=Dg1{eU&$6=`S6CbcR}9 z!@A!9t4;+6vn9eyZhiL$6eZ?~q2*G!$iYNw`14mehEaMs(bWtfFiw!J&*LF<8`@rzwF=`H!+SlqycHV~tIF?KwVrrzSa{wZX8^bf^Nl;`&I6;OB zQc@|2$DLLX!x#rp3?%JcNAd}RI(my<*t~rY2x%`?LJCaWCW;}5xQ+{kpPJw z3aIiXaPhL;HIRLIN8+mBPPqSkLU{t}R$a*wUHAo{igFFkppgsPv-VRLAKe4T>9qMD z-=U)t+ErY|EFaAN*?u{Op`CfOVa5`8J+r)bz7f414{SY606p43^v|~BV+`h*g|XgA zJ=DqV^z`(3!2tC7D!8w`(-|#xF3XLyOe!4ZfiBc3elSNiaoC|u+hbEX2oG589FX<{ zo2i*fxXWMiKJa?!nmMuP3F`QHnkLc4ZI6$ikWJe?MCjsx!I7du0Tdr&JgOMo+Rt%% zde}Sh4h_a$s!d6oK`ZRKa|r8LRb96)w_-AYB-%7bYYo>VZxhDLXPW_ce36ST^PQIhm3mQ&I|vukG7zj0Cd^Q2wV9QfU4gUR&s zTP<$sy*dlHEaj;peUI{0K5p_X27TA-L^w6?&fSiJ{WDsBq~{_ZyBNe#n{^04hcWjB zhBF1EH5XegOFnfLKZPAwzWD?5E7hU)BN>ONJ^k&Ryx0V5z(|sAk&kRS>TOXRbn{`V`n3Tk(L@R;dBA;k0A)t?NCGN za$oci9s*Lt>+idrSt&~!o`VA|ZGeL@NU^`@mKn?~4IJG6a@OnlU}i^!OR%ZGC--Sju|wQVY!ULfmKQE;jTH}>Feh-^bBCt9YN zcNN5EI->(cMxI>-#Tk0&n2<#Rp@9yHP?Qi?9LVS(s48zOj30VJcGBS(EU4 z=$n1os7@1Y$wI3Z!9J%VnoSuNeiRJphuhwWPUt|1(iNOT z!6nWG%mxP-VBN-GF^F2UnLf;;*64t#@f{8IjfjW7CSaN;X*2}%&&I^pD?iKcn$*fG zIt)?;ca2s+E|9oAzljqK+x>*cY4{Qb(UL|1#97^e{Y(%9-IFzvwk&FcgN7@Bo6`Kr z-tKlil3Ci*UO|T*%`o2_+NtFQ=*_YqjKlsjr&3Rx~-EtgCEDkMEDVla3Waqu) z=}!d$&+jQ0C0Z}yl8G*7j-a&p_}sEwl8Ik9$M*AB``^{&d3om;QeX#Rt~Bl=Gy`NpHD8%a zb>onu?!hQwSlHv#z}>tb(&mVE(2E4|QDLVJTM&Dhg{8BX{dG1POlaTFr6$3vwm5HF z9C8!hl&q)?C3U&&Wr!YR4FMzd#kjK8+5Pp%y1+bZ{$>`1v5c6Pp8&eNV<5oV;`9a} zJIM`2E5~^7AIyGz^PO8BqJDbCpq3xiFQJ9kENQ9J$Hl9(t2XW$)b9s7SMtf0)%krC ziXNIB)`gY8)P?D=Q6S457PWwsMJOL^qd~L08fsfN})`X-VvODf_udyR1EV0^pQH1!n`B`Tcm)dXQ^`h9vjQEQA&Y{`J< z+C$2WI&?uL?w4&|5cho#mdOyVSgo40JFsZmfojAWAsWmN>1=3RQ(km2wAY<GGxt0mS$c&+e zFB)q8wuJU{-3fv@e0@e~UbVLtoRkC<|vllx1iqA!RwjgE5lQ4HT@2`EuH zG9KH5Q1pk|(z%iL9Gs&-u^G}`;$yANFsz%czVf{1+kcI~t(WiVGygXIPi(-^FesxJ z!lCurN_%MWB9}mgkRkXD#kIzs+BO^9j{zGvUML#P(6PJxS2Ap?QHeq73_1K=_eGuE zJPpPlX#087v)tK~lk{%)1Ur@=z{|Y&?!EKjEMMJPHzJ%g6k`4U&EaX?EW|4p0X6zzZfMHqJy^tH%aCvcxsX_Ay`fAM?m`gCUSrH#Z!;0e?>_q=KpjY3?i zW?gu-`jn4l!x-*6K27fs9V?wJwM>RQlXfo#xtQLi-72R@-6>-xqwtIe;mXW!s=ugd zyk%kU5T2W*E-R$k1{I7clW6n&W(aR4;l#qE6zV9Sdky^YeUg0a1LLH-Xp%7hX6vAQ z&E=N|D8rbM{bXmBVt=dAtWUVIAq;>I99FskovaYM;AXMVD;16PK@puN;g zj<~-mLF4YLAQInJ5y^#^L0v7pb;g+_CzLi>&iufAKTQ!)zR^5h;_7`c73WeQG$zQ z zHXBhGa3-OSvZa)a(z4X1pDTb;^kd$ZmiKV7llsG`ab{&Qxs>`6Q|z47xisYo?2R%8 z_lNcY0&fp3N$v+ogb#3*98YPW;r2_*7b(!znu2_lFjjHhvpq<;J$-djv z*W?wAgvx5^ph`>+lvV?@bj&1As__q68ubeeb5yDZY<8PdNpV$Wh(Apmb-QS#;4by? z>KfiadfK`y9{ZMj8#ABVrrI8N^D_r)ty<9ZFbh@XkX@kA&Q*FEnK6D=1FQHQd+y5- z1(jNnzG5b-eAK#JT+Q}K=4g$i#%(B$Y=o9RP<`MD-g_}F!9Aejuu_1#rbms!&<<6d zT-%?lLf2`TYSHb!mcv;*e2d2(COZ{z#XTmgS;(g#?%Rk`|M{WrRSkp6iht>|{%8Qq zWHG3hUz|Sudml`De7QGMw;;D({zFATVtjMSR5E%`Bf)pLozdE*l>_C>=InA4xAAr` z)mPUhp?hu#Po_^q^D2V>vg?no?aN6Je>suoS<%C(ogYAPM`L-xI!+ zex@0h&$Kzq`0gHLqjMEpziNE643dv|96YS9Md|6*@3n z1Dojp8sm%qG(?zU`urQMT#fd^U}52P4?l(j|14jIavXMCp(#LMeCyu^!C+rmf8E(99 zLt{B@2nk9}*GbjLWtE4}u&2dg;7*jzThk=57>GY3)bvCd>l0=vLCGb%G{!Eo(r@o~ zwXmVx-BfDH?osb1&fpHnT$+SNmJ6EpsE}6%j8+A}YDlB+y4z{q0{USvgf^LZLn|8+ev>r+rD5m+-sYfn(F2b!O#Nr9^_?)9Xpcr;UU4@dslLC6Y~rC z8h(^OI}dL)wLG*?XQQ6V1Ls`youF29#T;>k1F+f(5;Pvx{ZNIGwgWM?_|eT}z;9sn zho}-d;RmfQ@RW;9O~S?9pDt4s|~X%;MfBMTn?p>psk^Ti`p4iGLBL}tQ>5p zYi-SZ<-RivNAY>-M@TWWRAuP0xf|);&jsqs(f+0U>cgd+)BG#}6dk(j3rOiUb25q% z4sRkD0!Ju^*S_`~`Oo4Mh#rKfxABa!9045EF{x=Sn%FZ|AIPQdo^$UgxMjyYC`5{` zalc;rt9r|0PZcTSTeE#+?|B;5n$~IFrXns?SGj`}r-Dl#7r&h7p!)GmO9QOTd~I~D%{1?u1+0u!B8gsG01#~4OJ_vfjy0_90 zG-Dej8FT7)tC&ji=ZyrmB)P$%DLDlH7VxxMyGzcHV*_%GI__&3*_B22c%)k9?(Bgj zh+te_$+7j}tw^WjxM^3o;0Vb5PIXtEgNkh|(KM2omHhIaEvv-NlPKY$R_Em4bpA}! zSa3f_LP z+RY0Lb!ICc_`cGq4t!w{^AxBcU|+fldFuDLpRbx%@W75+c56qhETAqosO-F*mWj`4 zBvGBq)wj@{onYD=O7sNA{7<^L;It}}{l%e!H|O$b#?T7V6HGZa4^imq`~mn(4XXW2 ze_0Flcn87qNXubKSB)*rg=5P9E{mt>GkNadrYqRrD`?3ckAHxpmy-~d+m*@9W_d#u z_d_qhg^mEy@nqf1Nq-U$HzjXl3LHZnZOyM!#%opLU2O{)qJ=xF@NqbgD(9q@GmO=W zExVyaq^m{;wNxBT_+!k{@H>)8D93l)va|69QIQorWn4@9+Dp7D4=Z~e#MQ=2b_b48 z^R6AkaIUp{BM$K;^6vtBV-Zne1INgXu=iuF(U_sOju^-P!1F*uipZyl-}R-|V`!Cp zAzh2J#C+K}ik~N~wQ%h<@i;2HjmayfkqVe8+r5r)PD=BN}*Arit z=8w9eX`$ohFV2W0i^`hGe4NHxvGZme$0wlYRw==)@6+0I!S|Tk4E^>iId)&EtAT^l zzB9R{jb8xH^zvtiqr!yd1uYO0$XZPh%N#fl|AITC=P^F7 zM${ZSJ&Y2z>8r;T8cTPV@Jywlt)yHLZ#H?R-r`i&Y**cbY7EaDiQo2=20-US75W>{0yrv}!BAETv+_3e;C+4%|$!EAzBWc5`CII7ND%s+oi5 zFyUH#8s~;z!Zm#oUovV^6=i;4Z5+#cXex62B@HU=^W59TYt*jfekEzJa+*xvxf$Am zk<+TtJSW9f@y=Obvf*I4lxI&av7Ep{b`@8xoXM$Lfw#kaqj(sAqy(m_efms}t7zTT zAq_)6_|+u?0*|x<6q%YDTkiWrZpv|STOe%_aog-JE*<1{LIZae9|+m8mZ5)}cN)TMTTESz=MAnM!bZ5^3&LPDGVGYn@2k5vCc+ zwm&I(gtHvUY13%V;ru#gBF8w+qFOz7?vQt-nGG48$5j-I?iV8CsuN6(u2D7F&G&Yt zOwV|IvW-wSDmXno=<Ep2{Aw?V-bc4C>+$WZWkdpUuu+%q`ViCd9f~%)Xp7JAK@WYT&Mg)lIT(O#^ z3pRQiV;N45R|?SKO;34FY#(4`-ZPkhnnRNt`jh)Ez;Mx^ zajLsH7SMQ5PDWugR{n{ z+^Gq;ZTvgHDm;4U=?IM74C}|iKqa_Vj8J#B>giBGveHY7sQ|kw?yf^&{OULAI@l>- z+kIaYdtP*(O{5M#Lxw(`>Rc*E1g%OI?mJBw<)*05reU3kGnZ$$dk${REwgJvtt~N819VuAq@vHfXDJ=KzfAO#bEyfd(7+uCcPI|n?r~rZgXy4^_%JU4vPD3lr302&|3236IG}?&H8|a!%)@N z3Hgje8C1Sx`5aJnN!(9lA1};%;B21^Z0T$kr##5^`V1+jX0~s+%CLuyO!ncE-SYsM zsRL=7W6({XCQrF zz8YVwc`qLzC9Uc7p@NS~@QAj2wg10o*}#$;zY&ZLDG2@g{;Nl{9{ zzfx!VxPsk9q�dn=GrGPFAx?mik#-*;!-FE=S=#Df(F?w;O)vYUi?Eb;cmfeCNu1 zNV<}0k?+egrArPS04bbCGmM4Y!9S(|Ax8=Pg)taf$tRYIli2gD3|(`aQ95b4G7RS$ zPwt(fvtV<%VQX&<6Yi*NRVlFy4NdLb%8JhCdVcOc^}C6yO+##_105Y`Ne^+nyM^)+JG*>GDB^~~+Lq`@dkK!cQcl(20+6%Ght(eLOZG4eb5Gu%- zm*j&EzqosXP{j~3; z@i@N@9MYy#XBEExqQ&pAXD$!NNkEj3Cv+s)p}1Q}8%d8yScLLFl8%cb{MvNK`04 z>k&-*j0sbd{3LCPWiH^t7I0#hL<|6UK6is9q1{&~aP@h&LYFy!%k0M3&eD}5NpQd} zaaMol?kX!aE^WT^slfAwStt+RJxjmHc7IYEA~<0gpRB)feUv~COJY=CM$GA<|J!buLip|^@k`BvdJ zJb6!x3#ABqCcC_L*^RIemE3B-2x^r!BGk&dn1M{Ju^x>K-o@Hh z2rR^iDl9$K>|{?k{e3OXN`EsHbe)SAIy>mfFV=M4LGoMH07bX!f#C7?daS)A5D7Zf zh)oWEWFPvCf@yXhPVfcwH3t%}3V27Q&D$Wqo8{Fd5SkElUfp-Sc{+ckSy*7+e5~ss ze8MrbiQJ{ruHNDqC5VMlR{@j}{yoqV7ub_xLd}+=?DFTs$blC_IEu!5z{PpoNu6~9 z@CT>LEf+t~dAKz$#+?FhqMhR+vUvHr9WgbX0|){W$SXjiC+M44?motpd3)CFZN93(;sLhFUJ`GcF6AFk(4cg z%hd^F(*Y#hrzP8)`A{-xNA^MLm3fa=V;AF)+xq!>sRdmGnEI*t?0xwMBdf{qN4>m{ z9;vl3fBbf8ZM+uBefq8X0YQjHPB}GFO3RW!J2=3S6J;AzMcT!9+50~>EU3L6eI;Ew zx+LRv?{Dlr`h*vPWaXk;t@QYx+gkZUOkGslgO&~gUM}jrck*o|a3;)sAT>SMdoF2w11yasAdFhvl{T=KDUx zLiHOS_W-x&%`fSek&nV3gd}9%a>gz$gHZ+?0(lBNV`L}A4wPo!>w*~4=ndnALwybI zJph3PdG}bcUyT?o;kj69rVG!+S5m5shZjjDt7}T^J!Shuv7=sSA3AQ|;{@MTfb6gD zvpdgQu*wPW=6V+RTjz7QVDptVt(|J!xw7JKWLtAl%c%2L^LYZLt9^}YANwbz8Hk~V zvwd;eBs13K3cd_N`Ik@K@Y~bPrg64Lb;B(mIZMHcn3-%Gj#tBKzFijD_lap( zdqReN@jlRLBfKrSMfJ2sF(=F@xemn#*9+XKQBfAUdvDNdS%&A84UV-iG+&4XsR5q~ z6Rn!9p^2fC7BFH6vjpNpr=hsf`zb>T3j(&&K!)L}xSAuH349w6`U`J_s|8M)x1xWs zVW2jsgd`Qgne#Dr#XjHY6PJ19XYwpTNXJ)Ryb6JgS_!sx&XkwFq-sn@rPVtu1=-Mv z(;;9=nz_)I@V>!~z0bh*mLOhtp&KdxI{E zw1B;B!$zsrP=-czR6Ji%tHja$uT4?6P!+>(>*D+7$16YlIK4pxjen}td_Ic4chEM! zvigJL<iQ!IoZerpG+`AB08Hin#x~WAd>~8zWNyuZtSQPJ;7j4ocER=O zSKcSRtRL?zVV^9spP4r6Dd;tcdlTyWK#JHiy*mt%|04Y2b_tVt{M#FW&db4}f}g?0 zi?0>)#;r`+)4{ndbgQ7jHrwv5Ppd|3riQoT@RT?yL!%YI$T1WZPIXx7SmeF2ZSE9H&L`)R}*_Uj^1MVnT8-dqJFsi4( z_vK7du5<_a6p5sR<6wL}Q@URmAePba4l^Q#)@#mACAyh!_x9c&)1oYc*^luE@$XQL zp?Os7y4QBxzQOkp3I|hTD}y<)07H(#G&S~S`ALd=PKqE9_mr$i8*1aGWaI`h0Q4vZ zgnqWnA{K8LOpgf-8z*;st7>Fd70*F+0Fk@(klH1BQ$+7>^Hj37lAB6lduB$FANjR& z!a!&7k+Xd8RRWr#%{MQ7=|1}kV3LU>dR|nI_Wi5fjg|xT5$@%4Srrp>Q`Pf6}-8P;2)O#sx z;3=kY7IFWW0-S@SQN|Qu%371=V;Vr?dNs&C*__~uj#xU>rd|QSr(*R;kIoRJl7P{r zVPJHZ%un)mp1UTOZ!8VuyC8UZxcISXk<}3Atfz%|I$tRC!c-GMN?m`Q-__zGWVv_Q zYgrAS?{PU_%mocb#$6@_wu8o&+&3H~Equukp-oUflPo4>T9FZW1*^)e%h&H681SR8 zN)}&Loc6Q~xHZ3eAoO3o65q2x6m%9Hv5_ClKByG0lDTgh=!pEa`Xu%(n! zrraBQkL$Y;;5ner_ceg8QSuITSQ>^QRF3lV!<0MT`#mg7Nxr9|SOIxuhc602qIcX6 zLd;#UOXTLO@e1W4=jDLh3qzV=va9ew9xG$)4C=B3<1|bIpIw{si7KCq z<@}RXJ&JG1_wrIQZtvxeCQ3OB$xSFZK0gXt%K?-KK}NM8WkVF3>|V9=K^~!qM$FaS zB|K1mjasYbwSPP09GXx&bf>tTa>t0?6~9=T51lpUrdoj>6#XRPG!#|>(bvX8z|dBU zjCf#Tb_&FDu>hWC+8D%u#q)t9z2hj5yKuoX1yt&=UD!Khh%TxaB}IMof0z7i+>UPh zJujz&lvyXIn{!Nf6wkP$`R;F{TG#(pti>ApyM*eIT?Ju{9TuleUG%bw&1p)Jrt3PDj8st_Ey*xQ6?8Ng5;-M-oBOSWxyobG)U*t&Y)I>No|uUH5fu zm73`74Zy|7iA zW)r(IMN85+q3LH1_;SQaqIt4+bt3kBA8^T9**;kd;1Wr3|Xm4UrIeU*!-x z3f8yTg!`W)QP8@0cAk9n`HUIqkM$l9;mhlY%rm~7TtPS7l1`^#9hHB15vZvHV@?6n zWNYj>q`BTWz9;jR#x<>vLC3&|rk#2v)ivc8y|N0B-bbrq0wt!5ef>;vNDkZ~uaP=2uVDIFVDlCB4=FjQM+4~6w4(~@%04i<%dQt2TM zpRfpH!L8;zr1u^%&x)(u^P*WMnOALd=e%FsJBF@La5iplRX6GZj6?HIAa|Ge`j}ES zT(RW|-%xY6wj>0sS_CWiMGv2R5PAIKcd(RnF2uiAivS-*s@>7Sc!7JQ#JMsHc3qZ0KFB)f{d+(S1 z-BH_s3Doqj&2dVi=DEi74GF3n{}`8HZjrfT`{<7W9wcsrBMNR*q0b->DO-jf$O8zW zPa&=+QdUwan(+?!46uYA*FCJajERyvyFTL@pHO!`1O^~B>P)9LW}4j@ zdgUJSFT8(M$&H%(43D`nM5p3y;GyAoENR+DRi)7zwrn&Yf(>lY;~9b zI@L~5H|@EdBCp=!Px4-yc++4`nd5l&vF01 zml;wo@W@7%qB3+Lc$rc7&hb7f=@Wonl+`*@-ivF-MaD@`mUw}K0$mQxF_IkDDCHFp z#}Qn)Xi11+j-Y*i3y0n~W3@LUm{3LPi(NzD&9_e-n7?KxF#%4XH=XF+A|Z(7jW`sh zpV}OJI6~acIZ|#5l;F-)&quesz7O7yh6H;e)j+lW2+}qT1Ig&sI*Zk}nR)i0o{3St zzBBr5?S+<_2*c}pPd9+v8&;XI^5)}cNrKGYIB-rdqku0^rHzwYT3fgks1;lDrWk;Y ztB0HR8N!ucf=OA_F%1^_aOuoENXXp$yCvyGE%(mOqfgcN)`v%2zP;bVfH@9v(k0a} z$oZmGQcW%1E?^vVS{W629bFU$TG%&0Ay0&>b4a) zGXO{Rk2rN9zv6A>?AX%xlM3PvU<6qhSgo&NZ%N|~s!+B>JnED_A3Jq&J7DhMdfa>m zQ=Sp`;BBTO@QWXqzwFrLJD80K#lH>0k}?O_#jQ9lhfxUd8W7v)e1L?jN)@clZk*HW zpsI~M6ofe}0+|-!>S12>%!Cn%c$;T{vLwuW#@MpU+-+oNWO*4_hHsV#$&>8}RRshM z*}#Qpd_4C&!`$m$ZC>M|YEhQU;U-}!Q43m5+2?H$$-f~sT zOX*Qhys(t@8Xq--yf4n3sBCHK*%UVsI`PJ>VQ>@%@mrX;(D)p^a)RV>x;CVtX+Bd; z5)iPZu+sHkg^6aYkZgceJ>D7eaiM?p;z&fPWv54pvXivKs-y=7qdYP+u)_WYkl1Eu zCv-I`Ix8qefa-WWwW2?Z!E)i1LD|eRk}OD{GLhknPh*$WckezhkhquR`(!#iE#<~* z!NIw42CkM5FQb7wIBjASYD9fikb2G^c;BRdGz6$#7{0L9MpdknKN-uiWOolc0n& z>f3(~LZHOxj04LflQ_csM9J(Ip`2GJwMa{KiXs1M4VtQZ#KAdU*tDD_tL7|5$93d| z$7Nte{0Imzs z))0`hO5Z*L-NDF^v@3wZV6lo(M+$wz*zw%;qmzNG;&_w>O!1S56j~*^CpqE%Hfv$E z`7baD>UtHi6??e|@2yxn<_>q>2>i~S_V``q_ep6^bx&Ol4H1V{n8i$3*Ef6Z{$G>M z-}6z80~OXtTPCOc!)-<-ngB$OPMQlDZ;Lg+7@VsFDtwM-oq^8VU7xT}4fCbnoZ-+^H*nI@v6=fbX<1ll#;7_8K3s8$ z=(}Iu7$Qg_6c<_CkM7qo5Yt6LB{mC+Mmv?`PAy!j*t<4%0il~Q@nEOIxdRM)=x z!li40sGfBoJ6bGfT7C0o51TIWO&sc?1+Z$%ZvU=@<-7N;wS)SOD)KN&JM5x0O}iu5 za`xFj`6$=I-R!OeF8KSwGP=ik0hnE}J$Me(Q6@U45&28Z^(8 zk{0ktix~9fMuSLQ6L)|9U64%cK0F<6wWvZ)M zlal2kFb7NeV;5jZ7fXk5O&xa1o8^_~`--6re=j$IHs03JUZ`faL=>$?Y;^uRFCgmLDQa^lU=+y?NiJOjVMvszNxfB~85lHcQ*i+3s4 zpl(l*SMqLn&a4)LyxUw;4__@LW0nREFr}ny9ZEI|vlcZmTa5je$U{4;6q_eM4n}Qu zQbLgjL)!|4Lcd<);$n0v(wi_X;`a9XFC4BH!c{jGG*}5ze$%8Xcwej=U)mO_>c6^m zXxZp(iBHjddNy2v=Q`SYV1L|It{df;VDswR#%-#{^w`9$>Si@gUA3edZDyMiw34!eR!CzX18Yn=Sc znqBaM#bHyS$H!kugbbS$x)i5UiE{0Omp2!4W%&eNHijDxP--NcD7;;#6HMFGEqrOD zQWvNfmc}(Xjf;QN^e({;wJ~by%R7v1mAv+c!WNIn%tQ=eI!a1OO=}8p`?m za5SqwcTMBO#o%S$B*a4ZSKvdgle^oXixTcP*E?kM+NK~0C5JLjFe_+>@P6xlKdcD1 z0%xiUaymAkN70gx>PfH;$yL0Tq;e+&N2f>Hc8B=JRv|x$(iMirY~DsYu%_QOt#~NV zvuCxVMLFx@%>LP+aw2Vh$*^oOGa;xr;^7If5Rf$!>It@Cg9KsHip1==01R&H3u4OW z9=vh4m4oeJH!Gl|^GmH3Tim#coXg5y80oB1MlB56%#ADg!#RpUJszzThA>1v3jp*o zYE}0DR_p$!nF({17Pe~xP4w5D_4%?wqt#=sKi4#Wv!y41TNN8#^n?>SrVNN(VAJ>X z=V*1@;n79i88=I?VMR_L!M>)eU6HN!zTi=$S)@b=v-4-FfJn8*Js%>sJfhST(LxbX zdtKz>P~|tyjDa3J50&2hFk_-cdE?pOaF1E)>uojm<4|@$hNt|Tj9`!$B7mqdHOWPz zVqQ?bbikBveOPT&{Y-5G$ik{sx2rX{##@K%$2ktG3EP66mB?+Bj#wa7R-W-AXbxO@ zAZv?^S-m~XP}H{y9%bwAS|@9RR=~ZPiE~t(D_YzLJ-tx;_M05vDu+$)K+WT@3X$L| zcqa)O!S{~51|01u8|G~%^@+$$9w35&xt&5ADz(si#|!1P-hr1bIGKChYRmP&wBkDR z=KhSQ+_vq-nG8#TbLTH!xp7DM#V`MO@t*O$&tugFe(0Ye*eXo0h9C>07lofa1q*@U zLk3t3o-@a6qZ6wKUNjX_72o8K@W4>ke$!xdkT1DbDKT;KN zl-sT1jhf%MK)Ek$zGq+cQTyhjwH!5r${p0lB)R3>D12nqvh1t|@Sr&8H5mxv$%tYx z$?W5+Xfy~zkwh<7@fxZ`a@{U{IYnd`@j6OPE2ktgiK0!K^w>0$cT+Uv5#HR(E5IU4 z3Tz{8)))=8WdP=iU;x-`(Kb_)9Y}axJ2yq+_5H!dtu-K?$%i2m!Z(%KIC5Qeb%dh& zKx~uTfMQeXm@*5VoCyW8tCm}Tpml8ExI`J&SxP)x)O%-MU~hfERHZg|qPUsT+oQmF zsLye<98t52E{NLfmZSFRy`&qP6ZRZ$a;ljL57t<=?lI4oQKjC;fND3n+p%QE4x~1g zz#Q{cFK~*|T2`$rljZ2e%p=@`f}4`UOs9ZqGIDIcWJb%99eEHIozqH<6xvCbRZ{3G0O!| zjvpszu<5_z5Fj7Bym7!MF(gsp1_jD%!9q_*kx zWR|0_lKx|y{`TTp){9HO*1JuRbAs_Ya?5pWhC+RhdJY(N3fhD}wx$updOPvmpDS{g zgg~GZ(0_W1EE0QL>)M0$wo~hLq<|2ad^sh*B=rGa)Os)#ygLYobk$eAYDqQ2Oz|LH zYY|0~Rr2Xx$CHd*i)WvV!gw;5-Ou{71f!~t#@C~JLn*s~7SwN~XrZN=_wY%`TDQ4h z{M)y0RaSZ6snjUCi2!rQ*u-Js5rSEC1Y945HX2TgpP^H<`3Y0+N@W>fs*0QWP7TT@kObmsTw@k< z!y9?Ly85UFz15zI@omIGyJ>W4^}6ReX+rqT*i9Twws(&ypz6k>Xtx~5I%2+U#nB0F zyv`Zfp9x{_{H)G(9O54~Fj0?O5A-LMo2nzM*>7AFSa*|WxUA?!zOErn>SzxoNFhm8 zQ?;sD*6x#7sWQnB4yk8dF3;om>{fsX&}*;R2(@LVA&u%AWw|VFTgtYnC*->zb_UjU zv-l{pZql?Bf_iEF!`|tYbQwa@-FZH;^>KTk$eLAb7DQf;ZdNnKQzXWWeC3BFy`ES0 z2nfRI>baB7eM>gv#m&%7K9q!RmDhBIUg7z#K#X;)f~wSPUv`YOQPCq?FT3q>F$i{) zC_&8GW$MHcRz{IaZ9i*I>Zw+v|0t+$^;x}IwH{f`l0>%snR?qV1)i&x${}zLJ&iIu zgXXT+;hrl-8NWU-r0hfa)B}fA#Z=2I@qM!!gPjYHGkmYILxYrR*e5>m*R@ys$K=_; z=^gEAq^4?I!AEE!#7>@R2Iy#)mzh~%;JP14{ODSH2Etx6-Lh~<)%K<~b8tz$`A^I0 zkKx*Mk;9HC?STmNkI;*`RhF=>Lf}MDTP7e3(^6a%Vib5Xm*;gwF)p8|`nw-%I~UqS~Oy~2TdM}iq92P4o&l)fD_I~wFBy8uo(-TFC|H#g15CX?UhPp4K1g- zl%5?VpE0b`CJG(2$cJegaCzDB023u86$Em(U03EoJ`%Lj^UCNOowV{k7ef#ktLLIL znj&>8a3jq|ry@x$JLfde0pw*nCc&`JX4*!D;!ra2CjOurPov?@uWLIP(|zZb@BvN5@>oTqhDHaaIC7b)@6jSe3OZM zof{Q0xt+;1P-RN!z-4V+4SZ2DE$Rnc*F1nFUH+&b{HEt{o1R)}<-kjk`%KrLPiQAa z*r0-8n~gzhZ`S~@CbV|NvgZLq{u%wyo^)Uj_8Q;@U{)F&iVi(lS`F{FwKuPudjT;y7yrtBHEGwJg;K|#sy2i>;&I$jpk*QmJlx|cU?EzhX^YG@3xkslx49^l(I=n`>7QR$ zN!rp|KnVXcY2X&6~ba^iUa+}M$x-b`UH#yEOzGhueP zUf!aUYHqhVVCX z^qCjjD@P+1Q{TC4M-xX)2UE#7Pq@ubr`l)DG@mW()F@`}l8n-K8nYY~oE;Y6M>pQQ zJpr_YgJh|S%|H%18+mpEPv8jVcR=LN$7nwnuAKqxEcvL{L%LHS6dq!1d4d&A zL{6RGY*uoE+W861;FXPQfjEEXof^(te?gX)S6$mOKOnY`v?)mGlVqmi91KLSjWg25vq*Y?3sNKSOn8Nia64ZMzPCvupJXJO zL=^`g1umlxZAJj|*)nP{^{%Lj;cKZzx4;7vH;QeSkIMo=ZF5}cC7nDlx4~?&s~6g{7}OOAH5aF_(GOh<$td@X z$7U!GK8srn$yMr8PgJ^XSv*U~UWnqFSSj&&UOlPj(d1H{ZRg#}kkwy(RUCJ{keTEP zl+m1_3%f99SYA?6)XWZ9Qsz*Jj1_N;3#@f4ytvbPYojv6oePmP@O=_UhX=%rwtDW| zoxpCqF}Xz&ioxshGrLDV&x5-m6Xqh0-cYNqJ|x~70>0W~-}&?#P|n5*<6gY&1)!Eh z!$jRQ?}V9y+=M*O%YjleikCuRkDzqTAjHay`}b*on`p(YN)Mo`mF@YQL6qvF!O;-% zT$TeK;!n_1##cQ9SgJKSX9_p zgycq8V2{?cek5KR-4>B7YxQOEVY*hLjlE|2_1kSP-Qw*jpTrqs{H#9?XL4*xs=Nq0 zq8^($A-yhGHql)#>P;PTDPco~-haB{fj-6cTB!8* z__#|94gvp_fL-TzM8Od!cHHqNuH76}7J|WB znvL~^j=XW78BhCHS&=Ke@v89kdvQu*pQYJs8yD5)^CKmm(H^nEIW|>gkP(Y3;ww@? zX=tN%xYqrQxRY4+_>%`Jgr#M7mf1d*$j(wD=@mnIpC9^MrZ79wC~7@r=?jX|oXf%- zI~qoCZkm;aLowJHj>VLRq)kls+Zk13KDID25va#x7WdFf*$2CI!cECT9Tauc5^b9K zkY$sOM}}H6vZhhrr4GX4^d^v1&bXr{&0`k2I>8CB{9S>h@I%iR@%C*WVQZQyF zh355h$gk#SSHCLuPhsKeV5EuJym8RNcw90@tM;gYDt+P6WT2VVmrTB-^*n6td+BW846(bK2JunF0|)w!U& z=fl3b)2FSlY)dA0MH40pTaWN1nAx^Kc3HAXpXMvy%!=@b20PVWpRVe4Z)&7j-Rc^j zKAk2imRgbBQ`WTy9s@BSyZTy5bXC)wIrLc)zAZMH4hE*JmK61rN*y4*&RR&0q6Wo} z4L_5V#SEHK-@dIrlu25pymhSBC0SjmrMI^2*30m9DeCk^9 zkhgk#-lh|4E2&ss-dkbiqm5RoM#p$r)6mTL%w$e0i;tS)oAi?*E&?T5l+W_yTHVI) zGd-h@jozeO8^_V4qmn(_RjQhFNL$)U>2r}OJ*B6xke=NzgeUns2Z>z3rH9+$m*p?qWWHQ4Az!5 zpKB4QmwSl1JiVZ~4n(;|D3D(2H5zB@*zp86zwzz0yGcakz>8(jEN&Ly0iQ4vB55&Q zCTUnIc)^J3)cM&J@vlp{*d5~QnVOBYBj^WjFJ|Tveo=D^o#+dy@+X)viTb{D9K1|t z1ZP|uXyML>RSh}lYd>;38D+wKIcl#N-jry%AkzIrQZ9iLFP)iI~`xrJvn`*L9p#FJ4Zp5ASEuZtu@q}2J>dye29;hm?<$>Np=#A#crfV1ml ze^;pf)-)zaah$|&nx|z*{CJ_o&0dtNE!$0S+LnY3N5aWC)x)#6E63wknW0T5_T|_2 z!{5S+F3Df#ngkw4B=^^M>*!e6E2maKHVM9ZdV?sh4om@>ypeBIJbQm@Wh|5 z0L7|dd?xlk17}ddI)iQY^#S6|4m2JW@B(q_HjLocoG9w=gcDAO&u`Ql4qnwc1m)=j z$02Z2+3&^dPnE?`ZK6S=X=wGXe<0%Xn}Na(V$;O8MF?awY8DNAJq8(11(J1xC?ytl2=NEy7*$Vm2`1mOlu3j|gMf zgQ%7V9*SjzZq$LyAWfu#atPs~Sbc!=<7?}XW6V$(-Ev{Bnn8_*2%UVEY9oSQ&I8t1 zTNX3j+z4C5pJ{T`;{j&4Hj=>M+R(|#x*DE8UDkYcfP3IzdRNnSm4R{fSyjPpLarpi z&Ck?*AZjt1MAg{3M3M6>bh@NCZ+K@6>5h(HSMzr}McU_XxmE5TPZQR}PHWlDi??Ne zC5`G$y|oRx3K}vdV~eg$r8qMvTeP*k?f{ZkKZI|>ap#0h?-;hMJs%QM&)SWv8Z&_h4jXW<_qJH})RZv-Ei*ZF9ec4> zn5LwCRWo~b&koTjhx=L+20Hhz9iV~4vN2aF(A04!X~M>hfkf0;KxSwyK`9j!6fju* zXZi%k!{cm3@)A$MN-k=6iL<+vP5uF5W1xu)a0-@ha)m4H4Kt1}*$-Hc8H#YcH~_9% z+DxRCfSbbF7-C5?p*x)Y3j;~{lX529!u(-$Wb^AT5oV^jgLScqtrGC-CUUnL%U0z| zF>)ia)YE7O+XnVIzz=j70oXv3EHC2fhOQxSf*|EuGky}dZU|ukOKbJh)iZo;!0jsr zJk#>&>FBNyW|ktauYPz_-TY3}vOXzR-MFLr~UAhv2|!1etR}R+o?6C*|c! zm^4SuR}U1wkMMjHM0yZ7`D-fK7_)KOqby`ThH(`%L_1O=qs0S+hUw{8&elk}UR$Z; zG~Q=z41<=BUXfU;KT-GJPP-x04{lx12*GQ%_)$74(A}uw0*NnKU^)A!CPD+p(FUnu z&8OCYF{*pyQ(`mkS$T)_5To|?0gUytKc_r|$@eKEHY4$c=szARW{f}P1upp(QTki^ ziiNuXknS`+I@|)~XfEfiKug-w#_)uV83`S(4Pt^Kq>$_G&N(MG2gRHN0Mj7Hr6E3q7#et@GYABhN%=s>w+i$Hjh%~=^pK{}*qnlw_rQp&H6 zTQam~;p9CY8;+CO^MIBlticJ?FAE)y+Gq6nO)(o6?6@`=Lr-rJHGp%T=dmR{;@rks zpv%&At}zAVFVQvXL!hBGjQl(M@!3fRBVV*@ znAo#@GY!rO3G1rQ%4{9`a-`1+_@C%e%Y%8oz_xKM?BTQRH&qAU60!m(L)SeHPBAA3 zfKb(6jcj7ygd!&tox@FyJxr4%jLvN4Z7a7^Us{KRybUnJ_Xf;?`Qpbrogp851^IRR!vkI`$JA-vx89Ve^Fn8FP#Q8mP!yF;S1&a`2%KB?awKDw->3|= zq&{7{(KWh%pUm4bxF)WF^VZq4=Ag~vz>QrliRGE<@G$Oao*OV=Qs#~Nq);iICh`Te zSotIZ*dMqh+5CVjeS>L8{Hm8!3rN~5IBvI#uZBF-h%}w{BuwjgLj16rTGkPNu#9$w zD}JBlE(yHRga0z(WW_X#PGC{e$n7_X@}H|Jq9^CBlU>@#Yhi~PL)S8dRYrnw))gfg zaeMGKEcLeHJqGFi(Ln+@P4&$(U^Cz6kbE>&cw7m37qat!ef6ah`}_%Wcb?BKe)?^jmrVTekH2PS)j~TObkgtr)cAc6)PFP5ZS8;V{0kYifZ(CLomdT& zKUvSBH8U6U0n{;>4z)8gfU)<>~f9qWbNC;xIi|NI#4JXkzW!Y#vFPX5~+*ucsMXLS5f5|HZ}n-82S9RXz9 zuR6;E9H5%zC9eH>FxAE1hg?s?_%}b}r@dYUtqF6`AeK(BDw5Rl+!^Qt5ztze$KOM3 zJ*de+c6&xu^|J1|6wHqPZEW0&T43z<$OkntY796Lwydcd0tAp{c@hYqiUewY#5Pj@ zBzIT0tgId|qqxESa&8p+&+6#UACegd+BSVFzPx161;$dGhX9O2P`He4KZPD!2|$V; z>DprbIimD%p0FM!gBFLyS<|RIhd(#S4sQxJf!de7U>_S+nu2m7fnMQB8@Jkzd-KP8 z|K-KCkKmhMd7jQ9ppoLQ@D(uM3ql9^qeYYreOLXD($tnGOX zHvc?Nmn6gpk}o2lzHsG)Km^rX0>;dqSHSL{?|<)83!vj<2rG632|dtWk}DE&R%!-JKV$*y$=3@4THe55 zu=u9pm%?=CYYsYWd0$Tql;zLlKmVBYr5JQ3MqH*KTAjdFT$hzQ-_75Dmok+C3wtN< z`eH0HNdEI-{5BJOd^~Z0! zh7sOQ7qXqG+y)68eB(gdV-Dr%0m^_R$O+Jk=TS~3dFAC5AaDkfFkG}i*CmvSF;`&Y zwLF>gJ4v2X*JysA=|X$50AS7>L}Wx1>GS=*Cptd<`c|AG$5W`aPYVc~Ehi&3-Tvd6 z&z)Zd1$Q?hLgU|m&A&YJKQ8!RUI^o2g#-^j){(^f_cqP{yfpmrHUD?t%VD=bm7o6m zWBKDl|IaUcc0mWptV@y^3|)z@Ze8wrB*et#hk*97OM3TufYkrIZu~jG{`fynpMwvJ zB{OxW5`OyP;%#P)?uVto{L`v@Lh8?Da=)LXIRzEp(peuNP8SH7>zo@?ZJJ)Oq-s|{{ z=Fwl6@&7&|yDxx&0)N3M`FF0F9lV!!>sG?Qf9QXiX#YO&7kt1TBp@7h@9$hQv~wo8 zy_Ws=5B&>^*tW3ng#e28Qt$rGHOqkac2+k0UZefb1OH#g6!cZ_JAhJzt3V_9H?G-{ z7QEL~&+zXo(gHWY6ug}M?%rQ`CjWl>{@?Wd%aif{P2ayhkGtb)+dET(!R+-}Wc}V7 zQ_Z0ZsvD!ryns7fXpZ-n@A+>tX&VM6%Rn@$Ht#TF(L=t6j3Uxcna<{g+=Hih>(m&3*mh-&p?q zwZVI*1kb{Lpd0_|BKz+J&y{UIP+5A~lNi6O{f^BKH1G8;-C?mmw<-8!f@+*2qwwV~ zJ~lXz$4tho4KUyCtt9@*W%17+Qk#wqvPgI{JOL5O`~P-e00$P`5eTP_0>@niEffEr z{CQIZ-L(d;T~*X{4|2`}^HOVbZ^+i37vzd^Jg3k3PelKJ9e@uiq1}^cqTXfp;uV?9 z+Shc5SO}l%y+5R7iP~;euYPC^8dc`Nt3Z~Tn%W$sG)jPp?8Sii+1r^}3Z8A>(J?RY zc~3gKxhVBaNDvRu#z~9#Qe}AoPIAx+ksZ?h$st#}jTg&y@@vb@n|Hdq&O@AdI0!gE zOl%?c(m_trj)U4<=uh5ZN&Hxz*GEN60N~L13UamNp*$}P1drYW*0Tc~5dUoxcqvra zRQ>FdC}ZpMwuf0}{jsCt#VgydYC)4MS`QE@GeP4pFER^}*M)PBclC!2Wu zk3kFEO7up?p&r^6UQ#&-T)rR!bgT!O8@fG`rCr&bBZ6^lRW$mjIp0vA;DyR z8Vg_!qRiq|ji1Lzgp+XqG?VrJvG&zrS*_c*ilBmk0Z3a&cS(n$DBays(jc9R3P^XS zbT>$YD4?WtNGK`YEpX>@-~BuL{?3l$dG7P@hr-9l`qp~i`OZ1!m}5{1m!B8saEEE{ zaBRqM0u!&i{>8^B#E|5<9;9^&JF!6zeH6ys(=_s65HoGxyA!!xIAeWwzxc_vf|1y7 z!=mTWV1wuI{f$=-Y%w+N8iduzCeR&?fY9I4yPO6}h#1}m{odIt5=xVtj{vu<5xdNV#8!V!%F>B zFc}JJy0SLVDd&N#A_2C2f>qFd=|ws|h^EwXa>&px-<$3Utk#Ij~bY2Hyx1g6+(d0ON|$d%w8e4wSTo zPYfhF;jWpZAi2>25GkX<5T!StWCXNx)gwDWx;g}LV5*wA`nM;|ziOP{_sZu9rcEOPxo)>$=`lH zCIS@Jvt+SP0bz14Zh%1=Rn4FdcoeJIY6ic0fiG`rqk6sLl!7-CeDKw_z*%Div=e$i zetZ-I^G*Si+*s82l)Dw$HIR3)0m6S8(%Cgy z8LhNkM}&1Vz=A37*Xu5E3%~)=clT{=P!A-(K0kx~2xgxm4;Zvq{-&w>XAiKU4^9iF zvSV=P&O}9oLO9Gu!I6*4;zn(#bkBrJ~iwsoZR?$me{AY>qRC;*SC2V^mn{)_AyH;OsVYdI7B zQWS?fz%T z(4G2n<{e81sQP=Zh|w{VI~K|P;>tb{(-wZF|IqyWB?1a}R&taep_;_u(8AV+9B^JbBD>2(udSyzZwqb zp)2s-hSN8|z2VgPQCKmyl_Z3OS-&2z-%}&Sc7pvw3GE&;4Icb1}C>lt&Gw#}WR<-=07Jwhsx+Aq;pP{@`&!3B6?r6p5c~ zf;3myY3BdMdj2DrL+=i5I8?4sXyudJgOm>#@>JaHi09!r+R6~1Uw#bJ{o;uBPYjo} zfl=izrk1GxsuTnV(PlehBOyZMrO)#t-pZ*-RbazXUHsf$LztnbtEfd zBI+2XmgFOM3BG*`lamxdMxn>JFZ}AW(?p)#?kFHreE8s;Ed#@azCGY~7CzgRs5LSH zEVZCJL)tI@i$GG);P;Ks=AqVuZ@St)#zCgrF9K zQ=(>WJQyd6%^fN)4pMN`OFPm4O3#0@&X92KdQ8gaE`l=z;vS-hRiL^c`d=)6q}0ab za8IEW)Mi12`<951O?&dM0kw!t*V9gs9QPNau%|pkx|@9K*s%@r=l%Tr!t8R~g}mSY z8Zw6=Dhgy7f}*q7kH||@4n$b!cKs59W040jaju<|11Li zO_PobgR8ON38dJJ-S z)W43pIv}X)xb^Bsbn&VNK!Vjq=D-3n?7sxpkUFu^@>*32g`jpZ8fZi3ZZ&h%6_tJg zEGZ3<{6MHf;=joErj)J?GM-;tw8+IZTtb4>E6TB(zuv`ncSCqI6P>Sr{Kp^je@+qio5<%qFI6S< zUwqypgm_RNe|i5GI}yme5~6}Nb}7NeOZ>lxG7=Ce+<3?~ei4=X8D*rA7|A=29gY0& z*N(ldScoo1cEZzMzy7;1DLv#lq zm8New6llb_L%=Zag^~R`JBYZUc~sXCkR$0NKTLqAAW?IP<0d{LO!?=x#B_u#N0M32nN+Tx99@8_r|PHJWGqj1CeUV_`_|uqYPt&+kn&PS?P%bj7&Ti1j*Oxl-URkbR9ET)@@0UbM{ulsSGjR?aGY z1&Ta_{xJ;H({}7WorN)8I`VoTp#S_a1qBn33%t#q0NyE@LWJgJAL#xJSSxVH;>BP5IoRGwMerB>HR%3T)_yK(0A6woVr*Nq zjC7Lz#gTB=!IxGf+M(612oMnVtO5Q17VHC<-8mR4MgQxy?>-AhAKTlaKb#uw*Usk_ zx6&Aa3OIq7BeEKLDb8Q|F0PHh?ZAi3H7jkzptUJ40!p19dM@OYY4*LjDkaSW(f_cd zp@x9?vyr>({jbmLF0Kv3`*}w%?>=vsyZ|?l-8b&0tgy)2Xs11`((xF6=!dCK(3Y+ zF$*QGj2LUrif{!2>jTiA@Kf~!(Wznh1e0kDV~~Fsfn&HBbWlvk4(#xGfp$I*O*RQD zx>)lnqmJ}3v!+EUcSHty3_!Fp6YKX_9O5v}VyDDPG=BneAEL;V2?DGwSE&HVUsV;T zdAl5zF79pz^5h4Ub^S|$NwWQz<4mXlr#hsy)Cn3=t_yM|bH!2noL%)G#ACdexKo;u z7R}1T*fS0bu54}!DCmmLO2|E+94?%_e_L^&zd9VBr!2Z2Z% zn7;2zm_nL=QoCb$_AN;7>KIIr(?DB=65&de)xbQtxkq<*_ZDIsyCd#rGi8A?MyKm+ zXul{f^4CEffZ+JSvx}=!!91{Sw$d69p=XGZ=lo}uAt`j^hE8xVVkB-e=}no==<@A? z?&5~`6W+BfDOVaZ*pmCn5sCKTm2m)-cO1w>T~7r@2jc?|U*p%U1znDv);%DRm@vK` zVDG0Ey@KGWdC7{Yn=k>$$+uhCB>}3;kMi!_PuPJGj*z;oG{%0K@2)?lu1g_}g1imM zI{tudWZ*QfE3)k1M|YrGSlvN?K{{w+@FKH%G!HZoNETX-HLBx?oLWznThu<7Wyeiw zvEP3gj_3;aHwm#`$J-SEK71++G2Vh|`K`^U%w?X=8Dw;&6oPET0DFu#2CJ0>y?RAq zxf8TVB`4qp_kzAnENCW4rS?h*)DG;WS1g|;HVryHtUuvFdZtZHY4ZzwMB!Hu8Kkhu z(wKcn*b?~^N~Xo>d7q6n5TCaU}8$y*$!$LTo|iQxn;jM zbCU?o1@uu&szaRR*CycMZgiL=7P-owU$)(Yx%hZHSdm3zAFQc6AMoOD8Y-)kSva<- z^&k?K$tYU9V)fg37XEpG{ugMTQpjY>d}LMa5$cTA@kXR>+hpx!|Cd$qyAE#=JNS99JvWNC zRcAzILY$_ECzPE7Pe5Iaq^%2vl8;qA>Wa|hn3xG2S7&*u4@g!XsAM@1RYmVUu97)z z>qTmp$*$}>v#9TnkLYQuhB=&Twmt#ckEB)Thz;+B@x$@mbQq4v(V6OgZ3Eh|{o~fQ z#Q0Y~uxdQNV!XkEn$ zE7A6Yee%{d5ZhuDU48qSB>d%6#iS#SzmS^8BeL-~j;}?VWbT-io$#86sZH`ldl{=d z32GzWXP!yyCYbpwbg{!Q)~(sT2@mDmw%?<{hhT{qtPDd&%nLTDP|?*3@g z+$qMLNpQGmbH!gAe?lXE^hXRv>;_oW$1v(RK0T&zQGtd|>|<1l643l)nNca6h1uF#LX^nUx7dzw42 zplT~b%nlR^oD}Ar&BG`WNB1g+j;r_glcORLeMPgAyeyTNh`%lyoM?iMf~b+wK#(Fx zA>n$*wF=#n;_KgttMu?znkT2%iG}ItYQW-N>`M(qjcbU=oN$TgrL-AGr>3r47O|UY z&7r`FIPZP(PWy;rl@+hbOi#KM5)%Ur`1;Q;CZx`z4Gx^-Zq*>yjG8JFtssN%FC87r@DpJWEA=&g@PWAL@_`A{r(ofiO zo~WxPWT^ZYg%O&E@CI1DT}~VYUyh*#WlZq4yD|5QoY7$}icHEA-L^VJBybXcQzagI z)AW8=ky#FoipN3sLTwB?cebzzcOrWo^$a;3C9PhHW7v)c-_E3q;=c7(hlQJU?_Nj# zH_ixUCGnj2d4~Z*EGAW1`7URkdBv#@B^6^q{@lzl3Nee{m5Y7!BtpAr4kLPe40ROW z6_w`3Ohk1NwfY;>N^?lOtxA?5>esg-wYx$=wmSUeff=9LWSo4LSj|)h%NF-)t%Koi zRc=^fpyo866c7KDqee|#iVNY*oY%^#ntpO|<_gCji7u3f3!8c2{3!U+6^(9?lGjm; zkwhLy<%?*IrRhKT;=!-LQCU%Tw~#brMs6;BNDcE;s7SNO70M=broczR&nk zHecJF5pE|xh-)Uqc|>Z8%jA}(4}879+p;>*oB)rg=a!;#PIAWKAS@9HvWJYp-8hyd zm-vPS4u`w)x68lKN!mJY5$q$3qX!mK_fF71l#$ko3tvoM_WT~q@3dP3^Zz4bsdg8e zsBZOZ-XkWzR6EU4J)Y9ipWE}usN{QmWxOSlqBvLmRz`&skq6T5clzwlX&7fEoRWzZ=?bc4jP!wqk^-K&#ZqkvZ7D4a1pdh~uQg40 zu)2M>Sz+eS22NwUDkG`M7Hc-)mqu)pQaPjscw=gL40*l@_QczCT0UVNAI|eMX*%aD zW<0L@;uzS?Jo)48rm44e&%EP&noPkazsl;8d1QE_OYw##Uw!ulm#v+#RUMWD)>^jL z#ZO9hU99S5%>BDbC^pPL_I@II)!*}Rj&j2h>FH`pM9Be=5mPj`wUc~+81k8 zu6bHH`q@a6>K6tJ`HlBv;vWlJ#nLY}S5G}V*?nd*Q7~EkjOS)6AG5KzAIoQv*O!Hp zbNMyTR}4oc9pls2)fb<_Qn6Y7}zRlXm{(3s{tLtr0Zw~ z?aDvOb(%0jznGRtj6i~HjHd*KqO)P!5i!Nrbi}-_g@+{f2v*;8E9`U{l7y~;POFoN zc%bv>ltvnm7#UMn?L%zd%33>AR$uO?QxjL- zig(=^re3VIG>!H?zO)AlePP9#o?_9Tgb5$X3{%o97F107l=-}$fKyyno~>O-zRugn zSw<&iEJ%yTDzAkdC;aI(NXu{s)yp>A2432Yz-XNDpe6eea^%~c%(P979DF?|FvMhj zjgmhH?|JcMG2>kgW=Z}d5Rjs9-3U!=H*DcAxqS9#Lb(NpI=?=dY^v!iFI+r{&7kdw z!~p(-?^U9{`v)8~->|3`vjh?)RHVL_*?`3vYk6+>2WU_qRvmJZq_fB-VequTu+_PaC76gKXwOOTf35y-~MlVcxJo#{S)jKz1RkqK8;vrf~2H&!g z(U|REUi1UaDN}6~Eh!r^r4AnZAJww#&S{^CD8B-IlkB?lw7RPTXVMx)xTd4MP3M#~+26bDF$2+mUWgCac$ZPRsdRewdRO7wFnLP79sUTog&C_|0W1Mtdoss|ChWP#c1ARtkmF2@{ zOO&m;{TOTOer>|6Ij$U^-kR)Me=&P20V(anWoH+cx4x^+GR>Vr1hr7Inh&3DOsXrH z;+(1$WWG;Wws*uhj=wH$el_98G$n^RUf0@QotkOx6|B&fL$yaPU0H6F<~AB^qeh_~ zV|%g6p{ewLi8h`8ae^}Cx2BCK;(7{yMQkNIoUV`@Mk;WcI4r3MxfgL>7RY%%$fRkd zqd0HJ=Daa*rE(+lI8+_xh|4pvM3x~()m{&`()Lj^O`fuRaZ1ZqlgA8CRI z(?S(Sv$=4mK!@jnuW-rus@VEe1(LBE_l>wHW~JEV-|A9n+O4Y4(d6A_cJ1QZ?Q0^o zcqj9aRH0SPZAryrY5h)o-?oZJaMe_Y@XaStUZz_?vZEEpEf!MQ}lGh(T}Z`=qE{gI!x@cZArLW(GEMP5pd{0dwZeUCbIa z52bjPORKh30ta>XTWLbW2U=LmWIj5Dk#^Ad1~gY1ZPWRim56Glv5`sPYuL!7=n*sc z{=g5UPDt@3o~-aOYPPANEEYZ^5!y+k+@J8xij@6=%2aukO^J_OiVB%`l>`yrCO9Du zRXHp(e56^5*g*>3sxb+Zb*JcEBqvR)@vtAIReA7L_L?rgiMTXA$E23!JG8WlQ1;%% z8t|gBTZ|uDES6>5)a0#Knc49iyswV0a;BmiY%PljTul!E`GM!k7+`><+7eO5bJ+<0 zq^w$lS+gL4waL}SxoY?*Qeisxi$WNBiRfGM3 za`J-}-b6{-$CGHn4;#WMQ%_2BolI4lriHtS7#8(GyL6~+u{LIxDlq^*TfeZ-gkvi? zw{NA6#~**D<%e6BzwWie)x<}3qdak-I(c9(zLOg(BY!98Q;EyXB6vU{4z>7 z+%DEkO=H~mEcRHdbJ+`%9MM=Sji$|PrvTNlFABcqox3cnwQh#H#kqZpHTYdRC8F8u zF2>v9oxR_uRl+UgYL7Q&mfdzXxO&a6QCulF$i?=0a{de5{ggt7K-}6+&M7~GZn3r; zeeXwP#PiyvDrdSUoBNw(it3O7S*+h_bGctfD)zFo84ainY6<4#ZbRGuH75HPtkIU}646!$zA0%|K7!9y;=4CbXYQ z8NIcLQz>=MZB5l@(3uFE^<_nrFMv>x=Hsg>X#x5hY1`lmJRz%ClvbL{9jXu{3hj}t zp-EtQ;kNncK+m^nxD={|zz)OkIyuE}I;Q*-#R-IRbX`KJk=xvfU3Y%O0VsO_TIUL? zk=q}&VmMfBQB=qxZI1WnB3Xj`KL^3QmWrxkJQo}na*F7NrdEnvRQhf;HCZZ<`mrg~4Ba)Szt>NqjXVA+eVPt|FFxR7YuMs)7OBSfMc;i4_n zD*Ij9-Buglh?q>qJ#3?)3y+v#Rnh+xA~dR|QqZ%%P}PMv&>4X=g>GAks5o`b8vh*u zJRBAM?jCb!{%rTSD86HBg5`R0-PsW3*>>2;iCmB8RgtXVQmT;n^D4!@VSeN?Pg

#~FGlNnn|1025AqdqA{07BZBVOh<{vj13t`g6bv1z6 zM(*rd93~;l2cHWVh)YhkZcD)3Pe$t_1R~#Xrl&XG*i&9?joIB({}jN#1wg0D#zhj& z&ls_%w;sC2coHfwJ?kmPf85#GubOoU1cH<7TLa@R$TX8o>5+G=`GI6X22q8l=y6cVxrx6k#bJiM5LIUoiiyY6^%81k>SJr}D&UboE< z^^>_cC-l4-oo7z>Y&O2EnZZ*V4FVSePtmfP`-`|)qUg*nGd>UspPSbD- zJ?Njla9=+^l5%!`rCoAc5aqTsA^LslE344cyBfiC<{YiA-znS#@icARZXR;ah*1QD z>UqO!!rglcW!-jhfIT#P+-wYEQI0y7Da`OqA<4`R$SH}r)e1RgUU8CltrTtH>*vu; zcimc9tu#*lz8KA8pHEH}764s4^QKA^X+Z&y(a%i)r_g? zR*O^3vME$F2R!XWtq<6bYIyFg-qR?d0{NRL|A;zADMBwI$4J zyhEZF=f^6UUPl1`85jpO+n0xYLs=f)5{V(BMm?m9mpGqW21W7 zqf+`L7!UhG#kgAg4<^iaRjoF&oYO7VojW2G^^A3Uk7;#&?5(@k15nB_sx@lJedWgK zfB2$8L;3cFI~TsMbPY z?BtG=q~Pem_Ttg)xwrDX!W6wpcWG#Ekcuv*f2puaXhCy zCl|EvMdt6mN2x{?rl z!%O4g8#Wfxp+fnqRGt-KrgL411)#GN-+E3esyKxg?UbmO40acuojW_$!z2R2zQLkH z7Q3*WvFT5td>#+7F4aG7@+sAbcivu@!KWR1%f&Bv-e_%_rIe-R4J`2otpSI3%tqMI zniyS}gj++e>+#7<>FTA-e0)CFU<3HSA7Oje1lx+00v*=WH0KgcXhDVgCk8weq)L7C zK$u`M$(74WjS2?_Ywg7*-oS~|LJBRa zh3!EtDgAI0U-=hn4V=n#7O&~XIlq*fsVyF%XSj=aICl<*#F2UyVGK+kbCXPPcK6t_ ze1%F^8!sZmM%f$lALC1qVDM#Nfdr3T@)3gg!gYQRV?sxX7B4TgF^|p{=h{l$p}AP4 z3iuZcr771SEb8pAX3R&=i!0{KO@|+!?RQ?SHT1arQSme?PwqKt*9`W?*B{QiK+0)k zYv?RBm7v;_DU(uqr{gsdyK&UJN4nRR_>GA;ks%)At?%8U1DhXkq?ETC1sk^G_M%hQ zz1V8jHb1Q*hN2w}cW2k%OJ73TbNw(lJo(Vk6H_+&!OAT9gJ{GWSRq~d8dtza9ERzN z^IRPoHXIh?BvjnE4nP~YBleD!$vXIUu4XNFTFta?U#<%4MC|4&71`-f+fHIeLyyW3 z4H{J8e(9DS;S&2kSGR2ZAVORH<7|9pgmVVqXmER|19 zkNbIqOrol1kcQ2L6q-!Hd7;EG<(WCQomPZ0ZQB$*c(b>ywN>^LI3uPU%tUI*e%o+L zo@TT-qPrgW+_6Wn=E}RuJElXI;`U5163B7dJxO;HY;=hf_BW#S zUtp4er5cxoADex_PFu^qX0@GJoGDk=6brVGYy@54C5EPnjlRgPV&vIfYnjo=kc@ZH z%rD8itnR8XBxf?XN*uw1JaFaV;~v*KhmQ z@aIZRc1jVXOpgZIA>%k6y#&QpX*J^?XPsE-Lq8Dphuz&d$J((qms}satzcKrrfIqU zcNkFl|L_C8oVDJHrdWR1YquXXy$VZV8QoI#^X*-Sq5 zlwF10_B$x&g|?T5ds%O|_Y4B5FS2TBrY({-Zd&Ha91*3&%Yb`rN|(Pxy1X?XBU)sc z;_oV=X=9NKDXuh$nz$LM}`o8qz`lxduGMy>WOEIg1l;Ji< zdz=%+M-@l!ZCx{S?3PD@I~qSav_~-;?SrZS);5rXGNBhIKu=HeV$q-K-lz2HgO@oE zh9`>WSM!}{P1H$N7^Y18%B)%s)Z2LMKOV*{bCMkfGA8~Aa5gLEcN9%Ck!+oFN~swo zk4$akV{k0(Gz7Z9BN~whFd8Kxgygz$uumL)1 zh7TSRp1#|CdBYD}UKLirNJAoi4W)h_3{9^nKG#*eM@;*XG1J5zVT!_pwi!mCRBxI^2+ z`BI~2inH=;04si*Q=2a8t+{pmwuny)@j8Q?WLQ!0XtuZgh^I%Ix_sF$VqRYy$Xk5a zbTI2gb~XJ2%S=gqHN!oc?CK5q4;6T{iuW}KvK4Z2d6_6Ww^FkrWd51oQhS6I*W~nhPF1G&bSz}OOk1IW?h6DtPwTO-4+5AqoG z+|D@wrby41b+(Tcr=xw-CRR#&CC80OX3;F;*o>yf8S(Zfi8z5U%%O7OrSpPQ0!!_n zNULV6wH4$4b_fXCpAm3BR_{m_WSFefl)v?G^v$^1Pmn#w1>$ zallV0ZpeiaGaNE)Eo~=dltE%0n-GaM{b!LTxAy%i^6wLUt=ho7g$7a{e zRS|x#e2g^akhY+91%^l~p!~hf_U+Y@791a}C~na>=L&|F5$YSYp4R0alx)v?(R6sH zcnGrhg-14yD8Dd|7sUPtyGZ&x>>?^u+j5bgyXf}XO7*I08FJJp4&f;mYP-{NuUa`T zmqqr^0{EJ1nS}=3ij<$+V%Nf#kM*s38cw&~Pg{VHsqf9N--^rl1MDEFTsNOY|8@FGMQuE%;oMBjP*;rv{jkE7k*+BX*GW+V@#30f`X zl(;z|NyO&{AV|^uJrGpRb?K3A6lFu9!ne&n=l5ZTNG-rCvpBhH*s9t2j9C(XhRe^g zu0_OEndh-M#~83AbkF)W2U?kenYK~l+i|CyCwi$j{vk>VqIi%2v$wIxunl=-5Dv<9 zx4kzCQoZRCd4;rVZ|jdb@ZxtlD^vLFh}!$FA3N3)jD3X?0S{ArdJdQZG_N?(j7lJ& zDOPv!Zu`?&fuS2pVOFznp3BKphv_nK#LK6$_l9h=;gB(P*1$av?)cQ3l2k}K%jEX;6MCv?`#xw!;ljYRg-y2%D;m>e*yIUOhA%r7qf=#+c^@|sjNPIuM~%$#Wv zi~I=&nvpmSIGSXq-OlKkT%M!OA<7^Ts$_va(Nfbvvn&*K8Vr=sr|@pYj6f9Bm69`)nK*~Bq`4LuWDanwOdkVb$<8b_syCR zh^-LZ99?L8J1iD~2`(7L$+_mDaGhr}A5|7X8wWq|R|A;uU&4Vj(MmRmrR+}7<44g=yr<7sf!8Ttt!srVEGo_R#UmO`n2VQDJ9l%b2g2- z(eSB8r6#R@kDcRYXFQM6Cmh@kZmVK6NpV(u(gu`#mHXU!LSP zdPUx*<8M}V2Afk5Or#_Y!sZH|SeLV1Yg}bk7MN}Pw)KH5ke5XP4|A5G{>O$qL4q$s z)kh50zfWm?{xt0#P?^)7W>8TgB?#)JA#l0M3xg#nV>VXR@3VP^$*lp~t!Z-2>jxl2 zCf=-1KHu;l6-glpD=2K^UWj5hQIxk!pYuLtr$@?a;MY%tX^h}Uj~)a-itWggmT1|C zj&W2$pbnb6^vs1g#g&^>xYpC1gNmogK7)rkn}=|p*O;sZb~6^|>Gw8JPWjrZqPF&B z$vyOl|NNX(z?J-AiNDWu%l4=EVnjZ+LCgiDo%>fo^1orL0v$4n(&7LTE?NC*lQj_b zjWl?2<^g%+m6+l0a2{tQWfBdXYyYuz@(cyRTu&}Ox$YO-DRAOaW;G>DdrkLh^LZ+s ztG;5gJF*ESVk$c>TX{Zgoeh~R-*HiL=~GX~%ATSp7ZC0{M-gd~#YpkZZ0;K!PfD(zSDK@BD+K1lR?HYi9>r#aOq z#jeDdV_c^x9dG8R+_Suin4IGGAj$6q46fCd|i{{T~9#sN%$d4jZ67&)z(&y#>Axgx_7 z!Emj!y+=Iz8)@H*b|D`ECZs(>s_RufE?j!<{vM9wIAg+UY-j_t4kCM_uUNmWrgVF8 z(0LG0#n8ix1vRgJr-vH*MrtQ*DH>;-mn~n&2 zwVI1Rn4~MgoSFB54Z-Q8iv^msBQ#o>r~K%}n*^xO9T=&fdvGu7^Xs|w*JJ_GT>>XH zs+CXE3{hXmk*=v@5->Gn6Lqb^Mm2AGfR=hMHTneDrfe_q1{lMglEl%_3Lr~$81y5R zf0M-TvS(?#RMbM_cX!72sgl`}vhSEekJ;{Q;IOPANkg)lr(yZBRAqST8mSZwCgaPg!Ky0TfOG!K87!F zk`IBB@Xzs) z9gj5B*Ce^T?i#S{F5tnRfY{Y@{@SXtLzfH4-{blbt??qzyl*HauAVhL6357d%JmD~ zR{OF-8>#WNU)sx9zUb}-JNaDWg8Jiwq2^DD??_NnyU7kNNa{tg8HIrPUhtq7{K%xM z0%KP--yPx1>d~P!qtvW^C485DA*xz?=!QQp)3HbGVAw&N*^Bqypq=QAhl$qhFD{{_NT~=~msyTMI1@d+GlKWEDXD=YhYeL-znsg>sJ0q zF#UoCtK7bf;wtwFU5b4WL$42pqGk#Gk)ge646P(BM{0io)->ej0C77SS zJePnd{B@dq#(1U}|GiCS1s-X6Yn;o*Cz%JiHhHIv!Z~KNs%)~tIcQGpzfVvqF`s`1 zgUBh__UVi9y1mmawcWxLoj^aw4R<99N!p#3l@of^($@-Q{De)9^`D||ns_ud9F#TYC}b#RW3?|* zek}jtFt|HZq?>o3KU|?xOKhpSEz%aiB||&W6rmMhZy%nb52Fq<&DY#V*_FlKURaI${j7c zVg0L%;>yqG!0C=q?RLAF!BM`g^-`-_$LsAJ6+`tC#Ey>BOV@l*bU?ATVjy$7_46B{ zJeHstC>TC{5AkuV)zLgZ{(iC;yN&Wts>h_yWy{``MPdfS>hh65DzC97PEo zd&|6SE8|Y*Yn$=24d z?2;j2kpPwa$`-YRQbiJwxLtr?Q*ydA$+nX1n?!&M!o-}Uer&9>Dn)NKLm!jIz; z`JBrkwN~ISJX`KQHeN*0zX=n zkKtDgxWW4_VVet3S?eRPd;6%-c6MFViV0v=7o0FF28oQ;Mt{}c$Ix#og8!y4hr&Cd)0H~d)a1x|<19*c_GhkGs zAUIF*`_@vUUSXKPV3Lg{!RP_h#^WdEk}K8vx*3G_4#O~IuicK)Z?AE?IV>FY;#^p} zrt7u>nm#Gj?T1`H=J|~KsMzgS)X`?V9$RiWxkkU3JlgU(fP`HGt!aXg)!+k5<~!Hx zEPAgq+MfX+z*F=n?VDH!81+u#3=7!IQtub`3)VheCV}GgN&$ z#-rMHahA}B#BJ}JfsOES04Y!Ui~u56Kgr@f1UTNA60vc2LfaQL_%izXZhdCWhzmyN ztad7kVJ8V*S}wokSHYj)8$gU|+fio9=r`RZ0$5+^|eI1z@xh)xe zTaRP)WsTuRReMeJo_=CiYHlJ&0A1xZ!yo0F>thvGx>EZB;>=e}gk4$O8%MZsC=V4$ zBCHk!z%Mh9jw70RH>Jap+p8?1E>asHC^JdcO?3=QJzv4-epaeLk+ z)kZzhYcvmLy%G#RA_!d0 zSu7$dss_Qk-1&|A%$FKF7huw$(w_dpRl2p~9}`gQC_o91XP3c{W~wQUXwd_WLr{eLqLr&k<3}#QppYesg4hj*>Hm@%Lxa3)Y0jc&tf)9lWa!06w+S3Z+3?jo~ zj-3qp!<*gpK8|sfVDi%svp%7X&v9C{9Z*5|dDZc($@g953rNX|(Pb25C72z8;si~| z>G&sSU-J4b1`&(qDC0C}Ed?z4>#a)jA0C3rNNrgUV0e>xtcCm=gQ7h{jKet$F3ZYN zI%D6f)5Id3R^Mp9!ci_v_@H{tgwc=nW1{bN^@L`A{a~)jRIR;s9MU#MD9triXIHN? zH3lrEOU7qAZG8`J#hy80)@^ps>GSQSExgkt^7t#tlsBpUD08@g+Qm6j4z8^xpu;wc zqUJnydwch~dvK@?C)VwDLA6=KsDHvllP0e~JZq|bTf_2u=yMm9Jk=V)N%($L;~I}( zqID-%cpN5UBI?tJr@EpmzcAQM9qrF0S`P}oU=J@|LVv8&Pk!%)__yl&3~w4=f7%w_ zcpGxW=h&Qo71}-OjQSL(elhSm9PM{%^O)Zz6`hgHocKb;wn&k6*oJH%1L}n-^ zWoYA?=Wl1?-}X+jublovOH8oo_8J^oDgfQqtc;YIG}S0;;-TZdKIP{r{ub6p)Vt)J z$l|33SP_lEg5+ck+rs44-)ht$cqiX{E_Yvi>g;(tn4rS*ce(qbLK64YO?-di7q6KU z{^7pSTz5APUk!0=`WGZ3y^c<&RxW;57{sYQJg@T$5(HM1Pd|Z`;>>m>m z8phK^obuz&U9@nOzi|*U1yKu~DZ?-U8!kZLRp9`VEYNnxU&OeO=U|5Z{uDYcvwK0^ zfvASleA;-1+FSF57Z(_$m%qH-wF@5uImi7#Df41gLBIUd#lZSTMINKh^9n z2kodkPpQy^-aod7_N!vd>!50pPzs}UzklRSWY(ZQ`6}(W%2yEg`}0gfx!e#CDJ5`Z z^A!(T%&rMf?X=G#6)z_`?{=RYMk415jL1m?&gdV?&gdwrvQu;FF&W%n@oT(+k(m}>VPc_24r31b3#qW7i)y+)&z=H1tpE}t1ah$-%!8b-T!^P?yVAl zu!J8TZ!U=ZzT|06yFTzS(HjcMxJ+)_1$idIVzUZZE;}(Q3|uI{ zg_1>x*|)Hu`7QSi6|ZWN9M<>xII$>H<+(csmvwb|qv(vnE?KoF+kM z4SdXr%QicCl$MA;$ zgax7cygr3n3hW_+?H(~k$HW`mYjN?8v(XDc;Fbm+xrTIkO*8C9N3^EqE3o~<*FJf@ ze4IM3Hzb}Sz=fi2ak~X9ly)o#?`-xYlAL~eB2XS8#2l{~K03ze(h;%=$VrkU_xx>J zFsRF^b3M#9?iZahbR!U&6#ChF``7jT&xQWsA3CVnVMh27?nZxnS(DUPs4--6lnQoG z^MDCw3_aZS3liueNvP*@wdysI^hp z|8YNHT;B)p*X5@DsMUFYwhRu%)hnN`TP?V=IZ@3lrY!yOI{*CN+7P^7ioA6Dreje{m^OHAr!o>JQQNpR$L)L5c`q>uEP6MgG3=eqZ4K7?%Fz1xZZEJ|nq9mP-${PA9%zLM#JI*_lCGf<$FSha?n z)iW7hzkKmDJf{=BN)J1qDgZ*kjR#*59Lt}GUDQ<)7My&{{CsbQ6wSqrw?@6q;^~Q~ zG<@zLOEBOhycP$#02KahK*i|UfOZ`tz19QoJt)k2@^^t+XstPph;Ym-Pt@15UMGXt zBN`~UyE3MLoLh;N)^oGVw_s3FQz1<>yl)N;uP(JOrmsc>@#x#>MpOTr{0A;o3humw%-K^C_3daeeOp9`F8rRY-@RI=m1P8NY)e zfxO6r{Q1~4kfA5~=3ua#K3C8*{^#RPlErCQNuRA@bJ<%H?RbeV^{;ot^Efr=h&LlS zyUIOexY1ITT)GARoXV@A@Kg(^BAXZg*OK~w{_7q>-he|Qx-%eSi7Y)T5_jNmWpwU8>lA9Ck(!eA2RfsHOfcO0L=#Ss4}-K7K2Nl*Ytrgp9jDt#_9GVfN5^;`-o(#mWc-Q{!F zU6Nw%m}Mj7qT(_THTnQpTJ?|p{!k%XUZf4@YLV@tVj1jQ3rz%jKY%gq6wraNx1htO zRq`{cOepCv`C$F(;>tr{i|~ybI58iF2Jy{v@rWes2k~VAc8GRl`6+~a+}hXn_CP4q zd269<+qK61G}|zdm<4|@yWH#xMV&cyS=p5#q{zm2s;k~S8c(}3Q)PA2gTs6@6Z}1= z^EiNZJePN_a9pxghfWg^)WL_{*yD+X*v+c9<-FLh@PiRT-e4D`0SQKU?TKV4l`e|i z0??sftqp`sp2pAw+ppGvzi7PaP_IZJc4Oc+yM0)AxZ`R{6bDl?$CJ;3?50DX55Ep4 zi$w^ASnn{_|40Vms7%FN+NNgS3l()*xn%8)5%QMutmJP0iu8OJYvM;vEn{2-%cEx1#& zigY@l3X%o7-t76#_!UuSXzlO;0iAc4$8OaqRrp-3;ZUB=GPFJ9LUsUw@jj>e;JGbi zRvEx07li!UCS&>JXh9$oYL#@v1e>)Ayj;XguNDwLz}{ml+71BCh>9r3Fdxi9v2bOl6{HL8<>n+ZQ>2Ki zLjewtYmhrv4t&)U#(q+AIBT;J)*u0SSz*v)SiSOgSCjj?F- zCDYMADZ>b1Z&?YD>?04b@6KyS{=f@LDF@5>QPLKVau*{}*_SSRl9dynkTl+tR4*}& z1~g#d(eyZH+rt~|#=8(NXFzL}r5{vo&-z|px>>p3@~)xuH7}G&a?-PqHikvuMsK%o z(>tp5)I+OHa!h>YsM;vMeB7o>O!fdWK@@RMe@EM(X0y}JpO)sHBPw>9_etr*3=Ox<#fC(qD?>?E2OIZZ6S8dU795!z_gRa_|qDjRKth;XH5hCmp|k!N)4iYmS1e6?BotNqo2_ zrlK31Z{l6fuXfMJqd53ce?efC-Mu!ZkAm}OR@AzS>)1T!czshKWvpMF^C&bW6L5VU zt-0-6?0z1eIVjk_c4y0-Z~R&Qz<1DO>RU5ve6-aPcc*ZKr^Z|Wi%!2zWek^_dp;9w*YyrwPTVPHE5VHaWSo!3%sB{Tcd5t?Z?zwbdy_nPYGF5y!&jWqk_w^_X% zN#P0E2RD+(Z40xY=%G|O;d3+~Zk@5bP1UJHy6v1T8!3KaYjJF?y@=XN@dRwGhH95u zFK#AvNu(2h$tn-(3R9fFfQx_xBr~yWjT?)SsL#C_6qhr$etzz3`t8kYA13ssXJ1C_ zMC)XyJWaE2!_U6dZa7+xe%O(g0!S|+^Fu|%Y_XzBlcj`yzOf`N&)39vl^*4L{(~Xtj2_v4) zgLYHiNE6yZt-YD7&q3+D(upccX#q4@&Ns?hEQj{guc>}$dp>6-A#Jv(kQQE%&BcJK zTU1}HkLJpn>nPtgw%1qF>G5Ohm2w*z5hK@+Fs5Bm*+~+3PTMYtp>2p^nlX`7Qy#s3zolF_>Yu+@jL&C+{Q7?ruCYl$O(TE{#cJ+LvT0kXa9PO^FmA$ zHE+(fesTE6l=AQ6e|lSV#hrJBNTdt@Inua~;pZ1tnuv}vvlR7cXcvsO-e*n@cBiD@ z{ca(!vzYvjEZ=)Wm$Sx;;C{>Z9gZA~A=@o~wociho%>nKgvz# z``bdnOt5gEnyr)_^Z9MbFt*)z;K~}}$wJv>Fom%tnlPM|ZVXBvk8&*X2qrB$QhVQp z+l-@)wF>G8Ehx_LO8;uuqG2(VcyEO(9k)S2N3OGm0`1IjXhLDAUS!d#SWdVk(@@nF zo*TXa=UrX>)zyTCE?~Movv*$YL)mZQGrE`D@KQ3xYa>MQe=nBLYO{&LNuL7c-@PBN ziay@TD|BPwio?9Z-W9t!_3GBD>^sU|g|CQFa?airXOeOos1;B2l1bJrr~U2~yzN*qthMmx;$v@nZ{9JtN9p;W z>g#pb3g;#C$o@#{?|XbwEc}e`bp!o`CQST-Q#$Xtxg_YJW&-}~>ywT>@PF_L=asf; zr=`g94)E|fi{{Ue>_H1d>5gW(!V={WQJAO{)|~E9*$|ld*haPz!S*e_E*O2~!a1rZ zjyL7_2{tmgmcCH^kS7&hU!EVsqA#ws#K7(Uh)H#cHuUadX&-YS!TAJj<7ErCL-kK~ zRV$T<1V?`A`URqXDPO1O16jr*`m>@FN$q#g=;IyndI?%)L zu1=S^l-FcOPyQeQE=jv$cn@7O{Y%Ez;XY+wDBkH5*+An{&9UQ5Saz~T^}MN#R{fFH zqz9JMGZfLhMd=i#ge3i?l`%<0L}Bire5Pv(k?7OVk4}?*4R0@A73&->E1yqt3JK#| zDh_d!N}C!1SHh3%NbRV%hE&grH6kB)s3*>9E9vaZb?W2ccpGFj=VAJ=^g*`q0g9*w z*~30~q|@PzPIsOtClrU6o?nSaM4)~?I#>g#bG8nhJ2~CP{k7j#UR{>{Ij`il=A+9$ z@33_(mH4*hqlxO5d~+iH`?8gdWS5&%t9yAEP$Vx(=Sc-*hU`yIjK5}btK0Dhm()i+Fo9pg{fhSD9yIk8my)8sr7nhq#&F|Cu zJaw4zR&pDxNWmg|q>!@X(~5SY!J8TNJ*VcxNwv7HY7IhAPQ&HP=c*1FC%mm{ewv=E z>easE?o3NL&CJx7t*)#S&ke@r+^4P8wC!_jaoeLCFzPXl&%(jC1{iNu6CAaeyxXlP z+#0jmi(CYWF49M;{5>=*1D=9!}SP;`tPn_CCQ#St7!n4e-dEID_5@+2C8n?1h3mp^tmTsV0Yh{1N zTf;Q?dBTu6QCG^H1#N}b^b?3B?Nx*=t5j~*J!VcMSW(;B#i}u@H2fOHQh&h-)As;l zLP5oexh8UOgEN1VP|xw-KdL-%Ws>^dB_$mpPpTjk`oV=N)@+UN11R>js21NNdORoO zdYoRsmWYyH4~wwVs5p6&D~Y;ZUf^tX&^5xEourY5e;s{m(&$C@kX9P8S^Jf{S`<+i za1Jg=5$)Y*T00dKo4PH4>YJZOk25f32ZG!&Y)Nw{ z`>1p+9HpE#C;aN}tw3%QQ=_V**78uo|v%OvL z9W8bH*mY#om|IktgPrYf9?rIcy)2;iJ{9k!C@L!4SpRvZT6R&mQlb)j$!1F}NE&7u0|D9 zB-~V0L2an$7k$X+2*IV>&+_zOaE{v`nh8=BL7k-Qef1R`r^+tX;mDM!%bTsI(BqGF zQnp2DqC8dRj@|EZG4zU;>yNm1Fs`Q`PB`2v(k)b^+rtR>;mW;r2*bIG+Dz)X*|o28i#@}YP9#Dv&$tgOPhw@7#w!gKFZVXlk}8I$AaNn7rjbu{XoMzz;UZR< z8p^o-cBahUG5#^tvzjGl0`0M>g^e1dV#O9aR|E4XvW`gBS#Fh%LZ$2Jt-~maM2)$N zkt@aWvOKQ5^9-j48`=0ZM=3)SDsF8Y9LqhJH}y%bYD$yaha2A%%r!I1T5bz*(D)Xk zO0Jk%oE=_Yug|~|iiat0E zgGfPtfYpp7p@jd9O(M(bp7k{OOa*^&-KVFhVRgqK8RSpBB%(p`O|pxfJB5CR=>Agk zi=0BdVCB(VKW^!G2WB0e1oo}ET;gZF1u$V{(0J!yuE^R#&Gk{s#$dmpzEBxv1+c#L zBNVt=%gzQEJ;Z#AKk$9tiG{W$_u6P?Ybaghk`$4iydKvZTP?k09Q~h%-ly?mYz19= zwzJPW2gH{K_=Jz6J{P}Ni-~f&>02}rUf1-P!8zx!f+!D?x6K^RBApi_e2p*rF+&NX zch^$!v9gcU-U!@DqZY-3&@>C9J31K==JfrSx*oLW!yd3&$&;eg&tlOx2nn?=cv#S9`f}5IP01(~ z`j1O}Q+>pUeuH8*>2aDpdC{^kxe#=O&t)W48eQIfe44nb(fi{8-f!cX?aMS8(aXVPx}tiZePiHD&# ztl^zn7t4R=%O|z7_* z)9UmtcIq2t$&~+$#XDkZ1Pq3*^>NlR<(F*dSJhYaNp26~Eh;l5i)RhbRy>aizHyH~ zsEfVMo7wWQ(^_p+_$&dHfvwOlz}WjoVPMwdH=0Cgo67rnOVAA^4Owk?a4Aso z*x`vQA#(dqa>*jv<&s=euP$eOL}Uxb=L}FxRA||HnUz4jiCb4>lO&MrB6GESY+gp#1UD^tRqwg%2P7Hx(|02zaSSz0fyxdHRsU`1d0(NFDo z;u56?*Zkk8Z4iuy^@;~GxZO(F%n4^TM#WYlMlnS^n=hc~*K0g?4mcAssrX@DAzRmS zWtOo`FWU$u^1sa5esh^lZAuc|>GR8exWp~g*7#X61W%wR_PNdY89wb+G$~Tp%$13; zf|7SBspQr(P1?b0BT>RqG3;VXp%e=5uJL8Ds@&BCh?r6wO7_wKdCtlMjgqcU_he<9 z?I{FYE1v^gMD~dmZvqD-_H&K^{K#TPR}&g>QWlO|ZGXL`3EhbBdl$F7&K-9)kG_}D z&Cg+3uBvbA5bVT;gV_$}6*uXOcF+pMdOaeBN}EuD&tg8?D0+SMGlgT##yDf*P9Cbq z2Q{w7LN5dEmTa1rby+=h?^Uh-6R*KtCh61q6z3oLR{;iSaGr4_$ymrjhVglNlh}P4 z|0L^P{PJ@Ul(XvFT9Ue_3g0AC7AWOuKaP|!`@3{4JF*ap=@xoF!^I%wi{2GRSt_|wnk@x-0?&NK@4F7>|c(AGNM_mg2ys&)IKvYlzn?#{oxs_52|vVU4klIV+{Ve{(=kSqI|R_Pc~X|Wn8^-my%kD z=Ct)ZC<&yz@6oGATZ{HjrAOM^%dWb7&s4sv&*)c=K)&{*QmXS~tCyI7f}@x&P098t z=>&XkC>O@UP(M%R17m1C`qC_`h8$Bq>xa3pgm0cOYPO>XkaL!NV7_;bdo{t|75Z!d znpt&Sl^=>0aI22tbGBoo;?-#j+;>oV-{L`;`jXReQ%^=mj`3ZVNrp?|3r04YedS)w$AZ=~|hd6quVFh7a|6OPg(R zdalb^TZgwQYy5EthKT+?1g)(+`7av_rt{lWpC}ue18)Y+wrR&Z@j~$ z=jnKHNY>p*oxu@`CfC%(yrw{FYhMfhXAZkTTVe`)L$(5++%WrZ;8R#WcW0lp2}jgu z*+#>;*^h2o0&?mj$dXibq$YWcnUA2MgV1H3{-(>!+QU(%G4oz)%hfx8jZ3Qj#pd{R zslas@G9IMburvWqxVVk|z>elow1N3Ix45JT(mkibIFAO<&c4pOEWi0Rg}Nj%lbh#t zz&_M-j3=tA!intti*Q+jIMI6^_xCdo?1E@rm{E)@B$bdN0s1cAFPVtGe;Q54*t$R5 z`Ss$THYo-5Z-E80&1Ki|2U3{4nFkFhT4KUj4wH!9U-`~!@F~q0hUbesFc@uqw8Z|P z`ptjBJC`!85=NNj=D1g{%;<7xJpWmNKC;c#K&$tira-EPSM;^!39x-Xeip#BBlvz4 zhCVXuc&2Ncuk`??x8RnM|;;}m1IhX*!%w|>RI?!oU zHsnMUxTYG|E!}nS?L5PGcwt_hQWf*XAUfPA(#?&m2hl4~Tv0+~l%I@AjJ8(>?-Ki9 zL8t1$1a#!hMTi^j5=(w%IfE{C7CR&BN{XP0lF~dwZmlJ5dPA6Bdvlyw!RwgB*<z`a$_|Htcu#QA5LJhD$kyimn-Nkbx;jbM5{0$TuNz6W7|3@VT$-FXgOjWQS|m zE>KG|8ay2T7+P!HZBA(0pnA4qehI|GY5puTZHfupPZ%>ffrX@0XkB$vW)CM5!^Eh= zEr)|t+S%{^{(}KcSRjsk*pUmW-rbommS;}W_{fyx~T&_ zA89OU^LmU?f2C}giP+gX$MErBsqCbwa}21%jw_Ly60~Whl{0aYVDwB~wK_R!<`CCs z%;380`;bD|hiiud#`h%12Pa-VHiD<5>$gMKDetRUCXGzNFh3zG+}ES-GIM}I8%iop zbL)Lxn8`WX)iu+ESDuEZATczKJnJp^SB}lXmTGtt9y3XZbkoj{@5%-YkGaG%lo*Ga zt9AhaoY)6##E4=mFA3xORPG@Og>xLGL~i;Cy7&v?zi1X#Q-%SQ(PKh;mE3>5%#x{b zX0xvXgqHq(3(vE|ZJpS9P1FZEgBnxpKBgMb$j}&6PcY<&^y_0frnG0+@jAR!?eV@VC@WAeA=?>~b`l1OiNOyFeWf-UG9 z4up094}jV#!u7X7qywoEGW?1CKpJ$y)vDg;T^%k&995rwjXPV&+}@i2qjT8nAjEW$ zVJW<&y-LEO`)EX82WtXU0MZ=BJ&%Np`zS8!XwNZ*Dv8xy%Gnp|WWaeVyYwm2#fICE z4xdeISo0+dn0IN0OZ6f}!mPey%|L|1WNvr&DbVUjIbwtiG9=9cy-5|G5UGL)=evq^ z3rDWr#q{DR8Mn@Vz%65zR7ayX~IDj$peW1!)7i~Pr zF@6b?;o81yN# z>=_qz6@z@;NAZcJN-QR{5F8q}@k_WIh0AX$Bv!#Kl5L&izEb_3!YebQjPL2qT26N(5_ujdlqurFZ;d9!~ z!=r$4Uza${M@z#9r@%p;Em025?uX%qoBLT0{=&|ook6BG-B-nO?bWnyrTqlLIRgdn z%?ZF|59~~CUtOI>xNN9#JTTZa<6Y@UoQ>1Wd&{`#11WxJ^)`*Zj8k?P4f&wW3q+n= zDn2(Ceh1dTX4^F5UHj})a5-oWi&GPbw_C-z?7l8EkJyP=sBYufg_5D(PG{cAm>^jo z&-vxYB%Ce9ZxgSYTqEHJpVi4o@x3A~+vmf_zu=UkFS-n9vO)Av8g8+g_$leK3LVRX?aq=s-G=iA*~P#At>>*Pv) zKz?vAsJ1+TQp$Q=`3giIs*XP?=9gdPavhI7kMr;(boaP?Py3D9O6!gwR3L3`ea_-B zBrc@>^Mn5HCBzD>=(1OusjAY{D;@GlJ4Q~ySfi>B@Oxa27mMFyXE5n=e1GH^DMrbj zNk5|rJC2Rr8_FGxIgs=72_$CBE*K;P-CacfiJ;ho{D8n$J4x*Gcz>152U;(2eiH?fS| z?Hl!=JOq`6rT4_mJe;%AwGNP;6HBj$n9sHZv-(X@(*#K+Ms@|bsfz8`*POVxMz-;& z@<;EPHL9+(PIQ7v2bd#M$}2A|h6@_O#h7})^Lj;%& zA;Ur=kkV*o0vFFJ5VmU>pN!YS`YrsVn_Km(pbfmmEx3_%*TbWdxULk(lAjm_WRl#p z#|x+@67NK4JhrOVoT?}m8MM{=7Udf=&CWurImY*+yChL5R29{yAgq!(?1}u;lW&_ z32$7<#f5~XaOJ>tt8vAz#m^OZ5PxYw1L@6~7I*QtI%~B|YoNK7zgzj!6B-$rStfUK z<&>G$3u#HtUP0qNLC8jWiD5pXuF*7y6%!&u_DqM88I_^l8;=?91bTQJ{g5O(e^}7k zOOT9b{QV{iUi6#q-75iGi;upZm6$g}N#qSsO21$5I#hutt` z&`ZmvV2qTQnTXjT$Q&ML^61@UP&)jMk zXW4lQqJVU%Sc9U3wH+Cz$1-B?g4?8m_}YZJRoApo;n^RSA5&9S{050+e0pyQjI?+3 ztGp{bDHV1T+r8)a`5^f_SAT6k*pJ;ijAf}rz4*C4#|AinKXUO@s(Jg-d@D9lmIwi& z+9yN}+q!@h%@l^--)n=Dff8(Kw1m>}4trC+*`=oTrcDf2gqUvM`6wyBvB{3(ctPXG z1EDM8q{HQ)DOVHLY%5aoc`Yb!WA~^q{2uobx4LJ5lh%ixuLt0L2jjaVrPvbl3hx;eLc!l!@ceP!-_}IGY(l@l74|(ZcA*jrZ(Fk!pXI!%0#Q`QV&W{MFB6Z3%ZfEhvVJYF}7u z&Zg52PaNOtSf@FZ9J9Fd z*jj`!HRp|94^QOhjo#-VWS^0Y;87O&5#>W!FxPq1>GzO&F2`l)4jZ}se6*ojW0K0< z)9asE^)9+!^5OkD4e1&Ids6KZEfnN2y5S*k)K)v+Y-IB&drp%z)r-F9Dcq@%(}8cy2VPP zIj=JARp7!%SDBYk-!+&=4gfd^d7CE}o|5 z_kj^cbF~luA$#wa+IyW2+7THoCkT+IoR_|*d9D!FNgRo|I(pd6izTkU1q)D#v*>pP zR=(<#3kDgdc~(l#E|@wV#QIEq0j0IYT<{7mN)8LDUGIPzL%kd3DF`T5Iqg((kxYsw z>tq>gcSOGlHF?ukI*u5;6+z;9#}x4yI`CUh-3R5a;@Q+Ar0wa)c6Mbjw`-A4y&7w} z=&mDfgsOmld1`)TwE4kXvo&}5!WY(}ZqepGHdUQ$D`^5zXAY8iS^7Gv95!^fXk)Mkc-Xgn)G`uZZi>(7>LXMBs6%n{xHXQjkfis^(qJkTCwzHj9lI^fdt`r_=@oW+FS!0Bc$F zawH%?m_-q6hyBV=%^K^mr$9n4^TcVm$T$@7yL^1`MlqP+#mc}PDKXrNVy36n8U{Oc z%;vQ@2Wh|xQ^}%S{K^UhF2WC{Sfh)6k%CZo=mRnDZ8V*h7cltu6FsfPwj0UCI0Sn% zBg(?X`!21%@LcNM2};XaH1V~(_4L+t7lBOM3?{-j?apjA^BuL6 zzVG*(V5CUOkJ)I3w;+>H6aMyeww3g6N6>xlR&E~SJh8TfZ8Zk5dn!EI%}%{g9Y#eE zo+4fYM5E9TuwLAXt=mNTUoRKc;_&={`2g=;klf=3(crBS&jTF=QX0;IE7pbwNRYn1 z2|=*pn9J5zr3z-=AUgIvQcFf}_6HtT)=^fN;~a=Yw+45eoX#ey>kACbn;EO1v>Un+ zegUBy5r(&RPH0#hQSm!&;z)O%Y3E8mJL#$u;Ml>^oU-P<k~rV-jYfY%$8y zan1_=;x~eW6n0r?e0-O>B=1ThaEvG>y_0$Oqj+ExqNy#E>OVmbU*t`4$~23#RR#pE zdfWmJa|Rt31oeQ`7Y%!d#cil$naA<$Qr zk3C<0X{z#8BFwB8Xd`_6GSI8J0_du4}0y2?0s(e|(D6mL4!7}JW#Gx{B)Gf?t74gw@ ztb)Ns&bw>RAy!M+6c|w}(0h}vfji?N8O9{ZEp-YyXmd=yR9bquBN)o5%r&M1P66@M znRlzee{Fa&`B<3j8VQ%6>r+S4%_$kHpYGPU(jVQe$?ZJ6JerR7x2odVzV=>$FwC%T z@3g9#FvM8JU4Q|oFi9|Q0piJ&4K2OO@Nms!{bJY*0}tAto_x6GcC=yrR5zSa5dqtN zN|Q-U__P8f!(a3KBq%|lG^i(Ju)j*p*J9jImLaq$F}?YQS=zno!tXj=h@Kb6^{}TG?k^@Ouz~UT7hYeUPhF+A?X>|3AY~MO z=6~qcz%(~MVg_QWjLrS+T5Xb*N0Ff$BNyV*!ztms!)%w%?w>$;U+H2hdFV>!Zh*#)uDZob?n#~9FIW&+#DapkWLjx(+` z;K?;lI+FZ*t?fU5-GYX8?0fkSGPmG0oJGxn_U)hX8=@%h`>A~uxsgi(F=tnL-M*!! zmQ8O5=9ZzhA?q{PceFm;<)Kkl#`lcGWx!g zk`#9l>!X;XQcg9w!H$UFr|WoeO6gs~$@d{!{i zRrQ{^3d$mlBNX;o=kR=^(Ybk95vV>e7dCIw-EkgbBVI_r%nsLbJGOm$Zopnnn*5fk zevz()(WPt*YV@?T zRcV-nFI!xO^Q>GNM zlAE!Rx53JxGvdQit?${+AlA2PvTeQn#x}w9rt%cmG4*1?!G<=yW{-{Ct(w?9>w^i0 zz@Oh0q9n>|+Dk&0*~*;gw&tX)tE`|ert%DL{PKsmdt{&67JJR(gtv|FDe>3bZ8#qA zG46Ew`uNEF%4dG%>g&T_?@6A599H*pI%f#;+bexkO$@OcB}rH7oBpgiS9^VO+)4VB zTJn#aJ_rvj?nBb4-j>~kuPNtj(wPf2z~V+^m(l0;A-0>L#w1;ImE_Z@yYyUZlb7b_ zc6HwgCcCjF>C#O-YyrMyp4a$oI#^;qo1|mq2+|+KIZVG%D#@e7&S&Gb%W05)VHK~W zAdBGrvMAMOBBbt9t$AfqL0$IFQktq;AognY;o34N%N2(xxygMuQdCAE{QE&P2LoKX z92OQH@Me;%q^^AbY%$r{#cGk^%aWii`ZO|>$DaDaW^DSUvNqwyVi>0I{rEoP(_2fh z+}MmOSm&jzJEda`f4AnuWALRf)!{r-IjcWYH=sM*r!1*&X@*eH!|u`8YLkGrG%YX@^uTXg@bmcxx7MM1KbBD#GCSJy{W>dWF>1_ykCNds)T zsxGbfTa6+kCG8ls70MobrOYY5rq_t0R;mmE@UyT*<0Y}ItsXL+SHgk`{Lg90(6-sk zT&ChjbsnWVhOVs_2>l`zqZwwNcZ?e)Zk~FSQUeaMVAYL73h5008Ro0WcO#moKJ%IN zDJ3xC%Kw7U=S9g|maBBBfAP-zYbBRp1_FJ_80T&S@3L$U#{CzINk6grU>ft~j5BCA zJ;Bx~8$cz%|1;)$k#REk7)dhvvg~D*{|d8GfY3JU;FEH$xpy);G`2IHpxoOJxf(({ zonyFH7B(YyAx!!MMOZw-wvu5v=T;|Nh9FAeABw}|a?VYe4j4_63B|SX!$M*=C2{XG zM59~<6CSS#WcXi7jZ%QF2!~D`Mpw(D0aPxU54tRWS6|S>aTIC94?S`bs&5rG>Wz2H z7eDwDuVvwGUc{chM3jgXj63oOTGPb-wgw$hm)fy$y1ob9c*t8Hix`s_DioNqVZaev zA}PbZ;r%A0g=E~txZLaz8qnTc_`Iz@|CuP;;y%>>j*3bpscD`RnySP^UvTBV)n34Q zd#hf%;RS0=B4(;`l}%oH$9!|Eg@3H9NH@=Y)V5~txqg%RU{`u4U5XlTJMrq1biB_g zV+cKoTH#jb7YNC%Op~mS)=*a&V=4=YpxmV4Har|e9p+K3yNRYA?$6r8;>}kIIi~Hj zQ7$x)TIrbyLxAv=9P|ltgKWl%AJ59ldUc16Qx2_MX4Ujb#e+B0j8l=|!8NCMtyLxM zrhnNFs3ks82^Hba`$931E|d5%%Tdf?v@}2c=v}d6kXOfn9=f-Egk)UhJ1do@jMIyJ~#I^>uYYRkm~-CTJlT($x}2X5By4bYJbS0`Sl$}!xWZT*=>vFtVVP$LqK zN%QZ+v!S~RK7|>V^_k7<^9a|=9ToztNqn7l*Rm5_4~%!9+~94{{IZ8GjsB(D10#O= zm2y1k2j`a_z4VNs6P4v}xoWWv=MrB2~0)Sv=f?qyv^UUkGS)aq|ItulZDtjJ*+chj#COIEf zW}YL(kI@e@grQBiO$9;(KE%wd4WlUi@TsKxM-C*FUw&?b6jtHj70&uDQOl}z^uUi# zHir^SA=C?CB^?baGB}g{_6I-2_@*nZ@;!!dDjbq|sf1OIpST zA#}%C1XTQ^Pey;HdTv}KqGe3}4obA=T6M;J4#%}5fz?=z86V?A-v+2MEv)KRl<0=j zWpMLQ4aR~xI5#|G_UuC%w;$(4hWbe{?e_#pmC1N%86@)i16Zt=dQ!(ragwoC=ilv< zrLzkKmsXlgZfdQ=h>{$jMkOe4$d>=YXM+|39|EAGAAM5kMSuLs6vpWAW zMeOqq>(UPQtXQ#|Shyr#DC;dbY!lMn4^{Pn`9{o>WV9|Qz7cZ8N)LC^CX?!fZ%Vfpb^TFNF=40Fn-p- zS_BH1?+d8aSwBh&TUeEk;1m7)u0M>~gZZp4VRcprQT$54bfwua85hw)zwD>BN7q|w z-?Oqz7B|sdG?=_tb7lVaT{Kg1&(Mq%Hhfuqvid(O_Q*0~e2VZ(3Jd*9^)TetnR9x* z$mwQ~_uvp=Q-SnQUvma_vhk?)B^`iFTylUM==KaIi3Gy()6$s-HpFY;zr59fuR6Ct zg;04B2u^pShOz&0t%&Y;04j?^sstfX*shQB-ATCgr*G>y#;5R@+OWSOZCG!(YtH=z z()KTv~ii1P2zWfd@f*R2htAv{h{fJTrC z3*ZE~dkHf92FK4RF@I{n#-qHi08WdWmohRHGt7C{jJJGm{TMmiobF~Q{l+BDX7WB&%kEX=EYa!Qnbb6RE zdb>?E1OuS8KsuBtC{(a~53P{YJRga=evrWN?A(4+u4-tGtyeg%o!E-+JRnbofuQ7e z;Ih$Do60}4psp*Bhh1~pJnmSlE*JOG;Uk&X2kmp`{d9%c2~lL^O+y?;{`qe??2-v9 zL;^VS8y=Xd8OTmR( z?w$`9_)jVL;O{*MWCYQ%kg}8`v~7}Wvd%^%O@RZ`LYjYHZ)bc%ncV>;%wB({Z?`Z;?s)v-HT=9#{rNlE z!{*EABaV`80hUwuS@AeOTqx3!EM5r^35@P^tu7Ub5kN;g_4D>0D1W)&LXnpXC&+aSO+-`0|n=Hb7S zSBp+LUCM?1Pj~9?J|8|hJy%haW75_Cbu0h&f`4HJOv*Z%jC_=lJM z^P2gG7kETmhb1Hthj}0EKfdAKriWQ<06+B9!DD$gAh^m$#SXbtwu?Uq?9MCDql{ zyKkxk$x#Z>`F`^^@^^4L;pjS*_yEFtj8}w?Y1xm18{KARyg%5Dn|$3 z6piQ@{D=p|{)GMU-RcDn``KX87-)YwTH)T#Zy=lp%%b%4XDGAU4C_bI>hS(w)>P3I zX40={Pe^UWV$ME2T?_09rjG*7JmdU3`)I3re)rkyT_-2SH3n$wf{ zH*^V)W&NoH#t|7R&Wwj3AI{?>%0WjQWOM;c?-MP~3$s?OZU*ER#k<$S zF<}J7=CC6qABms*$laiHBd>u_BC4dM#Ipvb>!vD}KNk2`r|_RH2UvKEddSw$ql>He z{!cIc=ly`J+`oLch#I+18(H7z{%33aw~G_`VS;owVaL<)Oi?iX%ZJMU?|V!l#(81U zDBbJnIUpfndwK9;3m#yxs)Yv8-dEIGZo@!x z=yC9O?_~&+_x)cEEWtxs`0$5(_S+Qb7mesJ5E4@?XaQ@IK0_?AJq^L44h(EuX>9a> zs4p6UVF}i{!I;{4gq>a(O{}EyMFT*vVx?gVkbbel%!TJ6X7Dtc2mQQs-R98`3pX~z zSU|Yjn|RVk0ZP7kXr8}rtKMuwiN)|j$C-oNy!1UcOrMj49&}X^uLtz6ClEQpJkW0L z0nsN!Sr4c+oIphiMCNgS&C{u`EE2&=8Qp+k2}3U6uaxV(Zx8+aJ0k(m%^ahEsc&M} zDBEG5M7=8HmEqe7;|890h+Y6OOHiGA)1azhygrPZETiH3Wm>t>G!K|y4v_qCf=b~{ zGWkI!|2Qc7y1C-njpYr#!yPOhhTdHVKx_@5G!+@0+l?dNfHcj&LQaVrgOHod22`E} zcsfx3U$(eY57g2h6$;px}fo8wE^T4(X8Stj2}Dpa8Sm8bU>H~C&d7d zx>&s)4BUoHrIVi5=iI&k521M!I=J15uMS{T*PR&KVe~v^ zNYzN!yfDhb4r6?v;VfAQ$DAlGf$9z)+zk;o5Ym~ZID~}fYHdKg`8*}>dSjsc8Xy%| z55B{7{0hQ;O-ASXo*Dq!*+8C>&1{H72P8TcP?3pfNOdf_?70F*NO(c^5i8ggTdhrrP4McT#h?0jFZgfyP62jCR-_ox<|>x#R#((txbaW^>>l zzO5QxM@A*V+DxV~2fLa0k#Pc$(>fRLz91a1C#Ik|%BCc3vxQG;M$-q6sYFrXRE6u_ zzEkzSSF@1`o4Y+*t8J54g5*73^;FoOb}7I#YUV=t*dlGjhH+LRAv=(vu|Zkag~lcE z(ftHCioWn3Z}&?3vmm-2ZcvehmWP*)JFP^6&$9k8%Pd@JiA^eiD2U))QPK9G$zgL$ znY4!A9Sb<)W}elOl6y8FCyIeQyl!Su|I@QcfXrpHBL|i+aIDC*X z#5~fD){kiIw+2w8|A|_oSe_;ir3Pr4#3FN`yzv2-0637W2R36+CY;55d*Dkz`Ml_@ z;E4GZq@i%r+Xn=fbheLg=&TOqi*fyW%rFDhVLz|#b>t**g_Y`LWrZlN=V3hr5K+U) zbx}Bz0B0`|G9RlF=`9p(G-#Csb{vXVnnCKL4G)xHrv&-){q&oV!EhiCnddx{>F9MP$;Z^o_&9XM~3#ia?}+3g#Sm{d&g7#|NY}7 zDjF)Q%!p)XB`d3BWX8e4k!&Y>6CzS%l$jMt=CO}GN}VGuIv5#uUpIOoY(XD8288het!Uxu?!1#<;nk6Iq_3yzo+x93&{PM1CLgy8OmE3 zu~(&;-i7@+SlYevb_f>#WIB)#N_EN+og4_1ryCKPla-%t9}$I6z_?g+q7Dh}A@n4~ zSnS=0-eS)u9|ezPk3cJHO^@-OxGJewN70!s`^Eh{`xZ3z4Y^NMc^;5%nB5AZpz8h& zxOOTw?1Aq_!P8nGh&#H0%iq;0KK`c3aJ~mRA%Ev}mU&qD8-Gq(-#>Qgz5j&{{_-0iMp-#&8=I;4ymy~L;T;tG7M4CXctSeY zqgfVQ0W`ZDh@L@%L*Z=QDqkJ7V6ian-q0C5481(xDVqn_|&~w^XZxGsaA$$ZB+Af<@ zGaa#8KBE4$9z4J?CZ(@$M+l(!B~^h)XEvF5UHWp!63jM_WpzTV#hggwz76{_)0E#R zsGY|(8i&T|n@}7|dkY%`uLiEFzcJ5>yd(naQeGkOM<+y(0$b+4bF$Kso$6KofzMrAc4jk!ZWEvLn1V({HgEIBdN7lU4 zemh6@xALeGl1F=LW>g@LYRcaNgk}c9x>l4sKorUe>#z{{WXmZ0Bq$|~9c!#CRmUUv zPd+5_KIsafI)qf&29`h(#Tf1&pW$Xl%y6CjI}aYEx{o3($_FFK3r%9|DMKs{->JrjvqVzo z!`BEy6MW3}RGuiDG%#@qy>1P45vkdS3`P|lv0ccrLQErE!Vz#+{n3mu3<6485|9rY z&NgOU4N+r@XEgwLlUHE)hbsiivR_aKpXL#ifvRE#3I+*S>vNGB2s-v=@H^2eJRHlK z?0NAgDF03_sRLfL=|-~VpVTgYKIj0o%t!S)2&P#-kPh)r8SMboqBxu!pHtmL5OaIE zTEREx)o^#B`zVyu!q~#n2Z^&#{j4_Qn6-bKZbG82d!zRo3@Z~E$Ioy;gjrH?nSf*R zIL;Abz!5iKh(A-fe~^wjAot z0Fjpa7r+5s@5UF>K_kY<^Qb!f7{~}NLTRLBP55%3tPRk%Y0_^HA8j<_sqSvpjf*oD zAdVBC-TO7VKvEK$j~GS08^04>)B&x8@m%WmgSRRCGm5Qtr7%P~42>zK6i} z#m@yPZV-kB1ED=AI|1EJ90MoTZ=s{FA(wO^giDEhuHDSwx6t+IcxA`J>u$F==}J09 z`M<7T|5I7^(VQ~l>qm1ffkOxPAFhxJ;z~5>BTho3cd!&_q<4fyRRT$D*7`u^(y~UU zhaetnCjO+sJR{h{?i2w0XFt2l(7nqp5CA0FSpDuWKMp`Ha+Z`@jnIQn;Ku_4#*cNA8Cuvbz>|ay#_@S7O@L=13pm_ zAP00^xb^Y9jVeq!(it70`CA9h?Zn)e!^pNIcDSo6*x&W+H$jQMcu zI;(InN7EioFuYC4{i@mv2F>OQB97!7ib!Xo*nI(Pj%b){VBnBDokMqIA1&$1?V znkMs3Dte@-&dl(e74){s(lKBE9}($)Yy{`-lCM4^TfS>@`8HC3 z9b^BIGQQJVSk}(#VW*z3itND)uEmQgiaWvuj-VA?9biAQXXk&o!?9*MVFq%b_(T!C zd1ImTSeigty8%rgXM78 z&R{Z}0=Uix6@?c@nvVw$rPc9ExPE)D7aEi<>t{{3GC2z?eP5Uhl`01zZM_U^==)Q; zAh29-(UHvUZm&if=rxmFDE3G@b(GLexAk^6`W~$r3Sg4C z<-pRP=%9OX4{y(IO&z>7AkFjtAR8mN-9&90}MqJPJ2{%)YQUj zazqOahB&))h!@4iW0SOA?96z9VNJda@B4fTae9 z8%>T>E#>byA~*w~q0+EFv?lgd@1a3ffOPBr6 zK*_eT&tw2R%KKqo#QspU9ilc6P!(K z9c$;$Lt(agI?aai*CcW(+%J)J`lT&CHVCZ0D_5A#F8V94%1Sg;J zhCR2DS2kK4fr45}*!G9KR)5#=jL^A1c}w8xYrHeg5tvN{p}yA*+PN~;c&0;fI+u}#H8CjgOE=~YI6M$6U%dol_+on<0T1Lka?b<-?A%%q zAvyTASMY$YHR7Z6>&y5aJ&!o8UtkUBk5iCcqKGYlH9+z9TPvW*AR)6efnjQ%39v-G zxW#nwmi$Y@re0+xIspip=+M`o6f;Mtzs1tXP_YJ(caCgBp*NHjc>FUqpx)0Q#Pr*d zXJBjb8QAi{a6RL4kZ-pi;2@&#cZ+_3H%5dP$2mO26lJQu_|r@ua-YsIp7^?Le(bC+ z#Xp}Ju~4`T8gDeS{&5>B4v}r$s(^5wVtBYT@b@0lCM;$W*H4lOsDFi3I6QeHAHR1K z@88Kvy|RPQNmbpT?`=S)kxwtO9u`Y}4F#lAIw%=l8ZGj}!jmS>$N!k&2SsV!6Sr@Z zYs1|Qxz6Gd=L5BltH%l~%n=5fe2FB?D<7wemwV#7^o@>*sCpaw^G-LXDRXMy?UtNP z0(nzBubS^6?vD%09N8lmp?3%_{{g0v&wv(DaP~@+Hxz?i(3YM&6g!R*R(n&w`TXXK zG#BJc|F)wynWrcD;%TLn>zT1G_iyDLrT?6BISVIiGnK*^{VR-bKjP|yd!EKA0ATW?rrz{4&*2X+Z5i&9T~rE4 zDo*_Y8#?b;W{P0jT#5}q!a{muD3dsq@8#9G8{uU9=FA12nl2L!1mH~1|O;B=ML@WtUi z#Tz&BN~Or^Q}UwNvj4eK%CI;AQx1#N>rwxKEV>(#sSDuajI5toJ)KH{j)_JtedF3! zs2G1p6|QX|Ma9x6cH6M5PmS-{Gf^95hc00BV^aS89KF|)CklG8oDaSFZxCyS4!Ib$ z1I(iSFs$nA1wmIZ16M#45ifTl!>O^r-~PpX=ae5mjPpR+QlZ9YL4b8h*#!VEYX-#c z8?@oESBW)XYux!`;_W%BV-l=#F|d$oV)I-0dTl{8`k1rm87oU0oPVQ_6qI+N6_}d&s6;*trKd<8B#HfznJA9a&+Mqy?+G6G;1h8bEy-u+&QgK&H$@hOh=DRSbXPyXrY{!tYCr{T^$C`kYVVRSem zRB*dPu>^nS~ddb1Tq1T7jYjC{EY5ZYLwT)5bop`rQ zzZxP4vIQj`Hg%IP$lBD65-tz=PryMJfn@)9Nm|#I$Ln$B>fhyi&R@@q zIMjtC(HWt@U+PaMVCZtG_R8?vU5(u)V0OINc5&S|l(nfeSc{H&=389sA=F=;VPULr?QB4#Frpo`^&iRT8uXWnW-9#?5J95QmSmS4kPGCZvVBF@bs3EFWXHx4Z>~eSJOG<7r-U{_CBvIB6SbCM`uD7Q@mJm7`Gr0_N8&x0wxdGIMkKA|l zq;+n&U#hwo*7(E{qw>^GCa|mQBva%W!hAJ=a`Y@~Fld-RPxsT~xcis|_x>#a#Fc|b zT}+0G3x6Xfo2q5x4SVZ3a$M#1W@(N@Uc+Zjy+3D}6@3G|3Jp!J%`8K3JxxhzWqskP zb^%u0@x_x7Zp~C%u>=5&*(A(<6!`ssm2jQl52n=)lHp0-6KnvL|9VV!rx-%fV3GHL_4B>YC z9;ia2hS27$rCw=EJi0H{+|W5Az_5CBJ2c8*&EvcKW56%b%>3JkO_>-X*?j6+HR7sX zQKZJPN9;|_|8>Jb4)7fcx7ZK{Xt4#dYIGDerlqRbq^wCwH#kRj>c)2k8q36;$LuIDpOJ=kpY=IHb}^&Up!(th!LET-9_w#ehRKU9&E-@X~lenVJg$!6st zxkA9VnqyR>%J#N&K+je%<}})~KH0YbF@TA3B#d;7QS3cJS?hH(;tJj|_m2YAz$&P_&24Ul>CY>cP+v0p zeYaur$wj37569d@Q>Q}r-CJ{Pc_sfQA#WxNTnYts4Ud0ud5f^(du3>)({ey5SO4-v zX?g*y-`rHmv*1`n8yMk4#eO50Zm*jH z%HQQ~79rQA4)H*Gr_x5-cwL9JLH#of%{eAK&J0{=d!#SE9A7q^Kf6^+H^gMrw%8iB zydqXL_e(T7_TGGS;Eu()(9}h? z@cLwaX!)55k+MOwohZguv&<(}oGsh5P@fJ3r4D{e^CIA#bEEPjQO!%6_YwET4{Wm^ zwyefFIBuRcEA}Za$zHhKEcudtJb03I{@G_!;{~QZfY4|gnuZvKF@&~XcuZfz=F3>k zaN37cKMT!pQ|>+CY3VlWECosZ9=Z6&)W?kTyQ*^)ull`8K86xET*taXJWf9NPjJRx zzpOAO+sGFA3pyH>+|SoJWX=8JTTf%EhAamkdHlCWYdO}P4=aT9zcg1)`Zk;KsSH^Q zP}vNuH`(&pPLV$FYF2!XPQ#cORyCu{GrFjBcZ*-VwlUN6^FYQS3Q^xP@M6>PyA#xb zNok*7jR5e5*{j%Vb=k<$O4)s%Z1kLN$F`hprD3b^grW7`MTNFARoP~IS5I2o*?tNr zT;H175Lh>EiMoWvi595Mc2L#TUw>tO@)cV0^26{AW-SXd?4qZw zq8sRPo%-=lX3wZu^z+hI5BluMcwEpD*L1VF{JfTMBl$O2UlqOj5Z%!l#inP z9O2e)(WJk_Q=lQs)@ns6uz~mUaIU4!$0V@S4>#21tL(C7^UI?il~HLs9?zOk)jn{o zq&S9Bi&C@Stt=Y!%Px5XCC^(Iod}Y$ z_fh;|V|Jb8k$6#|xzT%mnCU9|?SduLaCtzU*EM~KWSt;7T~d@Vk;TDqgtx_a+MSJO zdO_TJp|r8Gj@!E}r-sKtCS*#9xq@D>ZE)4p5?zP?#(IS&r0qF(DoM~4+(g%smLVtG zg~c-Fkd!`E>U%z1eL$>k0!KlIp%Y3^%`859B(qJ{Rs#E_5(YZLlzbSOa^^LR)HCHS zKS$!wk9%HY?n~>(b4?6-8jY36F>E*y-4y+S)yc`yxjlP-r$~l4nYfZ=gfaF(#8G-R zr^dHFh4Kq!)4Wxe#$bTl(Jx&8D%{9Tkl*Te$K!SXQnE0rWt7695(1-PcJK9|4q5L+u#DuPEvjs`ocYcH=e!n z-A~v&F}PX$aY@4G;X?fTvd?o_siQ3%<=l2;;#=OS(|QIMOgI$6#SD6)!yWxj8B%V? zc`k;yWRr&}Dr~zJaq$cy^JGVfo4Z3C#-C^P+SnChWQx+Mj+3fU9ydrcjsncrgZC!9 z-_t0+nFtII^l3FqmzfCLxxKksv9+37rR%eLIC>D{N$E8>b*>hFb+L;^7gIQ(s@*D^UO|cp;a6NIY%-%t-A>OH_>>nuj86qaKxS zFh07L`08th3o6_%b?gR3m<*Y+i`=Lgwq^X<$BTj9azZx8%%YtAVd$AYWpc1($EfG7 zXIt%vM>WZquk6~Hu%2PwZ9ovL6DVg7PHWw~Y(SBjNygJX?V|hBHCkcswuP)#+VnR{ zI_BoaI2yt8bI%NnxbA3~aFwJ^H}AxUtQG1EHpUV8o*|Rm*}^4;)6^GcjjBKSaaFxh zE-WUNjyXqXqV~kBUe*(zLOU^Bhgw{6)b~>FIgu%Eo$%FqFmgIKLzf~<`?RdO?dYPS zZ0n7NAwp*G{Uy=q&H~-raQaDtB6q41Mu@)z`<4z*nmXOa*t4**5rqO)juaPe-=Jw^ z=ym%7czx1x0aU%*hh^7f)#i5id_U-fdu#F*$r$l-kyLXE-sL z>o0)`aPY!aT5JLVCxw9V>w=#5VwBo0p3Oee|Jh=;(S*DZ^PvhZm*I^!3!6wC-nf>w zd>ZT0_bJ-BmCC!V)5wh?cE)_=t1PEmf>`tbA82P>4HgeJa5Q6u5u5UXz6v zqZm97NEO}g<~2#eRSxH$jTpwWiAU1C5ZSQEDrHl7OgFQ##5&48u0Fw>oqp!qLV z#ia=hk=>cC#A6a8+80?HntA>(VGQ@^)(CaN8 zyt#`qSdQ4yrwCDPK zSo#(dM=3jLLy`U%@4m=2kIDF@O-M=AkGqKS{#3o0i4bfIGu5-O0`BN>TgT&R__D=O zH=O+QGk{bl2~c^>_q7yQ064L^8rrtNm2eoqA5lzHrZXbjud&}`rnp>e=qZy@&R=qVJlj6)a zIk8>!Us)&Vww!JuJcuC=$K<8)+A2Mwm|)>PcLj0JDjB2&XXN8gk~uf`OQ+}5(r!h@ zEgBAYtw(9;(WFj7xs8@Z=yn(Mk8`8Z-vw`416f2EDr`>^&duU-1xGyd7-o4=KRa$fmPsm(M=ydy(ML?fJlWwmO5nQ@9Vh)_HxYeTLt0?M6q;tC&yR) zqAPH8PvQbWrmz2zPWWSa+!D(WS-{hx&6B7Tmwi3eIc~}@9vQmrxt=b+EV*82Vet|sdeHu#uN|ceku2aFsArc_Da2YiVvxy&!1_~ z?aVhK5|wchlT)4B1s=GeOy3@QX`CcU5GrhG#yX|E#Oz@&lxJA^9IFeoJwBudo7zI9 z*ADpR%u30^@&bEdYsQ+!s9F8d1M5o~Q)LV zeo;HT_~U&QKFl79A3$-MNG zH&$))S;tZ+>#o&2LA|aMs7T;c*B{oD>M}B~AUo2HddM$;rDZ@jmad@((hJE#HT_Yw z+XkI4vgl6zSVd1ql(Yvs+r~RVVaorW=6VRK(lWE1in`^)hvGv055pN>oPJs1u5=)H zIVPZB^n}93%h83)_45f%WHUw*a z1q6I`Ax1pMKDCgh*1s>QGg{Q1*oVkOlS@@Vy+E<6@l#Uo}ytPrd zBEeCy4=cw{KkA@VcgXe-gQ*fD&0zHp-x9W__WYuBf_+0x$ClGwK~jMQO!}NeqRlq% z7||yVZlK&zhRxEfroTzff}+2$(~9b$gHaBoj({JVNppLsyn@Zt#SOkxHC{BU*JPXppU)9YRCDCfcqGt|YG8S1F_mACj? z+H^Wy?;y=U`Lf_w=R;vh1pywTFC$Nm#(Jbz1jNRVx~8T(ja+K4@tpLmh`r(Mq?3lK z;qz$Jmh7@yDK{$k{x#zY5pz4#cS=b;02k~Oq`y^P*v!IgGB&vZ3_H%nYF1f4>@lIJ zO!Y6>HbAp8ue@+4bfUqna03^tY(I8ccP)WVh15R(tj9xYd7?qH?xYdBmqf}e;pees z0!pE;BbNT~a=+b;zV<<0!PJ7cvzKIPYG(Dc>l_lltAqkJ~F1+OJ^po)C%7%x#7FMo#aT zvAaxT63xQThtl<}H@XA8Szg9Jnp#i4xrx~|n%IPLZ23d;c4(4OXi2cRw~5xd0KU&} z*d5vg3sels>hP?hBonio#jhD_*%pA3QBy_fFSk!(&+ZLYceqA+Gn}b1#V)xttT+jb zU$d9^l=M6RUvy!*8ULzi(EIwq_+te3mEk`BP2B8R$pYKw6>P;3>yAT!CNW)y?a!ZqR2(bZ;n!Ob9hOZ#*i1d)`y_?L zE_+wFu>O={hij(1l`uufkL=129<>^66(u&0K9k|=a{e)$uBV)jQnXJ|OWRo?bMR=t zJnE*2gz?EFF4`wU7=bBH!^OsWLdVaF=);aFIjOGU2CZl*kJuwS&^;7sm*9uK59aI{ zss~Y!;=*&MueVeP-&|nUcz&hf>-`3NS@Q6rn8G%!7C0wf%<+~wp|&!jM*H+Nwjjpo zd>v<%DNF|zKQ`haP))d*C)}UwrfVmC;WF*hBeOR)F{q?E?;8!XcdAIvSEAbNN~7Pn z_)yBcs@ael>!)SrybF-*Yx=eDz<%-{dYHAep?xk_b`xrUhZmD$Mn!zcUrz3!woi^O z$xq_bvfndQC6Wp}Qv8liphakt@$_b2%32eKW5{6T@J>sd#%Mq`rEp##EECC05g2?v zm{an*DER*9;;W2e1U^a`;_7lAYIl57`)(=f$>(hT%td~RunNh#fqDWjHXDr2LYa#u zCS4r7jGW7}x5`^B>}P%}4=KKRgWeK4-JjW~i(>n}B<^tPz1@Q&&yTeXH=y2L$(FtU zY1E_n4#h+v_8K-=w?`+RUynDAOyR;hR^Tc_1yMPq-6h$tFV1R2HnSb97ma#Z zh+<=V?DdHeG-h)_0Dno1c>S^sXIg$Nx1Mv1ND}e8pvRbSXzO9cH_O2Hu5O_T%yWBc zS-~2a=DhcG)dXYE0Xa18l(vlKq*)zSuV`tGk;j@mGkrN8lHT#2#LN11WA7=dgKzi> zoqpc-(*QeidkJvY_4YX*j^gsVcivW0m)@H3FkSL%pdH&@7c5DNeQjSoMsWG?{wj|F zQJAJk3tQ9Jt?PW@5-f7N%VS>~ydn5pxjy3Ymjdz4>am|y3CkRdf(jG_O&<37AHGMP z%e|d#F?@rVb7&3sNnLd-^^0t^sAZ-&G}GX%_p=FR7&{4j41Ll^Ht)8Z@lk~N`XA9{ z^Pm>oI7-{-Rw;dFcRAyL+4}}rp3Bg&p7@uX_|fsOJD&RI<-dl5^1S=`E|?cy6BAkl zHH|2Y)Yc}O@A-em7XD~tKo*PpP88nTRk^*MI9;f(BJ?3ZkJRk=x-rA^ek)bm>Ftv( z5pD-yC{$lshvwATu((l?=6Pzudqm(d9nPT)$mTb>!;7mrQa}rt@FPkq%kxekFT^C%p~Yah_+xV9p8gA$`>%jhfvMI%FmXALgirPy0eB=m zR+pfQ4tz*tCQlZ&3A4n-JVm6S&2z!dLkXKKcJ;A_P`=jdV3Z9(BYc?*h(fO==< z60%rj?7dG$=3j#GMyd3_!~e`J4rPspu?2iOLJ++Ol)++OtR3M9-z|!iNd4M}dx#&f z1)V~J3~JvMbXCg}RCNzO*oC-!{4~11Q+9JCHe^~7<`6fAKIzuZ$aWPJl`CFyEa7h& zz4jI)4ON!UZu_h8-3c8)O6zGZyWN6ccK~|dm}FupX+JpTdvo!Nsi;U@Z;lq51x2iA z|Jx9x(pDZf4L~`!eFsjwqh5Z~$Vw7gmEsAqIK)7$hbP6M@)<)Sogt`MBk^M?@gpC- zN0pkzE4~B)C!=F7V7eAjm?00*s-KQGOB6J%_hkdCz+kKgP^4B?L-xz2RBO6L(_M1Q zqS`^d?niX7nEK&fw<>*aG1NpC6bG{uck7S-J{GbmFFQNm_|`%-(K(&-2jY0l1IZ3Q_Ih3)qX#PI_&+#K`IG9bBSA_eUU|0gwW;9 zkqWgPUjtWAkc;~_&~BI#P54Tdc0aT5JRX|$wKg;lrK=}3wi~wu2XE$^HyBN*wcQXM zA`IC^_Ll1;d;$7${YyYH+CH(!)L*7xBng&fm~+3-UDBlUSg{W%r8=Umz{_*Mb9)kRP6 zMf@8YF9JAo&-}}E-WMbWC!qWZ*z$gR5kNT!-!PJT6G8Uivm$z`w`vS7iQKc1l@rq z<9V7cluIVyqrxE{yP@P__zWvsZ&4B9QRH%H#mN1rGYo5!7e2*|!D1)bUF2=ri#MkMBW0m+m#=hT-U_@MY zytw*h)afzak!2V7Ja$jc7N+o|ibB`EbUvkm)DHv1dKq(h;tOX7y6%(a&k9RIx)n2f z3+t!f8AmkD%*y?)F?fgOh$1Hgx!pvI#JLlzeZxa6Hg^8J*WZZAEHB#O2Id;W3O!`$ zXhta4Bt-b%bpJRr0bC{rO9uO)grYXx9>eyjTEv^-*vy9doH(s-kMSpTKdDUZt1~DF zF(#*Dz3bH}UM#E+lkC8=h8yZilzJTgnHQmwssF6th2GtE6a z@k+e?H&{3ku=b$n*lafU1*e*NcSru{H!_ZLVy9jZdG&@P)*du5PAy4##3!$hd}Umv>=@$htWVS|OI_xf7atI+ zM7epQsQVk+s(rHSnWHo|>w;4l{~H`^0jh70dR~*MTlg_|yP(=n$7BYrs9;HngKjpg@39C=I1v zYqMBOYsBzzIaU=OYnY1j4+~HZyjRTo^iGf&3*dSRC56gledN~Q(xFV}SaM+ov~6bY zk?c>^yEn>Fv#;9rw7oAyc?Ehj)YK)sZ$>8=`vA#@)70;jTFkXe{>}*(9TF5{3`*Vv zDVr25u@5HKE!7mQ#(S#twoM}T?9JHvT} z1CoNMD*_r+ic6`5GK}hFQDeNDzqH?&gL9Ex*kns+dmQEkjV+9ft=C5t7<^14YRu8) zZ|#B~B6v)BoxaZYge)iS>5tmn^(!=tM^&(Ve1eumewM7<<`!O6)!I571;=?#+a7BC zX*jhVm}<5ez35r9$MDu=48Lov@gv8yjoe~*YY(8`fo>ZIhX((jd zbZQ9GNc81}CjPHs36q>LCj;knWO>g;m>CJ~c+*qyTF1wJG|T-O6K^2Y2T4t7EwO2b z>jTHN2S28Cb4N0$4G>C^?yD#1+84DP45X~f3XQ_rKq6tQmC>p}C}IF|oo80^BsB%u zASDkC?ad4C7joO*zp%L=Ml+*D!+Urw!~^`bL?KUk$i8PJf_gUbU7k=Wh2u5*`gYeU z{`wETK8At1B|+)PWtbR9uH*Mn@BP5SSNjUA`M%~F@n}B6FWJ>@SV@-Xlbf3g{v>K; zoN=r4(<>E8VKOLc%6hyh!>_2&%CFvKSGS=jRjdi!89UW+spT>i(1a1rE6E32m+p%V z5mxd7a6AR{t5+Tk)pmMhUUa|U{soq2Ncg>y(`%;0soKyVJ+)BUt!Avmqq*j2ODQ|2 z`8N1ex`!z%akW$=$5^myJe{D{HCNZ69V|V4D}Jch=AEt} z^V$TuLhsjQ*`8#PZl=8l1p6_Y!HZ_YpN@agH6-fr#0M_>jjO9)8un+8K9y{2ICR%E zqW_dszgxx8gVo(>SlZ$=U$nUZbNAYWIO7%WQ2%b-+jp?o2y%ZsjqYWGS`%~^;$q;v zY&_6p-|C$=RRGgP>tbZga-pRtbsdxmOpAgWVRAd{JgGcGyGl2)n>Q!EdGwf-c^}!69hf14-wAXq_x##~k9$9A(1r(oaty%J=c)EXU9;BgzKq@T}i<#(5zOPsdm5wVttbH#uF~@tWln3YH^f@8bWRqnD&rky@Pd+n4%1!K{&MQQSCw*crQBeg z7R}?_SB;2{%hJVPyD&R8+ulf1pwjqJoC`A5DIY``Ut^oT4mPZ-m~H%bV4R;T9<1(y zVkWy3p;q6jTd$TKjQ|7d;|PgVnT&1AJBNC(y8AkEVAUmimbe`E!~(CMS;p5=zo&Am z9#ff0kPuWi6mk0Hx(a+lU(5#7>*pyuhCSyvU;cuH6kNU3;7>V8V8p(@w_nvT-FcU` zsJOmU^Q=knqvDXIb`KJ5`_XNV{jY)ICGpr%?Q(rj2-P{eG^$YV{?!Xbvc>VqyKXq`%d@8Z$J&}t7U@f$&BngLe;o3oo&%)T0$Kj%nBBy zPFk67Cs{=Cyyq})H++LTTdES0zS3+n0n9RAu0BtZ5yVMBri;q5LH*%24X;cH)p3`` zADakAr!3hl&s8Zw(dv^X4pKp@&rFQkwobvO+C;s9U7%jk)7eSoA_-pEN>k6zEqsj2 zVl&DhkZo|hsM~G^TFClpwFBsLW6p1nDWj%LxzFv#l?C*bzd=Za%gZpPjPgtwOg5PM z4pM}R!`Uwwrw_6Oid($uC1PDDcaEmzxS#baV2-O?oN^Sio!FkzbdK-FliC!mjL&YKW7KWgD#ByGuU~Lj zIxTAbxYtoTz8WOgp%Kt_VL@{{29)VPZ`?Yx|~#pWS9mNu!v8N8}S3D_B?f zm=5FQf=(Zg@foXazVcvm__hP=(P=xcQDWqREb)2LtXQLoMa#Oq({%faP{B%$9%Hxz zdfZoWbYH8BHh%hnR4%(Qy4R%k!}*k}Lt)~cBiI|8y=vnV15b5^{Y3)UZgzOun;Mi8 z2qY7yf$;d&=VMAOSc!(`PhU4~UuheiP*{ARtYY8GFv?ef3g6C@!pGkC^suX>Il^Ni z)~qjT-Ru{T?G_eQ{*>fF|NO_^3Q%$BEgf3xRH|qOoxO;8Ic5hbEBI22Vn5kk{|fsA z&QdMx8rkwI^_-2bMv7mIG|+L~xCT$pG=!Jvyk|dAIjsHR!|BJdE z^xzc83o@(ijzW}`-{$xl5Tn;a>eXfI{*tl{7Ftf=2^4qOLVe#)#Brn4!`vv%OD?#m zqEGD_ZXkyT`+gX0yCM>K6L>g0?AItq>?9t6W%AiPO+}8CwqEUrmQalf`v^>*ryKex z>iy$uNO}I?%AjATO3ei5oHS&^5rju~pWOrJhA){FiwjV8yv-+19NA);PYji%hu(V}eBrFPN81$HqpI1U zPl!kC?2_|;&~Ao~x1O-wNKHHc(P;jO=-6*1!4U`fQba3{n51RfGNBw>=nU3FMqj#f zN%*XOvn)Cd1`D5I3o;Ew7z7F-U1vn5(h$%}6qgV&kps+kRHJ(x+dyB7j0PX`o+(Py zeiib#!n4;`4O{z3RbF51zTHsoluYE$LH|~KjI_gW#nY}=l$qId_DFfW*?^f6UX;;4 z#jtcy*s47awyi%B85Rb|?~Eqm`ccy&E3|?9D2}h#taB8r-_zt{;w{uwCml=MP3lbE z;6K~3J8XV&L|9lW@DB;pX6>h;JM%DwO88M%#An4oL)1%TT}n6SUV5HMju-Rr2M3_a zJ7>xM1}~Gj&=fkAI<0nB@8LCc`Bu`9BOF&;Kp=yt5q2DWqB^q^G0A5Kd}jcxk7yo# za>JaUnu#CMT)vBlpb@DTr+%Wy`xwjb^6B=iH?jx>UuwSlqS>@OiV9QCHWF!#*7XtY zVH)BiqrMA^1etl>%eJhMbj%eg59=@=mvAEPdXK)?W<_>F2ryOEDL%TE9(G@zf_zn` zIDh!ZGdzl_ytZxPA4-CMNEi_5R+KzpA^axeU*&*EkoIXVja!)w%z?J--E<{~aUbH# zvw!7Tjh$JWnTub1kQ4L%7O17)PFV~sdl)S3!idbK3`|Ipn`>RSS`s8 zrbE4L9f5mm&p)*3RB2LLJz$F%S@-?Lxr!NRPhywL>g=9<`gcKf^#3I8%cf49I=_ylNR}VJ?3=og3+ zBb!f+PBYbY6=Ged`~;B$nlrQXh`!gLVwknKIoy`^A`7&9@4SOO7Eh& zpJ9K0F$hY46;UDMu^!=254XV8# zQ!sn-bvUsLWo~|_GgH560|JL&88wZ$Q3Er^$qsEk^3>jKjS7;cB_=4iX z1FzWEwEvKS|GPM@iTkWZ_v+ul4CN+=XI4hF5*pC`XCWxDD zUaJW?%Xe}hHeQgjFnc$fQlrlQ$nM1TYyL9DiLo97!1nMSB#wN@Zy>q{m|}w+(KUM? zT}{STLB;f(QotpQ?5YpZe)?`1E3Z`;QdwrC_!K<}Ruq3|3n}{kQi5q{Axpb%cHw7x zgJXmiw*1j*{wDHj%WR3oD;eHAx?dmn7D*Lt1Epy6mc~weclm^&Q;(Y`{rm3AV^+X< z05#+*raKP~U?k)e`>rpu^>M6I?8;uyY##~Ue)yPT<0#lOG%j)Y)BHEVK z0Z%iq=~!;s^-jKeqDQV~5Xeyc#LYZETTx)cp6`6)K3{QsnNE#zz%`8l?M5B1qnjMv zZHK;lngC7HV$Je|Pww^0dXIIO5PjJ~uihx}=rX(Au?L&;+VWDk8@Q=vED3U7_u$nF z^3Ts-WkkJ9YdJ2vt}TS_IWX+g>7lFVOm}Le;`SaQ+*42B@}{&4lRlHbr{>uR3N2Ax zATd;dM{7R8Q}n=!AiWD4=gVZ9;~joWQ@#inXQ zmdg?&&g3WTFc2-mV@K5|ZF&J2>Md{tPRU9${%8nQ@kF^X${26LXNB)&olGfh?9O_4 zqEVe{_HwDix4QS%sU2$L*B9g4uYjdP?d8+Em%h{{NU?Vp)qyyr6ZXT8<|h9nttdzvSF=&AE0{Ll zlj?yjsg;DND_>>dc4JJ^Un97(RsXLPSQ*NYC{Y5Q6@Es@Zd1RBDB2kPB~+=@*c=xB zY<4B?rshgA!Mls^Z~-kx*JCKBstQEaHZHJM&glq9NzUCo|tU!k%$@ zB&=Mq{h0ABX}Z@p3%y^dxH;~R*V88%`i=%Nm?}sM*;bvw9r3p1`jpuYR6?^v!{7waLJHXkvdJiXMf84GO)!cz0UO4a+}ax zDvO?w)t=>}ojJZ8YZJ+wXa@;;V`MWaupxl!FfFDWx-jd88k7PhHZ>>oU{bZHGS?ET|mUGnz0=tLBiZXY7bY_<=7 z;2|^uIksK~Y<$HhcI%&}9o4rh6?ZHZD^@yoIHXQBr024oX$;4crT+L@G)`w~Bm3xb zZNH|pfQZyYD?Yg?3s)S0V=p+fY+C0jJ|TX=ij$`}3OurbW8r7DpmY?*gb$ zP&U-9FOyopRN5#=it+)alJe$VLg=m@I&17&?QU*P6AUNc20S3-k7*$76{ZqFqiy#b zURjJ`&+kSJZUAvToHb_VIN@HLNLcHkNvh^;EuN`sy5vQzgA1cK#Qih)|Mi%DMl2>a z&Sdx_Gf06O86c&kVB>*4S-)>pqky#!$k|IC8f<-gpl$JWF=rL(rMy$}=Ah>LB*;`8 zrP{Mxm-kbS1G0N`E#TrX_zsS|c=AK_!aDuT3YFM}vzh-Nd*2xrRhF%-m_bA(gMf&F zNK{FZ1qmVC&|M3Q6?1SLvFvP1>RNiu>(0Y%Q4ZykH4r+emhPt*7N zd4DyJU8l~ev-e(m?X}*pqNst0W@I?yz;-PDBShp9m*xG4c6Z>&-7muZ?qbCPAuNjR zZ*P$kqXJH(*Ez>rJPi~Tp^^?@fb@5?y-8AcCOBBOwQwtw{5#K}t^v&f|1ve4)5Qy^ zU3I%HjnI<2L-PI7(Z`i{;T-Kqnzx;7@@_n7^P$5Qb2l34gU>sL&C}us)Kghq6x4dA z`f(!uq^n7*fVDfEwj#rqLElZbve%1QO}j<@L>8dvM-8l(iUC{g{GIOu6lfzA*GGZ& z;uoyq`F5NFMMQ-4>3AsT*N>z`z*)sDi{iSK>n2Ix-O&dPCbn;?=d_248gJfVA$jG{ zF765Nmpp9QQ*1o#caVv9>6GCUn&sC}Q_ow}W#Q8#_JH7arFa2yYYF@%t0$lkTm0$C znoiA5;U{G~sf+#ZY~w3!wZlCw9H+SyZC=Me5Vv&vf|oJ#KH+P*I_2N~0c6x+=J7D`WUZN=(bYFWy7NqUzB3 z%V_Sc${0oT_EYnH$K=er6O^q02zqab$piRCPKP-=4&$GAE4?{^bQPLf)|+f0Z8yHI z{O(5jaeo(b&6Ws$i4H)pf0LMYpdS^^3O;wMkXVIpw$_}Id5Bz_^DCM6<}wajL*BP7-OLfcpE2`(fN1();}4T(tp7n!^$J6jz#C$z z_(8l(^fmX<$6eg_t~tOlh1qn!a%p%=`D5Di(Vh76mG&9MfQtR<&pS9SNvRqAbu@&7 zB&|Km$Wo5=d*(MY8|_`-ils`gF`OXZ?35Zd5a9ZZr_S21mlo@i{H6XIh!c%)GcucTX|EdOP#TKOnr|_Ugvr&A~+5i1W)!!8sm_C-nCXA@wmU& zJq99j>J)#+Q#d$x;u1#g`f~-|?}mP;-$8MNf4vB(vJ{i57>ZkSx5GqlUDL!TEC?oI zqYh6=P@8}mZQeOs7>g8_$DlXI1D#W)GokCQ0LgYXRc*xqH-bd z)zsDg=!J-_vz+rPz5kS!Lp(^-H70zWOV zxpGid6DGGAS^e6v7Sp&UsOw=W6yY7yVD&D{MbtuIn2YN zEV6H2cgylYn%m9p91ikkp^O)t)mwCyt)Sz7!BHdF;AL%j*K+zuuD~aR+3;{?T$oZg z)08b~)FL-n@%0#fH;vub%MtaIE@k{6d(c1Cx~O)s8e;^cH3EE+ChO8=wNX@L=QX0Z z0(53q|Lp)RP#_=(86Q}1sl|=6-yVkg$&s&mkgs%9buDJhG{jfvnvIncSfv8jCVac=?EIPlvx)l4W< zoR`G)=dNymm$q+g)Idz~RTeg2TRL8qh&+4jKbp@i3kQn|+=wR5{*3Wlp$}M{ZaQ73 z3o=M1!a(Uf?ixVfiCHu^UL_I*W?OOKD&gQMVQ@hm?{50=`7>pp(?oSlFZm;Ec08*A z_@`fo>&KYCl~?n+XR1+5kOrXgpnLqsoEuO{k4JQv7y&fuPp#UP8MvFh5jQ55nq}%t zMOpyvO_W*ojv8w<93H1^UMSZArrKnL2rqkz#mm|92pj#(x6{U5uYx$0E|O#cBbVH5 zsUwRWBpoEx0(9tQjtxlf7pGHPA=RWTb#){(5= zEeZ(zyYE}|LPeD!p8MFtn-!vBHCZZrsm;^wO-3bk#yz{Cz^q80Kf`?e?6I$tRN;!r zGslYR>NnnJ5HzNOSIN}`sX+Nlh=j^%PiBR8A+N6~$efOBxL`7hy4um7#2x6-9zE9L zOUy)e-uvOKvg9q|myX!4A5Jr8OvcX6aK@WU9nV#3aS<2bHO=TO$sD~OLvkd0V|vUy zU$49Tv50sLiY6g|&0IK5y*zIx=wy8DovFLa%SeeZ`!=Z8?v7K6ik-*c+vj5QlwD_v zn-U)12TRS)wGfx`J0&v`nu{q8$#%1+Y$OnsjRfw(;(%`M_vTxESDSol1IE-bQJ|@u zn;%r6lvbjd@zA#4O2}jRE0fnI^6}Q353D6D^7wc}B3mE26G=h_(C@=FuoXykSs_TY zJ1s=Q-m-q5SJ&wxy~*Cr(yR7BtG!JT`uOe1_-migE={-k&{C_1m~Y|)>*QDOHqyi| zs72H6Om4j7G`cuWg(V=Qte&TtaD4wZ?Ac?N(Yyx%mXISni`{=7i1zP7EOg!GB^Yk4 zxSYu7>O|n57!dEftZZu&LsFgS^B(OVLi<*O9%CgmiU=~a=DnSdQs)~?FDBc8Q**|l zM6rF?uKSZmz9gliLPEL^W&vgTV1+!2x`%j{4J3O z)oHz;pR*jDV6JUwj9_9AwaB0PH;r;LLJCs0p!Ix@R#9k3!iWb|_ZU_BTo(6cuxB#T zzI)L|m{}Pogvy~=)Lk4CDvb(#lQvV6L69l+*0f}4W}vT;tTeS_^NXZNvP;ZSyvVpE zzj)(Qr6R2v=Fr}{z0!KsF>984qxPh(0IGRXI0<`T`pqVEjBX6IEfKy!sW&)Y?OgF* z_|F|X>C^|hV>bV&SH3w|2J!_wEH?&?m{OnZq-@gk)DBZ7x_v%q1LCW#8_KFwYlWiLM&6gM&5%B?`s=U%L?7?wriSV z)Nh{rK$pm%OA+1Iu({JO>p$q-265CKT zx;JB(Rk`sq%Gn^hud%1XV)oeR7@i+ux(B_&pI z>F6$=7y{m=W$bs$L#tOCiqWA9TJ(aML--wwsB~V(tVaGZ15>K!nuc%pz3~4aRuM7% z&OP<+OSQBqJ{AjXo*fW#!gZvyUw?bmU_e&;{LaT2$f{QY=+myAFqg%m)h=_Y$E5UK zQXxstkG0G1`!Lf!pEcQi$@AkE()H*569%S@w6ma{Jg4#F+N#=kJ&R$eH0yF(~ zBO8dt!kgu%zL@^t^!uV3g2$4V`#cgA+6)zXQPr0K0v}P%&%VmHxS{HJ&73LyX+KaS zWg^_`qfRz`QoEdMqQnw1wS0X$>md`up!BzNV-3w%OvB7QEUQL8DL3uT7>hQ@D9s49 zmj$7Q29`6cYJ3B78J{zaKg{*3p3cXskC@h?f1htV!)CRq_C+9P(1lThKKa>4pl%3s zU?yX`EN12>uceT&Phb0N$<$y?diqLKcO+*?hUeTPIuaqZbUFJWbYJ^r6#dFqhswv0 zQ*^V?b>9oks7$-(U6p65o#~N&T56_fYDP-z)Ny$)2R?P+$_u+2It{-*#`zhf4dg20 z%!{d?*VV8^)manHhE!_=ItH2gcRg~2P8k#tmY*9_Ii|AG8L=J3IXAIwf|z9KS%s{l zseaf{@@B5OlJ02d=1YOj*gBzZ=WU0lxLg&gnoheWWa~|tEUpi?t?3G&kIP-we7{k( zWE&gztTgHv?tdU+ns6L!Yh>+BzW)y`ptFo;Q$xUe)${J#D*-In0@u~99!_bs?40N{ z`tZ@atukFn?X0>+orZcAQ6S#?wNLddi#4i*^`f_Y*Gp6*UKT5E8xFueX^~I28;Rwq zuVxQV&fI*1RR2QPmYSG;oiwrI$CpZyXfrw$Os9y=v*LsX(-?Lo57Mu*6=i|1q{ z6;G0c*jEH$hKGmscekUkegi^xj8~0}j2+9C*DLH*)z#JAi<66uGgDk-=U)wQ;V3jB zyzE#H`E|2?NS~z2apI0#XUqSxV^h*puBthp!Am>TX_cFxZIsZ{eoi4e)uvGw)RyX_ zd>lp3&M;^u=bi{znmsqt$T9B_A^-S`eRGrR@r`v_tj^ary0M=)tUJt{bDNJ{##wf? zCaMNmruPB;2)A(W5hJfjI%MBYQa=mQjTI(Z?$274| z#O4u)p$(vpv#?U-WkKux~CUWlv7 zzx8oYQ$%YBw}>+^y?I$!GJ1N33+j*OH!dul6B;~6Vf}(yjt|lt6`ltL-x)6lTYt@t zD`%?9@*9%z_b68-@HGy0V$ss?N z3lYZ7Y7?VB3Ym+`HY zcp~?ASN8n~j@!B$KR3RQ7`H$l)p?~x#KE5gDUQoLjdUx!$Z=RWmwJS|y@%B(bma!N z(rMei?2&w4v>J_Tiu1@-{=>D7%>0gAmzd&s!%|~ZvMFcVfS0JFtK%CUsG94VsMw?u zfGub?GFNCd<%kO9i0ijs2S*bbux*y{=g;QpeW$%E>D+tM+(Fn8SB%PVWT`USZg8%j zH!E8cgaV&RG;VrpRMURWU*5F!m`m>NMVjt4wL6K+>G_SBEUuxW>m>|q;j?rM80*}! zQ1^tb&fF<~#?aaOZXDS?SSpV|slNO|+8fwh5YJ&m@aLg8qXe9|0D7iNsJM4$jkO^2 zOf%Nf(fLj6EXJ@cpav2FZGBVYD0G)5lMYBDh3-$roEY`4+#&s9^jr>-YqugG0`?Z^ zjWuWhRJ#qdfMT)>(h~WGMyWc+-TW*gbsP;5;~6c-?Ou>nF;u0m<}PwmuwHd$J}h?k zs;qh$ueaE(phC&oiqB3wl+()zZf^B;CAq2jZ!mVRLk;sP3TwlU*xkSmPRU7hvZCYC z>)8rYtwza?UEViVgv&@3q%MJdo#Tg}-Gv#Q97{#-_Jsv1`#j%`%-E zjtMiJ*`qmb{q^&1gAUE-_i)LJ3K~37|BOFNEK*lOa!Rn*7N0V7y);+IX6y+nCLC9FuGq4PVsOPS=h^U}F zh|6)YZ5$Czyt6sJNEN&2}># z=Qzx)qH~{ZNp!i}iI7G0RmX)dOvx6KxUfgFqr#_x4^)dTuF1s`HP$y`nK>L6DDzMb z{nR6F&xialn<#FD<*Q8t;O=(SeK}Pxow3tBY!-KKsEDxk1t)EDcT5r4?IriARM}HOncQJ~;6$THm41({ysLjm=q)RP&^pH5zE(e&$kL-cvmrXhiR- zv4)SM=@aQwQs+UQa{_sBXtAS0S=rjXPVNQ=R{GZ65(5 zD85ulUdCw&B~Mc*$+8*eS)|Ufwu1zQ`ufvSvz>8`%~ZYZ6sl=lGa_AcMfz-0#2N>G ze>L62Xo+w0_=|x+Yo_r-X7*;tHh*d8Er3aw5F~J@JWK1Tv;4VX0!d46iyvCO zp1Ddaug)R36*XW9kThSJA9yyaD)Pj4&21nsfT5E)qrk?hdWdGkg}U5()Y@{MH<(Xq zq`WXJPvE3M;T@%nS;ws>zH?wqc2x&7XF^@u0eYzWk+;U3d#CAg z`KO_C)C9G5U(NM4dn@bL+&_LZcuv~3abcvan?veNIquXWn^h=cqb?Y}Fj}^JKR-p? z95f$&>Oj&66>+&--Ns6v)5gS#Zp6z!y6*zR6!?mZOjX-zqA&Q3epZniGH^N0G z{RdTB>phV_cgH2!vpY(c`Aejj-kbSE_zW$C72Hk`Mkeu|Jbz zI;^)$1hvsYwGP_tISWa}sE3E}h!tOV?t6Od+Zk2Hf86b#x4q)UO!CX~dim0yjQO(d>U9|rh6Tkf?%*$Z%~el8yPbco#v22jbT;U^D$j{e;LO%%=! zK6^>me^QGESVGg5tmMB<3;uB%T722*?`2cZen}Z95-QR(bK0Q)p!SVlH>U*TcuCrB z{PPVSJZi5pya4_@m+dyd1SFaa#x$w82s&WxpmeFDQ4U}gvXOHKC0XX`)yuAcq`PZw zR9>hjs2y^-+Gr`4Hrj(2S+~wDB&4tApI(vtB|-73C~;m?-V(Y-#{+VXxv<}j1+xHV%NC1x_E0#v1f#+qWHXn~ir1Q^r!1ueevD!>BrT0)Fi zKmT(Yh&~WK;I-CgyXAlFFi-V93}}H10f=AKI~p)ocj?*xEyDhMP`!i4?~jKw#MA!F z-p(@3K_bkzJuW3u|CWRtoUuB%+&7jC-cbBHj$X9Ks#!OHvnhiq4|1S~ZVdO_Km z3J>;q<<^jC<=$TFDkuv@tn9*^)6V}g+m!jS(ROXnK-@_pfdZLhFSLmwGYTI5E^GWb z<`qu(6vLdc8!K`@2deh${kEG-7p$!*4n)iSIw@S(KQ!|6C1$!$o120c-Nbs?^!Zs(mmhgi$Q6ts6`-yjis<#^LIW%b8h6fOojUh^T^5Xi6+khJLt^a`Y$um= z0RAFJoey;rbt69^aG`5!X;ExL z)jKFJiKNiubY2TW_LH}Fxq6-_Tm{5ZrPWBfnYB|Db(@-&W$561faCeP_zH$ApAOY` zM=Y$1e2Plm_&IpL?w|T+4?TI3!})@(+vI0b-cpB%Zp$Mwt8bqGW=ua4ti0*E)jEIu z*@u)dvi7E=a3WY>4Qzy1gIgUa^3yzO)d|B_N8j;+i?Z@GyNYY zK%_FG<4WwkFsSS#wmZhradlGXAZzkc`K{DLtRH{83>`}DEL8Z-p#phW{gGoZJLUr- zsQ!nw`k$-!cmLvblS$D{WFpZ#_VB6S{f}R#_MiSie7$1dQ{Vd`9YOy&Y5&{5$l5{_ zVO-zeCHQZ@=hq?o<3Bi0!3uqKRO%+pv6JKPE5OKefs2a^6xWagTk>+&)xCY?qqDFj zojr5U^1P`2Z9K>pOe1z7nwfnZl-b)C9hBsNZyIm3xc2&uhZ?Qy@tNo(*~6@ z$Pz25Pyp8+E`aBv1Q5fbWSD-1u3KYi@vt6@9@Y#4tCYR&im$Ef#b zUkzWBWM3wI;q>2_BL^js4S&4k$G>l~|N7ip%Gp!rws_OH*_BNLnb^`)18@ZEp>#BjEcfoPeq`0{74{MT3h*(JaJ?D2~aVF4!vuooli_th32 zSZbh)0P$i*7$fBBVA+GW$1pZ<3TC)KhRg*~eLMohyzk5FC&%3OsmA>E!Gl~%3|}_l zMV^}J--u=U%Eyiq8sAaQlQx84!WoB$NGER~*u2~jQZ)^FM5<-Nh2^gYnx8L#q7>Op zcykWz@pT}>&~nF%nTB1#=C2RQzuuLX5&=Xxvn$kpAwc}cPl_Rfv1or&&#=dY1-ZQ> z8>9>GzF7Q?OOM*4VB3~|ekt%@zvC~zHi|stMKk8?|I1hWx@(_pF@^1upDpEYq_U#= z9e65IrQU?dc!>>zVwntrc8>(y01E02EW1c~4LQ)=R7s*x>3rC9X>U{W0P;FT={$hX z?(79dV~nK}a@Hvr!fQu7q+y4g?As1g zTf9J^+Jn>IV*g`a{P{$DbrO;RS)Z!Jmj@XGDxj7g#WP^vo(rbZNkB3!$r!oZ@;xVR z+d`-4;NITB!NXemCVT{sW4UZIaH-EVbzxMNGQ`rrg{X^LfV^6X!Fj^F&y*OwsoR;^@$4 zF8rmc^_vg=m)!IbG6VJLJky!>zNFph;TiPK91i{KxBGP<|Nq>V(+Llx_@{=sQP207 z@0lR)PlXBs{&->q;5)HrrtO$A4!% zZnc;fz0XS*{|w;QCZJztP^g^fDL1{S z{uP3Lz%h7_rGtfxDFB*T5`FjjaD}kN9G}VRw#5@7Ed)q3!KNz|KBJM!tXSlpBO41R z`hHXf=HSsK^TT&%96x(0!`9htaAjR<4a9w1rWZ*T4G>qTFS97K;im{W*~G#o=iX`a!>PYTn`q%7B@G8sDAb_i^A_uCJ@3E3b644 zZMhJ!)X|tTU>9z>u{436IK9V>b=(@+be0@Rp%dcedwvd%YS-LHh~uPHlI7(PIdBxn z{; zb)C!=pd9KJ1VTfhZTJa4>9OBMgZ~;j7@t&x_$tZeL4`+DX&BHrY>aoa7y|g-u*>Z= zvnLj>pgzM`YomM%@1P7Gz;P5%(2;3}u1(~Xdon2Kp0&eHtXF?QW^aq2;>IZos;0^t z@6%lVPW>xb1@>5rFtxwcskjMC+t)s~BXsXaLs?}ASd0^1oveF|Coms5gOE;zwA3w~ zJn}dxXOgcw3t>A@<#8=Q~RVD)FGg2XAq#@fPTmT;~TXfp%mPhVRDAx*79N=eF;C+v5BP@!(Z|ojUI5QcMLn z@`RMFH(Iagl-~B)+pG7QCxv>a+xB!!h3GLv<5BJiZyHEMn)c?JBH7P@dvCJ#wnUC@ z#X>Tf&D-02gpe^a8vf81hPd+>Jek5DHdgAH+GCvw7M4BcBif%3T}y z)oV!;)Bo2+`@7rea~?`MZj_T3xzB6^TK1#1pU5r05?rzqTK* zl!Stc>eAEgqhna?zgue@iR@KI0BBlImB2$;4&B5@& ztubEe{+8Qc@b?yAVTd-CJ_*jCI+j`^x#@8Z&!No-qzEDieUs@QdpOpA?z}h+gmi$4Zm0}o zfKSX?5!W7boTJAxU===coyvhrseK;_-+I zd4cKM-?|}v)%f2{SMr~*l3T1L)tmkC%m5_y&>SvyTu0)fda?gi=qFT-Amf~$no4AVAP&$d#|2pBU}CIH}h*= zu>`Wv%lXhuEYC;Z7;!cE1>^sKBKxz{xI!N}4c_65%IJjJ0csd*pJk4mxi5OB02Gp( z5Ri5|;@<;K!V$Tk^_7S?7rl_$>-_$LfKh&k)S{$cTOS;2j8dnpfTA)lS9-g^(0Y?S z@L;(AMxpE1B)laM4>>3Sh)o{jPq?iifYBL}D&n*TpoF z+gxqB9Fb%A87)8&|BMN>|K4iHoIc35HloyRwD;NDVvMJ0(Hh2qu6rbP0*ouL|*+1s7%G7l3W1O+VQ9863$qFM0rO@@GfNkoc95>&iEt zT+;n`-UU>Lp1KAHKZN4;X?SQ4eyYho4AAyS;%Y^}68FzvrLTX`prr!IDv^+Bx(F`b zFFjUr;s|9oxkLW(p%$5n9Ay?79Ai`kB;MhGb}dKcAkMx^z6x${{uHOzq5=1-Wmo>! z5yTHQ46toEaNM)BM1FH-zJ=F6?!!5b7aMwb`#43~N?jDaH4Hf_L2uz@_@B=*E^^p9 zKl*e3X4AL7t`9sLRMkYS_^G0gN}46;u;1k`yG47Sya02_}`)ncFr zT$t%)tmNu;C)H)P#~G3(vF_i=HR`*C<{Na4N72wX*}!XL+FYprlx+Ffcs^ zCZIA6jeObn(Y#2CD7D(^Ux`52M_d=-OqqnBq0>K9;tzale9V0H46?>aK-ju;Tq4vk zBGc^*R%B;BFmxH5CZD%=yif2AP1Je=d=j=r$9=yZ`*I40`p0}Ge zp`0U}4oyQ-fc(!&4~)8!?ACDexgmi2fRMiDVns@;NM&go((;sO>pQ2qh%YR?nHeZE zb{y4w@3K{-vpVUK64#kuZPyFpt`S`thW=$9wG(6LB(t^&geAm}IOv9A{ojV6QWgX` z!(1hbm+=$eD5VyQH59RNM|?hTGkVh@)_DN zN&!iE(1^2<$L>sv3EhA!u1iQDKyQnXVTYZ#oHz-HKtPN9Snp{gME1K<%kL+f3k&DQ zpnhq3Tq%?m^_7oq0axzk(=)cx>1>&xXWlLabRC(xhlpIa`zZC$yYy7{>R~Sq_la8* zp_y*?xZh*2RYW4u9_tNyNr>jn#6tphX+W1}G|c4@bQ z?ojDUUZxzFp=k1hPe&Wj09H{wKytXXF~(c2Iq}*N%JoUmCV1cGoE%Bt>jF(WwJ!B` zl>5#IdAT&4O;_6xW{ed8{KdM)&n|$XM~U((phdDjWYC>MUX99@`iaZ>7(hqcUUSwT zX|>q}DYTnNvA<|*p@CpJAmEz~E5f)*M3(4>45jn@vDMc|W1gI2h3A+6e^3Rah~G|L zHs@`>F_El(c<2ZCbEW6C0q5@%(kLAZCTPISn%K(-0&yST86~l^>bcA7K4TY`de0e3 zSE0ho?-e>n{K+aWf~Vw432B6;>YpVV7B%YtJEg%##?_M7M(3H~sqUIdZq}wC$5Ncm1cC*5cEZhuZTl0E zhoTl8HL`CoXNaUnj})N+UY|q%Xe3I+pb}wgAtv&B0DCYfJNio?Nx;% zH1>*b#ru5@ja?B0C7Ow^SDR%KzXV*yC#9LFp{=p{dCj{)61G}-x`J~R2Uvz$)jlE` z^0`pe%dc0~aO_Z$dW#HsUT&dv_3&%?ZlRfUSceuriyFo>*aqOUe76Tvq1!W~BD?F& z=F98VOu|Z(Kh$qgJoVP?C=FhnT0j?4H_NP7wR|bUHu!%c5SaQPey;+RSU2o#?T*t5 zWwjyl!|f1xu2pR@hGGiI+@=iaZXxITs!s_)6L82+>Bmm;G+n6XUW5Zk{aZiFtf=mY ztj>2HsVWLWdA4k68S7t-g@buOp4`6QrcO0hDs?qza$|Qba90|fl2tI8Jcq9bFjl*d z1GCKTUT`6=8(`Hl?LA6iLbXFhLi?jpSi^HeCHEa4`Rqoq0dN19ev>{4=LQzQGoRq$z*GS#WW)qk8WFe>JhR5K${P!D_G<8F(Wvi+Q zaw4Mz-(XK}vv>E9fY6b;IX<>di}r+dso~u8Y+IskMzY*A1?}7Hl;P6sI;e8%*^miB zS2drXtaK7$QC%JS(hN3f2@XPmwxjE3Js9fFR;~%rHK)w?tDl&UzF&Px>h@t&Xg6lG zbLc9(JGx8d5%t|4*z&)__rz!y7f=7TfWo<(^h+LRMex`E|^6&Q+e06{ENNvBxBOixyG z1AB4WLNVL!8TE`?-)5o8WeO~&)Z=CBnVGeq1G~AjHX5j&5ZYWg_(OavJ*m_B(V7lf z-St22ryVa5T_KA2xq05j)5NZSpGs2PDeZbZP2W+b-Ozwe1SB;)~i}YU8yl)5xEbuWFUcgwyWj znq|?QfA-zt$wt^_J^#TI#xYS*VM-aEU0!$ja3{O6zor?=>o{vlEfra2%b!QDXM0hh z*Cl26HpUZh^}a5~H0_eTxyiVk6YS{aul$YNY2rOX)GckCdO6i;ISK=1_4m|9HJL!L zl+Ha@Qz>-GVx>>ad7h@;=qybWKNWdf>b)_MRYuMD^vDyg)o=CLD43?{ zFo9nRo95HJq#EOxR{VQ4d7QXm4QZBc-jN>BkKZlGCX+B>>Rgu+qRFt|O~g1RV;dv; zyYems+*~iL7V;1jFTf4@yE+uag{IUcP@^-$XyR;2o8pG%-6-j)zbQ&LW4~||xa@pB zOpvcCdGD#=mR@q^Rl_t%t*Co6q6D<_tdZyrwnU6&YQua#750;fm|%lyL16P#lE1{)Vkl?GBbEmxdDteWKbsGt>z%XV7FyAv@o4TqUY zde006O<5A6hdxSTl@s&uHJLVx%B8qim@=e#v`%P|s%wxpJ2Gq!(0kmfwoX~Fer8nO zNHvf{AYgfN9X1)gIf3twiK%{EVni>-#t_~x+1!W{A?wi}Hn?Dy&%UERfjXn|m2va=vCYQRx*xKkpnK z_)L8DYd&=ud>MImEq5}V_}2xhtJ=H-mkrS+{%@3gC~c&u4ajg{qI^*YO7;l@xh(6W z{8ZMDOqXio)C9ir7Zsp%G*)LE%ZtB%UGSFGJU{q>xO>|IKezlr1gBbRSPj^0TGv)3nrAR{27B#f@22VihEZp z$sFinUS{)NBWXiPys2{Jsd7M?;VL`=PA-FsvEfEd(Gec2#Y1n$4@MKUz8By(NiSKb zU;pu>q37!iGr#!L>-LQPO{D85W2)i&`ZX6IXGt7x-wBwbZWiQkfWytbUeJPr%}MOI zq7Q#R9M3xw>y0}^_|*}Xe&`xd+rnkAV-}2^sIsX>(h04h4YhisvCOxc<3wKL?}8hz zXup%?VKCVkJ|dzqkyZ}qQ+56mu-}Qux3+$uG8mS#?|=U3==77xkHlD)=&Lo(C%I;Fqo8!!k~!*qIh9;b zT1u#`(brc>x6E_zBSS<;E}rk*S}7*Uq-;-O;Js@>T8>vQ^+WFqz-v_1S&$B^Ul0qynZz(Xyp`cvAdg(i5Hx> zbK#(uJkIF}@HdiYKJwLZ8y(5YYyKo7u4^EwN|G({v~MlI;gWsPOpk028mr4gfX49M zNUo&dJN@YOh;WB>d=z>XBUIepEK{21x)be#lU{j};->t}xST>XxO9O2=RpZKXAN?s zVzH7z-`HKN#0OGr*U^-{(&L@zB>xoq^S890LRTO6%;tF5mqCl$l+mhekgIbjAXt|= z!8xeuoOn;By6(3>(nfZ4<3(u=LyevJaYYN#5q_<*jPgm<%#?ohkqug!mkF`+Q!j~n zw7y<)HkdO^IJx?m!k%=s$czsVnkpeQ-OFx1@?{uT%YM2jLZ4Tx&D1u{7E3zyMz5@k zgPjMndTf(pm7+rRgyJ*5jdnQ=!US%_y{oulAknVK9_!pZLCHIH!d#L_YD z%$o?E``Hj9Af43S24HYX&c(X5#qP~zV2L%E(K^5S6ge`6VkbWw3!JhP3LV;i*{Osk zZjJ3!`Jn~+Sf$1C-4Tyd-9L=Jdvmzm$x&_l<5mCYLd)~+8{dw=`e%Gt0TnTxtz?ny z_bYl`-_!2o<#^#ixlIK3pqo=q_%hC3AbLP&a%b~foiLA}^Ku6* zZ$naa6MtDZhH!B!D-eU^LF_})$Kb#A@m8Jr#x&Vdza&r$=;_8mv6c@fH0z?p2KjcS z@U!IdraPO{h@IL;L(m}^4RPoh>%yqDvfB+`J*}XtN7!I(?{SZ&oH~pKs~)YeZo7ze ztMbpTPOCD#6E($lpfUS|F-;|0{tWU3$BFo_4hr;qMQPScwz8w-@q zEyKRFcK7(N?^L?3r7L9-w!hg~=cz&4dx+<<=ozurxu2uvYRMf>d!&k?qQxrZydbnn zW#Pp|^F|ZCeAk!Q%DoE(#Po)4E3vLS1s`TX+NNRJ3iYMCv1k_p3R?$T$!PIQ^g;HH z%OgGd4~t5Ic8x_gHR-K0&kba_CYYNg&-4s*@8km#KW;Ssa zOM(>T;iIk*984M9jb)E);yxd)C0&r}X%rLG!ZZY6ELtpeR?>()bv|}ZM{YB+59Ltn zVCx0y51%BRw5vSE6q3_10wp2i1C;n^-yxHEUN0m109796syS$zcCg-RUqa%Ow|h;V za~hJQQJ4!^O8vgZ@|*I@_+!z@8}#+a!Nsc!4|8H)>z%Xwn%o4S>#Fyi?h}J&!inV0 z=>!#-tpwL%`Y3dfqKAE&3CSA<$viu8w=n@)sUrbfMH)?mqwV1AknA2K>q8A-$8;rUwzJxZuL%nnCV2T>Z`Of3de>H#dAdO|C(Hd*WP>T2{ zc&_MurXEUHoAEzvukG~Rn-DjcUJbaI@!VJm$OM*jH!D=xNeuO`80mKB65hm zJW#R$vv~HfbS^djfGLM-f>gYJ>);d{lcg#XKZ=){mE;f?)%lY&rcvIub!86xIovF% z)W9iHU9~;Ztro*GTJj91x+Ca^Q5%{zVvLanQ6Y$uGh;c*1-MudhsMKv)ywZYxj&+6 zO)^wFE$gv*+@%A}R=UQ$=~WsFp_!fEPae1vTv&;Y)NmTWF`m z*$ANQ{73%w%fEPCCwujBJ0bLE*KzbLqS8?~p{ou}lo0f3jg1Unn7qnZ=@|?OR1n$uY zn9XZ^HZqb8(j`>V<-xge_s-eXhcH7aX+!yr4iAGTJ^K|8yq>e+OOUW8Dtb*368-|_ zwf*s#Ay8H`ITmHxHNk$5=9Kxo8i6J@qcR^;0&2c`^hha~xq2~ZN{)ElWCPOlzJ=oX zD!QEyFGR`;pxUfWpHB6~s3Q|RFLNk0RMv}MHJ=>9A%(B?M3T)0qZ!sjRR&GtFAv4t z3bHldrl#VAJ?Ee6CHCYPcemxpD>CEebe{*-iFIk_e&`ETL%l!Q%>OE>aOHLtR3~4( z8SH#Pcp{aZOc>O>gDM@oLkZ78$HtJJo7zXoXZ6a<#-rNbblen#m*R;?+ae`?wxR*h z&ZDIh9!n@GGq0DUxZ`m*W-jvHw6ja{BrUcDYCwx(+t8$M5fh~IUA*iXB`Iv$A6Bfh zI$vn)IH_qWIH@aqDm!99s)W3jXWd-;qn}lct8>hR8g&YW7Nl`HYl@mB$aT1;%XfFY zmkDK)6v4QWT`!Fhbt~5`xDjsXpXo$@G?32XAK4*iw{}!w_0E+H`Z8D2`c7v+8u#O>S;EHhf}3@& zrz!KjMg_wti!4^r?VOofsG#Zz%Xd(RLi0F+Cqy!Jba}nnW=BLt0yq)Z0 z{ZBM7c#q$Bnd!+R?%W_h&Jf!De%VGg5Xg8%yV*TM0(sBNIIu}kR+l<1^V4Kz)lwnv zVEjQDltjtY2H^bW?UWvoa3D2wnK4#u5V~3{{<7BZ@|O# z53ruF3EmjQ1?FVnCxXj9@v5JVK4)shlybjeXFEMoyoek&KV+!ZHI5605M@m}InFqP zLs49&@&NZ;gu0Lx_*wZD8yvtL)l$+aFk&leQI%vrJAAH`%$`Kq1-yx1|5U`HdePB= zZ8ougf<0=vH2PluNKDEmWLTOe;{6;sl%)iwn9m5XOr9#-sQ@QTyE-K=#NsbCu*h`% zc*jMeZ}pjUvlv}n$-KqO$IzLadCw5T(RrnQJp=eDlPSGFyEVPGtkuKbTR#qXhweVh zrQ&SA=vmO_V$m=1DJg^Rak{utfCIgFQ{tU`PLOe3HmL<iY= zgi6z6QT$_cP(~objJ@!c5P@{0w-OWBhO&;N>u4=JEdl>Xc5Q^GiQ5Z+|(w~1F3b18=5nID7o42=ARR3Y^^MSq~03; z8BRlcbaC}%P`%IcxFsA?-kg=OB|DcLUdmd2vkDVlw)B>;-8JUhb5{oq?9fAE>$BQmA)s7> zz7U&dxbMb#I(4bT2a(^jVSm4eR=h?SqT|L7R*27Xvg3807)p20oiS0Jxvw?IGdOo2 zG#SbHdBYdKDwHVIjbMdlo%7B$Jfbv^_^48m(=4pjKu3TiI`p(b4g%((ynd8jQRoeJ zEa_})1!7T9R9WXD+vjfnMVjV085mNF#Yj%3(OS!WCc3`{AtK5^t=aY(()}R7)b8_= z911o|S{M#osCaHxwqX1@+ikFS5;NzbpmV0q~7u3yL5`tO6g@f!z>=^x1wbXI~RG=8-#(nRg`Nh z<`!O$)x6ehGJ3h#Zf6?bCRP_I2GrbmTH*E$%A$*{m9}4VQNlxg(>HF}oCc~ftFbf4F5o!Ms2P{O!+ zPGJ$s&$EKdeix8>cvh}sZlC=qCAZ$wh4mMD;d(RG>#-co3+0Cl?vHASI}a~vH26+a z5&C^ZD1{RFi-I|b-ef*ypmgR;&%8siQ-W5Gv43IN4v5IfAl;~T1Yj~Eth+PKODp`R zgSOxLK1E_edOCn=WW2^(iUB9m*| zYTNgPw_P^^A_CG?6p*?>IspU(Y=DS>bS2UWkxpn45fKm~z1OIKH0d2IbfiQ|AT%NL z-XRdkn~Qz+dH0NW@4M%{cgMKjH^v!`p?il#GBekjbNwIE2pNHMHx#G8gQ7xmDQF~lJsfNUSOF_pWX25$W^{edgc^cuLw-k}aLxcC_?|q- zH@;U2_HKM%3{x_AKgWk-?Z;gBoz6f~X+qIIZ~LJD*DmI+WzyV>pzOR#zI|X#p&{&n z3+9`wUn{|z81mnks|E6Ked7^`%NFJK&NNU9)fyPx+`$!yStvsH*3@?Q7%lAGxH<=s zoyC}E{g_N+l~05N#e5VDCok7x>-(T!rT(_+^!Tj`ON`qvmflezk+WT6LREg!DQlo~ zKYGOKoDo(gdKnucb4rpRl+veRIp%dhc0^GYlQ}~OOy+`>GwGypR-vX##C)$wewTSj zN6;BEQU!(cO#9*6XObmV&(AIGs!l6o<)S;w3KEw?TBD+W0*@q^#p|^}W+L?wsHflb zXaoSL=1M(*8w!X&)>A*PnTBc5vLK5wVLw@hBPutm>5x|CAVmIoh9~g>^KZKQi#?g4 zB5CzUPO-fkj~}r5{1}UP|G(ib{eZ|R>(iFDVB3CMbf4KB0%oHCysah0T3!F(bAgxW00?)mf@Gn4n;la!f=P_LXHOISHBZv82F>+hH zXP@tYqDYbka2PS*`34!Y`6qFLb2>{$tw@y}lTPm~TjVhcma4yZh}daf85vb?4Pa73 za0Mt)H=wc?IO!z?srFq776{jjf7Ax$`tyW!(0&)F8KXwto|L@x=tkpj(LSf4P1#r+ z68;04$e-GHpWZ(@IS@OTG$2>oNn{7NGSI7&V;O9_Ss~k~ha;3{l^wTE^|&gLn9Gwq z9V&)M%*P+rVmjl+vyHsIyJP3?qkePxPF+-gap-}MYt~eVW%9+Ha!?u6jUeo9RO1-6 z@uE=t-t)#)=7%J~Ui3qI=ZhC>HcNEaOO z4*L|Kg8OcKnMcnAWgg@^26cHKR`2KHUIaiD8Ed?;TT+kT_qL{6{~^}x(jO*AwHs}l zw(db?jwCvWO8)za8esjS3F%6Sb;&mW`Uc(Tr^Vl${q3PDD_SU8OT)oQS<6#yK9so2!(#yxRD}%c=}cfJ9(Nb8^cP z>sfi%#sHvNeU&lLo!ACef0Stygg#TMPP!eri9wUGV`$JcPTK#0OtxBv)IfQsARNaa zqRhDaD|J|fX~&>>jB)9jM5xy>Bc64ZBvX$0OTG}m;zv{91W((fvEH{s-SO3xQwwrY1bXdkPO*n|OQLR&4_FY$$Q6E=D?hsNQBr5* z;U)w}iuM8ch7b7aDe+n3We+{U+$4V~HyE;*tCs{zf{hZ@kFTEeCEw8gF~y0TwPIA2 zJ)N&F9VTA~KrMv|0FfrS_`(OkG2TO!1=0es)X2wAnXGCxEz@Q1-`072k=()2UUZ+N z9=3Sa-8zE?SL;)5shK1rUbEYquK{{J!hZsl0FbJ0hIM}=Ki3X^IduKj83;l;Df!GR zT6svB;H@f%HtH;p)-An^!&u(e3<n7=b`JNp`ad;z$eA&b9W^(l_EfM16m=jjIuE55X1-LTvu zV)0!*2)C5MW0~lnx(+0EGjUgL3Tt}LX*bnU|29~DPNY`O02q)t14<54=;&xVl#1wWJ)#+&#JF*L+6#}k-`Z2qCmKA*)*h$$NdUtKA zEb2Bs2rq7E!%HPF>V}}4SQToGz#2C_VbIB|*&?`VLq>J|^_{zKk7UoBE8+(??%nCb z`}e>52i)6cP>tJZYstF?-RnQ7kFL&QfCVw`aoKu@Y(6QWj+9U!(e?ob8h|qDv(|4Y zE3}lZFmrRn<4(Oc-9USd6eVE|o{NqX1`PIgL=;z_xJlRS+Y$c^t29GqZqO3tyg+ zMZA#)UUwgnPeP;Dm-Y;5E%GO8J4MW2r%Aqduo!|p3{DsY%DrbXhCjrRo3m0sQi0}E zm6*ekWze98Nfb(Oc!7fELVrCtOcNcVQEZRXbMVS2t ztnlO8Xcg7D=&sI}a zN#Gp+rtZwI2pzgpvGCAYvHiqpSO$*%4iAH1?N9AK1|lHK>|9;%5vD)tab-S`C%NBR zoz(`4`qYh@!JLuPy&vuZO`Bib^4E*#pEL7AD@QhW_D-|G7v+k1<7GlUk0~~I1Bdb1 zXnv{MPz4+a(ya~gQzvVVd~XAIUdi6UD-%TktSCVo=}J}65pdj)khp5n#FP@b4~U(m z+vg~YqX)SptimqVWWP8FJo?%2-A{TopY-Rn{UB|vP`hFjp*y*+8hqMZF&#eySY;7> z#2#}D$1{KII6!kSIj446yyuady~7nuBW_{+_F`FTKD`w)-}=Jeo)uwbf*9*hDXe;w zH}Z1V&=vb9o*-+eV>{7gaZPlbnp& zN&&_@M;b(5taAF=!3-Nffa4w^qr+C@k=L$m6Y2yX;nzxb-EQ{x=#tOlpljm3cdHEo zby`8nAi5bDcjsac00g82$9-DPm;!C5Se`-(uwG~1Ikj-mvlxqm!pQ)@{^gzCOWiYPh9P9ZVbAY- zr(W$E1Aw~bquOm%FBlYm^hZD#kJky$if`X5fEIaKLS69_*K5He9BC?ul1|{ov#5c0 zPWm)(N7wMlfJ3swhtlVdkqWp958$sTNm&!7{3L^ka;eH(fzF?|hNgAT|Gv}l^E=lp z$f}w3Z4Au9=J{=15(AsCsP~NIxt1-+{%^42bzU~1`lG{0a9+`>xye zeOCN(?>lX73Kk{v=OWR%-%OECxWxA0ska1J?unIAKq-z-*|Z}OZs93?>3 z(u>>AL76MWIF+*#<((1F#82bUsX!rbNd}DQmh`8Kv<2^CLsD42Z|sqwQ;4Ny81*|e8gA=OvlqKcrq(a z*^?B_b4Ay?mHs_bYr1b}ZkZ0FC1%E^5X9lnulfwQ|FIz`IjOcmi)vPW?J>~!kdgcB z=A1U_p|_azym_}$Q^%eHwJBqQE>WoLGc2yqgU$TwtfQNG!yv!rZ4+M2j{I?vcDLOO z^lnBkoHtlQMkJ~&qIFt+yCSsnJIB`NJ3{Q<`o9gVZXcL}7@K|Y4#OsTh%{HgMFA#F zRu6YR)xyl3-&1z&Te%}X?TaaGUfaU#nyu}F2Hs5l_25Rec%D2f{hQM1ZZMaef=K@j zsuB^+)!hmCtriV;!H<#t``XiJ)b8S=w6+8-na9#X#GS$?1(H7cD}+FO#`l|q^f!ph z`8bGVK(DZ?VWyQ19?3Bi<=^anEF@ zYkwr@jRp!EFvhsmb~l7_a$!Z4voalc;R4e*~h{ssmAmfM>U48 z84tpI5F;>`&k1M6(VMZ|Yi@OW!=CwLm8CI~vd-gkk9pelAmfBk%(e2PVx9G&UcL<&W|t(*w+2 zI{a1uFg=*2a?l_m?vL}dS2a!UiQyUAwRi6h6nA}vKQzVGE>l>GB|B|h6X!ig8)wCk zco(074|c@~Ed2XhMuO%;FqaZCtwqU`sQrI3ULW9kfSxd|D2llDXK4Qfap^NK(U9=? z3D-}3u=qK7fjKz2$AD4!)@o4i<}GEpF)htZ=c835LPjheGKPlSnD3np;VEDP z^oJTvpU_g<8WTn)$z}H@*-rsltekD%K5U(7&b=_N`~lmF<+dBV@8(v)&D|=ylNk3c5(|#R+{qeU_f|o&w1ofXA^PEo`vnHY zZtJ%s;XF{7{+#}30B-t#2WXOs{ruQ|A_cCM%TNO)ziq#C!3-7Tk7m|U5$l)>N|345crPnTWGs>Drqf5yZ^Jfhx2XHSHg>|~^NJe0NxEv>AQ znYU|P*)nnjPLvtU7}QM-yKTY&#?T5148$O?B&&D8s+Tt)uMCp$=zTrU#gO1JZb9xT zsghZ1qqz6W>q%~-(+=&SBvETvS3y%niB-NP z^_GVyO(F~yrQe4rnM6Bk{D9|)E$y*qtixxCSai-dNj-eNQfs6Occ77CpaZ`52c^FI0>`DbSPWlrf=)#$#x6CkLSQeB1W>lRJy zZg$1LsZzbqFn(Ua5_(%R5+aBZ;E=f-A%Ozqfz^rt(^b+#X460>y7$Gj&CGYG$m9C8 zY)zX}@HkPHq4#B2xs;vwhUbVkXms-v8lHJ5O@T&o@6Z^Ho7EE7+e(8~8H;vm@>8G+ zIKf|RhI8e`DY2BDdY(-CM~}Kq5Hek=!Xd&?qq54%n3SR7?J(ABb7~qgtn*|$3~Znh zN;|Mn8Vbc2IG6V~RAui!*1Jb>4(UzrGaR1NOl-m0m7BW9qmb{xQ?Yq-!;#ey(inNkm-v>2RtLeL@q*grw>h+Y`kEn5rIugfb zBlA9B&DsfpAbx8*yz!`U#s+IFX3G7Z{_*@#GZxd0ldRrlpakrVEnAvJh7S}X}r3TU|c6_A-&W=jL&U1+C@AE^3Rf$7MUTSv|LiLnTs6uDSn5( z?v6Y?;0Z`)#jK}@1v8Wz4iVbLEgt_&1q0e1=YwzBKYwg`yj$VlmbP?)UNGL9Yrk0g z;Ev`CA5b!=yX%=aeD`=C$5EM1ud#&W#ytq@ug=yCrZoOHDOqW~^%CBkX`BZG#jvx%OYS=ZA=~6(m48Maj-=_Edi2F{13;HE_UtwELF?e*&)W2F1dEQOw~yMeF#-uLxZUY_8=&=kJ5o<5v%`r| z=Gdtkc9K&VO1tatkk#m7PnPKqye&;8De&861V-#&KuN~FsE`>Uw~p5B*P!QFp;xCJ6iM=Jo)kF+eo=jWvqMs%P#8ul31(En{rJX5 zjDa*L3D}HBUOSr2cx3pubtUhgQzuD3zP;X>Iku@^pZpP19J5G!?l(+5#p3-f;iMC) zztp*UEa?nIcpB1b?9eZMbHD!$!D5$DkXBQ#u*!6FLV3zGwC?R0Z)ZknrCQuc@Fu!H z?l@Qp4{~1mjU(cD!pT8vJ1gN;O|t)Qq<5qkJZIx8d6{6g%cE9)y8>qXQ}3nz_KA1O z)%_O5B#L8pcn*|acr}v~hBqy>HS*s7V{L?$<|riJgw5FZz|l*V5p4LGuBCv-hvCrU zYYL<>RvhcGO=2GL4yL$4EkGA758Zvk6*|)sQ&kwfS3C6B+_OmS7jPJ~mj^a_9rDiu z%b_p}5@hv?!e`2e4E#>EDS%LV|Kh2EN^kZgj^?d zf|~El)OAhNU8fA$;jD^wgnjoA5V%4@O&f7==(w(f#IVRId3ZC=4UxR^iYI3#EO)Zj zhPLm^Us?e9yw3-A?w^watk(nxc6}pIhiVN_j724-dS2+O>UT&+(=FKX9qs@ON|3S* zi?x2j#iFZ6ZI2wW*Hwb2>^H)T6;CxV$>QXb>YaDngw5 z%@52EHYZCyF&Njzx*w+q!?DV=H!2Pu5+Fq*0jVRmcTMy^`s!u zn#ppT<^2^f6Q533gP7KKBkp73^KWO`xfAR}LuL#6b0%wrscsJ32Dep!1?+SJEQQX8 zsm2ra%g;e0OdSf8(O`FVy1Gn}ZDy`w6MG^K! ztVCzxc;%>6m7T)swowb2)BESO*qb~_nyZQN&r)`1N2<9JuQU=rGY4evg%m|}Ad2>X zpgUt6D#l#H-0CueUCP?YZRBl zH(ie>$CQ5o6(;WpB(ncYZ4WF_$N$Tsy<623Xl^2wJV*EPKKZD3$CV6iTZalGqM3X_ zf>A{(G2JVv5QB7;OOX%a?ya1ap+63ePx^~DpgFvHlt1VTK&%ZXIy5r3Lua3mXwP69 z$J)Dq9IKSV)mu-pPCv)yxvta1W!`O%cExE0XsqRuF1Kx+qKfBv%A51`>`+>Sm#t6p zc}l%$#UIxLM8T4W|9CRwtI?Vi&soTZb|kl~@-&U!f!{VkukC&p_nW72ez?>_emA+v zldpiAE~jL!yV>|OukA+QQ}m6{j(*21;Xe}Nl&d*T1fnUgUT}Kz8@@6{}yl-{m(>sckX{6svZ}r20WWd13PCNZc zC>#6zk%R=(@eM|L?`Z5wrwAd)W#Z0sFgP}*f`xH#pC%dCJM_Nb6hcYd6T^f4%QAr0 ztq^9PZ;8>x9`$t~>i1-IwCnl5#z;DS$R^#@_$ouk(6oEWVAzdW(a#>+B;bsO^sF0n?}SFNvM`H_^uffA@(8cOFDGbvLz!6k z?RC$?U%V~W|HoQS-_^rDEg(DMi@gCSy*+^)^f1&p)Ldog9wSa00SS(FsAM+#?@l`ZPlkQGm`kMDeb@u(;d_cW{1 zQCFq@AKPbs`{2QS8p8H3YVR@JC(eS5PBx;P`Rd`e2IPVzwQ5qDQ}cqoiUT*TIOoMZ zpLK!eh!y?3y&=(dt2tF%;Tev*uV5Yv{Y2ih1*@KeSIC4z%_Gs-#47W!<*+jI_x{L#+)4R-gzJ}N;NuleTBZc~ng!!&ubu{(0<4kC?-C+H z9$I*5PL~1=yOzBmJ8lLfJ%>VX4f{sW>{_kFo9>L5A^0~U6s;s%P6VtqPJY7wj(XI6 zc|CSz2Z};a$zhzW>@gAd!otNrA#xE(#Q@K(-G?vVQp8IMaEX!pfeZ7 zr4XqsgppQBf~A{aIp{g+4iDZNYs#pJH3O5U-5JVDB4alweS#CtiC<6I)zBnse8riE zZC_m3$x2=nK8xn^!~EfFbme2u*D#L|kNfWA^AvD$|1WRgNY?SOJ4@{3PCN|`g@0nf zA6_D1cf6c=POT+G3v6j~HA}DqqSaf$!HZl3(Ed!~#0ym#*fp$36^;@2zvB@}YMO>& ztrCRWji)>bjnNWj!+YEuat>G8x9BOcToWA9svIpehRy{-hR!>ITMPr|kFmDwT*4yk zthxHkF&Z$B)sicNR?34Sp$nf?nC5McCAn{m+p3h}R7K@?nqOm{75fUi-~-i!Yjr1> z5LScmpAw}rX2ytAdW?xzZu8*>a}KP8y_Hz`uq3lO(|`{mr&A+5?-LpsjdQZ8oyT#( z`3wW9;8TBbvC44T}pia8VMIOr`NOZYNCWMF_rW6 zSSC~cwP1B+>w+4L1mn)QL!uU;ikWi?rZSqcX;*GX* z@{NfLq61K%hME3d`c|HMQZ*Fza!#H=DThj_OiL?kT#oP#RggY#&wHml5rl6^fI?%f z|LoWO*TyWaF`u-0cm4ll`+0oa+4fCBu+KXox7yCe$?@SPl7nlW6X*1vosrOpcOs|d zv<#{Ks7AeCCA(;*a|b;5Y!DkCN?_oi-Qf0@vvX3H{q9b~N}E%g)54p=L207(jN{2U z)XTGTTM-NCBlF`oD58|eQxlAjM1L2}oan$5DFQ}EQ3)T$*W%HQi#aVy4GWj^qJ2tJbTcR#Az8o!1Du&zqB*N- z#AWDhq&%S#$R9t(F{0jPRnD93;YJ2slE`nA2Q_dlrxXZ|?4pFPeQ@yIc@)OW1z|Fz zUuuSV%G?UzIdIGvpHyS(g)2^rShu+}Pb`;mU=EZ&L~uF`F>)j|y%)q^jz}3if2u-z zb&V@@t{`;pnnW_YF=yFic|U%AfBLM;?lnYEBA@;dFR}Iq|m-uN(A$ zwcxnGYwx60{v6~RO+yYU=0`Flx+cUJ&U{b$06eSl(j5BO`6 z|NNT&!5nKkZZv~=f2M)^bCBcR(M?JxqcnW#9Sq%_2Yf;mCa5c>Dtzywh!sj4m)-bG zeCoC27@fgxZWM6;zYt%22c@6kh3fT=@10nV%}hRS(0b|bQr!aOd1SAUf8dwKpf5lw zty@~nIoSvZpKv`-1SU0Ht^lFG^k(?=m7S68T1m%h2vhMXpbWs!ob6IJb1ZchAI5^m z-ImrDlJpn=kfMMTNK3EH^&HgF2~c>n>9+xhA5DcNNz~VlvYtN*=?G67c>w>F^2_Wd z9QXb#c7X-*>$UF;0NTlB=!!19e)*+(nzd4-LH!fUW`glIu|BSjnZRo`>jg`T^i-Z& z<7vSz6Aw1(-wmPWnr#;8?>+Lc(%UU#Y1(&x0l~CC3F4M>VgYbtlRT&?6ILG@>bPGMmTA;SKlF-NII#F zE1~qW&JWIm zl>jaZ*U!Z8t!RS0&o4S+7H$8{g2{`i{potcE}yjDHN_4b{PH@=G*c2TVf5$=O#b1K@X{NF`V!^eb88eERG{1RTfNROT< zd>zoL=YR1*%L-Hec%|>N6(-c%Km|wr@5+l*ve~Fo_!T}%081=0@AbmP_jF0(XT*pZA-PwaH7?D*qAzSxMFP%3>qRygM z`SMtApG1c>#qMy$h{GP$^3}h%`?}7Z0Z)C^udW$>pB&c4!og?CV0QD`cT>RZKNT;847)AxMY27h{shn@KrrR_nCgjZ-#tYCvH4?5@0&QC+rEsr=2>%j z`mCg<&5n>tQwUex*GI&Pf%mSsDq#zMsjE9Y}&2Y@Cj3pNGRClOBEX(jPOcRC7-mWY5g7J`yEx(QM8H zd8AL6@;Z`J!@I$CRr&K1#Dkfu8NaAhLOCBfg3DaCU6Q3SW@+dC+2wk?I-7yR12&ox`H5=SU?722{VRdZqT7Mmi(UZU%R!iqI2G{VYQ&$Z z%;%%0XJ%u3j0woPece>1foK1=LmBubhprhll0!GVLPYRNYgdhZZ|9;gR?ObW4K43i zW{7xR{^JY)r9d?#|ohC*;!(F0ii;iB}emsY%ok2jtK@U0b$hF!zp$H?Fjh-6z zg|ys){VWok3VIDIx6xCy|CRM28|F=dGhcZ2i#Yg#{LiX97e2JjL47#2Na~KF?Lohi zIaG*mJ=J+;(tnO`!bn|n=}EWD&_>3T=2_lV9k;lNPuPs5#V53gkVVaQPDAK5=Eby( zf3oQF?0P&xWg&9sw_MwZ-Q~0ePjd8K}=K1bluulr*vU- zv-!qEC>WC#jKO*2b(zZ9n3nu0O@YI~N5v~3Zknr|joBo5%JwTy5>*@-ydE_%293Dn zYLmE_J+!u0JtCpc2DhsUb`YgN*_3;*;r;GLIwA6l+pEN7iP{=PksbSjK>3QVN8U$p zL+HAHtl@%k?PsW4Q&u&+_*$(TFpFtO&p=h>iN|q!RGXn|#|Pj91oxOOzW?WG)o(?& z1EATPQ-H*W#GnCNWYo%``B(~#FHn9fl^Ojtbxx~%RoVCgt8>o>W$xr}>Rfa7e!`C= zR+a)VydKZ${jUUgunk;d(iE_Y%mQ=7TiSe*asHsPU1nBB!^3NqRm9xiE~%-K)j=p2 z=2IW)(Tk;a(b`tlI6M2jBoC``0D)3ODqWMf` zu*98K&b8+2l~$OLiH@qI36sNG0}o7?aP>O6nJZ%^T}~ogcG)%DQ*K>&9h10HZ58pJ zd>Qlq`XLEIlrKLV7+me_&NZm^ET#|5{}P_NCMhMw^6wShKl@&J4tXi>KDz_%$foiy zAj}AN`g(#X$MoHX#@}wz%(1Jl8$r2#{$^) z4rl)V3$H4Ptu-IADP**~n^_m+>gt;$r7v+ItwR6^mb>rCw z%5&FeChiGj4mR}vte`DjG6bsj1DEIlLcJcFK|OFOxYUG`iAol84Wvus*0!na^nCI` z?DS|QHBu&^`ni4YAFYRV!&B1f)xH=~I8-T{IElLQsrpUD73mWx@#;`+&8yH%H+k0U z2U9QZDGwj2I4bd_W;-`{ay3bcp}dyA;I)~dG_qPP*jx~u*+@YB%~o2+Thhlk*Hv7c z`vdQCAg*Qn(k^NN6*q04cU-N^JF&u_u-`Qvty%FOe#+G7_!{kfl2CD&;>9^YD3>f| zWxchjCr-TF$U;iFX%zZ_K66h&Fc0@P})E&&%$rl|^0211|7KpHk zLAG*5KzOP2ap&3&1icmqoNyD*)e*2K#RGvORPCOK;Z_&0#=>;D&E~91RH=3G|01v~umQJid>kjp5HLPp=U&2KKJ)lsz;h zzXF1zhc*NU7O~h_dbe-Ef1=)FYB7+IQp4b8c3g_u=(KlxGEZ_FZX4Ae^+g4>vxr1j z$sxrtJzkCg6n(SCWCMV_pRPk*n*)w*f(bxQYRf65ET^O*{4)^O->XyI?<>!--Ol-J znlEhsb{ztN9#%J|Ss_THEN7ROr-=%D6{tcHrZNe*WuA6FaVC8`9NV1~fJ)A3Uxx_R z1($#NsGk0@W~Aej2%K~mmkR(~#M8owCZtA2L434#xuw^~zA@jz1W&Vn!=O&hWw`5N z9XLTGAlB6$t|H33_VkbScpwm?CkaTGT27NudZl&rVga3^=;P#VMoG_98+ML4(P=pv zN3D=D8B>=Lo8+`*9g4#HTM8|`(Lv5D1wzA+zrz;#QR}^Zg=O8c%HA%HIs>l;N4e?= zz8?6Vw+!-_sTJ$zYK3HbslC9-h*9)P#n|j=kIzK zIHwEz`kcel0?zXfYLcVqO%A~*iBA^Jng4jsA^Yd`1rV%4O?vEFQwkgUBF{zHTg*2S zn`jKW@4V)?n{!x{*Kj|q-8Y_Tq|s_T`#;|l`i)3>lS5pF!^;BYNRjWTg;epRXESN_ zt*e&bSdBi9pJ#9r!krAh5j5c(jekf*fE>lrBT6v9gtS7{;7{ae+8Q^NN47nZHlS7Z-N_ zN)?|Ww`koyN^Tz&gDOt}Vf@zopYRyA0H@&qjU^78MtPqRDD1TkK#-5Xy1C=&*DrvqEhk*DqeIhjFf zt0Uk0q$88ScEz}jjbPrNm8W``hi^XW9g3lP=$Ggrc+xJhx@ z(rY;y(vy)}@vQmYm9MRGya8Ee*bewz;Y!K?##5n2PR)}#Xgsdd%VHe}V!J2aQQL+n znxsw&xijrP-WD;D-~#Ph92{TRVkc+z1g7sgu=PErK$POeZ^n~}Qz`{BiQeB?N4kap zJ2CWAfy+J@aUw$V5NisAeGqTg(;JZS)7A^PM5Ks$w9|+FCGhO+PC*ZEdbxHTzGkVH z4agL-518@CSV1R;cy3y!24V#v3*Q?v@Ep4jos0CzYYqXP9*dkO2nOnYK zoFazoBP&y7?**-CtuyVr{@iBW%O%x?-m9Z4&O#b#olO$HfDr8)ayHuQw;4%ydU<|Y z$re@nRYW>zy5f^-Y{CJ=tiY0xWD~$+tSZCH8Fw-|sq5G!Ma19O->ai|%D%p%ij&S7 z4I#v4lKdswGI^1ZJdCd7O)HH#;_D6uO1qj}#xA?-&pSNSD!c64nQC%2k2#xutP$u2 zagc1EEcqJ1jmm+WeHgF= zck8+#>P)HnWZu;B?!MawP7OmI(H(`@#S-yI`EfeT%tn!JoMkPNSNg`HmokMaeTEzJ z`vsG_(QA7U=}r}o2+FhGtrf#}QC!Kpejyu`@}f+{kJ@(1tSDMQU>ytL3qi+A+9cvB zX+5u*_R%-%IwLjR%D=O}<{Q74Dv>!)p_ZrZb=cmwPebOrH}K2U>4@pQ!9PcMbW;w@ zNRS=_owfXK8G5gbJx;GD`hb$Ev^PFm=Ps-z-)?cgNx7g}1Ew|cAf_T|TW#^)v}F9` zvcG$C^^!xFa?!raXdv-;XgbtuNJc{_xGMWJOdh96dGe+8N=$Zh8iXjsOut+U@VXqc zwwr(-tv;CAl+3R~?e~@_ooE$*X?r`jW3zsmrN8RO;v24bd`dNt=K6C_Kh-Mr)%{`i zUinLQ=MPPs!`-@c`w#(PM6Ijl6>Dn^UR`pqdcZya(YjN%q$tBSS}ZpHzQy~m4gKZK z3RFhZJ8A{Z$HD@pQjC-<_J`-W)Y;~_TY;4rwI=FuroO|u2kWR zXVngZf*up+A%oF2`mx4RE_2kUL8XeP(k`CnS`;PySTT{jv#r!W{0lGHnb~>sta_5V z0_4RCLeM(_=-7*_My=Gp{MVeT14V{Y1w5AO^*GzKC7Cz?`ND0Yn9f@Ns^nQc`*Uty zk=y1!MS3vsR-rck!gpyz3beqvgy@tv)ucJ^>7VWkye7MBTfCfIH=`oV5{P|l{?s6) zEvUIIJu}QF`oziJ+WO@OsG`{Ob<-C+=gq?olu(Yu{*_j`Z7q(-j6Mw)6LwI_q%s#Z z3^8R?aUTB^Qh2)7#*jX`fr*_`*j#8K5!t?GBuKyMU$|1;?W6yjh@I_uZHZB5FL6~t zz3WtqGKi*iLfw4fn|!$#qbaX}XFmrK#%jZ^EGE;hKC|n647}0uQQ$Ni{+62LysfML zm;SFG1imHOz=T;ZFtxs1(HL#i;eL9lX6?C%x%965vh9{xs9QlPAQuDDqfC>Wo)0*O z(27ne4#cBd=3j?;&RutdADrWPSRx02ysRmcMlHmk6pPwx37gj^L(HknBW_Jsy(zEX zEnju>-W6>r6Bq%04|dK5yunqnh5dTHQHHH!4Hw!cVY;ZnVI}=P2Er;vNDfXJYma9A z3!6PYNwqcs*BrQAS=*J}FzK)<-Uy#;-p-oN@wUb{8irsm!AZYM;9H03wO!c@8{MEY zoof|La_eR^&gKaTj%Tv*VVe%{USA;W$Yv>^H}%lHEpdf6QQ>VyXv-Mt4DFPAPlOHZ zXEwG57o%H+Et2trVVjR4L#C3JKP^9I?7lB(X@P1FrQE<#f?KD)2R5ZuCqA24hSNEGLZ;RCZ;U~fT$ZXTi#GZKx!_gE9@}}T1@jnIuQ*L zq9AcM(|Evn_zK_!9P~QA9C|qg!DTDX&6bk`0j4J>UZ6A#01TL%UhW>g0+Ram{Al_K zMlmQ5WI^>@67O@jN(~LLOMG zgWzUc$b`;BbA2y&bT@Y^E5FXL|*^u>^wmcj05w`w9gySCg1j}Jj9_ySrFK69`6kikf5 zRg=XPb4Ak(d36=dFFsv<96d(Blde0qbJ&6dztC@8bHXxy)d(r^vjiy~rN8Yxf?q(H zNiNrRI^|82&&-y1oL?(X>1I=d8t_U?tcsycF7ad zSz%_GMMyyiWVMlZ5?N>D2GHUcYN+kvN9jG3wFf3dSKCF2p?5SV_1BEpsQAQV zJ+IEU+WyB#=z9F%Om+9*J~x9gcGETP4$*8ts(VY(xg-*0BHOA^oWLW$8VDaHd^ULA z|6or9V_ORUFnVOQ-7GHvpP1g?Z4jOUvuzZ_8icRxPX%j zvju#7#3nDdEDo|t3_BNDwB?pInol`*$Ep2zaae-3`*nIo-0Yqp;Z177D+io1>Y)j? zK@sAR9~Na6zrD@(+00&4`fSbQhe|14DTmEgcr#R)9IFHB$l{PyuXgg6KC9JCCPAUT z_6AUyX>SmuG^@!MUe`=z3$yjb2y>u7V`XFk5bwEM&(FNn5B4n(@|jbvcE~%h4eNw3 zGJP8$&R1QBNWIrJ-I_|SBlE0UBbpP|UhSj_h*sh_n6Qx?#KnK!1Ig`rnEwMVUytJs^sgBMA$L85q~jZW zx|85PW?{#?Gjt3|1fHI2piO-xqA{gIYnC+FQnwEa4K-e5Xx_ zz@|Ntcf+m_7FR4cy$!^<(sCNfki}c`$0K8(!&NGC;8l#QpA;a)DVwzT zwW-*xfN*{n#LDX91lLg5+HJ|%6$3lDECIauV7_go&!HYl|ECk{0R3c_kzjDkDA|HA z1RMdEnr#^bpHyxUY-RZb%X_6|vPI`>JJ;jovf)d?H#%!OJ@Y1-CRp)66M3&>{Tkv& zZ$*BAOvk;F7gaDVyt1=9saHbTMzLrL9)HaCMh}p$iJAhPkNF=1p+MffPj9`XA$l{8 zzoArYlr%iLKOFj)RaQ*ccr<;z8Yb>>^{s@594NKe=jR$#mHc6fcc+A^vgtj34irqw zf?36V*EJv77pGxelfGK8dG{41_iEYZ;8iUqZ=;kAu%lFj`>;H##E`m% z;x~HISzbNMCpWd7n1m-69dbjav`f-Q9a?2apM9EtXJ%`(o$fyd3ChWmOp?P#sxF%; z$0Ma^#w{K4<_KF%=v5{WXYBGWAbJ^kwhJIH*wx{83?GlibmZ2Kip5jSR0XMshEPFb zl~~kNRz@;mO6N!JOj+V4%2ZY!2m)dfk-O9s$U}C&?)7In4ki=#r&tQYifct|M*t6e zdPe>8(jb_bTKsinE?bzO&M&;5zEKfeflT3*X)4B9f_fpcm40OqRf$fS3}IM&9Rs-Q zOCmpp=Ch?O%SqoU@~KBpm`IFgBq5s_Ie80GgER-nugkmPDYy;vdx(X%ul{j9k&>c0 znlIr#d--TFF)~)8h1pnBoTtn0zF24X@&vtx)K_&@<8E=a9&W{;?E#F6$6UI&Yzzvv z`?hZC>~4x*6J7qOKEx<@KuEGhOYYDNe&g@}HRY-j9pevuKH257n1!8YUCQzo{NgX1 zVpy=_{Raa*1iZ^l6%UMG3a^)~75Z~Pyv>YXzFmD&IMk^;GZ`>VhvNF3(+PC-=2v}N zRlNibOXdH+_yL_x7MZyvXR=H2d@QBq_=ES32Yv-aw!sDu(KbKf;3U~giJ)x*a4 zFH)JOEq=QeWAxLON2TKFK;ybkby*Xg7DcQ-sNs(I=$8@3^_h?i=BP-L;JS&zK@*&3y-y^zRR!F=Rx9)OTlN z8>4_`xL19KfL&f?b6@9&!gIAY84|-9)h3oD{ST8bDg2Zi(`FnJmgxB(?EPm{Q(N0V z3g3I9xRs`&fV5b_0zpIw9T5RhAR^q4yA#O*3>9kQN1{_g(^sl+b%`Q9=tv z3=lfx%;j@GXS`qDG2Su$@A-DV$Z)X|FwQyGbzQ$^v`R~EA`7E0fnZdZc6;$(>NnRf ziF~pwGFjWza`+K38kaGom)Mun5=_}NWAo7$_gf{vappNiZhniC)XK7r>(X(`vV8dB z-n$9R%b;Zoc(aX3pz4q#_umK58|&aF*z57dj%fpS22K4Ge7>TeLu^L2$EM|_heZ6N zF~{O392EF_77IS?=96R|OEVY2^xqVo398E;lzvV&mFTYWRy!c%k6CJ)WfVy3nmyy7 zhiz(;UoX7#G%Fi?%CX`;^P%e+?vyw<0{0VYGZ~D(Pzn3|JqB|Px$}=K8w>;mTM={h zEq)^0C+@C&W84D<0Zm=f2LmZvrQx+LK4B-zoB=K(+{B9`Yj+`wfuZBxxMKeDIikpO z3BS(?2{uO;76#uvlL!^EHp)F;yIx}Vx7`Fh@tLiFOB}81V@G;+RC&kD?=9&c`jmvH zM?b~Q4cV>X3w6KWX-PB=8FAcwc@sCx=_-u-D)ayrqQ{Xf@*ewLc_5%z)YroAPSm#eWKkBCZI7;i7~^ZjIfG7mAK;? zuD4;27h#ogW=~sN0{)(+*V(j!vqNZJof`rY(t`f+S8%Tc=9!DE+`8bnei>5M%yPA{ zM0S{KiEOLcEd3F=rFC@MV8LhQM_{xVd7cO3a-5iI7s|h@Nvn-ziE$WS-&=hq!Ro%! zAyE4>>A@;BN@=WVyyzNCoH4F~>ULmZ%0m}#*>mzd81bY}#e=Ki_45wD28gzrIrKP6MN($Inz*4EymrDybEbSceZygZIDj45Zq6KQ?^#XW zj>q^4TbYI?*q7sXeCi}gaW3$JIUVT2ADt9#BjqKyBV*5e&<+B)l(v07psjCwJC>=xfGG^?YX25Td5(=G^<3=M=$Ko5EcwzrX5*zT;l&D zW#(MickZ4mOIpHdmHbgV`#Pn_#;Dsey3$o`Yg{ArY!6GfHV-yL^#AnF2mjMQN4V?# zL9hYPq0e~Cl_8$TuXnv^GwV4VdDVE)&@=Zx)$!I1-%7s{iarf+3ZF7i55W}yp9)2$ znbLbFWgnF3V~qNmwGjqW8L}FMOJ_O%&YIS9b%G;#R+^siV0d_Kn7-`U4W-wmd6sxi z{{5e|m#Zp;dlC+ch@8EHxius%`Yj4 zxTb^~T6{TbO5Bk?VWYgeT-0n^)KRIN=cF}L=^KW-*1;ZOJH^%BuI;J1r=42h|*p6+QLk`e69TPWH&QR4WrCdK12IdE~R=@M)m0T%+QE-8Zh))erW0uxbD^Y zA+X_AXXWvr^BdU@abK>)LLf~}xmIRZ+IUj!*=r^xZp`DaC-q!~gGo1VjQhTk#O1f+ z{k-L9|LcCKWm1ktJDIz7UEz{*_NT9q`o6HVOTQ#vHY2&}O@N#*SH+lGSK)4i%?Yt( zP>Y@+Z1CL}5wK?tcVV1+X0QEq-i}(aRH+f@{aaBsdcI;FE|hM%K>%L+PAgAM#aXvLjC<-%f6*3?z~HUqYvNhtiu#6P#U`28 z{T``=crV4w^NgOsNjs4R{=#GsVOZZBcf%b?6ZWE<^RJi|B_ z2j?a^hm`5y1C7*C=4qqV;mcR#O%?)Rt1h+M)t=`m;lgZw)UCUE4eq?OElX9?$rFjA zXuIC+p{S9}ed)FGRxo4sx}pBG{p+B>;Pi6wK29!0{k@c5^9h z286;ps_MYOq5H4&cgxK8%H?4uKFB`Xl@1N%>}S~{mG!{9esQrq=BJF?v-ZCU=|X3h zTO%ZAf;FdZd4GNCb+ZVVlg+LE!-uI7op@k0b&u5NlCr_eDGmy?{e*RkiEz8|M`J>L zknI|KSAbq#Q{DTFU&Eb&#l^3^T5(^$k(^u{HA7rCm8FY?P!&)E*C{>-5-=kSRUkR_i=XBLf)AEZ@(cOF^mM*H0 zT)oP=wP)W*7?0JF1%;#r%@jN4-(Z@C(8MiZ9;;ab8M|lr5oM-} zv`K)tAVVv@Sf!m&41ygRHNUhEf%Jt!l*i8iPWPn_gO6Yj^Q(@94lWMp&FpG%IBb1{ z*ZAsU@Y}%f?^|ch+D6hX+Ryd3oPdnpszyjc-L`e!yfsi@#V4R`yej8n4E6gpak3N4bLrb4w9Mte1qrx{$K}O1iiFq zuRZd%kyR!)4e}tAp*8EY4{ZIB_oqHiVu;HKxeLV>$oN^7sIae2{(wA76Jy{$fby_9 zbjD;OTXOq)qCo=qc=B$bo&VU!xcc5T^={Wr>5m$^$@ASe&D|(km}VqQC-CpC?vz*5 z=8XZ)#a@EVob*V$%0_q>WKO1O{Gs?>^@icI;`okeEikggr`w%Qt4?*5%IEW@6~?L6 z%S=k_j$OK)W9y!$S}kD9yK?IfYFA9jO*|l(kv#Lc zcu;eAj?t9eF;eG8P#R{iK|Nq!`w=PHLeD~y)7_TX`cc3ncTSKXB> za6i5|jq`RoLvBXp86A?e2d8vpmEA|pV<0`stZE9FKu0l!vSr(L{+7OD zcR@R|CeQN`M8%1|HTyr#7CVs;loScwv;eFv>QmTek5zpa52&7amoa;AWdSyON-BCI zg2m&gVK;xR($3eqUFmy*ums*O`6jvL>06mk0e@A5n*-=@EwRmkD$v3MN!~=`)et9Cm#lCf0Nq_S;-iu>e~K zHT%iotPss;Xx@NyH`_60K4bIJ_#v3Kh-6<1;}I_NG6NwaTuZi{m0j}U`(ACa9!Krs_^fi`Sf7&d+JQD8aeU4*Z%grO)8v^eGwbPS<}{rg zKf|*mF(Vhg4XYx_HpguhDdu~ZuG#9z=cn15tK9TynS>-V9x*7*>;W1nO6KGVx8^G&ws3=tO6qcJd6>dj5K-Sr_7M zEGs2=3cnk-fM0k5?UZ@Q@Wn`G#!bmhMBe>j$_PFQ8^e&oHuKRX`1=C1L*xVhY!oSa z>+Xq>aL=hHQ@9AeXqVM9v}(_Msnp+IhacBystd*PzOXra)>VNZ4T0P!yL!Tfg9~(h z(uKQ`m;S36X8fl~nH?IvE&LspqM0p-gF?B(9M0L81zHOo%^#ycp%B)0w!Mv>6a*N1 zFA*MjX&jDjq3C5#9wAGEm;z{Y{Zeul7t*0KWnOBp-P=-S-MVUNdlG zB<9a@p0XJLu?DL{_wP`Q-tFcWEqVAYcnEyIz-g=+^vAQPe{@iJ5`-$_ z*%6QYbL6gKlf*>Z64G;_1QhZn^(2X#xH)mf1S!zmr@bvW_tG@9vOy8e63hd<6`?p! zRo;#2w93AKOGezJ?1d(80%==IYSFbN+rwxU zXNSz3aCN7m5Gp~#?kcXXHL^xnT5H_nqvxp|PX!y%s5WGIQLR2PWh+e{n8iizuyrHn zP6SL+lN1Gb+Khub?SDY771n>TJ90q%mbS_4ZXB77{5SdEh@w`D7&6)fD~kY(<}*7G zuc0Cq7M=BH&v4&zK8o6iXb3L+h2`@L`{{i-F$p_+(CFfy^qcoh&n_`gjvh=BBOy?2 zLa#cjCV$+1>?)@FhcGVpj}h<((lCnj1Wwh}MDJJTa&p^H9Kp+|)&9%Ec)isS!sFUY z`5EoIDsL(s?fNgPhd)R7lHa0THOX(+D@S|mlSi}_$c!gOkd35Y?iGoZ2B-wd=TCki zzbov{#!MWaKYFjSN{|J?2GT!gw7F&4b94XsyY4@4Siupwhk^EF{Kev{b?xnz-{0 zH$R+LX4-S`nV6`yR^F-nHc0%B+jWQ6!MLG4j?+s)L||dr;7)!&eYQlm-Px#w52rSg zv4g2xd$jSt%l*}VmpfA;*+$yJsWY>-`RmquAGud@^7hH`?h?#%8h=t5J<6WJ%rF6+f_r#^ir=D%u07Bl6Emoa)#~zs2Ce^S#wa zL-Q8i69XXMu4&X3Q+Fmpl}3}&E2D_Vau4^V>qhXruwW-{$1{~lI%%7CSxH%RIIV)} z`pP(6Zl@A{fCm)4vY^ba!|~kQuuBOWODsZ8tW~`FcCGfEO9@j!eRp>|Ta?Y4NG7ca ziENVMIfsLL*S2}?idQX%FaWjItByH%BT|PRkc zl9fl|+Df(Uw&FkX!|f5}HdNz+%F+H7$tCI{-U7b1QBdYDQnZ+8evuvN8}X)2B#?NS zQ9e6obNA6gc@ePIH4U}HPPK3qx~oS?#fE>J5IFL8`aAa%`L?T2k&Akim(aG;1aMFk zG;KYzu2iMfacN~XV@85OExaBxdJ^{gyok*8%G5R78{=h9ZDwDic@l2F5*m2CJj&x~ zJV&ca|UW{pw;k_5x|N33X#-yqA&VO*gQUEtYT(*gB5jZ|*M- zCLaZ{O0yvg+*0J?gn~_nTRi9OKDQDyYkG(Ke6u1pKENjm==AeO4XUGpM`?5=M#1$i zQRk1db{4PO^$vht-(&R!O~gkZrm_E(SGZ|)+-16&9-x^hxLNuT`*x?aZj>hcL|MT$ zThL?QJeU>++lO(AYT&l-q6K={6;Py%s@(!qC@$;3>Q^b3dP$^Ng8nv$2pCsZ9=#a> zK{{IY6o{HBr7L%BoqxMhl_+rQR>W&`f&pn-ePhs9SU-XG_cghxG19-OE-O%wMe9#% z#ZPexJN^p4ZGud@UBn%%dILY}r>^{NWQ!2E^%P&4DFH9UZ`DBg#*?zZ7TAu{13vf7 z2A3Xp_GOWLS##8Yi4w;|?20WD7F@aJYc;g(Wm2*b)*-tuzgG2>g(qyS3mMP1Y$BC?x_iFxch_AeQJMLMz(Fkj8)(QZv zumc`by;aVTp)Wu_uziax;vfRgmVJTRajKJXR3ElgB0X5?^_fEt9k`iFzp;4fB+sLt zDx;O;tT9Kj`uiDoYG9P>PAh-y{%N9HzN#iKm~M!^Os${z-l2l$>cNEYAsWsqo%4}U z{DjJV=3CLoFQZivmBJ<=4g)c%;mfJ&(lfY6YZ8lvG2N?^)Ap~}6(~Bv8ho%!BCf8u z4QL?NUmH=AqTw9QkDV)?@$tQn@6Wmz6lZd0<_KHu6oS{FmMV*7MzZ_!jlv)~JAEv$ zeU_SSmR&aJ;XWeQq_wucyZlM8+eZq-ivSOUgP-t(1QPJgOfOF^`w24ohBMdR1KuIl zhMyX&`ozBOU`_;aRDLSV42c;G^$KH{Kmk>JB+xif+A9hFa>9Q@3(6VfcI!sG39PsYCTANU|*QM8+zg*N?$LBFl=KBNPCv1or`jB0`skTzpQI!YC&|+P_ z4H;4<0O#)vK;HfJ*4n1}a~EQG!6=O95-src*X}Dbm+di^^o-q}E%<~;4Qfs6d~|2G z?()zr2DGmN+o0)QM-T`m4%vuLbjf!5+Y(a)*1Xw2t=E@RGv;H8KPZ2aIBMn}ayF5Y z3`2*OaW7A9@{UxfN%##sb}~0Ee$HGEDhrYRGpf!z&v~~SbqDQ}Ben*I0#DgrSxa+R z@Fg6X0*i{F(`E9zPAx~Re$f%!&I;W5yPy55VFcIpul(dnUVd)-S0|R7uDK|9woSoX zn!4?c1n6}$^2JVnE=-tKe9mGME5zxyP2uz3N*U1E~uq8aJ5R; zD)qtV_kF>?Zs@3sS>IISoa=WLQ`WeAqwRE-%9$JOmXWsYJ+zSne9v^xeo~J~&-6ml zf^$m8T18#Kh}3e;@Ln!$YTsq}=+~j_zDlxZSS5>5%qG{aTzK6|c*kDHp0-ABCVRn| ziZ`~={8#FUeQ{Gx23P}Z_DOEH8SxnjM~!~e?6%}yu?&1!WEm;0n5IcknPkjY^A0`W zS2cAfS{_;+W(imihKvMHd=poTh$4{}JAPH>*5@h=9Sf7Day#)<3Q$DXeRwfre24)W z(b;C#_ktyUDg7W9J^kbM(27-^#l;H`8M(RiK_y1i2jZAtsg(QgM8C;18vn-^44a0Z z0Do{Jr`AhB=W0_@I7I%*x)#rPO`heMk^{)s1JgS@(Q9c1z{j>s)?fbG7VziJZ5F?w zQJ*-osnhNULWvx56a}1>R0;9Lv5raYwtz}C&cX^2s@j=~Hg)8NGF{QNDY0vnD@YLr zaA=sVe#Z`dfM3Sj+Joe`+^HXqdz1`LC`NkW@^@%38PK#h$DPq#++gNNNf<}mS;GVOY z%yfJwnj76d)Rm^~b&%uLiOvn`>ri?}_fAs_m$~sx6~x8IZw1*Tr+$1n zQMg0+h3buP$qN74b}}$Y>rUO5?S^I)OAnDt2qC}n(7DP&XzZI=Og>vRvCktkBBCC@ zIVt6b*>`sMDX>n7pRKR{=W|$2Yw~7p{V&1^wBt-!fQa*A{GZjRYM9qF9;KO=h2)he z5cd7<<)S`pI*hkT%hM$|ENa{G2X)!z2xp**kBW~7;h9Ay(a$#|?Mw^}utP;ov;9)- zt0EN&q;T`RyA-=WH{YtLpFB!fBHCVE0NuPV|EugcYg9fJdW{slbMl}OokqGxzs0}# z<^#1NCAe<%!P`3mV5LXDv3TLjylC!}yhw8gjKnJGpGTm9HNeSj_A247giEF_bg@)B z){YFEw>=s3W%0!WEfTE%7(cEgLm~ z&x>#016gZY?3+aHI%*htaOHa*VZB}4@Meks8!*HzD8C40m)h(ZX+iBdr}x?13W&e| zHJiaw4l|rM{a_$RW4k;X@x)UGG%W3iy2bkuAQgVdxEbt9!+{f8chSq2N7H)_w@C^Q z-@R&RLfBjPLIN8(w8QCn;7A`CPnCd{b-|>N@oTeRB@?;^L|%=Fe$NQyz^au-d0iW_ z)y);^-+ptvv-jJwxP0KV!3WmUNja+^mUOLVu{vJ#X!SGZ$hG_>kn)uMoDucvdi98K z#vBB&i=ut>IKAqD%FOn-HQodAo!|433d9h=jDBnuH_>+yOALFtJHpI%Be<;heGVls zULeVi+9j-k=EoKJPnIfZ@3YDk0fhwC?=xL>@e;E)LyIz}vCiVEaS!6>RGHl5t}fb!WD6ewq0Sjm#8jT_|Q~-jy8G5pN&$q!~}DBz+4$` z=pI26O(>i_53kE>L^V+KkzNN^@C)H?Wi8ycr%fKMw-aJt1`;9Zqa|kz5_*A zi=RAl-cJk6jDo&u3unUP^)gvj76(}+@rK_XP~wxY&PSgEGh?8yTK@;%wputyBL%S4 z4;5Y&k3>i^<9>D~GGAqAyZ7Rv2{Xh6Q}|0%lm_A+4TK#d1y?}ES$#pXx-ONWhdMj{ z!k@+Fw*nAph-2Cn%r<;Rb zXsB3t^b9$&$>H=Xv8^s;?+8Yx!cg*@Mve{Y@Zr*MKD1+R^LdxDRWMR5Q>Fui;OUb0 zC(FC*G+1R{UG0Gst=t|0rlNaQt@6E9&;gY|NHL>?^ZyzAbqf z=L}qrE9(A0`PCYDJ8vnA&sdOG?%hRc&0`fS#T^{f8#7d4UG}z`!lukEbD){>qhsm*x^9ZJHfJJ)JSfqF@f{s$x^f-5q{H+u8Kt>F*hwTJU3XUG$*MZIYKDUG=*h4BiG(b44dSZp{= z2ip3fC`bX+j-V{kBSUeUle2h>c$m~qIPf?dHa8jxQoRa0wV#DbOEz$G_F;>q; z_{p`0w?$Q?<*$~{D(q&M7(IPCn#r>gJ;--fJv1tuEkqbpB@y0EYRP744uy}Odi?L* z(22j)e9bK|thxcNHg&0?iHoumISQTanVfNh7bKP#Yp%Kl9b-p*AuE|fg;3i6@te=v z92SK)zW4HPygk-6*>>+vBr_KSTb1v`_x5 z*}`w8rJX>6+mIbQ##{`0btpRQX05Nrj@kIk#MK#e@7;2E(#cUh;Z6heILnu)_b_;0b@+r9DVqi?hNo8S# z=Ccb|uR+B|-3}?oWGvGH{(Z_GD|IYQdy**fAb_rehdi5X583rWK)-RO3;0iCFDBx-|{n%Lrlz(d=PoK+;}EbDmso+P^0iPLTJBAwjp&q!z{ zU-oUx^=NUF8cTR3%`yA0c1%RkoJ;*))0?O!Mv$ts9Y4xhesWFld+S=!sIR)+tP5dp zos8=*N)ROP{0K-?!20dh3qv9q}Qs4d=Y9au;3Q;2ydA4aG5k1avHVhH}Oa z6|O5p$ga1(pS*5t_*(6HZ8(XBtcTRNWh>SHpsOd^Zxt9d;p!B?1dL|HJmvX&15YOe zh7iw-F9fesBd`QX5Rqj&4^dK^0f}w4Kb^;stkEc)-q)2xenr(c*OHyqHxIe?4zoQ~ zp)zqsl~>DpKmJ`g(6$fuFQ)p+U8>20sz~yljLZ>VW(B6X;>E6hb(YMu(3;;`PdO$C zZWAsn->0x=j9((l_9P#=GwMW8!#;=Cfk>2g#88zz@N;x58-Q8WdN3AsTi6ET+Jr5~ zXzT`kLBEQULf`kSzPR>5TfT779%UAHY`Ll}V6$jZCWTjsDgJuM&!+PoKP3+fv|K(T zh{>Sw|8;Y}dN;!IeC%AG-$bHAAQqg1GKeRUadXlj=Z$xo5>tZWqMRnzc@9iM{}G!1 zpww&*&m(iE<$vx{16n*w!c|UTJu7fqb^LYNKqWX`_2S!2a6W zuji}<8JPQ^YnAmAa{6AT{Q7cUg$Wf9x@+cvE6w!NI+a>0yC<$^desDz zb*>YSa~k!&zWxqUnv2&s+#dxI-9)3!)R-^OOvK0J$P6_d`1_P8WBXFvdQ&$(jMssE++#ZccAB*SBk04QT~D z|CoTlHI4)YE2V+0MU9DA_+F}g-R``y?|1pS>lr?V0GhKjT(A{Rgg22d6DxC>aQxUr zNRpq2l|xF;1|0t%s59@ zFf4BOi_YUrHd9r~-8LK#cov}?rk_Zfz!Rd_I45Wv-p=U6P#NbUK+fEkT(zl#O%RHg zVYU2KomfYP^a<29q+f9*c#L@qKcdJ0$-6CAZS&kor04yv;m04B$OIGA*MjbE;B?fV z1e@879Gp(4H_^2y9z%Y)Su7>fi7koQ34P^xfwK=x2IBi99)_+voqgizI`^G_<873V zHZQDDix~bM-y-SI2rv!uj7yf(Z+o8c} z2!!q1#bfpTOeMw$L%vs7cMV`O0Vf2<-ZLmvxg5Uqqc^TC)N2f&iRjpUd@gnz3QJfv`}x% zAlP0cP6z=g>Qmu44-&>Pp9ND)oZGHVef!J1T2hTuZC87i_U{N}Q042KGi<=gPss}M z&d&2=LqC_Oz2jGYS1#`tBy-_G!@U}qOrC&rCFv4NEf=ZhT%KbcCc2<&ftO`4+9v88 zQmhg{H#c@1Sv;8Z$)3{xSVUMv-F#o$xH~XCQP}k-u%P&wc#P3rtSE2k?L)aNLKdy& zW9AL3{IR?E#Z=>^M;-KcdW2NMPnG>U#=YsdR47<#1{i9Y;-IrC#zgtBp&AgbK5$k< z+R+cUMYb{328x`yLLjHE@{!zh?ub*kdtgydIEqUFpq-_ zU4AO9vbo^p29Lwkc=sEXrE9Ii7NC282fMaiNp<(m1La(gvo-WCeAE=LVP3ZXSOD>x|kJ*c#(2;VQg z+J$aKnT{3H-nP3H4S?=r==k}!`T;|TWyI5cTjQ(wJl?cG2EH2G@Db6v=}+^kphmu_ z3kKN;4MS7x6^bzH(U#QetxZIr-wD236akwdiXo`tMG;nuRxCqq+5^YG9T}e50A!;| zNnn0K{HAAM`N5f#fkKZ%W%#gv3ty@55|L*{4Y?x^66$bCtI?9825ZRW8X+hS+J%KoIj>7E~I-@AZg-+&QbG1tl+7 z_=ZRj$sl|Iq`sSbiPbrL=_Q$t^MO*UJTfjosixaHzLy4mH|BmIPvBqhvRet43C~)ZEV?82|N`6Lm_&j>GV0C%9ikU$hs5 z=p#~bwm$ud+7<)!EI8r!_vh|Y@r!~{Hr;0|<7xcFgoj;=qX@V{^%om%x$p(){g;KJ z@IAMrG_PYxkH>0vse$Bw`-%eP!2o)VJxGHnGhRV^H&Fc#QTj$XO99Ubano8d-`aJE zB3WEOmszCy9BqGgUSvEGtJ?394?3(lzrkhoeYvUEnTL5>U&sA63j=||>p6v+XV>Wt z_$F&)Eu0(wnP;-IVe&9e!u6 zb-BDafn&R&AO%(H=EhCcpLKN*|DSIUjp>Wv=2K5@W%Kwh`E2lxHq0osBfCNCTd&Vq z&3eAf_iCA@Ff^_n&#s45rglR81Z}4vM1aNcOutg#Fo*&hG6w;uC0Uy zGim*9Q81poc!A6EMOakKp?CXU!wHxX`2pvhMX{)K9D}Q96ujwkGVpXt#wC$YN}DCv zHL+fHqt?M+{Kh?XqXxj!9c-#!M>FN5nRcYIf2!UYN=$hqa~_#Kr2I^pLgBm6 zELgtG*>!ENDG~MqRlF}C*KB}X+Z-+z={sKTmzG5Ag|)~hPBy-;F5Kt><>x)6#kZa1 z8OqBuUDQeSyS=Y5_ZlZ(ZeQ^3|78Z>F9dV=+I6|Ji+{f`J_aFwLr)-P?^A<@!Fw>w zjVgdL<{Dd`c_^GY{rwY7T65>-o(gY2bt)vs+=SD>TJ*wmS z0-XwuUlMnEq!yCKn}@4|-3gq1F+E=${DLPkkEY3i^fvyQ#Wj)o21V4efCxrlBHe}b zS*m-XsvISk7c>1_G^$=C1GKco2V3v-rkK5z9)W$!yOf?Z)?2DD$kJGwFzf|jkCo#$ z0u9zQ7?97p9RCiFvDZLVvG58mNlFFrWpSBp#=bV=Ll-g&;av~&0*#~RqQ0>4pX9H_ z5BeL=G#Z0$qM>6&0lUN9~KNy2DgoI6HhVd{yb z4QX9W0?``=Y~utq&#EWFau340z~HnXEM1;<+0+p8=GBIe2@%>KEMXAiQ8iMH}xORghQrt#nte00r$%f<(gJAkNpGc09dn&5JLQh7hA=Y@)nX~O!<1>^!IbxhQ{JL@~e!#X<+vUtl5Y?W2AdI3hBLVkzKrkvHDK9@B% z+U#Cc>wn5x1wv7>-};8ST~5L>YCu`8c0MN<-%&l!Zk#zbI1?ii08AeCQq%_m6stoV zZ%*i}m1H=NakLnL9m1Aa@ZZL`D{T7m7epw9%ldNONYUtn^{#ZTya~vMXr^>P(^i&o zxh%KD5}TUnv#I;9p9ZJ+a(c%{zgwdKvoqqakI3M6Gy2LTG$A=+D1MN4W#&G*cWFEQ z)RfK{v{kRhM_|&1R*;rCQazJSLb#a9HlK3p20cpT*LJac6p8Jr=FOS4`; z+EZ4;_G-K%(|J;74FB41?i#F117rD)>_iOBFt70YsY4D-D3*)pg<@1w3VY+nnaQA= zZ0t*Io=cP|6mK&d@!@qz6=z5Gs&7g@aH=&YOFHcerY=7i@Z|0w7C-FYmIX&%@bQep z1K^o(axeuT{1GdinD)l_Spj`I9*4L#gIkA~ectk;4K6;WUR^ikUo+RJ#d9`jW?Igy^3m`h($$(cOL zIfT)Exa4nBbNqZ0H{{F2gRep}9&Ltfo&u>gZISPuU0$YjiafhqJX6F?dB3@B(OQMY z(eF_r#GbtjMjcKQm+1_Xf2j!@b-w-*>!K3X5fscp`x?p{+glWH#WWmGL$YMT3G)PG z?LTDk1V|bN?##+W=7&8<>@D5ncq>TcCMLSdCxMmV1H3qCP8DkKwJ{NF9`s7Ff)YLWu zs8nz9)m!P$(>cQR2kXs1$zD4HrY#n`$GScHLNs5P04m!xEY&>Jk5fRncC){EL4Lbx zT_7eN0grJw*W0{6u8q2Kq^lJ{R@c#EA?!4Z_ z9jfNq1qbk;WMi26_si-kU?_>82~Z?2ciae@)$v{)j=i#0y5~YXC*jBOu#L3&#E??T zs4k|ee9VeRuj6RiXHBj}f?sKN5aqMWo8gxfgR&dEA}=2%J#zucS?dP~CpSc_8acks zYZ!B73yS2p*Otw>sjn>GM|P2`tyPfY!}6uCNOx1bla?^yc(0k{B=57(N?* zUAlZg0||H~h6e0?Fj^(ER>Y3tX1e{0$jaalUe$Wn)rrkx3ySb;cEmVw`7&XwSJ%XA zZhZ#JmslY#yfGJNYO;uqrIzlhOa2C34B{;*TkC#AcwFE)o6 z`Bc4p055!cdyV~PnLJhPuzh6B{;d4)?Qn!FU1yt&=B9;&XLuPRbXoT#$@B1@>fMn^Ue&t~M`a%Phg7Y|raq|cVU zJUlwf{*ynx*sGzf29#KaO?>Q41Dt3Xvu=mP4=BCqnS2H6g$wA68UB-_c@63Wa=zfin2GuE^hS(BdE_bq*XCFJ-w{z$7aKKg_ z&TYj_n7+KvwK{t+fQixVt|u!Th0+Go7mftC6{_fMhsY$DGd*S>W^;MFzKU)sA8EIw zeJi@;CmmfUTf6r>PT7k-f=g`M;YZxJ^I%L?PY>0AFz<^O;%_qme8IyBKx`j4C8j_k zXEP+xH4lqIuq~dnCfA-`1a?AL9Mp^xD#-v57SRP=-F?v4rtbN1E+ajU2cFK%Fnh6GjMK z-5bUXf{2mSm6r-NqmGR%xR-Lv24(CxjUqAoeK3nPlHF}X<_ibHclrY6$L8S-V4C}o z3MBveld+|86t@4AUsE%-xSOJIY97u`y9V1T_XdUF2hK6EYzO{5pdfo){je>A_kUpu5%gh}9iz#C%mf>x^|12DWV{nF zAmykB=g_Ic^gW(gK(BQ8j9SjB9Q7#fnBt&==<8TcV^iQ)I!7{p?qJ-TN%o+<^ywgn z&6_@?--AZK(i2hhj}Q6URIw-*CmWYQtDNwhXSck0+90~wI$F>^(OWEdUR3;0cn#6T zwzoZdu)EPQ*`8ymCx3{%M~u|2Vu7|2kBh5I8%SBza-eggK0MRCkpe*7SlFSk?3ubm zY(Ob1?k{`JJ-%1toUia3qo|1U3fx{UU$-XqcplL+`VZg-4UruUmrO6IEV{5&0Mp{U6Pr(*vNc`oPAS3(q3qm?FVU@@8SP3(zg3idI; zixs8f4nbV7u*A4^TCtTb_?LGVN1}VFG(`MSPkKan*j@Z`r8OA6!bMJ{wC>$f*=JJ7 znl3e}jg4{&QSuJmPOEPd3|*P_OeN9M_sCW(ZD1mDPC8=`PzTTL;n#r0$+O(UT&mn?H<1UafOh0! zGYt9fzSYmX(AzyKLg*d11C$|00p7`&xlN1yKWf1KlQzboxiPh45Ua(J@owDWW#jrv z4dm--u!|Xy(XC+LFSdO%nts_cXSueU_QfUY#itP#R@||_O02JKc%nECxyrAz*ETdf zwLn~mKf^fg;20kj@UcZv>dc@(+4UX$TjXGc?4svAW9^oxz1)&G_;>oMc35!w$nH+C9sYgOydI#VYEP zusZBg^!bB{yNFrn%w4&au#{&1D;WCOF5uwBmvcY0cl7snaQML(1gvfgdzJDx?2zrDTK>qj0eayW0w*@-Ut~exz$;}jrk@;0gwpsQB$~ZtW5?6Vu#>j~J z(J9uG3s8f^uVBm{*YKA813)$yL~qA!kGXh_o!E0a`yN~v_Az;F4Lf@fo`GbpzDh=2;m>uw?Vt@4>bIYb(ZI-SRPioXwT_&-V%YTd zrMjAU4~&*RY1zBTN%my53yskE2SX(K{$ihYBSshCvPhwCNvMC1uVG;RbyxN6Qg8<^ zeyb4$z50|nKU8Dw3mX`l^J{*Mx1K<04DAT9kxK~CJ6zgadr~0A;m9%RK#$qt&`o6T zv&87U^L_^eZ0;f!Oy?ijyv6+U)DQe#_^RU+KN}|eLI#`4Sstm#cO%5Z+0cGeD@zNR z;vdzd!un-~=A42WX)(dq|OKXgkk=dQO| zdM8*J4#W&AY<^}N`U5oD?tRZ)ga~VupUd9?%oVADyarykC-zCuV2Lt3J-r@VaSrME zoqh8CA$UjY7cbyzB@64th=X&l5>U*%PEBW;y%v%Y@4u!X&?Z!XQxz9zmqc?0fbGq`bSDjbdySu^{*=t}H+HVAAm9-P_F-Hwg%+Z|S#8)$-{Gj8 zws53;T>I3}g{<9U{Jy8w@_0yP{)*CdFnZHNNcG46d@BM7$GaOJCG4DQb!j?AzCd@v zg$*{g+GugMcc_;0Vpq1_AG`!LpI%qM?;kEtx)o}->m3C^3MGX9ClX;^2hR?TQ>CJi z{MdP_$I)RF7TZK_JJ`QPKUzmw(-9 z@)^L#aB>1Hzd^Y7D5w>2e=J|cmqkA?rB;X=0YcTBV%0ExrKAVGx#x|pu0nnNpzEx? z1(v|4H*WwZHNRIma6JDH4gpGyysm4f4Bk7$+I+gM(e~{dbLSjp%gAKw4ffNq?&pm8 zwOiv*AHqGpPAN+RjE3GtzUx#S7}}zX`GL<{j1KTDRsLk(#j^&^cG#{fHPs_oaqdAP%6=;d0>k>pC7Dv;;eZTl?WMdri7 zZr~Fl6y?=?Es1sK77&6v>t~b*5k1bA8r0o=4NHq3``rlrOGVmmZ!vtWV)ET*FBlKm zJ7srcffM*>BVWIF25ae-38?(t?Sx{8MZOPjA7hdByFjl18dJ_HmjfG_b0WXP|Ggsl z_^4*$@1)=>Wuk8HX(L&JORdW%Cb*`#=Y=b`Jng_!$J7BUMGyU`>U`9->#>=N+!C*& zf0IaeaHfl;JB*G49z2bz%%Er*ngi$iP*4G0fx43 z>SB>Z96dantnj36}>1*JsTq zao2qpYa!X$DenE0Z}}AVe6&pc;UA#L6XWQZ#{yUAY?@JAI>Z@Ye=taO=rdu1Se>u+ zc$h4N!$&+SC<>n7uXWV+M8d=abnNU-G3{^=TAlQspl3E`!m~i>!{yEa^jSK9(I0wf z>(i@#Y)Wtrw^(z`(zm$Vs&3A3Rpk64*x~p5Pu|72BTHiXqo`w5N)1*myMaL^Q%$EU zw?Aii*zT0S1Q_Q@Ouf1>aXM^#x2spVaQ{5~TE*0-EO*DoRm_5A!Xt0H34Q{~9qDk# zKv`jWyTVzfU93`WEtDu#mR*!4lEAm_1wLagYMj>{Pv#yoFzVsZW7{d0Fm82fUS%yq zp;=Z%#1{jF{HbHnS+m76+l*rXn6%Bo5<(~FGmS)b1#cM^BXM#=B95UDHEyj zv9R7S7MAdr#bxaY&CQ59++}^eu$L}<4^lg%MkI$Ig53Jor?rjo3aNfC1NguKc8hiU zgN3am#E0gD;1&LPIkhof;CIloyYVmX5b8oG13jtrkH-8karM@l z(yn^Of`KZH=K}0_$8#qhXe6T=2?GOe=+N=_(z+n0MWY&?$|P-cU6OD33WhpxjzHfY5{{lRu#zLbd87AVq& z7Oy4ljzdg%KBrp_fbbH9D>&5i+7BSoH65nIH97UrQ|!a0%&+5pFC#yI>^c{nQ41l? zG6A-K<%c&|8iRcgw4MXtUo|4sgojXp3ZadEKx^cmiC6oN*j<+SRutuyW)MF74ldN9 zQ7X_Z56|2E;8GA}_1$n|i@}v{{kEsx=}+j#MMd+Q1H_SVYYNAFsp_60`E0ds^=$DU zi3$l7yDDwFH7`(T>U7jwEc4o^E>7x!?pbdw$<5JJ1i?#GHfLkDbxBmBIpmT5yrA;Rg z>kG||uhc7B%iSnoZ+g~D(}N-ykS(PsoN40-C05u&IaNl?ZL!;OjfNswf0eVa?T1@< zZ*0quUhlu=9`Bb!i;N30>^5I`&DKt<*uJOXLs$lA*j-7@A0z*WV4A8}F0FN_!8m}M zjFST}tl&$mRJ8!cM5vYRh42t@jCOYnLg=H6MiIHk$1Axn+BenvC$glld+=Te-tSzN)$^!0|gIu8L# z%?}@drgd)U=EZGReom2J3*09D;Sz80Mz+5kmO!o88*_`Bdd|*|BR2YOTA=vIrlR-@ z;)}LcL64QAYbc7{Tz(cEh7M(Ek>3nhxT8U}QLoiQEKS3+_ii83<>d=IZJKpwCMI^nyV3|MhJYaJW1vlYslj4h8LaJwvN_m-6fWePBlVY1o|C{WEdir|JBeO8g^=`PY9I zo?H<^I{zvpt2!wN2Sc*(ah0H;ZV6U`FN9lHQfu*gIH9`atgbAj@mb``&L2s~YRP%1 zjSBox5iPzh%%%#C&?p>xQhvE^J5r!Oidl&e7CBI46v{MwzUieoi(`>WsGxP70wOd( zFT$|UV{d>-597hMV%glN@X&K)`sq?6o0+Z>#KKmN~tU{|-Vzny@csc!bzo?&!D!>UwP=azs^CB$$w5E2$S{S9#t)ySLwys zAJ@_zYF?3l+^M4BDr4Pv$4W>emvUJqLGq`N%92Nk(4E*R3kGamgEaOjm3v8HMn5uy z3^mEQn#Qj6o@zp= zW@Qqh9${pZ0CgZqT#4}V>i!`tq({=EzNz{jV%vD_)zzy8Hq6>aj4$ zlyi2x*sxm@!4#l6TMd2VO9I?~9tvj)!0|=s$gUmhPiDt~wbX?93&-Mb0jhn+yqE7p z8|RMw`9ISZIJ@_rNp&l&xy}85|39mF(XWCqL?P7Um4kfjlhsj+|EIV7Z{wiFg>gu? z=(<;In-=#rid}Bhdwcq%p%x`v)A-ryS5`Uc7j2@w>(2P)P%LZu2!S7GXuc#p_{z6_ zn&OTZ@;{4;)KkRZ6=a9J7Nn4oS?&$y9ywZ`Eb?c)r_8tg_#Z{;dQ0kb;g`so?P?8i z{PY__l$gzD8}1YZ?^>kAZRpX0IwB#Gk}2ZWQ*SEHs|<;j zb+>|@1}EhLAjHL(;K|S5dV@!01@C))f8d@PI}CCv)Z$r)8K}X{tx?j=$QME2c?PowrH*{tqnUf15XdyNLVGNiy+Fm=Eq5Yq(kfzr&ww$+yJ=OyA}Z@V9NzG2 zkm$=Kq^YrnkA9qF;B%|#TG)NZ>EnL7nZp4AvNKh)80#Bw?SiZQ<4zYFHau|Dh^arQ z{JR(U>rTb1TG!o}6MO{Ch!A&NOgLDTeoD;YERjQl;*NV_>85R0X7`>h6B%U$L&=R% zP^OtTnkG;t5x@WU>>f}MZ(;h}Lcj+4g=4;)bb2b_Gfia5e<8|j{$0boHUW?HpsI_J z`L30p+8}34l9?U-L^l}yPqW7@{8b17%l7-{jJnFiy7fPj*h+>GKz(Z9mc)}#+<#wv zpsRT6FoXA}yN5}IIWfy)5+Pgl<1J4XCuRtLaCz{pdQ=O;xTi?7j63|@vI4{#W@lBh z@foW-)lFHE1zjk?>}4JA<%zIk%|+w@6py(9JdU~gGJPHr&LU+BorC7 zhM#M#zxD6;((~;vaMncj3%1)8l3Dn3r~D;DT}sVHU~ISE25a8xe*aD{Veyq~PF+Oz z&tPrDLa4~MLCSFvB~0?%8}EgLXb0n0;jBusA&Il7PAsBck+X8Ive#S)i>}jnzzBc` zoUvz{MYKc*QiuWd{%z8qyt2;o5;WirH+B}j8PyfBo&RxORN;aD)eU)F1tTos6NF-J zdnY=jDJ!#G{pjs6F47xKF5Omqn79uZy7-}wwx5DQ_dvPC-tvLZD06h3Ke-7IVk(Pl zaz?N7INZUyJ5Tn2V)M^-t7|lfcp2ctAamTJPF-cH^R+${m%_6TlOURnP#bH{jemZC z7{nSbJKxj3^E78i(?|i?hRSzg-Btpv7xBsuDj-mtJ<0%>eKrm>Qomc2d&bv-i){e) z6{3o+X?ZkUO1J~~DuVpGps4;3J$nhaFh8jE@9$c~%h$07bc^h3 zZdwgHUt_E!5GtzsDjJ zKU2+hPGO2%^NuiY-v8_<;Y@(KkXsK^G0#UAw3ucs`J`{*lSZ-8XraZL2?HFXc<5@$ zc0i={HxVJ$;Ndd(M%6ofdbS4N`xFuvr>eue#qnm}l?W+Es^u^zeC;>6wGUJSyRUa> zRr*j-%NlMiH{Wu}T612UI75xxz*@faP?x!8b6XEe0km~)3qfsc*oNAQ&zDNx316D% zFiVLxdVdyxQ-9w-6?!Bgb2WZ?e-(li)8k`zk>e?t(k;RtS1EODuUu}8O-xvutAZQF z`J8bNpd~ngl_yS-Zv@2S@fB{)FY^gyKvV!M*;PH4KFS@dvsnR@qvw3{zzQLKa1{Wq zVk$0(fNrrnkjdpB`3h^xnx&)$>9kc@XX~!sI-)1wUcbn*?b%oF;iCkzTQ)`t znlV#vER>henNA1E+YivUnK-Cw3i#+Ve}R$GWfs-JM@@X&TPGXjciw03VI`e0Zk^-%zy4XWy*PAt z@A}Px1v5qbpOZtU_MpF>qC&5bEIzxy z*xi?_=o(&Pp%RgTQWn&XZMC6r33gFu<-oM{q^uO42- zXAdP#CN&tnsy-hdx5yq#iYBH0Kl)+ffuuR*XS8_1J-S$^-{=?mcbM1PmVa#il725U zvMWl87QbXD;wpjs4odR*4MxBEDoB`beL{`t)ZPy8g_O@ceaY^>How15NoYsxZg`=4 z#o=xcyYvA1G=WKSa_f2hRX!gMn^uocTt$KT5vFzquJHP3{`3PanKPMi@ zE=*Kwl^{zH!Fp_XFJ$gR@Ahi>It|=%#omgL93e?tQCHzvump>Hj*Y{_C+NIvshoGT zPfC8yA+>l1TEkNs2gCiHo<_k^%0L)7faJb5P<2%QJnxPrFFbCS!#4|o3X9Dh@n>c6 zczs6@zV~Cu*lkH+an+RTIV?LPLl}k7y-@~;@D%l4F2q;U*Z7mpK7!vaHy>yP(!Ys79Fd|{Qz zmatTJwO?^l=1w+4m7xcoYE;u(>Fr8{M;7y3sl!xOt z9&<$@ysfjEXLm-pes&28usB4R{%C9DLM$u>`N}2?FHir@*1%U>nb?gj%gYSbL1z;= z2m~up8OM7MNjiwAL&3w&qb9jHjqGJ;FX$bG- z2+N6ck@OW_g9+U-dAIOy5q04bl54_B3O#tN@m*Fl0CoWg7ic_WcEl?=g1Do9o8JL< zwfx0npEF)7J|#YSRj{%uUi1vKwe9b78^1a|UGZ_EFYU7R`mbI}x;}fizDG2nRSG$?yxNbu~q|9lO7FvO-u$cKwV}x`qVRt&~C`=cQw_3?-+-%|-2} z?K3Htsaf6806tYd{)Yo^^B+1who9%|#DjS|Ey2fv1uIfi2^P%5bqbq(Ic z9lVP2K)O#g>4>^6tZaC1LaUHYD**s?j^inf0+{(5*Z^5{#7Z-3cPo#&rYsohz0O6dBzs`$rOx&+6-%sO8?q`x=|Hns8UxQ#h`d@EL+{lJmo~Lw# z3$WXe8($~vFN29DVJ7gNTbqf3D(8pR!kHm-k6u1VcFGZHJZPJ{`N{3h`Dou-XQ_C? z|GFmq^LqblVp#Q7vSao75uwLb>c-43+qoKT7DaU7Bx3#Edvd4O!K&u=*DJOg2!&6r zcqYN7*wa0BfdN}hq414*shQN=midU_Raw$&66Z#Q$Pk96VuCRn88dhCc~mK;+boEC zXjA~;-m0K{GEOQm>J)I9xg8l#~W(K9xNcoK@MRdGU$KlQbbt>({E?8})vDbs)kF@7%K>Tb{7Ixm}IkVMA$r14~j zL(daE%sLSHCx|AGR`z3U@b>19V|~bUk);di?NdP#E3vh=cXt^56T4!Y_IF~#B7kS2 zq{P}@v;`c$_2k9#vDSA*0nk^!pbK#DOdWpa_j7K{wM)njnEIOS%tYhzMwlOc0szx& zs@Mup!Z8DQyZvUhFikAwRW|T($^_AzQXtTYD|QEVNkQ-KKTLOD)W%w5kW=^)x_1+>73rpqk?t93%IhGI^ZFKURFk9S|%e5A%v26>^sD_e~w^&21osIw}B@Fro z_Ib^9UUxVwcCHS47VB&$z^vh2DB?E`4`3Db2vGZxRe@MkVuLp`FpfGA)TY!tO{^n= zuf`G94yQ7vbbYb2zVk}+&tql(bL{H>T!Y~Me_sPPE!(C%)pb>TcxWo`O$aA>==e1H?uc=D8 zV_HvH%0|XH{t)IbN6x)s7QX-)wXs=)^+z0Xwhql|g8jBp2u`sXIU_N7wchzaWW52Y@5z z9Jcn<@y z40UrJ`NHAwk(cov60)x&LIM_q)O{waJFr(UUe2jy>#aT%`uy#~20Ju?*CO7;rT6!* zf{-==gxq^rwrn9G0;saR_eY$SoCO=iOP9OIZ>wQIn5-Urdxg=Uw}f;5p-E76fg#Q? ze5lV~lqP|9s6j=R|Gds7Z~mdKLfOB?L19gh7zxw5Y2Vem&C9SBo+JzvBn{V(2fc+W z-$kryZ!358j?B8R7OGUYNd2gPP5m)gaI2;hZEgL7=Mj6G6q!dKVLkCl0Do2Uc>mjG zjB#aD=@)(LANA5&4Hj<{-LcQ}WU$CWPqwJkQ10eC-G({^-X7do!%c683Cv)uHEmr| zAa|ZNRW(OO&9ToV!?A0uIOy^2-_LZSQfcXjlKZb$Dt;P!qrS?;G={g#BQ@8$gBC>) z1CH>Nrq6sMJHXrJdik-SF$uOZY_IuJv_EnGTm;1A;S4ijr!Btm6yz*N^0~t^n))PQ zg#B|t`+=kN{!yiJ zu;%``3VSt3`re}@dJpL0il{PkieBJ^FJKGrT=H!Q@%iKGB_Z+sp>F=se818JnW|M- z*9GmM0E}2!a+c9Qzwcp2)FZ+^Kn`H<*lT%7k-CcMoRt7%9$F32&}3RbjmikBH3_o; zPjx9n9_Pez1mGlZ2SQqOGqDFxzN}6wlmX=VRbi-ZJF)PkaKurY2oT-n)cH?)K)nau zkU-6j{0f*pu1_ZuHj{;1C^qqcDxcAzBTTUITzc8xQL>cvNEt|>)T{0hR6!o_eWrA+ zhM5_Y1)ApT4Uw`VIm-~G-lO)F?ecto1<;7#qAUZFT0JDT;l1{JLzOb01Y!L8HkNiN5>;-f?Ske)4bC6v%}0z5R+@O2PIrpwfuN*oYG z)@g4eyv_BqWO=0`ejKLPcm*jEP@15-lTeE?q|ZM^7iPenJhSGphK?S$LXkeT0rJOH zn|w%&yq1hSRzIvjob82k*TOb|Xfwzq0%{2Ecf&nS6{HkjlU=@1?=ikHy_dQhl?$Q0 zq1rQ5{tSuVGAZek47Ww5jw|x zN}87aZrbgAnvwOVmpsvbRPL(?uh!^>sbaJ5bj;;AsB$fz& z`Z>!8>tp3@2c|rMNFaq~YrBjDB~3`#vvXtCk2|gK=6nF1BKY))Sljvy4dFu{Vkx>2@J;)N-2|a_$h*v(Jyl?qbk|>~p!Bu?ifM=dnFnaaQSqU>${a7=C%eX7I3#0H^DGEW@h($52 zD)4-JD`@xO7vIs`^%?SL(D5?{UA+Q83z$BsE>6=L`P;yMx9@aGl?GbJByB-{QN8H~U5}rA9TKSN;640I6OM5PQUF#T`;zxg_rF#9$iOE5k=%*(?y2?x z;qJvTFpHzyT3muz`O6Pi4}-W`dL@+#l{)J)Oh{kMYFXt(olozADz<)w@yoK3fNORS zI)?d%VqD)sAlzf)rnwMG36fX+@F*8x2JHeP^$^8qrGv$rb#%zDX8=epc*}EeO{`at4xE`FS>O3MDu+)^mqe3oR%l z(EylMw0ryuyH>*Z?vK@Cj56tYour?$Ohf8;z3{4GrM>a3?X%I#m)irx8s1Xon=B1k0Dl%fFI_8+^thkb zq>J7x&O#JH>XJ#EP}b%DaLuE7j&1O{j_XuXy9=pWn2QF9>seMW)mZrtMOx>v!!cPI zur_=Xh4+!qnrMZ4P%Tu*R)&^O1|M2;$M_UbkeuggjDi+~s^1v6jGgZ!rnYrQf%0jI z%no2HWkEtYiUklvrrT~2lFz=l8KA?pw9Cp?LVjdt&TTggDAPZJhUh>%?`>j9`V~24 zD9}*Rj|Z`n4E>ay#o8~U_dW)7&9!E@o`YhWTtF6%mNP(43&Iz!v;&I;ptV6(_aI{M z&*Cq&D}MtqnMljs6HpA}F!0#l#j&{p;j4ReRCltV0SR&ObEG*CqM1e0i%F|!TeX=u|6Q;vCeuHGWs}8hqO3` z3T6x`R>30&PmCYQ`*AU2BC81^xha3FDXKXl0;tXZuG$Zk7MTw-#D$r;bhvbV{yNEi zpOs%(VMK3SYO!>5cOoqKbnv!_G3?%g$%Uq-@6xVyEG8wCz{jG==z;1|Sf%-9q&^~l zh5RrjSI+h~HQT25dV48--_Zhkx7?^djz{bD$s;_B6dO=qGEqA(z;Sn)dlwYRcK_Fp)*mNcuEV<{BnV zJdKBB(a*$k9A1K-h^*7~cHZgPmuO7IONBm&33-4V3X}$??&49^zuO<55q!IPfkl${o=)GfY>()&jfO#r&~DC(CBi^|#GT1fczh#a`@|}GPRUC4#OMKXE*6tnc6thY zDe=}HiOf{2;^GCY<^i(5WKB)ag$o2b`TnS#GUq_h=nk3?O z`IC&u+PBGOER*uWI%P|F^~!bkg)=PDD5EZK2%4i#VMy*60>6lA$=O_i)CxR7P}lPj z(xJQ$Cq=4MZ_v0XK`5B1hTZQXbiPiS#Gj8xxaUkqQ)6vUbtnyL#%4#)tx+vT=6Si^ z)JlwQ6z=ddoxdp-MEB{#n-1nAdYMEe4IM0zdBe|xS8pdq0+pzh;fle&@0gtO$7<2o zpGQ6nBb(k={9u&0v3zG1YRolO>AN&3c1eMedU>cbM|pmDck!Ab1qnY&bjwMV@>B z5S12km*7n$z_WKC?HkbRyHL_Jtz+k@KmPkqk`jqE;nc+5?kb$UDHhQn-}P5({l8W6 zs^qyl0yrKnyXg%$*?)rq~6M)Iy%$W{bS;CGJ%-K!y(vKw-vUl)lm!VCE8<_Mr3WJwW!r6Vk zTvlZAL?b^*+P1DSuilU^nCfM_u02bJ zS_U%yJF=g=LBV+s>*2R^?Jld*#;x!TJ@uA(xw2_$>@FPl=$^p*Um<04#Vh_do638Q z1XwF8-_vy2s#M@dc~4{Q z7q|zxdTOO~?;e#TvCYK{%5NLnL3a9MPj?+3JyIQ?=xDe#v|s6auf}4X*K{6AEFV-1 zzNkk4_0xutXQ##?8KC(l`q&if@fE8@pihx)EA3_tV42N9LLnm`QVT^o0Czv?4B`$Q zz%*r6?kPlVJaT4^Z5_TUO~n z|IP8E++`N0;`0%Y+~O*LO18+7NCPBO5Sr5SZ##kzg)#=*>!Z3uUhqf5W|!lyIPek& zlDjo8%5jCKNhmpl;)S#X{R!qGKLz_w1;@#XCQe6QW4T*UK%B9%{6Q&MV^qO1BCLz@rt zRF&`ZX`gAvBk>5KY_qBiy&&%eM2fTOU|Lal{>9n=66uWxebtT>NfxcWG1RuI#p2;e zT|9G<7_mc{Zv73)k>^>sfe(C_bZZtCP5WD`wPO&+56LZ7Qp}+ zX#8aK*Vk3}Ol0(j+{9c7)sVEP8Q7uW?_WSU>*}z;_l<{;K7X?lAO?pPS5E>V)2|_3 zfZxqgW_(Sl!lZSadTNB!k3@>zEg%*EL~Ir3j12O$6a`$m&kjJE0g&M*Q54iiE2<$2jI% z#&EBJ;M3*kwoVDj8|?)7L6^>>%DZ_UNU54UmIPm^svBlORFqHx@f@+(T-kcQ4y6e% zuPC}V(~UX?agtgM%9L>eb{v|Eu_sS20mp}S9bct zhF(7G1ec`(eTXgfY;y8v>d9}}JTpNjMXv5k1+4fqv=loGKTd!UN#iRlU@a&JViPJ* z3LFlTL|Omi9DvjIq4&%-$m>bB&l2&=@_Q3@&Rbq3iI1ya9jY&@pW_HpvCUm)WHLsk z`r9tW+}RnR_u6*#h-oEl;HWDbh{{Sy4_{xye}tIVs;VGu*JZ#}j+ZG0fnK0hR&ffb z<+Ccvx&RMqiC$-8`z&@h--6%oKd?A84|rb>YZqAAa*aJ^-gVv^0d0GfwJ$ed%7&`X zGBS;tOAn9VPmKMY%E(0X<3gexcJ3hMOn4{2SyhU%j3<|D5iBN_LTH`!zrWV_<`v&eR@OkoN?BhP0U$&O9u_=eRrGm z(B0%tfANLpdUBo@ip6}K=t69`5H0>db}Bshv&9{Txvgh{65Q=G82g9>hIpxWOri?s z>PwvdfQfpX1!UHmo>6FRMseh^ zlXtGxD<{>Rk^TU!J*Bwn!{}l*w}CjMb;QJo9%9?YEP~GV)c#jwRxQ8m99Qf=-*)={ zqi?HIk|j1nj|wDO>CE)&z$m||={CLBR%lZ5*1~(XOc;Fk{HqAjqR0r6o586U3~Xs) z{g7&3_bP}Ark0R&&(;Evne=aZ-z;-TWTk&kRrxv#)GA^vDL|{jz$@~4tHOcLi}ck2WJ;Sp;Van}Dl@~$&F zN2rBFo?CR9s>KXcDI$hOQsviwn`^}YWpxK~SVApOfUnu%wsA;0@s{tXh(aTI`ox&( zz_})0RzAh9pNk@GHgP#M=e3+-w~2zIb0gQ4+?!Gys(sa>HzV!V3$rSF{qQ0ho<=@{ zYn|CF90`2oAgTz0^TUuIx+@In(%A{2eKksiGu8Q7l_Avwb?-B3eL__o@5=3f?&r_! zODg2D>M~z*anR$lMesgmYg0TM!`e0?gy@BsiE`Vj9#n$UL8pMT8{)@}+A0<3l)XP< zp6A`Uw6f3G_#Ng!4TqSj;8z9K6nUn}f$6xBfKSU;0?b=N3$v-TsNuire_AZF|I*I9!wemZ?u56y&3)71XB2%nPP~%W+8Ym%VE!_QH*6!YLsbPRgYF_7; zpqr0u@_T3Nz6by%iF$3I7d!<7Im9cr^0P@svj92tWdH!in&pDaR$Q`|0(74Kr#ho( z49k4-VWGQm2bRel{IyzK(d*0^SUKk$8+kMCc6>C}eO(=GkZPc{CZJ~riTtdvw+LXJNMjn}6YLO>bqp~?uOKb87K~f0Bl7X2<4Y4?wn03i7xsVTN^UDH! z&>uq)DogF+w;LgtZ)XrF14f7U(%qDX z>l?l7xMB^;XQ~U2*$9~qJb9z(Ryq7u$j<(#AS7aOipTH<_kd-_*FaX;fsaLir20b! z!20&?#rf>*%!IH=qk&QP*RKn)W1IA0rS03pU)E{uq3O>9$1jKU+`DzF^r}gTAvd?- zlMl%c0zN$(KP7gUqJ5KmbzQAl{NR0`>mQDE)z^qq{EdH;X|6e?RdzdNM&*Xe?CVhc zD!Rc4r+`z~GV-!(SJ-uL+u|wdQ)=+y-*~X!x z7Ep-lbO)Gb?hqOGTHdh^J^=4zCTG09qq>=!i2sap9(p(g)*Z?$&?+?Xu%84SCp*YD zX%;LZ#uj{`DZ^_yO^g3!nTc z!HJ5`%*VEa&Tb~^7c^c!=l|5%L| zuUr>Fv&Y34UKz0@(_)w7hi$p=@$mdFzX;1}UB7y7?sYJCV~)lcvQZknwDT#*CQ(dO z2FJ~B<}16GoE`m8XR^tEQ^9+Vz1`-s-V&kR>e?SvldLrS_T^kZSX*5E0;BuGlFx;Faq?$fGZPX=7>^n`H2$?u!`K6k;- zkCKTH(%nAIMZK4=OBg=4z2G4+B2Z1$`pPoT7EAFOoqO(a@-jPDXPxG z8w30mmFbO{9q(%Y|BDkTIgFbn5R~VC%?c|&$79qnt9gMmR8coC7m4zR?i!#^{v6T_3;I)bz^q%AR{j!5-ra`5dEn zQTjf+F*PRL{qL7m2YoiS3nLifeC}M@#Nyuwl|0#k$=9;`EY_DCR~P5ar@m5qdD?FO zip{|fsA`S8AB1X=&k=ybza{Psj4Uq0RH^n(09~@J?6P^P4&wbzi9NLkth>vUbFb>H z^Cw3@_es!=#K3lZvHv_MK&fteLi$BsBY54F<9eJYe5MjM!TSbVb`EjgsGu$Yz< zV^B85!AySqUo-x%+YPM+y#Bv%T^b1zw{`C>>dU~-qeO~N7Kr0H`OR;m$wdW3Da-;p zwvsNDus)+GZcv%PD>b3kY0-9j`)5gnHse=<^mzdSNi4x?2&32{@x@-UOf?`O`X6|fmG7UmEYmeL|wx8QPXx3B%mR1 z5nkfNN%GU!t7_WOY*U3?gJFxm-XmS5dE%~`Y#6KV>TSVi)V6Swt9&(TA*Ak*b(-oN z92zlr>IUp_Qp&?G`PXQM)^z@*dApo@u~P4_$`g_eXOo~Mv+9YODImY`*LwnWomf!E zbFUi?s|HdQeGsv`74ol$&7l9Z^C^XAIDrBpwxQj^p44j~hll%6jUsvN%5ptGYhGg= zEXr1w`#$dV?@EA@;B1^z+k#KvvzOJJ4IOH{kR+ID2E<+*1k-reVU!q4wi=9*9s@{! z4gF#eTxt?@R5}<=<90{pG%C+Kg0Ez=D9O952m2c5+@%${1sN`STtVICe)7Mr@qga& zoa*1~4_xO`>d6)k?Q{whS9Ye=99E2|*3^6ZzT|>0ypz}pt8JZ~SE|SD;`__UZP6+P zGUFDDUPiOGMEhU+BbT|g4OkJtHsMAg4Lzin)*sC;OAZ5UpbXwT;qvt>*GN0s?U=&0 zUE)17RZWEr6FrH1iwZAmDW^5M)QyE*%?%HA_v}mwMN-Dr1QVJy@YalEJljPMQga6H z36X6A?Mz&`RQuCmCdFqP&NIl6qTB8Ps?G0tbVHN2ncsXXoEYy7m<9@3OJ-vawP;#2 zi|o^yev}V1iCw#`@w=yiHCDlK%Rd;$Bx(kSZ>#3fUo|Ud=Fy+fe-FI?YYcx(GpD!i z#nR+9G!FWceJjla;Z-CLchB6?9Z!d zEqf5MbHbV}L?4s=U5OBUNh1qbnY9NC$V1(NF+S&xtAg=!(rNIhG#lFFktQ~U>9AQ~ z)8p~AFV4Q^u;3V^C_fu0lEqCdn63tBGo_d@s4&$zzy!%IZUBb=z=KETK9!3Hm`3a9 zkap9&5e~iH6iz?cA1>+pZ+Gvj6Nh|%;Zn3b@{9L@g90abxHQ%#9T(oHo{LP_uo@NS zkxJA@M6tv93*B&S25_DpkHu~yaRHQSln2_Gc&K;A%ABIkv^<%}1ix6k)Zve8*t$|@ z|E<#2TfjEu_I0oZT!@O$d-*nm89ar(7Eyic`niHh=_hwBnMnuu@_gkLIJYtKc_@|9jSz!lO>G;~fs$t!dDw_it8r8y%(vpUW0@tJs@AF-Y6>MfN^6E603d|clF;--?f@+ zFPJs7`DM6xIwRxVzf-P7HqZAf=AA<*lAU;z%}Q8Z^XZLMUqIBhi_ZB#c-Wf>|IE?&~%R|OVV z+6IXC8*f$JSGeGf*TdE7wW*1FVLql@V6V=6msv?b6xIQZffWTyRWtAN2V~j}U==-xa#4JG}}!#JHH8R#_JM zir2C41S-1Jc+qZAqBw78$xgt2B9e_2ifpZ)9NZK+GUhB;Y}*HU$#nr)IMwIgV2W;K zLs1s3^7^do2F0o`^Em<-1hlZrK~kJ^KcYlBvadtAKr7I$F`3=kuB4YM53G%CSGY}2 z0Thg=Tq*XwYzG4yB;U~fpw!hy5T1(j_H+U)E;%Sk3x0TsAp({iA$!1gvz>VrlqLBWY||NNT@9%S zQhMhmL<*ZF6R>s_po}dG8sN|Ap!My2xeN8N{Wh!`J+B70gj!9rAkeb{5Ui3{OhV&J zeP6906==Ctk9MykCIf*2K++0vOZ9IN|KIk1_m`(9xE9Ede!X|QgG)WS;sT~A4CT*q zBRuG43L`exebZPEo&PX}S^F|AKJ>hb^JIW7(GsE9^0gp3t~gO7UJ>D>#uS_G-gOnb z_tx8^@v-dbg=1s&a*itFCSO_luC5 z9S$G1cL{dxV=PyOYZ*G1H2^}|&*GZl6&SC#bD@kZB!;!01 zccMv}{93eJngpqEJhnt7srmT0K_hRcC(=PB+5_6@!9W`HNfU$ugH123t?}i`Z>tTX z3Tg)DsAaE8I_GZfZnMbz6waEP;~Q)LXS{&DdwHlZ&L?wZ2Ol(4GyMD0jz5Rf!I!Om zRglH=EQr4L@}@?e+ErR1%!9?k%>~frvD+GPYClBrv^O2gmJq#d%L7GUPQWHvHz2CM zyK>5>=CF|Hmkj@3z(Cp-`||DmZP*`>D-QCOMZLMdfafzP-nR>*qe2x@iYbd3(cgP( ze+99kQMMao7!J%O3Ms^tm6qms#kPGl?dh}~&-oe1yKRtW2>T8}p=bk2py-|2tcGaw zLhJ&ISN9}BoFxbcdgq-!bPe8hhpZOo`|m=iuJw-{QPPzyg8z0rguD z_=R~@!R^m`j#xOZYwnCx!3w)dYGd<=3%f7I@3ma%3608x{vK}nfTUl|9J!uL&q+dB z>U?M=$}M^}xp2Txdg_F_SMB}GPGWm#@4a2|3VD-;@@vEC9wcsK;`0Dibb{#tS>0-B zvYX2RMB9(wF&l>}{y|RCk)fhI6M{!u|$x z3f>6oj4{A=^6xF2lK*ovIh8Ybv}pcQPz+=?ByxQ9T{e1V+V>DJ4Ik2|-vz9}F(@i) zUQguRi1sYH8X5}d$+O@NS}!8=4ey8DZ=#)LhN z>xAVT7y6Wx2A9t#OYv3tQKh|!Uet2k+__Q8>Vqyd@h=Wfl`0(6q)$?U)r}Ek?#np~ zXc!t^3fp9A6=$Sgn^PV+#Y-(gpyv{WcwoQ1@ed_mcK_7H@%bH-;1k#SxlAmd@wS+W zN|g8R;qR+zZ9NEc1Cx~6ks!UD9MnANDRCNR@*yMSoW9yvNQoP<=Q?Nw>hqSP^w*xB zLu7}WDP1u@lQ1l>7&7~gko^}%zv{}}e*Q?G?tGo+YFQoIQp(RDIiEQulKRdhEB`b^ zJ^OKZ-RvUp+3c#;xD3Ss=-U;ykv-dfZ0pd*KXcGS>Yd1x&Vs36479}{E+7FN%}b5R zV^MDr>-ehd{SOXeigV5}9S}X9hQF2Q;UbkM`YMy25|;D??AKVd_ZP~X563zrq^ZET z%~~8NiO=@v>)AN7Q_FnByaC@9)Ar2^GK9|?1h!qVf>>q8ICuW>iJOgHz4-!P8AcPW8Q#ku>iPE^khnp zfo+Du_aVC7HqDT7E(q$142CJYA!AFB<(YrgvI+VXH`+q9|RZab7fBLsC%vUXg zd))-M0_zN%J~ZUjaz3!}O}Nndv#u8Zwk#^qm)~*fnvzFq2wQ=XyiF=HX1WE=Z~bvi zy?!IQxq;{(JHz!&knzN*@DVK8sK-}TUBSeehdnzbA7&;t(Jt^}{%1cHYe2CaP%=hJ z@|n+H^}>CFJ-2LeXw+ck5ADW-N`rNW)5C3^(h&E$S4jPZ9toUWp0JX8mj1@^%F=YW zk>wFrU0=FA;b76NNyc^;OA`giFqJJ%lc@bwBydh-3TKZ|FkGN(WK^FaIUURawdojUssN3&Kn(VYV(fYuPM z)r186m@J{iRvJWlr2seqzydSKcqOn@^QyS#013k_3hxjULO6j&rQCk>4~YgTlM|V) zK|YI5K)!DUZ7i%VEgkAv&4O;X@WvQ0wLRHt0K0Nag)iq!x+%6y*H|mi|Ngk?WBu7;gUYJ1}MoI~i_0|F^@T;NC%J1>e|> zrC8dBZ^-p4sRd5_%Ta1ps(ByQ59tv}UE`Y9N5^)x>$6;V^y;HqcpW+|g0T_>h$#)BZ5CUprMHGb!E0|Lf8d z+ULD6)U^7d9oXqX1?U^ym7{Z8hcf7cALklSsya6ZC#?Pq^+&zi$d2<7h8xN)&QV3? zkP7r4I|gl)_gG7Z=6BC}Js0BNb2#Iy-udBEaS-eDHD9P2lEHF-_T`1@$j4eG&>)aq zxUAbb1W)9EKtiR239c4q1K?l2N!RGL9^QX_mY)`)a zw`JCWyGJLUoTzM+va{_XHXNFZxyfW~z5-9!oG(R#tu$s&;1w&~lOJ^omK5_7JHu6+j%Lpnz)Zi#e|qJUdfZh1Sw?da_Xi`?PO=y$j(c8mHPluAnxE=a zU>BZ^AKt$;|0Z;*(5WwTQsJvjj>}#dg7{&{Ua8acWw1w3S6DB>1HCY*srZwgH0!#U z6m(oUB)nHPLLpnA)Odk<=geX$&NEnV;h<00QW}A=Pha`DQmFe?u7?{|r4z7g{4OIsOsMY@ zz49eSm~DM5Q8<1A<_L~fc?JsE;EzenU$gSI;i6tmOA3vpm7h{XZJJ@~9;9cR!Pr%~aAlE-7TzXj%9(Gh7HuQ>RQBhejCMMIT%giWOD7GOOcYoLHj>%)@vkiU->u2> zn=Ll)I>Hou5Uey122z$fz5ry%DZ$+A)yFM``_X4_?}b2q#-&@&K2ih2YLJZ?=`5N~ zD_5&d3EJ(IYz$}K^3%htr3(7ZVxk$+KHJ$RynC6*gdbycRQH+wGkI^ z_#4!HzneT#o?oAqmoA5LsrI={VZBJ=eZ6vc=S{Obi0=2BdMK=5$Q^dK4P|T>-2W@P z{tMwMB26~L027#aJ2 zVY-m&a{`u#LFMV!vI)_`he||OAnWpZZ83$h$&tA$F8ma8ohtzlFM;)_-%q%A=%Lev6q|~=8)XtXJ z;yg2hYh7LJz(%eTQLK~NYRs`5Vq5SDT7UMUdei=`4y|$_GLc0nSM=;g-)PV6D9R|~ zErKSGd}oJv;ueKoKarbZQ^F`Ab{uCG`~VpZq%DP_SLzbb393hK*IsCwZ@&xkIZ4|v zMjsGWiA^(5676G#y)|l?c?ZWQu!s}?)MdTFqBNS<0;^~dQbKRoAa|T z*upX~Tfy(0fM;Kjz6@t>KF1&hHXc8@1CDX~^JD7bC#j)42@v}0gKOJ_CWFD=Jy?wl z36f2s93!M1_yraO;e^>)3!|?ar)o3|0B1aBr3(oY&sgvS+W(&2gdeU_fWE~76jCtT zVs;ql&}>y;Ag=zkXbzH>yc>7Xer+JgXXWxvF^2zpdizEbfT`Ifw=&ilxaiebsnaX6 zN^4`r4;0Q$9d?P5KS4v6*O0h*=>>_wd7*^0yQwOe)t;qm-fQIbnWKe=26GNA#O&RF z2RBklQlrlYsINTc+>*fYBR*P~QfoV81_tR-l4zYXb2dhmnSK69?8#`613Si-U+eCI z{&1LK|2ROyJ}TFL)nwnPJ=3LcBGi&bU{O5jMj{ng>CGD8gjo$QAow8KiMQV zry$X@d&xYjKCHh&T{^m574J4JV)`BxYKcM#0ABI2am+esdsDWF$9tg@dXMLYe^H9Z zCaVJ32W$h$1Pnu?zpGH>Bx)3D3_9XO?WwVxp=6ONs3B5c^9R4)+VmF`-&Q^UWlj48 zf%1?DhacxFiRo+^vLlz*4vyuJqIE?L5>g-2-fa@t7Q`y?m_kF+Fwn!$OI+(_7;t3Q zzpeBi3Sk>;OUT}a4Vzt^{94N#EFzPXw}AnNBu^HtyqJpnu2256-f461-z*`JnVgZG zG*V9xIdAMX_joz8#j9?8F8a_sJ1n=qF{q6^&{n-$e!=4Ab##)fEjk&XL=dS=92wH1 zzG}qA8FhaTbOg%P$d!^D*<#i4kIfQ(_cxC8m?L5bJIIbdjz4;a7F z5mDy$fOjlvbF2O#&u&^noI#b^mi280h8I~l@AlZ_NF(4(G00X0$EcHhC(|}(>l1;7 zHk?c=b8bltvEz2yluswBoFr2`OP9uYd7;S0>BxN&w&pm+8f9Lebjb5A`%tL=%l^}{ z29GY_n5K34tGXin_Z$49YC61=x;I46i|)x%B1!qFZireAcliMg#Tr1#@mqt2w0 z@?1wH3CsH0`og24PpfKh=h^KxRvI5Z`l8S}Q^e>EoY z68dU%;$^{HiCQ@akaDV&A#z)RkYHuF0~jo<*itsQn#W3q2wXXtunMrjMa5!@(sWYKr9VH#PB$?|~ zYit2+p4na+NaNn4rUXab)b(Cw_q`>^3#Z8t*Bf9tLai6FjQ;Y?Gv)7T}fuHTV z0e+lWbK+)46nn45>*Ms64UNL?p*aFR?`iT+0#iXsR&l_*_|30oCd#t#$uv zCR}ClpsG^1n$M~f34ETfn(5AW&jEyG(%g>TTx$lLzf@CE3Di_&FoE%18@@V!U+uqy z0((EjpV2ELTOQLV-%3g&Z7tRkI-gH^sFxj2Iu7=`P~Ycv%F%`%gb>AM&K?dLT8ViC zbq=-jqRX797)*fL&WM;9S)=HPKsTU3eFHum;TI056>>utvy&WNGBsKGF+8DcO_EMXBk)gD7QGc3 z1*or5x;whj^O*ymR8q8kn1lzM>bXj>6wBcKqIX={4uT`cz{Re$dEEsVTL5iu6T>#@ zxg!LTy;@2dt&+vpm?T>-uTMr&_Gy*>pNsWp7U=1{wdAm=4fKlNNVGb}-1GNV6vR3q za&h-_RAYgmw6>!;+ZCZ#97pV@?y@##m=jtOHP0c(sM@5y)+dMpcUrx7C|JFuBrGLs zErV`_$Bjrvr23~Q(-JpsDJ-TlW?O%6FPVIQnG5l>wrgS(yo>ndaZcygnWn&v)k3{YffYx7@3C_>o> z`$by5j4oiGsx*p@S@*A$yq&}b6hV9yil&lj-gcHY@f=Y%dI$wa_E{!Vq1gNIKPhuN zl?`M_^<9O-n~3M%YK8t{oPB9~WT1n*=;SUuRA{Df9#KPD~s1V-GJhd4Gq8k%;O8fa;eW3VZ6x@98@ zNp*7_MhWY~5UgoT+k(iauBJvlHv1sjtGHsTZjjK>_sfsE^r4#pWbP7P2qx23-o!vb zo%SR+JDeZnIfJnJ01|esllimm-_Dv~V^zE&ubf_=X; zA(=4F57n&ZDJomR8vKBw0U)dZO>hIMl4cCV(WFi|Qfj`&G#M^roCl@}*7rT!q>|uE zMOOul5>iBq|AkZgA3?l|bMHL<+t;c0n@VLq)WMuk{7WQ9GpD(f|_inLd+q zibbE`;HuPGn;{{FSZwokvX$91vgJ<6vs0qrL&R`w+|VA^iB%j9x-#MSS!XDKUq_U@ zLsCv9O{ecXSn2IBovzRFdrobSsGvW4JMpZ85nT0dtT%AfA)Mg96l$i%2n83`ESHW+ z;yaF`8)8aHSUO4S9oKuP_Z?kDuh|r*$XrkkRi`OGOqyD~KdSob@jU%Gq#|oE{95mNJsVWtbU(Df2nr8-;51!b-*}`KGBk6;Mb<< zcAov{W9_0d4yPZu^9(c1B8y?Hdp@I)oe2p1N-c*r9#G?a`A6FX4G?=;NgC;O0t|OJ zuNzsN$x@PzyCRJ(3%MgPlK4aV4ELCl1qIgn-TL7ND)irWV<2Pu@qCA!=mWNhbCWkD z+vee5+zR^|XFmZap;+>L!f^iU>E0;U6m&zwi|Y%Hb5960(eCz&Gx#@`h2K4Dc|w4z zP}(k-mX^KXa@ub!R~oddA8QL!$D1$uoD?pQw75s5aCjqtKcgPvt(WPI4r{PcqH^d_ zz^RtoiObU7S~`jL?n|2FlknQ&hC1MbhP@#;9g#bacGHQ8g)9rHh1OqZyA|>_qE9pgGAbrc(e$Osa*LQ!wjwOBL zDz(g81$F8pN16a#lsQ#r_)OeKpgP*s8`h&7-!y#Tn3D5AkgiiRCB8ISST56`EyS`@ zNTzqPU(E+f-=j=)%0s%M%wIoyf@1jitknp%lzSwN2A$}Qf@Oe^FbAU05H{fYutqj6 zPr+O56yiYoY~sknWQ1Zje?fztRmN-O>#sWy0v#fH9F~bPNXL zzWlxZ_kBORZ=d`gY_GBH0lTjAJdV%jeSFSOn(9hq#0^rh9(@e^farC}^rED6naIy4gB7+u-0Re@aa!($wCj`EVOFt$-IErTIOI;WJw< z&byZsufLFgyZ;rZa3F(HXK(a3aSh?UdsSQSUiG~(=Kc2Z2Z-C(^vmnlhO{K#z8wn) zMJhUOFe%MVtd+!HI-cA9`__KQ|I0Ov&^i0inxlQas-COJT*`V{vC z^Q*l(kf(!GOA$hEBd9+f-rQBs`(1cfJ?H)NjMGn`lb0EHaPkJ$-+aYo6Q-2nh)a(j zU=Lt(e*Bx{H7M?$FJ#03tb`^2bAF_-;&?k?_Za(F{TN}zIcn|M_R}*@67qeuEBc*> zq~GA}V&W}7{q~P-Cbd^8Joj(wJ_Rd7Lp6-=bK7bC?)>6Fb6o0}wMv~C_UHM@cQcP^ zzPA*cYR~d_nYojaWd-fClB2pkSuHuatg;B-sEOU)p_WSk*Os1pLSD-p6ZcyW^`-%op|>$YM0p<;t%VP*?zK z>$5YGS9_TmQ*;3?!Qm~?c#ZE%<~iFu(8uZ&sTh)}n?Jq|dac23oW~yHdt|8>LaB_D zl4CDG5xBI6PYEHB0yZm5}(uymjZ8gwzBX9I6YS9WQ^4{LWa) zo1u7@=}?>{lHuWDMmy)wb(|b&QXDNwYwLZS7xiQxM0=A}ev~*T``yL=_~P!whdUFv zcX|m7a2Qu{Og<1D;^MLqy!v2J2ReK~Jc4t-jEK0o^3DeWF_2YjcjjRF?z&o7Y{IPyJ2lzM#C7h!i7<*B zRd`T1swq;&sl&S?T0tukbrnDKt=#?&3=b7?uB7xWV5@jbWQ%|6zW3vH^5ux`gnb2y zq8{rJI{tWxA^QHl0gJD~5TUk=hiVcVd>cR~M z(y2bZ&U7Jk4@4e2-J7{);=wL1AV8HK2alAB>G-%iM7Ao6d~n$A&)6v_OD+g@>!n2| z{T5v9I1)UxCLr$nxT*$XKfKEef`gPmZ=;N(aKUt1nIn(d?{j=CA2=JZvLZWrawL4z z6%i599gz$UCM*O?Mq5Qw5zjxkqLxk8QMP>~_)c0y5%#8n&GexRTNhXI&!P7eo=g(S zov9|TyI+RB!G2fPZPfY0ef(hlN!pV+9$(&Wt%uz7JoTwGJT|-!cyjgHi=V$@*No>e zqZY6sD^8hGZd0PyDtThe8_R9S?WQGLu~c&XjUR-X|EHEjmFMf?{LkMQG`q^A zcNBN-?da~{kf~Zvi8tyP$)d!oBSot!zB!gM6t|l+>6~>s3NpVIEAiUeK6N?OKJ7Ra zbc8uNi-f~$n;4p0o3zdhcUX4t&ZN(b&REU_8A!=k6P_n9Gn_GKJfF<6%{mcDci5lr ztdMvfCknBlanoC=(r#dJ>@%`8vNYmtB6n(XO0eIx$2i0_UD%sXvP>23`fq*Tq24i> zpr0w;Y2POHA@LF1>9#6+x)ATJC|ndRTvb}US<5vo^?kljtOPofG=nHGue=@jVBh;x z`6>5vdr>;k84*%Z6B`2;^u$Mtfv0bTVJzjJDo&ro2Q*8_kJv1@F~+c z$MMBE#>uL-+k9ES0||tPd68}oj4cY6`i%SW232}ja_A*h=~m%ai5Z9)_B04LAQw|$ zOZAW8SFoBUm%0!qJ6EncxSJm$&ym%+=V$jKHaoH?a-eX?a$<5qxX+_@O@=1n!6*#e zz8~dr>}|B`J-*%05b0HN!m}x7%4afVlGxsv1Igjd2zu|@Q`yZsfA+J1d?S2&-g+ryF9sNp!TvMe3 zo8`6LZa>_b4(jr|5N~=^v2?dDZke$c;xHzb($CMBR_W>_3m$)=reiU%C> zu_Xzb(9`jy&HWPG{5mUciZ<80sxhMj?TyFDE{U`U>$`$l;-$Whs4QiR|2p}N+UVK{ zIwZM_#M74#Uw!@6>7D!(ZS&@q9=08ZsV}VmHOMU)Qi3n{EsPqw zP`~JVk~fApK?jH(S0Be6_qZZm+K!UXGzR4o+}^@q^<$QBENTJu4dv(8dQirvDKH|i zg`n?jsQIFmp^vtl|845>+V?e)FO?s}_kxD#f!Ln#QbP!I{%gwDym!zkSeH?d*a7qM zFk-$7VI4Mxi^9Jo>Sm&5=?oh=&@|2TFr2j9Lss=elU^}9++?14>9*MhgkH7~YrS@} zF|bihwbq^0sxE?8ARP_QR_oE$xx-yaVlxIaOcllR8~Hd~@43u!)x-lXbXLnZrmLn! z?Bd7wWK?Cc^@(Py%NT1k$`4#Vx@^?I!I#T)&(DIo{p#H>C5z>@Qz-NM<2y4 z(kcmj5+pNK?_NT5wq8!AX7KtMZM1lskaY&$WF0i|R`1Ql&70QdJ9)V}b@sJug-s)E zO*=v`i{_{>88~u6%MWs-r%zNPA z54&BDJSB2twUuECYTOsz@K~W5P5xGDqyY(ic2nIvUw9Fm?`Mu_IJ8T;3b?5aOUGh; z*fu3D113q9X>|o%%<>pdnfHR5R%d&ij&|z{m*i4z7cfJA#xmt(u+FTB^eq0o0a933 zNKnGX1J*s+=SfkC(l;4L9?s7Xl7~u1p;gdo^KU(!bjIfoE}GEU+btyr;Rx0wyZEHI zw)^{kxIet4R)2%HYD$Rn#{j1+cjUUx!Z9z8+J1-C;%jf%@AAx`cT6~C@@b#6K6a6R zm}bGD<9O3e&^tg!jl{JuHf~dgb|-sXMOpkOm&RaRB&QxDrzvbqgk{%$c5S|c-6ZDx z1`7|Xxy5@l0-6bWlK}zbtGJDUitXFCI8T7rAROFS2OI+66)x~#03J9vcm;U>_d8VR z0{s8`HL?BQ4^z;ezTx1!z)^W6uj7xqw;Y>pI#_sc>A22>WAo?{J9{{##NA}C=XVgR z*(;rAbJt=Gwqw`0&z!mp&qL; zrRLpNXjjZ+o#Wbnhd*Ho$T+gtpvG=J==0G1G9iz?G9m1@|13{akd^}h=v-nYUlxj3 zKPC#y94mRy9Mflnl2Mn#eCY=~V(x#@cLJx8Gv(UIT)&mOPIFcChb|g<(h^HS2VIskWm@>% zE~4o5bn_Srx$DDt=Z>YVg?j7$n+pW%Py!>ZUaeW~j`!X|J&ex}5#pC2;-q(Vv*ZOO zgguG&THlnr4Pe+ncio)B9WvxHR=lU*T8`&PSYGTeTV5WoBM*_!l4q;4b|n3O{~kT3d5***UjYbiz+#Hp!S7tj@sSwmhbh z*2q<4k>&IS23(oX41&n5(CXDNX0UpM0ipC}2*0LxjGSN4?z-dHXmlja%X?%wF z1v>VAP^Y!{qF}C@2etH|=FWp|%)3@rxIwGCWrnb|BJnQ#hm9(1kC4{nOE<7y7Psk8 ziw#^%Ntr$d8vz*}=X;CW85^swB5)RmEQl`|o1NxsbS@k1_|Yd@Gb%{hBd@WXMaw^} zciBnVrvwKGAm|p9&gyMUJRM6+5*(XON3{V@?9u>6(mtL-DM%F{BATQX-G$4&PrVX2-|($0UIIW0FXVh7-uB#x9d(W?dJt&Tb{|#;!0b%ITAno!#abco! z{)et-x{66Gxi86wlUNbu#A{aAC171Jc3N}pH#b4 zos5c0T@B-THme^SC)h0xeTQLjW)JHpXO*RnTvJYT>b`ay3P76MnNV(wJ{_<#cB(b@Xa(FWJDDD-Y+GIV6?kGaQ*th(IoiD$S8roHP=D>Kmr*( z3l_)2X57{fvyj**uWyWH_kVuC3wCK)rUBh!QUfk?B8$u%Pjy|pwam@U-%WzB&0__= z#;SmcQ3OStj1)MLa9KZG{zCWN@9CXwGE3=uKEfF_2^KPMt^*tw4u!(75r?%$o8cLG z=)LA;hj*1&>Clsb!=8KlE&hQOthfnHsD}TjkCnX5f^tDJkJbb?ZlbjntiG64A;7Pv z`@@oYD3~Pa^Fr-3Dl5|Fo~@mtFO!#L@xKvyeqevc!nslebwz?X1CveL}Xs zGK@wLz&fW(WRiGi>{~z-!<@j#^{XcHhxc{HVI19|nBVyI1Wo_8fw7St@nxKRK-9#b zhXNhqNUY?h*hBazDRXTAE#s}6A?Fv0eoe}3;4)+F-`e5Hds)|Cy~ z_T60=$4J#O#`%&H zDtCMB4lL->Ggnw6k4vc-V;eGt5xmsq)ep1`uv2Z6?Tio z!lHIjkvPnVfXJKE?dfU8%_LSimKES<;JPq|l=x9sD<(meLm?gyzsg*km2ONau=t=~u9o=T8geKCl z%!_aVm0S~ohuv=rG-(apPN7sBaPOh=z@W0#7~lH5$LPdLYKlE!=K5~*jGer6XYimI z*$?*7&tcs+4J)(34b!e+q_s5>mWca5VYY-jfVl{^C7=-=(nyjG5ET_o4{VNJX;areA^ zYf`25TREc58hYHi&h+}1*8)<4M4_!w$HKRLkwnR3?LNEUtFv830b_MG=|nran#{}g z;dYSN&7WkA!0TVCLddU=Rq>!>RGezcyT8$UfFkM&xoLpP?jD_lG+-28Jhb$e;fKmx znDk>_YRpfXpCm9zJe9_x*XnDJKB{N0W;S#jD%DI9tZck2^^1e@qK1sNXxdE*Wd&F z@2|H{ULrtd#QvO+I$J3bQ%P6vR+r;eA;%^E<8>=;)A%eWXqFSjv1$+eH<~&-{m1UR zhs^B0JPt|r?X4CjXdUAq$=_x5YhahnBnpV%K3U~CtK+EM&m1je4ewCQe``wGZAJzx z_yp);i_XOQ(wIj5VC4$cVcWIf^3dyq;9jZD>}qoHDqxW%xXhbkbWsPjJ zw)@I)?=yo`u_$-cfXwj-M^j7A=Ar>@pC>^#zd;?F^zHRYz`JF)osiw?mb_+`ntKG; zBlgCF;&ii}r{b-;m?3Nu{j(BR)7^we*BvWeg)5!-GW+2~EL+rowRp7kb#y2eW+YoVXWUFLHn%+O)w1L((pr}@H*bkm!u4L_vOk_u6(q|K!v;L9tV!C8JT@Db z*)!=$(k1)1H5>-IKJ2F`KY;vITQ^Gnmw$kE?hh*gq1UE$k%;qv`u9aIZ_}1;Kj6G* z4k>|9N+$TsI+S)0o8805+L{ZA#30D32`7p>rNKK^(#+Aa@-E-k28B_kY15$4m}WY4 zC2otXuaXpl1wDld;Jp(;P*umG=j^pXk0BNKi$PE0O=ki+u1*@8^O^a}?-%xQNPmL$ zrd!*0IcaI57|O8ZZ%Q||2^9KctPjGT>vIY)Js5)KFu`JmZsozB5-DHp&`o2H&#hCf zWPXcd^Bq1tO;qWRk4J`jgo1GlZIw;t2ey;@2MEV7A}xLb|Fo+Q2=uB9?)gI=_Avln ze)}|SXr;P5Y-0s5YYUAI+7*cLT&eza^Uy^(Mn});C`U>#I97-R(o5V4lmebdQEc@| zvRC#NV*7K{ngxY87a53~eZTD!4B{5sNXZpZ#S*kvKMkzm^t+l5mCN^>lJz4s&3 zJv~|}4ay(1b{}_{m<{|IY>xK+J4*P;F@4_uGcj<0?7Oq{Rpo$3IpPh&y|B{2qd{~d z5%V`^?6$Ws%^(#xxaq+L1*&YD#6#8d~T|iGHL&6E8@EnCnEKC zh`A>iaq*fs)iN}V-vby9c{XoOA%{gadp{sk;t>`59S7as<5W0kZGOA{ zn~t7DGGq@VUGSiGwqu3+1sCF}PQXH)rRCIj70aP`ddtagufyx!662crEqN%RPx5b> z+KFXUpHcjl16FuIptXeVQnQQk-u*X3Q{&NMiAhYCEwbOtgO3Is3cHlrZ7U+91mI3c|6*wO#CVY zd$}nU?L$TB4@lio7Y}|L*0~zfAQ-mE6Va-u4U!GsDKB+AlY-x|Uu$$D9xf}z^)|S_ znvo9KRpw|%PscMBCiY;@YC8-t2u_dN9Dv<0Xt`*IWmmQpqTnq=c$^MJ&T$2=_7DC+ zbOF?fjt&>Qj0F&0d6&U)mQ&5$(}u?%Yac|*J{MbZS1@{Tw|j(L?ZN)XK~*2+`yNjm!uCj{s7tBtX5f(+)~xkUeEhE; z{F?T3e=N`AXnM4arymSVH^4mSa;~WNqz6U+X(o7Lgs+6KLrq2M%sq6u5mZu7{3`mbdJR7gVO6!geQ0Lg<0xk>04&bWO}*$ zX{D^tr>Q9g7M8aQbz#J2uAdpokHvnryS|&r-mjUcE-_K?Ep#0KI{|eNw|yrPT7jyu z6D;OnKBj|_4kU)>U)+)$zUu~P&WzcJQvQE| zHyWOA{qOz$YlQe)mhQW@ZALQ?#`Che`Dx)lBGcUhfZw6{r@>VqCp zi@BePEJqK|#q312x`cc@mtL>*svKHW=`X!{;t=FfHWwSmtPDS(8xH>UiNQ`QZ*El=oo7MLce^yFf4jFB%A_9lp~&b+gF$J1>btZb zCZ*6LmxD{>AYE^t_5a_L;1UM1y93w11dAtQ7}bsUSO2)o6&@kb+h6)FYD_!80Euy& zrn7*3L{Ie=DJ8}H)xpueCLw3D;cS$W-jrxCBeP)*!|05|>*ed#)d&*s1AP;%?A>V% zx$5eqM7Ctkw{LRangyYnVA7-$h3`jGcpUx`^zQl}NJ1fB2QjcRg6bazev zs78Bi7pHT^EonvjJPn>V^_$hZ9p$Z^iK#q${40{}i(!N9V~v$BD&lH};-ac)d@2|f zcTkTo0w`x_ph)87TDS8O1iCK?A;&VKYTP>)Sau6IH1wlUo=j-lfR+6=H$-=x=lW=! z&+c4%+?4FrmI6EV$AHbTY}$?STt@K~YP=3{*)f{)xGSx>YU6a-fZVekd2Vt`S%3n* zb%|-#06_r9b7B>4t!g@)z?i;KcvEHCA(}aByF*vjLI&#tN;oU0M&8oToPrU6|aC2fz?!)SI0bzdEG0e^JXjcW8Y?rJ}#B;+W77}CX(hA+5E$HEK6NvtzD(#TQE>!k-N1$`_H?s<>8QU z?VM8ckTYEg2{NzcRhW?P-hy}TM(3lYZHQox+F6Cb3nH0BuIOEf`C-M!=9o>89zH4qqg%AA-sP2vsvC2d zE*YdfA=ennA*ljHzH=~8^5-iCJ)jo^usePBvrj{>(K9?>*IUiJ-f}L*p(r2e9pu>L z2YTJwcKshfuXd5G5KCT+3Du}k@i+5bv? zBG1#0GoK{wLj2rdZ@bPe&ds1+I{Utc^DNGCheqi5WfB+Dtu#;Zcgi9MSuLD?w`o|>Dv$8 zf~VTWJqp+f^N1sx!dvC8mpvZ<3?+I-!d*H|lqxHAx>%X!X?hwEv>HzIu7~ETbJ9G6 z;)WBwta}@=6KH(Yu^rVu6D=G)-t>5&5uadn5SII<%p(!ap`IW$EY0_y)vhGo?m|Lh ztK^2YC+VbA>eY?6EcdTPI5=zie64xgZINdBQhg{;Sk@&@a_9(fr}O0@aSr8)?L!V8 zLyfO$%rOrgy1J^N+b0b_TDw|9o}}!gI1cA{FojK{#VO!&Kl2-vuN4NTnaV?FgdgY) zz9`me(KxOBmkV&i`@;UEIZ60^f^*Grse{gGJS?!GjY+84Eq1yw`%) z|9-ez@n@VlN>OubMk{7+G9ZerC@@zVlsJOR6;=IrsKoPuM?b>i!AoPI9jBY)_MH%D zwwR#LN1jqGeX#OQ>W}UyYs$v|F0wBnn%tpOt3DW1OTMl81jtf5YMXNW)r5M{%MljK zr#5|rVmk`l`J9wtM`o3?8|Dm8rn{qOuechE(sGnc)vU?Y|eWbcxy~^j3vB3o#&;mU!$I^CLKzR z3%?Oz``CO6n9KQyxntjxfS=8G^{n7Fz4zf8;_pE2kGvbq*wJ5`)!Ef5_Tu&3u-%Ce zTm!zO*F|4iJ#W0}-pd{PP&p+k7#aw&tD3|?zCz{4?}72!Ty+n4XMyUHf^4XwP>8T; ztGWM1nQOpAyr-E+N z+t#!{cC>hDch4$lV9Njt&x%+db-2v=P8NDPse}Z4bJ^RC_MftwqCkde*U)81y!SF0 zDlAEK(d@pmfuc;AFFOqWua-AQDj}li#EWOQ-0$X>kIfap+|d=r3$)EDb=+rbEb81| z0ydfseo*Zyj`ZWK)Zr#ags0}i-Ds?}fw7>T#(wiU*xm10Jlr(o$VUWpEln>7Vj2IGm*%~3d9K0R z|?A{m3&V1in^xB{t+7d`&?+e?M=RTpwN2@I@A z9rf30^Mna(PTbR(mwo8l9N$17OO3aOPE5WmX;6fJTC)t=)0uK!Y{$G3_u2CgvbQh_ z2x?`u3@FcY76bt8(~7P;s52GD1JLqr86y=;GmbgG1(mq#@`GvFN17=KlhuD&MnkzC zUg(Nq70tu4en02m3~ah}JorO@qcLFZ`KSi|FIu_x1qtOt`42CPH0UjK$S+FrqNG!h zp;e{rHPIxrcVxSGq7bwnY3&d#(OSjvvZz&8~qn)=}89hB+{MTEwvyWE^sme;SXQ=L0F>o(apoc1*g`}(fgXASuPU)LvI zuW(JmVSAY|%Eq=)UK8m%C^T%mw9?1HH*&t6$$P2Yw;q3?AbzH<|_;QXTY+;)gl3|cFtvk{8-zf%_r2*lO z&A-1x;%7($spi_H#e9uvldeeMxMhrI+i{?wacg!sAqmaQ#?}+Iy1g`juf@Llak^Pr;%WmhT!RqCC4UKKFEP-YFKLUU}<5Jk@37^J=@jnGCu9QAt zDLT0^KsrSu0LDR_8NLP zEQb~DdjExX;&|%k%4zxt+~w?|&Q>42j4VQ46%AVxrK1(!KHZEN7!N7uaF4HwW7~Uw z{U*BR-LJ2q^H)_=cq5%CD)k}UjiQsa7zL#@O|SJ17p4A$`cMulyD5Y0#vd~hLUWZ} z0|zGM=#Zzbo&20wVMmZdV7#@zvXYFUDwE&o$fvr{pp)Eoioq-9Bn)gt{&`I{YMAUt z0@Ib>*TCKHXe71ppxk{`ddIkefJ%A z7y0Oky}sPe@PYkIWNoXSl>dyXgI1*rmG9Pc2;?gHPn_omAOBP@Ogx*LpZ1u^{!+aZ zBTl;j=s(mXi@0qRg%*g$xXDr1<&0113$07!%P%A@$%*;|{9`#1&nWklUOb5Q$`|5- z^)KoeE!MPcte(ypyG5S~cP2Hz9HDUQAH!8|olf(#fCKo{Nxq0cuM5cWlpdwx1`!CS z_T~ExTD)$~CfTHN>wmnJsM(_`*wsjbR_WkS+lGc=y|QuxBx0DHU?fN#6XS~LiE)$B z!y4(D2MEBG?lfjOZuY5D1)(Ev+E2!%oHlWWHvrSRws*Rm6>*cJA01)E2C=eHd;1AMWUP4rP!%c zuPg`8BAtvx2%hMtxOn?OAtz)r7ccUA#Kop%iKZ`&Svc~@#5b7CM*#rapC=RK*f23P z>O>4JG!MJ+A@2A?A4A@IX}FOnwGRR~jpw^9e$P-bXV1NAZz1N`uN7dC3@5f|yY}D^4UQ*atzw&N;~{w(Zf`1=7+jLQ z_*(E2<%T;tzCwBP@PR@5$@^ZJT2hKqm-|LHLyT@Srp%}>Hr!Dx#{ZP4CE)fD$cTYQv>_#OM8SZ+IxuH9%GG{!sh-Mzh;?oIkrT&a!6 z1^YVia`#8R_iuMB=H1>`Rd>XN>oO({;4?`*^PS-({4E?-LBSJPuV8WAI4`0|RakLNX|Uoj)HIE|*Q2NzvK;m!4bK$3WQ8XNSq_(RmSDBQFt8D)Kp>YGJaP0D+`%82O}C zKt#tIM#whBM=YpPk=AM0Vl^0!TC8ACC-<( zM!KN$pU9_;BrsCUQ0R}4^H`6zF-lim*L)-s_+>80sV_RDkW#PzGQYo%PXEq}V~jI* zwe$SKeeThKFK{a6wY)IwW!AGz%|$bi^=LG?=h-MQn{+I?do~(<;swOfF74WVDcdvg zk^Z~_JrEm^|LD97xS%ypvy2wkZ5Dienb+s@4aQR|8D<`q?vmhS>Y5&6$_fDniUoRp zp7)MmtbZZFZt$XERSo+t3T&Lq9W;I0dLya#8q?fPL<6&bk!E8miX-Bfv( z+F_h5ZIsH{&_3y!Nipbu(o|IL%1HVzn_)wnPk}rDfOY&XNwp5HWn6HT{tXRl-Lfer;0+t@3pY14 z?#Hh>R6ell3b@9(3{&`gRM_V7`6P0eD>H5Ac+fa*&5t2Iw;(B>G)VM-yz1Y4kHtMU zaSp!a(V>+0<^4?>qJ^3QnYBUe zqv25m2{Ry_Sc4!YNO94w_|W} z1EbX?2ofjn#Uhyo-rd=*3odF_0GW_)>^y0W^Z{~bL}wL31#4wQ;ij|i?mT!(Vd*~$ zJ{o;YRPuLgN054z8Av3281yu@F))@eH;;k%0HMtwA2>~Ji?}V5o2-PvSCpye&&N$; zo&q5NaBD)WtXHi)vNxP~|?t5NeSf)J>Df*)%)=$#hxg$g%FWC&q zd)Al)6}(3a_!3R&B@JsLDXWhc?n|bs(%Tx|k>1$0Sv6hMJ2}-0@#6E`-jU4M-2Qn1 z%+{S6Ji6zkM1Q^b!m=q5jgb#Psd2=~8O-sndu%&i20}JG8u4q6f?HQMCD*ruy%N`t ziVY<+G-B@JR_c!mjqF^}@*C+GM>T8S5m~>xls&p@qmLW5ynJ#j8FV}**f{ZE=HBv6?mM|vV5E-7?+iu=;WJcO>{bWd8XOG{-o=FYD z@?S<1)LUWUKav#orA%B?Lr2>FgyLOZSYWZn8U?a*p1P#yppf})p|FE+A?XZ>gjm587y2=a{nPb7?KnB5R7JsHo>}mTL>*9d91$vJ_X4J z3vm%w{0;nkO;LN+%5*Vw6r$R+Uq&+fiQ^|ME)s?Oz(;j^U{N(+nU5j?5)MDyZjg1> zgIM>K*BEfC3YCJ|ew^_q<9LL3vnAZ6KG6X(Ba-UdsB>$O-#EY{X*Bpr_`~5UkQ5qD zq9B-a(fS7tV<80kl`GXkv+x?nnBIP7{_5V&Y*`8}pDCd@rNz--+aK`f;_2aP0k;P8Kn&2S@;&0N zuagc4U77au`zN6>ZXR^@$~`!UaYP0F*OpXP zIxZdnovV#u92|01ZRjc#eFh;xTrf>gr+Zpi5+YRa-_wyUu{uy}J zy;}c#DAcV@N6JAxLx^4DO}MTNyzK2q{Nl+J9_>+;+?b#s=x(F?I??>%k7Yg1`Oq|< z%7i^Sy8m}GLXIzsI%CuN8kph~UCNx-Y+kUzk&@4WfmWkRo(pg;q#w3%_W@*6Sl)9z zz%aX<2)_+AUDN(V+DitAwl!_4Y&mWp?R6Q5ATy-Pawf#ZP@!}2XnsK{_ zLTi9puO?#84SQog4K3&)Fdz*(2M*;-R@&%az9U`C^U|9>2#CAjGP0AY?-riI8Pvm>Uf#fJi1g6&Wqp?3%6} z4~@3KH#{yeCr~*Gf=lFA1@v)az{$pX-}K82P%xx;&m?^~6`=;*6;SZ8M>NWp)ZYxo z(atw3Xljr@d5BKXgkYbn`|uEXi*!`~Aah&%Q4E>&*gN)x_-YBv%(j`_p-zLG+GO-< zM6k5Ud3L$@AhGjhGE*$*@7*4$WSh;s_TW*pw|=`M6ys^?*eH{ylqP7tV(*zWL~(iv z|9mcCFphZQzNj}kF>;*s8ou?jfxt4{=8!u#L4sDoylt*Q9lXn(Bi2Tl151AihoX8a z?Ot!N7f8m^d)9^kxtyu9#wCGycf48gbdLa_p7uY3N^6f#ZRhkCn+X}26-bv>Y)*W8 z9VZ!$@i^erO!ECog8CckD8`R^65Du&Xtg$()MeG-C$KD65U!AgI7t|7;V zUCs}c=p4xGjwU^sT3RZN36(gzG8)U35+ei}jFS1LUe{KO;m5SoUW_xM?=aS-qaTR$ zTCpu3QEMu(neDmK?kdF=p~XU{gv?PzR7MP}x8E<*bgk7S1>=PL>V@5tymgpCSI&oib*CI-b)Y{yrU0pn74*4X9Pt8LzF+Kj{}BKL0leB5r3Cub@!^ZV1x z1<)=v!aJi{n|A^yDjd`DWK1_L;IVmg9bzYEXV?5P*$(-U$ZP(tR@+o4(%tW^aX4#CX`>sBuG@nP> z01bp;0TFnh^ueYmEJRc`pP#JBN3>g>G|LM@W!0emM%HREe;|0Egh)jxE{5TH{- z-WhP*y2{y%rkvilczH|1XW$Nt@i(*xy(iQcddigp9Mr4UAlNMyRBjT20w;~qu9)uM zF+kPIhn)Z+vr^h&{dCj;qTi?~+|Ifeu>fRTdj?wp*S`@h6#VMfz%FQ?S88BrTyS9O zUUB+EoHbhJ$FM}^IArKYbwj01XBxV_!=D`oWZy|m}b2k67GXRzOH-*!L za~}-kZw|WBbm9&Zj@E|#=*_fZq*CM`&JtG{H9au_{8ab^5BLL1;8x)wkmdJfWHT^@ zwq0kB3;dN7F0^<5uw_^eCo+dy6hsnHlzgaFVhQ-J&HcvA0$|$#hm97Quqc5$24Mo; zE0=${UzqQuscQ>_9*X=lYw>NT=D2yvB#^4{YkK*GDVfgiVATJ`-dl!6z4mLvN+<#X zDvC&ph)4-Yr=Wx=h;$B!bW7KasDO%qN-Di5$&v05Bn0Wsp@(i}fT`!2wbuRYeH?r5 z`}SG)+MnL{lOE^{GuQw6^?9B@r}vaBxz8jRlHf+?s6VfDRKsv<5M+wYy8o>*hr*Y{ z)_XC#!B)8VG{q~wr6yySyi7+y1{2pip3kxoi~G+ct>>hgDw%JzAA~g4d=jzA^6d3G zmY#`>faTCK1^#%F))liM5x%~dQhat#Z+5GJP(OR6qp@JKY4}QE#*Z@qYevmr>Y?St zPedg#i90`Vd6=c~inq_20LI8w!xqJ2dnc%)lZiBl(YhLpT*wr8B8@`X>8BS0C1L74 z#Bq}ZOnpK4a`c)iW3r){zwHFz3-K{HNtm3yZ&?)(m;vWY3IU+?_(F^PSLKGz6|--d z9;CX9pc@KF@Ez_k$hE?z9*H=~P;jaV<*G@Y=E~g;$vHf){IeJWvmx1pw0RE!55Ml< z>ewD8UcLPGC@>{_uFB3rUPH9Ljsq|8pF*94jYjB_O}q6(m%`-QkxP8P8{iiQX_hS@ zZ?;}|a;Qnz*R;Dtf~(v@XWo96R~Y8+S3ly`kf{W9xqnn^akqdT=Mo|FIhtaGvQ4cG%~*W_izx&kyM~V6_v`u0atQk7k8r>9TvTiz8&+z#eoVew2RzsS$>}{T z4mVZ&T>j?q1e;d~DYr%lgjtfc@Kd10Wl0XN zH)Es-Ph$=f#QTHd-pGiPBtAEd*O&Cwy9GL`@`vvq)+wq)f;h(>JTwI(;Bo{>XIZHU zE1Iy}igwLsCP!Hh_+aQ7#L!tsCIA*UO%Z;b( z(q{uw7v8SSF@=&^Rw?bpueXn@dhdj3Jg(y*gD+@!4i?3ngw^G!z`CX5#}8JA@|w?z zPrffqU@-Hs7~eSBLuR`~a9KP69h|<0fMG9HHQ=I{{){KCbAGsup}GG@1gaPyzrO-c zI=;i5T6Qdks5Qx}A5)RqS$xi}*yMNqrfOCu%Q>_612~lHU$(4s9Wua zd=2t+XipPyJqb|`d`WzH!LAvodWRt%93jEq7nQ+!pvaABxb)JU3K*mDm|V~PQ9>l; z#*5Sr6AFG_b>EFy!wh)O`N@<@s5`#o;jr#0s`Hhj4}Q#sB|1ztugNwqrQR+d(5-|N zp7!iM2^(5F0EMUhNtnmGEKZL)#Y6ieYW?JwCe0lVO5UC~w_xj*hDK#BSnoyvUQgD0 zDB)4(U^Fe@DTtUf8-|a0X%{-ACR^;432#Btw`3sBOg~3%R;-G-zrHnp<_z-6V8Uak ziXp4c6;LQDc|JStI{HlI)btAteAgwiSOHVNC9%!e(|4cC3DznIH{AUwcU7Kn)Z>8D zS(bkU-xhAshXjfqET+O}*3t;~>f~7Y z?a|F^&K*L$B9(?xx1rf6vLjf+g*@G|$9CpbEZXWB>cBkDYwoH4jnV6U`$%`BVvV5GIr(L5TScv@L@5&CyFC*IP?imdK=wv@D}+ zD8~s#q#*;+l&K!q!vgH+?yuNUcjbv76MYl6d%35Ru9*RRd&o)4z=CzabDMVU0|{Zh z7;yw!HoK}o!@{YMOMQFR>BFK_ZfDZNhBJJQheSnghb5Rwf)%huF@n`p?SUCSUMAj+JI!-b;@t7%p{CQOe?pCIzqCiUQS zwo36v0#%&4_^F@XjP+x-n0x{Vyag;Sig(;+2FIMmV)qF6dT(4lAt{XsuJmATeMhxo1A( z6K7$V5{NQ%GJ?@WyO3HV0MxACS=<|NmWG!&*uPSj-6Rd6P~&fg+f%ii%vyZT8$p_M z7E=;^Qf1Mr!?F~>W1l^Cstg!#b6PlYmhL#7$|*x@wmN0&j+ao-0fQgj-kbChN2I)R!g%RgVlfS7V|rdYIud@@Tk; z(PHdKn>ebO|GaGv7jN1!5O`5VOA3>v! z{mRS7DlPnzQTFNsMj@Hf7CD)T2v%Aq8n!bK78z!}O=)_)4f(-^Oa2vy*=sbXJFg{gyy+GkQvA{i#_k3zrkIEE zr(-2wg|Jr;XR>Z(pXM3?ZG+KPo?Z&MKzF4{dHIWo=j!0?jb#7LGrteF{jM+)hjoB zRzmj)3k$%<{SwZr6e7WPhT^JgsMrG^1Ry-SjAjBKMOkre(Ni{R_Gzg!`u`|`m@r!`G zFWsfYWLEBI=rkEAk2j!FDhPM{roi}AXX{G$b&BS$AREvgmEyO3|2#`%Z0Ey#BQB|2 zIsTecw76(oaJg!`G0jIXnjCmumQu`W^Q5u@>B2jK{3HWA({_z7VrGUp`i=azRI5kK z^Odo5wyj5|Dh~cc^TE=y+anTNn>O(k_qbZjVrG>gGo^m7MKi z>!NR3+!cLqBPhkAPc_1u?0ds8!3!ezAi@0@P;zrkUw(ptSz*8sWsiO$;i$HXfX76s zSFugDF$kC#7>A&=`SUp;@>Sw{j*qtLf4VC%o@n=k^A${rm#0*;xDhEtnhp#y#?ycc zS9a5ty0hQ0hViw(Y|X5IQRm$TJOK z!LjHle?XUb3}Zh&-&+v_eS2^`Mg5bN;KYkNza6Kq>55PYMK3y`7ZPUbgJ`za)arI+ z$k2?_aiZ8?z+g%klK}`a2k$FBy35Zt%0|TU@t}yFMBa+75^9fBxY;B@QNf`YDWH^_K#;2bR}J2-m7d*xo7bAPV?Quh_$oAG0D2twfJNIDvlr>>b7&bGa? zjBCy`Xv@{jlPXvRVN;_mB$coH-Ywb*Wi*ZlcvXWb0$TU?dezM zZj<+2B7`{PW%*yx_MLev{N(#<`iQ-3d0bApM4Ia>fyKQKGo=7zm*J&kOE=MjWTZNG z)i9)hj{feK^PP_<9%Hg$$Jz9hYIMw<7b0RwO)1>%=Xpx=mQ=iJn$ALo;kxDe1H z3U_QyWH8~zq(`${lq?^7>2Pi2WxzC@bwV?N;``k6eFavu-fDO0dOw@zx^vQHcln0R z>b3rS&~2e1Y||3n7aC9QRpKuw#&6y8Ie$xrE?8^_v`D;acwP*xk}G@FnA2J>ZyZgm zqQ($NK{Oo+tNSc={&Vv|?zn*61VC7+C6^6|bNIZPEux-nOQbS^OE6Tz&pCg38DjW; z=DS}oD&}R_-a&ER(ON-zpTsbbP*}MA$sKMM&x&aej4D@|#r{N+j@;}vF4TS?2-h{y zmP8FTm3`WNN;x8#JVLR!SpU=a9=nUzlAIP?!=(Y|MQLs+*R2G^YP>R%$u#$56at@7 zuusgfHb1knTdd#7@_un9=YrEBkZe&OaZi>#>hgSrY^!yVQP){hn)>V{{&K|(VkCaW zIfiMiVfnW(`yT&9aUi~Amfqzhos87SGrjURI!e?sLl-&gR3evzdwUpsYoNUUth@QA zy>4q?NZq0og#5&bEXO_Cm`{ATOsW9;Sa{!z7Dv~iD9>=5zIRn|c&{V{$5%&PTyqe! zwj4PNJ$twoNm--uuj3t&GB`;h*&AkbzFtw{v3~H05B4fyg-bS9SOh3eaJ&w7qGQ$K zf8{}}Ylr$w@mZ{VO6;sj_m>y$n9oLO%6)2jTy5e*_wcDa#cK|Qw@pyG;qTdkCt0Apjy!82Q3E~ex145 zK3F7kQbLj}+vN0}M}Scb>CloNvrwcz!*=!SYxfcvc@fGxJf`IE#iI_F7auwvpSrrZ zBUrnw=(F%a#oj`VPy5vE#UqNnJnveH$n?Mkub)uY?mZr=JIbcy)zN!2<+I<03rE@% zq?)Flag-M3t?hxv@8j2l0J%1B)kOSE%$zp=E7kL^!(Zs=lv7zp@=UG-J1njg;Frel zJX$2Bm3c(f@|)8I=b8vI_XJ|W5!UEja_e5XN6=H`MYMm4n&MbE%UE4bhI>rO&j<$q>94j*uN%dhgc@Ic3 zWL=#YUn?%_)cI?9PQ;`28`&mSfx&eAZZJJ80o6B|yEePA8@);+Fi<7AVkmb}wU41od2vP9NvW|!(bvlp{ zaZTRO+{QM#&0l`T22NV0^E_4`?uwY3R++6Tx`?!|+mO)sC5W#S)%MjD>|;5+X@ePp z^_XQqKN#w@Kav)Ckx&o0bbQpC5-#VwuL1={K)-rZr>{XQo_wGDH$<1NzUk1{h6hz9 zFd9OE_*0m3i|4P{Au!dmWLJV!Jki5;L1te-Z57;SvxpuPl(AMEtOuF-{*Cxv0yc{c4Y%BZfr zy@dG#fIG?BPLip|%6Tk5k}4!C801~&ot1M;ug3SMP0I}$LwH+tD~2ZgbkON$N!6c2 z?T9cm_S;2LYz>mvVfek2wSsc((>bfq-adQKOtX_5KesugsPJtRBFRi|i{nFSU?I396^8#)tFU6 zk}E(#<_Xtwg-l;Mm@&-JN-(dto_HvN_A5ucb-3#?+(%gf8n7YE6kSIh2Q}iEj$ty$ zod*Vj6mht@1~#COIOTdENfE_Jjdo~XAo~^9Y;==IYSa*XgCzgB&vAoFFdTo>14}l; zK9DC>JObZTulr+&FXN2ph)I;0xj)Dwv*R=cO{@1y(f*!;=lge?wcz+~l#fBE&=bhqtM!U>m(@8OSP{O;Jn z5=v~8$hv!jLQY&E5%;@r`C~=n#BJY+rAoK?#|Eb@n1&*xeW(2pK$Aoxbqm8$0jVH z0}sVBD^SIgDr|w#)0-0mo~|-Pw)WuWsQ9>4no23c&%$V`K)k|YSUq(R(0}~`Sv@Mk zH?!OY9@7?9kZFiYc}wa`#=i1(WA=9s+$^Li_^g5K40y;s8n-rXo^O+fs%RJ)aKx-f z?o~9PKRI07NZd=9`KmX`V60{HA``$elJpM1T|Xr!%aeG4D1}sVUUfv*+%)~bEwT+q|Q3#1Qs@KbYo{CSiD9Jpp9S3cJd_6u^X)!9|k9 z%MFs>zq9WB!`Gv3$vK522H`H zO|PI!-M4_ClWQA`cd2W5pz%e)`y1-=uj`%o$?!=S{f1**qeKQ)aIod@y!)N9JKrzl z5Jo_9-QUSvV{EuN(A>#E1Uqk9yBzIjSGIA0&5sCucKzk6Fb9 z1NeO*b4-Y2>^^xap$!1hnn8@R-|HoOt%=JRw%*JRvcQ#^>F52@+?bL&{sfDNA5*uG zdCc0k5DL@IAV=Bwx>-IVXK+npO}$Zl>Z0enYX;#8(bkk{j{!P*MV*5=!u6Y843S^j zd-BUCMTuT*P1&KJH;+9H6+J%-!S$<>L)MF&6b%md%jjOWB25GU3We0^-WRr$K7l-- zcFhHClw=j|dJ$6z*0mA1W{TdR)vZ#C?t6*_)x0*%fibw{AN3v;ARlG0%?hMx-K*ek zi}Ala>-n;vw@AX9tS_UxfUi{!Th@2P6fm4SS!9zU|P<-dWp+m{}o!8(xrNebXy zy373o^CmwF3C3~tCd`ixd{k=rloFU0_-p2GZcet0Zfcm?E0*mT(uX9OUHTE`?aRX* zjK2wn$rSF$?uQL~>e&9s2>C?`#q)qiuJ6Bcz!@p?@x=uOK7&Wb3lGSz4BzY(GH-#<4jj|mE!XVMJFexmiTGf{xd&7dsvoXrgr{p3&3L00tS2z zeC>k&)h@+QV*xkX+kCTfcJ%vqD3#|ARRUdG@?*+6=FIZY+D|R8-OlrgN~hDTJ0e)5 zKO0V3T|E48#ss9;Y3uo?PmBmljUK327%!rrmzkwENj&wnTazC5%M7fj2>R`?a;%g_~A#iL7aO?)2xG()woAsJ1ums1Oqsi(i z5fv;K^a{&wRx6?Vl3@=D!r&}XkD)F<5+&p|_kCaSftj4&Li>l?f`meOK-RzgGfc!V z7GDh{4Ff9Y-tzW$1{;bm63Jq-u$4CULofnom!QzQ^Gk^+bezQF@-Yr1Sp&)v&Hgt9N%B)QCoHmwVsERDMsusZJZU^c3v?&EWht>bWXJPZT+Zmw zgr?Muz3XmGKbBKv!1wp}eRwZ_yiyMy@hs5AB&}ZC*Rrf3 zO6bH(x?4vo9{D}K^8y2qNEDX?06S5;-Q0T*h4vU{y%R8ytw~E93A67P@x4Nw+g6bT zZoC?3{4~3_gFjQ;-^1y01%AklaORs5Yp4Hdk(zfpNA7bD*-?Yx@DNqdn-VywCMUQN?P?}pj;FPiqeVnXfPoV zoJ87oBNbndP8!<;5M41o-#?lVI1~KQxZH82>ncu8kdO?iZh-A*PS|Zd3z-3{lG8a4E~+(L%$sK{3J|P;n}Zg zNBwKi!~ghUsxRD{flG5_|0|pMCuj0Y=h;hok`(XveBqY_$$p6j^FMqd4{ngbcq?lB z>umXdJdhlzFFdRM z75$fAvX=kh3CPj`V?C|f{cFkYU;j-C-XzVf5iCrgI2oA=_+K|A1)$6v;vv+f_SZl0 zFW%T*r63C+Pe}pt;;q^B?yUd*WyrUUpb64n$Smu(Z!*S(R{HazN|EgbLXq7`pZ`4z zX*@wm&DiKv#q+;%+9qe3aU!eKU@j+aKSPDTbc7`huPJi{RUX4}m7$rWNp-VG3Pzlaf{tC``H7Px|K?x#^%NQ*VRfa~mH&n}`>&s+O*?hp$16+l_m9~-Nq+zS z{ohJUZ$tY1fGo`Csc5ixfgvU)MoUZUgP@%$$KUad{^LVj5n!Kz&xRNg4=PCSDp1Y| zwFLsQB`HpnT#leiP@f^WF&_05+BXXT`G!0={|i00`cd)3*?X4 z%?u3rCfP0ue8{O>=>|NQ$^Nw_ZmaY2HVs7e=H8=8J< zH$pyVEB?I?nYr%y^M>>a_v^%KSV|H^!yea{@?sCBQz8m5q(vXVZ@U% z3Q|y0Q!54PE*F39H_{IT4Afryo1b4h`L#pls!t-sV@!>qh>ndd|M*ES#o8gs+mjrC zQ2rkC`~7`p+R4eVEdTMlN{3TxhNZUjo*5_nezJepuVPj@c@ow}r$6xfm8=EEXoQ4a zH(skvKu_84|D9i{m!8bX=9!lEd+}4m$6~un0wlieb}eNtkvbOa$z6&azxFqpdeATz zFmz8-mlCeO@m>F~YYnoz#y+!k`I~+0-)p3Q`fsB+U_`^7bzT2EZy)hNVMWMZzvPd{ zs~}4TCV-cS43Sa*e_}18)fp?X(G1vhPYDC8l!eA_z53z$K+I)vXOsOcgnYI47Awd^ zU-$R-k5;-_61O|Rk^nrz5zry;sh_=a`$o6K{JUk)+VfcMkq7G#t}9 zaOYFP15}rvj-}K&ZqLn0Ngy}N3?z+zl5Wt5hS0mB!QzlM!1hj;?Am$cp6j>XL?!qR zG=S??3+MbOC2N5&yd?+`ErELfVd)+#{ah-eb^hYifB2fz;4}1i=@h77#$U70L<6G7 z{0_mkK)$zs;Ee24AgZVwMiLGqM=M+qZY!GHL%=iWqQBnz-EY4oX_K1S0_4@#;0d)> z)E^WWd^NvQgitCVid}t(Rg~1@fOTI`Ic}o9Kp1@vfM+i4dYcTPz4iP^jt9B^u+;Zw zz$!r@Z{mKrj7&MeYUA-O0~CrDFyeRu6ouUYf2I{Fhpr-GepUzWhUK_}_i6=ODX#ET z7J^9p*!&5{U}2$}9GEx?1srZm0H91dqyg#%xO>XrH0FRveNLWV$#@*K01$Bw`1xbz z+i5nw`XUYVeM;F{&^EVhe11~Me(=j=j^V?vZ)nAWF?9soR%Dch6c3x7UmXB=24h8c z)~tR0IIe%!n*_~sxK4SFEY3m!>-{xx)xyE%GoWx!eDsS4u;YQ0R=~_y4ct_bKklpC zZlbaT{bC}fZWtqTkx2#Qee)9be!Hd;BJ`V7?Q9 z04ooQfU2XC*~>r-YSBd^PQdgEfG>v)Xh`#CX(WA48JGkY$rS=_++I}%d-Ls)Tr04o z@x$~?wrc~2QV7Lirz=qKr>pZj$nDU9AJC@~2XarQKF>l|6evGFV2gN#z4$5rui4Rm zd6iLt0?4)G(BVwtt-!|DHok(J{-hD{^OJ}rz}z0lp~oHI;XoNoIc>`?<;#F; zmALE*i_f{T8K-zrThWj5tjt<|$tx^NOkvbNTuvy1?MRXKK9elZaRf6POAYF^S5mdI zRmwo%Nbd#+%ooi(w2AH@Xi2aa%x|8wPl2HhGx17+(IV^bb_r0gD?X?( zn*_o&TH%*r0@XL9JeKLeyyFc5kE&3i-_$Sr0oYRHN}0Z>RM=@@Zzn(mxuU&H;R z4jAv2STGyl*NQ!UZPE2{^OMfwud}oF0iG!xD2@6`^I%;ysi>|kPgJ;Qd<9|8pv-<~ zR$_Pl$3aGvMu+wf?bIjtB>>ZyVzMgxt}_iHl3{8dU2^jo!V*-c zF%9tgXt+44p<}!(OkNiAqIRrfU3Q%f0YjhjcEf$=aT}hA+S?Ogl@qQ%>?Kv147osY zEhyGc5ZCt!sSGdHIJ$@L9*AuD_>jre^{*$ow!tJMc%#{S;=dO=ws;awm56r$$euZT zcibxItWC17br=AFA{t=tSY@SB&|s>=%#&Kcu?QU9JEEq7A8MU3T{-+M@T;O3RTsR# z?kflPF!}(WRz{oez|!)m_j3U<&XfVRomDcm*lzfmN#!oBDw+{dEz6Hjx*@g8IR>j{_AGAAItLA9TpRIQRE_#z9VIQE`#5F4hj>Vv}JjQ$|CRTEf1$z z3QY=zTLK&4ekKvR;ct>cI=_bR9<31Db|15lb}|q4;&R%%gleh(^2PBuE%I!lbBSb~ zd{d4VWSA%T$lct=ZcnCPzHiwt-&5YcN;Wlb*gJKE0QWz6*Bk z?&Sav4%8e6pU~~Zl`QDpwYi&JWL3% zhxqS%7kRaznja4A%(M40Z)MIm_OI8dYL0VpYP?ayoo4kAfajZ>)8sd0j=`WTPJOI1O^j{zRtIjO-4XEcG z<`~+yiO(st3ggBgKb5op+-OJ!Od87{{(g#r+2NC zjhJO*({{x}EFj9Yg|j|BjV zLS|BMh^QmHccO)!UII*ri8%>pFs~Uou9(Dk1iP_$YMC?se8p{YQsHFOn08QSog_HmI}+wD67!zzt1G3i)^C-r#j& zfWu9vuC@7mx#QXXq9-Pcqjz#EGb?ShRJrduReu0t+0E@fd^(hQbcOVE+jer@T;YgK zOYA!BrP~$40CX78PIL|s{BE2ZNK9Ie4-N=pvQOLJ%S^h=G~zg3=dk?MK1Wb2_oM#Z ztf$JqTg}XOszi|O??k0wGqjp<8rXb|b&8ITj^9AKcEqj+cdliB11L`SKn*hO9LXxH zv3`xI7XuK3^TZp@of072pGaw?kFq+Vf9(S(S}nkhQPt$tWo_4k9?{Y)3>dHX&lGui z;@)fH3g_@RGd~_y=;3TFGkOA~@2oF-cYK$Uyy+F&Rvee|dSnyV6CX(EDZbT^{bXwscSp;m?)bq^|Mg_4 z9*4Kmyy%TirM=I7m5^@&;UdA|dJ=NL4%(OQe05@W`eTQN2!kMn^}F z;M-SXX=oA?d{V4!S08qu?*`DzOG=s+FrEcC023a3?oi`SiY7p{HmN>T4*>E==vrqk_BuRQ%4_tRT*aqUsT2fN300MEC zbcN&CV-uIj;e*uI8cCSXW)K&vbOZ2TZQZ`r{*t3kyta~A1z0@|5M~A57kJEfN(VH;JZSxw z*1EE;{!tb5c94(9ct-5RK_J;p5#bJVEh&Us1cAivZ0 zfhtb->7D(vMfa!2HqO>i!({uyIZ9O)C(^oq*&DDg8eb67mdFKfpqx$Y5Bu%l>lEi?}~mR zjA=YA_r8YMiKT@&p1JE(Liec^%Q!r`QATFz{>MizFg5QzEcq=EiMunX%a5}9c7K3? z!4w7JRzdVS*zFo%_&D?rEdZvuE|sm^GWm_=aTix=8Bcqt-5z`+R77a34JY^=EE<%$1(u=epY>&GeGV?mq-)rc!}+j| z#~#a~7t)BvW>z7LsVxoI%c^vlUK6r;=#*f8mercG%>RhT@@*LuKmIPh0_s#Bc-;7H z$KSFIxuz*#NFOOs$Z895&&O4JMA#{*e6Os>rNfW{N50118*hWhm|>Fs){f(bX6xBP z`T~q%!U9+1gk6NmOD}dnlEwMUpW?DV);dG2{AM2ote5f#<$5CmFj;ZQJui0zScGo2 zqSx30r8WpZ_g^AYBC6Jg>3h_8c?Q>IIaQGGK*T4@YQ4^4l(y^GODbdwYQ3Z}?LMWc zwEOlCx0To0PacgpYhB(O-& zW`bC&3q!4MyMOvpnRKT2R;79S_T`amh=(&m&SlNLp`Mo}K)A=7<)9&A-%Lu9YO%p~ z^z~(gw}Qt;F9&V7zeDFzrRVTFgO6Q;F=At7$zmQpCQ{hw8zx~-Q>asn%5PW~nCT*Y z9J*zvgxhu*^W5n~y~LJe-CB6kOZ$uw(lW1pN$kGse8x!(EaYO= zht091`L$+5Y$?MnUBv#1TEMp5cn_Fi#<41;IvhJaB7r z#BwU)C4nZrBd6`DXgE3yf_;+lwLufQ8zlrFe}^rC&~w0x7RuiT(A4K3inYJT5$X%SwIVm8!E)K&H^lH}Pd} z&#d~Kd1L~%O6>reR4Yi1m}J6#L~*wP2J01o^&GJvy}&g2>C_+jXpl8$ulL|9skUQO z;)-Vo=3zYwrcCIIvP6-}hg~d5hI=}XK)GAKgh2%ngyFoN+eVF$20p$TIurf8ftTy5 zvrlz9fx`-O$~gE8fM+#cf_hs~2k78Eft#laFVbWvRHn)LwIX|@P?UOKO#3 zx*b01H1*qo;z!LXwTC7@yI(Y3soC!)Ia;k2u*%%H%Accyd-tjQv=tEe3watl5|Q-& z^p8wS&zPrpJm31QV9XF7kE)Z-mfX=ZXY1o68`iJ`=~bGT2U)Nfa@tEIE4k${s7$V4 z)$4Hj6II?2tD&1mepfoPvlAJ$PbcZD8BiWeXX>Y{PcL797y3!#af>USWM1P`o%KXxjm`KgY>P;S zebgUUPk+%c6$z9`=s+9vov}-usNC*{NF7X)ZUYoI2gJ}{6EjvNe7AS~1$pc&t>*sr zf#zSF7c~l9x*^%R;gI}ikE{0v2{A^Tx|Q*~sP(2(iD0mIx1#W4!wP3pOVNq^al=|4 z*i9A6f&|c3EGw!2n0D9?uDH9DM-!kqU3)NWJQPvU8lIi(cauN@<5+-Owvlp>l1GBA zc@^!Tf@l!3Y`qKeJOIlre65wPd@(CP2fhNW0c45az>KKn>&tZecC|kWE`_iQ%f7oj zp51mWKW)|~5#@oQH#Q6|aXCe9Aw&%8oQ(6w%Madn4x85GhWo0Mz9_}7CsF|%erCP4 zf!@$FP^ZrypNY!b%pEy4d>Q&Z`#Kv1+W%?a3!+!^OET8aq`w>AwD?%eDL;;hqk;thwdMiZpqrgktsA-^j-JTS8Ep zX&L4XpfkpE&8e^T>`+txV`-T8j+ItyU{wvk56wHn)`NP@{NKmYj+rsW(L%+ z{QcKrRp)bze`qXH3OVi||%r(6-EPlo29%Y}5j$~}lXxcG9vqQfBTx5?_ zgPI%_R*vgH$WO7nHNm;A+_`quyyr7Y>ex z;80Owu~dtpH&0Q-Q^HiQ24ki`vO;XMVh<}Ca89#O?p4K=xWCpEZFIXNQIGJE?T#8? z`7`f(M&@M|L{0=3U@;VRIKT-eZgdglTdK-)))B^Y!50ONrwAyB>$ z%VbNymoEalXKr*gT?Y`PxP)v;SpaY?0%^>WSe-K47Em47yVVX>+)Gh%z`Un@Z8GRO zbRHj05mOrCuK4xt7u-b6QS7wSeo$iSDdNV^<@dqSiEgcozU`1JL`NLyb2~f9%Lv+# zc>%1m*uk>O%qb`S*<~wL4HDzx>Z_l}(`|mfFj?+w<)%-W&I;XJJn}-C;r2%A)2}Pn zXqf&MFi>q!v3zhDvq@X$UJKc&6^eth-z?rPsWTiMT5G5)t0dU!L2G8ZR6D=j2U+J1 zLBn5Ph;MTdB%6kL`Yid!7HITOMQZJ;qnH(6=^B*Yf`uWcAFAWUM0dm{3o29-BH`g9 zQ|9Q#`pj!oxrEZjde$u^S-8yLKzt9`TIW)4HYxWxhGq=;rlQ<2f^g6zqD3M4U}U{R z%W^(2y>0PftW}!%KuE;vPzIJG%nzmTl_D-GPW~M1VXi}1&=YyzovMHbp;8sDe8Jyw z9!s4<4qdtSLAEPCc3zQYZXNN8Lo$O~Dg!BRcKPV*9uYH~6!|r5fCxED#Kx4kb-rJX zs|2hLIu~sp6mIvERv?}s!7G-br^b5n&}U>D7ZgWqWzJ*Hz8)Kkr?k3%Xo zw%pGO`(!w;XeUXmUv}pW-`88=+%fdK;%UlEEl~(VwfTp$&j~vnVMW)dUQN`Y6?)CP zs@p83r_|xrULbHi7P=gZAM~95-Qfz4&81MuEKP*W zLQ!RUYe$h^tG$PNZ&zz2cekXS>btcXf?syTZ^RH5hDz7@0JZ+OYT zcVhihaI*@wniu11G+rOLQ;SckY3*<_emfByvoDfrt+s?AtSfYJcG+OoAOyeluH-0r zY_t43uteoMv7vl8AdefUT#PjaT?LeU17K(XWH<&!*jf_d;rxr!(cX3v(E1OL7X45x z^|)KDW9v)a{`!~*k#omGMH~SY5%)yqwh;SMTU!~E(L|LpL*(5}KFJSBYYBf^wCgpJ zForEc2l~~S3s>vx9Nq~7?0xMg-8{XEq$jSVPc03%f_7u#>BCIH46q;kIvJ#tp(JYj_H#-F?Wd?feH`Kme z*Ecx_+7UOIb4MKfLIkT8K>kdLR%iP{|7Xgka3?h|yYQUnD}{}z66p?c7e1ZN)#&e) zo%oc16;M0W!)9`{_co$58*Yu4Z_z1rSKfg5(IVJx#N9mm+10ClYe5auJVJAO^w5D# z*6A7b>NvlP&s4<54h#}l^(`qw%&g-DiFPIACeLf^Bong<>+H;?Y~LVS%VOPbwkf6@pA_xV`DuErzxxY1A8iC11y%nnkU6Cqwy? zVGf1`AmX*3G_7te?n-!qKlb$Pog?_ouGr5)bGj2n^XAin_Xh0ETJ_GDs7qHrMcYuO z@J8#%ljjq2D?ErW^C(GpOaH^uo0v|`9H=RrMLezdF6;6k%*-$C@@5=OMru7_D--#o zWteo_oz3 z>UY9jz5^DfSsu=;&aY(z(EJYfv*lS*j(*zA0g=XM9w2Dw)d3kFiGH+~9I7a?1wuH0 zv=L`*MxGk`G+^j?O!?=Gn(j+QBOq|?39iP)#N4B#aIjq&fkUVng|E3R9U)U(Y~8z# zvGnU`&^`LyibugYv13;@Ij|2boAD9_SQdsEFW?w z6w{Sk3Ce#ETuc~VMCL<|t?TQo@%f|rhM&ku3VY(F7BPtVtozax&f^WR&Y<^IQqqny z-R_#KSCC0Ed@fw%t%34XGwMN3XL(BW;2ny{*x|A79qWRvBcCtuN&p+*qlvT!~?zOeixWXkK!TBN^*2POGi; zsrAm*=&Nv#n?r>Q$}#w(buU#=@m?G&c_eBg9G+=uXE*CwFcMl~-n21h^EvA=E2Q{~ zk&l&y$%>RNe-F#T7_sy(8c%h`kcx*%+vnd#iRh&tDLIR^%6>@B&JFUFPlj$|M98nn z)j7IBAzdbA!hT}xwl2e~t0{q@Ht5kUt2-}=WjLD+PwjT?y3Jfmv+}U;@^n%DaQ#yC zJW&g6E-S&gBNTGnErKd=3FO5CF`2q5jUSc&=-dA1Tlrt_>3{jj?YE7ocV5nc3QwSX z2(NA>H61>_Ks-K%NN2SEJ1NTDNVN z9TsHJa>PH}v_uebYWj{*WS4A-N}!T`8f0k(VEjF+k+dJzEqgO}y0D8r0Sd_in&U9qj;Q$~Ehrk)>m64v9&zAy8O*s(4e>Q&g|69vQEM7ydbhz)5l_2qfH`KzG}y+`ge(P?L%U6h_% z($8X8W6)DRST#22>Oqw5DI7v}8l`z%T*e+d=~KQiF1E8Q3k(h)6MeBqiP0Qf!yb6T zHW9@RHg2js*LKW%MpwNR*R>bL#^gh9h9A9S$xW$_5Cxa^#Q`N3d6>YI30hRcvww#G zby80AdufKW>A}o}GyP^y;888M{%WoSu z3DM16Eze1FvB~R;m!HlN+eMc9>ho>-rv6`6 zhaxP<5iD#<{`)e^IXpVsIhkQ|A7?qkJi*5kD6DYOJ}=sgeS6v= ze^3|BhdJ{9jRb#uu*LweL;i`+I(Uv$iDk|2$Cf8mjxl*xw9D20T2CQ$ zj532d3Tzr(8oM5>CUY>T9XvF*2IBAKt-vk+bWooi)jN%$uLH&0p}C!=4x-EuvYWmf zEW$VksPlr3VsG?M!XC~EUncvbLVN@X0<+Fmunv!&xLCtuZJ7V}FisTO+qzW^KxIoV zz5NVuFe}}22Qvv{#Abq3U9_+)s1z^XGFQl8Z}|LUkf%>7xc6emXHkbautAyEv3zs{ zWWy~0NoEQ^;!58?$sW_j>dzau7a%f;@iIwZyzLo+&BO@G zmgL9)p~xM8OsjZG`__=23-gAcXI|WNlcd6wu|W1RIK`6nNL>bhzc&QR-Uo3 zAQbsMs*=1S_{T&2vxxpx z-=olZQ57M790xm!s|4PHSp4sR_;$A=_lqIepTLSZ>h_-dEll7o7}|aZYmcu0J%cZX z`~*48jDby$*@T?RH^=dlom7XWRJffKxPM#;UR~cf*X01PynzG zNchS_)2@ENYM0n39eC28q4uFW2f!juv-+^ZAtlc0;~IBDe&m6cRcMl)pQSV)t*hD% z*OWYZA8SU`3s8>}C>Xh&cZ$8xq)K>|iPE=Uje95$7yHN#jFvwn*MW%&+^8J^2=DW< zTfUldEnpSujcK3s9Ysr{7YUMoo{A?`t*nh7@IW{f%?M~Z_dUuJ`9|e%NRo@!`nZVy z!?edk@)z$$Nc_1;7E`?ck0_ zR&)-=_g4n1x}`!V49&D~$8uF3I~;0Q?)$s5_YN-9eXO~PMdr$mm&1+R@oxi znk~xAEv;$&;JwHtQSu|%n5j@rLF4mD6J?RkV_T4Ns|LtuwS&!$jYWfoX|8CUAEtZ` zwUj?S>FGc$q0`1nbo97@4ZHA`5919haTL&{i{sAA4#z2Ph#YomCNVyjRbpk$x)~>i z-(e#Njh8zy!S+>P^ikZJ5ya8<&WFf=jA__yc9-6Ue*~ic$E2;4E{H|i>pM|!b##o+ z;46Fovo9Za`B{MyO@O3M-38wVjfgjcBjSJDY1g|XJn>tf9SYyjm&cMUgAxew9Z>Hr zf5rHDIBB-4Kox1y_sJ1^*ZU^8@ z(6$L)tbg{_I>^N8%5IeBo3TzEr zfFpc>$hB=(5SV&lEoiQPcG~MuF)M?vvlbSecH`)tM@bYI|Ou zzeJcc46F&1 zH>{bw+4v>H&(W|3^mYdx6%FO`V-TgZCU6Z#iKnl`C!vA8`2b7W7$Pu}Pc>k7B_PN0 zuir_A#p<=u9OuxpIYMrpxL(@qnw_| zs4lDf;y0~j>O3k>5yxOu&SsR6y&k_|@PM176rWur_sGR1z&KY(u8pDFm?g?2N4Q5ddiN8pIJjl_R+K zDg5x8lGk%n)XZUrz$acDfx0<=3d0s(>?7A-M)>H7-m%lKXv04mSH7PDoH*ZwrP+1# z4*M>Tffm+oM_f4Swz^}bI4#NtZ9bXs^n1}H_d;%&*|QsQ`pZ6l7)heBJ&xjXSZ(h|WJEZIm*=~0%F5{)x2V#< zcGxJ4kZ&~|sceQkk);RI-d-Di?cZ~=W7)!2SYr4rX#6_R7}XT*23}(8e5xBisy$Dt zyyh1qez@45jgP8SU)Y;Mmql1q-z})wOpyyTa*K-DcZ?nNr%-k6?9tS3$@dH<0FlmS zcNW}hX;etx8e`<0&V5$9qQVa?KNM-o#G5#%iY!tpvcWuZlSV|WKw8th_VD}R;C#gx z4+@!ZalGaGB%;uhdCkcRRwQ;@>*3k&zvqf?6u>IT8jS}_y>r2bTJ)%2Y7{ncEKC)= zKi)vd>oSovV%Sxf%$HYwjO=jhz{MD2JLzsS*!S+m`Bt|* zVnRvm`P#W0{CU%>xoV{eZ`Aj*V#krfGPkzH%*t4GoI{av+s4siQ)fu6mHGOVdVD~U zB9+7QP~>2x)&z`0Ps6&l+Uh2iFfZN;1;pio=X`3@OTcS4ordc5A^LYh&HV6KRY?s- zgGH9T4_j%%L3T>D1Ht^0?FM|a6f`bz*^$Qr9TdziU(r8oA(;m_&Cnu`MV2uBM3A9( zC;{-fv}I8aufw$Kayvle@618KSQ-uI91mah&o%a_qQQtE5Cdww1iU?h1IKA%H19@Bx& zj`4z7);;F2-j?cVR?|^y35v5*2r-L$dd!?de*m!CMO}@!JJGQjZc$<>e(fEtxK8v8 z79regn4&y5;BF7u|ex}XDNMN|oAd+uc~CLJV4UotV%voFt{PGb+VSY@vXc%Rjf z{-{-ISo;8=*<)D>+o#%cII24%cUsi24&+2OQUxkqJoGE}+Xfz^uSk^Vatef(e}fgK z-+1JfVdVGW%A%Oa-Xt1_(ZCXKMYN$lo3rP}no=ymkeUGDL(dhw8YlTpO(4aul;@tE z%M0wL$cBm5nR#(RUIT2$_V%D6EVVCzfJpWHuGEZTGU7l&U%~CCmGk%F?E!O}sDdKQ) zSu8f-6oj+F=2E#i>kEYUDQq+f<4Rcuw?T_9B#pht9N4#Tf%p}}TQ8jma%J6lbkYQ1 zf6LZtCi;_T0P?=(7eIZXHw4!;6x8``U=04l%+unpB|Ye_H5C(&HW(;CP@6O1IW$L+ zKPPLw>ua@l*EbC}=$(gZ&->Nt0HVe4yS9aqk*lkYICO_L(VZ1%+Wmx4vfz23&W+CF z{Y>>X0H&GmVb!p)tK8tKgP+e=D4Dl@Ydl;>oJ1TaUw5%7r}%|4{_QanLYgWZSr981s4!BurCP&7 zq1eX(>{EEcyHg?+?fEA*L8|tqlx2!W)Zlo#z5mg6eie7(w6j1P2B=;gD}4YmBPPC? zZc98J9g|?}NW8iqNs^jZeez|3$z`=;z0OwewW~w#+ZL6hbe_JjBJuNQ)DK)nuP2!K z>GvcPB2K8W0_2-52#;?CiX{uf`>&rWcw4$ocdTf>e97#`uTtyx;qClJ97;!zkEv!7oX+00e)z6E!By2>twu*8hi#9FErmKdQ5b+@M9S28Oe-q@xP zdi~047GSG_!T6Ji<$f)gQHp@5s08?kn$(O(z!ZZRru{ck^moc@%q5)JetoA8h(%8( z&~56PeX2XUJH{`?PLs6-+B=MK43RBD#T+>C7K+Bs#NE0xB`*=jhtkAV2mL`Rh5*9! zLs4!{3&y5Lir1Y;0S5RlMAT-&c0}Fh-TOqz^i!P7sj*@tn$H*VQS+8C(KvzP+6XIW zb!t-mc7pE42GnOQ+oL6g?I}}gnDZ_1`_J#{C#W#*VQc4&EB@H4KVe3I8DAiaOjyqZ z+ci4k)o$I&2R6xj7P~(+)JBPz0*eYuToC?;g6P)WWnAVNed_n0BSPVWiOulShG(&U=brM$bSDOk&z`YrC01RB&&+V-D6pyA5zqJn z$S3I=JZD~OMdzzUpFpFy7-UK5Ht?Xoo!&o|hx6+CjL+;^))?{qO4^9VLUTr^FU}8S z00+Scbf&lS^v{_00sQ3Y)D<9S*oC*=^Og(DHgxlzqxl>FbFL_YEF%Tv1>isY_!Z`_ zZLNnq1hNJiBK(Ctu|H5IDO<`H%b_InY`2)07&l})bFH;e_znBk6CF*gkUY8lYI9^b zvKV*-$u`?#vM|+c!n{03nsG@E8j~^X&bH5-Nh+$_8I3}AZ7+13_s|~xBKHFY;wThY+(1)EY)kk39ICaA# zKOvq^td(A>ta-bT+gmAy$k%H8xCZuu^|uzhHJ%NDk%9vC`j({deKNUa@1uwr;)ER3 zUSsLQdJ(+ydn-dic*HvOo|XkCjlIqMcFV)8uk6+e z%elNguTogN%@(*fS;U!qX9rA))8?Z8_yq#0svV4hgD1~d0Ce9HK^7(CLmV-0 zlD;=BzT-@3l3C{9-KO(#v-O2@RRp>o=zCqpV|=pO9?>sDBRY>t`fdmA;#&ekSN_^f0%8^S??XW$ zDGlJPhPK3N+n@m_%x^XNUACZd(&UCT8c6<*008~fEK7jnXZJz0!0WG)1>p((;Q#>$ z2M#W)eDmo3=vp$+Ayw9g1H>0mU+LeiVN)|k%`1b=DG>*ViyytL|UR-3kYr>P`|^}<0h%##(Zl?jlezhL;#_#&So;J6vXsyV>R0Hu`K11<n2x$A}=#G{14Wa<$PS;VKXFUm9A!^OpbW zzj*0=qA)%XXD*_1gQJnro9NtN_8OMQ9FBe4;I!%lP&uhu3I@3lZ@gJHvZDi)uC z;th~AOT;rD&ez-q{<(aab9^Di=sq1@exe}Ma2K>}0gGD88e~N_p}=ZXfSH9Q4`~}l z0ir|*AR2w*Q=Cfrtz=L5*i^J!PhdS!_D!Z?;tA4vtGl!Z8uI*q?tlaUXtQ zlr~f8wzs+@@S6TFNE*0C8pw5St~wSb-`K5jX;>re$hZP=5~IbJtD+l$6Q%PRZyF z+e3SNGqWar`#3~%hYKAzj{L;G(dNL`6?D4dH%kMQQhGJIe%Z;hQfQqAj@eBq-OFcx zu0>a-=JR1#82V=)|JMcjSGjB$6F7KWeC2=9iTGn#%fF8V1!#?^y!zb-ivQ|Z{QJN0 zJ2}-qJUrXemq4P4%|dK1S>7_)+0%3AuXE7<&`V(w;&1&*lT7=8^FmFn;^{lI*p6$l zLc$-t?tbT`u92&PMN5Be5sLn!S|1)he*9Q2L9u>$Kx!Zp5@vhCUJxPzyd#*tCC78e$12VrF7lOBsSO3rQNPoK){_%sLFi1&cmX}z6dAY|| z78e)U#1=RJklvN~zdqXkt~|J@~jhUfFaZAke){QSQ?m0&1%k=9E> z^8YJ=@Y*Up2;*W;SO3Gm|6do+rxnPYh}?YN`rlp5e|PKruMYbZda6&)m!TH!I&GlLo5Hqn99vPI+9n{-wA6>*D^l!T7&%}K`9ILAQA}08UufqT9 zY5vJd2u6W8A-N*>zay%7Z55sFr98|1vv2?VKf8}4Hi#2Z;YPpv8~l^E{`Z>)z0_&w z3F0btCi(wTocRAs|1THz|B0oa%Ow2xs}{h&4w=7uhJQN&7vk==^r8 z`E?n%3>Rl{4dH|wXiJ;#z5tQybu z=SGcSw*Y?j2GE$ifp$ur`M?8oMLEIvm+l7}G8zpYuIi3y zk!xg5UH89a#$@WPjmEgcd*c7}%6_TFV%(~%{_3v#uYV(LK_3-Gq5Ej5OvvHvJ8c(5 z8Jm6lpz7JTI5(j87(;2q#dH8}i=IUGNiQ0l3^ZiOezCd%*1<8pcCpu1v2Vs!L>_wq zO|3gYGoTyP3beGS(BQ!1?iXcfvv^M1={h?8HYpLJLyBDM9~Bce6aaZclL9nx!ci{> z#w$LJ8SjW0^g4TyJB@o5U7mAJDRYiH3=^7rgXqJxXbE70r~u8QzrQ>jcqwx_Z%ocp`gV(f*V+QklTLR6 zeC}WJVJm0d(}MfkuaL4M{O7ty%jEv#_D!R>qU~(|VflBre*(cM;EP;oF$v_R0wD9A zw>DgG{7P~j6ZviUvFsOJ=c)1s8!}#SfQYn?BWPF1N8T9Qp5 z%y7DNz*Qw7ams_zi-H%E974D7t6 zpLLqBRzIC9I{;JaJKm{4M)dt7==VpMe%lCmY}PX9isAwrG$v7EXY|DM@wtZ0WEB^H z|B0bbG%JWj-XvE1ys!n@f4EAbdoNnKg+WaC0uX6YEr)=s)&l(bp2DhC{yrXQGy9-jP|@Ck z2Gez}bMGZ_nNrATfEE)QU+v=tMX{rWrX1tc=+# zPqhq5!fbrRW8M0e|!eDAmg6pLucJxZJ8B*vt z>w`JmQn~~9jK08G>x+$k`YowMd>v+<~%&BU$60j$H&kim^2nWHo(MuZq=?h@fqVnLdI+2=u3Gp}L zF<s~WX$vTDj zcG!KLKi>(ssxM#|u9{sMTQbCH0D#UVV#T8-mC zuxRa`A&}own1}?5cz519aW!X<$n+|P@ne6iH!CwTmKLe&%ksKzVvM{y?}7F@>$iVv&6J z(v{iYP#gHe>HCRnRMDfw+$68%W+_k|j?-gHrIlO;Z35}oAiy8kq zABe-P({YP_qa)7XUtih37lC~Ulx8_{AGT6r^nOSd%v2LlhE-x-&H1nx>nI$+P$nduP9 zyq7kYWMx+%>7_#kpR`*#lt_^-&%VRM71^w_9~=}6CncnF=oxrd`gMJ*l;Q?PN60#m zHZuUUOuw%LhBDQc@aJaVmpq)kF_-fqiK#=KSd0yivafQ`Ub`TBMYff0I*#TY__^6I zSA?L+yBW(_YrX~|QzMq=K|GBQP7*YGS(Q}As=?A5&EoM3cGGqG4H_`0ISRWQj1=u> z2BVLGT%Nnc*xhbik@aVR!ySwEvJ<`vTd3nmAjq9*7o$04g=Cb2go-XWZKOmzPTIxlY*_ z-J@UmIo}FAP6n*ncDNV*k>qYsKScgM3Eu|;g_l)j$sUloAchoD;(UktW@@CN{an zK;moSvYP9SP0@Isdpb#5K!}s`?m`?;89+ zxFiY!tUEDj=K>cVbHyrh9KglTi#P5_+2PYMmolp1`MapZ(VC(7^WUstqWg?ewgYD%ZFpTXwk<62*5gr%cpIjQq!iZNXSI2+ zZOWFuB%xCLsi2dA`$s7v&XJPJS2xT@tHeN%wfjmN(AEPMp1%~8F1<+P z^UZ7YS*N$iQ9AX!R7yx*xxLK~12+S8$CKx(x?___xl;GG`s`cDfUQvaQkP0ngM%bY z>Qa70G*#EcqV#gs34w<~f&BZJ{UC1r2O9xAmNtPC{1#UUo+k2`Dr#F(d;S2Zft{Zr z)~htu&g^v^&D>B`sga*B`#f%2bMbh6(+pes8#-!UT2QiZc{26x1irj7jvjP2M~8Qf z8zC6r_;*1wt?`;m;ZKvggsfobT@({*KyW*6w5Y(M`75!{Bh^ex7+p)(QI>l(XJFXv z3zo1d&|jzvNa*g78*4A)shy8Mm8bBjN=@!I>6x;*81y7aVf_Bs?#G-SE#kxVD);=oX6kv21)xE3PLFY(#t0vL{{pZ+@7Cxt1roY4S|gzquFtp@Y=B>pz7ccxR-TvIUxHqcVQKMgEa!!qMFRYQT|;c1hW!? z9OWQw4nV6-PO0X@Kz-ZPpwkpm)#!x-Td+BR@Qa{OqqVkzzy7t68dsG=8(}D>v%EzGCE4n>BNT|4Lv?zzBL~w=IQoR zx-GyxN#x<|`unT^i1$`A=2iCO<>*U2Qm6Qq9w76*-Zr=vuD7G_gw$JO!?iOP%fX9^ zA9|@6{|)28AZNj_y8^@ZK}+H4er9J)N%c5M(x;pW(s1=5L|GUMuGO(~(`C$S<9EhC znGCOpE~R9=bt)4bG9LdqY3BSqJ;fU^M^*}B)&xnH>4;q$AKe=|t4sb^v?!*m&lmvw z${CNtU6kju8o!-9@!iKtCAVfmT<-mN3tr4ZK36>qc*2N6!zWdfdO#Qne^5y$kSps7 zG_V__gqDtoaAs7DUPxI)3}nhYK|7kJh2Nra(B-wk*Im-JC z;27^+Ywj~MHhS;Uo%y%e`S9SHOP1j3=k(y^Gr<@m)~|;N)k)yus9c0l_mRRW?d7>> z;>CCf`T(kv0)SFDXRnfRwR@lM_uDW`JBD?F0it*`}`mzJhpH+UtE`!F$Cu}USD4h z7cu(@rwn;ktfSzT)g!$lPRunBW;HmJV^Ss*&d~t;A4~eK59$DCRWe>stgj(f=k*gL znd{0x<{Us--4Z_;>kBT+=l~Fz(#M>!2P94$x1m=%8Bxe>p=2Y-@(gh0Wm~>mQ(y#Kv^kb&WsTB3UWc0I7{Np< zT&CqUm5JjfKAy7cHzcKHsyTWcakf0dqdYf+iO5Y-aLz_Q&2?WQ5M$5!)YdmSzV;3==uA5&6q zHCFOzJ=twF=P_0AC#j;wbGKhKk(eIqiY!K{1Rr2_pS3$gIQ1P=nNlW!EqKxLK?p0~o z0z9r(XtNGwu^GXrqOJpdY+abGsjaHU5SN|Nx0udW9J(zQzTHCQJlXGn%cZ0(GGSK* zimg_(yiB(-kJ_v-kSViT-tBBz7c}VOG?*dF+-9ps1#fNOTwOa<*Du85nD#bW5lV+! zQS6KCDif*|i*&#(YRuj9bk%NlNmEUfhlH~HjQpIw zG8zZnm7(!`QHDg8b%j!qiDz!c{FHN{k@NHhHDR#xHW$*kiy3ZTH?eFazreE3hhF$` zhr&iyg|K}`tr$|0{+S)U2h%FYVqV@4XGm^^4}BYjm85zlJ6A%oqc!zxu)FMU9KrhB zli+)#^aHT(xCaxt%!Kvfjy2y*#o@Q6GT`>Vb3^=YXNvO!_7KZn*`v2KJSd~rUbErp z#Nn6fNqg}GU*gjkaw1Q^HYBfYBR07W%A9%?TDRyOujwWT5oOIGgvA|};fp!;n79eX zSG=oVQsG`z{v3RGIOoM)0r#T3IS832m34zk2Z`@9P+l>`N^Tc?LXxD?pTc;F{k4)rCKZQ30yj--d5zTz$~ytNi|c&4b*%5@{4`-MlqYY9PL zN)>uBO8zR6f}7C0N%-l4s(D-6f_n^=pu8qh)P{OH%!f_%#7wpheNK!ZP-GKSDZ3r{ zw9nSLe&RH?ea5ohj|3`Zlw9(-Hu}byvY1=3-XK}g6k9FxL~QO_=aPlK8O|VoaEVf* zgm#4RrDp0!lH)Px+aT*a+nO0VsJ2LFu&&faH-W|ZUChxiDtX9kri(J+dGoWD!454L}in{<)zee%dZH7?~$WyAv4)>`_mGK7MKInBh{;dY| zImdszBYp}|SE$S3*A8H|LyCqZZhe=;yM@)^ zIPW4r6S?FQ4+}9!H`Bk_%A*MB5JUkN335*H=y13YOei0?SA4cPB}W+P5q-ox-=Fcm zutS!Q#E9W=DoIeTjPiFhe>kPB@lESjRo7J|mmzORbR6ZjZFh`=zp4wnt4K5~cb)hefB)x2iB_);!Gti>y1Yia`~%!PN2p8P%i^bTrj zF<4!c7<*;iRRI}$0ph0yv~61aBzPfT{aszhr8nH^(?bWvGd?}$Vs*{dUG(Cn8Io;d z^xrfYE2Fp4y*z@eRa!dD&nWc$L~v?rt4>{m%g$>A#J^D&1iOxa+!-3JH|ZVY^6Q0H_!QrI`yNdPQs3+&IFLJmF7XU*Gg>Qj+n(b_ zIbD_MpaQDl_r9n#$U}peve06#Z5m`x8~1aSQI99 z{P<+V%&MEK^C9t{0WrtE-)%eeb`GX3_2%$4_ zfwn{4r@tE@e{UXzBp9u!f9Z|wSB35WPM-aAC-xb#VD1`W`rKKGrkD^cy|GG8rY%Rw-2$CT5SsaB(AK$B5eQF=9_^IO<)A7r!aR&_Ho zUaW28MjcJ3-^o{R&5LM#JowO1=fI0$wPo|p%C32H2HTAL&hjS!sXTZu{HtT9t+3d~ zBKh`htw$>YD#v9*WKpl9VYjq0xu|7cahKPHb{JKoO!V-K1Y`fMD|JTu#zlsC1MWie z5!zwCLW)a3+;+e7CT%1)w6Vk#U+PD=`1xUp8S@PMQ0U_Dn(Nb4_qda4AZLmRY2<8- z6^C*6?E~37mnM5kY=-bt*XXs35jx6GTr&Wgu7M1pE!hDl@?&74d&qZvbO6F9kZX^` zfBlH`0iUlket$^C%jUNdhlx91>sYSBGFbd5#prJD)6^EXJ{N=(+()=9MyTVzGJO6i7y|-RknGV5>m^>5ZTvtch>*C zc06raLZz#3dfk$F_LTGsMuBO4J8Ywjt1H?l&I+|`7g zwNKAe^vW(<6K1a_V zlB;Nt#(L9LMFlBERoP(fI?{=v*?fFnSipQ;H7ba?Ls)eon+D;}JYY=ucRTS9eI$Ky zP1-p@Q|j5F&*^1M%4dP6&~vn6ViR_eYMr3ZTw6P=?8xWf!+p8yf_>$|Mw~EIt2brx zYs?fA&~Re8crL1+twbdRCGUD1`FgHU=izm|z!^Sn-;^rp)mQHe?Wx86Ws@ro!DJQGG2C}@(_|!M`Jkj5^%ZYF5qqx=v`or(NQ%1fj?;N=xjwmN(5Vy0AbJiw zz%VFro-a!cM9qZkCOIU#%esP#H(R6-#~d41#Jf=(PSqMWWY~*K@!sjvq1g~Ynl^+Z?a*WIkdd*Me6J+i(AU% zmHS>_&tOszH^df<&Fdc7p^AonU# z#a1j1sdtzXB*_}$@dGyV9tq?U_2y(xVdYv%RM)Y)>e)-{x+7(hUdcSIW;B`?`z;^h zjJpQ-u*$WRMx{X8xWjY_l0Z_XgbhI15pYnvaG-Zm%_h9O`0Gopuvtf)HOXMkF{ zdi-2YLH13J57H^hfWK5T4!>kr zlm405kTEcC5_AC^mk+eyt8`ubE?%AO7Umz->JnxN|VlRCE8p+y9kE0!} zl!LKdTDtL4#>sc1O5-ub;sqgXD3H&RY{tz>>wdJ!T=BCMp^Ouk!Dsj8c$hG7#51nn zY0Eo4i?)E_<6@J-b~o=ctTXP)o#;iotQp7VAdLz+h$cOj;!U3}V^}iqY6cxdy_Tl9 zGjq9r)2?xrGVJ`b@(EdMMi&l8-IqeWNOph}1Hv&o5JowSG|d3v+g8c96T@ zS@_hwjcVwi$X7pS^rW35l&p3IVH&hGqZdF;0miKQ1dCmG)8xYiM}q;2^L)aZ&uI=V zP0%7;7D(51%S1n0C)SFqy9S{!my3thSw+%qG5eV51?iB%tTLnSfI&Pd#1xSu56Nj5 zTtsskjLaQZ1i|=qt&K%VcqJozRZC=KDP4QJRU1ttR#_uC6n!LiZbq!1&L3|-z@H+F zwx<~i8r_-pX@E=<9%CFQ3@w3NS&rg_V2|F@+*1sAmRU-?4aFms%rq+Y3SE}PIU_rx zr$jl^Q_@(aZ=lT>%9pQCe;nNCa1w2hH1zNQB4#54@?%-J(kv7dZAPp{9+U1JWZMX} zwpI=9a4u5qotynnT%Q&Vn$-t$E4OQ8D<9X4>F-s2OyqS5|6Bj+kAa1xxqS+1zdw~gG|z8@0si(_pDRMAK{w$1$HI8SR-PDoeLf+(H?n97*4m^c^* z3mY)ZceW?*SbKd*#bJqv9U3RN-};D|&kH|wnT(K4TcZAqDR8G zA99)t7V0<31gC>_GlF!*Uf82EuAF=moJecur zv=a=Guj22;tqxS?Fkh89cQ2?6+aaWq8$k5aa!ieExD~DBzttr|%89RaKC{s8Y}?%7 zXJ|Z_nnX-)#|olKVk?gX8Rk5OgJ=_CwbS_tKXQ-1Gut)BqMo%A1f%~qE^KE|3&EmA z!-^w56k_|dFED9nt*^amB|%^X0jn6x(yYRAI+KrKG(G zJ3}f0U;1!Cy4gv;pZX%wXBNEI4ZNo-W823Rgjhqe2R$bPe&%;pV^L+CJrUX7duLw9 zj{DmD__Jg`EySNm`}we4%aSdSoMd0Ugj=v8nrUlx@BEt}Ee%bDg}l$Q9d%a47Dxl*cKOpwF5UuhOE(I%ON9w`AFjUgdH#9_WhyZ;9dDxLzO0$X_M*OJKSO!(v#$(B$04Fi> zMf=9H^Ly7j#FoMXMaBWe@&(qV4nYk%tSY;?7SfE*waToe6+GIH@jQ>3$r=5s9@wJ|6DTGAviI5^e9AH7>O6ryaq;yqAJdCWJO{kEn% zb5(gZvZAg*Sh0ZuJWH9N+MrI;pf&J z8yXWcFrv1x=Xzzx6~XL8%bkxL$6rYC&WMdV(Pob9!X11_(iJ(3?`ATjglgM*F}(d* zS<(|dn6sZ2kq(oM)v-O}3!^d}VnO@wX4o_Q1sTpH%TA|mo)8#?NzXJ3-lGbEhPo$n zFL-5oK5Oi-$AUcH6iJSS9p$*W_VA4imG^s?;a(mXBDHMcRN%4pWOk98nC^7RZWj%k z_wr?+p3lMyit%dW+*oteeEds+X(_gY!nB-xuRmh_TgLHw#pFNBGVl8KPf5%M>x}8W>d0=mi@oN zcA{d$lP1Rv`W0)ABQEsTtW#{HNEj58G?tqllaekv(u!A(If2*}tXqVX)3P!2nqZ9oV~HB^U8eeJ`y+D%)S+cIIm^d0Pp!bPKjJZ$kIU^vAz@Cq z=gMtp9UAV2Z+Cx2kc9qy48@9!?5FM^p+=L{p@a^?Wb#2zS0VZWG%9D*zE2cKS$sh9 zG$-8{l3I3`edKF=ac~{9;00^=F8^)I`;>-_p?LTWW+rWs!tWLh%(Dr2%}l1ES|MUU za>9rwDT-iQA&fg=8fU|izPWa{&ZC}2zWRD^VjxvUhhU~Am2B(M6^0eAW83ip6X;x0 zTm_Bmlq|wt_ixyeG~p{pq+!cJB}ciS*_6He3F6Etj(@8-)Pt20#`Qqzrf9gx;5PK; zAZ!s-G~eykQ$nU`uZ?`ge=P*mUPD?}N-v=*S5RaUFND+;=Z|oTaj*Gu`ofRo+UJ6= z5}hNwIETeoG9p{J;FN?wyi+f6!s38ibqVh>L5e^+7GPAW<) z5#gxT?|WsZB)WKl7r<3^9ThijbhbbxCA9vObYmVRmFD zx1T_}Ehjq4r9=~y2m=|<;4_H#_O`Ed->m9l>`|hJUdq8$tZz4CxV+oy8-VL_$bP^9 zdz~$ryyY-%1n$5{XPitLRS@!)H4}u32O_e z*6sYx`APCZlBwP~Ao*&;E+S=O<@niG?*x-178sa6kF!%Ub%r{`3dKkHAx9dRNB71Xc54f7M(_K% z%bqE=?>&bXFmG}lTvM(v%lT|s(+ll<8L#pJQrXYFDWD}Z9ig72puHHs`+Xx?NPQ7$ zu+c<0s1*}avPSpzt45kKRoFJP&rF{JnoDP^lgApi5W#iB(~0?~w2N=B`SJu6j$Q9k z$dMPzHg|4MN4quEvC=hFl^#MY!gV zRq+$y&Ix6Xm15BusDlLQ%?ny$;({M2MtkBMS}~PHkLTn9Yn;>G7iS?;q19a}Y$*F3 zWG*V;{q4R3<+h87nR6%Phrp|}V#6WI4+!oD4d+wZHxBG5xoXt8Kq2KeWAd~2JS%!r z$J`2x9D^9gWS12Q9$J_T^)YVA2yRHy`+%HCj!FsXK69d{+~GRh=XX9}cczz3-DWy% zvR6m5V)g^K++JZ^b4l5dT9AQl*;RY;Y15a8FWScuDQbqgQ73`|13#&-R$ft;#w*Jh zH8!0#qkG{JRrmzW(r=&j%;(K(5Lug+IwZNw2RYJwt^wG)8jI9H%V)g_Q#`&G_{X8v z(&roWVIhv!Du1SbngTU5ZPCoOhCo-HxIE&a2g{AqO#8>?am*v}a$z*~oioO&uF0e$ zB&jyJgzoY|iRFv?wc&Vkd*db=+h3{LJH%vC)v!)IcRPZ&CJVd?YIF|uFPxzs6I9OF z*=K{|Bx`*$o{lbv_<)PsPiTgJHueD*W3BEQBc~0?^w+(%JmmG>bTqED-GaqqE?*++)Kwo0 zydFksWJfwwQdGorgRcUAhVSfK7; zO>+1|NO}V8bpe(hhVQfFl5D=&uJV4vJBJ>Vi+e@V%Nq(}MG3Keq4Dbf#A83nt{vk? zOJ(f;4)~DRV^X#RabEPFy?IE4{P_SD#;zNq>U;Qh`w1vjJ}osh)eHYj zduQR8o-F8w{qEf}3&Gbitps$Ag=v)Ymo(LS=Y^8l1)R@OyIJ9cM_d(9PVe2-9Fwg--_vZG@?d@>%}O)|5yOb^4D-MONSQh+(-n@}h(xBu;RN$_ z;UN1z22g7eHp?QIES;hEvSC^^4(8+zZ%{THq$F2mWD2W#xH(Kk*1t$bWYrbUe{a_( z#|+O4rP2fJh|7Bwxpfg8WiXROCpyRBjHx71cm4ni|Esn<0Sj7924xZ{FR5=Szq6qd zIcbh^Zvdvr@C70{%45bZB>9;k@9J&b(PGwlNH5I^xe&(EqEHcx%jWMp>OTlwcKc;o zfi>=n5YmWJG>mH0WU`ZV1HkwgeSIu^&g(ve2=fsRBBFL(-&prmiX^)4jjWZJ8R z`SuQM8LzEOJ}{aE!mi$|IBGQys{`U>_u8A3SCW9q|a5?MDQh|EbdDT%TZZIrBsP~4tpO=IU_a( z?)SOah4)4Gbm~_g8MFHdF(T`^499qH?L|ZFw z%S&2eL&r2O7*m1ZCet~iQlK#!0{^($oPn+0KPMMy6@|Mh(Mi-l_~Kq!ziYw&;q9%% z;@YzG;Xp`$K#&mJf+V;H*8~q9+#v*acMI+Tf zdT#g3{KLaj6z811&z7~SZSZ=cjrwR>nk&j3^AHhotdpH2gsacPvLiwPN4sWv z-dYfAUh_PsR}fNfd4gWF^*8Ycq-MNKjlVMI+?8+IXm6}e zX3S8NNb}mF4oB_9uHDtgW{L+lA$4=I%h+4`yh(CHBgEnRPIJ%3Iuhg2r(T_fzoOpf zyHiL#w2Ysc8OF%fBs=tqfaF7jf4HHu0 zDUJ^?)>TgwLwm;cVMQ&(z`^XV_{!;XzNnVlSKfej*yFJe9wkKNc1HX0n598}x*Bf) z5xE9Ep-;369gdk*=HW0{P01wx1%O%RYEYs%QZ>9UDz1wbZ_H+_TPKPEDc0&J^Azb# zOZ{zXS1-DH(hs=1l{K~WR#$CsW53KU$r~9Uc5lQEl7K!QTNuQTa-tdGMcdON402pc z26TF~Ndx)__mMK)Mo%u7qu2uJ>>Fj$8cm{Xydv*tAkp_gJ#TXE^_mbRyJIdnKeP1w zap8#=!LP$lnv%19P=mR_X^xQl{i+cG1g7G+c2YzAMlMQq~ zA3u@4YDSN=t^f90ZY&@4=>0~xViZs;gIi|?k)i=irnM**=1z-k7sfQ>Pee&kyC)O5 z5WDcJCeOfu^#dbbZ1qDGJsQKGrUYZg3$i1YIIYqqnSeVifwSOAFVTw;Fkh^gfex>? zSY$7cdhSSbTB`Vr5xL<$pE*aP4wGZCLh9Z~ddggZ6kl6U!yJI<z_gkvUD5nysfFOFDu66@B?IFx`}WvWk2Y(r!u)d>w)}7yweZkY zTZ=3A>7|H1*%_zWitS?@-XyA)b)MYU(93RZt|5|)-Ivi@G)6(~0FX}L=0HMTQ_%e{E1=D3k@<0N}Hs_g-j+RaTf47iXSo$W_YF2k&2ex zUKi`mt0C2kPz*y z$HdBRqywE!l}r&u^Q_TR*H*neY1s{F<#!~U)v-_ibqFaXR=&szy3b!qKMp>RWgKie zj}h~jL|ib)yRL12#Ju)f^Z1fwMF*GXWX(s;&-H|i>t%^_H#NyXLc=56;SjFO)x=nW z)qeWB7yP|h_6F)R^-RvR?f3;rNG}Bw<(}Llr9XSV4IR6>-*j zf3qt}Vvk7B2_!~cw^<>f5~@vs_Ku7(Gm`kGmpraq-8XjTJ!rm?B3XqF@bNtsc8U>P$9?|sD8yE-JT~8zg1|d+|BXCF9xuk^9hwaqlI3Vc2U3t+7j&|BdRE$ zP*1&?E}<4?r2N@ek>nK9%E>OW1FX<#bBz6u$gQeXv)KstMQD!_P`WwHmisUAAY+H3 z5U>kFHzq&_Vv0=n7x#Y-xp-?G&hV*C$#6*mao?FPY&vrFM1b!gO6tJ2Z2hZFzrHl0 z<)^B9!N9EIY;w$OLG04kS{i|~TlY5U%wS2HtimL_52zbjUy{SKe(1PHNY%1Of3xUDB6k`J=OqjEV z#q0*P?-ap66Z|ED{+U?!`u4T$vL2%=NAUXjEqB?X!^Q~Jc9p(5QSd}Bi@^J1Wlh?* z9c%+7bxQ;=3_>Z>c+_nNU#N7C{}70um+$^+ok5h`;7Uwt>%F46qoB)EQ4<7}!QJx# z02DbiCVVaPyyI47jbZy#eV8_)X!;yh7+V0&1b?BaZDG<}HXtp0qfrdy*aXh9zpnAC z>01iwmtjUCI1Cy}I2ICn&<=Dj08ENAxc*b@BceLQD~A+A0t-}|Q{7W;WjstCLBS+9 zNE653)@z^Ndy82*i=urGvC8bG-UTlZO*UcVAy=2#1jBoY>A_-+FNMF zdn#h13o`T`jW;nR-Ha@=!`mU;yP!V2V~H(Nv};EB03fT0dm+z zeTXn!td3<>zZ&??we17Rvio&I`Rb{o{+ZMKw4p03U>}#`;pFqaoOFb?U7fABFaKhh z545Z$By7FCt%B=4yb^pUwbB*jfJGND0F=f=a07=qg&EwumOffb(h;tK^o~Nc><#mh z0nDciPC>nd8*VGq8_+GEY!O^Ry}?f$Cmm&~7&^r1r*Glhua+rUTe*_QABoFxtlyJ@ z`iPmz23(yO`-nlRtJ?lr7fGwGCCvSIL-fz^aX^U9!n2h_?#(s3h8Ohc8M#2Zr^?|3 zi`Ggkr$~wo(ZPfbNf#y!HtihX-m&X%XY;vBy>Jji&R_rST1UkZkh~6W+KK0iBU6f< zlXo`xVx26WdVoP>L5bmCz6k8~Iv;?t8z9Z>Fbj+R;t+48zXXNT! z`MGHM46@tX%#rU+N#-L^A>?Y8J3kY3t;4XMT9a8~P|FU2dD_F)WV z>t?o<)Rug5Z_*pg$unx_QPy%1+JOT1{3PyjTVaLsDP>8)BaOLXtf%ju_uE+Q<;h8p ze*wy@Oh81d@5>jaZ`t;;!fgr#u zc541SB6Sl`{V+^?w*KVgCVsjXZ}|7%Yj5OcfEkx6h{__+t%aczwnh{#2dgzC3w;oP zfY~(I;Lx^0KANA=$3^;$AKCH~8-P6*>G8|J%{e2IY29(d2}gYPKqbxD&MimZJ|kq_ zs;Pv^R`A7iWeQm0Z(0CRw?pZI-aa#gBM1P2*r^`a(cC}9B>aFuIpB_SGd`tFRj6!l z;WIuXVac19&i-oLc2z9dyxn5ym}V8phFIZpytWo~n&h1bP)NwGaCf;rv3W@NN8u`) z0&^Oul;eN^z%gxB*;~fBDhI2l?}mZQNfw4eKT~%QQ{wUngS8Y5%HX7vnW?MWY5*?$ z-qUfDSW>rN8Ea9ytj2-A_5^+)hFqz=)Gtis{3Sl0WS_Md)+u?04cjqEvh(&U(JMAE zbMJ`AwTDnUMAu+;d1f8MzyZPrVAo9zNlu}mWyKBA93bYFwasBHsohGct=DnEai zXpK$o1+ZY7k#HYd)SX(b_8mURrF7p-1@tmKKpG8Lqy-b2nRt)8vCI=zC|I|}EzA(z z)G}I6D=Ng|+k}Uq&@;Z9I)J8Ij1e6H1hU`7iEKq+^#1YhrN#&*2IH<8E@bVgC@yRu z6Uw86)`Y&EmZ|~vg~7u^dBPEP=_?F@uWbgjQf7O3TvO6EReK9Y&_Ze~{TUvsXBI4-^GO}Z zw|_v#-L;V<7WnjtD|gu0)>}P!t)lYvv@URtoy}<7%d!&fopFIfz{K<#d{{fK9~{tK zSRSw|KV6p97)Y%Ha0+csvcwb2EtLbi&R*UrahpR5s!vfEBYTnfHqd&wwzD(smGcmL z#{t&$q-YB7MVxIJZ^jR?1H4q8mb|<;q0^RAH&`;Phw$|%yp_uXf_d6}H+XkVr}^oXf^sgh|Y@`xf`OJld^HxXx#NjVoC6p44=TGZ{H>6VDx zkD<$MyqDZ|q(Sr`+O3iK(k3T(=dh2ldH4l|G2ars7kjG!0HrjqtrG^fD=dFpE$HYU zH;-Dv;^4TF7@FvcM2DrVg0j4?Pa>Dm}Aoy|(XRL$m@Y1z7=hv+9z&2u#}nPmy}5ylkO?}P282>NMDj$S?$VB^EwdO^^w6LQl)wzvjJiQ zYfL;i-CQ=eKSbl#Dl#g&U7r{aeZv&|3DDBJ9&d*5b*8(A#;V_}d!G3GlrtmsJX2Ub z`o`l&cHlgrAdY?9@z|JEgnGcgWF?JfBHNZzGcUDFt%CfO?2Pq5noRvjuzWoJaJ*?U z;IOB=A&5Ol%Ud??30Sl2xJkLyPftXc6t9aU@<4hG_8E(0siyY>w3+q?whHO?E3G&e z09p!8=IP7#_FQ-I$Zju|0f^cR>zodd(57_W3d8LgEl%Lz#-++;5N;=1mP_h?F6Q6W zftkhdx~w{&VALpk|FNkTP|Dw#Gr^-c2^z;D_iR`pJtpHw)<`lT@SFuoZ>mMHXZpc= zoA1rG8t&G_~v3a>)1bAh8e zw!u9g`Ihupl<|hW)8Mc80I zTwEN0xW*dBi1)F<%RzjY2y;!vA&|bsDs9+GuA~lyyjlxc-vH)P)ru-Xy`B zi9Q#QacQ~}jxc>lE!QwZHbg;|`f{}1=%wv?7Gp))mNuMs1GO9<`qZ(`slYG5!$O#E zVl?K0t<~BMAjnBU0)F`=(uG(W-&kd4g&F!nXPv-O9bcWPMq!o`trPrf;vR>95pP&R zp(e-{jPK}ayw|k@f9FcU5QKuuNWaBk@F0#4qbqfKUM{LS?R;Gl=a%ZZgN5Z|wqU)_ zYgLngLkMXL@1FCX?%d{Cx!cK6+y2kZXj z`Sc~E@f%C`Cd?xpZdPBK3qZQec`eP>usKUCM+L6~d#6gt1Hd@e5YP%xcf!>^@s77L)Wm(#bem6kmZj00B zEduKGJ7q@8ZlEBG{4vVSEf{1;)L-ayMc*Wg4Yl#1h$>j86Pz;EbpSCm$-aCv7!_@u z%9trk+-p10&drQl^fVaW{XGu?vnseaV&| z5l)zh;9o~zTM>0d{i!peetVG0iL9#(aq2cM=J4y5Gj+o|O6a&#!%lPbl+yRFC;qXn z6j`V>FS`63i&#ULCD{14sy)g zG^oh~xzWDr4?Nbg9~H$7fI$u&4eY?pNZr}-DAt=J@JRA7r%Xo!C6PiH9Pe#1Xey~q zGCjv-ifb#;;OSrsD>@FhZHH1dy@0AH%MDDOr|qVw?HSC;?wB42D>xVzHPhzV`n}3& z{PBX(fRf3VW4>vb^wZ?D`QZxMQ)i&CG6nLaF^7Rsqx}KvANE_ofrfGF2ReB$5M}TC zY~(b%v~FZEct}%ncK5?zt)DmzZ=uT%UJ7p%;k+;G)5naVS`MsHbt(I_J8D(Cz&BzY z$$9hAoHSOluuMI_&}1?MmjV=2`OscB^-i`a?D*{04-#;f3~9?l5beemF91fK0B}K@ z=kp0b31L&-0NN83o$pAf>u8@y$cOdWYlTuEo5Qlw(pAw*LU{F6m@P|2MwF-l0^=1f z+H)N%qGyewkvR}VT<|@+t%z!r;7whoK-e|G1%iL)9)ptj>a=VWC}4?##n^H-)_CuC z7u=S6NZxqO1$Uf1byyo~t^mQP4HeV&v26>#X1tNT@pbSDYT)u8&m6^Rt=&#jXbKb} zuyn8xrp{V;+<#zG0id$H()r>-kkF01;+LI;$=2#lvs-vu_jK$dk;@pHd5d*9Z9paK zeaWddYavuqEy5xTQI{2Wtlhnd5Lqbm93sNaSi`9U(G)Gvvw_E8WU5qogx4S#vr<&E z3(uH~(7ew%9S%tbAJ(0n+S~_HtaRne&PG;>b9N#GirFgk%rgR zj0Ww2xNfXhxCwOxWUTo)#PI;RZB=3y|_!ZaAY9Dr5u%Z9oWQf14Y3$Lx0*d4Yqc0|WK}CR6~<&8 zBu<4odM0i;GU}ihx9Fhe8TDJu;jX+&;AOFYo~l>yP~bugH5G(0HvCUL)aNmvFA>I0 zE`qp#x;q+64{Mfgr#dIDM$d8nAO^BlqrYkLK@2MAER{>6MrI@T_$uKER zZ_%g55dr7~nL)99fS-qU_K&BAbx1wyp6L%Wc&fPWRrKzB>^SB4gm$d%&mEHv7yO7_C_oTiEp?c@=@0e_);jQ&HzUE#1?CkU$!(j%0)i%;llc%mO6G& zms#+G>xV-++XViHyy-)umQbFly~gq^deI8@e)>+)3H%+bFIok9D7Gwhc7XB*XISm7 z!9q~A0NERH-bc=$a}%nu1`$T3p5E|}wu1d1mt-B&GWNQ)s!8+(`f2w8O)9#^M#fY1 zYPt$O5a7WL7fm#$zomqsU}lU4+C5e9q23y~ornUw0W%r$QsvPzg)|3oMz&3PyIVdj zrMEt!kXeuejTVqrb61a=x^cy$)Pk?()md?04lvo@3*K$Zg;j=eQEK(cX#^(W(qmm% zKr~ne^=i^^wQSy%cyG?x80beu%P$=w`y3e_7ph zCbkpU!1nl_I>WY=btn(SZ@FX(oDa`43^}QQS#+f|1GB7KzrcoPL~= z0!+jZ_hiELGuiM)!hz=ymZ_}aY&U=*xV;2ksZ z_VS8zd>z$9I?omHmMw8yb_F3sZxP6h&nYdG#kzMp&LiuBL8mqnJCiojG7O<`+0Zqf zPbSqxT+W;yIQeWPz@rWHi!6+5uNa9s2g0vxb-*2^vo$c>A5sQ~d0jqAb{Yo}q?r{E zbUEWa+dmVIK;<~YGTbav@FMK#x#t7PuJ?68=7&nPdn#0>cjIUx-MN%=#oE&CrK0k7 zOUA_2I)C1iDG6!%=8I+>!w+v2Y@RdoZ#Dj|7IBW?^#EO-j(CEJBQ&u|xO^o>Hu!be z7ABB+v=BZ2oO3}Qi8Tj`d1J7U6b5Bk5>_f3gwadZlGsRun|;t}qybphn}gmeQEcGo zL=a4}0GKD*R;k4pZ#mmxVwFbpDG1bVa)(t{Nk7*Y>}IgD6$JMVGF^OX_=%7yZ+QB) zMT-J7Z+_qR(Cm8p$)Ts&fcB~bZVPwpdI})%+xp<)cYa0sniFV)I`XoC>&N-DuHXuO z3hR$MA!Y{bW*{~_x~qhRG1X*7z4p##fS>}mqW;@RwrN+OxWJjJDY5>`DD9>i$a^*_ z79awqzI5Hf;|;3)*p}jM%e%4`_7vEc237%;6LJIUit*Hn)yj(mnVbd33$p4t&kczU z&>Ckw(DgBj`XPm;<4Mc?J$EJpq%JFPvPEojuAp^Aisu{XzTiZXNPG0M`nAwT0ZRU| zG{?D4rDiP9gsFf1)mKqqvEdZ1F2p4qtc|TqC+Ot0u{i7Hm)n(avnq1L%Z2||9nu|F z>)74VTY3VWrv>t~xT%+M!PvQ*8EGz0c~S4=fJh-_+~nS|d>nkv;ZecJ=i2jt6jln2 zDmR)Wl!^6uwIYSSKm@wle;}OlzAzmxS0)-1EX3*k9MR7N1tP_jQl>jVnQLk|!crE{ z^m0c=C~9N@OBR$<7z|KE@l~ee2M%&qPhWd5ekwha+`ejwMHr7dMI&bi%bl%nUxhfM z423(eEUkcY#G3l>Qck|j!T2{k8I>*;K=AS@IdGTN^Wpun5NUK&`VW{y)zsun@g%Qb zVZR7AfKWJC)r%y=8y8cMK2W&16-kD{@iZ36v;kQ>3vHE;t6n>5Ud@c*;(^r@&p2N-h%0rN1Q1rNMP8w90>JULU04{sIkKgr)F*(RCDl>TI1(BPSIhBZ zQ-rTJUfsUcljswt^?*dEw&dK2OVjL|eI$|NAgm|X6zRA5pxYAdrrIph{q^=snDyOo zS9ees$MNdMpeH1XOA~+CxByGH=!i?t(X9;=Z>=nD6D_%<)1D~f^*w=l5zj=_ZC#^L zRyFu;Keu4~hIl<{pyPvavks?WUg$+mVdINa%!E4=-Nu5)Ec}K8I)}FEsTIU@yi>aZ zso!m1MdCo=``wa8!K-*-t1f=yES7Y`+eGGX%o2KgxnV+#qmgUDxbun^;}09~FRrg` zQ}{%Tt$?K@)%6qMvK6257DH}`Lpu^gW9Nw{`ewa)@|T~q5&%+jIx~zXz;?Y!ac)| zEU3wh%8-s(=t{Z0V&Z|Ea086LV0Q|RlW$xD3!FmcmA>SJ%c#$fh! zE(<&w25_Wd4IdJj#i!+VUwgw&U*?j2ugQ501Hbo);%X}qy`NYEQYEOIOD+c5^8TJM z8@l&rEKH=PLI{S8ZMP@yksfzsuwv5oZveR(9i-trh*Kjdbo$#6F+h$>=4b1zCdUY} z;dNxj#il?#PjrCQK_B~58xZX?YHlV#WDvURy$iTB!_#kHokjgLCQ#*D`Vr&mF-H`B z@uVWlYaW*6K!Vj>n_Qygd(L6_|a3d*BCoXCANuDeWY?KcmdjikaMq1Z{DX171Pp;i z4Nc9fqiS)E4Q_lqZbiIIq<#r+4X0^_Wm?<{do}?8^RQ#~L#>nA@Qa8`>u?l&<9Pi2 z2fYYLf9dj2YvF+_{qaKwz^0vIhm;;Z%f+VH)i**khsXr!Z+e zBE!^#FjxEUf5k&n66Q2LwO{zT15z~pIM7wc0|M>-ZioDHx#wC0cuh+?qJ^2r?=$gV z)lZqP5NxCuffdmVS1b{OQ)s`o5uI&^^$15&`n zj2eW3`Bms`$+&xPdw;#{dZFO8PrV=77 z0;&XSnG~G_lye!r$ROxswbqS$Bvs_F)mxNr;F`M4aU83P@Iccwh^6?nh|znSJ*5Pe zE7V`>4hiUcMQZu0T7W$)#h@As36X4yYv!rBK&j97XYdNj%(-5pPZd={VlS%ZT?{nC zO-MGs6OMwa`D_nO!Z4+F6QaHQQBEHP4~(HZraXw5E@)XAXPr4Tkzx*AWxQBI*9LrT zYx47Pk+{eniMb;VM4KUrlS}*%7pu+?T_JrqCN)RC*<|uo|EB8n(}+w>Tu_WKSWQhC zKBfl6N}sMet@`>{STGn*RevE2CPYKZo_Uw2y91UW-RD`yx{+Sn$<-$Ku-;(Bg?hn_ z^q4InlI#l+WD!#{JL-GccgyVb{LDdlo#2$#yf|g$zi7gJ*wu?5bb0uTji9J!7Udx7f=*!sn#TWMJH{mTk?dPo{j+evU4pigI+KEu zmlc2*?`Qh#ANNA2`l~ZZ1VSYDlJu*p$>R@L=AZxN;2<19%o=R&Zu+-VdL!i#(DDA$ zy59WKDI6ui`V;vIJvVe^&0~h)pf_;H-!Kz-9L>_|mx1J(GVOt?Qz`V1ah0f!@beZ` zGAqQw*c?EGh&GcY(!YJC!ho(pP+@^TWKJ2`LG*i)3n}J>TXT_!Ys}xe>d&?&@D=bz z16O2bV`9#Zdr3JRxUPT%cWriYGA^uLezGe7Xakk&^QuSC>PC*F5d7qe?>Z&wRk^`u zFr{jkHkXSpAY;sIu~1)e=0X=#I~Kb@^PdDne=k`0eFUNPW~ZpX^rwkebtOu8dvIbx zX=gL1viw`LzxCrEcgpXt^q&UqK9>ASnWswN-j_#finpeJ=>&OxxYP;|AojgO!6Ak$ z@m*{M7#aB`bsDaK1|Yom9}7tPuDhYWCM5s7blAdS2hNV2Ko6)6B? z;*Y-i=eD@NJdEDPiy5~Kqs7#JRVV+?KTRP8P!4pYkC6PIY{!4~7-G!8U=Rb)P`m$w z9rs_|kW!u)xMQJ#sr3KV4Vk|nQy+1Dv2ImQ_!kDjf7zBlpvD5h4fT;Kv6KNYF@86! z|M!0N#grEEZNv099r};0>wmjp$rBKV0em zm3IhS4B)|L6@~RD{_nlF|M!V0!rF^jvbsi`XKVY;rYPukw^aVG76Qtjq(J|k2NhNP z>(XL>Zp^hK0gK%-Qq!uD>i<%*fNWML z+I-ZrEOBdWFXvO}YTH8;r}!((D*AtRssGLjaOUR&?|t{(EcKtZKsdCWLUkAwtJj+C zl?-qAqFcLw^B=}{|MY6V|H7|$;29QUPWk?5!0CliGP|AqD(^z$ojAFGDP9AP)P=Qa zWf)F?2Je6~=i-~z$s$$G=j-o~CG>v1;9Ar4#sVMkmF^>yKHOFv{bG0+b#i&EBDc~D z+1H^usJn?R>pZ2K3P2Z_!?5yhzo>Ux15^L|-RT=G1x%f2_rsxvKU(m=V$2w&Sat%? z=`O%izDq^ZQkl0Bu&*cw9N*`hT3G=HsPgql-mRt-D{ml-)d!CJGF>k6@GtNh5r(fu zz0ozJ%pR}@rgbglSFG8VhpkB}6d9gaw>Al++We@TtNjfl^)IgHfBm;Y%Ac*5>T#;< zjDPe_gy4n!+hJZ!K(e9?W-#(jY7`&^vY1Sty#LF~#prBRtS!;6KOAMRaRibX|90}Yl2yTe$_}6yg!cm%d_~d z%B++m-~>49YEHey()GywuB9mCXJa$Sp*dN4a^SvezFYb~Gq&@Sfw8TO#r``9od4Vr zdNUY!>}E>Z8UT%J-A7NCD$^TKR71XHuL6*81x_yO;E2^ObircFCUQ7rRBL!C+=Uk; zZFj0&yjT?U=eotqT%C3nPX80Ty>AC4u+`{|U1Dx`uzH+yAokpprX&slz!GMw{*9xpN=R2& z6u%DdRQRkD?*U$`?Sz8ULa?5Y&HOJ7-pOG#U7O z^|U5EP*|3qLHZtiR_?Ldd9;=l^~4{)_n=aW>nwb{%b!NElP(M=AO~IGB}Z+20#Nt_ zhnFAf2L;;3QUy8dcyTwMOpLF#OzT=F#^1Kf0)qH=5E7C%vMD%DM1qVSwKwZWqlL;0 z>%Kh~Dfi_g0@sut6;76V%NBbBq`xfu@C|+J zY<1o`Xd2|n*j!zY%NUpwnGzveOa z)@X0$=*C{Eb3jf2f2vexaq2pS_h+qv^D_hIxe^I*qnzN9(t!Zu)Fsc#Pv+eeNT9-e zIC2?-HlB{x&3*a(Y0cx9rn_AGy7`xg7uUw={*LJ$Z(m6_8U$&-@n@NjU~nqAUr$Nt zcW~vc9;%%W@-!mGy-0Jkm~q-0UX9q4^H;?Y#GCRsk|oeyyoqd*L7fkuEuFcXO-Ap+ z-6fc2htF9}$;mk&xB8!%1$dnZ@x{v+_mE4Dmoy7I!0cSAH;bkC4kTIr@eRW1;d$@X zugn2rCfGyNPsfMw2%?iNWNm68_SXEnv>}?S)2om&pH9xxOpBE^kKFM z{a1c}bJY67*^)cF?@zL`H)Bm-h+o?7Ygeo`ntM*x9Lx@}uP8p{G?nCtFeyhMo}oG9*Oqe_e0ad)eha-_PW9A@9-C1_bbBc-0qReZKGW7C!g^heu%D-5|}y6@+EBG z{(?e?%b(M_Z_K-{6}G6*=F0}$s*|+6Vw2ixxvkVXU1&SQ5HeUVUNk*9NORs^^%hIt zJniN^{Mw2&T%%zSo?zd3v6Q>mtL z)zE}DA0sg$+D|AalMZ?7oYy|XQW*G4s^|8}{n_@M&Zbzx*sPUk7eDSt|kGD(qpe44WzBi%cTScDKAUD?7B%;t@AxL zw?|nm$Vt4;{k`aXl-M~r7lCPGmq(C-IcUy3?>8K;v+UxehYp29_l|w04`tB_JG&n_ z>7zH4PYu_GMv|cfget1aea3RSuc0y11ll*J*L4C^E#kVR(_yDoo0IbdUe@X|d<*4# z5P<7Oqp9j)%s$l9qs$1MN8O(AP6c{czBloD<}*#-lCeY52q*t#i%6Z!#C(#e4#w-k?yF60A=a@o| z;1DqW^&hY0y)R$lAieT=1poIx+VQEszh5T^f^w&j@$oGzRDM8-qF5N&C@-jYck7cW zYcazvHI@c+I}8A=CiG;s8~Su;DsSr#8$tGICQ3D{^y69wQtnQ>0_DY_uCA@Cj!^}> z{nL?I|2@&y)o~!rxk|B;i2I_g$C>$E{|f0NTFpeF6u!#jOox^?jb?Sk6$P>lJ>!I-DJ4Q?$c9B z1GUP6YBI+s#|iFBI{VBEaxy9amSpGC_KbD$q{gHg%b}o=u2PCs=7qh|(^U5o{DZt< z!||~)Vi`xXwlZ|@7xuK&DP;e!`~T4^`A47m2*WuCQK0_gcj!a2QW{`+?dld9g>%2T zxy5Lu(Nvi$_JNKrN6lTyj7;<;!XC1SsA$rny1KeiT4;$+P+i@Ux{4B|`IaXIH}qmV z!=VKn!7h9NUUbOHF1=fHI$j0!SF%d#G<;eJ#Oc`k;f0OP zwk0~rHb!jhBa^bd+h>BsA`0$sI`rz2`7K z6P&)j(e$w6?&ryA`zi%4K*>IL`17h;g#U<{nsqGIKwTjtNRiZA zX`yDhr!arodSLB!rRA($!Bi(3Z#uukjVza{Anv(N^2y8tHy`eRXH*^Nr)T-~y+gI? z&4pv7prc=wK5}UAcyHw;4FK=lEu(4lIFcUD=wF3zAw=K_VGdD%;d z@otBEq5Vgr9-BLq9*MXFlR>Lqn6) z!|6zD&9avfL$qH6CYHC{F8XDM`Mu!`@;HrTJuo$!?2>XO9fZ^OmEs@pA(L`w9EYXo|tD*6fm# z>#V4h{pQE`neY$sUKb4_b=GAu2ZI&4w6yg{e(r~Cc@~vjj?Sw>&2We*dV+J|S)=<`Ao zE~=RKm=uRvn;#=?v^3>OiJBJ7=6xabPP&dJ@yWk11#ZD26OJK)eULX*G~GqrFY@H+ z($yTD8(!L6*6vrb%+gbl_{ckOsM}lR+A?iw-BuSVMMX-(J0{lMhQL>?LsF2w^O3>0 zdbE~v$23Hc0rpWI4<|z!gCA3)HtC_;6haf6H)E;Qi}_Z8uODT!uJ?IwJl08>NWCSA z>@r5bX{W^ZLq@a=YGYL&UeWA&#Y-K!YaX6npu_-!F2)f>kR6iWU#q;l`_89u$$a7^ za5cD$(H8`ZDl(%3F%K;!N^-wW$Hz58iln;8RII73Oyq_Cz5Ng&m40Ps<8Ed+(kH>G zDnBf&C(XcVi>P2gyy?gIIoBoE7)zv+mUe<05g@X4X$5Z1y-;v#B>~xagvt>6vi$v4 z+^!Ut|a^f{cEKDYNkMM#w$G}VCBVErlF;cDWrveC4+$&_k_(T zan%d_ZTX&4YM{Iby+Tniq1D$H{Pnuo?SQWd_!9#5eIEQl_={!!(R>a5qV;?mL1iVM zGzFzL%s0-|RK0wp&T?`Fq4#|H8lE%BX4%$Kwa+fu-W19=S?jtEnS2PkzZ+^)Q1Epb zqS;Ahb>24{R!V|?u}qwcvL5+5mrUTZP=0H()!HfI`|>K-{;x3Mm_2a0tYs%6kL8s7Ep za5cJ9DxH{|>~H2gsNwF})NM1pD9~#G_pla^P`wiA)O57q6TOK{D!hxxydQZtsf=B@ zekrPAKg@IZhT*DmwdVTf+`SmAOyN2d6_ZdgzenoOYN@swqt2AH?)7f<#p2Y3C-ZIP z_Eu_4r`C^|njaRtRd#n9NUp!8)Lc)GYft7Oi=X@bneCz0Uc(8Mp&C^(PyWqi%cizH zdVDt3vwMA^%y6tP|e8wdI3PLPEIN^t-@XQzkM20i$}|0H??w+_NX^k(QMd zknb%yFE;iW&{0XVq6}XW$9R|B4ju4K&Qj2dmHwJkC0$O9BYRk^UotzW@kEq>97(hs zmM9P8ROV`c9rx(@vp$`t%ulw54d4va?%fdTMD*+gUfAa!bT5xf9jZV;x!T@l zR+02eapc$HF3<0(2@QH{59ujh%$ZJa7+5d_Y#LU6vQDO#o@ET8?H}@@{rh0ihwaIP zF(0Nzd;E<>c7tv+#?CHXnie^wDD*a~x^OHhuS5V)pYirX}= z_{*}An%4S9RZY4{Z0xlR&x?W&E*|EyO|J`%-&U1)c?o~Ye9cPs4!)~v$cytb@R4l# zqxr8w?4w9cY&Zq>AE5>I<@9EtXT|13N4PIB^=0Y$hvHgsG92c_ZW8B4DqT$5c(rO; z%oqf+82bieemU)*nU*v<#sQ}YshzoHh6G~e7A`^E6SU7W#R|Pj87{VIyt@Vp`!6iE z)ST)~$#OA|k6+B@Mz|ner3lAc-Di*)wJC&HEidKwgN9N>XNhEx!@{a=$kR?@#-3`T z$Qc&Fzl?Y>%CnRYDu)bKQ~r>YGqrozH!l%BCy*2P7E8AIIv}E{=27#IQF@SS7i2@s zSUvip(X7KggXO$z{-@Nz*M}CJe(zY8VnJtKs7KXZ@5lrD?r`bt^8U`pBl`Y6ljN~R&j4-;XWy4^ zpHsLCv!q0_rKc~BZ0xJ>FUPD-_OOYI1eN+0gLYM?VS(w@7p+Nq5N5N|3<^WF3Wx6vouupB%v$A7ff_sJgmKlQAV=P z>oDa9r#zG1GA8g=>t4X(oAzVu3(gEhRfgNL*yd`B5T~x@yYIs8(6OMuZ}(eOAy3nH z?Ra8R(@+q`ba9ZG1e6?y<@I$&$D#-!XatEmOiCzdNPn`kUEW ziw2TGV@9s`Ib2L5tEkv-Ob~9Ln5E0j)4?M2KwaB_D+B;#YhfKZYK*`_V0mtVUtKTg z+O#QOwNrxCq&}3wyw6conSavwXAESW&-Sdj`NPs zg?GJgw7@!d!Arj;tW$eDFtMNEVd|1DcBhhcv= zv--Vw#Re`91SMS->}rqt_q*($+4N0Z;Y%5|zm1QN=e%#~P+Y|0bv^lfJZcp$0Q%$) zE#P-LT=HC4^)gHE6;C(7KBy}z7gE`ur*KCpwq8mb%c?tzs%rUBEu8qQme3N*B0<4H zg0`^4nv0NVS;b1Q$dxmw(4Ke6&aRurRwYSIpjg#?_;Dm}Aw8*2l)#3$zg* zpNysKvMNjg{vgLtTy7hJ{wz93JhFyW-ktjK0JCsSuO9{Y7v~`7k{`$4$Hg{$@CP@z z)K_73I8%=FqMkqeZazKfPh!Bp#x{iC*x2COJQcU^8n6DStv*>yXMcHCox};4J8Tph zgRE5Q(>02}^zLC()Q{k?wY~(qSS?srPug4bqQwub7anTW>2T2B{4hhuPR;vr6)4>x zZRK{S?5cN>Fa}9IRSpu2yqfR64Av^l9u3eJ6qG)2JK0};)uCWw z5Bxl{;XZidn?{&Zxo{yBG>F`*ZYt>HS4~*;4ux=mQTO(1(P3^&oS{kEqw8h5yi50O zu5Go*zn|6r?Ntvrsmo$;)$)Ezvsp2iC1+z(1XQEU8vs7d;McapM(#RZ6nic;9U+Y3| zn{2Ny;#3V!nZgV=lvO`iUNe3f zR=DK2wCF6UR-^(he`$8O>3Hh>bug_dTZk8;u`i{k)Uegy{XtK}pS!FeG%W2=d+t^d z%fO20`Aw_f-4X@EXzzd&L90uyI*P_hc5>kdAfigj zy{JJMY+V1)<(_ez3eHG$beuYLHn@*m#+96YhjqU7{nR@Cc~~0;t}189AV(p%FpmY~}RBJPhsMKYr;GYpq0UM7WudvlU_hIVPe*xV^zxjvmBf6U6k z!?LH$&Y*%T);kmi%SL&;MVa_WwBH!a%L3@w$)oyWN$*$&kJg-OLQ17(Fsc~ z#jg=1=D*6@>y-UcQ+Veqc3p>aV2uALfB0REvds#y-;Q;61TxY$rwsi{I;LqgFx%hv ziH#P#4#~mVzLy7S+7mbTF!73%>z?Pmj_>KMY~d9Y&fk69>87i;X&4(D7yP_8;t?IF zBhbU=Ve8e}?6iOWQB&LU0w25W`>QOs_aL^9A4@Juib|qWJ$o-V=}qSn#s~RspRnI& zWQ@7ra&5Cah5LiS$-M-g`|RSVSEndW9{X^s`dd2vBbAguMv}w1ScjqtgZQ_M^bdxJ@Eu^r{)D0I2de9ClD<9qz;76Sftm zW@Yi?=SXo@!i*TI41B6_{gp3f8&*|YyejWq9gPAPoJ6zhn13T={3deKKxz~n<{gu_)h4Z=JRFrq%oWVjx z?RrIeLRrhRBbt@0M1jx(%{BVRXb?(ER$(YXdhdnb|Hs{1#zpzAYr_&2NQeR=B?=-) z2ujBwEl8KNNO$J|10o_yDBX>8NDLi{fOK~ZT|>h#z%VoK&DwkIz27DOz1Dhto-gk= ze)m1xbzRpP$9Wv*HL>5iLgeLgrYBUa03jk;s149{$0 z7=G1t!K``BlGgb7yBZ;b(@08qj)x_uY<~!gP13&E3eYQk$q-rBESLLks0dPtFFL8`>guR{ptkI=Pl= ztxmAf;88=0pr zuQ0Xn654trenke4?u$maeX4>{-JPXP|v`yO!B6rfvs{YtIXh6*r1T7pRU zTF`)`f_b9M^po22NawqD!$in~Nb~ko&Xy_YE&8pM&XuTlfC4n9UfN zy88w^Pn^3V1a@A(000V;Zlebu=Vj?<-WUt_h+Be$m3_sb-1`XyA^Ah8T0JL|8-yldw+(V}FR=%Z zhTc-0_Z!%vetWIlZHxE)&xQf>DWIgZ5@%|9rod;_v~$-0uZt@)dbVqo9ob!K zV`!pUM_+f;WWswt=yms(*1csdorItF{iw`d)0Gw&EU)wHy~Q`GON2@SU=R(}3_ zlpppyt#YeAkLTh}!INj*d$G?iHdXl#6!$9KK~8Rz3Vxl>!%5*E7J|67l!E=VbZw|?iy3Ko5ufvx9@!wg?7epCJytv!!XgMb*r^C-p zfTARx0peUiO{%e$s`8$gmemJ!#M6R?+D@6>5I|@LZZ}lee52do%XOu8bamuHh94qh zWwFHE_tOJt@*l-=R@p?6gWVDrw~LE451xMd)XgOmUAXY(`rh715MKS=w|g`_pfBi{ zcFuzQ2&vYZ8?RHGO#0%3v z^|9fkpHEkn+gV9TN$(ZuR=HKz>({xd8t>_>tgOfZo8iu!7)-9Z`1<;;#ASM};Ik^; z9Iy0kkYuVDL4Jf!Yj2|ujVDg0xB(>U#pK}{hYxeoV>>!JMS;;Tyc6Y~pEf7zwT0|R zd^SF_#J&KK{lf!+QsW>G>z(kpFj}TYaK<}&UsxVYC{%v6yf3DlqvqAamv#C;shbm3 zWgiQKqm0G!=Ibt_+GI10$u(I|gmgQJX-}Rm0}%dlFA^3Bt4ynx+afga3ZXM4_p7p< z;4W&Kp4QTE8XA%+QZxNIq9un^d0^7=BQ>j{RE%UCp6`R%ezT`tEjrK(VrAQ1B{ARl z9%#jXkL~65iN{w)c70YbPr1&Pd7;Kw@u1_}B_Fm2t~os%gl6>*MB2k{0^PV=hq+2T z7U(02eP&Z@-I9Uy?S;e3ik~iP_qM!{6iuH`cf}Sb%$_p4h1BdbP&w^YJlH;lnU_R& zKU;;Ie0H3x$ck3gHn^WM>zkm|f)rW?{7>2ac0*Qm4V8z~5VYKBNJ_r_NWPk3JWwH> zC_N_3%V&#yw;hnJhJ9b!F_^voZMw(cdw6xcjXFKB zr1?OZe;K(P9g|?asWD8G8D+(njE&FEDjO884|mHfBv>h^bXLn3=upi5_I&@lO$VE( ziMg3iY-&)>u~m3Lc58&nl1EAl(VYvb`83y}G&F!*E8YWjl|OF4rRww*qag~H01-$U zrDoVXHKlu2$+_mB?(OYe_+BpYc$$NiwKJ(e9EXsApqn@P7W3}GReHHTuFO`>YSG~y z&@=Tb1}^ECCt>;Ghw9BK1eb&dmOtgBe1RKy8{A)5L`YnglJ1;{WTqW5nh_DnK9~qN z3~C@!e=dn%;fI7n?jeH zBaTpiWVDEgp4_Q(+9I^XeQ@7qRM)K#<5j!@dqEaNGFCToa!4bh19{c!tgcluZyqkp zswH|5MYo@`lBX<&IDYymu`cNNav=TQ?Rs=T82_pVb5&l*5sZ^cHEgp(q zZ*elO8_{zgG*2BYUcL>%bm8%;SzG6uZo`q|hg0xZ`!LEvT+Hw!QB!vrA0q2;nOt2S zZlQ#JRYVL*jly##{WE9Dzlg7=6#KZht7}LCGu%@-KR?fHImk!_xXK%Mo`{hkbxU7= zzfOWIuPE%di_uGfsu>tGO4=nNvxRFd8ogudM_3Q-9CRt%d z3Lachz5Z&(!LH=h6~akslKvl8l2r)q(t>#B#_iNAo+$G%Lb3)(w?wPnj&&RapeY#Z06( z6g_vg!Hmvh9EpffAt(m=63T8^3^ADX*lZ5F?YUJ8&)!s4S!7`O)fo}K4G|-`R6#W? z__4BY1y;Mv`^}qn#8rUR8H1?z-k)nx)ieRK87s{CI;weShy_r<9I-Y-ADD(DhpeKti9iRd zHwY;VQ-@ZROqc`0jsG1~>Gz6Cv&yw<#)l6_O)dG>k~x?d86_VorLY11>Xd23iqA0L zp@~*#6E^NyR#Kt-9s&}$as7In$oedV{UW%m& zi`ZpMpnqlTFdgg?eE|xW`#XdWLeMv8_?I#}KJ;K|MQ?BqJRb3FPdj zhpFz{pZoZV$KYoHzt6}d8yr3@EdchUKnS!AM9Hz^+aw-&DlKwK@+XKWj_P4s4DYFE zPmp@Kl!f&;lJcwIrhnrCXk(ngHdC5qLxYT-Cj=@+_7Jl@LgJWrvki=lg3`kE4UFbH zq8+jd(E(s2-Cjk#x6e7&emyiaI_;M%%ZNC(Z0JbV%c<=4@(OQ_?*@o2HVp6TnlmrJ zH*+@hP?;7M&N@gdXB6d9fjuzo(aGy?tzGdGeHc@9Anq{k<9>~x84lz+&wsk%DW2}&Yp%rmGve`339E&OBwo*>3 z$G$|vB!&fsttOJL9^_}`W=V^l3d)G09S(=I384`t~l5|Nt9Y3PH9 z)^qA$T3B3s05q5cg8QgQr}$e!?$Hjg)7RhW-5KTGUVQ6uMBZM48-WeB5r;Sivnxr_ zU}PK)#Js&K+R%L`Dr!1lrCLRW!K;dx#^xDQQ{gZ`vr5j^h*s6qU=p1SO~`i%{tyvL zg+kOWgIKTa7HZnE)rHj<=xQ;;k9Hz)iWU$eUyn8)B$g4&rX*8KL=R+Uwj~<**;{@0 zhm%~rT0B|Re&d*Wq&O2OR$-@2<&C$nKW+)C?#J(VQzissj5$2`~~VU(QpQT)C47%H^*U!t`m|>#R zMGrSx_nyp^{e`yy5Uc7`!7r@^#2u48t=wrcXzY6NBp<0%pe455I=pelyV4JI;F9<6 zjN5Oo2So1eOmkj(1xf?0mnVB7=zWjV>w%qrnc1h6RFbkU_lC-@rGd8TMRn>JDhCK$hEBJ-86W3%uuro54xMhGSvc6`a|Y^04U8{Yhv_qizwRi#B=4?(CdgC zqQnVMit>F{CnQ>1dV2D)9(M`ZdL_0{Rq2^O`-XO5V+F^BuVWmPY&C>wN&6Z{?6o4f7*al;D010HP1Q-`T{ zR@S`Gjz5hRy_0HBV@b65A1|L2hFc_vhz9s639-H9ETy*4-lNcV?Ye4er%sXGcVUmESh_ zWT|<)qYBHR*aoRT`sB9#1o?y&{&X|eQVw1~z0#d=>1<3x@=#B6{enD|-+!9(@P#+evKgrn~%8BiDa9R4f- zj!MpUKlbogTTRi|W1Av2TVI`Kc&2wBjfPWNVDrE6tb==a$$t-mn&WXd2&s-NQWs6g zDc4g^Bu`G{)2ga`uaPh1h$jAGVULj@C)YHbo$Gdf&G{eyuITFjoO1d;fKo;O8rA;^ z%9^)lIHz;G*@h^_4;j`%WrqXa{+Y$Pmh=b*7nAg;Kzv0oP^R<4yQ9-$)}&&Ho;7;l z_(@_pw+T==39U07X%r#Lx_qLrJ}^Z?cz}q00^>EC%FT6XqJ-$OxlV>Ig?4cYsbvAK z^M>t^BK^LDbL8`)BBU~3S|6-Yqjx7_+~b6+3IwY*@D>&>3L6o8H2!d0iFU4loqCy) zowU?Z8){x<_k`tJjzAVJnoR;7fF;Ge=ujjXm{j(P<0YsZ-#4_o7w* zZyal0XA^5qy=ACR9)|?_NSMy}`#4GUHIgmU-z%OBosD5CsFwAetdUT^l$u#~k4f8Y zW%-wsK3KNu*P}$s)@bsKm2(Ej$fUwj*!h&suCLWOZG}dV(i;|7T0wZ|s7Wo3w5<3h zY3)_6>=f&>P(M9_fA@Fvf3B&UzvmNpvY$<{UBxccWz}7_*FYg0mry|E0_RAs?El#& zMde-2{vu{mF*@Pljk_h8p}$WOehD!jI+ewc&~ZHAL-G6LF1NN4)mf+ZsFL!3!HqGL zR@c{H5Ljm^n`?pm0!%RTe(B}~m-)-(ebI>|CtQx;;9ys6?XZAR#hRyf&zZ9_(D%>I z5DpC)ADue-f1ugy9jtq^JplG#bxGMMhXGT_HwOM-H8OGU`9#i^+0 zUd8gP9=8j%1Du;5=rc+EAVK8xU_|DuYEkGef)d23l-G|-s3H4CTVq6Jrv>--1$ha_ z8V3S_G-Q^Q4SM5je|^9SgM@kSbpNr@y@buK3sAIn9)Sba#x~kgxad|J@tS-M)2i zZs#`mIX~?`8O?wF;V&Em{}>jrX2UM;8Gh^k%QsSc>F3v^wt0Epz0`BD2&aDX;Hc|8lACQeJM}XLw`%zB<21FU~*vc>mkj_(!se zHN##kue|=>ojByZm?XS+VTm}S{AAWbe=dQ7b!ol605(EM{`#L&)8y+5x+xp7N!NEZWl+qd-8yB{= z*zN4>R1FL`OifKAVq=*#G&B_0%>lSx=Yts5x%eimx!)|+*3>hv@boCztj~NQ_-6HT zAiWeiMRR$*YigtK%=rv==*o<(ovNDFgRa3CIXA}`8dlC{s6We$93EaL-F1K1Fsb+W z_e|s53G(0G-QE2>KK?2=B;*-h+VE0V79$G_i(_@~oomDZyzmZR1@$VXxmm1%ik_Y` zK0ZDoC56M))ip*f_ko`n;jKH6E#rla(KFDu;ZgO}D8D8a2t>;pPrOoj(CTD!{jn5n z?Azwx+YZi-k($qodL*WiGc#pEkl2Z@e-sKg$3N;ntLy8Pq%Eepcor&xaX2|SgFk(W z1YXd%an#T6()w^-1x2UZU6#ezgLyXT$* z5Cw}!)M|+B1RhQh?f?$g$}3M-s(Ih9S1!mEF0_RgJ(d4cZNO|jJsDY@ywEN4w_FB9 z9RP!LubN!YW$pF0ikjL3U^JZ8`WYI498+zw(wf=d-``6}P*BIo**QBa>!+RsK1ak8*;@Xxmksu9nvZ(ABz8F{8_=ltR4 z2ZCu>{Mm-{)`d$eX&x6?51P1vfq}q$@l{WU%+Ag(%+DKbM>wu!7(eVY1pa^k78KvDfMmCmK5VpsU`+-!pad-+|$YlM+U z=uh7#vnz6CS>@y;5lmrsIEw0ABk^>0P4@T6odE5` zhDX?40BDTpufqrq3oO&}-?L2Q?P@I2&6Wmlg+cMHO2Fbf2DRZ{^fc4uGK0J}QQi7= z36;@7v9XN?$&oon&eiS*6fe+dcNUgM7Ne&i=LjXS4<4v1YdOl=2CPhhVTO2s`el!( z5IduyufZba8GkAWpn})KY?gPq#qTdl6;-lr_~?CZ=qu~86JaZEsMz5V2e@a$v({kK zv9B;jAC%zMYV#gyM!t^DaI03GFGWJuC6IbM?YMG7fX*2;lNc+YBMrLP@LrU0U34r-5+@cgQ?+bc(qaS` zUn)r(7ZViF#QOMgUm;;twGMgX%KADBIXO8+!+pF;KmJTcCZ-p`6d^0Q_?GGR$wKa< zK^h*TfGyclRFIYZ{NckjA2uz*Z&NkSIWwN-IynTzs4g|74WPGQuB;gbz2mf4Q1T%s zJe)kR41E$nV!FI3pox}V-0X-n?PsD4#?F&UWy1Dr7@NdkpdGRIKoJCTE|}g}`FeFE z?=z@tkiJRJ z9`7?V=xucIgq*tAmN+GHjc~2|qq1B4Fbk$P%_ck+FiR#U$KQjpYpI%)YHv`nQNoZ~ zdk&;7+DWm@pJu^^P_~oGJ)=XYV0b}_k2J~a3O)uk)Wqqre^6FN#qeyY+9@4ISOeTN z3<(T@$X+0;meNQ%=$WLE?9_P_79XFlhR$t%)|})2D)h>C+Wzz-Gp_hzuLBekfH4 z-)@5vr``%8DW~4fp?Fti$At8LrsiE)DhJMn_cJH}&X31YzxG!{s&B@QsXa-iQlNmr z(XSR_K)@|bKFDt|$Y>lq;yh*0uvC%?**I5KhuOglgkr;)7zHP-w(^Ewal@H9W)llj zBfRXf%kxSj~d2`$PntFWWl9z*} ze!4~-*!lF@ktWyno-4d5;>>9mEDMoDH=^MwXZe27AGiI>_YHii6 zQlf&IeGt0x!jpKHK$xX{{@$O>3q~Adj7wS4UqrI^9P+QLYii0F8KvXX63bYZ1b(sw z^w(BaR^4i$!NE7}?d=0c|o!#;AaKGRScE0S~5NhnMaQUct2Hd0_QO9G4WYN~2#N`fGh_gmHa)@;Gp z+h+7pv;|u5Vyo2VU5E95UFe;Ku2+}$ev?7xapyLbW$(Ab-2Rrla1iTuN{UyN7aGcD zaDOU>J$56Xb=~{u-nlVH>kWe~JB_icyLxO$ky$TsZN(ciADufZZ0SL@j&30bIfGGMR_9MjCg;oeGXH5NOOWv+Y8#*?z#htu!Bv?6U zb#Gv`qieI)dkm-Wd6)=EW;dOr8@L`!21Br|b8V6VeGmA?`19G$)?Vx#9z6{@_XOG? zRjDn|{(e(@NfE&-J%Hr=VyadS2pCNIPx$1;EPOtgysV=ev_I1*vzyN$u0rhYkFl2>D+-`Tj$y5KDc9C;w!0&ePvS~1jJA-=aM!M=Tn6k-;<9fo3r;DF$`ow zjX8|Ojbd+v4tZCT3gxCg;~ywrl|OFk`I+`7p}m7NA&@XiH=XGTUu=H)C0>se>kn31 zYl-~qGbEIQ59Ng4wq$T+T~ewPA-NinXAEQ|vH+XlDKS`QTP4EqUWp+jfXbr^QDv$c zm(2d4xK_1kwp0_rU>wTnJA*tpXAnokU`9P;-LT)Dk9r>zO&<&dc{Qgd*3}(?u)^A? zEq7jLjrJsn29v&Mp!9zG2jZ$)Aaf`Gdvw^uh4y zj!oU;-a4rp#mESNOA;anujaJd;;rm08V?WW`6VRgL%U9)JJojH#-`hWkG=jui9i7M4 zJ2N8sta9=_qU6)ZUESe_mn18d7P3202%iTP2{Rn1I*ofXi*J@u!r@dL+R(;4!nQN>2{vs+|F4lilPQ~uMfLTcf?g?Ah z2NnoV%OM+TYoxDX{>2tj3Y|KjUJXN$7(UXr)J5dwO*UCW&SdStC(PGF?Fx{g38%=1 zc$nd=h#xd3NLq;su}%V?P%nK#lI_@=YTF}IM&Bm;%997Je`cH6n`#H2nV(v0wKr<+ zbd6v%O1{);!kU!<3PM*BIODNzim#I;l4Zq6)d`yD`e!8Yqz+t!yJvC-uAb1vOXi+K z5-tD;0b6QObd0`TQ+ITAjZRCucb$j`V2^fob(sP!!&Lhp9dGiJ_)M}JJ~4hzwQa69 zZI4aN4%8kA8V7Pj3kJ=9QwRTPSDMHDN5xbqQ$!>C1nYF)9p!X4SmS=eKol_=mFSw8 zfxDNWHY{Ljg%jDs0#HB(%>Jf=*J1ylN^S~1%6h@;{C`#jUwBUVxOz&p%6qgS!w9H1 zYF2_dyB%sW&e-A)HuT$W=YYZ+RxMC(?o|0H8~^e?BD%%}Ur^nd>K{;6^AF2| zu-UCSII(y0y=-&2!@25OBW6eEQRnTj&P=vMTS%W>Q6|}_c-q+^VN)q{`_pwT(%}Ppw4aN?vnq z8x91Z`m9uBOzW*%-;~R-%?i&$vwey!DXF#sk7#No&RmYyCM#;lQMVi^DsZ{eZ>Tzk zu?wTO&HhgrIh)#VGICE3SxN7DNvP$6SscvD=j=pCuGF20d8&b}sYGX_%`98ziiI4& z9l{9SvF?E*<#_|Ec-zGWD`BlD3hU=?2#^r%X-E_x zD2aDwe;nk*omHRJUnXB-zBy@g*Ka?gzUR@rJIfDGP{*0@EJ|oYTC+#t|XOYR`zVc4&gR{$}C_- zu}a8(#W=R}kjfg!l)3;))~zNVlrIZ^oSl1UxgcK4o9?2wKa7{_bupIE#QchF;bx;| zL&xXPnQQ=}qCk&6k8Km{JWb8+Tg&qrY6ran`h1$RJnoDQnb9>tu9%*36(PAa1$PAa z2T$EU5IDN1eZ+WCHLA}T}B|#JF?SdXMt17f24Tlks+_2?Ao6vXyENYO*P^hlC`q^IjfMJ`SkWU z{Y4=2zk1A{f?;m*es4siKq1iSSC=oy;!$-T`OO5*Lv+^rl-Xn^4il06_E!c0~+XPz$iC%Muw5oxN5{H)sNJ2 z%sK9y;a{@~DmavJnUX9J=(TyZT_nB*2;XSz483w0grD*c?(H0H$hG5qjY+HnPhL6G zh$4p@g~#B4SvQp~6CBZkv-Nzj;C-OAo)gBlPuFhw@N|>iuv3a&=`%~JAsZ6wP_o%M zl}G=8AuCxJ+)GGCIo`S6ZX)qVt6wL>4=gWi*-Pbri#^Rwhn93qXCXjhDI5=FYHrX% zRLp!jz8QW&eXG9={|C@uQfAhTfJ$jYNU{qx?{L!Urkt&9(MZhBtZVo)=HY^``8xZR%D>u{r?d>Bdz#o{ zzG&&Qd`lMmm>3i^a$AX>UI3d?*V@&mqzP!tth%A|Z>C(UWqjzY{)dYBeSh(fO&e`K z?A4Cx8hL^W=i;I~64AQ<6fu8Oi0tEV!@ZQKmqw&>g)@H)iC#z2Sq6(57`#Cpj28wn zdqxl>(eNO4G-X1qh7>X;-69JsiZs#8W#7EFb;~T*H_d48gPfJhS7^5w$-g2;4^_^y zGw$7KI1^)SXzmlCE;7=)?0guwQ2buiUPNTd8-b;$TGP+7UwA9dP6QHMWhSfkstLf; zb*|ANH5*1R*0|KY&x)}0D$)%y3SZ`ajqa~UYCSX99(I#*4YUEpu_1jRRrP!)53U~+ zVIjK(Z{*my5c@BMED)c^N7Ph%o@1-m&yR^sO@J%@kohSiL;-3CY&<|&?2 z>;yaWR8=-`!wvfxa}ff=t`Ddvrt05CM34c}yEjy4Ik@S<6{XPp{QR~d3;KZO{;r(3 zf{&G-TgQqU46F(YdPFl9C~upnEB$homdhV$WX)wWH>}lw4e$=~+C{}rN|0mwmDfdl zlMe3+NsAjB_Y_GRf_rY_Vb0#t8iK_<;%Z{|%h`fkg5rCCI?1m>=9FhsG353T2;g`c z3Ug)8B*YIfzj$qJ+QNq&U&}~*NF)#xHW+(AyJHe==+p<#5QnpUIu&t57-J)~?6x?0 zG@@f96pH|-|Ittx4Q^H-4DOm~8p=b_!_D9nzN{PR9|;82=UqkKE06(|y#}QdJ@2uC z^PZFIw&oaPs{Gs^l=^xz6`wm!pLDgg?_JM@7#3jOZu*1Wg~~(gqKU1d)^vEJ|$`CdhyaLmBd+5Mum@x1gvXx`ekcLbtD0f2I{Q)QH*P5 z-#~et5Ugq8*NO$|!NOt>Q&-dRpj~xp0x6j>ZJHT}lWKM`R5SlE_1p0bvPl8U)l=J# z2m4FsjaiTLH&EEc)b7Lvckz4pWcOZ9NbsspXJm|OXQOp1!-&m`3R-k@D~mLXZdGdN z;y}Xkb01~A-MmS5?ZG?JvS0U504){y6V=mD!^a?od)?EAKD-NEd>{fl5av5Ud-)`} zYc`$42sa!vmn{TRA|_dPdqIqnRr(sZExHnClVL%vmG7ORDJeFL_!i5zw%`R*JD3yB zT028WKG7}%x971(#?V@HEqd_%M6D3o_jNn5$e2WO-6jV{n zDxlaOcSf(QnE9l<`)=&gV9RumQPrJ%)ok6%U26kwWpdD2wLEf_BRY1wp?TasQgk_u ztK6lb?(sx6>W~GXPPiohMZxAG)cb;CKH6!Bj-kfF=1TWR4yY)q{msj<2_@@z5kg7e z+8f2avjv>l9UdR-57Gl_|DvfE*gqlR?#zuFH--_=Xg|M8LB+MTfbbho^nbB*_Y?)t*k zVo5vkmTl#5GIM%HuddGL%)Z;VZ|1;f^z$q&TsO9zzlr`uivC}OzzfFVzinoN6i~mP zb;|MjCF(OJ+&>`!9a*0G^@#N|Sk%`r1+`6GgFt7ij`jC1ufBf%+p=8K$4%MZCfi(m zz$NXci~X!jb%%oE`gaDh6*%)OT}lJ|&A4qWfx3pqIzqkK(7~b9Zi2q)GcTEy^oY8Z}3>>TqAf^OWA1XRr8xiu}U4vwq%+I(B(qxVbV#B6f49oZ0 z6&v+yhusMB_{1MkZ#7aULoL40m20RwEQ~w%LV2cqu!pU&G^4dE;o%<%Xk9eS41A*X zj=K!`iENMOBxd-WdTpql`6k&_73KQqBae+Ue&BIYkFsi+=Ku#vVx+DLIAZz7eR+Z-Z@rc z*yP41>@X*0X=5|I7(_xJ^Y$(73?0VEw22H*UwuU|iIJbwK6Y52jxK_o!X5h-3- zT3*iMlcT)8Ia95Y5qTx9pp_cqUf(F`=3S}d1kI7h-fUS8xojTX{^E3z2~}kqi=Ki~ zt=e8UPOM#1r4n_1Uy}+5gnzcf4BuQOiTOEiNw$YxRlE$ZWY3Fa?)v!&$WZyv>PI%? zkFL6JN1cg)nS5pQvtA}W;_ARdFf6wL%~E9p?W(kb?>-T;^W3|vZI8dK4X6-*ZfXnxb5<3?=9V`18Thu| z;80h?4Ta@Zv3p7lY86G$v=nw6Q_0^ERKKEh$3Bd9vZ38FJ3JL^Al;k%fMU_Sv!_R) z*kkQ^N6)X%GjLv6BRA-~pKY?6Y0tSG4lVXbY_F44GzhVe2GTkg*UNl0@EB6jIz#T1 zM4xTCi0mu~rNsF4KPoR0#VY}wNwlOR!h6`TaN9x1nxu1B?QDVXfxYKKyK#1UqhiSb zvyG1UVBNtGqDC&tYDz`)BG!{#1Vo+T1V1$pE)>+!X z{wGSl4robC$M-@7Rr{jo>LnF2kVgn(R+7Evf6ZzkQECT+ zG1fHjs>v>uGo$6wv+JLz()#k+^vTKJ@!8JzCB2WzEXr*bMrGJ&a-!;<@l~ER8h%^4 zsq)>6^-x*=fQO`!Nw>*cX5Y;|rn&T$fblFzE9aA!oO>tK;Tv9BTIzH2x$&``QG|9; z)B4n=kkh*@rUfSxcLeurUdYlG1l&(dOf(rm9nYi(~qy4tQUx%T#V(IU#t?d>wSxVV!u@g*h3rN%&sqGkHZA}YVIkd2Dl6XSLqp8Ir9v)R)Z5E(IgJS!Xd!asbdROU7 z#rjZ>U1jQ*a`Qw^l;_sSh=})MBWk%5Ci3R}S)M2BZRG|<)4kn8GVI)kOuO&Q_g?i; z2`s*O`m=X*Zv>L+bPcP9X3gCKf|f6dDW^Yf#FZak`K5ux${U>Yv_e~wX0gaYbObNL zTLs5G|DEK+IL;|a({bK8rO+ZzY${ozuMMzbICJ9sIk&f9YLR3y4%Kb zes2E{l9Zr*w6)&=)sMcU0K)0*QqhUh7R!Qq(7o!`=_w>=ip&Z zkvp6KnG2Bn!Ay}dB0s?Zs}5-6vs1<+GCgDJ)P&)N?2-l(-5_&cWRTMs4p^8XAnriL zuRHC2SUiakZ&_|%WL_6xQ-HC;N$C1*QJobyc*~nnF<0+dQ*SI+J=Xf=*Z)LYxOn+k z7CRc0$VnwCXU50`Z-F!{NaUn_Uz{kh{eGPGy2f+xS$R!)wX(rXwW73Sd*{+m9PVeV zI&axTSH_JN88(PKuS)7`HSAro21|)J2-+)uyb=B}+TUni`Zy(4pt9d%+y$Z?T;Jpz zv=kF7Kufp1%GnghJG9xy@;KVO3Dss9RwOYKSsns@D#&2~xErWlUd3pKdyPQZee0at zK%XIBl$=tH0ZK$g<{yzCe+nE#gLqa`Q|6+}tQBC+ewgk!DA4Z%i5Y>Q3h7Dx$Ks5~^wFWNaKz zOfN4r6S-<%qd_r)wSFpAy!8#yCNS%H7|!j`eTQ~;tiQL#>2BQCdHSl)GGai*-W!x$?o;QDf@LeVtQTl@teqUVSfmf( zXD;?{i|o(dQj-1NXrt9a>?72u!=5s0z-`ib`)Ogf?-P5inEL$!p-|-~s}6%@Z*e^l zy>&~2;2m?h6X=f= z%BL4bJ6)rOsaSK;_83d%c9~SqvHnJ@ZhQ7}TL+cA34`{Gx^}|g*1A8Qi-ds4oVT&4 z%vmL0x7xzfoyb~SLl*X5U(VBw-dc=Nxe$YEVMt14?#vSb^39`TqRgf4z^cw_dOcfw zhAWj^PMG@1-m1;K)Q+!8SSCu?UWlW;xa|z_jzU{s?qmr8zK!nP4c#4Z<{tWZFQ!4a zF#-sPf~&%tx|q~=jaDYZyB$C%=h`Iix5;pj!TlN`zF*PECZqRPp!$kirprxOMp!*6 z94cWpW%Uk!vU3mPtJZFAd;Id0B$4sE^y|!1tdd@I=b-q>adZ%)anIG__jN@(vNJau zpjAOtAxd$N;7(&3qJLIHJCwqys;H<~!Ck~@Xw)PlBU}1G$QdQQnBHyL732Ei7p&B% z#bmbLQx%Zc+Bc!0>UT*TQ!G^c-H_dJk5zDr7{JA&-p=rc+TXxAE&a(u=7}U}1&ZWv zkq0C&SFcjx@pc(HLkE9fSv0zvw#=qolgjSh#tfJ1`xdX_yC7{0^qDW#ui!4wekFe~ zvgQ8LY`n9E#>ayErJf?{<(Llh1Y0dEOCh0lDDKd+1ziidaWFu~Bj;nZr zr_4_H9}gLQB-lc2)t3WR-C_4BR2NN~Z7BVn@4la;L(U^-!!pZc?;88?ArD~r<%ACW z-mQSl!khDH_i+H8Xi7VVk9$Alb)HXlQ1o-JhrkAuP1?a?Fm8a1f|B{Wii)Z&z9fa&PV98|%RGMX>Xt=L$Sw|*uu;8$ z`4q6b?@1~hCCOrVT9#tMqhL$RmAl%oqDVnXSV^r8zbKCeSx^oYgYlOLTYO;8t}27O zigU=Is*><;vkt+Ea@=p%&R$ZI|I#v0U)nh2K>b);3`L2k0-cRR{eE0w5&Zn1hAKYe z?Nyd`&Np1k^zaVvY^I8!0;s+-(wN)fXU=TYp*ZawH%?)WHHGeXx_jDVFetKzF9 z=BVe^k=k#u$G;U0^)ut2+BBz@l$5XmT~_Yjzu$e;TIt!6{aSxIP>(#1xJ*quWaxbu z6_}4NRkeC}oDI+?S-)SIfZQbvof9MP&S~4~ico-ulGe=B$^*Ry-9|kZOob&2J8P$D zJdf(^53BR1?cN=SKKXH`&XQaB*|6kTIUyl2RJq=v#%Nly93*&8`Rb+7;W2q_+t3L^ zefwyT_euQT6T|We(E)V6)F$3ex6~F!1yx{g6;<8*x`Cc2$>1|55mU`h?^^s*@m>k)++R z^QPF8pF(A}d37QtcOrk+Jb&=0t?Rn97=GpF)ywphK?FxrDslGsQx)FfPI{k`-UR@9 ztn0s$aQ)RD&9MSPCc7ZD2Y$_#tfbU;m?0uq`h~6eEr-C+p3t)0N@v#HYEnaQcHB0tw}5YZ;M`zzuKF;4{YcR z@2@j9=-&40k`8gZh6FSF6ckP;GO?N{kt6(0IKTEh`+@Q9Inu~%?_80nQ8m!DhK3K1 zbP~eHekn04@=Pt>B3tg-6p2uI^%^SE+6H$3jqFv~H*w=_sQVbM8$I1r8i5Gd#@q<~ zsHx$}`BY!DxAPg?7Ar7-hU)i?YL1Bmsx4-dB_IFrl;>I-DZiM`AE!mibn&jUEFWr2GC69Q&3KeJ7K$5 zFzY>K^xkEJNa$(6rQ3f;LFQb@`PIKLgS-#O;sqSS_O8a9%D*#wCwWW_d0p^rxyd}a zc&x|uk9LFUPw@kT@qE$^1J4?O-Pl#t)fp*1NvZ!beECw|LeIPe#Ka`E(wE8!NE0IB z<0njkmc&2pqzCUc5RvC2=X+@drgOTq{=l z?qNVjXSOyS-mWm{44Z_$Al9H6*fK718S$M;ao4vCt8erSAV#V!jvzEWy|%1;X7ZIT zpH9SHmySy>+I)gbv;|N!o4COniJU#9Ey=BcZIxPa$bPr(f!V&h!jeiVB zYFSVzYC3_88Ag9z|pastU54rSzBftJb+RY2gETSpQM^#*J zy}i44j1M_MvKr=WB3mKpM}<pcx2~?$7VYo9uN1uVqh)SMZ{g6|4Ak#2>%|ji>JG|&r4^y)}r3e$^TYR~= zg^Q0ho=y~gU^AdGq3iT&w$G;F{R{MIUBXwC*8*arN97-(nzZn1xuB)Ft$7yKLagM+ z)>lA@>_jN|mUg7^h1#9pA^5+~{C^Cx|2`&SY378x@4h)gY#1PyFJDe3KA{FSJ0V6+ z0lJv;jmU>^9FtFEZv=;o4jtWLaHNg4d63qpnSqCEtAPgG{yf^JN2^wZPe97-ArbeK zg7m%lr`DSC)-)+8ZZD&Yr%SeeTG`iZ;jiWiNNGev^T;glDJNsQ7jS1nc9F5LK9JT| zk~_H)M2I;@b#ZU>&xQ58@a{)eBC*>Q1tzzb;hLr4B`x2)nsX0_;gzrluK)Ntrys?% zye+@t;wn9PP+H>PoP6zGzXEP$bP+85uHkFMXyaX-a_=gjZi37e_XBbi~XAeVWqGZ15+2 zkk!{nlh6MK=90e}6DxFhS=T$O^!xVr$sHN+213v#<;p(-&pwiA={4)`N-7%jUfjJt zENCP{A$G}sk@6MhI900Q(LeK3|Lw8<@-K&d{As1xJTFWkkcOcY>5?2^=cp_?nr=6l$bM6sK?9S>YaA&orkT7;%`P}E}cSQi3 zByl+GGSsDHC&q~`)iJ_$T{(O+E&!11A0G3vX$FNMXA=lj_@ zu83jHRF@x~JKOA+^1!+aOwhmGCvOcql5Hw>{kSny5FT^jY;w1=Us17h$K_&y(AZIV zf^+qbOUhsM$i<;oo*q-_;4F`Z`P{`P)$^-c_Y^*U`n;h|r2l)p`+r){?H8xIbgOnP zhAR6_!$E-&JqiE(`STohbGGe~*AWvF)1p-^3{~1PpXffu?()=kSWG!hk7dU0JF zC;8O?l;7(9K8HsXcXNnTQ2UN3D9`*zCcVnQz3aU7vv+k_xTy<&AlH(<#3#^!&2atr$3no z{`K_!TThwTCZkweW%2c7pL;~IK0l?4@;Pj1XaFjhz)mz2NC*1*5EGW!Evsr&Sf~0j zAo8+{(=E4_zpBa)7vEN%?+vqI2#oqJ{^TmYv}&E9pPcQJ7> z*OBzR9`q7l)(`)3$a~!R=AleUyY;ao;$*|wu{+#1KCf=TP_W#j!!s!#3zJrPMgxfO z2JBQ=^6hBq7Va*drPOh&W-cHleDs${@)3#0!^2B?>{9y-=uI^Aj^d*7r>&lZ@6&h$ zZ%O|(*#G6l|MrisMH#JDAk4eOaR&#^8a1vJ)WVKW?~wUEj^*pPyo)L{lrQtavP_L^ zTC>MfljSWpDZSz*tTgP27Hqd@Sc@+#n<=OWL&U}&+D`Q;aAwaTSam9(YRe9WP~8S% zjZ*#WL;G1~!Zt#@K&zK!$lJM@!D({?OJ4e0;4BrV%t|`jW;(dbEFi@;{xC|0s!$y9Ef;c2*23 z&Ep7k4ci4m>Y(!sQLx^$Cz}oAP+O~qNCLM=1eBAE=F07>SPXKtH2mAd(~4JLuWi|3 zqF%v#3?D2#T_mS|v7-i(gZS;-%`Us~B`4NF3!|PJqZV2w{)JaBZElzdnU^B0YdIiR ze(}asNLPQoPr8anr#J$~psK8_R$Z#6+4J%{_$*v3%}qmc_nk`9w0WK5&N^z@qH0K% zmYE|7=~58`vvUj1YO0l6&Is$o9IwBgDoc{5C0{0y7%_s7U=Bu>1UCUQ!tXJmz-}Gu{?|I=jW5tQ%S9g{jAefZN062X?F_=!^+9p zgvTjcwGeTBky7;II0lANen3h!GZ~r>OVQ z;R$GF^3J7^&%}-+GCqp^-t_yQ_Tsk4srkO58sqQ!`Fj<1qaB!ip()bXycg!c&%Zx3vshVuj}z(IJTkBWH>!M0clW7;8}4C8 zwNsC>)65nmWp#SKLR!-k{l?98)^eUbOsC<|obE|E`&py_o`fw~&1M@rF5{Mjo4=*c zO3Fib;d2CSe|2qP=j7fMy2C2v{ZMLAX_bvVc!a^Q(yh3)b4p^L513C}Qnm?|sGo`6 z;=D(@!#{BE&1tNUx17Y&clBIs_UN#<&19cb0@QsiQVvi{=CUt5e+|zH@~1FOBs)~& zG}n|>qsF-(VlT)91qM3hF1ZAMZIxrm%L`+$vzwz+6<{YWzx~%&|69TRCqZr@4D8ML z7lOQ@n{2EzUD;}_G*ShLcoRxYASb^{LK4rHLVN2NN1iD6N+q0DD~j(~(&^LfrIaU) zEm|eg{@oRa@n#Y3xftBZEqOF?a}!)`^;IfEE;DaF)i)s9(lDt z2ur`ab!BBR3)HCLYUrzKol*_5A2ua9UWTQZ>C&>lTE)zD_sd`EM|Fh#(2tg4WBl@^ zhL0-V>N>tQ|AlhEf4+K^59_MsRrP``t_~`y-`I8Ae4XJTK-!Ef&8UIwu7n7Qs&ioF zh?Xa<#N0K4xRlGFsA65#r6pUG>X2KxdJXSDY4{@sDc{<%vRsoIBri|1r6@KLz_6BR z!ly?qrOitDjbP@Z@;ds-^*mZ1C!sY*5}@#WWuo>}%U$ zv_#N&=FlBlq^UbnpxURIC$|>N#r<#tBqG{tU;6K@V(jKIr49-QKh!aGCF02&)gA{& z9#&#V(QW!)W|sfa1K-uojr8>N!~i|sgC)#v*7A<613Bpk`O38ZnwD2K7t>Unu?`ofd_{Ix9hLx|3uBb=14+Vd3018*56H-B>{+h@>n*F56i`CPAi zH38dwmIHewaDtao?pmXd#tjQbaV%zrO{b0Ua_)#!xJ`agfk zg48Jp1hTQai!{#2$q8$0lp0;jND3ghbcq-!#cZiSp`1&On5?|K2q3x+z;a+~I+xdh zk^41>W#aVMY^PnK%!8ePY0-o;5Te&dnS(5WX)gM<9eAUm_yn zN16J!x3??!oD;kw0ajL_!Xq{o(S9^J%3MrD1hE9V8ZrgDbSrafH${V64kWk|D#Wvh z3>SVTuK1Iy=O6jef3N?4{c8aSQcKK{OEc-u4@ljmi|TjC-UkLozI*p>T9=87>lrYl z6cipCABTdd!wC9MOUuhbacwtFmY{Bt<@u%Me9oK}%_rrF1HVO;1aHOwR8SUeI4ekg zzC#40PH8QS-J_kmJ6c~aNpkh7T_PwrffBzg03U$mmQ`1ex=bzbJqNqDCnF*8W(8FS z={ot&t0g~zM+e~RNsi7~0hoZ{3iYMSzW1HpDEOP(zCr`V3vpGSU=WDmUgBF@>_*^t;+HWL$*ol%;Bc zcz_cV5EXQL3{;&6cYEWdQgd=1o0^$50I0~w$Ot2ldy$iqTS?y@szjuxpQZZblf?t3 zCtk$wGUQ}zi~XW_<-d|lF*-HEjM%VRv<*&Bjs__4N%sTkX&Wpl@5^U+_4=h zGxY6KRV}qqZrksxHsSet-7K5ca3-#TB$7+r9*)gj(JUIcY_JU!odHHq_955{qs6j4 zYHmy&PoAviWuEVgxg_Z$_qS1S`ESp;RmW?Tc^VNoQW>`28T#u0Wgo(`uV)`^pUy_ZLeaw;IYS~65~z797jiI+3wdm zg_c<4v!LqarCT9KIm9cFv<#30!t+dYk&TKi2?g!Jxxr)No zcZ`BwC{JD4*xU(D8qq0q!yv3@)^ECvm6F;$ZryVt>F4aXQn+RY3)gdf3UE@vZYb5V zcm=B8xvaoz1@!(t$$s!Fy_RkE*B)rk+MEG>BDkPVit=6zp!D_i-#>5kVx6IV+0RVgLh~Fa9}OKfMCN&SxM^ds0jBM^)#Z3k1;sRzLq!|RJ*Pcs>jz8P)ZQA~+T5?D zE3&i0BA_dGuiLj_=bTJ^cUyLt=WMa}@1Oelwf^&)@-LkZ@S|<*-&0t~%or|x`tmPA zt9aM7r(d4J>Tv;f>8v-ts|w=D7t8;&AFU-zy9c{PbJWc>fHy%#Mp$rP^a=t*T7- zeBL(a=2zX(@6w$Be}5qW+#K$q-OU_0E!NgHj}wj%0LIY2Mrq1U`f$+wTX+3TPg>&Q ziLp3wH|GNj7Yr#-#8-Wi4&XR_CvqyMHYB~9Y4U50@@9)YbbRn^sGbCz_Lg?pVHtD$?`J(J0k!-P~g0;p@EECm*h8GcN;f z>x5p#M>=J!UPD8L_WOuuYAWo>?sp;Q{i%$1uxHOUSCoy>pWr!*R+kbtztRtt*yk>0 z4P5&0E=aF8U3S>-`W$ZK(t4yXx=aMEM1-_gQw;qO3{)VxJ4WxsNTC z)$3FMSz)kVXjgb~=KS?rYg5y7jO61-#lpwgMcR3v-kbvnWu!jFj<;~J$X(w4psXil zE%4P*aVEKpl|fa4KJ*pvl5JaaeIQ(|dGs~R$z7E*(vO!;PTy1ISyNZ!JsbF-wfh~o z^&)4Yr32^Aa@Iiwzo-#y`c80ci6Y_ZkkQedCPHcxZ}QT3G!=!ZE+V&f+*>*GO&Qr(>x6Fvl(1Oqo-sFl?*$u;Hljtr-;q%~xnM0(xUnACnDc9Jgs zvGHQq*1l*|ClXmUO0$Q>F5klzh>glNTswi?)*dZ5(>Rt*XZJtTRlm)hSJ^{N1d*{~ zDVg*nN-a!z2vVFD3`dYCL#N z-6?Y0_xKfvuoAeEn9-zSIB{K{QIz))Xbc^Sb%={-NrQ|~ zBYo!uwdKavRU(F!jl;xoi-cZ2>1v|H`;z=bDd-^g(PIyb$Qc?E(!H`Je|Oo()`b+Z zUd}nmAMiL_7XzRREZ3p#?8f8PMSdbKuZJSJOhO#72k%PKRJ#K7n^0x7y!uQ{Cl{-1 zH9enSWqSTbmfdhfk!6jn`OP3!VFjA}HJ{wuS4k-x>y;o;dRC_XpOn%+RCbOjE3YTx z^<#JG^1>UPn0~WBB7VUE87z@KMh33%@w4 zb`U)Z(EgiKqx1JyOuFVc{p;%ZXAj1Yp>4Q(0~7#0Z;*$BqEh3ASw9vO=E&&oV;((I z4O_mOCqZ;!_}ta3FN)k8-8MPADw}~Q0)Bl+7B!#l1^c{6w5Y4>;hV3F98O_F?p#M3 z>z6{J7RCD0vsy=!mVaUh{Ga5B6WhdAVs0E>Y`+>jDb$F=U}hAW1_mkDwfpVK;Zi|b zK+SB;-eEpl!@oOibHk=<(Mk;UUCpw_@U2bB+ri9rZs6XE3W7rshdPmy@X|}Hhmdn4 zLvmB=JX-yeI`Ptg8=Z7|#rzQl^>rrT8u>EL(b)x+7KO&QFeN~@b~M{w+%0;d{K+0I zvJsZc;@RlmYp3<-+>~8fhR7^>6cwFWcnAp;>cB1x&8K93?p{$V4JGHWjoAVpW!cPu zl1ETEBdPylWpVg79%Gb~Z$3F`PR55qZEK_mA^14@{n(|lv4~W6*Y=vWoWT3b7b?-d zO!*Zfp_Rsf5VGtv-6qBqB*RAP}LTB`T8Tbc7kSFWVY-+jqr z@48i^ZkBE9PRQLP zi}mJL1u|}Be*Xdj+Jb%)Zh}$=oslHU%{lJyS_xQ^NO=+G9WSW()ZEsRAr9Tx*U+18sz`U z9{8~mSNJ5})*JFQKJD*X0GjDmXX1V(2ENd7`kWMnwz+wZ(6wx6TA8Cd%4)m}lI z9=V+H9RtEl%!+TrMGss40aMeL-$xDi&yjFjeH>Dt;8O+}JTu4&kkd_?nRnR3L#iYd zd@^mao>uLl#geiKeyCAp;h(V?O{2C+J{;t$SU{!MCL#sGzl-XPHK2C*7TGw!w+!$tw!B=9WH~C7pY;TSI)|W=9i>;Gj1YQBEQ{NB=(Yn9WDU z49{M6!~0mKyV6}gv;=0tn7+8n%|d+yNMftu&h+_gu z6I6w)zEqnA|B=}H1!VqekP@mF!MoB0|1O%LfXRL?#?Mgx8CI8=yK3P#^Z{>C>6ByX z37lOqzcXwv?AnQ~V?yPI`*G+^rCYHu%>Bx#PZv^aN>%Z8(UB|cT1@&Fq|x0((TUsP ztsx=y#u;}XXw^ZVrr7Mo3R-d!h$?FUq_wkNO^Y?4 z7PGA`3jcOgFoJ{cU3^VCC@4-tutd;>wkqaCkn%! zvCT}s%EUQgls<}ZkpDnDl_n=C=}DX1!}|Sst|iR& z>DKm+J*5b!x(!!`@Z%0p%T_jKm$b}U+#(N8$c)T9f~H2fNrZ z>k215JZN7~e=XeTkBI>l`B^u8U5D^Pm97uY6)yW9EZeUvx*yd~kw@Nwf0kszG+DNS zYF7@nF}5Zsvi$STpp&MMzV9^tU5DJc&DK>HhLA_F)_ z-@t&JiAm-Vda|1`%dkWflIV**r4}M=pCehGh*yI;Y{46#x!cBH z7P8SSTP@GbY|&eFKU(1fl;${;-p41&pKBh-ZEc~pKUD1kN5R#taIUQ^HYN_k0uUJQ zw{PrV!fh-ODt8*^VI4h&g!-KX{PTHe7v*<}xq~Vlc{UcfXvuP@linxuy><7HTI2k% z>n;|i0IaIB)g&hK)F1^GO*lR}qT|D6ZyV&co>W=OIR=-O?!~CXR7&!8z2%gqKYO_+ zY=w#myv2r-(}WSQ=|;Z638fU@kdBGfTBva;_?-vnFTG!4&KGm_ zs#jOzk6AKHS*p9$ve)FrH5Cbc55`4K9~Mk}4Uacn5C^t7KL73)`19wbtAjCzlIs}( zk)QWN;zUmaHRL4SJUM^_{uoM`jTN=(>=!-=(0M*==)3(OTs@c_o96S*=(V*q;4mtiH*v*hmr^*2ypkIO*M5-g6LGM+r9;_(8dM@LX`_au+ zsLS(*MVuzRU40!oX0@SZw9e{ft8AjDPVGENclO_~A-+Osx+9H2qj})P0aZF0 z&On$#SW&H7oiqP(tZQD)8_?Eo)e2-EfMGubLb1Ehj_kbK;T}N|9*xa#mK`7atb{V- z?1cHrS#}?yweHnCATZQF%>pj3!tEBVcFF2HH6eVn!q<7Xo&g>wbLsQ8QzoHItgqf( zn=_#8VhLEJzzE$uZZl@wIE+YSNPL%~FPPBs^K0kdo$-DbIy>Uh#5ctB^R>V69dT~u z%+WCZsg+SR$0d8Z=%@_H5e9Yq>N>DUd)rv*eP`)RWkJtKA0vTkw(dPalaF~0k4{Rk z|4$ntAHV)*LQ0ORpx68fT4*LN#>Ot3H(BXdnDsnZFuifPECCvr< zmG4TzefxLFM%S`Q`5lO+kM@?^+;(A-!=tf(aHQEDDa zO*umw!~r+8vc9&}wbgdByrl@6j7P{jI!0&1c$YDOWG5ExtDaY27qYDCqGkqee0@`m zHJ6++@f(V)Tr$O`<#j<_J`kA<6?Wu4L(KWr36ucXU zLKeMlK*bZ4Dv#N~*x3Oc63SsdSU0_hQFg|}x6ku&FtbwZ(V{Qs{T#avIyzEP!G)~$ zssq-F^~hQ)%Hj1dK9!a;aYI}$4+Q`YP7zxP*v1dNE+yop*5ozb%|%A?Vj+vVWl2JZ=Y=2)l$-ud^5VE z{Oh*{?Q__Mla1L!G}J~|bjhHRZJB2H?;n5H2dW5_3cm||6QF&)I&i+CI-}LqiMH!B z^-nBO|NQ3TI8Fm^i=Gn!1Wx0Ly4PTYn9)Q;Cwhk!V5{F!JTNrX1!L0_-szIxa~>e) ztY~)O?Ae7()%irq!XDfbjsZZCrp;faN zs2olnd&)(UIli|AtHh9aysQ}Q(1DxNe64rSdYOB?HNbK#6nEXsAKQE55{tg!`t_nm z{o*{l7N)pb=Cy=~Y3MtK-x_j@e{4Fj-O{%tp!&Js*6Yxl6VubvSH2>5;()ggp$_Y} z{OT#=vw@kB*)K{ond&bxWasBQ@ID^DbkTLEr;Q6Jo^0^HAyc^ooHs6!$63~xw`E-s zAuUKh{RaY3g=>@*<^x4G;#8MkIlPm%iV?$p=X@y>il z4t~Eun~(tJ#_Tqhd%^WlrpnAvFu$-riI&g$ph-!h+ykjf42ID(uWjFja- zsPEm_p)reO=RZ_pgdNxxX{{R1tPIVy!F65i?1;w8(eR2*hrpGIEd35)X%zY77=qJl^sgcif6rE!)x^F0O4v(EN|H_=YKNz#-C|*94+mg= zSsk7DY!>(B4+)XK-FrQ~ZesTdk6;C5)h zfIgVqqWZ}ua27(_YmA?Sp}hk$eMD#CILP`o`|QL*Vi-sjnj%QAHD^1F8J_<`kbsgV zoQY|(9b$0}i_OT(t}fi}Zkj1Upu=PE=52-oSipc@#j;AzOt6aXZ`^Z5XB*khA}B8mpv8e-a~By407g<4fZS z26lEw?DI@dIN~RDK=}p3tZA&-W-GqA3#Dw7=tU6G{}k(1DW(a_dJ-*ErJ%=fj?XJMf>eJ~AR#$?j| z61*}L$SP&>NgU%9?aEsir72U3j!bSuitTw^PPjW3R|K0SKWUcwg4yQ(M~<#s8dxt2 zAoGJf2|p3lp}x*CBxNmGC|}*3Zo)2Q(O54)JZWI)~YyO z{||n2DkvB~5YEV0NTppDcI@+n6kXczl#;In3~2#+g`M>LV9+O*lXS!C`AQ>PLF-DE zX8`opUyLM*vxt^!S=;9XZ%$Pu(_}T(zX)YC*}Hb>qCekPj^$JVetGL6z7Kdvq3aDD zqmt)So+YqC2% z2wSn=oZ>8qoUX4HF??0fFme|_?dEGfEB&-CuT%#09mlM}y|d179@!qXv}Lk8F3sUomb!$0>p4@=M|y6M>M^zo@MK z5%Uy3R(xS?SRNOAZ#<*?FFx_VNV2U8PX=omJt7mrK&xyDsNb!n)O`MYVdWkBzj)=} zKh6L0_ooM*)ID9*!b{;JqK4jp@60z}UHK|Lr*+JxPe1CH@BUrroGBZd7XKK~pG)`t z`}gu2pLO&W@USfF-dXW-tFCh1IX^`6f2=n4r?2ChX)#^GD|g6 zdmJ^WsGJ7_h6qnz+_rl?8+feI=lhEp<$ttN%n)z}LXA73f3|s?GsQj19);A`Gkt3+ z8)drKRnsW8NWPn4BV7O8#|PtN#{;Z z!e7uSaS{=2@agI(9#&N~Y~9Aba;EkBjn%-KgDSIK&w~d~EImP!o5$ zPrc?65SDPQu2NV@q5fU>;(zRbYSoDaSy=T>kHT7`=bJZ-qN2K7TwIka-xL)Ur!0lV zYb?iWrgd$etC!!Q^bAp8$}-pVSAw^b}rQZgcP9_~a?M+Dj% z%B7Zc@{P_S@U~(H^K0Ab!dN#Rd`bGcsmuc4!y-%#g-l`)z)mU`9;mUAF$jy}Hz;SM zLgt@7QU+}FFt=2uO+ZpF1jGoOtI|F zZ)6P%yC%EOt+PJORWsLQxjNH#a^;@5Ra4*Qo4(mSa_EwM*xqD;+TqsgU5C0ud0lWx3-)(iCTyV5-7q7!nA z#^UeJaySebd|5^{y&A`1j}ju!KB?aQZvg?|SPx7+-;nopIZp2+J@S3%b?D^e)Y2I* zK{zAPzv0rFQPS@ z6FK;H0v~aVq!byn^USwoHO;H4qG}X@CdX=e6fn`WjCZMd{6xl@CF^mD) zc49U`=0)=j!`6D2V%(uS*&1t^n_zR8r|MW)jrYMiUn)M zPo6N}K;pA|+53@#URY9OUvqaM$yQ7$FY6ujWCgjeTk}WQO5T<+crcTDFj2BYM2O?T zT9n{uY0l`pOL~_*MYd^%LxEtIfUjFQw7Q=av1!xs#{)w{HddaEqiFKs7~vnvi@F=+ z>$VR3qJP{J??c~le%5z^^ekm9>eK)B82t5U)I~FWFLJn@s38?U2JF5XSi(!SPuMFS|u9EfZ*Xl9z2e|Ni@tUsH8uj#p2 zB`j>9Z4h?dBb}Kd-14!g+UYyY0L@6!Ytzp(H94?`6AZah_=J9w(Bv6y$$hv z$6W!rCo&{FlwX{W%WPt)S=hU`IH79*KuIS)j|d;%=HjkarEMk{x7kvcx{`hMS%)5}=u0+Y_z?-|mFH%yP-K31 z+MLm7sY;I2IKCENE5jDYJw%@d$TLz(KX>yrOztOha%-Qb%97nds;%x#Joi}_?@w>N zfZdG_93XT5;f}0(4#bmft^&E6a;mOsma#@!S_{`2Da*?mzCUc%|9t0xSJXZI)33eu z#m-IltG6C6JZpx&e3@}avsebW1E&-eJXJ1->gbHJh-!3|qM{>FMPByV;QW4@a@v&7 zU5%ZV_DZ~bD5R}<2cw!jYT9J_>Pd-k(V}}myp-8vgRnKFWqF~C((QS-kv1w!w{FM; zP$2D8>}Ti8m-w*C9v|@psL7~bl-9bf?Q`+b%ZUnE7t}xfX3uZ%BY@?+e_iIgS*6-D zi-uAYA2%j`&)@H#Lh1LKy0gCNBeW|p1%c?wfg@Kb=Ns!S%!%*tu(1NKUibi{`Xn4^ zrWBeF6+XDSmTrN_$t#t2u)HU6_$*1^P{P*Fk1#My+|qIbvrR&}hSa#Uh3Qq|l9#uw z77D*Y2NfAbUA*eL2E?@Ojl-`%^64F1PlTI# zA3llUX)$bu%E-JsNnH+cI3_W%@yolQ8HujHis={tnagHfjuVMFc_Fepd}MTl+8f7C zHrkn;^BuFM3>ePTX=T;k_0MCyYa`WS6Y}_X$!6N76Z0dq(&LyX;mn?RDg~2!885e9 zNiGe6OG8?Buuw6J(tB(fWk+E2*JEJid@+LvmH{&l6UL=t5Z~O~G}s5`Y}e{>ByS{Ug7G-Mx=31{ewsTs8`&TuIFAUF)! zKScBs3C#z$pQ2v!9?{gOf>q&LkiExsI<>e|736#_g>k(9tAOy6uyXg|3CYQa+@d3f zx5vCH+GTU5#i;p2TP`IfWx=WzsG7)n62IZU)^@Hw)DEB&hFn}nOu=}4`N z@%PMB(N<+_OC4*aNpE(YpRMdZwX8Wtma>ZsrKy<}w#vt#Qc|sk)VudXUA$fGQBonhnVrQr(gg(tGQ#c4)UYY{%=kvxjnOghbN^?5 z{5Q~~SWYK52cB3xFV3Rk-FAk!V8c9HSrru(g|7RXr!MWX;`Z;FglQ~D~@@ZKDnJCiV$&t<RQ{(mz#%GT$ei4WS?z&YdNA z@+3q@mxJKRnO($t3!13E&)UDUzxL(47=a$Y#&C~VcWQo_LpQ;~`gXQ12SOxS3w!rB zsp$$3fI>Rhu)`g0b#(;Q_Vp>Zbah3Rjl;D7J{`Mymfc_+?iz)B?HwS8JnDpN=@3m1)U;z zMtSq)ZKW^ptdSt+(yFkUmYgzNeN)tyf6M%bruRYhNC%7X&C1HsUO`yk`*&d`_1>{t z)~sv>{a?;-AXBIwxR-j=iu;ze-M9T~eDSE8xcbu6f((N`981t8p}F!s^-R{d3pED| z87ZO6f8l69GN1lJ{EFmS_rav#Iq6+lH<${fba8+ZNI%NP2#jhgX~Z!%?N}}j90c4V z`i8T$O&ANn;er_}%vIm@@|}XODY)7G)2;K@oct%p?ypa&i)I1cBC*;vAc%7nL-Fp} zGo@Tk7hQ>@DuiWV9}nL`O@i_c*-Xn!`B|IA{%PiuK7phM)Pwk?!!ZceE7RF!4r0VP z#>=-eGlOxD&Vd`Zb*0j3hN9&TTlg`J$cxw)qKW!Imh~%6xe0Y0fhou1JltN7v>uAu zFdFxpWJm#_Wo!%~PyL3V+HD3DJnl5b;I8oBwC8nTwxi+tNNSIkz z_>7g6HKk?@bHTvYN&gnTN8QIO>pKKNnUU^FBO{}gb_q+H^s>->&2%%1gITR4i4A3^ z`9-Y3ys^BXPA}?GZ(fy78fSU$NE#!jQbLW3f@N9X@`Wk*b_3)U)2**8u!kBzjgEN|!irbbTcH~W>9 z$2%kDH0%7V!V(D@R`DyHUE$`_nhamR8rnLh6ccRQl8>ZZ=aLHTa2zjUqT z?wjMj14XGDiQstYYN7^jQx$UAX{kg|>A`!ihT29=s7ybb>FJ(scWKYg3R>_Gzt6@h z1(nR*2h{=LDUYoDY(oez!s^-eH{{-vH?782}=5P@b-$v_iXX~XqI-l_2oXoopPSAb2)wC$jpQd zxcw%^{*O~kR$NY(1ABF!!{%;QI3J$%`B-(2IC#ztas8(Ai>jN|2t(ZGWUhO+6guBq zy7d;~O~)D(_t&fTQH>s3&hu5=#F!V!m!KkghAH=P#@RDR(OchuQWv%A7spI{?BKvP z6}2`x(c^C{LEnc*?$qiO$-%j>5?dWRrZvNCOoENBg9E69<7yF|QUkgoUYG5|K5skg z-E9q$=No)TX79HjoQv6)5)%35vcw<#D2;PjtKKHe?nzhjGqUfgiQtMT=Sc zwad~nv5M!H0aKc*STR2MO*Mb{;Qi#rg^xn08W;S{*^*T)zd8}9R-}5YPOa0vmF(w3 zgISk3UG7k+4|w>+oU?W%g$$h1C$|kx>DKv$sTfnIg=wOh&3n_cNs9V9W77)yfyZlO zdNtR_;m3d^5{*7y*Ws?Rk{h|}v;MFo(Rup#O9;J_;j)q9P49n5kN%@@5fC}shkmGi z>^;3*Udz3~5#x{K0nicPbCr^ohS?Q(@Zdp6RMc(O2?#0ad39Y~i%t`>YZMd=;&1t4NxK!)A)E}>J(g(TQCIW^tConrfuYa5T+!Dg0 zSDBy`g-gwIP#&sW8YhVtP*5&knWQljiVfg2Vot898o2i+1jRd`Qapk`imACdZ~n!V8S1KyLz z7xC`#cje{;#WZ@?R9r#)jq<)%g$I&$IZA_maX+fyaJ{oI&@mU6t6o_Z~ z5A?1*di2P8Z(WZWrwB%}Kn7t5s;0(_uwS(vgq%BUXl#s`W_^5DL}XNN#6(i?ium(p z{1L2q<=zFK*xhb}L)xSFLTPd^!^MwP`A*1j&R+5nlZ4#=x*0k@3eStvEkTHGwepge z9OXc3tL19o<6mBjk|2LiG3E6G`nzAISjsNA#HMdhGa64(;O=~sSYusUR@hg`rd)a? z;;a?p$A6z(SuHv+VJ&q{5y0}L-APHq95YffYB`$hemc8hDF71)LWif5K3-m4B&4K< zokd>s!<^RqqB-2IiG z{Qx%MdTnf+?WF5_DsIi4d?@DyK64(ZlGwD}W5gc)dl{LadLV_EP?9L`yMbsA_%O`< z%~;t|YbrIBp{*+#Tq`+6jPrG;TK1;gpXr@dvrj#dBCyt6cFW)npP7-F>(sF} zN9&q!=_1x5ZcN)j6y$l``j8JMyOTpI+3!&ebA1JETaF}q1p&cmEhD=`N!quVyciNS_x3qRKk>SD!eo`4cXqd^=X-8b%o8yjFvfV8TkMsQo^XPu#_gC z6IZ3ZgC0kJcSz$?wi+dHd=f+TMn4yX%1li zTjcB^CP;1eQ+j%(9O?5*JzO@&A#vL2pMA#MP#2}P?s_gMHz(pSZJV33t769*76)LuavxhLPctysXy#v6?Jlx+)rLq5iZUMmD6X+R;TaMp z*fL9N3YUcCR$&m*vrl95<#|i@$OD@fGUv0hRy3=n4*hUa3ehi0SC4NC+H32U&(rF2 zBI)po)?Z@{`zq$&l@TW)bz3@{gVg8_Gu096TLvTNdJVt0iCyEQql-kTT%U}j6FYvh zqPrE{_R21R%6(Uh+oQYxZIz_YO#cNqJ%$&zJIT2-|4xR2ecZ`472aV@Xc0+Hr}2gOEa0odXH|$zh$Pw_RIFeBg-?bLbTi{)^^KjENAnf<>6x}itqEMJWXA= zWAHTt!@)}Ggn1qJ+Q(3<^dYs7NEXPrNRys6Z_Q4fFW13}Q>A-_80gCl-RZqGS$x1Fv~&g$|L zGCfj^=V1-DUCi)n+|Z6Z%@S>+nGxMu`uP);fVrlliEA-r@o|h-=R57x^C^#R-rV$z zgodz0Lg$Jb`G)xKKCQv@jSq|X#v%}|^Js{ywWcY;C8N4e!v_-g9923xAEv>rU@10DYjP#?}*9q-#kbzvv<7g;1Fovq!Of~ zCjVSLN87fy{$O}#`Htw3H8vUD@=lg}6@k#M-I&i8dW+3+bdB{*QsTVv7V zcEBzddDoqGWKZcj@6bLL;=ikM34dcHJ9p?esfOO=b!+FdN0iiIqK?cxSKRO2|AmnGeswxV% zdLbBUmHlA`vB-%GnNbH|e?HAE*DPG(fmmx%?P#*Xtjp7&8z|X5;q8xEH{gqf4!1rV zwO7&DIP7Ai*DI!tsaVHOP1Qc6m9cS|GPAl)h5E!{bEcMk&$Fwf%Ld(VCD zIoo~DdH3`F=P;r(>$lc7Kk?-1ocC!>F1_Ly{8Wy?*^Gwegtw!shz|WGA|fZWr!3jF z0~hB)6Z-xJN+GE%6?C8utp~h@L@Lc2&0My%>Y=gmgI*$7a&mmz{Y?7jjmLaL%4E_M z?jQO?MSFntmYq5hV$%5w0hF_5ai2Yl+y=w~@@W)o0x z*IjDVHdC^}B9FNv;r``~Nn!vf86=2*1Uf`Zw?)>?vXMfz9Pc#Rs-Ou!C1E`wzDN)et>Q7pbj4s0T36$%h_9;E+D0 ze@S>Js>29fahSW`C23gHrq!DWe7g`utN*jT_aAaT^yfkqUXtioB@cw%(3oLX-N*K$!-r_ z37^4*gSWUK=1w~O=v4;5C?VmI`uy3Us3@W_Y?bk&5Yi#U*BrmAE z0Q>eoDoOuW_jn@?xFl;tMMr~k!YM>p?d`+cjZ8)dP`*~h0@8m~dq+pC)XFDGA0LF5 zeto9~pyER{hgfpd`r&KLCu1*1b^!YR&Nd7Z@cqjSvF`TP7M;iI*ELjkP1e^SAP<<~ zDqW?c)d9>_)E6~{omCCtKr(oXI6D`-SL@%W{On6u&AHPjStO5w`uN3bEf5Z03tK1E z!U%VU*x}OMKy*!RDE~I8R;{uUrM7A?zv9wrr&c240PL!6q6rIj9r`LAC0D6tn@w}) z)pnLq+7#sI)mOWG`R;)EPeL&XYi6!vhqXayDoStXns3_VNIUK>bh9dt!gvgJDafk; z?g)^p-#|*7!8)uX+1gd^`_sG5+nVEj*i4fGfN&qhp?SZorgp;H9ldenz}bX$moba4eF#Zg{0L?*lDN-_Vh@`JRN<8 z_w)x;NKh_-;|7U85TTua-~7L{01AU@$^}5r?dhu1`F-6#o-2LU0(rHr{E`$ZsjO2Q zu0hXv$<5h2@4?~(y$))uP_5EJ(O1`Q=?eXdi6_l#+7!wUA?2%c4q0k!j4d2jc+uBq z|0%b$KxNdjSZD{4l05y;q6*A*O#yD0ecu|J<*p?^T+pQ=8lbC68PhJ@F!*lx1s27gc=mq zdPBeKxkB~|G*pWtttUo!KzpWVH#+xX#QS^MD?1SRrROAGa;7p83Wc(Sq30>}4fo`XzvlBIRu5-RO`nkxm2DTk zw~bZ~KU!QFouR@Vy`J(1i?ctv6(#q zlr&RzpKY`50Tf3PE)ziTB=8B@xIO;8kxo)l(n0bhCY-6bUOcHF3qhXqL${h}a}7{A z4(;pe`H)!Wx8{7HcF;G!;%`2cvzdcTm@O{)fUspDw--2G+kY9MDmDN19BhN1lIL?Z zx$d)H8Vkf#_3H!M%EPQ!7g^WXy~@hVfb6w5C^<>k*u;D6a{lNZkVH>OCovy!Pl>Ra zFL5TNfO4d^LS$mWzE(-syt|IQy^QCO#_dYT+R@m}-J-tVLGyiMGIW3Z$&7J+k;7LI z50DY4+SIJ|R*2%7s*KgV&fUw^!8?nmH2t}s3MHFms7Fi&gw zZUDD(e`1PryQfTgAz^Io3xec4VMtk-rZWVq3$(1m4G>~QHZqU4GRvx^{jcVNwWbal z){vJSQ6Nlg43QUDDw0b-Iu#64>aX9(Z_0RHH6zTq-+?Y|!GOpuzvkGKrbaqIuy=9S zsoT~D$p?--` zEfz;OLT*ift7YKXT(aj;cd59ovFvMKLD(|9dTWWolDlECGcExePrdV(?Avqj?GIk86!L@Dk?C6%!zP4S$SQMpFetd$%u)GDJyOd z_@*W&?~fjDZ|8v!ZjFN#6%tRY_b-H%b8^l$hHBqegA-9{Y$*GqD zxW{p51B+`eZIx5{^{tzD>`TeK8Rc!|IwFOP-TpKBiH+#X2x z7biA2e_p3^UXO1b2T1V1GvPi_pbhkyKwD_&IeD@wyPj&lL3*Vi_wjXLv;9;uICJfg zgi_UQAL0`D-$9Fs;5b@DZ(dt~#w6j$#Ki7CF$Xy;xVl37-uhUufMGbc?t3(iL)RNy zr=E`E0dJNf8pw$(bl2#E`$+pIKDT1+cNpi~$IfO^BSf~x3;*P*@yCJZcY(`JuC3X1 zBJp>S_7o3z4h{|+BfE4s>>U&bHI6ypr0wI1^7^ zUW5>kj&WMG&t3Gz`m~{_DMNH-abdB0ZNCU)3ELfMu+XuFT;Q>#hj$JiK*-{3;_l8^ zry>p)i?*Hf_nm74ig$yF|dLbmvY0olObO>+t1fq z8fR_!Rj@qGvDH*?WBMM9PomS98tad>bX@*!2-e^1xG#+Vtj=Rsp;<=Hz4;Z9PFW4- zdc(e%@?EhHZl0!fJ>W&J4(VSMD94 z` z%HOE;Ew$>LJt2#`veq*gbl#R4{PomDs{RzLsxjvLRbNRVY60AFUfGS(Z<=57J?MOk zA7SNCqjq?wYyw*N{`7P`bGm>NN}>~wYHKub8C#T{+cbzVOCq8d@C4-*ef4=D8v5-< zPW;e{7}vvW@5lpeFjwVJqEBQv)B{oKxH{!@*{k1DJ8Bn~6>z^8tl~7j_g_2QHqt(S zsGh@*LG;KxdD5>9bN#w{B#Tdlgr2j=+=^?oMwpMt0vTm}Eg6s-Uh;4WJek$6hs?1w zEPmX~2_%qIU$qu80L;FF0C5G2qTn)EUpnCnLbtci*T_6&&F`+bUa<9BtLd2n_tbTl z34muw0u}(j9wuit?Nc>h3Ydoo@n>fi&xV(eqc?(H(ooWjYr5>3w?=ge01`tUah)o8 zHy)(i6bP75iaTL~+SgXk!+#Uk{?!!Z`w>X`?N^0Xbic{^*l?cIZYA_NrKPf$ByeVW zVOD&~O`+`detrmfB}&+oaGtWv%|}-o-SPV4{^wn=H@td)2+oJ*8>X$!ntHS`ML1W+ zN9AP$$*uP#3&4|vlbG;Tn~|6C{jko@a*25GPc{96>xsd@B1|RrrR3I|up+9!7CLIP z@y-cFG2Ki9U>{)rOfd{tEM2c0%L#y6PX}}cwAh3#k@gBs-UC#32X|mAG^wmCC9iLK zl{`U5&(F=OVR04lJx0B1kla2^>U=9P;&OTxQZ#e2j3vaZ13N4miWK3>6@#0~5|I}D z8q>Myb^w1(ilq6f$&J*rXHe@_kD7UOrh9O@^rNxu8=(UL%pG5RGh=z!IOrlRU3JP| zAJSddbFFh7KH&s(IdMX#?s@m6cKOXZcir}9i>+?D+TvQHqXwwAL6-Zg)zoIV}<{%qg%^0Tm0DuOYM6= znPy_X^486H^B#Hdk!arQtgOQ9H);2mWV$f^Lg;^3tzXahip0*p-!`3_j(N7s1dKv0 zH6~X1Kq%w4>-HgU7bA*XD`ZLw@*@u^%A&Fw9p)O4x~r;xOs|sO?Em^vYZTTWC8&Pd zF+vItF%y_liu)yUlu8c_5X`imj9f0eGNOzszvvTsp5AonDwOT>gso+ByP<@!xj8-H zCR+H?$foYsBkmSKm$PkU-IUtU4;Msj6IRB5{M7u56*u;?;{QNpT=$S%{010qWr&J^ zfRMm*z!-Tn7{v>A+~3`O0VttlrZI(PRNOp)ACbMA8aW{AT+^imHc^0VV|E*g(jc%n z&+J%2ssvQCC2c+x`t@`L$4AuS8IVOU_#)@9GZjtfIYY0d&Ng2C7k`}t;IDH=^q+=e z6fm3Ja2tLosOEVpwt9A)vhOMu!t!~ol<)zXGy?C)ju46IJ4Cdk@JJKTw1#$%r zeKxRs$kr!rcSh#1d|DJDDh;|FPGe~i?(x8-;pbDIbZ7jVzqi`#oPrQJIfZ4@QZx+^ zo0Eu36r7l)!;c5peUZW06LnGC5dQkJ@ZLdzVus=GtxJ51#q{CHjCy(6&o|%BMO9e) zE8%UY^`PB3ntI=pN41#wIJwmAh7iPl%E>I0syQl%gTiL7AwRVxepEm4 z#2kD9wq>1@S^D(nBjmk zQa*Y2@6laDO|NYrLmV#a-{b-FU(12MQ4yiP`n8570q}3Y=s+3(WddL}3VKaHqW_%6 zGujF-*OEj(Ao3!X!j1Y$A8_l5n@wfpyf zhLPdr-lk)!0D43oAnmA=k)Qtyqp+x;fTMG#w0?{D7T|eA%fuuNtnjbpsXW$u z!fYFg(Uux-&j!GPK#SHJK{0a<|M)RD0S&Ct2U5vp0Z|oG-!oNaa^^PDewNU>}I;fNAiIf}(7@X!LhhC;$GJ`@`QD z{r-3O0zmwbG{KI*CnVgDY|YPS*e#1}#S*!d-`m^!Ip|NQ&5)Ls1|;?Ktsz?!Qq3B( zhi093u!2j8{ed}EVmxeW0gwvHV}Wk9|EKW;so3456Cf-0>eZ{++{6*vtwC!PvV|J+ zP* z!N@ocjP4}DNxz4Y@Vxi%XqfwnA|ye| z;`*a#rLzGOGNo^+Xbn|r%sE`Mgti!@!ohZ zu+J3}6T1+^=l)MZ$sZ0r{y3cfcbNJY{?q^%h3Po{MA}`bq4Gp0V8&)+D-#w1*h{8w z5wGU@@l`dcwo`1w0X{{d77GiD;Yo&hQ!}t4HUth$#d*f)1~5;H+sJ^@YNY-Cbl+g&OR`dB zfbhM$yZglbkPC1N1CiM5sCv5ti6#~}orknSw6hJs0rtjXE5CFi*_I@c5EGk}T7Lb? z9uJV<0S-m;P)`_%ed<560RAxg{XNb8d+&}a14q)p$c3==z#Iiw(h`dmdJ?TEP5@Vl z)1V*k^!$8cMx#R4zcf8K7$6QZYd5L+`1rUqX#wG9a&mIVHa9o7e`_dt=ngQ_yJ%tj zS^nS*Sn%(CihuXRYvEfR@4eZ=w1C4u;sInN&LbJ^ECGJdoy|&D*Bi1VqsEn-cx{uS z%bU502}O&>L+(JU*0?x=m&J1amz!H#?}1%B5YX&gN`zc5clg$OBOKM2t4-s7>!oNE zAnNAUlpomI3iDbz`OMer_1wz(PlMIJ^t=Srd2M5hi1hLx9CY5*n1krjJ@1`c>ztgN ze#NS4@7k3Bbp!CQMjwJ|1;XrW*Ndx$aq!QKn3B28qcBOh0bYC++XIpkxb+{TXlX#3Kt2*QvAgp=zj@bJ3(Hqas(BICn&Rl(8JjZ@##`6kY!*a zV6ycFalb$T@VI=~qt2x9+2#UG?2dyRlU`5gnDjZo%DuY*Kgb`50Ya;3Gum%cEAsOt zvGQ_rlV1DPgagw_fG1YT<^2C|(cM7%Am&tuG@}o-YE2bz>`&q{y*c#C0>+oCoq_xN z&9HlDrEWJG&|0X@bt`_+#%pGl#mC0d_J)&10|JNY z)h4k=SeTfx1&Vol4swhpmKqOrYQE56NOE%W!&BYS(Q(iSDlr1`{I(MAq;}1n68q{8 z@xXbl-ar2ofA!tbL@y&F+-DSS@Bm-G(eXG=PUP;V4p#l=cKFki6ZWzKu{*$>RLK4A z4hk8Fd7((d$vJ)iJON4h^3B1)XhL}c`1slhNl7NG){c(x$rcS#fM+8OK-ux}^`)hu zd86d1DlIJ?Li7&6w{MgKOMmJo=EVO?i2rNh3pkgCw9x6r)Wl`_hcD%NdGK9M_&Qsz zbYdwN5Nn78Ql3zg;SjO0nc1YdvNQCs7LboD0EE=&LI_wm_l2&r0QnZBZ$I3D@Eg6c zp^u7=KC$YN%wt)TKK{iWDAZ-wNx03d{<3@R|Mp;qdl@;>y>$GH2!yB0qeaj$Ai;IC zJ(!sF6i`M^>3~dr2CCxxwr1d_O0s>>&0=AZsj*xxopH#^6vI#+UB1|z=pGmt_)>sI zsM+XH;v8-}BBUBI2ajYQs71@hCI>WwU4T19GZzEf=#D@Tt#b`wOt=+_S^P#eQZ6|D{0Z`$~oFkRF*UBwn|KW&h$^ zC*iH^0!xcRax#^3y2!+?8_=hULg9t3p?Py^aT*n5W-rcI*s zCp~&LznP8y!IUorpq|@4CrTj$GE02Dt;RBG)c5aHMJgpx;bI3jd#q_Ldj+iK%^r6y zAF)(7eX)eCrWU`XqaiC{;r9~)JW63<;Y^b`H z;#-9R)AGv^f9MHgUkEwjaze!xet6lHR($ECu6g9iWYJJP_^kwu<)W?Dr{3&#Hg-d` zY(K=CB;>{DM7CHiurF*>i1$aHPCkt%*c$K(i@6!s(*j_L@uz6tA|p@F--edKg2nf< z>5SyCN{0axTzUA#Ybbq}$eSj?Pa^W=xh?Ms_lvkP0~-VV5dC%?jFk)2k^}FTM{WX; zGS*BH5_|l+lT}#@nB&Ix#(_ohu5+I}On&`%&gy(CoRA{=rl$qwIxVw6!@?&s33;y< zt?ZzGdGJ_RtNHn3Ymw4nj)a>SM+K$Id{|Av^p$h0V$#cm@R{|hy2g5GHz%Jr$P&9k zHt%gxj^x}^htlo7r%lwHorcGbFN`nLxQ^CH^n^wM{~M(;XXVT6!cvpbv{+y8hqg82 z@1I*gH`nE7N`4B3&ArdC%(!y8P8dQm&5D_^BS*8)7_co8)iY@E3r(db7xu>Czkfb= z-)NgtUqL|rFBc9-%@5wa4py=sR_FUTJTUE#RK}SL-nQE7M6=oCsbPjiajA?(Pne)T?hvD(MDg&T;*#o_QX9&z%P%cqO? zr$vyy8fuVT@_PuPMVf7h8~E0A$e*dkozl}~`}D}N11%ojv*}tc3NKMVTjyz<^_ zA8XmJzAi9zjB4zxH~C(_)WXCfO4`GH?>^O%@+dD50!OQ)sx$1-R_!@~`H_r(1&jH^*qy1Dw;m*uc* zF8Ss$I(f{~u@YGE*)PBii;Z&{Y$!1OM9dpK)HB@a>)6Oe-;wKP;FH(+Bc71As3K1X zU5a-SPDdzt_UnDCZO%K+yFuf`p$lU~CDU}yrzLDDxr2O`#i3H++<-&daP$Z_nN?C2 z|E(MI8MtWVrDvI{rQ20IlQeAGMmyvwtLtr+$gh(kPwFEAk)Tx9c>S{5tbzJ}R%iHK zWx$?*Ae)0MyRLw1ovcQ98aQCL(&wpC*uN-or3uG)AglgwRD3aD{KU0q$( zkyhCkmbVTLet5YvGTr+UKF`;y(bcqWY1fKv;W2zE!Z2AfWyp3;qBupK=L-sp`D2q$ z5jRRs2lA{IN90jXQ*478UyWSUv-JMm?HG9Evv6vNlAn<9F4bD@jIh}R+7m;uUk0-!z zb98h>ek~U<{Md|?;8_?p4EuUjS%kAOf`B}hP}sTj5O1CyA>c;j7-NgD()k;#N?!vs zap*C>w46BW;Ak7aeeCwy$IZ9F4JyMz<|!``&!hVs{xQwUms{6LcVkcu1xcvA<9cgF z(>}?0gWD@rIM3yq`440#@nf&smb+gnZh%5GVCvd;=VGpKo_p+XHI^c;LXKXF&`>&D zI_7-7W9mW1z_Ytf`S8bJkw0jWK2rjjlLQ4!u3ZI$r$8okhh8$rZ{51qPPVl-5go!e zJJeQxRI~(?dja;yz`#QK&6_T-CI395?N$?IDnG^#CvD!36;xEXGqyL^{#Nv95%My< z_+*$vmyG@?dou><*8UF9*Vb^yZ(xXLrf4GeNSkVUFUo@K=huA=&Vzo5uEhzB=fl@Y zq#CEL#uh6utbKy#(T&XPj%SjIf{eo{tq$9(+5jDS@HQNP>lw-IyQnfbr{8sATq&Nf zZ+WD9iFB?iwFqmulik=X?K+6K8&5?yyFwvya;0+)GG20CA1DMC57Huey}ep%ME{1Z z6#v{lX$rvNZ;pR1Nqee3WS;i<&o>)!TfBTzJktZJU#Ah|w)4?X{`I62-PQ-gv0zUPuA;OGMw}#R zK9p8ejAqtp(FD@QL1V!mp-wQU-~f+wKx%-`fL_ItVX(j7#IZGe$tu4G5R(B`2yY(X zRKUc^tZ1cmW#zM!q$D;l$g#D=KdUtdh>)L34z)vo`(dY{tv{9`xVH8!pajy;@+}bs zBcp9U-6HBIgQN)Za=5KApSt`K@XdEnqn)MeQNHV&$NTorW_krg z$oY{e;OVs*z68-o(2`V4uv9{>(x|M~!Xum-7Ug;!LDgeTO}!umTX7vdJEqc&o;zBv^X$`J;%;Pb4StORoMjqVNb}V#hMssyWn@ z&nXEG5W({xOH0+a-AoLOlxo=DS)WTD`w`$s9ydceJX_Sa4hD}73>~XTaIV8g`19f& z4Tld(k4RLsz|Bc54odG3zIi#Lt~f3wJEV`z8Ea`Z4|7W6ZKU4EqTk;lv-n+zh#=s> zK2pNJ@j}6ddoGIb?a|YJ`2|btBh>p(dx<}s6Jtf4o%z%>G|(a9UJYh|{G9*q;#w zmlPMbEiP(B!kJ9xy#hXD53UpJt~S*24a>JSOq%lR&-;WGl)@6r>{d^LaU`czW5tZe zIimBo(iSLD?#nsQk|j@!aNe0rh9bC?p}(;Hl{w(~T0BfsRBuPgM$XKuCW{=u5E(-Y zzArhQ=jV&5Xl%&=mH?P}?6C;s!x7f>fe=r?VJ~ZEOBHGq0iO9G!XWt8_>lC|&23in zFnkL`LVDZf1ZZ%17xUnBxrW>}V~}accf_%jT|$+oDS|ScQaJFuZ`(QLIdG+aK7pT^ zeYLD^+%&qNP$Vwp;=HGBg}RH#pba_T9;R7s$k~#(!})iQ<8MbO15a}`K_j;7N$ag# zq;khJ^ETx9Zx8no12Z#Tmj?jJN+G##N9Ez+p#n`!#Ugkrh~in|BODwa zemPnBF^z9G=cXtb{ z4rZTz3#!katxZiOo1JHbZDUr5QW|8E7sjI4@1L|CY zIxlc=#>sCW6pyqT?ED7@F?gNN5Hy>d;7YYjc6?$}%(IgF{06oZh_Q zdG_in!%uUPuFDX&I;&MuQr>c%=^9!((gU;h#qN&@pOj@-VpNpSPs?kT*fUH~5UyQB zwXOLy-}eXLRv1^(&VuH=vYPium1ibj+nc8rYkuGrSmFBId8NI67h>Ra0k(QNOx9x? z(tq-3)=<9IVYEt7L-NF&fk-(9!E4*)urb#$%TAB>o>{I zFU60p%)*2|epACeT`9=%vGYy28BuWi{5+c5f-*$Xw!WH8cfP->>s&~)U2%FV@&yxi8az)}-R%VDk9zaZ^S~gaA_m65(944Hbt*on^K?*Sf<& z+KHV#PUY#+ix*|^2W4{GHSCdE(E7KVR#&>5*<1OS&xS7F8?*7y?>wDG;zw{ng(!b9 zrqxqm)MO)arhPACx3vmh2wC*>ZLAK=tbEVw%JrC))`-MyPO?m0bGiQN1Mf(wdXtAe zq9wOy0rvd&Lpj~H^ISVN!Wbn{ci;PFP-E|*E|0v^uw9?R>b1G%$@ZfA8Rpa5)fP~m zE%wDe4zngTEJfOH&~2)|+Z2t~8PhDfuwthA}nY}g{m86>vuE09bIZv`crS${p&&1 z?)v&@NYfSqLIh0xD_D!R<|sf2fEG_cBVW@QR#Ra(BPogJcNHL-VMM}x!Bv;yL8Lpbn~}k+lM>u6alkeyg7@5~ z5!HPwZbM8#7AHkY5Yryq0MTSBhj-NgL+N+D>@n@lET>u{C^hs$e*oR?vw``3;>>yb z!247rQI3JeNE>q93B5Tq`zGfoj9}Z{u@>YDv_nj1T4$?QM=1LE2B=(-6=AWMlR8B+ zjdW6u?xtYL96x(3I(@j-L}uQ>66H&C#PQZi#Kswix8Ftm3y&2BNaxNHTIo2 z&7n&o$50?Q67>s!GU`ARSJ7F2zC1 z{`=h7AE=4BrO2Q;4#Q_BbAGOZX){z>fj+H)A}P|r0bd=kRAz`Bw5`hydeZp3wapPq zi4YHL#pY=xe+3iXOxM2J1sjInJu36pK1jp-vi&T*Aod__=*6(N-+|NWT%jea(zF`_ z+VC9}%DvT_WAa)emaFsAQ$$k|65-Y0U>gRu2~XI0KOWU@lfj>*{dYL>u;BJz0ZOUA zP3M2BAFQZRGuYYqlkPtMoG+&cUHVnOHj9a)9?BK{O`a0IB&e;@AfjzB(Nv0*EbPUbn z^%fHAYNKVpXq~H@&X1*OYL1h6N7tY8pL>>J&FRv4NURz^l#M_FA@vt}C*tXyGXq9q zc(`-M0n1ogK0Gt`IkeAQ&(l!ZX$qSS?Wq=%gUV~F?zuYWMMm1_TgfK}3C2lu64_8d zF=*+xx=f^>#aME@6sp76mS5ogh++ALy7MNnuUQePEh&|rDjhW{Ey)($^1kiR_j9*p z;A*2*o>ST@ADl+~2)Rbqi0HWdwW69-ud;jILamI*^)V^;)>t|+)%-6`Di7rdIvK+& zt9@R)LOF|9P1d-k0h|SsOd&le@GM$dRIqCpBrEenX~7IhI8k?(kKAy}TWpNrZ8cj~ zhDgofQbHMyTs2Eceb=kcbNWX75sDoRub@nZYpvbKx7mtTL1Y znA8yVc0wJm`^|m6$_-A~yV+b?)#)k8m9&)RZg;v<+!r$J;X%cI%m(-7iXq^}yzp<8 z)$u1(J=XQ1Gk>vMR>p>a=fH^Aqak(Elw*;@TfikydAA<-4T zl!Gc5ANSE5Zv#iW0rn)Gy6n4bK9L1WinQSk*{Jf{a1Dg9WpUUdhDdYayr;Ys-&s%@ zP4&hY)RF{6nhrd}->SwGD5XMiWfi>!HvE20ou1TQU~xbM9;&MHzhQth#cLri3ppZZ zY$y=Rhl6_{o^ZlhuYBug*1uY!A1{iaB2~F+ydaH`^3Q8oD6C@(0z(6k+l?Y*5o5T5 z;YJA2NKTia8{Z4O);?jZr>hU;xaw-1ehoK5Ml#+C`aJa` zW8CHs3{yT5SEWe?^_B$D*UL-ip6$IFBJeT&#sPtJ!Wa`sA7+5NQ()LE5UbWLLygYR z!wJ&sHO_}oX6BaIckR*<>ix3rr+RVVhxDsU>*nXB_2S#@;~bD+8Nc;TTng{oaW|(M z=;q0g_%fRFrt&5`coC!z9*h-zJ*nZ?qG#oZtb6Z0g`V=9Q_kML&T(@SdcWkk@&Gu#5_Ti=0Ey?|H zJde|-&{y_CBy-Jl+UK}S&yXqDuHV#Qb=`MUYdcbyUzdM`%T!xVpia}ki~1t^!*C{} zw8`0?#kCB4{ano%25VbH^&cwqg71Bs&Z30JcWL;%A42HCpb|^=@k9Me^mV1+kRRVM z#ZXI_jPyu^A&Ah(*b_;F$P?$j>XK-vP)3%m32f2U{HXJ2N9$y1%Ml;CaF$-u0rrFR z&dx|MOaTqSn3(-|0Pvc!T$AH z3ma7%wdk|!dV82Ra<2#jZ~+Pc5+~o;%i@K*oP-j4w@9JRcW=XxVixz%7>wM(d8&5( zYB@6+iV)w%cg%jyom=}cQ)^Y0V4b3snXJ~GB-TwHT<`I0TsIoW%RBFiFYCEvoKM{h z3=lsM3k=R$vh>SF(S5bQe5H`9Ue@&yt9D+`C7fZl)IX>0x1El*Hn534F9} zvt>m^OcHA9>V4}#24hKW16g`z&_ZyxLubGsOQsN%F8+q_%gf7P8<7eR0Lk@?YruMY z*t{tn?(xqY*`~<1TO+L@^e;Kb@i#pHAP|+{`QZ5{;O|l`LDX8@u06Y$eZwg{t_tE7 zcU9 zvyEgkb9Jqdt*1~SUd+QabGH2+_f5tqFAQ&|C0ZF%YyKUYnD7U#NhMJkDHUp=y%&bi zcW--WwcDGcPi@eaW`F&XMwc+{yX#`T71WyL%7|JFa(*un!N={fW*b&)%00P0?_bo*FzV$FaLB7oD+RCE+RnH_c7V&C z_xQQkXOMt&TLgy+8ZNQ}+(L9VaFpa*cgF>Znn&~-`%dAB;5jN;FES&H2p_)MOZg@T zD-Q-?Weh`)dxmgpUrrFz(Q7-m3KBITf;158v?Gk zWZ#|rz%h`&-nA61ZzF<7z}RbRilhYMOa)(3|2CTv?`tS6v7`BRnY{p24E)IY2vYB2kT)XWOvPbpF zfv3QqqZ&#-G|j8kjcxZX>^u7&l2ElA;>8P@o|rk=-h+Y-5}aLILE!$o^5Kk=_KrIm zG(-+L)vx^?UO2OjmRi}0M}c~4)xqcWM83$-1D<@?a z7)&=r?5_zx9x3nDus4waWhy%G+puqFLNM+{KS$mcpKK-~hGZ zF9gTjyS#t`MWYjnU%kCL-oPUMVb~E)CIA<1nk625*-e=46CM5OXSGwsm+=6ZWRHNi zA#rGW{QUf45#-G)3-wiQ=HrsE`^Qc;pc)oI)^~va2gcn^!9E_|MrTjh{_5H0Gly13 zKY^nVz&s$J&={m#7Kr3tA=eoA3y`!V-!!$fR$gEloj|vK2VB?I-eg=>MrB&wA z%sY$qEQAmmLxQ%`fr7{+#X)^za`s9`iPyLKyUtmD1vRDQD&_)kgi)0lWVqEr+_ukn z=Zi`~0`D&U*gQnwF)>Z}&~jnCnQ<0jy6_bh?gHqFVbVkXmX2wYNtZzb#-E&Zdy+*C z@DZ$aZz|L~9~qeU1dQ-dcz2AWIoS-eR9-G0@*_6NX?sH`61q0sYcEjzh4MbrCGp)M&6S((cod%6etD3wz*0c*OOcUr2SF@`&~`z@-W#YaB3`b`uX z0|GS8a;OCf!$LH}$W5zjPv=j<*7)kqt`ecnE473rhYQZzN*L)zc?*2=BBkIgq2U4! zBE#}anu|JCG3a3%;?=h1^9(`rxkKM8A@944onw=ROV_NK_|SC-V|exH@mF3aVJYl5 z8KO!2lcg>%u?BjhWq3CCDrw0On9I>V*~(saT#q2H{kL-1=j$zB!d0~o!D`C9(^EWc z*M1+=(+oQjQSZCtzZVcle{=33ADGB&r>zSd9jp&)u+)Qc@UX_T*^#N!*7$wn4=0n=PUBl@=_XzAYcfRS5dKbHN3TlQ{yi zbhuRCyQ}(De7iS;cL&&k?M5e6=a%?U-J8l@GqTLCEjM)noo(M7_`BO?GhU3OH;oIj zau2Zd;r0;1ls{@c0s4DgoHJ>3C(TgO7B`gOfsihms|IL$E22pD^Ul19*^2I5)AQ_H$Y8#tUQ+>F8+ zVqikzu*VkjL>2u`#~>VGp4S#U66A`KT}PO0tAA`p*s zEFTqD6MdGk!^T1XdRos3#LE5y@+K`_D+P1;82UtEwgKvRfaS+r78OIx$r@q9#LR$nP*cNN!$kyWX(HCYXJC zMARHJuyc~MZaK{(Uro%a-!bV5iz z?mnyc6%h0&AyUg5uicX&ouVJBpL}_n<|3|hu1~hgEZfZJa!HxLd&a87b)4^~`<`&G zp8U#|@V7>`Q}C>blid*8L%ed@m-yU$-|jUox?9a$0#aL;gyvOvV6u1u#p!3Zryj!m zyBwF!or+&uuCFXR?CB4gs`61Q^^GM6g0T+yLyvQKyVA!RzYGK|!==BtC%^9y=E*rW z_ku=It-edAuq~5_8Nc_?eR*rUOYwy*k;kpYYLPm^I~BR(5nZ;B2e?jFP^w<)fT%iN z$QFl^MFg`+v+2<`pLyG>)%x|rJfs7&XOml zBr^+=bi(s@lzgwPtlse;SWkQ5PT_rwo=sKuD*jOViI@tfhNUUmmA1zSM6N$Kbh)C7 z*0A%e)-yoxa;dexvpT?KRR9G!{jy{9imx!2A*(*`_4?EQPg8ndlzfk7eR<`=H-Dbs z>grK4>IO$fumD{2>fTh5yr$*?gO_Y7zqhZiFQrji7Q4#=QRaH~~@Ou*_c2{M+?XeQx?GMe-_V$lo!yyM-L#_P{HVzKn z*XM+1O)rgP+b86T_}!by5ULq7S>J3wvX~9nmwfn4*AJt~l%1={Yy%2`y3#+WQr_@zjeJee%b^Ly~Rm@ z+_=zLd|Vt*v${|~O9_?PKBUmUv(y#iCRKeg+i-PqfE0usWJF9#x+n7tB8xwPzSsW3-`a>@A*k z^5L)>sF`3>!#k$wY-HWmXI?g z54q`*p;z0FD}`O`O_;vHx<16@NgWH}`3Su-M`2FNhoJMbLv5)2frkT;${L z>=8>8jc!g{)BE<+Rz#r7dE7z9`Cjm<6**h0 zZ%tw?yv^KFE^gD9PJZhrY}_L)>^TSPm0pyPF;SWRo35UDq;d4|)gViXKp)Qf3p`qd z?;rH(FeS=J4Zvuh0rRngIjZ=vtg9ymQp-YTLWG?^PL79kU~=>R*gCIlIO_Q7QLWvM zLu^W^KNQj<;jymHPgAHNvkkkTnk16SzQ_=iXT*LZoQrl}4pZfB!3a#ym&bsz9r?

4RO&ueno&kK;4qF~aqH)E^87!ny=7RO>y{=Q2u^~# z6$Ez+3GRg8?iyT!ySuv++}+(ZxCD21Eg-mkZ)T>y>FGXupPtk6gC9VVTyNDQYu)RX z&7hi3iQ*V47~PrsGZV6h?9LUPUiS18GFTTmTKb-A3Ide9WVKWqHWB7YD?c+YI-F?XbNtEr!S-uAFNq^teltp`7oSJ}^ zBR5(b$jcM=?L1HRzUCk0^PP$MY=r8bm?jY!h^`XV&4svz4rDHzlbpO#jn808t|A9I z5RSJB$D9jUM78~VL4|z8!^!k>Tkt$PIzTveIB6ePU{zax42JD!$&9+N3eJ+`jP(HM zW7nkMU!T2tWR_(#kM(<{b@XXdBH=0iXwv7^L`hBz8U1`%fd_Eo&M{s$;Z3r zTPf~Br}GYOhKMX-nRh_emQN~P^Tvq}ED>b9mtL0(@9m0hb<4@!)0Ipu=&sbC4Vdz7 z>=mFD4$@GQNoVpF+nw?~|0c!27z|)U(5fq<6A=9ERJWBTTcE6|ov&(CF)H<{xdC*` z6Ot575~Fk|aVRH+Xr340SU6&1N+anEg+)*l>{9WvAp)uAn>n$HdTPRMUcn~&jLLq7 zpjV2x#}MdF=4>6?h9l30>W08?t3v%B%5&3yv~;$JU$4~B;3dncWb=YPMFy_Y!Z?;U zrbY$TuGvUXJ<9z)*erliTx zRBEzRcdGV9eUCK{GNuuhWv4*s#Rzr5nu`IN`Ow(6l|Dp#Zg6? zGn0en-Q*Kpwe>oF-;Fx_BHYWSlcu>vKi=fI+A2xcL;ESV6T@8_@MTS{GfGEe3q#Iz z$$E9gZ~jMVocIP=;*aAd=bVRU_;DfNj|RG~uC93N%gi3=Z7-Gyb7yXQ#d5@H-=pS6->>-=(@&eEKz>Um=ZlVu@Ko&0#8`|)SQu+YWQ_BwY7IRHat zwY>}Qm_kWHMbwaa&L+Q&n_INDekFD|~#4 zq@7p_Sb`U_4Ru_upFx~m3Jgp3j@CwK!U>xAwAoKG@sA-9vUC&)D53Xb9`1(Yr6?Py z#P7lcOM+B*px7kQ76~B8HK@GfVd7E0^WNZ3q|T^xp2(L4PqpOhpJB#$>KC-orCa0jJS z*a0wCoJPXgrm#zzy8?sRfe(eeaiI|NkzjP!6VESRDS2Tz^_VM9=p z)1a1bk~o2Bc|o=JGJiWuNcIZxCNHx;5ADY56*n96Um<+deS$2}$*ONqn|2TRd*+VO zhv?MQVShDfSuHL4<6o)IMXXd*a7%S^VzS_%1pq8T0r=;og()T`Cc0ax=HA!&-M@aJ z0@iyZ6cjMBH=;gpb@q_yoWk+QOs_Hxb5>X61P;U4tzd*XfiX9So8LC(i-t|s_a*+u11t?~(2 zfK;kDu_IooBvWNq>B!v_@GJ9~=qwc8Q&P}CrV2ubwwa>D)NWjaHk{<`k}v^y0vZc0 zn)fNj`juGQY>F!2YRQO?Gm67M)T=w?9JQjU8JVnTI-4NVo_YMGK}{YgX>DmRDbV>8 z$a)pW@1Y}3pLj^3L(VNK&MAG?%-}Oh;~t)9q_D^hyuL!YPH|FQyWX^<(eFGgG3P{z8nbm7lfesXl5n3TIv}duGohR$_C#d$Bjgs<;Hs0o8-1Q z_Vd!&)Y-_M9xgZuNljNiyNZFPI_R05PFNLt;C6$(GDB1d%tkgPzz5;k08mGLhK@6# zcRM<`M#xM9Wut?d8KBqE_yfH)qdX;ClDrf1N@EH2JQHAf)D_H5TE8D&&^|dUYkBo` z=P~G!EQg^m*zkx9@AH0a8C2d0H5^oK*>}?apkfM+=6*Z(>Y%LNx6Q|Vf2J7%7mckM zrMk69LbyFG1)DGC2k;wTaJa2m6<54WK^Te0N#;jC0$by_pzfg%x7eTP!n)UmJS>~o zTTIw)9j+3Fe#(ZnCkW^0Iu$Dibkk<&z!(^#8}+{NEHVEeD+EJ5$2?zMR}=1}q?G$o zA)2Z~?NS-W!YmQWBGv452T7G9@+QE&T}Wvi^&JvuR5(XYDz;jY3qTG^Xk`~3c&Cdm&uC%-qv(&pV?B({M;0%`9<>=Pqj;_Dm za{8Cf^_h>m{Oc542WYMPMYX48JxajBSF`1$XAQCQdd41SO7!{#)Cv2zli$pA?KANs z;fse92WaA_z~dDeqhfH`%liHa@>S6~c0xQ5JXFT?e)z9BU4K2sZxVxx-Z-b=_*EzQ zx3xt)ynzwTYci3D2i0qBeLXZEA76HLP*4ytjL>3Ah4oFDdd@d1D`Y@QkAjBQ6QCz2 zCx=2v_`bgW2vmG@6m}WX6+woAhxaq6vTP>W>H^K%AIgv;Ixkf3Bb(AQsaZb))?nY` z1Aux?=87_A->TJ~MZ>=YB7?fmT)48!Dk_j}PVN=Vu{=E?xF^>6-ekC6;%3ZYAFj2F z=K6LX9nlPqOh4y3c|14vv0#v3CLVP-rs|JVODY#&Ac)gCH>8)pk7}Ix>R?HjsV-9g za4)BpJ6>6)JdjR!>hf$&@f+Q*J^g)~(<>Qs@hz2Qp;~oCO|tPKdoh#?cdvhNM6P;` zbGc7>F7A#e`xu{0e|K!ia{%t6TT4%3BbI>UH{7)5Scn0}!Y+WI^+l^!s(I~c;f_iX zf4MSF5}fZpJ@jZ5pgXn>*u$(D-yp_7!>W7aY*YGs0U)sysH@p z>KW&~=9^iT&=&FCXK}kRDKRHF#Sp1#WbVoq!I})a@cDpRzazDfQ{(j|A?L#*iB!j*k!rP6AN2f* z?YGJLTOypsa3?>(Hhq=IOM5%vSi3lkAc5w*-^iE%26z;2v#7c}xZ}C7Idm5n`mD~W zFkk-x^I%cy)!n$bS#h?6?_6=dIFlp+EyT*9oO6Bl*KCe2pO)nBRlY>ME2{&i`9&=z z0B7ov2QR%E3>C@_-y}-_-I9F|HM{3Ed!9IyO+@+q|G4xi$yIJ|IiU^jHRpmL)pg50 z_8y$+>mDZOZ|qlKO_|N1PDeUM>M33ng<0x9b_0~7qHnhq?d3Mw9qnv}{~4Xj0WJPDt^ zYfeazlD7IKBs}mXjHYn}C8hI$#>lYWbJKs()S5*jWS)p7MPS84BqygADw$f~eosF^ zPs3VQ(tm{e0mr^-8f#6}LXg5ylQgD&cCNT`gj1~JF0GryqO9!hYqpOz_jgI*bv6x+ z#DUft2ituc1=5D`j5bq`gzwbIl?DZaDqaMBVPcClYmjZ4-+H{Qon1C@7M@?^@9t-z zCnMnzfw6(Ml}8HBx8vn7f17+g1}%McvGGdzba|ew2F(yv85&=VM~=*7XmiI5w74GB z03)GX&Mx%YAVlsPcW1_xC0a>kQI#Co57RSB1LI#bY7VJT2MsX~Iw)!oXAP;u>g)jm zBm=J$(fFJQ{Yoi)ZQDkDdgp`soKrhcnjC6snBY&}V5Ac^RQZaB2rI46$hsPzO>!(W z4rz(smcrbucouYBzQC87t*U)yOI}gz zT#+~KrNDA-edq$Z-R<@)x}zWMr7kVaA6&?fZmm=G=jKYur@E=OSw6IR&BJc!?&}I8 zUMbExRrI3@nXU?+w64OxFl*a!K{r=e* zEUH%UBM$!^z_XKux;+&#*PUkl@y%rZTMcIm+UJL-WH%lTa*mcngn-?ncGVV9{kQHE z9u2?koWK9Pf*E@D{}ka4!{WeKR8bxXFg!5xZmG}kV@P7G=Ys>lzj9uC0Q>-9iZ4B^ z9Ud{m_0f2-!r%<0S-Vlg7TIr)g&z#ybM~U?1vwuoU;rD-SAOQad-DHQNm=7&G=!Vn$-JJ%FWGfvxA7o^&KEx(m;6@5f;A8&ilZhG4w(H za50MSSj>S3-#|L8G9IbwFs3KBR(M;0^T97ETQ5XE0%)(+PY>9?CuUI#pYze!D z>&W}SV(w;KRny>Oj%E`g@b)XsVk_*WqGj~%H4z}_Pi|IB4e7)6HDd<_ATj>Ppxo6&@K@}B>3fR+-CjxO_%Z~6$x06 zWMD+f#crecW<;>xS0NixT;1slHxAy0KHw=1356DHT3V$wl!2%o3gBTm&-SH3 zE!f+m=k1USeHUX0o&XRSSJ2YqP`^!E3@+(F1wlYFXv~MpO6^T=3lgl3Q?otp?K!~Z z5z?q^0RLpH{9&^*x2z-}$FX6oa&cuhQPB-ME>f&s+x!oq@geLdT2 zcM0>etk#D~O(=lnc`r-VFoOwLjo4$>FFc`BMs`nT_XgZcrE@BvJVk)``bDX?2^HUdh*3dSp^8H+ujWf90*KYY{|3vdJmno z2JUORD15Z;ed><9>eXbYs+ZI*gzVM zvEj!u$Z(96a?~FpjGFoHsbm;i^woRtt>sBheV&*>XEyAV9;Vshacw^IY=CubzHm)N zH3g|UMp)kLEvS4PXvUqkF+Dn78R~oHWNZ8yIG(=RNsiE??8bHDA{@mtjW&U_*e59o z073d&AL*t>lW%=;TcaQ}@Duuwc0I$CSH}80)zq(!2$wWyWl~Wy2`A##D#|qkGh>r_ z=C=;FhPG2ty`tWX(Y2e#UzrBFlIH(p9CO8mUUdtgC~FE=b#~Yu5&VSk9O%>vO>vtJxoO$s zGAl~KvqS^s#s1B%d|ulTq7 zuZ{rnPRNRjD}furSV>LIbZSTTi1IzzUEEZbvjkambQYE;I|oNK=%WT}keuI~BA4Sy zS;G7j>sy&M3pzr5m}0?BFmsIGMTy9m*ThYW1U$E45YCySE=c z^h+Y$Ec+n#m=ABjIq#k^3px;pCUHyZcm>AqCdJ!z>+I|5EI54IL&Sor|&`?I3y~-G75Its`d%trcuQ=p2HG)%u(+=>^gNhJI~UxY$x+N&oD9g_GmK9$?f2hLhd+pRFsq_!8lpQx69IxB&&EY^~d>qhUNntULAJOPmUG}=E*NotfFma!qvqeBTe=Q=9P0`5n0zyU06?m`%f;nA=9&{1;L$qcfU6CIb13%4so^PQ2kq3F45XK% z+nUs{8=Ko*HF;AiaW)>Z%T7io8n5p{-6d|U2rqXAYEaNILHfw>m5v>!o5zNw{1_cK zChN6oP+o6gkpjQ`ojJHc)rlVMuq1eEm4cVE8)@D@*KH~;qAB2o{Y)c;iGNpMcdU~IP%-5ts>VML5 z{l$JA70bGQMi@#fE$sNWt@{_(XaoxQHVM&#hNg}jBEp^o1E?Uc%zyw6S(U<sIBeU9_08(sTA8ETPI(_af*}IV_CPi^s?&|uXEirmuHGuv-Ag~-G`~(%wX#2 z>pP>qY%DD<1{7+z^{uUK1_G4%M*k?#Ng>^3Ys650D%TEH!WGFgxBB`$ubUEmjOp<< zQhV~r5P<;AmK`F#fo+oVr-luTg@8uJ5Wdmv&zzUf6$BIcj$|D?#T{ex2t86XqWbuG+(4u-UNR#q=*1jnYU{th4V#NP z_O>{o6hgwIxe!jo3nPfnoNq4OB{Q_rNpb&lb3i2Q+Wz@P(^rXw%)+=Vxo76j1s0si zXHHR_@mZZ7K5iT&68Rvgm#Cg|FDw_%wYp zw?lA!ul6y!a!VXL{4_V2(MbJhk>qAQKDRl8Pb%eY!x*Dd7?|Lc@W)cR+^OY4t-`zA z*`r%(Jt87YwRCC^N{QOKt$^JCS(QpGFgME~YB^^)IcY9&`l(gPBP{td)tmwX&}4mF zSS}GR2%MWQ!=A0+qQieBp3wHvB_wFIjW4tkHUKC*p}pfcALI6O`@ndQ1C!vb2kd0U zCh?-k6F&9d%-G*>mtbc}AtO+!=u|qbPH~E`><-P6)RKq7mRxDWo_=1Zb{!|^1*Iz4LYtsa=VgikKUlBr-0`QA2&AipA0De zfBxscpJRO21N5w|Au_!5f2TZJIe`)s66&5-Q2P*I0VH;0X|*~MpbtNP?02VnW3k@B z!_Ik>$eFdm$ix(VtDsqyI0u#tMe)JSRi%*sIJT5i$NOw-e(SmeRKtCt*Dr->cM*r{_f?0Ph;6;(=#K&hL2ojC!r3}FOffb&8$YkNz1LP~5%y6X zT3*FXT(=3^;@C;A3T_^cs++*a{p`R~+E9Exa5HrS+X-Uyo+& zAnxD30BXpp>-dNEq4eH!{|W)E`z5AJfF1{^K}8aci~WSNT@gMcJ>zPr+|Og!3&NpiA!U5qxz;QQC4>?u06Hql2SmTW^uo5ZrV zeDcwDB1$((fj&wtN?vqO<|X@t_^6ooN~~r^MRDn-yzFS&j4=x%Iw|2>u5K;TGqgA? zo~`@zA+o}jyo&GA-)oL3*%)VYu1w+6D_yLZN7JV=SB-~3$wtgRzh{__Zj;Cj6QarQ z{oXePdPx_pm$KJRV7254%h~w8H>JfB1(R z`k&l!!d+h>FZn{u4D?H+|Gq$Oih%<1qKN^Yw|xx2!Vd7D&Pdwd-xqRp{3P>ucjuj% znJHUXR0IcDS7bFbC`UVdTfd79ELEu#j}rtw5F$uONPiVWL-P291o-ETCL|;zU$RMn zEHTHxqxIZtpawx6%#TP4J}dov)mFxLxGZIhM&UJW zfCH~tgfaPj_XW@G3MFl2aj}oXaYs;KAdDI>#a!hp5rtHX)S#$bCeF>dibPl+_hEHQ z3xaax3uwjbRY=eg5V0@Rnc@RL5Tc$QgP?=Md;7yFOu%uQ1n{Iqf!*6J_8Mh44coGX zOj5AT$|-?KBUI8WuAi8I#)u|2#%6&~B1Zpuy~D!jA~901#d?_y(7{hEEd4=ERvvE5 zCt=dw_BU^DT8<}@d$D6T-E$g7zio9fY#h>HL%NDV`Q$#@qxA($VV>ym`7=@#M;ozm zylfq5Ro#!Z2HfY;Spx7W)X;phKiwcTjbGKLKj;x(`029PMpRARPeCmg2n?+?#0)J_ zA53&a7YBSGi%MSqwBNS#<*J{`0Q8hP@Pm}a!kx=a{U%$vNxNu|Lq=y6{owSYO&ng__F&hw_jU$1NkDa;! z0v|DREx+ot=3EjExFb{V`O@oMhYc!&0Wu z({DH#X*>h~)%$$|sP!FHpxw7eXXh%=y92y;JQavXpH3nY9kVe%Uq5X)+~3jNKcW_g z?*J6Wq2Z|hyq@Lb-+agQ6vl#qfEdhiAHK|)lBj6ln$wzAjH*ETHi>YtA4?_o!1SkAiqo-?D z$wl8wm}E5Yx$aIfCV=0$d>xSqI6G|-3btyci27y%i!9?VOc5qNBoS!1t&|Che_;P% z4-?r(G)E(NMl^0)oRd_0r1@#nMd`Kvj5J1@fb;FA_E5^K{8{4y0_NBiLw+>{d)iTDSIVjU z_bXXoftp3w$D+=CTmAFTvb+@UQv%ei*_G+-5)z*^w#{E&upR=hF%z+mKrnoK*J0LP zxpYWx&pKPj&oH*`Drs?TWaShf#&1f_x0TmkF`vK_$k9J{EVTSc{XLLH>>~nVB{fo19th#+gYD}|*kwuackICe)lewqV6pG|XHMt(ICpl+*k{oK}K63*lm|7EPBJ_u|k{z|nY)D42^gt&^p zdRk<6@pd!DoQI(pqiQQkwEbwP{j?2GQ^}V2y&TZ<6*^Vx7nV1O0=fv%GpCd6}}I{ z&{hwidz+s$;a;y*JZRy<=v9l~;o*qX8AS084%Xci1|!Ae$!MYYg_F0?nOdqDx$S4KhJ65zV}m5c@#*@0I=(vJ za{c*K>&|tNCL`dIT8=*;h03kQe}j?wGrVKkA`-fr4BAgeJ6k`~w*~Nwytr8Rtgem3 zQn7ocKP$W0R9{x(z}>4Ln;{UwBiPU+nRN#VXAtUZ3#2%T2x^Y%zUC!|v+dZn-W1(H zO$m$hUeGRh-1m0j#fWq;Tb7tyJkL7Xvaq3Nr$b?sC8I<7M9!ZIKIcw4mOSji?T#AZ zg(&5YDz2bq@JJke+cgrlD~T*?#hMiTjyhmCRouG93C%#6s&49Cro|(pE}=qC;WDq! zA8!zEQSZs8d^N`Ir`MX>AjA7MF1yMgr|E1ir2N`FJ7adFAe%M#Wn%TJ07& zg($IBD1hLsFF&FY;7BAX&PgYD%>l`}k`gXObJyE$+1m~JHdN&1|KO}cN7O7F9QMkI z<^%;3RLbiX>e3QPg^;#lTmzObQ2+!%mEYZ!iio*JyIv|s7RG2wRZQp8QzK|{KChi>S^F zsaCtv(%MDiIcckrzjw2&MWQ<#O$?ds6?*HRM5ckI)tVxPn!>L^&3%0{QDwN>>;0^I z(8bHRAwgZH+KMecToNB@;Nl5HG%+Z=@_WC1M3P~pdj5to#u-lm`L7hn1t_x5>#PNJ zd7u9NuYHuiY~bOsl9BN7f&RpOa4h}W+R_7TF6egl_RO$r(sFV>0Par~b)YhIfV{&_ z0sUbz6|U`S93OnzsMA|-{$720d}6|{FjF~<XTbrL&aQ~{@e`S zYwxX zyb`nc#cZfC0)eHdkJ_Y%oyxYaN)ng-7fzYsenS%;h{hF0!D{NFnksY}+oF7I3=+LR z^Fs!*Sh%DQ2I%dH+3!dCgVf)e7(gMlChZ%XXh2X&n~zsrITK(c9j}GS#@}9b*fHHk zT>DN+n||MGT3b_Z#O~0yl^8ol7!bl;H~xXt?Zh>!7tT4Q>N91qGroD zg$9z2@1X?`RXHme_tVfhxNqMJ?zRRkvjngAru;;xbn&{RWO*;qP}eY5BevjUW!5hl z@JToi=%Oh*2Edys^`>=iN{=@n3cB5yOgv?dP{)rXRK=SW<;%DEZpb@P^jy9*GgJ5Y$P=Jw$7mP{4& z_~1J6x*bQgm)YItY^%meHlNbqzNO45biu`6)C}A8cEoO@h zsW6Am|F(zVT+R)i^^jFpE14x{@!AV2{PuWgscx7|Vn`ApLHoICB5cCFGfhW`O3@AA zAWzZgMqbZ+j?kdgdPC0a$AM(`0()8L7(p^0t$Xg7x!G~1=<2x7126_<_-|l?rcYR>dS^y!~+Sw&3 zH51sO9v!`VB%m_?3jeoc!@sJ^DCX1r?P2%y1FoqCRQIi@m|2<( zY^6tB(GO6U2?z+f*4DJ|1Snrn>VY}2Gc`PVpJS?MH8Ma}7^Vd{91tQ#dnjrqk@Kn3 z0s;a(zvZG;wJUVWbPpXG;+yN@T@JP^4GrJR$*q3d=;{WfcTj+zyOHe(q}Hrei93My z0T#@Z_9qLtfXsrJk`fUO4Q*p8Kg>er*K6*<4}^Hsuxnd8UqEH%T^WQ(#yT`_`sCB> zTQ(ZZP+Z~<48Ae#;ePv`W&3QHSWyoClAXg!N*pj?|M^_CN}l&wm>XO=>1K1XZoT{H zMn-xVxfONg*6xf~R%V%9;VWjnjte(`6oIedbpA78!(ooR4|(aX2}0XV4LUzMUJVZ5 z`~40b3CGXBSOR9pDE;GN&Q+DfJDiTx&@79Z@8AKjuN!uR0#ON_6;T%n9sI4!;r-DZ zQcVi`COi5SCR1|~N%yZc5tGw-O@Fk*bnTXPRzc_|Bq$QxZlXzw18cg`||+80?UqC?wY(N2u5 zhZn0^$+PU8*$M(ATSDU6EMx|hHBB|Y)m3!pNjj;I)o$;iyeHt_H3fZ; z0Y-N?3og;opmcjIJyyMxyoIWBK|sRg&2W;k4d9hYQw%-#@mG>COHY}I<%>?*o0h%V zb1~c z^mYHM7c?n{lI;qrEP#o>-wcC9z59&DFSmMs^{eN2y{V(1tQY{?q|?|b+ES;G>y^;? zeHJ=uf4?50*D#BHfdb}mP_R4r}T0N4&0#X#CkO-w*jyN!3+FjkI?02sC; zKRrr(1{^oG_c4D9C69s_?E)5NG`o_jAp&%OtND#ygr#Z9L%qW_%2=M~ zof$RBab_j4?x0?k!ws6SSM$Jp?Qv7XufqUISD$$?L%ps<6kzUYFpaZD8ebUqKK^@r zyh?XW*iajx$f)R>{MQWmQ<#!D*OVv3gkX}sS*m0)O3vT4$MU(C>hctGP@T)=wlVq-fBocdDhbZm~)Fm zJmlM=AM2X*`g?;0dye_K(9e~|{KNCoU>XRt^#?Vt` zjt(+uBcrFzfxRX*6 zXEI>lipw=+fO^Um?)N#`yNYon$wYkQ`HG?a(-U1-nN=IaiKpWkB_b{v?sVaaQ*2QVs- zIt${QqyVpJo%^-cwmSNta!^)ec+Yy3v*bW4wf}+wxb!4HdQ#c!Uy{WLXli^$P9;VdF2 z^gX|)81xf*I`QDk5q^b$qRATo)PR^%rjawYcc(~ePyH6dAzPS8&ct5Bv%*$^tT;Q< z?Q<34J6c^;ht{*?+&hZ83PJ9LQ}r}LFG|mai+J;W_-ep+I=e#SjSsG$5q}YIXvbrA z#Vqt%vmMiXWP+C!mW2vGXM-rKIJd%#4wJj&CkvD+UcCX;RfslUOz#u zRje^JpJVhJVkTgBFL!nntA0rl-Z1(wX??mhR;Q^>i)z9K1*G$27r^v~&+E>XRH~1) zX*>wW95%)HC7-CUO)s^yB=Q=jg8obU`2Sp!U7g;*^S(e+#w7Cp{dMp^&WIHPsPPP* z_qE0{hJ0T;UcwB}leDz8zw1eu0k+uu5@fRSa{YxO6zqA6;#I72Po0>bLAKhU+KRO{wAxU!2L^$44pz~{9FeQB zU+=H8`Li0Z`a}LTizWUm)T+?%@V3PC^i_A#sjtG`s0TaSi0w;I0tk;`wUko|5U)Xc z5>Skk#&Fk{SS`}D)V^soEV)6Z70q}&%w~V}?)y-nSvxpjx)v2@gBsXScVBCrKpS#O zE}((e!*=wqaBRQV@py`T=%vbAg>nmC+DjtBZcE1l;{HUhlsClIHJ}8hR z?YH0zyWV!zxD+u`e#rGJ?p`3{i~|_3H&1`fcnaKnj}jaf#`?w3*m&du3D2Cy+?3|n zq-)mz?tdi)e^l@Zj(%f`OGJm6kPzF%H_~KPP}ozm3OGPNikA-R!h^44w5V}&-o8-5 zrM-jv=Cg@LxYXmUB_Y0^dqyiAIK4;kf1hfZ8r&7*(Ql5<0iXD*4eEo^!P>KNnj!s? z{E(j?*sBervn4Y``N_zm#3K;M{Lj4n&$0TUyT2$RsRMYbj@X`@H!P` z1;2nzF=3dzP7;zA~k-w}Twr1THd_PQ=mz}!TzyUCP|{I>^*NN?IT`Z+B= z=SS?-%@yqYRR2e*3;&OP#*Pcbm~r7&KG^W?*HaJ4yBtKX|GO~MP)fu~1u17{fD>Q|O5c!(3QkKP0K08J| z8UCOC-3T&3y+bX~(Sf$HP3oz=ww2!?K}(ZYRi}74TV9vb78BX`@&8rQ*rX=#E}2)T zRHRh4R+T9#lT)&V)tX3~TViF=q5X#_4Id*al#^r1^qd^B6~3<1BZaFg11IG~jHIOI z)87Aj62w3GeA%o2d~Vg1=kP9$o@;CJ%5o$LK}c-(SJUS7^o&Ubol_JtLy-S*^RP2O z5)l!hVd79}<>d6wkCgsot3yCS1<5cjrlc^482UfW2KP(<(=G5{OJS9k1>!AJHv#~9 zTtZV5`(lfOd2V?H5CDyafk74$5+eH1I4i1>`{Toj>sXAMDitH0#tze-kDResRb^&; zNmhq3_A6OG4b%i(p+j(zjg}kE4?c@^8VM)LuR+0Io9iat92T8WmWY zB(&n5H?6M1Baz|u)O57vBPb6*su?=ULZg)qx@y2z1vSyQE?w0B{xbZi@aMf;2tZWy zg7Vx9zz#*a2b`s2fE-GK3k1Md!f-gAdJD+fUU$EWAR{MdbCzb5K{mxCkgvP|c8K)z za)5}cfCs1U1n&mp2jVWyK%|@LZnrqs8=F)iSg4HU{MIzwb&(7?5+Apk+O&t6Ih3q$ z2iuA9@Ome`1CH{v`g6NSS+zD%1`F{g=>X`AJtl1{;o@Ug>HY64WtMI(w!a{M zWd~vWr`2P!1o>c$Oh}q@L~v%DA=UJ-82BRZ-BO z6&d@0kwd76hzO9TrB~+i`{379qt!a8x)+e`7j6xxX!(YQhGKsI{!N-%nR6L^GBHwq zZR8d0J0<@(<~keHV0w;nrlP1!fjirC;ojD!_;sBF4HreVviVtQW799!V$;+0Y``;v zlKSWgPhK4gn#2Dwe{WyR_IraO5vPF^_R&7$G|ao|hX0(w%0G<(zWJ?~{nDM|vuk_oO?x1Yi0@{DIxB4!ycgJM52S;ZpWXUv@E+&uSi1%W z7TP(kz1>^Bm1A}k`dyA6tte60ADf=s{su=M`UMV$jbP1wOs}7idA50ZOS8iGiEPGX zgpodm(o;LD=PhCx@B4B(@dXkc3w1{F-QAxUKD-^a)6u9?rApz|<>$-(0TQ;-jzY-Y z?Eh)qun$85$2ywa1S5KtPAn4K3}5FUHG?DEYvZ{P;eR-E|K)F`xgjRd&*M{HaZ^aV zfY?xG=`TS~*Ffg0HYFA&Cb>d^WQ@1>8!;J~Bp~UT(56X83u}^vUDXH)-_+sx{G67I z{PV!l_pjta0cbC7{qnRcG7~Wx@^rPIt)c;4=UhCGMnh~-7qR)WRzA(jIb8_id)AhN zW+DytO1Ylr->$rX(iGu#8g?=}xUyW6!VnX4E_NwERP`Su4Nm@sdU9{;*YObOiiwxK z&PU|c))r-f*8h)Z{6C09{HJ^8&)b)k0*?Zo7iLUGx_>+@%rpQ}xPKxXqhDg<;vS-$ zeRjLCpr)bWJTflvyE?;lDR6dm#u-qLuM$!|Tea&O@UU6@KwXbGP@4%pWuwh6DjPN9 zB(Eq}a#H$b-u4<^nII-`w%^K#ag|>q8vC5>CpU0^z`(a}FMqLbGiPhS&EB`zclHHiERhW&)QFEX$X&ydpu}pX{*14?IeDbuG)B6(KOd~ zN{Hvy$kf&0b6QPXGDae#zGb{qzQh|63u2Q0chB`dw`tZr;=$`Sc0z(!^#j^luk*my zyE1-{YJL|Hkt^8Ecfjj?zM!z5*0J`DjA%TkwaQ~LYR|y25~WiEe9L^dTOu?R6cfUY zBpodE>lQ_B9-e%=eTJzP2mI2#V5Lw{tYdYwdIbEmrL&cX{zptFTRQQRz-K0!!!RWO6wQvzpeT2z5Y=AyEv8kc~9z1xtReY?EtNbC+`2xg^;i5*Y|@6;h4cSrsMWQ}rAr@zH~1);pE?Bqss z>QomP40kw}n*;^3w1$XHuenjz2jK@J(fFMwZONgxfv<58WbWnETuJ>21{!uGI-4{+ zALuBDK<3Jy`wjm;&fYtm?Y`{;?ozF`bfHG5DpiW2sF;8F>Hl6sK zkPDHc!Ee&-Xo_aC{hbf~GgLBijGMvPUa61+5`3-kiGxc31`NUWI4v8^{&JA-I-@$)8Qrj)cBMTxnlr6aUn%>$C#N zWvERJG&L<@uu*DGftBaSPrp=e|8ma5)-xWdn?Cw%Y-~F0 z#EXcwYP1ZK#!LRVsT&f4F&;c$ap~MS0dP!yWm*%zjEsyEVW9%DKMuG7$jui6Sur<$ ze)#b2g4OhA&6JDLO{z)ObvqTpewAi60g+Zv(ya|L*~7xpu-{c%Yh-@VrXJ`YWD4}~ zFkc>#!cZl&A3TWRas7rL)K?#1U*96dYZfVV5RY&cObQ6a&AU>P6tfVDTHU-OqvPIH z`yO4a0n>#6tS-*Himz=z7TN|rUM3%P+Mh3Cyhr1{T(_HVy;d^Xiql=Kdy!$~f1jV= zXSrbUNw;IZqM`1o>#+Y6+NeMYN`LH_dG|;@+{|7Q&c;ztI60ny7Nn)Ph0#D(yWhXg zXM)fq%qCUQv~jB3Kv{GP_AO|9xc?F}<|W?8v#WyZPkKnWMg7X7JE)VQzj`qb5Gv|a z694n5=R^CCYirDz_DCy3ntTC!=C<@|1qEr3pDzejIm!M&q=5 zu+bzWIfK5ic27a@FBQkXadqAL?_Hngz`68TE^0EP@U_Fd?m2^q+qnkFCO<3lmO!pHQYCj$+( zdsePrd-sZA{lNC?Gj{F=9+K|6-x!`cSh@S*@|az{FuYyW+W7Av*P18aP7_9phRxAy zda>E67FUz}vWLgeQi@8jS%0q4?51;iqr%_^lMI4}>tYU7=LWhqX`GeKK+@5VVcSx} zn)|BjYnY^bf-K+53~a=#&t35NS`Ck@N07hS(~(S})&;+QSI%bEV^M0C118JwHzHHg zn!Y;N&7N}L{o#CC<3GX_$pEDGl5^Y?*NwmNSv{P!4H#c(H&XJnC6KZe;vRX8+92f_~DY@ISus9zMo>)qTihpui&` zfvfDv4<(>(EgvJV8IcsWUimXV>n`mTTS9@9tN4!c2+ z+eb89eAZ&8UDr^;aA*g+?)Qm2Qw2cS`d=L}L zn0>hM>4n&T@A<4MeAPOG&h`@O!@trFv6iWKp^wybY>IXQXgNrMW7w1G z`^i`DgsCsPtF`xWo?v150Q`Va@5z(7)LkQJOCRUqV^IjT z$B(}OgLp47D`kYd3nmT0wY87hG||W?rb_zuz>$E}>IVMW*l8_Iy;L=(v{6pbM|(KM zp`pXY8kX|=dI?nGw|K?S1naX_DNd~pi5LoJfm9S>c}Adb=0`tD@03Dj5KkYjMoES4 zJQ`C1G3@t>B&P2gG&Fq=r(RN|*!>3Wr{GeXd>$=6iEpT*Mixw=rpBG)DN=$i0^W}K zDhjKMH~qSAEDz>>+EBy|<@4-+>WvyYiH}j?CxtoH80TRN#3bw0bUr%43PmL)IYGx? z#4C|t*I15pXRX^| zNz&xQp5cB8A`eZ)>jd6;jhYyV;}f@R3#+HLn_0?nKYg>X2eoK!zc}Q|QU5Mu<%U;z z3(b?%dVT*fwOq-oJK*5p->wgu6A5_o!*B0!NTlb={~pOZJ$GK@(RcP*>4D6uy3U=l zSBc%2$E1nRDZ=K>8ux!|>On`bw~yF_!-{OX?3>BzIRNdQxC-iw zH-Oo!RgAd;`)MK8wY?bi;1yATZzb*q#<=D9E zxw`@9&z%)1eDg+V+x>A8W3>6lUa+=grx}F%;guT6`H@r4?d-UIglOOwmGv^cmwN92 zMSA4?RbgSBXg=k{_WsA3Af{j_)b7{&fr!+Wk&)pven@UE^IVTAx_u1QP>T=(;#F@# z)g$QD)e45Gm~Z#ck=(NP11YP5xJvqUT{zYz^=A%`I^Pcp#CuV^~ zY2H6bK9eU9^;dFK-=>7m|?O;&kWw8`PZ-a;hIBURul?_t>hgr1w^4Mz0fHrvLEXN zOf&7zHh{3-di=~PN!BT(*k~!$=95jV1UtTdY5GTAN&nK)3oe-jE5|8Js8kPNcC};d ztwpxJK}`!ADy+S^UbeKzWSBZ>#*=@HN^5VFD9qIJ{`TvBn2vAAXJ?(;my;;GUw{7T zZvl5oAzHDmx`93~gy>*Y{PZEnXvSTf+{&0_LI4TIc6xj3^D5DjdrKpn=>uyuF8-^q z&&fAV01$%C+Ge0UBU#zv=PGy)&NSbv*}4H?G;Hkem_wy(OC(AuJ+CaxA~YpGu&q=4 zD+{SvPd2XiGR*G07!=&1<>6RefQx%J@--eb>QL?yH1IqdoLwZkWB|u(l-Buual4_;gS%w*Ggo zT0Ksb>gR0#f#r;J{xCF99}`GN%UPQ~6I9QDEDrapE1LqR?|d}kIv$)o1lBjm>d{6f zNl@#ySac%-g9%z({q=>vP$y!ylaGv+DVmtN>B^C-Y1h(v{GH5(7Xl1%N49Bd`QP#g zCJ$pILqZs75Qm>lf^*?(n9r(cSLp?(DFGYdWL0zT+gp-&*%#_(1PW`Sqoa#atTY`D z?NSyNul?IYw&`r)Kk$^b?TWnVmP;gz7g=F8Qx8Wj3m6F8_1Qh|grx69nzON(?juWs zB%PffE-*1A43}S6!$QHO485CZIjj?Vs+pJ53oO8QZ3%)hSXfln^MGb zsQI_Y%%rK>Rv4{8YnFQ4YA^V;l?gTE^yo+R@T9As+2@TW7(o@zDDcx2AMr#i*GYO!Qv5$l_sjm9mJTJhg?M}oajf$q-}>xEA|3R2;E{=9qK!P zY4*i=CnVGKA#y!4IUxgz}(1M zHa?}xG$V4`9}QJ)ef`Rz;>z~#n}%%@)enBwL`m1&-&V5hH-%Z?ZaOuDI45@7+eT44 zvsJzR4mtj%`2QUh5;vO8;R|8~oxGJJDaW4_$Ia7OsxV*Sum~wP*;bKlgTMDVG1o+wb4M zpXcIo>~x=Qd~Km#A2t2(w6e|-*lvflbjaTB{j(qQ)t6F}Br!Y2lOZ&{>T^}r-+ zojqHkLtdGpm#f_DMOo+J83HSavqGa#ZRtH#ur+kDu#>HPqs!W8}Wtg zoK&E1Khh@vE-J-)s(c(bc78af%#ONaA^aDiIPxM#z#44-(H&J?p1R~M&Fz?FTZ7M) z;!P9XrIN~;_I0-{S?y(QQd4oEvOif71LVdyhxUxm^;X@LW?@^)TYXO*QE`{pN60;v z-SBRYM-sIQd1ovA7U>fFHy#rz_E&ZF;aw@9Aw!71X& zT{BxZ0Ou`Pl050En6D%Nmzy}||K!<+wq6x{(L2Q04?$Z@CfEKPDgvY9MwvM9HyiNt z*_>`SL&7t0%v0MhNfRw(1Sdimju`F9fl;>t12(pVSm}(lqPBjaqA>NOYLCfvzBD(o z2D5RBNBC^eLj(3kN_Rac&d)0cw!h*X?oz+;(?NHxT!VlBxFkoYV*3C#njHpNgj^#y z1+BqCVlsKoTSv+Aki0e~J2bhHoGRC1aW)BpZu_Jwf;W0sY$qLZW7@@#RO9|KYt?H_ zV5GfoT-^j}pRd@GlCnvKP0F_{#o&Jb79o(<-)M8@#xy9TO#x=Fmq9Km!84hg%?|u+ zgksDKPzPpn89t>D7LY(gLh+9h_M5D{29`q_Q-5skeJbW6f_aIR2?O(yXcc#Vq^iTp zvFh1X+I$ywUkC{`MEPca;Ql@{+%PU^+X|WX%sMf@y|LK6=s}u~6*7nVI<80utr`sb za4CDHb}aJ;ZaZ=ns;Dk+ZW(ONx3#YNjk=A${UE(nSzC}gk4J3pJ zE+AI_x}xanZ-NR)Dbd?&ZWPs*4>FtfFncTN)w{#BH=OEc6CJ5uFTRfl4tQ&ipqi8l zn&@_BR)UqL{Gmcb3s2-M->$_KlF7 zKt!%VBa%*t2q@6w!M3@`L!4YaqyH0_cCGZ)qIU3VGS%avh#73p2JWfF+6Kr|ZP$2) zKeDnE*qkqyp05@e4-bi9 zeSly7Ul5{qj!6^{BXoxL*G^ItF>oCk{Oi|S_$zgQQrN4L>ak^fCyFG_C;B?qC_7K` zSI)!e&vSEgRQ)^qvp3e)o1#0II3M`(tY*U(0jXB~-N;?qxOl)|j?^>$Rfnl!7aVzW zqqY3%1L*Sm{It+ft1#Lqh1i!44`%H0_IVANN?>-R6}CFdL2s-(r3x*Ye>)Y|+qv?Q zXjq$|0fF%zrPL6{c<`2sCynTrq({QAv9J_SzKtE<+1uu{~y!!8Aem+EyS!e!?^SG)Sf2$}qNy;%Do5gJY3@ni@F5PfPZ?cImb65B#Uu zadsD6z8}P|wve3V4&~koP8;G}J|Hf#7hkE&yn3a!+oQzk(D4e^h7au)1I?C0~ zbvO{&fFlQK)co*Ci$41qC;>b#%^yM$9Z7ag~MN?$`jX z5yRY{HZNI1b6r%({FbkQfqm>BeY1Rep|mga^_0oaAjL}E9BTD*%Bu47!5o<(s6oDg z9y=%_OZVBcH=T*3YG4vzN0rB7u6twNdQ42r*=j;jLtA>Z%Cv7{D6`Q#76Q+eb(UFh z?7K4dxM``+*7)J4>|@N#9fHwH0`lWGhlsp^nzgdp37u&bxnTTb0Ef%GPu6kExNh~5&wN+>`q8?ZEX)$eDF+|1MgiHx2mUEC`L0- zwfYc-6PqGwb942qxWIIyYza>yN~VA;P4ZfkY}hj%F4&zov6pmnCYbAHDqc2MFR4=6 zwxvt-^tx<*L+wX0LXHTw^?UT_v-5b>r2lD64GnFi3jL}?QDp7+R+O^TQ}{1GymR3l zW-I;V;8Lrb%U6JFL46WN5jWrLxa$P77Bvsh*qr#NYKNN)Epvio?d07o#~_~BwFIaO z-EPF5xE|!%;;%p_%MaR?NyzXaRpe7tA298NnKMIBKE=VM{-GBy#iboO+H46O zH#u)8ZTDjhXQ$~|bHHW*$cQVm#agM2Kx!;V%wp=&4CRDxH*hSeH8B^L)!T5!e{I``mfsyFKKNX68KwZc$EL9OwWx)+ z9$fJyzlTp`P0~HsW{h8}m@+sCiVy}&HXkBc;zIDH()JG>noQS3#Peh17mIFDZ;@4d zLiRpYoMtP_s$Yu0Nar{W!5K_7-ZpTOh%+H#1p9Flawh*--* z`qaH7I2-PZ9-{!wp@#kPpF4QItB5`ccQV8m7^nT>a%AMz7LDqFv`bS56RRvKmV`0-`_97=?V7)(Yb+>bb{{*G1AFEcJJDQTv{mzm2uyFW5{lucQ{Na8k5{F9t@ zPmU%?tGQ&)H*#8Z@_ScuBem`OYJK5LU7ok3V>C|%$ z_K%oHf1@HEJA0es$mHbYc@U`ZZtoSl#cl-96>^qb0#1Gqp0RBB@ZsfzgalVwS-K<3 zw>xfuKEOm)X_v9M`)3i=V_iw|+;^Z)pU&JLL5|uC(1!~x=PGfo6*V`kYaXvw&GIR% z)qS{+dw(ulM@{Y3(q%cCv_rSEdC4?0sS5XW>IM$&CUayzgzi(VwB2jlf{6mnMm|g{ zC`jb@0^nQn-g*;yI2f>?p*j(YQzz{EA}?IiR}nr83pdUgnedyE0H(dl3~$ob@*{kp z+kKqF78QL^%7jZHs#Nr(=so?Z&NO8Hf)DnNuGeC>l;4oQDhy-$et5_X;>5HkZn0es zBBNi-{0 z-997e9y9Y8{JVNM_Ik-+NM~sdM4oj1!^f8bM#c4y?nf(VhMB#)6h5@ruN|hQ!l1yk z04+XE;}qv_+fCIwYFx7RS;YMDK39Z&|_eK~XoXpI%{~J=9vD zB-6w}jxYXsxHw=zhP@=-W!3b~dq-)9U5@1esr&ZHs)H}l#e0i5lg%xDMWO3Ma{6mi z(962Ru2a_1via+GGS|+)M|I^tsJNMBsy}#J7fjeK^5t>~bn$E0KwP|7 z%eUtH1mx#DGJomW?W!P4v1vEkyAxL1V|fsYL!OPwuN`S|&gc*Lj)7>jq9hoY7$OkG z#_+?S3Pbm{r5FJnyV7L_%<1%Ho|g9JXy^-)hnZ9p-Db!6!_s07w9f_nRZ2)1iy6%e zVm1lu!@p}cY^CVt8=Z**67sv02Ai9K_fRjMzWuU%1~j)fJ`l}CEN|GmS5!O0kv<7) zye@H+5ubO+3@X#{_EeTuzNrb4-dR~Q>0oF7+m2K3;p;$?=v)W~{lzhye#5G;?MGjt z;-F7nAZ6ftF4aE%2r2U=fIW(+1q9LY-WA-%HPWIqsNXr>(aid)qv++)8;T}cWvsCS zNJ7sgpZHO$S^7quiso!E%g`c1OtM-nY{o>n)ii&-DNZcDqkKPyMK0>$>mEUUW$O@Y z%&#AI-DZ$WYiMdcI?#NJrn9TVbO9zuV-}n?2v0UJ{80zVy*Z!Q{t*Iir^9L|@MTXJ zeg{C46Lc%LLyNtVC^{`^1Le5cVYyHF7);%uEo5C?o3IU5@!!pKn7<{fBHraoFVuGx z9ctPOesd-B?JHGzi(7xO*8Ce7N)38Ui7=3W`3utde}PZq2hr3fNLhKg$>n>AEDgWC zPBd0*A!71QIVFNt_~xD*)G(pDP|YGOqd z>Jn7!x4x=rOU`s{%|$x5Z;vusF^slcN-fP-XHR<8_Z=!ppS`XCTjBC-EtCgbCuWvC z?DaOV{X<;xPt$@G9A59OHA&8|c(v9lodLZuQ`YLn*haA=58Uy#U&iG=J#4+OlO6yA zD2e-LzpK1sbqrdKg(S0Pt1~KB6<(kWcnEuY%YB$kZzmoXQotWNk{3`wKzU`4!bT^^ z9|b{^>wZgF^<$8=f%gLwQBGS~XH2adiRky({TG>Fcm` zWm(xF0spRCnKOE(m!&-5sLEHb4ppz#@XRCpCOvt!9ejL^`l9opH0K}J?d3r?%b_$m zH+%i3|6ebF<-YXnzQNpBao+wFTUc?Z5DvX|8Kl^v>s})6t<_^2pOcfQUU5*Yui)Jq z9C}=x6w@r!qEP9d#k>}R=RI54RD%t&9#oHvWH+q<{n)MEO;+=ccXHDx{Lc#?Lt1U> zsh8v@UhqGdTV570H&1wGGZi9w+kw0ySx~wvy4K)!s@(&dErr`>bn5=`+mS87Y+<&B z38K6&Vh2h{gyG-Tu^*W{X^{M%kApUsTYPDY2;hK;L zLUQ)f`V+?~X{)rKM+!GEzE54w2^=;JGRpUkKrxxQ0D22kbEX7*=b%{MSa#r{J-gyk ze8GMZvthDk7pN#xti?fp8dNVs8>CF)I*csPC*pkD8N&J!=+^O5 zBm5-3zt%RQGw{#L1ZwAEnJuKI&-V&rpf*%|MOrZXq5hh~DUDk$sCZV34jcYTR>eAiI+Q!RB^ zfsjue67GqH;mEkJ7kQp$1v=1JL3T}4)nsblv`C4(BU-)5)<8uPR_~N`ac)tu0_!vD z4?(7Ts34)6n2rJDeiK@nUXv67?dz+&tY?N$9^8+#Ku5*y=v!Z{u@lSxghq=WQodEO z@UXoiG*|ylXkeNP%(Zl3YbzfZ@G|6Hm4>YS{P|JK@VuEG90Hg8e6_Zxbclv^s7!C_YA^yH8eGOpnxk8a4PDGiaO6|U@(~eN*7Dp23G@pUsi9gfJ59#$&DY` z8$PgF4q&a|9g+X@F=#Lgk4!CBHC6VNu3PYiD*#2o-0D>u7$=R-eS0qI~|guvTrVS?Gn5oHeYRhC@dw)*9uxJL^Crh zpLD(nu6?Ci>%JIVOCFmva#FA=to3=1tW7(bO{eGI)#Tw$#=EXwKv~1=r{Hy1me<6- za&#yCX=z3#=qr#?@4%agJ)bey%E%b0udVOez^Ft*Rp#gIp6&CNsAAtD6brgipJ0oZ zL-n~t(Gwf;g6{qJm8?Gmhf_g5LqdX0B$`1@jj4Sp8(0pvO?MORb^Ey+8!1d5-2tdA zU03}mmaa)rC)45>WJvNg^43UnVd3h$o1z~Ln>5z4JljAYc0&2ss{Z{V{NEJq|72{F zGXPK}~|Ua4-pZ!@>}Xzt7udEDqj+0_6@V$Rh54alrQj89PI7EyiG&z&@9DZ4nVGd zjt;*rCWaN>v;UD&XmpzTs?UuJcMH6Eo*N>II$&9|MRSs(KGEGTSZX?&mgL#!l< z_ZOiaoX;Gh1}J(n)LRR?7uh*RktyoRvO^r+MMu5z;Rj-ZjsI>W_@KPA*YY9-bQ0_8 ztjaCcXmG~HSD;*;y(wWFR*aPP|2BSmi*@%;en3m1E_Rg_iZ7d4c2T5k9>EdxtXuk- z|6=a=cMePUYtuwmX5tB6$=4t*$27OUrk)N?*Tgq!8X93sy_}%!EZrwhQs)+NcVFIB zcex`2%UQERWUO2n6(Yjj}LI+oGv?NHoPhUTO{#h+1 zFo5cD(|6?MacTS#2-#j^ov>LPPj&zx*(MW+Ymca-Mdwb${8Fu!{#yqgz*a-w* z&3@7Go-)TKFxr;1<+2$DZ@=o}G*J_2)X?95-n?eVVRwF!zYq#lY;HfZc&4uJOb}Ta^hpB+Eb*Mp9I<7 z$V1Si=Zx%<{4eXW+Ry81*qI!fcS0L{jq-i{X86_pJYznUs1(=TtclI>)`q2*g+hQG zeORRkykt89mvFJT6fH!nypZWix%nB6c`VwnSDLS%?Ryi)QLx~u=8K`lNcq`zlFNc| zYiE?9N1N4|)ovNG*ZS^TbXP*4ux0~;6kuEaO*&qLPCBHgrA9&@y7B+HoYmp^~<7Pljk_Mg37 zvj9aKYCy{KC6PBST!Y*&lBluzGgiSaDcO2cA9Q?g0mt9Aoi7=$Tzdguaehs$wRfa! zF9IBye&Ihk*)Bg!0^$m&lcj$(C;iv@)ek&OyIF*P>P)^pGc!X@k{}2O2;8q_WxYDx zBh=^NrsRLq1UR%F*@6IjhjiffC3d{LO&|$x8`iwNruy*DtfKbaH?;NiL_W5@zP{lA z;HWzOA^H0o$IeZhTgUuN_?nD7Xf^cB8&G9Z$9*35-(^r5QUXqxwWXmno~7B|)C~wo zkZqaRD$zKVls{B`()3F#MW+_HRpWMPw2sO8pu}lW0w!Z#7nU2e2;Nq*`|VzhPjt#O zm^y5zeAR?)s$B8W0pDkSb6+ugvB< zOEg$SxS#H&B3y>A*Fb(!nfiGix21s=TJ8CI7-31stN6ewvr3@#0OEInfLFZR=LT3w z?^tE=TW01FH@QINJBUxLo`XWYJ&WJo64~MLpBmhT2u8K0fQEApK%y!~3MHl>g$zwhK42Jefn9hLuKQ}xi`cwf>yJ2)gG{2e=ur{{;~bC zAJ8-k1GOwkOyOY)$4gA6+*}E2t5^uMuPVSluzmVR)AR9w3wCpk>4mAQ)6-`YLMFO4 z$(F?lO^GW|TZDnyD;jq0+ejXTDe|GIDgKGaye!rnM=i%^8ntkJUo@Sa(ed}6C^8^< zoS8`38sbcItMOj#*K5)HCbF2b?gDl3=|i6551w0-o*fg5AdWFkzQj%84HFSp!bN$f zR0|Qt|IUH;mtygCAj=5Duqfr|a@1d8*ni#1K%gId^=E5qD|iTKbeJD)2>2v)8{F!Wur%FBpA)?*6dCj?aF`tfF1oiH5{nW-~(L-&Nl6&s4w3q!yn-8Tddhu9Ah>5~=CsAAF6 zWwvLWR>!i!WHnvyd@zw0Q~WZ}mFHbbaFQK1+}PfZd4JYYYfu+*!$;w#ZvDG3CR**d znPobkCA`cFDSiqQUASJ5vYVMGaqfTA-Y*GIk!_TuOX7lv~X{zis?90+chLi?E6!bnXIG7Qw%$nvd}cGZs5H#gW8|| znwEAq`vM_N1(ztKD%n%OO#y*{5oP?abyYY}SgSkL_EZeNvNay9woR&|Zf>;@GtDNy z9zM#wj1>|FW99 zmi>xY{7AohYq8)TGLNshnJg-umrEK-dZl=6hw@Ae2V96_DArk0d zk8GW!2mSM_O#&O(B|A_^-rV%;oB2ov>RXP7!=>rs-YuA(=^yGu`6Op(SK?G5YPq!y zn3`5dj74qsIZXW?+290Ns^#fyV6pzb5IuQqwi|4c0$V8MZlYHpvM08#H2hXr(x)ts z$yvN)=@@`o#dRv-2o2EGlzhzUm@ohDGGCO7IlG*lY*o&RPFsaVQ11F&(2b=$t3Z3z z{9UzpTdmm1(vZavC)l^d*}55Jz|vq`SI-N}d~9X0;5jnr#jId;6pmQomhp1QDt#p2 z8#Hc)C05k4qN7;i7zoSSweb@{$9*C%(AIxsgo3^MOgC5f9Dt0Nvmz_@&Cy^Xj1T>& z5JDJy{0z?p*2kI&Hw$WaXmW_Pj~x?^r{Ye3;I}V~)fqUa^3;Kd%UzvopOwQuwSL%B|}vH6Le z<=_womRUKO;I0Z%y00L`)DnfbjJ1|m-`lfdegTY?)Df$VNl*^*#jKvR%zvL z-X|4PEM3A`P1*rG@vJLdo!H*t^1~cR6`@c)1>36=X5Ff=FV&+ftBT(5;WJGJK9A9? z;R=-T4O86aylz2_xq^Em$3r>ikrRREgfw@Zud(mz)z;=$B3vW*gJB1G}BF{K+BKle#t+Y~+ zd$Yng+pb*oGiQQ`Zzc|as}k{N^vg>NB~A`y;yKbq8sAPE&v?kjt(iK<^_Q{aci0;B zl;Q2?BSJO~%v;sh-C*dkyreh~t>3Om0_U{^_^-4nzI_X>;k3g5mm`L@p6<=UKD2rn zw4dai=XDm&s$UoK^GUb|%H?Y2*w4+DGsGer9w#1wG8ebRrt1I7ke%b0^PSFNY;2AZ z&jfWTq5PNwmgBbytHn%~<|GN{3tX(VdrFx~Z4@VW_xP(eI|IY`zz;$qk&(|b43*B9G4J4 z5wwr_nzf-$Mb!r4N%|9f0e`A3jz;40d)V1jHYwbphnU&8o_0akpX8aieT)Oh9>6vg zc28q;^4fMlG@n;gMHy{nV^z@&>^`EXSF>&y4h>XizNpF=Jf%<6%%9n4*jM*XO|4B+ zCwHc)Y7S=lGvC*Gh|5zr5N*koNP={P%0CeF|9WYwA&%7%20!Wl!#As4xOn2^$wwX}wHfyM~39Enl<2q=aJ z#>hA~%&rd5p~|lFn^&fvo8{8T7r?hmz7jqYL|J85)`vR|6d3_ohkz~21^Oir*!!DB z$C5>pE3dHg8y*9tjflOSS*3#v6F}Xz{rV6axrngA3$Uk>+Qs(0El36CkoT-L1I?|i znkxIjQ9#s%^FSB{ue&wAx}$HK=-C7qK19~)wqARPlbj+$k^%km9$=Ke4DKvB$j@f# z%5&X%QSvn1T7NDLl7GRM7(+2`>@5bmrw{^HJLHM+cf!@Tyl>-Ht`)^sH@L*J9P@=GWDOjKeU#QJ=m9^jKdb_-1Lf%^bp*z=YezA!u+!E~Zpf zrsqTsA?xS5cff3STg#ZC^kzX(PjH^4DwDd8M15nud$~;|5>uSN!slCf`B+j)cPAw1u~C{PsE4-Lc=rO zER%aBok5JiT@!2d`jqzeyw*L=Px3nUuHWf~a{@jR5PlW-()#6Ha)P6DP@C{*YEd~K z4?j=tk<*s#qoH73K#*8^f=Sc?=!DI_P&k*hlCit(4b6ZHr9LP@ECNIPqG>FuQ zi+7PnX&*FKV*!fc(@Zv#>TlTr*PE4!Eq?LnDVo&+R8{jx=o>&cYSFdgp&+-qw9`zq z*3I*ZF+{yF@qDww7#IAOMgq$N73kn4uAA;9z*U$uG5@JYr3|lE>UpcXbxKuDWoO$d zAzej&nKCAzuKD|0d8>Ig5{Lka!7S}v2<>b6A+h?1noBOqf#i6}#Tzlrs{1)A{Kau0 zbmq3*3)wk6wyhE`yfUbJ`Na-^;e4;g`GfORr3SzRe4Y{1k2N~Z=H*|oR~ek!R9%I8 z&wX=rEN-LK%+MUaV`EFq_**vYUmq{PS8u7M;w8`V+>8Ni>%B5(f26Un&w z`T6^opFDU_(D_YjAO!xXr@j3vj7|{BCIiN7v#@$-)|)A%$aS)EX^8<8~XItg3exmSZ(%-X99wct7% z(h;xMZxq&hE4<8ajW2+Rg0*$YPYF|HwIFVwtGRC1Y!wzepL*t$ZN4|4H}PZJH5|4- z4?p_eV&!7_uA}oq6KG-Rsau1~q#(GiK*i4X&*5DlInB;(#_oUd-1*Dt%-&^LC)miv zveO2BAuAL7kwC1?O;YfzL3rkJlDSPn{W#0cfQuWf!NR))0{DFH1FE29ySiDlRIMci zoJ@SZ&v@cuR?Pcw<_%jzy&7MVZ~V8`VF4)B6u#LATjaSD2p;SL$iK(s^coVc0#oz- zOAt-=5;J(3o|&s&*_#W3amxWsLAOs^mkPCApEh6?8bf}viDkVsh<0X*FQwIP z96)1ugZJsierSX7;kRggJ^}EpN1UKHFOCb~i7ce5$ue3h%eRQWBt1-U{t+pkky$$j zvdl0y_tG`2!KMDI!-$#{aX{#n6b}5&-g;|#t%eKzkuknpbQmjTIye7sggp+@gK=DKb;FM=R25T?}#=uNn&e~)*z%J?8%+9Ip>KZkm#LUVYqqtV5=Y1$OKMi{mN{vfX zXLK4G8a^{Eq-}0W=NGAy5_J-!Y-=uZaNHKxWbRa=Z(rDC(DuE?9OTA5JI;Lh_U(x) z&`3RCkAy9st6jsCj^Qn@OBUy>orTjseR9Dz+cDSPuU`-=u6yk5|GhSiKbl6#{;kPh zzgYB1J;*L|mXO@kEnL@kX(oiaz1^`VYXB2&a2=c7boM%>JJ-VL&_T7P71EpS=1uD> z+mE_+#V)E^-vDeY_uZ4AFc7ee%YZf&R_oJ2Wr3DubDVMDGuI0%`IOh#4MMK0bwLEd z$-O3{mGXKA{y}G*2R&K5zHbSU}a6c-?B+n?T#H`uWGuM_)nOjA=5mmIB(PF`w$1V5I;TPRicnvdv^9jY^%& z>XzJiMZkK6e;9WjZ0_yqJucs{vwPmBP&Ib2AQFZ35T(3Iv_1Pq#=Ek^?mO*Rlx3p1aj*ko;EuYBMrX zH_t=6P4uQ8wwq`;Fh;WCucJVA35f339f6x!-cat@;FTZ!0|RsOoJgsk=ZQEU>+l(C zujc2YC5&i%ZA9+`PnNZ?rHOx8ewylTQku>Fe0~O>titVEN)MIBN zG&G8u#z?&2-|ib}$T@t6u(ownIz)ZX(m2e3yI7prZ_wwuX+wE8pTkgBJGNX!CV%|z z5!k=nXRjKyC8qm;NptGCxw8AEJ=(6nmjCw0xZh;~+`T-DCh$XVFPv{&&Df*Un|pc; zfJkQKO*v3bX4AlSVOEKJ?e&~tqstN!-IqQi5aLWs-A~;}$wiN9g8~C}_8CVrp)^*Y z?MgB*$u9R$<-NY|!9bt-qK(G}%A~r3EYniC`^=Gmg@kJdH7PI>_Bxch9V>1r_lfnq zH@o}d%RhX|fjVoG^bC`HQ_&ZjZ00CD8XOj1m6)H4YHq2FFYg9x0x5&%qh&&6UJetX zCSU*){s;{hwRCH;`;@evkmcJgTd1kJTH`~I04$1U>4{(Aa0jJHx%_Ef+RfI)g(t{# zwT|~smM6Z)c}GNk{Y6hG!}run93}B;$`Zxd*rd9%VcEmyd8fsae6!o_+40zzv$qWZ zf2)~X{nyXMff9D}?Cs<^Z*85fB6b0cPsX?86Fa15&0^w(SKF6RV??m-W# z)D?voaYdv4NVP6oXviHGX07NXd#>=V(Mm1fI@m<1&5>3`mLpW<5`ZG^F9)#2LrL#X zgAO@>3Oz*AvaThag&yb>JIu$l`cv+)%T-weJujXd8y*V!IjfZVeNhIGb9Zs{XzqMf zfc%y~7_#5Pnn7DG1yB>d?yJd!o(Po|%ISR2$h4^;k{qQ5M{kMc#I zPghYTFXJE_2jczPJUn|KpDQ^5Ji(+7~uJPZHT;f=^mu<#pyg&<9lh zs|LY@=+ghbp{7N8ck%l=KqVa6(p4N0mo`X@0*&0AzRKy&x$gI+{Bbt_c~z?#Ys%+R z1cSC%M$4xaKuNis2=rqhcw8XhhGCQ)*wBXM{-cM#UCmTyusYzT;-Km|r)68(5ijnf z^2t8)AMejD{nUdj%=SPJ|3;1K?wtBAgI2An#CCxf^typgJiH9_B{`>;0*7Cdaj=2i z^SXHn(C~7K8&ee6bXLjbY;0ROYwPydeGD@{T!ns|x36Yvh(L6 zT*W)|;xgR$q~gC-&)|-W%PJ}T6c{fqNqyzsa9msZ#Q$9ue0{+Th^1ekjCtDs zt}u^U#=%kpAyJBHC^&p85PI*G?CAyS;H!aqe(c%T-eW-8T+-feo7T~j!9!1z&ioH2 z$KNC^{zB&;{JF1Qsq!8D=SRQ%3=-^{JC)F z*3~y6zf)g*>^U6nyX0y~s}Gsj$1;Lavi~3UzB8=JZCiJVA_@w+L{O?75g{N_1OiwP z6$GUSNCy#+-b+Xj6;Y~nyO(%D>s(xAck_@r4!+hm?PObh-_HeU-V{NWx$;$J&Ij0dUC_z7gzIDVdaiwDr5&CtZHkIxvzPd`e3DPiu{&DD(r2#;e>Sdi`x7mNU)KvampEoZ5+~52c&vjDagLOjmi{+ns?tk$afAY2c)a9!%qn&QnTfWiHuhzf* zt4BoW=qT5l5}i-{$s_#zm+U3!fpC-x9DU|rKf>Q%H=lzikB!)U(YwWW<*(SzPe024 z4@*zJ>b&6JkS96XR1bp}ylsst>ml~~{DqVD)2pSJ4g$eJ#H4x&CKCm7^;&0X3ChPv zntnBhk^NMHSrD7iCD^BY`#pGf?){|$x4k*qUu4qYYUYz`Z-w$=-Ntm(9g{b+RAbpb zT@Uh)lPhrjrj8obQVCYdih9fG)Hg6Sg~V+vy}1n7BrTDVk&@HVPA0<@9;N*EGPK+5 z(y&;pHVOgHFsPK0l9nc}5^PFFo-oD7n-Elq8`E(iQ{eZn-m>lK>Z(0z9{qZLerD!H za;#?>rewKA8Un6eo#RMB^ia&fR#|PS37ie@rPD%4SJyT*mWN+4>-h0; z(sFBSu!LCyR=7IjqiSMirl6Vy#xw-lot*5p93LRm5M%YIuf$>e)lLey(J#MnVkgPd zd`Q21eJtP;7*{NQO}7?yo}XEEP~97|am$7v#xItXlbM)!+5oXJ>AqCY_o=Y3Fh}XX z=ey=er!E}e`Sy_+DW7VOBHdO0ijkIexF1bOGF`siM;MUpmm7p&-d~|)5l3!rG}o-@ zYib^zj&U;pL&MEFFEGZsO~RM#Z{NNh4I&vHAL1=D)fy+Ke9!FY_ICEu=V6;)50>@u z|Ac#|xOS9<4I3`E92ak`n8VPUh9_IP{MFbv0S2?4c{-Mm>&oDZBw{Xz+$8 zd&K*^K}Cs0KkE%`EiLv#XOv%vnASaj=bN_%r)QO&<8dGH$*@Vd7X~pjaDH_7@Zn2u zC+_O&$E=2ihoc9E*NWW7Uh<8B=66%S=1<1gzw#|5FM=4t9JGA=Qp25U@)Fa{j|d6! zBh{~ls%D#mxelXU`Ahmw5xfhpP(*CGUDbGNjI_isWvzI+J9>BG;-`;ZR3e7=`$dpF z90Wt9X3Fm`oaS_DQ(&*P%C2PNl(22;*ZA*v>UG*vBk{+js}~OOeR*lVy1R05whG#Z zfFAcw##(BlD6C6_D(=Sk%*1>{%xCKxA6-CUt3gx9Ev*SWDthMJxpVQKK8+jkxN5gn z+76Yi&uO7JwDcSlqCw5uci*mTHfeouS~lD!eT%ybX7h1IogI>B2nUX2W`T<&+x_L` zA=+U=H9p1+4Gpz@`*tS}m6Vh;Q*xStoacZJ=5A|mztDRCzKvP^mDN#90bcs#N;P+8 zBRHJl`HxW#UhyD@!7Vv$4Xd7iWM@1h_^tbPv1bWB;hXw9EFx|QZCv`r6 z{+OFx0um{EJyAlJlz0Aq!C9b9WHkBgkjjya@)Str<9LmmgojD0aRzDWh69meRwpV; zE+79Z#7j8<6{90z^V=Qn-#9Hg2@vd8YDn|F)eZ3zQ8JSmh z>zb97mC*MbusUcFoBoUEf802qgMz{jnMz1VA11QLTNyE{`!@IdUJ6>aT z0bS9h>Nprba`$<315*2#o9SQ>>67i4+#l?ASLU9IK!o>lW`X?7Vqgj4&0S}%53%IA;=&7Kaxf9IU&5gkH zh0{6?J_|02Jg6TtM9iD#ApjyXr?avY3fxd|4F)5A7!U4lL4Ne3IqV=#37$-@7QkQp z!?GS3r2`ur;>*PD`T6r6REtW;4{!L8_9(}A^M~L2;}`z- z-{*RSeC;0TxK9-4SeUzh%Sf1N3>*JGoP3y92`17^mt~?r!3n;WA1Bz~Vy7H=k^f<9 zEO)qpr=^C*0;Mn3wcoOBaF9z?cH;q}_bwHRAg!NxnyJe&TzF3E)&4)MJ$RI=JqK?1 zAf{tswr%g7ot>`%lgYSWc#dG=AK$V=yd9pgQXkHGtru{B0je4d+_6`_-H)H~*EY=O z;MqIkbgi=~a)}_kG`Av;%zhr-smZKRf-$nP0l6V~7$I5eMk^YesJxGG-jWun;P!@G zG*48FM;Rq1CZ?~5am$ic4KpQ#-&T&15^Ir~&zK=P`hIK)Gx#C`RBk2lUk;4}hx~%| zRLYi9^4GR1P+x8kpzn~D$z&sA2xGXGyZZY%#p7>SmCOKc`DDip)^UeGf*t_ z*UYpJ)$k8OP}QfE!oFx~>4#zhOP!|cz~oM}jT<4-YlLt-f0$;9}JSRcZSK?o?o+tqY1hS*|7prN>YWjxY@2k2L zo?U8RF%oh_lNET1J4^XwnV)Hi;r-suRP}%`4B_%j^&-D|5^E5*wdvACy$%7CEP0!+ z@7!bw$GDFNDJa3g&Ic6PY_+O)Y_#HO1ymm=%gf46_)-&vkzPkZumpAg!2{nV9J3}Lo997}d)J5!LSiPs4r)4Q zWuqvbZEGO5Hi*$Y;AAN^ebK|C;mIr|aWyTz-K`dW4RD0urh#>vA7l z>6tb`@{=CK9g17OhH?QL0WPtj#y#@P*&K%97A0g0F>V;R!(w62L%8U}rWdO4IdzZ* z{|>xCOQ9;L6COQ!lqa&$5Q13wbi--Eu5@!QeZ1KYvCNZvbBAy7kn6zXaoLS}Rkqbc zE3I=G!uvtY3IH!hF+3nEFce2RMn7^oGH^#t0qr7~X-CrSr@;dq zB7{!4nF-VaSK3XEp8kFg0j;b+R^^B*EZZ3APRJcYL&J-+@{pLb9G&JTEBA~=mWyR}gHYiID5QRfqSrZNfJLCJWPN2g+&%)<4TLYj9$~miqk~QhH=B-Qkm?r=n|+du0gU%Vw~1!GfHw!9XP>;Vq9Ekggm>UhWInYJ$Ct zf!xyKplA>q*#z(kFGyo_s9}P-@!x&<-twsi1L?S_x`YpPF47yrqW;nK`TCoSWC{(wlg4}c9h&Y{?nAlw{Er}6NwJHPSo1?JATOJ-BLNBs4 z43Rdq{)bCPkR;bsoZ837zT@rq4w+v*XRP3{E@Y?YpV+2q{_srR&CTuZJXlGS_Jo_S z=_tF;=@#2I`z`^%EtKoc6=HjGQBlzY??(%BbN-7OjbPrNkpmHohX zw+X|m=G#2eNDAA@n(P120yuob$Afq%ve=~7U(ekTplljiT8hB;B^;<)=>xG0+abZ4 z16f;J92l=#7A$bZRk{_LBD&+pnr+8@wpbns_?V;dv;*Q;iqzyz*{Y|s9% zy3O(ZwQZ%DVO7ona30SKJyrNcqul=2t6mEMnBfNMNw@01{)&HTJ^uLSnkyi~%qiK& zwk7rX^`!v@rdUP;7s-tG<^EeN^M4HgkGuJY1N1+JznypghnxO?-S9!}l*<_KCx`UN zJvuYZLXqi3Z=SpNcm~4dc%tG;O+)56y~j9B+jS%+>oQ>@qHX;-k3xt?{=|&_{3V~) zr$ER3l>Y7Mf0aif`0d*>QbimVW(K@>gngCug$5#mEcIyvEujbC z)^6^%Qsw34pFVyx4jFHM3_85DS{mN&DJ3Np4?3nrwnLG`gi=;I2Hg>eoagPP7;zD| z2n;D1S9b`K*$>pR+8DALp3o6hzAF|F@e*VU6YQ3E3?bb=M@zcSt;1uTHp&F?3+;tZ zu~cvG`KbswQ#IQrJ8B&7my@m8N1RD*-*m(fo?K3SXvgIKGBdM_LS=S0l85qUyDYqB zkrD25Vj|cQC6fhGfGKea?N^X}`48^l&-e9@?iytIfD}@#>CC*%M+7_4AYxiV-r3WG zPPzN(LJ+u9t~QukI&V=e^pJ|=M-8X?B3du}0Sqa^4Wp1YL_C%zywuwW01rGQC@6>r z{bu&Ufn&na^!Yb`71JgA!t4njx-K4`RLXVw_>oPbglBPN?t%eU) zKWcOj5{pY8qb|B)r77YD>qH4=GYQjw9Pn+P^v_=sJ^}KOpcjoZr?zaldeZQIe?UKG#uTOmsmfO75sj*72rLGoZ4x(GnbDMaaiU}`d zK7Z#@ku1~9d~e?oU3Th&kGv`@?2(;v+LtKn;{nxV4i1hJaFFlPnvMX- z;$B@{y{oG$-FtC!&pv6N?zP|>abElx(*w*?1S%mDZGtU$NoE$YS?YBks7-#bNTt-6 z$A8Kf7--QlFj)0ON{tW}!7U7C(;=>V{A}oQsMV$zRrv+&KoVfP$M{B1Fwq01&ANx)w4(z4NvAF&Stld^RzB zif07@_+zG^Wwf&;achzELF?F%75{lqVFig4FH|1=v{ zzcccDf9-K&VCZeVy%9{r#@%TLj^!x&5aV?2J2vq<%>~d=knXJ=3YVXqcH{Vf&r)RH z|ILY2Jmg%!W`OLgnDr@hke@&P${lMOuDi zdJ!8_^^!042+&%$LB;TRlkgS*K?4XxZ8<;?^}ZW&Tm<)omXOy5h(SGDU5s#!JY%!c zXN2E!?OuT2eP!$Y_U#*F5Hi1zn!ql9R`GdNiHMlPltah(ibqF$V&=(Mn2UZziOJQ1 zLN{i2y27qdk%!JMS>B3Dx(f>%2^YNU65Pk%FMmplmtjMe$s+I#WygKnx>Pd)M5j~( zj=n|LcJ6h_eb~|Mj@a0AH*21nnHeNv+7lcKOI@0>;=biSFT^*s7xr;DF+s0+E5}_F zZ;?Sy#salEW0@tA|I^ZE zgM*m$w}jeg(=%Z*Ewo6yujF}Y$C)|_$~w7}d=E9uDhfjgnDOgpCwq~eGmXh%;b)3g zp3NuDheJ@5wScjF%!Uq#&F0Iu6)?nQSflE@D-5`e0mFKmB;f`LQV*4rIu5l9bgRU# zSi?7RVU9d*B(sf=Z52zi8AwRzVm36Co)jca*$+GX-L1VoxsJL)3J+i=jxn{?+9AeH zD%kwkqy2fuAUwFM;rYOmjOi*yWx2^{_wj6M{i|v+V~E$ndv?X4gw5(RtCg&h%T1yI zYufn_Zv%}lC_d8;F3>+P-~AP=+h(!ZS+jfOXNXY`Uc|hI!YE?HL)K;a^y%zXA5!IHNGKA6f8H@Rq!ry}2Tz4u ziWA30Xb9@m#eL&c=_U13=t*LzHDy;2=^+hs#QS*MEV7~R?{@WluJYe;ILk7n?RW1( zUXplA8D7goLuZ!Z8pHkDZd&FttA*bFnVk1nE?y%Z*p;OG{teJowACNa!@cPdKld9$-kh+x5YJ|yr zg`~bL)_1(62OoY}N}+cOdC5{S8NI$lmTRpeWOB(lIcClFC0dPVDH;Y&>D%DfVudRO zTBU?~VxM#mQ>XIBG2XqLPrBWLC+9iFDCS{x0#@Saw4NxF_LBaRv8D|?R-pC8QY>a+ zB6g8AnvhQYzKASmvq{cP9bBD>FQLvRg3zJq^?lB1d}X7$!m%wa+(-J%`UV*`31M+1Nogl!$w&dmC|$P#T5A8|bh^YOLV!K?g0#we(e+07b=CPw z73pr|t2oyG0mA?;k2Ogs#p))3H(9n+I&DfNq1H{KB z#?;{FJ*GqP<|gx-p?5`XO_XDut|-fGM8CNEX>1y^VPfrNM&;=jkm+u_pPiZ6tU^u< z_vAHc;_%kF$?{x|Fz5u2ve^o@?c3=C8m$phE{|xw8IE=&X9SLfgh7cU+vepxReMqzt}2&HZ70|2mmq z_}*$WC`u^UPA*Tn1R|G&BM@M8%M_9l%Y)_+!cQPT~uB z3Bv(iGo_RG4UC6k0$F|IOAtHvyT>S2NdgA5`rO)*Kj%9OWf5sDO}~*iQr_ydWaH2` z>*TcPO~x1333_kF^+oK|_wcNb1c~$pL@V~_vbl1D9rLU-y*LG3SzdFLFE}$ub&bTM zW@&{BY(-3)mu`9w60O%@mzGP8D(vuP7$<~DTeR|;L8()unLe$t5W8|YDXH?M=GSz4 zTcr@!RgEm|bh|eiZ+SHLW~7>;!)Q?hX^aRpJ);1Iq2M12{x<7L@s)hv!Ge2ALrgyW zPO8DB)B1NELxPmp>r`cle)zGqW*?)r&v~-$&$5aiiqH({h zlabQpWn(xL-X66E!BCeoY}!kP*?k`bK|@)&dL+P*l$`H=Tfsdm(zCt%zC+|W{*)Zy zL5SRlot^ht!=TN*E)D?r=v(tiBQ+FGD`-w)i3OI;-d+PCw^Yash82)EI_I2{ZwK~A z4x@BWyGb?$rAw?nhX{eG}odJvtn3kMg2A zHFnoB35ZWf1RxvJ{JlfCr3utwSL3gSpej&6=l^Xu*XQ-wJ0icUHe6C@Ld`TE{B(Ww zQ*U2MDqj;$v`zE7y(8jVSg6uT_^nV&zBukf<}CqhVKKQ2xiF>ueYhe(68!?Yqimpb z)QQm3YORT;(K(lKJAke$n${Y%QkG6AOz>;Ll}^VF z-nXq>?LH#yY7OXnXrN{N-l>tffIYNeEkLO3tcvtvK}zZ@e5L@PIc^o;K65ei(qw-2 z^V$d4_3STqc6A-j^cX0z$pu-f`}fZbPTjCb#Vt7Zh!MDQt5V9%E)jI#W`t*D?=p@n z5nia>gd|1)g3o!KyaWq9&)mz#fEL>hO=0~#0%FyZ737?Kic0s)V|l6;urecXYtVhW zT4ZbqE-FgEH#E@?P1ax;aRp(aLH{<^^{dCRHS;JNX73pHS!@*Ci477PAlB77Dgb{Xq6VOoa&9zUyQCG9V347P)tp~&= z;0zoQQ(qYv!nAt!U(7Hh_7|p)%b`|k;Q7 zJHlC_dE!-kTxQ?$cp`B~;wDr+2EzwE7Bh8|HF-o*mMl`Er%)ffbakU_<{w<%m)lHR+(sm9Bn|>mL!`lwn@N%qm zZ1vNm(hiP}X&QOg&TE|WGR%y%^$cb-UVSXz%mxemQzyIW$2;TFHR@?3^(O>Aw~+@w+}@%;v}*uY-R zYi>$uEaD}MS%Fg@y1q#15#Q&nOKsUk+LISf33&q->_WGXo?WhDybph*hI^M(qOl)&FPp``StaK0O z@b~8_Sy?S>c8?zUJ2$QHpSPrX!JM3&jC*+I!KjDOQEd2>QqM)h;q^L+uziz_1eQtI z%1j%cLO`J~GP6<%%Mcj@&lIvLFH!rUh9s3iZv8W26j3kKe0TjjEU$dETbCFl7`=54 z$G(LAUgmwxf@jVwi8%#@fN^x4aa};Oz4B8vQD6gzC~%}Neq(Bi5_gDWzVCjUsPe6I zkaMD^*e++$Icg0f2UjB1DrWJhl^8}^<$S2>MCCe+5Z~xV>9)Vpdk=3~_gZ}nS3QcM zB3AF5fs~Lhy&LuOQr1S=_Gkn?duz{JOV{O+ z$XhkoRd7ja0LCkx6(fB5VJyPfb~?|$VUSRj&uq{xoG;&&0ydls~lTKW3&d* zMyAF=C~90w&BzF3{asr-7R=^om)IK@6f7WwU1*_ewM$FUW)aJ9lkavUD~*~gLtM!B zEkE4V*wEle!~nNL!xiV1Sn87sxd0+px_EJFsSy&wOP*0IU4&sv`J%?v<2E&lrtE-$ z<$}SK47-%jTvK#iki@X|Mbc|Uo|o(f?#I~?5#3I}i%qtmKsUo;5NS=Di0X^%pn!7k zCAexCtT0*W+118P){6%M)qnkpKJ)#8SrH{ zI0Eh>x@#+aG|9dih_8swZ)L&m&_uG+d!md>pien~q31b`R(ZOdnzB`@uLE|dty(4P9ZGD^?J$56q;;g$@ z$>S2dFZ~esxmOQ8D=jA|WXT9ranaiF$mipi2}e6~ovbvvZ?_cQ3(gD)YZllHJhJ&v z!Nx(}2(}#d5odksN0a(#UlV+X2Eoqwa$5Iwnbw6Z3?nV!cVR>CEFJoFG3uSJW1N_< z0Rv|$cdnJy)uzS0B!TmXHN}ATZFt-e4wN6kTH0775vz^#@-SAnmG-4fUL~o0)nhD# zt#%Eu_{2K3T26XY1Grdd5<(k7 z%qwkwnq?WpOI=6j=TvQOZe~#BwbZl?7^@n?{df_Q2z-Fygv7~A^S(T@(%+B-6qT%C znt%CfM#3E=plv<;1g2d!eX)st9qQV~qZ`Q|zEoG$0_6^YsFP3qekQ+V*K`o72m*-sgXzM&W^q94@E61oW&T{Co!98y83 zXL&R&YufReDE)i=AiNftyF^c~-2nE0rE7A+57s4~Ou@c{w6EK*AaTsEZc|gfcFI zOCol%$QO#$(8 zUMciqk==|TLVi>R^iwt-Vrt}#`uc|mS31;!kDl6xGlCRmSZgSA4R8(;LNHzl6UQ52 z2Kz1`vyvVdrq*qA@P$8WDeO|6sYI7PGVORgzQk>_SV{PR4(VIwXpi1_i~`B=QU_NT zre>0GZ|;OOY;qLjCkum2CN-+m!p@xIg+Vbegt+ZMdWhNT$9sr*H$?Uf26H;V&>uIn zn)wlH%k{S%0ds)7!`Oha&XcD+7CvE9?JP#!DiLbVDT`6vwGeEXV2}860h8kn?*J_I z;ez$xyC7XcyJ+cVp9K8WRIIm|&>#*;UDeg0QZ&whKmqEgk5i3rPAe^Sy}>1u)Zkfxb!aG;#y9s` zon;up`ydpzcJ>@!OXPjlvn9^Aapci>A9~Jo0}O|GoUmw*BdN*f>CWZyiX5-2dd_nT zgHx;QF+U{YM=KdOg_9Op7bkq%tmW z-icpYiyGEk!A(tS>75?Qe)jgvpV3WzH0^&jlIP*___t4LtZeS(htQQrde%%cCLe(! z9N&eq#3`deiNPiW`HyrA+8G2c97MU$w&sK&UxYi zH&hIZ{8dJ|^Ijt`5QLw$l!1Ek#&mJE8AuKLvH;+s1GhWp8_RPC!+FW{M|h>?^eY2x zVbH$W!6FALln5xyO<0HH9hT|vuwerZjC|L5i9KwIJ_;C{eXeNXToK3o_YoovC! z>8D`?>P0*$eLmlmvWgz&pm8~hi1*ZthEb&As7-Mk!BrP#es_K7cDT@tggN6Rv3GTv zV8xs9k%oaH$i50!8yc?H@(yn%W!OvtsHcclQA%bRP4bHaXo}xqP(tnB}ZmZx|9B-nCU0mwM&W5 z7jrWKa2ojD<({pco0j55!Hs$zg2+z?>Mixc$;(FT36(*+nvETq%ZtS7x>p5ENh_BW z1kTOxt&Z|;(>3Wcl{^1Pl`{m~{ZqurkeXjl)KEJBWMxgAG68M?_k>9Rt_e(n`D!MBn7Cz+E~YNDMluN& zTk~`OUYb1K)7kmps_R1U>#nWy+zd*`hNj;G$o_E$m}5uHB<`6-Dvm-EKv{_fgFQ~B zK<(f}Wxd6OKY$X07N>}8oCj9l6HY)HK& zQ|^4*dZ;aOz)n4+OAcP{mc@F1-K|)T)qClq#PlWvfWd=AIXMnDnG#_GgALCD7w5W{ zXqA^BmEZ}Fk(FqGQF!*Bwy^)Ez})V!=*w68tZbM)HsRwT^qQ@qOAB5k9VxlKj7$!{ zUQ-nFw5g1sPYV~1COLV@#S!Epxki`UmvGRwin-~;=llD`Hx{DuDT1hV73V^3ZIrd+ z-^c6siTaE=7Z?{wHukysh(TofAR~}w*QF?1|3ZlD;qoFjh7z%?A+kJv2LIM`lVg+H z9bmAmvrfm9JWDPaF0shEt?k;2y*&#iLpWqD+Y@>VEY}QAx<&)#x)QgXJ84qVvb)p0HL9g4h*L|Ko41_u#5(S(&c+Zy z@1V=4^xZNO``P2#v$OLm&Lh33!+wLSQ7IpcOGv|vVed30sHBz%7c%c^#gUW~XJR&r zv^Rz@A=s8NBED~A$2oO~yLb0nx}Aig&fueOhj?3Y<;7H%%?e#xr+AOrnkVzvd!XRWskiokZH$IKMq!2dR^_;L0Azc z$}fvcNSN!-j(Yn3NFoPaWVHhT%QA++7z1w^d$mFdgFJ@kb3qIOG70Rv_Z?IwmlP z`Uqz5pp`^8^AkO?r~2ShGWFX40!R&I7;*2z=Xh`FY7Mlwlkr0kGJkqX zaOyP5?rgc4Xv&>|Mqz zr@Butc^|$#Z!lks^Rd3cqRJk&u{@0i4SU8Y|2dkj1E}7vGtTOQp|gpdbRADSz^rL~ zPz-SOZL)BQ&E3C&;;;z!%DAu++>j#)E=qQ^iUhN&(a!BRb05^dL0Dy^rw0J-(>z1s z@I~w4ic3qM5tc}BfzXke%ijP+P!hlvPCX_-xdJ~H0GVPg1miz?u>Ko8{Q4ol+V+(M z(r{0;14f=Xls@ygq4AoPohk`GR)ms|=z&Ig0eYnJvptaJIXL?kdl$@*OdBx2#%d<0 zmf_yX!msXNhytBSLAUHvL!7CgMcMp*4FfK%Trj)>& z4s+3_@rWz>Ad7^{^c-prXL(DsP^|)L7jSO}*j>UWNCjJ=n5IMhlRgorhV}K0_QG6? z$+}qLE{~9L6j89M!PAuMjF^X3J&Fr zH0djAhI&u$9!BNxH5c-stMMC~UDR>RQdcF#0Gai1LPX-CHKZ^0$`L|A9T{+pRFC;y z!Olu<??gkLtYwk zm0#oH>RJbEbNbTAcgw)ZttNp*8p_^t1c-^zi_%-14tr(UJ@4oM9fED zWyEf(jToI;gD8k!+U->{zmru@Rz z+d>emv(aidulMM?=?e`)j&^l-v(Xb18PLndj}u!K0c36`1jss2Drp%%@|5La4e$!A zH0cZgY)gd7W-s*E{9f0HCH{TjA?(LdiD8=cqfx^PCAZ5*l)3l2~k(4MJ-QeA4 z8Hap&Mmge$i%U69GZ`5JHBL38_J3AXFi^2#32af4)dAC z4^3MD-b+(aa~y@uMgUdD#*HZkFrr?2NLA)FrU?#GFtP{$A8zzq2xXlj)T<&cfV87~ zS$Cl+vphb2JuWtmvXWeyOWEE`eT+|i8#){nyV-9bm}0iPbR&+;&#vcwvkhywJ}Ad- zGqC-y{lubI*|VMHYzfFO+IcdEl4w4TrmnzpN%aiz`Jdq5ZWh~UbF+{!a+gj4D9hIi z$OgQ;9VI>~;e-M7H4(slMHssTutS0YT%KcL-S1AqqfgS09uA{XjnnA z+35!kVJB63(b9W$~=%`C-Y^7cPhhYbs z_z-dB(perI3VqXAb{Gd%D@m8X3ta?X^zlDw^SQg+j!rsC99@lr^Ba^9)9*@{c?PD( z9W|XdU+GL%P_$B7=6oxcK%XZ>%WpDaubE(*J9F`rc zEg2%Uy)}VZft^F%vQlEvV%xvr-{*dcZ>m!0nb@4|221ca?l0dh?QRq*KkqgStYzkf z92K~@>p&huXa+)GpV&Ga22SoE7jU+(>1Ki0GZ)D3Pw!k@bH!f0gamiawU;Kmxq?^w zHY$HQh&;h3_ud6u9bp)v=3U(3MN<~*?~e@PPI>cW19X5nXwpQi*Ghn##qmWgNkiFJ z!ulP~%={08eTn@4JLXg6U~W7Qv|Oh5Qo>>965qY+PwZsg6Zl(h?-60EzVqVZyX|^~ z2Jb30l~^_CL!n{^SJ6$pLn0k*ZBP+)(IF8L^|r3H0(~Ltqz^KtSNHD@)X_U){cP9u z8&`HOUb!`SfrRV=hY86G@77qb`(YnhhCD@rX1{HM8&R5K;S#Uz}# zHd~Df2ykEk(g}UJ9dc|Aq;-72>#FxZU|WA_FMKS|-hu9Kow%W{cgzc1EP)8bCXs)q=1s7-^{J>1LHH>S#9TIiD#4)M`j1AgmL>+LHY5t?_^F`_KME*a5UP&b0Ku-4h*J1-bx{ z^y`UH>K`zNwe()=n+kS=W*?26gXZ|}m};%^_#F(R#~KML8CC2u@FuTX*x7{up+N}H z22m+nfZ;0n25|{jcK_esi)cBp7t^iX4ZG@YAEPIbYYj;XG%=2_^E$uN>MI&Os;Ww! zOV&$r4Ts^yp{NJ|o(2tw3T`*A^J8iK)A`$f?h>$nF!wA9$=|Cd?DP5a=UxEb(!-Dp zTaX$cVxZ~+loW!d9lN*F6xc2u`WLpy=+kgBmnrJcLa&w4yxl*v0RG}P`sW2v*8@2! ztG7?lf6rL-+pFN?C)`QdR)g-mfKyl)`Q0mHef+rc4i9 zxB94H-^uL`t{FWjpYrT0S@R@98@_+H-?wj{a-yJWuYuvf@*_${sc7WVHZw2(?63aa z${C#lW5`jAcJ(~lg{32>g#k$dNT`uhDEW&wKEleu)CrKO$I zJuxKO?Kv6iAhNo;&v_c1nU><8)-ZR3>-XmopHlwPg8caAxA%cZOh7=z6}PiVZ93na zit6>(ClyU_!W*!-BZES%YXk4At=Mw;0Ub&8w4PFg>GJL3w6Dj+cS*|k@ zloH2INM@hh&RTvr6WhB3+QW1xf=65N2v^x=1brl)6@>rRCuEhwd2YuYXi`Im4^t0l z_FynH%^`M2>Da$rod2h#*vEpg;TS&c#_hg?J%S$0L9@}s3WtY>mx&)7wBh)%+KqF5 z%-jw0=l-2lY_rt=Y*Zae9~?co(U#jSO^Nm{;0e&s!E9g`fVY*Gp6BR=@R9_CdNz& z*dYkVm`ULfhG-6z00HsAN;dE z)#v7!JD2L$Or^K|l!%M8;qF}f(dv@5ek)VZ88NTO2JQ(c@m@w?K3?@(Dr@Ma!xdMC zvmnOHFac?|sP}F&$8Te9|7OGf>8~q4+JQQJDb+Bfc{}L>;k$HDDD-s}g+fWm&JKD0 z{CP@RS_4m7fS#YI6#kG56cuv8U{7z6jc$F#TQQIuzhNl`coT4| z!}pHr8d2NecvT+aeXlithB5W<;X_R3LjDZdBojmpbv@ske+1HVXRDIt&l&^;d|^9;)Mqcdr2U9|pE>jX{R)iKbP#C)X7~_z-}i?A=RrhLQhP0StObA-wEIGa zUA~WeuE=tH6ErZo1ytjxHvFn@|J@8JFQQ?;)nuYm+Te#Ltqu(ztCnr8e1-FFtA_+n3t3`1N z^KCmfA{yTB1()#%$&zPPL&|1DwG3W@ow*})btDzA@qyPFA{e~`@w+C}anfS68KBX-+84x2+Yh8yg?%UyQ zzAglA4Zq`v9g}qx zGV#ZNMEsL0Vl)te*5(=(%JKq}1Hm-DC6FsM1su=Xt8-f)ds@c`2rj;+9DEM?WO=HQ zK=y)$uktF5B6jZF=~1qiD0#ph{4^Cd4yFIy3FZIFpN$>?*|n&C9In6>K09`z7Abc z8V2Exqc3x7mS)dE2Y}98liFUnn)`s%m=K3zy#&A zGmbvf93e6ujj5NkslD*yw)-d_Bk!~9&d@P^ln`gm8V;;{?4be33LB~^OTiaH0m?4N z^xJvScW%w^MW?^W#p6dq^jWy2-i4$_$5v(Zw-YW&UbOd=h}{Z0EupA%H%nANN(3pTq!g48 zkdg-JQo6glS=8d2_ul6{zwbP<-}CJ4d;Cu@SoeL!oMVhRMz=5-{uCQUt`*+u-j?#= zRc~*fyMZJ(;AI%Kza|||-}X?Nxse$MoUOmMWeM*^b}iyr($C75$jSZ2Yl9?#w%s2i zEqj%h*LJNknBqMsmGWxlI=|3+jgZJ_P1gm}ulAW{R)dTPe=t$BY^T}sQH3+C@zq63 zlu$T_F8M#y?ILh+tK2Ww*P4eY6w2JVz2!17wG5qi&8*S1ya=7Oz?M4H+k0tvZ)p2I zFY6Pt`Va=q1DMwE2VC`VTxu2(PmFE#TLyt0_#;=j#3!6oR8*@S$_fu%ohO1N6SA_d zw-vbp1;m}-rrJ_$KOV?mGZ~>zJsZ*9{;sVLlo0+9+gO{^D(b4{>0?rg@A%gu3%f@0 z@_|`m0m8_^xw;l7NfJadH*0c>WgruN{p6jR26NiAtk_uULk;l^>)kK~eN3<0T15-t z|5QslOS$E=<2TD*kPg@@wgAt z;`ACw*5Ad{@Ry$FEM5^e>-)xn(!;A@#Xde2!*sQ?lLn(Id)&R6!Rx}sCFxP`Nh}N; z;^z>~e$`x4Wbq-mOYP`|C>x}It0fL_;+T9bwDbyMWAcoBC!)5ZGl=ETgUcTL_y?@- zl77SXA}@PxtOwcdT#~|Dl2zX=R0M6*R!$f(R%8YYdo7S(!gI<_JlM)F3$$bT#HpyQ zN^!VPgdz{L56m)iuw{!bWG>qYJjk53|IY<}$onr>IhPWR7xk?+hg5^daVI5;@Y`ZQ zx+`NVXU&lN_Ta;+11LWe%F4usQF!5yLcDhurzQC`L?rtocG!uPXct#kqsNb#_32gb zzZ&W;!)%6>+611YcDk%@X=Qb-&Esx{eZP7B!!opPL0MuVeH(YXs!rR17Y546v3TV! z^$ZC=3?^As-IkpdvT7g|54+nTCt5bb-FBqqdvlxZ}t2(`Lbc z|0Fr0)L)6ex#^>tJIi>@WNJSpJ(b2jjj+!FB6$_5WFt5Nfi>hpx#9iX>uvQwOa}sq z{URC=FKX_%9Xar6ez+KAStu<*CVwt9?U)-QH2LL9eUkE3LxEiGnhz+-Q56{e$%7m*3) zJvo%yy!LRz_C8oP|G*sVt!K5T^YHQ2Op6`vgv@f5Y}_w~c|1+DL0>CFgic5dO1SF4 zj|L57V-1`S6hQZBI>H8Wo0ZjXU?)W;$!K>UZX5Fc&fR*plaP_k1#S0vP`JNv|JBt= zZqD@lU`Y5Yi(dbFBbn%`*ioI&QMlJ%?~;H1nQLL#S3k8qTHI{HzQ~)-?0UQZ*NKOF zoDwE@wX7US&PFlVKRFlZlfz!$&i+|eSxjskA-;$=xjUa3G&e_>b5;5AFv1FfBEz}J zVbKrfQN9@uBA)GD3=JMz+uOB{WqX6d1Dy9{XdRve!7khp0mQIjeq6T@s$@E^Qx_Xx zESe07f~q{Yuiw`SAj_DK*uFuM)sIyU0LNYvYiXR?mYx6fwW^i|RXm}@sup^f5hmAm z#NtuB`ynTj8&j=NN`l&QJiNExPl~bMukFSJIoY?eRvt8H%>EHA!dO=BQ*ZDVmFeK* zjkQir8c{M{x7w9`Ks2bSq;$S|)Coi@t(E%?i$-wU1!q+G5SnyD@4Ws5NsiJJbJ=)Y zyua26Bx4&~MXjQHW<#nVhyn)$XIEneoN0SU$DoClz9*SpT!8k9+YgATXX?dd_JT`- zW%24=s0|U0$$4qa*+dHk8jgmckXUs}8;#=DZ2p;lFJtrXAaYjcPpRl*n-o6|a!UJB zve0YN)ymQ@_ABO}UkI=(f3JQvK3{X##n>JzK>(9RgJf+)XxI%sn z=?y&rO~g)da9CFt;q41wzO)YOBN~DIU#{Cr&GVCpt#u%v$0Y+lH8;DQ?GO`64`${j{@W8pEb5szW(m*4` z!=rMcID#-b;Xdp(uJMtI7YvIwfy6J>nV}l@noDUN9UWD2C+bzAT#AT|3XoTYDfaQg zuGB5_=s!BSk9ySQc8H}i)zBE32^l%HUzH?b0J(1N1bvnnrcVjB&9BbRFfovoa)H8W zZEIEy7Z+FNV@ni&W|D3OII%}KZf|W(ZPu$@qNEHMds70F>#=tJvpV!A2o+pj-1<+Y zF8|HisZj+atiVRTwAz7Y;KoyB5~cIogXp>xjPDYF&z#Q2AcjNM1>7Dx9UyK)mOH?U zDIiSs0ekcJ-AqQw$aUV8>W17MZW+J(XZ`s@CgOyac&wRe!?(2*Q#CUu!Z-IWg01L= zsB8POq`hi$O4iux>U*qX!9|B`Q!QGG10o!o5K9wc-<6@O-A3K}56>@1dHF{oA_z{_ zMxiDuE(PIlv0erj*DVlfZBvoMRLSpOv(&!aUogf4JLC zAG2)NFi>clSXzp)`}qF1=!bvj82YVA_{Z8TzjR6^u0luoQ%X67klrg(&Jqz0^U_Bh zr^B1|iGl_WOf*rB%d60G`@a9&r?lRpUJG|HIU=&kbHhvDYl|o)MjD+2aJ@$v!zthf zQrEhEz}ukE$(&x)KbTWTM$xC^9T7#^xBUEC1n>}K+2=^tr8I+MJVlRpmb6eQ1pQd_}HG{@>o_p@mYe9!nTo{--kBDF(a&h520FbLbD74S7 z_V%}4`)~(+xf05G&jqA-Ti+{2D|g$HmX92di4@mQ!^yP`9u-1g@Uq z^x6~Iok>)_+Oq`BY)d5?u4TWV$WG<*(SPRd$g4pgufS&(@V9^3qgV71f8EoTI7PH} zZ&0)vd&p&Z*{HU(*?QWWv&QdEM0I6h^Do72fjQzAw_o%Ycjt@IXgeO>fL`@(^QFw! zz>}lr%P{k3bgdXQA}WTtyFjfQIQ_}z%0S`ApIC!OB?f3MV)km?$e#ZLYB2o49TS%p zXt5}u_}3vIi0*fWXS8PTg=!AUfL?ZxB{Jlzfwkc` ze~P{B<)9NM&;Dpjmd#m$^}Zf0e%AktfJO>G$%KdOAPJ8GLXd&UgyfCE^=Cy-BWdMw}viw|<+rCD<{^iRT`WS{V;wzEQ&(>ajvIPE& zG}BdJFhZCxFueF}2*CagxQ1>2I*;h-uYCDn;Y!#Ts%c~_)avPLnV7U;gQ7K8GywjE(va&h~Sp;h8?pdsXDdWO2yct zB*iKlhTcDo>N@Iu1e5_7xXPbP=V|?aX!Fu{R;mbVK}u=_CGIK&TipR94?$uPJ1Q8t zb-)ZjQCvMT@?c2quROqiQ-=KAZ;k9Di5Q19u{TGev5{FUwsKDP5Uc~lacF_u^cR4` zXe9Qy>#N6~zMUhUN((~2tz(;NVvRGbz|A5FnJxoR{DWxGw(a4t>$1qG2NMa`f9%!s zFZdAh;ceR*hYjj z1F=tN|N0opRfzvfgQLCt7Y$C>q_@m2a{kRvb0T@nKn)-iZeL&D%;I8TY-}uumtO%0 z8^X)`cVF0FX|VrQD}0QACpo(*8uN%8KS^I=7zBPiqVb8p@yRW}$!_BFhdqQ|(}>09 zH>z?JEo9paKHNhb0J0BKxes0tz_1?sX)?J3mIcnR$;Jre4K2XLK49oMqNu-pR3H5! zkV4U%vk0|}KV(Ng{BL23^}G{^skt z#*1_H(^TH#5pU&~r@!uHuZcj%0)2Qnka%aT{%~^k0L`l(3irb{6X}&rPj)dY~ zXkxqndO7~SCI0)bdKEU`DK-Q^{ zSq;SC5W((%uz9F13fn2^Tp16dSjvE*J+_HVcxs@$GlZqP}!x4L!MudU8w@0Lr^#X=zy>2x>YckOa`} z=3U6|HeBq>&4Lar#M!F`EME-4_`~Z_Z!09!3gcs$0R|zI@%HyaF z0+OCk<%a4S0PS!etq;;uHl2cNQLx^lLAd0HY(iHU?EQ{63G)(2U?+4>0M(Ep{GOd9 z-s$3n?8fXjWyDug{&eASdN$13Q+_(~U6iBopdc(Vt^gr^=r`qK5Aar4Lv@QBs*w>1 z^y>Jp?ru_qlY<9YJzC|1uWShEyqZ1wL-Bv6mbrY59TD^Rch8(Vq98gI&FKjbh>VP^ zF2eHh?q&$MyslMppCkMM^QWX9s=>#`OwAwhy(xM!A;~IdJ>}6?XJdE4jr|KFN2g5 zh-Q^+8wdiCE)rO=gmjndYIXW}r_+EgUtXM@t^Y%L4Tx2d$$|~1Ao<_eNBAV=nx}we zW1NEZI28k$Ghe_ir^Z~VF_G5!I?9Y zM`REGTOY%7mKLfKmtx6JM=S{|CA_4SV$GaKfzDfFiX}X$(7rAV0EQ=JfMQ}r25~MP z)3A`o!xX`+I9>YN25A0sz6=cfGho~1_Mb-Be=LAfjs=5depCXaXFDkwH8sb(0SLJT znxyf?jtuT$mNis%QllQQ4JW;GNjaGoz=M#C{ban2Z_NFro^M={X`ndq=IUBVN?MI?OoI-~r;#i;XH+KGq^@6t%hCq+h}@ z_o(Id`%B!3nMK^+g|xfOsPTN)4!x$B?K|kKodQY-Dt|^NYG9V8ThR5cx|6dYj3QbM$}xxuWxK z;*H35JB4nn2Z{@fIHj4K`D>H-@7%61V4jK;)pNyPZ2O)(RJC`Tc&q=a(V|G~s{G4@ zFjm%#1Bnf4F>=fOMU>x(WivMZJHy08JzouOBU#_Q8A3urOuFU6FyuPc4r9~Io$7kd z47WQ=(`DW{?Pj68{=NVs zd-$+P@7sQ;LVA>-kcG>H{*M-Y5gJR;%>%N9d67vG#&ZG`o~mEe!p>~7=BpuK^Ek!u ztGTC#^;f48|4@1MdzJdY=9E<9d&=d};zh$*$&8>N)PX`mLiSuhY?fP9^Xd?1oG(4i zf?(pF9HZ5DEDAm|=6By6mxr9zoB0#Jd|`#YSGEQjLJqMi14hINAmQ=!~8p)mW!LSD!JtPlOm z8vN%LWkkG3>d|U71`7CU`scrhxtR2ZowXRI%sd!D1$hoFx$O@|j7iiDe~-+uQ(YKx zO0f2n#Y4@{&E1&($C+jdGYB!8T2R6wI%A+eOiJ#K)gICrzVoP3M%Y2sEBnN^F-2w0%j-6;1_AnJS>dQJC+YWK7NhRbSk?N850)-AABN zZGwIsHAC}f`|mii|Bh|=I!*LNiION0`>8oSQg@ZzU(3V@dpEr7%w6iEp1rCbu4Aps z!<*@giOuL)^*_uU2(_Jy;x$zp09{cQXiBAMoxE=56F-1ueo;Z}z>X5U@jJLd6L$&W ziMod2h6)nd(%|9ct^NdHIRcv{S>>z15t;x(A`i@ZTy3m~Yj$ZCMrs?8dLg&G6zx;! zR(d;#FE}A!#dmvCvw?!Fg~j|q2W=huPSxHXOK`+SV$sLJG9utxE2KzGOv@a%Mragp z2f%;WEf^OAaW%e(acIB7s9F6qV05cFaR+S3jM3I=+}^;nAtcH7_8_Vd%d!K9Ugy;H zZI9*c?Cr=o1>seR(nl`p^>ksCMbeu-)Go}flK)%Rhai9m+@F+@0?K63b{a&nhV)IQ zpWIQ0d&8|u^-R$zY}$EjU;*%YVNXTCh+JX$THzrgKZIL(OnYrt9UM;(Gyg7+wR)x; zR|Lh?09UipATVp@XxkGR4B1lFNVHn|w*9}fi+OPyB4V1-C`rVKSEIzmzBGtO?0`yo z_@Ft8A36{r`Mj6c|Li{beRFuOvq6-w@Cp4_ldSUCZS3C{=CXr^w$=~x%?gG~4j1Dj zn*+Sjy(si@!k6)t6xWE@Q)umjtRne<+}EzTA-6FI zPxZ?`;Y~9aypwXHE^+%4O!)cJaZeVB(c4~}ZnQ%{8cQ9wpOnE<*lRKoRle{+EixiD z2c~TnWJXae`{u?^%*>j$-#*{CZ#4*G19#>9flxvwamL$ZIRlr$W5c;%FvWL#VAWT_ zjZPG-OkZp9?j#*6$^`dO&7OfwurpAyebgEo6K4)H5KLzPWU}+RTx8cJE=}v>wXHfM z8;1x7KRt%Fy;l)WosFM=F}DB(r~<=rl;fbix{hr#Z*}AJrky_C+2XYZ*70AGG=aeA zxuq$xh??Nh%Ppr`g;z#%@5l|;iq9CWy3bP1?uBH4r=l@!IH;{zV?(-?KN#S}uwm;@ zonX2;yDWvLC)W+CvP-kezJJ&}{^oBC?@U-Z5p_GA%7os0RLI{V4^=BGtlohpT_t|NfKSO2k zV|l-2nRrtI7@P2K%H!Zc!b)KiQ8`TQG~%f=ia>e5iYjNz<4wuldd9>GT|4V(P*=f8 z88#5|eC6&^p>d@E-~DrX)&=^zq5%U6E;@L}i^u#}YgX%NIKbOGxa4i{@@dIxP3ugFVOp{CCA2h(! zwE_=UWLBUL%~}1n5Dr){47+Paj@0qCIkE=^5^T#3*9X65>478;8p^_#e7|piKl=(y zG^r^3v=x4Yg){f4nPuiAQy5b+`821llj;#q-UC4(4@ z?lr5Nev2Y@kNt6)>2YYlvCW|ajD_&@2LI6cKHq{~cX%=KQiEAP%FDpwgFPez$X{vEzj6jwfjJ1Tv;7;hV_BQSZ zVl$p`>DD+t=YM$tfHeYGkzWF!t+5X-(N&OY^0nnCs3Hc#4_if`olN~WHIAq`H!ScO z+)3L@5!)>kDX3GTaPE98NeU^Am=#iIPCW!Zjh!c_6)dSl+QP8tA*ST1A19cW2V+qx zYXan%wEUEo`TG3EpG{}{US&Qje+kH9owBg8IIIx9aQC6CaKabsZ7((P!+)r5yYm)( ze)=@WwQF#-Fs;ODG3>f2CPc%XZiQ1f5I^GKcxUdW^YB<>M$2x?WYE}~VgRASUhXB^ zYintZfkxCh=|QetvekFxFvQkh^OY8!iY&w6I@oAEihu0o%F4=`qgW&^J3*#npR^E0pf5 zv4g?k1Klb8$O0%sg^j=dXlAa9w|!I&UR(+cc%Ut*rf22c(FbCT}V z;GD|zA}e+srVFb1;V}WJ*cy8f9OQNdEPveewyZ@j>Sh~Dmzv?J3A>@KK=&yOxxTAR zs5K^Mbv&*CKo8(+2vUPLD%2h#PC?496*`;;MDz7-aQl@7XkmI?`KNJwlA|Is%Y!u- zb719>6%C>mAxDJxNTsHUS{?op;`=|}@=U9K;8|TP7Ht?KV))tKtF)zb#+Ed6gT}O% z#&UnAUsHcwmH*Lkl;z>Z;p>d8aJM0F(`}jS7D1oP+BI@~IO?HrsBma6>X8u^9v+U+ z8hK5?V~lU34!2?CV(3-=kP9pB$&;;4J0NU{-H1hylQ4C?cg=_`vh?(8O1XG*&^f}e zVi+Mw_j(H|jS|ugjn$=vaBwbGZnW5OGT_JD8ixZ)aCYIg&)MpRFxDJF5PLAi2))Cd zZjMr4(;Gtk%<}nR`@rOG;Q^S~)exZj;eU#pk2br!`03nG+y$WtV)Too7Xc^LNkZeca;q4MFKZZWZST{2kIK%5qg{9;Q{Y)TIu@i-X7YXN zcpI|oHSe|EhU<2JB}z&*s=PJ!9OL#e*65`jQQmq(kt%=UcY_nI4Ida zUgxQM-DLK2h`XwqYIR@K(rc|XQfx*lczSvQhDU8He1=lM>Vt7H z(Ad!b<&=WV6TLqzMgvgC_pkvg+(6~UNrG_lh*U4zShFlxN|RM4L{B4!g)72{37qqi z^YXULEUDH@0jiudf}1zEG|EKlE-qW_)#5d|ZvLa-!#^r(9_-^l=y};}l7{uNcIInv zL8d4gbEFP%FLP%99`r4IA;*1qPt&y~+L@`QPp0O+(R$FKtwSI=na^wDwe1MhP6XoN zhbSZy3JV1x@W(n8x&dU6D%N9n7HRfY74>K?y$UBJRt56~{SLpG`T55FVMr`W0E0El zPcnGb(0ezCwhs{V6hJghh@f(^^^IE&NJd=H+vl?%WoDO_IC|$`VnVi$o`U7vSI{T6 zUCOr{7PUb~_s;wTSJiul6M#ifTEA;YR7&tczH8ek!||>2Zh( zB+N7CD72&_2YCD+^I<_Uo{tfMs1Ep31wU`bL*|soxWUX@n%474OqL8DAzLW%5+Cp} zyzqErDi5|6dWn$Pii->Ck@{#I=ozEsHS`QH#yfJyU(J$VqEs&~gZcWY=C?R)ogJYb znQKv)tdOB$iExnfgw!5vd=d+!mwX+%anCrhq@-lRde$``l=LB`?N5@HALE^pV@S^e zaHhSmneurv!&Y7-E^l}G0gl-Pnm5;2~j8H*5pCSrwf&XrH*wqNpIpj$kVJ!V6Hk_ zTNCC;q)%WFH-X{q{{E=$?o9o-Za9?2k&Cv!It&0DIY@r1yae|w5zI_k#0$>ZRy;?c z&n9`o+*8Qv#C>KMCq<<0y*Va9b3(&ZaO*MzNe#c?A96}evZSM!+_Htlj19f}Zyv&^ zCcw!ec*i}#ye8o9ZJj>2u2xeO+^=dI zLN9?-;S$!bbPN`u@B<%#R8FsjKnRrvZ`_CR&*-aW+uS4cJ)GI}iUpu_qs7^yE!(v^rUv4neW)S+A$xomGTqLRzn}}MU5@y4|7n9F1qZxhO(Wdx}jpz3cihq zM;e}|FA`0&6#$odh;wSz<6j9f-dDQr1i>#p=P!sWWp3DG_be~CK&uq zjC(6YPlEh`{?p_lvE5c@rUx&mF4s#{q-o6%owf8Zf^rle05mqSX}1g_;&q338!%X{ zfi_P2v3z|i=n|aJqdxTR7b7O(TGW~Aci;^%LkBc=^9QKTLbmTmqO*eB*$^H7WBC~q zT4GKSp2cNI{kmk|Vz1;;c{!JFTQ`IoC5p{KzleOh+S1ZPbP&DilZI zBIgD)8&l21*yvbr`V&VTIW_lyTPj*)*q$RXP zhZ(6K<2fuOVAy+v93+Czw&5ggpS>?WlbZBK&-2ZjV~5VR zO$$p8mu(6MypApJ2u|ILJFs}y%e&WqzaQHE_l+L9Iy$oH`g5;Nojcxt&dT0qqT8)_ zNj*bicrf=&=UD#OjN+`H_@86516u=xvOWqk}5 zLFAXQB%Z-PLU$AU)v@z``#0O<$9H8bi`;^0y{Mnfcdy4cub6yz{z7e|rQ;*1PNPxf zGnBYlov891vyj-gZ%@?M*N@CTLEn}k){f$Oh?n&7qs@6SVzKqj&CXL1ckbT3*y{+h zjia-l;&9Dqs*ep04DgsgIALI5@Fq5vqhCf&&Nw>b1Ri$6=3KQN*=!%lHL5$KU(XmR z32W}0wbjwp6`XF2;5>nO@YwKr*w#>{v-iAJB$azNg@aK(+ zYAXHS<1SDN+RqWw5LpnC`^}E7zN|gIWC}6kDN2dnlw#r1Qc@%1l4S)BAiiwOQ`E^+ z{v`j^eqOCt4#p~e)Yh&Wkr8DzL5{0{`o!yT?kTVSXONPap;v+jI{x-ooM$g_VdLT9 zT^16GqInB=2Who)WN>grE9*VFJ4Zg{f!o+Cf;gfy7reJe(F3*7g#`t5dv3OqE2X*z za?+V>cn9O$r`#@jiUs&jUnBcmy}vm(Z2F{=it2-Yk@xo~cV14K%CY;jT(nec_)W{V z2XUEKGw6S2ml9%kaS0!C4;9D?I$Lot;&5Cs`MNIWT=Ph0$-=LF$CiKb-kzmw`?L2y zUmmdK(oc_HUQ1XzRANh4*P5h^)M#)WcX_v9(LQ>uu1M(tR~*-Z?1+WX(1NVL7C+;N zUgrs1{!2A)i8yp$9$a?~^sg%z(us6!{^}j@p!;j~S8p?=){`En&aWb*?b)NFPi!a9 z%ekSNe|k=a1?7dgNI4?gV4e$|ybjA_a*jYb^I~V9)IoR1k6sHwno$ z6c7-W@)p_M;PBF0Sq`!iHSb6{e>lP}YTDG)guNe?2>!~q%JInBXPOWKelS?PU-;sMMI?LRazqq(zDTvD>rT2S`t z)hTeFkFm}Un4X?K5ndtoK!S)zHAKM*z zPex`e!Bd<~>Fty0I)DfaI#QJOz0Um#OC3L^UsJo5$CZ06?y)WCz*g$$gI2^+NS-jy znXoPRI0GT<1@;C0hFron6Q@4B(g(%A@%wWsp{MgH2R<^$hLbTVM;~=Am5bau7B`7T zqgR5YKcvK7b1U40Hkj@+1&F5SKF%{x->{S7eD`UTo8GJuJw$_Z_*3!mxmu%r1Dsgr zAk6su5_YCoUv6ExSmQZt_upBlSl8}6JfCLnp-|MjA9Um^p|uPJ(iucJQ;xp;0g zdat#uv^+~ty3?CFbH(W}v-w<1q(NSa>E_jIi&?S71bEVzZw;k1CD(<>Sh;5Rv#{QW zsV;f1n>18W#p@a^9WG3xq$d!@hn#gyMbm+*zAl618H!ai)H4hpwVtyFX7EMG9n z=5fKd_r_P`X6FSf?kvF-_9j@yv6d8@$&Ao6H!gQExq^wPDjt`V(O>Uf)s4LV*+lkn`-h9e+2HU%IJ)}8aa1jQiP0X0n1%rO6{oS;Tw5DM zadyKLDj8I}vu8iQ8uAm0Ytu==xnb5LHPeb2&y-%{j z*}s4P{2v=E{QPB4u||Qx)npqkW!i~2!E@g&j;q*i<1#7er!37@xp6YrHF|x~oP9&= zfWT+rQOoNrRbO#e3Gig zv-tQ%s2_#Niqs5876AqQr$-L*GBY_3N6Hrm)QC6XNpJ~ayHUSrWmBA?5v#fRNboof zKNEV?%g3M@!@V*}>4Ix0D41+a#2C<>>~$+?f^ndj9tRVeetkLq)JWSl&G>Ty)2*26 zng#C@Ul_L~lx|Zot(e$U1#r#mU&k`Mv!Qnbl~!)6{rN+WOn!vN3%tq3dJMmZ;PHkC zzjsS7Osq!|D6wj+V9ib%*lvv$gsC$v~c2k1d?;ukil$JSgA-%S9*WL)aoI9)E;U) z`?8?KhtShJ_)kyYdqF_M{KK_T=-x;svyS|NXqIEt%>pszV;`IQj=72_`hOPRVLW9= zm~oQ1#y@Xf;>zj$cO%A6vO(FEQ9y$^c(*$IOtbINlTg+rHyPV_hfD%$;Q)8$UMuRb zymD&4vtPuFZ&z0Jx!=D2Z&qOc+yM_xAHRUkdD*6`GF7vQRVVK^3H7`tx^@q6^eM6Z z7gbuhPpv&mLPLqA?%iYGx^`P!{1^%-uf_-#Bh;>1P2m1h*Z9)o%w2R>##C%tDJ`VtpGJKb-589D*XM(Ym|Vm`GYcM z>}Qpzr^h8^`x9;ck3-OC0O=zWG~yV5jNhD zkT@pFeT!y!9GrM|av0q%Dubix1(e%OO9IE+eL<|-xAZ)Yqqbfq7&p&#OeC-w_T$={ z5xB}rROA_*r}M3J4ZW!%ej}~N9R2t%&X$f~c_YpZzRi=Zy!M zt|Mt(a>>QU?$mznsMslAsW*bT!qM@lJ#Q`xHkVu>9+{~y)oGa}-sYb`h16qXc%+F7 z?_n?1j4$%V7f*ku>UsQTU@CCBTXy*V^n974XVhEzj&YF-PqVEbwfHPlF4dUh54mV z47c_S-f48yq;fcSPR2wf%^@|e8%D9ap9HH|cS3~0?}x|U!ez8^g@cCk{7`#{x#qV; zfjFP93%+%(>)$O;GhJ17!$M|5Xj-bL1JT>2Xxf1<>X~anUh=WRmx_yv{f56%nQCw& zSH&PLI^VtWERE>pf%~VyV}WU}VmvLStnjT@J?($gut?mz0GEXC^XTlG$I7m{jaK4B z5#ZeE1`OCpRU7T|CXZaw8uuB>%$L(Sq61VU2H>y%D5`?AiJfG#-SpI@cdnzlnetCQ z#S74579Q4pV73;sAJ)hdnC!Ioii?WUo+|Xux-WH94^=*dy<&9!X=6jfm?65$4>MXK z>cN~)Ff}t%=XG$WWPQ5T6#J^;4?4JBp1*ieC?%0B6Lzfnbf!)r-DgE7|MHMU+BdH0 zH>(mKy3?Q+!{VP+vONX^le<_ba`Ej)SN09x6E`XmIax?CITc%)#;U}Mn7Tjwabl&W zX$&7bwZB-|?FMQoRK(u3#u=?cIijFp^&#l)h~-q@3p#&sIz>Y)yW%jiQIXzb9y(?Z zZr>TPv_;n#S{GDwt%*x1sF;mRABXAaSN<3St%!^EA2NbiCG_M-?<`P%G}glM1OFDQ~70B?5j7Z(w@Cn~*WU{6QWFocHr&qB{v4(c7ZW((Lty>obEH-os*VQ-j%Xj@?Rb?Z*cjBqIzl*41t_{PfK)Gk*W>MLh z6Hgo7`Dql1eC*?vKeV0{o$358ivBLNo>s0!o&D-|HQtCyZgxPC5bHDtSEo@(g#H7E z{*LJ2J)Tk5}V(jor_V{HkS^>UY{V@Y~dW#rL`KEyJgLVkl^Ln_?XwuI^_! z9Hz|E24&k|QfgKEYAN(gKMRq!#HF#SS9CXDa>-34jIddI(2fEqA?8KO2hEuG3-2{a z@8{S&*jqg%)l$&Z-g)@S_6!c*{Tu?re9zLQm7D7~_IEv2a>7koWJ=LuR4FU>x=!{^z}SbR7BppL4>S8}G~zbB40dAS^X>F1gr&n5Qi&B&V95BIY5EZmZy_WSnzhTz)c<9j#B z@K!z;pmck(p0Dqv0s&Mx^)R>=KXT_}rgHPV%k5_o_?9Q<89wS8uJ_z2H;swyHCkG+ zORcFH#SyiTcU!7(9>b1Os2aP!(|6mFlJ4G0jR0P4yxy^Vi{|@yQVwnNuAa{qU*;`^gsi&tWe0rLISY3R5Bki<^%LW#JR#pct$0a0Qf?)1YTu*OwldG%N zA%I;>j7D*!F4{nBOq7;(G@&p-jxq%c3Y0Z2D3#w>JhG_F1}Vcy;)mkb_h25jJpT5{ z9udd1UQvmUK0YT&>8~=^`GgWz@r?}hd{Pig(axtfo));jlkK>Ex&+; z1-6`d=KYoAs3Mz8@6Bv3?qhMO#I}_!uvRmmZRFdao}Ol%_w}a;e&^ zDBx&`CutxR4ayqe&AZ66y--=eZrXLV$J+(-wK|7DC+cLE%}ISirWCbm&rBt&^b2o| zchNtrQ>GOI)Jthg~Hh5^%^eLcK&MYjT7dNB;;iRB=9Nv0=1dhfVLQ@pIM(Q>$VadPoe zxSc3_y-rHLE_<(ix?ahyVv)nKB7WNktwwKqd{j8gTVnd}=^0&BOFOlcpCP@!Tb)ts z6jNFFRryoP{=4-J_Eg9F!!QCg5bwI62G+N$Wpc;ou* z{I2#FeN}Hy^kIc_=NU7;TyN@TmGc{Fa$Y~b;=uiiq zPLjFhn*~XAouSxuE^p-|95r;Q!BHHTbX7x*c8%9)dW|)TQP%3E@SoZ|I3KgUa!+7(w6<^+L67<-F~kzJ$+%3 zV>kFZE!Tg(({P%M$i3r7qg5ng7!dw)PocVeCF53cO2ijBV}TT9BPSyj{y|1XwwpoH zPHyA@yN}~7sN_^^Aqq~f$DZ!OqmmoZ_-thAH!5D9Yd(#4DI#ALg5C)6(%iYSXh>i4 zEYaZj4n-Em`b(2f8x*s}ighi~*o%ytm&8m5x#%Rj7YELg5VQ(+c#aEH{n%FgrqaVo zUsTRLoc4@qH+PiIh|Ybk?&O0u^~U2~_c|F{c#ADWb}Piu^Xb9&o$wnC#F*DsYb@st zOkS0ygnSp#-jP*Hix8LYndiWZD#D*fkxCX+y5$qOoPUQcASM303xY^!YeM!18hQr!!Ree2il$oEz!`fMGp~}R(O-7xq4sFHe@g({T4@2!Rw}SamD3oYd zsr#O|Mr7%$$RUS5R`anRCJ%nRlH~0^IDP`x+A}&;InE^EroC}DE$y!97U&KuA?C5V zQTNgFuST`6UvieBU*qF8G~`Fuzm4+&w-UQD~;@o{V2fw^|Gy3whLKQfj8Eh?RCd}y)wdfbW$G<&_ z>y9qtH`wdC$C$tPq{gA=)h}ThFH#?ojv_@(;_kiOBK>%!@sIC|F(+uoR_t3zZqXm!zRFD4vXsjpY&Uv)yNUc zw9avzXEz(};WO7b87GhG7SODr;QEykXVMa8Z71(d?K90p(M9r}fcv~@x89@o6PoDa z~7E>7IJnt&zNvmSW~tZ z-;)f?;jt#3%5h-#Jrg#er%51Dk|7a1H*J#UEv842QJ8<>p|$yqsqyOjKQFb@)6rdK zu3Je%kobfd^E0wH;==7Xh$(_9EsbhL&w{KV+%~a}XmmbP;RU_q*(%UI(}frdJnb;L zW)VHQYdb2=6PF3Ytc;m48dftu&+9Zf&UH*jYUqDU`{DrIaqU!3#eFu#7^eNCBnk9P z;&#Ea3@M_~fJ^?o`@Mdtfoe2V{85^@*kv`8*$x$ z#bUq!!JhdlmO1KQU0aT#$M@@Q>FLGZ<4DYSaKGTzZpJhud+hGq0^#MZsglnyha>D2C==d4gm*|eZSarwq-Sg$^=l_K| z-P0y2=PrQlRm|scy&|cACT}<+izaPvL3-su06VX%c`GlY1XGj7DW#--dbxSeRb%BA3!Rjp!&xYX`;0e1%!0^-HJ@K&1n zxsT!WdQsi@reE;>t9kzxS8S9k2@EU8vo85~ebuF{VY-_8q+PziOT5^zskN0eG(%oW zRyOR{R5OXE+&ia6YX=8!Y7v+E2^{<>DSd%^QMeV^4^5Hx?ncm`JAaJ%>f;u2p2y79 zFMvMn85Y^cf{<^6Cw+T@W+$pWi%Z;_cpYn}Vnh;Og`TAlZCG%yTkch#TJF!ey<2(O zV(_9`M(=&80fh-8vYrp;+4M_J7rPVFGTN8+#R<9^&{~TH56@yaR(7M7eINT)M)Bhh z=a6=O*zJ{3de}Tk>bUsubGjf!P#qibOUINHP8T?~7+9~@c8EOx9+2LBwQI<~(|CK0 z+0aC0fUq`To}-vXf>ztMKYge)!Ob>~lWOfIx5mNhIP!ALnIum})`_k?XpzYd|KVWn zoS8<=}ZXRIk~m+Cy5r42w{^PZ&vOxMNN4 zhwmD~JmE zMkxF5`8F}iVLP-Xu^`9XnU$p?nsOf+53LkJrE}Z;V2q1PB{aktVpkQCQDR4tEb$+m zOb<-3c2Vw+r{zp38JNse9ASyx4%M2fxK+&=JcEK{A^GyI#LX(e(a*uA?`&<_0IP=uCb7W88XLroB*sshpW;ZBt4Oab90@9osS^TFJthZWYtT4nT zt^wN$(>wJyS<%o@AfjEAJ6apRf+<_IZ-Sce86!2aVbBDIjCf+g{lXe)}cbe-6WX zotDiyM)=~z))rDi4)W*SIy}OX-3vk|)a5$V^X>D|&6cM-(+Au`^i7rC7_Z%?DsOGS ze9Uv24)0)AH!dv(|NkTHEu*^py0uY28Y$`SknS!CQ5q@fk`Cz(0qIidE=lR`?(XjH z?mWw9zx#~$!?XWq?|r`MaB%y(fi>5h*SzAUoL3^qS%c0apmBlSR!v`WxCd!wn{1fb zv@an}|N8!gG(bCRo~saMq>cV!WN3jAmu1&Ai4ObFT;C`fPu82y8uczhk0)6pt}*W|)7C2j2rQqzSkm_H z>=(f63@2R#=D<%sY+jtqda(@p(PG#5AMK>@SBnT?_#7@~^9$ULDtPIr6l=lcc;7S1 zxOn`|LEeBTj;f7RE73yCIIJxh5>M+6^ZZ4U^|{*Q zm?N+lTxPpHck8jent-bq9e684#=-V3ikjSuc=+@>{+Jw*rx+}QR)w8PQU+5mRtbZB zziZFo7tqr8X^cz9z01XPp_-@?ED)-FF6a^0J@2+?GWm(UZkFOajC33W*XlenbQb689#3#WBEhR$nLTV_Z2#>L_M zUGxjT6n+`$V`lN`OZ5n+fPSfWIznMLc`nTN`w3(kaNw_G6J^K!F$1@Wq_lawVMGt# zH?OBPPuf=7o;dA)6!s>At8milr~H2b{r@wePAc@#-fw4g%P9h3zDU>wTh;p!x>mKM zUAJ12EWPAqnJQ#AAdPvxP5hgv5ivlFybLKhjC_4enNf~jcSCv0qwcp#6tR#4$H=k~cqF$J@E|sB;T1)Mks})GGVl?`oNdEtrtxed`~)y7bFrV9+m1~}Z>-s$ zzu(pKOZ&8Zzm&$lxtnag)~ZEac&AwMlZ4@0JY~nV-h6Nnbh9j&I|EvhBMd}t%Y_ja zv5dOrQZwh@+@<(Ik>(YXpXOpCeb8@LFlUtj`_SL5x;kDy)bf>T$!HQNinOP7Cu;BD zH!`b7u#dmBr6d(ZNp;n1KE6}zj|(LDj$*4o%g1Ro{hn6{vrNQ#MTj5%2lG6Q{FNX2 z$;eJ~zIXrpol^3XJx#K3*Br6ZL+|{hU#?+YFD+ttW-m!dSjL(y^KhA;45m0Cv#f=C zVk33BLQk!H+=sIID8-MZe%cmlo*WTKuhyM}uJrhCt>=g>0^KF2-H&D*!~E7>sntSi zMtpCJEurZ>wcO#W ziI8Rnvu5=j3}6Y3pn_?CU%bLt66?5|3`Wp4*6rJ}ZSuBBL-zbiOj+(qgq(0_)ZX#p z@yHXoaYZyTVyKVfs`WI&ZrMcMX?-f-5gzQ6=~BXCdnEa;OP>1L$U^n#OySpt?4>>- zpX#USe)YP3jgH#nDqBp%BIPo~lH(IIG)<<0e__z5hz^LMUor(_5g*swpd=4x z6mtTP*A8r}SXq67`vv-kJ^fDS+x#BdhK7jv9QPRp(q|jq{!tl_kMeIn0TcvQpdVC; z(#e*>njUfK9hgWRq5Tb<=FQcyVV=MH`@g+mBOl`FWTVCYu3BU5xnW6sb6MEuk0h}T zHkFK8ctAU%_Gyuso&6QH3~tY{dyGA>7Z*GQBxtc3Ye82c%tv;rQyk1m(dtkX#Bo5Y zh6W5M8d<*g-Qn(UN{`B|Q;tudZrM%TovZ?#SG**!=gK_U8&iZ+Lbqd>b&2nhUErU! z8>F_8cFJrqz7N3s{uTb6NY{8hjCL_F0Lo`X#^ZJSa9WHb3eh5*#fv&*%W&d|#Pk02 zA5`sGuX!Vf*Zqh!^RDY@;Q9DsdJBU-@=fANAqqs zznhAM@-~y9yhu|Cs3(81M!=Y0w%~&4(!YX!K3!Jxdz!R2VISZf#cqWcn&iSpEW)gi1NAA{MN4CYzxJypLu zj4T<(PkEZFI9}St$eY*ebBM;Pf(!dixsWi=iXPRp6~>HaCGJLq^uxKPx{Px$($#@B zx{rQletet(q4{&YQJ0ZqBtsnvcn^n@frGx3G zS1Vo**fma`_IiDj6D4O7aW){ zT-diAuaimQn6w9lu%nm`GX2`!z%IzwdF4qYWGTOEUwkc`0IO^ntYSJsnend~hjS~8 zpUgkq%1z>sg&+%EO@2Y&viR{!9WAb$0sH3f1l0?z z+y8Ym9n$;ViVH<4U{j)_dv`mLxZBPQ3`j?XF%L(XA$SO6ka!I1tUs^sL7w(lbm&jS zVXS4*JoJjr9a3GOZkxievs_$ht_$s+7_W1f+X~BwiLF&R8(Xo6&$f6fXZo-yZmlA1 zf`1q^IGH%d*^*%OFk6|(P7FF%U|hdu#=ui<`4$1A5Vo`7y6}Z45?>{Q6{DrRQ=!#p zU2On>1Nz#SH}CYhG#754i;SXZKjmWIVBp=Bzl;;nh+_sgm{EJ$%YCfQ)!33!80biN z*>|ZEja+rpazK&Tovi-Sz{ccQ-}H#OWBr!$IM6dgFY-+Kp_s3*{U`kCxRvv z;bYTHF1c4W@kXUE*ZBs{1eoV)Zxi`+kK(#6;Cj^NA9_-EMvi8Q%Od4dZdn-s6_MS#X4YD3SR$fpqq645NNz{XUA5x$CHc7X z^6=1To?_#JgX1rX?f~QcJn18s(V}8eKwNYwv7jIzg`4W$y%SJ$6S*t>y(>XJ&Ex!| z%VAlMxC-816W`$RsTkX}^j1DZxV4dKE~i6`Prb(gHe@jycX@kEbFb0jRb=CeOGK0% z9NO!76XRz-6>Y(acp~s{sN@guI|0P@taMq$9PA?CoNcPumGJoox%lzXQI_U&ICqZi z8uwsWWTamTe~m@|)$vjs60yF)yLUnu#|h~Gtn+Vq1^};bXsDUb;5UdP0iT5;n&ZIm zp_B&`GDym~KJ8UPez(uoU8@-s*(FYV&U;K*1T!T+n{8kPc*JW@cM5em*1gC#9+y-o zeE!o5ppLyX3IP$3eJZYZrO7^t{MecPOw@rA2N%=m(E<+sCKbg#UhmIm6Vjl0PFa!% zDoCS)s*tK1gW4wc8Da*?7vz@f>hRwwj}0#u^o=PI}d^eNy*6z6?8;Iw7JyiyhTITE5M0U)PM1kh{hI% zHMHdARlD{0%5a>^1Qd5ncoIJE?We1);1WFV&W%C=Wc3CSA;b^{CV<4-qY@x~T!VyK z_8wPLx%-sIe_-Hk!%xShN2I_LT@I#Y+ozs_hA#K|?;*R8roc5#9)g$!pH-S8>-YT+ z!cp1vxPu7#{|+Offtqi*FIS?OWccS=m|plM2~+Jl+0*2mN}G-cL}f4;$6eD)0!LD-I@~;X%iG=r-}`PQoU_&L_;q)Ie_iM zi!;I?C&IwC6r!G(8s?=A@`qAg_jj=rV+_k?`g2`Fj1YKvNa*-W+mm@_Kl$hGCZhYA zZmG(Icy&BYVX(iiKh<1ngseqJe`I$slVgV?+;IDH)L6ai^#>Wl2jdHGe_iYvNnJN9 z4fkgbB!y1NiE=xUrHI*)^~b)(WF%`jSoDe5t0w)GJ|s6W*0)@){3B`O%fi<}-cs)F zll=GRDn`wXzmk|Mm{`$O_4h4&qq0!-}{t;L>y&w&*(2jnXAgMM^%K3*l?l6n;B@sq!b%RN83HhQ|`DadX`A5OlHe{&|$lmks~O%lp<*qHA8}cacP>9=bn>+xl?7tCz;y z@>nmUS>}rnoNHc^L5?ATs0cxFVn(mb!l-<*ZcuxzCy4n;qu!y+bUgyOV>k^4vlTR- z&L<4fg5JXnrZdeL@+E2{!q^JIL8l;tD9fY^t%kLfqo{D3-pMvSL}ZDam;Og zsBe2pX~T?)wG<<^AgGm%hNoX1BCVawrPy5DrZ-)Mn!W0cEE8}^NRTde9y83&A6+E| zKS$|P8-!NHC2ZeaePb3^C$oLAE^g#>t=9ST`GKLs<&Xz%%HRMKv&*rzYP*B2mPt(C z=y6Re`zEZrwrIUOX@*lE5Ue_e7rh4W59q7)k2J=KZ~A$N^>tsGq-%{kK)P=mK&5GS zh&;CAV`5;4_;8_Dsb%6JBqNFa^Juq(pt>AwBP1RGXf#{Z)UQ!7502S z#O!Fnx%1mXw)9;46tZR&+aju=v6fb$HC|Jv+Z9xXm8MY=(E6I%dCmM`9)Em%^hW~H z(g48U!NZBr(8Kk=pXBm-R9f9P|BRC^vI=mpoZ;zP5XT9)LYk=o2RMQiSM$;(s8SUF zi?)vx>Y7vp%KJK9%IeKOp$#@YXdga&7$rJDrhW`q_r{`Ah5$z7I^A<~38DC_16k%B zai+j*us2F!w*Y1UeUgnXSLC5u-nl=p`nKseXZN9qNZ(LNwi^Erby$KB!+AGt=Ol1rTO*Yo)LHN&R}wCq1$Zo7CQWQu?r)>v zZpyeygoa6O=V!e@uR~mH)tMfwW*4__L5avou#+5bPt~yh@2Usqr$I@7lStklo%QB^ zaDe%TO2Nt--6#aQp2;#_gB(!-=+G?E1PvLLsqaIJ5=hTCFO9^|yYnZ^L0KTpk`hbjyB z5#&8+PVJCX`aeAJFS>U*5g=qZ1eXQz1Xoi`*zX5L&PH;AW44QdTQ$#eSdYWrJeBOH zDXFPdyHqY&rPh!jjY(!+CEm0_PNR~lkUAm7T03rj68Fl2kx;?$Cja-Vs4(>OYHWlA zE=>5LcngLvc|DrRcRT(#IzLouEa#vA?KlwVuk16(8ihsMGJ&%MJg|$ARhRQjGm^G# zSzT4dN1v&)HyIF`k^^Un^Trx%&J|3gbs3ZW3{%-9TLjfJ;B##^sLORR+dj%OYY<{f z+>|mP9c*2&r|0k^Hgoa!O7$*6t)^$ES%gDLCrs>_MLD zxEtGo+1{_!qM$TXMr4NA7&L47SDX<`lNGPav{A6=TQ@v4JK~qy5_cHLS9m(_dWoUD zZ_%Ok*KF@cEXA9tGO8>-x-Zg)o~_4&+?3c^C3!)rl9}M(;M0Ekl2hJS{`MA=d2LUC zXae;<9KUNDro%J-KEY5bq}k;Ul_x=5*_B6u^-5wL+QCM}0-xjS8wO(H)KZ%@Hm0DP zlNJlTjqWR%*Q`oQvShl90R#l@kZf$1X>h>bqpuzhub)$ink`o{QU`R?m^SwIaToPq zIN7KjQtt=||H3uA5vx(6s@eV0gE5;o36)SedEMLvCc{kyZnsZd)~yEROQxJkT~Ht3iMLTv_f~AU{0@*J`Z~~g#u391L}{eOrB3IE zumkOacVD!%#xO8d7ZZRmlORHgSQ%fgj2U~zy?O6WXBAHuxi|Llo*6CakJ7KkR*et{ zg^%;BDm9b~e$4G@VN%huSqkqkF-%2S{W?rGc)SzTrQ~FO-Nkhu3BI-%CLxS!sK`raIQjLWBxAk@qqgaD`v_Y)#63Zc1BEUlf>p}Y|O<~ z1G~@pTo{>^HLbcCZA&@O$%Y~2AzM|MR@L!Hk@@2H`**nFDhiW1&0|`l*{(#hc9ewk z`Owb_lq0D**fAV4s3EBMnzTvu&+|6Wsk<{8#u=omPeV|*CtK*KHa-n|7uDDrhP{Yf zHu14|k9YU*rmB+Yux|_01$|5%iKNB#74mv!Cuedi3o|3R!AcC2mxV^JEQsQjMwG1+ z_CqlmIGQA+M_#oe@`iBvzF*C}xs(=I_D9$;HKv+Dn78hvc_Mk9hNYz54{e;uSCWtIuuT*8R_&ewof7Ptf=mY+_g6am^!ns% zuOzOcFJqI+16_p*dhlIgqlxVAYJqK#9f`y*s8<9wBsCiwkt;jR_i4{hB+8O)D=pR3 z)^xs^zHWd$CYcasaFZ*a7JcSEHP_%yb9rom#)Hpen)iOS#ItAk&4BQqxR1I#$OK&2 z#j+if(VOH8f0X+&df9G7A!qjc8+{hs+vINC|8_I>%mE8K?bXg*fg77WuUU#{=>svM ziCznLlQJ+(mGf#w&ma|P|7)-dW9}OC{6S0cm-mkdtOC~Hgi6+{fJ=dHAV9Ffg#*RM z7WXD{rN^|Kowrn$= zbp8F~-?}x$Y&RvkEpj;o{L9NiY;OVc`Em@X-i;m%xN7U^dWv(t$!$*NE2Jn>eOy{u z>wt?1BNxzm1<&txDST~NertiLwG-ry?%@Rj!`~)O{#B5E5un_Rzf@ermO$~(K(lRf z^C36ql9Bq9dXEA7 zg^QIt9+!t3WbE+VO2llIpKS|fVAaH{2@%g(%($6sR80tcqRN?GK??bQW z==1CN*(oZyX4F&DF`b?({HBqx59vC0?uy*S#nW+#)3x}5~|IP=M;166s9kGdT5^vp1YndGt zlf!(z8N{I=-jM$@AG@uTK2i;xC>{Bb&Vyv-*FCpfS9^&d7BVuQQ1oCfptyYnjHB7vvEouw@cde(t5O8c5G!F$0A@{Aqd=+6>h>aJ*%%joDZZEkB&7vK^Q zP#ol^U^Bjcz?cA1uk7J^lczg-laD^a-cEx&szr#rYQ-Y<-33xulEX0manI^?m1q>0 zVK}i-_Au1KoT}nO0cuRTTuJf?u^4%K=4gaioJ_NdHY>3fSQf`!HU!=-Yx?1}B*XlF zWlCrHb3cYt;ovnd`Zm6ik6v?JvA-$9t}+2)-|C*G@?H9i@^^5Hc0&H+^*={g_2PLnci3UIi6;Kkf&7bz8ghIN!6QY`_|T|g&>YIBC9r| z^wj2{lL#2gGADl9{4&vlib#OS@9+VgtWd3_`NKAu7jDldB_x=FgW3Oob)jFkY@q_j z{J*3o{ztvAfx~FUG4Rj#pA%1nzc@di9mvEHSH@T$NXTSDeEEqb3jt%AnpTDn)|osw zxCL7IP%>_%f~x~3?Fy4JR@~|-VBxq=`Nv};?rti)R+&49RSzGL7(pqtYZd8aE1on) zLtHYtV{}N}j6$fZ97j7QOJV8P)8mD0$n8fg>VPju#rtEi*VlOu)qy4TGP7BC1~q1V zcYfhH#=2|1I=cX?7^Z%x`+L+qTIZe~-)Sh8`-|2nH z%lXl}cP+$4`yD^v5=9NYULbcI>?xY_xL*vIIXJ=P#8}p{i(K&$!6SHi;H$624BfCW@RK}M~p z47yVD%QFE;plJGK=AVo0$!EJ>i^aI;sbUcSL;1ZMel5!xtp_%X$0lw(zdLmp{>Asj z*$SE0iYIriyfGhuC1?!90y(`l6j&m25M`p33l6FN>mY0WQS%9~EXKU<{`$gZyV>4; zLMveL)mE5L30$rbZY=85`=c7&a}vbsZ~|`P`^&u%i7S?u z=7;_^`;jK-lBVl7@3VneN$l=CpbCrnz4-S&fvSzQHArjgW41lugE|iUd1kXMA2h&I2k$8D|55=hO*mR;d4hxgnx1o`SswOJ)^^rr2 z+S@NBpcHu&OB-A-VADr4Sq3p;6A~ah0_hLvf9fobPFs|$U(0U={}&gy$UiY1zEweg zSRK)@Q;z(nC6tf5FGO>YZkd5ZT@i?fkMXi4WM*boe>~qB7^mqG@DZn;zB%!!IMwUv zZd{!eYCG*|2_(Hqd`F2cF=%I30@-XDp}H^tW59?xxPc|}s5H_uB#r`s_z59Y5#ceT zbqqPj?NbC1yXjTq5-EcY`WU(+%cU)QP+WQmHf(2Y6SBl2Lz#V9|E!``*{7~^8^)J< zDwUI3wrsLbHvH+Bj?b&{3Ourek;Z+_0#9ne-=9RVw=##n=g zk9ZPDH9962KJi5<@!vG1jL){`^Gjq6MU|$uw#6kS?a+x6^nBRYf3l9&e*D3Z5EqA} z>&>dIRx62J?qm3;&ISOsETv);LYaUw{O+L})+et>l0xt4onNbN6h+qniD(P<#j5I2 z#*w{spCwvxcATAe3cB8yRf3b>Xw}0+{1eJs)&jQeJj$B@r;Ja?KUfK|qiX)_G?ZM! zxWivFQW_987CSc#0o%x~5kTTm>h5&x$wt!6ZaPjG_5m!Q$kI3ymOo_;e#u*lvv- z^E!#wKBqSTAfg{uup>f4LoKOO5Q_Kk5Z5P*iAXEtQuy9_Rw`wy;Fx}&GSyDnn)2{b}?YF_fXj&*IHJ!{qo#_9v3NTRV&1rhXR=?l+Hyow^ zdqwSx2MN-chOoCbH%-@L#ZUb`s#f25cr;Q?*Kq4O%fZ;Z#<3SXL1I#0K5?IP=>J`&abeMZlI2 zxBljk!rQPrg1KCN0}54$LuR_C`Y(gS+|88$r$TxW+kUNCY0S=&C}|Rwn?{mY*L#-% z$3VOcuM#J~X`AfX9#ADNPsB}tM$1N<>Q^TA+0+8D#Wsqe{t^&Uy2*BIST2!@`#K`c z(y|KjOR~4LTz`l&sId&)7^a2WU zyyB|pbIaO&jr@X$>C&hgiZd$)1c%Y}tZ>dfTa4FcFM5K%fe7fmqixs3-?NcT)!9oZ zhoE%#Nl9xUCsAepc+0BZ+0}&w9BdF$Q#oBVm@xc6C{5az=CY_?nedg>rWx=FcySe! z5i3{fGR^Gpf0lVRsn2dNYFwL-I{7VQNhc^W~9nkf%uc8~K5e z7UNH&Olt-Lt7oK#TWZU1j;&CYe#JZl;?tcCuD>3v$cZx^`hJizW|&4RhtXKrG_8~6 zUJZ@OiG982d(_T&Ra*P6n|;y(OX&b}@zjKb$%By_4tj>Ly>Y1ksiv2OQs7-|n+eUj zA1Yf}G~vHa@h&appXbqD5WAt3hk%*w4qj$XFlsF)ALwBkUr#^n(M(*3WCSpLDBbcX zI4-8N&!{IdeA(<%Ncg=?`zCy+Ww{BfOh^${!p8k_mnsvOXh`j4Wnl*kJIScOT=_D>2z}&70VRvs!)Gn-}Eug z2|0C;3=GjSmDGmsQduTk(x%R+)wSz3!js%NIimT}=$v#v+A2>^`YGSQ)#b!?t84Xp zr8JO2OH7x=VZ_8UB^8f+F9Dt0Ph0!pLdQU(>s=j2NEj4ZJnI9sC^*sdl7@V8BRWAE zX5A3JwdN!A!bTD899WI^HgNGjR-Fm=HW}9zs}w2_3nfjGuuQTGcqtyPhbt~!mK))x z2*YAJU))hRJ0YZSg_}c$q!tWiz30ST=KMg-xZ?Qfemi+~QzqeQ@rRs3akBn$Ot5pE zVQ3wigt>oE+CY&jR7uQF9Ax|6<|rH4Gw<0t^NFQwTgQs>UoT!zbRHmnfH$xQ%u>i zC!FX*L_aGXyEX5-A_%YCxz3I zicz9%$E+lpoH*@_RpX0zn~q>d)neEV$@l=BZ6X*CitvEeCihDfF#G^&pC%(M9$;hn z*Q*PCYb`@8aCM$@ivlxIhMuB2S$;~a)R@U*Js5$-VK+$BzTOl^;?>l}L znHjIej?b$lgzl=B3tzo`{KSlO;QZAYKc?fQbJS<)oqB#!rw<>6l{oqy8}w4y-M&1T4& z|N5t)0FqpR4*JwzQdn3x%5$nnQw@<=F9Wzjevp#-wFR6&TRS@Z;=s@T`{JTj@5o4? zR16(tb&*%b8+!l1z=3*mxB<{C#m`9iAX>udLUrBC$;q8}eJI2r_|v#pV(sT~0d35% zg4Co*pkpp^R`wCKIuMWk`do_kM@={aM5YMxyfXFnxk4`W=}B9K4HFkk0h>=8Y?VMd z5yr1K%)gnJvD*g{AK+jz@o(!oVky?NW{qV^^x#kJeyTKUS8Lw4Cp4|GgdI#ED!?O4 zY-~4kzS*|o>+b&f`gm9+fk%VIrQxl?kG~6SraG*Pn-u+C|CQ~fE`NAPiWArUf+R?OEr}AVz z6Xmauin%m{9{qgF5?KfbS0h#X?cKzyRUiZi(i2tXtqX`-&3eNId{08YbsZ6xR6Ql} zdn>r?Ur6w;de?lXIr)kWLC_rE+DRt{;ZIy#wvhvg;ooVWYp(zyT%3hbB`V;yk$C}^ z&X6L^{JJSkn<571lwPeMZ_esZPUJ+VVzLcrV-h*s#ZTQh4zAW%oHrDCu!%=tMAHse z-iOp?;?6L{pe59?K3e-_%;KnA2>pHfSs)NQ1g|xy!HbfVkxesI^XhrCBmjbgNydcr7rI3wM3Z(t`3lc z6(U*TPyg!Z;a%%5I%tuZ1l~XV!&)DFS4DJ}=LxbJ+FDV<^`@4Uez@|+5!HCH_y*%_ z+$m^W&jh@zjuA6vubzMnQW+~}08tMGsjuznMPXaXLv4$#7D~))8kUygdy_vKvSwqe zMSN9Isn){&lK0Tpeid(H(<*p|VJ3)ScFa|7o$x}ZmTO(3hMf5!CGd}ofbwFr&Xq{^ z;yEmvg{G(9|9c*Dj&X-vHT6VAHoxdv-!tr*u{u&GA{_DP&A zIPDMFBwn|WAWjUPmM1zszE@)O;pzYmOilOr3kd?QY#Y`- zC)OV+uD#LK+qTRZbD0%;qz>rm-j_-)>56*S_@I(Q6#9yc;?^72kN`%&Bq0xX|0wD$l<5NSMt6P64i}B$tIrmn$8nFMm zFmW6x(yVwxE$ij818C1Wu?fOEsKDq_c=#6a{)z-TLgml-4pN#Y?<+a~fY!EG?qqCi zgdQFq8Sgr}N9$$XZEPJkWNT~jBVd}YEn}R37nyf}?}Bg7aAvl}ns~3`2bm9gB;qVu zhR!GRuz{$@H7apV7Cj>qc-YPSh>OVuqT%K-NJCw;-=B}ul4PzUFTNmio#e>|Q5tH< zUxz{MC|6kl?ZSA4{g+>Y({x=;IH87_Wwk}OWH8C{I4%76e{GPe;D$y2&gNeiU=y!0 z2tCkIs##Nuj>gQ{&N`8GWxk9MWs>n?l$3G1-jAnb;1dh{d}2R}3@^Rk=(%&T(XwB5 zgPtZ4fO|;^-MBgvBA!vGea5*t$t*4sbzcJWqsK(9JRD|c7cZ0*=(A42ez^mL@2)-G zT|9PB0!{8Wa5bhfKbryexr?jo8L!&!7>>#=4|4z}jHZ))BQZ|kIm4s2u0;hPHw=)_ zw8dz{*;*eh-a$Hrvw1w=`=h)(yDMf4^_aAqTTC+q1&?_S?<|91vfQb@yvny+?wzf$ zhjn4~<|bvH%D|~*y<%23i(xl&sne10V**PtYa++nN1vas;0AR`6hENDAdUf!^vJYA z%R4PChRv<5a}G>gaN)t+gumQvL?)b$Ny5Gp)Ve6tszXsN{M<0p_=Hwk`Ah`lLnef>lyN;?xo8T!O2%xV;W~ zAc>8EqOjJ2Sus-df3<+JX@LLHx^hG=|MZV^8DNNZYi9xa8<}c~@9^S2$%I=}=05|- zn&Tr3ytf(X=t7Wg66loxhIM**Imu`j6&$h}TBEM6UVj&Dnkr&&PsP+s-I+velxg2m z#M}El3DKnsb=w+-n>u~QH~2?JMlA;7YjunDt!p7Ge2C{TWQi4&6h-k!aiM02=jY@h z7Ee*#XL7!fb-}Tcs^01Ev{I&0qY_G^u;_#{z?-mbK;{t*S;FAEUZyEAOiLKd^Q=Bn zREsubOQV2t2!x})f!A#V!QoR2R|h$@4(aPiX4^1*{1BccWGHWm6k*!U04M|(oeW-H zzSd5k0Gu*cQP!7?iynwVQ0Z&E{o!+$k2!`f9J%44_hPDy@DZ(mdDP}iA5Hpc)p>AZ3l?XT~mlja?~7d|*%iZmaEIS&xi z^NKa}@Y&;7S$}5^5bO<_Smd86p#OJ1q zVSbt9ZHf&8)gEqZE!2%3VVL7%STYh+RC($jm-RV6pvJ!KMGyt|TG#Ud3FofEP1aB2 zl;pl<;CvPiIhG+2DT{<)B=FmalCLHnG)GtbDNhRq^s|jD#_pdW<=`{Jpmm267F%Ka zbz9)09FDY_e~|wK$IqoIS*Kej@PO8uljT2dRi#>Xt#e33op&>}=@YPeef#aP@IzH%MDRlVx|RE`0>X}r4^9tvk6Hp3N8-)(Yc5S7i){^8NTEmkt7yvJA*`g4(q~g%HKgG9f+{q4$6BC zCKCSJ!-^6kLWzSgiKpQd!x61`Qu=vdoH5&@%hY@BHawmknxWl*Vz(@!DD;Q`T(h~} zp4NE3=tL>R|rHwLD{FhIcp^Q-;x6LTprqq8I_X$ zxn=iZdk>+@rwnr4@PR3~c8YSZ-z4;OJ$aC-O{`>aMuFGzotc7dCN1N9OLgl6}RMZm1`s{StL%|-kN-H(>Q zY>H*;%%L1rImybzX(yAEw~ z(Vfh0F8e6>b|0@Un`0wi-fXIx!fhZ(?h{qX?~vx(J+$oPx60fEMb1v%8vM5&xY|F1 z@d#JBckY7Dj&Q3O6!-Et!8;(|pZ{6^-}2Xh(9b zM}KTla5-2)vay0Aa}>%}vg7%byz)%@V05T`bD$(x^nA!!(EJ{M1g7{re*YSlVkPR% zeRQbALoBB1-bav7%I&4W!tAK{i(!&!>C;@KcP6*0b?)LXsiqPW;tA!kC!#iGUBe3v zjd~}o$%UM1u4-b#qu5*ZS~0{5MMM&cBD1{*8>yUa_eY;f%j^T!CW84L*rJixJwp@o zt%K~eyGK_R6&@GkXK8xcKckJOHN}sItLfF6x|$NaT>*Znu1k*%Vln#%ZKESGvDimx zN;%hmvRof8Jhzq7#+<3WnlDb2>Aht$%M19L))>xQCx|MW>msIei=&c=EQxmack$}A z2NSnfZsayG2gsUAm|kLvz4g`O+Mix~a>-hKyLV5^_ex2~ec-3}etu1ay2M&!>)}Ea zAQV@BpeoO-SsexvKq1##8p2|LeXLX)JCZ3N5oHeCo^6=*qRF;~#oH3cbcLR9;O2F_ z;|G?qnHxP5ox5gcZ!?RFfd^o(&&S2?0X)QR#T&I5-snE%+O+zTdavD4udClWPnUa2 z8dkuLKEv~25Q+HlwBsgQA+tqEJLP$%mW?)$IVUG)H0dioD)Qyo81!!F=B%7K%O z9{F+2>xvPfaf^eG$XC>_2?z-GHW7|av$XlE6RPg=-}abZhxJtgJX99eK}9)wA_rMm z;nO-RPV2X zi9eZNp8Hw?g{mEz`fP-kBZeQF@|LX~m&RNEI9z>Y^}2;f+gXLMULt>yi+4!Gez6F5 zDCD$H8oF)T^l_dU%Q|_XO$!`-a!-fU z_@B!@8j|r)W}#e%88=}U8)5LM2G|<^mY0&xWno^AWluMnI;EA9HXrKUMmsw@KFyvf zIjoDem}_ZSCOj zaGa>eiynow6-I1^+Eg&On3`6bf_%zs*`#Ud_ZAXK^>#un?)g26`@_RbcIoA8Lnnl- zy)7r{A`nn$-yon#At2%ZzyH{Z57h*VO1!A5pr99C#+m~ILoJs~8(D2J!-NzOlJV~! z^4tqmTwHv9d@&T@eYp;LZhuCeH!Gz5+`Q+ZU&S}oOaSrpy$XO?T^YEFii^4MVoxQV zYqp;o8hFN5gCG#kohT&X_<1X7C`zL3Lc;?eA5Zs>FgG`-zfS8e>&PO|*!6Yw`A~Ph z?>!0}uh=@RABG;PyLL*y%_GIf-Il-0R*80@o7v?0Jkj~d5Kbzm>?h>r#xXe@z74IS zn^PI#50iXHy<{Z%RlTp$uO4odzNE)Ja<=Nnn4AyneX%aP6dXIPUOVV14Yj6k_6kDr zI87gHe@A9`{8XZ45*KWXJ_%g)=acNF57Rldb!9A&9JWj{uHoZ`qoXbxM6|w;!aUSR zwZzfKsLd$lT)MaQXgW> z!25NG)@XK^_bn#}#Ur26xM>=eFQ))?8`8TfoYP^T0A_MAq!n5FWLQpf|JK2&Y5y6F z9UKn33Wx{@Ka(N}dC6gVvVU>5_e>s472O=nqy?aod?b_taws`IJ4(fx0TSzaHD&@t z)X4Ps__oQKuhEa(mU42{n0hW6C^rYzKVF```l;Tcz`Yi_U0pw34kNB>9xb)O7c#)S zyS-Pez~t+KlzrP1@qsL{OVG}}OmQ12dE|sH_E9s8B!`7|F%9;kH>#bdw?-`Cu*q}k z=iJ}C$O~$kx+tQjSC_Ia;3p5j?*MXtxCiFq|=QZWoHU1;o-QC@v92_{#TzfHS zJVl%hvP2Kz@|DZM2m#!=ABkkbb|@vZ^izm^FW+ zO=|fc_%>ebWO=`s0z)PiTLqo0OFdK+n(Y-&p2^aNkfbC6WI|kuCfL4reVm+C(J7v> zpFaJ{4qS6MnK?b2v)^3{OdFlQYB;XXR>~OCKr)2-ADk)(C?a^$)sk1~scZz0-hx{n z^!WeXNovie`1Y+udgrr&JOhQ^ZjQ@9SePQI%^uR~!OpmFckH~F7^HVBKEVb!$8iCz zgOC+wXYtoRV&qXgJ_zR&H*q+4~g zWetZhM`KZ2y%>p8ipNas2b&J8zXdG5f%aaz6YAx0r)3jD(gCKfZ#Gu~nZSX@c9yjh6v@U$h>fFlcnBoqStx8t=A+J2~k7Pnng5udS{9 z;pgXvyWjg$Tv2js9LvV}hLoF|yUZ^*IPfhqvzkm6)PJWM|G$;n0{r@n;1}Rx{EvR= z&{#Cn>+2Jxq@}l>K`KPXvPGGAvv!J)FC2jQ^D8Ua9-l13Nem=5ww9xGx6kSe0)ECT0 z7gsF;xYqvcayqo=>EaPD@6ky-%-qR`WpWqz%AOtMef9Ib6 z;@a2JE#j6K`2XUn|IJ%EN!~*7)irE;^Z)Li)+lIK=AQ2`{x=`oKYb*_)F}1LOaTGR zJSY;E3#)s}vZ|HFDo_p2o?R%Fa}YT>`3pfoy#-`%uM}wR!R-k+IXMXk3B{L|mfl-h zN(0Br3ZpI@3rkD3nj#bw6oQ8jg@L(cdmp8sS3Hn$!a8jn4r@pTj+uuhpcSPgD?1Rd z@Vt=f|Np*(Ufu+g{`mBuI$)?_VP!RL;p*y|10aa+ zJG;A;Gt$!1o>nbTV4c!&8XFfk2F!sft0?|oEYi5xTeq*7i&mzW7VP4ob6*e&sUJ|p zFL`;mmD5~nuId=Cd3lpl-}L$V_-&C{hBEt+JlHIJ?dDd~Y9}PJ!p+M&%2Yk~#>M3< z*0>wp`p;JQq9MUOkWFzVQiUogI~oiLoJL#2=w@5d@6Kl2sNTW%j!HS!Y&~c_U}a2$ z1`lD#9N)pJK8_xelAp#=+mf6$Jj+dg^gnvh!)#~~u@h`x{U)k^4o;@f;MVGS=t@*^ zCiCq?eq>!;9R?|bnvj%l;Ug@PSE80d<>lot;B2X)tt}0T53Qq&jEst(NPu#@;Nkgx zczBqbk@2R0h2|fRFFKref`8Ql__IgxPq)y&Oa$!G(RkyIUDB)YwgqfIT6WG$X5N+I zgWJEng~mt?MxYo1dj|#}z^W(2d|paJBi?Lzzj>`MF2r2rA3y2;{-+yO{vDf?zxqF_ ze)jZbpg2y=&qY!TvV1e!UXxx19@%qelRb!~C9(fq|{|La&iM6$(zlC~s#|U~-D* zi^I4ysHa0pO6sIO1~Xq^2B?6Ag~itK4~_r%ANVhSLz?ODCtylR6kM51)T zjeHp~-5Hl#S)^*4GCDjtDgK4lb$BFnUMgy00obO(!0_U8AXB{jfS-CeOk^4)Kjug4 z11hSjkm_qe?~CC=&GOaLZ{P5Mk<=r=P96y*Ve1CY#@wP|(w3GCG2nOuDuOQ<3Itjd zQVbS-8~Rn%b;X2*h1-Sw$bWVQh}>qNr+>l36b34At9Ozal2J5@R#t`l@ToGR3Q#2{ zfXT1}7Y{eL&&cHuHRIzdGfm$0t@ee}#KgpJL02rUT4I{(l#ZD>8?;DcK<0r}>;p`w z2}nulhi1!+(5Y!@$#%NJfS`B17kO=y$p9%U4HZMxVg@-`@lZ0Kx}dmDNpW#D&}a@0 z#3FeE0L~4XAJx@y&~smaC1s=!hnl|J(W@SZHE-jND ze73rTd^88gP+9Hg6SF5zo;bXl10(O*MEUEhtD*pJc5uZ(U$tvwD6V;lJ~JcqY7$<5&lll1<13yTAcyIrEb0(m}Law zP)H#!PBMXVu#W#M%(=p@4Y;J5t#(IxWd6WKpJLJ|eT~!1=eD1wM+HJ=nJvf;Xi%@Y zOBL_$uXw9s1d-EsNt>^@^6?E+KLzAbcfueB(yhMPd>dDL`w@(@L|$k5j;^kPAR=eI zuYRaThK8FU>ZSt^4p#ZRTtrmcy>o85%M74Q!sn|ttxloVy|T}Fu<=Ddk<&Wk`1rUO zE8O_M{ha^nslCUC53;yZcdb4>x&uzg6Y(L2fvk!`5szJ>jE^GcCPOK*TXxM`TNd>6 z^cmUNG-ZMn3fz1gUu|tWGs_3U6qW&(2i##{VOk+}4^s9xEuBjj(a@Lj+K}KtI<5**?|Sk96&MYg7S!z@_DUmpSPAxi&CKLir(S7lR+vSqDWrLL zK?Duk?-khzQHE5Dxq3!lXD^%|75IZ2R#sNFUluX5ne<1XGEG?Liu}vd=?@nqes1fNe)7wn7SJW4X9fbL`EOgj4WOAe*<(G#005Rpioi)@+ zw-nc_`JXs7e+UY}<(cAx6>&Eo7wXLhSS;S+fY?n$A-G6740Qfq{Vv;K>NGTv{9@M<=H&K;aq%N0%7Fex-8+7!9vQa6=A$^fBXa zFI540t%9Lp#y!WCmrd?R>yd!G-tZP!)m$x%+?>Lp@>fbf=ia<|vst%Y{EV;ul%+X7 zp7;XH%kYw}H*7Ejl81I}^Eq!tH`sz?nH>m=kiL5VSpz+2gw7{pIfEX;>laXt27nJvOlDBh>+vJ?0|a`k6(3=au2~HuJff z`&%@M8<=1UMLc8y?Uh{=D=_c1( z+X*?B#*>-hf0>W{!v#b+zjNuq6_ZJ|OHYy}?#2ow{4~?a*J?XiI6ZtmS2b!iR3%lp zxt~G&qq#lIom8Cp!(~^i=mWc+3AD-ky{)ahR9YI?nB*4KjvI2UzbUq+R zSgis`8Z%p4TV`X~vWKiI5n{~Xz;@_P!)toMTR>0#;(KIdx&=%tX4gIOjID^d-W8rb zJgk6$g%zEML?S236@&f}j!KKV?WN~8H2orA2o`@as}IX*II1PpOQAY#VWBK3D~mjv zyPew1x^YDi-r9F~PUEwA%N8}&b@}L}*VkKj{R1oMn!8VDSv1)B;uYMYb>U&v#N+>j>-F1h&P+dQ}DZ z%=qfKK9q5d`jDE#AWJgyYp2rqQLJ=&=sew*st9i-%dc#L+{@O1gSslj>U_RMEMN`1-0LxQsd z4542#EW&{dWOjVKh96lAZnkJks&ImhrIopLHVclgI3mnDf}0zjT@!Gu`jcqB%EyR- z^x-QhhB>&5CJhA>_nS3m=Mui7=*wLv9mj7(=0B~ook#f#|DBQMOwK`4^}le+{;kIg3|?ZSaT7sF6XcPV6=>ET|N z5g{SrR=_3Q_VNkC$8fJBp+AEjlZh6CSV26)587~SNl`izcUHzVQ@A+byU`uws$=Vi2F*Qkt+}+=L`D{rRc_=ETPab!0wr+G?pOhf7j;uIG{a7quupFx9DHq{|1${ZIZ0*2#ahtDu zPDXQHTB)a~F%z0MPYSb34X@BcrpY%EKZk~b{~J}};^@QIEl`Lf1O{^WjGC$k)- zhc}Cgh@#@d-%Q&A+?s9KPAlB#cj)DB!*{ASi~HtaAjyx?+ltR5 zB8qe`Ay4F(nN_qE4R%$x!iLgKZ0GqxtcC<`$(OX%-Zhn=tC{bbr$_N^rb)_RpuCBX z=04k0(AT=y)GqkcUtt%zsQr4$j1Q7egr;iAGEMlpfO4M1s&1x_fxwxYn z4fbw?s+Ceafn6RBV%D26%7tPet2g0pt-Q6L@$DBK7^;t&QhqAbPzm|BjPu}3JcxT= zSyU8L+@Qqw;1G<6e=Ejxh(x&FTsNBRB2urNGS!-aW_27$zL~2bIf+eyl9sKM+^p}r z6=3{o4GqR#VPhRyS~FT^*1e>3t8f>0A`{%Yudx)@JD>LCYSjHTZs4XaA-sRZh1FDW>PM`vkG3Bu@J-xG$%Co{+lk%}J)Gr!Qw1G~M?&Tx8KVBJ6xj%4K1VXY7>Y~ zh6tF)P&KPD&;h6|z*Jw`3RIUYkhpFr5UJ9Wqx+ z!F9zIOUR%1?B1o+mq$(Z!kbJg;;&^f-1)yNKh2h3CkUylWB>~&M0KB&{}4*mQBle8 zOV^cx?w9XA>O-N6&1W+W?&V&{d#T$sU@luW1zvi3dJ=tbJ{OL+*EL(=d(*^httBez zsX)WxwZHh0Ic!9kkd(usa4P!KCw|3dVg_ybYsTBxCfE&uv9w;oMM~W(0rWUkUkxW7 zovdYi{j)>+pDYfLQ0Zs^xV66GYtH0Cv>Ks;qcr~X^o(WYrMnq3`DB7U3JpNv{!+jJ zL-k&+_XS)Z+fL3pO?^OxGX|VXV5>b*Tg+M~>+2@VA(65%4g9;9azLphFFhUkWfM5V zWbinyD**H|?@52kuaT;FfrtQJ`b%?*nx8-4u+}rA2O2Kf6z|I(>N0sny0}KCoVss* z_3q^T#|m(gaIuu%IWIRiZD(gkF6jCWy5(S;{Y!l*sbKP*oX`PWi^UHq*RR7SZq`HGEM)*#DaBn<&{|J2HQHJa%;V`D@?(m`aYF zRJ-V#wcPBc8)%+&?51jNT1a?{t0(j^n88xaSLN|A$;X`xj0>|ymlw0T<>HY8waqJB zd(xTKUr3TkMh(3$@45q%;USCSz6W7yg<$mV%LqOmp4sk9rD4KQX2bQxw&6v%4hfGE z{@otj=hkMMUiZvO^f*URpR(iTULg_5L>%Taq3h|Sv~pScQb-{bAnyIh@>5l zu_?h77=o?dqg{}rlJn&AZj1Qet?qwKiuka0=fS?I`xqtLQz7%3npfes8!ybPmE9H} zW1PaIYpIFWe;OBsMbdDu!lUE`pV->klJdDQ2Kf8GmG5ww-1?110CnzfsZUd4W3xHr zzbmA07t4@&Y>*XA1lUfg_5KE@fhTBh*41FT+b+=_XE&F#AZr1u^E-7=>?Ug*DavfUiOxeZ?0i^! kNyuS*IDMh=$M$ER-d|! zd;QbCf~FaQwC$~4TaMy&M#Pv0Aoe}bJvurPt4STr)kCj7zq}j+vOO`=Zhy>;8K1v1 zGL=Y2MOP5@;y(`zP&8J2xMuoZVFvD*t9b%%>r~r#icBm<=McN==KWuZ9x?MelrB z($hXjRI5pif1;Y8tp!Vl^WwBQxY~c~3Jt-^3d}ZfZ^+C!%4;gq6qplJ-q@-2X>DT9 z(ti+e?m2o;E*5R~D(+BghZh47uaFVthOe)pGn1zC2Nf!d$v$7XSXk(9I#77&?Br$sVQ&gYpBHmpH$6pQKhP*d6rkkKV zp#*NOppOelOM3@f!r*b*8kd}@N4TCF+^4X95wr!sznHsN#BY6kd;sH#NucJ*_utf^ z$-~|=@Keh9qdeKgJRKb!A*rZdHeXN)>XoJpmfL&UQ9RGj-JOoj@BlxoMESC9d(Bbr znRsXh;L%59X5t$gO9}~%D$%hXl(r5mpX5usx%tQU_w~huhnq#vdtrlsmsclQ;?vZX zQ+>?VH&%|+V)pqEh}XbvrVx7kokXIw^~n!MheOtxD(ixUiwSH#IomkY>l$mN_Ek#! z{hS5y@qdeY@VnSu9K{>fk@Ya&B|2SCYMK7T-uR(eZ#<-!(woh@3bsbM)=p#yjOi5@ ze&=#qP#`%$C8*PMOMQA6^s}Ui5=n8+Rs_lMx>tx9$SHFPa9ovbx?P-{#_J*zSu7Sx z4g40urW&jO{NeSm@YP_);ULQAD+?P=A0rWki1qbgLYSemQ3t4MrxDkEp4sN%(_|_5vM;Qh5r;^7}2i=EHy)6wShL0^OWVmM?Lc8{;CmqOcuVD;+P!m@XL;2ZCn zXQ3W`4StoVU&RNS#3{r5uGJXbTi=yZy1Ffv%Zrwd39a`-I^fN;pU$JP>#j~`UwA`( zv`!A89nGo?N8@mj9DPak>+_-2)%^Rq%0nC8Jf6qIOr94c&TQ^)eWCj<#0;)YM^y`q zl-n_yK>L$vWPd*lzx^fCX!B4B)aVL&Atv$c5su6yyv@-}focG1w^gi-o0_#DG|z~B zCx6z{!TVr`)oG(&@qHVeFE6CDAz{zm6WjQaGx-C;7k8Q)9dE3*h%%5ZBF5cPbkE@- zsW_wR+U)6i-mv-TT?QW9u!)fLoaU7ODZywCf+4jsmDI;~=wY_6NE z3XZ?aanx+#QYK0xMZB;F>rLh!FUQr5PjZc}N(icOeYyDXQs{S{?BMD`U@a9;y)qAX z9r>k=A4AiKP|lH4)X_3nNW>d(f!d$mBI31*k2JhrJ;x zn&xNQ?-m*YoIvU${p;tZe%nuBJKLsnkDzqhUS6K}3Uoa^5-}Dz3te9+SS}o2>YDrKzqa*ej(3W;M9&OLr}YvQOjMafQv9UGgJX6x_s#eW@9Z=n@ZzcVWO$Z9k6;B0NU zT4h!NQq8K^YVR~K#n(NkcJox-dE-{e%ewR4obIuS{eZ5mrr5$Gu{82k1kjkXymN6N zR(R!aZUnJ~Hg%fx>~4|eO>kM_Qu1pscFD8omz#vOCf1&tSSfE4`5g~Sy?>w8!*p~q zLB0VZW>M2tPF;O%t@(hmd`*3Q0c|}*Pf01GGUclvx>hple~^s+kO8)cF|-I1Y&r7l zP6O=~eIK7D;!jlXe$%Vg`MW<*QKl0t(99pvD=I4XS{>LJ85vDZ8KV4MLo@R>`4-}= zwh&IIt52Hl8gpa8XNd?$Qcc4+iTAp;5eO#;T)!!xvnw!hE~z%k z(0sn2ngkoM62L>eH>4DiRvF9@K13E`N{WS8@m?Ah(8o2k+$B7T{e%-I)I7Xs8Z1I` z<1))miU)E3ynJqTFZJ0=m35iV>Bd8YT;K*scRtEwt}hFoW?$1g)~dkBL5Ta6LO&QJ z4u)Z>et)%wadA4!K|nJ7>s<|%Em3MXiJ(`O-c<6Bfe<37Jos<=axVN5^zTQGhMM03 zRRA?Y)^o~24A=Q;+wdOn;yXLAAC?1xo>*h16i5jx-uFl=+09#uBjQTpE-s<^K*^Q8 zH7~HU5#AKEne2LP$vzhzw^Wub->hYM0D_pAY$BThqg!NL<@f=~%h&jUu&pg|cq1ZR zuO{_J5oljfgvIp#7&DA5_rpA|CB_MTlw7D`@49tuSx{KRM@;%BW!Rsb?|+k+hu)ha zF_$=^eyX6XFG+^*k>rx|d2JisiJc<3^wDqgS6ji0>Q#2t@#t=%L66!CX`+xIB^~I& zXh(O{YSoFS;Dq+I7g<9?gV{`l`QgjoFuo7cLn)}6ZiSYbdZguJLLxr*dw^3aelI!^ zblK71d7yxxvDjmO*K!L3H%HcW&n&IZG3R~OV$|{A)lZrq zjt($x*);)5rkOP}bdi!^+{eByH8pjT|D+w%EfZ1mN*hD+?(VftAAjUD2wsx|*A3#v z)|(m25^CzKm#nOj-=YSZOSKwByjHNZ0edDt@y~G9#iw`*LjCCg4-xcj_k|bu-JE$T z+S{`x3wXwIx5!sd&011sv~JLid!Knlzfuzx{y2F~r#CoW`(pm&-5($OFwrLU9isvL zL;mT4Pt`+|(%BVI-<-K){8cIv;fDtY>}JbonZinrsa~I~cG=_Pvv%er&Fg(>`Cv=C;3ID6~ItC=$>qT^8K zyZw!~VYBb~v7<#{!9;>S$6Luo4PF~g4i3ZQskXk-8M+c| zJqv?s9;HjK>vS*>E6W?OH{k>Ip|M`s_u031>gqCYpzwG(Z$A#MG0!?Susj;W$+1YqodzWil=?X@sY@QM<2N`}SzygWWfMQ+_p$W7k7dh&o|Qb+^s zampYA1Zl1rt*Rkxa81eXtPxHADc8!6V}XY_Qrf_s!@CLg7-Y~nil}d3lLg|RcbAQv zee>x$g26Zmd5pw0c$uzCAO^A7=LT(If&>Fx0i=nZjhyM zUrkn(OT+o*S&g2Hp?UQ5g@wUH#>9^^^>LEN$!OWwqJT#Svp!oJ8<;RQm}&H^Zrv6? zCaikXhRro6ideWzBmO>=Ne;vre@l<(ZbZr;FD1sZB%|m!IaA#94AQR=Uujdl)G%@r zpL7Dt1qf(;zg;1Z5kUd65G=k!t2jWz@bXhHtJB0>egasJ5CR-bzJAMEI9U$R>HUz zA`$u|xd1rA!^0T?(He53CHBoc$tihqq8(Sln9X^*38|hJzCJ^QV?h4uef%7xurNB7 z=~8B1x7gI!7*=WTM;$Kz`gNKHx-VzVJ}c^Da6D$61>$Al_vAz7w(kHl=NzfO4^M7jmX^sp-!v4eK9)2vJ)otcxlyz zbO!zk_GR}VfAZ9#RQ~zA*P8O7sIExZ)q6`%ZS+Q;Ni*>8@d23LMic+}8r_{y9cdfUzn!I=pu&1S#5`O@YzF4Lgj*dhAU<~-F60ppVw+5uD z2)OOPYaFfyG=##V?8@`Qjc!RWL^VL(r!EcmUox+|eqwwRSn=1bVvP!>-i*QOY%27B>YWnP2 zskZr5@^PP90&?>iy9&m|3LYIYu`K8qKJ-XTOp2({b>S=SUTwIPgF}16cyj$_3T|xg z7&*<9@Az9OXb#1#wVge=#`(GSS2xvXdil{mJ7d13Mhf3gtd0n)@Cqf+$kk4O_*U~* z*hi@ysUjE&TR-h6SuR6oD+&3B?(=Dr@qCac2^1NvQwluAj4gKFe;6WobU;(|fDNas z{-*B0>2l)Ps^FN!Nsen1R1y+1BOGY>0aNEo7*^UrS;B)-B0=bz#8V0)ZD;<1w+V8Y z&Ls?s+Df()xJt}D|D_0wz#h%u3veE znr%o$I`NMi*m>XP7i-ZMQ7)h4FS_GQQ|Rtxm4&`%@4h`t(VqTw>!V+Lw7adI?jq)kn!rR2n$IT5bj8Z^te&StYM$;R#D|c>l%Da}O$4YleU0t-}&&iIX?TQ-s-GmZ$maDZ5O|o!#8p;c+us%)v!k zF(N|3UM`NKQoz3*4X8&*%KJ0Nid>y#EJs8AellM=3{njH^o|fB{O}=z4}yY% zT1NYav~o#lqe=rE_2=j3?Oggt9i=+JoQMW}%AOBuHej@W2~lWhY&8B|Ily2O6F=&c zolrm5kqdfhz}F9fcJujD6P${bp9Vp{DF_G4YwkMpn3fYpTJgswg zds0yaC%q!eb8>RXyK}6hfhBzdve(IUfmSB|ap&^TCK&sJ(EhaD?SHU|`42eWhu63d z6jF&4evG$a@?-B{3x8QOuMhH18rgB->*btTj^A)jpD9Eu_9T~i$ zY8-H+8k02c{jq(RrhHo@$MRF;t1RCQm7vQ!bow~TtCJ;f+}y;~i!9(2s4eSW3m~;u zMs1!qkh8v=Z(+yqp2n=7(?>d3&qG)3zzBlllm21D~18Z|X`Dkb&Bjtw_UKFz)GxVnTIQ z8b>HgMjw=J|6=Y_o`@N&PQb7>MaBJ4=Owu#N z^FWM?bW`*73FpJToX~oc4c3e8Pd)9a96n%{>@ki;g;TA~@;la5aXK_5iiK`At*j%= z5}y+WCSRM6b3;R80cVbppzpy5G)f9)ZRC~D|CDqNM;l9=~#_H_K?qaNO4eg z-w%VkaQvHb&$qZN^zbVE)SpW})$^ycumtQjgS`9qgCOY2l#|*>5nKW08SZvDioKlv zGguDxarZO%&(7GC%{8{o-cQVhCuk+~!)9QDLdfGN^7b6YZXyiyJ9j{ZgZjnxgIdt#f$T7FcTuR@ zYCP)b0PK^DWYl>##uH-xD3Lo{)-%s9=wg6TrsnqY`-Rxj(wBhsK|u79NRmq@-t%Gc zD;s(D4NTqN#SmwZt=xvUGINTW$$JwMDI!j|5={pm`r~5Fa`C>;VVB1+5#ZeTbgtxe z9c$pF-si)4SEypG(^y#DKIh@UIr-~cfBZu)9OTM%EPZTK>Accxfc;<3t-rxRUNWZ% zs;3<u3At9q3s*e(aY=WG`DY}IjKv-b9h?9F@?-N=<9GZmj3vmRLpSX z{-!aBAOFVh4@?za>P2d#XAUnKJjiuncl>Z}x~&9>VyGj((Bua_#z5aPrq227q7Q>o z$;ODnpefif^e|ggh})ez^r{DXj7aPZW-k6qb{;9*ntI}pYERpuf#Q72;RH_Cr~Ob7 zC*67m&GCsxIJ~n@0@moLpXPeLNsK;mUKikhU2YAgEPrSFZo149=N#6eLWg$Fcx@i_ zCp5E;xXa3$ENW_4yF^c?s&EwGDL=rV5_^GOw!B4WV2AO&L^XgQxIQqd_cnb27kZz z*D62q*ywH>vi)wnVxHxwS0neV>(J0I(`@E+^e#Z&C-n%qhXBEr(8FTP=omR-J1}M8 z^zjcb_fHnj->jp*eEBg%H4RzTO|(5}RL{p`$G+mq`#nljIdJZ^!8NjHh|NEVV*a?( z+}t|yl0xbxY;=$^I_1hbIp+@0sv7~-&Kp3Oiemm5Hi?7{bL8I-j&g}C+FLAou6hG)^9;W^akDaOC&^;OQ ze8`uuoRqBon!v^R-okn4GtSP?USN`Fe!MwyD2=%5fb$kuoPM}^#i=4Ehhsfg6ZxC7 z$9&i3`4Z+&AbcwoLc~JIm77>@+hC(C=Dkv%*VIr9Y{9<$W-S8hy2sMjhOdEvch56U z+S`kDql>I)eQ8Vw5~$&(-rkMJPR9bhg>uaWh>|f(qkoK@x6tYs(=NGqQc-)myN5km zP;duvLl@Dhxp^wl8Tb9rqFV%0N(A*=H*~nUO97zBFO74hEaW6iLEpVmpzwzm^064x zzoY$gfOeLzV__`i;l%Xva{*#mx;r@>Pwb@<5A~iRwawkUlK5fknfFJO)(fDRudu?E zJ(W;6+nBc|zY#-Mknw=ZRS_=v2nXiqGER4c1dW0c?3RKmT=FS)49M%QMe zgvgmkIrrSFV74|zUrkI;>E81=!Rv%uJ@xP=Z5_7OUnBh2XDbd<(BMZ5tLS)k+*@R} z4Z@g2%mnG?TSsJ9w`8Pa&BwAsmfQsT;(Y0{2a4wGgVsHgdwVf>-Rzo2#3pc22Y`ml zOt>i;8rtXc^}y*bcLr4r4GqP{%8Vq$=2h0V3QY4&5E;0FXQCWMy4d%I{XMqyg4oPQ z-;bOh!?0jWsoxFj7#`sm?M(EE>qQUge!tW#1)Glj?Gc+GAD?uc4PzxkeP(57!4_$4 z{#_vDphZ!{&&sidk#Am@-Ty---*(a;N6WqPzr(iG1f;ZitOa~E^k0RC`)MwW)^1Nk8FRfSuHUtOSQ93*zd^WbAUYzs3Hz6l=_dg80T|`r@uu< zi(WZ6I!1LZCuU<}VB~^x2)=GLUv{3c9ximP(Ue>Jn>+OOF|=@C_UCNRT4uQ5sIH8R z<5_ZTfZt}JF4mpXU1)Ra+1lEg80h33VsGrU8HB7yN72gTHJ=&6L7Y3+IQZd}S#Mb3 z1RKQ(x`6xM%oe4zwC&X-rH9X?yd>n1D|F&+hu;@(4Ah; zwgch{KPB6U5!^b$K2>^)p2}8MZYgxqyYXOL*awuzCl0+Df7e^?C%U%#DLtPLAbrehP_$75g@e;A~v)E&9ee$6f1k z1?rFb4VnlXKVHku84KRfPYX;S^)ov57ssJcj=RO8ev&oqOso1>&nNFReoGibW&7x8 zXQpm^MKhCSjb)gwX-!# zK^@44F?BunfZr1O?mS>3rOd1D*t_$a7{#Q^*}m}k$9u^XLa$y)G5&Cc1K~97B|Ba| zKG}E^so;Ya0iQI#(Kv4`PO4AZd^F z3$)**(OlVrLQ?Cf?iH&^zebscwq{;mPRa|L+GUX|Q34ejWViotzw3 z9X5we;A21)yx03lLaZ=?iXqu9yRZSTkzzQswHO={)j7yCbH3zrt&3fiGV@jW>?5l6Q* zGkb6Zh=^jz3|nb}=yX}n9zTAaGPHqxmX0sA^bW^|4gx^(yk&|%Ao!b~UMCWGK?q>g z){vPs*Aw`*hhMHw+=ef0g&N&pZ#LHkOP0CooE$1`XdD!}CS-hG z`LVJpk74DNqPGzn4^M@DEZ*ksWQ;*YtRltjB9{~eGEMmAW>J+gb`fuCBH8t6%rWA< zbdV9d^pZ`Tfh$vfnUzed6L;MjZ~RPXF?s6Y7H^;RoEYb~J=2cy^#bddp*ukxbQ{cP zmlI2EK^+f(Hk(5WQ~)vetQtr#`>*$Z2f~R(_#13)Bt8mR)Y4{V@x*(pJ;ed&`KSjn zx+NKUL~u-@oiPm(A)jyY6BCwZbMpevZE0EM-u!%`$fforcoc2iAvGA|sALupm>#qp zmZ=GSUfvve&RS9sb9R<)I071)!5$Kiq$#NuSa5_@dVzA4d|t}0`s(9-ZAkP)4E=$b|b=W}*^W7f>9A45zcrN?L!&leox03VNrCVoDH{LWf`uV~7M~va!RPy^ra+2+d0C7*zewKsn4sm+b66V81ZKJE8*p|5QR4p^As--RW= zpBrnv@Wh6_2t4^XdF#r?`j0dln0h z+si9Uj2G(!l|k)yq@jJ$hMNX=$=88~EcddV5HrZHvcdFL@Ru)c0F#x)y{h=`@`s5Un#$%=J;LP}ILOGAZ%<^^e(3ZuK%ZvyA! z=&*uqWRNZIG*4uBc?mH>)c)5envPq#g*)9-f8mt_u2$bOw3@q0&Uxp;!MZw3gntrr z{xEFw4>;^c%*XE>Q6|5rzPWW<9BrH{m<(p9Ru1W8wKU#D`?H0{Y>09awkI{5nm(^6 z6fcYrcReBQ{Q)-C_=`IMxgh|miC;}@w8xRKOZ!`9?MLSO??HvN#(g%(_V~3-qIOsCR@jg36> zjFTG(Bhz*bzh}3*`-%km-?Aqt(&delr(UNgyrY>H%lzams(e}-!8Ygt+1 z(a%Q)Gg#!RUd*UVsYI+F6;;r|r9RWhGqirFt*z~~S`NaVBIeGPj%7^W+B$tHgM+7A z=S0WDR~>X`Z>mg$(KakN51o-%n+ooC@e#A5Bd|@-^W;Z*PgG8@0jJfOA{dB$`s^}z z9RQhPjcmV9iVRPeQ%yxK)x1J0T%%P%7Z=@|1t8FIZhGnA?j9lw1>M`+#C(m5vruAI zslwv4wAbT9Iipb54;l?wRq^?x^c_yFYBRZEKYGjC=^K+c7BU|G5x@H9>)=0LbOZZk<6icQooMl3LK@Fo5lY;$iMcn(1&mOL7q!yNR z&IlV)!4(VlN`S}n>Uc{lcW1b^wg3fbA@PKA)yxglltOZstPzm>G1k_i*poE$R zObzu+OsG=QGuzzzPDY+nm?(ncKD#sMEwnvGn*@}87|J^?bzPAGJ3|5A9d3X>sc1i& zioGl1!2kpT$yoR<_4e&0;+9@^etvJEn4`lFF(D!%B08Os01HbF{UAdV^qA=A_alBo z<^e$x!{6DyXB3q`0#cVsf|y=DjC|VoqNWy%(p0Hn6sD{W2(O7Ez3A;fCMeAL&$Vr^ zjk~jG&#HJX7`?moZ^PM}=eO5|TWBu7# z_4x696?Jud==flO?K>Q7?3nGXn*;1koBYMl;9!gst6Dt;g~u~zCXUXJ9}fY6oCupq z7eem``?N0<{uW?palcQl(=5zLMM)&FVq=Q)jpDCb05!rg1q^y0KROMeOZTWgY8W{3 zy|k#^Tz`(-6S8mhVl7g!al4S@xfPPbvu}18ToR*6=#AJO3o5?c#$UB(_MaPGRD2c~ zvfi6<`jX}Mk(GIIX*_rGi)_=NF*|?e?o5q3em}dd6#qPzX;SN>PVu|Lb?Ua6_sbq? z9SKdR-9J7$a!Rj_Vo#Ts>Y^o*q0vq}?bFwStdt-A5;cw;K}=3^<`>yUZ#dpsYIN)* z-LV%g~~M?hpr>12mIIRewfJ&T_mHx}Ne`ZoPsY}m4pbz8VP4>`Wr zufZfVoAEt2E+@yx{iQh3lI|u2v>l6;cE{^ILJiu)-wLttHj#&moJFI{>>rji9M+9E zJKS4B#pQnk@~|2`Dx5p3k3}H-h`A6c)$L>vT;M!R=W)LFt768P_UtM~$*n#kJ-?XY{FJ651K|$h_H=cA1%=rT7J-+kU;8=C8YXV0#vf9HnG3v zX=MI(hGsGRaVe;w&AVg9x({^HPAls7(rWs0l~DX*$ax^Nnk%cTL*$@u7;C@QT?+UF++t2=wlYGtmwS|GXZk>PzqZqpsmhC+39 zrQFNs{>_4ceyxfS29F=0@_GKN=%D$ga9VauLL5IR(!SQH^KAlW1{HT(2q49P*pwDIx)_T2F1x#OLTJoX0Pd%J?MlBX`5>>?NwWE`*Y$D4#P z2nuua)CsxHuZsxMI%nIAM=A{1eeAgH?G|d2_%2SXMR{Gc@Yik3N^f>$ve7r>A`syS zd!*1_#3_^ZOyJ#GPepf*vX4sKA9jDW(ZUXwkgM5U>#`Y^U0uVS-sV4oLZVQ`f-Xij zKc*9~)Y@sDTYkGLzHHtQoM#Mr>hL-}%8%kVopPoE&P~CeA{#L3G40f!_7XNB;ZL&l zH9bWT%zu1s6CxVQ^3F4bso3OcoI2@|So6de>-mEmw?gfGXM1$IH!PBj*5c$n8HB%n z)1m16QmK5i@=-#I7(`#*{pKnM)oJ^9>CiMpgeXqH5#PI#TKFP~;9E%$CK48G@LN5Q z6S1qxCz=d)=phCm3VcgSn(;fP^xR=hU^B(BhBhSwZMnQ~f)~7w>oUQgKM!l!^vAOj zyzm}cbfk`DO!c{Vh(yA7pSS=)f#c>I>og9_rp$^8mBW)0h_IibS^HRa(3}dFUBv3rk|cm=AV8Gi%i7sopC=rtEkjm7@aT~g;nLxb z4>AM5XZo=I?_-CkPik0s&f^KV&&tX=)=mM@0q|7xijUmWnY4W}lak0mG{n_ebrkWv zoGte-BIkAbApVt{sk*BR7ou7)Ia23rxe0_nNBy2P(D8cQ>S%A5>UyDcecpk@jsZdw z-?QaYpA2oyas@Y?n^dk|3K$zFQ>U230VZ7cMxoD*cU<}tQEiiTbH$BbKKNA}AgCyc ziPd_ggwDpY+$imk$uo2)bp@f~&CjU_ZJ+Kbs*S86?1t_gI-1|`C@E>n&;@kW@yAjV zT3K7-s;rffTUYwBl(nA`qyA&c^)C(;k3cY{?9pl8qV}JTYv?{$B%1(QA7RWr2Hsmg zQM~J@Sy;kB(cc4YMvChLodsB+gZ#YBVOT$j((BJ<;LS764^v2kIljZNUqGV4L)RVY z^-SQ813>RcK2}w6Y8}ksX&rAt#k%!hzehXhoBOeT!nIk&bt8E?3caIqfkQ^q>=ai* z$C5*}0ONisW{Wu+WNIO8*(F2rc4v!eH48yw-l!|HI#tjYpm+b zep$=1Sx#%4^*|rjz0%-1rJcpG4>Q#|eJHi=i;gE>cZiMvZ^9Ww+d-Nh3^TZFagrrp zyS4cwaM(OP_pG{+?J@AXQtB-mJEypN#lg-orma*;ijM2B6wz$2q>!d$u}xNa`?>}R zG1l&pz%W~RC&G+;s)_pQ~#nN069P3pVpx5A?K;U8~O>V+vx%2vb;=6rx6N}FQ zn|JxDd~X&xR`=2esij-5=RXLgm=>*M7XF$;ytd^!AYrQrjnlSWj#C132V4V{Y|j}_ zBW29Sv$dh)US0K`u2_+4n`RIH)`8XG?p?{54F(_@vkAliV)eaJK1r*nL|=_k_&4M3 zi{JnxZS5E6!?I{qm_4+whx7s}6i_r0U4G2ROnzAXuJx&3TPjbKd8s#S^rlZSc_B}#J1)4>0JA;%Co@G1&_(%VGEk?sK)ct6 z;+&pta0s#%t6>Fq7-R#GElv!1z>rSe%2y$>E&6H-9z*V(qoQiPoGOaM*>!u#@+80)Nj{9viHOK%jx#(eb> z8;6J=`bwZq;8tXpW@5vIR}de3O&Ss*3~}STe4+Yh6Q2J!jQ(v6@z?LRP}96~{IZMd zg8rXwpbv^DMqD|jCMHU1YJ@=9hghd7BjXbuK7NnF>$D%YplIHpNt2(KrD|}2F^I9~o-h~W1%fj3ydv%vD_eYJW?M_1!Ei5_F7V>HA zyT?&WbPXoQFJ|ae* z55T{m?sG@W>LzHPppJ4MhhH`yud#>=xP@-jiO-aBg{i^0^C^`I20wb1r<^B!lUp;d zET9eUwcLajxE3U0O}bxh@ZV7H{vY1nJF2Pn+ZI*?L69a86c7ZZha$bB2qL{oFG}yd z1qcX&2uPFOdv8)hkJ2GRq)6z!cL<#T-}apIeRtgVp7)G%-tUgz82JZAcJ|1Ao@ZsP zx#pTvPT~~>|8ZxJwBa~HwQB6ZIDAH5>ym^vc+>?8( z(OCBaZe^b`7_tsyOOwh-$K@C`n>3?lr;hzj0&!HO)ucD@hJE%JYk$3Z(i(#`2SIvU zSbACtrkZJdMyAeLD0AJo79ho3FXG&zk7`I3)`tW~PIe-@^fc7JS`X!%^Eu8MbhsoT z>|qgE$6F|>Zr3Nqdy`eB)PUMRrvnwm!TiTq>xFiRdeX0T5uj&lO~nV3@OsG2`bUPsy3obJw;`=cuAZn#$^@$p0mu%6ud&t9rFSU|U>`aY=O zWAZ&fcblZ981MytPVKianX#WKoR}Yuc6kJN$VCVGgYR1%sn?oU_$P2NFi3eM1rtX| zlOkeYn_DZGTjSQq>f2d9NgC%VR&>Q#`gri1=^b@gBNkIV_Lo;|2!mqq&O7<|Vvg=y z3nIb_N;$Q1J+*@_&9ULS9&E3@&9_WhuvqjR>J=7jknu_mJ6 z-xYF38M|(qQf!Y!6BRAF3Mfk_05!MVq;HeeU=?Cd`M%zQjzX?sxgW5WGPXz+NELet zEu1Q2wB-Fm{&GtBwOC%OwV|4>l&2XcQ)4+Y1UAzR&w-wlhOe*K&O}YmLdg9v8x6Uo z#_RF%ZgNUg8s_S%tB$hj@f)F+fP%*}5W=;)y}iBIe(L0pSQhFgmYEC~6@9BY|KiE- zWEXZerGXUwV(Sr$MM_yfNMTV#P9R+Zs_x5TLYJQ}3@5rgJ5vXSF^lD53p!D-GjGJf zQctHWdwn8%YCoTZ>C~(ethPmoXs3``GLJDN0_Qoxb=%ZNFpv0?Z`s>q?Ic-QuE*K6 z)0%p|UblCInhnE0-obux>wo^5pJbf(+YxxofqR?e*5AHRWPmkTVO(6CI>paGYQV4V zP`e~B`qBS>yR30+o%>P#j8$0lhfp(w);YVJpZ1Ed=Q7?wC7Yg}7H9dmbFH+YDd~4Z zsnIC^w_U?HQG}NdzC8e`QuGuCu^41<@G?h@?I}gWzmgBqagPJC zWtjM9aCY=Jyt#lomn*<%N`|Os!kPBlFO~GbSex9n{7B*UHh2;+v&Y02qz$i@gO`@J zHWZ%fO*1sd#<>S1baQdqqYS>@=p3r)d09yi+VDsxtZl5yIcE>#U8)Yh#KSZO@!;S7 z+lTP?&nF;^`BnftjP6eDKUjf(zvR0Nc7;K!l!l-`r@~ZXL*m&-n)t4^@uPbj!Y$Di z;hV}YC4P`EQcLl-+6)Dkb@mTS*Z#8w&x*r-vac=wp_k}Ci!uLc;Q7lxRUvrG%WJ>d zU!mDmK9=dZFsuk25a0brpQg%xPqQ**Mym3kY~6qStpEMOEZ=)C<|}<6xdMN`u>W8$ z{C6%1V3WUv<^R_0-4MsW{@#a-z+OFEiJ1J?Kl2in+jy9_Ljf|dfBn7t6K`Q(_a_S4 z-1+aU(Eru<6y^Lmax%D}8La=SpZoXm`hV>z7Go@uGj`+IBEtVYSpWY#JpY}`v%($} zjkQ3~rGQw`+ghKuh59qio{8zY%^vo@H^{xQ{w89mW@BS87_%!t4U=M$Nb?%`jD(bw zUNj>mMIPvg-6-O%^Z(EDuKzk!dlCOswYC2k@A1EWeQpKdKLO4o{)b4mm;arI`hWF3 zCA5FeW9xI7sDJ%=WcvV|N48rcCD{M+Gg0LI=R6*FlZ*fB*SiSl`kj^DS}%I=uRo8Q zq)wIIhEo5-#m;iW_H9qqNZ%zhqnD$$R9)@c$!8~N{Qq`qg)o+T)66RgQjQIIBcgQ7 z5~RsHe?MjG4%Pj?IpKfFC;sxM>h+)1x&Fys`#SSG34WBV%FCgMJ_HN|8QsrsNmJ~X zYn5Ij-pzBxg=xI^GYYOJjsN&xAMaauBoK(ti2IDUJh`QEW==;4(XDVYY>bVUdiY&; z^L_>E33C6{9J0pfygY2*7BLncz84noqy(A1jR{5${Bz)NT))Sbx^q?JY9QWWRA{#R zYf_x~{!%~hw;#QyMXzU=s{2R6XIb2TQ#3lB9;0)Ul3rI6hlZ|g1fKn1;|gf7;3#s? zX|S75dF!tRjF4(X*gxqWSNU@MyHwieblZ)M_(5aF3xt+Ei_kMoP>U&GN3Epf3}s}g zYQJ~?p->#wojZh6RW>UwBAzE--ls`$GgQ+auTRL*C%pqT6V>b?05Hb|mT|N*<42)#Wq?v7$0zky;goOUYrtgoiOna2Fo}2E)$PsVP zDG)0*A(HKG&iDikQD11A>q0`O`Uu=m)RI?A$#IMyR_Q@|^yR4NB_j1qpo zZLBtJx7E1pj`?);r#O67$T_@`r^z~MmV_5@!-Ca1)v5aCL*@w7sCMIt`Ksn@RI|H{ zUX)QoY2|zWufgBvKCo&KF7>m2^C-hAroP#w4f z|JCJ&tilW(xvB^D^`{N$1C3nvCQQ@7?)LE!&DjJ?~ErRruywI z*jZSz*tIJ(PnZ&$pqSy$At52)5E=5Yr+KQI{fMd$w)UI}PpLF<{u&-uls_O}b#!#F z^6_bs@y@^Ao`OYHcM=Q@J|wu{x1ZE(-hG!|2>76q)6uE0va*h;f&A#`=oV|Qudnrl z2rxhuD1+{}jnzfZeX&y5*8>L`lA;m{B++3yB3yd9Y2MNGX4p)Me$l|pIv211Ngr;l zXd|tQ!gbmU5c*-_4yLj~W!^%Zsl{Z$8y$@DkX59diu%0ex z%;rbmdmBrJWPVLj-gaVQ(6ENhUYsHZ4o1c!nkBU>$%m8k_tZ!C1v^9BXIOJ?$l~@d z(JM3eM{)o9T>o=8=`Uf|DT4IRkr#N^W$&P4AiC+>)3LZ91v4>^u$zgGw8z8_4`#Ay zNj$q7aQK89nCLHgTbfX21GuFFTB#+6MfIKTM?fQWadFY?dU@F_<+I_S|*-SCk~9a=9nyla!@!C&L{cYdkw2t+so0|SeYP=h815k7v-CqinF z?x)n$t1UZz+p)af-ZzVk_puG+vebG!mRB88d}iC);?fg#`xn);SnnC2%9;5;TR&5< z{@s+WfO9QB!Dj{_8%0vslY)_1!j-c!NdKB3kfVe_u(y_<;l@ZkeVsiyC%ZxGwe>Is-YPzxv7jLCG=oY-wpCh^XQqr+TA5eU= zwf-zWJ@)5(Hsto={dFJ3fBsNOB4Rt+0x8z-Tv_kB!Y3dA+J(GvF)@JC9t3DV$^l1F z6Xsyp>>eB(tOk7GcK1`P|A<8;YyteuQL$5Vr~pa_5uLZqx|~=2Tr7FSYh|(S5WM%O zi|pH@!W9z1ILTcfjhmY3?4u+VDAjoo`AS83E~ICB$kJlvEQrLB-OPuSQG%F=pKWO> zl9zg`($ZGMcLe$YUQ3DXer(*5l9|=j)$71y`Qo82KZRY@C~O5#=mtFEqWx-;Bu z|34t@7jK__+u47#NLO}*&Es-tHD=swho8dTK&C`Hsr#uWY4PdP<{@|?XO&#YhZ2?f zQ};^_kq!M04YD&tZ=0g=;G7vLu}UAF7j93qiZnrTBe&p39%W6!3R_g!lj|QP0s*i& zuVNcdlGZ=9cmV#h=vwy#^0OtTZx6YFn!t%$^&eGu26uqO(Ub7Lx?IXbnwhv9(IbJM zDPCTb_8G_bC=3RN7MD=bB=ahrSRP`mhn~Uar#Kgo+fFnFU z+Xy3)!0!>fWs`kmP)JwkRJ&X||B)wisjDszz_u4wZXpuk0jbR!Td(D^j}gl5)J84| zpncuCJbui~7$&@(v@c|T*x=G^J#gRee^u}QUg2{yM1TFt5PT)?;@7oi9uN?qR|QBC zIC=SPthb~r0WG$Ck|&vnLkP$A%eUm3{S{;Fr}`ka~Az?t~XQnJf&;-xNY@u%}M5#<*%svSZ^_wScJ z?Js^$ige{V#^8i=pLm^LL|@LK-njDctjh-+@GH~Z=xHh$n}MYB}$+TPZR{66_|G}n^OW~iF5i%#MN;@UuwwJ)(uUHIhC zeJpF9BwX6Mn3V`-4GO(E89h8@=HhbX2!mP5)G?0FX%CXNMP|gOs)*|gW;I-7*E;Oo zo22!BZJ@wZvauwCg4w@0mb#PoaJt|Q^F}|#C925uX&|crPZEQaO^h)iSC}L;#)D2& zmYFO9^|<^;ms634YeH=qO+P}=NLHvVp;EBU;o)lz>e2k^7OY9g5qL-3Z}vUy;2OTE zM+;GPzU2xPNY}8;_-81GcA5Vebm7DYlC)}XV?neMzH@ucdW0pdNg$koXbQ3n-cflI zw`8u)BB%qx8Y{@8WUiM-z?RTeUV%PD|Cixa%CqnbtP4W94dJaSMC))e@_2$T#0F z*GLp`+m<3&L%KH=6%z=IL{})WGK|+c+R#`xR!~!D4qpdhpY<(z&AB`us8yLiu97Xi zYeM_rps87MA+X~Z)g=DD&KAF7ft-?p4YDiZ9Z8ff@6z;TlHa!1=a#{4{t-AC`Ra@R zp1^Z*GLZBv(Art_w9sw{@!-a-|J5hgUBj*)^l(@(+%ja#x4k zI|b;|d|Sn>qs9ex$f4CRzY<@YVn=P~i`>IRi@vQOSYZe_aLa+cJ6}KCO2p|9t9;fy zjdP8%*S*pf&0@nfHt>+=mL7rZ8LDI ze&Y2Nt;@(j?P6tqTzs-Mx#8ls?+G7kTUaka8Zp$bIqD|VCZVEqslUsqnFyAzws4%k zw0HMVU0o386sJ9B zu?lt88uo+Q0gK&}o*Bec>LhGWdPl_V!71mJ)oF!&t@Y9cLlnQ})N#-I&^2V}&JPNR zzum9sh0$+nWllZ_(?)ZDP6mnVlI?EO(UQ0Nn`60x5CVZxEpYD66ztb;lWm1$`1QEv z+*(@NqPVNtS5s4oLam-GfQ9V>ZWITIvw2&cdw~x__)D*Io*sl8Db;MPwxlg7PA5Yfr*h2M zt5go7(O;&P?cfb|5=NGsGfk%jqj6@F_3j!~-OaUIQE>lT=NM=@!&?JcHFU1!9(B>% zt@_2uH_;9CE?)&Ij9=lN?70W!4tK>{_|h91T6-D!Gsu2%vfsR9cULCk_QEp7L%Bo^WzmRu)RJDEV$TuVNZmKM zx_#F_gKx6DuuJ$IXEAJWH~i9R>?Y4WPU;50)u51S()#El`A~I@(&TpBvkUY`)=sW> zpq@Sv396sGZvUR# zL{+K)&N~S|5;+ZX{>=ZiMT(bTC!G z0E=9DDWq&dM+p4KOo&#Dg|>RuAx0MBeYF0PL$5X(@Mt=H5T(60+ZsBx!DSStd1dlm z*iY9NaEfNLP3BB?L}rMyiiqgpZxr_@ak);_*(Q47oqom_FsQy|3{(kS9|s0j5IAh4 z@cFJ4Cx1XQz)l;_d9+B4oSghw%^%~MF(1GbC!A7aQ+|-<$5N+xIUsirh=Z1uL?eLY zWD_viaYHL$d5?rQLC;qbKiSWFxLzg)Q{g)JBzX0i0V79W1KJcpEX@Fkd*#&$jo&o} zaTGEvRhrxKW;axKYf7D}E(S4fkiY(g10(B#zS` zG4WYIX zyQ=W!3?1Qb7L=%ppMCsPKM8d=qCo!!joo#;o@3~!@#y@5 z7X{lw#Y*P02vz+u^ zzB9Dgbi`Zz8-m8v!;tim#3l486y{Yb{Hx!+htPh#O5dkf6;$4|6_Ht{PSW~h^U)-~ zGJ!v2k|zcJ!-Gzht20x=&rK*8_xJGd=3@;?yKJsiVbH~BAy=r+h$XSjw#e*h%zILm zFPn0?m5v-s7FTuQvp0}BnWkjqoHBU0TVMr^BNfCR=s>n{Y})QDJ7|z2w|67|XyQb& z7rksRzELkx&?FQ!>t_thG)jHnTs~CzUXUQ5_2&CKR&YVo(!mv^%faMjo9Ja-yc&T3 zZC+yArAFqLvdbEmwddhpCvJ8Rqv__Q~}NeD=&9ueGYZXwFQJ=Tp zrw_6L;cWgE`83-+=N5Hx)@W9xH2a!sb_Qkfcu{O=?qXu&I0UBA;#VWAN2fV;tyiNY zLi~7IWu)y&Jxsm0VHljMj0wf$C~d7A7#IG^-+_x5rj?%TxOcQ~^h}`5TYZU({WAxT z7E2v9Drcc}rfk1iByb_8<=R$#IS{rtoW{N@9Gg(6e>nGw?tkE#@hFQ%-(#(v>s59x ziC63iTy=7}ShT*&a#WD5$HS>$>@eBcQ56|$1rUYLjen-bh|tJ+4Cny%G0KM)YQ<3X zBJ1f0UC4|pip6HC?Wy?w{L-ZBZ8k1C1cwo@ryyuX3eAm#8K0vV(~@1+lDmgq*J~3! z8}X<)iqjLNDGAvg6ZSDG$>#4X#~ZWC6kATZDW;}_m!maY{fD|g_YyPP3NO2oihK@B zOhB4RSh?|1n?DkRo-7~z&yCC@DLjq_-TURYd zO=6{N<<>^ynlVMs&FYdqbW$OabJ&vZDlvhp#y9d4%GfAs!t2V8d3Ey`>R7u$4O?it z=NaZx!g^uCF6WCUw6bq&j?{ zcGa+R(rh(+MQl4IN-?OA;mCEh#=5wZUn8*8Gq+qtTX=JJGn)(GzHS1g36U~$k{8?5 z8*BE9^S2AoR2%_!aKjH;PvOYU8c-df#=y;zw)agsig2my4)g3O$w6b$b@E+kO0Lwc zg9z;#rK10JnIo=OWBgpsJF6i+8yS>?BJ1M`72e@y(Fw`9ug@Ty#{Q%r~o%u@*n7fgDS7AJlh_NI{d0y}wIe@;KstJJh7b&NY ziA!7_8*mcXv8ug<8hN0~bTw>=2~ZIap9cbli!uQB8gylHAOzxW1{@tYHotKqDf~dT z&1)GxW|?O)uC33F{X)|(0iQ%*RxCJmLOD$+W)kM;h+brqOhPVoa}Byu?Uu$=t*274 zgH&43gQB558E7`sSR-;@(xfYr!lP-E&|GG&qiFQyfS71Lq)cJlRk7}kJ@o?*Msp< zk#|=NVe&l+83f)MThF7OBeiMSGhF4TRWcK1(lTN9z$`szC1c9wJ9hwq9<0KJi)~#w zRK(Xo8KWDoOE*Bp(u(2pMZL2a^7$;SfQ=bu5x$7HTD1QOIMvvXJ%uLAG%EDJFy=&O z@L4}_U;p*P;_~~>eL}+g3d82%$DY&gJr$2veh~f@QS74soC78H z%1k_T$M;z)WJ}kpUjJk?trBdi%a8ZP=hXa_v*d1iA;}?{n6PTy>Z1V1MqehpihZ{y zbW6bIMHDhcKH$AO_%H$1qu>dx5OP0lSpwON)s%J}3&g{lbo@7A+ysTiPIYORjb>mU z(#$m|;5Kc9;%W}_=$_DV>x4y*lbtTfpEnt!LFEQoH*e`bncMT*oc&U91z9stj~!G+ zqz)GinU;SHUs<#Dt>BhLO&qP%;3XMNM=eni1aN`Et3h9F=Y-l{PnRoypgXqu{k;Mh zH0)Wy*m`NRQmyW4RZkf>Dz*$sP45lRX*~?PB;1=#^Mja|89GZk5EIluPk*vJw;b1Y zUR|<>T+OK|bf4JD!U$e+Z#`cSi(m*`4`+7ph)Wj>PRbQug1V}8qs>kfOzpZe(axzl zMf(Xx-KULVZ2EM@9rAI?bcNG(L7yj7xW14sjrT?477|dPzpnjo=lB9ho#?(seA~w} z2`JBJ7Z{GSH2Q^Y{ACzKQINR@HnTLV*d~s`scZ%o#(;}}ueu@iK|G%g;+w-j-nYV- z2D-wvL*2C9+>nq*<}hjynO3S1$Rq^JW@B$)v1V~x20R`?CIz6-msgl=L;+7gdziI? zmcwg{7N69$TbF(7TF6EgZG|u;0dc3DcF%wo{n9eKu4!qU(`RyWHt&W#->_^Ta-PjJ zqIoLwXa}U)k2h;sV>O++hoR%pY5GJ9UDQ2T;9t6oSAP3e2|%(PA3R(+O1^i3V_uG6 zM?f#foym$kGyOjG82JtkSI5h(tIaWadR|_B%Be@;5-06mIYXX0J`d&GM2t0GPIJFN zR~R>|yRzek?_UWxCIf4s+|wftzix~3YThX0x2BRMmcZmK2vZ}&waN#U*6os4;v=ID zjG$;}_+?s&11%CYckzPkRAa%s&TXa2`OTXmk|Do#r;NjkgB3yE&|u7$G9TiDh0Y?Y zjutj?0@^mrWb@H@EV4L@$FL23%`9bgAl?i-Ylx~U_l!r#lBoyn9`yww-?n~w)BB?d zZQkvZ+_Evi%gGUV*Yrb>UfH(RvOep)5jN|jstW2X?Qw3x@R## zak|9!%7ID_EY*vQpQr&4F}|%t9JikIrJd@97Q*19cY9lx6YSj^PPwk;g9chlOJPvi z?tADSLR)?w=r_~`5%se&we~HZyD~sy?4Qs>vc3Xz1GAl%t_Cl%EZzt~yi#RGG-EK) z*Tsfg@hFoG`ZfVh^k>`|#E4F(?fS25&|3>&cmVKIBi~gIbOT3s=jedb5>irZVvHa{ zJAm4HWs6H6mzO^L`#8Yb?jIa1DA(sO?w+S4*Zuj0?gT{*3+~VfQhXHdSXDFyaNgfW z5AcXhAMtxo{8-uVIJ=;v*ENWoYO$N(iT|0e;II}UI2p#Xy1Lpgu`%(DBpVKw97q>M zR08hU;2lPBA!9>+Y*Y5@~(C+1CX(dgY0kYk$-^+-HdNqeDJa_|ez+wRuUYQ0S z7&B>eZEsCMWm+C0xPH|*r;b+&f=*3u^RzyyOUHSl`@ydJKDq-9h#w@h$J%T|h-igf zq{njmmkvf?Yk;@z(_OL~O&^HErp&dbP@?m}qRiVkL;|4WsQzrI>BZJ@z#2c2cok{# z$?hj)r9XbMsgnU0;8GRV*`jQ^oc)CrCx8jfH}^34g@v|@?lxB|ZWj`nqMpj;b-L9J znX@_%f9SngNYHnPkqW$U13EP>23}?4wjeCCm#u(4<7TY9r}fyMSPzOZ3y^3%@Lf4C zn&Wi3)OCwp`$|O#rCq6??Jj~?wh|Q`jUk4)Rn4njFjkt5nRaeHyAd+7*U)|9-X3)C z2pF&FKYkS-!1&juh$i3dE8$1Ryui&OF})v+&Z3Yi=QJ6}kuwaz36g7n1n*lA&CW68xU)?s2%nQqOv& z_MBmT-iIzO8_TnI+&Hfvp8qDwD@t(o=puRBA(g|h5@J<9s4sPo!SRiz_@?vaK<7$z zT}vD8pBlAyHvGCI?JMWaac`{N7{EAAIhfI|g^b*V82-VRHmCEc4N@I%x%>F&GHs%a^UYHS zTA2a;`mqXkXH1>R)=5TIrq*@=E9^MOI~z#yJs*q9IwB3^mT=v({B}&uy>5sitamcV z^r%+e9aInCD*qc=xqKueFOSICpV#9n@nlybuP}{$!>TT5y5SLD-kbkI;RgDS#oh5y zc|LSuD!coXecmElhvB&oyAs;p*@OloC* zYmg$e2s_N`;N=qvrJi)mp!VjQ0#1__#Xy}Z(jV&Ud%ejDfPPz}FY{xu<| zP-p1bs>8B&hX#IPtFZHvW9T9~&@dbwrWW>+ciUPQ?FwEARw6k#Fb8#}8 zGEdFB#B)L;%7w$*L%jWBNQykNT%qP-6b5~&SHJUF=Fy4R-n8JG1cdqFiRoOZG^@~f z&dbM}1^O`In;K(|uSE&P%Fc2xpvB^$RR$xzsWMy75J%gZYq`;c6 zvMC_j6r=o(aQP{=7BzB}E?>!FC4$R(yH}tmJ$FT%Ic35gA2tm-gS*crTklw%`4^P3 z8PtpUZL@Uo+2zHrEiEZ@bY6Il?CS#%saFc;$w8?$Cu%X>*$XF#VBzVA!1`u9R+BI5 zk7PR@CEcB=^Ngvpd#4By7nf@5(~8IB{_9V0LVb2Pf2X(Xq- z=?Ye%G(r;B@KbQm)?TuXSk?A0E%jDv!7hP?S>DLcM{~c_s%Sl0E0_r>d+KR=PRTPb zk?d}0rK_U}@U-uCi~SZ;-^U(4S(-}pbCK`}9D>^~1&n$qe_jrl_;DGEWvYK2=-~vX z^+3kY+E#jQPAlBDZZ?9!#|zsQY6Fq!113SffTVbfaINX37Q{ah=b7WW&r@e{8C}g< zYwBi?V|=}uO|C;y=)D6xt!g8yZpzQoT%e(59f|*`BL~@sQ_(9&_een7i3GGB=>$)9u zzI;SGGkY}rTGfqg8IPi3x-iSO!Pz7PSGw+7^ehQGyHue`f)VCwLdI37nD{r;NKb1;`xDQym$NOZv z_;<(3AHP+P-Ra`i+5r<^zyY$9oNMW9ecj54+&Wdzk?Gp`W*lIuSe@-Jq$C*vvpoIM z^HFq>blmSg$Xo)Z#ji1@F9iiaZPdap&#FGtQ4?%BOX`}bJ%YWx**^iMeXM~2p*RL3 zJ_|sCFGm7;(d$>0xn-W+3CLR3peha!)aW%NCGi`&k>OffRHWCJ_$seiAXi{-1()?m z)&n14yX3U~iymn47T8BXFKXZeCHz>Nwp;gS<1m@k&- zyG41kR7EA^lqFLvmgu=R%dz$(N(GU?QLN2{Cg=xi6;Jj*g3QdHd&jg^*05Ey4S>TT?Fl}&E*rLd^g+~N+uf9SOpd|Ox?sn+_27AXswT=w|p ze4|qv-L*CD<$#WoIgg9?m|^KNSca543f3$`5R0Gfz*Ik`URjiXS)+1Yf~@x@{Q%Ul zS)LD_Q{u}bUesB3ekPqXnCAw)H>@(jVPs}TJOh9IfzAi$V#7$RFMyrG*x2(&pZ)*J zg;M>2eT3!jTmFQHXShJdm$s|jpT>Xw`|VWp+tmAbMe5k2b$!1jF;eUW1JxT-?l7X< z@IuA4GaBKuh0xA+sGYCT%?dmt2Q3?^AbBHN?T%}&-|&UW4^!Vl+lLkCEZ+1hfS>7h zLtu;Vq{!T%H!6a7n!R&x+U${NVnxJu~6w;~2 zR`Pufzb!`BbGJoPb(SG=Sini8kqWWzvE+t%Hhf%pXMMlBd`wqi=k%1A1O*yE{n~3o zg9x(kf?zsA{uM2t@lsFYjtea?jD`->quMTTd9s}&xq5Aqq(awgLVD#$lY>)k3`@Db zI?7G)KhF$bkMO)^#!;*NZrgb<`31h7L$d6H8G-O!=8M*8!FiyM(iIi+Pc6!av9EP{ zl^iWO^GCGNf+JD>J9+o%x$|LUYZ`eZ)8zC5T~hvbrWf^$mN?gOFDMD_R9C$~@fvgH zP>4p#!;j%8=A_EXOp2YRtN7$j2LFD6T}e58;`Hpb?xUEO#P|2)U4z~kSwx;oe393G zl&B$L{DR#xr4q?C1yVuGW=eyVy9JJ#ERKF`^M6uWtD4WOzHrA%1D&~gmMX(ecp~W5 zEMw|W@EZjR8MGixmP$~xUZKzkzYIsteHt)cAtgr*$VbeLP42TKZQh(QJkojYSa()F{lu)Xd=+90~7I&4U!@tKp zgIMU4tgI!!waBe~8iH6pUak=IXJ9;OIQ7a&5|p*xE%lVE5(PP?3gwYq0T^?dK~3MQ z<~M4BMDOU^raCWNH>FCxSjPNh)F&E&A*bb?kCmoA^f>Np)PB!QZ6J2plu9A_b@|r8 zwpKnk*I_4Rl&u?F+qqRd`})|r{2t~Hb6`V+nP|7HoH}^%8d;R+A3eqU_QZkyT|e|< zqwBf)uL^rR?1Op>MD_?<=#07Zg()oh!E4_dt8fwrF?Rng3GWX&zhdk!zS`Hy?k~(i zr7*EDf*;qb=a!m=F0YAZ4u?BS}JAP>2W^*IT#}@xcw8Xe_~uHv+C(y=KHeD(4xZRI zs$-WPyCac1`s*9av=2N2G_RgR?4&f z)NZk2uZI(nyP|td+5}BcIx9J!WuP$IUfX?^{G=>x{@!yzqO8~7HgvHg=US}A2X0J> zpc2PE5WAm&5#l~`^Ksly=O|a~x8O`sxj^6A#W|(w!`mL^)u=&h()jPs&#z@`FKsdR ze*`tlj`RhQRh#PzI%ci-a~4z>?r`xsz4((oKQr^IGNb-ocM|Lx$;Cf~qRF#$wOTv>m}0UK=J~NklQq&8MY{x@WsE zWB(juKjV_n#pgZDw5=+P*{+sI9h#6H0f&-%7z*-b{Z8xTZ6V(-UNX;!%)G7)3Fud* zInmcAN;nRa-xAs`Fi)wTjs+w=9BH+tu&nh3fP3&*_FR{6M|-|)?eRw>YZ=aUzsuEv zaC>_QQt}kr+4x8cXw*m0@+#A57Ef0^%#@|`f4!w4FJGNjvw8Lf0#3T2R>~BXb(l*2 zt$}QNqX9sKUIkh&g@uf~j~|zVc9G*#AsPw0jdZibv%;!fIxSVnCHl$2#Yu`zCg482?poOKP(wV1}MtCfxJ z)=%>OZxneC2}%@(r1qoy`Cql08+ocYa+E3CDTE)&FNThVE?23h0!SW0L0+B#bO9(d zM@!mPapj5t&1(f*V%j(WF+@UiFkxM&xPv>X=_1K(%H{0<_ci}_jd{3Nws{W`!Fvu+ zYbrkigH;Joo|(QB_J1>S0EArt1;eb+OJ^|xZ(s&pQK6ssPK|0>X+&4MPPFm_&{($y zEM`+0=t64dXMo>dyCId9bfrFdcMuptaZP^7>d4F|Y34Q50^gCanRKi4bw0CrL zeO#a2uC)c@7gC-s1^wJwS3@J>ZI7!d{K)wviP`_iwA({E?GMUB3=I4p zu42iW^&&bnQ0;cr3XLbE7Er`NT=UL_34mBe3CPOy>g4NsOG5`u$>Kpc9{=rFKe1AJn*G&l6Z4S>Znvvsh-!9_bi00YYv zU(KCmn?`@|Vi6snOO>iu+e@+aNhUzqORtUx{;hv!1yTrnBOecsdh$WD7(8>aNI>yh z+X%?I3>Sl)tCT^q(@_L2ICo|(s_{yz0Z((*;S%5iF)l8ZFf*5%IOiGezvi7qir7ae zmAD4FOys_M3E+REXMmn}txHNu>L2y3%}>LlnQEI-osKFsmb~=rR}>&HtfL;+w*4Kp z=T}Q|szJK87~%I~%Qdcfyjseo zW6)eDr+V*>&RJO3)%X#X6Zk>*qMscYt7~K2w?%we{mS%x5!aeyHR-9wK??>G6_FyS z`nf{b6r6SZo9t=+Jg9K(MC{@~48Q@wVnsncLRVLG7z_H{p7(a}doSTZ(jym0cQ?n0 z@8oKIH#NUffc>1x9{mf8zM>Ee?maV#4ddEyaY`&m`TQ{IV~ozMEpI|%?U~7n&*sUj z-UUFom`UWY!0+f-J5z}K6n%P}17jwPgP-ovNzL8(@ReW8LHWw`dCO;^%nz&qA}Jr- zr6EVM1Y9@$jq4=d3fuA$J61F~ljuu~Wm70%>=%Rs$S|Zy>rYsnD3x~HKw1inlWYRxdr+ zeo`oab}sjtD@T4&`wZn0E5|W-ZMHp3+}knyc$bKlDfmYl#g;Yv_D346EwzznVtt|b zF5uuO8guX#R5Uza{CeN)&xRT4KDN#KoRWJI|11&*C%)<|DaL(oLYBa&+A3pJEAr*5 z*DTCX-eX=MXQ%kV5L6nJmBr)ZUhGx3Y+7{599c(tx^y;D_#p2|n!J8;!W}mTWU65K zNavL%HJLI^ZiH5#E!*I4M75AW2ES`cL#FMdN6|_3yUB@~!g%d47n=_;O7 zHm619OA|L+NQ>tkMeEg~yG=L7QP!8P8J1Dve0@^WDs%O81wj9;?Wjzmw|iiU6-0`f zdRxV10JF#kX%<%KW@+IhtXy=s`(6xP3IIWHP|9;I?6|I4&$@>h3=TYMfu9}S*hM0B z_}mVp&;sR#K8Uq&HnP6*IZ}^ z3*3os{`#HbU@<%9Eh@Ct*;iSQCw;tHim80AUi7W!Y1T-ypz4nm19{QJ7Y@4_ap~T2 z-98s*55g}GUUds^6eRxUv`jWWiVl_E-|L^_I&dD#%6iiAz+-P#3FF!=ly1bQkQvg2 z(&_vnQ#=m1zCXjM(@X*U(^(2<7{fac2xjG9M05@62q81db!)o0!@BMRv}`WAlojmv z@89Q9cJchw{Q141L5Kr4oQ%`h0V8GL?JZJ;XAll5po};&&7o{wasu6{wFLVKS${oe zKe3;xk6--sdZTd=pa$i#m^gOOOk-6 zIw>>889;(7ER;q%y0;^vqEKHC#f)3Lo&#df(w}hd-hB{d4X}}F`M|%dIEIU45`O(y zOaspYsZ5e8m$DVtV*-`e(n&^GmM>qoelG;5&pyXg!LFi5CZvE23NJa=a*G&cZcffJ zjhR1CRPH#KdZnA)9{rlc{%{>e+(Lvo8d32`Z4ZoT88BU{{Xb(q82c>P!q)V*tAy-W zCVb!h6HuTh$0762scsw3eYkSP`w87MEfk?9f28dFqhY$t&PK5J*_n1kiM6?AsZj){ z<(k#?{6$R4rJi$Hio=cG3pMC?W2c+pq=?}~mstsg$;JGeoqdt9ALP>7pJVr$9909qg$t`jgAL(He;vzV)m-OuxDPDD)`33&= zHPQHulC;rvRWiy9)LryCv@eeN7YLgiJX^CH=$P5; z{cFSAh+3mFIg>2P$7PmqQzVj>mv&fBpiD7u;=3z9L1wNOkdN8MP5Rm$!Jwib5o#Ii zp@1L)ko6Za1nhD4vKv~~{L63yPZ>}Of!aNEr9Nv8P+V=#H?}+Xr`*d{wJdA7%yrc8 zJ~1Cibrm*twOntnabEzx=wm1!>z?`z5eZO*VgPh`ePhZ8k>#Cj-mL7(*zDmD%i!f} z{7Gi<)0}T=@Vc6t+kNpDW>ngc%JrTNHhIpcTQb(C9l}r8 zc|U%dcB_%0I@yQlY9+`$NxBkK9())z7c5<)n$HVidquTJWf5R9tNrj%c(?o3EP|y! z|9ypofItdv$qxn4K;gmZEORS8y^Q12kAZ=#uW5K?rAKo&7ri1mz|(Fwi8DqrzE062 zaib>Gg1@VGr>o*QnJ8NQhj|_f)!R>)k+5M`0qx`J?~@5gMBMR3EbCZLHHoFh6)VEr zx~EW11I~V! z?|&nrAiC=Jw3U=YL@odhRj}0XkpC(#WqF!vWMd_Yp$*#|mkqn*fSjsvwADuDG!Ul0VPX%u*t za@UQ*gR6hNwgXGJ!8v0lbFQXKZcVaaP3_7q^jQXU{DH^<6LajM=t3167t1xYR& zN5GBWs4m*P-XJ3*iwHD-7(Toaku3Vacck!lv+hr|M+Diz4^+hRa%AAFu^|+$01k^@^I(Q}X=4NpIIwW_9>JOJ)KIQ${s&{l zFB^<00HkRn=XK2qFl^Dy{m%0*4vdBBD^l089xN;iT`3%IYeOwO4BKaE!l-l&TgI7000 z6v#W#Tc|aGXD$2|a*yn>jxAVyLD6|FDxF&~A>HA6|6^)M$orJxyNBNXt4FL#+sqZZ z1Sv2p3dVawkyk#Re@Ni@Pf+H#C=vOoyMvXK%#BX7ZQKLrXv=ianF1v$yzP23R$b7s z>oC6){#7R+K6);morxaqTe=_EE_FyA2+fd6Lr%7cOWW)~COvb0oHZ;^xV+ z-;?v++w@1^Gp@)Z@BbAajZzO$hA|k9p zcvnF2pSt#S$cK6jhUju#qB41BZ>qj$JeXYerN8axM$f1LBHiAzRnu$_CMST;x=Jv< zB0DRkv+>E4%G7Fv(Yp8|74ltwtB3lO9L^>=<+_L%e8OiM)PbDJ&J`G>d(D|w*=r`m z+qThp=`y!(teJxMdlq9)g0zlZS$-kGHU*n(rHlkLSBGfDbAo&2uRP~?lYykSV21bb z=m_X`Ggv;`*N!%AyIIugfT*=skHfak%XE(u|AayDX3wyw9P?10&o$Fl+0@OI|U zQ=jfHk1Okz%-Zjz+S7$AZtTSLWDfc4G}+!G<*>9{JK-37R;p=jGgf9!@9ni7ebD;< z(DvSOO>NuSuniOtu>nf8fl5_+2L%Kbr1z#Ggx-sEv4Dzz(tGbM^w5J!@1Z304j}{x zEeT0T_?G8>=e&ELv-f+?zW2QU@Z$$7S!>NX=9puS@r>tz9sG<)_jA$9Hw|zw)%+?b zpI|fEVyUuN^V~vu&~Dpz{~#tvrxCYEV5|Upy&?vbXM1pcTG|Y$B$IG=K%e6CpQYaG zD`r0D;q4Al)q$fK=ssB#18|8?PS1TQ!KCz9E2+TyFTcMGY>FtTzcO_zqSk5lc}(@g zpDgWS@O4n|)a^84U@OI_d zXOe5)yVJOybp2y&|1-+6R;bJtVAs zMIyDi8t#LoWSyEbo~>tgJ(FK6R%%teBmhN ze)F|7IoYrS^)#7@hxa0vf{w`EgnNy0rM%OHg&l%%#_|0>yni(ioXC_hm+2t3nB*f! zSk#jSr?p<*p3?NN2&HXZN#9`kz+-c16&co#`x(!UHVinrSOb(?wKq8b8A=c%dc1`x zb0GSlDW+ZF%NOwRZR`y(vg9`{}CnTj{^;y15@NvG&n!1zrl4;8KMg& z_5;RF!}HtZ(;-8@&gSAK?-~YZ!i|`p^Pjh8w=g=qdv!uttX&abk$vM5^UVi_UyX+L zwHu5yhZ;WS=#pIFwoezG&+Av-_tIsi%Q|~SL>Iu(XC}@CJ)JOW$0!1^P15#&U}X|e z+4r!_=N@fTKfBXpx#KM(p{23Ob98`CKxnv!Nhi1%wzP!F%UNCe_eO?1f z*%k}_Ah$W8%z-54jT19#@z!5hpRO{8HK4-weihMN%4N6RS{mj1ETuF_} z3j+%^_gRw7N9ds=n+n}bD_&iHWYrlN7nsHs#(-h8g5y8*`jRF6R&}-1i>h~kswq)x zm0{oNRgUz=Z8`}*zvNSPmM>ZKo&-ZbcKMzoJr^7%PIJ||>V)O+O&ed(hyN;dhBihT zeXPBQILv(edH#dcKX_065+;gA{5YxSL2ToUP3p-LlBl~eUIM{~KePC>^_T@M+dWV! zDscYFGoZl+=eaz)v6(yKKM!&fco%acco*%_2DE#QyK&s}QLn!eIyr-KF5Ge_w2 zr21UbzMMU@Ies7FJogM}A&dVJ$%D>Pu0=zMNc{cgk^E_PK~_1X+w8wry( z<)&ka3B8xri~~AOJ~eo4+6hi_n;yA^ie^WZv5Lh?oEaL-=eupbHcIz=l9l=N7~|Cy z9%`c7Ym;;T%+D2UAA2n5{R5gq$&1zoh_7|&{^~Ti!Rud>jjGSbWx3W2@j1oaZsTw9 zUAxM-;*yxW;?I7LjwfHW#oV8tm5%W&>u4zV%+VR_hNtWYc%l9ETR#xdi%B&ZMo_-5 zr~{V7;>{jLVMP_hQ!Jv^bS9+7a8`wZq3S%|1cEjF7LG?;g_8?`O}w-_FesO-{i( zKWqBN-DH0^XXP_xT;$Oy-Ah4>Wf592%7&sdb;gkP8=0{x&~V;rmP^GsN#b|gwWl@1 z?%WIw^!s|FR&i_yYC{YWx zd~*v`^~Sas?)YK59`(-IzhuADxyo@JL8oL50>Q|aIwy1P({}ZEILXQbJU3dnC+zyy z(&`HwR);Mu_ncY`XO=;9=DwTkn+Yi&4iI1y^Fy0YwWICT$b6^_xlJ;Rgmx z9X~XIUOh&^2V;2xW(}H3O7B0sVL_laH`ReQzh8ZSL*L(>rccgfP8L$Tb^kma+u^R2NLlb?)St{PzTzVJWa#1C z>ToRs;h!CEMib4p50{1C%c{Ucqd6wBWRm%pN9ojCMUNHaamv{3zJ+Y#i{jT!J$H25 zKSx|%WwzObg$ddQ|IiYytDPl9y6)A4YsmXrPz>ubEIS26T)OV9&t@|e+V=+rirOAF z<3|t{0gG+|kC_F4?h#n!w1TVSblQja?%Py28{nhc9t@R7PN=SNz( zcG@aM!kO^BxcFfmxNfQMt*VCXj$nO%oz*D2$YR{oU6JYt2Tn*Kkc7DVP-G>M*>*1v zE3%m^c!yHHBP*bi+I;QQ=4?v+TXQyq0k=K>D)->vj7mRejhk}Nm&x-i^Y-y!jg3az zYp=3U6x#T28SYi*Z-+^(e*o=cPZ5%ln~ArgUq{Q$c9~UAXK0m0g|f>zwm|i>&(@w^ znMsd|E>9l;hXm}PrH-%qg${h?m;`sbs)ar?Lk%=;WyY0GvdrFmBH@~1J#Y{bCtx&R zo^iOZ)DRV~&bQU6pY6nEl|F;M$DpD=79j16){YX?$~b>-#c_&1yJKkI8JaWIIbC{R z^7V60qq(5PF2x(BiJ_slU5(1B7uoU~D`$seJe58|c`VcTq7tGld2#(sU$#7pn##-@ z*2l+T%|igj%D8H8uYb_iW&Y#0Y|#qSz()(St`MyspDc}iSJq~;A#QP~C@LzW>iE(J z?;cqh$2b3|pp4&C)ZVTTS#sZ9rYYS{5@nY^y@axz?PQm?_H)W&)D4aRk_6hi9w#SG z2nu2@I@@EXZVQyONLYv(GxRnT|Cbv%P_9ATdzCs_SikUZIgCG`#%O7q>k0*24-7yQ z_GpxVqH?MNZC5WLlw zCTrsJw0c=m5>O~lZjzCo0&rH+-ue-tUf88T0Alk?WKlgi?9x!ZJ1ERkafMyX;Yz?x zJM*Me&W~Q-iJZrmN(%5b6M1TIZ+`O~7>wdFvELaTuBP|-BfmlT#m;P16EQGlc+27{UEfcI){m`) z0oDuL;@;l7=Mn6CW-=DjvV33yOO4_OGe*Rj*fCn6mKNsAFM!j>Fl8jJ?^8SE0C}^_ z`|x1Tzi0&`c)!{ak!dIqBk^1-5lF`F1Y`?-#H-wd9%UCO&xZeIFc}UaeXS zkkJ^|FKUF9XURZj#X^8!WHidGCFLmwx|fvc5*gP;6#)j5WDV>IZ_;KXQtk)cDtzWRBKMHfVs@)o zimLqibz|@Q{JnWJp1cpF9a*f-yAWR{B@nQ$)S5N-I-iw9KRPANWby*0Xw}!&wf-Ri zZka8?lw!G~l1AsC<#`en6Me!RzOv&vZ6uuEYoY6LR=o*x9RN8eb2F`9ubl!q`J-gNSsNP>2rk$Sc1#;(v%wK%;660*8hhE9H$df57etjcd*e ziVSI#De^eJ{A_e88i{1QZ|lQuX@7-D2}q6<f+bJ<;O)dz>KI3=a+l`HGqC#hV zq59boo~{JIKdx=rPCC&6y0eqn}K625upa)a+UX`CWF&Lb7G4yXD_*>*wn6IL6mg_0QQtDci4Trsomd0@?laQ}!&T~U8 zWoga_(ahu%$8V-8UF%$P=H34cqLE>D{?4pUiC*^L(MNOB0kv$M#xEb5o9u}?k)Mt- zSvh>7C+CC`rRH|-(I@O4uVE32D{8FQ>4Y(8w;ok_b8hR!pg1}?Rk>(#9=y4A>P)lu zDcjGg7cQUYeY?1B-n&kmz&bTgA^ZSn;*6iSXIOC=qgKha8wJ<2FF*M9Y>i*x;5BA~0?Hh?l8ueZAGOZLQRWj}fxgASX+X09=psXtcZYrGDx)?1O} z=I)TX-6w=bfFUQzBA4BVa~@m6t$g73B+bBg0puwD>Q??<>i3K^r0TUY`YQSX&>%L! zXTV*{`IshR_p|#{>Vw!7ew{I&;Cn9SOTH9oXQ%CHj%Keudo_ULK^7z&e(c1VYj6Jk zW3;gK)1})RShSy55C*e8!YNiRp75mkQdfUh6kXY%n0n&jjB~PGc-qsj&l@WydABC8 zpLz1D+&2Yi*tItrs)lV{W=`o#Kr-dV=uFd#%Z%&$W^;Pp3#CZKg7AoBEU%8&rdm}a z7dLmKobczGe0AlisOSJr@sUnK%1}eNso%_NNN3-Kdx{y4Ub@@JS;&3vS(oS-=7)xb z4|rjBB?>kS^atMD9#n=3d)9$;a`Wj1n0vj`eFwKV5lxAQtFt?}>OzM}zdl{%lU+pV zAE!63##guzO^wPOKq`iD6YmSGGozB$q}xXJ3k3&Bkt^fLLK#o97~`zP{dHiiExSLC zs!j54Y6{epVgfj&%cGG)P9vvmL} zmU3AaVMHaCTsB5?&r`{Wv`|tRB$yhIg3X?=`X0Y9cj~kh(hqKtdX&cNvc(N?kthGu zAmKK@%^mJ`3fWGdA^gMy>gBq~n}rIOdi55FJA!5-OI5;-jk0xVe&Xt>FEpfi0TG-Re%kLO z_cT%~^T~Qb!o9O9YiKpkp6@3~8|`W~c{B6bl?%Os8~S7;_wljp4OEf-Gd96SG0=>= zg&s40-69p=Q{&^`Bv#HsuWmY5Y!A=dV9;5`keZ%kdu$D>J0%G9Z{A055qFX-a@jM5 zf4esR&no%j-xP9B^=!oz>3U0v-U_a^as~tkFoN>v@E-n)QCwE7s*g8Bm2SK=o@``d zV-W!6VS0?o88Y@r+4*w|7H(47xsMvz+!h)1bewIPDDA#_11a`X^uELRJ?I1bnFh~j zc&W)$7@)w_Ri>h%GUbU>r}kPBXQVH%yJH0ii{SE#u&u!-H*G=6&~pDNM@TmSd*_!& z$~jHf!M2L7`>aqks3(i{^UvD@J;k`n8lz7iKW^qRQ10ldtN*CLRRJELKyt*yO*+T|HY7V1G8%r*h& zvbuhpw|gkHk5p z-@0{RYH;mr3Zl;ZBvEP$ye6~9BJ8_w6EtI^a_so2^9q0ev96@>a}3KMX9L57iGh<< zHs$quk(?<-ZR#^=miGcy&iL1?Df)p(5v(`OLWmU8XVSU*TLN=L=F$ zW?DV4=!^sr(AE%6X=5f1p_j{|!);ij$I4baB)Xh}0>0`^W+7o+M4D2sMT7Z;sYJI-88Q>MHK-kt4MPx-efAFQ}SIXdKq)Vlt4|p`a9267=Yzq<9TZ+2gUWl@P~MIXgSvD0aI6wfKRYYKKJMu(Gb zA@?O4QK873$*Mmc%#bW)m$DX#Hb;u7&G)XhB9!{X>* z=oKnT7uSgBDb0O>C*op?r%$kYI)`A@E`aW!pmKNI_aP8w0n^L$;iFmL3k>S)tKi}> zr@+YEOH@>#m1ZjE?)|%nZZdvafHy8kcdK%xzi*9MGKOvqBa{!I3f#Twu|bFAL8l|9BSImFOKbp-2W>SU zT_>Oh)9-jUtq&{{clZrPmfWWq@1gvG2b^oUnf86l*YOK$(7Wd2Xy`#-S-imn#2X@O zVu3NPeNvv!YXaMYHyMluAzSbmd46vgf3kQ_=DX7ya`I$?v+_?vG9!Jw-zvdJ4s^5w z4YG%*C@J*>9ihN-b8~h!s~E~QGjGm-d8_#xHcr~_RangB zWqqHsO#fJ#|7Vf@`EPY@rvw6)HhL!JcSCBn$Y5=b>_JF zI3Tn;O)t#8e*>U?ib_bZi3DGF2L#!QWJ?*zS=fa8mK$R9>pU20yJi|vg!I$3@v($waJ|g^p`l z6^l&1{=m|6BGsbNAX+Y<$EjrGYm3j`>SF+WJGIRcf;#Iy4Gn@$`8RK+e5V2m_SLKQ zT^2wTxat0Kce#7FPk8Vn=w2R@C^G8U{<$)lYerwcn?{xs+q>aAYX@uX26V*c98my9 z7cC*pnkw#X>j(I2;Xtdwb|6Lh*(sSx)bvFpoPw&*9fWEEnn7pH zHJ#9=!4=RcFwq#8{fb@YR)wSS)0c>6!>$UP(x!quwTI`6-X%jGJ4`(dYRVazr|gdN z2E~7wA?3DWB~#*}vR=ZlzHx%HMtmo^%|W8}b#qI5>Cv7Tfw(;oozlr8DV!jQt=oN~ zLu!U6vxadr;{`n`l%Xdc4gG3nJC$3PWBACzJr!VsSIWw^+?WY+Zy|x;xU(uNBaEC= z->F&7?ogs)D?QQNl0J)dWWwNd{1F$6?(-gH1iCltgLCf}6Ogfb!z|L=-%QT9VVstA zZ1d^n=!6IKMp|Tw1lI>;u8SNj4j-hNDSL^PzP-nNj>1wej`d+BH@}t%WqF6bF+5z^ z6cuW4E~_Jv4$gW* zJbdl0tm%|%eNP4;^7X=T;8-2U=B1{$yJDNN+}y2Nkvl&Iy}J76POZ#{I=x{`JD^O8 z(9n31BaoAULe-&1L5Tjq7Chlxz4!2Qd!ZYAO0%Rv$=$;!L9_4A+l4AMP8$@MGLMX5 zs;GMccCqGHrMHJ`aAXseZgm5E3DF-sOQ)Pg^LTNSwL5(sh<0 z)Ln<`Ncrj?THK8%^qipXweLedNc-xx5FugF`6*Dwvui_j;H3_alo;(L~I+%$vp zw|MzOW3eq+yASYy-jy;$Arrm5zf%Psqik+S%$=4E%wSw*UM8v?t)x$LgZ-;vE56fG zv%+B3YmQ6FCYEbQl>H8#M)PFG0QLJwb@cchBVs6NWzX?+slD;LmFlK?x8mjH#-rn+ zGwD;ExahjoekDAzo^$#}u^8vqLDOE2zMfdIivC=aC%jijz}f74l28`p6Du4Ug_+}X zT+G@itLVSE(a@sL|9a8M&zLuoVwIWGXl`NOSpD%#G$csa#N4#u!MRtm64u@|0@`g)oUD;+#ocT8Jn3wB~8Cv8%Tb_iLi3k6Ld! z?TPynJ~$i_c_CuL6|Z59yUq*&h$Iin3vj(4xz}TdaEQ2lbm!9TnL8KC=GxaW2Z2ZO z8a=quWUEwOKKmm|a~a;aEXct0xc58LU@vY3e)vvW4>E(kX=jBw?VGgqtmTKX!tOZ= zA&M^$!`_>%gDevwbf9n;#onp0dkD-)(40HefEkH-Bpd0frS+{Z03}HRjZPj+NXRrL zHtiBmz+9x7~y^t^02*H*@hW(;0BmudAtV z^6BIaY}3+@wlK!_^;wp=Z)kr!T9Q9ZoEC8mVSEpCo94DopDc6Vo`E3!=-p?rX3?PZ zKy8k|eOLRmkm~**(n)(iG3UwW0Ubk)8WvZ@{9_pBYeC*gh%3Q1^TeIfD<7Bkf`SeO z2}|imFG@3f_Lz1jlQAZk!H68rI03Up6AWfQ^0^%h6EE=&Q}Rgu$j@;r%nfPgt`t8O z8qw%ID1ZRT=a+KrA0Cl|D8qxpR{gzl#xJ3rO@Tk?hn-umNxB_;May>P2AxGhai9Hb z0!y1)1u09eKCW9+aM1Y%d3U5>%owlyw^9?a`j#bkH7ReDbu;`NhgTsn^+Q7+7%G{AX zeYduza?hB)exJjf1S<8Ztqg-P{5Gcl^Kjw6wu*UL#=3pSHeL@T`2CDrC6*2m9~Ne{ z&Cl?}h0B?V=dKihaq~AH77sEnR`M0z2O4a-t}hISgMgl$m{88ZaoWrg1rhp(Kzoo| zK)uN5?76}7LVh9HSq~f;WVYWhs^u@Wb#^v}XPSww_4wSZooy=>f0K}Wp(C6XMCEAf z_YvJ;z^<6istps&4WbZ`S>NC1sin)AiL^dDdEgP0a@=Y1wzxP#iaQS~2T0MXIzh=^ zjgQ|=dZ=A`n}6Jg+oj*bxcqr=A-tz*_9Ixl&mJbIJm)$g)OJX>_XdWTNkKr#|)!IO@p>?z6d4_WDdybI!B*NfnZA+Q$-6l#RlNow`WrK?6nd1MVr(iPs2EpjjF7T&^qF>o!A6P zFz-y9CmKFcJVtg6F|xasES#hH4ke3kL6iL#47bg`k~QzHFgjXPh>p^ z9=q#1vu^)^$z4XYPWz-{joHa7JUqb-Vji-3lFXd`Ls+T9e)VGj!~im&EXy#~BJJ|& z?_2;Dk)IMlwHAZ)GvM{h^fRLfO@7~VrUBS7r{h7vLPPT^vQV|FGOx?evPld{4ft+| zejFhXGZ3rH7XB|9_P+c*ll8YV`Y9y^=R5FwodAsoER!G?S?xpcP4)fF!n;09AwS@2?OzvroBZ zPfo)^p}VoX%N@f0Z3c6Kh*Cy+?AmZmsHn+FhcXtiAEjuJy?z7LA*v5V*~wv~jfw#d z9%?7eIDB)8r`&)pZThV$TL^o>;`@+w@=j(qT$=@#_uZb`zyEBF>!22DrXrk?8Z=o% z+-P{UydV#?r+Q&)7%xX5kWoTQ@!&c+M3ac|qXAn20V)?|(SH?G`jj;7t8RhT8pDoN zADNW3R;c7zIEEI{uSMM=-cweDd$Gv~1ZWEeI5|z)FZtB+R+lzqv^#AYf09d4j+}s! zQS6NR+}jiZ}O8ByTI4ZmAk@WN&kL&k+xR&yB~`KE?XMxdhP|4QpCC+ zD)Lx;zl+)-ab@KqC%Y}xifvWMY5?9Ek4C_nAL-E_`OY!U=R~f@eMonV$IJ)~)5eb8 z4;0yBNhC}mHWp4a%Tpo4luuqps>&P5HKWxdyepMi{f4e1c-~S*I zDOa*@ErX^FPmyVAB(uO^j0HsuI<@r?*)#{N@?HsRHF~Vdihd&V8c&Neg?Y~&j09p) zbGXDROe}}2AKIG0$KvaS*l@1zXAQ*K)MGgC>5S^3khzrGbAj7hB=4X}b4?fh+WLp# zy}Z8u6tW*fH|G(CQ@<-6w>g%dj=ketKbgkNiY5nw8=&#U>$U3`v}n`%X?e1l z^;ZfzCNmEEU_Zj(GW0Y}tCQ%`(5gM6XSzvn@IdYE`Vlrcz1t!^5Vn;i4^B>>sJYK8 z{1eogJ}{Dj;gBVD)gZzVkI|srolCdFGvwo%uymm2KGuger`5RIqL+`<%EcE!MSrJLm=p!5=+*5tHnY(z^=E>jgL;tx7{l ziJkz+W0ZDLc*Ix7eX7J!RZKIm|#)9JfY13%#0tKKg6^}}yJOF6%XnBJs9yDGn%6-ntg+NW!Cb#*mg z2xLjY0VEmHjmDnzlBTr|iOJ!CR}DLdLP4+NId0O^mh@Kw;8W?g!4ehcuZYe2!ETdf z;%Az6I#}UVDA2=BK(nd&2f5Z^;s#KJ5I4&O>MwA~S1fYmeI3|dpOMIX->DPpkkR!rd4kAC#8ER!fN5sZfdlwtS_1=%g3YgU z_*$U!Q+@q76T=kqVxS5$AfPYH&);9F{*wxO1?8m+v9ZafUQEnFrf)@?7ju_CzyqS~ zH}k>*{5Pl#xXvR&A`B*gYR8X6`JfgAA^Z4i7PYmjTM*k3ZkUQ^nB?tV6S?!$EG`9| zZS``p+!YlS@cK>vfT5)<@O`@n4}Ld$>)NdZj*fbEpbPkN00RaS5EcSQ`-xf{4<2wW z(#Avh^{&2asS(s%-|^A3g1`1aau6`d$gT)I`}mV?rmDt8+Fk%=;_f1 zF5PDDAv#MYdyRab7+rA2cl_s_@YIBtR3%NPX;5Q zpf9=O*=9eds$*Wi7qab&4^be{o^70eGHzT$cq6k7#nhDrSN89i<`3NUOv!F9dw$n~ zYlLwg-^QChUNy)0Cp9PuA`QU$qBZhh7eHy z;igQtY`}p1v@r7XG7QQWb23rVd@qHbrQE8=M`fm34@dCV!VWT2MT}4(t%!pbwI_&b z$$LIK%+gkr&-?@2>DbVtCIu0hp{g|kcHhsU>#gXNEXYTl`7%>C`DichkeF+wZ8*?U zSmlJ6Dz5bn*BS}Afxrl<-7TEo(~-p=VZX=cHF`X@yURY=HaQYJ%_$23$?haAH%7#R zV0$R(AS2DPolc9*Zze&a1`){A9nBjTuDlIz$1Y@EygawJdRb=653Hac|ZJQ`3|qXYd^4S~UK%74#B+(JCj^9@~_= z)Q~)Dx{S|5%3=N-;n2r05;Iel9sqHeU8}ze-yaOx4KN~p_mi7L8$$6xWJVv#1azv` zeEWbfoVHNlFjuR*+Sky|c&%;*D;s$Nyvb8GPZDN%bU?;XlF{Dee75WcgGi3Y@yth9 z4g4d7?kCHQJ-LV~#EC!_J2bJdTWk!AwJfl6^Y{2-adfD%n=dc3fN#!B6ZSo{@Si0e zBsp$lW$?K{-H}1tX1og8gJz)nn8*~zmUUv1^im#rrE09~-b&SM`tbv)Kun9Q#a5kF zCEGX@f%vMQ+(OMM?bYTBMT2!((0gFXD(kM1AW{_q&)O#>6+zt;SUq~=U8gp;-edr` zvPU0`F3&}X-Gn-NJ&gz;8W?oBO!)EnJ)(;JmR+{9zB4Uh{(S-?;ub>GrLLb;q1#|I8HW*qcUvwW?d+$f8$U zjC<`e#_L>{a_kXh=GP6RGG;{pjV3$Dwp`T>Gi#uP49^KsA(Jsd@qolY_s0u2OQ0D} zL{wFvs~5npUuieS0|I2CfO3)BQn+{nMauiVNh5Y;)N!gLql$!q&YinRTFZ`XyZX`# zAdFRw7l?P-lJMF{Xd))zN*G_SNowRra>(-Z#tY(ExAL97eftK_^5w9vOMvdq zU;+{6*8Nr!LH;2;>$o*JTg`M~r44Wpxfl_Cz;c*}Gz>k*K21!*0!jMr+v)xEQ+JFy1lup)!2a{hH^*`-FEer0V9B$Cr~E^(`EPny#Y?wx&6eY)sH zF3WelZ1m&2@74^_7vNXT44vaPje}In}Q)@m|wHEby^x z z0BUq>Gz<)o2yjS}ooW&I;+d25PP%(-ZAxIhHG6PKHqZms%AW!&zDfU^%KkOY+b38O zz{>KR88I|#oPL_D0ds|7#M7K9nDky>?cz@g+S*YybuFB7=!O@~_u~(il~ChQh)85) zw6?*}z^9+6s1{2|N_Tg&Lu2aDb!90Al;DFh`D1R+_rxR@jgMl@8@$lhiK=R9aV`kZ z$55a-j0&+42ORP0oJPUEU!SSVU?bg3Mg4R30hxD3g-Uh((nBTx4`QRQ*y(L2zRq7m z!Q>wJ=G^)SM_|+-KkC-qIDt09msEvV)cB(xii%2#>%)=A?yZ}*+l3X1Yio5Nnf7i^ zQSh?Zn$Lr^>`~GAEI2gCbkAC-TII866J%@f>!2Aa=Xhjf|CPH{Wt`79^QqC~_4Y_| zB{$@A93}MTg{&O7}7p$pBxE@A5jC)A`QXq|wC=K|8Ux8xT9oPI1I*#7>trpJfwKS~RJRx`@CW zFmOx@N}E1#n3%Xt7Q8$!i2(pXSm{wFT!F2v^fF9^vpioA#FZOx`l{%v6b%DiyhdD* zp_7DxqmzMWkXV|CPtoD_ZD_UF=D`kMJ$d!%+}zrf^P4YhvT#~SlNz`B6qo*DwNDWd z--6$TKEZP|m&j*9CTli;*qgV?rW9uj=X*%Rao$Ol^89uNf#*2KDKk%e)=Djz7Hd?D z#khofH&xFw|l10M%h)z^JD1B}(4)xQU4gxueNO6viK(4AIfnF8SJe zc<66$BC-t5WTq!QQB^H>(v)8!R+ffj>fr?6CkG%bb1ZEPGo);{Q#tY*8oJFOnaW{I zaOO|gM=tb9dj{3c{{BtX4im%cQOU`?ospd2eV+yA>7v@xjZRtcJsrinScy?D*c(N9 zrP1dnu-#o<Cs~=TD!${rK_F9x9?%CIy7ekMstW z>Dx!#wVJZjno{%mUMd0-BEaq>=%-inG7ny-w-B zc>`_r6*3+>RhIJxTGTzn`YT75!E-#whDyKHpw;3zqSYq+L90cph2^;TV8EITN%9j) z4sJI~SyqyaS5~de*HTP|%Rhm*ENDae(}Y2JXm2FS$x%)B*{=_+#N`<%UYaM`+NgZl zq>oY9eb4zM8OC7zbJK70LiY^rL2M}e*a%gaysL>5E_Gx@m3SQ@#{Jh0Ymo{rOB0N^ zocm{Nu8n3Y1``&usI7BzbM?ZMf0m!9Vb_~@6UyP+MN2B`5o#fF$h_8M5;WfseX2Ml z;!@159Qlp94V5i-`O+1GL`PT)%OgWAmseIDMUOe@Ge=w==-83!(xtu2Iyz?@>^;+g z2~o)iqYhrr&iniDvyZ7bG6k@gIMDnW?pM~<#*sZ`@qxc}+W!D%iHHS5WyRF9vVYiD zo7h7*qoDkTCfWB5ul#M;S5Jg8Q9_q7EtKToq)~r`M+NS|u1nl?jz3rXS!wX@mtLGW zesscAp5mA=Qb+Y{(}-W$r*rw?;}NEb6842#aey_kJ>XfLXakgHnAWtD|m+x<> zyYp9q7Z3R)Tb!JpQ(MOPUccwIY~v@r&+wW&cyt&qt4?+NR1fn!@$Ot`eYnB=KBXor zGASnTB=uAn8Y&-jFazGS<@v(_{A0|{u@m7sfF*bMm`)T^^JG}eI{?v9IK;d&Q-tj} zK))}k?{N3GcK=7;B4Qd0Y{{wsqjk+m;D`(){QE*0g&ibM#2dXqBZb~oH9X?l-bS4w$Ag)!kjNmeTLre^A^ZZ(n%OI?#2;J+2NcB04sg_CwPkrD|41*M)Y@QgaSfU= zWKI+0-Itd!tZ*ujj7}H*%I|n3*@s6EF{?>ApQ#SB;Wd>H#|>3l#y^-}{6MFzt5h&& zm0`{J7sgwm`NDriwMIrpSnGG==l?6RwJrh3QoKWXt3?F_o;~_<<;7+*C3l;VSKl=A z;)dA2PJpIoa6!Qx`|C~ur48&)M@_HYz1z)l3*d|b5ZNYs$FCm$+p2(_v1u_?GAyW( zZ_mvI(u0#WxN!F0ANl{pJpZKLU~_oldw3A@#Lo`CuhG#rfpE>Pud%D;`kxH{-^Rrt zrnNon28b@KtRTP|^t*EQpWNlQ74P3(!V(E2m#TO-X#RCP{%;TP7iQ=G&z*bzTGcZX zRo1^jQvJ1o`mze{k`^rEBwp>1Q|p2Os@Q_tt#?>@Gad zVT}I~1N*-Wau6_Zgy>B6|Ht)pdI208mL3zyS+V>jM9 zOe8m(Fm1gyc$PlMu-0(p?0@1Z3mk*RabxOi0t$1!u%G7H=$)`5#IDCp?d)Ak|y+ihhOGpIDQE=&85w-f;ndF7sVLno!%= z*iOSh*LFDPQ;ol_Zp@luCod0Alsj_ZF%Uzf0D0``>si^^r7J&w{`{3N_#75iY6av= zcmXKbihy74fQ*6mHL!!f)(yoQT#^l`XC1}+vd-9DyyZ?kbNi@~$Y8)jPx?Kq|1a6> zKQ5-%1dNyZ_0agMKi&vjn9tDAd;{_hk5yIA)1!o~0Hk@=f^Y0ymNi7PpSSH~b>ZL^ zP@#whICfN>oXV#BH^FYsh7flhgsiS2C{6f8Rw5Z}JAYY+h^?t9{<6Raz|QvV}c*wFb?XAbPo zsC;r%`s1Z87~IvRiW)19H}KPA^%r@6VgCwl?#oSvBTEFTvamltcSQ1Fi^cbt-D^fekg7QS5O@=C3O ze@y?MjO4%Jh!vWdfWbEBO4DR2eM2~4?iV>YoJ3WWl`m`~Ph~~?8zcGO zULtbw_z4P2cknCm-+I1(SWn&Xsb}eO0F>7`4rmrK@Izd>cyYtZvnlC|6~l6VmSyrA zDA2ww-)!^fA0PSm2kBqu)~4%(I_qvn)t~IEE-SRZnh83B{V!a&Aod&p$(k|H(nbL` z4MQr#TK6YSD5grfca-VuFx_d^v=bL&uz!Il{0|u9u@hLcYjrKo*QP@MWJE{f6l`n? zWIcezQtdQj45-F&4a`G_hqWaEel9jSe?t-7aw)D`x0F)QJ%fYbfqMphLix0NIeM?& z)Htzhfx%{Pf5OE03qxajJAS%$j{~!{rfB!Ln*}PD2{p#soBc8!Q z2LOEz2*aY*0pt$b*0!WUDYcvL^kqoZd76EeBD+9 zy6qHcbGF$;Na%H`Gn-0W^KWk-Tts{7bbNqPQc8*gzqzjNEg<*yYr%c`{5cBfDlyz- zp-xCj;sHS2ddA_@r|pIs?)u?2DmuhQWc=uw$`>TB#>gnWO*-{BKF(}qBH7~W*lB~F zibG3nw@f85_Ni+VR1>pw!*Bn@SpL#%j#em4%oKYzT`!^Rp0P=o+yBP!1DXnwaU3qHLe_y&WeRdAEB&e)xiEqW+opFwG zP3?SI+;u7u?jABj_@oi2+?rnc07%6Ap~v~{Ed6(vtVaXK3M|TIbg}l-=?`5Af#QuE zBS5xd?3`bxm@Jn}_0{7+HLv}zG}xU0Otsc22a)?r`Vi2yE}1+QUyuJ);sVMwaAS8j zw`HKdQ{QLeLNJJrin;-CQCI1g1czwIVn zRwl0MP$dB#U~VU0@$t;~Thifw>qZN11{ZNPkHH>QPA1W*U8V3}9dBir`+Nfbhb+zu>w{J^a0iKYYoSZgf z!flPTnC0bH_U3?!i9gO&Y&`)e3trqaQUEZoKuF{B;j~nIraAXL8LRg)VvDYg3t>Og zd+n2vPl$yccbn%)S0+;bGv3(qj>`&{`q*_Zv(g5|e<47=jZ-DlOoi?K*%6H4=yhs!U&|w2hFA#XmvG) z%;48xiVqbPORYqdT!5CetihNb8a1@&&#gL1%jm}->+anPU`r0 z?R>`hM7iDLwu{8UDz>ia>&_(yVF2p8u3suG*-0Hdz8|-b7J1S^-!$V$SxNZ#@#9xu zideus(@JK#y1JVc`yrcAQBiNE-^`R42}=UOMGb^YldcHt)Y%@!Tr8W@u(m5&AhGKu+1mCDbav+(AON$FJG=K1&iS_i!9eEN$4W(&gLR?sqGQ4x1uFbqK4))w6v8! zuGsm?Q7=y3ah8@vqP)IqH}6^g)Em;`)nz}#JmRm9~xbO zU!yDkP;|Nl@RW~x*Ob6oB5fD~Lm)r1KwQwsZeDZoD>P-WDUQKI5jano29dGDl~zw- z=VjcZt3%9xG0_0P-aGjk={RG@Cr>`B0UUOAg8)~K`0Q&%V4t)C0?mue%pj^jlv?vQ zDIksb3*7Wr1A6)Sn&`MVJxiS^(0*e(Ra@$Lvo>VV7B*iFoD8}LQl(b_7G+8vgfvp1 zm7N0sqx6@6XzvxkIpNkXiumXR^6;o`wqSV$1clsy)AHcVh|3%G-d}?aX99&Y)xnZS z0b`B;zh9*{#(ZRB&*c&z>c-5quOZGG1Hi}Z7>#y(uzpCa=@0=h` zP~(KXrx5bSMAhz?frSw@?%MxH+n2{f{jYCF(mGUsDeNT#3 zlw>!e>|1umRx109ee8Q?>|z+Z=brOC=l5Ms-}9XFJDvaLWjCMq`(Cd5x~@CpnO|f> zxZsugANczEH$XEcbbiec$IDrIY_3zj!_wEeimi-Vo+y`wH;`7VLdvOCLiehJINP1XqfsjN`pZ1$I*l5hL@gGrK#0{Cs zh6T@{gG^+iIb#&&${Wg+T~vRwQew+_vga7+wsxpcw&`5d)vEr`C_m+NdPZeiY51>b zyLYs5_++;xujD9NT-&m(IPWmYK9{lFBd^Csnkf5$<$825O=e<3f)1xAE|w=}KVlWA z>e&z5HPW>1KCTXTT}iuuj*LtdI-=s6lYyNUGiFK6FfbqJZ@AFUd-#G?F6~H(SP>Gn zWybHYmCf!?g6j^F={kAY?8uEoPRAH|Yx)b_@t+*QySGyo^&KJVt& zqIskjO$(wWOQe>G>{L``iZv{dTjrkbW7hK~JP>EG!vW%HvsYXC zB_{GC_m-4-uGW^g&QIFNl&Wrm<}R-LoxI!{NZQ*;OcL ziQCX|&Yw7+^fInn(st+)rV3p-E9NwLn(a0b>t{UOl~>nChp=rqcgbFox;c4nG6&x^ zuPBe#mkda-=r8L{5zC|zRK`TFrV$_Jgw4yWl9tUL9szm1BU&%h2+=_1Ew)C^B{P;T z>Ul1x^F+1eV3af|T}jhLNd$bfbDybYWad=UvRlB|M_nLl;u{qcGt0h_irAQ#hRqAl zEj2Y5456PFl!hblhAT4s784lg91xahstpJ16GZdpSJ=Kg_)H*!FG0T~Uq9 zcwp(wiguuDd5Qsv!=(|w>$DKlX)rNC=csBU|9_R%zmn#X*Z@!yb z==vj-NKPxe!0YZuZqoy-X-k4@y6RR6YN@W}!~6G_$b-CKpD$qE&dXEL*g37uA#4%G zHl26@JMnTl#=vpB^%`|uH$N9NkELa8mBPZ-)lc{mhLZPXn+vL}(|8S?4?Z?Tjy zJXJ3fmv`J|OJj+ch-*A0wjd1!<*0*qv?Y|F%uKVP7>xB4u%z3JqE@3`y?Uo8^_+^& zBs*7-&KC6C^FJAOk=)fhUu~N1;{buSU~FjdcCdMTF>wguF)(Z$+$Hr{$O~2=#e`&U zIb0szNH|0^kBhMvi)pDK*p+obcpo}Ao%lAUD$5ujBjB-QqyN0c@9$;M-!Mk$LqWgG-Ni$ar(CtKt%>1>YL80{=PrH=dz&+f9_Ws9>=K;dkXSos}#B+1@+Q4fd}o$NMXzD&t18Jebt`8 z!FuNBXWA5*&!g6!sn5T1?xNAPYu7Y_Vs<`jX-qS!d#ipw>C8gY;pS5cVFUT~urlEi z2U0lcq_D8Y{rWIY7hs_8OyByyT7ORwh&SwkLcj=#c~nnB}oACu;{Wm7pY#BWvfc}$&d zzQsq}MM+pHNPczR;9Cb8mDX&LDmI?D>m6H_L3!dGm}0QJ5HS7;YlsA3W+GN z`+mK%#5Jc>$+305ri7lfTn72%`b+s!f9M+r>~@k?)8RAAXtbGG%6icYr)K;%iGDew z`}eyHNUMW@3Tb;kknQiESVCr7J@bnrj*Ns|o6wf#2R@CBIgfQ@ZoHS&@Y?M!mUp>M zBwY(iSJ@CZz#je;7=}!&-i|jPoZ6l@+&xaq9kh31_1kFF+6$SCgv$n^a&xGp25{fm ziV?AuMUf`JzN5WTaI%h2%fhR56mY>@xYK2P@q?Pkvir~c)WIyMRY3>uc06AjAFA)g zP0ht}8M(fGeWe>K6N>_zoSaVQVtPrc%fQx8KgY{7otPukSjS3A^tq2bz(R_yLJWh8Z4&Om7qMwGY%L9=JEg*A(XjqNNb*jh6*nr4eBeeQVp{N+;ajr4-P?8^RJ zMQb-kMhZh{t80SE=_sP&DU~SXcF-uw;L|vFd00z%_7p*HT#SCkSd3eNHc3c`uwrQNP88GP{nKxUMgqR zWXFBj5;AF;PI7!d=&3_KB6QaiIF!`3GZnpAU|6%C8!|_txlYqZJ+Eb>&N5G|Cgg(j z31Pz6V5NWhe3J$2SXgh_dxdx&&>t)=`v!>2-LtN1tSnBMQ(C9m=5deUPek}P4%Fx7 zqOchDD%kzl*-~}}`7M#~-uT?(%rfS@v7(_pLTww!`$?IY1e1zwe?%*itZ7$RA8mZ1 zB~})_T+#a`iYK@qURM~0?tk&#O4Sx}sa=6pZ_np-)GU5}eh<2uF1~wf;TbN6zW$u$ zI+Bv-d^*w!N7FqS?8hzg@r%VK zt&wqxPXhxls23375m(RSrL85UR!GMSTw|EJ2&@s`qcR80mzS5F)Tl5{u?ARPvAIiP zyf=!vB?RAb+RDqz-@l2POe=}=L6<%AV-=&6!djWK;baWX!{Z^}(8BUO*+3bRIZ@jl3H4td}_2xOeW{X?4*VDQhA- z9W`tk8#Q0j965db*s&G@tsk8)eA*; z3|(@mPhP@y=uxh9f1eKYDCyt(+-E{w9==cuPC)B@3g|v3GZ8J<@1TacN81QX>T4&) zg_M2MQA-W1BE&RzJ{zcp@LUC^2$kKy7Vb(ZK5MmgIozbLq)74#1zVEsI)A^(-xx}* zm%Z;feUN^{Op~Q|QV~Mt_Z^#51ieo}^VZMHW7sIF)=;YF(GE>d0|?ZL%ViUO)XtJ{z_mzmb8p@`Ek!(OeG{YHy6qHfp~|C$Oo_s8lPWH zvurCBjv7|KMcG5UAki-oN|>nR9hQiRSx0FdQ#lF4p&1pV$GgF>(FLeXmB@L2s&HCa zXgmY=CsDY;hAl2IC}?jJ-kdD?p=^6QUczI2aEn1KW_Ox?d7r}EZF!%@SQS@`FT>3e zX+0YHA>f z+G>MuN!k_YZK$-s3s*u}b`X24ru6liDg>Ek3Av_f7_?BB(kjWxv@mLMoX3T$sT88eSC3_zGEf= zf4(l#Ddsth!M;1@jf!sFc<8&nDVRRE-{%Z7x*zwTTqZr(_IH=!Z@^kCru!CIFImdk zTdq6*Nzhf+&UcfHyThjNlA*`>z1JUxkNgr+kI7!zjbLBom(iS8-*=9T7+&sUBX{ml8Om_teFCM-251H z9n5?~dn(Azx6d4T|BQ{VN=W;wV%(n?5f#iQRP5eqEfOb#4va96)QqM6nI_Jv}$ z)cWos(n{bj=_F7ms8h`5rj((4y+W6ZN~6YCBRdWhoa`>?K>$9zJUiG2l?z7PvDb7u?84&HWj zXo2Mgazhh_$&%*!2;^i}UaBr;MdaOGe_S(YP(&fr<|N--fRP_oANrHY;_~YNCQ7Cj z7ItJ1%M$yC|{Bwc2Fg@X6QPQ%qaf*ucmrjCbi;`0Dp(IzD8<><_S zoPTLo)jTR?I&UzahFL)bFK^s|DgR2oje0yFdHmC#{ODv14vMHbTrQ(*9DnJ`(s|(z zmG%E_5>fb&NhKJ1L>)FPM`1FLQGv^xxsB~FH;Qj!Gkah4~>c8g9%GMZKZgo z4D(_ZqM`(ho)NO$yg)Of4+EhQp-etxR29fZ6~SvxH@=~8JSDXUtcf~c(bIR#=31gB zB7CvSYq~u>vh*38hFbBNlHvIX%y|R96Q@q;dNw#(9dtmdQ~p*;bh2hA-TlDKj8H~> z6%1<3{gb7@zcu^&r(e9F7HhiR!<&Cbg|<$(KJ?*yVyWN6n~p09d$5`hePv5VMGxy# z65#0n+EBB4%dE%5?re5i! zo2~6fX5?s;^?hOU_OzZqS(n;_ssKb#zw<7&!1jUS2|Jxi3>2Ss^Q;^g&?l%L{#{IXOc!SR^k1^lMCkC5Ue>$;)@PIBGYkTvpr9#H5&~ zgFk=%e7oq~gL>s&rEH|ccVWR?iUK)&b@qV!k=zuiVqLtAbo9&~`UQzAw6>OEmNruE z8CCW6G0&03$r<07iTUEbXXQ3P8+LBrlVSpWgomyUcy=WncwTky6ffJ4$UwZu!izkL>)*$=)i!0{0SryKJ z?Djc$xQ7eliK~XP6M%{v0c&gSd#HZbdMl)~uQ7a?aYSv!8xR(I{7#=fZ4)WXgd7=j za9T0P$lN}BAB{8iCJuqMRuAqg1cQzY-1oe`a&PZ~Efr|2ldDs5vxBVc!+u9~)1zX4 z#Z~{8p4wmYoT=uU&4p*$qLmP;cZT~yvMHp4n8=tz{i^rTo5z<2*_7+>_e)Qgml$VA zcy;R=EiQ4~*u=$~3mqE&f3|Uws1piuqY}^Q6JN3lezR(i&43|KXG;t-VjmThJ^=$T zOO5|$8E0jQi_M1a(>;c-8*J6xyKY?$IAZ$PI(%$pBaOx#_W%n%ajuU)hTka$PL{i~ zM#gPZf}nuF7uLA;JabLfb9Wv{_TNIC#<7y$VlevCwgPqPl+GeWHwNg{ToE6L&ji1y z%JnBGgbz6?RekxQ#p&!8K-B^5(yXhi%c)X}+{wh%(E{R}w`8(I)6r^xygH|lyGVPk zAh?IMMFn>4*!~Rt0Bo z7dEDtS7Tbd0eT$bDd86v@7B}cftuVYG6VN0CJ<-er8!^-=nTR9=}vCc#GWsCcfZ-` zym96OO-v*2z35D&$k?7Qt>MUOl1FKaXK$`)aOrLJGb>_?kS=Ng80QX@n0sP!==d*b zmVVM>ndu)bT-5x89QUoz<-xoji)VjrHATPD8+HHgD=%W(w>^k&VqR;7Cr+Husx+_e zsAQDpg;{tmZ4+w8S#IuYQG@mX>t))g9Xo#fyU%v^EZJ(5mSSZ?lmTfA&_-TGMICWZ ztFKq!$!egZc3`+&UCoQoM40dKw7M$4wOeX)&A#c5tXhIHh7ayb9F0e@G;Yg-d+^znd<-;H@hcUl}eU0ie2SkW3y}!+=QQl*p4y+B7oC_Xup-x z&5hOjZ=tgJzlJ{yN&nCA=cT2yojNKEr%e_i<&Qh1>6Lb!ebU&ODdxzgwsq10n@jo_ zE@b{TPs*{y{&ryad_<$Ac7auNsaP)t5ZUe)ppQB2=JuE=rKBBIoQfSbsmA1sK4)ii zL=Cz@5tH{&a3P`x>zrw#a>wzRUcrjayRS!-JsTP;R4lFA)3hH~(vNpFGOK^T-C7}O z&j-$mePS#NI=8$fx$ehw(nwx#C{IyCIjHH&<&i{f020v6bZ=vQZuEy<;1A9EPmaL9 z{>8C#w2D0aAu$N;0dkRq>vDX5%>>VeGA>G7{R5i&w8Yu3AHJ&VBxFZZ;fQTN!Z(m& z1VB^A0F8ou>rH1L!KlbH8(P(twuvIB4tHq^3LZOlEbU{|#rtB)a@#_AweJ;o;yJw6 zKI&#gTHU}pO{E9tL&4e%K6HG6I-Mn42mRROUg?||s_eyGAvP-CJZ$i=b;(`HNH4K+&`bXUB_GGxG7Hm+XEDaOY@0#Z?#op%Q1RI3t1BxjQ+BPl%-^g$ zCDd`YQQp&Orf*6(Ekil;ETYvxkBRE;h0Bw444dYw<@$vBO5J(VWdPbl& z^rupr!J>m0N6+Nuw+iFyYh=~lp*_iI(}#HfikJ7FW_ooNV4{xSN4PyrUzHA(E?*B@ zlXj=j7|XlPc&`UHSFWG5W8I2M;&xf2LgCks)yI-0kTJ*d}TIpd3%m+ z!Ly-8Jr#6UkxNFQxOxNppmi!c@`cvzN%0OSj^bTcm#?;_z0>eU2-C?%GoKE^R0E+a>ARp zE3SdMc#Kqw_i~-S#5aWqRL#!X79r9qPP2&;vD#N3C7Sc~9Kvr6d<8DOEKVUA`}N^V zN+d8d28hMgD(Q{EAFKmztuI zIvQa*_n4`ZN8{#@zzMEn7q6e$^*)RI=*=7A4Y~N4Eob!Y9n^JIRDui*4X?tUCzErL z^!M^K{218IKyM-}hjJJP+X7oZu=$QGqTRYx9`gfa#2BADIGT*>GBOXyQ{9@t{G(F3 z(!R2Z5s_W#DX=~kXhX+TRaI|lXmBC@Mj58f@Lx%i&7#0>k&i|#Da{0nXJtvwJG31_ z%PA7{%LF|zX9-fKM;o-afTfg&f4}cT~M~7|x9+{O(MMdT4jkmm_ zl^S2|et-D?)Bo+y4|>4jzz&JS{1N8AhSmS)AOG8*8=Jaq$I^tE>ZsgrANy~-65)a0 zBhF(j&hkqLR{wA&{~j)mHn!1zLQ8Va|B(##+f~4X%GlUsUAlZ(ERmmwCwOJW&A2?B z8k9w)&YZbU{xILx+IrQ<=)-{n2d+9g=Jj*KQ z4SnZ!?%6{Y?R7=P zm*9PS9p;zs6B1S=H4O~nTie^O!w}~H3(E~S4xNMnX-VPZ$K`;}hFI2xLcO)EZ8N^1rNcWeyn)Rpgv=X|_?Dk7+hRrOtk z13{&H?%%uj&INZ15FeaC?jfO3UoultVE4!M5wJ57>=nBL)x*xMWOlsNA6UYF4bA+| z<@)KDK(>bp-MwF0Bk*TmSfS0YqNQc>aQzGqkGRD?B=QW|ulq{fZvb1g(06luVgg3C$_(rhr;%qmn&Rvc;N`n>cdIBUQpCj&!@uY<`%r_- z0N2M$KYeU_MTBUlACxaGxqxksiESK+q?pzc*WqM^j*pKYH0VLVR)e>oj@!9o$2nce zK0f4hfjNOMIW;vWvg6oK&+^X>@IU()`6!IN+!`B3ZvH&1#v0Im`qZ%bw3UGZ)|juL z3uro51_%Jm+|LJ_9U6f7i(<9DxpC8vY1gTb>gwv*22~7A%iRA-BKhrmCDme=^)nai zCx%mg{^xC>!O;5n_?+#cc89Qoh^q%bt#IwyE5M8*dr2e{rX|grH}5$YbO@tRVZ&Q# zX(d)ZS5{Kzkz7YrDmPC5_N)GrSCYzbJ7b)ci;n&LF`M{5p#M>H1A;Md@Z2A*nr^~| zvlBu>>Zn-d8vsk^9-J+>TS+gdvxN;LKmVr#=C@TL}d5?aa)~*U;$boSBS~@83nS(1F>FTdJFxnJLJ`(yw$9 zckS7O^6|E0y8(s#UtPX`;}bFza74&l?G@Dcql5PU{AlzE6q1)U2)LeYY|m5gFJM7#QgM3!@y3wu_(+Gaxz0;bS7#Kkk}Qsh4GW{44NAo?>t;@ zZf=hH0k`<3ips#G`AHP&7L^vG2gx_?oe!Lt(GsAvgJzruw9xETR0)FthVADe?B6W} z|NdYs_2loUWErB}LiU6UT%o1i>KTAP;`r)TXlV5c%O;;_H(~jR-0`12Jmc3gum}kt z&t>#$zlEab^kmmi7=tt&ErSlCg_(ur)XE$maw#-AdWza15a*>5tG1X^-T#No+4_b% ze#w#FOY(xI-Lc%geUP~-kum5z!9)ArO@S^6VP1jDTsheirZW2t)B48FN~1V zHZWX!xyec6b9PhJ?)j$-zZb8VPOc6YykF|z)Z|g8!|n0WwJMS)bJUx6!cOHht&cn*XRU{fBq+pOreleKGk6 zwdlc>TG+zgjeP>+wc=t&rU@M?{HYkXFq`s&aj2-Lv@3z5ShbxDqXq@yz5MOZ{`iw^ zoOV(Bs=Idwuc1r)mdBp|5)RT)__0B#Hs6`mCv};jvm_CWrk0+KY=G7Jt!MTOS6viJ zPAnci=IQrx-_9LDj{F~Qjw?$&63$@QgX8B7;NVG{5~T? z3F4Nr8^dY^5T>sg8RcMmy^0IQQzuL;EF{L%QlGQ;v+AynKt;EI|Ndi;;hkEzd&lkf z-Fd7XlQAFN{CwGBF2hC17p!bfpH8|`6vg0<`z0shx3lrvs}8vMo%HY>fmy|CTd|k)%dU@SHSNbp$(W^{F~o1TUP3k}=R^d<787>qf;}_m>HPfo@9-2E&h+q(o7@6o3jxO^}a5OpT$YpiW;w z%5e&m@@D4)u@|@EK!b1+G#2|1pIc@{&ms*qZ{Ow>cbW_WR&Eia?YLTk0<}^MTc@(K zQ`A!pSIA>=6E9xAbObWwcNll_@o1#k1W1N3FMvU63VEi#pKh#^cvIhz+BL#2ud-S! zYTHr@VU-u}^wQ9Y8@!x-?z3Y9)BtcYYFn{c%c< zePAgM*fU$(rYjlqFncP2yyi~K18bD?(Qi+I6BZ-{GNQQztpJ<=Hc;WD{ zle{Hb&3CKN9wpyy1}Kfs2bRKKf(t!1zVKE=?iHozpi~rzQ-n;+&SO0gZau?t+H9mJ zB#qkR2W^Q__5oCbYPz8!Vspg>M1IQ;WJaQavU-!yZTG1>uG`9)pU@Wi=y*TY>HhNm z-lD z4t$827O;KUJ{?pJyauKbq9?*FEx(f=!Rp{{wh9z4leC3C?2NCcROyUa77P%HT8N?+ zchi1lgh{I-cx-pp3F$`5VOXPe@gD|XB2OgWb#-g#8kI_SfG)iup-0QjC|LMRl zDT$!2CY8wCAtv7O6I47ZCaNg=`M3`64LLl6P;s-(;dCq1@C_r>9@v;QL|HmL)VJ09$8^1|IG%iB!z$VJVy4 z#-u@bs>7e=Ip~f0EG!a-< zeaG%7Wma{Mf(|+q7<>gH@qS-TA4H2kQQi(wI6QQ93!(@MDm2B8XlyT53bg1=P0>&ihAQC%$p~&2@|DUSad<3kI$mSMn1A6kzly}T*okZJuYC{Mh-#3 zf{aq9$6NC9*24?yM80CB=t{QnJN;@iAE$?Z4aWA<8;#mYx3y`W?sMEdPrX}4sxhqu z;qCSEUrt_IaUE{xs2JFr!)7!173z3C*H!1R^$ml>aLap}_VvQ3V>d73H{+67z8?wl z#PD8N2wpds?D&X#hdi@5sMrh^Mfdbm_du_-~06`-l2!Dr1cCeK1teYOce{4&sl8&tJ6~^J@SZ=^?au~|Nz|Cnefsn{MdaEA zFtRvxTR=kMHt^)eZU-|&piEy6C$1u2EJ5h1fl%u}cmwHAe1^4j6TDjlXOyv+vp;Q2 zetJ-Ts~i5MS28zzMq4x90;@{RC#%{7!^7WT$$)F2QN5NdFf=#Oz;pUU>k&bRE{PnB z#O&>-*A+rGGzKtbaltJL-ZmzME$!~rt_kUa-i3eD0D=&CespxSmRd7_d-SL}8r?fO zrspJz3HL-cF3i4L)^x5{oOPa(%%10X}bu zbb$kgcfFk`eup14t}xAaNa9B7QEGWIMFzdPlJ5RZr)pvojfSrDlJ9q5!oMbhLh$2w z9%y%n=fqtaO-XmYgTmh-pi!j~_(Y=cZSM%1t!m2G)YU@-mE>r89xjqd|y+L2tp;N4is~fDfp?{ z5FSrpYQ0(Jv8T82fze7VjW5b8i5MPns}!IAsGV}YNJoOOa@}!e*1QrDVJ#5$lYPv&nQU*f#w8-7wKTyujXkrHN@6R0YS-g z@jZ>~iQNP}_l8GS;}Xab5`()#;Gfg+{}fsO(*62lyY{E=Z9Fj$zT|g3aBtEXo;g>x zeYV%wr#=*2F?Fw(1iV5E2&Spw%@EcgQx$EPyB1&}30kvs22qcttSI;CqWcQqtdnX`Dh>#= z!fd3t4Gv9V*VogV?j8A=OyM*+3^B-Z=cqQ;_X^AKF>U2U~PO8Jg7*9+QxjzYZ zxbph6P#xYHZGY_H36Zta||(sgBO>NA{VzRRtOW?2_YjYuo7QSB|87 zazN51O*GqxvJtJ*@H?fb}KDn2-t|($fbBEK&`oqvAB) zX2i@W5!=uDglpTxS0d`!Y?3H5WvkQkLiNVF78VxIok}slzJATEmf%AE4ohCT^2{Z> zl-dH=Vv^;07)Cvc2_c%1eKUlPj{cf@^32`>zZEyrq}066H0HWTy2JedHl!|#F#=DT{j98G z=R@efP^Vuds3#T>6S9Gk7kGX;y0};j=m8EF@{&OA?ve|dxoa>#Hr>5rM-WeD$<398 zd53wC*sbE0=^wVLIl7qGWD#|-=>u}!r@)fcwipCDQJ`O<+Il4xLA^g?3N879 zlzGx56jZC&ap%L#%-_jv?M{}5-V54_^Gv&^`h($WZrkzUp`lA#cjZyND~KIXrRBQ_ z^OvvLxsE3%dIZdjUoOo=UQd=MxC_W*?qVId=$c}D|BL4`2Vlg8gOVvuccxZfJJ!(d z+{5srFe7MoN4OW>H+yBw|Kw%`UtrlqCga*CofoQ4J@?|TaJ5yjj$oVtWK>etgg^}#* zqe`)W>oV0V=#)xeIdsURJ&{0FnKNXnR}M_>70I(qEky9}@N^@+uCLbB)nhjn1Ftr{THk*J$z?mX^~5p0nir+B zEAB?$``KT|#jolfaW6&!xTYA?557=_KzXOa0`_Kz6D>BS5fMnt4OS7GJE=6@)cuCG z)Y+LQ3_+DjA$e0biomD_#(U!j!K!m~ZqANMV5pmENeo;S&}kLowF1Q_40Mh{P7B_; zogwTzDE+xms?L)|I!D&Dec4l`oN7Q5lA7p{N?cHf&c+a&X%cv-^v%wu2PMI0!R{(J zC@7&q!PAL>L&~Dwp$uYZHK=vIu*EoM6HTW?gz|jXK|rqXAf8@yGKcaXkKAH2AG(cwp@#)8CN0Nar(UU4ArA zomq-s-nSHh|MxSbn%BZ>vZs2Kw{Q3NtNWr`Zj^U&MIt{H33koj;SdXDf~Z1d(6n#f zx~H%yzJ~1>vFYxVLfE;BsHJ*MQ26wZ1)loz>`pNH>bG|j%oJaqQ^o&sw8^j z)&v--h^$Uuhk}b2U^g!CAz14n6nd?@87KLTG{i`DcTzIyG1C2XI8fZsJBwWh3NOBe zw1BOg$tan-jv3BX#UukYU)8F3jBEZTzcZ_V;S*}DVyaW@kX!;H-kX}5#$7<{{hpGV zVFyhoGQc<#cm~v911@y33nkkN6&Ipb%6@3(;>!}%5{0+J<_H*FlgB(;j4L#ojPC-# zI9k+Lv{qW+!FJ>Df2&Wj5#9y6k3i0CbnTsm%b4vx%|b1A{tFUfO3ipoW8dH@Az%>e zKu1xZ3aBcVA&M6{$`GzH)cSLO`CI-`7J<=~(Rj2#5*M->7GL62y=SYX{h z-3tEZR5Adr3>_}vn*9PPRNE&xT!5q}G89IF!ZRrc+wsW(jFpw4FgVsCMhZ zLHZ)F-Wvhp``hRIWgYS27cOW5k{q26cv}%E?s=3aHg19hx3!d~k24(lZQB(GNy2UW zm(b;4lS2D6u`s`Pz3tzN`|ps@sT1Q^?FzxB;V7*FuAU#jOqsy?&$RR!NFaJ~4-CItgMXkI}F zr6>}C%lu>pR17cqo> zR&TlNa!IgrUHnLpqqECT5Bbix8EWV~m)}Zg%Xd>hS;bJ}?!8gN%}B{%0ld%p3H^^w zc{w6PjN_14=XV@!*#Mxv783W=yR-Rud4MQ4OoI>UIs2lmw0R(3()V6>bPvm+nrult zY;`ybuE1PZaSW6?7#|{V6MR%{XtwR}<-qS|HoCI1vd?X#5fUEYF)8tFJizZr8Q6WX z3nNL1_M|#MM(*0V1)@&R-g>K^sv*khwde|Yrrr%Tg5yKpUjob`TtyDs!0@RKC|LXc zwzXFqY`7#_=_beKO;`}!EyQ{>$_CFs*IEQ42{Y${WDYThBzY1>DikS|O!L&~Bk?1} z(^9BM#dmkF!2&xVX^}-e6gff)<(AxPkNiwai?Z}t$hgz@nHZAh3oF;j5-`9B1p=r0 z3#0A-gl_S(KIvcoSnLNGn>sEXw>TMj)ffwp?;P2#W5=FeA3uJcdu)I7>-%kLA2N!s zpLxD}WNBLQri;jGu3j1aC&?93JoR3&!vAHV$bv|TeDFP>`sRmUu#PbiiN%^!cS7#Iw6%}wx|v9=f0LbahZxWk z^%9oRnuN4Li{MkrR{Km6tH!~*tj|(*ZLJ{>P=2NtE;T1Z!z$$ThryWt-ot_7V?D~H zQ?XK|)_osRQflc4V?wZbQ@j=Dp5`YYwb)@W$~w_sUXK3=6URAlGlSDsR7X_@p%F5z z#ueB%p`ldinjwH*2|Qd}m#OA&hlMR>53PXrVlAMcI_MdwHcp;8RYj*Z{s}2UVwlT0 z)w=rOqIamCTk_&|n$f>|0f0eqX9G^7fn2N)(3-t>G=rvm<}#qUSX)+wf>Hq&@m_(Th z8223xe8EX1AGRGGFK!_s$>0DRsVE*+{zwoT%bLhI2X!D_K?q*wb*-gjG+8E?wCAMp24!a z{bZox6im=5}>roh(D^YfkJq+IS*pKgY@8905+L9qCKl6&dVr)X;v|A=H zP`dLDu%+I8WV!81zInFNo)jvHg@vq1mdYz2ty357y5><1&Df5|U3|F`_viE0*t-p- zB`wgr>)vXbNuk#juk$|igA+fHUP=7X%3JqBE7q{-WTkwx+|$ZEb^ej|MJuPKO+?0~ zdsMS0UD;YSM+5)0M&`}QXGPI^E;sM{-KGR{M7o-#>udd}+otL4rZlsYKH+3_$2-=( zhWq7Nxw1~|wZWA|^6fb!`yDTh!z;+DTThB+aFg>SLpN4ViN8rcYlVV&YsW`92a_oiJ%I*Pe*Q zktmAB8Ksg{<9IFoNEeJCc?_{hTqoNKu_5vlZ2S#sZM`)wn7Ywx;^dTHvO0~;hE2#$Xj$MdQGFd? zho8cH-Fvbzdi{eb6s)fb`rK}iS>CBiarmtGiMihEHJEGLsUJE!pqD*ca(JX>LD@s< zxoxzg#mZy$L9gw*D0QR5k?)hTRfI=#XNv3BcHYt zFp)y*E8!yixpk6p-bY=>1Fi&Mg=zb+!(j?MG(*7q-3jeS{{u!<^)vi;8V7=VvCaj^ zo*B<$h(+kb=d^-1vT4`1ZF!TUdGu)PeECTHSxH2Au{rLsB_cQv8&EB$%oi$GG_`sX zX{qFLkfCs}S=H{7@!ea-`U~&! zh9XNH--M@qiyXetKT2pJT<-o2JHuy1eVWcC$K=&Fy!X96EH7Wh;0yP}^oZoG7uH-|NS2OjWas8(m*tse%=&XXGXSuhl|C^r@9T z?zA-z@4JK|?#k%r1etP<@&!+0%>S|zmifP!P3zvJo^8lkS54&|u{fKiCmVCC?!-Lv$ymJXSeH?I|ti8LThNz79_3hr&+yqOF5O6l=s{FFC z`ZZ$-dp+=Jr>LpV$~QMx)9!mbBQs8dRV8W5b9l$VXtD>|_D=cI1`fr+zEqK{_P^ZR zID5ckb2GG@XgkUIpn`j^%hI5~@~1R~r@!G1e}6?*psrVf4dE_{{7OVy|J61Eq3+f3 zD^#m+AYPvU3MZ&(PYUH3d^(Rr9%5tb9a}j6iO8QdHuW8PturAfKVUZRDc#$a=eRI8 zJCv~HEp@APwgSiks38+$&=KE z5%g=?g*NZ%qs0pv>Pn%oj5=>*WEAIpr3m)LHw8(r7cEf@3ZV)$-V=gXzOx)t5cQy3 zv~skzyj_|T@e+aQekkkvIm(_zlUda9f4kHx1_Gk1TNa^#4kFtLa4JdD+5EBdXUO2d z8s)Zsa83L3T8xTLHC=+R@!t zfRX1TfByop7@VN)KuG`kM!nvh!>K&!X|Ig?Iy>&QqV2!c^v-{aT#T)dDViC7KC(TK z&-{FVUkv~3-1cq>K7nk_B&JzS9aT%(ItltL-z~J42j*;vPv{fPAoc}4X5@PvwYEPe z)BA{+s-d2BS|4|~M&WqLQ*EXG&RgNqYi2~d{*HwRHS6@blM~{#d{@r4q~k z=MdpsaoZ?W6d1gXNPqbe>qd40&nDc$SpUn74N8M_JPDr$K0N~b#zC0tZf^DiBTUK? zoYd_DmtkFl=5+a{mocW6$fKgAeH1(ARNeUg?tb>38(ie*6CCVX3(I`tIXML3)|h=0 zclP~blKJ~p`G@TD+b1f*Ps>#Fhr4KMsbROlAi}Wb^~ouAyv$E3D4&>9zlpm%Y^gi6 zI5=jG6nL&W1=>g_4(D74)rNC0ejOAgH)5H?5{$rk<8_Fm6aC847h9prr?{@$Tzz87 zowuQ@AI+TAq4V^{)LEML%{D^YwWkYp(rY2rg(9pTpR{U@NcGga-f6jCqgSq%!gFSg zZK#ReFrAx}Q^6I;V4j$eU5l-m@yc58K(I+G(Fd>|XV%#Aebl)xq{nyrdVq8#4&WF@U&n-ng86g zIz`W`Zm$(Yy&o_~anIE(`erxmGBYzV>33HMWQ}@z;`nyTt1=Cf_KZr`Y+Jml=o{Uh zQ6bV6Nh$7pQ$=L0x=J(I;>0D2fcZEk;;6b%UN*&~EUlwZ*=%Aw+ST!e_#KqQ`{hiX z*Y}QpEz^K;N8J2`s}9fkSA%cOIYg~xQXHqn>K2kLI-M2F%p&nqGfTMJf#ss&%^8Gr znxut=g`0ZnJZe`Mg3`*k=RUn%&$goMYYN1Xo}4Q(Bp+q6%XcE|v&WatI6qoY7_@Z}3(Aak>}LMfr%)HvYw3=5tMy+m4petah-6NubBgYQMp;k*o!Ft(^Zu+k1vJ z8Exy@c0{CzB1%;h5D`%6H7Fv|5u}5t^xium(iNmPrG+BBDZK|odI=C9^bVmVp@$m2 z>E74+e(b$HXPvdq@t0l~i6QU%&N=27&vQT95k|~h8xj+Sr$#A)#=>uBVft>z-O+*9n= zNm3Z{A>AIKy^GmhF!97~&5?D#bY||?z?Iy5+sANLQ~^QN;(3`nb7AR};NfUrN)$MZ zU?>%0`8ao!AkjP3BSz4-_zDS5XWVe`iTCi6YH3A;9w*DA-~P*?3`r*9x(Df&=6HG)rQ_SqvaEC17Q7Jd(%0t6>XjRLpIA!PU9pu|$`tI#WCi4y07 z$h)G`EFtQ{x+kRUea*=2zSWM?JXq@j(1VZ^lO=WC#H9bVmx zjEwAc1z}S~W*g~oPYk&uK+E(EIJba(q-Sf&vr9L*ZSsKFK*KhpJf5`!cWDJCP4ugO zF|@Stk3TKhy`uDQ?3kqfb9B8wL96O|lzj=ABB+Wfh7S1bGD<-R$V;Gc?&kY5Q;8;J zT3@HD>DsJ3In<V;@Ono@^p3$wl z9-R`y?|;u6RW$LOt*bW4e+CQj-kHDI=6`*x67Yjo^; zz*JAmRi}~H*|~TSt``{ zb|Ei%USZ&KCnx138yzu=I24y17;9c_ymV{S`GKbQA#!mGi8sKEObJ*Pkp8T}xP~a2 zML}0j>umD6OL4_<*>ScJTAWqZz5efADoZDmpbEHy$q=Q+WR!jIL)U3X_@k;rk?_&e zLrl=(inOv@S$TzH?+?etNCXjO*dEtIzpzH|>dz=FPY%M>>9K{Hc~BAockT|}wlhxV zbepbi99j^#FljFCI+e+b9KXMIa*7~yKT*SVaYV3BX>mfTp@EJDSVtP&CYbB-R<*|Y znH}rBlSJ;wgXo~~Aa^VNtN1R2_WA{152qTJCB@Dt{M6&gGPB2HXl8G1A`xqOKi^=R zP%Ew{g|hKjzI|N>rgenWP2LK<;rldbpk3~c@WSvEyI+W}Y2z-J zD8?e2J{ufGA7dfKao03Hes^_0@U!0PL&SO31=Y7L6H|ZRrM^LBR3n!!|NXZ|dG-kW zo`?p5pj6!hQodr__ozl-KhDW$)vwl+HaSSNvQs?{}AF}$I)Ms06+}P z!fP32l56gs)u37cp%-jqv{MgeHFENbx03P4k^s(mZ~ADeQpd@%Y8pY@O)@Vo^-YBl zw@DU)Ajh9CkO-a@Jn`Jq>u)$cfCnuAZk)}NAb|-dR3V_NddY5GF>T^A(1`DP*I_=wknYr~nmu!A3Lf=k%?b>X2{(CPM5WDps`Igo) zavx*0_<$nc@f8$W4-zG-?ghb}4F&5C;v9SYc+9Rmx2LOn7+tKpTy|q=q3rTXml#2> z8V^@413q_(l7}a~5aovIW!cY43QmHq?kBBq@e!5@q=c;7o9||)-&B455>68&r2@QY z$UAlRAg+hx1e9T`v2o{sf%ogE`E)PE*)nspL4>zmy-XE+^7f5eX1|(?5Jul82R|Im zFvfQ%7euf!uH~DV%@`n@%Sq$5hw#PNJdS%tvpd_#Dx3r%@*?^tsg=WSV6@f3>#_ENmjJ>r$;o7aIWSusB3&0%??iLwtcJs5t z%=p1zSy`eO@#vrhJHVbMoYZGXjqW{#Za;+2dW$S{hV;f3_rMqEu(hic_r|?HB;ub* z=vZ2;B@bI>CF2K`D+a#d;Zwt|<1yPL```lbuN)gBLS8df!+fd`y3oSP_+9OTV&kmi+Eu~r#FR*3R`J7HH4&!s^+f9inT!Kh1s{&4p4BS zMZgTS-?j?Qlm#(0H4zA)_E6@1|9rbNhnrGt!x5Cso^^ZB(<4aamoEyn9flwrqOyz* zm+j|CP>P)Q3T#CNMiP zpi}B#)J3Ic+Q?D#+y98tU!o=3#N&Uc;s5s|lvG{P3$FP?C0c)Zbt>5(1XA*7US3{7 zW7rfR**(I|K*(1C=`tGhl7j=URA@Zq@HOzhtUEk21J05#+`aqeq!)T`j#}@{ zy?wm)f03o9`D+8*bo=dij{=ZWm7NbAoLSl^m`E?VnN5E6Y6N6T(17Jv;uI&{x&56j z@-1Q(R8@2O&UGY~)1Yqd`E{!sh5?1*P8fxQE!&%wU)v_BEG|Y54G(p}4Gy%1@e(Yc zk*W9~D$v)w`gDw=WT6=g%Jg{&1*byLmsu)fSC6Z9NWaeDhWC{% z*~!4Fs_3kIA!zph_=%qqnslO#*X)p68v~u$*xz3---ZuWN^6b4PO#3OSBH*AH-|Xc zwci{4T-uMWLS^(hQYv!Qwgs#bp#F$LeIYpKkl6 zWx?D|ryRPB4Hw|HMUJgU`A$0?$32cESZ1qH9%MtUYy)(XuT2^=RwXFoy*udX&_+Ys zZfqFzb!GQZ!+OegbqZ$oBmE}y<<0u~XAcW7v%#dzMxgbFN@1YoFsQ_B1A)8c9E?V)?A-wEFg4q5DV|H$!*VqbPWcRdV( zaE$9dorUO5B-COQH{1j?Y$5lN#Uu9@WBG>}po_!WhTY{W43v}Z)q0!tZ93hv`Oliq zV4bm`AQ%#*=t#TXvZO~F&UBxn=!`0~c+GQE->KfkZCUyBpyG`VUe>jPC)W<2P~)wk zXQvdHyXJ`x2O@V$vCWDF8bOlNa-p2iOGl$Ha6T{bnq=B`w>w%VyPt2XmKuM_P>HTz zSz^MW5w9>RL$=VP?An2A9!B!82j6cx6ibwFNPSed@8uYJc#w5A)EfHMvOUTBEu_XN z)M^x_aHs>(`G?&DPv`SO7J3a3@8DyjtH|^}zPSm9F0L%=lHF2i z4UM=z;c2%~DV=|Ytso=v207i(OdU|Ts^GvDyvH!MXo#ztmw)QCEZkcMx-XF}AqEiu z94hDK_{A~-vJba4V)5V|!10=M^6-*fopdMaoXL$i}@+?ey4+VZ0CP0W&r;Y92Z4`OaA*1U4U=$EY+-O0KhF}7Gp z+&Ca$D~M-`W4B!K?(163;z&Q>daSdZzpx!c6JC7~Sw^9Uh5 zKnddzE_uhxKjYp<^xiKD4ue@@Z4NdKZ4+jm*RCn^K#hDat`!0TmRDU5Z=-D*jh!*c zvGu5HcR@4L_}E@rt%>lYhq&PJ4hLvy)-JnCOuD~lfT3ElR`R#mJLh6`zjt4GW|{A_ z;4zkvpK$_#Z82WA+3S&sYu~1vSZ65mF+W^C#`AK5)@Olt4_?V{j@k(rv4R6r$$sm;^L3}TTvq4ks6}*C0 z{icWO(Im`mljP4FLinUod)BqGo59d`S7O3LMZ;!_{g81m(gCbO7fTFM8|7i3G*zKY$i|aK~U_|%Yl`?Bgw|PTKro2Jq z^a&2#TTRI@!b2}m5S^XkG2nlu1`!SfN5&g7Su^hxHfGox@0|=1z;>4JzN@W`siEZGC7zJzKzP0P zo_#0>tf>xt*GV>EVMVx~ZGE`{U*ksN^l{kj;@MzX*$$1bZZ;v+b@ajc!O0&HBO6)o z-s7KSd%$o%cwU*QBCLSt=iDOZfb)XHB z0m{Ef027y!l~tpPcy4wp74et~%M8r9HVPfRy%qUZ<5c@QLz>Cg&c6(ETE%sK&o6dy z3CH%ti4>nnA)3nagO+X_eS^nCYFk zy~!t@1>!IG__`T!rmkjH{o6%$jThBqM)V~rnXScVz$HI_r7-n}>FFPAFthYG;@M+a ze7)dh|C>4wR5SfP-r!()kp3|{+bvEM4_h7Wb#Qg57e$tS$oTX?Yx%OO`sI2ye=5~i z`1+tzF}w)Aci2Bd@-l)Tk?4*A2V8edZE4HmUZv>HS-;XRzdDZVCvxP!!pHP4xT&Lu zJDiIaXyQ?w)-p!pih|3`(Ix%QSu1mrQVz{ZN2!W3KHp}k>i$*KW3lwEcA4VPu9npn zW=Vz1rZ_C5UXG6{B>P=bTAq0g>h%8Ws*8LVCsblpOz7$tJPEg#eolZ?`JiQx)NBu*vhF4)P>{|YC!Zq&Ebw`D&5p&WRW>o{|e zB#R5;~cG}M1NC}V$UVL7k!ar^foPp!x#CE$es|k={swo>Mv$;URS|ukTnK# zIU{mklgIF?amN$86YLObcu0l+zI$ImWc^AgtC~4pRQ~t2?Te4`6(KDmL2ee!Csp?- zi_2FTR^@#paBPNN6$hza1>daR&vFsC{nAQ^anDvNkURcd?w7wr1%<9lb5fJaBq)nWNI&)tPg2cI_w0wPzL-6a+e64tLKr z#p-0KEa3&D-YlWm3)O(B$E0|gHJyW=$*-B7YYFLTKrcdv><1gTs&}>qAOb>XkgBq; zgrq=58-J~^B&m%CS&-G~iZV<^bJ3wEVWZk zLIfyxUCIRY(_`$z`u#b_rxVJPKg>~=${)sMW-5B>#XJE1nN63?*ZGAt3^yeF*_^(; z+CJ>frnU9><}JAF?OtarBau;ashRM>;od{4k7q92Idk^1#feJ8yroRK(D0k>$LMs93Ulb0BT~5hnrhOc6Ro&4QAWR6clWxrl$SuqN0fa z?I+C$qoWl{zc4j<97NJF+#9yez>qT@(G>FoGW@PB40_bQJA!YBcP^i!Nu_)sQZCP2 zmu`bGmeOa;OcqgG)gsOw-jT3IbmfwO{M$_+4A1k94cWZxUwtjk6>H9FV>}GojHaP-0h~4Xq7Pr&zCsMT!&1gOtOr1GIy1- zKIRUjfq8W;bZm|1Ay)1|Z1j7#*cxUYltVB__78>e`>SFmR$g?IBciGWu0t0f2~IX? zfrW{JD(>HA^<3~1-m)3syY1gX#?!4wM^Ksm@aEt=V5Qlaf42Qhvvt0#b+`4d(V90u zh26ev9UlzPj+@tC6m({00?$I9l(&SM)U?pf z;Dq6eN%ULyh=4;+)gVdRYD(LA3`6<8TUDNVsXT=OpXR`}+yeCWD#pAh#LBS(T@RTH z%&U?2g#AtnL_A3Q0ZZWZWr^8-%xz_VRCQ}^ru}GIN1imnPIkVbZYl}Q>^NT~BCJyN z6#lpc-SLc8tK($fzKH;t7HS_5YE)(nIkF!~w>LMddVn)j*3{qE`-+Hv_HIenww`s` zHjV=+3#^x^M|kwbqTLl#kO?wH(Gp!0+q`uI4lyTh3P7r-FB9z8esvlFnRFSqE};y6 zV%&LSYjgAUTUYC4V7Sf%UVSxd>%#TsHZWny*TO&#M!2+BV+jg-do=`l@GgQLJN+aa z?CiB2K^vQ!>U(IC)*`JBUtR3g*5$3kUMZ5$n$a&3%EHgcf*-ANd)tux)$>WZ4&Y> z0*97KZIf|TvEE{}-{u^95SPjZe?Fo3m!I}CK9>5xScEUd6HV?$@Wx-#n9^0K3y2>>zbQHX`>!5%>y4} z3n6OP%POs}oAU=hirQe_@yZ7@7Z0ikGEv{4k2f)I*D%NL>3(IV#O3%) z)w`U=urbQi!pj+pb`EkJb9t|9&Hs2vv6atnQLL82c~Hj~d*+cmEAKR)kSw-q7G^Pf zrgWHl)1LjaZM>RXaESSe4E}8|)up4>?4?@;y1M;u1-YE-?S*nOH=be*C)y@k-dS8b zd)SDGNn-J{9*h0n?Nyz3X{_TC8IAYxw&U2)gWOT+og+bX@SXb4f=(INpe)iOaJs=( z$GN^r1Xq$|wps}XNAvOa9Rlibvj#LF;=6uGP~eUNRLc^jp<6S!oxXzE8w-Xf)n7$x zg|ttz=iZPJUO&qvx_|XsFNobraM-f%zbINGEFi%?|5KbM8e62y6$XgMw{l`H2+vUAl zC-gg^3+P(Y1^NY8Ke+)bWSNw^?QXve^XHEc*G2Imd7kiVTbqI9&YcL2qT`qDkmQ&2f<+lzx&p85e=cIKOv%#MwD~|G#~aDFy7rabs&FSF zm5va{S?~E)#Z=(ReFlJ|v`nprW@z`RR%vlco9XIp_W7O<(7x2WCG}eF)@By=t^+~I zaT>bbp;oJIJy<~j3$a*q%xj1DTdYAY0)($4l>g_O=s$MP#_|WLUWHdK{`DOicR5nY zAI;8OcYMbDC^|l#-A7OFYICrNEAG*GNg)+!(X0tln*4K!B5lsfAi|fplnEiDrK{Ck z*g=lyGcTviFsYPd9PRB9C!w4za#|TWdi6RIH@YEWdW~Ytmv> zG7|0F%$#nIkDBi4g=6Yqk{KY^afz3Pg62`xue5i`F*8j|Hz-)F3-m&_Ut@mH29K#0 zUpW5!fzP&FdmLSrl7Hcw_QNsD2P2xyZbrE#5hGY6n`77aE0@WBiiTOB5wr3hlW z`ql^bJfeab0NjFnUEY7hMlnC1S`RQ1{TMh*_VsIhuCNKj>6vOS31ZpS+y0I6SCcv9 z)0{klUZDU6nK_h?$j(kVq(3+!;X53ec>)4%(7wzK!_jh(Z*CWJgk`4To;dYteH0cAUlBp>)h=|vOz9R*oV$@}I(mo-V(`t@s$k9P%2 zY;r&F7reS&fr?4xlW+SmIHh7>YaacqHnecDkJ&Gbs|>X6B{8K}ew)=D9~eEocvyw1 zx?K0pue@PR1fp(M%4x4}Gd^4Hb2PtINJ3%@) zD1i0mt+aIjDBAp|FN73IGD#@`w6@# z{)w^(UF#V;L5+CrjF%I>H^f?2v?8Nl-i-{bceV@-fF+D)myZj5ifksPR9lMmRQ=2r z(u-GVCXlu|{wVk`g4*A;>ELS4ab<_5>VEK$C_G%r**Z3OB`jx_N>_D&%izsXdo@3s z9VlZ-)bS3GxIc<6Ukvkna5vcmLbwP$4G*|+sB5J(5OkY~J1FInsniSk#6=!h8etk{P-i>$xB>K7 zUz6r}27`LQ=ufS%I$l|uXO5k&TGTP&A~JPwTs<8`iiS}z59*q_u8=H>D&GZ7w4oR{aR2n zA<+i$N=m&u9qe5(^Q+USwpLt*eyuk(eh5h4W2rWD9NtW2gAhxFu%EWm$dX=~lK^c%J4Ud^!gUekbu}4f^#Tt@HwMHm*a9!6+Wk`<|`BZX4Nfc zx3+5wxMd|{{z6CnvcAD5SO1M_E1#`TWcqQHMYiAhzm{86W;JJm)^h{St3IN!zLjL3 z8s@@mYis+o!TkK0YM!9)cFYFTab(r~y|X%na8ajMO3=O?^K>Rh)P<50u8%)8NZ%=l zc)i%`*AQY*;c7@Y!%(iM??G}gPd)DuN9=A~-a=+(M;e2^p3!9096j}i38xmc@cPPP ztmuNhVfyo&Vh2>5KUuZIP)mo;Q!=?kC(B3v+vg41+dxEA=t)$JXeta04x*nPB8`Gr54MsfeLg(rm-Feu{`ib=i73Z~h=vtZ zHVPn_jDS(jms*mR4NXS2Tbyq(4`OU(EIu(KrlBXh=+Ax^hX^GgRNDf5(;zNB9yM-@ zP%1T1y!IZphK4EgClFi(1S)p=q+ooW6RCGjj^YOgZgUe;8L3&Vduvx}*jKo+K{R2bi&iP##FEV`Z(P{1-}7qZ+`r#(h34c~z4&{f@=vV) z{vU~n4rhG+`jd9aq;ELV>@DnFTr~38R;7+<&AJ>7{c7)7QUau%9}TVts{uN*j(mOthhT@fkpC-Kl0TT{9# z;h^jB_Gf`^-kYK2X1(M@dqzst=ZPtvvowCXL1B?`6s8rENaXZ87?W-HNMiS%^-3!! zcZ9wUbTmz^zsdM@Y~=agJfOgll}nRZ4$bk~q0d^dXZwY$dsiKfPT_kb4Tos{?TiKU$_`a+{snasHd>{!8|H_@_(C#}RcWs@Wo-dY(ap&&Ggr%GLc}<>T zGXP|y&iIb@UOd<-hSfh)%leWXMSbGv_3G0~(&WU%t0ReIzjHk_6c|V6A(9KQ!(0g} z`?=p84)Nzn_E5zL;v;l<>urka{k&woT6Yxe8VBb>>&0-o%5K0rpM%ld$Jz_>p1p|W>?Beq%ksVwQGsZ-qREy_PK^5(Kw#@lt z3{RQX!|YFt)TGrzsUP3hT+uV}(X;+tQyLPWUq~9C`3@96OmIDIBUU zEp~8Kj(Ab%}$vc9c*z+Xfm*&fCiS03)T%DKBk1gYa=8XMm z*)m~3USd}8l}XDe0i%6@!K6B&WE8nim?u;;2Y%}n=HU3;us=sOitO!G8a&t^J24K@ zC^9?0@nza?JB@_=sh90jlWw6>UY(MK_oFFazehMAH-^xE~x;n ztTC$E@pDO$Mtb@VUNMYW@Kge}F>}|#6?8(?r`Gt|oh@S}nxKnI_ihInpIE$kXt9g; zENb1fSNNBDw*PtaqJuxqR*DzJY8$5fz3U6`NeZMf`Gtiv_v}B)x>ZT=$uUk%P9}?q z?KCk1q{AxPBVDaKI1GI8({*px@T+umX?Ty4|uAtGOIw>Z3cRyA+G)HCuPq6z~!vsH*D8VhF;{_cP{RsqKAH-ARb8{ik_K2;62c zEp3*?-t0cD?jnWG)8@xidHrXLHYp07>n8=RFT3BqxMLroAO9G_QQ?$96!xbVTo1`e z(1F@Lm~Lw|c2Y3)!$f8#VD8R?fj~-ze?p!yP7C@qZp_3+80G~TJJ>t<)2mrnH?u7Y zakE1Fa7zbUkoqg<-8iXwy;v$aiaFHHh9!6sL_@&7%0Ma2yTM9FU5&jGIq3f=FZ7rJ ziXVKox=N#uQy9A&E?5&y6f?^B)=5vPkXcwfEsqLXYjzKERs!Nnu@)hNv|NXbJt@${Eiqf-X-VHt!~5h+ z1+a#xYRB3RdlHJerqn`Bo)b?}=Vq{PNC7CahUQ8$<#e=j5#NJiR*T!B!`+Sp%RhHO zd~m-0?*YA!a0CLeUJ5&v&_-(}QA$HYD`#clF=L75^B4 z^a)((hM~S&caxX?eK_(?{i7cN9A6&ot$>5b5PHqeAM}qnfC(uT21GCn_wL{K*VEH` z0Cog_=*B*a&-Z z4u~!Wq4h`Ht0UQh$)VzsE_)P%p6g~;G>R^k-)9nfWo&|zAz^2yb8o|12v(Q%->(SO zEmNs*%v2&pjh3!**6iyFb!WMr$`I;KvX$!%kv=#Vi&_0bY1Mk>*=?sQZkN_ zHoqFz%c=cOk{@(W%YWG%Qf@0qxk*w0J>F+H{LuAYB55zFrgN+m?g@o?yzL0Q(;d@x`vmRCfbDELK906T1=A|6l<;ntVQeVwiS0X?|P# zbc;nN{{lUeawqkX3&mz86XUs+EFb-LbyD61M~lKOqG2h=2wI;4Kc7aKwNMQu5Na0% zio}lbcn(E-TkHVB@)j3t)kUX#{+7B1dSIbxGS*V@REzl1zOZO0C_y_BsVN%Pb+pn; zdSdQY9Ofh-u3R1NI@yMOr3y3W#C7aUkpij>NhT56X|dxDm|OwQVmjA1*s z19VhlFqe0$Us%uIsaYJSK#2>k`7XWO!@e*$c4jIZEv)4saUsk8cF!Ysl7kl!sGq+T9zH|`q-t4WGWi z+PJ+QAhu=aoYj!*XI@6#*Mao3I2h~(SKYb8$7hn|*nB+g#kKTyw3X41@S1N^#MT|> zC)})w`%jt|KOY#Ht@bhPOd_*m4mA6z78|Oq6%72`+nb6cjrAv7`Krfn*ngLuw8<(C z6XY^N%eZ6RaX8Z7X+`W&Pd_(5R4WOI!EjR2^|MELNP{SiZA%h}rWPj{tyZUsq3zvR zNQAbC`6xJqkX&pTP71Yy-X*q+JM0$O_(}5gB>T3wX`IsmzrL0N2B9`_DkyC%P%pr zFow5P9=q{uLAWV>=8bmx(b-a@#y|qUK_mk9@oB5sT&iUG#uEx=0WSv3f)VH4>6+6N zpf*b&Zo>&?Cx^^08VP2s6UC;;sa2dqwe553k|}pNBM1&};=rq)+o9vMG;j~S*+6_~|B5-jS8kacyvF_YwUdoK#FxaD znh@$`xA}?jZW}fF9&6>1N_dHPt-t^>DeXE0&_w22S6kmaCw`GSFMOl#E$NUs=b|U; znN?-Sm!GJFQ?8Rp^}u9l)0>4QhE+5QeGh!Y?8u%;UJa}eZq(t!_)BG3b z6$9Ok7nSBDS{L6q2oz4aCoMg^tF9-szY;krNauQe&DN_tF}N$g+s1OG^*W~145pVy zojUaFYR~&msKDEoD6pc*7StQ@+A4BL?nyZ$Pl6-^m5He(=ea5&|24VzowzZsz)KNG2|TF)A^vWgdfojUS{+n2WNhR5`^=Qew&q*mhiGoq1S_H-J z4d)p=P|9#TFy-hh<~*oAREx2t714|sS!mvbK2;!HTu98^0wN97mv293_N3Q?&L2a> zL2Fd*hpXNVOoFK)Rpyi~3sxe#xEqgBkmXn|Z5T+HHeVUYTv%D*2wWuO1L_>F=clnT z9S6IXW$b#QJRUa9bPzNWQys{hrz7WB}Dc%ZR6JA0XG^xWCMwY5Js z?y}fLqB^@{Kr@>)=Uym42=-X9KIG=k0(z;a>W`A8qGohljB2Qh>Y>dU|Dfi9IgZPMo5urCh} z=ts*@y;CC#a(!##zC1mRf=}tokeXNjZZd5RIA7aML$R80h*n;C^&zmjCq1+W`Cz`G z+#|e2VvL;2USe#sdnn(s2d=DNKUvIXO#|IaS zvsKM{r{mPz)kDVym!rbnyVT$zYx${V14a{hbf}pJ&MFkuH4`6Jb~CHzb!sRJLeWuZ zT??0MC%YMnCdIDa++PpYY3FMA1)04I96v2%bSb_~P+Gtmma@eTI#>g^hqbD>hn~>u zZtZ%aPN6Ssi>4H-r5D*8c?n6x#l4K*l}YJO^P5XMGEPr?-X41;4tdvY^5AVBTecxD zGFX^%2t6sT(sL*3Dl&MR7kyv6(Ql39$yV*zF0Nk7nOfeouqjw7;}YHaHh~TECNr8; zUCiXExNcBN6Drm#tc4#&a9xLTg|=YV(GzI6ep{4(ZS{sWlPlrpw$rJuWh@$ca`g+G zG9TtSHP3W>%S?%blQRP}4U<7eyzQR&rSJ~C`so1@7CeJkwV1RlOipGzIl;r?gN^|` zemO0ODcy_p&8X@hO0m!|h!`=BpKT6O0|0wHMADU@!(`#>$_!Jcxf=j$-a~IbT#y@+ zlw>pz+SV87j!YDce#)z8pe!6=i=Ue0gAo}@@A{BXwhq+diR0^f7BMPIG@K2o&T9?v zZ9ESiL^ziZWCTf!2(q$jTMKB7jf@1Jd0xJ`+}~_5G&eBR6l;SkB8xA`%l}?zTB)_} znJHitZ`>s{IcQ8RJhI|@-}v8?E8V$Z1<0DtPegT3VZQ?9$8X$v^1=V>2#BH_U%K#w z^M5=}`&cS9PEP7~fAiy1**Ql+LGfDv{P`^alDlsDo$h$14aZ$rk8O-^|Jrb4G@Ekh z;j92AoH3&eWk0C%-XpFzxj609Tk+hr)Msys{I8_!o0G)S(rB-G_mq(wd8pu(o-JTj zUNR)KroASm-TKtL`zZE29`Z=Qo@yY1^_0e$$@B&M)uz_CtBCp+LvxrT7IY;Cc^<~F zoU30ha5y%^JT2^Pnz&`1+cP};@&f1H$_<6yFbWob`Eq{RUqf+AQ>u>cHnSHJBot_) z%2Y`eJ&)GJjciTj&({RJ#<#xFVS$zJ>mDrwCc98Nt9KXaR{g0i&- z`aU3amFb$Kl&4GT`md+Kq4KO0DpnS+Q`mCVJ{7w?ss;612Uz-@B@&BTET@1}E=m3? zg1uT;l$xY2(}-q3xFs+3`>%%`l&4xRKxZi(iJ#V!lIb=1^u%VJkzmmz+G| zf-vVj7mD4?6h^-XedEbW_l*Z$FCM%mA1*7=&A0V1-b%c|IHJaYnPp~59ZUy84Bj_S zu(uYZth$h-#viJW=-WPuv z&#nJrCM7!hI-pg2er#cx23^XUSy_<$zZ$AjQ>a^s8!WeU zy+T286Oemi>@fcRZgO%Wrp`>wfs?Oz>UV;_QXmXKp_!g@ba>c5@^ikUrzaVJB+N0r z@R*tAt(V!@g#`t$uVvsSGhzv+G-cM~8l^ryp%jC@jJQ?Ar=^{5>@Sa}8&3P;{1v%` zJhlT@*XgBgl~MKa^Vcj^EtmDYS!gtA`j`C4o$hCB&iq#I*($Qh`U06lw3q^!$80m0g#YHHx&i-mUgO-#Jyi2(`}(xilru zV*?xBFY75XU5KTc*2&`|>;_3uhjYIF>{UA!Fm0G5?x``sZOYBc%320s>0P(yN(hRt zgfcE1CRZ=mU!q{RPv~fW6~7B&qjgG6%Jpn5fPEs^1v_@vMsYHm|EOBHroUjy@%LRY z(=%He?J0DxVhc}xV;3fnqOGh}qkR2HXiT_srkA&R6F|R9?u-2Eg*o<*j0$_g)Ozqw zUB{}89-cx7_x!&s3h-vfKKew6$LGRJ!~8U(1lcw!r_<^=?$B1xOEd z1li-iohts(NBPfJU=7~E#)`40_w55UU)*{0=s6Q+V^*qU>g~hW^4PM??n41jk&Xb& zXWIvVza#(mJ)3uL8;8Akb^g|y|L-4Fa-8}{WhJ|-tE+JC$OyC~?8?7W*-55yT^^|n zkbOs?Y0%iw6d*R~m0Ok`k!SI+i0J?L{AJ0;f{z&)_ja-4npT_~9BKak7fMh1F8}wB z_2=vNskq-~x5+X(Hd2bSLr-cMmrv9c>A}Gc)&CcMqn*{EwGS>XF1laImflIf`~B(Khc&QW7VcP# zvC)^LNhAlUy?7^hWrHFEgdA--Y)6YaHX6Lv=4RCsdQO5oesRG1&4C_Bj2nk&Zt zkuyu^DWn$^d;y$04`+7&jQ={kHvkJsAwWCmK40|B9y$r}#ImH9yMW*~ouRjnG(OFkh zQIP~d{Mzp){kQ-1hyS1WlK<%}`&6;BzL`LR+BQXHuM`2%9F^2Cwzyj+AWE zx{tSG)FYnn?S8Ru7 z0o+~~+=m+YeZkl_H*Q&VawuG16Akm0dh+_7`LB=em&S{K2j}N=g5(0dy)*_!#+FR5#jSU3R{^nbDW;LT?sRb^kEF7^oRx%x zB(JDQBT>h>104_=+CwAyHb3P{|BUq_9dE)-jsL5U-v6|MH#*-1Y27Z~g5j&8(Z}`A z6?>zkjwMF-&++S7JqBk=JGb%v-;+)(E2ibSLvc79&IzR`7>PhY>?Lmp72D5J)d0Wa zScx%NEWo@n{D~mo19@EiAk0x2q_eOwGc(tKptKIq+FM^=|6LIncqZ{5dE z*2cGfxh*B8%)`Uu{+7Y$Py6CeI2c1}?C^-|V9x75#s=S=!R8-4wIF!n3yA0%G6C}T z8TzM2mv>i(LXwh`jhP#i+!!RLM@F4cBQ}d&DXB81i0CScXqNfKN&6GX8KA4_uQ?lK|x$1bJ z76Bnd0X_^ba_v6Orb~w`oWNsarKi1*3M)biEQ_UV^bp?Snc3MWKnmtL92sAOTZoH` zn}b2V!!#h1CMM-ijQs8dB=lTRLe0_5uf-!n{`gLBgQ``alu40+Zt{P+kdpbN{s94> ze;zoB62Dyfw}c`8SU^0 zZnI&R=!719u`N^wa##fh;u03i^$Rn&!7srS)Mvs`tjqLIVxeSo{&&z z8+PPp#$^^U&%J`0L_LQp_|{kI?f1L@raWAjc=Q3<|@bEHP z?L6fWX?}y43T=FGOimu3Gj&17Ld1HN3$qQnmUlI7ez zJf3cPKvgwx?zs9AE%8xqMa7;RGgF)2|8i0Or?$WU{~Zch-i<%Z_|PYCk7}9G=4pJl zuTikFsL_BoKb_D=0P|Y8^xg}c>0%NSEjKdXQgG8lyz4HXE#p(B2&NabNoq2o(BOFGosd1%&vcUyn+1S++&cK+YXcDC!VKLxRP6rNJ z4=D8w43q&VHw}PuM{k0(l3$A;v+2cnd*nUy$r@*eTKj+_d$;jD>^R5WyU+aV?f2<| zQtfk+big9`65Q{PFNe_cTf{u0ngTxl6;REv{C~W?cQl-R+ckWpAR&l!Eh0jK=)DdR zB@rcvi8|4H?{(4;Q4>T&86{fuI=Ub_qZ_?5gwe-f%y@r!)_UJ(z4v|H&vSp@v%c>y zBRLn#%y}Naee7c&d*?^s7x^oIK}m$Pj7%#(a27KiA47l=y1)kEXDmov0hsH8MN8hrFzgfK02U~+Dx?14Y(0R#dQ-VsgV4w-YA zkA^hp9tL8X-3&qE<0aA}!T$Gf?mj5UVc4lg;J==Zf{*D^ZvdY9k6P9~QQYOOqOx+> zpHxNZ`vd)F;iwcD?m|`(xzBxes3eJ{-@mz(XelYLphXe1|Fa(E-+ChD)-SGV*XnQG zx^={L@%-`QuQIOkp|Wy)_95J3In5EE;TLV)34vQ%^ty;({)SKwRAb>0MIb zV7)mXIF*1OZ-h5qfN6WJ{QQ%emzQVS*%a{G1(;;ZfpEi5;F32ATe=1M?06Sv=jbNy z(t#XTAfGzMp}c618jc01OKf=(@j`Obo%gaefSCk!&4M0YyR_ZPh(e=6w#@u z$+2~iK4f@Zk@~g{n$JT5STt2rg)kJpEO``6*ddoajpK%D0YlJ@_O#a%&FDKYD%*KG z(YufEW8VbKf+rrL5CKK*Pt?>hBN)X#GiH$8y9-;+OxDaSHP-Cyl@v`z%>9ZY)@Vwc4=G zd*Gg?hJDpp_`~TU5KyJ_{5h*tD)mroM9%-sIsD@(^>1|v|K06ho&%<-`mtpW)Vli5 ztvw$(qKqvki& zNLkcLL!%Mx5BT`R90gyZ$;pg=8(tzWEnb+PXGL1~8Hn0)0T;pyVEFW55)8hVzRbly*;VgTv~c8Hsj3(RXjSvAgIs&HF7X&?D{HAw0!W;d*U@jB)q?h zcJ%*`lSBPy!*X!5ii6sn><7IYvHmjedMaTNZ8Clbn%>@3mwFd3mx2h0FvgG=aGF22 zw|}Td^?nGINHE|AD0H~YN@JjPbkx6ronpv^CFN#Fw+loypn$nsf16>e-NXkBvqyug z@*O6&l9H<2herUvIwMmYcA z?#?KWIJI`l4%xE_IcpZ;J7^ZB@GBu;+d{NpR&SW5uN0?|3%z;McbSj**PBsCo>UF= zD%^TgD{{tV1=2Y>5X2?4$Z6L{5nsxE{9pdke?ZLt{2+V>x9vSeLf*Alb8Vvlp7BYE zTS5aF}gK1`Q1Lu{9L*l&e4y zIl&R*3#>ln69Ipo%W4hgAi^M@YPV-h4SJpj8+`BIXSU7m|wam6J!_^qW`7Cl71_g4`?@`bSToE+Urj^kvxO^km1 zLO1ukcdG^^#oudot>e$KDM#uCuC^KWa(<-Rjf*p$h6JmM{9|_WIFnRYmkR4bDJ7716MzoT55Jy*Xw+8`4MFG zasI#k=>Cff=6o;nKRZ)<8+9lt*-pM3_SuI$;o8Pf(_Fq3xw3W+%&M!yi4n%J6x|pF zA$|1^2(Vf0PrG*GhUMkdwiqu@&n(a)41yZ-0K_29`43-T)Rd|)s@>n)8!FTSnZ1UM zf9Rz4cI85FHk^XK`PXNHYyT^x z)vhK{4wsO-f2DE&Y5*ae0^}jQ@5B zq;c>z+Pl`XzOK&DANBpuX^S2cAs{?qEA;tB|C?Q zL58kmcA>r@IYmf6*eQJk#D}75ZY2LJ(_XWWVmyTnC(j}ye=9^yXVs>_WfPvkPqu0- zll!wZdf1`&rz^zPb~1G|wM;yj0xwJp7c=4_D6?`jA-j9-nLt6`)x(#z_(X4ivFSWl z-tcK{$hiE3TSf$rBFbMc#iZ>34tV>V@?qTQ?S~UX64Jh2#h36>>POSdODcwwGdG zW=+-`-Tdy1pt7^EEI-TAkci(Zc-erp)7yb2d)zgzAr=Rp%8b*7w$vNbF>l`eTf>BZ zA!w8%T>e8dR<8xmhAXIyz`alr!P`oshM%dlM<2s?l!Ay}cx&!9h_${chuIL7h^a;o$9vQLZ zIr^3alH@uY`~wcw(NQ2?*0z+I`fm<-Ly0qh)S{%O&iwgPj{a_&GQ{KeHJ4OlZAyw` z-0FZrV3ui}28if8GwBB#O(1Q&Ty&#wBabA4NX=j1( zkj63NeXxk`VcA%e>~Rv%b26-d#9~$CZt9IU-`}5XG`JNdnd2v3zhC?0?yyE}L5%m> z#SEL4^tD{6cCAPHywgWfFD7`=YBI0-u}iDWTqrRNx-Yl#;nqh4fq9WIKt0{u>M~21 zhdzDQ=Tst5-h~@AEo+hMrE_*KPNUembftDz;q=t_i35s%OqmV%$T1CHon5f1zoD?&Dx2b*=TcDYOLan%zdqawStJP54Zp3UHa!E;$PO82yk`? z-@=yEVEduNwL|=_9=rVF^*Q~r!VasZ6aKFxMn=$oHgV4%J?>W%>&eD7@@A%UA1dYm zJV&<#Ov^N4IMlAd@>hH$q@=?BBmWXBY*7zrFWqybx4>b4_V;gFy{(bF_Sj0*py(vvHL>mU%dXOX(ImTTe7gFi`TC$ z4FTGRlaCKtX<=#EQIpx#9Ml+th}xy?-k7dUTv$;5bgbuT`(slGs!GUUK0A6I485P6 z`dZgi@VXl4d`0BLoZ_MdXgjr06MJd-u+FYA((~cQFkW+K{Lc3q)Q7d7F>lO_=-;q= zoe#YuDXZ_V#hz)AaEkBa7D_yDiTySaR&E2On--i=PU_djhYW6|sMjpTbWh+?E*vg0 zE40goziw2$@r&kvaufUqMN1tEjq7gHoqy}L&R--?{ACR$ zEoMI^x3T~89PQ=WZ681rB>u0698jd2X zV=w1NZU!xSE4#PkVl329Y5vU2Ft^|b%g9y5bG1R8foOx)jG@b}`-8*|ZN=a#g?dRo z^>lOoApM+7X#dOzqHuts+xT7fU{=-%YS*5ATg){&WY@_@R0o=Uimb_cRw+$952Pj0 z@09OU2Or$Uyyn%3OB{!o%B;RwYVYOcWZ~Lzik1Ih}X{qtk#d5oI4_qi$JCl*rHTqI?3h% zglz^uH62+XZY>WVvoY2~+1ClCaT~qp=-OH-`Vh(8ie}bG05Gl)52+5poykUn86w|w z`8ty%;r5}iqc5n1<4E<;)+7;3By#hb`FMEL@9SDzA90K&L4QL%FdUO79rV1$3RJysox8*^nj3>Z%C7$Uxn;8BP z{&E2vzT^=8Cdkw0#>Tv7PaW*-%R__>Fnvm;Wo5mN3T)@^^jDs*@mOcQucM_kkq_)# z?(l1#E(*3s(gy}|(Y~fU|BaR3$JxuZ7+pUzA|~8FbyHWFKF+ur5ii%hq{k#r8efAWqYe5x2vsi2^bQk00o%I&hjjca-NL zJCuyBPo^dYI^H2VEoU~0^~n@}eAF&;7X?{u^Lwydn_VbD_3YOFJmQ#?pesoK+0KxZsk|9v+|l$G!A@|4w{~#08#*55vpn z-9W5X1nTX(i9Zo4bkEus508%M!<)_lc>9Htavv5u-(LfcK&{4WvL?;v=^l1qfppCD zlCiOBCP1x$N6RtYK)t#9GqTYfg;|`RPjkG|4XTa{!kQ6XV4(absaXy9GG8(K z!RpNv-7f!TVi&+t8>m6up9vS!SbOWtOiCcWb{3eTkj~16JQjTbb6xtA#_7W2%)$%k z=6x_A(zdbTEIET{1jC`REYkd(vcq3)9n-B)_(8N{9MxV*j>54ch- z5Yu}4AF^%ea~s%>(aFEBOD^&fnTkS#4p|K(ObUOcMP~fXx%ukBPlSzg zF$?^*YiaY2jQ9v{D?a+R62F>kNv?%tg*WF>uV;YpvetQzZ7pLfU&e2gvAmtl}5jHPR!Q*;>WHBoOptj0LiN zomZ=yfzxVF7Bj>lbGNkghE!=@85{K~!_)aQ#@7}wPZTZU+yyzq)H9bf72}pMzKa*V zYb1u|z#?3&Hb49K<$;-)P8}^{i>cnQ#|s}NJ$20`yYVi2*Yt=DuKsQ50{43d%E_@b+66mX8ryLM>xtNOK#b@`CK ztfBe$?mvFy3e`5cn59NZ;jm24(mrxWxv?U@M&7p=9H;UzwO=Gnc))piHNEBfB*J z`|)^?MeGaBM+9{cCY*V+-U@Yjaq18nwY-sfnhllJs1)EOW552(B;w0cRYND~N(2Hj zZrdEq&DF(sw6mOh!uT;JX4B(+`x46&u7@3%AFa)vpmBj~ck^*(lez+Y&9+oNs`jQ$ zx1+Q{_>3#h#9*;8v&}0c|3}QhVrPUb$2dC&*ZboKQ3|&gfj5Api){CTNO#j$5TXkF zaF=~biieL0j~mFR4c&_bT9@N=v<;kgKzp;112vBpL}h`?Ui+i!gQq4lExNm3kWYb!1f07X#P3dQ6K z+Cw98ciwyV9#4hiCA@$?-&ipi;}!13>s4z+-IjUG7?m5zEyW4UhNj9p_q&ZCq(e5f zZ^BOkL*HYr(9xw$zwrMwWOSqz8Wu+C{zlF`G1di&-Qy2NKrwP{FqKF1NizpvAvx!9RUzWhf_%E-t)DgG*|NV&p!EM+G?tMQcNN5|jMzC2lg zoOy}}JkG5NdzqD)8QKrQ3LH@_Fv)hF2?a!XI?LI!m&S_E{*y$^TIY4kUKFzw$J=5C ztbN)$QF}!Dq9)I^3(~tCX2KR-?neoqOD@1S_i^Yv>$O4JaIt|H4Ovx%;7eD*h~MdY z6ED+5))x@l!v%5Qy#V_22i=5+!3{FR{k<-6g}6R(HTYMHrnicwRaI5m`xpqsR3IOl z>?IqW=H%3H#D&{}yl#t3ezi?M0U*{BCc_RlPF`NE?C~GnIXQ)YHn12^_(AHgP%Eub z-6;uf1KcbvqfVPB5cElXS!%~Di<(|QcP%V)dNSK;3xLOTAi*9Ohsqw#WprVFiZPbw zax)bp?Gx6lzK7lDg*Ja29CkFVwjZ}Wr;Ke2VIjqMz8JoG1@)i}|E=5&7-&A_## z#$FavZB;*dcv3)-J+M8)tXA`@Epwpg>9&D3Wyn_|W}g06+AG^?U;+7~ATOKZ)PhLi z_UOc&)vyj`X7c*?*vc0KL_*`D#BcJk%SrAk6NB& zlyO4$&zPI#5$^ZZe0;PpnHj6z)Uc0Ky!!Z6VkS{s+J!XRD10%-U~gf%tFc<*+cfr# zLGYE?@b3B|xI%j@zxd*y7CKRK6KW?$|DIM?SGPYlQ7I=evD_a6M`%&7-_bExK{brq zs*E?X)F>X|Ri>kalb@nQotOXWoJ@hKcOx2->tcV(R$SwLlYo>(hI`u>ijQqIMxjzy zY2LIY{yIKr3El4*9|)@O$x!?*sC1sU;}~( zd8+m#i(=C#wGNsaJy{-Sg@7jn(=f^xKJ_kisrDNPNMGB}y}F+rvQ>6yY_a^?W0#2| zlKH7B1g1#Ge3v@7cI!>ZT0FvQNC+Mf&Z~d1eR#7R8*fU#jplrIb1G+gCf3)&G2OLJ za_7VpvmqZjW1^$|or=}Ii-hO%iM5>mQA<8TVrjs$9J{t!{pR}eKdQ2kWcHIg)$_wW z7m`$tgGd!C&nNs$nKRAXwG};b6O13@sB!KbSpI@35=Z^+@>XtL>6m?Ex5Lt%sy|Gz zIzpDGd8{V_`uw>(@SaWs1FbMV?{DiFl`arBR{Of-Mt8rZ4!YyrZob|~H-H`K$lKe6 zc$w-v7k*vTudt14$^skW?{KPmxkW|s(|lG;5+8yn{hawtT}qA!(NO`vhdGzK5#0|1 ztAmkcj3GoluC=wba{nXOr_Y|14`+5_CsL&vzycwdvR3hFX={fnkQKyDO&K09#b`X> zPkttStV;ZKu)-1~zvS}7?hSMBDf z-s4HYX6)VpCK?`Vr#d%o1xqz>Ot27`is}o7KQ`Nb6=03X6k-yxl(uOhmJ{#Zl^pDf zv+Gd3I3fTQ|JrLfMTC;S!)`89G=zc0f+6FSbqJQ*bYzeE0V4+O!vB zP_)992)^=Pz-!aCK~hW1J6rZwGvK<3ygq9ySp#PQ zzQ!<6K(%9>Ar7;-+D>VGvIeH$ zT|`V2wVzgipX|YSWR>#Ojz^z^h%8`(XF@XGpH}rsq~2P@s?!|owXcZDC;D!ea8FtA`*wz`1cM-L*n0Vhyb~%9p*n@;Mh=F;PN7 z)DvEprPmN3Br`uU&zqH{v6)`^*PiQKYbC!`a`RzHYi#>H+bbfWp#xtJq6DU2MScAE zQJ(C){I|FJrN!5oOiu{`wS~l9O0^f?qFW4It0Z>=M1C;Y>o=PwoeU7co87{B#Kl@kKZH zu15Z6&gcJ=SN$|(k0$1m5_T_A>gdLIE9V(kDu+gH+zmDIQ^DkTFNX1wX}z@dpU;$r zF+`HlsFzWQH+>AG^J{ubwxZBzIGmwOyBL=DJiW;tsQ4UqR)5vh?EY^r07g;!%K^XI z+P;~s-8A|W3JZZWb`}d0uizU`iB5Y|0$|X5jW}ol#558&xvjCV)8qJAi9a?)foPvX zZ?I=7ov1!h8oas2cK7ZhF#i0L4hSrFmq4y^pu(2){S1tP!tZ^iwOfC*63N1c>U}Xn z#rwJY!g-K|MXRH}|m2vRAM#rt$Sz>Z|VL zl#)nXej|RyFGcMk+v|UL(_e?Y7W%FP*SW*V`J~2c%W(!#TJxJoUVoZ4PaFjaAIU{l z^+n%l^HxPAfuz53m6lp_qEHTlG78r$r@~(R6aHxIYm>Dx_Q`@&+>$E)Zuw-7FIN6t z@L0gv7y0~|GJc-jQd>QrcXtI7q>m`sn4H6_6K2?ax0^ziFp$&SSrZx-RLphmFZ6C> zyprl*RM;zF=-l*pF%TN~N&j;fIigbaNb51pDx}i}T z{74YT@`Y6)m>$x$KxDglhC((nj+Hg7%`Ug83U&~guaB$VUl)@TUPVz()$MlWw$*o> zGC;%^js?OO$0GXFfP=o;cxCVPDG;ruS-teR(-KA$h;2NbCd@3QDNxk49TT?@u2h^S z2gofXrqR6fu3lqc!K5e!jd?B4`lHzf;xf>CR!-sq=fMIctKF!-O)#fX;8C3G1a$tH zjPLhuK)_hNKSLVX+$u_M5VD-IDIE37NECJ8FEXhY0|vG#PgK|Eoravs1Nt_NJ`W%f zG8EL=-vk|M3`KAZ9*=N9P^?d2Ak{3&o;NL00e<_?Wi>j z(J^2O-G-%N0}6%~M|VdTB1)aH>OzJNZA(Jf%N1_HIMH|1Q2QB-om-g$KJ9G6sl}HK z@mD7S(uVhTk~5Z0KGC~k$=II7pEo;-N5UR@otjk63b?nbEcy?F0INMWXt!lcW;We- zJkcovX;fJI>iY?n7}o~x-WHdSe4e2dGOoHzAvS?q(FydQJ}>pEWadzwHMu?ALn<@< z$LJ;b;q9h1Ow=}`?O_ZYZf>kP+OUZbL^U|h7*r}YbWAxF2qM;hGnx-MZs99|Z`zdS zu+k0T)LpC7qnD1=hwc(yk6HY58S3!w8hbv;D_PGdpf&g>+o|nNq%6DyxiqE(IvZ}3 z6MHqpZb3{d(f(Lt0n2DZ>-PkkwHXop+ev{b(xPrD)%L``_PomOingPn-GYlP5p%N8 zmx&|F2tKj4!OLq-L zCOAh5D0m1dmQVK+Hdc7fsSx0iM*ZI>!2R{Nmmto*X%tyQ7No4 z{Wvb_I3=-yOOv-p?UD#(7NnD?aF)%ndHXN<`B=-j*^k$|mj{&LCWY%}=jVR4wlboj zZwz34L6DPqGf=A&H%oH%m$oaGenBXa&(3sH9VcL2n{dq(=G{{oS)id3?WrE||t^SOx- z_<1R>EK=&8xQb)Vs<7R_B{BkzyUZb{U!PYWp&E~^2u2J|=73I@j z7qP9*7(J%7~^eKy}z__2c zl~^E7mi;2OoU(BmF{lB$wy38^jhKQoUnqq1aVc=QluKw*I!i)h#uBB_7Zv`CC@-XT@oZZj=*_^U6nYD^4d)r2#9-dA)Ag7^frHrkH}Lhb$i>8pqM1%z`%- zX}i?AKFU7f@FU|m^J!!G`C7G>Yso395zaEyok=ch^p=PxR=9XbeZ3ClQ$x&Jgd*d{ z>&7OTtG%xqKK@|vdzR;l^C^s034m`uoNe$gmr!;<+a2gHR&4lF+fT)@?de)|CIaAf z>1fCfR+KO@N$X8x!HZXMyhJJ7o`+{KUb9;a;}8iR{9U8Qi0*8G`2XDW+?K1PKg19A zz@MI;c^BTt-^(a9bOB#~x@mxQ5q^eiVmWybjSEZK7?p{|6gcvHl3>CJF|udI0$txHaxND)46dN5xJnD zc!N*>4qwA@<+u_2t3%Jr#d@0~s|HcLEq75q@*GL)ibDOUSa#azPRbRAb>AWzROP<> z-^maetk4P?g(i zeVGa1tz|`4R@;foJFwdXCQhLh`uj6#N=m`?8+qwX_l{ex9-li0bg)Xd;{0+x1)tB# z&L&L6R*K%~uXelXcY}e;bK~W^`i*?B(cXCzmhUclQ~)9F7uAi*;HOT@&W%cXP<~z; za@zjAhisHtzrKmt_&)E1()?-C5-bJv8=(r9W45Y7c=j)X8Efve7-#2ocMGwU_g#fX zQXtI9&Rc{C22A;i5{uzNSYPG*B+rSp&tFClQ!?8B6rVnxsXoaSw6WhfP3e%GMLL~7 zIw^fi0dhQmuWu&08`OJ>=#=o>pvDpww^Cxc`I7HIyyqrM9kI5AiuApR4Jj%4C;7;ElI{ zS8D|N;mx0HZTix>Mb7K-<>k9j;fHX(4;YTE;=+f$pM-~%+`wXPLP&!=V?D+@FBH#h z4Wqfv`MH<s<7-GXOoGRtwakw= z6~MR+Y(KLjtTPu$ICRSz-t!5vSn(wyI5FNKu5FKlJAb-EohR3o9;8}T2kg>&4h@|e zZS0Apvc@~{%vj?SS1wSOGdBL%S8*jf85t%IWZ9V#m7E}Wtc@$ji?};sBC!p+J{2-Y zzxwJXQiwxNSp4jr#X3W;79Qh(6vEyX_{fryg`-F4DaHMNJ;2x&9S^dH8O{g73Z{`> zNG91ND?D~Q4{7A|LrZu5m?{1i-2V(57m2@S_0?LNU@7x2GLrxK=KqHixzMS|^vz#q zXRCe+EHb(ux6WVXk)$E}8w_!$_;qlc_ZL78jf2n-I`^fT#?N2BJ^(S2qP1;pZBIcr zHvRV0UD3s*1Ptv%9k-@*(O|Jc^^~OaGM4Ug4m)U@zS{6#Xh(xa3Afb+Hmpf0NM$T``EhfGq1e zAhrQ#s)!0}h~4BD86QFE78$1g%~v`#k3%NI%49vr;NuZW%Q(e#i{FQ7D2}4z6TUKY zg98(v{S_(;^F|$^3%%n{6b5*u>k&zCeb~`RH`OwnTPQiN{IQuzh63 z+~stU(k;31_}dqvLoZ)pbk47~SHJv<7}#KrQghdTt$MW=l&4n|iuJ9XU|{gLoE+=g z>hIq>3dNAS3q9~#^KHcGnwv|QS{@4h2e~o=rdI@TTV@f+LeC!H#4%ocehzX;xcTK>bhFWJm+3nJoC*q3C?93Z^3#Pm6k zNb$`M(9fJ1?UC_(y1aV>Wj<;QfBAzG5^A*vK8t7c(%%QNof^*=2P9FarI`#)9wrTf zIdiChEVn@>JK}}xv2$ca!sOlnTL`;=K&QQ`nj4YXd40(&t#so0_Dx2tAbw!PDP~WG zU0k}&2?FC@flEWXBH%3I-BwC+LVx#o{h#AZ?q9x|8@_x&LWCwJ<8f-h1!=-Y8P+Vl z=gL1ns;hsUrB-?nUS`cd3vRjkv&S?nvJXKp;FX;h-Y6z>@pfa=%=CrLsd;!5riJK@{=FFKQ1UJ8G5fX4YIeH;k@=?8D$5}5Gjsj?CJsJ;&B7REdnX~M$e5^cm{xti#G3Nt6QnOg5nrt-Mv5(+N zjN00$f)uH2l3MJARGbDA&Y7QV&sdJZFb|*~UPXVhJlvb){airUHOI5g5{3luONTJ8 z@~SDC^`W_j>!p1X)MbHddinVmoU9b8PJbcttm2l6 zn0VZo;oe_`IQnOA6dusdzzt9`TW8DUTYex&(`8^ii__0@OK^q)8rG0)N#Eq(%X1Xj zcP3?W=@tSG#@qK6%ZiJ33)aNC3WOSXl52%AWgof2htMx;J&$Ql9`br7n^DU+I);Y2 z2l?E*QCnEH;#fp{%f{5y71uCZbP|E&aVuMW_x2yyw}10nXIskiB;DRzo95?8wm0CW z`v$8S<&2MutH?+Ydhs_<@=fI(O&E+1tc9=W08+fiSq!!}NYDhiul!I&C32ekI~4&y zpTZ>J`dD~OLsci1ySxnwpJ> zpD2OM6>GM{(M|ob8=J_=FIBSSo3@uNFR;>r9yKA`x~tiaUm7jl6yp720N=~1-_RTQ zOA4OZe_?bznaQefb70!z(nRVrA(n5vEyss6$Gaky_h}9KWKpRieIBEwR)1xTILe^E zFvoq^4Crl*w#MVN^P(Ct@WAb$@Y_?`!j}iR7!19^)6x@CiS6ZyWg!va>8xS*GeCBp zr{Ky6gW2ft$YjefJ)$~aYuy^XKFievBVtFEKR8394IJfjM_ShBgUDd9;xsGc$A|tL3$wgosY=D*jU)m>-N${&k}-=chBzj-jx zca)-KFuFskto-%1;U5s#zxyrE)jM-V7RLLIW@nExhiPRGQzLpmuKi7WbD{j^8{h>g zH3yt(y0*$iQv0~(=X+^ylvEC2fOVGNj`yRp*ofRDoi}7uE1kjA>&q#AoADrtPutYY zNFG*WMtxGdKiJJKA)yFTaknUvR8wDZV zIWd<6#J1wUU3UJu(iZB|AU5qa@)GIXm`t&^Obz5)bg#2bLU7a(XJX+*(zUgi!P3%DdT@(1$X9=1tG)8k+yHYn_sib>A z$H|E&Jo07x(ZX}2QWr7Y&T0Hy#*&F6F zZ#t=VB_!j!QkxXmh06tQp?@>d)3ZYYmq2<$Xq=u?ov8@HfAbz`mM*E%vN_xAJ&VkK zjzJa7*fFxlXUk!{+N>6!-u}b3oZS_1e{qdKTpl9PkBT-bnu_cLAt#g8BjWGy~B<=RR!=)r@vRR|uLk2OaDJys})BtN1^Kh^^`uWCwZM-aAf<1t?3pIoO zl7(KVeh90nYMnekG1pVp-qnkoVQo=P;%J!R!(*q}P6I5mdJtl0yRV6SlD&?glYBS? z-}yl&jUkd!`X#zHF?tfQFjI-Jqo-IO;wzu z&m)^>-@|*3rf3d_Ue~OC;O8uI4f-%1Bf#}!hlF9ixh^?l-!8CvpxsVe5#j>}5E;i! zg|)ECw0rj5ZRb0>`=IF4;U{PUA#}~7%>}y^BO;~9qCa@GwyV`@Ki-b-7VD@-I%eBS z%;>@F(VkzsNMLG&{-Q6HaG;+N^!W>Jflm=l9-VC>wSav`gnVY&IyUew&*`y3(CXU9 zu^4%!tol4#A62}vXxgLM#ob0zNoXXFTh?yon=?CO#RR2?FHw3FLQ;++172uB;m?Gp zG`ioHnOe+ueF;)7G$_;GPh)3IOMKQ~`q5DGi0g?EsZD>m(63?0{3i@uC7xG{cEfKL zzG`^ukAFSB$5%JD*=TxXwObYff5j)oEg(?1w`dO;$MKdlU7_DRuAA0^*#!#Jqso71 zRl*C5vj1Pghu3o2XA7OWL`Gt8|Dr6*QC!XW@#FK@SX(L^_i7)SH8@Cwyl1rr?AgGK zzS)O`yOZ5s3*^Kqq}J3tl_hx>9^K-96@7v$Iu(9IVmN1p5`ENhmh6O#GEr64jcglu zWsl!tu)J}7nR3i`CE-5S1NBrz<%4(;C#I&-m_^(br-WueKppg|gd#LaIJ9b1v+oxt~^Ij&b!HUfqB0N%ZDsuowSxIxmXNHVj_^M(gCbr}hKUqt#Bf z8DPTXk6rvjLzh{Ra zsXn3P#4#Lpyzo`+hvLf@si}~6{`+V&h6Bpg|@tECHucGqx-rVosv*=AKylOm% z=A;ln(ZxGDJp8+p{onXE_h)C&eWPAIi;Fq`J0kuci+AH$U;|Nt_P|bzT)4Sz4xT5} zUxi&=Pcc6%M?@~L10GTmB5fSduQg zu&@r0xLfhmkd52iiYf!liquW)aXnsk4)0qbRWZ;7h9&-}jZp(9Q)dj5c8w}XdCF9WnH%J@FO>JE9@#EBK$M55c$V0WP_6<*5ny(5VGRY*BJ zViP<{cUwxx4x|IZllzQI-Yob_^<^}ca=u<`02uMDzg~B0k;`z(r~87@D|c|d`o>8) zjC-Tkv8vx|drIwQvL$}!#goV=k#nv71#XoQ^n*jj!^Nd+tqrqMHya^K zMd$sxj5Vgo-_Jv(m;l$x|B+jPmf%Jjxdu;4I2TIk;eKS)W~OBgNItk{*t}?T<95A1k|kx9T%8||J%rE&aX2)+`HMRAs|r^M+Y9E%fqS%g%;Z1;VAo#=Y% zY<~lrqJ@?LhH}3a-z9M1d0$JfdIqProljR-Tz8dT8<~u2<6gM*OHJg_%GvAGXza)& z!Rbff?X^j#)cUo;WIa!rVLJbUh~?!%vl1!#IKpl3ZAL)n^sqt^uNvwZJF91=K|ck zZX8DRo-+`ZbSHbw@XXKC$y#Nyia&YMc~BETH~>2NIN(>FN$0p2$W3a8kV2>baQ1b$ z(e;BB23sf;Ly4-H4>s8F(6tyVrgL46(=KTB#7|9LxWXWHz=ZU<&%x2j9&c!gAu8b>iFxUF%5>aCFze0zwKILv*9)WvR9eHQhx>l@9* zNd%^b#1RGX3Yx$;J~E?^PPF?K`P?sXlZzl%;}!A62ICuYBI8axKVSz9BR6O$v97O= zu(BAaG4j+zM0yc}*s#1#lFg?ZO3KSe)p^)VMm`31hTyfLRowocQ31(j`ou$E^7P0z zrM|(*_x)qV8n|vT)K_Qobd%O%cUfCn-zaPmC7~hwa)N7oys%M3HxaY9*yyh>DN#9q zqdncn9EdaAI$T*V8cTcueKC$eRP2DEdofxsZk|o4GuCFPptXp2G$mw&n1%)RU7wiv z9C|Owvtn8Xj-B*Oru=)X`rp^yUb+i5>i3WT)rAhv<=){3hlYsiJZx+Vz<(Z#J32c0 z9FL*Y8Mt0uU43v1=+dtMi#t%A>8OPUcC@v%u~=^44Iq@nCoMg-kwJW_s;WrPp>Mj+ zpqpvNe(&Dc8BWP)$1VCR)?2T;#JEzMeBzCL6Aa-*wNi`j8{@?$$>tUgF^7leCARAJ zELQvHuK-TZ!06qPEHLZgz)XTt41_+6f>x+nEj>NftM`rXwggu{YL_M0mkb!MiK_n* zGI{D-_EZgxt(YDiE>>&l=-dOPT42TXjZZ+e!!YVbiuVGiUh$k+XV27KPEH#^i!Nbc zqaqZw@Re?GALIz_N~U|w_^1l6s)v!=qQ2o8>Ij<#TE@nX5(0@7P&jW>1 zLQm4sM;~5Xy;4z3rYa<+H&KjXOI1RN-x|I)3r|gQY17M!sBvFP-x{g)!bZnilC*UX zFL>K;mhjEiK~cA&Ej=MtFP##Izj$_=x}J^KNkN0HzIQmpr?4_O-^_V{qhcxgwDpYH z&a?I~oOI>pRZcg^tmXSqkI&uhmp%_2i*2&?i-T#7dHBGso@`e0BH{+Q*%Y6Jlj9rn z@Ao<`nepn1>!rFpQh3`d*O163t0v0O{wXftu_u!_5H->X-euF{2=9u%qx?B(Gb1T?T(KU+0=<5cvB^ z={j=pP--7;yB zy0n>K9hI@3$fYW_`DyY#!p2keW7wxCM765!E%efSy5ORl;-cMQ0sH@A?>*z1+}8Br ztq2yx4obJ6C{?M_k)j|1DowfwNbiImiUm|akSaBR^cLwQBtelP9RvcQ1f&x}Xdyr- z@8UQA^UjRA&)LV>^KJNKBqUFstaY!uTqPkLXoa)of=<16?Xiag#iHs0WcKooPwJs5 zZQnvMNvH;S`DY4LXF8Z>jy&zdSU6Sfp14gi2DA2i=LXivyY%YA>D@QJi@oCen&D)0z-|4P~+-UT2=?e5WeLCIOluXsz zopq;@@xTUQ_Vw~~tP7R>2ku5@*qyxuZ)-FttZ5E3m-~1V%)q!zpnpBYxqW>l-9bj@ zs(JEKMf#UZ@3EL;0-I}*m=Pc2sdIiBB$s(Gs9g9s_F=vd#=G-n>!_*dxoF!<>Dm?F zoGFInuU~>WTN>F>{4Za=6lgfKl;rrS9@lRX?V=VIo&BmIysmkU#*-K+=aS630aLs6 z>HE=jiLIC1qaQDi|9;6!zgO}~ky*rk8Ab?3=K=EZ$&)8rY(X^hV!?qi9x;iDEM4KK zFJBr?zzPi!Z=@xIX?6%BtT+F-EnmGl2A|mh%24AD!UQ{o6pgI&f-gE4zf6mj0mP+P zPC)_5)=j@KFHewaUu2}l1du&+*UzE_bF5{sqq_38LD?(vd1OTBnbWgY$HZhQZ%;dT zsy~n|?M5QFeVT1jM6iJDYhE*T(X2cD>r|afJiKQ4*~w?R69aoxoS5y~DdAq0T^KB& z(~R{w;QQM4EKMuQ%d5kakm@^|7?~C*8L9)c2HI8%ZbfX~q;E;5ZEU(R4qa1d0cTcx zfL+evq_)((!gE`L>G@`U5p#$_S@iABSeidJx#7@aH88Y-v+}uRp5(|pZUIiD$XC~Q zcXJ9xZYJN^6;w~IA`1wv^YI8hTBvd^bve}Kc!O@yMy*S>_}gYi{Bgf+;nu|u{N)sV zyK?=NWY?)bx`HhBpmh1ot!uV1Flia}9dgf6!O?qE)OS`@Z?Lz&W%`&o27x~Op47&P zG=iALYO)ORJg}w}d27|_;-mw7@+*L66WbPpbQQ zH0Nzwgl*LxqE0jod}Naifsa6I$}x{k>CkHT?k!_?%tVI#B5nNGd8|DvVeJJjyDJ=5 zIffFSI`y5(;g#zCe$7U<)FP*FiCu1XAlCdB4f7w1iC;V=V2!tP9Sqnh=idL>T)LAd zz|{AY0kDnY9vB!%Gr5Yo3kJve#%KWeIbfXtcbmS+bS(RmZ-S`98sfNx-yANab{Yl` z9~xr0G}EZGyrgj?BqhOkd(J6Nioz=+WzeP)!xNFA61&dgKv}z2wbWpfo}S)c_DQD< za2qzzyOcu4KW56hEjz`Ad?~7F7yPty3Jc3~*IW#fxc%?TldyNIC<}w3n0r+iS0S?* zQM9L=k?#gI9HL$4j#{xBFPmU3&4CXCZ15d`gENKLEx9C}EbU{;$Zdug#WSf-`+QUV z*0w0;2PJv6eih?@BiAC(eD(x7x*fQ2#albuRN>FttKqAY-gt+RDEb8QhUDjnH`Z0t z$4kuX3R%3NT6Rf$iC~TUpoT+pV_tFol?n^GPn5>Q4nn#0rTGpW-C~o9Ru8Y3D6Kw^ zg2L?FcZ_JL3RkWnTx%F!VtGDJ`q|BClPr0AdaCI(KlFQ9d&yYi?tAXR5@cPj z(E1{g=*K4`_-xB3`a}JsGhU-)V)Ox#%u9elE0r>LziV9+4k>s@s4GY9e0k1Nu$0ts zkYTIc=w8wctL9U4`+)XsUpu(7h1$Xy%Y^gPJ*pt{ zFnyfS)x&$ayk(woh$}Hp@q!}B22>;rMEI>uWxG>h5}_SGw1LeL**SKzWn@UMYU^EG z@fCbZ$v}a$MZI?1T7Qc@CQ1KbPTSt3csFXu&%7rk>Bz zxNtE9XX0l#zve!5R>{d~+(!EH4b6tP%j|k~cBM0sp1v~dkDzX5=FP+ILsuo-4;-WP z>;#`}i|t_GU)|6(*PmjjTF{SGdA%goUoyeu7wfxNYnZmrA9dGv=Rp;zAupr*WT7Ep zocO`_wtZVSFP}m~h^=dWp3D{Wb}Sx=x=c|{Sod=y%fmc^ZVYl$X*R&TQ5fv>?uHIr zgz3+U?_cbf|GK5bGi9?txy{zn(t>|~2NUqtdTV`Ys*6XzJfDh{KIm6{twq%%U%m(h z8u#>g1RaA$u54zKS(%u)tiR=Ga6VwBd$4kLYdX;elvE10Z{L0N=>5z&CT(qfeH(jt z#~Js4(o&(4)a-1f<`!h#$dI=mQsvgITLRWSv)y?*4nS&AuwxuZ(ksYs06kG=M*(%| zjgSz4Ih-$X9P{y<%Q23_)Kxl-n*+jmF$B-hb^ey|K6exiK)b&>$}I8_2zrKue}xoV z_ugHpUhSogL z%%J@h!r~dPprD{+WtHQJ1Wwyud0UGL+R?o2+&B1c2a?nxq^~U%b7skE+qJAQmSTE_ zKni27i95rX{O$?Oc)>_AuW;GIEg#j;RJ_J_Q}fmEHnoXwIU4OIa~R)x14YkmK@&zIhii`^Yez4hib^t z_J(QZVBY#oF3E-VuDOF+>ikU)O&{vzq%ZQ}ebpmsQ!MD$MZM-qaD^2}_NRBup*CtA z>MrnszGRo;B`>xot8iS{-H<_+q@5Zq3C3I>fd)HJ{Srb25S1tD4GajzN zrlozD3=zDe0>Gh{uZbzXIYMhjUPvnLT~BaYRT_2tl$E?u62jaC z%OjS@SbwfJOPCoTP|K#)aXpV-A5JY^ZcDwbRH3A(^*p4;IkHET#b(Jh&}W+J^<7qL z`--JFC(t(;{C)%I9di-e3@6Hmc}4F26-+^Q{=kv1UmiX(B{dm`rAaO=|ZXKGk`@vT}2sd1uA>`vQw zVnzOXCBPPr*G%rd8(ln?!`1H&Flyor=_>pfPDH*wBHmF(|M~9~(2mxJfI^LRqQ%=^ zU|Rm)%?o&X*p)b92%sYgy`uNCLPAgh+9eCj41n<*#le}C*vV7v4wpzJ44eyyyl_9N zYSip#%lku#LIJFl+=(TNd^tTZ|3ysZ}@F{bKVnKE)^u)cnj#>9g-v!@3`N) zbpP6%3&6A`$0=FtpDgb9%bnmS-`CX|w;yPS6DWWDBR#Uy94&(F+?SJQ+BLor;v)mn zdaDnD=D-l+hbG!zd&sE*M5Q7xw^aV=-)AMtf`AHbWt!<`YuO~(0Nc)M-9WMMbiA*p z=f+{Xjs{Mh(FKGDir*3qO&u zz=lpd8UQ57TpoSqR14%Y6}cQ96Z6#V8W-28XQT1mPyQ_N{A+jcKW-eDqo=G1JeYd@ zdmYce{8qC13}Cd+3uB%7&ED!?eWyO&H3Jqqm1bF3`7`KWKGf21 zdPuGxCER%os6GN7i;sb^TeMc5_E#WYhwYe9|9-Eot}X*8RCgEXivnE3JD?Q?*o524 zL#Bgl;ygScFF9wTR-B%$P+VM$U3(G7`oFaR93#M{kx>3<=h?5;tsH0(61n%j?r%)?i|9BPbxCHtUZDa>&gfgT5CDWLWp_3>6+@_^lB7ud|6!%~PN?r71qx zP-OicSGq*L+mRmN8zy;?=WfKfcU;)Y?R(KuRr-^?)E!D%s#Q2UHM5sAjW1sa8NC5m z?C#D^$BT7EcHD=Lp1WRa$3eFtp$lx*CYf%Mhg<-9eJK2QGn{{NF8t#|-OQi{-+`i< zpORzty>p&rOYgZp-QtxXKqG>b6dp||)2<_C(t^zvM?X!)T?Iy%I!2z8XT-SeC}1F> z&uNhaiIMtB$1KuM>MJabwW+OEBdz1{cypj-SZwv}3OH`<>`pbv|F>b(-}xn22JPon z@v;dz*c8P~U3ktrC{cJZO{C-Gsn3@OwACJhZk*)q){1~_|MdZY!3CHAD6fW19!54x zEr~-wpj+fom2*bEZb^et=CA6%-wV+{rxsS$S+&BQ5}vOT#T?T*E)`_+MR!!RM<#Ab zMd*K2my`RXO+)V{n@OBPa;lHPEJntQov$-zPxq+ z|JH5)ItyU@UO z6Jn1a{4Te5D}hfJP+Cq;O}#LBW-q!F7OH_M4AmNK=|l3_lP50#)6sxxYJ)6O1x3X; z7ilmltVO97^q6)(1QrXL7`PqO%xvQDMyXjEfQz1DVCdtbe8VfTl9-$rhJ&3L6P zJ#yqoJXBqlsP)Kn25`$UDSLLA31O#^>}IU&9e>YpX1A9fmP4fVpd!`?MT5f6c^7Tcv#tW+e{kQW#9pn^{Y1*8`0}ts9(3ZAxfYZ}G zMNCAfa9qAzf3)Wt)TRh^9|;7Zbb)8b0K<$Q&?PYkeGfn|v3#2Y6`m;oveSFy5uiAE zc00m7CCzwF8tj-19k|g{Y+V6rlbQ%L`*n-WUT;u4a0X?5Re%?DYA_ z$;-F7k+3zMB`zhWb8!%iVVWu42?Z|IexKKLvUee9ROGi7cgAsT>wVE;|+@DY3ut7O!u=ev0ASB(~xQ#3}2j#AF2%Nqx~F+QO22CpGz-8 z2Fd||CV3~s0f8-Wyc(^vplP)tzG?wWDbq-%rmAv zw=g}FjY=J<>gR%Nr@4TpR7X)FfhqqfJ)Lq%pH=qY%dw=C~Xagi8@CP$+8!&&W zlw@&`H4h9WrsV5(g@ihc<8C^ou|A!i|6sh<=XeVW^fvDRYadRa!sYH(ga`VC;Xrh} zhd?{kcb87AhX6tCG;}V?oz8^v6EDa6uR-wVHwAzd4XK z?c;(^mpcx7s^&7%G1X*avP!aF8r5xf;uWbb39p9z81QRfADKZ0fu`Ncoj=sfc<3hZ z;NwQhuUD%-wo4~_tQtKZxpP=EQO4tBHaq_BIm56p+540P0YUrMvQIE+7eEu+VgG(ImWvrFC!>hO07 z_SIjHT_|0{Z_G0;WMSTwL;(*wOwNh{-fJ47r>SY?kap`2Ab#m2fe}XoP&8aD*>7h< z0Qk{(>sw^-8o9S`Y~Mx||Zn ze7*c0@9u2xjo)=E?2|TpfLu~eULI{FGqQ2wD4821Cm?J#1KgB3*l5M3jmLnz+fKv6 z*nvbz?w?y)KOP_dqzUwo6Xt-P;`wx~+a}>6*E%nY-})?fsb(rh|06DsfVc0gEdfYv z_9=T#)p!oTG7!N7Ki}ogwERNe;@DjP0gnct8Bgeq&6<^V7h2uD_|?jljjiwiq{80HN9ax?ExRrbl-ngdy5$H0{nML|L8E!V0dRb#eDgzr+H@;m zvg*Phe482etnwAi(ms{<-e3Q;kY@5cCTw`-L$MdhdH{G*SROLeznZ6Aa0>cJ#LCJ_ z05}aEK5XTa_n-xIoWCT_Eg4W9K73f<$(KWv`y>_8E(N#Sx&jXcR#j=Ko?xqAr(_f8 zbqp?)Sag(EEah8fr@bu!j*Kg`f;PfL-#q{LM8(F=(#BppocekqLh;u8adL<5&L;ZyYV=JpX$QD!LV z0?Y@rljWTsV&wU7e~3)O+=nqwrY}Gg^?qKCZpS7Ok~f1k2Wl)@=Esrhxe$?jMWR=TwGcdK72c~R;Nbd^9%`6D7iHS*fg#)gEdfe|$D3f`)E*%)f z-I#vza&&fOZ<%i_Pimh%eEfLq&NgMR1;xegvlx*7s3@)N1*O0cp{-qLF#FVHarBl% zr+V0}x>cZP4rNsjp;xN#vkCCI!j6?@$D{!s2Jhe(YoU@uC#KU zi_ZWkrLh2!%>2`>F1V1gyU@das~-hLFn+;A+#ngfrTM0RSy1pB0avPxAkFjVk1(Ek zbpQS+{ep!Zyu-`*cj-z$r0$(JsO7|`Oq?{iPOv9ToKCBh#94TI+ib0VQy<<>k(`$C zUbF4E0yn37k(ZNGM70il`7VJ8sR+gDoZ*uvX-HL&gE3B7h~DG^(%I4AkU*dVY4yyT z!Y^oR?YTMxZVb@9ZH_hey>{t#NI39!E78JBxXnARI%)v}nXUHvUOc{l*RZ;0`WPvg zv}Y~Ay#*Y<6<1Xj8a2S-NN5wfe_skpPZvQMA)_qdOkg(~lkEn}%k-4ee8qObsr`|R zhZnm{tL>f5ReH}a_cm-k@zX~wY_Wz}P=GwPR6?t{6cLbs_jVH>*pm7}N5g+Q%qanE4}r$Ha4l2fF|QRoy#qxaO2{|&-16j&qp{q+Dkfd+5)KD z?^MTs3Io6l!?Kk}-QC@0VDWVWNio4r z{;OA;cq=;wFuLTU{SqVhr7W%v1L~;)d)u{k{y^`w<7ZN)2FUnF_SVv6Wo2&tBTMa# zj8WO9_h8b<0eL_rrx5ftH7DGMmkK*;QNXF-E;wfaNonBdD*h10&_z;c_56J>)IU}l z5BafB@*(VR_rAVK#HOcn%#I)tp6p-aLq>wdy;ielwlC1(S9scQaB*{AmXtIA06hRB z;9EP+FykhU+OfQ)s~b0c;%7OqA42V4d+2%s^hL#+UavyVQD63a2w3A6KBd~{A>5TA z`U}~#OvNJR&1YtN^Ds`VPXP24X$X9gpS_#v%M(Pvz?qclGjb4sa^nHwNrK2K#RYUcl@|0|Nn&KAHM(- zJjbnBQ`W|mIyU9HA{sHhh)Z9cq=w%X=`251R&5HG-#`pwC9t1)D~6u<&SE_cK+X8( z&5;$Aevs$^;^}2@&^v^`Xs}#KbB25dhV%ph4S8zZZGIE^yAX{44`Qweaj&IGKne z_Vp!F)4l)ZFUuPj7gy{&**s-?oBjB{?QTR#D@?}tO>l6MD$WB6_AhubkeNkv$m|Xs zrE*l`1KxKIwd|NAjW^;yULU7UZMDVtQ1Hm}exMRDh@J*fPmy@R>UC(SFxBqeyLVg7 zx7jU}Quu7Hj{+~zA>WxXu*3vFveZS<*89hKhTl5=;|u@htvYFWj}?EjvF@G6A)n$Y z)tqcTk|q6Yg1AB9ITyr>13_K|E+QQD87*yRWq1rttHlxqeGJh&cF}-887Jjk-rluX-~~lV+<5GaA1_rmr;#{P^kG&UUgtb!6Cf-vZU{Fqp7z1NFjs z&oEBl9#$0xB0v={a2T!vNzGkCi33g=VXUbcb>QH^!4}PbY_8v_6#nyX#RFxP8gCwb z`xz$dsrA}teM7~$?Zv^G>JV11xYfICJi&dyJbc4D9T?GwL*_V~ZoH1@FAF-_agOs6 zCE2DN*hu)*lsgpASp1>q;o*^YbTC8Ztal%S>JH$P*KIHYOhAsZOAqCffuR&QKqkQYa5J_r2j|-p>cdkL z6HUN)J26kf7Ac1D_dSdP&=p{qWi1}UD0sWvet1r>@`1$6#w)PiD22x85lQ!{&&pfu zpajN8=m=cJTN5OR_>>MNuQ)xtLcbT-=DZTJxA~tehRr)P`X%?AHvTiefyo;jX z1^6U8mM=1BR+)xY?#R3jk8P23@Kcz*yy zBDSghIWyG$U3}*qd(^s#=gg*G(+5%XRT(rvYh$de<123@+q(zb?Imd2d6#i*YaU>4 zbEn%M4UnGLmPUPG)Kn_k%YPR{!5*V>uJOjO*ashO>jq21(Cgo65r$|FXqzxb37j>< zne<63Kq|$qVm9_OCSTW-AFzC|g*J+mD?m)CZ1x#VpVepz&5^keAgt!8-?6h?5Ptmf zO0GO;-VFJyv;ni%xrVeB>!B=l_Q7sk?A)-3?aPt*mmdRCSSsG*Sg^vJ+M^p4l- zurPNUvVo-vfE@cSAjw8mV}Z;Q0SDQ_L5bk4_A~4dTP6$o15&%7c>vavQ{aa8j?zn) zqr>fjiydMyg0lB_hgE-5J?e);YUU9@Ti_jUGWqRy;NJ+oCqb5GeD7P0<~zm6MsOeg zYVa;Ha$IB!)QYYAw_;;rn!7Vp%=a30_=J-1gamG;(z75{bVKh=BR;=4oJL^!BWs^` z@+U`B!*G>L7K^0EeXyomdzrZ0r<2^@_zocQ^IMNnR<^ z6JlI}BWVn<1gcOKQc{;+7s@Aiv^=Ax9YS3%2=E2E*Aa<{wm}qDAl?A7JF126Kwp%e zFwL`>;XoHxg4(hx7zCXQpUv5cM=xfBt=~pczrc$A%l$n1F{RBftV%x5hWO1*d-} z?kb+N^8292m{OM7L~&7ID_2-&4+9vWIq=na_~5} zLK*FV=1lW6%#SbGxUXCsFU`Pba1}UBl*HF0%WTeE+G~DC#cbXXUHjm&3C01l6=9eZ z&Z^Y1&%-^PT&NI;Az0YMI~lP?5oI=*H|U~ONnYJz1u)X1uL!?mbBuG7rAZM^HC#a> z?8RXBjl`{;@2Ed%Q&a9dTwqZ3F#qGeq{u+6WF^pcD-k7|o59n6sxL7dqgy5iw~Jn@ z?e0luho!ad-rP|kzR)~RE%z?sD)N=k197gk60)x%Q4+q@yTUU)J3FkqAj#~;)32!T zj!V^x4*BvAC7RjDdQYD8gJlotQCFd8!cz9ZE zE1-{GZ0;fe5n;-UG3%%HJN7`0R9qan$8r;oi0C3Xg<}ii#I6Ud-&XiV?jn zYSB2?Fb}ej;IOc;3E%-(?KEhV9WO|^?-Km>ErX1V43woMp*Cs2h;;bSp>WVZKYZ+1 zpFGvK?(TV-lj0Iackr0^Hh`y~wz;uLBK1B$`R&^`LLk2E<-2$d&;|Q~!x{I~0GLm_ zWN0~Rp=YOex+n*haE1LQ^A9<9X}15Sy&V0W3!A*vD-0|?pxHh(17wT<1IdhUFz+a% zfWq#GQh^5UTY6@u9z;V8Y}luR-~_oWAu(v6O;10ELAX00RbNiz9Ta<1olDHxBopC& z#0>Eqh<>?k7X_BH3)0fw<5Hrc6`x#OGnt%*e(T2n_tLL(XAfh;Ih}u*Y6p9G-#1%X zS;I@9van9ksms&yAEXe`@SsWIp#-*{-mEj3T3oIcb|eGb`U-Kn2B(|`5ZfLEc;5zb z>D1uCFnv#rnZGL=_bIMY^wOdgMGeWpm17UT^*@x=MB;= zB--ncEI2kUU%%ct!v}n(torKyXbr$Ry#$~cpXK*IrSCso(!WkwZk}0ms|=(+biT9j z0BHAq85|U5w-VL{M;Aie_sSmf^1oL#7McENH2M+E<^b1$0|y=n)1N)7&ztuWG^>_Y zRw9A(3)B!)wu(sG;3EVHkHr+b5>!50e0X9a5BPq+PflhW+}_i7us5a`cpn>U;m#WR z!yEkOLxO&72~-_6aLM2Q!hJ0*b4|}5+q-*>BggY8&(`Oo!Dvdw+B)~<=37PTWq?Xn zoTom(G#(ul)da#L>)L~T0SAwX%1}AE;Qe!CW{@}adACi zJqT=E!CgO1&z1dbUrTc{3q_9;583A@v7{ygAZSB=5&fb!^hV*HT>$6{k#7si#WY#>n`~8^S}FtKds$=@dA~p z;C!|Bc=-O*kBk0a{Nca3AY>_fQb5~Df=@&K-AnxU-f1)t^hT@3luhpby&vGGt0t%e zNWz+X`}-UJyLZl?`N)aI=|Ikx*M6+{{&k@Hw{Bgj%pL#|CuaJ$tl*#S*MEK;_E%+V zVa&;AGGF|YC;jKsfBRqmajf}GhcNy<5$#X!=KpP?-`xWLw~2oD&i&se`pw`0PNGG7 zKaHpVG|Kto56FE;OV@CXk{*36AC!?_*$;Uxcxu1M{#&0u0hSp%Quxv(Lp4kI+xuHv z+Zlel9EZbRT|aKI(m;wxNHFEgyK8Gu6T&RhmD~2Hsl7SkrA(_R!(ct7^6=SL748I> zK`ft9Ki^a<$NvOAp{ET_pcs<5>yK@Z|L93rD(<8Ic>2s4vxTCMAMfYp=C)1-aE46_6c{6a-QQj9#w+xd9WTw8SrMaD5B(H09yxt@~=Q^;Zn`HezXfp%| z?%hAZwH}wzUmh{8Ec@8m*+B;X4rKU(W_MT(ot=x%See{vKSMu*LHqeFt*(|1N=Zu_ zfdra!50Zhubm`J%5s|*!wz!u7tdNtP?U>08J>f_jpoT5;t%vPqcT7%nnF9VSWX*nN+AWmkU)RbtD}=e9sDo)qc% zpDeKxmg*p#D$6RVH~96-)ZVS_=ukh7(YWBMW13xv=A*hr3of<&+(~rik6!^XW8M z3un*uKW6_R@90q(f>>iRE$YQpjp!xSC`)XuTvC5O7#$n?m5ghPymT!n1BjM6;7Xm4 zRU_Fxl(w_Q)|1XltBaipr#jfKs&5fIO@)cS{C@xRIRD`nrQUma(e|~8KmK#}@L&FQ zQ;-_ekQ~=?#$@vXU3+fEjQN7$it~K`jcWin1#ntRBvSN!-u`@`^XC@S+}`fSmCw(| zrxxNbTNZj`Deb(!zxN?qy^peK-dA2(vbRtrh*UMECnnbCzA;HfO7ilpO-^)0e1Xr*M~dItebni zfupGhHwi;k8h)ZoKt?7Vj7k8liVuXX+a()D4PiSY)37|kHnnQ^I17G!fEECtzoH>57kyi+Po{GXk>&^ zOUu{!Y@atiuel87fZDfjt-7mEAt0JN=8YHR#iG@ZUMf}9{yWQ-HF)u}a`9?!(=Q%m=9AC4! zYSuCG1qy{;2E920&}HPybChwZ&jD`qp>~lPEnxFKy_s_4C=U;htF?r98PebQemF;> z%iAxUm+vYmRGP6$U1?mKe@DffL^&obAg$&_$I5jBO1YcNFz;d6qOCkoByXLY$I6y? z#Ev#Jqz9v8jZwL!9b-fs$_P#rbV_^CSl`r@gfJswAyeW(&y)1V3Jmev?W~s{fQIs; zibCvj;Mh$3a#*a~9nONSsb84lI>C3fw4{nph^sl@+sfrA9@}dm!Zn$Z@h~dEhNpVf zFp1WIogLbGiXfS)%E={F5TZq zp4l6htxUX!ft{g%#zV8+O;Xxt(tLESTGAK(Mc3=`egMj+S~gh1%XhUCRmU$t$!T7< zfuDr%X+CJApblV3WE!Dm~QdZF`RA9Y?~Wb!{}q|Z)|Q9 z^xUHrCg*(PkJzD#Fq>3wG3(8p+?=j(nZ6z;?Gocke0QF?Z<|LYmM6;kAk2p3&gduO zhmfYn%E$Kj&T%*RXu?Xz8&?Z&VTA>ko?R2LT)Z#ly6C@E^E87+@*^B&5|3=xNA#to zAs&UA`W(|VjV&C`@5^}!4izuIk=}vYuQZS?6w23&_-souC~!{ln%}mC)h%D-2l5;= z<|v!Ef!FHHwNIZeIDc2DUO@WHUi{i(Gt^O5ep9CWAf{)0mf^I%MAVvka%m|RPndV1 zY578%H3JLYJ9AZ;`^0NTc&Aef;~soyyxU=f1g3UI`dXJH${nJC|BA8~)~TfsG8cnM z*sS>Wwe_?YJIV9Cqg0eEYS! z%!Xrf@m9hJ&kya<9|G$?eW-f&KRUym_FUL^@n(P*vP@nl6}dO&(sOBCgmd zh9r!URLlq6UD9)FT4(Lzv0WO7qPxTCAKp~IZtJ3RRAq$`ezkk&X%E1TL~-%+SKvOi z>1$<&ADQ9iF4;L|v)8e0jf{-UXu5Ku#UMuuVB$+_AH=R@N+qmSY&KXODMt0}3d6Cv#HHJ3dmW9m) z3(l_)bxA(y9f&+q(_?5(T_*A}vBt)IaHKA<8KN$o3g`aHAMVcPrDX3nhWpNZ;&HEW zXvum(g?Zbw@uRXqzI$k*5u<=zF5>|Ugb{V!_Evo?WJ+*n6L0ox&HCPh)ByfrXMIx< zr)nY`m(0ucNIlxY*hg7p_v6R*^6kb%P93Q&KQF|Q+dg9r3Ha3qbjNFUliB($9VSJ0 zH!DDR>>uGOA-vmIY4t~ESr}e%-zA&B?(|LWXQ2Olll+fNp+|mjn*j(Z&XVwq}Jjp z!=3d*uR0?a=5{N;k;*MMyq1=iPtl{Yp4IQCdfr;66<`5a&1XHwWE|o#{(7FWz&c^2 z&xQ~6+hU;)o|EZ$2Rky=j&Bj}mipsH~mg{{71)7Ql0$AzL?*7ZP z*EfZxpxEdL>pCXb%1OgNCo6=-^>1^GLJ9eX%#k~jE7wflUx&(y54SEnqy|36qQhj zxYx5~8;nR~H#KULO3vW6p|b5IzV{~9JdhEUmPR!!ZX!1IM^-wduhCBV+4b7<9L313 z`a*Z*u@G!sjaw+B0kP>LMOv?0{w6??ao~klY}H6^kf0UKyCWXBxs~jOhbumW=(Cd` zCl(AWTp3ZO^@YwaS(rC{Jb7$d!@z(eOlI>A@4N#fiD30-=g_Zq!4Ln(#63FDPd9@@ z9jK-|$8~zaGylPu@7$qrn$Vb0M~Y}+wcg|IbY*8Ek~{~;!_gzXb%JcaC|_j{(%%o@ zDmD0TAst&Zwk^#2wSrW*SR{c3kie5+m!5h`)ECV1ssw}VD^i&?t3!}rmjs1E} zDq-Z!zuC9^ZNf`O0s#U^n zw5Ja`L`q)@)VF`4h5p{*7d3Xa&Gp<~wwo@FKB%T}_=JyUpg1?Yh8{d9c5}o}67_ zqo9zkpx8?j(uXN3=m_HuyR%)m*^x(lWmgFk_azCg9{2OTXOCWqbrWlND`8wsR?1!x zE1J)5fNteXPgJ1cbmnCS7W!n;N;KwaN6w0;<~C5X-k78kuy!TXb=y{Gxg>43a|*bw zH+fBekj6g`bPd71ET{Q>xS%Ya)}vyFZ@|>%@cR0}=26{>H$hoCAKY{`3@_uQeUz8G zHJHnixW&C~L?eEkd0O)BGY($N>+XIy+no{2FnZdYzDWmQ=Q!1qqb}WfDdEGd_f`(F)X|X1f*{~I4-L}Tzg~uI0c0~ z!tyXf58>PAODapZ#qo_56$t>JY7UNza>kefb#_J(mq6RZ-6WJPQHD$De)K5w2nnc5Z$YyAia_z(Vsaao9q0cyk+}WArY2 zePN2F(U3yBwCu$4`Keo}#sd?tImx^g4-PTii)E8V=t}HSElKb18v?}o*!0Y5?2uR2 z{D9XXSXX#<(n0#dtT#vc^tT5r8n{-V9UV4p)wv$lxGZmLll0tdd}-;&`}RIlR8 zv%+Aok-{B~2ijK>(7U&MJqVDJHX}vD5*_I+3zyz3_3gHNVCQQHuP~HwZ<=CC<3Ff0WHMX9tF3X$zraq;FUHSk>gZxwx z?eDC<@y8SnKbf<|=LQ-hNf8VO21}QY+he(iyR*tVsxO^>2)%#(VM_D?B@LU)Gv)nl z1K$cy?uNI!xf@17<=%2Sgx8dwSt6dfa#E^2!hSpGjoaA}+fCtH$0GPh>zj}eAq4EE)8~8*C-s0lHt3hc z_eXAfPk##H*dD!ALTGwxrYlU=;5Bo|zE`txrDQn!9)idw=&Je>)rQ)wU>JnQl2%aB z-o{YH&!*PTefc^YviV2VL-nH~x%r2^5;T*K1PxU^$(XRhbiZIO#JDq?Ojm1h)2PO$ z!*zDA@n3tVvrse0l`a68R+I9%eqBiOI7LtbmYXeG7mDM(o`6_efQpa8(>_}#4df(g zy215$5$0uLgBQMK-nDd%sv3I#<_N}{luY5k_up_SF~o{h-;wCZ^|0EfYY}>m&l^)H zh{?k%Awy23zLa6w=SMxDt2S`E9=7ADm1CIaj@n9NI1j0AJE#A0J2VmUdX*VkxJ6v> zCe_NACQVXSjYqPmWddhZz5DWuD(!i_%M6CWM&e|nM5br4#`g4_@w8iGIXybd$@UKF z?cRceZ3ee)r>(g}be2?9jTEPS-sS<`q6khQu~GGxox{#`(axF)VMZ};c=VS))U4dH zyPAGvQ^I}qkuGwMv*lW4dZFA9s%!ruPw>gbEa`*gcpgfX4N?b&n(7(xAYI;AuOqjb zo7cE5$$5?$cQk<%M(OF(z^e8Kd%Gn*66}^F48_kA!9ncLWM2-1*i2A}Q(qI+Q4Ge$ zK$DKBgZ5NP_FY~js`WZ;6e~tR1T>`MSKela%e165Y%Z^;Pn5vV-c?W_px-T^$iAM7 z0p2`_-kfPm8D@Bub0%X{jqPk$L~`<#iV-7(A(`zkr2GM0Wad3l!1){G@$*^KnOZLT zkmEIqLpUHasm0eSHd(FQoNv`5UhgX|Lln{-b^9cAZvStCvh*I*me7;y3-unH7f3~O z9F@T>unDf&M_=CcRB-dzeV1-;$V<^~jfKg0-17ArzcwIFloBhpdN~Z54iAQ}va+!7 zBq!4ucl%=7Lgq5(r_Pk2{r&x?j;7*P&zw1vjuy2!Z)Xa*H`kl^{f+5E%JHK|UBBKC zo_^HN@be`*YS-%1jtIOtxu8?{GCLz9m?_rasfq>A2i8h?%<27L}s)mpoxy62U4dR13Hn;Aq z7oJ z?y&>Co!X)7kFqU}GG)qB?=D5a;;ighPo8z?Gt_!L*Hy>T+=#;g;$Ks9U)=#RP$Mv} zuYU>yB~8`Lj&VXuOtca&kK@d$m6t}eTc|Hc_<40;MG%sU{!2>E6UNRgX%(&^_2|~q zjA@%W-v?WXv!q*0>m6?nVwyQzmEb+_Gr!8d0Zxk$9v`a`*{4b0|3Y z%{;u+(hk2eJ~uvq2c8b@$puM(UEKct|4xLe* zo7-NUAB9XaTDyzck>}tk&(e%yXxY)i4dT1AMd-h{lZV~$gO5fOhLsVANh97w;YPh0 zkD~cueTgj4<7#P*6C^VVX55npKleX-YQV3pq0PTk!-v0LL=OImLhX0b(yGa&j z7neO0>eELddReIB4{^}!G*r+-oQW>Y?kqRUR#u+kqr}a^FNac{I+LbE7?jQlbtVQJ zxjneLeSE68gq}Uv9}bh=YFc=D$Bjd!YHd4?m=pBM760wdF&o^60q(hY<(-@bd0p#L z;uY?eW(8_Q&Z&W$@)2SG&;pP$>Zy#G{4!QIm4?MoR}Ar};GkjnPE99O^Oi6fENiwb zrPck-n{LcYhy*K(RRu7je*XFMoNd`;qax_w^S>t~>%E#y;zyqE%JL1oY=z6=kKZoO zuF{RMVcX5y7>%iSK=RUK%M?%M6mRIi*-Y@?95y+y$$0xV0`9QF_Qf30u2H|v=xDt2qTn{N*h~%0%+d`UKT$iki>-xe zkaQG>J)}$S4VTH>mueGxCtw%j*kfWZZN-?3OXlV8AxEj9KH`d^`E0}Rnm;$s$^YKbT4d$Lflhk&a! zl;bZW!#l$Zpp=pgAt6Ug)as?Et1WR|jF&li+p@*CN2+Y>Dr1UnZ3a-?E^GHTQG5FW zwz;G6azzY?s&_od>12EI1WdkYXqmP_Waihx)+yGM64|vFT}WEa3zM<0#ml1z5_^47 zFfkDSAVE|;({$6LX(6V5W8*1;oD)>~o{lg34EDupwB;>xFs!gX+l$@UT`y{!6eXex zh!3E#-tE+<%}H6XIKgw!diqmtTp>b4h0OfzIUASZIHMxEbwN2jz)N6H(?rbMksiZh ziX}eccAm$BSx2j(o^(i~ZTb_P$Ds@}qATB9Rv}5^FPjlAsBj;`*nOac5D|*^i&2#E z<>!*@8tCquZtQIY1ZX})knhDyhP&j5C35OH-h5(zmu4P{tCr|~T#83ND75GKjRI{f z&$;7$#a1F`wO+wKJj~oq7TUivPfguU*%V|H^-V)nZ6ZblJCNy8*Yg#Qu}Yp#5G{zE zR5|><(Y`i z3F4L@bFV=Uo#>po_ocF~!V&f4d}fjC4jlwzx5$wCu%(4q%#pf15s|qU6o9<56kT|P zJJbW%2U3SRM@&?cB?s&)je)2z0L8yg$WC~#=?^zZ~Ubx{s6^6CQb2{vX^wdA(@&XKV9z*2JxT0KF}rAMd*mH5l9P*L2tDY38H$8+sHJ z_G$q3x%rh5pASV>VLJq?5;eurj<+O>{&nUT1ox%hUg3g<$$R~YaJX?^TNaWyW8AT= z`ZhE35$o-&&ijng-wmoLsDl&V_|X_+3lhPhx3No3AI7f3-mzrbmkNz(wA*mV9)WJ^ z6-E?|Uugyja2Kmqwvl}Op(Cz6@S6OgF0MQ`865Wd)0PI34W{YY2JVr_Y=A%2sg4-D zeWjLBg47)p#VMn;@)g=t_d?O{gR$C9E!y|>+0Mu8_x+UWHmw!m{VN(r!zB}Qp|nkfn~$;+Mt7kRN@@kb@m~!4KJ!z)}p)ayXBE5i-h@ZDwo?1 zJXxbXb}S~Zu==jJmFV@{G`V$K6##zbxN)P)R(r(==+w-QAoW9-W4%ao89`KDo}RPY zx5L;9h>iV9!G=7Do=vX?8L#;^3`XcVj!IgQ_bz)zo&y(jZ)-~{3g$g=tOh*VLYKvw|O>i3J<*!{%)S9L1TnM z>l0>%r-hEU%oEn2Pv5MueovRMk4(naDesq)%fGD^;P*W1UQD}Q(Q&}PF zrWfCPK=2rAv0k~s)z+`?!e1RiUXz@14L664)hQZM-L9HHjuy?G@(yQkdwPam(*ws0 zpAEh?Sl+S~yK9>Noi)JiT8i%i&VyhsfG^IQSmuUD_g8wX;HVq+DgJ-7y>(nw?Yb^3 zC8czTw2G8~fOLa^gmiazNq2`d(ny1JN_TgIbW9o~Cf$=c`3C!(^E>CP<$Cvf_Fmtg zG-Eu^c*cES_Z4EI2b6a8AlHN+B>ZL{nzx%D;f%=PGnd@lfU65m(v1SLj?1|Mm_Ce5 z*+*6r=mFK+9KVs}Cue3BU^-lJ1#CT#c@0g*Fj_zKuRhQTFs3opgS?|J$YXx+k&Mh) z-23_py8V{*nS@2*zj6@pUbRT4CkU2qmdk1CXE!hGUUD7+WpaEl*JS@!Jl8+m{{MSU z=~su#={2XaH0sCKtk%IaaQF1H;f=raK`M}t+B^h+6wE3I$6nN0rR~&AY4lWX3$a;9 zFm(c3U7u$$$S$oJ||3)Aj^4**c?_CGtUCKX4zChBydi?Ib17%JLI6U+VNKJQ#s zoRUCCo13{IlYkUI1*-HZ%lJ{2LBeb1b)Kl9lI;T^ud~g?zy`fOVtC{-Cm~yMj25%! zzSC`6rh6i{GXKLLxwSTxrayux*F}*dG}CETy$Vn!8dh^31AnQ6HHka@@I%8!GN9tm zAD?^S4N%kpk*TDiywCWg%?rQ-rF_|bm|^F$7GQ%C2Z-s_E)C)Sxp6R)g2O-AJwC3G z&2D=_Jp6>+)PI%R<;V&jD?TM;q>-1Dm6;EJY4SqDUJQ^1YJEyxEBe61EG-PYgZgX9%2iK(&}9 zKf$?)uMLPXvVbu8raEvWAm}J30Q@T6hbU1xUWK9UIMjJUw+nJ~iZ8fIGNm)Qr1GUx zi;&xj*e|&}ZkS{Twd=JD2v*t}_FWAOHn%>9frdK;` z+HVP+1F-v}cvhG5+2~R^$_XzOs9wEN$k+WKmH)Z@Bc{`bE1&+AcB^l`?Wl9QwAtD+ z$O6O=hn-fb3PgBVnqSU;SyyZGR_`H-kR$cYFY`3t?MU}TO?L}8`$SQs8&aKiB_HL? zChYy+b!>O`IvQb02}u%PY!YF`@0eydlsOKGtc^vH61!{Ny#PcSqZ>MH)CPzT-44p? zFXr}VO2A_k0CQ@H!N&a%C@L3ZS4#0oz3z4@fM|K{XVXi7Y_4z)a09wbLL>Yj3D{i7 z&&(CQ7w~vAPcos%))0_u&YqPA>?55x3B{KRomEMH`NAQLtQ2PT^oA2YcGv)YNZv0v zSjvlIP}4@7^bfm?!Eb76@wjyw7Lg_30jcx!6#-QLt&A$xK*T9q()rohkEvH$!&*YU zU__R8WJlPu;0rEC=bT0&B9&G3zRTldyI*US?;W&({@0X2}gI$Q-w)lCV;!?j$#dBZl5w)XlGtlKIHU!?%`r}eB`-CQEY;f0>7(E-Ll>2yW3SCnDx<2f4^#1 z7x=-OnMeM=p}0)LvO8iVqJEka4nc`0*jY@M*4zD5a^*j=S#?`de^EDIEgn`-AN_{u zUMb9hWz@Uh#b)B*@!gCgCLJGpPjb87h&*y>tt>C}1vpnMXOEQUwe|F}T-BG~nX6-B zViL-Rrz!!dDT>E1@B35n<^vw!%%~$5@Ln!mDlsxPmH;vq+vr9%f~A()#J{_CSCm8z zCg*;i1E@3B1*Wxt366?9(;wveYfY~1e=x?)fx}s2Tq51D?(QW9Fk&A2iNSGQ&xJyw;tn=)A0MyO(>Yyw2Qu%P zv8&dQ=lE=G@>5q}*5b0e@~hOi#J6HJIt8B&j$^E;!&s@(4cw zpHWcANlNZx#*A>M(DLC}kS|VGtCBl-3=a*+@2WGh7r~A+D~4mTYu5`bY{0D_u3XC- z_BC$xJ6pIzynZpbq*!k+B6Pn)P-A$QRXL$zL32kWXR{Xo_$rjWi==x;Rdyslf( zu;Su)-A&SbJn(HJ&&#HyX1qdPY^>>{e^(l2KWm*s$aO?O$cTBMb0`6RU9v6qooRVZ z(YuE=1lBbs09_?waSF47>1Qifg!_23d$&dOt(2$|E7yD59vqC8ec_(pnife{`ULbB znciivtLq19S%KS6t>P&e-pg77?jxMw>xPOeNXxQSvlem~`u)a+!Qj{!dlFa~7^KKpz-a@%D*%;m zCm-G+(^c}w3#!a#G$aM_KJGJxF(PwV$BJmyNrFOgaemcTym|KW&C1J7D&O&=<2 zkKOopHhaCzwB)hP7} zc#aA)#mD&{$ZuiIZdG5pHTLENj zy6&wMWHv$~E`p<>gpXLUI;#qrphL_KVit7kDo4l;keFfM`V1!z9 z{m!Lvu`TaPBz8!6elQ^i23sENgR)wjK+QQi;G$*M%}Btr*Mw~w@Y$B<&@Z{R2k$IB zvLs4YVk|2Py~X79J#-c$6B0QBh!6HX>YpRMqoKjNv{&-<@)B)DLq{iWkzbyCaamj6 z!z?N)y2sHnSFbz!2OSv$)!OkfQz9l?7t1?53QTK zR2DF(`7(x@~5MFRi9Ld4izR=6>YXc$qn# z+Fh6>a>){gCS+CQ+m5T@x;8ki6v~UgzgNNc!?^2mj;MKdHTr0=42kfn-lAGN+4cOh z`%Sua^Ur0|8#{TX;T(8kA5Vum<2b2<{U-JETSAtd{gR6>GqsN`(+t1oJ#-)Oz6hh5 z{HARAe4pOL&Zr_=}f>fJlDb5db;&Ltc`uh(cPIdwH$!hfIi0Tz;>4OK^F9a({C%4G9c% zjMcPhUOKFx8|0~zm|B?4d|iS;fS#S5ZhSW)b&(`mt*#8``*7bMw^P-us^!FskH4*v zoLM1~S`WI<#54E#RrT&ML-KJNaNZX&mkNa(T_zc~J6Wm@KUOyEwPq`GbFzIA zJi0y$OW*E@*IxU;(p#1PJ1#Gg1SeJ(1XdG_hzjhmH!}%NwtW|;nDOVwURtl*r=Qmz z@VSRcyPafC)vjhae~GyKtgsSeO>~r0ymE27UsADO0pyPXewbUhw`apl#-091?h~1< zKke=9OTPoM-Lk}VZ8;8a;zwWev%P{$ZqLyaR&kIw#M%oAxXnh6YF&YF`lpo$lSuIp z{;+W)u?hiO!6nGadUsBni2a3c2w=MZXdnzbL1{)vvjEh`A5=?1q~gu|G~%zQv*7o2 znzq>odF^}Fx1?$Xa~}t#F3@1x_5==}bKiJQ*ZGhpjHH(H@|NpwSKFAh zV9-MP1b;opZ7GRt+jcpe5pJR=mFK(75}7Q|I?BB zhtGX~xArYQUMcR|x5+KI`AR3mN5%QE+4fL^%(30?Z5PRC{Y~(dD#tdS5n0@_VMy=N zoGf?$ReZ--EeE-3V$x6;2kdQQKjzZP>`bI$zVtUZgr~o|cXoFV;9Rb*ChKi=Q~14_ z+KO{>gaKoZi%5YwXb1)=9RLPdR@w>*`Yr>0yE{9>i41XNn)Um`85tR82f7c7S_O+U z?&5jC&5?wf2Xyk>`05HUd2{(BCl}Ku zsf|orOUy#7spTYHzv7(wXn4`A+FvA$OPcWYE6N^VGJOOvEf@i##i*vKf3*310$=v- zKjifCLHlwt=r=bvU#sL-&uNJ9r%Z`=9Gf_5^U+>lMh(n#4Tjacr*>f=Tf7eZ3B8ky zb{NC91uxP}?|1-eE`Z|JQACUEy#J;(7~@+5U|%Q>VT7&qeZG8(%*|%@ny1JR7|jB3 zqDxX`xwdG~iLu4%ucDZ?JK<-~C`9spet3x7#e(BHUPfDm=NFlin(SpsTck@by$ZFPdk44>kfo%pTCScH z*-6OqyhX-1{ME1E7XU8%uKSH0|^`7P3^7Zi87TBKU z{G+982=os}&fgOg2_h4o9If@ch>?TJMKdL&r|eEoE1oA+_sDTjyM#sk(oF;xAAt{; za&6t^65H=oX~#yZw83Y_P609U_xJY^7S$jTzyKb6(0uC-kkU;AmLviHj5J<1g;%dF z126%6lV)&nGzMtx>$ItWlmN!YEu3m?umgZF-JQXK#a10^Qhk&|!^3f%HqQXFqzmJv zhet#2NA#Yf0HC78Qb}1gbJmuQRiF{`e(AakexphnhxVR?z4R)-yt4AWykA%<`wZyB zm`jL>iK+2!zod6=PSuv*`<@fdCsFX9Wn~=Y_|=4Nm;1hd`cOOd9p!9{~Smr0i|6CcyVLTX~z zFD+z%l`apuBefmFvZ*aAiQYA{2y21NT1N8s0p9xRO|IE6i;F%+kRTFUxf-aZy}8kq z?pes+n@j&;R&DAFjH*d*-Xv}94kT8960zGGWIv*NT1uZ{?!EhoFrMHgFlswu@_9cM z@bIuHfQL1?95VvB*UU@b6&3&oxI#gG<$EZUik4OabGMqr5^#Te42c=e=e`8gIzx|4 z4rl!DF53yJLx7>mW4^D6F552P1-z`KvhGdHVe=tru0q%L>3xyd%r#*78(;eF;H1Z4 zoKN)~0x~8UuUXV&vLxVrYzz!lHum;tfwuf?jOX|hz`5WGq>qvyU5%j>x$r9V>yIQZ z2%*%-;HdR+Div$U+^+}79G7DM68i!i@4HRLVkTA7VBRf7As6efqb09SYw~TzoG}oA z(mFxQ3ml0t%e{IZvI-jo{8r)p7eJEL7(2Jq>?a6v5`lzEeAceV5wH5i$dT#reH?i5^3+#rTo#Oz_BtH_Hcyp7FB&k#GQVI1 ztWRq<%W;4m>a_#}6AT8T;(n}!+}wNuI4dyFLR|7 zuYvJ@rNy7-1png=mIX!YNpngJbOJ9PBAm>%%htg(g{qN_pFH+81_m478L)A1iX(+O zbgL34^B^)&Ddw2P8~1iZfA_}x;rmFHJ6_Y$7QKD_IyaY0H-xJk zI7RpSbNn~HEAqCsP;pkJI)+6h!~pKZAZ5B?$-FmAnk-k=acQ~8sjQxH_0OL@iw80j zBmoyeSNDvubgeq86rxvi|Er3?#P`1*qObVSAb`K)0=Sxozg(>4E=9m!=Le9h2(ZogLMVgFIrI6w z?!Gqh1Miyy=>p(rebh6D6EGB4M?L+&M}0uI3urCZ*7Uq^_8+`V!jE}7n0Jbsg{p?( zXm}A}VK`2>Ucg-CM_yhi8mgnRe1AzFBMpt6#V25b4R}HwgjYo4+6@y=#qbp`u;r>;c=^T=lHsa^U?qbGw4bxDv~lXQBs&W`T1f%yrdRO zKH8`QJLmW$hLofvP&2%aQsHRUCbc!(`5k6R$G~7cX=uTYhVZxU;hzrd|NL_kUGNzU zy!_pN;GF#PGX3Yj?q6~$?8F{(H^tISF#Z5$|Bn;l-*L0C1hXDPye!T2`~Dkk$$vUP z2Uef+^J?VU-JCxn* z5l9J6&4hpZ&tLkt{^bd5U>_c!n0_<-H{Yp$+!AIEkEROuc<=w)yXvohfnOBG+6p#? z|9^Ttes$O=5fZVChQ|{w8Mo&U1y>`*0Ng#69d^_RKJnsVsjUHyXvxn`$^lCgaBwcT zDCCZzfmf-8vh+@%O$GJXr8PVct-Bi6yQiNd7HuSSPc;Idd%$W%A$>oC^q-oQ{_pbJ zP8@D^>?aP-_VwL#RsCpO%Zk+Um+vE}e|;tY`>TH3z*}X8GW%avL%=if^7VW7ix+@V zUJ`&-03npthV0hPtAT+!IDo(bn2^M#wX`m5GCzT5V88;=%DoZ^xL6?>9QZbMHk1f5 z4v$_v58I{6vJ~(V5GUjXPs1$ehN%oD-nH5;42s0Iojot8%Z-DeUqnX7p2R%y${7q{ z{gKr$0;OIFByvX%mKdkcB*c`pr5%=V0;B-oK59+{Zp`F2Ioc1m$SRVjr(16i(?4Sg z3Zj14xt86{8r#_1&h5re!k3a){}%dtdyi_pbA88NMn6hPrT$@cdc(p=aY0kFKxck?TXGdIW)24Yj#R_#~pbeJg zI!>~r&uu|Z6+ozye7(PZDN5F4s`fiX)lXz-xTwiu%7#XMjbqH7+=+@dC9iPs+~-dH zU{|%!Uw5`S8>FDEXuWh;H{9BM_3b^_C5Em!8l2cQC0w6Qk8Anex1zox@M-XO;>-~N zTDHZ92pk-&S1^9qoq?Ni&=x)i37U=7ut%Aos8F!uk&B<}ZOEs2-@&TwJ!}PSdHBCi zZLwhjJkypkU%mYo#s3(ZtA~e_oSd~;>|*}^u=`0{(cPppoXWW~8KpsK%?DHKZL5KWNTB!iP<@rb5@k}<>S90;X3PAuYo4E12t_ml zjuvPs2LiFl5`fA&mVoDylB@Alu>fHzZ4oYgQF^VSUOKkg;PoX`;9}oXy>44Cbu^F4 zg@gkAX{T zj!d6$Ev`E{uWqE&_BbE!bI(m=ee`Dd@s)d7iLa6qb9{G`-Bl*XFPouS3-fsnglWuG}eku*o5yQO4>{IJXA5NzPBq|tdA5`29 z5c|v?qFisn#7Dl7dtSS!2o>6bAc-H-&`dt_r4&Pnw@j)lnpJGt zJZo-lXP>^F-flGxvVnJ!EC`U<#k6Oa6hiP`rz zYe41A%=|D8a_bP6uX%n?*?Jx5_zB(*%l){OaF6s`{@2#5wyUcJ-O_m-QF-i6|3V67 z#JyH(EQ;1^5N?~>)%?OrbL%iwV*q02smswt3iSBsaOE2`QviTD?IsDG9ZxqzX=rJg zi)HcdYHe4^083fPh7Of1%Q^RRYia{QQKMfGmu{;$ob$ z-##DLoGJA5CpVnupD!Z6%1RQfaQ1s|>Z+RUIX6gO37t1?bvn?rgWg@BsB$uAZ}cxqz3F5eTnSSLC|?H|cGXs?`V-dD7fxr@E?CQ!h7i88E>h zORZ5DkQtElW%KdM)()EDK>2We&GY$IaF+f2I(E^@wjMeOYWFc*%n3sBbX$FC_tS;h z{o1me_(6nJ%taDEwBz#|y+MBJ;Q(h1omsq1fuIqC^<6+8>3Pq()o#joFP3ZkzB5x+jcrhxzG zi-HCBcR#SBM~PWGR*@@U4*jd2eUA#Ksi}#Ag7SoksY2`$Fu_IzPmb+>TGcXWzfS6wPRE=2=UV=lv9m@Quv+KYs7$RKbv027S9EEdAKI^(F}Ja7>%(R5}WXKi~Lm_zv2zZkyWgYe@c`lzk?%m=)=F(i?8^Nirb*eP{s z21j$Lv;8>k1NppU$#*8E=Ar(*THYSB!rbs06;=Z$|NZfPb)ZP^@g)pHPdq9as2_Z# zXp^$4niSUJ5|fI%i*kzLk6ayIsi}YRnZ5Znq?^?!G3DqS!2;ax2}-%ll@Ek}y^MmSh$N(>lq@V&Q5sH! zh647DWzaM9CWTucuag7*jHIIQU_;GEYvaUF85u%);>M!mcU?q6| zBpR7N!2_N@=9c=tg#6vS&I)l3)P!8coJh;*kCsk0Gb!VTyRQX0cXb5_Cj%m%L;Hk zvwr+Q1k!P{MZ*aU>I@EccKUt+IR`P{zIFZrQnO;>;}L1DMC2)+mdg4IM16hrF-sm1 zQmDvx_HvEYvYQVpI7%74o{tz z$Q83j7>9zR>nqqrRqI=#pNv1@4>?EObxV8oxEz@9a|<6a$tkJWF<(PD zRl(CH&5+6GIOVC9-qTF~uV>$Xtjok(L4N`3SMhKE>fFpy#~v6S#_jPoHa5P@sE>?% z-q759?hNF`qBW8;HDEV-lagC1Jq5xNV}_qP*xSeB+x!5On2l?g#y)so1sz`d&Pla< zBV?J5gJLo>F#$I}-@w2dckok5MnD=J#15DuQ0UYH-tc}h=}naflL$Zn@7nLlZY)yL zyv6$3TDCQ(0)igc^bmkC!YvsL3=XopmKl-)+H#?Nb!}}VfY6nk$AO4c>#x)5F4F7_ zPHADqmr3KqAY{_1cOs96ss{35)*}mgxciruqWZ}u1KH2U~oWQ2?8Nw zS^yC25IXw(aCUYPO^XB^c$=WAA|!7fgoSx|?F#}2P;?CASD{N%(D5Tg>B^`ahD6p< z%`ccm$%`7ZDJdz_5A_BHFk~PkMjShV+SP(JnN-CYjYfx<2*N5quVQpgeSIYgMzg<8Am{_Zs{@PCI@wMrtB{ z-JjTGxs3YW6SO^qLqrFxa|-LiTHH!1Gc?rt6x$$kUZ&CJ2GWZol!`nuS{Y8%+8O-E zmkzrPOz(gU1>bGRL8LX$+##Svo08=R6(Xbof$Th@#o*I8L*Q%qP&qA?BA3d(4BNA) zQ?0$JK1_{TM`RyaLKR0+#wyEgVXa`hm4O3`{;~zO^&KN7qs>}HH3f`$-RnBoL`XVB z{g%q^w*mYcV~g1r;42Gr7gLYlB>Tu^UMoQdbQOgW%(OUTNz;eIwQt?ePdtx?%GvM^O$?kLO@qwp~KNK!Hb+I;0Qw@zx zdd!N()v+yra5vqu!HD+wUWM`I{P&0TL=>3a3K+!x#Jvt3Z|s}TSg(*q)Xw|{S5Rz= zM%^c6WnvxTiM+YKRVhxN0MF$$djoOk;XnCW9M61y&WN{v1PV&^g^3D(IFXu7>G+su3 zhUk&6FLocCtOdD#l^MV*9y*r2J8C@R-=5R=Iws}BWKtc4;#M%X%)Y0n7mD~|sf+2% zr`pNp91U_|A6w%xErvvUu116|RYBsbTUjgi*S7{YXA@`Fwhw!M8T{~HSq&Qs>-jM@ z3lwXm?><;6+I(Sb23agXm(iZqkt3FQX;gc(GrTdO>RL}0iP6nz^VZa;ba+$v8qp2O zuOgM4c#~U8vJr7|a56@-6tqpMVg7Cg0OdXG$9(+;P7l+n|*`{ht&TWo(V{;Curj%41qNY}g#+(aWe(AM4te85@ z>GO@V1=i$WB_jR0lQ7|QAg&|swR=d~8ZJS}H7_{rZ{NqijDg?e3Yh!m{C7n$+bK$Iddf3xYw5PzOUi>%dqUKVuj-uu19O%eKQ%thuJbo zFGqW4IwQ;KzhNEXKg$@)=xRz+kAd68WvaZS`mD=3bKh5LTTIGMQJoD50GAT6K6AD0 zVk3*Te7HjB=$}Cz>&*%?v!H-b zZNQteu%-r4GVHnT1BdOg*_*$v#{O78`z=NKUf^|u>r86|fEU@nE*h3+5yQg5)(+LL zI?RH;U`7;oo}8YpFU;$T+!gENV7bY~Juzr($!Oy~^QMtO{Ep*?Pfr%O_sf(vA4s-` zr!m3o05a^W!#qVo=X5-f7we<3itleWF)INPue`aY`pRKaSyo3sno19UOW zOwsounZ|Gftu2D0y{eF|ShEu~1dA5?2zSs$X^heJ;JM{Z?5}%3mCg{<0e$};{ie@% zMvq%_nMz@oSf16JZ^q-q)zkV(d^_!q@tD){&d40}}Ast)9 zIGqGH!WgAj;L|aEgshDou}xx*Dif4A$<_w59~2W)bNFYO*FFM;Lt8IB+SZdvQ`Am= zrUW2$X1PYx?)t+ICLDTB5*UVE-ig=wKa?j^yxE+xU%36EFwX>rp(Wqgo~8=y<7*ip z(_nj;biRKv*z;`>+pO?mR?}VO;vHNqosrM+ej(maj!;J{ z&Cb97fS7i;32iO~D-Q|xiTWZJYp3xOrJYn+u^)T_TDIiLLt8RcmG)P9LKiL%kks}5 zqz?y}XpA9zca5cqEKQyYdx~p(Eef>=7Ef6*$bf_f?o!|2C6=F8xEM5QeWa1`7xg>|eqT5hlKfc$vuWKcf@z)?B zYn$5|Pu-5imMXe{))O$o>$Sl_S(b(PvsS7$@)bKfgwops^q;gJ5kGc>{k%qBA~2Iv zLZwmj(C>DT9&^#iQ%VV9DNV3CTqg~oN4NPQH&MTPuX_SYbb-sWUtEWM!R&|!Db`j8 zUDW;Z=_+1*DA9OpQr>jHC%8uvOvusJvE`|)r;%x{wfJsUBtP04`c(*fE)C8>e_^1x z_ifje-xo|_8F>ueQ?TUCKCB|BCH4#_`F{3|D4!yg9MhL zud2V5eA&q@d4@6kK(~b`uPiUeDX+%eAkNLrkt`x*hMN9qC6&J~cE5n*ZC0}OG5D*@ z>-9bJ@e^kcCfM_b>+=#`2ClfoZ!^vfbxEHeGu#R`VD!Lx88TdsVQs}Sa5-x2 z{F=OVG;g|ng-5U8z;5SZbXPhDo1!NRXAgeid}yg`a7a<%{2GOH_J@5Rz zsjCX$^XmsI>@n&Vez8^-;o7KxG6Y`kQ|1>hxgs(>7V*)Oe;)-!j(7L|2wxQC-orOM zvOT%W|D}$=0$fGr@;Pmdqcv^B{l)czAEa-Y8s)U7=ox!*LTx9xRbO?aeRzva6DBYw zZm+*eKFwjZT=SXIpNXD6=rs4~Y&~(Y?0*5n5k!o5rKhjNQ2g<)f7r|b@nn4|80B`W znKCIXub|-km6Vi}oui`??_ocB?JG{q#vAmdA|z8&(~QViMzoJvjaUFz{$YOr+SACx z#nnk{TNsYg!+lo=NTrJH1%7%1e99MWgU*nvvX)Fxt5cp#ON{8wXmcDjkYtTF*PwQ? zlUlMiNS!(P4HCND5T$oJl<yh=^^&G+8*ZB))4RJphz51_- zNdX0{GyUSaDm*&$yz6Ku$1=^4*~qDBnvCPAe3(5Ns3GIqE@9LJa9_1uo4KkS1YbAf zo=?}&=zc`q11?rMnyK#eiv!Lqsn?WJt@rco87I$YwQO}G8QPWy8L1`iGV9RY-exi3 zr1t`b&8%v&tFSdMhyEq0$N%UT2wOSKC1yBL|>q+CKhu)qsgdxkn49=k!f!j6`;Dd$hG?LfV)>H<{Yl{Vx1e92)&eEL| z(7%LuiW6xGHgB}wzud0AJEd@hI|DPM??i5bp5_te%w#`i;5Je zRVO~8Wa&vi12~b=X)`!2t*t_gu#%!8zr#Z-ASo8n%fKHHG@8v6Crl{Y*}Vtit>Lby zpT{jz9d|4MZ12Ou*6qWOBgXO#cn{)n&S~A zQjnw*chI_1Z89ma{Nq?KpbPPS(^?I`(4{Zk6T>w5^DV`2`VF|t`C{#)?-=~+p8 zJn4roYOyxYP2qpa^DUw&MoJ9%SJY=tq+Fd!4RX5~^jWTgu@S!*+^rKKz!_U#J}0;3 zf958dcQRkv8FsaL$cf4$tL5i%L^{6h6~GhHaTKR|i$zoD;oNDL!B|%4Kkh96Z(5!Y zkGA^uGWrQ#lm1tuDfaj(ujX^SiVD)7PUpL^)dxT*?6%0pNcXaWIszR1;2M=CsptGj<4h5h-k3fCSwYmjWQJJYUBtkH)$m^Vm zx1y;i4VDv-ZSXL#)#q0u+*G6H=aU5~VG~j%16an%-f;*eKZ9(H-wJC{wB6?%-h+q4 zC_mb9uM)G6&}?ntTeW16`xef9%Q1;jRhuVY8YS-pdj9hx6q;4mw~lR;!Vsqiq?=tW zk}O{9UQ(}HHa}?A?_&$eC>fWEcSNHV%I}tMuGIl(M+YnM^WhTN$zqSMa8thtM(}R? zBIS?X2R>*oyIoZh=wOATvAq(ece{f?xNhc{qozEsGB@3IJO4p6!@0{371ks7{cR{! zPs^Q+RP4CFp`K}WNxye$V%b%+ zY@j4uT%@oad36MzrlRABGq|EU1z!{Q1Zi&z?5oYNtj@ zhQSf0;EMWm-<}cA-!qI@1W|jP$L0;TQmeP>%n?Ob$W*B%b8L z5GRyis!b16ht9^fI>!&o)fRCEjINOa^?Hco-L*)^*1(boFA3UuTe%|fVJoik^yr_E z-A}h<3s+_RAURoX9674UV8oc9ex+9N;sx=C9ax-p{AjOKpUhU=^{Qly>7XrW>YHbS)LS6^ zKDTX#dE2?i+q+dDF?TdMxuD&7RgX4*0DGpG=6IGErPgQc=qh6?Q2iXZahDfaseHBL z9~yiPfj9W>0%`GFfLdofcZl%B~7=n?bm_s?iij^3x!T9OQuBE88pi9-K%y03a zcH`vj>JHv^hh=*U8f!{&Ri-pdSxE(PywvAq7qn}=^Ar} zgg-O{F3<1GL0zZ5+*PC^v+0hl?jERE10tnwZh@|3VfQ&l_U(>gJKAn~OGVAS*g)(y zX$mcW7F4h;aRaM)>?m+G`r)ao?CFT4JWk5)w)c3VK@<+LYZ zbY?Ey`Cju?suzhF?|%VMXPa*Df03);clqYGwWzwnWvtiaC!dr zw28^KW|~?msFt>0kyg@4*I=~Jz>)~}H^@)HoTQag665(tSbvA93WJ(rk&P+c4sVq56J&~=Xkt;Lzn=^BDY`416r2 zl{{5}-e6W3Ms0TU*c!c|YWDqdn}Lpc3i8|ND%iomcRzYTS4O%am%o_VOntFF_p}_j zS_ejk!+O@MA82XUfBItnX2VnHY_81Ow^D5In3cx7_Gca5q8_<}j`lcW^LKv6_eAJA z0_|;0a+DKBw)rjO@#+g50ote`n&>~ zZ(&BSSlu}7w^2%x(3fN$29HSD&Rz+5hE)BqCA&`yUzfYNUSxVGC=3Y|?IsAQZmo`q zKK7Cyb4r%D?D6fQTCTr@w1@1P@M0=UV-yg`kw6}aeu1K4^cVLTx(XjV=F0H^0$jqi+A4kIGl`iDTlG|NaDrsbeB6! z@hS0RkR8~PYxGy2rEs2Yf=k>qchS$l+X?I_d3NuHodAVC(8%JA0e?JN2ymR(?JsP*&fsrN@YPQhtUx>qctgoQJ*15_d z-O(g)M=rGAPh5=xk{Y8*3))nT?n*@m5rlEq@4qX3pc$JceAz_y%u3*^OX#ar$ihpv zbSQNoJXTLY^Md=4(Jo@yMQN+}0^h;}e!Uu}~(qLGQQZGAJT>URWdn`X6BsgH|+m@NLTv1hpGc`3O zsM!<3(lIe1r=v^O8L|a9ZlIl>p7Ltq!3MXzlNh!Ax3-LQLV$5REw0^{FF{!p5}<06 zQB$oW>M;)hM*+se)Nc=3p%=eqxa|cF5sf`9{F~h|vu4(Se2mjHn-%wy23~(0K4z^} zcO<*dF(Dqut>itm2)nlzzv#Dnd0`{0vX#j9Y+Wyzm~4gMhtQvYlu75#c3JhgKSdrG zRYuc&<~Z{v3=ws5)l_*GfPDR9?PpjNjcx9B;gcYtUir+O+FBar$$^5lktgA%A38rN zB))NJiZ8@YUi%;~O!d^Qtt3}WA=DVV%#-5Pym;wTdJsgJ@){T2+gP|g@Y(34mAO6~ z0#DFaQEp93)1vl$7IPbJ{K%0)#)PPlymT=ZBcoqp%IA(w?~D1us)y*=;6I2wf9c*P zN^OKDENb1D=~-&)oVGRi|Izl=QE_cwx@fTARB(q7+$F&^I01sYTL|uMA-KB*cXxMp zcXxNEaPB^R$Lrgp$M2l(+wZ;q7*vf>ReP_!)|}t`#PO>`$Ohlr3movRkjGg#(>1jl z4K*1n1Fcex_EE+agEFk8F#HQKuIWlhfrcGoNT!Y`-Z0oRt*PJrav`k+6f0jec+Y3> zq^eXJrJhM=j)H!l#I4FLaZ)Uqb6uCYJs0~8EbFq4d|F=S81Be6kt8AA`%7L}?u>G8 z^MNRxVN`M?!79Clq^X-Hwimc}`n)Ya(w=Oa6MZLHT*$`Fv!dANfvPc{LnJnBZjA}N z@vvuDj>-|Vo43S3MA^#U=`yhExrO8G?zu!eSd@pN9K8Mmlu+h(+OKb4Hhc0LZNYsb zYa#V$jsT4EAn;cYHG;j237~4vBeRMEi#h5{w=ZHAp&D@k>D0szM{-04jQwsnJ9&k_=R9QojqL%nZn5--3Y8L=EoUK@((t`(dS%a*OsC>WLI0SOnYF zLQIoHcJ%`~)*L{+Y5WCoH}|sJuUam7k%k$1gQ-e2*sd&@;rR(vb@EptRM_O8%OQXZ z=$Mq2jsmX+uaEY;^5U{WfQoS+L{cp4nobl)S6Yn=^M@4~CYZ|ki!rd<7>qr90k@@w zKAT6U#Eg)YI(V%+6-PuAg7b4)gh{~N+hNDI0bZURAYKHCR;?WHgg!(W?truohs`N8 zMm*-#7F(NzvnKu2#H~Q=iher%!oDs8cp5LKp(PQXkn!j4+UsES6oR>KyT$ut&mq7k2^%i!0^7&dR$gZ zAucoWVl#jk765lE>gxPGU*2~Bc_WysPNz#@`Ro>tQT@H*&d%J-2qGeWe<3kxqIyv8 z5fMl0a&jI+ zr8RJ{Hb-1X+&uCWB}QjK#;k22QrJ@P^>S&5#i$wUgvdiEvXG9+f+jx$gTP(W@B3ea zwv>igB$GxFWTGC$eS8EwACHxegrIXes}jmKqG;&xL2a%!(-;x>MPe53v=)?at!Ygp z#)wUo=U28ESGT6vREEfB1dz_J88{W0dh3fEvw1cw-YMnHHCFmY4=Xo81G0hlpqSyX zgR&@(n!D+gW_{wl1@$Gl>Nu8^XkOHM@Po8P$ozOzfpDtH?3{Lh zejQdb$Ir6%cZ@22ObYp5p;#`s#6czD<4JGl(9LS-YFhPS#z^co2+-a!a58 z{gN+Z>lddS+6c-6r*<~qn~vkDw!gWhwW&q%?#FFO+N{*HDE{0n<)n14HH_3JRImsc z3U*Q1jf-y4Ow*xoD-U5|whLy#w|%)F%m_q*z_@ZioOBnPU~C~q4{|h*-8uc=Sn4|V zZ28yNiL7Ut7O?NVuYj^%JcF>?2Wez|XI0S=O(jADC!S~d`o!%=W)0W% z0IniK{+of9tC@mc- z=KSS8Z>pe>ZgX30>Buu}$B!n8_3a6VfFK7f;^()QfL$!*Q}vG&zJIw}2tdD*LyKR4 z8966vlK-)^pn{(<9Tbs0!p6rhj(pM!85xlha7j;1O`Y%#2nYz@VEp*;-39r3^O(3e z7@!B$H8VqeeSO_HIzqUgFaV6yVFq=8d@$A2I^hfnG&p$p-D?`!>1eAYYeQ&Z{~t&P0HlD$Na_L7%zbhSfv{3Bc*4k5y7p=>`H5?0;;Yu14=a z+}HT_6S+m_Ba3i39BJkQ`7l`oRn@orH?6ZuaB z9K<^1b`8w?$?W*Vex}*3b#icRGuG;A-yoT4uWTK)Gg_qSdvYbt`Bzd;9E!|2F_5R< zJ78SNeYx93|C~`#13A{8*I9W$#$nG4v1Me-mx@xua>G1G9qEgttladpefUX&%s?TR z)64;6V-k%-yFoF)RXm(?DP?yi$r60Ta(nyDEge6`^0XK=S)bTh^VSaWK(U`fsS@K`d9c&MjHMZRiRO`0Jb%-{iGRGhUj-iHK6k!zy~e|xN|)SubFnrCF@ zsJhi*fDe^XY4?n-&UMf=mQt0K>3I%=p9Lli5cWCvDsBRYxBhd#4`Eji^h7R5|bcN07Ju zj2?|zB{-3}!4>O${$r(F-L2Uw7nZVtPB%lSX>GVsz9r7Hda?{b>p_8Cwv5<}tt zSsNnQ>hL|0Wq4#Vqeq{Dg?X10?IQTY)%edoq|0uwSy-W{!~f)25Bwzocfd!l7j0RH z{?E9Tz%-?-0_mU?;Bo-rr)^5Yt$`M`uuN;jp{%U@yF2ca z5jufU=f@O7VZ>ai#x?AIuVW24q;!~owKXkY?v<^CddFugVZhR?raJT+drhibDt%~8oK!krNJ1*VSG)v+sf&6j2PbFHq^pHoqMQm9ojIO-T+^P3xr?%A zWu?-n@;FXsMrm!?MV~pkscwH9i<*W~t-ZGL@YOE(izG!XrchvcGfwIJ+ytkF65Z-_ z$%)p{Y`MA-Ei8MQmO`1%P&aK7)zt&B*rvX_e^!0`*>|QoCytg1YqAq}W8CMPDM+{< zU62NXLgV#BQlS;QVIo}(w#*4_%pworZC9V5w(97TRAm@`V?1#YC!m@qTD#&JxqKq*)DmJhvq+P6uf!~?3yG=*Ob&<#YhBiuwvEP<$ zoE=bY8|&+))Vqh>^8QJDzbf;ZwLM4kyv^^P)m(aVSr46-Dn>#PSsFRlDG$X0sugcF z*S)pK=$x0PIA@&uYV6ViKK>YSufZwMV6&kS8RH#o*;n)xuO3cTKMQ?cXgQ8`hSKIP zP=uxLW~%56HMskce!**rWQ0A`cyL#T=Ne07hlRpJp<)gV>%Fsh*URrIcaPD;m6?ha zd8=+wEN2dvzgptG)(pC%VqP=n#~&h9zyR2K$v}Bl9PLmb)@GKp#ctoLb8e}Qh+axz zcA^qX>_e`W{?g2Hk!g^IL)cBKd@fykp0aufy?Wy7E6IAkzb60H9fk^8;Ezx3#3;`h z1NL=J{(Kfs?}9hl+Pvt^U2Q)j{p6RG6VuuHw_{f3hhAQrmR}2+34MI|SgDJkLa*C&C7a6U~Bo??G`Tz3(@^9vwiJ=11UiyQE z&EE)dKk1rTfEZ37qO+!Ws1ja+Yckms=iK3)U0nqMZ{G?iz{e>vK7P*K$^Xaqzp3xN zMLz%%CCFiX`J^k`mrpUl!3cc8rKMMy4geO+a4gg)FX}IkLB=Kp%sd$x!)l;%f1#kD z{DzjL%cn>EX$rkl#Ux}GgLs8BJIxRy$yf{I3-P($RD4{osjP%(!4eC_fd?qx7{Xqt zs8Q}e8{s02s{%D$@47+j0B??ar`L764-Ppb#H#g!%sI-JjF0WA?Ko8st8y{#(F#iA zpufX1_H=6;gYjk+ydgRhG=+cYZNHJr^_LQLZH80(04hNrQt`+R}%le!B$)L`(X%)T8hBRQRgaeH5c#2mWe5BpOtw#^54?eA4&v*#Y}lsBuWGquBvp0M(Dk>6 zIvNP*(92O=jU8zVxPFEheBfr(8uSlsL zw`0dV+bTpLm~Jmi$6mvF`_ez5%HB+uFW&Af?Z%)iWeJ}9U4OqnVM_61+4BcCL6iN5 zsq4=fHCe(xe?zv<@3m&GrsSKMk(*TbNx6>Fe#sVhiMw%G8|rG37+r~Om3g#26#E#w zCwp;w)0A&HNZ|LBhsr+E#J9a^oHg#~2?-8wli>gno)T>CE|zzB&GEWO-i5p;hukBp z*ehq$1z1!}Ruk?As7p{M7P0)#n_a%ujN_g#YirL~Cp=~=V5q$mD=m*?Td$d&%A;*s z^6HQPM(@C1aN4X4pRw2o7omd|;Ukq2VYXflOS#v*mDj%65Lg*@4NTIC>5es5>%MNl zFjc&Kys(w~mSFRe#%)b>-~7~F%-^ox6_sqI()d9BD_yI1d|Yb@wyO+E&OLyRF19}f z`==G< zmfj~{31s+CF`jp^jlW7=nQ+*+fOasVpToKvr9Y91hQ0$NMtWBI`ugG*PRRr+OUVEF z9L#uymc0OYN0eVMh>4VrMHp_P`JDqDdhc);X{Q;hi^|I0W8?)1el=H-&q8I?)d09j zg{S}pVM9TXB)9FuhYuO$1%rEltvAMdBpk94tE-*E-y2pVi8jxV!kha+=>3ZOI+~i$ zmX>FNN#rrbWaJVliug063T<;U*+~+`SvRuW8;`S*AFqdSXEhm~C$-IbQC3ppSYVjb z>mK2I@^%IHnMT{;GYaVG>&3l{NF|F9K4-+gxSdU4p^m4UcJ+7p1dWm>LbD+?8iab0I}bjf9u+ zyvvUi%v`@Xv(P=t5D$cl&vBF)!PRH$)G=|vaKFh})lK-O!pQ zm`Z<_r>auZ|G=JS5S@Fy(&l~aAg|m8nTpu#iKygT$~G6TNmumKnp7{`Entb`cJ%Y@ zOMcsSa#;W>F;f?^B@4FAVk}~tL}=ApyPN&8dGII*@EpAs8YRpA!|kc zsT$Uk-#+z4Eb{@apkz+G$_8{JaiB?fQ;xahMik?UtG#spJ2FhL{VU=7ZeJpFk`=}j z6%XrYp;5t$0Ccw5*ZT(7>zDcPhT*xbnH3C?OW!keXV>LJe!bcAw_OvLp3zRFv@d2n zR7@n6Z@)`@&yPW6Q;8H(495F#;tcemgX;`Comz<}nWiX$65YHiUlr6Xncto6!7C zEBkL71oFpUXpF|jVI9H@N7H9ReWIj^ozKAtyFT}}g^_ncn@cYP(_2pZS3JS!-g&|w z0gH7{VA5F)`-eWUyFl4ESWnNw;p&fTA9&rX8^-H&xgNVMJB`H%Fa2&ZJHSPg8}Jbt zgz@tB{<_pV%C*`oJ{en_r459q2d>+H;oO{d1j)v&G$9G~n2vr@OQ;fG-BW4SSqm{1fE; zNlb%6wV+@s&dwi3oc}RSMX_jAkyWc>N4Nc~{bLKoUC1x&b3E#qZkwCIZbj}Qu^->{ z;IW@;k#Byt8tW@*1UyJS#iS@@sEg50%S$2@DvQyV^Kgd`(*yEn?^G3>SYwl&NYh*7 z-CEsGN^|X%`xYb=EkQLfKS)-90rC2MP{acYztUI z^=z*d5vBA?nUV#f&qb+>d7}>JAD*m6=3>F=eIr6^b5(x+^*rM#mu02RSAd{|tAGaF zjbLH8MZG3~)%eHJFWj>Bf-0TsFw@_1B}X3`5O!Fa7PtObJ= z)L^2m72U$AsD&Ge{YU#f{YavOG8C+hNnS2|#Ww6$OeosFVNH#0dU2<%=Po#acY@q^Ntk2=3)_9hnq8KEi>#^-YJsv4?a`L51f21hhgOaQ`3*7*#^7(`Sg!)(%%VBI%1*!tSgA;tvq?j>D-HjlQxa} z!{)Ua$e!iHO=O-Lmcf@L2)@0?P3>6HUp<$zwvR z`cOa#&5Qu(CV9e9UDQdxnq^X9qtDIF>6%an5z8`&d&7M(f}Agt=mNz)NvCi~I5Y|Q zBPonp4J9!%CuA0gUr+F!E$<9Yf21oxPG>=Qck4HtknMuXXMMV{F)%&K3%Dw|Nji~` z7e_`AACxj&CHL&;vvV8nO7j2OIbC`V2PYLr3-_&0!!)rh#!&y(?Aa$+s_)dQ0}vlK zox^}agmOYtYn?pH`_u547D>0HmS4tyK7L9NjgLJHp0kECqm@kLDlljjP3EGKuYKKt zkoVLVZ8IelO42|P6Ot|^bGx%z9-}m&0Ht*+wYiexVctkoN;$?F3C4-L{Cl(3!7u0Mb zn{4p<<|U*Q#_)OelG#<@vx@n^tKlxTkWwvKbE}hl_uQPX)ZslH-m;K`40h;I*&oIq ze~#Bk?$#4a3(xq&lA!8FsiTFR9oZbiPRq1U=@(lSkjOEoo-mj}^~xnQP4b~a4*^X?{jsrB`k?-j1^rR_r|?8@`=ofg9k47x)T@ zPzyo?w1aNiSVvUQ><-Nm;uHEpo_QgiHHmOn9ZGl>Gw#Q#x$l>J2%S0c8Fwuwe*Lgi zTz|pED}42kHIx;z*5zlS^KSs?Xf!M7&c8*5tV)QlctW#vYx($dvR2m=4|`6a8{%!k zoc77lv9F{)3yX%~L2dU*@04F|Q+`!=d_67P-Ntb9*m7_AM3|h|J53J&Jdc8g8i$W` zRPvttW#wUZ;>6lyUOEGxj{`^k*inY2bNIFY7}pvw^b2d=pJyh+ME~c5_TTH}|M<4& z5O}~}LC5xj@=gP?yLnXCOPKa0(@9~)fwnl0w>@tlbnow3`xDlXy}eRda=EB@8Sacs zOtSf(DJdzf9plNEV1TXgJ#9j)xF8H7A|f0D!qg$uXF)+hjE5{usVE8fPZPdy8;u^j z-;mNLw|bq92Tp#BrF55pUO-1zebP)-UT@lb#cpSf5xg8_50o)oU66rcaYSo-ahAeB zxTiruS^QjB{hF)Fxlc!3onwXlp)J5udYeA;pQ3@5ESQWTi@Q0W#wt;?Rid%NN zRQWGVa-SG@6TmYR6No%1r!GyL!VHu~osDME8(X(V2A#vd3ao$5%iiB_QahZfpEdG3 z6V~66W{5zMa|kZuzj-P}yQ36Ik~3oxcSuD61QfrEk1uH9%&laXx}KFTJuL}_TRwWL zU5OWh599SCF;I+*M7^G&#h!2ej^G}?jiUmL@3*HPkSrj1I7eB%i1uxmZ2`R)Q;uXo z;>@C>+41;mtK1(0_3u&N2^9?88*g#W`;sM~XQ2aR#&Em#<=tMm%optZ>*YcQ{QS2c zYmATE)JvPLt7KjWXk8o?u*okG-haBPQG-T|5b3vUx0 zuEh||aKp^tR2SNN5u|wRWL8gdY1aroCjAepCNG5Ih(94@WIW!Rm&So1Y9&0H&o$D* zo|r@Op!?4djyuO!wrc8WVmw3}xK zC|2taDCe)5U7UZ-bkf?CqAW>PNj_Eh=sWY&Io-7Q>|1b>*z6>||3sDKeimTtg8Ua7 zpYuT?Ee{Tr3C0_P;u52~D$2>HH*EY|KkZIgoBtR5tGZjgvLgHioNuM;9Jh-|?8vPZ zyFglQpp)gS8cEFvmAFbQd#x{^?@D{oWxAsVIm@^kZjtiP0-bUdLbY>KRa3O&S7tkR zFno(tsP99aH+R4aHN|LC?>2X;#P?eXt<=+0%zYVo$7r?vX$&r%r#t<`&z0ECV>A3r zqq>lXgQU6O1ixORNQS4*_bUNj;gaV{1PjI?Z!5(Zkou`UXU$0NAI! zYJ8D(l6=D%3=&8E*X`>+2|Iz4S5^k{)(tHuEmh$*?`uY_73{&HrSFm9H`?G0@fj5H z;UJ%z73d0mkj_H`3_|&Ll9!HttrtDR*)gh^e}KnU3?Zr3rYUE-3w{0l1%Z)py3+UW zD1c8auxpzy$GoUn}QFSIYQw?SwEz_gj- ztKBbPz61o-L349+e|W;=Mtj1Z{tHo#>j)q&`yIjesF|1+5<**|QIG2R_M##%X;g2? zo8k55&2Di-HLOvgn>pr8ZwMk_)N+l;A}H@XZ+}y6NW+AotMq)S2NE&KNbq6O^%v@8 zqOpQpt}H}EI7`&7`BmGVJxRDfWkH!Q)nGcFuR%;sVrOP$p)J*#fdHuN11>IgAXIgA zZouNMhn%LwhP*xnz*hh5lPXGAdzQrc3$n^Ll!qeY$_TQML31zH++=O0c7~v!s0;!) zwl^Wb^j38Kt;Pl280b|N@;OTwnKv99ltnU_nv6BRx(3c~jiIY-KysIFPhEdZ8Kjqc zU8qha6KeYt4Mkp(#@W?-j}-XB?6)&gS`t4}Q$6x8AMCBg+Mf_q2gl^e!*iqw85unl zzBX@-9I7L}jyUQ~+?{vz37sT!#M)4`wSVkh^F8*DTVAiSorI)aP*s;WeH5&nDje_p zi?SX|ujv!-g&FRLc^*?anTqZn4$sAOxwy~e7QBy_RAfedt5p;h)ssP5%lATNI!?2W zS5g=XXPge0{?)8V-3FgwI|*O7JJQ7%A%Zsv7P*Ls4v<@yVFmZ`e>Wk!jSV$V1hL=T zZ@4@RAniV(HiqsbJ#=I4ie<-agqgkl-~2TUr% z#JqgKkiFTF3)R)8%OCYMimB?F>aML0Cg%MTWGuDY*;Etl_J_QISjnBPmu?uB=$5XB z9>fnZu4-ws2lw-CZTeYFgIzqObfufwxy0QMJ=c*bG0>^MxxYrLSZDV$)%n2o@fJji zkpH0U2xk5>4l?yf3F1c%U?iTR7Cb9M`Bs?K>~phbBfj$i?gmM=X4%dYv=g^Oeboa^ z)D22-hsH;-{B;f31JoGdjNtR64}UZ>HQV4$x{)(inZE=2t*;dvl>vL#vs7&7P?JxK zoGt>BGc!-w2Q5hyvV8OGE#>-m-f2_orkvGad@ACYfSMM24ture#-U-$`TM2zc7LKw zUf)&3OL)I@qBpgMHaV;ShcbRbGE7e zKL$FUW>>uJHi;Z{cwKklQi8al=2^rcDq?KDYkESgt^gz@ z4nu-uWfkA2F7Er55&muvu4rn)($;Df$tONVdWzrF-QHs~RAI^dVe@QrO7qWFHGg{) zNe91!fBiGF$@F4)5fPt{qB-W7t_8+c+MdeZ=x^uO^&-f3|H%27Q6h0*-PqHgLC;6m z5WJX|o*3lT!!PJ)Zx8L>fk)iJhGA}Dk=fLweyLlZ`DkjyLByA+rJQ%0aBLcPyQ4>Z zpTR!%(1Z#aIy@x7M9KYsyZ}T8`aHU1<>W}r@vr$)uMR`a-|{Z-20V(NF5q zK;9FE#l*y{oypEog6_3K9mORj(c3_mmy_b|D=RDSbe166or1%{X2-CmRLZsefLV$U z6}+8|4TO6k%<~#KAD?z<;8mbN3@PBF)7#^~t+z8U*|j2jRj=Fmsh3AC%h(_rwTc=+ zDg|I-`ZwC0e_1G2f5;Sq-CU}ru?D> z%8YslysoIORK|Sf^1(o6*Po*wKp3AqY!S@mPLz;p)z+#M28@ z*T8t^d9|!pnG&lJ#P!J2Fp2rl5$gj zKh0nP>*E)k z@(xc|^0gvQU!+Nk6)j}Neh5WGFrtSBW^vb&$QIFH7mGr(zpg9H z_DznN9lUO|TKBpoZ%m8j!$tB9WL{CHyQ5(W3n+jPuTY5b`y3LX_e{0nsSV zNY~1MaiB!@XD%V%!XuwBXKAR@N`VC23D>b*yQXq-*9B~3-7 zS;iHgeDMr%s z#>w>I;IP-z_i&6JJ}s>e^aW+5b1LRj?v#|d!XR#7SoEU3oa1Ba@T0fqXp@BAFF_eq zrfhj6Cr~P*6pP4foAUmp8g>EnT?4MSba5ZXz0hy=_)b92X4R|sU{$ioiS-5+(tOd$ zc`383oqe`U#^irg@axh+ym*ybn1d9{CD3tJTo9ZaO+9NB`Q&2nJ#P1hW!<#ekwCe2 z#$~Ti`v%f)#p75fnOVET35W_+Rngyt+z(uOgE8HUyk2gxdwP1{4uNcdL?*r8AI1j< zy@|b^QT>r{A%U>Cjgu3)XB##?f|rN=^y@pE&VV8yg&PW}`+v)V`ul!?Qn4^FI&viw zHf9Q&h-0t8-~ewZSV+DDdcJ}%uN5VLO#(Cr))yOJ2S!IRALqdQ?hEb*6PXi5O0;+V zW>cQo)=bpY@P7ptj7XHel&DpAOe};zx<5aYNf%xu)2Z{kbor*06|r8r%@wN{Y~-i26~&twD=R6P8n4dSD>=kT z^cR;Dz4@H$SaCz3)XhoN%_%S^sNY#(i7`-gZKqp$8>I6UP)&c|aQWFu=AMTHus5Mp zqN_KfaG^*hmN8Ej2;_pvfgy{7Bh}Z>B9UOy2$iA7@@OqD%qn-A=Tu7ljr(0PXR`*~dUyqqZQslDwrtJ9$VMI28C9%N&o7T*YipE4s5?H3OuFmfPPQw-zpNMykJe^? zZPg^>))9wzd#9=+e&VUMk&CSdAc_jtYrU^O^VR#I_m_{?&%K|wSQ_l?oqApTwlhP| z0iT+VSG!Bi3l)0qIa9lDBLe|%7Muug_4c73tz+iDs%=gI&Mzg;`Yvn{R(hX0Ii*+* z&JVk;Ye=aE-OOIJ#fNAn7|^CTjF}Y&w)E2~m+x9)3R|C#$C_%eR4fE4^Ejq|`95L4!ABYrg^{ggfUci-wZeXJl_fV(?ePJfcoD(K zMZ~D9btAX7S??_XeD&x@ek6!#x56z&B5QK;5^(NJN=kL1anb4S?A+Bo!H~hrvBZT? z^{I0CQL{L1_GtdkLc-l$EB~6`?_TmCSI!OtaPHYKwK%&;ojX%BF1Bf;S_+SLO(iEx6k%N!Zvd&jFw1Eu`a7 z%y+d}85KlpmD?_=#GN<~f|WeOex|Q49r~Xnw18Y%NIa6NrCoT-5l3JSW9&=s>p=efRv)%5FivtHD;sb=UDxRbKg|yoUvmWW zpFiotw0t=>y08OpKj@Q@v*Qw}Uw>#}*;isloLNZH=jFh3gLJJwgvq4uRy_COfJhmK zmC`Swpxr_LVnfE$lA6^Y9BjMLXczElTr;SEw(vtI*;@QbKkSX4;$4#6ZZdyoobxI; zQ$LyRPTOH+3bb(>r;v&Lv{H&?dlkHyq}1L;edi&g)j2f>-|{qqU9<^;HcVwYYi4t4 z4?nSDPfd+WcVHCJnR!ZWZ=vt~FBAlSvxf@7)dYrywuA$Mm!C_}vOE5p9o|s4e-47V z*K|RDY9~#uSI5{l<)f(y#bJizay%(0R~_i*|GrXb0IS*Nu2xGl z<^_lmT;Fg$;Nu<{04b3h2L%sCcQKSQf1$7GI~+P~!!x_)gJYpwOi#ddGoRD94>?K+d!38yPcxE{KW09PDtBF% zXhpK$yKq6Jxg9o&d`ORn1-QbUs+-ACLbxS+fL|uzA~QVb=C`1uRJbU)AYO6^vz~Z@ z?EN{yD9ETccekq~p&k3rrsrQcI4;oEga$p>Canx7>KYr6rx3qtGi+?1^+5aXhDtDK zN{>Qd_^zJlj^?Bisy_(i%kpm$@H){;bMW;Azl<>JwCjNcItKcE%h2mvkdgx0nN4x_ zBikk{7hN+gwP#Qo?p_eGmy)Xgg19p_q+`XxPbS~5HE3L)SLK)Ibnq6l&2qMcWD^S4 zS;Bh~jp+`L5o;>wFLK8G(NZVpJ=!1y zHb1>@$wMh^lL_4BVn4`~@dKnNNmpxnKM4$m@m$}S>)!U{&)*iCLH9+)PjB1lI~0wJ zJ|~^x9|aZyKMvSJU>yl6zLvh4T9lS96~4^QJ(?9e9+&ekH<^~!ZDr9o0MDUM2{fE9 zQ%t1D-5UGb`9t5+?wED;z=ngn<~irS+t@?e`L+L!?VyJaCQV{|EJgNqpSZM8*a>Hw zMsTs~9k)QGUL}h*B3&pP5e4!naeBkpDQJ`&uz_GAT=&m1%BF|)Xx5L`~ZE|+?Y7F^IEKnf{+q+`;g z2umc3B8iGt`BNMK-Go?VZ>)RAI_#SRuRfvELc~x2sca`{wN{K%OZ{76*Pmhk=$)Nb_5qN`V5p*^R(bmDncUI`h}G+&DdqP?PTcr^7;4?~iL}{; zvE{<)WS|`F}F6}eX$XG&XcfN?9hf^-Jncj3vKe+E!4U&C?2I^Fu)B$TLzl4ZLC zU^~F2H!lYDe^NUB`7iG^w2Q-1KUHI0gdSf?PK%O?XT^5^r$XdH9Rg*mpUNVwdg`r* zi|QpWMOy0Wrl)nyDs}|jFEhy{^lVmV3RY=tcS~lekhe4VRkO*}v-l;YMk9&Lt{*mF ziQRQiSSZ9dr>{h*4PJxiS5``N#hgDNcr?ro1fBu-($8S3n`W!u)nVA_q-JLobnEZY$_dtHtlSRfJtFtdalk(ulMQx3O%wO?3Shsw0LZ#Aq+`th=0 z13lu$@c)WF|LT{ON<}qq#mg(EwZ>OCqRzOvT^?CslOQQ@qH01l#0A2f)WUyxrIOOQ2hdoqo3W! z{TI}nlz=QbD}<`D#aXvoihbiW7t!=O=SzJFNy+Ks+1c5vE<{G>mK3~pz3%segM&5* z^}rm)TdQF`PdfQ#gVzjB+uFKf#eP~E4G*sT%GakrdXtw6BJ-XGZ6pgVdY4N>;{r!*Pr)5 zynMUG+zKIi)W^@VSrq%B_czyhOwx}zL4CnoDJ^qT4xik^N zcy(_gaTE>K?gtnDQAjsSXRtV&GhpRAJqh3`UMG1u&3>CMbx8F6Z!V=@zw&{#dRuQZr<#ToYOf&y zV}HlOyvh&edcEQ1esuio(ctRj`FgYIsOtI-jxN1bGul8tr=?D_j(CxxKR7%{1QFt! zq*M&~bQv2T*_H0vSI)%c+Vgd&jjIJn$X1#Us01ViTk>u#djkbgRU$w-7;{btOkVgO z3JR;35YjX!*4i&_e2Gy|g1RRQmwkLQ=j?3{d#2eQnaWFlj+&nT_+-aDzKnKse9U$` zPaDq#v<5#F{!bRxe-Sg5!T47m8R9HN)m}xUY65p*5v|=K{{k1g`N9U zn55~?pOJfeKS+Nua&oGn5b+d@Ur((y00zPaB~huVr);w46PZHMiHSc$RW^UmvFLRz z%6QV#)7K(`tHb5MfZ`z@kS2=*B8;`tqcg}?AdzDAtk+Rm=BTu^)Dm1{HqSu1A>&fO z9v&YX>s&==@SoGn{{2@x3UugK-gFkx{acKmH3@>S|N9~2Ys$u!8(Vs$v&?;dN0-pC zPSTC@ebSI0IY;dMTJ<$`gEHw)vNOCe-kB6kbk2!%$(Ke62})`z)a@SE^9&J_K^=Z% zx+YfbkqilDBDxcBK=R{3`#9AUgV) zqx!F3?QK|R{kLXEw3=zW1NNpL@BZn_Y&Qnwl)f4Dlf0kc7RD z9z_i_3~O;P6j$I{T3Hp8=~C!`9kX|Nb6>(jsJf;8rQ-Q8Y*fGU!}GSkb%&GH_()Vp zAH~o@4%Ou?=hOM7>2}y?Y1Nx^=JUxpv4qm<;yEGIYu3U?NFq4*3NTdT-PSP~HOt`P zgRPc9s(bWhCC|&Hg1$++wP5w^xyQ}TISSFlXTuK&hS&sA_^%l+tMX6fl)06D>EyhZ z$L43q?d{*)rFfri$L8wRkeQ3EwrYLHh^p5(9G^~g4#SL8yZrl7>uWk8mP)0uADaf&H5E|mMdsv?@lMG2-7UTcH)`}V z>y|fXy4GcS13~tv4%a#N4-bum%34~dcd9BNMa2e`-!)|h_!q{f+eCkJ_z7gZLDSFx zS=Bo!xDe3qb2{3xVOXx0y>KJl3>2VbHfnEivn-2*eWAsroGWTfh$|ecDg@h!ow6nqB>rS_T@?l z8U|y;rdAvin}#i0HcNl{^y!2F@V=BdIzARzWoKuXG%&~xCFGv746V)VQwu>@{+uK= zH8)o)WAB6nQ&L!n>R_h=M9vGZnwpvAwxqDDHP~el|6g3)|Hk+Kk8knzrV{8_7jRc} zwUKG;Rr?O%rM*S2GTx;0db!!%>YV3Y8@p&;hX@`X9*zOH_BxXf{CA6w|H=D&q%uey%p)!SoVqex z9H!0ZwiWi7bRGB(UhOXGU=zobPctuvF9dGd9%rSCJ6p$EfPaSUA7oFDs zSN~(Gfp+(w+qGs5hja*=z3L428VdFUa}h;zq9+UuG<;EOcd7*zR%}rd%jMNobl?U~ z5WGzEAa%mf%;fcL8@P`D{7ZX1*V6KGSnkM=YPoX>ayq(^#I?D(A2WosG?C+4m8x_= z+B%J#9O0%vun$E6)Ga{dX!8d+nMncj|I*3wu|_wrWvj>Yy-gC2OO>|Fw{OvZ-QDqV z_P!#zGNLPod=(AFApt@Z zMRlBL0zkxAm;?F2KuEMy3WpqMzgo*|t;L1KV(H5=L;mAm5#0a)>DrDks!^%$*K#u@ zDX*bn7OLc?-R9mnsl4gwc6Y+O1avSgkgtmQcuzo9xHu3*%`B?)V?2$%&fDj&TzT#@ z6N8(B$twFp`OCYzc%TGw0iwinGc!A<4?~6i|GYky2*CA`Zs=q?4GZ&%!r$`}>qBlI zIGuwU`Dz()yX)Q6CD^=c)v)=VH?a(er)INSqvPb{bnNFf0lasE5SD-~=<%YstmzvT zgCKU%b6{Skv9M zE&PfCHbhZCsVYT5njpO@BE9#HBE5rvgc4B^rAn6?5RoPX=@0@4(t8aZloBBH5LyVi zi+k?5&v*CMz0Z3d&-W*SDeJdp8)M8lDKD0q-U4gEj_(|gCnM*EOLN#Y2<+?>0vH$0 zLFWe4KJv$pA0LOyX{bB18%Pn_3*D*t05+(y?^5PP>VO_}RBG0T-#7`hrVNrs@!$FP z|H8cr{Kh>aSy|DuCP|%RmlF&1-!k@bYJ`0%&uAa8JE%Nprn9qiSn5wHJl_qR-14$L zf`jveTF^%B3}P+5%mFn{@jMdb4GVC@&}5o0yp=XQ@Wat;XpO zOY+qD;*7OWO&T%@p8COW>}B|EwcXOvo^3V} zj~p8)>5;;Cg^f2kU2vSLF`O=0ws&-l1sz=D46BeKAzO_gO0ECKcm3@l{Npd`!Dfo@ z?=FvrhK8ClXL;A3?o1X|pYDj~Hir1C-#_t~>T()uMquNo>RJ;{`)&nK(?o+YZe#$D zI?eXxX4L!l7d0QdgH35^Dx&DCyu7^E?ml_FcW|KO=~)&V8~gU`K1NN`H}u`ROC_UU z;F-hA_Mk|8zqn|7=E8+x*^@wYZ%TH_%hMF|+!JZ<Nu-n8xEoiR~;!Zb{)@T|E zW-=M!HzDj_R8UbFRM$2%OKi~xZjh|2lJIb*-A#Q&vn*VMy__Lc}b@(k2h6n$R2la2h!vEt)>b1c} zZ;7}k48JMte)swQc7l_7dheNgnCx%Ptv;O!tRsp_Prq*218fH5xz?pUx*&h)N0XD2 zhgRp}l9H1_guLJ0(UFy#n>)ZZc(}3QdglE3L6^LO9Sfu(SG*e9>c2f%3)gcO zH-syhrM-RwuYa5yU~D=@aO91Tf_w$9F20B1Rr4ERzn3Ikdbgmo`b=e>;|?%Ru+ zxj8wmJ`&fj%Ybc)P1DoUYn5jYwdF`D@(A~YgvJ=N1OGcY?LVC(-!p)@(2GT~>A(Ed z>(!IqvH)P&-MgB=Tp`a^qoShtA=`@{g^&3YO(HZi0sx)r<!U~=}CuSXj#12%ntgzIZd!k6K%6uSU0j5$2?0}nb1WJh2h zdQ4Ff-@DLI58pyC-g4H!*B8Mc9bf{6CO;ek>qU<-KtF%~rtxuOkXW#QHI>cJ|4pR;0uiXuLxgK0br%2 zuYU{REI;SxtyYEBPM$o;#>)EL7EB`u9SbcR93E~5qN%3`+e-(2)K_yJkPapN*I}T4 zMQ*g(bB3z4Xz`+rRSKkq${NFb=oBuC&t>D7TMY}f%MXqXSkfI$@}aKTU0&c(%h zrN8muODgB}UZIJevFWifPN0^G8W}M_-eG5dq?RUOC)xR@uE?bgrkkj5R=;*E^`z_? z+S)AFu3bB}s3o;Z*iWtdzQZ4f9qjFkg(PctcXx%Ghfyec&z2CQX`?q3^wtILzp>t5 zKFD9c?Xe~Cy*@Uq2bAmyzc#EO*50Y9sR9`(<4l0KWg6<}JRMYJj{)l*-c?KM-%ajn zJ_b26*9^W&F0@rgVD0`XivP-9|Lwn>_d5X#tdsNl&1U)2+u<)j9{$x8pa|cao0UKT zHbO=Ou2s>_E_ZHWA>=IeGcIs9A0aC0}|?~ ze|M~tmy0Nl@y7R2Eb?PP_*`9ZVoZm^p36Gmz|?L5WSH*&v=fC_Te980-CEdzLZJ#( z|I0M(zl;JF8^_*#k6E_xKMmm@jHsFeEIPOBR8dmu$8>ddX&D&Y2G*-(YU;$G|M&%{ zgddF?**Q9v>fv1LkDs_x!E+xUMUe8B>kEUFpFvVm z(sp^<(|-IQ(#g#;V0?D)((m5kA5P|9|40S{MZ~N1yOu4#zAnAzNN7TvoT;goy?=f` z19(Egna)H3Dq7lGV6fo9-s8qMqojwq-5?OPSGvt^&vGuhEDz@PkBsD0bXk{xGhXr> zCzh3#jtJ%cArm@rV*Q3Ig$chov<4VAG`p%y|&9^+P zq^ldpw3YpUq(F|8BrjQTVtp`I`w9IrYGT5XvHj2a#B0CziGPup(r5(wvd1XGP$MIY zUICz}a_e*yqW2tEQdE4WqpyElhn^xM3pq=o6Bx)TQUrSW?d|QK&b3B0Ul}iw&W!m( z)}BrS!n=mFpW|;pX~@m=2Rp!=aco>Pq2pP{Fo30*nc1VsuODCj1=bleAaLbp4@68*@wmAY2a&~F)0_G`t|Eo-v%T1o^+n3q@)EUVy2VvySH!ok^pM(XmTI~B$+^& zajg-H#fFPf|1yUE(>wl~PZpTLa-0+Ra8*(L`t=q+$~ZX{l$Mq*mZ-4Du(Gj<7F=Xt z;JR_+#v>@W@|qO|BN1O$LAXt5i@8PrBM=n(Aic2>e=YVKBl>#K$-K7HuC1l@si2@s#7s|*y{V}Q2ztPN(=b7R@3DbgTS-aj`;)JW-vZ8@In(@{ zx?A7O%(=9H8cd5imNzt#+~MT>^!2M|4HAjl2l>yVN*En1A;BiK`A?bdWndC-CDTnV z{PJ9AqhA1s@f0~Z0{N7B*v42#24=~@#dW1*lpS<4cjoHNW11z3Ji6o8VIa`sT+Vw*{dwTv z`UeMD!GS*EPfU4}qftBC5~&QbhJm|7eZ#}-oDzI|e7#GRVm7j}uNcI=ROsmGQzHic z|0-{QApsc?eO6JC#$XpfCSSgK)zs0U4C+Rls}%JN%22a~l1bvWl#~>t6*lTP9E=(s zUdD!3h{|jZ5xuSBck<<@s{6h%ZdQp`tg@6J z51ZLJ*zMRBd=pbZ-t`^+Vn{_#e+TqQM5m@Yd2@imEIK9S%kDfHjd58nrDa^Q*p|#S};`c)uZcDt2e9W?o1E7 zB&e8Cx%(_-C73whVquXTG;mNpjJ8iqtxkZ7_AtFFXvp@^mdeuYqBc zGW>mOR4$eD(alS|yrYN(9}X!<{d`SEzoCf<*YczPSzr*N3@m0Un!y6|Fr1Dzlc%+Ahlfc$s2{7*dj0|oFwrCzSCTWMRHvwb9O7mYs%p&I?Vtp3E#!9#-8N_6y~Yw5-C zCEa0A9}!-K!PTJSR?^IM@V(T$DpX zLyz&7wQ39xvZn>TlHg%$o8yNTpT0W`HV~vfwXwmh0(9FD&}L@v!ov6j^MKK-sPVYh zuTLckyQG1-w{PEyExwUl6SR*706Lweu7(BR z)W9H$Rv_^T3;07w&#x`F7i>Yi+;@OJOev#0Ra4rF_%PVUqc62JDh^2D_zB{zO^Va8 zIH-@t@*U;Wg=U8n&`fKyLdH9op%>EB-_gL$z<7m($_Kzt&ul2#1d_WB7(`4F0PQ-aN9IB2o7${S3#f~p zwneiU>1BEtWLC3NN8~u;ch?gDmsDx;O6`xtvEN)j5owYsH2Pl3yx-Z^4{yDNL(>O1 z#z8K^YniNFx4eO)T>LP5Q=xnQ^@;x6LV(*T)){iqAWRMML;iNT9<~{iGiJ_QMy0J* zmF7U%41(8H8|`oY`sV&+D#=1!izRvhxXWbrIKS)Q=r{;RiK$JhC-Tb`)*V5{dHzRT zvuhfuUpIDNWYXs%A9-+49vVTzYe;j=k3*bL6q85JXrTEZP2z|P`)7ZPo@2YAhD48XpgZ3rNIYBn0q z5sC|dJT?)uS-LrwwfrB2Y-w595&=L8$6WB;L=}i{cZz6qTAFjGCP6u#>+V=yu}u#X zVYs(9eOLbB!`5)&soVGO--q~u5{?R_bTP;d%g28X_TO$Iu3Lp$FzNnEUGp@#5Zzhd2In7Jv;2Sc3A=88BdJsuov% znScL{6F5fVW**HrzWk7U;u)pX31x@;4prarQ_Z<2D0JuD?NMa@D{q&u-@!FeTL;s* zRl~J(Kd`VfOXtG51|spKWbe-II#d{Z%BX&@?vR(?x4u7ZcmfoA@7}$;D^^@mg5#6U zZ2auL*n2}!Mde;|@S8Vu@&o<-VGvMU<0W@O{l;y?QBpL?=q?Pp=>IOpdg%l-5q4<2d`BtFjWpN`gIhvP z-#GSq!Fd0}7Uruhxg+P!(+jD9+A6%8MLy!Hr+yq@$E%m)0VkSC1TZ;J90EnR>|ppW z5!HVSeg66i{L_CU+;J6p_XWE9ZPZsYJ)^jD-u}ensGm+Z2m095cs(CId^l1No1E-` z+9?GbNLa?P5;FDA03!eNQU2q)oi{nrKSj1?Ik1{4sH3l-`#9otQ)H=eqw%?LT~kZT zQKXfoW>mKJwcy{p>3{LC{5K3?lEi9@ML4gM|OhroIX9KDl(ln>>ER zWxYAr;P{Ehjir|JUM)H-vy;$e;p~&oM$QZZP~OSK#pSMDMu?M<$P@h#%i9(JjRqX} zGpjSrH-G7M{>*ogkv{!=w^3Ad-sfWLXo(_M0k@jX7LGEuqZWJT9fRob(#WD{sMV%_ zr1C^%u3AgCd@vmDlAW#j*ykitM@MJG36$b}g{yXrPrhE2MIhdM{p)|UjuGJ{kwVXN zrOefwyEmk#Xx8j?P1G`Qpo$>d@boBEIw2|AFSk>gO)9|pjJirZFiZcH&bZz71#|#+ z9BFpS!j6}`a>wY!24H0s9l(uLOA5We5E~aa>IBj$Id>0_)dNR*(8xi>$jA-QH&AYJ z55K4fyyaKO_m-A%HMczZM~~VU`!aEY07(JbwidhdjK8@TFA8LSe#C$0y{TyApv<=Z z%6y#ZW5oY?YD{MjH+Dp-o~V70I_QSM-hYfPA?_?WzY{)+=Cqb}X_FegzDwvP)Ui}2 ztN(93u?(6d;K#e@%Dn)8jr}9AQ1^{V^sF+8-RYE6U2+z_uFzcH)!oTD~!h z1O!MZPqo6%+N48RnH~V#Cj78nKS9#yO?~Cc#SNRLAHPIY1I?)3UK4z9`0At_@>F6% z;!vjU$;Jn4ZWC8G&z& z!(yh=zBFAuC2?s3E7&HN`|hCk;})H$uFj9PduQ(9m9$hUrOHe5)Y|hgl1VM;=hUxr zbgQo+1=a8ud7=);Lgjx1C~-)9m)CleZ1wZQUq0(4N~1-Y2Mvw%tojUB7`Qk%EVn0V zXldK7tqNTU8J#w7j)dKAETxPtiTC&QQnbn<>?+~}e4Dz=zg}>wHYbd6Y7(WS4BF>7 z23R@89!(eKV;H$m-=uoDd$qK|Zl%KBm)HlaH=UwB5v@NP7}0f0Zc2n*B^C@(N&LK- zE#QME6~*=aeSnIu5?mwtiAeKogiB80`)y*)bpe+u<8ANwXJTVV=}?7AR<%TKd10gr zG(Eu>DCqe851#q!Qfpm+@5t~%-J^DHyub;6|0DKC^FnLJer9#iaU&oZp)F#iJ9u6%z==d_$g@2GHd zKI-Y91MgbMfh#G-fp4u@WJg#?NXgVR)v}^b4}ON!;qi5Vl~Sb#Rpv?#4h|}SOrGYV z_l_)Q*clzNn)(WuzlrZVUFG$@b~p`uaX0`CoquHb9HaW=;O0c9S5$w^fR^9Qmh$}d zWwR;%<%4ND4DA=Zbf((;;aQ2j8QxOL(51bZWO-&nmfy~3H5L)*k;2WxW5(n&=WTQw zTt4hA^|bfm>xW~adKU>e3^~(t1>bPrj7^(XvD~sUxx(6mvko!7ry!;?&7?8&^1=WH z1p6#w4`<-(kY^DtrXKJ7aCs3>1jH9}!)H4y5N9(G6RL3|2-Tf>Jy%gPno3&bkl>f~ zsaWr9S$bmuxmsI!Cxe|6y+npdnu!NAY`;S`GYtCD|EGBxd7b2jLE)Exo4V6mmPE-1 z)?Csf%;V@3(2hV1rfmJlri_akFL#b6hi;vuw5FK2QNmND!*mEUSGG0yFu-mO#hGt) z#_aT*J4r$^Ux=7A$BsKp^&X}AZM;rDTFH=Suu=++3G-|cz5cd zB#_4*vx`jD*;8SXjvsbDvp{=xObrZdE8^&#EALazfYw(aqb5q;gG(Clg#RPhF?|~gnanET zs~sGSaE&Vz0sD^HHfLK*)imLwVa(D~&Xmi7Ji0o)Gv8j31F2Elyop$F;fu4oh@U$| z^bSeEk3eVg?Vo{*iFcZKYgk6+I(MMUkExKA63P^pPEh+DOn49nWtDv06(gmOY!sD~ zM`GAMgvwNqiajwzNSeY#uDhV5~IUu6yC(&`cg3 zh2-G7TE{$M26b=0x=)yemaP`&BOp>^)^;WIvL^$-v1(M~Jrzx!!S+r)QaEf_e|zK& zOFAN$(M!00zHi{~nE$lSHM#He-_ObUwvQDOkjUHtYHFr27R=G1wxVf~%A;{H{mOo1DAL4FhEvVF%<*Tm`B_~ZoFx*v}&Gg~IlH_D$?Qbu!taKX#s7_N;^9lcG z-L*C^4KuSerT|(xI{Rn&uE^F_g)@|t>t!#bEjM{N3#U52T6fV^&Bq(FiiwR~Eqp*= zctsfe_T>xLXwlRR_DMpNKY5gHe!2cz1$1 zCnlPIjAvqf#np^BZqV^lv~6;hFqprRHbj^c~( zzPVB2;_cU)Kv%q+S|U9lp7_Lj@hke={Ah3tt`>26ucRcSPnblSu;19+&^1PWc8Z)CAJI?ZcF_Kg>N~X)o$TJCvTuTTUxCIhfPx*j=TEC5NfW=rVLQYwpIFb6J4HF>7m_S$-*7QRvp{O9N{M} z)3uX!v1fVw=Hv8_n>3=92C_pTnN^m#a5xIhB=Nj=^L^jZN=eVLc8lL-O5)79a{>ni z)Sle(kxX&w(uBdWreE-ZuHR1QprYB;QbsZ{lAv*QGbsiUG#IP^vS|8XWhJGs>N3!6 z$35Ge>R(a|nOp$G8R!zY!@0)`@^C0pDd;fwVm;_(#ptY&2g)>$^?cXIi{%h+e)w|7 z_`>;fmttJxZ-<;!!edcuaq*u&7jpGESjtB8UaBjKkjXwE;r>#PSA-h2&d6ZnvuYou zOarT#)#rBWprswOB9_fumTGQpQGTF5@|qLp>GMwmyYT8EiukI+c5?9&vMs&U9U&)` zm!_5GZgK^O>&vRem{vPGTl=WNPq!041s(X~^6a9o&L6s{d4={Z>Ri7G`me&y4Yt@y zkIj#ws+k56UJh~h1dYG1pt&zSmU3?!v=~jizhRfXL2z{)u)%CoT4-kn?4}CiACn`! z+rNMM(fovnor$zU?{Ggtlqh-X#!WufXAZCtenCcZQX&1>dh(-s^Uf7w^kG?K=-DF- z{O2mhC8fHoa4_e;-f{YW!SSm}$7E(#%h0N>;h0fYwTOCM72_Z!`EiI@UYMU}YYe7L z0ID4z%6u=?ze zlXAE=+$NW@!1mzg_kx-l6KFUmH@B+!BT}+F*9K6-VTvaxT>~qaeT&D%RTLO4JDqY0 zmnuLn{<{$$Z#rL&QC!}!Q_7T4QTfsr7xlF#$2$w~jE?7}LBbDyQ!hh15|hfiEHu)d z+R^>So+eheV=LG!S|}MRFP7r*XmE8Jwwf?{`H_O((?tu!_Y)=4%>I&UzEh~Lsk1%+ z@)|%E<@89wqu8)w4K&chuIGlElbI(M=tdQS>*KrVA5Ok`aOU*l=`0;ou>-n1!&TAb zBnkS8ZLTPbr_U1AJ-?*qcv7Xk*G*b(8;u^_;>;((_+#n8Ex(jxkH4M5oK88$u(~4! zY&JDyko%&-!l=f+R7wXYry*GqapoapracUOcDKaTFnqQB`FPbZ#M06dK5BrP`$f5R z^(@KqtD8DS=CZP~Fq4Rb88QbB9-eZ&)iq1Yo;Q!Fsj0912pGP9>C&a)ya4#H4m0ch zYadA1&CT!bkB}=Ed5=x>+7?vT2$Pd4S=hdH z32`dR$i>3OK%Wo`mFDKqLlv|uhjeQ zGcwhFNBe54WyG!S&(~TS8XC5J@*2H*uxQ@cwwUaYF^_c`;Icl0zjeIpk-%(w>&zg7*+YUjQv zxqC*F-&3XLeB_w~mMXU5b%Vew_CMTH<8q3wvs|eF=|3}_?aq)a`g4Th`^%(O2WDGJ zV#I@@G?sg<=GNir(TZ(u(W&~J#uw6}m#e$$^o`MZzMhN$W4qM)a-ySe=BnrhXi);< zPOnu|B8EuzL##007;W70dc4SjqK;VMH2F9O2ekwu+H` z->6kFb{CgxG-H<(hR254sRbE(u(7)&PQ1$wJXoD5re<47Yw>AaQ-bJ+Xe!>!pEn;C zWG+z0p%e}_NjPq=9%6>QkogNjmqFVvcChVPe_m@2B^Y`F9-ml4eE5)<_!~ zSy*N8Ga|YnWoX)jZqwUX8WVQIV1fBr%ISdsy&(tbal%|ketc_KC~p)P1!0Kq!;kgo zp&~01c0AE=!it+N;I-ulcn=%4CkCH3ONzdfKBOeu9Ue{*@DA)u^-k2Wm#*7cnaY(! zkFu=_ok&S77)`ZYuF@)1HGmt*`uC=leQ$0u&TmFS0)}aQ`5k&F276p}>B{Qhxh>yy z&-6>psY&W<`f5m*h~MGJ)V3OvqwQ#oY8wmQ3bJLUGhhuO-7j`)%pUUyEhHqaM7FeS zj#c|gYWCed@X#+a%iX#0YT4nQ)D2AHHql`p?++ChR}@l_rrKo~BD3zXHhMhO6K&RgU#C7f%mAxT0g{ z?96m}d})hGMN$8ENGNs@EXdUtIS zG85i)QBvnIP_92hfv&ezk}A+8TY5dWt=Uai^S+CH!MQ3{cCS;@x_Wv$i+7jLHJbZv zy&1QHmOT#|w_L9G+?{3_pfR6Xy4vyzik$V;@~W=?iqIdwuc*zoD(b@A<24<-v|&3?ps#zemzlVCYZdR3GtloHG09<-w2L7}yq3{y*qy2X~=$}n! zm>a#4XJJ<@7BkK!Rm|eI?F;ph4|q1cZJLL0BWttSJ^r_0YogYZPZHL=C9$UdHFB@a z_w)7VnqX60oG<#yb6$LdN#HXaJ4GIYhpD^xlef+*u9HF91RyzK0plS?#H9-F)==iE z0I7S1=Nu1P)SdgYujmi9r$YT?kM;+Q9|moY(v)?x5RGoFJ4ri^JLywy?Z&_+Ayp=V zEJJ%^CG_cnIwRABo*G_!r1$GyF{X-g)hV-RLYt1{iUy9mibWYzGO5rwJN zUp%`^V8oQ;B zKF%lcU(ONcZ0ch36U_33z1K!KDJP~kC7U4=kh%aY(`;2cHP%#Gol!X8<>4W1UAb>c z0k&Xw*^K~)Pt5QSI;TrW4I_89AxGFF2q>3O3BKD2(lIX6*pr$W&4E` zZglr82DYzu8J}*s!kEwcY&+|qU7m=e$Q3KjpzLml{tbiiFDluSa`nFHj<5ZHmv@?8 z(l~J<;zxjK;(D9Gcu`()F@HA5wBGIc516il8Q^awk^bMj$L zO$`p~N5FVjo7k*P?DPBWDP+HA82`rkVUD)$xlS#SfOkZg4$IpI%Ir?=UQU40=ssVZ zjU*c4v8(Iu&Mw|l-qTRT`CV-^z?%yXXPNUM&y>6a-%gqin*ODtKaACD)8lF1UZQQI zcd3~LlX+CH30QymVn$$oN4)v4t%+aFbos6)?OHY&C9~9oUAN5A=?fR4=I`jWk25>= zzRWX=s>1SO`i7Z^-TVnZ0_^+XW`d?i>r)OBh47c-W<(ggT{xl3oj#W4G831JgkN&U zjATm?Y`@R__^&6x{H#_v2S|4$nPtjOKYskAe82eTLZNgca)sFlx#X}-Z zp89fN=7TA%LVp^|2o0`eIZGck0-9Q8Iak($r2~4sax`~0-56azlRd-XzjfVliMd1T z-!_kpAE|sU`B#_7=3hB`co+;VvBrZl>Cpw5)*P=oF>?UiDX*tbV;{=H@ICHOX(^?wg#t7f|uFYFC@H+`CRGeT)2?;ktvzp&?f;M-^?-4-Xr} zABco^V+}UX%;67x<`#7Rt_{i5ovS=*#RN>#(El!PInb9OC4U_hbS?Qd50B7tIrVsY zK47&G8# zvPxre?sB>L<*69^RZTfNIY&jpe7=cT7sS$DG0gY(V*cPNDbqvcMapz&QEAlWyCr)#t* z@97Z0YU9{sXCn^c(XK<@C}#d^OTZn@zj}<;YOv0;zNqGK44b4s9QQr|dhjd_G}os+ z|9ST-g&cAriJp}$i)BV99E$Bitu71>4UL!S$_Bxtwp!Q2kvV)>VDfJJXI1)7Sy^&A zt(lN8o!+psHz9jJrrT4!1G?-O^%+s76%(fo#R3jw>vQCyu4rW?mr(u_FPA=9Cq2%K z*jiM(%aBi zTj5uDihOVBzI`1MtL#4H-=nCUkB513#;P(B@p#1COzzEVmoD>6*SV!#I`7>vuRWhz zQ4uP~mN6RZ!j;O=XxV)fHuXNhWZ1ELkjXNN9<3fvsvU#7D3;9OoDct^obY9WYIZOD z9DCcy55{TbFg40MlgPAjc&z~<&2^SboD$u>Oo7kJ$dxNh71u0G6CCEdOD3vwR*5L> zyL*CJE|KVVm@wrFm$AKx%zZ|!qoMij4RUutyr*Qs2Le@J-`A<cy5^mZrlicP!APYyH4CK z|3cg$-=9PfKIKq&Ut7Jt(PmeQF`ry_z z5!bg9u2@D0cIHMS*Q8JnbEl8-&f3>EfvSj&C)_GR&DJU&!jSEiEK1W{|2GA_Qp!kw zzqv7b=b@8}I`W@rwDMmLdD-s@teS%Il8yHe4-*=gB4*cJ9mnByS^zi|c2sEKv%Q%e z=314MM7Qrem9RBSiOtH%QNTN{@X7{9^uAo-=}k>8IhytHA3PYt`wjZ%b9Th@#5aY~ zC|PK{@2ox`d-ty393N9Usat-%qUX8=Jjb`t-`Bh2z#O$`eo}rQQo+PeoqJ@RQxl)p zpX~yzn%_ap*5OAsNuXGk- z^b+E~z(9p7isk42-buBguVuhWzrb7k%yYRU8IHr5cyb{|Tl8)u1Oyy4?-@H+=@l1$ zxo^OETa|Pvx3~7)<(_-Zf?#s%&E09D_-L6!u#`#=>CxWo10Nzm9cLj-{p9llQkYM( z&|eBcHC8q@9X2q3R?fK|lR*>gf#vw|c*}v76 zxRlL2Kc6uD{)Ewsx16&r>MOB80`)~*YF}f@2Th?n6zcAeDG=??*EhZR_N>%O&I{>z z7ao+|4~2MFK;7oySy2cUryBDeSr8lTDpLn_b|j$4k#O6D4l?Ktl*FbgXc z!4jVPRxSlXd%%jxtJ-y11wr?^{0>iwCK-S7&gHArH7c5^Am*HN-hSpyO`TNX0~37P zqI=G=#=70rGS5YCH9A{rZ*)Wt6R>j7=H53_4Y$l}ygxtFC!tBH{4Vmeqi4OjLwAeZ zx$>GF2F(6pWdQsTm&(lD5ry-;pse=zYnLc}>gRSSx-gm+Dm-ahb^lx)Vr}9Qq-bh6 zm81BHZ?WSz%z0Zl`y40H8^hN^ zOnh*-F?3i$7c$((h&9~&m?ml@RWUuPRsOE&bpt@Dl; z>kPaoU8Z&@!ipyzTu^4cx*mzb{Nc+726ge%5JKJ7Qp-BMvSbQGfq33;Q@W@1wW5u~ zZeG_pHE}bPJa-LCw|vkKq%>Z&(JF9f%$Jx6XB8^s8CfeAUw68=;k`I>f`H@0ucGKq zk>$flsZZ|-bNlUgmUQ=_kuv98ow;VzDcU=_q6`yEuP^)B>IN7d#4t!E@d!`4XV)@L zXJ#Ln5T&)VO`qP2i@nm}so(S7XjST)mY3u7P4j@Gub@{|k$B=HcUKprkgNMH$FkeQQM2ada>XvFZuQA~(7nbR zE@#YIBZW{uSmgY$#nUd-I8Z3lL&d8k<2U;zfBe8vNklz3~&Alln~lLlvcAl zC9b*#ts%>qsU3HzeZ-R@rYV(zjhM6lCb|&ai-?ps`YurHx@qq-*LRDRtA^)Ok3_SH zw4Tx9%WK&OIz@?R2_>gMQwDEnZ=kzmOX5gr19`&yI-oW~xz%uXPQU zaBX@x`#gT1Q4&7t(+Xx`hqc||jO&SaE^%xR+oX_)OYFL%t?%7l*1db#NrJ z3w*B{XCrmgbo}?Jh$q26K6VeGIwt$AB=Gys>2S@Q9M|@vlM<&#E+TpFwbC`{8w~Ee zsGIO}uqdc=nZ#7L$(25q33wFG(9z{G#3H%$B494;6-U9CIpc0`xv7(Z|183JwDj9m z4Gjxqys=P$@EG?xjB{Hz=(6`ypu7afrQM?S*eYM|@Ck#^P5$;AZ99|t9=Ol$(>w9p zQB>sLRu)(o)-eN9=**Y1U0__g$q;5$ns}7$HU{>UQeCFEam-iJ)Xb*GH=zhi3HVke1YsQF|KbEQIuu)!Y?O;1t!GD_WVpf_Ujl5Qp#SKxj&%YB6 zsN~nl&3`BE(-ps=@%txdA!aSWuEuATE zZf;KD@#73LeM0qE)S3vJxsuGN zN^cHzqWB>o*g?)*b8F!95NS;n0^x8XvD@h4Tfr*>5_(`uuGb=Vp^JXC8{TkHSt$fGH_5NBqu_Op)3rlu zBWqJv^GUluoMatxSUJRIW3sazm~l0YjHz%Gklua4O%@y*$6OjK$zk}hVQ!grs9Zo) zmh6^6BLow<^mcVPRsHSPE1nb~O6}oJ%2^+ajmp^>qki~Xa;bX3bVX+DxntLlI+~SD zDg|%1@f(dCsj~ujmf^%H*=kWgI8p$ENr>Vjx zpRlU6)gSC%#~@E05SnHyTpta=NhoyrV35kH>U*a*N;)%|3ns1bKA+ajwe#z&2}sOT zzU70HPt}ngS{eSC_?BgDRfc}$H#-s01^5AO?TWq8mT}0mzShE?Kwi~lT54li63L0x z;6)+t!i6yWI?h|z#vs#D%IC`uymqGeGp%gV^e-P94m_V;z~4bV=;dNlKt#5-cNRI8 zF)j)qG!12 zo31g!i?c-S-P3s~{1)$X@aN^5T2T6kx-}L_2>V-v{G@L_U4Fy@&<;C zcjNp}8K5~$o{*65Iq0w6pJ~H8TJBlWRdiAjALaxWLRPJI`_8Wlo4Z}zwmI+oD69J8 z$kq9ueKkc2mce>@2PW8R5z+A@^WtLRfE%OqQZbes$ws1g5Wh~${{_x@`q`}$<3wRQ zZzE9$x&LI5{-HDwQ@DQfX2S==AS_^U=*Dq(7Nn@hvR^g>tYZ5yXX^}@(A~@vf02Jk z0}RtF)xMveNt)LY^1X}KL^>=#+sQ!BvPBR6qqMXU@-~f5*rGlc$ZQ_8b$3UbBD`AP zP++XuqMINV@|M^S_|6lMg&h^{r!7=WAICB?GjW#5EnxmZ2lLU!EigRqlj_wJpRlYc zowwG`&Jk8QT_s||4qqwml$2Mv6a>8g=(AH(BLUKCsoLNw%z(UiKE-n<6}R@xnR=7iVFId!h#z{~ zVc7|HKf!6pmU39L(PGQdD=(jbS2sKN)R@~7_L%dNdQhoh`@GGCOE_CK#om_(J6Tra zj7cAZ;G=h{9W1HzgPC3Y}3P3$S zcBb$tOq(JjrUN$kIR+nGsbE$}Fu$yglllHi9?PIQosKMOg%B6emiRG8zRGJ9fk(s8 zLSAl9KklTvLyFQ5Nq-tCSq0&yOi62uLiTGV`S@~VPabJ$QyN`xz^0_e**PMr4d8Ws z3QdLeblkn`FP8+irEsIt=*%iD1C4Z2fm`j(I0vgub?LXG!)vUcn`iy~K_PvC&G;3I zYId%EBsDeN3Fv|^X@>~)XK%D5^u3)C-&eMKBmFk(hNSA^XZN&k1VkwL_*8-A51Ym_ z={_q-f_JvpqfAXPwLFExFB#w;JX4tzDxEOwh6qRy(~9j>c9o|-FNW|$*A6?4O%{iG zv;>`p-59b8(sF-RF<5&28L|p1aN*aX=^yOi|NCRQ!x<6pg88CfkJY*;GqZO#N23Vr zRJ6PV239?qG;0E#a|;XXV7kbYGi(ZKYUO9P1jr8)cT0qMolci#%go<(sEp5##Nj4W zEDv$;NCm}rf{q<+ZHhnuVb%YsWIm9bDSjVI+t$HbcLNMC=t@+JU{LfBDXgv@TU1t9 z1iTk$Vn4HWgom}aMr9@g#D8{3jQ$Ro4-oF@ZEyalSu?oh4o^85jhuXo2m@+T{6LUO z0mX!lPg~pbL@{BR;iBy7iJbaoo~hq=7e`mvp3WII7A~*H+MFHMKH(PMe}}VG%L#?9 z`Pk2n*1qqyK*eZJ!O_M2tOjb$g0@S8OJbZPVPPgMsLw@}HFC<5Ur0%65w6IIqeGKx z-s}19Xy}5H{bxa$-thrbXT(P7BXnn{cTHLzr^8iKO78RhCNB?b=7Mcp`q0AUvPmt2 zaB<J9_1}iK9Hobg9$knhcj> z{@?joOjOj`hM%qlGV6O&lX2dGM~;`e^e&>wy^k$H@Xmz#>Y%|}FS)8&89i*EC^4jm5 zD!5v?`8A;UN8hQ@or&j)rW>E6Ud5E;KMX_2K}>hn^*UR5ew%##_7{_?^#}APC!OZM z(EjG;Fa8zS+pA%zN6qsd26J&7&;Ri1U}AET?dHt~%%2+?-BrFZaXNM~i0End)oh&f zZTUnI7=KoW#^@F2+eU?m6v5Q7lOnSb+5OaPJ)z6Vqd?kscg#;-p$!q||{H zv(1J1BJcCmIRk@N%V46<<^7!`kM?4KZa}6dNihHE{+9XN#t$71&b)Ix0RDR~vDIq1 zb74GdymOrbM{8v4Kp}dU{PGYpYO>;;q*1@;4?)7|G|ybrG!G2n~1DjEHFhmdveB>atjM4Zlkn*Jui>uqr*d4 zb`Ni}>*}3`Tv!yVP<0B6;V@npI$chF7zEIUmX5ZHTAHwCufi11SuVE$DQ#nIA!6mj z;tP!NKeTTt8~9;JY$%<_*?dvXwp~9)(X6x@yJt|Qg0ehmZdIK%E1d7%g*#llm))>D z^&HJowN%|P-}~*PsnJShsydRgCBe+cSVFSkvF|$&x_7Z?#rBM+ZSC#%&PyL|(XRo!#`EbX$-$W+Kob&zl@;o2?^sWO)<4D;0-s|9N zZne93-KKX#sp>zc%gMN-e`H(k%|Sc_@XPjoGc6EsxiN-sUr$Cn45x?3Z$L zq#0Zqp$mh9k|4XU0=X^Nj1wBiV9ID3iHT5bj+|!cr^)M|K>Mm%e^B-4X=tz%)niHt zj?T`}D(R0q26L!?R69}Zq+Ae81#nFhj!j&AJ{aAQZYD~~o9qI;22M^T?^wX>r0MyZ z-C2c@OVpIk9(a^+J7571@l!AZ0s4jzJC|z-ec2ih zWSTk?^eY=I!UWYjCMUaQY%)5MrR(2jS{5mzEsJK;ArO6^11{&OK{6ILk&Lh90H3~e zKL!fI$3s@_xMArY;!_pxf{dhmy1aEiL96;=;;k;wihBz5SZYS;a8>h2RQ>o;P$m>Q zf3-cu;4^OK0Z~4(z<)pJdh3$5|Jvq+QWyItW)Oy-N_&NTgd*+@~|}Fbk1S6!wF8q*rdSeT>~;iSv{+2>o&%9BN9|X zYFHTCBLfW%4W`ut{4BzjZ}Q(hA9-?fxHpSLFy;#pAv&Kc5>}W?)_&olBW09bHbk_% zc4uYAcn#*RuuY^8!l0uP=Qx!4Sj%3)qem=0hh$%|c9HK~P_e;WbSK5<-iVj*=$A<+ zOuAARFK%d*8#OFOJ2Vg;49Y}FLhwjqhb3!lMni+!#@_0+FiAq>gx~g1SJGB>s7=wf zN`OZwfPP1pEjY@5;N^Tuh6)W06|98%WA4NqqV!D0RRI*~KOSO}k3Y1XB1|gH!P|1? zwS}^zGOU}rE#+%dFt%vs=Hri~;*!PwP&47cp6>OjS;l7`(<#K1OjC=FwzBT?w)p4X zdRycwNR{TBY)bNABk_sz;xRi3|02}?@?$9MC0dv#6tAlFyAa>e_l&Qv?{_t_%f*oZ z!(U-&ri@f0*YF62mfk!S2Y^UJjM+I0a(+si+@(A{c0c8=RTS?><%zrLQ}Ob4b|LwO zaHVA5Ehk{g9{_NwyI*L8Y~QGOsMFm2sSeZUL$ElXtK8 zKFA}QZMtTtIHHv*k!-=wMTfLP%*Fl7$omNS+SOl2%j>y0AguSv+S zp$B@dSquUM78GEpI4KkF-tcI>7IlvoPUyZiP-o--9Z7A; zWhV`l*JyL{E*c`7m9{buFQF2K&tXL^IbZ$t9eC+LQUQW49fP;!?cV_u)kaG{eE6p1 zI^~2W0KBsm%RPc81X~`Le`XO?0sgKrBTv94*EgK_Kf=g~e>tcg8B_+V5`lRK$vW0W zE`2HYS_I4+07E8D&++RcoL=aI#ZHoV(QQ8Ma?8{jxgtX!RLJ85(jV&gUq#Q(zPKRm zyyLdAzRpd-nrtWsf{Vr%gn z!`RJt5h2C>biYm_Bl|n8PS!n*@t2GEEZ zzwHJ|%eDQe8ts{CvC8^R(@?$8e>ohzTsEvBc!jm8&Ws=~mmP9;=R(G#7An&aAC-gHk8e zJ-ztX5fXZph=vba?Zp&-2pk_syp;C1>NxyL|G|R?!I@RJ-tYjP!n3<-_s;>4mT&+k z*qQn2R2Q>8SKN5)8&V>>t3O8hl)ov#KxS?_!s2Y&=AV#QA{&6z1gO z645Si;}}WWieHj~QfMNg1F2|8Btj`G)&VD;p@H{`mkH&n#L8EaLtERWdDD)mdY@oB z4N=!0v~`&e9+I3F(YQk4L1Pk$j^#B8K@}S8t;4*W+gM^&JH(d~w@pV&GfV9!X<;4D zX95A(Qx+h_u_<*~a)+7J`lPe0Jxh`;h)#(H2Fv&ElAU&mtz3dq*Lahny@*3b=blqK zZy2et&-`jxupQ-kOq>PXgYC{%g@xDf&i>Y&_vb$6-6oGv_M3XKW>R<>@6*vW@VJd| zvt|oTY7_g(>!}SAZad1uuHJp+@$QmMcR0Kb{kqFF%)kaBRkE`Dif$Z}rC@E|@ck{x zYM#&L)Qa;^1oRrSi+v&Y*0c}ufjXTo0lrZuO$4c*UntUS^T?w>U6insPSg`If7ypn ze=?V?_QK4u=*eiZ?FH_OWIItEw=W1S?poKN(2C-w2lUUrzQMdA8KQk>84#YNGH7!E z%F{Kr$dj-@x+&qYvskrL{VpHYLivUL2#`>5S6%(a$@2FBTi*|9$wl}#Yzhti<+4j^ zoMi@D1&OOtOV^rs#)>^A3w8Z*nO!b-?_(){bhqCnBG}iU829$Fm@>Y!(6;Lxc3xyG z_d}f_3H(vozn)BNdJsU-Ms&J>{fv0u(w>5J~pI zU+X?hpEM0CrxbEG6u@AiH&2|CfPVkQELs8GDqFtQfPnk`RnvD$9X9OK6*UU$R=rpH z%3>6CW$m8Ae!ftdfvg&2>5+{W8NMnaoxXyE_0o<`i1-wTLMrmMP10cc&+p+7*Hg+}1+%{07<~BEo+H>RGTdaL4 zuHdinD3kMWmm|mS*2s50jHi@EezM)^{kNgN=$0 zTkZY}6E0cS0ojtc+QZE-i;7@~-0VYs#p$?JIXfUkO#blVj56gn>e7q1bQ2tCr!E-!Ip;E`)p~`{_`ON&V zSY^G&G+1&;^d?^Z6P0b15z3w`yGxE+WbP`>l<*hrR=QE1$1cTwkMok$Q<5^zFJCSs zq0y-v+K$e+`Ql;;KenQh@GXX8LCV80dxNp?%rciJ?zVPJ?2XI?4L)}1LmPw6|AWgL9=Dn_?Zbvz57sP;Wp8=3hQCalsPge0)fu_m)n^dxeg0h=)1 z3(li3i&3oQ4!a~FmR53bS(cm`n_bg_Hs4_K%zv2}`+ML~YEjMoat z^Vme#TQ3$mSjU8-ib@E!-$uLgOv0Mie&dFJmjMCngI0Y|3Yhad_q!~q{CVTRfEr+r zU|27F)!3N{AY1CJ)WU*_-%ZUgEhzxZV?}>8x+Ca~`>%;tQctm8|0)hOGj!Xp_rdB2 zd9A-7GVp8Q^BeAbtZ7!{-xH5^c0K(17>guLGSkLq-m(kyY(0Mk`|`_S$6>+ zD<`K-ofPxBrcL&Jhsj#Oi+C;ufI*PfMHddWZ28@5&Ce;^C!bZzKCiH)%Q0RS`#9w1j( z=i~hM3ns};&KZh%s7tAY;mrEp)oE|y$>iug{>@K@j8S=Tkn=p6=r`spP;7xX(~2AVkaFeJy2fa?z1+JJHQCQRz-?>u{=a5uv&-lOg_LA8j4-*IPCj&F5#l-1v-6ft=hI} zzHdjLYtpcRisgaHsdd6IRLXUXNaWIApP}4%KmWV(u}FXp*Y#EdCl3$A zw~V@w!r=2ro+-KzMRnkvO+i=u!mGAH`_*c80Y^lkK0xu9{QlGxnoT4)#6=deb~dm{ zO2XnPox~nF@U#oRX0DDFz4aEL^3*mkxXlC+kR>;F5eUoFhj2}}^w_CBe{OEYmpsIK zRHpz)ndHGjE?_ne|B=zzVgsp#!Z%Yx+t)@N=wO3`0{c37*=)kNA;j7yr-n{!WTyDx zK7776^>wu3oOV(k=`YwJVVcGc%~4dh6~6zg=@qUEhYuxvynnEY@>RGLrj2VWr@=&+7YD& zePa9`4H@8T0L}h&FRSEE-I{@Z)9pGCj!F+8>CpMuqV~A?Es$B1)kIn-= z8TSlqI($)Xp0~0#uQ$29zvH|>!6aw>WvDu5PGS=-U~)j6NW;ds&V{$Y!iq|W#SXSB z%D-Hcg`WzL=emwi?L@Cy+rUs3a4_0==<-#(o6kZ4s$o==8982qDA{qtE=f&!1a^91 zFSK=ZM8$hUHKN?tiwyi$M767bCJ<*8th-#PxIXK%QF%eh_U<#Akz&7s$mr-1WdHc! zy=X3dPDEGjL;A@%w@l;!CoZQIz-Bfr-mWhUUh><^5&sn^Mz@ng?50n^e}k{R zTgZWUSThe)O$l@?CU@>vd|71UsF>n-UNM7D63mNH@UHcC5QKiB{tb=F*G4eQU-=U+oL#Omh`10imNIJQyowG1Fd+}nM%~?uZCwuW+qRZ`7^vH;aD1PmZ z&ZOM)0-e+|=Y$*>K*S6-me^LN53k-~XOE=hh_mdS;~g`5EMpP89CRcH5U6yuv}1+r7^ zU0o~I3aEbM9tI4iss}+ETE?M=@pfcE%a3EnUL1cz#5NT~+%dy)!-b^mAjHjdJFY8CS%JW|7I>eWzorkFBvx#?!QjKSv$5u>OIK>}aw8TPeo^v^D*2|l! zm!D_kdzxl4dy9=tE7Ur`ah1^-I3(5n3-Bz#lbwJ4y z$F9;>vW2W2Dz$2=HJ?<-ZNwXo9iSV($~+p0(8Nka@V@*T1<5MFNK%xbCrL!8ZF~D7?%%^kX<0Tbf}T5(r6Vbzm>DI)5E1VAT+l~*awik`*7`2Y&abgk?#Y^t!z*5H z-X>}jL+Z`);9zf{es-^$7zi_l&aTaL7sjl9w^;QrZGu1ixZFVG1{dvxAbQ&Wgz+ck z3{hqr{?k$E5<97Zgd3pPY)A0`;Ehf|umyJUuam@-j6mW$|AC{> zdix}p!#gRbAU3h+75j7kO0{jjk#?n^cIj4_pvWc|5WD;BfITnQY+$OK*u-+#_ax<_ z$Hp{y`|f8y+*b`tLo4$EXx@=jpD?5zbtw*Zgm=Sj^|yjHCA`}QdJd|(Z1D3#R#b*#8#rV`MF(1M)x7CVKD7A+&vCVyQV}sFva8>N=2sxs5MJmm-l)2G0!7~ z>fw)ilPXWUk|+NT4)*6AMesIG?^m4onELM`^v|Rt@hs8ad#R+eS$#Q6cTIoX1t1sJ z1H4V&a>vT0#60q)!T9DAb#>PS^4TR#YRu5$``DiuS3DhuZ+Y$J^0VCGk{xFGvfM+M zV&rpwMlK4Gt~1_T+&9e3sOum3;_Q2ds(}3x+EUJoFu4rLFS&i-`RBMG+O-}CQgIawUZioe!&#T$e518cey)kVgLi|G-7i;o!WaSWOPT!R9)(80oxM4x~ z1_EWjlrEI0#L!cd05=pC=g_&dJVultZ1*XSI%#0BsNSTxwHEW1se}kCHah6Qv0=-DF(9N53-=zlZ{oVmu6-1BGLVMKY{!=Z<=Ok zWzCw~tONIs(1!-P00Z;v>}2=%!fsH)07QHQkA2znd}q!=D`Yg-8FVM1OLL zVo6CEfzWFy!@~$L%ZrP@_BSZ4sp( z!i72q(H?Hj&fx<}Vv2x~(G(zUlzMC!Bs>ay^X5sBLH$l;dAYz58_0@7_v4;q2^IkX zb*A{(ST;a{)HNEy``4BJKmUu~kR$xu7V4r31&=GNG>Lbg&wj(pX&D8-A!(6+sT{+$g<$^f-cy9Ze)Ug=?(UTU>6Dfu2~fv_rpC%R z`+kuipq~ct8`U*6D=tT67gg18Ua9}HXv@6dQN(zQ@|wz2js5srrtfTCK41vlbj3#h z_{oSfnf;`2Yj2r*?^l*ZW`5epjHG^Q)99$So<7o`UqeF!G|^2wwAlxH^l;b>9-HBO zUSXBvd!GRjPp$*9OetM->%9*jVVIu#%4r?na{hbZ>t3#-!-$S4SorAf<`f|(V__Yp z@V&XlET&#_J_k&K4lSG_e0dso;}r4vUMGP6yzrV_vY4y_H2qXexBw~)S2TOie}49V zMY{iQ_adElMkjh_c(ti`Zj-9ov9pV>7A`or?pc(T9=5T%x|><=vZMrtfuoZpeA+Rn z@l3!Aksi~u|9|qP9Iu=eQMxa7PKjVD+MN73t38_#fl9WQ^ZJ}WiB8X0y4BG)Av3$W z$~_ZMf-`X};=RIn)xrb5J{9}RhTHuS#6#AV<{fweA zb0(o#%24i-k`i29M+{F)l9N8c-VU1!726Tg)I@fSPEQ*i zvB;PdLj4KaU=2UdA@J?nHnSN0F9^VjzK|X!$=Bkh&LSeB1t1vNW@ctuM8V<)7^@9E zqKOA$gir}IH~2s4D3))Xw7H?f%J8YlwNU!7`m#Iu?i?OFHWU z%3n*tK|z)RKYIWjnVz2BP6;C;Bd!eO~93eo0W z@htZC_Cl>HHbEag^fQrBa|;liwIeS1>nPQKL18B!1G%$z$*48 zj;`FJ^&Ox?1T;K|m_nkR#H6HGfqCATJcUs10~|!PHqA5h<7P+gz8i zax1U^%n9%lTeSXUX9xt%4w9n^Y2PMUic;hY{Vn|?vIL65V#K$N>Ll&g)AZsFG@eJ` z@BUT){ZBFdXKiws{V05l;^;exJp1e1We?#VVt%GBMXTOneL8icDP$46kmnFo5~EI@ zB3?!Vva&b{ANLs1g4I>)I5CexdQs=^S_4P4JA>IOEtq0s(B9`4$UZ)NetGjGSZ|XH zB8`?dMrV2Q8P z)FpiFNw?*|{u<}(?Ak5=2L7>>-GQ<${Hccvl!9A*9;41p!FQe9oWiLI{WA8Day!Jh z*6IH?;z)UYb4c|;QQD0pevCAqkISt4F=)k&XXt`MjRop$d+=dn8_^%je zt~t-+Y_+9cV^^1AT6+4UgUe@FSy@ef0gO?)3v#AjcR0)z98+av0Te}oRG

1-nAk%u}^X6El&$V)~x0U%^Wl~1+P>nN4o4`l`Mu})5 z4+lrbvWt5mo<%l2;J8wdbOaHwt5+x}ZUS(6#ZbGVlV)a^Q(yM?_iqUaJs;#h6M&)G z-5#=_QHze$_#ykT>WREL0RJ9bMU6*<(H=z0Yd?xg+zS-`KGcjWYh{AM9_cB~LLcSs z_mDFsu}Iu_#rgCibaGPf7Bl;Zu@r+MnVyqh5btuECjDXl#5L1gb@k!)Z)SVWee<<8 z=oqoIg=ksw*vHTQi)`l~My&P=$VBwFYs))w`L@+i-4ts~##Kozp_fIx%V&6obwbqv z&O**s@G;8X``{!{M=&^VM20P8@cY?#60Dw-*yUF(fLSCl1FHA^_R>L3g1Di!y zoF3CpamW|^zSR%|j{KMTNp^#y!C&bz;6sNNC)7=&<53xFLm=>&vw8EM~y?kc*) zBhvgBGaj56^2T9MHfsuJ0xHj*-u0%1IVijD%RUOeuf9gAC*c0FPtsp8O`O-Fq=YN# z1|9axN>~+DenbcBh0g#tVc5@_>q<4A7Rf}1bC)yth^aU~1y#MRT@!VMYVFH`ZeYZO z-=pd}oYT9^1dD&W&)+@z@vkUFf%MWZ1PhM>o-_AL<>OMa0Tw>CDf4fPpHJPock6!W zJbkg1#c^b!Cj!>lKE=djk>J5Jqx+AorlzJ4FMd9H5``QisUiRQAD44-bFUoPcPaL> zt;pS$qub6uJ$0FSt(i(&eFbM)oR~T_3tLv=`f4W}N4kN?vbq?Sa&GW+RG#2De)%R1G@_RW=bp(6#rb z!G>P_l<;l!+vitUR#giWp7srYzGI#I8(z)^@U1 zqrHQUoWh1o@g>#yg;gD_i8|$c6rjHHxJS7blbp;wG&JOnw|bbuLX?F$8{@&$FfqeD zE#;#2y20PSvaV0MmRL-nYz9N797ESlmlKu@zpauSTQ;(utYBCtqkh&n1mormS{!9! zEwW??d`E>vTjXa5x&%X8CHTJ0E|yTJ*-qonsQvPo(a$86bKLqc40V2$lG(q` zH|_jja@WbwXwg9zIj_w9m7%>-zaC?kG8OpVexDFx34{mpE8|~2Bv7qcaI^1jR4y&G zPpP-w_d$6l)V8HUigeMtZ?^oxlUXr#tJjQ%>X8 z+-VgawIWhHWPbP9*yp&{{+s`kCOea;E0R1j`P68$rKjBR1gCZJ>QvwBg>U@!S2U@S zJoG}>G6Wxhs66XwPNX68SPdwMww(6W&TCx~KY61dvq;N^dG4|duoGiPsJ`}9| z)qz;;oij*=Eo%^&DYBoesYmTyIeER zY9Ze9YD-DJ96d=dY3R{?w#ItvF3bfKbUzC-#*P|ImnS|*sHCAF9<{A9mr23~hIN+$ z+=tG&*)`6?1|(5j=G#kS945q=PhZb{cJKMhXYiJ|!Ta#M%KeXuQEIbI3!`E^4wu%m zFx$i5D5nP=+?-^nQ%W4)!zD_!(SC`IpTdEdAxj(vT7-EIt; z^e2sq|521b(XW7((|UBsj3PYQ)fmcltj*F7vj{)LPt%t3;)dQ2FMeW4kc_!0+NSy} z@ut!k&rRaJcM6_H`IwJyP0TDe&UugT3vLLEz$IwGggQHLoH%u3W8;fii2_#PO_Bklw~zDtA_Sts!on+;E*Wv&0wclz*goavnTr`q?a*l* zOP8Q5hXiw5#D*G!SOg4%-0n<0*U!)QLnQEwjYmgJN2Q#(U&%vayc~SwS)8cTr=1Y1 zDW(LPe%Sg_yJ67?b4L}+#~7+N9*9R4PxL(XixcBz&m6F1E?jFB57%cC)OnJ{68tQr z=MHByliy_eTMybM9X*v)uPBY7t+6T_v+V`}5I^6>>hV1$@)bwd{6BzVYb28z>d!mU zF8G)s39feaqpHtUSk9?1JCDE3qA|}cY@rvAUvh-3`f7|;3o9-bOfa{~bIhkXWwmPq zFaZ>pz;*75oH@c4gN*M(F%6Pgx3pw-uV7>1$%kgWADI!#v)#c;fP`%g~$9|kvo>MZbsMEUFYTwVJ4XofA)Fde}%w22Q~pYYUR5(Ckg{;d~I zVCh7d8cRHPFBi;C$$&n!Bg7j_TdLgm19h=7(Fs6<#=^|}^-I^({C6*&l6N-t@cLVv=ra(7X=>9V zMZTUZa&33`sM97q{bHZ zUG}t)nC-?_1oaOd-HX?@Ij5?Xsigd2yFQ46ld&r%%2Ct}TE;th?R8ONW{Yp`dnb@C z;_-@0?IsAtXs)qM#G3dm1>udDChcLU;P~2_k&J!>5=!ViOEHo9mWz;;)bB3HC(wZACY$IPmaVQ_Fr}krGLZG^oJPv@1l-W#4OOlvBLpv-;Di=#(2Zd8 zhn9_4K5zBh^cXOkNJ;h{FCV~-U)Z(TK+bI-U*t3MSM_ICRjTUgfN|SLZ($Ygv>2KH z_&|?$qxT*i#ec?<1d=`H(GEV7Z~FaG_HUY+J-v2C){xnufagIW1oQDDJEwA#ann0F zxZlAoF)>{-I@c($nZ3EQV>>)EFfd@((iO`qL;jP4ojshA<9QG%g>4w0{e*}~J$t0% z+DOUPc8^q5>tN?`<(J;Kr*GW688T#QZcgh4Y8}1KC#9f^2Z_QgH{se5S>}u5Z}2%u z<%ts7DQ7111-)V=Wz~ZWU)Ln#)$y-I>VbgW8(DU7ar@kNV1jOi@VB;oPJFQExkP1%2?4vvDRGniM>H?*sWBNzih*_)W0+4-uW!SYe_b z9(g8l>(?}t%i-?g!J~xWmvAHh4dR2`)cT^Zq8P!SJRDgl(Aki;z9pVvzcTan^!{jl zkidVJyh+Dg22J!1y$_-KPgJZL>fp;(M?C><@j3HNG^r)#q(b|LjM7>Z{H4XlOAuu6 zd93Tz?DQ*uPMsXn5k<=8=B7{+KOf&M(8JKv%ZFdJiAxljKG zG{o-EQbA$3+}5Uaa;8moI~emL<=shtjUhqjg=wj9fG`w}>}FsF&Da)C1(ti?4GFFb z591`=UrwOEAwV_9ex($j|7w3NO1a{tv_d1aDhr0;|5bbGfscuX?n|my*O(aDKI_~~ z{pd2;({b~4!O~CUkYmAOP58ieMn?X(i3~)?kQO_{*uFc1JCsZC*=Btf1CAyS6rA#69%W z(h&9a(0wT=DCq9RbVBw+ zGqcwHljrBIt6u_kbFoM%GLC|H#bPDxU=4#J;fZ*_CE@@kzxM=rHJ)#X-y%_*@l|xn zunY*m$Sd71>04X1KD795-RL7_+shj6~j6=JNq5bv~O)~-Qwq0v#v0FslG6zX(%|nmaVF)dc)BF zpkfNOy2|e7=ZE7lWD+w!$ZP|wT3#!eG4zVepdw$>BsugsF_9C@NPYlp?D8s~4-8{% zyLE>2R;iolbU)I{9M>XQ);kI2kk4JbD0DIY^Jn8D8fR(b=}K0nAtJO;dx)AWEyb>n z&yVW+66n^080Al3vC?bxHFN>Q@xi>I>|T#pLTiKFg;6#&Ii+^~wb_B75XH@hF8AB& z&F60(s9%RFKSqZ|1xVa9UAo`8aVl;POt>PX3^X)Cs$oL~>9U?FijC7h{CKxk5BP&m zG~)2X)6b=(9P;Ox%82&_g}Mz4eGH+q;k29B0Zwkio>RcIaa`AgMfH^hnm zyMC~A78wXiR_66LUN&c*3D1|PeV}6O2Z+B>rI7&6QQ}sy{_Q;B_c~eWj&N_8(TB%4 z$7OROP~U3#U}J54OG;{b`eq&F|Vj!V{)O%2C6JWCUwbv3%M$WTAs; zEXvKk>lLI9S@?ELm@B>ei{N%K`G0G%XpSoP@Az7eSBwDro0l$MHqI9WPJNKcC*`_h zDXF^pbGoecdD9Eo{InJFU^m38tj~Kk^{Lk~dIQbN-n+4O8DiS+q{mQT z!p%;CyCSP;O;`eI(e9 z1CzYBlJRTN$Jj8t-r>&|P;L;R4fg0miw&g|WbV4S%AufEB}>P)_^VUqcPqbMdhsCk z+?z{R=+DZ0c2(8amdiBI#I7O+bS7=kI|d$ZnpouOx~oPO$1U|Mi|x|HSFS&Mdi(r2 zBYv+F=Y_6?m73{Bo9c!`vCP@lwa@=1M7l93C z#o%kaHw+uW!qQePX#mCjlnRvedHlhH$4uu(#&xE9QKgtFMnG^n{pizlewzu5Aw4fi z3@gy8ob1Qt16h21mu@d={FsDHqk6p+r%on-J9V1Mop%f=tV%j)8 z@06Za$9C0eJ5+}GxTggW%hdmB?XLK=)DyavDwNVrOw;pW~wux z$jSX8-1pf1#xM1Dn_r`45VxoM6wTUNc|LsPZs6Sb{6H7Jje>t*7)NdiQ6Be%|H*56 z7usleh&F8fHPeK5`#LEVHC&V>By#MlCXQ~5yrZ^tP7qLb0LrO`f(JhzUK(k@_ew}? z7~P$mX@6G$+v4VDjk>r6TQ?G!?u#}Qhw4l8IwLbT%~GIwb2CC}wYd|6a< z$VW;pZ%21fEkHhUR2lfWH;j7Tz5C0kP|x6l%qgru)Wv+d=h~MQc8S$#MVUojH}{ zenjn^4LgZJ|KWLFUJu-^d%cAsBOL;=|LY{cSiwzHoAyn(w^BJIx~%SGi|o>HMuxb- z$c7{#hvWYE=4zzj{KCS8s-&@xn4mpmhwCqco6Ji{mj#+n?Dk?kkA3Uo?pJ#|A=!FKa}3!3p_0t!V9% zt!J_G2>av-NFH-wuuS?;os2e|Us?wYPOjOug{l z#$c?ljjGV_O}G!gs^yeeg8TQnIEuOcvZWTUtgg;5Pa7HiHBrxQ0=pGs)nOUk-0NEX z66eWiPFsi8^_EysD_dXhHY?seBN4;Y4C(JnQ(A^2oO=d-zqTQGDL8;d{-v7@-^RfLv0a*BO@dBFi(^A$UA%H5C{ZJ z!_1G%s>*FI+jBEuFVG3CJ$W}2C=Dg8^S-OKf#7MNfr?|BepWbD+?*?Qkqn2LtYu$D z5fLuZ2kj;V8U{=4O`Oq&8b?uXwnFv8vC2_dhF+}PI-bt3%0eO4XFt)rp2I?q8NZ5ju|P5*LAL|=8HxCm?!W4; z{;4wO?*$Y=P&NmWOIvW042C0njLxd;lR-A_AY+Kct64`nIq< zyR;iK?Z-ygpJF`{(7v(Z=a$`5Sd@cZRg%#9?$E}p10zm93sdw5x(1Tn_<(}jNUf!dF-OgD+* zHFWhVbdpgQN%z6SEjO#daNmF9y?%&~7)oLL08VHspQG_Qc*0K6s?ieu zh>5tmvYavKa34VzHeaj+Sxj<&469sRT=d*cB^j?6{pb5T_J#eK)Jq$ZMs`7^4jW56 zwJLa6C9byOzOzbx=JFXWHIs4L8-Dt4f80w>l>QiUEwLQ1wEA6}{B*jOI+k~?skjJ- z!;O?#C}WfGUK`T!3Q|1i>~~C>VtiB(Q=O;uY7|HzR8Y*+e#&@CohmDxiUtjtQZnrT zYiMZO+~Y?O8J9YklTRJ`zW&=tO zD(qb#Yf?|OrX1kttkF7Ek?GckO?WA8aI<3b{TbFrppYPrZNYKBCKcnh9Q=_hf=p=x zhO8{5afzG}=7e7loeXVr_t%43Y(SaRZlCX1^dFaka3n)&@V(!^J#aWAcbVH_NiXYy z?`;n6V*P7Ui;+RoHa4=YJ$~qiFv9d6#;_%68n1L@i2svN<6$08D=sUH3_W_OX z?|dTKP1b6_WK$vPidg($xPzb}S;0;frio$q>r-RTV(LS^i>JwpSB%)E$)Ua#txbXg zs1Bl&YHU9@xeuHmgbgWOYL5eiT50A%tG_r0H{OSX9M;)Ja_S@xek5?lFQm(ElZk*O z36%Jv9;ocMI_BO5kZryljJ+TEy8@LWb^7!^Ixv^_PlAux(HOef9zqWZuZ^{az=n<3 zjnC1;r<@Qym1YnogGzoKa$-Kr7d_WaGt@==devd>WaWjw8|0nc2?VhW;hEs=V*|T? z9E|ksUnqRl&XX5D5QTl@;htYu=$#?2ZaJ6j#Yvb)Gx-KwZ2CF#F|p9U>Be!_Nc*1y z4Jsb(xj%_5=!FC5q&z^;-f#Di)W*t6)PCFX#ovA8chTU9Q{CzdqL1-k|9A@`@&T2n zNYd)^*Vts8JpIYaD=L~BAb1>JpoR6gNBG_6{831x#X!P=60!Zg1*)aq9T6sIVj0$0 z{_dBY2w>)TCTXf^Kl3}S`A=^3_t&J5p8?X#{3Z1`h5h5x{{AEWL?(=uNdc#JEn=$u zPn6^DfAjy>Z=N0R$SHIA__rKzpB2pTy}K`LL2>(U3lETe;xE#Bjfv6PzxkTq+lc?@ zzyrRrT>t6dsLxaO_a*#KZXw_#JNWpQ2G<7uc5M4+kMaNC{hz=4XQI+eW;(wyJU?Se z2fOR9D;;ckq*v51V>ZUF;@#~+lkyI^E9*V|=`HOK!xYPxi&X9SF765SO`<7 z4|~xSFDN0|Qxb0z#=3X{C__@?t21OTz%W(c@Guovxavz+r>_A4Y|k{rMB6z6 zW%sgYcx?yYWG72XwIus_J+1i_Hd}G%XZAhd)G4R2#fN`l`Tn=RI)5E_k5kJp=<{+S zA8B*O;x}Ujy$qhxiru^&mPBJ>eS1Dj`J_Mkg04vyo~L!=`Jw(GYAkkx&N8aBw6uEV zOF~*&+Kq&<@9!z*l6}@!Vyw7z%Go3d09nT*>+aWN;(dmW8VuRX`{yoQyGtY}DCo4e z5VN#>`B#iu_8%SAb#@Mpn-B-~$Q>~y8yg$rvH?7pAx;B)j%q$07rMH-N-TPk!}VK& zX(E#RzXx5`zKbUu;LD_*e8wRVh#2w5bB&irw!hkx%peX0*~tmKkt$_WvR(OrG%O_6 z)A^~$(zXh=Ka9BBwCl~Esp6jq;y-?M?Gq6Zfq33*1umC)7oG{-or{%NDCbt@OUu3Y zB@`M_&u!odsViFvsoqBTGj`$SrOGE3q+5+zM@me#LFuh_bFP)?bs1*;>T9dQdfn9Y zv-EM&q>4|B$#OvQ`cPMQ{4;}RqEF_hZeVoH%AS0^H2GGBektdk#2@eMU4}HSTL^;N zi52&9&e(8#yM;p*dC;`P;1a!8bKVxp?i*-oQaiv8+^3`9`|`v+sEwzM85UwtOZ1qs+1tFi?DWAzaFPbdAw+}DCyT3WIT3%d(PaA+jS zS`^(=7lz`X+wKp}>H%mdrxqFuQ=8ESh|m5{5~*ufk?~;MT+jaiJ*ub1HX{t*>$=bD z5OM1duBq`o_g&xJUjUcwF;$^Q{&4&&+y@2HQYfF9ypviRF6i>j(v9yNnuS-lG*vBs z3a)$3eHQ=euv;B>%Hfsyf2T_#0m&@&7phkhdOwr;F1~^@F-f4>Z=xi#aS$wQI^+x) z)k8HkwR}L1Bi#eJ+vO%L6F+h8<|m>{#3o>4fGK!D$l{N7D$(&sV|e`u`{_D}u?m}X zpljp2z_7dkI|E+O0^O=bbZ8U=k7-`)N-zPNZJ%GA7#N|r{WJ)m5G?60btO=9JkJk` zj*hNVG&3Sya~O$Mw$(z-*A+ha-`a&gD(Ammyex0zc$>qmf)>ScMk(IgJkeu}k_9Wc zKFQEizv*b3@53r&XGk3trNQg9*11;kbDr$QR<$-u7~PYQf`Wn)-@UB>flTftzSzaF zg&S-C7I&P#6cGB=7XSzaW2gP$vZ?;#l?>k>q?<@BS~|Ki7ohtd z6Hygejc_$(3BmE0MG5oH*zCMKjFDq?SBjk zC6$S)$z5#F{aaCICGqNYYv#fvXXw8 zoyjBf3bZ10FwEE@$JL*q3(Yp-&RDadi<@QS>|C`(=wDlUG8I;#g7ZLmP9tS!)5!m* zthfh805?WEXsXY*3T4j-_D;Gz9H#0-i>TRG#71n2>Ys!9VDe(D-#EZTd|2rZmNke7 z^72-HRHVOdC(qjhXYv}4V{pe%^VCV+4vm}2F(lo@uk#%0mor!*%ZqwHy-Ee8QuVr8 zOxy!CDBORq!?61S!kh0`J$8z2C1Cl1cCD+`)1-TXbc$ zt*xy-B;ZXZs-2v=1QFkNH|K7i>B{T}UKEW+Zvrm!?>-xlYmTv~FzG21*98k1|)~(cV_Q<->a^BclYjl|NHqD z!Z3X26DOYYoabzPlr}&+AwDu(hf7|55RhEsR)2h4qM zv{gIeP7t^4v~Z00!Ti45Oa|wrcd{j(&RJHCbV;@2b-pTK0L;kHP@i@#BRPGGyg-bj916uf!BN4bG`kfYhv(6S4;@iU-$2Y|fZ~QH%BKWBC z8I2|F@?5Q21R*&Ar&;&-i_>@q8|mgXdp>x^W+qI-3!P4gN_yUluJK3g7h)b4fW6GF zp^=UrygJIv$D+|2DvXx zuf}fW-&t4)AGT^BSJ~8Wkg}d`ZFzj1=h$$98{L8h#7WB`87|Zm?z_v3L9BU6hbraJ zvi(Yf(E-d?XGvYRJ7WTbwKbN@Z3g2-UuG*I4#eMtl8ZMuCvnVQrHFIb9d}G>v$LA@ zmj%hiw4^gl!eK_sS#*c4qr_vXD8UnFne?QO56yiWlas7r(OEJhr`8|P?dm+U30TAV zrGv{^&8GrQw14rIMZ?3vtg~Q|1q5X4J}kNiHuAjxcRuDfUg5_V-&Botxtrm3oY8Hi z_jQzFk=0H~)?67ePab8U7l20(@N|-JvPzt6T?~thii(uvB@gSs9y^xkiSr$DYvr1* z1?Ejp`p9$BL6_AQRP`Pva&Hqj*nNJX|DANWiB;hU05fkVih<`gem!POB1v!OJr$p& z+kja?9=umbEW*?RX64a*+W#i2x4Sm z(@}I@TIh9;hP?)X_fCS~WAOI|=sQ)kC~2K=6VbBqbqbfS}^)wU2v*ocoQ1@dhur>f*!!6hZ*cX5b>I)4_3 zaJuy3UM;++2_mG7T?`fri7%@65~ZTT(GKI!Xmsm*2)FDk7|7U7pK9%n6FY{fz|s%e zbV{;1t<9KzSmS@t8mU}hu3;hlY0^qO^r}C>C1qNmb-D4vjMOZMx>D)*f}*jG;d&Us z?CGbseTnK;CYx}*?^7Z3^76LqoGkaAi%>kvO}_`)9~00q>0jqdJnbs?VWgmZJC%L7>zZPQ<8uCRF{Q=rA>QO@j4??fDrm z&^;B7S9&N4QibQO_SSo*sVu<<8Srk;#G#Zs*6D+71_RyJ;%HA7Ft`|WK41zVxVN<$ zbHKZkO6ZqSJolb+!tZ+a-fVOsv=3)HH5|b3!#b2OX{W6OT8XOgD)Nlm7_Qa_0X(|i z<-20iJ+9~>`v*0NZK^AD!PQQP0VH~ulrUha#kqLtei&X@sVPc3E zVLbNc8x~p?tz#tL2C^q_d#v#l$aGLLVCob)ISos7?%EfTA1GUt`S^>DI5D;N=U(sM zV4JFP>tsIgUf#cX@UCZqE9kFBApbgjoXgma(!12BhX|!8I8wfh7cBKFXS>F-C9=FH zvnXZ7+Y}QrmloJtla*eDVL?w7QWW()^o%k=q|!jhin)AKm){Q2#C@>4x{6w)r?br9 z9Aw6RyMDWH1S-YZndwjg+FhHiT5?`0oF%tlC8jp(r6_gtV;4y-XgFJ_`zEt8R3hmJpL{*}W56 z+3Ra_BOhf11QuwXiBfBCr?nT$rVVp-jWxUe9jOp3xsMZEkGrgE9M#g<8ha zF+~KMp~9CD37isd+oz(w+oWP5+WnRXzzEl{=WUL*ny9bC@D(&I%C`(kM(kI}>5s^1 z54G*v@@Kpwc4cbaoSqyq;9W`#b6BhzVQ#|Pd+t{n_qT!smiyTB-V2T1mDLSB zQglU)QO`FOeY1d&R|jm4>S+;;}<5RPr^e8b}q2X zuwb8&ieP7=oOX_Vs`)iOaC-YVafuk8_Gmh%O}xuS z<>%)!3Z{Q)_4LPF<8lV%FNrJ_a+CHII~qiS$`B%;q;#Ilj%}CIAL(OB%Sy>?wmC?g ze=U4fUKDL_m8rMF96YZ5SXj+TIwoh0yZ;5&FL+8F(^N=FqWv_^tuHT2O6@z8%QVnq zQ?jK8%A|y?5vB66S`9DwUxJccV4%yF%YEtN+CBlUX5Yb2g3cam5kiQU%)tc4BN5kh zYo9LICst=gu$wgs&*KgZ7Rt*xyrz=9m+>LsosC9FZG&7NvH4cD#O#p8c^|H;d0DnF+2RNd*$kgQI4`_m()%p>o0D~d&hB@;c2NGMfg*4(Q zQ}FZ4B1G?pzpGe`vS2|h{br#*k6~kJM5~u~98GX0Y@bAE`*egDm>3va>n!3@8gS%h zY-%?Bm8<1cSEB8$gF|*iUA5H-bN<->e!mIdUhN}Fm7PzIp!+YZH|KYSx+y#C&fLVK zprK~Q2975C1xKlj~0jr>J*ry1@LpwC|2No>y z%U?4p)N<11#U`^;D8?O}p9_o5CH8(q=dx+2#vP+KwLjI_X+7g^delH`Cqu7e z%RMM&!Lwmsq>Jf5bYaNqE4s(rt)>Z2=07fCVz$65Sg?mq^`_5Qt@^@-MnqhKt@}O2 zlO_d~qI!u10~B}3=olBmP0~LmK8MU zi00*z0>7u6XRPpU$TL0d>!@S6gNBAi#+23t%L0H|YXY7NpTkYy7&Dvg9d{(I=k7oc zN9Uw0`%YhLKUsnsxM0kO+{k_9yjVo@>Z%4QKvc-71wQ0bOB4@>bAn6*LF-nxnnm7x z=SzP8F*XOM`H8KknrA=iXl(F>+uCy(J|l1FNUoh_`>qxwNO@c$l9QD(0fOhb`T14U z<#+KT=UX9Oq1_eo=@04}tR1!CaeeXSM}i_U*8%-(nxXe};c< zkSrOY_DC*{(sN1AKVp_;)>9wGZEja`z3sKr9f=qg4*q1df%H8Gi+G$E@MBZ7N7E8; zk|>>K-tb2#T8*kIc}j(`yctS|h%j$p(R|{4O1ck(>Koi=GD@-n*UJgK!m3ZnW9&$V zl$NQ|g^ixi+I7>jW@psG?XCLCobBV4l&Jac$7r59bqW(!rWdcjcg-ZF_^2!YXb7~~ zC_vpTkXrmzt>5|UmykPzp=U4Osm<%rB*Opz8J^4)YYEJC0G9iBw_tIQ0V;;J2~4bboRrZw98^98a&50b>5p&h{D>3 zVP^cc`@|C^72D_|#(5B7w@|uBjTu73sTI@4jQzrv_{*!ujRFfGchVF-m)sJsh#EHUUU-%b;JT&%(@H7 z&+1xSH4l0l_=zy6YQx?~X}1n$JpMMg!vZ4j8i5A6It8&X24GH1OzbVTHA&SdVRr)< zd$J@25S5^cQk@{sP8xXC#>*F^dAzxa%$L5#>y$6Fe+hK3@y@5_tnh(zY@VOp1dV{H zfdu-xH$6j(U@o#X7>T zJ{c@8^^8@I|Kt;KNWBB`*1l}k_*)z-6B-T_Om9k6_I>ABze#w1IJe*K?En7ALx>7s zVHx$rVd;m`tLdAQ)*}pDmDsBS+Juk>p86r@rD4;^X5Zm9)qZcf%4P!mG|=kaWWEyST$6?%dr9Pl>RvV@vmqVj&v1 zuVy8I{w_?KebMmWO-bc68Xzr_{*ciI2^7c9v~>2W@rO6DtJF;}eLk92LUvugB1 zMg_$1kA2x3r#ZOYJ)CPVeNXYUuMVL?)b_g4O~iij{`UOp*a+lwnZEelJ3vk&uSop>Q`2?EP%};@D1nz4h?gYq-Ia{mK4KVja7s3Km{RKuc zOu7X?l!%#`8T%wbu>Ba4_zvPa<5fC!GfeqL-YQcKVdV_gP7i3weftEdn?-G|SKR=? z$-~_j*VBS&LR%zs1eRMXlUsIxxfC-gXI>OofP}&Y)MSTbm6SpY62uVBjHkWTO6<%^ z_8Co&>Bkg&j?pKQm zHh2u*S$`STi+gUYAnDh^gO{H;a>b`+q7z*L1nba+nCd;B1Hme=6Ji_ly_|roU`m!H zQ;So<-0W;@x3vx^KAB^&Z{Lb_QJxi$YNzoe`&;!{PAc%_Q9+@3t8d*lzi{Zy-X3|{ zX~48tx{7AH?A>Eilu=>l0tg2u3BAJ%`vrDW<@ol@bTKEAohlqkQ{vVhg^~1rXc!uw z*E(>z!Om__r8irJdjEdojTa_|g;DlpDOB8fNsdEsNR}s=-MMf%#mV^roX6ODZtNyo zZih$gyK6}T{>*O6zFP~efbb}nI#?OJqOg(1OHX1c5EiX+Y2!ny>s)s}fHyerzT4m) zsWri6JyjdCKO0kz;R^uv$ZEIH>!LMQnH1y3Eq7NHaIPzGt%)%}Qj6DJYl->0)8cqv zlY$y-hR02!H~0XlDC5%)Z8)V^lTH-Oe|QN$0M794#djA)>ULgcZT*vjgL9^il zHTq=jiF$vORF=(b$HI2JNoe{3SQ_2VL`juR;bP5qn8K@yrM9v3fmD2(nUlb)1fVv^ zY3oqUP+^}*9IeXT0B{>vn;U%#BO!5YViUyGr#iRg4jCb;T@Lopfs+rvr*M1Txrkkp zB*56NK({O8RlUEqm!E>kj9irdN!lJ#@NvIPw*^x6^%Skiy@1>o!t-*m z8gJr*(g_qfl_|TWbR3NM=-N|dI%?)%m7B0ud??kW^XW!eu*r!+b6rPV(YO1x)H`gY z$1Ll{0*np-HOx`68X4|_`VSG@A|rdl;?~(=u`!#v9^MudoFG2}ncg0Ku*v$%?KkoC zsqBz@v-?u%a5S7ET~yP>ex2?FC==hn<)7sREIxwdizF*zz%7f@ixrnMHA|Y|~oVaP?al_%K!( z{>&VY;t>|Yt~&%AV1!{%mlxQj7{obukg$4=GMM9rjosg5nM;r)7rZ+HGHDc56SHydP% z7N^#~*5EZj_%~jS%iMgV8nLIQsyYtow?Bk<@7ud3&;*7XD^1J|T+@*+$s;IE9xOZ% zAQRaB6qt>QZq6%tNsKd<;D}aoTy5dFjO@~|sv~3t3|}e&G#>gj2~B&1LzVY)%S?u;;U0XskO829Sa{{D05&8n|e z9K#NmVFbrVsj4R;t}Aa3AB)pjcI{s-UhK`fY+kXqvEbAi!I2?|k zce9NVZl&9EDVLFUuZn5pl0K&>HGoB*02^;YoEfx{z~TkC5>qtb+naMr72)C89aiPY zjmwTp=0nH{O4qedrc$7f=ocOyE^J+bhMQ|5eh?4|nOtAt>_{p!Oyu&2NVEG$`tzUR}cwY^y+vF6NYmRUT3wT)iQsCJ>fD>8hj<}kZHfu}lb__|-Z zI^%R}-;9Jnd)3a!sU5TGV}Fl37%AAdyS0i3YL$+alFd*0alt*sd>{pj+wCSoY5Ljk z0{+W}R=-c5C-jsiHhQz1#TWYJiOq2Ox3$+Mcy1vsmQ014WQ)ejlvZq~R5a2A3y&bi zbZ4&zJzkK@d?lwE3mhhh`3XRcuLWxv#yC(qqZgTmihR2vfh7@ebHUhAT-yOi);12g zNjJ>uZeEQL3ApgO#T5$YeUTjIgJH;aTSq|w6iKs}#`Ac#gf>~ghwPZ-WA&uPAqXU@ z4&#r5=$9H#8r{0kmy@I2N)R6Om@EK2Z3}d!=Zk4K0ts&Qes*y(3C0qZ-_(I%Lloct zTQ@s{>#?T66*6x5wVb4fSxZ72b#6s$E+ZY=a!|Kh#o9CN~#pO|K3jX0`RzGCH* z!+dLot#Qv!+9WlmMmD9X7p*)|*??kkB=$5p>M_*8 zpq#Kcb3+2STY&q}IotL-J~>5qhzXl6u_ucWFr4RDC-9U=D5R2C_ieON)e6#A11JEZ z$gK?^=PBm9G{hs~9BnS$?i)qtuynT??PT(cdK@uv9o4rh0GTT-_6CQke?6XNV0YQ6 zEcc$NUi+_ku65FJRug0*T-h~$E2e*Q31a$Wb)$LSF>I*W#AUC{2z12V@#h{(D^|T& zlYT$_yX0m`Cw#HRan>{y+SCm05(zy!lDi>{v&)#Yde-b~N2j@!hZ2=e&P45BYEC^8eAF z-o6cqe?=y#P3&>gfqbU!bd3nfBp6*1E78RJmp%C(e_+nTm=N$0@#hz(Pe8oJ=LY3{ zN@JPJfA1cAm%{vW+XMwp1fx3(y}mV+e+wh|{uytI3095-6%P`L|M92(>GS>jXW0YJ zbVkK}|NqXr|JNU0rcdh#S?KS4L>p=hYdziWJ23ZmUi)tj^+{Ea6(JsL{BI%Qzy2=2 z`v;EPg$+JbOp^FFlilx+&HtKAPbGN!(K0)O@8h`t{rTVg;{QMWzga*}rPzmGrG}b+ z?vS)Ias4i^Un_U6!F#(dXtH3~f7aIDc3E*Kd~=pe;Movxo;N063;fg0{3l0_rS@o} zcdrxE@7$1ML6u*9&dO>i;OEtdG%RFUk4Mh>PT=C2KU*5IvG>b}W_e^_O#g2_;2;0U zqXzdLMY%7(92D?5*jS6fv%NI`x9;$<=Rjr_vdNMN`N>{*bYRg*SODb03Y`G7puWpf20#*Z z%_f3eif_G3c>U?f{M_6)VEN`f?qk(RRw$?1nUQnI^^TM*l}BLj*$#397ohVO{3*+w zw4^MTKZe!|6wPSeA9x_C5>)UvDK*DD;nAxsLzf67*sl;94i;?#u=enBlx1X?bEQXu> zWD1MO&*B`fNQ`JkGxW+PcbCEJ`Q+r}89P6q^@XvUsSZDw?@n_pli{))6k%;cDS4X+GIL$+Q`M-Rz27K7R{) zXNiTF{W77!cqwUg2fGKXYul$d^tfdBOv z;aD!5jKi*u5&=Iu88s(B&FwPo2B2Zw>OGpM7y$0v27hIMStZ;n)LP!ZQSd+bW;d^K z7wuv9I>GM13r(K*u3qd9vz#D4NdC+R#03VUM4+)h}}b-gPxg2HLM^+qDh zQ>aarja#`H5gxu$EcU>oJHNX$%WiY#@4_G?Gnj^xZNh5;Kf4+MzJickLSgWV0Qw)? zJbGZ5V0tEQA-2S+kw+6V1rtm>qCn@RwNG#Qi|v1`+4AdBR0ceqiQt$g`tg+af8Yr&|N z&j{$l_M{(B7EEE|h`gv z*Ox>WOFl`eMX40#&Xl?pHUh07E<1ZwIs;=GfW&=Q$3qN_Wnb#x9Lcj9Co8LXHc2Xy zcw~QVBilb@cU3liz;}<}!wcD_~Xh9jMmBh(uX)P6$z2HE)1kh_V?)LL78NRm3?OXDjI>ko#5D8C-;4^By($5}>=hphe}3yv*jXDzS`Dp|OY1X* zdP9y7mVD~%CBg8#-u1vd(9|T$+G%KM;v2s`>!9q>m-C=uy+FLqwb@lF-B9>E>L9tngOlaSFN{BnSAO;pf7pS4EDVVR#`tu8o*Ps5_D>GT5kPzM zoksJtcat&??g`+y6l!@)l#J||GeTtwZnf_E+-Ky};Vu5KDejAhakkJl&lQRF>hVw~Swy_wEE?9RN}=FmENjc7!?1 zRcAL2S}4k!r@IfXEUH*NC@okmGc+^#IPf>E{Sisb)|Omy<&4SUw-xtGCRck{%QsL^ zi<5D1)y`a<`0|}V-xJnS{zgg60kjOhp>8Wty}MH>(9QJpf4iAD^Q5dvC9F|598dkY zjviE(SfFIoFL75K8XB=^hlh@RA^#EW}PhJ6FUOYW<)oFpq8%=Hox z`14xag{-$Qx-R)0uoW;?MgN?6bmS22;uvb{r&xi zPRrV{lx9PDM6P1OtQU1_$LfLB;F7Bq3XVXI$*aZbea2a*B_G3?H|vDi!6Hnc_jN%2x-n)y)p-3&SXx!LJjjG^0~s&|-w?JZ_It1u8+ zu{+6VlSYGsDH4Nq3)l@x5D%?~ict=#fx?-wJC!Tf3vg0i7uzB?;2;zSD6 zOt`B!%9s6jc`*f23=iE3MD`l6iPeMhl8T0)Fg0`xM;%yr7;m5IK2|P8wr5)*9mCIe zwdl)>g>tE?Bghwv9ze`7=((!Vuqal1Y?favrh*_mRBU@Np|TFD61A5Dc^`Ip9Gi90 zf*Pn*hbT=Qz&k6m@j(?|a=`*R%%>HsY{-R_7mtYhr}=+pZjO0lvWJop!F~kGL>3FZ&!D|>Ug_(t14BbTjMbOcyGV6SU+0mA72dm0ML_U{79-j*XgQ^9m^w= zm3O#e6ouQ*VnR-$OSWV7Z=WPnA$Lc&xD)!X4{($7ptLJTL@CP_M$3!&Pi=~OsMl4Q zL`kW?eWQ0k@D?bJA?uNtI{Bjtg1buJbSxQlt+Ci5c6WBC1t^&-b|3PtcgaU>Ul6Tf zDi}OxbQ-w=)!{tcwE2(f#LSu(=z7!jM62}aKA=prc2o!LM_jX@bt^z)+mr{Hm4NA5 z!jZysE!hI=`M$Lg)7cBJr<`Fa4XVuR8i?nN4rY^LC|0Lhe6{xGl&FvNf{@xOS3FC@ z4H(eVK;%Wc75!_+k}b=0wspIHv9}ce))&U(i(}rD0Z^F=y)a=&>N~B@E0v{ROev=V z90j7-PnXi1MJK*7+ol2??D0X0cM)g@7!n_F%xFJo%Kh48HNyzshF5A{8b6(@}4!m#nn zG@**^u)EwKe!7ns?flV$?K@z*GWHyX1jj$JR>p(uL@S6^2oQ=P%B6)48pp81(H!LE zFMp0){Mod|wMTGH*E%z}b-v?cJ4wd6Qlr<%?foW% z7wACtOT*+)bwX`~Olhe59BJ_xz*CYIdiZP4lKJc)c@vZ><*)gr>Qw{`0JX=u#Igb+ z!#bc_jbsg+HA^Z2mKr8N=1wnxY8L$VG@9Li>cg+G~>pz?X|rnA&zI_7Z(d^4Ib zB$gDdJ>!p-dCab};!)Lm9Y+?7BB zcN+1NXV^ox7}X;>maL2>;3{PAa61x)j_=Ie&F ze`i@C*K;*0rK{}4R3Y@`*u^B-xIpP2L#G&G!*uKnTGpIG>aWl6VN1M1SWCpb4(M?K zqy*F9VozF;v51yBV)EU>dk9enxy6LB=m_&q1Bd9#`Xc=--o@tE*J4H!3-y9-Jm zDsQ;0h%o!QN;>Nfl%!;%UbdF~;v8eyVbtfWU@IAEy*JV}w@%hm$I~Y8>a+7s%&*-{ z6yc92%*)ohOWVYm%LwQQG7G4&i}Ro;rWeSEVFG-_s+Y^`1)1n5?B|5_WuuRAF*R%y z!D+?bk!3#Mf(pd$VR~MD2pPET=9f2sel!kET(>C}mE`5|IfiWH{V4dj$r#F#yc>Gb z)Osee@a!u)62vbfj}tY5W1=oAXRglgIjzTv)cYkjH~at2?RcMb}2$3&psXU?GRn2Y^9G zGONJZ2K?FVua#?CqSP8MW#jJLhE&x}9U_%2?eF6-O9|`_3q0fqjaZZehPGvag>;2Q z(Qu2A8u9K#&kFYexbvnT<-8qrAApThEDCx}Q z1%8o{wVSbjx8c4&Aw$XbZH)X!9_KgisZx-Dmh$P#Ye{kVB%0Q=GHDL+LuwpE7WK)` zjlm61yNyg-u6R;Xlo+vzgW zbqLtjTQ@(`eOLe=z(3c?`?c~2ChKGzWImM-rizjFD)wWrm(O^BcZ3@;RGw5>Hf~vg zX&sivSd%XTyJL7DcyZ$ypYz83!$x&g7Qi!IuyZTxd;R!`e4*|e;7A-CEDYh460DaU z9N?kaQ!HmRgx>iiU%Yf_Ls^g@^;6hej%RdNWLE>XXeuJU)PHf$SfSHXr1aW( z=L&-<=$g%dGMrv;F_qcHx|E9aOj0{f#Y(Z)XYTbQL-(l4f&ad5h+t#jUB<9Q)Xr<^ z_>+2L<~HU7p&CiJrI4jb^#q7g)@4TtQPSMA@n2mXZy4@a&npaQp%=BhjPFb*0C1W`L&Y6vlAVrfOF|Il($FuY+)-jqmoP{Ff#qag& zgUcRKaK~P>KWK}=MRx5Bt?|ps-i=}4rhHquW8+(&u}Z%kHTX`R#$>42_Kjr)h7BDl zFKSO3Qg(2R>y$3h@`q1rJvW<=J9z#Tsr>Js;a`sw{00WH=|9y_e90XiJ8osmd{lh( zMTN6>+SZKc=+eyC&8h`6WzNeE70#WiJaU%ppxr~UOMaE}jE#UD?@Uu3PoafHdwTA^ zyk#`5vHbB7T;@`laZx7qLY6B*&6ID1s{jnb&*z4=|C*^=rw|wKQJX0ZJIynxl{#cO ztG!ifkuH7v=mz$yq7G=~=?Tl~0SD+kAvY6QJ#>x``vaYyjJunI8l)V0kAXIW%DX7R zI_v=5T_p1F%IueF$DSi1B5oMTm3}&k0^;IXyG~xZW@gRT*B?lop`9+?(s`1up;Auo zAVc*ky*45Sg8T?dVHT5a#vbRvo)@M|ZiWfMoA=LW&~AQW-Y@RFwv`|m!R#r#XJ-sS zaRF+%ff8?@pgmLygJo3@udb{}P(5Du;U7Ra+YG$VzpQjEtE|Lo+2{M6kXgo7uXMAK zvZZ(rG9o%A2lh_A*MvN)580Mq*;eE1FWLU&iHiZjQMJy}qaBN(-b?J$u4mahe{Yli zwOxPWtNWgUEv8|jQ>=U*M;uGWPs?P8nw}XPP9rlLZVJTN%SYKJDrBfM5lOpLZ7dCv zp02R^7#X{jJ652QblppJKRRk-;{Y9(>1@PylAOCs-7<<^BM=hc4~UL;%}v?*O)oa` zb!v`TAGSJ0dgE^Y5-`3csqE5Ap_-Eaa8eANUz-6Lia2KgK)|Xw1}%>lZRff~d$p{1 zHs2r-l0259O^+HJCI*UaQ}`g&L2}zJ4ss=GWKYTlzQ3{LWz-Qb+MKx`0jTwk1uol8 zjrm|m)M0LMsk z$J7lC=b3#@mc4ud4ZW2$Q-+>X(gWTDrwPZWg$W6bN9}n4m`T0qeLB&y4u1Q#h(apb ze9uVR)$JuAHth_vD(tLC!$;@u=Qwy|seaNCbz5R?Wb*R1nhOr6L+_aZCx5dO@=IdkM zzx!_|A_)FOGXKZ#T?CcQ%_gtB;3?iIxSaM+i~XfD=h%$X@=# zZp`Lzs~p}yEg!k;tNM$;4Kt`o-Cj3Gh}uxA6uzCO8BP%xSuUnAQ5rP5LiWI_I87y| zp5WoTx0b@hUwc45B?X!a+BFB3LDlT>)UAV%`_4VnnT6D(!J7aX9E~ZVy6L5yrkYp% zNf9p7jVNHKSVNB*5xlw&>tf5YQS2WSlk}rIzRq^vutN9&u_+3{6h4B;X@8( z#r|F`U;E!3%<}8@e7FSDS+WiF6RxM2OiN|Sw^HhSHtF^`pQ;$;WH;=-OBt~@7-P26 z-+M7V{RnfmW~in`PPAit`KFCfv!(vB0Z=FvGc?Pz z1%j^Uo_Xd&+zT|MgG6?B-w4gOAa7mODDDD{spr))gh|BMw-%w~yvbMohU92NbD)^w8<}Dj#9aQ+Rs7l zK`%(Pig|mi5J?zu{u(JH75W%G10(W{xz7v>*`z z1yv*Fz{-EQI7;}|9UH&+?U~X${-j7M2SlI^m1BC$tqkzXgx6+5-_}o{BaCypJHd&f zAkQw@(g^|yn0En}W%8B#V45>M(nv} z1Kr0?lAMv!1t2CLh%sMXuaMm!$L_9UfcT{V$|YV=P#_^=7a;>_v2*$1>}KIxI(ERz zFTjYNEJXXC0-t*7f!df0$deo&5h3d`gGzZ7H!sv7Yg(a@o(cBKYYAw~M*WN9As7L* zD~G-UZQZ{|O$>#pu5Bc>-!;>E<}fD#M_sOm+7N?{8g2QJV3 zWFaaoQ0IyI3<;HiACqcsCYX2HL=Em$R<~V;rnWXbZ>0}?bV-rt%G>h2pe48;{9a9; zqRenC1nlT^Au1#Irk#aZ)nja()vSquAt-}aqY;XwbMI3mJUrY!6?&gMe=c8+b`;p} zHRxIPTRj7im738+%5bL2y|E2<$G$e#rsX~>bzS8EtV!VPg7?LGo3FzccpcgYEm!8? zp!C{;?1YZB>?!KL;b{<{2;iroX)rIIy^;cvX|L2NC*~2zE4>3EI4n-@$fDWJ`j5Jo zIjv_~w{p=eOp)el(5iQa?Ct2?6kS&-1CsXwC`}e%z$-gI;fpjqm5{4jLN7dV@bXWS zbJwn2zS)xWswU*)OPZ29P5?otQ~fkI0Z?AV6~gioJ@tAYYDVO zN($+g*e{)~9@!mbK2@PxhZxAx6OoNWl$ex9yYD-eOuka9K2!p!Xgd@X&K=7`@;wl( z!6^1TDK6?mjZ{=XQynu4;M?JBK#EaUT#pONGu#}EuqZ$OB&W!B5ZO_VS!jiAn9e$YG=6eQu=!z~>0<^w{Gs^#vNrymW^hYq?Kc6Y=!4?RnNCa$hY730>~5FQEpC)MEbH<> zxxjOjU-G7q%gElMy=R+0KN-|)aWCvu)=NgP19k@4JXwk1V8eSAJiI)(zDf>XElI1fw(&5SaN>B!W% z+2j0`{-!JY-iv3bAxg@Y|JK!I!+x*SQkSkOUS{-B-FXRSPb%aL=Uw*3qt@8u(@HH6 zJ=jUPb^_h$NBc`FGx(=$@JTegfY3zc8Gfp!{AF?q@-!H^&{VxoD3fTkC1f#|JeqL= z|H_lSg#OreZtVV|w}KoZ={a~ED(4)4$Awqp?cTkTFkJ$%r^k@{F&Mnq9-OgG-a>nB5o{;z$6-PW z)`8mq;-o>8(hb?LHt#+s!Qzbj9k#3PJH7z}WlFIV5R4BFj4Hf&9Nu797&9e5V4Qnj z*EulYCHlX$8S6)l70Yg?hl`iG_pqydog-0OtH0hI>u6#UJkU)#mCrRi*m#yKq|o-PP(4)@yZvRDWh`nlvL%cY62H_Naalcp?mYuupj!|@}Pp! zhk$>!O1=;d_6h7SvP169)mEJHrO>$dXV_PRW2-eVNI`5?)Y(W1j(V<$-EotS1f(rvj7 znn}ob9Wvo!Fva9vdYgtyko89>2jjA(FyDu<_8 zi+@j9E9eFtKavWYni)+nOp+lHe&Zv29_{H!>i{-DD`c2eiCTQSZ@-0G^^-jH4|2?( zxW3={4TYPrs$if3%>d3fW;7#WP7qGHcMhqhzx+02F4ca%y9I;1Ym*}CcA&YCR4M}_ z5$_O=)v$J6CMZhyGwm`qC?4owd?GNnjtZGTl7Agpk{}O4J#f_7a-e93BjgUr`zb7} zPI77P&U+P5nmjdCCggdnir1n)_ao@r#4H+K>!^4;t;HEK!(6jGFz#{9S@0qlvYRihn^{SW!CVJA3JO7U(bDprAA?wjA5~ z*A_>`=wlyc17+Zq%?(0>O~8e5svN1KsIW))0LDb#vHtSm`Nek0H|BLrhzIgPZ}%Is zA&`#1I^j#7V3s^f$!U3UlfhUMU?*Y#v_}H@x092FUf8wOZUAyk(Wxcs(~VJ~>!d(V z34FdZaj)Axds$!CS(@FgnCk!Lqx|?Tf|CT$M)ELS>D7A#g7!?hLCXvGc(NOYGT7_o z>R)_xd!Zmw^5uni^|}oFOO+|LJbL3#AdUawOM;&Xe(bDlywCpnIM#6jYRk2mPj8*x zIG@FuG=t`I!={#&JXpJi=2<9#>JG0S`_EvppG5gTq71RRh%;Z6SbK1-k%IkLdi8#y z&Lqd464F}KK+-~pKu56Zd0}K5?Cv;v|8Oq_y|5oXe0Yub&Yd5B^1}=N?0*G6W46dR z9ZjFp1!#8;M1I&!5uu?<`mZ9eTckXoY>ac*eQRqgU$5b`TBf!KSSkKVq>i)nYafdL zQUZF&L+)&HH;54ELF9QgJooQ@QV$6@d!eF| z^~itoFn`g4{cJg8^f7r;c1kq1$e*|of8!+|;-QfAy6e9B|G`85?1TLCd;fofel%l$ za?}3*2K{F@?f>7P-!)?Y{s&;Nsrxg z9~w}*t;y3&_J_;#v-g$BJDMyjo7c@D?)!VzE+|pZH=jHe^=yc#z*WQ~e4t~F!&olz~*5ig+}Tbn$S&v|#&Bl?E-cu;~> z`>CpagM;djumnv`PWAzjn@K>R;@*@1z@z}Y@v zZ3aZl{5b)?S%`#RWK!(R=D9}I=iRnncjxLy_(|OMc*JEpkL^zSAapnhdt#`_G0v6S zKA$O?tL`*8Z`gAq)^q;|2Qx-ghTaQp_KB+SkzOU!9xEn?k9zrN%pHuY|}iM zkgXg^FHOsLso{-So!!ZIZA;8lyKT~bY71E8*`#d7M{~M?N&^hQX)%3vNU=>obJ~u@ z9C;#!egqx}dYO(k18faO1Ki*2RHN)@7ZtH;#T#O5As2mCGQpoB}Rh-GS_Ppwhj`LPzW4wEIPUvvNY)}E&1H-(nlEZ|hNU@-CmO4Un`1ZOe% zaB(@I!2+8}S2mSv2LC?Cpz%Fvi#&Vt&oy&jy3#P?pzIfO_jb_mFzZa(qdyP_koK) zfRWrgNzj-em=3Cz1GYUH58!g-5No-70^wub?Fq@rGcvJpSp92aqLPARZUP5eZIV>> z`U)6owzeE0^%rRscEF(}i#PkzTlvs~7mqH39-Tx#Gx=G;Sev80IiUe2NV56KBNjQ= zi?w9NrWo+AuWe2QssTv=?9~YW-dd-GUv^jhbIDaz{;?sHhu9NhJmc6zGs%ibUrXQQ}7`jSXuYa=;!6AYw8j2>tvp+1u@BdfE z7Mozy4!~Ts7=Bk%pezD;t1+GgDpUnf=IC|WSTMp!ZGljb5xY^xFPNLyF*fs5P@lLE zDkGkj0!S1fhqRM*zvw^kF>iG zSW&Y8AUviVcq^&7s^Ots2T1%}*m#wF>txdAyY3iK|BLY?UG?cx}EuN()0j9|<@3CfTPi6Lh?QSJ7`_SSgL??CR~#T3(!dkF<7G} zz!cdW%$;=Isj^LXBCSglc=nmwyG$GYsRf{_=$=(u@A~y%AbO8Sm)oqbh~MF$YL__8 zqNmDEsNxgr5JP7~WMrha72xjlySlTZ!lH$fQSs2~YX&uWnNNqD%)Htjv5ut!8_ds`OHdcC7PVr;w_QHK#H3nbX+W&D9 z-?;o(Q*6~-ls4S_1XCJSzjsCy_GW#i7)$E+=KRtBS?c#bf}Y1tN%YiiEDotD5WSvE zt;L#j#F$m;;Y{Tl-|W=yY{mb)Por`y)Y+b?6Uk;iLUKicy2Sz|Ylr;SjS} z3JUK%aEs4h&+tA?o{gy-g08WS{#gmyxWh;OA7$?y*5uaa3oD9f5OFJrh!hK5zycyA zgd!qHmEJ+Rbm?Fc1Q7)(7J3iTLKCEh5&;zf=}k(gN`MHV2NDv#l|9#-nRm~e@67lY zmtHpVJZs(euO3St_)KN9)iQSkC3~95zqqb#VGjn^fcpML(W5tV_jLuu;=bJg8K`|7 zyxQGh=Q)*MzM!M9cQtuRmBW&)Bp_m^sKl~igkE@&Jw`2XSyEF6u39an&@!QHT>^;M z=%CAKMrCu$L5NC#tdXntR#UJFFO z1!lQjT=JCzlG0K@S&RU)z>H5>FG}PS&|}}YE}^dIAiJrA{pYFh;c~W*xUA~Nf}ZoM8wifw z70|?46JBmKA9-yYPk+eTV+QTN%b;MSI2_wg3Mg^Z)d#g-;ne z>vX3&fS%8-Q(aHso#7%|Ce&!f@Q)YNq&0@sGH)8%Bqot*%hMW<=M*f(2aavS590a@F>0 zIo*v8rSUcqf7HsMD#cc zgrv+jXF7oi$WECskTQy(k{Mfohj-QRL<8gr1;jMkfd!-*h%PYNoJhm-X^9=2bR zV#PFV`SmY0R&x>gE{Jk0jm-D6n|Dg8xB(IG3%D);&19P__)ZFet(i_PrZYvzJkIpx zdt2iCl-|xW2^k-MAq)B;GGYbUL3HE94iM!Da2Zx$_BQ{-eXbqa$*u$^ET5uI_i~vH z2AtVT?vtoKHEAB~6MGjoBDnZj+K%Sl$_>&z?hwZV{Zo(6j6N~7MKR>F1zrWJk`0plWfe;3a-~FGUV*z&+=BD_yhWc-^q|O)ag81q#|e)K%E*jxDhKrx6D{l!_yN zH))Q5KC88-Kqe{oXu*<0ber#3L^t80Zle$9jU(^-xiWaydxe+e6BcgZ-WIKYki)sH z9MDH~FrR*M+>t6z#qYhF?nn*NcDUzP_JH+R|DNQ*?3oKjmyj66J8-fu(7Wh3_-^TU zFm7eDWyEP4Z0Vj^!Ef7eK(F0nEfQX7Z6-ai&A`KeGJ9?z^mZIc#Ft z1jW_hz$(IKY^zz z%QoRhoH!R=W)t%I?@cxPGJs`_-;8P>TM(;NpN;w}&A+6=fq-|k`NPi}A>s!nHHoE{ zY?l{Aatqa9eb<&k-^8Nr1895r_9{chesC+aSIMnZ4TeRrqYd6@bApOLO;tB;XO7y| zgayB~nU>jKhQfO6ee5#}8bF!#2gI7z3T6hjR(CGaZ5}H?yCtdBE&)#Jo7AEPa|t>r z>j@{A?||x`(mvK`piGe|Oee&tbUguq8rMH);|zj~m*ycs;J=nJ9ir(2N?#sL6<>Z$ z+n4l?_-Yxvly`%=q~!~DrLi*ybWuA(46=8Ji-O+*xiDN#uoeS0 zUZEMCmKT))4xqWN?8br=P?a`%VFL-;g9A0F?Q-{Fi6h5Oz627DH8Z28$EFr}?(kD| zQ5yK9t*I@89!56VysP*|YHxjhac}X%)qetY2@kTtTRrQkC6*Glfl_6C)>j`6B&~9R zKM(0}L_rK=NY$}f(Tmbss7DfiGFK+t=2H`D9H?e=bYk3BrX#i5&2Rsy>GtLJpu(B# zm8qTIDsrikz16Ahy~uns$=+xu?FyACnS6uDQfF$0SL=z}fZ9&>dEOs1B*P7@Qbj_J zJ@6I3CTpQSW$oLqIxC~M!aE0z|8R9)qSW@2U-RI$Zk=@_Jfv|w9kc-EyPl?-iRjK7 zLWDo(={_0Lh$#Msk=#SQw|eDo9d8ZRv^T0526MaFK( z8^wvcI>^#u#kq+8X`%d2qtkx}@`J6z*Lnq19Jzp!tg2GWh8kai4PwPIqUF_D!ErED z{MniKdz`=XeM6|{E{N+2KY5&`c)?9*>`w34OsBlj$!EYS{(|+Mu}xu3!0+=-Ah(u3 zwFNlUkCG~Yl%byo#L?PVh#%zNz2azdbbzf-Wi_F^I%w0;ywYAhRRuZLuzX55&J}<# z5jV@Dq*@=Ie;JB>s8}kL>t=Cqw5w>_kS{&0T*CkADIFi``(Xl57pC|=gv9E9y>6@k zD%!G@Gefdgiy3fi*T4%(90Rm?c>E2+Glq;1#y9mhf#Nq?If9wVXXR{@$h8u{iQ3}T z-wBKX)l4httNZT$X736}>R=UZ7zX}ZXC$@=rLc!bfg7 z|D(~lGpdXy(F{>h{{E2sG#C=GW_92qh>i*=6Z)wIJ5^;NLbgS5I{;myg@n@gX<%o6 z_)FUd47y4YRx2NXDQv3XdhzyI|Haxp63qY?@gd4 zM%Zo!f=Sf0)&m!Yu$cLUrEQmcotFXw>XoPE+vU1YMiC6kkJx&Roh=YJ!G8ixk|q8T z7QL|zBrjaYP618eP#Ks5KfZMV66doQI6_b-U;Znm5pT#q#+CRmfNIM`I2aU7rHDV= zIv9gb-5GtdEP!0Q-&pjE*!5|h^&rmOq`pxXKazp@Sv`G_GVJ=ZP*-~NQ5T-@=eOE{ zo7`>W-b^GHlKj9GInYt&^QJu2shhIjL1Y{AR9(#h%S=m* zmhgwk!hT2XoEcq@5nuFj;C9N;_Ft9;T6v49-#~4& zRtOlB-epc`J6LQ1vs(oN=Ge~XBdkB^<$2lRJcS=z<=#h$WxFQI@(f6oM(IkzARdNe zwVu}XjQa_r6~T>ux~8$%c`>e)|1>21zuzf(pA8>#o5QX5JqFDeiYs~ELo3`TZWBOc z#Jx)G<_mIK$N7K)1;Y^t@Vk~@%n(SJ@$Z^C|F0S4pbOnb*Fhw~*Wzmi(~Ac>iYeNi zT;rgaBR(l%s*k;v2&6M(rL|KRe$0Snc>v*ssjRTbe^*1$w1+3WFnTQIp<&ng`qL2O zlQaZp)as2W zD7yR=U}z}=TXg-x+0_Ebd5Ej1OMlBJk@`JVc44;o9Z;Dd=j#Hl#UfrOx*AL0`MNDZ;)soc3t+1g}f|iuarXP zNc8EifvW#*y^Ku}H1ryfN4MtqZ;3#HMI=T>IHRV(bIbwyj6?7wv%xB76iAG86~nEOv(O z9*%>IY_(B`;*{m8OY6Ozci$!gHPRSevw76Nnttz8A|C_ zm!v?GttdzW*4Q5{$^+y%QO;3_|2(9Iy(wz(YG*Gpn z3|FE$u~XyStufK)5#w(5sWWrGt^7}Z78N^^?LC;h&MW6Xq(GbD4smkZV9NY*^8HNA z0yOOiZOhc4E}wU`fXQ<4)iaRLz$|`S*kl1%!B6s>MA0nuH+P*z^vn;ouW$DLus zEVU6C>x{UeW-GiHbpSv^GmQ?Y%}xYXvOqjLI;Y6H zTUIO&JQ5K-90dvvQNF& zWl9YwSDRoyLm>HTb1h!ZC!jDDPe4{$*{H~Y*+~1c>N6+GdVpS+TEPE!-9G)jBy^RT zUbW_^mTKb$)OVjiw?&8co!RFzEoGSYRLaU(oBj)cUb{{|);)Ss=P!j~0?bGz4e7kU zmxXfg2Z@7Gh&j=MRK0O%{m;a4wpG%*to^GdapUa=;JN(-0ub$|!@i`<11(IXJN<-Y z+D5!To1jq-wAig)u-_LAe+2{hJg@TJr>ZPR7V~czn>b4Ic-{Ptu96u#ED0D?g(m+t zsLGhvdD&`$RYut`73c_CR}2hHs|ppB7*C_myb%5O6LQu4mDO3pIbFq6e-ZSDLf}x{ zJfkHz^%=Yktmef}O8?EGY6%7kC8updl*sBHJB991P4s?(Yf>#{Ti57C5cS1U8SGugr1a!Y}lyYVaPhe z_7sBRKKkIE75mlm<@9vG<8EHh-e<`AMajX|U*vKBWAE5G0g4sBf-DYG=WpyK-rK{* zK=W5NKhqMf#VU|(z(U8sO$HO)2dsX^!IICvpy0el5A3)xq?7FxGi@aI*1?01mgcoT z2jU#ZIXNsY_)pY2)i&K&&@8L9q&3ID{cr|yA2d46U0&SZ16XdG>&a#H z*?4fnu=KQj<9?aw^0yvoRtC;e=tGjVZUhz#FL}u7P*zVnAvI1;y7(iE@lP|T^tQ!H z^2MV=%S;y~tk#dv*bb5Dg;G|YRVvw{s|8^FbL1+$lRFT>j?JtCV z5ZKd7JWF+kJLr*`iDFu_W5dt`9q9IZ94JRNDm9a$e3NeeYe-92gh&AU1?zI;NqK7-*1kipHQLk(S||l!wUp<~?EjA(6h;h7;H>6!WBfp-k_kM#FENC zK)1aDE+An^W-wO9x+J*;4du43OkSr8=s8D_p8zCu;GW}%G{IiB&Ebiw)qPvcygL~8 zVM82f;H%5wE3PeWRc>Q9cQ@8m&QfQ-0xXiz)~{oszHXvH1WQgR0p6?(ubZhbcU})U zgO^#nYxn?thdl5s9ZiriEczq~<_m!1soz-!uV`e#eamF0*36}UpzFHAj9U}y)(7My z94O|VZ9Cy>J17D9>4kr}HDN?0oOlcz8PZh8QFSkBY}_&bMd@uIXA5J#9PAaLeNFVI z3f2%tUc3TEz25x}wy_eQ!>Ozp1p{?kGfdQcqg^%itmF?t+&As-dz~r+?yHu@#Y5he}aojN6(SF?Z2mLp%o3TnuP67s+(c7-unGzaNbn^k=uQ0E*}Cc zEX`kx#H>!AU6ZzJ6}7FK4l=fOg7(~*ppiGrd6MHtH1`{v#8hq{+h4l)7P+byo$IBQ zLC`Q@JMZ5mR+}tGEa=VZxwWTbKj1&tli@;nXk*ie>V2m$Ei#@s8LqYUF$t_dpZfTM zg*sTICr?+6-Y#Zptb0O7St$%nqclZU#1g>4Ge9|3i<8l25w#t7al(U!@uFs(cFnn) zx~9{v@TJD;%$eU=ghqN=N@j0j_|7Lxiz-2nA_Dz5Hov!&KN^kd+Wj4 zpE6kQxq|n5V?_ya-^A2puW3U6+?!aY`*u#|_s-CV0B+R*Qt;1cYXAhDKD&w!7$k)$ zBuxX*t!)J1<@9r7nkCg5s`ZgRoz^>*s+2NkOk0A^pVO=PiY72vCa*3q&F zhsM>MGnOe;h0)EJ7Ip1lKm0qt?zcjhI; zLaVg>TC7H!ggO|(>*Gl0PQqLfvI_$-tgE-^t#ks7=W>~B>X|H;gkO&9EIOVjWrdHr z$PLyMpnALLW*x74Ls>QL^sT?8rpysKN#CmcK_y9Kdl1N%sH6fcfThN|J1rJjwL&Ex z&^#yMZ^?esJ{Th(P*)Q%_*$A3Gpi!KL$451+69IXziYdTxpAq95~h02%OG@&=i;;r z>f=J}f9I9^(D#tv7z6}@+Z(zG4M7McF1Y{}uHm1>Hl zv?8m>RmuSTL!PCt&IYGb`d^b>g&|jxB&;*nl)7n+i_OZzjQvgVm;)^m$1*|+*K1+W zFX@+sdNE2(02a&>tH=>*UlAMbAfK}8o0YkmHbSMP1_1DqFJ6mbJc$YlW0-dwI@K^B z)Hhrc1&Aw&I#x?RCXu!y-@x|_XH#7l55rBDkuSeuI7zp6HtdYMhTCp6WqZMf-xYn2 z2*pM<`fJ?rH1{u!lY8M9WA@G6TF(r9(*clXtz$vJPaoF#&^G#vB)#@YJ<^CTy|}Ry zlKd)4q<^tD;or>kI_y}(j%#{)U;75GjdwJlj!ez5aika6>Ze%4W_k@@MoC*5ifb6{ zcczZV?z;<*d7*u+r&JU64b}C4d0q#0XFp!S(9zccL@kxwm~{n)Rb$ifn4j>9dQyj# zVgHl_xz*tJ9b*HTr6|#|<29btT{A%8tf>}hyh#yKb$4ACdFb>A^ZLlYel~m!M}0Sp z4huuB==Br5GW5MTC~P*w*4w_yCN0*G3mXsSzg4jI>pH(zK9s9EZ#WaHOl3c}2^Ma1 zJ*hkI}dx>!52yI0rN-a97c^2U{0N4zm}Sf8M685WA|<{CM70oj({?e=8_R&_f= zr>YV6Rc?AAuIf(L46C(O_xR2}Dw;yJU^A?OE-!_Z(Mut397d8GF})>p%e=zoI{ATQ zV-F{WhVv(WD_$98k1?j4V00p@;^Wz~^EaOY*2DfZVktmJ(h|!n<@BUEcfRZgk^K-F zp2sjsiI$+xJbbL@fts#P0X0I$`+iqfEe9w4A* z2ftg$btieu)&HsN3Y$@nP^n*$!>nLz&on*0bC8ZvXjhH+xqR^>gM^f)2>DchAgaZH z{DYp&H!JJ2IWrQ$V7DDK7!X+|diTNBr=ppg96fmQu#8uP%<_v%@Z0ln3DIo5!KiaA z#juR>(Qaj8B{Q;D`LO#OcyXcM`@+#%+(iVp_qz;c2asQz(F&sD z9E&EJ(kB*k?AOa`cSo~)=f{blO>*tL`n>+>G*QTFzfs;{?Kaw8FY?q8hGA``w?MqY zx+6Uf%8*t(CqUJ_iXSAptYT58Jp+VqA@{w1YO&DCBbXh{Pu4HGCp=b=-pQK0HzZHk z+yJZmQOfCv5BH)K8q7uj@5xS1U*0T*b!U0-7#!l`uL$M2h~H^jevmVd_?$HonZAu< z7aP~E*4{2iW1Wwv$|tAYn`WUst#hfTR)r9;Mm2VR$gwk0PK5OU)bE`Cg*whYE40$Y z0M>?!GarADO%d|rtzH%MQEk!a-0y38j*-4&r3Zft{DU_g?-)m_UNQs$lM?gCR*P1< zL4h2zeiJ*^!f)76=~O#d>fHd9geXw%1|Fukwn+Zs-2CFm_XI0E{VIwemoJMMNUIPk z3e#f)wJ}M$r1s^*t87RAUY?wc>#~-`{vO#$`p{M+=tOCG4w}Wf;$bUU(c==1{yiE_ zZiw$$iRz?{;!NNay=5m*7&7F?+oVzRoZ@1IC7&CX)5tsXv%={Ux5AUczMIv~lli(0 zQ3J{e_k0!cQ4f=EZ9A0BRG~zs_7VgnS&IaWiU(pu!VD8p8kfoz57poK%6dYRzk9qq zewBBo;FdeGd5}|^dM+S!NxPtsMo*UCnKM46?;KiefnG6L`qiPKUPE$rXty7H<-aNF zhfWh=U5+-$NkH_sVDbln6KjU4AH*I$EPR_cjYM~=!oTTrvr_-zaxp+0X5`xY%4)kl zK}c7Uoa`l*IY#h*WhO=M6e#jpYWgYZ_ph!tDO;j!AC;w9u}|ItE|JY%>@Mz|6yZyA z!}Zh>7~>i8CG~ak@W$OX>OO7j%O^mz<>=OBP3r(`!|i+gB}8$yDeJ|TFDUhg?u~vL ziQ&0+x+#!=5e#-ur5Ii}Mqg_7PmeDGo`$n%VL_W-|mWxu6jHw?6~Fu zG%M5OVcsw=Z1O4oK>c(Fp_X4aZx@Qw$f~m@MQjmVZ2kG8yXjmAS zjBIeZ8ZsPYjQjGoWHFy7LYci5gp^yK!KKfWavdZ5L>5P=s=U`f_~kN}sls)Z<;+B57H*C0d6fESNtm(moo6BG&v;fXzF=caQGJk~bVU}?WE@%;hK<71mRY5y6?5NhV*q9qfx}u zP&X?-Ig9>)ff(tj^Nrp4Ua;;pV__=~m%vg<2DLcuYWI-arp5UcOJBInGak8XFFxX` zEl2Bip;?neKGz+o23yb=xHS_hf;7Q(d+HeVOzGlEK=ke6Ge5z?Ra*Bfuzx)P9}>}4 z@1kq0w>TeXCQ4Xa6*ef#ZWn0m0chtI z_oAApunU!Nhz5dwSWaDs#615m5j*xKpJ5z1dK}wT!Wp}Uq5VM095zh=wqBNn`y8yf zIS#;p4M8vy8lSgDupRmp*0goE0%ZN&SqhRMHCW+Ow+_7q!E{GilNN#EGjLTC-^X_C z4q|`zy#ug6+tNcfe`0%NK+O2`IWaS~A6W~-P%lONRkq1>pt_m>IbvsBxPn#x*j&5#$qQh1rR1;+xDdcS|;@T>mg$Dw%j`*d^%$3^~yk z2ngu-jm52?4V5jnKY6|P1v)`F>qYrDI`a?v(nMt?ZZGYsO0Z`fXc$a78R4t8Q-&ix zt>PM(4kxerpn7Q_Q7hbCray4N-Fje8J0N&$`~axbY{w7k&#*igV7ZFWO&1UC$%IaT zI2G>nVnY)b(CHlB!mfcX&}{~ju7_`g6>cYf2_Bepg5Q}Q&lx!_v#dJpIj%z}dY6iX zmfW9y=Am%*wSbH33X!@2WLgx@v$qMD7U1}t_aBuy5m5t{ zNYwzz05zw83_cyxV@bH^4`^?#X}PjRR4sW^#h%({Rc-t^t$9L93*d5w_1=U}tC{Bt zyc54YsSENePpuKxq!4sB3y8kZ4Deu%d*I}k8%!sv$vIDjv$;4Yzrw5g!_hp!i>1Y|PWBda;joP(UM1rmvOf2fv+?^27?YKZh}7>HjPmxMp|vvWKt zvHJ{=@jHPV*~)@`M-tK!t*SFYf%EJ!Ks9V;+g*!T(@MVHVg^DY7K>^zH|`3QIj4?0 zVNir8^s>k`&i)%&n%kE61@F(Hhs%tu=8u1$lt3&NHM{Qj-Cv2O>rXEF5CSzQ!U0gd z`99AxO{2GyOTJLFa_!tKv-JDPeiT#O`6YyF;aEbaf5~cMap5S~i^Lz-FaB2v^8Xb_ zVmDXx6ZA!XEKbui@*ylw7M4XmvG(<>T6GwL#$jsBNbLvYQS2#(xk-5!o&>=h6j=no zXz5xRvcq&pjXrJh)RaY95ESk-jZ&k_PIBJ7S`v+-#2jqG4sO*&T9dA#S6{E{7yubD z5CqL0iw+uw2VkaG0Dm4y7pv3-n6PS(X009>QE8N-+WQ@ObT4^<3#YcfU5J1)O}Eo;T&&wrqaMHZfxO*EE(P-&@R$E5V2cTj~{ShUQ@0H-E@e$`oMb%zJ~IpvP`Bi&~TE%pyRN+A{W1frZHmkhrLWQB0sWCZNb z%;qIoX#}Nj{e#vERrEf(6*7UX<78=wi`D1Y%>)c~9mhIb>O4?tt?9fJJ*x4{8uM}~ zis3N5g7yPG)3^WgK};jaQr#?NP7s&Z zX;BOwh+)3tL)|M6HfaHoO<_imz=wq|GvnubdJDr_Q}(Z4V?4Rk;exr2o-1c=8YQpe zH^FVn+^Z#YQG?@<-|QfxDCW==mNbnb!vYVHro74CmVN5ZGK}XG*>j|_Iz#sA?QD_X zf93Vt|9r1-V2%VRnxu8UqisKjS_9IBm1Ho#2ztTsv-LP?a^JV9s%y+N(eL zhTmnWX9;6<(>uppdUKcJ!)UpeCEQJ-ryZD2lN0OVuSW71Y}x0M3m0EphO;(YK7yOc z{itHR^^u#D&6QEGgH76^62jK2de}{hKf`c$e?>7|w!CiaA{Ggbscl6*B-E8_+tX`+ z^g;QRUw7vU(zkIgv5nW*(4E$ygE%9OQ4qw8b-A}={?bBXIy#_F)t`l6^zL4YdKKky zW_ObasvdMT zgc|jZ%zGkn{r`>3{$FwP|2P-Nu4G515_lY;yY-Dxt0^N*-^&U;UadL}QQu^?N^&5Ru$bU$%lS+~4W|`wUHPYFac4uuT?&eP z;v-NY)Ld24XDT^xF&hcXT>ia?@aB*&d>RcxtyG!1zlWsUC7jQbdxV>}ob(pjy`IYc zaA?b+IK;#dFFYI%gPt}c)h*LjL9&u$Y49c0ZdP1zP3Wp^GqIV{N`5k)i6k{lr!1e{ zQ{7fU?9cN?ZnHY}W^&6L;D~D7G?nRUWMBBGemCJ&Z1J@z0__nry9p>`l%TQ^6n?a5 zPH*W1Otb)>Xzp=hdBepzZRIQLo<8?GB9J-RLchA5Bn^^xZ!(HbjGo-g(w)K8+qoaK zG(}(n+y^JbdDmEqO>>QMJP^@|S`!mm98-2$7bHpMPK|pY3M{HfGcWvu!8`b1N(u-_ zySie@6kk>c@my^>Kx<5+`?5QAX+3g4#aDR!Hz_TqyR0&P!P5E=BI3{DM&XlKkzm(< z3;$~TJN&CnP4sXC_W>?DDzdCD+?}M5VT^20uYDULJ1E?ZVAouXQeHDi=`&0=h!Ev? zizlmZnN6Kb0p|aJ_3sly!_vhY*OckO z1djxA6yMo@Wt>)}^fM}3O8TkhP-%?!N3Cp?0S@Tx8SWz{o-XdTBqj7^6*P$Lj6WSK z^kIOkd#mCtCS{I{ijNf^G??RS_Pt=z>B`TlE|%@Ga(k^z7K?k-0kTeelc$Mq7i8jN zdS;7}Ee2h)3@?XNwi?rW;_gOg&g}rw_9&Qp)PfRn)lN-_B168{xbMp+M|62M&F?Z^ z&MbcC4Bwr#T*^H1TEV-M@vcCsk!j7Slai8dKdLuHK_9Wsdvm_FpnmJZx zV?Cw%B2E0ScRI04VpA&F_FV9}{Dv_B#~CD6FEAAdu*k0v;_Pd94aq8;(aVw$h} zcR171a0I2u+~r#2Hv$LpLaOz_g1~5&_%F)n88+obnzp6Knh;3V4>ZEPUR_ovSgpJdvk$8B}5fvta zWAQ^E9}}ZIBsW#`*aM5W7ALJ6=cf*6!~_3urg9ofzzuHnA{U&=1^e3r<$ZGe1<+Je zxW^h$ea(vjDHt%@;eZ-`KKK^AhiX^)u?@?0hMNCs$9O12I;#v8JDhR!f0Hey=y-H1 z{--rBD_XSI3x?zU)0(@V_wZZ<5>}36O<4^Xd`gg*g1&%^_>h*#B;wwtgbc7 zzHcAgiO=U_!Q_$Ydr)F+{59rF`QXFUe6!m)ta&;t09LcS$>tQul1rJ2*7xn*15)EK zrbD8?dXcAte4hfMtcgwux4_GS@6?!Q_0t05z!m-8{1^VHaDkB3OkR!BL8hq#kMPAo z5K08N@Q(@0&*~zRBgI5@!&k?efe;GVD{#CeUNBg#@KgyV9u`rKF8e$Rj_>R#`$oj4 z(hOxi@$e->MyFaOyrX_|BK4&JG zwi^}vr0~XlikUE;ScOl7vtV4pExOzXdV&LFCdmHW7pp?x-(V1ytfF)1KDuGU%NPCn zG%;KFPtH-6)L0R53R8fGFP$1Y;Ja?6dSbL3Xe`6;i>Uw!L3j^(sIG<-Cj{H$j znRATEI@JlT9&`T2Al8}++$(QRIz-&|1}pO1s_=&yf|(ODWt z9I|PI1e8sqtc=SnTr?&O=@ONX9tN)ztooBGiq{GyYJjQ}X64E0ULbJ_NqHsx#8BLq z{Xw-Bx-vyn_M>(+TR@0$RK3VtgCA;L=sBO6ZF_g*sYe!!<-iv*G50k(TpMk_IPw)J zYp>}IlqYsjy*5R!)vpr_4z)A2?5 zIMHDA8)Qyv^=L8jMh|Q221U=O(Z}s^Idjx%>&qUFuMPJXBQLp}$JPnf)cXf-#Anvz z`hY$avKNPhC2XmYM>gIQ_!IMP-Je9namzhEn@Nr=HLJY7sIbuxV45Z__-#dcP^|jo zn2GO=ukMlkpG#1QYKJor>b_;2#DbDk5C`uL;fXf(wbJ5Xw$yX(1tis^xmB0q=asn0 z5Bq+)EUW9tQD1tnsU8^3q4c*{+ojQloLx@N8@eaS{q zGS3hmbM@J?3rV~t#qg)7-oUN#?h}IPGmd$E#XZ99qWyxqdz35igXMf)xDML68DPXa zGet<*q*CIl{j_af#l?OHFZ}$l)#$}D@GQ|kT@teREVn5tLeysy5U!8T>Ev_;huP`n z0c!X}$U5(_#E*jIDvho$WxuUIX!Kt8$%iLTI8x_zkv|Pm3p7*C)YdLGYfZ$o-kfK* z9PF1;;2vEj7w**dQ_;vx%|>s71^?jtsRtoML((KkVL}+YT+4isW~fT%{>u$O zo)XrBo}Oc()!Ty9n6UJdza18*Mvt*vI7-4}D3DyzV3Aeas=7fxmGs!?_UlR=;9X02 z$o+P)DcQqnfB(XPmGvl8zZ|ry9alaceXAL0{wC<&j>+PEAPy+HlPlDJ-7FHLvkg$I zTM_$EPy~?wd%X)NCRW})5I?bOL!}at66@4?TAj;1MTT{StbWYJWr-=;jdANOIBLBZ z9>lS7g?+W)_0%#;o0iVd>Qeh` zeY>>uQ4gW9S74$@Fw<4AW<}rmB!I8nq%8w=`V>1=^o zd8Z>pTC@}u4&~OB2bQ=SOlQ$5+;TbYrfaI< zl2(GB1^*5BiNe-*ttY9dBX;0)-eEp>?YJD_fg-!SMQG-!I=^@tFdBTjSm-jT^5W!) z$U&tn<+&*Hsws=Y^lx-!%ik%w8VsapWx{?`^{Z1ORNJV*iy6Qvo5>~ZKFM1vvf+Hk zu(hA#HC7%Z_-=)0ja$53v1D&&Gblpw>X6SMH#!9EM1B$4a|U{WQ;xSMlGi?awd~AW zt7;372gX7%46k91aK)ew9l|bVFO8UcvYh%@<=(hGVy?uG!1AX4Q`>w0>glE#jujn_ zB`d)2I1`ddWGEUN$bTVy{y;o-hnHn*z;o^{f5!UaWE8`fC=v1R)7u5nJhb}1Mit1* z;+gj*2=K<4=0NIK*Ce6Oy422)Z?8FTJX3|l>-A;PUYz2-@cj7WdcRXw^o|=eE}?PF z(1x35)=0GI-f352pvuYTcY)p`RXXkbEC4kyVSw=&o54V|v1?tXYBO6~?{siL3yR6X~z80xHTf?5HY!@VNigP-|YQ*mfG`$0kDmefwfj8@rlzHln)IXd;uBR@xiX7>c#Wx(ryV8E%_E&Ev3xme{R-#Ek!+`Sicp zTYii70dtn}tRW`uN3X9?w2TG7np!*PeI|eMWyKKv)EaufWPHMGtpwVX^jjqD?%^jQ z7~?w7wAC_AFX-a?vkdgi67PfN;-veJ#5{ON`pS!R@Em~-Vbs=MaCr!^Z3KXn%yEY# z%X7P;lM<#G*`2FjHWD&JH+-vDy-d~6(x)Zt)W*~h+A%xoi1>m9UE=o4=2;#28|kxw ztS+o_iTdHITq6qll!v%>YCDW}V+F%WmItfe!O29$OGx0>vWqwT@HEp+?21}!6`k`+ zhOZ=9;9}_(1ZU&FMjdXt0>S%|0m?%{8}a?#Ng69*s@b|V4{hFnX!Xb&R@R~9)efwxq2_}-Ve{O}qvf8p(})n=6DA1_Y^Vj1u=-h}5))hWWa8ugr%=#R zLf4=?mx}-zz3YXFZ%Upxq30#yX!Me(>?g5lbjT6JULgc-8Q$wpdOmR&&AW0s*ZMUm zHOv27%Oh*V_(zV|ctNaY(pigsrP_yeKq%h@8BSF*yg9H{ zC2p{;HMl)mk68-EN=7v+QX!4xzj6-Umsz$^Oc??Ne_(0l-dzpAay|9f8q@u1EJL0M75NLGV`Ay-{Nwdsf+8!fI+Mo1< z9@y?zs@2X!{eu1cD=U-Nq@hdFJO@(4w0+yoPeEXA&iA?Gl;LL-X!|XTHzTcY4-Nj& z<3Or&Hr;i-LC|#yBsoaAj|rGcsQRbTzIE;NH=GTly*SD1P{6`z^y_-cAEmDN7}cyJ zr22lDdlCGqZ53z4l6qA4_!GRYVh;w~#6_-Y;7jgNV1q0K5{Wgva1HnVo?ljs7=CD(u)MHfZI)& z-usx%*V9STT`}Bpx9`w2M&oF9j8#Zo-9_NZgIIFJ(6swJlkW15mlnd2sPzvM%_2O- zbV3+INTmJq^!>j}!Ly$-vc=<*Kpf3aAPRB^7gsH4^4QDJs2;+)SsFm(4Jq(_%QLQZl{D`E3MIFi_iarwDym?ceRXUwC1Zf0XXer<6X_DLFEU2EtRtB;j ziyN)_9*+gEa{sMhpj?{oHoDf%*hYPi-zH%Xa9wpzW)Z=oWI$asnAE_Ga*yvu=RJf( zazlf@XC`km6ULX%aN&rjimmdDT3v(YhVXU|sAfQus4E|k9rKpNc`*>E=PVGDm9mO44IV7db;t7lyfDpE%^n% z*~1E~Yua+0|JuS*dMsB2&4v6O#i|S_tNMeuk0OR>6F^E`5!@tiKSO}**c@+iuEsw^ z>xz7whv7xwNbHSt9A=GtGj07`;JclU{bv(1GqYH!yRp$H)gV3R_rl%0EbO6>0i6$v zwnth}Ocp}FuGgNCC={s;+LW_mbhTB9c# z+@q_P$8XIpT@kbZX(!zwzq^P^$6}jD$Z;5fCvO>uqq6V6pqTE`gU&rMna``eW|gt9 zf>Z8J@bX_#vA+Y`<={_Sn-`p-ox+gASqF0Guv*BLfVXE$0iA&Xf_Ev^b_ZXJMGLm(_ zR=Fsw{YeRN%5FG!oA|RL7xuX0E&oF1d(Nk5GY|J-i~34yHEjZ3C*D5tT2{~kr^I^$ z4wa=4_iEV95Bk`gMQKrvO2hMnzbsz#L}20tYEeOK7WZ!uFWps&q>q_XM^IsHkNiBx z9^O3I`DT`6AGy?eCqlFVHLt^Quf(jnv*FG?hDFuoJ5?Fe7kPIK(>Sx9RWF&y_f#Y8%fbAk|COK?3R zdOBYIb>$DB2r9q3t~7G)TJuL@xk{74T@PEl$GKz-+MB8wY6eX>s~Vb`kn8F`}JXK7?{+bGvKQr z7-0iJLHNh}HA0HIMWq_yM*U3R!0`4HG#@t68morWE=3+N9yt>JYD7jebIS&|SelIm z5hy{g%HOcNjA2aGctd?KoT|Lp+m}LscM@>Eq7qlHSMuOamV1HT?_~4_NJ~!}_zr4= zh!IrPkz)6p&+`16`Hvg!inncprF9}dZLz_R;0Pr7KH>At1l9tDKuKV?%JKlc2Z(^n z+iFcM;Kz8&s-lePb)VSp0rU;q=jrIj7teiMkf z4EI|+mgZa3^d<_g^QtMAc2efF0VHv|QJ zHBxlF+(yU*nBp{HllXJ@a+zKpeekQfn3x=v2Q=qXB<~j6<=E}Dx8GgfF2!-&I~Vi= z{HJi%clBx~Jnsvy_BEe9X)otJ_ncR#V0a{gJNSIGC|Ub9cA7&l)XMn3BAb=B4Z~2L_}s~8bFi@+AsL${4g}O{2ft)S@z3$BT7~nXC!^4 z@L1w0Go&9K&*2ycfsHc%rOCXcs1ZW~&(q6=;tvNrRYW2xc*q_TE2EV!t8aC99s=0^KBj`f#x$j|c`qJ4l^8hps$Bi*U-GejwX(3trHt9BVyODJlSfiJ}E zlhjJ4$05O2EQGR#A1vdEVN4 zYiVBA9ozzlfP42|jF!5dw2PoDJ)2l>rS3=3hI0r{oVrtgH_^ES^XPM8jW^6_V8lHu zBSRHt)4dl}7EZtG-GQ0f$~n146hwnO6wRhU-}@v?zztuC8@3lI(|{NDO{MHvOMgT` zm)N8ZoARD8>yvHY#;h)4upIT#YpTW}dRL z&oP^JnacU_=Q?Os=AW*H0?kYi+78rD<|k?2!&I0_!&b&VwKH=>lb$^SD%E^r4^_dQ zbY+J5YQv7PVE%{i`OHj&QJ5P}AWUY8We}r&SGsulm>NG;AXq;tKTXCbKj2fAM`DRJ zwi%DuTGW%^yIvbiH`3fSLFI!${g|b^v`<6+IIjW+@O|p?z2aoczGAHLe7FneRb~sJ zMjMAon}`VM9USU#Rrg1-imS~=2M?E+4l*z4H&m@`v9{h--q6mFbpSj1HhQSWOInKH zI5z3AJG2uFQ2(ZR!@+N|_s&9Z4mxBon1U>VKTL{CaxcLj8*z@_VL+4DW?#uU_rq z!H?eB@4j4Y-h0QsvjL<1i78IqhN_R!lE!JcS@#vk5*(ixfl?K=N49kT`^F}|+k)#{ zPkszq45yALUvBH3BrnZgAuHT4xy<`KCpa9m+})l!3kh!%F(|abeCLzk?^jfW;|uI= z?HUM)0W|IARGWTS*U4jBY<>;lDG08AVlMZ90(%^hqJCE&VE>*tl3$fsRL{U+cx8AFQ~8M-oWv{%MM6Qz5j9JwOlx{)!p=dbZ{BtjS=~jxFY64?A@0+RaIw zc@X_{Tlxf19kTeSeJ02(D`9^fLn%Ub|-Ycx6L0&2p@ZDFLe zI)Z^;OnzC>si|_5MG`mw2D2o7=6KTy8vuzWXsrV=t;sKy&*5ViRoAai+Js2F_lOWW z^C2+D&3)vP5aUDkRs4t&e$HTYX<59GG}%g>eDdJ&ck7l(+eL#wiN6@yb$DvJP0N`} z7hfE~H5!{mc|4D4?3YUM8;s!v3Fgj2C6MhwmXJ5nocFZOJB8AYFSb3gMcRxo9hgYh zs@|^7W~r8^hAWp(Mui;?lV%h+BhFdgWAKMaK9V^Nn;SpZG3iybqyNu$ODL9sj93Ci z=NoDCfU^)#8`s3EE2XRCcwvE|Tk;QZhvx8#NL{OZeNkp0WFVzg-(agR0$l&eh^v15 z8%z(Rq1%4|X<7ka2ec92DGx8Bpw{7%mN#S7ano8}$!rXZ<5 zF5LFyl)1xCeH@}L9vqe(d%}1Nn!KY5{iX8kZJDz*FUY{+)&Bj05YqhpboX~6jSOP< zfazx=PKD712Wpe2RMae>GEJg=4>*n&)UsxR-Yzhe= zUTgxMDWt6B$y=b)1{P>=B@BNR*{Y~^6TfEghZW+jFO<2XX3VBg6mJR#mNjo%eD;Y>W~_g1EAJ+nZBPJf!}Lxlb<*q8D@)tP|_6O!G#_isrX~ZkefoUxBG5de9jv8>XsV)337Gh zB}N4pPk|0eAj2pMYuV!CjS6acOU_Wvk~UxqmH~4p5p{#(c5$yd5?pdk@X-`di$V=! z-PNz7n}DHj6HRTA!2=%GZT94*_hRYeZtQE)RYu>&M4P|NStl8ShA_-49IBVdS5JnP9S=e`D9LfI+pUPVfuh9<;gfs6-)kmX* ze-W`X0=AJ*@0(%ep<2&ZB!c<2L5JW2;FYUmeNr_T7-2rseK%f-14lc8T`4dQyEKj=o4O`h+ik?Eso!>+Ps@?$V+r%5N3 zRfzrxvACT2;P3haMF`^=7Lrf&wO5yrNB8SX+vOPeEfl3&mqC%>Ib2|HPU767pC8oE zHq1qd?ssRWxx78`byGC^AI1+LqlIYBfT>=Z`m^xR4R&gBAgGfM&IuyF(X-Wf;{X8U zH{mEU`)5g@vX*GPzx{k1Y80@W*mn`{>+VPL)+k%hip0% z59K^TWf7J$7?XxLI@J(R&Y_u*naT6GfaiX;O?Bh@Vde$X@=I4rA0?oJQpETN6DuUz z<_%IPwsQSZw{#pCzdKYnT}=X>nPdiM3&r>mRULc-7;T#77r>}*^)ofL=ssYQb^yeG zue4cQx$mj?{Xy=?aS4M+IfY!u*EbYd@qHCJsCnI$0o6m0Nc~Ww#+x7s=>Mbb&Euio z`~LA#QX}aUDMHd}?IdIup^`28uI$Sg`x;|OP70M!_9eTq8|xU7C3|)TLw19)&S1>= zzUN%ObA7LKu5*9ybDiIP|93hM#(ZYp%j@-gJr_1{x9l9L;s|}(LRw{KThAhut2u_v z*qvt4Gj=6Ndy5D0R$Aw$0i5?MOI!*f#ts5>;3hd5=`Uqe*{i+ot2MmQeJ>W8Wd~Px zG6BwHwLQ0o6xrz<(Sx_h#v1CGUvTgF0eP$x(9!DY$6ei9A2IfRFXq|QgX`Wwbj`ox zdR4tJ4lKGt#QroEf3S&GiNkE85G$ei6v&@{9pKABs_4RGIe68}w9`OsbVtfvM z?#Xa6!7wqj46EpGHRKJD8>~tZA>n!-R+KieI;~qoTzU&e>v{46p?k@3eB9S|XMbfd z{JWr)>=zKVA#^5c3yUVt_8LmjZZ=eQa4I`mIT4 zRFJ}uzYJKK4fouBHC6mz76@>=5g^N`74E^_F)qwUdsjv4alw6@$bfL~5?}tHS?OSa z_q|n-IuKzL%I3nJwZnWL{n%H4X0vhj_4e+wwIxg?h`AbF$NyU^uikNV>&O%}v=n6h zq;ftAmWewSzZ|3<)OfiDXeFk}**Q~?HK!?|hD9KqwcYz6CfHQ2jlFji!*YRUW(ml4 zMO9>~&v|^m9em87ZuI;~KNqOD&sO$4e($WGOce96ikWf!L3~^BtFC8Q-<`!5S>d8j z%kw#NqY%na9gMP%H<$&~$_f*iq$;FG1%pYMYz3aQVpMXRN&RD|O59-6q0x%q)PQ#+ zq+Bu6=?jGmH{p;)`g0+Yv`0`u)BR+i0x$q9>{?6v-C}{e!@#IQE9KK1f18K>E{ohq zv3V#8usg+$HQek`!L|dGU}U~0M4%X1MQEH)hEF65=qRlLrwv!HTtX;_Tpk4w1T|7u z11`_>bsMzRhJZwEE-a(g2o%Pg8gvY-OmTt}#eDb#xojqz40INx#6{udyOxq>VD}|3 z_w($WGQk+mJ0KlmP__ALFbk-;HMDuw9zk`AOp2JAeQqpkrTRBq5=hJoN_8tx@o}-g zEaOtMDEPvY_R7*t%(Cp9C z?cQ=xc!~rPVNX=;^_xyRYft;Eou!J06JKj-=dU>>25(i|WJbGo0r>CW@pN1P`c(tH ztTM^ky<%b&RrZ|XfouE^iae&;fP&b8BdwckYgsrOW~OZW7Jx6#nc5fHv$>;+I9PqB z!$tRaKjX}F5eBow`7HT+fw0>3m(+;{XtB%HwIS+zoiP8iteG6fx`nb|=s3LUfvXlf zYaz*$vXvz>A_(7Y|2TxPpP-6IC$UORVZtK_oDDJ?%sco4GpH zjqtW;HJ!ooh#EV4U7swx>p(jiAPYIl0pDL|>UVjntI_|G>cdW!mp7Cbm0NuIkKg~D z_MIt7_Ex=ujMJRXmi!cO%6X=1wDj3Bk=3)^61q_oymK$ld+{(A^UKwT= zGxjHKyNQK}<|MAR@0leUh)Vsm3Jg>rr@AzWB~>te#n{!sB5%c{Io{k?M2B$)J6GGA zke=R195AdpPOGI*kWBD4o=hQ2PpoH~D+lUAg!7(cJj!MrNOkH2C&1oexY$6(+T&Z`AvS$5h*AETW~YIK#4fmzW)rBR8+E25Ms*h~U#9yKB#ke-Q+YSy$*myB}py5)W@ zyy7w-uyS0WYUcgN27mE+K9kyE`iHN_JTG^nz9lsdG;6Ie<|@xCA!2DJfy4bOyA1H| z*pk0(PTOExR~rLThJ02y0EkCb+qaCkUtAh1cnx#m8TFuAI(eF?AF|1>SCgvJoIgTN z>_B|olQ?gm)C#Qxc7d>i3lbjro{#Ao%kQ8^a{}_HLA{uv%eco)K1UCl6_MTL_tbc( zx7jzILBfY`Gm3vu&Q+;ZYbH9+9vdidJfdv+{duWDAUATe^KxWLJ3MQLvC#u^=!DgX6?c&&JR z4PF}0Dt}?&aA|eSK&LCX2}73{2@B#)2fN7!>&F(WEojM$lo&4@Q(k9-_y7uiK*`T#k+>%c5P8Hqv*$Q-`Dmx`v7lB&@JFeSVe$ikH#n9Pqpr7^Rs=TqfsA28jpC2d*2P( zz#lwL;K=t8m0jYzUL9z1@R6F_^rh1huJ$qP#2?06l&dNAoXmbOxrgBaK_=AMEAX<~ zUZ`iLO#rAz zH*Vl|{2kjLomrMGkT$nXg*q0+8t&MK@Uj3o1#lbJURSZJ0Vb@xR!&d0628lCxSmq8 zf~#Lj5=e4ZfOg-UT(dVN#j)&X*}8W~?XNXDB0podtI~j-<3w>j-DtK6nY~}(@E%*t zP}+6RrLjUz!*c#D;+@-{`3l{y384m+;ji6K^>`Az8LW9h8xx{g(ku4hu(3Eia|vd7 z+p59a%|vijp~Y_yHfM4=pJsunBbUAd1gW`AC7Sr;7I5e=pUiwCW8Dxj;GI>*%#PU` zD{#$|Zo~=Ibmh_77R*+rKof~S5;Y%9TW|MLc5BMmx%2a?r zU+Mo!rO|bYVwY9&LdSUb9}GR4fFF=2ZqZ&^92GFGm~8_-aLZtoZ5P^lHhK$+(NGg5 zQTF&J<{;`cT{hmZz__iZ)jHZfR=M_Q@(kP}t% zOUOJ}kAz<&HV{wf#)Y1M6H1f4hs1eB7mHgs+8YzTM@>*cmBtizhBcrBZd^EVKIjn5 zP39ZPy`$MD1D{<>iN9{@w>|J|kS8u!)*+C^#EXmY%hAvh^!4LS7JuCLOeq0DmzZQf z>+*zsxic2^;faQ6(J8PpEqs`XX@{aLzNESs3ewJ@gtnd8MAq}FR17{(4>b3(u3p!p zT?eBZ9?ND(%EKn-^qz~x%Wq@T%x*}LZ+?36VMR3)mEq0--L$B9`uU-M*VH%AAg9+- zJ0>d|c!H$2i`Jz?jyE%M{=&t+;>j}R@7W#8O>q9C-{r~Jco%%fl-xYC#W%m;TIf7C;@T{J?jN& z9y6ApMC+6~RDENRTgUhOOIceM5JXl6dpgMY`#HpK`peU@my`k-lvxZy9z{cYDqo4I zYJT9JL)~raSNzp^AwGbHwgQR)6gJ__YY6q!pv6U>>Pru%l$SuHaH@8Jk(k!NSe2_h zdFvmKtZsBP>_@41GWvD5sd`&huo_u=_r<3@6hU&MC?gaIk+e!gFt_{k- zJj2Y}VGpLPRPOdL7_YhJ1+5?d@F);y{V)}E+x%=oR&R)HxJNwa*XCsoyiKf2sSY@r3owvDLQwjAR{mT|avWq|I0g#5g5sNMZX?mC=jFM)c zn0#b63p#kKNEu3{)Xrq^3)0oAt&cMlCP9T(EVDnwm});y?=#M{Dhh%Ff=nKF?8%Up zg#_QO0U++@mU+v`z$0|E)kw$jxY&`8=MEoz&vfJ0dkf$LQ8UXOI(jrzB=}s$9jjk! z&VO6wIj4IVgL(D>Bf$o+qFy8*;K#6W?t(&Fu{F*r{-Di=Vz>7kJyUZ5Zey5kNYYx!USN+4t^aBnj5-TuwfG*?B>&N*0`4PfV^e zUp}oi3FwdOib4fP>6vD%-KF8NlkCBne`2-&=POSA%h9Dlg#FoTkJo~}fkM%$0XN~s zum%p>i{*;d6i+Zg&0MUayAhW4m9gi@I4{7_KYjY-0Va%R(9$7QG@ybmdlb#X+;*9` zg3-Ov{;J|FP@4i_)4&gv_qe->@~TOapKxxEL4A|+)1^s4;Rsq2`onNq)ef3JSx@w; z!0w&iF{<>-3CLEZ!;5X!+r2zGIdPL0b3XBH&YUpZSmiSmAtL&<9`Ms%OR3KVVYxor zxRy@9>R=u&$vz*re|!Pv2UNRh-J zCW$155(3M1u{Z-8%fbfZ>WD2Bz|CXnC>6?5V_7K4zW9%K^o1Izc&l7L1~|0W+#&?; zQ=f_$Qk+~A^XFgrpOl(Ro`E11VT9V(f^>9nI!Izlts{Zik#S5?(yB2dfEv0-sK)K4 z&({^4O_@i3ON0Cw{L$BePcG8^w5EHp0s@u$zo+MK|Mdt79{#E?>HFT7vo<}StAuU) zCVJz_i^Odi5C)y2I;k$qyqcMhlUP$Z2f7o)ZCfHQmIV6}hbN$h4q$eRgtZJx4m5uK z$FqE3I_x*mfy1`HFL5j@-8r#PI#_Jp5@y|K1OMn(4fJoyVrO|mf{E@}B#$jy3+ z&c{){zr3w}{~VW+z=~OSJOA4v`?HVw|NDP$Khy)^1HX`vP>%Pf6M?nBV6u;*_(zV> zZ%gsN*wp|0>nV4S1AFX?NE+yWO_}@cwH~F`gM1Z`ZQz>W)Tx*8<8lgFnRMZA$Az2l?-w)>^`5z5n!qY=_{WF*lP};=)~}y9u!GU5 zd+v?bMmp$I4~|76{Xw2t8pwtOoKl-8&QI%;ty~1-~ahR?r=zn zrInRW;gd?A{4;;C(EazFy|Mnlb zL`$_lJ@k&}KllXxxygUqz<=d;FHJ`J{U<;FcOE>D2^>1HH1~7=&M*HbPZba#L-kLIC-L=WOt@a^X_>r=5DWJOnkfg!LVlPmE>`U3i2{wtBwH^BL@J-7w5JP6=^Lu796&-200eB6Vx~v;LI|1 zV?yv&AYilT0~S)nAjo?v0@#|d8BM;x-`~N1Qc?Z$A|0Uy-5DC)GPcZr;|_IyC9G_3 z&0r^5TsEqL&?)z!?D0}pIF(qAUtbq02Gm%3;N zrNB%PW~$x*`TV#8?$_2F)`nziKprIBpw(Kd;Iu%0(45bN~PdIEM7sL*MaA_)C>$~ zSHL7VGetZaAcb^FeTlDS!I)fr${$cSD?maA25=^s-=Yv;<$#_15Nu)NVn@G+ zcJ`+?s2(fenL4R0IGc#W@rX1D7HUr2t|pi;HUmlTO|;DLI+$=9fM_}dXdkJeY?C*t z|A6fN4}MFJexWuY7V@)MpZNPEMw(VaoAQ5rT}($#Mu|d)D4j@B{W)IKy0nY|$0by? z)mBBB_{fyS&%8H|9qCS#um%7N?=k*ws1sLn5Dn!TH9)Y(dhxzz5DgV-&H^=H7M49P zy^>C=*-ohOfADSp;iXDIf69LV3*>?+Jg_jUp*Yxcrc{>7NM3 z)KWZSrC{TRrgn|KD#ybGRiv1Cb+&Y_3kj7D7wUkGu?$8TgeDeKCK56?FvkW4!1>y3 zl_tVX0Muw_t2d}7OB-kVTeewn`hr9G;cm$+A7{v|b6Pn%h&Xl`|JsyXwdx5i2hH6? zN$=Z>B9#})3zNVX3kHe!V@=Py@f&Vkz0%RiWWAQaE^g3JhL1FBozgP2On3d;xw`-F ziz_gVN&Q;a)mWqV>SqC{WDUIT)oeyvUx9Xv>82$)xH`Oiubfp05iPfW4Nc&dI8f+% zss#x!KsqNO#U2UdTEEiXm9mr=kNS-4^Omlsy~*1VBv~ z-G085lLed)%}wAY7@$1y#DTSwjez`wDYuX9Oc3j%_h^^je4n&6YF}6mq{}{=XrQS? zg84;ub=fLao&z8n1F+~+rtEnj$(lvu`@5S^usSt1Y3Xiw<%1F3ggB6vk8oa93Mm3O zSQ|Bc(Rkndw}nx`ZbyALBz|($4(gGX2Ot`U{j(@ z%BKOAK_G^M@Qz`Sg*Fq8DS8@=0yJ?)WKRuY1VA2!U>DR*-VuGW4Tf*^Kp-TAsdmp} zOX&9nl-ZSDWx;Z=|9w(_DL50-h5%t`(mRt!M6>I$nkW_ffm}VY~jd(fmV? zc9+K1fn8IEokstE4K&K;F!v}N+T~|pz0(R~?)VQ_(0@2XA5!bPqXrM-GW<$SevT*2 zeaV`BNusqD_oNsViDryL@?D;4zS6lU<_D07&Jg>IjEoRD4AbOn^G!FkR2yJ=_S)dX zmj$MstV=c2IqDQlR6QKn;Qh><_w5ScFutmK z15SQ@kQ$0Q)C|hGrZ}nD#wS%O%e>A%s7=uG+g*ve@4Sm*cDnioY{q1q zMzyAim#N)H-s@X5%AI9Af2*E8DFMu7!C;uDBusKU&v;bHxF<7Sf2GG~;cCnMAcpbU z+W(#VRQ>(YwwTY&y@R#%p9dUSh5HJQB#(?jU#GuhX$qhgsQ^`&uB!ve6!pIM3@J~X z#=v%!cefpRmjO;vYLcnasjhO(DWx(J<1yuIb=X21G-(&*pU;Oe&X{K(`4GY!7Za$H~ zI}&FtFs4T80VB1vCA;zJ@^XMon+QJ)m+;@OM5`&Sq8rF$(1V{C!Vh9X4pm<$hb73s zC$@d?zzbi57Cl>jBY|HBIJ`0<2SWJg$|?J*$;r@MC}OufqQC}KhOju#SAql2{%Np}o4bUh-og}_`8Or1^jD{ar^<$YV!freNSxB44CSJNo*iKJ_!RyDX>puhxxbz|Zu9iT_m8o8D@%jsj z$w}Ck;9!XMN3p!goGb&}U9TzA0+SFmgi%#5y{&8G4-}9(OG%9M;zq8gTTXoeJlanE+wQi`qG!wEfVLlB**MGro0i-kjt$l_qJOsal2Hs{to8xkySM zc+K4^8v~t|!AOZE`6jCbijo7n=bwTH2 zmqn<#y4Z`fB&sYLX+IP09!dhFt{fU4gFu3db%PJLE{T16sL zZC0AB6n{5u*sqaLD1w2E!!4cG&vJ^O3!3gMJg}7jA7Y_kyH-xAzJS0U;$k z!E>><2_$tlO7^#Y{=@P9KlINJCj*!7Bi?^EG5ACmSSH^2Ox17lfk(D>$BD3S^$=#B zVIY{thnoGWK=EsbZBpYG1uK=gOnD&V;CqU60J=K=0Z8*wUsfcRvrs3o*EdeKK- zYPSRqgBlaTlPiEGv<||>;g#Z%&cBcGU3!dJFtg=CJJCtpK7EGq<3oZ%h7-h!PxT$WAg>`$m zE8{go$pu9c??*BPB%hFyO-9i{Q~m~_;8cl|TQt(Bw5h#34r(Pj{Y&(uSxz=y0Ip%hrba%kgJLE zy2JNM=fekg+u_eicz%)%GUr%Q{Vg1>ZjJi2yCT@+DVZZp&g&k*i>U?y#y;=;MLa!mNrXcT0$C>*Sw9St}WHs`x5fRa6q9%Ba}f`Y&x$R!8R-J2%M4FU1WJe7{O z@=BYDkl|Da_O(xX@RV0^rr^R;fg2j_8aA;(7rGO~&KfL(x#%*eoER8fr5e<44{U?E zP?d%T9>B20RAn~j1V~;a0V@JB#Vqv8p$d?=esRW=>U#<7NLRLFd3C$CfFdYCrmoU` zYiXbz_I@-+9jT|l^>Oq-+-+epoT@d<|Mu(@s7tHnClz^43Y_Pde~B}0`9Ynp_0hGk zXnB@kv`E^jB-0`UBo%a*A4MOKih~XZlRTXaLR9V05q!Dadcd0YG^E;f8jP}*Lw9Ts zG#4`HzbY#$Z+82|nKXnK6V%wPAxsy+a9kJhg$GbWm*`}U&1;awb#HVC>XrFJAdj^* zZhihje#Xr1Dd6^GMdO!e7QW9qTW%gYI4A!@Yqn0S>FT?(w#sOn<_T>xOxbj7Z?cO*a&|6BG^UC;Nm%Mj#kF4sEzNif-Z9Z9-*OtmuW`KPvFSPwJ=FX$fV9`VShy1b zei9WQMg!2x!kIWZW;0W?dW9q|{C9uipAh0-_@1w-02J*#vT37d0u_pEN~m`1dA+VK(Nu|vR`Su|tH-?}Sd zJ&3`a->}i`>~rUvR6|YRv9ZSi*#*gfS;V%EjxEPQQ*f|Q$;?(!!G}ZW7@JRJob1Xr z6JuG+GOJ4nLq1f!%KY@5*nsir#$ZLTaEig4TyUzXmFHd23szyf9rtS`@S8909fpSJ zZ`7zTrw!Hl`Dz9v1zlxc$eNa%C{F6zyUKbz=hjy}g{Pik(UVAZ%ti^yexU7?(}4H= zr*QGCTpM!vs?Xy2o^_-@*@qg_`G`iV{LNUzlv#apX4b!ccCw4iJ!or?LO(|)I%Y%+d|!^*XHdlJh#|Ix)_OlJz_#h9UKo?XfhrI z_@S7fk9Gd;NbvB{M=05y)zK&DYL-C=$K8^at|SR_fczXscm*4T%afaOltjHE0fP

4Q_@?+BJ{>g!gE(s5`e1=Eo4s2OM`nEikdTcz zR!$v@k}tX;OQlFo*n^CAq}$>XDi0+%>LblzV=<@609?nqu_%Q%K}BJEUdshDDAuWa zF|@_7du%lC^w;||lpwC4mPpQSgaL4hN-hT#+|c3^v3vf=oS;+GXgGoUm!nr6xf`zs z@wytu(4*b@s5l3R4t1o4#?fAg0e1o*ZQ@bDoe&1<_fkOby*cFiIZrf;xbKjjuw-%f zUvEkvB_y+HVxzS3bohswL5YZ|_QbDB-Q_YV@-0w&(@^)D7Xb6m_g`<;G^U3?Js^__e&CT5#=pUT2f zp;^W$)Cd=X+OiL349W38V-_TK0JW7`lshy8(GtMz#|-7x7ys8c_^&JPzunGEY=HC; z)|vUhPreK8JRvPp(%y@^!>B!R8I>+vFx2L;ie+Lo>6fBTJ3!;UBf7)Wx&rL=ALy61 z#diC77J^dU#v62fsT40MDxf0Q4T@w=SjiJH)u~tA(xm*wV-&D^sp5xxfK=&ZKE43= zW4=LcBYj1Q-EqS0oCN{0x@S(9=9!?XxbA?@00S5x*DPT>9xS z?XD+q^E(n)u1(l??~S`%Qja@2JoMVpe(9+g7=^r5 zpuEgJw|MWVk1cSs8h?y!kO90gg(1C|KiVb!w_oZ%S3r~ECF0l8XMI|%@88r9O4+B= zP}=k^)TDLui|lT5Ue~k?>=Xh-BI*o47wt$$5_h+2i`51=x`flDY{a&RZSPl3PeA?B zJg%oY3-adH<(8>U7VJ!j1+^2TCf?Iu^AhM)6vY9MddSz-2$XgRfD)KYCdVVeLY?rU z&CRjls2Hab_#q(a<(3Rx6HCO!4c#^5jW=`|B-8 zvxcDTX+tiiCay`rN`5zi$4!L6DiEP)Iibv^*rEYOYJ4{7J&N0fz?@{*L4x&n6ZflX zDPX9U>Lf$P7(bm+isWEGya{UA4hWb;3xYYpO30z4yUv&IK+~kkmn>wMWH&ELe+f1xb`BU&+sU>#}bX2dj?8$vO2t!$G5XTGYq zq?!j}RJ8P*KF;~a@Ci(4b#yEsdmZM6|^2P)xbo^>J zDY)fWtnU>oRE|OHeq43)tS6@0=Q4J)B>7sY@z}->{w$5YV}mO{JTfPnq$C)Jl{RB) zMj$g%+87ZT4#%b^?#nfMLHPBK;AtMMUnnQ8-<=q^fPbE4`+j7IJNB%RVz)m#!ZQ9E z(v~b@NLd#jdSirTyJK@Y&Iw$t(Te%#l{#eEs3uaU)n!PKo!McpA#d zgQW)+b*$w$!>Bi>VkYi1MqC_)VMGgyQJAw5$#l4(%fZmRp`x7fRTpO+Gd*UBB3LZK zF*FMe>?ZUAa#eOnDv+(=hS8C)svw2x6#T_U#Rp^b_DgW2AO znDr5HOy!0-JjsiFu@hrKPJ~(v*bkN34cJ?kPiqZgKXM~o+kG%7VHg~iH;@g@Ez}sy zdor8rVROJidQKF2a|{<6)lauVtjxSJNAlY5VnhlEE!TVBy|H!NZpI9` z#)*!&pK!!ZQby8@MeRrGYS=qQMJpVQEJLLuDHqQq=&nGzI7hl_AIA@w3kbT;i%`A& zThuGD)R{1TxLkTq+8E7$ZG)sUv)A|c;oA(uOM9zDy{I~tu~8JtE7$$o0t{HY97p)# znvJ1uXv|7@h}y`AtF_#8kQ4*%PU%l9SPLQP{VaBIg13{_qZ$CG<3bv$9#Oe-f;*kt zSxd&E5iRsP%4%vvmRXvG{lkH$#uEzS8Mi^+$2(&Xu{JRr#?0%(1qa#~H?t-B3RmzF znXzNWr_=6?BBA!+FyAnvf+5%)t#m~%neY#qzdQqDo&APnxQP?#Gy3hbp49lJvCgNE zr@X(EfGZg{fvV9hcTCegln@iInFG8SRMW%8okEl=OF&j7wP7=cEug^3oJvVsI^p;l z4ASFiSeQ3HwxvNq>4qOA;n6U_s=Uo^$OGvEG|uSW{*eEB5Y~rWRWCG=qNmhs17Hsc zOr!ebnJ%{jrAO_gjLI}+JQE&iWnnSAG~iAD-P!$MtB~kDB5Pug0MIRHtTGzJ6xcF19&|Q;p5|N|ipo-Z2E?A!2dAk?dd*p1s zM`B#+Q~^kcDn%}*3loNuOyd9!Sm= z?-T1KZVhoglDjJp2auhGp@ZDoE&hB_W5^Z11J}IrcJVn^9`Ok7ir7rQ1(t3LS}T86 zVMBkycI&JSIy=f;k`Yw`GZQ1DRx3=6%><>lbB-+hC{ z=Brp!J5|&nY4{{s+|A!m60aRE!99rAbi&OaX_3agh)FTb$h)f%boq*xhQEjR)hvw^ZE(l$x)J<;x`?fX>ekHV z9sJ~qv8x`(h>R#lQh0ca1m^Lbo93(z$`+oreo`(5+w<1Os}wxipfmrFvM!U;&bRm8 zA{HIG>4a#7O{?Jq-6W?dAAFo?@}kj567$yGSwR^m6vcP`wP2~n*@I+kVZ;TsgYSa^ zelmCXKA8&)Iv072(1}dv$h=t6i6q1uqPO#U*3^dhidhbJm0@}yaxotmJDF5)e0BxF zi=zNC1&Jf-kBxJMoAZ#wp|e)x_{LNpYN# zSXfqQN*2Nm??21aMkLXtzRd#ol0m2y%Lqg4xIHm~gb=N}6iuDPfM}#mmUWPwHQbdb zL8fSV*oXmQLZm)*bV!bOyVC%apU+gY0;^AqGt*k!eA^xkphOJ7gN}!Ed#~7JD-&pCLk2#1$A){Oqwj+!OxvHH%Z$97YNDX*26Fw`rfEIF z$Z85*cZo@#KG{P0oUWcv zS$w&OmjkU6ZkGLb1L#(b6p-UbsVueb_Brg|0LSidA7S_L`U1EcWG=|@H`}nY@SwZw zhSHrBf5oVB2h82MekqdsNd_X#r^{c+9Q%#vk$|Ttup3`k?dhta%0@GFRcGVaLPv@I z-ntP}{&9tJAsZ%#OjfGDWA%+aaSup3I+MDuyOu9$q6@CKkT7Ii89iwj2C*if{9J z*!S;658HcsP!bh;Wch-s&TEf-ZnYe`%g%|SGc~V(&wElNU%8d7K7VH{?f*opGI>rr zQJChb{rZyqSV>}d4LLCT;kgcfE}o0{2s(<{_};1ZZM+ep+Lr3wcx$(7ckqKYOMpEp)r^=Sfmweh8 zDX_2Go|v7&gG(*YJlnqb@{$?~j!SdcB>%l#-{kEdE4YTm{=_i%6NCEK5gHv%GAgd? zDc=VX*rLf9q%|p19S({gd2&IPF>x77EBrY5r^}7x_fm5rh5B}%vec>-yz$~)&!Ur# z6#T+kyWgl!DFTHJX}mpFkO(}pK+zy&M9s|3ks=J62d29HO?Ef6IRfGcEN#(ttYd;b zn`iznRhi*9%VB7mwaF}U*mpVI}!4C9X6;anqVds{{s!H9L&)4Zo zYI)yW(nv7^Bnwom+!UC;FqL~iKKF(HQUDkdjqW~EzX1GTjRdF>*1-RBi)0+SWJ9%M zDhG}3@Kj?cnbJGPRX9l*$Wr5c&8!&v?%h)`KNSgiyp&P@_5SNG_IhtAb^Z3v8LC53#&N`M_b@H7L$~wkVuR0%6?Vb)><_lx)K^{N$hUcy(MtkMt zxe${Z9UAk3P}nwI<6c?8>TtixFH4bp;+a7lVEX87^BzFw7~p5jP_y35wvyz#`cT}0 zTkEFOzXEpZJhW8vDKJji7*aVnrO6+q3Ca?ee9Iz9})#_!mH!Y&;*6 z`cwkBd}5pN!az$etKaUeH$A^d5^j_^%nTp)PT=+35I~I%_vGzaG5*pQJ@L6t#m7vp zpGg!>Uh46@{qAhPTKlQ6$cyuPf*d_f$E;|5uRgKxCy5qrUxyA?Cb_SU4B}1iz@woC zHJ!M^p_G{MgLF`UMaq~ls*nST6c{$%Mv0M=m<3CE$G#RD=Ke4whcy-p#TA;}S4z)h zSf+4Ju$FgPsm9wEswSR|6PLkU)zWyAL@+jJK5yU@{G=GFIrT2rTqZ`#1PRUG-4y53 zCiys3iFbeHB_H#w*kf>&$@-edEjS&AT(WUzv!JUI_;g^29Ig z32iK{msj2+_1!~)&F=c6*w=K1D?SX$YvK*tT4UxSVnBsuW=}bqiSIaoZQLX&fdF?2`qv5whyG(CQz%A~2IS-_XHGIET zx-|!tYwYjK*WU4b=_esWuM&kd7bsz8=FuwANlcUJF2kKW#j2&Zkf|2413f`W`q+2m z>;9|7zsDy0br4NM^D0Y*)+()Z=7gjSv0G%d*EipRb&;(9}p71AZw`I!2DIeI~6z;E|gLtYgqg zE{w+tY`^9e*4drCW`TVn4fOqNK#R|*lQ~(^no>m->lbdyEdXnhmy2G`mJ2w2f>81P4^gvGMG}G$`AJyRn93 z1z~@{i5&z`K5Tt7(h;?-gWtgdsZxb%F`+QcF3+$48PcUG@LA)Y@8~%IJZyjAcYjP9 zEOaMX?qRvH(I-(@(zr`If5A`zK=oiIiBWDBGcz*0rve;lI!P1~zQzRa2i%`1l$6aG zKqq?!F8EU_^1qiZUjk|3TzVjg(dIjm2SA@hw9N5iIadrqGkx)hCXw|nUVuaOqf7me zT%>zPY{QofGTNr_fzoj`m+z=0-y4@B?}@HA9!L!6@Q*Ao6vpacMm@h3X$%?Lx#O%u zSzlVUEmf_seSazskoa<1*BDHUnx{dck1#@;WHnf9nAfV0qQqY}W*2_G`Emv6(7X{)e=#y`FB)KGJ?Ep7eXp7w)Vdpxl^7C|+7-4UV z_~oqi_N;ZyeeIaWfWEBTrGx=vBy>|CProLv+-|6&>>#V;vmGY$3$@evtY(5-Nf4DT zQNfjP>U<}btWH#2)|+P&ypLzZa0floEH9*s&2wZwaK#!~WT_^!K`yPZxJ$E3QEvM# zcZY1ERwnac+wq>j#3lQ*MEF>R>+6B+Pwc~SgLfJUj@adHmb`Qw^73i%0pFQPX;?{n z3-+w=ZWlkB1G$Y>C(A!QJD_qn#b9)TJz1eMw(k(_>y?S(n|a~!`3B*mgOv&r zdD^1MQ0!niv{@#tMw!3Uk39|wLu=*&S*A{HC&nRsTI1j{v+8JqfS4IyniV^ggR ztX_KGL{VRss?XD3n0d8NMIaCBJ}&yCc5w5~V=3^}Bh}8K zt=V+^9Y{oniu6!vBF)s^Ne=UdHDTJOZI0W`=juq0vLkq5wW9rnNno80FDbY>5C_!| zJ}cFOSJJ@&2iw8d#M^=*rAifVj4QTT_h75&(R9< z8CUlU0D{=$j(82yIbGMoKBT8?U&i_sTmGK}2 zxXDmP7qF)w=em_2D%2;(RM=yr?fdfs(F@d~Wb3-sE}6x+cLeXjj<4gO5VZ!DrexDJ zud9(jH)DM;Ax~(KP)6xuy7+7Tbz=cpv?y;NUwa(z##$m1i;~GLjUGFb#XW1s7Ts3} zu!vIE`4V{ysAI0$QOff~Fv;+Z4>I`C==kL>QX!Ev;7mqvuQ1B^d|?xr2@~XOJ)JO_ z_=$6uqtyDjjm&?*vLSwG#uw4#aX@$HY?Rp*vx)g19Lh8pV=4JcWEa*Nz!(_H`GlNr2 z-lSq>BXa1INx>c1_+6&8*iYWgCW+!L;Ssw@xqebQvyuB0Z?qr%d|}A}W#!7j)akf7 z-(*3wZ=^7cCv?DmxW6~vk`9V!gSfob_JEP@Fe%1Nltr_w4Hfvxux&=eNTm)Y6=RtP z)7B>N*?d`1-3X3Ryt~JO*ezZs!TtEQnD9J@Q7nAO{u}(SLxmTksn(7yiUTdl1)9wg}G)M3r}Q@IY+?=q#&++PZnkWrK zee&*QBx)W2oCewyG%}H=AKztyemSpW;=SRC{F(Q&+H6$Q<}v}lFI@&NTRcNqb;mRh z5cc{3Uo^zE);s7x^ZXdE+J4t6sVT}NC5bHy%E^}~P<_V^lOXQh!9l{pE6kO?pt<_H zAkl1on|=g^LD(P}D8R83^(I3LeEJe2Z|eXOFLld!uA)saDc!X|%D%|ekj zrv2fh{Cae2iN(ZYxH?Znm3b(m1uZMw$~N3^Z(9VGNM;K>M!4uyCDY~3m#`Uz+nNB_ z7+62%@J zx)*4`t6NY8M%}b@^ErlxgBoNJ09zgf<(R|X)}o1&x2=6GE!~kL1FLC#2G?odQ9bl$ zSZhqDN(e7F9s6A%K7d*n>N%~&^M&jdG|;KXLu;EY zE2kTT>11%lzbd=Ojx zOORZDS&7*jUJK1-TV?X{{B||=K09etKzwzU?c|O!A+iWrMZ>dcScU+y*ZqT$8pa** zg4_7%NFRLDd%h7D{CI@&V~8^=7xR0EOD~YJ0U;U7UuxQG+P?_Y*3=7JNey}bwvOv_ zK;K!q>k)=yzOa(~3Ev@!?i)gJRm4Zt?+fw?63-py5L zEtd7tYKfGa)uV|L@WWGm`OdJh*~@GWj&4=;U3$Ra(ND~=9s#UL@BEh!MTCXFflo{- zbSrNKPf9h7x_$m%Q6t3{0h`twdwzy!rJYUVA%j|G#{%fQ(V#!P0uLP(6ouzYT$GXO zBQu`nGm>r>)^@)4DGw3eR>JyFMXiLCZk{$1%IL3xbQtD_u}yiD4{Q^p87ellU92B( zE%`512x1O|NE=Lqz znAuD0xZsg}FBp$1H61K4oD;7oeJ8=)K5_?FcrYU2M72%pPl8YV_<`IwIBO$C{Y;4rRWBVEtwiy;ypEgp~itte}aMv^AtPG>x0snx8Nj zni*?uu4zQNVK*buH(>=tvefe;Vw1O{>GoXaxn#iB^{83z&{GKBzNXS%7Dpak#W+9S zx^Suk#Xjb0$1iyr?`JPykHPxdvx|O26k5Ao>aLz=wadjVgYZCIBXxnSh@{vHuGca0 zzVs&nLp)oO;^p}uhrV!DdTGeM+cksY-pw@7 z(W|acboEk%-aht>VV?bDUUE&XqQxLuG?|Rh7OrR^LZe3Gd9MgakF2VxZu*O?Bt|?^ zc8%(Gl3{nTna4!Dn;6LcxGHlbAH`<+{IQ3l5lk3`ELU99f7W)i##EjGy)%w&rL3@7 z;OB-u*CE>`vbdg8KJ1O!NsOtr*bieuN?Wd2FI^<96%`$?DTuC)g9wcYig4-AnYv_D zWmbOGdi8U`%>{CD;W4_<%7|BL9tTE}uDvIR{Gqj!EUZ@u$rc{{(}$fMzk|=(H9O)H zy0?C4aF02T&`DcxvaqsR4VB+!$`mg|cUMO+^p`IfB`GwL^WS^^c&l4)`q(H9Xb;y` zJ!eW7{l>)aOJeDT<`6|h+l;i&^#iB+eH}yBr7Ne*O^fFTlQG?f&LQkPV&-)cC#!O6 zhuztIQYicTfD0I{=3jzyRSG5-)U1lTssfG;<-mOJfPbNT7>E_^lVAV2MasWoB>$x# z4d7CDpC4n5$IV6)Im!zqukqaLJzIKJT3p|bmFIH_^1j_tdq#Sx#K#Vfi<52LAjK$)ZeA&>DCdyzH`yEv<wy!#A&9{e0vIJw5%3Z_2%xJ=Uc&t-iTvqbxy&381e3(AxSyXsxumdbI8h z7{GNG`0DH%w+s5O(|61JA$=uc-DSf_uxKmxP)!agxZQrI?kJwgjom&&-%ES3)Z&q>w+JBc- zy@tJmp_6EHYFPCwM)kJL~TX$dXieK`BqgLc>P=mvDeSHw;^2%#Xkg{lIyIq?+4!B~3H4xaTq3r9an?V^OM3nIyx(=O#dNm~ z3va>3VERQ7!-sz31Fyk`Ql+XrjzsSTg@nA`yjtV2c)t~WfxV=PH2!0PaO0f*^4IcD zxRmPewy0C7j!9E*!#3{*K@v;-W+c-}VSc$v1cQgFTQfE@h7y6Paq$M>5x3sOXz zMmEH^pIWJ@Pwrdf1s%>hV&IByC1O4>(K(o)=#*Vj)LM(s)|OqSNhmIE$pv+-%lmY! z6>6fA!rMpsf%eh}PJF|w*}vhYsu+obOI%O`^4ya`sRwt43zDW~#pc{DoLC`>KHDr! z%yF#Xs)`K2Hdw@$Irrj%dXiCZpI`(`nEakz+RXAHHcsz>PX!5RY zL0apFpUqM^k#}nWcnXtG{oak0>SIsaIU6^5cU_mhkRA4FH{f4LUHteT_uPCsxX$?9 z;bazE%3k776vx+P(?mg1I1H+}#lAcshN|jlB?K#zkdW*Ex$ef?w-HF(vg0gVe~4R( z2+1NzCevP*)pn({23<7fGhZ0yz z9$PD`HJIxm33nj=J|yRM{1LTMen9~_WIu1U-un_}V^BQo@lOr({^cC$=a-KllFZDV zP0vVjFhbu|Pss>LOllPj4O2C@Ff}y|M!gF64Kqv?wFU(7apqhpFL1I~2cFh8RZpKC z$r7!)oQ>x7%y-@2tb3EbeHR`lz+mvAWex(a72ltZ7Y}}-Cl>{T;YxS}Ocqq(}(6tLhM2a$MMH<@UPc>X>^HsF87n_3sWC8OOr|FS<29s6{A|s`ur#ELX zGMLy;b(7HwnFUHcD=n{?=*d+Sid}<|6RR7J8l#Fg+P$oNkjb@uQV?98r2G|h%O1rK zZOt{YB{<>*;pDBi-Zb~#OE+P#^Q&8PM_?b2Dc*jOcUoS>%<*n!&D3!vn}|et_baJE z5u)Lig|0@!;O1tW6EL!JXn5vjpoc4j{%)=cw>xW&nHOnvJ~&RHL4H+dzW(}3od?s~ z0bS~iCJvWY3ImJqvB9N@1LnnD*m30mb=Gvl`W!~A`$)a@F#43S^=J;^McV-B*sVAi zwqfC%!|K}5rTYh8<~mG2oT|ktdoCuzbsD{9#qw$rFD?L0AG~x=F98uXOWiY*siFHJbR!oF8OL|!NFyWxjuBPl z9_{>WiBLrTeXh99m=a7%L_)P=?5!U{o+~n?t?%h3aB((K(k+OHTmJ8N<3aX=P!X#J zT~GsBv{9A)=>5XxOx@fV!q#@C?)e^2p9;+E?V?!*BBBDPCiI8|5%9`eT!66qj8kxB z@_$}$7^d$3-N|d#KoHMVMOyYiMpl*x8xkHaV7EuPgXm9YrKbJ3tH;8{HCPalZ>OU( zk-qidG$sZK(qK@30x`G}1UXku^E0HqM%95w9ipbD_5zeac*4R`FN@qvjR*;1=uhD3 zKn_VCw*@7mrhLAnsj~AS5J_7(g)2$=8&cF-nws-sN5aS=)WeU8>0q!u$!$DW-ILiXtrGy z20_`*O;U!~-eJ5(p}T_5`DeJ8vyZ`FrbMi|e4ZvJ*a-A*9jXT#Zne@5n~>nz@Qva+B?A2Ny8^&_^mEG&Y%p|z4}>Nd9NwGZ12GrGo``~|mAmG;G^ zjQWE%x4zJ(b<|EiqUkIw6*7$9|^CwgF%l`h9 zwlF@qU{FB#Psog>^7tkqfYlPMiFRf@1QS zrVTJ_+>PL4)3?zrvfe6GZAx2mky_g4 z)a2X>ZcxT3);rm)B^sUz%eWy4yqh$8l49&Nx9k{8Sgz$Zq_@rKA7_f+zdDOaF>s&O z>*-xX9 z110%exEXy=H>Q^B8Q}eRst-3vjTAw8tmdG%mp`{i?G~F7RyOafsJE(U%uU z*oR&o=ndS=U-6Z2o7+J?8^2Ce+ZT4o-Vd2nUr|t!!B|*>!S3g*T+QBXBc237B7o)D z7*D;}Gm8S*ZCIEaD#PiwRDnuwTwIt zy3Jt=0HH8^@;uxggYY=S*nFS{d zq7#|Cn~w0!L?bOEzQGn;ov@q2WmpbfEAe=(cl^k3$?Hc&B7Nl&NJi;d$}gCd79xIr zUJ;Hy$t@zuJ)T7dpG%d~dXx1|&4pVIS?TH0ExW0xF974HJx)UBy?%pBerqrv>Fht>#SUUDMh|rf+up%hOa0!5@Y6fW0 z?r=TgaWcBn-D$UU=NGl~KYw{u>I%T$rkluX79tXivo!%a64eY09smIqH4w;wu;sD5 zyrPd!lTs3Y53%+dZaW(ZL&XJfn90>?xM~(NGj~m@7aP_pMXAmBD<#9H>`W+*uE@}O&D~ias@GEM-r>&IeBLiHz3(qTB|UB zsFqk+#vZBAZS@RF2&Y(by}+c~J;3vtC^ZL&y^#oLx|Z0u5fbWkKLGK;3yx-P8s3Y2 z7u_g(Ff}c==%~8T$23U$? zCTIeL8#ca4&rE0RP<`=+U(asEjPD+hE=nLC+`c_K?>69TApvL&SfzL{3BEsx+ywdb z&{~WXX;ZbOOHh!sImZFLay`JPp~cPh>K4oWF*I)YHCQdmuge~z!PYBw`wTTSd$+M@ zPwvm6TJG0Z-c;1l31rT*cxtKRe$U$MslP-?(`wVwfR1Ht2U8}q0F!)gn6E|Ri?7QM z!uP8ORw73WdqbC3)A}>%p}6i-r_{yqK_7kkqtep)BOd{@y{GbC4hsM(W_H#b>hVYf zh&ehZS=6B~bysJW)7PQiQKF#LqYM=$XR+zv$9-#&+*`OJwogBL34;*EZMgS zx|Dj$ebINJs7r^{E3>VT0L|)Jf8W8axxJ90#;r>9N!q+GN58W3(GO1VQ|bFavuB0R z3Lli`s`67O(4zFpBGs?maQ}wxP+{>Pr-Bo!t#T#Cw3h*Qx(Dcc?}q_I&t2t@PPv)^ z^$ZCKQECL5jCujye?_(j4>nI9(f%uO;-Z|iU)nRZ1=5UUZj;x*C{qwHgMtlcagGBf z2=xJNuZF-qaBw&S^VZf@9fNgAZm0w-r7R~U!-SL7KrqJ7l)Z)!Ez|jsL|%s;m%_EF zn=A3XM|naGM^ztI$>=>+JX&B0Vp86z*%n?zElO!|ET?Yp`2I-gjr5W3*^K8?r{#li z<1NA3!cv0=+ZW4ATJV^tzTIbegWMSTmi2xH9A2$Y9`#~5s_*869VoVGPkXj(cuZ*GcmZH)rtz<<_1_`x^loKU@k13OwlyiL zOE^hBrSO!Bg?+8w#mc3pxenGdW!+iYvC*EGRktwf%g#@9(`WBj<|wJDUVnC z4NDu54Sgcnu%lkr+FO41E~i=iK!mFZwmm*@GJ-q>F?NwXaK|m(W@FzxY9e|6_69bk zN@3_QT1%5N#q~5XQ>>(ZmaeP*6ET^~K(T3WNV8O5wckAjPp1~z$=wp0^`)u@x^DFt z#Cnw{`^(-GmXdNUS%fEMEU!4XIb2z(W~1dkncV7pR5fg}5%49S$_;2V0s)!ll?pbB zm4KK&&A;Vl$ll8aRLj45`5i@e< zUXbbD8*_46G)m9RlmVExrI2)lcx3=?8~QD}oYnWA03S8GrNzh@3}(4^?~Ch43w?J0 zQTJ>wcIQ-Aj|sSOhxa>dedsIEwO5_Lb#3X^Im@g3_bXY^qyO%~Y%l`m9dRceUcRIs<>`ohf0{$%b$tcCL z4oVS8K|W0PpxR=ZEdN2N6P=WqT+Im_I>X*rLr+f9r(a{c^&f-$I|&toU~&v-fRa9I=T(9XC7bsy+@A zSB1nCrSK>6@=Z6<)4Ai6U{d7IUlNQfLnV5|UD|eZS8Arpyf$*SDv(`c=K816Nog-( z5KTNM4u9^kY7+F^QG=ufoPpls;my(%ChAOlP=DuL{y_Q4%c@nx~*HTlv6H z0%r4NZVSmRQF=aLRmXF=A3Y?XY37VP@NJycf85c*FFw9I=)WGq*$QSwE3Ra(8L8h$ z5wpk8!E2SR9XR9b4sJAZ+3Z|79F;n$wdB@W52Q_Oo}gnc#D{y~ZhN16{@AqFiRCqI zQ_#M)V8(EiKs#MIdB9gZY}CGY*k{%j!k$y!BIoAdtGuI17q^>7ns^M(9gMDq&04*$ zzE2`B>tCz|MW74xC7I3+Ek*T!uLgC!;96Suz~(i`yHNLFLLg?hjT>N}51AHKSdNMIBnoPiHeup4Vks0glv1+ISDuV#C(2pQ^MiGqa8@>T^(5JA z($IZr!_bX(!bzY&KHz~7xL6_-as1=JAF~M==zZ3NP@$V+;S0wEmsTtS^h;xQXb9lG z!~*m;y`fw!mN;3R7D96~vz}CUw^j!<3WM71ff?-m>Sp|*2=m{R@zVs^DvqPA9IR|` z@#k3RKU%qnuVhI-eCQ82DGKK1x!HMnif@^ey7jbNU8`^0ys6;nSwBWmW`|3>V`Xg{ z_vIro6x`BiQak8tVPWeNHsg4_JirOvFX*Kf)9DlWo^cF~cJM{14{-7sD|AfnjcI!> zQF48O;r8iaWlBs>P#q%Lbw@>A$l~CfZ^WaOy@w-@<<5cLWSiCD$J~67%2qK-J%&NQ zBLc+?o?z`t{MQoMocp?AXJ~>HDRLXoBtCbmgzt9HI=wXSO%hMswopz@fr`Dr)WGo6 z)Lo8#4)W_Xc5d!2E=kkUhJD7$#nq(fIlbMzD(vocnx!o0I_aZf%%DXp`uQOgg=>?1 z$&LA(_L4vY&(#5cjb{Sm>rezZB#7-`blQ#=bagkqEnQ3aV}w-Qao{Ed^$}tToHE`r z@}EzxI8~*N?fcEF+7cGEd?Pjh6P7ja4o72?8e2+w*_Dv(lbod^@@{km(Ze@< z-3ADc!yaf~D#jN!7N7Ki$%d~%wmC)Y{TBTG^5?^Wl2A22L=NjxfRJCWr1q01AAJte z9KM|5PC%QIh2#|1x#Eq$jbocm`ughgmxwo=(#uV!QqoReO`fcepfjky3VAk&eRLbH zI^6k;!pTidPlvS%9h~}sS`H=#mrA%!8zpMB_@CH!oy4y6Rd>iQR$I`=(4cThHmc5g zaiH@7B>`bw#>zy;MMOJ#;-z+sTjWf}<@NQ?@6etP8Sq3qc#llFjNxO`rfcR!py&Ol z(Ym^NtD?0QOyc4OX9afkYq`nHQc@sJgF0gZtDvO8NucC}gNk(mtF#q z^`CcwFUm4{_!!*P{tb%pGijz&PcJWj4iLO?0KElio3oAD5ws$AfGW0lfFd#h0+jdB zMmb7tP+#2?wbwM922yk)?iHWLgc7>0xB3nt=JVdC2?cD5ii-LmQH8sm8Q`5^J_n4z z*BL*ghW`l;sD}@SoWM51)3e=5eG3=AzH8~obF&j+c4)4e70m`s2ArRI_ zKi+?KxWSHk`dGKx230jFQeoRK-stdOA{wZH=j0IFk(Kuk5v880x9NLm5f9pzme?4G z7J>H-_!hRbd8lf~jp_8ivgc|>lX|!0c8Q8KAPgI~RC9`cG{MS78_8 z5c+BDg!ut?BmUQhjj(FJX+pLEsV(pvF7SAbfV!)0`*U{_GHb90;zB>&_}I&I3sqxLIx(jz;_fRcx9J+RE`%i>=d;qp!p%#>s_HVY$eTuwf`AiK0Y1Yut zcw%LhKRP=4#KvYLGEJQoelkuEMF>~rA-Hcz7{ep7oN-DfrEMOf$oBddhm#nF*bZ-1 zs}T!NFjngj<8Y!7a=Ae^T%5@IdwN7+!N=Vh7OvAZy2Bxt?i7a1f^XM`!X1 z6$oF2z9*Uig19{d_K0g5d9$;@Ah9*MRf*lqD(&<0*@cyqNrLe8_4Jm%rCr}?kEYq2 z_4D}d*+@@Len-l8l_9Jw|Dqeb9N*$`2d?N?O?!lKIcIF8kNzcK)i?qKs>k^gyr(B8 zt&~R=(I&yk0;`LlgEAlo98k|S{%9@CJO9a%hr%Q#Mphhz6t zqx@=~tZz^so!C|YdDcq%e#~4h)_nD2DR+|vgQsB{-)m8C_U1R?Xt$ZY3-M2Y%&Wx9 zKAJg`T=W3_{WqR-{-pzvz%YY5unz-_qKJs%($lB(jVS0@#(2^WHa$JPv=vVu-yO~) z0i=j~)7%bWsBT2JqUsDn09IY=HwQ$}zDw{KsKTc8**Jt*RZow+omVWisa`mkUPaBl zBw&;s+dytO^)%Q6aOJfjlTW zBi?YS8c^X;qS>KvZw^m4dYFYp;$c+Ob!KMf3F7hf z$cm^-Y+u;7Z+$^X1T?Z*SO+O3rg1zUB2!b-Fd;aNO$OJ?@6RMPdK4@v^~79aI)~aT z-!;1JA;G{Fm6mu1OsO23+jVmijc%C>Lf5MrIy>`)ZxF}V)VKjyn#bUN&Vfw*plR!m z_wHZXmn%0R)Iq!Liw?a(@io&BEwgQw%H?s@qUcufeeKEW<;bzEDZ(8+Leq7Fv(yZ@ z#DDzQ8${@pmLbj=iE-nm_xD9z%}HzpV=%g>pGQs?l8(4ekK>xqC+3w7Z56kocz85b zsBULksP55zTuCy16+Y;5Y!Q_bXGT9eJj0CfL!_M_xN*?oY{3zCaZ)`yw?c_CMa0@x z5#KNBb{Y>5=O91!zyQk*7k9!|ElM zR8jZDY^8*I2mq>PHqFVp7C*h)ufu4i8y&t|+cRl;oLy1%ZAu{BuE7aZakoF_$H#j^ z=ek3p@YvYD?s}Juetp{2oO*wr?D4<^cn!LZ+FaYz8xFrdq)cA6QPpdr30lzBnIQ;#zBxh-qg~X3q35zKM-Ljnkaxx00 zTazO!cRAZ!qmHK5&j%mZ-_88jpwAyR4SS5hScR+Hf18r}KWP4c9ucT~mp?u6)-AIQ z@>xo=Vdh|}?|!$jLA^9)0cV*hmA~zFcHw9K%xdWCPdb#}b+4Y#4fLk6fa8tE7dstV z4=mpwPyC51BsiNZB7Kkdzo#Jm>zzqM@rc|~uR*MIeb;=RK2?o8=oGfHw~cE*;bm)j zcK^^KL z?DF!VN+_E6`rC*ILG2q13{ve{UCzJtCAmUrdHHTjL(vU-d^|BB23maWHWo&1!3%qX z!Qa1sFZXmZ7)!t4AxWtGg+TVfx4F3$(E!QHeOJv2(?zdI?0{kk1mEh6T97f=>B?`r zWB;>(zxybR$v+*ajdqQTi3!V6q)&~vo?!*gPuJMdq*8t=_*ZQ`Pav1_3dm(^YYQ!m zcfJ1U#;6AIfVg`=%SlyL)x*Iyg1@izA2Jg^fB2i9|2G^%JK4{#{oS1W%WK>kc!9el zu@83t)5bpTJ-jwqze@wZ`wxH78=oeCNoo$8aMO}&KTFL|3;0tO@%JprANk1lI{=fe zJ6WX2h5uM6epgz4egn86V&vu~?Xh+b#ecf^e{^lRJMr2cK71(ab17H;&#cWK_^$Eh zWrFuu#idKXCHsHnZc%ype;*ha$dI~h@kh4x4_x~1e#AKJG6B(r3*p;}OFMt%E&SGX zpWRl5)P?{3d)hqnzR)Nh?YIB7h54gm_g|lLBqNaFY8MgyOicb(;mL>5TbEgQypsau zyPsOVtf~?ac%rWSCMH$%UJekwl-J)N)^ma@K8*;8s-CP@8yRNS-yKv0d+WoANQ@s@ zI+lG^Ru+0+WMv;$ITnjeTYgbo4Zpnj>NzX77BokfEuWl>{61Z3s&iSD$LK8O&HtQL z>0b=xFZaBt4;-gX&Zhz4pNiOQq?n_%jW`}YY?CY%HJxJ_9)89u4}!E`IocJm40I*D zwQ+b9qR1jBK4YM(W!og~X$g-ka!w;dV)EZ8_SdUwYkt8OtKHuarvw*c^{4{mQ$OiI z;xc7AmgZRE6EL#)xR(0)*yrvJI^6$D7AedDAPDPf!@eI(UvML_9e31l68fd$*>WIvg zRKm;J*QLJ8sS^5&WYrPynl3W4a~dtQx97|fQ*t>J#YY8sI231V9IFudMGARktpiwQ)eB8RefOOZ5#TR2uBKH*>h=P@de9v^BL(N?!I+u3qY7 zO|Y3Ta`c@TABMe?AJI#N?SQn6*a3rS4!bJo5L3}bh_GMpVC2?==9r`}#QY)}uQ(#9 zDL91s6PTWxwD{4Ef1A3`l_q{SM{a`QKkq#IXB$KH@f8YgNxy1KE0jqf!<6}QT)=Mx z<=8q9K`Qd2-9g@`4*CXLNvHqPO(BWDrn)z=K%vn4kv(uPkn=&oJ0Irz%!H5Rjw|_T z%~P)be0p}3O3T?6&4_|a=!{W{cSIj3ArtsOH7n5g+0PeRg1-HM*=WD$#Vz#ISX33&ax>Nb!yFv4$h7e_NP-_l|G?N#|- z*{)wX0_&jg0dVI(ot{!=NTsE zmNMQ91GnWqy^P$Z-o(DWLK3@DQ}a;wabTcAA=zH~L$3g~hh1&YO-zPg7Fm>mNzCa6 zO!t9IeOk_(LOSyE6VLY-77~ehB)LW(!-M~e9Q5zoOeKNGkRsksfy{#kr%8A{xt~nk zANmdD$B-te$os-{E40CRN5gaHn`EQ%Unj6Xw1F{DemQcJb(=Zyp&w#as@J>LohLDy z0mD`V@t$!7CnK3$AQsmtpLc^Pwt;wp3Ud*)J|wrE!4WsP;;U8@eCduq4cMto58E<; zcfX48atX}ZO1WCLrsS7YVa&R^dh#ea1*Tcq*_YnSlRoiz6gb0g8u3--X>3B7BN&Qv zKHc6?^E@1NVk;=Ee2;Q?{8>uWyXET>6`rehLhbYP6ZM+ZdiwotelSs17UeiIl^ETg zd~%w(YAq7R36L5ypu&Qyj7@1JD14Fn9siV`6{K-Dc+b60>*?$<`mkDHXVqTqfICj-3 zAMeGx4?trFBxTT<;pdvGC!@{AI%%K2eajy}!>?4DUZORiq1ijoemP28-K=y>`*FbZ zsGcnCaJa>A15$3$D9(+nPH>B5GHzFm>obFbXBYvy$~sEnlMa3!T3M58dc zh1GVTlCHf0Txn5vct2s#=W*i6+Umm*eaehBKL%bIj+-9pZAHOJBw2O9(VWnN21kU8Y207l$CfPRi!04j|ZrseCri#rzv|B2Kn8;w4fP# z5JWL$g`wUV!W~>L92st}br2ayX1kG}>)M6OL~JC0AZoRoXI0_Sp6lvp?7bL#9-!JuQS zA`06QC@0s44)(pLEI?t@ovQ+3yiQpvfVsf?olA_fjg)*>)aoi7^&P|m>Mrv)1i9Uv zb$GZtGBR5b>WN$vFi6Mw9o?LHe^#6Muh6IH+M(A z+>fc|u6q8e0o^@ci|)_KTqNv1=!x5&m=h7iwMKeM`r9DG7Cp7BtS!mHOjsi`Q=d<> zF@a=Ls{8nqnS%tBkK{>{-ME2wtJZ7Uhwn=0@NM@Hx_Z_{r`LBW8wXxW?soCz&L>FC z)jZ`7Tu5ezP2F}IH-^mdQ#pPhyLND$DZQ+d>D5}&4N?h)fh zgPA7DN4U{=LJ`~xjGGwq5cq-J&(TmSBmb9+$HkR5M#mf4u|*KOF89oi9F_`EvF>%= z4m9@Sfuf*q+KV^Y(?owJvhd4s>hHvE{L=VB_;e^kAtilul1boxy`R5fsV4qp2XkUOoAxw3h%gqrwLsxk2MV5_zonH6o)xk1 zf56|4JJLrcHGZQ&V!pK)R^-*Cw~iz%s%K^bbwN2K`)WGc><#9HmR}M|T!Hcw(=3Qo z%C5GcD~6%)9vJC7Ce`}#O`#!tYC*3Nd9v4@V>IvUm5L}R%${_5FTjoL>+=b|pc0}Q zQ%cq515`^{Yc7#J!hF!(UFy13X}B>gS4W0CDAr{7aS6k2W9e8d+dan%E-6YBep)DT zv)O&XQL5R(3yTl2_ZI&E6?2gQ24|Gyq}Rx$px8)cPNqNiEh`3<2jQ%&Y;E|uMW8|g zxTz3<<}}xjaMR|r6KpDA3S0^XZ$T-5|6b1=%$rj!%iEuLv{`#fj=7jH|JNCF4kLCu<$X0z+)HimHfwNl0^jUR(BrNzn>Hxk4Of=Ks8)+; zU4~UZUx&c&`&#_mo6vCs`>Tg=z-rCwp-H9gQ@_kDO3;WqHkywG+^~zoxMgDTLh1Tcjnfv-7e}p?D;M zeYM2FOX(YsnwK(h+ll292CoU3)+_gC$~)2&fphRD-=^b1`or0QD6++4i@TzC+nDOa z1e-Rz(|0}Ae-^Yqh&+EA@=1g6+8`vxr>obALnHR6(XziL^I9V=f z=(1&1O=25*y2d+1d@`b~q!8q3`*yo;OAE9UQ(tn3H%lxav(QrIl4Gfp5=Zyuu%h|< zNxDkbdGpqpW_q}T73;TGjlmdH)Ho*KN0q}1gV*+Q8u_-?F${Lo%&hEv%|IJ;M#GAFEXB&k zRuf-lh8Lj7NbPP|*r!$*dB=GddB*ez-N>}t@5nyr3H0rDU!@t8ZvlQcm74dUvDv;< zU^2Ralp9Awck`~zUANj(FJzeIL^=Qs@m)y(Hbm=Wo42#;?+h{1XEhO!18Qv zmGs`=+wj;uDik#NQD9)N57P-;S0*6f(dqMZf1=CtpTy-G!};O2M_B?2U2avihXz(< z-CQ|BFs+_9&8Q@NN#)v zoT~k63hNtT>E-wVX?n8XL&EEQC`f|Ew2aJAdPyIwVBQ5jE@*M4&0=;&m4JSJMrGM8 zyytV=uUC9x&6y&9Sn9rOR_wSar#F<|bTp29COo)rrIV$%w((|BUfg}!j^uomg8hpq zAjNg2MRp{%KCGysSvM^gx~r&Z7VnTtU*nyUH!HpoU#tp=IPSX$w;7TqCZVnBb?&Y& zmPBZE?8?cML96eQV0JYlVq&Le!|m*xa|?#;^(mG`^=D_Hlij;FS1}3Iq<%GkmFHh& zV&m;MhZ^Q68QOF~?z%h+kTRu0UV;LJM63<2Do| zd2LFRR8@Fz5B;xQB)t@O=8%DrczgtN;GAtTvNXf0zbq)|Z*)P%d$w=jIomfi&?0#D z!$r0d+|kY*k)tVfb9msSB8xDyhD!4;rBxA<^dq}O%ixUE@l@l>g@x+Oj91Bi`&=cS zL7C-(78MVAzVPPRZ>>gxkiM!@sXey%;%h@YNNGNh`YH|xDXo;G96SQaZnjK^NxxF8 zWKFgs!5mLUa5%T*PR&UrgbZlwXiqQRFq4z^*L>05UcCNxlAaAk%1FDKc_&P|_hT9N z@sG%KMxgJy=i)2|QO5LfKwuTyMYhak=D>U$yelQ|{6Qu%2kPqnwWa)rvo*AUL`>b(`S=387)oF&HMo4*ad1o6Cy z#jQW^YxJnEv>F!>KG_cNZa(@mbYj08_5S6oXDQ0YykQOXwcP^XnEraLH3BUNJ(gEM zFf-|(m?~E$0kV@cIOBOjz8Ddm}u-laD4IN}zGTy%4O3F$%A-ZPn&mWdP zG#(fBtMzJ5mGjV1&B>^)&NF1nY^|xEEOqUCBmZS)ls_>w>aNK4MRKbI`8Pq68JC-t z7p@3?Ev3^bd-38?HYCI|e{Bb@ZRk)d!LD^JaIEw^DfJ3McbzuFGwnDiYxdjJ0?cY! zRLqMOwi~?)d6GV7I>(2Zy}oLZ=|ONo04Ng-``I1wPa_Cfw^;^sb}24#_O@S3S6Wfg zHEf#b?Od_Z=KSL0WB0)A)G@xVgD~-yu7mYm*9ZT3-N8TEG43Nk5iXO_VB>`(OVjIX z6s#3@SU4r7FI>ApduLLSE53=2#sE7tvAc(#d7QlALzLs{RuxK!PwFacZ0k`s)3`_O z4dF@^zY82NTWI6^n$$_KZUUD5{SvZyxwrbE@2?5L7_-X7!I`$~!d!V_+^?i#B8=Lx zcs!?15=;RP^RV;ev+tWj&k`YK;fb+jPq=}Yw^iq@!Q@JhpaT(%=eWSzZ`z-rh`Q}j z`d*9Fn#9W z9!2qBCTEHPghkQ?wxEEN-1`|Fak~LBxxO@M8qEClAT1vbl6f5vhKf>t0l~l`Ps<{a z(uY%VH(^pYo;_1%DmO7PV&scfH-vPv_ZryQRk`o&tCD)q$^34<_-DBG^WXlHbpGRM zn3{hHbM^BEkGR=N={EmjUb8I{a@vKK&lw+{S1hDC^!QWyvTGjZ8D3v{&?u7&@+{o+ z!wISRu1DIyKU>c5f+Low&Rgr9#cV%d8}YsLNUkZpeH*iGgm-Ya>+>|iRY4{O$u`ot7%woD<9GyH>lz>6NTGFD@1JC)z3kCO1ZE6TZ0H(n-~J zk>N{Eb+;%xa5lP8y{vJ9t7yfExgTqmjz9Z^fz}&7zOeIkD8QGln-Pu&0GmTe#lhzD zo_A@XSFgW#;VpT~`)6ZktU(+|1s{v1HNkOg(RB^dCS^C3x7lF(`0h3w4QSM#It79S zG&8vd)!@VT6?u8LkU|3lNCx&Y)|_9a8~l+){cUJ_4lhgYQz}l-I<8;lnA|eIG!_6e z%-}Zb(u{eY?TS59cx2GdoqV?5=xa>boRX#$kM1%jn^Ml~=}zu1spixiG{MSc$I4&I z#4!` z#KtDVo~e@2d7p+a_Xc>-FB1N@Np8LZvf8@&evI{l@MiNkW2! z#5!YfZLOhi1EU`;*>=fJOu_+^Z%(LeP4&^YW)<;kOM_g5^v7+?kr?8EBgg7cfOpRL zLGXnXmbrtu)hlZwki3E;24+-B^e?dH_ty50>`R!c|MzXr$;HJ2RXeZeQ(@;sK|l+| z6Cka^0>&vkg;sZxVn)hu&y!WGW`Sb99F+Xv2XzxwIJ_o9yJ1c~qhsDv&wH>m2X0K_ z6FsXp9q@TadU@A#=?2p|`^V-r%?=Ju8HSjms;b&aL$OP{W*cwB8=EJH*_(WZZ!}88 z-FND$r$}$R{EbPaQUb0+Pe)@)M$ zceX@7cC(J)aD2V5D0i@!kXsaS2n2VcZUOPT!ZzF5{v_7?p&_@^pvt^WucwgIjTT5d zaZ*Zblr^gMJ~a~aIVb)tVZ$2xjC@^+fLoJ8@VbO~y|3-uokN_NcF)z)I=OMtc4}8Y zAmWy4u~^U7zylC0@OmOrE|8ON;uh8L@9le*_oijy<=a@5C)xgty^RSjZvHs%Ww=hy zNv%>MMRcIQXhGoKZ+Pz_8B+SVb|8)Zq4p=WpEvP$ljDEj4P*X`ff2c%E5>n`Z!k=< z(AnAXqB<~7o_J(~u2PV)#$g9Gb$KuQDt46HyeTq5XR{ge@ z%Fh>XI_kcA!1H>i%0SFD$Ux94g!TbPTvv@&Vp76`Nx5_*5I}B}CS0d2S^1Iutr}{p zRtxfJPZDIv0%T`a45l1nWxG7tscDLH>mi$;=nwM*;-?`PYE1E*$5qNcE018K|WrkMj0jieWfN>WR*cw zEQi$)&q{q&%ZxCpr`OqvC#?~{1jiC4fJ?u7lo+iQ%keYl592G-qRs{GL?e7oyvusa{++o7-_2ZY*C_lz%Z9@*-%UX(#mOAgX zHMI2@iB5MSN8>5b!gnLZ?smHq<*hXpRyZG}_$uN=fE>*RI0f+vKtz*X^G#%z1p8(L zdWhGC<1Hq2Js!>pd-qm04!RjChMrhs+zz`~;*(4}UI#4q^=b9^*?G%PiHaVH`(~4V zyVg3%W`*A2*Riv=ZpfBdj&>3o8)Q*BX8Hh`p{~^g|Gv<+blb&d$Z0rCaBj zZv04OB3ed^>;kcUxdclBGOsv%md86E$%t2V6{y$4kI`vlU+UVgyc)&wn9RGK%K$eK zPR!PtvOm14azh>h1W2_ap^Gs_W76W+y`T&e^~yN=Nd-QQXR4Wl*sn_(rMuPCs4e)` zEKm9%b7{}&&nVUZ_VsU(r`=(wKp4&K-CO15l7m?f(a8hQXthP}7k&yY+wX}8ni)9Z zw++uPVMWr)|H#qvPj>J(pK{j_5FgO!V=B7~tqSrZO-rRXSOvw|hkDk?qm$Tp*lv-h z#&Fsd_YWJWvn^YYDk{&{(<7+z#rTc;;1zAe$i`>-Ozu?vj!!>4FX=c#WU(XNX31oD z!rz?dh_84YeK}tb9>4>KjILVNTXoTTA}4NF&O)ovH9>I^Zr<*S-tM!=E5?tTeQQiZ z4J55X9`L^2f@_OzF4;vcdbEv_sxI7EJeswO2umY44_PLge7F>~~c^u!mWI zWEoO(%8Qi;G_`vf!e2cl5zPL1Nk4s|wB&9Xl(6xUy2{fMkb4UbW9{rzuzXggaSQ&u zFAPO9)~}4;KumIV^jAdkr!?=`KS~bMdD<_89ltDb1PTtBd~%p)FruX#9Lj0*B*D=Tx7bF zJxQ$0E`U_`mXe`KMZ71z_+jazC103wz(L5y#@A}m?mbPIjgsK_bxL{@(y?bEB;HvE zH>n~p33C>Zos*0Au5|Kce2Cj7`w;a)T%Y=$&I|GDOf0KI7{d(8U#!g!Q2HVk_1)Fg z701x|8 zC;K32lq}5DvsP`&a_XB6FKt*834|ME1s$!iKVy-&tJTuvVkVvIz4Jp-M9b)AWPOlV zREF34H3+&E0H5EaSoZ4~LM-6$4dY*E&3+b+f7eC&r|*W5`hQDLPai5*(*nAznlCXw zmV4^+=uxTZ$>c3E>h(eHu02`C2g1UP7&+BMa*Emae0(>4S>&H>&7Xba`-@8ips&$R zoCMdXME%hN5wDcyh9+-CdM0G+r#CZkW4cm4OplN#lKj~}`aLv3WrCNH8t55brr+*- zjVj?2kZPft@TV16!h5{$y0b3?qTktd#QUox>0g%4f1ZMv}O`zC=F+|SPdf_2(ItCG1s7Z+8|V~nWr+)16PuB3ZbV6 zm(#eR9EN`{^R=-5t1sfNLi{f9le84^8MWf#aHLf z;}H;FW0d}D9;~+F;o*)@m9D&h<*)wZ>Q*0~Kkp~;){gCe=hy$=#s97p{J)j|{iXT; zx!7o8F_tRh^!~R4f^(jCbm!n#d#hnTOrd9{HcVNSlVVzayy40YAiA0h^oZp&G&I;x zssm0>l9ZpXAO?p$9tk3$nQB&1-Kw6Y0e4(v{RV>P04(}Bw`GH}ySlpefHvi-<9e6R zsH)k}2LHd-+%W!t1NKIxUE4&OI&!5Shj3ZXt{m><85z#z85vofUjzf=PNuyb<)?nE zt?x}8S&Womr*~{1#k|I!Ubz7Cv~wQ@5Sr-&d{{CKm^tr8v*gP+A3Qld89Yttr!#rI zMRKsw)9iNn)zjlJX+KCjFpE76m@5qoW@9?G#LAA{vqJs$dHp8rs?x{kgfhqu;(g^Lg4FPoOgDo*!TL;4e4&JZDx}Znp8VCJA-Q zO|H5_2Wawey8o85jp*}!-ssJz)z#Jcxw&`o=c=sKQ8Kj^M`zb*da^1n z)tii&bq5`7Ru1meD4>W_KBCl6mb$TjvABE#<83K=ZPY__^FuGR)T}nHL01f>KUbo| z*N_bxz`&8YCScLx0cI(lhqfp0cEnp*SKbgeG6YhY`D+nm1fy$dEJW<`-2^P%r`rb>(1_Zs>4!d7f5N zDVHm~nA?M5-O5}pyZq11DNnrZwy$yST|AFcgL+&MeE7Q->-R6a^ppbocP@bcFVVh7 zcI}6D`_L)1W&mLxOFWjFGf*;^gjQDoTylr!hR z1?>sYW@H0~M@9FI`zF)tJyCVSD^!sSCuh=BUS7_p?mF4*RP)2C*k!D8)uy$)CZ$<` z686`Dn!hbq@kQbT8|6F(gT@y)Wvlkp{C*Yk+rI7++pRfWxpDa2cb?eycTo;cT?JXY z`DwfQAjIHL$-2hVDu7w=RlxY5lQ6`@S&P2<-r%%PMEJE%#fd<8QmGWe1r^_zL z{eWV=2FHV3p>wg^N(HeN1uCF$LVEXj{jrQgP#RhP_>C-8DRIDkv zq7bI%1r-J9O+-WlDbh{kCeB3M4CXfSmd@AtiG0hxwNu=kVuY2 zT1oE0oh;X6ED2kvY1q48>8!r{McmwHfwPnF-1{ps9h2w!g*~O{Q}{V|dpW=|(grze zSRUv)Q7~BTcYPdFQq=cIW;%;;m%mt5(Oxgt(UueyEJn+)nw$lm>e6))5^3(*VYvY@ zpQcDO72%R&ijS|^KCttpYgtYsD&D$8rqEAx3w6=z2cXr&5&BPe;3uQRE6nyoj zZz3`q>67qX^SAT5HTO*9!4~D&YW_4fYN_(3YiYzD53H4z#{`OGY4~xA5G#s38P4yt znVPK5sZ*y&WZm?uF8SmPle$w})&>2cH+np5>pMDN~sR6b`y9PNBgDh;FOc?b{$RORiM0hPpy3} z)_gd|z3CGVABhS<@Abmz#bH&?@F1O1cbAA3K1sid%7?5GQkBt4kJz3!&|rg0{NZS4 zE;sQ{`+Iz`UCbLiF86j#N!brwYI!6tI#6S@dWZA~S$#+2M@B|6S5YhnAHEyZGfK&< zan|4%R-0NC!)jeD8u7Lwwzx0`pI8ENtjdyGHh^0p>^;Mgz)yP?kqFao=|@> zjY?5%z)|%FG&mBqrtVoy=;v7(k)eC272QOLV$S-c;YV^DJ(+h@wT*Jhpm`se6VafsGlM9{;lRBb|BHs=}oU z*Akp&K5z%Uf+Ad)o*M9RC#PJbp-X>=z`j%w7rN&V{?i*R=ZYkM65Mj;v9^{EZM>^M z3h`d``T3T+&YLJsjQ|f;aAXI&d`T|0%bpq;f6!MK`6*1%$D%q&lVX;4~Dn9vi z8yO68>FX?oJ(v49XKV=hyJ-P~mn=CpJWdHQC~}N9T3c!zhEpa~ke1_CIHMbRkW>S& zlRVdE5)?vr=!{V$&RdwCr=HD&NM%&mKySi_N8d{m%kA-iEG6gb2fKtP0;s)lejI$y zdq1o5ues?QJ^SnWejf*H*q~6a+93U#a1g7DGI5+Dll}IZr_pHO*J3!ZmU`Gd)Ur*x z>|Fy;#P7&7RUx`?v01@-+r=EQdP(lIyekiWD(6*y{Vk09fS|&7;fwbkd?A?hfV-Ir z&!L5i>o6G!5VE}6-GkQl7y!1Z;tl4vxZ}&lA>QeOl3D;w5UqHx84;y zAN>`LiIz@Ix}Bd_x#?0DWGnn030cj5T++}o2-)_|0W0E&iaE^HQOgHk3tFlZVm!j@ zanvr$5BIU$x~$=$LI&Y*BtwH-mZz$kw{p5a&XduDZhGa`L=zTqo@3K-nP}Z zHbCW_Ov!AzamDoAs%Mt4a+k*rs^_EDRdyCB#ZY4L%JrMVf;ty1+xrG2ohuKH*UQny zk`s2z>ex%Aow<8e<=~UWSdQfP9$andYA9Hd*bhDs3`yTF<7nwvuq+i!ZVn-2Oc!)^ zKJpaPbxZv}Jz9k0=fun7Q6%SehT2Yu!5OSOyQEq*=q8~hTbqA5;mR0=Kgul9_6))l zN~2J9++E}}I9`7RK1r6QHM!8if@4y`=4%;K)tLn&+n>Hdc}j}!@qjHgyxu$X_~z#3 z1Pw;^u0TzByIHO>aQ{+BH20IXNP)m%dC>n(72#o)(%=5DvD=Tft{ z>fQ}LfMnEFIw|fp%{nLZ=~K%}ws>leQ--^R!5k}pOdj`m-^xXZMP0v{cc1zX+Npom zLfyO!hjCw7i6uRV->>V&C!jJ(qO7b*@PG_?d?+A+RT`&|PJ;HBA+&teVcK zBsQFD_Ls(Du;0tQ&7-n?|IuG^c<3yfUY+}1w1ZEj;l~vgL3#nGmIZaQ6ZoYn>QTt{PB>EMii$;{0UIj` zoTH9+YI!WavUZ|ckG>cKZima^UBz>kb>7eL z`kbt^a~q6unwIL+O-f5^AQv>qugT&j%QoFE`I65>S2!)vQog6~=YMv1|60!d8~+Bc zdG%^c_w$Di56Z;S$YHm3ao!Yf9abNVPcv8&PP*0j6*j5KT-@(=t8gY@jr-w#(YXAg zn$a-*JLfpQF+G)Eo~+<4Z!IjWjm8yy;f4K{kw)@Rni~qIeg5(#o?XWA)h_vEk&^ii zi^YCOW&+=YDMMx<7|}7y{c`TkEJv@OmAgPEmCH~l2`9l_f3X9*UHb^Mj=Wd+J%Tvp z&wskkxwz2{kW1HwQYB5fD+GDmR2cb+ zzQw1mwAY-ZNzYeyH}oUV?Ba}h_+WRAEw}19vl!RQOO?GbuVMriW7_BZ_u5|`%ra?p%e_Mu$ODpta!MV3P zL-P)wfA$y_yLS|K$MC&W3YwU;g?OWJRO$BZ+vkcJ@23-c50pXAQyxF&R&j5Ki`!UR z#xTmwox~7?n8pPJFbP(ZvM@{h!C&5LF~8w0-*0kWr61C*3VC@zBCA27bn0Q~y{Oq0 z2&5J}j+XE9+sWS1v3uQ7nG&u`U-;kZW-D#hwAO!KFW={HUzxpF*AgY|q51tFji$-C zAJNd*aq-u!8WOCn2JG;8R8aRMw=z%{(F{FncwSNA9%Jh~vWHtCY!Fn(Q!Dp$GJH!b+ndhHZk`+CHBv?8mTht+nkhZ zfVI-mjuTza#cy{6?+Q3>Rk}DJP@L9SaHqdo;kerw2-=Hw0h0t&IzhWLVDjRqMN6{% z%3N!Lv*!!<)y2W~Jo&oKg`*Oh+QW}zCeA)RbfG%@ubun0F!#Ox!Ik}IgF#mWTBgZ+ zN4J;#%D+a){x;1SFO^`}*6UqyZ@cxBu9Lw+r9|m(epN&kc+VH}NUjzEHHzt7)BQCn z<%_y(UFE(#6@CevtCN07xw+!woq56!Ips@#`ANvi4K*qg-9>uO;#{1@EZQ?ohh@l% z7da%UL}3q6dhgC03#}Q}i?PvABgKDusbnU@0kLvvD#$Z(exf@9`l6>C_}Nc8qkgeO z=e*kuK%s;f*!H9&NrvBm|NHx==O{P zl*bBWBZbR1_u&MB5wIa>SS-ov1}W$mgxHCczGyKcy2#b^O{(ANZi)^`a(^` z$_qTnWiTEJ6gfz+it6j#KhGAHl^K$~cFf){^C~PE&Qo2BF>kk9QJ*{S5RZF_S?cj zX-a@HT^Vli+fyF=ZS&KKU3*n!f7`__a`gn0=Ds-J!*_HF?wDqcD-Cr+6BIF*m%|;& zC7X6>%TBguoAaVvN0O3uPcS!(B7g4fN&9-|VG(?S1le7Tb8iU1)(j_o`T+*v+jlUq z-xLZNbD}>ZPdC(L)!tkB0?}WI6yRy|Po`KrnTICG&ko32v#c-3)7ZM1Zh3C*@Mj`T zkJeK&yoMi2F#pm~)pWR%tdirm>xzDlc3(!e#|-OmG~=4siV=170Q)VoBUg#%ijrm^ za^8+!OiGAWhCJ!+e;{)jR-}B&cAXoshl)#c`%`{SqokF0TRE@WF{COwe+AS+`{wKU zvEzg!g?Q(+49bK6Cw}%alYTy+GeUYd8lrK-P}wPqn#DKfV&-Xe)*kB9k-E}mvJIH- z&b+icHl}nxr|RVitxPx(_;kgM&qCPewJDdwA~n9dB;4QmmWG&=HaO;k>~W)t{H z@x70UsU7Z4tCd`Vwon-^YLWru@TaKCeU%L9b$YWP;SkxWe`uYnn(QMYR{?6i03E!w z?Ol5OsjrzeLN(%<0DuXR8z+rlqH#rYVz@0D24oMG4VtgT86;&SWz@8e4FB99J(_Ia z?a*pkbLMUw*FFBLHSm`p`-@0*_NsR)sX5Bpt8?-1C%wu7B#RYv!R?`-VMMvbVL^6iHU%i;?0 z!!HT=i@A5cmU+#Bo$`Ey3E8ppHUjUX?HN(_xtkzXU9t)zx=5VV$ApCby>CQt#I+Af^L!H?W)5=?_`QbC72p?e)ygL zU5_)Xh$`2qq_(|YJ27Yq^X5(c+AF2NeV@F(bT@^UeSP<9(YN;ZEPYi$*0*`rJ-O4l zUcP!&IQ6#qM!LdF;KrXpZziUpwT(^2F_}L>jCp;7#EH8nI2jX1UeYoJH_~*y(KmJZxp=$EPMXH(ZlQ$Afy?3=UFyj#sJg8FZB4eUjwLc z?73o!!q;E+OtQ*6;K+Ts&Im>oBlv^rb8WhK-3wan1lTz{c3RH6WbaV(Mh_GG(o`GU z`aayoijAAxoN+bSb*@7G@*KT9cwuU8B&X@ewa!8A``7Ii&9r;6wYj&2`@iz)|9kU) zdQ<-Q0ug&vO?=OG)K7J@p#8T;?FpDk; zS#Pl6``eA>gpvKI(yr#q|1aFGWBmT#oBz}A{(n#Yccta;j^F=|%|AOfSLR-3Np6FG zQF!_)_}ZI)czh5zKB6VC3M(tS{r-}10{pc=! zGW_%Ip>19WpFpjDjB=UL#W;oa_;r8#{%zR2ys8Q&?i{AOQ5PO!RXkOhZ9fd|GV09_ zo)-?ZKBBHZ&Bb$vvMRw}3Wc(OP^2J)*yTu^+BXPLP=rM>;!YGMt;E6n*D6jnw?N1GR>`m!Dq zj4STtOifI%i(minc*3A;41cC9YeFpOg*t1}nAS-Z^NViJP!Q8adOp#-?{5P1^R`Ro?V`2R}Ox&hKs^0SH-_+%l5N? zaLSO<#SPL@Q!joWeYGk7ifCDIqWBDMIgz3J?Zm4t?&x7Q8}V;y8T`a(k>m8pYtz=( z_4jlt?I`}#M1FGByfi~)6-V#N14{G}gC6o;TK1N8{vu=Lf8PE~#>uLAe!P>`{CsIl zr!t5$1|gqt37*QWEzbzdQsB*Y7m|UtAZFk;p3~0KA9n}n7#~|#gVq*;>;acf#v>kY zn?-PcO<2M{r*_k@_;XJW#bas$GOrQ+XJM#sHdh|go@JJRs3LH9`!_f~eE4t}5Cb$p z8g4g>xv+I7+mY?Ui>vT3pK(1N8~XI}J3<5Ffpcg8k$c0KoIwDL%G3=_WInF+Kcp8f z7Kw73C@_bMf;b5H$*=FSt-1?mJ1o*d$WL-=8cNNZU)vAIhrNa~O8BKMJudEG3Bb$4 zz!$2W*SF1Fo7kQuSwr@);PG<0aN&Z^kcs5#T$*Ry3J`Y4>M9M~r1*Kc(diuN&S)vS z8w1B3$J)C1NnXGW$~LVDotagO~5u%wGIQartj!TceBDn|f8_d%4?Af9OVJF*H8k+$yM(`3nxl zLP;{GR=Lin?|!UR+7P-FuxSagDt$W{H#Sud-gne5T3s4#PS(i^H+W=|30sqI#87~n zIlM}vG?eeC*}9Wm`q-#H?gGH0_?1y3Rk%P$_A`wJ0{;>}sz(a z;X*{qn66L!!~J51@ICZKXJK0OFgi5f052o3=YpTUIqvIJ%+Sm%iD1GksI0X-yLhI|KZ#&-LPR=4GX)lOqIM9z3!s zS?CRjsM}3B;j`Ii5%DTZW8YyRb8)LKZFB7wr@G^< zuQ1yLgozZB;xtv<+!bAd2YxZVFSjq5*}(p?oE3ntb>%D9VvH86wZcoPY}JbcGCZ7v zDF;abp&k*$6$l(PtwG9WD=LSY*S%36dR$hvv%CNGPI};G$RO?xx`MnLzgZOyzh0!o2I!ve^MqFHcU`6y$M~Je|Ge+R-5%^x__*mphXK$SIOWbo!cn*e-3331%vX)SXw?owb!>ululT@=eKU zZleZJk3<{CoqlXcHyP!*y6BrKju(ar{kP-@@!QI~WG7F2EWvg;0U+8>vF*9GNJ&rk z>&<#kc{>>)m>VFqZDop`;t*%=>uD@R{@p$M;k*wCik&%eWFci@EU^p*pH1k3p%{G3 zW%^t8^^Z?xCo6VI&>tNgS|(C&cjb!`4_6bGYY4AU88A0D+6to;59zmg{S9c8){<%v zv6D^m($QkbHBl}D&s~gsYP(_9pp$PDX9v`_VF)X=;nSbirMYn(+VIiC#QkFK{4OBR{aQeno3z)r7X@o zTy=g;bbD~O*enJwUIG+17s);#I%hd0O}cZZTi1mj_chmBd6YrVEL2_2))xVb$tcHGycv~$ub~M$abFUbw69&X&ZVZV^9G{%1Za&bBF*Ka;EEIOs|;J zdxE>%?R729wc+hLB@CD0{2&tmL^ z9btawY5SVIwo2vc@em!TlOUguai2bSB@4|f6>@r=fTFPkM9+w=J;YeJ*4gfh(^vHL zBFJLqO|ObMLNE#ey9q}`OC`I~8ktY}qm(tz>c#={d-2kEc~S9tBMeKREmqnIXpygA zbUlz)2Xu!tB~wVm2vm0=*GI`T1J_UYXakH8ntt6S2SX~xEf=GtkMCfY&TdRz=c1i1qXv1(qjN#4P1^h>zuwWnBZAkfW>buZv zHsM*;CCya*=bCATQIsASDCxw0g<1TSeNRgKh$o*f`ifsEEGO)!*|+XZM&lN*H{yY! zuOjHsXmoS2ph4lW3qTJ=xvrt3J6qrH^+Vj51G*|a-ZUhE2^AV#K_N-ZtiHAb$on-k zehtVkZ2|{UMT8W-aGemWh7rrQZn(4wjLLK?ie-j$vy5RN^b&|n%TJ4Utwj{VE5)GX z=n?3;{qYG;`y3`YV206qJJ39PmrJ#0Q0DFI4}r@P&$;|{s|$5Av;O1NvHg_T96NpN8tktR4oe?fpn<23bJn zZIzhtPJEzKe7qAi%8B%`oR_{&2{;Yr1;y4q<-WsBD#CT0SeAuau?FBBRu>FLM@VqD z*}~;>DaxOQsx2NPF5ts`W(8=U!W>PnUCmZHv+ti=_h5T_&w|n$&4_!fpTBIR&5x^K znV5Qv6C&>@YpIfl7x^~lxyIpDjc>hUx=2KB2ZvflTxn^ z>ZZ*sJ6XjAiVkn2=<*p%$?Ap|y!z2vKpNd#CZ|xG$Vpsn%0|TAWpye+?_03&cZCH8%#yokKx6^ z81zN=;%;{r<}BYiCqo)k01MR&6BQsCe$rXXO*L8PF~fcv%LA2I zkxMc;Ed*0wq4MA-!c4u4a9uP`2ABqNiVKE5DU9Wmj-yJ(wUEPf6UAw%DJi#Gw1)1B zlwxLOPzFlXron-!mBV`Hf`lg<+DoKoe07sE4Td!{&Zn9HBbd2bgylZ-t&iT==@WL8 zBkgpf$-%FX23`|;ZsR!wFE(CaHiUZI9?G+CS*mdN5Cflg<8Gv&+02P*{tH+~ZNqIF zoIY`$^s3?~Ztx@?4C>$DV!(KB!B^Nl?z&2fFO66R#GC%UJ}P@mZZM{N?B;Nwr&6mu z=Q{UfcTdEbjf zyDZW!3`W{rWD?PSc37eH5Y)POCO8G+)}%-dmv6rb+)WjEy<8-?!4s>kg_+@}naq$o9wksO5VAL;+= zwt#LZ+wHqjJRr6%KEwPb5Zrs02r&r37Ul6m-~+5h2#&@jl5qk>AT+;7b79;#CR#1>Pbe|&Dt9HS3%17)GTwl{JaoG#agYd;urW+~^ z-g&*GY*PZU$KJL@fj3%g42!@NGREcL2RZ9 z$=Y08-6ioWzyfOSx_mu*V=(@fD!Z?%%$)XATG5MWKECc%#ynEk#b|{E3hku20r1oe zO?D&C%zWi9sC_B51Ui*#?}Nilh%ZfLln2x7jU^4~PK&CAO-08Qc{QSu#=SzbZv zJSy2!9#1VI*Zs=XXRr!#l1$ab_fsVdutNDck=|(*)E~k6x=0vyRl8|1?@VODrPmjubQ9;Ro%EL7 zOih@0)}z(=n{+;_4uKB0a5bP}1$8Z(>*u~s^Qe6J{5d#VrX%sqn`-NayR(%+@GcGY zQhZaq(0CE_hEGwYyJZ%UX>*OWe;UbQsJf>vgGL)!P3av8sRXX z%RBcUebqiUG?eT~Jm;{^i~~B1{aHXQ{n|P_)ot_1h|v^{pKqU6ZTcwVzi9!!>+mzc zEBUxzy(7=sNKT0^eh163Bi2f$K)D+RB-x7Tp5~o6R+fZl*IWK}#6bj4eG(EzxIHks z>xu$4^-R~lQ1(d(@!Nc6p=*ak*W;)Z5qp32$H>R6*Cl!a{!L9 z8u&yi=jm6*SA-0U-bOp9xZOYS-kat!7!`(Sfj3U|8AOPgT_hP56Cj<>PE~OZwq6@+ zC9KXpX{^ZKXY3NdEL>lu7)uU6ZZYk61zoUW_J-k5JuCD1Xr)UeXnrCQ=%#(kBC!{> z$8tciTPDE;O8}LaoV5~9B}16D#qz=w(Le|1Aq)-Rc?2KJeODzgtd(9P6Di8ZHfAf( zmaI2_Yxhv`35~%7k%}ogNLnDN34;`5TdY^uzl8cG2pL%gZ{NIWqLxxi?BQhF!xu42 zBd?YI5}TUBx&Wv^vm&!WFlg%Boqxx@^bJ)kGg1vLIyC0QA#ocN=SfnVsCO8Xo{gl3t>F$@dqXVe+!TP-?-Rl z>(ykR@u;D%o(X-Wz(b8PgbH{(MK|Y-&V3`FU?eKvu}>t{cW*X{{p4+|uBJX$u_eUh zB*`veg%5>A@8zI)G03berfhe))^6m7ik?ekR&^i@x0M0whsm+jLUsM<2q&8 ztDYnakS~&d@Pu)F79QZ;MGe5qLeA$g32MD>RtjSKCo@98)kRG%;rKEj)Q|IC?(y;v zJ>-1|LVa&7yr@$a`9@b3l#~MBL`Hn~P#*#D_?y94vZt}t`lD-6dx1P8MbM#9LShX&(pM?xEBD@B^{A=(1P*Zd*E>WBj!ecO(v8QgkL6;MOu-&%BEeik8`cb zhC^>8g$T}()qr46W3m2PhDiTC7KkPnKezA)%DB$nM2fv75N|)nGcWPuIc1$iR+d@` z7xnV2QtYLWU{Y@s>gQxqpyL)ujL!K5!E{^0lo<&jx;$D!UuKl8|} zCc6ivC2rIkgYJC~CHO8fMz4)}uB6q*HL=;M*CLE69+Z2Uk=)XKQN^ghGy-ipGH>wj zyJcaKm0kyd`c3a#p96=q{Sn;K&`X|*@0o8NA=X^Z!X%h&vBzS(sC%e|4iz(2Ah#AcAmm*N#h@-L>18XD zN+H?RmK`j?T*=At2eRj_`08arFLDgDX96c+o|amoZa=&LbvtlP51Gcro``tuKd z;D7vauhj!0>GEvl`!Tz3#+(2-0L|*AvAtGZbNTGLE2ro%k(V}V9R6%|JMzdy9@gFtMRxl(uT zzw+vbqk#PKbmBJ|k$*hk>+mP`e(>@WmyRD^hu8YYA#$WWvi>Smnkf65rtTmA*?;;c zjqLF9g{Qtm{#RbzrU|ePnPHBCO@AK~*X7rpaDsb0x>Lh$-J3Y{IRAI(|H+~H-=Y80 zwDkXrL%$~P=Ct}s!(njOa^tZbb*0BJ_m3Rmd!axKyjF=hZF1-`W~21E;p8>Ye|sCxe)6=%S>J>7h&TZ5A_54vp;>Lf0$YS#c*4A3aT%s#PD@T z!@uV$At`{@!n(MfuC6yu{Qct%?Sz-_j=Od7zw+w&-+-5Ha3`qC>(9QNfAJaraVHZi zL&sNSqGq=T<5gW14f?y8xgb6)<@ z`eSN(7S+ML=E(96CPn4|QH6C(MTMPse!|q$6u6Gna;D5ey_G=b3uq=Tf@tk>_KdO> za{er?k@%tS?++e2(vFS2q)qJYltXx*rR90-bk5CBFTPWHjf}{L=dGU773zMCSsjjP z0#0L=d26!HQ$x>{xm3d!t#x_ueIA3SW@!XZT-9$Er<_R;d38Q7pcFYy;io?yR@C!d z?Mn{UE#^AKsfFev7kgu!#G!! zuvllEDN>;X7~@YfOn?!c^x}n`{PSlov*I%|kM3ZTOwVezA6W&|CLvW)B|-dCjnxF;^(@l%HxtOe z+2J&0{hT?X1g8vlaLDFoHRs2y^P{slM}NhzDS`5?Lg@p!DPE=dgb2*$+Z6zOa4;qvZI3fq~hDzMuqf63H%{fFs$Am|q4KaCGIDdv@uuGaFw;{Lp6L zST*0>u*qN4Hd=mVSald?OMFWmZ)AaofK<5c{fNnd3^)+S7RUl2o7XOo1{%`(Wo=tLS6V#*nPk+qzTw4vTXadj7Fga>LgXs$5 zb0Az(GX}yZG8E2o?P8|-eFW8fGZ;8!I(-9MiDAIdJ;V=1w+rTVJ^7Mn+5RL{*eLo7 z1;{t{<2kK2=9=Weg!o9biEQUWO0EEQz=<}VXGXbY-e>|agEUwY&XX#wlX9A-*@LLU zqy}ixnE@J=Lo@GNed;Q*)l68jA_Awb4DOTaa~oa+a}OXk<{ z)YG^;t9H-QacALaslEcm1J`Tr0G;Fdgv;6miSFRV!SQ98jhLANjNv;`}+>w z6;;wR1tkS>!MSQiZE0ccxo2`Kv%&oFmAARiPcgX%zxa+HI|%XgT`F;kh`y0 zV8A>*b|B<08d3T`gT! zpreL_!bmNL37841-%r6$WI`%wQsMQi6kKz` zHpKOZW7GFjG~7&q7hu}sQCC;jE-N^A%X;Vf3)rhS^VLM?;ttv%c>t(;vY{kkIC%#U zeoxo=cC!Y|`Oya@k)teVD4}z=6Tp3#;Fbi-tuFLgzJdRHjUt#id?QJjnSE(mV8xe3 zLv8?E*M$OK=zA>o4H)Te zgLPvxfb|4Au+Ny{9svw3w8W(^80}`oaMBiu25fPBF^jck{&q?--jlsuVC)cdLz8Qt zs5jlq_tD5kw?t2;N@w*nJYY{37l>6&Fn*i4F^>a67!nFGF)mv?0fy{MFx>Rl-VOBt@f_-36k2Ru0!MY25uGT88JQ9!!@|@M-y`U=m|C zCPm1H!F=%A#TUZcwSZ6Ki#sDz&q}%Gu?jANHyXs&1c}dDs=)v$^HLSgZ9dykXWi*j zWm1?ckrmpfiY^`4wTOl?OqsbhJ>?AVu9cMN1HYTd#C?8zP#(_V1T!;YqeKH6JR1m5 z*YuV6A%E0N2=4f$6L{*mXOct0nsDFn-BWn@{>2-#^z`%u_8+u`iJM@Di{w=w&dNbx zG4jKN&#TCBTse)f>T0Vxyy7wlB%tYA=)UHLH32_$0YSMK#ab0QF2`>;*U5KVYsyz3 z=Xjg}-HH@&irq&9=qL{kM<1b&eVdl13ghiGb=ibseOn@<=}CJRPgVD@d!PH`eqAgC z!<`GrC^~{j1@|d`*DK1DfJ;Q@T^)Q_zJ;eT%fGAuHhqyDLW4!>{E`VJzQ+f~-)B+P z=nwBiVu|Z)radPj?YlMKXpki}sO33Y+x+&o*=9Y`SF8avhvU=s6e6Y~;6y6M3mN<` zfpv0M3BBW;c{pWZoAVHrdl>R@O8wGjbyd?i`xHaVc(ILRz0obo$VP5C%xIKM@GP9J z=AXHdhhKyAs+{3y!870S`STThz8!r5tH`2m7;ItdZEl-2AKG zkF+qL)id{^!h4{cRLt)%4Krv-Dk!84gc=*)-rP!*V_{`gk4$+P4@5X95#QAHV6$7g zy7cu4BX8dNyEvc8XZTPAEB9Fp0pdwVCnFTMzn?RwAPgLp$ ziZ`D{m^jzu_{YOB-z5R_?N9~|_h&AFlX%u-S+SS`iwdwpRu?#MuJ$^yeQ@!Wg~Pt| zwFlqBT?8wnF;~^&%D>WJ1g)7ncDz+zJ)65tsO!b){2S)HE9|L8gwk0x9USSmC>f{F zIR~wm$C5=n_{T$F#GRktHOcPCB>j9 z_i(5z<+$>uX61^mj_`D7P3Rw3jJle82IBP0!SEebV!j6+Fj>1r~SQ_|)D zvOQ)Eqr9DcjTr++$8jhoAeR$Y#q%T9f=i8Fo_YA)L`}N*8f2zh<9Mr-w2G%JXMfz4+;w>yC2dtX1!AFflhw9GEyJLUA?wqU;%%#zr!)MEk=(75G6lw~y zPPcWoD-TEW^Veh@HSzpjY%;^<6V#M5#Mz1-0)D4j{g*;+yIeLgB#Z^;wY)K*j`)MW zDw=KO$KG&`s|FckKs@(V(Q4q%(9@QeV5;wL3$g+e%^;D=VwB_33@0h|&I4Y)%*(sQ ze+0YxqYs`>M^~->QOIi(HIzH_9t{aiQ2#X~sAplv35JORsSdwfwFVXsaUn}X`e?3w z-MxGFvM#hIjk5o&$SQj6bjBHAn_Uh%K(O|hiO`8PBDHsQMIvqOgT05<#&B|%t@*)? zr$3(C?PFE+C>8u{pK{&L$Pp=Ovo=Q@LGzhFSGtX7FsM)ID0Z3I-|F_p1cW)m_gJky zgd+0KJPw?$uPr)^wwTTV8RfN<-N5xZi`0TcC1AeHTRH=BxX@zPcLdcKIfGokEL^|> z4tTyth;A-0ThDYm{zo7ChlFZ{s(^t~+jFJt%=5`m%`}4=q=T)Kof%rej!1EZ4#;ez z&@e>3{vuAOddS*3kQ2%b{M^pW(LnIt1mpIq`g~FdJFGR38np*S0`XZ>**i>Fz+*yj zF_L?N&=T+en9zi9C-F_IaD?nh^CR+Wiw&qHYyzENmN9h2DnQP=y7Vc?BN&7#8jcop z??Xbv3|*5{eTa$+26Vl16ta9j#g1c^*~OKlC9uRqZ$>X#|+;aW&3 z*>lpxg?C3q5opL~CKzb$(DgQ8r~w;Lx~t4dMluLREuYC8s{XaF$hsYI!>mf?S_Ils z^9x?7fqVh(Ul>|Rp_!tqq5q()3bSaT1EL6{mg8`VGab!XY+p|ZERy=73LxE7mrp6T zb_1Hw61budd6Srr`AnY{Ep)qpP1ZTRts3yyfWq}x*;Do`=v~vLbhIiKL_l!{Hz6M2 zkesS|9W5=bUJUc zWc>;kL+`vOkd*DAeP9|-oP}$pcwgV`odtA(=7aT7L_AthGLe*c#PeZqG6DibQ(uN4 zwq{+VRF^%>8G=fkn3-@fN*Ra~{2fsK z9vRWnw^c+?)+f+ae_!Olf(jDPno4MgwCxqsNnk%&t+2VT7fcLl%1Jdi# z$hAN+zk{^^GK4-h^i*L<2@F6o zCv!0~GR~7%nYJ*W#A6j&e-lY(HgXrmO@H849O_1PmN0}MBtR!(8s`Q$;gOBiT)Rce z$LiyOqbPw0r{>Tl>pbp)3tVFrBo!v8r`ggP^$>Hurh)mS2e!KP=-t~uF*ViG2E_#S z%D$evMzoGrHJ?t!A%lhY&vox@3B54s`4ECHFMVCW)siFF0jl-dyfsp9M9JZ$>2a2e zwFtOhE251ViB<`FF4oL8z|JtDha5!p1WXD2+L5W!`talY^nn5M$e7TnbS7#{7N~k3 zHXhWAHiJXR>%B!U^qE-wZl3uS;k9YuVPrV~A8r^p#+0VUO6Xfup-9Sj2=x?$v4`TI z5&x9F5Mg=x1wSbRB@e}-B7VSdYDfXvhe>G^4{A|6h1Vkn?TW})MkpDF^H;AID+LXB zA%uF;*!_%U{X#cH;n;uCwOn_E$>zbfEBY@6Co)XJ?$JObJmu{}BN_vOAB{A!nRZHv zWJG*~yr~C&!O_W&4QGlo!Fp@za_J`@TNWzsTV1G<58Y{=R|;Mz0@*@aAnA?q4hRTl z-0+E1)HVdfDJkGYe(`(5YpQ~Ok=P)0(XN_O?hjUwK27o1VkToR<6u7;a>O{o+MM|b znEW170Y9eDsku zom1?C&!JdpcX=VNuy)Pe!V~~1GoJ;;t5=^zTI{}VF_SljI&>W^y*NC=P1^G@Ef$L& zVLOI;&sf9-PL(2`Rm*r-3lTNd5ai4Wu{1LS-Zd9Stel>4y$6e8hjq7967wOBXM-aKgUNK0<_8`4^pjm^6HS~c8GCxZ4|>^1 z?}bMkxNwi@r!lYc^K#TcmFuxsWAqxVrE?t%YG}P<88MgP1S2y z_44Y=rSg`6vGZhPPmRdxmi`zPci@lu4?{L;0z?BjSPw9ojo*AwR-Ddp?B*rMP|P=( zm?qF_qH6IwdVfGTIS3j&IdzATXvj5YZujkoOH=N;^hYhNf0IgeI@WkL|J{fu6 z{T+MmPiCPxD7|k$St{uY*W=p|`l3i`P}`t+P{JT@RBTcbFQPcpg6G3pD4>l++aH=z zXWmrVxqy32pF8NnthP-637PJYCZa z_8fYwuJw4daR?M7GJ`bNiX8xMvU`+@ihCdFd-QjgUl*nmktrJq_9XY`3j@j8xG?R2tfl z@bWtetFC8gMab>zaOs%cPa(P02mpP#K`_JApImACSJAFN>W%)a*}|*Dk^}dPg;U4c zoAVrR=l%ZH`~?BA*S!k!qINbglpmkfKlEoW^+!MYhX?CG{5H(L{Ez=V5C(20&_qa$ z+y6VSf8ghZnLU5_nf|@E`3K*mm(Xs=mYeUt{^7^_$8TlhYVoH3&O?c%2Tqd1h8Mj5 z&bj;7-^$&)@{~V#Uh9!Chc*HnZ*ceKx?k(RytxBk8)ViSOZz{kqY#<9F&_x`{_i{) z%)-ph{~hz+pV9vv^FK*`|2yXY7>oWF&Hp4B{P&}I8;RlRVO7|wv&+i*zQynF@E@nf zfBWCqV3CTU(oYgl(QFv(gZI_7gPz^r^ffd>dc^=wx6*x={cpeOzmO`1o}DnQy0_m! zZX=?}K;4gA9+AG@e7Gqdwoa_NzrLf&y74huyUS@O?aceEH~9apv37l)aP zKDTrfIaxD}I00t`ZJ+^WWMScwn#oYc4EXS*SG8pB{>SU_9Z zf?5@6{^%E3p{rz0yC(f7vFcxV#{Z=L%5OxgvA+KNxuxZ`S+vU`gKY;rp-~d_;8=-3z(0%A;?A?RL*GX;Yc%Z>JCARy^_;lf|cI_RE1;>@O+9A zBedNi!w~TMW?i&e&VP5&5n;me9pn+|p)!v{Dp$~8BjzL@-)gAeernYs+Mvr|c027n z*#2~bB@eIV%u1yp^hu$}YYKtt;xScuU^VEH zFRzLG_~nXX9$IU?o3+M#(nOg`{~3&U5Rhu#k!@~{JSP14Q_t$(?X&tb>7C z`S^Et<7tmh6gS`}>~vzU2G-ReqS9AlF%Bp?mR&G^SF1J9?JY&3%t64V0pJfdtRE4* zvAVoCoZD$tQ?FI1S&O!0j^PlaGK=~mhiojHmoFS`Kxa!rTKZKYP3>(ylb7EVoYDzo zx$+8>m&LV*E352^faj7`0uV~pmzC&-8A%f^_P+_Oky8z#fAs=D73+x@?1wcIx|9`9 z3H-orapfP3__55uM1N7Dzei6BU>R4~*QM@Lp!gFBa2WMfVKwUUyO>ni{H&cZt`3tG ztmZy5H`tR>vvGKuH54`{ZvNCij+uN5dIiAJT(ss5;1GkC(xq8;Id@5*JztM`F_RXe zEl(kXwa9RM<`PhE)tEe50U-{Lh{#fv6DeQea!$*BpC7uG>E<(nJPuOiD$vl)93%$u z>aQeCWNEU=B0^{GlC?^wLl{nakB7j~&C6#SwA{aa|KPS!%$ZshALYtYl^U>itm&Gu z7^KNg)9~v)+uEJ~c{87|!(DpYRRjpae(BdJ^uVe3ZlH++x{sMpmBIazsG4x>dFJm6 zw*bH9t!L~9g0<>*Ry9nkS{^+n02hQG?U<_Rm`Zr@f{R|VR_59xuSS-#%d+$rZQ`{CA%z<%d4umyDnq>&$i<@^BI-vMwda5dLzdF+d zv$1&A>(14Gbs&C+w`7P6I9s zPZQU_pUQs^$k^13QF`CtK~Df@>J(O)g!G>Q9%u7z-ma9M0;}tAU<0BEbh^FoY*A2A zr|awQ2SRtv+jb|PcEv=4U|`#4+7OC`6?U1dV!j4601r27%3$j7{4(tBi~=&CT|}NM2Wl64OyP9JI=rn@SK#~hgEKA{eJvWsT*|=Aw#@B-*-tF??A4}7J zkii?ZHuKR&DuwUiIg#tb%4{=|=J0N8ErsQzX5*!Ia$!o5fSe(|jElp)eCLUnu#UKL zN^0?RHCLn1M4bxV3i4pu+(^v9v<93gN)_rUg(MDmV|USCne8btV$ee?OFPnyPdSD{ zvPf2q`aV=dOgNm9vw@wRo$U(b7QPXLNnQ@BhCOdzX5)qNNtjsvqBi2gHZ46Kg?X+( z5n(jycx&cf)ebzi%d@I5Z%TA}r3Q5|?Bvtl{_twayfWQlj%F`=waS<|g;e5_HReVx z#VZ!|>oQNfFhr=W_olGj2O6v3yI)wPEzesc_h29ujImj?rjDx*CZ(j{Mm<off`<*5CPI;1c`QktyBqUCEap;iYX=zIZ+VaPaT7Cevna+oiLkvrQdFpr6$GJvCpDHXn6 z(QePR6`e$*_WzH)HxH{h@BhbVnsAJ5LS;}0L%V2EX&EG>LXmc5Qfb$wT|^WysL*Oj z+O_YUM4_lu+832JEl2BV@Ar6hf9}uynYo$!o>ABJ`(D@lGuK?R9Ot~>uh;YSd_A6z z<$_jq`_-ZczK5$=zP_>l-M!KEC;;8W{E~@)kVa=Rm$S#?O>=q6r=^45NIxJ}unguu zjaPc%a-wN=vsfZ=Xts*Dko!ENAKc5!?0Sr4t=H>QreaMGwS_PMOa9 zThrtPM>Rr5e2ezK7++%MDiw>u!oyEl#!(_W4Uml9rRwf8cN_zO$alSj83LQws!elu zzic1|i^N-ui+hUBeD#M6gBVB>-ifA#_hZnnr<4g_@D7k)^_vBSfwb6rnq9KShVfXIc%Y8Xz!guV+TAUv|Mpzj?5iWOx z%F)U0P-~dF9i>Huhwq1>o57%(qOHw~{`QV-$F9vdl$?Em<#9^!submN{zY_kT<7e; zZGzJfT72Ge!n!0Bc267SQ93PXx^Y>;u2Jrilt&a-5b>%C^MEH?6r|1Akedt6LI^ZK zy0y$I8o&Oe;D6hR_>tbPi#rgwBNewzBN&GAx<90RD3Dw6LR3thTsjXht#d^7wzXzvkWy*ab=wx|lo26sPRBVex z^hXn8bp4;tkn^Ve@_ro0YAD>Q#34NHeMZK%oIWhHI8lsf1M{w~@+GZN{wE`7`4|!Nv7B3>ANhD# zU9uG-+yVv)QTGsMDqN{~>r~vn-IJ|tMxK>@>7A|_7lxgcR$MU7doMCnC2My%6kRnb z7R__!(-(XsMtY=6I^cxd)eiI|`R4}UbzXTwwg9*UsqOKNOg5~pj&LR>LJHOGS{)fo zbBA%C_qGYa0Tv2n7IBfjbzzK%L18;Sa7DDKm2~dLUIx$Ev9`|aK_wyf-l_+WcSzte zqkzon{Y)E*V~UEGB#D|_%{(n{8`M%EuGYCgx7o%4ULr!&;_ z+q)9guOsDusWhk*OG=Pft%S885?wi2#w3;uGI?2Xv3XwhzxXt#lQJPO5S;k1NopUY zIQeFr#7SD7il(;|MXF%5e@`T91^5;v;b_OeGVG9*8a*@=(4aD!39r-vSP(us7QtNr zVM?i@%V_Cq?vGL4=2y->CApkeCS*S~5*ZjVC*)v^weo^UmS?#+*nTp$>^{e=te!0W z_LAnIv?kPC$=9>cy~cb$&2h0be0fY;Vy{^(oe-BnS&aK811!0YD?g+xNNpp#3lpQ;<>)1(3bD1eJ`Jz{B{`w z9nf8j3I@Wn3MH>;S+DT>eQT@6yaEdB@-qrT2JMGu2<3=LJ=8~QTf^r{Oq22 zf1l}bih)AY+L_;6{zn}ddTtWU`_kZ+o{@%5Ju&w^CIe+kQ z{$4qM@NnW8yq#>?gcZmHtsO&_w83)qQs|_8ByrbBfDegeyzQ!)jyeE1dk7RfHt(%o z-?;X(+{Sd7DF#-B;JCPM7k_v|uOsg$B07x=It;!MHjR|FU-V|Wm2&M__P9MO>`exo zD0s?f5D^e-Cww1kYoQekz7MC90Wtl)iOYxczQBfiGp=~&b0&s<<5%bqab6fFF*&g1 z=J{X-`b1sEDcbEUm@NUK4OjBJEd3llQr4%uQc~AH_0WuMP%s;q`svcPC7=o%Q63mq zOjv(Z)4I^>^)}4H7mHfiH1tO2sm*-z?Ap)VE&@GsE38EPX%ju2!P1z%t^0*(ln(3r zhnUY>ed_67L*fAk-o-cz`4Nr6#QS+tdx0qHA2% z#+^+EE$a~=0-|_N0By(dOs@pOm8^j3pX>&}6$;ty);jyns4A_TwXIkCk>9YLj4wM7 z5LQ)rhMj0gOUckTs{zAyy^01f7)bO5tC5v;NTNg$)MO+EYMYnD3-P`Qnv0aWJs1dg zFU? z`7RCvbLHnH$ID7~H(y-IwyEI2R_}*5!j;1V*92Jywk4pCnv?lE| z={HanPHkj}z172PaO%|lAm>p-GPCi>PNgV~kpxU6k)#hkW%|Ju0hoG?)=YUUKbrxy z745l0{2p0u90ier$cTM-)op5TlSM`Ri%vArk*XZJqnNjK_x0ockQF&I-!o(ShV^HA zmx=NcOgKtDzKf`lu#N16IS)SxTN?zRNYU`T`n(^00`b{dlzRlI&YdK0vCh+?cRYnp zBjpLj+4CvWdzP``e3h&l7Z&BYWV5?o=#|W0XDwh04ONxadT?>(r$0!jvt-w=`{Mw;@$w6Cpub~f7i=IF4M7z*Dq3tKlvuV zw(olSid7AAj9t0Il(d5L>z;9Ch27R>Ut@Wne@bTf1Ut`mR9+tGtv$IT)y~?nS{Z&R zYwDT$wu8GB$=12&vO}-Q0YnBb81>A~hDDry+iN;g#jwKqgIgx^n$(SAo~uoLS~7(Q znl82z{X%>x@6Wy7cy4)rd~&jnzkE`dC6ImS$6+G@5$n?}3{Bms~fgX_m*ja4lA7YcD~F@vE^ z?kSzRA*uFjYo8Np*otL7y_3xqHZFE98jz-|z83Y)M^19w^{m^aB_%f|^843k@Mn1g zXk1>`n?c#d3FWr`2eX<6bV5SmDjJHkQ(#rTxFUrPvtfV9A@bCSuvJW0dqt&B(GQBNP49{c(d6}1ys zQ>xo`PLS*mK?I6NvVD7&WKDqg_R8J1(;5_ksz5}hm}_j-v6VaniVvrA>JhiL+~hmd zo5SoxsBOG}=_B1!dz>Sp0p3KM46F~H*FyyRG}1Y3>QZo~EW6zXnaw9}QJ!C+FKsw{ z3qi|E*PZL7FaOr%5Sb@k*qY~XWog67n$tMDLLru9u7eSoLXp&zV{c>%u{sRBx6A$H zi6+(FOyXdYyLuMhVfTFHI_XS zOQZ8!Vjyb|%_3K8%e}J}RB<`Cs);e`l*1?@y&MERFt-;v=QzNCmGPWb_NkEO2Ih6(TeK$U1z z&5XMQiD$QOzvrQ!+n^t*KB={S`N7{~=wA;un{%MQ+qCrKqcM|RlO$%lEL1Vb)J~0Y zJ_?V%k?cYBnon6ckM!xf2fDcTqYwTF1G=NvTnGyoma6*Ql;cRU(X^P(wj-`YLk>jr zI+^56c~T%(Bax7l)S4XEmZ1L@Y2NHukzJxp*(_u2kKv(^P^a!EV#YVxdJM>!~4vj$J!Ze6Ch;}DbaZAD{4!!XM7)mx5B4~hKRU^@%fw?Nz%hLr6en_=q1 z$&g2uAIFYvgu%BbZ8ED)2s`G06ek%cv{kBSw5@gz*S%QdqEVaPe&5q$6lN)&_Fd`m z=9#+3!v6KQkN;NntE`=-T^dUi(Gg z$8>9n-?bE*h;8c=7Yj&K&@-)ikZA{lV!kv~rekI4@g=|RTH*cOyn==Uc2amjydvBT zllcu6k?*vwAD6V7wwy@Ets(1v)GUmqqNGh~7Iz0SSAra`hLln@7@H6a<7A0(G>Lmj z@hcC4`CG3)!oE`;6Mr?bH8gFi^i;JOzeUrWuIhv)BsT@VtqG5PxrxIa$SHCpQ=Evi ziOVnE_>PCq?7L_rbI$IPhTFI%!po}oceZjop}|{MkJW-wg&cuo7jNR52oL1e7JG<(Tboco7vW7N7 zIKA(5f4^htEZkNKiG1);>34Ken&8vPo`~daQ-`L}!A>Q{Ai_3kbQn2La`=ukYf1jZ zFi2Px2mSwvu=&`rRrjWm9)&*CG0`b0EshiTf(7e;m1M z3PAf-8aK`8&Ev891b$}tiU)6nTnlqPr6uXo0*}B8yJZp9FSWo@e#Q}p?Na!WPM2w- zITO)fw;Io*W%MhIK3g+cY?6L?Z89!u4{_u`$N*BtG}#+d=fc2LFeP}t*|L%l1enHE za0FlI?ygScZh30J%gf7|=OgF8uJACQKo4$6gvviA1BPk`)ck2XBJVq6bUA<+#h=JQ ztO-i|G@%^FdX;m(Yiua^)jJTmww4rQyJT+Ho6xf7pRUTVvrM(qa3Xr&2Km}y^x|IW zF*84-l2*llO7+3KP8>rR=ZgUPNT>;##F_WYw=TWG#IPCpt}I2wP2rF>Vk!X(u@Msq zhN(V3Z00u+xkBan1^92syqDyK!_8m31Oa)C%T*Yj-N*f1d^I(;nn_HE0K5Z{xo zE+e=BwEjY0Fa61phdil)N+!3*tNDv7E00<23I0I1s|ho2K1lJ8mLBZjJ3bk<;MOzZ zZy8AB3rgA#7i>fHy6S5WByzqgC;*wG?-UU|J;t*aEu*UC51&9FjWJ(qAN{Nc>fXxUU6({g!H1SfQ?_=CN%tcJJflC=7&COnir? zD8#Gr$z#m_ao^>x=KAc+?RS^WKlk4#s00sLv2K|vW6TFxk2>XS4>LMN6W7uegx0@& zodq5`DPFH~Ms!m_JTAk7k6ex9R~s}UoHz+ACqiGBz(@Zr+2%CrhX#)P7?Xnv?{IHOZ>3g;Utx53KGATf8UmT5)V0+ zZeSMqyX(+QfRO7xB|j8ok>EJEn64hHD`Sr@Xa6C!#r?xmJEj}(+48L$MPzTmuDDSE z1|C_Xqoa`oULuZ@_ocWvIUzR z{G8SkBqf{UHt(pgN%gG;F@7Rc*bLj@=*+cL?&uVb3$}{hcrPs1K$9f?w%zr|E=%Xc zonTa~2MF`R=^8n5$mKdgr6D0wVk{A?WJ#W<}6@Q9`HT?HeUq!(s4f|wEIaq*^gEgIs4f3 z)ZQVY31V~a>z=F*aw^@kjX;!ZCfa3*kqIZXK1n3r8m@WFmVS5dmY}2Z92z-zd2L>K zc{#@ibKpgW=vVGo-zL_SD4a2}oE-0CHCV7T7O#=?=U8|eLOW(1`xXoBlM^r$-YYfP zdrj%K%qwbDWj{=7;%LUm!edq+$DQYvlRI<3%0IV*{+o8TnxdR+Xk>FeUHFj> z*bR4F4E3+Qfvpp^Vuh;(*%UI`f<(lHD+|}?`rA)3m%17+^q2eQ{5!9GTr@eP4M zv0kRJtwv`MzU2gxHs$LFIr&^@@(v=RuFQ1&xjyL*@)KwzI$~e2%UQf3L4YfFoG~Xc ztEX1=ur}W8b()P5v;nbayLX1#QStr3h~gKj<@Z|p)NG7S<5zfBTzs&s=4igFqX7T8 z=4x(o!6OZOHB6IahBYLG%STXR0ysYK^S78MwtEh)x9TQ3F~FiDPdtp=DAC7aIn*OS z25PE*C7l1W+a~c)k*ojERpnw>k&qq*z1&)&sN+1hs{gc@KHt1KHVK9B6uK*HT6?Vb z^?21t;)B$YiJO@|Mb>ea)vJ;LS#(!S?`R*&pD*pW>BCVHMwz!ITfr7U0 zSnoDwy}k|3M6mr*amx-UJP8!P1g-cPF}d4vzpqH!*W&{UDGy}+oBjAl|IKoSL>c*( zD+`FnD#;opSat_sUwucX1w)b2cxK^I5))E)#-;peRdo(4|1|sRKR>BDUh`2yy}Hb2 z@s1O?FvO2DCIu}ZchVy&zs37z;(%kMtlo4`2msj$)CKXLi;F+^M--a4qH#Mp58UM) z$xA+3{bnuvg>PZMH#p5buvy@1Kj-r=^1VL`VkQ)*TJAHR7etyZ*TALleNie2-1YlK z_*JdgKYvSG0xsy5ql03rXJKhEQU-3};{$IDt^VA5{^xi2%kO1-D8wHDr7;zaU;R;^ zdzitYxRedvN@)Afo9Hk6gltg=I%xjRnTus-<;_ZLgkB`{p~Q^4U`>D9LPMZpZ3CUw z+h^s?wsYd+B{p`8{)Gqop9z!Z3LwLZhib<>WBS~C|Jv6ft%!`wPENz3nFk|DL9kQ< zF;{fLp3Un&|I)uwE%)Qx&@vIaC|59>tc2snl&&r!ERwA6u{neJUQV{+w^?y(a z|Nmd=wFgEN|LFzr2YdYg^|F7kMrldkYKBbt_vaSy?S&@jbZ4yD482udk>ET}&9C zMSgP(5Kn^38P@~SoiiQ~7d(IFi-UcPv^A}+x{4Z4w6`^8REavY`ot5bOX{FV5Xr6t zWUfa=+i&W8w`Im@LMTY)C+D0h>Nj3=LDFobAjj&diLmfZc{^-aEmR2GtaiZj7ow&<3$+qeV-Mje<0>?heHo~-z*yO_a;%a8=U89m*R&D=5!agF=k1wuX_M$nqiIb~#RVDx!0DTEzy0rj= z?(k)N$`J(3Oj&&_xu_G5otTevmODX#>E$pobA^kkT@(MVbw!dtS^nYoYtB5A=t#0GGRmt@14nsLs2h#(`yA6|+L^UoH3=%#oe z9fQy&7W|68A+Foj`Y#*cpd1&Rxnl>7lv|8iUs=5HIG9B_@3|H1wdNjK+1fRbS6Z0C z%|J#Xr<)_g91x(4w$|lfDw*j}F{BT1XSd%hW3Hvev1N;kO+9PHY3;~{q+0W5iwx^C z>`c<*gR_rqa|WwTo;p@XBk5(=R;lz{`XQ58%EwTidXB}q1GvC>92-Ze^B%+yDRy8VcUJMmc>!2iQs&LkQ32d%(g{a3|8t{LeL$1;LOs%n?TS;cF!09AR zom1D>Kf_>EyK5uW7I4;b>gmhZv&bIgjPCZP@E8Nw9OE2&-VZr*Wxds`tk(O|-JD(` z;|nQW^_k-TtRwjh4Fsbm(JISb&(s~7R-hN>R>R6$s)vbH)9O&V6Oy?i+fnlD-`2wk z3Ul-{f`fO%xqAaq%F3+O#6ivyN0_6=2i)>=`FAdUumj0qRYK*Lv!7*veMx;8!CXNA z^uECL*J%V91?0@hFi83hA`M<%iYQ_qZZo;hJwf?dBK2M2N)*eqtPO z53`mjKJHHgzfTc4S7#(Qrtf*I!?>h%<4$&M480Q|SB>O8$MWn$4x$~e^uKGvtEWR%!+DnL;kbAExf=Z0~_c-SZdR6X+6D-Y19SLZ5B z{@=3d*xTI!`dv+RaT)SFn2my+1m(H_lRq6p9}*nVq7-*L^}dCNH?-4XeK-9s?sXB~XJ`;wMhOUuS{1A)$? z9URyBN7w(bW#>Z71N-1ZxBiqO(f45{4%zSWl^A6;SiBjVoR+Q2v~_ZH=2=YEn96COR; z6c2|5lhA_kNjg<=iNwIcAqR{R#aF8j8Hzt%J+9(xbA_84fBL#^jnMr}FbJ1Fbz<{I zTf&m88|CBUbH6U>G>DhWsTl`uZ&?>}w2L#a0>hSCqnN{z+79%=S-@e;Pcyj4*@&mc z?y)|fz0p_W2CSVW9JJ@C24Emom-KFUneHU+wM(o zZVNnEK}T!BGI*L~;*!&t7^@lL1Xuk*8}-ocrD26Ta`5YtR>q5lPtEn z{Y)CSeJPSV4jF>NjLVm??J;z=9+Th=vJQH2F)h9$Ma{~}T5(iM>KucjGDl_XxV*nX z#@H+rrUa62=;X`Zan+pK8J*7OP);Nf@JNxesqQ1=WGOJra=d4V@W5E5gh9>nGg0ee&0&lSg)c5kD>lkLxrAu=6U0QwK12S z@pOA2WT70NWR_Njz1}*MFo)0%kj1T*X4PRBQ&q*lbez@I{1Ar*i6P@W_nt7u2fOPt z(<$f4(5{>?YKZSllN##EU}8eT!xid$OouClYx(m~8~BOh-)VBBt%HPuFuk-*3&H5` z7{|~Whq0}4qO19nyNsp2o4c_6(@V|MSgt&Ho^5?A=D z=tgCbJ1V&#!G`dIX6_)mcLgXzURN`1uk zXQ?=;0!q|I(yzF)Ba!UP5ImGT>>1bQIhYz7^Ndy>MT~S+lAPbnqnECH6lGf-FV4_) zAW%5`k3hqDWkf)AnK!oz%Q6lFvqFDS83)1$a{|eQbIE(Zt$O>3w7|j)#3^KyG99Zx z`p4%ija!vx2&f0DWd$@*F`OdxWxvwl!*noKA@A7=^NQsV4k4RQ)E>DKET=smTaG`kuCBH!;7ztl=>g7C(U_UiizUQDKM{osU#dZJ6bV@iOB?l+Y9LC8 z-0Npv1i4J2{dNp{aIUqyQ${U#M+c7;{p+VyxHg&j5jq8lUG3qY4z8NcwOdR2v1)IRL*_`vs z0!s|er*9z4CA7K3$tf+N@XqZ790Ek%*&l9FrG=MeBIs8 zv2>C}x>K^C>>zPIJPG`!7i*xwivN^GSxqt)<3$fOph({ZNw(Z8IENA=j^rkmQ^ZHM z49cD^t;uWV*AmkoOm{4VUXF;<+n-=!yAML4S2+_PFsRjX2gS7W9Kjn&wQ6vpGfT82 z-rrX4k)3_o4py!OZz9=??Aq_Smn?Dqbe_<@o1BleJoS281w{vxMLyA4qaSsz%*HO( zT=w|D_np-%Pg)Z$nCIF|{%y7VNvXIqc+|l~@)3#hz0bdrDT&q9t|bnu_H_JXD#?Y$ z>X8v=XeX!EocXPd&P*HVBW*#fC&a$58AHe8A#e!Wn&hr4g5Vs{?gA!y2@Zd*QI0bH zb8~Cpg?2|9zMCGg`f*II=RxZY;`Uj1zS0(4A`lFT{T*|2wJ>4V5lw~1mK?{ZV=<^S zv>yC1iXhCGrXMKxqSFa<&{3)=B`=VqL5!ZA7LZ+j&7r8p;^QndIQ|*Z-LIAi^(oJ3 zMcn%|g;ve&b>bpZ@pprT&xa{CHMmr*g!gxn2DqT^1$)+#RGYXl0W(=aJq2M|VP3W@d}_NhzvfTk$VbY(k0hrTEe`>wV|_caPc zL6io5j1nFYcaJRUCMQWR3wv-pr}-zV;i$603$qt*Z{3bx0eoXeMNodlowcN9lG6cnTO*{G?<8Y)ZHenTUpD|&J~`U1Oe#RCc2(?r5s~Fyip(G3ZeJZC7?Sq z-YIXTMfAE|7k_zrnd#+0T?!SuxZS`w~(#py+iv#ixeeKN8(GJjXT9xFva*pFs5#O5CWk?hRJz$VRx^0~K z^X*!0Y$PbXJ5Vs^JCIi=o9d@sYR@!YxF7ZV$T0sJGUn{2cYZB-MS}lef5q7t7h*46 zBsH?bPFGH@!0zoHNJZWP} z04XV?^kF-fpl9c*rMVrR`=@{Be{5XaHG-4+YkHQhHBb5;u6lyge!{q77~&>w2wysK zeI%KBLc+o%qwo>LSm2v?gmUhjoRv!fvZ5P0M()T5S1d3_Ny$~51!6+5!<_JRTf2yv z_YEf$4cGo%_zfeyfdM!EJO3%e-)~+5feR`m;x8`$>F! z-9lr#S^4y7X-dEvS{3JP%tWPw{YWC)wkNYPag}~Qj?^?;=M4SO8JFx#FH2K!|0>>O z`^>xp$lr_pvupi-H}~I*{@)?<|M@3>FZw^|1plt|pK1F4aq9h}(m$o|uu`59w8;-v zQj3i?lfNrzHq7}(;P$MXjP^m&CbXK8s?-M*`dA}XG_NIA2T`!PCRPIaQ}+t9=i8UsHuw#lo@>B6(*ob^onQ_JxT^TLk1bkN zC#BvUG!?^LLY-fY}pSRYUKHF!DL>`hE{@7LX>&*Z8AHSi5S#HJ|k8S6q2UE>2 z@%Jw@c{ZWTKX`uhA!THhl!XTCLQ%LL1;beOSv0lmOCV$E>Hb?Q`qpWr?Dm)a~nbgH(` zPetr^m+(gKoc!KHOMB#%qVtU=I%HRZSJ}jqDrocr#^&&&U@pkOG@99D(JXwybbLX$ zLj_zIYmpmTQ@m+n?as+ZOA6CCYH9P3z0f&qPIW|@jYd;f>QHwL5_Y=`yR3*}3$w$0 zQxgqS0nURF+98no2Iif5^!xkLA0LnZdrtnr-)yI2m0C9j1RhAy&N6lzpXi^mu)AyV z>e9e@s@5j!r9HkyOnts`DMP}pn4X6aDI36}uw;`r&VNu~|Kh)L>>!u#Pv7&Uo9NVuF*bbPfjRKuGVzgV_OsfmwL=s_F71+%D+=j z>&SWrMWm@71X%k*(_i$>RkV%jkuwJ*2zS9lz^)n08~OEnuDrZU=JMAhhK{8*UR+fI`~JRl zxr2oG&|AA1!A5dqJZr%pW2HwOsg1!BB2!CMOR%XrklD7&W{8OM&IFB!8=IOczyalF zn;}P2hl4(`h;l^tQRlKQ^fQ)2Wl4)DpPU zd8zX81TJ%34HcYg9>Fe95#-UOB3737T#rQbU){8RcCuV&r4HVkA;50-xu{cZ-8*nJ( z)ENt9wlt9E+T^Tt2mUoIg+9qDQEJ{t@W%atVDX_ z<29LYYKaaX-um3^V~H_NyfPGZGajZ|TjUR@_^%(Ts;$+Ct)nP={*X=4D3J3P%308V z7(*5kv6FE}bNz;x+GJ>%Z_OL;u1gnjP^i(zBzE}(D2I=a(X58lV~eK*^RBJYX6muU z5UaVq0WeZ2j!u`_0pL83YE09kIBH{JV+C>pn-|($&dwnrgp1(0M-%Jl1bwBhIcK6t z+-U4-?lumCC*#i54tvd{%xWZL4So@=jpkJw zR~(-;=}9L<>NY-sTbXVLMZ=-#@}?3@8a%Qnht)IAScFGS)NHaqEK4Yv($O7uZQR+2 z-=;wf0|vke4W)>a;ulLZipfk`vGnIt)Ztuyk0CO1A?9Xe?3YCyOQ#mJlI$;|24bcs z_ICT}4}0xf@94)(4!?+q$+|mnAF%(_4n9>o%(hEW(E3hVNGu!UWie7Bfj}PG?0v#m zoK^^)V4>0Od-Clk!8*B-BpJ%!MFwp8;+j^i07gs}spr`=vR695c;RmKf4sDL-lCPt z3m24Py2UB8SN9f0`HF;_ofb5;^+nhsebF{CnY|g^CW2W{w-=Oz$d%@MbH~4b-tKAE zgIqH19AMwQ$oIR8 zHExlp4JzSgaa8j5n1E`V3HsonH~ZZ(2a~qCOpb#xp<>KE1cMeD%Q{;oHA1osNv^k# zSW$|}@^YP1Eq(Aq(ro_}unK9T)1<1daQV zhUFU}=I+9kOnX%^ddhwVbTTrYvuDOBI*#)h618)-6^+WWSK6k?78YAw3@oj#zDq2S zmi5??SiXy^Okd^=c9d?C*>e1KH*X8p8dp*r_-Q<^W7;<#nH+DE3Z?jwOxN;NgV!WS zAFr6UteT$NU~Q{5kidr!U#+{CO&_~50xK(}afMKSJli__bGaHDy>3c(I!R%pv#>FJ zPbf)Oc&P*{HcR?J$Ag74k65CP# z+cRtu@gjlA4>I=@>&iNV_P7r!`F#YTfAnHZ^v=?C-e7U_UCi6Y@&3?^qp$5w4DT|{ zJ361wO?)}4EjO>2YL$EJ>2b#BY|L}KJa*uI=r!DK7kz@_RcPFxoCN-!@E z!FUbq?EB&j_Cr*%P?wq->LM9N(U`OwcS>U z??ijzF@&gs5<1q6AXffz+N4zhu4LRkl_?e{WYSHD$X7fQValsQ-1);+Mi$YfKwtcnH_u+8B zfsW0)d3TOGk2kMb!x}e4%u+!Eys4U2Dxhyq?R|oYzV+y9v_oVVWAg(3U4rsRxT6fL zg0Vpw(yZdOVOmlRUIEGH;c}-XrXLg!I6rq0m;HLTp4}S*e|2ZrQ>-Z)l8lu!;XI_; z_B6=k{1SI0k>o%1G^rq!Mv494j}0F%ys+Ps^(Lw4?NwMWSsqHA%;RZ@|OX z7dyrswQi*)##L%!@S45fi*nl4-6MJ!h` zu1ygj=BEb9$t6E_UQJwmg*7HX56qltr&KaxU5U)qDjs4`f?la;k|UT#6gHSV@vJI6 zyuLmr11Y*~?@nHuwmcD{JL*a+)|tf)d+e9faT2gX%dV%gdyB4Rg+KmG;`os}j9H%` zI8%uR5npaK|6=btumku#+nJxgCvbhsT9f<}O-!t0^Wrnh)ntYN}30WPBl)IAO^WIaLB;hvFu8nOK$EFR^Cx zZeIU^=1U#dTPbd1ECzK*>4#T0mB6z0Aw(VcA3dVna=?kcUr|Wi%)nrCq4&iJ<^X1I z!Wx!fo8Qa*li{Nh)iIM+8`ZO|xUTw%*KIx~koELYJ}CjLS)VR6m4VrFrygvdf1ihb z^)oBpM#co6QkA(s#Kh-J=sLiZf@=YtG)0(7`ySSNQjNCH!8lvHs~LY2hFSC>d15wb zkMbOE?=U6Wd}Z5V#;_wk#M*{Lw;Fs<5{*u@Nvx=;o><)C=*BJyFO#Z`yQkspTVRf0< zRYp>iU_{eq@kXfPAudIFZMuX(|H}glvA?)FzWnIy1GBYDOYG~@7Dq6*taI^PGxbEX zv*)!r^;j{n&a-xchpOrpExi=&g~T~sAbJx?4%Or_f_teURdiguT^w{W)&7kHmXY9=u)gf5Vx-{L}u- zvyxE4?9Mw-&SBT2m^fH6B3A9iy1pdC?W4E1l7eVRT!d_51Dud_C5TW1XEI;4w|9J@ z7`GHhGPr2Hm75M*7$Zw&M%4Oa+44sHkd5bhNEkb@S}o~eSK(ju-ZNKb zZv&I;>bC{~h_*jD?N^92_Mv1n4{-vl8s=bRm{LHQ9yW%0 zxbe#LmnkWloYqJzSFe5ioj1ki%KOw|&-Xb-(W#H#8l$sT)Vb+?GdKGzY55}UrpCma9Uu6QW`1f4 zd&8F%f#>@z!GX{dzA9hpYSb`Vo*cI}ow8&VZb>UaqI|G6=_G6Y)lJjQJj|^Gq2bfz zZy3%KA>MURaw)OIu{!*SMmIKpI~{r0tlcCy8^QD}-4Ma}T&P4CfRk#a&caJ}xJr$3 z$-z42BEx85V^$|tCe zzdGcODj*zf05_aa$~NP$=j;SRIyvS+-&%hS2Thz@juU_=8SM*72eQoou&Nf00g3-d@JgO6>Muy zHlAP_Wd(6ji*r@!vQ@;{*B%;&0w0z}1HydHsoei;VyLIik4TxUz)v-H1fRbI6~My? z1k8XrNz80PM>qz|3B6clg?x}?ra_xGHp@>jEH5ZeNT4O?oU-NW!iShwGR4yqa@BnG?Mx0ua@ZJJZ@gf7w{JSHkeps|6W)tGzR9k1sZ^Gn${*PuQ_$Ji zOA?BsG*aUzM_(7UydZoVTW+F8nRop4jX&JG7)vLXW)})q{C0FwtjEwhrF_5a-8<_l ziMmU_Up;@)kwn^zFf8UMitL=^J0>WR**7d3<}AC5wKle`w&{_dX?{+fSlay~5l2Jj zt#N$vpfu&*89c$e(I3pe$o0i}`4n?^kT-cjkUz-_`+* z>@27DXHk7gA*Q(f$6nPyJ6m)-Svj zLC#_`#01ZSB&gxTzJSk_;sGsJKv4RA5fKrcnSKe|zV>TqZZ4)SptT(R+@JOJ{b6tg zavM7nua)QhnU3@r zVIThXQU1yA&S)Qn!L!zwfytFw`S`TMcs44h(pmrP_xkeV{y!UTKn-9>=Fr>f6|?g3 zRv~yc(PcLLUt72S&sYA}+iFk5rOLkhL88FyeEfbq8_lq8tzLNObx zmNhytJ0I^&2KGXJY(@ULh3-~Ft=3;mbhxb)wJ{)@|Ly3jMP>2B}cRpMs2ez9TR z&*$eoY*t`**jusUz^oL13DEI@SM75fs~hg0(=j%cwpQNw#LI@@>Tf&5r*`l=wQ0A8 zRxP*|Ub6qdEch z2$&M(mlwCN50Mr*K5R;WT_0cG2?Ie=?{K5)2 zazi*K(MeosKqr?a3i~97anLBtC-VKF-0#j>>jIG)x9}qB5SOu zzvS(vad=A4UAUr{Uvo^V)k^JU1DtG*G4>Ik68Sq@L*Ay{Z|;f*zXu4ZHyLV>$-RiE zDO8SzP}b+B?wUU=-f~MRF8FE6_MExg-%akXNW;w23TOo@{c=8{E%JNn>d#WQ6>eXj zD_MQ`pNaH5FUiw=nFe%W9F{w2tZt2n?aYj@oH;DpMBak2=* z2Fw83bdWeJDExTUO98>&glo;w@`_cfh=m;qE9j-eMei4Oa*-xhZ8d!upp;I}KH-!V z=R6AxLdMY~Y54{a0Bjn3@N8QtBV+YbcY{pFl0!P0jPxIdZQIildRL-#olCNd%^P*k z3K8+>%uO7xdx&~{sE;y8;GRRN+UM75_|hz&oWn_2qZ=Fh z@wL126ywLy$O~7$w!nX;&HQAGcH1SneOn^f5|0S*tvA-)Ky^_SUx`pI1$wQeqS%>F z#~)ZaWuAa@olG{Nn~aLNPt3-5xr2L)O~%~8npM>n@9t^G#V@0kDhF$Kd{1&`C6Opl zR-IB}GY+yjO^Lpv84NqeMHowPB9}5@LBT_U~E#V)cdZ{74NOF4Wu)KRSY)j-|Az@lonN`06EQg;#xmTI3 zSIsaf_Ngm^t*;`W(b;<;iJ2mSa&MiUGs!L=eEgx&#jXw8ukTdEi;`Ga^%+<@Dy}kr zE%4&ux8KcOUZ6(8iBx8Ma=BJIm`0GR_wg}cj3|CjFW7e!^jnou5N=6Kna2?9LXcz# zB9CghX&4CzY8pTuvFB*xVKQ3v2-zdu2m@HnSs4FO$Oge&^;4Jl%D#$a&nC|4A&y#4 zY~G0nF5DPN?+fWZ;U)T$)Vn4^R3iaxE8@}3-gn-vtbp<+2A7Vl;j*;{m;s+*1jF}{2BDJZKF^`Z@`Vc4E^6p1mgcVSsX{%Wkh9PQVWZlhG z{cS~xNI=r5T8b2z-ngW>v(UOZsRTcwnP!fP7wwwVZN0#%XfilgLZB9$DrZCZ_Yjr~ z8ArNE5U$CdF*`6kO34&%65B*P{ijjx0&?>J130MZwlA6Yz~%A78+JQ58Xdn2B7|6X zLTL%ystU@7ah`>~@e}bKG@Ol6WIJav@O`=MqVTl-q>JO$`YGCOU3CZ_y*eZT)&6o9 zZ#|Ok3}$RZmja;-7WncjZt^$ZX<^!!bAj9iU{8!N;Eqt$;0AcSDlxWr`(WnsP-?t! zNr+~5^wftZIu1?5ckiQ=N9<|yq-S`P}=B2>6#mFM>oj75U$gB zscm~<4Ak;u`Bfg@q{Hv;;nh_lkBCR5{LeNn;QE!$-{gNCLV=93!w3(Eh)EmVNQ!HlXmYDPetTI{T9d z=ZV8E;X_NVT&FHzkynh_F?lGw;cfBcWsQCResBhRkivP% zkn3yTchLN@gYAy4IR5QN1L@*ZdwRb39KUMQ*ZovXt?B8?n}zp_?-k5SLL_9ClpdXh z?Te2eBSZY4Oz~OhRdIFVC!sZ-?2n?p>Ir}8$x747vypVL{YvudXL^1t6;~}}gvGE* z98jNy)&(EmvkcG1X{cv*(8bKXz&-fwZzs(-?_+uw)osGF8SARM^Ou2{FTGUqf%du}3;b;Hw&+o(k{v{zF5|gX@?uOj6^YKo2Hfcrm0sl^4 zpMl!^ccK6Ci~hUNe|drZzhCINBwxR6c7Hg(bkFLNE9d7f+4~}3$I$iY*|M4l%sz{3 zgTA)G!9fW#J@+aP=HO~O6VrN z=%Uwx4~@R%z|`Jv~CeF*lOQOy~M1 zrQBxh#5DZ^7b{{{UG0uUhRvG-uq!l5Z06+}4Iz zCQ|nE@G=c2!$mPNBC$=?UQ?wkVr0_FDpSIcm#xmTb4H6dM(P8!e80gwha<4eWOw&k zahv0VS;@e!@}`Jz#~jcF?)X1{H+MjeX?h+euT`opW_0RQ2{5WSYJFU2`H%p};Bo7i z`a)L+GBABqQB&C7=vMN`e#z1lK#wagj2+=C>W^Ihwfe5#AFX0s=-<9OCl61G(nV~O z7`{ve2K}VsHm=v`Jhhdd%_*nd(ZHf>!8#XWnOaI54JI_rpU%mxcd%>$q{3fQ58-4% z^-A|^(k=0bZ+O)hKP;J00>F>BmoSUhCmN}E&^~#I_v|GW7McSNfpad*a7T1-qw8I+ zH>GWl3^{B0U#!?_d_1i&{yJ5AszECBT0>1BHulA$oQX$;#;bdLwQstQ|8s4&)n)c= z$Fxo>H6~wPCZ&?!Wu(9gDw$A1ARX*j{V?W@04?X0;p<;_RcCZp7ww!h9p?EEL%#PzeDBnl14VuTHmgBZ zCZW!uZ?wBFN2J!@HbQ(-w^kDrGfMLEZF;{TQG$QbDq)`7*p+%PMP$1h@t{KG#F7xp z=kXCyQM}z^Je||3keZwO$A7Z=P;)8s`QW?SihHk_AK6u5rD;V~3uG1aY=+XWyI7=_ z&B#V^M%&}!3Pv&hfXJAA?0d!n2y_S)SqVILJ)b-VHu?y5BLgT=qP&`E3C1E!LxTY{ z$4xEwR0%D6^x2xpgTg2Ka$!4h%IBj^^Xo;2$wpQf!66@xq9!N?>?qTQM7ZQsD?P0Jg*< zf?aCWKSq>CXefZ(kV6mlAoWAQR#Q_G`sd`W)IF?D<-HR$7b%&w?+J8e<}y}OrqNzW zX4e27{fKb_%M%u(h4i){7fEqp>uZO{y(GKqT9b>2VTvIJ_U>CX-CyLb%xU{@Q;~0h{1ttYJV64ALSVF!Y#)^3 z3=CC|Ca1BSrt!KLN5?Nk;bE5vlGin9(ep;6;dOmXkyDRlRs1Cy?~=4yaQf}xEL{qH zkdp8lVlX9=)q6FPU*u{Y5jmn5DqnGeW3mVRVN}sJXKr05g4PbPwcX5BBYx1`+=aQ@ zt}bn;STi;J!tt29myUh8s=l7i<NrU4zo1B9N?pVVtU`nGz_tAWel-T5_1OAT_J<=oCeDG6U zL`)2%$ONY^P8E7sds!z-RpmGrEVkPxCM8uqw~xiVCjbP-??tMIb~^{vMB!qkt?5ex z@Th!IJXpq%0SF7)EgqrlKK+Q+Pz940o?k}c6juN!4j&WU2S-#15&2bNRhNVs$VV);#;0 z>@Pa)+)X+fJuHIjNK>*cNn)MQ2%n|hE;bc*!0n4`C&%7(Q) z4Zq*u)?!OUPUZ!i7azpDD+9DXhL13setaG~5@7p|`|bgwBa?*3lmth`T6*0{X9(Ca zqsS{Ci<(qGIYSx|x;ik7gz4103-`=G%d#WFf=VPB0++uEjT22s|G?bhob?u zkR5|gQVny{D1V9oN%BbK5&31KadFJarD=ysiRy*9!qqWb;YHq0n*G(Wu?5bPI{gl^ zcKWB~Jnp7-mhX2D9KcePRyq^G?`(b9gS4nwu8>*t(0Q{NuA+Q3q+aESZaZx5+R_LU zbi_ezQKDz@D3y?cTOGmcASx9nP0}(j7h<G& zZuQGBbS7WDzpV1SgowRKcP@Z86mx@n_q-K&lHI-RZK%U#YqXWwi}%QXT!k1opI<;l zrE*4`>Q{Om^=nPd8i92K^z-KB$7OzDJDL&~<|2h8NIeo?oAbb<#d_`363BX*j8nBF z3pL9CK>cQ+itA&Sp~R%;r}@ZmOwuys+mOx2>?J$H%kK~uvU>`+dC>`kVEl9f8f|(S zu~5BpL0Z^+@~vdd8-H>X@sseg^{N~9_w}#ZC$5-Ik3@=HTre2Q+1G2hCQvT#>lEYK z|I9Ums|+&%pTpl>bxrkw*~%G}`_r(CC#9a~aJML^dj};2*T|X8HINLBP@VQQ3oXsAeh4Bil09> z7tAE>vzuC+Loloah(q)<+gHt6{2e6^XuE>LFYKPMFS8wFNX4VAB?V^S1rCDKHxnZJsx;*Y1CXRsw|~4^ zeEQ0yWGTT8F?rzd4VAcCXZ2n~4-f=&GZEE`AjHC>oIu2h8Syh?KK9tPMOS>=)tJ9@7up}cm zwGKc^1@SL8d5GwJo_4`Xv*nns@j^F8s{RKb!&45f@=1hvBLu=G)T^u+JH~(JlM)5?lLd zQckBF6j_&Bb1{Ne@fXZt_}!s0cV%Q`q<$=itV@>|w&Os*Lo^7WTu;+jq1X8UjLwHZ z1?cI-H^=DEFIjRg`o^Qw4=y`;H7@=diCN~}Z5*&BS3fv1zW;-@YpzKmdvOnNmZa#q zy=v)Sx=b?nFZ&l(aixWUpO?NK!pcsgTw2*&y{Ly~%pYR#%CG@)U7MOW7Pp(45$-$feaw6uSjaA;#aDqSiolCQ!m)`LRoMAIzath+%ObO?%}I4ps{Y7myX>0``zK zon@#qiXPzf`DMB*9aH50I5jB5GC9YQ8F(I7un~GhvTL8Wu6o-aNN|H%XI?SuV34~Y$DT!(;&RqpfYxMEEE_grE|-s2L16T8nQwkxvm zFic-CZ-M*CG^f9jZ~bb&FzL%2<8shIXDfSg2YM-v+k#+}@&*C8297I4sW-UGnE;Zr zM5%ZI{+y=`A1Zz$B{SvJFn&wS65Lz#kDSIBPqG%Uzd>C63K<{4!1ANh?xblU%3xA8+FP|&I?DIG>Xg3M!v}_a-=ek zwYM?N0Q8!w=Vf7AxdnWpl86P$IkUuqT<^`jY7ZJg>$`2TNYBghs^*GI{W0sYh~zKw zk{TIo9gFK>r(MUdiNV%*U3Og8A~G1*>$&B5z+ zYMJ3RdKEbcT;i3lesI;|or!WUA)f*|FRq&!YHH2a`*e3L!NuYEE+_8e?_}^o4E#+Q zp#C*AgCjz*9(ID~tFkYQbc3L#BtB=>avLx#f^1s-0a*g>e&xyOP8LUXOpcnh z7VQy|i&e8CMcPLSyf=L$aTAXAR!(m6%O)x*qgP1t16zAa#58zq6_CECjq8USbpLQ? zkS^P1DJm&Tj_mIG5Hen{$lqE@uPdH4{L6o7-rkkB!*O$>|B*l*ZYd7O)t01!uomW@ zf#y;_T`d)hE=K7N5CeJzo%I@e?u?DPwuSe>lYJuPj3}(}jO%)xX|UU7Lg0)es)}`x z8VxJMfJ2H7R9&ESHMg;>=5!}79jzcp3gu*)gA+eIi<{|)mpTj2q2@~r+9r=q4;%{! z9eCBD6!8r$lnea$*tMCs zp(uwc3!%3eqM9@#3A^G)c0~q_CJEKt1jj~_LKYaqRm&WWi(V$j#k+^DNrEC$`1G5^ zl$mJ1)Y^WzONEX7{o)O4b+cI}5|bS_GOXbpXdIFwFD{&kfLKl zG|Ss>_%?tJAt9@;YvE$xd#^H9N(wc>(B+jmSL+)eM8g}u-zCCRaI)#TrksuZG9f{C zN%E7fCU@wvh0V&#m|!z;=wgnhFZ6G$_PSJ3e?M1&qCCabq1o94XHjHmvCquGDni`# zmP1@yBRR}H?7n(7?H;$qzHl?L1Br_E=W-0*Ei1<%*x`{qsQwRjdB$k5kRZ#H`D^1HZ7mpf|J6Qs z&}98mtD+Q z?civR7g@|HhyDr|L9~Gda4reW;XxLBH3;&k2-pj2!Df_yXYt`h$<-TwKF#}IduDjT=^pM#bxOL{`ULDF| zY`&ChBF`=(Jzb}yt}FRgEI8EQk7jL$tCm2}22803;)ke&Gf^y97~2{?O?riNX3V(u z_i{idrbqZJKVTP;w(?74(Es8Q{}26fX%37~>|n#M!XuT+*`TJ)__$iU0uY|7SeLMH z#2AAk^P+x3Gihzs5yn$yxQ)Z`z`2|FV~*$!?gkk8df1-R?XgpUo>B|dsn>p;cQgwM z+dTIpa_cLL)Aec)Su~0wE3fLdK~f&1u4zVb@9yLhjeIu>TrSzm`no;3FfaTXX;Q`( zB*I!5BS9Ga23z~}6w^L`y%obWG6rMyo(L!(6Uq%M@7q@^?caG$j$eH)6#u1yRb(7q z4z4Pd`_YhloG&75Uh~2<(5&)#qv1PE!QaKWVDiD8?AMhI-O4xSYN~~ESt%+`Dg~?1 zo27Fobtb?`^GZkKk%L+EZPg8;97MqBMds=s;P*J6BgTc5qJZ6*3(FTeU#*bzRvVC-U6-1; zav`fJvbwpp7iAUb=c!W$BF-= zcwY+8kJHWOkl|)eyyhxQqB!T6ylq0Q9x=(bXeFNJN4*Z+u?8dG=PKKe?t$Y&2es7Z zc~1u(i1k{sXkDz}ClRez?N9n}^FyyL-M-QKlQ6@%$B2MjuOP;2Yg#4{n58nFW_>M` z(I6cTcf)K><+sKLw`I%7T$8+LkTj^9?`Uy7*!DJ1>1D+V2Qd41J%xLWzj}VyMo-(z zYL|KPak5D3T`tr#f-qlhRoXq|<<9vH5c*BxWa$hrvqfZ2n1$5sYwYp)qujoXIou1T z0dG+VF`@G%2{=O@8%A% zYVxQ~M~iuqBPI4O`bYB+* zHXzFH0=f~yF$-*0XgIWEPJ*4~sMW=HWGHGL$I2lMHwx3m?qTQy(AX7}L*bVvUjc1L zCF)%lA7x!oSM^nvooIy%hNiEvictZ6e(dsUt6A(-g!}U2OwJ#EZ>^UWj^PQ|m+V0n zJn>Z*5Z{I#R-rj$FENPb6OQC4y%<3b_L_NZJ&w`$A5hZL(mHdMnmcTJLTL1;elKv` zPf#)T9$M|%A@#ZVBZ}@DM~Fx|D=|RAZp@8XFQ1Z`WHmm;Kgpu9ozOS% z{x-@{sOTKSB#6QNsU8f$>Fy7Hw@}yfZ7Bc0k*GmYJ=o^@# ziG}FR(L?=XF>V27`$+P_?RMv}Vf0pksr3sL6`hb^-c#Zqx$E-RvI{5lZXRlm0h;I# zpgg}S3XAqvuZJir{0_M3TXVbbkS%C~Y>5ngH1q!Y`55UDD8{vQQS3Eb0~$WR1-rpL z6J_?!bxc%61vEi2&LU~csMy0b7q3a8Si*&guGsaJf%Kt|!ZP20hQ@jr#U`8dioV9W z2ioPX5CYvlxv^pdo0J)Uqdx=d)!omox^Dm22Kte5&Vvp6M*Yw@YBkg19>}*AxH~VU ztS_bTTsuWICnrBD;d5oZS87el-FeMK<@Uf{oHFgTZ6)F-Uc*Qc+hhIe3Byy7U_p)J zmK+K7zt88WrL1hJ<|k*x9ElxRcCY*0sto@9@#}_R_7|+Fd>)>9@%iZV30jqalHP%Z zsHg6>9b7vteR{Iob;dj4w)CL+Y>pegdDwaFR7q|xC%(UNTnlWTbYJP4du)w}Y~315 zS9&z5ABU~!zD}93y`9-S?g`>`oo1-|<;7a@^j z0h#K7+8vQhT3ZqVFr(_Z>w3qQet>`i@U|6nsm&^NN7}N$71Rec)Aa=OeW9V&;a+UUl+mFYdR9VErr&t zE~eO+`IYJFoSiQ!cHGzV#dg9Oq4C0`kASL0p3!mW=X|xbIH;+%6hnJAC}RrJG2&1I zIK^|!ic{vWygZQunX~)dVBQd>JDj})#K`n(A5rXtMwdaK%%s;R+sR+we1%}GwSeG%pqaD-qQ1IXunkBmc% z^Viofp=nE!)r*o?^O~WMrD(Ql=h_+ACuy?JG2>E5vq`ol-OodfdUE!?3`g_-K6aZ; zl_G#6VB1n<)Y)ls>ZhC?Y&9u*ayjc20U){%{A@>C*>4r$#rUB07Fyr28aXfM{PDR905D zW>{ETi`Nc`-qvd=)3_AK7`iRmrX}^|CGu0t$lyC9AViwIe1w%dw8gQ}=TJgNr#<6@!QxcU&7d_&TtpC zVqqCtw!{1})st1qHsdkl{=byMaMbI;*u8BCeQz;5@FD&>EA=d*?y2&xa#*t-6}l1> z7qYgUEkvOBM6d1JzgN0@C+~Z>94G%yjx76?0N~c7l_#_C3eLU%tYSEhje{bZaw!XU6{{U%JZ}JT%THrI_7+ zkfJ4WaGRxK$<YC|rR2t0iDq>jgAiN(^)kjVi^*?N(f^e-rm zA3JlSB&nhmdqq7Hqe6c1cB0nQ)NIQeR#L+pK6~p8_gleBJGPLO>&!xpky4NPZiNQ28k&vfS3&z5kNh48~jp9_q%Nqndaay(or=xE- zX^eGxfW>nLI?PC=lOt9o`}e;@lrb$U$4G4Ox5qyNai8jOHpRnXZ(KZh?z-G&$oe8K*k+m!g*2Y!LZ zHlqE;w3~Zt`kRl=Tn&6Q1aZEfKnX$qt03g=igsQhzP_KYunqeW%Z2W-`5DMm@ZJ zkHYyK!BYxxA;3v@}1n=#bxxjqP7rB^=1C$>PF5A1fu?;n5dduIgt; zS|8ZE9=7MOCErN%zrI47@F(8NDD7ddc+UMLY?5mH5ux82cOT~IN(sF}9*uwr#dAqd zw>F41(u80TQMVa$viLjY=msi;tbhh(MJEYp`7sUdS$Vzm5pX$W1cADxg~ji-F!7jF z?Ar79CEA~VrT_9M{^X>3QIC${t1hFz-f!4zdwQ^|d#gotVRX{c?HLJglp(=nOB57q zfzB|f;jf}d1+v(?1Mur&SLOn3JzlrGzC-ePrFi2$kkpb1%B!3^t5YS3tPig*evYkk-lkCIOq{W}c*kUo zDLDV{uU?yRB#A^*TPntVoNLl}08cDyrb#C@dsvKFbey!lCS=`0@BP5GU{=*_woz?) zB`q8z*GRY969r9I{$Vap#V$vWGWpmZg#JLH-rJBtaSBOzI13ULHu)VGMBlAj*W{k~ zW!9Qx$9P^sQ|KARiX|}kDEK=F3k%2Ttq!XVA-@uu6M#74EN|7=W6o$kii=itesAOTMY-|70oM?+ikx#LgeOwwoB~@K7T{& zo9CftNIn9$&EF?G4&tF5r0j5eZY^2l{LtaFSffyv!pSJbOvl+%gP$dP=3Ac4pKQWJ zK7XFPINf=0dFXTAv|zNS>7sbYY)9zw$Rp=m!r`x*ywTmDA1riCA0CNzDmXuUKTC9a z?e22jcwE&fHRaQlk` zy?Va&mCgw01Lwm8dfLx{y>)GU;j=};|^!?28E42J+uBP*72nBq0P z+_M}fwQ7+~0kD4@sGI}>k4Q<1EyKjwuPaA=8kjfoXx;!YE1rS^l~oV{Dxmx#_-THK z9T|r}R^*5<@k+Y6MC?UDA9R?Oy1GADycW6}AbHb99c2mRgXpgwIyDtCorb~Pg&@cr zCA3xI=OASBGD@07w#A(!86W z9N#J+oA4WvltKSKdH}kSihs+8nH#@vCQd+^7%16F>!eIQ8WW9b3~ULo@6TOpvr54$ zO08ygB$ZGML2$GYXcc4MzOUL9mdX%>2~{@nM1O~Vp;WiCI8`r_&YLYWgTrW2jAlUO z8>m+!P&=Tm?|oCR#skH#Pr^lKpN>K>Ffkd?qqPV{iPj^l) zc=nH!lD%(_ly6m6bi@_R?#Xdgr~h{khkx&l^S((xxb9lhx*nu2jCZFl-E}0EkI)rq z@-&5<&sC5&9GYGjV}8M|8F464_RU+&n7@7k@q$G0{9A?S=P-2&yVuy~t%>EM_jZ|l zbe6T9&!;TgmVYm2z}az716YqUI0Hg;1{Bc7TkNsl={-Z)m!_&=>QW&?e6@aIPAmVS zZ(oTx#A1E+DIO@vxVOG4MU;1=<^x`TbTB6GdAsK<}8;8Ja7#3qmgXQK;jzjnj~G zpQ~X98ppY-E)tl?iy8h$b1@I0FTM=9O9B=0?M!>HT!*&cu!q%>J`r#z%GmoMe!i^5 z93q%cx+_95Ry6AcL4FuQRuyv@MVIgQT#TDy4kl}@n6lOgdf^uH41+wXu|gsc3pHBs zK1!_3UU5Z%^|N5-blrZ3Pcgk3m&|p1mHSO=ElAd``c@)M`&i!0EB2{ zd5bBm#woWdQ5MwbuEhfKVwE$Z#ZH@=(rtNw;=Gn#?LTLoRy7%h$|f4Y1Y$}ZPjWSw z)LEux{ zpJr4#q!*5xe{xOE?eQ}lZc${Be&*Z>zBx{+!_$v*U9v;Xf+q5y?&2olN5zWAdd}Y1 z-k>6RH`nXqZee5Zphaqqsh~@DWQg3MFFg#j^C*}ilqEXVS60;b?YH#IPXx`yZ(p}^$d_fQ>7^V0Zhsb9+H2Y6 zpnUS%*wZs8<*T!w#Iz4z*klpn;A!tRU9CkS4VTM0t}ZHv-KVRvB)pd7`3r=gt(&gy z+?=d~lEW>4QKq4%?Vp+k${ph|%%cC%JczU9wz_nu8N@;=)a!^M2ho3LA@>KzRk{&K zEwQEn$^mTuEHXeWTv)6P_PXI~gIdRE#;JkplZx)J?enM&dYpk#0L^!qQk0aOZkyha(* zMq)Z;2H8i~NT6`$NC@BF2YvzvWCqi~iN}geKQoJYmi18}rWQ8gbf=XAp4f4<4UZQZ zYgi|_Y{ybNgCvsfd{4pRVl^%%OYu8%@I234ShzaBm#wRv0R$Z718~64?DXvPFU95i zt1V&YlXcDoOA1YEE1NkA<7=g$tU4a|w8^2%X(M`!-v!oU*fFW_UR6L(lo)2U((hK@yQ#v$vhgOu}_kd1~9+qrAY) zg4`fo9U#$szTpO;O~?dIDKB*069@f@($ExY4CxpLgRiA*5DO2)JC=BHHwPA_ARh~6 z-hTx9mhRjGxLlP?)D@)+M#1e6`-!d>ykk9XGZG+F;PgP6Bu`fLq}RxE%E!bAb1g51 zmloGqGkIk`tSvQ@!UB<(sJtyS5X~Jy>GNvz*+r2ygaBr}z&HNo?yu9!NMS>K-lGu) zG=O`^84P4}aRS{y;92>*!+w#3+;l)g@DTZc3NRE4b}&_M+wKrh{6@G)Vu#h;^jLN> zG{3%Z*?^k9zYkS8owF-33qcb(V7`$!^2fb_Xs}MnF1v7JlOss{*vAZ{q!ue(m>p!8 zh32q9IO@1ug<9cMXr1X2NaCU-!Iaq3fmC`Z3l&|3TXQV~lUo$CT)z$b&+|#)#J{yH zgI~hG+kk~sDIRr_??R2qC3$N5{=RmH>dFKY^5nOw^QU^}=TM4uGrigcQs%#m$k4LGP(fD(B z;B-isxVpd+vN=*$ln}0Kf|K_d(hAij-%KGvIiu2yQjg2;&KXj$LFyVk1p%qWD0(X# z5kAfsgEmrD%m>T%HAVB0vjo+?2S{=nCNpLRDixzo0A^!aHkpvqD(*a~?Y8`tqZc%7p3;3S8N75JIL`0~fO>F1cO zFMQU$S}Emqzig+!{~Z$XljKKIlF}lNd>O(ynl~Y8_B-TtlSNt2eR^x`AR5rCC}#1e zk6w$RfgmNqcii+msh6sP`*q$xCb|IyNh0Qnv zs+$s8{4Bi6FKDKV*ta%PBSnjA7b^5j4`N;5~p zA`*nO9VUB9Oq#{&L}FHN&x^G`S!LYhUSSE6AH^)ib6hKL+ zm6)f?t<_$tnZYWDB#9pDf|5RU2>hOm1cu+(?%1H@m1xPZ=Z? z?qwDY0rk&o$4=J)lV(;19vMup!}rfmXwMm9ljr&)ZB55i4`kL~KeR6gOp#6(<1*nj zN*}Rb2mEfu(krZc)p-UjofV=HFpL}XGYV0ZA2RU8zkGSj>e6R2OuPF=9e|F*V@?5c zodUONqPas*a^b!zX3nudtLoQ6A`~PsnH;*zxjS~`^Ma)j8fKzYR%BYZccRobQ)niw zO`=w9@tZYeHE443CPEgx9}7Fsp-6a|?I2iu5cxM9kqO_-FC$zs*y*N3KOTf?{5oEX zeXY50;TA^fv=Rw)LG3)wefl#nhxaJXXl!m)D-bRo<;(m22hU@kBNMP6_cbbbI+uAFosa&t z?76V5F6tT7&kWW3UrUWR8Ops8%0}aUcI37$@8W397LT+d4AvzXjP39yva(zs5JcOOlwBy371) zk5vVm4=aQz&+)V*Ckc+t9-$B%5+^=ajmH%fWZ&j3p6_w4uifu19<$&3wQG^yiVgz& z&|PD62)QqE@s3$mUB_}l_FKu#ZLW4T(1}bMCnztsOJpzKU+Olovgyo9PV6`k23MJHUWvQF%P;RE`GBykhq52Tb3O_Kynr&!RQT+%MhD$7az$vJqOCc%SdCq zL1{YcV9E$a47!Q%;NXcgJJ&An9d!VZ`h)cZMIE1)m&dT*z+Ui@`#E2z4NDf@37tM2 znniezJ$DyHo+>3emmE}kgDOMW2z`qpO(DN>DKJLZ%Aq zcL7P*ge(9fZ?jv>bR8+`3(n)W?maB>SfYL*i2MPh1@(ZDl6ycq+w19!&Xjhoq`KDC z8<80Wg~*|Aa?D+D4#3BpRR;%x6&v7!+n#={a;`s-NOvFNbmbRYdp$i7Ut>O3h!Aw0wOil^;XmcMG&AZ(ogV!j5C34EECWRaHFOBGC!kk}62(bgp6Df`vsBBQK$>mo z59MoMLrqK^QKwYFeYB!9{7k-~6n^^ln>9SYXFNkT=wxRg*H~ru6(Zy{XUy|$&!P9y zxT1O;-GS&N89T6a3|nw%PSlnc9|@F6xX&5S*5TYNad@lue}9SphlltNJI0?6CI74S zyYVw|g+=tgUW!{gtI&2pob)}%qVv_d0#0LQWM(Rz13H&B5{1pc9XV)q5d*zPom$B! z<;dpB*l5#-^F4ukvmMK3c_fXi-RSMc0my_}@)87Ua9CyLWRK*ZVk=IyI zr+#$%jWxNjz`8}lELx>0+4>5E+YI_$%g06G=>J;g>a}|iDGKh8a+Vg`BhCD7*P)ZY$-dLq zU7L6ybpzbiBiO^w!?VSwM;Z&&64jps9X|Vq4gw4@!iIxhTEQ8xVDJvR;yLESQ-&h{ zria*sM+;xbAQNodOQjCh^RyezH{bD%?7GWXtIzwq&?+J%=BP8C7Q7r7BttZPj{k zGx;amjb47#m4^BCt9;_YEyj)IgSD@fE%to_$zHV>Bvppo`H}5=4o4u%1~~uZ!SbYt zy*3AvneQE(GF!gwJkGs)>bZb{j3ppO#w)mWvdA8VRbGlQ;%7^AdrtvP0PGqk5$mYk zbsa`2)5C%!G8n-PuTcNyh2(!Ur~Uo0wDTPlubk0myqcNsa#OguHyAMPU`)?xgRk$H zb6PXex+V2kO3WW*eD%>i`;LWT->GXP6Q{~YJA%lUJfJPb{oqXyu^0TE=j`=->qEB- z_tT@4Bq6h^D5A#fGQ6o=OViFA{oK51)zAV<%S=!yNSHft00*;#k`-(fJt?p}9gzm_ ze70N`gQSCW=fauJa*~Gq7&O+eqFm;BsnvQZlkPY8-f6cXTNBWKl@JJU=Cei#9bqEt zU6HT?4D54L)$1$O@o8y-FfF6Nv*6p6V=Fa1ztV1ue9B^26SeR1ai=t9tb*TFbAq*`rcrbM|N45TmG)EE<}(? zpd>bRD4TvXpmeB>?t>rln3X!uNJa>@p}12BXNZ-N1% zH(tBg6^iawvBLuoQ;9D9le(o2LGzMS0&L$;^4li~iSSVe!Rk%lliCDRX`If}=7o{a*l$K82KqRd@`_b7kU;QQ52+Snj9P1LXd zDj0xR^sLrGopG2W0e`GZ`00Oz*_`p}>}=T{*}!RSAZwM}!YYVb)V)Dj&~%>HTk~&Q zwUKbR1ad7j_B75UXVxBE=8jg3-rNmUM1tB23`9>i{>4q=yJH$F@2bdSlAaUQhQ><$(*Rg^;@Gb2|ftN!hfSyU}o2v2c&aXvv#e7^2+Hip0i zw{%ftihlClW)&3 zuYV)2sjleu6k=u~!KzDl=h=g0U;^=;78Wk+J0ri6%to669pVE9&Ukk(Ak4@=$b9eI z=*8-Bl1e~cew3~ACFb|9^1dz?FB|IiNYD%jdSr zxv3NB{@Hf$tJm~d(Ip*5p{BaJy5VeS0+}tNA)UqvElB~YUxlq(08g5rXF_(xt#zml zs(VTJd_^RWThIArZVV?U0FVm3iTgJOl?oA{a+A0OYS zG+FpbbW)3xx3Q|Nr6mG2hDM!r#w7elf~D465JpWd&QgT}FXkr%q6u1LBE#M=H*XHM zG8LRMc9fo?=1#GU$`SH#fN`!04wn{JS5#-70*r#fHXfZc(ix7F+-qZbs=I1``?u@C zf2)dAzXR}{y*_%G!<3;QCIA>FEy;!nJ6b+FY_+L`ZA32cqgL(sJ|ru0MeJV@+o>T8Ni zKqO4h8G(0zz$t!q6$b=^$V%b~P+G-dZfZl>P9P;@ujE@w3F44+Mby!pt^qFahbitW z$*e~O6S?nld~36sfh!eQ`x=brvrqGNl2LL>E;2EjR>_tLaz)d{Zf*M;3!s%O_}1wk zK=%b)`_}V><=oewC8-IU+y7{R6Nfa$H{JAmFDYJKpBY={-ko&hdSa^UK-)~0-Z~{S zWijKG;yr0S>_X>!p&Io?r~WI@${u?8fMxhA?KpdlT-V$;TScfeDwo)<&4622B|%X1 z@8{2Uq7alM#vGe}>IW|xj&ag9&I(?l)dd!1&u4IJ6BLW3hKl-!$BgRcs?WR)jpdVn z5PVoPS|h4pFU>CCD>XJbttrZ}@YFnrKb*8<15S)u8m#U7VaQXucf3gH-&&l1|7rfm zWnVP(Tg{?Sa{cckBGqn#pFhmZmC*!E^L_j^>NyoJFK=9b=~%wv&MOfD$2#C0Pm|5O1(v=)WA@wJV{OnAHpPPVU88rTWA`o0rrRa~B{v`kLHAu%Iisk@I z{MMhM<(9U^z=H1JPlN6M<8+H5xx@wR83#v0FXOadrB91yXT8<0EefMpVv3<)rf z0AqLq5!SNbJ&fIKQKO>f+ zpC$lNMZvV46DuM!u|al;;HTOSkuiR!U$YpvVT(Y&IAG!q@C;zWuXXRmMT`+3kbd+Q ztd{hyVz3XG8F)eh10R7U@Kluu8wzdFII5RO|I!OU1XVs%y=y1ZZc;DxT}-2ZEC~(z zO_~!{q45*t2*W4S>Cy$vh=0)s;+4oVyd5BnK%gU&fuIrlxd^GbGytR0ez+UTPPH3Y z$Qg_1@_f5lCw$v)rJAlFD^yIcDJ72m%e>7l|JPm6ZV|h+63+JHOV?4i>&PSf=-7nn zs#J%8s+ms*6yIQE0*VNLmtpH$udeQJ9i(^+h@q^ElKt2>IiT%9bAwm>TrddwJ*UG- zOG8fxK`&8PSk*mn{lQqBKmmgo#2*MjI})T4Xc7v62r5nzK6|F~!gw^4v;jQ-xp=F8 zke?iYO<>EwgH*Dw67g6Zfwc5iTv~txa6ND0bI-C_rklCPXwLEwuGQuO!#4c|i3rL9 zAWn`xonQPJS(Vaez>X37Fm!7@S%*-EHcu2=jsiB`BK**Xz_EBL|8)cOy9|65+hKhu zAfz%@j=tL|Egb1+&;O^6R@uS9!AqVF^p3doR|U}56ar{G{C6R(^C4W%>ueGv6SOD>tfN)%q7XwBa0|iEL63>X+=hw>mzy8Pr=!`> z+l~~lhSg|9;wSJSS6F5{Yz=LOpHa$?*V=R}{a7{^QrIGvOC7W>zA?Uv{pUCH&-V0x zyHNyxAqUSjhhpcL`@;RlaG<(?5F}>j_9s&UgyjARP>A~NBb~Se2N2DC#WJhD9f&71 z^mTljc7s@r>Bu^?CEq|qHtiT>jo^XqmjbMA?T3X(7s~U7@;)J%Ydl`H6`&_el=U@A zCak9P<*796g@|w%&Gj{=Q~dez-30eM zIG@m#`icViM9GY!;d|9Vh^l)PQDH!x!`J3&0;h=UX|#0SUBb__!LgVjKuX`Tjx$2U zKLbzvOYhL$k9Z-M)T#V4KjTQwhXa}X>j^Iy`wW4quwq;sqJ0$f?;DY)5U_Z6KB&Yt z;;)d@rirX-1OxRFJcu`FXDvgKM`@4+%#qhq5-+^y0=@+op`r~k;pC8#P|u=9-w~=9 z5>Mg;$O7C2&u}5|avPA9d4?OgU>12I|5DIljRtORm`5j!*8P;NA)KbcX)z$~gD<^~ z;x7?!qtn zy2WQDLCv@A01J0lD%&*ECd(c-`ikC0zcw7Ux--&8g%z2HZmYydfL%e|ME=y1Xj_!0 z0N<{AJcxa)(=i{IPMKa=DpxD~V-2#&Bv2=qlj;|Fd3SGTeDC{4#F>S3_#=XS%=N>SW4{cUN2_Wk%x=G>r21*fwjPo@e(w zct$l4OgrCG8DxwyZYbv-+;z&ny@3?1 zyhafjIcfUX9z&g@Wh(!1&53HD()%qwxj%D@xp?hV)#LB)i*$NHLgI*55%BoBu)42 z;p0!1>^{Fvp9JkRarj@#tW7x+3#7+>CwHudCZD98 zcT$DslbFkdK3Y;p8F_|J26ScCt?3~<)^j&_Q4ya!>t*Y+sYPL%wh*M8 zeBbN%GaBVDIH)b%44)|94y>~y!DS%l($?<~3lX)Uh=nqPg&nypki;r&fpBgek51FR8Tzy&BH zWbXTv1>^w@0X>qtDc}VG&a^koVoq{(R+ayk67Ju<2iF8ro$e5s=M=jQ%NmBg7c&U<0Cb~}70U}#2 zZqU&a(&tPZE-;Yc=r3R5VxpnrxeS^>o{=DF5|a9SxR3AlvY)%e;`&=wW@bp>Pk~`b zE7CN~&G>LEyVb`jDk4#Lh7Bkl9tgqGca~RwIEhir%0LQnUFADHjrGnKhyh$sP!3na zaKsHmigTpMQauj_+CNx5Cc(FK^}5+v>ImOjK|%0S(^c>^R5=$ug&sfz zatP_t%qMI=Y53_O&zlrHo*h~i$(7egmh%_&KndWq4l#4-$0pk$DXg(+;^|uwU`_*> z#m>;26$gtH3d6Frv=p_NGh_SbRpqU$a&%3e{gu#}GcoTkrT*|y!4V3rJg#6Pcx&SG z@)qChoKHx<`row;McIKOrR;I@M=Qe`xfj_g!9j43yWssZZc@~k!{O4E_JL<2e$L;% zf*b8v3~%i7+%Zwj^L5up)?JZz61QvH1=BQjC&yg7F#eLIjoZyzub z+MK`cpL@aYPQY?!^;h^gk48WQO3b^{C!hbEHF|?~--Ox|S&pCcXc(ekQGReeboHN~ z*?)J3|9}4(E)WPMe17$F`s|op3UJBpA_n~EHufhK(LsRWsTkM(oIwcnc8;T6wsyJ~ ze^5I0H|@(m9gN<7@J4Z^4{oxU?{EK?yP#bW7U6&WbM`W6S$LxkYW$Rn8~~6X007Ap z6<+&u_OidW`9IyM{@UjMd{_NzoBxwtnEK~$^B1ockpXu98hSWA?6-eL9{_fpZaRj8 zTX1lbdk7sF4j2(h9>aZH^*<}$oDv`Z=>GltqsnS(&S9O!X+L38W%xoh%eH98;hsG= zH#aym^awg5>X4*^pah~~Vv0`r_Igy_kfu`#bg_)cx!Kv0j}Q;Xo}0z}6CQ`1DA2+O zOh0BdZ%hM7fWAlQGP)^YXbyC@Rpp!IN!yIQTWF2#Bm4Aj{sGD0N%i{pkacy8gvMt* zGc&U*(W0km7GW65=t+)X`YCeEqKC8$r?=pKM`5y)Fv=>uOtZ)Y;gfK63Wzu&4fn`5 zr*_L)n43SGIUD+ibt&`*e!FOq1eg6w`L8z{gNSw^?|RN_8DL&m(;+xTS4lkZOabfi zC+I`J0>uKNRoz=dIdLuXyf%+z`k^mD2U9a$jTUWZXXnFUm_Z5KE!j3&7A|XGGUGM^ z$B~9R%o`@b3VRYKoH~VC<*37T8+ikmNaqq!<-vl;;c=(?U> zZ1C9N;6n&K{RD9$Q-y}?V^8MfP$unUM(ipNbj%K;2$Iaq%nRTvol8zh;fGLg2IQso zfcBvV`O#Vg*fZPV{~`$RIFCS~!kipogwQyIH^VCpT|wqO9_?HK)OXvq%?TXUh-l^l zo@+yx=C-c-&nu8+i?x+oxo!+uV0tpf-g$%xftQZpPq65UXASCP5UlV z(sM~FD<@~~085@WhkL7bySI8^uMmYI2J6 z7ohnB-Ertm@4dKFGBGKMmnpmx^>C`B)>j}E_k1g%0cLO)ojNmBLDv1-H)!bz!%|es zR^55}FsxSOrISps-JD~QUe z-N-o(-EyY%HSgs&%OR4SEA|lfi0^g%mtCb$XoFa<TXZD6Yn7+b!ng8BGs2mCq1gIcQDfcYiY-h3j zG0(WyZ=?%pP1U$KYi{a41MF)%1jBBH5gg~P39v-)k0fL^LA(7BN|Uq&m5l(l|*AY_qd-h z<@v?il6pAdnPc`>MCd^qylSF47P%eYyda>k@O%Q{LElbv5G^f{pTdO3KMm+X9x1c} z3rNoL{Q2|rLR$TK_z-=R2MJ1|^v7OxPa872M&&}J~OaV**Z*MS6C#Dq>v<0ci1{bX#k$I5ztETrf-fGB7$ie z{8iS`v@)=i=}nLM40*(BBXou+_?9XLRNlWiN&>d-F=+hKt*)*vK1ST5gld?&(YW#y zxO{(dNlr!aXWZ&{Ju0FoHQYCjf0B2Z^Lq-sDKv{{fD~}(l&Sh2cNj4Ajl3<&GtAX< zd*ZWgeVMc_R!3-RYBIOA4W^B77A*(oHZxFvO<8iAo15v8=~f(YP$u8jKO9*(r$JEa zh433!Ylv;9>653R4rkIT_`*bw#853E%@Q%13leILG{nZDs~%VVA-8ko8_<7Nrou@) zOwKSj4$azeMrnbJTPeeR0{EvU-MFw_)K3{?-&fXe*s;P+gh^Owc_??rwE`F!l?oS5 z1{w(RZfnGs0KZL3@Uk5^>L!sQVG_(vrM{C zlz^ih&^9MQco2R+TtW}d5guY{!y-!byHVMM7+ReQ=e%M)=QKL`RI{yH_oMx*^E4p( zh`RApp#6%XE0c2{`3V|@JJP>*$zvzN`P^ZKE&ll?hzRh@dxsq0SX*?10pTO$$_+v+ zIz;(fJ9Yi6?ql5{9u(3S?{;OM-dfK(H+b?{T2z`8yuI-!y;c^KP6LkcRrcJxR1R&A z^DCuY3kfMH!C+AF`>6b`XOe0Mw?fU&XfSvi?0ESv~8YpB%tQn5h`+Xjf zXKeh?tVQmF6X$md(A~aDc64;0++}qzxk38xj*scm#ctpmOp2x&+W%L2yhjv^5vf;nwGIMIjn|w@Oj+-Vm2XQ> zhuuEI)V>mgpkI407UI6Qly;%mr6{3xTQY>U3dztsC`w8)tRzXw5Lsqv zhe{(!gK=l7M5xS`NJ1z=#%0JnEb~0PpQp3;`JL-j=ePH1uj{?u>+Qd;Ld*C2Joj@y z_h-tEI=F7#x=XvyFr#W-mUWR-J;`UWO>ubI{ETrhZh4@{?a5YC%)EiVt-DY~(lFrZ zd(a|yH1%u^7Yu108i550f2aY<#FeD=C1L>Zk7fx&PNqPVE z8~0ZxXJ73o{-+^Ho5>ZnYq#Hy`o zj*K6M_1#>NCy^THo%cL^g?G|p2m0_Xge05si1APyED+Sqlcahu0M8#3kNCRVPbZ1V z3(e%zsVkkGoyiJMVys#Ud6k^T(mEqZw&zP6qdnBj(Y}F!S4a)(p`wxMw_wP?1mht5 z_7tt5a<_F17lrfDre`zMM|eA{V-@S0Q6Ya1nAlW zCE8#h6(IF}6z}!`=LuWIW4JKdD(olh*_h}Dp#0iejCRC@wFd5F6ZA!wSmtY$sx<7S zBvN631J2N3##(i$YGR{u9QG#m-X*DMnR7;n15y2RuMOq)fqOxBa%j`0Uqa92(1~;9 zPU)k^Fk6T^*$PNir=)}_i}wNB`+!!KWyVgZI&kRfh6R{kNqvZUGS2F?6|q1sCmPKr zmd{x%%LNL|wTX#|+jz4?+N!i~+qP|EIOWZ%RlQd`q5Nyn;bBy7HaTFnjCHcVukU5> z4li<}GOSm7euJeywbzfa85hRjCrQMrO8vH8^wYSwEHp>D?GFzMqKK{Ud%NjIzBA5S zG65h?idU*&VrZ%qgj!F(N%(nQA|7K8&+PtI1?ZPXQp!65pKHif1Z0}iz)+if>OLw&BNta3 zAg6P7)|G97j;nEw zUA0wuQV;jri`={ijSFz=I0%Ozl6)r@>3nyPL;@2B+!%T8!5uTAXcKnNRe#}s=;_2` zT!quaf;EOS?{Raw(hf!WW>2)^*B;}mi{aHtSd4)?Kb@Kz?H_l^Hzs>2C`ql@xHC%ao zrb21p)#CE!&o zG?*~&$Lm*q1_bz_xAe8Y^&|hYY5xA%zfyv}KleWxgwJZw_cil<&HUAK@B5nhzGnXa zS~LH`MlfHq|F8b;|2&}o;~&gNrf=PnMu%Nf9gMm!!dIAa*?kPYWt%bD8F=vMk-Q`Q zqe#03klBD??pv$8nbAa0PPmM`GavmTBcb4RF~DO!B%~A!kSQMmH-;|z8c5w!1bVp& z2?{53AhP9?gn;C5DBs^4%=Y`EqssK%cG&$VX-hLUHmt#wvF$Kg*<=0_B`K#M@Ih$B>(Jq|DR9)-~7|VdEr_Z z{t>D1!+Q!FjfgIoAeVW0c|;yA-p9a|FvG5#gv7(BpI1aD3Zp9eqogGHD6`*z`()jR zml0oQn$ll#8{Wuem6#3;L77$u59CWwhkCndI)o-5$KndiytlzyU~MR<1Q>|dA@c27 z@gvP`Cwy{#+v0JANM&P#f`Z=rDR>x7yx?@=N=ZpEWUTqT7H@S|9aS}sFuN2*(ADldGbd@_PBG?bb-7Ouu(cCBz8;#IXjlZ)wI%xxq(U*aZ2Z^uBk_l^ zpn|(nvAAB%*VMV;%6coc?dWM(Y8x5l@{COGY)NiOz__ZJ!4Q<){Q0sw%sunwM7?{R z^N;yrd^dLG%{tC%;zpvvl~( zo9aB!7>GK3`v!+h&sRJuc9YMd99I%6(DwXR^2Q%UrLJQz+S+o{rxcCv zOVI#8T~9PhYovV&6MFLL2MT@Fonyoz_bv|mn_WzQ-xm!mYoPpWA;z4xj1?z#!vLDB z@A|B3*ZkzEuVC9TA3$7&bq1Vy4fW53%$~qBEJ0(XJ#gh$n>ZCT7OWdW*kKm*Gxx!6 zX>Dz-1E6w6+cZHaz~|hcfbGW{fQ_ApeViB0TfXb{2v)>Awe>$@0S(`VPq(OPVoPXp zid}!}2S`#dz$I3tq>@HRrl=TvZbRYnPV)LhzPLABAl^A^$$Tr3*nAP9S2F~RtUNIB zdx^A!80TOI;tWx14`fyDzR}Km6r^_;);gi4t4Dw{#6GCP*!P-F$~>|7IB_flzRH-b zYMeOMt5WOqpckIzV)!CQf&vmK{gAeHtQy-Kjn6mf-|#nwn_0Iyrcr((Bi#sy71`tO zVJhxW&qwFA%ia)a1NCf^GzoixK9S#*;QxMpN$<~qDd7FkmiO=jf-HobC?m057s()V z6n5P~?S3=<1l;u3YYNAeG#^Z|_L4A7B4T;~5Y6CtpQ^q$JQ*5dnsQz-PcPU!7$Jy?=TyK(&b(vu_kfHV^0NCa0 ze;^6U1=sU$DGKj{nk>f+JP4C+cjqB@TRQ4qJ$jU@m=+!fsssUeCNg{gd#)5@3OjBp z%O=ULkeNd&wYJ39BXlrdp7D}YkUq~}4@)Du*Vp;RRp`CxT z8~5)E#ZCFJ#t#H=`~w~4x;{H^F8rVNYHQzH`5aPzoALfqHQQRK?6!^s7XkxsnSc+7 zEznaV$Nv6)3uL5{V(I;CoEhvXym{fSr1J?u+GZ~!G&nv5b|i!Fu&nW9%MyUt!?r|8 zTfT99GUJyDpT1&PuWnxHKvS*T&QIJzguqR+Cga9aQ zeGTV-b4Q25u}Qo;S+e#bCSlC(fmFgQVgd9f{=EerX%_6MW2vB>UBF)|J|a1a!;1*O zN9?ED1c$QlLYCbLR;M`EMI|RB*w$Dvg~Y)nJIkfqi`VkNY!SE7Q;00!%#hdh`2a(( zvI8V=O)KfW4c_q1;`Ri%#1K$Wi*kbSR|qZY_PR4C23p$N-(&$nCMcS>BT@avcfaE6 zrH14Tb=TJ;lySwH`}glJi}Df8Ons_%_x`uFrC&KZAh-J`;PWDHQP6#lS|=EATs8tU zdD*v5aH3Z5x6sh#bkJdBApGSPbnM%k3^du+neF3ft0wJk+`bTWuIk$lV@>V4yIKSl zuV=8OiqKM<(WHz{bTTF+V2ROd%{FBhy$PO5M=Ikjw1z0BIvAFVNyy&^*A zP(4m#d4r}h^cH2+A`wI<3r($7$t3KuUg7q3u*8RDyf7YMu8->|zk=OrP^l)`Za+yO zT{jz-xOcQc)+-?Jb6BfQ5yOTajsw|>HFM+a?Ow%Ys+(86|rpVrFVrr_m{JJFTAUT{5 zMCvRg^fu!|&_jm_7v3R+tJ??*DO&{olHC1UhCdX4e!}vqyA;xO&rqqHEr|<0L+$?J zdharv|Idq8e(Px1o0|;ET+sKo7b17oXF=|E$X#U~gGm-ls&+><5xZ zSiki*_|lT(TCyiZ`IL9>u5W$I|NiO!_~qFE60z|<{PO?(wQu@LP5i7+4Lk%evN-1s zb56tQ-#`0TUfcKQ{&~&({cpanneS`nuXaD**Ua}d^L@>HcDny}SKR-%&nB0V6T)|? ztt^OiGKOo|PHNA*p2YY^pPIe6A#QCW>hrfqIT%3m@S| zrgoYim>9Y?DU0i8%t{PU>&Xl#zaxSfejqMCuG}O4n;O;AUHi%54WJz>SkN5@w^&;C z?#N%{uMc*lRp|f zzOk$;h2bcv^hV8jr04@;`Kk{vVSswrYUcZ^ZYJ&3De~<7ZQw#eQgw8xGpL*j^_q_! z^E*{@A4LM#gcOn7+SFYXu0z&EExgH)Vl}a z-|OW%7Lu0qPqZ@3cu+cNx4pf6@^It5Xz*jD?YWZveoZ&1k1FC)Cs-y5sqx?<+8~zQ zVDgfH2agkx^}>q;&4l@?{myMF`C*A$Tc(iR^6}vx7o$IW z$N3Xat*c=k@0lG(MLwFr<1Cs?wTPq?dJC;)I_5fV{S}VC3z2WIG+k=2r;qAYSAqn; zezZN-*8XsV7-e{;4$Kc%!4#So3f_T4jJNQh=aINO$YGpoZbpo2I`?aq4MAr*)P2p_ zmv!;286?WyB3sDkXx?nTwJ$L)uS1~a1(He5IS4~G?Xj^YCCS~{{;;RMsBM8X6JP0D@aQqC>v33gU+tsg$GMopF$kN>wjuKtPHB6u{K@?m7(>PvD9g8iyfHwfTijkY_k(`_xM|ZM^W@PC0 z8bCq*+o?MmFfH%?U~tW_X*(@Q-4+~w14uzb8dnuyoVo3guyeUojAnuZ<3~n%-n@LTITAc2 zt=^maz$aT+V&v*R8WIh>TI+gMz(h;Hv8CqTjbW>duYq|@AoQ~9g$aeD+^vHhX3p~J z@w#^{lTY{N$rw$&2%5faJY~_n^fq-O&Q`q5`lEo^#Gb)0`;gu+>4Mv5FP@IOktU(X4I33HRjBOdH5J?eJ^k_<`Imb@$ z?6N~4=Cr~OeU4%M9`?ah;{bK%a!GIQKA(J@)=4svMDF^vzSPxgul(3aT`$4}H&)ev zv~Z3g6$dhO_7>CJikh&1EzV)M$KYIvo2MM>Qy32X3_--9=Os5@k-VS&=feWgpV7rxmq#ORaXQJ}s< z-%*6a;_%@kEsiaB(#J1_U{9C{U|KiX*-LO@v*5ma9}p5a(F&bwejD~rcAK|o<{(k| zhAbWV8!N{j0~pynmi{nXT2W#Z zJsy!=Pc#S~tlodV0Q0!*OI<{6K6&oM#s`6C?_M2^VTcXt&XYc)Ib3Ekztlf6 zWw5_&P>kY`R~|N6@PnWO7wJLTKSbX@dJ!Kp9_ZuFkw4B|SoCh)vSrH~UpZ;@aNTv< z>w1SJjOiMBum~N3$Al+qLx|-Y>EmpU1U9Nf z71WY;WI%Xc4^fpk2h}!IPK4JSJ0coM4eje)cM!lin5IGEJU3EF(IukvWZm#!GZf7O zCA+A8sro3GuC-%wwmly`%`>gGF=GJjC}}=1uROn3hG*jh5#e8_ai{vE7v($#@|8u* zZr4{z`bn~8g{0Bo-ZBoF3_xAR!rNu=9#J^cNiFtjJpCS%}WF^OKBOTwK!SMO% z+n17dmUBquC5lGDxgPZ=6)!K&BZdpD_QR^e2Z6vXXfAyq&t6=COyOz;Vqom_(3|^w z9Om`{lzY%cDO$r0(`LBAr`OuT5U){-OV5Hn{4h*8NojJppvrU*Difm(_O37B7`zz^ zF6a*HAe?1a6jIn4+C+GxK9Gck;nAx7z{fP_=9E_X?rTxm;NnUmyEi`js8t!@B*Tp5 z(6F>C0RZ%SM5DaUpi9Kpoa=cjxh|8Cd=7;abDz*$L9FgI)Q0bH*olGLl;^(h0>#V_ zI^vYs0kP50XM~qNBe}KL!pwuuffB*1lVYZF?g%h+~E&aI>~c z0ld@M2FV>~`8ZrOGC^G$J&?jdjf#{Q7l8q=aEkvgthq4meHpmnS35uI^B+7iIuo^% zz-B0L zCmQxa0RidVME&MzPUD{O0SG=glve?a5yTSxs*-bn(mQZ&5Y(#l=wSc#GfT3cjR6>7S z>EMvz{jFCnafebkY>2bApkj!(=dOt7}9{pez=bqD1bDldLb@dn4jn*&ng5bou2+-s@AHvBF4T z%NTAg?b4kOA3jv97}b!O=*r;i)r9pBPwcV0oQh0u1X#rbKKDq<*LH-ycomv1(?P7E zgF5gJ8U6r!fI6W6wn>SJ>!RQ$@N*Q8CR~?)>adW=MYT|k9|NuQH}h9Wxyppk_D>4? zj1hf=L(JEF_Pqb~qyE+5-%Ku98p||^nkd;y2E_CiF)eCIzCNRTsgl^N&&^T%qDh*3-VRj$lSwrkO!s6?O@1+txCt|vYja9{J z*9HaLblw#f&NV&>0qUxwudnw~0|l&iHX+*l)4ROEGJo4;-ggZ;?wo>G!3>E#>Wa9H zEVLZ4seLOysYe;*pp9JSmtU)%Mo$oJS>NLO;Ie>1;!y@HaS|&|X<~vyd?tLNamrb@ z6n##K_~uotOlQ{^82>Rpf7YdcSSTpY8WeNLMic>ial6+3{obyLyM1M&gK3NT3X~=t zNbwii#<%+Tp38hPkw0&iTo`sXrB@dej$3A0`}WPternl#cwH$;E-MhzP>(;tHeFl- zc@38dZQ}f=oQKSP`8&rEd(#=CTAl=kvWjz1J?b&>Z`mkq---AKb{+8+X4qZ?icg=h zIgL&noL-z`UDymenIrIb!mRO~QJV22_i`$n-(yd^)h$T@)l9;~KhJEpiNeHCeKd6H zSfw2?nyo5J?Mc>%Pjv6QX#ET~GNq}18?;IHxr)&wF1|#0!JWI2c9dw0z2b$n8m7NWK*kmtxjwH^o|;YHDb_ z#LF=NbLSmS8N&1k=1T6>C07lHT;fb~t+BB&LKo9mFJZN-D00MXXTck)sEb1j)hqRJ zOw2E6dV0_F=H>4VL2Yy66!afo;Av!L^ogo@*CaAq)w6ND-AGA(TUd;R z=_?gfiK)cRcz_zy=T}s5c%&+r)~kyS zjZCeDpLM{6v)2}EoBTFWCcMa-0cmH^Qb&kzskYd=EZyX``Aq+v$q2BlMkfqLx~3yW z=>ln)#2kCEp1f@>A50|KQ zBAyFI{QU05Uw}AWrs8lk zOVeq%hS*r5=ey0-Q=(FD#CA2B*N{`Sa(e z>|VtTuOycOSLJ@?ksRWEXXeyxFL5gPIhrlUT2I? zj54wcLsWXLgFLH~;6Hu@F>I@jzYW|-CH{j1L`A|LvAs^Fh3&K(EH{a|f*by3i+Fv^ zu!3tckcKX-{RqEdn2_p+fb_9XigLuL!|Jk$ZV&N;EM%bMh6sP+)9Gh+eOo*I<@J%K zJTH6^Ofx6fI}CN59gf5t=p}?SygoXocU(q7YpAN94R4l}i0&_U$9 zSQ1AdZ(W6iJfbbufBpHmIB*v$=CLteA(OVhesi2b+8uTc|KYg}aU0pfwBZ>L{Dh`9 zjiVk;7TGK<`3*Zbkqsb{1_@Hg(R=SThbmygm;HfANP)&&sS8YAy)@6v%uMpmz0~?3 zcLC8BvDI#K_!n_14jo=lr`fDh0M1H#RJ^1smlMODF2C{`5;sS+E>QGSfJwh1gJeKd zZ@m>@z{mdya1CIJig!jL7X5fyiv8d#M6WLd_Daz)f5B>jKV+FXk5^0vRQeGvT2lr}!FUc(H9WEJw)iM&4B zzNJD`Z1QgL(2E}gUxGO?msqbil3dCK;s?11x1t<4T=!!$M=^i!$vn^4ne2kp@!_M% z5lbyZ2wRt=%Y(YtO*m(S*b^xh8UGU@pQS%xN@m%N5k#fv{PE zo)h{F;dCspwgFu1pa=L(;FS+`K>dz9)l~6r$&L-@Glf`%L(|e$TVq}=3)L5nL2k9Z zOc+O;O*^}Q_w7{Ymd17NV^xlWRitt$(%x&u9&0e#9%MsIQ2>c>tHwh-o%{%v&|9x8 z@{aSEHd$U#QC~`%IHOpS&;t^cx0SAKgSSve^&;brjSJV?n8&#hXAd%ni$4DDHygxs zLn(Q`>k_kG6hZD~;xYLDW6(?d2IAp9J~DR1eKy~%fFMZvqo|s;5D=;)hJk7oCya!S z(tW&#;q+YHsbg$vdbLk;1y-S`hT6~=M#MdGB1^irDUIy?6!rnwAeq7hCfHP#03(;y zg4`@YG#%A=1q7t#<eO2Q$m!;sD)JP}h2mp?I@(L~x01 zO4!cRym;no9Ykv#aF|{p_PS(*M1`pV(j)GS^D8;6hhI5AlztZp@c8tZ6Ej*Vj^i#l zQ^(J25tISgE?y~l=CNK%;_;7Tn(P}KUHx!Q>6c-nX zJqmA?q#S?8(+3`yrSu=bxtpw}lmxx&(MgzqWT7JO99buG!o;LE5+l5Ze(q$=6&dcF zk{b37B{;AR2)%CnsAx+ih(TAOmX1eFtjFEORba zMU~rp7bpWQGV|R>v5?kH^o1#T=lLvfZzD0rrTFw|b#QRMEi(uva4Fg3rAd#11Ji)v zG;JbYN^M5!B(l36N@vFb&E$M2xi8&gia{~&Tb5~S2?%SJcXtgD@+v00MsH*~SVas_ z&{+))rSqg-kMj^~8Al|!G~>iStR)&c_CGq%(2v861PI)Ulh-7c-{BEsZQfBj2{FAl z1uCeO7TYQj3R6Z=b2(4c!7#CMxH6A*PUAdgkV=+FO_@G%cVO)l#n7%<|ALr{bNKZ( z`77A(93T>Sm2y|)fG7V5NXGS8B|MOCoSV3$0wxN0e(#Hm8>$EqtnEPzA{=B-f81Uz z0}wqP*-hw@Pgk8O&4iUVdmd?Q$xX{FAp9425rZuKnt;iv;fNUM*;#&HR{2SEbad`w z{x9CzzOfJH4QDBy){#N5RIrR~T0(sC+k`Q3H+ZsI_6D0wS zA=hapkqOI9!VV{cP$&i0qa%nS(F&&{m3e2r6S`nx&7v}*{%OIj?@F5n3I6BLV$Kv)+|tXIG@;A~D~^@4=Ld<3vm*`O*sJuVg8+xP?6&US@u_qH?P zmgzDfv8Rl#6gV`7_e;`t;`D7YdkgkEg3u+Tf~$5WO2IPMn)yE51Esc|U=9&K03m(b z7C-LJIJ7t7yP|BaXiUO`m!Psj1|m{Y9d{QM1@wp!f50pePwZVSw z<8vTg?Q@&sz){)mViQokiCk(d*@+7g38)g+iuoDYE9_Oe{veB80wKVt_AE?6bYJZw zc3xwhRGJ4)<}>n&M)|($!_DB>PgtG~dgNO7_9d=R#NbXtQ?tpyH3y`)Wo1f)K3iC* z-aPQR!_kU;F6qumJ12FweKX0b<_)W;;_NeR5X@)YiF)rY_Qqd9o^<2w(?NOiAeJ2J zOLXOK;&dWSgS9`nDSdX4t7TZnL(Zn+Lh=EPDv1Utr6!KPLKQpd_v5mygs+IxT1H#U zmDT^TXUT4(-Amov=kVvGPs`05JL!1;%x5!#X}W=3N|%sGu&6npb@a1;{)@ZXm&ax5 zk6mCHJ|Se{lNHY&N2HJE=guxa|Jh*SY??8`faQ0~Mt!S*r+GtQqWgqXu_GFB!g+?Q zLk=EpBgJL>w?6-G|AxPr;r0nP)+CMxE*8sDzt!dK%O7bZMA?wG{@EsGXk(D~_X{F> zHIMPs$^OMx{N>@qzyAtvl@ONPUtn)}f*CC=*9vJk2^d;0y}F4BrFSaJ_&%hYPbSNR zF(pa*`=kF4OYZxl|2nesebs+`w|_4siC&iV1>`mA!*u|hdt3)psU!Dx?wMUcjxnL}-*s0=oeK*ym%pHyz3 zpV81Q9yc}ZqzE=W{ST|{zx^i;8yBbfU79loRpL(fKlWNC`jh{Nvpwf%1DTkd%1 z@dcsD0(r2ffApbCt?HZ%%l$1T#w4Cn>$mYWU2>u{N7gCg@!JlqP!?AcwVPwe6p>~n$24bU%pynUza**VH{QKHIZ(XIg%-WaZN-6EZc$4g5*J&OS{JO^nhGQQ- z6vcopzj?9oClLBj{mJC@fNr)MwLJO-a0$j$3Xdwn%pQh^%idq(&av=xi4Fnzii?Hw zTXxahV^3LZovHWtxBF64SXF&F)=p7MtW*?XO?B*lM7eTto^Yc+Axe`#&&htuQxXO4#J!t=K69s zA`87V6PD(O<}NPj}F8W0joJyYSg0*2b^Pf%smeOpcUVKtP%0 zD`$BG(4nmq1?UVJB9X9kz>qc*PE>EOBeG`8RB}NR<-xt~;EL>qG?!__?Ldz)B&;;N zV_;>ABG1Z0H>-N#GyWqaRyhT|k}v_#?UeD889y~5HP}Ce4NgVAA3ZylS9KFa$#qt!RC>OUpNO|r zqohMEJF&{O_E#@drH}eC9E7DM7Y;qW;iTCz;aLQtef_&_f>$~R+QB^6pxUbVxVh&%k+oXK3j4^wm*&NOCPikO48* zU%dB8A529^_trE0MoMwHlC<^MfBawqh$WxiT5!}HF~r^xH`dbuD!h?qZP$gsk#Xw@i`uF8b0si#z3_HcPrd@>NXGAhqTmLhp#`N6U9 zm!I$5Vi|0NBv(u`Qrziruz#u$YyV2^=i(+9z}B_u+eOHGgp$C^Is^C|8TJ zNM&%%>5s1?{05StkEnwvU1j1bGlZ34!d+T+l`Sc4k7Iwno?fngT#s!~C4}U_kJ=+8 zcc(QZ8hks;iE0Or+|Ze5C7?Q6$2lk#;gw#+=5qRh8PEhF6W{P?^V)PAM|q(ky(H38 zC<^s{8>Z0JKKb45N@GjW2~B&z$QBNGbB=?3UKBiz?RBF!=%(L?j z3->Ioqrz@B9bnO#gM;?I`p<%kJEYW45d6Lk7e$P>?QJiZGNqbu#AXvmMI0#Qg^{s zOhJ_4s{pG z@7Q4N>UnOK{W`R~@<$NE>-xX~@2jz2`Z2NLq8urW)YUq8q8yoqP#7JxdfoWG% zX(oE*3%O2LM24sBAcRo{udgpckOUy~lRK4!#&R`(o$#$} zF>Q|>Fh(CXx8TyPw!P~OD~_?eI)$G6-*&RSmiLZuo zb$PWO+ya373t6g$?4?iyLHaYA*vYm~2aX!m5|P|LR9soKMwDpv>T31cL>!)g_Ejn; zyl5Bw(Beb!@CebP>=*?L!SALTindj-;7-m4fOHC%H)oHajcc>eTeQ8&7??75&FvhJ zLt>4nlkIf6C9k1H_~FxX-bveOd`#f3xJb_nUmsgqFkaz$otEK#HQ-rZj!>nf4FHr9nvth@f~SwtDQ@@LGXg3dt0zd`Kp_%M zQsJ#+*0eo(AU9rcn-WrZ+$QMquIJgGVNPG^6c<<|f!FqTncQz_3 zJ526+>f?Cmkw?yNxZ0xQ>e<<81;{aE>1|XN^(E6K%+2(u%LOkLgbCId4o#@)LG=LCg!-+kYv zNBF5x^+qO7;HAg8|0LYj2)QZVicMJDS7~?a%C6|FEsFd=AamUJy*^B-+~PEa32d8y zO)fbTeR;ocfu88xRoDWX*@oI4b6*R48xPs-$q_8;`_SDx_rn5)v9?ljH*x7wlyuEL zqlvJ4F3LoYPjAqCu>&t*{nBf#<_+RR!zN(JZ`zt-d(b^MR6yLl>e8>Ay)J5EK%t|N zsZkecc|fvqU-^=UT`uEdQs93dwa%n-Nw+LMWqkF2WjM}`B8 z$PPdAnw>-paIEIoi0Rm~HQrOOw+>qPiGqWz0U`)$;SEpgpd0B8mwufhKX+@G=PL$G zvXW(3GgF}2w@r%6LATgbi(`&hGxbNe)>bTQ+Bp*B+ieGk1J8;Z*nj0vkUL#?;P}w zauAAyyxvlRA(NBiQNMgWvQT12kjm;fv#Oo5Yk`mT_xcLN~OSh3|KR+>j0gOtFl`<5IHBBZiC3Jpdhk?5{B z$EXUq%7=EPA*bT`&r?>ps)afhnTdOIixQS*M5o}_L52UiP^nVL)HkF+;m&m$p0&@$ zdZcpQqrZx`s6PVk8cF$Xa;(}9+o5{2!}^Qmt;N+3R-w?SY@`>;W4&Iz!Y6YpITa2E zyz2TWPe%n(AGuXTK6Nk-MBB zhhLCP12eiqZ{Ce_bM^&R5$XqPPRR9?x*lX`&6g>NPqpqSC*q1X=#eO5Rau}9!4HWf zJvF|$QU1UrG*&jDqw}&dg%3^QKwsl5qKQJSnN>N7_EcjEy} zZFlg;)M|lVfxk$*WPkqvp^AA@;df9XbUPBGH}-|Q=tXjs4DgDs;IzLPVX<}*Xvx<; z+M=dNeJj1{%%6YtPd%?yX z8{A1nN?$GyPN7!pa#+Caz1_Ow>)_vi1#aNDOj|fpBj81nVfTrp9~q3v;fK8IB9_bV zqqvTSbR~oImr2}3EQw3UyAK~eJSrkSL1>}LRktC?!IcM8Dg)Src8~QIY}3}(4w857 ztca6DCK)$7kHlqSAjWoDOhV)XgVT9vQzc@dY^fGq+SRrTL`g>jc6RnH~QmU>DmXuZvQe~8ELup5Eq|Y(`$@C8|0JeSPnv(sVThV6iPBu01oBldQ zRi}`4NIcubk48z+x^~g~p>~0Zq{8F9x9wvJtT%d>UrX7+n3Gd?D*OUf67+9n_O|}5QxpoaM8ttawRr@6bAAW7QU;V8&=V-AT}1LS?UxqsN(lyOp@aBJNIpizuqGk+X%^w<^zv7PE2OK1;Kr!u7Qlk9{N}w{pG2+s$0`wd@9QxohyGyl&l_-%%-3;T2??(&CEVGo={YSq+d}j zu0#9ZKKWlQ%=zxh{lgzVI&^er-`aFz;%0$Q8it%aFv{FVj;hfvlCX(nGcICfMRN5- z#l#F+-#@U(m@V@X*BDFRSFg6#IwiP$-qNQ{7UZWWQniF^SdY zMa@RmOQJQ5jjJMPR;(mp_UAOo>LoKqh>g*3zx93eeCM%+9>nQ0!4`EU7w;3;DNOa! zl3L74n62oy(mUel0$X8!)FkGF<1T%Cg!>m}fGxu_Z@#%F6J-f7peeRw5le<@U_^wt z4gd!I!r&eH5W4B(P_2b_iYPS*)zASzKrL25MrTS2*S{~l!z-ra822)`h7eZnEcwr6 zV1KQoE5Dm{lc(y6PIJrx%!fJetv!_(F6bpA%hI`AT{4@yu72}2_~K8m!%x@Lp%WY znJK3D%7O9t>GMkmt@xPG*J9uP1Xkjv>5PL+`ROYp@Y6H<6{_6+)6)Idb@rFuklS{^ zU|cWcnM0ZVzU069V!ki=FV&e(kL&xA|0-YTdzJs{hC-E>$UaN!o@at!*%PlQ3t=TT zBRQXiDOGvNTS1qeiCv3SEkpC~^4Briswl300b@awsI|4)Ug>MtY5Z6DjoAWDj!1z$ zHfU0ndG{&Cf_nfpK%V)n>345oFLeU$X>V#;ss@`7uH;N{&CB?9BK22~0o z75I91Htvu;9lz?0f83J-bDGs|1kYxNa&AH#LwN@ihAyOgnIXPsUCn$}9j<8;Gt^JC zg`R)ZL@CA7u%h$!P&0?biW;vg<>ut1LysrftWYNawI9#Zti$30YfflfV4RLtF*G#1 zK(qAr^z`JS?_fq7otDY9g2sEV-10CB#uRf1OW`&QKUPRiHhLjY)D4pbcapgb+S9l% zAMqB@&-axJ!ib`xo?MThK_b_qWY~}{?JRp%iIKQIOh))bC(wtRwv7~Zr%mHLFBUbn{6cqw4`oi6svjF6Zh<{88xZF9 z=NG7z#OB@_2ya>P>XTBb1b8HhP2$Y&Ma|XzLhSFi-i;w0>gD33RXY{n68>tBIKd3CAIk3$;jWXipsT?Wi2Q zd<-l|Hsiw-GY_+*j^{t0e9~s)5OAE&8JP1-DClP)*}8e%?t9GWm8Z>J!Tx0dF*eiB$6PY;pjk(OUA4L2_OF zQhIa*p*UehUQL)h_m+Emd)FdFs&hdn4}IAnf8B3z33t^tO%O60SLRc>C7#Vb=wXCa zx144bMMzHyZlha#;4T$bG5A3YXR`ZLq_Q5 z3o=syoVqpS`nVSsn*G8{yiXvw&w!OqOi|eGdkf%y<@JmPNqSd~Sk!rGqx_#8EdqG; zsPNkm>VRI6%NZ*Cvb*q0S@UR6-glqHs)c810D5 z80e_jwCI2=hSoo?UggLDRPTyBgcaKNnLuiRNdcRKmw?RM{f(Rt)8PE<^)?x=N_g}Y zS0eAgAQagj{VV|(H9kWEm6v%EuX!AH`x7_-z>7ik@@O)iSuH{>$`au~bhLj$g9M;p zREE2Mgts1-* zYi&A?_^dw2I1*4)GyxE6mZ0;Ph1w>4U{m^?l?nQ&BiTc6*Y9miL9JLik-wjWq=)Xh z-Nd35~@HdO>t+~eCcqUtxkJi)NLE>lZ-1{(l-4=wq)7(iA}z}UGy zgF_YE9;%IUKL&L_PjysSDJmi|3rKv~Ti{$JZIysKezw@rbPbL#+F?vu100~{JmyoH z+3Ta@ym!-twNuQR)q=*0!YcyvCQ%wkD#fmbO?7T)Xb7r1S)*TiJtcK5FHX0Z<$m*~ zb&c$UL%#q42zP_0a!S^`M!7_lK+48z2p)zVQwII-f-WA0MXDhvOeqpD4{=zra%J8t zgYd(Y2H43rn|$E?QseVyTa>Sz6C*37BBo6ox_d7plVcbu_Y_8_f_NnT5|32(qo~wY z%QK}?NyPGJ@p>C6GgR{3w~;_a63#Bvud0beOJ|m^4BB;ZEhq?YZoRzz0x;y!j>;Sy z^|6hZ`=^s=n+V6qog9KEO-$rVpPJS?vd(%%eZ5k5{B+iPCUnS4q;9ihtgDgK>pS8) zHrw5tW?+6)|OJtgA0iK`K%Aa15gxq_x6)os(_$xp#*)7J*f)*=j{ zC=*C5?D*wN(*RW#h@rW2G?3LlM4J3N(nf`$O!3r_c$oHtbI2o3u>Cr%c5WvRV=ZE` z%z?ce?1%>F-q0WS?3rN)snS5Ik98cBa~!dndzT8BmCM;;B0?*6qp`7Zb#nD0On5c7 z7o5aYRZVH!s=2+r{gmAW%hS2lDfX84s#;;_RErn1qpKPQD@j)<$G72Nd%h*vQcFuK zj{0VK_!lG>-`u7j=30q75ranClHiA2FpWrghgY>#gj|`ZK6dLLyC~K*VlqBEl2cQ!E1S-zD7CG!J z8_-EDx3W`Cfr27$1t>}%JIdB^(YNlDFWtuCd09eu42nFS87=Cej=X=+yY5K5>u9FR z%d@o9ot-wYC4eoJN+|ptTybkX*&P)nz^Wm)<{;j zI&7L?Ti7WB63JWolOzz9-QiszpmdO<@g6L*)|S8nrWhp5d&LGJ;7djMtvzB+G37dJ zWMs7Nrb7J?Je7Q&4R%!URKrFkqDs>c?A0=J_!%68r&vknp*xC>b~cED@TBK>izUtB z+$rz2q;cI!op>q98mYnS;3%4-=M`o+0F^pVoU!ISVuo=3uriB}P8ub-O8L{TOGRFv zdzOH``1+pL%W8?Nfu{HhoEg5v83SMvx`Hh9@$n?WOJc1#YCZI=jfY=wI$b{y+k`7Z z#x&0L*Pj`L-~t}S&qp}f>4+xroPdMpdH6r1R`^!0BdLz~)naNxRD9f!Nq4m4=`YX- zm^b-R-Db^O{xhwor^o8}+W-Iber1XZaUAxu|IBa7-zoLWetXvO2M7*#ev_x`~FVEn`4R(ZQdyl@)V7RA& ztmCph9BoO+frteG3q&$^oR5Z^9%)9+0df3Id0e%f$%PH>ICg4bUlRnkDzeS_u6g4E zCm*G7`${wSuRnyLuQ;h~F~F!dQi73Rtt)s+YUvY+Bc@;?q0OGtX!611i(Sn(l?0dE zU6^{LnvtD<@`8?9$n{z$1wX;j{P~OGz&1H)j7u%(U~LOJOObKWGp+#u0QT8@1=%kMHwIrW?5y_B70G*X>&t-k*=%^?zLlTh_xq%4Tc#3b+_>nGs=<(oB>rNlyg$cdMRm1NCfB{ZPJ0Rw((=c1S}mcWs%;4in1g(@<}-A- z0f{E$!k*0DPx|0AP>^dMg!!|<@QCqF!oR4z{OrLX+eZt(=Wmp>=}{ zx^wnCjVlZ1HA*HZUJehRx#`DFANGS51N=KxR5GwZPA3&;38L+TuhL9hqRAm!3qr(F zx3T`XT_6)8{N(2*LMqXTkfK?psM*@ulG{JJ+})wCXi>adWp5h3DWhE*QpFweqRG?G zZ-G8Z$`}u9GzWH@>z6+Mt!DtoCFOV1$F^MI?a@>ixb(!ipmW2E=vkjXLzg29fD^u< zlvaJ?igMc+=&)i=%0Z*&t7Y7W_I=||`^vW~2eIyCcMR~!gS%s-fzV-!QYvupcZ_9ljWP~GQ4?CITrOe8MWnzB%hi@g=e6dD- zfAC*_#or(N*I>u*EB>qX?t7{ES_S`JYQC46uWp;K9>D*Pml_?0i`AvVz2%-Fc4sV^wNx*|ubwmPfPHM)MQ8~?pI18uI2^sdKU zGLvU4ZaZ}hJ?S5h0*YxwE76VE0jbwaGCqQJG#jSQNe8oZPLH0>o;)gKv`-wd<0DUw zW_!LZD_cky`brxIeCI#MJPFD%1+p%w=A zd8))?{{YQbOefKKoX<3VDVbF+#ME-@@slSx;GfW`xR)81oQ#cuRtJ-}DCzwq16TEl zs*2VOM`szOn>T%TkF*7ekEuCBaPMApopvcF=4q~1+7s>zK~4z`B%|=uLnh2-q~1&? z<3j)RarG>rIMrE$lSlM$;dGs}Rkx|pWZz`0HQ1%J)cJvbllg)VF@`GDZH|~n*q&m> ze8kO1dAQ5YuhXnZGoG@}zI)}q`~xcKy^}x#+uJ!xt7PRO#v0D;IaICyu;0sVY<$Go zlp{>_d03VIbhj&M5LRr2ed%q?ygs2?7y-HECE5PS1O`hYI{_*t&X0y@9&%98T_G}C zzbVT-eVlfiZWK>R-1?d#S}Ui+I>4X{)~PW8Xg@r}?tA4WUupyP!J@ahj-!&T={b`z zffVSKUak6Q);QK}Z239>qY-@w0(klaEUsO;bcwy(Kx)A?sBvFX7v>A4QXC3itiXN< zN*=4ca|d|6z~y?oDg!A7H|Ij}06ofwzh0UDw}H0HPe0017irzlv67`Mn~_=tCj@i>sIXjDD3^1GM>(=%o?SLJE zxi{syV!&EC=#vwJUY$0RS%S{V6)A14t?59{7emBozLuk>V4)9T5(GGn7!#gA2Et^M zO#Pk;LgRXLcjYLORky!^GYdE3mVI0oPGl&JZK}T0ea`{m7b^K4`nH%;Wb45V>tZe< z7(E&9`_ssz52MbXt1#eYr@=QOQ8l~#-55~@_KaIHxEbAuMHQxAa)zz)J<~*y;bRsj z$-IUF_nQooT12u-KI!cof!*F28k-oTF^u^fzt(L1_pejJo=|khgt<1ohgpWd_~w<4 ze!MI)$KKrjIl>f3WNju7WtV%8|EehvjdiM=`_MBZe{D`~u2)S0uVU%jx7Vk?%;ZX{ zoLh=0*N@hIu>#ZD5^sT^--RfGfp|?0Uk`md5(f0)`6+E142P2>7|-~B?f5N|jCSSd z!}-*7pk(E3W5iOXO#Y>LQe==Dlv13Ke6(9QS`lGo`m<6!KBv(Nx?5;ysA=!ktBddS zWhRvBSneLmrH$p9TAr3aQd0v-QAYBT7gp=t#*qOpG}b|%I5mXq8=v!SAqL$G3%1jC zkGUy$H_xpaU3BfmH4;ox_uR56-?ZW-Ew;}W@)9As$V7_O%2iKSxh>Q?Q@pH*;QgCNp7QO&Rhy|Bfyv5|6%XV z!>L~PKHw0QAsR%8CPO4tG7n`p5<+Gc3CXZzo)--ogf=0W3#*J7GP8upEMr(KLx^Rb z7GZh6zs~bq&pzku&fce;_j=#!+WU{LYHJPm@4mnHclZo>sB9@f%{=J8WATvU0b;`a z;J`yFLCl;OrUeALuu|_&Tx&8~)f-Fx1qYZl5TCY@73rIS+jqi}-DCrHsiMzp?QDDb zmu852aama>QuK0Wk{}%>2~ZeU;&4tov`5trX^~>E)dJ1{Tk$oKncKw{o)0~ zj(aoFueCT3r|(lkfc&6`eO=e}@y5bfTfYkCt9r8-c*)wcNp9m zerR_{efsq2;dTH+Fi1I1DxKMBKZ3}6TUJiv5IJlRyA~q)kq}@|mUk5rMT$VUp>rvp z|CZMzNzQ3p+XYlk%0c};C;>ri&FtGFWEg49tUxBuaIK3hN7PEXzXG+20~IJXU2$N( z+cwIOt`nvKLcxG8SvF%7aQv%6)c@Xt%JZNuxfodJF(r4@hLdXG+Kpb=oWZ1raW_TA zr(j6`!5uMx7fCk&xe0)-1QXH>3d?|GooR~`7nz&`6{!0#4!TZkjx9|AnVO}t1iw>;yd1MG zf#`UHa6qIO5R$Fj=w<2{NPbjs+tAN+V+qp$+vr>+YZTDzkp=B^*C_(hT|e*jbrjp_ zB(ncjZ;`7`A+`p9u4O>Fje)Z$@sV4sNywKS%zR6*LtnpNH~#3s($7KW`RNJEjTF`_ zL^?+&-=?nB%Wrz$OTL7mylofUiul2&F!bQu{}zxdQyUKDiVJK;`&wqMOj=#tcV#!J|7bVjWfmMHMdHp;_S~f zBMF`};lwPEna9T!xmRo|WZm>h-4$^WDPTFO{iLJ8x?*Zq`LdgU$OU0R#E)LL-n|kX z<5do6f($w(y%O}q&Oo34)DTFzjfq?rR(`Nj`39Fg?}!yQhs%Gowa9$cE8n?hp&{bc z&v#krJI>4svVZIIa%4gMx+gf+NzyvGk=MAx{Jih@90u5Dp3zZKoK!skcla7faI{5O z)|QtpT`Eu>&Df_fkAPPEQw<7FA+8aY*btZiX0w6#PH3BZ(s*yN6p{0bj2+bqAezcS zs3)`dnkj&g;s6&i>Ua8%h=-6MAS)XyuMr@Mg>QFscZyznDSm6()qlcK)6*+aBqt{kKz=XOJi&juGwug29 z%03ND!ziivpD*Cmm&wA%)j)|_e=PxHshG7j=QC~3e5kvlh=vw<1YfZd$&OY(NphQ( zXAD6!Z{m?a+SdGcw`PW}8Fd58xE!MQ84e*q!Qxn^d{(>@40z2*0SE5r@CsC%fjF)f`H{Sa2!PwnkaX%^K>04@pgeg_po{J!!n9bj0I>i^EwV)SOaXp_xQ zO~`1gy=-z)l3SGh=L>{)Pax}}6WJufz=<$m^OlDrf{`0{=_@fE)EC&#*en^Q-*?=L z5Z~K_*)KeEbb4KJqFJ?+b$6$pgw};Yh+YblVpG;!8^C)!cHXBMl77H_CoH$d7LVC( zBl)q6v9)(B1i>?OHOPNwbIS+9={;m+xF>9} z*x^9Z;T|F?6$e&v-7_7axJ|SS{3UUjMw!{FUA$%|C&B=5?}q6$k^7_)HK|z?V_u<++u=D%kuhzxD|s`i_ZG(FX*wzBgxsa0KNi2CdM z*b=Dqy^0&ac_-5q&Sby-Vm^inDFfP*{-{9zfnlhy3uTxFfO{5~LE2UlFGTY;O2Afd z?QWKN#{gRLmHx?a60$+7C80MDYP^N>_$J>OkVN=z{2@WEVKw208ZFmNU5Wbe3W?5ZkG7nUVU44#zyy1acj?R4o-kxmga?rJH^( z;F^obS6-eQdh2evx`JDGf8Y~nkq=lI1$4hZaz(DV<1G8_6*PG4z{Ss)h8mBlRCwg+J>iWbH3SN0#bN~?CNxRXH<(1YZ=R(?SqAh zQ;4aZgNuA42siS)^A{<)1!1A5L;;@y%!3MCSa!wqdnhIn>t$nZO(Hjol`^E41kxuhsfkuk~DO1UY?)cT56rj2ItT> zc0)BOo**U56KD55oYj+a^pg7E#F}}S;ppRcjtJU2y&KVaI;xw^H}}ZL1-JBG2q8y2 z2$)$LaIb7C&aPm3|HW07d(s`GUZJRsI2uSe6wN~NJKzP^jWM7y5BM@94k6%m$h1o! zYW7c&C#TM^g^GhM*=KYgI4Om@ONQFy0e|N6)FEs44L}q?fWRo9U@wxP%TZ^W?P&H$ z>JGmLLa~dK>mNVvMa2hZA~>#-z9oQfcBCUgsl5%U#!d;PR(R*K#)gHmDzi`xv9Ym1 zeTUr8_&OK(LlWjyPK|SlHIl!5jA|ACUg* z;_GK>z-2OY^VUT7$E+d;Z$&{961l$&^9WE7=_k)E$%{vtWvnZ*lR4T7Yi_S>6R0R~Gv zg@P~Yn(4kzQ@m$K$`u)>=$CaTK z69=&i(Mpw{5{5I~)YQZT)!7+(Q>4X}9%n6MEe&8|RX_|!7J~Srp~8@xuGBM6goyy+ zcZdsa=P9!1`!|LCngft$J|-kXB2pn=2^$ub-EmYvfDU*F#-O8Io$KH4aYtu>P>*0a zp_mK8;aspwVy)`ppN*m|h5jW$>1$?&2Dq{z8Gbr!lDkOa2X5%!4pM!L538P}zat4jR=^6r26hTj8} z{FkYU>J6XfGhAP!H|W(LgKp5HndE|9e{C_o(}Ulw585X0s`qVxIt{$zd%pdB>8!XU zsh{7fgXW$5J1{L{j>P-?XyfTWK4{gy7yf(e`uD|9rIm4mJP09>2M*cI(F$_3=th-=>DCM_JiDx?oQjY3xC26T03x zyUtihx#7RNP*mK@%*;f(pon8N;K^L`neu*w`Z>McS(w`=*;r<{6nI@H$h11tv@_J> zsY#XccqGqZrXYDWqZ|w@)#ywho0WKyCZufKo^3yI9rz^SsylBS z2-O95pP37uM4_f3{4=MID~5)_1ungHZb*- z`^`81z1<>=NKX!LbCL~1*xKdL$9rZaA}-F?hYtOOkh{Tx;?vVkbkWQ?)_wb;n$z!m zCs+Kv*Z%G!_}3p!*otq3F%@C`E6VtMcYxZY)C3;8-oJvhiejAbrS*ac7yL!Pml!G4 z20se=5@o;~45m_2Qo6f@{nuCfgKzvNK9%+)rI=$WVYoi^08MVl%M@#Uy#Ujcj0@CA z*RCko(ZS&^2H<^+T50;*pcUh4!q%||X@Mh-#la85m3TaedW3>SMY9d~XanCq8Z-#X z5`26zJzk{Q8<^@;9rRO=h0;z&8xTuK51=`xW?>sZjSLBty+7Xx>&-8lZN|W@Vr_kW zihFjizDWr+$e%Y0g8Xn~`@hqc{`v#iuX@a<#!m2h6mi$9q$FCPFn8pB5bZU5d$Uc{ ztj;DcGjq0}u>cxcoz|xqvtUelN%!rG7Y8fmDn}MV^UisCdOq;Y63kk*5ztK83Jsks z1G}1{rEWjVjgZZ)Gl;!8neH~{_6=z#3+>Qh>XOT_RegMXYyp=vjX(irW@aSNS<0dM!-@)6nDUjy$JyOVrF1hmWw%RhX$;DQKeK%W!GV{$7{ zdtfaF_=pbRBZyhLk73P06QYZrvm25+8@*0dWK|s(7iWzIo#goFl}3=|C@W`_;{eIn zCoCQ;I2A1|Ed-hoY(6Q~>4rZsxlhr-9qG{=3Y6YylRp#+9f~I&_kqIci(8JsT^!yW z!G&Q#KsbP3RT{3EGc0g8vijw`+@%r&4-uMm2redZKq0R1{-6!g=|M9w;0P1<^5vmX zfkl=1r8UC(+UK4nnJk|>FJHc_mIW{%1K1&@Cl-C>#mw>=*FP5>T^+xR20ydTo8ky; z1V-8|IsYzR`&WaO&(J|z^)0Jwr1crOvd~n$wB^)m5Ac}v^!177b9-){q1ReLydwej zfwkIOb!|UtwHsQjO8|X~p((f=F0D{?Uv@r@X&r8y#JWfCY-grG8J#h`X!g?51R5h{ zs!V^&FU}*QVpBfrVHO2Sdqw(tdeEgho&#De)1XK_vK_nNf|Xmzl2g1x(c(k63Zlzp zK(l5+#N($U2&+6jCuoQU=!X>dJEcCSg)o%+d5XxVzo}5IaEZRg-OKH}?m6R!QfgQk zOHNk~-xHO&Qi72xs>1N zX>+N`kX{7{yCzG6a^yh-W`Yb-hK~ieg56vhR(9caQSAHic$di=T+z%8}U5&kmoVcQ^-4Bve0hnmD}InZ`q*pVVg*Ns_lSw3(0vXKJ(57LRqGt-%K60&neA-vF)cs)Uv#SpwszVn2= zAO~8X(@3yk_~J+5aDsaE{rhWg2y=~cT%f_;@)q%_nEo};m zGV?29R|b$oCe-RF7_=*%nIBjlkQkK7>UV?ro--0270~FZrwf3_6z&C!v`CMU8?LE# z;4O3AOIqQmNb6Lnp3TLv{C951_^S+D2qNaIyh{)oGZ+ONo^YvbZ*MO`b79!?jeQV1 zN5pw0*n_a723OBg8B56%@;NvuL2onHr2$xVQPfvLmb^6BIXT^dS?jPc`1!hgrFP7D zuc^r7k@Yz_bitGp%r4^11NyB+geM?%vOuL20bs-!=Tmm-#L`k_yW?{q`{{`a8#2R^XnP zyWN#JM;n9WihvG2HXhw93qW(WX%+?iHCB{IuJ*$N9)RrTKeZb{gwm|0YG)kW7FtWQ z1W-324GoR>sWk}2CIEMpoG!dX|7Ha-7umcvv?!z@6Me#$-%OEyww8fZyI3^>s%>Xr zG{km+6-QJW0`a+M7&+^YAZXE#L)U}{L15tdto{{Cd@x6MIm`aOuWx3Xu(Wu$9T4S@t<^0`dz+~|q94N!PA zN-Dj)Z<^F5w|?`}vt0+p7TmI?T;Tzh3-vC&A4feauM@Rwk4GC6yNRYYp68}{3-_TI zqWFoVhuh|pQ&Q^aG9o5QWMpJol>JZNZ9xEh4mT3z3&!Ic8X7F9$e{nmW&@IY$_AJ%9U&Q zOGg!%s-A9Ksh=BZypLRtQ_gj&QXWgw^e^Avf1#37VN}L?S4^GH*hbsLV+vw@X9vr| zoXYyVN_l}JakhaKvukE`MnY2Z`KmG^*dca)14?=yOS+;MO6Q4uKbuO-vI+#6D2qfY zhV9!E%kNR#8ZC9y1U5|=%OnY4_xDh%11#!gW14CD5>phI;^N{_YeXmS+6PqHX~`w7 z5b*OVOUvF@PKg2_e73>lB@71B8o}M4G(X|=OKr-{q-ay#&FXkfEz;) zkvjY-efj~=TR_XR;Emn}2uS+u-OO*!dP2j@2jJHZ?*Zb})Z84D<98M56iml4dh&Tp z-{GPc*^fSD3V4^%?6kDBY0wQ+0zl+01aj99kzRvXP=$Iyp?9XpIb#;NX%RQ*PffSy z4f1Rcpku&==kr@S_U>G?O5yQvB~~`JOWl5NgI4ORDl5yf8fEoP;)T4n^n3X&2uQMg zuaEpM8}m;iwM!B44>3j*76!^7*`lnI58iLkc!^&Fzv89rcbz=p&WLxMe!RuK)~*C3Mt;F@Yzm*ft`&F5~AsQMTLk1lQekr_JcPw-wHY5 zC@W48g+hI;K`I+S5(nql3jl?xk?z9y=xFsm!|Vm{qD(ZeUE7x!wSMIxu2`+sii%Is zpu^+4E#e<8{KSIg+v*)Ym1TL6>0%fGf_kr~!)m=7x27jP-R@)A5K(*gJg4hnaM_lr zP9ABDVN{V>(C9r5cs530gI)fL6lie6E`O_)pxAdX1X;74V__3{w*6=F97ff0BnIce zVH2T%RY$@O=3c<}6~O+PelO%D0@#T9Jmq{EP|oR`ZcFzPWmvGZwr0SPM=+e{&YusK z8ll+Z16+qte?}c$_uek_gBcuID z)6dt}SM_Shx(&aYWs?FGu-H_fn?YZrQu;?)-5(oH=*``XhC*ntnja`G3no!xN{ zQX%2;88Sqga89{iIZGxfCKTsH`9@RZUs!*qn8XyJS1lP z-nrxtfza1K5(mGW-nO=o)k+9czedjNidp*QfzQ(nIj;y1vEps))HkxV6|O)>Fi1Ye zt+2AP-r+NOFobYJB24RkKDPKx{AT{JR_i_erq{OW+EiaZ-tSIWF=XAlw|ZhbBAyEi zS__)9QzbyLai#Ea6=JqP+DM3Mlz&BR0W1Hf*4C%KEBgTAk8bcdm1bDXhO~bUZx!m5 z%dJo?M`&BPwQd~4tzQ3Q2)OSIoY7v97X+YzoH5Qrsi>$d^)q6gi8*J8c`ateaKH2D zw68S6!JfXydNQ2BNE$=-VCCd&P!3<*OSJ=f8`~e_GN4|<+c^IGb6a~ZcFe3~v}1ji zXklbTGLf-?#6w^AY+c#Vs}Z4{2IL#1|3U)o)P`yb)<3aaB*O z++Vg7MS#5Rh{;^%ua=@6p2)z#7Vz=Yz?_q;=qtnT#F^0F_W=E{GNk%(xKZGV0&2_k z)Gr8%&!J=^IxPIE833rPhAMl=ZQV8Bnf@Lml=LE7Cv~}L29Y$;3ZExZVT6Mt%H8kP z;fBr`oH+`&@&VtG_oeSxCv%=~`+hjX1$)e?BGT#`*Poi6UDCeLLUd zmicCmLT&auFv0xoa2Uwj9bOVtmW5sJGWHt#sDy=Tdlo?U&Oki<=t|eK_s-M+LG9>F zu2vf19DP>g<=7!L2M6Atzx8!|m~nKPD;T6!u~wlpWkE&~nZsaoR}Rvj3b67I-ra%z zavV5cf7^h_wGEqgv=@@Y_1)*roooJ`)~Wn5HRAhpR&iM_g>U^x%3lQo8I5k$7$@K` znT3V!qxcV(_k_sPPplwhSb(veAles0m_lUJvZB!k|1Fm(#czi6BA8{%mMtSW-noA| ziTPd{@L|`hI!g;CzN}K{_$?LURtk|;pJke~tSo2A`q~s7sW9>Bwx3@XY(09;C+WQl zpSi9s<*r@3`Vq=E(1W&tBj$GYQ&w9M;v@ozn%5}IkSJS{P&@#fA9J41@`|J4y-A|QX!0K%YhoT=j-;xLqA$zfA=eV zdqFY%*d%>ka8##7TAQH}k&*PEfI6hxCAlGiNZ#lp-BZE7DG=I5N}V_$k|Q>uz=8$t zI$qTqVXXr{^)njkE92|e4==NGaw<1CD=?bd|NMjozM-}nr77K#A3sc z4Y%U}1`!Dc6A?Nn%&Yg(t|L_sKHt6{dbY+64%xQi)&$J@+5s9Wvsz%tC_uv~C!Ca$ zp3aESCc7X(BLJf)8%&i;nt%nFqxf1M8ZAWtfTXhG%F1aO`_g$g#C=G^PqTkX3Cuf4a_VQ#zJI(@m#xeZQNMBvhcB$KEu-49U5Wjmwm7cI z;*|TI=t5invRl?0@qmw>@*%YlYg{s6oa_t2AlKhRW#Nn1PTyJ>4eJ8&B+>FUJ3_z# zC+A*Qa{v+4O=t=+J)rP{CX3*gwhd^ygC~x@PZIu|1TiWqs@g6WZ>RX+oqI;4q$9s; zLzNuxCC=X24BGDHpu%6)*Jq>+vl4CKR6TeHf>=4-Hgq6bycPCMevfG?3F_=$fBm&c zR10Yo9LYV=0Oz-Ef|fNkVUL^df0~{w{Q(5J8Q*ZOK~LHJFN2 zFDrwR&tgbn^T&@Orqyu%Z3&*Fp#?6muXr37IIVdA?In_02Uts>_(egWC4+;ag*`I5*-$9!2}Of|o-P5*a=a0A5(bIopB9OAiTf zf`-SoxrpP_g#jNwer$pz7t00`o+>CJbYMlU#zL1Byu>ZXyf@}^+505jE5Oh%BlieW zY>0doYL}9ftjSyhrIOk9hn9?tj3W!or=Sd{D?Fn=0`mj)uVL<0OG_@VlHAs@&7fxP z=I*Y5LJ=Y@VC-LpRQ6LSAggzYQ2p4({LlYN`!VGdHb<~@w4kt10W1V|&UUo7?{RZ; zD+4bk$0>cFKIK-vEn6G-92XZ?Hin)c~|GmWXuiWQ*BIJk8aK6gSJbqG4j8{(?T9!&Y>Y)<=7!1#C zu%aaM@bZ?!n)bTiBYtK$Hh3-@aXo)PII1_0i_b-)az_7Z@8b88Mjun5H%1hgPWe2* zS{>$_1h%$1<>K&HQTXGmA+&DlEmB`xhs8|TS77mf(n?BI%jaXan(iO_NJ=0o8@##3+`dU=2 zHv8Va+n`D1Do`n00xjgB1ygp!u^6w%~f97xa(&fEs48q%ywS`mr47?7LgD zM>+R~Tk|wR@^Y88#u>=mhd0>*LJ_eK1nK|J^|g?s!U)0DGvgy{UeMi|{fbDY#jiIf zC|<0)vH$@B3K9puMnoIu!xArgp){-EjS8v&E(TNI6L#^+>^~RAnKY=5{VHc zLY-CPP0o!7U}lF@7rhaEwCd_=rt-CG+T9*uta)GsnBN4FP`OtTL@nk-2qa~^&=0>H zzEfeFiMSCxb)6t+xNV<77X*2t3uf#{x!Kuud7mLo>ZBqM_nF;ckez_0^x2RLeOAm@+zOZPlMjUw%w+7r~LjoVlgJA5mg# z31Ha{OM4$CBEETxYC=du4#XK1*Pc(F|GhB!7uVZIXPZX-&Gw@_%pk~NROH7Z)G$y# zt1JQ8$`>M$4zbCD9o=%w3wDq#2uvWOEQ^urTObG9iwtKV{W^2?>a9#xCub0a3o6?* zvXfFg%ozs5i~L!%oOMw#CE}M&VNjM&g7i5te23Xv^Zwd|$hc{P4N2kgTYVm_t&mil zoSjjmUQpBMcedmvR@mZtdwYq7b8ajUBe#Ll0>VfJ6d3OTPl)44XA@G#MvG;Dq+GAh zGdv0{c4L4U=|d`^Omuzt?NsRE%(gxbGO)=fjjj(rVV!U@ciNcREZ3F%=L zA7l})uRTMp3Yb4!H!)woGh+8h_us^W|4Lf$zx`@Og;*;J%SaXY4dDMS#Lw)C; z|07RM+=%-cITdF&1Hbn4$Fm!7Lf{KsVg@UTq-V<;5x@7#$36fO`9Z#d|9u`m_g&;) zLnrzY^NE;$-@`xSZ+7p1rP+M;rvp9y@!9yU0_Xenwc(A~Ha-VoX&%LXIruY9(Z4^n z1jL)=YTX9FL6G-S{RNh0$8Ljvf8U?+H?bO^W}EORTxDYp)T6DiG`C-DNI2WP^(jAa z`87o5{;DI<@28mZJ78(fsyb|lP{1Z1H5l!L@SDkgCyxG^l<+_N4BtUmnyrtHZA6;^ z_GA)7GPU=0|6ES|wD{~hGNw=$dl4)WiPB>z7T@~Z9LI6%vZLWeTB^~AFc zx~gp4e3I;XVgaRM)s=lj#|D6V*}1u4mKMa{zaIW-Qsr}2NL43omtm2MNTjsuaUC15 zD>WWzh}zI0n?}goU8p^)?EsczTpKEQaSf#LhVU=G=psPcS1FNtn*G3lV1c%0uph4vDb}(@YKJ`0bON42cT%wCOEceolcwnn2(Q?5bEv8jQ~8c3#7i)yD2wUT>6$ z5WOV&z!LFYL{yB0wu(5Xm(8UBoyJ*Qgm38a%ut!=?4H*DaD)Hw|0-o*dKDQc1GsN? zV73J(MtaYJA`iS9oqw05K${#<2XCb9^ zuN|^F)04cE;4yOS2z_0A+v|YYE}y0VqHcM3cxV#qNb#(8pI|lsz1o`0tE-wb z5tp?P$KswRUOz1v`OVVcnS5MfES&og7@qOg0NcFy0hIzYv4U|Hz>Yg(Q}&h*J5BXQ zEd~Yz_#&c@6Lwl4?ulhs0+(}uyxDhUrl$*WfX}+})UkQR8L6tiVqlOGdnLVE9zJ|X zG_2Z)PtByw=To!X`voS|7V*`NtqCIaX@}1V$++ z6;ZJ_np%WdjTjE_qx1#7xMukk5E0^3E+lw1C3Uh4DERXlqNj}pv%!S zFof)0(lRiR8C-?gsxS~)CT|_$9~>NvOB!2?Q7f{CeG84Wh`C$W_y#t5Je9Wt##5Ps zrIS59JxIviwhXbF4hUCb(vg#H>7LLqJ=vFz%z;Ejx%-_u9qpkHx&|gLnF?8Ml?wv| zhatc$^h4}#VGz2o{#qSd2HM?aV8+tChH$%WK|xda)Tz+L5Vicl04cLbGAIr=irYN- ztC!yIg%dhK)%+*ym79u?i=`IM!ISFid+b(RJ1qg}K@a2|%iNrt#06HDT$os9_W%UG zJxt9Mu4fLQ7F3|03(n|GL745H--w28X%LI{8*iLdpB^w(cW!nDZZ2@TN)CHBMoESB z9_md`O5(Rb16E}M=eBV38%IVl^*Aiu-PNJq zK_3=Tn+Dkbvk?Op8(<(d-iHDEeHf}=Z@CK-tF-oWr;o+Xf4%MbI}I=VQA&hU$2y6uD1teU zcyF#b^7ym^G{}+BML2jsuvJ!7wUpvMb@uegB)_HQeZL6@!|Sriv)uv4cR@E6Y3<6G zz;AS8tW9CYdNgsmtTVcMBUBGV)8&Ue42y;FQ%H;c7+#3j(b*ZE%JUCAOgGFWF7~0i zGVTfl2L~fC;sdhG8xhKn@*)?I0N8sI2)OIkTWDy?K7G=5!@=Y<+Y1hTb_oan|IDFK z+qE3eZ^UPahtSiMV9s{E0Y4eRA%Jn78|CC4uFiR0{yozycP3wy>npk%ot&H! z2Vqd!kI?z0G}GQzy=`yQvwB|nc9G9R(AmqT*w!$|pk^)h{)^SCy#Q!Q=Lra* zhOgr7j8N&!@yHT`F9-3D452 z#k{zx#R$(7aj2K){MQeAiDE847I~OEvz7k=E$im@cl0I|^QRPa8HOk}f^+-yVto^4(Nb zVJ9#@4X)Y9^8vzeX|L}E@tBZR3Jx#LMKO%Es0lu zg5y>U)o|a$_CQ{i(vjHi$iRNefr0I$t>akhEfAVlnHpjDLyvM}3?9`1K2k z^?T=-IS`Ri^DZYTTz1`2q1FJJZ5ioLY1|OLXMqq-Waf1X> zss&({$U7-@tzs*9MejCHF{qWWAI<~L6>n&6-IA+riJ)oniV@6I$mW1VR-WJ!I?tyktx&>2rb9lsyZM z$a%!hEG%eu=zQkb^CbATlMPti)|u`5k-c(!>y4s}$}^UaXTgp?aA>FQWz<Sj;-Yz?Mq`0UP5J~(7&XuQ1i)%gCt&``&U9q034 z>zfuk(W-W0Rk(6*w()CS^^t60tET&bEB@w_QZTjZd5w)8(@VKEZ&LaAR-^RX;|OV2 zyDps@^ou|?9M^q&b7)RQdgd4BYVNQ+si~qCYhW0rrc|yPf*7OhR4#5URWJL-l`f}Z z)hDF_X?bNM#5@w-UZsJ8yqi_kWN^XT)t{ZGjh@0kH@7sffOofp|6O@g+D{yTN^|o3 zbDvuO;4YWHy!(~($zk}TCW zon;uIdHc#Z6yg+ItrZTYtDzS@4#1LVI;ZZc@VfG-P$%CXWh z-Iu0>#3Or9u_7&lKIR6x(d=0lFcW^@Bsc?XcB=Cik|{Z#0TZl$U96JnMZ z=G3G!=ZH^)~d*@og@Z}$UzXeAt!T1q*`ZWr!0la&_IVFm17z2@iF~DBrcOJVpbL> z=0;L|WQ~hKjnY{$^ytH>O3NQO6-*blftOiX;N=eOk#3v9`Up^h!`Z?$G~JCTJAHT! z0a2Ef047sCdA9~3dVy7Vb)dawEY5a3-Kp87FTOSLGP^S{xmGUo&w<=lCkXkTzj*e< zuuf0E_{!sZovNvuYa-~bq_QcRY~M>EE3iFWvHIbEuJAN6{|i%+{kz-LABpkIZv~XV zK+-P8WA@_HwG1#S?OhH2yTA*^MSoU-jhnR{9?FG@1jqf{dt8%Kh+w-$J=EV>%- zhQC@nzAfFlB!)RZlHK$VEMJfp-!z=&Mz+r%j;e(yUBDKKp`zO z;)fkWbt85csodc`YVqct|hM{k?5hRp~AXbSsAF&4VJdQ$W|q9Gi}?( z!9$%)gn^<%{YmdL`#L+*^ztyx1&dcz3qe-xR96ZGoj83sXp2c_}jN!9+s-RR~t^(p`xm_6-tM zF)_EJbXFFoZT)Kz-9-MACGMr(6qAonG}zM0CW;IsY56QVSot5|lCXEF611p)KLW!iIjc0-rIfLa`D6fiRnc~Nsr3n*AmK@K@dy4rWr zpmqwgzH;T((CbOVVz;x~`Lpatl*NGJvu<)vRA{h(m^LRg5uFFtmur^(q!N(mOMQi^ zxj3>fphb)~Dw(olD8fPLF`H=35!RTXRp!H21{*;@SZ-J^N=Ody8qV;gCH0CbldVbZN2y%ZUN6Uy5$AAJ(aBNpe)*`io%$R5lNeqx&Tq$r2sz2^G#is$QScYPfmJ?Yne(=4oqq%DZis!YLD$ z{X-z7AE%Sr)%Nb0;3mCK4^w%L$j3@*74F$z8WWv_eaCLBCS0gQb-c{({#b$JYv$6% zptL~AjD_n8)U{a}A9;zLWL+Ma&MQ>(t;;FbRnE-|T_Te}59^*#OFQ%G3?z&XXpY=? z*%qQXy&nfxb2>&XkztRj{d`HJsHJ8&FD<0x??&(6{qvR0|J6*L)MgElqg;!m!VzTOVp^KWZ81XPv$=@6~Vxi^E$b*<}Xcm-a1LLxc7TmOo^)PQmhIx&Gm z(sAsw*!`-o^f8UTGO5YDLoJgJmst!Pew6~D^p;7gw^}3sC@8GCk4C#s&iG8EQ0~(^ z%`ZAhXt=Dn_luEm>jQp5UB|pSV^33IINH`y(VhbJ299HE$+0d4a_~`yNf}=q zQ+L~{*lz(JZjQEO``mbUfyiBP9&OxW)ILvt9c#(RZuP{vYgTzozuS_^hHI5cYYY;$ z;L6ezK2QBCeQ>d}WAxX^CQGT%n$ZQ&EW<64DiN6GfBV>m#Wvs#8}Z^o*7* zq~<99D8H@Q`gCIAn0mbMUfNk~fHd7K)=?%kEi)*ZH8DV)+mVky)=>I}UXHhQmk?*4 z%DXiU?Co+L-W16Xjwx0?lvlN$WupQ0R(6z2you&Oy!D6aGb2xT$2UA8S~#+Oz7nj) zTA?!0n`!FDc#fB38gCAAo+7;A*v%KL?wKKzkQUros@bqebHo0RMr)GBVI*sLeaRj9E^BD$hI(J?=;LxE@qCR{3&+JQ#sJgH~tve zf!qaLM<)vjYiW#|u_6_S7sx8PUxC;tK1eSHTwH>o%qGvWyW1w$NCf994*SQ9y046G zx=k0~o;9UaWko-&v=fL8r+ip_dPLT7Ohe8|A7a{R>a&WMXqT|3EIDu!$@}lq>L+?X zWW%PHS|RevyY6hi$<-z}2NvDSLm5?^#AA7Vl-L4hZ$VkPK5)|rxV>V5n;EQHF)}}N z?y)U4((aL5Ac%c_Tw5KH3mg`{YpvzU#*!9m3xwW<5sPjZOtaTt)_!B;!`Pl@(ZYik zhFg)42x6@ww9`;^OOsk+$gMFWpetyKs)wv_lE^T^_$)Y7as;`Ij;JSo9=|?87gm5~ zwpCuRC|U*qVB#J@-OosXpJ0BVYO?0OFg8>Zk!-v$#=(qNxoE#13}QsZpur#p&i2^3 zb`GW<6Fb@|N9vIl4yw1N0GqV|Scpw^5Vvy2?0kz#V1xSLpd(sG&9&IsVamd=3cPp6 z?p)_|Y`rp>S$hnO>u;ap2Q`2OE_EMv$EY^ViR1<0(wMf?gxf3i;U}t!K{>O83|6|W zxu_T_;D(aycY>toMNIK-CDnI}t$V`nRi}i6T~8%F(GN;#J4d~}H85=j)~w$eiee?M z3bk&bqUkd%G)r0D_q%uwdFFiK5XH)O7%xrtTi8pMF^Cc?h$_K5=jj@HyjFH_e-V@O+C+_N=hNM`lOGNR&J(}J zNXE@=8&3?-c25dl4D*p3oV)0z8|`&G0oq0RkRzLS=?l&UQ}QRpL2pgTa%#tUj{YtD z8izMUNk&^UUDSR(M!V(3r(j~rV;Z`O;Iz2OV5N(WJQLOX0MtMC=1CJT5R>jku z03pNuLJcR(iOYkCXqnP)Wnn(5bEQ;}n|esCNuGO126_oz#Ru10%0Dic4Bma)y43HY z)+D`8v3sh3c#O+R$uvGqg0=`ze+v>Mr#svWmcXcIq&2jzXGTjFPO3tynuYg;ZAt z#H_(ujH~bRU>&H>;BS=Nxy{Od1a+D!1O$6WK~+W;m$rW7K?LW`^geI5F9o-El>i#@ zqZ3_d;;kXLoz~eq&r+)iJnw!3_)$4CsPT`E7F|D#;jVwDDiM{N7F_vSZ%sE4B_(mB z$(RQVZrbfz?yK8Y9_Fu$E=>^pkX7a?&LOoBS{l2zs&1dTzL2J!QFf#W zn*euU`RJO>-1&J2hQF;eJJIs8W{{)fx4$~Nz5)h|T_ zx!ryqBq?b>S|n8WYm4QT^SP4AgQxLjYBNUm?GKZV)4J?QR8rYOU;C**Qep6Pf9qbW zeK^gu9KnU_r7q`l!)tkD`${KY&PKL|r&H`-d>P70e>QqvB_So?qRO=TrVrB|!CkL?gxK&euoKn4{!o^+OviUa^FR=%8dtj`Fdh<% z)4qt5NtR2Vtn9ADt3*rZD|t)SZ&8((<@Uea{%KG@h%(^_;-4Ux7c;Rk9Dy!?)&_5Y zvu3OmH?=I?ot4fKXwBV4wMi^Yba!OFOz4t;p5>RfsYPpx-8pR3S2WIPpJ$z~qZMH4 ziI#Eq&;xZHn@%r_!MDsVswR2CL6lVp<>DCqr1{Y9l!lyK!CAvcRVzBK`5(kr%dQqjXZ@Q`v$qA@Fa z&ja6TjgYG3$R8h_uZ6yHJ~X#VV=x|*=Wd(=WAGbXseG}~Imt2wW-}6;V30xT9+VQp6+&&O z22XEBS^&ziwS93n<0mY3>&;SMZtANVr4ourHwu*Da>8`Nh8zzPEqvHinRsOUk4qb_ zeO)N8_bM)Os~uPMKkkrzlj)J<{DR>FIUgabq{*oR3cgFEM>LdA{-C7)-O*vJ2L)Y@ zsbcrb7lTi(23E>ga=1e~W|ehOAibzr1_ahM9q)zCEb4H>AYsv`EZY+<+R&&RkeoA~ z*Bt`wc&_4x>}#j1Pg!?8ef@w-AZ@?nEdgo?jb_#np!-PNL=_!;t3$CR`1bOVSGv+i zVq*gm)--YxrsJkE19&G)OzKmuXO6R_M+?5*PAxMI>3j@2HlxSQsQ9*kZbY`yrSREQ z!Hde8SOb!h^2I9k=*k#IR^igze7MQTtENWV!x#NVB2v3DjNaW|GF#W36EDl>sL7TO z>JpM=Eam^WmLxJQ*#UY=`QRtl#S??grwt#@de!@_QDl8~PPVRYwk#osyI5s6pXx*t z$3qwX^oAzgId%t?51o|g%5+?Dd;Vy202cZZ=SUhZF+}mMj@vsbLH7+BW%1NFC4PlJ zQ3XC-lnxta_7J3>#Fo0)57$*MZ7w*o&jYZwrqMQu0h4eItu)x|JHIc8?U!k&o)Y(I z`Ya(^sC8F$S%Ws+q`6d*!U;WZImb8M!2?!Y3>TJ`1_LKd4HX@Y%-NfmXsT+H2kvNS zQ>>J=zPfTq%w@WduU0ZvP(h_xy(&9;)_MPtQQ0e=GY$6C4<7UO)b`65NA+tS!<)JG zt5GooNlvFKtv4 z{kTMcIMETfwg#3G<6*S4NQNv11HO2J?R-R20(7Iht`yMqYm~+EICr#<2{e zC$BRvbygO2i_a`Q8=pQfxra~qm87+($5v16z_ut&@rAOQPiozwDy3?!Rke#vj>(5g zTJiUgo{txYvqyyCed}s-_fx$7?uP0(#p;$bMdr=D$yK{v=DU#L| zLcdSDn6tu5{{@@Bzu&TrD;nckB~Y>G5g3;2SY+rPWpV8GP}PX+m#j-GJk+PM=XgtF zF24EYKldf~i}_q)oMvI1#Gc;LN!dTtKK>}AxuqV4t>asiv>9k`?3s$q*^Ux;Y3dp^ zG1jWtBtv9kAho$c5w#jiUE9(3D4ut{b8$AbORlB#_UvM+O*gZ?GR4Zkkt0G!VX_xt zN7eAU#gKwK#DT-$zVMM}QIgLGk3ebm|FHL-VNGp&zo?)Q#excmg=V9QAXREWRHXM_ zmEN255&;oKDN>~dX`%PtQ3R=x-i!1edLSXm8CmCj*Is+?b+_l9``r8CKIa=DWhQfu zImY<^+8+xzN&wWSr2=NjlSN=TbXAtzU8>(&wE=N8E^O+Kr{Q_pM_l1m zTXta?@LOaImz0d-830!E2T)!@tf^sJRiu!s+<_9kyb3~=$6m_H%Df7`fS?eh^94pP zF$aTOjePDHiZ;`rK+vOdfn&euz#Q%~WM5)r>NHq0W68DlzNg}Rr&V6{SZW;+ zB;&L-tPQ?}bAu%DTi*lc8`De1PhFOqK%olMVK-&OUjKECdM?S5lhyult z;yk0!)%A-f(b+aC4h?{0t^y#euDWT=HVKooOVns~Fc0sU=Monqkf>HwdnTF^Gk?EDtuwF&ucb4x&5Y=#I-{ZZZ)g66iE7|`y|ck$%7cAQ?! zD5-y-F#>F1W3J5<0?MZMMFi=IXEy_=A+G(8>_lJJ176CMw01?y)5t>wGaso4P%Oxn z7l521g4G@&{o#Sl)AM;`2zGmL_TKM8*gVA{s-=u!LZO>MT!9rY625ZB4N==D``uZH zVzn^I^x;|1_2NCigI*=dIuC2Zb}Y@^8(BWDS^{+6Qex?=ZMmbqA7+--E`N9%D@C%zn{@|XX3`$P{XKtIcp@cq%biOG za{D}do+f7a#A|n5Zc)F76NNd$8@>ag*>Di)FQwS^vGSg;*f!(4?VY;+4cQFP6`luM z0eDSoFqCk-i@!Aw(&4r}Zjj}lusbl8Xyvz?SPqCMVz~`^MD>MIh28}hT1cI$)j-y# z+JiA`=Se;`b6ZQm?nIfhg90SGKdeuhIZ4f|u55?1X8AUUx5`YpULWXlllC&!(6^c* z1&k-m3fQBlo@kMiZoU$|I$VeXWW0LjXVS$9xfO zwb(u|<91R3Z?yYBGWSg$6BY~jq~RT@(EF5n3QK4>;RxOvrVc7K+QyuXk}zh70x_DHh?#_r2DeX=tJITmNdQ{lf^Td{1{>DIh)!81So2tmF&*R^T!_|2-*Frw!M+p zO7B6+&cTbWapv|M+bBw@{(KB!>WbRCTe~w>1losHg0N#bb*j6D67#ck_26fN(}29_ z3Mgv?B)y+cUD#P3XntPZI72x_rZX%a>b_K8fCYG0f<}3P8{i8kz`oS$kTVb9QgYzxe`8lZR1bQ(l_ql`eZqeaC~?J3H-YIRc|@t z{e^3aM6ePn71B<;b8w%RDyKX?8+N_#8c6Weil~tdob}7L`#@x75D0p7TkZu>;r2FXZc4qi`kH~IUx_(Eu z*KW4}u7Ui%Tfe*j=r7^b<8$~c$XBG6lxZySJ*cssxLC^7k?OiG|7@o7nEym%YaBTn zk4tpRt)eMbS%e1>d!SL-6YOYk_2}A3eY2W|qoJEaY3K}X_QPL5oidm20#9@q(r#D{ zP7XTwfXYRO`yaO3?k)E=;H4v(j<73lC>0#c6CIy5AS6A0gE?5$i#MM<4s6B^tRQB5 z$?kA{77EEv6B$>pV7{93ajbyR=Y@>tY@DrTcqN#xgwzJ(?66ti3{LWVP3K;H@_@7b zzOK@f3(G$hGt)0l+K}J}Lc#vaY;1Cg{fCh$*{ zh9?mCRn zKT7cc0o<=Z>}4%QPR7F@H)?H2#`5ZR_S0%2`oJ!860}5|FKEPjHXbE9_iR&C5w#{N z+uRd*RGMTXTX7oZCVtwoYt^Tq$L^NO%)nKp{I|6*$Y@ygIbXUP~@{m!Z{@U zPEj}6w7k14=AP2AN;`NFf>2F)DEdPrnO6Z1TG;J2&+y_6NiOVDD&|O%Op|{CeeLYf zX$-g@WR&aUm4*F^$MGypY5raJ?nTSXkiR2#HY5CW58=>EsVOoD!42V}${Je-QKO}8 z<15XZ6)1Eg!3UPr;h=Kq(WIeFte(^RTF}`w4Xa{1Fmdu+-qN{+EofZ1Wq&JBf&4&* zRRLDEV?84!mi+$pOky>I11;wE(BY)QtIWw@KfcJMka!LG;BYN{EfOW6CZ(ll;nVw+ zMi4h*F8(xskV*LMpy`I%&lb?B_@_Pyf5$&M&^E$m)h$-CTx0pI{K$ziD^j<3LPkAy z#<#jmgDw)(o$vj(Eg2xTAKcV*iW<^|25%KGI=rv~T8G1keWz1YDV%Z(kbsYd6r$0} z0atgV0rKL>`=}*(lV&Ib!D99ENr8006{-Oh#gBOf(i{CJBJ?8bc(bxf0z?2hB>i^ z7aEY~Y-7{*Kel0@vvM9qUnXM^k(8bw>M7kiIVy>KIyX5cR&5acF-s4)W`;`-d6jET z@;%}1v+v9F^Se9FqtBkp{^&a^ah3WV3T!)_z|yia*P_l;$5c|i+auh$Zr)aA>V99B z0EAm}ppv!aOv~umCUSm-E_v<=Wxv1(s_*xSWi@qD@em|p)~1QvgBiy}3dU#ti^*y7 zCd7<`E8JYzu+exOM$RM%h!0rkuZ9{0Zo&}~Mn7mBJ(^dMNzUpU*pe*pRz7Cc#r^Wl`;BZ&X&iDfQWZQ3Rd;pvLoN@f;sA|HYlg^Q^GR2*UNcb~|Ll3Wv2k`h(!knCqJpYW z)fO;a5*7NXww`@oHj#3un@K?haYCyrZ^B0YO=L6^e#HVv)u0SM=Ffgt>G*v;Lkq-S zVpY??|5~b%S0-FHC*t;xxorm|XNlyP zKqGp}>-`cwfZ@2Q+-k66g=7aT-`1Hq-VLoA)^%v0G|@8)6(6EwuiAchC)7bGv(+vZ z{Tl0iu@~$P5!OW@uY;Rpqhv76dI+>GW7zBVU%wZvnZQSHu+RQz&MzJCagX%d9^bG~ zkO89Lq*Z{_xENFbN#g#7cFilxz$J0ocT%RC>=e}&7v*lDDs60s$_E|!m@Pmz$kE`E z3%}!yxzAADZ!!ehGJQ6!6sVj!8M@QK&g71g0}15XzzoF&n@0e4#5J83g(#l9#eLx= ztNR^tJz}d#+|hDkSwXXe5VPpRsDH=RgDQYa;^M|y=jd-{A|*OVsL(2l8$i}EnYNQP zgOea)UF=a3H`M?tue8SrkPdm%c+lOo8Z>VnE8Kf~!YcFih5@m2{V z_!6QD9uLZjo>5~afo!X83FBzlfW+HJ;iU1Na&u(L^yZ~H|0stp$ zf^WG`g6Gw!l?XVEZ(h?O019*xByzBqvi?pn`v-O)o^fUX6n-0uuw`2f~tvt zKanM}oo*17<*@l*IUy;YV`!$dZMzLOL(tbq%tQbT=`+cwC->$RZOZcsF0N>22kBu-IO0|sI<^F|N7r=E^+xwhk)0e1U8sOn{0k-QC%T9(>(F953_Q)$l%`)Fj=Fd zaTr+1g1PWqkv*HPV8uUgBg(Z?z@l4zw0F*F6RZ~O&qdYz|2pLOBvX1`DDWgb|M#!; z*O#49qaaD}j^>S%8UJe1jPq`&KSLfx!^p+b!S=Un$A5pCc=?qxm_YwQcS6`S)tY3V zWz>phUqHqcOyulB4mC;0e-^!GeIkA8h2C(+-1^6lQVVGUF>bkw;vZ+!j@Kr-ME^@npk$jK#silxlSq?7JOs0X0@ED zT3^K|x2}O>_jkh5;ddJTSLb}93g1A{hM8VZ&_TAPrWGQ#r7hSnG<-8~tD)HI+fMoX zZV(bKhkiH7yzSM}G2YiAO?HI`3C&+W=x^!@f3NdR<--}-2NCqTgGC;u*l7G zwKQL`lITzs;*%DWn-6u(K(FX>-5Xatc{$`V6+^o~aW6TVEC?3~e ze`!j<)n2P1#v8wN6uClQjJ@j{rsbilBgnzAedHVtjypozNI-MQopCZBR+6o49a;)6 z>yGW0fGY04O=m0j@z%yA>-PXfhPKpS)@5)KAH6ySv@5Tc6T2jYC>LYs@48?7@Q;h% zByojB=y}^h(SKjle?0Y1e+``RD|>I9eU%x4?tecr-@28~EAb%Fokl)h?M>sr-Kv41 zvi1t0n25m)V{L=&(*(jSA)^E1Un1ZSDZ-XRe@#zE zAoY9+ztB)$LWmemgqUzz2>#9+80-iaFx_~F>m)p*_Tk;aGB?6jr!Ur0q~1(337l@k zL6a|^YlQ7$D;uvLVgnkX7h9(pFc-TCH)1g+3Xd94QqTAKN0zE#m6@CBgmGBA+i`_F zy4WXKn;^MeTYGp-Vn18*>QW%qVsbb)TCD^o6>OM6fR0`Dnof_MrT&k1$qCY+0`bXn zh4@9qgUxZ+a`G+nKS3@v9>4dB$Jz1a?-u`#m~4ThzBkXl;OnH@o>##&Jyd?5HCiX; z)TF9{6$6x{z(lnC9aAkeN|pPQLM?kV?H$WheMi4p0#@41mt21vU*ViQZtHiy;&@puIx*f&vw~Y$=A;ZMB?Kv}7*qft@&_?N~ss0SX6>C={>+n!D zK_8(!y;s;;2NTwQV`1X_Jj{A|BA0b^43 zRE%CsFB}y`=;>1UeAulbJTCvq+*Rqa35{f_NBr@=WYvQFpoZ@r6RM;m5c#elEdgEPO9fmX9r zz{F2Fca-n{tb7!PpiETKVoItS`4fzZ|aIsV7 z%1-hhp~LtfH9@SeP<_6YwkJVqU@@ZRL!&jj*h%XToRqelQ+I3=)W2T&=b0$w*%@BD ziK=I1r9uKuKzuq_?NRnmWe53vCG>}3?=@yG=(y&LRrbX{-_Ho5AMxDn;eSJss)f7` zYon2S!p;-d#Z;FOKgV43w6pKRcS_0+;|ZuYwdw7S4GptzGj5GI+Qd~nocmDp^!mA@ znE-g3zwUS0@jBs9c!FiIp`GbB@eoHhuMpV#EQxD!L-+979y0t+gbXIO-J{rjjp9l= zIHB4nlgfBeBL>ZYf{MXpU6=&JK@iE@1H=g(_kLGp38^>O{CF14JVQ;H& zcBq*WHb?u&TMT1k8SE5=&8#E`2&r?})0ueFGd;uRv566cI;G->jot>=6EXiX|B&f} z?JAk?*)v;iGj9j}vZE50zmio7o5sfv7>ot~(-ie@H;{PXDcfs@8g|~g=(Q_!y|>m*a_v+%Eu*%gjiG#c@?3%U@=r<_W`74c>kgB>1!IstE7Xw+Qqmul2ria0!God!4LtniBX6igzo zu1uIGPj&5R5BdiC7G1M5H~v-ZgM+Tt&=TTC&YCUiL*K?dm&}T6#P`+yN#nH_H?{s{ zdH7caRtnSEfo#=E1$iq@+o%7$lKk6CKZ-wc%j1eN$}q;9GEdvUt`3aq%FVq z8ANUBf5Hdpq2I@r;;-+2V=01@60$$ySf&r&$7INx{?o1Z?|VhR8@H79j_~K}o%vFa zc>i%Li<3&xI=-<6_I7JfX^%Jf)asU+g^ZV3Qa<{Zkq90(-C|8?*W*9xWO5BG{I-9o z2_2k)M{JBC4=!|471G#qCMaI~k4u2~_fvgX!(els45Xz>6IAvEOesfIicX}W9ld?1 zdCx<6RIA#8Oyl3b{-09^@k(U9^h^D=8s+MszFjOx`{x0hNXUtF=>8Nh#I{ntjOwC8`jd)K)UZh&1E|AJLoZK)lqss)*1+H{cSq0~=*KAU)db zSA=qm6k8cTy>WtQNVf-Ut)737#;p8L;6H^S$7Tjj3aWt@;_3_0q2Wy`!`XxxsI< zJXU5o$7^VS69ZV03lMJ}II6F&gAD2=V>yEYkVMz{#l>2hgj}CFlh!Phb$91OW`G{0u~*v#eji z89<@VL>)QRQ-o#(y2Iuvbg|&%R5)8yrSB=&EpEP5qE`HvGqq zZT4{yynQHI@n1l{EIcVjxB!?{ed*&C72Y=E^7hFOzIa5jYZkl$ffCYK-QJFWs^R=r zIa368K#rvwP*uoS=V1bfW)X%NMcAD^AauS!FH+StO@^tR$*-Jp0z*!2oM2SPlG9GI zeZOjYO6|%198wfIIQq8`xt>XYSU8PZgaIX#K#;OXE z9@8aSt5Hj-o4>(}1Leqj>xru3Frfw?tSbV(x5@u{Ow=mZOw%HGKn4UkFyn1zMxcv@kIz&l>7% z2U5?+O+;f|Ss4~1Zlx(ow3efBz(zJ%i)!#<94zMib6Pq<8qJmx%I8u>xA<*0gUKNJ z)ZRG?Pp#FbD!y9J)?PR?9`YOfXFi8ki1fv@vLh_AC;!n5d>=YGdNo#l|5*km<7@h{ zyFpcw%Rk>?egW($)ek{0(nM=890x9S-yAPC4jQlbs)P&o0|{#5dSAwe{xH&GP&0>A zD}K7h{+Fp<4My@k{2G_hYru8DDaH_Dw75mQLu^a}n0>QICK^ zVUlQ~2hcNRr<%H1?-CZRIao~YnaEW&J#5$TJwyb14w4W5Gla=+^+C#OI~hO-J-5kO z(5-HHY%-+f2h^-JK-*pePVd+txKFl4fRcNC5eY{T{YPRz?a;!__plT=#uQ)<Mm&yTzQ>n83mr}vL} z>J3h|?~GyWX{_p2qZ%wq)SIomY{qxUE%5GNMh$qA`2OXez?O~f_vY@dROX`S4(m;f zbGMqRt6rM|Hc3DTz-3*>ED_Z({4TsJkO2)PW^;@g;{Q^``o*(w zZNG<7r;n0r4S`?;0;Ke|d|PBPZyGmImI~&8kM;^)`H10V8Ux7YZFPGReS~t_vudzH zVG$Qu$&UcNI0-mk@1izvjgFel$hR^=KMH&il!&$&yvoInR0Qn0a!~>){Uw9aUZaj`xbm& z)Mw-Rp)5tWK&0Ty@`cjDtfv-a_Ve^#J}f7x3CMD2zbkqWm!U*K=PPs9EEMp|y=k3Y zk}^WKx@$oQ51f#|Xz8UsPo05Dwo()N+>ARwJQ(WP7}xvODz7)GmI6`H_Um37u5k>* z6YS7Eberq4g-&!euAI8>Xir`GA#3#A-^1>pj5YfN=l+Bx4Qy~w8sd}_obGp4xYE|; zLIUr;pIOfAXWBage)pWsgeGZnuX1h)pNHb~hK*;!CtM4fGYs&%lG)ol@Y<`kW3_WV zLYyd`(NeEiuZ`@sV_)2}#APA$dXgL6pe-3>f2|)8M)Yqb2)o(o%v(a7z=|Df@1(K? zwN<*5P1NFx>tFqj0p3Jsu%^34GAkaC{K^>@q$v^g^hCaAPQC`=VCOvZ@>ZCBZw=LF z1?8_UKKnr}Ao1B7@uomqgp~#C9403ow$aY*?R^0)N-(d(JXgaDoaN=nR}oF7m^4|5 z&ekvn_@R_`g|lk-H;}0{6#}wE_5r`$s7N)k1NxH z5YAc-_KJm%o|Du1a;f%$kwme$y(@Ikd}g!qIIVg!#2mkP)%(%6e1f~_z*HuOPR%W5 zcrrN`?-1Rjn|PGrxMr&;CfsYcnpxyq%!RcHw@pl=WW33yFyR$SG5+(gV6u1fy#nLP zWRDG1-E$~e2!rRMpV#EndBds!SxA@VR8ENXRAv&4p~4C_e@iN(DHT?=A+;Hq@nP~c zrGl&Zap%JOr78jH8M8%Q`$s-z9LYF8-RiA7!<$(J1zv>a%`5{SJ;EpE>Syu^_cm`L zkGa&5xv--&UEVdEMI`B$B-iZ>yTj|oPIxIh{71{|3h(8Zo`i)M&~E4?#1$p*!)0X> zxqqF%uY6@hFb6u`;Ww1F`}ts1cJ$(>3fr!Q;i@|-XmuBPBo0q-CVxef$uH&FA=os{ z4m%1MFT%`OxIsGBVrm}5^_5Z_k8O+!BmRs^Vt~$~AX-A$;c?X$bf4@oV$Ln)q z$6Jz>fTBk*S`bBQn3u%PFk)x)RB)J=IwYjgd#7&rR3kWV5dHkb?Jdk z2RX3rxXF;mqk$Q*TnFy&e<{fqvx0Zl8g>B+V$0@tvmu%@r9cahC90c+^-;u)1{oem zO!PvqPD&(;uMDlSPgqbg$z?e>2u!Zo*YC$n8=^=c9y*P_^}59`pC%SRE~HjdZl-pD zvHpmU@b3j4z4k^$>MgeE^j(bs51(5p=_eeBEq5#9>pIt}$hQ#bjPDNa&40YkGvTq6 zv~=sy1;jv^2OQ`sx#5JorO+ZBgAt$%lN6G-E!%dRB8BAPh^%)%~hFI8<1)L0c3c6 zqIjg+TVuWBD@Ct;T=}km5~wcR7QakOlhe%{+MdfB?vDk{lv=&<@$I*NHvLGS3R?c*ayZ*dzX_5-I zh*zQp9t+XI>o+!x=XR~fy&>J^eR@*eC;LT0(r0`v%2uT44OE2E8KVz-U$j0`~5zSTuBk zb&|5uv~!^T;OjX~6Lytw+jue|_bnp={m;6qvKaj1UBg!f@c|lf*(HlZEKNP{F5gK- zs&`WkdRN6KzGAotWQ6TmJ6=&Vu2YmMGyN%L(lH${6FW%(uaslF3WZTgGfS2O# z79WMSvw-!io<=?Dm4b{=&|t1+te1p|<7V{|W;$rLv40t@f~Cut2);s2Oot%uX?_4soW^=MNMHe~r!e^*oOHh01@-qEQ!W)*XL@G#E_rDzB@8U<3rj9Ov<7K^MC8}Jt=L(K0gxADp|%|f-DvP>vri<= zFqMICOwQpC)(mS{IYp8*p1>2VHSaqUXwhzP*amXbDL^VI9(hF0#Ib%PW zL+x=iUK~p2qY-xkRD;hbZpCj;aNX_ZkUjf zA-|i!`C$L)KG4;rGQP&VbONqGv6+w@0G_H9q0q50X`E`W%q~14h4bez| zAhhk_`*88eRd20Y*L+m?&w3}Iudi*7WY*p1dzsDoY_F}jL5~6ITSxKPE#-n{lTba) zz~~)H$kYe7#d)vukPm7OjqZK1!kCv*C{3^t@eD*f`R^Y`vdZ7`f|sJGUe5?18mw3 z(KKi9cKBbbs=q)$M4VhL@b$itv4ok(~S5IQ!wvdh-Xe~65cK|N76IQEAB>kqBl2|9@7O&aPciEID1CDLTaGZvX0zpq{L~R*&+}XYo4QC<3Uf@#rIvW0TpvbiPw#*yWra;=r=U^Fbr06~15*!S)@7IJ>qB z**S*eCreJiel;3bYowis50tU`K)S&8S^x8%&iGy$vH(Q%h}tH*XjRk{SU)Jic_CoX zS?B0ZYjkr1|3Z18()f{Au2KYbp%fu`RTSa%3IMPR8tK!!yV6H7NW`XI$B?uO&w@&U zO2<5=^CeIijyIT=)-Kf!XF$-_KeLK&I(%*4eDjc|CJlS>`L6qBGj>7}iuF_FDp^g; ztUJuZ_H)8!VHI{0O04ptYkj$i{_^`bM7s3%y625dqMeM`o-*F!LMLT!4ig*$yng+f z7KG&Hu7I@?Ddqr&hA1x?u8+A2<#e(7l)U;>yAfab#P3*59IlMX>%;!+!-Q$pzzsc$ zRa201EB1{Iq8wGzDU?#Ry9ISU7ofNai`b{7Q*IRad9zs7tbxrW;mP{xdNGbF!|@*d zi65nnGiq=#Sq{;yIaIYK0rRe2PWNgKy?RcQ|55t4i5Evyg?%L-RPixAwX;HQs7}?% zN<3O@7&gz+*;6%9ZtS(XOF&$&WVRhC7d?_irk8Z&-o&Oo^|+9bP9Vvx3y9kj6S7>7 z^`@j+S3;G>C-3oI_G!+V(IKzONN@55(GgCZAY-f*@n9uZFN0{sXvXd7kfZ`F`*P#m zzDO>rsC6ZI&#$kOKc^V}ICnjxk-KhBsx-nskM)sWCi0g}o5m$BeO=Lq;&e2w6ei<{ z8XMKN#~{+p+ZlwdCABa=P*2Y%UqoQVr46}RmKXf)x*WU#hk*2gR6TFz2;4>*=MEKP zcMtRU_8z{!pJVU4%e4v4ak0ROOwL>RNtnEM%#h~;9xI)u*oX%PnU@OpA#T?u6o=(e z5TBvI0z{H)JSv5y??ZT{>WnlwK10SVBa)QEY}6z(kN1f z%cJ*T9WDMUZIS8XJ;OGHg}5px(BdBL9!cCn)r_ z|04irKH5MlcIPTJ@pMDM0o0Y^d5|Lg`>1KcPm-)(<|>~AjrfkE&h>di%=`7&x|8%O zY(_!;sbFk8HWeMTI1_%c;PoOc^-Fw`7|s5X1uS8$RLS`%HOm985WJFBMH=F2~iyEuKfKUg;7UeWO>@|?ez z>qOpSDbasX!I}cE{0&=sJHOZbz%Tu=PpI4KKzkBM-?Q9x-teKNmu!r+xVY=rBMA+6 zE?~vJwd4EJeO#|DS`hL5vR1j3y26D%6#D4yhi?%`vB3MfRCs@#AHkiu)?oGA^wY(E z!>zgb&eTv`ODsNY<%3sE<7b{#3Q#Z4SPM+g20Ssnua|N`al%bXrznrp08Qt%1BtEr zb~EPLeS!^&9vue7O%axhPz`t)HnrKM&6|}I1}Pc?T~=cmq#mpzYPNFIM}vfF6M(BDhy^L^-f0(UKWox&uS8&4Np5f%;Kuw=)n8-4eXKyOM-SX=k%&FFG za|^+>URFw}xUhmny(b-USsv@2bQrHMa0v=k9;MT*tRk~NYEVs4%aB4HS7Y1nAghG3 zIa9xuz1qAlu!2&2rtQhVu7$|xe{f{Q<}mHjAi4wS`kzQf0R zu?5JYxwH-Py2Cxf=H-P!6s^FII&u=aHWmQ>USD;|{E1!LT&*Z@&^w?7# zHyttHQu1ncgtNxe$_;w9MKaVL^z`ea^sURKf8t&WU$CZBdo7aT_NUAAQHU zz8pc!sIjwqM*RC(Rk5p9YJ1d!CBkza6fA@f<<<=7eRn@*Pm*!hWd59cygqnWb}RHcm~s=87kHx`mX+w0Wp&YxYTnfY(NroTN%=N9JyLtv!QjA2oDwTc3+tm z^5kp)$yLhKHJn6XXP`GF9qpg|LnRWPOqE2-KB(}=47IUkap`|fN06)U2q7=SB1?KO zImg(HCd4zBe@r)j_gA@2O4U*)rru@++o)1Z$b)yql*b20{)6kxQX_%T_R^BdlCOiD z2DM7}?U$W9vfUDb0R27IJBgdh5u_(S;hxoVR#x~(#`jCLOqj^d^I7E{!KFkNBVsDd z(vth#t9NJS3ZMOQWtl$~?mk(T?x6rmci9BW ztZFZfOpsuN#{~Hq5mQLE>uvYPoIs+c-H-5DK_uCY@QzhEon*(>>y{*$yo&CCbrEy; z5{A7#)U$|is!b5jT#qf zP_E^6(r?bQW!*LeGs3iIS1y8@^NW>$m@tb>mM{AfQo|V&pKt6G zoc2iA^|n`#kcnblyZmMGt}wO-yK~CK>vp5>D#OEh-$S@TNmLDvGk|xLekr_WvS4uRP!oc7GGNVz`!OwM2X(9=UiYOoW|y2jQ&UcraLI ztVwCV;4j$95n8l!t1$p8Har@WtEOGTStfPn=4H&2m7Q!D>nYMUY5KEFDj7Z6IY<`) zO97a|7Cqx!`uP4JOdQQQ&Kp6{^A$4O`A+FmguLOu46?H^H}TwP(F* z4V(${jt=02oO*wlX5tV*cP8cdf+Wd#)@w44&ny8?PBdMJtkOBEmzRFrl8t@#Ug6%^ z4o7~i9^lZeqIf|}=EIX-e_{?0%;@yRN5G%3u}E@BrBm+I*C(F<1lbyn{T1f#y0^US ze7ZxcA&2trKq;8d-cE#tu)I5~YMMmR!J`l5%3rbFN_}S%d0ArndHqrQM3F`B?ZDf? zoW|RO@FK`P=7rmPu&9ZH)(Mb@`;uzxQdc{Z!H7$H=W%*Sg$hODTf zEotB-l1<}knkRd`&U4J@$}1XY5*BmT|Le(rdF}tz!=Go|YYk7o|B?JzFl6%s>k*X( zZ&x)f>A$?Z`sr(Q5dgtnmi*GkgNUSgM)Vz069|LP-lyU_O@)AErcHcwiu@kw%bTap z>R!8j^t|E4{L0RA2EU?p6v&)5Ti-0o|C)LB3af4r&GGT>J0C$j|K$Wa&bWl?5s-s6 zS{iw;orRYBD@cn@C>v3J{9v(?*_7k8()k3j%j=vxw($8+no_rPqTD`Y;PI{t>PH@N z_JHM;I~W-t?&QFg5q~AkW7efaOe=9@SI;q-==r37W?*mK^66*E3j65?2+TVl6tRya zgKLulxd7?ND)}@iNAu|kCiFK7(qane@y`)?BlueD!yi<>?S)JEks_gV&zBF|JwKoI ze6bKIJ?fG4?1y@BK;_vu%IMB9VcRiY9)8O2fx5;(m+?Mz-b3q?+(+!UEcM!5Y&NR? z<`1`IU%klVN&GxxSW}KiXkPA6Hln8ygRok!wa+r&tdhnpj%p5GAGBV4M-$W55|%1g zppP-kjCWi4#I=@5SCbVp>BaT~7Y?Cp%NCM%stDkE7qRH|Ykas+8H-+5L0sJ(X+UP> z-KelDT&=X3yU=1pN_VEN!d^@2YL0Uw$?Dy(bInc5iCe`WW|AFH$u3i9Gm z-^e?i<5~Zzt}QU0%G<0W)qzLy9vnw2n?(?1Btj5|H zEE{>O2Yc_Dl{t2&9$9UqLRQJbiq>nq=#{_A#=e)1jb&Da;+1@G3$d$eVe)02fw4K? z3~80DX<(T{542NU?ML%E;Mz|kK{-}fIo$g4p?chYyF;NN-4;;uEa?d;B~b;Xzkd=L z)KJ*Y?Fe@s9i$KNdc*a``BX{O(|)GahVT2&I@E+D2W@^n;X{o{CV6*ck168Ur)ow& zK&9bBS<^~`*1gaCooF|#4eJd~7B(*39cur?B2TgEhQq;>^ycpIWG)X#8u%JaqQfd@ z7o+SLO2*|FOxIf?Ijl8uqId7KxbWTN*D&X^rslLtA@s=K=IjtT zXQ`X*L`}NuA717-u3&{vKl5pn#>=g(E6tEjC@ZEX-m1^Fewll&f{vpmX>GqP=W;|7 zN5Wp6T88Tz2kF_3sS54H9En`l)(tma%i&Qy#7Qq#Y=G#MuMRu6=1v-TeNtHn*zWbS zJRU7}OcFqU)Z7ayyvU$t%BH5GzBZ(q@3p6bh(5z)RZ^;0IXyZ@=Kt)?w$NsyeY{N^ znoT|TMUQP8K_p{fT#?Z1uJ49QvszjVSrqv+7oKr^Uz^FEfm^C^Ur{w0FMwB}7L|Es zB65;;8b(Nphrak&dGWrgmxxW4v8lbCJ!;bUZhYIVcpGOsd%j-*l`gQ;VRdztXRg$)D3}z`yMnBNkiBthD zK3V08aD{CnzptT%K@NBDgPMjbWG|vL4>Z~RgWu|%FA-Y3ASuwIIng9p252lH)wfA8 zo?B1ZOh6!_H<(2TD_-#Ajxl9lE~a`U{eBcZb(>} z@XfHj>zLE-WIlp6KyQHga@F+OT^LJN}hGLOIzo9-4?585nWA z$PbPcFf>aw2=Tu1lcd=siBFb zn4W+QO<9zF~#lK2A+gzhWBD%jseaL5(>MK=v;q^9&f6bA*Ss@qf=34O= z#&uS^-4)-ul+;lMj^p^ICj2iL0r>0{Kexc$j{ZPX0n$Ck%NUosZ3%|OX~lcFZJa4O8l$kyeW@W$FNKGFXZSGz4yY*2NgHH)XGtV({FqT8v<58 zI+1bCj^09t&{?$^YsyuL13vekh8L9KPu^H4&G(IOsx2A#<|oGAxhtzOrQTQ#eLG{n zR>Q}Xr&hfq1RL9oy?1tMg#M^Wq9ipdHoS}62NPDkYk2!db@o3_*d+s0? zGYRvN_$KR4wUpCQfLs4H`>yrLYWdVfM$$K3s_8fgO^#}C5)6$Rm#wr!AOjx-y*1w*B#Nkn0lK|{kT@` z)JvUDSESmf=0&>hIB!S2K&{=s^(mc!iSjwGq0gRy2~m|ngD=sGFfRE`koiA&ZoznN_2-uW-_dtBhumAl+E*3DSd=bBF|%+huf9vM zFjvh4L*EKy=Ibb*Je!dJlkwscnxHpSAj&Y6FS;@)+c2T}0wj^fK#DwLSWh29Nt-_tEyd-GEN z`Dez%lZGCn=g+g=xh@!$WawMfeC>I-i?Frobhp}0>_MMV%*MsyVPl;S3+kSK5Ow`bsyI%t3O};7f--?SJ&07@u@hqb3 zefPbsl)`OErE6G$jC)C4bR}n*Or?FZX-7xqb(9S1y6Ja{+q+6^A4q2;0iIVA2rzl7 zWNu(?CmiOPf*Gb`S@r^G!PLL@PLHQOq0qW`N}TP7j(Mb@Ok(_$=Xar&&nC27$kC%8 z@iHPm1meQ{-*krnVdLWS&WWekDuEf6yCHgODcIMbg;?Apm5bK5jl(XG^N(LSyT4!% zAei9MgC|!{eRbuTuxZFa;q;Xt?4?B*RG}<-t*b6t_k~XbfIPZI?j89-t~rH$*Yq+u zFHrVFBi4+6`!MMB6lLl0 z2+xQ84|T(khbc=XFNF~Q`WcL(r;7S7HJhD%nQTJ3O_lClClIn_P#(Uqtx!`J6oQiw z@rO=DE>1eXaci*khc?zz|GJ{dyoDE^zw=lW&}?*bQrA#=k~dm~hXDoN$NxWgd&{UQ z-?r=bFM@=0cXx*@q@_bTrKM{D0@AVQ?vMs0q*GWlDBT^4M!J#i#lGCnd*6FJ_xrqi zjQwSQge3|%)_GpXJm&mOoTNT6Kw{GBw0G((XWVBY%i>%O4&NK%f;y17<0puzRYfRo z(D{3Ljl?Pk8gZ=_hX<(3=c8;=_kbh#LD53qB5ce9}Xn8;tt8qZ3J^crZ3~xym zhkZcxoL$~A7TnGWuf_P{W%{1v%M(RNF)tT=OD-%e%ED|(0`g-JF{AoiG98G-qUL96 zSpe45MU{xAk(UxlSzd3LJCz=Z`!&BSO(H@v3diT(Kx1?Lo`MddNB`P|$?ywNyDj{z zR_HlF;HiFvo+|<$+nN};gh&orsIyrz3(`4Ip=^h2hZm$)~j(fR)Dgh}{_C#hX1BH{=nu3rC7#9p1Sm*0hBVo6F zm!#htHwVbYq#koL!0xdJ`djJEGh&gO|3Y}cGLt6XoY)D~;|-;T{R8E^3e)eC54YGT z4_<5ph>sVpthPZLA*rfrtD&P2q%yZmIbcB+tdY1Az35PszA408WRFhUhz$d?d(SjsXVcv2BP{;XXf zVJ_oEOVx23LwdEt=8}2sydihWN^?U8IWQllkH>c0*)xTvIYZ9wa>=*+;g|2Nm9?M! zu2GX22Ws61t%2_*0@(_Q#suQ^;psSc34Jj4`Cby?c8Kn#gYkUpInb|`35n^CBhnFDgWOc^ zFG)to`!M<6#@(;?7PosHY4eXC<|PO)Cac0P#{d4dn#ngNDae9RwRw*{ibN2kGpdh; zqNw^cqmbB)sWmJ*WQnJr{I6YwqYF=@Rx{aLya%U9hXprfOB0>ij&RV$P7{$kiiw|_ z34BENZ+@7RB*!HQ_730tTot{~H9ej53U}@sC)}x!mJW-tPVD7l1Ok>qlCW-FDmChN zteCw0uPp zi{@sL^~LM$J0M%O$$C0qK$%H`dGHOR!9^}E$V0`RlJ8V@-q_-0RgXx~GRH>r8!|Nor(SYw zoFQR@tZ-;z@MIv2L$>(DQ=NE4jh!Eom~*Q>e0h?HJY~AMxDmVuxiWC!6w<}8q)1)& zq1i`P9?9GdXEM4PtHBGc{gZu5^4eF`#pmL_UM2ZHZTY){n_Uk%(udf{avy{gT# z8@GJwxsOnl^WXl+Ir@tTuyjwyyD>ZparmwI6~MkZG@(VvllCga?ekfJu7nrO;-{pzbp`4WsD(fLC1??ToOeAqF|LLP14`GRm5TW;o8G2IoJsEi9tR@NvUg(Za*p^G!e747XbYhXUQm@ zIRw!x;*IZ2w%i{Ai36*<`gx9Y(?ZJWHnS!2XuvajQkk9sUKDVjP*lOFFDOWm&p$b`jG?o{%5^J zyER;NZGeYga4K3ftuTBG%cqW-g!|(=^kyp8Yrr63j&GX8ViUN9<+Z!t&u=<@tct1OmI)eH=a7dd)Sh;H z%Y8WJ0EQ)F9c??g&UXoP5}A|_H`1NPY6bp(loc}dSR)#!f8Yf+l}J^?%anQ*S4Ss2 z?53kE4|1$2Z&1F?*>4m+KW^U~G>&&#QC2bJkkjnjEmtMC+>aq^Eks${ocgu8mq5g> zg&R!oaQ!e%Q?W4!uV67WRMN(f#}`sU*N2@QC1WKx?Oqc&ZQ{Vypu03zIa!<_;mlDs zSGmg}%j7K}Choc4Um^g%4ZzG3x%8U_COPvIx+K*)y5oS9QzD4(+!og0CNcz~uS|B9 zr~>~jo~upaZBnRmiH}L!6Ij1L0ry)hU%B(s&O3C{CJ>pbd-f7YBhzKSlK*ou_ZvGx zyG%#(s_lR&No1$#fjMI%z~EGEwDoeL#~RysYAy&HW%2f^k zR{1Lp%j2$tO2C&{)ungIv_1Y#;#bJpH%EkMxT1xcc`q{QF>dm0@n*er4a50l=h(B0 z55ujOa{UPWc&m%_c2B;K`H1og8n`Tln=Oj?)g8DyZ|TD0oq`2(xr4S=j3y23Ds=-1-vO9)_Ox}P z@%(bhq1|qvaD{J&$ZhCgONrc1q>Sylh3VM5w?D1E3RFYI8q++1_r#0GTN5tQ&ZS&W zV+kdcLE0X_O%dL1)Zn$b-;mZDceiIYr*hn)g2IyKeUGbl7fL_Zh_Q#?_V;Y^$LV>! z<65jg&whRFBsHmeV(C@k+bw;I>5b@wvdwWRFa3Nm-#^muV|w0cL3ZW*p;)VSg8_V+ zvb;1`%~M#HKmZkEQk)>+dP#F_Kl45K05W}Cwy1aIHdAS@TmJj`v9-C6YxUXwsx=L6 zzN0BD?qj&HIU46G(gdvCs|d_RKKBlRJq>zbt+Q^{x#B!s|ZWW_Zq%}Y|xYD}JUY2wyQ!Rg$j&o{Z$+P50 zT zxY@8KQ>j=`?Qd(Rl)DS&2v>D)dfM9pW62GpCj>-xf<&Fr9UaOvRg)6hFa7E2Ot;_J`9$xuZK;0Xau{QWNcm!0#j$ z;k&ME6hFbqG+ugRD24h#!JgFMu*isS13;TpzU|L`CvL@=!Xf}w(np0$wV}TT$po&ep25-ovLY;B)$rL z7hla2nb5c*HfOOY_x!Q4*y+y|{Q>SJgYaOu8yUN_n)EcXEuP6&8uIKyDtVD-^*O&Y z>kIk{e}#vK%l!gpYREmU$(M~orTQ!)0vonN>3pc-$_52cm}_tR=7m%h$&lEN(}@7J zCL(eljdTDwI6W(YCd}55x1Y8K7)Eh6WPU6mdxlYaPuMU4pS_RqAUm zWe*C&+ce`x7di^A6OvToW`ey<-^+=BW13XQvA$*3fYHDrwWzQr=K@CrcT?E9L`w)j z3YPkt0*8^?j7wf43v(?7w~qipU!~(BtjKWKugQMukI_tK!Nk?^J?}k4?uVC?^Pnl9 zvC_r01zWJdH3z@_+zga%iV&QA{IjJtHjp~+0TP>MGlFUXjq z%TWIK{mx2CXigj)YT@VzWat_541mypu~UyRe@;tOC7vtAg^1-u{C+e{%Jf0etKu7s z)s&6FEP01VU=ccSX?-+r!P)aFhR5+W$h@MT7DhUrCvLJ-8@WR4P$)L@;(>q8J&{$r z%*I7hFgzgX5(bhqj2O*GK-Lhu{t85(zU(c|y(W`KG_38U!wNaK$%7g4_0eo5`(SRs zuEFcf_iwwpa1TuJ1j8(`h;*I|#WHAqJ_0ESj}_~6^Z@+y2O02N6241;x5U`@UahNa63Gi)Xnd0x4*iM4G(xke8z8H1Y|rRy}Yv`Oj&HdBkgnq6Mol4odDYI5m%DQuik?kCHq!P82`#GCb!AAai= z%Bw3|cpg&aPSQKvRvNUZRhqP*SbxOoqVQP z^FlPt5s~Ee2W$(u*sIQ9A7iK4NxBuOpY}HZjFa%&rqp-0{%Nk>Ey#Ik?+k&*a&hEy z1mX)=V7vO1%;Wc1;{2^lU`8@F@)@TC^rM>OHZqL}8bIJfQfY|sKh$=9Md{?ZhZ_IS zA8%#uKIP1Mer^}saftXCkbhCuWqfQuD@MlKL2zCR6<8*ek_GO+F9#c0bX#BOS2u7z zM85kl*D)V@kKZ=uX%XPR(Ck$Z^bXf{uG9y8A6B6%2C^{HKFHp_Dp)J$v!9;@3dx+U zDq9xg{R7ncMkc!(vcxOBr6ZfbxDt53T-nnfO9A-mk4ER+qJkrmROM^a8=BV93$dr3 z6mwy~r{ScsQ9)`|b9~LK-22av*g@$M#A@Iv z)BUK75`Gh2=0A+0{v{_(ISBdAhL*)OE?|K;hvkRVbqviZ~K6s8Qzr_Du%_DCxx7EAs&n@Y8kQi7&_JXe0BR=Ixd1M-1)8# z?M3B4b>4lr9U%Vx-Gp}yzlWR|%(nC+38D2wMSoYGa=gR4US_ys6q2-P`g9;o5qb!L z3c#mRgCDN<=r8-{{ULc7T#t7Z`rNw7)&8zqY!J06SCl(x&W<}>K@?_&5eWM!PU}>7 z*}Q$puH%l=P8k{HT^fNhNzzcvlf3?sq4uoV zS6s4TBOC4^$``yR?phwWwUUzSAPnxxu0@ov$;Wt~Bk>AC{a$L2v(9ERUu_;|P@p=F z`PQ=P#S#vkYzfesWaqnYkkI{`$u9=(;55ZhMnpzDVzQ1&vkGKm%y;;z1_8vq5@G%k zKcyHl7cS7n%fv%=ToDL*!Kr9r0Q;E8qmXCH@m0BQuE4k6dLAf`?9Zxn`DC*Ss{ zvfqAL;fu;CTyd;I|=`j#vivEIzZ~EN4rma691oa;=k^le}C1#TrL0i z)wTXsW_?eX8$P$Rdh~-Pu@jztvizS{A9ltt+%pWik}LH4 zJix-vRK(2Y`Q?JJMZ2IZ>!Me{;B?>tL&7?u`jhMdtBnr`Ddm0*C5%{!cbTT7X~2Ex zTi$XLDI8TbP$U~yIz9zFGWk{Q*ZNPbKvNn&4soGq49?E$CC7eFu0%32)r@fJu#hA6 z>K{UGMqU@?Fw{*k>?O3P z!a3oArXm>ocjOAYKaBLjVd(>&o~GVzO-_U>n)V&&=wROMG5 z@3gAdCOnT}O=C^d&NEJvvg+2I@4R7kOI|=>?{#HgtU0`gXXo*J>2$Ktzi+doK=w(t z%sempilor!!Tt17ZgST!S!eeW9eub5Z@ID3Ao)+D{qXk?J&yyj(nfKOWXzmcpg*20 zhD;6^phoVj2{Up%IWtL*RV80Bn*u8-4i&eR_IT1R-pzf%C~twe`IVcJv%2Yb;8&9* z2xl9VYga+U4)Blx{@|E$odRZ>kU?%N^5Qgh2N%&MC!kPrzya`(pwkrRz5BD|)S(lE zW6rz!HmWq`bgR5Ou{vShDF3sbiOra%{E>=Ksr=YK!^N=u-j}F%5iUKf@z)GV8kPk; z(#SV5_!jV6xelSDQHizNcJs0KUpRJgvSdHZm?KmqbDs->aUK)-rN4NHT-146ZE0OC z@9m@2iS39c>QXh!RqAugsa!b&j+`)9)o63OcCgN|S(jj-;Yog$qX0Zhw|6yt7rK@a zqxso)SJbBSrYo5dbYaPO-n(17S$ulcSSH?fQA>KcFLJeKAa$kx%P@+Y(%Ab?BTrO> zg=H0Bh~&uNk&!d6cyqWcs)vi`f4qX#oA6EX9WZ3g{1m22&}^8^O52PS?TGUn3foj} znhXWUaAkgy9{lm?cb7=u3(H8bKMV<$^`6=H_6|uVE&_XM@D9Kz%=}d<;;YpWBaOnC zH-a}9F3evt$;1A^!KtGX9N!v9W4et(#G^WIX->Vm<m{7QNY$6YUp+Uho%S@syBHI4C2_;v4fOAz_k=O$ z(P(V8MC6n5zN2XmDTx&uZU`n%P^QCQXO2(^uET}UuNr=T$@kdpCaK4=87IW0S4ZEy zjK-)}q^O=`k75&y!mtn#z>OcuA-*%M6=F|qPcY9T|EtF;{B|kJMdI#t;&<^8${%nM zFoHga_XvY@F#LRBLY2NQL)!4+^?P?x;|cj|8R7e*^G)bUoc`;x=9(4f_q z9G)zpgmX*Qidov21!|FuA2!7ibhmi)%ai}>Oh&^)aDi-y6MhFZwfuWI_5Xgt|LfIr zvKLpxV!iZUQREqC!_WsK_0!S#k>Ch4oDS37zM>QW?qC@*)wHKPpnleYioP+IKj>Q~ z8}Iwu`hzxQ42FIhPB$Nk5M|o$k0oQ8jT1D>VhV}CHKFB}i+)$bDDAz`pXg?CboprR z1DLUe&|Rdt(G93^p~v0S?1hyoU2*~bp%f1JdCKx6vKUQk^6sJ}QcwzS;%!2x2-?Qt z7J+Q&Z!fm$#oXAtAsCwX$#7wZp~)N+oJ702n5B&{NOe9o9bYbSvr^>J30jtblQb`gMnv% zD%^Eu-uW)I%sOu_Y{&}fK+0VdN zoC${fA^fIPXjSkXc%zjPGw9y-(JJ2p6%8|C+qKd-t&NVDBfIpcVY(Jei?e0mUcRjv zaSM603dHE|o%k4#H7stmZ25z9jGcwSGw8X;0F< zUp`Jm9wQOZFgh#unTe!is~yNbE2ziAt?D}#ifrt-3r$el8d-Gf&Div`8ntQPGdJ{L zDR@G9nwio|6sxsaly+Msn9sPhCmiGJv7vY{w2&893K4PfeQ-+wZ_Z5TTZo!o0kc4K zv8sjZsvLcan0Z9_wwmWiQbOH^AJ~Mk zp^P#!=XFKEI|6L0y1P$Y+-99l(n@xSb;OWw2O99Dd(Jsf+ODz`RGUPHQy3l(S9xPlPxXTdBi z<~e{#RH5b>t$~h2q*w{;_q0=9@VRX4+XyakQly{&;`Z> z*?e|c>J-HA&!Ns;R@6@^T%!Odf%Ov}|E%xvA+P3tK}?xF&jNA_QyMXYr(b8(%2 z#n6D91AL7kT6T3$wM=U9dpHR?nzQXH#zq%nt}C21~(8k{Z| zmi{=bK2Zp_fA!5bbc0*PB%|*XjE?tU*i&NLaT+#I`%BZi{niB{0l6|yr85gazGy*l zja6o4hLa!rgrgC#!X(Cy|79r;tdMzkX;AUteLB$Yn$R#mq&@PV59R;uDgIw){Qo-9 zsfBS8L=cu2x)U+r}N2-lqzkTxyngoSwYeuj1Y-;ArU!Rpa$Wb zmWj@$4j8Q7W>OM>vC&M-q1Lg-m@8fdxA4V~R_ zibqm4)msKfLB2a@PzQ6>6Tqv0oec$=nW8J0vy<|=kxY*yU>qM>&;haNZfq|qTl{A(jmZGv<1#H+HWRrSg(;5(Erva~{Ye793| z58VEFum<U(OK1)a%i} zre;XuE1T#21^SkBCUU^6&Do)TJGdIFNPM2t2vd5vec52P3YJ26I(f%EIoWIQ~&?FEi=5U&h;?_{+~aO)>_jB+?g& zDglul()3(1Pn3IVJ@h0MKTe&$UhVK|qqcXm!us(>l>2!JV(xph;$ar&<-sQD6|D0W z6pdh7i5*=aucC#C17Ag&H_AG~n?fZZE+- zrp3o))Z8bm?0Dhz^HSktQ=(L{yp-`rI3{`r`gX@HoazQAvc`-d#g*a0`s?J zYj6|vW~MEdf>mGbSl>-ciqpLKCza$nV2;yhvq+Kt^n8+&8S~iq`PaW#0IFS&a$Pct zA9|8+B_07Yg9n+5xV)~D-w}(<8r1SEX7Hd0*}uH~J384>BF@~bGz6Ea!grurq8xhg zT`qS3y*z{+B2h24k;;rdgo1ge~h)vD(vi>MV`y?(3V< zdJbkI5%K$SWjG@mLqwn&^$!x9u&@7+3%$AXC6v``9+g6&O=h`TY;>wlO_ux+ITcrr zO(GfN4rJzR9>JlFMgm^%zMLP`D6KF%0>L$V5Q^t|{LNL8(l82}5fC=1$IU?2j=19` zz%NzKd^5Ra4AA(rFLq>h?v>7eQ1xWYCq-6jVcwJK)m<)NW5StDTRcvys*$r4^O+@` z=@1ev6W+b)d({Lc|F-ptXkhJ#YZ|F&w5J*vo?CJYEh%^3i-YqC8EXY9GpGnXIe~iuke1L+i+k6JXK%aCRTlM&ig$r`P{b{(1hbE-zb4PJaM{Ds@=uBj-l1o zv_awrzsSwalkHZ(2tD3c2Q2=BJ&Z_7g!7@o|6bfv$Jum60}%a!{MD&yUUAEKm^M3(@p24)!1 zA6fyAJgYzS9c-p5$6EI!_T|x34F@@ZaiCzBh+Tz*~@*_K{EIUiBrpQ7vc7YwrRZ;u-%;d=R>Q$f%ZP zNRKaaQm?l(RkR((4lBQ7KEHF&`=N2X(4npU_D9)$o}47&9fbz4vo7=9&StL@;>Lnk z7~uM$a2b8eXQ8P8+*Dr28{;CpO`?<}hDcY(0w(2vC29XWv;H*yN$I!k+bB33&{zM+@31#;(rMGb2=0&U-R?a*nqCqv4_OCsF0@~`PF(#LyHqp#gbH|6KJr+(a% zk9)?CjUuyD#4H^S-St4N3LUAHyJh>#^)dRl2X9-=1>A1F&d+K#J}W)=o?myGp}@O_ z!bkQSIa-+@DC`=S7PBSF$PKzqS41TMA97Vk8+)wMviIPH*#p~tJgJv_{ z(v3AzdJUJpD6G0Rw2E()z9alnqu)T=^9w9i;}tyB_gph1xaEAUY-ehlH-onW9w_Qk z(^t%0aNoLju2ie|hEhlHX+dYctt=kkSqZ^<__A|Tx8Gj|ggU&+LMWj_?pYWBQ z06}s2%mRRjWLne%rdR!6nfu+2{H3t9eqlloto%m3*^YF|VPr?J)K z;Vr+EKlVE=pZ|M`WB`Qd*=e*Y)yK%VgaS|cE%Q`c5SWf(ARyl+Z9^2oitTs?Z+37p z@7$ys?~pnFjq>7ao19~D!zO;Auu@i#7ML=E&NINv6iN}&goR5fzeqiB0FXp8MSa{A zuX$iJ4FG>E;S9Xe!e7;{C2<|U*?!bk-}#pce!}+m@s67>Uc{+-i+V|nWTkS1(65hamvv+yshh{7&E-c6+6Js$}d=6_)QtsGby%n zttxgWjaQ-IX-rXTBz|M)8AA)T0CG=SK&kGn=6Tu3EeK%pttu`e87;j@8V14 zg=%B-wKs*1*#6u%>dn``Oo+$ZD$M`9PhjdiUP``L+mc&~e%w=bWXe{fw?~J@`Tmy& zbf%Bsy>^zXPdS^YOTLB6FMa{~=p+qKAndHvMnN`Te%kqCFfkZj@!J>N3qWG?@Bs*A3yFSmj`4uIfq|xulueD7+07C#LBOKbf?=0pjbd zY=?^jf(?qBCbtzkJgef~9}eSUnd?~pGVK)4v1d{-n6J%?+iH zSy9<}_?wiECclwb8M^zStar?{XT7{Hr1-(LKW()OM->Q4ehg}Q6J`OIS;B9;TI$S;ca*l49&NTL;-*Mu4L<%z=!_T%YqE79P8BzFL1bQ#Kjywj3LaE(>7^4KI zbN|zg^3z4}gV~z#CjU`GXE{svD<6S8rcyF0e@PP}y!8BnHn{_qBs7KNu2MXH8fM${ z)+1-uJ9;5W$=3?hh+ibmgFT#nI2eT_r1%p`pUAavVafKV`Q-$kv&Z-+h{sZj3Yp+X zAcbNLY17WiXc4s1QY`~Bh;Dy?!IWv3k!g`A#Xa%=?t zb6CA?vZuAL^tWjMg3N#>d!i~ELyS}Md9*138!!Kl#dI9kcF(H!iqKd+h3nI56hh-#Zwg5=)`z1{u|~y zpsKP+po2yaANOZlx&VxP`?Vmguin7(tO)AxHJxh=3YzsN%r4!HLLUqN+QBDc>yN$q zNH20KbOA8qjAd~ag!POiIgJV%)PRTcIM}v5p2iPVFNhfHftMwTQ|{LN#>f9M@4wDs z@-^rZH-E&F_G}}x|H9gVu$RLkJF?@N$*ZtMf%?Dx9 z(Zv7f>CpfAi2M&F;O~cT<8UI5W@XTW0|ReTVLx0q{-rYf%gIuMv+n0Q0LJ#BTE-k_ z6OfiRMZJE5U4O=A0Ih&}tmn8NwQo@pC((gFiQVtf8C58Mw@lXREl+lE3L2GxDx`yu z2Emj~?k-P1b8ik`w|>Oqc3KrtJ_xBqkbV!u#5J-6oaPEG;MZqW;@9Rdx&^-iz&Ew{ zrOU}t3wQJ=_qe!`VcPf=6q|Y7Q6rJy8yHD)o zLzdjdCh3+X35-Sp%>!^V@7urEPyi($2rp=fXU@v*bGy>&Veit(Ynk8XgtP*ueZG)C(wh8333Z*OmJc-k1DO3! z0^jZ5KR*QD1W+oiCTF>96jiDfWitKAGC8lUAOnIV$Yr`gi+0CH{#UuMsw z9U#EKpJ*Nzk&8_K0Z6>@N%$|@3y2v={Auub&~aLhnL~u+DMzk)3LN^zDP+yZm3E6y zTzw@+X+3yj>llUp18dd}-+@m$3Q%wj{XkxAoUeWVN&rL3^Ui=9o^kMZ@I&m7M@}xsmozZ#vG1Ke1S0%N1-g?^%`QcZ+Cfhgv`_#$Xt_+EGU>a5c3vYb z?MOnDAcxxA!Az{KRq$c!mm*>kJH8YE--&rI)(G(T_?H|%OJ0y)4j+E*5_E<>DY2H|gBYQa z#%V;FF63_MZ7iBT*!|ru= zq85?rq4yse>J}dYKr7S&)QQ<5Nkt?ttkX^=+!GE5gm2BRyR7o`*h_>G164uib&)DT zU3^#FbHP*~l)p@rzXa+s^@6Z5%+|NIR3S3wDrCpM#F%oGF{QDupX!ylQ*1@MRdo3* zvJk+s;8xbwj_cOPeuU<{dW>_vqaQWT8x(MWP-{ab47Q=R`Zhj6L>@lX*QmTHw6L$bopcVy;9`WeSRGb_C4VMa3lOam@IJVHIeDU>!>@aCji$Qc*%! zi)>fXe3o`E?kIFt)$6Z$zm2?ld9yQ`WiN0ca$Puxvan&5OCJC-^!y!ab@EY(XFkBe zln{kr+n8qdK~&yV=I8GZcqaMf?+@%4$GOskP^sph$+^o!DWw)*$wlH} zEZ6}{ORo8N*fRV5ZIuLeGZhY@a-Pk`cH<_%-B3ydwoxF*&duoY8@sk&A`ASN#T*s8 zAkb@3mv))y{CU)_5o+7H=GL=ZQAT)hcLfhsmZ!tmvBUC4Km=ZpgvD@XDy8YRtny{Q z;8`?5ye~t@MO%vY>z$ID+~*%G8`g+~ z_z=mtNvJgyQlQy)jhPmlb#ln=@-xLM>+(O0_9w^W)^=G*V#;& z3kJK9L=a~NPwy>o6su!K%PsJY;ae+-Y}yK9QoxEq>?UTuLpm{HYGJ8Z8F`;JPyu*G z?S11%4em{zGwPEcgMW^MW}HaW7jc}cBKw)91QV#e4)vyd+nb3XyJ}+EeLc9w+SdR+Yo6u(PIToH+_W+*3 z*0O~fh5S9|?(gxp%#N@abt&Z!vp){V8rNPZP$RsOX~&4`VjYnKnmE*6zCxccp-piA zd^o2J$q4&nuCAtq+Kh?ylY0$WLD?RUp1F2^Q4MQ$C}4G82bk7&2sr7@vIWlaXzVn!qvX?mh&kd zE6uY&a(D&T8tl^)`qGpE4T0XyUd?xD9Ij7h*@IUTpq5B=EA($N!#gPTM>e}fizRySO~;$G+p?@3%f z;&o`uiFa>3H>a+xZTPRxI^W7A)IDS$L!DX)hWOB#uPh78XTb&jhg*8MV8%=N`iJ=o$=u)40 ztI>0GV9$vGbSVyhJnwDQv&{d`|I7*d2}JPVK%@@+1&PC?9S>-m=*o@rf0H++dVJ5> z`+X*XCp=ZO*VklbPDrR2*KcXF&4q(u?s~YKax^Q+7fNw6-vB-No=KY5T@1TNDOY5n ztw1Fmwy_>ouS`GLy5>$?$iKjBx`Yn{QNXVkuZ2MiN#e$)BH<}cBk4SgoH6j1H1tsE zwrVUK#%oUOM;;yOE<=ETP6|+v8Kn$sJ_bVhH~bWUtEDc#E26hnZFhNb&9pjDl-j~J z!M7K0;|%YY7*FoU8=5Wqk@iyTquyaQyk~$Bl5PPjo5;gM^#dwP^xK7o@FZKzZ7G#Q zq$ENo<@UH>24>a^UnPP=w10c!=+dj3#8@x&kz1t&KYfpIXbhpqSQeLmD|Zl0VU;lP zyhRz{>O5TZWdJi{RQKx+%D z`G#uMCZ8veJEp#e9e`p~MdxaAV<_fCAoNdNVb}R%v+eZv3A-NOaM3reM#hyy`#RS> zPFPgugiW85L&>Pj7zUmIyWBSb7WM7#GG9=>xr>9x-*E-m&^Dr~1Ag%SYQ)J=Bky#X zGX0;8CS9ry0|y|;7M@n6rjSgaV1ZIEblvIw-Spt2i9`KcsGIVt+NsHCQ}y?_-a7+2=u(IuK5ZP(wrJKYq!Tvy^P2H~FSs6+>D2w>^Rg zvgKK;d3eT?$K51R)DTvQLU~!jb^_rI) zK+kwyz1@6y5dKftRVfvu1n#n=dfCQz9-GF{EEcwKYQ}q=qjuT~zpgIq?3iCO(=hhx z_hS@uAYgI#c2=GkybBay7H)7wozA&8{9BG_+bYp9ealMOye^X*Vqis-BP~p~W%=8K`7?IL*EnA1ea8 zqKHl;Alv7pS--jWeotVijORNbT?_SBlig=B`I2~F+=99rFV~4912ShyG}9VV z{7lc4bz}<|l7@7um=q1LO_@Wt581&w40!kt%nx@(b(1%M5o_N*OoQJhhLJ7)QwJea zkXhsR#@{n8EVu4*kDSTr|n`Va`^iYMgquM3^gmmdthZtE4KA(^Z8*hC5zLlhS<5NMp_f zk!it2i?EoNi+e=eY0leN@3+Y{-m5S3#=pX0tRtCibTaXy>Purd#;DgC`sDm?3tK`O z3e3Lacx;&0Xq6IS)zyJ9|5Ui5(1mJaB~`YP!;b_{ZsSS*jo?k(HGg~y3w5TfwH&E$ zd%=v+!>5x-qYiibwE-&4T#tjH_>atQWqEG6-`uQWLa-R7t=+g>p2lOvcd!JW|B)n+ zC>*j%Vy~?VLL4*$j3Sk{m>e7dN>vx7WRHKN@gv#;j)CNTA5)%hKEOIDt1;+;B4sJ| z4FUMDH>GO>iF8-ZPwX*IuM25n@&E}5sw%GJ!k_m(KJKyY!;Gh@)5W)~#~m1_>EnQ7nS{*oy!(VPSCn!Kl4k5(njuxo zWYF}Ae=HLPoX1p%JM4&)2Qj@Bg>8I?;`7jq&4;Q0L5ZDgjE1KDO692k%Yfj(_lo=U-@cEw;t=i+Cud{^hs~ebLYlQS;r^ zeTzL1y<6Eed45#N;2I+WF-vActZ5dVt1>bebWO)bA^cn(O}_Zt%&J>z7dX55hX{G* zHDxnZh|8!@Ucq0N8j|b@GK!2S;Yr@|jnCBx1x_8?Km%n?R@fcwH{ItZJ$}2T$;0^Fl2A>igSX==UgdTR?Zq^92K`u2WN^Zw5v{a=cd(xt8u;(mqwrE_eFqZWTv;CpmmQL&q zeZjNmx`4OHjP0V*-?$duKCtCA9M{%Btx_0ggU}Z5ps>);JH+_OkLNa7er;LKif7fX zF1ZH1VRrz(t8aMI)oNV$`|+U-nM&p@Ap@J?+gS+-~!;ee@!q{kd>~}C#>ACK8iYJLO5Kzh1fVa=` zc;M!C?A#Hy+oaiUnvbmT`;#(~liw(Os*Konjle<{()t6mF z(kkEFZ|Hnfqh6jCtDE9>sAf9g$P^${MTa8qRE$$$*R* zZZndC?ilKH=j2+9TqSF(;5$SiCirX|AE>+wZ%Z!I9}}J zFija6Q~< zI0&+z0+)MNt(yxAmecTD)`{` z3u(Kc;qX=XV*oqvOO|npaYp0QNX}=15tiXgcp@qI@neceiOqf+9%3N>>iQ&$Tj*;! z6)!0i`rsk(3vGtg+l0^r`jC=rF$!dHX~VNWM2`;w!6VnM$ISPva4IV zj%wmsl{&qOw>xr9P<9tUh z0t;PUc~!7FYe1HvX={!Wrs6%@bU;}bl2P|^)N{~QmQ@%~1lV6Z%I?ID?P!~t>}9R| ze4{?1150T}_IjN*;#nlaR`_hvf1y!p0DeCiLhnAMV#9H`=JGhmi?Fl{o5k6#49?F% z{FGXiAnV7&N|1UKA_a97gWZXthTXXB=D-%5;D>iZfOgONe&&2){CrsUpO1&$0r->5 z`%sV1ke?a8qCsPNqGj^{&MqIme&y7Gpd5Oq&-wxOJZxI zCcoB8KbURTAO1Cu{TJ|M>|N6GrNsbiM?2yXiJXq(hf{YsZ5u!NOPTFrP4qVMkvAyA zD-+k&xPPGRK|IADDXbAMlRQ_6AN^@G(tnrXOP(cA9o*j@pA-QlHd~r@eln;l z2i}@mL}Vx!BxEuI(ymdy8!In`({Rdi$|^BjmdQ<;Lx`ah}7ddeIL;jOId?^mf#wflPGfs4!ag?Zw1dhWRP0 z`snA|N6b{xgP}cO2=VqaRp_&{YsOnij8S#qRws^h;-;}m+oN*A^RdjA!`H%)L=xrW zrrKzoF2)YCAYxuI?P*&1XFNr0sLrn}8(~d;BGO1hUh8&WPI*W;4ytE3ogsW|<&H;+NX z*_yO6pS4%hzUY6jBQbPpu$?q7v+yz4=wP^mxIdPI&rmF*)Lw*#2{%<7NyWK=u=jv> zdCSQL!$oj1`wn)|uhJ^BU3<&M;F3S=QVo;OA+80!Xgp|3RzbSdpdEDK_rk+Yi&+0? zIgdAphJZ7Vh|CxoveHf+>J5h71tA}LOVw+tZrXj8nGqG8dv5dM>0Q5%KMo=n{e zrif>#7jFi4M+bfdb4<)0mY?@F)`#WN8Hv43$Dbh|ig^+1vCfGlPzoo_-3)V#m+BWI z#!1v)tlZb)7OIZuSiT+pW4CAlnyFM>Zdc@-4(YIe(*A-v9qk4%V#~Dn=(|N zSdv&{LA!c$#Wp+lkxJ0ZRE>LyZ|+p8F~&&H2NksaRQrxod{XhLt;_VQg!O3d(}erv z8zu%%YFDTMW-`{j*A7F|-XByT$pdJk&u=qP%HtyY)zIxUmOm-C6nnLwzz-g3f2-Vx zd>L0kIls~SLnr6RAas2u+T)rP78^8N^KJiV;`UE>=`@DKi;d_viD5^;Qioeizh7oXc2Xn`RSr&j*s9WGH@*rTxU$C4O0rrDX*Ns$hNVZ! z-O_1#9LH4>p<%?nz14HxHkqy*(16djgep!ZUJ^L7zjkb0QXymTq)+y!ZfI}>?0N|@ zE_7i{qu|W%ES=JtAjM=p_idoIoUtp4r{}yPqsvni)NJDNYP1Xl@*8ov(+;AWtnBKZ zP~KKd{~KPDEbx*;g7o~o54dkZb}p0FkN0^E_N+s@Au%h&@W%*>&2&vyKPW)@VxBW* zbw}~Zf5xEfj#`Qz$bb5A@gvKNp}o{@+0Oqdi+A+_Ee(rS#v48a$Eu%eHdvf$g%3aU z1pr`I=vdnOzH|vubvI8FaYF=YUQz;U^O8J~li`JHOW_42TqENaDzJ#uCB5Xm!}f*qU|LsPm_Y zh_DE)#i1D314B3O1~f`#xeI_J&NSOnXj4E*;Lot|Yw)ZL$Y?+{jVQftDw;_>_f-=t z(TvbO54i=w(e)4c^X|3BgGO2JmkYxy3QQ816(xYBY2m$6Y90~~y2{(%GgLO*tqdPScbb^z*0yqSKa`rZcD#ppona`6Y>-<6$I|l+P%E3=qg#t|03lZ)lRuW4*kO$-3U=) zQ|=y>pVViY#0C;S$!S>4#=%`)zga01U;$jYiKA>Y3ViEaWRNGa^;zaWr*3(Uo<6AyAsSQM+fF_PHleI*U4k|NONKQGTEMqL&26EvH3fdVzstQpO4 zP1Cgxct_hpL^03s_sLvMt#C!xi&Wy2Hya7K__9^NETP^PKbTcaM1~de?==2M0~3;e za$}eoxNUv+L3_nifaV;28n7|cGB$orYUj7!oAW*ey&j2Gi?;2Ado_rc^w5*c^Y{CZ z`xO8+>)HqDG`e!jg%*heZt^EuIFC_%XaZITlUi*=`BAFTP@uNJW1Ha z!HqXz2>ji!>ge)63Bo96{Fmu+f2x9~c^_@nT%H^5aBFqL?&%kQ=l9>&r1{Ee9{>Kh zVU1iv#9*}Xta_C%uH(gu6)5EtMeLrQ0~(CCbnXQ%g)r+CG_w>FIsATBZA_vpJPry! ziN5OS!yGZ?jqX5jjj8gECPXDEI^1N={ef zfKOA5LK(+Vu-lh=#Z{?wFP#uuIlaESulPokR}hUxD0d6!^wIit_sor_O*eF`TMpzT zmp?ny>(<+F9?zgm^(^Ool;TMf0loMiLujWMSpFyw0Rl#G$CM9L`4!WH4 zUmmUKj(*5m_+B(xSfK2?F~t!;GdyiNF~5GC!;HMa6B4KPV*;u%>pjKA9hvA&PdHWG zPks>?&$6S&#%s~oiGV~GFw~A@dsl>(8Sek?u%TahaH2%J!F|f3d5;u=KiF}@nR{|x zZKM6lYo*Qb*fl^Wo{B03rmX1wV7ty{;3lp!;{ElPcL;~0XTrGCqSl-%NUxDHyjpqV@iVsvLoyXXH%r^`ya+5A*Tra3>Pe5w_9 zIa1&FyQ7N@>6ae<-yIRm*Fh2o3!w6zc7En(7vD4tdg6}1qG@g<4ooCUeDOY9{^g21 znh4R}K6A}eZ2oKwQRy+o6h>u~5mKMMc`JCxycJop$DQubr$ovASi1T1_@Bl&e*u(f z$5TE~_6owp9Y=apme19#vUr01S2EkGiY+QI;7q!NUT z-+utKJ&?X-ri0@w$((16n9}+jK;M+S+-YIEvhEyFXU;Siev70DcFS16R9}8z2zPhN zk0&#M@`?_YHki$5B3IQGz8luy-XNp-fxrGQFo{V>}k{?ptR?C80+_2VP;bMPmkIn zVq&Vxz$J%9O;PeyKs(O+VRd$jox4LC#<#bk2_heYiIHA2zZ=ttSn~MU5YUU z;%o(da1!)}q9YGY`tW}DD8n#csw#3dkT!*~Hocy4oAWD>4aJa7MukhMRf$jPwz*w* z_+yTxh5v<|{@UGbeVO3{7Y(QUtC>1+^{F$)unca`H!5wu z)7g)xowO)hGlWMI-gQ$lQ*B9Ls3s@A5OVy?zSVTW?{JQgbAYi@o zVo#e$v^d6qw_Yc8*}a=_O>?@+>q5G-<_@ujq3BgjSf;~g{-Z~eO&(R#^>3T_H5E#% z?q(pq)@+?y3UaqWUZ}z|T80#reyT)0V7u$7}7r@m;1Yze(m%T1UJrE0x zFH4t!=kYFp1JrgFs*F*t4dL|ea_+uGp9gRvI_!3sB&p)jQepPvhBvjtY(>Oc@_ALa zL`5l`b0{S;m20+c;v%4wo1F-McscAB*-mj%>_?&Y#Dj;ec_#vOm~BsW=zn@}$Q)L1 zvzwfFGeHC&QS;T>6O#}84^>-fJ`Gd|DGI5Egi2gr6^cwns@P$^+GZ9;>}uyeIPVVT zyZRce7|)^Xf0`0*S$FTUeT1y zM7w3`boKU)JI?tpzJ5MoiN<;?zjoW1dcv<&DtDFk99O|_lJ$Dtz}61H{&Ry8M787~ zL%H%1-j|+2_c&r%qOO-ELHqGTLzblFFaA?zmYEL=(*S8?(eAyExO1OZ`*bN zcU033^ruUMVg5~^P}&u-Pg@kGb z&qZ{vwcSH{_fyQUISxkN5H8yJz%ke6iJ9_hq!cqbtG;^CV3E^VB;`SuWI9Txqx%eBaI&%0yG(9t~w zVGO^ed^VR~g-|wb{mR5QDNyB{U)4;yng9R`q$jY^kY=kf`x#CDgL+P0_}Rm zTurZZT(Z6XWc{vzN%6Q2Rr{04PYpak91N~ElgU^KYg?!cdfWPkU-S>afEu>88~&=G znelT{P+^SV7|*+HZn1z4_063Ezyxgru@i>gp$KZl57~C>)PabMus32}SYK*AG8R-yHd_q5>g({hiTKrQ^eT9J!7f zr214<<;t__5%FrO2-51|2>pBaRV;Qho(sH9c;+!TSonN!iX{u>vtZlr73%_a*r^$B z{@JH6XyhJ^HqFEYWD&W5nvVyL2XMj**)kbe1IA5?YuLQ=M%YE;af<@}xf)`NWDTWh zLjfJ5*>7)(3)r^oQwN?81w%er#<41oM$ki7VEaS#iZhl!tPMghgDJb|*UosbafH*j zE!FkIwXX0M@P07B1bku(@jTmE!0#M3)Zu6?K3uFTz}#_j+k_SpUJO2uem?yK_NrrR zl^(xHKhJ%mA<^a=n;m&-pv~fm1Oq4}^88HsP!VG2s%s=ku^ddlm9`tReS(MSb$R%(YWSzH9 z27*OoEsqrmm@j5wQH0P{0M54A`fLn#Sh&he*djo&U-z)d?_!!S_)48dh|*DKU8Jze zIvpZBdYuUpU0wpKzif;@l>sAVZYZzpIW(_1+`tP0V5d>AACQPZtzMKW;xry68nE%a zkse*I-QsCaUdl=`yO4!l5jZa6Lr0tfPFpCB%5Lq0A{Sw`tpcTot;tvx-qSL^{cysx zdY#Q;kz@<78(RUm5XVs~Vp(iNhQW9g#FQ{iLm&%su1mX&r&cGz_VedO<0D)yYF$QP z(;bk@o93F>#E~jBGtiIFO!96Tpqx0W%{4R!VQF7z-`j2zm9S9nAGub0>^z5T* z`3KCT3OSp(0=`^T>6&=-`4V{T`^7&h^`WNf|i-o0iUCN?AOaPuG^vMK_$ZWLE`h%~+SawiFCds~g!d_ZQ1T^Gy zFBx*ui2t(6)kS}HyWlTkP~;&Y3}FH$4#q?wZ!K{w&4jYWVYkXp$14^z{s`EiK{DZJ z0XvbjfI9{mfp;N9T&|y?GQ+cBkl@) zQvkphr7`pp7lm2pg{!T>6ne8ro5e2imL|M0?AZ9c-nG+1r7krvN_jRe7u}jPmwH)p zUlMpId2Vp;v`lZGo>-uO^S~K`{7khV=LL|4NZ;ANEzOBfmz93U(pNOb_JFu;uN8@U zpr4!CVcQh~hMpb^PFj zJemPV(FyhP`_Ku!%y-^fn=pC7p|5{kl>cQ-Ekvh8PqUyF$tZ+yl2*=cZ_C zpgKK31ab(&l_hq;VJJ~yMVRx$i+)?>D(re3e*K^rc3#}a(!5Wm)E|cv#SM!J0}ptC zmHzm{EEtuwC+&Z|6VYimI23GdFn1J1v%j%4Ah@xOe+mMKj94L1vvj|;)S7G7u~ zi1Yl5Av$zj0!`qoxlZcxm*R3xQ93zzj)m0o#^3)a;D7z(OhXcm`SqSaeSBsbzxE5b zGGiXjB@;$-{pFUIHQ4(DYEI@~_~@2H+r_Qs-L1#JK^HY3b|lw*60P1ARe#J}3_a)0 z_}?r?CN5Ax0Cdp|?+dO=nwUo)9DuM|z)EPq-sJBq70>YeAAHE)wD$?*I6*O$PssGXg<1ye3X?{^M9>urCvg|yxlrMVvYdYC`@Imi@04#7+$ z@16G%=G`b@bXE+bmw8fgU~c z?{>XB;raIOrPn34-^K1Cgx&aitwvu4Zqr%Mwd(F2Ej9{O#Fl}^`ZGblE!N`DL=s3j z!RB(Q=6sJPYAf@(e-6<9+8hU4KLB>&dukiXFK1s2H}TPVJbz0wc-jAvh7ZVbmZ|*# zf#yae2d1yoZazc*zsc}F)c7ue&HHqJ>3{;VPa#v^QMw~1w*RHfe^pLxgW+$Q+RtYF zRontC3=YTQy6Fiqt6s`y5D@{dy%UX0mYQ3fb^qW%{$YFZkFyuB`almwvZQpe_%0g2 zwJ6;~2gb{8Z$v#mchi66U9|~qd;Ysn>R+s(f8PAO(_>3TUT`%P;GY$XlyjWUV<`k$i(c$b0eRBz`gH6dvuoDu((!tpRmKc(xPXAt+ zf0N7KTkv0J_s)aucd~b>voA|;G^lwvnEH7CA=vuu1w%V^V6E=|tcL$#pcY!&4>Dh~ z)s$8c%#km_yp)Sd_i>}IUDT}KsQtTx$b?;1oD-eSX!QTR&~tE!9(xf-=mnY1pJssI zs`y~XrUJN7f+M_ZfX9n+H4uKZlOOp zB*D!ZgFPgHN>!hLun^Lb6wsciL58WT!(ZLWzkbvIT+W$yNmlhodFWk}HJ5zs)H2>?16Jx76`RM~7L?yfl?g~S-l_Tbc zd=BZpz@KHis48J<)<66o-~X#g&t4@zrPo;X%AQr9!-f*#5MM3>SK^x30f}B2 zsqUCyDx;^6jdl4FGt~6IDaaNnOS6WIE9qNd#{zTOZ1|EixEP{0X6LOc^?7i1vamD-x>d;Wy*kNC5Ao70InMu-w@+0uevfcIDv&G#JJ3^%+q0^7 zcM}EdhnImj^sfO13zC}FewRaz7=Yd%0DzNlwBI}~b9F`;k4lQeTS9z&_9%emP-Kml zuxQh{R3Fa3^o^#euhG-ldIFOpK-B9~KkvEvwPUZ{WoldcK=`CL!?(2-IH|s?Wj{#U zQiVg3_6EODbOgJb^2c}ra}=L89osuDk}9MOp^0#g-P+PJG3ZeRK`xF9KoHO$$Gv?4 z)7txW{x3~dCgC!$C3eimkLzhkwZsF=GG8>D_U)m{z;%F0`N{zs9`G z2=MRwn@j)+_T?+JLtHiL2D>Zr;<=V+_8w44spI;FkwuvfoqF`e?8KT_OwxZ_LoL_M z7LO-Duq#F;d)Jf?zamWbuE_uMNp&$vyahGaL}c0aEuHHVg+ZYqwp&f_3C)?o@HCSw z+%_tSfH44DpDm}kEC+(Ue`Il8@(v0|&XMWR(f}+D(h9j?5<@MSO0yteB8gwe=FNwEMW#zXkQ9zB02Fi1C znr=ExvD#i*nRGjG)Pu;b;-kFZ7Rcc~D4D>yFaNMr5N-~b4OcgNsgEMF?Fct5eIyXb zS%ONJwi}b-^LY`?q#t=%iQG6^W3%>di>emq^w8<|%n{%>t#p$6OWF9Nxvj@oj_9*Y zajVgZwa*-J4UszVF$D5EA`rE*WXCvK@#R}{SI8CkCNM-iUO22*NxTTQGPZ!6X6{Av zlorJwz9r$Ncg+_+Hs zQX$>YvCyrVmOjyJv2(WDQ-r8uO#^n#JJ@b)sHTlz<2JVYn#Xr5{I;g52GE<(Sd62v zB@j81Jm7{&dK#e`qZ9C>&Utsof&D}h+*yRLwMN)vz_%khZRRTGrME?yvVJ*A&Ci=W z9x+E0EDs>%fNcZPbmErArWXPgg(phR#C`N}>OuCeMY%n9%ukL%%f|2;6ii^|FmGG2 z){hAC2Z;;2yFdn~{F{C%t=dk_)J^LH;!v3Y%cJZL{?uITrll?7yoV4RuSuEy#B4eNDuB|a* zswzVOFYeb>Ip{j4YYNY-vTd|SX9)U9yWgzB`Pkw$u_{EQ`Zn)2!%i@iiTjsfF5F`l^6${Y^ zm%tQBnr)bSEHOzHC{wdydBl`40zJFlZj%;SA(LrcwfEM2b1eyt`^xR0{jmYI^{Y$f zMu1rkQ&Fa+^o6ac@p*0}{}?Qm-g`=RNHSGi2_Sy=9ro3<;qa(uI5K`_F_P+q*boMh#|qU1H4rW?rM@T#H0e?p5I3 z;tY?Zu`|W|0iR{|L!)CUnC*2W+mf%3Ak-RuN4a>`2#9bHiY+YLdDP)mGB_46u$7H0 zi0~NVaBj+y8B1U=pP8Q7``MY>Tw5hJ*j8-F!U>FHWf|CsJaertedYepgLcbXbc#5N zZB`Lx66ZK`XbXQ}@Kz9--+muF#+9iBhn1^Vgu*kI|sZc-9rqt7$39e?j zbsF^*s+)(9n%mQXv6qDsf&5@Xf;YUuRYM2cbPTEj)Jmo-mpx72!_IVFGk!v#TL}NA zG=9-S`HMZvCT`_}%4xbN*bVz?O9toQq@!Z>OXBrfWLACjvvE0`(VOGE7cmcEAk9xS z@CyKSRWgooDl^v1mtcToQH4x6JGPYr7cN9ke>^B%O`M5}E|bW~^aYbMf3+)tO@g4{ zKvF6)(Pd*4mrWy@XX2bWtk&_CtZvp5>99eC$r%Ilcky>Hl1`i8Dp7P)lbB)_((jXG z9_1z8>8iU;N{W|v;eh&fkWFV+%7(m!7$x!!Kb<8F8(gtmy6!vN%p{qgeWr3EC=V7e z*B2|xI?DR_qFlUozvrUqv=13OQvez3IJ|JFwEOnBh>7XXmWh zc_3egwDj#2-2IqE*Y!?I9PT*1_fEfvp$H*&T$#fm5t~f$p)*TID=?XDvpDX*8^IGCpU^U))YTx3>24m_(^PK<`w_}i;I&du5+2d zJTQx=)-M5fI=_ba&SUl(v!Xg9OCmq3hgNsx#45}OqEGAK-`MHb;H?lWPHw@(>foQp ze4$WAhQ|q=2!N=+J-%~d3dV8WX!%W6>oM5D4*m613PB&*FX{FQmm2e%Vy(ObqNX%% zleu=bZE!3;zm|SRTW1dpv3}5$_Q~F5&QZPIdTbv3vkK;?SxSGIEGIh(4X(Tn59>G@x`5%R1kp+?^G)NG9ttMQ#<+o`<`Vx%%TEUWx>)IbwJ_rtdM zgvThZ!?UVsP5X{W$fgJ7^Cj~i#~=KUUX9GxK4Qsy+xN7Bt$|gWS4v)0x8unFo~v?g z1b>((mc-+A2`AcqrsqcyLP@{*MB*1}J)BE^%*eWynXRzg@g2qG`g}=izHrq9I2G>r zVTWn2p36lrYe%+{#)x{E@pXF3jc{}MZ|?pZZ)K1};U()2<5T25LD(8IX`4B-toLp@ z&~!uX^!(pL!*yb`MiBCYQ!f}U>h-ehVYaqY(Uvrr+G6kV`T~uy2|4&zcc}tHVdQfI zam9R{^O^aHTZl0OKPuBjl}_&Fi>6nD!$Y>F?8p$&IKe%Rnfb|G%ywH^Y5>egq`kVN zISCQ)rpm}`-2bG+J^7w(F0_%$n=n;$g}v``=*ZwqFBA zXO0*x4kk#>m(_dhYR?M--b+7Aiz$5}ZGWK+x=y2y>V(i}RZWe^C0$%j4Cbu24{Ipu zVtsai(%y}zosxb3fE_FzQ%~~3w=7B~VmWumh6V`t&^q;bG3D%kuTrmRnIuHkvC4Uc zEW@(C0B4iVY<}%gXKwIjw&YC@$NRR$wU#FS+`7-!^YX7cFLA+^nYsv9zji5p3!Sr9 zWy5*m3e^Xmr9GN8s*G@lW04L4%Y)DTW$H#moCxhkG)d0we?cWpGo#BjYVsaWEcy84p-r`1L z_dFDYZN}ulUo?;!xKX*sOKp1sbyj)8JCpa~;n9dggtR%^S~+@)@VJQuz*WuYD3$5> zMZgM~omatoAlBdL%%$0Ovx#*}MZQCgg7%y%!{ zT>hqfoYTC26K+ne@by{z=38iCmVB-4bqEDS25iNsKG9pfSau}buI9kQLo-@s^gd_A9D7p1b6O2?A&AhV~-av2B$JTu@7P_ zV~pUVgNK&jyOF%q?$f~xT3qZr_*Pu>^8o2Qpc0K$(Xlg?vBeFs+nif4}(j4pteD7Ln^ z&p>3X8LcoUobrpqNZl?Er5e}m?dHkX?^ltwgJ73>IUYmOW5+w-$rY0W-*Tt10>___ z8lc0Awg6lP5*Q)s#0mg5PQ2Kx{-N&saaD``ewzJf4_Yz`NiNP5;B-E|V`egZ$~WEV zhikvat@w$vc~)@aF>}?l`>wu2#dfw5k~elF%bf0^o}b{36~h`Xcfk8357epQqX!7B z9TK0n*-m#EUsx>tz9w;zm7nGm(};Bcg52`TU3qx4+~Tjt1?O1Qh9tM8K(;l%I-9jc zm!8AhSFUi5MSQ=YufOcWM*U_s>URLu80dx8eE@DpNkzXL3}FEp^9=Ir|9-l2J6K%cLQy z17UK{GuFZX;|X(4`qNiP;s#b)ps!-bI;~TC*MnXGI{c$wlZx>nxa z!n#|+e)##&8<)qVA^iv#nJ41(L;0hq`6X6WC8w%Z;O<1p-IvTi>hV=to1t_Wjvl7_ z9FK13M=Mq==rFGqD=$y@s4>6pLRjZ@=Y<$+w~4<$_>jqeT~uQ%RI!xj6UeSk+(&b_ zQ)_>8Nb+S6M++m+pB^b#+`kosR!4uDQSlG^K4Y6L0Zts!}^^=$Zsz8z&b(P3HlJF^6s|Y@P`lzDUyQ4_pR^Kd3!IA~1-+c|L zwxr6Gm7x>%rG^-~%`7qLU1`rO9!_vb`MlC~4-;&dHw}3tc_TWi=W*77(pRK0DpSP6 zfnd=uhrYOSb=ObQ1 z#h5}Am*H|bd5GhM@ja`J?vTraFlv*f!Uw@0Dz|QAK^=%&@*9szyHJQk>k%nD)fT|; zLocfeLwQJWrg`Q|{|v&DW7h)!43>RM#G}+<6n;0fJY!ikIFb7r;HTu^w$*K%_nR&Z z=Zi1#>r}0I%gpiUin>ID{cS;Z$yg|7R%>F3#K+TplmoK~0z?>zE_3WyC9=Dsv&PRC zmQ+6uRr^^Y9Z%ep2-TmEY9A8N@uHPsP|eE)Ra!fZ~2^)}2BO|l@n{@l42 z*?)TUh$9o}bA>6WWS1bNyn2YNq_$chI=~4b9|rwOen!%Y z#TS==3R`=pY3C7CGe4j5cWP0^rnyG_HxDY zlb$cJV@u)|W}>bX5B7Am(2O5n^n^7t9i%=SIS$ZVX+KSr%=)OJb#4dK*8J!;C=Xs7 zHX;asPp?yjiE&Gt`_M8H`U3`ZQNU8yZF*$8PMLl_zh8} z$cy9tTWMkYsAW01qIDq=>-etNC{qnOR@Xss@Gmgbled&BMUAuK>P(8`%)0`hz|rNf z6Q+RYx~3n+#YWWKV@rbRze}Twh4rF!tyrHuhVj4+Ybug&Io?5%bGzi&Ok4S<7MXvW z5ISKnH0@GWcLJc8<@l02=wsrP0axfH-2wy_-0fcMI~wI6be;;6ls{ke_z>gin0BbR z)FzA|={02XHIJg-Ty9)1)vIs2V@_hM-cW|BSr)i4){G~8yTMIHccqV%9|^>G~H0^4&Zn~YP>0Xtxk+mBthujY$aWJuv5sEQI|m2 ze3h7@xnO?&3ath9hfbM0o#aH@uTz&*UrEeEk}LDePS- zYn)PUN(4_%2ZyEn>oA@b>>F-V+n=|ZA5;~vS*b__4~f5zScQF|wD_JtWoa$gUIJWN zJKfhw9c*_$`N~3KhfovAmtQ7syL>a!9UTe{$8 zE%XA6ho@cvCUmIXkp0mhWi)wPeSzhhMqE zK1Z0{K}F+xC!^oP+xeOaV*MXt=>c$#+74B#E77MB!03^}t^#({tBu8k{>!tv0O4dF zf%O#y4PoB&dB{uP71ZRUJH3=Umyh|P13dqRg-vlSlicMy(bmQ%Ig|?W6r20VzB03S z+)on$)pD9r%OWk%2QG6v4u!NE!KBqmg}St+?A?yfJVM!)h%{FfVhlH|Q)a@>HJ&S^ zE&+G3H9Fy6rKyhvU-UbERdyZjeP$TE_nz<4W%#rs+!dD-5mb8nH?0ObH1KIk$g7i% zarX`G)qpbwK70=PVML%5nv$gv*S-$S{w=uNVm29K&^;j}ja60T z3KN7scs&6J?`AyhCn@eSe^)!EoOIb8O+ia49wOXTzrEDOLGBfS^qnoRz9tVFq*?VW z&#zi$M#LaZ#?h~dT*_U0BiGcJih3N@ppQWqvVdE;_Kz#D>DKq_gOUd!VgYr~L8evvGke7kmjAgBB}_ss*E#OpDiuiJ8#9K@4pa`39F=R&%_ zbggN-iLmKA7^^|`kUkx~tgq4xyCTStcitwP zsfR&LPSqZhDI4gfdJ}4U%H|@zOQ&|j40we`)7&O42W_s6SuVGwBrOvSx$^w%BX78r zOW)fYt;{*6KC&+u;0|j|t>E-UzRMaclhN=qD85#wq&mT@gy(i|pA@_E5vv`7_A>N< zbD3ZHhypz@L3xcNALusBXYo;R{aT#Tj=g`s`txmZc+1_FU1&qm*ynxmkC-a%Fp$%9 zV7iv6_@x2`#2}mev1QAF%?5U~_DvTf@2kxP#cg7tTC;-q6=Y2eSx{xyUA|nY(?<_3lq)nSoa|+_O1!ih>-93a&Zd<~hFvC2 zJ5QfzqCBqs02NebcF*)QYTeqrzk@WW7@ZiLAn7YAD;pSI6@5G2SeNx{;Av++x;nAl z!6Z(ouz73wf!|~7C;D5oG?co{U8ruSF}O{zN%OdipSf(TUs`lZY*u9OspsTo`1?h} zN^*HFfV4#4^nFcOM?zV2bYEuuW0sdM?$d9bk&YT!fj1qPGr|Dz_s1_=9?9;B-T+n} zxB|iUlIb=SNK3T2l4I4HxYuY6#1sAexA@A37@tSFVdKRZ(sKz#4ncR}&a26E@ORL` zd0t9!k%gyvP*5-Su|G|phRl}o2+uf6uQ%d78vb$RD2?_6Ga$E(ZBFTcFJ^vWyCOE0~&+`oT+ zxqt8ea&rGvGMS<{%D*TaGo2q%5z*rHXHq@Hp40pwt;_l! z0Jh-yGSCZn8sE*%Y3#JF8E6JxECc7fLg9fs{QIVdxH-g!k3AYckVuEGH$IHA!QFAEDs($#LrvH+i$(JY7|;sh zVyp#457ppb#(9u=;?tciA<7_zR@5+Dx9~!Ms(|n^@rB8}6P-CZzI1VjzrL`b#Fr=v z88*Zc4wMNSkd!l4;@E~t$x<(MHR67D{dB5-|2IG)1br2sa$pP?#(>`@e%d_E_=03m z4%~9?yaqqTrn;20%*(cZ7scKe21dk}x5xR(*a;+A+Npl?XFW^}DL2TSPs-`WrYZ6l zj3$YJSjy4yCB{L1FytO(lbnt@x6BD>FGFY(#eg*f0$UF;#yYO|A66VayoHV~&ln}F z@@7oy&~Iv^j?H=uS(2`^DW*=PI#L0(;@pZulnVz^2Z*gs3@u`W%>&8e%7|`&4 zz0QP{uI$8ti=u{D0E$7W?YYmgnXh3(RTgfD!}!=UC|>o;2)VNdKDz?pDADs_UU9K}?M%7{uRCE5pD6LU^-A8q(fQm{6z$Fr?UXS*C9iEO!PAz;K|Q&k4y_JV8`@ zycUx;#a}^WHb9MSKhM)DIttO$h2h4GA~l1g03?e~Oou%NlCkdjytF$kB5#1wk&PIr zhil9hV$3;!ESL*wVoodWSNyFG;^bQqd9Lx{hdjuSVCX`moQz0X53eyym`fxOo{Vn* z;(0Dq;^X>+|A?m}23~jiu_Vg*SX=HV&KM*jVyGFVDW|>Pt3kwPeQGnw(s3vwxRIn> z4*><6j88k*7w^mJxw%hGRXLhbD!NO)rRCPZ-hC8$JB& z&+@}&43s<>jQv4CvEuGkC|O&F;dp-a_D zK<5^7p@r+qI1Z;h!ifd$87HE+8?Csx3Sgu256*^5nDuQW1^F_k+=!FDn&TiJa`q@<>iHVVDj1<%Mv9!2OXjWG zJm$FtW2Pn#^f~uKl1BPkpF9`o0v|fskF#{uAg%*}OFNpcwlVXyC2)Lw3lzZU-T+M9%c z&TB%VAK%HEg-xKuk`=+$UCr_Er3y_s^PqqkSd&mXk1$9xczHd&lEiXznK6&}ijxM! zbPIVzv2658Co@hHm+4HrZ-?Z4Tp%rCIo- zkaIN65@XfG{*+Ic9UN)9Hq3m|uR>FtajkHa>>WgaI;0^KnO6uVKW4ts*GU~aZuWxN z!IFCN+e|%S&sH%)G9_f;wvUaxmCZ9l&+^UuG$ZS#p3~R_xi+ZfARibFS=MYn|3c=C zHcrw=Y~3|-*rg-Rz7iLvI(K>D!5;ECE@x3qEMM;%l?I3P?P|pAFz2`%yEZ-Cb0H4)ehHRGF+{Qw>w5&T_{x z9_MU$Q>{;xFceSd8E?dgofl-tXk&kj!=dz+v4@>50vzu()>z&|5mxnjz&?L5XM8G^ zABVQVSd9wr3kq_s_;!+EIY6$uQnZ0Ip5v#Dq1cb+$p!#g%n$0fP4?!MST&cm&=rSx zT#xEQztft-9kV%0zvp)mpMhfnDPS$^3^@0+v5ezvqkikyvl*K`Th&`uSKWdR<9`^Fiytw{jo2N`(jFSq(SIE7w>>R5aSmvI(jJ1hh zeF%2m`0yFm@`_c*Q!yn>wOToabaFXv$M{*-aI*8_-IAE_pWd~*MA%r^2{YZ*%@lk}x+ zjakP-cUpYw9A8d|Z@J^6H@0$|;}?Is9E}eHz7`43af(0vR6i~N?A7M@X+xd3E&g^P z$u(!n#T^E+;lx4-!ocq(>m;>@sH^!N87}gK;qql(s9nVCC(fpvDbum;L_&O@$=kK1SZHf#}Dbs zul0~0#Ha1VyXF?dcc{mJPH4|MK4LTVIjmw^QI&Npqv^m}_*#;$5kp)33honKf2(gD z5AZU$`tkkomPkKRKN;e}#0Q$S<~lBA=TO*Z@PD=9vrMj;%EciDQ9oy#v!&$V+$wqu z1yyYV4*p}1+dcgx?)Y)dBG17S_ef>`kpJY5E^gS%`}}Wh138@r{}^bACBU%bZ~3o$ zneeIKa0&i6=Rs7mr!4za38CtJp6I#+Tl_z4IN+T2Y;`>5C5C))sQA}1K5NLL=lsou z>Q6h{sD3Dp)}IE_({2n_Ze^0VH3rG&8jS^_(v42k&CT}iXZ<{XQoGsD@!eDJvHL2U z$8}D7HrG@ADaR{>cp!bDi_d?kW1Ic#Z(REEGmH8GnCo_L8{*M!es4oLZK6Mn&shAS z-|WvnhTtE{pBA5=zv$DIz=^*s#dzCfae!r;TK8HPwaj}H-Y%nOj%kzo?LF^)@ACTV zU$^{;_q=y`_q*S{y!P5_%WLm?*YYYJ>UZT@uFI9ns}pJlo(lu(weDi!F6n zEcK`2b=d-*N)ionZ5iNu6uyS8FGQZZkM}W$1+MQ+LKpKbmNb6Pc?fX>B)9$iyXEy? zy8KH6T=R42w%32z<-6wm@wK7b#Ti&%wl9WJUiVjkOM|XZM@MsvGB3l`9l~9?Es9dZ zGN;Kj4X+{`!yKp^LI*k0!)}<4!Pa&o-b_j=MZUW(hJ@WP&B2%#8xK$GkH(n+=ea?v zJjYdJv(Zn=X*$d_7OU<%<~Wfi!%$5#D#{i|l+565Qf} zFOTp&=Xfv`k@R;4e1C=;V0?g6+(P6$K4W{tp5zOQckl3k1da249DVr#wbFt=FdpGy zh5Co6=$9W}>vKNj#QS`T54mK@fcXI+Z!608iQ>aY$&D}>pE(kYa@5UB;$k+3umob5AGom z0SK@nHl*i1iVUI-scFQ@UQB#Nf2?!s(c_0mmzkg?IjXAnI1qCqR{(H>$Vj_%W%Qevh*DzyGURRVHD+0#Zd;JBIGUq2550=O9AU^El z&qNTbAQ1&LuZ z`aEQfh!0u*X-eendVKv*{J_z5h3A_&p-$^Wo>)LMpU0jLd-ySh;6Gn~fWi1=LJ$2i zo_ZKF1{>5PzH*Wv>emC!!i+~o5gwh?SR@AN64#F8k}Alz@p*1?{prjHtI?NO7-Xlp z^t8c%V{*pEeCBl-w$QUSy#5BJJaB+-UK0}xGUCz^I;~6aoGhk$>lHGN(aA4fCK%n zgY0Yk#N)Ybe}>$Y80WuUf3-&Rp#geb{}PXRP(Et&`N#7z%%i72;#ro{b^R$|qd|7S ze$4k@yw>mpRD&JsQJvY-NB=Wt#78cAjdw8Hd!9&g5)K6bU}G9NWDK245{6h=YX4>3 zc0vrg@%@ZmS89Gz$S}dfH^enys#zkj@ZWkZgA78&r*?x+Yx;0+BM%tz+7S)}3ww6D zt{a7R9>Yu&r;X2b$CoeN6^DIt!#of+2U}7fj zXqxN7;c62zvZiYY>esbHFqxbD?2`Cepx{=kF|I$fBi34g9`s1EB`5#HEiI=}J|;T< zQ$Lp@SYm~q86acTD4}_G53{v?@)YYI-U;GR@X^Dj<`hTXTpRLDKPTY*MiG*8ejLaS za>;Ve@n+9RkT&uDZ+k6)y<(-E-UpHKh_BiZM?T6EcH){v!9PKml=b|(42dv0!Q8flNbVq$3jy0zL-T+adv?^Ewzi za~?F>SPA4rV`3N1e1RA`42Z>f^3QoZpo}u;@IMoc_tL=1TtW;->}@R%&5e;m{cfuB zZ`yzbPuF|KS8Z#&Ae;(C%A-RRJM5o3c!*xO(>9x8pcX0u0*cUcuh~-NGYn)AE%(__ zgtPVotr9LgjL4Z=pzx@w<=|+L#{XF!Ciyy}QwToX{}Cj6!VY)jh`cl<4r}D=C1EJ! zfSr!8vrM%>s5$klKPT*om3t#xxZV{veThx*0QLleHATTi0%6DfPa(rVu2eAa`NdxG zc_@uO3I&<+4adpK4$2x6_bI23UjGjFU(`Sk#z7<}XGr!%rtsxGT9~aFRyU37IZNl! zO00rE3X^HzYJFAHaK->SCBq@cer?&5u8LN!wG)YvxaeJXJbXWNp&e#x`BW$m4vayW z_Yuczh>P5OJ%}`6ugx8Pwp;Nwi9^kKxn_;HwktT|Z(iGkux`AUfSj&s7$`aB3xC?C z(or_~>D+)u{;V0p^cURf1YPVWiWtM!Qk$qJjs;HNG6CYCSjDb7a!dpHXhH#6b;6V? z?b$UeWoJLtopzfwl0o3rxR7Mf%pZ2K$kMEb%wxlmfZ(3}Ai(q0dw+BhyW+#)*jBEu zMk=y0TrCPfmbYt`4y$e*tyq?2&(3Q%IGb`WCS&iyN59*}Mp!X8f;(58dt31I-)UvH z7H!QhmYT}ba8~CvZZ;37Dp89MWx=8m{);{A?G@1EI z!At@fM_>Oc#PFq6+UVR)BZ+w^4K?clfBL|gItJ%KJv(e@fbfI85T?<%Xk@lt5wW_( z;A}M6ah3s0uQnRxz#lf8&n@H4;xVtd6x!Z$$}$E^QGE8+XMGgaCN&N|2{@O38Y%x2 z45&1!wyMoB&~Gq|xpA;?EhR%nXIu7c70_`kr_E{hwyReN+ZR{Ga6J0V&2imR@4W11 z+|z7~n>M>Rf9+4m9@!v0Vjp+=^w{li1Og zYtCjrV^QWj=5d`@8_L3wd0tr)@;n#&T{wRx%yUn>)6jRs`R+br2qgx z07*naRGoFSa}JOVlZ-Xyw42*rKGnf5cIl@Vp?dz!c$imrsyFjG;kaT|9Ua*yW6Sy! z-?fG&j>T8Qd2Ul{wO6u}W5nP(@q-il;dPf|TKO>I$A?(k_$%C4(n*xRCPA7& z(sS%a3&za)HLA9>i#H**VRF?ckk&{>4wP-I$io)V*JzQ+p-;6rj33(7#}})RYfqe`^#glTKWyb&V{*)vpzNI6$TRKz`mdg5G{(>PzyQ*lKJ|x z@i)d~D;wi7p2zH;MtlL5!(69h7L!q<-*Z-<*>1;Q=1<~tnhoQ;sQ8S{+#H{C*Gais z&A+Tw72EV^zlTfX=NCURkGj?>w(;Y=oAdI{tc9-c?vy%!R;;7NLs8!+R-b1Tzvdj{ znrDnDXY=~|y=zE$9Cm(>F=QAB_RxoZsf=L~bvxplcXR8i>-yI*DY8xMlJJb<*lpul zYa8fOHf)mZinoqy%sReJ@z)y-hnxj@vwY0O^^wV?n!E9pCe|=pD%kbmdel<=piO*@ zXpGMoIg{T!HcraX4NgY=p%Wfuw2_EMUR6A&FoSV8X(~1P{3lJ{`Oa6Dk9_1GT0ZcB z4=wL||NEEszW2S$$;mw-)WgGv5A_8b{*mt^+-O&iWXb*f!!&q>j9Sj>VY?PxL!Lcm z@!gt%TgyN_-!DSKCH*hyzPVgoB>hYKT(*EqCveRHZaaTj|NQ!e7u(Hi8ufeuW~<{f zP5{0i8TK2$fV%$2TfTqheRKU6^n4XudigI6aK3!6ob_evzpVe2BjlV3UGw^H`}O0T zt9@X8+20@in!W)(59prlo(ust;>~2MoK?yV!dx|oF-#B232^d-@|aI4PH(L z>=;yQ;8%GareIB9dtR4$Wpni}AxRf{CKEg6tWked5aI2$cnX*KjoS_lQ8`aA@f%L`NeU@Q_K8`p$9}r zh_T8cCV6C|AVv&6@LUfQ8qI!oNPF^{zY}x4)#mtFm^uZ__(}*Kgk*f+#Cqg92U;G_ z7k}NG*nd0mDGEYFHDYsK<8#NjRx-o&WnPvs<=j_0^~c`G2XrVt?TtuJ#v>eLfP7~0 zu@=r)oG32hQ|R~{W8ICd-4i< zb11xsBW%PLKj?|8{01O(j1dnZ)A>%jAQL+Bj|WsCuTTfMQjwuff;JVTxlZ#)#8)au<(g< zzQi)$GL2n8K6Krpzp%IldCqaOAim;__=t*nWePmSr?0}`Kt<-y2&RoDeqEtWjp^5` z@C8Pc4+mq>8DmZrhjR`nC_>h!2Yy&r?dSqI^OFn4GQ&i2+ERgrd8p$0M?=-CYbfiF zx@ALi`Vj*y)({22L6-=q5>?j{{#g?=vW;s7$Mhv8*N)ueLqVa^x#ayNuQ-HP_(bT$ zpug}UN@PVJf@NNqNzQ|>V;qyaYR7f*{-c~N0uMjc8)yMaqIjOMehi~V`f=igO%TP0 zjy(^oUn&VOBp38SqdX4ip%*9aLqv;F5A7oX4yb_-W8_#Ekd3@@Oxs+`RR@{fhy!0i zX>3L0JYou$y5L-J}*~_#OuJ@SsKf}Qu&T-A; zYa{<>?6n0f5b&O@KA=~7M*9!8!lNadbLSqjEHqI+O)^G+hmW|S9g~2f?mM#JA_d7g z@L3P#LuX&&u+=%nVw2Fy9_a`S?!Nx4)k}js_;nz^9|~*YLXHcJUw@siA~1LOL}+rG zF(A--v959Yr4IQh7fgx4dSY!cge;blGByfmx7tW7M~$QxP&kB8`tXhQB2@4vET0Rs zCZF=01oBH;RZIRYnE!6+&vF|G{>s=UJ}B)K;-t;mQnwm53&gZw!G8}#w(Vu&Ii zuTAF6a@|%R0+nVPEChMh4yR0J41@{CS~n}ubI2xOPeL57a*9)q!)m8Rhj6$N4|CbU z)^g5OMCJtpF$7zi(>OARt;XTcaE!_Kyn1k0V#V+J!6D-iM~!;{|E=S&u zj2BMuiEECov0&SXr9|L+!xk$jjqsv$?_Ius6>`=u}xE0bIykcV>K|em9*)qbJ}o3rk(hw&$`Ys$3bZ)Jk4mo z0%M}N!KvdIO>!PMPFb4C-wDc&HnNO^Wt?p;Ld8Zpz=7a)SMAKJYIy*vZ49Cxx}W``K?JFGWz!BDM31eE3&c9ot|}X5A)e;m$tpZRfdr z;v5@W=ia+e1yPvI{^&iF#xbis4fYys@=g1mdJ9}E9D^dp$6Vnyi4=RworjFWS5_6T zxD8#E%~;S$1PossBAMbe`P^n?$9TFb|=NARMb< z5ZitXAZEQG_ggFXBLJNVa%OxP(fYvE!qek3o8r5|4Pn$D3|Ot62Sw#^gQCy_K(meK z@Edy~JyxG;Po?qe_?XOK#^BuJ+CxloC>pKm_wZ?GxqJGQ>z=Tz(ejV3&k;~n4_H27tmfME&>bK`(J#E=AAN8jFnelzCfqV7U z`vv10mteg96(7ttP4S9kGdG^~oENNT9-nbH32ol~RaLT$-2m)Z>%88U@qHJ642QRQ>inA9c|p&uzA08#i0x zL*;lk8_4u?-Nmot7yg5_q*#3E4?uFg$geq!--9Zj)ROPYe_hEHbu-%V-|=H-dY^C4 z$(4WeI`dDtWn{UI>wHJ9-*qWxTjQ@|%WcECaoktgJg)Op10uBxSwUvne2T*(nZjjYT;omZ#Y;sCIQM zI||rbM9jk1W9!ovFEZ;b5!Z(^3hHrF*kZyeW(pX`pA{+Q`bYZP&!6OUK%FvT9RF&r z-}MzZZJ7u1Q#kg}3F;#8as5S6`mBXz=*5*_tdoMxVA!tl(~b^ma)=Rzx)}%jfbsRo zz%+}St-R^_(Qo`y%h!MXKfHYSLmye*^|fCs3?BGpss|4qEN?%EKIZXozhQJ$1}wB& zGjMAe;JJO7c1izBx*xnmT&9!@`Chhw3kAJFPPdIe*2~v#yteYq2{v&20nEIlu#@Tb z1xkPHlz;d+Fyf8H3^3;L9*FN1O58JihVzvl+_wEQEr{OqO|siGz4Y>58sM6wnGZd+~2TE=S;PzkXbfz4(3mG8lRfFavB~^JndLzGu59gV#p9nQWD_N&z9`Rkk4s8c^6I(G`B-=S^i!)OV_@DXUbr+^GxY&@MfSH zIE{fbf4#fN73xgTHKQ}&w@5L&i-&yNJHdngPEOFDEcfrBzjtr*;J-J%_{HV#|NieU zzyG^`Z~5)t`VG82MIb#K1S9nLR1SYPp`-p5hhMb!y+D7C#w0@)>B^q(=lnYrhWcVK z(U2NT8TrbLp8@jk�gQEsVLw&kq9AACGB*4?p|ke;UgRew6LT=a=#rpB@o|UCeUM z#PZ=5evk+?w6`5O(wAMCGXc?LlLuMW_|ikldz892N}r5}k#PfrD(G-uQGb)7`oAGNBnnH-Z z6A#3JfVd2*`uSii?jaiLkacnH7P)&*DZhjG3LK&3M*Q^Wn%wmGx$n$a^vQuXdGaq# zDCdAACjY|``+|E->l!Aq1%}UW|H;a_{2I^t`|GQP$E;e9<8 zvz%8%_4zSA^H)u97Js~yCrRJOE( zmTtu*>Pb8y;2>V&szba8lzjpWh~$tyiU2+FWd;e?!w;P!LSDzUKlxBE{7nw@`i_@k*a^KtQ8#gexN$9K&1j}mJ)Bg3s1iiE z`;@S~){lkZI_@#|a#k0vnCaoS%(1@y&`1U9pkN9sJLVTCe2vtux0(H59I+rMK8~+a zgi0O*L-7+gcc*fVG)e&RL%(R@l8ES(6Z^E|8pIf~`fwPcs|>`)Nk*HPGiCZD{|qy9 zaBzHvM2qWgUXvAG^2s22!&(hf4dp3pAwsEIj8Z1B}Z2r-pj;;ROznG4~mVspqavaN< zh;)t*@5<8#3=`+8^@%-GIbj_s6)q`YeuF#bq4S|3;;ap6{*Mqdc9A0b}Ao zPNZXx^^%Y#j2B#KJ7^{^I?+?8dB!9*?S>(T#-tL>>X>Q1u}Ey$*+xAb z(Ub=t2#R5~w$}m=^jMJ7X z2OD<=I%S)tAuU1|s}PtaCw7z~%zV{*mo==MBKY1&r{&b5%j^ORDcR1BI!By2fRSzBo0j3-XfQB~_Qie$O~rGpG%j9z(S zFSusm@jxB%@S~P8Po*2mltNhJCkK(Mbufinpg{(HD)JbQ0qqqGgY4O{A(pP8?4gsm z`X#bN0|GPtj~|tcgT?_E9iZXZ)x%JP|UdvR4eJ4hhw4M$mRF6F=;g7FsUy0((=8|5s>LY|EFv${vheYeej8|K&pW|`nq|s^q_H|D4+;NV{XFcarygIe{+z*?Kqw{Pw zD$v8e$PUcYXmifes5<9-b79{x@xHa4Ab8lb4e>b6;fA6NW}A6#Q^|2qZ?2&9^2n|_ z+m;F%QRh~irNCP(YnrD|Z8EZ7cdNA$n5hC?|6&yGm z5ZwMboc9Fh)y6(@gN|>0C98HAAH=7bZQR%E-$mm)5HaJr6~8cIil#T*Ob04`kTMd3 zUw(MLmV{SC*-}S5wsY+3_`%7~@-8sI=* z8gpbE%;j%Qm_+>bO-+PJLm|)(b19;aErLA4`4E?W>7$o+rz!Ws6KssZh|F&rpHezw z{r#aS4D^c{H6wmF3WGRoBffR$V~8#}8Syixp~qk}$9EC*<$h#~eI#Jb6IVo2z||4-Uodk26-f*wr=MfY7RXcko%x>94se`f`kWfy*prW3_u}u^ojZPF zZ1SpW#GLkQm=xt~&KtuG4t0~w&?n|D_S1^**vuny+>M`U`nt8*qfb)5@e$8ujXh5t z+p~_(7>@7t7|Bo>ZPaf8d-}o0Zfg<62uk@D(ShAliqAMsX5QAZ?4-BR(}<7Ydf!P*=9;lM*ziv~=teEH+mXq} z7&L)k_!Q+BVsP!^J9*}g8b^IW$;zSYM?YE;T)9>KGyvGZBL7(5F|V-{H0&=Ce+?V& z4)yM5#Eba4398)J_|I8#R<;M1jg34Df+fcc38q%2|>kTyP>GdSC zJ)7$uf9AwBvUjr$_OX74s5Y+OHuRZ&&zjq(V$D9Zc?R*vivZ&J1;C{+1%Du*6w`)d zHtA{1yzE5zghe|V`wxkvr>wNuhbrOokiUOvUVSiD{&RfF@ssu%^7^7be55}WJQkzm zc6|j1T|LsxpJ51rbEFoZ{}7SZXrmSygj6EkP?SNK**<5ilmBWuJtDUlc^vU&%pv07 zYB1tclJTYW7*ecZXer|lXWLg%2+)9+*Ky_>lCX{$vEUC~sA-R}jcp_?5`*&PmtS7~ z)Iai%FMskIKe~M6!yieD$IDx9y}kS~e%^kYKM(MCa9rbS(2|#HkZGsb3_Jq{c>TCc zyQKdm-Nz;JG9_Hf_p$|CD)zJ>hdYcBWh;rsuxqjPyeCI3MW@B5K{h6ypDWU5#AiI+D~!(*BRPKV7>_8_<2hiWXbi~u_#i0`nE_#G zofylV6U-iljz%uec~e6i)~}pwkn!{PQo`NEe_O5@l%ILVJx0Pr{WZS%mlpAvJjV3P z`Z+y_4?8{dE${6rE7ocs#bP`_(uOs2!a1jEjCDc-%@`+iu*3s1q*#?QeMBWcaG@LDoH`NsYm z@gwdXJRH=%T+;QSQFDBr6<&Y%(pZx4(V9}kIBGP=eNkodgNhKynb)82g+gmh1- zP7fu74Cf!GvHxrnCgL{hSNt%HAdH5T46b5Tf6ST++yoCai;Lm@Dp*hbtd9X5GANX*SIG2RYoap};^>ghMBRa*wLGj_E zc(4&3d}PWsk7R%mIYxYHIWPIbQ1OER;RFh8Q3rvtmhcwD6rZR{3h`luyjZo88S&v4 zg1}RPl(CU-)Gt}^#h5;i!VhNkZ_AidBnL$ST z1SV{iEUsc-a80=W{zouXzr4c7Senr}&p*EYFttb!y^`mg{|BZF$Pw{W2*%o%5ZOjX ztcCf|EbVC`x5VPy4K}(~&{U1S^rk=ivd)o&bdqB&m7l_dPr3>tu0O~p)2P?K0D%Jk zE56PP#NwP#!zXhNQ`I3~)~0nU3ZI{uq3X}H(e*Dw zMM4S2_!#EojdLF{Uzd9ya19Ooc~9wd2^Y zf5VotXu&?_6uA^9CfN{1IwT8v9vO#_8gp)ZEjk5kj6j>%D-w-$3>Tj>wxtd2`M=K9 zk^=Yf+88<4jK-sRO{re@`A{<>rdn(Rl3P1Gy4DAd-o>ElI*yzW@dMG0nk7R6lugmB29t>lK|5T zpuYbn5JkcaAS4lgfRKTZAeltNzIS%zKlkHtYke3>FTcNsT&dJ`0?|IxR1=r z%CTIBsv1us+WZt~e@vt^b&ypfT((|UW*5vJ^R8k%En@lDYeG2Ku0{-;%spqAk6za# zn~v|EpD`8Yv;j*PuM0zt-J8v!*I(&;eUE8Lw4S^evX91K{4-0Fz>7J1O~UHfMm-h4W?RjgOJO|<8$e8} zb!K*_VeZM1)!)qGB;*BzW|u+h`S3gDp0kVT4p()JPjlN=PH*zndHDptR;1NDEL+!@ z?sAWPU8&#cA#dw&+&7G)@#; zvg~|Fc0N3P_qTpGnL7~`EHk0&t?HRCfaYu52r&zOlML5LmKyt!IaVeOdgPwZCW5!> zRR9UhvFQNqC+xD>{8zTSaoi|q6UzxVvH%Xu!bQK6bv(sW z>E`dM_x#FL{A2!i{ScOS@zu656sO**;qW@3d#u$L`i`%?R71b|MOW4gRq^{jD2^)()X5loGcq+T8*m|_r({|RWrVmEIVccXQa-t`aJ)+R*WkYczc zwSgw*^6qgBDvwIkNrL7SLd}u)KD_Iv2GfOV_XR=cJ7^ytR?fh68nfna|HD($_L%Qu z(^athx8l)5EXY$M%xLwy9uz_C?aE)n;;OG4+ju(aQr%T9=(py7Vp`#A(DP* z=5hlf8U3^_=sUjJluvS-Xx=(tc9-YMaSvxQGaQG_*IJief9ij8SvNM*q0f7cuQ-&9 z$DgM)M6RE`mbJzI%2S}t1iBU88o$Z^W$#fQ{bOs6w&R_9S-rb|UJEABMRGf+Pc$8W z1O83%9RI{a_X_c=8uig|QueU+#guR`p_Y<3i&^903TQz~vHSXX{kw|FeR}VY zDafuu)S9~I&C9%IH@eq$PXy?_!o0N|g7Sc6yc2)2{`c2i)I`OnrmK#Wsj^W|{dp^S zJ)>f}>dBZzY-`~!z0U{X_VdDaI}Q%GkhPT?S+VH$aWT8R`sqI?|IKlao7nf(_$y=H z_9pwQ-PoM+f0KQETzTGu|DK1vU$FMxkBy;mc7CtFhZ$LUcgUVr<;C6gkI&s`uQZ(n zTU24Yg;A6g5J{;~K~PZv=^PLRQ9?xpsR4$Pp@*&k=`N*V2nnUT8M;%tn?V|e0j3Y% z`Of(X`@Qzw*Sntetb38myqW*AfY*Q6@Hs6V^UpKiV^rRz*fOhU{=j!y8ggJ9qOS`} zZr}6qAbg{DJa7TfxD6ueZ4f6%^_--R4F$F7i0!^GL)*MDf4Ur5auo^J`#g6ge)8^m zZ~TqDSou#^(?SSo_o@YN&CM6-W{azWlkjT-Kunmg@2=2g)o~v8`6NhhzwD&-%jz7< z>NG$B%Ioyv6Pv}&f6{*jx@~EAXnWQV z`xpP?*zeFM$VWHIoD7?dm$pZhl2=(Jz>h7TP&Q?W>Y_~TZ`4U&_n91>BFZ3; zmclVgwoV_6^38pkVFRm=2|*a{HMYHye92TT<>N)H&)#Rx6YAy}n$|DKmc)yn_?qiw zEbiJjGrc`fE~W3a;&~Y5m0%V!qxA6$afr>MLGN(@2(OAuLtxTE5cn0+ObF>!>ofe%JLi`1w_9E)AzMPrUY!%11diNfo0|#;L9)r)TnhQcG#SzQ#H#7<4 z6+EVI$%hbt9}~9 zuy?Rk&DLHv?t7~D7k35NaDB7VG^}g^mVZZWl*uO#3f1tr7P(Zya}h*R68iBViJ`$x;&BcU3{PaBd%)CKkGy4+!xK+_>p z@q=EN=_%mw{Gwr}<`DCpQjoSJi05k-5$CIjFF8JU z2fb2#RtAH|nLC92&PK1j0M^={*-uZBHbEztcd`zGE7Q`qhb;kjVlK!$9b6?G->x>8 zZGghR1*DouG1pgWXD{IKI&V2g zpq>Jd+;G}a$sgC%J2h!1f6A>F@_@h#?6#twFLOu4oF-wd#LIW0ER?m;P~ zX}4c$n~XAwaf?rGV5!B|6tQD6DHXJL~4t1yCv_F>bndPhK@> zzt6qY;x?_pSl)Fd@$gQ>Fs$$RwgDY+4(SQ^K3vlHWk4rtCieK6&k;v%iy_T!<#{~E z(k~Z&)k-LAZqt))i0eAtySP@JC29!A#HBaFN(o80k|D=Ifb|xMXp6{p*CnSxPZP0l`#0jLBHnnG`u7u#niDwWLCxa2qP)BE z9-P``YuFw%BYJdL1ad6)GEMEm-7O9(X`GSH= zLuy1T#7d^SVmF-?fH0C#;s%V;HT{q)`gjC z)~WkQ4VNzZa_BLyUjCyD-uF>DLzL^@r0Z5>|sEB%fZhx_c3xveneZ7D=5W^9aQ*A(V&&n#n|en|#7__kIlsBnE-I!Zz7(r5p8 zzo_%&)@OBMh?&awZI`5Ni8R5G3zip@zm#&@=vS+Ue`@I2uXak3Q*YxtufB<_F`@ap z)rqc#dHmZ`{|D2XA3Xw*OXl5A5R zX&EkhkzU)7?l==rcs~Q9>FgU}Kj#|c`Pp{q{%CvNQ0#vMq?0|OqyhK4&b~3s`OU;# z^TQtmbU9G9{m#end_(kXyqdRKi#xmkp_X46rQDgCo)>~~Y9g1lgNZL2-VNYY46kt1 z78-Oumd;v^kTP2(Gc)1cZ}^Bf8=h$H6{Em$wYeIS83T5+zX@s~W6(V;#mmZ!wmD2f za>J+_jYnBq{)bk$;^<#Bx|B(|PPDzBz!72go0+_2>bO{;%fZC-sK-#a+3lulBh;ay z&`%0fM~{y8{FT8%lh>_;l@zbL#;Gm8Mw4Fus!wH((O6&%@>pFMiu_aTqw&vYJ=?e# z{`cp`lco_{saozMAB^kWjiytY-i87f-R~m>7c3v!MAYOZiA<`t!Fw-Vii0AjZ&Hs< z@0LA4L7X-K^mBSJ$7*m%ukZ0PZ6q4Jw1AbAf?V-DIYn}&V#hU2)MkCGIk^`>gqRF! zXI)>iqG$BOI>Zkpxmqtz=3x%Kv=)zCPzlc`ZsRU0IFZu#Pj-GebI@%7w&GUj zH*oExeG>N^fM%JgUvSBcpvZTx?gFbM+8a3D-CTq9K8(0r<>3AC#z3>rYCEE|or~Bx z%$TufDpzA>9K;X;b2u>p4FyK6U{`F0EwP)Ajq$ypp_?D8NIfRbvD4itznCm>)D|U( zHskYE|FL*&0>jIU|Vppq&D7$}Fb#?vK-HpHo!Z#I@hNSY2)+J>$tSAl6tg_1-Cg+Fy6YCuBiiyx_a_c%U%F z{AoA(^?_Z}md_q2-&OwCxykkio9|7;hp&vTM*W(8=R)d^1z2P{S4_M6gX6~qLGGr) z*CuO;T3=cQSEJ>BCqCetW=2QD1ccSO>r~}h?*c)&HrkNAZNF1|Ai13l?%6S!xr^mP1}A(FTBnfAT=;4Fz5P=8|0N#U*O)jcf0 z>+)@$34TVOK>3pUuO`KdxW$vjSUTS%kd*7sah6}e2lp!@4$1*U!K{^MUZmDtaku>@ z?+YNHFK(sspf577VNFq+78}z}G9YO}glqILN7C8>Er~l;Kh0eyOKW*0?aD|#q~&a_ z%Of=J(9t$&n!-zO<1^_OiTFSyQCd^J+_tLlWE{2sW1NJ+Ecj%<_7YX)%Xsw z3q>)bM*5v^XP)-<=jq5`14nJYX%`l2lr|H}NwGlBBp_OP#wI3Z!qoXPW>OWrMzw9~ z-bXv9UZu*zbETYMM{6-x_9}veBjwcq33H=7zW7`K5U&e5y!c5x{`Xq))YrC*<WSP0F=ZRMw>m>bn&ThUSe?7p?C?FN$+uVjYuV0W-T*GklYW&PKZT2VU;U>5 zS@7iRfr6y_*8Q!NHl_tL@5NcaiPgcXrJ;kQna7mV9NvcJA{ermi*W3B)VRf)@s^aeQ9~`OMVIjyPHai?|K6>Z2VcX(N2)-0ThQGLF>UE);Oje_fPcn1%22 zDQJug6b-1Ux$7)PO6G+uaP_5@wm)yas<0|7Vp>sWJ>b~4IypM^krR%Pz)-{Toyuut z0>p*RRUFcI$5aUh2W2QPUkViaBtP4hx!!ayuHaVYUr_Q2qi@BswP!9y?8a!xN}W+2 z8@$b{WEJAF4DkT{d*qXXF&tp<)qOZvK&L-(Xb4Jfr`{zvUVZ5TQ7MQ*fDKdKD!HAPI}c-cobqP zh8Ps0c>cgZJWUrlXuCXsKu}qrw1&F!65pID?3+cE^$Dnad#YcvguH#50o3^2+g`Mn z0r4DtWY%tNk0Gr1T2OPAU)qlDke_Kq682+J{ANz;?^buj3#93|cQCk42$8scyX|-? z%V#$pZDCV+OfF&+f`w{njI+pY)SVxZg)mX>A4#h^25IA~Jv6E;pUp^bZMozuA+A-8 zIvIT%X@tNm33C@5gXPGK1`E*kVAN)kgOwYhGq3*B#-$c9xf~|td!8j!ICR~rvHK|y zpL?^Y0`k}&l^}1Oklo2z%@FXK{<*p!gK<4_6_OzE{Rz)dFU70NF$T5=M=4=0D9axQ zKB2!y4-5)s*bq~c6hxfPo2xkdZ!BdU&d}*`^A`#-Cofsj_jo=7i7{{N;kTJY)1N}e>**F1G8k&Rmv-?->o0mM|R`U*q^$dLD${ibZ$f4=@xUTt}nrvZG z9eT)JC3G5OWx@K=c3jK%dDf<*9o320XQ-Xmt?P27R*j^vkY~@a;2$pXx2cd3NMjPv3^O-%Zl-|)AY*{7iQ3hF-MZCZH|nyQ zTsK9jyLqW~CPGnQ%*9b5s#8T;K$5z^e!>nNaMMQT`zwWve3`$74EQH2PGU%3Zx4rB z?q*jwvRBmY|Iv(9N?az2SKo_(>|KsFx&tNn(1vh_H^L3SZj-%?rq0EhzNuQQ2nRke zu@DoP?30EPZc^Xyv=FxuK3GGc$(X@}NJG#>dFDRMdUHz{{Xw*IE9-*3P`NAB>O14F z5vJ!h0{j#P`cmeXr)s-erI*(QDti>3R{Si5JPyvHzR^%tG25;1QLvLz2zjnYdE5H* zXMN>NRwV-k59dSmdeH>avWG9-d%6Pq(gSA&s6nFM8e7+2XT;STDuMJzdS=ij6@h(P} zG9SF%{^y}W{#1uHIIf&@NA^vxnb*$K-whq)LJUmdEsnLw2~s7^~(Tx`){xkV7(rYsn+pFSE2GNb1F(#uY{w{)oV z1!E7vUX)_UxvzPI!;1rds=SZm;0U<&{i*{h(emD*;J!I|?re-8+uSq)olyjwu&|S1 zu4~S#w)3-+Hu`@SKuk^ZVeiP|23g$3qK9~CI;2ODS2T{E!u=!qIqe@}a9Ms*tNH;0 z>|GA~aSq0puIZR-qFqMiSE|nDZ~i|xN7BlVTMG^=)7NF`sk!I7km5hGFWkLMB<9s) zHRzW(hmkz4-7EK^6&5T8vrjbMsAQghv88<F=7#&f~#Z`Ptyb!@J3GUg0O1qV7T(kHv6yo0_9n(IRAcM zK&^8MPj3%{-E}Dw&Pj(=%ST#VfFGouKg5z##HRBAsqgQW3D%03Mo*tg7;H_qF{Z$YGCvOgY9#-17wMx zC8abXG^qCZmmS#%W4{uXnw6YJ;4STX280lB$zOJ~e%40a1=kjGvCl{@+WvcC#^wmf zrOGO3=M~k51DR;C(+1e*R}684=yLI|a$C7Dnt;~&uoj8L6%;IaHfOtbqU$BS7dhWt ze^&DSV`nqgD6Uj_OK9Lopx3j=srGy}qAFoDB5(`TlLmRjRHv#+UvRVA__}_@G--DH z*%E)1sL2r)uBhos7WNe~0ex9@Z!YYssLH)6*{a;Qp{b5WmMRA(Kh+AEYM(Ke&{}U0 zF{T5)zAgP8>G;B$xSNm#Ryck8<16Fo(sCf{X(3a6l(DW}NEIo)_k=-sKg6SDh67=K zF{Ok8%Ny7Cn?Dd##>WVhAVBP<^{J+Am&1=}UOm!0dFQkOoShYw;W(dZ{JExhfNOYq zvO*&sjkV8MZG_s+6~-G25jlGska)~i=Q-@Tfw)voNR0Sfczp~S&i;jv zVEHsBVri~y?F(#zxIwwg8!&AkG9r6H5=N)lqe2%nC zkE|@KD%EMy9a7*vWPjnmns&-C$0G^JK&zF_V?3zRQ<*;BB2*G?$Y9<*eRI%QTbuBM zbn91D`5x)q_q&n{+`L`gf~z`WLA2nY^29~!JO|HY zqYpLp-JFL|R&Efpf5v^Y*Zx{CHz7zeSg8=~?e}eFKfF!9cu1Nh2UNlS97~J>KY zs{k};!K)?XZT2!-K+n^0nmmz7hN~gLK}*XMkb3elZ_~itWQ+PIbuDJ0Gu>}yFob2u z6S8l?MGxW5Jn_sb(v6VUfE7l_RbS;2>p#ydx0L{tdiUj*S2GXSvuIrq-~7jfQ5 z@VNg=7F$%AzMthhaH2V>q>Ph*I>=0GL-D%L-GVC;oEeP1dJaJ~=Y{Hl`kd4-_XJ$+ z;Z-lf5ZzLw8)H5kXY8YJV{xI`1`nXzkLekL890Z^ogOV?n;ph|>L)(WF-Ue@+)cR{ z#W^4QLxKM*qx{)+ejjJ1k)Q|g@FV3J#Qzynbu*Z0?4eDP7nEu_=#1w)Q+-I_o$ugIIUck9KV=ElRdSXj)&xUJM?*+JMGQ7oDv$xtFnc zmyCElI}*e|ZeATrK8+mabbHSrJCjfTf#-MPkaH$CpFMk2KO1%f2f`6A@TiO_9J4A`Et&y=kij>Hr;ejA*M!2tmMn9E_%8Z zv6JLGkoxV2FUcHQWj%oDlMv#yq6Iw8t>@HU98Ft{uo(6#3IMr~2Lh*bfF2;$>*wD+ zgB5Ob37g=3pW!Rs(KY4kab1C)@<%|`Yt;6;t;|<6uXR_YyXsMWaQv6d{<#{ZH>pJO zH)+m!V(rF_^Ez45q>uV*%?e*yDM_6`55}KK?~tz)NJHuPGu|*X&qEUNzSMS)|1lp@ zV#7Oy-EZ1ac)MNGX>Gvw)V^v7ahV9C+a8q0yJc-FJ?1S1C`i`U+dOVb6Sn3`05$Wf z$wgMXBi?5gue?fHOdc$Sm?1DYa>2fCaq!7hdaR5r(*$uY04oTDx>xWr5Rz8(Lz(V} zoc;zO;pc0AM1@VUuggHO?YqzAPHy{_(~RKJM?X%qyhfPqFs!@zk3Z8FL#~ThO-3i!PxS_A?9Yf*sbivfF}|kvquVZ7%;aSf;0c`^ zkzr-El4iBy9T&&#=x^Tip#s~P?GzqMH)b1fYbWmIO^Xd1ffS+{*wGq02={m-P}Y*- z$XGO$oxe9MLI@=azgylEgWi$w&MvM7^T-;so=Digl_ZOZ?fN+WwNC1%$d zQkge4wp+TOxX%`~H=*#fSO|wqLQJ9q_Ey*u3f#3EgqLAXwSwu|W>FW+yeAchMhxo! zuO`*s?py-&DVi^)?I{=BR@#+$cBG9vF}as(FA6r7n<&&&V*ZZM8=h?5=otl_29)fD zQa6U_n~I9Vu}FOTBF=PCm(sT37L}5&nV%7`oBx^yqh2PO{?bZP&o zkW{Sk+FjKmqG3tg2JLJY974f&jC&-%*N2w1q;sjDBHgIlwHJLFz-|35=zxvD{IjO3 z!S{>z6~GB|2&mBCY#>_MZWAX^Wrb(@WD@TTXqCS+)3_M|wJ6qv>C@7U29%Sh*FRbA z{CcgWjLi3+p%m=jXHD-ZsT+OWR_mWwv^dSc&5Ke<_Ft3@PsmnmYFp%OdckP! z5Rm>`PxnZ-A3aXCxbRoWfoJWzhHD%Ov|lhJtAzX6Z>C(vY&Uv)b3smNrfAZmU2mzR~v7 z0sf(EoQe?_v05bPG=Fe#<8)re>qPc@zZheEy@{5GTW)eg{fdwrSbNX&nun~Vh%lz7 z?Cezv>b;so+kkj}kq=%_Q%7xh+n1=29_X=SJW=dgp#`3v19NrR&zEBT07&Jhmlkd3 zgWuGZj>~Xp*j@`zch`K~^T`wXF2uNFN00qM^5>oMtBJ`}e9$d%x!}A7(@J`pGv|6y z%WcSmAi}#91uFk`2%NV7lS;)H9w+YSGDvwM(XdUn|#1L`HnIS3ECewB&K#n1R z=9)bFKLbkP>bP+)sgcqRiVs!m*$(RRE3C%#bje)zG8!89kKe3&Icplo8Cr!^@hl0l zM-0{krRrf`aaX<*;Azd8Lek}9Ez_8aEAB5s+sHsS2id6l7kRZD$WnF$a_R5zpYDYH zL>HKsA@LW~Ocil!r$N*q;s{mWoqYgM%%-Od{G(61zn8>XSw2fGEb`P41wgNNbyFLV zo%$Foa!wcWpVhdGFp*BdZN?V+i^r;htzb0$P0Xdeg6wnyczM%}r+(6=Zb|ZjfRmVatuSk5~WfZmJOf^SrwDI-l zh_Xlt-`zv}?5&sic<1e2n)$9vK})|&GMNOBH$^yN1@|j<%D9zteZ8ITijg0MS zFlb24ItxCEbCoL=H(bvkt@hXG%7njK2+sWTe42~0)4Oo^F=_4G<011zrU0#d<*}~B zOmG6j>+>xjcB!}|d)P`)DnbPU>`Ye=AU74@;L^&b%CMQle{n5OtpJu;}rT!xO_@?&KS_??W zZOgQ@PJVI{D73PZ1YdvGD0p7s5PcWV;?@4MQrsnzMH6v~=#y{h()(IAeW8BXPZe?f z8ENY?Y@oX>YAp_*I85Q=ETu4(cG%&OK;luZc&IArJ@8QPG(I^&?)&B^CTgz_XAN)Y z_8%B@){oiqtVVF^zV~%U>FqpeMEXBfY5?LzyMZ@O(sT1Aqs;!~!7Wfb>!8N%z+?;J ze8|m;sicrIPeoW)`rK0Pn`nHHa68q3v00j9ZVasau5)8q?*^j8z5C6j=R$kN zo&g9aF{{qt zm5u&~nLP^k=I(1e4H0^5xLOQg{cY3Ir*c8V<2j0^bSr2XC)p)%`4|wlRL}G8nbZ}* zp8iURf+-mfNp-*I8L9sH^3^*#4&AH$x!Hdab3CV8Z)bm!rbt1A9@rm@H%W6&Egf}K z1AYJ^dTFfEU6vjclNQNrDo(Wwqw$;~zWpSfHQ00@3xDjlWuAF zIc#PiO}||vFhnQz4KJ~)x|*R|36N*!S2f4<-y&k~O~&`ybh8l6);urXp$uU9J6S#s z-XdZ<-z3sg<6wgV=z3JDE8dQ%uN0TEFp{p+93h@_Z58m<@kX3H3rS(%Rnuf_``<7Y zTlKt2m;xzli~+TPx2?a{c2Cq}Ux9|y-w#>ve9xr!(Qu=fq>ZV1+HqEMTO3mLoBmJ` zp6aUiw8fEk$9>oSF>O?OEk3dsV!nJ|()CtxuO{&43`J{kxvD&g-XVbdd8g#vb*Ha# zjo8P_QW{Un=&)=@uv6==Z~8fRytUK_*M3tK;6<|3>dK&jb*i|#nJuM>4ETi8vInt8 z18~UJq-qCo<+~GU)Q9}o_4AkU{8(^Lapn5=Pzo;)%zuu5B%&XsYyr=Q(Ih06WV&Px zdEG?Kvn*l^JT_2Ccd>H(60&|9y1%jIpWZ>`NX?%}OHpR8WSuhT>igR?vwwQIdOqQh z{WC!Tl!|(}x&BGc@KFgwN}Yd|9%_QE??57#*uXUz&Cmq*@fzEOG?64Jl(@9CnqULe5i;Ne--HF>@>tO(qa*Z666#b-^B z+-)c{T6mh_?}6~Ks@ffVi{byS`|Lo zrUR${RbYNlqVz$^`KTD|H2yq&a(Upqfx7u;LJa$v$aGA)69WD2ba40NTC?)={UIDr zIlQ~N0^?$rIruR*N<8w;W$nm5`(>Rh@m{OxJ(}gw3cVxQv&U^t3dQ!+H@+EzzPz(F z`ZBa)T-~dJrBDOio~lYB&D{_x)V+A=^B*q@!8Y+OzUBW#*gVue$?d4_|8@gkY5jLM z(14fvXh6SBrsb&e*oy0zt)fsmoRhbnVc+ixQoG-2%r(f|q(3 z7kbM&r!zFoUsg3(+)uZLXBuA0t9iaUyFp0#Cnx)6S-3IT`wFe@afv>Hk=ABl2VO*% zIS@YWO7ub%l3BUbY9DwBq}=H_7U9@c7je!$Ks}m*$yZKS}g7 zQon8!FH@|3+3y9zyyU*M5u(1l50Y}^cC9UsT6wo=-^j)5xOxK=zXr71AACZ4*7V-_ z`?EGI{>}qtywVBV+bF#F(MpubdSdDc2E13x@eGcR@w<5ZI^jb3K#JHtmIzZ!eK*1; zxP-Q6!sr+f0r|{DE?Ln;d4$^MjBen`3pd~6gqhmyV`D9;)qN1?x>>r}pWlYKtf^RH zz-gJm9iXg~czP(cQRP0b#(N%2Zub5NeDsq#u{7`WV*Wj+5N&?`rGXRdA(`tRMo>@n zt^gHe=c7n1slw8ZG#@fa^1)hi_a}*)?fiSS)qELW54PVPoMn!?XTwA?X<6}^QD9?m zzO$!Tiou7WEJ%{DYqPIi56CYucz*)qFcTGvwL{l!&1%D-^a{lrfU2$p7if7LwF&7( z+Pxkiw3PAkwHojJV?}{_^`{_WKx76gLDBUXB{Y-o6axLXn)hYaBQnExDD2s%&F~h> zX)Du|QEhydb*OrC{-iV{`=*~7u-cD%;j)X#MQu^(q3bJXNri{><_PlBH2n-+8`X4r z{XS@DqgUZL#?B@h<#flP`1BuyHOoQTMpb(J^d@v!_GB?vXNc%RoCTgF=>O%c3sYml zsp?!ryWly~xeh=zE{4tgmu|K3;}LDds~`0rShHuru zKT-Va%o&S&q+?9n{sH*>`yP9syu0qiz=={x`e{BNE9#Bb?VjOG10|l1KkDALO8W+q3IW%QWt@5+`){*?kv;0b*t?y2<)k--wxEoKS1Ao5J5KAT|@5M-;<@7d>V#9Z9M3H#x*X z>(ah9S_a42fhvz@4nsjs3*S3$61!=Q&b^uUt9q8}lUP5B_xgujR)FJNWU#jdsQNKE@iq1|D z_K%d8tDdAEFhKnN)zfB3OlRt34mxliL&I^8_vq_-!&6#@lN=k9P~K1Pd?DN(vOX7^ zJAOJW6Lm*3L$rZtK|o=?o-xr~`^a!~KWZtW?Ieo>w0qhZZls`c3pQ<#k>e*mCrZgT z$Es}wUYz-+;z{VPnHKWMes`erBQ9f@e$U}>I@+9!k0XDS)9wcizs8Uw>ctBWC{g74I8+|5jj*{nujUp+r_ zfe9PD4fCY;^ATMFBz>Z)3(dzPjTGHbp9f2C`l9OF)uG;zkQv<*#f0WRR4>pqZp;ZW zwAQFsY|l>OJ{5kk&kGz;^W2~1T_(-6yrrrV3WHPSThLQK7e~6b5OW;7^~rknj917e z!@t=UbDCbc)RuaZ-_4e)tY*$Z^^=@3M|2zguc6#~`8bMyW_rPIsJag|HX*spolFYn ztYurj$)Bl1HGdn8@ITpOQnEHAm6mAck2YI0xXuqATg+L~bxjetk`f@-xk;yg=QTeS zC4A@%Bb~U#)5_P3EKhw>`5OOe0H45^fnsZWDCjzI)ag)(ndgYxmi8C7Iw`0_tw(5c zi?}RF&J<-Vgqc8r?#I3mZiz2u zV%zAl){B8hl044cIt>?F>_exLsQz!jJhwfm_!|I<>>%yyW_!O-d`{d+85J%0pVWs| zG1-{wd`xK8&(WH?O`LZ(w3}$!=I$AknwSf8b}8alTPnoGK2h$zOdA33-Bwo^`WE`9 z>2wuQ&pkLRu^V-F>?h@-)0hZh6{0WusYtCJ2Wq%IF&prVQoi|Jo`+;l<_wRPtxmRZ z5B;BX0SR*j+uI*4&FcO>tK+$4y-yDvsTFHFewr)Iq^ch|su`pmoZ=;;aOaBRadN-E zFiaN!r@V0=m+T8EjoEJViLvD}rttc+W(TmDH279N_5tFAyO{Y%K~~XgD3fn7b$^X& zXFf*lfIr$N{8^zvkw^k7DYP3ob1QOz!}prf7q2s<-vfK@FJyNFjOpHbzkg++%JG(A zT4{>@?hJEA*>qG%g@{r-4(?RhP9Z&UcQAob8!6NDMsEK6V-vNwM2vl@n=kR zh|8tLEJ_Bnr$F%R0bIWGt9xaw>d_kS>r|Oz$7!rZ1e&BTV%L}^1RKFn54HE`v zw2lpO_EV309k{g)yI`JF0jY(8&Lk(WO;30dj_PHTRh6G6w%SsHAY}R2^9!>kdZyun z9N(QL*V&0!le&c$`7QnQ1iJ(eo|MkHh#nb7x;Pm8EX_x&!_kc<4LXQ~?@v$3u(^Ru zOW^OboHifA6f2F(c+DPn0h3+)_g~Bw z-sH14_?y0Y?k4g!e-Iu!s z^~-!Z&1e_2R&lOiAlH{`;@^m&-#X9{Ow$UX!kz$WPG=;Sn*@hGbR+jI4y-`tjZ&hq^xM2wq1K`w0z#j$(E~tJ;csaa1NPNSsT}E4$oM0i^pWtRR+Lj zc>elK;^Pd**Y$DagprjKJMFu=sb$VZ*W!&U2*&>tU!hpkOzn2fQ zF?++uYbH-45=i6V0wh;cufFth8mUy!S3h98Oj3|>Vju34gLLfw2w=!4sQNTU?dI+Z zMw-V@zLmx%HRNYDwn~!tgfS0qc(s6F<-_)6K$le1E02eyur$xv(2q|kOC$QdFY^h# z_lu2U)C-8}lYbU>2gWLLczn)lo=vYclSHhEhOn&7vityPmp&}-r=q`l{KvOg(K|=D z5Hj_HTAwE$Mq=jdJLZ7yk?x1t7?1BWF>-Y=jKmK`h$G;DG+_hAKWTPwSJqpHbh0Pu z*2+j4UMsx!xp5d^dBQE8JYQS-x2feFaqIFuA>lS=OvA7`_%{&g`spt-i+}Vo={h^P zu^AF=PqflE_8XcSg6+Y&U;ObCQaxY1yf{~uf5E#K5O&ef7b`ycaAgG;H|7eyLb%7> z{1j?x>@uUK{BbrzJ=uGgSioOOM_F?P!N|$jwTPwH$=>EQMaUbGzOQ}&V|QUwBjRf} z&Z##$bgve6eoOUw8`f=0)o;H%E(;naz)`=SZxidbA0w{Gdpi;J4QaCGYrK1nYb9zT zmXm6xA=utMhP8Ai(*dlre2#RX0zc`~rcrCZglrsm4=$7UqUq_+?p*_z@a)*SVCcXD z`CaZ2YX*`@-^p01_884vsil}n@sD*s$b(zR5$k}eP;xH+K(DjasNeS)1py`u(zWEL z80jO}G`$V{?o~wIX0j}~!%?AyvQGH853#=w|IJxnMEcN>Fw&ar$BFnkry-T|8o7B90RC8&0eE>0wtB`WVSVyn+117tYH3FL zPY4UzfOB1_<7ul)BUZJ*y3iVBw zzfxbnuWPk7V`Ov+1=M0fGqZrA8J3j&oGLNN_?|K!(wd|%VTPv_)s19;p>;@yYg(i! zg!g3=0*83@>tb?RRR23Juho4JuCLI#r&I*#m<%T7U@oH&$EZ%5n!O zrq=r0?nQRQ(kCYR_use9_JDHu$vs>5w?(h4%r`PJ|2-FmL!qp0%BQ|OB_c4~DBahaqEb$6d( z{k1oOtBMBWDoak#MHgBh!(Ep}6)={t(ovWOvDETZ{uI8iaZ~3!u1M^1Qt}9h^Vur} zq8)1r8F=43`m?#x2pdTWOz?M_Sh8Y(sWj)_s>+W0D|>+wWmTWA<(tB(0Wj zHm8c^>nv6!fp=|w4T=lg3}4wV!)Jmq_EgXLn0%T20w%{m-=X`TD@S~L8Mc^(&1y9w zLys9oyC_F>=0OIqZ<^nq6CFZqhHpr!TzaeBgDN`zDd}lg3|hg_Hb8C^5(Qd0Ndw=4 zGR39wgPF5eoo$3}F#Y=nzrrWI7JU}fKUeV-f+36Weh!52%f-!i%5JM zF4=Y)!92nHlDCTd&aC7~>GpSi&|QE=fG^aB<}h?TDPrdtd(I=E%5Kx>HfDF5y(+Gu zAhh^bDxkfFAz}b4;JbD}$!b$I5}KS{)i^Wy#?X4QdM7D}&q1XTujP}Tu&8VqGa1NV zfAKxI|2<*e>Sd)-_q?Jj*cy5y5GoKI4Cd?;d_SsSkpa;{NVM$;2sU*XkU}A>uh%)Q z9%%BafeMIUkVGy-`tYPUTUiHY)=w_bAI{$wK-7vN_C#?Lp*B2p=3vr(-E@IZ!?CK| zWx+`NAe;0;qBK|h7VW<=-cP;Pl8G)pVlGvhQm~3=_mF()>t~o7?{O2Q;*n`hf-{}(wDNJ$wR}GeU0i#Q9rWSsT{nj zG)NR24bSzbCxzd(GpL;A@B#_4dLC(;k!=?U0AD^F1;Q`@_Wf_n-9-8R_&6R(mWZ*v z0?xNGs9BghLwcCF;WaZk{1R^uLrXSQvaAY3;Mcw)SOTvHL-G60+=yT6zh`hCoDni= zT8=%*cToBJN8s#lVX3#mG$xI`)7StuXgZcG2h|90**75hWISqEH+~Z(O)}J{j;(n{ zp!#>iO%$kP3ZyyVb5Km9qhO7S^a!KL)5)d5&pgSvC?l(i?%H=GG$H5neIAtt2*llB zJ*$c== z_8swLuhK0AKTZ(EA2NtS;q>B3TP{4TUm;zpW1!cC(0lJn2d~G|W#sKUu8YLccS^Iq z=8>;AcDm&@!s~vvq31{5AFim-TJ;{Hcd|QUY-1ylp68!jp&!(V@P6%e35c#?O)~_$ z0;`u2AcliwzEhC$&m!i{bv31zN!Lk<@T&Z)k`n-~rM-)%tI; zD||*{Pyi=qqePL5!|Ik&A-fCd(AI5d zpeB}+Yr#Yx{y6vX9));mp{3L{mEhfcwV7k?J7fvA(XP2YEf<5q)ptDJgv=??g}pMF z9_K1{F$b^s-4mgB6*McNlWT!Zx{$JXp0W2mV|NIe7_$0pOO!JGVbysuyeqYuf6>k+ z-ya_4L=w>u5zzOzJOvO6UaSFa&3{nz-0x&z@~jHD`9=gCoA>zKbD>v$V`@6qzdtXt zXi7bx#7I>3wVoe#U`TRSBO{q{?AAbRuH%;F3nD|8#GTUjzjy|F2s^PyMJhJ7&lB6@ z_vJUfMm|jHt9S+;4iW`~*D}57IJK_-^z(jw5(vGuh;@<@!0Xg8ZxnEmThVOkG>KD<=?B?(XfWUY^@@F^>8o853phW&X~s0eeUE4Gk`Z zbAK#f@0eLm+!Z=LR0cOOQbeDM9CsVvm==+cy0LIEK2dR7b1-;l z>)oNNVDw&+NBNx$R-4%Ak}Y>>wugd}wIa`m)i`CKlCu>P_m8v*PLG^%`7+18N`8l8 zHWp>Tf%+!Uo+qZv+)H@hhDV6h(HALO40v>i1-xA3exCfhTa`!U-u2a#yL2MAfIB$_ zzJznw=7#(k)A{^MVg8{LAX$Q?_hp?!(UN9x=_sWZCW!|geV2smx)n@?VpfIQxPJ3Yn^y7rls85%R@?ybqX|xw@R}=NG|ofUTp()!hpE*WTl;qMx~K7!>ynfy;$UHl@F{A zIIW-wZne1L3#%{^hHn#mi;&ESIeLrD$Q8Gb@z1Qu4=ULNNPmGzRD#uqA!jUgHk*lD}S#m=SBN#=<;I`|tKk@FD6_#D|> zH_5VRY>eVhO;(SJZ#+5t#it~xl){;f(cKsj?M_+U*E6$`XPEu?yK4f zyAHV?Uusz{f9)HNs7<-XSUZK!=9=p~rr@Hw0z)!P?KI}Pd z16Zx9(YURCx?blF`59z)QthYTkbJf9C&s~>H|oKAn2Yob{5*#82FNbR#N!_YBFb5X zxT7qrj5T}yXd|S*d*u3{WReU_DXN?rCzNL9&A08q<{K{O?K+{}wsE|>G1rV0WU)c3 z$+8+n{owsdsO}0_P)l}*7a=`l)QePIoa%+~?|qZ}TcAYNIOz6Kn#F?kDa`l20aPMC zV9%`mnOv8uY_5OgnD9 z>x#6Mkt^GWVGdb2IBLu-qS(1HNctpucPIHd^{@S z1)UiyG4OWt)z|&su-BmiO`1^hVt%XUMQ%EE;A@ePGyIS@D*%@>KrD5qf^2h zZr|&WNdu3~5;vIJxpdk%b|a6iM3*0BTY=eTV2D%UzQuGsn-~LN?9{BVNfjF)hC29; zk1bimWb#0SBlyLvbtE|qs1p(Ki0_214OC4o=#aWUsPi{OccdxdZzuPWhYOrG8%5Zz zrGW{os3h-V9N<>0DU-f66}8j2BYDYxP*=6##Io+HZVC|Hp4)Bx`l*)YQH~}>%h~lw zP7F_?Q0c2!ez z93ZkgsdH2ITr*!JsbX-~0NU^~R|8Lt@lgxk(z>uL5QQck{FU8yksdz$DZvw}_%%n< zSnZa0=8A$A+aUpLb2lza-VC7Q9BF9Y6h#Br; zmjWYhzWRVi6MtItB_Kb#5ARqz0Q~kNaB?5n_*}@uB4f|R7>!(<26S=#)6D?}+T@x% z_>XI&z~V9)qY~2E_v;AbF%V81ycfcL4b(pTl&Fgfymy_J&hdGyS^OesyrfVi6@OO8 zPJn0N=-xuh9%_n(NO!sv;`B?_p-J#`Nk><(&dE~N9(+llS_<90er~*!-NlWdzy`F&$PUPlTYFKf zq$aM){kDUq$Yg#yg`xWK10KD;y%OEEs&iv2D-g3zvIKzDFQi9_Kmu)YBG#}Z^-|rQ zLh#{WoK0qhgV?0Onew?ikzVVzys5V6dN%b`bA+Msl>EGm3Z=^~2!DrZ=q;q3yopi8 z!{b%8)1Y9o7;tkOHNQLTK3{vwAoEMe;2;?(_(i4~Gy$FWWnfGCV-+#2!xxaUuKN3YFqfFIWfsh&o93;lvge_%FHWRau$_`}nM3U(K%cGQ0mu_+2B1h*jZ^0ZVE zVM{)MV{{_AHbA!ithrWl`&#!yD=TtrZMs)L-_Yb3qvE7m;uL{vPwjlAlfWlTesc`< z@|nh{u^aohxhFvDYURa}5|G%|BZte)U38;MPIpn2&j+r zc@LahhGeAh)Y%zdTz=mc06g$|wUV#~9WS$dr$ct9NtY{TtAmFgIj#7ydmH(qZ&hfq z@cOsfF9n(_^q360A&<-dsdc4_)5Xp8T2M9v<0i8Pb%Te z{#GzAWre4M&o|ICAB8-AP4B^)*P7hapo4Zgro)wOa9v_uF=#smkQJD&c_Ckj_5d6B zS$9K=nrtywR_W940<|@?N72Nlv24-g4o+j^-;>YezNIm!sV7@|M5Z12{c&lA#?MK1 zUp>=@?ZCCwMf$*SHL$^m1m!Km!hp~ob%OIXz_StX<{`hv|FlYegGb}^y^J#Cn1@#;lzw!3G7?C=;Uox$vvLHR_ zDAO{baYyldr}uRyY2sX~>3lCu$NF(f!a6gY%^fTcYro0<+mtjy-)EwvRJ~`)ucHG~A zSoHF$A^W%>cVvK`X|p8<$vE$Z^e&t4fpLUls>&WU^4h(xKrsTR!y9XvtTo}%g{GV8>ogKfthgn|-z;aewehrrYTzokSVWDIQ6P<- zT?TS*FtK{b_zzlH_7V>#T0@QM$4t&ND?yan-Q;ym6W}Wt$QIiuLm?2YEs1ODfdz8i zE(zm>Y`-hBA3XY&3YE^!ZFxgUXAKdrWx{6qTTIYK?O(93g?wK)I&pJ)z8ta_lu~^I zu~_b0cU{u}MUVXnvfR(+?sgD&|BNjo*bcqspLo2Ni7?PX@_buBfe3*jEl(w+RHVijF_yV;yeSgqohaj($)p>VG#Ip1%Yh}vbI zJhlvl!DkF?|3~WnxDhy8`PoE7zUu`+c2aU7_L;cgyL^yPfnN=3+_%sK0oeVQ2RN|b zDQg#`wcVU1Ev;olw60*>qtsVVHMDW2m)05=`;^I_y%S`w<|WZ?Yl}}uFV4P__TQh{ z^mLt5t`#8Pkj9-W-&!?u(xjbAF8Ix|EuuRtHL`GPEFD=B{@MI7phB@|V+W~SZ{Z*E z28u4;5TIm$6-cKX1K%V`k)I2i7iA*e6&`wza6?{drnw`E8-8_i6f@i61RZP;DtHOi z8oFEf<_lCqS^k09?|RmORVk%`*_DbNsOM_CEfrMxsG1?a-~MhVi%M4>%bE4D!$P zhtgu~-$}9YMsvwAW7YIHyf5ct*h|YJ*Q4rQo3vKOj?(YDNqqjQG33ka1@B>VJk`5M zEEYNfIIUP_GwW=#xwz^-$$P%o)m$1;R&TtZDLcn2-vk%s7hU@f?*FMnBbI&icoi(W zCn5)kB(uMGgseZ*B53QW`dcQX5Qltxn9K;9oPd-@D)b{A~e7Glgeef9x8k%gVY)Uel&Fp#NrU+qwVJdNWN*LB}E{A2C;bONzTJ|=^G6;g_Qe&^kd-_R@5RsDC^ z$zlJD#$C0xI!Xkt*;#J>E=+sc_lkUlDJ<#L;9_}DAM{d&_VAzTCYHqWjnCU^KVa?f z%uZliBmLl}=N{(VFB@xtqHNX>{CJtC7aqcWe2HFv4OZOES8=BuWaw^^_TJ`Z;IHtvk=3Y=;BlAk6-4svYI@N{$|+FYPqhpoh{*5 zeTv+&vXH}#hnC9l{g*W=Z8G^4HFM|0c81~lk+>Cp8>J>^HiAGA{DyhE0pV1RHM{3Z z>%Y7I0vvvv_ws+}WD>g?(w{B%WVP)R4DK=|f`6iz&(hNF3==VkU2{*?sY_tv{~Y)~ zza4{HSHoVBjzyXEeIwhXrAT^6Xda6i1m#-jbeD;X@+d!!!rd}wk=cx+MqUDPOG$*? z4Q6#7jdfe5vMd%KIG8$aij<8&?Tv-Q3u%p{y(4GEvrNKUjqsUFcn(vwAF&m3H(&#@ zH^no9jFhX6K^2BhIse^1k`;$0QY1f;KLN4Zd^HfsJ~X)a@FgOPh-CI28A8HBLm`m4 z1N(|b=3H(#%NEf}gaF|ibA#YR7M2KS*@I7Pj^EmLW4A8 zL8apk%Ock*A@?;ah@oeSK@a5q$Ds)SKCjW3ZKoPIKhV0JO7 zInxQ#Z}okSG>VE;LwG9so8>p%Bj*R``Rc=k>$B?i5eD%1nd$f<%(Cf~N273|fn&Ma z#8#{Slh&mxFA0t|j7haJCFJ(}tC|NkXp((UvoyP}Ngmd68qg9UUWRiwV79E@-=m_-IE`n7OXftb;a?Vk*ZYv2Hrc zmCqQrZ(>wtjg~`IkZ3{0g3IUFt#z)9Iw>W;6|1=W`ciD>5i#eQ1zb-PS>HtIvRYRH z7slD`SCbdy!JU_-f=?GT!`r>pj^Cs3IW5WU0EoX|C72>vR>;F+Q-KDG{?M*dz!DGT zdp%a^pqkwy?McJQhw_(7Q=U7g@Q(G|rk-ed?~FkjeDWS)<1tm4Iqg4?0}*HmBNDJX z|MgaFAoBBvH!Uk)z{%a8D<$iL64-f;Cai6d=3p?K{eFa2y3u6rw_-0=QWm83`cqn} z1^GYw=78{>x1`2QI)W873ZapWIB$HJIka3@f4QlqMa&eF#ZeGJ&{%muUg z-~$T$Iib5-+FK6^{zDK^Qk|Vs6^yUtzYxFCjw{X|+AwZD1FNs+Xx1SUiPDj2#^~H@ ztsZbHf$I-fUvjqZ2M8ibHDjxv|N4s~y0ngNV_bBXknM|ye8N$*_ORgNDqujo$KS0fd+%=Eq_|Fniu7m2XS-T72ri-%W} z*6%5#Q_&tBe3))6&qr`Yb0iN`7y`COZc!WBE>M#@b2|o1bx$uKeZ#9_^Hopz6bMb+ z261rkUN^jV`-zG`)|E_T-*^H(+23mva-J(^@YsqyasYq(bxc+&) zLDN<#3ufO@xLypFxb(#uwEr&5>x&ig=|00QLyz)*TCn&lgj+(J z8>w?&1%xK^{iBVd6QdK|KxtnI&O>R~>LAfubMO3@a+78b^O|6CaxrV&!1A zgeyNSbXE1Xi)}fL8zMlLlLRqMUgb*1mS94@YO;4;tcsby@pyvEsK}kF?nHiJP%rG* z#U*%?UBkBbV}xL{%K&Bby>~$%=x;OZTo&-rrM_v!oo|{u9XGkBci;%!wdS&ejC0b_ zFOEog|KiOzADS_rL_q$j977|OphzO{Qnyx*p4BJ{7U9c9w=;XxC441rO2Uf6dOzQ? zNuB%N3w1}}p#+?1QBlcR=T*x(@LnzlQEM!)={uS}g#!k@hpGLD$mD!(AE(L`r;Err zY1;*T&qPNT^6|ok=)38JF$>QysFL4kRIUFaBOfzegVP+*bM&h^se5-{=1_Zow5CI6 zpjBi*x}49=bF?R*+}Bf4ToL!ja|b5H?F`T&LEgn?aFfIRhw-lM{Z=sos=nbRZ_83M zJKp$7mqSk3j)EVbyY2vC{}s0sLx$Qw+@;u?W$_<|wo1Vr2Je3KYTF#|XxX}Y{X8x^BtuW8|IDMe+AKBca(3vaFR zW?lw#d7QY~>ZrWUM5UgEaDTj)$DTL1YaF$M=z;Y}thbg!>ORFrb6#533z|QSVPcgz z&=*cAYMs;7hG?u1ui`}$QqH$77%*W7RZ_~@K20xxy^ea86+zJ);?$IVKe%HMn z_fE*4d1;-bVg@Uc4%?0X_%v=v4Ax&CFQ)7OO{gIxP^vxesHiA&ZMC|X2rbcWcgg0# zak*S{*|4EXMZOM#O?P9>4LQj=zuUxPapc(!4DUHW`i&)bT*kMjdBnIInQ<>)AB57b z3G*@9UE|(O50*XHC)ro=eEq)u#ft}I!%_cRA&;{EsdR(SwZ(Tpx?y&rr8s!O=ZSfM z_mXt4ZrK&|;F!#oGe$d5PV+IoVbnkVO))nJ=FL{!kdQ8_gs#ghHFj0~XPGPZt^Bl3 zW2eva`zELKJo{FBfEcGBG(AfBz=;+Z*9i`mc&a0U^9J)bCgD!=i*c$y|Loh+s?TxF z3?-X>?qWy0K-k3f9p{z4;Lfl;^>2YET`LaRoL`!>mvof=0y&PJ;eC^P#djRT{}%+N B=6(PG literal 0 HcmV?d00001 diff --git a/.devcontainer/images/debug-active.png b/.devcontainer/images/debug-active.png new file mode 100644 index 0000000000000000000000000000000000000000..7e2b88c83a3eb2d4a446fedd5aedcbfc040ac9f7 GIT binary patch literal 293251 zcmb4qbzD>b{y(6E;=}@^MFpfoxP5V8B8rmz(L=Lm0~u{Eu%}zWm(g!vAEKXx#mWRK4E;cx;k4ZXf15 zda84a@bVHp;c34z5QpNAb$czme>wvOUsvT0k;{AHNaheR9Tv3R`84`OxclK79$ZP9 z*EE9aJSx*2csaTw8&bTR=>X7{>cEbbHTdm_)mlOnq5 zJ)hVz{34bi3cv3@*r)wN?)2sl#?K`0pDA@)GF&kzAHv=<4wyPO_d90_59Tko2dg^? zd;Gkfi@Ii~*sk5Ce*0R1`N4H{n2-FZpNigt7nW+j+G4E94vTD3mmj70ukjw`8#+z0 zDUocxeVK)zc@Z5a&S{kz_o>5~&V-TaeJZ|s*1mNj+pV}wrPvQOMJcQ)B~poG%#B4v zf`_Mb%=gD9(-|UCnX1^?MIC#3-`FSh{aCZS|M^nX^6-4%B8DC_I2TNP1|5ng^7o`` zdWj-_y_1qW@z~SOC!ldOLM4CED1DoGltGy!;evPqv*vCMZ1QnnJaih_0VJGoB~aZH z9+o5u#3kS7!5@6d^yNhNsUiJ+#v(JG**?HSF2Sdn>$V}036Wwr4^Q0SE+15~+CuMP zdLry5{cskEdwYASEN%VPaneQa;HU|kn(pC9)&M^8e~(kBEwqjExOL;RpiSR^SX zNXQWcT4vn3DYkrn3;)J4-(v#0&c`>U1V7(VqX)>7^8^mjQ+>v7mJ(OJ_lV%9^et7M z=YeKpELP9rNk}Cb#^{T03*X|CPRijgCicQXNd=9GY!OEUDsTa2LLyg$xQH#f0vvC) z-BS)p`Z4Etw~dq|WN_Kkk;aFjmx5d8oz?Grp?owb!nx>O0X3a&SCM3SS5k32FU|=m9K?uaNGye4uLM6u-;)!{Iym zO7t(z<<I33}8zE?`wM1 z2xh}a9Oi(6_zC%DISREx7CqL`7nUy^)Wk~{3oq62i{6+2%KM?!uO?LPEK`v6C6`jQ zy;u}33%?K7gyR6-m`(`RYv_va3RVR1mzU<+6j2tm=r?Gf+H5#!WCRLbwziM$j^7=( z9&_5v+t~62%v&^2HrO|)p>*K1a6FVKN*6_o;-tI-po`>4dTBIKFC0Xx5 z+De6Z!}$lz$sB;t@^^K#Hl4Z_x+c1;4R=8ephzo()rECUuyLlA3=k2C!cx{Gwqxhj_`VN<|B_nHGbt%(By^LlL zJ>m)&%^5x3))cZ$@=p2|W>{3GwCjA)DVbw;nO*GEx9S*e1MypYo3tI@shvAvlP9wc zXA8Fp7k|@Y9^5uG$x5Y0p%>;NStvw4t*F_jk-)r3K{$b?5Y$jE#?RcRE$AijhT<4$S{( z+56;l=&Flw9oep{3vwwuV&0T6VAG$_k7{X4A53RW_BOKzmvyj0P%)q?sxJ1<-E6(8 z)=Uvd`w%82G=LD6x44SG5T7w1-s87wz0Q0fiV%XY?=;LKVg&{kMny(jyX1Z{O%!!+ zmQ-~()H*aEtFzi+ir_a_kFO=KX|7HL=c#FnzPzMfeq1e_%@FhGF|GE4Q?@=f`3F;v z?hq2*MBece9kt4|GV~=PTKTkd$MeC!9RteqL7$z=v9p4stWcfMirXMSQ3&T<3Cb(( zA1~kQb?3>)$?KT8#H(xgXlPDZ)qA)~xjGD`Cr@(=nDUth*8rTFnu?nao4(?U6T7oN z{@fTn8VPQVX?8sO@l7T*e1bf~sJuS8_0$!QkzRPk>W7v+QDcNiY@fnnn&8mUuicII z4ex#8vmiVzseomfSdhBZ#Gn~uEu%k(d5>9!`IR)MN!Y$!sXshmYP>$C{!9JA@z(MD z9Uoa~**tlfct#tY+&Z(fSdN-zL9NBsDbMZ7g05Ieh2}@G9P#{S6EU5|1{O~*q-K)V z6E#y&);d$QlYxfj3I2f#Z{W`Blf$gj3RjXIJdbT2!gyw}1&gcI77dgUO+*+~T4snBpHzacXA6?DX z%()+B4#SR4Jp~Rc4#N+@_A7SH2XQEspAwM{O7rtI!zK$?yR*BwyB;1*$YM5Cjy{ep z7)4uMWsF*~)~N~Pmw}y(y9}ZGLytlC6EZ?lfgSF}I^R)9YU%L~wCgXnurj9RF?axcRrJpC9b~bRcxi7b$-x`e;U4O;X))TCS=sv40|^TUL%g&6 zuh)Z)2_5Jx#HhXN_qaElpbrP)a*K3T2K`=QD!xH-PJFUFj4tZ-Eu+spF;)IaS66ON zHigbS$BCE7H974JGpUYgc6=I^r@w;^5H&fA67kow7d>mkDH38=wscVxv>#YKMXu}z zy(3RZ>2}0Y>Gc7eY5TNhstHT95^_VI0~<&G(O<&EZy>Xgu+}OkTgGxjfrs#afF>Pe|Yi;zvcyy z`KfUObY6FK#-_$*dOl0B0fk)h($IKRE+8$VDtS+pqZ#?~Idwpc`I7cri)S`S!bKz+yTf1h`oEvnbQDAx5#q;v1@XztJ zvG30==>!yJLJAC{O_+Wk=>L5Pf8WJT=}B&-0T(3v-+bj>8(zuqf`YDvdwAH3CESFOq`(^c6l%uEWObQMH8Qsgr_T!#dR&AB_EQ z7VoE#dk?c-C~UL84r;#DZ>_H3C?7>T;B;w5H3;P}AIgFzeInSFO{##6#!`$f!7D^A z0wurSLCL-rzJ8Y%;={LivAt##YPSyUD<)E~o{*g2QD>;|EakO|e=djK9PG#-G>1h6 zIkQ!95$(nJzq3k@e*&gjRLOk`Kl8|@YX>hSGQ6CzL#=)u+bK1HdZBDaxOp{``Tp~D z5cHqFOY*Nl@RyhfP{f}nY0@6Lw|ZbI_qxN~U;eFh?D1oMHTUvl)@GfwMUUHY6=5Yx z1xKD*@{prmMa4;e+A0>0QQ5gRvk+TD;a7K&fNSF{xzAj4E6h_ML&Fy#-g<5hD@5Cc zkCRk^x*TO2l`lDay=)g*lt!q$6J6;Rb$AyMCDzp*1*@kHMVtvgE}yC_1zLF9NT;{$ z53WqG@HNYB@|M414RdPpJzm|Q6e9_G_HS46Ps{h0b?$s2SuOAwdD}($pCbPE$z~_s ztWP!O`qtDWs30%zn5ygN*AbtXC~WseLE-D?ES61p)Zw9X|KOkt+(i~hO-ea>{*z|H zat-hxEr#tzRg)f>vad97_-d3QMOi76ms#vp$R+%~^`v)l-WMmcf+9uGxWcjJ7#1rn z)Xwo-XUH*Jf8SG#&U>|gOM?u~XGv|d0`((D#Ta(AP)NmZ;zMyCJBl%xDWwaT!btfu`sP)hw5 zkuoHBpk2x>FXhgE9t!DBxPk4Kmt;A7Lq z9IgK4F#p8lrgK~axdp$j0`t)$^Epe-{)yFeZC4OEu&X+D!k) zaFf)&RlkRN*?jI`M7aW`DeJg92MTw*nZ((F!5?=l0m21F}?#?^%Hw7vcnN2wcXz2&(~>Y-qBQ zcJcv3|G{L7T%i>THv8!@qUqDxhvtm~qk%M%w{bfa7Ztmm-(s{}^~Eop-bE_C32Nv4 zH+A68vGCV^kzIKkdl}0-G7*1hBE@ldl&|wLbOJue^|>7*VKJI@*Uw(Ebm3wo!qrK00^w1wmb6jeS@yLF00D=c(8GyBfz$F!Z2QQ=2JXuv{w zIW@+`{sCV!*h|6_PHDY#VX6F(Q`A}Y>Y`hdXF~<4P#ofoP!Mb0>dA2)S;wST?tZV- zKifH*i;{FmoJ6n6FgPFYbAM&OFk6kSI2>*b&xiG8{>~=`Zj^>OqUpQ_*yMpNv&y}7 zfgj60UO_82Kfnt9wATN=s$fftGczX5h~N+y|sR4ovWW^hkNhlRSHh}5EqMF=fX@u8!R zb=Z*qrdkSSKumcx_=lpi7xCG85MAGvw-L#U#j+geAkts1^272{%&iky*`Ix959yps zi__aZQ>+RMRdNiE483lj+;xxGd?91wP8`;YKbbVpRuWEwi*g2Uc&|xzw7J8)W9u*< z-Sjc>H-$Wga6lRO|3ymR1hmjgRyW!&T2?;zL)rwyJeX~C$ST*a`LQk6)lq4;JKvz} z>nf(bP}7DvJeY(~ng9U}sl#{P8oI;uV#l(-HVeI=Bg7mU7J2##V61gSkiJEBSCzKf zr(esHQK{h2jG8M-IL*s#Uj@a{7&3#=1Cd2gh!<4@oY6WZ;}zp#+2~w!W}EJ@XZbKh zwaPP3zpLF-Xkon$EP}Voq>^e7c;z&BNW-%!0V5C{HT4WW+_*7GJ>9C}uh6NJbW8>~ zo%k1E_=ofP(+8K54s^ekbQ+Mk9g( zxKP@A#&Zy+b2tsYezBnCV{S*17(8UZsTj@?RKEQ?cVPbKfem|u(nT&DafQ1Vz%9!A z_ZimB3zVmgSzT|(0wNcVW4c3>D&~?`pei)<(-X0i0ZL^-cAd0vJ^=x%d09#e*O+p^ zn;|8si(-?->npePbeDDC!|5_`RlRx@A{hHU6Uenvhv$(L>+_v?PHhPBQTW;~JwFR2 zht&zY+UfgfRFQSD2h=;{) zdcb@e>p_r8phd@rgZG{o6ojUMT)OB~y5jrIegz^lL4Tw%g%OG!Y*uZfLDKC0tEL)&giB*k%idUP~0Y83B23F4*-6 z8nsaRDn`*AH9Oe3EgoXto*gE5n{~5~%C~=(U#;)>N^^+ts{X*8>y`?+*`VO5AX z_`@E*%QR9Ba58e*JM2eCeuwawdj6+1C4Oks8O_c#Zbw#)Izi+fE3;B;d_UT+#-|k>0^1vY3@QAZShWn`kt=qA#)JE!G+}-FX-sdVgJglB zwB-8i6jAV|Ywv@*Le(xA4Vbqayw(eo!kA72ggF-2&3GxXQO`C5$=Z&zmF^g{s zcR%iW*91Y`gi5!!0y!ObN6sn8W{)xa+h=tgJrXvMZVle=t!qc5&f|br5i5D7x%nnX z8gt+yW2JNs+g@rx$Lz%qtC2k3XxkKiyHq1cNsb`~JsA;kCxzEKc5QwA%uO`o{y+1u zKV{KBo#4LQ@&IcUuXMZKH`}k*7^J^A-F%B1h=R{1e%yZ`o;fxv3wc!YknwFyXAt4w zH@gM1y~Sp6I=SBY`$TYK2SvpQUh4;(w{EG`dZFl<*-`rFX5S05u;}Rc8-!mXvub%p zeLxLV z)bXpn<7(W*H>4wC2awj7#7cMex+Co>o-OOl!O6!wv!Uu6`Fkv7BZ$<~DH@({n$oQd z!v~=Jj{P4NoLcRN?6w7aKQn#LPS((RdF7F>R%SoLU#HHQV;KItm~3VU_TuZ;`_5DH>RwBC|Bjp~A_~q0^Vbuy0i|CsXm96>M@RNO#tXc&=JeK>P zao)dN^?fZ#@Mpt?m99|pZFQK0e^FK#Z%}&~u)=wbk>u0|KFA5ySAX}8CS~y5Ci+ZL zc;<_wDuMT?NMo43i;{Q$P`LwrL@OL5mwWlCVXwsz<3^LOlErI!RAX9jINmE_etx{G zuCBf}-=I75PFs7UxLG=b@kkON; zJc<(w?g>3KUh>jiJrCky%zTWS1h1>tkPGZOWl4SGH@t(crAL`(>sk1v~en3eY4ES#Kfcz-`njF zi(A%?EFEHLyBG(S!$=f0hD!Y9!y~>V9`&fiuF0kx4*S#AR@QwZPpua+sL&eCs56(5 ze3yJQkKs9KAY>6kul1*%oun(O>{t@2tQcN!p(U&AnWjLHThMh)qpBo2unscWSd267 zj;O7_W8)E+sj$&%Yh855nMqYwmxZ(AG3Sh(eCYG zIu;jYBScKjQ4W3hY1^t{yD&k(3oVMuF$J7d8i5Uoj6=5{vcBdllRBE2K#)V;sOLr8 z){0rIFW}vqeKSwe@fuxezycD_ddl>LnDw{}LDk~A{gku)IJT3^c9v`WB)KTducfli z5%d46JUvIX*PckNW!L-W<4nl&0tFDl=E1u(ok7d@^p*>XDTlqpzfNz3MMd&+h_gTA6TBbj1Ek!W_NQuE zPt;=poTTPJ(Yp(SQzh@rv2{Vp&+RSAKVstlOpPC!PoBrSy+%0!b|`XoOP9`X@L@J)c7O8M23$2aR09g0k}`kDpaI#a>j zGE9%`E&IP(23|xMfAFLOfoDw)nv5D)vU62H{zH|2< zJj3Rlf%&=dOxKjlYsWyi@aQ&L^+Mjg)4>1-#LNUcv^ zh>4fEhoHzWQO+70;+Tx^0*1^ik%VYqqqkMl$$FAeA}K5I@d}i+s;w4J{_Wd{MW={DA!onAEPD0C;h;Yz;QU&f%P*fbK*xe)B z7+PX&gk5C}87=E`7rLcA_gI=E+rT3vp?y?QX#36g0-X{r`qZ)KCS2xq-yFDOR4vRS zeyg^MokK{I$2$uFIuV{k8eN|!O(HHM1)#+*A%^4}8fENCnW8#{N@1ySsiTu}f6t)9$1~W`!PT|?a?b-C7eyn2 z?L6<+(i}Ptu5VHY{Et-W&mU;yec!IVH!WzD{p#mW8AXk$ZIa5X(^V5Wt3mKM8K?M@ zO%i(>nyDv3^STx}dqh?RQ4DVqKLg>zqoYZyz0r`2@J+=aVD|1Dxq@Q2yWc2s8I7ui zKa?)3bZl;Jo@jJ1YCeaTnUACk)!Iz6Ksd@nt0gx_G9u?dd<7>kf1~ul+XX{Z3a1!>WCqls%hII0;-T)IEzhzz(v2p_?BDUf21 ziJ8|HzC*F=7Zv5e)n^EPdlxy+hAmtS&DMpyyAvwEsPYxAI>c&sFyw1yLP+zyeKZor zIVyS-(Q05z>=b}4$6EEjCQc7lWh6dUtUzl_dk3&>leN8;j9vF}g5OIXo`{Z7v6FPs zv$ePcS~%ae^?})ipXvKY&v7uwQar&c_BrAbV z+`Iq4fgy(i=-!eoT%WrFjm^!Q$Tx6UE%m561M+4Ykn8Sc4%Z&XU0WL1NZBVg3Z7>{xf0|8&He}IWvfAYRSAuN3kVAx<~#@6^dwyIHoR0RLGLRhNv zq&To$H={8>|LuEI6-{0RyT_|1>x|7BTVn1zpJ1j_Q@CHhe$A!hm?TNWe={j$?O4iE zA>1=|qy-VQJl8Ef5(iB)`*z%%bSY%%a66l&O)`A;b(|D7IiMIdI1qisAVdXB-*9@A zxg>b<%-RDwY7QYe%0K=vzU^!2SYpx@LdsIutSpyR$IQ%}fOZiZ(XWCZYzTIU78Vqo zY2wZ#aT{FlT8(`t%F`&Y`QYQz*4^FR_w|{aekcjT4dZ(jDskC)N>iYj((1bXUULsc z2DOH^HLH~fynH#i?}?tXG(TMHH?jNq^KS}>5#=|u_gS+2vo24-*LIg8 z|9xPpf*XAO7df>Rz!@K=y4kJeW>Q*9PDFAwurL?rSO~!u73GX9_WT#wDJ1 zrZk|Wqy#$zdZMOQ)YR}x6{}QGi+&h0EiTtA1IA`%+UpO_ROtQG`&^>eX#aqm-169< z)xF}KOdg|B>SLF&jNjD(Td)+gZD{Z`utL=BBRbR#{wLI6GDzBJ7sR$w`oA=A8nUktr6vV=tJIOc6KSEu04 zk_RlIm(E}R>Kp{(y}!yhI|AlNk!J3&udN6`JGB(7xMXe2hE;Rmc#kt z*vSE?vRU@{Wa&4?)H3ueILO@c!eCJd-(CUK$WBE9Q-8TickQ^_Bm8$r;MjxDyYGdb zy~rQ^DWK~g%FEPX59Lh}SpOPB@}1v)@*Q?o7Qt%^g|_husrkGm>$uLp6tw&zc!m3Y zegqG%lf@CrIT}l^1&B>PeRnO}>@rNNBj)fbp~(ASSR(Fo9}y^>4s3|+y{ck(7EM|= zI{q7(_Q~wcK#p1OHTkgof{fdnjEv_J?F1a8-bY8HZ>zOlYqKuB;@Tjy8tv4csy< zCNHuB%peEHS2k{HG@zvxH|J9>P5rlZsvm3@b3zxa$<}G&#mZQK5!Q1KpIw_B%griu zo`Ng{#rO9no|^v3?}{1knaOQiv;m-Pvh~wCjPB3~YZ&^Xrf*lN0Z<5ZlA)JEJtcgi z;7#PcGN)yg>&eaX4lU8czGpoMor`9Ezz+nWEuZMlJnv8`QsDe(w-GjAo@8Kg^Vr~G zTYm@=-eGCAHEVnR^R^ewJg=mL8(c#O*>*Iv)RWf%MY;K`MhXltBEcL>S* z(M|^Tif^YJ$zG|{h}s(OIz2lZ_2mEVQ9X+In3}oG#z6UTSHm+3sh` zir>ui9$6fI_P3BdeUa@iJ^=%Fj=6GdWTA%6ny%WF8$ootApQ(6K}%o*-_X_*@+Gv2 z^;BuuEu#>_i{fr3zIX<@=>SgS z@lErXwoDt0=Oadl9~UBq6t3A7?m)q)mxPS}5%?W!RdR8bk?#whnPC@7)q26YS>7vj`kWbVH%1#2>lk&uD}Cu!l+BxInUvK2Q$ z*D>`#QeIYKAgV2ari#>jShY%su7cLqLAQBk#}rmMNIB~UK&7r)xvA7`qd>-5uZlBM z{kG<@Ke0O9d$j@rU{HHY3)?s5GkcCaTA@@l3+10mAUT>MB-Db-kG@ShR)+WwFV|y4 zZ3?8sAS9_EQY8pU8fbaQKy_3+lcOw5D3c&{x?4Q4#SK2y4`1~XMRYR9qt6fgRCoAbM^c>nXH%2l*!Cojg*R8Rf+Zey= z3m8>^4y0M)Xy_%Wbo;qsw$z6U?=KzXR>nXhxqxrDHwd(I3|%tM&uaxL(4{70lBonp zFct&f&cT90={(_9OuG{79absXK)YQI3&1o!RH=IK)m$JhM$?5{^52l3BxK)c4l$P4 z81=uZ)5Pe&z$T_ zLbXX(`uUcZD!*J$-DWVPPczyNNI%tTx#aPC#L@M1stmmuabX&)T7}8{O+ggwW@b8= z%M%ySR2;u)$s!s~*}NTW&T|fhFtFGCN;>&8EhECg_|5MIg*)b<^Db<&-@yp>{9$G? zgICqFrycV9csd!K` zd0n|tA4mFMN&D50h)PvvP>3Wfy>cQu9x)inVFiUI;X_P0D8JHkf@^bt#QD6SnIY!t z0#YE~js-s;&Zcj&JfbAvdBvjM=urSDpJ}kri0FW%;3+6BWUDx z)yo*ZGI0b9R_Hb;?$BF`Ie`5zwKNWBL4Yd@~s#Rx4b0&lQgw6}L39J=;lLv^(s5 zC%!3P!+N$hs79=$=Gj~S5qY`bBIh~uQqqL=>^fG3T6=UlyyY8}UoVIXIAuSQNXosO zMDi&I5mx7p@>THq{v_4Xu3D$EZ<3<*JytX2^=-G&)VFhJI|vcI-0uS3!*pEi#fc!> zCTEMTC%?45No1>;X^3qCrt_r{XmPe|J$?4w#=dp01+jL}OD6zC@d>!^XnU>%lMgNV ziKQa_DbZ8#&J6@&r*1Tn`CXxQ!Z4OmDK?)#y)l$}B4F&qTGahP3_aHqTBLutJ^icdFG+OEmC7sObuXjfa8p~kMn{^s zPNMJ1>CvEyznlmBUM?#|#>kltYomTV8LuR zFj9FzTk3yfJb%{>{#J#5s7boG=stQWCbrb~a1ZL+vK5H&;&aK9(c*I`P5}o7;$7H- zbcmC`Ilv5S>*~x=@aY+}s?KMkkT7?vEH=*e4^g6MD+!RWrzb-c+*_pF&4`?gW046l zv#GNr7j3^ybeWDMDs1@nZTdJcM4E5ERDu%j3}}SM*4vK={Uns<<;&f&T8m-IXYn99xiX{qsy9L2lxWmcJ(xfnTl~?J2j6Vx zerZ%pmiKL0r%QfY2x`ZIc&FPa_y=8fjT>_tzV)MOCm_D}tzTPg8jM~}mHF~!mnox7 zS<6PsH!;}ws~F3P%2Nu0p#|t2DvP3)uREXLLlCXDfaDAU+bam~#Bp@>D#j_dNA3Yq z8+c|!47hr<9iSMt->}5&SagAsqe7F(G|fI*dH>R@?(V*+6s%P?;_=EcEqWeQMKSHN z+clIf^p4hNU#e*H`kjiHx#;ztv{IDaO)9#TA7mU zTc~b>ie_qvSi{pQ3ixylHlakuzx=S6JON|Hnbb0IF*riEY(LemH;P7fcIFNW?(U0; zq7oSSki~VeuAq`0B2oVij)Q)-Yjs646uvde$^r2iL*Za5zf> z)?!J?!8E0plnKyh{VSx%VOXYwPpcy8<^1ReE!wDoIflIg?h2SG#sp}3cl|~J`c}i; zl%)}u+o<_XIto&Da{X(8EZd#l;O^ShOrsBzlgc@U7j0>7TdYAni*~R_>Vp>^8v`QI zKF=9`GL?HW6*2X@`M0XeE^@t2Z8*C0iB^e-lS)D*z&cJ5*uJ)eI2rI~3bh5o5ny^b^maWt%Z?E3Gnv&LmDT@bk246+ghn1~s2*OPRWa zofI#;vy#yVWT)bqR{R2yfUO@uZFQT0ubTH#2}~LtVD|W4yDM6dD_y4<+B@Hnko_78 z#>z0`Doop+;UX4k(`D`{#4#30)R*{*HkX!!WOyHMndoO`zERrwhDOZ9e{JA>Q$T@MOdPevb;FiIQrte?thIM z?U$3+cP@3>3d=QB*HyP=12t5^Z6^zrTrTu6$CE1NQ^jgCCH1!}Td{e@!@8gP_3O&i zI-&}khy^Bsb}o&z#+`V*7iX%bNx<)S>$gGBa^4-`9xT6OyFTreDF4!`Td_bp;I@lw zxk`gw_RMP-8geA*JBMMXDB1p}V_!Pw>#ODn?owN6s0cv#j?0Y5mMgdE%nDVq>`@T- zij6_i{6iH{leQ!{-NX<~Pj_j~5Vx7b)3M_3nw}RPsKZZd1B^*t9X*uE5jY#L*g35` z`RXge(BLUjB}Rf=g1h;@*xM1eZG%|%&Nw`wA&82_POeYpIj7wDu}rS``;HxSDO4#w z7%8z`@kSN7(7^GgP#hf=;lIxl78cFFL3y8oe$#Lqb}Hoj#E72_$|6TX7l$?BghfUt zbWh#f9s@_d{wa99WJEHf2zHRT%%SGIJAcMrpuszD+Z6xO;_UIVV{ijkwROzUxJCfPqnJ zNSIhdZtf(V{mhY;$0S#!4(glJYLBes+gA-6(q>PWVVmD5Ck=w(1jcOTY|`XFszL^X-Pfw;H zh$yZV*|8j^w%&d#NBZMMGkX4Rt?8zkPTQ>SPid9!H8o#(wpH58Rgs75&4(wJGkrO) zdc|neO&1zUZES2x5AsyR0ljdQC%BF9WHWP>w-p?S%4XnFg)Oy*Y12ZX)O(fTtDK$G z{eh7YG5|6KR|jyMk|T~$Z3=N~kggPa3(6`J+tN=7^-I>Pn)ay+ixS7=*k2^K=xb|l zwe;(rxcZmhWxH7+d2s(kYVRCCMYx;p_8yH>RTMT~HqwHw0Y@2}q#!64r&+!|lZ}W` z&JYgk(1IgsS?CR2Y%fgBA-PpzM`GXo(m4kKRQ&ZVcF?vtU9@G6O!#D{Lxqp>5nHxV zPc~^dR*rITJ;%bvh|&?t>P%s`Qmnp}BaPE{WVQ46crhj$ljzb!Zwh8y|N0pobjUL> zsJLDMBl(J(=g(>|0#>i(XG@%`x-yKSfs)4`Rg5UGpY794R9?$lW2XwiCMub1NzD$* zu|J+&VZ2p>0|FgiDdcQ&a=k1n%h_-Q^@jVj7GmXddjDI}mXG>ZjJV}@>mfxN_J%)MscBo1S?}?^!UORO1NJM4- zt^fa_B>mgXPr2WJn-LH*6%&{#QQD zYq4+2QP{EE2exi&x7)SB*+gg??$2(BL$j`sXU^!k$O4nDcbZh^CvQ$fW*6!#OR+iw zLPdPZO;){<*nk4xdYD2|k{ITu&>S6|zSBt0y@39~dEigTt zxrQn*0_^~pYjVm1hf-m7SBxvp-?(s&DW^A2=K4G6(05Rs(Ikbg9n0Yd8T%xRXVM(*}<(q=6_oLXhWo9 zzZVFo+ZgrR7;*gdA?L048adBS3sb(`_5CRDE4jzh;U^A8?68iDCNl>ezYRvMAWLW? zM$USovJvuf&9>~6B*Kt{C?JE-z5Hw3y16>%(}`8vBj;~}PIQ5zw1h;pG^`d?_c8rg zo3fYDtdg!EEfv2?LeqH>>o^&m2uHI{s5vHgxOU_qZ!l*JdhS=jtpqrkFfw{*A`r!o*j|7r~@ z{qlJ1>C5pSs|K@<+4f@%Fa=oMzSj4`{p@g%llAx(8X$FlhwtmapvpjML+JWtr&6TS zQfpCatB>CfboeZ}ynLQBYq8)BxxyO}gPK=aA1JS;9E-$rc&W=Iur&MdtYySZ&bvSx za27Hc+QGNjik&Hr-vo#JJkFf1GJ-MJmm$Qw(ecw|T6*-{7lg~G4l84b9?GOH+LOe$ z1gom=$gU0WUYf}b)ENH_KQ#j)+m^|4n<`L%QEWH7CS*Xv^@took2`e5yKjSGY2 zlEBe{UV7B622u?E1y;NkY=>gaHW5bObh-6jrFeRJ%90vkaz7c{pF=a#({105-$_3g zF=_|aSfKGym zhQRRYfx=!{x`o5J6hCLmefOlQQ6y5rS84=nlc%k+gT~8=?h&uk=%hKn_8$U*rP^K# zvn$@~8W6{I^T@Ua+ynM~j~qPlQiD z%{X7JuIFi7X@Q>Ox2SZvqZ4Cdj5TT-9EjJ=+r^cR5YZut zeA$qC>vz^u#b2FtT9gKTK*2_J*0Xc2kbMX91p3uqzlL7@oSvNTl%Bo46$woEV_IvKxowsm&vX0gIY<=jvusYQ1u6D{tMgMR(^U*t+U00?)=HKa=g12Mu z?)b6SvS<)Ppf8c(lM&H`()lgWl?+z$5u2gQzyd4_!n;IqqyRq9=T@v+m&P9wUR|m9 z3P}w0eCvKCI66-@LQJ^@NJ`8wx-d$7%;AnkjQMNj|KsoeZF~4vv|EYSkmltk)|!Uu z?zRGfq^@p(<{-gsqL6zwyN0=9F$J3Xjdlwg?r=)+Lo#@SR{!*u>P%g%9f36JXsW1m zf$wu^fbda}m4bqTVNg4E4wWkf+^w2^@QS&w6jI_clZ73&DPUU>KpcRSef?VA^Q>gK z31|!?v^!7E$gpE;y~rZS*;VQ-m=+753AcQM!0pPA*l(Bgg8o zIbO>W)DMF&dh;6;WgcVa0KroiR)%6G7p$n zYCnIHk^I3+@eF^2-hl3|$4#D$=n|vr;}0FwM$_Wl+(m&Ogrka#llESgb;4^~-H*4_ zKy@LFq77L4q4&I|-2&fEYFZjA*6PxejBT8JEKh74=NhcD8?~wofkfIj9K39m_{5By zoNA1^5MnlSwFOQQK=qj~0~W>*@iA;)s4%Xwhj4wHQ@P=3QLV-5wz0O>R54#hH;b4m ziQ_9zwSJKdJh{nR-RgUgG=Wb4YR@Sy+|iNWxC?hTl8u&9k56Ky+VtCU_kUquuT_IS zrp>9Uxx!rNC3zIGqHV^EUR_s`8uOWXovkNP9ZhlSC1cTE1dYf{YNM~z33l;EXY=W= zJ)oYw+E=jaD<<7$?Py5h0#?`A<*)YcrSa&ayFQi6%eq3YMoaKRd&>bP^<$-)tk2TR zNWB}xP*d*?FONpO+kgBXZT4KC8X$(O1}(1KQFH?K>092yfd4Oo1kB%iA+mCs+h}e? zDbe86VJzI6Q$Cz4@!yOQf2)K0Y^pV``I{XLwY`QlC$r<~;8D-Z4=Iz}w{A61?KBW} z)bp4I5dhLR@>qZSM6o6_tyz1Rs;a7Sg$+)n^AUb*O2@2cU;!BvV|5mgoOq({|O>5D(6Hei_l`B)uXDp&y?oTEY?KPKRQP` zmSA}-toQ!c!yCfrc8tDciySvJoAp1a(PEQ`OR%#TN&oE&`Q5~+ zNKGsHMaX6<4Or0-w9sbyGZNALkL}?#p~ zT0smjtmHfjZ?s=(sRp2IV$Op|#JMtwy*hupW-gDiuInq87JlR_#F=4jQ?le0g`&Ra z$BJOpu7wXful^#%KGDE0T^&`K=9Vo!=XUsSMiqZsc^m2PLMb{AE%#l9;=Wzc2tQw# z@zL9v8W)nsYC+pvg$~a&Dw2TF(~9jDTMbyZsI1H!*5*X9@(yr5&#LJqtcSg+Yf_N% z-ZYmD_I5b#C}3?pp{!WsJA(y2tMrTvb}SQq84?j4EfCnC>!i*)25&+5xbNO(`@S`p z-teo^x_lEz-IlfN>fqD;ud(bdRNT1WB-O8WMF{A zC;>}l#OWUH&{&RU+WB?{bogPr0wX1QTCSqD6v@~5;3);xe0{v*3HRGhXMCIdghc!_ zd&@g)?zh^9bp}N7Z7w)~4eZ-d!0{6)49`sfOWO1Y)MHHU$No5`v{0&Ok0rMx{SPa_ zKt4yn0sLYJ>y(WcXxGg#fFXBwS3>E&RfS9+5_7gavCurnPFa<&u1>%gKEAq3I$hJ} ze&Sds<0>(A{XEhQVz7Di*!A^a7B`!Ncq_~E_=NfIX=)?;9R(BBhk!Q9BmU$2RdMh- zpWbsN^*-4VvY4v}B|V22!PJhqpXO#ZEGM*Cmp!Au?h8U{}vK*a?aXouf6tK&-3ivW8`tmKfUJh`S?itCL+6} zsWDvRZL)+&q}Q_Ll&~JB{7??PXTQswK7uxb#oS7evs5KY*ck>Vzkns-i+i-&UZB7} zCjw-qoW5F&r==pVQXjU)#&V4lkP)KX@FR_V7C~1;kGzkJw9xSDSc7V}+h=KJ5|s1J z3bjH-N>=C=3I2#~8N-&$K~a=k_LahbfbEVEvl$H0ytMhRfYI7Rp}ts?nrax8fEE)b zYN4@s$C=)emc9|Z$*o(@v-Qi`S(IVgx&l)@G46sMxxrkLkH{lM+3arU=zPt6s<&=E z=}8xWcHpgIdemyOl?%yXS-~3N?)KJ%9SiHz28ExOpQ~8&J%1eyFw$mUOq}%n4sme3 z*{U?=O8ye=@S${xT+NTY3O`#>P!YcbbA~}?E9SlmIJ8~okklw7m@J6qRH;IW)+e+o zF9o&nm*l9Bd5ezQYQ$8WiELV=S8S}qb&9Q{7Qlk)#$CBG8ly_^Xd05+Sas|!vJA5@ z)kYW}n;xisx;Mgq=U!${OL~Pn6-R?s3bXObaebHIdiIl7C>VeWAJ&Zy51LGXP5A93 z{_?i-?(KA}Nb69RyWzrMUwzod2!iuvFo#C%J zMfe&^_jTj0VLR@cx^F%=CQxs=1X*PRxr-DT6x}}?&US(wp!TlFDk(qQLub9RBipZD{ph)I ztc&wN$;(@tJ!5C(kD`gNN;e`R95oqntnHV6>qo4QS6T9USBz{T%t(v@DxC}&8}X2# z{r}4C{_qu_$abih_1VqNwuohWisqSefGuzzjWXZL@27)2h%!0D3iv?WSPp$#(Onh< zeN{9L+w_#ko$47Ptn0WQ{alKU|fIdF0;BeT2{MQf3zw zcGuqN-l+yqMFURrPXh7x^N9qHX`>5c&}Ni1Nv;59#E^UcXKOuIZzmR4;{rVVX)8%p z{TTysJeL(edi(OodOSOtb19@5;3_$O9R1~63e{J01`VWxC%x9%Qz9dez&ZZ$gC9>P z`WnJBh{Z3j|H(AUS4t=`@H3Cc*fC_Jsfr^YXw^SIc*cq@@`^WcOI81tL5cGcJM@uC zMK zEeQUTfni_l)|#4{&77TOX^x9U0D!mIZtCmD&N90W*X^%wY1xaM9D4MdKD}@Bq1JtG za4&KvJwPD;{N+pM@S!7|Ki#Kq=%LoTxv;#F0@h>YdQtlre|Bj0v8Vx-@1VQUu9|jkrtM(MS$)VIj8WOk!}t z4gWC={@Vw4OTeRdq8LqtUr-kRwA_HkN71QCOb&qsowZ3wxOVND8~4k&pRW*r{RoEc zn)g&w#J*f%#FR^XWCi&S>HKt#J4n3;Llai^a-IegD{^aVOKjbnN#wlUpg zya`{e8}#M$zm4I4G&peY?QsA3iVFfi{%Dqlg8$Y2t0gl_*xt0Txgt`Zc|vK4V-F+$ z=W$fX+cid&Hj2i2%@mJo#}_jkc<8^aB>mA{D7dlgn}UQe>NI}*&RtU`2xl4d6Os-7 zU{uvf;(AWl1xA^zIrq;K=q|_i1?gt;beezqP~+M!&ix-B?^hrE!7pa|FbDCoe#3Bn z-UBU@?(9piE$gM)$`t=xHrtoAb%_k0$*ID7sr5Epw6_VVr!JDXIT0U_knV&+@{&7zIXRESoiZ~=aNr*i4KmN?W;D&s&r;&;g49lfmgdCeUq~S9GfnB zmOaagt&Nx+|M|K;;!NIN=I)%e5eT%qkkP0j?>}$*kG%aSlSw!Nmv4!cHUB3s@)zUt zo!uegsm__CcUAR@J0t4Q=1?k#?*5L=fnGfN+eGC@+yBanz8Cfbvz-=y+wkK*0pf5Y z-+i0yo=C_3Uv@SM7g!=ImHZzHHU0(gmEUa;lI%%)&3?48!rfh6{?TE=G0Yu25bqd5jNhT#%Zw+&S?Jm zSh9sle*1)|UH@td@7nlZ$gKYO_Puteq@>&oNT_Z7dC~vn(gNceAn_Z z&aHg(r{yaC%O&}?fN;f>_=M&E=xNu1`q!e?tM&iUSU-MkJ0Dm(w}`O)xOD#4F!}q| z{%GWT)_ZRv7~1Vm6>uJl!^8DqRTqy67d{KV9r}eEek<99bW-Tt^$!Q%rj!?5dojQF z_Dr+NTbx-Ym;8IGX#fT%ASY+oEJ@)4+q!oEg;cl6mKM9|qs7ag8?i+=r26-N_s`xg z-?g9OmCSOO?=io65jEC5oMLyBZ{IduUtLKTFHpDH`Wh|9&=WauP7<(IBrdP>;TC($~$ zwPHrd0CN*`*GBMa^5Fo!yj_NE=Z~4tZ-e!}O_hK1dX4=zfihwph>uEHmso0#5Ae4F z1)Ahf7GbAVP6`RB0v_Q=Pv9c|?pIJz<@WaW6o9ENFsWrbCnS{f?HK{?X1(@!{PO5& zOL@0<*KX9hahDrj3rHy$KR#}QRi0UbfVyxiYy(s5_8Plvc7RHG9vu9hgmpD}ptAMUsZ#~clbWCd`&uH)cBe*Z zNsF-Eo8i+@UPj}iD+%>W)QSa0slB{0AX1tDfM6SXo&C%wv-P zIH!mOA87lX=+m42y65LD+rPQSuW#;;+$ww*kPp1`Y)#`pt9`C!gEi>T?@xL8;>BA4 zpHjEH!zL$~SPY%90SrcqQ}BZgjX(w43GoC}ryH3Ak%r#cP36utnGVqbz50 z8FR9TtG#zg>@qX1W#ZwdPU zn>tzy+w>72X`pOomX>cr$kHfq8ov*#v?Z?f6m6w=Z!nCG%DCkLpwkWTK(D4j?R0LF zTGKGPA#yE)NJhi7+F}4h&v|rYZ+%sBU;WXZ;qpKIWQ$H?Q2`I(nxZM zTvooLd$b#JT|R6kIVUHNkuoGIMy=U7qCHcwn^A6a(<=5@6J|*qV{Ig(r+SFPV{&F* z&Na6h;7)F*tH!;e9pS#II1g~>Z-8*pRnVofeuc`FMXZV0^mJeJ@A}+f<2xpV-ocB@R%4_ zdBm7L4n5&vH1EQu##rD9=8^4TF$dT~J+sEh!6j$vxLfg$rIbGk9KRP}d|522KHXGG zTzI3vmV+`8c_r;McDIc$N>(9_{hp|G)cg0Rp-{p=3bQ&1%_>x?0C1EtCVOO?`<)CF z(PkDdV0m03eR06LOkeY_f?mV(+A(zjp@pMEmhvbzppNDOlY#U&Pj$5&QQY>`qaU;) zj<7##QiW~>GB{;rR@+5$0i3`Rbinb8u${6`HF-J_VB&@YFnB5I8*)wLV-HGCyt)y( zn!dxikEufBG+psN8O?eK5T}i0 zctyUWh+2B6>d@P#E}|?0@t_%d%|$rD=pmfiVE4{2!a%rYmg^cho82e*lt@{iOJ5b+U!YJ^>4KF zBWktojUc!-PNjt2;7bY&UO26>e>>2v`D~a+tH{ZjDIC#pc6K$OwUN--rmhAC(uv12 z&KhsyWO=sGe|6WstGABH2AF#tZ0Rc#ry1V2tvj{CWjLrRdD*cUKB~G-A5AB_lhbI! z0Kgjo%+W)Zr%B(;MI~87I47}<b^khark`QcvA??)geLincFLr}Kmu9qq8PO2$qlnC3#-68 zs3KT&(Bn;}YvIJAq-~#sv=as0rVA3LCDP-a0qAcNZ5Gf1d?E@v9xKuXi`HCxY;>rVDHQFInjEHlGzs^kH;T?aKO^9w4X{Y7ELbf04j z8i|djzV}jFTf_p*5YN46|8gLyWte)mf`Z9RLf!Tuy%2{caAE!ZfU4(pO zC7~vuZ?#wt6py5QwNdLx4cO#|tgNF?84oBx58J4F@IKk<&8BLl)}j{b!pb7ir~y3C z^aG1P9Z0fejiF6+N9U}tUU8!#aYN(?ittFKp}G0JPNA9PJpKX|C@M|!=k_QO7r8b$ zT~7lR9KllOqH#x*SI)B(SME0Z4Qh1a&^!a+--iKc!DVX)bl4Lh4yP|#M$Ts!HamPt zZ>f2E>UOL%N_(O|SGrS!+!6u-3QJ)>O@SyqwK3$Ci5@prJ z_{1t)R9&H)R3xMqFtQIXQbj$*HbWY*)@sQ)!7p?0eot4g-r^Cyw%O z?5~Me{D;9KyL8rSYqT19uQ{9J_*v=a6P|oIYG|;CO_U$q3mIc5CP<<>kt&pALMN%k z=xjgC&_AQ*h30_`K(?3~C}v(*#AZ^J=D9k)b^Q4=0{%n3yUfng`vM2mB`8E%0%gKk zz$SKqyh9mP_OrdVw7=tTK4W&Z(ySNA<4mom_2dSXh_t3Zly#k#ZN>?|Yk;;QfHue` zGsfj30Wo9N6y05Qr%>?BnOZjM=(_-?`XUdid^t&ql=jfv)lsX4&`JTxdE6$Md7^fc za+Xyr2^KusxvLe~RhAHKnDlr`Sb5eZE!v}`$OO5a&;SvYZSCo?4li(7Opg(V(c_NE z{WEFDEL^|O0}-rz|CrN9G7_Lg@$%jkj*;=XaMuljO`IxPyOohW)cE!50YtEfMJ7`_ z#`@x{rm3;O*hDW|`1_j=o0(chpWPgH95r21yFdAYzs?fzw0n~K>8r!2Z@rddnM-O` zT55Tf1{;G*#lhQT2i03{!Agq2a>{TQq1|aoYf%JpOT_1-BtuftU>`tccmyh-p*h&h z%8Hl;rEOEUBZL;|ITQ+|*E{bcS8~gJ8!ADG7ctB}L2#UO7PsrS7J85j8^d1T@bR;x z%XUr>W@sT5YW;AkEWT#lsZvdG(QqE4AgHx8)orq=^p+P?CfbKQX7dkh$zR)R{VOZE z%dz!gjG@ERDW`8B>Gz^+bekvC!*X$E8y2G4_@ZdD$!t{d{n8&f&hTM*AZ1_=y-d3IcUus<=io z&}vdiV8N=l#5oREVP3sk(mF7m)iImWMF+q<^`k;x8*;kh_3oj1$Y?8!3UZ7N0|}FZ z7%T%06r7qdI<3@PO_G=j@+3A!Q%#JTzRB#uHRyE0Q^{BGBKo@cG?VUPn;3F6DLh}a zbb|48-zv{=PX>FN3SObWi+5F&+h6mrIQ1k=TIdi})SH++Ee5HY#I=*9CyXMh7(Kz^ zLw~Q7IM8+Y`#YmOh3*y~mABdH%4+oPIupysE$vc-G)zlR@9p(livatd9lKA&3PJlJ zokh{9%$Op}0YNdbPUH&|?nJ0l6dd1WkteO9d50OWo(hlCo+`4_Q~V z5xGJa-9Zw$i34gMw6stmDJEvL4i>Q|K}pBd zT)z{iT3fR%XZSL@N7vQ89|U6D=SOD@oC~sBLN#v^MmcY?E$+Dea(Bw=-Kc9~vtFs! zv}t9Q_gT-ao(qL9+m~fW&SDTNNm_k^Pnz_UzqGp-AjV6YLn}P#T1y3* zT09Yc34R|{YxkYEFxJ|Zu^t_yrQ#?YV>5agNO(1_IaN9~t{W%x7%48ygxc6-)mSZd zD>S*rdlD4Fy!OqkRbN=CLIO6P6mdU~3ty5V8Dy@Dh-NWgOD2lDtb8>e2T%`Fjq& zg^8VI(wLg1fxK4z9_UED&p1m>vRbSIdzo%|Nl8f;KD+_q(y?PzW!1Xj^Ea>P((*kL z<12;yam@o;&tFqgl7{WEIdP9&a=s{!vcdqK z`%%zqR%13|*2Iatlmae|*dYum>huz|L&EBNKn`sJ#KnoNSIu zqkg$tPP_^kXIpHJ5m$RJWB{GGZ7=sXTNEGne^+ggim5h#2*gP~$OGoY8z8K)NeHUp zX2ZWZedbI9NZ$lE>4sqA1OFZv7}$KWs6B;wO5`M0Mw!4ZD_+{HZ*XSAH1wL7hJmw} zs3oYf89wFC{F2*t>4%zN?#`sqQ{ z2;yEInX?s4PiVsnee~otE8W0ugq(N7%w0PV4@_gU=wwEKhx2)9Ex`rODH}YV-oM0k z7P{(OvWj45&yP8c&J$D8mhUIG7$6TnU*~F=&O+uKAWsZ}a>o+mdV-OG5I_H0uvraQ z6hR~`0+i-1O>T+S$5&?!S)FF0tzDmbps%ii^w7!y8vJ)F?^);fEmav_J_tEC5h4Z| zT%wYVMC_09^4i(qTgT3&#~ue-dr7z)4NnpZq$4z7+#CBb_|sE2(lyFn{R|tn*}NGSDTFG^2K%FN^9;)rkoXPm`IN!BPjVMIWeJT{E;4rvMnVsJgr&q7`oLw_3sY zWJ+4g2J##IUj0bvV&Ioq@Fs;dkiV?;3mKM6+|~Nqm5gHtCCvPAGe=<(Q%`xl^1O2@ z*FA3Cxl`l{6E(sEN{#v9X*JX*U4n70<`PiAbqyv?Mvdxq6RpJ)o;-PCmamzxDGdXd zfDEo(yLP#_srx&xM{8c-0W1iE@Y2LY1t2+P>e`Egmv8~R|55=n%z0|2Y*|{%zn(08GxE97bU~zSk*Bj-;>6|k>)x&RE6Zkf^^ZEfjbYVj8O!Al8gTADpWYZg{rs7(PAZvJ*;uQus&?_X7OrOp+mYdWBviR&(R-)x0$CSBc=5ge6>4W8)#j zX>{N>+~FyV28qJ9D5PK7x^8fvU^4z!n%=*c?{(Zr{Lo=x(|lK{c4>leTc~XK0K&(TZQKshnindTSNN?)9$Soai~hZJVBo_?3s0Q~@Q ziU%xG`0FbSVv(Ru!DmTzflpSax)oGtmUpK=A5?n>G&j1(f%L_Vw$K7gAR%+%Ww@MZ zs3*|I+61Og^SY+CDaRr6tHe7PK(p`W*{e9IfV<6V)p!ueUCfFBIbM1y{mM1Gs{Go5 zGE*av0E{HLENgB1=o{UCVn`a4(-cTqIFfh=^2;I+>+m%{ztNx7hdnpI_3iD0R2%BC z_J;%YZ#ytJ?p2XEMo8riU1wfn&5)HAkQAD;Rn63bY-nJC^=TmR5qA>D<b!ZU=3x4iPf^iM^gh7$To3XwB;IRC#ivQ_9C3LqwiA(Hg2PhQHICHqvMHO=}9AZo2Y)QLiRJ3 zfK%uRj_g=61qOd8bViDo?1N?;#Rp@IAc&ZtoJGTNxwUiW&jWe?WM>dWw&53n9@8!^ zIenqq>1(w)b$X;-*RP4a5jqpENvi%-ya75%arxu$T7xQ(0@9*0vuuh9#B@!zip5U7 zk?ZJXS?V~ltISXX|s7B8Y@!u1xJoEAlWoAdM=&a7E4Obz@b zvI2(g$5_x+A(|uuWd2TMdp4B?L2muiL-M=LUZpwW@-F-!mCN`!1?C}Ft{?o>> zns`Be{sXAI9-!)w8#>{)gSFf&sY(jcWVu7xMmKy32rT6*hJ${>hd}{yA{7vpH+Q;* zls0zMIxMTpYD{^XJ@h^p#ln_@887To4{DhB2Puo%gK7)6=1vF+&~v-O{Y7t@M+ccB z{H=h}ZUM#m>LZ}T8@{RA+TXdFmRCC4i6+r1h9-`0Es``6G$aiyt?C^Lz%<-#FZKsQu zlsDu;bQ-&l=*dZ2viAnA6nQ1VVxl^sF%3owS*^b{lIM*=wt^=j4u*(;aVBUD1&lk<^**mUigc{Yflk z2`DVNsVF7vSnD5W)XH$scWxCC(IYnnbo;+nRGg}~@&LhMb+cQ%0}hy}jJRQV1xOP- zTijDNV*w?RJPzh%Eszh>Y9Z$u$>)+E(6P74q_lBfn7#PgHYVNc{Y3{=C92NPJ^#DI z#%C?Cltl%!mg@pzs*xA2=oVX#vp*)R=|UcWdS;*oV}v^l|26ZY=8UaNq)yu zv34N5oj1UUSR`uryMp}pFzRk*)p^$p?Uq!6q-cONC{0s3Jf?fZL|gN|cjcQ*^W{@l zMCy>f!$5waPQYzyCY@mf1WejqB!R3tQ^aK&so?{*%rH1M1XW)U)GOsOWub-B2m{Mk z$FPWoT$y@@WqRJPRFJ|S#_^yZ|jhDojJsPfWK zndeJt(WKO~!g_4hy=Qe|GED?c7{LDCjB+X9QDqoY04_`BZJ zs~4paN)vDtzlo##Bweo4iU{4Eqsm$XpT0@N)0{zdCZ%j*0T+`#@=C=iD|8lTP{FiQaA>FvrG&tiSgCt?{y8*$SO{ZN+l%A=}R# z%z&2);Ix_6Bnu01ZR9Ocx-rFs_wT`10zwoXFYgI_^E*NO_nM~v?Y&m}9V|;?eej0H zzxCk%%q2eE1o*upq&-3ZHvqo>cYFV;NB{L#|Id1V-Ddy##{d7V_W?T75qb3Q#gl)= zk>fx==V6sXO@Ce~WY5;WSKR$2mLw*z?whh1bB+8(LHu8~{oh^%1Om3v|GT|^4%vST z?!UG2|Go9Di7xEARQcuHzFrYs-PBXPVJ)(E`O3O?)b6=PnL(u*P}D1jNM+6m)}+!} zY6ZQg3uh$#JlOVl&Gpm*_vslr^vnKSPF_yoUHQ9QDhm`%9r!kUh!@X2&ul+g@Xd~U zm}BJjmHPboMmLoJ_U+J21?=JJlg;#aaJGn03}|KC-;u^0y!FY&C+)c=@^Fi?K=%SK z3I+-()F{+!ep0rh?7qI{RCeu7)Qy6FXaU@)RW2+wTcU3s_-EH|XwJ*}*KGJJ)9*6` zpv=huuT4-OKvhj&hLs){7cXJU`E<^ISFG#Ea|ikk|0$t)IU_+kIq@^vw7eeinYYI- zxm^>lG|^op-Ed#2@Aje*YQMbGyydWA!qFWebpGs{ojD$vazXb}Ve8+@8K%}7_^Apy zPG){@x^(Sz(dTbndEAIP2^IFyGUD^R%~Gt8+X{+($&6RUXTr7KoiWN;{_s#GkGb%9 zD2t?B*Y@YHGFVDlbT8orM6~@M@GL4CVkwa4&z|Mw!oMW5lNXcaScIPW@cIg&uwRXG z+&}e)g=3X+Jgq(?7*>goQ!{T>Mt*bh@UBvKf7m(SOy73U>s&hI`>NrP^gwIgZ@ueR zmiaFqD0Bf-C}dC&97Y)d>IBLT4%bt)Wzozm9D=%sJ|RV>9>~g$xI7QGJT6^46<$mA zu8p^DS)U&1mp3#PR`W(wc#7HFLhsAgv%iCW`>nvltX$r7EI4X5+Bf=pf{xvRw$JD1 zx>>f*NK@sGc27Qrr!}-k9GF6%Z07L{?vq}Z>rKf^xhn@;;Kuip7p`v)Ht@ZfK-N<^ zz5)(*>Q}k(TdMP)eyr9mKy?cm2tIS_)GYx0x+ZTa$}!f5Lx29PDf3pkWZG3#q%O-4 z<`)TFwi%m#?d^Gvid#ipZgLdnJ#BJkkJIMy7{1Z0MK>*uo$v^DQvLpIiX(R9OS%1! zrMM*C+r0nKIeGn=?85(I+~3K9fAfu`gM3|jw;PIzM6k+sf@;-+?>{Dn1v_%R7wnok zPvdN_H|(6Koz#3R(d#dmt^H2ujmq(9Ay!HbYp3YcQaCSv#A^9*bNwAFHO-g6)VV9| z8>3cPv!ciZ=3~Pb5+}^{6SMuoGs6?7PF<{tztx>|KWdINY~rB#U{vLOSB7@IV598m z+Lpw>(*c7%1*?E=KLwoWBVpb;UWUBs{uj2` zaCr)*zH*H)bp(WKkwYj{Uf#)p)u98APPKmmP|DCl?C+V&U&JHfl`id$3h>@X-F|`v z!i98=i;HsTLYWSM(_QqAn^D|LctV`g=AOD>p3tloGEK~{{H$l9hcgME{$PT% z#7?|Jrrvs7LpzSgsNK#kQ%^lrbLy5ij0+*P5dN+G(d2qgDEcUDE3@&C$YYt0Wj9W{Soy z&rQT`XiB|?ztV-2*vyL@#oN6aW*@2V3wIn=SZ88H%5^$kDxlRD2-_uimMrPje{ITg z5-PlcV0Mx->`5&uY$kR_y9SRH<_np`9eQ^t()Nmc^6}(Y#(3|=R$A2po|1U|Y7LdE z1g`uj>s1l|krFiNx;>qVsfflT`{#jj!ZUSKk=ixes zhWiQl&uPyuVOq`=&t8J{ep8XZxiUE5U6hQOzvw73)V7FohfgZD~ znU>C)iil8$Gb(u!&dJhC!tyEH)PNUFOwuJYVU;>WK_Ga`;?Gj_<+9&q@`Ty!h)?jakA6J;b(hPF zyzca>CZkx_N^Z}WtwjY1?@aq-E@F-nR#_2^Q21qWQ+V zmC4ci%i?kZ^}Ct`xRV_*v~W1T4H1G0(`zu%TGPQ4%QaKIAZ4obB^!6J{!}tVuhHv9 zLcZ>je_d084~gMuPz>YUbL8&Av|Xp@c8}Tbw;Qw6Q!y~cyQMjAqMYSUwYY5ttae^& zL1ez{ej>JIJ&N>zWXGVO3QW~TsEI+hjVdWB(uZ>5#Ao{XTvsPui0m>i!Ri;f69qrS zN$Mz^O;0UQOr0B(4yjvRoEMmuZV!@fnJb4;a-xUCR}tgS8iv2*i+88%RyxM9cTA1M zYEo7{!e|ZQ$vFj|-d2|vlWAl)isGGGsKU`Pn$@Ny`S4M0oIJ|Hcx7FS$_m}nnN!F^ z?;r!{+GQSD!2vl^k|Q_+y`>vb;6STG&_t77vQVc+&Ti)}&nQ$EYf@f0C=Hy~F zUW}Ty44ha)=W2PM@{XrRa+f<(iSnx76R?K);-*vNW7E1tuKfgJoCj_#j^u4$Ij;{> zLY!WJi>zR8HD~r$P;Dmn?z;A}qEb0~U%9)tzTDjI?jm@y%u3b4xo6m!DiDhKIZSKzZv9s; zay0*y<5_>3^LoUC;Ysn?{6~KeVyp)WlyLJ#u$8gU3mwRv5J}sNJL@&l?d@4x z_2XP-Z$)%z+*~|@l9DzbiMX;?-nGunebGF3Cpb~1iWuvFk};QM)phPBr3t!`cRfaK z809jM2BO_0rHI9KSgN_rDbrJPz2e>`!i@Fwman|Io{e@HS`4eu`!upAU9jRQvjMfE zppb}LrI~N+?lE%3DB{xQ$vGQXtqiS_$#QS_>_)UuGbP|5WhYRUtSvfhIrpW7?BqAv zT;*KUDk7!2?#`%;+n2?-B()c(rYnib(X*+PuSH8X({1nUIx<0+O=zd7yH8f!`at-y zO%ydS#prJxDBgv{hG0it>BUjQ;n<4GI~hc4YG*NadI~<{YrtIpTsA1iw%I&m)I@ce z$hkfPn#_!rqnH}Q_tMg_k2|d8(#%S z$10MqaU9Dpi7{d0sh!DyJv7bBX6&GfA)Ey7;RioXC`OLvHiijj~bGa{{ag_MvSn zJE!>HN`=nNIhe~}?7Qgc?59puE$W97bo&rLgEnW0Q_X5jOCWTf)er@ePyZHPYQEAQFs#k)YV7*N__p`&z5HXr11pY5+mZ^9e$DQ!h&RLx@o%ZT1 zKB*5xmd#xezGm{lHvEQb)4>D02kq>LL+M@{@r{N2J9+tq3;mMMbY0O!sETl{Rz}EJ zXgM!R-ST0F^c%|3q2^RhBizh+hF+_2vgUm;m4w$?l=9;O#i(~?ooMt#HZvA&S+_D5 zmK%DGtRhANK$hZcrs06JT`nJIt8VkYR|3$Sg*M9A9^&Oh#=_A>8%lz`FR}0gL7luj z0qKq{yCs$8@(ziz&v)+>@yzrcX^M(Ls13QU1sBdZ6$=;hADcu--IrGPy2%s28oFmp zMj_{jWShI{g4fzOPQEK?yf%0JCAXMuZ#fDf&#JteKTcCX*Bi6?pgRxdpF-_^^i+}I zJaq;{Wq+Hrha+U8^=Gj($}AHyLvDRNA&&aoaG+w|>)yDOMt5RMSTU{)K7z9AfA?zb z=%vz0W9;$bT}k~eqti@Cb*&Mo(!>L>6vP|(cg(zK#&f8KQBnNOZSO})ub9`5$)$Hy zw_aEQ05?HzuZ?`4YLAtd8(q{`Y_=D)T@;8oH|t0$@!-DgRUI=x-tsop*t%rHDt3M! zcXdm1S?zAe5?7bpqAUq{#w>oxb*{t9WNO-k5fZ+Gv%-}=cJ(YJnKEe?Sct};y}Uag zXTM>~u>=$!Lli7q(cgKzRuju~znKbtBruEeio;0C<$fo^S zF7vFS1ot%v-u=YK}MN4MC>NWRT@1)$t&Wg`OY`k|Hzd>Rdcse5(^pO+rJS!1 zSmL7%3M{9E%7#iPQixSSr}6GD$lX+=8bXM*QkUXHs*r3j+!(6N4NDo8kiLexLN=!L zNR~#k3O9NfF4P*~tuhbt@KWuxQf<;987xi{!FEJ1ferCBVO3tpjhvo}uWWQHi$;&_ ztHtnI@}xC64yR}9wSMEAkU((>s^F@fqgGQmamJm*)?u0VJ*Uv`>G#;MK#ME6I{LaN zD?Ns^Iz2T#;ufQhsx?R|@{?&#h2UM|=}84xLkxcRO^>bZoUV57qHfE*k>jR+T{N+^ zr$+})e$ltv>Ediqoh)8ypIo}FbAq1Au8SDS+30!LJ|xX+_f%Na%`+t}=?0|B3h!>Y zPgC({Ckdu{N2h;FAq>b{~+wOy% z9Mg`k3;fEVqwCfy=5OCd^6xdEhdRCQQTfneZGAJN#Tq#x=SnlTqp0;8p6hRM z2DBKyO2b~GJenQvy2cW3-u|6a_8>hOtMN?IhR_vHf^15XltdxC6}XhedG~$ zL&t^}CBUPp>%DN-aj?se(x^;0XeUqT&I$Jb5Xi#hl+rtfE4}Gv8bPmT2G2ho0%eH} zTEA;HRM~l_UXvHZ8MDo;rDgT$!3j}>$R1k%s%ul$K`%!!uE4-E@@@t9Gqi+}OphVv z7(F$CcSIbDQX#uCc+iWIQ){tECYP@W&;|jNJw|l;C^9--x&u~hSHchV&a=Sipao7y z3tTxY;s)!%zDF{zZWWEYt%k(pSyp;ZGi^TE`s}x(1qiAOTtnbU3?H&PH(}B>$I&ko zv);h!WvV5Kn8Q@|RB4dXD6Qrnjj&b=1ea5KqzJu80q>}#(n{MoN@j?pW4l#*+C)CN zS>C2&cTpOOj5cg9Y;Uq^Rf`L=jLFU`wgeXye`(0>A5$ahSUmZOqM6riltFZAcgH9; z>(+yf*^N3SU>1#Lk&PaL_5kh61^6mI@WY3Dc9zdu{a(m41mOIO_E z*j?AH+n!>#m5(q(ptD9qZubGK#-!xMccFYC}wE1Mp1SC{FQua5i|Ccm&uCafLRnYGN- z-mn}ogm^@3sB?E&?~PD{OtQ`B?jPWJsBvrBT;u#A%8JuE+d$X#i3@DU9aPGAu4Nvr z=Rt0vtEIiVV&Ke+y!GH+gyOZGG(8P}iu#Jvj8z)6li{K=FwwKF+9Oql9^+CGI4cx- z4{@UxIV#x}epBGpm{_aA@SC3RJZCn`RwNb0fV2aai9^8Tq+D7$T-TMML`2lS1=Vn= z;%qlH%N-BNy9+!ThpDIQZ{coqh1)m>+pVq&re|dbo#%C%_L8(-nRP$w5A`+6naHioCkvz5U&;aQ!>6-H*M49OOnngC0Wrc@M;lRNe!rjmK@pWt6?T zZqB<0l@aoG$6|MKND4K-EO*KDAN{!Z*~?bJ4DDkhUknTAE{% zp>usC)x%DUt4K2U#mCcr|bvf zq4fhb1!{-m&S&fDsj1G^$BvG(6L^sA8x~7ZIH%$V=QRDTTKX2UhuKH#t&j(%LDizy zSJ^dCnVj!@2gTwyv9xU^KCjeH9+DS*A$Df+vBo2Vu>3D2dU4rUb%wF+mlagXm?E1xf7w15oL~63? zFa|x%V^7ANZ(!;x`32WU)_^;mElUy174ip_%y`<$6T0^g2 z2aBd>6{@+O?WP@vnu%8RTTHrVywn7_X>dLFD^+qBk9}mXKEV;cH9(t0e)H)-i|i7H zmP6r_>y&BKf}jJi6$V>c?z!wy+A zs`~v7vNy_P_uNaQW$5o+4c}AZJtH$I1bPwS zm561n72D|&Ro=ox!Y!4CCp*42iqX=8PN`(%4c*(b#Ju}sS?#FdjCG)@O0T6xWwx#3 zQ%fY=I&WQfR+CgT4j&E|He~B0^>bvr7=OdIN8MQ~1aCh!^nf=^-f$(-5eo4Y?)r`^ zoUuDb(5UGouPgNWy}n-km9kfwEV&?`P&s^F%QUGY>you@lt9Y3p^)JG!t+-PURs9Y zqaI~59g|Jxf|rl(A4II~-lZw*PxXa$4_(qfqu~$ee9Vtmj^D;hNqq^q3_JC zHam#vvd+M#*uG(q->vwFMRm`kMlf6qYvJl*^=C*Fn_EQOqLFwzjZUP z#1qG?b@GIAn1T!HV6p2A{ON)QRZqORf$^dM!;`AeF*7rhfRQ1VM$F80SffRVrE6vg zK4|q}Rk!yaKl$JAQTk^8xO2K!a_h9d&bIoR_pl36(SI*+(9JPGcau0u(rSJ9{=N*x z3nkA}W^s$x`G_*-0NLJ54preXWhz};{*y9&!oQ^z%!LMfQy$OX{`O zBl7Of?oP)}f=J~z&1Ax(5Ze97F6f{dvv*xz<5Qs>U`8{t8?RR-z})X@xugzap>vKn z=M7db&B2EXU=j>*b1_srM}vH7e-N}r&y7+FR%oK0@;}b=!AEUfz%w!`>BjbnYd*v@ z&9Jz;{}mhFQ6p} ztqe%(xZVGqv7%ZAGOM79LR4j2xXHS&s-Nl@5A}O#7g;yxiFZ{{pAzoE%f_xqj}Qh6 zp$BS3QrL|TLs)o%{f>4THZt*=Ij?And zdhU20rDe-iM3u)st}iFY&DA*wo<2P$T)i%AKKFFcWT+}Av45jhzD=-E zq{sbA>zu?Rg2SEA7x;>XNA9+XcTTEQG~h!jFR#49+V@iDmIOAkD7;q6A57goAIg!= zpm3YGqz$w?*DnP1WzpY@_IkbqE#R#iT&C^1?BPx&+!w}O@nM!-P7S|-Jli;wMi&fI z4#8@W-g?NvXt^ZVkd4m~RiMU#ee?gkm>kfj}!+wLZpHMUIj zwoh!Cy#dh!{9_X{EzQKQT9|8O=+`RA{zSwf1dK7`5xs6F&`dEY83?;>HsWH@GG`L{=>nW;s z`Mwp-&+C??tSPF}2IQC!Ked!}V|3Qh6DYW4y7KL(yPn*T&D5p9AGq`8NEGeV*@rd7 zhhQK#uq*S~J*q$`a`g^r;#D{1ty-)#i?;7MQ=yP?zw0eIp{YMK z4;Tsjz{$G#9O-pxT6)>k74zF6e)!f>or?EDi?QAKz;BpadP}O>*|m%>+8bv}&A#f7 z|9IozZ$64eL-Pg$tEGl3ZW6374qD;1mvX*8@pc*hVybW`u`x^JQ^73;(AP52Az0ou z$5Oolt!^)`9|zbtm0tiL`eR{5WyJfUV1;4l?Ov1N@@|@*;`Xyc5|)?C9rM6P>kT5= z>xGXKa}*jG!J!6;2A`~JnSwBbs^Z-tLlVt^8dEmp;+O;fNbrZwl;uBfrdbDn=1Vo9Uw}D0V>E zeX3IA{Hp?97fBTNH$!qE+YF#oaTf`<4663QDf>8s#P8LAQKI5r2W6_|nx(4xl)nO^ zBdsrw8RAIH+?C!3l*^KD(O#n=j#E87CfP-0sM+s@Jo}ZiF8L!s;XLBlL!L>7s1>0{f+(Tr`N$~Da)Ifk;K`Yw#;#tIyk7gl3F_Nm?k zaL9IZrd~x3X=uK1sY}BaoV$>5uE}7b2*t%ovZtdD#aF-#+tP^EX*^!L^zk^9g$nuya3)6U{h; z)b5h$3T#G5ltNc6zYlQecYG|8MoI9dC>BYGOU45j(e1xDTvxN_KgRbJwy!?#Cwur8 zS6kpKHMDbA^(SsM72|ZfsyIA!JTd8v(uS^p9Bus@L5B z;>wWim4z2Ui+6|yhsi4U1}s{>t!JGW^C^=(48M?VKEEa~N#39MJVHL_;zPR=|E=r$ zPp;Zg(cPMQ+!0@{wFI2lk?2$pOQ&Mz=U*O-30qf4rm!OXC5#Z3^)1=HMn+sk3FIZp zzISM}=YuZ%+^cBzyW6>0Pz7ZY-wU~1lgh^}C0Q#2)WWpEIH(hrx)52|0S!g>9AG+q zHwks>w+fm)wAM+K=A!q0Pmg$@d(^mFnNl5K)l4WIR|FWRZbkZ@+D~=REF+}w4!Mm@ zZ+^166I0P~@J#4(vwC3kz5kb{?hz7^hT1SiTb8D|5jYr|Fqj3FOCk!Q-R^F^T zOvjinb{yU@LYE0!%L=>TFV{c6(cGjQAL zBOMQWUm_H;d@G@u#@?96WL>Md)W#6(t9iu_&gPbI@|WSWK#l0qS~d5L!SZ>pz}cq9 z41Exyn6@?p&>5_e+YN@MzP8AC<2Y1c_fB!33<<}NWno4UG3H66h7H?U+rZ9SY?Zv3 z9=WWkC0+;9PO-zv#9>x!T6cR4l$(0B^8VaL6O7qm&eW}dy?2tcgn!=nKD|$ucf*h^ zb-ce`nL9IaGGQ73)@X}f@3`R!rJyXJlJ{d!aa*-d*r#H9Jb?Pbc+qtfedZ%F*PgbS zerWLrkDG-lGcH-;G#wcXaKuH70!-T3BnPZcr1*vQui-DIhEcqypM z9MF}ND9(}p=G`kqEF?zrLcp63cM+izRfL{dF1?ypd;c`?d=Y%QB1DFG6}g10x3PKS zFpjNLrC`$P42*q0TP=;iUTc&)MQyhy>P6=8Xx~-gmWDDxKA5TjuOm!PP^=%b{~Fod zJrIOlw|!33&K^MlK=*8LmCljbmrb}8TM50FZ&)WfD#U%r=8HiWo-m!oyBbF_j?a)x!SxWkL@ijw5D&&rLQCW;`K zBZ1zRwbGoouuG-@uzuQhzh`3@ccwX#wCri z5nG@E8=JF>;q;sFCfP&8-#9Ou7&pGSPBN=qhRH`3~pnV&Smy@3v~grAj$K z8I2IaQ{l-5K8ZiQc1H3jNibTmSpYI_$78otqUc#R|F+U9X|JCTaZ#E#g-1E1=OWE= z8{2YZNr~U`P{8wmm1rT8s8K7X0lDF$Q)qPbvTw2rei#JRs&3 z-|c4~3;XII&RW$Lc{X{r-3XUqI}n5b*^7=X-~mc-P(Z-6B(_isW)BxBI;~kl8JEbA zMVWLA52n8qBsTW{=9tpgr4&+GI#Sc;of_B%cYL>Y4Zo=?HkcWCfOpFpGXsF^vr@+lZ?c7%x%%`k>F#m` zN@z)A0CR;QE_VXD%*D&D3{7G#SSVGKMWCe{aHcBpVC&LQj&KIN{CG;hQy56?p_EdI zU2K&g&R;3o7%`raac-39nj(esDrz<*;;QM7SNgKDpU{%@Erm^Sm+0fGX;jzoQ9ZcQ zmzq-7yj}B~lbh>;#zPj3Kt{k($8^G*ulte#4MKcb71q2x^x#lL=S|qvIKVqe=w)-eNB>d}Ir=E<A@Ol#+a_D8d-PLhdvD_xd`&+ zskP3G#*#tBzlzfQF?{|Xcj4R6@wbnt7XQsstm;ofCYSHOEe|v6^ z$(~1fkKQ?Y_nYZ5%T6VuKcLOB!oz=N$4bPGN^=M0mngUd{^LzwgWtX@z4Fz+NH(%Qvz4k5j_tY&C=ecsn$xE_U?0?m~xORSTg=gh-dl6#)jJP82pKksdxN*9I zr_J;HpMJo+ls|tP|Lf&E<+U3K80l)Wfbv@IBX;1!q`~lPRzpMAplk~?w{rc6*<7*L# zZ9N6(bDsk=7}DikC4g}}24-dwzsu?gn;*OP-Rg)U|AN}S3_JBWd(2hC`?T+UN3iMHK04xfi zl%NX;WX4>B{a`HgYXUQ$7JaW}{u&ja(=L185Ao-j8yXm#0j9+4teROaSn@|II&(8kZxAqA}D*G%>TjW+%8LiN0Sw6q&5XAy(t%Sx) znN`IBvjpc30u$ll0Cj9-(*MtzH*Ht?5tn^3nOW4(c?=+;df@2;>bs$jdAGkLls@_b zsyNq15Xrz~_@KM&6?`j9AyY1%Uhb1)AMyOkk28m2T!)kGIwXvd?`|59F}qGj9m!*2 zyWNifauMNPPuRXa`Rzq_KCgdv8X#$$#{7D6K1U|x4{pgtKfv4T^w90yV_R_zpEdIgQ|LX~E za@kSpn^orK<~|2Ah9}I=J2=l`v1*E5v#$ZQ~t=qTT zUvf)|08??(eLOtw>E)ned*+Po+R973IF*&|HvngM4$qm z^^qgy)hW~OSH;C02TlUl<@R{j?O)@HG7KNsUZ&5YyTt2Ca&vPZcPqz3TcJmN|8)}* zI&{kaJ`3QFL=OLaPU_>`zwh0>ww&%jmFD13DKmz?>=)fM;T_IU+RLzCv>7@UPaaS|QiiyG(M^j3j&g*~r)$4xGeo7Y zmHAEj{y$^(!sg>NFCPsv6*9>;#t)$^!iSlH%gx32)wr zjKoGo#cyqeEG#UpSg+GGOP9wjp(`7)+cuv!^nAY= zS?HH}NmwO_9ZH!t%aB6{SC?%rlGQqP z%%-5A+|UUr|0OLSJTsl!p|-KdtS9crIwiWmdq#zeuRCtFRAj+{6u;Q<+Tbx(?+Dtb z3$3u5@A%hssRf~Bf;2(??VX1(zTA!wytRuirKtS7_a>I!OW6jNdE^?1MLe&`EpwX3TF zEf+l{5Mo1)s;g=6ieSt5>b1|`(#Qx>_XU>H`bU3c=IQUtteF+g(B-GHHzftO*VI)N z&&_I#XzBuRvGHiH+U=MM>*^!nq%e6RouvAR9sRCAsR|?kmBfh@+x=di| zwskB)U3n-YDTQyvXPW1ovQ2d$#i;7(bJM~}H-rV&M93p>!}L(qB~j7#03J416uy`l zx)!ZDqaVtQH2#dYLgo~ojH+l>>9?t#uG+K48M^v#Z5E%Mm?-qha+iPU+R&fp@czy4 zUu5mJDKaS9J_T7l=>WP9|2#S{AOeTO`$k8drJTPhNJ;4)Jap)sM7v>?BmT-^Y`LO1c`UR@3-(0Xb6Jv3?CZr*O7nj@@42YF6NRl{1=K?<*!S(z{F*m0o}De|=`wr6U^$|ceI5Ik# z1p>r)^>SjsO}5!~R`(;SZ)n7_pxGs@9eD1S?0MB$YUBeOW`{zy=i^d`=AWqh&R8{C z2J<8)0F!i5mxO|z2##Z{HV#CUGiIOU@U>cC5qAXFzslFqa(xnJ4wkZy34hkcAl5#a zR%~DgSIWDoZ{R4I#L}@hr}Hte7N{yAO@lOOMQ67kJkxH3}# zr3QHC8p_4pfLu5iO;N!4cZQXY?bYVf&{hV|3 ztBEoBvJNGE494nRfNow5?m}NFQd;T?GX9d@`3V;Yx7`SLM=yQN%ubtL9S4PGB_)zi zK^t{&?vmy9rsdc>tET;@1FmM+2S!FloIBIbbthK;gz6qa@=)h%fdrQlmQ#kqMU|nk zQq4bX%>O07OBLK@P-sXN1n{jT35;2DifBT@(t!(l180;(+acg>JLYZhvJrDpi+=X3 zYOe0KmfA*8(Cue|luLjCUMbk7zsHMCs4p5iL zo3L_i5q&r^G<5a3W~Qp4b=|<}NQRZSp8pg)I_oG5qtu4hZLgE(hF zt7+?%ZPO)b{ca6QmQv57D=42XsfVs|x~G@9RLHt9p)k9J#WkGgr{_umbY9IY*O3Le zxhdkyl<6-x2hYjS znJR~Sz7HJ{Dl7ab?WYG?fT8`L-M8?ZUxb2Zl`mhsIR6T-cNNhF`EcOEfU*4DkcSb~ z5UVhSp^U7YMcL5`x#ylPp=sq&zPrlr`mgd`Agbx$6BP5Tn)akZz%)sf`U zuM(9rkQ(6|@x_xHXmVXSkLqB9>*gOFMAIa~e8UH;oK z5qAKyUMG4-DfDL+iT^-v4v8n_l`+O=!E9wt5*f zrL*Ai#I+SxSL(H_$$|hikpK1!3E3Wo>QdB@6DjEkWl+T6*PMXs%DqZQ9cZIp-Iw*C zs3h+`&YiZW(rYf@DJD?=N*vj(0}p&uq@lT;%rol8G(LpLk33lsTv8z@?^vSta-X|d$DpV8|>%5a>!3{gU(p(SepWMT^9KH za98rEVvs&`HY)(|q9W(cMHw&pLm? zLx!#1nEOgSUY9L4G!5xg%qm46hcyC0aAg!|HF5jGo^k{>Cnl*Zu4H*d`@XG{L17#(00 z?IQqO;36S1H&+;T8M*ytd3m|QX;7k9f8kNNm6!a>LrV6c1PV2n&=i7&4Equ$o$ z;kl|SWqcQ2ps9oXUA5P;&}-T4HTCe~-0>0m@V^`m+eZhXr+U8HK9*k=5`4%^rQ@mZvR%c1UT-UFhb^6{^V&#=tyxSQyx@3KJol83d{6=^uC^(FH zXj7$B9$_VSH6tP0K>!Ssb%tU4&KJd6#8-eP^ zBV^fGsJxH>B|5FmFo|3ory@uAoXls`)mC(!Ypq()d(%AUG)T52N=K)=g?6;J7tX)0v>A~?NzoO1KTKY5Hf?F}r4up(7WA6#x8yR^EVD44 zD{T5d@Q?&YtIv-?8G~Mjaq0X@PhAr>Z@3Q<--g={M*u(rtlq;SxQhGR;NpjoE&=45 zM7+jWJ-W{b($&Q@q7TkUrl1Eyd;%m!))GN|_xhdozLZN1>dw!YUK0{Z?a8gurVUoG zui+b^pd(nQRR~jGuxeJTTRUN#36BTz_)Cjuv#>Qu>+N?RTLY}VEHWCgKieUwu&`Zq!D|(O3WU`QUo`A zn^;9&cJH~LR|mS574EY4+gRMDyI<~6_bu~saJXZ}r##-!mAX}3FAqcqcuYvcobp>S zzxD6jj!q6Kfbo(1TJP+s2}VbEB9bX=SjyxtHrS(-#;jm1c8g({ka`O88eh^Jx?E87t}?&PY*y&ktN}-DN>&!3$Ii&; zjRP=J!KTkmFl>F1XYNtex>H$l8i@nB9$QR1RO!?MZb4So4O+P-KQE}mogiDtRAmGy4SYi&$2Rv*^`Cs#{7IPN|td zws1f9h@SukcN)=OVJ9lm388 z+*+0qIn!rY$3Sg=SJS%ls@i{R3)Y?9L@T>_OS7H2^(7ntJg#ni<3}n7^Q~t_!4d7; zWVs}8^+lxhE-O;iAs$G!`#-9fcF#cjB6&7bToll@uwtZUz9kH0`G$~fCwg6smO{4{SQF`UoFh#v{Q<)^eKrw4WMNH z!Rq^I1L$T2Y=2@c3Xp)R@R+y(%#G$$ijD}R0kj7S9A4S58|EeaaQ?VVCl^PvlX6gL zU)p09oPas;ou;|HAq9apf4ERb zYxe1?2o;l4y|1=x-e5bY3folZOr2@3h|k6K<6F>y2{Us}x^_0i^cql#=926n@9J3W zk!Rj7h->Yvon-ZRHRnKHe*QGAF*LRtiuJa)H33V4WGq#QX_KR&YtA`yZNt}oQZyCd zgcctA{^l;GSbCw=Qpd%mbb4mSRDFDWysx)cSXEUO2r?ZcdRw*3%+f_f*V%uAm6W)R z9q9Ug7EYW!^4-d_%lFgz85lCG`!d)E40&R$$(8`53s9W2*(`@402a!gISm8Z009DX z7*cUaePhmVrg3}R26yG;@Rt?!t!@1dAis|9VhEbn+hfVKK{Kh5wPv`}nuG=sene!3 zI)m!l4i7SZVVs02zlb!pbj%XV$#hPdfcU8_R2vf3=VU+!&XzGeh_Wae+E>`2Q3 z@P>v)OP>i*dN`oC-k}0R3!w66@USJ*;ki7p#;gtOst?rNg zI(P0IWu1fr;z(Nc_4T*;FBjFo0SK;+P^qcP9aKG8EU;3FSv;Vl6#mqkp;B?(*xl@e zE$q&Htr+^0pvQz!bucS7`!O=zyKz=K5zXkx{|nw;cV!I5?K2K9YOtQrG3bzW?G)Hw8%wx)^b#D8OW>D`%Mj@}d_t-aM8r^8t z3?XV`>8`0ARF4xH2-_}v+d+GI`BvytIgTr#tk_UtAaqpIm}Gkv*``GN`0i?sqRD@< z0{W-IJB`DXgO1AG3!1_yUZEfw1=&WT zxsJEqstfMk6TA@^Zf))d&LM|RWuj@MLFVYemhV-912w+ADo<=+@am9_l6(g;Lvh+N3O1} zny~nN&zy3&z5nLT7ssXB9FRl|8e8~?>oQy zkcgPrK7t1u{PXpy0z8*!9pG}bdQf+S<0|xXfGnW*>zlL~okplocigsmb{F);C|1RE7T=xH6 zy#HOi|BzDi|Jt>EksXxsmAiXy*nH}FE$t|jbahdKeqh4}q|**!D|XlEwm}ok)p_a7 zth2x_lrFxVj5dmT_3}+~*mZyakb~$yL8}F{B#zmHRB>={X!}{Cy49i{M;-fpV$FOX zlnv9TelaNfWX_?7yLRmkb|lf7xQbC=J2sBdj=Z9iZs*?36oW2@eubsEn=09VUI5h`{UpyAinUWM2h8YTkF zUF8n%LcIr{BKB6;g2H^Bbj*>adkE2neq|TC(Js2V$B#qyW>%MMrjtWy7EP}G<(Drh z>iH5ITa{L?5ud1RxNj6qUAdt&i%4oHxY9Vl2P3w)H?BxQ8b5!&6EImLmNkj(Bj7YGt?J2l@HuOgn?gxwywxmi zmS?E?5$gCHk2$aDxRGud{?3J*#v8uyA-gn(q~ZRgqEfZ((@&Z@C7Y-pGMEHUyFa~Az;aJW+>T!YD!gTqw%BFdFs=GRX;@#ZHL7w!*YP{q?^%Y+wk~^*|*H5N> znQf+PM#|b+q(D-2FfuF2`{=a?H+BQsSQQr`xs}wQIff#uZfw|~{!`ti4R_mnX{tld zPnDleqj!oSB*)I=q@;5I@5k^Wty8st`x_=C3gFpfMt92SFjpfZ3vvqwP1VhcaActX z)x*Iv1}p~+$XLxouPi8r(B8#DY`s!8)!QFtDq80A#dt1O`bv#Ldo{zkl6>$(X#F9t zm*<3~o74RPSS==5=)m^%*`8OFaaYfk_5-AsBy$L!nxp8QQET*Pj|{L%BRiD!G&P{v z0+4^U?HuXvKMSDj57j<&Dq8|YD6hxWNu9>(moMK)Fi?pA%Im`5c$fFC+^pQ4(7ooG zj`ynzQYQ8??P?`-GoH~DS3ey+aCUNY?sZ67*N?qQLCSX2VayaUUiD{!+SzA2bpYb* zo0{On2=Y>zPnzz3))c1VB35S&_S* zW>3BS7~1AusA83|M*=njSz_gvfLf|b3@eeI*OO<&JChIQa;xi-!0+z6lWJ&KTV`HGh+$tY_U2fIwCJU zGHpbn%rC_`c}e9~0s2Cut?7ap{*(~X7Oon%m!qj(YVdKD7cS@ouK*;gwdZ>r{qSpF zJ@EtLxH?;YbNFF%n`}9sEQiV*<#B7+b0M_%#dpO9T%8TQV?t1So6a>qhHoluA+Eg@ z)~C?J+jmOI;WC~}z>)kF(~EP@q|7OwRn$0GdGOphHBfzE!#gaTFlW_3)!%-wojM0= z>#=d{?{Rxu*zNpmt-FyUYOUMox}bXonW-5IX#^Xzjk1P`Cf_=;|tR!8T%jpn)BM?muzt`=aH??Xi z-Y%V>LQ}p;1QdF3)YvG&Xx5)T$){CzjK-8hXF__q1kl@N+*ng%T;I^pa&@CqZg6w* z!f;^Q$`jtCxKm;P{j2STE5LfW8CoTWtNvmxlj+e~I%;+%8rH%beXi1d5q7!7m76f}MEac>#fL098LhHtX=LoL0ghb^Laf~rfe$B-MQ zpQW-L$^6z16o00?R0qL)nqS{2%jo*1lW;gf-#Mg;m+i+BmgU}^!KTo=<=r*a<~&;Z z;2bn_{>EX^3=nU4eyLPLcsDf@2bw2CrEZSKlqqbG>u33`u%NZ>JlkF zC3b7%*?nggFzKm7hdwlFJTB;QgyR&}|Hmz^r!e2v24&O*!UYm99A%t^R1; zFN7|2b(_$2mTK{PWLzXl<W} z%=F}i(Hrt(GHK%3e!1Ik30rE41|cRfpi^|Bt(0>QJ=;g9;;B;@yOEr6JMuND>A|k^mbN$Fm712d4x_g}Z0M<*XtuyOT>^U!=CJd5)so{*p|4)v4+DkyU0|YH23Qa( z%P3tb{kBeS^LCrBigc9daRep(z`PoZ(0%(=KldRop7!i&KjnvR%+nk(*kJOxx-pMo zjMBR;c!!%$t7QqW@-|sXAp#ub#Jcq(l4TUs7gHBGVK>Zd@6!FN2*~iJU4_>tX;ST= z?%>Mi#N71R*|foHb)o&#ss7o_E2#}w|8SS{!w)!my;#c)>MKG^m7Boe_)eja7Zo_w z(0N5JE5zzBVuHEPJ)j4Yg?W2@WG4(^Os3`}vbN@Tt&W$K+uAfSwITXNDjUr*?k3+2 z*?^HUTL*HO&GnN$$t}Yrl`FVn1$fBYP&dmO4ehz4biaEy-ge@YptJO0At@CB1e1P~ zxbM1tNCN+A7UO$zY^wT`IORu$Hd#bqw}AS9&;7y@stG08^6m}~20F=QV~09$ zGBNx zjIPd)WPy((-sn^OF92UC7Sn6dmOpFy-CYcsSyqy;7)THOmK>R>y|h&BmkMb*LSLl5 z<~^cHC6HI?rgeTTP(V;f=??58i6K>Bo&~+J;BW^lDKSc6(efj+Y;>KRWe((Dp+>&orKGNt| zP4KAt5)xXKKo)ajy>l@m!*wX3R$9wiI4{@8A1qX4&{{TK=-|4ViCSnK_s1i?UqQEE zx1llK>KrdZ?eSdK8;d3at@UT2N6G7=4O`b~8^S{kCax&yVfkT=vOh1GqZ9udcTme7 zb0Z^>OP8|CoB{&sK&pBz##K$brCw(lfI>Ql-*X4+?(Q}iweSA37CPEinc+%{*^;MedEJoCx^8vT8-Fh(67d8 zMpM2ZLu!e^p{@LFH4x6N;qg%^v%TO9b{#C-WB+lvT4{5`PKZe5_ zz4b3SSxcslP>h> z<~EnME=q?C(S`L`l{B1xO?lmg&i4WA-1u-Q$bqhS3Qn=W_6JDQw@zK=j_%M&B5s9+ zkd)(7vSnTKrZX>lIa_|18Y@Ub$oXmAu3*NVonOl?R)In@~VXZhg7RZ&UNUQyWN#IQjxK=I)w1JIh~+C z4$g7L6h)Os;eu{bUw7pkO*ze%z`3fnzimV56gB(-UOtV!HoH;ykfvcLWI~S`=pnImcK@j{3dL>vY>yqpC^^Ho3J`zk&^n64s@?;hlF6|G$4?oD{^wW zk80}5oeeb_$f5oG(*e_!D6=}k5<(3Eb-P~AMaBf@TE$Rg4!!JmyHT`mgPN{-c3@wS zPYlyq+4%;B;9*g4Kv@09596pygOF-&nJfZx@Y9dqwz^nnBMq3E3h;Ww2Yt3Z~kn?wbK6*+NCWEs6RRR(bcyh?@V@6Hk%(KVm+nm~uq+*Ya`_6-T=vx&7&+6p%Be)+?eFdhblM+4YBiupYIYYL< z(GM6q9weT3e(m^K-UplU)?JLaJMh@;zMvU;08z!Sad`o9lPhCxc&@%UN+a2I_!5#bzB!OC21lZC`0jGUv#8lR`z7j*Y+PL4=P6M zyd85hi&DJTzkz55H8>viK{pcsXXDww61+4=60=GHuYWcS+D#hFtJ; zgl?nzx~7QJtE7hKB){Asz4bqdeC$7cQ7x>z!!^botEgCCHDFkGUj|!x!T*Q1-sCfn zUZ9MuM<0nuH->P+4?3gxz@Kqe3ZNVT(T|Hq=p$`Fs}o^K`;lj6zn@<+Lfo52t_=8h zC4QZvwmqrDkmYBq41bBw^{CEgA+HV$+0Pa#6?twxc)r6EbdsAw#0Umm`Zl-jdJgDk z7$5-;K5^qN?5Jw>^W4e%>T@fwci+9;)#7;828yr%_~z22*4o(33v-h@R%Uu94xyCOZf z%JH{>Be?puD^+rzw`dz#AQZA*!{C^~^e)4+A;dhwYhL!~d)F(X_wV1w6$)~h1hYOm zhedpG7F~4(Ck#6E`3_D!2}dHwoNi?KIy*Fo^4%7IolAu%yeZ6uaNOHK6{7`Jli71v zIl3FCt~?v-r$VhAKaaU-754c$J!L{6Nb5J|lSaF6B_H`jvtIJVP`mZ;LWg>^F-!N5 z(5^szE1$hBhp>Lx)nM1QZc26+p(5T!U1o2RVT^->% zqy7sP*|Mfq)-7(4QzWUcm}?cJ$AN5U>a2#1LsLi z*SMis2kiaD6jhrQHQ*AbzP_6b#*~iLHk~99wJs$kQgDOAk~CiX;b>8gg$1i^51cbV zq0%0?ehboac)`I0b=n#0Bmb%HQ{kCMAx*!zl=XMsVW?5V!^880(bsg@-e>T*SI8Gf z8fW@|pK(;_*W!Gbz8NLWyc*fkGOFDtVM%5ky0^NPt8BSS2b`-itmc5A2A3CvQM~q>xGt1WrUmbxXV)nNDbuCmTpsmXj5ClJ~ql3gp}r1 zTX`b*k!EFPn*zq%@QNZqJhORN{9~7Gqk3TKsz^7qH$+pvfyU~!+lJi2JNCC@>Rly> z)iXf<)Z4-dLnwG&(V<`6_bupoc=hKOcO;MJ*kj!v<6-WkAz_+8(ur=XDEypf_oZQ` zPc3oZl2?Yy_9NYIe%|JO8MY!2lYWxWvA2J^!rt_CrJ_VVC>ae(9l(W1cJ{Q|D4hI}e3DfpL|Ff)A=s@~1^ox(GR zSltetiiXQW>gS=Dvy#S2Y`}RsH^~24fTA>Fj(!N)zT4Mi@}_vx8I{0IyBT`J5rFmj zM#fII_wcLDT68L!-k&Z$4#WQda?LyLp*aK9IPIk3(*ZLh+(ik_Zxiq8qXkVA_~nLp zN*%x7WApPpFQY21v1m?u%E3umk6=VR?o3G{bGRr}E5tZk3y`hhUfm|~$V3@K zj^O$%x?i%>Z>XlIa2X3o4Fz>fc6NCU+CN>C6E@Dn7zJs`zj3M3QxI3v+R6EPJ-mD> zS!8QLdRjJ+TXFSKI~<5b*ILb3YYb8|;T$b_eNPY|RSoE5VTj9;Z4|d5bumD10U{x~ z7+61;IbM=Ch|@nWmhQOKb8Tu5wleoC+$LRFrLmvwHFbW$`zgi|&o;F+mHgHGjCqQS z90=OBh0ts`Ob!s;z-GT>hC$sDS%-~&x0)kAW?A*lrT%$EHCaF+gDSG5rKJ_c6;ty5 zeOZaJ-lKZOO6U7g?n%1JN0n8sT%f&F8PrLXGjaN$J#uBtf!a@0I1OOQhE9W{s=lZF zN*}lborG_)r;PO7)~wZEr0;V!d#+$|_c4gYA#X2_Kspy!mSEjXs+tv9wW%hiahRs{ z;s3+jdq*{$Z|&koVMIhgWe}C7qli*f1f;8sVxg#XLJ<)uA%KJ)AR-7eD&UBKbgW1V z2qXbQ63Qr2BOnP7l7I*iNTDSGLX!LCyze`6?^<`Adyf46`2Cl~;@duD@8@~;{_Kro zIL*wkv(UEK!pF2vof^O%0}h71Z^H`&f*YQmtU8E} zb`TB{(9)fD!ZB0~a`og8h{+LqyN6Y05p6Lp9K_y8N{W>F`9v+cH^q*Jd>o5AETsTT zg&9>w=vu_P0LptaIcfRyIEA8Lm((v|y|1lB>p&D`D>E&cm>xQvL{OwwqlP(*eKKGNl5gzCuC}U9HB5gHW7* z*1*{*+Jl5$Nmuf2^rT#a&5QXJx#uA{%})lPCG88a{)8GmsXkJy1|Ud60syf@=j)%SAJ! zIH7yCy2&#Oq|oP7j3n9&S+M9dVbb17BVx@8E@;TJ8dCX|J=sTHka*dVM~Z^YM-}j6 z_Hp@?nm6GUcJI(-*vq!=M&9=)dtVaJSazzR+0CD7<1=P3ryF@ll0gAmjHY*6@`rQp zrt>zUDwG8vMe3yAmCKjkf7~e}(>HUI{rp;8_*t-h4s`miWRXTi-$TW*{Rfs)n(j|& zP0HQ6U*u?2fqohk6gPkO^5whd=>Ac?6Z=nVc__DPu5T;!PYL$-2S3Tlz}_zO0Ls5= zb%Bm(?r_end4*nMq|2LFiNipc=AlqIo2<|MZb9`VDv&Iucjg=7wbB{WoLyiIFS~a! z?LjXXh#~7Gy=hlV{YqnMWEHl5MD3`C8^EVFa?O@a7YCLKC^QRE(V%M8;8_1RhJu{D zTsCy%eO#%%(XcrxMWjky-@V#OrpX>?W6aJyeI`x-4veTBgV@&aBpSQI(K$ULCrxcqcTxPt}*pkiL;vfxU2{3o*B^e|*Ki)0nd#Pf@;F~RqE)h2!H*j z`o}AF`!onLP3N0{^Yn*2sxS=|MOG!*&-R!uk5H#~a6R!BiPM*QFYTxwbt^rjR#l^< zJZVJ#_C+MDC@;o1O z>$B$IHH69flqyv*+_7Qj-todqpA5cBrqxckr5ZlZ&;1H&jC)2Yut|fE3KHsp{Iv@g zbH^9IQ8Upxw22-d@~j;8`F($c_Nxbb3OhT#Ykl%OSfNlEc@Z14XfqP9l@?ogAZTnO zR`4615fl|wpI5ESuqg)OoMt)P9D>(`Lk>%oVMv$@5FMKIBtlKyBZt>U>bSw0-zqY1 zm&PW&=f0l6slce6ai02)xf0tXD*3w=mBHnIPUqf4^Ts#@n2)ZlvCVWnK*Pa-k+H~a zPmyobeJ_D>LXh7UitHOc`W^AxR;Y2jPjL+rfmPsObH>+RN$~ra(q~fB2WP)eLMCIp zQu*;E^rnbT1GyS6Hgq&rBwXdNS1Nsg9E%@}E(Loge#++!ycKrID4jX@N}yyOH%vbg z?%JVh7W>6d;12SC2gzDHK(KSDS6?21XfzU?(Jpfo$GLJ{LnEJv;|xL7~9@O$@Jcg%=pD$FJ7v7FO?Ik`Es-a3P+*C zjUH7P%9{xC8=;7`g3eNyCiUot)s$l7*4LE!9bmwU!ush@W*d+v-bXV0OxFUJQXD5v zX#=WGKDOpd^5c+SE5KzDGOx~=NE>F9MsOp$o@l;nZVX?Fj#NEqa8l?ohQx`CN1aK5h!~E!@r$AoB4!@KkDdMMxt3?)CFEs7E z3gcEra!oIF00$}A8Mfqs5k?OV8D241%<6kN_Vr%rldPvqIVzUOlIB@mToG26ZL1bT zO21vJ=Vz#jAJ8KP=ax-t0FI{x8s?vMm ziRtzFE?wZ{#dX?>L=(Od^sK6lOPz1tuan9Vm%$xv0dqaV>t-*FCpx7fM>{y6qkAfv<;aSL;#_elYrQPS!&ARf~EMv467a zTct?^FXC!a#d&7BugR~P51K%M=gTWkZn4Aw5x$V9Lc6LXfoKQ&Uj4&H?Vk1KNH_N4 zYIi)~AW$2%D03R&lc|)7O5uxI*@B1zfqiy_jj|;Nc6@0G za(Xh`;R#y(@Z9Xo zQ$t%^FsCBF{M(;Xa!y{N5o{Q`tTvCOMJ_x%WmOqi+f=zUhGnVvnZq6n%Dh{VQlu^& zAJuo-r|1FBk;Gk`>w3KC{Jtt~s~Z60{Os+DdCIq|chWh-(3HugKc{^9PQO`w6py>= zSJ8Kd{I*;U5D3VA)JR)hJ+;AR3!-tiP&r;EQj2yR@QN!TJNUIJ{UNS#j|j~NK4Kw5 zkUrz8i!8(?#84B(+q3F4leTO$=J3^|TC~rjh`~25U?-iWcl>x|mFM|DNsJxzw^GjW zV&XgQi$^a_d&xHBYP?C~_&9&>J$a5)uSF|==X&&X5IVfB*W%hJpqKWNj2VZ#`KD3L z1IA9k;aYtq`$aVJehkbUTO3#YVIOAcSIi5$Q>J51iUB*F12+vTu}_ zcQ5pAK#}|L3N+&Q(W7nyr!tSA4|<$RdxW}L3a%vNu4QZ!)mr-_;U!)=fDpOn1l4}) z_BO>@{~ORI4+ovKVcHzlV9tJwvf0l5qbkE~a?hmPl)Z^+j*q-ml}2-JXRgyeZJ<=h z(De!q4hTZ~*kHE*lMYn1qD+tHpN#f0Xr;kyPc$SS9H# zqH!jh@1R4xH;M71{y}!8dH23@{0)dm8h(4-7>pGqS&C(YizLtK_PF{NR+}6QV1^5d zAy={9bRg}k7f0nifQ|VJH(G9gTZAE=$y=btlbXIBvSx|BSwY#>X9G0zvCpb2vfO?lb-S#d@2g!};D+ z@LD`EDoNPCm8bekv}m1w*w&KW*}T&Z86?mNke}Df^6QD8H6Vcgs60h@!S_siKEC!a zw7I%{!F+pU!jD&ENNhX~WV8oUdHe4UtuA5ZFV0mvGty4W$1$(eLbNI7=NfLRV{b<6JYD~(l``tq^bLqvx`tu9 z5GgPcWGVS0_HQ2eQIU11NgZU%cIcMbX2GAR{l0)XV>!>o^p2-T?Gyu{y%-uzKU{bN4}h!9_VFx zOog@kYR=Epg+1I`e`*2Hd(4GgQ}!~l>(-rut>G!3bwAg2k4iHrO7i1(c?6U+NXPv4H4 zA836axjzDvQfa8Qm@E{N{xZ%^e8d-nJPmcXYx!Nhaq)iHLx>{TzOXrVfVEBVrKB>& zKS^IYj~_w`tf$2=i{m0CJ9zY7`w*9*H_SkiTVoXHq2XsHv_-MLgjDYBDXm0);lq2; zZL@E+*6Wii8vNN+jI-uJRFytVPP`3+OZ!CeB3F}>nGj)dW{j5|H+~$hqxDzwga2IM zJ*svoUnB9Xqf+TC(AkOltv-6L9%H>d!ry;*)^9qtt+?r$^H5Ng;#~2Ia|E1Enj(Y` z900G2`8*Wml>X{f;;=$O+_kR0=UsJ2e^q!VEwi)p!{E>WnWEso^jm}*lSi^JIRc#O zJoVYIwk@Otnm{M1Ul8jN+EjCvCp2#)yy$}u{x&7|Hjw>Cyn^q_n&7VNcYkI!x`>zZ zN+M}YLRy65v`HG>ZtIMtwB~t|vL116L`L3mW|;YHy?0>wK$W9`Q1$dD-*&%X&;{!M zlTVc~hmr?4PkZmL>P4L$2S%mm&MUTFhX8#(w;rw$G7u_j}$h zR>22XIj)~)8(QJ?4F@jE*-Kv8M zSJh%D-XH1FI(1 zQJ+iJ?YP3>(wAW+U>OpBw9#-fPF1|A;l;!_UP3G_s@mT0zz?6U`LEMeTW@Tw6Pbto zq~~%FNT5Ddm#L<6$Z4B(4YKNueV*cdiRHHVyDHT zCQro_-5$xl4N^JnlB5Q*r1F}03kl9Vb8KlTuc(SYg7u_82_t^RP;*#ug^)hyx?DwNKgHa%-p^~m}?REuEFVJz^CUTN*GK7fVMitgqptIgfHW&-_? zJC#9QyGnWC#qY1SIk1amY+L(2F0QaJqRVyanQ!TGxhDI7tQ&h6gN>3+YRk&p>G+m! znwb{yi?WFdn=tU@aT0G=`t1D!A78qONq73f{5qMvQ>MG`t(V3$0u+M$HF>RctW7EGuDX@jK|q~|Jbrs z{NMkPII&gJsd8UJXnOkNv^4ovs!?0y{*4RWQ9ls9tWp*va8a}@=KuZ`$n>QQI_5J$~{XgEY=VeQ(+OUbiBZ9yGKi~X>`qr{v z_}plDNH_Z!yFQVLlg9_=N3N66%~`-)(Eztbt1lK=TK*|N1xyXMx1 zha-BYi@IzPsJzy>VQotN? z*I}{$$qx9RkNErHiAH;X%FKuTa}NEdyXpVD*FMOWR%(9{+|KUrcl`S)|L6bytBrfY zYAbLGRGfM0ubKU^AFs550ORNqd*+80z~9fDz64TTai@T={QKYf{4g->M)&{AjQ*>6 z{nw94?BBbKq0C(6E&p%t_#>YPJpxR-)n^^czlZGK|Cqnu|HSB4pI3sFqN0{DDfd`T zUTyTk%UU=MHua#?D}O**%Pioo5r1qjHl9Ysp_{Qj>}P$7#F^zR&8}HwY0d*Fh2ga&;RBbazGd1K4IG1U8OQltX8sMYLR;%ZJ%ah0xTTPU zSG-U*BObl}!E3eDKK669U{SqGLDV9R#YKt6I~T#C@$}<`q{st`AP3=m@oM;L50mul zCn>7zGI5g4vbZMfw%}&WITvqc0$Q}T1FLfvhfzn+p%=ke&n}KM$3SDIvYg+3iE=Oz zVBt&j?yqW(x~9`Yvhkc=QE5kwFb_GUyPjt8nJh$$7I|Gf_|l6EEjzCw?(?F_`3WE6 zs`Xi~wGUy;UIi6$XWuXXdLjMm-E~I`SRFp+#gudtrF1+Tv$f*kmvM`WsNi8m^N7pN z-Uf+YkhQIT#jsJJJ@=$+vxACgPh)E)+ZKPhpgaUxS8YG=k6|2#UL)6vI~ zg!bAfL>3lDk55s#!^1Dbh(@Jc6gqh1x{R{v7ta1SX@07-8;enu%&`c+$WmPWL|QO; zbK?`WVf+1i;-x|g=D86NpqLB>4r>cQ243eqzU3BfGnf5IwugFrO%*%+i{kx$UVIB97-x?$CS z3!NKtYI;V~4q=(&kD@_uicHv9QCu9E^Zwjstc?;p@h32`GWWdo!iv|*ulw%;<3BY9 zB{0qUx^?mHo-ig-ZmRzd$0&IHi`ta4Xh2tGNq-Mf;3dS+3POdXgjKmIu2)l;)K;`a zR5P-4oq}J>pGtF%LSZmW{31^n?FyUdqVnMD=!8=D$lkog)oPEZKV7Pumz`EkCQ0#r z1R-lonC7)&sj3N|w@WC8N5#PS)Wr=x8c<|J@Xi;dNu zhV#P|i|E?*QHutj@%K%2@kLD`wS@S|R%(cF(IU6o9YimxEP}fv&&i9*z zpjS5wO0cLi;SLi#wJZd}OkaLJru(NHga&P85Dm0#%31y>f{J=`y5R!V^}3DKkARCl zesC@rBy%#^X4h4)AwI6L178<8UX5=m-Jr1{a1H*^@%&jV1T$YdG?h*8qB2LDe63cQ z@TIz1W}3%TlbyT6o_(Ip-;&OTk?yv9loe49`wli-hoA*t^{1L2^_6>NtgTjycqZL5 znieb75^>X9aMv1`$nAqIG*(SXh`1AyJ`7df(7(2k|JuAKj>rRO^#biDslCsDj&xa^ zIZ_UjjLwl(G3N2jNS*@1Ru3GES5RUsUftUaCF!AY5))`Lt8i zz{*DpAqa1;(#U%dOiG$O^bIel7P`CQZUuzUs=S(O*VimWm!nJ-;ok@Xcb)*)f!U%3 z{0eDmyp>0XwcA%`OWWbygqisDECk`UVl{;7x#$c!|6x#)i)y7mzPlPhk7%W)5rVX1 zRDO(H{I?l;4oZ9gg*D3Y0wo!&QDjB)>U6#@83n;!!7>Mn?ta|w3z!(D4jHfeq`XN= z0gL~+I6e+a-*B-JH2JIO1;ORLR4nX`SUoSjtQScHbyrIPb1Gq4#^Ch1hkU_<~Z|1Bac=#2s zP3@y^;y}jf#549-V;zHv#V~-nrKamfMZ%!bPW57U9Sozk_IBq}Ds`yBImeJ1{fa@s zpl5uS)Z_(6gX7A`1O&ljG5ohvhJMsQcWER zUlVg;$&yrr8`LcXsP-QzvvcAtVIXsF6g`2fNy=Wgc~gjCJ+7VlfZi4vAK#sx$fr>k z&K-mW1@$MJLt3KQ2!UKW(#w-lUj@{P{t=A)KRb2bApq657BK{T9dDxs0jK|Q;potPzcm+%5@1B}?x9m?C zK`s@(O0V$`nn*VHt6nV$3uWDPAqzjUyi*yQA}Y3_8#LwlxC5&SGE(as0ljS@T849$ z#EQ-2qa~ED-b1r!ygt}eK7QRUmaaZeM&X6U0=4<^X)V~vINe() zsb=?PsH@k0rb2czXfX8F29;}#J9^2D-1b0D6H64Bm+IC;EO8~()xKi@qbtYl9m*kj zjr4oWezUioMez;$+#{}tbZDF5w28Yn7F*Kq!4=CaGCD*Cu`+@Clg6(Qp|o5YN}@7F z3vd|B6%}_mgbx?Yi4aQ0;SE{`KrX^1k#G(hAA-eI04{&Un|GGa!;&DSAsQ=1^+9(- zXdBGO(33KvT-=>j1b!Czx|1*oym$yVH=q870Z)X3GTW*lM?#w@SU@M%f zS%_K~j};7aFf59XyUOmDOYmq~7N|YHg0VAeE<=mD6p0b1Hvo0abbl{}Crl$5glH;w za&c_cby*8X6};$;PzSn*ts2IJ_P2#iR^?<%z}MDylW?4?&dTozGMjnTo2SM1rhoM5 z>$5LPSeuz@Uh30)q=5H2i4ti%+N-UR;~5*!=?4K!az*}OQOv~JklLZ)`cl=^gUzt^ zQk|I~6&(FRFzoY3ywEBt0z-1Isg0YMBSq2phPGz$F{^L9uvP10y6zOX|3{kr<%VsU zdc&&140Dg{^#uP$8DXcc`*mBdm@vU?=B9S`$u06QzY`Nzb9A%;ggPSt*hFJOX3YHP!$x}E}Ez16;8p!B}Ah;J4lE4LNLDW7A$JjABTs_N*Pastut&mZ3^ zP>;z9s3~ES?9@cjr(!{4*jx@mi$`6x9$9Y72U6Z1b;l?adLSBD&0!1j^yQR>NwkXc z=`W9Yf(_5Q3WkevV3P%Ri4PYo)p|j>pHFmZ+AP7S2PS(ii|$O z^AfyY!q5}eCU~0M^fYY^zbbPiT7Z=;Ogh@M! zaV5W!3Fk~frlRni(ABT14KJe7l416T8X$aXOm#thQ0N2tDElg{;l2CPg48VOusO*i zF0#{$Tm<`?wHPJp3PE9lLQ$`+ossQ`xT0gipbYSD_}7bJHQUk>5YR@GRji zbg1e|$f^`n&V5n_A-T&`J$xgF2|!7{fr1CF2^#(NMGl79X|M;#mVvK|G(};i<9wD- z%o2mE<59xc%7kaCaQedGwPqewf{r9xg`0Mz(^eELv_(9N<~k+g=#IL&xes&=QNkXXmE?Tt5P1U?NPy@t$SGUP z^~PRZPg9i}X4j}NHg>VkguQH@A(Br!liRYv8Wk$N9G!~duedhfu51?0rZ3J$b7<&~ zVt+!1_G%s5fVw&x3y#YebymT!Kh*m1aE(pPb3dY1{Y8+{T7Z_Gc_B-6Mg|5>;xKv# z)p0X69&k(3m&V)oFg(s!5#}~4rHWs412oXrrL^`}W`i@;QGu`C0yKms7toqIEH1X|^>w#5x$qt{o zDMSeb4K;yjZ+sf5yvbGg$A1gx0<{~4dhY0HCzwsu|D+SipX?_ctw7CY5*#3W>%MbYBX41k>SqE_Z7 zTpP*{ZE^#eGk~e+2uRrrsG&Nzm9HC6EAcSG6Wg=_z)aV^zY@zJU)~I$*>y1V7GO+O zQdc)x4CZ(x#9V$r?Q~lU_-j@D*pFAo4+g|4O$!FD>K5*rrJx|7P8y4X>27-<)m`h` z-Bs>b(X}|$ozXtDb5q*su7mT}f8OBEm4zGekuUak%!@IrQ#sw>YAi9H@DUf!@8UAa zutPLSiMY+0`TdCx4lli~TQ1qa!WV6`sKRR@QK4~@pI=xqoyk8oP=8%@c!S#{b$T|0 zdK=AE)-~<+jOPq(QcnlqV4~C68uZZfY3@_Ct4(^;cpjzJk5I(oUsf-4$ky=~jYn^C z{Qo;rrUzRy80K$4sr$`y#463w!bmsQdjIPo^FWXKoOnJrD^1Zbn}UfVFz)vq{m*gg zU*iP)SoyT$9WYj9V9iA!E1||cV#sl-M~}cbkKG^JdjBV1fZ$_&z$8Rr>rla!&Fzl) z>wAH&&)e!qP7Iq8GzwsBSq}3XTg9(1!bxG-rY345l0zsmLsr;r(hdBRmbd<@-atle z3|VP$LK6d^TVyPtbB1w-oO9eLyqAx3G%_rN(NSZYin9O^%743-Qd&nrVX0~8cuR63 z8faW{=u3Xm%o4C;BLvyHUR1|*N^9Um_X9 z*KhQqQJJ>JWx;DeqSI!a%)Z@#2i|YJ44`-*b|owcfz?#8G>6Gu!<$=Sk5d4IuyeZ6 z0;nf8#Z*O^p>DR`7q;Uz34aU50dubRd>jzU?9RXzzJ8Fyp}j_ZfKV=2c4TvJyldZ< ze-6cBqL@S%U}!PBoe=IL5VWFtaa>qH#qtg=${4jdZ}jRAV4&J#s7(=I!!{sl*}Y*= z*dv!pctBKx&BgLr7`4Qko6@ZTtXMDp@#5Uw4AEdP8CB&T-haV&qV0ii|H}(gO>+p% ze8UhOK=ffgh$9%$3u*zKk<|t;a0UvpDfR_m!u0=Qizu18-YTmp>4+uNwK|5FQK zGoybK2UsFHY@2)WW(*FnK#u^Z*6LQC*^y0>nK%G;_3?H#m~Zkvmw=3m^gmC-E^TIX z0GzN2u#iIb{!pL~-(~=N;vc&JHuHM`_sOPivt{ej28pHVjjwI;K8H8V)}BGeX0iA* z2q42azZTBstf=_K^T2(MydAOJv$;*ug9dz59O2&FCY{pbMkDE#}by+63GH*hcjQtkN7*G;_v2R*get;<#s0IBBMfM(3V*+onO;Yyv{>UwPu z>KTw!1S>DKt)Oi%zXuAQ!-Y#M3_Ba}so^wo+D5Qek6>Dd1_KFEK&F^yfNT`Gk*!(X zTw4Hys;6FO+G=wJrhD@-2}uUE=Af%eRc=eT-NtEn6R6d z)QrYO`7U8q-m8=jX~PpY}A`8Oh6+T^`Jz85)F7mG;>}f z!3Jn1H@TX?9r4S_55dKJenG`KtX44#qo`&1gKMUO<-yV+IDn?*){0@QMmZe48vu#W zKXHtA@{j90=*Jx&`t6zRb&=%S5`h4KdoYHHLX^)7cr>pY5LWlU#t4gx5d8=h;PqvbkK^*bY)i6k9WvfF2rl>!E$ zwq7GO-j>yCKKD`Rv9PP1`vS@im>C!tglZ!IK}zO2z_R)wc7Bt&enrP2XU~v8P2m9{ zzd4|69(1AJoWDz6Ywt56nuEwZAfc3n!*PfpEVCzGgD11&)0^{Q6xCPGo-uDs@RaZP zQmzY1?q#~S+x?h)1IR3duL{@^Yv+UVol7Q#q8iJDSLs~79%X^^V`hJ4Ba6N7rtroV zj=$qIIb&1N`VyvMS;7<}W^i=-k?n#;~kZ zV!r(*9O*~=v0>0sRTH9b;yWYnJbqp}#FR|FEs2r4rpZGHFfZZ zHq1A`;`+sO$<12NpVH2<@-uNU?#|HjYxe@yriU6)9Ay7Kq6soo?)b*3(k7ZKX$=qkKM zC@jdB3^^7BY#A%F2tYNlTD}}=!YAL16A5rY%8*q7iFK)=!D+5nC|*=bKIK)m(}Vmm zO);Ye(J@MBAU*7iNpaAz?QTYZ&BCX5R9p;v}jRQP|($5WJrG#8%88J z^i^3-$A8kB(jz>JD0;uAh2^!xDTpJM_m-vL0Dnh);qcgYYUz0gAdYxxuX+H5+1Bsa z+L|!ysSRaa1+Y(iy~?Jg+ddynC#wL-)cLLno?g~wKJ+<`2=23~vEV)BsUwya*ypwE zZA=N7XJOOP8i*LtWFBWH`U zIhnZJob`?^DOH&(bll)6R!ss{W>O?qy#~vV$mJLTd9jUkCJrPhy8Xx0nwC!+n`3d$ zrO)qBK9VX#sMU;KV#R@LJy6x^K&<}vGoWmUJT;lPm~+CVNWB;mTImGs!5-P}3|d2W z?5S7Wy9Q3e>T5Z7boyb&J)`KHi%g&)En2^qlTLLVARCs;O<^ zs0!y(ff?sSPiq}wB|Cv$#hMnMjK14^YcWaIe3-?8&^Fu}>}ex})Ux4hGZL0xJvE1X z=L4=xhb9v8QW0f9pmv#6RyY|uA-R5`)xiK~_P1s@-P18NEcm#}-Su1f`P} zWov~%_iX@T2zq<@a6S{w3)YUu3z#7}x^WXyR*wPM(V3(18xL={P_d*~7ZN`Q$~2$O z!7aZDW{5Yj0lnhznqTm(d|IC{8`cwIJq@fRLGyGTI2I#!zAsjZxM&{7sqkVFy@?*g z=^CQ&j%;jBN}->{k64Yr6ush7>k9)0V+KRz=}SJV{p@(dK0*^+Et?gsLen@!ZVj0#HvqH018 zJNkpWhJ6Ld1uEF{&8b5R|oQuZmA-&r2A@2TDMOui?KCfwbBn}Wz0 z1Ah#xI7K>HtD8tWH&ipI&hD?-F&gpMl(6A4JUL@cA)oycGR*lS1Q}`0biw1SC#;fe z-ia5Vg&Zok7b;pOh~h9{CzLLBd0=r$7asF{{kHO-EC7|Pw9KK|@C0YM0p-)A{pu5o zT*G5Pg|djgtB*!X8UdRnDt7P>?ojzTnBdkkwsQyPPQh4*Z;l5spKcs12-18mTdv{B zpVCv|c-94PKuPZWZZebY+?UT#w)lG6wUsDM-hLkTD z`kL8`W%1d%;ILvzF%s-@)&v|#-i=rITuHwzK);w68-xyY2fj zS`%qj#506XAsXg(o)+q1PoWWcZq%k-iK7bZQ zGs#r2P;4v2cWJp3SsPr38aQPLh?}gDkEaeTHD3)-NOz7&0CGT&uA4kT7V-?}bfY~i zxkC8)!=vAqY* z_wWK;GHj;mq<=el&E%MpnSX)sN=@0`^(58x5~)ZWV5zaYyvkeO4gp0HUL`wvMNd2c z7-aTgoy>c;+A_+P^Olwr_-h4{Bg7JjEp85hxiWoNkieoRAQahF7HijacjbafH$&FR z*>^#YI#ggm=NnG9c8eS07qhCDr?uxaeALE9QR2tJ-KKCJ21wzC6*uydA1t{ujRQ@P zb837j6ChG`b5Cjg?sz9@mA!d=5qpYyn^D@6W&lpbmfR`dQi^1|lMUGc(v&;!qT@?r zh|J1CKy$BE_|%ITqur=70-I?cnk%5C63yI6p+9S!dkym=UGK6opSL);d;sn*ofd`_2MBnu`h#)AD;h;a1Il>Vbh-3{ zqqj|loGjlUMF71gKZu>fiF=cYeNalVdD3|-C;EIUWP5$eA!xI7YUzz2{j{qP$t9vj zDYH?)3!AG#6Ya0C0h?6y6xk+K1 ze@jW9tiRi>jSfFIUzxMPMJOTmu-`YLd;C$HYJ?wO=vQFy1;npEM==oh$UqOZSJ;_3 zSyVSp=QWLhG6i4*QET!VOp)AUqd42!>1q)npu<4d&1i$85C2Rmzu@O3NV_6(_)v5O z4Cf8tv3(AGq#sMz8UJ%5)|owxcIxPvmoy%_N7wRTCGRsx96L~Z^%%JJ=3I@0XWbo} zvKQsg?eu@s4{9!Bg|rt*<_(>=+m@xjoL}O;)e~~9Qo0CW<}qlNu@RFmwEcobnD%|R!a{UTkDp*JykfM{KuY%L)OChmf+ zedGN?w?=v1dVZxvQiVjziBy&~Hf-%T*cneS;xkQgHA3%Z2iuAGw$wPGrxuRZ}6X^c;b~nWo#N116?*RyDy5w5O8j9}QyNq@S z?pwPAZXd@gPl}))%fL|6DcS|uoHfkS%`t5v*8sbmk7 zJh`jL>VswO=(Z1FLVcxWG5E5_Z+ zT?uJwZ8Z4)e08>(JK|XZ$4DcCsm+a|P&Nz(ZztX)uBRDNhowBY62^RqG%v-zV9Vbi z!=b}MBH9D0;2zqVd^LVT%Io<&R&axKmy0|^9aYCe^+Sv3t7CL?5=^wGIqq)rp85Xr zY;Nl0hTAY+P9_}KLFn^lU%uZgNt~`riBaD<5VyZRl8Epib3Qehjbft;;qb$A6;($I z#$)+?T%PJ_kr95|O+Mdl3RXx54jS2gr*2DESK22U*w$G$JxWB(G|2L!stSt%%6*0j zPcE^jFKBE6ycUKf8O0OH+zAeBIm267naqe1@C`@l`k8$)e*m;7;bM`m4Uqui}e;!5Cu=$`wMyrqTZN!Q543SSk{oa74;cCg^B6-jQ2 z_k+b6ks%sw)76O8Cit))e7-^24k)iht`Q6w2?7u5IfCc-PX&@WN4J|~8GJI`(w(eB zz86ajFRz%^1s_Zlcn|#ns&lx@lFcUa18K;FoaNOXKXd!h_p>qW<`TVj{GDYe6ADrF z6GWh{SRtK=Vv}#vcbYhnF5o{n&>Jk~$8ZGw*EBe@l8!nM#z&BFF|aC;_G$?v)NXK>c%IJ*-kw@jEux$6ZJFKSc}Px!(L-SH{v zKCbO0tIRU+F&yMfbIKos=xw#+dqLQYINLYUZqPVf!GyDrdO)q1+_9w{CByZ(;cf$udfo|I1p68wu&RS1c(-5RWsvJTjqK! zv8>zlZ!Y{XS3^7xhL5VZPf@8pM{GJea1yVXTUu5xgkwf|aF-SH_*$94qZO}}Gb<;S zdyRWcr=rGz)D>nhb0Srhg(9aJ9PuE9!I~)u_GPZG^v=K-(JcRuv%wk{He@u)flnq- zk$@*_9Pu3&sZF}a`P?V-V<`lW3xN39-J-?hzCG8dqrIpKP< z3O@iY{|8zdT%!!WHq?U>IiSfkx1^IHi3fR$n-fqCpmv zrMQzUF^JLC%V)V{nlRFkXl+mgtg5H@omMgF#W9um=i7Nc^~*}N3$fC8rm*RVfz!=Z*B4e zd6LDDcX$uFoN*ew6Ei9Vjo~aIwDrA1oLo*O9KOf8nh6~LD+oJbLjPtKRLuvDP7l3^ z`@!()cS)^pp>aQrj(fFTfeiIb!rsXF)QdBKdNYG&Jqz!M`8SETG_8zT~^EA<^k!W!9m=Qc5wK z*$CkbC{<`XYLi?1$}e-#2JVKgjw8aQqx>R`w~$LU_^tp^BV^??bU;)IQ5zuM))<14 z-^;x&syyW{iXUQ2780}h`GJ6xGT4NGoM|K*;rh1)@GDNCC&)^QKN~z=+EBP6KMe@8 z>*amP0%kMX@iCb*!U_>fm2^V2_DU*P$ar}stWE_#J4da$YK+>l!uoR|4dAT^eqPNT z6COm3WN>D*@C5EI!2G%8+ez_B)QrfgJ33)~;UJh7v)MYTAeT$v_aiuw5L-V+q_kQ% zC4D4)P{=1CkSIG8`9wq<87}damIC1uAoQSN_HF7PTo0R}Z{Ae`?d}7Cq_02%s3D_1 zkzePzfqaxrvPIv|M%7CHm|v3vl1q7KY$1wgtmgx2A3o?RC&~7A4aW8AOI(DQ81LQ&--ugiDgcl$rM+|$u11PN*14l|T z_-)v$7tPIO`6+Igk&n` zMz?Ln6izBaw%1A%-rDhdBnMFEJ}KGh4-nwOCAl_oBT4);7|cd{STbFhSmc(DNbRHR zZfy0$KkedY?Kyj_;*MG;2sor1z`-v3=2O;C*s@x4GqfCw8nTz@y^HY-OEhS9*Nq;u zF|^qZHs=oeaIUfIr1MeW*O3nieir-@$t|37a}6{Td3On&Sx{e>OGvyZ9FIOX++z>g->9q!-tb!5Xdujq!JsKZGSTagW@Z6xd2|%%#2X?Q z{9Md&Z?AF9u#y@?kqAvQ)ini;|BJo%4r?;)*2NW3%s66UtO)2R;D8iGKzh*;3rzv( zAcKOG5ClRGk)l`-RHQc%1nD46Y5*0K-dlix2mwL}EksJ-w_eYlnSJ)}`u2A|*yp;= zAKzcY0c~0r;61NloQ_QWkTSMOpF#QN@Qj+@F z&5{Q<-{St6e_aP|lehZKbmF_y=H3!3F9%y+Wj6rm95O*~iOj+jWP$uQ;oY_r9N&Vv5_ZmQ1G5G_v9!bw*4ThD$H@ya>zHky3pUPi{H zNF1z8kYn$jjGbL?490W`OC86T=4r05=WC(lYbM4}NM6g-e%vifL*8>W#M8Nrgf%8j zW4m@?Wv$ZCm+0UMGs6tYu81qoGItgfn2kj%bc8-m6;C8Kl5UZc@jLg7uKI6f5G^rj z1dGX4`t#j1=(D${X+{>+x=-ygDNw5J?kc)8(k}7Jh%C3cOG4H7X|6?Yj)Q`}uef%U zqQfZm!-Ji?mF)pxmQv87@~CV#@@O__l;eMehaJj@6>$uowp$`gp0450Q-5NJKPtIw znCq#rX8QfU=}ClPfO&f2d(Q)Nj`m4B-l0KSy>V?ej9?^T*Vk=miE6S4=+h!T*eWlH z?$s84Kj>r9#hNfD|B=^5isTsc{&r^XL>qRpv<|8>im^!7N^4kod)h^ALcJQ-@zIW? zm^$gkneU#E^c5>QcQ$qrR_U=(0W z`?}3DI*B(}VuGy8Qm*%IJI!`Kn8V?!efqXDVvm?QN`UG7q!l44G?cfa=KOP}&~QIo zVq4Ni`Q{DIqoqWYN)As>@+30{VuN3q?kp?7^-`Vd{RWq|*rLBX>$#qZ?{kh0P|y!) zI?{wI2xKbt%tu@ymbhRfHJB2N zuU*+`gVgmRAN%m7;#U>L2yadw);@O5yM>22roue`l0Vk<^?~XPntA6z^;NfeGKKlM4uw{-tJHo8?ltbg)A&HoToPVvM*@p+THw>hD!8gGW^*^FE8R zZeBWNF1WjSgW3+g6ZIhe74uvc67SFnF4@K7ff1HzN z5x@1aWv_K)y1~#)(N`6Zm#fxgA6T4&IfqhyOq{!Nb( z!{Easx}FCKOVXAvwC!od+6Y!U%dpudI-t?Msk_N~EYae9VKiUmXOIJTRag@u=F*?k zV|LOk0yVERn*m0@$eju%oQqWm5S>6yt*1n%0u`sX%l_iO=1gdCB)$# z_1$7kI%&#`5ITfx`QY?{!6k^R2MwM#iJu=&gg@|lvw4G(%SR; z3pnnD#(bJZ$u@uEEQOV*{JVKr?V2muGDAc&Asaczm^IBRZG&YR*2|yUbGkAmx|9Cp zaQSSlUNiVq@3S$1;>Qe@-wSrI@a{ z>y}}mGtkCv&V^oCl#P9*ClJRM9`VdF^$y>yb0_o8#W5DIl`lw^&pb8xEM``N^hJ5S z%ZqGL$`*lI`Vtg{_}ayvp^4@oz`|bG3r#G zI}kNOft8i766Y21Bu~3j?LN`(3I|I+OqF}-8<%z?Lja}3FB;9T(7RXY5}&Z5k;xO> zo!E-0N=5}*G$x%f%~AbC?9)*Grf=yMCw9^B>Eg-4yGHEfRmu@^(Ypn)nur9Y5cik@t?o zMK;M?9ksHR$5iC2XbmPs*-a>yp+dN>zGb|)Dm)H9cku>bf6ez>yMD+~4_nVMu1}`u z?_E&MmZ+?oYf>PbI3gb=)DbqvFtb8^O)8$v{;5u-q^Zn

FUywtErrL}1S!YV~uA z!>=w*bvsF1zg(E%Bpc(nyv+Amh9k_+lH+Rw$+K|fhDCqVi7{DHQ?rSJjf6KXA`hX8 z?0{^V=G4_!j0JWQrn44MT&ZBnhtX8YzAn*kihBZsxm7-`$!35y)2u51Dpv;t!~R zg5pYQm9RnH+q6~BD%n1jF{R#FdQDpGl*-sl|HP4>P8k>HB`RZ9hxejhiWq&b#1n5J zPEO$F&{iB(CtQ+#;G5cgI?{waujB1uuwU2Qqf%oDUTV6~84%w^F5@#x#2%n7Tn`R0k~1HtKry zWH$@8?gtL%=(Mfr$M5SqWPktG=+#$3+UHCeqM)YV-`MrZ_{Y~+U$gzkZ&jQG?QvkM zt;daZRZ4%oe{VMqpxH~hAK0kehZmBmYmw-t4eHxOF$hcgBCYE0wOiLJB_Qg>E4ftt z^)(a!`pi)^;K~k+8HaC>Z2b~ZX;>Bf?Kr%?zgJO;NX|LSc5IYn{{le5lMMxy>!XwY zr4$I4gxBtt;9|DHU3d+Q54hg+ETnJnwa@XvYsbtBtFG^o`SZ8HAKIrZ;VdyW-lC`18@XCx5+gE!sa(&1RbnAC7)?sVt#f`q62=)8ijKeP917 z@b%#qfuG*0p3zWpSu>wqhJDKu`~m@<)pV}b@Oge{q(Z{tm)hK?MwiVbpdzO z0`<3Ox~_7$6#}dG5b*d#VC~kXXeB?O=d6pJ{MU9mDk{fnp&nFMYOgDG_N+F9VSAIe zjQR+%5A5#1Hx9*8IztYLS^R8>@%}%2G5=sc-E>Fz(3Q)ca}APVK-9-xT!fOdZlKJg z4hToJ@QHP`A%citAqu*xO(J!nLV~7Vi?@>rKkV86e&B!g`+AQbd-Vs6l{WYF(-WEF zp1>4E#JXy4B?aL>hVsC_c9{}Ol4qM^9)`dy z$d%Xe*pPoDsI$hA#;v!9*Jyo&nMa(Ai(R)vi6(>6l}xqSXao=kVI04`DMzauc0$|I z51bX9Mkx`$KiQAnAH*%!8zH$-KM5S7AaTud0n+v%Gx|iw?Ww+^n34Ju?Hq_GOiW=Kh-Mr&}!{0yforN*gPxN!iDw!%i11kM@cZaJTz>6X21ua_2@rv;$ z$@l@#R~iqBo!O`v$;e4j^G}aq23QS8No%9kcldV%_`i74-1H~O{NjIv%taNJl!5;3@b`+A#-_r-O!hS0Q)J}WAbz_#;LvR_02}$ROW_nCbZBD#%ME^XByuZw zbH===K}{7<+cXq};yh6_W(QK-(aR3YgDD^H) z(ek)r)M^2R!tBK+{ex@r&v^LHZaFPPi^#%o8LeL%jyi2#U2*)4b=Eo){Xaibw2XCC zBtp6@)8l$(L1wEAW}viHq)!IC#*u^6cshtjVPNBTf!q%@SzOQ&sn#Bu4iDW7gAV;n zOFQ6VyXU}AN!RXoTQ`{6q=<-~rHjl|8Jqc(p~jIaPUe>_7TP4z_u*r@PZCC=;;gQ(5wQA6wM5sM!P5!4OUo}_kMk7oc{ zAOdf0&jfYrEv|Kaoj*_ZAPW?sCW?Jm#pjVI4Y%n3mit_PBdMk1F4AFq*JvZ}?Pl=~ zBjL({_;Ih}d~-`$5e#s4ZD_g`Xme^Ke-+}Upy|!g5IidL&t3k{PS!sIq>BZLv4q!_^mMIYP9J>t|v>T~y-%$VFME~&){$IS64o0$c+3Oos1soEqh3c&i0(ey1 zDLkX!B_=M{vdLsW+3iitM^0m}R3==mv|4%wOPyUw*FzVn#s_Yzu*@ zEtiCWPq`K9bvgKRk9?mQ{!n0e(0C9u?81n&y=`WGyltf4g~Wy9m)ls<9~NIxUpF0{ z`Bv*nxa3gVlqLqZC)c7u0O4=xgELrJ@5)J*yM{o*PVNF}f>vXUOqagI#tO9eFA!Jt z!Tw@U0m~de;ZzJ?7_k%JyBB#BBd~}hGWF3?xhb+Gp!!$GiyhyAhcHNZ z{5LM!jlo(*)hq%F>Vu>8aSDV}kg$m<`y?X;Msn&TXlr$m#Hn!>L0bR`X&%QU5foGD z0}gdUG3+wVlVkNk62Z&w%sxDDAji0b0$dT$Sw>qx8XAYl4>;|{h&9_b5U(LXzJj>s zdxbux>+hryE33~Ao?|9iZOIy8(0Ot06oF=d7(7!2w1nGIIys5Z`OU_YGldXNr#`_8 zw^+H$OB1QpGBbQdEY<>Yt=f_*U0OF}%zU(21#I1R)gMg*&jjMQ^ZZy#qbH+&=!3sZ z+Ft37i~A2k$(RyKEXdKOpc$t(_d3-ya!MltIKx0nV|BJWne~JDVISwAq@TD@h zs>euo^n?rKG7T67r{bWhGG$nm$$R&JkA%z51sKvm1TEI>+jEs#@TaN;6h=z|GhhTb zT}%J%?pdS?NC=WQK=l8JihR-$aaId(gd%WuGzt?MB)@d0TfS^R5aM+K4%4)#55ER| zXi~^}V&2TVe`f#qgz#b+SG_u1vqe5YLN-z6ncWSZ0WcJSeSBx_xmHNTq z?S1lI^A&5*&vz-qC`h+Tr^0IQ1dr9~;CKzFRn^8`^oE`Mt6$)EV@|T(*9uZ*G zOe&s2=~|K&=g2|bYtus?emI)=bo6u0o%v?+TF5=Hh-ShB=UrMnKDJt4oiuAR)FCr@#!MR31c+`eN#- zbn6YQ_q~dcJD~ue07&v;a%+!2HEreiJ_{|bfriROSa8w;>Ptl6map|@x z`h5k^fTc}PUjxP4qgoJH{JL9V32$XA+BdH!*HY4Z(gf$IAr`tZ1ms{4oX+8ElpKxJ zxgU2JL?hJmq*MxGskh2pu7lgP4w1B@GVOZay{XyW=Az@0KY)16c&;vzxA^uswW+DS z8R+wUZou*ZWatKqpm1-bggU-oTV0O2QieXdT&hmWI_ENFZB z3DIcW-uhLzDQgjG`MiFt4WIxv%Io^1D;6aQ9GGx$i@s~L74l_ zye7~Au5=5;8NxW$bM}kHD#!wa5#Lrn_cjIdTj{Kx#Lz1Q{Pzz$k(&0Myt_SXxLnSL z_z>kchRu0Dhh&QDvgO`_1_*&Lrz%mb6=*~)5t3TS-QMBMM!!5V42eT1&`fiXAvQ2U z;mwIYVpbX4Giv(=Slza!Qj2H^B{QzdRq^49-;jspv8b#%p@PS^+{6+JYprOv22w} z=hG$@KvXJ=;kvT~mQP`BbEDYQvA}{h1XX(?QmzMawXcVt@l6E3cvT9VMYDe@JN`68 zbDA87H^~G^x5JsMUt_TPn*d|T%dGiVFb#-&5&?J!K*aoTVys3R;nLGw|I!~ z8~vUqk&>2a1j2A|#hk7wPMptAyQiT^&rrD(TZiMc0dUjyP?MLrT;S?PRfdC!e+g7OV8mMUT!`82?^E&x8_BRK)3 z&&XIy!tK?SMe@^^inJW_np$wC>DHc=%ldHEq{TSH1)5yJNjVr&`8#OkS(JihSCB_v zLzHCLrzZ!(;Cis@Gw*)>&+731HncVaJXo-IIGV4!1nkGooITs_=RvNIXbX5LdPlje zcabHf(@;$uy2v7SBVF&V-K@X(uN%XYHhI^bM;b<9D;KVx!;bPQ>{y>6)1NpOy!4xg!CF$? zH)?Y421y;lWw3s42yBfTgHHebK>sw){U3Z~70quHwpxnzvm!>qMn8OoVdp0iM@o>P z;s5QO@Lwvo|LuRi8Hspzt6@s(HpqZ_{~jX2fiB_(?+@0b6xf_+%VvZ(Gz0CZ;vgcz zH8H}dY|ONGcX$$fueSN>65EX|GqgUQ2tvo=ZW-4`9hoEHd#Sf^(%xx z@oUTZw>&)Z*dH~izma5)lbIx&86>=iQ#U)Bs*4RC5WxpWV*-MU3 zQ4ft%DhEK+Rt{BGDQZ|)FZ&g=4bzaE#?8fr+AFR(ol)Kbz^AD`7#`$KAdPZ_=~?Dx z(2!-2pZc+I=eAL)FOuSBWCXu3@Q>xEFeBtVoO=KmC>l?Sk|q>R_)jj9<1n!!?#7Ij zjKTo}@F2{zz(YvS9q%wKdESSgo|q3NaF$ zn+gp6V7I>GzXqH$Cifo*BJrt8TT?YV3yl&?`Z{z}$a|3WX0N9GLJ>Suq%p^6Upda> zviJq`#Ew32cK;CTYoZ(d%)F`$v1bae8ZN6Y{)GZ0-A<`Vy((HvjPQ(VRT84N;E<-u zhiK>4mz22EC-^*>48j_2P#|fMJrA88qQT*VSd>Tg6TsPS7CgQ4&l_KB^Hb%JP~+{M z3RUm~$*JT^gz4=zge;v?TH4Su!9--O7rtFuG52e z`q4bT6&K3c%+J*;8f$%71nmGxnh-Tx!cXwOXoGMW_`9QayDBdpURQ9h_{f@s&6Yei zz?yzNM{H zI8LFj>P!fxWEhte0APFfl~$vR*|TXw89gowCKRT<9b42eMI)g}RcPrh{L!1QVnl+~ zk=X)sYFyu(uA`k#75E0Yy_t^)VDKNCmTr&Qjal9Od+Jou&L#g7v&(7dMe{Aa-%zUG zJVf0rXPTbJx_*81!bMmJpLYwg&b2<#S^^wa^lF7t`TZ^Ub>ket%TWXi~bu?N_O=bZ>IkYnJ zGEPR-zI<{(#Lg!8w5lJ&NezX8>frh!b zdyZ8}MddK3SfXheSO&>-9;t9xz)0e^O8Z z0=GvbO+R!N{}Qx}0ao9Eqa?mejr<|4knI923SI?WgC{UHnn%VtePxwFz{CbG zNMFaDQ$S@JL;pf;JGPn3&qM%PcJWawW1P6onXJT67dsH!#b~LIbVFI<5-JuDl;bpD$M9zxuTam+Nn{uM(2BqG?`0kmyg#2P<8v!k6-SPA^dy91K^cC>( zP~q%cKy5$qtmi=r$1~ON=|A$dt?Ue0UYGSkq=~F>5%`|e0IVt9LW}<9X3aU(q*jbi z9O}vKKIHza?+S6ex?8U8h?v=eUp<0^?nz5dDz>jOD>Lw+q->Ik4c&zEnMVbT7+v4@ zu1n@@Y>o#t*hc-myilM>>2y`LCWax8-ktA(D~XhTqI$RJD{=lnbKlic>hk8zr-4+KITy=jGm1Y?n^Z99P3>hqc*B zJPgb+cb_^l3LMO+Y-d}o`%=QFwV*d6@*|ww!}T@dOe*D#rszoG$7z zO&6G_Zl6bYjelpVR^K6cyW>XZ*pqzdt_I~rZlhn1kbK#8NigoDm-}*;&_8=blZJ|T z+~j9>e#s4?Xxzg?bD%+zud;n5pq+0iBjz*XC|O5=pY9?~qV&;>9E}`t=0zHai4wU# zpy}1V&o*gC3enW%9^t6U%3dNCx?xmdm!VGk8eAyQu5X>@p{TTG`LIOv5c~+ zde*Nr#44!rQ~plQimHA5nrxF7f6~m?F?aMv8Da|&D=-i!Bw=1jFgfmcjK2wsoVH-B z(j8b}vW?x5h4fA$pvD8OY3^vECD0s4pdpDl;IGEi`+EFy+&+Yye)yMm} zGmZB`0o3HD*}^=Y>SSI048ib=v;Q;^?W>MoYKvRgd7A)P%m{>fs*LuO$`ppM0J{Hg zrD`arwV_@3a~Rx>6StONYJ_-vTk-j+ex&>4r#F`#z`I*7NUV1SvCJHQAv)t~sO$^4 zpi{1ga=c-ItyOH;lK$mS&9+bOuAcmGNr)j^SuK6Ge?jBB*f9SIS%W&4Wl-};J14m@it+sUoWswoGkptK z_3`rwJmUD1uU2F8m&r%=R)OF>tmc<0I|h%{5(H9gxn=*c@6e=3Ls8e332PqYa{hx+ zgR{9!@*V@(!So+nfj>l`b8&z22r-rnw-h7S1Fmt&q=c;@V(P1Rl$my;CDO4s*39lr z%^hlTU0By#Csh~kfiJ~YuV1`sx?td=hQ2ydA-(c~{zHjfB&Mb)bW9fgm1QRD{8it; z@SBFlOowLXMM_v|F}6ZzpOQyDD+k41TVT|=5Z>a`gA;0NezkEB0?UV5=aG(IGwWW; zCihO4Le>`?A1NIdq(Yu+Dcy7Kja+U*AEw>@QR;F#cOqL^RO>?GrFJBm?c(fQRNz^pt4&eGGgKNwC z(Pzr@Ihfqvq9@2F)>JOtDPBI@nuS|nTf|>brlRW@=7|atEejO!j5SQ~@Ggf*lVQE} zSsG1icv~6gxV+w_#Ko@msoKwj7`o{iXHp+D{<9UYEtF`6h!KZ1{H>JnS3^%(Rb2t^ zMDBbRn<*6^uarN+t^Io}&lqxDsn4CJ7LwRG<%hD6LGjuTZ4Fap5g%e>+ax#nUPWCN z9n|(@)6qF2-iP5fm#$U_>=Q7BT*{(ol|Q~@NiT(Ev67AFtj<|SVN_UBB<5$8R1;*# zt(kW=VqRbM(f7e-j+3hUdZk&zaSST4%gD6K4Yiq1G+dsk+(M^6#g?;Ij~+zX!0fgs z$4!k!^RZuGtRJKkg%U%xA@B9i=ir(pFrAnwru`Wu}T`1RxLmkCTF z0b7+NwE&KSt+FIHiP@U1UnBPq%S^pbK=8$e*;}i@kDJh+C62XgyQs}}!2hXg2JmU@4;qPpgg^?_}p(u}dCL@mSj!SLt z!asY>%}+?)W(8~sw7|VWoMRBj!G_fcKE=2zU+y**c)IZAjx44M%?hoJB?Lv**37~hy=NG4}qCvSzZ=cI=8t0n~QENb3uC6uBNa&bW*o) zKEt;U8h{te+*Id^f)-;s11QmK195~cfy*c#8oAS@xPmSsW}xb z)reS4IOnA7j$R(%R^Z$#OF1B{{{4(Xzc-PUj99X3A6MHhkzq>jg08$_)pNuvprl)s zBVBDw^w_)NNNTn^N#sO@j{o~9u;Et^GcjvxthVO!o>=JR*nM^PA`%SdAO6mgQiMm{ z=ld+%BSbT6ERzfJYx7#HGY$2VcbxRwLSeWj4wDbJ642Ot?$2CGWS)iDI}^{?W!=P- zl*J+~o|tFmfy>}kV%04c+-xpD%!CrMM@WgZW6$JMQ?A;El2FXe*e+S~vefHcT`i4W zL)GbZtH@PNw6jy5b_?niD8bt2P+wXWF;^{&V^fwQ#Vi^n_gQl6Zg5@XK9O!%=r=~u z#0Wj;{Dnlz_6Zw;I18#G-uxt3d6Nm&GvXx&tKYF_y+lvn5Q&wE>gbeQR* zy9`d~#kjmhqi&K7qsj5*yQm9~)F~JjFG2ySxsM?0VkMP@I50PO4lMV@Ipf5%m|}-W zy^p+hIY^`LNX{Lifj_l1%aXqOlkqGsdKzBXa}5(aH$}T-Im{5F@*MtLESr0rp247q z$6+j%`|B5^_4?BY*!5Mk$AMEAI4SnE(=WO=^yoDrLSt6n&KF;xT~eo!I{Bt!Ie$4k zQ0?dds^?9wMb$kN7jJ3EOxm}d5yigugOFxJ_CfE z5<^ucM2;JjeVUoee6PB;c@S$8=nM79k8Oz;e;VYImA!MnPxb?SW*h3s2<}c=(Woa_ zYT)PPOj2L1GHG~>hR5|}RC$v12$B}KDLCHqJ1+_L6MkNEwu!0ZM~~Gked~SZ*4c5a zrdWfpC}GrV$Mf+ljw8}`OV46C;?2dqe*#@om)i-SoLWIG_!0?C;xrVopy^h11D3Zh zA}-oAwx>Jr7f-ls#uUx);JfxI;Nz&h^>>W zm1!yeKwp!Z@S=J$g*)-#@%{3lRs!3)(CMW2?xu6=d*^Qe3>*CI?fKiN%s0HZdT+$2 zUdrBC(Ox;=PCy;;>ZKhf9x!o@PrPoY?26)f^VlKvML|YpVx;{5%riMN+H4`yd8bYK z<+3xd=a|FCK=V-r2}p3#gQawOjTUJ z`RIGpfh?Ful4$C3=d^i}gA>jR=@m6KTMtAPd^)zAM))-gnd1CS$8e$Qg8~27?CcOy{m8+ElrEozTj6P(9UPBv0K7%eG^&KnNxmRo|wwx3zocvli!l;kaZ! z0adw;k1xb2498T4iblu>)|FyGhfW-yblg#MT#zJYpbsU&=NUdxhLS)gAf)s~m#3Us z0*i!Vjw|U+$8fM{Q+$cxOciUUvRleZ?}J{4Qp5pP?e{KLPpvO`J7a>*Ix`9YEpWcU zCFPJPM#AtNE0z9S4lst7u}JTd-yS4zpKZE4r6OS1dF*}krBsDvYYf-!Bjc<@QLCi@ z@%Khio$(#d0}DZUV3vv6);a7%GgOG87W9P~mhbWmDy08(dDM8NpXSx2trUoE6g>8! zU_^FrDl$Z+DNWc&_jLnf4hT`!E}Rk>X$r}vUcJsx-WBFHoIOVM$|xuIZ>F<8BRYdf z?rxbNb(Nl1uHsv&Krg3ya@odQ;_WQxb*$#P6ean&d``~0sa;!Cb)Xm$-v9 zefE?&wQToiH!%xn60MKII#=DANmyM{XDH!{w-jNgGsX0RBBWpH>IP9;u^~_WkMjPbNdvPIezABC-f?7PocL+@>yb`KYaVWyok6 z6U0&;$m*lhX&PC>otryz9(<GUVZ5&&G4eu4~7^uSBU2v?{of2H#L^m&;m ze_X$7b*f=$L8>V?l>BQ(iSq0%FB{5Lt|rDSFX5#!UHWn)xxB1;sT_m!4`S(BEmd2B#o?!xwb^DKu8%;DDR@IrKpX?W!m^|~)O1g_- zmPpPJnG4Pr{CuPpIu&_-!J<7Td zP2qMt#rOjNGpeZCr4pP%?mOL(E_L$h#&!m}*~6IUHG6>t)3piiYl)*WW9R5ayWD9M z$GCvS1sB`u)VSwflsTpqp3%AQ1^=?4p()X|oQ+;sWcs;yHDL=qzrDteOu4yqYXzU+ zCArKjw+ce9ParCaG`+_z;yfU>6=+qx1eT}mfha5E-_HoTQzdQLc5FeN$fE=M&Dkfs z=eMC2n9`GI+npVM2t=I&cYHEXR-@#Z8Xk=DyA(d@h@m`b+j9nEsTos|9Jc2zBbuc6 z--m^6`r*u_{T+Qnd#w+QW@6sVa|($r4|vc*R!-D|A%CHGhdZU&nx)B?)x$B9x;VnR zw6$59pTSh+DoFQr#m3cH$;an+7M4pMk1-c$EfCr~nUi-UA>(8ub6ZA*0WBAyET8i{ zRii$Q1!bst&+R_kT=eK_VaR>TpsmauF1sUNa@g;7((Jip)dm@0hKu&+Zp&j&AbZ4G z6N6i-=T@C~3dJ@ekbuI;2ws!?vH=)zI zy2zgK<@r)mdIUDCo(v;ber-YeOvZV}P_WOVg+jhr0?8Lfe$KiZp=yZfnA9Httoa0p^&9yB$;&b_N zu0LMWG^#UwGdNI3x`qQ5{I|Osx4m%>quASU`DAr}jdd@TKO^-b0cHB`>X?cG zQTn}!>D8=dvDOk8FK~%+omz%Qp)|e~+0?9$`>g7M=tN~VqrP@j*88`XHE?xQl5i+zViJJCHdX^74&XBJ+0E72`I+y-`+Lpj4}XOm-^>!r zVif1KWMx^zZcgVs-f@eVn%px3#Gn{v%^59IJmIK5!xg&;ohML9Eyv!;W-rYrid3If zYBt&TM@dl3<3zgn6bySWx!N=${c|6MNh@k2+~_oG%F*sj_syXnJkCW?woMaM2s*n8 zGRMfrJ?J>?j!Z*pEFG~6C@T^pfCjqJv%D<-JlDB;xvVV}F)`c1Q_|x3oQw&WEt3O< zS8-2$%N6>4J2rPN$(AfXEs%}9J8@+$Y$C!i`=*kk)uKhmu_ftw141Ek`DwO$lXfg- za8Veq*!3A{*0I@cOxdok)}jjQB=#cRv>MqcGJd2sB!;=f%z32FwobCs7BJpm|JY8@ z;>y14n$50yJIk+V;*|!W!eZ@scdN$WNSLYc4@{*Zby&2nNQ%y&wQEl8`Vn7ydWod4v(IO$iqn7Gd?;F6>d zm8NM3WZ4)!oo@Gf)@^a_6Dejyt$x?MP*HosA#nyqGt9Y9`e0N}??f4O!K)4WJ6MSk zub^M#8|D^~;dk9GZ*%8ZE%$1#HNiBR7Zq-VP|P6YWxYL~(C&UwJBm#^pQUfAV1p(g z7*6}pG%`x1zg^Y5wfy|u^dPD9Va5)W^8lRk+u%jiA9aN#U8<%)Zoc_Ebu!y(Y8iT0 z3SaL|a81}8rZ~0+wrzu!!P=Bn;V$WnnnUw0*STIdGBX8Fb=5Q!#4#r=>8Y0^nr3?M zc^UTp zRugaDOZ8PprZk>zl9>UvD0^|5*ZS(M<3-zoFRs(3eJB_O{;C$y#*leJ2h zYg}NxKn%4!)pU__)wYWVTI?%G!3>ct)wN(BAICklgJMmF$`4Z__1Lx$xjgPaM4F_? zr0I7S4Uv4Z(bE_oKa@<8^sR!z%|)zz#amt+@?b8}$uW*h;cs$3px@YwVoV5(jUMH| z*6(+KFovzJ73Xb_m}^}87P)r<#^?-Z+>)NWP`uwE;5!NAEhDf-!l-+r#`Psp%}@*C zCN!xkJh-#zzutLJ@8-;=Nu0CWRRkIr=YojQgNVIXHkPi;<*9BzLsnRGyUg3UP^5kj z$xmY{tV?KtTr!c0e>6%dz{oC*T7-Y@+JxIO7NR2v#YVK2@kMhd3{LXSdWp1 z?OgCgkz43+uY4PI#>9R6&0JU5j1omEQc>#JfG+hITEJiA)tl z(t*a`;_Hs^({5BhHYC{F#gMmsquZ*$at+fWd6X=&{CDV4Gdl|(^hk~ zq1jYtq=|KrNbb1I6kKu%K`?kGBPN|zdGr{iI2FUlpLfUWO$>}9{eIvpXKNs4 zU1?9aI!l{$ca;5gm$CHnMU+Cv=C|(UQ(+Za07XcIiuVJBJUuysPy zDDySDHP%$eClA#NwD8+{I?eNluf-LCR|P`xpI6$2;+qO4(ABA1jL?LFRIAueeghMO zhQ#C;7;sK4-DD%6>cXZ?T&12RH^-`!2%FVSy}GNMgo-cN=i{gjmTq=lz06)KWpnJC zc4y{=WUQXTW)iF0TwB_8%fOJMQ$QQ>8ZbjD&AH5?sh2iav4h1UWjw!iM~T`g=fL!o zCUxe@{0$WPMlq-GhKbBr6v(yJ+;ZbUqL6=14gHMWF+o&SZ-*N zdA>|a!v>v>plRSrml(CLXthEl|L-MnU)<~K$w7wgLQO_lB%LD6qH{hexNl9{iQ3_g z3v;J)))hF7cO!r$(ZP*uu%+pK?%= zd`A+DUA_Gh3herOSBxIs(`W2U6tEzKF30UQiG9jC?6tN`3PVgHp$`07YJ6Sptaq-- zP^YX+ikG2oz?AMju`UIJhhkdv9HPDGE? zwVZX7b?U-IL{K>1x8a)KT%-4HLuSd$$!-%o))G#(OcWiv@27T71lsj=*ra#21ek&3 zrE2%sl+Gw~@{#Lb#OvT@H|AJU+q7~8r!m(6-4bnjeLnBeXv$->agS5FiTQY3>MK<2 zsO*_I$14?LH5&K(pBu!|VG33H_zUtZewB=mT_Xff8F|mS=x@ibLTDa z8z)LccLs@c%k0DyU*&678H9xChk13b&cp0oFFIJOPi8|JjM(m2WNA+`kwI-c&sM=C z-&#ZoHm~*&nGua%)vHjHplm_S5)i@5g2K4)Y zo5hGFT*Wt3JAUL3+CW*bWcKszs^;FHKt{NTA=>?FoQDq|);X@@m20}t18qMkV2r(8 z9{caevHy5MM4i1`g1OCk+PHtDQ8%@{fm0Z&jY1QFb<(R3j2FI>(=c*7(8>>5izUFG zT-WEk&jux~iJoZ!^5qnHptz&~6Hun(_hqNT$aU)kbW1A&_6gpIF8P{Owbkev3vw14 zf7nTWetulHy+}rXJ%pVVXcGaqe{Z0Fuzvp!ZlLpF6BS{@ zcP&Av4f15|Giu-opa=G0-@-MpAbUm3<{G?!@hRxf&UJY1pz~jmWPLw`8^D$&k(!X} z7aBLAi0KkyXgKvl;)Y1d^|{d&Aj!H71G+~dZ8FE5K!6>hYchT+YF**xZ>2?e?2p=H zHx03~LaY+)X|6op+KXkt@Q$=540C;0XN~<=Wv*p-(}2wb8NhtTygC5YKji15^+tDn zq2%x76@5`r|6D?yj>f)a084fRG_)s?!Z=)5Mh8!Hh8Oe>ya6quonyv79SB#zdm+NZ zBIw8PAL%RqZb^Ii*YmC8hYIa|;hpb{MH($;TD!tUbt+*y}&|14HKvz%XZC(ZdD-@Ci z)msOb*GFjlYh$S1^^VY5S-MzS`sjhX*mp1n^>bIzF1P0d9iEom`=JM?d5-EtSOP11 zlsWm|U4Q@J(Ek-aw(kyqSdo|6Ewks`vWdI53b$J#qHsk_J#T|s%E-q@9LHnZ|9=(> zVqe)MHue?ykd$lh>7CdaRz&-YP?(R1{_sTr^Lw@tkTXcrP9Rnd5YDLfR)y=YSo*+Jma`2d>F`HT3Le#91ILEweba5Bei9!~Ib7#VjJC z6J$v9B&5E%jX$qTZSZI49Q*?bf~Tx%if*#NtTe0}sHZIP{X{@??lpHq<#r=QZ$O4ZBE*{TiT)2BTq&?x$7%obJ0Q8&Z(#iT zrrl-o@}Bp|1$m_m@h_1w@hOXvKqJawkv}E+?hCmu{{F>vteyQaAQOlrX6A^zt$@90 zii~7{cpfP9-Fj$u(79z-)dnp zw&h@4#r@rv_6;C2MmQ$qKy!5YAp@ukg8sXBzmDM>Gmr=?bgg;{BcsII&lYbU?zcQ*$4Ilx1sR{Q=5f&hX%Z;fR-cB;VFcws$cA6 z)dNTcA+vL1_S(V^;jC;m6CeAu+ZFa?9gK&ljX&?dO}g(t$)FC2ml_R96_(9y+?iY+|Y z$thhIaXG&mVbXL02_I z?pY$-=I2dOv@gr(H_4(%s`uAy)c3Z1Z+K_r0FYpxj@t$1;|Z1gHqlq*du0__{=H`}{d*hydmF%g@_%g`R1|h9ab>(_?L6VVh5g*kj|x?! zwN*w7SizjTBv%e>`5-S)l-;lbVj3BfR ze_21J?wJ3Pci#+FzSHn)GVVZv8zvvEL3pbP$VfIF14QLE7Pq!SK01E!SJKL;WDR{0 zq}Fmv&>Y-bD4ThV1*j0TF&K%duk#f&Jis!_E8JOV9+@5qk@4l&YD}CYu3VOq)x6KLkj4ab&5>%TlAhU=| z`C`|dZ8rZD4gTdAdePM5)Q$v)kE5_SH(3KJ|0cdXhsE`!)rq3Y0)%A?ABu`1fH z#w>77!qM(fD-Je>d`g*vIhh9)@UZwnW4eA|4HSqNQq7df^FtwWI0k;!*$YzfFJs6+ zu;9K(PiGh;m4I7Vboelfl$rE%rXOo#omwv+zaWI&yr;IgY5-J1c)#=FLm*B%vQx-N zDbcf0imW|uuCfMYs5W`EuweTUus}?JLR9;{g)ms=adzF1mk-WbKe` zO~)A=US!+m3%18TQm_B&%->LD;`epWgFfn+CqX?Z*Rrk7Q9G}R1m;an6o#Ikj5X9{ zV+}dK?fw0?VNU*&Vb>bFM?y$#7tYQE)OOpO%sE)!iC5cLX=Q*OV?QAAue>Aq%@ z`f*wJp?eV%)Yk1EBfZAKH7iTLS^Ge6P-32b(8>x~fky${!C$TCBxayE0f_c3x{zO2`cS!3J#k0N!c(pUTvpE%;FM9}?e4PsVb3my7#p9&4?u zp$q?HSQj{4#5G*nclXfgiw_0-_Y0{Me|y^P%Z2r4XXA2eKKCWQPC>mpxQOF3kCYy2 zX1w|-XN`>Ra2`R@ADIw8JOOkjIzPujWT{?d$bD`x_=6La(3A)Mz8fR{dcOl(Uj%C}cQY^QJMI0CvXV=Zk zO}Dow!my){>%JH8yzAN)K&vVE>w?Eq(lOR5P<=}vpiusv&bB@Fw~2sygo z!i{@#it4_{&r*qnvj2lEYj%)ezoez$(8R|9&gxw}ZI7md@GHmF<)%hh9!!q@{O|o;UTJ0%a2zS?ub8O%hCJGfJc<7<@tVU@F`g^y7D zEPD5&&e_J=SD|zoC%-R(2n)OK$_zGC|Kz}p!B7{)pIXlSk%-*hAMMJwA3|J|Q*c)B z65e^etViBU+IEY+ZW#349VO2ed|5`Q zO*n7YW*KdMMSki@k@Os?U=~@|2Z}`XC#GThPf1Mesm>+-Qo>!n&});h`|?P+?5>$B z`}1-sTv)})y3DS5kKS<4g#L+IQ!>K-coMx3-=ghhDO)14p^l`V7$C0F#zm6hp~znE zm0!E3Wflo%t$_ljJz~NQSzZ0s?kPpR)~}=5QrD@h9tfqxyLK4`cWw!gWrr1y`bkH> z7ZKxdivnFHXlA<+ghK zD-<~@<$gnkZhsE#ZW3MBz56{7{qQfx4*F=qO*sITodn(sOg}7ULz%<~0f}lkaPxN;m1xUvH}wG$rZk~&=6tiU4G;~?$)I{$U}l4Jxy$2MGQ!9QVu8%k z-R%#voNFiuHmx{uM}!ZYgCVV9@`4Wvpjw4OqJ&;4E#jQSmN5HDq)bGUcB(g<`j@qBrw=W8ol4+LP(NuZO^eta$OxDH z@sJjCR9V;&M+mTMeTOA92&KfP^UMIn$T`kA5pA>#!aIwpWeEb}qn%H1raqy{m2^v# z7Z4MF{^sW;ZQrU~{^>c{K>KVEXZSb$fmmGLXwY#0dAzOh_;Vvzb5UpX0)Q$RyDC7E zz_a}vcXwj6T*JGu%)eeC553?HfW8soGRtw?lKy2%J~*ISt)TW+uZ>!cQv0sM>cPCX z7?f;@#q6`&+ewtogZ?3}lr+}J`2n|Nw@tImLQvuJ0PxUkcAIE)1S;gCYtBHXya-Dj z1?VMKKq1Z=;@I{PRszPZdd3VfH@~$;u(wi3USSL@$mA3D`nH})k+@sxD4)8aH+9l9 zJ_~&4EOazP2U=27C66Ap%KDZE)x*6R70WSx+d;XWpvu54HK334Y67s1D&5)Dq=i{u z9T1*oA@+n2+gQ}=cYBPsWm!%jQd-dP;4@693R`5!>J=nig0i9ErC5#eE$pZ)hy0m# z15l~KsUJ0$Nr&ZxtpuOZQ7S0zk6MUbTUzh$7@=f0=Sd`HefS}QTP^9%9hf)Oaw@z> zCL8Z`#eV#zeyqqZo#Pda0i1oFn4^demA=X!?Lg)Zls8zmeRfJj*bm5BwBdyVIJ~F% z^K!VbTIW5R7}feGXV+LCaCPfhul!TNkwjdJ-{^mdS%dqBHxAY z8J}X)8-A*ySt9l{GkW5ni=(HO!}SnpgA1bTxZ)@y=M)6WOlF6DQa znV#v$EJe3)!SHrhqf{l273#2nuR5|VHJT366#bIF~s6v+<$$TFwI@cNi+ zvJSA|-VD5xAbxl#d8r(i|G+DV>mL=Bhhn2?o<3YwtUru2yj#o=qu~f0*!KM{J!R%V^_%MHcPu?n_>2_0a zp;oG@lM&rFq4|$l_&?WI7mfKlU7Th$R))mA+*ycpqV$7z>FJ!hCGTPy>AN2#y7qLT zyWXZ$l%dKVm_ACTdOP=xbwfAnN*X^#3Kma9zJ3Ul(d!Az` zJHIA?6L$i-8-pt<3FD-NvSroU^+SUrJf(Wc8%)1V#H@A>)pGiG3+en`hL$4zz;RD6 z?aIolE+Inw`kp60Fj8wN*O3>CL^YnY(4*5$mW`lidYc~^e)q^m8s;%B6i!|eo?)G@ z-Ws?4cGgnP_y(#b(EZ}wQH_m!V@xHckXk-*_{pTT@#9~cA=V4hxpnH*(vrbYo*M72 z9kW}@c5(GtJ^LCmrZFRau$nEA{E&&P=0K~p-|1b7qfG9@-B&6mbGCVMx#5#}7^HEJ z9K(7+Wo-niI#bD1;T1~XTH`E~&Q6SDqC953z0?i^DtB7TlUE)E<6Gw7#+8_PrJ6&& zq_%1-J2S$2P*{w-@=Qgt=-!cGOYgq@w~7Lx_1g9KwMWO*e?4Ent~tA&s~V^^GFZ#u zQ~b(Rz=7KBik&MlnLI2`UE1~h^g!p3-9HqCr$6&+U&u%-Or|8K zjqw$0$F(_pEu^7dQfev$OQ*Y#o-%AXL)WNC*<{6yL`sg=ergEhM+b-|?Oj+tdquB&u-&m;Rci|VW(Dp=7Xt0!Ro7~gZ;$6P+z`{lcv)zltrwK(HlNDm= z;SnViC{be9SZ3j|?eH@t#jAak8;#+XU+ei(HsD?F$XvUATpLpthpDl}9}}PYzkMPk z&8D5E_cIbfopNaoBu;VZo_k__5ovo2x|6 z9B>}KG_TrWIt0qs!Ofk{lbA-`ec4|^t52+2*e!y*Lt%L55;06PY(;qRu>H5*vR;eq zejt49VO`i%RlH&W1=jp!06W&u>e@g7rYkrW8$Yun%ao;Md&l+DR}+%{FUE1+1*AbC z1*L%fl+*vSn9p(wf3jJ%-|>i7W8_S7(6gg5NJgI6)_hrX_%74x`KaMC!)9R%|Hab~ z5oTWrLr#lj;x|G`jzSq{WErhqe8Ca5sfCXV3q7qg234a&y0@g4;x%asi>{UH-X8nq63F#npDKi>04VOM!$Q~4%`p?L)Jq)hTQ*~nVgF8;z%5wa?d$lR^7|9&zOdHG=bF!E3tw3x2s^Mj(%58(e zkP8bSbmPOsXXy)lD%iIVk%zGrOOh>+UKRv9Mp4VT$=!9WyLTrT;fcqS_PT-Lo=a`s11ks%gRh^ZRE(s zD`HrpcMa?+nannlrL5X}R0-uATp@ot`13>?ie6U2KE>ucGJliR*UujZZ@ZFvY7SQUy` zRBDeJ#_~vVM~JBMgQ@U|^j!MuH3Pudg9d&<3+c#>*5=#Ofwv}9+sEf4#Y0nT98*f-6?QI3sB-wovqzmLtVC4__Qa^NFs)gn zonDznc9Qc$E-=shBl0fpNqcPR^D=``sSeH5Mu>PWRSScgv{GAp9hr#9kyhfXX{zka z^7}Xn6p>X9Md!h%0`J1AI7PFdv7Q^@5g_T?x2W*d~OLi19-2$J=)o%h0I zRbqic78JO1O1K<1mOBB@PYbDr0t-)!bh{~nWft~#&! z^j(uucU@@f{NngrU4k*At9;6bBR9x3?S`-JJoAq)lhop_BS|wK zyt~~o%JrtZ%9A6dGku!ZgO(#^GMI*gvWE))N>6Bnj7-G2Dmr`@TTjcbdVgCk+}=Np zN>R>A40NoG!s1-7-Jel8JEkk|S(- zHJoKFr?)**EgazE98DgU2^B9fqD$@u^qiofqHdyughEH;(sb)?bNUuu=pTvoUL-8wzGRnfqYBey|H z%wuUnO@X6HKxc!xqOp@EgwfrME5E;&mQ?XFcAs-3quqq_b+=pzXImFX<^A{2R!?;w zr7=fNmR37X>(xY+G23B3Dtew0xDDNFjC{Zj6BC*oiIw%@y=bX%eYga|rcJx(cVqr7 zIckH^X6dYjsYjl$*NJGoh4Q1ITHIL_bqWv5prDGY-6Q^xysGh<3=AS z>viCU!mNZ*P$!9%Z#c5RftmUMCz4;7xQu41laEN&t(bN-Hp*&nTn?D5(E^sH@+)>}ZRb~Lk~-aS3r?lmze2#6aI#&xfd}<3Cz1C}p@gqWplxZ@ zG_VV|e&-aoqy7`di4>(FO46fhDF}H<)-@U_6jDlg*}qXznb)^O& z@w;k6$0)crUqARNwC_?FhYU4dN{wx>L=^E4A}cT1}W)25c2WHH z;he9I6*Ety0_(e=vx_rege~eIC}U+9td&nQC4l_W7$I-X{!cE=bn@2dO4~`bkQteMOt=Be}j#A1x_wympk)5Ou z#;cFdvPzDP&=%h}UO4tGry6^}y>eF9s6CF^b*GySX|J zFQJzQo({&hYA3oyn?80k%H57SzL#2|Fv9l>nJVElaui*(SW1rLm)l!Ls6n>m(SdOj zojZslLv?M=gYz;%BO)A|fj**Ke-Ax6&iVURL}%8pk;mo(*#p38Xe#8rw5>jE_Efo% z`ra%E6OwwW4Sb@m<3sRhDtm z;~F{>w9m75ZJttJ#We7}VpYX|5FuKchKpFI%OV&B6mxhnQ@2{tGmfvJpiOyN(2zWS7E5R8+LF@0g(xz z=+S(S=D&6Ku&~dXk_!9De!c%@)=tZTf~ZMx%uMD>FRj6K`VkDOt7?CiZN>`2!t_q% zo6m*x2RR9D^nz{?$=ezCeB&5DZ<<#1nJU@}=A+w}md!VJLL z6reI-msVJgv-sgH-Br9Gu#|gk48}C~+Smt0OB6j{At1@WwX}Pm=b#xo*}YdlAwN(O z1*diV1?%V`U$a-kR10$(4}DsTW3DO$eJf zO+2G=_v0Lfqv+NwnJD)$b?u@VneH?!BE@?}LyJRsTqL42tKx2KAsU&w4R5~nJk;&J z+N0#|$7BV$>W zmz@?i{Rx>}ZjsBZ%Y%TUBS@tkyCmo>mD||qUVPSrliYf!#g5imx^3EqU))a?r;zw8 z_Hs+sZBcyQQ=$c}3-=gg53dlMs0|VE0)+>k2IL}Z-HY5_H-~(Fx3aO~T8qWAnc-Tn z1o%HcghWU4TyF^*>`S~sEUC!l_*)Zmw)H=9zGsrlVGF3__N-cWjEMZK2yNq#BnU}Z zDM}`XPqL$nqY-w6L8>)0C<}S zm0LyM#Pga(w(y!2a6>C4(yD%Qo;79K0Bss(wzr+{I&8K%>$;piu|Yy;mf6KKbS&pg zqAr9wTW^D*4uo@iJX~hJY)NghjC~~ACe%vLI!`m66t&U9=$NBg9W((SZ~9utesW4M z|6(mJ$Usgja=+b`>%tVOcrU43Likq4k#dS(Nmw|eY?ap@Uk(gwTgstP)fg)(_*Ftm zm5mlTn0TQ4ULc+Cc%Ng4M}N0)#9&e7rR{i)+|CD1q~w?-)`E^vCc37Fqv^p$l07lP z@wTlVrnVKb5QsbnAzUxa0}EhPZd-X+igzL%TGhap?rhX_C-MpFvHE;GLmfkQe)Z17 z(r2?$96Z=NRg+rRJn8-Rh*%%p>q;EaV&AC&8wm}mNhcLsLs>y|)-h_>1a)j!rWu`I zBBN!w4Bq6+d%awSa(vyD9u-qnnVp`WC){EXFoP7MR!N+083u{c&#LOLs}eTOJPMT9 z0BRfQl$k;mGR8s$r|<}P0pkJ4inv>CWGmO&HO_LBoVIE~o*C~Sha_jLgdV8~MRg2h zr5G=VXSqDLIJqwI3nOdx#LC$ExV(rzaw}Z-qfN z?IC_oW2IBoLS#<6zB`bXV+E3vx8S#vEUs}xzw^aDGTH39g=TvkVC{ED>7PlBOiHtu z{cfcAP@p9GwCLuBYAq_9?5K@L`H2CqhHCh0J?R4ing5gFHfPnmI*RhQWN>N8y4UM1FbZCDomdW2s_B9XEa5i^t>L%Qhk_ zmqf<6zCZ>#CkxZGHX7kr7RI#iFI!F_t&@&CSE_;KM_jvBpp|3D+NdpGyK;2>q=Cq8 z4=m`P-;u*@*-iZ0Rjms=%S$v&SMIW*x^u;cQ#;jSWV;c6cbUB9@FIo0ZZ1Vfk==AP z(lgjS3hzdDOdD*ytzer=kYC|VFYk*CU-mrt8deZ1{$K&j7;-r%YRmDtMJ6fvEk>|I|G7^{2gha= zpj)@5n>4|L+#M@dv$*B<3puHX6~{T5?!mCH+&Yl~{dyI-7ZJ15Y-0SEyJQ4A^qa~{PS76EP<^F7wCdYEY>B2> zULgp?2%mnT_*mz<0m0hCn2O~ibS zyp?r)AV(j2ylR4RgmE0C|0L@8^ofqbQ~ou<4Z8u^YW_xdNZn7E;Iz_$7t?~uKPOg` zOA`CNd+o&Y2E$2u!_uzFa`Q)?giguc{Ryjnuv=joX25PFVR~Kk{Ih&2!a=ArW_@^x zIU@v>IAWwfoQvKv7$HUN>=^vD2_lYy$iL>IQ}ebMlPWCF1B^LrlY>dyI=H~zrd+^P z;w|{^YkwO?O(?H(iV zOaZ+6NX%r4T6yte1CiI_eh$rpS5~{plxNWfI@Hgi99+B5Ft{uaSlPSNJ)P&gi)MGF zTzuh5A1+NcHtH{}9OWau3GeDT$A%9|zIyhRH(H!h%c_rPdt$$$%#zK-70ZKuOsT}w z#96`2Fd*~FjQri0KtlKSvw8VqJL=zrbkc?N-8nqaJ4Foe;nL5SYE4=ZCx85+t2nV)3}#EJDtTXE$}Z(nwH zs!3vWu6R}jt(erp3}6w{W5U-G68ml83fWO0M*>T^pK$isZMRGA3+5zVE?r2};Uz#k zd3yZ8$+#6^->H!A-Zdi< zqaU>h73M>$#e2soW}HOFx;0jQbZc1hin{UB!!^bhSSVmTFXreN=o-OQ zh}mevtyA{SQmM`Qd(qmuzyB(WkO8Uc7&+Fey+?v71+2-3dwPK))PaQH=j#LGa!G=G zIW}k{;ju~(3`_|l9O_Q@EvvdE6$bX+y8h#^ey@A;qrtacu9YqhpE5Zj>ohY)9#^I? zG#~_Wzw7(dEQ3iBtM!w%r!5>jY@p>K46s*#l*IPtoB6f~Qy%4HPPjvaz_%dl`8fYz zgj~I)2t}1kERo0ntd&`+Hq=Kj#J7UV9st2sFj9z$#ZQ_ozfJQj`$+1tFEx?KL_F9o zp3QQQQt9}VJX2f`e_UBS-AOE*La1Y7xqQX;z{7>o+V{?MB!8r05*sEPOg)>pxiSN+ z&Jt5^f_|(%(b{-0Zje*uap3UDklJ}XG$V^y zxBY!J1Vqwsqj8)O_AU3zlqNOqJAr|{vn;tiwoBT%HEL3d?>SAj=#dfYrsXjejOyGp zinD<8L|(Z}1FQaQ*w^?+p)b|Sf&pd2p4tyI<-V-9=R3(BR#`G~*sJTp!p90ed8w26hU>9t#F6n1zkiLem2rqM z$Dcf1uYx<6iC<7;*P>f|lEwti?wYlM$I#ch|2XVm^zSM+B_x-GUJ$ft%~NN*B&WOuxqqugG$y6kSCAL);f(MF~u=M__? zhsIt~`bzKXp}~y!=ctWZPr$OXYP$XpD9H79x`3zPad11O&D`KaXi%=xWsHI9mkK7_ zq=C}{%eMSdnh9Av>>u^&&T`8Wm?F~x>?1gk*|CHEtOnwGJSW`b77BJmNKA7kJ+XwgB=&DZVUweWC>+n$nN)055-ctBCd#2*m zfj$gn_sRaRx?HF*u_y|BVOFOanM@BVQ^rK0`4Y(L#MR(s>{RHFbWrXnH|4WeA0l!_qIQ(s|R zc5LP!re;r)SyHA7gG>zk)zx10KI;cnOs$#St#_2`L!TUiwWMLUMTr9Xw_j~UIWduQ z^6dNMEy_z8CIpQW_dT`C{aAdSz4=P9}Rw^$e&OS+@DNK#2UqHJb@}L)qZFA?-US`^dHT3Y)h1 ztLt5fW^|On<}{|wn>Hnk`>`S{xZaZehD~*k#%O34q>G*8tKwj{h05r<{I3BM5|Yru zM7ag&ki^#u$Sdu2U8kMrRpG3z++i};JvvC)^cgK)t`t{5B41W?ijROBx9dx0z{NU3 zUo|M!H0kO7e!Dp?xV~J)rB!kH5uQ~t=}bvsbpUz8_eM|Ep_;4;6NB6?=~*Ao>PRtA zTdffWz5w7sPf#h{V$l~P1@eSq^Dd*yhQrQDtqI)4swJs2-Q^mJA@%r(sXVx8PY2Ga zwpC^+2*Fu5@u7(_AeMElO)|kb#u5n%tJvCPMdW+5B6kPVxE5)|!xe(hE<1mJxr%x+EuOi7_M@XUxpKetDIS^2=-& zlrOr9^^-OqS=T$n+Nbp=Sz+|#+mqGGWX?|d>P=Dp@|G!NHl0%f!BMTqC|$`Av$ZDf zOhORi(|I5IR%uME+-GVEr8#D|NfFvGm>}`Hn55_JbUcpZGJc=zU1?M(>%-rTiW8$B zW4^gXIn70CurQqBN9tHGYE_uB2+`KU4e~y!y6#B4hH)_K@9V1cOOT|=Dqxv@GZAOa z>OSlH1KL2;r^;8vZsLa=3@l-w39_-sc^qENDQZrA=6})aiOf87PieHRuJQsM-jLQ` zRUXRa8-)tx>{m`=A>Iq3YnAnAcE9(BnKh3s%=vlkYpMRU^T2Y+{^VAw9&9}wvEcHI zJgLRRn%`NpKl4m}`TPgijO}~~y-)Hq=9UR46MsYmkde*x0mpvqD-8wn(7{rQNV>1k zJ~Xf6a}O;PLnrVZY{y-kuM@~)nmJs1mEdy;#_TF39kXiYw(eI0E|8H!%jMJ0-b;DF zh6CFrXdZ8?STYBmO(9O$WT(sQC(5ORC^bcd%m=?oZ5Z%yG5)Sq^Ue@nddqvYO}@1! zj>JxsmCqeyY0U3`lDJfsP!a8o@bw}Dat=@3UVM?_-C3#>uQV{uUrtk};|-3S<&DNl z{$YnMRE#_48CG*tFZavT$iEcNv-uv;j9Q-= z2sn^SANEjp9NIHAbnaHkKgpWgYA2zjWE-D-nS9@LXP|NNM)tGEw(Iwj-MDP2LFfD^ zxzWLO(!nsQ(uJ~3JlK%a*j26)uoCYQJu^ydrJ@~BeMiPgK*6?56{rMh9zFC`iK9{lL8&)n5ldxax>1(oc8f{uGA1vC%oyQlLcmTS)E`v-g$w++PF&S!Tk# ztF$UYBA5snezJBrPtx5}PDah~XyTUGe7E!ULJG9*^CoF-#!dG6d%6-f@_NHS#syp3 z^w_o6@3uW~ap!RHHDmb3Y5!S`6@jAOrde?6PijzDg8|vF)Fxi@j9|7aRWWBC;bp~A znkoRy1k9#=8z|88nrbv5UVHB)({wam4_I?Lq;e)vi8tnlBci?}%TrJrRF8)J)xLuwEdg(KZLa^7M({;eJ4WIP8&tS6h`mLH zS^Q|vqA<%}xOgp^fr^6TsPZ0z0~iLh9DUu4hmKT+v&QL0$WAnsD}4!I6I7mhVa|IT z<5q2#kQ#@^RqJ^P6EoHyCca`dYt|rsohoZcgV^w3GT)H+$D7d^y7ZoDDLga&7IyU< zyP0?qx5%aE7@mmE-l$J(Mn~B_(iY2qy0d44(Xur2G7B3LCyj(ySf{Y|@O7RM6dyyQ zUmqbB(!N6oM;MlBT;)0xlPoJjy14J~Vm;Q#>NL5zs@kGKBL6F=g58yk5T^pjb%Ho! zeK-kmBxSt*|D4~W-c~CV9iurk%z2T*uUoT(1u4M{R)T?eLv@3eynXw&iUNTF0Z>S? zc6~~P{e26vMCNIMc91XrZU_*0%O$bYK~qsq-+IW0J!}voE~S)BMJm^osYqzakguhZ zG}lQQa5(~13Ueh)#IKpY@m)J#V_L=-(Dqwd>y8$PF%gsbDLK|2S>=v?&l8XyTR71{ zQEL9l*S@cJfbAW5Z8$pbuEWSF|C8o6d9ve^w`7T9dK4Ikj*E!`4t8%LFExzNI5PM9 z5m4o1O7*;dW||w4C82-nFY>eVRV5*){PigMO|SQAIE@C9Dt|M;U*BMQL_g67#9&(U zTV2ucj(Zbqej1*^^yQk#9WKw;rBD~kcD>_t>G1alT5l~IXm|K(HAtFj&dS;9N8_*C z2+eFNq?f+VckoeO_ilr#?Eu}=5LoAqbOZRj~rR=Wm z-%>J;mA!5`W5vvG={bIPSZ`*frJkzo_5hqU#SUs&3f z#q&7KM9v)Ov!hXwDyiE82nW`LR$bg`@6uY-bb8kYKsH0=295Nyj%G9{aIOmQ@0Lr=M^Kw(9-Lrikm0YV!~dV(=K?4hw(k7w zr%9h9YTc024Qsq-RdC@y|7!owaVWmvx3<^YG5p^?asO{Wj_D8qhq8C)e}35id9wd= z4F3Og!2kzCg*!Kcgf{X&z6>A^>e;Og0DB%;0geolCi8GF5a$(2F0=S?yyz4VE0`64 zy|?tBn%B3+x85v}`PtL=wP#?lj=k~p#i%TBV=L010-!=p#{n<|TQt=TT~$2Wj?kDn z-E{kjC0Ky_fPb*;uG$e8D=FXsAMnMJ76WhRL%%3(S({zJUoV#AU;dGY8+tR8oyQR} zIJ4IAD<)sC6S zUBxI#V5`NqNY(0DmIB9iTYm=0v*Zi52^QfpS%pkOHM{*Q1ngKftCXa}q;we{OfXzt zM>b%NEa%|JMfy_~*I#^+{+F~;{}J(3k0({LL1Dd|Oht;|IrRb0dW!jAD#t%_6#xu! z%-KU_$1w=_1?MvO#V8$hZ(u5pk&Yh8o*&v%p9Rr`O!i|%Uw=scD^)PMPeR7#bT{uB z_;h;T+#mMc9yd{%1$t$sWZ-vuYP_;O0z8Z+diiR(O`zY_AZ7J*dRh&l1?+dh-<0!0 z54fZx@gV2Ph+_(PWitrwt)Gu$v=Sx5v;kl5uH!HbNV^%B?DRdvfZ%PPhd0ESr~AvcjbUSjY1mO1FEO`ckj)F3xgtdFsv zi^>3ANVlZ?-_s6Lm-Spd7c;c3dj6RQm4+=1!nk#=2L7qQ4aC6Z9{$<9y`Hf{1ZDYB z@GG-_>)>sQ&T%Bp=CAi%AM3~22+#|;!VDU@`NGb}(`n>^Sl}{+n`@?kNEuG13Z6@< zwfVL9H{5@cZ=yZcLoUe8sp~H?4^k?LUm|G_XlAe1xB>yr&9wy*VDYTeIGBW^=WjaP zh*<=`sH5^h&u^iM%we#+mCR0G z8kzB>qwSLyGG|z8MMk>MZUxnbTk;b;`3&Qp^lyyr>%>q>Z35gtY)L*Xq98Gl?7jGs_ypDo0hiCFV_}k^R4+(87f#WbQ z5KOcG?+DtXO8g1!xwrzFycYZM{Q`_Jdo0VPy4H=Vtx8XDNBhYVc_f*JN_5V}1M|HH zs&MwCV?b4>{pn;|Al~pPJwN)J^9}RcIc?Y?db3j3Hg0d|E)|g;eU${7nsPrNE-(M% zrq4xkdh43UI1*OzqZyEq4y!HcBn*5{)lUYpnSSb}!qh%QsjWJy6%L=EYZt6@FUDaG z<3Hcn;yqHZ9FDlzl`xaughu@V8;ci@bC6{^IbrQik&2_mByGfJar+H9MQsDi1|uym zsXY$o0yR!T>RsEJc%%#VCj`2RTZkmxL`&r@o^J+otX{^0L?B0q= zK;znfgG9IgkU(;%0zv0*tUIBCA@BLaV+dRy{<#tG0(^Gb63H@mr)s~sM>5ERutTSk zv$@Un(JkYJW_T~MHQT0Vw``|_x~-}iMNqON9+|{Va0F8xC|7I#Xo5I-o)E*x;9T(4 zH9=OuQLjmkRbYh?8&vDd@r2 zTSsD|<=~S!f5Ho7W`yv1)2pyO0o-Fb_ENn)s{EkYaq0U4r$G;5OUe1RrNSxqc02@Y z(2u9pD0;F(rj=v<9w@@qn@Tu|9N3_GZHXW&r#}R!%)-v#0@%Jw{Fq>%A${9_LJ-Wz z66B^XZ4_yv;yk$T@wd%5e78_r9vNYbQqPDlCp8`ieY|5exNygE55 zPm;Ght&QNWP%!~=UjZuve$*S-ilESg&GiqrVsH#QS6!Welv3r+n2eyGil<+O<`?vJ zn+X-u$*%$`3Q=yM7Fq*50?H`fbB?`VPV!HmuLvLh<8LBv}KhS$dF&ZW17!EnK{_<+9z=Q-udH)isM}C9HX2>sPjkipY%J za6POPvntjIZ<=6v`5x{1BNtaIDEoiot7Q8x8>7V>!;<7@k)2SzV42vGv|Rr|Wtl*` z`e3Y0b%P&kuTtj0#8j>$J?D3qi0Sk5C@JOb)RRS?&-Apg27)J2Mj=+tPwS^3LKb{# z`TJy0pWoJi%`OeAiV>}xMo}jR`G|DOK#bea<92Lvd7xW;G>(Qpgo!{`@;=g!Au0M(CrW-~Ry(d)Pul!aCt* zyapihT-Wk{iBaPPW{pAC$nZ)wlH?LO69?AuJNg`FJl?MS@4JDBu78DBr&eZ>*@{mC z>CNq?{8eC=EninedVvTut;Pf(xWs*cFMNZMB-mU5|%tV5>CIbr9Wb8?&Ho8lgm*&UOexF?H@{e5!X!fO02XKSEf8H=38%Ldva zS|lJOSf$Vu+ETgK+S8{)qx!$`YYdze+&>lU=+@5)dkt@K>}n2$+p+t4Jsx?^5tasm z3zbs0pTwk|bYlaFpDJ~+3onQ5sN_KH4pOMMZDKrqx}8YdXia?Y`XkROWi?MP5={ z_;_%c*@-S)i^FJcn`4_r&dj_qRo)YA28#Jy(Io64Lyy#a| z(HoR@6SamhNQxuI<>Km)&q$of1GzpOcSoy9Q<{0^%Fxsq{^RQ7fxH5LKHKZ~E8a6^ zliMbmtmd0C^Ff?HDuU}+g@v@P6%X_Dhj@uLz2)iO<^Ahh^;6@E$ z=a_gHt>r7sB68Vg{HNvxo>_v(IC%D&HJX5zXwv=%Osm->ZLSg|GArc^;fx_Kf&+aB zV1}He6haV{x`smvCkqjeB~vCrY0GV6KV4lxtvm^!>S4sKcYX8EI^QiCFtx&(kVW}_dzI;iHrpNeYMkv zFek7V2{*mRkY^lPqhzVf~+>y1^vd|uQEF_fezyz>^UT^Zd@j54>2Gv6_Lvz>+1R|b2v zx_98nY@4%=Vypw>yaV2_cD(-*@-}+@(ei!2NaP9U?}S%%5AuJaGQ8DOxssXm#U`B^ zZyY_|I06a`iLocI)v0C0|pQ~NSE_1r(EK=vDn`y%ut3OyOVwr6RHZ_~n6X-p% zoQ135R)>UuNC8osJ5K(+PaR_-jr| zGbwM&Jd)HR(5;~I44oA5F~;qS==Hr#H2&T8Z~eKK)dvGShm4)YXsBWCoW&#i$>Pq# zOoYb>UbhbD@IS@=muchwmZQxSL53}s9fPRn@w2ZrKM<1}{xxOnEJ7ye%17zn&2bn! z&i1&T&)I}1lGi*lOP(^sN@Gt}(!nuH%|tRG#2v?2ubV^|o1{1E{TxCh z686g4@R;O}?R1eh-hHhU{U|kmH7RGk+%gdEx@L2A@KW|NS=$q-28 z>-c*Vg(UX6m)Cq~q&Ap(YAl)Z7W|SXWLw)&baKABUm=1WKKH_ib9RUH4U8VAu8aD zXga*lH?WRl^p&)bUNerRMOm*8=UOP48Yk5P2$WTZ@ z1@@v3x(6cBM&x+DclgS}D;C4AgWjzD<_Jrz-05}>gC&kUDUqu3`~BtmpL_I%bOHY! zeZQF;kKzkLvGGXXh+Ne++t%`!2o%;Z<-K!4l1^u=^jG8g3?Acg>!58FB(20Nk5Tn+ zH9@u(qeZlq)49c`4JinwciW=9I)(3}hPC7yrPYJR@BD$%rlDuqFA(LP#Pz>!r5IxDnYJC0Ypd+P}IsLa}k^#`iMg;OWoemJA4)Ac)gJgy{wEIJKc zMQ=H)kRYCbS1gN;;P^xSPXPP$=>yJXExg)MUQcCs-4)d&-iu|t!)RETMJoP}=Ozzo zST57@uSdDQ&1?mEZrEfun%R~1&8WGLA8=FhYPWHD==84T^Mvv0J^ zw*dmAG)NXY9Q=b)q2>&~J`^4nB>#Kv);1~eFnD7)oOn(>pfw<M{*ET30tC-q<|0qi{HGS6{z1gIM4KNB|AJ2YNjNYoY5Onny(YSYiLjC5D+llJfT-*jpdP2dK z-FO>cYm0Cm$Vubn8UPI}MVOs^zlN2hE&K9_KjO5~x*~v?q6*ii!TJ>CkB9Y?r{$AK zb#!_9F(=*pElFcN9Fex0OM&dy*{N^Z+xfQf5T$N>(T3W(n~?L*J9Kv8(-T4_%aQU&CpiUurIdH|~0+ge+=+=&X>W;}IyQ5zkGlnaDxhyftTl70y;u9%n3;_VCl zl2VbSrAFZ+<9D#O&Hhoh;ldo50=-?|$~_9WlrL0g#$52j#@CsFK;+9{H}z%BmWdJx zP?Fl?ZJ+wgD=yE*o3>@Lna1(}7HdkCRB(8r0ztf=f7c08If4gb*l3z{j` zD2PdsGxes*PTygcguafCNz#-5`iaCqx86q=b%i#6nM` z1`;4BB|-=h0zncI-j#jMecoq`=bY!=`+mN@-yCQhTvyhbYpyxx|M!0apb@{GCSTkd zm3VSM{JrFS>;0e4jkr!uC&sTG|4nh+3SVrCr_Y~sR$yynLk+7;Ux>qJrA_Ok_I_tF z0AE&i{;8fO97XFtqKyn0k{xBr2JdcmK8@l?KQ*?T9lGyE4HAMs4#DZPJytik-q)rV-DHPC!| z4;Y3Jep^3#St+e?;vVN(+jd=^dp6=jmWto7f(IPO0Uvj{O7q8J{DCLPjGY#OXRN-^ z?C>AHUW{|T{}8h$e*M67fMk;BL#p`w>H;cOeLDVzRT|BIvJTO`%G`V+X1eHxnD++m z7$v-ekv|{2=t0pJiMkr4E#%epaY)tirqVEFJV+v*X*%r=uwEJUl@7`EyY?E_zs~oH zU+i-QtP{I6q)<3qaBk+2{13-7Ifa9*Pe_KRr)jWn|9)v zk=^iPCmkjTdD*u`2d&E!QN0vY)2U}o8s`VVwpj?s`2x|#{cZ-*xU;!Rt=}U*?mQfi z*MwtdkTGB*N)cjPUgG`#O3i=$88D#0g`IrHEvTD#jDo#*9_LMOnqIDsJY!dKF|Q4r zf$x@u-K;*lbT?>8ThqNqOl0VyIgeEv$ zBmGH9GJyBeZh;-Rq1~$Yty_a`3DmQeyL9aiMoCBSkj(4y7Wv8}S#?j>srlAOy)mYT zrp-C6CCMlKt4xHJwb}P%{R)rd)N2IaEGgiL7rF%?3gUFzG^iITjWW1>hnOvK%L!O5 zn@#Ey-S$Qq>Y-?r69}~Wrpvy>16db_8l#Z38MY?JqMhV@MZMSVK-8ljs8hQ8Q&=}h z%&Vx_bTeuB#Q(1K_o6XZphV)@8vh%9yqH5{AG-;hIzMC z7TawXm+_C^pDTuasXl&UTi5<{b%{XvkPmN1`Lb{He?Kt%@tKmiwxIyjDLW|8DJ^61 zx1Hvd=@(hoeEAMn-akHY0tI+4O-#dyo(cFy-x}Xjo=<`*W&XYQ1{e2cPk)AsJZpn! z73*iOTtC8vUo6i8&mp(P`&um@$R}y%vpP&ackN$zY8EhYV*i^WzWWC8LQ-j{iSjr0 zmF7n-`Yn27UF-j-F>obDeEW7k!0iamPNeU@{q}b_7^4^4(-gKVdLQi7jt%#uY30c= zLkJl)m`#Rbqh4O$rW)K{qU~Gc9Wsuc#cm7@3$q%R&__ClsD1<(ADZ_v>qGCN2vHcRg%v;2c_B zNEpMus%<{c$@jJndMMvX*B=a=c~*XWk8AgbdW>t5-4O*Od4hCmE$b;MXz>=hpt_uB zX&*dn)g&M`M^t^IFkttbv#UdU7Y*EIE8eLsJVSL+wTmRCGs-&bQVppDS4`Fl%5BrB z_(0gTOYu7%iT`B5*L8jml|EY`#A)cpg-h# zHZiA`#}ClWNQ_*JIDq%u9P*m@qN%=nWM4&X90g7l#jp6EW_@i?Ar5+O+mR#BTdw_BoybZ&>rW8j36i4)Jq*DGiyff8%irnC}YKu!!-pYNuf&G5`gK27{a z6<$NR>CR@r%bw>M!xHtH;!uD^I~{tF$>UNOsWzjdF*$L@md{HA$F9OPMsdW9o<1>z zw93x4?wo0LnMthTrUybmE$3M9=Mr%2b2-`27}vUJEyS#Zx#Y>EDGT+6y+ACnJp{A%^s z_hj{_`gvRBlsh4+3Cf_n60}(Ubx9ro1LNL3-2xQPFD^z2V;UM-Z_Ynk9Zt-4w_a-a zZKvlWF|Vk4-~;~g;wvNe_vD@@(h6^$A26MIfs)u9>p!DKgMg}>QDs-7o14FxNZ2gJ z+BGxui<`Jo4u7?qu;tRH)7gJk-M+A{X!Jq(t?=4xhGDzu5>%FbZgg()M$9=;!UqGZ zI3=XJX6fFKe}=tPmxW|eGEhs>`?X$v6@7yn;%_?PJLrFmI`|4-fWkwoexzSxZ`f;L1XenBR5}F> zH1-{!>an3HGx({*wA@K~!#X3;ANGssE(u4V6UwoIQhPpq;sokox&pKMm`jq=dkZ%F z1UABRAV2)HKO2~f=lUV8L!WLacTfNG$rO=TFx0Z02;>YoqJ<(@+Tw-B!pGW+L7%c- zNHw+bdA#IGKA_e-;|eXk)D%7|S*Krn$mc0&iY4Z1?MWMzsXh~<9?i1e?7=FG`HOaZ z>Uh%#0a`xn0FCtmW(yd8xMc^61fV=5pvUK*V*VoG2~7k#u%@>5xs$xrJ`pdslA z;jU1&;q-+cc!^kFbc42gy*>(G8_z6MRVCaI)Cm(XY+=YFv25Wfn@-H{> z;jvu9wLXUHKp5(k{x~I5#5>`(sm5EOSbh5weJkoF7ka}Il&AXj_gc>hwlMhf@)^G6v;ou6>NhJ5q?Qj!3*;&9{0>U+BIGng< zJ)wO)rm3KqQe}O|5CQS9fj>JHV+ji@ThWvAK)Z`w*TLj>nxs8d;htB;es=Vh4@l}VsS5Eo}35+htLqjdf|i%)M1kU9;%(>0Y3gUxLcg^VN+N2Dq`D(&yfVa z0kMCcuXu5pOZ+<6NIn7oOC8RKWFg|)1os6U%IYh67hzI4)}?6qhiuQNj*O$^in#OH zgl56a?A3b7g!kD{=nv@x^?Qa#)!(~A@BUDGJYcQOoBG+{&e*}q*CCmrQXPF*tcho! zPDs`FNYGIc_tN7Fsed+&RPUVYRDW;KbWY#dpk(TE;H+Q{y6c_Pv z4dag(s4yHC#fby9oxf&PCwz0tQnqTOFfvE?;X5^-3y4{u9F-)J6_JCq;h%n^wN{em zOHF&6tg%hHKZ&v3)pQzs^pSOknS&%KrOVZa8DaDK>aAqcaX(s5v9@oWdnz|}p84CF zC;y8;%uGM|clq^t{rHnBHiZX^1wqh)K4o;>+ccz^*JF%@)%JUmR;X+5mmhl#1s~o{T;<+ZCG$1P!VpdrbcnTb~5QX!TN^xkSkD z*bpK1&$!-sI91h1^YgW~EJ*5SlHqSL{;hIr%o04bPtsVflD3u{`t@9ktHY`L@^em{ z1Yw#zoHHe%5>?`PjH+kt&JD%H+~LU3kE+*5uk8SpGC>qBn_2?r;6R*G@N1$v-5dkLT;ST38De zi&a0FcCY2!!}J*+6bjp;958k!R9!0&kvXXDf1rP+!9CV$iTncPN#C!gvA?99U;FB7 zb!TqRaN2`A;iE`)>^|@?=iG}gH??>_#^2^#<3m>K@oiRGWrih#z<^RuZ6Z7!ucR+2 zU)Bo|&H1d+t&}Lu{xz57cMOPh{8O5Hf=@!ek~5$=)-~5qZBm4XAKw1_(>ulvw|JdB zJMlK*SNx~NNJ)Q!c;MKl`o>7#RK^)JjMaGX?oH^N@KGQ!SrS^4WKvRYDWxf8dOPbY{qwa|n*=G|d_HD5Y*g`wJ$yE0 zdGzJP&##9E4JX;9&#mNj8fJnAtUP2Y)WA;cjox8ff3cxa1zw;a1E8I~az+^E!&jj^R;;%_U28Em*UH-)aAXF|P zMI=%rMY@*h4fWZfv6)fKS^<|6>nR1Q1rGI?SCle4KWuEJUw+EtdvJSPbHlef#1nBy z@T~1CZ)f@$+)1(iJCoKvw{9P`#|-MjO)kKWVR~YjjsPY<9eQSN87K+v21-t6)=Su8 zo4y)+=CjLUa71b5pD|TMc4(2x3oTTFeBlNdVTvEEPeVPWFO7Y6ZsIy0Nq576fSBB| zO9S_#XLE@dgi190GM-K9m>br;Q)xu%n|@nlZ~0?FCUB8?K6UH-0or$y=aRJF z@5^%POS1;jzur4WRg%Xwur741MW1Q(N!{)|a?;=8NUIU+mFM0Kt+>OPAt}8ZeN_l% zeBL?N)3Av1QCakC3$civ$ir_OMnnL0{!;1BV1QwtUVNrz_{-q)IZlQ$BwiS%o>8N# zab%H4OR&S>ba_TEiSJ=U42aWXsnE-w)*P$4`_0AdvxC`;i0cs-dVY6#7Z_4@ghVH9 zylfbHra~VdKk43$xPYVN*Z-W3Rm2{(k~HuTy4wDHU62R%0`H)Qg&>HsM5*q~(91KS zykD*P>OZKO{6-H_T}b6Oouj(yiUa}_uGH$;6J-Y$KpPRIu8)3761SX2rPTJekDiAq z$C-4mN&L`Gyi9mkL^AD;3mx$gm`ebiuI7+QEX`wZE_l)NnC!-c*DdSr2?e)Qm3`hJ!`m5_a?1{?wSAZ zB+PLjOds+{T)clh5Ea+a?Tk4heazgRM*h!r`CX zA*rhrL~lYWoQzle4%TvHNRRRvt0tmHJ4A|Zs}h|mw)6JPt70;n`z&CcDp;Waz|)Lr*FUzcC)f7Jmj2! z0ZS31+8Wrxw=HXQMmGiZh_cezj`h3;0PAG`=e6Nn+({I$`x3j>T=n|+N*{Yqe~`V? z_#CuKI@o@*3?IM}7}mA#e%T?Luxv7Yf@Wpn*o}z1)lyZB%MW5s_L$PGo%&z-u1YTn zOz0xM-mFzh_KCRNys~CJ*e$8wmY_EFfIH$;<#`l3%@<+H{M9+%Yl99G(TW0XP6a_x z2(Y8b1M^inZ+as^86#Cgbu8lS%g{?cS~%?9*WaV17B81UZ%f86(z7M;3kiV#viLgy z<&;yej@x5GN!RXpb)_3bU6*Z2*{=OwDACOP6+279qg-yKPd3r|tJ$Dvw_5>(tYRzC zV9oTNp!>_Om#S{8*pV1Vyf&{&{P^HM{k8uHG+PkT(P8Ub|2FwTaQ3CxWNkb>EKP-E z4ja$??Q+>S4LY5%d8{oqZsBTUe8u=~BbJEgmx~>+szyI;%VW?(IjJ}@Dc)0evHjmP}mK>`AsL8f5H+Ev%JS`+*75O2;`F($Mfo;ZjZWLT_#dtb88MwcvF z`@9GO-5|WupwxQU%@kba1n7-Xk=vf@W8q6aw1qGv6}lXqF*Ke^R$21 z^AbsHOS4sxcc^E)7n+^WI$&)ogj~9N2<_tLB#Ny8Dy_MnObW)ac8>>^1KRqf|4B1h zp-z&m4<=nZrQ!TpdhDi})+-?et(Wex^V#|!(=gh%T;(B?Qy6c(jSY;&I!XyHArAWs z#|Tg7?}Y??IdUk;!oKqa&u8O}dPQW27lhuc)Zw{ecRNc}!xc(qEJkK+%u?WW^1oGT z0>U$q=+gZQU(#`7H|0YT%k-GH ze{0{xx~&7$!Be;f^$f$1Q#k($VFPf!{l0}qRTR|V)E{YN#{_B{LZh$Uw$MvNckWJg z&Py+Z9wNJEpgoZbF#2j9sc(V)vukIWm#u&1789FC>lk3qZNYfrczBl%SzVL3*^ zCBorUd(;C7-9T)Hw8TlNlTtAsRGt>|UU{k|bU1g{QI9fMi&$x?qZ_%504#os-&3ki zWCByax$a)GGQ0Y?PMX8o(XRS3wmor}_r4eLNW&@bC{%>O!xTNYmgBQFt;i<{&|G*8 z%4ET^*naESZJfbYRV_7}{&)!zEM}ww367bqPGKMlsRj;Jt!tC!_@bVgd25EB%4v(% zyjs}4=JV^Dy$j5Fnyro_wQ88@V2vYJN6**d;LrWN<%<3Hu1%ssY-z2*5Lpvh^HBz* zXU1K!OyDU##em!b&zBq6HsqvSwZMQ3_zs=6Vf2v(B1y(>|m}_3 z-O{0dTLZ(=qq>>&%-t(WKSCw;RmxwW&<7Xn7rpn{4I#YN^4TLddz7MnI&-YE(Y1Zn zt&B%%da%6KKChd&PVxaYAkqA**f z`6t{~74qYS_q)`iHbrz|5Ygc(UBa^9lgiR_XPNHv2=wKGgAS@!;=dL zx%COal#9Z0P{2LO{vp0*DB>2Xb$mW$K|myeosW4>W&9~umLBL)FA({Ck7GLBJ`ZW& zwFiG;(EL}Od|DvsMl%NLFp*dj#;#`PFjPp}32Rxj(Bvy+HRy1F^O(B>DQ4l$Va>K$ zzR}`@^1DL`%;sE&z`*^BW`3DwtP)3P7NpO6-;1^NU=KEUd~16Mn_aw)XN=uiiiJ(g zHjN-MhMtg%qiR~k)*m6(Iy@JUg%fkT6XsZ1CwkUtf*EP8N((Bfa5hJtekvum)lycT zh<3!}9{ojAuq2TqZY5N4>@6U;RW3#+C#4m^j511q*!{T5QT2%0niH?#K*-LwPFGDp z=JurHRyNNukVpRvZ|+@bT)ve~VWctZteVl}4q>mY$%J(yN9I7-dS&E9}o_dpmW`&mai?P^OQhtek=S-P5N;khL(&}x1B)!u1ZNRQBCQF<3o47j@uOD z&Qi%H!);yzk4P8&q8qi3I}nWmmmu#Zd@8rtyP;KVJK7ly0WM5(9lX%^1b{sHAT)=& z2qo%uD4BGY>NYig!W&0+p7n|YLIHM^JHnfxwaxI zaHy<aMfe&zSnJhzD zm{G(CEWoG5m?Ss^+CzY7BXF+o$L7p#jfG}iv8PbE<)v7K!KjfCLMjY1FGpCOiO^fx z4xfU+)Ma3*h->om#eoy6Mtjm+k>fU6ovc-7u7#hH#(7UVHTI8zufl(t5KT#G)9*i4 z)ec8ZB>}G-cbar6F7D*ma$@2F{c)p-!BC^+1B(&sd>KV)1$t_R zT3nP{A0t0FonhN9=z`bKfw)JsU~653)kV>`{*UDNFkSFD814ttv*VisF|?4Oi%D+r z8+J?8LeWPBT59R2hCq_p*0&p+$rfNXN+f>7bC5I&?dw?4c-nwtK|Tf-N{kff41Lsu zYt|vft%TlP60VscP)U!fOc#2+7pQ0qhon@~qB_y43T!#Kg zqlD&gHLZEmUQy7u2wgzef-U!Zmkn?3%Z$>1%!dYGdIbEwoFHBFY8~3bDi>DDv=ou_ zynidg%E5Wc8eY1lF=yc(jC2o%puU7ohxqg$P+v&*Hgd8UFJDro#Yn&P(^}o=b&(v> zb*v=|nMpHV+uah-;=WuL#X`PByo+)iuDum?Ft4_h6Z&CR+^iO@7{{9LP}xw}{x_pT ziAwZ7iN(H059RkN1>F;B_qZG%=}^e(AzvP1UhvwYH{o`?U(5ZL>(*leVjmfPVGUT?ia&49SU<# zBPQ_N0mx)J*NRTqGHdlx$Uf$fx1vCoT5Imj?f_)VMxS4Tgb>eCtoj0WXg5*`LVmN$ zoGCC`7hDJrtCP>#y&?Rh`w{2NeBsKsNO}J(g{j+V_KQJ8U#$PJkTL=7bqbf`M%EUe z&@~&?%58R+#B1_cC0yJhJR%_Q7G@59pdYOPJ1^jlkFBCqvKiGv7dkP=%}ISCG>1#92=SQXaVTlT7fN$>LT)Xx&E88RlwhS)b5IMP8q+PP~F=Q{&|}2d_rWFvew>A1CA8Bi4p36D>`) zZn9oPzIbuDF)cqqvwJk`%jDIEjll;SR^``h7Pid0N)ie=<(EUwuvg5tHBfz-bYyv` zd`(>#S==5F{$Obxc(<&ZtY5r&mDn4vtXFqeH6R0MSOJl0jvT_8Q}gov-F;I6YkpL% z>mwOKkkZTDxh$qlJ(A$BuwLVk=V_@Y!?q4Iv!%qofd+47eA(#YkQ?>Hx|9$;t&n#l zOjYF8WDcBNIm(e|n{Rcas|hqXeuuQ;D6(tSFIf((mj1cf;1-%~aQ&InFr zQB%4O1Ru_s^P;%2*jup|=lvRLF>nOPImwZ<>%=0d_1p-n<~k@VSkh}E1G^pv<^euH zBF1PG-JxG@``ku2<&%(w&Be}hSlqd#!YZb3lh63Aj{zJJBbEANE10#kjV-Ywxebm3 z*nz_%fl9@#0E#JBBY>e()?YFtv?!}lPhB-S1{uy4>w^|(%fGqJ4p?dNWZ|)8i!7ZZ z;Xi{~ntv*w1r1k@J0CligK^E^-M!!;NtdTp&GMfd_XmQ~=NuDZ2b;+ePE*LSbEQ(% zkf@dAN9;r$#%P$uzT^ZbQaNcigbSg88{D{|Wjr;T2C^}S%gaY6`<}Y~rA_@l+3?)B zux~DUp7(Cy8F(jaH{|!_b%1T^I|45O!b&wS`buVOhtm6z{MgS`lK%BzuD$RN#o6?Q z;898bQeUk>m2nG6CQRTDXog)!>Cnd5I?~XbDarXR$q09(2gmN1^DondWq2-l^qgm?;BCcny$2dR@!Ubk^%ajEC_APtmN{T2 z=NTa%^9m%vBc%z9OnNFqIfz40)JW_r?(6YJoQ_BZyUm3#pWPEPF*wJPA*++C8(b&9 z>9~uK3tQQ5n=r6&!WyL}BiP-aoiEXMcmY-Ix5r-3p98d|x=hmxLG}VW7Z;X|3BFMr z^N8!^$4M8T)Mj~~g-pI+Om>@ps6bda-iEgKY6$4DZ|G-W+$=h(z9r@l!Q2}dRBBbt zz$AgA4O*WQI3%M=10QItG!UqN5ktD`HTtd;QjDKv?5=7;4uB&mf+Qvp;q3@FVMPM) z;aof;Jp_$xbhL3gPnVrIY?H3hv&wqaYb%F0W4MXDeUcm45_^N~t2|WrpXVPN7fM+* zC`Apq+=wWG>`g}A9|&D+n7qfT+dx+5j}XyIB+wy3RzA13g9JNzXT76)-!H|YXM>vc z3yVU3A~mZgy^v~HPJZ*8-xH2UQ?TQp!=QdZ;?Fc*!rp= zmchy$s#HqGAq603v7Ruagkpv{#J8wNvzziG3%`NxS<`Eair7*ic9Jf$B}0l3)@-EJ z)>jPv2Fh_O#0PTf1qCxQ*platWVcwfhK|$@Ga`yQ21n4t?CN21%C^6GYK9{rckG2=cCS)D0hs8Bs0KQgHQqIbtU7czL#MCfz=WEAH9Psy| z4uFaZF*G^;%7p$+V_R%uVTr3hdoKn1gQH|e|3RK(xe%@{#co{A;6x;SQ-f2fF{MqWZi_Xr@h?$2-C`8-h8Us@v1*t zX!Fir_ocS*L!F^-c6RClz-R zm4u23$Fn_yw}ETiC~c==_a@M*sj6Q==#Mq64j6UpI`Y_8`c=Gc1|){-7u398O`7Zw z*rzgW?kDDn!0hZhUVeF}9Yk#Pvz8B!-0>Gl$(V+P_ip%X$%7H#LY`)y_{ZP7AA$#H z(-%IlIN<>uUtX%?0XiY4v`fZ7dAM>T%PtK=&JHvU?Y-C$uYbHOdN$r8j76=(^teJUI#<1skU#|e(HziN9==Y2)WK8CD9anJG381%wTv3u34;kDEm$nHo>RE)5xsN@LH_Y!3eROJ}yYxG`k zt^oqD-FYu?OB0P0pTC~!l2ac)mjZuqp)Wy3I}p51fhCtKrTpb(>nz69$9=s%+g}4G zr65`G&HQwXs@Qzm!Cohks6f8Bm9);QTK#|m)k7n9n>iKmh|NZH828`N|Jw`5{q*rs zEj{DAf>tKcjMq^N=P15*SKc2MLU*uFkz5(S$IvHLlH6auGkBy5v*_e$len zP+q=s_8^CFTxy}CXhC4;#U@-vvNS{T^v%D$gtkS0+2f-*pPxLkUY-*NarZ8%Yy-n3 z1`%Ak!V)OZ+08ar!2dH{YU}>PHHZL0R4|wCuntHYL0qOlx9@$4p&Y^IU@G`qQV;k# z8bKulp|>*||M5&^oVQimTGbP?1bgXAfBRj6r8CGAD-kmKp5~~yOCR8T2Ay{Q*E2Do z(ec=!)gjNe-=Zi1QljS40sm)4@eQR+uyFS{6`S*HgTfc5T#gp|KRugZ^FkV zr>KKqJ4)i-yPWtZkNUs=S5|>w>3c7|8kPFHdFucEe{g>i&Axf5JTywXIN{mf4AlQa zZ3^rwK1Nyn?R&BR^(Fj!e_$AF|2WBBF3~*ofB9r8vd2do=S-hT{9nH6QOTXW5$hdQ z3+eyf1O3;hMzS9`(K5AULZ1F#zUu#f5&eH{Lxw@LJZt*0#wi}L%Twi__EQqHS2}%x z(S6=01ovD5SXX~(@dlT110HaV{Qd5^TOc=~_({?wRQDY?e&OQ~3OmD5nb^Vw_h0%+@LD!|2z%02ULHiN-%({<3E6Y%}iyC#1h$i_lr#REEj z9uG(eEIagXEaWL1*xymLqB~CtyLw;l0;n25W}gV{5sJ$){yq2l(f*^D)rDeANCac? zNUPdqrwSfVG#4zr-eraiz})3dBro}GG5ppu{dPsa{lg9jpeHVNh%4E!L49V4%W@cc zUt;i}EuNQaN$#)Cs3+%8mH=?@$nd7W3cqU(VD`{Q>W7@T^_)qrziwUw33y5_6=eBl zhHB~Bp?SEpjXJlUj;MR%U<`YL3k+I=A7^C#^Tl2A0&EO}axRq281c-^IjQIltuJ$Z+mVM*B;K4idt70hRKvS@Nkoku-%|dl(M{9 za!PmknOU#xFb%oh2#26)pBQ@Etxu7jy{eJA5XUmpdKteuex*5M9q=A%5}Snn`;hv7 zOkbjeM!$WWj1e#e z;b6(?$87>Yg-_i6mK-3Ow{O=v1G}^Eac7_1p=eNwiJ7yxe_mQ$q0R@)*w{T5Jlt{c z6ko~vOURkrl-U>`TM0IP^L3Zw)|z7?v{3TH@>ekf+WO+ypuDVc(?IUbvT2sptG07X z5ZI#*iBP*NaRj7m{m|oo{!Jc8mn+YG)SL#^+n>DR!Z{_<_E?$qgti|$6`A(?u1BDxB%+Cl4m{Kas{)A0m%-+98lSgnvej5=)9z_B!Dh5 zjLS58(55SN9nz0Xmx}J1bpSRPA;``A6o93zGx`u(Gz&V%e{J&q1)MHx@m6ugWc*Hd z|1HnPSCSGNRKF;#aPK>F1wa1wP4vH_Hec@{?pG#~z~9BqTVjlboHT%u#oSr>AND-y zz-^4_@q7pl@=S$$usH0Msc(7$R7IxU6*GQ8dD$4{ICjQ03D4W5%`HHJ8n=JVU6MOO zIhn%UtlF@9FuvX&n~{K7CN9|<@QGOO%k^*eN1Oub4I=vJBrY@_adUyMgd3bHRmXVH zJ?}qvD;-Y%!Y-uVY02CCak$mPule6uh&y=1G)Kh}<3rLe`H9^vdE&mSNhCYv(mXIv zHR$2$jV3@uXq?g%NiV(B{=83T`^c9BA7Hcy$ZC2GTu-Zm2XU+1gjD9>8jG~m5&`79 z|eI@rrVC zO-4I&daTCV(%$DskXBhtnJ~w&s|5v6Sa~(pjVA81;?$AZ&KrjqQ@C6B5*{4M3yP2GZN-Y5zc^RjS$H|S?DbAQi7lAAiT@Mg?$&z^fMiYLW>F~BoW12-?Ngra9m zTm7`MVc{4y5plswm+Mml*v-HlN|;D3S%Of*26q>r7)H&wbx78#?%Is{fI$Jq196KG z)mV0_l*o{#zJEM9h$O7X+2J-?NQD0UaKdJGa+rI}{OX=DtGvANF+@%0p^6M!I01)ww5UqtQT75n0_0kbu+AzNdZ}s!w;TqVhJ_eDn60;0@(k z!e}^;H;g;7haLCra$8Ug){IV(1TevAYi?o@%Jpa@nJM*S^2(Bre>>dr>v6yT@CHni z$_D)uy9@8`CQ@iy99km|u@sm$WeYj@%6x)5UCdrdYxT)Wp9hU5Toi|%cYG=TPvQN& z8kq{6sZ!&T9zeN6Bxub&PYA$f(*YVwnO6vp=!H zyR6>533JiZ%6nwi8}u~Q%bDECR)R~E*nCeJ;OF-*@@5PccpE#RW_0Jc8`W4;ys!R%BBK1=ETYe}~n{e_U8~X`yL0)wTijq+7FZhc2yg z!HgZj)z8MO1}$sN!?PS62Xh8nO^)tl#W`;N_~2)}O^5Z0CbTAc%aI{Ptz*BtJfWY} z0zCB^xMZ91=i}THD8luY;*eI2?e|spM@KQ8DDwpl6bE+T21;goMF+qlli0xp2|5 zov-& z&s%)2Jmvp=uGaO=*O*HdZ(Kirh`BtsXU)Ble?%r*=?>xab3L?4CSFo1@brw5=Y%Tc z<7DnjL^HtUfBjgK>voTsf{AqdnYY{&--f@U$p7VJcE(K&V$2)E?)ocqEP z0>=3V=V}}?yIOwVdvO6#)@+zNxoDdm2-~0X;be*SnW3!U0TH41lr%!!Y&wf79nG?{ zWa~;L43{oNw4yr$=Hr;bP*nUcf&zM@7dp3Z&3$8)qGCLWk!DTYNMHk@D3Kz%0%u4$ z;|*s)roL1OS+gQmX5b-ytb0S>#3P94m=lHIW39zTS_uqI6CF14jB}4&Ae)h-8HjEG zGzQzXK!>W$047BvMV@ZLkiqL;`Ks5EwBW)?L;O%$zZ5r>gX4`lr7!o!^eAQqjAR6RN?}DFfL3N&L%eZz|D4c_;ib~YCPMK> zqHiUQjW7M;f>^@vmE(mF_Iy8UC}NAfo(S<4W>0ZPdbMSPUiM4dik{E&+`ki7g<-$k zHk;P6`qqE+loSd~nS0HoIk~ql%8#eNFyc{4)_+m*G0RR&el>-jnzYjq*njlv%8I5T zsFJs%NU2O+XQIex7yPeeQ8Q;9u&RbsE7AN=sHBU^9U<*L#Zp(-FY(#wF4wbqPrsJ8 zN*6>Zz4XS~%YhZC5vyXH$@ctC*!1}L?fS#ycIz<=q0B3*M+5EdO0@&W?G%h~hoJ=1 z&HGhb?n5xmX2Kv+HSwp$ZX`%czb?pGt>C(Ve?a#s@+X-5Ay=oFx{`U{a?dex)7!)& zXZefk6c667LU^bW~txoa+|N%4Tx| zb3&5L?|BnF#rV_a#5>MJkDN<>`O6t=$&9n``litXy}A@{nn@|LPqtP?T-TmXqFg|~ z^+N!1mI3VDr0rlD`6#xs6i7zI@gPM}J(|&2)3|5`3#^CMxpcw1D)L*gLCk2Msv1gl zYTE=cj zqwB7hT8OY*P7CP%p2`k<>Ex@0Thp#)vM}?~UWSdvS$!L(jw1N<8cjOV$rO3=2RL-BdS3HZa4pKE6w>};ovPV;n&?@`Ppfmgm#%6_>;_kw zJ}JBryX7S(@3DIz%6oykka-v|(x+v}uDujm|oPj15w6 z=Gy8NB|*tW>L6TM=h5Eh5T*;Ax?mnT6?w8nkCgFM%k|;k-y{FJC!RYFDpK3NDND+B z4)Peme?z3Mxw-8Wdg=8&smcB7Scha(uzpmv7%-v%8h0Za#oMHU+ zVEN9~=YEkc;`e)z)f+HJp&*m{MJe%9qc_?e)~Zxnw+I-e=xU2f3>zwh~3%x_vw#?J)2B^KzF|X*p7(~l@Gp$b}Ck8Ea z`bL<7R0VGVQ|9~YqhEVB$~v;k%^zOUz*QJsKTX#7-emzAmO>}6trnH7r6$B%^?YgHJWTVTBK)iY395s)9yeW#c-D`>mM4g8k#)9hlanRH@}it>Ob*18c>4g0J@+IedLJ(GSOc=YwN&Sizz>21s> z6Lj5kOR{Q7*vmW}8x@a4n7xXF4r$gQ8gFYefCEPXHs*wF*TuST$OP}xd?YaGwPpu( zsNKqwWP6Oe3+G^U-pk|LOJM9K?3>oIHF>D!cPasT(kbf~TuuWQ{AxW{a@RY&`G{D< z{y+(`)=lp;Pqnr2HP-vLNJuARa5p}}pjpi{Fd-1>^-k?FBZOMOS@ga#&SfOgLx$>3 zUMICWczdYzxS_qK)Ja`lq&qmhR5L@zab{K%NNS1XNQe_gTieJ4QmFl%96>QIldT)4a)L6;H>t_d7(iSOq-k}utb7$*lW zfmYA*d)S?+<#@$@0r^wngFKOL75%RISrP<`sQNE0n2$}olv6P2j;u?Q=7zuCr^JYO zzpLvrYvw;)GjQc66@jo{*eD8iZFv4FbH0JvctbW~EXw`j#q z6{048XszbT7-)4g;e+q!y|KpFZD~z z_Gn1S$9@rYQwjd-wYONKM+^GM{JRPTGKU0QGYpBH&@=L{*vpM&TobLYxs$3Gk}oUI zShj6^uTXUh$dkd(41;^sm?5@M5sXT9OSa$*+uy3JSJQsEvm1;G27W#{kUexfe58~L z``MyJ;e@xaQ8X~+(<$Isy#h{dEdN^VMsPkD>?V?jFVaDs@S?088t#c(GZ0t^PQ!U; z6i62LC@9&ihovbajgRG5@(5}KV7@xMm(N2;3)@t2WCNL>Tt?tcL zKWfCiS~bTAv(^_JJ*j`*_%J$j;U4YQET`Jxiimt~dYdamy}EayR5$SwPb~i>nVF<- zHdkDaRA8P!7drF!uS|fcvfIxOs^i=XIj6TL#mEbbbnyk24kgVNcq*tEr`;hc9^YT<4#~JI!7p z_B@TFhT|^c%>$z*VqOtCG4!3qsR2kPv75C3h~^-J&V>g@6?z7$_@uT?o=iL1vKSjc z3C?o5uVV>|^6pfm7mU@_F5PpWsAwK^FtOi*s>@Cc*8v@~+zT%Ire+&@G*v#=rn7UZ zee~PPsM2|71gJgvYf7!VehFn~t?t+k%O{lF)~kV&7*fQt+UPY_!-!Dao6U+E6uuNw|$Qfk{w zqL2~jZD#iFE!)g&p)wA_yvA+sQ@FSJiJgb-F8omMMQ)XL5k%$3Q z6;g^#SMW^?S+%vfw&gg@wzCysfx-BM-qNX25dCALknPGIk$fw#CA&3)jz?ZPk++M? z`jk%}VSM?IX8QlTK>kMXNw)wUQJbRZSuVcI|EZJ!J7Owoo2Ml9{q~B6G2YK!qa{ey zp85FeVcZ$cPacCqTwxZj(dvq>yz9&3wvZ3XwC*To`7U$;zYw%$5a3kIyrVX6eew>} z{n?yx@J30V!>L6zlk#HAHRDNef&MkpX33++zYcQG?{+_#msSEf_^y;_ z*BylQ-gm&PLI1F(pUPr(2%e{yjd(BJZK}D%(TqbletH-Oh9O~vyE+2J>-A5i9L*`F zw$%1(+61B;i8e3=dGpNI&^^Cp7Kz467*tiSA52c_lSrmX>up*;zpeu)9tG+zX9pR> zIOd||Po`w+hibnGSdS$61X3A#aWG;HYUV>BwTH+wg7*n%S67ZB-|oW5?o=SwuGr|k z(eO)NLaa^Rc|?>OcEls>dV}^6u%Y`#rVX=TFm2*OEK2rqTb0kgYk108^l+s)#3Ie! zh3RT8TDXAeuP8zHnK8|0!mbp@+AP3U7rsD&ULXD}Q_!UYilL+R?4&aOP*Bb}*vr zE>ir4ev#%B9#B(>G~^5sD3PR}S}4F@_La`c{k^HF^d5W_Av${Qa3*6MsShF4;sTb(!lau<`_@r+`bS>NFnD>fvO*AvUO8LkUWB-}hsMB{ZdA{sWJ?xx;vkb+h&5yk%#! zX(v=pvWuBrz>d4i2)E_Fwp}Lv({lfJ>MSm}`H6TDbi_1j>>Fufl6W6GziBSh5wJ$; zC&g%GH2$v^K%hNOp)`KD+?%dBKIRe{fnCFRLlqDoa@vb`gDVF>WlaqyvDq*t-Ua!!#DuEN4?uex6AFsshdNb4v^d8dSdBEfDmVmaT3<%jy7`Zy?6%4%rO_4BG(bZgV(R*6VXi4cZKy$S$LFS$9 z&o8R-iIGvJOBAk)=~Y*lkBuC?7O8xxbRTN#H1s08sb%thY__oV{wyhl_||;bRu(EC zvp& z#6j}EBKdQd^-#&f)coPPQHl;VqhDdf$kD0~s7tS)vmi=^^Yx*@)f`0_MFo~uyW3>6 zJESCKcM;&+76vx153ciE%W(fOTbwqFmWC;K$**evLWcVYS@ezZ1lNiOhp#gRCYt^8 zcRb*?+Zq6zFs=LT9N%V5+)HD+H_UDqPRAY5X%(RP=4?RrWR}(AP--VpmcWd%aRq$TU=JEFox@m8dwxgg;spjmo}^l znk-a)I}>!jUTLIiyUsjn1|$eeO!AalNDDD|PP^*a#_%sV5()GVhAfji)-R8{@R)iJ zRMNFtBbG_YYsp`T%Gs|Mm!!6RB$^1JtI2awBJph6|fW& z*O0lMvU**i@f%yyMpOs%T&pldB-r9i|ig*2q&DYHkl zcPX!TuVtsgLn(tz?l9RdZ5(9HR51rW7L;F@8xs0vNZVm6T+93!CI{Aw+a0W_enTE$ zLu#?09qI_^+FH#eQud9-Nf(G&+1`p8MAM*Qyl=?al}Tm!s9e zPxkeUW2+%4dY>*+e@+MC1?&bDr3-DdUMXolF;MAEb4LbKO_ljeQBZ}8Mk>;p zFE8#rQD(E~4!J_w8G`+gttOwGtj~nkIp;&mT|sbA3XE5_w73{#NcqBLQ%ng0szyV# z$3DIBK4I3H%5}eFy2Z$luE8-KZWM@SWf*W7l{z@r&gk;Bx?~6Vb=7Fb&{-?NqfeTA zzs(wU;q{40uHy8(@$tOzyR}r3=pK-sKh@W}Qgid3hBeTq;CiF%X<1X%+1}^d#wiM>+6u!VkOg(mV+{f&p40! zTA-_SQAP7o!OoUfx`xT8GSjkm{Z-!}Ed@*k6t0UFc7F$1YHw3DISvoc`pqv!p{qLN zEDHC{?=g)eyTiw9x(lcq_8|YSt_ibHk8ffcX?jaO>MfW$ucQ%GlTfEUQT*-f2T14A9t$8UWLyftK&wf0NDY{^(RK#ux2WRTW-rj2P;d zMN7zU)b&NveIW!}o#fhA@no9)k*V65oCuvtBz>6K&kM`*LgJf#1F8Z&%*RP6bq@j% zpI%LS#fTRbAFa_jl~*d+wMg$uvu`M6{Eb2qSjVW*DN@f^YnYu9iYav0>mYmeUIAz# z)fZ87w56j4Jt9d-(1j$KZJ(WX9=Bj6442zuB11M2PdMLOu+lpo@7O7tJ!rkznkMn) zp)o6Q*gi?dvh0=gwjWOOfG`Xh(}rf7w66;(uZ=mK+NUo9G?Gdgl^{Si3wV32ghH=M z818+s-uW_h!poKU#NlduK$P=)Qd)lH&eJc(O{)q0Q0)B9(2NvtQVZ)Q{)$=ppzRca(G6w>mjs9DWpf9w7O{?i z7AoYMYXO$)NzuMHS@r@wMOhj2Gfm{`GC1e8iaLIqEntTiyT7O;BkFlli+O4E4p_tZ zdYUCvS3%NP(rN2QLd>os<(B5nO(VMdpbyGK-VY2`XxtFlW8dub{Cu`OZsrD%yO@uP zN$XFKR8y1^u1dE3-JqNAR(>yiq@J;2A#A->T5Ulm7^p5(mvX)C-l1<`SL|MRB;2wI z1igqHF9LvuCS)vz34gZR^ZWxxciW?`ZF$!&p%fcG}6Mr@?&_r$XKr61?8 zpRZAU@YcufYfi?6@Sl+CtA=Q14k%>!Y8R&VIMpm_>-mlAOpJ@Cc>4h4BI?UViWQD3 z5UffqO?&Qrs3fPkt7$kcBzI5g=%VpBTUHLF9teM^Q1ze`5)-diSrZ^|LKCtV14_tv z_k&je+z9U1c_}|?m;ZIzlsiss?@h?}szI&PHQQr#BT(zX8hvXhcj+2szB_$=Oma z95i$J1&Zr(kCfB=Jty=v^-=$V39#@mlFeH^D^E+94N3bo;7Bf`;x+WTUZ1wPLK*Wj zfwu`Z25Q@d(yfkj{I5sdy=hp-v~s<~BL4YC1vN*ySK_0ozQf~2BRnj14!ereMd3N@ z94ruZ6WZx93d-k!7Pu*i}#ho;4k?zgXVU+uoYj@w4M<_=shZdtuN~2HBT8UkM zSqb3QQ>vxn7p6 zL8nR>x6P*NtUigKK`T~_MRF|_eXN&O=(4{)1i*gM@!4@?Q?!$V12;^;Y>&D!0NJY@ zQLz5jSQ8PjR8smo+A6Z@rAx1-;!w36r35K_{9-X)*iZT+=0u~0rLzL5>Gf_=BK;Xk zurgJ4aO+xvnU^b-tXHf1DIbn}Fnk2MciM5xbOQyayhv{XrEz72m;JpnITYvZn%`j; zI6PbM`HN`*t7RFPHF_F@ZFu;Ad{LP?a?ir2|Bm-I)yy&P*vsYG$7y9eGQQoW>%d9j zG+QVP{r2=D~TKC0p^AGuw4BBmH$_0l!H_M1;LX2ixJhM#b+ zU=@UC+UM$fH<6}87vi(>Q?Xk&fMI$u58SRZ0mF#YvdQhKY!uYU>19PIDk9(_#RuX0~#V#+6l3(CD8VMg?UoAEH$m7%AT_qZL0U zXRK4-k&jXXO-8z;I>cpvB=_mxPguUaSQgo&9^5#Txo5tg3Uk}D>Yoeb{|lAOe>wKU zqA!&%X20Uu(1N;Z98^KZ(vRP*VKzC$fF<|46@PVLH|RPL#~gS5Vq8DSW&Dlon2g>I zgb#`eT0JsgM)42D>GB;j7*9I;-t@GY;!VyivG(|fdWz2h(6LvOB~o+TO_^WgrSQJy zQ~b9Ry?NumjEFmPbHhV=^;>OWucu8WAIwDa#e|pblHK=w@3;6EIWT8CyzUM^bWE+Q zdFzoitig1imI^Mw#y?L|F_Y1G`qs*e-4*;7Q<~1+s|dENq*jepVJ!BKMOt(*>u9kM zMuIgwq|SaS&Rnb_jpoFVj4Jn}tfdmuigs>%a>2&4D{Jk&u8BKB{s1fvzWI+makKQKCOPh%1bWaU5!Vbdh}&Y`fz~e5sCJ= zWgV%+33YE)jX{APm&{bhCdiM8oY3y4{aZ2RS5!JPhF1zA|27uj2?Oq--6!?porxcL z^nu3Mu@eDw6z}p{zXB}#nXCK5xS;D@Re{Xm_ScPQ zo!PFVn>1TumXy4h^-%n^yUl4cwIaU&;YnyQVVzoz5};3GBSp8!Ef(Oaru?1*XBm?R|Es!Bf2xv=9~rHb z@cm>(le=kAK7IqF#tpP|cl}COHH}|z+=AwK*Z{01N@Z{b*=?7b0eYYTm}2_wga~U5 zSrZ-r=+MY_k#PY!`jJ;HKvDY!7L94}i_O>kOA0#wvP1UK;f+D*pPC^P2uPt}@GC&- zULY!V`YB(`!m4`#pxbg|fX?c*_5PIPBwg`ZH;gnklLq*dh0(wu>PK$?q*Gf_F64jc zsDE!wgpsZQaL8_779VXW>N#j!%!cq`(E&o9W-37N(D;*nSpWP$(0Qw;85{LFLRU0- zN;UvJahY~jSAR$)KLbyFz8tXcROB$7rz4)CBg6L>;L}L zf9$-!@~Hp!dHyXt{Aq}P4_NQL|1R;pKr)-nWI-WAo6YBq6f?=eyG@cdnN(MNivTfX2kt|`VbnU0TyMg|I zJq@JS~B-6bIS&HFsGzy6?DJ- z8hi;ZzeYs*V^ih*&W+>3VUU4-8#IkMl%LypsF=8J3l|Ez;jB$k?3biGW|zEdGrl!5K{Gb0kANd4hhS_ z9MigS&$cFnHX!RK(jG-kpgZr=<-vH$)(!^Y^fPgyddoDf{{Pz|9r(p3Pr|`sCa927|oGU^jNyixTaOwK) zWIek>OZEFPG?gb>HqeMQcSjD(0Sq1n6j&uwHd^+x`OwHZ^?>sEV0{??EpS#q>yrp# z_@XayLdvR46O2|S;9(I#FBS&z|JyZ|e|gx;>NabYBQ>iAbTInS%Z(r>DIBTzwnN7m zv5^8T<%|rVk@Q8*VnMB|FmNVXvQ4NNTy`)t4k?k=IYiNo0CM_mKSDJsCdv62h?Jcd zcTzVvOK9%IcPL+f0owMbrDiim2d-KY(>ok?;aD1cB6PWoVM4nD>r- z@3fpkx5D9T%YY4^Zle9@9nD^eCXk_R(Z=+i<0%QumL%dj-=!-CA|Iw6t(*g^8cY=g zNLl>N74t7!?#P=2+RK9l+kgRE7-`oPu1rJFi16+4(jwyskVoX(xo~P5ox&4nG$Kw#G)@1S;;5ofTS3^-% zFU;LonbT-wPozJsvYw{?_emCi-Zkay;FuE1LiEDVdMso`#wZ)~E_5=l)6z!#{bs`X ze;uH|H^1fbK>7wX@BbbpcH{xRq_%!JcsWq4K$YWE&g`fBHRjU@E#es{Xoy*?*pnuuJsxf%!Kp5B%%v z{^vjbFMks@%L1aQ@we@NG+p2a@{R!TB3;M1fBHR%Lg3uCxP|}QfP{a`i{2>ObRF+9 z32)J0$N)Pjc_d%-pJn_3M*zbl;D$Q+)xZ7H-yCxr%)wI?ewa)}roXrs{!g=4{<1|J zWibfDHU`+vVSUjsknSlucFh078Ngdjfl39T#?=(*1OuSMlR{P-`F;ET*@1K5$QvtA zHxCd}|A%$UBPNwCxagCOKP+p`{htQrFODnFdHbE}Ki5+v<3P-#F*y3Z`=STv4}e;; zFq12BmmIn~?|qm$NhS5wr~1jtJ7Swc)*!p2Ma;8y7-4sFoPtrH7;7)#d(gkrqKn_Q z00Gd9VV)|u_Xb{IlDPY2Z?&7n&3VNzl!V}G*du19e@pl14#Q+cx)KjhR2Bw)Pxhg9Q5nk(pIq=VG`+B%rv^P$@>i82afW7N%F6pFs3 zc`s87U%EG-8%XH77gAp?knb+Y;!9|ZZxwhWS@)&j9(n27%~i$cdpn_2NzAKI7V>WX9wBs@cXL|!V9ED2 z){7o3bDEgFpOb0V&uW;s@R?Cc|KeDqzxVICGjKgvK73>9;R-WN;Hn-#I_~X+G(8Is>jShC;(|i- z^HFQ^W~`!NgWocd2JhWf!S?Z$&wmPrgv)Orit2@Sapu{`fFJp_aKAlFXo@3SaFrPy zfCLBX`7L~e#6~@6r#95*XNEeCHM~O#r|K|(;PIxgB_>wcHgsnZgE7tLoe2K^RTvXW z%7mb(k$dyG$!@k436|8YPwhpGdml51-`(YgkR)>CjQ_8t^=r&QY0p#LpHVm8hd($r zM-yGC2S%>;S_OXBB9Zo8i9{fjka`LSgWF5l6Aq>YVe2sYz0}P~f9u8o!tzf>%%{C2 zZk5>B9qT>HeET3CrWk1M?%2J{ex|&PVVAH+ZCJUmhmQrJ%u?Qum^EYhHCF8aDMm`; zS3;UTs7vKI(;+#X{pw~1Gk1Mz!3y*gFKgO%NeTrOPOfOips!~mqm=38*S{$+-D*3S zI;uX^llRQvc4V@p0Evt&9{{1-MM+pEvDT%^yU_yc1dUN&R|(c zrOc1Fv7t#*v1Q0fxovc9QX^y>9k*C~7xcV>&v~p7%HYe5lzV>PMtZV!1F!5&+{0M1 zEsYDHdB^W^3(IE`f~b$P?sWe}vCNjeKCERsN;fz3bZAPBYD$}B%8+HDUcs3!CnH4| zp1=Rlu(Vr#=cJ>lS6gZa=Q*Hujlg`)1^QJ#^R zk|LO#oE%^d9~$4<+H&}ca%SRoV+aY}kgJ_JFE3 z4!dxNK~A3R@YGlA{^H(nS*y3+O&y(9kX&SB#BCjO{ZG&S$6NfR|Gnj;V}h3(OC=;G zri5WzTNUFq86Kw$exI2k`55M+#D|LfxOfy5eOXl|yV_NPTn%k_0&gQah3v}IUI#eg zMqhrt>+N2Bv`w(HN1T#%?V2dy_VG6wH|CU0o=H6^JVLQZV!8TgETqPzbGOE(mW$1M zE#;!HVBGUKc2ure6=rbKm@Z0T*d+@0!T*lE=sk}s$+C^LJM|K#iSE5uHzJsrzFwPQ zRI|JL@bYA({t4J!aVv9TbWlTJ*Jv0sJ2&t7Yxly~k535%stMZp-Fvok?{uyA2CuiK z-(JD}kymF~BPZ6#uhlg7PuCLVvFu!|D<)ZuQ!?-cjXj;`$IFOSSD#x|)Z!nBe) z5p6<{?MOTlMR6xY`3rG+Fi&mZ>Cw3OxO3)7 zmtPh0bhur~f8U6mu(YUkvl4Zic(8~nYyR9W@Dw51x zed_ikC7bB#x{)If^IV9(pecbe%&Y~<#0iklol@)yISkapQ`_m8BEJH$t&0aw?z#o> z4y7o>P0br`aOs@w#^GEj_uMFF&z|)HcchL2-N?K4_7OQb=ewSBbakuLGWmS}Xfq>L zw*01l0J@-~TjoegQMam76RmZ3Up4ewTaCMQOrY~^N2HqbtuR;Xx&e#qtUhz-%FoRk zGds5DCpLEvK7abMFrOPinD}&48Ke0(-RX*i9Iu+Cr z6ThgRw;jw=PHF_8j`Omz7I|9ff}vYo)?De!Zmm-vAJ2j$P28`*vi?sLkpn`Bs6fn8_UmDd|xe7oCSNhWZ0%9{xu6OaI(N zu`f8#>th7y8b*SbP{Rn921H6Jl2!bX-mP1==5zuA>W{jhohJ!H8={YNXWC;?wqUZw z_TLD2s1;A|wzCn$clrd;mzb|DCtTD-I=zcma4SxuOzoemun&CxgM@aASI_h}3ySv0 zLKe1s^DFC#kAQ^OK_nfp+cUhM4b_ zY8@E;b4XhpU7SmWFlWQ;;zr1;lkUCm{*7GvN}9EyZ%R&ZtyHZUqHQi(_=-C z*^*6o@&MZ&42xQA-yRAOQw-Sds@1l#a-Wd@*?IDXeXrw-B_%B?U)y@TK&fnp^HQaN z{7WVgDWmUvrxQwt!&~FLbSZIS+@&pn6GKO~P{F}H;zdzv&mPB`&sK%latr$-3#*r@ z-^F;Af;Wc-XP<}4UpcD0&{JJ_bt{lf*5t|?tf`ed8E+Vd7ApOq%zo@x&%^ZK%wgku zO@L2$3-oUEpM$H@WWiALS}fY4_Ysun9R{9)yHeVI6@dlb>124*q%3QX~rB47`EnpqG2zG&Fy-;$Wc_ zg?g&p0gA_$jl4^6XX^wf`QRQ?p`uaLX6|(-`L9`dN?U^AnXQ|*iVNG150%_qA7rcaS-cMnJ7l_ThXS4Ey7fsbeR3OD zI3--e>*PXrp`xL?vdF$_@6mhuQGJmr>p!>V`_@kpNuo`iH9=x+A0q1)1*|JnM_|H( z?KO_`9WwDh)@^aSla(I!6={B5BV<{*dBuM@ZU53a^*^5oqaHs{#le8-<2MU>6RW$> zSM;UGXPUu63E6|>2-MLqEYde573V2_GPA@CQ?Bc3HLWlX!#tsQ6nbgwq`IEoazK^>C89{JQ4-^m zYI+MLPaKEHJ}BU2Idmv)J~ML$eDFdc)##2j{;hoQHs`+YC|pFqaERgX8W1EGM-XEw z^0*CeW0)EY;R8UTPPeokCmow*Rs9sP8qmrdI)I0d#BA?-{C>F(ZChY$>G#(2N@Rwo z^5a^M1C)Veh`9&*2MlrsE z`K7VC!DIRb#+p@3^8(r#6H{x8RX>}eGnDVZD6t;l5fL2={n;2zn1^d?ICDKa?D4S; z+kAwX3~c-;>yv=t%1@E8FHc&%K~HfqvT_w?S{wFkk2&t~i#eRelc^D-&9o{#~AY%T8_HxXF6O{?*7Kbo-QHZn?;3-){S)&Jlj~^u%2th|e$B;kkPcWE7dY+1*kM$)>9mCdiE*WA4=5 zpBA|_*dM;9Zn(IHZcTpIqy*>fHT*m!MQM`Uplr^aKE=be;2GfYF!Qub$jcz4&-->M zrEStTii9gPq`GY+09p7#rz~|mh0B!uB`MCuU@7K$P5zF5-UIIDl(*wg`C?!8MX?kH zLV1Q?%go?~&t{2)*Ewou0n@VOO8>PBWA*SCoJ;x~;)X9rwlx5mCDp$FT;IN>H*ZYV zu)_*Q)!HPf5B_V)-j*c311>>7zV^2{-hY)*Bu%BTy$;>=j@jHCLhcnI5I-UzP2#&v zVjDoRF}F<~qN|W*Q+?;f2{TJ-K`R<)O=lgA^D&6%?d&{mcty%CnT3Aa?we(1 zQ0jK|_Gs^DGLU?Ghln>XLA+Bm+F2G-wW>CAaY67qZ+h?*%UBv*t*toW9HdfM<2lc&*Sb5GZa!VjIYfG-ms7PEfJKs>_ny~c4jyWdkH5mK_ z!Is@Hx!LXp;%g~mYdrY@>f=hNv}&lbquZogX%T|4eH||p+#YqbEO;_swT*%YJd&aU z)R&1m?`T}V^#>6{_rSUCWYIvf>l!H#sE(y_qyW`JtL%46SI5flJ(dO4>$uEGkA$D6 zKK*bHrKGOoQQ9GURKK-10Rk@5Ejg-@$wCE)A?|2Idsotx1YvUt?!C~9@t5@TlEbzO z3hL)2`!}0TD}=l=6-Qy51vK8|L=IE#M34=Iu4@cKfj|a~9g=Bdz{Cq>Tre&%E1X9~ z1nlv>dZjz}CSVzXYqSm~Sfg#Dii8<(Tr^A&8E%S-I`R1D$4V&zR60MIBC3~~Rm%4is7w0n_-Oxe`Df`RpKi?rd;@l2k6sX_m6cUWz2r=RBsPKdF7j9_QHqJmhi_byneFze zVs>M5K2q}q*WR@@k|h9VmGLq1V;CF==xF#_B~ZUzAepa`@>-p)So&B0;97k6u=liqAsJX*F6{d6cnWn(eBT@EfU z**YiGv~9L*he23mHdY{ z!)uhrveKKp_AY2=g~`EVtSOOY1VJV?96W#S9g!;O zJYW|K(yo+RNs<)lBhzw9nIGi?&f4Q6zp}}ev0Tt>0%}30j4SB-GnL!O(Bhg0E9bTr zvinLj*L0DR1lTZwBVdr_0DhnOe5X*^pgG{GKelspT!d-!1b)HBAW~$470b`JZR6A} zKD;y8Sp4Oy$ZvF-N6(C+kMpy6FL4BZ`t*rZ+$hU;)7jvsVZy4xfnJ19vJJiR!Kjz| zs;bX2)brsCO(|k3kpU$Mq5kuh$-dY+hpXxlt#pqb=lb;VLjCfCgXSp-tAhwa+^hHP z2d1SFe7pETh4aDC zQNOpQKSCxLim!ebh;b>vM7u8fJ7=RwOvy>^% z0DoKn=^UJ~xX;{i;={8V;cG>&GySk*da!T_%T$)_@lQ?r84ta->U6Pg*xfF|NB9DS zf_mNVb}Ia)oR0Qw z={uCZ(NI4jTylq;n!l(uW8D{=YXwrNg3CflkUeUi)CMpeXedB50I}rEo@LbL<^%u! zg3VnZApD$V8j%-bp%f9^9t&}ID+(2iVrgHS?~|k}glEbCTj<=Q63v(bI?QB{aJoHx zWGtv4Ws9z}ZNKS=7vL_7R_TV!l`|SfOt$j|c8|Lbs~D=*R&@3w*h^W)icXwb*z&H_ z&TP^`N%#?8tb$(gjc8NuwfSZTIP1YHe4m5jXh1K?bdVNDB5>)BJ5v$J0V1esldd7& zLs435;<-)khTp79iUg0M(aDaz*IPH>8*j0ZG;$Rg!%OjJi0Nae#L7O9eaqo{+WW!N zC~mC&xz->%k4aw9`!*Q7xiC_wK}~)Wu{*CLl$OZ2nh7&G`0 zG$XPl+$JvGxpODL#BhIC*45t@`K^&W%3G z;Dv^o58@kMy7|59$>T|>NqQDm(>|(Oci;)qLPb!Ya#SB`tJ;YnKxIAp6}bH-Z9cVm z#(ePgR0f<;>mU(*x6<$@ytcWz%^=sRD8a};wMp0T#=Cqie|!dwX{$7 zOTEznfwPiCA>@hKIh>8ViG{1VwQ^BuS*tHdZxcU%KF^a_MfU)Ao2Xbn!Vtwhe?T9x zF#{lj6H`I>8>9ld1|xNK^;bQql4hyf6$1sI(=#*O!&&elch5@sM`9h}yW1!xpP#kw z-c8sRpi(BsAhyvz3y1YaijR`UT~yIcUb*N`-g<-U5BjdEh`Y-z46I1dRq3j#vSS)* zH<=i4$ZBN{`yz%Xk){|%NY@K>J8;NK-e?~OoP2k#1n6V}phAuxnnCZv@-n8BjuGtYhJO#=#z(`JFoS%D)Qb;--9Xz#}?gO z28@g1EQw%)TchVc)r9Vav9o{Q)Q$Z3IC5c)h)pk{l%|(oZD)%HCRZKcMMxh^-}j0= z?su^m1E{b{{Bdt{2LFt?uJfbsM~0>9+tRD~z+ zn79^>C)}{I4rzklBQoaIc9v2~3H+Y@y$Ttx;&jg*Z0blliS2ex@Gd{_>z4)#x?bm& z$9SxHP;KeH+T!BNAWle!rNqa@oqNp4D%yAQ$PpW(pCuI$nPx#}FWayb{4C8kvZtpj zv2piPP|zNf9{#{WL>O5T4&)RP5W#5inzv?t?(+`^KW9Dj>f2ID4zq%5=$qNy?aR}E zuB1ia_0mT!iWGUUkj)IAre7G75ER^ap6QOcY4WrdrcLpCUxQ*xL==@9hm)_-y-Y_I zy3|Qd21OoS;BhiSxh@18Ja|x+$Sdvh2AhCk;#9|!&0@MMSN>&|h(wPSmrMA0o} zZ*NZ`o9>53yKw4w8qq8jkwrS3ZOgV@v{BcPn4X?HAAMSC zeDVDhz&2hJ+Ct29c6CKhk<^Ka9x^AmmNwm?rpar5+35Xd_sT~$U(umPWIk$Zr60YZ za2d-7l^CXuKEa=^Ir^_HgTE88wCQ5P!}B?#0*~tq^AR)|0x{K(9?@mL!&q6~8JH|M zZLX*H-A&L|_((x%vCBZed=o`4OEU!{e!<@#K6p~P(!E$Vlv?=R-k{P|>mZ8<{e@I- z3-9?n2N@`TRTMvbMu0ilIsMCE-w1X`V)rqzZ!# zfdfW3rl_QJ2Wi9wR_YqxxpO|bW>5_|#4_%#dHHx#nK&g|Ir^F)ox&`cOE%qcwsY3a zPc!AZX>8HArELy{0c&wXe%x3qjaRVN`h;UpuTOjva_0xt zk*V`+e(9^q=VWHi+8&-t!C&6~RkaWK&h}#+<$vqVM=*}3LcgJ!v<-=brZO*qk5&zb zs3Rvnz(#y(K~t&IrK4LYPL6-}9b#WBWMciH71Y{ReWYtrU)ZxBKHW2VQRV4-ekgBo z`|b>+PdXyNZ)sG-I+SY7cj$xG^A|5ZZ);HI73S4EJf3#^C{-&R&!P+5w=V|Kml-m? z?o#*ZiIgDK=(>)-xgj56q(tO0g02PlJ9!4++F~=`)(%&jqso{X9^{)Jdt3?gOck&U zP1i4|y((j#7`$cOF;Qd5A}W^aYt6BJkT>x5qwIGnaOOL8{yiyWf_SV~m#{;w6~_%< zlyWSuFkq~9%^fA z>jd!3-2IEVJr+QvuD)!sS!Bmm%E2+KXFIBu5%j?#m_(W@9D0)vVXBB+mvr@j)WiLd zI4YD1xkH$&ffY44&%KcwZLoVracKhpf!6>y-Y4De{{H@}AbrCJYcAf7 zl#yTaJ~%Eg3bjP_E~)v?Qe90yyt^x(DmHqWOu%Z2$nvRK1)!;H4JPfYPk*uc4?Z@^ zaDWVyA;$bz$%wbf`3{rwm!AGuG-*5Pgm~EbfmPGXK))&`aESn!eVjRBlFB}{ETkak z9f2jPrE}ob?M5HgBT7DPGx_AIFB_nwZCY+}ia8WF4 zoyh90#eQ%*;XT2@Aw_U^vYl$Ff0>q|Z&1}fGxS2F-e6hivQOzwv2Q_VzL9tBtwC)C4vqm6ZZblb$G7YdMBc&; zNix#SGApv@zBLP$McbhjM1_?1+^Gb6#}p_64tX%O4|Gz+1o83?;a0V#k=2_k(~)~w zN=RIF=&)f@N|+TY!mu3WVrrV9ltbMn)#i2JhK1nG6}>HCkJpdezs_8ica^j6^jWDk zL|Rw7M9BAIEB1bS$U$$!@mgDY@wgn}nE>wyHP4rEojj<&XJT4RA&i;UR%_Jc8{TdH zTo2`(Xm6I&?yLJd(fVI{t5d%nDG&;N@Y}>)m5E1Cd(|SA^ag0fve1<)ev%OtS{J8g z2^i+G&NcoBhGDk)x#O>IfJ$w@Qe29$?%*0HI4FUMo3lvp#^z`)Bsjj2tw}3>X#nwjiUWs-5vuDp%K|sJu zmGnQ0)&AB6Tw)Kpfl1zD<5P(lSd(za=76;B>({$-RZg!cN18Hh@Si__9;=bvyW3H0 zI=|?jo16Q6d%wU)udw;);i^D#anX<9Ppq}iH=34*e*7RPGyJ$SvVK91{Btd?<+paf z)kp59CmA%&-f{@QG~qi6BGLo8cRp}vf7JV>ZXPWRc>H$o$P(;hd=Z_~moG8TJ&zuZ z@kj|a<#4GmUgRHzq85Xwt(XSV9ny6~f^V)7s1_}IJ*GR&akwNsDf4rzkfeI446xPZkGhuv&04g*9*u9wYK1=Y!rzg?h)+Au#1r*Ii zJG-1k=jrKbaJYfwhgB;<5t#PbPQu85p#m`4e+G?NT49w2OfV1NaN!XO)f!OtGQ%M zJ%qDxq$se|pgeeOF0Yxb7Utd9Yj9IuqGlHlx&^ADPT!6MH>JxA!Y8ZW`?;4mm$VJ< zg+5_}TvCC^DQO2TWKrPFh3TA;kqd?P9MzR#4Z9oZ8Q+{c8KRCG7Il z-PfnT`i(u=$P?6OWMoWnynFZV%f?38!eXCrO@p`mmoBMVhmE6j?x@MV(u!oZgH2}j z@vt8g{;16GS+1tM3_Hdw!(lkAXQs=)FC^wnMsr!Lh3D$|Sx;Y|HSGe#7rs>~ejdc?l(dj-Qvg?)Fr-*C_*Q3RBhq$fuNZet)Lp?{E6S!z z0G_>>JD`aUDgf^0pVC)X(8kvBN-+vrjT;O%uRK`N_1~)J&dGWE7E9v2MhRk$e)bAj z`q&|Zg*gil1uwZ~A}<$1--vqW?X337XaOC|))_77e&^z9$)ODb;1k)=8%g3>kkRQ% z44wez>bQumE!#aC11u{|hS)q!ID)y&K@*K;KDjvA92y_%?5bHk`4uZ&{k}Kl5~y}~ zb2V(^@b*iiD_XWMPEd(eFc_`IIh-IDNL~ohmv(l(lvhaNJHLV1cxmCEn~kVt*-}{l zW~=p)z{))$`C*-ik&1g`vay#5`oyy3ZwXL9XrXZ7##*`}}8GbajVF531WfPFzU$MXXnG3ccXH1;6Dy3<>#s{h5Xr zJ>&3b<&~z_t!bx+VeyHejXcCP%!7=Y*N;dm1+D0uQgZv+}2f+nfa(>nLYff&W!qS9LYsKvyMgT?_!$8^OZ!@Ir>Z9j)&j6>%cen4{k+F10Sm7}+ zFAad9t1T&IXM%~9DtOGB-tfMoz2?j98Rx;C$=a1=1G(hG zzrI>+4xAnWCG9+B7M9gbMI8>vaOUt*Ftk|2rl$8mEUVZjDZwdd**9p9er#P`9q)cA zvOkml-q(XyUJ^q>c-{S5Hdo&5E@>J@@606_6O>BEjc?ThSjzvy-g`zh*==p34~in7 z6cyv;?J-Ktc}?%DH{^ zyWg|-`|bCP@#yp8{P_NfW3af_Tx+&#UURPN!Ts`6CI)AGNK63`7!FTB*}iG=Pa{_Q z?Ce?1PBjVLvNlC33>bqxi5>d%(GdtkqPcV7i=)riYG zOQnKF+rbUy`Q-rO6fO5uZgn)Oq`bz*r0V-~btd@-LE357nX0~Lqhzr+w-AE;z=LvV z5@&+F8LZ6>)bIX5C)=z2BjZ&5gO3|?j0>vnQ_pg*iI&)&0{Vc<(>*3r7A<$4bL-|k z5<4l*9X%1zQBjM&`!2XB-Bg{@#MJdvZb}UyVXZSu90SIkQXU1 zj6agDv}qI%L+hiYSMBWB5DNfVNe0&}WwjRdh-6-$1=JA42>u#&EM+}_E%0*RC`5iaEhI{~<_>l8$){-~Uc zA=R|pA_bU^<|R8)q6&=1thvrX=emWJpt8xBl_B8u)IuTdYy6kdn6+Fr z&Sd`?FJuC9e_DPL5}JPqyy3Isfns8?FUj+(edcd;M?b02g~a|Oj-Xg&>Y#`4-w-wk zI})oaT(ZM929=TkT2DOCg|BrCjCz$6FZt|SWPp%FJ;r_b_)$U{S?vK=CIQ{gx&%4Z z5(Fj}AczL9PA(K^0ndM0N9RX{gp81qZnIO(N74vJN{WgsrG>cES4V_x9czN7SiEskj0owR5(POM-vMAk}h|gD8$VkeejR- zS2LwrQu+02@67>0MMX^Pxz*QF0~11qAkp*Z&e195Qk77BO-M?52s7|pb+}=o-9h;^ zh@vaz!_5^&MlLxhv2*r9VVuE;GgHxAY0bV3cn{+o8d^{U_r;VLTm1-|T@-Gm7xh?u z$*kz}c4J~x*Y9Y@#^u6%wNxzJhl7z(7=E{4^vbQhCk9VXaAt&rKx+R=4=Kv?P&m9&x^xI z#2)jERD3)MM0e$i5D?DAmVO6X z@{^?muFhP{wBn46DWl_rhRz93-Awb8hA-4uqLVmaU(S@fehDn!N$To^CloG~BBc6$ z9guNrRJNhq9pmAV#k>*t3Dl+vzUSXo6t&3*imVU4tV}^&*21l1>_X0qDPmTn-I5B6 zwoPx;MOIc`zz`rfPS%iF?ky#90556DEeuqoPlt8CXg;S*|L(SV9Kh^ly0aUNMaRKC zjz)C*agUuG@pupF9eDVD|5Dw>i_3y(aouv70M!arxh1wRN7!6Am=J0AjLEwHcK<<{ zOUBd_fe}ZRUp~02-*sMvHF4OE2mF-K0LLlnD?WSx(=;wQSpcvX;&+>;dgy+XnR8nn z?u8DO7)x!5Qc+VctX68rPEPJpx+raY6$AQ5=X#(7bc2C)eIp^(Q}|W#x&9$t{4=6Jt9ZMaO^#K?oS5y1m&g%336@@=Mn*BPs8z$qUA( zjN*#l{J9CMGd?~(J&zIf0RY?~GaHiItAt|Z7Zgl1cC2eg-)+Jk@{hkuPPPGmn{A_} z+^JXObKtyv%J*PfjL-%oIy4H~x3~It7VYfp=7A9k*G6zuUnGBBzypuSvaI`TWdE^3 z$&K$zOT4U-#Zm%qj6iov+CYiZ6&0fU+rwuzfq7oNcG+XiyDuA0j$u=C;_0UYXc(WC zTNFM@mo^MuU1QWUG_=**Fuf72c<}x*1H**ppxUn*Q=ry4P8;C3v9SRo&PmhU`E#B3 zpfldv%Ul3+&Uyi}y{*STUjr8k=NhPe1%J=Z%4&1G0MK9nvf8A==;?ninEsVd z8CMGU^y$-)Tp2_3ll=>?n@Y}o`*n!r-?H@#?e~@BuqIi~3kGk0UF-jqHSsBcSGkP% z38q!Y{cix?U)k@!R(JxmZUU^OONx9Z7k~X){mY*J@Av)dY5nyx|G)D4|DF844^tvS zHSWG|JLPwb=HVCmYGR}9SGdY|6Ec{ZO&@SEo{k?3M)$Zs3>Ua=WxwlJBJ=EJqZjxxlB8=O-^p%53P%+kXC zPfRNcw-gP6Yf80>7!LE z7bo(&HZh=-ACT_L#m2_Q>p;ia#fulePE8prC9kZkR6v)sn${*mBO=73UD%x*U_fyA z1Oyr#uX^KpB1Qmnp?#Zpd^;Sy<`;>N-rV87I3GlzEkWY!H@i7=>*?UFw4)1ZV84zH zQP;a!))__RT_n-DNKO0rqn~mW+D_Qw?TQ%;UBolAIK>0JsjU1$tvU6h+=YJs6zizM z^#+F3YQ&P;tKdlC8PjW7`9hLJFwvhkJQ$JVh@ z$a|eZuY*wTg`RNQWdD}+reedmRoOtuZwpq4-}x~G3=|?IDXBj@JKN*z1d|WuFMeuj ziss12x-Km%Ts87J!h+-Eh#+H-R5m=-2$TT&j#MzxGYJ8h`JiW}_T;xTH28allaswl z=chSPsA*^w@u*;_pK4e2E4kFZYwp~=9TR{oA!y`7IF~!?SoOi7*Q23v#|Vn7gn2q0 z8Mz^6SadN+Mc1Hd|26-f7=%PA$D1#w=IQ1n&`+t)uW%Wlp>d6S14|ViwsQ=xSdF8P zei>Q#r&DAX{<-mvDE6rjF`4=Ke8R#AbuKix$$RDDCoB^K{^KYk6ZD0WLap7P2bxn+ zvTIcUscA2|{qi0=Xki3CRKM4uc|p^?0dX=Qtx(F}*u3|B$-6PbL)9K1-4IEyEnoX7JP_WbKo0$Uzz$(|srO_B%2->uIFw zO?7qc`+h1~qQ66YWYMsd=OPCm|INhC@nj4-@!M}U*N;&=5;Lpo(%^qo||UC8`*Jt zM2{gDEM#kIYrTU3LbMwSX#kZb=a|I~3n6icR%TE zj*dn$ztdwiWIpqxLHKDQulKS8IE@SISq8cX~cw81+8aeZI@pKKJ+ zcQ~A%Pe{mdbcZ&ft=|1osK$9QC$&J1BL1S@Lwq8iRY_9GfMqX@TKK zOGaNHn+5P)MgN)nUhtG@0jjxEiaM#gu#$EZF%`gl(Q@C(c<1uYG#a+=)3jE))j?!k zh@hs8SLVK4Jo(Dpg&c;yBNFsKJmg>f(M^PmsNN~$aft-01JcYZphBde@uNo(U`07O zV%-6?EfT$bVg;Pq8Kce|!(i-g22 z^fLOD(T?I~_6BSLpO%BEWs%-4;9AV`wW*_DZSop3A;sW1VeL;%%STz{adCVVye)di zJ4E5)Y*o$^ar>O~+t5aukV)E`fO6&&Os~o`U{9^=`od>YiF5THx;3B>WKQG5!^4KO z;oRA~Ztl~39W=?Ymk!>|!QG@}wB{v5o?#c-W-v&L4quf%u+n@BF|` zf%{P$acX}P&10=Hu5*bLMpflObf>wF>#FHfk?N1B{ot%nVXao}S0f`Xco;#} zJHZuz-}=(7Mqx1uxZ*~^NfP3a|BG2M_5C80!Q%(CI*D(Lb2ZZypZ2xjA2jJXdc>}3 zml>QvjzS$INcJ-2;=xR0lG#?t>OO=c`4RpXfX$CgSkYBHc{4-`THTYD71A8wuZ?3O9Z;0~u z!S#)e1po?K2I;ljI#!RtNPw=+3sT=42bdk~F}6+4twqe^FcJ$tI@^KOAUR{4WJl~T zl!B}7>779ZP0AQNLN$Osf?)-yNgYESL4?A7bv55yKF!Ec--!B5xv`nn{YNnqoT9Qi z(T1QPiu2)89jhQ;&|Zz;6b0fKo}A^gO{ddu22DfIFGfaCN}lMAn&Bjh#|#^8so?8h zX0G=8K2r297|&Q#JecujNJ)d0^!yGS_2azOoA5Im`T%d9T2`i)(T1x@LELToxeo&$JY*d$SpXh|bdEsS6DBTkwqs@)!*D5VG z-gO=Iblkf^WZaS3T_+n7>onuUv+$3~$=1d11+d?Qj zG5a!PR?``jXzQK!HyE)i>noGVGcpKFf4{c(?rNd1kbr;&ab<*&NwNmXVPc~v3(^EB zMMlwzkS64)Ki1@pt$L36uLevH(IJYGQk^mRNG8N9(!$`59`JGf`=iuA@ks#JPbgJVY-L1jiteaRDjYz zsO7?irOU8Mp7JI(kiUW!)sf#<0;W{|P8{xMr!7wckfT!w+){b-ZQ? z%@_#D6kU58yE&X}&td{3R?VaprEr89TCKtrw%6{dQljz8O_2Yz<NfG0dZBDU5U@EzOs?7U!D95By~S&L*2Bu4vb#D!ULRp|$gKPJr?qt9V_Zq+ZnNA59ORb8M_P=LZu|G6)1hAx` zk@r<#XC=8JMnX($<3&nJg6-LeXldJdztVZ1@tVjKAbw+BE4aTZuhGNb?x`T5t7m04 zI^wJ3F-3|?Lsw^cqDYpk|2(081%dy{|Gn3G^~_12<)X#&=R0A6fq_p-VEi&zdgZhtREyeZm$Oh z1$voMt*0ilXI;i`Y>qY+g?&9%s854hT)g`ers&u=HCOZAbWFMardNYq`WnVZ&)iC& zw!sCI%Dj3Z{JeM%7JO-q-TL_D@!h)hcIL(E47a}f6ZZ17f{;603fmVm^|wSZr;!SN zdG|YlQ=y<3QX%Y02$kIMZ!0~`BQnJ4ts2?IQXgMmo|~OIu@Z7}4bO!>#Ams0O`e~q zk~Nh?s52_H)H~EsK^>n0FwWGQ#G)$@sg4n!o#aNDB3(>IlLZ1maM)bO|3IR=#v{xf zJ4!zHY|9r3{j#i+UD5CQuXoZ%jo#Z266;O8>BT z0jCXq-T_7A;NYNlb!sXL-^~{@uW}T<7*~K;h?}3hXtEu&ascmmgh!ABPR2_~8Fjh* zlts@fM*A9pF)V0CqndUa1-p>9s@qkPXvO9uMAr680J4$6&JTJ|RbOIbxhf`{#jhL1 z4m_7S?2zw-;IuPs5$-7xa_z`_lv_~_)trh*IOwR_x!`-eJ9{Hz_FIE?LZwj3wQm^H zt&NQ&4M&-=6)#Lpw%=0&5S&B&+8tpL;^2u)lixPY??*=z3CgB*Bd4)RseWQWg;^9} z#g!XSUpRk$gc>0HK6vq>00X$lc;Jz`We6$?;PeC2g}nn*Q2P|5-FNra$S{!9=Rg!% zi8z%t1sOHnAy1B?da#RST@j!3bS}ndVL3sSY;FV{{3 z{n1{TK9$b`6D}uqzmKJK-4nTBfCEwFLHc7EsF7V}9kuTCF*b=pM1)LL*6{dG_!--; z+YJQQ{WHYEe00PwlU@Ir^t;iMExDO6)-8|KKXP(%`bh$-H34S9s2mygVvy~{9WgO< zI(N*AtZa~uFGh@r%HC{>lIk;k?TIVaW+3_MyO}Ar?g8owUH5F-SAsi3T$&VC8Pr!9 zt&S&n9So7Wnawr#I$;i@8&Rr!{`wsfe%{Guw(MHzi#qJ={F~fmIwJVTGULeyK|$8 zC@<`a&d!ujpf^Y$7jX{9`x$P|v!$DaL0 z>GQubD0`}x?!DcP8AbXG=4rz$shrF!1x&^O^aigNE-?>Sep_$X*-*Lrz}?++ubl9m z$#Ipi(sOMqR1>Y+LzHp;;NTpd~ z24CHdW45aj7$Kqh;N9;6L{|rP&eXScbVv!KCwB-ba?0;}&j3)`%Ba-CvyqQt;&NOK zE2Rw|hIJEhjS8oaJ`&%*2o0f%!#6ADysl`7uxqbVy_z~Eate$A$Bj!pX^mXE53<&0 z@CWhCW~h!X7H|7-g-nU`Q``J98|l9sxI88K*|Xl0qmFa`Aikh$W$1qw$@x>Ul-16; zB|SqJs7=c+-T!CM`+E-b`?E_|$6;j(bJN0q&nE_-qg!30^UwRoprpL>7Xpj%GwEG=j!wjT^3kz;0H#Sady-WnS zJ{h{Nh}ug&;9CA)m&*G}z~ojdT;h+obougitWGsR9xE&^uIhbJ3pC3*a1aOtAarb2 zy;^z~Xhr|{{=G6#qheKj*Tl|00Q9wTcQOqZ+dr-JPTV+5lE5+D@TB=kl4F+j`EdXK z{f99d&A=0(hy-TB;N7{VdaG_#bq&oGHpa<22C)evYFhI9;#;fV7IsjJZUc$pgsRV6 zT%s@6A0sJ7$MA{h2IzGGC?mlbdG~xxlCpvCN!8d<=}_T>%z%JM zp`6y^AF2{&lL371Pho;t&5tp@2j6V6d|p1oT=xw8Jx`VK5t zm@-4{S-S`?(7pV%_Pn<&UcLoruAO3 zww44}Hy)K1uh>jB7+CHPskl=xac(Ibp1yuvTyJ*v(l)Kk_QOYUI=LNB>X0kNJr1uw z1*{+2wn9YD{P($hKbe5h5~QQVoQMpu(7u2_)L+R^#O733T4~f+A)rIvU(irI=a#Px zp{ZflufZNsX=$9aaJB29{`+@gl((AYF3*a~JGta#++?*45?(Z|y;D)LTmhH@KR!f`I>plGv0 zsS%%PKZ{M&=u^u&!YjZ&wiPeIB)nnX^BKtFmufS|^Yd@nWcOAQV2_a)g3n3Tbs?ek z9i;iN_1h-ho3SFCr#!zLr1T#RU-=9B_|JQO=6#A-Rc0`Fo`yztc8Y`Ba`@)0TW(R6 z`(_Rf4k5-)YHGnwm3@6$2IEE7%x3Y|={U2lhN_45^+qyf?{#*D#0%ZLnIJKWORsZ1 zGRhr6nI;1I!AA#7ZRJtq`rO4S0RcHEnl77!MTSG++dI3mLW6!gpikh(Pp@OOQd3fR z)*z6f@yEQ_r>uN&x=-#eA=}pnVj`lVRN>fp7*1R2N(mC^5>k+rwLYM6PTf6~d6zx8 zVpG-MzlG@bP?no}cv?Fm?WE7x-(&bkXj(gVXW;Yc9~1QbVwDvii+w)MFEKteb3&R= zUB$W<9ravxS={GAPhM(2KgadO=-yJ#w{M`h*i63DZ%z;S%+;IJ`3$ZJwKe*Ds;8oT z2g`c*&bj;W;>yZm+o|?ykD-z9uMg|I%{-ow1{p8+jI@;C6tLbmh4>_B>e}Ms;`q^~ zri*P9y?xVLW8n#78wm+Xa$Ay$LYPLnY;_haE?q(HN!r9b&ZOC=Tz?EQzO1LMsTn=~ z$Q0FWp#M-yt5o{DrlxO=rsjo3L!zp~lEHiEbtx&ciXNZAWdb3wuaBmKU7n?RE5*rg zF4Z36TANi@n$2Z zhu5mQj?4SV$h4Zyy}h@M`=lAB>{*GlH8!H+dQ9<5S(iF3&H2vg6I?LY!Vlh=V~kR* zZ&3sGV>n}LQD@CsgC*fKZO}Q%qKM9yGsnSf<%`Dte#7S?5sz$%hty^<(~Um7ElnjL z@X=_0-bgvKxBraD^YWYl;*76`U0+sZ8&`*uKam3eu3Gs_-^m8ygyo4%-lc^qukM-{ zyDZ;>ayBIo>FfQlxcIas1&Qak`B7f&lkTkPOZI1KY8o;ch_a4o&PHO?$k-mV%pK`C zV>=x{l*wmbTiZ-C@E7tY?l{SvaxhklHb$<|F&rNs7$`BgpFV13Jkc6*s(Xc#hmnMx zyo-WAY;97{cl#4B@M>4LD;*$D6jTZt?A#OOk5;L<)>gY>=r@mu{>Kdp85{4+zs_a( zZ)n6N;f3F^OZ6Z2q{O>^kB{~tJyApVw`^N=3Ew=&hrDZ&5#4fvE)omty~h%q0T3}7 zWJE+h@7Rigs^B;oF|ny0`!rVRNtfm3V-)g)?OH8OiC59_LFDGAH_;DT1qc0JvisgZ zAtbt35iKm>%dX9ITY?|H$Yd59s}jXfJCy^lHCH30gQuK++msV!E*hQFCE$iWui1kk zN>iobrt!~Ok;09KAcGLct>dK@|H~T-f7H;Z{WZJ#A1+$J3gsh^xTe`jDSt*6y?b67 zD7F;kCDB$Jd!S-ul$sVfl@UH$s%2@l(3u;p#Bj}`TB^9OT-a};n@cOi$YXVx%UES( zLNf0569EvY#GRzisKVeG)IlxmH%Py3^cnK9j_OGk><3T2*2@%w>uJwTR6!2Re3B5% zVwku4t!jxSZcs*?|BNqn<(We0lH1_uDD#s>NC!S<>xFj0+MKrHTK!@W(xALDNy&Oq zS$t!Nu|-s6#D1zH#U>`{3SIYDx{`gR)xtL_skP+sI%sqn+MX@2NtmVV%#T^iG|n}b zrBc!YZsrhE1vN0ulY(IIQ|{`vDL%wR|IBOH9ew@J`<^W)(WPY*#*%4OeTjD5-)ge2 z9jq4=o2;E<`J&Q<@&5LxZGcv3^R1NJb<-w~Ci&g3y7VedMurHTr+Sx%gbpnME!lIo zmNml@#issokcLXw*<-=2O>*CW`ycAko|(LC*{pU7Z~ksBM1KjY-9l?E)cNA{U-XLq z$LZzKDQAnEQFmiTAl3wdf!7mOa5!ogGJPGVfDW%GxJ%t>uflkd4rr0Js}yGs zBHwwy@0CI}!zuu5s@xP$f>v%|b4fX9Hj zIsMiRkke`7tITE^TNfxjUxVu^o_zZzFn#08y)Uk_d-NS2byVJB=k42G09qM0%o`nC zdmBz70M|v(#icw-*&&!d*w5qpbEJ}!#c)yyex*7ui0`=zb@J`O(FyZ*209(=?GZ8q z!z@L2dF%#$vQp}8$u9J8oZc1!NlH(bpJ;xbEZ_k0H1Iv{m9hpCCuHhMnGiFp+y^EN z4RY+L@u3P=ojaM4y1da{coL^Gw&-z9?S~N;-|7X-^FkYrbUEmx@q8XDD|UXsCaZpF zA1Dv$lz&sm(!ACY;opy;n1+8N%?7gA+7%~bFdTfhZY70%1F3#BS{>WCq4(-|dP|u3 zGb|#W{e?euudl z6kYe;-?V2>+tszcKjCdQ+-A{>Tq$KPbdZ_R7RRZXA{gxuApLIhqh;w#30w#1TI?dL zRL`_LkHVr~c({gD!$ikgX6frKfn?zWs-tS*Q@| zrfTP5Fv|bAHai(%LX5W;dYtOjN5(jopXmqo+niBy#od3n3>}d6-V>8?TUY-6b<3aO zx$%-Y+Dukr8_C@HW$nNz`aK=6tA%PL@ZlaoxW ztjQ?b!VMO-4}p+fs>8G1L(x|-(>b$Dp8u`XXE;- z(f$8n#~d#OFd$cCJ=d)CUU{qx@e~#nK?yqSTYAelhMlnyrloIrg{^W(`p|~3SAF50 zGy7W!Fj;*{I1m z@KZi#T@F|QwJdgOD|O4}H1FaG{~s5k?@=hZRK~@}^GFHLC?G@84aA8L1+QvLs@oLI z978=Z$MM|t#3&7w#5ymps5cu1EgS6n7=e@PFgz_L9$A{lIerqt{dJ@&%>HDroggm5 zbG#QkQ>XQb-%mgG#384!{IkJG5yaiGpt~TlGGBZ0LqdXw>?LD_kNS4Sv1!1U=rcK*y}oklX7(38c`S*z*e8Zh84YrvZhH=pmQJ? zhv?^XbM#r=)p@FF%RsqmXV>>zt;tm9x1Jhx;ycT+2&vW7okd$Cgv*8nvv zm_sj0cuNYkKDzZ4%t{6tnV>HBYZQh)&Icn3P&6+_LMCSXi4Yk7Lc2)nucU4Nez3Ji zQt zvJl9fANCHbBMbR`(P*@3TuRD96}lYSe>q@1PxFq*bKU3Y1pD~~##%3a7CoDXEsrFMCK{SP_Y3yC_w4Domz4Xz}2whf3#AA)wg_t)%OVzRTZ z(v~DAb6%FhRT|l(N92DM9IOsoE`E=kmi`WId@T0S?qxfS(9Dp@uwjA*gL?93E!}5K z49maO-Z!HxG&6aE%_LDCO}Bd8cqoq=Bq`dYyXS_U7n^BnHSld_jdTec7GCG!QMWUyFBnFEHQKOQVvgTzZJDFu%Zvwkv-=ulWW3rlWbfg{8YPB? zhS8~Gw&T6GL)R5%fe7P!twnIZsZ-kewnaa39jEE($2$!;5F4)D$(5HXx{@}$p6bG7)h{ih3|Hd@`MX%$z~_4G@r`1D1}3|_czKNuhz*VjY7V9iyWwJ^@R z26n$v^ZFqJy`<#Gl*Q7^*>QTW?Tvn!6~L}(nL={2b95MjY+sCR@24)@eT(kiuZ(=EjDWnmn*iUx-w0Rt#QbMP)3#mjPm;^Ypu=My3nr{Hl9g0y6^3 zp5pp=TwS-Ot(z3kj@~tt3v(9`qyi}=dB7krWiDiDYiV^-5Sr#Pr|$dsy!Kh?HWPCk z4{)!rA)IzS7;%~NQ*bPjR?9g3Gbo+2hM*oiIMW{*#{K19mUgsxY;5exWrlZ*%8i?} zCl;A5SykdQw}oj7JQwfpxi=l%TJ+fh+eoe~_$dvRayBjP6r zWto|noK1L05%%`LAhaqZa*F?nj?ND%KJ=rDp6mg!vCA1R1mB9~YfHa2R)`jBojAqa zSW#}fB`M~A$_9I`_!?@xv*(*jWsnV1$6K|YcNy&1o`Q@5fnr&-U4g*r&(yN&*a=nI z1a6XkaK^q<;Y29y-N+>gx!NiKCQ00H4-X^3E5e?NXECl zEvP2%*foqgp9Ei@RE?boZ#*?3XpEe?R_C&oDwjXqbLNqyB{^GOb$2rcQvlnof24+% z{&p7oj?|7r)XVE#F6hVNmgrXd}2_JUEreHZ7e;rKwA7`O# zc}jX$)mrSiy1ssrzz5xp=NcN}PH90wXSpw)54iz4pPrt+8shIO5bxE0X`pVzIz4NP znu_hpROIryu)p^gb;L|<*8+5BlShg@u6CiI$P1ip^MF0;67DN2SkH4O40l}XP7*4V z@gG}3cGiNXqgb zh0v#~vhM5{L=LaM{o39hLZw#(M|A~GZuRX^Q-x3Cqd2o#bStJ(w69s>pDxsCH$56s-9(#aY-XKooOEF*IO0I6x6)IS@ViA9c380Uq!Pk$(_wNU zW2;EOnvIkALa!4o4hw})RzPY1x>rXw3x2Vfxmii<~hrxmZ>l0x%=0gvGXEc zn}s$RvqKe$eIlQ0+pMk6X6Qt7$ShAa7Bvj_YKPGF=|~O7hlt#TvSwu5v9V3d?|75t zJ4*$ttgP%k)QpoDwP)ulOe&(&MLQ9K02GXt9%Qpbj*i|rRt*Z~={mP1q4%KZZpWGM z_cao5Ay(GXFxeivg4{|f*r=glN4|(-dIFGZWo%mR=iHNqbnu)gEFhv<4h!AfJsz!m%(2)>kZ(D^Ha8rt#xKtKVr>Q9;-{229mCYD%`RiU& zAi$XT_GfEqeHoF4E*!1p=H-6uVENWdXuug?>5*;)U8cx74%#a5|)I35$ zeeSr?L-V-(L_P5}^G9jL}}if`0js&)wgm;gP=>Bafk-Opr|bfiSgrW5M?Thb7% zWh;vdh4CHedYq&Kl?#oc&$2GkA@8gAu!kn7nl#Z2?SG`1mw+fPaGRQHh8LkU3xO$D zX~~?K3$V=ic-$fq861{jY@CX&aOL*i3cH7XJ(d1K?DcBw5Beqe!D}-2HIR8$WUdZX zKBVDA6o4>0x}ynh&8nB06clo_$|O1b<|)%m5_0jV!a`fenbWFekT0axvxv^AB%DrL zN0GjPS7nY?G)q1X$mQ$T8fn%gp)!3^ay9F789qu-wEY+6o*kcNoElp!Bc zUD>}5kK97yC-63NHw>%uycJD{e!pPxiB5T3F533?GZS4%0aJ0Y1AHzg$v|I!(yp%@ zfe@ZgzjSVoUfOT9EX~wNALxs`!!;W^r#4-&{E~!VbW8uppvIU=x2%)$4BH zy-{^7tt0@*(IMVt&;>>sht}Vld|_`7JrgGxJ-2!7vB{GgGrkL1*1)W~)0`T;`;}s2 zY4(BknvtTCk~grg;1+jT0k1h+kF#rP@m(+VIsTZOaf33HaIg_2;+F)XzcRT$WtX12QR=s%^Y+~h$$$12@!3%dhgAfA=|eF?CcQH z7h^8g)=7G$MuL>qy^{ln8jQl@x=YfEib52$KG$gF_sXE)XJdx~N_#CIYIYl|YNqJ~ z`@4k`T3fI2-RAUl1WS#_^j%q>UmkqZCpIdy1|8jA(5Uu)CpnV+QgdfAMwU4!IC8vp zkMG)@47DH7lYW2id(FqagcKN!^knm1AmYLEdl}2}cpNU#r!p%kA%RtKKS)=Z4T8w- z&{jNF9xI*sUVD||Yo!?-gFJk>F*nzAd!q2B0nq8wZ+D&dqqG_@kM}A4+_^f4p@~EK z*EU|J&+ZYuu2J>DW=*bLy}Gg6yX+0=P*d1}53ZL<$h0^SXgus7lat}ubcd)NnC8rS z9l3eBvs}5b*pNN3dUC0K4LMnM^8$Trmb{3&pkV&K2NE6atL2^E4{k6Si>{}^bx>hF znWVPiaCg`J%`=r!)er98eLcUx@Blz`Ev;@&e9Wo z|DA7_2S1`F#GhnoMqW@I@zT*p6uQE{wsmyZtdW&lyi5ZenDp$}`r-N(5RkB3Tg^yM zPuN=Odu!0Z-4`EmyXwBu$K%opZ>JX08p4OLFdv#5=R}^Tf1cHTHw377NpsGeMRHXl zkSKb({FmTI?~@h0w+A8&5CtZJ{HG!=V+Yv4rKN2@pe-He`jn2BeJ4)7b4S%aMd|E+ zqguLD=;YKK)-iK<ult&Wxz z4%!c)SgA5q=8p+5%@3DyU%ZTX6AR8B&-?j>LJOKqUqt zI4~?UW^r*b#I*21+2>k`OhsR#!-J6VnAcOP&$u$X-@4dWi~N{-VAq`^!y)5(`$K)y z)@n*TmshM7=D0g;6R=>B%XB4BVkF8e{!6f8_=w5_KbUb*1T(K4EB1Q>-L!*$B~X)1 z)hOV0XmIJtbnL0;88L0TrF7iS85X9<-6rRB(q%3sFV0pN_Qfu-6znSbZ=cBKY_HTT zna^c{q4;8x7R-w@*^bcAm8Brjv6=%Dzmo=o1)Gzttael1>mO(pbOJ1U_o3FMkN8|O zaezBo82GG>ZdK0;!xp14icR-OSTjC=u(N{O;Ydv=+Qm)zo`OI^*3s_?`jqPQ|pVrzi6K`Sa8E$d>EGwAffat9Day zF|qCtW8;W{Mn8R_Cd}tN8_Q0qmZPw=k6QWsyG_Hhiq98P%^u%0#OBz&jL?qg9{3(Z zZ(buy6wA2UM*st_FnuiepyvwRypQsCGDEm|RB32zMZ&z%#(iyVAAu=t+;4(hG`b@T z79Rz9DFT6FTxy)f+pzed(Fwj@K~!#LgI_;H(knDn{fUwO4X^z`QH$M80Rtg*PlF|g z)S!{B?rtgH%hEKh*guMW3zj{Fpq4T{$c8n)yBuSpGKL{LxqVwaJXUdzyC+ZQ8cT5b zy{i+Z8SG-1k9aG@;g^=TBXX7|Q_-q)3&DExxeEV7Go?l`r?)!yex}c#s>mgs&_c9|+XcpI?3k0enUhfk zUb5d+R{Z@_-74b^vs!OE-f{gAFs1SSec1zjee(NF-V4L|TGJRZXNf3QVKxMJEGY=`qlrWFnmI* zT$PiXYRU$pS{e7vcQCEL!JYV#)9v;}bCz&9qb@#e$}`%ern-xFa&>)z*+U~17JJjU z_S66CuiyLLak6vIu-qaLdas^v>6h3<{|10is{yCoTK<9e+%$;1an{s*WevL;6RqTJ z22{HVaMHZ>pLxpFgje{JOP4NXr=;Kcx8MJjFSvD%>}?bE>sYO;&P4h>086eVIflu- z{sm&xfBckNTmcLkFCjt~e)m59TZR?@3;LrK16$OA=Kji_|5pNxhB|NnPllEz|JGHB z=K&EDdvX_5e;=*>7cnHo0W$dbp}+cXT@}xK>Ku%aqShOE_dg!!|0=uxZ;{>N0c4<| zo@M{1&HB4;*R&X*tr)TBRMx=1YssJcd-@QNL2{fTD(LTAwbllxRX5piNJvrroyt&_ z0LVay$G7xvRWav&Ag_k?%iB3#{#~c`uQ%oyALZ3m(}xEptbgaK-!r-BVExm4KLsmI z?vbz>H?pV4%)y#;Pc!Szng91MedoAJmkhpXn+QvnV}Bvd&uxmr2Q(~RvAISUpTNaD z8ZA9~)+s&y$C!qg#D?I^(=tQXIH;wC>s>|2-cv_RNo+;_8~3p7`9{TuoIqH9`R_l?@;N;ZUOD zn&co`(ZT`jM8i?*{t3x)cJXa-pW)mztp7oDx~*dMEoldVNuenX4=rYmoI0~#cDWiV zf0!eJ4}FPf-UHgoodOYYadDjgyAp_~Smf!)t`%E@TgS(KL@^nemAZ>va)F2`Q7Kg?{$5yYx~A0-th_zk8R)e@H5`2SuyrqdpTN0`rLtCz8KMSdXK|$ zd0bOmT5xr-RR}*t`as+k6MT9wcOllcPfa7`P1AFN0^7LV6U*jlmZ9umudNfPlUE4_ zk;wGQbL^Jkd? zc8F^fvlvJ0q~^>~TNW zQh^*%-HB85+(%PsX=z_;97g*0_9`3Fj$~fFQi8kq+-C3$cEhE7S!i$#69OMjtEmOO zO7n#tXWfeIbL@FBKG;67PU1*O z2YZorzCdT%qGaCcrqW3_c4RYeI1u@rM3*l$*C~YSQPfTaA2qd3d+_Q4>D>D<*hRgW=>2ywS8lG{NV_}m>89K zSqfCb5_;=?SBI{B8jh*<`G!fkam=hT)gx~>tTyb^!jSnS)iV2{skBDmpQZ_6MVtat z_W@-p-t;gSs|EETW~Su@)=4 z%Wo_YTwkV+Q`pP4{Z&y*Z8txh;Ch$XtW)3eY!)i)W)c}f;-d!R`8%&T_4xb9FyD@^ zG~YjX?C!P)^uiULyMSVh8h>=~B!@a5KDhe;FeWQ)Of(vYB(TiykAj}}9V1=71khv& zF#f|RY4H0`ncW%iMC+0D!>YlXDceuz%O z<4?G0Zs!4)JK>j|%ASlU6}-hUi!vA{0QIAjWR|^L!`fO01-$__3qVwpR&=vmeDC@6 z{&e)dZ$>7v2_DKGpA#X}sl<`7c{ot|oh=VRc@8xM;|D+x&m;L{Zyd#2Px-7zwnhCJ zNespg;V!uJE6iG>^@8>;PE$hx%@`$bu9Pq-Dq({Ne4`Pa+8X=l`Ot`aE>^b%yr!%I zJG!UX?u$%(m*O~zAYU077CVKOGfr_RzoTA>t!N2Vb*7&WQjrjD7Dl~o`?TNJ>RF&b zXBwE5wAv}&C*lRk7Z}KPp?w~8unOh&$M2EkP7ery^944aI;oUe`?Ww_k=6{%g4UZA zlRu1bCV>e-p2Ze(&3MKz@3vXkz=4ompnjE9=wllOU-?|$-yr~r5`Cmw@;J(UP$Svs z$@PultfVZnLwT~p!1l7L5GzUZj~2I}*-5c=36h4Iyr}0gG_vlP=NWnGbYXi_!#vfT z4gF_u-S4`*8zv*l6I~yt9@@qt;jwl8&9rww z{X0yqYKqdV{6iqXzl}i>C0@itOQ!M)f#~oeZ)1dV_dgEiq~o5ucp)!?>K=G@Xs!GC z40(sT15I|L?eIwR%@?wZSaY}aIeZWQzzpM_HE{?$U)jAm)98QpHnzsTdLo%)y7iuI zkhQ1wmRrR$cf6ciVqE=9eSJ9NyKZzf_&hQX8YC5H-@N@XP!VC&mbdZNdhib ziXfZndC?PpD;t>V$#4ii=~Qix^|nk7AEYv-r04G=aj_c}msX*#+ZBngG@J);FSHi^ zvcS%8*?Qm%v308dGzlTL@cw4UEdR}p`Dnq@OY~#Oib^+yvYOKq11Xk#i%dBngNdoB zY0;0TPYZjAR5qeI;+%E-KD7?OnE?>3r64?oxa#NJvsr`f~A9mDqFM zrW2;Ga<8f=LU5?UwC@qwFNr*aXl`ElFfYqF}o4j$WE&QYIe{*-NGP zvBS>))B<4Sg4N;F-a6!Bc{yk)jRvDX=vDx*ruzo=YSyh=mRV>=f-0rW`dcf5j7J-V zZ(3<>yi{^mbR^B`=NnEW#9c96gK=BGrV)Yhld$SNjLIBpbo8sby5dGimZMp*jm;-Z zG9ssGm`P&sbTSGN8GR2@XsEpuZ%;yz??d`xQdqzqFddj44%Fpg{d|h5NZyEd@dg&5sT3D6>!kBuRuUo=H+mA89=P2vnK^o_mzB&HVULW@ z^Z=vL(8I*?K`UAeyrNxYNL;-o?yGrg}g)m)>DX`O+Bkwy2Pse|(3!!R9nksVlsy5FjLR$0q?=~$8B92!U z!EiL+_$mC@!Nd(I>&<^LkZ0oWbfqk2iU@}~xUrWy8i;v4lw@ij^@NlN+E2eam3&7D zB$yum!8tO3x3 zOkzdMd(N#%2suw)5*Mk;piuy;q#ZiuNkyp0fa~mB2snZB64eI=W7hjuoS;h^{)4zXn+jARkc5|;3U-= zS|I3bF(@Q0ecS?yI5T~XK8v{AEm?^c_4M>CYOGa1I3yj!Mrm(3x+R~VgI@{^VE+nU z)+6Ez9#Nse*a!6qapLvyAGm!aO*v&@Al;Lo-$vk!hW=y-cyF>L~AxPD>ok> z(O*c_A1SXdlS8i{Ukd#2pXH*Aib-6UXLvcLz`-3pM)wae>h+~PgKGj_Ja&cnuAd(GW&8^0niK zVDbm{l4rjLEWcM&?0j{;Iz-8lQuc&D%1Bmc8#LRTX~{D?so>8%2s)PRKdPh9qNPM1 z9iGn0xD*kOZ`!$@5}0Isho!%5OzDFc(t6);E<$d?ZC5)$wiNO^*DSA2V<#KJNlD-U zUxU=%8=2f$6-+Dg7pPE)ZC;=81fZ#%8GlU4s!R85^W!u0SWKH;NIJJ#NC;LEQ6$_N zKiop0WkyL&b{-)M=9jJQyW>R2oz2TomT<2}!nP_7If1tp_w;IMnYf)7;PsP(nLh@+ z{1~at(C1ssba(klCE7!Sn|3S=ox>F_e{J1mQ@>hOhcmSM@fMn&_Q?;5?RxQ{9r}%! z{8UBVW*;XJW=og{_H8~Z96ZL`LeU#dctq5&E;;q=zwr4zoog%G@pV^eC%F zlTGvvkK>((`{nQD%x3Uf{1^}}@#;7;;dj8DEZNqg@u1wB)1{=wa>Dp(F>n4keMUct zNXZ3@wrQ4;4A2uVm)uH_z8(}M2avfTI)F3M&p@wRI=YJ8U;kb00!UA8AO^FszmR@x zm`N=2u1eR>kUUnDTpCtwalUmKWQe$^G~F}E1_iK8kC<)D%ZE1buZCpXTNv$)Uy>&! zGo9{I-S_Ui!%vYZgWDvzBD^8#=HD@Ov#_8#Wg>Hfc@fBK?Cse&wFXVsL~~=fSD=+0KV6x`~*c%v2Pysm}lQ5<iLtQ^M6j#0( zlT;i73qHhmuSxDL9)NSN6xCv1orV#J6J?%&XZkjG=&(k>A$^+h-3@Kn%f}%^e11QX z*~e;O51ai=ro_je?6Gc`k#yvSZrQzg`OCu16-jr>C*iwZ8+6)X30ImZR*|G%Jm_2?6=MYC z1Agd}PF&X<>)PV*%nJtQA2`C^2LIER#lrKO7grG{*)PxiuECuiO z%|UKO`>-9a4H@?QR?WA7lw5bFKW5V2NxAdU%+%M$?q`(wh)dk75q{Pv%^M&G>?Up! z<9wDxxyHFbC46T7cGeBXcf#}XuUNgJ8M26YeT(M_QPGW&7{7(*YZ)xib=)UI(#F2I-vnr=xw&3Cm2xJ z9FxdAbS@E)*T*RD6cUN9#n=Z>P1*TFOMQPenpyx(XbJ-}!r38zq3k2EQ=*~81*CQk z^k?01=V!sXO7J<0Y~%LxPSKS=v}YxC7|ZjqQ5qF90OsDTRP@kWo?CzLsl!o>{xwNhR@3 z?W*8B3D83_5RRb27LY*vE~4B&t~w3_JJBz(h}1;4w?X!M4V|in?s4Y`ilN}`tqr@0 zb%<_w4bp`BRKH|KRomLku^rzpr$u=jfZkYN8~B^s7f)X)7TR1J9gdSbEyd30)mrFL zwPL4JmaspEOt0rJss_W1b$1_6nUhnW&ws?Te#xo}st3ZiE5X;7ccpw)9vwS}N;EZ9 z&k1o3)l}JRFrD=y+GL0%#DU{RB0v1>yrE5OSETj0=lo;4u3;yqnz~MNgWvSldfQVk z>JvVF_U>C(7MA6L?&kk=A)HbgJy}b&9KpRp&dj6*rdCbd5&k`JMD%c40KBz6dr(R^ zs_g8%t)%DT6Cuf^DK;LdyHQxe@eDKYtQW)>L_~}#;qNDOAm53>_YNY&4SOu;cW(eh zo7j8Cr9qxYzE5gzIHNJC@yOo$GfEQI!aCByL!N5^B_2Ri7QASMch|@59k4YW2wRuO z7n87Sw0kE{Prcwzg#p{#aZH`EfZa-=2aY@;nBGuLS#1=cXMR|VEcI}CAtqm+-5sZ= zRJOf-x;!D2*x4#aBd6bH{is)T_7<%n1vmZ@)R-f9TeB zvB&9uSVQM@cOZ9YF9!*qmTvj6vM@!Toj=m#=BPIrci1sRP34x8dk{P=$J{5-=9CAvKRLnAH#&>+qnx5A8wVV^-ED` zD!W@4G|U(Xl>l7JUL=`$Ejn7)Q2vJUkN9TB(v|eE)oBa|ZxX-){x(V>ij?W3A-OZ! zYxT^TY3^D6um+su9|O>se%=q|*9I9LT)c^FlxFO8@uUwS^wq-?-fW$`{cp%T9_TkL zj0`LJT1VJ)z6Xl(jLJ8^M}m8}-m4@H}~S7+Lj6p62gtd(>!s z^KHG4hO`4h%wKD!3^@?I$tE-H8ZgL)6!r&^r3hmLT(~ zRAt9NYS&09ig{6&K~O8SMdTRbdC*V30+iw2egF>4h*pFAh65ZDWNxs<|CqsiJ`WZZ zkQOa?TM59*@J*jb*|+ho`nDkF<#!P0*_VwTdi8nNfdq>&i2{_}IbLA{Q=Y$sYk`1O z2*cVAAnItBnG?f7+;aFV*6^`ybNtD9;5zM!ChY!3BJ1>*m)I8mr=smn3{yR~9r%A} zsjGjR(tn-kqNUZqAnW&PF17`lvbI6fPp6w>`5=fz?Nt0IBq#8aBdQK((^k!IAMt&Xw7?6Dh4knyDZ^nGuWs z8HvujCz8d;#X_MoZB-}9=C02~WH z1IqdTDHRqGRn^f+su1HFC@Q+P??(i`l|I}L)4E)rPDmT|e>uug^*oHmrn7{)fArl^ zD9robtt-y{H}@}jsrH*=^uB(7WajdzAm&P@O10s2!~eZC_}}|O|3{qe%R=lK9{QCk zD7@YfBHYF#vUVL(bk@Z;V_A0M6kVJS(IZ(Dv_GBMcCsxZ=_-(jS&s86L0Qpl(!d_& z$fB(v2yZi_r?BzI9gw56xPu$|DbU=tfbzk%L-RY9jg}rh4MQcQ^m|1Xgw%p0O|0p* zTzew|B&46Xg3>ex4d@GlAP_?}w#&@XTUg{AudK%OLtTXo`{phg@eQ-DH*p=q3H zB{^^Cz(hiH6`e^SgM&V#;Ce4N8v}gi(Ic@V+RvucjHY2T!`nJ2yuR35YJaEAQ+^Aw zlVw}JNX)?*m2S>r#;WGGCRL>ddQgi??o$Iw z1Wz}K;Byv>Kd~Ry^M<}3EWZgAlficBbr#P$7r%4ClcabuvNz?&w&3xRqCPDLvau4wJZorwL;37Ww^qR z!l1Rf!~T>lZIX4-fZLzfO0W#6f^3Qnc_XELgQh&n^9^P4M4FOEP99`Mro3{mh(HfF zW^n?ghO8ue6$kIp)&GimD;8VYj7+By9bwYH7ecHGg}%??24T`$&$GE+cW(+-D((pp$)ht9|7i8}4>iwNQRjMOKa3->5M--bri zK{fiNOd6}{^;(#F(Np^B6~FrCDL2rjtGjG8i*L)&Q0VQJ&@!GNb}OujP%gl%?eWF^ z79^5wjpQ0-c8H2H)k*pL#mJD`Z6NkjnQ1v;Rl1Q9{GzLcz>mE9 zbz1addtAQyedI!sk}DZOeX(GN_cINUA+y2bheJW8rC6Up%fm%jUG4_P(xJucWYn_N zcf7Tg?UeBc%FY38k|pDq>%XPwS6VqMSpz0J) zJ?gu!6Ss$=wC9H^;$09VxU;G;?XxbeD=EbfC?Z5SOVWRkGI5HZr9mvU=;b+wNrr#f}^vDk#-DIq8~L6Xu*P zX8TFmWbeOhc^7Db4Bp^pnc}yo`2IKUR2Dbs^-^41|Lgf=4S(bD=UcbeHrCIGaxIPi zseBe+vs*B!GJ(wQ2Sm&}5xK*Zvb?+$#iRG##5S2`5 zjQYG|7+FnRX#;yf=WZR~sW@&yo$4QM9}kRJuU{i8;b=b14w+qE{;|g*Az^&O zm`vu%-E=^I=IyH`A4=6&a?(JR?oVDmdAPI%xYiIsgzB-FO-F?3t}8nzCtDGBF;@02ff21cT~E9$EogQl;fxsX5QPhz%s* z$rjHLFd*-tWT;+HNuC$xIAJ8>O8^`pWz*TXEWdGm#e0YP-Q|f}Nr^Piu0mIuIpJD~ zD`?qV|Iq{50DJ-`B;TxkbfaAUkE)=wB;T>}Ghzl2^qXyLr5qSZC#a{+#J5`iohGnt z7QMjR<2XGcm@w}ZIU57NUz5_~GeSnC=L!W5B+4_o=Zf85Jl9s)!_s?PiRH|!f5F$q zMKfOol}<}2Z`#D3Ef-b&f9JGI{IR*fb*Tb2GIBGsxb&N*s>|GCq|MGsTWj}YfQCcC zVv2G%|0xqMg)D6L`OTC8$JANzfHZ52nw=xwMby@mC{RDO#icuMl%BY#fM2-yGzmRdvrezI4Tyzl7+cwi??P>GfbXlX zX(?Gt@bF}V*N9{(g!o4d>cBFd3S8T-#TOI^VU4ZdnPU?Zyxhn=8vU2DUU|m=_qH^YVQv9RT;R-FbHx# zUNbyOe5%P%sg%1ulke7NmAKzlcyE3A{&?EYV<4Wx>{hCk1BQ?|^_6BYaFC9>ULV)h zMM@n#`>vx(a#HzWm&6wEII8cBino1)1D_$pYUYF@Ud_PyeLVWS)M+nQK{8SZbWN~E zHmTN@+KrR$n#cQLbj@Wv6uCJxATXS9%xZeTKHkNLm4W zbg5?OR~5T86Uo6{!$ke6$J{@sN`+DM&24N^h+WX{glQ53OS;O5pbDvq28(9niS0*i z9Xp@e1^I8>@inuIJ+^@{?*^HEA)b)CXG}5D_}$Uo(v=VfjokCV*X?eun`Skr2p^2N zU2!ymQs!#fq-M9Z2XFl;aMSi%Je+a2gIM-`K86gY=J*g z2n^Tj{+issEFSDX2|ZKuYe6fQ()VeLwL){4r94&p<8-0Qn$RZUhYNBihXq&J5N=N59zThNywbw!0Qa%DM$~oj4NTg67R{3MbDjDhMzI~hg=@ylg zq$3f0&}ho=d^wv3*QG&Vq%X@B3k~vI2;ANYJ&m%j>T8MrBm8_txoC`RID234<(?RX7M6 zjUpqdA+^K6c0R-N;kPu@U;J%!?eaV#8L43464G=%SAb27N8i+lt2~LjP?U;k%cl_= z(cpU8{ibL`eZ6uUFy8<%C!KDxQ6NDs1BqfTEb-~eN6sse9)7W+2eHq_BT4OZQ7yh*SPlj}LkxnaX5StQ>XY?MiL(44a%%rF(<8GLV(;4zciD6zH17jnFS-%3OudjyD+s&njV0s1**sfRAbi%IO+*$nt)b7dLq0D*! zL;8H+$M}+(T?8@o1>`K&01Y&BgDsv~(`&|)gvwQXAtTlV4z}WnoMk1Yf|Cfvd0$Kl zWZsufYysF50)MlOhGuBlRux8T!2g!C3DjaMe&`nE!e-E@@4jm?8s=NvY!b54EkY~A zUlb)23M*UkTPcQk5{Xg`Tk+X}3*JN+{kPN?jS+|Hn{~t{VY@#aeQ`+cuy@qL!cs{7 z$VOsMPF7izuB_>pcdP?+fgyV_hf4OtY1&U&*jckCjp?Kd?4fM@c&yIGIp79hT#kx> zE#12m|NIYump|nxiF81%BpD)&@eeXOn$)n9{*q!Gy}eynSg1I;tM(hMCNeTG!EjxO z>Ioh5w|j@V%GR!>y`J6OR@Ap{eZ1bcY!w=&Ym`hPr!Ur<{)_bT7n-r%dy%NzGoL3` z9}r%c8u!->e=F;h>UDm=2CpuqUMr=0c#AX>)X6&nPK1zAF*|I>YKW&U+A5lh#*Zx7 zJE3_~3z}bByu>7*j}be$BJtTA@j`{vu`-oq@{>gqlDqc)Szl>ZWc5@T0F%PClA4us zz=85#L(6RQw0(!ld~TE_p`d5xHQWxp*~a3ymSLO6U#c_Fm0UfTyk z-V7>VfqIT5JW0gwZKf@I^sND4M9F-_R6=(&HLg$c@K;n%EWVj~DmB9c{G@$tI)>zN zAW>wXZ3x#QLzU@xSR;e7Tf8xbMKsZN&m}HPJYPW{|eqva*u^y?$p#?ZTY&bw|A||;=mL*wI~3vRCHsT zX@~kG#Za%AkS!C~ufgxlD#rh;f2vJikpV!IQNSga&Sjt+Yoe(4UsIlTI=bH41P=OOWLmWf5&`x-vMcVZ6v>W ztLN4tn7wC2YZWo>`Ma^!-0Qr>b1i8eo1N5%M4}tP-L!cS(rfy6^bred_u7B49c9O* z889MPmHg6kWAg_Zxy#XR_RdKwUmHQhibziB{iwdEYaOYimLt=3ip_(Ji7@#_t=JZ@ zq*};j82ND8)R0Ke9nC3Pu?KnKAqOYg=>qvb)8)^ODB_0oG;T%a)8yp}uQb#~-FAU%Xh`-dl06P+i!k4bm&+bFAIp?=IN?LLLjHtMpKK!=&r@8QrzLDH z+y!)x(nXL?X89tM+4wIW>A{nCw00S^edm+ynMiQS=>e^Twe3hSJ|~V?Q;rT{jc8Mp zw~SumVxK1HS!PuRnx}uGv5joZb_s2kD>FTq?|w}P3U(=cd%BJ$q8T8=cgn6V&t#zP zZR0_PCRSK$SZ>o`L&OCTMcgatuK)xR)#Y-~2z0e2iJX{oY3k{No`%VIc_Nn{4@cf$=y29>%xXau&r!~@R@ z8)iQi!$*vzrh^5g-HOQqn62J=)wJR;ra~ef{kLWKH`AdV(c!`ke!ql1FAN&9w}yJ% zi&NtF&h6r0HK3(sPKm?>oDpVGy@vHcLuIK?QXOx$t?8ijX{s1W{%M5NnEf}@{lRWx zB4rs2hTGMMXfxO>`AEbdHzdDuv5cwcx7am%iE1<);*yk`CaUR`&VTYss~V>G2L1my+Se&jooQ}>#%Sd>so1S*j58Qj|* zYR`6px5;AfvE9=Tn9H^n~M=V1~hn3m;Vv*~<@ zS+UK=8E1Io40S^U800+VB8gs$ELQY+;!zUEv|@jj+z@|u@b=BUJ0*ZcRTU8Sa;cMg zI`Z$K(sf{ykQ2=Q^TkrA0B31QwholGo&xoYq<`W4x?OD* zaz~;k4qawP?sd3#t&iTf|;OY1F-Zeug^YQU!NTcUd0yaB?%#-*V`*hP)4XNA4R z3^5YaHoqG@f}0r=drCYOHO0=y;~fhi^KCowICL7xEKL8KgoG@2d@17IGd{?x?tsh! zx{S6To4XB{o3&AKaoa?FAX2Nn%Oke<_(e>SiD?ESm$jHp*h9u$0EjYoM9d4yJ z+xy$jb35ECdviC*VUAdBq8Rx#qytONN@B$`2TfXxOIS1oY4ce&KS&arh$1y3CH?eE zKbW%PGq%0v{q@xSs2`Pxw2P*^KMb%2uG<}!Y zw9)RnY=ag%o7=h`9)5j59>|@Zfn)m z=^f|X1%a5JX!Cl5*fWgEM$Y&1>UJ!Coyh+4N-Y)_~=zImnm zMI^8UlUw5fqhMA!JyUgnv#%LS%-%IF(k2Up6SlA)iQ;J4S{5N;try>6E&Tl4md3QK zI{@JQ5S8wt&9MkUPYtdz{MR@ZMuyhlKJ7v)^n{TDKC21Ewh zy0ShUjWVWWbGmy?tSK-#@=G(hiAQR50C?b_kez>X3G_#2Rb+0N^37x0B8mLxa`E%i zHDER)F-{MA4#;HAErdFab z0i?W_lp;z9iV}l<mMaFc0)G85-zCR=hSxOiiI(_ZfYq zb?6tgeCc}Z7sUXIo&|MlLX7&I0GubpWpM<)+sbdS_t2y~X3s2q73nhgZ94T8`vTRT z)1n+>gMy0cKn6`c}R9v4Rr%q(2BHFi>*BBQ=L+u<)Z9%84t2yJwWu;sFA z0k|EJC?SFC0JT`HTb4TRnS6bA|Ba^jZ(R!T5Se!l5l-i7PF7c67pFCe?bV@7u@+5( zPoF-$6nOB6el~!CrE=yb)Z5IHze-YSX>ZM5G0|`Bd+4{&i=I#qISB~~?OF?2{gJ7< z#!vp9hTnM@$d3DWIua7E8>{k)9-#bObBm z-e#kbGj;XeYB>#NjG^#f=WTgqCt}hj-zn$0_LZ zbhK{^4!My$O+)I3o9}6WB?hsLo{$9_So*oIe9Kqp9$M%=DNl0BO>Vohd}u#%bh%y$ zfcJFJZ!GA7Fz}JqRXfotAVIk)6cy6rgn)%qQ+^Auyd0aN&1$c|oSi6f)gkKP(14EP z9w{kt9CW3&pI_DZG9x{*9CEPCtQ%Q3t|i^M>Ge&K!=$g;ZZ-ulWOQGsTBgPUi}X6l zA{eeCg@~qtgTt7BZl(l)KZC7Zl-i>%^^fmws;*|yN!-B8k{EzM1@w*|o{s+22Ga!d zwCNw0VanGfPN&%X&pNPI9n(2sK4GBar?P9^BA-w%5e`A#UBNPhsQO1~;r$`ur zL~==fIj#m6#_6pO8U|MkB6$tx_+gINBdL|kwoQj%iQOi)wS$?QB5)UB`3U6k`LEQP zxOXXVXZe~QUmDXG<>t045$I31A0hVYKM%&U4ICC3i$9_%a-^P3`AXT&-3*CQf9H_P z<0>gE$zr1KSv3v#_=@h?35+|y?$gb{T^k;uYr?_DY23dTIcw+bxTT%fR3S-CCG3W* z=DFWr<=H_r%^b>UQmO5Y&1Hk%m+Xjyi9=q^0@j_nP&>8k&qb-N4zah#p_4Kfr0&hI z5oX?olRkp+*hq(t1{mQyrQtg;pz5RSHMoCzJ8fP)!rT|6P8bY!lpo<|f>lmWIA?|) zj3F*EXm zW$1n>C}bWV$&O<9UA3sBsbuSt_w_#_^Fd;dv z4%%>+KEKW6G&4r(Maczq~O_7Wt!1)yCM*t1Kw?Ns+QqeluT%jCptDvz4+XJFm(K)o74&I-;6*yn4^z; z6E6)$EB7?L+BGy{YYgBz4X2-8*>kDbRe%jD-oeTW>2ghw8(ZmVOSzP4`_?*tvPTe?d3AStRKEFrld0IpG+~K_HyQxwWwp zQ;zY;nWu2LjKLETDK5k4=!VRY4R9S-CmtzA|qKW-|myW#n|N6VLBu> zV}GAPnsxu~zHH5kHGHaSfQOqyhV8e*Wn6|cEghX_v6DbUU6B%LOmv0Q{9Cm(E;)RH zj%nchX>G>kLk@m1OEsUJB*(*d;W-#S2lK$C?1n3L7-0`|*kZ;$t+#QxY)R0=EJBif zYA#2Yeh^id-ul$frKGvnH#G#h_4v?`Aq$eLIk-b)kK|-z*&h;k@C`0@DL58J5k|yg zR|j6M!6ARibyLY1u>RMN`twr>io{CXakU(iBvZv! zYZe1)DH>iu?b_tkqxYGvl53yI{`%ND#epvqvSHJLBm*@y`a%JYj5dz(sf-u8-7PaN zG|pxmWt{XN`C0m1<8i5Nax%yi)Ty`Ye*TO4p(hVt`K4)q#hqU%fBK4f{LFnj2lm@R zV^jGC+$W+ntJe16#Zjcl?pj?n*3`jmwjid><(0ldw9iCzDBa%N7mXV>=LZxAvpp{b zUUHT|7wS}kk*M}}E+qXsOHcz0sO9uUt1_FIhWlPqft{?rOpp3snmj^$Q}G6mjIT|< zA8>kSY>Ank6MEWC=oGtIu-s*)OMCWiHi%k*z{Du{o#B{Tjb8Y5hwt!WA}qtbGBUX? zzr?!TfJUgbW!a{$a;CwXsnkW`Q%IhH?-DYnfeuUO*C2FyVo z(!KEDIw*o}(8toP?%)8E#DKP&=RLmcE)gm2C&=gwXqx2N1WM1~*%D-|A^@L;5apeh-=o;nzpo0F$Q>K6!F?~;VL>>&<{fc9 zS&I{9aa(xM<9jdvY+;i}*=lHA#=@X?Y^b z4%@Yg?Td>#R`90pIf7+-CE0Y5+*{{vPwD=F7u_TBus&tStuJq{FN+K8ZWO&1XmKK$m~up@ zcj@|0Y)8_~n3Zpxgzk6PHMy5?IND7BM=CE?az~7(9;I$;ZCHY_d&cTFz79Cm@a3*m zY_#uWft$;(THmjj2p$}|9Os9`h{%-WrmtP%T2epqi8__PyF6cU_8$osB*@*sd>1|n z8qoW5B=;F(x9~gWc+G-uw9+7JD!LL=Y=wF^=l$WU?lUxr$$Byvw`$02PDu_WaWP-_ z^2OM{{WE_yIXPkmh?=aW39bhji8q^@NIArW zTHZNEwk>$I%*f6nOmTICq5klc&~@D2jlgtdhxXZLxm+58E5A?n#Do2a`Jv)|{8za1 zC@!jvGo3Ey%C*bhHFcBSjbrOQkBI2xz|zvs{O=YjD$1+G8T|qQ4dAiE;}Em6ELTSq zSNfRgDZV+x=}g)}vxoWIoIIFH3Lsy=131SvAem5s{sj0>3P$5fazm0ClEV~1tDqpW zkmG?X!1eZAl6y)nhUZ%P5ceSb$jVZoZVX zG1aSJ&lqi}pWS*x3uv<@=f{QO4^E`OdJUGMJ(aDYZc;q3@t?inIJ|b6&a=B?cfpfF zi~rlS^8elXa_{~1c~Vl+X&el|?0WUvez&yr*&9{WuSU9O`tw9ZfY@}ocO|@!p1sI| z{aM}jv+cZj-O+_>FK!X_Evt|SM7;_jknhKm+@FCgG661l?TXn|UmHYsW{^fR79SMc zGEb#fpKD+<%#qRoT5UFmUg7yg*<%g52Guoc%U`+_sgW1?tCwnh^18vcG9b&j%f>Hb zob=EJ5}lco=P`l!vgKku8w@C>o|Nd(JD-Z45FAVF_FEwJiHm%oZg?BAooY2b#a(1_ z<`v{QM|#bf`p;U3kKuO4BW9j6d;He({c$;Q&N%ZNJHxW+m0rQ`u@gyu*r)Uur*8k{ z_(kti5YJicp1(2(`P*4iMp zrUB%m{p-)~Rwdb5tgN@79Mq4ccJ6EQPvb5?PpvNTHf;*$iwF>Y5LXrIr+1WhYrrWe z^t#LJus`ja>0ou(L_ki;A)~73h7k-A`#c=z)H8G}X$>Hq`NZu47o&+qU*%bJWtbU5K-oYt_&&)QX94^-9EOmH`*UT}9H zL2~4#Zny88Kv5D}FYJ4=ol2pMC(-s3Bmbbc8)y%%uh zrqa!K)<5j=;mu+jZVeSznpL-nEBYt*9ou5|{+#hM?)|w%5~v&ahZ@bD3bP+5 zJ!{4hICH%)wT082(w|vn<>;pUwg|y7M4@iQ^4cYAN?O>_&$Cl6CFg$TI~bEfFv@)E ziF0!GAnBWEkttXK(LhkrB0we8(j%aW^F_kH{Wu?92@oxeJ8aY9e{xbg9tZ=++2+MR zA9r5rJY0|azANEGMe}fX$ImNOB~qCy%i}-3R2*j|F@22o(&6A|GagU+lf9Umk&~El zuIZ3Pw5c=-3`>u)q6OwVpUe$>#y#FB<}zIK8k3#mJ16ZC6&2w`NJ1l5pjBG`?>pUp zekD^qqCxOunSBP)>vt-0e|BV_Q87|))!d-lBuu1d%1%7_yDA`>@k+@f<=bj8e&=Lx zA?srP`E`BSXR-fagZ-a>`!j|5=}e2Amdx$=zpkS>1RUgnKJ>J?-%>Ew&Ng+j9hKhx z9pqFdl9;86p);nDV$X8*#Z<9No652;P8k2UZ|A>?{9pa60V9zx00{{RGJLii^j780 zO&X%*WUYOGG!rc??Oh^I>7N@d|JOZ*>Ho*#jj&*iD+c~Ozp-0VDG!*n%cH? zw^R`k6#)ThBCrJorAh}8>7XLLia_YSha#dPN>O?TrAhBKgkGeDPJoaA(n|<60YbuC zo_Ak4XW#qo-tP0~;}3oT7HiEp#++k~ImYaN` z{+C++PyfJiE#%u121_O~u_E~wFTQx$vPCNcM5kh#FWgQ3>e&918D6F!dA>yx8rv%H z?@^Uw5MWYL&u)0U`8Ny>(7_81`Ev1#S|pHP)yF^2x%`;?Jl2`$F>vMI)3p6f$Zu_^ zdk?6#NPgk4^G6A_t}p`j=6LA7^80@t_b<*K(C*V0<+T4ix?*{bn?jFAvCY3%I;CnH zi1n%TPtYH<^PPXwB7f4HXk}~_r$OV@KMWOKXzAGE{H2Lqegtf)%h!4SXXpCzWb$Wp zi??|Ao~;ZhU@t~Et|%@~T{iFvc{63J8u78>1kKJCyPiC)JNNh-YhIijclcX;Nmq}g zb66vDKWF&@+0B<%Z^_oR&tP^l{F9ltrd)ekFa6J3|5d^8l`n@v@88esGc-!+?CLTs zd;k7C6AMd~8L+K*czG3xIgY~dqd==#pqG=ynOk2f-|bmei*rpUi%5vx zjZ9|)oxY%LBGzPA4xZ+tF{q={7cK%8XKweOK1+({Q<^S_$xOa;WkpuQX(WQ{8IbEQ3gs|+FWumHE@16kXu#{yK9rrt!k){Cv8+?YH!@QTvA0w z@5F-Y(6NxoM8?#vl2hiMP2yqqNY6Vy4q5+f#)Pitrt*Vu^KcJcIF9l{O-F?F-RJzP z%Lmx9tvrnHrYL8Gs<79D;lAp(d1`1q$ETmK>}~WC z&M88PY~*<R_T;+YA8W(p9@Ipo>Cs)h{nWNsn-=QLE zX=$k`Du!O9rTs_|&BgUB7_%Mo8!0J4U7&+x z;dZ%;a)t>6zEI_{+-3N60d?reh^bbKYmkf7)+$?f4!{)z0*n8LV-?8ak*9fz3SK7$f9>Zc1dRJif(X-yCpdTvKErP5UDa2}8 zm*gP>8W%rOAZqMgJf9_K(BK?5UarjlinnC3Pvtmmff*l<^Yrvo0fQlH(=;sT6O~ zPs(KO${_20SZHZQjl4MM`AccD(`QMe^vM)HM;5F;zkxX#WliK-tlD@9i~ z-ZNr@bvVQ4Cby_ zse7w_zLj&UzjN)IuViCRRdX*$|Eos1tfW|XikMS7UWYCg)_80!1-$3p9MpNK_~?AJ zUaE4x9@W{|sb+F|Dv@&U61Ij{TwJ@4&)ZnH9buH3Tk$2Rt%Lf&wfcka*Mi5TPBu1= zA8W+#cBO#9M%D&Jsg(Bq0v`K&x!-&tIk~y&+CFt6;-V@pE<5)AR4Y|%^rFF1%;K4x zf%WZ{gV0kT&v1x5UmcKktT9d42!IAfrwsMDr<9fv>QnWsXmh>5@3;|f{AclYIB0UVL|v;-5@V^e`&7KNhywug<}WBEU)Z{V3UEqdms?K$ z(Gwmv;)KXAndD97Ejpx@|Nk7XvkDX5r`N4KTOAn^nD ze#xyWe-?6=Ws8Q~@ifSG*i4UqyD@*Ay>gSi5iz*9I~6(!ZlcmzSzbQY7`xCy1`brY zPIYsq6KDQeg>GdG+vRfhI}`cwGru26I-E0RC8wXcM!oT+CTC04GQEEA-*!e^nmF#` zNVBjJXuP*^=v{G#4-z9|SH{XO5VGSUY;|790oA%2~!b8Ti9OXD4OfxCZD=97);sT9MdecOPBhW(I*gj*G4A5W$pQ^Htxzh>B z?sn?vWv!Z4X}#=_!SPM*h?@l|RaUO@SJ`K6iJxIVlJ`&1iIgA0<&J4#Vp@SmrL&Cy z77@Kq?87y?yltGNJ39_0bi{;k;`X9th;dtTuHR);n@@juGz6?S4OPo?0ijc#Q>K?B z756KB!o;T_2r~IPhKqcEi@1xum5GaIi}tQ$UhM&a2EO|T2J0=JPW4o#%w@6%AC~9v`UUS# zBZhJR;oLUx9$%D;*r!Wu=$P)d3a%1v8h=G}4&2?Gi*ek~Vv_Q-E7N%@afXn`P{9iY z``3qLYeD3J!DwZ7VU|UETD5^>CR0Ml63^5#E$Fx)rhXunXe z+@0SyFx9>ZMYf#b0b@bHTi*DkV2nYye5ab;4Bw{hJ-9P7g=?6%vd0U!-RyW$=KtWZ8ywiVE1yRzC7P zhgJqw*0m&H*4LBw;z2Eq94fi^%hv4+bHEQV%^042$qM}Ey4g&9Nw z#p;bONc+OFsZbccf9@oTexBxlY2xicBW|>Rt~S988@_X4woCb)xvritV zYRP%Dv3TfRW>LUQ`^5}=LWfry^m(zMT{a=fhJ>jNMMI-MLdyq4hGX2af7V;3+JV9(1bi8$J$#PR+Yaql4eB;O^v-I;kyzOlYYCPVVb&8 z6*ll`ZxNNXQe5y5@gz|3#0XKGv2Gm(_EBv zK{Nb?uKom}$ccs^B`kKITRgQfr(gIElr&rKK{bc4A)D~TiA7c2OV@pHjf z4uOu&(& zn(@XE%~XdNwlOs$AnEwr2`4)s&woDHFI)8_tos)HIfHCP*&~suA~aPMyEqHPO5}U3 z&7kPvprEswg7*h{l3JWOKW$4Owl+dr3*f|_bvVwu)u|dmC90hwUmJ{XfBs{_DNVY1 zY`Rv!V?pcVtldUJB750YQ*#9D^kRY2ZU%lrnhhPCyQ&PQsjD?w1&KDxv6~eNbK;LZ zzG-Q*PAzzpD%Kd6?9-)hL2=rbYQq}+KoT@u4sQ=uRw&lDH)6iDol_O2bsY|qURoJE zll|TYOHgJ5o50eD1BNaY=K@>bm~|ZbJOn92JiWY9KFnOnlXNXz7Y=SK6l^+*@o*VV z_80sH_2@q#6n`-*St-Jm<))yjT8N`{kJ#5<)M0D&ic%c)^}_%!R{h1(imh2)o3~)J zb^Ec*4cO44c3Rw<&f__C``paf6o*7>clW-N$fr%v&ehXnu%0>8>UGP>W%~V3SN2^p zU$=iHZ(-l^`e4$+={#;y#VdFsyI_}?G=6Lk8@YXw3~gN78+i1Okk4QJ)~?!$XWUt+ z)_+khXcQ@qAYR&XvSS$|vFOd8}EZ>m(I6FNH74ADMcO6LeM! zu`d%Y_(CidcBGZ|+A{<{=^kh%{>VJ*z3|&+XI{5|gJ1UJpq=bYgL51-N47_sgK|We zp)%!m^1QqC1e=3V?zCB!g^T60n6;o8^j2bM* zkeOakM&0XdNo~>!_TYnm`1pp^*-*_=xJeBFFaAJP znbFx>!6zLou%~knWBwuNj%dNRV)wjb+O?Jte=vlb-+?%%6Bd1g`uf&{eg6nfaoV2< zgp#oszWJlA9GnL`(~Y-W9=1?s;Z~j`a12 z<}>JVH2HKHa|=lFhz%FMkkE`??ZC~MmAfPg`14=t>Go5!z`mA|L4KX^LVJII<9upt zV$x)LH08`F=!+k>GkQ8wdcAlN)O<8Rb+}P4M&pZY^a~8?JT+I8CZcDj$6&Wgyffm_ zCEx9b9t54fk+CIz5789;9y#nR0>k9%70bA{_+#Esg?jrneaW%taqEA+PIGOeCK3Lj zGLk3BUcBT7gaJLiEXh0W;DP}GRXI3ZL0=zwl94KM11e(dg=l7okxB<@u7D zWSTUrzVSyBMN|UUwTfi;mX-Ej1cF{W$n$d`N)TSMlK8N#-cjLs8Ev=w%{@8Pej4AW zowtc1O?KiqPapQ8Kxr&i&pl|%t79FBu8rBRN^X|h-mknXG$X?&tkZnXG&4Df>tyGh zw%oC+!Z$c{3S`rav`lal9DlNc3Bs2F&i4%bRlfO8ml)Z{l^0WlJdj@YKsuN$%&*5O*8mI=kvN>2D5HU;gVjH!KPB@RRA zbIk5_h%Pkp7n>SX@1V*)vPo_c&|h?OkU;ALuNn(i?@@e1bcCkSy-ccKTZRv)?`V8` zvyUnrX^u}wP@5%OPNSgS*w`R(mJkveO?IaA8597a}pxTilQG$EUpOJddr z?vbu)cp;(qmAY&NcbbdQ(O^Z1j*gBW_uI-ubS9o6c9pfhBZ7&cqK;=S`hIU^eiwK4 zRh)u7Y6+oUg{eHwbNS}sDN>F3jEvWl%}6^au`G_ikT_O|@&3NsXXy~X^yav=9%8xa zexmjvnx5u7Z>L{q;OD%`ugD*oT~lF5ktUYk9gA`Oy#-9+Q1&%VQ3aHO>b z&Up=5K-)@{oK4v;FSH1~S%L&4v)WW;3BVEZ;=vaY94Y64?6q$bb469PkSUB!;LaOJ z45lC&MLj<8F1^-lm6u-_ai8V-8trwmOfmRCb2HoK{^Ff2@vQj7Ov&S7TXGATXzpC8 z+=_*ap=ac8m0-Sy6Y8*?XQUp&s5v*p*MJr}^%4j(4x3xs7Vs-!Zh4FQA+4%qU6WHw z`#>GtEhz-PXRD^BhPqIDhD=8X#qpL{(MTLQfu&28Of$PWI677{)~rl(orLX(kR@;p zyS#>esa+bl2zpA;*!G(-ULH@rV!?4AX&f)w3N+RhdHLF%jwcHe!{8{Bxt?NU6gmld zT^Uk{766U4wHI>n+}U&riC!J;s?sVKzb#>SH8!RbYNpiXod0oV1_3LV`ShaQ!aG$Y zo+DJ0X4iga?2?7`>XM2_ERMNg)3m`;p?PnMT92^{p-Sv%9cHR}}nVXtjkW#;nb^poH+GTn#6uYNA7GGI~R?ytK(2ne2a z=9iI6UB)lU%2fr?`*VGLY3oqHLYX{yY!Y^;W;4wkg|4qJ{J zFzpRO*tOgJJ3H+T`GcY&BK5ZA`j`a(gD@#$0+;Yz`=(v)vs&uDD*WxtyAbfjxBYu@ zPEYq~`-aI^6Lyc`%leC`Qo``BB#(XziN7FyN;a&9b7Yhq-G7<*wfKke2I5Q(lgMq%WeAO_|@3-4PltuBt?m0)oxe&)m}K1}PKY+dr*q4b|p-%ym= zN^oJzvXYxu%x8VzJC(tWE-9HLl~1Emzxb$87AH*ChI0#dPKx{!j@2J8DgO8yJs4Bv zFwr|Y`fT-9b&8w-W@C?{B8{o^oKLw%QS$Q2ijjxtEjVJcL^dzDb(_eA?d5J)Db>99 z{uTE<+3WrmZKbY-{FgirRR(+V6`!SDH*I7#S79v~d8os4L)Dly1R?IQG{ve(~&nJNz9zuM95#^Ee7Yzz}!)ECnsL>JMvjw-2$~eqLInJ>MYnIHgFvZ$x zMn!1Gtbdk0QzD6K*-LM^hQpOrWp|i>9CCon=i|psEuuk3itIsQO(k~E z=Vleg+q2Df>1VUj80hBS^1g!qd1(nD7@mXWH8dnL>BAq@^xu~@E%28!_onQ~G+xHt z5f#<#>+4I)6&)^WL*=GOO*se_1#w$yPdzbw^z$ zUyqE0D5$Eb*W@WbQtExrdyqBw8m9O1HP1%EdBmfh?otc&FR8^@`*&;lCioMV)^_P8 z?bLvJ?eTGukqaNZTlMZcBkS3QbLJLlV!OIK$xXU5uG`5*dv9)1n@sO+CFZB2H%J+O z{P>Yu{B`sK>3XBiO56FtNE&Z(mX*NqH|}$iV6Y(`oYT%?!*-o1HnRn+YD0SKIo+Zj z+Xv&xOEUBAgiw@)OHKoiRX&dzPTn^DBU%&E(MDDAk=>`7>htsqBtul z&rOYsFF4{p!^|Yl1iv%s5ss0TLb=EuZdRzm6YCA*_BiyhKJ`P1jX*j$~Ieg15t`2{UuHHeF}!W{CsPP zwlH!Q3lb9b^A~Ygb*U|`JVR#J1Kk=D8j~T*Za)#k!^5-GFWBPyNkGv^JPj7zGyAbFG0q5|o{+%i zc{VoIq@}2X)a#8^Q{(=bUH8);VaEn5ei{u z-dx+!yHo|AD2(+Uvj@77vgOIUIHYb#ySL6filD;UxCq8<=Os|iEKOyJN3dLBswi%@ z$phWGX%mz_o>olWhFYtC5U#FfqL+E6>4ZcSUfMTi?l-w%P_)r7#Q+ z+5XL&H?4+Hr0&p_jn_)-eg{;b6pCO{nd@z4StlFTem@FgC)c)R@V6vqz(tb50tc=W z8G-n~cEg#4Txw8>eJ8dy!C&w;lGA#bUiPEi(b4SmFs=i%Y#mV_I!qTUd=5TdSjW`M z!Zjr&A<8ArENSgxm*I5>a-r&$z)C4VQ$Tbimz+1#e`{WHVr&-2U2~VZNDfj|V;}z# z>HVPARhF$;Zs90=cRQ8>jAn@4F4=a{1|UIjTgV_;L*C|TkCwEZAa)ofrI~9Ax#_rz zjd?};_JQY8QgZW=z(pDwLt2OOX!P`|S)AM{-i5*3F1&$KV_xL`2;PF+^t6d8Zv#UN zo8Edk>{N_9wzIeY1f(~N!-{B+zxNA%io%Lzc4&)+%yktWH!^OE(e5W*&-^r1e{4T& zR3k3Tk1$;NaV(e)tP#s+`{`YIJ%b>NQT#9^sQV_VVY0+C>mc*`RM{tQEXs`Ey!hYR z{|iYq-y{-L%T92TF;z$NqDGSIP=<`wH~r9aKmn8?HpAQ7TXNIZy5hidu28Qbk1w9$ zJ^FDuJYk;jg6g2or?(u`x*jwqto=c+k7n`$fB$l)kNG7rM2f5vAK;%Eh&mcPUuN+% zaa_Kwvkr5Xq8*})Lc0aZ?VOI`HhmiNg_rBbdp01uL!UO2Lg^lM!Y`bjZQudSA7qe z@_rV}N=Q^>R2&c%uT&QA#IM4ciwmKRRYp&7yyj9oy;Riv?i)?9lsoeRP%-0O>5lRY7~1K7V+Oh@%7(1wN#9ueHCw4x9C4%SX<#BcIx zJ*2|b*7&pUU17}RFr1dy7ARRz42zZsL68gUyR|2eWj<)(7a2b3^J&4H^1uhJlJM_> zl_o4w;gmX4C0XSv2iHkNOGZx!?9BpH;S0z2KD$cF4X((_NDBS9*L)D^fv!g({?VYs8I`U5QX!Tv)gmEUJEcf@8kWX@oZej*tDg4X}z;*fic zI|&LG_gPKRNPd1{`rD@Q{Rgz;qH7QXpx*H+O+`bh-f?QtWX?09tBPckWh3lmHVeTSDBxMb+NE zxQMSL;Ue_Ds}HBXQ~*>l_3W2X`{OV5>U{v$;JG{N`o7B8p)s}p#y9Bd^UGR&DzS8B zLFzNkaMkA;)k}$(xHoZ2w!M&F)DS*!-co8T%DCZA6_mQftV0zlmyFMLBPZ9W|grDU4iXwtX;M;_|!h=ESzu@~L8 z6B?_c4u9o!w{J)z;YXUt=G5bEMwGBzV}QOHcqOZb1;AnL#WF_sc1hh8dLYD^TtMYs zT&Z#sGdH)Y5uK?A=1-OV-Yi$_C63sYzLUR=^MWS({2V4!i98xR|J)f>e%**e`USSvp`tP^N#07{68Hj0TW6KeHy_>b%cx(0`+ zt1K*_!dQJZXH>gG*Vpt?*E~HZ7sqzo{Scb4-?4tW<`!%h z_apuG{whW;!4Ul5Gkv zwZJ@C>{>1v8vV7f-SzWFdDq%4!Y1t*XM>-VB0TjcXliNOh_47IhntlybFw2Jpv>>a z_@G41B8}3Vo8`fB5nPu)w7xHx0^<)P3Ia~+50k596Q$H|!JG7EN&^p)rBBdhQbqYz zb`KtOFu~_tvMex2^@(Tx-&wXa#1>F}bSQg&<{vj$ug7#&U&}8m5y@I8d{QdM{M9e1 z%}lh#{rGDDI;b2jONn-JQhz69oRYfaY+AC#$6u%SQEZ{mf}Tz=LvB%rd>9pVhMyK} z*`dPPw;ruTGM{yc9UgT_m3)o&2cY7lq5pu2mtlMiLW?3<*+%AF${ASbZ)>wpF*(+X z$_$_82}Jw8>tQf;;T9IPl>$gLv{UUNGdBklEx=lhhZk~NwCEh0{p(CGp~@_8xR4}h zZ{uh}5QG5tF(}u>DVR#BF|~jiD84fSS4$yg z;9MFbYit3R+j*|>g|3&Zt824+BSkwpEcn~onCcoaAi3zKBBBTo30blU#3scpRh@Qy zTn*?>WDf5~aU*W742>AzOq0`h^cc+SO~F9{4`0iyHEC;y;h^o)Pk+grTIigAnEeVO!9Z89TnjJvFI8gE>*Nehq z!p{h8yh8TvZ2eAE3bl;InGMNIpvee_spR^1q(pE2>4OOVS6`!wMm8`Lck8uG8v;0U zO6S0ngjXVa^v8jtnX$1sa-Ou_tTV9 zHd$V0haLQ*!z1jj9&{^GhX`$eU%3p27bbj?MF^K-5Ca#sGl`V04W*hv`))P#I}@(% zS$PX{!f+PS!I*?75NKb_a;{-dS1(~WF?z2Bx4ukC<5NJ6qZ4T8{! zd(qJ0%}(nsJrjmcn#Eh-T4HdAN5muck3)V2ZO4Wsn4t&<1b;=q^;KouOK+QJ?^s~Q zkQ{}cPPB5utW2PMCnz(+$h8DcFZykI#JM@O<%BUa$VRcLRAcB4rtX88c`$y{{Ci}I zgU}1UqZv)ih>;x*=W^PYVFitjqM&v4PWiBZw$FYhx5-J@CR9J;f=ovUNlPz{m4P3H zwi!XEkd2LvuThBE{*vyWMI|yBW0`@DNQCGohq=(hKvxTSS>l>0)4j9q3Pk4{+>IH4 zrojc-xGmg!34fwtVtK1(>ozF7ZALqNVfo_Ll!W>187QnlI3JmP@z*dPw7M3?3JMDI zj|LTyTPtW2{%oFPwdcFLyL!X={D(8a=Ue=u{r!~n3=C{bvO-orf1c-zTs~~9%;3ORC?-JBdwjEL`+KR-8_{N&snEW z_v!fZoMg|Hlp2^kiOLC@-@KWfQ$ftAu9KU+(4n60g5)i+kP}&=K@qoH&Rj;+nrB2@XUE2%&&4NC zMReTi%gYUbmzmWl83F9ym{XJM*E_ca#%{&tXGpGBMVg+x&ug_3T6E7h460#(H^3q{<1cn#|uSY)7KQx39 z8b+A_TA4k_+zCZ*pq>TUU-#7j2x#Oh8#y>cNl8g{+#l0vgJ^!|EBa~v61QXR%Ozj2 zj8{Pdl#PugaDOy(TQL}%e`r(|XaRBH%KDNSvcXSVUBR1iKvDE~ko31&_iy@~VLd!K zwO$Xc0zG_aJpp#^hJG^l!@g;qNps-w>z9!>89AU);7lYAbD|^)i<4w!o$;P4>y_*vDi0FA2W!uBXD;F zkeUtDTfY}FR0HJpF1=Yi9wE2`WqZ=Ryg*aKNfyhs8M7d6jGgX~RFR)^)9OV*5Ql&O zis~a`Gw`Slg5|*c(ks6;<^1I>Q#u>5*FQsNmkZ@f3pfm)HTD~x&XB%)lOA>brz0%( zrPXzj`}4HneQU6_zoQd>zwG&Zz2K7K87_SR(|fvJyo{cQ6O1jKh}uDIHs%{9l{4F~ zFX`Rml#=QJmFVQl?l8^SbM-{Y@c@UWxVDfG^01(_o%?j3BCGO-QijY!3rm#zsOgKGnGnh9&Ur_)9Tn$E=5xEcDo%VbDD?YqM2LQ@Mmgh&Y{zPSpMZcnW z1CS4?13kQK;~zsbfsSFz>Z|CdsDDHe7|sv$y6!KN>vRM@R5MDsA%p#PL*nGy0oGF$ zq#Wj}(JC~dG1pKvuxhrmfX7H5bc73YP8jIFou8a!U=j)WQ8F7P zhv`Ir(|PI^Znf&GI1EGpQe0~b_|85dY>fv=UA~lm`@a6tS!-!rnZM|C)3g0oqL%;! znFN4c^2@)Z|9QF%nV_H2)#C)3Aj+l#%>Hsjd>K4PEqmx4(?6Kg41~{>^rc$!EpPBY zf%rkYFT_)%)TNAFy?WKk(Q$mk9d=7rJN?8}6f!p)$eo|_zB$Kz;RSG-`p%dcToilu=?-gtAD(t)rbmMbo_R;|G?c|elD;0+#7Hz34zePV^Drh zRaHmEfYi@=!d9NE*VizKr7*4Dd+{^bUvCCRX<(=TjL}{j-bFpNAPvG$QdXuNMBG1X zU`U<0hp=^Q;yw0zdzFQ8vuen{fARv95f*rRLSOKBfEss&;CN+)23OTd`~~b6fF7-- zzjn=c?0M>$uSEO3%Rgb+*!IQU@9(Lcib2%*fri?Ywf{SnP@E_aaLoZU`)ZcYDi011 zzklD^@kd`k&~TIw#_3M($Ht`ab*#*;b%@*kQ9gfS9kf2a_7D06+g3ODa~8KwX0F~4G? z|KsTvi$8Z|{c4oVzXvNlB@dv)#fN(>^?xZE_=lN@l>*@2NbvTQ$FIbU{t#*ip}BRr zCIlOAs$?-iZe(n%57n0ZwaUAH(H;ralM3-q7smeO*T4Fsfi+-DiY}`8{L-TQ1-Hi;&uUF5Ia`u}k|Jwt%A zf-iKG^_S|R|ApJAinE5d{4i5qESP@b{BuOHNBO!Kwn4(KRQd^s6f?R<5qD(}Csf zGZzk`4!(CKP+xU<2%QdZh)IugLd&a}e2BA7P&ai!&um{d{t3VQKN|j}Pa><<_Cl zf`Wo)&!6844-co-vR704AY782tq5#nYa5&HWClkLPELgnA3rMLYf~w}Lz!|e(R*xp zB&3UM1>5yMwvalxyt#LZW|@c7VZ2kD-|ziVy?2fs_?=f8d{g*`WPck$x{|Q6$s=^%{d~a=i z6%iTPdvH+Q+0&!0sv7&$piAolQ+mWw|%S!o;** zEGaI|i$o&zRO*|WW|Lv9-E>LGsYqX`LAGBzR{oQ^9G`{U8HVzxE*f0|#l#@sQ-d zfgz){17P=I=@b_e(*vOV=?%c*0KC~$a|=tr#M$JflggO5b~4%geft3{Y=iLMtW`+A zIU#B_`S|(MB@`7EAC|)xri4h%#nKbxLUg|gqj#XDo5e{bNq&5&mJNa+=cepc4IPzDl&%Z3)%kmu00V(5hg@lB1s;kG{9GsluOG^bnX(1)N^Op`Y zTqJl!StpEXL%1IQ{Z$pBOZVQOCPU0s`R9vCPjBT$2!+4slscl3M75$s5oKQ-bQ2Ow-(@fzt>n)Y9p| zOi*R%n1DHqiOE_fqu@Cbvh$ZYvCqA^gl0EjaaM9J(y<=Q^r#pfvcA8bf{g#*u zO8SN}+@y^p9cik+vwkD;&)n?4x~ATMBwMV!uCh`nLC`#d^02nLy7L_ki$DSd|7XYf zU)(xEC2_ zGn1W911i2%%t3sF9#}OjxfC9}OWvIrJ>)Vog8U5E{nI-7#QpBaLW2%{Zo%l~=8FJ+gN4XD~+zn%{KWA(HlY9KbLe;yIkzvgw zhDKHYj(mVyJuZLMin?;@>iD;;6^HzM-<8W#;ALrbUe3Qav+HfZI#Ax}s1W^|qUKkY zx4^{j-${S-UkUNg*?S8z>hoKyZL~d;e^b=|e-Zt6+wlJ{qW^a9l->xb0LrN7$ zS&dIlKDM^D#`4|19X>fZxiv96dxMpgRne$EFOR1?nmx1RzW3JD+Sb;W+8~koZ!);^EpMz-4Jq{u*VlHE5WI{s1 znBWFnM^BHTYIQ)}%!BKYU8+{dNc%=~wsKVGjJ{q^hD;=(^!?K5D$Z}SWj^WtOUtea z_@j=9rE;EOsZn;d-VB%gbK&{w|C6#3uVnGGq>)!Ph7UaYB7mB z2e3^^y=d?B?T@Tm3Z0ms`_bFO-isjc(>84eK9%#bpA6hv>h*O(&II(`twVh#OU_{K zm!d3)DB3{w7`rq{Pz$kIon$Gl`%I@^nM$RoM4h#QEuUTe4cU?tC>)FF(}kNPl5Yha z@&_kUO5}U=@FsNCvP`zHDMwvArM$A;h-ZB&Q7QycI((C&KnfmfP){sdYe`Q^3OF0G zO-c@AWA;HuxC9W2@&|8w-Z5;H-fmn4yv#|4L@GL-&T+f3mkU3*MW%)X~`8?+ZC#9VdlVizr=6v@{+z!@0A0Y%!turOwb{|V; zwlkxse$ioj5F8S-Z~kM?gmdsH$!1E%I9WE(|Bhj$RjZvHLl5A%(J+svnkCtgn$6`-Ug=@gl?&mYh1GucL;{Nl?g zf+6H-YDL}AIrayx9KDzP0J=Qm?4lxmYROb7A7_S7sWA0W95XYsC2kwpm3Ua-DvbJI*_Gg90IH4K8` zn)ioxlQZ$TDpg+jR3@0<`L?4OxqyP9G?6L?=8HzZ_r$(JfijQXz9d6iK9QZkQbc(% z>cZb)8N%W&Ehl{`O&NM0a1|%Zi9gmpX9spuNB)TD1gByYZV{L4<|LmtF$pNKE`>72iN$?+cT;Z=8fWGx3%qh?8 zuLElRMb9Q%)nc3i>&>HJq^YS{0UF9s+3ez`88xl4(JVHq;iKKw6yCpdZ3+w+o2huK zU4V~I!0cvGKEW;v^Hu3%r8o1IaV*&mtF-S#S zqEcO;G7#^L>UCB5?Ix9~V+O!vK<{3d)*a)3y9DlUzWs6<*uN6_x%q|gc+Pd}+Lmsr*$IV1paTRidQrm_jFQrFaUiV*BGIqks6Wsqf*!dy}*vP$I|1twdX z1@N-a!&<5AG&4tdzxlZA$(#+to72b-7`AJ+C-iRy4yMTP>XkO-4X3x{ zhamX%O8XFKC-g4PocJ(DVdm{K-*rb*_>^3FnsA;la34sv`jNaQc~;VAe#qHkozK<^@5v<)j= zQz4NUdnQ~XyRi!UP#8}4RfcNC*?EQ$T(^DQb1c`|`l+}ul~9_5OkW@W57#l&ga1L= zdxtf(ZR^9^%2ota6chw>E21DE(xn7-3({4jS4BXigx&&)$VOC}Ql%v#0@4zC4?z)- z8tFZe8d?%VNCF8-zU8^+KELnYd(Lyt(SPH@WX(Cp81Hz;JH{-}Q@EPc`*ly+IU=Ec zm9mFFKW9D(QV7VeY;41#_;{UNjvv31v^S|RzY48oA{61x>p#d?FYSsjr3Xk+ufB{4 zTf50Jh~fowBiIh%m6-)0}#VJ?Oxy`7l5;(a|3cWGUD2ESRd z)c$_OY<_%psW*S|>ufmg7P5JB&c9+~)uYm=dPSRzCg)JLFIG&t##}IRnpNJCE^k-P=xg zCu;ol=+Y#^HPsnE+q6LRSMCUE#|!ZmcOAxr@0SB@)?nmGjZQRmf8hlWWzyt?)PMb_ z(0+LM&TGyL#Z?QTl;xv;r+6+Qp&#fD1ra$vyTgZiJB`5GCe&>BRzRC z2X-QuCHUvp%OBsrZhbR!`a3E3PhD?h!c!{GHHq71|0R7$`Y%+9J;#G;7g1McI~S@ zXSL1axbyh_2P}lrGT2Jj2@CEvUQFLe` zr(JkH?X!P)-{)}6vP+E=<~Sz8vUw9NH8}h}qC@w={1l$48@`o?_)=@3?rql$OgHJI zV%g_NfbZ6H_7>UVexApRzL>(ig%p>SHN9QS!9D?bV!bKrwJAr2Hdyjcr~)FnIKlUk0umkmi7=UyB90OToozk z%t0`hfe0H-*^Ky<(ik!&1qz?6Y4?}Y)#B3;H?j6%7r)Wgxeaa{eRD3#%_}LIVYIj; zpdDg!8+_k8^GIlWPMuKZSth%c6HyUr1}@*^1EVhrU9vhhe??dswFo{J*n8iH954ltKs=irL#`M2fmDJd^w9MD(ccplmNlUu=#fZ_~BlFzpfs( z`6zca;xFENW5(TzeYKKUOoKZtTg^}Dz-G>gWH;qMx5sgWOmRuR$7sNC_1ssAeydY@ zU*$eO`e?FI)+C7WC%btOZm9e%zV%KJ(Ie zAfaTf%A-VTq+@3d*{=xew^9R*N}hz_*Po0lh4=$LN4Qq`8>>t0B&rnZ-da&jt*em7(LxVYQs2!hw+m{ z&gG-~_R`_AMR8&pDywS{MN<+U!#$+PLxwB5nP}%$RVh9bJ)JH8&Tn9EN3(CCtUU6C zF%}a(83D|g{3AhCqKlP21NDEutI1t|j~Q&^YuiB5UbIkmWKR6R)?`QhN));ODMV^` zq@#M<{{eZ_EHX+<|MVPkY*e_wjcf>pc!-ZTLD);nCtOFDwPWFKX9Lx%n=U%+(DMe8 z_g)fCX96>IADZG@<|xC9MW`J!q0>2Zay)UM+66LApJliX4gNN9u}g$iN50gu{&Z~U zbk`KAo?5!bF9f6z37qe&#P%5m4)2yz&D8+B2%<%%p(27cs`h$si)Fk7LafTq&P8*p z1@W@~+;<2br=|adN)KVz)C^2cW<}8ZHa?V<^`(hECB0Q=B6w#BJOE3*E1Rd?&oIOo1GfAJ)su%&1rq6x$JA)giP8JttWqQ0(S%p zqe1|GRKUVxoGnj{*RbOBCersR6j~?7_E6gTUc3G&mqMu#*>JuF$vDn7y#D6KJKBR*1g%v8s30DbSneFUECU%(iXIowc9DMxo63M23?(; ziU~yN-?WA$t8FgWwecPnAMIn=r?{Tt30Gp*M50o>jUMsaN7Z_*lf1?~? z8OHt;jgEu^h}QSgfx)|S@{u*B+RE?wEJuubs~#5!2LuLml;+2p*k|p1$w*TeFh91b z4!sM0Hh@z<+f=(9J<^7Antv7vOPfr{dETvhr6nOt?f&?h0PPd}T*>!>c+vei+Ez=m zpP~iN8$Ab#3)dAPjy@yrLMYL0tWEos_&qE}yCZkeZN7ztKVIdEeW674jzC>Eg`QeGzPOE^w3*syJos;v zoc^K9cN021K7}pF%{{ZawnoJ%^^h7|@t5S~6Bm2Z36XFqlkDd|z^O;Eo%rq<{r!XV zd8udB6Z%7i^o+XoT2WRtcKE}GQ;>q(BU1?188L5n^^lNOLyg$VlC+dGel^1Npn_|N zM6C@X)nUV)ysg9Wcd#mjt`1w3JKgb|sI2&^EREB+IypZJgI?fWwQuyinRchP1^O5u z7Wh((&kPz>sp9=0JAkR$`=pPK3Mz2ob=E4JV;EI|)r+@UP?5V+s2}}5WRnT9e7)@M zbk6zhD8cy$?cL@IZls+zS6mEIBrzTbCHc0{Gmk zFX%We10-{7X~Fqjp;fMZ-H=+ZDWSf;zEH@8)WLHXeA{0hzhe>fvNkX8tOJBtb4!sc zou01a#`>yw+oTi`9xCSjrpXx8?$wznKwUj?_iX@EF+e?KQ3jdN*oDTjLy}%M9ljUF zK$D-Bas7ur>@=8G4Iv@4)b&*D&f;@|RAbc{A;Tmm{Po%i4`kCBIE22kOd|D*2U=PZ z_JuCU%IY~A95u>L+jzH*CRA<#bQjCWG|GKy(grxP#k!4&!f@DmNIv8iHmq}sl(3@c zx?tPL5EJ-}XZI1PLELU1xG7h;`ezxD6D>eZKy@83mIt`z(1wT3&Pg;Md`q)dib3X# z??k1`9g41wwMccX_e`T^h}Q*=H;R6HuTI5?dxlgNs`@mQRLQ_YmuJt2y$9fLOLlkH zxkqL%*4=jKbu+1E?@yX@S8`DuSk5PTx04=2ZwEC<%^J|}3(niw12*cf_dW$twiro9 zl}&R<2nl;)klbBlR_He2GL)du1#7#g1>U<~80n=wopmIve%Bli|GNC8bo7`><}qW4 zuC5ap5ic3P>CXVt$WsE%tOx}#=c#ANr@vmX3;8C+yQwDwc18Uw8v36_hwNmXF7>{a z>r!LG!=FDz^HPWMccI;#$PFn9`qJI`hUvOMO*qIp^EhS1(lK7i8Rge-aC83}oVZty zA@QX!B_-`MW$EmVuo^^&|L*-mSjXIBmG6ZnqZ!?*+9lDoj9lJnZfn$?-%lA=`NCMU zFazl5)cj&P94lKDH^k_G-G(m)c^Oc2yyiN^Ron@sQOR)1@f`ti82$MqP}}$@T3+fqc|| z=(7I}N3Yh@`axj542eu=j}<1|z0i##aa2-87pgC zVurA07>g)d?9bT6DDr!9fc2ZIrT5s%0lZ{oH^0rAhr4FP+U~NKP;RJN3 z6yvTR_34LSQS+Vqtd5$0+GF{)X3>hi&MRdV#4?Uv4Mj5o7_K-mM-AUE9)YLGe48c6 z60z@%T~%1Etd%Fc@$dRKo92Lcm4m1+tC596S9wA;%67hW=~3wmU1k80FA3n>(jUR)jLm#2huz*bAz?P&QpV6| zzQ0uZK?Kx-&CXSVb0`8-cRpnsnD$ljm$;`eEtEkPU~)MQvDatmBI&QUhr4xA{mQnU3hp z2`1d=Osv^FkkoP;D}{;tX+S}cydC6V>DVD$XdM(AMI1bhQu-QPUJ01stvye8T^=00 ztsM9m-`YD-?d12_QY@mm{MF21emD+Bs{J zG49rnwcvC&zS-^wbiYl`LG0XGw_@4+K!Yg_RS*2yHiwWWjm6wwEx18R>HT2~5fH}b zIth-h3i$5Kf>ooZ3$zbuukp^;5zQXC8 zy^s6h8uH*mJg7aNi*tZdwyoG3yzOSXb`iR5y<1ySu=5G$Cmsy7F0om3UDKlx8ZLej zy*Ze-SO#&)Sd{g!-b8@9%xDplU@l8l`scfX*e|f>BAYav!9(yjR*Dy0`!Z*wSS03{ zLwrJl8HlI-gj9k=V!WtBY`b9^4N0Szc7EK$^8gF)SZ^6BFivC^4OJehBHsK+ZC~42 zjxqg=CWo9}GuV?vMsw{cX<6Pc3bY_|TNQZ<%JzBCuzUPxbf9X8x=#*+cr(Lv*+fah z^mbryLekjBaSY5c&X}XtzPY0KfEkw&TJ8_bnn`!OWH(7*ha*f8?MgrE{7=;WuufV2 zRbv`Zqw9ZZ1>c)>Je}k5-We#+$;16@&|Hy1YJ=fwSyw{4Q?6nBndGv9+S>BX=MdAXIiYl=A#Y};VldP<*uiuUSYn&h7TR=M zKgwLy%SwV*SiY-q(1|eNzvP1Yl>G@J631E)OgxrZhz8NW1Sf$$`6zjZ^cYWAG41UU zJ4c>vDi2rswyg~S)5pl+V^P+>`GnbfCB0UQ;49pO73?XyvlF@of?pjohG(OZHr4f9 zpHW*hzsoX6HgO+__qJ5SeXQ1jawmwS8og5MJs8bDYQ zoU|Tfm|ph$fc`Vm_0Xl2!u`EMwkJ&S5^P-EyYE!EOE|z6x3>}Qkxi~B3gp|pZ0+ti z=TGU8*OHLcOXP2C-#jFb{%#jOi{cPY?$MFZ?-hq_HVsTnsDHCr(Q{{etj(c7+y+JD zo%-(+h#fU?4gsZSn~o_|hsBcnTkXghD{xD&1U@WSdtpWw| zv`pxq% zzvDoxdcObXlC;P>r!NBu+WqpawmUlCo(tPLE%jzh$O0kTBeLGgI-p={i8+-zY~#>#@|x zO`!OnlA6|@dxK|QCn=usefCD-J`8_>Vv)CB@0)>F4?pA_?MxJlMFYMOSD>XZe3~#< zGgMlmDB{{NTr^Y_kssLzVW_mvJ_Hl)4r=vf)t&BnJCn9|N_-jvqOZGarb|B43I(7@1-s?;`<1Q%rP6&74*to_)3DjA^(>~F>&5Q_%ml;)Vgu>~nCWRJGqGQ*T z^iSe>-FL0G4y?$$0yZPmHbJ@?T>RP`6DJ~B~!QjbnkuoOV9%j0lpSgS}l0+hHO~bg!I|jRO>d`+5 z6(Y|Z03=aIll6g>2b5?n8~K%7*DCo#;ix}8 zlk$K6?LYa%srrZUc$rRz{wzQ9_ji?h0T_zmCsM(`We5L!ck_$^uk;8q*KhdGh>w3~ znE{uk|3i~{G)VPlGrqrn{Ryw#E_uY(e#38fc`w-w99~?^AHa>Cv~>WB3oJAdZs89lh{G5TOX3UvWZ1j2oUueM_KX-)OQK1E6pF8zn3ez}5iMJVriWG< z=k#4%@+oGZVB2P5WU7K|Z_yLnrw~1e<<6uY$o5f~)UQ|+ZtoA-f~}dE;1AC8sV}R^ zBwI~^{P^+Xmw>_kARt*UWlAi{x_3W~Wif%04j!O$Tz0jvJF8g-chWK3{0pcH@%FX? zpCxvfmX#mdW!yS2+cOLo8VWYM60(q+&U6SkS;K4};`bo5#UJ6ebzavz+J3TGUbu9lQS{}W5Hz;vPXz<7w zuKBd36}vaBxn+*2Zmm`0z%_8jfik6002d*dFFElV5#h&HmtYsWC~kNJfk7u=^d@}o zPs5_W?Nn>~ksnL$e%TukEv`>gN%4M`T_PXqf1Mb3XBkMMi?q8 zdZxjq+HOkbDy3d=o66HyoP+G4EA&1V_2-KsKX%ZEvRBv3iA*O>VT+snfie13>jn8h zx2u7H!Mnmju+xgpHFP^~q4g768=D88{yJbCoXJ-0Bb96(zx4p_+_A22O~_@-4onQB zj-)#%$_zePt}ca8?v;Z_)!INS!_OL$&-UHc2-NjjpRNR{lue28Flw@AUz*L#m&oLW zuNU=pcP3OzTBkN86SU6Tx^2_^=f?*|$D6%PJ@M75NuNKu$-3)od^*lov9+2pQB#7L z5aD5nYpn%FA6QZE?&jf8)=i#fVTHcgg~J2-CcEZ&4fTqxr%iY!Z8h>}f9h%L{Q@2W z5Zm|Nd-V7nwpey)G6g4tV-10XA}zYE9(;i|=k!fU&FV!xDXnBq7)H(6b9Z>e^f`#d zL}jZ4F(9ZHo2h9^RtylAEI`Yk!V_ms2!t=lh5{?@MEy8V>EzDlj$;V7fP9);gNML+ zvsKkSV03{Nu~-Y0&-P^Nz)72?I*B-t0ck3%SqoDOTNIOM*2ZyHY?%SDWrBBN9zb`% zxa=6#CZdQk>sWsl$03>T;pc7*1X9{T5f54`uDek}4@N{Yvd9i1D<$>Sl96Z(rviIC zxagN~kg%0b%F5}tfEu$$&-A>z4U31l6cu$3z~f&Qlqvr`3*cW~DC4Rj4jmDG2}c{Kg9|;kwbJOj&C-C;Us%0 z^39RU7RdH}f!)c1nDVa58o||yq@ips$0=8R8A91+nw~P~_{JH_F3WM1`e_>A2SkWe zwbbdrT?+@MPHqeUtPFvcYXNXI4?aHK_j*60K$4GNJLLPf+wz!q1mbuz$RXsh8MI>! zjFuL7FT0t3ej*-)cDbe^)pvol8aqYZ2I6n`8i=~a=!jDf3}vMfYTL~cOJm!3650W8 zJHH3y?-5s0{AH9I%_VZS;!Qa>fy=B2RF zX$aU5j9dlglLsb;Ty{sSY${dCZYir3;z+wLUH| z62MrBTfm?tK&7!p9bmH{QJ1Lw(9~#NVcoD9Ku=!DxUK`fD$BPzQ-1%((c6Dv3?opuSRDrhIrk(I7c5MZPvp$TWmHw6WWkFz$NQSG3eZ2{_bba!+65cAzrwdwi`&{fgZIe?Wy4@VDeFkB`V>pUV@$YZ^EJJ?iMpigJu%#d>+Az!5C&4l^T|* z9{hG=2ovCj%W+)=XhzvX0oB2PDq(h0qtj6hAQ77Ik^=Z8H>{AV-676!PAcUs8(gw<2>KJdw7Q8(C+$( zj~$l51a^C>yP^km2?#Tx&+yg$MjMWFhe1Z@`wYmC&Kz8|a>X_ICC55>@9zTlGK1)@ zUvrf58?nHpnNo{HB$A|Nc6uXG!d_Sax>FF2{K+K#zmUx3FaWgEA)|bJe0Llj5e)C? zdWEYR8dSPdYPus-T>|;x!*c-DzR`jNrJ?J9AZmfM%Wxryt%hwsunchlVjESkh53nI z3g3@2@%qrU$_kP=dHHwM9L3s7O$@z1*j{YKz>N+oT`=0%;MqS=#|RJ z1x7v`VbO`PH)8nPmB;Lo_c78^QXWRO*w%Wgx0&bVu{tz_8S2ZWp~+Q2nb+!Gq3fW! zUdOIT6rP0ej%BOi0Kf=3z5`5L1E)=E^TOTo7H_RtTV9ZrSy3!($yN3DY3x)?ZDS?o zxZeW(bC~#lf#d)F1faQoUyqpIH8wKR-W*EZ=$siJf3t6CNvy3D@TlzotZ@ch_{72F z^Jw*tAKIpIk`3!_9Ad;CoN8aI##bwmR@-H;2Qki(J5H!v8+wAD+tA?l;B_tCf_=xH z(BN?RBkhpz){0p`-_dpBVzkp@Zm)98|Na&KNv2U>2^^yH*eamwNJ!4^4QK)&)3)0z)r-=Gfu2FsSYX@=`{VIIqwBnuiE^Z zUs*Yz3sL90HpgY%-y79qtIoFs6zjtLoKQE-Bm4s**bIK zXScW7OV_Fh11dpvXtbMy8}m!724y=K=6 z^b$_J=*v=d{N8D1IVReh;kpWN+Kt~B_1Qwx<@9?h3n>xn<7N^cm4-+j^5ouxiuK8f zZC?vemE&g40fr;UT-jA%22C~KLM`D%x?VOqODi1#Q@Sp3ff8L1{3~>w zQ_6w3$vE`??352KCt&_w6U_(u;{hRC8XD-DnIErk9snX6AR*O1KUr}H$g|xozReAe zhe+Fc`QjgyIYRt>e*=RH7Or>TlBG;L(#GhAx~u$qI3X)5eZDiIA6q4u+f(zSko0y% zQ)FU}E&rb`=ApfrjuM8JeJ}SJn(ng#QTmjlkm}PPf5iK_I_`q=#A0&6y-qHL8}WyD z=yJXqZcr!|1wUCgqgw5Wj^(j_VMag;#GXL62mnFHZYo<%G>7_UtNA`CznJ&fvz_L@L2cn|6vd$d zenY`!@-rZUAj~eWsApi+%@)C&g^F8M6o(p5T@}f`X;vh5I;>y?Y{P|%#mrT}!qor9 zlV}Zo!ztbH@pT7WTeq(p=TyEwncW&#vGJ_oM`IG!;kE>j4|s+L2JcY7TKA^&O@4*W zin|<%OQ|{Q=?ta^{TLRoEyPB-dwVCe#R#~a4CArAlv4$CJE;Kx+G$94W_&oKW+Fpi zT}#B?e#Sb2ljPpeRw7UQvKD1N=rjRhGPoxkZ|x4(m~84-s{t}NP3mXn)@<-7T&1w8 ziqSa7bQi=9QfjcE(dQ(aTW3Ic_W@9WaWq@ljfgs%36c8aF1DRst`7B zg`UU1$IAUfKOQM_$I0l%jkXE1cMdP4Fs*JP8bO}-?%jKc3RqG4y&jF$0%Cq8b6-o& z;{GEi9PLl~3!BDw(FET$zq>>yx+iGq)A3RIzfszyojd;gaYBEbxlY^3xm35hc8ar? z@EVLZEx*~32l`C{ zzqs)q0PU_uu>_{=mq-hs&+^ib;*H^C#4jFc-5Q;V58CK9$D@%DQU+p%@gtZ`PKN2z zzx`5qp>_GlG6~td5aZ>!eh?_h>2I!yGM~5$Hq~Cxp zhz0s~29DflS$KGb$|GO>c?{v1fJ9d3|Np|rtAi=$U=IjpU0la8QxPUNDL4ooC*^Qe z$U~*>`njK2Ub!2Q3P47A<7GX26LP*2wv+$tzF5VIj@!0)w<$7fD_8mcwr>DMiD5txiS9$LOS~w1mfg-6muVZyx_i&UxKT^Uv{}1} z*4D(iV$+nEGo&*376)U!F7llkna8d)ep=wun3@Mg_=1%r*5m?0r7o}T6EbdAL1t{$ z_RdlYFo`#a5IyvP-~K~apqtj3Am;M=uVdNhY*U~ejJbJnkurgYi^eY9gR@;-|F)iy zGWXtwdj<~owP-`)v()AfYUMj00p11><0h=GX71GZ%y#p_lKrhJiaoFI3}-tU@BW?q zTzx*>ZWHJfFNt+ajK?!Kt3Q;U807XN+E$DteYOuO1+QbFazltdMn5yZhjBXSKSVaI z$7OE^)eg<1JUk-vaCK&ITpUI-<>?R7*VcCJeY2ICINCYfxbdM#E*{H8Q0H!7D%1xL zwVcfd0KuOCr+?4F!WETtF2W}Brb>jes;ZuzUT1lojlI1XuyK7TP{8u-Y)$p|d%L!k z0V#&viO2(H$d}I+8Hk|=EEV=;elm118>z58$D5K8A3tFUI^o>0xxdZ}wo(Gzpow+Q zx@frD!>ugD62TEG!H8?kv~iK-s&Q)(OANK{!Du&6m9?=bBF+u7Q3AC8d=f}cv(#lj zwFNpGr<@0SJ>E6@J*XA~9hTxJzbumvzsOGvr+mT>zub$w9LW;ZJ}&8OP-Pa;L_zg$ z2S`96UhpDD!s)>$_mZP%rb({hQLf)Vk_Nk+D!#3(yNU0}Xr^fg8?} zonH7)fknPH0i77=pRx` z(;M2_se@`R*>eZ{uWpP}lK0W!$>aGMcB*TW^-K1cA;OZqnAC%@NicoIP?Q(E-Cz|y zg;^d#>>sbKSzj9pz9W+UO+c&Hf!0z_*TPIm{eD$ztv>UlLecE%n})f_a zOB0Ze&;f_Fsk)ObIMTM~( zl_Hp%R+SI+xumLE;Y(Iur9Lo9h2Q8n{TAtNXnAv{Ia*<{IRB0|^6`_CjR45F<;1bo z*1jFw3q5N~dJ<(BLZ~5gFmsJOFmCl*9H$d`!g2~@nDtxaACXgqE%IQt6Zu9c`+(UPsJA-3avjQkeZuT6-0MEekn1y0Te;B!6ZS{4ouC*} z|LFM6I{wcgrr!K`uGk$AH|L|xv zgPZy;b{Z>Q6S5GKpw5y$Q^(#Zz_2aF!3kZ0J##H}a3-vuG2xl*7s)w8DO_&fnlH*7>P@W96Y~4y+E0hmK|eTdpW1Ym?F^12nfKB_%Bbdu%~&U(Zs$vu&Msyh~3SpOP{D_v05tZBIIvn7XvAJqE|pon3l|J%w@{bk_q3LPI64XvW%YQPy^WIk8;iZWpE$d_ zncGLaXUWJ(CI2-h#ZQzcb+0aVu?>J;P@Aj3oFO=gREpyweoR?_G&bf{(L%VhrS{FJ z*AY_4@E8fS@=#7eEqsHX?7kEy^{Dg#Vuq9q+d(&t|#9bZweb`}$-PcSn zcvI=5f68m}IKEv zRr|&YbGi6@Uw?tvB<=14R4)6%r{}Pl08^ip}=4Y=-nK7Ki<*kSu^q=}>WW|l^r?@9Up{Y?A;GHMQL`p!xb3K4xCBKKF4|d+ zn@-B@Xd-$T*Y4+hVnuIl>yKqxDXJfEmAQCHlt`3%M>~Y4th@)X-U6ZaY8E~w*N_Zd`DNyKU9M>^Ln_7ZuQ2@#p z5;U6PyYt&Q1MnROt?(_KW)9P^OX7Cud0VOx_dVl+j0O$j`Bq(4wl4}^q`57o>3%l? z>dv&UhjHPhT7j#*^#nMhbBiMAJkuyV7cC5ZMU+Ko-f|gvKeaJX6NBhpOD|61fLA2g zT;dGRo8u$fos?h*_>!%4kg%1ImHQvNrH`)9j6cwSr|{a!*^pDw{$b!)eCFq*&qB`Y zFYe^Md!Tpi+Tr&XA}0DRY8f5e?1tXy#?+?r;O%~DDWf+-(alv`F_^*B+#!`{>*3KC zZk{iQKC!P3r3J1YRu1fXHZ6q8PUDEeb0R(zztMEiO*DD^>M$*%p!lAFLC^=nTiEef znl@8?$neIE`05fYUs%_dH}AD&unJ3FkBco4IjUWafwhFb6W=x@BIK&vB&0Gj)K@3g zlFUnR>F?eVJ1(%B_kO^Og}H;l=41%%Oi|)Z&>nSlf0s{xxepdWrP5Q6f1wlC0BJ~h zqE-yn)e!??f}wWV#Hs|2hNGk7jEwiANA(okNK|H~$orZRDq*Z&ORO^Qe$+!fiO0RF zl1o0@j~OxOeqy8VTa2MS!%gg`rUEbPx5_Ik*Nnkv(C(cRp$kg^&fMe0%&~S%_nJEr zN@JCT&VdH*Me3MF%&Pl+^3h~B?{UpnPV-_>`>xssCa^y)wL^m-P$ zlH>atMZN>mM<0%sT91CO@fa)qszW{_=kfh_?^D6kYV)fAgfzd)wQoju7d&hkJh)?8hddQSM=Kp#Iw{1Cn&ez#%%$=Tvs*&7RxlU#n zxRp?A)_z;puhVkkU&EIiENkZUNHoQdP~V)Ht>K2+9JFYNd3d)_?7TlLpsWIHXdi#6 zfuLI#8W1xd8W!NZTrRfkHO8VUDaJ zO}+`8oRRhkO&BQK(_zR7uUHg{XjjvH-YP1ZQJViqHYtU9qMR63mrm5w~Okq?wxCHXPt?KHN&>bvJvEvvLX5V3= zF?5jL!u?)ha&7D{ie7iMAUO5Qos3bmN}@|kP;gC8CU?g3UV}1A6Wy=P+I5_%Ju!5C z0Q;qwyVE^%~9ag7(+cAe`eSW=qiR(s0(SL|KcX zw>@}TRSQ;kkgJVmB)6~(j!VzX4U-$^q@aFd zap|Qm(F_(8=i6CzRMdl)xORH$Y~s$l!raQ!E0@&IEb?^F!5)^~J=+3wwb7wxksLXi z5>LecxVPZn9ku?XMCbnfx8s8@NZV&VXxsMZFpkda(wS*bu|>GY-NkzJ?EVt}6G{Q) zV|D=}DBN}Q)$f<@f7M!-(S71xeglaK2D;`Y0gq0@i*j}U3& zqGbAs)sa2P{;u7nRC)g?H?`n!w*eXP8|V(2k=+GFQ_K``(}Q7genhlG%$t|k$TvBq z&~fIlO)Xon?!L92o$FsGw4R009?>A~bFX6`el+FG*P{3-t55P9j2uF8CN{S+Go1zY zktR1#Nvl{pE#B4%dPRny$;zo9@##s|YiKS;@4~Up~UfbWtSAE>yKa_B5 zLTT-t*z~bKzV+Rod+F+B+|)Z69!C9UUgrDxmZ(tNj=76n=gW_wj_3uo#V3<_gZ!z2 zNOpPWZ4}%ypkvl=kk7EpUkcP!$ZCHWtL$3MDIYnPN+x=1q&fy237G!;-3Zu7j4! zJ+@Xe)r24~_+3fw@m7e;@Dy(5>hf(=VFRNEOvg*PkT7rNQnwtf0zfw{(AR~RngiH^S67#)_V zHg{}b*2$D%&yA>`-A`*UFvlyWm)VYG8W&n>(I-75QmXnJ-vKLyyT+41=%?-EA2JaX zZ%uve2U}eYDv@`%&5imX6anik?twpY>$h`?4x`aw+$naf;VFj9qv{x1=S}gsdiUGJ z$Q?Pc;a%egekQ*2i$s3pdT=97KlUQ0^^m*LxznI)9f^0iPi#{u5z7S?eqF>+lSq7o z+FzDI@h@IfECCmqS5Cr30D8@Q*Dl*9K-yz!{(RkHWP=Xzo*XI~P`wp-;<(k7Jr87S zM()~|-w=`RJ}0eUee}HeA0KDw2Ctcip{r0VtBddG;d<3Ch1U<>^sv0u^$Zo)opdp# zH_4YOB;von_}iyuLsWXAc=OEFrdsAzYeuo`t4BfoYJ{UQx2b(|uvp~L_4;LlCYC=% z;P;g5z${{j-G;(B<*p57AW`kn~3X5h|MRh&|21(Ug;!?h-s;;~X(} z2V_3x4B6jt$}h9jHax~G|F(T(0A0QIrLS+%&@h`8Jn1cdSyRRM`X9uP6t5n{W!00Y z$TP36+>G&M>_;9NGso(if0RCM(06Yvxac@C&baG!Z=2k0!Zx^2eKXXQlTh~9|L*93 z$;(DvO8DUJ?^Yebk#APEtOe$%!p4(CA(s9Z98*HO35i7^r;dAHntv z&x8HKP|IJL%sO&X7ca{E+Pr$LdI9`QyD0vOfOB&gHEi>*s0NUU)Iy$&KS8`iI;%x< zxe7!dS6s|b7f&rHcyxLH5aSJ5ZNYz<%zz`dbKICk(Le_B`mgdNqQ35a>%Xe4$YbY3@0Ey`uIH2R8L{|o7CF>n6#{(gR%=7{Z@>kXJ3 zWq9eOxC7Lg0;URs*-RI>rZ|;jQEaPNI|5dW5 zDQw_=YCf#N@Uh{+QsSbmiUB7b(XB9scmGQv&us8qAk%Xq|0yPHdR@*e4<8Ps7dePWdp?jjM`P-AKskx@N7g-}M{XX<0_ z-uIiT%DsU`XhlR0r%p)^tvGq$R)rVe$l$AsOH8ao(6;5lo!xE^2cLSxT~1cf&kAci z2CEvsik$cYhec1MJnIH-c&ccND3Z34eKDVywEWkl7y6l{Pq%zKF0P$^>==u@H9cu{ zrm+&m&$ue5EV&l{_WO%5*dMx!)-?)*aYT=>{3X9rt~G(*#uPS7Zj3cnt~;fD)C3Q_ zNY3UT!QZYLGI@Lx)H$nAWWjhQ$xzcWy(x;jeY}{gu)8Jf_Vp#r1FEL>FTAEOI7Fb&*-4O}Js@?No)2C1m+05e` zZ1PmgVI4%UpI>9=5P9`3gSv)wX@4nTehVC%k}h0wd3m<@?rMH<`dFk}W8FE!ui<$O^%3_)hb7#i z6fk_1bk%cmDt2liGF^IMRN{Qm*Rop%;jgBl`bkGf#MN5!n?!P#oGrb;b9yWKAa&^~ z@!gH|o;38Cp+aoBp*%aaLiYT5oO|5-OMc_Ex25y%N~*Q#<6f%`7XsETjz1k5q26aD z{f53~xva%nmnl=Y`kckWJDz85561E{Iyw^4);(E@`JEv){aOq+lUxTee&|X*PtG&% z@$U^`bVL%b{7yru{n}1Oulu*lRwwltg^i8V2k8kCu;-mlDE<&V-42lrCUpULt^(Wi zO=ONwAkJdsErbJW)Rubq@50^x`P?_j$UQc9YwO?H%QeY3X4-g;s5|HFe&|;~1??~f z1Nk3`h&{+q>JoqU_|czPB_%HzBR^eJU?cK}jcpz7n zpq-6x`hfZ72Wgq2k7KFk`|u-6#c`kwwGyICd_vlJYtDECfV?6&E?HxS+oSPX4&BIj zNA4;th;a))i8D zY-z3Y+0Z2R#MfN?F-ez=0~VH{q$@JR9zmiIUdWfocf~T~t8z0rUX@K>g)WV; zt@U<3`&JFm83HL=6*1QADN9YSni&7H!HdBB>Ov?2+w@&w?Oq*>k}^Un$|YlK7ZaPJ z!^Ao@p0%8v@6_-XsiZr>>puK-fKI)0?SfdbSZ`89HQL~TtyzuPhp}vMn+8Tf+Dded zN&e8Ly>x%s)43{9J;XYq8EqYiX?jxFl?!)QPH1c9Uz+xhIjP_6{I!wvQNW&6dRohZP3nuUCZ2aXhRri!oIfZzD>&v;V<^5f-T z9H!zWIycuGl}FSwdGGcpmQ{MtNm@)>4t>b9*efuzX`DFW-aO&DUU!6lc5XRs()V~1 zTxnkg;VgUD-*BwUEEQz%d63wt7mKBZ>1H2GuuBOG>nSR^kXf5wZ~~?deIvh$^vt&a zJNx=JQt{SGIOnfoPl7D*(iBA%cZIG`6qi`3f@*BuD_Al<6TZyKyzT&#;}}#UP^B!T z%pJn_5Jxoo7paW|HXD9{Os_u02-PWnyybUwp--FD4-IovtI)&nH2Cu=v)nVSEs?h} z_N=ag+@CV8cdYY2e8s7q;0CjqiN1iv3&LnVUtc-=Ht9K zEoHHj*^=c5s?_Lwk?H00rNGCm4rRDabOKy!rVRIn!E7i4!~~AQwUSS=X2Qy8A*~C- zSFX^nibZ3IdX)ZNi$)|&LkfwEzum&kBG$LLeTp4yxjD+R&Mq@HSu*eNporAy>{Q!Y z*k`>>a60X0%6e$Ax-mLh_t3kr1nK&kkDNS1PTf%d-RJpF0!8XAjvkoe%W8^>B_++$ zsG=^%*K#B;?#E%aBSqOqhzh!T@bV>WQD0xQN}CAav|*^Jsq2B5=lUT5hchQsekiP> zgs+E;(x||uYhvn*n5L7#RMe3dSsOGpHEROsUWZN2q}iP^*XjQJO?Cu>%!0B99(dP3 zD;I6c2a;+`hW$L-JNadOhmek`$^gWnvpcl0M7G|o5@omWR>QSMws1A*N8k~$sL}C$ z^Zq`G`_2>(cxk+)l9T(3%u3+F#^sWunQFulPz&)LHgE`ZceU5q6#h z-W(sB$tOvkw*Hr)ZvSSenf!16o1MM*OxybEwGf8bXBAyOLE6d&(HaKVFG4=m0V6qp zWMNqM@L5_~!|Rl$4i!+S1~4a7CMI`S{1hBDsZ6O&toaxVF6S3pSc@dqq*17jE8Qib ztgf6x!QA^k^yj!5#drHprmZE?k)I5?7qek!UteMZCq$bPe0$&?kOyDgs|iacpkLvb zQ(CkWV}J;Gy;PKhcBnnLwU+YnEw;wbS9xffHuG}(ByY3e&-09uV|&C*7tC3tzB-+T zaHz)mpzrLPp-i2)Bs2|j^xHSr_L6(+*=3(ZvxpOkhE2}cZo{TR6@^2)K{;Zzi0CLw z`$zv&rFGNPdd0Uju~h{Vu!+W!Tv)pj2N2EKrTY~=S~Q-?oxap+!DB$En~|@lS@H#y z*BqG-jV4nztwi)M=~}joI>QlS2Fs@H(*s4E^*DI0hCzf_vUZsLWL0bK=%Ms=!Ev^S zqB~$30!AH?)1qV*tMPo|N@4k=o7*QHa3CPmlFPrqj*2}@^iFIhwsXf)u<+^#NHq+{ zwpv-Y@RWdkR?wJYWe%3%;xZ4|h$Py6P0_4@_K&?e18J!1Zzl>qLBkofA@wj=gmtBO zWo)ZljDcV0Nf*nMS&=zGle5$t$xIAWGt%UepYB@U{JghpDd6b%*zk5;A!&OZmzfk5 z^#xhb(?dUa{oCQ4u&Y8w2CwP@2fsvS2eo(R3Klk08L^0C(@EOP{d)d=RTZro#P?aa z?8lvd<$IRc|Ue1!}k$^;_ckE*P{ z3yhTEUHQh4g9HU^V6!>!JP(g`(jdkl(!`e9N z;oQ(d3x@st{B*HjPu+x4^{Q|`m^mQ@)@CALOmu^~h&_Esbjx?{JSp?(NYSIWsi}_90^Hm{Xg#e285|@~z24Z^ z;AuGThO1zKcf4B=a-YA?aRB8#vAnn_>6#;R?v#|td!oM~MBkyyOv>O?TRt7B%M7;- z%Z25S;W}NceZ=Ry+|UUC0u)zUY=31~`BQ8{Tik=eQH_OewgR3tR0$oX^64S-&XWqJ zr&m`Rw`ykquTuj#r4b#0klJNRmeO+ac6q0!YH7==NGX=){5F}@U z*=9|Y#XR&2^rc@RD7^v@6saW72{SO0gVWHITVQKUEp}oifVR77_9ayRf%w<#ZsbTX zLTWqzJRhId(Dd}p)m4Ul#`ivHD<^zJJjX*2kAg#}zpTeOS2(aEb*LClr7ZZB1^hin5Q^_Q07a4Mzp?E|kF>>Bw`w5clONj~Lpxw-+EJ}Onr&OtzJd!e!v?kx zDx8#|!|0r$P9*I`>@~NkE2eQE0BEpT>@`w%`o@j?(L5?(;$rDkdbqw#E`@fl5uld~ zGz~Ro#hCAZmmGSSh!s?UD;QaeM3M`$4)1q#tXb*Q z1U9r@5}gR#xfy0#bfqb4KX2fupNhD!AMl|?#C|S29+{mP*lLm#fOaU`8NDKG_i|s; znXV_`V1u{%`Nptold?*eakd4*ebcVLmEkIRhtxU70e z)f_{ayBE%22-a=EG>wucKbCTlIB}Aab6i@>-~wcK$@A>FN&^DXPou^x&@$UoQeOsb zc_}_V{%uBv3#%(Ioak*g1z*z)gYW?KnnXOA0eAsv8<^mGS=O#J#&G$3 zmh5DaCsf+AP1J3Bb7{cB^49X#cwg0YjK~tYJ}c>G^`Q|lIwm|B{H+P;7~^Fb$b&@& z%#Vm)elJ&? zW|jWZr8%)9{~h$~MGTE@AiI(h8oCe1Nt}}|L8<2>nhai&ls?S}$g6}EsM|u91vDkj z7Y6>Ea**`NCPms^3Vb9`5hzx94g2MmrE`X#o*n{7v9LYsI6G6{wHom?G?Xw<15*&a z3SC5w=u5a_YH+PP8ke@@yPq^H#Ds@ibE%N}1e2$xXzYglybfM6_?J%`&o3k_?k)&; zzIW<-uVd34v#sqvZNU`2(=7t@-igcOG_4fpu&#cwJ=#5g1r;zCO6za=M$LC(7m7zwwrc6N5!_PpcfVX>#a0#xd%xw`hZi;t}um6M+dYM-Z*V$B;1W_VWc&?rMw#Mr2#Ij)WV)N?mM}dx^-vxEVfp zQ&wFgTW<08ZI`-2yVzvJ{<`lnX=H!O)@%PEM}>QWW<;HTU2oK9Cb9NuNxcr+!Bs*K zc9|vZd)E3ITjkoyAU9GrKOaBpwynb2k}h|24rJzL@Jv`3*WQzJg9v_to6^WFEBl0c z|Mn@Jkx53$#sd2czJVuAtT9kbfPdQR)cxF?`SdP2Z)GC@mfPVhM5{)tGyi$_njsI$Zc9N1Lbv^{hK4w^sL&IZa)^4k13L&~dvFyow)ByzE z@c#7ig)4~cvZ{7eChUg|6m68-SkS}#HeFcnz~J+gd#d0O#o6!(_q81V6BMX4P+oDt zfYi^g!}vOs!Jegwi%#^s+a*)gf z083!_@z3vftR-Y@?COG3Rn5Tp*A% zFYeXVgtEGc0Y;CCCcFZ6vj#69ARr{(gt*B$-fCt;Bm|%0<>l2V-5VON;o`7<3oB;< zQsuS=&quN75_t21EL=w*CU~H&?b`M^3%kkLpEKj*gTMG4pYL|3W2cRg`8{z`Lq)=pDJ8DFm|aP^^PImy>UbAlU@bNp>!?9G)>}3Okl;oofsNqukEW zUA{CgpfeqRJ+=6H*CXclaQz~2OLZQp*FTD6bTSeX^G}{9%<2Y}M3jWIAoxNV{r0Y@!2=o^;gbTYW(08Yx0&m-aBUrN<;rAia4M?|1yHrdyb`-^}jjV5-bi+3BfoNP zi(7o#w)D_%!ayGREN$fW^V*)~M3pl#H~7)xvc7X(^jYo=)qDCfAqqlv7)Sa98#=P2 zW&Q+YmwGIiChS|hw@hcdepY8sB75-<+q&UZ8yn4cs%*YWp_)y&cDKR{c;3w=*0E({ zQlrb#SB?yCSA)QXOh2btGWkNaed7t;Ruhw^_go^^%(_%;G;AK0ig=HQZ2GU^xBH57 zL%!EVCU8l7CP1WHYt8YH7DcJ1)A1Ms`$8xth80Aubeb~kvr9cm31BiAF|%MtmcMrz zjC-_fFm-Pz{@j!?(%sf;1$A`hmS(4kHyI7X#QYqZiTD}}+oWvoO5Yejk_4cP+rb#H zmJ^0zaCx~wMC5r39T!)luAW|Y$831l59=679U)<`P2c<2XzWn%+}4(wP{4uy0%~iU zcFdM@ntd2v`3yRtzauu{6u8-^UR=&!gCtI-Fzv8{R^ab-@)474CiP+izk_bSVQ~M& zOWL@$fU|_tyTmU_;?aqz3C^QPlr-UUVk>VP-(DHzO7*8->607xrW)zf3mK@Xer8Zb zXMW3S$z~j2{FEf;-ukumAX%lsh}}isE@?w}oTCDQd#siwsdMsWNHlkcYV;+NH6JD= z^Ce>2_S4YA7LA;@y3yGRRu_a8Kh~6@J#*nt!lHUUdtjtf3>9z86PwLgo3CPQmodv+ z%PB1B9km%aEnV{iuZl1{#v#$opuqP}H;UMVf&?&G7~_I z4&5#-BX~oyMFD6M&{X@|U2O=mDD>y!y(8MsTpv|Ve`Za-siEJ1i*({~l3L6ROjHA# z?tJK9#?@!VOMqmp?Ri|NJDkct=rp=rP?IEE%jwW+wE;M>lE8EFp&>D zC7xf4EN>xhk7e~_hoMfsm%5#vXnT}VBImOTzDwR@YkNvY`{;XuPme(0o;dae&;{%Q zX~7X_VgM_2Eo}Mx*|^XPF*JC0t9>xuFR<3q$ESWJ;$uv(i+SiCz@QjOqint^yH5ei z>gT;=iVGHbdG%!1Qo#Pb$HxJOPXzljRwkFC$5Q@6Bi{p}YJ$dMopz(h8J8uQV z#kQ-v2i%yy%Js0V$VxqHn{PUa&d4B_-Fx4WQN0@j%CkXGg>HEqO&WYczZ~t&;~BHa z_&VIaC3&Z1!D(WD&U9!nXIhvaOd!1C^WSyN)vd%fL-Zd!U0!BapYF*oPun+R|0-Mt z6`>7Nw%n0V#`Et)%ulyu;=hR%^UlnBI@y}ad7G>|a;-y?zyC_(5-#;yar>92$?ZkH zIGoCt(V9bA)^2D)vizp&_yVU|reh6_#@c4Y%ZD-7`sFX_>^NEyEJ;0HCHqxWn8xOr zt#mXx<1KMfxO#C|wNz$U^2gF<0WV$PR=r++mDEg8CT2AqKC)?C?HJyT zgXO1vCxu;7_x~iO)5Pq*I4LLEwG#JSCo(sZwkR!f!GF!85`5Jy#!FN@V~V&VtHBmP z=eywdb>aOotl}5jZ3TSg>$;Q9^7QIYpGs)&Qt=Gs()|9!N|I^7ZO|CMxVSU|1N38` zSx>62zEK!3#yBQvUcUpNY!)sq1bb-VhLp2Z%3@^Cry)eQoxA7!1pTZ%bpx$kc{`qg zc}<`d&Z$Pf;5;*^H#5cMBd2#$l!ly0TJ<|fN>cHPbp=Q_eq&l)V3r1|s*|kdo3E7rfUbWb!E{a zv{bsFg@;E1NG>ht2#jVCsW=r7Xl?y6euzkF}~x+;tI z8NdIKVWLMHLv#>pt)t?SS-4h))2l*_`WLsOnl2TeoAyK!yQd2qZp0G0g3rZE}h<<9v@22t=|5q!zcM@4bJO;6`nP-qA2EVr`q zaKk4dheOTJqAPK6K4lKbA;hh)JJ8?R!W9LlhPsf7J~W&_d| z$AY~?dTf2a)#Fbr9``#O>DjJub#qzXhC*fI%4G=ZUH+_YqXl-7gv#4zX}5$=wrqOb z*hhUru`$oz;@(i`@-y0DYdp%QssLyQ-zV$*T@H*XW!s{WNIL@rY(grsroUy#$w>d= z4(|xmXP|wSh9wEg4%#6TRa8RrHn!}}lgQt9vV^E&NE1eB?(uqM57*zL+39#jp#4_+ zU)LovdcIB3yz;cNI4l1r^AhZTVMTb{)MWJfWpuS(CJ`<1MUy5zeWMQZgj{9? z%0Bv;yq|46XhFU|bpuEjwYA@vU0xOd3+$%7*;hP`Sm7z<5FPNVoYE_2AftG#Eg$wg z3%w`J#NbNoNQ(;+bi_Na?2wJ&9O7r>O!?~%1l8tqPDW(~tgi|FSU;NN0|A7=a@w>P zExt>skv4ljKk1s|4v*-D3s|q$*s)rhFHo{KJHW!=cOir-?J%I-M2Nm2ZS#%NVNTfw zA+vQIB~@6n!NI%h@T#Rvg&0za_ks&BHZUZx5iY2BN{{iJa4Ww z5fM49rQS1{4~ZT8F89}Wc0K^YY<2psNpkh2VuQs%Zqp=L=klKszpQ}Z{gb9tCW{!# z2(CLLhI|OQu+^1|#pOmvOzj%l->zaYZ{H3nA3ZnW;fYveKiZ8h)KWr@4GrCK?q1os}hKPEOuXmk7IAh8Lm83ug`~> zM)aU4y(v`w_elnl8F*E~iq(7S1roQ{*Jk2Iess^ByC8oeIGdr!4gYq3DLZZEvVA#p zl8=#5`E6XBT_|rKcEG@cg#`pmT4PV}!paIa?Mz~Y`wv`OSwRhK4iYo$ZmC}0-p@fi zOUJpFWE4{r2Y?bTF2r^zc0Z*0RgY!8-_@n!=;+AQqjXpNKNBfIbkz6n-|q$BEP8r+ zejr2|8qr_xG!p))ok0}-iRU(Yb)1b-;(cg*QINSjrSI8Il+0_> zNTTo*{>*a7aekrY+Uz>@tuK-{{wBWlf3YF6*pn0xe-f?7;Xf_*I4k?>3uLd$SB~9s zWw>=Lzvf@o@aLB|oBaMgy!+O-cM128q4)nyuBA=&)KhEg&7iu`uy}S;!3i zwQ;QJPGrsTxM9Crt{;!cUINQo`2Wj0&hh+s6fDm!wiKEDDgfUFj}LbrA-&h-)YcwqE1-$KeAb62gY6SW_=<4d;FgG{XCZ_QM)jWys-dzO4 z#>VF7pH9F)MithyOVMLTw;z|ca!y=xaKt7lX``PBf}b6WzVq8Q3%;cA%r-f?;3-26 zfA{LuD_JFkU&r_FHmM?xLqSV+KV~U1{SiH=yCS<}H|*l!&6DBIk`8if72AKb-r}*lp$P zM6cjPN&Ef}Y}@R@$za)lLnXicyLay*4}b~bzet6Ce()7`@ZHWfU}}M`sVT^N6BQ{B zGOd3VhWfb#E>L~onhhTPZsBdq@F$*Iu=G^X_+%$;FwuvBp1!m!F)`7wsg*`fPHxa3 zu%@QQ78v(3zfR|4>1~_Hii~3s(29?H^7YR7KXILAhfk6{di2O=Z;SC<`xmUdtG0Fw z#c323v$%-J0|kZPZjRNGmY#?3rl$O=sz+Pn0024&P9b7hfufvi*W`im&G)`36>7~+ zvhw{zBrGImJ$RndYDNHvNzyX9cAB)w9Cj*dz6N3XV_qGh|9H~JJ-gj^@(vC~<8Ps| zUMQu&>eSTK9QUni`+l~GDr?nP%25S#))k<;kZ6|_ZPc4Lf;`)&DJfadz*wCe-Xk#p zZ==n{U8`J5yD5puaa)Xmc7J{;IY`fj5m4=q5enF<{E23*Mtm5xqWcrV6%^!lW|!FI zh;OaY)Y3|P^@;);G+FPK91}weLc@So=s-sX(O<=^<;BHnVs6uGwS0H)4th}`%_;Z~ z@eY!9nZO;cR^uu|`>p(b2mi%a`a7EJgP zqx`XRTd%{y=$ zRic@>fFnebc>kjAQGxs|nc*H4jjuvOQ?)E)&Y1bdAWS^ee4EmLEby_Z4E`Ar$_#2< zz%mjLKr)z#Id;a)Y0Rb&AeDrJU#A)DGxoJv1T|RT>M@_lQC-`Zo*74{}ze&jtuiy}=aTYc< ze!T+C3vzO%DYbyb^ZEhiZdj->8fJFeMRE#C= z+|it0SjdP0Y5?Ipf*SoNA(6LO$l*I%_hR^ttEK)i+5}|%YHhm(KwoNc1gb6lr<*c) zHZiQZIXO{TnKuWsXPTRVt`Wl(6mM0fjbvRx>s_b*#35X{dy>+nvc3s2oBar=w>368 z+PXxABwoCD@qw-F;u~Lw*BC`tgwW`Fc%$v?PB$v`FVyM3tD*(Z{qlv@fi@I1{q?!P z!EfCoBO?R2U^m;_+jF4%-rnBofTINXu2(9EFFst5Qm}a*)co_u{qQrJ$&adn0aff~ zzFNS__a7+Oe|tUj6u^2a#N8~6jFLsf#QeZLAy3P98{|_(_(yOilc=Ue`gTJHy|Ar=O<~|Qx(!=TWxW>Qn?!Wbxwi;kp`uVs1Kos;#9A*uGDBfbx zM(7Vc@jdGEYujsz0)OH_0Dsp4aAC0q+BcPcS53#e)c?~q@5~m)S@X5L90f2)EnQ{t z`*(@5n&UCr{!s@5auao*jE4~Ov8hM&kAMYd&PfAe*ojYirue%S`0a=P=1Y!8LBF_v zP_sW0Qv|hDGF%&%UUNNr>sSEpzdVy5{i!qmv$k(H5H~w&qhUvP;RNufrmTIxT=B`v F{{_gi6-fX9 literal 0 HcmV?d00001 diff --git a/.devcontainer/images/debug-configuration-run.png b/.devcontainer/images/debug-configuration-run.png new file mode 100644 index 0000000000000000000000000000000000000000..a5724cdbd3aad09456df290dcead85b08ba3f333 GIT binary patch literal 796195 zcmeFZXIPV4w=Rqb!a@;Lnj#>&1nHvmu861zNC~|ON{4{-8c-3Xsz{NlARxUHAc3G# zloom?L6BYo1PBC3&dl2T-Fu(!y!+c{$)EG%{lRtRN??*_&M`;1$9<1i546-78O||K zQBg78y>m;Kii(Mvit3MZ^vA$EDS8U6R8$Ow4yvjT?y9O@c<=;j>)`yDit5g*_(Zw~ zdJAkJd@y8K0QAdaUqRL_a>9t>yw$M-%@>SN@CVuZku8#rag74a9;P;mwTo{ znJ>%fuXvlkR#P)(Kc1PnA$s-sL=Ya6;$z!&fRZKb&!v((4(z&UL+<~KXkNHV8*)M? z=g$sw+^I91t&NP-!YW4@Ha@xe>59usNYG!nR!=fl!q9d%`Hxv&97LhWC7B)Ucl@YS zKGO4VWFt>JM_-U@I-_yzhzi%OlJJA6n^CAOFxweI${z`HCKY zGwB#rdeh9kw?{6BGs|C!OpI#c^}FDFdFr?tedH;mijuQ7(PKRO826TU$BpoP%emQWZ{6>B!mGtWv3z zF@{Jr#@#K?agOu(XRYgKAb*Jm#d;ELnr#oX_9ZAMsf1gJnhj*NsePYUpQ!P$h ze$C03hV}u&6}fv%k3+3LA|LR6meD_b@2SbNHdWS-Z4V?r^XUsMO69XlJ|{-CWail) z8>L=(x~;CB={KJ}FF7wVf7m{jEmyJWlo2fP248BMDbO%zY|Le*I z>yTiA;GlrFP=n6JD`y4D;@Jcq3$Y5M8PsJ<+~R!@C1AlK`j|2MUGJS*^|LxTf~G>@ zSM07pb(HeQbM|#6mTqzdyh9dplR*O^u6Zy_DUxYVR`JmwcRT{iVL5u0L;qmIs!p`*4{=c-(*bheBa zxfiLo6t+yZxVOa4onYjNmWbv$w{=ciq9@rl884aWusVdymz9W=YJbcIHNX_=Rd73g zF|jpyXd+Z~(y7WR+J4D?&mppkU~k#O-TQILcmC5N%c5EL+5YUsx&;QW<6dHm4c4Ep z4M%z27S9S3FU-xJE8*{x|1|VbItSe!+mHQVSwL4XDwGuP$Q4!4AT+e~+Np%|o5+`y52huEbortBj)V8%p>)`+ z@oCzzcWG@(Ey2?cGXm=hOR|eI%T=RGZ>8JD(DG=+H}z)z-rT0SypjfJIkXB_no*Cv zhteQ%kX6WBB!bN7dG6eZ>*psqO65LWe$B$cZFG7^_`C3()BP+b=;&y0CxR8w_UZN( zLG<)LpD&;AJKc7|{2Z}8aCyIbHyfW3ZX903;KZ2wLhPjSIg(-`CS$E>@7(eoO zr>h^R59znB^zppm3GGNt8W5MZk+cabV|1^n`CPM6^M+RGxVH$$OL#0g8ijaW>$dx~ zS}i%Ump#q0urdj;<4MiOEBDj>tD!4BJWBrU_q*dMG9CD-mD&2)fVJbh&!`P=giflx zb<(}j+x}?iSK5zf0;>XQ0;)H~9==+0$%ie5_V-l2u8gQ$-<;nZJrQ{O=IyLIYVY_Q zjWa7A?Y}TISar>5N^@Fw8XEFpw(gHLVJUU>&y?Rh>RazH&+)I#<|fEMM9MHJ|aH zB35ppTuVnEl>YqIG9RreJ1V>Mga}*P`zU89Zum9;8rPn4R5=sILK-d`@y4fjV(~kE z(i=q^ksB!2pDwlQaa-EW%F$5G(b2NbhhwCb;g!r4ADI%@oD!au+gzfFN=>?1fhrCzI&Uli|!q*Hwlo&aZR*hhw8C5u+AeZ zM|bHO&a-eMVc&5N%-_2k_dHzwS@;bddyC8A;Qf{dq}J9ico)u~qXvC!^jIU_1~Q;i zlr@(B)6sZqvTVmDt+hT@y5Fe(e17)OYz7toBYumt`!aq6{mH!9zQR69yQr>ZMGeIi zL%M;Y&z!~Dc{rDsF7u8j?44boILPfq&WN$jZFa?{8!Dn!sMl|Hg{?=9u&ax{5@R&i zY8b~NYj%6$lZ1RsX5pS@j7a~3WL%X{(ehyAka}%-$4m1kwo&kFekg~*K>S= z9U|spkryyR!r?t|hk(U5GBS%tRqMOt)DHRXZsQ@ElwymM7LODmJqA^y;rGAvamH z?om&g(^CC1qWYZneZSPoF+H8dev!xOZ6j0Sd( zV-p9<&m&f*rnOq=hBy!6bE`MX3Fl0+l(k+cKM*&iBk}58-?v;O%`xz0j)uaD$<%*- zr|%EAm(&i@SDD8~cWpH_sRY4mda5Jg4pcPY)e-P>4*XD2QGcNR$2&~aACCUx^&fwI zs(lsiK}DrPb@$c{ecvO?6FxQOkJF_0Es1xv{BJVcrI)OvxkC?8@mE)K(4{Ml+W0Ip z^?7=0w8c-I%j;N1kNYhZ8Z{Laolg-eRH~=xnQ1_h{CpD=7q`6}&|Fncklp+AI<9SQ zTW-Y1lwh({!L(ii4eqS-!8Pznb&tZK87rR)3dS0>+G*&SFFdfkK$iFHN|oJ8jQWH5 zf=US05o*f&fAfV3B$Qjx{}w)9i0=@q{M-K?&Y^zVIQ9tBQxjFw>=|f$}1vfADir?7Ze=PCWH>l1Fxv(ZR08seC~3bSv@2153?j_E&7Idl=Yjsf$I(}y&~f4QLl+|z%0B>xY(AQRU< z#32pnLwaK|V)dL|x}WWG?Ob|Ko?dQ}xXtbR$r1vq2wX#wq?1AY1Y>wOPq6Qaa}rmA z*CQ>P@*xH1T!&-qMk^i8WRUmgY)b04M+LQI19#SH7IIRoJCh|%XM$bJ9e`z~%s!U> zr`!2|8E{K!XY#e`I=9cbdrzTpMa_B(XILmanb?AzS3E_tI{MLW zL3x<12WcE>uR}B|%NMon%qU;K=Y6RAWNLN+LQQJoS9%lXYglY{R$F2HR!54onD@xz zM483US(!OGe8mmK#lo9w!(}#{3fg}3zUx!X>)$WMN(@&hYMZ%zp*5!W9j|d;?^b1U z+00sP*jsfUG`4%Z2d&>4G%B_Fa@#Usy_vnWtd*M+yk(%UJ#51nlooBOJ_#O+wDTSt zlRUU0c#FL8)qMR|5*E^N_HSo6|MfzQ-M$bONI7Twv1*r&bVd1wy$M{)=0aa&xZlPP z{^^R0182|WVR5DHve;(BhK=|;4}T&Dn2x}30ocet&hY(emv6H3C-l#DrEy-m9W^{} zS6oma^t4f|VaK{7Rn{Y`M3FG=k)@F+`hM@W<)dkXGe(B&0RtOT`h) zZpneu(b7|0^0J?7d|J`<2x z?f5XW!h?Q!6IE3u$yE@nSHX5aPY(LFG3L*;H|Stlld8NQ+HR)eS@3TsSk`8jF6xL*8l4^21kE>GjQJCt4&!g_I17 zOyVK*q^%Md*K|v?(5x4|Gn!gHNNw`=vqn5^D16THKDv5~)}-2*)!ctmFxXMv8#Ad| z>4N<@oKfsDSU7U5#36!l!4h+a+={FvQ@0A_rk>uzp@NdR+9S zp=FSlUTkT`f4v5OtvQuvv=zjI zN%#!)f?j+Mxo>q0j>|D~75iPkY^pK|LWNMoG152Xebr~<+6;6Vp1pTR()8?ozdrw? zSx=fw%ymWEb|yE^BwAXS zm8e<;unsRgYXrB4a~R#0f22g@6vnED<_PszRpb6HzJj4atbS8>JC%pn9X=JVy#H_; z*2RgRY~_Ikj{8nW1Ao~Z!Ma`+8zju__v=k`Z9n(#=4jO)8YxDQ9MWoK3z zb=Hzh9GWg~7mb7lEt$GccnzrmPgt=fk3(KRevqK7<;NkjvNy$!;s{u>co7KKjPE zdn?z784go_X+r%{sp4@Y|Fg#Hvznu#4RM=d$0~8-l6#3qlcz#Qy_Wk~T9HfF9UaHi zQ>s@mTU%pGVG99{LmwZ0*q>0qwWRjFBLqmJYc82xhhmU5YhRB~hp}6H=O!TWU6DNd zlXRT>(1l@}*yt43Isp^7E0>p-m-_(3usJJMsqPZ8-0nBs<61g%4VknT`4uK&S{(&k z^mQ$z-Cy%q6l|MRU|14Ext`+IO)vAgx4t#zm0BH0xsKO33qG#(-(EI`jU+XCU+#W_ z@J|+5ySg$eal%b2L*D)PxWjbJ@^Do^s&_NLP02H+=!7B@cJ?AO9rkII`>rPzs61@|C^?PKKK63#4_y^|yQRUYjGDWP~P z)OIUMxG;Fnk_`Ld;IdN@Xt|5fRg&1HB%rTswun&0Fs`PI;Eg*5X-48F2m`79lmhqXHjl6`s;Z>JTj6H5}f zt+2B<6_{2<4IFmOd}id-_82tw%QHGV$Wz1khOEsJ&rjGd#FhE1*ci+GDfSUmcUj=> zM$JZ>(DW<*^v|fyq~G;;E>~Wc-+)hen<96nBHgE6@wa@T<2f&K&#y?IV-2{B$X4zE zVGG#7)|S#k?ql3CZdT*|OGS*^qQ>Q)lJrj1eCQt0qQ%6qhURwp1*8OW(Vh2m4xCk& zZf#JF6?|H>`|Q($HKk`vk=o?77aYEud-#P2wAMtxBUT^1feEF66;5{8%$WQ954+n# z=?FI7ah4X%kK^C8$tr=XWQ;Dur{Z@1+%;&O)WNd&+H2u=ChpJ5Z-k3ZSPv-@1h&yh z`VNCO@Cl706QIpk>cXk=2pONXKXMHV z2Y5bNIm-ztdMqVZi@SVH*@8cs-tZZ7A%~8T@;No)Tt)|4T=%$*6uuSySQ5OI`(ZU~ zC`eIs|LahuxOge+46EST=X-b>-JsM)sl%da78Ol(x!aTg&ExD;MiAOL529 zMWZMoK-{tabJWEx@&T4yzk}l?$ZmYUG@Xdrf877BFj2&m&Ctv}jM*(_I_~#Qz0v#1 zRojlF8WM5IX0bnSq%V67rwt?aF}?`F8{U05`A#6;!1F40I<7J1!WuU{bxDyz3hbc%CS+~Ds?CPqih#%0F7wXr;_r>0_oIdE5wCs3Vw|m`iZ&}`oJUopX2x%J#Uv8pgevV&#~#{W#WXsg|kj?ry*Ke z8-jw^Iz;$1(pa+v3-TCT{WL!Qg6*$rm#?`fkvD^UW+pzb^vlZOdVLo*c^{)?0@~!u zJbS)Qjc#Zi_{c9;dbA}95yLaKL#>hi18u(RKhz`FWixin*uIPM-Amil$~*10i^zTe z%}+`d9vspgmNw3RL0q z<#~_@f9DfLESK-VVSDhWb8Fw2&?F{=OI|s?w-iP84t5Po zI&U`a(yD4J%4?yfcq$$ePo9+9Zt|UFLUkr`2IdHU&6`>iBX4OK8_B!K6tdh>TG^<= zddXda_-ncR`UZ;%haMOg8rREl^1w*h#*i832gK=+teD7GHsl1RpoBk!Es!#zwZGm9 zuLbn$s6S?f87ABuB24&LQoNjwsVS!e8l*bh-@=*15W0!Kcikv|Rm~sDmTiW)LC3{1 zf$)hPvIr32(@fUiTCek5I8DbB==Mo?BvPz_BX9muRrOqYKnti?(jbXi@i{(~+vx@L z3U)s?i%48t7WrCZb^6f~P$sOuszAuzUglS4hO!)$RU6cuhNEb9PzQS^Ed+ro!m9t z(~;{HgxwKCCB0MBTAb?fU+bU^n}P0~AY6zM2juc}@r;%S&fv2E-4DA1r?d^7dE^&M z*1JWNMZkAjUq`q`I-J1>Z*K`fLI=;W8HB2-+HO2dAhGsuY`^Of~m~ z>_mnm(p`38zkPyZVU7ICyFY3`8CP+CSQ@q4$#Lz`oo924qg76U)126sLM6y+N~HDJ zRznnVpzy<^gJ?>Y8+fo}iDuBT@R{&(2etnYwtOPiXYqntJ6lnfS9=x24iB~Ndg|ck zQxKGskMv7Xat~yq>1>_J$SYso*QJ+)hNlPGVqDhV=QAjqi{WIl4_F4p^L{2aFooURKTp2X*r z9O&t|NQ-d0x6nl@YA4XTImvs)bRjl{2RFK2>&E{=Y6h;%L{x0-ZlH;{gnYsvG(0hX zJ%^y>GV-=rd|}HlLIm2dW41qEVQ8zYT)P@q_UOyLbrJG9X@))GAwlUNBDktcLtDw@ zRDTx%c`eWg)2YN+V6orDS;D#}=RKA^zogG@ROjhnu;tVLxe8KfTJ8M)!0BY3$=b_P zm+~zi9ik6XeLU3MXF@Ut08LZIx?YplyNnVgJJ@3sHonh~*Lo;LVd?|y20|lWp?tdJ zmI@>C^t5EN9j$7t`@E%w^ZqJh&bgsem9xK$C#27t=x1D^Q7A|EVr zY|>+Wzm{>fjXxog`ik3o?~wXzDke?3sv6v;>Ej3sEZ~1Hk#hJE!bV{GIlI> z5Y$)4JR~J0agN0R;L}+dJr?ewenteIW#_P=o>#QcKiL7Qed(mJ-ZPyVH=2;yf~c8z zSN!gNg~IYkPMer>0~8ar;0Irvi;PeY2oE>ROlA~VpNg`Fa{%q^^_3V9idoPd3Y#}!1 z&CN*t^(X=2Oq$e+qelE&?bsu#F)z)Dt87Ik@K>8$2{7rIy`dp7rhTbuXy@WUv`F*f zR-vSSPk=A)fd&&C=a1bb2YuiFs0Sf}XU_B%Ay%AsI& zAxt2?bJ(e*J|dh`%Gsy~Eq_TprbCbx4$y}blS+FXB&aWUpRDixiqmcxvCA-zQjg{4 zs<15oCe-26G5oHViY{kpRLxX1RpyJa9(vQCvNYSZ1Q;L|QNDv(OL z?s9K)BmnE2r-|@pHGP4FX`jb`JYHe(i~R-*);CV&)B3*hJqWAgDN2 zuXdqTY1np$(N!ngX0zQ3VUJCRDx*tubU9{-txZ-3V4CpjTOUOtM_ z=3#YtY;Jxl&)U^dpa$`Au*`{Itzn*b&)rWW-ai+0V6ZtFiSB5JLt#T%kBV6Z~m;4Ro&8!(lUnhisGVjphNIGN>TP}( zn7q*aj#}W7H?E%Gy7t|DxY^m{OieeZeXyUdD8bmo}UrgqE@%;h1>tslQVbf-< zsi+a6LCkL}KfVXqY_gb`zVD&1J~lQ84=N};*oyUO-Ba?t!REgLvLXAPd`SO0>IN>v z%G(KLMf~wt>HF2W3}5m_T^$jdBO-fdSe^;*6+K}w zEr|aea?l`4^UDJAo?CF|3#E+RZ_w#^-On<#5s1xE$KBQPqyfh<$*?{r(@(rT^n|1KMOz#EI{Bj3*MbsU#>v2!Mo;yw+bwq ze}?mL^Bl~pS6p3VZ&(X6s`vLQ(+>ZAk45hcrS62o=^WeU-d{Z!@U`zR8bN2F$$TwQ zusVTQ?0iLnu$j^F3LJMt4QA@CD~UN9$M-1qHFd?aSY?qI1^oEb8$RT<9LMJV_i_Ae z0dn4!oaaRO7QK=sq1-ESo`SZy+UG4d@m=j`g;NCv#T_rI(&X$QFT&HG*fyNc;xXm? zCCVq2SrPbSDoJ)>#o5juPH{5fY2I3=Hqtg`hYNe52U*0`dQ0)GUy7)_b0GUXc0x9D z*ig>X97cx|NtVuKi86<*v+-L7dR013ORRUyNoWw&GEc%zk9R5x7GUk`9z=e zgT6W^lWIpU9#V&LqL|^P7^xQ?(bnMb&^M34y=r?<1I^x-_ZA9#!;co@8I1Blv5^q& z(`$E%v&hJwXA%qOdKRlFa1sPmYemS3;z5&YSM&Q~##c+g>bhP(8;)*UN>`nM&}fNm zbuEeaI44e|2q;_;vgc z_9bhC*d{kHZ$}sgFRtIaMZD`W6H#|t=m2b7RSjvF$@092NtIwrUSHlX z{QD(n1WSnMsFwaInfg9Ujh}0*m$Nn!zM|=Pe4eD@f1neeVl5+7wdJnMd9E5XWN+@( z%e|P`ONpozk(HTwr&rGGwxsKeC@vN)u3OCa1>Heu-}bQV#c_&X_zSk)2FQBtUkw7# za;p8}TIX ze>P)(H8#t2p*Km~;U=5R%3y(ZrR!LA4PTL>A3A}_ph0qWci3+2=Nsxazkr#NB_@5$ z?lV}l5Nh{XU_h$>NbB^k$dV}8zQJP-i0#oTdVG#%UO8?ByXRkq3g)K`P82oaa2fOY zY;@0dVDv7#xv?B+C1oqUWWznZY%lPH}7+1sT)MK)0HTbozGV} zVV(0;6N}epQgE+WPNpk*J=q+0A^CiTt|9+=M%`$eI+}sx|6ln=qHBd zbC}nrQ3sGuSbR|r;Ky-;GE}>qY-0|x3^P#ZuJ268LN|->SJ%>fFlV0~V~p_VlI5oy zSIy5CoKnOSoWDy98kVDOPY`K$)i*UAn|#3~=lOD}7$GX>vwGe|V;7lmuxwWbT4Bfb zdT$}TSEf8N_RN;y*kINrfjfaeE+;mLx1K+vOzerZ9xOCwT{=cnUDf#F(&`xT4{Y;+ z56(*^)qRImjb4UJ$Fxsei__o1(*Zkeo?5e;xWBudG7a6Lt`^uC^JygY1jN=0-E0J9 zZY24jH`fLP>=f8EW9r&3MY!~E*~hlxxYp=sWzsS+v&~)Z0<8yvu#k8l0qx0@@c@{; zJ0Z5=OhqnIuLH7#+~2em%rT6oPA@sZV;~OdvF~tXk;5;s*@qC!$}3%~s$>NNOz8lH3dB;GtVBibvWukgxhyA zv}SiUMSAxH`|q~;OJ`^?!2vF_1=<-(#>4Ram^}N*>u7~IO)jr~o%L7RftikvC*Lsw zQ+A4EUIT6WDZopJ1mqAI3QDp}BpvM8)n+G%_>2+@W;}`VuN$>?IY&zNl%j)a5uU4@ z9_*d=owFN|t4i%A=N(SSLjv#brV z;B?Z%`e$XH!-1}l_0RE_`6oVH znOWM^YQxnQ5f=z^W%8~+8iq)FOl{OXlr-YTe0C&z^ZwiBokYu*oAL+|69ycmH<_|k z;zXf?bSabfjgY?Xh2ytzWg^StzYD>~{Q3H69eqRdC^Q_w2r~?&|G1Ru zH~aq0*T%eok`t-30La2Ruk@(%M2|sH^%wO#0jZ>!5)B1T1h$;DYvLiTg*%rh(>pU! z%RgrJ9egSPaWO2iUHMNF$i>)X?NvgeA8-8={1-4zd- z+PMP>lCG{=>dv!XI^#pGvo=%WkoJERILFf!9b=AY-5DLABXLL-MoEwt^1%`HL6Ft2%c?=sZfD};2Y8tS$7*CrU`HInVL-6}#ish5?&V z;@j~yY0O)AfY;P#jxAz_&3s5)#8{z4g&a4xmuZJ-C27*${R`Xbrw0qBHn*Wa5zcAT zdY30y9%(7#s?!30K$^2b@%(Bb+wt3ylfZ|%kIZYltr^K-@A_mN$a*N0N07Rdk;WW! zo|{qh+Ku1mU}_4w0Y*)W*N{0oVx`)YLM7WX#xm;CPO@;5mMqE1E*kN{dYp>>p2DWp z!b?MBo2HkijE8+=6}P`L*yh|Ht+ogBAng+zSFN%z6=ic81}UQ!pwaHTT-GYJbqzF6 z8nw>Sh&C%tlkA{^VWB+HBt-(61Di~I(vhs}C-l0mIfuT|!H`ou!^2`ZXsvsy+>Yet z(*u)Ev(08`I2x;@)K#<5*E|D7$?+wK8Jk6U{dW1NV%5r=qznuG3&~{)oIJYTK&Tf3 z!8Se2YlyJfsUcf|92gjQJkgaVKc~m2G*;!5*jZ#$mibv?+^WwYDe1bMR^XgG_LUfb z8jRzoi`?4p@J>=LCZ$hXq1ST9m#Ix-&8&x?%#shHmBic)YMOk{e zTFuX@oJX$x#r&dl8akuTUgy&d!y+{SjsapiYu+_C7Z(>{i}BL=U!ZC6&LsozVuDAc z_U=ENED2h1>iMV|UbJxnKie6}5;9n=9hxRbj|_SnkpE|QwmR+@@1z=jwuzCvG15t$ zF96{Xg;IjW7;3Ky;GN#Pl}i8HW&B&AZ}|gt-d8C1unWNTLDDG6$~(DKf@-)pOax4w z=7-^2Yl8E1wtT534O>V0*+}+| zNXdesrt!0SAfT76&y7JvqYa^h_)k~eL0kV)nlk8w_)Zm%SqJBpoci6gH>9!a^6T&r zCdJL}lSJOhN&wl3HGO|`2^8KTM~+Sb=qNafOI`|~t85FS4MBUhL)z&Ivgv^2 zRET4u9*b0|Se-zWjC6migkqJ(-s*0gqimydvI@y(9t3u&m79p)P4(>cKTz;2KsQqy zt#;vz4hz9YIypK{#bxY2I&t>epBec(sd8S9`>n8jbwDLVSYtvOt6AoIveYZ>hl(ep zr8b$1OyOPCg(g*ws-{I0ioJ?r=svC+IMqQ@@!zDfs7y{U2%A)1!2qt%=c1x$G6_eH zVHGlv@b7Pn7n%k*XS9G`&MgMo+zbjS>G>aLrT~}`Lm{}90dnT;61a+$Dg7s`3u`Dm z3>k3x!dm+22d8!vx4Z&=pA0VXN+q9u9C=sk3H|R|@xPnACXfJ(e@Z=h>HnbG{XIMD zmH@n6&FOiTLv)@0`U?O0LjTiA{A-8)wL|~9W&h0%{J-djL{ersaw+~+#fG}7s%k{n z+}zy8wBryeu+U@Fg4EI%#1D~N|5dkGjUE3?k6b|=)m8~<)DpcKMBGfI410tCB7JZ0+VtaoljdBhLNz~G=?#Yp* z8kvLAc0q4pk+6^w)SO3IU~_MT-_ifZ>HSaf@INpLO#vYIQ%qgfMvzXtxdjg*K6l4Sq$V*{SfrE)fyPscp?4!vX* zWyxCw5SsLl7uWoognz$6{Hx%5(TmchJO-%`> z!9sx;e?z-U`<{!SQrjyop1_DX<`eGS=EMiV9s2l^r3o2Z+oXV>yN7tR#uoa@@gz-L zv*L=QoRsfM@$z9LT5OW*=*liOkX#(Vr>83NADlt67w91h+(d^0H^RWGO3g&Yx{$(GL0#-x_6~6@1!h)%N7UnLr zX1sS_!&ViGXBR=tvH`g`*y#uNwDP0hDgAabvRxD*>`z$bngNi9SajdM>|APGSZSZx zL4v}@oaRpq6Kv<(i2N-0RQW*kla&uKrWfOh#&^k!fmV~*^N_vv61PVP>U@aLA~U`j=%O z;#wbvkRpH$)~k)tg-o}YL&gapXMEGipFzaxFu3GmBlUUZpm~`dL9J3QqmM$T z0%Nrg<7cf}PubT_D=ZEM^*RC(2Rg0Bizm|)&a3)DpT=&kGliW=X~&8p9t}ufAt^2u zR$QdD)YF)Lc2e$&h5tgf^Y}0ifD@yY4;Hk`z+G|H$QRuIO99uL!l&ysI^jJg!lz}n z*9Cauv0mJ5$2@Ac{QIffxdzIVFR+Q2ykn|pbQQm{^v-ZWlORy?AmwX` zpT>YwpT`{Uq(nykoYKK&pW2#aXEs9%-FY{aMO&B6`5r&%<42e{u72PEe2xpUP$+W! zHl~PJTZS{>exUVn41jpHb2DG&e#Hf^qR1qmwjF)z@6`{O9|Gt-ZYWqu>fVCkf++@05`C&BIDy zvI*y|#Ufp3;(*92HH|sR@__dH6mxI>0xsJtmR09Mfb8d4I|O|}69d}Cgqh;29r|(t z1=^m~gUmCA2yp?u8uZ2SjwiDoG0*$M?qk!8UkngjMG0Dw;$h1_R z9|M=qx=7)>$^F5l`x#1#8*6S1vk7ouPLLMOpQFF7Sv7`4bh|VBIag!?nFuV}uOJ~9 zxfNt6nS?V4t*Q~EcLI9(=VsAwsmBFAq<-zqTf`y$_*sk#xWfIZKhJ%di9FSXQTjV*+leaK{^?f9dy!4lf0TafZ(MymlHtTuTT&*!ow z4Wpau#GJwy42a_ z+scFM8Znk=ctq>t2xHZz=#mq-u2CRA5gL1&kIN}_W01`iZ1w|Xl}VvRy&RA0TE+f^ zF6$JFv(_wPwa)1m8O|Jz!`g#X?Y){mVbeTk9WW+R#PhYG#yLMM-c$HW0C1y^K8A9{VdZ zh<*JO9;>i%=X~JWm*z|LK(zG-Sb7wxLJw~9?Gl;mF$cG z*8ZJ=S9pV>C(wq3E>~fFMc~7yb}2%cdQ;+k7jTiwK)$}8G*w}a@K%HEZp^3wW?ERh zJrpV1+4K)-p4l}a?$BO1SIyp@Px^awxN~#zb zKEfX(JDU{9K~bWE`lO7Kam;&z$!;V1`PTv`L+RMs!PON8LX6|0H5WwdH+yS{iv`mM zI2deKw?~YLI}tSoq*l7i0yx0A&*R8h{IaDwyf8xH<;?eHYaEWb478WLp;g&h(v?e! zm6&W*w2Z?VZJ8zNTc#SGt<1l3G3nY;XU+60as&vnE?%zycjPLii4F!|h?EE5z+{(o zFsVY0P1Gz2lDpFVQ5DQrDVwUj9eoa>bGOF2?A5Wnb2w0A32A9O#3ot>*IE|`zD8+S zJoEt)>`3jPMZFOOr4ojO;H&oQK=CZsYhoi3_FP-$=kth}%Nhwyz_5g7d##4deWK01 zN3xT&zx?FS2rLhUY-m7UEx|!Ub||B*1qL(+*4-a&7%S7Jhyi(HVg6dw+3V#vKH91! zy7U6>M{f_4z+QO3_u-=3+1rc3YoE27LJwj)K&m&6G{(;(+LhclUPt!26~IBrZ2`#^ z*Fps{o60Re-4tBEr!@lK>#{)}W~%Hg|G4elv5%u0a};jE{x%#H4H~=ewAK9+^?%d^ z)5}2ET?@au1veIyG$cb9yIL2ncS4*5J|o3lM#>*EV!((KW5#rOWvA`s5x|t1DFU&t z2L&S+GPrS5YyEUMRE)h)S_Z%~R^85fAF=g9wi`EMyAC#14alI$Zae;@T|^xC&D+na z@pI@{Aon1w0|dZ%5Fbw$)4n%wQggt!eXND%wVu6HeR~SDVdO$%N=7_p1}LocPH;*I zXE<(N4+{VVp-CAD=tm5r@Ha-KT}CSdIY1C|=&uMaB>)8EN^!xUA7CR*10GWTIX0~? zbCpV9SW|?Cv{aIryN*NYM_e{3*yb=d-l~r~R{mZ1Q`*SI7y$K_uK*KT*lK6KG@a1E9f=~tq)YyZC1i!Xuc}ZBJKBEkz z)4ay*;ioo4-soCRCFS~3W+yGbWsx9tLW3(X?SN2F&b&bk&Y+Bf;*j&S_wJ$$=Yf&t zV1og+yVewLieZVxo7K3dt;gAfuUHQLwpQ&g^LBpl0n97udGZW_vEf_|BEqKLo*~PQ z!dJ|YyPLIVrpwq@g&JHPqTF!5X|9=9{|9`<^ ztAankw7!oPwfUkJ>1+4nS@p(%zGyBj5pu*8gY;{j1~yx0jTCqW#*)aL1c|aeh}zAM z^Uke-c`HJ*Ck}x!fo%FH;t6u1;|Pf4|VYNh}|?G@B|F;`+ywm2EA|Z zr@QMwJOzfWnBO^E+Ijv6YpAq3x@zo}74RE9!1#@-os9v^$PX~fGdM7r#a6K$*m))} z!!qmUh$LyK1#)Z9bRE=h(82eje1}Q_onurgbU!@ld~wnq+_&oN;$qi-=gJ()8<)PP zPLubEnN9I~(f$v+B*)h8#Z(js5?aak@0R?jdiu^y>OVu7^RI9nd2?}I+g~ptG}P)gel4N zszCsgcwzQ_kqEU+zioJfp#U|PQ>nWA+bjH=*@cn~RG4>Ate(n;UC8SK=rx>t;BvUS z=7P#33XEYTL1`zn4`rzrRIIq@!Q_pj`lg4PY6no19VkEt$fh?4hv<0!wYx@il#UYB zK*B$PX8x8JAejOjhiuS&aM*hw54+!T&p~r4+?Vm>VVMsf%s??b z{_W+V{2pL*gaeAgDs#yf-oIsk|Kyk79oJ7}il%42L;X#fhg-7V=~@)OrQfx41`^1} zS5vlzg^62>8H&)wWq~s1-E#Qy2=}eS+;7kG;0Byr6QxZ505x2vR`2jI2S|D5sd7gv zW7ob_ltj6vAs*AW!sdpPOyvn8M|Zauu$@o8FN9jwEgWC(ejbh~w+moCjMwXS2i7$- zjhF{h5l(Q)Nq}jDaTynBLwN$0%K{54NVMm&-0Qil)qWB_9IB_8l0)f``r_*Sw<17W z;TEy~pX~qNx^b0%f;P_EHo4R>>qwDu!N#SvQ`MM8+F-(3QQ1~V(Q&VroYT8`XqQQB z%lbb8;_sM#s3h>^7J9Xk$ddegK~zOqnK*@sN+F6zotM3qF*H(1OCmN|O1V&B(+^|H z-zg{Yjfs~w#I7Uh6d2iQ(myl=>TSirZvs-w|BJovj%qSp_uUrM0TpMYs0iqwGIS9s zQdP#v01AW_ih_VrrG}P7bPxpr6#+FA1?jydfdB!if)E8EBtSwDLJy&Z5R%+CbNAWz zoVCv0dmXud-F5$PEtf>rm+$-D_kEsUd#-q^-A4@sjiAd~T%niai}l7Prd8bf{Byd~ z$O|f#KZ~k5#r#~x*6@i}POWK{QPDp-o)b%uXP~RD;nO&o0;zWpI>`= z6B;K!#Jj4yJkv|!=;79$ajxLib}^-onuOMxz(JdxR%S+cHa z4Xi>6<-%6>$&F{l&|EkHt#CowbprDC3^q9b{^PMKG2xqMNLe1lsbQSyr$3q{)ZAXh z?%T?9jtErw;st%%JrjT;l)|qCHjnl+~OG# zqnV`NhnHNw=3JqAl73>RSnoN37ol>SFk>_En_BXMw@1I3keS~v9$L@Cu5XxD9h%{g zs)?;%-o7W1vw6!|sQLrK#=*JM0s2x^6G4ooisJTGAH~;))3IygzI{<8-2@A}*LL;G zZ9Z+Oro%T=+*g-V{0*e8NQXI*R@3b`kFe9p#Kf+xrM%8szVjRQ_F-mk?@U$^-|ijV z)6JNy(~PgXGC%CTN6RbWBgRcKJSd!9Nk`kdFu&OEkD;d_Y;5*mgZ~s+G$z&rE?9yq zQ!A2t{2(RZvS|Sp#i!0m>;4Esh#KK=UyT9IogrJjCrl$W_u#a;sw?^bzLSZ z<)Acv?IUk!bW7ymR697TC0X-Y&^HY$)xG17kq*-Mu=RfH%7B}sD!GbNZJ8>1wtK!K z6ywO_xpQRSFlnmdp72e5+28XwP`2=eqm%DJ*13xAcrg^%F1v=2XBT+ zNrE%c;b?I`ZPwp0Uf4b)bQIU;#?-sH=MNB;qo$AeE?dsnZy01<#8KQ*gVdjXeqtl6 zQud&=UPMb^4EXMLRK=ZkHJyP>2b8epY?%#3B`A(E{@O{C%l%9RQGdRE8@1EE#9o+a zlovvy@NPQ*qHYTQDh|!JPPy2S*Hw@ze$U>0SQ|#rCrqRGrZ>h$Xv_5}nWdEk$(IT%1aB8$_K=teJX+AEUz^{Aq?SqVzv z3e@h4^`4>27A;GUmyX?sA3royz37-TW73i}``!O*&(fmzw4s^$gwp}6`L(+>0mfy# zkJz#o+_PILY;SP@U|r&fGzpOtj`dB$+xVx&Yvk}*f70OdCokhGb1D8*BT4hQLGg7@BAM^MG$b>Jr>+m6`+=W8)Jg%f}!%f!mu`P!jW4 zbYDn2Y~aDD>Sz_iIJsr<<7V~{rHn>lq{&bmFW(=oGKl_^;Gl$3`htHry5P_bVhN3xr4PPtU!yiD0qp69%#d#awr_Ic&dz0o!g53i^; zzUM@TQ$Rp#_+64!ns%U{9lN)nV{0H+M4-ZrYHtiiC!$K`hHW+MR(gc$2i|j632F4~ zsH*GKYuDwhgWwP&vKHS-Qbi3t&>d}gYT?VHFDAE0=xm5t+qee8)9)M%<$^@(48ZKN zG#3DaKq<-1eIgk&a9ld4`}?N^eng&&KZ-n3RbA3je(~f8s3R|**#Napv*AIhXk1#2 zT4=!hn@AY*Xf;jVhPyr>JvMi-Z=})`;sV)RPf6$3UGk^!s&bF_9g@nKgI(9acf|Jh zJcQB1udYl}aGsd18fI79?q}!T9SD_5i8rUExzV3igKXX{-r87GFp)#Awik5omp43$ z)a&}eFogajZ?k1b{OT;DFQGmOPMgU$DdSDST#;FO2!Dj03OaN~yJt1Ywki7YRd)D9 zbBSxjSa)CQ_{t8#Z%|umX>A|7Q>-|$F_O-*KHff**_XP1c%t;lid9b!3^x&hGI9;r zQd1Fo^PQjbrkTVb%-s{nr|Nr-z|(iP8Qj>z;5sViL3`%7cUDHgsclY#pRs%u+*gw8 zgVvb$=MuVO$XQig#Y)9cJ8Tewq?RQ9uu-XM9rCYUg*00Ho!CO3RCX_sM_P2k+U=-uFN1_Wzp? zPd(rtc#BzDzx<~M_(S*m!Y%w(f5mpm8vxAOQ7>|3t9akBJ#(5{gbdHW+aYKHYfwA) zOT?K7et`Hm2xzNECp&V)t$)W%%fr&cCqCV^{#tsOjeYv>HiG|VUH_x%3!Vjt7*%_=Ty_;GMnb_n z7l4w+D%;mIFHLkhgCs$IG&9iBC_p_*rv>+d14dbAd};5ypnG1mydGxJ&#l6Q`ZEC9 zNE!~?gvG^zQiFI`T60SqyH6^3x==UC#Kc6^fT=IJd3jIs^Ybm!YrzndU?5C(8vPhq zRP1}Z_dsrLuJx>ArRovlMw-Tnt*q$&`tuWHYEN9zPZm~IZ4D7S2KR2u2{TU|0XmN> zB@T7AgB`kC+rJtvD}!|%8rldBQdJ;8;M?piwrN53EC2nTvLh?*L30stmS z^ViHh4uBQDY#95Kx83saCq)-8+N3 zGc59xRZ?=x zhS>pm3%}IWtakK+h|jZPO7^c-qkQyrDd?^R)w>lJRNY2X4)MrBjPDAj=xQJSa^j54 ztEDg4hc+*pr^l2fq{l`YiJ?Orr&~a8E4Cng5ZdP{$_ZPI2mPbd4muf!#NQ&OH&RXf!kd@jr?i{Me@Xk&AjShaMm#ZnjPPN#>(#nJ2 z1KkQcpVFGeeKszV!aW|@3tk}lgpZ(Je8jW_&1}oL1aK?t`s0`w^MXxXPfXLe^ObO2 zD08L2w8ag{c(dO4#^Bjas5fzr!iv1HaL#~x^|P&3!JMt&aYw(8R%4PfYrmmX_NTpG z4-U^8DF+PAm_-F)!M>(VmKt{RsMh2=OL*@xKD;w|tXhtsj>Buc*lR+ezdDmVR<#0h z9mR=5oC@sfC^gAMbJhpL+3(wD>iru^nmuRkJ6i3Qv?Yi(qDt;YwT5N|k^J)%P_EX4 zX3NL&PM2(e_Mhhks~1k+iLx}zpMDNNsu-X2wPCIKhF+-NGMG|pR{;PnUjX5cEeXT% zTAr)R{{h~{+$MsihEx@hq<&BC%b?jFt@%CxVozD+_CU!!WU5`bM**K zw+`xAm`P4YbO&~6u3!vwnSI$lq1?5|V?iGCd@wXeI{0#oa!Z)m{m_z|Vd7B*t8yRk zwsvAaUZOV~*#oT2yY9{|C7GmZU!rv@6x1k#`8xLc-4tHd`TXD5@wA25vV^u)1%U1L zTudAs-SN2XUgY&ke*YU}F#n);oKnVYePxr-nT7^SWBj@O{w`Yf=eNITa%UgEK8JLj zs~Fbz{irXCKI~+ynSE^b5*_y&RR(h0MAW;@H0(H9`iyqB{`%ZhPo4(?9;mG&Ja|%g z%p}y=?0q@oplaaSw?jS1t8*9*_hv6nw;i>;HW{%9{R*IxIn~(MSevY2(3Bn8r!X@< zKUgoLzus+Lp%)f7E6Veq6Ccl*)&DwomF3Z;E8FV3 zOrYR_m1>svS^7M_(p#3K;wS}-?vitV#wF~OLNG>OSKKuj;(m7&I!=6i=9QJJiQ-Nq z{pqYq?eSeqiI?_9jUy%04W!F#x6bCna9ywN%Js!Qw@dKjr%~jAPXyP|v68fvs&HeY z)N$sy<7R!-Z!;1}Z6vGI!)lX+_SW(2*qA86<3qE`SbfI?WeX9mhiO4>u>Y_qhIiUK zY=!B9`B2>yq^Fxrfa|53CdQjLXja|v>xW2pJZx$aAQ*=zFUVo-!YBlggVWs<6gSLg zbxtG7u_xH!L=$>P8xwyYX%{-Exy+CdqCBZI72K6`-tV}_kdx7c2`7}Jj!HN0Q}tKt zbrp|gnNwmH2a(80pRW}jghOc7;+R?b7EY{phCf*Z<@S1xMUgx!x-yVFZuLiy8D_ml z8~rliv(6zY(i_txW)KfR>~Jofu&F1!ODZXdaIGlZaWXu7kA9zL4y1d+J^%FbQ ztX71|>zr@_KZvvtWeLX*TOM^ygfBNDwe@iIhfjHHQv*`+51OLXs-^=ply|-CeV0-0 z=duU;Y37oVxah+cXVm8-Tfny?;*JBcXIrrF*D4R?ZY8wVZSO!(^IZ>0HVv07enW&&sb*g#O7Wxa6>M)YOQBw&knPq`=-Fsq5)eeU>sE#oRu%q&Y{lEXkP%y|0rES2>wH6&|9M48KdWAG$WAd{A( zFKzlqxULj@`s>xi$U%1iY-!KT%w_<-)00#kl`78X{A$-XVn|Y^^-I6&s!hK^qkqGp zZ*e!VlQ~vfJkbJ`7G0-%0y!dVjQkAXHo|?hT)h%@t&#Y@fjMNs zpsP|!-vSgZS?Pr%7Q2sPFOD#?**@~nBzbB2IX}YH2ugZ7(tdM64bxITNVh^~2b6+? zf4!qbMUG986VV08s@Cd*-m!8u<#;?|G*0oTU1<6ig2xU_UEMz6a$TqAlSV{^g{5UH zNWaSTr)d@>X`DUVyi72Vo;IJwZqKWsXGzzdEg7)`jPpY9OkD6{p+QVhRHeNyN zB5|AzIqF?TOr_>)C@Wq5tCE))J`O3nEKcy5E>r3Tp>n^br}OtT_H;E1Th#rs=A@EC zJ)ksO;p1GGn- z{p1Gy9Z;M|?_}YS3@7dHyu{n0lHx*dtG=;pO%09Wy-ba|{(#M%mE@(oVlW`;8B1-6 z@iypGt%kmG^+YFWUTz)7+fRQc14H^eBRg5tPefh`FYG&Z-}Wpf$lK1BEnI;Y*#y%9 z=uZq`dWvhq-c;Roc*E-*&G)z-z#@5XwRq0r$$I0CJgg4a zmrnhk(i;i0OPl|Z1@K?Nzy`8Nt{n$hx^9~qYgMn)Pzf63oD1py5FFCl$=Y~JQ4hgq zbw7xBH1_V1uo7Em;+vYSt$W-SP>DiyK$BKoCe_D27M7Oc5118?mp0Jndv4FdD=R%TQx)S7xyI>#hG9GCxK zrbK!(5J9-0Q?Ky2-xCx^ZtIgxGF^Dl`Bo(5wZY^-U0jT+A?$OTvCiQBBR@OpO?#Ae zHF&*sh)!73JGVyirn)Y-JOvLo#cIjeUu{yeq&;Q9AgIK-qNBNmecixZbo7q7r@3oU z;TOAIZu+4?)H}&Pc%Xs!9zBL6%<54COC08Qa9Kz3b zpZlIk`iZ|m;j7pCv1}3!G|me#MedJVfN0|&kYCtL{8Umu-my*!A-c|L(DjZL<3={H z6A@6S#+L$RV9ks_!Bjci#9~>}(rm*N_#(+>N(&;!Wt=m3idx`7{y;dJ?UgvKYeJ&G zD*xiis1IbY3fPFlSH$ywVa|Wm44Y&UHZSOEaT|kITCO-P6@F4JB|JD(*3z!{9S4+D zcdo2+WbhtAuO0>I{$_R~*mrmg3!AHBeEjAc$(D8T=U4Zx=C#v_Zw@*$$|w6OuLzTl zgRb%W`qfcAy``}x#y1617tsgoAo@YJc)ki<)sLWiVyHCZ_<}Ud(bs58b!QV0|KcM{ zGRn(CwoOXug;s_<1btLh$Z!kBVWdyfA$Bl*)1%f6BU2ugGgE$L-q&KyD)cR04{mj| zyz_mQxeKR~;3K_Zd=$fEkirFbI4-6Mb@qQa?aAyO?wq{7TdsLy6^fVQA09Vv-h2@W zH8og#)^n1tlFBdW=g@OikBpDaszlRM5H@1FOri$daPV?``Hm|8=k?4Nk*5PTJo2*W zfuEF;D+A=xjYg*|B(X(;P1KtCo?OS9>C{ZaEiew+(dU=%xL-L(x*W_;dn{bT*d~No zvX6UPdqvPW)8$xJ1S+Gftc+9_xEjdl#piU?YEBT%Zeg<4GI7OmbPlWh?)1hh8}qS) zM1&$(brW#RFCUUEa>A7Sw^ zgHm-xmr!E}et#3*ir1*uN<>mtS5j5sl$G!yGaBP*e47pEe|jhX@S671Rb@~aODoA_ zUBeotnkJ&=Mi+~&v~W|K^ySMETfshaD?oQY`uru3`?7q(IU#3dj--alD}Zut-AX9h z`%@vh0a(c@!X`mVLseB*Q*lAvsBP{0E6Gx-q3u)rHq;t>=e90)2`>|AXN7_Me(83+ zmou>l79$WN&S!Q%uR(|5yVedL!uhb*rpS37y1Jw9gS{3!3UDp9_6DGrJ){>L;Mrf{ z`2LJ9Tx-I;&MiP%m}yK!fiG$P z?(av>TxXZfS=m$Fud%*}ulqNOf~3&?0mTbPf!?~=-#iVPX}&f~GC&{31_sfMdL5$y zqtU+=cJ7ur@Y^^D;~#)@c0MbX0i^RUHd3_%!F0joHed>O29|kM*uoINCG3P{m#=Q0 zbsSk7rW~Y61vvyg|Ea|E$ueT;>nbwW`1{Ts?7h!AyRo`#bd{0EI48N@C$^qNi{skW zdZC6Z!tgvG7dGW_$B)d9pZej~!gB_^Sw0MvTeMVI9I%|CS>Hqi5vzSx73c4xgzQh8 zA5r>wYB1BsZlyk^!p#_f)^`3(Q|e1veV=e1U>6nQ3v+WnGa0;Z$8x^>aP!*WE>!r3 zN6}i5xAnn@nHh*%iFqWShPw>hiNxnEmWmq z>5PSYC-aTHVT6UG8e}sSM8kbfH!w(2f+oe9pZ|;eyVL$WH$T54$n^FIu(qF>nVlsr z-t*pKME1Z9uqjZ-G?|~(2)`Q|8dl_Fm(uyKM&m<)vR)G%7ovi^Jb$L2&0Q>M-&SJ* zHTaRInDte($aZDDk1tOe@yX$@AoIYp<}czg>->h7;NAsIEwn@}eDAcuiO`_=!#;|^ zGOpdIpLqxt^(L+m-4zxiu8{F7S_&IDhwU>_#ZsTY)*7EUq{AZdmFK?Ka0UhP1x~Zu zplwsfb(;CMgb;^Rmb)&i+)vG6cpq;({AIMiviXLFwC|cD!K=HX?2tZc8t*ORY?(k zbvege1Km>V_(5sMBBt$3Z2+r>uV_cFE_Ow=4WdbUySy}hn^a6WIPMtsei0Q?zCIvk zpkoD#n-{`!zW3G{#Rns1{7LknK+3iB1-KA1{%MgrI+|Oz(N;?iQT69O`$%{3#KB*B z`AOOi$kb(?42%&9`}~qn1L;g;5{$a87b2Ak-2g<9eKwA(Szd6MhEvP92o=3$iF%m%OnCfVa4RZx%+aGh(iP4^xTW(RTD(KA zh1mfNJ5TU_S(aeqkqGoo5c;QJ5Dq~d9|=I_FW_wAyKIMNDy|^)%^J{I2kzI%3EWZv zaucoF=?9_1GWJ&?Hpt~XD0JVp9QEnLQFDHGf#y|qpH%^T8mp2V`9OuY%(UIRO&U-g zz>490SAA!S)J7vL?TA$h9P)mbU*{;fPkTVyF6Cmej!3>dMr^xDya}B)m;=`|(OF!v zG+iQP>Jxzx!fvR<4UgS4q^j(Pf|10bKAQuvfEVg%;e-8_KVt%l>o_7)UUDFClHQx? zv!Y-zt>krY-bcB&Ib@P)W#=7O4eMw>NGX)`h#3RA?tLX6FWsJ(sGN^}m zE$yQgr$NmYd=<9Y`Cvc>W6+mS%l2Sw(;*RP0N-PSC!-B<}iHimf9!?=!RSZ`lI9zmWd@4QOo#bsvr9B&`6 z9R$kqvFEA6pH%Q=w_Jx7<0bg0PMQ62Pu6=_>KlXcCOY@3SZ%6R?sIZw){O~G{rmS; zrpPk*03Mb-#uZ9Vmikgfgr?U8+yP! z)JH1M-P^r0NhQ`I0(%dowVar3?g3Ac@8FJChdFzWhSi>Nc2ZQbfJy1!3Qn=i{avSW zvDjSaA7uAOoPyVMSoUIIneiL-lir)eePCz%{1^7}0OpbC8N>WQAV@B=_?)(WU@u3r zrRktl$9AIJpDFpLF`~I$KAt_K>P6gd6wT?_YmptTrp@0-=FV4n$IGZ|>?_9fx8*uL zKJz`o2!$HhLRwc2FYJx{ygq=)KH?v31OtS;{UPNZ!66dHHE2VqD%UI=bP4;=2qdS}lFTy4~0{$yr{6D~Azes@tb?vvJOm#l8Y%!rK(AVRp`nMFR%+P<>Eeq75Cxtdkg)7=)o z8LXe8?-QC5I1%M!!zuS%sFrgU8tp|kuZmNiM@ID0S8JQP<9SS635_YD<92lAy<)(d z)@jYn3242Du;{}#EgEG995}RP-ZRHxX6O2tuVeJYzRs9r^5*A@={X1;_Wpaf$!rCD z^$D|fY}Q)jc>QbB9QyKT0U=ssmooa!(l;P(;mcDr0w;0Z(FQ!WDLC{sBnY-z3Oa7S zaKX&U3nLc~X~Ls0<$9ZAO{#8RQ?Q&*c-PzX9yk0Mf2ZT?VWw*cvp(84v(xLd7_Q@V zxfXpHD2RX|15^|6JI8MEFdY0HV|IDKi~>`C_KI&l%b^zZ2eo=ovM zI?d(~7Mpu$K`9Q(RxHMitx30f#dGUDZQkm55}TYihKS275p9!g)Nf{g;}#a^zY>Uw z5lTZX*$tWBuSVZbt7HP!z8hfxh{ij<*Vb6Ysg%8c=3EdgbmVjPv;4BAM_=wx3SviO zx_yk2KqC0lPWT69pLyV6`fGuH^VNmhk!>}$@ZAvUI88{nTG>)lg$@tq?9QDDuOoDg|nXPJ9!uyU2(j7XK1lcy6SzqqJ^ zeOAZq>)iUhAs$%&9$XCUO(H*Kr@b--F_BrvM>a3MPgpbRvw`Nz+tnzqf(mRbOnL)h zvu7QNSY=rnHe?ElKD*+jDo>ppn>B!lZC7^S(=^H!U8yhk^{TBMse&=gqSz^m%@YS(GsURL(FMQSiPCC@mg!dLZq$}Z8wL=#!?1Yf%ew1v%B-|=4~AF6Nn`su^J;oV$30dcB`WWGLQ^#dTi%@TNQ6nOGxt$BuYjtymmCAx;2YM%A+Ik-vG%b3UzsZ zeNIBi^)CmnMgE~MW(88kVc|=99d0$QF;cLK-}`l3Ts&K~4ZiEU+rrnXD-_dIP-k|u ztwzd!E)u9TZy8;Ya4*Wr$F>9!&0%6Vm-Kj%d~sPOFpzXk4ys|7))dGUitOTPO>0ju zsWgsr8E=z_nbuLZ3^DOAzgm0G2xu3SbgJrvZZE1vQVBDU17*dxx3wfuy2`>N#raN8 z%N>m^RYhNYxJzih8b@z9n^H$Ms$j?m>bxjnE~l%tsQqs9J!B1J zP8L(6D0s7Fyxt!CMmEAqV#KrSZlF&@o~Bmy zHZrC`m*CA=p^wpMj^bH;c1GgK-GmY^z0)ZR*AlH_yzX90B%QT7(qIgUCSC$Xw@3K= z_YzF?swGO;V>#4ATta9Ss^dQBvR>@lE9>)#GM#_1VOr;vWsC8+g&uamJy}^k2nFv3 zY7F3z`<>ujw=`O-ad8}|5(va9jGD)2;hM4%yQqqtZ7CL~uoK}^!^z8JY%HM_i>PLQQ+bfv>`C32staH4?5i29KTfF4Q z(=^YA?d<5hjHd1P=+8S3hr>Y(pd6ayikdrz@+AX=F~!0VfE8h1Ny)Dk<369sN5$afT1sb3{1c>%WRsFh`59Zz~k zp4nVc{HBJ9&dAD~FHY=Y8DQB0`2KMt>2#(Mfzcil-z?1a3qceWbw4~QM6Ri&6lcxU z0~KLU?m7XN=VL7e(+#|$yZ&)UB{Ilj|EX(nf&gK zR1ON#HY<}&_wZS?(RgtVT@hz_R2MLlzCA9o&ATbA#sMETM+QPu_L4gkzJ$nWPC|Jd zc4W_68L3SFu(tCZ1e9Wy_xh=kWU}TX`1DQ)1oA?DNAfOeKlPJtwT#f_G7EWm!^rDC z{seH5iVLyghUdfB1}Y9GM$_Z^MZ75U5Uy6Jff*wCejw$+3IQ zxRJ_%1-l)sW`_wiZro&5DC>?n7wwAZ&8Uu)|7119ZJJXNKvL`Hb;iEf3&+4QgPOvA z(l^#&A^eaEP@gTqe|%Qum$wZd)|Ny*__+jqUXYiB7TMXqr!cMon0v>QnVeru))#yk z1RD1RRlEGeH|vy?Gai0rP(b~N6+!%sN4xVo67gN1PBOFhIfQar!qb7-Q*3)CXBkLp z%pRymJ}_r@l<+joPHR<(xPv822RR_iJjY!J-TwI8|ABY-i`#jMBQ!NXI&qhW2LZiy zP4s!pd<2MH1RBR0{ftN$w6^4Ic?Ry4dXe{ax zGyhRWSuu#%K?A%pg9SzaOavv=ma&GYq`l6$UdX56CZcwEbBtvKkuJMkmcbDQCake=2d)k}vnk zPOk7J>u}=wU5p~W_fW})cf;?d>MiiM03k;I3OT$gJyG5&+46Jo^l+&9L?!FL=wK|_ z)!si`PBa0m9U(*=1w$a521;)ORp{)6k0RTpz>G~qK5LmqgG+8#`YC*~-Lx6~=rT|T zpu&hIyJ^Hp6^G}{m{gIG)WwZI$4>LL##5B6FnyEM3vkR6V8zx*XS3Cio$Rbs32um? z{t$9SXS~#2n9!D$3d%lT7EnHd{Vv(0q?|YOs*Euhg-9sTx&QfsZ^QoG01gVtyP>oO z)cq6wj@k>IUY4>H7@IQ&1)Z29)l4?>d5oyN`Ew0829sZBz2v%cQrS9*G_vm-tDS{5bD9AK;EE0~w9h0JAxJ z_U!LKhn4{>H6ZISL@>^aTCM_N932w%5VQrL( zd@oD(hO>(P5!%tEuXFVxDcr6WOzSX#A}L&Z-_a9j<>E-QuRjMuBpl&wiHwS6urYxO z^Sm9ban-kT2c{XE6?`AiReYpZ1k9i?5+4`>v$5-60r{&e6pmP5>#&X(>44#Z|h~t@LfG8H;h|S79+-=yo)R zFGxajF6c%}7Usvz*8g$Z&qsoh)|WOs3hFkO zI{9)wbQ1RRG4Vq{_APe#v+Uadvm5JgamfBVYh9y4y$(-+ghq* zm2CP355ZhrpSzhJ%QwH&F!AHLSCJlMWez8c(d%!uk@YTcLjf)Fi@o@T5i4r2x;JvE zgpoEJ*DjTq-@I1IJWchpGs69Sj=@-xIa*D1QQQ7Sm4{39%zV*Orz9$*k z*1RHQQJn;(Fp%5pP>lVNRfU=5uq~ioN#|Xl;`UJ7cHni40j-;>=z~G>xuTGb=^SSe zVCtphAAA1Pebe{ap7}FmTO-k{yu|@8#%Muz^v2`<9Zx_d@(BB#$ddp%DJAd3G+&A- zp=-_Ew-I^Dd}O7$Gmg+-WqA)qTFPSJu6XlZk|?jlZm4JHY_d3LZPjRmXLK$@hh>+4 zHoSu?-QJd$aIsp}A;?KrhxMkM)pJ3c3i#V+3Uq8nKurrma09W(mVVOa5PEi5SS{J;q6D>`|_vqgxHbgWa-RbrBgdAzw{Sc)BF z*kI8|12udCMY$&P)A8qDF4Tw!89$dlc1*+b)`d$qkosa4iq;{oTpJ%oKRhNTB^RCX z?Z);!J9`wSZ<}ibCTvdrk%Ci$zI;AxtnnQlyw86DOiKw{2=g8(F|Ah(hn0vA3Lp*`)rWrso4~qv3&xi%D;XY9sZ;) z52j?F{&4gYEi2j4y>zIKFm%wrfTnRsMJm{@BfvUneNoa}m#6o^ zqXf%ZvQwwwU5M&^*C1m*Zp1qg5d=m=lB_TKACv-+{HJvLifqP%kyFZn`9DQ;baVjU zX*;s#6-dEv1G&o1efba;;$ZUptENZ0_H`J*1kH%wzIj?bLRThl9H^^Vi5rF;KFkT* z`$Q@=?0ZwZnppP}x#d$nzK1GGU8&x1XZm|~bA!VUf1>GAntx-rab&CzQGG2{UX*_B zE@6t4WmRZbaYp=Ds+dX_Lau-^IH0biXW3t@_;~H`5kNCN?bx4qv%)>(v#qX9_UA6r zH*cF8RawkR^;rmTc%d!7 z#gX1u+?(Z`taWQ0q^1y_AJUx2yPB9K1bO2)Z>yw=cVr?|L%&RI;*u`X<-&E&F(rIH z;ZT$q)oP~m`FQ(Z>v%?%icb#<<yqS5UX}`oRWjOtL+ekCoc*+<(OP2LB0FEYxKO8CMj;RDTrl*tutJeY=YeS0;EnxVe=|5rGo@n4*28 zeOvg2&jF)Ee{O&>K6va)l7K#_ITh+;jH~1KT7Uy+pbd&bbE0;iBNE{ zvXwL({#`i>1ddpn@GXXGgScF6@B$Z&yF-3-3IE3$?fT_6 zpZ-2@J-2Xs_8vL=8lwz8fGRw`UXWlTMnd zMr#E3Z1Z^Y;F3*vg1%8LyP%oNmvIm4fIwabL1jJ-&X%(x$_l zmWHnFD=tthc{a{8INm`{RM)~Fnl?784$}U3Hc^nIsrAEYLlMMcka;A*@-qKhFqlgB z6)598uNWmMJ|&aMbJkJdTgW_rn35hoo3o^uUVkfebA@g|(U-Wl17=_C>LM|4X&L=R zncU)%4Hi*dX=l~nmm9VPQ&Cju97#W0yWlRJjG#KaVuqZ;_zzyD zgAo5JN37<6nJ-|TT(xhmS&Xk54~cM5NOnm`DztvN3VUUe-^@^;t!(cn=8^y3#SqJ)EqMILt(|fglqjMOf^z<5{QXY zk%XnCr9=AR!3c3M(<&NFm-VJeR_lTF?!exThfgJ4mM*U?)D>DOwyTgwun3N4wM&9a z;Wq5xwy*T|$6`uQ5ozowr|iz9Kn)G=8SK?`>Ly#0!7$f<5v$q9>K!m>ogw#~%wfam z(gyY4bG}w*_#-y4oVfVeg=&rHN2HVDKl~MLMFFIZ(rqwWdb=s3uuu^n1K2vg=@hdZ zH&2PPC5LZ7py6)XV(3I>K);Mqcc0dwo2t<;q1O3z?a2$!UzGvE=b-JFFl1;XPyJKCpHcxlMl+{_h+fId{~4 zVhlawHP5wFplY+rYtPgK3^= zi#s%^FCFzv_XIL{9IgrSx%G|`YiY>LFi8BzS95IE8-Q?X!q4g`2lOEHS^b^ALOhG8 zW;a;=c$TNG4u`anGxp~WlV|aD6Fs}e?;R7kk7R#>N~EB)k=JW^8%*^>raR=GZ89*3 zGbZ|r-!Bsg4!R2Zj0)4=1)q8sug+3b#CLLR_tG^pzUIk23-5e{e+rf6+Go

_2pv z8cKs*f7l)QR6@h^iNr#keh(c}MBc4Zf3{m|cIf3GXKI5N3q^32UzVZ6?>F8I?0X-C8?gs8oC5XtGC#WhSG(6yb2JU)vtO=pm> zo0SSjfOM@|?hAVuhBW9tmvQz_TV(2_lvPmfvvlN2vhm{wy&HLE3?F?iY5+!rYlh$w zgtbp1;L}R{AGPGYWaz|ImwpX2(H>FqW) z|J+Osh0ROSk;}Ws!jP;5v0>J5TfMBbnQ=lJknE28Ln4z4t$)Go8&HZHp53?aV||$L zux#8Q6YDuIU_@(E;jubjm)*ZSr+Pm=m>@w#32)E&>7F!G-`~`NXyLXjjbOaDHVYWa zfl|ZIYZzPC1wriKG);h>biZPm3k|=d!|P{Ok1U;dCrB__6K*z1>4th z+A*|rr8n?}LPA?LRZj;69lGWbKK9Dg)lhD4Xqz*pt@m8KfRT9f0`6IK6H`kU9FXmv zCcd%)FIDtdJ)g^hhRN7zF6vjvT}oEl11(;zkki%l_bej^%;4D33u8(7<``Frewg)|L^k^mltGcYkDJ$zR`BQw&>04;Z_}pb+wVVg`WTY-_U&8i z+F(Y|KqT~+yY>-nr}V|r*$EOB2T=N|sCh|`TQcAXVo|%{6 zh=cF4C}Z<8?RvKTax%T`+V1+SJBk7hLSEjhL)a-Y^A7VGkq3CxRuw-;s5xY$a_yvS zxK@2o8zd5F$;%^89v^6|+f5XR@F2cQ=~Qj%9>UTM4(uY71r>-{}cKRei2T?_9Sy2c>-^29U!MU$z4b2vTP%|=~nXWnzAUT``cqWJtC6h7~Wd>;8g=uu3vN{5xa z@=@suVp*hj3?jXh_ta)x1G31W@^IOW8*+PfM<XZsfb?T)o|~YOUW>ObVfR<$89GkDI^QZ|8=s1}ht$ z>l>E;G_C27AQX-HeK3ortXfKI*mNs79@b_Pl`4vHfK*q349 zu5^j7c;(W;TYg^~#wKF?A>q86XL|x**7)0`Pa+-RAD%|%;gR3bh1$M?C#}E;h_0Ep zbL6C{z4H|w=+8pc4;G^P6w1fPx}~LXGWzh=)`v}QPyZteVCEC2hN+^TNRR&nVJTJ4 zyqy8mEnX-Jx@q56CXWgmY{Iy3#!T|%YfoSh%zP=<=qTrL@}I9_XlM%_1xJs5JJD&B z#3mZ>9Q=loghMxp^7Fp)NW%rCGHSY=U+<~pYse&J-h>M(W&DTLH-Di!8k_ro*~6** zd2F8yu?Q+&;o3!h41+0bA2hk;usU?g2VM5deCx5r2X=kEO7}opGxYKv>zrXI5poxv zHJNy-#OOU$B>Ru!Bj5N?=eS$Ej~}-`<L3cinhG#e!hd>943`g(*+`Si`$4fQeSe!+YH2~D>Bhzu)2&|CzNh0sN0?a2eS^S zm^Z!r3^ae#-E)f#QlWed*+0u%{v8)IzXVGG!*4&FF10Hw#SZpr=@&=X8(H@*fiLLvL)RpOpeO#Qjvmv$K3U^+PZWB`~ z5E2%T*X*YrkeGR_Sr%V&O(F~>*w&wpQ*Ub_*z-1m=CAYSl64Kemp1kVBJZ8&RId`< z=Ylzpe@$pTB@!#j`*oJ6DS1e_=1$H+cdq!(1!^Ypk2jiGq*GShg_yFMpg^z%{V+hQ zgFb(6!?O*MB7MDu@H6kmu475J zWKuU82QFvdF>L936lS^F-YPL0P&}8ik6>$IOH$YQ`m8%;rkd2psnN9OXhmKTQi9C! zTj|l$JUw{h%3Sb`5-Z0n4A$K%U(3!?B{)SXZFXhGmMJchs|!`^4MsYA^+|E9MXcP6 zH9dR%hqwHq1HeM6@CChka<;z@vSYZP8Dy{>Ds%e&!P|ZB;jpfxl>f!vdxkZ=b=#vh zETDi&QK}755KxgKRYgHWKuYLErAp{6Kp@%ZMpT*&kQz`S5D1}n2uhRQ3BC6gLJN>~ z7yF*~oKOGv+`pbr_c>p9csA~o^;>JMF~=Np%=O0j%u(Hh7#2Hgjm^x3v&-&`TU?ib zkCNK=CyvQ2S4y+4_x8ak-d==T-jzN})3ted)yV-1iSi(N+ZEBvY*d;I#hZ46TBk}r zu?(N-K;G{i?Q8`x@VQEsh-b(LJKa{T>F#LklgrtAPIuk1Y#UuXTX5xK6 zKx1{$IGeQhQlI7sw!B<{RbjQtu~ko7krNoY_2;k#@;^8iq<&O13P{E+^0HbYw`JKR=5TbFfWl?quvF8%6UPX6S3Q&<=lQO2tC{BGpU@53EHk|L*kG zK>qtljz{{@PN&XgzdB~-wu@fx@d*JQf0IgIAmf_jgJt!!f^E-`4a;<2q07xN@3CGD zZw24BMkeGrj)C#{TFFXdB{%IuNWU z4ddxCnU-^WIrSfeAPD4URZEawKaBaYvhw=Q(st)3iLhZm6R;)#6G+#FwxncAA$r}HLL8v062pmT0L5x^J{x{aRl0~Mw!%zNqI<`e(tpz{>X4bC1K z$+VB%onL7T6;gcEeU@Yx2W#(Zr;T~oEG|~?eX~jZtY9KR4Hfh`A6lsIc z%fkh*A!>(ZEm44O{(YgKn!?s*Sflxa&@JuQ$1XDhueOcW>~RBV>P#hV;yRm7lPt5OSqpJg1Sf4c@gnSbZQN1y{*zROKz> zfVXV;jVIn_LnRAaxEh>9g^+GvA>hD<ef%I-DK+>M|j+)K3*3;Q% z1-5`Pi758DIz?YmfC0WhlrBm zT;k?u;8P;^h{}%mJ%)~z7BBs~t{+u}fRi6799dC)ie`VfzmFqd6JjSJfw^hwv(53V zVxErTVl}18GhHY0!R_J^zvg!e$_zK(uuWl3%Jd?(34%49ks7@6kegdA%KnlFf0A}? z4o9&j>Ym2k@!h*)o+|{#E`(2M;Z5cOF)a{YV}oANDZWP0vbC&OZt8cVwNi!FC!sJi zPE;$zMBHWcyx>tKXZ+;FfWq%7o4CsLI8sR-T^Q-ad=N$6UFWIT7@cJFSf4A&VL|Lv zNla|hwB9HU?@nnG2VjJUsC)2dy)3w$bE|#oR+F7^N?eAPK3+;`35fx1X4`=F_}yge zs3Z1Hf3L+{X%zRvNOh?LIHo}TWtjjTI9jlc>GJ4$HOwZ`vuMhfkZGPL)b(hFx{71) zT9$5xd^nIDR=`28n5yTl7Ze0T-MUWH>9&*k31;js81n;Oi-gE#W7D$2sbbgnD~v$i z5$=C@LdDK> zlOHZ_ux-6$RH)+O)i)Ll+7+|1=PmF2gQiaC?2b~rZmaxmSloYLlW71rX`^q2=_6HF zib08Br$Y+L!`3b3{`ULY7oA(~IoU`!*$CFYPG2J)qoBSB zmeM*#>o>_}+|xGGImB$*^NpmA8*Z(C``GSE=A=KdC;5r>69=&_ONySTGkwsf0QU$b zqDVtrV2p5s;`f4qX}Wr(dzS@9&Y*VNcycnu%-$3F6AiLPcj$>G!+6b}=nSaE+lKYa z^_dUy3hf7hEpraxeZ_OKxoR!gkrT?dKb7=&6waA^Dt!DDl=dh78b5MBc#Sp3aXNR8 zuXvm&|Ds7;I^_Qx>i#V}30xL=@~hXmP4jbfwA#+r&|mP==T--}(#$P+wKaWjGWrv> zOP|iaeAwez1k->#MT>ojV%&mB>_uz+6xo2n)Sk?&w>c#Xb@Sf}!tXE}FudYjy%y(8 zB7g7mRJEReQs|+OivHcW{;w~aZ3WT*q7goN_;;c8zp5CQKz%^Ifo=K5?^mh*`B2__ z^=JM?a<1tCCxfT`jW+!w;JSFf`TL4!@CgI4r>~5bHkmyDzv>45!(^)ckz;^~Dj?vZ z-13?K4SD(hA_k7)SSUi(OtVf}?yE3?Z7Z*o(xKXR) zR4-8UzotZvYpYz4GHaJUH1MFT&tr8?*0K9p4*7kB)z(D+4e!oAABVM1IRFMYl{SE! zst>unf2U$;0A^HveR1cEyqlwf@_LC;5n@<+ScBZExX1E^sdy`2D)nCAnoL#TjL`DA zlq&Y6P?P+@Svrj{R^D*8tU}xXXU-X+?Wa%_t!719dobuP;ryE|6i?Mo0km3&Hvpb7 zR?+6({a?#kW2Hnb5IfUivCvb23F=AaWw}dkGJ7H3(i}aU5$Eh3$FT>zsdFmIZ!zIs z$R9ru)msrod_L|7{3x}WFj;9w9J~zIP9DT1k_+q!Su4YjAm~xVly44@qM5CIV{^)5 zUpW#^c^dCgQzFzB@I+jJQ7MC0=Kh?>xmT|(xwEqHaUJXS#KJ&;0q0i6#H`Pf1!y;+lpsscQe+X9ML`Rfz{Dg`D zWOtJE7TAimNsDTNoQ4UE&5!J^Bu$Y<(TUe=BWEri3B4xZ97$Kx+BJFw{t%|?H4>*p zU7s`SFYzg^rOe0R7-J_+fcmD496;WaEOy8opNFX5LlXM}_oh2u2z469W@Uu~3@Eds zKKqXb)!u9@jvFB=2k~q~J&sIvDJQ;`ot3w%pGB-Qo|D#U`yZfWr$2R|p{S+e6!{ly zmI@S&{@f-5@etgw8zi2#oHtR1r2j*LBeTi_g139+@t<0tVOp3+{=4VVb{g7WB+u^= zwxn=qYs9FsyQy@d$W`Q4bDK>)wqs{iT`+8%rfRJ*sad~650`nNl* z!W%?n?Oy%1E&dd6`ze|X$p*7ozR0*(d_n=U7RUPG5-AWO2ePUF&uJB%SZ2*j9kHzB zEdoa5;`_?42*hpM`;WaQKVUw>J~_v>#6e} zFk6KN@O34Z#wf&gO7P?$a@U~QNLKN3IaSwxfjhePWy*Tqx*h*kVdii5h1^NF<7;jh z0k(_S#p_=gZ~Cwd=aQtEs0f_Ypmeh`^6?N)dA@&^|$1Sz3fgU+Jj z*Q~pLv620A7SNUc} zro7#%vJd7?f;!XW-|L!4axjRV@4(X07mEKk>A2D? zpJbK@U%Pma=*MMF#NI76VRS{hC24vv%W=uG zp^q(#Vtjnq%c!C6wp}6z%S@Z-S!md+Z)Ca4rrt~6J4bVKRcuzwsh-|SUb^QLgHZKt z0+u&NhF*d1q{!&kXZ}kT*9sGUP3|?9Emi$+4h^)ePDul zlB3;`zLB=Qkvia}2Zp&h6-5*DL$N~d4}1Wd%8V(W{xbdE;sX~yOaH}$(YI^4bqs-* z&jNyLTLjBWE*&x}*D6(l)C}wIspj?~y(*Z-S_+^62NB*yktw(jj^*t+teaof0Y|rj z{-0B8Tl~-4etcsI?kA($wjGr|4}I1w6%UH)%9H9*a_>}|G_S8LYXA+GSzpU9ur|>S zYZj=$l&@7%w{W-4f@)~WtX%PjRZl%=ui&TwLrkN`g=KjZRL19K@DlQyYpSEw$t9RP zv0+`CnR^=N7lbb>>&P}6j?vaiEE~dE5;$~;X2wN~pFSS=5b{kpDf6R4)qLBme1xyz zE7Og66Q1MF*Pn?VIlRU5#r(Fn?u&CfeHA0`*=+1i(+AIf%%Ea_H`#e2((ZE#=NbOZ z;M5s8Py6rM$tmpp08u@kX^zn`H#a}CrTH}Y)I%caQ~HFnI8_GF-bTfaI!m2acjCQ& zopqaA37$bsgSy?AB%8b_FpYwpNL-e*Llj=B@!jiJ`&PnScF-MKzTO9`1qvsg6XRSG zo3qdz5oiy%_?1=*DxhbO2Gi0e3t=~cO zgB{;z7H;$cZgVibr13}nGTcl${y?mZva3g{t^4tL#Y^I{yFd5p40M0Y*50t2wlW*; zDY>h+{QO#R?SOh_SH?3^zW@MBORD4TtTlXVvXB}*@}B$qOG z?F4dd8#4EC4Kx;rS`F`d1yw)fjA!BW5%i&>+#avUh~(3Uj{weIk2zRu&Aiyq#L;=P z{G$}!N6VaPWTN8xqXujTK#@^m^3aaVOcX}S5-~8nGr2MP4vkjipT{3b-^?<^$|}!U z{@>O){v!fa0Cqxe0qM&O@cD~c;W^+{Me9JH_$CG!t32c|O3RNj>Nhgb|( zbBO@*(&)$WC9bNW3Ad!dL8xEr@$70S;zxMDI=AY4P_^#Y{xUlPf?mWp9Z|mFO5XlvW>mSx<_e!JZI0Wh?v_B$-8}Z3f{A9*%GezWH-=EY7jSr+0QMqgP=QE zz9E}YRvfh!$`Nhfawj>)XsZ$8;U`LvYfkD@ud0#ot;)I19F3*ejI<#mjq(18q`3zK zybQ(z%4x!UMfo$!W5y~@`Iq5i@zA1LB3*Ge+7a6Dj_+PpK@-ix2HasAbpPFrHtV}% zN)M8UKQhI-wd3K#76w@3NbKhWKd&B*A83>kom@~xNQMi5?#kyxLWN7yk-!iPMZAfr zhh_Oh$x~0}hv+S!JDH4#7>x<~s3*11Yo8!0XVb)mK;3#zU*Z(8Vo(K@L!1-JZ0?SM z#vp6L+;6$@>`6y;l8)DGoqV`|)TSw__Gb{wo(<>DqpDi@dEoqY{Orx|0MvqFtWl2b z1L_(IZ_j=}d}O1I;il)^mxr=11=FyB0H(%Z(y>-?CbrgCtUfa2I-N`K81uU zm04$t+Qc=925wcw?6QK2_MYFLxI4_Zk#P)K#>eY^MPEgJ_CNn!TnvsJXJ8SDCEL2; zqfw>5FPJJQbM%4%1X8TuRTYhNfkV#rGPQ+jsPe7u6EHM445&4-5l@7QzxSViYJtt0W9<(x`s55WfsL z11FMVq33hVPc!=rg7fi9csG=c4W|z(am%x^(>?Z+$V0;^x;hqdU0%7b8R@mqe#7)x z&p;S{(WZpmHTeKBg0c0@2*^-5MoNB8WtG4%?7d>4QnO`N4~CUG<>vV{#>XTQDASJp zZKG=?{`hU$;*$}%p0{~%3%_}=`u6W7Hzd$VJKuSkXr!lida^zuB7i(BBlz+0Y0Bmz zcUP(=bd5*&XueP&;0$ERn=TP~Y|6sA>^>e?EAirD|KT-96SvyliB+idI6gs06cd-3 zCU=EfNjx7k0C1O{sI-%aEr8q|16_>$PqC?o4|6ib1#j|mS<1~erlv-P5@T4{Bg8O` zl%);3M?c%RQLgG{8>!^I8s^1iyP3cmvQ3s~eg$D02GKvCj6C>;74SOMm z&JEd66ZwMLCd>Z52Ace^XazaCVl$U&gsGxL4p}f`zXq7MOEFcOmWo+cD3mgaL|j2n zxRs~)9Ae4B<=3d~)`T&MqUPL04ykT>@zgD=(MzLn!qvs3NX=P-sIX;jTri`oOhSLT z>GFskRXe@}ff^P}NoN8^`F9ZgnAG_vTd_Xx2<c4>oNgn-P1;cc_h`v1&zG%2>Ug7O!=DQeufk^`hIPQ-?e_8BF4?~HS6bcE6 zDw7vv6_0mWqBM>M+=%Mdw?pf?dJ`(k>gI#vPa4i(3Pv^=be=tyLX1w!4JvfAqkr@j zf<2}P0{BfeVt&FMoL0sKgdxSA&l!33T!>+4vJj|kVhp`G)i!a(Jj6nGX4ci)&Tn5$-0|IY8gbhQ+Odho znsE{6o5B5JepB=^9s4E&X⪼$ISL`x`1cr9qUf{=v^r6Qr#9Oa**2utrdsEn0#4` ztJ>n&o(UQaomfcRquy2o$b>KJjZH%1{gy~-l)YtdWe3*z7X%yD=i?k8?m4IrY?Cso zq`fO;ubC=8F;&1nQ7rUv^q@%QsgKBk}Q^ZOM*K|akk8ER#Y1QVpOIU^rYm8 zl)kXIsUGg%`19|zyS{Lv5wKGZtkzK_2iPs$hhg>msXt@3B=0e z8y@4KOU0&WXJe$7C}i9`$M3;+*v$eC1BrZz(XA9v_A-?X)h{V-=i*$(U!RHltuydf zRjWAYSv)-Y*XH8lPneBO3a8%Sn77m0I~!>WCodjZN>m4`fxWhurQ-H^vyKvw(ZuH6 zG8D@vAT#E+K%U_#mieJlZ*x3#V90Q$X728{bu=6{Kir)UitH|*W=$6EW7_3_W{2vY z&f~~DA&sv1nDLQXji;YusGn~lEPK21;Tgx=rUcY%&v$X$|0j-!kRr>J)@=!xC9qhd7n*B-4CJGUv}t&bf6tmD zJbl8`Plg36n{RqXlLxV)(}+aw zT}sK>=Zo1FFj*nPA;AwnJ|HQd)xhK})AR9J!0ZMiO*3ez%P-vlmIG?otF=e0!2H?t zxPoz7upO6`blzlgz-wDt??SW5 zEm4*OY%7Yz4_xv9EvrE7RM}~3S1PNEkf5t`<&MAzwAkYZxLqy;-A18y{ORkH_~A3k zj9(J&`{xlmS1D}DPxJ1M<+W9uQ;kRmo>Vvs&e4+H3^3W*kW{dZ5bM`Yp8Hw$u{Yrs z?D-JDT0%vAE`5j?bvaV!61PSxx8RbLHLiH3Livh7Be{(-Qj(LtkM!ABkH^eougM|W zBQiT=Fb7_7Uj8w}NAF8X`qmyrJOWr`A+%wp@kum-_W5JZ?hy&;HGj+PVeYR8o7w6R z3=_8@a~9r0u5xyrEOqpNC7jGQ35G6q^ldmgf`%9!s-0{F&X6(A+rQJT{%lr1vb5d8 zZzts*LFRX^iM`8(!TH3wFsy<({eUZjPRlbFv$QZAzRBBtzP;{HqeqW3ixWhAs!zXc zPLl{-&`0?1QeX7%Op@i#FLJ{G(D(dYM0}#4--)^f)Af$WaKJ!c*fdxXrGKA3sXc=}*2X@7&ND8q{UwF79J&A5bb~u32&&O(!oDWO&>ifai`Un)}(( zQsvO`eg@^^n)P<5)1&SV8-m#ydR?ZT)GT3!ZtjSoGsV5ZO-@$a&cYrTAUNOT1J($b zY*nk#^aG^7zwU!F@6ea%aXgO$XmbQRE3z^S+3S+|38Uzu2_FOQU?7zBr?j>Bi*v6b z#DNeB2(YYNiRb(Kh=L_zi$&J6y}?Ms+@TgW>P_7*CB^(vESI=3C(t5|Fh!l+IIgxH z;op-xW#@sz;8JZ_3H(8C_^ghB=~X0lE6Ucg)zq&KA1Ya#K!y^O>{JO!jP0P7t;-TP%Ut_Mn*7T ze|}zh+@UX5b`Q6(!#>e*VQ##{iYA z7U!Kkuty)V75-gAlclKxVZxo>?w@=8s6d;0M%MKyJQn2W!A-`@91Z_%(N>)!2LQ(|^uti_>2K|74e}pN|GZDOBpIm89s3$*SSq@?lhf7it`n2!!R{*Kc}yz zB@UpqDnLaH?NAP)>~+>QNTpc*JWJ}V$muo_@bAcgO1{jP6%&i6UmIEd!Rry3NNf#u zk2ve`m>wWHv>~yH5#g>gU7+mg^4MlZ`n&zS0E4{U*WxxRNmey3%az@!`Xq_-tlXB^ z|FHhI-4S^A@|do;b}(4>Au82``It5sahBdycP#&QV1_eZWRK3AB1d9IQ=i)IaunI2 zm3gfWN3t zgrsV_Y4kh+Ud082dxk9+f$NE#fS&=~Al;7`RA26q;T-p}IbF_m_f}69khkf?v5=iH zVW0%jiB9)sAn5{EYX*7;?U1yXV){Xux-1|_c9CNG#d3b_=SWxCS_cYo$so(v_>2RI zsQ;F%B7?Y&*hm(f9!=+{Qk3H^)kIAcKAop-8#zm0`%|0aPFa>LH*Qn=Et^L#2Yu33 zo(er&^!OPGG%IKQ@X=r$+FHeyysLRN@%hzAtfe$l%P4@!C!F0{%ts?Y$|QA0=J!G$ zFl@MQzGKXT6@UM;Vm>du5JB7Z-?t5{aYDQndz~CG9)|`#S5-?Wau^QNdsGib@3jO5 zTl&e0Q+9-(2V_~=hcOw<8nnG-$+|6}JKeo22JxotRnHhPI^4Q@DG2R_4v@GhQNM*; zWHRA}?x{Ps`;`$<2_|}ju3<~oI(Fvbt0hv)rDeFVy#}Q3=j`>wm<$9#lV(;0CHO?D zg4FceFYy^8aeQ$O>5WUAGL`~JM%yS4&|x-E{cWc8Q;O3K@-UZ?jJ*P+p5CK6!gPF* zokrW*58hD}GONy!OTsdqZB8p*(k*ZBG4Zj7$r^sHlw1eOa3`YF;c=^L8vhg;r81yA z@i^u8BkMEyM=X5KDIuF?FVGSm zz$_A#U{-*Ic%g)>ut-tE8GMm{N`lo)(%n~UY$oRB{8CaUUO5fwCS#XUuuI==P(UkU zPJNZ)bF!J#2=%&86Gl<4*y3jR|lGto|`#?*}(WSyzY$h*r=_%w)Oz` z$T#G7K-)MY8sRK*oZ`?s5?cbuwcBySR`w|KZyq+YM#Y|Yo6T-XrnbhF_S=a<4Y~FT zdx0e)83+B2|2mRrCmw%NZ&tgB>B+1k$@}%j*;w4yxZbp-Cuj4xTf%|)j!TC?;r8W0 zpXa$}6EdVLEVI_uL*pCtKA}Q^(wW9Bk>ATD+9bN?XHy5L@acPtj0QtPXXj!Vlsxba zqsDi0t$og-M^OMJE4`;>DA16ilmgaimYgeM7)I$h7EuQ%q}Ym7rr%WF=SKnWoFM)F%Y}4j91VeckDrq${Dml`FH7Qe+#h&$1R9*O7ri@{Yv8BU^oKG$U~_UD z(B`&dC7*vUC;QL;>kbqs1B;?Ez5Yh5j2> z?|-+@f5SHX4@RNSMZG`&+0uc8#5=%vZtotD+I`w1)kEs5QR7v#`~7hQhb$^U&vu3k zv;#DJitJhA>}Z1uem4-0#7aS*1FO`Xw$~?kO*Rl*KrMX7;}Gi^#8WfG0B4x^2QZ+G zvK14SC|NvxfUe|tVxWpM+sHsmvw z6TPhQE+L20R+ zgM&liqE%63MSf&}BSFxLccfem5&;ri90uh+Bvxne4Ax? zWrd32K~Yu`;)XSzRl59Uh#h>C^d38GK!z?U0R*7a+jqHrDJe2asL|0*^~2?b&H?K%anPBb zWywh&140n7Q6%zvyQ|f5C#>SClKVJs-0}TrsIDwILdIYA@FuaN@6=9CSA_hzN-C*q z&&1-`G!V{p;qaoYXC%LONVUq5s#<_WMNsgPi~>VJGboDJeCXWoLD0a2hj%(X<*9ua z)xtwDm{O6qA>0z-8^)j@_&GB20a`2Jt0f-M0sKanv*n9G2Ldo0jKZ2lX&U7|SMMeC z`vqFD4PR7U8IUl2x>dfgT>}B$G?GA$lW0B>A_#}_6*AsXcWx2Q?F3FLS1kW48q>jh0>%KsdO2W-hT4({p?a_ApR}Y+&65(f847WhbDr~N zXBotaPt3tN?meLNYsh$m3=g;p_6BOZeW!lvRo$}3vni+&(t2B?I8XW@Vw-1p|$Eoabtd-U#@ z6IIl6sqaRq*J9MLS6%4Yz4?+$vR(#Q6HZ+D+9M?nF!t;p#ZmcXCh@Yl;-!)(aZ64# za&BPBXI!*t@|)qvDMG-`OIaV(vmKJ8wruuY_U+t|@Cc4pFv{eV66Kpr%@C8udcCLt z_U$5)*5;E^dRZJkO4`Y(@D}{Sb`)LZ>Q*+lM6iqet4mIhN^QA;=!~a+M$zcWUy58` znEB49?@Vg(%h%ip4t;l|PV0)r1qd^^EZ2e6rU~l_C4H1P`=o&B!eha1u)0!tJR{a)zGa zt&zMLMg-6`6A3j?<&pQ9`fXN^gE3cdZxoL#pM{_3m;YDq z5D;}Zk$57fBRdN82vjixtT|_sp%az&%xh4hJQ6N@FPZ(9Z&4oT$L26>6bqFhQy6)$Q4&OdUa%gup~ZYY=EQO#ow(vwRu`MkFu3>X zXY;Hvs&FNHL>>L>;W1_mRyQNd)Y$myj&Dh?n8{{Yo(?C$fkny8*~`3AaJ%iE@it!h zi-%jn#Y-vB(C^DlUC>=mm;uL#{UI2ZJ=@}`CzpTz&&;`u1I3t|t2UpsqGm_8TPyEh z4nK>jSI!zvSE=fq+U^QAGGC{Nd~0+aKDXLJZuKzMgFP`fzu3mh8HTp>eeHYYdb_1u z(2)@4yIt&e_U%9P+drzV-eK>1(XpUtX=(X3%Yqs%p_9bsIXcx_;KxfvN`j{0)hvN5cME3u9E=)$i*?SPTb=)RaD* z;q^k>81`zF&|?-CT4Z3)M?!ZdW*6-&W>~ElqOi;jp9U5+txwRlv|$xhi`Qm5sHRO5 z&NqpQJFK@W>)lRqj2$mqU{Y0sAOlE?+}3n5t{-h$&L}3a>Yp(#P{t#0*ZQde6>vVg zrS%V@0#dW&nePof+U5|Ku-K!_M?X?hhg}Y}YP-YzH(Md@Z7<7G%73mCTjWT}+W1RX z(}%IiJBrIxk4y5RT{c-MM*{aFPK{Yo!g~s$8Tn1iV*1%d`I-0hIW2lp!<6sRcc`;| zPSIbE4v*$nuj4Jfc{qK8H#BY%!WEs8G}wzxpXcBA!kpO1U_xE9z~R#6Fc(OxR({3J zCvJ(bFk%aB>i0)?`CY1S)Q;;ipE+~xuYCuO{_c~T#m192}Hw$wx9`hxhO%-#n)k)Bo;;vj` z{*vxJj&5eY{_loI;4E8rj94qYAZ3hm9W9_M$?Q zbh$K<(n|b90Ekl3_Y#DE)uPQD4;%C-u9S`ml+5L@ESgsj*R*$AHLrK)DE7mxTe5mS zCdP?3Bz&6grlZvzh3(F)2e)Y4ha4?5$vpYB;>A$QOm_L##{vlA`NjA2k(lYqcNrF| zqVmLRa5XLI1Lc^6ZpwYqCMgoM_4pZvguU@{11?wa&EB+Qo3Lh)YR}p&n_Ni`w9fw9 zhNr%rvhGyZv-Uxa&)mlF5O;(v&$&=nO9!Do)!*HH=5m9DZe95>!5-#DhzmLdCo#a_MPN};e zRFZjB6xSXZWOczjqMv&}lsIU0ut`3DGs4rebNN*KVCx%cW(@-G>EkKYNI& zbbLfOV_Y=7`m!9I*lvnK89uqz(<9~g_{bjwOAu%sm;j|SF7d;HRD{7iI?T#W%%-{PJ;$e>dk$JjQ~uf!0>{ zP09P2jybGQd-S`>auW*w9$8L-LGAyB5zhP=i?ppZkxD;M3rN6^wY=PmQi*a4ZBY)| zh&4f9mz^^4rtYC)tG1|vJCv54_^*7?P)v3<>j6VKv+xqLG|s~!N3lQa@9zKc^=I3~ z-LTI>ad;dIy&fvkY@l~{mO9}NwMPj4Qa*>fhAYG8hQ0E4(tm&;%|tg}&&CK~ z540}GOgUkTznft~tFR~(uB6~cKxt!C!jT0hy&!LumkEs4H=$`K?wYbdzDQrV*2lN? zc>cL2fug19Zcxd3+>?giZ$9~LV|VS{qhVsy88Plq`4K+((7#rl7(RMjEeR>rn+?Z0 zf;kTfSSw79Rkl_!gh#Uo=8o#P?T!aWhkabYz8Rbph9%!bK@S~_kqBb}Uj4x)D!-&)G$W$|XbDsm9HaP5~(!w9W)mHbwvRO9Ji z&|ijP0&Zs7Z^Kv#vpYQdeK&JV%pN-xn}jv-x1L+Y6SJ^2*cn0kC|Z}-!rNeVnP>Jm zdxq2rsRA5>x>Mw*Zs7buL1|W0G4+oZefR45*&BXh*T#s%M(oS*I2o6yuU{_&2t)S! zv?twt4q;pA_!gXLshx8F#C^2+QR^w2hu+V;D=ILJ*bMKisPTZ;arJ(6WKZKyr{Xa6 z0E|3R_kAlcC{GlJt2v|G(YHCd&$=jgKV_tACpxYc7YX<;))!4>TGho4%BNCtCWwm? zkv*;NZFL{#)_A{@ipanlDw(gVe~UN;V4=Cy$4fWlbPmuCZu)suViGfz=!m)iOgy8O7wddFK?SBkfAl4MErz9h=E8oX!Z@mBH=^z zD{_-zzQ0 z#tBgldkHlnucVW2y{Fmnig#>X(~Zs*i_7}bPA0YG24`+ z)T%to01OVu44{qanRovLyCpZ`RjXy)WO21PNEQ$PnT4B6lP5SZ(JK!&

uuqfqpSUmb(5!X}Q*mMr-+zaL0SjrB*?!o}+|?^@e`F2AuTR`R?%Qj>Xq#=3t%`MTxF zic@~Z5nlQMmhgJMh6dPS9HhNa&*u&6{^&@q!ugUSGDLpi0Fe*ceB%32P8-jQRxCWeeJ&^raH@jrG-p;*$7k9Du! z^_sX)5wL#wn_e|RGrfB#I_a--S8-ROM~+pb=sgtns04Q?m&9w4%G&6GFFwwUVS|9Ntl;c!AKP5v;Vq>%)FZlzjowDUOBW_#B%Ge zNRKREvs91>#`~LTt1q3pdN*)?t}-R*nt7heOeN#nkpH}WMapASdqS-KvvFP`0&+QA zK!iI!p!|~XeU1A@*?iYTA|a}Gw!x^9s#Z8V9pNY4m_1n|NX6K`H%0-?7X5~rD-yEjhM(&-Pr7}`>Up`Tt}3h~ zV!;O4F1WhCEtbd5M;|p5E*En|GOT?Cp&qJr>);owh_k{hhKO@|uTePE^V+THuL=u= zY1vmUULR7^9%a-8tPQ8SZ1ydrH8x^?x==ly80VQ`x*6_@!N{J)>E??sH&YanaS(+m;3Dj@+YNyTiN z%J4agWn=bdxB+8&sTP?7%lDF?p^}+KuOkIt9l~z!#Y-&=j+76Ed6!A22adM0nzGAYIcEg!&sqU-Z}^YP zk1c#UQf@v?>cW(lKNbksmiQ`?4_8@C>^A;5@omGP(lket%!Za+$-nEj1F~H&ORruR zH~QIpR{zx=?c9rEgFLaLvwI8)XCy>dcjh>3@t~^OFm&t0tGyu$>o{4F%$MFOdtjM4xN#!io8)vOHXO~E`>i+j=qi!B69q}G6 zcoJWLpSQ(_%#ru0^_t6O3Z(nTSedU!8}ddXQ2x`#epxe0+P+s4*cX|!FA&_Uv z=Id{1+5V)iS@B47JMGHq>0+MHCD^--P-6P*tT+NfHqH2Uuh4+gw1DyY9tK-*#A{f^ zCfItBj@{)#CVHb*;Fz@xF2~`b2e^=k(CDew20uryI(~TJ@r9X84rq(ambtl}m{9mB zkCM8RmYlJOv56z* z2pIux!5;^OS?9%vPkkF+8G8$th&ugRHp5z(ybE(Ccu9#IM)_y1w*?1u*nHBCGA4xg z=r#4Od{hyd1|NgVzxe0EqrdPdvzsr91u|L_@bYRGE;<~XbD%C!YZsbQ_~n!06ub$y z_z$!;ihT@0GYl~qP_y0}f5Zar3w+HKZ*zgyqP~Oc)UT$dPXda5Z*Vx=_Rda2d$Nj< zqN4euM~|AHxZb<>^6%HL7s{3grZeATgy+w-vmSb#${K0sLdBKmE%9HKe3@@|T(Rpo z$;8yMcD5Z%rukQ@iv@{txBwY#eVaLOok*I|x23et;DZFMcM5I3jy&+Uj^EH) zvZBvqKFJvfmMJ=Gh`Jg8uhCGo4Rjn#xO#gh_&e&xO5`cw-)iRp7yvbJ@&?21WM`7JZ6~6FtHvkgwgL zmSlc3?T$+lG6^Iv$oN}jBZ-PUaPU+~Tp}S_u-D^DT11cjlVY)#RhCq0NwWehDk~qeg3KM&IpZP%!b^KU+WFvII2B@E2t zXni5EuC5BP+;k&st+YjpI(sne>MJcEOPl&iiDpG5L%`NR*klw~_ zdCpJbBO?rumzY$ql&rudaIRQtrnodEa_~M=#A0D1hS~Q;N61=^8@6s>Woh{4a!2~w z$QpTJxC@bm;ZtN#c5-b-xhS3$h)5EjS}v_zXt;K?GWuPkh;g}pMm%!8%RTLTCAz=> zG7GtD3Dc|?G@rlizH&l4w&&$AHfN^WOFUtxe2V{CVd_SaA0AGgZI~KW6k-Z0;LO?l zVJR00>G4AI@WTgS--L7jk zirarg%m#*EW9Q@)Iut0sCXtk&P$m;(QDGx7lFLTX{$9i~89 zTxERZKXn+*lf~niywlr>^)fc;^-@f=N2bF|@)QMT{|q02*RJZ2xWm3ZhpbmPf8c0- zPE~ed^>@R2MBCvWoq7A-o%ql{eTQ~Blm8&&;_4yrW`Dts>G$Zv39tK3{OKCqDdR}G z;9BPI0QnSZ5q2J-ve#-WNlf5Ie=kK9s43`w;HbcTGV{^^eZf{zKuX_P?xB zYY3UT!7kf*pbbF}O=Hun(V4%lZ1iV@z~0)n^X(svZ`fb()!QR$p6HQCTbuFUo3Wq{13fetk6FL2mgGd{s%|1cyzm_uCDi% z_x$RrtH;~waeK$B^(X)Hzt{Kqy`I;7zwZ0t`s4S<^PgUg@%fzRc^v2Qejo4SIDP}Y|Foy#{-N)? zp$E?Q^#d}T`%C`)ea-^=PAxizg}P}RI(4&%fj5x1OY(B#@NF}l{7JSM?!l9;-v59d z-E;sp9-^^E)H=q<_+fEzu@OY%(*@(9gFFT;!8qTjgd&A2;jLu1|~J1;oTh9+Zf-cNed zuz&aT+3I(ov#+I^8XF4{y0s~*t5F|6oN-z#MxMIoCW&+?bu5Tm>p)DW z)*h-v?i!iE*Mb!-f^&IYTq%~>K|0CNN+q*o;41*&OVqqAVIi`15*VNrib=*K4DH;Q zKzYXi{{3FFW@I`P@$UKf^CRS(+@l=ir^?I9yR5wDQ{r3dw|f_(!jH5UbIT9ob3ONFa6cTj(_^`}#qjX0`8xsmr z>XhO5ET{mA$ew_9fJ*dbY`E9>dBu6k_QF`;_CC+xVW4|U2n#5 z#o5otUGx^a=Cf$=`^l4%%r=i7zoK=R99CVEyJPd98e;jw$^=vcBgKDI;T>rPTs{@#g2e{aw#)FPr8 zTX3|lJg(Y_9Xe<>c^$nLu(`1cvu>OwuT~h$lyfyS@)^q8F+omI37PptOcfwR2CZd3 zHom}w#o&|OLmx=MBRvt#Q4kil9S$n{BVxK}f8h~A64lHnSv_k+HUr)3uCUP!Q91cFPzp&ujYh``?kL#t4iRJeq58b+T z%j4L?#CM5_BVQ=8U8!RMn$br^;T=}T9vWp`n|O`VvV*XCZUw4(4px4@N7sO`7_zif zkFN+Xbmw&$LS86HvV3&3i@)ZO+7hpb2ft;i2609?^h{}>9*5?tOA7slmzmO9y;VaP zCvcu1O6KAM>N!%dG8jZ1_;8}jptERE~g1Y{ApBA&K@cehE}>4>1n$$r&w5xse3q$EW^wZ|b)#G2+VjC8Lqv6vTAw#Nz^saaUxB;(J=%r^PKw@OIrTNJ4CkE$S%7Q zZYik8?yRUQz~l8a9+Swy{{n1i%fwbBt@)dt=!gC=ugtH7_Y>y$jW<81R>3sYDTKrq>_=FvBbt?-)?F$R~KI^$DwsTf>)^)0o=?&mik7OhB&sh7d zx!S@`d<5+oJDLC77x>>zh}{CWv)Qt)KBRkK;2|m=OmiK{)Du3%dhYVq#01rTMfb3C z13$h2ZEDeD3Uzr>U`L!GdR6$RfdQmxJS^1oCIq4_sp%Ht}#f>=e{-zLNw)+|!MW3^lyMXRiVsne05ZKx|!DmOxIb z<3PX1U?|erx%oYYK4UpE)-Fx&{4matIofpbj#dG-(m8Zk*7oH`4ql%e$AKy{oYapw zB%y$Dw%-xA3@4C6#rJ86qmB${Txm*pW%8#_=a*LV0yx27j1Ms}{W^m3irz1D8hdg6 zZ-r_|amc%sz?XW57&~YNb1RvY6q?=bf(ISO%L%uvY0g?HO?n1EHhR$wYKlGs{D&Oy ziy13nZVkhOYuN_m9Kz4*X4UCt#~zN{Bw9qXSC>kqB&8SVpa$&9Q1Z>-~P#m+k+j0bb@k-c!(5Whj02HHK;ZR&d& zm&@-5pwb4trM>jhvQVw9yhF63ae9PUQi6A;`mq7@+C(pRV|TKmb+Sax32+m*4xT@_ z&nUF!_~9(j!B&i)m-kQdC28sY6DJA3%Vs=d^dG`HM%px+zx^!@)s?g516`8~_V{oq zjnUcvaW#`i&ixXDcdRx!jSG(njc9REK&2 zB+8x~?}g!#?g9VAPPwRW;yzeb66`Z(`V6@H&X%?Te%kLG>*QvYvR0|3Es&0fc&_8+X{{umvZyX~xFHx=-+K~DIY>_sL)L05ChZ&78P zqN0c$A|g7o0HOLvZEDLF?L5R(uj)%&a-)ETxUirY9$nole3-j?>*2->OT?Q>gkBu# zjH6y(*=k&m=*X%Fb&A{#UOlVOTMznX3AQc?QXhoGzF|D{*2m&5?-9n@wRmgRo3%Sa z`dk;z3-O2d?Z7@~WT@&No~?Z%cYFw~_1 zp#}g2@=Abkj?iRxNpcf&e9W%{d>ux*W)3)Ah~gHJAK^TQEo)ju+9OvyK?2$n50$OB zBcp-4?^!}g6vLK2NLru8Ysi)rek;UPMsK1d&s`|6Cy9PEadsEEHkNhOxewwWfBr=o z{wEY45fHJmUrNgPG|w^r7x>$|(cQ+zoatj*TcRQ-l>ww$iYyxaDQQ9rO!HFOs?3Ti z_1sEkKw!}tso$#$;oXf4sxWu2+q9o|%UGu${$!}lJDQVJ-F56Y?kw-R3BQYm&TUYE zwa4W5yn-sN3;cDLd`F}pQ$rc03WHVF+GT%EFTblfrSk|k{cU;^x5j}9b^0ney)f~| zguD}_^$-~3qkM3;N_ zDkLPM?`6a4?X$AD6*$3(`Xf{{3P#=u*&g1`r2oWYo+8A0P^?z_^!K0ncS*Vz;|0~K zplIXv?c1}(#YG9c1`78w8yTiprj`eX+E-{G)*7Mq2#SbxhMY-FNO4e@%b2h|eu6EA zt;&d3wax+&d(+`L){1l)+*_+2E*6EPGKg(0Zk1+`cuTesq(bLhVZ>Z5Xl7Y1Zf^7= zuix;8#Eeaxm-Rwd*?e-3`5(6u5V+L?Y1ggSH~c<5JzflrG%7{bk4#iTyG8MtC)dN8 z%S(>LUzeIwj{qVJkGY;Z5%FD18B{%Q%-QxTWz}SH14J7aBI&2Vr9RX8^ZNz1*LP_c zRnr|+S65fRBA~%%WMo|Vq#1C4g-{J@8_sY}%Z$SA@93?(rc^AJjaHFzP>A%w#R(=^f<;n zPGTUcM2|ex-c5>x$Qd>|rKLJFia|oV-MSuk(h7*CgioY~3p1;3vE1+EwIk?W3-+H( zKQ|zYMIBKwY@1u3BhacT@W?@!(oC8W&N<=?Bj>+ zk95af40OFJUd5c)URyJNOj_x0v7NivX*7+mR8}-8(Uu~OJW&iqB6FU%r5#BWO$khK z+LxEt=3_fG`yg$Z%nXh0(cAQB z6>w{O8WTqW+?0fKy?-oq#6*WBFNCUKq{)4w5+{=I+#_0yQ66E9>kk1cgUYJ)}A*n16YqS$3g|SM@`-%_s(ffO zAt2{-F^g9z({}ZYZLEy#OF(@9v2i0Fw~;ff2=rXkCM!67bk+=b5Hsd|6Ig`Jhfvpty}_=*%HxL64E<&XO*;yf#I?o^z3zAoWW= z|3@oen@B}obA9Rc0jlLKC4HmE`FQe^teO@ntZM`2%_hC9g|92_~ng9d9~zJ1e=m@8-db>le_DVxXmz|RiA+~uB3tvFt7E&F*& zl&a*|ajw`uv=Fq9ldMyHIVYf|dXDD#^c~~%PgfsGU~qmV$_wNQu^rn(uV#p=5Y?!j z`hTe`c4;KRt0EsOXY}8kL$Vu?}TSG32|pZA(0OdIfFMyFTWc%%(=~L%c}rEEEc#OsH>eI zCMV$yYJL5xVDhV11?!z{0PRbm>Y8}n?V?CLo(bgC#l7J1RNun+|7_SCVbWx`G)Tey zhfu<)i|gu2ey6GRU4pg_B)oS+NE!YG3d#+3MO_y{js%~_ygxArVDcmfCN|>+uv?8m z;eDU3(lf8#yg37IxAfM4eV)|65BQVRXN(MVX;+bE@P&bX3`_5q+;-}id*YRbUsvGU zqR7$#-sPEJx&HqAo>LZqX~v)ph|ZRu@6AKThCH(J#(n}TPuDbbt@Nf~yvK$e?uza; zHSuql=%WAoIu}H%ww4DB7-!V)@A)>jRnERoDgrze=e=EdPHE>Qb044br{gX+Wj~y3 zfAbrVpT0Ww`V{vBqV=gYi}iTcBspgKyxV?RNFeUu-<7IttM&6O-2hU9K88E#cN_!M zNg@A!)BnLz*&o7D|Lz6wpMG39uW)&4J8M#(ma^%X_U(D_PxBqoiTtB5GwVSVx-`BWA%+b%L} z_v&d3n3tBxZ*Y~cUOznDGky~P%aDlv#+?!I4|pHPOTd+dea^$K)9KAXQC-*G-X14` z$w4Abrc=|>_^({K3+DOqNUHIiAQZ_QSv}Mw+%#2RYT(t0`Oc&p^v^-GA&(DuW!KiN-e^XOcjicBp{Ar=l!z;^O zu$`qMFTnizAK0&xz*#yCWZsFO(dkwC2isa(Jz-nb)$*K&3{otHIz>i7k@z;6v~vX% zLfBZ3W-wl=yL1opW&6XhjM0yvTK=kQ&>}_&>#6W4T@$nUHHk-mJ_1$9sS&{;FXZUo zPoLp9odeoenCA58*qt1KAEh0=kFXL8syrF3J;8;nT%vvR)YUhh^g>CppT!yZ2l%%< z($opx$XoNiRd5#Mb}R-HOQ3KZB@z@-Kg_&A<2-$aHz+LN#9gi{fJG{58)%q*tC8x@ zVGsBaAbyW;2Eh0d<|ck#E%;6&K*9X!>Tf>EG`$U2_`na1zH1FhZ%|i#smjh3bctW8 zuG;2L*TBb|EjQMR&6v*J$XoW-b}95A=+n6w3!OeDPHi$XK6Llr_Z{~Qaez8kyS8Iu zws8n_=n)T5nD32UDMB>1HuHd^SB z6S$$7g)LBmTroCCY~{%f*v`+U{~%MbqSr{ z`VUdUbH#RCEPWwI!nRX=E!%HvcJaKUwwcc5v)fW;a73Gk1ZcS8m)v*nUxI>Om~G0R zDQ?7{v2L`_ovUqM+Z3L>cuo%3;u-{$r{vTcy*@sp`Qvd>H<>kzZPL39%5-^)_?|=d zzx}|I9R~Em&gr4{vsv2CckTq^Tpm9BM8e9QK7HEnp{{N!-6LG{079wVchipfk!#fp zjO3VoaM3IO zf#TC5ta1Uy{Mm|@*GUmNZM{jaUO|4uo`!~`bnJ%@f84oqN7uk0LptwP4NwmF<@R-lI|VkdZg-!U zGuHB*7{K2H0yIg775c8!rJw+0w;@w&Rblx1uhVV=3hXgJo@ssyk6%kX&mawjnk$GU z=WX2PrnT1SNZ57EP5U$iE-VjuQ&z-tif#HY6fBiV(RxoZt(5lV5Sq0wX<$_p0?jviF5K_?e$}YL zD*g1AfIHzt*94%~Bw88RR-ImhaOd!=diVZ0+7c97dTa%(e$UBDw0Mps4MloR63`)_G)+BN$l%I%DOXwT;v3e_LUoXi}m5 zra3f^p9=$d=ezXMd6G=t)DQ}LR@`fLjiEP4@8zd`5fapHUivd@VW?n;`McgL)-GcCYg7FPSFsc(uT=+cb_TY@GHtOn5 zooM;OhZ(?c$Rk%=H4~=SFe)dGx=QQ zbN=OaDNF~TA&^3Etu-$DD?;TC&PX9={7+<&ihh* zTa(izPG;pax4p4{m|f)>vP$S1R-5iO((lAfZpRB`o9eb&{jT%7s68;++y;;;0JM@L zyyx)<>M@(my-qENUqGky zGwkewimDbxTFHtw=XX2h7`I6?tR6xS7Ty(ASdeg6EY-_xi5EB5ukjp7@+`8O5!!Gi zMz|Gz`Hb@wk?E96iD;f8CHX}(4|IPH{fd7Xhx|ayXE`UAEKs9VV|}mSg_+;QS?()T zjVkj94g&BbBOQ+d97-Pf-CQUxNuFzJ5W2brYAx^TJbmwQL+EIZy$BvXob@1~Z&KX} z_stBnUfOR!=dyBqoog#%RzYi)Om;pJkjJ?I;#)5=PNc4`4zNRCva;@$It>0HBO}vy zW)6p{VrT3->v1ZJZ*e(Qrbx!BxY;2_(^bOe7yEL%OuM}Pk&;DNjTtju#dz(rzjaGee``4mk z?No-VbUb-Fagf{yoUW%)?LQDM3xPgX&OEZR#vy(HSpZFO_rgebSJx$}(o$U{BXh{h zmvN6Cm4(L6FYXE|mgzIj(K-j!8V~b{enh_x_=#^Xx$gwjZG0}YB9rZ()^49I5TWr9 zLqnoH*A3(cw97 z-7XBf#kf(A6hd~d(&i#f-o(l6P_B0&c-URVow@5VRwwp(xgR(ro4*SW{Hfo+f2TR6 zrzahJ2Nbud&ws$-@M%BKB;j)xt4{cbtc+)$yEKj{XanCWzYbpPh?^;I)=>le=T=_ci59xHZ%3`36Kn0&lGj_HTDZ8R3_Bw1fmwwXI?X9~|j?l`7 z9958ybQ}R~JT>tWp!dygFAFQ@dH?Nh+tgc=2BBfImYyT;d%;W7=b_8mdg2 zFYWUtd8SNf1w}hA$pz)*5Ahn1qa@H95Y%pi=C*~*=~=(rJ+)(kPlRVF0|g*@$J5qK z46W!$X|SigVBb}JqP<7jKJnVlW(V;HSCX@f1q3v>3G8_F)E}uU&#po0kZohzc`^a7%L?>RuRR>kfZGkI3C{#px^*<^C%$5 z1f3nuT)cSo_3PKE$iq+(IXNgYCnt{=Z+7(>07w$KGuPZh04LBCUyS?Usp@I0mR_3x zEpd;Jw#%w2w1S0@xzO?~$733gu48+P;J&lTdU(Yw=3v#wa z@n{pNbZ3u>pZ56HNWt26>7ZJn0UEe$elbJg@20TP_u@{AhDU57)=2VgIh8o>_4orv z&aZLaI>n-Wh{{sZGu)KEGW{XSw9Ls6YC@P^F!bv!g5|`QwO+02zuKH0(5c&ewR>3i zp7J^C_jioWv0EIm3ET)!YCwmOTl|kcvN$!iv9z>6mq~7)@o$r9r*P7VQ?R>l*%hUZ z*D;Zm;*SFP|58M(CKjS}Ba4%SIJq-O0pdICwD519k3`h~tQGRT(3L z^c_9_WqM3KVuw=V%QB|orSRp{roxw%9+57sc3N<<`PrC6f1@vSt?!fG+%9fwgMUbC zPyZq4;(v?xTcYBW@kHFq^5r$*W({`GzkW|$t)KlCxS;>pQZ9fbJ^z*C!UfCa$;PiP zV?U(GypZ3Lj zDPKg}2N_qIp=Ox5BCXkAW-^p9@mvpTH4r*6$d)X^*+#SPa~c4hU%uAW1nBLYw>5#O zrU+5=L~QyvGiLnYWA3garg#(S@+4ebMp!{xKs%n?24^M?O6iu&QqZ1GS0BnE0-B2| z>g!u4D3xqQdtD{aF&yU-s2OzRq@5qCYPL7Wu=EQWy}cS8hd&nh=FOYgzC5T08K(f6 zs;1@Vi|VqBu8c_dRGh{-xvQ(aJ^x;zyU4mZH6z0&9)@mRRX*r<^6l5!hMyhq+EjB0 z=Bk4nb*e(#zOyCEJ_~CSGnf_da)tBEgxcGPZPby+yp!iV5-VJ${eqe~JOfXfm~>|U zp?dNH%Y^rULZ#;dt7ML0{bu@cOM@{p!iBQ88kHncFp-%kEq{c{ezCWtSDZS<#z?mH zO2IfBO#Ugc$0qq;B*cK(AsQGk{JaL+jD??7%H&y$U!SV*-1`^uD1SC(5IknmnSVX; z_CEIJuh}okAz-|p_mzUyeNTST0>MjwQ`;VAE&SUQJ5s<%8_p(s_x&u;?y4-D1te~A zeDU8SZvLC;9RGfR|MLfrEKq71vOJWqM_=)G-+W~{7-@r@nZCN;7vmHHQAkR)l)(S_ zr2m)0u{#vORHU^Enb7^d*#A31fA8^sv6BDq2>mxl^Z$=t$W+$Ddv}7Fg&f=YVOy8^ zDhk}1CA#-&s9F-Ne17=l33U1nG*zt(`NYncqnNdI=$&3J@19LEQ2IU4+iDpLi3M}e3S|zj4L-%Mmw6+Q^U;FG{0WF1y}^o;?3>#S zPT?!$@SboqVS&T#jU@KHG9C$c?HC9eulagZmCO||-e{!tv-UdI8yWR!2Q@~nsQ==y z{x@4y6AuMR-;+KF0DE42wQ5kMl1Ac96%GgKL5poP9>hzD7!;U|IN-n_4`;cp7Owe*9R4<0ag@p zeAAk?<=Pa3<4k1S`BK_kXgc1^z1d_C(9YrK9ukJIpBJ}lci2#A--ev>Q5lo<8BxP; zEbWf-#8x-GIw1EmjJpDiwB7R6ff{0`WzX*QajTd9dR)%=Z{3<3Eb(!1meVb!^qgaD zHWb14A(l0Z&lh`_;*b#)OpjVN4n3}3Xh(l&0>qqFBZ>;4=x2- zF}-aPjoR>sr!xIFF89AY#n3QdXRQ7#f;~`&)z#J3TQzk{_4V}+t9@KgaLV4`xFGTP zZcCCv)y;)?W#PaBs3WR(cyA^RH4B@yp<()KueQ8pcrJ&>op)z#f1PQz4!ioWk|!RD z-|@(wy?9nt^X>Z})%rqs?Q!+^@z}%dKUX%ot>&5xhvZ8Psb-xhd#VF`t||R%LpV$o z`9OA}j(w@47!g)kUpcGW$>-qP@pk+l32(Jnc-&G(hnBl_LW)wX5*+lj_d!}y(Oki6pznfH3)u`n!| z(Heh2&+OBOt?ee$vf%+xbnrpVFS^G-IyXEj$IxcWLyJzTHa|gBx*DDT@IpI!{eip; zz0twReOn7+4Vl+jhYFS!;5L+6PsrWL9I#zctecxJ^BBgFU*R_w`Zqr9ea~ZRDsT7q zd75JVyC z^euJ3z?REg7YZ=CQp)jt=8NGGk7v^DdZvbuG>B`RW3mW`#pVzCj5i<^4t-^WH& z=cAo<43FJTavvF7T42VX3h-NLY=|i^=CVah1ieQ$m)x7UTxY9=lCRw2voNX5aMe&T zS)CA`NMUD=Vv1QntUnJO|42>fbRfMXVz|n-XESW9oL>f2iDEKavGO!zS(%KXtn07* zkor0Svoin{UEyq_YiMXJ#mrF~dX*}KxP`sYJDu@qwp7oZKZC}7Xo@qx+>5p59umy; zv+l+-R7?%MI>0v`Y8y~-N|xKeNfz$2)9TtCfESjdZkGk{;OG&AGV10Q$;X0r(6#QV z;q91Pzmn?QoJ&4)9&DKRbl4_8_n@V1-3Jxk1f}zi-iUr)U1s7BEk5OP zK`UjH60xmKD7A}8T%KDWj_v;lW{uSe&c{x-%ON)@--Zh7ltBv#Rz7UQ*q>I+;W>DE zg_KIoJ>IP&UF1iUlI5uQ2t4&g`COXPlk0~P@^=Eu5?S!_JJ4X+(y7|HI@m=ye+LuK z`d*NYeyRv*M3FX$sYUA6uD&_sa2m?gmjx>sJTv*NlQ+A~Snkzhp2L?VR z=cs%Z34F~bpo)x!QIeg*!DQ?Pri0$En7Juq^4hSbz|5av)NS)zM`Ng0D6O8h-u;bk zNf^!+hjr#Y9MNV=3wbMg=$O*^x_6Hl&*G$4(VwWx!$q*_qVcHmY1`z`ZYCK%-Kbtm z=vTWtn;57f=fum1&1r!=`$D%^xn`O8KyM zR(vOFV-P?2s0vjAvBnul_k{;`*Rt&*isnU0@g%>oY?~RS&EeXw9#dWGBaxV}Z)#8D zQ9cH&rCZw#@OOuAcAGFBF{c!_$A~u5m1xb(#arEyaC&Uj^8H-FUorvP-GejpeC@As z!8J2AtSmZJfT`K>n?Jl^CO8T8OFXx}Md?O_x3eJ+aBoJuTbjx=J3V9K?FDZu9j@?h z;*L|m-4QTJ2$74|_$YJt0IuuvtZ#oZM>FH2QA_ne;?ZPZ9`r_)^G~!K+3=#%+Ey9s zpZG{-S$<{)tz;zym~^Y=lZnymnQ*COqjHBw{#`le?v1)}0A67ue|@RF7trQnHIkgB}L03#kStMlQDlnl5w` ztt$|gUbFhc(A-W6oqaUDH^4C0ILSHYR&U+?k?v^?pdwjomOqwot8350;h_b}b$u{< zEG{w63?+-m0ubVEadm^u|gkMv5VWzf?gCd zyO<)!+;BASsQ;fS?%0Dwp`vhhsZtN5ky3C#sAJ=DKSSf(`rJnMo7%5gevkUJFw{1d zM9LBswYuf&;^WKvYuy~P-tM3OjS`$}8i}_@>YG3YY0lZ8o#*54MBNb0V4<2RW7m)S z%2{0TXe;h$Yja{prdslOahH(uL*7r$ArLAwrpB1Hd0e%fr=rem?!yuZB@qWC|Lsh}n3H3y{T@H5Ki{9FI1)LCRxOL-g90a6 z@vekSYQpnLzN29eLcRjuq}u%E*Wm3j#58*IR!?6)D>H@M^_xHP)o_vLPjcSMg{dEn z>6G{?e46%B)qsI?wZWr}v%#lakcX0nymwqwQkJR0v5u~$G?M8$OlTvSpNs*9?m_UY*i*66A3gA0i z2to(X;-=wr463Z_oq50Ll<)&)g2I*UsZY!eV`syk7^IgCzciIC+bRgR{7pR3(D0Za zD;D|TvyEwO<&xP5Y>M~iIYrUZ&LFjhs7!N+ya}1=6#Sbj^v_Y-46U%0K^%4{qeOfn zo!wUw7gW!64zo>_W8@vGSel#{U`!S$zF#AlfPL>6^QdYPYv`3dJnCKDTqwTbD&-b`q$>2g-C6TQ`ZW(4h(lkqtK-L80(CXJYy(0K7 zUyL<%``)#&)Exrc-OOf_{!Ft^o zcir^aNM?EdeAx*?Ib~-{G~XAGP>pEf;+(!t;Eu|cUSlA_8g^mrz(Ua~=LQVsTi3i$ znW-To2$TNF5FOZoYx-j#b-5rd>vj!?Rhg?WfgKp zMUU@YHAl+>N6HGss-0G>s&`!6;HJu3ptQ&f8MEdkx~I!P^<`V6V=w z+>Z}1mA|$Xc(QVs<87!)C z{In0bBvTFfM|A~usD!xYKUtwRPV|O*28nj!3duAn@-IBp({Yt1I>PI&ZkT(Vfm_~5 z7ao?Zu-W~|Fl*Dq0YDT%ueAI}p1A(KQdky5z_-JLaQ942O{*7w9Jek=dj7qRP$S5b z>uAb=*do3R)+@`ea-uth4^7O@c2(Gy@&rF?-=0=tW2iX}O)PBJq<_1B9X^{6S|%$^j!%tX&X-+ z4<0dlC?Rn9ZNj^Scp+xYdvZA+!dZj!R4N=5qa%7MSx6Z%ljJNd=h=U{YN|ofv&7eY z&#`hINO$-UVFE_!qvMWwCKW{ks~VqG4y|#aywT(!BbL!V-qCLsEsL%jmEnXIgf*P& z5bn_^Q~Z>~(Tg_(alV^X@e7{aVfgS0v6iP&rRhwB3xs8Lh*w?<-T8K=V4USp_0z!_ zkO9>kUg;z^j4G-WK?kc&ZQ?%hxXiq1<5)QcD95J$lXLW;lI1{=;kj3MEGztlO$^ND z`}NlF?(ZyR=AFnQ%9jsz-_xU>LlYhLnkfRX;Pd!N%t7gn2cLmnO#Dg5XMcz9&kuve zQ&v0XL8>NUj%w=}>aCqIWwh5ECch|hk9S`Lp~CV)_y}=ewhw64hjDFRRB)_nT%Hca z?VSx=c-(^2Ms3O#n&Lsxl&)aX4Uw?gh!BA500dQRnR^mM>g zDBCnyy&28MOuf~a*J*3NBFa26`QXk_8vFeMD#$y((eJGq$Y_f!exVpj36yT z0{JLklNDDYs|!^2`0_P<0zAhyk5otEP_P)39iTd`A{5qMfqEBfN=ZqHj-H<4CnK+e zL5GHT7l+laFBda$?DWm*eic2Ra9NgRdt*g#r{Gl6LQ(-StId&l_=4xjoZ^Kl57Gt0 z1TX6^r`#$G2Gb>Q?u*&3oxiii#N+H5`lRy0hG;|c+g*5?jI)w==&(KGh#5$NcVcX@ z2kcp!fi%>)!fCM(h&}5fLw6zVun`HMCkK^nwzO(}EX=GqsZCKSy!-;HrJG zE$*;)d4{83XSl)ujw~2Fxi;4+0AFrQu0!dO!j2|ysK34N&1$pz`%aJ0g8>~aJ^Vv% z^D2t{Qg)W%_sBUJ1bJ%TVTFUY9pE< z3-o3+_-QhXNH5;n1zs1gP1k%Xd17-zQqtNA<1;xU9`Jo-lP0+0-?c3;)ljFoq;%n3 zINp5`_NI2wJHSe1cw?RO{g0IF^xs?0Pi{?5@Vl&S@1A5%w?9M@2J@l&;{89VajJ9d!aw9IY^M z7Zc%(SeFaF-|k)46{SA0IKte%4S!?ceGbmOcMwtbR~`ah>9ue{<>d)M*y_0>3F20& z`i6!viPCp1+!cFx&57~qK~6wj(K}?>n6~FSZXK#IVduJ)2HEXvL(!KySw#y4KQ5B zUVkOs1W~%F)AnnSvUr|OM6R)FT?8TT7cJ;QL@>|#H(xz$Tw6mX8;P=H6wv^eBgcfT z5(mX#`2f98$^dF-Ib^1fx`JM$*pC<88kK{i=0=W}Q}r>9rf)BaL!^0U85vn5P_ednDJW__Ce7eY4^d#@{k4 z1obkG9f)C(c&Nz(@fhh@Q^Hh8Il&hDilPkldV9#*V=v2rh=bCcYgBcaoT-Tf40RYk zwYxAQ<>tjO{w-R4rN8_Fz9@j0PaOY2Hq*{xsw$t-hbOGT<~P(PDyz`35mCe&Qcjgx z6#>%Lxvm;k)jRgK^@&=;?9F!3C2j@w4`+%6`@s_Etd4(@w{`nS5zWsrGL7`jct?6! z+U&Glw%#JLBW7dM8yvqQ+QkLjRkM>PzDKE^y+7%+-n1gbOYvj|LO>C-SW!eSUy->_ zcXTREdfmDK6E?HaBWIUu!O%OKE6EefP^GhT0i_Oe&eXDC{794%T;$5I8%})BtbL4f z=AS`FBvCjK;7o*}y5@M$r4DxLud88w0s*gY&GIT_m4kJp(kt|E!PQq4VwlC3u?8N{jSRZ~U==l%kG?OyQ|2#*67ba@U3Ryo9Iky8Frfz%lAEP_kpVgQon(3J=f zyVVkcx=p^kF!p%Q07DaK4e}_ca^c-?7+^ZIb^+xLQYO{+w2b?;G52QVV)tlnfq902 z{zXZ8?{z`{{<{`*7VXnM^Z;toUrG<0MW7yfoiy9!+r3>-?y51tv3X8ZYmb|ztoFNu zF)b^N)P(-)ezlN01(G`>Oi5jQXZ{oB?)PhH@BZ!u@IS#X9cF=V){7)Tq*s5x{$BpbfZZYeLpVFLV2-^au)qIm zA=pHp#9*%du6>>=_?{eJ7N-~cc`tChYh;1(d$RiNHMIOYAO%z$a3a%?^3(f0=tLmJ z>NlD_{h!$0|HR(@{tVbNAdihR98>+b1?};N+_SSq`8jI98J8Xws?x7dk|V{6Jk&?s zoJPr)Ez}WX@4>#H40;RRJf&ph*`^EbV*v^Sb{VuEbaGF&-U?|%uFKmF+?a1@G}=j= zcw&E!VZm&7rq;@AC*SU6x=U>g4Glf9vl|)>xO%CO|B&X;&X@Ah@`%SVe!D!w^)i3I zG%>kv5mW zX4)gz%>Bic%*+K2zw*X9mdW2v=wmv6jYrP9HBM68lhBiulLN)GP9Jl46xh!|j(6*{ zd;-^7a}nK#K>!iwp+Mm;iFp1^~JIGKWY{nvl(0%50v$GdG5+ex-&FFfyTA0 zq~+#5{?e|!NL}SQR()E`8y`S*H2Ch#r`Z~l@!L{<6)BFpzrVi$uyK}CO;PU|e#nul z-B~3xAB~=4O_KL@LmTXs&-m8^ThLEGK^S2d8m=I^0LY!%($A(=%p^54RBwzP@i@YC z@l(j_U1bVwW$r5otadpt5Pj7bw=2ezbphy8fUUJec<#{#{%z*mfN_^zHtp~0tFQK@ zq*hkS%DE2|KH?~;1)~cotH;?y-&R&uZr=2yQOWpupI`5I#Q_^^W5smrP`2m7e1~eI} zOc!GFOih4&VUZI3aTz>gaGl1a=uVj0K>5#5@!=s!TVN#<3e@lt z?J|zI|Ha;WM>X9wYs0sQf*^tdati`tLqI^JNymzcfP(a@^xg?IhzclGrAb#2kP<@g zBnZ+=5QNY}4?WZb5)!_h`zhx+Ydz~d=g9f%d*A;s%aq^VduGpE*EKVxmGjNfWy4NC zUYuNS0s&|vF^+k8e~pqnokc>R7i)WifZAU|L~;GYpFQ@<3ohdtadrFG$&^YWzwWHL zupCGpr#`TXMp6NCU0Ua=tZEhp#1y{cfQ0rb;FMPW zbY-o8j42yuaWR0bRX%X-XsT%HK`aSsa-cMTj>jXMOUX@(r&c&sl^g&W7wuNc^{K3w zP4e&`YTF+dq%|^1cv%X@B-l4KMiL8_HHWO|Z#b5YycsiCf$Smpf2i@2Zzcm2zJYGs zOUHk6&-re4gVOBqzbFzGQh-f29kOibYa$EEYX9&Iwm&PgzTz12qHmbZMLjNRq|Y~Y zkM8KOJHq_{M{J1=#LT0Hy?IPY;8_4#xo!mUtK{O7Ush5@7nNIC;fAUERBejp_ULoJ ziA1`o?iO6@R1yE_m(8KezW2*jToI!XhH0J>bkXjw+5~J<7h(S#u%Pa4CGtD*^GAF~ z`nnaTQsnQD04HNk+{?}YY?;@Ya#bBmX$4bTE-|yv%B`;&Gq>{=b=d{?$NvO6t4Ku! z-xgOtEz)HTX?o`b`7ukTsA&LwcQX0vt z%o>IG(gE(QJ^L>}1RYHlG%;CsJH8CC9sJoWfXBFMYH+J&y($jZdHR40dWf?1q$3r5o7b5{o>^P@Dz_HsT- zIop*8BfMI40c6C3aag7@>`EqpVfPXhIBw(+n7ms-g(KKrA+QK?ZRNBx@@-Oe($t6f zA(%DL2whQ9#1Y-i_4&a6WsL8Rreh3RaHgzs={Lg zHNDep^{;t{2FbBervKQD{cYVCh+p0?95qz`WO;XDDh@Jin=QX3=RVh|SL5Y~7wAq% z(>=SX_UVet(&36yhC>|KUI;^-h-sNTFQ?WwWy4{rKEotOS~~|pDR7QcwH<>MYTJ zO8Xl@_W)IX{vqJ*-#%Txp)IT~tj(tAJ^FR(DL$2^FB7Jv!&~JsQ$|TDvuAj=q++PC zXZ}@}Fh?payQb}`KKVTIx6c|aJ=>9|v?323f^fi>VRauo!~6m@EeQdd`*FG^Z)ZD9 z86C2Ar-)M!gN&1U>B_mQa{2p(e*&ADAF8uPlzuMa!x5H-lt2sddA^LzX{<@o$+GRT zUDu+R<}A^V<5!mrQ&ce-N9%Nc%5GB`G9b2<^fWAc>bR3~0p%!3@ja}nD-x-sR)gD) zx7=h^QSU_eOAoYsoHQ@i;JnJTsl%3gTvQ)%d6@uR)Odec}+T z@<_;E8q;Vdrlp3D0;7fi`=&-}UUULGqy|RO8A!}r7_6wMh{_q|*FW()%Z=p?fF55J z|GMnIU`8kyQ)OoSJb7|={beTO2DGF5<*laS-dtqn<^?*$=`1z#4qe!lRJ(z|XKmFO z?~=D@8Sm9htci6~^@4H8$_L)3UO5p$8c0D9B3mb%j{ATHoWhx4GmoO`HE)_$=%7~BugKprFGlJCE?JG>63>ctt833WZk?jeumU|Z7)^q z06N{2p3m8aOVYcA$#~eoSW7}uPMuD7jKaGPV>adu@WXe^eHe=hCih`y4r{#4%F4Rh zT7!7_y^k>nW5`=6*)6}^>Ayd&;H$!LIvaJQ#aNGCLo^z`M?_A4x8`X@&;KJ<{he!) z`utp1n6`9ubecgxTapLYD>`rDGaI+3t~ppJk*{xxq=aSczLgzGtp^lPg+9GEeoB9R zGc?fTn*r(8*9oUwiPT{Z6w&Rpi7;I$s3`QWH2SmrhCVU*Y7{$Cm2f30j#OZC@|H+N z*65&+kco)2kyrjsr|rgjpx1(9cKeH$3{GTSbLuGn=KCZCx?<}({IzfTn?iKh&sPvT zd`03T&5r~UZ;i~j-^#-KT>1q2eFzRRE!u~Rrs{o)Fx{lPfSK=#-v)#Ym9XFG6-E9@ z6^vTBA0##v>qFBVHnN2hRZ5tb3?3rH!RV}t*<4uj!n0|RcTrWV!b$H!4eo9 zkkn|?Q+6*X*>7r!oA^r=)RMy-6psXAs!1bLugU5Wu8l3TSpVgnXhs?==Wi2eEayPd zcO>vINWh%{HN81^w<8P*DnUBXl2TIl7#Qto4H%w!k*GpGacE$y3I?)|8%iVcyJgd9ho2j~m!^q3u@R;wR=45Dk8Z4WvFzq7OQbxhW zJwFiTm+GA?0wkyFz@&8ul!{ z6P1h^fvCB_j7&!6v6Y^^wM<>pc2Z_4+YdzxwCB=8tY#pJn-Ia4CQ^R4AGSaJ2ap{f zU>O3ANr(zm2Ply4DLFE%MsdrP>wET_)D38BsPT=1ZauT40)sL^D^yx4Z??Lpr>BI3 z#2s{jamhNUgt5>Lw70YS0>O=od9PL5eWK!30Lrq$%AI>GxV9WFUVP4$vu6Hv_%z@p zBQc7u)>q-MD6-d((s)39TNf0bi9JnH`^i>8nT@}J`?gu~nM$~V3nJW)q2EbMS#l+@ zAs3DY_Ex=vVRY_{XId4%=tP_+OylXCqi6HtTgEd8QEoS9(IX{wo2ENM*y&J?u@4HQ z`tifl1FBBpayGy<-0d5j@vrn@{j^E$HV7=6%V@$?4D3{9{LfEoN=MY^t4-hSR&5c3?=#_#$deYX;PkfrW3KQ5FgdodVdfPmWDin8^Qw81!} z$H2#*{G6(>{WSn%wB%?B_=~A`FuefA0B!ibu>A-C`VFeoQ8hGq zJ8+{XdKy-P6mDkXO^D2Pv9nc{WXf7>1az9Sm&wBSluPbY+05jN>VTk^N@=L)4ZyZM zOt6Rx)mkgh82Pezcl{r={T>UWl8h4Bk3EQ`+0-JJ-fS4YMSyTRmqo+TUY1J(6>#gb zojWnsKGL3Zs(l20RoXJ*_ha93t)Q@#t*Vjj!P(r90_TkKfowsfR;B*rVPExTo8>+Yfvs>B7B;Rwt<=Ups=cD`sLG)Cj#BRVtuB;CmQ&+<`9>KCo$>kbKjT~R(O8{Rg}rc~^1 zHs0xdQJ6Zr7`XfXL^iGlgMlVrvRES0kRCTX4Q_}p4%15}j1RUpRONixpvucOIckf~ zQRS?iCK7T<4EqlERncR0F63wA5FoaCMMVcj%yphcFAiIB6$gXq%D;QB6>=ZjT0)Bg zN1wq#u?qMF6Y#H*9P3El4yblM0E(|Xv3*37rE+RJLI39Og9v|ntor!VAn@v)DggY$ z?;i!QKxT)jDES|4rw;O9)Zbue0MHH9@R|d2SWHy7^N)+FzrB5bM`#>uscDPw>VY{d zDP{0vhu>X22=qhUwZcqlXO_~+r2}(Ve}E@rQZ9adu&sabzj=tN9qKv3mJPPk-UDqw z#(w_24Tw;UT*dDy`Tlx3hZ9t0A@qyFfsca~ShTL=c5(+j=*hRiad5vf{OX{qZ$&lX z&QImP-_z!AmR~4CHR1oCF425(BB6vEJZSluAkazX9wrwtwD~Ae?h+8+mM2<|4D)^k zb$82E(`iGFBDp4KH%-z;3Jlf%gL*BqXXgKHgPVvv1@?$`7l828BIyeO+2wZqx!>S$ z%se+B4^EHOKv3Nvm<^llNO0cbQ3w8XlhMczubZJ_8SOC5i1fSJ>AgPG6?jrEp8baH ze$3R%X~hp+3LB#r))NgCjlIT*M?>-4oD1ApIwjSY$H`4G0~MoZf7_#%Q)zpz+7F;p z&!3+VHMIJEP0U;14Pyq@c?U=^q~tMU-| zT~$ewY$OgrYR=O6_=s=n=@GpHo1J11KB3GQQ!p}bWJ~W2G;Zso?x?2rI3ejpTP^L$ z=hSlnl3!~QTZ{ki2l#*UGWTf&X+Rs=PauAu>q_PTqgsa&8$*~zTDi|_{^9-e%iZ;< zaM63_=H^?=L+%*_7n&fLvDx06bur&obuqUdd-g&OUD2prcxQN93BStpa5Gai8I32KqiqmX-v?{3D+>RXMi5EuRGPx(+TtMeHS(K@0g)i$k!Q_iRb2ey}$LaOf-Z7=@J8;k@s zIW3Z?j)=Ughl~xn>+p9n2 z@ME?ZYIG=8vZlxbU7ge`vTHh;o_^YEVe}Gy)D=GHw>3T#@DI+Ht4t-wy&7t4ZtO(? zh_TjA*I!g`OSr1()jeo>1n8rY55a9cVr4`QZ9M|W!O&kN^52~EO>sV%G0D@oY-ep` z1E%}+pOQ9Dk1s1+BRPr`m^`ga&*56`gZUAF&cb;C*7Tt%Jc;|a3phVbQyq2#J|{aZ z?CCLYEdz!>kXyZ~MOIx&YD3LcwB-i>i8LMZdvtRL`3R|0Kxxyq#P*p1l8__a!#1T5 zcgzwEI)5pN?2cao<(op5SXH`E&`=9qi(@S6dzY#jx(Q_n7$?>XuTLY#)1n=1tbcvt zo+buXDT01lX{j6SVY*YD`!W}Rgx#^M>8oqZR7ti;8eG`8r!tGLfVdvF4ix4OLrW;u z4A`?b=IV8(ZOu@(SP12+funY-{LJJV2zOM4VWe|Z&@>*ZQj3G(!a>2Uje8B73j#2J z<^b?@ELbr5DWeFPleA1ax0jtdTooJic2qW?$CcfO5Rj`)eLQWFlEik3(oS~10e>XCa zz4z&hdHI+WWb7A9rO4GYb9!04?ZZak=&I`;WuJ^yOK*PR2D& zYP=*W^;>#5__1@=|ZIfOhsGUPu=~uxx5vY$0sYfZPfXcKh-Md-ZF5=nVSDM^sVOIq3yDgX!&dw z3GVlz5Bi@4ZV$r0lowpakNNC-<38iMXrct79c8QQV3mmsey3G>;5KIttJe%iNJCb8;Q+a&E07{Ykf3P>+brxj%w`XUMPo*MFmUUxC;_2v7ML&q-g|Da=5k^{{b&n%GlS{8Jh-2zh3lY%*@JlKs)hmfm^@>xy`m$SVH zC}i2$o5LZV&~L3$OT$xh52d?J2<#5>rV#`7(4rJ^CH2pp{8nUP#NKzfg*mlgqml9Z zppp_9>#tVizH6(?R`UdeT_Ss{NA%4qZtVE;-67TR2Xavx4pMgCl!Q0JNp+x>)(R~e za?@Hgjh%OQHTVfe53@MBCI45AyEntG2`G)nwg{{xuaY;dO<3uolVc-Ip^NOU>Ys~U ziZV%$(w}pU?+g2|+|cF|AuKnQaj%m*R05xP!{N;sD+;V1kGkre#Uf7**xO-MYI|9q zL$h&`HM+B*tEtIYu=+<%%s_C(zLFn-+w^W6#dYri?g;&Zb1c3pw61qqn#TPS%3$2f z#(@O|mMeLA1!0yeN7()J*=t^231bWDF+6pS_SUK12fJP3*ZAGtacX?hbLZ2ig+|>$ z7f|udG_Jj+jttzyXXgFcv+;=?R_&fGCZeIyHyS#37az&*T^CO^d?&=AE^C@=pSL2z zl#Z&nRcVmwtCFMxD;PE4ldg4pb+t7OSJafjt8`vv+4XD7s4)NjSOl7*paOTdv0hy( zPbP2fqZ!eME=`nopZGr3VA3o5$P__^AnQ`$7-YU;Ur(eEaD4#p4&Q`f_08yB)p#ym zcGSBuTy-)1VBK(g9tQR3q@fnTr@Rn;XQr*_S;10+$n&!@L}r!WgBCTUA(C{|`yUn$ zm%hZA@B96-PYel4$TxPFLk&V|7vxeY#&q{FThQ*uJbP=0qFD-M%sfknm(<|n6KNYG z=&)wy)Jt$W3{a4FavC)b%J#j{TX zn5;<*hvcMlP&v;`vTftcAbobt1`2w~i0KFE3JZ!3g!H}TW2BGhpcU4lCq>r>8C>L6 za&lrG(GMn)T-QB*K3Ruj%X9cs)NJH+Hw3Meb zTwzk)@+i-iv2*+WB=z*q_oIUgZdyHL7B{dt;?W`4(K$HggTq2*n^~R8vo&LSM?;qp zau;*8-)38qC(5!iS^WqY!|q|6!%w@S;nIdBCQ(!VGS4z-1!t^S>sg^I0`GnvZvI%r z8hc_4VfsY>y+;JjhL<-<=GTQs_Ua79QHrm0f(90gxyvy% zs0A)mU((c>B}aLR2uXKbShiO$mQB>r8@BD2G_-7<;!XYBlC8r<899XY>6Enogj*ar zf|0P!IliL!E59$dC!l7lEYPFZr)3yTNHMMb&fp6{f3~q)043_Zt4q8=JLI1Mr5pG+ zCKpPDGGKyzxARH%di{fngPlrQQ2g82_*n0J3S|T?-+aK9+@DscqyJKc; z^_G3vBR3;zQTm}`?Si>}iECu1$!_wt_(%b5{<8;x!Wrhe?pLh)$`^C28v6C)knIsu zU#1>m7Pi!vRy-{4j=S|at6`U2vEC_^kud$pkQbh=A?)uw4N%<*vv@6>OGqU2L@CXW z)!gbx5vR~shsBS!zit#MyOovJ4-FW5`1DR}i^si|*9x9N(Q)2i7*b!L~bU_dYFW0}E1WfiVc!`IY3&5LH8ltJ=W#JbD) z&WH_{2{9}Aj++-ZUGFukgIaI<#W|AIr7DEmlSGNPZy)fuo}_n7?{L$mW!VvD7+s%J z`r4XXza#-m8_95ImVv@qXQKL6V>Ku^tt!90x>KxYrmwE=Jkn5?o(^Hx>^hVeqx;c1 zwB0-zM&#>lrn=7WV~q#4);!_zPhxb!~jP6+Kjlp>d8cs(V?%Z z67C~HarZa3qYO!;48nWMBT#;g~GKrzS1TbAhcjIN0Je&%F`Wl`XUNL(RrCOf8^u2`lLtj32TX(jy zyg;!>Zef$(!eF4(%Gh%{KC;Vzpd#AKP`}#V%1MM`v5@7poRAXk(7u+aiUv#zskSa@ zm)_+zJ*ofF;H;i&Co zblazhn|S~19d(nI)VJMlQ&S7j*)`9dU$Wb6qkBIrBKau;J4w!0KLLI1;+}SvY_U$Y z(~6u^7cQDK9-nV~wF2prtdRK~6F`UKSBaE2AVL{sk4%VxGjL?q#4ii@g}nR;th*^0?NA2U2Mp(0W7puAE1eDqC*~B{-XTK5 z_gkgTnZKwS?Z6;r#A)*xeLYrf2PBtmUJTlvN!<%A6|bOcNG)4MrKk;AeS7A>ltQvo z(DK_&Ix#;QR?BXMY;IVxdcr6xOeU{altf$-_?HCXh?;vFn zVs_@e#l2)@(MbD%`N2ep;@F|3!k%kGs9dk5JZ`b6`=)(|Qj?K$kdkzrK%S(k>yqqD#<>mSujrvmW1CP~St#>+Idrf+Y_Wddoe8C%w`4c#Pk^Z+eT7`%&pS-;63IoVL^l`TiVcwRWtNm$KnYp&+vVexCzkdDtZ?(tr;LkG;EiAq+ERDaSW0o>s0oBy^9zOKf#cb)d{t@KG*7HZK$4wok5d$g-Hd>XFL+aTTQ+SdIx=%|dPT&Wes`r)?X& zs$qKH*OJC3_FgQ~Bwu~eVuKmpu}f!c2IrEt2z*f7(5VHp`^ouO;YV&t{lb5$yZE+47=+SpLgvTr}Tf%|dwdZW{L_I!#sB$>1 zkEM9{hT|*YzNpudEiJbn7|v17-es5fuku#jDoYH*zk*&(50 zhn^F}u$6w@7{yh|t&{YZgKnOAbtiDI3?8`Op8G`>gPlYp0=4fMexDq-ty`HU*PM7~ zAI&{crgOV|KV=F@Tn_od4%ySV{F*Xtx*^5ofYWI537*H zmFBoBB_NE6?Qb*Gi?dHXKQ)u@YAqLPxR-+>FDIae`xCY;0;HHeRvUU)cqG#XW$*38 z+gvh(ndE_pT3QBIzd4pre!GD4&cLTaWY#kr^5K;(G<=T!$gNjvX)p2d{@Sh%%T|Wf;~0~m;T8;~^8yQfki3w0 zUcZ;*w?%lIPHa1Cx`I>aWissNrl{{CjSmQC(&MzYYb}=&+83D9?R0tY717;+;`{b8 zE0cW|i1ePKf}v8&7K!uJw#}{E>>F_-cc9zd@}`PIjJYV>Po985DW~N;j1(>_ zy1zAc9Yh~BY_DkT7d4qZxq+Y6G1d}JP!zu@!LpjS;O94)%+dK-Fpskoj{o)R!3Hjx zw>(!J?akdi{!v(0Auu=*l6xun?LAp-Lvmm!Id#q-4K)=nXb9NgC0Rb3yNs=~kaYFzu3GM|w#Im(mj*IpkH zbm|O`KyYTVrO&uq+t4qMKYLre$48gWvRq^io8Jl8X%;N*bkEKC#O2 zdzD|Mdtilqq#uL42Q6vH%#0J>Cm&~KOc={2$W@N8$W18t%`V?-oIyC5BKbik*ScnM z;cI2Sp4HXeClaxvCTd9g!~tCWC#P4i+~y~m22ak*9H}aPPTsHzfE)&S9-7<1SV^HO ze7;6dP^dVNPFD~4>aJz*%H2lKgPrqFM`+sG+HSE_9x=P>$QxwFPm)nFO0SQ8rO3N2Qi%S;AMU;IIY zOTwPp-?dlA8XYV!0fRBQ*?{Kpl}ieB&fxNK8sH?Bk5{xQ9C){PSm?LKTG$RcbnG7s zQ(6Ls-FZO|8S(sM&ad);F404#Ak+=Wxfc45FZi!__`t)zIXdMv zdXSs`U$l7VMz`kwc1{Xek43C18JseY@gHB$pGCGe3v&hVn4dbJkq_!q5#A}a;McG3 zgTc4++2tU)%E`^O8;E-F;K3;l4*s7%f1YAzzhqe9RE8227LIFZXs}xOex77K4! z9bCF3ATq@Ny$&~i!IVtNM45k=NMwmQM|WJ|@vZ!QuhIZ1tX9sb!NR7;SfF0?n58#r z5=_f9JI2fy1E8XgFeagy3{%C}uFT}RZZ43)Z#`I=mV~ojV!u@EF{arz6e|o+c}4WK zxBoox|8nX5_g@QQ1>XB`{O8Y~KO`jyo;h>olvQwUN_1em_S2;<92)bz|)HUfxtmT zqhHiJp{UwoZ8XWY?Rc9|`{wZU-Yb!J;>}TnBwX^iM)Qeb-EJO8)I4M!a8z4*?roo0 zEzFvgqh(BA-K`3r0c=#va-_XKx7CS*?I;a(Ht3NzoJ2JZjRXNg?2hQkewjhBRl zVQqb-57$23e05PsDEyjBjKNh9S)BT_$MaLfnQK<0+vt_vn-lI7_xL+^?<9)W-^MCl zt<&^NUN0Da%Mks+4^@lFrIpWr@RDyVRH~{OL&L;~bXf@Bn4n{B#kwnQRz&z5?2few z2EOO?#7a>Mj9ZWNT_nhKJ?t~ zHr?)(XQQHm=agwcrv61qJ#W-t)&r7+Ix@sKGwW=6YJD9UuXQh75ahi0l9|&pdY^G{ ze??tapQ4sMvbEBc+s215>^?#k?a|Kd@Q%PZ*(K!X#G1B~7ouW8I_{H#wJ($nEc2IN zxcqjECM|H5E{tc#_{^AaR@T-d z{Xx^y)5&$J`ud48Gc)(WJ%pB#g@2y_r7lA)5@%ClV=pF4Ic^wq&{Ds*zFYM1DFRc;RiFPIoRPe;0K2@7|J=* z|A)(yC+`ESe0_aOAU%ThpjnHv2N{UWRv5kmhl7`8I>Soq6dUo1-uu|arpv0Ywd>#fgG}Q$-rM)B$Ui^2xIYG`U;g#IY)`Hg3*!mE5jgtty|_)zJxKrHu*;vkO-( znBOMMmAkKSizsbAkj$bw{{oeN!S$(sxK zd6hBuuSQ-!*xdlwzzT_TF@9`Z(q9lJYuXTp@dvR=s3*jZP_@hEXUo|^3wViyQ%I3eaV^1F*aE`F5B*3#9r_NxV{ zeD~9g^b5X`??%+C#;_*7Ulh^P>53xAtH}%Q>5U=0BIvX3Fm|33o3el!W-977R6s51 z8LI7J+c++ksAxp5Xeg}Hw_)C4#W?a0GgU1?8f?=$iGvH}ZCKz3-kam)2gc>Ps->6? zcI;_HSvYru_iN>Jo<7~ExC<4QwrMHvMPF^n@ITx+)<@}eKrVdj)7tKJE!7;*io(X~8)z_i7A?T=Y zKp7QqiV^W0c6QNy)y10MvlU>iII-jrUB#tQIpq9lQ2!e$vl)?;7D#rL-Z_3~iTJVg zPoJGpm6=~+*}Jl2=H&2*h`q*w{$WO2Z7YbM-@Q$mu~m12UU+W7^^WZtjRW!u^^A{C z-dM|m4U3&We{1x6$<)-8&Pq!g{qiD>y7Kxf)A0lx2UPT}*ju+|#B^q00!6Cp8#H4% ztVW#t6y`~~d-qNUz{)K(*a3{Hp)-rIT#A1Xx^sd`wk=>hU-(sxDG^>E^>1R1i|+$= zdE>h%?|psCoaLW>8o-tHtvoIo#|rb031%xSpGgUz(3q!)DzZ8lz!SQ!g5J=L`lKs zSOczecQq>HGxHg*H;IC0_Q41y+h8SnJ$a>v+kGm4xJ(g%ONNDSQf>e_Y}}@%X+*6kxHVU zUbRQgum1i-F%X{ERK3s<^bCFB84ALS77F3pP`))btyiW9xcC7ot~t7mPvzk=v#vX8 zSCY?Aqb}#LGkMuR581J5FKaJxJpY+Nwr$x|xs6KHjdll8F#CP4TlL*vkACE(teJNA zoVY~Fb@3+-ieJ1g-)oYM@&Ml2@AZqWqdM3?WWae1DE_tIL)m7?#y7UTAKCk2;ESH! zY`aVajIC{6qO4v0v-qY4xrtR@~y631-* zDSj|SA*h}nc!FzDu<=W>vIa!_ialN*39XBbjr~YnC{QKpeA<6y^9~cn?*0uC*>1&g zp|S)(sgR78()@|x*`tm3NSrAi!?%Ra8O>!sT=G*w3Q4EAl+;N`3UtX_`jp=7zL=#2 z&1W8}7X1>7DCA$8j4UKyA$8FRWl&72E3knMH?z2YMb4_U21nf)dWazmNSFU%F?igC8x+S zRg?9jthB2GIW;7S8jM(b?uNc@ z)%w++TlWKI*yj>GIsGFeBjSp4uZyFH)uX#d8a`J?huGUM*^!;9Y{Rt=Rdkd$j>-BY zQx#p^#w9-kD~GPy^|;c#EhD;^s|j7LbTGx?LQ`<~--5Sf8I#LrQW7 zs4yBITBcbd68BzMtl%k*f$0V%O4x$|fy&ch5x5ApeHkD{y>8QU?rlUwDO^iS z>jG$F$436j_d?l>_LhZV=1LaC-q%>$)3R@5M}P9^9^UiD#f!hptJP^p%!huJPw<|0 z5&AViWIn#c6zT+jzUsQEc3eIUb_6SZ+Qez~qYSg0b3xtyFcWE22-bKep?RxU5XFTc= zyZ6(#5Cs_?2ZI^Stl5C(P_C|wLMEyD`_~3+%jOwm>(GF9lQ!8klg0FVK1Y1B@EatT z)KglWMdkEK)s0Pw0t%gFoL0HYp6ESB5SU2@zUxmDY9|`tK_m zu=s_x1*>uHtDcu7Ta$l^HS(NT5_>eBCe|eLD<1{$fX?a@uH5;)U3@xZa~wnKgQB)C zpDnXtuBq5g$-VsCg8fi7KqqqYIJx<^+Xlwnd<79-0#njwKGRVIK)H^U$VWLOJQ2H| z))LLFA&D`AJ{#pakg;~LfaMT>M^pFJ8H4x`8*Aa5H(3h|RX|9Ham#X$`4H{ZAady0 ziN0s|37=1K>6^NG&4$D&qRXs$>#%?&ni5U%ZTQC8Ww{Y1{Sg80&JyP8@(9cGg(q(H z3FKT6Q&GoYj{_yhQBSU`AQZH+n>~svT>CP5)!o1IMZj10FZ*E~R-f}q>>35ddvnW3 zOyej(#A`LDJP$FrRFz-6fV|+&xR}R8c(~-)?d*h|H`n-Z_=N1Qy|d7nq7U)onN`^p zBw0zK2Y$aZAcDIT-a?X~`#Z$;TeuQ6@m9Y8CfzbawH5sEv7jqOQl5xOt=_|ji-&#Z z{s0#m{Tt;+77-H15q6nFc~OY=Wq1&JZ^~c%#8Yf|l~$8+CO%}^d1Kh1v9!+kb3aub zVjt=Eye#j!lXKn&7dN9~QXz&yhpcsuiUe`$)&m?+1HL^T9m^F}^SyJHeYUOFQ?+Yw zp;m^>1b{Zvy1k$ho-HmHMXJK^!)^W>*~96{s?r@FJXJeKe>95541Oajm-F1$SUt}l zCEJ$2>o(4jh0$vw0*8SN4v+HGLMm|kL z?3{s{KROtE4UpW|bSN0@e(LMcP*o(9eDUJNAEOSy!WObKGatCQ1+3-Q)*9&)4lRq0#jzLxIbXRP%6Ev z&yW`Liv>A!(GKjeth_*uI@j&w>j6JK^lN-l72w!TBPp$7x6{5U6e2UcEyrBF$x zrJv-z)KX!Q$lksZ`|dn{q@sTBhu%&Z4S! zoR0>wwENQ2h_PeNi_!aC#5*GLJLgGfw)d!l3wPbF_rkM=%UaR~{jur0Qwv$;Lpjk@ z&54{+oiM*4#?{dvm}n_ zukAfJ0?_1%rjX#^2LMgRh@U@y{!U=Z-0G5%%{R!Qxys5L)>SA}h~JLUkBeaM*n1Ys zo}By%)Qg8#(nA=LiTh=Ha~JZ5UB;rKOi2{&Gh=}fIm8j<(jQg$!9yk^w)OaQEudm@ zzVUe}tt=Oze#7BQ!2QGD4JOfJUoK?Sy{z{gKa9hOR-|k}x+N5V7vLh7xDPqYIz51~=_s7$B5oeL;b$sr{yxjG>p+?J_5iLsO zXq(D18MVfK4S#&4QNWfY-i_(-ekRUj?pJYcu~Gnw9xomUKq+ky{@+ z1_g3|)qJ}~c))%bNun=sudihWUqRtpoX)e|(IxCpBoG3)@p6Q={OH+sEc{&@myY*} zv6j{}L0;jpme$z(x)RY$dwYNzF;k<2G?%l9TL{50TWcxcdn-g`Z*S_?9LBi2U#Eh( z|K#`n=YP?EQ@;Q3;lr4Pft?+1(id%Q#9_ljbr+;=e+p8*cP~UiOHc1gW@aW+6s4%~ zZxV=p<}5!~1QXm?l4`rllait)mo{}!z*Fi`WmkUC)m)ik@0I7f8Hc0!PMuefCAO>HjTgVF z>&(K71HD|rU!>|7=nIM`bd?4g)Z`pZi?T`h0Z)(pgP+HCnBiA8AtTU{3$|0AO zjEWNu$k2??-U|AkZ}z``N6-YwqR#r`Ud!D&z(M+#&sL_V*}U{G|31j40+AFw4c(;b zWITZXJZUWBGGQYxN)8sMQhyIUP0-r8N;;=Q)W5&g2giue&qEy!2pIw2uj~i%^-6_b zRhJJGI{wEkq6S!8Cz>~n|MAL!{wfUxyb=B}Ht9g0@*nYx1Rr22j-5MkaI*ieh_Z)= zn%>?{wLe&b_)nYfc?}--@{1c0|9s_l1J}Pk0PHT<4Q9`R1DfwY7GIeaJZ|zIQ`i2N z4$BI4H~!z@`^`Q6-#>iH-mEP$f1SOaH}!z10eGV(K!YrA;$Pm=Au9b6L&Sh`FH2Fq za%du3{Ar?T=gEUz=RkU8OeIEzOg!)3e*^M_H&8nvQPBi2wfHh50-z+Q@bGZf6_q=8 zS_fc;nP0x#YHx410ECvNt}c2;@hW&fo}H?n3q=L|K)me@)0A1In0w8KILS_49?Ad_ z+vwk+??&$7(3oMKnA9_6qR$*_K|G!tSw9ra0G&s(v<^<%P4}wp}_M@WV;;* z7_IoOv-43ji;KJHX`XQpynzrcVF|7AAtoldMtJG3;Bokg+484=+0}J|@9P(16|6v= zs$slWx}}C&N^^>#SgIIJveS5(-p|`q3|t65#l^mqcEZ~<-KV!n!zcK~7>BF{;r48~ z7G*NcE(Ut7E?vq;S?cZqZvCA;P*&sgJ+B|sA_SG4UyG80;d9snH#asc+CE&`Ab~0K z&R}3TIJPlhHi)X4TI7&HV|~}L6UnUee_c&`lQclTuo120B#j=^MBH8VAvnp*n)0_b z@+w@EEE}PiFf)h0qeDSk^XUSbJE14fo(9m{bgmI0H#K6Z;2cb|`Q%3e6mK)dC*EJtMp0F1Hy2hT@%6c{* zk1r@btKEN zShqFfac0O`V__gCxwEJtu|%iy!(!5+RhsZAkdkm-?AIwOyY*18oP3*BL5>is;2Ryg zbz(uYFjM(7+}I*iiEBjf@F!4)JFHmr#1-(LL7k?XH8zqXbLC$LEtdB9J^-2k=q=tJ z)sSYJZNu5mNsp*F_LtR^g(5OGawhFYpQpZ#^P$nYGQTc z4C4&;$1Tk89(fImN9auF6}2y)mHNqWilY_7kC_s~Iro5DQr>lvwO2;0|Ei4TR*u(x z6`W!}m$Z0RYRaW*s#R#kk_zZ>nbzIpk;5tV0tf`I6`uciwMoPDB3FgO){WEbCoff` z`-bi{IF}g-R_G9A9Z*g8n%etSOfQg_W$NK@ll^jO=QzMf@2$EIRF=#} z6it(LGW%Kbh*T04O6WO!_~?mv{{N4??~H14?Y7+_sHlj_Mg*j|rKku<@5POXbP)mR zC{1eUJw$XXN>z|vf+C=_(0d3-lN#wQB=k^1LJuh<_hsMvoga66XPk4{_viV?7@Bvy z<$2b#=3H~G1r46G@26t0KbP1Bc2eD-XV7b$>XBY@BZ(66n z@KjJf^AhZrhoCBAzRPu$0)i49_V|^LTD96251tn3R1A-K*f=va^=5rOB*hQoH|xx@ zl%0?Z#l*wnu7$IH<#!82ipk{#q&E(y&}@I{(9N=|{etTP%&T(HzJ|{}4O>^BLYCu&B$}O>Fb6(BuJU%RR@P^XVaXV!haDCK923z< zwH1cOKT1PO>%lC$WI%gC()R8i8Z2yB^K1y{@h2RxoLILgxkK$71(}apsGQ6lQ2l)U z^L9IvVb2K-R`(GznA)$i&na#xJl^%0mGt^>jh2vXQ&Dsy{RPBQT9J>PeRO3@oo7U+ z)1auRDA6{BzIMKZ+<4sw>k^n&K0K(?#Fc-+&ljWXc`r^&#*U>uTV;UKh$pDj?xPz5 zaIQ6}^?gzwick2ktjf91l;})GczP!8hyUXMJs|@K=&#);D9Fm1h7j?hT&KqJKj-OZ z$TAJ`_=udrSut1`nTk{m*h<-&E|+{bTh!wL)ZI<_x81!NUU9`yooI4LdZ(^7mcFYu zEuM|KOmbH)B@t|sSv0vF`d&)-tfdZfv6L%fXZ+^-FSB3TIPbV!)xABOz?qPp=^6P! zO3_K0>zj-=N#b51weSR*f(%oCexsJ@(H?=L zq>8dI&zF~9W3i9h;ZX2JRN_>CD%~R8fZS-cGjGCDdbC68V>j{!wz~+2Q1Bv ze0{Q-h&GGk4URc#O5k5A_4)e50#UJ*vj^bE7dv234saYG2wO*~npV#pIzB7P+A*F=E<}-so@=T`%48sl4DWsYv88(8rToZ3i2HP zXg>gHAu5j03>0R*n25+^=0Od9dkWG%`B*pk&d0U2wSXoKvDlV@Tbsi}(64}#TQ%!Y zE#59)HTJFe5%JpON9s)&^tNPr%yJ5IIH0D&8!$hYlIHDsuhdF@HSBv0L*>*mj5KqB z0~6d3SZ(H;Fgp0i9dL*^t&Pdi#H5O6OKJcK-BRNlOph;{Z5jSXTe0_#bf+JNUFO7t z0{W4o5nHZ_9Junv=e>c8$W5V`0! z5V>sr>`e_KllZ1xt4o))=!?(Y+9Q`|D7y)JKJ3I376vyF*zJ_ls&#;nN_pTfZ{tM8 z)2e51h4W2$O%teSQ_z@QqbyjBkGkE=EC>`5Q~e`w?H25{S*A~%;3FFw4fZg()&mYi z@V(3SZ2A}F6=WyPuaqHyJn2N}P1%1!I8Ed+{u%hafTbc*Ur+B7z?Ki{wBRp#X==Xd z%Th9nidt(kz8A2Ly1;Nx^vL5v3L4Y0xo$_)M@Ve2Nclzj`#%;LyMULSxCR0895#jk zAqZepEo^8&bCRjo)B>8)kRm-&fbyfFA>Se!X!_zjF>lC%mpy+%DFf(;A$2R@%{`>o zOm8k!dHxbZz`$VPPp-@U>8AT06Z5&XZ{Bkc$X#<|pFq7L>y+Ua4EW8lfBvbluF-I^PmXBbC9c~uN zcln78nrJ@lig?kw8_uw$jEndOEJ)cp^HHxaOt6PXi8X2bJ8l)F?oQidf%*^(|7R3B0bbLFbRQ8!F2gQbF^>T^W^q;bVZRwz3AGT>)9RX_A>n zhQYb&+b2>?lNB|Nq-?87JS@bx6`3Erae(Citsmdid>Nig#0w`4mJ{9pS2R(EmBLT9 z4p=~-_4Sk6Yr4qbYc>@Ez4j>6lO-0os-6;)0AdS}*Rls;i_>omm-KW`RekaMx(AgF zygHSAriD-9(x6jHRLN2R9e_^Ps=>5LacKE%N6=+35}#}bKN-kB4tCcf4}RPue#W|K zIvi%tgimETHChT|o)h;{hyVC-(l$#z6&=5m8TOB8tzVacrWT@uXE&!5e3w&sZrr#b zsGwlp5J>PeJ017#-G|Q_kyA+#wVoxgKU@rsY$UN~zY2W)2~=qAEWE{u<1ZG&5`VNQ z({JO@-y6+Mt(rS_xdTkGFi-gY(^o6E^@s8rAp(RO1(yT#X!We=Zi z3e^A3ig@sL^tAOkowI$x5o@2GBtIP5FKp2+*OvTQ=nAKQIEmYkX*t}FxfOuni5q?Y zN;CsUQa_x#KwQi29)oAX=?X))J|}|T$A=$2GF>bwqu?)wcZ{{r+c27pH#g-2vT*C@j1^S@!HT54Gg`_j1^mBwd-SdK$k)Bs1gCzIA%dWc|UOV*NKS z{hb3%ta#k^>!337qpy%P6)j31+9KPc8Va$|O!JX*z1M6r^7Rp(@I|Wd>fU zu7Wc?i_|KMTL_CTi7NYpYc;v#*vl-t%||W*JPV;$^<-B_u{SG_#P%HdCgGT3d?(UGJ08@X%@E#OK$}b|No8 zncN!u4;iZ(2#3ySaR3$X^O%ggCn1-^gw({+#n#X5d@ZgR$sYH@%`6c1g2(YM3z1CI z!Wy-YIc#$SPXQ+iUAnRR?@4eaiwnfFE#DAo;>4IqpH&zAb?sj=B#-nh7SR4p~ehT~No$bfuJ+W>O#gtQ*++%pkD(b0Lm*2Z;S)gBkL zI`z2-wHE+3v97%L!4DN-!*bt^$<@O`l-y>kT1Fvj)d5^ebE4uvWpi|dCzIt`(Rl(; zYM-QKLDBo)hKdPYE=eAb-k1@^itez1Bd4TM8&ygLD6!G%(Sb)*KIOx*^>|F0+lDhh zw2Y~q!~PTI9hVO9&#yP(DaoGaZm*TRdGqGI>8XIzq*t5C^@5DA9?a&#f?ku^ezA(l zL)4EgY1z!lohgo%wKPfKqwlKi$G?3*JW5>s4xUvYUxM{sn7*z?LJl(lgGxI1_4hId=V-O#7Lql@u~6`ahWlkJ{zKX6=z9zV5I5d zvVgYVwqBT3&jNz2rU7rmu<&&bn|rgus-aeB3dx!%38O_dEzQ#g)+yjwI7NAEm9jBe zPYZle&MrnA2afkYfP;q**5*v5NPC+dder5Jq7B>J?*5~0c{!p?%DNY7mXanKCmDE@ zJd5}Xgm%}Tt?JW#`sgQreOHTyYhJ%T^QtW%6~`6e`f9qjb?z74P}0|E77sgYl9Gnn zpN^F|Jd%Brn-wpW63So;wB=^Y&62LrY^aLum8WX>D}W$*M$uo+7=%oHPL9Ae?JZ>R zPQ$lndVwx`=HMWZ$cJl}FF%J3M|DA|x^n!F`=DM-+2E5~R(-K);LqqO|E;W)v zkNWvI0`j?V@o8Z=3>8eawlQ(p`)in}pwW4LqKi-u^a+wm3iCIz`536_q(TQM$_f!S z%GAT6GejI}_*xJ8HSgojfAs=*YWsOo@05{ql!#strbr_)^ldY8l5Vw{nd*u^h;;#_ zhVv^~kcg4Re0|9p4J;pH;%54uDzRqniL*72{@RWalv0j6?OFzSF>l?xb$2@J?%Mr$ zOb5`HsebjZjQ*|QB5VlLoBmeQfLBY0RofEsJpTm4aN6@~N0Ue*6bJJ3CMbxnX2v1V|DEfPsll@BklQ zUzMZ&hdJI6w#fsZqFL+PZ9ZL1ylGq-s?|(B6iI7dIo++ddR-U~{$eISG#;0z8u}+q z$=lM=jK#Y-Xi|53c~>s4uIcGp;x#cX{2by-S*0xihF_SBeV*2+^@K*)dvIgF0?fig^E_wvrz*05XI8-;$LaHNFZ-y) zOrNea!ghAGS=Qsu1w zp!C~P3WzD|mU&Nn1L(Yg5UlGfDk7S{WKajF)AlI41+3{-JufS@*m^(Y!z2mDp#Sef%-lb2FL ziwEzzyMJ{K!q`X1)DdPvmsX>p9|7Wr^2_K({FOuRTA;hqWnNQyU?k;f4%z>)@HpHr zmb#u9xpB7)ujJHnmEx>b`WadB%;0cqbT`ctvJ+q%+4px~^s;Av%NIls|6W=mi)FOe z64|oZ-tE}#6GToV<;%Qmgt9k`@&)z+HXt+Qz_ifYvxk8Bbg}eS;Lnl*Y8%?Jt)`3M z|7zS{+DZlJT?k)3sUWe`Ra^WE{Pvp4_SMj7fXp~zyPCwdfUZ$LfukJwFEW?(2*Qt$ z?W+GO!ygA0H^!;2lXS`5_M&dtK*+Dl#*_9RizYhv&>2!oJNuc=G#wBL~(KA7gP> zdRD%K*1BZKY7g%QHWv`Xd<`CCNV~YSQRdhODiO#XTK4ZW(k`25EYea{e4ueH)6e|! z!PH~(rVyjB&285E3CuMv+WY$ZP{lwC#V3vBvL&FB1XM0ukl8aFLo|rz=0lWgW}w1# z3zHqdHWmkuOGOTw)+d$hx7Ipb8uNM*E3;$bZG!`f(m>Gkz59Ju%JxOh4=a{!4jRRs zDirAOJgwh%1V0)(yNR1iF-wzXVRwM`#kIjBai>%<^dE=bgVnb0*V31f zI?cYdD*kR^hh))+AJfWur-iAr$@G4jSj{e_{IjP<7!j1x(Qk;V>Ms}ptv$UP4#^o4-6}TOy`oJVnLDk*XD?rH2vDSwUlB)h6cV=0IZ$CrCoH3@|Cr!^2}_ zWW-_J8fa?U)c5YvjS3}!2*AD6e{x!}4&0bbxa~Y?GVpPBL&w>LEE$@z7YBZTXIpq1 z7hlai)|n^;eJAj<8lGqA*Nc-7L)T$Xlsg@!2Q4l|R#K`1q1(Jm-Ywb2&qrE}wswmP z<~x|gowj#9cj9OFRrC9IP7`^qQDP>9$w|a`fnSo$$(i**PQ{aDP8p$}{KcceT6k^^ zk;sl5)z@EK!6tpyG}k^0NhM=jc>iAaUtc^mCA<&XuV#01DOLHr*gwCMjEtSs#X2y! za#Xv-TYEn?*EZMVR1)mGz?s6loy~h6ix0i?)c-UBM$BjeVfQrpNv-G1moH!bNI-rCW>sAW z(0Wa1*Y@`IO%V~@ahO%Tq$~)XSz~f^4>?A&=LiSScQ>pjCq9}{#%#r6L-T1WFsr>gpTqv#X5 zTfY*ezJwcVWDr+lC{?6qLYMjftDX4o-au0+6C(qtYhC>I?Woq*r@MgE;|oyxnt4W} zlFGg2epJn5>so(0C>CdiZ^zmHk)oe0;fY_jLJ^s7&l0ER13sHrK|jY2W+Ev{mv~Nynj;gTB-8 zQCivAoY=61hF9guTy*fjckiCT#B*;GS{9`+-Vg8CR*Ma}d$7AWy9_Wx&-tdtm>Zz`e@a!?nx<46GReTu4P}@8&u$q%c;wCuHGK5mU5|HUB7KZ6&vfAhM0Cewit-zRC;^77laZ!3MG8=5bF zix3lkWNFLoCR?lxag`hMCn*tP&Iy_OCgx1uJ5<`o+6L>2bG z!`r6C+1*=&kE-FmLJ#*>IhH%(A%UQ&@v)v~#+`Y_&`|I2Oi1^h1i16d!T5-R_ZSl* zrm&iOXp5M6SFi+Yrb;c<7*Kl&LnQCN%^+1e^_9r1jtLS}1SP3?CM`sT8qHj;N{;pc1N{0*v(GfEhu=Kr4r z-~TEacwD;a(ktN0#WV)9<20oCd(IXN$Uv#!N~2!88yvZ(;-Wq$wMk0Jbw!`EiCNt# z=<4wosc;M2Mf8MzD!BKhJJjX-@BSiDXq6h2AZeh=FNNyQt|Iar(Ffn>tOxBY$@=3* z`r!E>Uu(~JfpzN3h}S;-IOowd6C<;6RGHmlVcCS2lU>TW6Y>!GMgCo2yh=5Ukv2Q%K? zBEhcP;gBVsR=@hFa^K7Vaq|K%#H)tx97vbu4PKqAquQ&*G{b8d$Ct%}!qGe4coS%E zz!Iz%nm8g%kWeUXoF(VaY!zsg#zSZJhMf+1R<9~KSXq&}MNPZmhRwU}C8uh_*NX`b zub(A4qp9us-lP(>hkOV_p-s{-h#vn?bw{eCfK4(<-~-8R94wPP!1#dhb9?+8Jvn=B zB0An>%LqCU20{D(Y^=101moV;ZO4gNWXgS^zdIO+Y|dbI^(2YEt6PR5qKgO=|7f=z zCE`>lrfwUH=qE(E7(?G90kQO}W}eXlnn_@n9IQ^pw6qkB*J>iRpB%34R$Z5z4BP2l z;>h~gfF-Mu@on?mYR!VQ7zxoaxhf&S)(?x zrX$p*ey;A2_Cw{u6h!aZ_FI+Vt*;e?zvh@Wz7BE{U248xIBq1kc+<7*nla5VN9y&< z#MxT!g-*vnbd`&7A5;x0b%H@jeKx~6tdjqXJpEDu9~oV@*aun)WFIk9p8a~zT@XI@ z{Gykn1WCo<)qMnb%#mrmX7r}$Ef1M9^5%`icl(aE9^@v0N41r`z2|JBtU6JPXwWo$ z!j#X*^zoI%2L?J_pwP9ks_Z8hdKm8$GP;weEr9C@ci+rpw1XUcix=o0uUeE;0Bu|p z)>lv{rQtx9EDQ!?*}$~Cj(9b1N55X`F#55n=@?pYS_OjsV#0Hl!GKpeNF54HJwx1; zD-lj2W*_8F*tfrY)%;b$XCfJK^@dy-_FF`~E0A53@^gD#o~2~h8ftg>CQ)-RUqLVx z?$;HGnCM2nu4#dbAyRcKqBfJ0 zEmFU4?V9A=2lsq*m$R}>j>#DO&VULDCH=HIe7Li24P7+x0V4|PBRG#FE8)!4y`5uYwmUlMJA#Fv>`N5z?#9&}u1@>J-#Jjmvvd^@ zEi0etH&v`8z1p(MEo~N~ZBfAz9{8$MxP$44dvUD9>#p|5c&e8xW$uRBWuktg__C<@ zd7=J|a*?pO6*WmQ`MsT0qXhR(Gfbd~UO%eHP$+Si859S4S(Q;bWOhB10hr8%J;2q~)uhi7hCzV9MCt%9fDU1x* z6uz)(iQG*#W7}A{4TM%eU2)YW#O*B$K0|D}&f9ndd z^dUB&6Fk)aqv2@yd{!`*mGiRC|W>MJe?H+gb zDF*TH7DLO<%VU9yJFxgeK^8^>{7g}mSuxBK{%@hn(@Xat(!WX zd@m>C-sA7A<}99-#7u?Dh40j39$dD|_#|-mAc30(nA_Rudr8BHbY3@rwcYB5hAAi5 z%~}ONUuN6t%XFTn8jJl5$O89uEhGzj#;r}Qp+1Qb&Bx$d5OGs8nQ*OUO5Sj8Xm_$Y zaUB%;2iZZAu*?u45<NWBZJa=<%b;Nak(z2Rz$ ze3HKoGpD`+MM1c^hAS zhE50wV-TzKrF4m$=jwXbn$4!rrb~?wif1MNtb@J>*aLNNU|U;F zmEkmG_?%K=o~}x1za^Z%XO$OdPPnS(_h%_51dMxIm0i@-w3%18)SZ#*a?#6Enbd@D z?To1>QI?RC>}%ahNT%1qSke!Ws_jL_Or?bqLv%v7tFrjCo}?-wc>Z(!XW-p`V)jF_ z{_J<$0q<~kb>2(tav(H@^pg)Dh$fLjNoain)L(8@gkYV_9aUIu$xzfQ#rXzFnJAy6 zz14d#=ZgrozGG{iDjKx;QgyYV^$^&B9@h5!Uf~bsdc(uDp1@$SfOxsUHsZHMohwQ(Eq0NX5=OILEk|sYh$4*F z$Hw!(f*qEUOjyN`PXS01dyW21_rnTtIj7%gGq!xOnz}_5p#^MGNhgxv_N!4clcngi zmN_eJNxINdOd_j})LDe2vo>{ufOMd6b8$&REt?@p;1DND0>pm|JjC)hjd2Xdq)G$e zN|eeJ6{~@o@PpW?%ZxQZRVq~t60TKSmHk_U$C*BB+1gP~k@1p;CnFNoM^d+f0zB#4 zCz#xpVG{}6)j2zKE?vo1pkg`u@nj7(yjEHqK}gbsEy@KJk@e|hORh6bT{$XWK(L-~ z76?VSM!3+@basQx2FQZ*sl;7Xe-xtQV`5yCfChd{M|-Q30xk5`=*rU)7rhk=LlEYx z;MF~KpBF57Y>Z9V5#$c`k~qTJNg(m^-|2nXvwbjxfUA%{fk?V{@!-Xdp#2VD>_P9I z;LiFQx75DS#-5D7%SBH|O(X!zfyI8F2u)Hg0&;@MVmj7ZR)8VW~ zeeu)AKX|Sx7rMKm|CSLO||h)u%FP?kkFpxi6)iafDD+Mjx2 zvQjt=EKbI74~Ooq4~vw*FuziH5$hmFKhr9Gc
RtW>DE0A^Cs$Kcp8fdCy==2HmfL(d)B ziKGV7CPd;pSV4#PG6ou)H0)oxW?aEJCAzN5KG4=S-yb2UKGO*y)0?UJ-=-%HQtWoS z9mxGj)ZfrwK_;VQ)FXk`_Ie+RT0zHdTC`99)kl-5mxAoU3+V2@sJIrDP``K}%@Onp z)fQ4e;7C)SwYs%olNm0Y*jyiNy8N~Rn&l0B#qu|ydYmX=1VjPu&x)ZIj*d&RwZ-2i z5|-|EU%PWLD8owV;tL}?FU&pBec`Ob5IGvJm{mQ0mK=!GRAmD|am|@1i~h4H#21Mi z$Xwx@)rKRzw0l{gvTtbEemm0fq;TXO_m$V=^HGj&$sI@OU&uy=MfWLc&0&0O!aRO5 zSo`9p7KHjy@3+l)KkHI}IIxubxjdz`=4-404#^(NHcBI^xF}*r^#T^PbA=omLzDMo z1Wk0)4T7y}#!FzaXm|~f5B`>&rYepP-R-cFq9_2oY8Cvpcp_-1-rZzJeOth7b6l#m zo#Z&wKIc-IA7F1`c>7#(vDgdY*#0zi`q2@1j~+pZz4ZcVTUD4d!%4g~@#yvOm?(8_ zfPt;Ov{s#&%*Y_Zc*Y&tlG++t)8M5JjaZ$avd6X}fMELb)VYB58bJ&pwblOlSc3T~ zirVw5=d+8H+DrKjR7BGJm+|HJ&8gUG2@mwh1Y~y+w}JNl<>I}bDAxrXS``}tzqawt z1lO%)(6yb;D*9*lE3?b@TDt$*Y7@%enX>p^1k)`r-9>G4-1^E>@?^VGjVR7{vAYpu z@%D*lz1cABYZe`T6&2{EYdke0XV=nl5bxXks0BChcek@+^pEou88h~ zP`A2jLlOagFBKqn6|vt7vZKgka#hKnFV!hbap``3VT648xcl5!BZ?+$$i{_^%c~p? zd2DW0DdyAq)%hANqHb3_<@XrjSfB>a4Gxh#r8HnOw!f&fWPnd+T`)}n2**BCo^FnB>UzHYg$JkFnw+?P=|$#av{?~s5T6H%*-rr8Ip*GB?{KpkYWFFy`n8kif}>44 zzdf@=dtY7*T}`TG@6+ZwjrhF9qek}I!7KnNc4g$+v1$+(`G1{?5FM29NPTg1UIu7I zWap{eU|#GO@6hbX}l1}HVUEIr%b>dUtXZrx~u;?sR+7bLIkt+f4 z>QdGEJ23jPpne5cV6^8Jlt6~vTu0x?8XwaM4?r&n@o|7dJ*I`!PHvvYgqT)pWkJ@M zT*_Q4TlKnP0B}qSMiyvrWYMbi?6zK3%~bguptaf^`N*Ebc(L*DHBx15_m@Mxcfqhk;_=V#(r?!-!-8; z@W)@wF29WCAK9Q&-+TT1aNWp!@@i1cv$nUXDvfu0SJp=d;LJ_Q3{d&~#58rZw>SM9 z(OK%CnfQy?`7I)M_{QPl0Q4(>9gp||bl?P~@&rPAb~6b|)wZHB}o+^z}x zYuNrFrZcBq#FOsrxq9I+GqKw$lW{ir_dq1g+;4^iiHWocyLqM5;?t>RRn>*9R8{&L zo{+e={VX4qu|T~AsVXd?qvKN(DTQ?@p{^%&Enwm(M4VTGKFQFw?m9j##BlinYx_z> zXnP}uioZGtad7Lcoq|j!)^-ZVA3oX75{#G{&xTklD`C@~0t|G(%(kBF5)^Y-`AP*J zM2Z{K%*&jD!P- zY~f9?xWmc5uJgQXY;X173FIhu|C!~0m>KOgqc1GVQ(HP`iQ6`gs~>@a!3UQTfzQ?x~?aUi7!1@9+Z`MY#jS8i}j-q7;W#WPLpnfV$W9UXxDbFfOuBanbr zNq|~)!?5JA%lu`&OaL}_sO;qh7@Ut(X;Famk;_isa~Q^dD}qJ$dQuI-mQ-x}PX!4@ zl=8`cxm)SwIe2oI&dG`x3E6b>v~dm-!jd~MkV{b2IjPBwgqO1dEz*eHn;YeA0Jy-; zY_71l@O$A&tcYDN_W|m#MOvl10gATk;XQvs*s-m-Bm`|y`pti0y?D?-}Ffm{N+Bj`?&M=?z-4W*uJj~=s*{vgO z8V=~XWo1^06yV;?gVY1Fk*88BPE2(NE@hq0Ny>~N+J#i*Z6~7_Y4^F1{QzonFF`<0H<>ru~EnM`@!n7J(r8%>E z3ZPbsHoYSWi6vP2`cb86oJItZtX)*P?@-Id4;4$BarPe_7!4SrSW%#OoT1_^aJ-7WOuEy+FqMAJ#;knunzy(Eh9_GyjJiR3G2P_dOUwx zV8BDPRy9~RGjvozB6PJFXG2<-^>A%AtRNPIle@na+GMH8Si(xb$BEneKI^mIcdabX z=h0RtQ4n-msv@yIU&BQy*swcLg4q;p;j)@(nSr>`nJ_!K|7mK9e5JtlAWN;QpQy@_ zAuA)z4V$jJC5B`?SDVZtUpxC&2^tj*3Gy8o@$B=@gR*cAL!2ZTA!{NCeTqe)fO)uD zP^-ATqltgz+#{R8>4XbgzEJWK85j+UBx5dr?Af}Cr#T!Wd^Nua~fg(%<-vw z12EMKs`@n}0{`zk-Vq!Bi2sqfIVVHJxrfpLni1Bwe)*Xx^p^U>EmA5(vIL2T9=9&a z%Pl7!FU$Pf~?imNVgZ`e*abjZ+~gm^P)>WMb`#|*l_ zQ%nppFhm4al^rr)zD`6}a_Z&^F~N5zeZ znfp1+0klDFK>{X98?va$%H^s%nZlV1rm2xeYp>dzm zV`X^EJw=a)_K$w$UhqPF5U z4t&Rcq5mR36%7HMq(YIEfeWfRF_gLgL_Py1MQv16-C_dU26b`df(SjYnynTr zA@$PuG&0d@7;A7PsOugfM(P4xegAu)N~p6{z(QcaHgnBk-F`Tx2A<3L?`zoqjn6Rw z|65r|0mk|LJ7wWmrTYag>6>p^xRXmKE%HPu9v<-W@dEV(lfCUq$jI7~Z^U|u!AeU@ zr~V$#)0wc11%C zo!y(3(wklY=TOjPVOy(8qyB_GZ;fIaEUUjhtp=u@TMcqHQ{B#G)ifto_)QbQfNcaj zTkg^bPr9)mtcz0%@d=o`A+B=gVjcYD@-Z_%V6nG&iUJ{(2L|f-bZane@`)MDhR4Lj zq$JyJW2(9&j+6gadQ08)g`v;%rsdu(YLm;+9jK{>S$|6U)RE5OHdR$s(<}>sm+v!A zQ;Ns}W%?0E-?RQR^YOoD{}E5Qz_fh&#Q4ZadsFaE#biWpZ|`)u?!t(S+gN*ope~ov z$Qi#^>QEc-u(e|PAu$C)*K9~R8^I$wOR33yvvFLTMGOAugvkQAACmVbf19-uI{IEU zzNd$o{j$})jl6f)XJB@1)R%j-rNeWb37t{ZBF}x7p~*VhM%n_QHBYvs4r`>*oZuw5 z$PERJQh~{LzIhN$`c_#@mt;ItXV-%V|b+%UDsTn4-8Fi{nBOCJj^HK4&rEL z$f4|`jCvxp9i6tr5?jMDaj}VPz}a~ue*&GAW>+F0QcU831{L1 z{iwl{TFw~K+S+J&m85ns1b zdWDiWa1@3{%Llj)`kjH!{-N%G8ms}^6{o6{0L@=Q6%BNsDwEwXoVr1de@6&gX`ECa zP40w|u!Q+FO8Cssqp5LmHoYw0;+dyx!nPrgfkJ`reAa2W)b{JrL?(dQ>+BeZsPG1p zKKg;3&5q)8N@lPNP9exW+7dQXCR+;LWc5C5gSdMuj|WfKM0Sm%Db+W-8Gpm32)rXw zZJ``eQujJUli1J)`|>-Y&Q9)HHPV?ImQ}7sR$hC-xRa9f!X8E@$VNPeW3w9)+h9SZ)*3>& z2_Zs?ieR^BEU85Oi)pxSXh|osSVw_1659Tt#&r z`VI=|I=a3JpfkCGP{O7I&aPH%-^i3WRKYh(qvd9^&Or*#@Vrt#KxPS@+(qB0ASPDBg`43|610tUGJ1$_|=xi@dHvdVc1d=&8avW!T}Q1LjlV=QL`GJION!W^9F zjM*P4*;?!qJ{xC*0eGNP;-B|yhaOgp+IX#DhiNSS+>&V!Sk!ml0!^r1j(ftWEHhQF z2N1Hx5qW5|g9VN8ydBG;PyU2U*z7QyfS~@jGFvZ%b_g+=QeSL?5%ONRh>s30&_;sY zo|z6M{Yi_+XoPZrhO!i8)qQz}xlO3^b0`lN@TxtMtYqh$vC3?q~lU3 z-$(0oMrmmHO6USWx;BrNB%H4gR0%XYl3}G*`US{(1p(N83lLnT_pfE*wlD-rNT$zf zce%ojp>AGfGl-`iIhUps&oyy?-JC(9+2sz`LFHi^+Yc+m;{n*8FiR-cuo!4T4Z(Mh z4L5QskL+m44#K$M63g0^$x3IvOnC{@5({=I=Yg2FZ{HeBOkS}zu>)_A>*#MN=Sl+y z>D3A9gZcJMY?d!jQhNj@xb`o%Z8*w&>Ag@ya{@n3MaO^nY z9tps|>4>q9fY~43yX@aX82tY#qZVt4c}q3+SaLifE?wHTRC)i8VS|%ZM^W+xtlOKg!6+ppz;a zA?X;@tv#@mdAP45AdwI9BA={Z4ge1TrrBbc8x7l2)N7+pTnB1-CAFs7%BS}^uWHwz z0MYxf%S?1*!Co_*oWI9ovicL8P~3AG7p%VjBGTzqtFU9U8ep8QnbCr;$64ko?l^~q zldx*|ZcyQ|lgym{qwH62RDo^0*nD{H0Wh;l0!-dbRSx#?>t(zp_9Y02KdM zQcO#1v-Uas-Bg}Yk0PQWbd%4cXWtUgtj_pqnJD@|f!zd1pEpNvg9&}VQlN)zN5z1DGYr+$)suHx>fgXa z_IgaffQRW+#Ng}w7j4DM#~{>bQ1>IU@Ry}YkGzs6hDxjwVNpnK9;O6YGG zr>Az>w7>%4)b}FOzcXgyMm!Sqy=x}NvDO)9Uxlk1luDn*)(9lp^FE`_j z=0lTT1M(*w%U9a#Yi_kQ9T&LWCYo-|ggP^h<+HjyPLpFh`hXT-CXAO%3h_=_RtvD^`!I9XM1yrsMY4 zD$MNZgNc=iTDyFMHJVCxW1*~I+lKX5N$2KqBC1>&fK=y`@9V=}%2HutKlVsu4x?|m zP3{OqAV8DE67TJZg7)@jY{N=n_^-Z<3nw`6dFx{C#GO;re4x_t8e$fJ~BpsU8%8R{2hEqi?+{) zaFIA8pH|kDBeB{vQ=Z@u*}T_nS)ta2nER`4vr60%_K`7J7_$KImo*_JuP-P_8z`@4 zF)f(c?hU6>)-qqI9)BrSX{t9&*4*4^SI|BM=my??HM9auPZnm^%Nm*QJXKIr+0LH6 z)Y9NOQ|Nd2p{ElQeWV~ek{qBvCu!INnuCIknd)r-bgm92x>sv^t+^RRHOQQ@hZVVy zkokZb&zT{D7$h23tC1Z%UKx0WQJJ;)YSk$ATF8Xu-y(%gU)+|khkxw7WABElBRnXR z#`DV-p!08N#l-;Q$!hCDy}i9-_|#MrkXGjPK8~epi7lSOAD~&py6!Gbj7`!;LmQx{ zi2xjFsTTE6{&S2cRBEz%h>R%*??J`RgdPfy2%1GDjBPMkb-KjD(RSpxqoVDz#Y7LMQ% zdSvmKtDt#x#EF81jAM3|iND8;kAh+>p-qBZvU0!gV&yzTx5o|^%b`&Y^hNB{4lMd8 z19g)t?l-V(4hW`F@z5plTi?{Sw{LhaTdJmRaE~~9QCH8&wF3uvG?2b%YP2O|(Yr82 zN8ws$Uu*ZGF6aPSw~SJAfYhFPa{i|(Fl%lZCKk$80Rbs0f=E+(FCrpcL3&k6r1u&^5fv4IZJ}2Y zL3$@h2muk08froh(gFk$Y666i|Ki@y^BzB2?}P8)JMln&;7ZnY%{k^6W6mjXOoDY} zA*VQpu?SXjLgq!#<<012%L)Gs;1(`)2|s-db8(B_i+j5&Pp2+c*P`>tqkl z3W59bYOfkr!aQlRgpVu9@Pp^nvDIX;cr_VZkws{2Qf+%h()0ji4K+ zPpBMg*0lnAe(r$%KWYV-l+w!p6^y$HHtzuJMptZe9%ZNQ->p%f1*~s#LkOGm_KNFz z4~?f(G6r`6!J54biML8N6BBDNIiC-i;!Z#wt(7WKR(|2Gb9dfCxS(bISMyST#frdX$%BGf3F zE%TcgW>bQKkK0UAJ2VGI#9RYZTx!%e=&(f`bk$$-}Bg@%R(>Dt;pX2sN_IK3_TyF{mIK*$?nVtp>GhBTeBUQ?I2 zWj%gI)Hki}PAUQV@Y>=rX$XM23gI7sCXBxLL=GJC5Sn*M#V24*$`5k`XU9G&gL`t+ zO@G^cv-f^AJ0aovw_yPG9QR=+2n=tnuA1KV@9IrORMP*NcN!e9{3^rI zKNe-J|NEjI3<0QR(^Q_ulP76lsp%^{uBKZpIQ=*olA~3 z>$-pVn{qXQ5=!X@==N{l@PFD~qIm!nFQl_!;t$opDD~K5s^t~($#37d|2arX_W*q| z!M9H2Pd^#+u~^NT)Bf9;;eU#{ptrzT;+c0d|I<L&MnS5*Jta{qH^)-D~_0v)5} zfBMN31pq9o8P5LOh5Y{<;<4Muwve|aw!a^?{`pM-fHv(DyC?elLF%7FQ|U;j8`N7L z1n9u(pVUJWx5gX?QUUaJjVA z!3;Y^S+fO%w@;(Kw14m&JD9TqFFYDL0C11MSc_K+Qo=x@d<9I|3tG3Zvf^4?TpZ5< zXdrC}1QL`8VB`A{z@V3@a*DoSWy$Hx@LA!_vioTs^Iqx?aKKND3io;4HyDPv8^ zlnz7ewRVal6C~{5^8Jm6y=GWJTIcJ|o9)4NW2>2w`Y;IqwpsJY{dTlJ&QsM+{Cp zqWr;^ojVM~A83r^=>s0cfT!oUWkrEr&~-7OaH&GufwkVB3~|4nR>(S*MSn!uGb-$~ zuk?$UI{eXB^<@1`t@r+fvnyOmq>kHto(H3PUH1)FWbDz-3+}vzueW^=Do7E+L*Cf+ zK#QQRh_tmI0D1KpB>wyH$)iHu@#7Q`zoBR)=iL4AzT|#TEl@o+^D~Alb|<|%EVYJ; zb2}WPERT*~K>Kds&O_9NkUqLFVEP_lP_IE^0Ar}?{s*JGwvg$dEYN1L)+W01=)J8H zq;*Gjy{b6~(%RIQ!7aJIewI#r?Edd-J#>s~0>B|ykLqWkDK9E|9lE{bTtl0Zk^&7) z0p{WY0v}{(-yho_-yX+NxSs!h4emBt%X&8aH6mU zAIeV~{ibL9KQ&Mj@9}%y7OSvFsB)jMF*QxHRR~xf2wJ}tzPAw&@t(c`=uTBkEs~ZN z;M8ZMfyJu7r^t2DWQw$rWg^fY2wN?0qQ8Aw13@$)rR8?E11T6_VnDoCT4Z{%L5AG1 zidrz8H6bn{90w?}E7_EuQ~A62cA)9`I%g@+!UM1(1>067=T?*ih}>{s8iML=c4tW* zqbwyE7qM*43@NHd$wE$vi=#nliDindq{~2RswA=H(uDWZQX7~g;O2dztU_KX^MWE@ zL7w!^syG6p5ywOIN|HMc*|z7>#*ufoye5nfcGkI_omGa4c6WEH+!o&)_lW#<3CME+ z2t&+>B z_CC#njAUA(GJiAq7eQvdzn-JQ?lQfl^@{`SD@*bZ|e#0@|cWawWKM0-zM;;^Ug0>dG-{cOb|mU3|83dkQR<=<{agb))Y zHQK>48TLu1tB;^Lkee9>3XvOt<34fQP(ke=g@hy+;sB8?;Zy-ts(G_8ZnznBQ>}3e zeLF1iHhmibOnP1AvGV>;$SKw_)#$u+YvO^8DZsCNic3jOF2LbdSMvbhizjJ$@Y)B< z8d1*@)({oO012(u7P7CWkp<`ZBCT=JKg2@ADG(0m zCA!Ss^+}lIfw{Dcq~XD_6?U(K6XO9)sYpAPrR0HnS|<>udz9lpSr@JK`!R3>n7PWb zccXhJdY(n+K0iGT-FZg1+`~8YqGPN--oS&AZ8QB!)a-TT-8Fbt_juJ~?X{$0<9t&3 z1DfX#h9)DkqeG=&xwf_lmu;>zxLdN5N8jJXvWcF@aF&#hE^OnS zS+~6uH(d(daxjqyaz(Gb64K3GAZs!p`O5UmpFe5urKvvpqY3%yz?l41a{x*z?gWDl z#l*ytnjvJ}`Ht)~BN=YcaDl;kU|L#QUgSkOB13eq2QH%SDD%DfM{k;FD1Pj!n#AF_ zrRgHb?s2w$=KhNnXxR3uA`{(A_3(CxOam|`HsvBcMBF!iexaf>UIzO~qnTv12em{+ z*$3`JlbH7Y&emKfDj^&6#3A_e!=3h8*fU~C!?1g*`|FO0UK0f;;oMNqTkEHNPxH36 zrXYOM78;&q$*6~R&vg+)Vj7ucCm(A3=1PqJ_hVnxqQ4$Y?lwa~!S`m9#jMl$XV=y| zlxBm051)7PyP=MeQOfh@bf9-ebgW}Nbp1+);jiOg*CmE&A2IJEJ6R5tV@?T9NqljJ zA;>(&in`$*O~{Cucr}aY_8E;9!<-6i`1MAkLID{AzhYwH2hZ`(gH{9cdyswanLg1! zSuVkUyoPrq1~~sXRu#dH53r^t8+HjhQKewKwDu>?DDo~&$dEWIZrk`1z(##xHyPz= zwD};VZ!arMSeBx&2fJxoBPNNa?%ayz_PIu3d^Hb=YKsI8S? zeJz?q7_*N!d-W3On+`I4v$)vF6S=kQhZBYZLzNFx7Oc}UG{q|7!4Cll`Kv0Fh$`dl z5&h5O{mCEC#b-IwxDMn!IG?NQ=)BgJ=sN+J$x%rYpuTjOp&F18%sV{13D_+Qb~;16 z^!x?HZ1(51#CNSREaz4ZfdMjF{66>nMkjB;O~Ex9SX9nsxfa z4)qoMmo5Ezqa5@7apFraXeaDxV`NM=aA>$NRyiX1Df{CyfBf`7I{>3iEO92fC4Cod z?_1$7NlV7*k(-4py{5Sa)pQrmI1##&YZs)+Cq93Ea+lV(&9qzd+>n@m@^U{6O+YkDC=M=e&dEu`u^P$(X8~+Cu9Y~f|J+t3v`SdhPTO=)+z_%^J3O- za#~C2^ZSs^)?;SM%N3LLzKL2uTaLi{u#|;5cl#7n-^3V9Ew`uTCT%oQnH;_{9IWQw z@Ztsi)>s>rz3-{vpU2K`>W}(j9iBVTOUrwq%WVt5C1z#%)3!SI@3RK8JJ3W=D~|ld zXy9P&l`vjuZ6#;IQcxX;H5)F|@wi}8QCxk?F?z*s>Znu4W?sJLvTM@!xjXw|{ph7i zD}nl3fssiUj8ttC6qn?;<=l3<-lwBb_Q4Z>9jB~6$$7=XKshhd>NWuZBD~8hV0Xsr z_;{HftHBeq2|P;a^}xu}YIiQCn~cxJ|4z$tm2I9I6S-deaAVj$;$idCdymBi9}fD3 zimP!4VJ2Dy6OHUzzFwP0s}#*|5(<^v6aFcYp7S!`Xm&V@%7rkEImUI zr;~Fzyn_%bD6R9g)~*Jhz0vX%F}eIki}UOvmR_xEBSL$Ek}f3B^BBSm#U13hZ1&MI z(5UTfYHn?fnd?U~-3+3Mt9wZM0!|xUN6An_B;!3{J+7w+%yx!u=>iS|$cXo;BsEAO&UA zgSs+D{q-4~2)m7$)_;pMQctNiV$iF)o?k{A%9CUZPX1Xa05-DdM&A<_7B;;H6%-Vl zpaqtfVM0wDq1?j&(stg7S;%P3GBBAQnYmih+C)A zxPo;}*(rJ~)na9^J~lvqMPSo+v)Z}S#S$8rRXS0t+g(N-)mr&`=%HdAUI2&%=h5

s~$IQ6KM3deX z+}cP_w1@Bz8pYhTs5kyNZ@m*^WgCy}9K3RjLH{_6@mG4E0R#wdyWoDVKYgM9Ir{wH z=^5z~HqQR|_1}5GwG03W5i-zOHGi}R>;GNLS3W>sxpqk78}eWH@_<)BE&%W(c_|QE z`p4PvKbiHa4Nws>BGfPQ{x{xkR7*3EayOborxo1)D0BaB){kc7;AfTpF2Ncb`~R!Q z@5$A}J$Yq1){QHFXJ>msmlhW8dwG>7@=E^~4rI%WINfB*aAFVM(l6MFGKx25jtK%=F*E2bEJS6gdxp70YR ztcR93?PhP_n4t?xUJ1giWm!90P{m5nzhjTJX!FN?HyQe|^OhR_y$&E(`un4B7jOpLL8y|5jf- zm(2V8e1SnDF#yQ|~*ozz-WJ^7%f4HgF z9ESoJBw4(4UdqCWaVmUB?0x3I9o-(?1q|N|2$FoSBii@k;|ubXzlWWv{j}?wN2E4+ z%Oq2ZM`zdRF28LZ=!9eGc+)*Q%F$va4IL1c)=ceSoKdwI#`DZzMTz>9+8Fn&n6^D7-J+}Me z`F(T)muK(P+h)f81Q%)5_$Bazws@H6!Y^dxK|!ObVa<=jygJ-(>A3 ztTel|hyDh0IKWEBNLSur8gS|)$Hj|38v}7`Yb~!|zt)IASUf}4 zQ!?=8Ki|Meoq8cEt5-aw+}>^V)1xCB744nGf1c(9&8M>)V6H|U>)%+rT`31ZKAXOh zqmKEr4W}_8slf5lmB3a~?JkHgoSz=YiNixT=WXF(j zP3*k&&x5sHNzkZ=lzD2rEgL+MWjQ=5;Qq=DMS%Xr#FVaE5+P7||Edzu`Xg(>`syXr zJ>sl&kXM!3DEK~m< z6Xj$clzVDER5zuaGtQ}hRgKc$?saN9XPdiXH(5sv5|IL3^x95!4B&>(7!FdDv?8UN zu(Gy=+a*dO-|D|bs%7q`uY{`?o|J5uWCfI?xWnedU|cha`Zjld#B9)UWvC#I@^;|L zml%&3U{tVpznx4^1aGk$f)}HKJLD+0c2LqSao=lUIShZH05)Y9hOc@b4sGqwRgrTN4rviCIUB!k3z@U0jON51sHB$NFzlW4mns{Sl zZ4l|2Rd@z<>yap&~tKfR!306NULsWGKnAo>}4ee z{YR=IhXIle^fW-I3&^2^D=lp~wYsbBcKePbfdfg~7)0~c1D1ojDawp3O6@tu-cV^z z`hpYTEfgTCrgjkA5C%Ip{$9_*BTWWNYLsff$gAG*=BYD++@!V=$%ri_!w>r-k+VnL zqw{OdObl-5tJ99u#(0K6Td7s6ns_t2eY|sMaCbF}|zz+DYYaT8kE1b9Ty8O^- z!Imej;#HWfX`kE+G0+D6;xQLo6^L+VcrvyI5W?o-1vDJjjNg9JeizR=e;K0jXYVnBs843kq^ z2L`4L&5en;FW&YaUG)mOO;S|F`pR;R2-PiTzQZ0*1q>Mq2aUV zE{qgLV6_i%mtcfz94dlbQDuwm-gbYp6w=EjGt3$uB6NsBTm!0G&3^?=?;DY7@p+Cg zTBEGM#>i>&Tj-@>M5GrY>JAjXymB@_n5^nIDGW7D#|88T7dE-uZl`2TTln{IqNe=n z;7tK-#@`MQkutcHr5u~P zJ&yKoF0KVbHNPZ9aCuz{hEwh^f_A%3WnV=nHn&=yTQ$kKP#*s4Ok#6e7|%_rB32dV z*|#LKRlW-@N1i>%qYEC)UB%gbE9l;Dfg2dCa_t3|1ga$BBWsb5cT_0=A-MH}BawUv z9|oJ|+zzvfE^qFZI2)OKtXFb{uarD@RQ>Yu{prW<3nII zF41yiAi)TNEIos!ESAgN7V3kM3C7Cn{au&QM9%om2=Kks*42CE3jFE$`3l;?+vdrH*19 z;bt?=xc;&&sGL`lFM90=!RB|?Z}DTS;TGN{xowl;8_BZ6bx0|jTv+MJuA+g0(nQ(eQwfSzCdX;{_3(d>Kwcd)W*1po&xV{jc?#j|qXM8Fw`Wm-aeWzbr=VBhtm-Wl zEtYNl^|WFT%I7eq<&eYo-6yjYEpRSn&QFn_B4VQI5)(rAZ<~*`+8K7-^CXF>NBQnA z`(>UvVGyjrK=f^ei{r@Khu(9JoP)Wy=*1^7ot zs!KtGQHp&FOC?X)Rp98Ih#hhJ-orc6Ck*3=!=b3%UB{c@dRPM%@ zxEq}9o1)FS@xfmCFCxD~B9GNs11`BFj*5c{?b+;MZKMYFVc$#6Y~w{(f?HEYf|;yW z78TNWx-VV!gL#=ko4HSTeDIn~RR0CODalrE;J-v;3jZSW3H8lqfIY>Cz)}bJiV8xb zrLpxdNNmrfTmrPd;_y2S;iS7HpS9jp4t-q8dy(3)| z=~-z7)0~mcSa3BnGY=M&CsavG6}sGlPjnN%bk1JvJ0b&m&bqpp&~OCLlB^y3G6{w;KG4JG3;(&a9(GFR{7TW?LkY636qjko3&tOqoXzLX6rs zWyB?V2&-Ewd0QoEt)x|h3z0 zJq$G|5X%zey4V~FPTr|*4vthH-c<50nGp%j4u!rA-Mc6(yql#k%&Dm+p|EA_AGy-Z z;Vk-bJ#dglY3yW#M9LM^^fa|%|p8x|=N zQj=e6F>|gn4{Jca#3(w=$pv@{y^qh{U#ha(e$Mr7dU=gl`IWdx@HL zWHeupcI9jne$eyVq&}6ir(jYdV1R+r%wP==KTjI_Eh&XX?gg{lh7GMYCNi8L+ng7u zz)?)XHnW<&qDAXxtCs=XSKG?KLn@ez=P9{+=(6(Z?jjFODr#+A{AnS<(A z-L!Hn#EP`uP&7VOXCO&QhYG` z8dq-bI7BPB{2D7926jOp~z1>E%u!(|GFF-D0>4*AE} z+OwYabVXIRBk$gF1b7@1d5q=fUmQ%9J3e=BMuFD~E_lnvenCFx>r3VLFZ~v_ozOSb z)}5_fi+(UDIyiHEiezmNY2!_&b!0fS?x4$mHCS5BSHcVj*I4>vH3{G*`V6KNJ@{Yt{r^sL9iC-nT*DL?qLX^S?VOF^BS z)LQa#Bp^n96tQoZy0*8)B67klfsGF55jj4X(!&uMF8=MsHy7Cb;*pO1a22e`V3bl&U1UqL8ikbL(HBTA}@{OWQxL2&ErDBO}~b4Ygv9GV{>b zEv$Ib_xE>TuF-6-wmt+R;1Sc@LANUVcg+(^FW=owU}MG7CA$|qWMU_=Ie@?CzHuB> zFPpe=7A3ZEDJYk1WQmT({qJJ(%+B(%qXt3*ug=EAJn8`nG)=Z{Z9c$$tQVU|i{fYc z`!vx;`g5UD5Ab05c+Hp_GVb{iox2CNGIJGMQ|3rT7?E5=dd_fVhPdRJM~Z_f@3wyk zdH{nN#5iZ>X~d%sgG&LDq^2jR%HATk^Zl5>u_(C~P_~OS7TMU!1BrhW6}e><=Q2U* zJ2Mc5dpYfIZ!<4Agm8>ZgSnJE!ZR-kq^Jgq>1f zeyP8|=`oq8pTcSOpxi`UVb%CUl{syYMC6g5$e2u|K#mo~M z>xVWcMZyoY6K_i?nRp#w;@`vFOSBVZ`zGm6tVDhO z%D_H2;Tq|PW^}imIYkv*wNDuc_3JNI*ct(fr;Iw!K{JK`t_LeKEYdE4s1+3~9slZX z6ArHAoW47Ep>SEH99w{hrYg@H3fJTHf(Jp&LSIcLWh!SpKS`)G9Hxpa0_94b+%QMt zG5`y5XH>FLnprGOou?O}Dw*56S)dtbW}TeH@`%vVeO26*3mr~Q8I{Asm6NsemZxdmuEO)+$>(?!f%e~1+AUD^j|3Mh zoK>!KPx5)TI9B& z$b%DUE{lP>anIQe>xMu}_4>p0z1=e_7n#_7-YB^jUl{m|lZK^SxK+>tZH|aTo_N?7 z(&W{nxc=l+Ezc8YwuB$X+}O`2FCYzyFZ-EruHr%7qoe5wO7UYW7G-m zQktDqQIoFD=GJGeMDHmEhn`{w2cE{waY(7jX|(jWa9ygfq-N$tkKv8Ex1+&_4miBy zNR&ZgZM|g2jNeun5i?-dmgz#Sanu#6DYazEk_?+YZD`tDM^l}}?@;&*kEy?)S?zqRe3A@dvs9wvA^Pa?7>I&5QnFWOMKlfYVgCKR64(?3=DAUxLT@0e1nm zPz$RbOtgpHen#B}XbCCckshxGd+&ER_va;@KA&MBdh1omya~krgR@bHqM< zI1#@D?XWDgEY8ZqSO&9J4woa9xW>x0DiW2H;KQ91&hGHp89Uskqxx7N`R#X6$kd-8 z7V`t3x+v91riS2TLAU2r+jdLmRI46TB!b_jqjoQ4rd(~XSIqN&&2Z9v5G1l*_@&5P zcFIQ;*e_IhbYbGxfVFVo7y(Uiv_YG`>L>B?}xsrw)M?!VOGPD(^ys&Hn<>F|q{U1jyfp~?g= z7TqI(&=7ybDOtj~m^s(4nt|<}$r!0k8`c8YX7APX zFV)~lJTXVs3M_-mE2X$UaF6}S9F)OO15qO=)y&v-_1Xw|!;gw#I?3X;3spAOXX|`b z!^EbO`>S9vrNj#khZ7u9Augza0g(r;-O|5(B{uUh zNSwsMy0%lcj^ta~XTCFC=?PCtYxn>sOIM_bk935yc89K#irn4I!NaZ7FJFCt1OdkT z#l7gy>%=1-qSVRcbO?H%XMkTSn23KaczTIdHT5962qu!Q^{7Tc4s&4)^TmK;kiW9H z8+kVJOzI1n0b+a^rVv{Z-s-e~!jxOvA;!Cn$)Mc6@6CoJ++O1;2@#1J`=(!XjX3Wz zr3@&{TVQlIyg6N}3wy;NQ(@3a!4R6w=k_^Y;LF(dTd8^mswp%dTFN*;^+Vmw$-pTW zAWgJ)c)ThI4Opf1nwrr|!0A^p`-)iqm0mHOR3>1`Kq7B4H5Im^ou3S(tZ;tP6 zUq9kw?9Vh!WOel`dS>1MCV<7i3eyb^ef#Nby6}iFKC0?j9!;U;)b3ux8%UrY&gJ0g z?6?YO+C7=p6j1I+u&_?z`qpX>a^KcIL&R-9Ty}9UTMCL@Of`A!R;x7M=sIRn72{0; zuukCoxFzU)oMwfT$(mNU~UKAtP{!A(83cC46Zo)TUvx7K)YsGTkU7yt(?zJ;%X?; zz#8(e0vqgm7CUXODE5~oNomDcVawCFdmlVrpZ6{gl(fb5b9ILF*VWzTd+ujETy`RY z=_{(*zVpr7me^g@-gAW#mJj^v_@)A1x#l2(vWwhN2EkopjY@hjSYMHMwcXS#&?gp5 zpRR<1K>96ZI?eqbc-l^^F$V-Ga#)TROmnVg5hspD^a1jwd8*|!o!45}ua}6UcLR10 zY-YFV`NKT$xs;{TeeR1s(}>-J@V|6r``BNL^;MPiTY0X|u#xs_ch9Vn@Z85I@!k#K zBxY7*rO+<>mQB@uCvOmo7kyMq$VxqRt14sI&B?z@0J21E?EL@*8U%nq zY6NN6zg&puAdbe${toHieC_ig31lF~m|swk{t%e?DB!t<*WBJj?Utp)97F5-m^F&C!NdZq8T3O|g`%PMZ5K1R5n%QMCR zd)axOcxD>ih&JlqT%lBjZM%UU8eR_1D}vsC`dCubeI6Sb?t)TCBAV697CwE6RBzAX zw2BFb$1$9R)%a)oFDn%EyrU#mOBxcG^QK(sLyn94($B^)8Xj9qqMM`95zW%!x}LqL z4}nYyapFRq7zG@wXQ)dr$R`jqYbc3$CU@ z^)mX21zfD7GIeuW=O*N9u@Au0x#clyMiiuXPo&hYVVOuXnrpAZ(u|3?T0*|4Uo~B}JY@fsi!#Z)x*n8f%2j#k>vKuIkVKAdZ?HTT2lNtTXj*wY%VIM0 z>p?OA}A|?^rCnb*xNDIr9gd#~s z3(_diI0b8{NjPZPT+ zlv=&l^u$|TSqDuGXNmI-WV{m4@ikCA?d;-mcOgwR;Fsq6f&8l`q_@se3xJy86vK9I zj#)f{+_9-aiJ?3&sxB?P`nP`Kua(zE3^I=d=$`H=4%}DHK}J&b%ef(NNW*6aUI}mN zL9(sdO3Q~nVL(E*kv@Tjh0tYKY=>61+ehWP9E>`!iUGB_6)$DyFQweYw<_bhb&#Po ziQO1uZ5o)=IkUC3_aKS)bMN2G9=(ytmSMVoMsT^EM|4@?8TAXmv-Bt==3K|}`9>et z*E+6CoWRcYkH_6%weEw4c=Cq*(Wzpr%sWZG<+w}7Zdxf{_oz}A;^+xI$i3nBX<1iR z#3m;(T{#>_qJTCn<2RgQD7Pyq(gvw)SFvv3q4DJFhR^XD)!a5rts>KNOhiPdlDH1A_5lG}L?l4d zqxWxDYSOvgtaQ-Ol5I~N)0W2hx{=!*I|A?jZ0QJ21A z66Yc~bCKWL-ji3mp(EkP_P$%cz&AkIT08L;sIhgA$$fyJk=%-UxKyjQ{f^1Pys_q6 zeI-6a{km%T)oV^2s6bWNQPmvFpo0q29kfHgCi$|Uzd2P{WpY=NqLzBlTy&~~tm>mUFzEYVO&BPO8NZV636Ui`xY@pJj6q36C_Bz$=d+O~+O)!t!v)2HB zXxu^BC}#Va&goNn&}e?uRW%jrQqIFz`arXhsfuQc1nrY%+{;kF{QRPAFGveJcb=(U zAAkxKJrdn1Yqo4@5VU8}o?S^1ahGEUBUzNB^72S%%;R$y;f2-Ko2`X8kOV;Y3_>Al z;rnGB3;Nq{wBP+W7Ei_}vQy**)Gt{U4xcs?)vt3PS{2JOf3i2H9 zQSw-IL6K8@3VAcoZ=kN}!~HOn8lYud2O3&7${9}DZ>_ZxdxV=#17`W;gl3AJYLORZScWf&qr#U4j z;t=(@OqLx0DQ;nzFWO&7MoueV*zgBt>2?1|%gJz1V|upkV+xy$5%66&vy$rLFY)8pE)Qn+64TWZ3zBBgk^8;Ix9+x4C^JkNO(^LVqIzjpFzk0Ydc(B_y+~fvpmEH}$eBrS#oh7StENAez^1 z^SNTuL_pmb%%OE|pBp3#?8Oua8jQaKE{bi=y(TVbct-E$k|6eyB6MZ$Q9Rt0(ZuAdNblM(2fWmMUUQ$1DO-r>`a7LhfhvxG&)w)yUT zn(_XGhskD}-cd=uKQ8`0dsjvYW>PR_86~F}$D1=fN!+mrk|>?F*;Gykh_9VRDXs;A z?LnjD1i0cXmedLMNdEWsX*coNG*rpb{Ovn3bWa=|uL}!zdAv(Xa$W`ca&wR9p4gmx zM&C{!!LqRBSiS)hw-H&YDEnDo8tsU0dGUZWC@5oa+~Aam*cNXR82MFPXA2;eI_4H5 ztdUE&2kJ72o)*wNF4Y`j)77*9B{FH$vc#aq#a}6p@R!TDt%Cnpn#;qQt%EcDK8j6h zyDEilpcqxktW@t7+2kfF?H(VSP)%l{DL8N#;LCb9sS&G?+0 z&ArmbhU|`J&d{LF4FF9YV?E~adnGG{oK5ha@@KXMT}mwzmV=#Vez>7((`s&%RNu7Q zbKr8X${Tm}j>Pe~u%xSO@fA*cB~whfPH{e3_a^()drz8f-g!RaMCBBxUH8ZJzwzid zc#=W4%H=bCItFs84=_(pcwi;YHm$He(Xv1HiSurj-}Evr(`_IpeRo3ms9!55jv4R! zYS=*9+ABZVrwg;7V$kzMKG$T;qUX4Xv(A{h&C>JTzITUY-|dw0t*2Z2pY?}G zuIPyYi0~OQaH2s~$z*5WIIem2*N*1RY@YQF6>8C{Dl?kY2{&5(_fhBI}H+9z@dMMH7qqOv=vXu8Z*W0^Qu>8tF-9&%Zt1?^py{d1$0o zvp`eM^k3^FduEa}!F+-&_Is~_{eOsRukIfk^`g%bg{)nu_nT-f%n8=19t_Uks@ zetPjSoVkv~$33rf4XA|#j%{w7_2Sii=~<>V#@5@dOIaCx?=t7ktjfi!-sB2jq$A5> z{OzB%tgZHytj`$cR`#-8pHQl4B+O}$B@ zqorRL-!Ldd$gk7Zq+BEOTyG;Y%k{jo8$8!(s1Vdr6(k!3QW!IWHyh4oy0ED>B@#Fk z9?8tSXp`7tTtgiJsq?Qak<2ZWgtx+IWn}Z_Hn)qu$|;EIrm69Jjba>f#(=^gvF4HGw=jmh{c7=IaTAf#!s-}uo zi2v1y$=od7w&X_M9377oAjao|D9+{BpKS-1#qs>kb?#0S0`WFgD1CR*e()_GQ0S*h zRjC`>UxLHDYf9NDyh_NAydpMde;ph(yv%>|ub~mEV07xO_!^^g7cN}525d&Dj7iMA zV5qMjQ2ahU{bpAen}*i^HUZAS=9q!*eCN1jwbDZVD0Rx&QcS(wnKJ#B0~Wl@*hW%S zMR)C&;e`wZduzb^^e|yHvNnm6FsrCEa7ysddZzIg57|QcKIqVZFhL!Q{MGoPI<(Ve z1xO1#fVu$MtlIobE#>aq{?n)xpmw>yR6UZX@z_dwcn+AHu-1s6DywYjgc9Fi*GI!3 zGfjB0P-ORN$+$Z#Kj^Q%Gplr-tIE_NIf(=A?%Kqh!-Od?5z$+1Ce7F|b%2>MCK3S0 zp%HG$w;}!X=rPC!Jkru`$0OaypBshbYM7Pbt z%#RVE@vyq0$VDGTAj0I}LMEj+*i56Dp_u`kh22?Hdh)3jtxTltPTc8>mzB1-IAu0M z_JMS+6=OL+KUe0zE)HNVNeM>Ai|Y8>Au=2z8vxaxgs@0+m0=A86oep#*@e9&zlNlD z2mJ0{et0=1zf2GMZ`yuE@%yt-XM`o%F}P*s)yZr58EiXc(G^@y6ixt5i;4wEE)l1(rvi)OjzA|kBYJD)(W znjO9iBMrh(MX3G4el4K&@xxB?3bC0=*omBoP6Vu%Mca-=c;;QX@w8J`a_-morW9M# z+dyN8*T4ipqE8OxsOaelr`){p)GY8Kz6Spe$kA{5FBqbTb*LWNh)k+x?v=YS1bY~s ziJWca?%d5Y5?I;U!zXu{y?G8LypJj&$YKI}UqjqW9W;4rF3UWYq_!FEGr zb1b}}!}sbwo6-=6(ehcbu=;gZxtV~uzUs(AO4+{i%ctzd(_RiK(JnFGM~4%1eHk5$ z#Q=D0j{FYUA~MaB8f2=PkrHqE>HW=+RRozV(kW{VOiY=3w)sc%FL%C@tmPw&+~+O7 zbYDoAWd>q76}FqP=#+t88&=E#I8rcff5Chubx6lhX+hdOyZq4js`m^P(9Vw=10aZ1 z|9+_yHKA=(|AoH$&Gwy?d`(?#g27F(*ln_js}I+|7dzbqj@yd&@;-k)#sCENcy2j% zivJrJzE&Xzs8u+aM1yqA%#uwOFPx;isy+*d20e)WZ%Ebil+K-WXQYz#?39fE7jLqv zS+0INsaclUR_dPW#vo;jWJ2{K=*9E^gTWt>D`bi0laBXR_w_3!FDpj3B(#oPHz_&S zJj!2e6hXdgsIvSBEY&A?kn)$gf@Vm#s?thYF3r~hi<35nw;H8dz$P<+#o+cr22F-D zspwfHp%X}jD-^?HUcWyNiIj_om_FmjEiBw;ytbQV6?~rJ-+f2q722M^k|C=3aJuKX zjX5Zof_FOshe^NoG!|yHK&x$awGCaZ`m#e9z~IZrRVlV0Qb?UCI#iutP5`6eh*-7I z`_g(20x1)zEHis6f#8S$NxmS!rG0?C$n=xM#&`&0qr*3Y5IN+mn%BKn3O)V2xF!LI zc(#p|l4X?we6WQ^9algRMaE~+d~kNFNUvbe%2WstsiF~Z-?*kw$|TWuwMsRpYu>L* zio;xiFxqvJVeB;n&V8Vq!NF~i-y(}+YB7;5@)0NF;Xo%#SC6Cp?TnR>{?v)D(HYS+ zKnJhQv~&pa^nz53B^#ViI<;0d&aTti9%0D~-}C*jXhW;LD>1e;tIhJW#%v&WJ4+!9 z;dqzY)YFj}zx5prvk(6T7k{7JCSwl*CS!yg4H0%2MSfaQ?+62!^w*wBSv)A|!MUrh z8TUg`=-%xQE|J2WESEjEmwV`U(uP9I1A3b&+Zj=$82~%^O=dv5BgI3;vQu^;I$etD~aoxBdk|Iz$0!m2T-yrMo)>N4ljMQbIZg zkVd+@8&Nu>yF{8{=#Jl+=e_q`&;6~t*1gZYzH7}NIyz_0oO8bWyZ8RYj&D!7TAX?? zs%O|N)32Y@a*Mox-yE6WQ1f#pwA8vWnr@pz zlHj?<3T9kxZf<;C>26SRdenTcL3yA1jRol9xNV7;lvLi`Wo+DW<&|J1iFgP?QGsUteB?0x_vEh;Sd<#r^UhRVP~YQzH)3|1B+NIs}B(5lAbr}WA3eG zNA{u2xIIj2XCa45e8+e4??D&AsMfrD;jy>W1Km$gN_&g^@OG%5PWy51jv=hf>bYq_ zE~mU$Hx~frMj37X9H$_n9Pv2?1_3nI#>T&YaITT3r}I87t1a1iioR(m_Eaua!oduK zJHnFzz(G_1ZyS@@sxH^}23$US)l%zA=di;i&J{=JP5$#*W|qQ>RtMOdhh(SPsaZO- zY4XjADaYF|o?#srY#h8G;T_qvT<14;Z@akW+H&l3cHRjt8|DUvekf94owTkL9!mst zIH#YH_hh70gS)3N8({&Sj5hhZT)nqh`K%SyK?1i{yJ|iZ!`?UY*F4?J3z_5q5oHCq zJZbTl7pb(vc(-IHT5ZWfeZmx2+$S1e*(ltW7$;Lm7JHr!U(O|EZ0PBHzr{~8nA8D=lI>zRC!ZWh3oK`ZQ|zm&$_ zHU^8gExvZUY`)iJt$1b^bR-p#R*AA&(Y{yRd#iy7M ztDSvW-gc3FhegeOm;WH??nL9PLR1|n-bw!a+1!<$0sWTZomMT*6y=K2b0MKc!}z#3 z%ErdF`_8I%o32H2`W`&`p2xP!(xd<~C+ShUOD!~a2I*#tfR;oPf7HqV+#eu-uA2_7 z0Rc9(SS#f9ckj&l`y&{0`2CVk-Ldzl^ahL&dCPmw)B{E5WGVL5;fJg+l&icDx#BDzYQ zB-mGj8XDH`l;Q=l9{y#Cps$hNuV3$8;Lfn(Fus&{9_w#Nxvu?k zo%iKB`6@52xj7=rIq#c&5g5XC4QKP(C!ENHBKAdY&WFP&08ke4#t*1m@QwUBV%$nd zp8#LJLU3{Yc^>r5_p!@(Vl_?wT87Amp~7DW)t-wZbK>&Sh(|?qiT@%0G|qS$5*3j+ zuh=-0dVK;KM?>T$hC6oowQ8-fQkKPv8K6vVAvrqM4~Q%kT|^X&8e4~plA#HDtx^KY zB%O$}v+JYf^+}jf;pj6g@Y)(mWL>p7t3i9tSYaL@4eHr{71C`D^Lc8$kN{T=Htk9 zPld}uIsY&v*aIWxYKoG>&%MCLFX0pOI>76_T2KJgtb)9&-Wj{*fBf>lghYhs!?pY8 zbN284Xa-z|h&Dn}IGE{~>)0Dg0c8RBIUM}1`5*U@0v|sEWPu^EhE3b?XPJ&`4ZFEA zYcvQR>a9gh*CifrJf16GBbt))OPFL?o!xuT(K8p`K3p6)KUgneUH|nWUm7s?Q8+W& zgun^$a03v+Ht(fjyuF&^Pk%WFsBlH)l$DVw3=uwZ8U$p2XUTxmjfjxBWab$XAUuV3 zI>8k)JoRTTPrvoXI5NdJl8Qx-{(lspOl;)j9$Em(rB~I}qyZ?lmBMnn_OLzlzl=XW zPettO>r<_+5nL4{?*540k;$r9Ik_&@vhzy2OEFq^vrYvrXQ`d@F* z{j*PCDFGoS$W?)l^8Y{czkY7OC;T2g2WrEI4I!zBe|e+(XUkl)>j_|yy=tH~jQW?C z-9Ij||A~B=2!IXQ!UL9<`G3bw{@F$O_uu<*0ADU{(-4k-wyghBwEdsu@&J(yYlV~- z8GbkXUZG(E-8U0c6KX)_N>HMQo2POPeG9ZWn4x;LiCYEcBqmaKiaJf+GRkz!c)HR9 zIhroZ;ibDd6%DTnpj#jR*%kfw-@|$hJQ~FMJ(3Z`GODVvTlon$H(vA%4Co%;-VY_u z&huD|y#a85+=>cibaZq;VTo}ut~>=6pOb!fBnAod85+}8N1DPjqk0_UyuF& za9^?H{xBUd`$yA(AgRBb4j8S6092rOz%o@TO_0A2_l(DwwKxK2@@PdUiS$qCKr)|kHlJi)7sI}zz=FBqR%)`@ixY)zKc zWA1WUM@jPebu19pvP3VjFH)kq!L_oB{lA)vjT2j8E#mBL(^nG4DF4-Ya^eEvxY*$Z z3KlUH*U;zLLN(eb-(_GXur$yBBHJtO{GJTbei%{vt*2++uLp2nFX&bo!-p^BOkw0J z*M*TiZ;dJ0#)JDS+CL znJGF|s%M4*1>CP53CTJ-R&6&stVzz+Sj6eDFfvy6OgvcG7)qIk&Si)izkUNx214BY z0ES4CseY4pVPUZ9rQ_5$Wo}cF|1MDeu_0<5i*Eqt^PNre^>+33@^W$*9v?q{eimij z0T`>DHrlwj)S)3wWf}wd01|67ZsK#mt|S=?FGUk+2XJwSh2%V~9xnVvuptZh^i|Wr z6=8tJ-_zZ!Q<0vDg>%!4v84Q~LNi@hVelFK*)LrqiaUDBC`^{FJNB{Xb{$xO0L-vQRW>%PM%y=N^@ z0GWI``&q3$spmBL)O=peBmX=>bBe2frb#iuPM;-=o#2tPB7pQra2%dlPpfgSTgP7R zZVVh@4HSK_Nt%((BGw`N%J7F={!}~YgTN2s^7fKpU1q208~UW#q%(e_`_bLUgip*g z`KI+rPLT2TK{n%_3NSt+YJLV?lPs@$&fU|=!H&)Z7v{M>zeSwbiC^kTfEI61M@ULm zR<7hYBDQ-p0{S*oF6<%kcP@*UL&;EYw!rG;Asu|y3j4W>zn%yGIgIZSy7e)pst?0bxq^U@}K*g4ZF&p0vwN!_Ncd+r`^b6 z^6x_7n)`8LQ|0N-v#LkRfPi6nkRKNM$ky9_7YVR`ac#R+N~(KTw7s#X)IN|X;*%uk zx_(UV*Plr4oCHaT?{9@IQvxVB+x%rwPQ83$FpJllu~=}s?@FoB5(Ms5SgxQj&ljA| z2uHCPg&vrAHouBn0!vub0stx-BKb(*0&Rr32iwhX_9 zD1)1i=JxgFfXgMN#Qg$wIh~TC_rV+2xWaaJmsG$&!8lMT;*jNU{InIY{Kmf4R>JV62 zBKyD(s60Pe>Bm4Pucada$uSxtOJ!B@ur~iC=rE9=61rySWDG!Nl&ocSIPF5d^@1>oA0t72K~=5;yYX zQ3jpe@~b64%t`+7(S;$P#mwk&y6G4_`f6l&1PCQb3K}2r-EaB_gKc4p7hBX(*O-V? z-c98LQLSG+xa==%$AGj0eAU#{ zA`;Kw0NerMTAPnVTe?u6wf&prRrZ$Un6snMh=KJqqh)SDNe;Bh(u!^`dqPF1>Yr=j zB~#6G=Fnmb_t|OAvIVOn!R{JXXyLlPX9KOcBu^NLnFRNP0j1@T{&w<|0*lB7x&?s0 zFDe9RwkLDQ9H9#tJ&0baYK6N3ye|Npdl`?*xw_{rr|M+jgeOM`esl>OmE_y~QN7+u z4@?7@|T?~a}I3Ewk8>NLB50m8xM{*w98rFYWxFW48FaJ&sK zsy#zwPk~rFKfO5wn5Ii4h2?;Y&m1R1ic3TfXk3=rP$FU+mfLl=iAA^$(PU(bdfPk! z=1uQi8cs#MPHLmJ@In9klIam6_nTuWiSl~2GXDK?;eejB)1{1iUZ{&xOVd68koN(M zu=tI`p;FO9jGUBsF+Q56%JcVsH{tHMuXZIr(0FP^;)6zwtLyvV%Q=k%J%RGm#~7%g z$evx;1SJceBISmybynpehOL@8(v^P3U5`-dLQj^g#4&JXQCCyUy5u*k&r(xUt7%g^ zj*kTP_6C8Mk4wJwMp`10wC{iSdaj73{J0^6k%pOBA#+c!)>4CBrz)q$YI<1ZQBdy6 zw{LGMOOalqxor-oNu<7BibM+K@dL@u5{fX_7EN%6cBF7{6Bb|=m8Tr^xcNCU<&>*F zAQJ$GW3%`4%k+)u)0bEh9S+z-PXxthojZI`di!he6?q{F`An%VDX@rXWI(Z`xl_Bt z4TeiM@69_-aSX1MoZ2jUXc|FV3MPzk;tuX-MYEEXXWjceeHY8^kipxejV8a%MT>>q z`cl`i-r+u%n~l;W#$$*oTL~Uvyx;=tu@fVm0gjiaF91XjUwpx)y}OLBDe_F!Uxq$f zD<|Vgon5A@5l6eosoz|XW#g#A0fl{U;g`6Mwq!D^w?TqeS|VyJ6KRU zvBd~0Ztiu79NKO{7Lnom&Tkn_=AkXl*FF!KUUgZr2mW_=?aw#;xi=csH@m6G;Z(85 z_On$WxHYeuXz4R+Mg&&f8tJLh0ku$$nC<5XcyxG(8QPlqRvLxt+QH7t7eCclxDAzm z7*vC5`OX~&^|{CC5Oxp3g#><86J_kEZBHJ0tp#PfLkST2({Q}(eSGmMA_d=0x%tH# zN%wt>b(B3G=9iAei~Gf!t6Yp6+O3PGeXXD;sG%H`g$pUPu;g$m-fVN5qB|rW>B6QP zy93V{*Vms|X7p^&^DS>QlgqZUdLOnlmg#=C#FkrIU4169E0>K_643e1*~73^yi(9` zeWz^tb4e~t9zz*X@ zTQ|U3>%|&dG?MglZX}m?`_U4+gfavC%xNV0-aGh5{<+%dBgX|fcTJ8ie8Jk0j$ZfvPhMzx*N)%B- z+V~q}^=M}O-erHLRlybX_6#{YbG}5ALq@p77+r3;qE|1vMA2xS2n3)+V#IE+7xeL} z5LLUTHQU&^Z+t)7*>n4QvlE5h55MM1&f(_jJS|#hKPT&MXEOfMRL^e#6TeW1Ch$)in6kfkif84<3n3CfA<0?Zox;3?s$tB_g*O$Luqd})xc$E zo!#b8U4|~^d48?n&@1A*fmdtT>-J1{2HbsUF)hNh9)}S#wEwe5p$v4dbTPL;(5N$Wm``vAfT5?SMt40@%m62kxH2p zNm7B#!geChkc2)%+i=)?Q9(AI33_1$#4-RTN#XrMN{{b^f7ALCBAiP8b;`!TDhpUt zpoR5*NZe5Wm=$k(tB$+PU{mR?JTd-&2D@#2_WSi@+w#w;<%&i&W2I_bHSvZ|MjcBQ zV|!3S%asSQX*3u$ImBYLDYyv<9|qfu@^Uq5{vg#-l*K0Qe(;;(H4yjxE?xp5TSA)x z4b8pZG7|LT6%4Dm<0? zStoHI7nGK;;k9?d)@=~ImKDc(7VdaRpZM%vNXHWq@?oruF9pW5m1*JpXzQW>(%3 zP6q8K^X0jj)ot%v&|kKk2?d-9ZI}#NudTkGY508zfl1V|{oqgXyh_%x80a@z7H*yz$UL?r~X zg5MNr7UU@%lPTG_CkuK)oe=IktIzsN@TR5?R z^#iL=d z-~ZJa!#^+8iB1YmAQT>`&Gxya+Tt=qpq7P1YuR}zNGg)i18Ny+W%;(9lj3+)TOC?{ z2(QT1c9&P8FxMFx5x03m+`VOg(P4iL+$%he}SMxV35$6);*) zxs5YOk@zJH(`)*$+^{gH#b*-*QLabed>`_JIQ@Ame`*FSS=&R9@66%S?FVYUJl#D> zeGC2a&?S7R4-`^ZsJaK8$%*@5y`W-DJ`*_~5a=~co9)8k&erI@bzv&Rtn=ArNi1YKKXvp9vrw;8QS=N*=$Pg?>IJ+# z&tNg-W=ibNvyJX%MDEM9M?L)_IVQ8{V={-|JVjspu7nu4Bf>}psQMvI3_u;I^7FK* zasP`xnrczpHDVYv+q&r9aRY=QVIj^|6gT;J}g_b651 zM2xf|eXX{eAKI2HQ6agstqWATiSV zj%29XS~{ft^fo2C7w!8re5<}$a0o~%mo=g`^(JFZblKm08(L)*An?078>%LpK zZlrFGcszO>x#6gGnMsDQRrv$!0GE50fnLMr8BRUa(1Z3lGc+Y@x zTJU1^w#sXqy{D<)3>-zPUTegWJ`L{%VdCUUNCuY3;mtP4-223*qcZje@ z0{CXdx^7TsGFnCU-rX2SvfnER$#r?((fMLL9lY1S%*XWd6czQZ;aYv5v`Zx*Q0G;m zH!AbnE-BTDSmqm9Sy{hiYak%mvkdk3A4&Tg#^6ayOGg9k3wph}5(vGTcU-fd{9Uj1d@|M>tklb1hW z;AYTb-D#D{xFed>;nQ=Q*ts`~<`af4`?K`zEJ+)Mnbyl3Q?`&ovD2WjDn&VZwW9F7 z-UXHc9#)(%wj)j9%9fh4Y29Rcxq6F!|Dy%2<9Fkc5tYL(3;9M2Um)sCS}N9o%PQv) zE=WP4F7HwaaK z8tS1ocPhKhO-gO-b_n|#O4ES9CoK!`Ax#UQ>k69+5VqEmr1`+pSn=@OA-BkHXPeC{ZNlerpYW(jedr8dBczD`wo6Tg+YW?X(st*r)R+foq+*Dh>GtV0 zb`yrWlQz`OMN?dSvvIXjGsg{BK)^e@ew7pCK?HQm~!0umK5_ z;FGPXrj*o~lN?{B_Y{K9UE7`VNmcJ7srjUfE5DaDy*;fDP+jRBkrTcHeP&v&8DtFc z{#{Qha2$s>zM&ls>O_O+z`5Mu_VPjU_b?bcFs7Ly^=(89#ba9d3~|Bg{L1}I!;T}( zu5z_$72KOAX+-n>y>fnzCid*nTSHoDZ)yGpn#$4AY6vbC?zzIG>0A z&UF1y=8veAUZ)o=s9B)giPqQOkB%3xM1?DW=)5!GfVT`-^S^ulzI$KtZ4N1``=>;& z2Ref5)Zq;8p5pPoM}+|Mg;W{xq}Px7WD(o~-tEmg3_{Y7see}<;Fs+u3P86%ULK4p z$1y$pTM6HQ`VM5)7X&3q&0q}4|BW~A`$ti6wm#bG-?%UQDF*gDg+HchlS5yBTOIzV zdj2UPqB;@_3)gqA|BIuOssVAqOJ0KqL+GA)?mA99FOy?{g zpAZNlLSt9<@GalgkMcwhgNBeDM@1Npy=nG&05O&F$Cj4I zAb353$rzzS^QU)z*Vph~0r=O&R=H^c(Ch!x75hDZ&U}VPr-6Aq$P@=}URJ(PZdG-T zn@;m|>A%~%-4Lw&kfqL`)yF6DVJq5tw)XqSQ58-kZ4rsCBv(Fuw3XZK9}U@Nt8n;% zNG{(qh%79mU3jtOv_L0Hy!MM99kI>-nX06*yUZFcd?0wCd~(QgGApU zF+fV;NB{&Vwvv&&jqaKqf*qgMdCSs3Amq?t?BrkdK440|B9R=R)c8fKEH2xN7NLmS zB87tee!!^s{brQ<8(}C(t?QBBeBiv{Q4 z3BahH&EVt3X4e!WMQp>F1GX5C$Dt$pwM_U-k>(l}FtTYeKI-_s|a-7Q_C3Yp++?4y;y03i%Ci50nw_8E>n?US38vZz6~7#r}72!erb zDuYLM2z;O*04zq`%X0)%DTkxMF~i0hCy{)lC-*n9h8I6CP4ts5`mX?s(18vo6j_sP zL1g2!u3e*M?vk_8iqkl42DYt>2j_PVOE?HAl-oB4KsNqdm7_6F&~*_5J2Zd~WqqM1 zfN`=XdAfR9c;wKke^5ynG8Y$3gkGW$tcGUxO969 zN79K+03&q@o0LE8y)x{-SsLBfsAB2R(u}6947P8xOd%NSu{UKETMO z9K|$#)v9+gabJNcG4Hy9{9TV(waQXCt)}Gr6R`BdF}@r3b_Sq;?rtut?3RV&xZz*% zJwsIdQ_C4*u3vlx<%_=cxOL&&kC-}XZMt{oxARgjNgP~9+zKh$JMFWy0GD-7c?t?TP*+{Z`AfodWsIAnva2At$xK3QM1yvo)WaxW${a`*xRSHl$B zzBS(DUyAgfJGC=@P_@QEj|eAxBlAan;CRX4_=;99{n>E?|J8htM3Ru9A|e&;$BwQ< z;g@DL`x``aEt*a-+>7gQR6C!erw^#GiK<<%4JU&{`EX;K#R}?Q+Cz(K*Y7YK+b1da z0fYS*o96njNlG_67;CxUVxY&@;xfLgs&m`=HQ~`DNiUi#TZ7rPp+79@ywxWPNLME! z#a$oc9_+dw_gnHh$(8Shj+Mh?!0Sb2S}A%jM_M!XsewUNJl=DDt_`o(BCph4po`Rm zLY`mv@&O#_-w1>^FM*OuJo@99ouy^bM3IJECMM}8(aU<9`MMXZ-@$V=7L;KG%#KV* z!Qq3VKywIq#_?+(RE~Ti>`f{ifmp_?=IC!b_9u5D)V{ux)Tyv-Yq>mCHmg5WR)z;H z1Kke}Sv4vG$!d>zpO*e4anUUyl0^h((ok|Te;aL zMx`&t17#nc?B_oW%VNDyvZIfWK5w)*d1y+xg!Bm(l~Mbo-NIoXuibe~Ygl)})}rlo z2x+MFDhpzdLVRTs7=>10Gwc=m!u&j95Hs+1~G#0ii|s zMf{<6$ls$tZf~Eyyan#z7qCF%Ed8*gHL^`Y=ot@JBLTjj=_T$XnfdZfX6d8v!z9q| zS?F-gVRaj3ufRrIg}K7N)#CHZdLCWRUQM^JIS3p5@*1U+;wmc!;1wqg9HQK<4pJT`Oc??=*YevXSFQrTNSX;>Y+b9A1zI;wpQl8t}77aO&# z1I!UvGreP0zJYHO(V``29Zh}-;X*`nec53h1s0UlmFii03(e#BU&q~E`XWazPDqmI zF5O&VL4U;n1$PjVx4}`d3f`^Da6MbgcxBv&%Wp^i$j7+atSz9eq1gB|{Kvl1J7yzy zLI~&lALyjg5-|_f{tiZy${}$VV%-R*u?^F+bCYHPr|>OOw2t`R1XB=TC0$x{DpfJq zOGRkJVhBn8(hkr?>3TuSK*+MSf=2f6tW0 z62`-n(9M-1eJu%H-x)8D$zhkFAt(EuB1+{n;Kt}s9=W-xh9um2O0Xq}paV_g3=3V>HuNmQDy%HXoH% zMpdGE+e*OwcQ;?W2ulH*2XD>(&g^{(o2T+4!gr($h?|u7dQr_Di#E2t?M@5l!2Mh{ zPM`xB-*n&cOWN{XYr^rfPfAjU)b^Z%%qi2B`!!^qRY%<*n|WcfF1pz#d4zH1*2BkM5iF| z8%P6?_P3pkfKdOVJh*pe+w`HdsLn-Xx~uGR9E;-(MeB`9&k>=babT56V~YYRfaAO` zV>YO&0s4V#n{$;Sp6xRU!gAD**mt?+n0+b&CxkT@-I47)R^`CHIR7KlQMC%fk~Dt{ z^zmNI^35ueH`NGgSOVQbC(T=GpVB+IGm4q=YPFTe=s%cuYammnbJDR@zIDKe<({1Y zgCN8whcCndVXtbT>bfsvY@8bNc*UNG!& zhds)4>Tf;%%-^O}Whd>bip)a16X5xs3)Y;BRPK*9&?dp9&8%IZre?WLW1eXvKzE#b)GytH}#^VK371M^FTJB$4jl>RrXx6I09EzKI_-r2R zxW!Z@JT1fT+KDe3aM+ofV5rRj*glcp6Ok>ukOXPXt;9dsVnDge9EQ5b8r=z13f806 zt4WKg_#!pBl<7Ym1AL5wSpRgab1opei6JNg7weUlb(q*(4S$fCuhaoDT2ImWoi-ND zO*$m-`8!4*MINIzNp}ICU@9tF-B`ZFE=cigHL56H~{6v;YdJ7={l#}@vCZ_75%*}JWENceAmP@Uo&`!b1qVo)EcjW!+d|c&kV(M z$MnM4?X8NCORKXOk5qV3J`SaQDMtSQaW^eZeSR#@n*>y89zUo8ep_+Qm&v-AeKm$S zvwOWNggQA4WZrvsOWv-ji0(ILJ+4tWf>}~fjhQPkuNpGl695=#j!I^{an(Lu>6sY- zv!)W(3G!nJWW)&C@snN86e%)V6wD#kJdCah=d6_((oJf0bn$~S_xrid${mE8=szw) zVn=Id{dWDRxDi*od@{_9MAMG$S)56DxVQWMPUEmPP3jG4-`N}s&XI1jtWDfHz$)}w z>rl4w%Q!Vfh}a0Bqk^7S;IA6DRty|*oxhoMLk?xbqo68J)`>Lg3vkO!=mHC zk50rM*cn$$q^pUBh|AJfhuuoLZVJzHSp4wLY=D4kUncz#&8Oajjj(BfNG_xOkUn-M0AWV?Qda~wT4U2FjWp=s;r6kCXPrO$=9JX3k z>mKU8y(aCS&NI~O@#*WPMwD3fr%Gb^{_IMD;YWYmjPFVA6_lnxya(!UxDwi>$1mF>Zqw9h+n#F%vVo>4Q zAsulB{bV+C_?*G#w1LWmAjJTR_y0^l_Y@`0pxK2;Vx>r zVb@efGXQ;6GUk~dy=*x@;Ah#X4}RkPy|B@t=Y}6hj@}m>o;$*EA}LnSL7kd?{JWk|ouh+ZpGO+6 zj+RyIEl0T5KkxCWPL1 z8c^_KY}?-fb?|$!Fzos$w_(F}KD!rFmr7@xVGBx@9#uC$`IEL)Jgzm+OWy^uUv4Ln zOW`MDnrPll6Yytf+ICAzaZT_sysFSGh?$Pssn`oZ`BkYzt`WxLJ!!}$K)!r{Frdae7Ze7h;(%48Otw}R+WQSQRSA-+g$DZ z`p@8a#=`Wbx76iK8@Vl$`5Qepvr|%6<&H**bu{T$p-bV(-%JYoT!f>T1~pUHd!V*;-4hIB+h*Ymc5to3c~axpay+99VMfdTktu$zFP zUyaKHa%)DI+P=ldVaRU_){HTL-C?t^QfWgESJUVe2Tlo)d9)5tD!a?|J-U`on2S9YBBbRWm*`S{^Jf9`V304Q1J-&A4yJuItf2F;83G($O()E&3%8;}01*!meTJu-D=!@ z>>_SH|B46BM~6bUy`_ir6oC{ey1orOPNdc{cCS(Bd;C8jwAxR!cRy;$xFx&Y^#Sl8SWh4>X!x9+-Dx| z*JFay+A=7B-RFG`eD@h0X1+DY`SGX?sM4`RPtq&^#3|rcgkI2w=ThhGC2M*dK;}UI zG*sRw!ky%KRFt1;XKKjvF;;lvafUnz$iKK?DEP$5M36Z+Jq}>+HEaU7Gsu&O2Xa4} z=Z40O)wB^`+~R+9DZ#OH*zA1-Vgam&&oN!QwJ$Vda=CBEp{pPR7T~WV;JXsc)>Gzj z!nff;ZD)Qs`y)I!N2dF*o|$J(^$0rxNRj)(>ZW4u6e`P97<13RmD_Q6w}_m1Rv6iM zIo_$Y{u)kq9SEc~{9K;u?Gt4MkfX-EeJSR`k27|*FKxt*!Mfm#E=k8|R-b!u!=!^M zZ1i1oJKaxbyoTSS+I|2`D@TGn@Hq4x=k2!5=7MdNpPkI-C<%rbV7oa#&K9cJGyyJE zOu6~SU6VeqNA(lyNZoR2yot}}fgmwAGL%*3pf>JsSU zL2g6cql_U$q1B&NhgXp{lbd#37?`3oZ-@XyM$+33?GcGb{4YzKB3jO$C;^77iX~C& zv9TuLFuF03r}m|-2RmQmt{#1CRH`sm!zf8Jm(!Y4qWJO+MS{Ndx#ablHh`q(+Mkx? zAEiVFTTy6*$+SRxAESiv;(Cwk@a)Q&IPQIU+Gf~r_uVT@@&mcy&b_1W*aOJ%qCYY- zj1gpYeQV$22Qp%c{r>a97?B322$@OSe2rTB>HSYE)-VI9eK&7NPulyOP2~-@`(c~_ z1_Vk2Iz912(y+zWU;c`OAAujwl}{IVw0a)SN%Gh&_o0YjvE9;{CR{;)v7zkPe(_7L zMoT`jA_z(19o<4Oo*?TSqE><1XwVCaY#0TJI@+`CfT7u*49fU8#L_HEOmrzq7#TkB zwu7R`KIY{``s1Cecc~ue{kyhuWrEP62h_&k)gd8UG)w0|h3%!mx%Q zH#rLmL9)r0y;?KDj%5XYFZmDQQ1z{N`lq&ww3Ss*@Sg5o-FX(`3;8TU49!a=uRK zdpObkY;P^DpQ1S!{6bOA&yD6vsYXHURli}O2myye`s5CQc$zQoh;k?TB zMV2~*!5Ky{oUtRhSDG!qAaa7&?AAU`7t%1$;7Eet+ZPvvB!M zzo7g|c&m)!Th}=+o%SWQ90Xa0Zu_;p2;DUD6YWH6gZf&uyPYUBfZe}_d5R@I(2bj7 zu){0(2v3wu;tE>wN%d;VKjQ2aPSl&M%Y;?ucIo+t0;T2~3Esm7p|6de?Kg~!w7p8c z5)(3g_y%=D_JZI6f)y(FW4#9NFKgIm8Ajk>MUmvAi_wfM=I-u*&NhVAlr4akHZhCk z5k9$4B^D8M6cu(ia;%3lR}rbe|7hsR!++gXeV&d63EdndvvC)&U-6{}+5nxS&0Y5C zX=yfPxo~>_1+MQY3bVlZJM(;}kKe_}(i>Sho@3HhgwNJaZbynR6%PVh$#0z$vv29E z)Z(6y6+3IcdN@#A?tL2iXn4YZNl}ke!#G|RqvYHIL$+f70HDilJ$KTNsT*sk zH9e^rjYQ^6HD#L`SThzT{4{EvAvq{wZDD?`-Wu|BvQQC`Q@1hXu3GOYNpR} zl!5?rCal##2vV1>5?1jg6`}L%V{NnKJSJZ9!9JG;bH)hmH^)ASH){Ky_vEx?w;3Ba z?O&&&(i8<7C@79ULzI~8svNUb!vo_rPzk;b>E1P?1yJeEs&cfXE%txP4{=}pc&QEKOyQj6PD~Z955a`8Pyb{2;KETZME(3E- z``4rmBlrJAWn!`PW51FT0aGz@vnF~>?(|K{@~P`_2C%Q-9Mcq6;PW@xNzu)BU6m!2 z>@npt9ZwI&br&l90vd@#yD|Kc(}zJE*D3sByiA%tck`Q7WrL~?R^`_T4(T+6ZW8oc zX^U=5lF!Trk3A}xZz+B%zR57qUtmU;k{#iniIv9bnN`#*bO!3aJ!#077wUL2#eqTT zde$Vr}vSUn%FVIuTFm+po(r zu>vvq@5w<9M@nKTh@C-5tP2OR?n~1}-Zs78^ySJ0j1Y6&nX6ueN*brOw}fm-7@lj4FS(9Yjq7^xA?%=YF!y)e;K( z41cufNl4qCBeD;#^G3uATcJu{rZ6DY9-TDRAMCu-zYHFi%)AvY1!;A@$F)7&y#+Gs zA@^O6Ms&_6?;~6{RJJg#U3=VW%i@^2XWc}M$z}*dHcUnb4SwurEq`m)X|r~hk(Ed1 zr>Q;$FRUJY#hK!*9YcG{fRZNCJ5fmfkVU&*)UuH8Qp2E}J4NeDTEI_b-ZhK`sS)>; zAc@{Uh9S&TgUnCFdM;MrylpvL!)W~+CZ1&n!zFPK>z}{45?Sfeq`y*b3oL1v)|HpC z;d6ue0Mh#Anex{&OSMH!j$3P-Jx3{lsrvEIZ_u8LxhNnVJBPE{ zmz=ML{)tr6P>V){Lu-lgHP?9$4`y@g_xdacj_!Wz)4SYa?{b~ejj=`vvs0lpb%EVT z&&?%Fcdrvugu4q(KX)o5O{;UA<%^YiAtwRsbYM2DAe`DdJoEVRs|=xXu+m6_VY+ve zYgQpe`HjR5ik0tY923mkcAXc@2Ob(aA6lDsx$;VRtA~;hmc^l-S6t^&IpFGJKiKPv zL186umv&*B6jY5MijAdB(S|seN4RA_d^fF;;fhu7=8Ai5`r338%XV;;jnE$sg(P*c z&Ns*xsTaH?o9qtj8 zyLaa@MOw&CyZIG%+M~$P1Qd%m;~76;ZXWv~HSY`Coin3)+|Wp#Ioo+AT-JTEXFW8v z-HvCuscu2K^i3vRIiVo7#YB z#c5zYA$O+HYNK}_+`OoQIBcYXaa&<74iJ8ig`mzACZUk_gxC0FRU0 zM)+foCAGV>$!p4ffnj@%T$+lM6q_IvwN~)XU5#EwB(A|&B$nG~jouMx00U!Rm3Szs z$y#e~l@rG3=RH+3x;hH*^g!Jg&Z+~ClacP(7W|S*Pl69X;!12BjHGZtXxU>C=sV1%ZiWNW_ zFiktLpa^p~HWrdSwNcuygjd=hhX2Iaaqs_1e>9r;cK8vJaoG13JMXw@?)hmSk#m9T z2_3;=!oo*LNPK=-4Y_2Es`MA4@d|n4ze{*mF^Uz4tmAqlspFI}N0hBv>lNRgN%3mHHkgtKK zs^sbGR!B8_qorEH>eIlUy?5l$e&=!n#sWQ5ZnV#ZSJQ6;90x*?XKZ%rRYn{QNzfSg zd$-4D zp-?DL!HU*#s3FCIlu}x>Sa2v%++7liw@{!IcPParSb`Ir;_ebC#U*$kA>n&?*IwT_ zdz^jVwa4D)-#LF6g9M(;IWy-yZ@I4PPD;OTyIJKtJxpKXD_?SvKC#@g8>6x|bLM$m zkH&i+h(CvhH=J=rh6A?}<%CJaP2HNkoJ=8+x2GbuHsen}-8kfdJ0&E%f;gR7k3Q(HD~!g; zhd=71B=jEQSK*+6^>|m|2xxEnkJLJ&rGk~WnbgCLsv)1A38%51OMTIz=m^nyGCt(Y zRJkeC;23>p)1=}`FZWZ>7=|e?#<3NWyIW+`_~In1`IM&<`HWy@K5{uVQbn$QKnPRa z{;JtI#Jo7~;rGTXCil-OCA;K-A@@%*)5##GucVSfzPc5`M!p>WTWlhF9#u)Y^Fpuy z0XzS;+4oqOVdBHr!q{uZQe(W(emvU_=CeGjbBLck^%L}SqFn{)vKx5J(VX2A$HgY0 z`;&XXF@&*wD40t}lPi;AZ zcI$KbReM-X+wZh*ujZjYO!nR|Yp!zY9kTWNkd6;;r8*d)csrEKo%`#` zK&kTC65r1NMaKI#L5*hBXeLYV1ts?HHQDLT=N4FLP?}J(T%~gl_%JAHG?H)Rv6(nC zQ`*AJ8)bM6X`|dm%{{?d-Zy7!qO+LKm10B3xeRPaqD3^}V#fW4F-KKQXT?|WKQ&X_ zR&~>HPpd{PYa)L=XpFu{3inU8Qo&Sff-5zdp1=Rskxz#3tv4JIiF_rV^HuigU0#3; z+QKT`+0YXK0f8o_(7))NCXttlB&16-nhd_4e0yIxtjTFCemktcwED(dTdzea9t-24 zZ^gTwiP^h_=nzmz`t-g!gzG^raTQJ28*qXp_vKb#E5v3$kujd8KcSPN05N;{58%fzB?3Nv=y($BPXfP@B( zbfy1gy6&lg>P9LGQ=>2MDcr`YvM;FTTLy8_h%64_)}ymZWBXO}YoVTUmLwlpR$K#H8W0~M z#l8}bZo@1((0uRiu)XaC5?K*}BA!lLOW08`97wu!0#rN3M@B5fnx)V3+k2$H75j_> zVXBB#QyC0?xtXo|!y~Md?paw=QBKi4QF&f1ZRs|8!H!3F% zN(6H);j~#(*WaWIVQ_!uccpV9+eeW3f-f|GYZ+RsQhU1Ty1uTq^<#}2sDGF?Z4EnP z>4BDc_}Zj_*KDd<-5BUhW|ks6fRdV6OEK+#~uTME6_rryr zrnfRP_?Jlt%9XYQ3E=sjocun8;Q`2=O(RB|^n-IbKtL%{UfN*@+oK}CBac71M!L

oo2uc3T(b+^uwi&Smf11o+;Uk1%fE@nu6PFrpVlpbj)xqa+*(@fTU+*x!R=K>$YjCFSBMoJVP<0m} z;T4)8l#LsbSS~$HDf4pV;PLBKw81&bOsAsXjN~fO1g~ z6+iDYz?r~Myp;8k%ZGjS@)Z(7VWxpQ*#@tPYyqbjIF3$Z0VtMnj<5O_6Wq z(!J?70Kl_cNH^}AdrYSQ?pn8=E!TVJ7{H?NRv?%4PhQ|a1)+WUaG}v()SWl+Q%|Fm z0V&BhjWCBb!h)fgh-Lhs=NIWVO+A4kc>#RGKr30SLA@(AU?)bmM16WSioJc6X}~}(m>FACqf02Ss}TgpXGFEf;Q_(NfF|ew@!uClnG$zF?x?dV zkpP7_&9IAqTGh-Aj7g!fvaF!L@p9)h7RlcN%LPregA~V?)}tP-FbH@=YL-)GRl+^| zd~RiCYV;3uM=3IBX_?yDQr#o$2EBDpBorL5jN#^?v;{M&E)?KN06&~`J$U>YihsW9 zeVUC2tnO*v_s&?bkWz9yeKpgUn>^E-9Zy_l<&~#ZdkEoFc$IW2LH@%7hbNbUx?SQ- zS870IYnL13RrCtt!dO%aiVW&ZPZ~evYPgqwbY*E|1a)6)ch`quDjp83?JegPP`%(% zKON13ab6yvADunU&$1*emMvCZIF#uo_aEYZ9QZcMR@!HH9b}wiNBGjLnDMB z@LeW6W@~KQML{1-;i2ox4Z9CO^cC=`|LzVd8?iTmKNByT$w6Yy`h8zjbFgQ)05E*AGXiaXDq zBnxMxR_gUzv^Z2cjI6gd7cV)CEIG6;tvlHa7hAMN+D#7jEk@oLZw6_$etE*1b&W5J z!0qKga2J3w2BwHRSrM}WYh_tntp_WAy-?sAp)L4KCJ|d4Z37r$i(q4PZ12ef4-v6F zM;=-{1&M0nN|a`R5*Nxv>ZjVduZx9od`{qRvG#qR8+gx^sEEkSXD+V#+6j7m_$yMp z^Fjo#4*cO?L{YgFmp~S1JN0q(U?Buk)~j>Zxqu%<>&7;0lM8KqILP4?YjedlG%4Qx z>wj5n=Y=YEljO`N|MqYH*&oPKiNJnkTI(6npiX)W;pPAN@AX$7ObQeJHG=5Uv>GYa z|H;SpS3mx5-$;AViP&>y3RtJ$sDJ&L{n>}}SKn}K4pFm=(icX`Km6|h_g})2i2%H7 zB)I^T>g9-n1gA;3@26!a483Z=R9t_??)y9WE;wz%(5rp+Q#8#e%>~!V3W8Q4kJNiaz_bJMM~kn33030A5@ z{O~7&Kr%zisQf(I&>JThPq{(s39jvkk>=(xpsw+v0rF&dny`H0ZVELk`!CW?<(0Hy z-i@`s7W?(X0Cq-BbpbFKaoYX*t}MBku0zBXuO6PL&2ljNs9tl)LQT-Va7RRkvn=5^ zY|@-ss!4jBcAy7Q;OhfZ7CLc{hX3|ES)Ncd&hKspIGRzIADy6j$c3DH5zHDIghgBNq&2Rm^_mR zX!vbqAP;I z_1i1fphKTTlmpiALnKRLmA0{cOR92~XT1|pJm1@D(qGVUA9wR_BcN|*QX?VF@8siv z*()a;UV6b($mA6fz!cHvY)Q^0woY8(WX(Ce3##)lG_&jZj)*pZ0#MCX zUI-uKN>>m6pdIz`&_JS#)=)v_0V{Sk2+}79IR|`CAas9 zcNiRsUCn^z){JjPFhRLpfTi-%m=t|b(()vq$GflS1(l1@IofdZBC0#VAZ)(%x+eV2 zySpc~8{a>jB)Bti;Aoe(%1fxOuSe#3K&9uf<|{jo(q({!7x0E0c0V!<}XyDjm?{Q)sbB@DtGN0O zsx98+RXqWxX$RSV8BK@0DnO@1R;w1&B-6>5zM!nt-4nFmQK+waWj)wL;dysFfl7Q0 zCG@sV`ww(hZdA7ldmd}6?y^yF=&)XaJ`!zhj9>vgU}Qwq$$XF!pU+2s=l8!y>3<%l zG+oqToElw%QATSZ4=|*+7CG%kQ#T+%SoN+WUV_pyq3l#fMzz_jTgcr2D_4^Kh7&*vOiks_@|z9NTZIFCzip8l2-+M()obw*VXnLJ(V|9*&3CkO;A zg&FKDD35kbu-Jl&pCX9d>=`!PfV=}&3MVc zWYfhjA7voM8~}byqj2ot>l2x|$!MD1IW%odm`0b2Ukkf|b@@KdSqvh^^M8BUfb%NO zi~`Od{GCoFIY67v9MHfydFenR-AG`DIw#)E;k%0zp`qh86a1y^jn`nh>L1{tHWl{| zaRDo6Dlh12E|2`#?b~E)P^~9|u0|lmeH>sC#l7B>kGSX{ki)EcEty zFIiHj`M%}c@DZ7?{?!K;)WG+0_*14dV;#!uW;g^Gz|8)K8`y<|+&+Hm(MwZ%@cDY`0q&5}+>ZVx`WnTjokJVsnXh_Ow zBjxSynCZ~#=xoOLFUz>Ibf&!#iYQI{E@rCb`ftIPR92TlFIL~B=gr^6!=jVP-X$cA z&RqJH_qYQe3Zym_Fqdd>6#yyZd+FpB>PlB23&2IGQceAt&DBo4nodsu>e}-bUL9~C z=@4jXhIe?wyXs3?Gxg(>`kFXbM!pD`e|gMNA&hD~7}1|NM8N11wFN2wwzcn`=qVTe zK-~uq(1iQ}s8xS1m#t2us*hXIfhTFlRtg26m}_~1zl5MS3ONl70oKKNj^)SP zQ~r@-jrQqkc#k7X4tF!bG`zTMmksQm8NA@;#oSmHo;9loaR#X5UfmLSBxq-LT>yif zBn_MH5JdEL)}H-vQZ%d7*Vpi0Pc$d))yb|pr>%izjOY@`Smpp6Yys0MXfsm16tpy? zu>xOPBH#c?nOWw+M=~8qEQ!SE)8YuEP47vP{fLA~_=Qh8Io&peBUWvxP%A%8!q@f- zhah{@k6*@&>lrEeE#h>v&v9mrPUl(EKlPL&KiW~jBqR5zwEf#wxBu}+Ot7&LdBKyk zKj$~xathr`I?E6P>kO&{2S9br9?4>h7vdlYp^YYPGXp@QVP*)70~pW_!x{MH0&v+T zP%J^SueY=e56*F#H`WK(!5(-_H-H6gzx16HaaSLe+ge@Q6DE~}b;pPTCDpkGxAm`= ztx+<3y#}}hz#~<44MZc!{WM*O!gA#OgUPS!xDcE+k6%Oc8=xR&+DUNz($%3#tbcV4 zsh%D|xOV1{@fFZOJMkt>wln+jmO2IBe)fU}pNA-w+f->=aoq9+vfsqkA<8RGiT&*Ca{JEN!{yX^|JR_7;| z(m&@<*noSjGqpC(`|AW*ZSZxnWgrAQj}t$V1>`1$3KD=Z&e)*>Q?G9AVW3PfwE!vZ z_+Pk85}sZ`scT++@pMbZs6`s5<0R+zufS+%7B)a&aJeyXhG~7~VT;lmP!` z2M)1mXwi$sI`izpfu#T3F}O${ks!P#J%;rhdZAF1CJoQL{Zoa{-XA44OYjZB@fnh6 zFmXh(AL{B~AiZ{t)A06p%=wMzwn@fD%uL{=wCnQIm*!N)`=9g5F$IHMX4Km~8Py_Y z1)_If?l=dukY%V+_G3Z^{ zW%4H$d{P1;WK_fY+r(CaH2^=o1%(r<1O$^>4|U}^e-l1)6LOi&H6f;qH}=aNGzkP5NyrHbJamxX+$g^BW=*LT(D~p7jYN(HUYJV zEN6hfr{0w2E&1-u`Oql-BkExiB(9Af5?lF@(V*AzM=qcY1CK`g&W~yj+}gU}1i)xC z!>vn4fZxDxHX9c!=>sXks&>!EC;Lp+Ewme!Cf}@?tsb?uGh^6U|D%v#2VO(^-KBU+ zzsN&%DN_$p#u9#_3M^X?C;!6q>r_8l=2D6KzA3WkQC>Y5>8D5#znXAEjlS zif-V0D_#=}+<1k$%NMw?9)fHTsXbl@rbVcD30ezFDZ(HeH6v`+E*@f9y9^hcH-C|y zjwW3<#1lv{uRHXU(4aI#6xMDeZa^KVNw``-67nrFI%*)7`P<_cXyf25?a{ibIWGrJ z&-g>P%{RzNLON2|0!$xF3(Nde0Yy4c-E{uywg)JA3_rdWdxa-OstrL`dxm z25v?)7Y(>mb$v&Ms-SG{juJ#?a$5T})uy@qhP|UTl*C$OqL_Mo2QSd&LinF z4R7TXWV2=FVQsmo{VswfZUI9dSgmVH(sP$+o_d>zllr)2^Rwiz+lZ@j6)SF&a`oZ0 zBc|LAH!o$*f@MXoTbKP#I2F@G=zVi|Zr3f|7+nyvS{=n_R(1olqV|T({68L7zsFDe zUL1?u5=pSS;Bh+OXwDemHZ@HW^H!d5W!?8M8cC_P$Vy@G*+hZwAgseWVS9*?6Qa z(?C3>edM65_+}sNkVy|!!&)7X1=At-RnOT3o%@XR;HYFWM>ea&*TRjw{(_f!*vkFw z=T_^!etm;D@XC^ z@IXDM&_m`V5#&esALiMBUs$S#5YwS(P49i7QN>DMo5EV&$*(6)`n}=)30czBzRufv zEAZyPpkTE_NvUV~M};s7D$~!@h)2ffB<=(|Ss2gUX6#>k{!CJ8VpZj+;mB!k+8!I) zyeDj`(IOBaNZ@KBSc|DQb~8@81BF8M#)KOHHT<&WJVEa2UDmZw(uM#NpE3?r?{X{l z5+}FF6kH1zne%a+Wv;uJF&zY#y0K*ucmz}>6jmOthddJ@&$2I}S`Tx@07vho(H7}N z>bDmmAN;(eiW^QooVEkoj|&oV(60%#0z0@ikz?w8gas~qL-*hfAz!n-0V-y9VS8c2 zNgwQUurdg-oqCT%HUropo?EPzB+CFQws-*`&q8(;e>=tW;~`YXGWw1+%VLb$H+XxL z|LVV99|Z#N`Y8W0oKY!;sy|X#)(Lg`UsZE~J+#vKpmtMgg24vd9QCbQgzlhLoEvBd zH2goa#m<4gXughmT&Rv^pHAVmOj|taYE}i%Lu}&3IM3?_y&3?9tXQ`+QEIakunJ}Z zRS}t93K*FNHgTMRpDPiP$Sw#0?aK~{n77agvd%YmFwCL!TemzyA$Fp+-iA6doq@E+ z>=_GisJfyDg@Q^Lho~65i%tc&5SP=ipPz=%XJeEmMUxsN25RN%^8ABjK#$p>&yLc zxGa2;_tm|)9(X~V1n&>v*yZAchfvc@1xRNwpp{sW;oHti#OxTBU((1TmyUmlq&uT; z=GMuO4Bj%WkQbmJkGtg``>@V!E*m-6M*}G={2wh;s7qar(YV%a5}3-=A?;-VaaMyS<1OBq6OSokmXyE#+OjZ$Y^B z$ELK9<+X3*GhUA9%2jNJ@6t*xgkR7Eg>?{&k4i>v=O@+#S4~#Y{38-bAGl8!yOMIW+OIzMsbQ&I{X;_-``ECbSs+ z)SkZYzj2EA9NH*{suLbqmR15y_ns`c-zGI zHi8AZ!6YR^E7hC$2xmQ>doErQk~-C zcWzU7)_%X-r*DK=!;zhdCOG6uMF>S_{+XsXB;8Jk*~K*lk#*dQX6#)tWtbQ|6{xGI zaivt#w2qDByN`>g&3T3Gr84if1sU~!unf`|zRJ~1IFd#>Mfe?^vhlxJ0M{%C?vRBs zQjBZ;X#euftsBcDUTU0*&;sz=p=hcr9w!uiJGDGgcx^t?NNU0_yfDj!ttIv5=}V4` zaXz{g|6+4RlMv0m(F8D+*L}XIEcS0;WoZsC?Q$FocN-g0kdtK({XT6J&Z4(<7!P~q ztO>%IeJi@iYyoQ7FRcZxvAF>R3$8>O)1gg-_l46X-+9qCV5&YBZzpuwCtIl=tmx9D zA&XU^nBtLd`l}20*DByoclE`+0~<_XS!qbmHPM*zM(G|7rmDUGyn)tHJd3ytC@<*d zK2kP4#NkjiSpE7$kgV>*nY z&%G>mQuIToAO4drnR(>(_n^)aMS?+Z9rtVZJP6~iFqETx#nq6~Mw6Dj6W3I7PO3=` zJo8beNWpHUPG0x}0I&QxX9i$cRa-FX(IH1z2%D|&>=stcAlEK zN`q;DR1AXVhuy+iSn=Kk&FfW!*H&-4!S?uu_|dAInXraIj3OS3n$ru6&t$`eaU3&Y z87@0*#G^y^P;R>lSg>BB89h$h9kp16lfhJDMcCuN{CfBDb1+%rRP_Aor`wrX2Niwm zoHD;%nvBV?;>9UrX@+!z9Y8*E|InwB#C@^6v>9`o;NtFyAO}@p_D)+x6QRE30{=5s zmK;Gn6nYhIxW(~e-%7bM^6M5;In`X7Y}bj-*V)wSP?FoG_CLvN@&N-YIU1evMB-2)$y$=+s3s8sto+L^&7o@G9^$cm^Y9`jMyV;8Eks2@rQQOTXSJb z-y0JqPT@7e-qpiWn-mT-b|-6u!E7U!+(G{$$A&SrJ$&T)t#2q!rTI(vujs6R6#j+Y zJS2SJ7H!$y)Llc}zI=1)#u8$_WtqULFK}29N-AHi>YTfJ0 z(hY`Oi=Xf*ZOkZX){Y&knZ7h>+P`~~r7^^0IejRp*`#=Hkw|ZudBt)5=koJA8r7h= zNwcV+HKIs5heKuY6z8G;IrJxMc|?Z?Xy4xHQ#68-E$-^M%`X=3ADjSyS>%meYAvwT zwncgd;*$~^+GEYW{kHWC8id~-6*l+-2nJwAOigGT`}Q$DY)FLPGy!cT<^fwLQLDx& zexg^G^R+|jKbX=weuPsyXC&0OC`d~tZ9nF6@t3%M0tl9y+`RNHU6h2|ns4owf(X=4*=QgY#*w(0#AV@I3h8qC&J=(C9nXpQSFh(+TRL>n!6@ zgt{{*U`6ATPWl{K6NvseiuU63GSd6WDItHs4W8MX^j4aXkOulGaceMG5hr_~TE>@O z1%}|W(cN{jdPI0|@v7pyKAHo!gQbAND!ErHKcU8)NDCImhu{{3)U9pEpl09o`VA#T zq6^8*@0fH-s=9+9+laH#-#S!QKm;_=PSvoWt3%)ednURa!Y@nI%fu>emV|-bc=Cuc zsAbE0O+m_uMa`_N(`|PcVN|Lkn(;@j5{bDWT&LND+9H|ddJwi5zJ=6 zIu?%funtiUr|j-FL4MBFb_AIgqE%1gj~S^0eD9QG=pG9#USwiu#M$VK@yRHm45kRo zws7+H1xE3E87)XelsQddFdebxXpXL!R#Q^BJV_9~sXbopp2gH7_FrzC2M7^9w)3`4 z9X&-oWmMnr7_ro^ndi|$qM=+K?9BzkuYE42+1DLXJL%*vX@~@`bm7P{eqCP3M`Wyr zUvJf)EyrKLZ{0_}M8WMfDl{wm@Z>kaHKe<-bKXZe(~LS4UIte+z)kqB`D-m;d<^{K zzI-`COy2htmphqyYWreau0aooDBrxSmP9A&5sv7=w6fq+0C;Itm7W zd5W3ZSwpWsgVsN8m^Uy^-KMvLG~`9A8qY+HPT{^J6(3=}A2mmx%7oE;)c3{vfaIqyPA{0yt|K4Z=CJCm8MF%*xy8sw{qrus@%9&4m&F2vhp@A za$BHr4HV`4`eDX85G8`PZoJjN>AT5R?_A>G{sDp8jc(np1Ish~$5hP9|-oi_u> z+2pL&4gJDLPXvGt6Hlsml(p3u$CQo7_*v58yk+f{EePsNx*g=!A;cYy&iuef_((dOI+2t4*qqs$m@>vOjlp zSX63(CTytBu$A6*>rPbV*NLV+vY!?4t=d(6Y(9RQ!9MhxG0akZ{G4m;vllD!_L-Ww z&4S0fwab_iw@#?^s#gW|wqzzkc%!H6wDx22Ty5~4D^r`~OaQfs``8`WqN+5#bSlxj zKiu^;tO0sQ`~r1+wP0LXR}cj*fpZZAl4`~dtfRSgJB9#1DV5BF+d66tkVQ$Sc9oep z-3?um)6ZJY@UhLJc5T^qzTHB-X>io94T0RFN>C*1SfJ}i1r5~<^`40axSaO|IUP%6 zV%?^K=uk{_H2oXL2Gio}eBIdf>I|d9od1jRe+3xfLSKFQ74HzE@@wV-l`HY2g<+?y zbbq=O5^GP8rofHg0>C_aN=u!m-+UjN1^ZaDpyrw{!z*zJ1=Qi%mnm7j^=gWl4)x`&U0$dAjkx0nDp~br#2T`xC!B-$!wht8-@I^mp&%W)IUS@1poF7s*7=HT$q76^x_Fa?UoBO+&fwl+go0Bqw^xF1z}5;c zWTzgj_nSI6RZ+p60TAH;2->0&!f&^Ik3quqGSE_~WgOq>8jFgOg2kik-^(bQvZ;>Z zn|*|lc5tABDk{%DaJ3+dR;B@ubOPA$W-)mpMR!SN=|JlBNG~-{@K>sfPG?hM39>6bBOakpiQny~^U!oto>8}41#(Xlu4yK}wMt8s+;KQ{Ge`Ze( zmiPG&8ako8jYr><6L(GQ?xz<-#_kn^Pjc@ltx0Hs(dpjo=JiHKF_olCW{4|?P>OGv z*D#38d;YFo24&Ac=6h`&Hg{zEI&G3}X>5@9-uFmoV0p=CX~y@52}_~f%N@#6a|SaU zdd1mz*%WtlrFQbrb`b+wRneCyT2FO=BB<;N;Jc&3*0Nt$JpfbG&ufYmK>*vQI!G1p zD|S`lQh=$CA_weVsp#gDzxweQ{XfTYw6os_m8f5Jp|yX;!7_sq?)IGs7A4r}afENZ zxOcdg|A8Xt=X*q#A(5$tzW+PcnRE&PmlvyQ9XcViv~Ku>-;Ub>S{W1kgO);B8)5or zo&bf(G^&bBak32Oj_a1!jk1$iKKQHk^DiSVm=QFF52MdEZK=*vFM~JuEX3zGde=!Q zX9;gM;$jwlEOvR|6Fn4lDCh??{(l!wgDB;0Qe?#$!V8AV)Ar`TgpY|j1ZvM z2U4+Z+zn=cnf`iC;Y7uwCx@-=m= zsF4u$C;weKP{fiSc1X1AE^)g=dBA@<_zMDDQjwxUoF(3)d41%a!=Eh=wkrLoP;y86 zG@B#-OAID@waK>#O2WOjS1p)_lq|L9->zJOUO|-ht?{-_av>c$?@M?}gsZ?iH|H8B z1rgcZn3Ao=;mfL*o~d@Knx-JCWc0mky0^${?W?t*$};m4kU18we+>c{xGOv(q@~0I z21lnpri!rb;Mu&MsXqq3&`{}5hmB9c${V^_9{kmpvY01LSbRa`I;7yXX~|K5H)-DE zErnAF)UAuV_m-{DyX==_nNv-J+OvsbqQMKA_p%zy@EhLAJR(YKs}{+`xhCAhAFhm6 zd_`S{AEmfwpGVUuU}0j6@~ch1&N49Rw7m3InYda7!Gav4^wA8d4!5{81%^pv`MYZ8 z8LF`#r3ywpqPdmB_O+0dQ~#YSRR3qL0P77rlbOUuU+1tuk7QqLz%>ZdT^QItW6~NA z%DO3#DFny-V%ZpWO`|$!|BBp& z#L|kdO}Na)%YM`8r!XK3*(_iDtY=^h96);-0jKEXCs|N>JH>^R`6DAsHI|t7d*5yp z)~b-xa3>#R&oakOh~8uu69R1Mx>37nKxk)idY12sn~bG2+Ei7!w8Jjp!rNh3OM%-A zDwH+NZ7O+SyN`2W(#_Q`uP7C?ls-+jsiXED%NdrVG07|$O!kRzu)y#y9yJk`g&j77 z7Zq#QG1ysUY*gsF5DsSS_$bN3gJH?qAfef=>pIy_#`qMq z=<_RHu9-F!)j5ZkrqVNxhoS}SA)WBs>yP|%E?!cjB?i697uA#CDq~KVwaA&w|G;1bJTMygjo_b5+)X?@Vy%DfWF2#eVsIFC^a^pq<=|ah)6i{JcVaBg zf;;7Cd{F0rrMo_+^k;o?WCI@H=-*R=ZH%$y`N=G&*$zxvi$5y;79rRL%hMtw39PLm zJ5iJsbPPQ>4auMw61~*joiLw_P-g133+d~-{ZC!PbHYb1NTDL7_<~_!*4u+$EZDU? z@9i&hRRJjzh3#D96_{p5XHTzy3c}UjI4cRB(cwPvqK#F_5RHWpSUL66VEy^dcthrI zK0V7W_I~d+fp3?ytfl)qaB%aUYCemgGGKsXVWu2WY`R!kJL|TmCC~UjCIS4(Htl7u z!1;)PdHIH+7v<4=8(>f#&l;G0uO9UhFw&s1?1cm9gpin`Uuw_HciE9&XsA>iu_tbT zip~>sGm3~Zr}L|NEl86lY#E-)ym`M!<5vL@Ip-gkF4u2BR`G{nh&Y#+;(pTg(@&V^ zoU?=?qDySj*XX9MkFj7XL>8pgNm}SUB6QE0_3xA3zkpwT(eS*TT@)=l>7-$-V5R6n zq1ci{)qx|!s=X?AX=M+EyC~URNM?rKc?8o#mVjfg)j9$)o1AWbM&wDjlERQA!~9Wne{M^p;h`9>yRqA z4{)}$UJ40b9ZRAHNLyS-i!Mk`c}*<#Z7D<=)qg`Ddg(jqU$7vDxm;gw)hW#z_O3#E zM!hv#M#S|ja7S9&0{eVzwfU4lAVnQQn=6mgkv6HHBR_BO@Q;!FK$EBc z>K{@c&|tQbp*m%!W)K+DF1f`QSXPXzXKa@80Uw6_1LQo5!Z=w*Q33n1XE%z~ z>~1gRs*!YB``0Bl`g@>;JVI(XOx1MZ`Fab1xz8D|1%KNW1%m7f5W~wXehFF>nPuN^ z^U;2Sy}UIxS~)C?PAkXb#BOR!%fELADtBc@*B^ghN*|}&?EQL0ZS!2itiD(=R)zN? zA?Ejet;$*Kt$*bOz;EzTwBB7>#3~FjaK`dDrUyeq#^ZI!R_V#A^$yZ#qu9^%c z(3IH#6}weL8g}{i;c|NZ9Ca(szll&)O^Hai-%XI7UrRSn7j29_mTpjt|FR@koq=HK zw<0$&qomFLh2m5d{?oY>|1Q8}vf?{sKBa1d+iJMucvI3%Y`Uh)D}h%xMQJI_B8M>} zboI_9RWo0ZHFU$Y7d4%!NBk%FQJFyunq8c*uhC9@`}n-XZ$j} z#ez^f)a^4LLUfQ*`!QvTEk>j`4&ypJAx4IYXR`36kT{BKuAaNquD?)(q#c}Jiq~~s^DK&a%q>%>g9I&WsC*Ft# zcV`7f*=&CH$^0#s6tb73gwCBf#7RiM7^~r5Rk#v&0%kC= z)Jm44BZr>qOx~IDvAey7)5>>g#iNs`iX?eryfYHnA( zGylZO#GRAUiv>}!9hgo?F1YT#c?cMhk7me81vy3@aZdgYvTu;J-0q?;3GPEgDUqAb zUn0rx!%$Crd(waAev?ZftI={;e9lpM@;$21cPAtYxFT74`P8|0MJn#Mp640)C?zH5 z>YdN9hqzb=6(|zM8I4#e&V-e3?3CRH1?i1IBZRd91Kva|jgqY145-uU=!x*HF9|iN zq$D|fH6u7sP%7h7i-V>4jcS+w)UEce4lqx&el1hlG(Ka~6)%CeU}cpw*ULZ2C=cu( zMNIxa;3%i`*J*;*s@^F=TcqTgR1sD8=NM838YA4y_OI&+&jUUxVD%u&J`x75(;Osp ztzUh3Okz4-q%VA|Kg8m)QM7MR5uYu90bUfA*ILtARKk4mFH{j3>wU^Q4^RryQ99G# zq*@TB}_rf%0CdHP0&|{-&Tw z$IFE$OodAi0~kb|@B-=IPgjC^GHjNvryMj2n9FR|be6#k-yA*S0nkOki?@Pg9~ks- zqR};h1aSY?95vAEY;1t6WtoFafrg#@f;~SMx4$#MMY`{2{i20$38btUfe`B97w&bk zZLJJFoYFi`*TJA!IudRfB@JU&(fdRFidWaZFt~2K{evIey$NW*%f`sslaEJ@TYLZg{kfgNNuRP($@%F!%QF>%;8|71+ zzQ$qJPD--xQa8nZ6R|;XQvYR98s4`gDDRg-c(1h7hfBheDeYkJ45R{cEQsFP^fBbt zRPXvF9nUuu|D!dB@$WT3(yO#4IH7L+oNVLiRlDE>kQWV66#5A~fz+=ku;M#%3&!{A z;Fn+sW^UOtgxko2#!Jn|zde|(*q&jjf52}j?QcEcS=s~ks%rml*<&X64wDTAi{iKo zWwz{VxNn+YQ5#8-q}mg&L7`xYQ2mX|qgb~x6qH+8$Z_u)|GY`0^__5|fa6J_y1^^5 zW{ph}8?D=Xx$5wrAHbCn{NGnb4XR!8be-cfI)ukKsOMSAUw=8`DHA%5v?PuEr5Ikq zO{~6E4m%OE400Sob6e|7~Bn&}CGoj~1 zgi#v7xXNLbM|p8#oQEb8K}xr{8M!Qm7NpBvG;?{W?OuesRzhG2QCoFfW(QsXG?HYq zIgBT*3iX)6yzsS`h^a~!m zaJwAZDcl!vDP{JT+ReQS%OFNXpTT835-tgy`yvn$N6cGZdN~dd0r+a8eK$7{qZPj* zfpypYDbZ?P%T0dJDq($MA{&K4jX>h`{8j}FBD2iIZuZPUC@V|9uuOTMSDH8xX`e-j zOnqI!<9{2#&I4PoA#HyDI$Y4abmb(xG>nXGC1Ow!RLdu~Zm?>Nz6|msYqIIi>NXUh zs`hxn;*L4OUac|Vbjh1KrXep(4&V$mWnItao1KCUAeE~Sbvj5K0H=_kzwYPIEs%Vm zPhd#xl8gJETrZ`MfMsEa#$U9)7y?&Mj$YC%RC|tuF9XX&iH`Si3wV^|@#7xYf&1*m zlk>BGbq!D3YK#EUhfGnffo;Jv*Cycf61?Kq%cbhouWYe>C6EG8jeABc_%;xgRqy8@ zsk)Me{dil3Pft3#=eE>oZJYLMULEoISXy22&%{hYZ<_5dQM0ZmNV{{#l+ea1&5Ewb z|2?MS*Lss5g-;51IH5yo_J0rQSEIgvcZ2lu`XTU=qk9q`_iEw{+?OIx{Z_CGO{Oq4 zEq1?I@rQ?MyY2IZx9W)V9tsm6EV*ik6uS?daKv!$J zz%x~hYBJcVyICy))&hAua%5WzvX;lWobjnaoOFASyiV!K#BZnc!V(~5W)r$fK@+fS z6&jgY6OM|DI%4u4vW1B9e_xo)|GcK`%dRnE!%6<1ZlQp8OOkO<+10Pi;zV1xf47OD zU+UMmv^3nE^q*Ux%-b4x=@=-}IntO2=v5U5%b88@ZpXV0VM?Y9{{@L|zo8^^LqJZk z@o>*e`?K*s22f#hHEHcyZF%uj^fHNTj?h=a-q$`T=as1C>)EX+1XR`c(KS;A{bS>Y z8EzWaBm%1^m(Inwi-osTby$L67Ywx)c%xJCTJQ$A9y1NS@nO=vC;^3c1rr_t!Nu0U zI>zh2EX%QmiC)U^AHN4DG4&x{@s|tQxI7W(Wuwh1uESxi&TDcQ!pfP-FbECaLw*N_ z4y^;acXI`J*Ojy^$bv%z3?(@!guO#Ci{{-y{Ie`3b8yO?-n|J^z8{8-3hDQG!byd4 zta-VN(VgyLqjgaa`#T9kwkCqA&GU{brp3i0%>jjiU{>#=wz*ROwKhBoF#-k5Ev$fU zc%b6T8S%Jk@N_=h2MsBh4PU?MH_#+8mg+oNkm_K1F7t!P1t`*KRT2u2DPBqyLdq+W zKRD!)r{U$b3vh@eK84T>rk^2_q^Rxv%&6v64WDY(ev|6p$cKF`3nM!krLXLv4vGhz zt7;x}%F~4b0pL=c27qeM!W-b=!n9L`P=prTYk`^qc4BNwpn8#Re}iiNtY5>ivK^h&6*fo54MnS=_2sTD&yxPGqnYkn#kX zGy31Z4F-)4wfCI9ZoZZ_tZNY0;^&%KV^(!rA2y!k?#rMOBcw3s9N*RI`yw=2hYn8y zN?E(D#q0rMqaG^i0B^?%<~EW=NEu6`>8*Wt4VJ%lI{VjCG}IcCEJDOBud1eWVfn!Q zcu=%e>PJSxr=&D5ikQ{&PuIec3if=f$|}f>sX)nMG?Z)qp!e`8=2~5OI4rTxbOd{` z>SLxR-`HzwOnx4_c<$%*vvW?L3jqn20xH8<;{B|A}&E} zAe3)}EIKQ^h0;e?IBf>h<}lLBk9p;%uloK1E}0W_)1*jawQqCu3jC9wM^)POFKbE2 zA_#&fK=q2or8n~yC#bZRK(t(u&ygxyX}#qd%|bh^07i!~XktM=6c&iA6&U5Z5tR#* zjc_HgXS!C<6)9$9G6g*MpWDIUN%5!Uqx#c=VH6ptb_p^EtCw%V!+IiH(HK=0Q%vh6^CD zuGgj+ing|Y{bMB)59V<52^D+CL@atCcN(`bDV-EHFFSj0QjdeJU$Ac1Z4n8uSDwIr>(jnzP2k zGcg2!ppvVPx~7L4fKp1u{~lK3hHA($=XH!N-ta-&8+YqFQ!(4rOJ8do*t=f$IcTK{ zmCP1L#Kwf)ORiEXzSs?~s56bj-^7<7UK94Cu-($EPh#lw*er3*zQHBQOn5!~E-f`9 z6EChw7vBbSmY8wzqxZN(7^>>7iT8h=IIQeuam1wlVU!nIyI2V|y8APwSM>CECI$Z}vvXVOp5YesgfUDl?)X-O0GBH=JDoi$P1Oz8J#nvX~9D z#`sn)SPd#EkAl6~6D5h0AmMngpWP)zTXDC`okL^JO0^_0ea|D>ZEgb4$8y=>PN6f2 z`hEgu%tY72v=295PtAUJC7wd>iKyUWj$u8sC`Wh|qw>fF% zMaX4k1=Y#`)%{XQJ{M5klZ=!$x4SEUu@HTL*slRdU0wUr`#T5u#s z7Hwv;Y6inkB>d5QgFhDe7f%nsRc!oyIQ)wd+_0SO3hWT&r<`Ovk%GkC;8$^Jg-518 z!u+IYw$iPLWGs6fc%R<>UzyNHLIf@(7W8SBj>&l`4)7`G$Em}LpX%&+*nMRN5fe3# ziR3%~%=Tza(CWb&zs5%=WMiX~k+23EzmvSnNABC%aWdrv)h3)0XCnV}ebmLV2i*M& zzmS!8J<>^7l#X-O+;TjvIJu;R>5v(g1xG^7E%-9~BgKANZu-q~P3cZRmJQ6OT1{B@8`Ak>RYN#^!5!9}eT)>XgNSt+s0fk>TRyJ_v(uZ}$ib#gOPm4q>UVdHPcltnpam7O#IXy>rXdP7!8#5TtdaQJlxo1)3s7l98%R+x_S$1E0}XCq>w6WT}aG?p5} z8Wn9S5=px2d6A*DtGA3rWA_k6J&v4d?Y8TaYdj3X=FC9z`6kw?mMiB;D%d!w6`Tc$ z&?4OD#uG$$b4jjEj;+>1$Ipks!^o_7LsuO56B(wsj$2+8!xHo+R%+4K)3h+X=5DU^ z^J4m86Ee1Pj;KzNL!+Ev`X&5$_{Jh%044uhir>WJ6!cc0UD5=0=t6&K29%30^I%gx z8QcBtEkD;7$HQX*96g%+eNuZnk}kzKZ&D@u$v**!p>wmfO74J`6|vk*ruBmD4_?8> zSQX0>6J{(Gl*b2oh-6=U9A8?JtDgYeJKJ8#$w)&)$cj~<*?z2h$E1gE0J0o!DixFA zA;+GiEC8v@2Jp@nHQEDJ#Ef^nm3UFT^2Ze065xXtIl;Hx%DB~x^5;h+vH#2}8N#k1 z@X#Rke-H3mBsH&=xuTwEX9pG}tF{VP;R+|AK!)u47K9-Y5j1>RbJgz~8o%t~&-5x7 zP=n}-Uq4Zv0FXqD&@44sKBdJnms86T4(VNa4>y_hY2Sw=0u;DrdP7*E4Q1{ZY!a@# z4OyArQC#Q6#TG5ISQz~74AEkW=YNVgQ^7f@E<6Jux=_^C+4h}{9xy@SnK^Z$G@kwR zJHdfzqBb72q2ujY-S;UsjZzhh`-mn5i-@EHYmLS?Ze?P^I`k4MKK1s}-(ep$9EB!o z=*@F0AWPJk+(NVaOqkNPOM+8?KjT026fYazF)u$#bqO34RFECJ{&HqJwMSbyuJoC9 zp#ujbt#0-f)lDjGGx+4Iktz_q3`+v1*MV}K%BDR_5Nz{QxRh-tH{)K2D6oO*XJ~FS zVd0nA1F&fnN`PBbFbnee*(j&q52qBEp0f(NP?`Mdr*^YG|M?k{x9^X9wL0pgDLBEA zzgZ6fsWxW>X;kmOl93!1y(x)wzJ@|=f*886RK&t-DJDwQ^^}RQ_e;ZyX%1ERxgb0E zl2SeHbX)e;HwKRkjJB>K?!Cpy>47s z1fm6I)#(u7NJ3I2UtLHg(<6Uj58`^*MX#O6r=T6d-1wp%}Q5H@t0J-S!GX$~p`BIIAYWdfX_acpG_ObQd(h9ytn zhos9bpu*0v(uXLd1F zAArMqa`Q8M8ue3$+t1IpJODk)SdIVV05Z5AhDi-tPVhx0L0z%0zxJl){2(82HC0KZ zs_*2CKZ%oLWiR*LF;PmPx=-#$$qnwKdUX)rZoWHr=De)5#i0LFjWpU{R@_Z|acLq+ ziIRZYb%L`AWE&WF$bu|TEav5+tPve%a*8JbFEj6t+_n15qTHzhi{b#8RGGmU#aj%8n04vPY1tJHSgNt>%l37?u(K}9=WFq6n z){F)dX**f(cM5jPoQxp}?UNdIK4dugu_3a@)O%YH$cVlxJP9HKo9X63(3`1;-orPc zbRf6-{H<3J9_pj|{%s~R?sS2`6T|>$kgVCYGTBhsv~7GL^@ET5$BS$7Og(M9dcR22 zlV*^>@%LODl_$S6C%QN_quDxq5oAD^z!u$3=fu)n+x;*l5A-M=0B%dyT<|nc_>B^+ z6nOlNqqx_GhdD#ajeBtW;q~B@LSYW#U8zS-jHbd@Fk3J~(Cz8ymx2~I+GgCZ5k9*= zy18FE;8VD4r9**E64AHwC=rm_!NwA7N*tdpY7I_4BU~A7TZqe?hT8!Sp$AtU*}1B3 z*N&Q|7<4fkl?w*n_+D;vymWX#NXX|;9cvkIl*x<8MaF)m5oUtU-S>#XqJE;UkyH)1 zsYkyECYpZ!6w6pNVhY7JASGoegH6;}vuRuR2t2eqOtwlljN2x$ZU)^Zzj{F$cq8s6 z0-N?C$e`*Y)cDa1T&N#TYhC=YA;~r83Kh96xzmUJok}o8Cjb_U$18o${d*6pzu6OW zVD-ggKF{ZF9>*y!v?sny^9MzmzeN9lT+5*c2Z7ni7gvj6+!HD^fmr7jDQw2NX~FCo z_?<>d|4A3OpnEwteBxxs?RmEZ0$i#{l=iims(T~PUGC4SrRRoMd@#pZ8_5c9dRGuOdQjmN zbXXr2HbSIf7vcN#9@P%dj|lpe?5ju#`k3gZbQT0(v|qY2R7n43v~8@Jg5LfnKBbro zIDo$9oBxb?H@K=9NSt04&8h&Sp+e?;z$^69KjDaOy7vES@&W18Kmlnkwc~~XGL_)N zPG~QyU$R-m?kvu*^#5Na2yH6ll9XiM;Q1XjZ%V$GW6^hrlJOFQe0Q=>0le2B1xSO_ zu*+}&;`$LyU-9y>VFd)dl6)JR5Z1zD15Wkt2LB!?QLNZk{2N$Ihg(qp@sak74{EnX z-w0N5_1Yx#fw=oaAX9Za$oV+wQ4Iy zP2KT_R`&68y?)AioR0zpTjfO6oQ;x6h~V11WB<2OtW?_aobS!m}|0$k5+FfE&_EMv2U}K zRCFHK%gSSIzZcNfG98zwC?NwOySSO3_nO-@X$#$RF4JOa4?i6Fy@O3qf252L6UNqZ zUMHy4m{HX8D4m!In_^+wrFV$PPcK$aK1W1>74djLi#7nwx_1Mj>jAtoe_wUVN=J%G*n~%yn zZsqC6AvPH+Us^4@ee}$vk1jcO!=*`bGw$NV>y{0t{%lloOd``G)oxVcLXVNq{0Ntl za&;d2Wa@5$8SbC=EsG*_1Y3uoA2EfX^!YCUx2t*EE;CI6LqPpB1}Gi$4So2gsfo)3FmT3Ph|OP1REa>lc(qH5(}@VeS8qv$KGzdRy1N(v5V3 zl!$bP3lNYl>25(fq`N_+l zp$Vvist5qMts{}YHb8Ixp_+Dg4H(3 zmKPj=$yeqDz0Lb*zUwaJ`iE6zR@v_9)~qv84~+YZEYoVeUi8xNJKg;(g0FgCW5rSI z6(`S4PXr!s!unr8>J~R&2-$Vh|F%wH)Sv_>{eiK>_W>79%VeeHix^4!YA!LQ2+G%Q zvItBMsE#G#oMC|vu0R;|72_>ihu_^Qs@S_lK5a@%I+PqffsTv&aWaB$ux&YW?{2Rb z#jblVQ6<;&&1tu*d%8;oRdrT{(fMX~_o}p8!$vnafg)XA&#Drg;bcU^B&Hz0`|l^#(pkpiy)pI1vlofke0hBr#L;k@VhPaaGqbNovCWM1%C)}qfI)zYkg3B zNDOe)(ZL|iQ<;h(UmTPB!>2~-B+p4h8$tw3Mmz9NL~g$0%@V-jY(CGFjmSqme?%nm z&A>^(cj^fN#2kQVL424hIO;}9=^DsSeRvP6?1(AUUG`VGT&7RIuPz!YV?B#?%$vdzfsaLcEc>!Mdsjb2b z8;nPE7Wn2AatTx;hjzsei+aXFC&x}3e0%*f?T~i2lMxKto#J7Ex*Qj;htZ&LAq;gI z4C4sfDMl%L$5V*ibE5Y;P#dfHb>As=wIAWoYC|`dg}m7Q_0Nq5^ma{yHYCfwCrbOy z3dfHXEJ3&VWuooibv`gL2@@~G=3!Nz<*O2RbAwz2xZ=l6jG0wxd(IJTJKM^1eq2#) z@p)rkzp?tY)lMA}beZR~!A#pj&B7pAIYAr!`S}gTRL)sw}*Gg>|sq%2X!~|DN zeK{|2xn6>#PD)cqz0xOSDZgYxik+O^LD=T(@~0&IZtg(u z;#sE+3yf)BI+M-RU2O)cNUPCQ;WCR_qeb*?x}L11^k3CH$b-~UpYxxW#2LTM>$(sy z=igmBL+NoJ9pnRUS21ADEM-54`Akc!TlHoZV-ExtB_S8RG8IRqX@d`rXuX*_hJbV& zQ>Xmu2_S|fkP@wL_|VhydR3GfRX=EgBQV!DKG@h*AgpPe!Qm(5)@JlZs`1mPDF9VC z4Nx<-3=sPT-qz;Q$8i&`oV;NqHWS}djH&BVi@NC*{P%VPR4?=68kp7*aocjL?RNlf z#!+NK6ks3sn95(xm>U_`Wke@zIH&J{49>DSyHgH}gocVrfJ?CiO#KEU8IyMrN@^Wn zhJN*G&r0v|!K@NxYJWD?81bHJwB{iGRA8+R75OHycaMe&_P*7yn8^M`noig+>;*rK zGz-=qiVZ=}3V-1783o0!!6x1rZ@Hb=w;qjRrP%V6CrQYp+8=LW;GsO_sED-=_Z!Yn zYaC{g#=#buu@f^J!ha$|1|PSVz18~OPUNNM7t<{%Ij4H}u7yolD)@@==2o0Mj#O(bhtx*_zS(fJ{I`^rtgooOe)!H3nq*B|! zSqiaoT}J^*8>ge-4-^F3*_+xNOFLqOETU<5$AqO8oAa7JF#U_8iBVbAgVDei9Ff(y z>^)l@$F}xeck8)vrhU~NA~AUV^b9#$%lnmsw(cLP<0U-vd6+xXStn!7 zY{Bv%H?|((tRjiYt;}}DgGFASk!r)Yf{45e@>fhyAT`3xqlySdA-tdxx~{`Q&GNL^ z*LHGL(tqphC@qnfk`wiLKfD2p_h2E;j2lhU&xU_g#0TwW^Vsw@z;n4 zb%lK+Nq@D9)-l0RyhS2XMPGpUKnS{G{4fJ9i=jlEI5=+Bn<9zg;HTH~p>A7qq*W@4 zWessbRgO?zPuY$y>f*t3Pv~-s_cd8*EcPhTfYsC4>=LxJG6H?!ARkkde=;Yp&@}1; zibY>1Ry{`eQk^f$WeETC#pZ>9Dw1$*th1=L24-sPKVH|6L@t0ESprFS@(0|>*6Wx% z$r*ni*kv%#U>QvaZ(gd(ADG~3Leex!x}=B{o?@W?|~ zH#8l8@RNj@!6ILlV`;!7iSl#z|L&5V6{n>6QzK8Q1L)CMce3y|>tCPZKfkdGy@wq{ zLECrzJa-h26d01fg4SfYOb6J+OAC3yIrBb^*E*g|==Dn_NWdmN3=D%X3czXL3?t7d z5xz_d-dynFfzRR@=KUD|u>+dF!olm3Q#b$l=KtjdFe3@(DBSPK`Nw~p_=WZd9=yGv z-Y-w*9{6D`d4^{<^#?(_- z(ZR2M5O;5J^H-&0^1pp|pJ_kK1zC&X;a!G#g}T!45B$#;`|myq@Gkz_AM>C8PEdoy zz3?uV#-u*NpW7GeKU zDMxgv4G1_kMDv;hIC}ToiK(W0LVVvmYo!B~1WPKM?EF>?gfb+V@sg8NfO!kcwJ;K` zQFSRN?pqk;}m;VJ9-`{)B|6Gyak+VXh4Ax`vwfry4cYOQb!+cvZPLRFIH2v9e?ZCIJ zX{qt3P?O!`)qCv2ke!22bb=AkX<0So#im|PE2Q3mhjo5WRJZ%_Pd0a^e0Pq;L(V_h z-Zgi?akj(7K#+DZ_@vE6N`6xLN)=b#PJ)`(>Kz+5);A#cZ_@R1Bo>yKM|gV@KG8|Q z*VG&!*0bbP{YU*yHq+4~yUgW7N4w7jV}Bdc_DFLaL^~X7M8Vzrfy- zm!PSmo7!pFL#hZ5o1X3r2si;0v_;|7?V6&L6w+t%lR{7isvxl@iSdN4X|ElN!`L<a!}1pNmAJHTK5ES?-6XTbF+9Yj}A)hZa& zR>D)`_z%B3=Y71u_WaJ}1E1(Z@a-u*z{Xi6lxNjYenQ?K< z_ni%m8_|SLpaCasi63?Al5>@M+y;?p<9|9OMt#=c*uX46xx+3 zHm4lZ4f6UH$Oav z9C8dRA?XB{!n6nU=%<}OY3V@7Qxjii4ji`qGNPut%kfXvb~=|4Rw1eSdLRwV2|eOd zF6;GSXJ<2f%o#Mmc9t!h`q6lO3`h&i5t2}F*ND8su>PCOE%hgv8|Kg(*r4d>M1Fue zOKkEyNeX2D)IrlZt(t-PVFa)_lamzLD#*ZEfa2KX)|1hb`bg$XAsOns&1l*OM1)NH zMhE5f?uyotg?AZ9%FWRQ*ftcE|1hqDHgS}|Lh#lyR&4^8%=QRL9Jxph}Z}@77LeamE2a(VFxoWR4-Rmx_f~^R@1mlF`b4I6v z>G${_;D$)EuXzCP>8_LRkfT}cq@v(r*TLaiwmbXeG#@Xi0S|jt_5uv($gZeemQVV3 znS0RpTw`*q`~kSmlZ6AWjgv%&v>ggL!r^7JIqscR;uV}xUBK|!&$C;R;y#mr0*({* z$CrVN@7lF|^uq2Kk?u}O1wv((d7@Zr-sl43fiUTO4~1vDzhIm(+0hP*sp8e*%H1p+ z1yo3eil0k4sPJir_M@J8G53NSv%(|*eQANqt_yG;W*`&mJpAmCVc)=2+5Rh?>To1e zh$r$Ky^H7eQHGrvO*gIVPN|+;`41L-U572D|5dGHhzROtj~MS?Prd_up#?~Q)jCfD z9k1G-e#;}$tAH}h3u3JKIdPi62UkPDm5io=76jryTO)a4cSL`XsK4{fJYR($#DykV zvL){R+a)D5<$ZN;%_Fqd@vci6BnDQQPd+3lzr{BUkx9H~41xIHT;OC!*LvcBs3LOM zIyEd@dz3YpsRr(g*#e{LJaAw0#s;twrDwS>eC~QcTDKNXLGEcSxxDZpXm{NIS1mdH zDiCf{fe&Z$Ed~dGXak-ys?>k;lv}!&xp#Yho4iC&6bFZ`ul~clJackLU03k7EthDI z?=SF3aC3Hb-!}q5eJ{*3YT)f~V2f%DIf_rFTqT(HU)8;V7X%OhPxzHfA8H!?6`VD- zK6Tl05!Bpp zDHWR~G&1r(l2u?2k5JYd$oJq3~%X*z<@qq7P8$5w;V zwyc`ct;;ViG=k@A{s2L{keJ4`K*0T>JjFZmq}j-02@Z6Cs+BYRN-BSz zzIjF>9e9}O|GklXx+I25FDAktJ7ruIYlxu;PHV1AFUoxV_Bmgh4a_Q4E(l2qvS1d{ zG68Jn+USqwfXRA}T*9>0D?Quqm#zy?rxulN*HuYSa4kp?Y)zhISH6e^LM;POR~$)| zK#PYRJ~G6!&gBT2f4oIm?&J;$5In17+QK3ow**_T55%=d5VxVz+j%k(wtxwvm{S$d zgDBzK8gTS-gikD_suoDgy{<2nzUH!I!h}Uej1XF32Zs zv~C-hqzNo^oFHjBbP<#^SXi5e!4-L(C$wY&Z;n1vrmyveSVsmvLLfh|*1RH#;i`Dl zuo}kYw(x*7!ZB3MY9%nlrvkoleFXz`%kE`S6fjOq#3e9R+9D}D`Ucdpf@HS2_G}V= zY!7F2;8tcf^coIyHm4{%?0I})YkZyF-7WnuK<9ycxzK;NxO=TMeVw(yL~i3lsaLK6nWOPkV>+Rm%o8Acrr#Al1y4;5&X$sa7uS7=(*U2s<)2>d%r2 zt*Y9O^3CxAP*e-wCr?oBPwDcXHLB<$VWN?i(17MhC(L=@0=@^XT#k8QVduB)ami#)>dVA@AqwraJ<$D_~17VlnUJ4lt-^ue-RyLLhC_z379#GA-ypfnfof| zI!{$(6-)JYHHA@f*(LrL5Y>4EtK<_x8>6JC1LQK2fx+mPEMzeNoKRHJfhQL;Q7hmX zO}IM)Gv?JsTN$QktQMhmdHb9W&AeA6@6k~vbrum!MUWy~Oq9L@w70ze0FxZhe#CzCn^mMW9?>a@cBkSFQpt>ppub2Px z704^#-hjr`0*U(sn+pl079I_1a*G&x$W+dWG`qvXH@m}zcJn{%zyC=-$YlWcF$4T6 z!?Xh_62q4&@g7|BK+YKjOUWKcu|f&oxy-wY*&XGeO zN5G{*2sWi|s1gUv1_tCM$i6#%V?VKeYA?=H)~|z+6r5L(f5jFv*b6)T6I)zVaB#>o zCRkA6%zHua_<(;J9)R5a8a`Zyvi!y1>L@P24v0r0`r!)f&3((kT&t_yAxkemhWc^M zz%xniZG2Hz;hW#V2@cu?b&{1p>(@6NclIs2g|qYY!~1a`-m^G$UEdog({%-cq%Qpx zeXJlIczF>@3!aAt!S}IG`4d+yB>9O!fBo9cjgKSl1vS^9eR4&w$vq1}KmtE`UVoH+ zXs{HG@hvpvxgBqkQuZ<0DJBvRO7qj?LT#ZJUH?f;U=sQy#d0{8IHSc@kpA)qkOYMzIIN zf|$i@D@c36{QgidqNo$v^EASRaqDPcWv&PJ+l=@0GFvrpHqa#>VKVJ3 zP@67AsBNnL0f^xKOkXXGB25m#528a@xn4exFRI<@%-@JdYl-!`Sb+n{Z5A{OZoB4n zWVfClx4xYN+;y`7b55i_9r92i(Zyv{C3)rZDB(6#F4dU(-uw0{pWHcXO*;o5x{W1DZBn=bP zL4)?3JuYV);-m;Ss}-1st5mwajy=HM~;K;uKe75aAr&i_+~;0%_BE&MY{GcYd&C zN}k1{+L4sRmKSlukJgSFi`JOB`j9P}XBy>@PQXd@pG+i{GeVBY}%u?ijZV@FTC5`Ss!il&?^TKOu9 zX@5MDX?K4x|AtmlB$Ia_O!u;^X6VUmZ)5b_D&rgs!SH*+~7)HC zBU4Xy!6pG;h*8UUe>mR)E@=T~JHQLzm;I<;emcEZ9fGN6loR93326#`X9-f$f11mY zo(OUA_TIe>ujkjak6|nIt=<>cg-C9Y*B2d3by~$ZN3C7};Lif$hj+7Qfh-Xdkn10{@HPpy zu3YQ;q=_QOL2qhjLDnuq4)`?9Nqk9PC1@RfZjBY~+V0AmKT36PrACys(naDZi_8Bj zIQCS`@m3$d=YbBI_aqQM{~$FR>;5A5Q@>~O=x>Ore+qjb4aDL>uFNXC`bFm=4L7_X4?WH6`VHchdLl0X=a4g1!zygC(aO@0%i*)VwLP`4nn=6}Xb?8tPmWLHx z{LJ$X_-~b`uI1@!#Py>AXlIxnQICi{3O9afvcjeptu z6Z9!Uh!=353Ea4uyf8!JKZ(rt2Q5;qSH88F@M_IWvc8oWTUr1_A03u?h}vO=&uJD{ z(gDQbG+-D^>;X8{zw8=3nIS zeOVfEB%#$CaVBe7sHU<`K%5ccg2sBhCB3&nd*Eyu^YHfu?uNGY;o2>EM3^g4Pm>0k zj`{7q&?9VFEWTmUn_(C}>+xKv7oHQj!!hEU8#IHgj|I-59!Ar1qG z0UXUrzxxN8)!e#~O4;E#3h(B-jtAlHsVVFCgh*k{wi-Ixy+LGWP=&`BTZA=*r=Ubg z1C^3sO=v&OoRQ?@Ph+Qh_uB+REJ4_8w&yzf(}3`S7bAH?FxldIs8;3j(_sUV4W1LQ43Z-`uzb%wQvaLzuL-hbf>A_ z57*f?g5yya&frCai`XsV{-POg3>RHT5pRguwY={lUdaM^`(QuI|4wbcFCG})6^vAg zjxaySlHrvg%M_@@VJ*2Ti7Uc;^zO|y7%nLN`hyFEhQ3UokN#8@iAH^5l8NaJV4eqs zDxXm(G66-^4vkHovn=R6Hd=To`w8vsx0bm-IQK)4TVQy?0X#%mMLWj&JVk@G0V1u*df z+3n?8$Y>M$*r!8D9HBmkc`5I?2aA5x8J_^n_!Z3wm|qzj?}Jg|fdo(a^$a4XGbE!9 z$-xwvA3poD_oKN?OqfGQr#NRr*RpUg_lj{3y{$jS^g!EqyE!lZB%fx-Inf-*C(}B$ zWVw5F4=0mW=4K&vjwx3QyMqmsiNeto2?B5%>HavLy*t<$X5!%1qFq7D*%sD2h#nyL zQi4Be-A{5cTFj1L+V~NaH)e0(JgdN;SK`Z;)3gqI+GWk?u+RyCAE2^qFv2_k{UZzW zMoaQ;V4&WONlqY9uTfK?<;`HZ-g}+0M2Sz|Y2wjzRjUWtbn|syv(OqE)VyX^ZDlD{ zdZU);vlHI1)H(jce|*fve;YC`^lA$-?v=f=eeHcK>@t?dbCPwQ#=|qtyK>2IJF7TT zqNzX;AxkNg?ET}R_eETpxj!A`oIr3bl%P!klZ5@W#~IN|Ov#-2ckpS`?nj~(-WSR4 zkjIr^(|~N(SevA}^d9#$Z<0rNOxO`zzSRgBbnqIUVFLl}U5|0zx{~LzO(=9(Y7zhGx*}ZvXq>%b5N35bOA45lRet!aekNfA1@iEhuJK%jHQnGXm#x0xytr z_&T~^Q#jhJ%0#`-K$daNfbyy9&MG4!;>&5Y`PL(sdr=K*2mQQVyodDB{mF%RRo~zT zKjRLY>o4{X4`fRscC$>ue5xjIZ+?~U_sZkI5KOt@^@sZ!@qywWjZL~D`@J5JqIWrU z6P~oMdUu3r!h^qPlti#NFlwwYEzo#gj~B_t^V)UlyWH1*VF-xM+cQH+EGNZTE|p)- zcn8tuH6CP;z8SoZKar4OeZ)rs7v!@R^u6=8hi*IUsch#evLZ}Cg%Wg|Ny`3^F4|<3 z>xryMDtj>UCf$}>apmO#su%lb0jBY*xS4wY3!!=Lup-$`&|DEQS_wQ)AK&TyZ5Qv7 za*)b~s~#}Rl_32+l&gVDpcNkVhfg&24GRsuYr^*K<}z|h{yGmClX&yxeaUYRg+O8C z!rrTHN^Z6|E?&etKx3UK#Huv6A@LbidI{FTD%~}l%%;%JmeQu+RR*S@On%MZ$VU5D z2jM`uK=|g#dOFI}<$gj$xdmKL-0*C0I*oN)u0WfG8T~^~3PSM}bi|>D-Hw=^ z?O|P>nAVA3QD$!S-$sWx&>!Fy=(bU)S_qibpiOdnv~52m zR{QJ0B}3TGTWOX={sxynnMVL7r%rV`LwE5jigC-saj}9#VY|w=s(Kf6wTglCL%&4Q zolEY9LBZ5RN}NHMdl>Xybc+?{Uw!}46*JdE90iKG(Ytb;jc1D;Q@)*#B|C(g%*H1r zX)ylok_9XK0^M$}v&#j)D|pKn^CvtBfKnEloEJtcxq(9L_r|oU*%M){-geG=d?;A< zFgWB{mayAvS9trXObweSo{z+c$h=z}UqrETjB_WG-(K$_CTMzsrY*wZM`tcM-KmLQ zsdN~`*1L~;I&`hobEhlcRbBM%!u&+T$DB`Oc=KDd6GEjA5JiR~o2@4EGfzG-fjA6U zeh0w#7zrvrbRch7IRN?Dhs8|Gs%@Ck_r3$Gb*VEWB(>ffp5nD9waI7m1(pa6hSZf> zKHXo!LWj3CFtSCSR|z2!Cuz6L&vL=I7QKI;Ke|~pMfS@jeRT+A{sqaTZz&t#|6~zA zn^qC?GM#=*nyvACRfM}tnNIneqw>@lO{wiI%%!UtTfJ?7Q6U+Lv2;M&>|r)kaBzgT zY>a`dcOJ&+W=6$ht)WF~Bq(KqhBj^@hXgg6s)VOE*<8TZnZcyvfPHrfGf<4JVq zh(FQQb&P>xWdkR^wDJ4rCU(4D$1iU`MftPKMhI@;YFnUB(T~;hLc<1Wq`R`7di>hk z28GWjk@kVfa)XU@qbbh2P!pVc5OAk_lJP2SgPe4jP(8kmWDVMdIs;oe6<}D^2AFw3?8lH0T;LI z53Ci(?pb4?V?~h80P%QZDtiFdX5Tevx@&?q%$ZvsT+s=BFM=h%T8|PHwt)t5UL2y0 zpv)IBqorbf(+L_&W=v@e*o%k6*{_}-&z$u~ktoy!53qhwXMG*v(Fv?0ZMhw)^j#tK zb-JHItbL~6mS`^=+3k~Jl__#zGmq}0^$uziL&C|t(=*JK_q8%{WR5G{d|?U&tSqE-QxZHxZ#4*>X33}&;!&0Tw=|6B)L7Z zsnEGj&{O-ye>phLG}$XA6R56cH#gn6MI_;Umbk>o9&Uo!}{C-$KZf7!OI>lv{8L0)jTA;C}f@{Yn7KqRTmzBNie$%MZqG?#SW2)rL@j7ypgG% zFhqh5$}z}+jkjEPZY_*cv8PP{wV%U6B+Pjgpkjlz>bEbyBO53Ara4Q2R z8}$=XqwfUMi+w78nppJ6p{G48J78LCi|7Yj2Ox~FXsk0nq{7nB-&g8Bh1@y9!qle-in1dV8B!qIs2l%7fPT!_%*Qq6lGWKkhSo; z&5zZ5J8(ewD05rM82cXeXWI4)MwUkW_CcQ}%Lq*CL?2PYLcyWjv5yXV-HTS4$q1Cq z4devVh3JvH{>&Wb=PY7-c{{Q^>Y+eSx@KgRiN33A%GyqBMSI&H$8 zll^GL_ekCkms&&7(T1}sFkm6`?PX5XPn8XC3I;i&tQ0K9!YPYAiR` zc}cA~;!V8W{AoAiDBj=2k{nI@{L1v$ssD@OG**UNPg#m(CTp1CkqOoCl)hW#FsSx_ zFkALqR14~R&012Uu+ zZ&EvhKx>pd$yNQ{^y6+jl@Wj0}m%Uu+Z4;UG#>#iOXM8Db^@*Rhyf( z)ZaS=oVyW9qKOWEhi^?g8PEG>dcR%VM+O?Kkz)F4m8v~8<$ zyCRc(Me>Dek*gx=Dxw38LgU#gt)MNpITUNA!Ct?dn7>y}U9tDK8973$)!g(ZKHmY* zq<4?7*3FF&Hpo2*0)R{14Id^NBk14VM3TJ=CRxg1*N<{ise`7eQCohn)bh*Z#Bm+I z|9iKlKQ33;LAt1A=xreN+K5~y+KS!b+<}nUWDh~bU`98YRd=0;Cd$3%gHgM;X`^TR zy&%x=6y-%}TYi&j#Il)A35r06FflY@F1H`^svP+s^zt|FxX!oPQf-cQL4|C&4J-Eb zh&5{idg`4-UieXqQbV_u&(r)!#>KhbV0Zx!vwPGLANm3uG1wX|ps$6~_OlaBg{EAu z{+N9QT#1HW{#=3~D;|cMN=sRaoQq@^tJk*4U4?^^%IiCG-xBYRUbR`+xdD05hn37? zh2}Zjxw9|G(+@ddJqFPtP7dC2$=AA1TUNV;lj|Gzv}in!_^!1*qu0c@E!$ zAjlHy=|ZpV?}UM`Ryl*5tKKvR-hq+T2!jUjIl8bzX)1=ykk_{(rpZb2je1h;ffYv$ zjD&s(?}B-|4^Vl00;8H=OR_GvO*z+TaMyj#qApu`>=EDbF5>zYaaN@`)3iB6(K>1E zwdD9Qj~m7ftfq}q^5ofl3IG{0Fs${rs>>g|Q&*xsLn~{o2cH1qy7NRps^6R6qGP6I z9mDLcJNm$UVxPZqEWX>)w3Q#=oEH(rJC$m#Agt`Jnr-&+eWgek&el1da8gS^5OssO z0dv%WGl+u32+&OeMa}l7*(y^>3x5_N0X7xj)WvoK%F(XI@#uh_CBa3Lu8RHQSr^t@ zCp_uSd5sO=aXIII%2j)?+}cw##kJ zDOx(KK)D@hM#go8DU(P6IZ&XTRB^p0m$qX5gX#5BdK8xFJG@7*hnk9Hz4Jq{y4uMO~Dg9QDil-dkG%uzdc~Cmk$dZ!8G{aH(xH9z0be3t+doP%IzQ;vB zH5Dbn*zZhJr%utpqdUZnm7tRQMdXKrVlgfkF2U$6FztUBhwtqVY!KemeGjaGWWV6! zu!Be|V35Sf;I%&tb6`R-;=DTc>8u@F-9{P_W&Z5=aBc&a#6mt@T5qFA?Dyrk-p4RZ zl0D}uNB!$3ohabFU z^(q!{O-res;V4g0`DYnhv zw;!3VL1QYXv0O9wa6d$hR316f+SO)@h)`gM9Lr0phgf~s&-0P(N{8QAj_2ohf|s$D zOMxVOq@_@zj6c+*H5%dyx1ZmHUfja{0Wfbp5`nKT6XxYIqC8H#$l&q~{YO8L@UVYK z^B&}{sJnsVRN7m4UEyV?40|&*RPQG$m6GGM&I?kRcuuLS1~)8g6WW47;0vei&NPoA zW=q^n68_wnm|&7k0M>7OdFWM;H=CKhiXmqhJLk8c?XHJG-Km4X6wc7CNNorM$NXmL zj69>g$}OWX2y<&!0Ik7qDpk|;6oiuQmJg85Wu)el^;6~A@&!@YY7jBIfZ z;Oeq}6rsI}kMtH?TNsp+6V08qP631r;x)H4K;pBe95&c-_hU3FrT+LKF}?1 zazBeyQRl6l-l}CDq}mo%-zWVEo*p5KR^W!yOkXB{ z&F$hFU+14{(0Eg0go%0qIMc77Z-D)kdo0&4!a+?Uz)&9C$a`UoDnKGP@P zRJsK<>5;|_5R}!h z;>l3vfuPhi#$OYXxL#|%L7+S~j1oq&UqnFGr7|<-?-gaP6CXRF7e(|I{fNLdT zlrrN$PzcklSJNjw>8}4}x@)v;p(<4mu;(Wuu)MF^W`B>%kBe^&RAnS}F|F6FIG$V5 zxFFwVc1nP}y;o?_t0JbN~~wNpD5b@lg)$;9lg!jIZPmQkn|oHG86{n_ZhcxP!<~T`>S9y-S3q-ng&fNwN0Sw%&QuVlwf0>5u=5x&Gh&o?`>eGZ)Zru=mTQ5Rbb)abk#2)f}M)xkJoa#2hue_bOuT~j7YP-pKQSk zl)V-@m9ca_h3*HR2}!I|cfW>DCP(FB51f-q-B7rjn1_L&)onjsJM)}2T&bqr;9W4* zL&P86eTa4X{$dNj4OB$NK$z>N;1wzBw@PB$HaG7rFV{a9mN~D1fA$C26Em#96(i1{ zJpEEsF7LyO)u%Y4pTA5XKee9Mz`WH3-OJa}fu@f=;h?tBM~5yA2dJ)L-KZUlfVwRU z#8bsJfi>{HRt&g2HU^5Ii)$*7$j7|WndG3KbxEH#k;bhp;>Cr|3wEDkVQru2?u;;KlKF79Q&4j;>U%EHysZ-BN{2pk7dPfo}o=)??LBxa9`l|Lh^=r1Q%jI)_kd0Ozz*LGd&f*5Q+G$(ESY=N}n19_o25d#lU_; zOoK;{UobtKe**(9aIC2G=6&7tf^ka9C(r-3!thQGOl*v8+A^zr1Q2BIvk0-9Zl13G z{JV#7k*W$FV9s}w^jX(N)b1HFCQArb(EAQ!64n}C5Xd~c*K!*4=b&LJ4fV^axk4uk{bhw4th=5P66eg6>uXbFDzv=5 z0S$W$Z~u_$)Rl(@*#me{!P_Hg=0>l{q516atC&3J?4%U=;KWvI7}uld$6@dk$MZ84qL9Rh$B?U>?QJYJ}NHtkIu63T5k8M z@7=;$XJ=+V7*Uip51%*&)qk`7^65QNdqEU$TOTFT$kB)0VlIcN8o3wWwhj6``U%bL zemfGWcY@iQ=GD}R=p0_V>G5XL0EU^xGnamHlAgi)*)Y8ZyW*(81_FwYsZd<@z0@dP z15Qy;Tb+Vl={FGFDj6oG4!cG>tI{!>_O}DcG~TffS0F&v!hF5O@K&{=X=Af2n#vAp z&S`^B&%+6o)-UvsSn~&Si%($Pf|O8st45QF19^kJ`-e00nezM?Hk0{bJvqizX*yh; zWC3^1;|b)b)OCNd07mjO)P5rvHMrPSKtFG__6qhTVpH&^78OU>FHV=8!CP&`A>#=_ z!yWez%IzA+5*e?6MAB&t(irG>8cu9e>62DUfeU8tq&JM)nJalnzV&B5t9V=0b7SqJX z+LLqcp_Q6{3Nc;YUoA(#%&693S6mgppRHEFilMAGS7k*W^@+Art6UA{K(1}@f!1rm zw^0_60x$MYbsJUhNs8v=t zU&zvi39{2_HRFS+fdEs{V|K#;oThP~z)-t{&(LuIs%gu^9N+W&9aH^*s>|nKkgcw0 zH}@u&rftLU^=C#+hm3%83Q@E{hM=bm`=sr2el>QXmq=mqa`?}a_ z04(vQvtHu|B<83eta+&SL0h0`7F_yrWBl4dv(o%Ks6xE7tBwpJaH!f`76WZXIJbIH zl*LytUBkE*!3;x=>_OAv(u_dLOB|pd_ZKSik1vc>6WIjZ5aqwCfX(iuR4EbM9@&i< zHWumb8q4!RW3H7l4%v4+a+JJfpO!84h`? zQ%;0h727)sdM1|2e|t}V!G>n10ale$)aY-zc~JPf4H~TKvF%j7(?Y6p@jclZtv}~s zMe3%zlz?_>k!^W-f+4ucmM-%L#GB^MyPzUX+KwD**96z}GjOnYB11rgB*a{lRgLYX z$&QGQ5+diO)ly46yGWa#X^~oG!^mGp`rJjM#3gQo8ZHi|!=7qL>i}+x=7Ybs^i`sgD>G&_uoX zUoN_20jW18Ul^8ms@9|l&DFg+)SzK%*=3ZfDzL_vpYi$Z7wXDB5$VPWyX}2y|Fxjd z-OJ@4VH(14gX06b%P#&LGRp7p`0oEo>L$7`J$$iL1@iIsR$MuoN@C;t@A`j`hJ5vxZ%+=c>8_ELPTxWvSxb^^+9>vR@jnZ_bXeVjRi=pQ*A)MY@u>YyF z%(+MEj^xSAf9!pYNLjbfjv|`|Gc2VHcvs(r)vl8yBd+Z0%LFaBn!|4727pYzzyql+ zAHcS|5Tq4QNpQ_lu0!wlKitjN53!B#D=ZfZ?{vZ6+j#yy0Nt}-&V}pJY4xR~V0)d- zB_f%Hr6-};3E{pNC|p=g47;J15_Zv0ToQBO)rsmWKkX6~9Ad&{xJVMAsWJ1p3XnZC zY|~tokp|Z4IsnhkWx&c<0{S6Fn?&|t85ym!n0f^U@E z1VPeQvzLE%=-)GEyW9ioL~ z8QrdQ`5=gEP;@tJB;VKvp|)$ldAgN*c+9sgbB^+8y~| zJpkob|Lbc$-^u3s;L=jaOu&FZ(<3i~LhB|as~Wa&b7bbwHS^!!H~;Y`U*A4GoT2&d zHqNEb6Ei0Y;o-HydFIRHCC9kB@iTXE@Ljf`&G2igKCRok+I0VMd~`GJ#N2Q%bI0c2 zcz&ecyGnOe6|Ht3|_a|fj?oax_9Y~BK3jZ6s zvESBmUDd?5iKURr!26B=cV*gwBR)K+brcm3oCO6*MqjA~B2n*@^8 z0OTswJluu2Ss)GAvw;)iq-So56Q&CIs54jsH!uxupZ90MLiPK2E;sVl)Sx!ZYl)S2a*-XCn9IfamT^ zR04VOr;_^+c%=qg?wFJ3a2wts*FJup$Tn*7Oibj z*zI!1OF>WM)%(N`Rwc!r6)dF1Eiw{&$!{`5U-}zYrQss*vZ8C)1zccU+z%Tes!}Ho ztz310!~~zMj%P@89I?!je0J*g42X%;^r2tq>aPYP1O+Af+C3n8ZPgKS3(JeP6Qs8C zx6kB~e_a*3S(yOHaWII6m{4^}(G>7)iRHthE(3Xq8y>>Zp+47@;Lht5i|YlmK|>I; zYkJ8ZgS#(fDD3LxZL0UHollzL@A{g*dOm|x zo9a31&xNTX-}CF$VFcI@5xgmbd4_qKIofaX@m)coTJZdQ5F8B7-AIfmVLEk&Ms}nX zjQPC7E(Vf){OYLdyM2~cvPhKl5)FvHfzvl-sKbJUVIq?S#P8QGy@BMtH$FaSZ zm7UuwUDNUt6!tF?Dm$Id#gyI~GNqcRCNaB4axi{tC|92%(2IAF4()WmcS_hj*gaJ( zULo+WFQor?WWTOM_Ly}BcYCKcmq)d@_x$(Jj^C94k`mwokQ8`|Rp7RAP#SY!gGhz<8yfeD774Ck4E;F#OC^@yRnkwHTvUvBfJVZ~7lJ%eI8iT?Ahh;DtV6?&wjgya zF=}ReX^5NU)|;2t-RqAJ$B#2<1gyR(;>OV&0A5fF5OQiNLOIt)OJS61{dEv#q09== zp;}5CX`N2`y|T&rQAN{dZ8wFXyxH_q81}b>MohE%SUQL%RY>*=m`*p-sEjIXJ{Jm0 z$uix`+-p-mS%2eiyfJHd!7eX~+xG1X>61GJuzA#C!Ogp^ed78Bj0+QQJxXp$Zf1UC zBnr9_$)%qqzB7S!CCKeznDn;}6t4p|gi|)0O`!AGG48H^*hQQu%&2^8T(7i0p)ywGIpqWioIZ?e>;z{1HHa+Q5^Kd!wn2(Uc72BL^F>5#Wv*6m zvNtQfx-@4nMD=p#)bN`Kw2j1o>L9Pv%3izS(c9V1xO4;#B}RvaL%km~xG6^XM95-B z1h!!VuvyFLo}qUdJ$u>AKR)ui|K$n0wW&rcxQ$(WNS_+x54@Ekd<4e(Y=}^nTYBcw zTk3E}0O*(Ad$1u%Ec=4PC=xi~y#V}&L{n_E!>qz1fGga+G|BV`1f?hG7SAK#C>O8` zsrO3liG*1lkPvCqkgvllE0W^5+|D+}*~Gj?d{p(F<`DWkqXr-13Pdg1%`=npzDt!G zl9ed1SgE)#y%TKly_dTe#ksxDwG*L6v-;yRsA-gD0JUy__z4$*uLOO?J5`{Us36N* z!MqKIS%QeSN$ts}?82VVb$gIS?j%bfeYRT!pekgm2= z@#z_y&bqGOzJd^F>jV5q?XU3qMzn(dsY<;qJQlu2XYFB&Nukix2nTygPcD_Z_<8Rj zIuO>h?0&t_I;{`adU-^?QZK;aEbK<^;0KO7q>^vHN=@mm`2ANJ;<8}E?erwZb zsvGx@{rZ&FfY~z8B&q#+IqK)Qry&yJ<#M6IDbzRY$vCNYp!Liy1&8L{?)V}7#|e7u zZ3W*RAtN9tvKt?BeSpkSnwHaES4)nclacG`ZtMxM z&!+#!>sl|gd&-FjH)r+0>ZD-TO?KIRT$}6IcC8+WFkwrWVrbHs61NPoQOP*CjO7_h z*u_8jDDa{LmB*OGKeENTw?BPxU>fSJO%Frkdz8|($XkUxaANHT1jFFj;-ii0ustJj zx}z@Xrd1v7S$}||Yq2xas3EbailQUuD)#m(oD*w;f1@}&P=FnJ4sPb@yM1Xv-Yh&$ z_(*Q2!TmR8aMz;s8~8A|YDjA;Sig!SepTxNPuN8eEFeNLIqS%(>W z@g39wSC7JjcMXC?e+X|uVuM`mYrLk-j5{hb$U%)T>k;Kj7X2=ySyPND#)~im;iOx5 zx1H~Zk&^30Aeg+o3xWkLhuw--GyKa=VG%iv2j3p@8MBRdp&`8Wv?W7r)xYQUHLS0Z zb-Md-h*Gqk8H2Ss-GyhzH+JE<&q{rEJx;{$2>X!@a6LZJt*jbMO!6f~ZxN2;9wGP$ z0oVtx@S-~3tlZGWoGvIK+ln(i^uHy@-uIdu>BX%>9_%USaJkKrE9=)k0xcfL)VpN zKAw2krEbUT5=k2MaImTM+w;2IxV@T2d67hHGj#9kibuNLIk(l?YbvVckwr=GsX+@G zSY&>*IdScj>5OprLp_uLNzWs&WnQVqFv3q%YFik6cDlR;@FZG|S5siId}Z9{vsQ~k zqezpj&x=&(mv0{OHKVxp4_RIC7D%__8xH3rjx+N=N63d2DN-6Q$m>8U9^(l&3LyNx&1Lj zH~?g;ETEh87Mi#B6MJ>q-;dwDH6Qh`BKS_<-J!61dIdeE;G*dH{HB`*tb$QnI8=JC zks(I2(dukm11aixw1)xn3>gE6-7}7wFyVAIYN9X#TR|Doz$L8)H zpaz{42$tS!q4mbOf`mkvh#`)#3H`1J(Dy>4qq%Sy!EEhO24aXl{$V36&vZ5_GhlC$ zfw%?*s;|21kMW5VAO%6U(&(1q&TbNf{>ag~VmqG-7k+?^=SH$xb^0Pgk`a7c4S6iy z_gshaKhcgSu<@{7uT*4T?Y|%`oUN7DrK?rHelymu^D(XZknvNm%X$u-0>)X3OI+2Z z71UBC1bJaRJg)z$2RAeWg z}vL=g(V#!kqqU;zMGC8J2c&8CmD(MP$QQU@k#9*vX7@;>2jRF@^}!?29L}lzqK)O82$su{I4iyGcBhY_ z*jvQ*v&}ZmC21a(9W&7jqkj5GecGZGoDdB4n|-&#!puZ@DJ{c{xq3sa$}D@ zf&Kx;mJfjc(7Ed*=6i=^4bx=I0b!c3sii$dm?oT#-pxKR8T7UIifo5{XRk>UA&VKL z`<#CtE~AajS@MEi&_xgUZ*Yt;8FFrx!IWdBh*c)8kX))36;qRpx2POiGr^rCq=fP{ z?s*h_ny0tHWEl21qO7~#L*9Y@C&kTfJXx#4r##ObR$@8qQOwh|Nm~&xHsJ=+ffmbJ zQ??~G^rcCqKsoOSsjmnFXaE99&pj;97&-{}7!d2+(E(}{%5}u_3BQCCasHD@XK^gs z1`0+a=Tj?tKyY0Rd@>_K>00-iKda$z_HCN=8E%d(#!NcdXgUC&U6HO~mf*a9iT_l1 zthr?-kg4pg$F(nEZUk)<%!*kpz{N zq2~cV)JxwV4;w$z;KlSi740J_x^%lxP=Zoje6%$FHUCQkhn~c;n~X_EvnA|=(*<_b zhnjXr*a?axB_{a?(2-rY zI`@E+(w9Yr^MP;JbCkc3W$%sR)N2OM>qeO7^IMtY?vfN0mXNQMiufy@!=iVZr(neA zG>|f69dn!Lc>tT8Uex3T(q#@JaUX0ttV!zm;_5@&E`}~dQYVNM3~T5VSO!OoX{ z2sQ5+_Y$6JHfPUldFIub~*fKquEkk=iV(LiA)UbjjX0nBiEFzA3MF44RLjk)2iv?{6d2YW^jCSRy!;F9jKp~^bOd@%eZ1C`%tUPQVLSv2$3b-1pV)zi=V6_N zDMGi6!WJa61To9wVEg>felSeL;@S)y59Fz9vXiqp!o?DI@E~w7=}S{2Ou!2_i6~5R z5IdeMv#XiKSe+sQvHCltR^7BSbRue8N#aMVmc`O%pEA|^HIICV!?qgoInvA=y$yAu zjw_B|4>J+_8jEc^^i9*9bKf{(;f>@l!4vV+=!h!OpZ5-%>3uyzu&B7er#h{mxIJno z!EK9@r&4=b8Q}O;+KyI?r}}f*BkKgQiXv|PGWBYuU41XXz2_{6Eh;PV4qZJC{ZJsj zOMLvJH&wpN{g_}jtx=nLTJ*s1CU3*XyoTd;e=}PT{mrSc-yT^$!PX;#J%M~IMK~qp zdYj4EYX;-Vz;V(Y7!|IgFHU)Y{M>;uup>cqNSBp>k)88~cQYC_cOBLMe3kdr*XtSB zknyHm@<}3VBQvbp>(LPAA!~d(rA6Xsjl?$IxA8KMf!`Z@afJWa4>341QeIvgEn$q6 zzPdc$33T!O*JY{0YVte}t(gKIR$w#YhR?5g9{=<-SmePJht!4&2Ncy2Xd2ZZT{YfG_A!K~L64vb%YrpRn|jkQXssB_21n0N0oZyMXC$CQUd4!y5`R=hahJzal03eyXx zH;LgUOZ3PqfyoXZQt{dvG1!081|HV@q(oux?(-5+8CPQ()Gn2Md3&p^9Hu)t8y#V`T`4|5yI)mOil8a z9j{45r44_)X1PeovYfNMZ{PN$B%05whZEZ`o+Z)gZK6=!0p4uDjZZ=oKNWs)M;d8p znf`@4k`%OV%*8tX)3D8>Yv4d8)*Y*f1jhD+o2Q5+8(9t1vMb`zR2@~d79Kfdo-(D# z^fzp7%Xh48#EIy|+vWMecX5N%4r)AAzD9Hy8-0ZZaaE}GknE~SL^`rV_!8i;IQI-t zloAVDu>#gEA-M*XBZTSa?tjf?85q(ev5Dk?-j%7T;;3q&YX65?lH2<8u^n>SVPl6Y zpBuQcx`w}9C-MTZ@3}4BC8v+>=8MYZ#u^XWrHLVc)Dq;EGRDp3lKjWMM zRl6c3r*>%aWg>f@Z;&$3RZ3*{44!leyoBDfo+&D``TY7JgiQ3PNA*jEC=71hkDT_p z_wKp*ZoWTQ9s;E)>9?~5yJ4t96RdNArZ8TdYvc{`s0cWPC1@KeDRB8^M7xKC>>Hy` zmiNpMWZSa+I)F>p1S_xU+8qVU{)r$-HdbwIYSQ!60b16Kzg4Pvb`&8TDRS? zD*Q>H=_zczV#3F56Z{YQ$Q>h53C*rQUKQaLE6`n}5UmyxdQlBAE5^>Rf*>+4L}wQ- zt}Z6-bZRD*2e<#kD0gJ^c%^Omz2x_VV)<-;<&VVC{lOop#pQ~&tJ!ayeKnun@I=^< zy5s25GH?96@u*g;UYJGI?t7E&Jb7y8i+|(p9l{oTlyJU}!xK~cQ+)S{N$AU4*v#Ol zsc8IE;^oU|g0kVNx#|RW#Mt}7jNbBz^UCSB63*&FFMl#yy*|*avr)HEoB!1flD=#{ zA`wV1plrb;GzLRWM2)MZo`Py5|K|NLW^{KfT|o!G@eY@Pc>bsH2msg*qX)*c6<7GL z2rXj%5(F$>~%)XThc+i!c2ynIffW7s0Zr4d+uU}mTg6&UFbkbhqLSaOt!vov& zYSn0P5qYSysooA{sMM>`1nhmvja|-p%y%&#qN3TH@J`px67kezJuG-8>u5!B zr&gYD?<#NCm}!VuQ4~ihcQaB!doRK`X1y*=g{PvxzsA)}JK;ur$#{Iql7!~a-sId9 z2ii2J5U?W<$Z3Y;HC#mp*@wnhYA48E_A8h)UTlCnd`Ag|tJ)h3^wnSF5e-K3&66YC z3jqfpVLxT}8Vak`an)Zq54jr5ZBQj@JXhnQ$}cf!ay=*NsE+cCIb?3f?Ye+rky*tai? z3W>d&jC=MEJW2c?c#`~e7X1-*1XwJ;b-^}(=IwwJF!NHpQ`RN zLK_gtW<9gaV0J+g2NTmxO9es0#WZ#<1SXn~KwUp;b5}(c240`hO$)Rga|e@1YO*KW zhmE4S=I~&9{jQne8eov@ZGcK&qBCRe<8(pBZo~6uifpdi-!nU^Ru|Hff?qy;S+YtN z;C!+L(DiTgy)gFf+bH}ii{#tI>iioWYuru52#cibT~+R84Ku-xkCDL}2-sQ#YT4%A zZM|o21Oz2-7@}l4elj@RwoeS99g;F!aPbhkM~zDQ8x@coLUv1iow$bnCyV5^NxHMz zTN?gY!WW%$wsqQ}tR`I7BdzU2cs7a1`mAF(ZHQmYE#4**Gc#s?$V1$AAmU5Su{&KV zqNGZxTW3 zS^pndBoY6PMe^<6vPcyF8;hg{)06;Vku;tAH!KoTU0{)1jQQ^@63I-2iEPb1(Rz9; zzD@QQCq%#KC8!~La7mE;+Yf7)1EN0|*W)fHv<2)qoJh>Maj$HFnILk;{yzareEI$X zEWt&9B^i7s_%@^6G0qne8-GBieE5Bu>Fe_t-ScTR`?jiVV8hLMe>wQZ*QizC$fL<; zo7gN}59E7s%~KOyYR=;7ZS8+#--5NJVuFZ2 z7?p>Z^*@0Lf5T9k8n%}=w?L)h+QXii^zu5>GVQnB*NlQitdS{V5*B<-k9ea@+j(VO z7rXnUXpZ=k6T#>DcJ>U*7(o6~x`d~R^3FA^>;sR4?H1XsDa7z%r#YdNqhId02rI(D zsA8Dm4nRVHucBNpnS;Xl4JOMO^R%TbeW5-DGRMqj$c;z_9cfDCi2$zX`bM{PIDFFP z9E`sQb^5J$>bJgsz#sIXQ*rTI)lzbHRqxh8+0ui{Vt+#fbzjlQbco<`<)X~_OsZ`D zn=xh40fFJOGYml~&T-vLfAB~;9-cNReUN&rnl&fe7M^vT^7)+U9j<7S%d0h0#v7GJ z7`$kQn$ckZY84r;LalzODBzft$nl0zVEm2nU(V@A?qC>uWA)70?v%^xh%NFaFGy?X z!DZnJdSd*LVWHNDX3R1xV0f?q-gQnHMozDk6zr-!xI@?DE&Hu$4r1xFjnFKZ-D1Y! z-{J`6vPFhSBuI4AcxVXDydSUeUgB@m5VdHRY-j9V$rOY$8gfHBg_C`3p={EuWx*3=x0XuY@>8B4UQ6G%eh#jyPP}R2YI|UO@^Pn}} zO$2#FLFmgruQ_Htv$I@ZQ%4?n!Pp4XtLM4p zu$hbaCT(T3WyvWSTOYl-xYSL!^SIg`!p?f`qK_bA!09N}418JQva{q8-8Ed(ezrS~ zmQ?+=L=3qo3XmiLUdiD%J)5{3>rKdPx54J`kt3+kNk^t;=fI`U`*y~uR(jl8h= z?A?HEYQ10t5Rz*N z03l&{yJGga(7cLcJ3Wmn?I-nqL_0S?77z-_?ki4Fnm;HcBmV=1B*^MpX;JX%cUziE zdsK=ttwNT+T%tTNN=h&7s+>}*@VGhCgalC9HIkdq={iu#!}scw7^ZR|0ZPP3)BBFC zOi|=6DQ|y_4)SuUhp=0S1#IZ`Z+1G#R$t*Gewyui$m3jMVwGm;*C}E=D9?8*vMv{_ z3Nuw2MH^{%%Ha6=g&h%6rB2fK*qyNg@l+Z1e0TnRcc9?y9Y9C1E~ok4Lh%v2#a-vf zLKQjgd$h5oXKXKzF6lx|q{_qD8e0>J>G^BQENlYghyFu8q9@4oYFU6x`Z~j`-D`-R zk!JczUc=AIGkWGdeK(O-0XYLQq{4NCgx4Ho{E1)LT}Khc3=E!+t%n$ zJJnB+YNoGXV}Z#%oEB}WjgpVNzW(8wPG)-QglY#G!IQ*)|0MVePeN;e;7N)APcr2G zUYQ5=6%vRxQ}?!(T#MP?CB0v!Me|fWDWwiy(PU4z>Qy6of6xrNhb-ICkGC(`n7vGk_B(Fm$9C+=EuS#SmVv;bO*{5^?<+V5 zAH9XvK)bJ-jknV0KTQ>=V+W`HK>1@k-*M*M2Do3gQC;SSF&}of+yb5d4p2!CQ7jU^ z7(fTXIJBGbiSPdGl;etY7-kyRYJ*0CIfxex)(Tcx6d;V3$}wPwkaQR}`jVzK4#EBl zyVrAD*I<{a301-c#2>qLy+TpwP-!C&=K*ZJdkHJP#qbBuGI*d8nR$z3W1%S`#L_wK zFd3`&GP(4sZm#*Vf8)1VA%f|A(5K*Lm4fUF&)}!w)8bG>Qx^qxt6S!mf8N`{OnY3< zlg#iwai6ZcKT~JyqI*5msuk=;k5qz&8Ih}>|qRn}b0 zoR9TQUMe6*Z^TTWi#Yx04g`iJUen`kOHe0ypBra$AQI=7vp)KjKK;x76)Jb1B-zZa zzG!;zyI-R40k)L2QgYfHB3rv)5Wc1zzd7B2Xd~+kHO)b|awSW^W>`69T&_#8{U!Kr zB_YZ1Eq3`Xn9ar=)1bj5Y%l1z>06Y*)|3H~Qmi`BEPMcd`L9pkCWj z4)*ZHzrsgi+W!?k;vx38;3H2!AdBq%PYz;t_#Q&GNX#RbBkTtM8c(tLFM7j-`i^7H zceVh9f+zKE$2x5?wluog@V=8J$DQYD5_N4c{6TKgp$Mw6FrWOn#E0ED`75BEvFxTN!+2!UnSR zuP`!ht4&Lu5|C{@8-4KyYUtG|* z<^Etn7Z|~l$a$zu6`u;s^lmu2GU-an_ROQ}K>WtaYg5gAzl+PymUemLcyp5k1Yh#Z zsTPzr15fRsN6zuyAk}+%|77KU{_u*?3>R`!G^IvVPQymG=B8QF z9l!OUGd3H1NyWB9okgU#ZY$YtI>Fmw%c(Dqu&Y+Js(>ZQO;rqDTOuQ$-bfC>$&~B( z^^ul&mn3#-&l^d+mCKufA|cCSUsW#TE#5vD*t0|o&ID&CGV*V*BWvd=tN$%_ zgz(9R^J@`M_xwlfh!*$1U`HbU1v|o<^1IlPBQL!EzhX!B$FrCF5X6Y~pNNrN!>0_- z!at^~^nZr};#Ltj@0&#>0EbFWRJ4A02rYnt8>d-R2{HwI{FNw0hmtQTWfFmrxbk1h zyZ_%|B+b0<#kYTa72OoNmg=_eVS3Xkazh@59~JV5bbNQOl)rk^%{DaM=p;rQ@4b_Y zH*WO~XrGMBhfR1*`%fe$Ly(eQ&?frvJD5?PG*Is&*A)XK({v`D(hFl%u-dIe>I}Uf z>5g$AQ<)ns91*%`DWTUL@;T7H^2Nq@4I*>=4VgVA-Vu}9 zpDq(tO3owdvozO25^|XH+G`PO8H9FYh4P5PJY1?^$@};k#2+VuI2is zC2v^-D}@h|s1Z|H?ue~19D-%Rc?=c$%*iyg!Wiua&H)aGwfrwHlNa3QKyDS$o_TgH z!5`6lkOe*}Qmo%D7a-t?U-!b_j6nkv?@_htsT_yv^Q~sOgZRHY%2{CV_;mTZ=QcSAEB`S064$$?a~di^S^*WOz3_BAKETjsQL&tPl_U89KXO-s}uU?VON}sr1cCSmM$R!7!g%FF5lK40w3+7`Sj1GC$v0ngiAKj}&xhq`LCm##(LyO`pEJOT4`*JR?$#Ma;jQ9NecLlc_fv6{34AnoVYo=`@O zH0E@3NO#aTQNocHT-=gfbe*BgLTXu+tSV$isPgzfV1jDw)AT$fM`rzr|1jo6D!3&_ zQra8+AT?zv2RGqN{GH_n9JSS&CZ3%HFLAQ*1H`D*ylZk0@?iS0N~{Th7-&3GbgG0c zsjT&!AalyKDHw${QA|aIEyX@F8ns^Y>4sqDwIn~q51*3W*z&;a!v-Ocw3&7V>)82( z2im{?v{H_ee=`;!bKSL_I@ibh|$`O!~#t#)h?IJkb% zN_8s?9hX`kpGa8K9pg`PR0%HX^%p%>v2^zd*yW`%{Zce$7ys~=V#z<*;Z2DSbqGZ- zUz>ZByCk@bUZK94&|z)J>Dm-Xy(*38pW{yH7(S0@$`}~ZL;v~|5`p|cbn~vLLAP9a zVkF(X4^NWcFE5~1K5$+o6z=bQg0epY5Mf&-vtbegZDmeZ#TV&N&s`wXM zB=E+6XN$C-qs;%0Y!SkMKiML6Jb!~NV#uXE|md=Y{8E&n4Fjv;w?JqVg?;cYv~s_1mhi|SXPA% z@48hQ)q2MlRJ0%Hr_Q`!YZ^WpXHN^}u0D8B%ln2}!g4q*$$|IiW>)di+zSD&r*E(; z7CzW~R;9wQWf7Dk;Cs#b)9x4|v-;xn{JqRTK1*?=P`kp|Uth$OZL9o+_nzjSdt3q3 zQ4K9bE9c_OV#Wwkx%8YSeNVda`1uu(jhwY%pF~(9c4NcZa)P^v`~qQ#oYv-DESDHh znUkHBV9&HWAvC(nt7WRUan6LuxDB=t9ew@vTq9~!mL;rrHJeO7n%jRCdR_S{=(5k| z^=bs9Q;)a72WGBa1xk`8Ded$DNGy$)&?I)P<<@Z6|MX%;mT z>-_W5eq_5@Q8GVUkg6*o+b>QWR!2EE0O1=8*c8a>ufMxH*O$F$2aE}PheIdSF-AtR?Xveu|)4FsYi zTw@NYc)~xy8s^H%*N(+F0E0X^F{n!nPKQ^ya(jh70dRNgXg`T;vmi0*(bECm{@U|) z9xb$V-1)*Zgg@%A4Nwzo0&R6uDUXN=^9o353#|s&aaPjo8>MK%(?M0lpMM%7Fy_z} z=SS@*FS@}Wo7X{K$!9b4VB?(eRgnkZTF&MLlhH3zqn&H|oW-vlK4&y8t1F*?c1)Lv zZ62AQuyf8UF(59VGRPJvD!z35m^6)Wz4bBo3pxM<#wo#zO~y6$R2#`&t>_q2l%DF$ z$InNxLY-y!-1-a_?);+`RO5Q710)FMGIO_Tg7?(8{ihu)+hee|T+AzN>&YR}xF=m= zw0K%`?j+N+H{O!=g|^lo&F|=swg)-{WL;l4($iigcd16H8C`GzSAGX4yg%qsa-up@Gw4LO(x4XAf{xwg!FUFia^eoDf+$3mX(rd zHH-R+pHz*M*sJfhRa7Y$rl&W}nQ3Kd&whGlBpGo%{6>h$hikqMyB|yZKneXQ-O*fh0zZQq zcjtyxv-^r{Rn+;$@D9(E0iofD)>)m=-Gcn8^Zr7)6ulH@5AI06)4+ zJ~b0!ml*W`P5CoUaO>1wr^QRU-c#1a_elbIn}a(Acv%92IwvxVwY@#AZi+%<%Vy=`253os|pbqA|dVld1|Vhb ztA_56vhRYAh{|dR&!aEpX%}2~U6GcE`k1oY$uuDLOIm7qS?pV=WRc7YR9@Wul4hzu zEXAUjLsCRo+>2#52wk~2T%Imybu2wv?C%--GD%H7O=ZLBz19wE=_I}`&a_*pU4-u5 zPUE-B9%k10@uo(m9O`K{(KAb+q@T-(+LWAb99B=vi?Dwa!NMWaf9BwlPT>v3IKg)r zRt3azctZQ7M!7tj~?!$f+8FLw4tLwik3Cg_KFT^Ca zA-{p+v)dU`pwqnr8m=KPT8ESjpYeR0lJT^%6H{7*Uk&1pm!`E%5mLOg&5WJO#_PcJ z`=ST0b>HS`2C64H(!%_flW%|l3oeVCu>beLV*rJHhDNP{-PmWfYOPvg2_g5 zOp>#In*1&*>;JNJ&9?GKu{nQRpP&Znh9Lgt(oi=are7_-FZ{&I_%+rDMLd&Ypv`5w;fqn1F1Nd`Z837L@2p_Sn75?jITq8h`0EkOo#MFs3TemnD7}5!7 zDFe^LN8BC2AGqp#2C<%JY2_t8x&Ve;vjp5T8Fbi%{1UT2?@2g*A6{G|)0QLKiK&76 zXOrGIBC-aSjPlth99Vw;yTc&!SA@@55VnRv#;Sz5%HIp{%ELKs40H$)_2mZ7n7O~2 zK9%_~5n}*63B(;F)jGKV^8t{-P56)=*kH!?e3jJOU&4TIX6*6(|2Ib@^r||5M1tjB ztlfOAK%fAdeguZT3?`?=@OZ`zqW}8QMKO=o z1iHZVm<QWyOnP(EM+7%dr(dHczG7`y#jE?K*7**#?<-0WZZudcAuxm=n9!h zu6O39Dw(?ijLG%6W2M32?E9Ui@>8Fxtko+ z511WGY@3Rwi~Qo9Z7Zx;)sJBEFVSD!DhSSh_mm6y0;dL0D!%SI`@?2N|*1bqwk);7raiaGJ!q zW65`c>;%Rj?;sW#E0>pvr-S9TihWCM^jkoD?43r98bA!9J>6rPpJ3+H0y?gSQ7n>l zF26_(N9w⪼{Jxav}TeI1I1{kmc8m2=_mbMXWf}ML_&kK#HVgF!x%48PTfo1;t5e zCDW$B3k+l}7nHxRY2TVfx1znWbIastF(iAy62bbh>aGtw@H1jUfWqZIOZg`tWCWyd zn-=#GZFyY@Ic>iYRzmrYGLG*({drnLYnGZGGNm51(Qz=-%l777g^_DIE)Xw82-AK) z&g7pLAK*Sf9c>9<{Xhd3Vj!UD?IH#@yCn^#>6=v4ga?c$7U7}>XWjnX@M{7lSf<*u zevvdiSmT*pE_$5d0~ZVC!K~cIN1z-j#|9F9JINS;C_wlrD|&qiM!)e~Zq0jX`M}Zb zG7ZLH!QJ?ijYve$*jx`osU=m)pqG&%5^13`71;b@ zbtGEqIRRqsMP8A&17Mn!L2!oo#vs0J7lgW}fV6m)nrwO!ybaQo;8=aLV04rPrLfme zm}}-CC==U~D-hx#0Ew41PL}#b)JbKZ*gEaTeLZHPo1jZaXfRt%lAxnf$tZ?67mnt) z%6I;JqJRGg_rgR5EGJ0qqWn%&q<)9Fy2u82E-D#-i6a?V8h(`r!^5Fg&n6EUKQ96h zvOn=VVi*mUMbgQ zy^9W2wA7a=xh}g~#K_KG7}^@w+5f!a+cfac+OR2pBiV+hf)%8{+%b zL%_yK(zkD<_zb;hoW)G#ZOStOj9no#p(mMRG@oSnr(t##q@gcyAAG+fp<7I~^#G%1 z$++mSXWBx-HHCY~lE10B?}}jJwmE-rrR_tmd~kzPauo0JmczHkPjVvIn8gw#c=Yxk zcFuQ-Yz$JZz`aIbCWa@k!5L zeR2W=6Z?Ps7nCO^rdRVg@3Kn>T-hHsQw`4*+noW#5X)7ZUsVGYMf|0b3GdJFO~olj z^Stq3b|83oVdCr(W?r3!(6Et@4G4ES(_*c%j8mK1$JSP&O@mvx%I4pGhrr~AiN8k($zq!dCBWTq)Q#UFAU)3`OK@Y<8O~8N#O~^d zsFbRc2DMFt0B0iD&Oj>M3m-7?UFmG>XRu?uQrfrcrC3D^F3|0VZMzjTQntTu7&k)L zBVmPivU3XM9H9daiO$pUyIVaq4ioDLeJ~AvhUHCCi08Z{eOn}$EjYzD`Qap*m2#Up zlhoqs5H#+a9EMH`_FJE~n}!pL1Ji5z?92c0`u+17qmqydIcL9Yl?RbOvEM=U{UeKr zV~9$4I*@OXn6@+pJ?1c)xbxM$;b>D4%Sj&-%Ot|MP?CyoK6OMM5x zNJ}t!y~UUsSyz4kS$*tI*FjZjDLvx0(TRge@-lYQ!ig?!GuWBKwF1se^UQZnpu*DC zNyY!97y}!{*6&d4cY1*5IZcQ0)MJ3x_&L*oQ~hAY_H>0f{4#U9gK!ZKuvCb(vhI4# z^}RTcmmdw(7EV{l27Rw%5yNz>-30Wd1WPKs)vK9g|J%KXTsto=9BjQ1r!_6LGp)w0Mc5D*;yIlHRkm8qqPo_V-TXoEP2+iOf zdm9(`V5Wd!3ymSYV!F&*%Zc=smFxCFhgK0Io#PqtBfD#4kFVhG06?LoY9nE#-=ZBV zfxhn`IQRNV=|9`lHOrS>Z1u}6ect9|DTrpuELWv0 z+#C6(E-h4_HBy(A*u3{O_|ZB#vTH^7lt#Si8hWoF#GNw^*4G>3$`FU$k#vb3K%$W( zkFwN?hxFQM-6W=g#&UbJU-zCU&8wG-)V5}&Vh8I{)nD$ua`QklHg9Nrv1afcxXI@J zglUGuj=PgKXfnkkIMtMHP(zRV>)H3}QR}56inQt)t|Oh|I*&_g;JerBu=!d1s7L^z zdyZBw2M`DItfxyHvgumC`>?JzGuL!l)7sTuWXQB}-SM`&_`Bj-$CdpV5q0-vtu@Yp z&JXnB%P#$~jt}fIE-|LrRjf6^7E06!uQ+d+Me}JW>XclPb&81h6^nD3g_PxX|WmX zq2WH=m;#l~@^^=%eLcq-3_LR^&0Tublt#9ZK%VbVq2^ilw_c%~IhvP|Xw%fQZ*)5Y zI-3@YXk)+cYDs(QBWApTW8NR(hnSR&-K@9|A#Tqs`V{y&^Ba4xY|ie#yd`2eT(}-6 z+&$%T)7HjWCs5|f=^NFsw;beRPZJdbGXHGW>ip)x4v^Ab;i=-uB@3pVaJ9SW5*`Pq z(}oVC{!F&xecRkL+PvA1P>y~|>2%%0q5 z>I#J!Rqb+*q{?pNM#)k2T9Dm0TO~J6hEy=)@jIAsgi34)74q4*_zi4-Q!?(!=WaQ?JQjOwPfjBGc!Zug)^ktXQx`dC{G~yg@hpbnn zto`u}v5(XZd!%=p&Mc*l-dVnPwzn)nJVe7eSZbwsO(kY$Lb;NB`97LH<<7Q?vxx!4 zkX~}3Oe{UUKnysRHf-z-cWOyIKHYycJXFNJ^@EpK%gyr|nznhx|K?hpF?cpTJzH0= z9dHFXe2AxU&q$3=Z?m5pUfCGmv+pc=87n6Fa1Tv6npa4il_h4|EHyTW)BD~gXAMRR zV#mXp9M;V;WmAvMuQZO6sEWWG?>+vvW#(nT%QlW1!0cpe>anqq`CzWD_>gs!KrEL; z(%|gEw<^P#%0j)QTZyS{bQ);Shf^wJ&u*;{&s=VsJ{=nWf7<)bpeEC=ePyF$EhxLv zktnPM1QC_q#Fe5bNC}+)(n|noLTF-_7EqdW={?c~60kuO1f-Wx6pVC{-r;{9_nmoX z-uV?~_WyDHupe|blRWo%?sJ{%T<1E30-mt}JzTTIb~40H2J=5nq1I~NWcgK8Y&;wtDK9a8rZ z{S{{(BKlz0PHGw7kJVw=sTO9Z4F^NIws7aR`P~+ni%z@@4z>+4Diyec&Ux~%$;h%L zPJfT{Bd=211ozGlCKsI!p}1F4;{i&MJvxrIVH3>%+=F*b*+V46IV`M8fCwS5gH7Ke z{04d8Jp!6|(Gs}OkmS!fnnu?A=w;~A+jFA0X~D@!?M#f=oL7jc3~i8)Ab`mbURp?-iStDudEPHI~%({b-&%Q{L1khcX&Ge z=qp?yYksE|@}e`7rj%ur_Yuaw;q;vb4e(uUmDo~+Y_i%zY)2|htfFl-x+^zDC~wv) zuWL%rYj7e&cR@ynG^sP9DEw-Mq;b$W;`gbWGH|!x%FVVpG|hXEY|MsZ9`*Hf=|-sd}h!jI5}Sw8JG?yG-qN5ma6(| zauU-kD;9HqjMh@VfM0>I=kT;G4B0x1;P3rc6#Ns3%p5&a64W+RsJ@t@8UVnw!11#^ zm`#M_cU9rY=r|l_aAHCVH3Ia}$Ac0v;JQL5mp}DccG9{V2lnjBz;9#4q^O zb97qpp@}U>XM(dC;YgMaVd7F+p|g=wbvx`y6tN(8Rs);og19~?pgRI@zcSlJmggI1 z9s}=)_e1o>QH3Qi+Vo+iyip8{o~T}FbQ0UQECX(TMMR&kd|m^~!nnF5yPWL6F&$;8 zeC0{&`8`isVQ`s9&g?}BX8GeST((kH{LMD|`MQr1;vOHO+*WEfnt3xNSp4zH8Wc$6 zm7-by{&;h`%MF=@AM2pgw1RusaS<@~H`$-Cdba!swJ>Fdw==tk&zPrh_!$N+?gxFz4gsPiW2139GdBF-g{) zFR;e0SkLzF*3u(X1iLd%QbjR-Ei|pvffx|f4&TrM7Q$WxSNmSKX0?MHW3y$~9Ond1 zU_FrRj8S`(KV3n^DaV}!ApLDbEzd}igYG+4CX_ecUFWAX-GGn~Jd+XQ>=ct)_p*1t zsUD)d$y^krXW!7XG?YMh8J!)Q9|-Ft*~Q$s$@^*u2GT#k*+r5Wzo1_|I<&Mg8j!0$ z{SDiZ-tUrQCqE?T0xBuCI3iKvlCVkm0Dxyf0#CuU8HaGqNW6N4US z4Sd*-%X$7*^IT2h%ROfG0JVY&=DqkQUxLpyolFc*?KiP{W;r`DOvn|iS)Z+)Tn^K& zvVFaaO;E>nG493tb}I8ocg>I7YMhiWPp&MB6#j0Gox1&md8Jf<&0S3bG_Klg1|QC7 zkeBmgHmwe_1lH`D=XGE6i5+im^sO1UugS5_RwHek8LQ)a=79jjcCNa?s0>gx`)Hu9 zMf*FoH#qTZ^Kw?baO6j~6fRYhhDL?@hiJ~5>T{vVP!@a*kSkOZ90ZL1fb8r6fZ96R z$mKH68Lj{Vb1;`ITFKcl4FU7huf>x*r)x$lQn=CFl(n*0-cKhN+Bt>Wx2XQ>)G(a< zG+co)XU^f)gV>gNKfTniguT~AP|4N2|7~Xz0s&?&`k|ym$5%ubg{RC9y?DKw>nnwi z^?s>H>t$KqzO|kh_cK_pvoOm_4m9OOJv03snt62UZSH9jX73O!y3xIc{ zvFdm^@Qq3mP6qnVXxu+!#Qs{I`NyFx-bZr#v`F>vig=KH5^m9cLYvajuK;e8SlXD$ ztV^2_Z=mzxQBSo0Xb2Ld;+MOV07yhwnm)jmU}iKPFGp*V?0w9oR`D)h!=cXOj4Q+aW}>^L;dR`mqi}0H3RLSKo_}TW9!sU$_7ACAxY(y)xhxb4-L> z_n~G5sOCHj4Fg9qOZ@Vd2f-i}pD*A0EWvzhRaUoS;Yp|oU?tm)*%wcdR8eBYINY)K zBS00s@vP%xL8xhgH=}+em=PI{niAlH{vDsI>6RUxTz5NN!iOc*cI5BKXdUD zDi9-*AWM-VSbfLVhPcP}yKY#^ujz-MxWk!B&2kaIM8{x+cZpwtq-B|^_=`x*9-@+T zYtxDb(|Aa9wbsEa6_c}t!8~56<&+%F`Js4C)MmyZ*^Q526R~1}s=CzNG9wb;)*ngq zWwA_~s(S(0qu!irEkP4Cl%bu7q5h%S^9OyxL$CVV?n0qSw=F4(xLYN~YT__>9=>G- z!@wCuZ%(Q^Bn*xy>w{MFRU7Q6yH@U_UvWKIWRKnj0a~)sf~}<=c44&anqztaA3Yl| z$EsIe(v)5g-(+mRKVd^gM;QImM`n0fkw1M$()oUe?k3T$ym*~xW9Qeq6g$yAxzS|+ z#BMBt&M;_3N2wkY6u8d(hcDDUWkq%-vl7$?n~4(*3hZX70Kw_z(us*e%AYy4f`;F! z@+%s4lS)2&%f?Wr+p^U02Y-N`|A~Kmfr-1lWfgXC$*{*NRR$}k>Q0!_{i5M0f5Rl# zXY&z}IbECSf%@D&;IFpBwb2*|C>|P>bfVOMvXB~EeSHIT#`}7{gKQ~|@oL7inIV0G zWWoAH!(hZno8OR`TlZs@sRgWr=hlpdONNxIsr3SfKT6;6#)YU|x{?$7J&lKsOW=DU zO0X!1=6!LLFgdO)1yqe;uLHyhXlv!X!6U2Wy~$#ch_zaNDkW0(o=*;{Pon;lCw2|1nrjN<(geqUO6^`%DlBjZkibiT8GZG2oLoe!zFRdpEY*h=eim}^{#M)oKWLON^RmZBSDBsV&VBY^S zpkrX0J_+a%qgi*hK~U=|axvC=p5lX{V$Z^@7TPL!a7zu@Aue+|Yaa(3cg#NGvJHDJ z*}22&w$-iH-Po2yrh~6v=GQ-zn}2>|5J3+&d`gsu%GK>^?8^`PlVaUF^^2jgo$1kX z;p);*_25`2_UBz>5~(Z<1(K`mhHQ?O>jd+50_w;aPaqu`r(@edO(>}ZbSrm zlZ(oL&M%zSP?{f|z=|*nH)d)xiK))@9#-0Ml`;=1FqUGP7e|d=c4N5Oc;Tmudsz(m z8M|4|4PtB$k+E?kwzd|&o2RnbM!Eq)e{ybvwWb!#Kd(o&l_7eYivZ)j=n+^`BA3A? zJh7{01DtLe5Mbz2ik7Md1y&Kds0Jwexx_GG5K{K?GCEdXArhp!##h2SWs!=9C!=9! zS)t4wwbq$OY=x;KvjSS=L)`oe#}5zR98e;)hNnE7a5?Dwkp{k(#S%@-g1`S&_pBjx z&$zkaCi)%lAqhFp7(Zq{E;8=Ja8lwEX3KxZQ0|&$9OiE6d9vxY3S_=bGm>{7?8~ZLsHCPbm<1Xpm2e zN2gwtQQzwjZ&G~najpxUQ*Jn!=`_Ndln~ zWL+`(;U?_bw)5)GNm?@)_~8wu&Xi4v-+)?gvOsTJ%V67Oryx4+cH8tTzmt;yb84-I zD|qF?4r20SVJLm}0M{hY&^>_HpCSZxnvYUX{*s9p0w`Gkq}Q z-8!le#(Z6l%I#_awUQOjN6vuPfYRn)EbO*bisUI>>u7=~2ubceWWlL$ocZe0R^95^ z$n&v^&Cb|NghduE^2rw}eD_CH-CF&$eH|LQ2$G-6`^+`S zJCa%tXPlsX_L^{i{!!{J~eb%^g*He)x9GFbV8 z3$mGhVJ{SZ8o|W#i0k6l<`3b*i>E?qu!HnWtKBb!eUf4a zA3irbCIw}JjXIak`#bfhdd#`U$utEOa5mQV0N&g>&Y|c-Sj~M0*e!AQI>pR=wARK8|V}?*vz-nG>$3Trgxe6Q@S-H72Fk{8;3^R-Ki{)<71R7 zMU73s&@JgRXc-&PkP=+{7MBzGX4zbmv^5xb8?eeAi0*nkGs?e=*tBh?IOoz1H~L@+ z?VVK#bE#xUR9`{$>i9|?So`xgG~g!NW+d<1*g5az0C?jnLcU}%?%29PBpzmg%TBa z0h2*n9A{K?B(-g}*9=m^3OQRS)1#6+<NFg_H&O^`MrQ3Zqr9H>3UnEphK5mKXEYjiq0rOsna^xz&2UGPsICL~PB{E> zk)Q*&7le=g|Yxkw=qI_MXnI$fU#P9Z6I(K{zQqkiaqnP0k#aYmBg zsvp+;NZA@Nx@-$48UJ8~TOVN(?XCCsxxp*$9_kA{Ajg+UE$0lc&=c>$YWf%}BKsqa z?<>HjCJA=t9+rf`+@fVR+xsj!?>kNWHyk3dIv;*HaRWy#A%pI~GBe)g%2g)q@%zf< z(w+zf8}Mqc;EM}5Bb1Tykt=DQW=qg4Z=&X|3lr+%p=>I0sd7b3(BmEr1dxEFx*-+v zPKqB3!H^5VFcA?&JkR~kTv{`MO9-QmH%s+(xV4E4ZsoO(Dz3Un>sdIS(flq+5o>@l zPv@h+QUvZJcQSNAFuz+4_zcnx!u%keIZ_ulFN!2Bx=-U{?)a%>QI zg2al}1$h(-04LovzVC78_5|yhz;jL&^r&?&F)@y2GlcAh?iOXpOOSyd(L50KQenPT z0;!>bd|K2@U@u|qydLMx(2(@h4srpUcw@P#EenHqpYxxKbYXu<;hdhit1Ptfv|upy z_#^05YkQfpQ}JC^w9L;lms;_qeGthp&NO46pmem0Aw{TfVOSR<7wrSjCO+Stooks|X9P{l#u6g=l zG(e$-VG-UMk6rl*j8_9(RZmw~=*W!(Mh zxuuF`OCSjxL=N+DIlNHN`CgbAc(!$S{fOlW{Ffs}4{aTk=@&&jS!mlc=t)J}5eCloK zwV_7!?%!Q%XMmNh#6OjG7bNKd+7B8jbUDmuNe&z-)M+kUMqj-$Q}{$l;T5Q2Tce(f}Fy*hm;-qg| zeRP{yz|eHI(Ac*Wg9<<>7ys91J1k-3M=ka60i-c^qu<5USfu#13VD=O*gHd8(O6U8 z9M4V(S2}Pme5keyA>-U{nWabS&3}t%1>z-vsCKULe2>0$LZt6%TT+wBC!{@9Jnb_g&2K1|mlCXP z%JNsF_)qO)EESrZkF~cRdA zZ6o9M4JU@TUfe4bp=8Lpn7WarTj-aFp|83TNP^KVW1b!O>zNtY_S8VJ3N300js!2h+As$F;*;u3?>vRSuO;Bt z?*0($*h^GmtW5C!Qy_J{oPtonjbeXnqcVlYCHJpr6pu1vaZ;5FoG5FY2`pYOQuiI# zs&$)EnZMxuj#=5FCC;um;*Q=heWuxebFQ(7Nq@0waHAk56lVeijxb9bJ$zJXMeyr}35)&GZfFk=&!yjQEeG^A(B^P1Sjej?83RqG7@n^@IUW16) zT_tgAC25O4<83jHSPv=5I(!7-I$k6`|C{;6J=3Qz{h?Ujj)~=5bR!L%IUG zhFJt_gw-CpyMsPg)sgs2I$M3ua)>+Mt3T2)>z^4Fje$>%nuJ}OA5t>&q57;G)t92@ zLk#KctHSSPoav5QA|=cy;P=9(_4Z6Fc{OxhjE@GEyE`n8IS=a>?(_c5?%!K7Ix=kb zrm~f(6p~;rzz83ecs2T$P`>4AeNtH|%c%02hT+5W{iHcQy!?LY3f&C%DvrgJ{p0US zewG)v%%64UrwC2f>b0+8jWN)bEly-xFrRW&TH)Y0p=Xu^66T_q4~nSdv^j35{8)wUuUn+*M*a^N8MDYRC75R&q&;v4NtuRHbO* z`Ephavx+T@SgNPW9$-Opt2i;v{a~*yQy^9aT=YoR8q5L3`=MEE&7WCTmi= zcY}T&^b;&k5%yIKcDb;%iMX^VvRSsYUB>d?IY0jKQiq9Ur*Sr+uDlEZAXRx!&O#3j098>0 zI{_3ml{sm)Qriv<0FA(ZNMT_cnNd3u{qABPuP7rd@N?))AkBnD;2AlsF3aCaYb|{fV_) z#;o-I%D0Y-*>Uc<1fEk}&-+~k{hGQ6(fL(otB-SmB%XzGnX z?>D=-9Kv*EeGl;--(053i}fe`Y(zy-m2Wk{q|DJdyAzzg%h_UsHtN#U*r0N6N?L1< zACD@%>|9=oEZ*9C*5kM{7~5L5WL)ApgsFKvXbcnT%a86W9&{>B>_&3=x|cYM8@w3w znxz|3Wy}GI(5t&u2C&2e_K4`Qj;z8yq=YTX5xJM(jXalzo%;gZ%2^9S*m1(m!Rh&4 z%suOD0U5$gr$@y0Ymlv0vgg3$&jOGlds>@{@%DgQmdb@A&Wd4yABv`Zr@ed39v+TL z-_hr3TZMDV&NtYASA`#!5$rCv+5%Pxt*bMBvKo;_zbL#%osE5P5Sn{KV_IMhsA`mjYcq zKuL4>i6}$MP%1}$+M#!12(GRHx6P}+@04`El@|pVAGK?L#b!@N+YD$gdN)SDdF8cjWDzKiiPU=c zv9H`grgLb4phHtwpG(izkKT{L$c`!sx!fL$J-5G857J&D$m%nN^ z(fWOwCSYVg@u|`EI(F#+Y<0-!E(P3L^gnvQ|19_f66n?PZ!tbTQ=ydXi$@qNq%ODc zA=Z@fOS6Y4Mq*c(54r(BwM4Ras^H4H=h3qSv&Sx}<(;GW;&|R4SsGW|AM+S1?``7sKP4|V?_=PwJT$>wr&N= z)k=6X!HI9(QM9;|r_yJ=;<#_J@nRCOJMxFmkobRI1Bw=O?sR!uNe> z8B(@@@CS$-$*iINT>S#F8)%Nm({3LSU^UTqvftWLCF}_#k5Uk zy!B`MT#jaP63>T` zs~#j@A~VlkuWZNrOCw!0)w^7qWp5!l)p|yA6q-(R(GLyv{SVH$4Qq64egxgB*AaIC zC#2DOm(=D)dVrLQZTcnbP}H-@PUM z=dVzJF0=l^ymZ@fx(&u5>;|6F0YJnlN=vh9A=Fplcn75@aDyvCEbAw{)HO4JMEiYC zk7c2tGFZWj$I$FPOVP0?J>DSPAH#fmnNfo7C!Aq3hb5@2jWkr&S%U}VQxoFNQ-$PK zX}Kw~hc^t=ISu>31GxAQ$_J`|Zx|EK5Lu#iJ>XKoIPiU$9bAQNpkAAXTc8!^niYT6 zlBF6+V^3S#JR+m&KCA)Kn}_o2W@W8cPSGDq$j!51e74J8_%qBTrd;?ubIWLoIiL*X zw?2%qW_CL`2Bdfc6X;ONIx(uxxORz$r2Ag)>O?WY+R2}+(>dr-&h>ymvZptYoX^7&V92Kff8jEU6Ak?Bt9jc+kZb>B`t^O%903PT zYY90-U07g1^nzlb{i0)JC#erl=M3^4`)yktoa^dG7y{(4I|X>5(7~7h^ldWGD@D-S z@aLdFK-yd9lF|}@Cx=<B_}-umT!_g22*b30kV7PQD)0vu4IY`Dp=w7A6-CJ zzCD|Q^_hQu3;A{l)in)mqm|=baQ!)iE3$q_S;~gHPcqIb*0zX0BZhaHV;R3!@;51f)P5uaJg`ED^a!I$Gwo5#4YlX(D+hgR6ly4adJqrpC? zT30o8@7LdpmQOH`roYm2Q1>2t?y$Yy6M~47#o?!U59eqz{KDr9M`{7(oZo=zxW&_J zVre*#T`M6Kmi0q!m-k^S!|o~E&Im0Z+SMQb$5O73Oe))F=q8<){uX0igg}EMGCvE4 zP4}lcCsX65h~Fv^22F<+WKvG+V)Zzs*SJcNDC_TZ_(UUyFOuxEmg>XbDLZ*}P{r)z zqG)e$p1}hx+#iKR4u2d@(E+WgU^)2a>j`bIr;ohk0Y$GYV3up*QHyiS+skPnvPdTv z++;x2#k}(F@)m;)AeM*?=OU0r?!g^6clhM%A-Bt3a4M(6+)LT6lKbXs%h|F!8Se5W z%N~w5e|~&>`4OI_smz{_a0m4K!Gd0gi4zZBZfj^u6*OGmR*?M%?l8cL0s6gO#rvYR z*NOfQB-1C%&VW}NH_Nfx50QU;Z(M^>5pjB9*x&qZ7yMBuh9zph&h}6EUq7hxECmT?IKzkBq(hX8l}6GH#~#r`LR{%`F4-_ZRhg#OEQ^#3u0HZjz^t1L?8 S%+ww5=dz;OrGks5cm5wP?WorP literal 0 HcmV?d00001 diff --git a/.devcontainer/images/docker-settings.png b/.devcontainer/images/docker-settings.png new file mode 100644 index 0000000000000000000000000000000000000000..7b5c91fb75dedd35c55c635634cf3a5b3dce5847 GIT binary patch literal 416841 zcmeFXhf|a7*Y67g0s~)KL^_DnNEa!gcL*Jn5-9@G zLXQx7Xn~X+p5ObPch5fOA2>66=FZHWgh|M{u4}FJ{d`xfk%2bd4UQWmBqVgYI-1W& zNT`oUNGJ-Zt`lE*mKx?xLUNK2Bp#St=pl5z)6j3 zVUb2fksKfIhGZiWLP)jA`W1gg? z^@f$Epx{VMJaRD@y_D^1JBEYFpJ9f;uN8@PfPel;HeBuoP%9- z*B+>n-8d?8^M59xC?!R8=V1rlTxE&kS6{&VyL;0x7y()^!m8s>qMA=7cvRd@8wtOo z(8r|zkW`ghbLaZ-!+xfPaPcSM%pVSL)CPI0`P2qE)>2=NW2w;UU#^qn^=;^-klvBF zrFcIs<5S;V|2t0nt2A0vaST4gL$7xZ*LbWGxM_wqKJqT|!!l}VV+yth65 z3?c0?w{QcWoF_v_7H9?s2RZGWLN-WplxRtwDp*eiMxrTS8neNd(T z6?**_>Gdx1*Cd?FBxa$M2c)ET$TdS>S5qCR-WVcbtfsBFhEfw7qMYv*GrD#&wD&6` z7iFocvK*yYgyXWnUvlMThQAbK%hGJudAr%j)#N_VKD|q)!}>6MDe9R0{CjBW@i=+WDRy~}Smy8BJ; z1*2ZLNyJYLmi(Va(%%GLh-}MzXO)h;_%u*ZW`BL|+HUx%wswL4-{Qa0e?|W?dhxg3 zTnz7w-_xKkgjo%-iGGqFVDIhjdz&ILEZ*|v-edXA2b=$tP)dekKJ>radMz-`fJ%(- zFL`JDuIcTWrDIJ-wfStw4%N+=$*#;bGxxi4Vq#1gaq|(1(QO}419ZzOD=Y`Cew^(9 zm79Pb*DltT#8tp@+ach;q~8{{5n&O| zebrhlrFqxrlduJ|mR*_s?8;R}$W(kUcwfp<+-lbF;-vjOfLlwp z#PjdgvGeisc{(qVJ94IB+F4Np(rZ1ZeiJ5f3@IpH}0aM056#!JO>bDVG( zN{wgPW}&4s9QJ0~zspO-$qd`vc73%}@w|@beYc6NiKU51!%fEq$9Q{`{iQ=(!?19d0r?>}k@8eYTTWyjyt`7$c%X-ox`$qprlzNZ(iUgK>mEV7rSn;xg ztU~s+>>F5}MBU1tw7G>E{`rf!ss`ukU`IO_!RmQeUqs$}UMJX(&Oi9AY{#9L-ugz%oQmav98z%us0`8#+! zY-+qdss3aA;ql+&IohB{>W>O_w9*9LzbUA*#-xbVw8$ARv`zVMRTcN9sOq*br--G= zSWhH%e>1necd0g=vGMt3)``QLsoKfm^o+RAO;B;u8vp({C&UiKxWM@6l?-&kv?1gr z;{EBihT~W1SjVgxj*8JYiq&JT<{JU47xgDFm+CpA>XqJszwuAx=j2fy7vO`-dex7SrAJ^f;QZaK4R?yTjbMd`!jJM43Io03I#M`EEa7(SDd zmXh}jJ~7u}5-7XRy*P-N=|EV4M@e_dFqEBK%slPjp?xFsO!qhAmOCpIz3@a$ZUqCpru<#`jkC(IY~T5V^WXQh_D(Jy4holX8vqvM z@mPAEu`+D;+M)Vb)M4BoR&B9Z0G+u(=K`X=88e>#Ma0)+v&qYht~~&kwcj98xicL% zV-AHldb&8aceg$TPp;USw*_DR0qug7=U09`^&LKZrBV9a?)l6@70u$_VuouVqSGhF z6KM-?&#P)n_T5Ls!Da#>V8TYkF{LZ7tuj|&{hq|8`x4X7)PhnI!{HD~TxH`-{#g*j z7j#*7V3&B|kAs3U@ObY#NO_F^IL#vKOMtUQ9_KOlPEf=0?=HtfR89T@FpV&KIj}yO z2~@^A@g}hI_=)%{;$4OVN`JyD;FX{PSUa2PDa%>I zdG=OQ$$l7uH_`4>Vq6R3-nvkzIvR#p7*4)Q%ExyUzAnpW;kV8nn<1p5w#py+ zF69p8J+kOX^0xF}F1{1aXZ^wZDoq`-2)387)=`eSN53mtrpthq~yl6r*K4FoNcnR&qt4u=%FVL^SJSceb87T4O ztOl>L1fEeQDCNNtk^5_yOFz6y9&9iekM<)R{`d71jX|&BX8w=sDG(ggPWaz1GXj2a z4R`jR%XtA@+VMB=RhdsQa7(%qaI{!CwTC+o2mp2xbob%G1d%_PaByw*P7(3#MmX}k z?d=+B3pZ=m3PmDb+j*}37!!fEPk?#F8j68fb^NT(?%LT}dpr)7Ltd1i`d$`)nz2e?!G#p>4l28*{l2gCGPs%al)8yjHh5fVx!KTfy7e;^v0CKU^o02M&p` z1`ZVaWKGT<>)|F(tOxb4of|Z-Ln@^SR^|f-5U&iZpt6+NFrnp~7YE!VxZ@h6|GE=$ zr$G%nDHmt2!9S63D_n2|?BDQNpz&y85T_A?$ixjKY!H2Rhz(W(^TH9t+W-hyc?qoa z-&YX_Y6E>XcnSSKF9=KtkL6z!EI~%q-=2V<@PhGEA%xXKq$?6eaNoORO@u@Kb2VLJ zx7ZJ|kl^q1fqB5n?1qc%&JP*ej|1fEo+)jm&!rNM^_;ip^ThucoL``zvaaoik9Z(E zTNz%ZsI5TjGP)A?PQvG^(z7zxBSVc-%$VZ-y5PRoQ^sdV>j#zr#iz$M9mo8g`$0&> z(X-C8j!hKe{1v*x7b3MEatqWNc=#UO9p^S%q}uZ*Zk=yw5Q2nHjyhh(_pt&L0-sR% zr;wKb7*w9{q+}nYrif!@U`A;Ge$g$h$yBOUf4(Z->>X{yv~juY$&--O#BT6WYGpLx zw28LF+OJqHkXIsP5iBc%xpDvK^XmF@)78my4DTSJ3k!@tf3DXLS#`0yhfk3A7oPrA zXHWB3$yVsh(0>$@hk9#9`fS3A78iXG&j zHHSY!L!9_iD@T8&R`ql2+A1`azFswc5nVS0AOPoe*DB)cZI9wLzMeYCB*ujmV!*eZ zb+tLN&tC7%y7aZn*x@nDKyO25%x?$IX+kxA;-skUq^=%sLTCZ4-|hdk2dlT!_NV6c zNBAC=;?IyU7Kw9NyHYg7YN$bAsaQI7S~J0>lQ56cz&g+sk8eRO2~W@vvFOhYSX06# z5K5>Ycow|<>W#(oY4B8aJH8IZcjrtW1p{jlsQAUA2-Roz_60pTCkTT>upcKX7>5S;Pi#H`U8( zdQ7W`-$KGF3{X6mG#34Zkha+V@DUog4&<=feT;?-G!jT3DQc{>{7E9Pn&WM-sdU(h3Am+7`SwezG;ey$ocrcBoPrx5Ix>gx}P!gnEe?t{RRH zo)>AvD{_JrD9?Fw2{UJq>EIFT*5D6j4VTiRgh@W-(ua79Ji?H!fp0=hJP_?-@C+*t zaTx8p^a4#*<))Pl>3bxh4E?_JgQ|cIF0E+Sb)Y~c9Bh*DqZ5mi=Infif1WTYVs1!U z(xU5{N~jQRs)PV{rJ7{ilsnTFOa}hgENTp-b7B5zx|A{ zEKJw+IB@(#KMRcm=d1~r`s0ww%=CyK&P}ob1mR?i^hcntKE4&}8-iZ&nwdx{vXUoY z(zc*Yf#>6dB!UdmAMc50GL+YEcwp0*+k4n)fU3(S_$)CQK5qdM9Po4gdOWEe>%K~Z z#@PgBt7a6=PUVQVy;4-e+z^LGzv0NBZ2GoY4}YBuOKZboWlafB!4s9v1}3TjCwSA_ z;QdcP%+B_UpX_a?gGUzxwNuDu?Gx`#!UwxpujtYnys_VghHlE?2fc1Ns{X{G;mG$N#*xu`nX9XOX>;4__f(bZ{9%3;OGo^ z{Iq99KU?al`=@x{-MPp68V2umA@O|k7`$&ip>CpidKx05y{i(7*R`9NScKRXVoNWW z4t<@V#K1Zn<(*(X+HB{|WK$z#lH>hW||Bv|j#H?Hz z-N}5JST&W`o^S>#7s)DA#_XdETcJ9Kr6Q|_?+PI*sW`}d-OsMQpKjKkTOfE+qoF^TAZ=C^~%M`x}(S4RK6wN`?0 zb>=7gQPQv&f=`(S&*y3U9XmS>;?4y-kRfZ{sNVEBK=ecCoY06pLN}O-H_t}<647Ba zhtyTeihaR5XP4S6JN$71R7sf1J1#jrZvQ=<@uem$`%6*~Ar*|z+%}x&F-K!o-zfBF z9BrtSjhY|jSqPWzVi0)R21hzj86pXcG0=OKv+bG%hJg9YwgQeI$K}OG`)IheV>ux$ zr5HmWFNgx{ux^6HE=~aWdVE_$W(l9U;TuR5!9FfHO+d!74POYStii8!%EWtibP!NG zUYJr(5WaU>3IBq#Em(OG%yJ0b1dbM8WZO!Oz6k{6zR4o&`3HO`#YFpg~_*q(fKC7B*oPt#rJBvD@G=BbGI=8Z)n%%$= z{vv|ck_e~xH81?+k)fv*e)6V0P;qE~f#nG6-k7FNFw3zCn*E!q@bJ%fJ_|d4TRj{U9E@T78YS} zh?IKUJ_^`9zdvoODsuvG-_5Z4$EhZ1@)}4DUBMeK8 zJGh@T8h5Q(bLj3hwwC)!_m&h>0zPmaK8&9ED#7|d+~rFTeGgtv?{qbNG-2Ii(qgv? z0w{ub8JozaDOpnro47}g(nAGTD>`rFx?m65548$*EclFt^8t~ zmK>B<>u;Yy(@f~?F5RI_A>_64a6%61j4YN>Sgu_I)ownt=y{m*_0;14YwKg?Sk<4D z)Uln&nzZ^iZ!o?2^tRohx4U&e#QZC4NKK-W^=q~U zKZ=cY@p#@aryJ0|27>C>KI-d$w}B+u$i0h5`cW}ZB;P1f<5G+{quY;;q|gmSzu7Cy_N zzUGcwTG-fSH&|k~oBzHw(bI`QoiiINYx&;ZlxsK^pM79)QhuF6i0=IQ`eG8}Oef`J zP)82FxBpx{FbDy_%P$I!Ivygn+YbkZiO0twE3q9@ggM|e%$muDN*h9gi~TQ0?MCNa zVZYl?rcE(4!CU&lTj`xK8F?`5^{!);2FxfJ12p;xigt#zo$+-Ru@c7JEgAZaiML^*3pu_Tg84&iT;wTb!+_Aj>W0+bml7_#k z0|IADLW*$AQ4TMUyWzVh$oL=QCYuvtMt20~^S_}be+7oj*xmDbUDKe`iYNZArCV5z zFTs&3N;ShbOQQlp$Vw014<@R8-29W{i9214c2^sCv#|1c{?}ntj-#t|0__Rw;~|cZM|Umz+V~An%7AsY zR`>IELZ4ZYZ%^h-0w_|&{+6@~`KsFUMABaOkT;a)bot^sDMq`>iPt&vKUnf5q69)m z{m(tC5G+P)kJreu4C{!eZNtnrWL%sY7`g7%sxwPG4&;AwXl836f}APcF_Dwx25=&P zkbI)UT6+1r@fYoh?PMdBXB^JooqJ#W4(wZZQ@&q(4{>`BGgsHr{E%V;yfYJ;7L48d z)j9*A-&F>{?rP9u#i~!r4CrobBFA&ey&mNpt?0oPrMcPJvROr;`s565U>#)&zr@1< zOwuHCR1ugbfoA(Tw*l%F1ib--B*@F|xm3e7n+uC>(;E#bKR=fizohELMK(j(R+Z(U z?;_?98i3Ln@27g_{Z09r98s*l)Us%vfBLbguI4gGubv`Clazk5znC2n;gpvAQu&}) zoc0N7(i*ere~1CK1;Yb_OmuyyJ{I5f0(@4<- z_b9Zw<(I6OzXTE3FQwr3Euu7VCf}b2jb#v&Og&u|B!r$#A1DtEaNo-`Tm8+({iKU4 zSAXu1rwtvk-}Sy}e5QR*%OxJVmLarm89Cz60}TrrA)D@`p_XQYs#*OEe?4B;*8uut zc?U4#_T}Y@vd@Xri=-f)*9(-mi~Rz*mGQht#JUKze&)f|UO2*TkKeE3&@;QdktGmC z0cTS=I!KaTnUkDGK${K2)W2v0i4nX$#`uqA9Ce!97p7OBFBI((cY)aH$<4Enqx8+^ zypCDCmwk?-gFs>#yr_fALa=`?iO=vpXbs@8#%MXTGYgn)i0DVhonWtb)`M`-oqTs2 zO2HmyKYU@Ai+si4VsN&scf#rBFbMB~P6R84Fd+hgb3uE)dD0Nv=)Npr5J6bn>^L6{ zL@`LVNIdIxxn@Vx8!ohBy`o7X(kr-l|A`;VLsza&Cac#x@=ohMOPlRV`;}4I7pC~w zs};Ig^6v_T=?J6}v+V9`(0OHqWw4RF`ZcMm6=F?iRcGrZh9iz#+=JzXHXCoqTgN~2 zvOX?>V3k}Ro59p3n*E%)I?KQ)wLg7gn&Fw<#BXtCm-*)|VD4a%jSTHU7x9K= zsW3p=%LrP5mY*?LquvKBta4@+(GizZW&}_dy{hP5+o3)X8I$PrN>Qcz;*#O)F4;|# zr*7vhS?j?hk=4gre3pzadvsT$74CP*e^gftDV2+Bf(kib9xEM@EvUK8>tA9pGVht9 z$xehyDO|bjV(b!TDAY38nkQrBhcY!KVrJeF&)^7~#lVD5O@$dq)3(>VGhx4v?X&iG zZ4~FToazR*=iqFaf(y+@8lSnjojz0!ZE{D0856|6A2y@QnDKnv88lU(=(upI*$7${ zF0L`iD|FZVxw4_iv0t1ycWkiu#+p7LrnW#86nYzp*2y~6fi(q+i_9&(m< z515YW6`%P0+iPC;w%{aFyk`}N+hC2wj{C?h^V%z)yO`^1TAyednE2{0&=Tq{QolWL zRk4)<-tVib2RyNjo##)2!RK}s4k4Ro?Q__?rZq%M@RsLjBKE*>v{dD!?3^ydbsex% z4A?COY-8?$dXDuj?*;#Wp$R2$`owP-2cr$#DL|nt#Ok?TmyOsy>sm#;VMm<*^d=m(|K?6*UiA{O%!jZ z)O7B6UUgG9Ls^s$-+xN*_m2+Sp@4R!dR9n&75BXjuOe)be=OjF@-#&}e8ON6LF}10 z`%NVupWQH9uo!R$Gqf_yCOni$Dcth;6=cMh-zNU4x+yYf!AgDTUa^;o127TU%VJCI z;HHee_03{s`^uL{_8C z&;DZBPRc*c+I-pM?Sp<+z3ZCGEJLO#|6b10w zpB%Bbl@#rL?%nHj(s2oVaJXj`PU*X1Uftof=+qtH=KbFy&?l2tzg(1lsJ zNcW4a)?+PnX?OU(aZ&lsOGp&q^Jf6V?D~28g`!(?!kLa23@^R#u*&v9pQ({2bA}I= z)}xdrggkoG$(9c}RdGrGbVb_!a^T_v!JRCse&D2y)yoQcYvrX-ce+rQzj{50VpML; zFD@@})H)V03KhTEpH$3a(|`U#riG>X?N_LF?vebyaczz=-$L#;8J*rJrM1TXptg~g z5Icz=YqSJi3$I0NrKb0Hn;-8m{tlhb;>QyZx5kcuLAMw<>URFV#Z|rg#4c#|#h8|$ zsq*Kyy$S#b(Ob!*BOH-X0sB+#?6OnOMlfm6hv(z~pR!Hh?3&zI_cdZJC#w=P&+5EO zy>c`5S|bk=c;hzHUlMguOO?9C?c~R-hxZ1e%u3&>evUW3!@JF;qV6J1)D6To-SQjg z+~KY`*poSm7>ye`tXL{*&j>D!pTte zoF_4$vmEINQWFzlOzNySgX8hWS-^u-s1)#M0GVY7UiC+p8HUti4q|{gU_}UEpFedC zuutUfiyc_NcF5&CA|#o%nC{}r(f}L=uh0;_VPZf5bJz~>asFlo_{4V&0uL@VLfoIg zFK;u${Rzv$_k<>5BI}~wQogk8b7)RF)T<3ZE&&sN{mtW{-wDaCg$9brp(!_Xk*#rzelbYQ#7A z#eOy6J)1T3%OwZia{o$o@aa_(ZYW zerQ;dc2i0#-+}jmsACZKZp2Er)Tab)#^Ap};sMMF6ig;@l=jPc!dNQW|EvS#|5*p< z#szl-;}4Fd{D|qEe#rqg>KwOSk)aJG(m81OsudTpN?-4O)Dq4cZE0_kIF)}e`{N65 z>GP0*(1e4&uiv8m8kD%&tp#ouSda0yhc*reU5;R^FEv{Qm4aAC0QEC7qBKM3^duJ! z{%{@Y=_Ry%byb{DO;jY>J!TlhW(GOBz(_;MOtgnVN{j+UD-VDy_HWD+-h}!WMfY+@ z+46*)#)Kl*j)RoVyF$I3?{lrhMReg2bN8c-+mSHD1^v^+Z#Q4!D#UL{H zIxPedMS;#dkfBL=@v1=1YmoTI#5VP*ri)jX$heo^tpQ15-WjN0VdC1;UWl2x_XGVG zX$G6`dh?FoNg|AqQZN>k0dubY$mkYB%_urk8brX-SOF%igEmXAH6b&*wP-0P!+n3o zG3g#^^f*)Jh9sM`Wawb;e3G*DwhVa&ZS{G>)7~UXtf6u9tGmp7Mr#9d4MBiUTw{kk zYfrX9o5u8qN>Jz5`Fd|*_uRgLZbYFSV+jY^p!fK7c*h^?@jRg!b3BiDAF?wTQjeJ( zRJo1X*Tr8WR?Xs$M$7Aw#RkcJ&b362s@|IB0&R=_xq z`X<;JE0J|bq%@h z(kTDkZjWX>+2z+v89S5e8?t%s_CEehV(XwuTz=Fe(#}tlC-?M^qClbM7lHfd*XHtq zgSV`SX;$>1)WezeH*cIcxRJR^ukNu5{(9Ib!;uPt;Z{g%N1KgfYwAD@-+%``M%lAzkxZYN`xJq3#t%?)a}7k_|o8 zYS$bp=q{IeHmn=#2vj=}qFt9-c{%$#_w~NBd9P_v8R90#9*a#VRS;;IDl!G@q`R7s7fc^YQXvK3eBZKP5fU;25*YeC~fe^EU`^^L!(~kDPHt7idQAeW zgxGrIVCVx*P}kq2{pXLErn0zKo&9~sB7d~4tMg3Rv)|X6J0L3IPn5P^{lrWIZ=SIM zTHNzm6hQ^7##plbBZ^F2lR?&$+aYf}hb^`BotZJyQv-f@Y2}QdJ{lJ|7|H1=H4&wd zOo>fTgI!K8NTLTfq+o!`NUCbZ$^D6ETx6HaR*j92uvN}?!CsF-M~+~AdCs(DKvW#? z#gM=bOd;?veNz&GH9+4#gzto`-{<`ST0+mCrC7p(;FnlKR0;hy!XKHt83)3?L!%(z zQVfJJ<~RxR$3^M)>Z?Rt#^XrGV*s zS-;^|WM9bbN0i5)L8;+HZBySlbFgl`ejFe~%X6@1ly3|@=#C&$O$=-LF0fFIq85mV zd9Gqs=BItYQy~uC5PRY2*;9BIfcl%{>%jbZC652_Yi%t3$@dbKaj(SRclmOxH3j}T zxWSON?zVB^@+nL}X}&Lm?n1R=G}Xx*N!d0{%6!BzmC$R5n(2(*9Dz`du;^Vl`-M{)7l&>yCInW~yTZ68>%BzR=PX4PtlK9Jy!C#$)I%5 zi16x+v0$x_p(V;sGTt8}Gul|}sr8)-n=qn`YUmEk{7RFXu&M+RqUNw{m(ID--uq;p z{|E|xwArwxSd%U{1>iKq^$gFNG?&3PvW5QbpGRhzyv@~R%m<+#tUaHu&KZtlv$Wc; ziy|8n#*-$aN0Lc)&!v+RWA7xGT`}EQwRrk#hGT_7Tr(HlRS!m+B7CS#*DiK@v;2$S zCR{4HaA@VJofE?-zhWsK6Ol-J%H+Y}IKDwIE)ZSlqRg()G=9jA|${rJ%DmUb)FyNURq|lJA9V;v~afCSJ99TvG0m>U*3)# z+T<)jseEs>E9t?=#JRp{zmZV!FjF$9drbE3IMR_fA7?5hWY_eGQR6=GKcPjJ7k?Pp z4)wKfo24XL0}rB!M`e8@g6}HvEexk=cawD(kFksJl02l_H;ym{y>Vm7E2LeMT$8OsU!BqxIr) z?b;#5kOv>Z^gQK7KRGfLu5=~_8&4{qe12_D4%$-rSz~~dsNaJhV~k)wqq;uGABp#f zEg#!-g7NenOW0UA_7%Dgcv^%R=f#b0Hq2NIU%ti8pHFn^z>)zt&o;wO%&6-oV(6>^ z8eEAv0Us1^LUBOg0`@oTWPUVoUvRMLL?LswE=rYDC|`Y9VaYNw52wX()bi0+NV0?y zCib(7r#<}P!!HB>avEXg=J4u|i`Wy~L7SRzCNxpn#Vk%Fc7!IiUp2^~JE67ZDIzkm zCIZCL52q%^GmWCIz)o~#pS-Z!W7Oi1dsb}z^pPOT&h!CQC2B{U2= z-2dGd#O5UWK@d|bgLvS%!i^shV_l}^=gun+4yPN`BLVL;@2y}IEL6i1H?=3tR}PjZ z0=WFLDTCPC+^m32Gly2u>0oiBK>rA1onT z%VTY+v6hg*Ur+lXewl+-Ev00ePT~ea{+!V@ zVFj-JrO0kFSzuuGC1S7f_7?6D+aY@1(goZQ57+j~c(c0+>-Mc0Il{So57N^8TzL82 zdK#c#h4!UL>-;X6Y+Hhx!MZb}&`TDq!chK&)XK02Yow<3b&tHm$;dl9STWa3On{a)W!;k1!Mr_B+$^)Dz zU&*Y{o0ud4tSVpj4`SB)*o)1Y3E=wdS&NdU_Z>SK)=7GFr9SS3TCx&RukAadwfKT& z6aPu{pl3DOuCFkZb{G_BY)SH^XmQ{F|mp+c(aGS}`2@I-w{c4U&vCT62B}GBWYM8Q&P11FPX|j0rJcdI)#QGLho#h4 zeCGPs21WowPrueRwl|vFW_{%n3JQSQpWi?(9y3H+1zx+C5h(b6%%OuWP5Av)+Y^r2 zh!)1)*-0$423Y*r(b@Y!SvGFfjQHUB_rd;7O&ddM-Z94y2hN)~(|hdwG;+GHg?c5U z<9n*V`!H5$D8n%yV@n|N#&V45 zVAhFsdd|CP=J2WeW`CO5D3pHyV; zNBQ&Z#~k^Y5NcxAu8PY#n6CEsRbLi;f5H{d8=?LgN7Mxm^}dw*k#g6M)lk!OMp?Ga z>1I(@1hX>Qi~pO|Yp$}otK5!dg!qEdYYn6`0X7D-48sgY@QIl)_TMt(zk^Q(3=iJ`5wCn_q0HZMssOOuEg3 zO9$WtR0vZpc+p@G{wM(x2Fuz=x7U{zg>H_EXuUZiji{kqca)vMzYeS9%y{HNP{w!T>1I(tkpKaM4xM(^faZhIeEavVB4%Du`#@w zr8qDrI@5k9{CE^IJ`ACHKj!&;=Xbv3IWR(U+By>`N@k@p@zxBvlYXeZE<3 z8^=v5^dW;V@KUR>_%_ZRNrpY4vVJmV4>)rO-H1w$8}RO)NVK2fSo!SN)3aa0Ti)hr zj3I~4LdlO-D7=z3dzh^}nv9a>4MseM+Tvw4D zZ3&SL3%;f(?Z-0k#gqE>G97;xHd*Gt$7Xrh9`~B{TxEo#r}9E_1w|u$ec;3IkPNvb z{)B^=$a3nBZ~Iv77mVkI@mx@RNR|%_OdkOz~+S+`}#_R?j&fOG5*b zP1jK8{5SmB?s{e&INsq!hc@i1tN#nTYVW){Ce{>IE4HCwX)fEBeu?JFoGg40%G+mZ zFnpVkfnUAgiY!L2=b1n|F`1Vr!2*tlDx!(|J-kHMvRg7bQAuh2N%QHalQWUM=U;Da zj>B6*n!@TL^=98)YjD6heps$N(dmyT>M#SV6P^M$BqX$&zSG4(^N3(`p0xM6VAU4Oyp#maZQpE zv*3(z-9`i$$<)v!zqKXC($+LOUT-K)=4uY9-K_WRtEjVY7IfTGBB-FThDpDkOPZ$h zM*Dot zonj{)d&)d_sM!CeJy^?Oz7(0vyL>Zz-eL|8Z+e=2C8*>@{ZMj>N}lavRIPnoxdtO@ zV|*Xw|HWUn0|yU3H^$j)T-K6GlelXXt_&{*0*~|_1(2QBLi^uw4W!Vj1pGCPeup^%R9pZ+SjLQ8Y2>v#12*%MNAIb zR8^355*r%0?*Q8SG}l&WiO@#E16sxdV0g7(+$bo0k@0U+IJu#u1ZWy&18EO;fb#^7 z3b2wMqGqE;a<{v<93~Q6Rrlz+pvPPXu|}ZX8fKR8q`; z24G~b24KGB-pTw8No4RSEc=Y|ec~it_S`c{Ixk*c5@xyCU~KUo-w)o_LdOw~k=gK| z5?p1_)^Olf`l)`vhVs!Lc*to#6u$_NA@qaZXSss+aZ2=6 z|FRvI4CG=3>F(4$Bxz5Iyf6H~l`EtXn7^>*`|;W;^VO&aX?201Mf|t~04|=?vCQJ< zk>GuOq1o$SmoqZ%|GJ$2*X8{GtIG*^tm=VVnSn?Vx*-?p=om19UK(=VCwK%b8&(QB za)g~a0`NZ(#Cf9(!bKagE&`i?mjO!neTYET>q0s!pDnH~Z8qh{ zZ(_HTc5c0>H76LvXSG;K=PJMaU-qTL(jlk1WfEWhTp$nKw6|!jf8q*F1amvj=-Jj4 z5;NJ`r7V+rJaM;DY?|i&w@*$6T<^&e@p+&WBi(xHTw?_7DT*6^$VEwoOiqSz3Y4$G*?5WUNX@azbz02 zPTd77Vpl?FlB9mGPd{?kOP*t(t%N9Ls2^!qXZqkKcl~X#|8bI$ z)W1Sln0eQ(6f%{}PnLhX#ekxlQG*5pSh?II$?IN`g4eaA`^q;~miZ-XZt;7Htx(jP zZ_e9|3C;^nD6g!PzYWRn=yZ8QR1J|{lR^xddex_S+7aI7nz5pMIf;s9_@3p9v>78}!Ks(K)~5^pKeN;0l#_IENBc(U;qa3Zw> z-g3(Rb5m)aI0X4HFVQ$>xY_COd*!;v6-s|V99!H!2t{XBv@8&-lpoi2#W;ehu_MNq43u_a*-|R|0beE|DO%!2iYGTSrCN z_x+;M(y4%S2?h=bNY99XptMR#w}NyH41;ucNyvbp;0=O;l0$dMNJvNzF@(f0)R6lc z@8@~mXYX^~v(DLT?{(JN>-`^C%r)2V8=v|mUtg4fT&Yz=(cH0?d2A%JMujnZD{;%o}k{y6fX|fYlOVbas7Af%G;f z;O5f2>=E<6kpTBAl4~JU{&pp-qVf0%&f&agJjdeHW?KqzJX)MBJqN3T0uEE$-r9&! z&Zfl7NYDxDyw2jd;-WY++ZBdstd-%0;{zydD1p@`7lAPl{PH{rg_o0Q9*V06{gz-R z7Wvf4m0c&n0*okpx$`4!$OB7R(~IE19|{4B8O+sz#&NrEi!BGg_c!K;cgYecO0*vb zu?hEk3$ln{+Ht_*tx;0s$WjGd|+|0d*V`D?R? z$2Sr!PEq%JhBKSKO%TR9$b|ZU@2H3pUI?pLn(f~w`d(ocGoJ6iWZM3G3Fmwiwi*ZM zw6#f1t^NM6lURVAT!oJgEQmgI^1>+x0MqkQah-}UaPEMAi?rz^(BRMBlH zn2yFOJOrSjn-3$0Nqfuw=;!~Pn6z3pQgRaci;<~}68QW|*Wp(|j2>e<`gfl6`vGiS zs|e>wklPf2m>lsRs~#D3rJy~GxqF|KpcT4QXGaVnuKF&PCTuy`x(DqIB!AY4F+H(U zAA$t{nCyw0Q1X^?AVZ7}-RKU|+8!&{+D+c^lIZZVD79^T6|k4E+q_=R(x1OF!Ch*0 zw$6oMU*!bfP+vak43rnqjUfP1n#h4wfL7bIfdIuZAUv0nelAr0kY@|LpalQ}0x z<+W}Mnfi6+BllI#CkEKoc3@z}8La@K1bc5_NQLE^0So5J{CSc;)fiq35XTk%_=-ZA z$u~t!tut#;xKLb|w!9(m3&khxz?!5zuC!~^9m~e*(PjgvcR-e2J%=|6DPMl4!&W2Z z9om-6JoxBeevM1!e?|CLx=1AI(Ln8WnBJ)50WsEZrF$!40r7Eq2CmmV2RHGvDx0H( zndF_Hy5FM@x6roc0G+D^2>#G@iZI(M@kHiw#l_#JF^pSkW9}x+VO~EsyL(;IRtH-E zN|!TEe1p<^QCcKd*mf{7FS1eNkarG-`L>dHdbBMGY<^!($(r_18y`^1Bdo{68@(3i z+i-km(0OK_e<`s>s&il+tR#w8)l+DYB__l{dZnv{)pq1>HdDiu{0^hB1mny5v^hRku zo4>*@(!0>N4=7l*{Hmit9DBk3Il`0mgY-V1NJN&TfSMiC59p`}0)i+1q62i1Dm(QI zWBb64O(4z70n(fiP;}ENEdOeV8JAV><3`_FtA1Vm&M&@Qtp|A>CcNSq+|WWv&of!( z0}E+Ci#&<(f7Wcm!Xyj8U~t`c^4qClkDgK54ER5YToxb*&E}|MnmgB^OPu_E^RJrM zVDyc59O>ED^|UF#DFE4Xgx>^|a{a^r8}Ksp@U9Z899Jh4tj8qT=I11H#V<0aT4TxL zB5uH`+t>P*dx^!pyyNi9F9hvtzqB4f_8yT{;kr>D=3Jj(!PvXPcO8A}pIHF!I=&&^ z;iX~;VACtELcU_!ECHflSO8&QR^qIS0)S=a&}%%TdAVwOGUfZBX2#jB6q`)dUHem! zQn<&hoQKe9$ry!Df+*Ott=*E2f`|RL@RH`uLpZl&BOKKpZ1lEn=Z09V zGC9DlP*^qTaP{`v3nN#WY|f{{EDR7~3V`e}rZ#2bk7Y;P_7h-wFni{EO{_I{v0tXq zf^m!251Iz2u$0kFth9zL)%xYyXOVZTQjUWkoYXk#4!W=lMG$}*_7y`7#;l)2+dq81 z&;zB>n1*N4xu^eZhcaU$^H?DW&RxsP&17&LCjKS0nTrS5un0jGW!&q3nBk0qOSH}`xl8W~3dw4~!Vy9Mxc>R?7sKsoO~4Bt=& zNnI>7@7Aqg&RY`ixi;<_q&D?n8aUUaaf)ZDLC2ue;fnLFR6uy{;O%3rBaUKwCQKpf(w*s&`2R<_nRs)}M_K zWBe~X4?drRYj|1F-iXJ4%eog5Ik_)ob-`Ya}yg|wGuz(FO`cj11Kg0~uG3b}eS|}b=>mY(Lkr?1? zH_gnVcUU)2CIRX_FYDn<_fRXj8-|f1e#N)amYH_v<=~06vbk(xn$y+MOeQd-qc9OqGOi$;5JlCdQfj`F}Bq5PMkHfNrwMn89ej3=s-Z|MVlqW?q6G2T> z(J@@#?~_H(-rluISgHKy8w9f z5Y}g>Ifq2Ih8gM7Q_HZ=T9P2pGF7FGM1(4_7r`q7Xd&x)ep5f*n5FmOqB*(?$W^a@ zZcJbmGhMp<(EsInYS_RZI=28i%0YN4Pg@>eNqH{;yv&v#%WpjUpWqQi1i5ejpUWfq zxwtsoJ5O*~J0BtWywxBkXj>6lSG6C7?%h*e%-tAA-)^enHVV1@z3xE%{%&0xPUnhHxUwVN{daX}3>fL=W0(>nkTBE_~=|`}s36+~Et|L<4?f7w< zcNf4#183FR$@&q|B!ENH*#vNC=F@!W$@1LH1bhbMqZO2{v^j@cOHnVuzYqCt0j5(q z^6&v2fFxuW8qi0+rZd4zghc{Otl6gE_dkX!$$uHHG6-(g*UQ=Z3)B+;&tm?KgjMe5 zeNUEWvM@!L%K}Z`y*FAe)nzgwU#D)e+9#olzB(3rJ}1Ucu@FR1%NGg z0vZO{dW6r*#n9zloMif|7FXoK6I}7dJZlaFCv5%_zN7{(f}ZVsR7tRR9SbH91zK+9XM21)41MxI6wWPuy?l=Mg(>nL-P~yNe!jCcD}U<%FewjI z({Q9GvA!aRG@*47tz}f(dX3lQN({&FxlYB{utQcCY`o?$!I{ail4-1reJe9*&S%rs zu6D1K3t@S7*0UDa_ZghIMD4EZLsQ2;n5GSIs6x4dE+rDgxrHKM0cHgdk;M#G>!1W6 zEnK8Ejb9N6*TQ>Nz{2BUvNPuHFg5B*`to?oa zsEIs5N3D#(CE2NO<9L;k870z@Vfv z>|Qs2Y*#B1^;)rKzP)wf^o0~XGJX#C^+6&54V|EPS{_J70H3HWKXUh?Z37*r<5$v& z2z0msV<|xpLfH3Ai`xKuHV<3zBvgQR~Y#~osSY&gj484qD@ND zlXnNIy>Ey7BHwS?WC0Vil|&9D9xn%0I^_Al1E`lGFlz>Txiz0^j%!GLj|Izb7BEq^ zlY2^u2xTzCc~e?#qn!*9+IRwDPZYk51XTW3Piw>2{)YCVAXqZ|xZ*AT0Dh|o~(c+oAkMYrG-mtV|O>q?inx?M2(%n)BkHFHyrvQ|m zJ@N8M@d}lb0*9wPJS(~!)V%i&e+D_9S(&>qY#xFgj{v^SWYA_j5MXf1frqbSF4{nW z%g>dbJaGLj6(exVbL+*n^to;O$-FbIjeI!YhGW7LKtTeiY!2llXzNX1^V<>sC-h(o zO|m;JG&E+pa-bM~1TCs%61BWl>0uNQ5}x9DMmcl!wH^gu@BqNWYsy{%+%*8MwzAAl zUdf6Cl+RxVUvp#*q9^wuZ}01+E&g2e(fx3v%}K0l$)(WGDPqk$ICiREW()K{ns`dD z>!F9_3|%&TjGz~51mi(QQeuGSW#gi>LE%jd7FOGKn~%2Kft&c}EmJNza@nM4GIK8# zET9t}jvKceaMebMDK}KB(pYe^rc_b^R7i}a?nt#}UF{x0nsOLroBA5qdYs?nUPcm6 z{@%8b`mI)JBtpnM!JB#np+lu$_iv(jgX`xBWC&T=x7V36citci?1z$<@X*0;2sQ6+ z&wJ)AZYgKoup(o-IpuazP z`;vlg9LpWOHQpTYyz6INxF7Y)1oUtMLTSsZHL(RCvg4L=v%N3)ZX(HF%^C4vAujnz zW3}+Z5SQOq_>ojXwM=9(I#CCu`Ropyu0yylS+}w8@mIPE*eXX0%h(Wo*K3GbY4-L@ zo`NxFk29(w!y1@>k^_c2hw17!u9*P6L6C5RKkyy4-};hXqW$f*@ofm`yWwBrzpxx_ z#^;gr{10pZOLp0uew_GX7&R_t0nsDeaP2#08T0hUbk%|d_oanmBc>un0ipmm>s6(s zRGcuCa{a~ct6S*6RkxsDKa*GC)mv%hxM8zQv01Fm5V8_L$Hm9>d;0lP*7$)VkhJlP zrl%51wWRzO0Ome@Af&@MOVR98LqtheToc~?0GdIbyxL1H{UDcDhs_7`oogWn?Z!IPi?xD+eds zx!RyAA(oVlqnURqyD`255#+xa@02M0m@FnvRyk0B=I!a6%dG##r(V}34ImW}|MX(k zA_$w)d{zd%dQrV4Lx+kzt5f+wDliOy1Eh`FAU2-Aldzxc;+^MeY;Iiqv@uemWo|2HZI*%LYX_BX*K!UUXAWJX+VG zJvB;ut*G9sN*$MMC)lq~kh?rNOL;+f!Pt^$M2`Y_X-6j6)(ry!V=KvGBO1a8#01HY zdS(z~^~ka#+jjQLI=CR8ckEzQQzJH>x3yWI>IxX*nh~eMS8_9Ak-16+WMXx>- z+YiP(HkO|Z6&aDCnFAdU(gy0nSbz9rxgunN&!~PF7FiL34?j4rwugoYwE#;y3PR@^UFab2j>h(s`~xF=I(bED?3Z8Q~D_Z3B(s8gkV!U z$)H2!iU(i?Tm+C?s<7j*%;Y`^_0M+*GO`b3-@g!ocB*;{lp=Z4;{ZwOgH(jC&3%LT z?Y0*)H${V{BD)$?v*xe-NA0ze2*Q>iE*)MObIO|QWVH#`q=mD)Xy%4WBZ>e$%9yS7ouA~2Hq9`t{nOWQpDAjZxsCt$MnBL z?SFlG(Ry>*ud85kS*tcFNb4~2>NT>XyV~Qiw|iOPL_TZVjf>Qd0SEi!w6zv#shWet{1t!IRp@?!F@2zDfP_S_OFCmnoLf zpE`}vlW_~s^POAhM=}ey>JB{u@8g^@(NZPavj0y;#Z`(bdpg8<{=F6HgYdf+@dU-z zDd^{|nCn2&0+0s+_!Msq%9Y{V^gz38fQ%KGsU8DK3xDH1z9ztd9q%w0(JhWhw;}sf zQ1Vdy^YznfJrr3-#(+!FxZSW$U33xPGe|vW9$_@38~m>Lcngo6JUM&!w@Xp=@&9Ww z5I?^p&VXX$HU!*5+G4mPeeC7d(EDRw)Bg5(p#Yy3@sy3!jP(0sAhe%GCQ^rL_^o!* zvn`e2YyZdi6t^KWne(wSqZOvE{1up_4ErcPF)g(lu4I*GGKs>mt72IHzPo=5?kJriJ6zp4*Tl= zobt#0_@&zK(BJEmb#0>+hj*}wtewhj8h6bYg>m)hbjNFe@(r~K$P?pVWVvm!J75gs z+#r<+BgaBTr7jR{pF$O1@z%^eMPHN$?_a3cucxkTI5F9PitC zbSU;5UH4Y@Y$sG~z*b|E+;#HhrPNFD$vmfYdQEkN$&kRf+N}N?FF3XM|A7~zy6^$~ zIRC$Jf*D&5I50JVQp(EZ`6WRIkkz-=_0C@EssHhTpD0CdAv2ju0z>}kM${6ze=4et z62LIDlDM8|VFFgYl>&NzovwZ-c>pj4p}8ux}?G1At?EF#wi3i%yTu?P~q;q*$$NOx54v%PC(pRH>{3=GbCK z_;-Hu&+!_0!5@!KGwQEyIrV4sE8ZeLHb{PIgC=8}I5z zUQ@1cT6C?Q#kf(l_80ESUuqBbPrI@x(A~Kx*$*2=vYhNfuT8squaR!fy;G8HuuEej zgkIUdu@F_YHJ|_*8wcsEd&XEzx_f0+F+)ptBGpCTLC-*OA(C9<)-;VMmV6poj*ujwtH=|}kvPb9U zm$5;Oah0L4g^z0FoHQ6Wcd^NHm=Cf!%=^!hB>c1yT*yH;x`Ca z0DooJfxb-kfs$U+6|#Sz@jYm_;_M-A1ada=eWRjz7J0hc{~fSA;WCf&PO*@SX5`WC zc9YGjR$*<_SFDz-d8GJF8afNdR(TrXNs9s7tw>+>cG$ab78G`t^yW&8?3#;z;13om zq(8MUZv3!&oBX|P6BsaIiIxivN3SH%S(tq0+*WOi>#m4FV@L^l&k*CGDnO(fGGtk2 zUvWg|ocSuCFm>Jde+yB#{f6HBJ(0aCpK@c{$!@`-xh;Vyq^Xe&FbYCEPol<}%t06E z`e)?wOcNITt~^9nURwnGE53ha;=BCF#ya~~8u{>~^FWy$!x=2u4Q_%;APJy2%}Lbav}dkDUp`sNMIhQ z;Cpnuz{(dKM}UyrL;UR60T29}Ob51}zjnAAj=kDWBC6r>E^lD74$#Bgp2ao?Yz&(_ zm94~9QYSF1XiJK^P*i2@@e?|63Dc4j>=S zldR}M80LYac|5+pYOAG6>69T%tIy_tW6=14wYS;~#S~WF@7fSDR+8-6w6j((0@yHs z(wt}Oz!_oiUQSgJe3>gRvqS%Z5?GKEofhnmJdydhTnCUG{9^pHLmuG-|NRyu z$rE&O>pOk(VfxB9%;ursY~b4dicF)If3kCV zTk4=u<6w+Y#j~z`(~X!Q#DY*0FA>~yUU@PMm6J(1Q|-k#CmyxXW4P)_)dMRm+EsLm6bxN^F+Z~Mz8KVvFx*8HgPMPR4KlZZlie7h z1>!WVn8;E;9|`1tQV(%IB0oLqHU~14KKmWi zxaU#xMJ?pS^CPp^@{qd;T_uhuHwI}0N9N*o3 z$j@u^q;5Pw-bizJM{vWCHM6%nx<-cH@3;P+BPJEC(EV&Uju-AWH9+dC>Y#OzaAG_4 z#La6TnmfLY|AU&`a)bAxuMxzkl6q9>e>7|V%zU+ylh5?CbtfbX{@qtT0a8>q_vA|t zuO`c}5<;~GW6SPR_38p~y7$d$wkWu7PG}I<8#bRxO|$f|{4q(jo_e&iz!?s@^(t8_ zoP7kxNgREJ%3bRq;xBosV}MS)`A?_mXLS}p49OCq|1DLluld8qf?Y`bhl)RRTFY1N zSBmEBCHFBquUJJsg7Rq^;s8{_;i@2@)Jk_encz9Hm7la*8$%B{K9G!9ej6dAk9y<sX7dDLq`g131??T{+-t_J@Hn5JM_%aS=)rp@rCqr`De8th#M(^P0MA;Kqx!^w z-Cb?<6md+^3{kd2`G4YO9oXqocUUvs+m-DxE2OTok0a=n}?7r7CWWTSAx>E(M<bzb+oe23~(aZud>S?%%^^VY;I7UY5QR z(hb2Q_1pOw@0p$~`2)VU$Xn6h_1lbVFNt?68*7! zNqD7lhuTf^F(SCK2u+IMpOmgH5o@;I#d=ChPwsP|r;@P%+NIaPZAJigEIap$;TK7S zSEX&D?Q~)RB+sTFUZe`xh%Tzv2a{KzYEtnnP?xDCbAvik$v#3vo^m%3t*#1+%` z66iE~!{g2JwVsv2iZ$uT$f1^nrA?)R4e4@%GZtMLUO~!Kf@4VTV9<*|s0Q#+iSJ3I`XI=EK8k;jb3kSrO z=Iq6RZTr;K{9`Hr}uS>-G&)1-Ihe(t-{k)Zv9kPLu-; z57e(G2UwsZPZAeA!6+S!-etm?2RTA_;#SUln?{fqTfRAmb0_BKp90FwNJd;Y0+xT$ zOI08b>~Vb?Jkh2_WnR(gpMf~ER;xE#4tiovltbH>PLI?Ol0n$HBWGL|;OlzSoV@+h z(Bk{WSC_kIOFA8{ODDV1v+|#&j4cIK?0O#T+|jGKx<=HSom~<=qDgMTCJVaJfOYVK z4hqkxwSPmXuEe+dTGR9kyz*-UrqLVKS6$X!@xoLDx9^*3{+uo#*E35Kkoi^H1TIKl zwEu_Qauf95*)8*rTaR`^jr-xXUp$o!A1;f!Tx$DVB6^V*S(T;;+9Y7N|45$&j1xSs zZNSjg@wwa0a)j|I~YWCB*p)(b?VGWpFg4|p}m zI|L_r1+J6WCkcotWY4Rr>^O4!RfbaR2(*$A1+(+>irr(2jJIRV5Iwc*4NkgD8TTo} z#O%}h`c_$A87Drd-St!B!K~BvH9u=*XJ+VC=`nrT_jJ-9br)z?Ye+vEN1eyRT@`Gi>K zIhAu%VH7IU==>dLA6r*{BV@nN^_Tm8Sa;^a%LjsPbm*Pb(ET%Ek8*`|3{H|lQ9%sF zxEY!uFsBs0Ct`BR3BzdSJVw!0l??49f{}iybAIS&raElR0FHaI=lPgU;nh(G5oQ97 zlTbR@N0VtC_20K1ta5@XHh0lSL{m`lv7O2#v8C=@_dkiBDwf{bn1U&f>oajsxv57x zi>zr-z^^mu>}#g9D3f;yy0eC3NIZ&)Tgd(8>={L;juny@22aLBqZ zu(x2NZn!d&?YUP@;k%N98Tm zaXjgJJ~Wd0{BSsiT)Fer8J$$x!;qgeIIV#sJL6VRRMq-pxiCv4KW^Z6n_5!&r{*BW z)U7t@E*|_N%vbVA}RzVN;6B-KU+ppK#8j+VY6n zm6^AmdtIMDWnPhwP^mQ`_mic5#A9#a|+$NoX`OZ_MsnDy4pK65gmTvw0xpZ zfcww*=DIdLZd64swbXhF^+3rmob@zJueHl|TzK!E3-WoVNWe&?nrHLmlpS7CXI1>V zA%qHX_oMijZ_k{P@s#z~jwb_81;e8pmU%Mo_6Y35777N$@)<`fUfslR)qTmZ`}~9n zCA<%MVtj+w*oBw!9dR=$8h2kVQ`VglhD)kWVMib^ocMblTRXBGvr1&xqilNlids4? z`iBmS??`r4$OF`M_vTqUN{iG?X#1?TPv32MfTbeLpB05FU~~kE@OP8%j5|NLi&-Tz z7gC0{a2D@q@Pcco?>jM6q)b>wMPD0Yi1*m@(W7cy=IF16o3D6Eutj)tngcNl$7*h= z?lm@#^T?#s)*sN#-ES)Z{ypGj&nl|&>c>&&x2h#=mL3Y9C5rJ1ZMyH7Q|?-#lt_6V zTvLc*k#W7e>!f7QiP^ai=8;JCJU?!nD%NR!bB1``F_q!tv``qQ-}G39J+J9bD=Lyh7ZjZf`FNF&*~Ixx7hI&1pH-ksc zr=e$FCkahOUYPT>!5L}onmx?HX29~tq+LV3<)g*-0o9&SxSPx20u?=;H!)Kw{cB&% z-uI-nyRv9An{U3U-0TJEUS4n~<58JaTMcMm9+^pM@;o?^ozMokAlAk)VEB>#1#STD zy+vEQH63`i_lv{A*Z(YD$Ejlat*xY!^N5%}sc#xPt+UK7m*CC#5DTKYv%Src=8MH< z*zw@@>EH-(-Noj~As&Z0eK~`GVrMhGfh0D|Gyce$lE)Y-&)I7wanuGr;U97xsIH2~N8PWX<%WO>FtM__FdTnt4;W?<_bJ()5#xY_E}uE624{ zr>Lk7-zN^bqE5HzJc_&3m1tXyX7r38d~?-gyo$`g5y|2cwpUS;>>GNXPuirg{9~$U zpM&SN@z_qFEzcMPa`do9WV#?H25p!OOwnZv9Wtxt!vh3g_3S%kXSi8w5 zBo6KyYM>cbN47G{HXGNvsZIW9i2!=$gF%khrzT0qZgfB?d)a0rPTb7arx(EOPItrl zgLshqD|`eAOKZ6DUw`fMf?xW!UnyOLtAgP!UtS-< zR3AxSdqMhW*m5acqosa}KYmj(mks2Oe@b4E34_72#$(C~_d(ox*VXBAU|GEV>+7qO zVu`lOEsP!Z=0v+X#4h8#7#sVm+;1>ZeUPuBKMVsDj&lVNd^5Se0fR%&yEpwmdUA~` znwO?|Q4;e!yy1fqzJ~A%K6Dt)E|$lvnsIO7JBeEHq}u|7dR9mbVV;9Og~V@r2PUI_ z*U^bO65G%KAC-=*W0hY$LnhQ$k0L&3Ha*yZ7DD~ghs-))FC&OuxHmJ#D`fAh!%F6_I`L`yi`rhWd3H=bnK-yR;7I*GLEsUUj9I<5gfKYiL&r>;FAZ*koy zfjuEd5q5CYx`t1sD0WC}_VGX169|O59xn?M$1REme%u~x1P=e^$mTeBS$#{I=VPko z!o~!+!fkq--MYb)G(E+E@9;Y`-Q#ZgkTRjbKVf}xBpa1z7gh%q+QKQ zK(nVa&^Hty zWzjaC^Zao#Jc$&>m38q(eC5;CuP))Um-<={plOS#_m^S4k}JrWuGCBBcVXzyQb`7% zK=qQCy{+r~-pL#=QoF^Mss3sMx~!Ff_iC8^!x}`)58`w0%(B^n)uSR1;ZP%NCBW=?Pec!Ul{`CB-oYUY3_miKbkJuOqgKZJzTt}&3<=T-6dGA#W@aTi(WCkxH zrxbj@&Q9TOFD*T*CJ8Z&@p>&dkKqNEzYgmpJ7ro0FZT#rD&9YVMq_A_fIC!@Eogfk zn-npejX1aBWaNSi{F3exmvrf(AZ#*Z=U1yI)248gbjZHUZo3FcMzI4CPmAC4@3>OZ zS+S)+KX=~!jpD7GP?pCJcYtGGXg-}!#nUnCV;v;61vFiQHA&7o0ThoyV9Q}L)4D}m zq-~+UrVHKh=bz-mwcLNjeS#MD8BQ<^3tX8^9Bj9%bKNjppKW@jH;BxjtYoN2$V(wk z!$n22slI%`15ZtkptG(z$K~dmT1hA@^hoQy+P(cbl%C)0I+tJUXfz8rWWrhP{)RnT z{q3l9cd4O@mqIHj5=rmQ+2Ry-e9pYTFAG!>7rkH$3Z~E(!P0)|E%Al13{%_mkm|7R zJC$kyh;jTr^jXW%X|Bi7%`sfx?$X3IpR71tP~F7Fp4VKi*fB&o%--Z`*T62C%`;V#YiMw z(gq4Xn!cRahxbcYIV?oa0P*xoLnp<;Jm<%2*ih7l28<^+Z%ue-?K#ZQoB}iu3IA(u zq}xJPF>vpBv4ajcZLZkgrxG#mTb!%BiFsky)jFbl*9O)+%~8@ylN(C1JbzXHh<6v< z8vJANjvDdprrG%qgB zhtF(#o{iq0qCVL0*{C-hJfTg8uj`??)wZwgd^)MohMYETzXbyjz>&^E6{5?*Vx?+h zjQ*Sha)xfC=N=EsQPF=f*+Ub@pPo4t*!4kMq+U$fwxX@|kid!*za0ZHT(%6yQ+2t5(T~K^%8=Vw zinD4%e1z-Q!k_Aw_SUMV$R4Yno2txGbV)?Mfb< zt@=%7?c!>NDr$rKGNy-rUgPW2HZ9{^Sk`s%)ZFuN9DRcqV-Z;ZXQOw~orenoA{>S} zwqn*1$J{AQ{yVW~eWqC*(rw3szfVAE4dra7KRkRPMF7PNA~CW@boB4q6LG1ochZ5C zrUgO}(F)DGZzkM2-D(~e0~Zt_Ab#a+YJ(N`A7>jvFsqH%iiX%5U$Dim7dRhqm}JtE z&6bes23elKJ5CrV4Y~a{VTPY>_59huslks@F^Dg(qDi1Q(glo+EivSg%ty~ME6JNN z9l0qB(UH}$$BA&yb6&%^tP|zjFxiR;KTiO-Vu6MxMI*axu4sK_#PdV!-!5oOm}PJh{*==QsO{r<|-vL`u9HxYjFr+14nXp(Z2VlXm6YSR|rns^J|s7vlR2vt!7C8#f3v@?UcUNS=#exP@|Ar zr9ZG043odPm@t`in$DuxMjBaRbAo(Ow?_hxFZn8ys9II}hNu{b)ojDvfZHRKTD z=kE`G`?*}%-zPP>D@g$O%pY;FMX|N2M0q_v1&u%{Wd`t*n~LM1(i4zo83YD_xK$kG zjyy#7t_e3CSs>1nozA`M8{^K`9pJzBAn+{aWF1Iz*YBp75>+fpt~j1 z5@`0JU>N5K4yACI?Bg7iHw*L$6zH{Gy$T*yj;KA{TgcoOY5;8%?*s}`5}}k*INPTV zXBB1w&)$yAoNTXBYq}<|o0-PSwY#637ePmkt5G9+WV7dy?W>P8wq&;G1@t_o^llC< zWU8)1C_p*ANz%hA>~!k`{(B1)#fgyPN_cirlf(gK{nn}m>~PK>vv-_xd<6sOSLN+K z@x3po8Qj2sQ@Hf`Hy^jKI)BuB^mdcy;oeioL5@a~$6IyL+uc zkJrsar6ZA67Pyy2hC zsrvn~_`amQN0(+*X+P&B@{6y~s=~=ru7B9+=i633+17EqJ(q|+oFvN3fPgkk2R92hryO+8QFaVRI0N(z4 z$;a3|hBjcu^>7)QlvQhL$pv{ZrjYX!;4T*wc~(9xj}ld`3Y)lcApIjs#iR5jQg>qD zaNWsd(8JOIbM^6V8VQQZTntrA1`3gBzD}>XkNcWiZ<1@VWRwxeIK9MiMVHBb_8~T| z{&M7vQ%zfwQ{H4?={PRU#Uy)v&NCEPdx93^QUNhKWZk2EYOlDp`-p@i0Y>q0_x(Lf z16OFIao;9>X;XSjq#qjMsm(Y3x+vTUz)`;Vw&)oio@M2OzL-BSr-|fvA2kYGJt&KB z0pKnY`K@W4y?oKWZ}(=3?v4v=E+Ts_RY$ zeHjGd!P>7r`w}F4uuHWcTHB^JmIOM(=<3~804tj{IqGL#K z&x72ma9u3LB>k$oX-LH_)%`JW_PeZ_E6tSu)RhrO ziwhNbP5zjTy;OYDlxOW@-?jDkV%bknpurb|AU__I>5_h zLP7ET7qE*%;1_#ne5$fuK%Z@^Ut-Q_oi#Y9%p%|zJ1%K=Oc_{XF(Ug8@uOJ$cV8WU zR{vQpdK*`rOcIYP^VW=z$=l)Z)(}>w0!Er2dPhWpG}m{i`EVP|<%FTCei}Nn{Ts&( z9?6F9&DWd?V;lY8ip{O*_e?2F26e#ay8Q=}z{)@VljH={Vju5v?O|cd`{QX?>eJCH z8T~oOlzYt=0nMwx$!==tt{D4BDcvVVJ9md0ume4A(eEK2DJ;Y#l0{jY!xR&cO6+(A3@ih0Q1JcK z7uw|sNe*eOd~W*g^{h)oCZ!5dys2$^fA6yd)OE`eF;?0r|sB)-D@^^T9A3!B7gtk+ErN?S8s4l_q?qa9ojvlR*4ib z?*W%wT?~!`i3MJjJ!LS_vEjz_gnZoat$ux5t-(k)JaWQm2TP~pE?Z+jgQR7aRS=sJ zgqW2RS>z34e}B6NaI%qQ0eeQXc6AQtp4!HNU!6CvsVplrQfav-Mw;SsFoylYxICOR zBIum~)HXOb_g)=s22Pz699HSw2sY6g3o=<-r>*(T7zd8bm)6LXWa(J+5+A%VCWT={ z#_n!s%JMWRq(Jbq&Ata4adR#Jl^ca@@c~_M|wOe`^ZVM~UmC0Xx~7 zbC&iqxoqtS<%30clH?JONb?z$U$L^_ISgnzB3Ra{At4wZ{^3-0srMcohv& z?}=sLHlJ!f1>|+i3hvrm>o>;93Ffm;+Mjc5!ZHN%R5(}?;1d%Z3>~^C~+q|E9!w7G> z67AFBk$~&LOs?oVMWWhIO8h*G_6bX{#d+iL!4f->6mc7~s9H0p{taCEWeZE6zj}&Y zyyj|WmI{pbH{RC8&2ac0{5s?;>^2uQ2qF{PW|TOPI;ksXUUKB>Ecu*w?HOm_eeIca zwf9Tn28TY4u>&?l{ocQ#arnu_M*|*Ki!CRP5ACJfO~qB|Kx|j~{;I34iyvIc?C@b8 z6kBC>4B6tkv#+0r&ynUC-(VZu@3dRRgv0R2cHvcb{?{CC=QPbA6n&8m_3hHHx6#&8 zYEl^~LJqeXxxXf`=D{Oskt?vZq6Covo?NKKPL$`V6tjeKgV{+-C{k%7{ClyvDP6Y? zqTy{R7M`}Dl(3HPr~_Q(T}L&L(;#3&YSroAC~dqQ*<5PzMgHur#rGZqt=|q#S^Byw z(0hnGhJ`W}rWT+^RR8T%?hhv(E~sPuv^c6}JW$8N0 zUwrI(a^sox(Y=>f-kVu^cz09{oz`=ji@mGl?jbJfkyYa^x$LaI9+udS5sg7^{FCF1XQF~0Ric~1`sJh0RcsdRH*_=2{lv! zAyNc_bV8S=Nbgm83q*P^0g_Mz0-=RE@$-G2^~_JR)~uO-;huBveV@Hwd!NhkHQ?E+ z4c-gC!`vYG!XVV{WxcY0)5#q3mfw8jF2=beji(RE(2GZTSJf`X24@wHdJ#9a(#cw` zRv)>xTTEZA>#jFvEqiF+{64YPAK1mWH)xYj*XZKwHV?!@^YbuYW4^k8%I0{u%O7Z= zUWCFmpe>^i_NSdTx7w)=89;xjr?zhfB43`}ptjBI)_*aX@=UzbGLB1`+J|YV(*gLK zmDc^AU-ub9%o+Sd^XBcaxJTQMnDpn}v+A8J^R^>Un;%2VIff>VqQeHjs@W>Kpj9%` zF3qHDZkVL~_m@-6BDRy@KLKUS4dVbwmXm&@(X&>|&0wjIzDd{)Pwh@u}1yb~t z2nk_uMmsUCpai*fVvyz&Pfr5!Mk5Kofyj^+>=mVB&dp#(1~IuJClcIAzMSRm@>hI8 z{8n4KjkoYBjsNK*?hX&EUXHUqk29=`Vk_c=)b(|iF6?z*g(Bq3|AI&UT2Ljw5XTf$nPes)#v zQg$n#)A0DjGD8lF2PG6@7cAXC_WdZ53u`{$4t_$=GCSq;T)}Q7Fa{%_P(LW|(29V5 zhjuCJ`zF1lei-F%fDG%GbkmbGQ(7F(-H}p^+rsxW)`lmFF1vWdE`9wyRskm={J&fPs4rU69&99*-K@_`@i^Ja3ddYW%?XmoDGmrE5=^P#rcD8;5XdeTnbSwP{V$s$3-}u0>(IBCU%f>*=(q`<{ z2g!&Io|Mzw1-ZquKxO>6NZYC1Wt+_d zCp|5ckMfrvdkPA%?%wIRz-o<5O1Y>8AbSwcAY5qnkKh-=Ij0-zmT!?Joe)YtL8&_i zyq`Tou(7{K4(Z1(xw9yrrd>BF^@BpWKamBIck^Os2{Sm^KM@lBf_!EDZ3RqZv-PS= zXh=!9_(f#^(qy}FO9zDy>T3w_OOeM=6Aw36_fWtn=kBD0sP1=5>2(80WGR@<4xQxUs z=zA&kDY3qz8ynbktVKG&NgH>_2_>H4H)5C#M3lB ziTd@6x#jo?@(2j?(TnTn|8D>dp8o(14{-vZq4%m}AK>SyAiCG{@`-lyOZw3;OUlSk z^#2~jYz($3>U$4I07JnBWipX2vy%Jo+n;YmshJ_Y$V4<(M2I5gvcD!z1ALr>S>jK9-*v5{J{FToN#@Wwnl>_~@XNONC zU$HOYCpMMO>y(4elIq)(rMp`?bhsQ>STZ!mvXsUiEE~lSaSoA|E5^cbjsqzKNyum& z@HY6G6QYVrAnV1l5=@-1@ipq;@peAQCd00*y?N=X@n@-D3gy9PhjSUrzD>BZ>2gZT z{L)`3cn6*#jKkzMt~BsBj`ts<@y1WO@fV+8n+0LC`yW$*yK_?f_mJG_`Wk5w#PWP> zbMqSzle+Ai(R{Kb+qz%kqg%ch?0;%rmq|JD-R3)JO4!YLouHj}Ki-kDcAK!G*l$5ozAk_8W&Nva zHvc@-Z%;ANLGuDu=RBa{1zs7fepM1IP<90PL(Q%PtW=9u zDi(`iMcNqGr!YFu?e=Xt8Q!JNl`h^98xcDfLywUDksv5%HX`1`_ixfr>BfwgGYL2P zXPO9g!Mo_P#tj>95B3BF?2}dHKC^5r6(aI*0kx~aQog(yIemx;WR%>N`g}s$o2ENb z)B_N3&)$2pAUr+fxm{ub&jEjR?oG-`GV9e+etZ`Ki9ey=Yi~>)aW*tWGcKvmno>1A z;0I>i*~tA3CQMmf&BPqfpfIp1kr*T{2d&}+ZQkrEO2wi4cp%g{_;GfD$(*NKWqic0IS=9Fu4G(a z5UDq2s7Azvwk6jA5+;6v2 z01woc1lt)v!NL$%YeBNCYLjy8k=FXX$c^-Rjk-GB%xod4Z?GC#xZd z0kRdFes4XW8g^r}&|BA6x+(!uatNi9%>}_kZ7r+wJsU2eLh%^QAB5(e4%y4 zdyVmdB;lN8tY&{9cRRaTH5gBCuaGLaci#rb(lly^nv8fC87+3Q*fFObbVAwHdfs1j z2>Duc@42ssjQdrT8XtR=Bu3>gfwJx?EYgCdzh@~Qe7t6d4i(uwIAi4KK+)(UQTByj zT6lPf$*K26-4UllqR`^|B)8TUa|chrzB5_0Q<-}IiQiKrtRvZUa=r`@dcoQfI*J<5 zWFT``67Uk$C~k7wCuC{UEB|4(;`o&wpeI=>Ih)^$Zz|iP?$Lj4DlI_n#dNX zvQ&93QMtXXk%A+!QGX)`(BGa%+wM0GqQ2+uM?e;c_+>Zi0O+5GVUZpm$88sW8T$77 zzwP%ClevML4`{1eV6;?6#eZF6Fb3IKUDx9e1R4+G>%9Ttxj^9Ud(qu|ys<~gBSUqby8D)wn_%pM% z^ma0e&5lbX;1mtl5Nl7RaqYzi!13d2{VDHjounLy}=o@eZqi6`_777;^puCA2kbN0koXtjAj9xcB)78E#LO7{pTwB zh9|YZQow@!5q7}e6mOwt)hmxMfuGxC7U0^$J6`$GC*}78N=5b+&puu}R@&|x=cPVU z?>T9aII#%!I0nCM9U|$)ND}sYnwOf!+JO=aspcIV?k zt!39Q%r7OCx|$#8NLM`@n4weSu2}CUD)5Ep$k)Y?2y5B-fn6SO)aU(`k9DD|Z3-L; zvlHQHq~&Zv#B+xfyfb%EIdqVh!|F^}#hR7`ZOBf0|8-08FUw_bY3NwI(QB#^;S=ZG zKd17v^_Zt=P^U*&;j?zTTgooZK!9e#{a&Sx+${q(Dl*dr)YqY-)y;RmG-g#3i?$uR z;%p*QP+cd`7}8N5A3v3F?`=rTS6$fy9Z#C!c7#avupdK5jOA4H6}v(`Csd@J#i{spf-Y~l?U~?IGV-AQ=c_YTTb|SzA+Ozayk8Tb%o$NTi$9{6f$qo&f9SIw0uY0%qrHvkj?!B8arW~h`kJxe_nZ6~l&k3Q2pN_9IxmKGTXjl&# z`Ts7yEI?SHt#LZ92;Ik5fLJ7n5AmC@6qT0s?seE(P<7RTP3CzY>g$EBl?^zr4d-U<}3!MY(OZ-eT1&%l?_Jv|QqKNKxEYwftez+JU58urxkZw)J z=)ULJv+*ri!&2Gn?ddGdbI-@d4k$(SJa5h2(_Ep9;;uLARn{#^8?K+tOgj3FFE~;# z(Z}NjJnEVReg5x)8wMN7WvSBWRA0`&f0O}|D$4?Ht?;A-pV0eB22`~whRDU077`lh zkJmSer1YDGFp&hUlHdk=>l4oc=oK%xL;!2>hGNUou0fk4H5|9OR%$mhp|nQj@Dsd< zMh3QrVXN2k7PF8$=w{(t!-l%QM&ydGP{sG2L@#HG7`kr(?Z`^UiJeh7h~k&QQIv-|+IlAP}6_CAmN52>KYi8<#^G^eo7*^gvCiP>Y=8Nlup`;Ph{N=Ty zDg2D>67x)884sc4GrUQmxX8TR;$IJm^ts0}xs7mKsbMCFU21&gxdYr>q9&AX=m9D; z&T2047V)sNSZt-#er|TP{s%#N(a9S!h)0Hec0d*J+fp<$8-pOY7>WzYe#{EGyVl;JK(+&|;3%to(tl)=W_(@ek2FTuu z+M>%4p0jHG$J=mUnPWX-DZhiAs}Z#yD=g9II&x+F21OAsb&#sV3{714Funmkg9&^^ z9uRqd5-?K>5&3I$Gk9k&^N_N8ytTe<;3Q|>QRmmAJ1_^WU3)3Fu>`Ufl`VBL%f1=f zBS5vmHpV&JJLn;5a>u^7TaiLYj~&9B;6BX5?GbB{;}84NJzMOh>J-4~5D>CCYBrbj zzVT%_v2IWC2)xrON|#+3py-Faa-Glamf4BBtmy!rO?K3~1n+w8)yjA-sqxB^qyXNU z_bHgEz-ch_d($n!1l-9nc44_GaJs$5!E&K`=y-L!NLTmdumGp9d`xsbm3@juzV;M} zs#E*$&ZC23tMG(_p4!dnvx^`yUlV@7ks7-5HDdB-=NRMTr-k{x8Y7{XQd^+8euCx_=r|*HK1GkK#)Y$5<1L zouN_!jg8||{=~0&q@{LYxU}%@(>;R7;xK;wQ`W-k3pRrDD1i+Sk9lQJ#nzAS!U+W2 zBS38xf%dSN^i8N+oQ+Jx$JR8cHgMhMe%W_*CfUt@SqtK&IEGr-$VqQ8p3H z{7->AerI{;OUTx|?4oUsSi^@EQ4@HBXO{rhgs)p-jdBgMPno7wlk}ON6A8RR349>i zgx=W$Vvtn}^}EZxN8kqSisQJp%;+pAfoR((=6cad_5T5A6a0Sy+Msc4J<8T`vfTcj zC*Vv=0%9P#kC#JX-;`n|(T(4O=4Fk*{!g*5DyQ$Sn`-7|P>>aDtBiFi1cbH&+YL_$ zA@yJl8y2bOCvCg0i%74hMSfj@FPWDV7YWy7j-LnblxGKR7hP{PEKgiC6|ryd9t2)* zMwbV!p>0?eGr4X;2|a@MHIZCjhBa;za6m!|!GjCHk6FV| zCx=G6uY+x_Ww-poHU?>w!#%2_=)wX>|9~p5;xA*t`NGv+W$kFu`h(3~`DHTUwGBHu z+iHk@n|)vVCL4U)H~=T3D75bQdL2vk@|l}6!<*hkI$(JobILWxfS(}$^GayK0vZK-M`x40~LzG71BM8%Wy zYRHu*$66n8op>5tb_CCS72opv6Y%`Ic-<)duv%O%$OU|MY(3JH0!)wT1nSwB8E(sr z92e%W0Y~uFD`~!r5c-&!e63n-El0m$yeIq@89=t(n6SGZB2ZWoA^(wV6$9lDkI^4e*1jbS zf~`BehUFUHX!pQ?x>G_92Tm*bttmD9T|&G#7DM>jHL;6iqTQ(avp;;Nc~s&HU9VpG zhcUi7<$odje5P6K_hx#dtyZEkO zf5F|@$Xjy4Oh?3*-h(y8{Zv>ZaS5+ZwMinc8r`JKCGeF(IdzRT>wV>~K)Kvmmtp5Y zBBX@vRqZD;YKw}7o=cttQ4GBo;yN0>>32eA*XjT@%rN(7csr(ANp`@q{=+57=!svh zA!?N~%VNPW)~s?3=e|WN9Bwv^!r@>Jh8rqzHs8e33PeDnxF6rkx7oe55&?1jVus%;i}MkcGbKJs zcYP)(DDuMKynac*3-R)_kx(uX2J#8X6#+i|%L_qLx7WiY3DN<~1V{J5F@Ze<)W7(& zDr(<-9JtV-j!XA_^7cKwLD(~q`)$#Ty1g#Ss-P7B1sl|<5a_#K%v`Ni@vOmcVHlGi zz&6s|1h7fmkAXsM9zMGuPPj*eB^Rbitm-8k`+6y;-C6gr4^xO-dpN3!W04`yTj#B% z^jgn@VcUiE0XDN}a6zrXHJivtrD*8^F>mm#E}zk=YUg`N^N0MBJp@WceJ2+t@&+v@ zD0@JxLHAL*Hp($}ClGN9OugSJ+miRynAS|oS-;DHrp4C?B=s8ie0nuTbMg;1d2qcPBGh0 zxG=Bzu`c-iB*y&oRz4>hOha2i;GclFdW4)SeU?HhH(7bH!q<7{sadc0QAqyX)yW;+ z(8tu|IAf)2G=M&fR2Q|W%vy(eRVYZiZcBrqAy0Fks*Rq>p~u09x`JbzBI}ej?rM2+1AB=B#u3B}-s}7~m(xpuCx<%M z@VN6C%r!i?`iBJPg*WOr+V$F^R26%Za^lL(%(mFH@mF5K;JTLd~YRI>k$zff`KWrW3lH3t-!4+cR z6$cH~7V}cEg_o;``;fhCHs!N)=(2vwWWf2z;&_IogJr4VUR5q`tr~T75#{Bg;iU-q z#%Ad#g1+0K66iQ{OcK1iF}*dXyIyTs?LWQ57buce*;7NYUikBqHFeiw_oLA2iivMi z9|D+2*i}si-udgPiF}YSQNK#f&4?&kc&%sohhn$9cEQ9H{qe8+dJn+$?;kM?1}QGY z-5o-0lNNt?qy4s@0IEOz-POvhJ7P4OQ_!2_vqIL(;ANQw<;$e&L&#WN_#Qs;TF1d* zWSP%zkCrm95vIl)oxW=e+t@gf1*xLb&Q^$RZqh4W1MdtCqpB>OqaPH5xSRp&SLoF> zzkPxAeWa**=tkbMLGGdsJYYq%=#!@@jV>mJmumRw*@M$7Z>C5>Dv(b9vEI2e9aiFx ze-U^+;7%V6aOsGaEkggzadXXL!ZGb{RvUlF;`&Ugsq^xBCTs}+&o~@tdhQ}K% z`3eXrDzQ99k5% zcS^kbXB;oF;)t@XM|{*C&E0#8PbR_81~B!fOme%$5!ha;K#Pw$a{=I332h=mh4F)d zLo>EU6AQs*d}GfIkgtk}{pxR+`8Ms5jzj;}E@-N;oYWB&Ae)q??9*c|fah z`mjp~8BrIf%`^XG+m0=R_&4Bfd@VR`q@T5#TXL@#p)RAl-9R0D)P~fi@4^Z@{g#0< zYTk8SNpusj&3%27;H`gsN4l36{)Zs>?ydg4d@j&~w%=)afv__ZzI?{MWDWP2*-GjL z43X=~t+X|3U`48@RoN<)i2SAZ|>37PdOt~h|%}U zQ63VwQlf!uWy}H!X7rYt66jJqYxLx2aZX!02mtz$=?ZGU?d>o>TK+HvNmbO^ypbi; zH-r68aus%$!pO=9B%QK;8m2(4jd3umxc zR?@KSfjPI+S(^H?U`nC!`)bp6EJHqAg!1ox{7*xfdM2*Ug9Uxh^Wc+!^f&?P!{;+{ zwh>Iu!oKv?OX7s28|T0bg-mSzKjkaChjoVKQr4!q!%^aU{>oe;$7QJP96aCCZ^Ic3QqPJLv+5)_T<>VzF zU#nVidyp18t9YOYoA02JXypv2=ERu{z6+uZ+##>MIi;+8t~XiTELdbsmW+AzvtO3# zPLb%`?REw#=_nGZVs261>{)qq<2SG6wf^c$cVVPOt;{?*{vOC;_QTsIw+EIWNy=GF zDF!duz4qAak0lj}&kzzx;%HuWfw*y*lWT|p#wI<&#aJ|+IqO;%WiNm=WS3U2uTkLeWi9c5q zDRWQF`q8zamey{zk9EuGj8gHY$~v@us@nDFJS}ZIC}`@Y^^;zF-tNOPzo>;?BvJ80 z0CRo$(Ol+0Ba_9XHA9xHD_3^3bB0Ho11`!Ux^4YopHpOvJ@P|0ZUfn^nmoQ$uHZu-EmHWvF2*j&m6Z>JU`uhyr?ymy z^qj=;3)#6g%b^twll>E2Vsad&q^+k#?H}1)A-fnl1{+fx(IA|eU|IyECPrsde7~g2 z?Qk9Gf3}(tlv&o+?Q_AjtKH;slt#QtU@YDdxZlJ5FiYjl4DF)kljUJtq=yr$T*F@z zF(p@lpN>y;$NZ8(H*xSgC5SYA-j+NCeZF2oO+zYp%bl4V;`2?Lf@7bpu-Y-?%bnH6 zun)E;?~nx;_c*l&Vrs`P>y`2k zCQmJm}$du*+9vXR+SMczMTeXeRiXlQ!hm<|Tapz0#=+Vu@S26u-VHadP8 z@npYyZ-h@6dcPy?Fix>soU%j2(Kni5b!Hnxj&xD)6_fm_6hQp=;QCqMgP3dUK=-AJ z5gC1|q1&47@+z{ngk(E6|Jz=#BQ@$|0@xeH=pBhAE^Oz7lyjNPf*r2bIJ*d`Q<`o{ z&ePi|xO^3MYFmOnRo#z-{PAO=u!cJ~ zFCucA0HT7Gq47)OV%c(ycrOIFr%HH8u{s_1(Dmsr-b8QTOx5A{+~v`+jpT z4_ptsc!R2E!QUG0EfbACUo?7Mch;~%o8~ZGZAL(AAqs;K_@MVl-HwOE565X-KS&hJ z!IX54wFR8+3hbJV-lFE^k1h$at*HYHbUaJiuNax6F+bTa4CLhmvy3!c9hjPh2ZvgGtSz`xxJqIG%sPYov0 zS}IrkP&-!qIosoeXW5<2E*<+Q5hz!Z-HZ%*ywrOLq4J`QZc$lMonU|%)j&Z(Uj!S` zZ?@-;$8Ob%GRw7CoxQ$$q7d_UL39NG65(!$y8UNG^J&TXrq9O_{N;Ke^fq7|DA8;hho{Y zKN$Td;F!r)^F2lgq1Pi`-z@IOUq|iKA6{$ z?aI;3A#d_&m@opPU6%sP%57w)=~HsE=?_pis_dM;$Qv%d@iY-M>Qq^5>0HgRLZXbu zSij12D6S>41uJQKfbEg1{d$m&>!AvNO?L3OT#mgtW5T)KncX*Dra$1t2B;z6ubU-l zS?~F14bw=zVvOjX5`MK3aow2h_Uq?`q>=}AmUr)0Y2gfFiu30uyqUUG z6mIb7XzaYjtPWguBIm&F_J1hfgh~p6f+$8tbB>)t0?x--ERjMgVOBkV`**5 zisu9h=o@u=PS5Fg&zr5=D$W`iV%s;sak_IGB|H1$(M1;XJM$+meJrm12=&XOs>-FP zwEeMrw?^X$*j!ZM!c=pQP+jJA<5R_gXOE9PZ0T#$AJ(<$aGy*%954d2^i9}pZ@yZB zaZwvsNppI25q90^G8I}fxdQux&F7z79(Xajw;-}V%CX(C=zpT?V;MZ2;)!qhC2dk9 zOVy{h{TjF7U6q+-TDpzLUI8 zfE}nD2HRH5l(E->g|UYjJIja!>`Vv6TR{q$h#*a!LtdJ!`|C5jpGjag+kLuYP@cjGmcm=g9V~sDAwiQ zUj{&}ySCg#Y*N2cWkd~8Gn@FuZe zWGY-!K{1I-ImWR9R{Z=!^t`+F-23sB#J=DG4pX!{4Q=nv#QpK=3Vg!6e`bDtsJ#pQ z?6d;+d}@)_{?kU{BxAUxFB-t4TC0v+T)OcuXeI{8 zX?09twD7bH-q1 zHD$7n)$hI+=*zjCO7$C}hl`q5^Hu2-r6R4~?-^cQ82xhD-fucW%GB%3m`hqtY4ltC z(Z1P0q*Vyro>9V#?;g&haBr7(UzR_mm&$_47{Tj0tHuV?NT)X^CmtY^Yk{=fJa4!F zhlrQC=G?cba7(_AWZK;vtiM#IUMQYYgJPB5jzV8qannulK+5xPHB0$nfA>~4W|M%@ zhpPIK#N*!&T$xP6V|WWQaX-<&9oszk(ao=;IhDwcMd?d7|Mm?PYq>ak016P?i~pV_1v-Lb zhzXdHu%cG$I*2SbfGmF`RcOdPCf|W>JQ}aoi?O9+2w*L+tKA3|6BdEKWGDa3#$szu zzk8F+lVlLu(;UJzMK#1-pLY`}`1L%Yu3vlSY}abW<~K@^CiCIr{p$*^zglA#_S z#u%Q!w`q$kmwq#5-p%)Bc~f#88Fg8c=3!^J6qlGEk@;HR&G;85x817xC`->44&+1U z@7F<;cG5p-VG5qqU~BsUz{t=85R5jO7Ic#r6BO5)Xcjz6n#_6h=h3)2UCC2 zm__vp;T@WN4$mBCKP6T6Ity9$xIQFWJ}1cy?pt+jyFNT5z7)GaT&GZf)*Za)6|9&u z6s3(~YYA&hn{*suKjo`34FmGJB?k1e02I{lb*~?xl5$+oHBl7^Z_G zGV5!P{!$_pT=symmk8qdn#w0p7DHY$ckzM{gH6JboqL+C<2!6RpaR1PrK?vw?u@7C z;HzxK*%Ulm;MKHl`;o-;c@iw>c;DYbe+OhxwcanFVTl1ufBa~5DuSz!c4hj2cJIsp zTRcfpV+^$<%VrRz^}QHzqbbD=1IlxU_xsob-3T=%mGyf*2hm3>&^GuFyXC(qQ{lx)w28Iw9Xrkz`B%Q9>$HVVQaM+0*M&kFj1gFFu&B-BRi>+k@F0 z^Ek~3n##&?5ST=^38Hcb4UIrSwkDY%VKs1B7c#B|^rpzGWjHDFm5|@T`?Tr{oF`w= z5ZAv**ZVu8lKI?M4txSA3+OA@Z&TiLSl?$o+$ISKqz%5EnBN$ zJ0b;Z;&}>F9?vNn6~<3FnqJR}s|Z9?4*u*)c98c+qBkAe(#7upmsAJi+;uHQYKSb* zjbw!~Y$l;9F~pf?+xCL=bEM@Al*XX-$g~E8&liCEk0d_4JQ`aXVB)_rz!!N)lYAf< z0=t%YAWAde?v84S;#%%aGD!##F*^C_?yE9V^5ZwSTRz)kJ#F1q`QbnZ^UuMur|5Dw zt+{d*NKwO|M-~{FzbkZ7=wDez18FA-#ODgcrdD!k@+lsz9E4OLn|N?c7i!^x+YJD< zi#D`tQDy1VZjOi(Pxz)PXDQBW>6yjy-1{D>cCnG#oAAF&_oN^4;+$w6Eg!WvWV)?W z4u-)hFHhpTW#jG?m8lK!mB|@W>>A#eAVJ3Z&1z0Gi!r)3T%=JbmDgIOb= z>)^GSs+KLfmtH=amhj_eKJ{Kc%6jK+^ZV-S$FOsKVWlM%MD564H{~u>ZWUI|IJ;nX z!0%YC836G8<3@YyXHS`2gk)3}UxlC8#(rb-8{ym{Eng`~CFP)dm66ltKPy9B2zqIj_PlI->QFR z$HJzmJ@Sjt4Cw7XD{N1!-^Vvd6lvsBuvefX;e!H8ppu5tE|qC4I2a{dTIimUC}?)l zz(nqy-Wrz@gWOmDi-h~fjawY9F!LGh5CV?RwYZmE2;Gnu?m%XRjPvvKyzusxRN zr}eG7GC}CwfvcG#qGkWkXINglUMrllLX1F;jje?&*$aL;n;QA2fEI`#%}9y)%R*GhpC*@SzKG*hTHK*Q z^0#&AnqKI9RurD1br7nnM=ZV8t!iPK*y;4Yy8wKDX>!h4*JnEC+$aHDZnTb9_gOw! z+>$l@!n+h$in4&NW2`=RF3Z-X(}B1C<(smy0uFn|x3kZVA46`9 zBkF7pmsg(KQ>@GE$FEO6WX}*{Ax#lJLSpkQK|-R${ed(us$E4r5+5pTaExpfGru}c zesxaoFb8@&8FcS%?kw<$GsBa&)!K0+GyB%#6G&W}fz*OjgPv~S`qjMxV=cDKO4VL@ z{lk@?42spa{T#&}yfGxS7a*vg_$0HXRcPge*UOjsW^f>y)D;pr>*MPII`H8^JI490 zu_QeuCjV3JtT^4%%1u zZ?@97-f+Y%#51MuJ%x}H(h(BPIZH$*6uP%N1qAuY=)$M>$H*u%JfkII*aD)MY-a8& zMR@tAx!bP=!CdSib39Ip^GnEus`eIdrB7KQu;yU@O6OQI&=Tg3*K!0hp}aX0vUvb& z6VIYN3I@D+>EF-nx$z_=6SZ<=QZaCTWKWE1OH}KMI{um$?nS=|!LJ9rg;(D>z+3d} zfP~bHb&sq`bY3oQ$Qgwif*3_E6Gb0VKkBPw(bz7+Wh9wAB{cQWqdGxkMj-?iGK`G` z=ByaIkm>iy)A%-K=?{Uw4Z!#+U=G-eGTiQZow_F?A#64DW}Xwg3Am(8hI z;uFm(S19Jyy3mQ+eV$9&dg0prcvu|r{iY02yvwU8cl9T}LGX9H$1A84_`> zxMfbY+--ah;8SgZ+}<{3WuUU^F}@YKbV*BS0&@vG))GFkMquo2W5sM0iWTOl1#xu0 zWJ-!S+R|augzE4X_Tg=HO1YLW|BphrwBsaKgg-o3P{;qH+`(f`vFHYGw@P+fJ09(Y zcZngoH-c7ZfZBgJ@4b8e)T~|Yi6B{A;Y7|x(LE^64stbN(Lpbv6Yzc44u7Kl6!O7v63BY)me~HZ4#&gQ#g0S`@cTM*hs<9& z5B-N^l7D3?qzfqrzg=H>$6`@2QMj;k8GwqKG$rMa^BeMTn4&IcsM8`ek4V%^IvF)9 z=`dufQCR|gkQUYi?EdcOFO=CwlSEJb*n(mkfP^GOB*6cK>z1pip|OGE8CLDr_Dqk& zE@;!AY3pT|>h8@+V`^6sZ(57n>RB>354lVv^W#Bb^tZ9^;23SR&mIn>P*yxETX&rx zKy%(MHCVo~BzsC{P1jpX+3y3rJ$^Hi=U7R3n$V~#_yy0{=uPv2msOFDGk3*-6Gw~D zEnW9hdee4=2Nx`+c@HR2$AW?$vN0W*y~PN69P%-PkzFzl(oy&xn6JbL#%8314cMl3 zWbn(a(YnDO<^)lg=n)W9}SDCKD${~BfmyP9_SDnkJbDQ)*D4VbIj>9dkkIcyf ze|TQsL&9_;-1O8qn)JW(~O&V`Kcin~@Z1OIFZKQ}B^`9y^z`=@EX)+nNo6!to{1Dzes=$5t zN!||d+{SVP*IMF!SwzE=D8Q%#4G&{kTJ4Sx`A8IA^S6}CX4-5VR6`*b&eC@n*3Q`b z{_wMZw38`E9_a}9SNWs|J6%_|*?*~rzKh>!^^biN5tC@CqlXfUEKj8YZ#sVR`hTk} z%h7L${9C0u&`aU7siZ4qnHbc*%VC}IEXF7{%**p*tFNE&Pxs?{s7=2)?3$**AY^aN zFLR>)sr2nwUi5!~2a{g|kUu(-%S!EVm&{=Q>RO8vv9*G%0xP4k2#y!r^X9(#Pe<=y zKNpB6`ffq`-hZ0)D#PCci1OF`Hr(V#-%fG&mACdoZ`7vtN#~qCi%&zW%kpW4Y;?%{ zG5A&5B3P#kFri9MWdkl*Pjv3LKkdP~MPYW42?-ij*gtiLZ)0IFXQC&oWc-}WHDSjo ze)lCX?bt7`(U+Pthwpi6<$nhCDz-+lxa4X7{61c2(mP6#h_tr0-EbCWC0t(S=Ypdj zdrIZ1_Z=m-9JP7yPFwjj^CBz;Q{j+KDvDC?e&ZkOM z)SXK#Lyp`A86WL9>dz;KVhZU4sJnVc{%jJns_x{PxlzEoqY32;Yr0|EZNv5h%#lwl zcW&k%rznM`MGwn7pN$+1USbGjBll?#n*ZkeW57TDYX!CYHsIlwFO#VI0cIM;#r_QE zmKK2x5?ciY0}$zK0rwS{%XkXPnRk*8LT_DQKvQ+^0G(^L*lF= z^7QmQ^pkl5=<}atDM;(zyuc;(h_#Opd1Sc5zlUz>_K6w0f8uO#<6~|IS?4OeS4^`Q z!tqMR6HLR2e^n^ON5urN|3EovQmav78681j>@*JuZZc@}*L6WwoY5|bVBpXhbU~?+ z|KbnM=I=TLm35u_g9^pNX7%t> ziwf9H=?h!Mh->#r6cZ`#l9G^p5F$h$3T@~rbkTzcGHsNx&Sg6~F*ra!>!|Ca2)Z|x>Ei9Htk0ZZao5|$=$V~Y zp}&KQZJs%g$eZVFcptlE)q(W_GcivsS^{`h}Y- zyAI>bU^3s~Z#G^6)V8@^hNk>glyCpMD_tLlpM{FA)XH+tfQ4sLbACpHC@+w9Af0i` z$uCE(XrCWR8jgGeb3fP5&l9(}+rZGauq1>%d=IM!?vA3xw*4E$=kvw@4?C=mVpQBl zwe^NPFuYcIt&P4^$@rbw*2ue=Yq8YN&oY&H+0N-^jsMsWzU^P)vtJ+kC;!X$PCx&v z`l(+<-<;V0Ef@1QLtxln7gWEac90QFc*9T)20*%$5+I*^ttSI+1++tfAjrk zr!VTy&;QD!(_j3#4^MyUkAIVYk?$wO$&JNK z*ba|e=4jsRLLThUtA~lmZU-O2sHJ|Mh9}CQyHR>pD_OP}=a==I=a5nSmUr!^Lf$() z{nh)Y*PeWIsO(i`CHZat`XBM3FZ|g*cY5~G)qQ?^`~K~HcNKRF{D)v-$C4@$8x?{?vk}!RjUB+#vZDmMi2jI zqRjkyt}i-0ee|AuTSKq=@(w6S;J1G6Ef4tlFWOp*35`5*eMH5sZx(hP$FQh&y3?Wi z^wF12cVGY1>DC?nid}b{dRlYqJj5k|qzjHboalAhSM!|0>DWgUY$(*AXNPS4f*`U-5-^KK3F6~NWdO{dI;6Bts(Ryju@f z?|=8DcHrq_`&HUsIooMmS>zenk9!Fj?sdu+--90^h`c!K&eiGk3 z{e)QlPRV};vOO%>HAnUsa(Km=Ap>b(hfZk3E4-lAlBwE~GL6_!QBg8%Nn`W>fl`P}`}fAU}bozv&P82`l^ z1;p}{brzJ%m1SAmWhx3eZO1B?f=zMJlSAh#7!K?BI#S6UofcBL%jOS z?Ht)Cm4;h-#G7H#GL9zt@E$VnjMwtQLpfhE2m280^JzIsRyp!5G<~zvdT>9v+}#hA zq~A*0yP9Cg;RQ=#Bsh*l^1>j+u>=hCk$oMNg+;Z47+?2BACYB1+kPGE44IT?q0baSx0 z(rp8T>{R61`4yGfc<8~8;jA%b#zy6{Xl0$I9Ns~mLs|DNkJ`*r zcb*B;!(8{JnsN?FV*lUa`G8RLmfO!K$PR$KGGHq5c{vnp)#rY9M2Z}K1&p#hx+kQ@ zS?yM4%TrJq+vC+P?BR(XNw&-{9E=4lh=fj*MSNcA_;FOo=S1Gp`U|3Nxd?Lc3 z?ztutgy>=z^IRI}IhgaDf7bVm^SsG$#hlM{%X!qrTn8~;qAHsCfmdYNkagjuziHIr z_K(V*tI$g7ahJ=LpEl?@k6fyI&LiaTeUv-DY_G)UX}GU~O5(2NG+-A~p-xcx>Bw`Q z%Ns_CO`sx(8_uJgh}Gv#i=BFm2dZb;$W>GXkE$0Rhi_u!$@!BW?1-7tTlD5)C^V0ftd@QU*?;a$vi zT*l#NW8{+NN;Mk5c@;ZRGo5mH!DjtSn(g9T>T%?osMLJ5saV&84`No9vqi^3T3@5y zB}cx6Seb9ryZklZx1$_As_tXd$MeWBto7o*O2+Q!F4}Rr z;h)n_ocs6wwf~>J_W-->sIEk-bMBV9)j{f3L@0s?N?5W90>gk2K@27sunh+JeYOPl zdp3A%4=`h!_!es;ZOjJ@==<`1>fS z&pK<@P8CkwbN|2obJkl(ZsPmu71)Gj<3}awE3=v_%LynmsfZ7v5`zIw^TIf0{Zb6s ziC3uc^!dp?@qduXK~ql#vMW3cR1v80 zm!7(@!##|Rqqj1~4GV{Ve{ONf8;D*)0ETWOH|?E!_9}~V+6l`N|Fz53TlS=_x9rBh zJ?TrAZ%^FZ$Ma@sbxi5WP;1xAT5@q=?vW6P2e#L3aYLAxTO1l(@-n_kvo$;tYd8vz zZ2YQZ7|*|hG0!DG|49d#<*DrBVf69evSE4p z?Ps2p&U@5RX8N9w^7r{Sr}tcZWsF8^o+BkCvIesX;TyjIxfSzMmOy$yJj7HhN zFD+QGz@Ef6fBt;CH{nzHc#h`=^6`97XRI2{0|cDKy$WrEHun@brQET23!_s4JQOV? zj}!hffn_Y3vgzy0QE{45G1e;I5y+hEDi5zy%p2-(-_LQ`(XCy6bl>8VchGxzMAkOU z>J8s9TD6}yN7R^#VUzX52Qb7{aFh6#Af9?3w)x>3mZi-b{iaMVh}Ye?BVBv*j`WcG z`ORBhSJ!Xpv1L6s`LUzzCa4EB?^U1YMZO-|5yx_Gr`p>=4!#xd3HzZPIfn$mMWhce zeCAQhRY(hxwVZo zY$Hona9Vg)P(=%aW=Eyl>Ke92g`sS^LSU_gK);xMR>_mh^4Y=hm4$LD{9C$B?TRPCvjh^@v zWE*Pl7%$^fQ1hPa8}raPAgL1ui zMo&9hAJW_nxlK%QxJ*d6Bn0zHFU!NL0<_VsY&;a7Dx4i&Vw}MxpN!GnSsxq*nyxkq z;)7V$FE{LR$@6^If~7{xjBHh1#2s}%s*w|C+gQ3>@+oN5=-U{t_UDn>CwZ5Le@$ek z%_DPU$E%1p5XAU&^zoEl8DFzU40D5crYGJ&wnppENJRf|2I?wquOFE+I7*uuFS@wJhV{e z5{vgDgi1)`ID)I!=u+dE#~(724sQ~HT@K&$=PSj&`o)CJ_g-m zxqlHKhn6ejYW$cpOXeXEF9xock21`H(I?(YjSxOD5bHqvVwWlFb0j0OVy60epOVz) zl-HsjTHYc*7A^~yi*>MFEpCW|Ccpq{Jf&B-N78U)w{enrBviPcb-Cmf;!6d#DlTfw@^7~{c`S+ zN~W{$>=7rl3t&T3dfc_gBYz)`#0Gi9$n_B;B73cf;&)I9sY1NMZh}xoJylp#pLw!Z zN3!Yx_g$7Yu3c#SGHmE!x#8B`cp6ppgbQ5|#i8jjfM-!0i#vJ>y1w&#fpxCO$Fxqrf{WtOW$F5Zvm(-<$b%yQ^($vYVF9r97> zWI^Yotsy=Q*V>e1N9$IX0i`|urp z3)c;VM9e{zka$6yxt=nf@cC@2JXFQ(Cvw-&xM_SloVlXp`fwa#YYLwV#|?bH`J}Z~ z#Qsz2`cvdmdcx1IvQ2#N{q)`GjsJ2Rqu^h=!{kSD@d+q5QZbH0$i4f;(PEr(JiWef zm$U6L-iG3Vhyk%aRyx^x*2C+U+N<@e%cBtp!hU<%^Va9hdukqW>E^=@$VR@ypY;rL zd+R4Zm3CZzLmgty=eI82V12}%>aJJlA#||5Kj+I@!yPDjr-PN1#!oyV`sh%|QDSMM zON(5*ppCE0!h^z%L$n$Vu-3N`4Qj~6GkRuaet2H$9%b3)k{dP}03sf^Z|}CWcl&L* zXBxI630;*EPD%F8{(h~bO3dKD!szpA#-QRZrj|eOMRTNuib7Kckj46?cK98Jp2sWJ;1)% zz4Pw0aM8M4rFG2(W&Pqz@=+R#*=0H5P|;jPJR|3>|KkQezjjh=}rRUs^-F}Sbx4UtO zOCDxmq+p>P?VEuib@Nv6IV&=SA8im&Pl|F3Et_LlNNVIUB9zue|Vh+ssFz4~Ahh6HCSPopyQ11s+vw5~4jhe_BoFY|Ca_ zAJ(LcK6Yce^c#1U0K9psgNu(wr4xSYbd;Ua6rY4`H<-ueszz(YM z**q_CqKS|@!{zz94Y|xDFTCNc<)w7-bbaqYtzYp041dwFTF?6CJDr;vPOP3B=UHBJ z3RzTNaml0Fs9H3jrs`RdH`CUa;WzVWuXsO3bK$}3#cPc5_9%)r3a#DfPfiVXtGKl> zhQp>6bDzSc*Fc!rxN=T%ye!8ShJnW4erQBJlY4H=OVhW#E~!Ft@r>4($^o7ISW9%2 zI&2zhp2r9@D8~i!+u9!UTznLwotBOKh}Vd^YIw`#L?Mgn2YIwt0qZV9t~1`K^oC+4(KMuo;=S} z5Ek)P0O_f|A8GIHh~`y1ucaiEFF$a=pp9KCwxtZ*a+p z7=1Lg7ZKEEQ`CD7oGmUl4&vNv+uhRcHu2Gj3>ZP<$(9-)g`OKTV~$?@%v(W8KbO3V z;YJYiS~SvP2f69Y2m>FG;-Jkf=WwifZvhb&&9N4Fv%sUJEiU;~R2Jc9mgcBW7@Btd zMIOCY7axO)1Y>JB zxg1q>b}IQ~jHua<_-KTpP0#S)>kURva$9#WIvt(`uxEWAhf@b)a<{Xs6#VN<#3 zAy#y#+mYvnd+KCQ;Y9=68D-sKGLKH1qJ{k=@@oxoZ_W@q+#BDg!sEzIZ8T>VW~& z1)vs*XADmR=9)e-?{JuJTxTyaOJBwHZPzAbr4?m-HLl~a_M;a2$kM+T@%{$rK2#%O zw{cXBhKSDz;l`rkVD`qn{iSmS$)5g)9MGDViwo^-9OA=Iazh&>VIjePES#VYB0s)SZ@rAeQ45f9vtG26R$uU&I|3LpP*Lm#ipg?I@z#(B5T7Ys1_j03F+ zG?~jl`r;ED$Z<}XSyF#oX=~aK>CDt?#HXXjD|+IA4&E0yS6rdAxb)=_Hm$L|GIM7m z-5>)df!X92>Hvq5sY$O2XYx7m=0a~bvY5Pv=!cs7WQBgzTQY1XgR@LS*UD-^8z2`A z;Rrjbm@N*x_Bvd0bTDtO*wM41riJ;h676sgKjA3j0kn%1=Bkz_@d|mGZ)!k>xa1AA z5M@01q1+hvsXXGfQq|RBX(OO@w~_9FO=ZlScq75KJOZ)7)Kh5$Y*taFRweW6TgKuO zFa}tD_@&GIgdh*s6s|G;#xXaHwXA?FC-eIqF zc0K8vvW3z3DyC}2qiYs@@g9W8{zAP9roUM4tT&}Yy{mdT9OeOlLX5L_Vi>4i0WvCy zg3Op!D*e1UuKXeOvL*A=_MNyPfgyQ6Ml*7~ct0wK=H;)9=7REAq1;F$USW59P-*p! zs_$U<%yRJwxL`gVr?ht;uO61+b;?Hy_4xxS##`JSz=h=I&~ta!F35VV`k>{4>?%^C zOg&fUF85FoJAC}Q(P`Tc%(c9jF=B#4x zNSv@!HEcV8hMyc}{A z8(+8asHNxoxXp9xVcAGuyg~+HwTgHHL5z3N$FIo64dK(w;J?8o??qp)%+Bh?yQp^N z@6XU@$(&ADX2zBQleaPrn_6L%!?(G4gKuAtB2Dp82#;`5zITf|=6Dl^-*wckY!N4t z524glFJ6!}dHn$Ca*QkHH?O4*#)^{V;u*sqVwm62s4LeEv>urkCD@A!fXXoep>Czo z|1fN=Pn_AcL-8)UJBDV-7$+SrdCcE{ydG)c(fZWo5l4njOJMPd$RyZ474bm&W`9J7 zG8g|P1?wTTYSi0__^gQWrXR$hR~zq|OWs0Dfcnfsq=#2kuBp#sS&C1^@RaqOGxxeo z<&mvs`FKPW#Io>yTDasDdh_7j<}(beqoAPqJq^_;>50#Ph=#B{vc&kJgCsW`;;3xY zXD;~^jEGvFG*fhcJ;Wuql&2jm!Ai*!o|4#5Lo8v0k9xUnPjJb5Q3*Bi0mm-K2EL8G z8~FO%Y+Ac0Z8~$2ZSMQXrFW&bedsp4W^%Wy(ltxQIB9b!EPWrIj_?mhMNiyOX-uE~%70dj2r^SZ@xW&Hp{05K@rfbcLGPig-*T(b z8G&wD?8_Nb_N&>?ya~;EYRtXRmhDs#chtChjJQvMzRM+TbIHe|x6r*X8@1TmHOxKd znJ!=JtKs%`GWH3KK+!MY`u=RuA=Y$>>5v|HtiKlZYk1NeF96jSq!H~}XfZ0ect&q8 ztQuu9XKky!N<;~ZcQC?axp+bIUM0}WBY#?XHr?^&>vUN*;pwH+a=o@bI4W$tfR>HB zc!l&sJt=7Y8U4B3UXW&+V2sWba`D!Xy8QGLm!~(s_^@1GpYV0L{KxX8%XiqhKZ$RV zJynhyqsZ%5@A`(mwb;L0%j-;LIj`Dl{Vom^??oRc+r($} z;)p$k+dMEeeIC`V(R#E${a;U9n_lq5<^xRHEn9Ws32o8Le9N<+X*TzK`#b5b%f2?V z{gA=cOOLUxDD@gw?;;-aIBUFXwDl+E0iB>}fao^sZY46V4 zp{<^EAw>vHSzWNhNwym3Vqo%7re+WE)c`Zz<@@u_^D|N1T9 zK9GD3FE{vIchkKlFZ0FSRNZNU>D)Egw=8>i-I4a~U7zMJ@ZS?p`#v3JW@`rpERqRl zRE`Nc1rJ-d08cwzksg26iuAtE-kaY48EpFEYuhXH{CNVm&p&sy>C^3--*;DfFE*cg zJz9!-eJpUj;+p&TvzD9wm%g(zz5jFfrY~N;)0(FHl@i8#s_Nvk8GRr(sn$`t=ZCIalK$xV$8{^FNOtYsm%e_*-RaN&<_i2S-mk|g zCI_^deY6`J9v3fL?c>iOLj*00lhM~N(}zvHUTK~Wf1g$}G_%~E8~6B+8~S)H^55>= zyRnfE6NsuTb`eyl3dy@XEC(ELQL(CUka;*N4Rk$DGP|Id1ODj;Us;Y5-MCFh+S4B{ zJ=)PNei1h;VpT&@iegl5HLXk^nx>+9@rme8wPMVU zo}PQ*xwk9xNRS_v-A;o9iWW2U_+`0pc(eLqDxNW_I$ZKLLQ&I`Ir2-B@gDTyEA`Gj zXZx~c4yph+wf4Kis-mqp#LdBhJusK5aP71bC_ao*ce|E3`Yy&>sPS)e$z#6ze1Pwm z7NPFkLwcGxT1-u!7V7emAC0GRb6>{q<8M3zPx|wl*GHWH1$z~@KEDcbJ~9p18Hx+N zrlcWWB(xlTD;UFpP+r96jA7UvsAd4wTPs-=c4~&S)xjaRza*!v#u2!A{gU*clUAn_ zk6w|E+Ppj+dFZmVa`}R^U;&MOR({kTxaIa;>Bd`kr7N!9mcISNd($_*cXzt_2K>;G zLzWjlkWm~q(oQEc#*rd(Ch8lS6keHLzwo{r-f? zF4z5Phui#z6l&Gw@S|~ys`bkIpsYh`fYznLy-DKEN)L())!sG_d1E1lPjN%oSQyF0 z$D@Wt1Dvyt6K@@JbAfoqnC~4fd8-*(uSTK8^Z_+}reTG-(DC#V;j^N6LC?I)C2t`* z%%ca2XY`(8^Q~Z%y1bc) z?mNe!W?h95KyfsGhtS%F1XZ6;B$$G_-euQpO|{-I2L5S%nj2RB7$^!;!o3yw?d7bji})Z$MXnbgiHem6T7tm59<_MLbsy^M z6Z)(nN1xfaNG=`-mzE_CF&&&sJ_@~^K3dFi9G4y~>Z0+KEdTs2CYX3XYMsG)fCi~; z=F8J6VZ{}w%_Y~o&K!!=jRkEJp1$?_zp@dp(CvS3iIy(x=BK_3=r5+R)cp z;1J9L_Mnndz4$Ovvo1qia;--i-^^paPUjx2=!q)}?_jM{)j|RVwX4E>Jq@AQsXOjRk*q2<7L8KOFDB|cEk~B-7oyS*PGm7h(x1!4>7w+4A zFE%vZndUFwzz`6_bG?8mkk|f*M>=DfjHe#IIKAojHo7W~=RaW$HkYnQ=e}gC%feju zoiF{hb-sx&EMEHSYtw^|TasS(*L-a`W>w68;T!*-^|qOh>W7`pdA}mP;59d4^R>T* zb}+l>R@JMU+gx&e<j?@7Lx2wG0Pilu`8_%%5AR;k8rqT|50Lnr!1wb6LD-emeEU zHR*3(d20H|=Wa@`cR2y zq$ie)aZfu73x#W}4+l>nzKg6g#WX>OMFv1|Z2TOvdOon9$y%zOS$bvX=dAn9x)6ncD z7<)Zh8Xrt;)CZR2PkH2_>4Ik*WgGfl_wFl8`1S`|sTp~uB)dpS`6Y3TiuwzcULRp( zuBcVL^co1gF7Gb*?GFHPT^EHbaD^72hfCf~fDJB*Ri->;)2$b17ZZzLqT`gp`n18# zq^fsLZ=Bb%6R$AlyX!$N9uCD7Si>{KCAXj!xIZ&xG>qB9;0bfF7<7NU<ODcX7f&%83`TJ6!S>2F-ThHqKcP;|?zQWR!h{FtF(g-}|%9KE&l5xlto*;;84!c5iU5Z+_`a(!_|^>Nht zm3h8mycA$_Q(eR}#!2CR#(OxH@#s;)%!%3OQ#(-{m)eL`3alMFQcyK@ z>5C5|bK`ipop*Cte~^pS4%|fgj~JSsPOU{|sQZfX zC=V@+#s~P)NEOL7ULBqV;jqPB3O^wip8>tK><}-7(?Im$64)&gS!bukmdy*T=FjJ{!?Kym&foQAhikTn(S+qi3pYQ z{n?Z~eVWER&huCEx`9x%0g=9V)mgeS`FKy||-d z=KI?aG_&Q^TV_^xfMz430bYs2_ZYK$zZr=Xj+p#E67FEc$Z~R~IaBFrS9^j4_f348 zY!hA`f*W}FggtJ|YZpF=kLA&4u1df9*mb#@a&g*v(YUJ-ZLU#}Tzmq;RdYJ~`h+PG zAGhMuQPW)OS8hym0%h^=Nok+jJrS8~RWc2+ct4`AV*I9JG%)K$OkNS}VPzpyO4GQH z4z;B@78PMUGD}{+D&pf%^C<39;DniKc&DLaYV}Zi+g$Q4%7gkxd=~6xtnss!V3O$j zbAy{4abT{?e=I7y{Jlx*Rg5?L-iu@5vYZj+&dg>@*ycfQn2!L{RpF^VABM-7Zxs4mw;8~k{+faXAs3@v@T_#>l12PNL5GxJv|h-b7|2(9rIZ(-jiK5pRS zQ}njp;!h-Gm@vx`o19VhLw~Q?al;;;cBTz|+%V;@>z#+qeEb|?mKvGta{P&ztEF-W z9&+Z^_x-tD?|R-g4TrMoaD_4S^~=IFxa0-ZPTjAZk5}rBDGS%EP6wTS+MGA?ZNK{J z^r^ERHYU_eI^SJ!a=Lfns=Pk2rJNl4K0FOI?7F#U#lstJ_=LR+urZIX)8%HpCqL?_T<=fo^Y!2j*y#86SNI&{W)6+{{`$h9dx#AZrXI|greHMGMsd14u@--K%qOK$+B4cSpVmxaO-*&%=tnE4% zH$*6yb3NgP(RSh7JMDy}cw#A@oELhI^BSA@WOwQbOF|EQY+YanJc(~*-oz(eA~y@3 z|K~T=qW*Jt6Lla%7pUZe=q_}Bs)6)eOSgA;iEL+_K`b@y+q)Z2 z#rb~8gKC{p3he7LzkQU3xNKA}UZLEDh*yQ4#K+g_`p=&5)J$yXTgdnB^5U@4!4ODp zNkVhjpyep2>_kUms~zP6g*{W!57Op_wD+d;p{I!D1cCfwqQt*8u|sn`PBL%zOHq@0 z13T)WFS*@BF=m!~k7T)Bq^u9QcrSXNF@d49RO78Inr$vUTcpfcc+`L$2(+HcJ!@>1 z12eKUa=^&zy=A;3_wk45;}zx`qKGUJ3j>dlX7`k~FMs-Dwk$HgrU^qS+F zxh5{_8K^GcCL)I0>F7qhxni+anSI424~?v6ymfH1A`~Bs#nR4r9e7U7e##9jBT`v1 z81=h_vrDP4R(v$F+u0E#jgM76K9m!@^m!e7gHF8OqH z%d8iU6i4BNQEeIPoLK6;U2U%UJsIJM=2f8|%O!UgBoubId}> z?a6x)@MrK7>VZS?+4ZDzHl&B2zBYa6Q#Ysge&S~Q}MCdf?#WS`(pU^QJ3;&^jS$24MgohDD30fA=7Z0@i&?><$hYji_Z%jY0 zih9q5u2_cA=Wkw@!l8KoJm$4XyNQmYJ|efqRpU7+Gk5T#9ldqMhrTyUB0dgvIiPoN zU1*v&QR|eq%w`X|VAA(#&qe*D%vwBXdmyKEtJWXs6+U^~ef%{#eg!bIfi$vQ8no~- z1vUSruK}Ag!q5gJlC9S-i=q0y02n7TW6nIo5vO8?@a-7#%q5=@5u@QxoWY|g{t%bk zv9De7z}%Yk;(5HIniedL^##JR?vTvL>Cc?fjwhvsO>XNBMym(4Ao2c+_2L<=VQd@P!up=#v$s?f?(NU_ zozX$!1>LsGC7*&3nklk0=O=~Ulah<~qq#6IUN2r_1d>P>ye5G7Aj&=bl=KGEvFxP> zQ*TX;KBJ0UJP`BRui_RrIs8}}=$!_4xit|TYvFld$vg|PJWd?cAHlq_ndB3BkwAPj z#=O<|HojjmSJn3-qDIH*^6zqF!vEP(R-9YMiBCeAxpC6^7BW~v7roLCd^9Iw?`1$(dGr6osh4+7d_LkFcZdIHRmM)&34qmmu^3Ll= zoRsy*4TiWJtDdo}D4_UgY;~AAZWJPj%oVT2_5D~kDm8!W9~_a6+_X4-_UrfJ=~&lC zH=~cy7U{)h8mc{A`PG>zWPZ#P#VLwveFx^b|Ub?`Sb8IR@dLhcA0^r?oV|+XxTJ}REgo}MZ~2m9;{xxf$kuGK854V z!?ANZV?htK9BNoRpsARqU7TiOnZPt=YTKaAvmjhyZ~PdlOeI^Dne=iBVb zc{We5urS54zF1RwIQxcrj$3cpZBOze`UXC42{-nA>2iNfFMEcwZce3bCLXBo$8ukI zjJw9S7dg@_WxN49xsm_?KmbWZK~!7rSrZxt6_>n;@_7D}4oasTztoLJ9M_)pkaXkw zKah6capwr_AHT{y3s$9Xt~|vifm+C@`gz`X^d8CU51i58AV;0*8P8`UmH-NujHochwY+=8b}?oKaz?t0rqrTX@UzBm4hzj8OGNsKyjiA1wJb8kqg zAL59}D%$yJaHIL)wV4i|gyP=a_t+EpM%xX0%r$(H-caENyeH#dT`slP?)nvSEuOSj zm%dGWs;944zUZ{{i06G!%lrh?=aqFE^u(LEXV;y0#qQl{!Qxd|pDlX%QAb_>u7qQ(T$N$_4Y~zi0XQ7j8*^_LlEWOo4A{d-5X=O)vTNW7FC-{_vM|2Q5yoe$mP4c`yG;9_NWp z4nU=EeB7SqV8-+~YqMUW@#P=k(3T z30%RbMok>a#hX|es$#MMLNmLu7eZH)IkL!uEh^+uF&@p0wb}g1uN-@It`BX*RsN1` zUfS2xGkf}`SVepyqB81ze8f3`9JekvIgHE<_0F>!xf_96(A6q&^Nd!2W6_C7O->aS zE=r7)xk;zKuV#i!$p9mTz`M))663SNBhjtas8&c%d^|F?-8?Y|49pOhyoufx8&5a)bqC#L?vMsE%k|=rn!Lqb zo72GS#S6lqRp_VPede5ctYm2*h%V4Jx^|e99QY->IN_P*gBvv5SDM3euc;#Bn9SAw z0^R(O1gA-)k<(FH6A^}a0H7G-?41^ds#k!FmR94SG$a%kKID{x(tm#RCOk@fjZ}Vy z|4uz{(5i*$8ILCm@cWm=pe+)yyP?brW+OU27(0l z@e)TaI34~z9cCPF>LEtBnE^+vUzoqujKcg4&R{GvV;E$+d=mazJO_yC4wt+K;mR&Q zRGC+Fl&?P_&s_3J=uWhLsl%(w+Y)GV&#FESwQrg{d`JzHr+GaA>2i#3jMr2|gE-Dv zPyQv(JmR!Cs1?n_!s(TzH$iWJ5^tcJsGp}|#L)N}^%gZ8wXbh+&yiVr3ksK~z^KUe z;u-y(b_R-PCjX(g<{svF-b`jR?j&xTB|{<$XM2d=WOU5_vuH zanEuai=wBdsJ?KUDWY9$bQg#&xS26rH~jSsM@y}m%~n&mI~wLtw{)c^?xfGOb!!@qYoUKR0OcTiDrRs*; z_t=yB{`Jzk)Bm_|vu)s`1z)v$*%jN%6aA|3HILJH72CScjQp_q5Ip(saqH59j$4-2 zuJ%`eZr`~tU4He>^sOry^X_!*O}os4brWLg`|s?CUO)nQx<|if9(lES>AO~k<#r9p z!=b9x?iO!$A7-?TkCcI?FZl$F>$ZGp2mEHAB^dwXZiloQzQUo=JtoiFETK$|O1YlZ3aP}>C$pIWa< zt5J{QN1~tc$ydMgv~}rz$1F_?@eAx*@7$X{bjjW6Z$5OpLN;*u()sCkpLR$({iJ1S z`I7nR?rrbD5X^+i%2cC&SJ2U$qq*O8oVItY-r;bE-avSP zvwS&6M-FjyxYj4-aM-#<=->WV=u*cv@V)gGY$PqeSAW54Zm>D|vgaPs*kIY&(1$1V zF-H}i{`kL7d&uUz8k%n|-@l6+=eUv;J>@(X+>F=Y*00Td!@Itj-t*C`@C3di?TLJC zpU?h-Po}LmF$bRqTW{Ky&Ux+!?Wug+sHak1&HHV(VnHyCuEz zgV+AVnz3j1_Ov9e$zL~HUsJnsWM=af<3`jDsg<-JI6$yVDkkThr=v?Y#Br zig{boH|8CczBli1AP!8Wp3IXkG`Bio?KSCshx{NNcks38@Rc{GLzd$M z2!^+8Uz4u6XG8k#?a1$zW72nSJ3PWfKdAjfD7Bni+dKx`KHZ?)Lc1w~@8#>RNh>z| z0C;U$yz<7hcm@8_0P4H9ADnjHeMs7N>*49%8;=1VVF5IL3ZGHol!kal=1`|0?r4jU z)emtvMwKsC3PSGZHql)H0-x}l=&s=Wp}+B2zaXl5w{xwB{>JC3%Ot{?w}c;B>`0U9 zxi*$)Of#ZW$P)aFlMixU9l4qBpDw=MV%Q`LeN$0~OJDv5GmQ@CL^azMH#wYzcn}qj z7;Vc9bdk&HM|>iB;!59phb|jo4f;7@C zAl)6?2$3!U>28pgZpqQZjgHZb9%I00?tQ-B<9Y61@BiRBc3j)ec)efe+UGCV!D1L1 zW_PuV6D+AJPSULTw||J#eaXM0iTGLgXGOlWZmLDl(85HZU`(;}M3 z%CmyVw#q*uDK5Hx8%tftmh+XFk;7@^_E0^DB3TJ6_*$CGE?l2JUdNh$&M?qso#$t7 zGgqF6jqsbB1qtsAcW-KM_ier8cU6W`vw{5@57NkjK`QZHEp)`86;e^*{-Y^$nf?ZGE?@2hL`E!)?Zq>#?aPO145GDt(AjU>^*=<97(5$rG_J`6O#B+l8G1zHwU)S2t(1_4W1{O79)2sE!3>^mmx z=7nDTn18p@1>Q@$$|)i;>5XeSQLUs<0gHEMQaM#LCKD90BtAGFKloV+cs3N!RQ9|w zOAEr~OnnwUmA`d}yi~b(EIBEWSMkrKJ?vqUB&jwZki5NpPlN9o0Kj=auDugoR?r5U z@TQB1{oqbGPhi!po%UD*&K-YKyZ7>U7mHi}PXDeu-z8Gmezk`$YUl4C4MGXSmCZs1 z$Hl}O^t8$J%m^+6TG>}54rF>M@wfSYi5ifdhHrpAu~>3v`FO!Z-zq(TosGALGn)wM zm3j@j(zAoJbe>-vN3)#q9Sw=EXIY|{U#WVfThq?Iudn)VIqn(5*3tu(ZG3{~mtK6S zoee2cuhIjDT-ra8+$L)A`)4;7X>&D)ulQc3uV51U4gb{^dqg?yey97LyioCNF%$`0 z^dAW+)QZqxUmKffg=Yz7A%`sh(dK`I)>(OJ`h62OqDnsG?yw~Y19p_0xyHjuEVZI~MHXDD=w{P1Ys@|>dRlB>+*`af@S>(Q|zF{L%mIPCc z1)3MmUSraolv?XkVSA_Z2(jI0FcwuyaGRIK-<*1g%kq)e4@`LtreC=2Mr@Rb?w-Mg zBFFVs^hNM_F6yS>^$yX$!0F5IsR~2#$7y8osPp(;Mc$|av?5)N^SD>2BI$aWQ?u#k zjsF(o_LM9#&Wko|&@|Nv{508OYN^hgr4udSg&zpET>q9964YaIIQa%#8fiotcNyqE zhvfdTbsKbx{qY`9T^}RjB>L6N(PjKfJLT`zW=58Gf7skgJapvMZkz=E`h{k3cgXE= ziaSb&R}p87xh`#yQVFh5BvmyrbZe+DpPaAJ*UXmNqHWN{>PnHl&{v0S#`$O_W8&L{ zD(Ov@XSfb08P0y{GS63tpg;3@3ke^a#&qoYun8YOmkUnLejqZfnU^I}B1u-{=G16_ z(lpnO0};+OS>YD-LYcpzk^L-_lA#XvH>7)fnBRsM?8ZMxAT(x#%;z36ZBQ-@<~I$7CH_Ce_%O*Nw(UjtQU2P zTn`)dRegy$&}i71a)ur_dI$)XG9KlkVHe-?FJ?PclU*#cH(-1jac&xO{spd=i>-)A zlgol z=Q&h1+kZH0R$lB?n*6{mvW?Y%a0MD($VAVBt1m5^r>e!U(N>d-#`EF=r((7^0(1UE zm#u$n9^`X6sC~QzzxlN!cvuI{XaC7Boq9FIM_s?^8#!~ScbG>H#yex>AalCdL84M+ z8hKcHyj@XTplS$FxY(?aYvmSq@{;LGZQ*&BJB^PxtCOXs(OX8JMV#mq1;yZnj&8lv z@Ewv!M7+h>Zf2k2&n45MRx22@VZm8shQoAWtJB4|mbD$C0*OlS`#I0yf0=c^-b%64 z$t_TmE9~{SQ4F!uzvPn94IY1mk&-%k3vxB)S!)&^R4(uIk@NkBh~+JcV%ok!$W=9V z`3;GArx|nTT<;=Jdg|^=fU{l4in@F~0ZwTR_Iv(O*wkXijLLS}s?RB&US=d5P~F-r}FvEk>3v{l(g<7&(}1?`H+1m&E--t zEz{MSkkh*4Q}`xCItvAwzUyy8I}c(#RvuYOk;YUI;AqH*gncZRvwTxdV`vy zlQeVu->mbd^hT2LzSPjKQSWj=7k$4H8TiHqLG0J&e5kYNM1X+agYi3wH8lkCT_$#VU{{2u>q@rBF zQO;_0t$L;vD5@f84h5PwP&b9Rqv_@`cOuc+m(@9V2{i{+3fPI?RLLxA5a^ZxQQ|5aWj^Yr*j zz)5Fy0fr}mkI9d6oO7crWqqviwEY`oi&pAWMC2hgQ{*JP300aPk zfV_4}J&^r?bDe~iBb4&IObx*oYR&$Qr|xyy$4I$6y05-1GL503qNyQC+-w%IIFYR! z+8=rEw1JB;cu{{v-iTogMWy>SP$-l!em&jlqAM zUq;C=)+NQsc7>DD?kRG_&$1)P$@(pqK3H@en6=X&dbbVLfD_+`qJR4?G(csfs?sCk zJfK~p4-5!Mb@FSu zg(MZ5fEM)UMUT>!<}z-MogC$}&*vnQ(x*@0p z*#*$(06e($=6Yd}8{TQ;S!L0GiFn89p=lXm9MQmIEXdb>+{}PqE1zMzk~=mw-TAUk z3;E$WsS3@=dm2W83sl{PJS3uZ4;Iz{%8-Bl#7G!O<846Kk%lzW04t{iY7(m z^F~(Bzb-pqo^bg6Ux+$Y016Y+2mCcUaG1FM9rB#bEX6>u=eUnSw9T*dT7SA1c72{W zwC+|pE~4<5Yd_CLr8#p8F2M36Nmfi`2Uldbng{U4NLg_8lO3d{&W z%;QKl5p))4>WS)df{%9&h$_pm&(|F&e2no};)7CNs8kpSj`;Z9P?G)Ox@kuX;0i?A zabriCr_*$)#>TMO|Sy@UySi50w^zP2&e$?>~(03pt+n(20z;_Dt& zwLxyJ8fOz;qp<5eoh&BF}>6>opnc^ zaK}r*fD`W};2pn<|Adbp9f{oVM|QZvd~|ohrQ?n1#qyN^A{3PwH@^Y&F;&)oIP~FpJLg4k>6rHd ze{zvq?75-uVNEOiPog)$JVBc)?Ja-nbyIA8hhg2**ka?9sdB@lDaJM_rrM49ZNJ@) zY~*cFEu6^D*|PCgAD^l1$M>?r(7~2VD`f4&3@tx7@mLfrSG=gA4<{uf*LWahBY z=JFXiFwl?@P7Bt;aNx&qpXBGk^R_&)3hgT%^vRQtgjZ`DY$n zpb{u6bi0}R?~k%o5l0q=ltAYhkBR}V8ZC$0a{AfrXD7+#=GI<4g(izpfum^yal&t` z7MzsFCNEZtGPfz#2f?X%dpj6mv3q+^oz6pVtlK}Rqf*u7Joj1%dm)WkW$l0zZ1?7D z*vllbQo3_K)Jt^Y;#;I3_spZ*<+X#WS19`ttR{Byf`-9kqVsrChdn#y5w=ijtbQwB z@t@S2{g)2Ls2sanz?lWi5xMMdF|ZH`Q&E+BHl$c{u1>T@Fb;j*d1#Ztpa^F`Mk~+G zJl!MYzQ*HjXRr&V8eJ+=o-*NB+wgFEwt2bho+-J@j&1+AQM;L|aZ+qbO+V`d56yOh zV+dM+->WglD0F4c{JgEN%Vh5>ukX>XcihZO#3C+9B6fvBbY!xms*vOUY{_s~>rwHk z_mw&~9Kq7c@6flZt*m|zK!EI zF5~=Gp4o813Vhi#o^jK;K1o)H$O=QJ!I@BKLxeHlGSn=SW8W|ff=!uMO9S*uDIUx>y; zjjdYa58zk zI+3F>x_-|j*?aY~&rY%kts;k`gG6z2 zp12YT4jPu|fdF#BEFVZb_{C{7X{}If2>ejnCt9Z|Ylk=_^)G_b9NM&#K^_8R?Nd)j zFv-e1X3m5cg-0VpA#Gt)Ga`jLw?C6+kvTU!deYStsIYKVyv&E z7N~j81q%`m&6)dT^&c+c6YL*3sI@uNAHF%fr^&t@$E~JiRUEI{55KJB0@CMNBLv=U z`z`ceuuE3xB<59^v@@!VlI9QlQWeqHK^Av_8b>3k>0Gjq!)8cjM@*EvD?Zv|uV zPM;&=wROy%-W_m+wdvQ+(%VltA+pyFn}34JNTJ}+tcFu^#SR?Wu@gNreV#l>y=K^XS(az3fRILD+2 z9BcL-)c@%A4uAuer$cPWtQx~&>#!i!A(Wg!f53V@r7>kr(!(c;5sag0KcEMV7P+=; z<9UEpK4kE;BQgPb70SJ=~YF=u{|n% zl|2QXf)tN}wsUwqwFtFL#xLtU&UKgm5I=JS*tVM~%|+6X0f&MW5w-Y>0r{3sE10Ax zT0}Pc-*LBS)ll;3qNMD|sQEVR6+--^-%B3%3WOBj75Ojnei;9dm#Sjur0wNenF~`8 z8F0*B8$@he4C*p5j4dwTgK7wP6(j>d?Xm!>s-cbpPM{e~?rLHjN~i}%cOXsTE(2l6 z=v`3lwiIo;)y;kxPII`3e!)5bBtzvyX>v9kT3}9UVEBr?O$E2iwE@@nx*Zh_?%gX1ZeKPogJ6*^8#_;jt7Q1k)(l5yCg@ z{ecT#XB)$-RH7L&kyopu4XJ2xz)E?!qP57yj||nT%jIkq8_Nk4x2MTPQu-eTPopQv zgY+2%ysLrxjuYO$CHkPbl^-?_=<2(>Dir@GJCAPU>X=kc*#ILb$CT%*nyIU1u8Z|X zNK+2Drfdq`zT7uT`mt=1&Bm+H&TH7BR7wFg?YksqP{Ri|I!jp4D&{EH)8 z2{z8jn=NTyy!eDM`}3f$BH|buUobq&xC(?1(JO)59c!T}k3cbnEa_#jCa8&Zjf~z=BR#UZFgmrF87Vz`0oy;^*_5idP6K5_m)A0_%56`&D zxRdriq4`MxAJYAB{W@DgbrFYgABpp(;t@`p1@w)+W+vUb8y6_dSFLf?HHJmNC(Gce z!?*$x9SA#5cB4SMRhJCUbW6oXsB_fd0yGbld!rG1+jtzc#-{>BS~<*h(xPds^u49r zwxi@J#kd1~X1trgqY76XPmT;uyXwIIVvfm@r5IIa7qu>ldNSTP`BD$WD3W5AiJ@+UujQdRB9cT5pIyVoSX z($D88nkV3>FHo$8+N|2Gejds2WBlq9n|Rw%v4*2}>(lg(u>I~)&o>_(KY)8$tB#dz z_Zz}=1~e8Y+746Y3W>A)o*4-}773iyc>KKm&TZ4bJw5+3t$9tGHO93;y=ht;HOjKy z>t>sfq2qJiU=;sZ>`n9F)`>r;@Fbx^M04*|TOGtPH=aa2==H)MKRsU#VfZ8j_nSDj z(d7?`!#*aUjQAfJ4d8k}rT3Fb4)S6(mbaF~vW)_e&S`x1WCyW`kotyie|*pK(30~+~JuE!cQ;wK4#yXB4ToEiqHCixbt$U zo3#2Mg_@S-H{vCK3jA;Eelg#i-ugv2cqbqgk%vZxs&?=MmYPQ|SX3v;`TiDlVwt-} zRopjE(C25-v|Jq&9i>&yy~Npm_rR`e`A*27mo)Wgg1T%!N?A1dveZ96`<9;lLkJV4o3Ahm8}p+FE!QPX z7eJ-#As1zx(6S)G$}||GQWB|`OUKn8V@2jV!=Fa73f__+3|-Z(fzIT|AEkKPK#-;j z#;u(`C=CbK!D8KG%jW>SlsR?K#G=Eg?};`kBreJMFnjQf=O;=l6JMAOWXSNyS~^ao zHhKpj-k!nlAtU`?*xmra@TnpEx{6(?y(_i-9?-35G5Obpc8da`^qVo(3qUlf95&tX zh_t(tN}R>$O@e|!TTXwh4u$!}wQW>q)ANPD|3xPp5Mt4L{=+>$|ERUEyiA4U?WP{1 z7jM$QFT9HS-v3|Y0LT9t2O|I9j069!i`IiOqCXCvq$&dMSJ11QT|ag>Hrn=y`IgfV|lo=9FNPZ(y_z`xs5bik8oC7wck{@@c7Aa zz@R~Dh;qf-p_TcCwywqwDUqgiN^)k?Z>L3E2PtbdE%M{i^@>!hh_}b&t?C~G0i(Ne ze9$H{zxg+gY@C)dyjlELY$1Jg(Z}@nx%6X4BE`CMX{g@+N5nkeyU3H`7Pa|LI^aRv z+nORdkYIkM{g6aXy2{3_^(9@i=8w*z9z&;k!SO-bf}T`J$l*g8u* zddd_{>l7mWWH=;SN(di>vo#v*=fIQIa-vhHntmyYAd8s=1YtrU=v_=5f*vwI)r zVU@y?Dsgh#2PfvXd2mRe$CGD*oyEEI&m}Q*Pyg8)F7_Jyz8nQ0w^+C7BJc@{!D80$ z@Y<=Wtvl-pZ0VoU6=7~!uE)KR@mv6onuY45tiqr}b-t+1MtJRO~BXmUBQ> zWp73s*QGjEFR6&-_b;uhNp#z*cC3Y*x-G-bS;S%^B&@39pGii>=yu|`84%LkGzAD%!#E(;17L9s( zFBRkQ5}U%$M0yVIyJ3JaNnj)-V`#4YHb5IEUIxOeujCouJ?ma!fb=YSh@e$OmYShI z=Dk*g?A~r*)smLCeJfS%IUJ3*!m`?KFjiG6o!-9K&sON0t^d+feHxj+iNmPR{iZ7% z04}zDJ1ezhg*_?8PXDmr>No19EXit)&Vx2#X0L+3PqB!UKRaob_;K)>AUvu|p5XV% zCtwG4vg$hGx}Y(>x#hHmi~ z3j_bAhxjbnwlUSXre}1Zv=u;*<=#NRB+7vZl3`Doy&c|T`Pj<9?Uc4N&5dx*aQKQN z5|LyjC9vPTTj`FFyXkChNljR!na)V$HO490z}jS|z+$F4zq<8$l0Y<=63niwd(;#+ zHmGMDXTd|*oh;=gxv4g5Sj=coxMbk;**Cay)Lg9U-CDmU&?Ppw#R<&EeDhuBX9IEe zIPUwjCc}kq*0|T}qh&jviV~R_>INjmC*?kl>@Y_&{C5_3AGb1Spm6thW|>u`4ua(h z##a#Ae&XUDuCrEIJ-vK1*(76u4WVifb0Rj51CeKS956Lt@oMTr4=;rUsMs!u6F_U21cj*8>n9Y5!Yd+R{C%j z*YVZtg-^hbo0R8pxEAn$QG7t01w_(ZWl}_BH1-R#R6IHHE(lz-!c3Nq)AdI86k~aM zdp4Tdr;2{+=(a1{O5~G0Q*q^H;tkyCW7C zE9XgRlVayUW+vc(HFCG@t^8Q|&Z{2P0*A}wBC=wH17@6L;q8kDh8q`QrNl`qdS~n% z#Vn!9VCae>po40xhemEwb8f_7cW3xX=k%W}B4hiRT=3G`bfMMArS4nI^c?ES9kX=Mg6vB^T>{c+EnAj9ef0g{M@++`kbVGq zsmZ4T^5WTtyvv3Un3@j9`=~@VH!ty9Uu$g7=LpbV>%DSQjTim`;VmRDf(D*vZZakW zyk2-xNTTDQQ{}tz$RW-lApfUoIta7dvAFm?aqSaSn+f~DevH9a;VakEdkaxs%qCQ0YT$oIIXNN|jW>YeJ)2p*m&=W0M-L#oX?eo~vbIezQiA>yudpO9+OG ztU5aMradB0icP)z==5lTdHKuNR) zxQ9LKLPU2a1#ezhx9p1T#2hP#gNI1$_Wb)nlB)wo(%E6@&9f8?46{=`A^S<1rbdE%(C*A_36Ws=EaL)jqfXuDy{Ddb>7xV%8P%K>J)`EW_I;=xFTVhmi~Or@o6zN?zYH#Y zlemJi#w3=3`uzd2Zj&UyS;1z=evR1hlJV8QE}BjsP|L-|z72G&ecK!0m$q+@OFXu_ zDh#cJCihDGlRMjGL&9dnY-@Xwyt{c)uV3UrE(T-0S?|d1Qv52fI+(VjkHpk`g`I{awt0zdKj5%zieID(GezBe{WNSviv=q&Y%ppKASdkNa>YI( zf}7K8rw}u#@{t3%BWNbhe2CW^p-?7mrZGcXyfFB1ZSnpp^9+ynyVxgl3v>4^qN^BI zhX3z0_ppUa9EY&#Dcl-#pOrlEgS zl+$nGIXaay&zckYCiX;r7jCb6p5OCwvvc#O&P1B7+pO5{Vsk$FS8_lPKjD2`s?d8cyG&C8Lk@h=q@<71mh=Sz#1 zm+v@dSZ#qR#?1X;QyaNiy8^K5XmE<+CTl;_xf_|Cj8eb@ky=`lok_>PX@;g?PV3CH z`zy$Zt5a9)DOvE-{1?-au^;<}2zjKx8prAb)?02Th?<+&E=KzAL+Ez#zk;-WyXMUF zjJd9EFZSNz=vjDP$F9MNadd)N6zkbbefKEQa!N8ktay#H5wBL}NYq&e`-0P^yUvFU zs6g~A^NRB+O9=9oBEFAzVkFmcoZY@&YjzMZw*uOER!aRh2zr_s$G;bj8vR~tncP4< z_nPN^tF@LCTzI@+b|%+;GhD63ef62NeEQ54qTlchD4bOOITkWt+cs%R?x+3>PFA&) z+Hrclj|XbK4OVxB>tk&6Bl%3kr6fQ3BE`;no@*=@x|-_=@Tuw>fcIqgu?ezC2(ltEqjt~3h&ObZDo@pK zEA6bTd8tP{7yTwq-A3fBP1^+~7Xl(2m^Sx!LmHB@PL$h2}?-^>ByBN`OD> z|MAY6HM#0*MYQsD^kju?&icTdwZ6DC>)J#s(#q4TF^MD+?(Z`eavaXLlpumrw-6BKyS{qG{Xt?Su{8?{=fJ{Kxp<&3Ra7z8 z)z!{bErQRVM#`-&WQBEPO5C*X#vQPE>y+83{Xxd@8Hl@*ExPzMu~SUz6yKyBfG&`~ zH#O=tQ0C{xDxo!v7~8MlmyBezb;oT~?#q^|bT!N4jljko^e}4G#?r$FU3~2k zUF76x(Jp@d(XoMh_ZZI^PYPfE%X(GQd9J^Re~8y^pVzs4Us>6XKqI+^xDFx9LUL(g zeyPOS4^kNN9(cT6_@<`F@s#C#YnJF;le&E|!E;BV{YxE~cq*>?=(?)(5+vCuC%juW4 zV+y}$`G706PLwPrUc)*zmr-u8gI{za!!|QNi^U)_&$;)hS{ic6RHxTA+vVS|WsgHg zeZkS_;cOJcosECs6>O)&^jR~}uZntmHkxmkaBEvfE8o=*ERS%XZn1}gz|KuW8DAkR zrx3@r(%OhVFcFRQe$A4drIY+Sd0*VWFH%JnrKLKZ&zs!CWx55whcIo{o&sKjuhL%a-lEs&A5Xr zbUNi$_F(@2HAEo!Y@usbsvBr5Xe((mG?p>bb%H}< zqv2o*mRp`pnZ+}@0Dt1^s(RhGB9zi2^mfFsLs>888`pgxv{E^C z>2%h8Ba;Ck;v^~lU4wtm_h+d^XNgzL0B3fxwqw(~3dz%28w7v)VUY>gRMyY6C$LWG zP7zG)Dqt;pIbLz>{`;kVg8tk%F-UED zkUZ#F+MoZ`R!XpnWJbIqs7?R6cS8AWi{*M?H%N5`p|Ml+!$A{U>Z9s2k?TWfnE#G) z<1H-ftB%vX;nx}}O)kGRmXorYw;rDNiZ~9X*W)X=O>+NRkEK8<>_ZWZ>{Js70?h{A zVTep)(CF{YN9(M7_Jws@0=;0gquoA^H5Eg9sW=?(PX^9MW?3!j&|gDt#cjQS=!A1Gkv?MIVxC{1VETRno=cv;Zi$) z-@AngIxf;8t-ffc?Uy6Jws-P#=IpTQYfJj>)n{)VX)37!8PX^L0}OYdumbA&7O`Wc zU9u&Emp;QRu#bIb`$rWNaXv&aD*V?#NnphiaQB!gj1AOh*V|0zqOxk2*Xp7o$0CL5 z^dmfoFmEV2L{=wyPUvh)9!~`Ahc*rsMoW0175&e|fnVA>8C|xH+;0#uDyR&-jy*${ z$@bYz9{;0dcQ|B~?|XM2ZyWO`pa~wZK_HkTLD4VKzPCc#RZDJKEmrAEcRqKR&2}Gi z@c~{*uHW4t(!H`HJ3mLzWMz!`grS_z$fk34!in(7ah7l`Z9|giKfrU2<{zo-(uj4w@^*Ie%mMqgr?#BNVdGBECw>Zrb-QdR*3W^UYjPLJ# z{PP%5Sq!|V zrFi)B9!2~DO3zLbg!Z}^6T4e+ech6PF30JC_UosNL7kUvDDdvQ1cCUE4TkJ&+hm); zNQAKC!}Of>!W!B6$?i{>ck8TYQ@g)A0!>3+AD`o=qID<@mQ&`_N`tq5VQQPNO@ap> z2Kk854d2zcBPo%WLp2>Rp-Ho%w3hd^6W$^S^x)p~wWtm%6Mrx=&BAX3Du3@oNSO@K zWlKZQ#DuOh2HET{8`TT6UrYa?~cOCYtmqwGpwE@mcNqSV=Tgad3MqX zkY#Y^hav_fDS?!e^r>xJ}I?xwA+LF(9P8-hd) zti>2(%{Mv_N2?gz~eZ}jT^$0twxVqru zdB=A-zf7{^?=MD5!~`UNFQr@~Uc9;fN-43VynC*RrZm^keOuup zndebUU-M#TmEv<5^YyCj2htp$AR_8c#gnVjyCb^vGX77)m8Ff~pkbs^pt=Q&Z>P}o zj&L{w7tCZ)p5(DK!_z@xoyUS-zoe8#Ddalm!e7KV2bqzcm|=))+y$nIB@&e@%<0y? zpSB(H@~Q%J?`o06K5*{yv@jPMhNb&}zYdRxX+c6mqDQzaTf-yhK14?J-xIqcA4PAc zJhOC7d;dp>UyIP|_{-KLrbY2^co+U?H0TAaOg+DcUE=0-K)T@DntfvVA8Rb9dfxmZ z$3CfuvrU7>f~A|t^rM!-6UATt3*I|+Nrf^jc)J`$XT#^%Ij5Lwz{=0_ZKm5M&c&vp z%i+JF=yna?-LmAl12v?EzeV0+R_n@oUJrFa=gmmP_U^*Qc*KPm4^#E@UfmLWc1Fk< z9WRE+r9ya4(?it{v)a2=8lPBk0d{O$9nth9)#_GuzEO(*h90Bo zlKwE?9}_5uR&K*>l%p3jv%I$eU@vh=CQvW@1H7EQyuI)?y#; z(qYN`ZH!dbHJHj*OoaT+KWZ=4OuAd^01pP_X2Xfo5ARCLioS%boi*#7y$i^M&8Pui zx)XTToPDY{maYu!HaRxPY7({ujV3 zW`+k!y9tZbb0VYVhU1Jb2G6Hj>`P%cHB~QT3{vJRDQb?>>)x z4gQ0oFwJ)qui{ga(fMS4T>YFz)YlQMIzHqjqsu9CAx-hZGJ;Zk2I;z+Ny8RYvj;~2sSw||D6nBwNw z)!1xQBsHy9Z+Dh0+u>@}k?RWKc;EOY9c(|8oJHo$)SH$=r%n5eSCHlYI!ufrJY@b=drDQndcQkrsHpB z7}?fNW|XTJL%^zU4HCxWOmw#-F2_}33X~(8%7kVw`iewBg{05_K&9*+#Z*8vd6KGZ zlEXulW^8Gg8|QV#!kBiqc7cZpl^MtB8%>7wrmhp18QDW@Sn!fXij(=1Iw%1&{T=mB zoo@P93HWh4{Mo;E_hz;qBOF0ozyoc$PBAI)#A2L45KMTk^yg>K<6Pc`tQro7`y0A- z31=x!KWFZDpUYe-Z6f$PmENwoR5l2hOy)4*D3Pu{d++6+U$iq}BZZq7mJN>+2W@Wx zgTfsdlL1*sW#PIH=nCS>2Rnbe{KpzkE5Aq04vK!6en5-wzP)pqsJJ_l_|n#>YY7b~+nN?Al@ABp@;6}od=l9|ZPn?POKlz9WA8#HMXFUF8Z?fpVYQn4 znH4K@2aeOxZ9^fec|w)K$>p-t$ESs+%S3W!Emj;C3vWUWy)_#N^MWqF8|@&Oqm&O# zdoANu;Ht)P=t9~1T6}=_a=}8eR&{*dJ1#iP^xKQ5;!Z-xZyoG2d5!)K9h*&HkfLlC(gb3xjkiahG#I_P zc}QP0tCO^O#g1Tm)!{59L{-$c8*E1((hDc4dc+ElFJ$(O00kYS;NoR8(8|h?5ULJm zwGpSzNQ0TPadSsjagsgo?h69D&GYVf7t3#chN9{K0-GxV#^;mpta^_#{8M&B!*q_d zPTHTTd|a-3;?Do(NQ%&+ujamr_v_!5$fh6CS8a3f=@mOy_VnmkY9p+4WI}-B{TAA0XAj?fGmEM9OnuEv^Ly zeB64-hR^MEcIt>azqqYQF}u1UX`Vu%Zgxw5N!3ssoAf7%)#t= z({0`^b2M_kSw}-0+hj|i+Gd+X?^(J>(#4&o&HMIHrrVCQ_LFTQDdg8hGuM^Ktd=qk zWacqLBw|DU+qz5qK|28|E#|L^^zjLo2r`*hHshelu5ACo%Ujgf#=o5a7d}MaB9YWX z7QPFDLIP-3yGEMHy0)yxpx8Q~Sl$Dc$x{8a9$PiNa$T3t zMjqtM*}l6k{wwA7SA%h7(a=c4ifG?{yfo>(kjpc!l^kCNjrv1PO=Aoa?)z(_3}d0> z2H`VNpUtXlJ-=~3TB?x#zHK&tUqhHP_X@&+uJH2PYpA;mwXRk5<*h(9Rhove)|Y0OR*w8_D?ZA8}PYd1F>!(maF$QLAvg`!VFI35Mi%juHL z>4HvN0bJfxkZ!*wIwBJ@)nGn80z+j4c?C{?S>7qR-4!cU0oQ< z&WqUAGt5Ji(^82DARDnslOo-W!@Mx+WRyAY_erJs-?pyECk)!(GIwsgp11Xj^ZNC# z%DM62K>I*}{d(&M@g;Fz;&SOMc{4 z)Dpb{$b+M%Iu{>g-djQ#O_H#O;|eiRViT)y_nMd9LT|L@v|k(JEVW_{fgsT zC@8Tez6W%^j5zK+UaLcVZ#Vzo;*yhgqzk>H1eG!o)+I)reN^~NTYqOZu612i(QT7Y zNwwu9;y9B|uD}lAI-ovcwOw$$Ea|ACs^{sG)>zy5Xf{u})-n_5ojmxKSX*wnL$)H8 zyl-V`;l5igHsZJh;N6jpHe$?|Chqo{r# z>x;MN$t@E-4F?u#<}(az?CtchQ#YD70b|^7BN4__;qpFGoqz5r7X!b1SGrfyc^#T4 z8EgN3tC?YcFfcRQtz_N8sw<=y-1|;A^>@}0M`^j^{-C+Wqy}zi9&OjaCD7lsAp7@R zt&g2epG6rDE>K{wv(Wz~;EQEI;3Vo=J_B5JcT#6d0 z>Ki1e+>R*QIyCdaC zy?F{T2=OGRl)biHM`%;J;q-Cfqi@`uknB-Y&O3jW_B)1I<{CVnYKHrln}2_9?z57( ztE}lNWbtIITLp5Q-ioU6UPbxZ6`yOx(p*CBx~DPQ4O(B?evmA4_Rl&*>F9Q|Q!Z=~ zK?a`lb8iGo!aT@B%t_ZseMXHYRHO-594-yvBruoF)3bTg#&a4dqyNoWN)s6KMReAs zr7!(kxCj0G3p9m03{4g@x){B9Vtf?EA#6;|0HQ3gs9W}5PIziECP&qO{cMD1%HX-y zUuimMttipcR@ILDy;W#Rl1t=+eH^y@rMu2Y%K_iLuGWG+`4_ZO9xVaS8^Sg1k*pr5Y zB~j?qZ#Rh*`K3uiOf%i<))nt1C}Z87aIpL#6UJ{b#avStCe{;dip_6%4(X`dsU^_SQa1QM0Np?$ zzpH6rG_~moJI04@u2(eS(^hyijRw)43ZgHf>=N*oH*|>1e`N>ZGSC-t+7+ZFAzQ2f{|3ZS@T-{s@X{7QWw5 zee^O@w^{hYg?jsuuMswvqoL@p@rB2sVM*&3AXVh)DLj&TPxTx!C4~Wg31oJt*RWF? zwvku@bhM?w7c?3ePzZS|8h_!bDSfR=cl~h*@rS8vDfPkwG>kGvr7(8#e^OesF6x1B4>Kl%k15n>|SkIs0x3TzH>-gc8L2IgA@(7q5WTBoUgWYwur2p@A%hMy4 z?}VNIcDCa`=^Cf|GmhNZlK8kY;GcY8b-H7H`DNi}zj;?$clTCH5}bqYL7s@6`M7If zH&EWYPyE}u^v_>i=OA7cf;YT$vGwzQoWk(hzgdCrwMw$(cQ3g&UBBY~^r1i7C+)gm zMta$^cTFGs!dk4A>}j)n;%l&hA4TxSTkcHXL}K5^-?FdmPWGfj7hp#}?wW-=BF0xy zAD7Ca->pKXF~BHIY9l$}@u}UU&ZR%P}ed*PX_jgiH z`9@kkKf?o<&bM=PppE6H_0r_|Qnw2n3xU=vj|xRm@1}w}z6NvmxBqe_epx*;9f*5u z!My3|jW6>*{=Mj`O_q3S4e)Z}i}py1cA1fG$FbEP!A@>W!29tH_u=FbIz7ViQ1YUu z?vkE#SotGjvj6%scf|46#mD^khJJ~ ztgQ!u{rkVFVY5LPpu#A*UX018#?O22Z7;^r$XqK~hA3rR&fA2z_XVuI7c&9M6HO@L zJN&^~tY4u$@U%#Vc3r+BAFnB;5%Rh&7Jm$C>fEwP3y(#8oXY2E;h<1xYT&NT1K|ec zrvsl!qIHbSrw8#eeW%%J*>4=5c0T0M>9()^Te|%l-%4BV^51dosM-xPc1{;BJSP2c zmnWy2=042SR1u83zi6-P7!me3Qv^oqlktUnsWlt9erY}9u8!Jy@5}G;T#DjVB=q43 zTqfa3&g+ZEOo;mM+3V9e=WVbfb1AE$gueC>)T$?a!O1JFx5k57YR>D8Ve}dfTU16- z%@fH%m+703;`~@^XFk!NXfHf2eF=8Xd)+Jgf9G>bB;nP%>f>~I1n(=~^c_@t54fY> zsc$TaeoWG1jpoTJB>SE6zKcx8*zv-IKKgLs75JkJ=w$JBHI*iB#8|srld=Vm_SE`j zH!bz?=Jf_m>ZlkJZcw&mgjIz5soxzwA}79ZA(Bn~cc7LKiaGevbMEf_xW>77;tLic zY1I=dIbT2WrMuHD>-dKr&1`idXOYqSnmlgLk2aQ^ zQ}s(+VBL_KX~H9EXrxM(pc)Qma(r~_*zO2A9!GU z`q1ZZ{DnJfvEz`za_eJi7el6Ax3rSzeQXGe-`6?aoBo{=cVXuyd`z(2mhj{N)p0Mi zsqQiHg$r#pR0SG5di#xO`7U#D>?{@lo85T9h21oe(*odiblW53^KLqJpL5yRA`jJQ zKXZCozWe-i$od=7HPetF2xWSZYf}Y+`s>MTuAuU;MeuJaj?=}Cf40?KRCti!MaFcE zw=Y-_wFh%lZb#xC%e3i!J$(i!0=v)B>FLl#KaE5_Dq#sK=*-Mkwao?s%#!(g{w(c+ z9hau#NZoB)k-P^!Uttkf_{Rmv^bqkVUFVrn%`zrMk{`*E({aS^!aZlFdC{NK^j)P3Y4rD(G27BRsa{d#KQ3iaNH zK00MRd>N`YcQJX6Loyq8j^mDbla$|j^CiCP8XM*A_j$OzcSkvE&*ULZV8t!yN+dcy z{rAtew!I04kTbJ*u_J!bhq^EUjY)iUF?ldZnE-a$XKug_Xm{F?zmj7T*lSAN{q4Gbp?>OV7ui`6ePALZ3zLe>x+bP^s~0q+t>d4$7y8}5qn;(qopz1w zE|{Zj?R>uYakG7~;4!(-582$#?kW1UDXsX{ChH3m4^ETOGV;NmWLeLLiZ$p+y#aQC}&KXP<~UjtwJFkf)&YHf!}e4H;T zl55kIINp;9luYVmd+z>5sX*%Wi``4dZev<1Q@tHdqvOIFX1v!aN zHjn?+z0)O#CCgPmyC)ra$kgv&2kkdMos;lkk8`J9#|)bqR^UgB(Ny=fx6|xWJ7MWA zm=Y`<8jQ@3d8+B!UXMm$Uo2oJD{#Bnu=*>5!a?=?skjI`1sCC>?j{z01cfUWZP+$F zE$p6_b!l8IIj5suM~rt~076dKD0C}sJ4n?`dc3z(>oxq6hnFL<#6`;oa z4;?j;ojTESlBonG*TqvS(6~vV z#=T&TlIDSMP%Ip_{=h$4YOYUOmxgGpJ8-^l{faJ|D_oy;tmH^W^GR{bYM!T37ZXqX z7PVh8Ffze!Vz9%VOr=(Q;UOyXs?X~XZPM)2)ZT|Hx$f-;19UFOKMaPTJ}avjW+w8d*E-t5RQ6bqlK;NQM6$O z&CP4RMEt$CW6r_hB`+6jw#KR9A;eFW}xIGTdQ^ox!RW65=Bc$)dbqNwoc={>T~ zSqM#`Fx`vQy;#3;cX8njx)e5TAXE?JCHR65DWz_fewv>vqh7esXdTV9{;&%y1;;qI z)+x;cmy;KaHRXj1)wGef8Rz&$qXDdO)5ICV#)m3fZD6cm_ob-UdL+K^Xv+SvcyGPG zj%^lLT^<%kB@hb0NE!lVKtk^TUj`*FyW(dY7g~>EAbOuWHJ?FM?-bpMK=x9YFfZ|9 z^}L-V{k;<&gLlD=t~XvJpGdy#~AF{m%3DNXH+$nYBWSEo(r+U<8Sxvmbx_VnFL?@io|Z!UJ!d*t%j(GFhZ z`A;p-bJKm6#Ap81)uHaFIL`8G=*!C6a0FfzUWR!Uk`2FugudrKVPPB(j9C_X+=B1+ z$0R=5@Y(3}mUUZ9Cy({rD<{&Y9o&QQ@mTFObFYj?v?fUD)Bx!0$IT zSNtjrhT_S_xoBcc>mtm1lcj?*BkD8u3$@b%q;*PIRO4T8*a`*eom*jeV?0H%z)*MQ z3xn1PWlZ*<%JzCR6_!o5V-nxne-|6JRHZ(Cx3F^{EWt#4Pnz`H&_nD&lbs)ZaN^IRXB?Y8{l0Ie zT~=J4_POuIiS(|RvwymF{vqkg1&>KTo%bkTN1%aSZ$)tm++L3ca1L11XB;l)xN986 z7cO))-ZQ5voLkKu`l_9l!WOUihjk3%3n2}C=FMi*Jc(gxf zzZLQ-T3au^`hH7TC12htj2%1}UPw|n>W4l*>-}5xN#yWS=E-abnxt^n#}^Ne^G%{N3{3;H0(7uj8gWzu3Z4 zQ8|8%x4SlmOB`YrAEiQ7BmNK;-?h}Qp0uX~J|3;h-S}8$a%S*>!>rfTs=@G?(<4B4 z>jq7H;I>t1&Kw?1=`wt#qz(TP0z5H7Mb5mYUDWZH81}*6oFfwjnTOQ*h`UxIfsPG1 zsr#u_TD`8Ex-@?Iz1xa3Zw_}5qEig5{AVNbNFa@eTZVu^^6Yr(0iQCaj4x81M#zJ+~|xon^?gW`(?h5qG}>J;Q<=#%9wH9^LpPBR@Dot$c!ta5dW=U8~7}Jrd^qh%}ryyC5h4;-94&4n&OwB}*6W)9o{$i3l z)yWYETL;>dJFhXJ3)Sro(m+-A#<+~N3m@84VKWU>&BCL2>tab%NbYiZcpLMdk)XpF zgYQXG*EDvkW4}3ueF=-Q!{o8zkUWW6IcmWnPxWn@(o3pjO!~rcsS8^)ZU->9-iXgQ zx5tw0+rQvtQkn{rynH7<#v=5QvK@X*e}z}V#s@xk6XwHXOa*u4V^W(6{Z_&o6aKV* zcl#YJa(skaREk0AkHn9|IM>JHQtXvTV#|GLkFRj<8C$4u7E^oIOXp&2u#29GkB#?P z?W`q)%a=L?1v9Dfln-2&PJOK(gKFy!<~x(`%yb0&BqZL|g?%dZP^bYnAz{$y7kB5Q zolm^uP?NA^OROLC*`@M3Mp2tvOG`!3i0uwoKG*c^=nE6-uDj8Xayjfk|4W-4)irD8 zv~9;8^6(ZJS>Sa{kvFG#wNLr#5|oK^v_#==h9>zAMZcqTjqp6RlQ z1Yfw9q7{^xywwX2&@iIM`+!g(k0zzk(4tZ!ws0>6Qx0hy$H0mjRcbur?J>{xVeCEb zU9X^!U+TE4^er$Mp)fBe!v?IK%bS88Jifv*vpt|}Sr_3!in+m(>xD;Bw=%STc`fux zu^0`?%CQ2~BL|k6OQ +U9sj&N0R>_)RQ+P&6_%9B;}CXPVWzTrty&-NmwAso(lu zL%5#rW+Bh_=p>zD8AV+RauUppxNyGrlB_0HE7ce5%?;zl+*51eOwrnIh>(LXT95QT zJc!+l4`8PcsvL)!r}D5%vu^LHeUC!5>;nkb4=WWGze_Q`woYj@h0C}Pzh8yDJk#8) zrf+!BB<4WH>N?~d7>f@*(pOPUKUryF#*7|%Q@%PLhq^{Ruh1lmhGP^pUrjz*j#5w> zn4R*XhJ`ckmG@F3JAh)gnKAhArw)QP5FZ6um*ew-LC&5``^ehNFrqZLX zJsviG^feqCq%ps9eb}H07NY{r>UpKWcn+>XBA3b%9H~_nsu(%h8kb6$Zh+{|;g4wU zf>n0tYs~|+ckjg)t|$aFeVMTL;V<2h&i?*-922|Hj@sP|{n%;NwDh#cF0h|#afIhv z|6w(f?f45R^b5Xmy*l(^b1iX*E?;ovMzGaMFrxdcy9VtkyVs&w4Vmj!ZchARDQ%@= zTG|ZX)~?@*?@6bpc}V7S^-*8hT6d5ClF@2f)qCPtv|V@hQw9G0vU@{^bs_AU_4KK) z-t5PmOrt*2WIG4$zgJ4T@62D0xdY)wwC*Eq3E@#xx+EuD zC~N4YN*A*i{thrX^&V)_#S>?^ca_xkzHm_3ux4=APkpwXP9U&(E{$a>QfPjN|uD zA3SSC+Hcd((!TfoEG@flMcQM_?P-tAx2K)9`Q`xkPoI<4&R(3>&RU#S&)Fy4Jm+Dy z``(5bCDBl>HYsP3kDpO=Xn4Ky!0Gd|ZevkRi#8TN$Eo=M2zJw>g1rS3@>qJ0+->d9 zM@{!_K3xLmT7%-E|1CO4ts66)!->nj~b3SY)>Te-4Sx`GuwUP zTQ}Jc69&H>iGNJ)I~wwAFAqvD-O^|bqg-nd?;?xKDGPN|-i!BI?Rh_Ad`+jz2|I-q zu=_qw_a%yQ-f@S%51)N^v{UQ(Y&?hY;|_c* zOz30b{W6oYK98-Gh)V0AfCRgA@9npxSv&3Qy0O}Cv-5pv7P4@R;b1GxZyvGhfkGYp zw40gI0CxDU&FE=q#_U;X`F3O?!zbPNrjQz~FXPdD7TlI*?&N3JGY0g7cFi~JwnuXu zB=X!oeF2jLX^#7Fny*MI)Q9M{bVq zU-G%$GMQ)~VrfnrG@FVCHLx$(95KzBH4D1eKo{HDOS~2={zyv4Dm~^XvG`-qz9chx z^2=VBxW!|CSytnE1%58X?scT>wu-_rgzFv3D8t0E(>{HJiTlV)gFn(T;NtU_61EE( z5(i)R^8Kw%enB&~+NC8sIXJNDR_MGEsaDzs$~+Ec3RteNlB7n z9r@?~_)cDWfjTRb(r6}9?}jHHDPzWCjG2sN9hzbU+Oaqt$#Ayrprzl%)aZ`(;qx)( zv{xri?!9=Yv;sTF@%C#M#^M6Rg7=%i(AKh$Hl5bY8oTeK@VoKDNAsKY#FC4Jm$soj$NAQ>m^s+ zmEQgL*QS4Z*W(it@J1DG1^w0Ut?7s@m_IW;^~mzUc2b{T{LE$PYyW<0T6@>#^e6AR z!gM|7sY{IVxZO$0K1dq1k+umGmztPC^**8Zci~=YD$tN~(iTRW!N%1(WzSPSgPk9W zoL{D`rf*q?n)6!xJkQl2=6mMD%Fnm70;WI>QN1BpeR+S7I6u@`S7MzK9*d%*<_$t+ z^1?MmT{YZ|WzgcJdJ3_0aC2g4JoP})!O^iizOGfH1nP!%oVr4}8|t(E4%Tp~LU@p( zf&-#)n}o^+ouhs$El-E$t@tgfw=d0a;Xw+UW*#qcV`|!bf8u8jzl*z68dV=1%<{rb zO6x36^*q|a(IM3r>P>ssAE=y?FRPLx*7}2ME5a>Bk{fLx`WHmwlxg(4gT?PqIrh*{ zji2J81uf|23XA-xV}9w8_@UO^$JF97Dc`L;CDXxRzP^wxm{EpG>fq_0QtB?2}Qn;dLKK)oGt?zkJD3Y)8yyt^K+(Ia(Cb;3JL zW8&EQLnQ+^^J!RewG(W|B1aq*EPkPvU5DN6pX+}Jw{&;>UO+c%ub$8s?n%4cnu;z( zLRwwctVIG`?j|l^xAA$ojcrbP|J+5+(Sn&&^6{^%P5<=Owds%p=B8)j*xRS$$Xp&b zd*Hr1rPJQ9PvX(JD{q6{=;M;gr&nONuj7tw{!zC4-E&v>eaUY8y$S3pd?B#&ycy|* zPuV3M_VBrB&)sIG#gNzcBl`Zly)FWxz1sgEj&zJ zQn&d?N_S`;FGhu16fhS)Kb-R)8}M@vlKFP-Pv}E39(UejavtU1{=16@6ZoW)>LakGVwvC~{E%*n5K6mDH;CVCib8Fsqzwvr&m zq`TrnQ*Q4)%O8RGb&;fEc9Shgmn|u>fcTv(ZMb|bCwZr1yni7^{hzO)zE(`5^hO2@ z5wJMrTIi*T#aDG3t9>-i#FLxR$52bk<8g<|>f8CIS;x@V?>_lkV%OD1hfI*h*zvv+ zjzoWp-@(_7se0i|p;PL2fcpClbcA~x-T$iPlB?IJ_x{uMc0%NTY9A0nTTg5}2#B4Q zg|-Kq(-pt36R2(!;h?+^_`~~e>(;Gl22NOIQXdogY?kNy4;P&LoB*0YQ)4xdyzsQN zN5b)iGyMZ0A4I&wuLuaiqZylQxU$>H0)husVQ{D6=v%7`N2br1ofai#-Lf^?JH=H4 zi$6pc&&Li#GZvX89$9Ox%}-n#fRpAYk`QUfd?CdZ>dj+TSOJ%^JZ=}q|1O%VBqk~{ zB|Q`@RpZi%FzD?0cctkwxN8vYK}RI?*LfVs0(c=3=Qs~*K2?#=(wG;9Id9!A>scBY1}%(UHTElanWIe$o8O#8 zv2bW>$Ks^l+%NHGlG4_}ql+)Nl1ZJ6ShIL65Q(T7mr9k^uXe&~K2lc-)gaTRA3~OZ zidfZ&XR6EdI5Y47h@Ik=W1Cye?_r8YHeoQL@TpD|;|`b9Lsu{O@!gF&`oRQE&M)qk zNB?|Y*{Xs0;Z(70wC#zJ>f41s;Vyd4*Nv3j*NxRfxhvmAh_&Xx zQ8-H33I{0Gv3vuyu?)!x&^h=k>jn4{can0>xwj<#)Mf5YGtwDvJ{(8hH^1DdWyZaJ z+T$0ccfIkD^qzmXHr;XO=JbVcuC|{?>^nd4*jXm_aSP{33Zj!v`Mm?vD^K}hx?$yp z^vQE@oXtx{uN|AWY)kL>Ad;tBNDf?!M7ff-g4TN>Dn9bP2c5=mK3XAXNid@EVF%G6r<2*n}u0he(@GxZ`8GnZ1o`UGg6GVl?1q zEN=((a+aU90CDyNK z1-rVzowjiq8E?_W;)BvBs!@lU3U{fiqiL2*QDK07EdB@zqtvW*D*^z2vSpKKW68PCBVOI{BIFK_a4dJMC1>uyeAG+p z)Dv1#>DG149gYrv6?}xF7z~?dhe@+%3HdiHc0H`|H>4onHRd8zAZH(e4Y&FFOy~mw(VV zb(xJsqXqcB;9eZB z0GFjse5d;^Dc@t<3B8@L$mM3UB3ISh9TVf0KOeWo(bdpbANQ8pq2cY}OOrcbw(U~< zaW$(0lThlW|0=>x=?m{)%^YE;;`;qwq{JVWdXLMh;n-W#yCLj8%dUDbHC6v4B|Jbm ziFl*fsDW~BX6)=dEhHAI&1*DQeW7HM-=b!t;tL1edG7S|s^{#MjznVDzPMNF@_Z!J z@TXn&TRJP9{hs~so!$0y^-cFMq_u}xM>a8BHeU$ZHRNs~dMnikMgrIpZTv6(Sm z&=gI9-I*{XFb__z}vllYqQ2BST+#(2J{ zb<8Xis$d2GG*O)v?0P1Db^om$FKuoS0SNa}?{oS5EbL9`rpDX#6l{DG^Y6O80HvhLh+vrJL7mvJH~1zTw_< z-ev3la~!R#+IuL$Q>X}etCvbBC*KT{;3xa-M#%~L2pt9Z0!KLrW|wQ3VTzdsR|?-5Y^wJXb&_dQ zRcCQ?%yd(U>0z0rCti6Q zzMw+kylqm0*^c@pd%UN-RrJ@zN4}nV(m}}7_86G1P#Dux(-21hcmL9~os>7ySdRdA zC$vt{V5@kn!Dp4aMQQ~XoGTp9jzDjNX!qa<=SoVEyj81$FZCF+>XU!rN95LGlU{R2 zKK73v>Nqz}IsIDf3b=1hxa00~+yziO0W$f{68eyA#$&3P1ZX9~6w}1xSvhm+>khIV z04tVVp3lV62(#Uqp@-{e#*pM{WZ1@{*5WhS>Lq8?N3FZ7<|fm?b(Ss5=n5B(*B4xm zjqBAsKoTDk`|6T+@S_OJq|{s4G2-4n6nGGd!Zwy6xt;4n;TYuchwPRPez<=*b??Rp z(!XDPhb7#-=IxiHxBk(=>G3$O`@t3_$?>?^?_6}d9f^DCRqNCBH*c`r^uF@lHR*kC zdQ6%>w|t2`j=g=C%}cL((Z1>LKYwHT_!n+U&wk>bBb)KB(Vu^8cbCDwB)ds{-UrEi z+!^q49I?w|f4_Ut9kxT?Kc01?B`$v8Er+Lv?NdGgPVFqlpHm<&oVXTNL&E}^06Rj< zbd@%$W*M7?V3v=0$Y(UuGlIs=4$@R4XiDgh3{-bAz102f3lT8Zao6SX$T;4wjX>8! zLgAOKCekMy6a=NLTf$B1s6<>?RO8yl!EY?Ya75TB+F0Dg7apJHxSO8J%Z%e9W{mfi za?a1sr)?bbyWuXH_|7G09RoBaHJyk9oHRLwNc@b4FGfVy#}~~d=kFdd?#B0?WBnsT*lYyiwCAb<7-`Wi+0(5Q8V#{$EF+(a$d zNAylT9xeK%7h$&2!Q!{598|l!(1<6-F`rH3q+e zK711HP(?}=!sF6*JK>IEyty+>s&d{A!-Se^_X!-ysZN8tsIuKw5o;Ep! zhOm0*v#_AC@rB2ynnp6$z~(M=^M5R`9u2bG;n5UIOpmCKqqn9W;eHCk)>?AHP8*74 zph30lhP#@Mg@y{r<=Lijj-F1nII@iNp!|t|?i?3HQ1W5?+xhe~)L7RF{ik$F6 zN;MKvDjbwPS#j#mhGYnPt@VZ6Rx|xVer&4wVB;<;!!*y^a3kX!|8O;9I7lC3z{}@n z=Ql9LINqo-zTs$|=Yg=O&jhVglTfI)V(tlmHZVb5ga>I<jv?>Ij)%J7yOo^5J_-w#^G1z?3-jNw3D2*vho@*hiE< zQuO0|O(AOAG@4|-@Gzx@x(MIDd3*ZA*Vf?=^`@m)K4*8^DevLSc1qW;^6%B|-B^xf zeBWnpOLtee)>mI|y5E0+L>?1T-uSXT@r$Koi9w(Gw{_{NoA@1L4n+E=x9p4WnQ+1o z?ghUc>i!nZzD9b$6h5k1cX#n|{+#KSAgKCrXtrQM(X4Y{v_6%|pwTFDYA>(*ap|u# zj8CQUp`@At(kblJd&jya7QaZV-t`o|_gBvslhNXnw-c5(!?@Hmue6$oTd;d9oGIrb zgokmA9)wIz3n|*LWpjOMVrx;YWAe$UyOUW9=1ouU`Cm)ZBdc8}bLAKpysr;AV2=Il zjU!f1|NI?sx>$C+qvdC-H>bCJWDQP1*_NJs*!*IFJyza5KGhI&dMiC__ zqAPv$;%hcx_fr4cxYlOq#t2V__qq0n8)A&iM!_O0p-s<5cUB-#d9- zf^D~2sM&;X;yaFZC4gQ}A(qB?fhp{@@k+i4<7JxdxX0b}h7$VfrksP6V*((LC~YM2 z$%nc@F%yo1LAeNE<9iRQa^J@PJWT^s>Bi+kp>C+g)27cva!fOsOZBcT!Xq$1Pyh6l z>67m|)@qqp_Y(d*dw(P-ZAd4-|DrhN)^)AAl}UD`eBxbCPba+TyGXv<6}_b2$+!5}SGp6tPlSz9$p+oKN?bw~nx89IZek+%HrWd42N!NnmAV$KqyYbU#y}S?;K9 zYJoP0@{3}A8NADa@sr}7bj0rI<~EV{1S3xf{~oKLm+<)H?%7 zbkBOip7wJK;`J|ITbcgltEicM5r^`iaKH_p2)-L!gRdJm4+ zefE>4{*qxfcK$mVJNb=UcEo2M8O$FhMScax_%hM(&bv3KKl+PH)7c+*VwyFJe|<1q zHf-98zwAZ5)+3(+J_+h(;!_kqyq~@JoG(ugqp;dn6sl~xnqKgQGxhb$T(pTOoCR!s zv$aO^UNpRP1CZb0qP9-!JDn=E&UvpY9L;ig$HLHV>y*cWI<;Q$PVL3{j`a>o&e4ch z`b4!VhVdeP1B*XI-Dmrd9PKrpnli?QJ>$b>h*gx{`;3~LhCaC`{ek5J*Du-?HfIbQ z7yJRL2C8QpD{nW+#;0z@T(1mva8<{c`Fs|Ww#N#TH!yL@gEgW# zec^aW&M}zQ4!&6Z0ELi=*=OkSy{yd1tWkA9^D}F#=Ce6Ah+RWgM(0?DsMn&tDd4>- z4To^E)qoiYnY(fWwrqV8KV$KSsosaZy{tpA0;>Luq*Ys!6&|2DKHkUt`5NMEq4$IF zC}uYT!kBg_I?~_^XBzfkQ=ZcOcJ~`t4pNXsc!#Lk4^Zky(ew<&o|3x*R2o_|Iv=Dx zeSw<-1&cpG-3(lnW--R6-b?n^OTpBM@r7>xC2|ux-%Z;uf=y0%ObQF8HLpjsZdQ$Y zZ5NC09*^-#rMUn!Z}7n4cd4F7!zsk1F=KQ1Wo9&W3GXd?GX+Lf`TUGd7`QwJ^hLavgXb$wnH9w;$tCQ zy8G<3W?i+*2P`T>lfQtsiwQu z;+H&qH%sEXe&zj0NVx^SV1lnSYNbhuysF6$;i_G<4zc>-}L|D(^JE%X;MfVC=oLv08TNZ~fY? zIf;)6tLI<25lOdPFFeufrZrm{iLu-l1e%iO)y>Z$5iR`rw}~vmG-jvD?lw(jOhSM|$@skq~HF z>L_~;3x5d1Dnd{`KNs6}uZCNLZ?9Hw3Z%%WMRhC%#okm`K1xMGI8(F52s%gO&ZIl- zsK;Y+#V^!#M)O$nyeq8X?t9e1M3GW#!~ki_1Jsz$75~VCNZ?xz~x&;s3BpKP3k$DlDi^7=IrD_R=Qf&SQFne)vaaECqHp$`dA zOwy}&=(A)eB=CI%34ENjR@A)0U6!v;xq^@Z=T$qShrlDP1cl)@U3a-X{mV9a}a z-n6Jx*!Yk_bFMG9tlNsYc6a(RcFEgoj~VGl*WMrN58D?xm&XpOkbm39)}@b}gXe8) z|A2d8`Vax@gS~)1EqxSn{NcLJdCwY`nX+?U>1sj{Aiw`czlBHAP?zO|n`Y#f%yy}B zG|tneaW}8}J;(L^_v`2gSnN2YSybzh7_5nL9!b?k^1>CBx?nMpP|p`SQdjrP%x#wC z7n0P;l4)EBtAclnm0`Ma+T!%M&3C8SOyq+YPo357arWWKv-sl1r7}FZV$w1t&hMJg z4O{tmUDR$tHX?QF1Lls>n>Q>?N8i6X&6>&N1KL6YVRn%IsBeBR64}CFFF^E_?>>;z zLkI7<&G$c$R@}Rnx0i|m+76>I>HYUEPFptLfjq-m)>jxbn~adZ`9lcyX`6+f#3ir5 zaNlg;DaXD+>VeGj~1Rnx}eGX`!mG`UH4hOBXL!)ZGH%U@3W^bO{9 z?j8oL-CgxUeBm}-dFy>hSSsA357{-H`AsAWLLb3UU?xGHv_bS_{0&QSdzjrE%kS*9O&neATans{G{ zZyIT=D%_#Z5_ZLJQ}YfD@o}_XT%Ey6cJ#n!m z^8MtecUuzLZVP9pc{svFW!?Jng|m3K-&qnL=go21n~`95{R;mJnr9wUJ_PNBc)k9W zk4U$zy+3{Xg4^){=T0QHZyTB9CR?Jj@aGRaV)uU`@$iRN-kBb-3^>*97@gE-{zW`( zvpnwLUDK`$vF$&~f_XF3OP{mc{`&r}KXzTZ>+UV-%Ioh=kA=)sWyKo4PuL{z+lzxf zIB`R?Rd2r($6WJYj@!(&x!1rp%eJ#Q(m~Hh#_K7-ZzBDpwx#SZ_lv^JV3#Qu>CK~sxTX~ z78Y^Qw_a)CQN3`cxo_wT4fT|A-+E=i-v9jE8F3LVG}_Twlpy0%Z(ihE^Hh;)&tvhM zG?baI{rxTD8?w6LHSWTLl$~6?cUM#28}0j5L{tPs6p${x29Vx@Qbl_2pn&w=5+H!| z4$_q>AcBP638DAUdnbn8LkppX!|&X2|G4)R>@n6@d++tkHRoq`tCv$8=DlKCTz3ny zX#C)>@c&SX;*|mbq{5sc8p!q$kq|xrD08llt4|isW+FwWrEa%lgg)tIAafk``?bXj zh&)mksf?0+M7*5f=4Qkv`7ba&{dJ#kzM(`Qq? z{DS9yz@nB_(uSqDz4!Z@nAXwdaAd+o)}QQi@$Pko*J^gt$l5=U2=}Ru)5$`~lXR9& z7BL(0)}xN=OJ_5EB*c6HrpvEaroE>nh*^wse`eBeo!iZu5*5uEAq4@%sHHAYcDiZNsISknM0?IlZ6(3#6t zanpvSC3@!^UDPhCfhBjfyr$shEDLLA$rCBsc9zH2#oR<1xwf{HnETA3aG^cwZ!!Fz zR33(XFl6o2nxm+18kENb$!Sm&pHty7a|=t&*ir5ZUl=FHm0G zu%K0qeU_Q4W&CvEA{jl&QK4_tprFlOa}GWpY=3+jGixmhdC*}eQ0Z`lH%xmHPW^ng zwARf+`s)E+h8Nk`trmv0(dm?K0Ez@wc+_wNYdL}_nW_j$){>TX6GE8 zGfHP`nk_bO=M(zSGww;eQ+;hQJ-jJF*}!Fx&gPaAkBJddJbb;DhEJt^RRsfg!^gQDU(UA44n)Al@sO#CYHv&~346p%SQFj5^oDXAZ`wCPjf&qY0V>4vC^?x@C zc5B6sRSh1NlEm+#>Kw-=TtJB)1aoO+4CGJt9NOsaZk!rC1b0no#w&j z3!Vfw9->yji|HR78FW@k)4Z+o=N8eG{ZX;mPMod-w1e@1X@UPmWtiK$_u4qi<&LfW z*pk)B*1(1>o^^7eW$x0g&reu>B#=XczHzwb(*#C^lOLEU2!k$|%0ZrMq%~ViZ=*3L zDZU)Lj&LW4_LhMWtF57w^|QW8VA6ClPLNAbdPz*xLzd6+%UOwQ_w(zsm(s-tjS=g- z-j`>iOIA_lb*AUX%N2pI;+<<+Y%MgJ09QuNrxvt86cq}bD1)3z7m^v7O>tiZN zN+Lq#g1z0^-UH3ZA49l}-RCPWevUU4Z^@V{neT;un8`k#&z!&)T}{LL>afIsY3*@J zM2gT{XQ++3OO+F?rAnM<`y4v$aNoEF@Kq%YL|6FF2Z;S0?Il-a&pp~o2SMbLO-8QH z%j&P`Hl!~{`WW6>KO-S`DNB;kEp6_OGv;JwGQp9^Acxdob7{OZlwF&is z^+dBT4tj(4$}~%8vds(l8GZ6$Q-We8C+DP5ialcx>zYy;9sj-Mb(F75z+GxDZWc>> zpK7|8hq-Qvvz|C9yhJWwGAAeG4LsPmRbtoNnzpk1lwoJ~OY|hwD!ZouLhHhYy93>s z2$5{ChA&DW1D&^D@C@`1vfm+dd$wu3S|Kjf<^+82ZDB+;cT-F*+LhYL>aCsO)bfhR z@v4&t8sU7$@a87AhyD+Yg!P(XfkNUuAJAD)+;EJIm@q?8C0I;H9`BAdx(JwyPF9+$ zET+QAo8tyUzdhnQ&?YK;5Zae-Fa5q}MviZ2dM1~RwFs4S7L7O{pAp>P9iPhv2m@dh zzI_`+IdK|--{V;!g=&xAhtbnufi_PhuKScgY2@tT2K+WH$zCTj6|s;cZtc{B4l(=&*jxui5CAamglCI zvUkko%0%q}NXj|0!pX$mQ)sG9^Tw8!f1y(yxtOh#pS1Spm`Z6pFC2arlj}C;^ra?> zVz?{#Z)y+CF35n^PQxYX^{3+(MATH~Au9#p`MuY=x@h2pvWP~dApZXs&f~B7$3YXl z+iY-C#qLFf|74BO7}8o>^)0JXTcm6Q0*O8jn>ToUb6eC)zE%RPgcW$>H-kE97oJdj zb8d{XvvuA+rJNGhH7z#xs=APUWu&?@$(EwW zpS1-=&ibyp4eX{p66}{ zx@Yo1sI`|ejB8O4b5C+oQ>2w7L8hxHS4ag^v79DW@J;F5=4alE$ ziRPvq0>p81rjxTTLS8pGk6@CF>utS#2PVCh=&up5-tl^@OI~V9j^}o;XK$=TWlfvq z30MMtqwlTk$9vwY9-)f1kkEMXIHn#h$dQ~ja?KBsobta}Z9{%#`=EoWr0p?#V0=$! zEb`n0-H-&_p1Kq>^VgkqFirkR^4v=`(GhIn6v!Lq_0?IUS+Rs=WP}@}-Cx5_kfY79 z6X-R!d*}{S=`Xg@F7;FsQWTwaQK%oSj*1QJsqZ=YI4VXV_Tjaq;An$K<)T5W0k299 zuUB(>p7x&Zj?iw5e9V26_m(+%u@dLF+43lHLm6RI6@aHkd}=-8ecRG*r)N~V7b|E} zWVZuk#+AJfCUTL$eK?~d%o|-l&L=h)-0eB6(YoVcK9M?zyywCq4)@Gq?54+)x^`Xu zH@5{)o!V!Z96Oo_+bV9K?GPWoX1T&0vd7bWn+@7e#}Z7?d+B9wUcNeDe?sE!|L&5+O!i8Z_1U9EH>q?;IBm=Lvef|PmGPtjsapTDV!s=fn3PgU|0OAOY` zGQ?ZuNa~qrbf9`1~-qx#MvhgfYJ6w+n0@vN-T0GrMd1!)zfp?qtS9S zU+KtjjUM!%lfhliH^SGKfjQojFhYfKI{|O|M$SvbK@`A8@{oZ03z}_*3@t9qw#L+6z11{4)n|NwRx;XY-TV-6GqpTc&2r~(YCQN>OV|9-DeyBFPk~ejneeHqDjl>F$gsg~{kpU_ zp{8LC?|i0~Zs09;#rKxd`o8yozxT1|^$4YVYX?t7sETo@-0;1+Jwd3&w0UySv+;o}&!rM@>7*5|=Vw7-6g zmRJ3TsSRbkH-A7-4;Iuap=6Y%#}^d~f8%+6eE-{7S4&HuOoWV>G1{{1&UXpZ@;K7m zvJZZS)i|62;a*=5eqcV}=gw#<&h#ebk424)I!7X)zV}6Y?RC}_Ma)H=0anOiq&_6w9@?QoM#7$Y@S}At)x*@ z{A?pee%KF^+h@g^G9UQgN;|7&9`^B9euUq36z)yTfBbEUa`sDDB2hxKD@yv#F5xPG z?y9hx3=Ej~xOEva*z37@pTed|MtL(wjZ&>`)K!4NtK~r?@;|4xn&$kEKJKp|PR0XU z-umAuI`9CxW4HR+z+}8-G@k9-*)J=a5+x|z9p^)NkGqbig`g&%x$R4;;YQ*OGu;m4 z)6XZ0`!So;3sJdM0)LDu*fnQ80Aw}@hbLZ@7p2c>S@pkc8GC(|1*_~@Y~t}Q8|^sQ zJ`E_RjhY@2s$SNSP65D_7ylXS>hhXYl@7;$u8sO`P2mKO9i_mL*yHix3yV=JJyDgP zH=TU8DrniDw;LAHNoHhsQ;8OGxrf=*TVDg5uhKTCfCXQ9y<2^Hm5tg1@AJ&{9TX!| znLnN{X2z3~RCdruebqj=PY8Qyis7yad7oSDYrZtETGCvYa@OlIspou-P!9j(ek&?@ zpH@OKy#h;&X=w0K>q4GUmKR@+h4kbmO?Z^Z`4uQEk+jv$7MF`Ao4}k6q7;%f5cL72 zK0Rb~zYZlh3tFS*L7+kQo~z0W|CD=f%!BIwtc(dgo>{O^LFUY;HR*V@h8QD#tv)RhCFOEDPDTCI*or&Ap=65<7tK&kqDF8 zp-n>X!g1v(^F$#Xrz|eIV8WflA|r{7kjks6LeD7v{8n+jRsC98ZNX#f zae(DkO}x>i#jFsk#F0))TubW?_4mbc4ksbLvP>)aZ0(EA0*<;G4NFt1;s+{o@;&rQ zvfr|;e@1KlE^l}r#1YWD-jm=N{#>cd@`(geS38jR59cI>4)~Kj&)7&o$=uA3m$!3G z7$|d3fh^pbpHq^&PGMzXomM-Y|8LqoE}u@G!(i~gn^S$nh`tK^x`r%`@xds_g6|8$ zxY>5DgDC99at?7|_tM$oC{N%w@EdP<^Sz+KDI4%i91n{yw3?*n*22TMV{~ffowf0d%*wWZ2oy1I8Wms(hdaT&Gt`uB*io2g468wFP5*tiv2ZzpP^m*%; zfroxaE)*+WGfgXnXS?-fD+c(=op!?_74795h4=eNTXUvLj(|q;cg2aBaBmNwPanO= z=XKXY0FXCc`#ih9JdOE1RhCXlIqRJkBeqRBLo_SMEYLPbcVGi}zQ22I?By=F;%b6ua3^y)$xf*g^8b0+O6e+=U3my~KOj zI>}Zs^q?p-?&Zjjl>_gRCkbuN+NfMN>5P!rZ6eSIzZhyPh}EAF2>9b3kiH}V`^-jc0u zjiJ@t{|xH8aj0p3G)s!EpJ@Y!(3B+V*UXZciCUwD;q_zURA!#mO3kVJdY3q7^}wUt zN@{w)(a!AuPP5#}^IvJ}21ny{qgDuB zywH60cIfGYH);&uzvoTLmty5=T<^nn} z`ik^)L$s(~zR`CdnEUR2DF)WK`z4F@nWVk6I{q0jFQBX|NXjvmIK%mi6-x9eKv`4( z;yfOPS~>uQzjm1I_v_n;DJ)^+p5|Brh)Xr}*o~*a3Ob`FED~`)qiFoR9YwN{&uki% zwR)rfi5uZTw}!@r!dy>hYC4P1tqfV9O_8n=A=rQKvo-H-6e$jNntbzM2PVL?q0u$O zr{m$)qv)ZW2vCH&3yfiDC?28|#8v%W6~$hDB{N2QNw)(2VgR~o=&Eu^Ac?U;1(){3 z0(S``r(5Yx-gtZ+>2*JSx1i+@^Yz%OS5(<@jxrsrExX%j%-MSzW|zni*F0uyoG8G4rS@Ucg?Txs_RM?$x}=N+wB!Mf7xLyv%i^bJytr8HsEOptFTvU zR`?e7^PfCLDUWxTwx)5GZem~?ww`V&j|XEB)Jj zv66bxTBMHJ9y;-KH?PVzlgo=#j|R9LS&*Mc_gVLEPNr>2f*0%uTI%jLN*-r+*;!L| z?iA=3@i$hrZ2z{}(pZQBCV}dqC{4~@@Z`@o^AjV(FOoE+{{t{noS7or%@x+;1kU!U zty0114vJ%XJWDH|s9VBO4PN|Tfwf;d3f~t!MtITrbrkyK{ixT;HYz{mDQ;faA@=s& zW*m`^5r)y7aeT_&(Y@8B8>}m%b4&BI$X)o90QBToE<|6xGmB~T3Zfe}9RfO~e?;JW z#hQ5yH&{JDu9ccmoVIL%0MFCSaQJqIq=Hw*2&XT`^5~tD-Cg;PwnqJ_%ux5#it{)? zk{`0oDISwb?w)b?@RQPj`4RW1*dMR-&SGY^tWO`@Et)D_<=)b&$*yVT_zhjnfQUW6 zqVGcI64g98&{b1yj9T^OZhxn)c#&`^M;}{rgEr^6&U%OPTW|1nUBgejh^apCwi=|( z>vAnGybZ&ZKq4JDP0+m#Kl$G_as$XT&`9+HMiM=29o4aZMXDD+BDu%)0?zs zciCL6Z1D38mpP~}Z`&2J>$ne4=M6ih?F+o@ITg!(qPz7vU5eF&M`A5b-1`7XnRA@K zXCyx&;o$|wX6D)lsshVLckf(qC{NHTGnmT-SN6gc){->{SxYQsSrqQP~%kk@2V`Z_Gtuo8`S6!uz48+p8H8;MtjfBiNjL<=A14dG5xguLIwZ0dr;~V52sjJ@#s<} zbvlVh!pu?Vg!oFk)bqwC-EIdMo~2=CvF!_X*ui#t3VlND!L{J9u55;Ss9@7s#UuL- zMkv(|5_hdPm2OQ}lcCU3v%nV4?kqmF%Wjj{{84Pcp2u%1%6Nlq|_K%aQ z`Dp{HK$EKXa&Y6{>o89f*+gt)Jf3t&U%LfIT{inucL!2b3*~{5rGvRF{4>zwFs-_1 z?dUhZ0{I8LHCs)6bV9AHu4ieo03tC)cq)`G`~|Q5W%t{Xf3Hi$z)0EauMKd5$xaE= zA*{63_?-Cwu`kTn+!IP)FpztFOqL9QYuuK!w~VPvy{iDT6~wrU7{)S@PRTpmVY0EI zNSyp7?L3x-$wlp${VaP);0h-XG6}~o`vUJigHP7$O^`WSTQi&+R*J~{XMNa zZ&r9HQfuLCZ24>MiIc^VZ8B8iNjq zLs_uU4`mmGXdX`SCRWBmqLcyMf}Qnz}(*6NVzHB0j*fo z!q$LmGeggsmbrt2K7bg&1dDFAniZLMQnT7d>%9uPxit)p%j6pW6H-Xr@a%Wco0IUR zK&BEBU{H7Xl!$_J?Z$UtnZL!RMHmMtDzq+O6YGNog8AU*qrwrhEmL<=@}Pl9`sGyh zgt<~O-E;MF$zd~zt9X)r`rm;@6m-x7#l>SdExnRc-Og)1)&-4B&aU)67d$!~ zZeB;e0)_KJRFU@)NjKGPX#QbmU!L&FnS(mfC}c;m^oiK6P*Ff^4D37asKhpPoW1NV zw(Cluw_rmua3a}Nkt22U=2|U7QSLs1f96(I;_E2*7r5mtklrP*>P3>I(ETs`qyv8; zXy;OJ#)i&=9K%xQMR)M$YOd|fgEpNTBQk|LED)8%Qx*ax*}9k6+~Cv|lV+dykT;iz zngdk5V0&3Kur%ca7Ui_xJ&+hohdJ*{C-YxvNpye74XEM=?rb^fH^T zAf9itmP>knf;*RcmsWo7P)-2AjFIr7`%B_@40^2f7BzU%elpNQ(P+LKDg5{15qLr|2joj(`*DA z6+henAk9YFIR7Pd?pqEeQ5;oHi%3YQAIuJ~{6?}Ibm%+pGol6fFsW$zG3hUT50b69 zS(n802^K+-v(_A87+g5xm{uH9T7HXGFA+{9_-|S0h?tuC5PJBdVHg1ou6TJ{@A|PX zNRLvyiY`Ulbl>9uE&12r;!i#=u8cRP@vi8me7Jezbt!1uPTW%;uHSOxn68Dyw2{|l zPpqf@b%Du%lqcK5``wicB@;KR%rv~7>M!y-&;L}XfZ4_N8yY88Y{_`sZt6<`Onx^T z%V*dA^@!V&YCG*dnyl_u{R(dlUNybtYobgRJo0`$^&`3UQ`7ED*W#km82(QhSmYo% zw}RNDQ|dfH3A?7TOOlDlcCeHwLnM)gdC}k(?|@D2JRzjK4=J@|{*0l2oc2mQUB&(M z^9#_rKBnKPRc;^!H(BhZKfY|KHo#=GE&u3tgtweP(yM;R)#F2BE&*37Ys>V>0(K6T zJUu^fpkd^+`+4UNfxj{2Lma8YOQUC#H@@;_27mlL8unFePpA^=C;y~|7-%(JGCp*c z;S;V5wQbr1<4C5-JrFm)yjIM8OWcpXH0}TmyKyY0&n5OX$Y9^p1N9K*X}bW(XsZ4+ zZkS$D2!gh}offv82ulg%*^oYoC90=X2dz)aLtw6GJ9Y85a7FS?sh#E-250bb7+YxD z#d1-ojj4O}0Swz8kN1J%c*p59_%wke&~rKr6_IPUnWw?`U2=;+xZnK!u|9M;F0wAF zX}A&SV1`@As1x(v91EjN6Xa+pO+ z9<)zIjwj_#_p_tU?M(moR=t8Ok=@~~Pf~EQWs#~?@xBkEv9N-?9{Q^65iarRfC^__ zozxHzLzCt(Kilm#@T(Y@Ot)88!uLNzVl&3-sxpqsc2f$;e0hibt31bNwKJ*bh_DjW z8NEqQ3Fft$581RlkB~l7C%&#?Nrfwdy7*nqt!7b)IFGN#(4d4*EXOp3iL#XSWv!_3 zc%fE{W@^I5f&y2IoN~6lroYQtN`l;AAyo{plc1os^vA464MkOq_KF;);M}rR7x9m* z;CkCR#w^av$(KB%xN0sinsxo1o^zaW6Kn5=;x9Ia!487_1wIK<6bmdNg|B)~=0(Ml+Uf@9}y1Arm zpe%p+l4bLUvQ3>uwLVU`b^L|#e)+&zupa9{(Z6LO^-{56Lu@9xdpJTop_L8k+qhla zo4?h|RPW&-v%Yi=E_T|Lw)Y4H#1v|gB=CQ7IQ3zV{=?0?)nei=&=h&}!FIQ$ZlG`J zscqg3FTG|nOI~*7XO%2$!l2=zLHU-h*+JhiqJU&KYg+|)?q>4xcXksq)#C!;GK56( zsDZN=Yofhltlr?TP2HOf-zp33uRTBNbVBttIO}A>IHh&Xq$&_vEAcQcr1=bJ)9*O^ zi0aa3)$*(U%Nh=+X}+y!*N)ulak9=j{oF}|ZZ?_fLF8kHBA!xzM*@+QYCSbE)iCse zAN!4YAa~5A)d!@a3z*pv?viUyyl3@=Hs(Tj04j2Kq5fozm|=fG++KgxT?o(Y}LH7v-rHV$t{7$8nT>=~ikRezpxx+|(r{w%h2(q%Hz%>V40iiG3w-Xf$=E+e`sa5&TI0+h3{ zZ886@gC7Qyn@dJraaEv-3U}E*tFtU$BbTF1FX3jG3{SQh(AxD{+bpulf$5HvXvbvmnKOb5a}>GRT(7?5|JMVm zH(XLes3|K2f6roH9%ba&uv8O&c8tGc>DB|GA>6gO(BHUe4Jnd+!1EpnB0gnUdZ*r|e62q1 z0{B94nl}2YA<#p6e*91E+tQSfJ_Gm)aJhniuqSy*Z6uY~EWar!@R9!+r2t+vo#Wqi z0I}U3`XfA-dvPUKOU+-VO0QpxOIp71f`qsiV+tdqw=|gb+lhz700IWQBD~mW53Fw$ zorOxb@%^(N_jlC9>)0yWQH z4)#is9K3!fYua5D4GDUS+v#izA;3mlJ2&wzU2o8nkgQzQCYss7d7NL={Q~ryMOFzQDstk)%daPkUN@J-B}u*Xl0F;ECCpr}>)v^YlG%|vuFm+F#oBQc31g^$X=jn| z&A^*~3g2g1)}u70$djTC(%84VmihI8i7r+-!1xT|>>cZI zl-72a(A1RmbF_|@kW_=-(MGNcO1PjAnk)!?EXnfj*iY0Fq>l|Y0g!PLnk#eL0|u#>(=fV z>atzduM3A4(Zx}HomK8a@4nsHMk_%QO2l^QU=v;|Ht}xl3a%KC7kC%qXQki$`ux-C zTbwl9)LZN(7fEb>6+ZGcH9$RXZ%s;9#Xnf+RR=-AlZ6BQS3lC;!H}YmHWvS=z(Wqp^iKa{U_skJ^L2W_e(&40D9s7EQzaS;V6cFbO57vUb@~u1 z3mQ4pcxZRT=uu?s|F}>s^L~0jd6iu0+eg5+(S+7Q&=@^SF%0Q(<2I0^)MK5-;W)1L z8|w>IFSScahC|C|D^Xe<_*Twc1PsF4<`seTyI#G%-P z+U0#$?_a;;X;AFTH_gQ8y1Z8J)1}F@h=b;J&_fGl&};!PPv!mjt-gJ!If_(W%FV~X zV}I54y5)MkuK8;754%ghWDnMUi)%ymsSSe51%nl!7C|Qm`W>BAg}fPikM$9?Y`MX! z`IlV{*5s`lSBy64rlgd0tKAGUREC2IKtdF zJFPD2A`jkwGuSl@LX7x>4r}z+i9McoEfbRhlVru*b#JzfNBD)LZyZ3ih0~L)L|4uY znO`F`4p^zykw_()Gvo{A;=`jv%Ba!nptXr|2xqaxddnIftkL-_kMIJJKFh|nI}$M6 zqhrdWi_@Qg#!t`4S~x%>i$eRw9!ys$?@@02$a@OM+j+c1jZjr{+=hGXMk#mh1zfHl z-MXQe{%ldzNtXxArdf!zHr4;UCRL`5a#Ag><##K`1539a7P5tH0cDY&evrhOn@3&W zixq9zB`Z&fX%}Ja8eV%o7>(r$|MWxAS$|h)nTNpV1DhAvik3y^rv&F$LPNTtB=`G< zed>OMVWN*{71swXP2T&c6P}I+p3i#+U~ij)56cy4NxvED-L+fP!8OrpiL(vfJ8jbC z#CPZA^deGMZu2f?HZZM@6gFl3azd`zbC+lQ**|lRM;a+^R&#Rojl&^Ab$#gRKrpsv+S-p%3Ls_D3 z`uZ(eH?C$a4BMTlUuhMo1(8lrB?bw|q@M^67by+`!K+gOabM&`%KWXm@csypw*5^w{ zOyC}JQbzoEra?-NVj7#cJ#9xRm*Jz*$ovn{0AVt@?nT$&e~8?9c;B=yY7^{52yb6JWU!tSPN%1Kdx#HHJ0+^|ApJm=QDLIB5W;**(<5`4JhR1u658K zfff@!s5>MJbXOXevmDb$>QOLx@8~af6 z?J`M2XItl;2%k&i;)^mAsn)od6)*$j+|TsdzVR{W97?$~w!1qLZOBs0Zs13yzQ@#V zXh`_N_06`RYyCC~^Dh4{3xJFnzn{>4AJY?TUtnPSQ89?U*aM;T&5#5|m{ddZF|ci$ zO)Z9{hM)yqF8x;8ilnacyz%SFZu)qe34Mt}>v}K75F{*lT{~^rghi=49m_+6ht><; zYvLii&c7UW7V4WMD0gP2T(Ij>{|P@EVIw zeq1ASs<8R?-tzdYze6(h-FnX>D#H;lXCzyl-j$PHzOCvWX=DyQ^1#5Rn3QJ8Z=Ix z8@(?!ExI9-rI`G(v3|^RE)iU7uq7|uCp^wr`ktof1(1@9cumw+{C-w>R$_~>J();6 zTOwVf8GhsSI`(m8*TsR1a<=G4fAPFu1UohhspC4E)OByAht!k5$mdc;N5G2H2_xo% zp3L|Za?a=}>lh{EZBH1|(IpZ#Q#Ryho+Pqc2#NfA%1^dozdHZiJ;9x;$e9t_ z@LGTDxRKxYFs)aQm_GhF{m`qWrB};WfmxrWjCkB5t~FDB(2e=^8$;>967T*?43Qv@ z=GXX4lSUq**G~57=T(x=p*mMW;-)6$9!Glk!t`IWPQF8wLECoC&tcv_8q9I}kL)xQ zy$nbY*~1sw*(G#Gk@kzkeP>yAh90xZMscQ%F`R7A}mN<(91!sh&VXw0AFFr9XL{dJ?(S(Y*)%m=2S z9vDssvsL$!+R7KIpHpAlk!f?N04kE7E(4w`mPC4cnGIf(q^^&dUOB@|@0J1L8dy6kyy(pUBf+dIa58PhneumLWt_16qaLmp=+j|HE zOMm+Pr;n-rS}j}o<4%B8!LSb^Xu1osy|Ho(_FJQwM;cpJ;|+8GU7YY#3uF-l7u-gwkv!L9xc&HL^YA@I zk+js%A&!OU>6%iAwwY}6j~=m2`U?%_>@GPILLgd`nm?MMY--Op^ zWAfewn@pzcg@hLnU^VM`-rEv?;>K3%dRV0To8sW`|4&YH|iqE zg85gura6xk{l$XJ=%ItSq|UiOn1MP4$(}=|n5U#UPPO(@ zoULu9*tx(=cvcbtSZdy^XrnW`%tt5YqRaFKj2pd;mao^Rn|E57bEI_1@mhOSy(U+s*MPoHeXW!r4d^|N^InJQw(Vy3(t+p~W*&gr;7Ru--l6faVRe|dv zqtf$4WgiX|5nge>O8nP!TGyt5$Yr%O1)W@v*;vM}di^?4_qjQ-AkC%Hy4(UD{5a~# zly9KPUg;6kQa9SmI=RB`h@-CpoHkY?ev)l?=LS(w=Bmpj1?Wx5+nu(2S6>n@NhloD z^KDaZjaf9!R!%tsd8`~$ArkjDf5&=HFpeBtapy+>HYY8|S*n?kn@-iQn-Rk0HXN0N zvsR`Iru}6^a^da^qJbkQ>dplE8whw}K)Ea0(n{<5GFqo0Kx~#|{;bMEc^{GMez07{ z1o0URI!cJ)eR>Bs0Kqbw*Vsmyfj8?-xv2x60}Z@lZ!8;~Fl1yhA7yUSpRPt+wEA6- z92FX;MFck9zCm?WGw?|@88XVV3ZrG{&Wa-%P*1A`kWaS)SslUqd6m13mi{21>2OgT zzSFyU&^;(```3P7%U&Ywx&2CnvyU(Mmkk?m)UoxS{NJ6KoHy^r{jPU_6szTs*_&Zn zR9W@=kqW%wx^)&aIdZ3L^~8s!t{A^+Xf^=$278o!a+cb#+;yljejRL+%@|WQ@~U{PlNBJuU-B?VA)!Z0jaiDUv(QzrEC#fKgM& ztbZ4gsP@b8E~10+seyW-bTE(XUZ}6vaTZGRv3D|MgBE z^7!^|%fd{L&xV?x&-)f*^0{ftiQWsyv{1tjq*7iMICjIlycmul5+f7ym#@UCHnFR2 z0Iprk2fLnu9_`($WhPz`tyWumRW4KUaJ8o4cm(iN-#G;;NyL$y1 zh%@n7-p{Z%qLVWJ_NMXpk76f1Zko1w@NeLUH?ut_yBUt~^>MZX`MhPd9#XCdwlkjr z=Qho6m(kbm+1fc4nW$UwovfNPix(-vtO_!yS3edR+wu7U`5ts#E}^oNA#UE-qVl5{PZjjh(U-a17sM*T?2^8G zf%NXV0@#a7+z>6nA>|fn6Y(cCAChRL8b-WdPC&+(o{L|u7Qf9k?_ChJKg$$to#dDD zUjixR$2K`MKRb7EJ^RsT^4|yU`XiGt@=yOxgXT)H3InG%LJ*5$TZR|09a|5pH2K>C zOq&J?8J9(WS{7whn%rl#%e_FY&c+|ScPH^7#vzCQiXs3jHM6Jp6DiGf_T^E$_{HZ} z9qyuA=s{pC>bBoi9a-d7k`x$CPE0(K(x}3~pgASBK}d3X+wUJj(ghAolx&oQP$tFs z*6-3ZHFf0RHZN;2gx|nZlkhU&K|j`^!SCZK)e)FjfLL;j2H?-1Q@<48DnV)ml5EwGEprOk*b`H^6Fa1oAgATW6IK*s*on zeq6nWyplQl>e9+~NG{UzUpGw#inRG&A|c#0*7VGvavR-6;h)@maOup9l*0iJ)MlH~ z0aNNPX>OU^LSBAi{4gE_d;9T|!gC7K+MBKf+X=qJ9t1G&&&^bc`dSSRa3!46UdEe( zj0~#mRbgCytUrqS2SsmHGf8h_VC=pVMm|z!EV)l@a{avx>g;vLvM(mkS%6j*@)M`j zFvzJZ1dEdB3Y5H=K050X2@{wtd&Z?#o-~~|=w+B^EL|y0Gsm{rj$S4^^tH9QSh~MG zR|f=GT=*W*Mw|uL5E}jFfi$=8QQT-8QuulWgFBT#q4eUXTqx-*+_dWzhq4uPZ{y2+ z^w%$m%qj;vtDU!gB%#ZG=i$wV5|luX(J&NJ7{~#+?WkG4`x%%fT+Lx^wa6`1|D; z3SkP?hxda})FnuBpX-gh)%q9E1EFTqXP%_#trL3Y$Hr3S$;-DTF=KSs+OtYtEZ^gE zG#4@11T9Xw%_OsK6m<50@+5uyMdHAB42a8*W&}4_X#>j3xAR0t&htuD;-lM=-r@UZ zMHS>Tw3{nz5-hvHGN%2PA&eEt9?{9+b&XzG+j}n1OOEHD7v2MV_n7^?d~xqh2c3BK zG1Kh@@28H&p`tRXB@_H7vb=Y}u2<%2EUFDUW@XTrlX9B~scw646}M>Vp;|HFR;{U) zapEj~G>k0wFk{wxtbW4yPp`XhzG)_aXEOU@h0|y4K|?%@x(EPRZ#+ApKB#RipvRcn z#^7&Ew|ID&xT6-1PVR1pTyciO1glNem&Gf`?~aBSLE+LqXx7VW_88zE9@qjvw0EkT z-C%0F*$&3>KDT=rCUW$a-LAotAJuLXx|-zkc6XQPKL{qW&mxcum}JtK^oM1EbZ5Vgeg_ z#3D4Dd)(rYKKq!tRp%pGm5+Y zoy4n2AX$(=-P+6lCUPf7R0Kk+523t+qevR>GuN9kVeLS>x0hwKz>LsGAa+CA6) z-kX_c-4gwx9rwL{U|yf8&w17x*k9_jjX0Ue^qaaJ1huGf;0wc5&3rUPS;eawPAudHTz6g-K_oU_uT`J5q7`pl5hZ-^BX{f#n3k1!fT*2n%`4Y{|3X3|S_Y zsd}^>&T#o|-p8cJufu+yo4@_gcnKWijhi<;C%ODzA0rCZTruvwUl7j0MEu)Nod33G zj(vFlUby>cGahD3q9l4S)Yk2@#ES_&w*!HVLS-vlz(aFI9)SL-!>z8aa0#d zeSd;I%}&&WiTj10%r)rbraeH9a9%6!-ee`&&?4A$$*ZeV_tyHCPqMt<@1Ty8-{qT~ zGQNL;=IW)>+5SXnjkgp3HUFDi@F^5!m2aai_hEewncL%69L&T#0C(#_h`?lT%i_EA zg|8AkOiVHK#>K0txO)BO-O77zwPV*n>Oijt^8WnGalcp^Y_X#x(D`GcCzYWK_5Flq zP?u}Qv=EaNy(P;>9EE(#(V#xX@=98X?X`L^4i##$L@O_a7)$)t{-H zEn}+-UE^vcsfSOUbSMQcZx-4!rQ!F@pR^1P`D5T_pkK^5ZUHK5a1P|xsBt3dqMZtO zH5l^&zj_I!&!DTDK{)GFQzQ~_=$^Z^zY+3k5wy2R&`QsU+SS}Uu+?#_)`F)npO3@5Ad{v(VYHG9U^-Qc zSX3$8!-5577tG;2kg3RCNk{*sjWGCq^$qnlNfcZ>DbpNNIC2#ypBCeeik_vOugsEt z4<)Bb>Vi98A)DD>^~h44pIPPdC3PakdqXMnf!nS1jKL4AVGN!$_9Ro<769b(AXy_G$e@25#%t;^q>i@e^xILJ|op&(~fgRUzgH72;`$aec&~*bwn5 z?6|%oI&sSpA4y0Zi8O6}!JwPz+GjdQ=j+j`;aA48G|S%8b)cX~SS~%5r9t1|fJ$IH+f$ zgJ}2|#$1ol1AFAR<+Xf@67)>oN}23+$@K;Mb%pA|c1V2c9FzQdbjxp3E(2rG$g~lPWD;YBy_>!f7fI%t^0_^s0kme#}DSkr5 zUC@981936=%^$~6WfmD+XBLJk3T{Sa9L+fbPMxA8Hh&b)wt4OXF>WsEH-3GCZ^8E& zmz!54h%o^PpNIuMqvkOH!~qvl!m%bpBPH7KkOX#Uf3J5c&bj5iApLel@Ft#BIE?4B zFr}@LM)Dp4JVuz5BD}d$S>|r$WAXOR1HUAOU&2*Pr1awZu+Eay-kJ>ND3b^uj?CS0n_lt_V8GFFapu@z6oh zJm6^GUdRL^EQ$Uw!Gq}cgTJ0Plw&)8`ttW|J+RkzLw=6s(bXLO3Nsp*0erfLUpwdP-?2M@H1dsG*jmDAv?JXWd%&?jIu93cgMWDK9WDhJ> z4-BtUc5VR1ILx`q%Ra%sp#Cf{rXl-@e4&EQnnh{xq<6e?)3W=4!k~leU~XySD7=go z+_QN7%9!Gy{;>9kr7YStf+VXz*&q9LRQY)L zw}LeDT|&{Lndb`>D)d|I6BO?W>P39DeiH(fEt!jNiy#ioPwA1rMA9hlz013QL|m-= zh$t9aXTdP44_QL|vQ6bTv%0f=BYoRsywdac{5Qp4*B<&+&I=E+`9aY6(<(Iw@y71z z?T<)d_;0;apEjp$WaAh=fJI`q2SeC*ZaVJCEF_m*&aYDqb2)bB&2KWuYirS_4{Qc6 z_D9H4|C*nc@z0!Gh&0BVAX_Wl-?AoK{%RjzyX`rtTde?LEuCKS>*O z>s54iSG5Fon)#kTeD3@~;#P6IJtCS!a(;l(J}<%br|opD!O!n>J$KmPl9H~+`sTO$ z#BaUf9L->}oxAvp33xT27|Zyby2ypa-F1+<*?BdEG5#L0<^6a@)ZiuY+aToGC{S*T z=3l4pLN*KE)~wiHn&Wsrbuz|&O1&g`2N4OGFZgprLgk5pIJ(RrBKs<xrvZDhQ+r=VL8rC=3oRWL}ccM2@cKP|;@Iw{(W$EweqD==2PnY%TAj)bpvb z(6V66NU^^yKlHBN8RPl9XN9`^XA1$fD_?Ko9I(%-<&!^%E)P2jV~+dBdXZu`@uU-;6_x<2Bc84o-kM~a;ps1z zHxeVN8tu8Whre3BM=~i9PWr}NMW1NEDsICoY`Iqwrjj?5k`lLHg72oYHpuGsRh=UB z8RC-XXWN;1m7Te**G|DAQlx_H4rJvP*`N<_ux&KS%(2GRApXWmThA<^-jxnX8F)Xp z1F^eZ={BcI{&c*RrWGw2yA#lSih+=%0n`scusmz6&VgTX8pA)8G)T%p&S}V)T51F! zgnJjkDa%o4O!NwvoM5)o7q>DG7cFfMN~@BKcTt3_1Cu#v&m(o6Cy&F@V?QIz^OWDC z&llT(tDsI;W_Osw!jdr+?3N95x-p3d7Cgg z^eYADoOfpW@H~dE4|cmxR^BO7(4(17`St0#YL2{~c|lR@R-$2@STOh^w*$+qGr&*# zZf=P?HHy9)l6KZ@xE`hjU;0}Q=MN^@aqZ83;rl-FQYYpv1rfEdO?D;z_w&w}o~f6i zU|qmt?2>arW;Kh7FluaZpnMAZpM1j#5=K|9;rKiHuz|F$!jd?DrPm)0l{1%>GHD72k?ym(q z{M^=zPx8veFAv%MZ+;>LEsZ3B+MCvb*y5k-?u)r2Z$nR#(x&DVGLKdn+JDxM=#+6! zyUB~&UCbI-?Y0j`4FW`p%Yn3Rh4^XLW55UJzE!YPhn~gK%3rtK{FFJ{Tjy0rtzl>- zGgqVegIRYDFCXK!`A+EN>*`ZLuJu4I)igfrDQT3WhfN)$F6?avNaY)?oCYVu^<1+a zGWV0X{;3PH&S#3H5r^x}esN)+ zz#hbp^ngt*25?C*Y^}UPiT3bhsYd(duN%vcF>DNS^ z>zGGMMYk_Wq=IJ&WC~M+n$9iFPkc_vd$>8v`e#8K>26)W{LF1uBFun<+AiU1lhZ}_0xEy1ZKFSg>{|A*)@ z-sk*{tL38{r4(g8T|CwETq$|~mF;k^jo~=^2DN083i1yZXzEby-Nw*m6`fJA5jgb6S|?yDQU^3dO0ew}`B1oZKS_#Xq~HVEjZ>nD_v zNXX0Ht{jHsPfk-y7-9~4=F^n~Ui&1iq{!k^){>yn>zK2++!Kf`x@SF8;P%)ANN-6g zB)>oNd>?9G$vQTOwMRdW)VXDsqlx@lA(1k)Bp1@r&3=OM(VL^kfjaq;)ptOk_T@eZFaYA%f3AP3g>Cdq?E1}Ep{cnqG z2fnc#&fdiq=XXhIc8t2K^lZseGB=65WnU@A16ij<=>}ob^b2Fzn8UV;7ahi7My4ufI;VCaZ8LR&3S8Bhq+cI9rb3HY5pL~U_p{RFk^K}cbkE6oz zZtYjH+~z6Au5U_QI<69rTgPu1lli^EM_^M+2Xfte?7~fvC-{C>`OwRCaa{}}WTsBRM#U`^En)m? zQb+`oxx@DT;qdPd-p71mnm6ek=dcZ-=xKzLv(WoC@-{M3>N6e56*2C|GI5qj<&~DJ zvj(@})%hue56C8bCE|Y%>3Zt6vwNq|yL@(7+ zz(I$X2AeQ~DfD>T#yqNB|IsVMI@ux|Q%?v_Av)DX$#=E>@ol;8baunvH^ob1v!!Z~ z&-`4EQPqBDQVMfOi33roX0TI&7X&gSe6-p)$t+3}`PX0#3TO;W#;XmwrPPvH@v#W5os?&j z%)BxKC0!GG=V7Zm!227rPZ�|L;b11q9I7a-{L_KSziWPHMF zN9Y;(JblraqQfVOU|Lg{#0KNg_Rh%}gOXWt;=G&?hWgGUP2H`wx%oV1h2Coq765mbGdxs3)A$6MD<7IlJ^ydF8pUC%XUs0rR zN71|HriK%iB;%;QUZB#QZNKa!C=I`m;Ib~x*B)b*St(%!`Hlp~jFYb^Fu(@Mr4~eY zYh$+c`~T4!*C@b-2D%@k)~wLRJ*ms!oJ&nE0xha1%JqV5zjkePleadK#%%5K=*JXo zzcv`)Vl7le9-CBA&{!R^Sr6MEz*+L{gd2o6fED+TL7`YB_YW5Uq2j+A?EhpJb4$xb zi&B8@fy?;sCI1qQG!Xd5KmUdjBJB}L6i&&DJ@eFTR?;lCc<49{N`-FPko~QEM_ZtR zFlu%0!lH>wvgd$afO{yMtD;a|*$02S20GigE26#v2@aUc)wIgbNLWwK(OGR7leAo_ zzQh3NAN<|Uf2>qHq&btiNjEfE+pl2?%@!NCMH`DcMttX%_8A0+Y=#);c^;Q_ZPq_I zvJ)65RbM?N%mgHmr1C?;Vx1^awq8vF4OQduDs<$^m@0W(Q7sMwye7j58f&FJH z0D!UnHUuvfu9Q zZIm^I*o-MVnYw4{bvv2(KqgK7d~1Fgw+&Vwy2i6$R#jB>SHIRyg3$L5a}+`8!_MUM zTS!GGOvhTrTNf#gKfLK_^KcW<6ta8wVm%bd#jhmyvf>Y$QhfPSl21=O!l zJtaD~?5DA~{TEri+QrueL%o#!kJnf7ALw^2HCqvehD?gka;;tzC^K-V`+AJ!igZ37 z-X^>cyeL!wlQs+J{qp{3B`8(Y#G_(GvW0N-Z^<`e&K``s%aK`;uvE`B+Bh9~R`-QKneBZBJ8^?3wo<%R;M}xsPRO8NYWGYSYX8_%SWo?z`oEi2h+Mh z9WvbOIAP=as_ak7?-a-ct=me0vUTEo@)by~dh{p7=j1qX!b#j=b@vpW3rtrQ*Fsl( zhN?C!Qg%FM4*_wN4{6xDBZ-N#U-OcOy1I(qA@E%i|9z!+B>o9g4+~&oN8uW8X zS~#G|@~|g_f-j$xQA40$fOd~wWNv6)<)`8kuL{$UEFqPK3J8XoJR*|JkGP)OWxuO8 zaDA7`-5aA7xfO0ad89O@>~H2>K)49d65nA;CNcyuWn$$ZD%@LMBmfTIc*)nYiHJ*n z%?-jF;LPdW$GLhO9C^2Pw3W7frNV$4xq;}>#ZmPJF~bU}s0ldy2E(FFhl8v812_kQ z5`aaKojiNXlLWq)X!X++cL%l!*aEMO@0B7^#7fA2LmyKA4o14f+MWY?>% z!qN<@SbV82lZG8CPavARFG}cc=tgbJ zH&(iw;7`oqu7wTmGPq*zGBFD|ucf@uagXiDD{mLcWV~@#mZJ%R(#JF4b8k=@G3fu! zB8`pKifMI!MW7(PjSeE6T|b3u8JWjSc8Q;(J@`3?msN8SP4tZ(Ube3ob{_=wUljx= zIW8@o9KGyrdA<>j^b0WKE?8^a9sYusLGAVXIu7~60qH)auu;BcTT%SD?CgsI)WLm6 zE@rth!wtqH5^nk&e>L;%rU;b3QIt5Vl-N|Hf1~RzI4M>+GdRrgk|Z}Ve_d!2e^X`I zz9pWXGy4v$seE`4XoGm7GS?bYgd7%WMKw)J{Q-DB@ry&N^#!i(lT@&<+n3y=0dq6p z!n$+*VzG%%%OQZBU4Y)^!JiB9qPZa#{cJ5nl@Ni;71Eyr zJrg#QQT)eCx}2#ZT?NaLE;APXgLchGIa_s~zJ(+|m6m>wr~EiY(fyCW^ZFPW=H#z* zpK1|-BO86yz?}orj^s`<60<4gj3x|=0PCwJov>hQCe`t_6#Pa&PiEpEFj))rKPv&V zt<*(GtYda^%s$SuaXa$64VdX$dJ7v5lEeH}I-A3RW(=M^E!vX zs#8f+qA<@rv_W80f%oyjE5B##d`@cpU6a(~@v6>#b1t=dHm;XHAEEsQ?Vb)&0fqp1 zk%$lKG?D1q5M1?))NI|DZOu?&-K;g1Qdf5$IFuz6$kxJER5By$F6P66@OVun1Miv+!p59Yp!j&~CekQ}bKg(wHc0&qOxGwB*l>ZV!|Hqk)H&d!zvo=61hZr+;v( zC2=Wy?R)O~%(kxdeTRaAEkrf8;qpdY6vtNuNJU<@_q>rjAXMZaB;I(~b$a`~)2d@K z=O4Qkablef0*OL(p1+T*OO?S|;W+&gq2DL<+FQ??Q!{>@%KC|JSNJId;5|8mZgU^- z#wO^un3y&rbY9(sXe%FjbjWLCYmuH)FZ&+qtMyD0Srfw{u#JHjF@Xr93YsI9Z~zjr zi4>2)RHi6JlGxsi2y^6o=0j%m`0hfx zeV&KXKf#9)NBx8OH{00jo=ywH;JL7$fcsyzvH^o+4myQQq`0O8{%rs9Y^2<2mflKY zbY*%%IX#{k?%>qash2F6&;G7lS6_6&h$zhvS}Eh=!F@ptf_?Jw%7g zgtJEp^L8yFW6eb0NyTi8vrf|+D{?Jfr*nq(docg{)_dw1yXi-o_ zP!3{HZ7N#xe;$}l{Fss+a9xaU_f;2xTU&*_yc4lDMIilxT5IxC6`)D>ozFXJRYK|v z_vqwL<_uSkatD14Y8TlZ9S)3O_<6>gU-p+?Q~$e$vd+-6?Ay9?qx?1n=J4V+qaVIH zn%-4l%uqW?+?Je`VO|fOKfUBxm-4vVU;Q26j4t!WcO&rKd`7DMfYw;kc$V_X-H~1S zww968%WSr$i+Hx!~Uq+C*+A&QNCkN4`Jm+@D^X&z-wCZ)9R)}6kl z`8~nPJ(I0G(Dq#jV&VC7O^jC3YDxVhYA6AMta(J{AF-_Za4kPvg+ zPCiLKd&E-Z+?r#76R~+bB9V@i)k3=OqZ#1MN7lQqFE)hcLU|~itQ1_g0I~5XifDC6 zh9949I4wNzP8+6_Cj_dDV4-UV>k3i~?M7UN>#apyQ{T7)zFNAHrznz&wFgu(>f%4Y zI>C6NQaoM#@ZUPj?%xm{KjsNs(2vOnHKf&DSNldD{MgrOd=E!;Q{-hBo83Ku6sB$y zU+HWO5b1C}=nSufH@z)+o$fAwN4nXdXkG~zu=I#P(y@RV<-6xm&OeoVm=I2(6e^)y~KW;`A%^ zEt6@ZDLTm)gimqi#WUsjfdzg;$s)&82Cwxr#yT33b95ymEqG(|ULx1#%Zgx@j^QrS zQ3;jLwJs|+yF}H>*Z9oZoTFL`sR{Fmc+Te#igAMSPVzSH^7AE_*4AcM%sy(rIM42| z&HTQB_^a!Lhd!RP8BVmBJRxl*Z5`kwIgQnjFpxglB%wet(8hr&s61fn!##N<=;u_v zd%skW$FhOq9YGBJSwD&HQXbe17zpU`P)MpKE+tPGlwa2$EbdP(hx4-)=1EovWeQ7K1Gwca6%*4IKf{v+05v*3lPt?pGz${O|*Os#+!fa5V!U1nF;r zxF;>6pL?~8<2y<^ml_JLn3rOh`PvF6GPDx(CM;njEND){pu3+`uq21!ulw zMlNQyeXzyk-6*ruC$_oyh;%1Ip$g-`wFJlU6-ux$&u^98F)tebpAnoM3n-|aVLF0B zDD>gY;JI`2Ja0M_>ae0JiYY1SQQX)TQ-5i`iR>O->ke=bKC6}|$YKq$@M|o^fg`%5 zc!%w;DfbXUs#$ZTVWb@?w~X1*_L?|b;*Rz}zq>y7&He629Qh#~kR~4E5$oz7@Urb+ znl-WV&R7Q;X{blTAurrMWrSw)!K<&<>_p{i=sgwUIhQ4&)O{4?-@sMswu5D;v_(Kp zC;kJi@k9$VNHIj50k9CBx50S^*X5d5$e6p5()OYF(Z40x^y%Ul8R$DS>b}IQMvuYrk=Za#UQj zF_8ED9{TkidnP1TW#uklkbWm9v#G)?mTjS!q!@t`akgQK)$der(LU)Z(X%M`ZuFi~ z3gI=A*;<#xeJ&SlC%`S-;a8GCrir8mD&!=IoQ zsn{_x7#%>5`1ZKAX;Pef319N^D&cBPYc4A7QyoUyrKUHfM8T}a8T(owwmyE7#x;IX z)pnf0hyJH7aY$Hj0I%p;DD(F0Zgqd$!UvAVoW3y^o?R36;CwngCRSV2+34dJ7P9jL zbX{!NR1z%PJ}I0V;@%@qeZnkU?J&jykG>kd0x)Z*LL0dJBFj4Z3lkuq%x)*|Gz7^J`i##^1jkk?S!S zozwU>o=?^OCqLiv`8(LeZ>>7_3(+v%b)Pal8f6UTJEfgoyQUm_rD48!lb3QN|C*l; zl%L@YAfC9dlQ>1aHGtv`B09;f^Ww^=eM;>G$9EbX@8S4?ep$XmWk5XVqF#f44nR{l zy^G`VzF7t6+lbY#`bp+>{9`%Z)t!%&d*w!V(cs)8?yDRqu&DlAie9d`#!^I7(>pJ~{kB1V(a5O8+R(NIxqsN}&gslz|Js^OqTPNNPo zUdhepQu?Fd%l;iwQ`Iz6fdF+7h3tTf*+=Fy0xnXuS0IEU{?#7VED8?{Ec3j}!^Vg1 zfh)9Ic7LT#iZGEF)PIP$CxYJZusPB*?Y56`vDlfQzF4La92k#n{%1>{(N_?ja|K?j zzk_*G$`m#}IEhR{O2`TXRM)ghDG}4SD6{^og} z%J^bvamYD^gi;s^_L4MX%>9lOdViVycR*c z!fIDW{Cx~UU_&jHy6gyk3OT`*l=IPR+b;#3uGs>4%3zQBRr3`JL`7P-3Pmu5C`hF0 z(<{wze3r?WwxKqOe*|i>!o(<)PZTEOO_E)n=ZLVno=G}P z&cE8?X(hQ1L;BX{*!@w*dGsTfC+JpMl0)#CeVI<;t3!tPB^Hli%>21DNXyPTyu~I@ znc*?zO4G2*-+EhcaeLYOmx3CJrdQNgFIUL{RraLQZh?k}dI$c000GJ@JU2YS{ES8x z4)iBGAp)@|&993?(Gtp_#x!EX?qH_XEXqF}@TrE-CHQKQmv)4YKExi}_AKc#l}YX8 zWE66e&8LNyc~LXs7E#42BXzWQT_Tqb9mm-8{m;o@t3V@zFR4n*mcns*^0?o^SnAG!$ zMHGzuju=FXBFyx5V4M#YL&62!T%VDocf*lvn+D&Q&7ix0AaTc`Ja=4|*n+ZSWBhZH zPyROhZcW$GqBS;5C2h>;oP^DcihZ~Fl$)u>jLf*Hb*uGkl4lA@OCNgh$&S7*Pnphx zXokL4#MepFH~=Skp$+kK|2*`*-bLPthu9=CD`@uj7^6q(8Bg!jOB%qf-ARpsb5TS7 zy{Q^SUt8#d%;X~NqQYN^LS?N{t@Q*T`K3NZ78ohZcl zi=HbBHRCPnmF7$Nfcc1SvMu?5HhxPTQ-8XsVi6Y=XT`j#j6F>H*&*zgk8e;q!}j9+ z2@$my0@dT1?Ld4yN84>dj~&q$lp|E8fwMQSAKHq39uZKlk}qP+etd}XDyW~2!~t%2 zPs$zcGTvY5XFo9K1Ju=!6N>_SAAbJXxucQ-JP>p6AxaGi>|W$@iS~rdl(&KO_p*xp zsu+@A&R#@V{Zi0zIby$C!kdS8_DL`MS`EYS>FrR0Qc_X(Dw&qvl65D4$W{AJljz6j zIp3Cv{W!osAc;6?^Su_a0CgkUV&aPBYW7_M(-mmvV#uLbri!`sM zn!FokWI0z_`h2`eNt$Tly499M)KwHbkr4mpjg-!k0TxQ93~fp^x667#mjw_x7hN=$ zGy0KDWH-XS_mOcs6R(0ecfH)k{V0K|ixlaznON-U2MN}Mg@4~ZuIlnKUB$U~*z=89 zesW2%lIILC&n3x9x2CS92_25n(Zpa9kJa>er6lv!2g_jDx{JdK&^ zbiP$vyw!>Cc4m7tbyf)M(J7N6D1|#o19u!C1A@@mj<%dsagO-QC9G>yfHN}W^M0Ye z6*|l98)K}YK*RN&G#t4FgCWyhr$61&!vp=4s{*$Xn=GOvO^z8VS1GqaY$Um7U+6cr z3)=qn#S~W%_9F=kDUnBY+uc`A9oPdFT9P=)%5VE5(uoqEmt7)dg)__uF;7VeX{aHS z+q6X9`3?+6#NZ173!6~%a*%*YtM6Th84gKtRrVcfPrzEVAH7Agj8}=SrHCDNOdxAb z+STKm0Kfv&>?v9nuESi5y{RHz_5%N=-yogJ#->)bw8z}CR_b+(BOmRv_M3h;#Tl1% zzmy2ANNY>XvP~*1CMtN<6&gOFpdt-r+G6XyEx0hj;h370Rb-c*$Br*Fw5~#N71i5O zFkZeHd~3DX`>VC$2hb^PY+nr_oSixdas>{Q8c=4YiMKDB<=fD6x7ot7e@tcsNoMwa z?vYm0bIj-3udpKwy_I%r`m*QEyB!>W;Ew~mN9|$9Luw!eBz>zyIe}t1!>8$VwZsq$>|C5^t>`Q<#6^nK} ziu%y1!y0MQAwjr^-W;9L6{W2^RF!r^_Xgg)(nNWeFBOYf$OSD8j$aEM2B3p=`=K=$ zjxv&+DC}E-ReLA6&YrO*FTXio7rxRTiPfDGrft^?6xOMw<*@9cJ^0{@bGD#3>g6LK z`6HxW;iX&ALkZb6X%biL<1En!$hQUN@_@vW$tAw)qs;7YDY=&($i{J>yCKaYq=L7X)K{6wUR_Sv zI-n8&5p=n;Y#y;JuJ#FB7%o_Y-rZ`FH2N0>7@I6{zLGkQ|<01~$ zI0OEek**G?3B|GXF5x-k6&as-SxwLtptiM6+y0YCtG@fQ61uf^L%T%J@3H7r%fBrna?>* zo-mbbf1CMPLMcMUwnJsa72d>cl}+;soG*Lwn7!cg1FlwEy?6!tG2bt0<~lgZhgzo! zDZb#4?5bk+k=;{@!FPin3A4dm@V(RyOxG1ALE)_-=B88hxmd(= zwpZ(vA!Ppk`0OEgNyn?5E!hmwM)v3vnesnw$iRL;vcJD8%RLx2!z(~#7kuIATfJos zXm{yrW^47687`q*CF_;bn{Cm1KvQNIOh}zo5M4O-LHsoi{@3rxjgJ2S?3Yau7MNNN z$UFj6))nqFtQjV3?J375n7Kmf6Q_?8aa-V}{Y&Izq)Le-z32~KQl6uAmwOV1UXjPd z5zrWk%s>!+Z9>rZU6xXO-&DP|h^@Hyrp~$fWPV!Ne(ntgb5o7yP31jvuW)xad&-QStXCN+7Xi0|>B|Hddu?f9SNcTdYy;C5HUVsa!28xAyQROXCVDME8oB zlHoPoF@G6Qv?|&@-y`kiv^b&W& zNhYQL`b?JpfIz&tjOPw9Q}?0fOHkL$$z8fHJlcf`xO)(kxMzXyTxsn!$`X4cq3(FHUKG#D5>8@r znikbkF8E1PY`(T}A+&iaG~R10un8@@6nXb$J8JJYimju$b6d`i%T^-=fH)B#7RQ^m zWyizo;a?^V=ZE)kDz5?oH$8#4gh{d?Mgsvm)~vE5ZI=Z44z`DZdESKXI!_+@W8@u+ zUF7-r#Sr^k&Om89T|Z@M+>^6>$}m_XrJPQ@e=vcjR>9J6}1dFB+bRMpAyx zXz0Q$N;^alsL|fZewF?Py~pkN3Hq?)ipOcJ_i*k9h|q-)y809!?ZAzMMhEKe&MXJD2|0}Wl|;h#7&zCJLsv#YYc-BZY`sM)91i9 z3QcuAjn z+$OS8TEjd^*lAjZUv&c!?<(q7oM^m7D;$u3mV}&!lFdUK=vj<N~`Umr}03GCSUWia=Q1An{r#o zeOEHQ{Q-R`uj{t|`^bf3RyXfntI*oB+0u6B^M)?n%ymZ2_8rD0%C$}nF)f$3_M~%k zNQZKD7}p*vGT7ap8gmdHslp^0jkg%;^7o=zD^9oGCW-BA@XP7gkVHx#D0CLJW=k56F3& zPzDhhI7R%1pdFbRx^rvXNAps?#$}SZSe|J^c|eUO7Ty%m`f~&|oAjd>u56}wR#C{S z?j!pt^ywaN`PRL2q3GLSvmf$IeQSMf5RGyc)hh#9hl{I^`vG*O60p8~WVF}y0MdS{ zQd9wGZUKIZ2q#)Vz7xj-O%$f?K?Z)HlokIBfC-H{WNBA=RCSnt@Bt#b)lMpcd8c3I zg)D`Eh_4c3`~Ao2E7h0UT6iG2=7*PiuQ0fT)H#6*;pz%ynh4UESB{G22Rud@`Hgq8 z1w(>@Phs<+)`1bk>d8yyF=-bb^MEUv)i$0E|594ULL!`%%s~Q;%XJicZHtRkG`X{x z%98iImc3@pI3>W1rJ9#pCYsbspXAdPW4wa}Kn8^rQnc;y0Z&`~Hc#Px#UG5c3wFrM zH_&z?G0LR6+qBzpzsy7SaXrWhfWN{t+jC6^LgnMWlZeJK!-Br__$UW6qY**}^C&R> zgMqYFHg&=hA5zpQ{&uqRgUy$qZ)+xnKO^S?Iwn4AGD*-nQK!r77e$<8B9A^-BzHyHv`zP2yMZwL+y$Iif z_OXPULzciUdG#iH%x+o7jnJGF~w*o z|Dz%NoWUE7q7h9uLxV$|vW&XO`(+#Atos*e#H;U6YQ38Ja@0dlyervKB4^o z)P4#7)P7QgtF%!7C++P1Ipm9Ja$Ku>vK(xH1uMH{1i&}edY3I>bTQzOgt82^#> zF~25Fx}s)Yvu*<{BLgcv*T?P?5aSz99x~uKj22O#{RhhS(-P{T0g5J8Lfz$9(;t)v zHMtMyTb^on4^5eVA)y&)k&b!$(-T)Nojz2bubVUCfkenff*{FU;O+8oY;!8Jh|vYLxgy%b2MX?kzMNvskbY%Jl zC?kUFwNHs9EAs$S)XwYwz6Rbo*D#WiUy}fra0AaTz=LD$7dkh+ng#AS+GUxgCCad4 z%f;rY8B+EpMrJ*cqxecC^~#YyLzay4wK_pe?tVP$I>Y8E>Hh0OnR>9_*Q^E()xhWp zEryc(Nik(t(%EE{e-_EID+JC6+!oyE=g^(i_zZ?o52}N_ZuMy_eguJ^aRaztVF;1_ z#$h<}H7ZAnFl+Xdv^9A%$J-MwcZN@&KepZ0lq!SpHuE=As4^$Uwuq;$EqkIme!1

A#R}|HH!;&C6YM0RNx!_CAb968ASoBQ%=j_Y zxMWJP^R>;_2Swf2i39Pwg3afNO|{_DwRm7;OmY~TBGy{?-ieW=Rck*^|E90^UlPmF zQ-!lZ99@!pW$psCz|hCKfu{VcB?V1;k!!7}9m4u|ZyU6unK7x;9W{LMU2_{)B+m$( zh01GJS{FzOE<>9C{vDG={2h?I`ZcXPob7}UcmRj9iYw+I`OJlf6!b(y)DCaE-Sk}R z9yugd>A+N%Mf3p}rGW<)wo+F`swK>tj@lL8dF#-1*Rzv(>;$i~84vlU#>MN1E_;tx z=W?R-#{Pyxn{kl_JdL)i%)eF~yyk~|KDjzJRKR=k_;`r44AmgT*PWkPwU#atG41Bb zSZT$Me>?qd{gf`2irV<eCgR!03dK^H*=R;0{fiu%%v}>1fdQxYw^b-f9u-{Zf6>79=tqg zu(QEhN8DrqoE1Bc9Zow3is#zmQLP6X4C)u&nb5(TqDrzDCvB;ygime;A_dz zA^C+&YkN^4y!Tai$s-v0^$*|)bN(Vn|#Yq#|3TmCAFsox2N+t!=AgIE&tWa%saN@HE+Zs z82S)5XV=3_@*MYt`Rf4i`0?dU=aGW_FfB3mdSuFJ{&tDc?vvHIyLq>7Gsw$wxS?e| zB>4U`^m+HNn)_*(7rP)f({KG@?GOSJ==QVdb`>*U^m#3*)q%0S-M+M5PNW$*cla0& z3cV{2^}3IchDFTf3cFc{7QpjnnXkGYPyUO!HxGyMfB%LPl092?itI8}LKva!g;G*7 zmZZ(TGc&U9Yl>`xgd#%O8Z-8_D6(Z4jC~tpn_J$myo?t^uf`C8jkB;8lOD(XPY}B&grmC#Xs6oR;O!!u_v`)9W}UBGJX6=qD=8A})g=@7&7n^mm*P8-c>ndY zQih6Ab<$X$m+%Je2}BO{qR)@Iq$NU*+Y#c5ky1$_T!vjKPZ2rXP=Nb zkDU9wfx#H158Nz%^1W_aST&~>8;2fWn{n1C=orHJP)cp{ge-dnp6gS|owf%*{oKBV z{7QK*u6Il0;kokp_286&Tg_QJIif}!2%bg8?>HT@_hO*#p_X=uU*h9+wX&q^_1U7J zxV3;}x|Mh#sA%t~B9igPc*)C*8%D)F0eo1!uR3x*$@@)s$IqNd3cH}e453-67_2HU zi!+oOUHM)=k9|E`e^K^xcb; z(P!zkvl*^0B_Sg9Dd45vY(uMisGNbi*y(ofj!aw!S)QYGM?1-j(0E=xww`#!%BW_G zr7^X*lh=Fjvqj1}QP*e?#Spk+Y4@FYdj4G!QYchBYE~9!KE8irZEh)K3NK0;{XDQi z;EsLVh2Y!#;Gy1v=4$kXMV5Dj4%TZ@T`ZdedP)F z*323!duFf&UAg#ENu1vaaPodK%<~G2IDPPn#}7K5VmlMah)x1w$aY#4NOc%#&)xC-QZP5@Jt0llKR9PPc~0Z7V~r?K!-;xedPccenc6f zRx3J=Z-yH>e`ucgB-S!uYygsixq;hk-5 z>Stf(EOm_bu9S89bA7q-LWcW0Z9bNleYSDojbz6psHnJ(dSqJ7(y!je9)tCPK^mHg z{LuQX7)%@mu-Tuq6x!P#)M4f=;yCa9ySSH8rpUJmuwqn;KC)N^Dv^h2# zm6;fC%WiI+PSAKd_9)!$?Ojc!+Sh9}>dYAxSYego_iqn>?a|Abj|B#l>I@@F3sM}6 zs-0faSDijUIvw(_7`+n&t_2w$9O$irc#tmV@Lg*@J->A@6F^#_4kfv;fEL#D~8U|EM8G&56y7k%P(jGT76eu95CUoO)ZA zDf06S;i^jCaQDF&`j2p1d-yemHuq3RvsUUd6FwGNhT1>*fUoqavg!$->)uJAJMa_3 zWPEc?fEZ3Zq!y;aW;pkL46{Vu7cRXP`x%=Yk0qB5#ncs$dTI$WcjU_Mcwybbtw$zy zK4{A1Df2#jiwbzC=YJz0*PfJb>SLC%>pR_f@MFi(emXe_>}k=|RNUyLJXZ-9McaDV z=`7W+UVSsbEECvMDX2Ctm-8VYIVs*7c%B8L2Ii$lRL1da+9CID9C0TKU`jN9N#V+q z4@-^{4tdKJl}Qp&oSXM8jNQg6yH9=W9N#N3g*Q+}0APTV`Yz|lhqKUa67MZuP&{P9>Woo5FhrF`VM3|1pG(b}+nh^K_ z7D1jMUPHMDz+@G-1t=0JFm>X1XmaOtJ61jN-F+vElcP*xm>ewW{=F0We)(n%&2?wQ znIr^l=M3$)1(Tu}EmpWdZVY7hW|mY>*1&gh2epdDp2Q2cCSxvt79Cgr^udX%QHidG zLyy@LAk8)Q7y?wd-8%&`YhBchEVoYV=Dcyo;alDl>g%aHxiaxVC<85ykC(0oumZs3 zMVfoxr8Z%Y{eZVJM@qYAK8xLXArZae`7_9(C_h^{XG<;GQOiNMTjIT6h$EzP!RNh= zzL2fC7Q?D_J=lkhC7=5uQYdC_DPp@w(7ojz#wyP<^0H`rCRh`6PKvJr%a`6#T3j=4 zYiEE3ny<{YYU5_61b2~4tCL8&0};0^wuw|lv1d6joe`XAp81hIyLf6ZB z#59-lP4d*wZHIoZmh1`k>KV_l#Nbhh*2-Z;#452R_`>ty?aVKNAo){yvh`76Leb(e z!SkuF9n{PBK!KcOx$Mle)%nkaHGb=Eq|C={;ESXKh?F49##!tgM;jqB_EwUcTq6RG z7tAgd-*uY=o{z5^6Rs0@Sm04;$Y^q7EEYifh0)}Jt?q!Yj%TN%abkBSws(Gd;$JQ}klZ8c+%zVMLMzJsw#a~J+X%9Ju2404(i zWqhRu%J|MFz!6OuTJlW9T!aLQMX}T~>PI}?<(;fjuIL=+x2(VS<`Rc{`^`e|aFzG* zJ%SWTAnUf*zG1tguHrSG-X-|Krsc$kFL{lpro(Ez{X;%Fqwgh>nNPuERdv^yna9H3 zzI(i#O|O$$sqsYTGm;vhQ=3NA+J~Jx?Nf#OT@f8+wLrPD5l?E%|MBFZ2Cbz}$n!d% z?(yNObhI@hU@}u4VcBInJ*bZbEbqM$azRV^3GIHkWoi1z`))a?u6WMy3_@W(^H$ed zs~wUuvpcttP2~3*K-lj)PYp*Y6lTZaI)EX@jc6r&!<#~>inXKzSOaDsf8#(bG5F@E z9SaRUgWZC)mK95NKC>qZV)?oO6h+*b4OTW=?gWIUJ1S5N_aS6~+~6Yi)hO)yd> zTDU+vg}O&=V9C~f}e!#)1~m6y}}(IjqN!OpvKOzAoASSPdkZ}&gfa;Q-d zX}pnfd^%=dP)8Ns4qksV9$J@-xAZu0yy9j2N0~@paLMSF#eQgX3(D;}7@-V%ni5v` zZVzP}vSw>I0h_&k$EJ?;+&cHc8Rf>mwy3`~thVh?b20cuEXck9`Z`_|tA{r*+8Go@(!7 zt*lLMIK%c^ndU|=!pR8%uM0PPXobrdb=GyjBeR#6y*Rk)%P0KWvPc4`c-BWKWm$hT zeCVBreCE%)T35rjY-bJaiDqs^uj+S@j5`YpwNbacnqCY0v&o-x4@h?Vd|4?^c~REB zbG$M?#hGr*J!~5*0-zX!md6cYe*vT6Az*@aPOlrv0jVpWvQtkV&II-Cv}h}+ypr-) zn&tDc?Zw{SUMF5_xF}X7zv;5R0qZ-l4VQW!Z4i0pR_HjB*a=c&9Loc_dIA4Q%HXNP zw7SYlU(sLSENX}3Q$3;62k);=Jkyb;8%Y(S0}As3{r=L+zQ7=z+UkI4n0V~2wJ0n0 zot9is&p4~qkLo{CYHnf~JFl0t`h$@lUfb$!Jx&N6rW9>yi+O}dm!&`O!X|Z9g*-iV z$YWP2;B(6Br+STqL_D3 z&Y~jxStk8(aVzFuTj#sGc3R>gT5+142U=?bU)OS{N+4*9ZM)F(6FAG9;>EVKiZhyPWJe>$k$FVgHj%E5B znO#V@ew3j>>|hM7fA6Ul#K zKus-_`7@*NTn9Xe+(PB1l6Qy;Z3H3d$)Fgmj+P~r5W8QSU3^})94#s7RuQCmPF(7o zN{|aM9z}cO`7mM7$W*9`5e<#zf{H0~adj+FHDHRx8bqvy(}n$H%ro^%8`3);?N!eGR^r&JSS8|CoyO*-5WFTSeo#rn~Rp9exI#Dw+XE z7cImH5BjWK5l>bBEUW=sxaVtvKm9v-a%qdB!`2LODjW}hWwU0nt{M(Oaoz<}vFU=P zTME%jA(m@_ssH4Ka*t1Cuzn`k91B&rrEVR`tR6MlDMcsr|S^P{0WIKn>7oS#x(~s-L z+IV4WXJ6|z&Qe|lB2a0SS}yqNR%F91?0T7s^jO~0Dg23bw=x)2=s3vCM;!IUsB2UG zYa_c!x<9b-+H_|K>*Ec|MP(*_>_u=%Hn3|5x|lB?v<)%AMc*q^?2$E!kKB8)`F{)c znZQ%UPuYry&u8XS=ip!1K||!NCVpG@Hq+3{b8xdbiRPcliq{lOdIFA8Ep>%eCa5q( zikrP(VCy))N^iPVX0%$N{HyRKS@XNJ&rY)c?c@lok_w(728BBj;?bM>f9Svl0yv$A zaNnB?$Gx7P1j?qZdPZ=QIY;A4!jWHx%(f+n=nJlJzu)yld5Yxi-sR%CZXFMkTZN%E zpVw_T zM-lp0AmmM|=V1#cJOvzy+nA_h9w-0?B7(XB48-VrXO25?bH8P08jrl29*ZYRVh2rn zox;X@;*k|*15wf0LIWHhJx8Y?tcZuWyDhqP($?IWcx5*c@Mg?BODwRNd_h+h&^zX2 zs$F|}GE_Vod+7g7NL;d>?%qNCioo$s8ue<~`+&cZjBLsWaiq*TNEv5E3 zo6(wZqVpQaU}B#>YJj(L5b|*CN);#Fk4hI>y zklVPfa^k3?LS9b}f(3Xzq;1Co<;5Zg9>()SZ0M+Sg3;n}!3+@o)^Dk*{U{-)u#K$V z2y0JZjJBKhgLAyuO}PhHtgSCqE2!D_$S}_2F=JxBE{*&2OBi?wdsQzz*pI;OL@&kp z{YGC&zx5W@lNc;ywG0mW^m1LWGiQzQ;aAa32>pS7CMJ0@x_qqro997L@;kpV{U~_) zvrzL#92-S)XP9QsCwA2V@$%L6Wc42JWz!pxYkJu?PfowX{>%-(NBH~zQ6>O>m7Vfx zaaOqM70^1F%&Dzw|Ll?3ve0H?XQ&*3@Rf09Nc||vsP+`l8e&IA<>$_qf_z~KCraoB zQjQrMot8C_Haf!()S--bH&JnG4$hl6cQ>S}%w)mS-umI&ZU`tx%iZRX!b zxOZmWTZ3#`w}sg*PDDEUqhf^*9tY0G5xyEl28v?dJ?fMMCOJ^efyc|4Lw3UfDAfVd zV`~K_8Y5lQi)->`UD+xpMrz&bTuJcv?l(SXtJ|Sxu1zVyxH#Gud#{_tw$M9^%$r=E ze7OB)DQUZj88eD_(&)Ztl^?dEn^$;M%R#on?0L10aVrCB(tr~MDe-Wx**)g0sg6k; zK6Y|-<5JJ1vyWYJ$hkw6b36xwjaSfjqMz+|mnvVP4eNT8;+^@CV@SiUj=)mS{p$$= zJ+9rR*e$j-vT2AC24ScayA+Ygh&cb^uKL1omoM=n?jUsq4Epk9e91 z&d48lkaN5SUbbc zo7$oZXOKqBmO?LX9Sh;xi1Un0O6izTwc^I!2Zp$v<$9<&Q!`Igw8D_}Lz!~37_zi1 zT|ZDeB}$q6k^u3;FK}W)^?HX|KEDk*U{oVdy_$;Hi!bkO>o&J5OHF3>>H^re*^3Qt zUsUe7X`k#CLMPqYF1)yXlb>?$o|O@LFlNgp!HgIA9&HS*2AdID@g48u)we4+h+5Au zQ}G`!CAAjGK3cXWt~y!sv^#v&8J4d0R}HocIZc{CRTRMTD!PIQYYqX4H6TY`r4O;d z4ZH!8AA=i&G$3y)+Yg}~0T<38jv?bbTi|x_j`NI?-w6y!YOGi>zx1e&s}mse*xYPJ zC**s#C6c)Sy2%oAYdoz6VjrSYAeF)grU4*<`n!BOEwEaIPW=KN4)AM*3Tm`=iqM^=HrZlx9((tjLDtu(;}oh@wRd|=ar|pSl`>U=-DL7kcwUkx}d|Vk~e+4pJ2u;O1vB^zgv_gpq?jmR^%>f_it5}CHBcUZO%VZNEvd2@3N zeQglEb;Trrak~20BUxS)3$tx3uDxWZiDC!U!w_yRnXhVw=wbW;ax}#sZrO4p5wU?o z9?tA;lBh?!hwm`jP4JyI<@Oq{vDcCg0)zXH&0)O*J8yn9{2cJ=;`P#+<=p!ecPbKq z)$(zbR~^h+IQ0mLU$$s4rJ*N}7%-i?Bh=ZYo;M9sg9om6^bx=GR66Nk79pN@;@;t% zp&w^R;;=ttZb(kg+&LdDg-pE`fohkB=e{_7gPuZMr5d71gc5PeRy1&*uQrt%bFg+a ziSHi>!TV##t7zDGZriC<)PlW|H&5#W?ilk6N}?V)=W?iHspB))52&~E8uMon&jqq> z$cVeQ|3Q_BPgeaI{rv+1@!TQ>Jz={Am9=sy+@iw@ll)bqhFX%3g|cX>OszfeYA^HL zH+=yKSpz%jYe?A3d&_Oz>b_^Vhm3*>MS}{PPt5+a)o8PGu)k-;b^Ojg2TooR?hPbs z9h>7zIQ1dUGVc;+rG3d0+kGJycm1^|Kxr>d0+%;(3jyU{H8OfheiTm^E0D_ecmE$u zsqD{-(Yl$UDNUnh%wK*5_D?RyjAJ(+r(WTw)&3^GvGb+0D(bTS&J&EV`vcC2CjL8K z_r>Y�k-akt$THN2GW}+s5)b2$ePwI~gxt)ER>hlpKMj5-7xnu`b$6m9aVf9?J-p z9yz;~a{B@xrV5rH%341+dD+1-Xi{eE#Z90=0hn~2{A6R}b@+)dJ7V8-+gnt5w^mYuSZHFW(DbW9 ze1JGA$%(ppG$T6rA7bag^EDeg9gEH>+aBwyNd2|VW3!^wLCKxTx^Y$wuZ7i;x4ro) z^Mya1NW*VgzOC)KdF!n*N&4K+N5Cn4V4dse1}KAP3CyN-6Lp?=GzD9?;`u=n<%C|9 z_WJoU?PH01JN@ixT+}{253k+zEtbb!a*w`jUs7@`0`or4!*|QzZmVt*80Pn5gkIQx7Yg8X=>Y;w#Mv6qPobGWf9|vtq!jZ%)E)W`Y=jaz_)phUy?> z>`FF>s$zgv#j>1Es+bCx4)hG-qatyAYM5kdKlMAVNhcI%a>W`{**CgV#*-@=eNP=Y z@sXk^aU|FK`DR)@W_m!9<8UZ0{fh4f!dWIt|mI*sO2@I*J-a zZfYlpc#8}yJBGM{%~s-a0|k6zxIP?AhC?MVh$GUF_)&{^&NMQRhdPfh8#+LYYE$(f z)L1Ac(^odF?`dKUCzF!&xdVq~J6RHt_Nf6Cgo`8|X@LOw6aPaa3FLS5)Dw_D^UL|< z)Wjg6t=VCiav?!UcZjk&`4 zb}k}6lq&VY4q9+=+x)!l`lN!g0Sl@AyRY>HFKA_Gu!RdjPkb^I(lJ|JGOzc{?T&pn zt5h!4$Vs^> z%bv!Y37c{7Q2r=za}WuqBPtGo8a&mmKJ`dUexm(Jh{h&PkmI8i$)^f+-mgUnCIBPg z&GC=qo@OC0VvaJXXvbA*hrf@~;5~*@kuT=F)LR{IIG!d1-x9lXXAkcy3#r)x)**mG zzkK$sH1nGMn7-7%}Qu7)n#eo6Nx$d}n`(4;J+{!DrKfx4iw{m%zO-Dl4&EK_B zTkmARm7=`k0PdA`9S{ISQ1+!m$j>C0sm_`*&f4+K1ll$!E!$sQM84p-!q&0KR`1Ba z=d7g|v&5ocu`~rMM+sqv*E7%fn-R}jBwTRVzhP9`Llg7(F9pP!F9+if+ja*g zPysuhM`2SWz zo(?bUZ<5C6!w^h&2UO#Y~PxE6)dU)<>Pkb2FC3= zcXQ7T3+fE?DBflQ4*k4y)!K056E%MNf4hikjXg&0{a-Jl9S>JL|{)yf_oB7MF@7Ml0Ot=sEYA=tU znAoa$pTTd7Zsl|1D$Swy;-S+jA zb<+~fMedcxqaAs^Z>768m)hoP#?vmD-kwZcU7gEg|fNke-i=S9ejOa zQnI{-+Pnb}Wpx{q--P(LyAde5(IxO6L`V7Yg_|RsCYGZa|lcn@!0o&zpx4{|2(>w4$##mGSCMw{CLb#2@XY;hs()Re7_T2Oowzj zg2jTtRJ>`(Qpn(LE`KF)gLfiZtcE50h#&BxZT$E7V|z;iDygx#b>n zxK|Lai7+U$oeO#onJ0~gP;h9{aHaT;ntZ%gr+7ppF&*yrlMINA-{@_hv%xkRnSRxz zP|6g8dlEHI0HUJXb=&wZ*8N;VzR|www!H0 zd=IyKc4szlVYdSxQDNF#9&VvG3E=OW+H?T_4^Sn=8-g6Sc#(9jOVHqCPNg=D0j8Ks z;nk%}&)c#2CbuK%?7thgNgvdjT}0BkBxeM+;`BI=uUU3Tdu56-ePX)K(#YJ#9O5n8 z$#XhF@zyhf%)YbjP3tVxqL#gO{d{=jntoUQF?p4?vQSz0Ou zR%&+iZrz%_Vy7#Z@a&3d|AO-+fDR7OJD1JymtQiDY!*%#n5F#qEZQ>%?0p0$GHU*y zopWT1>x1pp>HAdQtS9mndb0^Sh$i~FYHaeI$ zifKrr1Nejt9_5d~Lh+nUMNnGkwu0KGeCNwQ`x~_zM3fe#8NFsW)sDXcKJ%-M;u7!( zdB5tEyZ&ogkROyT@*;!I@irH)i>cl#BRkRMTc>@XPCD(>h|pV&or%HRyY`h_vo}hc z6J=Yf&#bHID)ehi7Z98jG`e)4)Z8H^+@}L)aMk5AfyHy#D$*R}63~$R$?9*>)n zRYuXuEv0%VORv`pIf~xsu^6425AKR%t@=!kvPp-xOGDoL0b4` z=vp!uw29Uku7;F%QW#F6+q2H>M=-o-`Tpz9_CbcbIdx}eBqVM7r1o{VZ z+sGf5c5pucacednR^su#0z01-XhRBN|#cS-B8Tt8zxbXFQO z{g5g|;)2KK-EMM$Z0p(I5(yD$6w48dH2;Qbb4vBO+gs&!^hgUT?f>fVTZn7h0*vrO z4U&sGm(VU6!1sIkhf+-kqgwvEsc+v`Vf!Fr z#Wb83Df+37qym80U_!W+P_>tAS^P%p$&ZoMJ&yQED8tt5Z~Hu;vsY1AI`=<|$uC}8+4 zFmGryc&ovaT>OpZL%Z3k;@YL%T5G6!d-v-kl9f&WPu{HZYdIk^g5%Q%*wJ4a0uZyd zl}l%SMOQGD7|vQL7XSvn6M%s)x%ppOcOdIxU!N=c`}rWC@&&AnrnkhV>|JfO9KKsN zC)7Z6&-NYvjA2;l(g4aKA?$}2BY-0vM=*{EQ{E4X?iYRYaId$+W^|D}UqzUK{Ky9sr3-!&F{bGAdKx z^)7dbCES5uyA@wnN0sokQ(_fp4x$N;rhO5Ez{*ZdCNcNdZZSL*?Z9^Q>_VE_ioE$)>02;g~`uk(eSd; zWB!UMFCtO%6QdBJ2dUCKJZRo}RKG~SBZI)pL!0Zx%dDfk}jvp9YXy!~BUhgs5aYi23r8DWj+jH*Nvf2^!k&J9VU$$y5k zXAXD>z}D5`yvCc~B|t82e=O;06peSH4$4lV0X~7__R%h>@+NgLnL4#X2%!?p zmmu@OTn(tiAO!X8R0e{)j-l+igV8@^wjZ9K51f7H)!E>lIED_0YN3CiAm99xDL6dR zi(KUa?7D?t_|zUrLV^UP2GkbMT{RIzsDGDf zFI7QTm`GWFGrSh~E9$?`NUfiEPbI+3E+{iu5U`$T%O`%~6O*n@C|@mKeCv+j(9q$m zT6?^Y#E1qGG-~(-byIFS>@bxil2`IA6MWV;G~$yX_#)kLw-%e|1kSkabDX%Jkni_3 zw5aia?qSsVH(7uD)n}=;=t9{CdCGR!#jg%|m0A;@&$m`s&U*r?C;<6>pEh!S*u`|t z@!IS?fLE_;zd1Bk(wXbT^ibdCMvA>OAj+J0OO)8;s$M2a^M6=Cc8-IT_i}g0?;#J7 z%p?>K304vE>yijll+5+F+@bEeV88s&wljYnUxUZLGj(G!v|O$}M9#01QVO>N04Kd` z!26VyPC3UjdCC%YfDJF#eiNTP#}#H6imU?W06^!|y2$fPznpU2JDT*_)G64?q9@G8 zNBN90-s(-1wH*4ZQ$qd~2T*#ZrD=Co2Fn%9wsi0gGF?B%G&O3$(wT_dN!Gcf1Xv56 z3A{~=v})#(LVXrxYv4=kLX&=7&M_yr&ht~bZB{Q<+C?pS{~W0_4Rs>_c2$sO=dxcm zd@gF-s`YQ>wh9GnSYHFy)^^$3x40Gng~q^YVPUmz=n0Li`yZuS!#~IWZ>8HmX8nkE z!USk8gV>)4U*O*>ez=4^EcQ+4OwH5L&X}nI@&Lcx^)|T&FHMRGY{q?!`wTi;5HH-F zKXE1yNh2aY%&460>2y&(QM8oabKKXh3#vJdacN!9Zb&y&RlHpk!w%5grzJd`WC4Rs z!>Q?%je5i7y;7twtzDGX=7Q{^Z;O)PwZAi?$kY7rnd*R>^(BMsfnM&iKu^FuZV3PP zT>!e+Qv4&pgX*ei3M{Rs36+_%f%8`u$)+aHlQ9P_9V>|1MDvbdHA?W_70SU9e`VUY zx+VUvQxIIl03i)W03Xe+ka4h}pdE^g+~Y$j)DHYS>&MT6LbdlSIN|S}ZQ1|?BmL1< zlXXeRo+fo=w?_t11ew;1Rv*EVr+9tXuw&FfLCP1oUR+T)o0Kz32K(GKL<&6}Vv zHo1YnmlNBr+s!?kb2}CLwpg0>3tPO5?3Mi zP88rJHS4#O$^h%mVyd1s0A>N(?KwxlrdWB_xN|moPON1#a?9;eVohadrv10#3$u4b zNY-kAnSpaji&0%6I0@o1b@}K0^vXaYLxW4Jn&U>`2>V&UmoQG2bWEP@Tw)*K+fd(= zET{@nWF1zXPm#hbS$D}Akv;Xr*=GQ2@Tu}nJCHrtJQQI6b29HNT>_13F-y5hGbPpdqvJ3o|@^?cBNr>6TNGtC;!rzKMCvlZLspsTdAVNj)sX-|aC zx$Zqo`M*+hYlyTxc8O}&1=?*2@;$8^GfVSN>%EjqG>V)JxY*fD1KzHf%H2=Qemq@k z{5ho)??J7hW3~-3aw-A&3E{RqQQu6bwuL+ZFl|f*Mz|Cur(e6MSZu1bm^32e{w=s^t%riWNBZJXG;XW&&3LmDPM!?F`VVw z+;Cb8iAkN@@4N1tv`2ZblYtwM%xL#+?F<_@eOFi5(uP+==ah4s)O6C`UR}TM@2)qP z68<3>pWx%QD^lBUnNN8DG(nCF5aTDuw6x3d3$C%9=!Iii049*sj8( zx|u4IEM)3aWxJ00lufkCSw3z=i@=ua(atvvoV>6y;f}rnEW~TOPhsw8va~H!7y&fH z_e~ylh%q^k-3gRdQ^0{dB^U;*z`n?#CT6Hwf$ujyc{=J2bRCkx-uzu?TV2=paceLz zh(R|)@G>F6hhz+uJVe5wLxK*roqumnly;TfJ{oEa*_i@`z$TJ)ik^ddZE)6*^KCFNmG8)|E>HQy=#u4JP`9?5QGpha$OwEmhIavU5`dJy8Fw5X0m$=s8}Kxh5>Kqxx)SoeH@$PQ z%zsAZ?8oqQ&U-l?N}Ox{>@M5${ZdCK0Z$sc4N-pgjQ!r$nyeJ)iX_fwHaYV8?8fuN zlZcM)Yb`^*$S`h1Ipj-)V>Z~5}C&nAq>(U;j7upP7TmaRnrPPSCScYXa^}Z`e zm_Tn+%5lGy!-_xdk3Q{wBME3Xn*x*76?J#g7p{v*q6D1^BX9qef6;bd7}8oIF!UX^ zcI+kzoewO+UY-26!vv>yT!ZG%$1=qBUYt%)Q3foSDL_OakMy&FIyOSIU#=X$dt`kF zeDx=vammEhC@!)aIoC-~`xR#h6|RZ%cMc5wxlqyWqnT)^R)-V%TaEL|NcW7CbA^yyfAGo!0K*0zaRvn7{cP}i)4vMv${&u`^E4-GE8xan#|%HA z3*yy(3uHfDC;>(??ykMB6&vbqOEnOPbEA}+(plXEB3HMI^h>9ITqXfmsJB;y!O-Ly z;djVJ# zSEWN&aZ^S*fwj)9pr|f|@=Rm))wg$5uQc~Tskwd9?x5AjQ zsLo6MCn?vPBP}~cMQjq~V2FIax>#8!4&}OZLJrLP@uDU1B|ecIE!4I$WBBrFWNzl> z-g%9=VRe#JZ6(@QysAKi%RRm(BMSlrFR(a3411=I_t+g^XT*kZ!SO?Sca!s8H5XxQo)yK zLAKhx&r`vcQYCvT7Vk@Gl`p!cz-CR60zg$#@=mBrSC2}(!06Pfc@=0d00@d~QO-pIl*>7J z0nY%Q&LXRyCZPwm_u%?&kt5kuAR$sQg1b_?F7s`k`&IF&BJtTjoo?wqcSGpzII`1b z0Q?eG`_B^0MPRywCwVW?VQFb#Qy41wSIHeU+}Nlf7 zXAbmc0SL)qk(Q{IFEGLn34Qc748z$)adugLpxS?PN5Z823{8z0_M70j*Ic5%Dp%_1 zM}89E9v3waBVJj(Jza_Ccsf=^ZcslJ{k^Ru@mCyE?@Sy(9^qQ%FN!Qf1aTq{{QXZN z^+)buh>+*6?{^uG69JW0OFpwKfH9u5vxUmpd_Mc`g6pf?qQ7EH{y$<&dwl9Y0pJ&- zMJ$LGH~l2?$87bB7WDF#xAt}u1I{EIT}HIi51z_XK!(M4DXiLk%UkD?+{?XJmtaT< zM11t@8udl$%V~{lE1dHM;;P4s!}geDJ566Gq}hYvhF|*i=3JjNEsa9%tMU%**|^!* zwkJ2w?;w*3W{~}5{OP4j5o_DKN3?iq0VsR>Q>W~MTWy@vF(2*zlSaG8kN_>f%XdZ& zvpP@-x^GxbdKA+Z925UavNu8CpbE74Z4K$86&YL(WzL+sxjO_{pmrC3WbY2Fpth(lg>j!^qY1GJ?e~&gfsB*>F0pgp%(>O&r>8G)X!|#@?Y}%)!ff?zz%mKY z(fPL<)XYY&APulL|H2P-!a7mO2m3}9EPZRbJ2BxiIRo}m=afnKIYwvk00EH%`KVWy zDj~V^lk65kwphvg=4DZJ`5Tjd)Iz`r7qM)d~U79ir^zf@h)&`c2l%Y0{j ziwSWQbwZb*GdFfb02E>3#V(a?_L-u0#VeDS?BqkF7}Qx02|i-swnDjf(-1b z=>JpDnCIwn<|720`{SR5x%OW(?@#|#c8u7B3kVHA<75--b<*wCS5A$Pp=1zs& ztglYlhy59|q@bWvU~vtSQo;pkU(4xvrpo+}8D*(J7}cbFz&asXcjZ(BP1-|O(4;;8 zGd8xs&K>jut+U6e*tVm3qb%j>D_TktN?)@td+H+4tQAivFB@B&4#UzLI2jEf0OwgS z_jE)b*@Twn9hPqh?8-L_Yy-S${?{%<(o}-`FS)<*Cjm6KeF*iG=4Xu;312H7Sl-*2 zAc{pwn9+kK^}$_&9`IFp0BgT(Ku<(a3$WqV`sMjInrG9{rLYH@}urPNdHK zsLfadHwsYYOHe2Sw(j%#i2$S6SM*O7b^5&1d&C!=$^;#z_36qYi^mWztQdWKnEcoa zIzA5hCz2+_B*uf8rlFN&I6()2qLOilX&7Nj9fk9umb=YphMY!p6Z%4kAH7^+TbJ34 z)$MrA3NApy%p$ee9&CR}yUZXaQDFx8Iv~9{qy>_=k9-0N@w;p+o_a;6_-bln8CX>Q@nYo+)a;!7yPPXNdIS2Oik1~n1zAU9VM zzQv6gximI_tzX&Oo#gL&j}`;pel1Tn)N}T&@Z3q#UF#MG{#JV2IOo+1^#J7xbX#_^ zv6$pxXoK*bejCJz*Ae%jg4U4>&t2)&Kru{dujN(dKb87O&w2vsi2XVX60R*OzdIp`623~zhE@Kp} zIgLl{o+14`8FO)~nO^#e>5mz2mkK?O6ecAwn5Hvo!mSmzMX#8+4B!kY$NhOH6CELT z?lpHE82)BZl{{GLJ%V$&zI3%bjgXAkm#{;2(OCxG&*h z4HKP2-!D_qgr^ez!-!W8W`|j>+cT#d@o4_5UmGO&=v2=H%rAkzCXmU_0?Bm+ytE)U zO*w510_Vc$j2O$@nPPui=v83VIuw8ah2a|J({g>qxr%?ur>+B5($Km5HPZqk(Th1| z%BQj{y!?#83OT%wyCoHjK3Pmu^Y*`>VdSbGwulaZjE^|-5gqus6TQ#{`W1tRHS#>% z?msLIk@u)HpUqsvfCE7MRQs3s3EcSnSNt4L%c7`%aIDp$fsFr@IlX-L;9rKBqUz3g6?S|s(ch7Nh-aT1thTkXTqjE@Pw=Dj&E{cVsdWRgvXLz1lbWbY^?3m& ze^+|ImIZjPN<9uxJ=FnRL1GNF*(%frEi8-cmD4IPKRY86dD|`p*>KAnEdGHZ1<-G6OriyAC2h2T<_#|gC{_fqMF=eMn$;-(EbZrp3bj$Fm+|OW zpnvOZm_}Gis{y@3VYP)T?HP>mPTKwC-qDW>Do-!kS)I|c^k8RH<iCQdan@CTs5cdTb7vjrnoFv3-D*joA9+Le|A#x1Q$lDJ@Vu7{$$F=_V4+g}m z0W&^6k$j5EbHZdrNNv;jXLyrAgj&IIwL*rzFhDH&q`njoJ)QjNQR2X-%1ay_z|9s? z9RW(&lP7XKm3QCS1@=VemOma~R^$I@I_M+EKUpQ4Y}%9ffX1_QT_^%9*M8i4AChvl zM=%+^xz9K>DOd0P4mr}j_QVW`wv&VToch1a3?dy4`L}!A4AvT`6f0AI74rWvgX*ID zZ;6xKnYe+$2dv-DYE*8y(5Z4ABDXJAh@0Xin?CHDnD^F6RV+m(K0lj|CY0) zAqm6JcgqUd1$a(*%>}%9l>v_5qMM#|t0fzEGvo+MO#?1i7%sDx@In71>_CpDXzO4` z|H8jRqz1(cFVnnzLc^0>c5hU1<>X5zT)L5=@=u5~Z$p#h&5csAjqseAn#TXq|F0!U zn@GCy>^2(d!ySGO48y4dif5b@Ho1NaVVS#(D>G&of3tt;9QRh-47UWp=CuUgB+*KH z(9`HB}giVOF)O0EiR4-1g2{b7mKg8$Mm7nwi1 z0XNWIj><9P$^8Jt%|acFCN7E;U$`E=VyEc({OHORCT#pu_1qKZ4u9^=?8@e_NPpqu z{CP&pn#cttScF&3ZECrUn-cFD_C%0J+U*Uy4A@Z>&9kX!s?0F$8av zl@fIwF88zcPqOh#-y(x%00e!1N!FP0$^#w^#c2nOp#=F(S1VE0JkHK*|M;Dna=)I$ z?5+jqf=2R=nENv+>r=oTPWHe>F3@DANkotQ0wBa-ffSKY1SMjWmQ)|3CDpx$qfU>} zFqsYC&m#R4lm0DvgLlTbZz^X$bgDT_*FBrS;0y4mQtrYzAOugJ%BF;uRE8F#(SoO& zy(7u@mk7j;dvdpFNzzDf><#}xtIt8fl3)0w9JS!Gy&1P@EtYk@!{|tv&G2ck!ONoK z2!_lTnBN{p$bks_lK*T=P##`IIPKQuLM=Ah@g5!uSzdQw1LSkB0Itse&tfG2p`3?3tqEsdic6)Irsg1r*FLy#!lBv)jh6ZNycHGb{Pxi zx7!w=BOLgM0y}f&-<|orWqru7y5^66sgV=nWL!ze0f_2+SmFyo!*k)WxFfdR?HXaY z1R{(p9QZeieBi`@Y{=>$lF{=VR@2F3t^iBv1Zj&N1hhV?1x7>6{^r z(u;R>0`v0a&O(B^tH0J%D4?x)$!L^qiH z;$jLQ&H`1JPO?Q+18n0_0rxscI?jgeE*RKKsXDnpVTYNueIa`**p$>4ArY%kH3;Hh zLHtS+Ou^PWDscr>l_KIWkpm{F( z@a5|@<6Nd^f1XEJBF6&y-P_R}3Mq zPCkWU{?)<^F7j<{)u{C)@35>Gr6u94x%dE|sVI<#xg0N(*hZJkLC+UM*|0*(XZNpa zQ!1tGHhJEe)>mdfTu~ZzePC)gm~eWCo-UX`UlO~dNE;Dw(~ZB2&)Q$B{7-Dg@}VI% zK>9C+5v2t%j2dKy(V{TyKdD326V$rMgMK@BQIFghdUxui_ESKw7-Uzt%VY`64K5na z=?Y%23jYlppQ}~aoW>Jm7pAX&>qA+A@mcq?V1PnbA#veqLPglTS-+SBlgY)mcm7`` z7oDpL;$Sky_G--mtLJ50pGa|!=`4gxRf_=&_#^iP<}W2^+O7Yj1l>Hi^*)nb=HY$h zBRuU@^4P(wi4cmq0b=l&8H;~`)gdVXaF~OeSjbC zVg2!ifxEs8S!biwB0`oP@pm)>s@vXH+i#9j@@58k&zq6A$uuFLr3{_q^1;!1x0P@u z+_LSWFDdm+e)*T^bFw8H(lh#2M7}XzE_PzQt?i66g8i^*b77{z=4ShBjo?TX9SjO1{2hH|xg`^-ttSOa)gF8Q0DSydeT ziwSq&qc>~$6bPjkdf7T&+F$Cy z8JEY`!7qB2dQO13v!<&}cuu{s@OP+5S!ZXXo?7Dq+VHnx+r*x70~v%i=OAq8)8?91 z;0LjzhA@@RiVLwO+`lFcd$Ij00+<)*B^W8xopPEhiSNyInY?zn@fG$&%lDIKr*8n| z<}=!B@Ka`E@d(HmPRLWQK#F$hoM$Xc6^-#=>dVVj3MQh_QpsyT^4Iy=Y^g#G7iYaX zeHZJ@P`jx<_MLk|AA8EjJX$wnXkA*xTFPziZ&!(tSD{RCK-mkl-0w!~ej!^96**y@ zM|Vgn*f$npFX{rmM%I`TZm_=UOpVUC9K!O9EX=={H`fTn_yC7$pqCN zuliShd@`AmAJ_5usb5B4)MsIKmo@^ycuoRm@ME<Eyx-k8W}PVNP~B<%$)fqyI9TGGHsI+PjY}g zW9Rn1HL2NfxUrQUNT|w(?@x2*i@8j^+jIx>&jniJXKVs@83Rd~-B^t}>6I!*AHn-4 zXmZ1uLx5HtB%DD=|L(ZKI=fzhiS5p4?m5S=EIc)7%CIuP%UKnE2N8SX6Y27UI`5KoWTt_{EEbF|&S1XK8J|0}*1Kl<)MQ<5076TNEI+L{n+ zI~9td-A|t(elGw+qmi0}5esJG=r10ZlqLo!;ceh?@$PZxK9gG1qws(*x@EcX${P^_ z2Oga-49e!VZ9X+DFEWqJE%+8WG_Z#QmQyzrCzIarxHAK~{Tk!Ag>5hYl7%$GV4Sum+^bL={~z+vtKKBp4G zPM+mGFpa&Mt0bIqR_0>+>}Mc=yf86e9EqFq1QWOQ@_=!Q%YSP+Py9>M3Cus?rf2Y= z)vqfu^z1ax#txQX=8;=A#BNbPWo3K9i*x#9wGuD@<${*;DS3OQWJ>c@VSnV=sitCM z9y`Hz4MrNf(<`=1({Uu#o22ul$WVjd0_SDJA59h}Gz#$a2vTO0*X;~x=t*}=|T+-Qd%~t|0)|9?uQTV3pEa&{08=T`cSI3sV zdRm*W&^*!6q8hfw%D_Muc=M${8Q5-^hCe1yL5_{g9gFB`h zKVaXP=$x@1r$$7fn?s{?=rhbA44`uZua6}8;pVZE9&4PkxlI~sctRTMI(d*|bO>7$ zKdcpZ29k?WyIV6(%Cy_fa|G$N@T&#)t1N9JMhz@Iz7A%-Tm!^C&1PL zq+JV-rfQ&e!sj=@xF1b1vX?xKp-CyEuAKID*E%M$0-Xn`{(ArwXj=#*hWkTzD9%fh>bZiiSuYs=0hfWf2s@Lsekdm;_Sr7;<^t0@Kn!Opwo$0}3`y@a=b&9oQ` zb^N92*?x;lokLlssUmiqXQAle#D{Op(`ygj?%THdm3I@ne%DtU|JuD5o(-3&r(i*! zm3tH=QDeNM#9;G-5zulESteqip3J$f3ACuFl7tw5agN^1Mx-Go?fe8ThtZOLBRGtD~f}+$##ehQMVDQ;-1{n;3|9muh%;vOb*ze0!g(+V6g4feid0HBU^|_%GY; z&7yOH5`{#7#j}tpRS-@)Z;$zhv+M3(8Tm^_Ig_!L53ds^{fYm_`!0kItPKC=#SRTH z@Z0;(= zX@l?P7qtYEAWz`ewfjHuZU0CpFI=m%`8;)R{tGSXy_c@rltdz6A{(am@Iv7_M<>v+ znKtgU;nE~Z7eD*QN!In+Tn-yH%z5l{YnyxrOLgL<%0q3&{a`KTo4h>4#^&GGb%nFu z`H)VmJ;?(o6X&45-^`$1Un5a6UaKTB(mWw>+)V8U-qzNIrrx`Ks^~%YuVCN=TbecQ zA52y21anDchkU{oNnD+D_ViB?D0soP3ehY0I`r1RlkBqrJLmn2Y-<2C#B_N-E!jc+sz0VrB#g+gY>QOrxW@0+JB2+sgR5K5l zp1vr~@X;Vd%<|_GzK}-$8y;hhMZsjEp5P>-{Z61R zx9z$&rH1|GB8$AR%fa+q4Y%9EkHXE^PXoh3Pm~xYgS8}XlFdz5N{`G<*_5v`0)8;; zqpOt_xVP~EAAL3JKyg=#QmCf=B{+}YMuMX4-9o=uVlez=qH!9#&&+= zE7_5f;CDE;FclB@4F!-Sc)i#Ev@GmnB?EV&8;C3E4F{i-WEm7~l>65Z7UxnY>7VgU zTMj4XrIE8yjN(uu{i~S#1#7ffT9R6`1ga64YlBOMmWiVdO(=$+*T7&VN5CYDL zd(jOuo5b5kP7DQ&lh@k;EO}d2tWoxo&8~MO<5j@G#2T-jFw92BgeGD)&1dtIM%l<2pa|ivSI-tJzv|dlpM1JI$UZ93^m;paS@GY$y>Pvq| zWhUW1()X8BiEtw3ZVmju@^d4*D_P!6x*rLi3Cc9LrX>P&>Ht?Uzw(3esJKOyKN2oe z`?Eg6J>+=`ZrZ->v)%D?&t3-iG$xg)ZalH9xR@9gtKUo$dCrCpuu6JrJRt5D4siZw ztJ~vj=J(`0cW*HZqcyz{suNE@+nT3Vws{SoSnMcV0F71TCJlpkgOyLGi*}XB07wp) z2jx@=JUCEj{@`&|_!`-y|K#$EpOfxQQs#>;w<7R!!^3vjR)>Jk^ekO7FuKwY*xvq3 z<0jiV&}{n8{0hIZq|^9=>n8RYPzt_<2I~%b3v=;YAZygphVA9icn4W}m~O7t7H(m} znt#Rul#05zL>2GSRpT#kJA^}W4RK;p^;^XkIYlR2;zoyu_Rsbcozt)vobxUe`txZU zD%H0P?t1!P`-hVo9RK>Lz0dp6&@GF>hsxIhiR~L5%^*fja_g%=CNzZMl#A@B55SsJ z!R*E7{(sHNfwEGwVAr;@EAe(ewAiUVnVq8vWQQFw|5bK)s+}wEoy3DB66xk~ z>9`kxQ7*FtU7+CsAn&b@hu7GzmFnOAHmY^2Bbv=zb`sFok;PkT(G@naRX*N6LsajHa*y+xCk?9%?v4>urnD|RAwaZa=03MO zHD05Zlfk8?`wzFRQEqdb%U{yc!_?Hz4Rxnlo zNTcXN6-aF$`OwyzlBb6o41{OZ&I@+3mNtZ#+rugc5p1#|uufTkiJ~6oo@7+jxU8L;{ zD74wz4&FbU*YsusWXdm(WXc9kw!!LT-&H+Ib%~P&(-%sgioDrEv(P8m`_s?D3M)x$ zAm-I*J`O%$?o9k*`|rzS=`ewqX-O$%FkA|qAk}yKGlFbZYXzSltib@-;as<%@#dVq zi%V!FLO!OAPGQfDd_n#tB6RBhOGKEwoXH#q$G^UFurDZO*nJOdEvMa~m=Zx&R*(_g z2c8&8V0MjGsL8tt2pfj?rJC1$zPT&&Cz<>`anaN#dEB9U|WQu3=;qJZS32e{!hNRlR2 zNfQhE;d#ZwLSxm@0R zvTaTnE9C5A_2~bGm6K^rrr>?<|K|?;BC>VAhA-7*nf=m?0x)a^j6h{hj{@Dh#=NO# zS*{U(K8d;M`7@QXpXA-;x_z!YfBT!uE5-%+B6n}|l6YHKwszgAZBD#sot!YB3;AY2 zwy>iA*tT9I*GjFhmlWYOFJxWJnscb&ROFIHjSsVqN#Iq%$gt(V)JYN0WGa2JIRd=! zFUM*4s^t*RhBz=hO`h90|L$|i6xC&6gzIf!lEe6EzTJ|}RM)4FlD9=%%6I4i|G5w~ ze?Zm##KS*18si3(tBe_huDyf4Qo)H(7&ejw9%`^oo4*ch%R=d_^`M#@9;* zrz80`!2xdRMK^C=9HbDweIu&*!)@ft8>rh+Nb#UoH~3=2<5npoq7c{lx`MvEJyUuQ zb>`A3|5K+~Pdz-P`|3u>XP!b?!=!}JgoNpdwVXNKLx;tZ72NU!dd$3YZgwHR2A8FS z{ZN8tggG=a-_ zDsd{9I|E-f`g&bZi?t98waREg_kBco0auEbAdaY9r8o1Kt{t!G!5-}%`&mP`Y((Bi z3_(Eo?N#)Dl3=Pw^*Wr4-JISJ-<)@0oy2RB%n)_fYAfcG0aK=n3b6$tAZpQH^0zPd z5_}=!nEIe{h!-L}AMhekJXEB>ONLtVmtG>Bp2VkM&PKgaj}zi=gX`Y3zCaVzb9AY&SpugJ6 zV7_`~S9}N(^L{waBXUZ2b41st9o3)9q6A?dB!VB69h5(FE2b01lV~hvqrgpi4xxX1m;Mj-T(dKuXq?Ey$l}o#YcF9?zKARC^;VjNfQTVL}v7PPh z>a%|A(5X#LLDS?5;`iqOeC~mL8H(#GzazA6-H5#W>AaGb2rKkG-Z(BmDSNFaZ)1c8CxcSb=)-j#ek@#+ zg+z?;40%={<5XAqgy>0N%QDQFj-|X#76qEez?0iL+BC*eBL*v;LrS*Ql^Q|>hZ^72 z-QmKQ+P2|L7WuvERH*NN{`6(|3zSln1zIBINIr&xR9>1_h+zJHfL=->0s}gKwhCZ$a(4Q(mGL|nHO6^Tfyz-*qV}P z#0ZAiQOhLi2!#L_2a4Gnc%o~@g>#Erv0@HcG48krq3ThY8GnW2ymuY?PAoM&a)i4- zS3fS&a2q!5!Z1z%dA?6M6t}H!WS$u*sW6Fx$iCN&ogZlU66K_o?>!7MgBcI7H zL|>t4Or^ysid1|He0N+xGvbF>jUzvvf4oXtctqHzfo~|c#%mY%Hsn)z)~XJ5-f+_$ zOtz=q#9O8SA$1xdk<9iV`xA+WwU2%L@Z4-}_TokZEyEP|sb-b(q~v9aPS*~>%#}nD z)J2qq?lTouJNPSX&Ub&0_}SIc%4369lq|n>=&&&cWQSYYQ#W{V4H0xPb5$Q7zTS3Y zh-pRDsbRqFdjoHpP}UW}8!DJK1$YR;WN}dut7JP!C*+tfMIXItUL!Mi7@*nrn>)+pWSX=tO&Ac`3P-Kg(G%y2Sg$HKO{Xr4+NDcXm?C8@Y1WJ*GQd;9k=4rzy zi7wlpzgD>eC-$MvftrhIeBB2!v<|f$FnN5kHPW|WiCba2q^=CohE-WwQdX(Rv$VIG z3F~cmE3{8hP^aiPNi-TyV~@jX&6SO#zylh~Qq_T?*fJxvmebTye%1|=zUhnOW7Y2C zDZDz5gyFD&rWk*BPl>_q?_w$T#a`z6Y&PR8!Oj#45V6zsrFEC3<>tHL?M4l+lz9UY z6=+GwiQ;d9G0M$a{T-5*vaWhlwWRtp}mucJUD$+`assbIOB9fGn9^*EI za+p(RFQqMVtFw2FeY(AcS1#%rJiNG9(k$tkfSpY-0ZU@_U2F1mGSs<2LXeyd>(>Ei2V#K zmcw0Qzr(*|S%Tj9LFqUfWcG`QRI%=a+m<8_ee0Kh$+q4nH?+uAkm!YCZSZ9XY*2=U zIkHk8xYiUp(kZ{xGsU8qlPYy4^f43zuQu*Nh#tHv`4EiQcF-R1#~yl|u*CzCs8XV6~am6?J?Ni=p*7C83rD-9+FG9)Kt)EitkdbZsx_^1Jkl; zBIoHKwTrf?22Xq26IfjHRtq$JD&} zJi$p~HfSIsBgN~E{jmLK0Mg(xvdpuGHiWCQicJOfnmgx41m$Uz`BS}aeCYg1f%!NA zL_>SHT8PmvB&6*MjS!K9YzWyVC3lc$ZdUJCpxw;C6*(WUb>-{Wb`qib7D$oev?kwRP6H7O>|ip_ho=n)g1Io5zl zUNP^8M$&$X99E~Gk<;qPjAFLnhp<(MQixtgD85Zqs2&uH2?%lZA)apLX@;rb^9c}m z^ggzK{nUqto-1nuPpOfin0Mq&Eq@V&Q&a~sFb1!(i&%q&T9aIx2?^YAFId-)HUjpv z#Jf5TqzMtqbxymOSLoHXI}dpY_s@CqSD49tr?Q1bibLJtqdsNSV?STt8~^>=Vz@bK zcd21ibGW(tJ08>Tzz3S{pq3Q1fW1mlAl z?D!$S+&^&!qf&sfw6i+OSG_QGF~0gzsW@i&%fJ=l?WjO!Lae^$WPAGRMi-!F%T;{1 z5hFj@g9g)LmM_SgmIIrkeb3&*SI1{zUJQd*V0zz>I8XOO5i(R?+5eo)d?oeajC*W_ z7~-7>GZ}^2P3?bR5q%GoCkGOrclIy8QKzZG$-E;7Bw@w&@mk|`eK{jecSpP(AJcFf z_4WpyDo{*i{B|J&^m^kWjOA2qs!=J22R>*(^;V^r#d5LYkJ*uug?X><6Y+0IzIs%* z5G8dJ=!cQ$>nesWM=3P>ymqIp&de<&7)Gsds65fP~IP2rN$Hh_%l$_oYU(*7{ z#4t_8U^`bJur=sV2vF!}LNyxhFX&_T^oavL+dcz(4y->+G;35oSTQAo5>}Ktprf{u zxZHaOIIYW_@}lBth&W9veY41#E`G1mq;b~lCx@ljp86YAa?53&iXptXPF@!z(a@3kiaE^_0(KLw z4qWKyffe!$`Nmc|V}fltXR=?}mlgad&W;FTLeyQi25ST` zJ>UG8y~;Tjzwh&7`e3&VUw|+HnFB{JN+OgNhibo%xIPfN@iK#Qn;6=8vbe4V#SwEO zp{pz$QD=hLD}fzA4HY0T9O+H9Ml_H}{npId zNJH41M?xflimYI+6jU7l)V-~c->5Cq$${Z6jkziRzw#9Xq-#77!<;s88#wnQ6gGdm zxLC@rdUw?>_U?nZ zD!>Pgdu&Z>q^Nm1mFz&^)HjU5n%6<^(49T;E??aCEe+2mD?WH5oVFIy^Swhc)_9cP z<;DlUWkel|@YW;?Eogp(4R^lQZFYZ86?{fQ1$HsX#JGx4^hSj-fKwelQ5JzO_NKC! zep#pK!4F&DYgQc^_oy(0OOX;3&^%yywl6-s$y!{Iwgkejn9pxqQ0s7zhnYZqquh$) zTQlr=0_3>gK`@ZG_w(^pucv;R90m+=d3C$M?YcIt-9$^bJ4T~w%ok9p+|&qSdZjXA zRs41hZ3?oLBtC^862Mr{_9m_EAMSNqXFqidr-qEu<@s-~7YK z9A2pfzATK>!52I`xwne+FOkgNL3Jg2{fV#Dhi)`ttc}wRB&qr+6ou@!n1eUO35$dAmJaLc|7gok!L3dY zYj8mI0Vq&X(e*Vf3W$JIF~(B`^(l<Xh%v27VDGo zO$(&h{`?GEH2UoliPwEEd=qhazzFk4VoR6MSIp;XCN?1iY1=>4Wz~{d$z#_rS4@>dM7PrVu?vWS#C75koadxpOh73m%>} z-Fqs(&a;TMq~VhMD!+?BxbUts^ss%p*VV|uaDt<wrEeinZt20JePXN&U z81`aPd@mK3N_?^#*5;B}6W=oAbKst9LJdhJiaGw4t{!ewdlXHE4GeH|r%Otrg;&T> zA`cnzzsq?>yr&b?KC0>D;s0E#f2|eE6cEZgup6%E8(_JhH==P0K7FQbLlT zhq41Z1FX)pQqeZsE9USw+J8mc7NDq9y1Whgxvh}eS>fq{P!=(o*|th{U8nxGv#FX~ zD^>x+gg9q*jKna1d;=k4$=T3~bcJmMv;*i%w7FIjPB)`c+8}u3Gpg};kL)@3;vuHO zjonx?e~!no>f~pBBi>-IU(4qrYz;OGV0t}0saz+J?Yytp-9x9?J2#) z$optvvAzo#xlvC~3s!f}Q)~jqZM#EBWHwF=jg((3!z#50dcW!_>M8|pro~os4~gd^ zk0woR*N{VOaCv{@tDFp4C>M`tex2GDkZ`maZ9~SRz=AbJTLGOJIKjHox|Vsb^M1Gh z%q~^Ilx~dCd_mw$>BE+U00pK>tSso2HFAXYYjddtE1TlNaP?|FqPg3(T;}&ix@9M& z9YryK5j>x6kmzF{v?Hg6uWM=@Y$HWwA|6(6b8{^qA8jX8c%tHor zHcIdG9TaI)UHHh=3FWZZ#qeUOfglapuYtnqU@ZWm4MYv{fFe=gO&iWkZhYyqc)0>{ z-mfPZb&p(H$u(9+rj2 zM29~LD6a|HfKVg00q6mkC-AH)ZoxuVIkR174tBSs^<;2Uh0Cew(GuV4^notUcqEO* zHnG52w?poNMN4`J?K>V^&=z{5r1f-L;Z%`)_ThXC*PNc5V@buc!#?634bBILdKJc~b5--8$)R(Pi1H2nBWfpq2ZVwyJPoc8ucKdrnltmdnwy)$%Rt72xh0Px zc%lpHvz<%W*o$w6a=C+Tp#7iJ6WC$ZnS-fmmOf}od{PgPYK4jd1)v%s_w6`=2pLL_ zkn^Pv?<3`J%n`z5pD$7-fF)P5fn58l^&CZk)fZ z{0S#sf+EJO7zI|mB;VYp6@`YEqXUWpzexNZkOMWyR=k6=NtSwN&5*+Jivi^iQ-gNq%Urtl@N3)u1iJTR}{7%W`21T z2pdnHnYo1+i3tn@t^zXr{Z#yIyRYM7q<4SFlLm>+o!^KRG(IFvn`3G;6(qS<`QwqN*~|}(dVhR+ zn*pj5MEPT0*wt@HK*sIp0kjWX0yTT_fleHrjx804#USkLK?EA(>VZKrZb#QU%L9cA zWqOQ6$E8y}*9_)5kf?@uC|C4`ZG9!~=~i|z=gZePEz&Rj+LDg0zny!O6xQ*lt*i3 zUluuOoBn6Gt1-%0fEedH1hj;Ktg|%3Hr|j#OaubS>WlI25AHG@Ta6;~aXECNBLx}k zA5R zKDypj&PKJ8Z5l+)()C8nW5J)_0ekMP-QJoVpQY7RFZvztq0*c{+``;ebqw;rET$n{ zBv)-q=?(TeyzuP@6epXiuouTXy)Iv#MjdT+`>aQHK`lbceSCqS1~o?;!+vjXmq^)h z97fnBEnbIykl$M<9p0_}oS zjutF)ha}6X9u z?~HWJA_*@C!V0D28{#SMkx?7&E?w@nX`}>LwB)Em9aND%0U;Ad9TV{$pbcsL@Wexj z&RHmPPk59b4GxtwHSp#W{pbUF(KzkS1pxs1g3|ZfxZ%KJ zi_}xdy}LX?TWHZ=NVtHuLPrUqSkRins2GSm8@NhfYeJ<~F_htp5kJg9px77BkT)@f z|2eJ5W373lqBMg7N_)1Avf||}i)f!9Aroefmo?1mCNo8Xu3#rbdOia0&f8H`LSuK)tIR&ynF-G6bOA>&rQ7aY~ew#xo}tYzLsw3BulxWjV7b*D`1WM|pp>=(K|(_Tf&rK{jKKa;*35mRZ@dFig$( zd2OGFqXMVXX2l?NTU*07esJ2|iLqriuIlcIhQb}yHpd^xBs+1O3DAm*MhJPE&M82g zaIhJ5c^bJ|9#D10Sc3<$2X6pyV$ALmU1km4Y@1Q$H4ofpzu5KXg`EJC4*DBfG}?Br z?S=P`dM#Bn0%aCZWo~!7&(LWeKJE+pp$Jqww79^Y@*&$6!&W+3P5~BUrm~v;l8)L- z0}-@sbH7;JkutZF@#Y@`Z3js$0zsmIPu|rv^M0R`5JFytzAZRnYJ7W#jNN1_@O_@Q z5H7g~B-BR02juR7_BBOtcR-8|Td15qz&X{1VEG=Pm3iSmN*DpA&k7({39u&Xf+>Nr z%=`FHn6}5G1+{UlT>*)zpKK6a5vOmir9GuJbHe%atv)T1V8y0GOBGhRA#(*> zqC_y$VOQ9Gf?pH8_*Xe^eY!`ZS(F9S!5%ANMx*J&ur2cw_mj8#fUe?TpU@qGW>ita zKA&$PM#Sp~4!ydY-&X3F;?VFnn)+ly=j8N$vLF$_YAlKk4|~rh6-^khE79DD#A!Hm z0G+)|VP+jSxJn7D>BCq=9N!gD3xH#cMS(@sW}sG*R0X511``?g~?&!}4tRk8V5|i0uFLSM1Gv46L|MXI;=Lwp0Iy6zv8`QTZ6O{xY7c z_Hg&oeS2AKv!2+yOVSS!j>0(Eidyo`z&tP$MXIN!#}Ibs-61J9Kp`Uz6f)T!`B)jg z{GkTqVb3@Z?qa!VlF~B&>VhGoma9T9=*bD*#+$gtMHAYQcgB!r9U=j2FEA)$!e$M@ zFl_~VCs9BHwM#~oMO_h{yNvEo2gPpFso=>#rG6REX! zFq&D1T87sCbEM%-#P&7&KsAN|Lw&XG0lYrYcP{F$zi%g9d9SCn{sYvhpw6mSOxNRq z0c`wqTL-CVB9<3D!N2yR1j(fOiEZI>TfuBa0r0c)ABx2xq>Aul7Qn83+6eS?h4^Fj zEmn!SZHc5BffR|t>p3PtZNxEeY+t=VgR`l0gyXCAdHIb8P%?8{fG0e z4&Q#x9*}?sFmNBy078%pS2+W$5m_`z`HWVJI4_$TZ;?_}a|FVnFtI3!Pa_&IPhs30 zOxQ-3!uUM&7oVnY4`WcJ@`kPMYm-{2OCxi*FS)IyQr8z`9C_=_>IN5cMNL5mDGI2l zX`1peSi_F1j|^PW$4Y^QzepaWPI8w+H&PiPztnVzfkw%6fs}^CLb#>M3+g;W2z0o_ z0E(l_?(4?H-MP`t| zefWgaS<}6qzc#ZS2U>k)E{w;YNZ-KRX(krb9kl7t><%_jq~kuv8UVct;L(~aBr&5kmzcKkS9=ARi}`**nQcLx%xbiYpi-@F z=)*vJEDBWz5vIH|GPFiQ9~G-B9R$)IlrldAR}Na~_}O`nJofp~yUNrE3z>9H$!Cty zRNh`!G`6b;W0_5o@{Jq_##+TVuJKIB8xdrA1Zu5h)h!Q()H36eqDiLhaj=@ln#wRCS1-S!4x7g zFMQcC8!4gc^~xnem_BXjwuPDJTV{-WUCnN<0AJbO6L8eBu4g@k6b7bADm2{!D)R1p zc;b{>cX|6o?_BOt90JOU?dJ2Nyxrga5Ytz>_Zr~ICe*@dPam(n`FKryok8i7$O|9a z^v@6_B+zAuZvhyuYH?hE-r?#(O+;yMWdMabp|DvWaryy3w%lWO-yycc#R9WOvHcRs z9c72{%_AjlpkC6uUnny^;$uiX|EeQqz3Q^0WRiBVUB-yv5xsI=MwYMilJPEDzv_L& zlo)2uQS5_eg^r}=ig_o#=&H`Auaw<6qQB!N_9UtX^o_%=?Jc?Y4Gl4ZmFV}W+gm$c zQk*z*J?P*6W6JPlI!Sdb+HC8F*o!~k?(oB-_6Rk@-0Gai_z>V5WfdA{$IG7VZdv&l zMqE7JGo0}-Z;aXrkBE>{BF8QTe@lJzikCXwv3|&z>lXLce?3+3_bn=!fqhsh3q3`7 z@}exozyC)%o4vHq-`19gVSD=t z6mv3*xN$K9!uSKvP9@^mNdz{~KQP#r$oMCZ}dR;!qudW1#_byr4t>Y56KhAOl zUt-Xrgm-?kIpxo{RF?G!eM#z)N7%oAuFhP)13sl&Hv}9__Ckkqe6uV}@SCin$6E*_ zr$vi@<%J9KxBMA4V!M2D4UY8_Ufi^ZAFNQgxA_EP(a4Sk_kd7tvF=A zv()Bh?C6QM4M1OFqs`_x)_J&tK3U}L;_WTYT7I;gBoc`uKf%S{^gOG;ah9Wz=gja0 zfBi4{H^3|}&k+fZw~l?RG-cy46|Z-TP%gmHlsA^K;D2(g8*))L*YAXWoell!lkytr zD_c)EKzjb;?)lG;vn`Y-pHlKq_s0YOehJ?BQ;EY|?c4d|eLxMTg@Rv5NQfmDc=78w zf}?3*piG$mI7hzT@jmA=Wo9sWX9OquCG~rTY+ODcCv=jd9{!}`j&$KrS(7yXeA&>B z)go~TboF=-adEyR2)BKE#L9E(5x8*0>ftd$7O;E4D`yRRa|EcUsMde_8@0v!5BB3_ zP-l}(nBR_}seq9Z2VDNu@d9s5P|%gNU;Q3L0^yMh?9CgOlZ3ouZfI*oP!#^cSL?Yl z1e%f@?EG${09zQMT07p?11ITJAN{IbI5;!4w3KMtPj#HoKyhNq_Rh9(w*iI!IA_OBL4Bg>}~2=#}37yT^NqNZ=sQ(9uO)0kY?LJ^$d~z~hCN zd34Z~jfFNK_u1qU$NP@C24{eKU_E7Az?Gnb;kLcZ3LI8+UI`qK=uv*(mvE%br_Y2W(mr zTs*p{>W_uzVmK-Nib@3DyzWM@myPC&wIxzVL>&hQ1vS1pH!obHUuGl2H(&N^53#qW z=ppVAe!S1vz5MY{{p94NYY(s?SJt-i_y_=$twRM|%a0YUkpN6y15CW5b{)^~EiIO% z-agj9pSj*6O)0HCWc{ZM0p|bHKjlgNKfxgY+;{vV9j#xL{}Rl^4AGzi}(8)i_u397Q*V&gvjvq>8>ohbpkncmRoW{qgVyu*YzvPF%IL}BI z0pBD!5bdC!n(C*z%~-3vM#5B$o$O6kZ0@bn(9(v#-o4QHFW51)5%oLw-#?NTV`mK? z!aF;LRD|JCyM4BqF2isQpK;kn>)$Nw>~Ycf^6D#F+rKi8w=Y6c!6EpZHxE$yQG51R z)}J6(WuE!wIVBNJ+$ZJ?ECL&TW$Tv%@zXYJhwfOgvGKfSV_T=%RCuL(LwJSIc>1|!F zAycpRr$1Zc1GbRP4Wu1+_~HKCIGVV!2qrCP#{aUi{Qd9WpB~fT&n^B8>rlLu;i7({ z4Sn_Y_I6ko*Y32B@!lgt0D6oq9EbB|*5;D`CaXUVM|x$%(-2PZv) zvsM zmVi>F1*C+Mg7liulaPd*6=$5;&bXfk_j}HDzPumwivHUwcm3UEjb%{)R~DHwEyo$Y zJ{i)MWUufY&e!WZ2dP0uqm-Mn&B6V7G#azjwtvL_$>}nJdZlHq&9z1COk=zbA)0fb z$B_iypmH!4NVdn6^gE<|uW+wP#>ML+T@k&~jECAhtNPQv!+Ow>IXVg@gkFpYf@zF^ zA|y?t(W(zY5X5IuM(I-V+lI;K-B-#Y+zwc87wz>=3~}ewcs3+U5Qb404{>e9zHJir z8Pl=^ZJzB@^Eszbqbei)#?ztV1vVx5)dWtjLB6=ZLzeo;lN8Et{U4_b;GZ@8XS4em zxq_*Db;pJ5I=934**Sl#0&{_4X!S&uvTzM6_RM`zPHCy=)r8a+5L9(td6cAsW~gkE zx$oUf&49KMR(h#xci_}jsuD>KhoQ;zH5i!8HD1P^ z3`J?w-H&p3RkaEIj5(5qZP1V_sCvk|yPZaIHJ4aZ=`>I{bJXT022Mh^c?j5r4lX^{ zXM58Iq4*DR9>cfrvja;RD={5vgwfQJyxryDB?aZ0@7$`_%^0|$1XJf++We3%e1|5b zg0sjwYZESZ^MF{EWMg1k(A&t#M1JY6<~RauQRZ#HHeM&wGUKqx&k=;#2}OopX;!r zdXg;$oiKjEnjx%bXJy>;_+DMkgDY099Cg;RW)8o~`}8^7Kx;VOf8GIKuhMn@%{H_{ znFfQvvcz}5&;`*-b}Bf>);y9XD;C}zu=4IOsOo`N=G{zqBQf`)L#d>sh0ivTE9)H3 z+j<)ktv-}|A-zLztT`pEDh+%A$*omQ?`0MXQUb}z;#l51S z{=Tv10lf-EV;cwOdO$&>8`>%R+}5&LGL$Lf&;C5I0Hk`^!XO6af8cW6*mJ$H4V42{ zNbEH!i7aQrY#Rf7P_!Z(KAsx|pLoBrmoT;!%Izdq7FecV&H8}k)Iz-^uek+qyXXsB zVCQpKVEP)f+G#lb~0Azy4GV7OfK(23bvP0LB)W#vE;s)o#v z&k1>E$1dzsy>2-DCL7DoJd+X#S@MZQ>)lB~z!)cbYhwPL}mCf2REk?Cw z62*_pxzs}DXmQ>&DgVsksb9UDbR`R@-gHe`-I}R*pPt8R1|{!USKi@a^)VO6OmZ^f zWC{2iAAh^8)NqSn=h|N9H@ugCZ8M*wMGi1BStMBC#z{bEx0^38=DJ+H(@d}-_;V#~HQKz-;)$z1!IsrQR9xhidz=cadW=j?~R&z^|XD4X5Ip%j1n@vuW%DRi>S_5*P}|5TpL~( zZj>^@P0d%$1R_C0iGl5;RAEfukx}Bn0 zwIB8s_BW*}ldl=(#z{=H9_rC^Wrt&UKgYEpoGTu>`qr9X%h*lii5aJ}^YDav{v5u< zQ)Lv2JxrGOY0%`%yhE$l-i41kCQFDpYHN?uI3`-X4<2B=y)|?8ZDu+2Lg|ySMKhA5 zLT44(+k#tHkD1d2l)^(AJ-4|TE2yho>l?c5xbnWRIBp&4%yKjaE;y`;yg5}&Q$9_4 zC?$gB)E{CEz1)Q#UcqNnn2QzK(2h~-J5sNmq=ljgpDaqQN5F?3+n*tJF)YWmcoC^1 z^A@gGNraxg9d9n9I8}obalRsDP$V7{s?AtbOs1PRt)#8v zg)_!PK>eAOhYZ>wV3U>K*T9a)4%z7-9+FxH5gn_Z)3%E%MNPA;;Y`RXqsh8n|$Sg+5kMKd@++472ftxxTQj zo8e1XF>(8fPzdTV)kdhxKt(RCFIW;HN{+ISmi6a8nRwKTfO04y&5%66f@_knn^nrsay?Co^J|$8^i_-*-zs%c%MM`Gl2;8 z7=EdYwqmvz8hFxq1FEN+ff4+w%Xcu2+EWqSTQ&5SloWEJrX&4MUh&Lp$hy!FO=j`* zDVNY*LVu+B2S={mKwUJWPKmVEH=|>D?>e-P)%exVz2L>83o|L&$I*mF*!yPd(Divz zbDsh|Y9r-6>@dhYmB&f-r|fl~7`xfw`2BYC!K&v8>^3}6Lgsavk=IH8emSW7!|k^o z;i`UyA|@-MiB54+EiqD;oS%T~K|AjbuiwzdgH8E{`!Bee#21{a|Ex*8p|%;Ri67vw z`ObrDA9&6^YOxWEWjG0DZuQE>i!w_PqmQF^6FrHK4I5CMR5z|i;*eu+G@n5{`|#9c zrzi0U^9if|7O*vXJ}A#lzJUD1D}%PF$?d~ctXV0K?++t{JC;u|1$ElnI1ihW5>#K% z2Dd=W2W6&0`*Kf}iWmD9s^^_ar0!s4xC>@pS2Vzm<=EhQO3(|ef}ug6sq1=Sfu}Sb zp|!2}^xGINE!*dOUMPn?6ufG%PNos2+>4R9I!g1bG<1o^ST)X@7tH&z?n6qCrS#H| zQVC?~!Kh#q@dI)^JC%K_r+b;I&B*<3`@lN_K01N{$50MzJ~zNBn!~42QiwYwO!Z^b z-d~vFF3>=OzJmEkBgWm(hD>#j?Ob3 z!fqlp&tRYL%NN*R-tlLRt5amri6s9KllM9F!AH3hK_xo*8Thx4JhR|U?fmT)d4hmq!6;ltzRNM{?|-71jO zRDK~AG4+v=j%x_=fV%^G0Jerx=Q8~1)u*<+;|uIwDiE*IB(MCNt%tma5+A}~XL81; zYU@?$v8JE3bI@@ResD9_5Mnx1pki+?;yLA1g_-Bn$2^LR(T)0Wcd1-cSLot)`rhwy&G zog7qMU11x&!sFvgelKc#a5M@c&NUTaH1p;!Wt6b_9*i_?Glt64@_SHr>0x|0lN^cR z?j{3doG39T(yz_8b7Qcoadyl2hIBm5&+)}-Y$}eEB5WfAuLBr&H14PfJ zX#U|QT+AffXIS*|}fBFX@qXkF1STXi;we2S?)@UIo1i%8A`1nLx)us~}7TiM~H>7RC0z z6!7^j+=P2*sLq9v&S`oQAggh^5FSp)(xF@Ca99+Ac~;C^+lhzkGA@W9^?RLHo@Uaj zWP+V+c!iK2Ij&mYl}*L}T3lpn&GMQplWzcM%gsT>T=#3T@gkKRHJAL2_JBOQ{EDls zE+X*`iPT`Hhk45#VQP8Ns17M{l)KACV>P##gkm$4=g-O_TL_=mxw@%HTlg1zejq)S z_TfBAWsk+Y-AKzDtGWD{N)&$-+U!6gG)T5~{N&x`jDPFixhJ4GSo5YTVY^qmRYOQg zge{gZS2G54?%GNO>aYMDIjwnK!Xb1vcN(;p*NR?oW>-_M+kUYtZ<{XLyn9*bfxT)u z>w(AEV(X?Jn9T216>y3>v~PMvpf;yRLg`s2>ay|V+IO=hj(D)X%vlcCQ>a4cH|Gp& zEhTNi;7s7NkkLw@B(MxFfelM??2fjJcL#21%~~X_*f+X3x-UtVpUQnN?%(~XB0xp7 z=kfmDnej_sdjZ66jfvKT=fSC?mV;u)`@-BTSFG^EraD;nKh7exy|5Y&f@+R3P>20y zTsmzT`?<%|$myicl#mL@CTk`$1;}Hk>Czq*9*17wqI=Wt94XPr zI(A5=`S4v13titzf1otaf8yKP+L}f_Q}Hl33hUv>8-09l6J;r_43>l=tI|2w*dJL% z3prY>97rF|-K9T+$N#8ld2pmFuPo46#SkNJtY+UE*H;x`>9k#&;28mL(H3jx8FQ@( zxo-?(;-8UZ?m5{|Z{O2WZ6$S^IC9#bwFU-sGCJv*w^V5|5{Kgv?0Ks>Z321N2S5RF zM&&8NdmU%pDW<`($PK9Ou;E-9Y{#M^eNT1;7zeX&Kbn=n6>%Q$6DxJPHjavdbeEAf zr!0`~QVr1Y!T>X+oK{yCCxYX0JIs7b$_LU@RoYe=zTb4cs-0NR{Z0CAD|g%uLu+Xs zGV=xda+IkWt^w3_y_43yJd1oct5!8t>h0#Yp0*}+vB#S&fOF2^Gf^ctkKdr__7k7< zAnUYK;{9$OD5t=gglSOjNo<uWicBOD)j{Lb>&IiH}O%t*eg7Rr49g z{K+5`08WR)Ka`laxEL)GWli+ET>Nkm5fL4xXzGfcnxCfiDUIWK$eG(8X69d#bt@1m ziD5Lk&ZyZ|5uw=zB4FgDbEK<~0bKN4`q4|Zpq&f_08kN?O|Vw(EEY9Rn~KEe%VCR; zT9yFUeL_umw5V!2PU^FnMcs5@o)fUpj2_;=&E(>o@Kmn`87qX)@#ahq0>7lcHq9;^ zCnW(D%#(}IE`=Y*vuhQ`Z+A2y@$Cl=@v^P+c-e5qKGthJN7AQAIwa0KE54oqQ<~~X zGIyQAwVPUXEGaU`h|zTU)pkohYsWF_cp<<1wo)`X?vNPzsN#uu^4PJC9YpAC(v9Xg zmwf*#M^tSuZ&sZ)YRC9_gY&_M$H#MFwK%DHr^u7sUpk!pN6E}X^z&2%2Y1ehww4|m ziJ|0tiem}lCy}!SN+EImmb2dBANF{RBjqX)W#?K03yp{DfN69NZKeAW#UrR`)Udit zGmf z_#b|9T0y+M3qwG0$MNbCQ$nb0*y6+JLs|d!)=UQbzo$AxSk zFsIKO+i5$JGuKu4fk;Li0NaU!pT@CfxrgdfeOir7JYSLYk7bh-!l}C2=AXwDaVXy# z8C@>HH8?NzrhM13py|0;B#-549B561^0fSBM$mJyms`tqYj^=??Ivifvl-p8}`1FZX)4pNX<2Kz`!yPw?Tc-kawrFh(D+GM9g z;+;uMNwHd8ja{G*R<5IDK3hbS`?7c>(#U^Hc>pLw#SyRMLNg9HjvG2kw=E76Z(r{t z*tKx*wf{hI6|Y>&7<$q1ZbJ51YtNO&Cf9L1Q+VQdwmQz@01Y>v>$%VrW(-7{R&Ds2 zNX50e0GNcG5ey}T7IK*-+Bk){mY4vy(zgkR^fFEnWfvwM5-;9N7%)JgO3VpB8P8lV&M4M7nIh>Wv8K2@iXI&~WCuzsGRi;=M@U&Et zsEux3JoSd)`NEL_BToHkmrzCqUSo!RQSB_pIdd{O&#A<=g-Am+y1Lftpgb$6rwx$BXS@&uAT|Z`nIO9b4K6qCRYL{WwOoj3)|)o1;RRogcSwj*bn7*n+nk`rtNoKav0i`z@M z++uH&WlA2~kfl=AiDmdS#NB3WWTm5cj(%A$bC?Ua12LBr4ymB8`Tp$ehxWrd=c&ul zxc#yi(a=a_nOsU+Y*RhV1NSnmMDuuG1Do+_;sEV-5q;W5ZOFzTA44}T+NwZsjwVCU zs!ikguICqTdyn8TnTPa?W*M!FM#Ffw!D}%ZhkV_x-^E1_I&ns9YpG1+hU!2! z%;;c>b{s)XX~9P9$(pWA{`jxnLLeQz2xy=@sU#$KH*=CV0@l+L>!&O2j5ywUJp7x(ke}U?3!#0W_qTUSoR`^)j~CSGw`%2GfOW_icSRN9q_|F%cxl(- zCjL}Z$!$5~^hVgOh8X4A@tkJ;$-;Bt2#FEj!GhCb$A7l83-v|L+t{W$=s(OyLHXJlDS;$@c4Qb4bF6X z4>JzAH8qv7zfg&$S{pYP_d4+f^9~A0amM%G>9S5*!g__Odt1K(Urwro;fmsJv*#JJ zMJC!?@U&g+hA{xAVvTJe<`p}Hc5=-Fy7!0159==sY_wCVm(RC*+T~gF`17Sq<0E#V z$<$7gOnx}z=h2p1J=zU!tOe(cBJSs0#-nD;+R$36n;)jAcfmeV3w~ol*n}tiM*;B!bpEOHElsb{S0~o zvkYoFwlGs_=3V;OKn?BN1nW^MTZe?2$y`(047+i~|Als*^uk0e7odOndk7DW;=6jE zWmHd_LZ92|dI{zlqC1O^m{|?k@s(%w>6IASYoo-0;GYDuJ4Pj4FsQP5&K+Q}50XX| zi&P@U?_T?S!(aQ>BD0$U7@|YxvVTu2QcqAV(tg62y}sPV1d8-LkOQCkxW6|f{W>XV zU_?F-tEoZ`VtuN8zfyM0$+#p~q40pEv%L_BC^INNI@<%{mKivy!92>XTAvIKqj8nHytxG6{9%*dY}(?s(2h*ahQc(M^oK3+=SYLI?;tmC+xC{`UXjbR7;IF zZx3XjSI>JYW8<{kUquh9q=)NLZC2@86f_1>J};H7VWr2P7iN{kyjiXFQA_;xT2a%J z?e0}OBw;i;kFCuq2HsHqhzS)=n~sk`cO6EkG-EV_Omyv(RcGX!^N6zip|dW%AnMmy z4ilk(z+75e*BZILT2i*162$_=pEc?--v#wkIf<5<5JIrUakG=bP~Pr_j8wN^`MgIS za4V&CF_-*I34Xaak)oMfl~Q*3hWf|%5)N&>sz?X$E7}yJFT{3*LBH1~1&)~om4wNs zu65~3o8)NlkvAzvN2ecKyrR#y;VDAnlxMCP)s=J`b2Ym`+uA!07d`MvsrG5#b?3Z- zhkP5a6wX~`xqRuz6|kMx0A{XAmc>gbMw&)quMH9&#A!CPt@&JYSe)B2S=YK|Gupyw zfM`p~^zcBUjIXrYXPL6cHWb!BF>qFxL&~#|9YkBr9M}CXH7~P#1TU=3(;qRLnbE_? zlrRJ>ALbj+qH|2tCgP(e%8y^l zRi(JyE8`i&h&j<7&1wo4p63?H*KB$+(p+X@I@1 zg+Tn8f+=rO;<KToyIhLucX-q(x>W7(UMqRSPuk=7T)Pd` z!kenR599@o&8?yym!2(>bUm(iQx~Bk2IX#DQ+)=2%kw!O3Sq%*u=C>{UCxSE3&HfvNZPH-V&D17pDik8`^Vb!Ug!pJ zl&8l)o%`G?L%AN&(AL>3*W#0I#Tl#Hb!~9W{wTY6-+gu9d>L2C7>nD0^PCst7i%I2 zQ>{U|XuHjA=TpjQ6(dZ8_!l7b^Cda-*v6sJQ4f&ULM&qU1dnbR?9lZpU9vJ?osqw% z{LJ{2)*`7$IFTbV%hK~|MrPC9NNeWDa{2A^s~46>AbLL^8k$hlnyTKzXft`3PfxE}c0JpR)>$TkLSt7bYT* zq%J4NMRWcixHG8QKzq1?>@=$nIgdB(e;}e|u6pE1_q>yt)(=fHTBQvV-W`K7B?U0s6FG&V749>=}mTwQ#E>KAV}fh%%|hKmRIx7>*IJJb(94i`~b ziUEm>tJxqOt+(ODGe~mx@*f}oP|rr)(0CpZg8+qL)utz*KINIlUMY@dx{Gke|NWLt zjZYB9Em8iOKZ*a?=RpbRPR+@9*bvSXl%LX-HGiz!;RtbgPu0+T2YW16)666giJU`N z{1*fuG5+QS$v099Dy4k|>?(YEDb6ZRJNKTd<7vOwOrTyhQjkS_?W6>2a0@v_rY zAJQ5&NL)Uxh>@7<@RLniQ!;t3?9z{|VxmX&+8mj`FDWWAYXR5!8zAAoI;i-S;nE%aN+=>y31}P4}h_^^guX|#! z@yAMVehO&X@XlJxe8q~F8@1MO&J1ca%KZpyma1)hS2fc4GMaOEM6n3z=ds<_Ep>5G zzdvPu>K&ORM`ie2(p@cd93%$g`mcwl?SAkbkR@_7P#+<-(phQJbO{uNLRBB^lZKK- z&IW(|&SFHyku^e5DZzO2i1Z-g15wNT;|~=r2nFS)#yy_SprUC6w_8io#kt9P*(nUe(swb#Q z-aO^`F&4I1SLb)}@@P4TN`SJYd>;eXt0$ot!hf-z?>boNmf&pC^aN177@EPv{kQ@w z5_wC;*@t#K73HKChW;1jqq=ZVX1=yuY1(0j(v&ADE^-meu%HcREwM8(Vyt5m4DW=U zTC;v<*qy|C2R@zr*Xy%k$&U`S1=kpH{#BfMb$v_PUB6bntesag&n&^(uU{4svMMof z-;Rwz_h-%=P-4e; zsgnQ|eg2v7uj&zm)QICp@okI#?9PkY0qLbC#yzznh>VPk*7sNX(k{3EF`fT$z`x%! zyWxP`WJCq4v$J#eQe?%(qW*^YwHYRho%K$goy%*2z@XEpF7Ho&S;IwqblIvFXhPnE zrD-B0ZA!TnWxwa^2K=uN2Q0{6v^aym{1k%saG)M-CqEw@y}9URzN5omb~MN20q0gx zdNpe*?V^r4#+d}L@nRI}VO&7D?t7Z%W>PBoo6Vl5~6tLz4tn{=lZSDOORAN)XsO8x?o{qhD1^A-!R|%wc)-HJiw{`YyP@E(2rFVFC{Nh}ncx4kXx}1Vuta25 zvic^%w)O}#FETPxmsD|9c2V>G!b$;!tARYpJ_^-}svXOFvQ_b=%hJ&oi(b3+Z1T}U z(`bmSZ31MefAGlkrNz!$Na_2+J`?8V=3WZY%cGVM2L=Xuz~WKcJxjx zBVrekV!nbKb1UV{q90w=Vvum{vZ~yqZ7Sq6f)mR%|G}qso`#$HKrl*plNIwvtM^x! zXnSjJTC6|~c&oF5Q*+kzDK;bHLKybYjeCn;^Okcv<(Rp7d0Qgbw;rvX=?4o3J4rkd zJsP>_S6o@1EdqtZ;mXA(GSxazLz$KzpqTm9H)aWSqqc64rO1M~PzwFI?6F0%8X&m@ zqKK^}1mh7+y%`4iF&@_rSUYa(=-}|ictDQzruxU$`_#^~2{7cSR(bORgD~vo$;A_y z-^raz5d|?WhK7cUW`?FQSjkG2Ws8*#>xal9wmy&z*(ab6=FO(={Sblfl$(f%U}ygX zb#!#}JR-q)yIEz?8>NF>R`V;uc9M{nmk0KE1rI3v&;rZV|InbuI^8{^@lUaQYp;Io zcaa(4$;ppMM8^!Z+oXV6uSDEGp8#WM6cw@6B_3@txz9E;d-?kND-z%$8jBj{sd0M> zs9Gg+9=vN<6h&(pB7uF4|a~9iT5~; z@8q<(L{&-i3xsz+)ndj%g?HBz7DRGsxm~leoQSjRru)7Tf>OVJkH~)exd^1nuW7lN zRF~%*d1skik4&m%r{`0*VlN_i{s^8?mneJ_wZO|3W2jE=9FNe%GM+$%zZloLRt>f^ z6nGVF7|6>x-qL{gf;*6p>wile^Fe>uRKu`$5cFo~`|hRx;K9BRR``}K&;)xRP- zj+UD&V_W)De;XF+L!+r=>gKPrEPcD@UGu~E5u9ps)L{G&(syBiI7M`7$3bP5U{q_9 z+LXvMwp_+4%Jh(^;^zl;MIJY?@y(As%(mPiY6yrLEJP?Et9qmRDYy1Ci^L{ZuB z(<3Qjo6Ks0|5$DFFROhJdeu{-_)rJ=**WsJ6qI1H{Ah7h=q+F1okU^LexCbQ{B1jg z_cuN+6+>fbA8GL&MkFE}_P}q~*9m;x387ZiUUkC_B5V2#QU>p+IfB^Pa;=vR6M`k$j3+9Z;6Hm`h%y7#Df9f8ToP4{~k4>-EIh9*yS*Tlb?{7a*>tXV6~!}c_NE0BUoX+l{M zj3Gb5Iu4o_Q6G6&AoPU-%#v4p2Kl>?0wSyUCb(z;*Wcqx7D|t2gV%s?1LCHC@{E6` zP^9f46?nM_MNy`vovo8Be4@MNw~d;rxBfpDR@*ERuANZ@Y;<5L(lids(TivsQoZi~ zCjsyct`8+7=TASAv@RVHY?0MQ{Nkiom`mC@(_gUv*6$h&vgsQQcC*B|pDFNcyBRXd zKxCeEnd$S!N)$O+lIbK}2J3LpXriRua3 zt8?Mj?eDCbD3oi+8zlncbF+L8-IZ>d-(jQpjcS5V9QU~j50lg)f!b}iV$`+XE4}84 zXm`bb-o8X6?Y_>LS$|O1Q6)SWcj-#8^z@6__K$xl}40!!{L5AP{^S`0}=Iv3_~$zVl`|)9yx1 z@{@5@bNL3s4NKnSKp-`y9?l9fFQu!erYk8ebX^~Z={JRPDCmnwG$Iyj<^kOoNX1R<7%!`g&1=M7X)PGL; zABN;t({y&zfvBeXZcE@66-E7*{(-r??_BQ6blI43d2Urns=rr-KU%y^8Ve5sZ zr0j-_vw| z>9lWWo{G^i?v?{C>=I&ITieL>LsLcvo&Mv#{Qc_z^Q)c%)z||Eh|9A8qV;3yEj#3c zHo0%V@jd4FN{wMcCt&Sts|&vSds^x1ZGTf(Ban;cK3IU&7;$1ov~xCmrJKKx?;qpP z5o}3SNHTv@8P!#g<03WYSTpPSJ$dpUUXN2||ClyU z4|sv&ze^jE8E+laEqO1fQS&jgI~Y zx|vVWfz4)5SQ_`pMUmyF;cczs7|bR{%zygU-?!55(#|qC2N>j1-E#Mk9J4U2Bz@KC z#mYb(!R7;H@UO-gR8R1;``>K8|G*i-8C~yRb>juZT(9=!D$GuLjj!yJU;l@@zq!Q! zWoJ}ty|M8??cl9wYUI>)?J2jkKbZmfOF~A5JV=S&mUQOn$R=C^%E=&J<2a*;Nwjxy z2?4Eg4uif`n--{4t}7jMAKC;u7HQcrZ$?)(zdHeQw0x&082@G zSJc7yXf37W3uq}|8a(nOOUc|@xo)gY1J)3;$v{(6euYtH*L8xYO>Qf%E5+PR{~JUx z;K6#Ka>48vNLo8%>!~Hd+14X}boEzR8&I*F0TOK49}WCBmar=zJ=J?cpD>Y3crfOZ z8x~SDmdysqPg{h2u^twDNiYXVQL3PS5MGQ+NX3-i6W7`b{$a79kIO;{SnQ@y|0^Z$ zXU<>WyXrhzMP6$laZ5n z^!|#a;+k9N?5W3!ZuLv3F`V))MhKh4*!`m{He@g!l~~4BcPhEC-G73ncspa)j=3m^jQ`A}8goz}Ddi<^zEEm2xWjS> z6T!{5NBT;=oOR8hr0Y0)W3Z&=oztuIr3pfRqxf zoITka{1ZI`PwPzCeDuIvqBt`3#k4j{hg(LF8{FYPq19@`HGXU0&#l8$CWT|3z!~sV_KCMLIbUSL zpVDX9wu?fz{T^IuMD8@Apd{P%QZ{zUp!2VP-oZbAeW)>U^05J8w+qMutbXmut+||2 z@QMLyI&7jWyoT5J)Z$%B?<|>o4MD!~*^fI4UD*B9SUX@p260sX#PF-FM{oSH!Mf(z zl(g*A(zidmfrRQU_;6t1tcUudgoUabdW7<;Z)5Y9$kMS)9XMAni<2x}rFeG7b}0AL zYWJ3|N>6w;d11C~cR9W(b+%_(!1>(nHClh4U6?Ug91Bv+9oy#zVA83 z;j8O8TQz*#e5*agMYnrX+!evmfog-X9z8&)Gd|Ni&n74?1A^B0{0)%f3AH}un4WcJ z(hd~!dh9Mk1h3>r=9h{I#nx2^k(Fb(v#&?mOBVR~Zl67{DX4M~UH>%M&E8@VLaCnszB2!uc6pZ7YJd)LN(RpTqG=n|%& zSfC9WLq6L@O#iiDx793aF1z?x`+H*8De(nBB$2{uG@T3jlve3=#Kr^A_3()%;qSZ^(P(x;Mf>SMF z@0SMmdJNW^EFpwVd>eP%X1enpTo`U|l{nfM#hr>$;aV1ipNUja{i?B+h{UY|(y-*< z91-ZL(Y{m*&0R-qDxau zamcm)*IZos6f0RXupmmhJy1@!yW-c@0QkbfMa8*Hb!W1bm~EJAV}i2!7zDajCg(tP zl-|bvg0cr<2gQB=24Jq+A4V_9!{bfL;8K0HktBKFBZl8ZZ#5wkMRdM`LgCQMt;cWO z0L?rwL!2cuS69WBy6~7^djYt8SUm}v8kK`C5?jn&3ie8fq~(;hXW8_|IA%TunpsV# zXxl;SE*sD<^f5SCyJD;Z7aa5)WcCgma_$}g1k{LGUQ+`%vGg!Jj9_rA-+Xe07I|KJ z#%%g%u;nvxxY@3vOT4Q@Td9DhwQr(G`Ve<1Mm;3vXK3@cT=JJ}I&C4a9M zy+2p+=DlYY-hHbAR&1#5e~B%e8`yf}`ct1lAk&V^Y1a<@R{5>@KV&1)&&ub-3NV;N zq3ddYsCIfbi>qky7j3SSp8!p&Dgsu@Y@Hsc4;Hr8bZ@tMs62zBX|lq)r65l2MA@csg-1!nJ&D*8sJU641FRo?0 z8e@5xqp^TzcPl=udi41;HzQDb|Gzs20SmjrT3Ok)cd+SoCXBQzN%(XZ0sEL+)St?R zu=j{vL+tKflx%CB`;d!h5<>mpx{k`MJkIG0x0&kusQcpJy$jm{7Isd6K8VK|pw+C} zWcj8&QH@m4r^^O(LwpK)bREhpS(x8?%>E*85Vc^}hdKF0v!wfp1TUni_IP4D-ZrDV zV59XxeA0Pz)3Cex>SIBrn+)`y$}aSMu$D^nzVcRYAiFRwSGnyfp`F^AUEu5-9J#9| ze1+KdMpMbTKMCuLYZ>rhLv_043RaD+rw2F?P;XSFuIt9`Kj)Now{)7ME$fOLHSYy| zbA#M_D=UP?Dz6uAl#f4C^iarD4JSs^t<8WnNAJ1d>Sy@ypw>j`(uz@#4E{>3jY8Qj z1l`qRdzS|g_l40Zg3scp1Ic_@!KAF-c~nd4C3n!|tQ;(Wq$CvKz8%Gz)Qh$Gg3--5 z2W%*73$nvlZ1otFADTJyAX7QNT^kr>`k`It5;iP@)y3|x7Nt(@*|;X+0oLdv|*Sh(Mg_j`X?jK zwsGg9vR`R6fOsHG(AcmB0m?$1LB}f@chDTsbR;*#^@j1!decsu_Un(`dWGWk%03I7 zLMJE~+`gkDyS{qObHfyUdDw|tebxGQ#S8PJl3b6E7GJznW6c21HYu4A#~zmO3N&m6V)aRAWq8xA=F=<0 z(|PGh&4y!ti$Ja0-`LV}CC<=zuoh!uYKH&S`mgAJY0zo}7-XoBKeB+Ct!o@0eWWy7 zUvA%gjY-L%Ci8Lno%Yt=J+ho%n%=L}nh5BLT`qb8+dWy6r1on<)-sh&`=k+!yeS8V zQ*rq8%9^#s+^MOTgS0F2eO#G?v@sEy6QLG9&Lo!meev zd?`2*-$+9V2^-7q^>SyMvn)o6Riu>O9yl}6-nZX+E><^@&>76gA0_tm!)&Trz;oX? zq06>i-Whxa081cjy@H)xgUCy!B>o#6zq1yBa%xO^#&Dz%6T*m*JEuRYsxk4jN&0CM zh|x}zp+jz~@#xeg|K@N~zpvhS%j#v@uI<#uh-*xgT1N`|F4n~;r{7Q9S1ggD#K=wvx!Ce;sT22boIYZv;&kZw zgDy8H3$Bkgl<}?4(S1$0Rp%kVLAYf6q^{qs1UWz|ES}83Zhpmk0T zedo~9f8G&5+a!-!W$RSOM#A`jt%o9YR@?=>4I6gr@R~6T$Apc% zjIdpxKD@VNVYH;@U71)K1NX&~NQ>7|*yZURFbA*@-clTT3;2X0_}S%u@k!@;Iuu-g|Qu zc^mL_kz@C$tzT&F)3Pb^ zdEn}8)*B1ip{}w*T&6fjZ@W+*1sI(NkPBgBAKLOwL!oi{@#{~G#uyZ_fW6CaIZ)p; z!^#r^mReVLpVW)LF8=3o{Z3QY19&JtZ#iGlrm|d!I#;^-*6xv?I4%3uKzum zvD8|GV-Dxk`)hs4#sL7HynMaTB;ZdEP(4dF1B@qVU7L9dlvafP#(oPRLc#=Cj1{qN ztl!Ht4uX-BA|?}24;kOG^|!PB)BpYQV`fP}-B>OjFR3Ii*%Hw+y3{rH;I~1iZ)f+H zBk+Z1|4evH--aJh_@6%XMGby^myV6-4SQ^QWt83+OfIs`dCUR5@>Ca`a?OJN7F!fODMRC zU83o@Ocwz!)@{)+Wn-|=eLV}(iGPBE99QyP1c7~KYta9??0@V$z-PhZARm}kYy5y? zHoyPz59B+_o&7yPy+xP3jAPuuy?*6euKmx827Ky*beFt8(j8SIR&t*`H2*Up;NPk8 zyAvTCx~PzZjwT?U2N2U6@Tpo*tbWz?MQ>OFYV{2tVaPIn_}>#A1@qV3@QZy3aKJ(8 z9xwsdL-iBa&MEin{|KUv(J6T40`}}8@FZ&bz5b6f9=rc<#^e7=Fkg1{|7JXXmzlmt z@ht}bFJ?SumAe$+v`&vkEc)~7e-T*|4??_@l@`A{N^S?n`D=gB19pXC3PD{8OJ`AP-O3&3Pqt|&xSpY zy&XHUOB{QTjAL^g$M}7oe)rzG-CNiFr`OTpoagyI-|uI>-|tV7(m)MfQ#~6w&C7ZJ z1@w*pVgWPW$;&-kSderCz54k-w7b_hd^ceMeSP!77E;>989Ew?f4s(j3Ibf0ss8}a z@hq^lZ2X4rNx3gp8#qFn1MuwPMg@!us_2A8n|= zZ=hAh{pt3AHU|n$&A2~Ne0*%Np<%1dcbV6Z7ohM6K~fSh>g)G6CXfvYucYo&Qlf%H?1{bJX-|yDz0tL1elJ`(*MHW#U~|CQdnZ_VNIW>gzoX zE`m37oyH?Yya3(Qez`zV|b|(l1a;;TLGo+}2&A zf-;gA+Ljt$w92psL(PO#pTFHu`JN5f2T`%4L?O>f=-0>N}s18DrcaJ>j0K!wk~!)J3|PH zDB9GsFlvcMP86Sk^c_1v1vB+}$^D!5hL}R@f=Mfk7ou-tjmX)^wwY~kQ&{dqa2Rj| z0o+>g+Ra)tbd21!d)H^VdzjGoPt-2&Ao-0XSIsG-wCFHSc*6mxMn3@=%{a#X8i^SB z2v(G)nar2k()@=D^ie#hTgPx4OLH1sHVfq7+S}E^*5}ttp(hQEja8mu)*Tt=JHw2H ztgjS|#6Cdfl=YQ)>~$J^o*RN%uH|sZH?S+{#`k;idBYT(*Gpt-7IlIHP>+2IT2LoI z03|>0guYxSbgyNiury0g*(4>9R^$?N6V#^ej7Dt8xVkD!?GN~5WMYDGCqOpA6QMDC zJ$m^hSr=VZua<;;+S87yZ8OCpl2aKqW+Whk5AaAR_{WHWT!<&1C(UQsz~iq}&u5Dv zeK~&P&YV`4_0@rUzixjdxlU}DNiuQb-Y!1h_@zw~KD<$|O&HZ*tL%r$adAOmg~w8e z(K`KmDp{Hiqy*e3p_yUHSl70SsDm0O8>q!x=dVX$XZ@fr*IttTWJun5_Jx5R(#A?z zoaQzz0zpTNt>YaEWVAs)wauLoE9(Nzcaw=d?M~dM&l{n${@VNf!Qv%)exIuq z1y)+y-dFEu!rD2^*}^q969qbPT?*Rb{*z8o8nt}x9<27Ur-op5*Ao!2!TZVad23m> z>0TBeAr!4UA!^_uoof{SrfW!LBrK^x(9^U;`8-u19zdc?Q~~yKniLACJ(65u(X>! z9t_p+E`lm~IiempQ0arwE&{tVW?g^cfs=ly*?A8xSELmJ`Yvy5Z~2uKc+f0uEN5TN z2TYPcf)Z~+2rE*&UnDemvlgt=j9XF8G|xMY(&4P~1<-Z6g=s{Xbw%$tWuEfk%>_bL zAVZeJh-i=6!zDx-xE#hNFsJJ`@SZgX@n(h8^#t^)!3vC(!J8M*REvYol8h=c3d|eC zbR;AeQ+<@nzUVIAI%P5=1o}ApgpDcT{Y(|T+Q23RWY z*mT?J?>cu3vq5H6G5c2@w6{M^e{A(glaAVE)>x&s8V-w^MgP^sCt5c4vV&_V17X>M z6V?f#0eEV(_?(}dR==vqyWJG_*Dt7GxHWjC^IzjZb^NhrFiZ!Fc#1$Gq*YBkSgenf z8Y4sFzVr`i%7?Dy57FPkx2m0;d+o*R3DV^;c@Ch+^a!f#Nvdl$^`RnW_)Og1W@0?2 zk`U5s%z*(&UK~~@6ap{L>M=<;+B)J5(cE0y^(dz)B$v+Y$`~IDw_xa|`8*_MpmF%V z%W_l1-h2rdj#LTzb#<(d=IHRjgk@dI85kX8wTmn<{QB2A{}1d75`#-g(#O_O>F(v6 z6M>**PTq4UcQweb+Cj|;<4D7Xy=~Xx!5Tj6*;N-P7*jSgyF4jolau0sz9oZAdkO^3 zPR+@YFGyk-O~}5VR5;~?X>yhTb4*W~0wuVyYk6J~AacoRO*!LNiAYnKpD>VqlzSo| zvu@0(4PiYmd9v`ioI*_eaWrp}M!uynUL*m7wck~$AyytRf><4-R-FTaM_xl#h8XVb z9?*>28=}TC4UHFW8;8Ht7rzUj{hmj4cQ6SJ z(uuP0-%T2up_vlARKw?)W~CA~i*&tz-F_-kO!x5!4Oxpe0iZV6QzOk7XRE7pCXcDP zM6F@Fj!n`G;Gw46j2n7a_3U6x-S!3sp<2Fv03pV1J1~54s8u8)d05P}w-{+Ado}j- zpD8wvq?xs%Ghl{Ro`$_B# z_0;hC)_fk;nend~*0!&(@|sG1^#>HCEs=ls&DRqpzqbiKmJc zCCvF}tygnno&eSXqk5k3m^1tl2y4;1qzpQ3%sf$A(pGiK>ls#quhMUci5j@0y-U^E zb(bH9wU5YH?-CJn_}GW{!#b7aXGl|-U(jHv?fn-b}9p(%N<){(HKL$_-47>aPA8 z19zlpH-JD6%_j=^gK^6CIP4Mhw-PCvmIuX8ID{M zOG%UNf~BeTwJADAKs;nY>l~!sJcq1MvFW-6In1I>dEkwQ1hl&fn`(wE=Oz%d+~g&& zKk=L9;kOU_yA@1%E2X!HXfFKvhvq`cF*1e}2gq~8XOC1C&U+fx)NzETUqTmlAPSdX z&i)N7OhB!iawg>SderiT0}j&CZUtr>xTGpg0qkr5dQz4FBTfTMJ&$VmiVA85YAkw@ z=oa`DbOGTAU}a^l!KS?q0e1jS>BMRAtc}H@rU=#-Ib1L|P-_Cv3*%mW zi=7q?29ImZS6FO1`5~>#IW?Y`-Vb-?GZOB=3sK)xIh+p-#}BKpG(I%cYfF`q-ZT|M zQ+f;3bG_ACpt>Ek}fvmjLkf1)7^#W7)K^+QcJvNhOs5ZdBnh{}wmt>$+QS zN%3hAS1!#3@+Yj_NC~rUKbnkP9#e(xsTW`1`Z8wS6Ng>QluX*SXyu&Krj^N z!0LWmSr-C<;U{~|Ljh#BLC}co{y?(^=K9kP(%a5Jc@vj~O&pcD(eBC^FWCt?HW2*^Cm*VlTc`^o}hm~b150O-kzR)+Yz$kYMZ zevE5YckOVQVbjrPf4Ux7} z75;%h7C40*7Esc%@@N!Upxt*>EtwFxO5pOJZ~}AptOPzkfb<>U^oOQ%-pUnPfqjM0 z{F1L?|{rTAc?FE!{z6hVl>;fI8?P6bGApiC^Umm7wIDM6_Rl1)aaW+>|FFQ`G zb*^me*@ph~i|6^x)tsRV*6a%p0V}gWJhd@D_2oHO?Wvm91_6!_E?+vR78VvWz%enN z_(y8^-+b?vkMR1l5je^7z)3b&@$WRow6W8p2TkoA!T#kTP)wQZoncOqTEhF}K zGXD?E8!&#VenBTkcK}@NNsE&I@VHy*|G7RJdfLmG(B;4UFtI-171nGMD@L*U^b*;#ha2x5YzR8R$qLh`Z=0By6t@NK{w_BCYI^~p zXFxp#4wFsI4-=IdeMji)=bxrWlB{xZg18bhvykO)q4Vn!s>E%6^$qyDQ-Z>sy8~87 z^Tu8^gie?2%WLr+Gh|wzU#e_s>d)_4@3|S7Jwb49wIHzg-)XE_HC^*G7ua@V9Plk#p=~Gfr;66saz>*=`XR&SVbH%7K!K7AJoAyWvlIk61u_>7PP)5wty!WaCkkK^FMR4DZEn1!=^U4`!s zJ>WV)$Bi&Ft<9ShBB}Gf(k%97)TZVO)fFXH%)HSXU|QP zy78NI-|xRIAvxXnCbdE@#L{f>c|IoB`R2m1*z(8A+^LBj&zr{S9ojq4@mLDJg4V2B z!pihPMfRS|n6;TJQC!`n`*Mcw=}zj%@Y?FN*9MB3IDe=(_##4;y(-{Lk?0h*=oGfC zm7o9SQsWRK@A?%I%!y*_S$Zez*@NX0g}}N*rz(HSG zFE&?e3x!!GcqYa(9k;`@uXFx*tNBpgy7~ag(1=xl$yW=O9~XCpSX;^2R)lX>#HG>C z&RmnbeQgY&%Y4F;MA8@J43g5 zJ1Zd?xHhJDm*bz>i!07A&*?=J!_Bf(gr{k`zhe$EJdVL@FB-VhA61UelGymA-%yR&g&5zu0cI2RpFNUv63LQQUJp=`% zu&U}kr4CNSu#+}Ox9Rpd*Oh$1_2jxrAR*|0l0pTNQX7_!1}pB^dL>>-B1G8b3=Qi^ z(>U?&>FkaGd+$Ar=<9E;jw2}3#!Df$*Uo-&Ht8-j9vF$x9eDSY+drZ1`YbYEAY!SU z(?8$S#(9naQxlJ;9U}Q2kiI$Dnah2Wu)f-}p5zWna|A@py{yxGYbOTAD5b)*nMx?+ zGM&(?J@RfHCYg5*aOz<81et3Ave z3#XIyVv&K4N4YK^%KLq<07e7u+CYwIW3tAQm}F1(Mp(0G>4Fh&ll?&53xE3uAaMVr zV`|00tUE!d?RMMuH>?_iz=s<7bL2kov8PoJ*L&A(KXJ6iA9 zoS>a~?hz)-3$$i_eb|-^c?H7q!uJ`Q=x1WnBA^X`rJT1S-Q@gntBz4=zYA{wIYZiz z=Wj%H8LYN_I<#PUV-kLMS%sXwE`(w8{DT*~CkoFz{lra%P*+hV>1tQ<#@DJYIgqe- z2-T8z^I4aH#Hh^mJd?h!C=8u#BsTkbKr3Qp_L=7C1wPa|&t&Wqe*OARRg1b!seM}x z4hVJ_F*x8;bz*SnwE!lrkskVkIEGzQ4!BolO*}U5>ax38rAATS*Lboh1l5R)2So8)`=y2o;nnh`T7WVm$z^w*mfzE)6--x zb}ed;=bG~zNs?}4a5hy`x%RXnJ$g1EXZ=;>>!@52Z^_B75AD=`A9;c3Wi}$dgSKYO zc|!VvO`wX&QbS1g{`$2UjHemFVU9J`X=v_12cdyvRU0HKsqL7WWE;lj?9!$@Gh(== zQn2>9sOZF&ZDY%;$M}|E43y?wECO|hp-*o+3pE>%xg3JF1SnsCSs&cQTWPYx?msb<~(Q-eeUGKS~|Pr2N4QCVY@w^R+L3ayXc zcWlzH^(3)5p3LfWe8Fon?H;n1Cn3K}Cm&wMAMUA!(o>%!A9(KUV$ctrp+X&7Z3I%6 zs`w}r833o9`K)G0&*~GMQPf4=Z3WQWPP%QA{1;ZwUp!r+lIx0y##$#QTbhj#BP}j4r$YX)yOT*nDY7Qz(}Hk! zi>~ifi3expr%Ok8I>v1rw5~2p`VITL79u=|UHweClaByi?xZvD;f*Iwt!+vk)usAy zf;Ubn)q(ViWYezfKBK3?YT~#mm%8AuqXSfm%8b$U{*T$1Cbobd^Urtw;K6Iav=0bRo4|Qx_JA}9dDd*w({VN2WyaKt?o>(W}e<7z7B6K zr3voJQT&KK$;Mi;(q&M~&(oc+;uG+lJx2KA&)O`NkjjPpe08!8JP2StjD=#ir-jE3 zHdf#sKBk!)O3Q#zK{iqM2Mkh?-Y??2kui#1bK0Y25C<|L^RZ}H#ZJK}zX{ao%#KP{ z0QdKIuDGXVUDD1LRrTHjLz~-?LZT-(H0OI&p*|h(hCbj2nFc&t#tVRP0)dXXTg1~Y zYicW@#%f%mC+m3@!h&we{2?5nYDc!lt8KTqz$n5!J9I72VPZLNsf#T+@mQw43r9+B z{HoFD&#UQu)A83o;p0ZQsc)N7x_TKVq$!zpzZdM|7&$(8j@Nb4jl!r8ym)-}B>?n|?j#>pQt7+4Eq; z%vwK7U#PXgu265}@!The#T(W^Q)}K@lD&@Hig_=`)g|_+6Ivxa@_jozbg-sU+u`5Z+KM_pI}y&cc!8!Ld$lN zq-KFXd6{icF$%lBMY=tnrETE)xQ(Taa1x)xRCA;F$NQIDsFsgD!r^-tTT-0EQsf8E zUHjNG@qAA1F~j|dPtNG<)%vjfTGWzP=VAwgMOUIbrOLk4*vxZ8ed{p6c$8Iw_2wc= zqDt^Q}kVE4IZzEnnk0@9hq z9ccUMI0}W&WXm+=lC;B3md~+`yAMX*NXatl@DB`2NBu6(U-j%>x7R}Wl@5!|S>!Iy zURz&}S=EaC&9CwB=2w|dj8@&B8h=*hK?zE@t<#d#Caz}Pj*I&k8hqA4qMW|1NT2Ya zlV2HcTs|!9VVB3bWU3evi&dZ>wfkyw1M%Pm7gpYeQ)af=_59L~V>rjD^U?c* z+vg)o(eD;lYrD=!gc*)XmU%OfXj>fFSNGV-N>mYm1C+C~=fedyBfg@QwAJNt%;I~_ zh}Huh6V8Pm+gS_{hZh}V-liMS7A$Dkc|0T78>NwU>v4y2ra^Om=H+ZQH(L11SxXM7B@Jnn8a??+C9jgLBaQg3TF* zF_y^%$>aO(tJIk=S$hU9O*WXS`x4Ssc!JL-5)H52C^(&&kWcQCsJejjd=yud%a(U= z@3|`~%O{v)WGE)`Nu38(^4}kRI_Bopf>}?R76f z85X&^_82S0HrQkah>_h)BIa+AnR>~uyZb!YCQBVDSZyOkpTabv24qg3)ul4`ZRs%2 zugLgFH@&uP$tu~t=A%B;D^r5Y-H)2(Bv&mHloM2HD_03UY=(QXujuvzfS}dV2bwD% z)iZAQ)vtT;VN(vv2DgH~nm`u?_s@oZxc0M0HmJ`}myM5|*e4lrO_TTj+_|qaDWu4r zLBn*5-(vI@znL}F)b`<8QrotOaX&0gsgnT}NjX-bUY2CwY<##ZfQ}oL&vEhn#l_MD z6Ma<@ZlYS*uwN|Wn18?1?ZO2CZK zC*)mM=`aj)$E_|kZJi8!RyJ;ML?<)tOmmS6seHRw-gcSk%g!r%oJ1IRqmqm|vKC>` z?s=AErMPR>&=pW?2p50w>Mbt!hPAu|aWJK)+K(IW$(?LEhYVWFG%ggaWw5RqIj7z} z*{h%U%PZ?7u6sdAH3pC7V31b_6xemby8r=Y2{uWUJsiEkx$Rm0 zUE(ESOiF|aqq}f=mT{MT_9dqbCq191Ov1U&h7VquP^aCAz23uxivP^1BY{d(J)jvL zQ2a_L85I-laQn2mZI?+=56hsUOv%fax00eO&J?4z5o#MIdO)t`$25|Ih;9Rg)NB`7}>|lW|K9U@(lkUBH1jt-N(uq}$TOQ(N|=)DdbU zseoST0*qInhj_}?pG{Lyu-v@zSraP|5x#mn|ERO>2NA9M&0l8%xrS0(PUb|c+6<~T zrQ{B9y68~Y+%aUNQo;K^GH`6er>fMAC3|u8;5+hyqBgt6zWx-i5_c=E1U>Nibb3Ns z_RZ$W8}|imO`<&WJq9?V*H5mTUtqZM)wPu*;wbl31Q)gO} zvS~tfn8oz-qfj)i0OrL(+xYGY{rU_Mi(yr-y*#h&>%zr5;3$syUr3e&ru`ePLEX+J zaFiK0%G`4+d?eRw6>eb3#KcL?azbo^=be4DpFzdd{Bf$jZ)KyJ);WhAn(z}3%(cy?cLiw|6JIe z@~+8ehQ!Hsm|Ftm2EQylN_6lG$w7lKaZuq@DD-mty2|ykola()+y> zWi_lHR*OR?PaCh=Z>eydJzDu0^B zsiYhC2RRmBxfUa~6VILY!%&?c&c1Ow99bNG-+^jobdFw-oOCkmt=q|Omew=< z9#=zif?|_aDfsSA3*3YDk+J91FL`x2S#dQ+>6UF&4%0IMMpt*X&dF{nN{x_D(_fqO zFC>(33gJ82oRwY0ZEknG3qBb?;!SApU2hNA6VtYc&tJcJL3+}8aR?{0gx}F+@3wTZ z*3`LU6DiYDdG%yLGHY|Zijdt%b`rX%#D6tapyq-k{-@tEAn7@iHYCxy%hf17(%h%X`ZLg;mqig`KmMv#DRA_xcsh5I|Rg$bKz=T#z( z3<%BM3zJPhBJ%Di(!F{Z(i z2ZUAG?(wdCn;pNpsNuP_%RZoj$nnE6#2CLf9 zo>eENkY|l=zw1G+l6gjX{W6Tu`J|hQ{$?M3UCrNLMM`a^ZC8Btt9U+_qsx|M+QAO3 z2#l26g9qR2cHdL3-grXh$1|U=$V%gfGZ#ej^0iid(v!@}?0Fw%-WWJc->(>%B$Ixa z_czqOva#jyIPD})EvC(7-lr11n5a};qTW#5r<(EO)_Av#=+M{3`7kPH)tYEGxlf5~ zo=5wPL{X7Ao;Wz*ps{M7*{M4!I77#7VIBqsD-8(!l8aCrZ|ioL!aF|>k#xaQS2ibW zb!;mn!MxNE_ZFVS=;K`=0j3X-if0R>O`IzdO^t=i+KK9!@i1eq4ho)JA*ZbjfErbs z{7N&|yd_$eNfZh$_@~0%DZoot1q|Ma@%o<*yNp!bdZcQE4a*pDUSe6}czS}W) z(7;)zcv}>02N-XolKbS*`y)y{sF*+g?Roy?0143VJ8c=;oPcVeGclDOi+(%7sxCYy ztNP%pA(MK)S3zVv?~HBIk!&iu>LAv~cLz9SZSrFn(e*DEs8Mxe%3TNbHOeQW#;hS1 zxIW=0bL$Rrs%5KGB*D1Z)%$~hGR(@-z$;;@QzIpQ>zhS=#8P)VrOiXV$nNx5}neuQGJtJA}F4cVF z2RzG8b~zVohM$&=wpomLG|hy@qGHY;Kcq&qoqX=}`vZd|xW%4wYm{xVqd!VWzuPfn zx$X)s!NOzp{woJ=-86Eqf19kepOZ`iGg9hMl9HFqh(3Nz)ia{%z1-&q_wL)X`Gf>- zFZGz9ovz8@)v9!?JyMQKQ#&~RDOp!yu{8Rt7ZKUDWZ8L(WZs{VVi>00j9=36rW^_S z#~c3U$+~t@FMY63y#GrCrk0*}ZfjBJlt0g<*HW+V+qbE49XjREO_rb$lh?c>e(uB9 zb==LVkZT_7$D{EMF@HwtlSUWV+Un{!Cm&5Pe6^wf^vYEnEu|(-PB@vEY~rj&bw)zI z)WVwVF{6-h{=o7A)nC4Z&s3=)IhtbIKYh-({|D8J&hYb1%2pDYv>Ypxa~xYj3iWs* z`^>pjj_4PyV#UV2cNyZ2)&|`3bcAL?#>_zF1?D@1x06pH!ckpaUP#g|v`5g)Y6&Vy zua{H5S)Omd=IiZ$^Q!8x)U|8ZT4kGww8M}P{8oDI45g(pj?2JSQ@LFu-}%kax59SI zJ5=`h5n7To^tn|MA6=XVY+5TaPd4w&gDq+p?ZOFY1!qGhS2@ve_GcFMy9?X@<{sBH z@scA~aX@e|qxCEJ`jT_(=8Q_;x0unsSDR6 zsXmsHAg68gqM2D;B$+#y4CcfZauvfldUL!S6?g+1`+{U~Chl6)1i&gGF3!uPoq#sH zIqjh00=7yZFbFT%GMl849qb(v5dAipOs;3FkQ&MxivBBrk1vPx6=vm!aRZEkOCTg<$5Op1KEyRr7T z=Ox&h!Oa+S52SdvA!Dzb&wwVRsKZPJz3dIiZFLZXYjr@{Hu2;{eaf#p#Ev)NGtSbj zYdaHl5$9&q9Ivbrca6jFHTf8%0ER5qiAelB=n(kW!8cW{(9`KGv zJQ`UUfNpO%$&wIP+6#|jTtyu61Qoc5SmV5CM7YYBXq4Th2U;^*Nml}ommno+QxXWp zwLu5uS+^Qfj23mLWFf}A!3@{U%BW$r>Lq|Wxp@P^m;k=H#khxp={Um~KF z57p39UY_CZH$P;3U+Q7;t`gI{_>34Khsl*I(vG`A0?#@`JP8?#U%I0~zDY-U+N(1< zGRDbG#I5*dro80pr{tV|Dw`(af)_oXkT~tfe4w}C0slXr@KJmR^QlHC2|hDMYKIdc zCRj5cNTJ%01qxJNruEJTiTEoAva5vj>zSK$01F?z8ev|2^jShz2H69uuDH0<+KJJ= zkyGh6q?b*H+A|HytWFn!RmgR@n-THENtr_dw+?szR`iMRwb<$SgkEw5=$?L%o7($UINYbzURaJSt%@`hlQv=c%zksyr>AN%EH4e17GTH)b0z z7xPQ^4G)%Ke@UoTFT%FFU_^o}z~cZG^xLY#A?YT~*6`s$S<$?VXz&1P*6om<(q|@> znn8~vlX~Xp?b!XHWUlRNkV=`+jnK~L!!E=_ZsyZ25l#(;?UEmtacdu}vj~@OOy6U= z{-z@Fcx=p=t$;o7i8N)zw7in-fDLdp#*eKB=%nwJMLtP7!f&L!I_rA+g7ToE!)R21 zW-tF(@v(n%jepwy{c>d0bw>`qiM}4ecvPaYIN%)RIhdMMx2Ei8GBf3pBb(u~yvwz? zbAq$mN$^-g>Gk-Van>s{l`*0Z&pHQa+s82pWnJ)L<&}!*({K9tvC}t|YS?O`^@GtI zPzF6nGon{3#00k)B6!)nUNoFk*;f+V96BI5%3g!E9i_?j?EOo#z*EdOa0$klDJ@`N z=6p1s?ugQDqxDsSO;@vUy21TqX^A3GjVtSRB4{}P(nXWJK*w9;aOaz|4vfnvSzPS? zh_jXgV~wvKFkMrfTc#K*p=jJ;w8>7RE`{182js)!%tO zGCqL*#@YRR#U8!5ci(aCRp=Ae&BXqPHO3#QGYq;DtBg6J{`A8 z&hvoy*}Vx!FWNZO-KN=$9m-!5+xc1&P<+FUxl|)z0AJyiioId%)B&}=ect16nm*aZ zp>xfLCXfzF$T5wqT6Y?TeqkTd957LI!MZ%jMN5Vnr|Z>)>c5jias&weaXjIoHpw#D z`p%AmVyW`{!goF%8n~h5YYMd6dK?Aoo6{Q)5L_Lpj%18j9INKKqkZs7^q@u2U2m!I z%}TnMp@y~PE-k^b zM>56&lGyly5sa4fI@iOX4{0vzYYaQyi~YE4@tspPqf_9J5OiCD=%|!N*7Kv&vm38+ zSpCBMR5xw&8P`yEGj|qnT;qw&5w>f;D=cX^xni0d@rYSYINj43Yf=yaO|1yyfR1bv zVdX+a2QV-bJe>S2w#5C?6?h@?lpk(0V{ zaT`TwsvV|ax!bgCn>Fmod@dJIJ&k^UsqZ~d!%Icxrmmki+pr(%KN?x<>xmwHmFPJP zL+xxlmK{s^!YOW{!GwH*$lCsj@5Lqo3>7NdI@6TNZH+4a=s848(9%OuVG>IJSrB&Q z9k_F1d)&CFp{iD2^HujdrRqW7NCq}k07&+Pek#9 zoHu_`fsD#%O{2I$mUc>*Np4%c$)1K0@MG;DL#v0u0>+I+v<0cyvYfVjbo$}hdm+Lm z*3DgV;tQW*7Z~VI-fcZTz>cz-^4Bm(Ez;C85PxF z!pzXEQRG~xoUGY~@w8v;D={B>op9*9mG|8Js_F3h6WKhhSVnEs8HqwUfP_JaL#hS# z3O7o|4CpHL1VD$GmrV~Zu6*|Sn&JNZm6Y6O+QGRUZp4#eulXJl%}XytbW+s@5ymI? zqj&a03|v?!Y_92TZFa5^RU(<$#_!%$_d%||a}+6%!3M6}R(RD%XlR^uP!?a zjkWD4(*TneYvt^^Ci~kt#r@X?>}x6`E*N|7k?#@EtxIf@*(4;m@TfT&}RHV)n$g|(K z4QtQLNS7bQ$It6_s?sej6GrvM1~dk z>@jXotnBwP&grar3Tt41DVX(ixP7WiHAyX9ukWUE)?CuHs7pwEk*}ug575q@m3Yer zh*L927o=SC5TD<5nk}WN)C5a}S9P(T-N2_~&J@e0rVUgi!DfT-r)3e|jXr7%kyD;f z&+I@xgys4P`y&>a670~#rR%p6osUWX<2&)}5wzaL$#o zCx9%MIi8%)n^+seG#L}&oCaAzv)c+_P}lgnrqiGm#czaJgo<$otsV(N!>$$Zjk3!9 ztoEM|2xA)2P=f2qSQofn{7ZtutNTY&tlu%{w}J`;i;AD3az2EPZ2*z^6}O7W_O@ez zT^Rk!q?z_)sDQ3#NXr^XxDO`}!B#P^nVlN~URgF2QS-DAz*{toij2&w2Z8unP* zUVFGl?l+s*l_i5C{Q%m}ECFIa2 zyutJbs6Co`WQ;F+Wus#hfzt&-S`dUq`Y^0m@5N!+YD-~J>xmQy4f5iR$3U4U&{BDz z1%oz$+kICoCW9HM`cqv<#6e@yKroJors z+Ve;#od{vZ4K~SF3Z2ESzm`o$-gi=tS4wrGreEf@uAoD;Mg?dy)?bi&!YuNUd~roU zE23VbdFfN|$vZazQsEV%Vuh`mTL(Wkf#f#hz-ePKY@5YYdm7&;r{5-<*!yY+mp?bE z-T;?uM0J7dRIG~+tz`imkAqq5;z4Za!sOGHP?XFMi<=GCW>P+`)OZak=J5U&n{o*1 zMvKQ>6W6rb)01B&ocZ_Ne59HTggva?Qk0ag+>j7|sdbUP9Q6{NB|g$g+Zb}v$e+mo zeFW0wY=GC?yfs=uR9=m449;)3vb$)g%q1*l_xD-c(e;z z-Ijp9ed7YN*+Zs&L4nO9Hj(j;@#Qh`&dwTc)6ju%wqKmMBki&MDMNpg#CCAtAb^lF z9NYX;qwdTcX`kFdS@nrEF{E8$1v~lgYG; zoL4m|uSxF$HbH|i4*aO;$WHF^nC-+Fzufp$7U!kDXx!OXSBRh4O2HMhLZ{bA+MR~~ ztmBNWUmL{+qdTedn}(EL{yMv(E`KL_=P*g*cxpba^1Gx!AFp5Ni2bGeCJ$YuBbNSJ zZg-XrfAVc|sTtMSQ1sD91Ynt~S9sECMdf^qx;&z1fx2T%oE=IY)2s^??2`ONq{}t_ zm-w6ETx2R3ZSk0pp|}X|s5vN2x%qJ^bD>C8K2vGBHJWtA>X`;XtW3*YjuZ$X!lj1nuk#Xlm z{?oOIq%jLb?KnKE`8?D}Yg@{E0>U>s~uTxruy{wzDJG zB8KT2s`69pbK^%^JZ}&9?s4^`s~&o*ahCKcLGj=#lK#lwFZzcuhZOtf72iCn$)lfQ zc1DC}imCd)e58}sAg&O36T}@{B8;O)?i;(=P29(-czgWtQ~vgbL-@V34qOE>`a_E+ zGm>`@_%kNM3HF@xo?{erGs|pU%`7_j<)@P(0GgcPw)+7XHC z?>klym3iJ;5K6??C*-B)7y^h^Vh4ZL8U1c`IMk#{3c>QCp2}~hnvdg(h@az6Homx4 z-`l?73J4O%P@R*K9-C}UE!!3o5*o_PstD6eliq$U?tjz2`tj9C^>0>sCT|C&ZQ9RG z8LaBzZ~4CM+HPdC{FZpHVSH4rY{LDFL=@@vcX#`5Kl+~9zMu9RZdxsVL%7Ab5q}|bMrxD9x=7Z2Cxf?3yO*jDadK+F z<011YPX6QLL^l=EkBbNW6k_xHLP%ZRso>inNjuo|U_bgkItXBGoJ*7wtiLaF+V0-M zQ`{^q8#uhQZ^6)E8GGu(M716@Y)jJc<-EGv$IsvY-EqU&XWX^_=uVN)?JljqUVTV zwc3C2b(FMTKf1V~<3c#sAtZ%5$Mo!-!r(bGjSL5+KgWq9!7oBxya+&LC|C4cY z?dRzA_@JyO|0l`~gL|GX^TT_-?z2ZV+~1Uv_x}BR-bO<9{^sn2&1$A` zf85x&X7~61Q#c2X$YJJzm5}{xG;`S1DLGwysm@2r`JvyuX8q=yF45bWGt;i_O}r;OG~~<@@?|0J=H?o>4@k|F}I!QtG16%QT({xaLK#4hAlZe#sgE= zM9#fLz~FGL@m8Yv&Nof789Ri|ez*9M$2ZeO?h*Pp(7l)34zFW_wnh zyGqk-2#^aE6=Bxxt{>ZJUu{ z9Utu*zq>@w#7@uu^t&aOdPe`nB!5>fr}Tv zH)oNjD34@7$9s%xX4H}Hb5q*j;4O$H`^X2G|F}=r=SL!ci7sWV^$0>aW+8VCrcIm8*{4e%S(SLuii`%OOSA|4 ziE@j6XVQMVcQ1bGPxOg& z&5L=rfBD4T7jYqbvPkD9MQ?D{dH-?GzaO4UZ#Nu7O0kni*LOWn>Ebl+*(!R+`pI7( ztU^D6=em6H;#TfCw;IP%OnIDX$=5AiaVc^@#>=ajXr4w%OR;G(p?{jo%$wulJ%_YI zh3%S#SLu75kBwn=j(A9A6w7;MUEsU*H{7tym9JnB2I+D8T|bLhBUPyqH3>M1{S~uh zr|$gq%((96ga>}UN%qnub6oh~xM_ldKp0FqY^zE#uc&yz1ok6yU8a_DbJ z2wF8HY8_d~GU+h}GZ{^TevVeX)eyet`=j%Xxp2M7*NC+neW)ePP6$hRp;!6cO>$f- zMhz;)@|mBGJ7-|};k$Rg{ZS#3OuRkdV(ZNA+^L6QCq=)@8jd_8d*(&}qLDNmF;)=G zUc}Px@_}0=Ig2i#ki<&V$rHs^)apZRxFc+j+u|BjGeb#$+^SLa$Db|UO)HFajU8^$|Uv7G(ha=HAhL|juyvQr~_7@ z5Jb8IgT(qEceEGFzC6G(7+lH?yY~>lwk}aCSc{S?7xxg!NkrP*>&q#<<&e9E`o>*`n z-$b6`&#T2~RlsrCzZFyi@Nax1(m?XI3L(4z$~73e?A-Bu)U$lPZR5Ue;a=_I$4$D$ zng~zYfgnOTtGig5%KQ)JBeI-2)WMP*<+|E^Cc#3yHhBx%sY+Lsh6_XgRslSILk7c-O)65A&gS--CyObShw+Kfd!}GXXwmDu8a= z0P}asmr70}2gm!0y$zQkJ?o2irgGMD}yH8@Nk6PFhf3YON?gvE0RAV{ivi^^7kLZZ27|_3Biw4h~6E_W0_n5yQhvxS5)ckyN6Umj>;J%{4PoXWd0=HBxnU_@-YQG|e^t+|m=uk#B-YQqPn= z=TKd95cQdi5NP7|V_F;QYl`v-faRwwg1BOMq!q!n#jx(AT+lyhjedS*Ygg!G-(HM^ zEz*t#i;3gSGRM!vT67VcK!y@LuEu-UZ2Ev2^OcVl)l+6c9bZ0i{+AQ;i`Qv7o_c(r z!@{5X-v8XP>3B4cMBH>#=3dh<%|&@i*nR}{893A1>>*{cukwD@W~>MMLdZ%3b#ArR zc&2VV&a}s!)A?lXX$xCWE4D%W_fA$?v#qHY3)F4^Xuj$gZJPQf+QCJ zK5Pz$J=9{SAY?H={YsAKSm^R=rbcw!S+pP|WCBA(gn|xK;P= zY|8S&_#}u#UTdW2TuJ5{}8*>FB;e&wGn_JmL(gAP|S*?}Xa03;Q;j=p}Gmt^;Vmsm}4H zBx4X_W+8GbCc2<#4&Y=jZ zk6(OCn#-;OU0gS2P`Ah>`vIHi2PRT=D^QMR5DEP#MJr>k-YdpVNHOd}f=P~px&YCg z;#-4I8UVf9^yO4dGAm4U736|_ zO%n*dxNu45Ojn2tr(FbHXu%_cR_>7clZv57D-ad|;X=298C)+?dr4@5v2wEq2YO5j zHrQJ7+|XW*UqEcB4_J@AGpdakEem#!^oTlU{E+t%k5G?DL?#EP`%*08;34T`3ts0^ zJ^KM< z1>fSs z7ZB~NRmoa2)9zK^JoIH%4v5lj+kJBb@{0G0Rog8Cx0THy<&wu3{V zVEnBy`lci@-SsSUby@1O$E7RJ@uF^R+8w7w&+}SSUEbc8ssrxsBU_VXwQe-jH04@h zVU$MCBtFpx`)#?PVwi|cU#6fwG0)VJ%?OFow#qZu!Ir5RE1V6Iye8Cer^56rAT;Cq zu8B6Ll;H^5PT-d9O2mieo*cNOcT=UW6cD%q!Y#1%TB&1E@BP40jZEsNn}KCa5A=K4 z1xq9*puCFtvS3uFfo$K_a!!fo$O%xaT)OanMMj8V&Z6BUbZf(%2tI)3RDB5<_J!n_ zI6k)Jxtn0*)VD50AvOz^^Xiy#;J75Z9IT2Kp6TL!VF~vgde!A^;!&v-$hELvbayt0 zX0C567b`l5UQE=9CUA|d-e7I(Utl{!diveK@ZT!+*Prw9{!Jz4JOlQga-DmWzZ+_f z%{u4=UBb~A4&N>)`-p1H4*%F@sd4j;gSX|u1h&vLddh9Rkh$@*xTtUTs!FnZ(J5uO6~5E>uSCwkX`#( zKpJF|0!QBtuQ*I~clk1kA}P~L6{Au1mgsWIv>q`yKcp?s=4GV&@~F170R*iokhS6! zSXqvLbmBns^7Z252{_hpzc1jnN(rOCV5FBuxE(0HeDhsJepHJYBWwSh#LdpU4BjIN z&t_KPu~4qhd^hv`uM@_l;zSLnhPUShAI@1Q6ywzL=JBP3H)ir@wdUdvV{RwjAlY&wZ@K%i9fI zI+)9A?f8a@_C|jArmbu@hz7A0h>BhhTi{@k>jw8p&eifwny=~|BcKL`PxO?OfMuas zNQoQ)dimOwDIaUOZHL?#MKl~Ed+xIyQwV0-r(0<7vI=+fdyM0My@D#%)Y4}C{Bxsi z3|Zm*nmap3t>gOntj9|nG|l;|=7jv^mrYw+;2IP6V-q!v`=XV8#VcI%ZZZI&qs?b( zd8#lO*Uo4vT0!Jg9|2K0UUkmqN{R{ND@W`{or2A8K?`4I>H+dbu*YQ(^9|Y1t+}8S zZGi|pVVQ7}cKIA(RD6Nq!i)8_^Or8s*GYA4etY%cY{WjF5Xk(tDc>{B__&mK&G-4zOtdAzDMo8naaN{OScaE;R8)XM~8XiQuks9%Je3KYw7lD#pncIS!&%^;Cqgj zPp+7j)2%*I4bizmFSfZ(c}GpSnByFTjfW$m`O9i*4JqVf=ut`xC?ghDubDL_JnlH# z0h3u;-)x~mC%9c5V9_m++lk@i03-Z!AnXenNsf*cB1;~o8KEu6B6StqnLA*3s+^hs zF#e*CJ6+!kyUD_{XGWWP_5MUqzWwI^@6RDlBW`=%6wQ?ldp09LeqNwjN zYh{=|VAs(sAKw|w?I0?d;tln)0x}o4_nd-C)>%lMiKzOB_K%OjrA2S-IzRH862DCW zsNM4^pqTPSgkT}U<$JKh>0oZTpVYMq`DMdV682*^ptmgvkAjA3>+Tar2p%9jDmMgo zpXv$y&j%N~U9BA7zdRS{u%Y#i=)Sg3XV-(4gd>e75B}Jz!6-vDs1(HiIV-7*WlIXX z-%7vZuEpE3ZYYgpJqyBzVa}N@R}y(KdSkT`qI=A9uSSa7Pe9XtxBUXJE;X7;1)y^> zhi^$0ciggb*QRl{NJmVKTcHq==bNKik1Egwze;mD7T|k6iJj zTc6Y+N8bzY?scgQpzf zRA$l(=Dk6+iqMSrmihpYV5+)uVe{oo^oK++2sjGH;ito`+NZ!cFt&(=ipdV0l1X@# z1I!QMXXYAEk>u}51wt!o1Z#9Gd^YBA2g-VG`Dy={*4Yu8jlqPfrYmN zvCY5&ubS7&Q{6@SOH;7pArrcjJfwWti*-Yz*6Bdx7FC#n2z8e1XiyKf#mM1lX6giCX%9>ymM6L)NTNx^EsbG2DBP-` z_pnzxVGY_Hq#f32%QWn=fvnBSBMMIN-wsf9Ml_TUC1M@Ye0ogacYV>>qq2y=E~9Lk zP}R|rd~XuJj6^gdIWDK7)_0?4^LdKSqMW;S)Bkf3`SVv>chIPNDf?!FT0l-(RO%4( zK>Z_E>VqxQ&pjEIcCZMwlSpa0pw^5-MIQ1C8+$!@G4> z9$oe=ZP4c$>J#lUK$6q}aZ5FKmcaRJicCriBcIA016@dsiBEBJHDV61je;0!D;hKj zh?0H@_{7@4IX5vBZuPKTumDATh7@9ZwJMdX?YXyvFB1O)dB(-ax{4_d+24lpEpA611^xFez{v5cSZ+88+tECo2B|!u|7M zAmDQUKES_$St9X1ePJT?dey4*ZR*l)zoH;JD$HOwxq+Jfxz$Be2dh=wRjhRoH_OINFzfkZ0@_)B@k2p6C(}}5lBNb1B(pk{#PpK6?Xo%q zZx#79HNA|{g=<$a@JS=$uN?dkY`Y;l1~Ch@qk`DrElnblx1j8OPT{{F`eccX+3#58 zcl67D`Od!HU9`1V zgL_j4V6Dj*pKV9C21?rWpLT`qW8e@(twy=czW?Y@{*T`DzjY#+Oe&Vj%oO!Vj3 zkAh`x+F=<-A5x>|4OtH9Cu-d*tIw!PXYc2aO6j+uG?Irp&LE$F1YBOGSa*(!i3%mA)_S1bmI0N zNWe)ktbT@!j1nsoS*(}E+&d>W|Bpxd-N(!${JT^LEH(W4n|%G<4h(g8(*JKR`)?2C z_fLvP!K>7VR`=!E2YL{SwEX1h)2`9|!pW9bix2MxD)F0-^Si(M`ya-{(JlGAfokfi zy|f}ei0PNq9Y6EOfAK0~x_h_~jE-S`ZCz5B5aV|l-;q-P^1ZZ{qnKI|bt0hlqmv!E z1q3(Z1XIa12C?4Rzy2s% zqnFL&dZx|ECW(oOs^eOovZ}w;3z;Fu6Og;X(IAiz_mhewEmnumB64KN9BPB*l*s@y z=0JO*yD-+2)%mK{`Dv91arrP?9eQz6;148!V5tBgp_iSb#h_ z$Eb$Qv1g?FUZty&We=^GRX5UD1&B96RWBfyR+Y@(AA3tp%E1NpM#)VfLGrzF)?X|8w6tLzDxi;V9oi? z0Nij$*{B-8;wG`&S;Mocw?Fi{4io>pM4**yiFVAirZ_C0%TOrV(Z&sj1)`x4n%XtA3 zLx8D>9$ie9jp3mik(QjVm+!*0!i69)mhe)~$*l)R&PG@u7k_YT_#lE~!TtEj6`1v* zHr%3m15LX?!(^uJ;}&u$Sbq41))G96x@nn}3gNQ{Y~8*sl6w3%p3Bte&=qnRcwUTL zEX(gOI8sRzJ>LVd?@;B%96h33N%_L^si7pEYrfuIxt+HH0Q0DU{`n?udESOx6b~VY zoUSm{>~+CM4@ey?qP4BS_5#58`dFQ010WJ#+%4T8CdJlX75W}$C!z5`mD$g;%N*~g z{GC4;vH$(`1xY?n7QP45#5AFXh@D+O)XaXP=lAN|>;^67BA_*`;H7TxrDj5ZAY8tv zan8BVmt_KpXJamALQiz&XVITV94pe`V^O=Q5?mIq6v>9kSCE;GkBiIe$~9}LMQw<@ z93-s9FnBFoO{P8zL{D~7{gbBr^lk7>jBv0@I;9tQ%ok0B7n33G#YQH4bPh7!yY3`F z`*mj=@^SXCI5bH;={SD1j79?1%IOVO10QU-mX&_UFkX@(} zx!pys;iOLpcZu>)7dYSZg($W+yvzd~oJ|*kHgRfJYU&&tI(B9Y>^q)cP_?G;g-EUndMIH$})wyq%w5_H} z2zZps9t134!^$KJ$rHH?~~;jNo~wD)14Ve0<6AVuc&?t*NK90h`P5K_pv4kcKNV&aNpV8-`oRq3ajR% z4rExS#-N|*a?;#%99-z}OV|TN_5_-y50)ah0OvA^mL6arCzFGa&Oe2o06C+gvF^dMF z%CQADkiN`uhQ_uV2WVweM1fmY%uXLk($miWP6)N9v`FlGe%Z-LiF7|?XkL=Q$=L_PMqe&d4oDZk2 z>2>vbZ2d-k?Yu+9cL(O2GrZ!8O&7fxj?U%0yqlu_NiKN1$PFY(V~+Fi3sIWAIdga`AX%*t^gWew^e3Wz7S>{?d@Y3athN5v0~>3#?0}ek~t(p zjLheJ+LA{`1zYzp@|>r_VOI#ScdMnuVWa6w^r4uN+l|v+rcjR~ljv54`84|$fOQbY zjJSa5>}7YFdT6yr&p1b&$))*~D~zq#8}Rqp;^&~n8km1Qaz{3H^U~D;$SWD~!?oNS z8GdtLvFYI2k;qa`pS+SAi#QP)68zQ)Bimz*1teEY9j4(?5#dc}24c`A_1x>-z}c>4 z9hrK}DjF(8pkCItgq@!|SLK3{)XC+=N%n=}=Uw?du)PfNBkMB0-dgaE_`Ez=_~7<6 zqzDVwYv2Am==z9}N)sp4YCBz-NZKH-x;>HJ|LPku>Jf_O zZdyJ}W4J6Dk?Kdkh0k};s38Q$EPJ_NBD4DFo@;7yuVM&M?C~n)bVE78ylU^f`7T&y zL9ZZ{8{WX_bsNp&_L93FD)++lipZ=dY=sL6Z}Lc3dh}@L&4fijaPnitebA1n$^$IE zS8!DhFg-s`IvOcBLY5;{DqztXOx#qyv)*H=$j0r^^_YEGLmu%Bt`Gf+Yg+9}2o&zo zW2u3nX|bdQtG9rNupN6loV%IeOeCL2MTiVoTCz<&&j0kn>M9*gQz*jU+LhXGRokO} zt!}|&gdt)6n6V0~9a@NodRA#$(aTa#dYI?tk7oS#-P^H^24-uI-gudVErr08D$U$0 z-aT;LX(m(|~ z_`t%tGb}#r8by*iNhf!WeZ(|&0GMsNR!S(_M0kgf|G=j$igH}2x}~P>Kw-AdC zpIU*jztrMsmusB6rGBB44e`sMogcX>;^L>YbQ&f*O%)BY98B|ic?;l7yoE8wlnNHa z^O2Cn2T8nxv!jMIO8uGfpV9R6~%yz-Ku0 zWVNkv#;?0j04=t8{&MUpdY%%0Bxe1QeDK?OgP?|?sSDlvZ28WXNU6S|ZI`ecxdOWy ztz~SFLnx>Epx)Ib@KGMFuGSD$+$!wRtZl4q>HV73act_GyXHrp^6zp6WNn!1hY$Wi z*FT?F->6L@ULFAK|eMLKo_5ZY=p%< z7KDB|R!_D;LJka{!Yx!VJr19prOV9|a=wA;u|fqyQzzGgH4(&nJZjQq>&p0@N)6+! zQiM0L?!(A+F$v&Utplf>Y)m?e>9WdA4f0dcNlabibeJ}Vy4tC>odo7|o1PV5@|52- zh1RaP9_5(wS>E9Ab;C8($GLByuZ$RAc7^!Ksxs$|5t0shXGkKi$3h| za{2{&vs}QLSf}jfE4}AX@%7k>m5*(l|0xZ!_qMAn2#R71-nY(|CQ0*rXl2q7hq#4f zf(~=Vrast2&ihS>s!Td$L562#L2@6obE~w8L`|l8O0N$?8TuL9>_o!LhnYz9%T}?@ zEADiq$*J#qY@vDcU;b6dm*Z>pW=#^v%pmPpzwwrUO4B7@LAN<_L=LC_?z4)q(a?jgw3$bXnYZ@(&8v$Z!FVDYSF^g_IZl&r6n2C4f>)y3iCk+-s3&um|jF@>CQA40+~ zzE7`-7M&X_I(q$!)X|r8a}{UaY^)|S_P`|Zg|CrsAT{1q(d&foO;IC-B+FSR}HXXp5}a# zs+%ilS^}al8%{<;JsTinjM)YN>8MkXXIqXpJ>7s;&V>Pq7~9UYZ56QpPAqXr8lHI& z3WnDaCFSx_LYT&lGutuZs@a^Fkp^+pW(s^qD>`a0_M+|fB^IANgG3b7_tQ_%@Ro$^m#=S7ne;h&w%qLni zQp@V8Xm?+MMC!Om=uNewQc3%Kt4koC3d!J5EO#A>r+j@6)@9uH2BvX+g5qh~qG$Vn zy?YvVpq_WEJG*Ge=2f;`3lbaHKkInhTLlgzjPP#g_2}AJ<|~*7%1uYWGH8ViIbUIS z9BjAPmf2T+NB7H>^Ys&95a%rPMJiENHJN;Vp$J45*EUg{0)w`toIo!{%WTX9dfYCr zSsAZi=|{58pzJRKXNOP!wlZC#K%tC%<&4f-%s@Q2x6y@Dw8` zgb`(cPW*7(sT0u~##7S0aeQ@)fjyS7i0-BcHU+Tdk*S$E=fh#O+=hrb9;Vu z(@@yT(4)T&1l?Pv6UeCT)^nV<@QE~26K&dhGwcnR?$=Y)OuSs7bfS+2(G9J5E+BD9 zroVX0o*BaQS+kHhYOjE8PSDHG1XK^ElVJmXW@}C640g-BQh<7fbryz<@Nl!{BE1vl zn9QMtsLv(RWA3mwHowiVQM~Z%S)1t?8u}%2Gz_f)&d*G|lL*i7t+CxWwRhJQmD~w2) zfvg?Md&!=pl&93ngl)%dhZF+HvFcHdA2$InE88?JqK@J3hJ|ciNz$N?B|0V1%wZm% zx1eJlK$Z$5T^V2*E5Dq5XkLD@5q-3AQL_{+HN1;1=%5#(yJI3X*q-)q2hGD$2tJMP z3i9p;7pt@KXqeT6u=^S9Y#Q&qa42%X;QE42l0)aRtB;rL1;!8wM@yAY!1im$%Ov&n z`J6HpNHcWV+Q4#51mf`rNDJ+Qzsgv?E9OMU$-o)1lqw>bbVT??J#~3FLgC~vy};@I zK(ENf-pM8k@BHB7F;;e_SkG<`%g#Ju(u(p1+jjRU=Ni$L5P}&&{54;~ojdIXE3tez z=xjbZ4;ZH@ZNgIlW1>$y_}>i}e@C6dkj0aZj}@w;gj;2W53ua)pJ`?OrV>)Ns{~77 zEb8whQ4-CcJoj1VyHH$q+91bJpT_@E48U=udcu~t=I9K+4Mq%iQG}n)JhCj-G8-z0 zIKGMgb;Piq*HY^VFKR4qAsE>aoa$>?Sf21C@*U*ZvfBp3j=V-pI0OejG@D}KKh0!Y zu5c`1*1rBuh|`{r^Ot(BW}pv4+T48fGdA0yj~Sqr;TckkSC8gnLwi)>g40!fW z0h64|dO;G!ZZHru3P9KpsIzmbRNFXmaA%@uT6_H=(`mL)9_>ZlUDWGqc!tkL-Nwn} zC{y9I49H|j7*3DMHO(ErLp>XYN4uYV@WSoEz{$`CE1$t{UT{S0h5D_2SDH=ZC1Or}@AdH0$6eb{8cN z+0F!94c@yW57HSdpuw`S($ur@m3R)YM`KDBD0g~0x5=zpi%tG|y3`xDBP?x$2_q_1 z^lZo|;gl9&P6~3bkN}PRw*A;~c$h-RkMr%N!o)YhV#T0QQQ^615BH{L-3%DGl=Zgd z+5rvhtE-$=3QyDJ!9b7y$+d%85C1+fs;E$*medijh>suDfSs~!~osl>wrVwZF2#YTME;Vep28xgb? zLH|aiIOA$Z%T*#b?h(P9lW1W4;*IhkDnYpl0 zCmnD-Rs1r{av|R5Oz9JbYoX_3&6bp5*uEy7F#N&_n=p1Zf2+vguukhHuR`>Qi~#fN z0LQtF*hJTohcfRF<@S2HTI>sGaVTvhgS0cIDM_CIvxQh^`-YQi^>be!4dqr+7ebxq zmaNqj8TjQk^e`;Do+^*lbaHlRC_HO~FVB3kce(^%0>QY{`pBqr#isGKR&e{17L>hO zpby!EPaY2Oc=(P;=3h2k&z~HwEKr^|+rOc4|4^OVcQgJ0#YtAXHkw0UZA;z%oHoMysZBA*CL+i3}|! z$=2^smb^-+?Y+}IvaE3)T9y0gVii0a^pPoV>f}4aI+p;o=e$D1R<5Z2gw$C^5KV3 zy7{aqXV}BC1joqX&J6R1dD%L7DNYvjwLIRt{Vw0C!~ZL`_(4Xn7spA+{LQ5?K?J4Ok(VTyup#3NdiR% z`ydp}a$WQmIQlH3(TrnLPo{fCk0zJenJ}xck0U60j(J=Ex&Hk#E1FRfrk0dO5EEVQ}u6~BUq`FIv`970>{h~`T zCC3|5-@;Z@r$%qmB{I+X0=>aIf+s(5W_9VpL5ib7sdJGShG!bC zB*%h!vlrA^aHG9mgLMOS$GNJ^ZWuIb=f-X3i2-apI;_~~C?Fp(rY=Bvcbdf+X!@Hn zH6w4}VM5QY%I_Y3)!`T+{qgFT#dO~58y6auWjf{e?kF+r_Waff7Q{qVq^}QoMoA*^ zIevtt3UIlvQ7<#z0xLlCi!=0^{aIa|QiG`EjS)FCwQS(!6ng-4l_A-~{XmGK5+|o6WzJMMny+^&#;sUocPFtOP!MT+->AxCRzL7-!=YanHbF$Jj>drz^Qe7yr`hz+K z`+FBYpW5_Ilk?pr|6hN&U+GQmCyceSm$V^SPgfr^(D3tLLgUTwf?af27*VDQZ^!xT zPm#z}G}{mL77Qai)GyJQuI?QFe*q%J*{SVg%YDPY4b1KB{82B)?=p848c1PJ+zSej zClWeOglaTtDu)>V>$CcwviRMN5JYx}1~Ux4#WOOye(n!*LGlHrcP@BI-BU;CIu)zx?q0eb2PF!vRyTUcCyX#-&!IMu&#T|7WAxzZ}N@oXtm`X;lz_;v|mZ z_~t_Vm%sY!7e8Mpn>QVmR*xsR(NMNq)&15_XWp9EW>gzG40gDj_MJkyAYfOw4K&k8 zGZhFE%had|*Gk&?;LC(p+fO_#*-=Ki_K~xM855lpdq}nHdXLXrCq71Pq4B>cOI6HL zsd%fj=woH$(XCzlt>jci$G&1YO#`Oet4FQM|A$KEP%C&n{Ef2B@8QgUY0z$u{k7 z)e*6}krF1Bp&`IlV2U#>2zRzS881JiE%}{S_8(8k#b5|50gybyamv6^`3wXR2cAYJ z2v{axbVE;X9qDN)3tnVe3SjPMw;TM0W%km5bEef#oFA@F)X-(bGGZ@Y^oR9=kNaIG ziRV^jV;-Tdq2^r3W0v@6ms5?8`!SRI-m+A@{q@JcG|wwYa^TIwLoRJ5{oJegc%$2p zf|?d&z>e4VMlsdu7Mf!kSqW%tZtb3zLxZAkpJ((0LprzS@sSS!F9^$LCPQd{=5%iU zO+`cbs&sZsQ~j6MuSL{Cgx)_N;^!XzV6t15dP*sBr@g2tUUwI_boLm|am=pzX2;6q zMq#J_UEsf~_wd7@8(=xLn`2%Ui5zIa9iY5Dnfv(=V-g#7%0Mbp@BC1Dw8q^QB{7Xb zSeGUe{Z~ix?|%n;Wy1w^C*|NJH&^}Wo=bf157p)e8+dIEKYlKK7p$vMSVP5hKuh$zGr3m$#~+}|d1~o` zFCF8{SE4y~4Dj#2;jlv>-L7pcffXu-zsv4%xf-^ny`{y$+B+)ZR@mQ zX_q;GX1*>Hkagh-qLR*;rnAp~;#ko>^wb$QUHafgBwIMBt(N^dd@KLS6Rt9iF1+kxKdvPn=@LU5a5hmOCDr(bE zb`I0W>{fQ;ou6RYVD)w1Ik&q)bH%T5s#`GQbHTGngGh}#W7E0Hu}?stMyhSDpeUy! z%UD_NcrMVcqLq{OTh?B^{XfU(f0goH*_|p*NdKn)f^P;iaDq{6G?d-H%J}PYX@m&5 zDZ!BH%zoTrn-JgUQF#U_krUmBAY8$$AM9vZ2#M6uVO6px`=g9XUTqpkKI@j+O4kr< z=-F_tMH;mYgXFZQJvh1$^E`Z_S>Q%&1&g=O^#PF#mjzR`g;J1FfLneLk-!0{tL)l; z?@+&`xZ9GoV>gnA?$I`~itHZ)JS-cW07h+=rQRqYE@jNX%_ZS?>IvjLrX!onAOIrD z5NGs18>H`lL8ToPG^uJ0h73C?>DK4lqqN(Fg64!yQX{=VMfIX)AJpboX7|FoSouEU zFS?tCkLRYan!K0jT`gAasEs-%V=5-D0SN=3soryuJ0AegGkY{J%Sa^e5NryQHVyTN zIrI{Xcbw{Wcd*`oajXpldq|RPX_JPR@P=LCQfZ||_xe`G zE9#ard{Hthko%SPt$u0_QF>rllb|iNtmW>0wMQBBatRmlA8ZN7HJ`i#z1i;DOX_k~ z^)YgYhf!_G8V~}IX5H?!TVRnJ%CPxzRxMA3yBGxXorv;a{PU{-SH#8|P9T9b^F7e? z+gw4eamg_UW)fDb082{ID9dp zQ(cJ-Wd-)kt2)^?cZ;TRF{opv0Q0!t?ptPp4laVl4WtWpAh9bT*r@U|&-nmF*$P(F zPVES=FD`=l2vXn(uAPO>wh};=rhsv$R6Ik8%;2%)!>fXSMg%z4X56d@Y;&zW8|#kz zYVr4xk`wRmBGzU1R9C3kooTNdtW3D(Hw|{>t!l1U*9KqCVd|CT1p<`CNB3*`e$5Go zjQ4^LWTo~v0YDW_DB+wbmqC%@Nfc>PJ>iMFX%d!G+I(_Bf_RgEzb=+Kwv7bIVgxX1Z zf+Z?#6p4HQQ{z4{-B>B#^`n6xCGG&RnlV~}Fc!sO%t5%E@WEwk`70^7*W=^vi%ye{*=-RW;j5hSALd5vFI(oin;3B8Vsx>d;719e_&NTa~H z$S>4(sI5Q^f6k&g#r7QkM^m@<{3sq%A$AUsiDe>8G`L92m*+Vsrw%G;AIkD2Zb>^SwlEL4?tNKM4d@<3?B=_U>`wg1pv+UH3HZcx za>6J=dH8OIRWz1>ycL=C=%%!9UHO)p2--5 z>#;b{FC!}@kQ?sndP3qEsRr6{IE6uJ@@ZNbWfu6`X*v_{*a04M2v}X7X$}zEKz8nA z)rwcMg5hWmB)liog5`Y=+3RI57=B-I|7Qbe&4uQ{;|r0+kMkx=s|IN9;$LSp4PLhd zwJ=7PITO-zO&T;DUm%4!tSKpf%ta^X>X&Ed>AQk0^P2-i)d$nKs7kd~KAIRHAt4a- z@4$?#G8!Ym?l|)cyUbcr?eVex4iwhn!AVdUn7PiD7UeR1$;_*t*C3hvv!wfyd7qm>n43+kx47kuEFeFJ$Z1mb{ZJh1goCw->j7> z-F}N&*r7dH`{jEgy0I=PmU&yWOWShIwM!ljTi&eB{4em+DV++_iHv;!2z z4uk~<*-b8@z=MgvMf(YsOE3E#|XDTH0Q-F0Uv68G2@c z)YJvfz?A*CrNf~Dr#3#8#w6_`LiWw>s+#fU{OcKa$YoDFDAibVSaNNt0g~mifMmE9 z5X%8X%Yn~GwR+VDL35Rfb{5kyo;yIgosZb{a$L!lNMyDYu$$V8P9Tax%^lU;B02fG zAsK-B90yRlg54Dn0%byg^rrEZ&A#Kvwg*Iext6TglZ2ZBZKMfeSiV}Gs$XE#c6|3k z1x3Z0%m~&WKS&NY-({ zfOHvT$!R!}I*qP52dUVJNmTH!Thu_@voiua6+x=z3Ia60mOlEA=r zrK>FBW>0YuqO>@U7<@ochrk$?#Lp$O|!299;hKmI_ps0^P51$-((+xXJ!t3FP9yWW1W``(@rZs~hgkfH;mO0d8> z+|7nC^8~o;rEG;h*a)!+Cf#>L!s9{1rgzN&VIYDLf`i~#Oo;ADJwoDyR*9udt)dW7 z*LD#!(>M}c^4?Fb-`)2x9i-tMzzALAP?CGYE$Z(X;e9OB zXM|+9r6*;j5rYT41YbQqoEnF|@$cn=n#zN;fWRdY#{M9S(rp-6>EBIZQfYD1kpbJHGKc*vmi5 z+sGoi=fd2YLyZ367PUNTTHCv6Tu(qn`x^XT`HMN|C1%5$8bw){P-UtzSlJe$JU2Ax z611eBXC2!S2h<3q{hU&zn&GMJJ@W=xBj9hLGAlctxChHNmT->DfX zH}v_tJsyqo+381Lr`-$P^Gl5v+p$cv4F6p1|Msh1lHf#n9u-B(QB7C&VT!)qd+xB; z$4R^FZIgD_F9VJwIC8=J##mE#t{Vey_Nz^M_0$O`QBwwDF6#eHp$He>izTy--Ipx!w2)n zH$nY1TUj|&N=ga1aPnhM?AbCQt?r>MKc9Y21)tVsp&ZruA1{_s%+hHN)YP?MUI z@}#}!{0X>N!5kPwy3WO@EQ_IRis%u$6e3hu+#I_dt9AQFQ)!UzmMaH7Fe2q^WEDf1 zTSjR}ICni9`12}Ld&5r}8>olt3t+~(8kD7|_ToK#!Un8#-O%2W@qc}-aoSd zmS11Ec)TNn&P!GnLuP7KOVWR^l|46v+Wp5n6*#+I5s<;rP?OuTP%15Tu&n$uCaWA-K7(K;b$H)e1JTssZivgmN_xb5jFeb`^#>=PDdPk|1Y-u zk0Zk;Ajw|g@dcrP)&GJ8K;2d0kx;w;xgWlizkYQlBBYe^<_*iciF-0E9xyrhGjBQa zQUO`0J4Viry>^%Cnf9St|Eo5y$@t>2Qj#!QIXNDi|wSWKI_kX2+(~cL&JyIV1iBA2G zKdmGiEA=2KC@AJ=bo9A1#c%VojDPNIM|cw8IN@`M?n}-zltMc4Paa1vPinWZ`0${h zfrrl^yqCE&nR`JIwRPLsGsT|Xn}6;R zY~R<*KSSwvg|iqh8*P>`ZhUa4euDYmKmNa6&HI1vwW9vN7Dosc4)enr6zt`GhMM0K z^?&#zp2$OaA16MB#St22`kWJ&E_>+z^ch4>5$90D>$Iv|tFRYt_g)(RpP=G@ENyfX zEGnJ|3}2)2M{o0^`-uLiq4$s+@*aSH1P;vH8KnEUGsqQFAC>kl7r0g0ex31C-|V&j zp$ZLu_W|jxzDs(ZRy|+#N0TnC@>5jBny(9UV! zlX_`*TQkA=%L{Rl@AW+YSb+WY-`rVjG|-d}gax#RMMaw~BOS>j9uP{?0^p>YS|8upE)KBpW0W?eTgUg5AVwBnSI!lC@ zmv0GF`v3Sxt`dg$FD#(Bmpdc95yFKvSyp^jZ;NRva@^NMZakXHb^T-B1?)+s%NxVexerfT%ZQUZZ^PN+Ti=wKO>C|7J_XB7nVhXCu~ER6Q79j zU-lA8qmuT(fcnDvsq@y^QKx`tH(|Q@reuR)J{(7|>yMv)9%gC~q!vb%`07r6*2z_0 zMF)`gGsn5wbnfp+x3Tq7ii_#E^D9nY!ZAHHQex+bTkB6fEj~Eqa6xzV?Txh4*X;rd zRV^lv3#+=e^WvzDy04YO{T-~$5J$1{YsfPJqTz`s*ti;B~y0siWMpf$a_ z$`XM8WdrQgj$+ZfBG&En5{ddC*_?g2+XUp?t{(@*OW^g$?|^&*D}0oT>BohTd;fe@ zfK>yzpxk_mL6rg`f$i=R2j+M8XQyKFlrRe-mL_aIxJC@zs_Juf9cih5#0!oRYOktHnk&<+j$0>j(%t8}O3k2sXj)q%$?0 zWZ9`cBoT%~3J|Sk*xQWIODRACWM~+3{L7K6I0)Pp+F%LcwqXBTQmv-BafR2V!Z%OO zkGE^dH_fP@Ni*DkQ_Os%iIuzHyrHD;3L=u~R@-Gg+h`Jxc9&kot3;h`sonE}uxR4^ zU<_l?+)1&NabJ6{7GGg8!#=h9dZeS=@B&I%{`V%y`EMkb!MAAPr8j~#Acf|>D>flvb&`VK%76c z=m<-RVbRp?I_IjhIVXj>>&4qJD*?Is2E)oxl5Oj-IJ2Mz7!(UwSegl9fnj^GuyY?yF9aGp?C_5sZ!#NQ^!>#@i9s0J;(f`f1>xa<4>oDiqFtz9e^7nW`9+ z)*^gcT7kGPfOz8+vmjbhrlZS|)Y&HPFcD(7XOFyv3-f$5Ao_@e z=plHx4v!1}%V6!*zgR_2y8eg<9;7&{}?!ZT;V$%{x#x-Gv5OENd$YPJc_Vz5eH~K;HDZ{f8kc#xQN3qMn z`J{u~L(C%!TURgC$+Jop&uv||{VtY#B;%zRo=YUSwiD-6Ctsd&>yv_ItH&=VrWJ%| z<5rYbjQTRC`}amFb&%f`aM3RGyy2~qzGjhxc4b3X_{zKW*~4<;550W=T(c?+8=Xqa zM>3gpvq9dW4POkG5DA|@8x7OEc;DgU!~0XnEczc&cjPBorZVKZrkeZ zc5m4_Jx=e$@M9UO?6)jqJ>!#VG!I?1f@b@M5tqc2zBoD z0Og+nhX*)uyV7#p+P1D85P_5)O`d@#O4Kj!a+p}H5NOL9 z)^zRtG(55X+slcDx?*%nk;ml}*X-5MPdgUtwkVF`=Hxe=x>Js=l|=hKyP+^MwJ`QVG zQZ6m0Ywbbh(49d|iyf4et^#svR-NMOzI|sqW|_@aC(NgwgKx*cHBfT4DsOy`%Sdc# zW=;4P&GXwd(278FN#sBbk=VIDVnqAw814)h@KWIBLBdoIy~Y53_1OnD88DMRn>vtDl^Ofp;?KjSnU1I4!J`WS55${=UqV{ytLiI zpr6FBRskE&TdptR_>=!1dw(4eb-uoFg0#{xbPq#!KKI8x=exV-oDF}!=g;TAO{YHZxbOSAURSI( zR%(3$o>by+yh6epQT@>OjVksw<8~st?b);K5AU^jeyAD5SsrzkKfP=F(g0ZHJCd}?L*l|4X8@?=~0&RM4 zwni@B%=M{tXKG!v*P_U>vxXy+0*XmL2S*k$ptJ_lzI_pu8J|g{&lvT_i;QLEdbU`< z#bBv&%Tp1FPTI-3mO18pVe6A@+Nny5iTweg$?0yaoY`)52M-jQUfp+2;2W5C!G7-h&)tRPbj$-SEpZkcSE0cH*L~uy5dz zc1|W+wS23;h6u0_!kKslo~72nh3Yhy+qqgD4Vf)mg$M}JV1ueKO@6REV*_tsP`;gVn z^=QkWeWqHU_3|9!^5+^0N+Pm={==<9m6ABbF;}jau$}nfSk3rWoSVX1B=WLJJ(8`J zunUuQ$gX&exVmz<&fX?3XIj`jVMdCl#20^JGWTN(523eoya z9c4|u&e%G?TZ+z@=2(EJZ@Y%YgWmZQ4k#M=O%7227GY)393)+!ML&y41|(n2xJsvOH%H@9qx&t_fV{hDFY=cJ07?|BUOx?gnb zJ+0tK%|KaF*chB!l@3raURPQ1YgLc6vZVXp*=R^>K2d$^M2OdD*x>ab^0Cl>xqdC_ zF)!|xv?P&_rJuJWEooKan+5u7Q4M9KHF&K4v`(~JPknU32XXfp_R190ha9pcwRpeR z90&TTZS^2)JJ*3?jB}!X(wo)UP~o>7eazBjgCBtnOa~UXy&i3rq@Qi?*7}@nO7LTt zrXE#>ekN@S!V2EDwiC)zDe19y^9@S@ZFw639Ik)egSc)+*==uvQweI4Jr8cw_8(%vTl0v8X8j;NZ2Ay(tGrlaKIzGB%j<>% zg8lf|Mlg@=v5LQBr6OCeEy>d}U0TrdNErCwfh-DZB~AsS;Qmeri+h=@)@>3fYdkgV zNFy#R(}Kx~c#qU`2*#PY?<_27?=^tP_=3G4OfGr8fpyh?!83deWuor25h@d*%`<*s zv>fK`mACyDidn_7?B8_vXNQZHozQAH4&zSVcqdviDhRJlv|w>TQYupX?$}iOJAH3P zvz%9G7_-Sy&QT^Te(uUVHCDvEUt4}^N$0BwCjFL5 zy?g89&ksxaESDYy__(!Y&}~IxqA5+G#4=a4SOp_j0fmLZ%he8<+v#jc4-GpmfAQ>8L@g)9gY?DfoTzYvMup#Ms|*0Q!dfIl*?~~^9y~GSzEJ-?e|)F;(3kxr zKs!C+FsLvjatYr`SY(;%A5eB-Vj!Rbs7qPE&TS2`?xaxJH%%CWx+>*c%zheAFVl7@ zm$A{)8mK6wePA0+SoYc93+fVw*G#-uybHn8Yj!q8=m6j2<{Np_)`;;+TC(Pa*thZ(Z?XswD+P4~K zYv+O`sa_}Y@_29t6jeF=i|Ec#FQNf&Qdh!UF3Tc0NUMyMjcHaY-L~IGszB$hGm+b7 zE`{oGQ>6N3!tOxvS1Q#>+Esx~2IQ`*^|kUm5P@a{i4&Pf1kK0?ciSgT-RnU+NmKJk z%LXjsL2jT5bItIV21F4ZbopDs!vrw`BlTaR#zDg0*FlqkCP~Yf?|((g{l}n!-T!V) z`9jTCEvrj0#9@aVcKHuyR0EAeuXwkor)`UI%kqgHAT&hi_AJH53?SCD9iy5|6vbuT zL7~K^1T>qbN`7J&rmw_>ezg6x>heQL?1WgyR9$m8~0b)|9K@?03_SXZRXB{-+! zHzmFf&7vVxpQ2&>POp14z;ivsK+hKcB0-W+KF!BRN1~X8)0nw280{P>(j5lWVGE*w@f; za;QE{j$SytbfL2^PWt?JZo@|?g=}t|=a4c^^dr}o<&UC!uO%mx7X@hYi+P_R(tMp+ zdd+9fO7zN2OK6dzHK?l7tEW9%ZQrg6)+UU&Q+8o&YR>be_}3hro}8Z2A@%{9^DH{U z9?~eBKkqfmDz|?n?=feEkdY0Y(L*!2pge~31-lz8D~ zoy4zUg|QQiS|3x~-swi!n8kF|b*$gk?qg-F(^sLKk8%GpMpd*_v)K(y;^h z9=RJZH0>&V4?|*iTaU9;kDbRV-75k=2Z1BHgQ8%Cq`$*Ogf6>qzPjc*G5mG6RYhaq zad&(BXDGZ*k=8>s+mDjAEu27#4N#$|?rs&beU6$VGc{6nov4>ugR7`xE|PAg??GMJ zp8z^cn>yeLb@(laqh~#aUi*)NEsV{%03@mN(ZVmEKHh>_&|FX-Z=wJ<3Tgaqp6V}o zdiAeIn7f2`h(75r!3w=lc_NlN7H2cg@~z+W9-%*J$}nrmFqxj~G&aP5Woe7rpA@~@ zaslTYluYxF35!sOsg~v0HM3k+fq1V*K`*`CU5$Wh6Ul79xpdqE{57ZTx)eM>raPTh zp@f+S?d0~kB=vAUN)-{`gvgOSo!dP+rOu48Y|-he(a5Dh-_wAc8@b&95)lT{FV#;K zOP!-N5)D-N$n&V#LXgt7)F){gpo)+PyYB>GX=7sP_ew-yF9S<^5_QbBfbP_A7rs*q z%YyZ<+bz{4&mi$y*FPNbZ~4|wFi?m298&xA^B&qLw=F;Bc5`er@%pkaF5fQP>2^~& zYN9U9+4@b}h(&bpbbaDvhEtm}fh%dmMLQ0EBrq4A^7(wl=)cXyK2OmQ|ENlFFB z!{*x#Hf)j*(iRA-5V0?41uO>AHFnsC3HoskSEy19T8r162w_>W&+WiUAzn)?8rdjwTbIozJv=|=Ge6VV@A(43a_N4Lv zIUWjh@K$wBg~>(Pf58XJd<%!dIv%7GsJqNV^y)x1 z9zhR1?`%cuFuolJ>bi4Gi>K6X$S^H(iW=T1<(Yl%fzcpZm{>YCzt$bS-%1lIla${z zMc_`lmr#zyzi)c?bC{i(Fhq@`NAxf8;Ozvbn-0=YYRPBJA-xT|cI_t(rH&Ok;8pX%V9j=*F z&zj!TJzu!2?cc>k*}USj6_}6|Ps73-bu6Bqz8dhf)HBg!tWU5`pJ2e-6jgG9ccmwB zS*M$l$T79Z4-#gSlSc08AjHQsP!khlV(XdBnJBBTcwf#nSQ5NnJ)9EOt*0zPKt!HZ z+Bydn=>uKuYx@NR;Np7jvJxuu@<)N86GyJR{64Os0!i$;s+t#OZL!8HW4CHqqR=8# zLv4P`X~|{3cI%b67J&Ts6z|&E(k{mN3nk=PG<~hEZeDEO7F)6}-8N!U_g!p9rCNbw zK=1=CYCxXk_H(7%_i~`Qu(|b|qSw0z2<3*!t3;jrMv*2it{%UIInLvK>(lqI&h@J8 zYrkXBkhnk6Oz|kxmnN`*P`->Nf2cl*iV_KYEhe`xm$SZ5Du3`mwA1^McF#as0sE&&1O|^S-rE2gj4W%M~VO=ydI#Ucg5?AlWOR#!ovY z2DhB!wm`Hha&&#eU)l^)5Lvi#ekT!WIf*qQYWE1DJlnn3##_EiTm`V+#*gKS=~@RU z4{c5Fwf6Fw%tfwxFCPiock4R6)}2grCku^5h}M}_I#oz#)Z8Y}&?$W8PxUfYt1hTy zVn*K%JG76^ooF4gPz=Y#rFiKUe5GLKpLeR*k??mN`!<_3t9vuT`3v4isobdGY(4YmI3=~rm?&YxTE2y{@lJ1*mBg_;PETuJQ_5gWqd z3h9J&!LE?({1l-o37g2Bx9gdk>f%iz3w&-MttZ5U651x@xU@mH;f`tL%Wn4@!ZL|$ zO+fA+6jc`K-L#!&kJCkPf@J_}JIig!hyoxSjgX%}z-|dW+y|CUlHezZICJM_{hZ2d z7t$sV<`wrGKbZ$^PJ=VoO3`<_VMs`t9c`&Yvg@Rg-sDWGJPc7!>YkuYg0D@#fxkl6H+oKit2{A5!pOLOQ_;I(Iz~xI)A6tJBn)<|D6(OJ=(JS zP-&}+rB@)rjDx9>?b5EhhUZZYXp*ga!Rw|x*GyN;t_LoG0iro&jzv)dDemj7S3;{7(TqXPPrnn_>HeEfWt!5BCN+wS6C%cDA{yYsYL<-SqSCCtpLbJ^MR%av6* ziw0)kRu|PzV0+7PPm^$l+}dyfhUtiP2NkK&b(xNyJ&=a4NaBw942UfoaJSpnwXCXt zDnKGffdG3I_^;0dw+^+@!7|tZQ+5t>D*9}NXnIt&hGH>dHf9=te39Ws0|*j+zc$fb z;;U|S{KJDITEl~g^R2Xrc^szQgl)W1^^j+418Br8N;nwrWk9uc^s))R!8(%gI`6#- zZBAQ!C=#Nn$?*|kO&O>t25SHdQL{nG??}Poz&;wJMkX1MlwQFdfvuPe+ODZbqg~%T zs6X?aCx6$+5pC#9338uw;(DPsQMIe?s_kuI6n=->YOQ7eT4)YFe%{MVM$)EVi>Zfw zbA7F&y?x_&ra+lwzr1+6)YW}_rX1yA4t3#PJT9Y8PtQ-2tS|OmX1*Loa+bt-oU_f5 zD1UL0d?aW)IfPK)LOP_EVFS@>gj*d!9#w=LZc)pFtfZXjuVL)L(uHnVA-L^^(9%oP(}ylUSXZ-=z>v9!Z7*O z-#AGWF7B>1d&s>cqY=)I8%TNzxQwx#^4r}vG7YnTuBcEyu2v+CYaY!+3#dtMLw#dK zPiflK$TyxAE#x{o06sRKlKZ}1MU_@Z9IMw{TavZARNQ;=05RD3{>HifC08ts4lL=VZFv_45O1s8`ig@l>kV9UN`XJ8nBgcx z0E@Jt`*7SCcb>z*b9Vqq5P{HVlcDqsnto+@k2w1F;3?08a@AXS)9SKC=j^u7|DK)zCkv@_u$q%09K%F(bl_ANsluUs6z%!U&2<9*yUZB2^~LLc(!fX6LkPtt$Gl1bY`;hgB45)WGb$ z^3(2CObf*a3MVL!9CRD{9W|Z8-DltEb@lh>%_wFn-C~LVgf9-GQf3b1w~kt*TeqEF zn2^b}eq81h%3hm5J^s72BpUs`KqtDNzXdUQFa2Pv7f6)PMJBTzUT1JvzsJ z%=+|^Hr{MG`cdsqg%h3}3z}I5H%gz$Xqo7QY?#eSo-k1CI26)H>udk(ig(9@qZ1G` zlNEd&QhOY|<#4AHdpP`mIdan7=~LUYMP{Nx@&-faJz!orMJ{jfAMzBam9(tJHd)w! zz)f5HTEl0tn!J>Zy_0VCGOgb-nR!a6a%)QZKxBrA2r2HlH$3>-{30R?c!va==C;|39k!d zgeDh5bI%e<{r48^-+ufNJk2h|uF@@QGUrH2dBJ`0a5v*w|7U`+vHE9TghhPN;h zhO$9jrG-)_ie#;O6F%t4=UFMNQ@Z`H{B;-pk4?YB+6vvWRL}|~)-W&6oQeAwEpb%) zAS3$#&HV~aj9x8@s z%cOb1kGN)HPi$$d^5!{^& z^;)&T!vFhlfA=aNs=pL**T4AvfOfSN+XG$6j75pvKk%(|7Z zXu}uQPu>gE_#6K&P2|s;7yr6TxpBC{xQu9C7q6XRb-hVj5-DGYDsHDoH07tRDGJ9b z7{nM-17y@CW4$^L$`2?mUmhs_=N>X7Yso>aNS0iO;*blPnQ?T9c?Uzqse`p-hx70N z`sZ0)i**tUzPF$&VXGgDdw=3DE5<)w0M#QIC~+xp(#--Q$)ieb@(ZO$Mlsl6i4mD- zN6qvl)$MYhqOx-bw*Lr2Pr;m1{kEFlyd$YSnr%j~?7SuQ+e(DUfCKs^7@~JeX!)s$ zIQ?@wHUHg0@821GoGC%F^tffUj9!|R)9Yx3ih-cSkLbiVqg(&ETKAEj z5!jz0A>$`7dScIAroMO)xZERmA{ev8RKFBDml?M{U&isr-Qcg5jzSNkmcy_7N8n!= zn8@*7hIcNw=s1hb|g{PK`{NsJgcI?VhxrQ&~m>|MfL)9yKHSFcj} z`ZRO?xzYDu&&b2w6I2JyYu9|rvH!n9Ao0bZfcXCp0~ulS|6w5iU%^0Ld?bA=yW%xB##lY#w%)sNUYzbxXQ+F{B;bWo;%1dcqn0U$!}Qz8 zW*D0+{WZs(BX9OyyZ0zD;OC3FJFd5K(ObDh#8+yTBgRRc;b+AiOgjxbOM4wX2j`d9 zG6uuN>!!x0|HfX;zmC|9Z^((jfXqu&^M%;@(Akqeu>Zm4?!m;4SiPKt*+=X6KMn3# z_+6aef32whK5V>K5UY_qSd9*ySXZmq```b?U;ZJWlg9*&Lnpw6KZPuM>aX^eKknS$ zkEJK;zk(WLSSMB&a{|@o`_~WKZTjbK3*>3IlmLPQ!NRa7Pr9J(H)oFPb5koOIexQi z`ms0DR{(KFN%<-F4HJMItB%e0N5T=rh^V>VKDMzZ|nkN5}Q-VTLW zM;5rU2~7#+C3KfyAI3eum-}P>i)35c;#ONH^e=I&87ZA zyv6?n%|L6kO?RS6wzM+^P!9}>>2O~+ym^sqk<~3pVYW2$n*%jMKvKk%S|EE*uQ{-oNlXU}df|MCsz_2NZDpB#&!(b&r2(^emwxBi5k zGPoo>qcf`hl&}RyOkGj~Ko$XAQ+m{wuLtojF_Q?e^;MBIc zH=qV-E%}#ScUS!W!~FS^`u+J+Nagsw{9aa<#@Uuhwi8`R8oVFQ)*F}av!5z;-MQF> zg)UerY5mznu~rOQIl5mgPwaaSqITYXZmF!Yv*cW^>-eLxXPxMpA1cDnu)>Z$_T5ts4UIdV=UKa28(N*me1VETB@Y{Z+!$shX8M1Kt-PuhUFdGpQTpMTD(NPyRI<6<3_ zD!uxW$7vv#xAj(ws-%TK4@EtK3eRG{ovrgfrWnEr^(Yj8z*-BrA6@Z!p)> zMZ*b#EDZS1VHuAM74OsBoyU9j42bDih&+p6zi{`xK$gSbb_#x5SL!F3uqtwVBMt{B z7fdK0pSk6>qYO8H1Wt8ECevB$OA>$0^%vD-uu4TpyQH8XstSQv!W>ETQdlYZ2a2rI zjKzNQFpx$qmfz~#b4A32!S8wyNkHAUEu#v_JG+GDoS6mTO$o?r%)l=20W4(KL5OeN zRp`xx+Z##R!33Th*QVY1;B57C<%s0|hr2F6i4nWcfN3E;xiLqs8GSBpanI&=9O`=1 zi6K~{9F7u{iA7cmH;{}t!z5G>B;f`ed0;Xn80P0V(OVk;+NFvl#85Dgs_%d}q!mbB z^lB8e4G0iRbolV${^jhm8~^#P+4mSY;Bu7-CYYyc6%W@`)*@fMJ*bXlM5bzpGWYxN zl`G$grVZ1$Hy%i{{IvVbZRvrR#%~7t`UBc*a;w1KIlMi|G6$?q22aGW!4Q{{MXSvb zHOSF{Ic!P9^>h4}y}{d;OZouDv(Ch&u)|!tf42<@?C_2wXpZ)VOIr=JM`akfJtB5K z8>!YKSoqMJju*9#V~TPz2u4?FM>)%8?RNdyUCeuBr@AS!|0BEq`x>UjsX;9sau#bP z=KZM=PTij+AG*WatM5T`FeFqhR0msmJ(wNsI9#J958jGgP+qh%_kyn`13q<)-|R>u z(Gmh{-wSHSH-nkb7~kvyAl+9=>Y$>po~G4qELiAab!jizE?sGpKil|nP$$DG+`zfT z#3mxej~{d8h_>m$2_*i8eRDoUGj5(T>G^o%cW)gspf^&Aj5C}4F{_-@js-TCBxET| zcfw@n$4sRcA3SQzG($1qPLOr}%m>Pj18Vq+GDI_W71(jD&J)#B)Vs4MF5s^pT1hJm zb>c1Q*kkFyb?nX{kK_&epRwsJOOc(zYNYP_`)us^HZ%1cQH!<$j_TInPRQ%7>jg_C z8KDXy%4E=S6A;L-kaqH(%8CF#B;yZJ)n!{8*qOYpB9ZKpaA|V9?8@&x`R{&t@U|;)L7%5#;gsk4w3xp^1XZcvq-g8~ zmgKhgf+IQ4EKrZ#qw2Wkx4M4*cArsPO1pJOOiaQEmSw)bLER}ANRzoG2Cm(H8V4v7 zXJJ-3AT(=Eg*8hD2<}$f;Ot~J!&dG56Gzvwr!qU|v@waGH!{@>sLudEN!Py1s-jmq zBUdEjE9W{PdB!w?6{qLiK}+WnE@=;Jr!Y@OOG}P>+wSEZ&wly4=C#5_E?2j9&V9#^ zc^r_leN)i3_qf&Dd>I=8=F^|vR}@a{K$s3DCi-{BYnn{3Iix-9KZWURWzsz?8I)t; zHyzDAgU^@ryjH)IE_M<)IBsrx2jIw!lefBmKu*3Jq0s@QIJBy1zf}35={krPTaibG*nxpDz|v6pd3QZwq&Z(_;52CnTDvP8C`E> zd64j@7)3MO=l+R#yCV&}&}Y!*wGa?Z)0b+5IVPVW?=iN$CqG)tFAcpF(cVAYjKahh|*u4wtj^` z>ktbPLPCQFu2NNg)o~f%ao<#fXz(Au^|b`$4Cdz8TZbiD+?}5`Yp&N4P)zEdUNWbs>)`u56k;y zCJKKl!nx6quq>T0jWZIG<3%tsHd~TH;@hS#Ub=J=cNI3OV<{7+qta$jPrTstPSwoN z%Zxy0`-ehjQT;swb`xu3#D@^Mji?@vF{(&5SIHKu9`e?vA!+hdo-i`k!VF zV2KAaSs4I2f8u&lcOS7=!olWyR(AnZ2?n>XRB-9rdFR7#s~gD8vV_o|LDy~d{D=y( zSSO&7xwPAIB%J&G!SLJmLQqpbQ3R{bv<`X$;T6dY5GWttTEznoCalMBN;0&pa|^7M0iiU}dtb0~?znkreh) zlDSV{Gk@2b_?7~$e%6iN#k;%a-}sr;g#Sl>ehQ;-HVOexzELZuC-o+zT{77`*)Q*T zM@G37G8VS&b8y@zRjuq|U}+9zw-H6EvwiVv(J540L@vL(!MUR@4t1k3U)uv42{)sQ zt+-jbl3Lp!QBV9;bhkUx#v18y8JDfNEQI@w_O^wnuz36}cv75fKoYAjkv8EiN?Evx zWRM{#+N|20cS?C}q8b5NxoVS-FB+Z&;QQ`MgqOfk2{7VlJyKV=k}o$X`BOc%ufGB5 zR^UEKQG;a+*&MY)O_^i5SQ*vU7q_Ex%h5<91hNTwh-%8p)aBga_=qdf2t)up4)Ugj zReZD%wBemWl#x0IGw6+nyIx6{0s47N<`NIVA__lm-JbPT>i`M-(4y@SXMb0K)oawp zz0m^;mzx~BcHmqZ2vjk5L*k5uS(KCZ72l_a&bPvW+)LR>+xMZ^28yYA1l5~8uSt@a zsgk0X4SU4W8k!#OXCYY#yclYN+nex+R<;}4jOWsh7&$HkMFPg{2!;o1mX}^%$5kDN z1Ias(aYa7T!o&6K+r{Mb8@%&4HhYZ~SGaj_2H#g0X5S;@d^y^0;paq!*kEWLc<1fj zygte*Hb~uj2Gn)8j_g=#_X`tm^SA!ba*_S$#(u?_367=o$VANMX^w=&e!0H#>US&%7fbEOmM%Spql#e zaR_PpmB2eY?>CEtG!7D+iFo!zg~;MCikEASZ+|a~?J?UR;Hu^pNRKip7eNWLwxJ$3T3(*N>;5i#yBXF!ki;2d#aE0nv|c8k=KoBn^(92 zzyutgC6<(vpdPb-Dd*Y)EyY^1Xt(<@%Blgs>$zO=y^Ej3Ei~A=c@m@sLh|w8#H}$o z%l{`Afei}H5jrd02`_|BQ00{deX~KK7~OMi z7V1#eNL5DMSi`&fR=Fa-eNo3?THN%mJbWQ~N6l|KFy!1Z08rQ0lY zEWXT3Z#k72?e!n)j0JB!6DyS>#Yx4z)55)4Qe44cSM#;C6U=@`$eV{gtQqp>T z4p+i`#?GixxgF^6Hmi|m9ojv(9InZcwDb)4dRSvdKrQdE@hnmEa^Hk{gDlfIiCbM@ z%s(5ZZ~u@m!)3^2SWTGc$5y6SWaHSd0*EyqUJJY3@4C}^PMDoX{{&Cy@3uXGhYWl* z?N4npLt;v+GXn++|8sTxt6)a~b82Tw7sCCvpjxg;;uuYGElFBWeB zwWjAnMow!=?3?>Sy?%s(MgAE1`%v$*2;vzG;jAnn_?loO)P?gdzCV#(3yAPq!jOu= z80BWs_7oFBhR@lz9v5kvuNVkk4StVrQw?_9{qUDb9Z#vp+J$s>S*e7wdDek;yFw~t*OEa*@T@L(AK8L87tU<|@G8Msa0gsPAo#=V& zdRpm4(tMk(e1X)!hgOnMr34@>UbanJ#0kCTb*xoPS&C?-IgjNXJw8krPck94*5Sz` zAl|(xZdQHDueUw}-7OrXqbTQvW08@AH8DqZ=|ptAR)94R1!S(|;E3DTH!3z>yqZlf zzfN@4udDV?+h$`YCd-H%z=P0g(H3cwY`q<|>P_S+k9L1~g+Fah-1K<-!3fqNI`?WOI(M&lOtt|_igX90nRPW zf^BcnQ_!)W`sHqocJy)k9si?z@qThwj6dXM*3shgPsHw(+)OWg%DWx#60L94V;FFY zyzf{sDy>j}IiyxgQH_oK5k;mTlxgr4@m~a{3Hg-Y%F1nsUBLt{>cd8z*}

kU2un{=5Dm;cR-lxQh3JzGsMSVwqoN@%J4GVJ2c_)4-HCXQqYse*1AV2c>MJgu z_tHiT-1ZP}UF@S6A$(GCbg=~s!`e)pnoXu%NI`n(mr=59g-{ciM@&vPSnH83P@xVi z?n+rEDY}Bf{PrA^B+<-&%Lu=#ix$m4&73bfsPDDwLJv@~{T$ zPe_|5$M1xe>{Yrm>W-@S8Pt0u?TL<<2*Y-7AGhwvYkBtU*~z>seAftIn!WEZW#Q|C zW#RXnZ9u0~(cykSIHpLv4$OlQRfmCavmE{yp;?6EKF|hy(daR0de&gHhZUIAZDy@A zsitryZWg}mBUkQLi3aqojDd)6@6(i@McMk0<~yk$dV5i#u_ zwub~xAmL_ey?oG-8Nq7x37@ca=;(YPG(J1j*fOx4o0CT$wK!0Xxk=PLwXLzg)JJGN zj`+E0FfY%X7BS~8mes|8Hc%tlV<7$}J>sol45STtmp$`X=&hjE0<>y!Ge|jNL7Hl^5-)qXUTlEd zTLQHLsR9uf#L`u_C2ZkF<}8I+{Bo32<8?Rp(TSp&s^bOsi=(;m+KF?YJQo@(@amaB zoB-3BPbYhm!yPQ!OvyQ76wbqpY%|tC2(xZ}UxaeeLX|;mYp;^=@4X6fzrD|Al2EpAYhvK2_!1e z*q0dDZ{SpjWnqIn@~;%=;6$8th?j+Qg_Jm}`Y+02?8l}L@yJ}8xN_q#t`MGmURo=e z5W_hu<1(fnA?uN$$3?KVuJ4m^)qsxMchNq4i}4m%B>1x_sp|zF%d;f=PQd>Uw?>yM zDbv1fCl5neL(rq98keR=P%ZcNIrG46PE_EmW#chTlUztT>6?2}wALM(Ddh}mM;~i9 zGXGDg=sJ*_d5yvyX-Q=n0!)aIc~nGmT2GNwpiyCMG*V{gkCU9&pR z=J4KC@wUmXf&S#C6T`v;vkbO2gb-cmt1NlWy6XeSry^FyDFc4G+3`-bvMqn;-$2__ zfPW)L)HOS`mR%-6r(gtbAD*|F%3h1Jdj*RdMVXjTl$ITwtv%6jO_H8kXQ*r#J&*9A z{M)h}5~y}1+rj~=RQtMU?rpG?kd8L39!V9?-+%Jf1E7y4gFkhtQt+w=M8ki2wW}!y z9Bjmd)1;-lv=AoY)hEJQmKgg3DA?0L|b3KRo?84LQ z4RV<7+M3xK78OzbtlIohC>=5MXtlHb?9;@TNIT{7#fuMHQ@HTaLnIOU;`E5@1V(u; zZnbYfR(%4>@fgR)fq_7u;%(1lNcjD<;8H+gH*s#wO_Vf#R{n8RQ&aime}1d~YOZ;I z6971}P*%c~2TEA?#-*|x*)NoDn@eO%kH+G$vN=wVUPbcVkmH?>-dOXpb^gA8byN%y zTO+@Yg`kDrc0r75H&fG;<^dtNC(hgmm-nI=I8;d}>Rqq01tUz`nAcu}3u8=hPQssw zKOV}KhMYF+f$orT-9Cfl2q`l2_PJEeIRHS*2d8BXQ43CEPOY_J+CpdI*>Xuo_7E5% zTZe?2`ycm~cokh-(^tN&TU#V)oi0QbC}o%bqvu$a5PbuOQ6} zbX<+sYWB9*m?`+FHX%-x<)uc!l_o-{!}R_kTAi2N8r+}TphTv%qG?$ykJg}-!piUp z+H6$~W{Rc1Vn}{H^VB05RnO!pQ4DN6_e*z*zWV9U^q_GU6tcPc#b=V+qaS%QbyKeO z6%q%OVvYSz$DemyINs^edo+#^%M~5gkQV&bSm0xrb7GuL&6vTrllUE#hUAz4rH})u-|BeJwQUDkvJozs9|M7Mba2IN9S~>^ z`>Kvo!X45$xBv#u4>13W5ZX18g%56mpz=(EWw2Qtds}iVdktC&8PT#HId0$*lq7$& zhB%5Zi%1)N9oTE}G*4KFzD99*h17&xh5_&M%^V%F+diUbT zTmTu9V_Da90qS*wI2AvJ+1a;358PFyQ}U)RL3d)h-6G$Ms7tnQiX}y{ie?oqnsClk z2Fw?tZ@lnMF~AU5+WpSkbo|70r7hjOSN8lNHGWE;~MVqw(}4YnyW=%+rn-mY`4Ea?OWXnOaYBv#eZ=Jaghq z=73;*!j4x$?dB1-5%~VdV6Ze~-;HDNNNbW5L3J$8Hen3xG(r{}SD-qPYfDh~D}Y{0 z&W32`j&$?q@C_o-Ik_D=*1pD3w?01D8Gk8|B_YY;Ext{Qb8DB1GQqGRP{;F|LtfI?;-Uw4Ba&buGw}e_dgs|Ph(6OMM+GV z`RC;x<-Lq7Oofgu_q^u(!luWz@@(12cyjmm4o*0|R%~8aWdSBj4W41tUaGph5Fe`JUj?1TMugD9+*IEnS#tLpndf3+&SxpG}6qTjP zPrCkYS0uj6#O0W7dYN{zPB;E3(uu`Qq0sVRLtcjEaxPkfFmm@9MiA|)(C5we_!7>3f$d%l4IC3sv~ zd84G?7BUH6Z(`OrCtKT;Kv8Wtc|B#R=*iczDvwxo8WjKfLmDv&EF4p$D4lanHSTbd zdoma&SY>(@N z*i|M_=D+<9y_+Wn-eINIse>KVXH@E&0Zd))D}%W- z%xk=AwV$Xh=KrFERhhpkT#k-^?jXb>P_WY3oe8eZR^p+jgRrdEq9xqTw{(x64S^P=3uqPtww{_CDI1;wCmr zK4K;_T9Q-miZZyLt1>m==sxglv6FZBp3^mPAs7rT#UPwA7V9k+OJ2>5sqc zZ-0aUH-p7%LU-G+Q0`z8UD=ZQX7WhL3xfI+Tk6u)44aa35d}s`taC``fxQ`7U@)1z zli4bieZ5vr5<6}#Jc)X!MYVKmc{1@LE7U2{E>`V^d@=UU*As%Q8+B=>8$X)FfwMe+pWc5G(kK5cayVXcv1E8m}Nw($?rfHI=ObN7eN*B=XwJ#8~i zmH)$2{F@TuuEJMNbsIH~MF;>pq!G6Wy<@s0Fq?`SR7yQ$|Eqe&L9g9z)%TkPmS%llJXjVO=hL3~3mmefVjloeB zzW;jAJLd#u&Emn$+G)RgZ+}=u|7(5qeL()`OIV;YTVNGE42Zubp7tfJ63?ynrj$?F zpF)c`;M&?Noz)`@FjTeWPrKJDMqRD`V}kal?;ZIUX~MsTBmf^eekGd0Q>(8c<;e83 ziqWd1v2X8^b5_x#t(^4-(IT!K^%WLcL6rcx5-kY+ku(ba0z{AEw^Us5a1nPi__2Zv z1BDv`6ek1iLh@Y)3EyH!T?x~lc5etAY_9wpq46Jnm7bjwF!OFg4{4$(CnrZMc^IcO zji^n=J|$?Ij7)pO_a`57mN!_j^Oz6bm$k0g7idh604EYS$F zcecrdUtNnaP4loCY8HFAz%@l4J4y_QFa5yk@Q)uC7<m|pIW1NGd8nRo0|Mp?|?Njvq0-A{WdaX=? z503lY0?$tc?C}aMBiqt&?w!GCj>U{)t@{`&M-?FZDp!(NX(a?@>L0$=zxrEm?9PA5 ztbO@06m^H%NS4v|_XiVlO|xUz*3EDBo62p3_k=3Ae1|J8@N&azM&4TblR6Uf3?XG1i=CZceI_0-v3MVBoW#N3%Ej}Li~b}IR< zN^ZjPd)awDtldE~Rs7Hc%_IonJo_O*H+1(b>kWzzcHbHFv5idA>}8ry#G>)oSA>bq zlx-CvJR<>4Rz$toVb-GfO$N(9`YH#yKDa{^Qe`x$Ho>6|oyp&^vHEG;T_3mE#|5ob z0hy47(pGmYTD>DLYG_g5{eWC*PqU)U>PVvF{Y$t z_dvh4?$0jwW%fh&%C?O|S^rvc-|6a4~5Y~+4e)#aAN9!o(z$ZH!#&0YF zl`a!kdwm*MdaB&g&bPyKrc3j%JiS+Va@a^jbl*++0VGhvPA8|-eDDZmub^@TW`Ip zIZ**4!>oRn)OaI5S+U7;@`~9XFQ0#XG(H(;Kqll8wjJ%|VPfO0BS%1-$%1>h=xM5Y zS7AF7%(QlhB~gb(Yr`^H4U56t=#D5qHDzlj0~JbH zF`uW&4UE9xd4A!IotMxxZJagl(;D_=8Q@QiD=fDsPc;9)zU(Iy+n57`EfOkGy~w~n z%>y2T&YZGw(N{O3+Ut}LCDF}W+9QVl*9P$?|4gBKbK=1m{3N1smrc*Bky~z# zh8QykgUBCr8eBUBn}gTF4h-x+heNqH+OYrM{Rec1aGWfIHpCh@;h~X{R-kPv5blla z4>muNY?u%F+xBo%A~HQ90{M8j@dFGmrnHS9rbHX&F_$k~D4X^6TBb`zh?@luzXVx@ zL+3s`@Fa%s0DI+?O>RmYz`Vh<+2Yuy;|(Y(1cHpDY-a%2)bi^aKaajoP0}$%&n6m* zWZCZ(e!i+_)d1w$f(@%BBaKNWh+AO&Q)HXNct_MtVKh;KS3XJGi4dh#2Tw}a@Qo(h z<`*`(Yi3RjLLrCbBNn|HhV67TdKj-=yJkHdN*tqDXpuORj=fh49)DV66g=F#^Z!2j z_iZ8e0ZZak^x9an%U4vanzhp`%vN{e>avdg`{{~}WkM)(xiB=d27ysglCV~y5z@J# zLqD0V@zV!8XuBajxBU(lV4_1v;m!buYK3MLufulXoeKQR3`?WI+!E!6Zv7mHM06GY zM{StEjPecD$RecbTnO8MuF&=PCnUb5l0FW!{tb{C#7Nw(EhKG^mVhMc_#)bb&)N<= z4&p}5SC{8&>Hd0|LIp=@|8oVCXUHl0Q!^H?UiN z%kt)RR7kUKn~T6rQ`Is|Xs6Lkqw$tv}P=uD1RVm}T z?9F8+dt9>DWu)xO-k0%vefr*=bD#75-si60Kj-0`I=DWc_jtXYujg2?sz46}s%>J*@p{F$N03{|4 zw*b+_vSff2-{s6xdVV?bMyU~T%;|TT56}Svk~na#Pai)FbRb4&pgQ*w3V^J+-JRoQ z+s5p{`sDWvqUgFX59@BN)(1}=GJY?FN5WQG3R$C-$ zke-DYx>pSm@Z2s@ffBuq;<3(6!!|Ri6EYT7wZ_mv~6QO8vKc`nYOo zM{i3>$$gD3@sgB1=C*R9_{Kk1y%h?PM>MG3=WJJ!kqCe%DAYcDC|Sk31Q^PAS9M5w zIy3|ZaJerPCAts;@FZ%!b#nifUC%VQhpRK(uwGQcE7G7jTTIOrMd=xx0K(R$N(aXs zO}L13aOK|AOmR`ng`2=Wn|y7Wg3L5EfeeELR%i00LM#Q3%Uj%+Ic%YK2 z;J&-Sv98^w=WcRmnpLK&0GTs)?9-5F@K2@UyDeKI19s-92Y=3h-YWu?^h?h-KPEi(|xNPvw9i>O@Pt zVp<cTNe}L5pLN?QKCyV&_nPKihjd`x{eL}L#-@_s@&23z&P8 zjBS_}^{)9IAm0y3IYEz&m>$07_Da-wdsu?~EV%71J3+#RoA9zri@b3DKveg3K8=h| z2&EOw3e$TmN{Ar5_{u%Mdge{Pa+##gv^SIPeeARMIUfpk=-|7fqDfMyvmTG1zVoxuvjN1Z*Yg~Tffjf+pl9w;k%JA$<`x{IsIi*$UHlRyMogL2=B?#2O7I{mNpmdj4Y79!Z!{G{m{AW*4naIph}1pCuu( zoj0AR_34*`LR*Y&` zm5Z;pyTx~2wM;SDYKT?OW!77KW1$7J_KZW?46G4t>k3jSw(SV}=#CNqB8UH_ysNh* z*^apYHR++>ZKSj^C6LQ@vUOGlu*jP~$;5(Ro-IF}=R5X+lBs#_>Ug^@(2d#U#{HIr z4H$C|Nu-$piW4c)x{(W&+aSpPY=m;{!UL#O@iF#m7xquXd5}s!zxOKN42(O>$QGhz zeO||N+{#b1=sk+IzG5#r)k!_$iWT z^~b8~_%AOqlXN1s3FPfpI|@=O)s4A_K_|3=xq~N@S`=#Ayyp+rGq8#N4TGUSK(QhE z1oU?$Jab!&xH`pFl=;7nqhDb>*H^^fVl9%v;MZfZ?agA+Qa)-i(c8!&;R6yjHYg=A z$R4BFWugtro@T_q)bE@t+DN^OvMFZ?xd2Pqwqv) zKj@BBEgyE5h~9T{55>mQ^AMP#J)qUb8FXPdERXLYLBCh^#%1=X(uLHLAXT}(dFvZ2 z6VMgyWPKKi(KY0;BXyI6I4f7^cr!=pvn%96;(J{CD;JYVZ_~FqPPCH}XGZMTh6vvM zMu?XM=k{F0f;BfKsQvp)hzPd#IsthC+NJZUxSe8@V`(gN64$ztfLs zwBA_k=z*j)6O)a^aSw?8!$twkDnkohge33Pcu;#OJ;$ z=X0qTEazKW)mnp)i7=u8?ADwRh_ifCOt&JLwdN>xR7sm^fr%HD(-LkH ztwDjX)4V5+?mccYgqixgIP&_eo!L`RU8#p?&7>h7A{voV8N) z9%mJ`{}3_PLZCKpesyrH9T$B6%B5nKExRY#ofgy6){wksTo;m>Vc$>w)aPPU=*qNv zr!KjJdUtlbih+#Pz9yqPgJ1L}2exV5BIoQJS<6`6GyMA5wm&i7?_VK{8;^qn(4Fn` z14O>c_;O<8kLM39`L#FDo*-$9>aM))T(B_a>B52FkS=6o8bygRiNe|CAlZNbBGeEoKgXF=b962(ut4R_} z#v=wx1)A9=Q}Y`z`PPCWglO~th+$cs4SNF2E3RCWj8Dn?fl?6TRd`6MjlHL8(vkgmAX$TC~NotTm^Xpgf)4R}AD#@ulYP~&&NnkW72$sGva$6#z1k?^Tt55qGDKJWN5H1XmXxM-N)MGw5FZT=v~s-U}b)g}1I z#tuQ!`H7^=8)XH+Fs;qzj0D^T4N?QZPr~g?LQ?6(!1eMe^t+7;=La9{VXHc1eZ!~f zra>{H*0o{99*aX_9Dw?0=tEAU@ceS}4dE(Ki;g7kRxt;1?5Y!WxGPqw0d#i;#zwxx^-33w^arpGD z{m>EUNYcM=Te=m@yK!i%-l$1#=5LgCr59AH0e{S(wBwHTi!T4^D)P+RgDx$RNd!opsHAPd0%Bq*JX_p&XNGB*RJ;y_0(SYn@^hiYmvVzfT@5 z+8-rq?_*CL;=Uoc#%AB9pnm)5zX-6ced;7nLHcv|*p*&vSM{8J=g<2f_kB(Wi!i1> zw5P?Y1msWllehY}&3$`+h~Cp>zfu|*79l>-Hp?w1(cDI1XG~dSZMvQ@{Z;u5qQrXt z$kG%!CU4x)m}Vg+R6SK=L`^tJkCQYUmWuXFmBzPYdLAjpUBR|YJ-)z~%VXOsBNu`% zKZm)+m+O1ieLG5KU~|(wGoEdNZGLvfRd{>H!hlXk!3AQ0;W}IV`aOwqb$T|l zzxgdD)ns}r;3d7DvBL=U%;ApY{`=M=eCf-TiW#PuO<$tGz(JO!%3Bd48$FbTC?Lfib&dBKr)S*NASdx8NbI$Vn3xKBReq*r9~P*PVdbPlA(d7U;^jh~|lH3lN(` zTmw14ho0yzR5n%u0$I#~u&4%*Oqgd^{gM$2rOdSf=t$EcZtU32GF)N6L4iu}Cy$t@ z8xjaJm7-O;zMc78!rg2WHG2+;>=o5C0v&_PVRBhK5`Q2ZZxy@drV>IZQY4wQ;n3L- zc-eVZv4s8+MY*UOd4sT2u1HP9KKQnjCBEB&VCLA+y}0y+$D%8TR3gKzpq|sdb69LW zqRX+<=b{_+v16~&KRtRB7WAmvNwQTG!@D_^Fd9zKzrqhHw7(SCCyl>bwRpKW zO&(bF-lREBisF4wR`!?%s||iJ=bOpQNQs_gw9I?3@%9hXBl^Hnkhy%3!mR1B$+FtM z!o7%3>;78vl4!vW@w*y$h%g>1&I7Qq3!$&Wg^Cc0^-GXISLn8g7MB-UT6_;XRfFq5 zqrS7lZE#|bvnxiCM}G&V;kkZ40Wrlo)L;}CA!D48*04eh-8Mf2m+OPFw*Wrgg4c+& zB2&zu?GUgRM}3utItEDgU+vRbFnMKQ13s$D$;sJc_1y0fM4ZOT$4H3J(N*GgR_;T? z#JDMo)i+|?d-9kkWHEydeghBXghZVh-eZP%GPA(ZD!+cNuD$gVFu zJ`DSK6-dn;M3K^>B#qeD-VfbOE@6L*x#B(dZL(I5kh4vbG@?6CO?mv*?yS@vj7d~3w`j;(=rx!Sm$q#17xNkZVwpJcLvWM`s+lpedmz#!#`fziXinHe7 z1)HHN5(P;}@8EUGc;u1Z@w5jXS32R>6yl-n1?Isk!c zpf)|%e8QX{`G&i-145XAK*Qhw2xI8v_q${T#uvSBTbGsr1;|CZUmM9i+x=c#)TLUr zQA82B_KJe}d+y}43VH#F?uDH3bOfJtvz<9aJ4eN{rLA<*9$@iISZCd9%hS_X&$y^^ z)9rr#9(1p(oQtq~a50{Lf@w*b8@M8YrK9A*5$`y=0%q)bwtL;MUHcd@>C&-Bp)cRE zH*>y>>w3jkVi&xzeilNWZ*LUXeHu(ACH(GQ!azH>>bh(Hv=Q7{&N>W;iBTl@`HGMEuKP0m4GR5V{|Z)9^nEShy#baqPu0%stqv#! z7pZr47QvCl&AQ#T#>-Dce&hSs;O9*%>PCzN5n0Me;v3>PUtmWvQP;MTNn9ML{Ly9p z<+T5Ex_j}>*YEkEy5al=z1C7vUepU?v~{l{d%h~5}O~--J zSnCygqK|wC)1^YF6l5)vB}M_ZhIh-qB@$Lj`LAx`70MI%!+kLEy9?~rG!XNJ_&E=s z_^%(+25~6{%e(q`qvRF=@F|`Ze1^ljSgapo0soSez~^m^62G4p-2c035AkRZ+Z}Pd zeT|85&c9%ii@WK;3HZ;-`LCzsp96ZRAK}e?H^z(2#$0pDoge6ncEa4sk#fN%gnq6z z({f<*UZX$Mnt$-Pv_8y*j}KkR`(us%^-BJ?m-OQg9-Mq5RKQ%!9}|rZN33XSR{}1G z3E_kFDYBcibK^WqDm-B&KMCEHrR)40B*j4r%w@id^INBmNe z0`JrKZjb#M(pPhqf*Z3Vp%#T*- z$5jkUqlx&hW2^ikx1e(|o9rC@?QT*&AbNq>BC-=Oz%j(`N`Nfwnf(l3TZCV~mG%{B zfvLd}S&7L<|7mUf^|u2?`L(@DR1)8e>A$EjNYH>Sb4KLvx*Gd2A`}Dooyyw z3GZzDauT%w{%7jP>V;2*C1PEu7{031F6IpdQa3h8O;I(9&EIHw_+Nqz{`{4|_;}{D zEyEXZ3in;flE}a)W~83mW;Lxrop4k461ao3QID%uY>GjlR@){%*;mx#s#0BZ2_Z7P zBxdx=_P@8$$!C?B?R(&?IQb*${=dBvB^Rn!{>p>m;yk(W@9tj8OI_(>RF96KG%;p5 zjD4l9bd;3etSfg(N49Xp5rEt8!`@j4y|3scrB@xM9!B7)h6@1i^%hX`6`tuFNx@H{ zhLd&hLbs-w7C4}?f6wYXnI0!p3NI@IvX(k|^S|y#5{N-tS9rVJXCUkVr$QDW)(vo> zTOg$>($9jSkD=@#t4BpJmry2uaDCeZ_FLQF+uC7Dp!U~<@{)wu7Qy;^A9c78M(DYs zTTqQ2Op?Q=K~eX^A}4NWytq5d_-?4KQ({B704Hf-!1i{(mLcgYe(Q!d9uQi?C79Ufop~);2}&(9sIU{bcG+vcH=hQj_ZJC|*Z6xi z`z22k=Mkke{QrKM?scbgJHcOJUv^_j0$70+f!EepcPIDWTe%n=Ve?WC3L!ADiU1`* z|LJj!s$y{Ac-KBw0ob>W!Gm%@E~S@Xp-O5|J|Jg!7#tIbL~L}?D|EFs;i2ZM1$K3Az*G2q|)HT+1>?_wf7N* z4}6{)#PCEb{f)*vN>r*+qbft@@ZbQz zFK(lZ&%MDH67b))+K-3$LE)m{@~cqg9h@8-9C_~O(H_pZI=1f8i%8-H$=K3!6WEHPv*rRE%-acE{5s+AV9hg92R!O=2IRcI6k9MZ`IbxUM_eX;xO9+^s zX_X0`K6w$;OFO$^c$W-;9YPTLlt2ncf2CIcU6nl@LV=XYz(Z+M5E(m0hN*Be?0F&3 z)FLwOGx2HDr}OqQ{gm>2XNZF7}DY!)U@aHY}R)oVi8RfnCEa4w-^o&sIx zA)pcF>2T!KpV0@V6T&)*YtIK(OEyF-3MH&FNle0gKa%%TJZbPZA~^4q<2zx}t@Bus z2U<{%1aqgi&te+M;9r2S$y&?__bYxldqjX@^i_iC3|SQn3(;#6t%)yj=g!}6Vpmz= zYd?8?nQ>z6*1y?{{dHUYST8@;l?P#BOar#akcw~P<&xj_QQr3a*Jb_@SD%}Mb|BCt z1EPQJ9!8~vTQQn?Vx3#VvGcaCffF5^q89ZeR2ElQI|Qw$FDeY4&(23nPQbBP<2rC> zDy*Uwj@JC8{MU9MUNv%vq-7P!JIeJm&uP&Fr&r=ua5Ub$V}kSKt^|uc*n(ULZ!YN; z7sm8V|oEsb|=gc(sq2h7Glry2=H) zd-z`bv@7HXH4tYAzH0fLk>Ok>5;Mb-Ez;}IO9|9DMD22efOHs>V5d4MMmI;blkPPA zr&XYznFtux?}`$1_Q#%D4lP-)Kv#gU7u&PSwzcA$NHSOO)oh=F84f8WCl78N^Lpu3 zrAQ%O&8(A#&-jJ|-BT9&sn>;lXL?~GQ`;!Mtld-Sm}xuJ+Xc9yWXCvY3gG@7FV257 zQk7YFucoiPK}6S3+6^@a-dqY-F7<0Eq&#>1*#&()$AkY=?eP1!xE;dd9l^5{q59O+ zyY6u`abGA{>+7X*-lm~3`I<9=n!K(-`~*Am_Z!MMjqI+51|?f@Nd%DtajxI$E_Ixo z7Md^}(_(}k1U1Wd-?bFU-0o?J9GXvIP2nEY0fPt#!>u%9b%RA(=7Qd+Gg}$=GVa+l z%uy`tnH%c+A}&1t)4z8-7^e8nl8KJbhUEl2w_|o?MVpI zbKhvA>PsnF(k$WbA%HR1qS{F%hS>~exY;kOsbmywcxf7rb46_a=g2j zX2E2&r^MY|g-isOn-Y-@0;FxFAx1l_BXDKxk@6ngmWv^F6Yok%N$qWW>{^;OoU>Dd7UZi5?D;Rxu%eQv603N_0y}hDG{(ffvho|uBK84B+akCDtVll{NQn)@*;V-ao-ST+cOqVMJK4UYro2 z>^T_guAu&S`t#1|w3}AP`MX_TPsCt1CZ4?IxYJUQq@B-Sb0OhowB-9KWFXC~rY>Jj zFuA28=shWw+p>;DZzbGEZmpj5yS|2;5VLNnJ5dD8RYLtbm)vUMiHCx-3BZH=~;r8rx_#R+B*mHR>S+bz`=V# zEyk_XQDAGzv}1v14Sb9{;e{F?zLFCv#bDT2ue4>He5l4+&b0s3-yrh;qaXjDEmiGI z=_V)V7#n;SM7?bx{AYeAa7I>hLn_A8P5t&!_=V{IB0QBQ<}H( zEN}PV?Nhb*9Ionk&mqXCaQ~KU@Cwq=34cnFau})#vcIcCuA^o=bsyjyZ`kPH#oP$s zSC$W5$#zOltWEsI94)9(&p%%lyA2DhONK z0p!pAhpD;5I^+l>^nGA?_6XzDoZACFog{4}5g@E#f^8)Qu{ zB(cHDAZ%*v{Ev6QU;lvJVi(W{*@j!PBnwmG2s4c9A;Q0(uY0;{VRZG*i?)9Ed5dcp z*|o~VKKJ(oKJ6`38+U2kpb5b3#!zAS>WjPnqP^ z(4bJ-z`CQ?A%ODci*fHRtH9@Cxs&JJmVOotuv|mA06#>H$g;}szPXNRm3Md0@o5)# zoz6Vud{1=0UDvCF*5(zp**SMdFg)mtytWi{+ju)RnuK0|u>W23E5IAALKhC@`oy$- zQ_X^w`8DtJ`&j*ixFJpQP$|Gt+77WU1QI~S<2O6csGi;`GYOgaDJ zcC1^*U@Yf}3t&PQlKeDxQ0OyFL(lA-|BF*2{~d|@^N@VT1Q9H7{Dz650|pX@eY$K_ z)*oJE-1Ufh*4qyEteo$lll?bmymGJ$Oy$1E|)UqJ28hEu>i4AWbu~BpEKEtTemo8`YXG*9^IyhH6F# z-PL_jVQ({bFZs2w9fugzl8tCy@~wQK6~h-}O-gS*dYt2MzT#X*^Vvr}zqRx}X88FZ^qXhPjZ(VlMCjU`3);nW zRGv?t!)GeQmn)--n`&LU99^)VI$*D4Scgth|Kuh_Ud`h?kB`nKXV0GH^yvv$Iox$A zkYNTlm&mPqMf1A!VB9%L?f&kOSn;V{xsM%xWpM`{Xi6(EaWjz60WT96y`QSo3maARK4xM~65IyI#SwV*+>>cb2=zlP9!K(TfJ_2mvuO~ebMvO^o!tK@h z5&QD-E3j8luADo%8Yy<+Olb*|U0g!Wyg;)D&b;80(yqyuQ`+OP>S|fecDFUBwP& zL*czhs@TYf=Fi@YXlDWS{l@C!*F^8fwOF7`3*+7mm09%{+* zXgJ>E@tFQ9L?&pJ`YnO>w?x;=t~b!fWLk zzjQdV?{%b*%!(hhZG&Kf&#}C%Odo96Xnyi|{;|D|@PQ7Q*Uei(UUqe?xOzHT{2xF4 z|9Yv>jd&t0UM_n%^USkcClS5RdY& z6~So*+1RdNQcqZ1dG^&s7K~o~uUrEPA3S{8(DPuF-_2&Yyl1-7B7Sb5b9wCan=~SH z3*8yPv*992-YbV)XO`~WF21@Lk@)c5(O)TjKT`UQFHZOOV*yGAg{_UVih+dvlbPZ% z318|2l%Aoqi-@gc8dL4wL^tW>a`RvK)&n+s!SWVd=<}tOk4sRkz(qu;{B>d;^w^pk((Pk>`J%)!V0it-VLgHFK4&MioU};$#=YrqOVldzl}UW ziA`YY?Sp={Ojspy3aZ-Dj3$XJb{k!_MV3ykUpc!=jgP(Yb18tSy_73z)>w1?&bdp! z^78)Y4u@s>qoT>T)ca~D_lqYV`vCRH>JdHqQI*Hjuw@yCQcIDYvX|R(W#%^0lAHGz zgI*6e%=>o2lI7>Oax>%(^9c#HqrbFtqZTSYeah?EzS_KWmuCB1WGT=HCO?GgW_0K} zH=IibJgd0WCVJc8qyI*3`Ef+-JrC6M0i@N%ePm)~C3(4wH&d;x&$)2s(+SD4%To8+ zcIXJ*`SkeS$Qyby2$D|*_y>tjafaC%;@Vi#US}=Aw_V8!PdfJ{6Ei5GENo?<;| zbxI!Nf=MY-u29=B4k>4J=YzW#nB|a`(z3nsM9(H ztpJIAld?nQL${!}wboJUq#-y9;+jsFC<6rJWQX-~fiOI)YkE;F$TSqO$;P(SWwlw@!3xYrmh8F3B7=sMHsYaM+hKq8z@9OFgq2Kbnxwn>!0wA zDflm^czGL{g)!gV2oQ7bGF&%I&=DP#opsXI(% zn(w_K5%C=o>od|IhYcF*ynFX9;&fm)=*`p(ga8Xr8`CDSh`eQb2i)>%aO50nykuxl z`zjrjE}dH&{aYHKtbbwlLOC9$y4}DpngnmvJu4^1n($VT)X@n!C5U#=s%n2>A?S_( zw&lh{?AIh>j|!F!tuT0=UTaOa8ExWlu&t|hjlL&6U5Pk(o>c&DAegEfp_Ipq5gubQ zM4`m(<@(v`gWZ1DWf>VNh0ATL=lt&P;VAalec<-?>%pg@k5w}n2A?y^Ht9RxCGvb+ zxGONjp%RAq<4&j4lEPqg!fiH;`O#6JZ$511HQ^C-W2qy^Ru zc1-uElP2X4i8-7(lZq(Z{BHzL(@#1BGWk*!qcVeOjJz;~xE*&Qc|du5HI<3IP5FS_ zZ*On%eeg4CT5kMYrNQ>4J% zOY6$?{D3)wq3X=dvMVK|{*rzO7noOzq z*+@o+9j^C^>e=bU_-OtQ#=f+yCa_Ml^?OWHi`uCw>6!6gU&!^Y0~vn%@Wv3^)~+Pn z6JQ#&BW!M_FL?O2Iv)zfotN_5&@u|(eD9cojlw@~bf;f$IlJOYe_HdL<(}86CXQ|` z6O}-D8lyA>7ELZPbKyM~KM?uR{&l>y+AY3b)2Hk7Us@#Yy)Av?<%Hzz?yGULJjz+cWd|fO+lH z{IS0H9Gn(TvvY5Z$P?9)F^N)oHPzsJu*Hz9x#>LzZ}1y;{n(S(HxbzP-lohbTeuq$ z2jhsdcYUa_#^N-|2&)7?h+(K#VGyEW!!6P~waCb~^|ziomEsddV~%~X3?2aaT_`6i zHea6?Z8C#tKo%_6t38_kXo<-MF-e&+ta)*qXlr9*(|NZ^DykgDpm#Nm0IC2gt3YnR z<`~SmaEI+7mJvVhv2DkmvI@YytaLKK4HTR3|S_*PmNb-lvQLliqxHM-rEQ>dFw!gfkkb| z9hu1C@zZG21@+R@>Jem;s3<)#+^h1XI#aGR70Z;8(N}Xw`u&=C_+1gp0T1M~<+A%6 zC(nX-0(5ei3MP>r?LN?(gCZq%Yu`s)KPEx+c$R7hSTL9tL_LoiB7>E4?+GsN0)(=R zicY+VLY*2)xO38X^%XTob?DtGDcWzOF@ftQ?$cI5-u5+&S#>-~gII2AQU9pOT1u(_5zc8LC~|EJmboPNtX#PDmX z#j?KA|5uHVz673HI4@;t?))YO>D$ke@x+)9XjH{5QoxohAN*8@L`>6SUH zO^iq-k8R?hnu-bHhT*@ysG`Z2yoxGF6nW$GS*OIUh`M7{aVaZDJp5Z(RdVgaEs)iI zw1bhjh_IxDL|@U&_V_2+12EoO0^jHepU~hZ?aL3Hou1e3Zpf{Mj|!0-TF9vPu0k+1 zd2zxByO!Yb{;)K&Q~1xKB+o>*zlxci7k|Apf36^q<5Q^U)V;xT}l>YVGHyM=3Fi&3Z;?gBc$HnDIp{RisYm5wLOc zu_twZld{rG;B-?H-V$q@etJ-#c~X~w#`XrxVfQ47S`Xh)*RTYBDJJ?w#Rs`iA!r9y z%^<6ShUUpGh8Gc#$uIDSl5qtcczX-2jC)TIne5aY`~!~-`o5LP24#cI zNEE}*;7g^(>~CD^5%^t1L_~?*|E;a!L(yRy$wyFVnZY?JP`rWafTO6RQlu=u9R#KTS*H@nUsll-FsR{-MQz($=b`xglKW1!R(g`-cI2M zU#~8&G~d0kyxhOJBupNW+;S|4lBoJw!06d-#CqKyr86e=jPJlRN8-hK__L zWBjw|+~geRg|eQP-m6F2EPQDBU-IDAq5$qbljbH2#e@CJo?Hw2OW6=#v+AEQxdzNg z8dY+OQW6+q>4Yps^#!iax2_@L3>YPUuvf{A_VPi^a^(rTt*;y_KVXy)Ym;)Q2J2QV zqedJ-2_dq=DJc7yCz?O_gJg}U>oP0D)Y$rf`6u7<#YP6D5Sg}>)<8DNsTA}s?ppa- zI!dlx04!XQb}7?Y^(-22d>#0`$QbWoK4AxbbSXUo1TleY%Wl=z(euFT4ZWwKMx60& zK_jO4sGj7l?R5Av)P`##i7DU-6Fhi$!#V*9TtANDr1QRDHa6J%t9&8LXoMHJjUZzHA^g9&}zNExUOJM>&g$FGKPu2hxF)`ePOeJp%#| z1(!RvlVOvMP*xZAk4Sfh)WzVH)&-qc)H54yqLpl>!aR0TZ25`<_kdGe85o7%s42C5 zzeY33E_DFzm@HNam(ImLIK_`Sk2Sr02pa4fA+t{XAn~OzoNB0~`{uEUQ6EZ;`4K{H z$@(|Gnvm6r3F=Rl$@*npo?Vc9nk9SK@tCF7f$n8EewRxNlXiWg5+S?313rZvtnVJg zmJ6JXa)=;wRfDsysm%;7u_gG+9q5-lH{V~?&v&NpN~Als@B0rP9T*E#M{oj#Mr9@Gh(?r*(|!tv(KEpY!pEToS(1hBUSI zPG6aazK3a(z5_qcsbpch2MWlz=K8q0ibyRmpoF4e$1z^59SLax?o4VpZrUkahn~UyJ?W&!0bo zlkN2JbCQ*cE8q4}D+oONE5bF17M#_(&-R*4gb%m2xE$VPD$cd;=j_I|MycE;xj+@A z=Q)Mg=K(2}pjV;8bXv2Oss~dzdj&bfabfX%++ZeQmaENy2T^Dx5}~U?CG2_@Yx@vk zo%PDoh>L=;&qQZ>EX%eY_h>NY>kbG?9zysU@_Ku8fj$g^atShMp-D)7V%eDzMYOB` zWtEGHm(F(~9xUx}VIVDHFLgcSXK2fOM3TYil|&zWeT*~}p5^yj;sRV(zlBaAVga+Y z{madAe1cSD`UftXt0N>3LSXXOn)BC2rtM#ZyllrqsLc(%TI`X2#9vU#8?Jmiy~a&o z$;G)&bSlI}O}eJMeU5~nELT{0qZoRbD&SVM)w{{#u>#K_zr4kNS%yi+hTpd~2kxqi zDSJDoizJVon3A*Ob>6>RU}AzA4v0F_#@vcC*0IR1^kY07X{OU~-fdl2E88$iE9XvI zciP061D?q}`)>rD&IX>j;)_JULv6W!<92lA`{8Odc^;rd1$yInnI^$}VkFPx$RPK7B-3aKvHxM`7sND>;lOv^L?p%?7^~N4FZGQ2E3w8>+7@h&k$x-XJqfz) z%(0euJW~o(O`2fc_;TTS$V;_i2=SVP%RU2oMlFPY$5f5=3Vrr$VC`mt;zo*IiNv-3 zgGE;S%lT8XQT>R$45ce-5$3IY!4Gl#qB&eNCNl42cji1FPkcQuaxdq z#ohdzl0SZj=@owEBV+vK4=ur@LN*M2cDEqz81?L!$BA|Ra)>=M`BocJJI5X)5xXKE z{9alzXtmCU_~z2XfrvOlD`0>ny(1L^ZZDEv)zY9TRF8{M?Ot4M*qWSl4{0$v;cD0( zq^BBg0g2L6JC7&YgquB=NFDdx4+$kUbqnSDH&$Xnm=lL;#r~GS{dr9+@l3P?9@m|@ z_3*_#)=dd%$<0Jy$Lm{xJq;+3+7|^OzXV}f6CoiFAlqH)+>&WW{s~8a7QdbT>pUN7 z-dLnoarqn9ZUsiqJ-bfcYEMu;s=lfa{B^-V5AO1tlY;;;KhQgY?Y;seRkL@}y3Ys-1tJZ2N}?ZR4$pcO}gGy2CF{L%P7h6y9Rs0w-gZ%mJx~b? z_NErIyFo;xJcY8jF8G z_RaAwVT}(r9q~nSvZiA+2cw9m&wDIGRoR73QCTdoWTIhZ>800hG16RoOK?V&B|7Ok zMM$tDe$3X~+T0)kk0fN ziyGqJZY@N`rv%5&&O389OXbhJzi@mz|B*Los%kj^MD`HPRJd@O*h=r7s3Wv$K0hL(-6n;8j|9sL-?;M*cYeeI)H+3_{;JnE-hX>fx*p0) z0*0BlD3J~|TXWs>f*=)*iU~Cn?+s(+&Q&N^z@=d*t`11PI_GclwS&OdlHp+a)YI_q z?F|q1GmdRfxr#kG4L=EP`yY1tcT6RG*9Di&Mt1EZhs_K~mJIH?o%O|UNdhzA7v zEp1+`?j1BC|2|FUU!Mg-F=zKzmkkVCN`*Kxw=Qz-3!B+$YBtJw_1ee2{Yz{6HRGPi z*QtZ1Z40Z3P|P3fGe_`-Z~1`4)OgR(Ka#Uh@fH{K{?eUm!Dc5wwF+-qJl72H$%AX2 zJ`&boLu8H7a&1Qf$cHws(&olOy`N9$119PN$unKWu6Xj(gBW7gusEdNr|@UD!z?6P z2kvTP^N$byVZu^vK)L32mC3+)q38wMWQ)0%Oa5fzu#EyAh3jmhiQ7SQ=9>s_HxU!Z znT?Hkq;~O|ZR{>y@SiRid+|JO@Cidwota$F%QZE$47#u`Fr1QS)98E&Yf2UwrPnS{3-g+UUlm3AbBtR1$d-EDm{9|pUFgNwXQE6=2_s8qh(fni$@3h zUQirgtn)xwF4d{~Nt*MhU4iSs00+y2V^UzhzG;WW9Cr3_){EnQ8f~=29;dHZK*cQA?Ru2&RTzrtfHko`YNVI7AQ)j8&=A&i% zryC;n&jXfyUbZRKVn=c0SidFrRqrXWb=%A@B4@2)ingpIJJ4i*Ez#Hkx2@%_i}r^b zB7`!i`ObG-30SRQX?M&v@64*$aEQHS=J~8Q0tbw}rg*+Y1DYQ_oV=lnBS|+@iImDvV~(7H#O} zzP%BP6H+W=tXk%&eg>fvB6+sW^FeygQ-Qe5<@jPV!rBo~@Sav{+! zE)P@T$FQvq)*nNd0^t#Ma!mH5394f(6q6{3Zf1c{J}mwQKekH^u0ouZj&DS$?Ip= z7rQ$8yB0L&9}1^$km>R)-%xtJjN3E`>UG!h!7gxp5}q0{P9ezkWM8*`tjID6lYG+- z^Njr!{>LxG4X}vXldLAT6R4v%4QkCMgzsN|fz3sQ)<}gud1>Tae!!l_G{dc&QN_}n z9C)DYY)SuizC8(bh2CC$Kt-}MK{XS(C{Xwm_K+c|7O4ACzD1KVaW7j0A| zg)Q%t%M)_w{GI989^D+{I=dEw;*Kp+pHj^@C+@YE-R4=C>+osh^0&+~oz|{4TrXfx zODXyCrN@OVe(=pGNsQvZdbj)3I5|g(T-lN;){t91$)mryd>q z-Oq_ap@d6yoGnyx`Z1Hq!U#GgEX%2HboQk@$8{av;u$ff!wb1`q;9%7G-!{q+m2+I zK~rwLBx>IMWaNcf>zTZR#$_9(=ZRUG&}X0K;NVDZYu4TbQ|2A*V@(_zZ);1h-1r9w z=wix#B?m=$nb_WJa_GM!p4Bpx3|`oBu1Ac_U*$-uRf>^^cg+f#Ha9hz+J&HTnx8|G zALkkijC6gh;4$-7N1Hb-OUB_pcG2lFh)I6xC@@gL=L{WBWR(ixQ>n&nE(D zX%unl@df5x1?7ef8uwHRue%{-{>+d{Q2&tI>=4^03BJ;mVSJ2}bSYbUhQXJ~BdH&I zHFS?(+Tg#x)LWtZn`H>~{Nk3~qqY={;~IOFE|v7@?ouir!}8y$q6H6+DCS`XRPKkm zjy!JLk{eN^Y2L|2!b`(~y)oST^}2IDWQ(LeVc@!1O`U3B2*EcXyU(&HE^|xrs$Ppp&mgExK9$J+T zGRb)8Dk8?vjV&2jns@n<60ZB0^zS+R?O;j{h+UGZrh}QOovQZtHZF4S7ioD2b!U#S^L{8Jxshr+f0!?5~rOSWV^=4r_prWnci zKOs?Q_rF|cw3qH5e>j~&bmq5N$}G~4(0uYmhSaE)vRjp?lAsv6TvTgOJ?@U|cbBA@~y0t$*-5Kwxrf=Cw#y-4r9cR`w< z6zN@%BE9#7-g^%IxiMLD%N=y_=kr@g$0W8tBi}@UivseS5^w3-t7M#3Y4fDR9nLcI}>A$YPAJ zn*`?U@N+5oG4&p{tP!g3lT>|J(05ua2GN>2T(Uhr??=t}mYyw#()pENReJiVEKtWy zUxbSqoH}>L?h$*f_srPwmNo=ZmsKBSoN}1*{I)%l_ltf?{mUMk+=773+Xv*YqTtRS zn3WbglzIrI03WobFL`(E(PSIbn&DrHfos+VB361kT=*u_iec>?VVQVoVL_C~;G-D;Fj#OXP}Z|o;cCO88hQ`b!ifc{N`otr34Vdp z+-}IT!Pb-p4}fvyaQJAd^lCU$s*!KV$Ce7ECv`nSV4?SYlXinh{hTI$1HFG;Mb4@- z!fNeP^6l|qcwyr7S_8A-%1AZ68+PDUbxh#NxzNiy`Q1^$l2deggcCvBpomwx1%cG- z9^vYlY|4Xd{prycxF;DkSM`y8YW!nn*gGV=2a)86N2~m1MELg3!@tG9{jr4|w=j|>lviAU~nlZ*;UCWUIH9K@TRVueoM zRXGZED+_o6ttUCLsm=EFXlmZJV)aT-lg83H;@nS5`Q`-_JRY-;DT}C279w5Sxe_$@ zNQ(*v+#oz`Ix3Tby2_S>C**8u9W}PH_Bi~~+6AI=3u)czbr@;q%j%7dUoBaScVHh- zk%^M9k!m20Jy%s;ryZ{_pXuW=45C(KPUa>caPcKV=2RF2dWUz)q|Ss0ZYFjUe01Q7 zjnIuxtP`1ER^e6zodA%p8PJAQsTF?@CcO&2y~2)k*6IN*SRGIVYri|!KzHu|W?cqA zUw25`jE4lSCnqs3Wi(eLa8lV*aKUrCnA>${x@-Y(1Q-VZtuJN$oL5p%HL&}BizDu7 z6W|qorL6=U^Cms6u)1o%N7N~p+6j3!Z78Ns0I01{{%1p@zg5vaT-OOdoyMWVC|<^99yV0z%4#<;!2lCqTU;}Z zMZ466F?wsNta7->%8aXMg?J^&)!uwABJH?W{qq8wS(OuUYhlY=z9s*0*SD=1z@KgR@Os1-Yg7*b#g>hL+lyJim1DuOJ0ksL zQfY%*0Q@N#-UhmUl#t_G%;f*h59Kww9Cv)&#nx6*&==}EE?mjcgFx}jSJOQR=U<8Z zVYuOW!Jm1kh(-dldkw%5ubnnHz>?1QB$LZxtOIAb12~#h?+_g1pTU8ZuKODbKsuMI#l zsq{-kj;t*IH}#Wo>8B>@G09e;ptExTS?WCLZQ2ofb{wzrHyTJn(u(aQ*r5W*`>?B^ zdGq%)goA8R@wQ#jP=(2L_A!|RCJVpQaouCw-afb2t|1R6YKJdej*_@~?uVXy<5^#L zaTd=jOBtK~sqFS_U!gtx?NjMm6}4!9E7!G)bp81aYf&Jdd|bGB68}njjrDUAwGH5q zSkVuD`kDNg2+HU+cjqDdEC@XAh|bFl$0_|h8>genY(KCxH)_u3*Of}4>zZ)Yu6M@;c8JLDzLk|jMMgBNkd^{&b?>D(%)&?m z3>9*&xyxV24r~1!67x!S_?tK$(M>h0x!ii5Y=`O=WGrI=Na)RgtxSJX1|ajYoOBdx z0>FMV-8=)&Er2wIL)!T{$zB{JG-vZy*(46e3>E+#Y)YO;)D>aNb|HIs1u(>TF(c*Q zTx1Tw&ouxDqyca8xtf5KWSPjx$*DQZ)BU+I|J$>u&wl`90E7BlU}x;=DRzH%<^vTb2(KY4^Pz6tQApU|K zw4kCACkVp!mrzhrB3yGsx-clX9nehnm*`f~{TGmem-yxp&InKq7Ipw4v>%Eh=jtZH z0p5A7G|mll0s0^|9TP|l-?22>i@m$!Y6Ng~oyl&=!J&_Fv+>#7rt+>Iwt0Cto zSV`M{0xno9E`9Arzj&?erYpc0UC4r9kG)K4SghS&=h%?AXSS1xC^(0wc#>bYa&Og?3yWi$-;tD6W4wJ(ykCIM2Nf#6=>%Gdlpw1uZNIPPr)|%fbtIeZw>^vw zf^E(|=U8v@s^50l9|O5gu2BZ*MkZ-8?*XImBqlh(n4JfTk=+aTI}4u!%mKEZOQi(! zY*0zc%p9OnuV&S4s53|b5?ibRT&T}l{e6uJNRYU+(V+d77m$6mb9sTfEHdu>{(kDq z#5aJaSYHANe8ofAlzWc;#hmjm6aN;AS3gjL0C#Y`Ng_NV!c|O|rUXzwz4Y01eUw4+ zSN)BshJWw)`ZU6)*{wf}lGzaI3g+DLd^xCUZ?~g3K5qgGxc@X~#D!Vy_xp)CBv6a$ z0KMn+yKZ_2P<*&++_~_@xwg6iYcVn)A>sJCgC!7gQ;DYL#%FUJZ*)bK1DzuN;3Wf9 z9&Q*tB#A(evvCAWof=h$*DpGSof-M_{$WY=PXS9D-|vzIfRj9P#PAILA>Q1jZ z2XtRW8{dWh_bpxYiZ&zp`oX-)4@G$CX4dJ4f090lDv*uf&lJzypEv2BqA3}hi(JW@ z7NGO7(f8pP04TTCc#z*_bZhmkfZc6i#3DaTZ<2|8p8G~KcGNeSbNrs`u4^qhg?5E? z95EI5)B>wkb{UA^Q2=)}O@8u1bsDQfVUcEIYZJ9FYxQId3($T`{dlAY?AkZFtAH{^ zyUslb0xh(gj!K1ph^bV#^Io96kek*3zXKHM7FAb;%9e1GX3&O|9sjmwY2 zO}EjM+^x7p_fm{u{_N3~YiB_<_s6~8vAZE6Ly{7ALu&3O=zZM6^hEzWUKhxyM;?Xr zl7XDHn`U9Cg<%l$orR(1V#3fkru2sm=>Cg#xmGcBPVUF00AQszo!aeC+vn8EX)e%

CU9u-^@V%5 z?syfafNJ}tHLe%cEI@$c*Kq(w;HP1vOKvZo$b_oUls5KEtL*^23uTF>-SJCt3JElK z!0Jx;qy$wM=m_0b--Wz^)d!I1fBAV{TJ=o)6Q2O&{)o1w7KBK$pHezO*L(>jNIwh7PyHzh*fs#%bS9 zU}|qrw__*qv)q%q>xD8e8N1k5G{XwyQq}M<^qytuQg?pCHFgXDz6uE(Wh%3sGeXQ5 z9W?7V6g-G9qf}j=L8k1~QmioS$&9y_3G>UBO#B`W{D9Og{2xf&nYpEIfYePCt_w)r zMwXZ(C|26$Nuc?^65$+YJZm!l7IDFQtl2G5!J5=0{=705d%uI)K4c}J6e4xI9Y%Z? zWc~PWQn$rfh2?BMzeCe}_y}udZo^yq@UE%SVaLcXX;NqL38z+0D%$V7sk;EFTa&l5 z&*z@hZ8obQlf4$_3iEqQOJT=TA^LN2y73Botco+Iah{;oIkYr4Idz}7Gmb_@pjmjt zwXpyEg^u4;WnO!7+OhBh4=)b~nn;9B$8&H#k-c<^ zASB9~v|~MkckbN!Xqhy%>Ncs^;QEcx)xCG~XYjGp^U-CiA0PYf@W$4;Na-5?&@#ZU zGJJXW%GizJM{$fsFc!1w*0qhC04QFtO>DX0h&5D?Ig~l6KjiK-4}|pS>CucDo&N3w zSv|);J{#edAs~%{)44n;n(@(s&jc86E6ds8oVASR9vbz@TI-U0WmDDB!*FsKbj!O3 z+UOfn*@xlUhBCbfuF3sQK})9J6_`dbcGkQEu4>ZaGr3;O0aj8!=*>$=&J|w}5PC~R zf=~7w1g}mMG191rPSRZ7=i-7$B;x~;cx>mOiRENM{n+LQAebL%CmSfRESOn8vbiZ2 z4k^|LqnX^bP<1f8o^lxDLsZ9tr>IzvXS9|zDCP(~*BnQIEjUXJb|!}t@NtpsQ3ub9dHlLo)X6n6knxm8dwW+gfC$EmP|y-VPmK=Z# z&a+hL=2{14$6>V_>{8J;j_?lIX4-TzM23skpMG%b@)ni@D@lvl;kWqh*7+_JBk^?; zV;JKU0A=GtBF(YxA7Z+bkcAf24DSjE`G}H+gtO~eYv|2XIrCDBhSjKhV5!GOYrsny z&_jVuE6v)M{2{OBX;m~&jn;ET{EHji^fRpT_7V!H$?8(KEdr-5{Z;BWJ{A|qDovBm zH_mq`x<0BoXOPY|bld6qJ&8+pav89wY&wOwXxK;jKjWHs{_z zjkPZ$Y+vq+*Mkz_vZ0RtNpAV{L$wlXn#tH^az`daLe-t?aM%^CMjxCj0ltonV4cGIl@U9|eMOojgS;5myC zKDukg6mTiBJP&&Sk7&|#=rPsfE$?VU$Smjh1$fL20EaXy8%i8FIj2^|0~^dr;m2rP ze;JL6Jdpcl(=YluDH*too+!JMfFU7LYuuKw$MzOaZhLG$PKzB!Z^P0qZ076oo5I0JIKSLkr(YTK!JzNapfo33PK6acj7zE%Jxbx1$6iGa#PEuG3)(9;RSGQgbo3V zH!5WiejP^!chOSl*6V150}&&`i(v*UcjRVEy{VUYV6z$&o9OLAbb(&>cueY2P9!G0 z*vtcg>myXSM07)XE>r|y;F>(JPVdZJ$m4BpOh5*+#+wP&?q~cmIlJ_*8MG_*?FVy? z&SDQ9Rg!V?>+|Bxt{cQJyhfW#F!Xy`hCy%{Cg=RR`})z$d(hnFoSl{<$6mH7Oq~hY z)G((qD!W^Ksn)qgu>N|NM?8~rZ}vRTz7Q=arR{( z?`O{|Ws6zQAFQ-;d4Xpv&M+DpE^x;+8`3rC?{W;T!513iVu-?Bx0%C7MA~i;Cc3Eq z=L%o6qa@0Th|OPeuBy?q<7`$g&EsMrkek|)wP*|)H1>vhRf_ZaCmd#Lx_K-#dvUiH zucJq~R=|^T69iJaq6ylKu&IvRV7btkd7@8*-9}*+0 zblLDdZ4Q=pL_E+jCo45PD4WPF`bJ)vI8;tdzg>5=gf+`tY8mmsNAMMc^FZ=19R&9rLjhFNh(P#>h$I(bNs%&@$jQhVE!`{$?32r|ey>lUl%% z7M8+`cWpGMyJ}>?;PdFd@{M0V#3aHUtBT^}_JauA6?kzUQ!U3zoLD$8KKxvKCr|S` zc-qxxgTSnP#vuvg*YyI0sW zSu>&*?u4`YSrgT|$k$y;Q(uQ|2iIWZVbk`#zodaB>?@8qp&wQN~V?>8pab)+2A-TRHHZ32mmNW?VzMd+@bk{wd_lQC<+!*$)% zQtOJ)w?L!zGG|1i(?sq{cozgia(A7HJ0{~5SgjDca+jHv8Z{8V{B^a`Q(D&E$Qwy)P178;W5;@Ys-c3;BAz*T<{YrdV zgODroA-X2+0@EOg>7{i{*LqNR5M2#1+2*UsCt=0ISdWIiK_h{|j$DlJnUmY~8OM!% zG{73c+BQJxFvsZf$;n>RA9uTzNbxs=P8Wu4Xs_&fdI#CZWL#?b&!*ZAP^jHB0v9WTds8b;Yd-RA|B5}afe4hn8Ph9T4Hnb>=UxfqW$NO>Wz1d} z`YiKcU^`>-C!YkRP#yTEaGJGv!cdWHZ(3~0Zbs>HR3;jime+tkBa6IP6aRuIJe#-& z^-=gKEzS_ea|Es(C1)^j#pdQ^+#ru!N+x>Zwv(WeCQJs*gvQw77Lr4h!&slaCR0H2 z^|)CkOVrK$R3~+aRgl{r?)I~^3@=h`;~zT=!`>LPZuYY-Axq5Z+bM1tesShxC0UGW z)-wY+6C}E8!!fIlA1fM9dp%;;XQ**H-&mRm)_I}5SqNBu1jyUq_~59>>xPX$Dufh8e|6`l+k6>#U zfDBG7e}_5qA_N|0KXoG;;x*$()~UsTEi$%<*DnaN37}9O#xLH zq)NNkFU2H7rfLeS8T*~~Ln7tM z+(Sp1jD6*Li9vbetKgNZIFsYroC?9l<>cUf0^YTZN!okxHkIgX8~|^>mn>`7DQFx- zkCZL55>D0iTvs`6#pE;UJ-F1^0N`y$#-GXaU15?_7ikfsX##hNJzr0o+ z?E+sCOfq{A`uzr}4gm#$lkD`m>&!$P+?{qe<{he(94!*0*#n@(P7MSa}rt4`7XxQEHc zDN(d;G|58eFxSa{`oo8@bYCv3QyZmF=>%vuKNj-27SHvb7PZ$!eGkwC)a}^oJ0BFB z58|4xle2V&LG+J4W7N^=*mgYOkV}sV>)|B!ptY=;euHZj%;0Ft4F-gg8(J4p$+8qQ zj6*qSEl53XY@d^^(E5hhD748b@&Qxq6YAxu^wfsoMPy4}dCq*)T&?K`yk9->;GQ`Z zhhONTKTAeWMyJE{un%VtD1tx#mP^YAh&F?1U@sVTZEi{7?TI?@xa`xX-LlW}5q|iP ztGx~`EH?K52q=`;o1`{)oIZ94c_%v^OFa|)uKd&&_BnA|C6KVx z51Yk?VIf&eq6E$qSl5roaZdLnJ8HdLd*PUJLpm4&wSQ9WK^<&@t9lqi>CAhh@`#>W ztx72@qt5sg*M9NFhoq=m@(h$jYzIrYF{a2@fhBRb+%FLxQY|BIDz3d@zD2Oy3#KnV z$Hxccn$1RVhXCRZd)Adz?vQ}%cRzTPwMD+>NSkzDJhrKe^(bj(R!F)t4gM{cxZY0V z$!<(W)A@BG$8=^(n^VxBrI=xoI8b!pt3yel1s!<3Z|Nca)y2*7kGl4Og1o0(a=1HC zR4mIfeL!r-nW2)i^75z_Bjvb$>!3q8U)QLMHlDH39IWUqu%eHTSgjZgQMp-^Z1qWm zf0Pa}Q?JL}Xlm`etiqJJw6mIg$=R?`p2j+JDzN|&!tk`KBCccH1boQoscPL1O9ip5 zq}kealn)erS$Pq0>I+NwSKZJn%-pQUI^0G+v8wB3U2YH@boe;0mCY9VjM-nOSa ztvp{d}+-9nYFv&2xsAJ`xJELvct!oudWY_C3yDDI`)t{rjrnfX3 z%696r7TCdF@q6lns_xsa-Y43yHDDgdAG)fW-vG@j-ml(CX!WA-1oGWG>;R6>5ytli^q$X!yOCbCcY&hd z@*uBDs>UM3*i-$&>#o%c^e4NF=ircdqY){*4vKooDH_s=G-jAgo7<4iAlem#^T*DK z$S`Vpo^&L#{-`#ar?(m(dT3sXH-O26Rn=u&jt#;|{;NaK`^zwM?2y!OMe_MVM)C@~ zE(}9)WP;)W8D9%G7%i^9%fQIf0}iQt43m;l?UEx?rHEwl@-GM2r~k%u3wk52R)Z$4 z9ceCdF42sBvjFjHpwUeYVT4&ig}84)J9Plyvvz*Qyp6pJw*)CxLizasUg3zRPmKED zYh7n3k+>o_z~)zM?*z#lW50Uh_~_Jm&Iy7ek-t~XuHzXpXcTM2b&|x?F0&__2NU}l z3PUzUgkMBoMV+;Qo%y^LGVx^uQTLlW$$D6e7Yh1QlXA}|a$61%fBR&-gKX5ka7QR7 zmIskp$L;ARe@C&fn)-n`etkn0+EGf|RKqZT=M=DOj(uM)YkpxA=^jx=Cc<(;&+%I- zEH=F?ixEFFcL7zd45VweuquP<77#2IQ1pTN%lj%;%uvZ<}tCbnFIH z+j>sM<9PryO1z89Z^U!bv|6=NcI^`?w5!B>Pi$7Wu=z-F4XRn^{sUr{6Zcw)_s8fe(EBVR^mQ8h@*Vk zmy^49Z39y6tKdqD8f4ezO80 z1iehKGlNuo>X`4@tcvr+M#4BDAZu#?Paxb)+3AxQx4~R1EBEa6T$r0cm6esI5TJw) zpC%VWn6LDYbh^yhXmBMkH;Ak~cndr~(J8|RO2xuSQ+^C}o#S1I^{vuc;KWyvao(1l zkJ=&il(snWPn$6vh*XR zB-SoQ*C>$2;(&46xjS67ghFA2h>I=`WrKjv#veB|j0^UiVs#}f9h-fpE^AL++loUt zb=^ja|8gbzhlFvf5-uQ{#Par@?aodnqM@4{4Erm;k#L4IM&J}kc>?g;5d96HZ&)w> z!p()72ikdG6B>IGvTsKu#*Y~6Zah;c7eFK5U$*g^u1y)u!>i`Rz0E7YuOs^4H)l~$ z^w=rJw^0TVel*owyBz?>Td8!1K5rW+#@*bvUJ7VpJn<6PdN-_{>^k5rQtwInYy`K) z7!bDW?g`s#2=ngOR(kyNl5o314;-gCMy`O~gI2nl0ng;*0jEHt8_0!S^!7rMp5I|Y z&FG!1)@w?BQ7^VLZ{+KlQe3z9K)vw7X38&9U|*Zd>KAM^P?>Z9l3+a-oM)-uDeEtNw0sQ!`foO}N!Ea;kwY8=v(I1hl)aLpA{&H}?c>0NZ=T#nBLw$(=h#%giL*e}O%F zzTNW?NIzEIy(l!r0GRRCohVn8C*eYiIJY*CGR#uM*9GqGpzu8?I`wlZw9X{R5wHI| zcA*@lF|)a%IK-{ObZrl-E(O6TqmF6N#e$Wjov6Bt)Nu!uXuVGeAZYh<_%bG^mAy03 zLp+?S3N5`y_BMj`Y@DVmQSy)V+zf}h(y_&F%rKLT{ZE26x)?AtoX0Sg{dlW1fhbvF z^{u}_=MgMuhi;4Mn9=`O-PbvQ|KU9Ae#cgiuG&AUk04NJMU>pQpL)_sxXQ^c%WVWv zchP^2x{vQ059j!U##_$xL?W)&A$BT$#ifoR8$LS5jdRF(L%A}Kb6}@g-P)B7j*p(Y znd60`g{DepC*WTlF-PhHa+oCVGyZjqN@G?|32Y2?qU#xQa~WN}pVHB(ykCol-64MV z#a2Q)SlRc3&|hVZg!5tRvsG2ZqsL=qP^}Rx>^%^DjGwpY%e%nvc>hGa2T^w-^?dU& zOucIVm`%ynJ&4h*oK%R22n~aThn*ovID?S8S8CfF8RBREqHwef&>ZTR30GNW>Z;Q` zl!N%$xNgN}{qHLVLD*`sJ)7WQ%7~}ZxaF2+-Rmi<$U`He$RQ{s-&Od9`1HcdIHk{} zU-bKPw`0Ws|eCiR<`cnYq*bC8i(mQ_DuYTDG zr*@?xTh*?{U0QRAPNPTFp+A570nyhE;%S4?knRHa&FuK28hf8=S!4*Q&H28%MwoG4 z(rBqYkoz%cTbh!tWBq>R!n5QG*O}5>d;CXT-^~=iZ$DTrf8gbJiEp(6YVWY+~};2*8p>8Brd@3E$S3_7!_#&zNJy`?L7EN?JWwF3fj^JdZnM z0E0NfOwQ+?nyt8S+ej;4pCuh0s~XL#Ca-(6uyU3ir`3C^oLU7WDr>fUg}=a3?1!v> zZ3vk-1-Va#h2J^qw732B>32L1a!3{wFUyc$FLfw^ggD8g9qtdn!I&fo82traVr&;BRBl(wE~Bd6XxC7Qn(%u%)8WB8jbWLYb` zSL^N@Bd?mHM})`k&9v0f1ua1=GT0{F#kbysU2owZ4HRd%Cq}=6pBye{8h>rM)(y~g zI$R9)_d$yqzJKUzUYyDA8cb**uRw^p9Fgr^>E*14;D8b%So!T5i;>@9|^^ zScC|_-MRoVTZ8w_*l}&ROV_$`xb<%h8Mp1|Uj3gARWYut_Co9S4f}qh0gKxCjA`M% z?f{M(uqyp=kjw&*Q6i{GIa4V(B?y(1a>bxyZybMYJ?jtz&QQ*)LA6VF{^@=Ja)PKs zIju1*V`#c8wpP9cgw^)^T}_)znf?Ra(Y=UXPT)-;wY~9a;1jbz56p)m0WkZgit_)% z*;|HH`F8ETib!`#P7#oh5TsiW5D<_C0f{LM0us^~AYGD5cXxMpcS(15hwHla|2)rH z@4Jt8@4Y^GcpxyH^S)w?ah|`EgvWUdonc$D_LB7GG4Dqd3No588!a`lRmBYl7y zXXs$H^A#daf`HkT_Jm{QY=17$U$>lJR_`Aw3Rv?2$*s1V=CW?Ak#X|N6}hmLz65pe z+tc!T=KE_vs;|`(1@=Ux@-teJo#OdrJWKc>NOGVRyjHy@5zHG;-mC zO|59$vp$~WRqqcmchK8AfD53yjbuM7JFiRla=C;7t9IIUShg2x*#ITH-BD5XVEYK5oVO%?mOGZiauH|c#8>7!3W4A99WA8s?P^uNgR0S;oK{rW@1n_1k%B2kI=3K3{>m zZRukYd?Ow>0q?)L+O|0{zhYE|3Q6xDRcs(uzxN{>V&MvKIy*6kMswrtfDk^y^AMAS z-Q)K!=Dw@i6pAfXg|DE$6ak+}sQSqpCtoRHt8~MXnLgp52h<>aayA~h!XQh%I+jD` zgYNj7IzPQZ7LO<~D6IRNeae@65G6aqbb5?z?c7p8uA)VYcK_w5<+R-`)n}6*T&>N2 z8QISe_^k1_{LS z0s0`gaSo{CO$x@=fs-w5+$tCX9`*ugSo8*8;i8iq(3h@zX(>&Jb{>q;;>X)q-D*2# z2NQikj+FWEeuG~^YCck$Xn(a>A|m)c2WY$#z+&XQ0}}--qk}6+_xxgDYB9rS3~Nc@ zj{@q0nE)bNp;qVv;a^0yL{Y>=>{et7#S^8EwIJh=AND(-eaFRi5B`;ADq=IBk}Def zEo|K90f}M+W@-97!)mR1$SWZ}BvSGvc0Mg-)>JR3r&TeF!z!-ELdV*^ByPY^>kax_ z%91_d<=J6^m?oN;`FE!Unspt9NQxFT$QQ zBd>(CP`_xW850qjAkh0W0W^(-8tueGWn~!TS5Eb#-I6OVmvt|u6>HhX4Ix%IA1<|6 zS5YEgo57Q0e(;azuDAgs`wTF$8U8Y|=OC(gmhM3oRUS7o}o?!)ow z^~XsAVjJMindd^stCH(O1VSaoM#-18CtdTldh=d)B;WBE&A(9N>3cL!)eo2&dtgo^ zwRH(`x%j*KgnwUasLXqvH|Tyvc=jZ+|5)>a1$1L`bzk4 zCV0L@?lX2rn8Y|FyidZ+r#fwZOse1RP%Rx`Gr{IFEwJy?IRdOjv%OOB@BTUC7wJ|R z6Swd<^xx4lY7$aBSbwV8Ca)&}W1=T+9 z_H<7`p0ZuH7;4n-(0k;t=IoKOmM3{sHV@tkaj<-r^mUu=I|3-1-XqG4op=!{y5&P6xq6^rrzb*y>v$an3_{PVh=s*lW807SU`-nS+Nt0k+K;|x1 zi8vs8;qEwXFqkK{IFPZk=Fk~EaYt|bd)3CPNDUVMl8-}*SN1ezR>DBk7K6ia+C!i^ z_zgG5_k5CiNKW9$>GCyN;J^#T-R=GF$NwDmlcM0TFZ~c;el(kP;`aion17|uQ``3J zju;_P?X`+d4XJ!PtH!B*Ka4@5Lt`H75eE?jTiZC6(`uvuv&&E=3K?v_4n-6C&Vj9Hb4ly1kaAipW7wI>g z!r{i6ni0WQ1TO1Na^oO_Y8I#VmBM3BOzB1=lwL^dZ3vPedVR-=O$?0ZZ2AQa!6<<( ziW`E&8iKl%l_{dhjX-tv;A_jTM9RSHX`#F=#Vy{vY^p8dw{K1R_U_gjk3kpgsI1dU zoXM<;I!tY~ZykG#%_p_KuI^JN>AjO}R9|E9(lUNNgmklgcu4x4`yg0lby+lwiS<`Y z2O!7kR+J0d7c!u^;5G@r3`P6P+YDkJEsWE;Hav}8V}~$q;WbdFWlSBQryGtNFEYa^;SvYYjoCr<0M3hIGPqG z(xCCP1dVgYH-o66LsddRHg@kP0RVu{k*15qV1={q2hHkXuSLPJ@;AW^DXT`#ur8{g z7!v>u zrs&eLnd!$p$APLHnV=A~XBZf+XrU=jIXB1Gndf!tN>+?RMkDA&!eJad2~0E}#;m%g zAuazLvAE*qgGttr8UKqa<+(MNelVt!TL+Zk^;ec*6R)lo7FR%5y!-pYJ~TL5(;(7u zu|De7xn-|U_wL8~R&s&TH8za`(qgnyry|Bl*u553b{t+#PjPh3%A9G&x`&CoeW(N2 zpym6b^6$G*X}n+hvktlb2E?*HZuu`Apid3A*EgX)pgqrc1hDgYO?&*i74W)D0{b!7 zozn4|$?pjY`HCi*6J3sag1nk1n)D!z4v$Y_v^jS>3J|dc;}m~C)zVi zRZt;o=&$S5{hNr5e+xoj)>=Vh_DJBpq~Zj2b>PHRFlc#WkdUQ}*%WROZya!yVQwGB zj#+jGmUCfIo$U;)b#;6`73K5<9I90AEj<)NJFhF$SP~fharlN;QX_`(#aBMW zboeZ-$UI%dP^UPatZyTxYQ};1l+Ud5* zb&oV7D2WzMeb|(VV0%gqAV7fO=Z=Rcw~Lyvbh26Pj3T{!@)qzN#TXUBzNL+v)C}Q; zfR(4=DdYkm1sZsdNj1$2Jr}ToLBI}X|6BaXF}q!yB7nw=f}(Qr_W<6vYl-2}19SbI zL=H;44^5dc>=Lcd<u%1DvZy)NfO4okGZK8(*>b z=#9{;<9>k{xm9RXGi-%MEazYHl>mn4WO_vOffYLTc=oisqIp%NOPM2Sxn`y81xxm( zAAFm5Sm)#4LjFetCx?9B5^`Daf@{77SL_*s9YzTQhgluV;Mr%`{q09>!L&1uD$UeP&mMdXTVu_sUNe{VZ8?85c?P+4nqe)F-j$nJ+g5?Wisn3n zlrj}DU*vJlGy{Y|AULU#22F^>6y_I#xiQ3Jp~Wioo{LnIENt+w0L_jlW(L1r`QklV zb3NSt2A?neF~Z92uOnNE(Kjk-^#-<|$W{HG`+Xa!;uplolNS@|bmXuc+CU9SKD6HZ zUagy`T-CK)dhYMnww2{->v+o|VVVeu#;tt9-Y`N+Ai;O24{{V%YZ0qG(-${z8K&Ll z8zu4e3IkQ`pC&C%+VzyQGwD=WjC;#yT$W&|-Iras?W?B1)>GH-Vuw>*w~ODC!?`+I zgDl_p2VRV+u)2dQtdlL+L)L$>+smo7+SzAMi4?s>b>3WTZ+A;@$#Hw>f<4?*YBI@N z??HiH`n7WS2*#DI5}WDerxtf zTNb)BRymU0oV))%bDt@?gUy$S=CYXVhDIK(VfZ7p?QZBH1g@VEx=f#2M@zpm0;SL^ zDV9H(6JG|ab^FwrQF{+mg&xo;xr{#!m@3ca7$`4$uh?0?R+Qwy^+fuzuEXxTnHKkc zUA_T~+430j%YdzAu6I#j7}N{)@$YM?-W-%KxKEux!S<2*;19#c=y)1ji?beMKmLcF zy*i#-Hq|wOwQ&)2A6Mt9v9o1@EmO#AxT15cu`*`4(QD&u&fUF_h5Uyb5Nxddfn|fH zaeP#^M;_qf8W@kNGmMs%39y~T>W{-O>jGdW8gaA!ycnC!Y52hh<&gx0>V|nwHDrVz6sc5zROEl2xAlM%+15+z)JeeMaZoF1tq%|OQ zyT-*^t_Rb}`I3X^YRE|3m-QHo^i~18kY=ny(bXNa0=c8cl^RUefYyg^hO0(;Ux8MD6zx|F21wsh z)wB51kjE2f`vi*N*&k|OzJ(S@CWSG-2nXxh$@^DH4x7WvQkm@s244x;4gY|!x1CWn z)mv=VV}vEz8)UYN{RnKjANeb$A60V4Z7s##!>sn`T#YR7b0(d7vNx>w9Wbe zV=woQ9R`J|cKE6H3iViA)#h0#tnl(KB~6`IhBjKr&&ELV3Bc--4sbuy-Tn34OoOFzXp$(H(CHA#KLIv3B+YIlE-{mLO2I@dg;q;+G)t+(M%Ue)VSk&EK zZv8sI=U{8o3-orRUG}}HA=5;dvCJ6h9Y^*T@a(9jR z_T4WIWlzDiCrU+CBh`?aI3?L#nfYY^fKt!R;vkcG&VYN49aS+mzVAx1w1bG10BqXz zYzCd}(=#q%6E}cLLhAbhR6jh+!D2;0%?IR|OMrt7LV++=pSkn~8h!j*Ef;Ozl>rX6 z(_6s7e(NPW@6b@pjONhh$+dWQiGB6scPb)mAN!C8$>y&_+ssil%!Pn<(*Rw&#;fN7 zZinI0B2@j7t=x8D*q@_k4y2gI39^2{Z0E<#K?f9q*xHX9`V7^x)}Xokji0i0*`u8r%X{_?EA$JtcK?P`-&pSiTUVObmFna}V%FS$K-haW`^@`5 z5Ym&Oko;w`>agnx2z)UQg%v2gp!d9?&&qyVHS+88_yRxI%RERNrU+(LVvMs4H(c*( z!W#-0UFAe0vT`gdnG&}^PvOB@*2GyM!{b<{z~+eE+OxM<8q@7hHt5lnLGSeSQM>Rh z+efVC_K>_#WmnBRbOaEA8vgc}1;nV3F=A$Xx)3n46wG=YyFwFGa4GPEm`}|nMB>K z(DHBe#y~q)MguK>s0vGPC9sG`4?47&a&#_{t1YY;DQ>$!tE+2FGYtDYQKvEUP9Okj zgXwb&9gd#O9RSh>-E;%-d57YqK>jg;H92WcVV?J*JIF7kCfKS$G6Jv5df!K{FT-px z?Aul#JMJCbk^Zkw#hm6ax&0-oZ$VDBE+=8bXaO?oRfw2J$l=rpXWO?EJJb38R7h0qJheMW4;$vFXrmOFD(*hD`@0_z?0NJk-HQ*G6P^Jv?;Wd@wUR7+A_sUe z!qd%+rxh=v%wE-xUP!tw7djH(Zrjm@f4S9tuR03MFDdI+CA>ee-~aKw)TAV0e$e9S z;aT$M?7WAJl~dUsfQUKJh$L`Y3`g$o!y z_c8kwn5bR?Gf{Ex`~4o2G7|XxTYB9kPl@QEf1={PM+1t`$QWz9k!#J{%!-jq+Ax?; z*@~Ul)H^95(fAb+EKo9#lf_qr35v&pNwkYYUgY@h$2xm$5Q6oeb*=Vf81;Q&qnBlbTp8J(&2X?pWBl^Iv+bQLmRb;hye%B4G}w;Glio6S zAE}DWP@Hb-L$8)GDuN)`2(wq5mvv87g;VOh3Jbk8qT6~dXm`~8F~5V#fv(PkElT>B zx05$Ee>?9Q+_2XFGl;I3${@61@F}C!&|gh|LA}a2SXOg8!0Z3l^@8i{f8feOJISK0 z<=L)(>DTgLWwC}3)H0HUL-Xz;r`BLh`?LU=?XHd5RW%oJZPtcK4^Wt*kJ|lly%cn} z_x!8Qi@Qirw1Hd#0Zs(_6{FtMF zpDKae*!hu15RYz!@IH^|ESNh%fffv1ilJC^)xaRyBQnW0aUddTa8yEY5bR{dz6EAm zv9U4hi>Mr|mCJa~fN^%bU*jhtrrb4<7Iw&SKG$3zpx0z!^4-3J%*-dd1+YilJS5}X z`=N?fS&zxTYV#qa7Xq8fkQAi>ph?91R8pg-HeNu4N8W?2G!pU`C17a=IZ!%`FD>go zNJ|Qq9{1aPA|15ywcIaz$8R$?@;$$6^4uc9qQvtzKit3 zY*Lx{tdmoh3DvGCoIl7Fmb~>s1}v1O{r!x_f3W~cRp7LnffkyxI=<$2HxE#E%)zlQ z)Xwo|KX@v9fGU2&rrPf7VB88774Y$NsB=Hl(ll|i=*Q~B-%&c`wtpcJQl~3>0(?)) zhf{RX@UuqHO-bF=BC&bTR6%8y^>DDPMYD(eoAEs9P+5%&@Q%-&dR%z1maU)hXcu?L zeWAR>CzmZ4B#h@C&(5X2BcKKNQ7()v4f>Qq7&{&5l*LIjy9~oD{)t1ih zpS>$S?-g#?9B?ckz5tH!^=5K9z2qg~VNTHa6T-+h^`BrmWFG8z7U+Bgq81;RU^T4Y zgt|Xt4E1B65NlOZENs|oHN{ES5*It7137qt8?pX4?LIh-x#)qu#|y%2H~3Nfw2%j_ z%jMV3d?Y^V6iUw0q$^R)-@R*&wEBG~Ug5$6!|8{_^*|e5LSb`2 z@ckR-BW#2EnU{lQbx|McaIs_moc~3AWd|s=K^B@qTm+LTMK!HcN@{|2r_`#z9lL$@ zG~v0rN1iP0>NNvYjQFHJEu)d_xehZP7%ksRj`47NeNzFN4f+@Jt~&8ScBLpA&K))kuYF7+lPd9H zPizJ0mOkPQomH2-VEJbGX+txwbnH!bu$6|}^ZwhshB`@FHm5foDQnnxHpp)c*8dbN zr7&e7+rIvT;6QHY-Pb|x@A0=*irvvEEG_t`&I(-vgC@n{;wU;)2EdP%D({6yZeH0wK-vBcMnUh3r%%s>f7;SG9+)SHE-qx8gS-7>e(`%Cvv8}RVJq`4 z9nZpYKA<)k$vHPPbH5ze&&BV%$5V;003LKMP_Wjr`ZQf<=a#*(ck1s5p*|YUL3>sV zivY10#pjED(ZE06rc338ed>BIHe;yX-F-M)Ex*Ty2=;1e`RUwiLhXDsSlxN$Vf*G~ zj7{GUUIF|aAjIr;bfUY7yW|7+-FK%re@NLp(n2RAN~zfat;x3HOw@9OZ$N-z5kU-> zBtPkb@(56yFxou)lAJFu!W-lN?ENnuh}d;O00REn-BOC+DjPOX_uZsi0_|n+0Eoz_ z%lTLpc(J(91)FA}vKLgT77>DxwHyRTHCs6qS~FbXc6+_Jct8(2efN|sWy!dy^;DiNDquT2_ zF8US7v6@4tvpJ`@urSS%x#FKVhg$S zj$V$w(bXO{R+1tJ`&;ny;^2m;9^WwL>(ESbCGj36DY|$BPR1Vhh#c0c&x(ZL!m8s; zT|)lVF^}kY+zU!;C7&`C=c$Sn8e5Fg48h#isrJCph!_{TQ5KddaTAqYR&jx=6rkgR zO^G|wZmZ*3$VNUF(U%+VvMa+t8%@JAlZU5-4q%S}XV)u#3iQ|`waLKNdE8`TWiA3G zMpjpg)?c5yaeO5i|I-~OnpI7-o)e-QEK`Y#moBj|*4+P~2qsj4$y0HAWLdv-Ob0Qm zk4m5Gm2%{d04a*7Sp0rEm*_ImjB`)Ab}j#^+nJRl$W?x@Vbn*bc|MbCLj%4*E^%c~P(r z7NXw(?(7J@-s>OJIDg>0pn~RHBJZQ%iGBGMh9HiPDa@GLpKG6UVll8mo)O5I?&-Qy zRVHIIC2r;;CUU}oRi88z%kIVSU4Hlv2FX}3Xs7U+t8xMk@H-GTXqlKMO zX%0r81Md6@-0XSQZ);Wo@Em_M;f_wDb2cT#Obk<8mOKIU2pD%u(=q&|6r=>ECXq&y z^owNmr(Mm1%{9qjwQ7i;K5a&AJ~u_ww|%u1k*S$pyOHfy^6{z^|BTH(Cw5u+t)|zf zlt4gcvD;bC(kQafKIW9geNCZ6v5ts1zkdO8132(og#>Hxmz7BV!65(q+5ojZbCM(} z9aDG-%Mys}!b(NU5^r+82!=}mHtJ1)=Lo_|j~;M{AQ&)fxdkk| zo?t35)1hMt@HL29D~R*DdX{o0MT_w-EdBpPF55~zT;cbFvZbK4c~xw73nI{ZL6x$z z+%;RC%)~HVR)h&buPJ;*_@@$*($;A-eBX`O{-GuF;ognawAat>>P)$$@=8@y1do27 zSVHKSNGy%an#oUT2!s7EeD`0PZ?C8bg#mL)yyGfKF~FO>$#jAM@q(zILB5+1F>!iF z9cc5c0^K$zYwfXOTpq44q7aZ4*W796mLKu{0|H0Iowt|VaS}}kFL^ZZ8D*V3?H-wm zIQZTFh9W2Q;=DZQ(+AK!!~OZjG!T7uu~CTF4g6m{003wz$FqPaopoFqYY_5YQ@dXI zjY@bWmUu#}Meqy_P{c4t@6}Ez>9laT%S(t{$=JQoaeA*o(HVx1il{71^IDk{A_beE z*bb3qgue3`eHI(v_9$b;84qDf$4Sxb%v?id+}Zvr`xyFX&v4Hb=IUIl1)7{5BQci# z1)2ZDGyfm{5XAZ{wddUftPBRg&1wt++&#-8>O;z9NC2__|hK8^8Gbfc)RVtpEL9|4-kZ5Q`I)6dR@T_MgrB zKcCS5^j-g#UxOYjRMgu4$EWKh6J_pFd!T!c^4p z$PnOj4SgA^;;oB8hq>ejN7s85oC*-o6O#i0umu1Gsc()$;lF=qpXFYF|2lu63cpqw z*rocRT!YX<06%&PXt}DXG!T#%^A-nWL{@&Q$*sS=G>p(Nv|jxK#Rjmcy=%ao2U10@ zTBj3s&`(cw1jJ?+Kkgo#6MGYSkuMm%AcHsONhcplM&9^cNq1Y=m|d z*F5d}=3!o^FA`$S^@?%ED#eO}$D9a0ccP?h+SI|zUN{5fcSjH3Rt^b6=ZWQ$cOebQ zT^t0%6=PDPmaY|~Pjx?O7$gRKJ8P2!ws8mf(%AkR76|+JpU;D6l9XCwkec_J8hbMO_^$)q;K+xWsg+6!BO>x zb=dj3r979+1P_yl{PTw`M3;ROPG}K~=@b`oMZEzIrs&_Qo*iIl_T$K{iy=JxP0#X5LxGs;VC0T{cA0 zfb!m$=8 zsq2dF9uY?t4})K6nHKY*%m0<&Ti?xvqKDYCQcwb!01(NFi+@j1n<09PTXlCZtB1mz zfM}v=mQeMBLH>G4p{&{^(^ht^X6*B1%&es zXJGd4AxGKo10&+Acwj@4?}0)Vz`Vfd7M#rJP6LAq1g*{^tnofB^5jrK>#MY55dln%f-S=x%+FRJ@f zm4$~)Usi8PzOfC1vSN-25JfE#_kJa&&u4ziYC06Ei0{;0MuOcyM*7>%ncRo}@Zi_A(@ zU8%HJu`+qr4nFq!Yq6F`arM7%osYm2Z#>3nGjkP~(epdMQMgn#Qs# zXb)^o@yXlgJ%D(!+M!c}YrZmThrYT6PbLaz%{l27w&>9%wOM53*1bBoL%9k)uiIhn zE(4FLxddy^#1hbKyaKqUGV%hge1vY#;g*sbHBX}6S8ec+q$iu33Yk8jcl?TNk0r1# z0tq+Ab6DreFZr2}4_W-$pVPgWX45YIAS3=!+dn;051x`p2Hm+ZtG>#`9Lfs z9-sxZQnGH3EPAn->o!bw9^L&|U6SjO)0_5rX*E*oLuby^eIj*{5d~Gd+R5C^6DU)J z1L5xzX5x}9mrrsOWIs}vRjw(&luzO`HT*O@OwFQ*Om^4y3-&3P*u5753?%`ZWTnMJ zf2O3wM3afeA+a~fBpz?grtm?ekmP(;C-3t0)PxRUgGTRcKf5jk|2XO%M z=}U2l`6}t3hf$!c8=FCK;vay4(R&S2*t7V$DOz>X&!(vZd6J?-&G|XzA*XY%r!^)f z9*5{w1PfpSj{g8DL0mL`Gh^19=HX)LXO)cb{F+jv&vNSbOzJHHc8znbQBu^6+O0>5 zWj=mkP9fT+(Ri6AS7kaE|LbRLLVB#gZ(}3Don`w>UuNZ-3~8B;1MuN#U9X1>`9)WIXDO}tY04e??nGYQ70#aDGd9Tbhk@0`J>1<)n6d9N zlf*B3^~$s_=~h{PyZV0rlE)(S1*J4&K;G>zw8n57@z?tWpaXvj#xNZFyX}2@b$9u* z)YwX#tCjB#XO&qH7G&aKXKksNVy=jT+m9&7!6N$dW-UUB?e}YnEiG4*@OKQyB`QV6 zwXuG8V)$?h%x1t)kor-^)bN`JgrFW4-OVzUFSQVRQ*6@>dNJ>(?Kf>KP+MHLA8_?M zfPJvoG;y!EU#MEcys-7Km#xs|1lS!7z|VMwI%aA-Z>!E{5#crg=)&|rV~wu>o@C_= zK%Gn}t*O<}u3TLIH7jk8UPNg!|N}MD!GAFwH zb5pLs@s8!MFgE@9C>ZZ<{MjVK1xhOO%-U3w!s!;+`dQsa?4-TWYt-msR~1;Vk8-(t zDo}NP%nl#3`yKBXtwvdcljX*#KPojSM@b$fAfC0vSXQv&;=G%+2cA63cGM@}r}3e$ z($q}{etVykuj|{sf|8V{WuU;}%dglpI6{Czcin2_sj=HO1@1W0%(*l8e2LmqwU}YQ zS05%+&63BI5`hx*B?tm5w4GpF=|ss0%zO-9yomgZJ1~8v^XsF222wi}=Qrr_&?Zke zV=`^8Xx7%9bjm^597e!*P+5lfw$6SV+#xvBw5-L;vj8XPV=-WQ8*V_!gkZ9l;Rp|!Qr-G{>+BoY%a0QbKzqAk{3G^Pc!z@4DMc7@K=lQVQ z5tc*0=J;zWZSz?^Zl^c+XBB*Y#+~>W+N-itu}3V~wNY z`|dGw)a<%x8UXDxi9`CNkKbLEBHmrFk^IBij^ot(?mS)9Sj*4XZa*{AxSsU$$2%VH z%dtT-RNg~D_D`=sW751} z7{TEJbV+c@&8NPX5`_G*krYT_*x7$X-&j3@~E-hW$VV(p1(!n>9wJC7(Cy#Z~#eVZ* zuYkU7Ee32p$blic{$*Oxh75CQ7?2nmU;u*ngO4zvnNw_qABezOVM1{=;1oaN16#pO zk3>DNb*zG*d9%1aYL*zQEVMSVFlV3?+$y6@_pDfUc*5(2S_-do?ek0zz@1T=1^Qc- zX_QvE_SzKfvvAMz#&8Erk|&u=dwvEMIBRzgq8x)|WiEx3+Z!aSr?5>hteY_3Uh4{d zvu1c#N2xDw!Ak?^iuy-{PO#xKv8@-pYIE2WI^L?@n2YQlCCsCke2QGW9@s3%K{A2i zG4E@6+7XLhH(Uq({&p;3Bg)tfj5Hkfeey2tn-4m1;p09?+G6|vQJ6QepE6p=cb745 z(8bGS3da8W354%XiGbS}S9Ed;(ol?GzgS8nMo8}Bw3Mn7wVz3w%n-$G_Rg_XsHnS5sSEJ8o=mI0o za$QGK?T}F;deShOnc5kwaHDj>;o`R&Rhxr;jraPIAnloBz1hMw2*P$^E5gB?GXrdS z+5ES)hx%oq=C{q*Ay5vxT-UCN!2FT4Q5y_T`@-=}Pn354tl@3jN}`ikyr$ws(vwlb zA~}|%&S4)R%Q*-pO(b(7J9}f6GwAv+8OyMU6dV(Y%$wdlh}7rjh)3Zs2M+3k)5&Z!lJu8>2^-9rsVvdgJ5W z*kwW!3fmg)_x1^I@Yx}HsoAi3bd=+E1a9qG`c8=R!d;Mbsb9Cy#cms>>mv2G3-|v9ewC@ zg}`z%E7!LRiPVmc;(rVHRol~~i2~e2zrALA-x_FHQ__xWSzd7IP~OvWl+ew3L8+g2}-Oph{Cs6$w=RbU?IcKZsaw+~?@`#H%nkIFyWd>3EN zBJWe#Cwzhe2DGzT{>tA3H+{okE0BStd50-K&mr5|&aO`Ad2=s#H1)xt88$B8S29p$ zhj;X<<=x6pv%F4eSD>Ob1hAB+6M_h#qI|7CUN(hnKwb8<>L_|hfoTY+j>$O}ggamA zK4I5wdcGzF0JzY`c=-&Yds?@V$%(k&Y*2|D$jZLz3Q#l#L?q0 z?CCtX%lXWnTO@xy9+?%2FnG%_g}Rm&fLWOR90&QX0f1Sk-`dEMbNQOT9z4g%+Jac5 ztNZ?F-4hRZc7~B7sNiw|x|r{8&)bC!u_p7()j!R*gh8T=6Ps0XfD11$X#<0k=s_2- z#t#p0Q40*tQLrpN%VN;`!-R$6x&Re-gN!9p458Fmyzu7i>`# zE&I#)w)lq^a(SNzMcTlmZPH~ZNXeZ7(#SdGB+okHckaL=bZKc0AsXJBH z?*kdVG%x+N=}50PA*Z|Vpwc4HTzW9IVCSh6ryESG?qptF82ATf3a$tyI}5Z0dX~u$ zj+d)A<^>S>#ts8iloq^esu0{gs6Xyj0l{T2M3L=WwvJhq?sHaWjR)7!NlUQ#>GayD z^z{33ee}Se2eYD>@M>^j?S)XE!ymq6rCG?i8+{`qBOl{&v@z{ z5eRZOTXuY{A%HTG%<(0wA}gdPME9u*Rrgvx5?PHspIcb~cco~gHae)1{QVoOnixUq)=S8E#a$!6Sjl?3{jgV(o^l=?2vjwmVrv-%@@>)|fl@aV zc&=HVfAwzb5akffgJ$NZLZMxkQ?Rg5hdLHc!%*^TQa+s^lH!X?qP-T^xmcXvE?@7} zSQc>)v^wKY$T-!@+=O%um!cJYBHk!{(5be{cq7D!q_oIw%R+nds&i}@GDeB(_dI^J zPC8|o>C!RUMqM(eIKyUR!SKrOGG?!wiLK~P&}(fvChKqqx%Q2Vwo11!X3gVY?6$7m zTj331!{`Ar2e?Ua#j@aT$|mG4n;R68vs441_|!kP`L+SHsJ{QP!bInJOJs^V9FQB*95Lgjr5Dfq6{&M1BAdsGTOxb1W zn6iv!od_+zzDXF{cFXm3vt7%vmL|0L0MF}Q^LC6J>AGN$dH|PCohA}!-Q?>ev(_8Pi`0X)e~9f5So70So#Q8K_Sf2h>eo+;#ZaAme?dnhK$7*9~sS8v%_vzh!e2Pr_buTXRvtCPQ z)bdQf`xCNq3KZ>?j^~{xWaM5yapzr@KYSOTv5MmdEw-Cw*j9|BR4ak`ur{sq|VCIK4!WD%YV@yNeep^vLZx&Z$%%!lSfcfeUDJ;{Vn-6e7crB_|DuZ@XLaQK{W;+$Z z)uF?)J@B~1`i}e>40SQA-boLDM7!PXT}vJ$Z=FYdZxTgkexa~NSQgy&kf$P@Z-X@5 z1aN+j-xF@|1P6uueHbiEw*H_@!R znE678E@<1QfpHkd4*>0-uAp}Ba}+Y0At}1b`JPo6c!?CLk*<9`xISz}BiUmg!68e< zg<_D+f&EBhJ3A;a(L8+;n+!Yt3g|2Itm*>YJ^=n07Y&`>A4>Mn>j^v(#giL675?HD ze^!<+e_-3%E`Wq}7^0uEe5i{NigCT1EMe=q4dC{3twH&LpCxhtZR0ZsOyJ*s+*A~$ z_~WqCk#q|mqtf)ykl+EfCgmLlDqKszvrR?Y(o7KTC#b^N^yS>Dv}YtEVDGb&nj=In zglngo!5u1l;#GhdR;iT4X@Y{wW$7+!x6-%Qn(C>gPFc5)e6GL&xFw6Vw{PVul7Thv zNHJL)^--_Tr2>)F&ufQfD`}Ko_KQR50m(1ZjACWBLYE0z29HdFf7aMn|-+drt2eO6y7;Pg+M+9g%-?u=x|4o z3&RcdS|eh-4_2f@d!xJ-Ezt~q+U5PVVa%`CJ{sH4(fv}KU`x_I1+4M#R^?0W=Ngro zA*{=;_Uq2WMTg;qFosL=HA_Y}rP1>eC0UErsO4=ng1U?MNhJIW*-7!S8-Ax-eS2^WW` zm{R^;^C#6bwF2ZAs7DkZiiX`Y5+H}7VyO-P}UT?S)%EV^d9nq@W zM&Skued>ElSZmBYqWWs~w|C_>K5d95RE3Q6YQB*U;w&?4ZJCYh+yk;aADX#D{tJqnpY|Sq zrLy4$#_@RGcSTM&&xau7Ts%3AgQx4sL94Co?KqtW5p7g}RFqHQw`23*>|eNXb~@ph z#aDOzSZCD+>;V)aG5%TmdxmPtCo+8mejfhe$^tEb2df2Ndma<yPP^L9Ye$ z=ne*1@4GO0pY#D_U`W7l6#rmN=wU@3-sxXH_Jzx^;<2j^rNiyOf#-07gEywHiDqY| zJqC z2|2u+e26L-kV-}ChpseNq6}?Ry!}8Dos63eCkH@WZNTVe%d|H+xs1RuIkBIIrT{P9#z^ppjOKb9L!T|RVI_ck#0T1=D)MrCLEV;5zfm*JAsRiqGP zlKq5`>dvrH!E%1_%ZsX!sGZd^m#mQ}imP8kt!%SO$@Sl3#iJLfGm-{O0VJC!)CG1w zCiQ75*U=9dDIuk#OL%@E+}`|VXa#$Q)Y4F6vC^cyx=J7vuan} zmts4aAbw(#FOu%@>?WHgo>J52+5B@iWSJGQe1>T-3&5nmNYuk*V?Px!5?%LzCWodpC zHy3ni8^e29SAFQL_AWw7jui}51AY{aa~Lkv*+elDCGoZPAl29_4v!uh_s4Cv+Ff4LCUE-y-($gGrd$YK>P5)ROw+ z-}=lUF5-HgTmbr1q)rVICJgzYe$tVnWQ8q=ytoUy-|z#suZb#ga_10q9F4FdATb@c z{a_yuW7qQnckwf1-FJ7!SR^%gtcmW&I7zlq_}v*OZvKo+83i(6eMl}_g`M2Mz`X~; ze(+8%cnS)+HT9usVVnO{sYafY7rrSuvK4lz;0%eaa)p@YFs6m2R4{2QN5Y;585L@V zFxTgOGxpQD(aGja0pQmP+jKl42PIV_Dfp#ktseHHCqE1~`A}Uz-SrgacCLqYkJsms z9@usIh8Owo#Ykz7WnH1x3T&2hDBjVNIc$4*nwB`k#cOQMW=+YzJmk& z)2mPSusX;Ucz}UF-0o zEyW_MS^C{)s){64z=ggk4`4Zq&o4KV;ThFRJCZ1QzuX$6BH*agCt#!wXjDCHc2Y7E zfAC==geA*C3|DSaL@|@1ZNzkmQa(al^ko*Q=0I}I!bH<9O?;EY(Sv>2Tq9RqJ3{p91B$)0>(sh%4_ON8Bn>dM;~$Qi_sQR11K%^!FXL$ z(?b6H<7ZcD8KqnCB=b3eVe)T#LpEI(pJJ$rF6b}PvMwT%#HOI40)Z5Y# zhTt>YKyC&^viy|oCW#VN^w@pGpKCW?VWy z;&I!&IwERXJS@5eHl3dG)R!bku1HQQ5v@8NB!ziyxg0L0k$Hclecfi3@Y4S;dZ9`C z9K6~>y$p5`fcc52v*{79JL70}2-7tTI8l~1suOay>d$SsT{gyq6vw6VCR!HBo80`L z5ZxXitFd*O2K{SGn6d!q5hiAZG@->bf%$f&c|w_067rc7F+(sVn`W+~Ta0}KGLaS* z9^4zTn@ITvh-t5eAm@;RP`lC{(%BS$ia0lDG)=m7Qf<^C3)ys|qVV6bw^jc#algO6V#O{O0iNW~brcEy33pjY7B3sE+JD zg+&|HMSW=omrpRajzbK(-E==9{D37xP_P9AC-t_AIJHR7A~!PYlrFO_GUg|WQF@^$q z18DR%2vuazAe6*}Z;7o^IQ;fZ5L>9LIUw8>1pcDX5^@0y>*U$HA;4SbDN!{8adm(MrVR@jwGhQ6+PY0y&aFV}lwbsVo9TIDVksa5(F zteod;#D=1$Z#cqYW$KxC!Wy*P;3%_zdOquDWbvWg1KE`6uF!MKI?|(`X{HO3dRaTC zovJUJVWdYoE}~D0nxkOT=`o)5sUJd1oOZ$_n45s;6sr*gFZ8$pFyIsXkY3uAczE)B zMXX`Xt@;UZ!rPDJvG3NwPPs*^pf+LBK^xPZ5aE8f7PXJ7*Af)q&Q7)0E%Fi_=b^FP zC&Am#s`p|(N5a4z;v$1>z|P^m{D_;!hkabP3Hi3dnl&c;>e(o-I%iOk3+_XBP*U}U zy1JbvY%}^1Wm6#a$ev9U)`ZM&x&2seN4_Dyif3j^T?hGpwJ&r6ZaupV&U9-Dh&TS& z?8%l~r*nAceEJG-o`^W^#G8JxC{Yo&f6s{fjh4`+{?zp2l7<3bS;IRoq$(FQ^x?Go zt4~RiB5KsT9S9+DsL9$NQf1g5AXMtpqa6^v*tO0=7WTtu?IE8Hxi~^srkB5w`1V(5RX{Q1DRM9nsP$hpxEO1p_259+eQJL7)^=L0 zk#zrN7}fhK zt5;2jbk0J6X1xuYPmmoU5#$AqA|ErLV}OLpICuzu$+7{I3oz0}g0UkPxV^JJmr9>L z`%>!;m{u1SkI<#HP94(zK8@0vN!NIr;9$*S&d1O>JKYUFQ}}hHHIFku7{^yHePKQ? zc(eU`d<&vfxXb^3psq;`NFqRZjRmW=Xz7@X4KYtq~mv z@0NTS=n|kandhCT4~WY()-E4V@Z=&N^xHXR122n)HFB1t?ZT(Q^?HB#N747AFXJFz z<_nYl2Y^}#LSq0+oDnTFQ8r_tC!hk{C{(hXe&5$q%fl>ecj|G>plk%WnxJqE~42eflNTjz|MvAC3s=ek;QjqD@d zoT$0;_Nk9`oZF?esQ3!eBQEE&xA5pxrUbLO^oZH|lgzH&M!IWzpNQ9+7Z+Cr#mO)E zJKn3~;Uqi~#D43=w}~rAwtt4V{d73eCH(Xgzq`|U@uSoaxEe6_ z$m^g!J*|jLKvA(o&swDZaa#O)tDjARqn-FR^0R1`_R;2KC4-Jm7A|nqE+-3OEC!0a z{OvlABbc-0kvDl;;py0~8zGj;XtkN2=X=4*)p4zv#+PMLQZdnLYX&yaoJ`$e+nIDt zy4M3gZ@$@^UHvfcgXR#q7}ESV%6w99G_?!#E8n1FB%J%>QrUnhB)C3sdTgl90F^!O zJ`Lg)va3CkfRpwfMt#Me436%V|zN>UpNr)sISJ_$MR*#ONcCNqw_D+(~ z(#4@MQ{JB%8|amD|BAf%CtM3~e^1pxS_XORzj1%HtLqn$Wn4*}=m0M|PYy_*`4nWF zM!wZR2?^BoY}x84!rn)zoDhE0lzHf+*96PwI zF#-f)B3L?`&~CFIT?3FV=>YDth4GM*04h&c{b8tG(&q6PA31jDHv?=AogR56{C~LU zI|%Z7#hMYX=h3b_8A=yav@pqgf*=BI9_pJd+XIa?BPP*voUG@!^>Q-?Lk9PzXW+BaoyXfhg#WGm?E zj2onz%sQO@%u9#EkTD(1m-^r364g2f?^S#o_YldTV4gh6ffjV2LC%}oFN>H)$BxIv zt&H18Lr@FV6DD^wjD`pFugpK4UM6}mUz`u7;qn=uCfdV$vItt=bn#_h|5bW+p-093 zrt1ej(&AJ6&I4xQ4r-Tyt=U43%c1E+G?C)YJ%@VaP6;8^<>~Ste~Q<(=Mm%O&=509 z?+BDt2ZiV0;bmrlis}nKr0YPSx8M`cL$!i>d$%Bk-g!6II)x!3&fDlC^Lc35#?PNj$6&OiMWRlz`gd7DSM z#|LqR-1cz3djJ5PGfHabvq2Plj^~XO=hoVXh={)fIExqWRWF}CP==|+xm#=U)D!N` zL7?7>54gz(gh;92D40WfH<^)QqhfbLgA_2g+{F34ExJ(?glq7xoz#$o@aCyZbH{i)YdMzd9iRcO0^fpDX|ZaHpLIP`bDO2#mf#-oP+4sT#27G#5oq zO|8=zT=86Fh$vG#Z(R_(Ove5MY876aCo{N1I!HX`+$q7fh8uONlrYRU_Z1h;ebBt7 zFOiSll|uqN7k9HiPFHe#+6q8)n4ff@y;N9(R5p2J`59ArQt9Fth+phcmSr`er~i%{ zmceAjd4q1rgYcJ>eK0scXL9cLsKQ<1YE+i6egWmng$26odUidg4ay4^brJ^p8nG?o zVESlf!svZDH@BQBTq;KAZpkD&7fixVpX1LWIC~LH*MAZGRz%Oh#D5uR$hnFX` zprq?HLYFg733F|*b$%VYH2^detRTLm@AS2dknDHnNA7CXt@V(TLi@pK*Um2@`p#&) zbfu)Ot4qx#!kRUZ`z||k^sw++k~OEC3D5TtVQPhX{)>%s1@oYZN-FUdWmT;AXOn5* zJY=@C_&B6cAdXe8`k@^2#n&U&i~aBRTW`1O9Fv!OyQ}-Y_w6U0B7YzEc5^!}bss12 zb31OcVBh7aWveuzI~7y2t@tk%K!q$Te9P-_Q7(abMixG2HXdBfEywpgC_nD<9M$*J z>(qIa)gq3n9{Xf(_N!9BGsN?`_|**@qGF*Yl5nev#?XQC$p~9a%b$WGhSf>}7wQ?h zcJE;gHWZacUwz!c8OKeQZfAXVT(5yhzW#vsBs|zBo6N~*?3>}vl0YHzSob&3hg-~C z6q&I+akpf9^FW&!lrMO%rpw~hD>X(=V@(P6TsyanpTOhIl39WPzd~? zdzp$BdTrJfRo1s`fUk22cn@SRkd0UyshczlH@@id>K1M6?KKU!E=0|fp|aU7__o;7 z8mxcvwS{yw_Clm`;SNum7(JJcZvj~BM7gsrAtkz6&S(uVj||nzP7;ikJ)*C0hKMfz z%8aiUJG}iYxLMl~MWlK;sM8xMbvPG2oqIVNl;BoIvo?@lDDJs@Mr+abF>;y#r|q{w zo7cRjAcY?o^YlgJOvRezoz5)UCw|Bgi*pm(WOV&Vy1zW!A=&oa2d?`vV81itA+)e-07pQo0g0F71{CRYVIA!I3U{R1}RQv z2_4)W=IlgmxB<9rENGb1ckFBh>Sljh`TX?jppBxZCY=I(Vdri|r!&DtB&WuxEm05c zB@}po556fQQ$T!@CbuD>)Vg!uTEmQ(Z-&7r#Gqk8NO_D(J zbmcX~`2597)D&%0%I`t{Q}BQj-s;56ad7F*C;D*qYhwFqZkzXZZFT zEFl{6q1&MXyLf_E*|K`j39XsS<|?(DdiJXvRvmGWrf?KlsRwKQFl?AyAHM%;5y@83 z+s>{Qqp81^4li~t-sc-ofj(lM34Yx-I-25>%bSHv)iL8sNRGvtX$#by&a0#z6EO1x zpSX8LS*jH6yE|i56id~|AERY|b(^uXo5zE_^hh))wpQPhGuUc@Q3gJjHEnxxp|lM% zojTt(X=mp(L&=@Yvp016?%xnUZSOL0z9{lM%!|B@_;7IgOrG@A+Lllfx_(B~`J;Ta?2uhFZ0b>6b-(5w~Q9x-PkJQhWd>`6h zvcEU$@2Fk&A-G+0$D2$KOOYkh6qVQ>|%Cb>;GBQ z(Ctl6Ztxoqr93uE>}z1c>XYv{zX~Lv&s^bKXl?*~%h9LJr)FK5OG4*_{F&jQNL=0BXIgx#y~ ziueYxyw;3HS!uctWjjOsb_|!XRt*pjsSUBl{UfcG8GSq|oRFJHaww7*BXzkk8$ z`FjhT+j=gTl>Zf+Jp|a=G~NHK;eCkkEBq-qXJW9IB3XS{A3=eQ6$7GQPrmI-jd8}) z;Why5mXP^QJ;vqxOKan^)#-r3$K2ORzk2z8u~jdGuhQ`itpn3`a~cn^5q4K>-a229 z(c{*)id!d@7?h~mH?}?v688d1kG4@F(p-~>QfDjM;60+nG(4P3c}ldYy)$U+%ljq< z-A`i8*Jx(csoSH8KY6%(et;RP2%lSze8Qec(s>Zrc)_6X*{k#IWNDqO=Xy&<U18*wt#VbfqN#V19fVL-T%=8n zHRX%~vDwucWg_z5YsC&g$jwfr% zhy!Z~#R}}17%750-u#N~`eq>3Krm9wMvdtd&KhaSo}i%SBA46axAIayN#R`m(XO!I zLM`KtHT}8LhD@tafyLkn_SK;x_i4N>*Ocw|g@HJ`(&u;&i{#uJ$l^?vJ8U!)%tprL z*w-`1HRznJyH_NBd}L?}h@!B;n?~E9O-9u#O0E#p z>xgt*dAn`GN53C2vTHcCh<=x3<|CVM$o@!v#2nSZ4jNbAtVHGGLYe9vl^?|?k8C40 z0CGS%oe8*)qdCD<_U)G=K*Z)wlL(e+c1r?YXu8XsU+>d-!UEbPD=3X+<<9_SjD~Ml znfjUE_HBWQ^k*=P{vdI@K$DpR+_G~}rUCsxVZRwNbHhTIXu=4|}W8-aNlC|w` z(p2;UXEk44^lI4ZkusSvlo|NC-JcYdo1<_m#K$E==@Xrclv2cDrqCP-vVG2$ze;!GJkX zSNH0_E8%SHw#f79E57yPj7^Jd1poC;o^Y@iE*zeFROZ;0rB+U?)5f5if%BNsC`s8R z9}l;pdv6KTZ8t?2WbI~(Bf<1+PQ$bi)Q#-qQlNuo;s?KNHr5J|8@FBe0^qx#RpXgK()8i(EK@ujt$~oTu%t62@2%d+ z3$!UV2i;uHhF&-721NsDx3!ZxklBY{k>qvd<_L@n|EuH2b$aWvoazvd}&?&`~nEYBhb}Bv$bFF;P zC6>4sQvesYHXKJvz1A;d!#BxEl1Yip_@%ivXPV0Z{RR7B6 zxl*kndpKT4h3WQYcFD#Pp(JPh@Q9E8>g{g<&Ga0&-m`7-%gxu=K_lY1-y=Z1TLacY!&qhj1qvl=S4in3aX=-o7Ynlh*-cb%m!n>f11Tt}aRo{y&(u?Lrq`a`DaeZO*C$+!-#tXv#pCA1v|L`LN0!qP zTJ;eW^a6D!M#YoJ&6*kb&#yr>i~gbZ3%~aPnwBAA^TFXO=$k z7HRl$2@J~R5w`+7jLCGRut-ne`xsp9#ejSOAX=Xkw7SFt<2N>xd^PY$L1E81F?~IF z&GY*5I7?(QqLj;7n6>O(78}w|J+%RJXqE79Pu2{p>yUcR{D{)f?}#wF7^vwbjzd(< z`mb(cFdRTFnn+fP9}>Sb-!cRTyrd}3p^CU2Gw-nEB2m*IKAs9EnS*%#75s=KkoV>j zNb57W4RlLwZqVK2xrcqnUPp$zZI{h*ly-gKQ$vXtv^+h%393!uvN8c?*&)=nSrfQJ zJ)^V!5w`V$=~#Rs_PYE9;I+hI)Sl9AfDrSX8mGLeNK7i>0;@^fRRdj3-=8g=BW&D1 z>3sZos8T&lrkBp^rrYYSzb(F;m4JK75S&MTTmLD>@ZYlWuph@_AJc!YQ?<92>$m*= zW^7k@=9b_ieI2F2=&e zsC;^MJ{MGITM7z(tuI7D)JWYYFob}~oMDWbOI2sh&T(n*S_iJ6jWKo}vSDiul~v@l zSOh1xQCqOa4j@_n?p5^Vnrqo8)j8;t@`1K#+^Hyvv8BE%Y^#)CVsp%<(Q)Hg_@Bej zud5UxLNz*pTIyn(41iG?_!VC7Fc$S%boCeC*U?0$!mkP#691~(|4KMYv?NF&%jn_X zOLisvRSYh#cS7H>N9SOnV&JZ1ob&NNYj)gKl^<2z7;BVMuP~ zD23n-HJM-!>l81I+?v^Izi!DIWqPFedhm2g6NT4BbLn&JLp?<3;Qf(9sn_ z^n(=|5s+DzyfCXBR1m}q6zz+*sbQ24XdzPs?^Y9gz~ z<~zF)$rnGXY=p$(p9JX0RSV&s@ z0X$-@Raflzt{fPy(9XMR;2sYgUhqGL;z4kh-9W*qs<-EAsV20|2XA}9+c#zUfK*5M ziiF~3utGVNZ)hKZ^?UMG77|7K<66{ZuN_&R*OLZcVSuVuBF-i70>o{-Nl&TkCVR|7 z+4d1O!Jl+7jTncl2@Njs;2c&7

RRYo)Rp&DkLNw?o*lGg)n7kYs#M;78Gs(;AN6 zkH-hXclR7d2R9kNeJF?HTPJtD>@-k&Yrkudf#a|{PeyOi1`>`z_Lylw`G|~H32HbP zj1*kr1P$*Nwz#H`E_r5vtMFtaOPzzY})0uvmT?| zgKt0H09Rm~&T~Zd9K|#=t{@=-diOa7ohrnz^tC~0ryb#A;FPgF(c6M%ltfM%aR)3# zE)NECP)Dklp3_Thl|^Oyqffzq70g0$?({&35_!ydnfcY4a(-eBk}Y6V?Dyw4G8ge0 z?Grd1u*ud;y-Dkha}`FY;%ymeiMBAWQrKPz({RY;rCVwA@zUq5M9BTjynvm2lo2ea^4d<^}| z^;{~oabw2I;LB*5M#=n3hP>~-?YtFi_^$8$|6b8*G56&FMGu9wu1#EPBi`g(?kDbA zIVe?53_!wPv+%8ZTj_aqD{XJ59)?{cZJtjP3dIg_jxtWtBCreZbSBH`nOuArhfE5F;6jm?=(FjDzd#XCl8xp5p`Z=RZ| zcqu93!9EUHir0Xq9-ZE;U4ZVStqg666a-p484K5Q4DWa;3|vY?6`m`=Y1D*yfo?pG zLgd!rG;2*&6z-{gZ5NpPNlIV~#&zo1*L*K3CwV`-Y z^C~G6W3glw`5iDTsKFWjD!8QaK_K6e6f+leIMrh2(UfRExY4E%ZUx9d79l@O| z@1V{#%{_sqpjj#yze=cwapYtPLyQ9Cx($@n$s(Z%qU^$t`iO&e247)DmN+G@5POV( z>Yn{93h)dV0>AnY-vTGsL7|rPSeh>{u(r6<<|hwTn{623K(Livto7)SlaoIz>NHPl3v z-ui+qTCA0-SO6UcE&){>Hbep9D1b$g93bk?dd(8bNlVlOmjjZ8Bkz;2smJ;OyRk3z zbfXT32Wu)WKVP-@1=#A6URr;UXY&dDT(4|dzs-!Hai;l}iF4`A?gM-P+*UGW`L|0p zZCmb!MLuG)1^~CAyTAn4g?9ezLa6AVm(R++56ymeNo;ircR@tR^K#}D)w@5|uaj-5 z-6STCiylYq3rPRC}8}?g0ZZbBsR!1)yO>I?jm@30ZE>@MphQZ*rLZ@Ymfk zhqKN>q|xr}v3DP8_#9j@p1SQVNJxjHc9PzqJ_kuf1|PEnAl!EJi6HMq$T8MRt@a`k zbhvf(8nm3GN$6GQ1#u53P<1={WLb*Ms0Od=1-=y#eq@^<80cbTILgPSQl&d0r^moQ#BZ#L>jbmK zcNseed#~+CDK|^^4%d}JE6+}}MAvyYFyf(CO1CE2!rY_=8{|7qhRN|ymPz`UY=`Mj@NnY zd@|wZI@~Y^ZuOm;Fr)B&HO)@RKCq*7zJ}BCN&rXM7GWaHejf#yLHw(iK_HPdUCW2& z8^HiY9DbdE7(lqlG7u&5)Ldeb#c%Y;&m03EYhR=ZhFuT^t2vr2fHKHMyf*v`#Sqj& zuj$$VX20kxc6RN-&0cP>xtZ^_ndfV7f%e-JPhcm_slUfwH}eTUq0Dk@NpT!A42T05mE+YVj;XI}HPR0(JQ6|?9xKs_L_uW`ZN=E0fXLPG z*MloWz~Benpt8>j@6p+}(<2l*SN-PSIu zS@hlzjXWx0L*5VSr<&R@wABYhg**o7EfoMv*4V3G0E0BVP(UFofTQd1Ryk96i6`<< zig)$MVqEkGyl#BJdo^JL(tnpu=0hvfB3hF0FIn+INSlG|rBevIBq#d)>#M;KMv#8- z>mC;ja=Yga-0WvKEFZ*0yk@*HCOQV}vh_l9WVKy!gz)E6>MTz}L;(J?Zmh)O&3RaW zZP>|da{ztN&0mz?G|AbSb|vox>DtdIKKXktXQ)L@(LlKTu&XVkx-&Ewd(*(EE8_yc zgjUg5N8X67+i;Dx-keB#q97A zH%lJ~FVm|9r6(cpd^&c_1j)k#ailAn(L$ZRrCpLW@!DduRi!X%(S=a`j5%$*vyjnz zP8`#`Q~{VIO{cKNC>Sr>5Rpvx@L{~4j(dNb1j@Ew9i-aM_Og)ZV8C`f-`V+9)BJ;lHSlq7kS=EJ5necoT2M%(e`XOG=FFfR6-LAETXg2wVP+21i0+g z%vn7?+m!@4M*}TNClABNYV0VDF7Q2EHfpisultWgos8-UMhe(e=}}pctSnX=Gdff` zM@EBz#qd;Ue?ab9Mc3P)?tIy`x@J2S7CfkBbPfMTMQz>t24%R<%x&$fbN}ir-nLHm zbZN4XB?5a1Kp+)+8h*QeXPzgd;w>$#`SI727e1H`yR+BbwzgE(`iTcHag!t}x!L(C zFWBoXGAd+&%8EZFz#%iE>bUXCsY25V~4yvK!;wA)E)#O^;sth}6m zbLp@1_B3#kEouERaXTPkgvCV^=Olf`wsCg0w*1QD>IwL3LSsYQO?TrsT$_5{R0$7c z7`!BjFNSb+`#)~tzEW+@DngLqV_$F<^#-@knvOt@(CVDAsCzu@z;?!s7~>f2lTHBe zb#gw+nMmjMJA9%Ohoba0wE$TQ!uFnMNtsS!>YJ5eOvwbluuWo?9o_Hj3IZ_oV;r{e z<)}%9-@gxV;_t>!bW5)boN?Evk(HNTv?N^cYRz$?hYD%!)!(Hj z3Y&L-C-zwP9^c)C;oHuTHBWCmylU(!dY@RpKkOSk`)!jbx6LncXpD~11^qq*wwEe*DpeyR3 zmKPky-631!Q2)6pU&R`*j>)@>0%orz5DX(Fy*yq-@>b?2w9frbW)-P~#bEoPJs^}_uYBt3+}?cM2%jd%Qs@fF*^@>_- zLN2j0nK|kMy>F^-XAiNWtPy(8a5+5#VS-1~em!0cnJ?*=YTc*TM4j)r$&599^$5fD zQY-VA3!O*=iEzUzfxME3sb-j&k;IB9+uK66!=8cLR(LP1W1T#NLIofpU*b0qfl9fA+5X~-))pcHgL zEICb>mSvWqahvx)8U$*^LWMGt+{&yHgcQ;8;d<^gVl09CH?wM#K<91xMRp)YoBETQ za&WYc(dc9V)&H~`x;!PU1&d=sO5$u!vD%)V`Z$yT<}h)7vO6Ck4@m2y()~NEr7F&e zHiMg^Maiqfc`=Ov0xWcHpeXjB=5qdZ2s*AfDNn@m3+H+7BV6e!0ch}nzLb<3P4eaW zvEl}`4Z|r&9}6c_1g1Qdst=k%cZh%D&-sr*MBu!V@ozP>C3AXvSp*@Q%aofo}ogHo)k^Dw!*hK4V!!;yEEf$zEBSBgR4KEFgZFY z?cdFY^ye>KbIs394%qST8<)tm^NMkBJZcG0H0aPOaHwauR-|paAWtJ{2-S;e^*M?D z2R8nd%~!U2a5PD#U47HSF;IGiL`LcD7l<`(;;4Wl-O(a0$X?jHNgHaG>}o)^ASTFO z;7ie!MnTX3jCdsE&-`=@?9Z8g>j?p^nUm(}_8Uy!i6*AyHMUu`U;4U8-_`=q_BI6x zSn~BfhJzIK7KV+tiR{V-hW$d-N2>KYoA^WzhEJMrgh)rw(Qdb-(!&aEwnsf&N6QLc zq_8;_j|^2@Wk}U^<>(~q5f8yz?1o;ZBoq%SXzFM~}+>MRfYZ&lL^029X zDh~H445*Nw8BsBbo)m&s>H_QKxOA+{J6aGP9Nb^?n)Oo`7?g7J8~t3fr}2RP=~ebe zFOBMA7d=as#kqp%IpCy`%^y5SlX+{IMt08Hkx7gnQcUG+#m?!B)yT%K2qMtxYTM`Y zwCWDtG%>9MTLg8(n=eqa&iNah)0*uiv98<1sm_ZyRH;}){K&NDiiDO1bAOfc{V}Lh z3?U-=TUn*S1fxCUB7>61Emby8SBteH@#oIpJxoRi`Ke&YDpFwCym6CAVy+d(*%Nc& z`=gySWe>}8_;6RsApa|hJcTCuB-gKvT^7%#K01JNSEEhNxFb=m3G#d0ETUDK7cT9d*M`)hXgXx{}Uwk~_T9 zvDf8$&I;V{ru``|a;ny0{#MI1k<^o_c56zvNWi-%B~hshcP%T$>HKOGe$#H^yY1&l z0M_<@fc7XwAk+O7?~Poz$&>tpKV;!-A~cT%eby^y*6$HZQO+%zr~jfsd$(eOHVJ{m zs3%XWl-Hr;47Bo~Ou5QWV0d+vC=2gD@Vw6zMN<+R9;_U1aL5k_ml#%A6#jJ!B%qbO z)BTcx0AIMtlMP9#(a#V?iap}VA&8?QFBTS*asF=B)sSc@0wrq$Up#5qJfLc4<QClOGosYF2IaWrl}~^WU`gq= z5T+jVJFm{AP?ogh@P;D6G0Cl=BvWzLKuN*L6c(mdCs92b6RY_&L-D^L78+$_@Vhn5 zaZF~9Ki{-=D0o0@g_kzfjp(~uCU6`VHU0$>F2R(Ga4tRnM9EpQKQ6rm#-%Sddi+NVgfH6Uq-*$SMX8x!!YlXa{YuL#LYVZ zS7i+XRiXn2|AAdU=f{lXr-TCVx@Q`FB1GcP6=A18?^400LJF;`DAtuT5mw9$CUSTy zuWn8JLSGF08nG6xAsMXkZ**^n53TJ7y`KjIn+74hEfWU*+Bg5}f&TxbM+5kKS`v1VtD3eWX3`15x}$2!d!a{lLCGQ9uG>pE|H zH0aUD{=kYZSUkE``Ttta|M|SqKT1Ji3BLHK9iUE~g1V#a=Oo+}2SLyEYB|?B(j5ML zN&gcz?sV&h%F>K!lG_qz1id0J6eF%PniH`$F!KK27~{FJxN4FG760)hq+pg&-w+_S z5=&+5`j40MKYtPQh}^v8l!mxzcR>ID`!)UVGQz#j9`AfVE6GfN(4GI|W&eY|`#<%^ zDdvjAI1+I{{D1##J$#ZvW@5!cZUV9u{$nxx?|x+e$#Q>0<-NM+m3tHekaKN*h2AiwYA{$9PK zV$eQc=TdcaoepnN5-*$hM(~+VIn`l!ltUWk0ne==bmy3=kkMMWazHHD6FY@=0GWI9P)S^GZFS#DUnY^WyxO*mvQ;6^P&`Eqv&?GJ_5n;dC&8s8OIVuCIXkZxYyFYm(R^d2 z*Qzm@FXs$s_C;gvf*Gm}CDglh8$b>l83vSL#$~kT{@y0kP07kuRxY) z-YGjVADBBJj!WGOc_`vp=LR|?JpdF=BB#O4bi-NfH89ukkXe_7K?wHnV_p!d9vla# zhTiokC`t|7srtUvLEz&TKIkTM$Qw|`Py0DjGMC3dYlR2P9u=4I2asi%90%ncgVe34 z*QX%dFAjokaxfPo3E8rxMWtcy+5jXcHrf>&E?HM!lSm#yHU8JyehAO{lt0_HJC<_^ z*uU73V=1?A^hXUY=7>#!F3AJUYlSLYfKSC&R|7Oe!&nr#<3agyiR>gxGC$Qc@+ z0xb~Qk&Reyd)3|l+huA%Snv8wWb;|NQtim(*Lrl}Y@nj)VgK7$C zaiA~YI07!+2Q_VHy}L5B>6i!4Zqc0SVD$svM#|U~PgxPdi}Y;d`D8u2QR|B9bg)*| zSST1;8ihg&rkMhJ)O;{-dH*ot(38LgJzM9CLNJ3$MdC*-!69snv{@dB$sWP&I&?A` zd&@`njKtzeo?5Dg-;F{N;0h&Cmie^j2OmH!}=g;HE}(@61cF5PNV8g+wWZ^kQ{AS4%PtyUNf*ykZf6suGq! z?Zs`HcwJ)Qs8~Lya9!<;9pM)A@;i$93UP1}EWM&liE%K^_Ho`EGAthqU3TL>!1zWI zLT)4Gy4ym`nB7NyYeKw&e`8d@y<*&y8+fCQo1PHW$l64z=@pf)MDc@zjNu)C>fU&C z_>N{mLF-inn@olkSBJ4?Z z7)L~v*iDnp3Nh+Dk8<6bEu)7up*m)Q)73jW7U#fdR=BVJDunFY%WE_;M^O6iB`bTe zP%)-Th2Ek9tKYoj1ySEC`WN$HH+Ty2C_2Br3$;T&Sp&z9&DqhWRWB&ijB&YVl zPpp!K-ymY#5iI#w&bcds2X~*W* zEMa*ze1YF=B~jT{c@~lU{$c%x6E>0MxBYbZ*H!=sJ2@RO%X`Q93Uf%U;_B(@26^s! zBCA0`;^Te-0K6U{NY}NdP;1L=5h-$tlBMKonRl+!C(rAT1WzcCBUwwOkH8=<9|R}q z+ymB3L2fi~fEUtcdf=hL(L;an(a(=) zPB92J-{m&8bO!FGcmPWjB#`u$=bMhKTLN>^jy4D9Gd{QjJkGmP6&?v?r+_}&B?Pc+ zOMei&pZP%^W+^BavdFf;cJ5pXzyq;hewgp3Hw_hOQxX~$EJX}ZF^^gJ<8|M++IsHC zchikyP`dsg=Uz;?Sp|$HW8_{JyXf@KngFNG6jFe=AvqX7(+i*H1Cf{Vbg4WVa?86{}!zUcsWKX#Mh{*||K6Nykge#o=Be!H7mp@ujSu z^(zm&BL7mC%8ta`tWCBU%QAkQ+=&zxN@pDD757O*WI@_}z%tA}@b?Gx4ZEI`mZW|Z zz4#+^wBbXN1D+yKtq!4~mBXDsi<<4H2&gNb=IX975-&0ZJuB{vgMMQ*CmB%aan1o=yzWKNsnnxiA8#|#~5`dDXG@?N7*wAIdg5F1de&HJy zp%+`_ZYvoX;&DJTT|b#kRby1Xi#@(I71_IMU`zV~)h9ZaAaCflBY2eJ0fLajL$U(g zQ=KLmm>VT4n{Ga)If(_0U2fV?Dv{sNuDnz=AJX-c4=hSe;8z`doCL*{OjC$Lk5o@1z8(mRzDnRAj0K6;n>iw1&VgqC`@ps^9XlMC; zFkm`WWslAWTbR}~BDmZQ^+FKoAUL@}AruGY!*qz4c9Sg2)4BZiBhqdU>BR8@O^<1t zI6GQ>P(99N z%Jd&z0WJ8iaA=Qwtk`~=FaM+p0#kR!f$Xn=IUp(uG<&5{eO!B((N+rh)cf_&Xg=h= z3ZtDv0qH9Ja%9ci<-5IdIs20RZ|gIbb>pOj?@#m8F<`VEQNt<%c(y zo!=2b9}hNFKK8i4U!bzE)Bl*+XHqeP`v+0&GHw!4le+b78%iuloho)s37)eBLpP>F z*-931RkYZ=4}(UFpHD1GnUd2_Mf+W$pKdi=U-_4mS;!n!rg~)b5HzK_bXWFN?>O!H zJd-&G zHI$@QfoFyEJ)qEr_d~!WXKEIB^1xA9HbPqDR8t1Dj4WhUNLKwo*tF3aHz3ir`>pd& zpkIl$W+mJkW+?mq>Z(Qvj<`Sjc(@ObPJELj1J^CO+~tWcaS}bDN+*W4GF-M-<3mI5 z{>JAs-zDntoh$XZ@2a1KaSDQ*U^#~zoGy2rKT_=1+U=IZ)9LYnbb`x7cKErBsvemF z?D^mqc&^sG)Bl7`+MFVktH?mv<9al#(jO5k={MK7{^W(&SGI&K5-+K@7OMJ6<26n! zPM>7Uj5aktAaW3|ADgs^p0q~<_F|Q`|NLYqx*&Rnrt`7FTO^Ud)C3>ygNYieNM2-M z`8oRPooL$AV?$csMJCG#y`j8sRBW)^kccmQJMOB~F|qt5TRQUt>wB`}DW9)0f`W4D zp=HV-6>Ny8H*!iG{9@V}RA%e;QtuL^jY!w@->Kvw{9X;;{(j6`)zRbvE=u+egH3=i z9e&{(oC?^3fr%`95EVZjY{D$36lGw(4ckncr4w8PpGKgddpS3l88C%eD$^l;Pl9U= zBXHyB2!2B&h@a5i0*(rK-WO=`LIF5U;?vND9lEPcEdWeeMWZZ7%v(?u_JAAy{8LKY&MbbpULM0c}uIF*XGSp@H3pTbk+4AbrPq^6sY>95xHFP>CLOuUZ%A zztAxI+7VeOX2$OSqU|livfkGA-8n^3CMhEI5K;mnAR!$B(xo5>Qc?o?(2ayhNp~nn zx6&PgN_Q$P-5`y$`~K;gYpwTPYajn(?_=+8^TR|1o-xK9*L7YUdT0GpJuSBfZpW(& zt_Z9Y!UT=cg|Fjg$*`K-=P+CzM|_AfI~0_ZTM_8ParWJ|1}iVUMzX?q=6S(gNJAEw zIFYM;EO7w&p~z&4EI=+1^w6(A8QAj8L4j#_rGAwfO*C>1!6U3X$P?$TB5J7OX|nTy z!=&S;cPoV7x^A~kjGFT{)6yb_en$2b9r|0ZKLr-rwJlRTtEp_v6=d@ zjG2&A$)e**lb=mFdnhqVVPQH7|7t=`Qw)%Xyl@7JB;UwjkEH`_&?{`roi9j4I_|q5NZJy2v(ATsLPg2znn!OJ` z3ZfDo?Yz~1gOy6!FzUDc_$H=sIzOGo)|gEPYvk@h%Q4mNG2>f1l_Qk%CgDCjx?C5! z02f7EdQFs}_v011v0)Ac7NfD`l`2u6-Q%|cXRQ}<+VCq`cjF90WL5KE&5|SfwPBG| zWFy0%BY0i!(U*PwSkpA&Z%JstlDy89-?~pCWOa>XA#;4|heiGI#6~9wU>iNYFNCIe z;wvC-ckuxq-mAVBqMXb9*%PbAm?%lo-?; z8*Jh&F)ACwm!$noz6tUKZET&ze5>a<%DftIaZwM{r#gJf94_Qz`~1{(XTyis?Ci~$ zm*3tSksF)4Cvp$p-;uvuao^444-r0G@4!l_*=vIJ1;Wt>Y}Zr%alIW3klQA)OXVb@H|po37y+bJn7uZ_z4YF7*_R zrO-mn8MlK4s0J6~A|{6b;q7)KG?4}XmiRM&_7I4K^?c=++@}RzYN1qV=FkWK( zUeh^OXc{M01k0bc7_yO(MCZ+sKKu+{OtM@~-G0$1#a294%Au(V?y~t*+s|w#I(5Aw z@usq+ZmB+tc@^K@Pj_Q<4e3ctDRRl`fgx`x+_VvB(&`9rp6N0c>NThiEx%!#5!IktfC<^+a2RVeX~ zS;%s?sA6!8y!lt7cztd4D=vBkg7|1Z9I}4%$eRJ5aPyE}HM0>E18gHgtE2RR-k>Pa zO=)6z-8p%I-n4Q_uBj|7-;je_w{Ffn;sQ@t7oy?CR@Jf7i3ml4Zz)_iKP`Vucv$za zK-U)!Z)%IQHL?L0GkBaG0$_Jd&?hB2LHT-ct1?$npDsz~OwN06^mIzG#r>6Hw37lM4hmnAN~|BTqwk zzO=Q#je(|b4;>w1AI>$J4$>zt9PUptI66(_JY%{+ zKtbC;i5F&O!q`_|n!9eOEpE}DE<2}~MCdw*h5tMf{pdcvG7hc?KIDzC+seDaE5%vA zp>dQVh(YgYyu*X)J7-6x!dMB4kMChjbASu8jjTs zl490IdHRI{?=X!Xl&DapwbFl;EhmX5p&n8BHq61+my%UL85zbJO}P^_C$Z?Q6Y+|& zL8eU-{)>~j1M{%_lr5xv%MIQ*cE7@lUkKv0FCJeO#M^$s#GBJtOB3qEGOv=wZ=-20 ziodAd0#W1sXOb_aUi0}ZxloA?%%Apt-y+T4#1+*b^$k`ZuJs8HgNG{7wnQV`W%e#f zb=$>?Tf`Gg@=~OM!9TZS>q!&vUZ6jecA`F^w z!n>%mLQgbolDH8;c||Vw=zIToi=r1%PIo_O<6U7tdWG#?I0nVchO)&iZR2RQ2rcKW zb6EDDx+14CbSQ}Hrsz%h#%o_i^1lF^&4K7IVyq*K!~z!As=}&gh7upv4eUu@{IxptwpHZ|7*WfY(&8^72#g87a&Zk>aDwLtzt1ukbVdSnD%OX#suR z((E-(;0V+E=mEpU7OZvp) z=f+QlKGJtn_i~^NVpH_Rk0CV-KVB65DXY7cm5!EZzGd9;m85Xky?&sDTExi!2TMx< zTdVw=%QG(?&ng$enz*wJHFFQx6frmE|GCS`Cwpm_Q1J~4AZbEpgp6b`pM zPN0s#u$>7UoIagF!c7hiMQdXVb>6d5&Buds}fYRL#iZS8*H*d#dqF8&nFycfbs^srVQ zS!WHb@tt5!CL+E0oDNSNdvC>S?(haWPie$o$d|iFsU|h{ zt{5^+hw(Y;k1n5#Z;WHRD4&dGv3yR~b>!lS4~3E?Sfj>b$FuNXfVwXTAV*tse^9zS z0RVNXeXqW7gn-eWjoV;7E=oJSIjd-0@~QinPhoul4vJ{BXJi~$$?;0zg>$30QH-ow z)CvqOF_MKW5t;crYqYgvX6Z(#XQMNqr89=2*CxS>(`}wH}FMxC!kM zhwD9^C9-~9`qgtH2EQ*J?xVPT{GN zI~Kdv65{nrX-W0zx2YTTH>w)D!w+?dYILhD%~w3Tsx4XHk)>28X7pcO84fP4Kl)P8 z|H$AzJr61nUk*knDW|&=7PO7NL~pda!3Esyn$?{Y}3$bJ}H%ZAp$o@d3sAG5aP1KQsvPk7~KchC=Yl3;|{{}j>QFHAU2 zDmIiB5?qEc%@gt-VbGm%9(?rmn>^dEFtaZjaRYhm@{{N2@rsL#!+cm1FULSy`W9u( z(VC{1R!9SDAM;0;LPgbh*L zpX70Dj4HNf@FTg=+KWmEXgOXNh|kk=_*t#}f!B7GAwWbFJ$|v?E|7V?EJ`0I#|aUD05Yyng1T#Bum@Jtr;vs5Aq-eoOCRX+i3_b>@Mf#7vo>!1 z>WHISj&{2hzVbuR?PS_(*$ZDJt~T%vRZwt|(|J@GNRZTapq8SabvPLNB)iL=XL{^3 zDYhdv)y_M8rJK;T6r1Y7B4?5-7iZU>I`h+a&A%_*;cb-d{e!ZW>mxP4D?xg2F~Y@O z_;59&C`qNfH#5-cU5ig6#=^kKTc&SA{WI6(RCmcZ7kbjxz5JrI4UU*{M6`0**tFdi zS{=>^Mj-Dd9>1*+f;Yy89Z4b#<=Y(5G;!OG=wbSfqQ+z4An>6r#QCNpjuV>uvA$PX z4-8+M*I&c#HmchpVGQ4(bpshL`ZsA>NE|w%rGsYKAg}HAIiBR!ilyNV183LYY}!2` zk^fr9JllD{&+VS~62W#r5!1IX%N8*^5VuduU!PHZDAZ9ZR(F~ZxIrqokUDfz$zUBb z`o1qZ(BQ`H^7QIPp;eI{yqtKry}#+aSS)V#p>b-Qo1QJ|-Ma;Fg7+Nt-jpn(`!sXzlBi7Iy2XGs z?@9zln&kHVDo?KUa6P3xl@+oIR<1UV0SNOhf@e@0%fzb7C(Vr*Y#4{f8c;9*9Hhl&m;k1vZP8 zL!>2ngO9daj5o^J_Bh)~YFizb@yES7S4i`9{vgkIwmEn;=C1hAVdfBgZ0IIxJFpwf z2<#^dK|g1pUlt2^xof(ylaIW%;IZ|V}t(KNvd3N&N9H#3I}C&sNjMmTi$NwCOO zPTjLYMO_PRSNY zHt32nmdHwoU&#!^T@e^SljUkSE!do7TAh5Waopg34agsjbm?~DQFP;eg^I0eJbRMW zQrx7PFFTcrjsJQYxV?fSa|7RLC-HOkP}6B)X|+0sZy&FawgtltbsL9anuOTD50p1K>Er^&IxfO3_rpz}lyjv9# zEY~eMH2kL1I69#5En{2$y&rfGjDrs|*5Z`MVn0fV*Y&$L0-xpx9(Rg{7bLPmu6t1x zByjYeHV>ZkulrPPN3+hSWzCTewS>r4kmQDLl;DWiDP`M=>j|SJkBZR*PCv|!^Rk~s z8#j*5DV0#y6^F&~R<^&FV>9j!x1W3zn-1i#yY=j1X@So*_1@>#R4%uoj1Q&Q(BIp} zKH5R2_y!zi{XX&*;|O;7%=bhDFOX&1g7p)v_~_lXU}LINfLU{nBn-ZLSip^Cal5gl zM~eE+K;xuyjOG)vk`A_-^uFP_cD?ug_|SOkRsVsquB3d4NnI;+01FG%_Lz}7(NbTB zZNYDUbs=Oj#s-RGz8zsOP-Cf=Iy*yfvZBTNj7HcV#_X2p*q;KCsN;@jeBpsCT@H0po4!ow)DsUMqE5f)&1eO^HJ&{}mDfeN8FWw28pe%IGNq#-AxMH_&b7Y@R7jbQn=3$B zZa;$EY3s8(Xrl*vNOs*|7i1=6L143dPN~Qlx~_h^aW4r1Vm;R_`Tz?OspOzD_2L4! zHT%uKgY}8a3lo?^@!O&@*`c0?*knh7R^n+;xTtIo@$23#QKBbWQ`GrcM6ZaxvA}! zOE9Lbp6rxm6-_oJD7ca={|99nDdLs2Un5044+P2t`+wm;5*^+OibPwmmw%5UV;jKq zv`ljER_j5Y+lTb<+)BY-XQ0u5{87GLU3F(k#_GI0`|gCK=B&8hnc)C(e2ae{UyZ(U zb|2~Y=#DA6QWzCT-l*RlRw2ZvhU6$|*{RF&61i+e0xIynCjNR~nT4BKpSIj{e~-?= zD^fQ5eS+)Q_|!!+wqwn_KBmEKkb9-i89s2qA7Z}Q%U;c3KPEGb6zp?9m}2FChqZw1 z9}nyMzYjE>7Dm;*p!`MazHpTBMI6$wud$YRa&+}OpeSK+c+jv3L5@$Y0>QPNk!aU1 zi#sqTYG9SP2wdb~(0D=^c0yZW4kly1e%hO;h8%&?WJDU*`C;Nac)+bQTT@Z^))Myx z`OzvjXEs$r1?y;hS{gzx@RZ(S}FtV6ISyrbW97_FKNr#HVOqWjXYk37XcMXlpwqDr1HAUCLo2jB*l0{F& z6iBVK3D0^))9f7#n=owtVdEj}HW)6bL|F7dqIVW{;qm@@{F$zlM|@TmQ>l!eZ0F%< z5$EVQB33EXNBKS4EcY2}Uf1e=WyvgJuorb;4V`yFfE=aW&4LfRL^a?0mG!EIxwmgg zR@3sxw5&GE>{j%vXo**w2K6iD)FeNcuX1u zvf{W|HSnzhgXb0~DIUM6%P+ zu-+y!R-h;9rPUCK=3Xp~Kg?Jq9H?(BKb5lo0Keb?e$s_vKMETe3maLHl>ljrdHJJh z*s3avBJM$|3dOjL{WmTST*Cop@vzpBU4x+G$7JT`2te~CC>$l29O zbNete5OcdJn4wHYC zMC`>Pw1+07dhRbTGT{pwu9Nm*IXAzbxWwGUsEm^-G9MLQZn3k*xw0hBRbXklubUfW zox;9BxXkdiL1vU=nWH`(sgW7BUWHqexq6q!#<|GMM^iPtU}uJ>_kjTwVqk%tg3OW( z+4=?7!}hQFfxDy?*)ZVC(}@kUB6FQ9)7l(T{Z`ZzqMr`MvAAlxfXlaqfO5A)>3+)s z>)7;l36`(d9p9X8e!??jSisHad>126W@|K25fg29ACfKVfv9D}P7?5CPe`dQ_J@RE z%TCuTAR1~~sBK$xcXWItQ8FlbThP!&?u<-%mz5FZh>EDtFdveB%ov!$z}sdZM%ULc zgFW6Iwi1)||?A>nM%-lqtB`pjRp+>28nZc35&>_ITXnsLqhb@z~^b z-a|r6ja#oS^i?{q!ds`r(;Y&=AK~6Dw3@nVyy?j@Dlq{MaQu@py%%VJ^DbLfN{%>0 zREH>bmy!|1+gdyQQAO!6>{*MMwH`HJi59;V-H2fi0A$No$R}Rq(skv;grlst4x@uT z!nM>hTbn!hl&)8t0KZ_WXSTEUtff-h{1L}A$XB=`DJynHMaXUJ)LIE&n6hdc1WpQ z($cbvAScHW97jdp3;~itd(-w2t;o6I*}AAZ$yqofzCrruMo4;^kDtlTyyZE2)wBSH z4tYF*23P$F`=Q&&AXFgh5A%eec4em^R%OomyFXRb$1aA%nKbAJy>jMTlTCye;%=w8 zFEyP`6m_=a)-4Pu!yF2VelEZpX2u&?5B#xkZEnpm1xgu*rIMRkq+`gmUBbGxgM@2g zk=t#HNuI6Fji^8(yZ(Lk3+g2P;x3PDGy^)NEAZ|xNd7zdIU5OC<70a`SsUDc+ztt!|FapbLPlFKUfLP@3l7<(+T(p&2RFcVDE2T? z>;(5@QB0N=#T~^kM%U%XSQ8y*t>>NTyRHKVoLfAyO0qyACj z{(2JM!;{z_&fC6?E9QJv+BJM&pIMan(vD)tekzq5$&q()WC^csB6KajdiFtD97URI zplazshkf4b$RDG9#pV%0%0XL_Yzn?km^B5w%_gcm68?BGl(EJ!;;DJCaD;(OUEI99_>aKdij zH87eOC)O_BY}0|QJ#2aUt3!e*5X^|U2cW6iF!9eHED#LY?-JUG@gsENO|8p}!P4QJ zf$3%sNB|%k+c(KG6K&Ws|9BCr$S@(%NVEdVbfe*h$5-Mxws|hgY<*g`dTktsb;(qZ z|7xkgvc?P2$eV8;53N`GwKiq;F^#ukE<1g|=J!8~F`SSbS)b+UW=x8IbXXMO65vIm z4&&E39_cA7z}eWb)>XUXFY$5!04ZYSNcEu7R zU2^XZ`ClD+E&$;zqH~(QtWj&0I`%V$c-{3Z=9Dwyn^Swa#i0=&3*Z>?!ZEz711}M= z9Q;(ge^Fe$gT6Rv&7D-9B-AO3kmPaB9Qf_jN_>A4y{cLu1e9Ny!3<5Ez?1Gh`Tmfr z%r*DPLq5C>`PqExAn+HAJOJuY#nGd_^QmK2;IgV8=Z^2F>LwAK$pR%2SaMO!(h4Lz zWNY%9f>?ygZv^bl%DT#lp~pMhDy~%U^4ufiP-c6`{G6Ots|JsvLaP3@ob;iqoep%c z7M&$uTsOBXl^O?AI%`t|npf5DI<5&=C9F-Z-2$X^Po^q;XGihC&Sd4J(nGa4U}j<7 z*Kr*cnNI;kA4Hy-bn?~>7o+AwKb2mdDE4?aD^#;45UZF}F(EJ-le!nHf!|OBpqmIo zcUi%O0eB^uZb(0@1_SO)UI1TG(Iv|Pkwfv7tH6fZVM=nDpQb^?Iy9AI&h4h`G{t3y zGsC<`dG`g{7Y$qJjpXN>g|xaZvWKqTRiJF|MCBURT1eWpH1tdS$ z-V_x68GO8Mr{+_oV9=uCKU%`#~J1{RcYUb^{D%{zp^t`ezAXLUk@o`T4N^ zNbN|FCl?`fnpI|J^_ihS5@{mmJ9#JI!2R?nqh5b&8bPi2R{0S-ZS%!a^Ipt@sLf?% zM1eyFc4%@3=Yx$(pRZ+w-O&ZAF#AEps^^h?cWsyhEAxOWA-9Ub%S6B$z|N~@3g6;z zK9(1SF7!k^rp0|%tp6Qi9PoGs(z$r95OjrQou{Um=V|wfFZHCR;Gs3N#k8<%YS!ed zO?C!|@fFdZjCre|XSA-q?*LW~g@ALSjTf)qt-RgtKxp%)A{%OaaCS9)Ym-%!{S-!F zi9b|rO88IttY_|SU%$w6?@n$#?lO!2MHgS#Q$Eab$76KaKBGL*|HB!~bPi+b%C+*p zKJ?66S9YR$?Xk!?>{~muNGLmI3rt;W#_VenX>5wjyoaw*7MR?RTC&U-Jp&KGYt9zN zO|v;7d?m4G8IirJn}WY4^o<`qF}hmA=_1dJo5@VLpSHqpQK-4H{L}3I-CfLTxL*GoXxm2 zmS6-TL7xV(&}h}L(M)q5^zx^4V;xpc5q!8wr%c9^jUzJlI@4PbK!KNO<^7$#bS%_t zm<>bTAAdzJANesHxnYr?CGhspq^vq;xUz5fRX2Hn=8RdsOE+~>_8c+xBLDc3I?QM2 z>n%tFLnX!`tuZ`4nEj4B%$EA?hR3Dx;_J70+5l{OBkKLM?LWE2m=#j6ShxYyK@gC= z-pvB_fXJS_ldBQS{lxRZ2t8=??cQ)#;^M&{FW6*_@2Y}sVsqVga)x!jcyh{bS*gaQP2)QHJE8bVAo7;onGVcpZ2DKUp z%`>)w88}BbYQ<)xP(Ht)#f#opS5)flJOE(jX58LOqzp}fg>9w1bMWo2GMWff9B0pQ zI6YL=QCle>R72Q)YXQZWvP#HJzBSQary^G#yfS;N#W=FpTW)DcYygs2i!@T|n5V}^ zj-UF#i?(2dhV5$i!ISX3Qff9`(8=Y~lcRLO4Ryrb2I)ll<=_|KR-oDymZYQm z_nAp9G%GTKHH(bXclyxW;}zPRT(Y6x%_~GSfL8SO1Q^p2pIrJ-#maE+rF5!CxWzHj zAi6ja=AOjXpDECSTZ}Tr4^OZpb!p9?d%CXN~ z5R^LEw7q@Y+%jsftIPB+RFaQj`>FQN_`T!)eeMV42_6Su5}OOu3OSIpu-Sp!(ZD=I zqWpf$%lI71%!0%X7~8(?vw^G?R}TY2SU+J8WrcC*P%e(-eXLyLq;K(omv`fdA?e)g zvc#^0fpE~SM!@W!9-xAe6IAD+l3bS_aUHh#3yUOA{*t+1XyZv!CK(D3KpW0czwdzv z#)}rz@gu6s`-C^(JgEg+!#6eL;}=+d`p=W~I6t=k?1p)mosPjWB}n{zf9BO4trXFJ z0I}(uQV}(U5R8f9csGmRMFs9sX#U8vZu33y`W?P+^< zkomy9U-QkBU=K(PpGfmJ0L#F@W{kic@ql+h@3X34B7M%oz3T)CCS}CJJ8tEv3?t;+ zmMr@fB+Gz9&dpR(IsTOri@f%6-PC2qzQbyG-=yq8A$~lNv>uycyyEi6^iO4gmcAGF z5CzLM{a@wwh*s?6qbF!nBN%%QGVI@4UP9atia*az2e!NUW`hRxd@o-4{F_583>;!F zynk_sY1|kV`TvbWtXgiBx&aO8Gr$;xH%}9@B}5qtGK(V|Iv;BQ_lxou^n}s!?p&yCqGs;<`3^b!?)A zw|ytHYeH513LW(F<)^=rNZ`;ilOj%mE_msZd{NHy2iYj9;1#W`$y=6;KLC~#HnhqN zN6a&#oM8R|KO6c%Pp&(5lY|Nzhg(#zmP`_>CP{pfx*r2tpQ`7hzjnz6dlX*JJxU2( ze@7B%3OCh!8WewkCRkBrmwP}V@>BHAfGI_&-EUn0b^-69+iq#Txt_t9xYL1%q4Bd= z5`#!Fi8rBPj{H*+M{oZ$ZLTDJ{wRH1YO*O{jy*!^bG|Bn%0JV$)kr=^iM}h%N-3T{ zX(-r#u%455g(#$t151z?;-RP_dTxw?*j;V(8i{C~HHW~0mU`MQ$K(NdU*1YZZ;|m@ zTz<&TTCUMG&3tdT2xkpN!$j3Z>AyCV+E_fY>(qmkDU48p?HsOBI?tB5;&WhSC3R2W9HDaB>0_vcA@)yo}p#K-EmsgFYPZ0j{2jOe1>q$?qS zcP1;h5-~-9?Urlj2ZRmPW~_lW9ywXA|8cUK4}YDkT4F$4r_yAs-tBQO?*iPnv)wNk zupHBkHeUMgK&o;00K#o_n>n#rHFH^`=PFuzF`s9$bkZHkG(UGxG6sg`fXoN!K6qitK`X zXuE->Ottn|7OnP&dyy8_=cq*w+mwS=xgA?$C@eVUx9`@T$4ymMess?(I0(2U9Fin1 z4lnZ!RsR^(gk8JsYNv9o6Nn3HGJuj*b9InD6?x_k1HXVLh3i8V=~34hXAeewY5pXf zw&f>k?j7gq%SIN&I8VTq$;#m8Fk4-Pi?skMY+InrQaxntwojQ=uM)EvgPh;b!5I#Ig-@;WKog zQ%Z`<^3Ip4J9mVb|elz{T)WqV%aAPilwYn;|C3H^J0PVNyz46i!o~nIHx= zd$5$58}*`rjz%jU-AdY=d6`ZtK1Nw1_xI^^%CbRB4UexKY5i7``9tpmO z2f>kuOzyg6{po(&bMDUzNMb@(qRWj7@gndZUZGNC8UK9#+4~|X3$r0@TSXg!%Y@1J zd=SU`){McF59|3|xe;+9&H2jSw02f`@?YA5V znACL}Hupj~zmW|e9C#c4Qb$tjqB4TZR__X8g6x?-^O^5w`YO7o6 zVnQ{ZuiTg%a&KI@=oF@bPshO~z(bgk%aQ-9GA{l5IW(WRNe2N6H_}Ab6;%7LJH9-fD&9pNRE%i7 z3~lfAWd=hb#g4;byjSrSmzrnpl2bU}GXBawRH)a|GbapPM%_(kkx*m=eipXytk3jlI zHvSjM>_U=#KY?rz2VLJ+WSaN{mYlLm z5gL&7$mOj4=lI!2OH3C?bI0Kko##*Z?$9SmV(cz8f+#XyLlqmTs0zVDFX6vTI>D>( zWSc60s~jt8ah+e?gMyyF;P`peyC)` zlY%7Z8O?rt`Ytb~)T8d&n@I(^X%C3x^UO8=NUCkqYvOYN4pv7apJ|ey1*_m zM5A?ce72iG`K%_2+VA=l55uqoADSF?g=Jlkz?877=p-BLb*_*ZRgN;>22HwLAUj5A zl#};GUf;*6e;#GS<;I;e06>ChmByD&W3mAH&9{Weir=8$R7rI6%LW6x=X8WeO1sB0 z7!!Q+QL3F#V=Jl2Boey50J7baxW8~@ma5O=#-HXM$uWQ3MLO9Rf~Y=yPEpI*W=~LfM`4 zQSQO-u;uaiZGhsYcg+$B4(Fbo9>=SxYckkckOtZS*qK-Xf!@$m_|_6OY$7_^h4iRYAFHX}l{n|LjPD!Z0Uwna_ET%Nd$OGLfDX@-V|#9ySn znLfQICOfc8`YP~imu7_LDBa$Nc!vJIcXSR)Y4K)%fGnHNS?@e5WJBlRJ12xJ&DC^( z4Rj<5_jhyHq^7BdWHH3X)mLts5i`R56ZF6CA0phAQC0s914(D|7&d^~x&IGJa>>6a z$$IY||0g9milaWS9aDCS$-KqD`LEMvKbwv)bF`ayb4-z8b#+&XA;r%qKMelNp=6!Y^VefavVr;rDHVLJQ`Tg#LV#=_T z>21lKr@bxht6(?z=Dkn&@5|>evWBRXRUW-d6;L4D3e;M2n6Q876xpPEB6aQNiv^T% zk>=&VzrKQ|kY1Sh+y>Zb{gckNBnOC0M2lWTj6)%=@GY6q+)1*bh1I6KAvg#bPEwjD zM`=91=y!n-LGBLGQZbSwM@|P$5h!`wo;)?woC*Q3SV?}u`!By4G1r%M{)+TTWitO z7j42bYHbmg1}C|!6Z=Ox=f88nNk-x zxoY33#1ZuF3A`Rug1_Nirew0_*rg!nOeuZ{_v^r4~5*J`7D!cG_yx1S0+*~ z7|vNck({kLGDTq@c@=5uyoGg-)L2$SpQ{y&m6V*OW(6t3WPz3qLTRHQ)^vlFTWsgqojlCz0~x5c8f$RQL@=!R z=(pfz_j}k0q5wLQHjw}?!cmi!L7!N?GCk;~zkK>Z`N2EHlSGTBZi9`!CB}KU^oIMv z=5(7ruan97v7owh9&=U@;4Sg^@3MgxLKbrJ^h7p}oT^mZa}MR1Lt$jUEty7I8)w#;D;FsZmi`%o*>&(|9M(OR*<+`@?m$JrK@pUd7z+&-qJ9qgTlis=W@}f6Sjl0FU; z$e7sPpKO*e7>Y==^I?j)UIgra9Aq26Q@c)@%eH3(zO&L(cpko_r=9Q+q5JO6@yW(( zmz`#NCCYW7R<4ow^A~?m7ypshrh!6?6PN{xOQcdNL;RxS8;)*xJ(`}>sG<;?mpd^=rb>lv4lcb!1ylu2H%Kxn zm&=UFDD$%(tcx_AOvrmP)$aGp$P0t@RG96>`iL7_{Me^USS3}hw=Q|1=xyNjp zjn9Bwsat}^DO_|Pv|caO{Dl6^$ujI+zx(Ev)VCA7o%vAFGrqh6w~|9Bzf3G3!N}Lp zxRV_~7srk2ncm*QfZC2RXugHmo=3J%IL_kgQW%3oU5g}ZTGrnLH?x{551YR9%0H;A zy000$bi18oC;slwm)ooT`-X>5>$`qeyW5=aNJPku6gcCDOHk@PVXK^a2`gL%(>eVq z)fQ5%SKF(caF|8*q+G_fw#=5|^v>aLUj21|4T*jq;GWYuH!p7x1Je{-JaqfkC%;VE zetpEduI3e))h z2f@Km0S*S-r;aoZI`D72rtf922RXpVAL>-3^KLyS3Y|lRobt=>44*2?rWHe1hbhNl zGi`XM`|8F+*A_VPKCvB#{(BXpm{kXR>x=2@ae-N3e4Ur8SgIY;a7K;{+7Eq2?a*W} zlI{>1Yo_C-VA1-2-? z#~GcxC?WCr`cRvDluw4G9+{wJcAz%>LaXyC`3_(^gd>FU-b&9$FS3jY32POFsiZ$470)345QXFD`uH>!SV+ zrE^*ph?D-BXNfRHcpnzr$co6NK{?zNbjh`v;0)@-;p%*R>sAx(!i@`KmQd;>^e6^ZozhER%hzvnSMAb}U=Ic0w&Cbf7<}Tkz}vC^ zO~DOJVsU$)53a58HeZv}4AGxBpf}GPOZXtuc%ML{5#NS~#&#Q55YL(vfAZCQ=LjmrMl6qW9SnKGG)JKD) zK)XHP1m{#KJ1~kB=Tp&5N(^@3Jx>-H%baROU)+fWMOu23IgmM)^+n@`xCQTACHsfG zpXk*k<*VkvF(APjk$Oefb)!kzG-*P11BbpoFyman?!oY0@e#>C8*W18e)^gM;pniu z(Se1C$X<@9)P3&2vQWy7g#_}5h`>MxUG2AH@>D${TXj6Geh#{iumoeIwPuY8!bk_y z_Q*HLx^_XVY1*M*gb`kWR@dSne+(<%V8{j#LO{GDW#C(@F5h|3j z@ZJO7Pk-Zf&0HtyZA)!++QZCm@a-|3!}+r;3nz$KS5|0r1k?CFM;lGi`Zr#g_OH#- z4FP`;+@n+#W}T`8Qab|0ZC&1B(+cNT5pyz^+17M z{Zc9@O$ij!1}gHU-`D;|qhSb>RTP1VaX_H-U1ZJtI{!Pc!zGUhVFDbdzI+H@<3>d^rgGbH0f&Y(~ zyO*7(|58CO0+|@{=b|56q)FcAW>NV22bFncg_c;1g}r3-c>_CzmKbCC ztPjiY+)FD?M*WXT1-~loJD78?m`zjD8u}XU?$+r`_EX9~?~<);`qy5Zn=(tl%o)GU={0S?GNI z;kg5$^P7KwN3$`{$>ab5CV8Uu!PxgAPwRfMTGwB_7>!wHQmYbKJ_u`2Vg3bi4fDMt zxSlqe!){jGFZA!E)%KS!zJKYU^}i)D2smQVyb1dA&7stm0MU%RUY6MfhvN>}G=>w761 zcfeQt3){bQWbbjD4>;&DfGOFN&8bhB(xFsa%SGoqfQH`%n>6EYp&fgJe*FZ#@J%;tvdFKGJfXrJpLTvg zoF9e%??0CR0}nR&3hk|(3c-@4)WA1nTu%^j^#gKGhZXsZ3n`r}=iU-|I`oUdFGWd! zqHOFx7`nYi=SR(`zbLtxZQtr$_@9530NJ?}rm?p3`4eh?AHx6nKM={@@R#|U1@OPI zv;Vi`=Ku9){O_+z)**=dpd*la`u{f<_s-=d?MvBd=*5VNef9tL(f@z@9sHNC^DGy8 z++Dux?{N43^S{Vb$@gOzjYQ|8XL(omTtNBvq&aGZP-6ZyeDQMHl zlC)?5IhnAFT~RQz{Xaj|1fI9QYBY3$zL%q^INwlm)CYv(VV|f!LliryVajEM)SKNk zd1J0jhvd9nLUr<&s&?Y4C-QWfR|RFNC*=y@7bn6RE7aZ?yfVNkny@c`UBY{hwD{QDFxMx zH@%2*TfA0}QU$V$g21n)UjjJZxREFET`zvx_ilbxsPZ%^WT%&)q z=C5l1p)jKc1fjjwB+G98#i0DRU+$N$@#L?PK8sOeYp7+-NV^$Sipx8G>rJ6mG9OT# z8W{@+ADk!hd`gSFleVB&lAE9OauZ`d+XblZqyxjyMnX~bM}bIE@3ES`HZLH_9iN5CcH82 zey-fn1LHB7H^o2Hl2$gnMd;e?J+v4o=e+!Mvf5ob)yf?v1)o=U8h*$vX64Fst>ty0 z_KnRGuWfgE|JMOeWJ_-MsSxQhUzeAP^y}OuRjc>K>tR}42Gxv%!YMs`wmN#b>0V&# z%|Sh(-S{Rhg()LJ{#Qt=zOFg!J7HVa`K)7YREq5wgjVm z*O-e<8<&yXGE=;tHES9?e{ZjNLR{bnBFYx*(-vwE*Uk=v2iVXYdw-$hgK?>|c_vr;37_LLU}eugU#CRXqi$4Tpp;4u{ng zLXUpdUiwTbyx9Cib<)-e`fa(~biw{;IOGn(EX6-*< z%#ts;Bq+0IM)<6W&R;t5f!eN_Np#-I!0!F`N8FUL#q$dzlj@QeWgm|zx!epzGu)yh zUr)w<$N4p$RV$*Xr|d>t%)A>ZbL9-I4e$MagBK-h>y{0LL< z=ddR_D>faIU)KxoFD(q}YtxJ=JMymRtR%HOy?TY)*RMX2V1EDk`0g%z0x;xK)1TZ> zt{g(K_t9JVtHvi*Q97tAPTYL<#7rGrPn`k(7{1B$ z@=Efqmx07;bFauKw`p2{|Jx)&?g`=l`Syc1hw0WdDaQE2hdAu)GIaiX4M!=Y$a>lX zmIVG~@LQ_5IfcVDd|=G|XPNZG?g;0_O9O1tVgAB1J7@lfNjhTJJH>5fM+ppU1s>mu zoB!uJD_Gx_0p_bBwO!LSRYBX_{)r<}vytCNiP4cNXuSr+j zwg~UFL84Xq7zHi=v`%hj#gxeJ8LzJ=38{kL)SPe3Mr#mN59se{KU#wfreKt4U_j1^ zOg||2Ummaf*vp6UUgMU|sc!>t z(9k&?pbnQmLrlbVs&w1snbMAzkO)9?J6>6&I-VT8z3RruP_UZ<#&r`{_TE-%-S!`Hx~^T3*i(Ts6@lVeKQcv96Q?l@=7 zJ@i-}+g{!^U1gSs9addM#sJpTQjgMlkK+rT7H5c=1&-VOq$!+v4q= znK3pQ${q47W;R-n3jb|@@UN>%9s;yo4!9>DxWvAD@!VG6S`9_NP(0I*Z?sx9A~YXt zx~aU(!-fFm|MBt;E{hlXdx1cedSf6fU;N_oYx3jLKh$EHU&25(k*2cQlqL9uRGi2`1%+@(}-^ab2c%@=kxKPP*@H+pefK}Zl^w>Ei-nraw zKc|!w{WFz!HSOp0pf&n1=Vc(9eJjPTL{H4!=MLsswsR6PJE#mb zdV1~yn>RzshiGSUa>ARtY=2MC=AdeO2&yPioaMW}3Jv8rrp!x0DZ+>%-97ojvBjIFmV%OVIhuq$TAwGv& zox0ns)KmfcY4S^LgGXyjXW>G)H0z~2#!$i(yd7LndNMH8^L(JnH8q}o3!t&tLo$r2 z(EB8gw-0goY})an&r|N)@S%nbVPl!QAJ1X(r3NRlWK=lam2T89Y)mY{--3Vs%NH$N z%IqV%*+M$~(~is~3DqF&6rw{ATr9U}FHU1v5a4kMwEDMHt?EEYTbdNUhg?QI?++l@ zCD#QsY`bTa1a}%0AMdR(@JCpcwbM^>q=}{f81s5&vlB?rP&mUn)WDm_z#O&!sv@&~$u!Mpx@=W&unUXp;vDM~~Z z`5ZpQ)_LjrbhYCTwAhdW%9W_9XR(oq z&ZGk-aEEy;vm?GI{D?1CR&p;DqSbhB>^6&BwNjy@?^8obg(YN>d_&!Q3rR6Hgl`1@ zKHpUI{t^{rA3l{Ug>qIBMKr{@3ese%AVIQ6gSljFcA`$7$X*Cu=usq;J;tX^Q@Cgj*tSC z;VAVx$|(4+NBSX|Cub*+jA&iJpJbKl93$H;X$vC};N?s^H_7KJq}|o%Go?P8b-X5z zlBaM+p2?KnkfP6}-n+VLURNosYL)F6`Pi%OdGb18JU`$dhvw5_DVz-pjW^!H+EI)< z5$!NII`=MapL!`sHa?iPebrHCtAx#^5&gi(R@fVpR8`N$?lA9Uo-FpOafQJw5PM@0 z*WyXFVx4AVG#=Qq8o z4|#1*2+4|Z`8R9G&iaEv6;j%$@*Qww6>PF+VtV(Nu)wYUxak_+P4ZGPpdB|^(O#fZ z{eVl{bHhbo2-F&a7MuW*%=vW-)Dg68Ls!xtxacr-f4(J;Qu{2RiA6yl`LRcG7(6ER zx&Z;ez|pofkRqz(;fKXvEIf=jTrx!}_%l^6(93fd%Z~?SR~f%qn7?`GN0p~4{wKS9 zY9PcD?%FgElhU|5Liphy51@=U2W4l3DIWU6O>hYPCP3}M$6(M0#oj6#)wPnhhgS4H zoY7{Cs$zU zbyU3^l28gf)FkVYSr5NBLNhEQB##1#-on^`Nx&Q+Hqx3iga)95&_$`C{vPSdX(_Z8(oe^V`D2b73I-05QW&OQ{ z9!8UQDu=Z~ZinuMHA;W(5Hk_fLTwX8ZIUK{89+EhWXZR#f3zTA0K?KLD5 zK*~g$Flid|e8Kgd@3v4<9*OK&f_V>eqwx0ttLQw4o1=;ZBx73Gj-kv zv&T^7kZtv=a z{^0U4g9(Onal)_IhVL*m%r3UtT++k`8L?7zaPer9fvI9Ugm47?5}=HYpla+`5vMIj zxIQ-HoNm@Ikc>kdRT?+?8_>?#DEl0&Q#a1K|3TO>Dy(HL0sBGalh9_+P}uCSijhNi z{AY(0-A+iye|=1ubdnij7cCl|ywkvQYk;lkp;H0y1r}}B(qRvg=gl@Ms>OyWf3G+i zW=E~SOfpgoz01465?zn{>Y!8U^6;p`3;|cDj=z|bHlif*5pV45$xV0TQNxBN?eEm7y>E4cm@bS%M>tFr8 zcnU_3FvmOGWETTnmlv#U^RX46J5CZPs`f5@U*yWbNFoy-bC3UX?@fV%7n%vecEYQm z8HxPE72@EU_b4AC$8*5{8;x^x;qt>6d31KhE3C9-!$VV6KnxSF>Ym9u_8IN3l4)wp ziA4aA7d~?M%88vqk$=HtbGT20%r%1Q4!a0kS}f=x4tlmlE|RuzQW*+7o(iyMzx<+F z`i=_Gv>TfeCdS6@Y9~JZl=d`H3djR&oX&(Ggt<7|<&@-S&WB#eV37_;jHai#k;!TRQLO}%BpK82obQ# zq#Gzr#Op)6A#)bi-`AOTOkR#Y6oskO0$U(sbbOO6?%BZTBC6<>x$F`CO*2Gk+eqIz z($`v3VmXoTx8iEjOrY~03j#}*7qsMpXIcv%OGM!MX!>`)YlkB6$Q6*^Ko(7pQ~IAp z`{k*4M4b)GSGJa|4e2N;g$gxm9rCeL6rr;hIn2`id+G8nZ3vsUN-~`y`@|F48zNX$ zvW9ro_GU=SUjl{F0~=qz^-FhA1Dd0WqRY7G!tFAWg(}{<$W;}C^)T{s_FZ_WFRMW3 zvLc)8VdDC9LK8kBfB>ioS5)2^y^wO+Qki&w$svO2x97FOmH&12A-$f-_$(qy-0Y+7 zkC0Z_2ay>V93}!m;bvq$7h5gQMx@+#QciBV87h~KY+jZ{@nZ?-&4^!U?~NDrvKxCI zqhNAreRWvu+4c;hr89Qtk*dK|MVHECHOk6oG3|ktC-tLIo9X1J5AsI(9-fv21ofo9 z#k743d)#cOZ4X&%Li^C2(BpLXwY=A{JDaZo3S^;NZIMvw#7phbfH?fzUwFJafe~TTpUg!ViQ-desd?&haKhehGq36b0w?WP zJ@OfdpepI8q3MmrMFiBW{m6e`iv$S>t!_{oQXY11+E8U^RWpO#X2n=|SGN34q!;b8 z9iJFu(BYWaC2_1R$UW zr*9tK_WqY+ERvM|_hKa~OKj#Gv}>H`aT;xXA^7tcPx-*k0h&F<&skt}JZt&jqaDX^ zl2sAI64nd`oxD05YYZPeAPT^bLyXdAB{ zNT#Grcc_ax^-9w8sqsSH*CW@EM0Zh=Dl{(axI5|O0BPLeO@l(2;7 zo~DPyRzfHRc@r!UMhm-Eza<>+X}sLD&9WZncg6b)p3#9J^XxaR@7=`t8syuGqe~A< zjDzC~1>R)rSI%sb)4_~oW#~-$KK~q2m0;)&GEei}Y_^>(WnWh*TlN6rt%a@Z35{rk z7G4B>s5b|KT>3l}_B`q`u#{5d3E{col`M1G6ehoz=%+R=ow@B)3YPFw_PZc}CD*=m zVTZpNsIoPB+ky#rMW>@KAN{4PjQK~hi*p;NmSBce>|zqjWP%6`dDJ1tqgBaX8|lis zuqNK#B)eKh!Z)R{#*hpta*Yp!)M+%KZFiX0K}{Z-rigXplN87lw$vtu$yh2Kau<3Q zxyg4UwOL)=(l1Gh`>=3vUb)I>aWP-=aJ+?bx_I|A>!IR=_)?$2NxP9;%Epih#7U@7 zKhem#D4S9phCRoJtKE{9G!K<+yq2UL3wMsXzoK*a=bnfRnjWonXi3PJ;r>inP~*sQ z6%jQ#=W=I*RX~RDw8&BP80FsmEr#d*=@!9cOnf29x9CbU){VVbzIC_+`L+uKfV9Kw zhyY8!Q8y~yolQX|g2s3sf9QqevheX!e~`DZ7I7Q?9pZHO1rm+KW6N+f>h#Bhz+Jx@ zzOrM;)i~$3D>ZHRCLG|v4p9H zFWKIga~5Vl^o}6h4@4dNX4Vwr2$wZr){(V`+f>XprVE=XZ=GpiMLzm4+~BsE?yr!3 zt49ArDwuwqp`R`dd@cQRMqFch#6P)KQpyWA2OEVqqPk8H1qF_5s3$vS(w{d5X8|A8 zQ=sc?i%HiKOKAw6QJL6JaYCPbpMmnAx5bvJ zA1Nj7w0xOx8T7((A>}a^Qs+89vhLlzEf&`Nx*o8W7DR80fxx=A7EhtSSwR6#{A_pO z3``s8#CkF>a4cxMSov8Hm(40>z!9GCVTjpG=o`jW1y50hjsmmz+~oSD-w<&q|4os2 zZR3MK5qVrA#8!8Qr(R%2Z8~m@a$-jK98SayUvkp)d!+P>AMdI5xcW zf;G;*rt)p5{gqa+qlox|pu?Z8lU@{A zD(*@16g+7NtscTnrA_eJ61_N8b(;v~z;Z0@B#Q$?u|!S)ix9^rW~K#@JjUxH=o^+M z+CI2iyG+Bbr_J>3-9+shjz_jrGgo%M4uW{n0*@@d<4@6(kIsKT1Ps?HFf;udxZ%>8 zf17JG!Mq!}G51c2NWX>(K7a3*;>(?{a5}f8-i~s@XIA7!&zHR5FZ^J{j9+~$2u`v- z6BaJ=o&(&%U2A)O6QdlbjOTQJ%%=cI`Do}uj3Ui=fSgwA?)C_Jxi53m8-SE$MtSod z>HUCMR@ZJsZJxn#g^(y)v}J;jzl$s=geK#o!C2_QQr|cR2U6ab92Wvor+gLN|7wN2 zsezQoAt~o#I!gDKYdxQG?=?Q7W1;5P<4a}kRAgj@_c;u%Rxdvtm)5ayVCi425q;-- zB^cip&_$0Q_M#!JEr5iTQe5e6igG_FS!llrp31Lj(oIal^5LX^H%HpR)25mgjH9{e zo}P=CqLj95^K1pjIGiKbK{50(5EMgWylM+Gr0=tcCYIZ@IxDkLzWQCLzN0??rHo7i zDCNuz88(>An%$@FVh*jL$=5JfBR%evF}%H2a2H#tH3Z7k=3tvNFu`CK7pXx^i;-Z*^7?>5788Jhjj}7A!-FUB^f$_59qDP;KLrU$QO+rGYJ#v&F zPttgm^?OIj2dtr!ZYCt7u~Dh8it;s$&qOc^J!2UGAI=XN0hJ5tN zXO=l4EiAPs-i~Y#A0Vnx?w%?*l3k2ea6BsSE?t_}5|F^GbK6DBeKw9iqV!DiAIbQV=SIcEe%kG=#X(GSuJ|P{Hl^AKlyTdZm1H zV{pyUOcZy1@5CXL!(DtZ2zl3RpCs{n&jnN9ov>F^Cc349k>1>)^4R?xajlP#mgsO9 zf2)PKi!3ol#CG1dMMz-+*b`ty(aZH0AlG2x#ku`20t!%t#I!wS%I4`OoFbkUggjco z$aSXTV*;aI=tKN$--IaK1ZA4Ds&093q`$h0U(Us0w~$ayZZX4(r*h?`tNvT z7Z);`43m$n`^xRD@h6ztP^ETTt~_e-FPU1jggz_+KnMF#AW}=R`;ft;aptpHv8TIS z1MyN>h29{y^JpIX-tqKkvuaMYqFAi)! zd@u5fg0kF?T)*LDAtZ40Ix)O6T=97>NoV2%V;OH@*7|QZJT#zN$EyRJf_J4k@6yso z4f=^PWvmwt&kiqlac^4f=T^)IDs^3I@;zGl{+YJ1e*x8LN;WEo1a-N_B zntXtfrz9V!`3s=*()T6=tJG>pql~ek9DZE!fB?{ zZP$-q&Igf~0}&q7G1uAPc-uxVUIQUN@8piI@725UcglDua}bf_XanZ8pg5={ zi){;$)8RS5_~|%&Ui_NtOzkF6Sgx@cI96dbR!yX;?js#*P7PXRJ$o@ZJ4)JPZ`J8% zPYDjs->P{*xACLUqH!YKi$9rodH0C0TfG)5wI)~**aKX_jmmg zeeEOwUkN;LGVj%o!$JOYEsFsmDI<06W^sW^$BkAx9n+{*dNE*5ToBz?;M)0G2|rz= z3Qht(L-Fu^y0aa5qMJ}@UYmQEE>^I@5u{PkpQlFwTc4cUwDcDV)fS3JUB<3pXN;4` zDD`(MgTfETI`}{U8zvca+ya^755T7MflBwqTPo&6Or*5<_1E*+v*mZ%0$QQZvE*)` z=|YYcCLw}K1f{b;$Z+VZa3Lpl8$r&-vQ_7UNB65c+KM1~K431EOs8xTHUp$8d<@9% zKDGy|{;^kg+)>(jhn3xqb979G5YrTIvJ_K*wOx0$`IT^u9JcdhR_;9_=DBDP+~tXt zhAzAHo1ftqbAK<57F=}9)=gTt#FxKBHp#lrzM8p;Y>I6SiV&XXngHEgb2oS!u`EWr zS@_HI?M$}%`|OF;FP_MiLPVM1>na`7RZ~?%C-k@eP^YlE1OMTK{DKn&B9=6wy6kx% z#_D^y8WYU*=P$+l>ac%w?$xel5~~8gd77NAw}SUqMHyW>2U?j?y{C1N`-_an6{ka! z_P=Cx1yNR7x>EZ4+2?Powo4V4ow?1{vq;1s8us887v)YfP}*Y3PAfUZ)PM%HZDePf zsLy2R8uRqdd_=(=FGXCXZ+a+X>oMRc1z~d$`*Rr*LUuE*aE5NKT!hU`rwqBPl)v&r zP1ci61?#n^-=64enCo&na)X?Yg-b|P7W5o`CV!|P8tJtiqss<|c|sW`-ME|kd@^@% zzl~Kw{#(efG-k>yRb|}*cV#E=fGax;ws{gy+%{Zg@W@gxSyiUCQkZ9>gV9>1_IS zaEF-xVKFndHuVE5a~_x2&51IL_d?LfUv;diU*Pjne@`QHfaovthpVL%kT)-bA^iha zJZc^m_(8wy7gO9Woo8#wxwOqvpL)le|L-Kp(n`&O0J&Xk9H!+1L`4uf5q+%z^USgq z1uhr=6l3tuShTR1fwXmlhhPZ{bod-&oDndYkxT(vJl1M_x;{l_NOly*axYqIYgErR zOs#a0XMG-il2vQ>t=+N-rUZb@Z~oE5gy+SMt?~yEPA-s5;lzT|u)jC2FUsJVJnB(8 z1G}C)r5>7OK6kuiwuV{YB&fdk5l937(z$`9%Vt5h(FrQQGxgHmDwqhgFB4kAnmAalG4ZU6yyv@&YWGn|YjxLKuG#jMe>Kr>f3w!k ze90?auxZ~70qB(v0m4Bh#c$W6=h2v4_{-OGIKh^zRQ0dkS|IVmh1bv|K=Q4T)```c zcof92;KZtzl~P;}mN*)~Sc3HGLE8LnlJmgyw9rxzjV=s*1dGTL%bnpBoJoj0(JOhS@}b)pZUn**R!TaD%67wfe>*xjfSir>Wt+5S7_(UpI*+`sK0G^& zsaDi?gIM-ZQGNYBx>je`Wi8~oxqNp`!K1nXL&N?~Q`UQ97|+LxMjiZgV`Is$u}Px2#&I2brcK;aF*GQQg-2D^U6~r6`0%d`$s{vY=w_x16?9NFlsF zB?{cs4mLqo{A#$~=J7cv^$A$jik`i@c|?-@p*9aU)LoFg@ebSd{bF4wWAo`~!fT`8 zr1K_83Y8Ngb;AsxhP+jsCcUM|y?FgUHVPbi4)BN~q>wNunE{Z0`co z^SNQjpdYBKiw#yoWM4JhPEH?kYRlrSsV-8lCr9mOo?Y|MKk5+u`|k$ff6ro#HBb^) z-ap+BkF>CcyY7KtOYBF{Lifu5c+Y2VkEeKg&&Ix0S5_&w-5S8maiuuvb)CVVMVyJKv1^`4Y)k zgyvd?|HjwmJJ)hR*yFMO}Qj~QltiWV)}p1f1SvuHAcCR;dUGJbV* z4wRY11tE!!aFb`5km*su7S@_uedrU{<0z712s>wTI}n$%Sd2K*hmpiRpsclh_n2wy zr5xqHXkpKbn(P5NLr`<~yk$OpAjmha8Uv*89t*DaDgTh5JD$ee<@O+|1uZQ$0Uku# zhy%%*12y|Y+$cu}m@96nb}Zyt-3cEO`aAdc+;iZ!PQBm?G5IqxiH!#y5)Z>g`EG$o z<#E*}r{Vz`RT3gfgvk4@r7JMEGQqe8C44Y`W?TCEZb=zis>n@uoG6S`M{qwW`4vHe z<||34LjfSnsrLX6F}K6c6K{!tH=*OwGJ;=!o3)%)Om!(+910Y|a#t8;n%I@n-J+V-?sR^9RJC!SK{gJuTKuAnEu zedEV*!m?02m1x@O8KbA%`;4`2#}!-VE~%Y6*1&bK(}k`)?6 z*dh?&8R4;{EmKlJrbb1k1QZ|l8V#scU{BXdlKdG>l?tku*9m&Ktzil7VXL&xMh+

|lN!oK*F)0$jH}oSHD+Pa7rZTX2OZJRjbA3VoQahK)GJMXjlE)SVDsJjMJv=eE?VEmEgEp&6muSuRzKUnK#X zI~hQ-XGs_GKhqb5S2CuDq@EQSmt14Nj<(fWpLN;sH zkV}Iw^QSuIMl{w%Ou6pg2D*-Y%zXdX6xM_zn_PbMa3mMQ2ab6Gyao*6G4v}8EjpVT zC~`0t3yfe|;9l=M{|&yUR|cJZnLtDJo^!Eti9ZMArdl0)VP9<ev-6C zG?{#sm5quW$y-{qO^-!(0cI2&Fr+`ZBn^Gcvl#jvvurc51U~Mnt_uDhGmade?+`)9 z^tJwxkD=<9{Z<{ehzy&td^T@O$y)h20W7?36;Ag&y>CW%Ex!IT!IjP5gyIL93wKY0 zi9PpjhXA_V!EBy0tm@Tb%{T`_wQhL-PeLCwZd|eEK!607*M!{tHB+S7ir9@R?4d)W zW*gj>zNdw-f>6~8CI=f)wt7kUU752NrUr9D?dS0p8{SayP$)VBZ0Dg=mte-e~$7$pnZ@|?o3r5$>WHliDdi3n^X+kKbRn-gfEmm=?jaDx-le8Fq)^gYVWIh0`V^{47 zY+(yduY9{kK5k8w?^bXY?c1^W_iuX~*D>-Se+aY@=3*bJ2Bk;lx4usJN--EvP;16u zqI0p-Q(Oz4B7eYB#6N4O;8P3K)wBAb6dE}5hCDFCT-YmY-wijKPyYoN6qd&= zQg&1pSCHoP^r_>2GlmD~>TKbbaFlM1Vx^ny$d$ZIrHc__P=05=&b(^qF_c!LGS(M3_9S0j zXVuv&PB5Z{ukDU^f1*53;5a#C$fd+B+`#Da0MMpE!Ob=?iL{Ih!_lVyEw=k5Gq#9N zKmCGZO9RE_SHE(c9AumVT~4ym#R8rBh`acG@=d_&8^_582`Z1l&(rK*I`ez^)rjtP z<_}8a)rWSA+k|^1f)%){-h#Y!U1gJr8AEq}QWY8X&$j}{-dtO=Y0j#%Q*bQJQqFO4 zDR0%WUz>m22tvwAOjN`7z)a1hjuN2EHQZf-V-IVau929Qwi{Lc-Dx4mI@p=!{G*7z z$1?$@*2%$Q2J_IM1h7UqpZk0DxTp@)iS71shTx|KCG{zJnQ;%Xa|JNcVfGF{cNnq& z^nA#a1ZVGlV1P@9KBYHY)bSF?Dxh|ML}^{U1wik~5eU|iR`U=)iXUpm>{u%G`cZ|4m%S+k^|Hc&AP7xzs&`cA6s6=qd~ z**89<3*U-s*Z4upJSS%f{eu;dvy={w=(kU5Pqs?K9WeEXZH3-*OXn`(_CZ(29xI-P zEde^FhioidHZ28!z-L+VJ!Wq7Up4 z^PV38=jfwGb@PXZij2T1*kzPy4Xp>O{8alWAQ%|9*szca8KSm7J-dTMTz6ha68XHV z)6X&OnmQ;kc122T0XC>Qdn)ztd%(-lhTF&_ z`G?!vZ*>k0_GJ&nZTslRiE%TnfAxAMomj-hW8LGN!@Oc^vA=;p-FLZ3llTK}V{~5r za{mUF|9-g!Va_f#i6;lG4>T_4SM3%HpH{1u6reaI;;Bxv!3a@MVFJfP3g~u zS+I0E2+`=_H4To6f!2=lz*J1me_6Slfequo}0G(9R;&jjiW|7 zS`si4tD)_!V8+Fg>t+hPuP~j*K>P@mzKXksxREgnT{z@gVNS`704lyj80xhHfINNy z_4~u#7CwEb&>)!xLMc=;`EhzV?j-(lTQQ+GGIAg_qc$R-;vi7wRc)KJ?3@J#0HS5WeFX6hSbwBd>GBCK&LEO~y5km)56@0#_-w9(*`HmiahVlezZ8s5P{?wi zbWfcG@nOnf`ZV-{5$tE5omRx14Qm5TeCx~fAMgtF^&D9+ie@EAJs&3jZ6&Y*JP^8h zK7%LrJtPb!MK&V>Y2$Nv zkKAQg*Z9=jFBy5@KK0M5l_^Al=ow2*0dm*CHuaZs-isWugl3PFm+g`c`RNgHZd?1u zH)jEF>UFpq2M$GrW3N+rI^A?nJEJtqJ|f+Gi*_U*8{Xu?L1#FZEW?!YF;G9pbS)lzR~ys`p%r?9M4)sZRm}!n?SG-2$ZiEBzJ&U zD6htI4td<>2HkxNRPljBF4v8A8-WV)S%ap=rnuXX*}TtwS6DC34SA&jQ~k3P-Ur5# zPHPMcIR5ps$v=ejY}8L8B8WS41w!2&UM=O`GfkCIIm|8s&8h9Pn?`$2C2B}-(CU~{ zJaky>sJaPBhW#L)iQfPlreGQ^NPDuk4wM<;FW78Akdd=}MWQyA$U05w3F zNU<7cEgu4lcX5^M4CLp8GjfR1F@5TWr2D~x@uuB>EW}ali^ru4g@bH57cZ^=fsSTM zq2K1{_tFXbCa55C7lO#eTfaQy#Gym~OjcN>EUjzNP$>lgf%jdoQyLeM0T~JoPgQ#K zDx}0;py5|23mM*$7bmqGoR{H^=LOYaa8<|8?!X#Ol`!$hChNx%-c1!V;l#HGXxJmC{I=o`>s#kso}Xbga5Rs$~R!R!eF_u z&t1UFSZ6s!&ZraY<&c(#`z58lmm{zA?)(1%=~zM7mqB1RH~Fi5$-!~tH|2i(WI`;- zz~Y#gTV?^+?Ha)xj+&aohDN}qFtxQS7+A=kc{?+&hnRfcbtXeR`U}|h524{_eV$ik ze?|-S7Nc-GR<5;dZug@NOU!hz6vFu&sFEH+8ZR6cp+CWf^9#=0w<{we^(A&SV-p8r z>INq&$_E4f1v9&XOI&a#MxA^`F(naqZw&X_cb`xOIq{OP)f?GiCLFr%XWetSF1G-n z)dG-LRA|0pA42l*6vE$bSRlj}rQ%TyO|b!Zkz`+eTv!()qYHs4i3JPm;NtIXmA3iM zK|`?*6mDZg04I?t8H{K;F(Ul*J9cUQnxgHF0F2iSEJ#d`jjpo_?S3Xg9bC)3);$G5 zop7uTfo(RkW-H0AOErMz;2=VbW-Sx{2sdT^1#%~aeNxA{N7ZZOnNrr{KToLJfqS+e z!=;^YM`&edkRzq!_KvW)ln$+1KhJBf7X&6)T&6F$<5@nmNqdvuCSl1HlEtIIEt6Ze zuA#npxdqt)pT1%)J2pW0><8^=wn)p*TPEFGD(`Ap4&1-%Ti-Ik>E3;YCQqKG{S@0N z@hbHf&0HN3w&XJ0qc{#@FO4ugamtl7hVRl%8L9OIo!)v z!0BTP6es!PyHp}2?Y|U!4TwKcxCE)Zi@WM*;T)x&95#O5ZV9RmUL3%;G%u?C6362> z^TB6=3zrQjFfm+>JRZMx!OlED+@K5=u)olNcMYznZ`dSImc92J&P0I^Ou=PrI8QT6 zECPZrqkZ^i2weblKSAU*ci8r`tfk*0qY}@L2<>;~v!*`O6$+Xjp?zged8t@ep=k^o z;4Aq;-^7rdF7mgPN{t>$vUf)s>r15?Xh?>JQ?D~k>VK$Ny0yW8vOw>L{?|0mB8UwF zD|Kz?G(3&Re*H=%giU3BhCpN#U~dfkkvt4CyOEJ0t&C_>B`p=~YW@Zr^O)s_8n*{sSC>_mLxwxcfhJ{)=G3Ok<=2b&A?q`1Acx%gVwx1v!@f2emLC$umew|I!2yU5< z`kMNp!SF8AU8fY~jjaFX0SV>yt3T9omQ}vvo;j1%qAX+Oxc7iu_V}Oi`O)|-10!p9 zr7C4mSq!eh5GRb=Z!wSA>(!>~KH7qb>b7f{GYGo;g7cTavpGXvP@Hk*7rLKnhzi=a zINL-{Q~7UsWsmBG2WZv*|DQ_2y-39C7*$%d*K@$kCkiMyu>XUU1vQQ^h(6w@^-<6j zw8Sqt2rpgSxoJV3lK74=g%&9Ea{;Z61kdoU{O5T>3*jy2P=xCflb?HZ@Thd!7i69~ zc;WH?YQ${Q!JHq&ZJa*eAPS=M8d8;hUU)B2hZg=_WxMe&>K9)<=v+Z-`jF;#J&0&* zW(K_Mfi6QkWiRZ#tBuc)@+Rq8^=d%nqzo^G8Xp0bxwY2w4b*+66y<=%dTGXp`c3mV ze2+wJJO0nuViq_U01s0IVm3k(PDBCd;`>cz+aqw~X0cShLm+{h)oNzVrV z6`$WVjSktm=u)*4_t*4i35V@zeNV8z z=3=I?D}_kS(A5g|s8^1dgdR)t&yu+t$O!u87L!H)G~S5u!gT0tbF$lMRIr#0;JjCf z{WLtm+u#AKPPu+VDwW3Fa8jL?^lA4cNDjVpW_i zDOzsllA|di^cZvN8Pg1CNrn!#=cKN_;|{cr%L4e48Qf0Rz=tj8)4EWbIjJ z{91s%>~i5G+hG)%Fl@(STOg0No!q*tlmJ+2z*Lhh)Zy22Z=hN6Vtc)cFJ=jK+Mbn+ zngN@8IYwffl$3mD{OH~uU(-{ubrBtYPOt|%HI#K?uh1c=yItR8UTPz;K%tE|=(^gW zgEM~w#)`eSzwCiFdy%6?!TteaY$Fo2bEL%w5vGfZl`xGF~k0=HtTNwrgPd7 zKpp{i@v%_o?|Ch-qlm|5`0hYm{J&X~-&s#_5q6l>NU-nBwNAr6?=l2}!(iK-uK^4; zB7NyA+h8AvmJ+n*Lk5e=deAw}*BI)2nyp!L1~2fxUgHE2w+fkb<&OBX%rhriN=lQ^ z2QQJzO6BQDMq#7i$+=1yLT9CMsk?dTi<;H%44_j`FWtoSN-qD`D@}0vkfa6Bl>68>oPY{cc~dO+_b0ES4??t+~#Ejphv!@7O6<$1!s#res$gJ3~iXjQUH-Cc5rZ!sHoRN;L+ zx44*6N|PQbd_Dz*d=m6|yz8xBoGS4^#(igxzzCkvgvLwxGI-4}t#^&&?0q^>n`KiT zGYN(1JHk-XloxVd`$}#pQbw0}ikjjyJK)eggqDo+MCv2|V;MaTGU+T4QX+{YMP13_ z5s<3#F0=bah=}Wy%1^jsV~1p5&)Z!XBv^z;gW>^}#%~=2#${49eSWC=to%Gq6y5ot zy-6Y+Vu{EMwfbIam=H;V9@Zv&I{x6Nn!dN>hrA-3#>}ZrQ3#lkxqO`GD$7b;Gip)V zK{XK&(aS$-okb>Vi-uJVfXRY;o-@D#z``-62HxXy9nd>^w^N9WU?Z_$niZz7TGT8}? zeUh|fQg436zR$G|?F221>cSeU=F3jCQn+@bE7>{aI9`=bTrDYFGV$=u%*1GPb)#cO z(fv>$b)&Zvz5)gIq{5QAg7j$cv!bT@Q`Xmb88;P^zKiYI3p7>_Ez_>1e*(EvDR%9f z5_w{Z1y24f<^~UllNJ%B0ev>Qi!jZ;-idT5Yt_4oBM-+XdK!j(tU}?n#owU`V6^t| zw04=`1nkwsDNp-dS|9H2gAwAcIO;mJJ^w|Ks=sDpmsH|yf?PS8+*1)pj@io!*La63 z1>Wx^MPXmXeyC9UAOG0MIH)8(6}d{hv-FvMff1%xc-W{~X2OCa?cEB}0 zL?glFll_4-_-^_WkDo&$4cLZVr6bpVy1op8HZ*UQ^L4nFLV)Hs%&ywyouESGM&MkZ zoHhs!&-aAQB|FJg5b2d}YAmOQ~C4tpFp z=zQ)1dq78K+g;K8EfomTigoTv4Xk;1rh&=cH`+%K)hEFRoI0SIG~sy4 zCd-~^-$16ja!lnhfzmCgn|J&5s_7af%-_CY3MM9aTPs_n(%-aEKR<2nKAdhBRyw6- z=8L5xW%p>#(~|uTg|_)Gbz? z`(_u)K28BRs%|n*_L<(5^-9J@0o){2LlBaL${rvw(kmlH#~jTd%Kd_@FWYYow}1R| z+1F#@6?MVs_E-;~6>{2Uw4;yk@b+>7jq6MiNF9a(S>F>nN8)0UCy~Hg{9iZQEECAW zzkmR6b@h>qRttGB!&6=X#S}1)%YrzSt16dA>y!V9IL+kGLl0h=4YqkNUI0=)I8N6;2i$`SXKEwy~ z2+r3*4qcqS5iK9b3;N5OJcu8IB^1a>*hzQJw>8)JW~09Z&c)W2Gbe(h(64qfym^G4 za$)4+5ylTA@BSzjfj;}55&OsQe^d^Nq9+0lQ)a%SX52EaAfES>y2) zy*KZLrZGXniz*nz8_Z%dOzBPPrRjYibAoFp)@e*cyriZHl+|yad6d!!Xs#*P3yW>m zi0Ne6r(=bQhk^{>l>ggwoY0MxGRdwEvg`J(7UXVJx06_BoS{N=fkD6R95$sfUcbtE zX4l+%4QSOU0Td;4?fwTzbFu>%l%Mc|AK>EK4DE;)Gyijr3 z@6sjMCVb$|m`^faNgPsdR3`De+lZ)H1izF1#Mm9sT;TX8x6St1W^O8}D`Pb(NJ zku9pJ{r=o@mN0KRD{9XjRf_rX9P2u^061= z=Qcz)ah05^#?RyUZHGGoEYv8TkfX;+ajIRD`wRlPFkI-w>SFDFfi@R6Qt0sUyBFWZ zpQ^E++nUG zwEJ~$r>*}D3;Ra)b;sf>c~b`U6@!+wOHqRI&z`CNiA+>{#AEqJw} z4xv}!b-VG+l z{obs!(Q)=gSk}a#%aiZ4O+1PCcXU1se?@&m@l{`ja7f)%$W?1iAvkkA2I~$uHUOwTPI8bYrK)*KjgXgHtCgM@S}PAB#oU^pmk=N_wD+^6i!-$(1=d`=0~C`qN| zhKjuER8^x)clUYmhyOs@?P=~4wCmGD>^gOozmT$D?Z~V_mtBGc0z3xR_)566c*VzM zY60MuxARY1C6>DY0~oAkQ9UMuG!6)d2riFXf8IpuSaLasFR^(5l7wF;x4QG4ICvvg zYyWM)CTF#kFQ`D>NH?vI+7#dMysfcru^WT=kY9w%UXVpM{9QbP5(I{noZJ^U85O}Rh~3PXv04e*s|MPb>vQEX$j z_dldjiN6SxjCFYb^qKy2I`jY57iPl0oB1YbZxByv>M4_}(tV!0d>uT5gr#(Mkx%fC zG?ae;XkXm-l4h!<%yO09DR?)baKTPwm7@uu(~20bnJG{30hCS+0LXB(eu8nD-|=ME z2$Fe=Bv5l=gR~oymo^?eF28^BpZ=&ubqB@N>O@iAxjF}SpjwhWHHuCKL=^(CYE!hP z?VnvMWSL9T(?DgO7%Sc{$n&mvJtXVVy`A~jLL3Z3&9j&aQ;6M(4#VPQh>iOF9ww+& zBSHl!S5Z{-egDBj|5uFi=In2faonfeJ-}J~M0!q=+a;UC(X9!_Kn;PA+@?ul7W)Et z!Yw}{Uf@xr_1OTBM?M+~91z^JTVL_|hrVr}a@CNchsVBzNB%`t(TUo90^}p$P|LL~AllYo) zCJ!LmR9N>cWd9w)`Rgk34s<`r+WjA0&i~h?{xAP6i-N_?6}C?I7v}Nz#`WKy#Q){1 z{EzJct}P=mVBcW3E~1y+6Q-V+af( zZ$B_0`I|__W%m3?uPr!F8fTB?_i??HDOju*UyT4_3%kWM#|cIk$;LIUmif# zKRg_}TXN>gNCoXu19lL-;hv|N0kME$5byPJP2?Y+xy$!Ep;?hGIB!zFnX65dlkc^F zE?UV4c065zewR;HYj9f=8mw8F9a$7aLOExZt-=I$&^T!b zbXfvnl9(k=qOEyeQ{X+V0vp>>v*TerQFThG=@Tikp@(*it~bqJvpA{&UTB}_*8*Uk zdtsmBSdb;hAFT-=RGGtx6L~bY^25PHo@7+D1JLryra;=?3p~jUn=Y2o9il8S660v_ zy$X6YZf>#{y|7<3!I98nray9Km87?5f_=>Z_&9{`4)q`)ATT=lPggG@O{CWWH)3?( z18@)5fj0YXV{T%x&s?0xii7D=wit;Lf9a33*&405+u{JVnT( zZVFgt;k-=B7v2V_ensG6AOND3bu`T%W82-?iF|pBmO+s!Zdw>`sYMYTw5Tbdf1U&2 zq)++)`6cOSrIUYX!xum(p_M?ThF>&<&QSL1lq|SAn)(aS@y^eJdCP{pj%QwPDazWO zN+&SZ%nmcuu0{=MpMlafJMhjd|Ka=#Xb1E_&!zVDFJ(;|aS)RK`8rj4860=a2=>sy z+Hn6~z`S8YPIVwHIst;xiktxnK(+&lgbhEsnDALlP8yo-hli>_X1DSj)Gcp$Qn{as z>Su;>1$8iW0ItPcCKe);h`S%)n5oVmZc!Q^HtoY^EDZr(kOTZDyn(P~0GE6#pjbfr z{-Z=A0`{i<@H0A7Kw5qZxUhB5Kw&D2zm%G2r4W9`s3v|t33{@FU%0$UgEi1cn7g)B zZX1Q?MLx0HATUa=;zN>k#S!@JzrnGo7Mvo)YdrF6_pJ)EyeYGkp@Qpl8fXpEff9+G zu1Zi1Lz&A-i&G&CW({BGScK}cLkp^KrIc$ImSLNuhuL9lfOov83Y{UVF>L!iJe6j% zUf1+N>fz-gnfwNlB9Lq#vI8U~Z(h~{V|%K{`ECFyx(%84Z^i$ZOTPHEIbPe9Hnzl& z?yd=HjLZD?rCHptJeTlwO71H7rugKHzRW5%d_WSaC5xLt zIeQ&6XK+^jU~U1+_K39+>E;_|_M5@)<%-%100an2?!DCQ@*EMZZ9n^BhHB?Wy0RNh z{6(gvx%%TwSNZ@IXP5|$%ip3*E(EPJ5_YhK+bbc8*sB;w=a&?fNXU}$u<{gvv-F1;C{U~`eD3OSE#d~j;!VV z0Ak(Z<%lG=fKGO4E$Bd-!4E^Qg?Lg1zu}T@{sMzU(5v$U(qGOG<`*MURKooR|GfR& zkAev~jAZXx1D@d=6p~>aKnsrEoDv{C_y#*U@q0K9p!J8RkmMe5&MNzWI*j!+vltCJ zgh_QXY45Z0O+{bXWg$<;c4m&#m(W-29VV66qq2MXva<1pPaGq*M<~aGB%g*0S3(dixKfuq4S7o}jkiU=3O*Hbz z2QMp0O)B0{UxA$N^v!+u#n2My&_;uh-Z8WLNYZoPe*HnJ`tw9*9m7Zuk7da#&L+TK!M-2*acpkXmm(Qo_mJq zvL99QlLV`#%ig#2#kgaw!TV8R70yS|cV%y#!7`=ISNR<*(s}*4UH-LHsgr9%UEYkd2QSQOow>#2Bq=T%$5}dI4S*O@#0NMiy$_rHhu%URUrs?5* zKNMs$TMv@pQGWJ-#_FDps+M8zh=_hW&>+7sgrp4g4LllLD|l9_h?LL3(%5yvhH ze=*7n=G6xHdFhR~b7enLZVmpa8>L9eJ8bdr(Ys*NtdM}b1t#+FSsv^}swtIl4^ z`V+t%C4m*n94Q$HDjR+ozfp`~o@wsKQkppoPr5-lcJ1co;8VD#If1ZegO}L)R}t@C zS^hm-{@GHn^bLWMf(6VF$i8~fE%~`jU-UCpNIGDy@xziCm_$}ony-{vq<}ATx#46l z7Rd{S>QROD5cYnS3p%P6u=AS%|BlBe;Q5y@xk6ef9?|zPh9KK?u?waq4Fo$D$`47M z7w;h5myG8@TQJ}O((zBe4qK5@Ut(+;y<|R)Qt@YAny9$C5A%iI ziIzH39vw=>0xgueN7hu60|+5hVCmO0727Y++6qfLMWH}@z&}JYqH2XV6^AzBNLbjw ztTdtDz)Z-UqqW||C{2>fMZUlFn~q)2FjMOXGFSS!K}2>DU!GC`kPIBlk2s&}0YHJQ zIWfSqpd1K;8yF<(c9!of%yrbrU4*s_Iu!Gq?$&< zyj=Xl<6JD$_xB3|{vgJt6#(NW>%ba3$H3kLSc_rYG65~j?@c||=8^T?b{+Le;EGL7 zZ9D6Yvx)q6m5c0MfOzEbcYt}Sss-(D)2nl!A4mXdWS*-bzoxf!;Fy`S47e|=z_=zjf%-q7dn(78E9}4DFI7B*E!wbv{UzRG{%sh52Qksmdo^wpT z<^zJd>6S}{DL?&5SzLQLRZA1t%GEGkTR6{hz$CZ+aF$fR`6;l8VE`orlml~c>p%)d zKJMq(DRaHy|B7Iu_AM_QH16YaK7q6!=%d+rj>vY}o@xjnKW-mTdKiI_#sV4E=G}g? zSy7N+_gyB%-Zc_Hje(kZ@7PDvx+O^ZFkR$lW(v@6@>p7e<|@Ze z$Xplyc%DGXPw^EXxAI#s#kXo#-H<5;gf-;B9%vBw^S_|6D?%Jdg^Y=K%A_P5zA25^`uK@ogoN zrSz#(iu|Dh8bF$TPw^6u^ z!%KsmLUb3MprGq8*29(S-MbDR=F&_!hoQo0M&`ykY>PgQ0{X31&z&82PD1(~V%1|I zDT;b0YhNBGUN>1}KuC>VcS3)OI`A+8E$-F@X#d{fQ{bEO$C}52oO{HzntbcvrP@UI z#pVw%Ufj+^G7U0?e8X6`B?Gjn3GEU8DotY$D;-AiT20(-HQoaJnaSG_Rzkc2IkZ5v z32ec23Ou2HR_?st zs0v129ibz(1HhzR(eO8DozMu}P$0V+tzjNUWX=1d4e4(x=Jlod1s6gxZOGH*w2r>Q zhOne=mf#PkskPlV(8uEU(KmhXlLBd?{3rJ#?I<; z^JwDB?2ChQwSzRt3ofFnD{mt2pD(o~1 z!`$W?c8!z{=|m#SZ@O(AfFx$Q4w!yz;Yn?z$>)v>9!_t^HEm2E60*?ar2BcE5{P^y#K7rT=Zx4Xi zW6;GFNaQl&TaFyaWz=t5$Q~`eECxAWa|Z$bJpyW5B(8(=#v3VMdX7x=CT3R%nm9bc zNCe@}S|17hz8qiXICC%yDt`ttO-mS{1=PQZVH#0=DE7sw$%W%_y~9o%oY~;s#y&{1 zxe!9ow_y$$TXu-w2<-5(S6_JEp}B5?csDFXClHUv=eH0Btg5V{P1hU51W|)|*q?PE zj#S5$yM9O_&WCzo2@Fj++ub{_fIB6*zY%tCroMH?5I9*N)t>-jY`k}du;VV9=gF6a z*I4NzZ~hDN`s&`}9qUy|XOO7tlLT?tPl0iB((b#YtX~hoySCXS9{2wPcr8`*1SIfj zYWks^n~v`76G0$;O5;g+&b#^58$%XYRh)K|>9+QQu@Jnu7JqygP!GOl1&Da z{6anVbz)iLY4EYh*%IynV~(su7TvqlM4gx2vOoxKnZtCxL}BS8F4~b_5{uClVhl+A zNh*z>M!)DohG|Z}t!&XipRN%=okV@VfXILkKzPDsC*Uvt?jh7oGr;_b#4ED}(8~ zU$rp&o(9HB#90VWyA|NY1l0FVK#Hybo?6yDoZQ;r8sO62NL7OObZv|v#mU1#i?qnY z9Ko0x-*R1NOmk?~+6$M7Ae{Yfl3pfAYYrxHaWR{Y1tr+iw0ugK`;x8)rB{u^H>iP- zQT8Jfm?Ay={;;-;d(BJOiHOfW51E%+V*Y&P(aYNTnq%ZJr{nNX{DEwmf5lT< zrv3kbr#>cV9KgRv3P4Bh7Sj1f=02HioI3j$(_eWY5;_-9$LY>F*d!7@;hBkG$fO%QJd7g#c)lwgWvNg}Hi? zF%gK;T(?Y??hPR1M@&dSL>pEKbR^dW>6mk)6$N@6S1|)2)6M~qli1*x-`d!-n(925 z@6gb9G}l5i4h=qC;~k?2l1vV5u~XXI z4b#?1k0WHSya&>AB7|`uwmJWyWqsr4`&p%MKsh%JFA;KnvxT*MM}<`A{QyM2sQfBW3LgbR&)?6p!mN-ipUe)xDf1 zGMBsAzZ7RNT-$m5oaS+EKXASo(zI!R7NgYlEcYdHWE2T}#$~>OBC@e_?gzH0A#K_? z!O!keSCv!^zYQFB1WolWm$;C?w!TEPt_RemgFW^UT;$ex68xg z)5~8N@OEclMf3r5b;MK(2#}_DS?jHmmqPl;B2M_34P%)fxDk=(*%T;gB5 z*lgoq?tMIA_HQ!vpzkVWFrHtz2o3pS);LmtIwJMl;xiUcYE&ib2E~0WS^rNjA6%-^ zBXM$@SytMQWh;TmYeOxNr-?6qoibPy#Dl?mYIpjZOk^u)!d(*91ER%yR6ZFDi8Td7 z(2-bb>IjNgoygG{`Ptit0(DLY5U75Lp7u1E50)&wJrLmGPEs^GN2toKqICh;9>FirwW3NkkoW)e4kH&e z#}^>AnEU-!$_Db4SiSh3NKN@ovN))kZx=^6G*?cNx;*$C-gWpVR@Vn!Fe(amhcamz znH0X*j3XtaVosO8yMx3bz-Msr`a4Jv`6|bdK0P+!6Du}4glNl;(FDB9!~&SAOr}iI z5aSa}S+K3z``MSzNXOtr?&h}=Ra%Frk-@8kV|j8e`@qQo;xQq}Hgp_Y?88I}3973D zx_fM(lY_%nU7xsL3h9e!Em(u>$Vf=PwK5A?m?Sg#OD31CYh;H@W4ga#%vT+7dfTq_ zP^ycoT0bl?3J_$bLRI5E4I>O6LXQ?Rkjhu-l~#ukFNr*Dxs`h^OwMmMUj*9FAy>Ux zLftA}zMPhUG(aw<`1-WrQ^+W#J$<_L-w3a7A6^#Onao~qmUHlh9#byNz0wfxQhqcd zq55sU)M!LWH*IfPhj!{psQ!g#a0Pl`(`fbl#Vewx2d!^5%QMV9Pgy^N*Y-@S>>Af!->wu}S0<`$` z4S@Vs&-DfX;Q--9f3BmEU`zS5eeFEn@ZfbwpV^A-Cm=FNZ#6Ve=wkL-?FR{_NuRcdp|BzO? ztL^?H{yw(#F?rM1I}L89n@>DkGMx_QhXil2be0zV9?7=0cgqGd!V-Whkrsxmf#~-w zS)LA($8C31H!!WY0@w8rezyq`?x0)Att_~Hs6pgWHwp18mBk}YmY=-Q!?UddC^ zzljig99Zu+5@}<~vW{u+K+=-uo?gQ^I+S21%KfAJiw02eL^UhF(& zD|O2tjN;;uU@cVvosguF9@Ne|_fXz**ye@f{0hb z8a3z1NLgnnkx?aCoL|^IVO(p`qsemp%n_GG_q!BW{Zt&JdBj>`hc5`fiH7lnt^?Gg z%c=Z>x^tjRlL#vZ6n;H-b=qG+*s+=PtKol04uDaGk&pX}uk$!3G}+;uJ9#U;(ix0KWF!c-~yKW9JGwMXY8%a&G&Gi@W58 z>S`ICOItw-e78_GKmO|a6wu24)*bQe&Op@vG0-%R_2Tz$d_tby8%LnzYIw>()XY3+ z#cq=x6L24r&XIK$H7vMMM84j{j#Kn`;MP}3?zM;g`vCKo4z{SIXxN5S#>@-|fvFrF zW=814?CPc88vM%3LxSIMDGQ+p#~=Tk@B0T`id>@~iNZJb31bb*-yV6)A&N+d(ahQ% z8N4K~Zr*z}DX0v9&RQGh`yPmdchqv~NEALbqXwP~P~HkmuF)!jX?Mu{9-Bf1CeS1n z$nAMnlQSZIWAIznALgVZfsxS|Vu!#6h|K-H&gM3|4(0V-K*ayO6S*J0YAjl0lg&mB z-uetjY)d~cVY-Yu@vYe**U)Aj?O3aFKUD>val;dpl=xnogWROon}71~QAt+WfAjE{ zwA>$oDkGY>oepwv%MNIyCDyJ%N8qv$v@l;fdF0z9)&B_j9K~h1i6q@%jFF0mATT!3 z2OjT9Zyqp5?G)cvjk1%S9(UZ*A^7cl@tp6RsQW9>;BWpx%nY8{#c#~k1$-cApvZk| zpjW;!XTtH@|jM&}Ow-Z+<-_(?hEWd?Wf^dheO^ zduiJA@o@!>;_9EH$JaBSN~5wG*`~BX%l^{^!k9tEPlj+U1?VXp(SVK0`_1_F5p z&in298;uN`Hs6uFjhaqU&U@XB`fH60qtK+jHGw16NH(VUT$jeNvGSf4 zzH65qiE?rof3Dufy;U*KNo4&$39M!IL<9eDg`*=*}>!xtJN`g{BpA4TIFfETHG-)l9OzWEiq zHp%vJU20v@33%Onjn%@3F)*F@z3WHXO&K<~IY_OxJcbox>$LqK35V7#Xw+F#?FQ%I zTz!#Z9v*mYo55h&)+RN|_zg@&zO>6=;1l9E!R1;7ndIC3nqPW5e5)Zu+)Rn~Xu?8u zeMvOv*MWiC<2PWkpT%50^qsC^MS_ zzJkf4cno)!Rz!CtQ{74VbH>&OJ3yT*`SnW~*$$@8O`P|n5q=IxZsoB5jGf!)Fa<1C z-D8&G8m>-WoTsmFZ`wgBv*$pONvnMQLexB>`kJ`3o}+bu^BVr1u|QxP<|4Wf;>)mG zN&H-~<#jTH|AW`SONdJ!?-?%;1^({e2)OCl_=|X>WJjYP2_zw85?)Sl7ll+HNLpjG zU_vrgS2wbxpDtKDHq-s1oSp=Dm$PaY>1T`sM417oCVrw^alDxMVRFjcXMF9vpquva zhmvedO)}@HF&>0#018<%Fu2A@h=nM>i|uFH^kcy!i12noxu|>`%rq5P0cwk%Oy@PG z+-5W5812`V8>Uu73-6`ouJOw^lvWF?PPzp_#5#VuRCqWW$4bkPW{(+}t-TB`9AK{? z63#N`G*2(|U$2!T5vwadVB+YEOFEboO@KR@Cs5L>E#E*okOqmiT0?{a90ta#*_IOM z+6L#nF0=}-&{uA1n&%9ky`!3Kcc?S09fns7BQ5mrs~0#=0tmj;LjuxFT`fCNo}b<%lYLYL`&liQCR)UHm@vev%fXYO;|F065DKEvnE zvKn-y3h_Xpt1PLX?Gc*jlHNUFR=+7mDP)^YURRx=4!13ugBz{VHIfEfT#H`}XszZb zFLoZr>dkk{0<+g<;_> zl*HZm=Z{H+1VW=YT`ob}h>Ppyv;!se{q<51qFP_w;xRf?SNENSfcrD{-~w`R5?Sv^ zoy{pYF$(JKjL+}&@z~2Zw~K(L9cb0^3|wn5>}dO3jeW2@RTdtMLbJz}%R7G7r=ye_S$OKn0NcZ(^@bnN1c%cfJ2L)| z^l^NeUG&O@KnKX9qPnGkqp7Ubj}pI4%54YStv(&sG6#N`E$nf$CbYeL2}lCo34fQs zcl0llkjZ)Y3u*J5IVSV?iiFbulspU%KpYZE;kD;3~873Q#I=BY}RXn!2SVW7);W)J( z8Muzv1`RAJt5}C&6un&IA};Uno()jCHBgb?{YXb*9_TQ+KkuMmY3$~8oA3u47#@Bt zAY?8K$kwJ&(?HWSV&@d=5Nhjn_{00*#AGX|RSUhV%#-x?f42jMs;ae5!0>U7=cUL3 zP_hhL@4kpp!Yixj+$n8Nou?L5y|0@ctNix!>U}7$4Pms&2^B`GA5zeuU{Inn;&}mX z8J81qDosH8p@WHLzI^6{2;FPxvKHA!HCbt_P}ihv(w0dT$4C<>iT86g3xXxV_7aLx zwfMM=DreVeny5!DL#m#W33SiswZo1}U_IK~ce0jR#T!7bWp!;Hm z8Y=!BOJP&e^P-h>T(iV<$}dFMl#2xGkcOkBzM_5;rwE^9f=Y*IT zep&osns>%)0r1`^!OGoEt~9|f<5V*wq8~h0{kpCxCK3AmPaF#k8l`|OE6z?|1!|p7 zn+d}7B&3k(wWrgP(6v@>8GdHVE1`idwh}{7o)OItj$6nLBYPL>gqJjcsSZwW=Mo@F zHsNUCZn*{$Uj%9Kyu@%x{55^Ho7Fb#?I zGm_%O{EdZ;-NCVJ>r|uRvKDI=#lUy;-ZD^|;%f$VLY8VjU~6TT0~ADucW4|RGyw~6 z+mlTBi6gH9&Apf07#r{ul&$WoFKif$Iv66wQv>dROt2FdgPnBr5z0 z!_R06DRw(|d?#1{r{F$$sl@~Q7BQb^v{a(p9+vC_`I^l0_brv>b2ge(%$wmzp}2N=v;pW>C1-1m-lp=1mHCB5khp#!a_^XRq-61Q*dZ|3B%0w zL1Z4>QENpamINa6sx+di`EuVwP0-^XHb%^suQ9d-b^R5Uzw~{wL|eb-UjWv#!YGPK zjD>M3w1Mrkt1|aZO;ErbOymZ z-a%NQntqVNeG#EQ8X){#Jrx&SArg>BuV~bjS)hyW8mAGu{_`hF_CMGD4%l z%}fS1(8vkPbR9XD&gcAoLrmbDPf}>gjJGH;o{6`q`e}=&c0K17V9ucI4yVnflrJCp zkQrDpjo^4~L?CGwLNvqOCVDWRjhV~U|x zC#4ZT0dBP2n&TP>w2hKZ+X8VEn_-f1?@$%rLAt(FY1oPuX+n+1i_~cST-Fn*5z^ti z{sufhZ4W7_y?VNTAtk>=jDiC*`CN@6&Z2w%*pbd2dkG9GD$2c=K)a@cLsEZI7u~&v zsqXrQmkjY?oAPFtzTWsldRTjmMeel2g6$UF5O33aqPC+tX|{dM`qGdQ31LTb!MUU=R_xh_a7j-rcXRJmp zz?g%{)n%uWB3FH#e?-jutD57b5f{+*d=)>JgO4ZnN97`f&@Z|Ea?S*C|mfj!C zW4k?aVQmgx+gefVd?5y_$F5J!_GiYzB+8PP;{>Vo%iw$~a1$23A@@2jbOx<84wd7a2_7va_$zMR+nD_c7NJV&fJ?8HyU^CfJW zoU*(OW6X)QZ)ePGd{t*P%)$e_eE+_0xeP@2 z=RBr830z{M`S8?@(-$d`hG_O)L14a`K<2Dy171do7&fzi2bSM7x3K^YypE9VanunJ zYvC0Fxd3;-0(?U<(iKc>rm{p(`{7O++O>t=A=EeNY=rITwPE2)Yd+fN_h8tGY+=1MMJnGU3rjNREr2+89T>!M zf&Rz@rejys+8@G>oj;p@T{jzSFyyC=(pHs#x@C7q$|2K8-bQEE10GDl?d%n|J&@{i zB{&C$Te2n~rEMeKo{qWlT@3&(SQi)vo!`sAdC^15456|$uNsn&>IHc)Z{ngC4lnQh zvq1;KwY!NG=2=aat}Yucm+(3r_<3Ob%R>1CnVv=!?PyQlI}@Q415jdu{hfFW1Kw}8 zqPqz(c++QEg4Ru-u|Ixae=xWk-z6Hg>NLW(>Vkq|mwp4+D0W-*-GdXJt^4)+hTK`2 zngodcov9batRXVZTAe$DH^l~wi3XS1p(n`qBG64j;G#1lWd>7yPl)@0sL+zXZ(2aN zU9I-6?);5LIC-M5d@fk7imPZ zF#bMHSKfVNv7F`cZpM)l7+O@z1oAtn#*X__K*Tbr34GC|v}y_r8goY?bl3ce!I_$L zW1*b7njp5F=3w=#Mbx>=y}BZNcu_@J`|B4_;gZmPK{5W^bc<}wXOy)q9*V=J9Bm=L z9laKR?6C~(rlXL#O-QKe(#o{=IF9WU6Z4bMCS0rTa!_mL*i((H+L@!6sy_!G@L=9( zz{5O3Vrtr6Kdf(DEQfmMwG0FvLS!nJuGo8^=i+jluOC51fS2FuvNe5(jjVEw6BSC& z%dabTMBg@i;}VbquWe4qDydeYe#VhyJ}2YZ%KhSZKze5N$8wus*(!fegEy7`S zp<%Z)CW&^TS8$pYcq6;dd9Debhz&TcEz^kYLHtD4LSw1YMukk3c|>2Z+)RzlE^AfT z)J1t`!or2#NC}>>pNU{CRHty+&T-0xNu$ZUUa5*v{G{|qFvQ@AStm#5&m_lQ5EviR zsE4VYD~X3Q%&9+FXMY}P0i;xKnnbtrJM3cQnvR`~kyScWCvI7Sy_Z?$T8)&~t`pmH zMk|+-tf3XvTOGt-iv4Be#sd=sVhFga!nzxt`;JM|NPwm&!C0A~-$z<$OtT!64-@aHAER z+VltqhlmLP`Y=Im9@}syhi<<3qv{=3Wml-5gMu~(&t(;fnv?so$)?(Ci7}9dA9~7+ zJE?h!J73KzUItbmlxOgHtO4%0_8x5ui0h)XTRZ)oW^E*0nFP=7$q~e@b@q#ZSlZHc zs|B5z137>)P$_WC=a}AiRmMcGo$CiQPag%=Z|90;zzmn9g}PFMdD^43kK8qlo6@jn3Bp8hYg{_oGeutn^+j3 zt522&^J7Om6k#5j*Bz@EyPH9QmDbK8CqSw#c+~T0+TjK$a%HIDOpT|*QVN5e+g>8% zj-j^5xIBk}Xm@mFr^@9bC(Y>>7|u>|qMe$W)sCSj(EWk3v+G0X#uN@_L9+ykcd*Jy zOTJ_CQ}rknrnQ<%R($eL#YepX))5C>QVZ)M(pa?AS)drM7e?ryB_<&QIbK%I4qMw& z;b@rKtNSt#VQT~RnS2p8VMc3uTBC093)!oS?Qz3yFR<>jCq&?0A-TBS!F5P*fhNFw zOZ^(ol_Na?(?r8aQS@8|rAlc_I{;EU)_0ir1t_Pa~#UbB?ec1 z>d0Vbfxz}!ed0t}rFm-Ws@e{V7uSGES68$aa|4D(-q3Q-iW$c8gbBsI_*+3WJ zEW9h&Pn(R5!(8`GUFb5{61rlbILG^?#Iud<0%S*>~)k=Jy^B*TX zBRJuii_0AYAePC>g3ZP;#b4qhPC%BrSILh^5$QV6BZDSBlSH2C`*4gc9S*Qp2#!Uh zN8-hsbk#DbFuD;cz)JS3a*r11zR8%#@jJOs7o07RmxC8Ee-B=j7?Xb;ekzD{6FR`1 zQm_E}7=_z*j$^gl!*VdKP#fLM)8mrPaV(H3Q=%7_$8;n#D>)WnKwQ>92aV2kbfi3S zf+JN2KFFPwYAPUUayW>5?@(KiD*GU>RXNm#6F%N2-Q_~ydYBk7;B#ER7~!fWkqq9Q zz}2to=Z?-VQy?9zp)?izqWt;{JoWmIc~`N$%g@2Qk=fb8r(d(i(8=)GHUTE%5StyF zn1zS%x)Ov8&5mgodqhYnVs_C>2QiL3)e{O}wGjvZ2RZ-)@et-_l_>uBpYi0CAE=}XUeK%N64hn zM0NhLC|G_-;ber#9GLD?XWzoE7mM9ml{_f(4`y!qreZrS(D1a>uF@Ub+6su^j0rg` zrmIGob>OwzuYbn-mJoch)-3)v2ctgRlcObY#j~kGnEZJ>67YKbU8=(3BVyiqA^U z-XQ;xeNQru>C@FnTGU4w=bO0$&-nS{u~N@55GgZl)gms6gpBb>MP^;mbycT?B#SFz zO+buo;66bL9>I`|jcJd2ouuO31GQGbw%f#KFl9#J&P!*GE4)3}Cm`X=3Z^FO0k|={ z3VoBzU9(MjaY*Q~mhTR-yjYiqtK9AZ;HZsb!x8e#@)jDCa2wr5ci6T%4c4A5+Fs_i z4gIu{*+zD%EL3Nt%-4kvUS2uCe>KR5BB%!{KCH0b6-CEyKO>QzlmqW9W0jP<8*_gA zK6sDWwiM+Gr_ZX>bdFVPmk6Od@R$v83tIwLpN1Z<{R$zIX7&j4pey}d6Kz8APk24S z2SgCF38-tjz(1E;_lGO!jn(LZ+04jbMeJ3p+&_}pD!b0yVpC>IlFE(ZDiLM>gv>aS z;GsJDSQ-8F72tOqm#mp=Xy=G!TXAV$02wDhP9c0yIQg z3UcTla;ag`3162V^^7U@*N`RK5I=cJJ`=B8XL-OE@6^cV=EnoaJF|0BU2> zz}VKsWDH*=(|oR>>mee)?8<`o&&DTUTqs)V^tOA1O;Sb;r%Y zuUjiZ4*=7YxhcuTxL(S6;s#;s5KkiW@E&K^-DQt({6wUIV);|ntVaA=BVMe_g}j>IMEg0n>-;eC>x)|ZcIm6(%Ih!37o;2o ztM=+K#LOc!U;C{%#2a7KO3ZYgggL0*Vd_~!XsMmU;GPCs#I^ErrxHAcCfGs{VWGhGQDfb6u0%yA#trRt$NY=>($pT zm-=?+{2DkJL(Rsp8(?QQX%6O1XhV<#ChI_1_-UBc$ib5MuXe)r}GYi z&$KHq{%a27YrbM)yzw5R!V=%(L5BDQA^6(!VI#Bk_OaZl4MG@;oRM`!{|1SNF^QNu zAt)bp#>I(LhEHzY0)e+&RQtmxQH7(~^E{Aqlf!`6^jN$^tDW=wTqTQZ!U5(u{{vQ- z`P`|fIh%p;&XZ%NhpxuW?0@#+Q_pzx9@x3?je@=pbC}gPKdl-QzvICQ5kdrqvY)ax zgQAOhwjd^>M!xXRs@$qv%apPWRtK3@&_DI~g4L%_KO?Oyq;BF}ae9OqoUh+xGFC6V z&fVl{tKqr{| ztLMe$%$6RVF7y`fOkG%@U$W-de)CdCiljuR%4of#bWKX z_nzQ+?&rR*>-rT`tB#Y>T6|-tS>;mbMuMn5e)Y`qB#Z0@u9N~%;v9wsOsVv-#0}t}Z*n0V`Dq2Hjh==WrDG?PvtD*p->KVuqpmJOluDu@i((^rZ9EN!Q zggm3h%PDp>OOTY8-Bv3CB&uVw*zMH=D+McsO=5pf5xL7WC5#)cj(JmGBBHb40%Euw z9bC`6{#-Mi`%V(Q9m!?`{po}I#>3%2pp-ICcbzwD6kx~M4`FMdi7c-?NPZ|pr+dth z)H2MIE$A~|wrb@Pp=Gu0N!0fn6sM`n26y{ZYqmmn#+-_FK4quE<06utX%7WX%_pe1 zCc{T64nGU6->#(V+tYR{>BPJV7^)=OG97f#PFih$D*=K_IzdJ%tFM4#iP=tqqx{Da zmh1xh9J;kbAde0X@ZX^MwWbw7-wVX1zWh;I-3&LrtqK8sq5S$pbzgk*U`^L zDh$B5IL9xdzz%u%&3yL;jr%*L77@~{F!lAAi>PPXK*`lB1DXCW=YEl{5x?R}|9xN& zSP~L>zOA+c23vfP>}%DuAqhaI(>)Iwpo9J7+cW#Y0!$yLLR;>?HZMPufiVR1a}aYG z`dYJY6Nu)Wpe%E7`H5IbZ(cVLs~D_&IGCe3!t-y3X}dC=rl}$V?2KpKuzljmGEZt% zWG=caEiLWcrZ8BIcs6R^E;Uo7vU*Q;AC8UZbaiRqUyZQFuHh4EH_L4@Z0LAP{Al}B zHiatL=ZG_2Is+46tJZsEo~QE(7Jk{Jrn1;R$~*pT)sW-k+MLo|sle zKRHeXtMO;lmWI_oTEHwe`Q;ezigd!qm}vf%GI){oWc;BV#qss;Ba<3*8Z8Q@r3`?8 z(U4Ij z4d+mCkm=pq^yR8()$^SID&SGhqV6X~eew?lpul4JZ&@TOr+4fxIRU@w8_eQ!LLF8$ zAnwSFi*Xgo!{sdd^`Y&1I^u~2BU_HqtD#VG6pX{WHTQa3A4dt89E%qdlRIj!yf`%0x`RJ_y?}$Ap z=(7(u_CQ^TOG)y+uF48Gpx`x>xdp}bPPP%E9S)6EuS&#Jtd@+9nLr{^1$%0!HouN~ z?DsZ119u+83`ey3i)U5fL1#KH7sbyO`Dg=>O2@PEo2dlm?%FdKAKuT*(L9twtMo`N zUpp=a^fnd=)ZIG@bU?f7sQJ*H(vBACOSJ#Jon6sUyB+;`c37TZ?O4q4(8}ddHe-^&}2N6*9hs8DoMU}+fOIcuStwQ z0-~4>V1Hy?7)T?q^FDsqNh3-5*XKVQOU7gdRDzG6G=8)HppCXX<`UP1#@jqdzaata zDWt*zARZSN**cfqXoiq2J&g2`)*k5d->T2Jd4mY?yb~>E6>4-;bBR6D<#JDsEWm^4 zR5Y#CPG+=3w-q2(5+H#dwkJpW-7h@gXS_bMpO0u^UiZ~&*o?m7W*^Cme6dy8UgvS1 zIwRq)8oz)SrwP^g0&{v~vaQB3ccakdNE+JR-8>Mv6|BU@n=y=`TU#3wxb5`@Cys9UVUT=yxB{ z@(uu00Z6sv0{`MvbxxO6X$$;&LaNCI6VYfh|HDkZ7Ji4aUB*VYkOZGh)mBFtoj`>w z?c81p=92$zs>8FK7R?olv9cDRo+qH4sjzYB03K5KHKn-cus8%T5qr1 z&HIRiGGS1Tgt#0uMa53$Z-`%U)duy-Ts4+af*VY3Ny z>mexW-bu3uSudjdT4e#z1gWEeho~m)RkMenxF1w-X!@wKa(6*^r4>}fEEPX4`JbmB z{*l1fc!9dSfUutDHNB_uAu&yTwyi2vi_g?9^RPishKLebL4e5GqwV0h6Q&p%Z!}{e z>Q(U)8O*?^9)Mij<+P50m9VLqJ$8i0#G6HI-7+J|0m|zu6#3MLx70MKr=iD6$N$%5wS#L)>a$vWk zarpvViYW8$G7)OZPP_xkmt4JHE)A*;Cw3N$fzJrUfPLt?dd+G?uVp<;yLP*GVE${k zLeHBGPkht&b8;tk;~;`6ru;lH+2uNEm&ud)hrz574uwNH&I3=wgG0=?48MKE5`F5; zLs*p`?bsf4Yv-(deBKffGF1UFNk<~d@t2r2lj2$k-FllAl@tT4VW9<2@X#d8yT3LR zsxvSrjRzt>a?Fcd+aL5_dRwLQ6Dlz#0fyB^0W=Oled+0GB0ySI3t)#_$T$a@7pgn|*y~%RD4|;NH9I zh?!A@$q4po6BG{oq*wE3bJ2sC-L7uckJl}*-Tg!?1|l=gu@qkn#r*InGd)=ayhgt z)%X?*Pk*wf+;Y8CpC>a7rd?NaqxyakzvhZ^4f%KrYup0x=Sj0#@B1C?p6en`{=%2E z$AEjSeS%O)2cj=)1Ipx8U%9mIrx)F$`m0Nrv#Q%f32=BJ;+VnqeNb)mXX}cs9~o9? zxMeSdzjWotz*A_=f(3T3xQ2VWfF>f)!sSF`@3v|43D9Q#(R$Lung=CrCay#vi_KBcpK@EZDZq5=vG$c> zdaTpqa5eHMa{rQCp%TBTc!0%0Op`y8Z@6QTfoKZ!Rd^6u9E|g6N+rB_&`G3&lB4oP z<0`$&q@`(?Y&d+XCSnh?afYT7SE)mirAg}_`24`OfEgMeL zPfn+Z=ZAJ(u63qcQG?U{It! zS{>|N^G_QaJ|wJ^HkxYyeCb;Ial3HH$m2$ab0bqFIMXKL6BCnyxD?49(ca=rv@0D> zKv~Kn!eX>^CKAHhgqG7lv@wf5=qwVul6TuA@HEv zl!z!YTFSXtr4%APwc*<<3=t5QIcG$EaG9ckF_+W0GYZ*6o#kQ>lXW?wC~9tF^PP@P zpsKwzE8F>Nta{T0=GJeBmM@`L3lx@38os+FxF&nkdWw~3NgkE|-v50X*BJ!ao&?jI z_MVxN7}49M$89|Dr2UfY+rucUpffT(;k2ua`5>O@H|{*P9Z_M0GzCPuHx??opNkOf z@RD#*&G+wIv_wYj{7bkay|G{rF20{`?0s>!P@&`Gb}C9sPT#?g9t z`vFgm1u?W6BE~*1SdziB; zkkL(1Xf{wXNV`7SO08}URD-U(VWl?Pz33@@q&dKed29*?EJ@Wsnr}-u3;R5^piP1m3uNq3AX@IQrD)AkyfnLaOgaf| z4qumExEkO)OC;2fj`nP^fGeIF_&}8Lh3d|zKQCr5JiVX#v^yWU5|P8+HNu7N-X1Op zb(M^jXV1`t`jVEv`jVT+uj7S2Q*((Z+bLs{hO}MMlMMj)7j3i_%oP!%zVH#OOCzYCuRCAQM^NoHq@WQdqu?nh z(X2t>*oieKB_}K;UdWZt`qzGsS>V&(7kX5(<1(M~vB)(#V4irAcy#@T;D}+cR*%%K zm+1cJg?*aOjs1OE_h8&$_KplnaP^$$)6c@^ZA!*bGZ9(37q$@Y?t}~GPq?lXgP}wy zi4EQ8ykT6-km|=p(p#xlyION5vfaduMy-IQb|>0dY-r_v*|xLz{u)`Fb=j16TL3eJ zeAyqcCH8`37RwrN-ZPITBJ{qXBQ%%tI*);c-`ABykAU0sLsL^(sTI~PGt_Mg)gT4y zIrFNAPi|k}R5UX)k>0}9G6*`K2OaJX=~riWaQ2TYAzK3(Qh-?Rk|(>%1OJ!?7j2bg zCzYLzxo|so3vGH)hc~=aBN#Cttmm~~FB)nWBcvAO%=a1ACZK0RB+dez3;fZD8l4x( zt%nAx36MgS;D?p1+Wm`!m5ES{PTPgMayz?kKl#MGop9aPwgs-X2TxZ~xoA9Vdw@!E z=bveNCF!fj@BftgnNF!gJi2u1`z>LzpR~C%wF1TIshJ$#RB@Ru9wC;8SB#}V-j)oX zN%x&?2ov0mOzv=^l63GQg+G8qcLk#zkWVOR+7N*IUfcBPdH@cLO8oRcgmN<^!fWX> zqr&L2Y21I|33^-Tb*LcIwl===I&LM=eapHTy?cn=MSi;cU1HR2OR_Z}<`X<1ZXGgh z-HauCMq z0zzOIb17)wQhf2h%2RsIWqeBetI~dTlQxKS?-OkuQB$y-n8w(oo{H*Q6VbeV#c_aX(b_Q&Q!r7{zo1=#Wg;k^AQP%Q})q( z3Ob(MdVft)m{zrh-NY9jIrV>Q>`nUFCifDRN>l*-G9>$1xyjNG<9clGC)x&}R>_9% zc4ds|ESu}B0IOkk=3+bh7$8h)RtN$qiGD)B;5Rx)j$=8!!*G#8wKB(C9AbDWWZ+^# z$kpv7@!3|k2~L%p85@2p%gSEc!zJtU3E9k;3e5Jm3mQ^-ajttj5QQp86rS*Vu(W1? zT_u8xz=8M?gfw2Fwg_zeF-y3j@N_}?&N{;n#TU5s6k2mv%6Ao)vJjnY`nr`rZA=x) zAA~+SmzDbVWXr%FL&41Lex2p)tvhFLZ7|lImV}Wz_HX@)6gxY}4z ztU&Y>%KNFo7xeaJSKeRq36)utiKo4yXPgE)QE?Sg&ECFUt#d^PSm{c1sO@0>)^nd> zyD-_qx%%7F1bMN|eBUoXR{;E&JbjP1yw9+eHur{@`Xbr6Z;#$4IzrtF z=@@iwJqw_T^j5{&2cUk+QX-?tXkbitu5`yoSt$Q#yi1GfZ1}^?uxLQgwT7Oc6RCu^OVdjGef^k7J7?$W$TcZ!gghN)l9I zs1t^V2F26yTzD|GZLWK)akqXPCi;wPCg==7;2DA<@v{mcmcMyBI)A)Bd%gpt+S%li zS3fXl{FGR_7jgU(6mxXJszycC1SM>qp}u4 z9SdzcgyDpnYG8e^rE0ONgrC8sb1A-H{Bud}cyOLuu{KW+l)g_CyF{W#8{JUkH^~Y7 z&_uR@*V-hA1HRm5I09m=@6XSg9PeGaTP@WTZz zk=^Ha-GC$LJ|R)A50`m=;mH*XkXB~YM5>zgS=e@7&K3;22R?3oya4{2Og!vLcTTCa zkdo}b*27<`0{ZQ-b^&wJX^`MW#!GFHC$Y7VasoJ1QJ}$Sx{TQQ5?iIeR!^l1fG-u2olvw-=37R9rF zedE8rH&dYedlF<}`Mal!fK{Xqk^Tc(uklHoW4ih57Z{DpFdC4LfO>ZX5>Y|s(x#7K zZWktiVWAkJaoC_iBoD$HIKO-l0uPtP%VhNGH}chjxoz3xO!iP5_`@tb$L=nDuPSrg zhNZ%G?=>Gg^PVjUUk<6+8!iwQN@AwEpeD}G`sxz2MBlM=Kkrfk`5J5Y=E&=La_G4y z#tRAZs&`hl)}NOfYp*{~?yL%W+;#845Lm($MoPO{gdIZAEB`-!9!KAbz&nSl8+^Xk zk)>YP0aza6DdiDKD3-b8>}ww|!HrNQwX3rt{YZ{2%;Ye0L6JkjQ!U?O54cQ*}BJA)FpZ z_xFFy9gjVxZUi$1_{SBS68O^y@$UBh*@XVadj!2zckBhHj;D~yu}KcZl(QuR;%+2R zZdJo%{WSjmm4AkS>B79ap2tN6tIK3b&-{4-JP|VjbYz{7_iL>CsiSqV4-vf;K>l)> zHpw(Cc(#4SPkv}#V*H!;jz2q*vS*zZz&8#OsWJ@B-vXEBD8ORl*`5Y8BXdA~3hXdf z_lU4?#+s(y3pe`t&GZ?XF2;_!;qQDj{~R39+3~(^Ol9CLh!K7OaTC{=)EE87^;`TX z5ddG+Vx=ZwmXle>4P=I^0~6goTc>~IJNQ0Eg2C&;&_uN}3x6%JL+1k#*tP&ujHEx^ z@M)V>`}hNj#{3474L{em)`+(So2dB2qrEyrB$ zE5jdiT@_d03)~5+R8vU1!#AX53w$rtn=L>qYXs6AmSB#tlzc`J7s<6Al#7~l$5)L~ zDE$3<57W!H=R(JnPyjDe$k(hC@S!8(5IMWAdYJ(3{l6IH&j7FFx}IU6<2i9#0>o}$H$T4SStA8+cZQ!K!#nW`=9 z!{pB|GW-V{;C~lz|MN{usLzE)vsP|lIELy(z#ne*b6eqPZ#CLJo!JHAjCW0fv3S2C z(LZqooQW5)6~%X*AXDCCGeAI%Q$7V9`fG96-@IM^ITTl=;%!7QZh*eV_5;e%J^6K6 zTn12eAi;rCc%QkA^oVI+O7he{^-y5sLt^+%U%hx!b2!f@#Zs5@mC6Ciao7nUAYuOQ z_7Ck1V1IfI=s~eBRHE!B9ADRZ8-po}ToV*L@+us>8nflx1_`Ho1o zR><#Ux5WvhC53)*0C@U8b$_MfZAg$FZ@{0%)&{bK#e*G{4qVR{h$Jik#6e)-k^6$4REC2%XC=fcqv=7~}G4L$ftuILZ6NQTzN!sjF z^*aC$7U0SNW%|(R01Ej11V@>8FJN!HfpEv30;$ znY`Sr1`w;DTn^ru7IatjWpcQ#>+bAPMuyVCs1~iR=<&hA|C+O_vZ;&x%FSHnVbVtDMzDIuF4hOZBPjt>LBj?pZ@@54{> z3AfWc$vu+8G%$WZD)4!G+Lt>D>^06!+{g34o{IA12Min*H-bkEeD8Na$|1)|;9cL* zpZ=OJ_wW*+FJqv5Q7E1OI#71~CpJzq!etw-hrE$2#FShZU@IUzJGd+S#sSQ|>iTik zrs8T6Q4;TG&_*wfsPZqUDIy3^Rwt-sjv-_x^?q@)0%p?>fvjKc6=zhJOm?d* zOMkYLA<+uQ-;)PN|2^^M^!>^wTj}IK4Wl;c`< zX-71@YlK}Tn=HDck^OcVxCT+cX+gBd1av<0ASOVjc+|EF)(KqMqP`*SE`g#gN+W zzv9l$1d1!1pG1C#Kgl9GB8D#XHqHsnZeOc(5HmQ;lKPG^|Gn;x8eaMShQi~u%4jIhvjZ@D#to`LDv-cBSH*ZB$zx}YYu=(} zj{L&rEY6q$OXa8v2nU&DS?JkyMMtwpi&W`2Q^K6yRmdbouYp%1V%?5Rw@;YyjsF${x43?LI z!UH<4t^KH6e;&*n$r9^um-_|Vl!~=&vSEcscgCI)2ruP_nARD1h{AW|>%?z(TRwBb zmCDJaH7ymvmos(#6in=dBWXTNl8XO6vE2r|!f3YFDG}lzzj}V%{kJn;|ECv8e^&Dv zs33U((OS3uJU%E4W+kPQc(wS(-C$EKhR^{k*CH%9i?28PzX9Du-eC{gZ5FUN*DQCA zWk-=|Qdh$_tum$5m7bT7STZy}fxN?S(hs8VScLk1ACT4;_3xzkb+n69jdX!0#~xvc zvTfKZ?_jHIk$Bcp?;>YBYdB#tnB?r-K9^9^ZNJj}+JQGt_=4NX41Kgt^}HNGgZ0PD zwC@7H{Bo*Q{ntYF+jL69zqwWz)85o6%l9){sid=2T2U@ZN1MAoDToAFTRJbp_a?#1 zcQI~ayOo1GQkEWXZd0?f@;vQwPNAFA{jTk$j;;=p*QpWFaV}$WzYmh4M)?h8JQ#hh z^Z8_zdR*t_=oA|@X)Jg?+`wIH$aOqQgP)VfI?0Tv>=IG(HqzL3@T5CILl6Aw{14g1 zXI8+=z~Aa~jToqTrP~+3+kEy`dij_SQxeZkYfmlqD_{HoazC8^X8TjAoe@_-_2TMX z4?5|`Nwov-2Ln)9a+Nthiee1;5hpzXc3Cl)JeEbQpA(kkQCO%ncGjZcpw0j&zuRjb ziM-1xpT|^(*?a62g2HW74CG|&7Jb5- zgy&0&?1TMtuC&`|2(6IUHW&WFIi;>(fV)(|Kx4PcWVrq=;xb;N*Xgqg_vj!=Z_k-p zVzaVmwW?;{dpIejuv&c0II6v*U`(?5+@xQDC0r*XOd%4bos^?$lW0+R^=*yLc2uzs zq2j3mg|koOmfI;|p`$SA*ZjkR_ULi=Z;jYbOfKV7ve8nRLe+FAMl@r*Ojs7P8THz9C zxGE?`P+5@3qA!|ybs~I%RkSGeT(brD|6W-su+Dh{NdfFNGHW&0-GLj-v4B18F%J%@ zf@$Y|Vi79fdpGtc`V{nU^Wn88NHoShlTR~L%nb4XYo>VQEqsGA!L;20+Mxo4i+kNc zP+fLmv8^~g5mOhR58*vd zGaK4N<)qSxgy@#4iDQh%R&ERbV15{_UirNR+{1JQ1MG9h9`2>Ru+{?0+^xQY>Vg=X zF|L{2SU4AzU79uq&Y0U7rj(*Rl!k*jC1zz^m-fT9o^-+NTklxAhxsLwX%|fa+raLt z=gA*dW|yQKu8PwaN=USD!aiImX6=nK&xuU&Q;8kz90w#zBS3Dvlxd?U<)-Tsx|X?! zt=7t@E6PA>UKCX6^{}gcku0GNdX^_wx&ypk;>I2!{lwK;giC9R*o~3>eegN2B^1|L zxe|{Cv*60Lip&?!z^TF$Bz+$pSeSu*9cC$Gin98~KGHY5Uxo|`Qgr@t_Xf1-^q(05 z#ZqJ_T!T&fBQXcb?`iVd2Vkh>S&=bJJGdrj?qv;H{lVxJ6A{O)*_{(`oXX;nj=WWDgAG~z{{~Mp0h2m)%Jd7?RT0WlCwI9$5^b~~VLM*(ldYiSfMktSu zLQk!dY8$hT=;^^spJ0HYuEW&DZ6L_SiUI}OXR=lt;N--tu$mvoFlUg*gutEC4aCW> zrUq}_!aNqCi(I}nU{+e8p+rT{e=E;5alSGedmFp%SCW_6p(b9T_AV+n_$ZBipik|% z=lR^LP{D>HB?t)rtNBpB0Qe;8yp+$*A#ZIQRu{;@o*-LF$}<9nMys`+w7=%lQE7+s zp=0jICgqeiJsnXrasxqindadES@q6VdscM2W4g>BpDSiFU)`i;!pQ6F`OfKU``P8L zzn)xUnF?P1PI4E~J_pZwewn3D{G?9wWSPV0;I40!$|Y_kTi2xIaMMRhf=|&=PuX2; z03(3PrR>~3u;5D;H&a!cv&zs0o)6>oSXev>CV9O5{n108GdL&PM|`B9kJ+ysR?&4U?0CPA)!B12N_ zN#f9-`>i}#u-@=g4F`ew+e!5J)>!5iVB`yeQGGA2RPRqL3+6HBUyW1Fj`NiO*y`u0 zc*<}&0n=Ax1j=!bDZ2~?y6g})Os_3GFu|s~!FpR&BosqHM;NJEI(YTK`rpOpQ?5gDB%s+RPd?MD$Z8Q9>QZnCO`Sba? z{Rw&GO8$|?JaxO7G zUsh@e=Oxiu)3Ah9A0)FpB~pE+(lv)31^7~Ocoam0gu=S7!&B)22{lsKE<^Q1q1+K9 zguZ}d+(5{5Fs&^u?@lhl&?Wk0UoKeL_%2JaTEY+m^QKqT0{)#wJ8; z=Q|7;Za<`1h(e7&H*^queNwJjrGO*3IO%0n!UNTKEJO6q`y0gvk^3NX|ReA&)d;0DK!&7%k zmXz91n~ZsMI<8f=gD-*Xb@rsL!Il9o%UatWC%IBd1H78bJI_!5I&7-ww$}tUgYY=D z6hZoIvF0t4;?ok*cxlC4`XDbjeX^1`zhO~DY*Pw%JET3?Rmykl^`r0Wk^p8Hg7b%h zVHa`It{+s==ywG=YS`P0UkD0mj^=fDPY!ZY`{ygm;ja{@!rfo?v1_(|X}dOUUIyPC z(U8lgIV8NdvtRx)7Jj*LD2qPfXxM?uH93^jsmMZOd@uP_4ArrWKF~l?kIrW))W}(i zj=-77ht{2IscSPq_v$Ct+VvlzT~}z>ad=(=_!|hf-5F%W|Vw!m1*_;W)#q+5sP!hMeAwP_!wrR>XrXzELeN<=pJolDSbm38 zO_{$CQb*PxSxT^M-T@R>6enttb8f(d!AUXgq|@3hxaL#y@_gxplX=*pl|Ha5${R6F zjj8bRoNHr=vw#fAXQ`OI4eWj==0wh&i^(H7%dBVcN;6DSUGLWI;n{NM^_V`lt(^7^ z2vo8F?FesLvpYbgnJc;aFSt2w0ZYgzNkSne+$$qBlM$n<+t;5OzXN$U_ws?Lm9G%Q zQBY=;z5fw0-Zb*1@o5Se0hDTvH=X|pwhvPfNQkhON3)U_U3B@R+U12gnAoo|-dLDf z9(m6xw5m4rm1vl^U$RofJNjYB4Q6|KyMCp$um{%$K% z*lR_YicZdE!!vd2kRkDpgS)!;W!1Ki#!PCB&3e5x z_zi*YUFmIVo4bqy*y_MZ+2ZBAWjGbY{2! zw9&`U)%A$a;~**jJ5l|HJkJg=sR;j;hz8}k^;SY&wG|q`egz{SKz7A+o+qVtfTF>W zeHW>xB*KjRSX2%Ib6QqFf%ciA$OEW;>P3N7<1340>A32RdfVn*wTOD`7VnCajLs`5 zV`qaSj2gA!Za2kcb@jb8q0=krV2_Mh^_fe1+fhhA9COPxcvW-Re@OC}JiQhYrOLz@ zESp-4hC3aAtuUMdyq563re!ou#^tSq9@Pp#O5Q@P>IGLeMh+`D#Ze2;djJkZ)|6O{amWU)Y1tDouwvR%kPPc|bEkaWVxov_U)(aUYVl_a z=aR2D{!$VS&=tm*JE$4|hfxsSdfcm%@P}0nO5%ZNxc0jqsWw;Oo}=7(EaG>5i;VaL z7=##;sT+P}ngG-eOSiqkIAjX)yyfH<+bUnHq9jf?ta-gZj7?>-P>U1t22?ySS8p)zO0&JG0C0c~KNwtKRsac-dP_ z)vVh74bHT6TWl+_XHtWCj{<9Dc@mh^&R8^#EkaD>oAPv;+ty5qG|pZWeS)h%eoktx zq+#nC;>Jn$lsT@K@W*=aN04<&S0D3RBwRu}343c%!<>qQz&Z;~1GIJ?$n8X%CyQR& zq3DQ}Ln+D4q&4s8S6Ywsl*pYb#rKu7L9!hnN%{36|5l6%b#o~6d9mLkOuG0vQ!I6b& z%aa=2A%l#~V=a}fAnh0W31DY#9!|Jwse5Y&xSQ|xFW>B&&+>bjLbV>8O^BqKv;Hu= zbII;eKPkTY)r@_<+A+g+TF?CVs_xASZ+xJWnmb?nMbqY;W4Q65=C>Q|A~sw^3tPh# zN<}%N$2i&rPBxwO0K)3MwiVjP2HK32o=t|j(Sx-qc5!~f_y(etx!FgL<@VCb18sX{ z&{-xvxxejf8;_`mPVVQwnat9RCi4z29ZYCopWg5+`zF9OqxaY|hG(wB&awK_WX$6T z(iVl6m_TdJ`2v|&Gnv_E;a?)FXr$)>Pg^Bo;(8w06 z^Qfsalw9HyTF$FjDXv-94KP_-GkrPO@}0+ymcCpAgpaqYTh9}hbni(-{L&dz7#fy8 z21CBC7^Z7;@t09)`N96l^*o~AX|i+}X^*}D%YF8dB~5Qc?+RP$x4WKZCu(^53L_yo zOy}rVvVHTtQlJoUSy7XVKEDr4SQsR(P}_p^b>x&>Gd(JZb2$zFRcw3yQ(Z(=zwBUX zZc)J#i<{GMQyRnVX&|eim_|k6-#8w8i$h^e%V+G0f`O| z<2#@A=Ox{O3rE;H{so=Az$^MSn)m2MB>j$ll){?XfDEXk2Pn3Umu56ufH7W<@sh`b z|6?M9MvSTALST0qB8+V{{T|Q4NHH#JP<0lTV^rRsvSxg3ylhQKOe}EyDL{33_QUAx z0=$~OH?-VFR&)!hCL7oD9$&h@2f8PB2BkHoktbijMe`dzx@)fBY@lOy#vxXZ2eyIY1ubVC$;swF4dQa+Ut8`^6DvC#Scf!>f2VvvJ7k_O?Dn4pH1V zT)pdYja=~-#b|9vlO%^b60=0G%NQ2-4Bs6{9F0Z=tPj4<7P~5EuzUXa35O5`4s{EjtKyf2LGmGG93h-(8fdJ~u}~7EK;kvmo)-a#+~F{1@HT~S$?P)j z*?oLB5IfK3e!{aRb&?KrO{5~lvqT*&jLP#S!)M!f$%`f6*KTO0F*Gc{Zsz%(v#`{| zvHm2qegO;@)m`=sYen~$I@IT5DCrlpe_q#p`>W1s>b1B-t)^P_`)9mlwr**00?xg& z)P?r@@5Z;S6(8csS1^-Lwn>jYCNZYpeX4UY(k@ke!0-uG)@0=_#e%^GSZ>X>%|j6d zYVx;5YO!sF5&b^T4gFEC{PaEP?N%|4f#;Ku+qW1?O|-5*nfn+A%AR(;m)>of5m!DB zY|Z&7NzF~yz=03-nYtF1;g}7mhZ&~4O;4q#Vk$C4L<08G-@p-T@V+eSVU88K(Ph2M z1}=~EafHj7VGTsT_U=*c{J@Yw)D>^j1+$tv2q+9Y5rrd|3a5eOQ2E^^zS4 zNx44tOI=)fM!%gr?4|fGz*jsp+`pCe;&-;SD@Xd|6(9KvBBmTUKnqY5kf;r0-pk|g zN@=Y!;9vi9v*Q#^u$$wXjswm|?!1vV#qY$^fPefQ6{BOQVe@c>SKP_VKUmyE&u1Ed z<}8*LfYHX|KyV1W7GTAhucQwU4l?Sj(k^31;5dI6`O+j83UX^}9L{yy&0Mld-W78y zcD>8&WMEHIM7vT@4Wh%D@ABy1AhC1@v;I-0pd^&L`7r~q|IDTJwX|K_f8ar7hXDAG z9P^<*xiM~|?(XPSj1{)XbkBx2U$Z@@W&WPZ3x_91FQ{RSmqyASH3xWp=ajFtrj^9T z7>Pe|tXBYdA-jJ7k;G;d1T-?^`I{9`W04afQ$2Zq8O48vt;h3XYf5k3ePZ(a?$hrR zH>q#GE{Q^{QovrF(RC_1exd4CZRlPTH3r&Q!h)ztT1O z^~^+aLd-B40UVdtBbNG7S!&g9ccS-1)Ux-(q;|V1xl7^-Z4i@|>Oxze>@$b$>aj8* zlwz%|w%I>rNtRlE~(Y9mr;jr9_Y!=F%34r zshM3hEb2w4Ic{vuTYP=x*miP#$>O9NLFq^^AXS*#PbX4Tu<8TSISTG4bsjzdI}?qD z^!D`Bv1%p3U}kPjl)YxdM)&0Ys)%m(x*j!q)LTzfbh}KVRbUGK4T+gb`NzFuxcjM& z>2pJR;E@^{uYV0;Xo9tiW^ufpjeF(21I-PI@kh~orNhsbwP)OStL;0{zu&3KM>rQO zt~}=k$Y;8G*}jX>;aT5kYxiPQ>C>^_2e@64%es_!GPS&C{*iIU>juX?E6;U$JNfMK z{%)?jfd!e%Ekq-ONO|Fcp@M*jU-qpGKHtM1I4;C{624$wXLtiN_k4d0Ode}^OFA7C zS^-YBcaOVIOF%W6LY)#nPhhp~l4k64^)8wxKkV0Ne!|&R0QO#VkT}))sVq zI6);rcr!rcg9+5bW`Hy#1I5tkaSNbBjR zRvDY>L-cPZ-RN{hhseGDR10lTAso`Z1hGT3{6QBZbPGj+E|2Yso%3$;z4>bZLG?waYjdYZjXQOs8J9ki&@d$l`vA zc6roH--+wb&=`9ixXxB@CV9??Y8Vg71T}g&lR_j#r36_bM4uA19*i4k2sGcaZw@>V z3ZtvVoH$vOr0nlp=Ro8i z9{0B%3`dF@a95BZiE97`FxoyIP~-HD%uk_#nV+saD$aj9NVx zIHpMRIu3t+RYpwGpNB1Z2h12m<=ra>?dj6EQi)nP4L4zh z<@gH~yhl$#9M@yfzv8$keCno>?zd6sBY`b2f}V zId90ReD~POId@QrgIoRRU?-H8lin~;M*SmDa^0ED0TF8xHK@q#nbG3vgCGj{9&Mq zO31Bpc6xOHxl9?^|ElvyujN!UiRRdj3|wz+XSc*yUOdYw=(Yc~SHFJ6ru}|6=X(bL zx<-RNcmzUfw!)}t=S9>G-FWw^k^VvVg+Du%&Sg}!F-KFZ26 z&PW52*akeYQZf}%GY4X-WTBdSu1L@w;$m6Ei*n3iB+a}72Y4xPwftO{D~jj?lMlIA zWJ`G)Fiw{~{1lUG??^(g@H!qWDup_?&-T2=Nk__MzOvRxkhY*7xEfQ~+rPNLe>BQD zjurCTP0HL6PIpsoiw)ZxrFzksn%kd8FH?AR6}&w#O3Qpj>)R#`*Xo>HD411+Wi6NF zky_Srip;+z$5_~k$q7ud9M9IO?>B=P?@^^%;g%{&7&(H5hss9c#oTjOGW^8^Wg5uL zS{HkDhR8LC3X7IPNr!{$C-4W1wj)U-9p6hUP*dBT?y=YHjfcA$3H^Efvo^#E-Me?~ z9Gz~5dZLXrrhw&WF2A~k;`+>nr|m>Ww<2s;Sy){W^;m2x(=GQ~t5+M$ktCwd4!EH1 zU=&m^0Ca;tXJ*-58y6X%w<8s2A2`-$t3H(NTF%V1%F`~hidjXbQeIbzIx9z3}sckA86GD=+}MO4I7B^ihppkLxLE?Ov)BVNr2N6N$Z#?U;4XeD?1iH!C_HMoQ?$!;xKE7|1j@A| zdNx3EloD+0_{kBus<-HVzC=EfqtAcS9G5Vn+B_@Emjkk+Xt#&@#!~}Khj%%(T^vkC zK*kIeha_0ha<285qEs=EF(c<}X2$#w4Dw#&6r~0|D-$nST}YbKki;Q$?#0-MNb@$U} z`d35kF3danU}Ps7=_pZt0D@a4=NkLJ29_aV=MQ;r^i=yjLT<52P8J};+8R`rQ2%Qtx|{#x;3i)hEJFR=T#Qh_{9tg6{C zx~jk&<;=zhHmr_oxi4tj`?&eFjscJZ(;&_Dt9b=7CasQrv0>cF zL)=8fB!_@IxjEcTppUK3O*vT$M3JI?SHCKpcpQel(VOQ*#al$F=E!3=j(LMVE#%QA zkbeZG1;%AWVyjUHznF!pe<W^t z^TRQ=!RHA|wH=UDX2%Byr=aMl-SA+~-a2j=cg;Z}weo(|z}$!D0&1Txkqi{kz(op3 z>>D(;zG;_?a7S6#-o1d!RfQ=b$ z9bH};S`rYGw?&qBIu5;FU*Lt6SoP`V%`?|h+f8!I3jF~e(UrQ@c z$;fj+_osKbqU`?DNDJay2N(;dQI?$mL6{DPU^rwEFwV5b{=6)iv5yaz%{qIGZ7?W4 zc{F=ju$fZN64{e~`En+c!r}n*>{auO^_iEOk~J!%K*une>(RGgO6xkEA<(QD1fEYX zTj?9Jg5M6$tqvfsCVu`^`Uq?B+mDz#l~lvt)ZfZb`|B6={CNP3RT3fU{29PU%)g&5pT%8=MmIc3joex~#TBCjck6Z|FffLAQbKcUaDEtki`1aoGW|n1f;NRK= zRU}86nmapg+?Jlve{#l|yoCqRzw~~JUaazRRueuyIb#y2ZFc@vm5n_E>)XX_T9jsP zMQT(>*i24F0D)-^o|z;jfwKYDt&5e@ALl=!Hp%M)ebs~D;rY>d-Cm-|m$g2jc`)QY z{8bH{g4TdNS`KwkQS%5!(I`WG(SkL-d_`v8*o{+OW#FasLnUI_5&>K&aWS&rT2R?LbNMacy&kz zkKj_16@Fh_?j&Hi9damg@=(#pt95L9$@f_iy-Lf^8>}l~qmtN+0*(WRG;cZDCNkE& zQexz;ZfMv83m)t1aGJ4quI2SzmaM&KE9J~oEmWHgr6x(hV1_&)f1o zz{OmMyIHRoBC;r5-j~k0#k%EZ|LL`~k>a9v%a{oFhp817H)^aE$iHl`cd6{u z;50l(sBdR{cWZp?R&-nrB&Gu|o?_`Uy-Z7D;~F%ucwY2}^oUB8`Fa(XA%^z#T-@cC z-*8-k4`+=K1#XDqc`Czvk1H|PHrwx$Lu-ZmQ48|RY0TkTCUB=Wm$|j9eO&UpMos?e zTCjm=Tv*i7viS8_-N}LU=KO53%NshQ+=zgoRc z5EU}B(*0c*e&j$!WfckgnQ{&~bppr(UF+~2K$r<1X}y0hVIYQBLb0`>QhN;cVVUvgkUzW0nhCzFPA9|1nTG-W)kuebyuk!5 zG4;OwCL8OgIj?st{um!t+ybrqRrLW4l22G4t8f_C2|z>z#g(lLqn zTp#8_FbQU|0+RQ$j%MP!c}USMd&2JJpC3n7Fj4Q`Oe&RC|)pqJ8maF;dRMayt&^I4I5_i}qDhU^AE0yp`X8yT|2 z>bke=LWLav*4e*eFPE>PzRH+p7j!4Mr(Vh5iSJ|@yL7-_-E3o>XVO{2Nc7MH z>9H9!+iW?}c$g(Ts0o!sx%d%pX9BMSe^M@kS2Yy@btv%ZqP|_$p|aUeLsC(%A-23moJFaUH+}{3{aA3W zRSS+|R}5w?U16-^6YdFX-MYwF^$7}0QQvpknfX%2(f-n*7kN=xZ$xYITqFEV#&@z} zui8%E_OFz~^a!pKUb*WaI_+IDPlq$gp(O~GbCuurk{#Q6WIY`&7jgrVQ33OMPi6um z*xbS<*9yae#;u8?Y0fWoDHscw_3ZSg0xAY)6Vo9_!=GX;1~62Xv`nAJZm6x20XWsh zo`G7Zcod@KN;>aYS-r8SQNxJ6A6yZn1QwYV*2*6cNr>Ja6Zahl{Ci zy?M=FEX8l`;1CsywtQ7GE^9^{md{37Vdi#<+&bCUyEsh9)h~Rw>y|G7ZEtHj1n~48 z^N^Oe%RB>`=E=7}6Co_fGX#g93xMKZ+1#ysVs0b|1l_EU4lw|@$o&q#?sq6=^y2!Tk-dFp+_8~*q#@2J6YD>0zYoj}8i>T(0ol5pUio#xl>u42BIq9j# z(1!Tz6n6a!;Hwkg<347s^Fo5;-)My13WSvC#c`xEcO=)N0AP^Vp~N_eVDmwVD1G5-5x6w5UH2^yRkz6;cgo>g;roQ@hC zj9~2?4Vj-Ke7x9HrTZec)q0YBHYTFJF01cp)w`$;bWYIQ%Aa)T#`j|sA!c8Fe`pvL z`Lh`BMi3g*V>6qtQE0A(5>EySWIw$0@;@srT)ou}Wp(Y#lljfEwg@q7o6OUBQl&6u zQTSabr7);cZdBVU55K8H0{ODe;bkNJ`$RinFUyzjUD!N=_Vdnv$KW~gX@vr42qgHb2cN?YUpq2u893&I1-17W zL>GO`x*|o)^3I$$Y&C$QG`X@?eY3ugf8CS0au=$j$Z>flS14(zLNRKOh+Y)e&WYyk z=)Q0^EQq{BKK&hR%511o)ws6mAgYsk%7J)oF@TKVwy2*qkD%uhy;$2`yFB82r><}N zS&rMLZ=}_{tZihiVG<@gx+N7b5`&c5#Y&bxNgDiqz3=((+;Dv_y!v)0uZa81Q9$av zi*T8D@i@(uoI7Iw4Zy zfH|lTo3rkj6gf;MgLoqk7`iaK1Fe9HY5;Q>ai&TkCU=NqZ2-X$H?FZaLjs0N>+xLh zj;fMOlPe+E57R81pE-EnLID&hbBt_pK;TUW0V+7dfpFGW_L%<`Pwrqt`B=T6$N^Lyuy;K>w+(`iG~3x|I^b8_9A>cQ=K(-iry%UX<|HF;$#Os&*27fxN_6@0v*J-3$!k+JiO0Z2=OmZ~B|Hz(rX>zwla{oUM zJo3>H=Ryr;cd}HS_%A0}2iwp1Gq)5iUR~|c&ot=ey>c!#IlP?IcTb!r%V%x6oif`m z?OVF3VtjC9cVsW-Zx7V1-U#%(ECjANkE2HutF%Ks2)9YEtAlrBc`h>EL+(0Nf9&`x@DFF8>woa`E)Ru{Gf{XZj zS;JTdQ|E4^*A^nnEL@BcO{z<0#8_HALx!xA)&{H0@JEEbDy+S%R9eSRa2-VnM?qYE zA#jaAhk)(tLdgF{T_P%XNa?c6G&OuDP3|V5QqO;WqC}h3zS9x&nlhVZS4twvAbWg} z-Vk1VG<%`z^Bm{ewJ@N>>*DfW8fYA6NsZa z(JAbw0{bgY!{f^f=ZpfUx{?Nxdm$^xMbE3#|GHb>2Yp-fa zF81=ZfRu5a*k&skcOF~B+|MedqUtxe+v(GjjCK}%+0^go2^U*g!hTr_TEO>%=k=M7 zCT%7PIeTk+WHJ{qOx(P9+z4^7z;anxay1AYd*YVFho2Mgug95jFb3URUy6+OLRaee z$aD`OW(UjGuqJ;?DGAn-Z~d->KhIgM!goL$Luz^p2GGZbrSoo=8IHi6k{U=mb{&gx z9)e)aLTuGDMHwCXAvY#G&2zL+5)~_Suv~O~%PwperFMP6@E@TXj3eY03wDvabUKx* ztsULrP+{h2HWY-~C$)fHznswjwDfyIDaExnK@j8RMI~V1g6hcJ5!N zD0=YfB0)Ocf|4=8gTWgBcm+#0@v>+lNRd7|$X4L~-IOP6B3j2%6dr5kQ(lVloHZHo z!g@SXW$TXJk^(0&U>QTmRthE5)B&yR$2ur-gwKVD`ABE)r-qbl{phInXvOZUk>#fY zhZLrni3kmI-YNy=N>8f&e)jpW8*-A$uI% zM{R0RhrHba=Qhb5X67ekZ0p`jVsK#=mG*7mH5vW$1mJsO0jQJN@H0xP6J>htq+c!* zyL_UgCFx#@Sx^+a8c- zg5b;Kn`DYk6AhE@`H7nBi*~vz>FM2!Y)kqN2au*Dt!RCi>@&$5LZvcz5Or zkwUrIiV?XL?Lh%>{`uG0F$5<(=~Lj zyE^NS>Maa8-yTnMBsV<&W98xx%(ep(*UWmq4Sb9>{N>b&TR;d78@>RBNni{vQr|g= ztNR|zTU#v$F6`6B78LM-;@mb=mr#jX0^WUx!RKJ%3|F+@1;Yzt0eM0q!1k1R|(qX zXMgFbaRt)A%u3`^tknjcP7&iJu*paOnwe@nWhZ4LXra0L&05~qZWo(bvIH*Mk3@Ff zAu%ve9pR+skE1K>ZqSBN;u?TW89ng@0Cv+4xM`-C$hL7a4njg6$6s(Y+21St_~&E# zrOp_oun%>E@FBN+*6M>JKdP>6Lho55!S{e-FV#&?IqLOQ ziLG@bPRRsgbq9WWx zrdyfzR~b4)q`-6*cT-&J{dF&jy zzuhLuM5Qby(*i}kfJDrp8SDRvP!OE6=yUSZB*RDb9Tl!HeVz}~=B51(k@w>xnD!xG zxIXq`yA&X-$a;G9+ikD@k5a5c;pa=t22Wne*jv$ZA-tfI=$buwaz25dr&q98N?PC9YSRLbNQR-b1Fz zTK;HnhPMh1M1@^hu*+8?6TNPkfHC3*I5n5L#s`^)KXwjSSv-<_R&L^TBc>sxWj-D7 zOJkgvXmM_Ub{v*|t(l!DS0+TBHg%a>!06jUd*W;eEFTxNX577&7Fc}kU!@FRMvdI0 zMLLE4ITP7ElPmF8*QIw!LC4{6&emrH5ePlrG1D=R&}$g{wpK#vrhH~q1hG$iZGyd7 z(+KZ#Hx2uOyzz)DbHb7`{v}{>gI+WpK6E+JWN7Vvaz z^yzEPJR7I5&kZ?W0KvYdWLMFkMgl z!g1Ux#9utjKrVO!272K#gf+iG$!8*#5K#$8s2OMW=vnTG0A`)}TQ*O%L!(l)a9rbJ zO8|*%#&vtA%b1kX|F#JzbtlV2|9E-4DHjj@8TvV|pdxieViNk(uI?4u?Icia(v3Zz z)cft;SYgH7J7GiGl6#(td{!Jq_w;t@hPID@{ zJu9G%8bL9m@H_g37^vdd05O0}M`oHJjNzdArQS??Bnq0pMS8Oe+$j1!gzi}Rf9fLf z>FGdntI{CWaVHi-}bi^KtGu$ zRS&XoSEL_ufw~WbE+!XB|o^&6-dy_g#-Mv^-= zqIx~5E=D)AitYps*^xx7rqo`l1WOs~rtYfDh3$G9A8rHOKOALV#@h{hOeXH;a`6z- z-kR|Hk>*~TFAVR~gKZQrLPUOb@BJC70%yVK5RekjBwO-~VE;xy9RS+y2>uwcQd0q$O(e3AWmDG9gv=p8Ey^O^Fwj>2Nu_bgyElFwEFmE6lKi+ap*H!?io zE`Gm#0}GYbt{pcO^}i3*IJe0{*9du{WZoRHo-Al`UBiDIsu0q=1dZLa)90PJGtzl3 zB@x$h*A+yqiut!pc_4oI)uTu#9JTz#MC{#q&r=*QGgYGssT&8?)QG~m*R|F3H)!v! zMw)VtxUscC>1QYwY3vGSoUF5T!x}X%ZaD5I_3lGbG^bWwI=93A2Jg<<$(h`2?$V#X zv8xk+*9hgMvq%JseVphenxU}#+$gR)@JO*C!GOy3h>yp(n0~}sP|ZF(BZ}|rJ7sw0 zcpzcQ*HKuduDv7AXc^?nA*S&or(1l7mFuQAFN{~&3z1qD7it9*(KmaUAujtbtuHj+ z)C2#h?5{lSO^+BuACd8P?fV=dml2a8?jR2Pz+lqE>1vNqFQLcxP;kx=CGRvv;SVt( zzn8%6*Z)xTcxRfYzFlLW8G;LrU1#eaBE{tcAXMH0h!*0q{7LUh_kfwH#eT*%(9jd@ zK1Ipw0)^M-?AG8S#{rD4cy%Y@2C0m7KMQ!9`=dC|1fnB-b~FVO*uhDiCijtK_h2m- zz|rj;3=mUo0AZT+-2=9i_}6!Yo3XwS0wSKBXTPH39sT-hplQmDczXu4CrnYzhPFq5 z>Pm=GYKRAY-VqNf7*(rmhxpYZZa=_D#YeOgN0QyspW{!R%wIQ#fWfJwLHO}u3#!SQ z@QMqBdMwCU8ID@I{qSi`HN$_rf80*2gOZh_yWP@glmk4!Ccwb$mL)ScUFiz7=Ne_M zc(k*aw~sLo%2-99z1u;@8HdvElD%B#L^~)V!Dlj@79QqwDtG`%&_8Ac?qG&tuOP6d z{`uRRFG&RqFrNa+%Bf!+p7P08)v6Sb(k5o!eP7He-a3HAhy^z0Y@6}>p5kJJ9tzX@ zbH?F-@CVg)C3Q$|qoqOiJceaT&fkIo0v$IF$%6p{XIaY!49|Xx&@Nv z!#{4X02ed7Z@c(q{F-x@*NK+My8=9NYsVi!S?W}tuR-)Bh*)Q9VWoJ>R-m1Ai4>CkE$Q9?kc;ae~4HI@ob%q=vB{qoiD%|yb)*^nO8RIhk zh_vhi^~=_bN&DS2-4bNF?8)0~o(cCV6nUnQg2QfQd-j7_ zZ8py08_AOTPg)YT0oz=v+x&dH((4}gh~YJ`%_-lcjXQ;IouxdU>%GewjZM&? z^v#F;t)D&yj)_j?d5deOd4wI-B$LHT;NVC89-7-z)_hHeG`2&5)PsXEoNC73?$JW_ z*FiY^OB2}cZl@+k`{YIAyk&*I{W{KE2&fgX%}WP+l-*dPnnmymHIe130GeL zSa~v?b`f|^$q<#|bq4YP^QPyiCQS_eud}?C41YLfiNA-3*H>eazXZeIr7|iF^sK4j zz}E{Fz!X)!^t~tNJX2uwxBaDShIsR^m1f*tl%Gl*1iyh<@W^9M^(E)0CI_y2cdX%_ zIP=HfZCx_%-etKoWE7SBdGfWt{DgnX;BHC%TO!+FK14i%;OIYj6CFXNlT8VAB`!CsA+&(P@)H`khcuNLbwT6j~w0`$xm{r4h z2WSehRJv_qR9Jr6621wzZz38n5g(0*&C6-@1q8{&zGKozP%! zIvb4umi3T$qM63F3HepftSnefrIj$aN~JJP#Dz7qWWRCB#YZYI3O~)A9{Sh!rl90i%+g8sUZy zxho~?o!g~6;gGm;T;FkJ^!CY{>b{iiN5x03{x?y*&C3nDQPCELzmm2u!H)2b<)lF} zpKZh`yG0wC|AxTkhbC2ek36yk+9HWI32mn>LxeR+e)Ey9+?|oG{%{~0zLBPs>~;I; zU^g#%$_<*^XxBXwYyxVR0=025P`8v~de2W=OrBMi@5j~3&4`v6^v$>TA8Te?!VQbh zG3%o@O5y93{Cg=e1c@>8>$wcr-7C(KU|$HLbXg5G<>XH!5hpSQ`@#Tm0d5owY9If7+F${-=XQDcT3x&~_@mK$0a@w%{+)mgvVcUY$7 zas0#3-gthhvlrKJU6|K3_H9)>;mZ4bvZ}J?0W|PE&-P53ME^up>VFMx3xTTqpoZ)*G# z^mz9tGp@c@ADeS;0caDw zaQH!+>qy3LYcRCxyC;^$pj;1(Loi=>{5N zLv;Y8+rQB4sfP&X#Ue`(gr+u`{4?|f>Q%PdvM~E7@xwN-ewByqm%5@ylkVQhQihkr z5%-jw)Lk5oz|R+4J>}0FPXNVSz_pdJHH-hjNJa3?cjy!8xhdqYz85vk%z2JCcrnZL zI&N`n2PB@-NgR&)KAa;;3-%s}S5;_GL|6E|l0TrWSZE-tZSLNCj!oGrgXF@Lbi&zO z4;EbVBc!c+7bJB@!^3jlTlj&dc_&u8BXwJmr}}p`$GRz3IhdH-dQE?+PEY)oND_?I z;Zss~nQ0OS>baG2p%oLx+dFQOcRKvDtHPZ!I<%}>sYC)VPj z0(sPDY>Rv>9S%)qJZnsx}v8`+^P38E3Ogf#VB!Uk%h`H_f_#$44 zEt7-)=mJjzrlI|>_D3p+c~9PX`*`Ur;~G^IlP%*}(Dn7bs`j3xmfw>Tz1qE>4~XK{ zmLD6ezu=&9<+2;blsyU+LAa4Rtc;K6+Cma~n$pxxn-3oCrqS(({Ae~zaVWiH%B{>d zdn*#Tl@>6u&RSITuii-13L7?YD#VGsCwfMD*Eu-s6hBwIR+rVaq+fpHdHGz({DiKZ z&v9g%0KMIqx+NkOpu6|8$QL;KoNk<{Xm@F8VU=LI5nLn?KC z@Y3Sx;OWr}?RoML*Bh8?Lrs6$!(aWe7uen3jC537cK!Unm-!i^R0uWD;bAw}m*5uZw zvV3KxP5um}2;zEiEDL3A$4%a)xc`tOBtaAj)DC0Gt?G(HnAFCwq0cnmdq3#|b%W_M zzZQmRbss4rt+xD<9+vLO^@9==`9jOV#+>z>BkvE2+$@yy1xW98XFgw8B&Rb*PE6-i zK(jVacV{QT6t;CiTC4K{2aXj+Heg2CJuaFyl zM8hCSCY$(#tVQAD4<@UE*=*#V*Oh6vU1pWVn=#IBVxCdcm!e>ekS#|*OdxZkxPOoS zDhCzA%1>!%3XCrek2&%2J_N{Z@Jl}1e;t6E+z?he({tWXCLT#~Wb@r%Nz6@;40lPV z1w(e~@84lY$K(}>M-CNSjCPQP|Ku7=y(#0G5EF7ap&5p`AX($S6t@%cAb;XRUE4SF zVra#|*h?zVtU(yltD;(c084KPc${*O#bshfc>m)j-BLy9?jVFB-gVC~yCs}qsp)v0 zEb1NcV|)eRka${)6SL5mJ&l6Kf(Kh%*A0Z3%8iX}T{I~OmcrGxo>dWyfP$i})x2*Q zVh;`69lrf+?cVKwpw^tGb;zG9jfRUw7KH3`4xS&=TLg-iELR+Hc`kV)=@;4R2Ya~! z70KaSR(f^iI&m}71s%fu;J{V1uyu9QDeaY;>qH`Q%cDuO()ZC5Nyx)v=6!l-0M3fl z5Uc$MtQvact-PD@z>O`le|)rhu+$!=$Z>Sm1IV0X?lCL-jk&wUBX0AZti0kyUYrp> z7Fiu*#r%#^$qj|b$T**TMM)v<0M4;2B~trPUB^Pr)K#vI1T8n(K+vS{RQiQQ{k7ec z9zBV$Z8j;du@a3KOtW2rn6Qa{Qm zdV=e*mJMU~2xb6uQ=hCmXYd+d$vv(;Ki0uE4A&GxE8RBlhIiKJxDfjeGx>JvRE;Kh zvM^z}k<<%(CG;N27nARLTPswUD_b4vRf;vL3Ge*K<4m@BdP|E4pWG2Z6Lfr( zrAYG&bP@l&iJP%SSLIajt+Vt-&I|yM%GMh5;XbG`d4N9zOIZ2r%3Ga1{@g!IFF(_? zph~zNUNFGpEe!qR>v2*1C+o;aKA)eT@_@Soj_hg%jk^`mShH^WXkHNKZ^rdbxO7E& zm3=H#+D%^Jzr)NHH+=UdP;O~>K#VCcKvv9S^pC4&x}}B7F%177w8RhaM7lujESevf zOlXNd9)->Jajy+mHq)zpAJWK4ft3MY^+zryN<-qcyJTUm{Y-Qb;C=U?WSsfXfbCBW zgTmwgSdM=`eEs9~LZpasdoOalOm$qo{5W-wI4TQaG*e?4!LEpqo0eDr8%>Gwam547 zY*_9OZw@MeAQv00w3;vUYSIK=_IKs&ExF212F5M2WGlcpG#+xjA$@FUXkcTd^5dd>gP#vp^t@>4R4;QEU@3gFnr6E`S?TVSV0it zH!IqUAK~Wt;UC^^tNvY&$9O}0Q_vxUYHr&Whk9MFh?>9a7w|$2F9sMNk%H_?ZR)L< zF#1=NG$tjDe?SUY-T;q(Jqz{FMmxm3jY4nKu}8dod7^wjcaitxy5-XjS)_Sp!S?Iv z*E2)wfB%3N|0@vssPHd0Q3F3KNudLwu;-L1A;-w&oh7aoqXuv$s~B>X%oH-XzQz;UOz6Xkltlru7EA0?$-In$^* zqZ(QLNa{zTYe+#DG^{YXGrdRf}TFlY5qlYCi0dvlM?4wIeD61hEl_m|M?a8 zU%Z>4_{CN>B!SY%Tmx+~^Si-ET03-FhZ$pxsOzbQF5Hb_7sjSmPP{7rpC9w@C&H9^ z(Yc+{Wg_%je?BEHps7!x zpx~V$5PgmTBKhuNmmswl0NoO!=CC*g@CG$^(aZ{~GdG9Re9u8YxgP~N#n-x)zW=EH zEeIn9+8<)sMEeQ?b7Oq~XjG1ynIVcYSp=o z?xtypRqt@U89!0Zx9eRqjj}YXRyPg8Q_`{W3K7#luMt2yxzIU*%+2zvI!XPY#LHfJ zJq^C}ocYh@`&e#MFFu1Add1zSo-}Yb@!t6g(#%*CgeAwMCxY1s4Ce>NX5QQuPaDO@ z0tm{}oZC=oDy|}+Wa&c;*3|%Ci9As1XTssh@yHv9YOw90DoT@qXFb727|R{VnxZr! z?7{j9qHj$zGbICSAR~YfRbT;1h<~k@Jy|K9z4Mp`ps0rz8vy7ja30c*JXro~o@xmi zd+%zrmGHC4(0~bF)imJN^%Kamg?_&Sc+fgLz{ugQb0gqD^#N_E$oGyYPzN~G`_j*U zxc~}D!!~fn<6~i&FdH+p5(2r1a0=#m%ppMqjgNV1uDjJ zj;PaSr0R7IF4~mGr(d5t>Cq760s{%a=H8$MKI%6ULy}#fVXND3xlc}a za8J$rMmnBE$ofMVPW%N5-B>HLcnJvexh3FOow>o6rU-Q*F$4EQQ8OBL!PJXdRE7kk zCdYL@HQ(cNbdY!mNr0N`2Hrwe8wUp{Wfa(Q|JR2bQFh=ItQ!8O?k-xQ|+lTeQ%{FqAov&#AY!H zE*#^z)~uw-^AK@j7W`=aKSzyv$7D}(6z$DQzkd$77-gFXkS0RVeA!)6tj)6=Pp&Db z%Dqutx3P3>Pv<8eg&N!JE=|T4%#w(h6Titj{4MoxLRCF=z9=9_wo9VQHrlMVtol#x zEOdjl*H~UytY7*BBn-XoQ$C8qIlIK0tnrKC^c~L<)1!^}0*y9+)+G=E<-U|FKgl)G zIe&{jgK-B157a(^6EIbXiaej$dtLxF>MFdto_a3-;tp?d`(1yK63()o(=V) zIn1wMC+f`ys8Rp6DME(ox9S%8aX#rz2a~-3HWR{Z3w*!Q8Gjg3*_Osb_aReEd>|n) zXU7bEKHp^nyI%Q2%&?v$LDFhRK3!2Ox!fho!q@_;eDK+aBv8C0fhCzXqq(QA+`hc zSF2ZZAQ1$-KG#05t3-E8qZ*GydI$7!4ea* ziZ4_II3i~BX0f{=HoIQ@lN@f(Un}-=7Kp{Ik*IQ+G$Ptq1Wm2^T#c8V@~-1{t` zs&8c!z5_z*1In~c_2=KZ5)i+;*H~QM?|{yj?4QwxWZ*tP|B7-@f^UP}J+2xhUxqqD zWjw;eKbx{aBNBl%F^}?`?Wh9k%orwb{_q-_JfRkd$5CP#TOY zou)Uwx|nPnFb{JD44l3Y6NvB&P3vy@ew0SyzPFecdW#H3CswtH4SoB^m?Pi z7e5|~oMgjFSV*YcptRZ_x?@oN=cOvFN`h-Y zbN?$)1rd9$wh6GHG6HgCLI3m^uYzlwml>eSIX)I>9Vzug%f1HiqqCm419^*Bg%Ssk z$M>Ai{#XD{r$9Og6f*V$vy2w(!ZM2}t_4^WiaCbKzf;jYFnvdPTW2+Aets~89w4qU z1#+B+{Gqh(9&Z3wtDPS8YF_^e1Wpr5gY55-`XE&4+H5{?q^&2s>#x>1D^nKu6dRGrrkqyP+@ zz}dReih;k6k4{Br{K?4=PAlvUYMO{t_D24^#{S30pmyzd9t%5GUmhk%DIdwC`N2P- zT2;;slKgB;G{f(nW64I5c@7^AHqu4LEf`IBU{Sf}Dv5*b+hdtZd~Ymnj>RbMj9UoW z&*gl0)2Po!9vGS-vROxIs5V!THqo=J)tR;WUWczIap*K}LPKt&>hUqnSI?0R7xb|S z5&ce<6q=z;%xuWEElwp&th{()yQ%$a1Z>7MZ6`{{(gcO#Lzy6Yjw&2N*Ng95-kddB zMd{gVm3Gkt#t5y&&@ziV9UHIbJh#_!yG4mOqxjZF!&1ZwVE|10{0L-66Ln?1y;V!7 z+_jnG*3K3>gU?7`O{^Z5vnJd!+su1UvuXHm*ZBL?KYBjH~i z95rC+Z}n8NpnO2p+6~4(3akWIR;Pj8Awx0N1`#8{IQFYrOvsPr_(s^AR1yv#R-rnT z{^lW+{I_7ZM#xMSgu#Dz!3qe+8v&4nNunS>*Z6msI7^T+z}o&Au>vym zge_`?1S00Gj}Ea$(P`7Esgoo}LGDcD>@C1nT1k$X&j4-kmgycC?n^Yu;@-7mruRi`h9 zZlqFo;jM=C9$dG8vlrcW9g2J8AR@EhY*ImhyL8t&86d}S)=MJh?Qk-_a^1b+y=Q)9 z?~Q5&UCrNK>mM2ed+?qQp+8=tcULY@xh0}q(A+%Sw7-4jxSLnRS=KvyRzN~LBZ~a> z*z#8;G360)4kID1etp$S*D~U8#+5K5E#X7*E-UtWyu*W7S`{s##eFW$+-J?Pr>`I9hP*=GLf}C?FZXe##k_g?Je>V%h$+ zt;-sxs?X?ygO>?VKTFw1L!pP=)GnWd97Ju|eMk3$Y~DP@_Kx|CH{8V6mfUf}@tV7R zhNK&RdD8#B-hX9Mv~ZuY>?#IsMeT$mGRBgjlbK#Yp?cZk^mI!_VNTSR0TskO5Nq~r z%CC4Z2hzhk4X%WdciD5e9+Pv1dB_6dXMqsx0HD@rAUSC z;?P6!wcJV;F)f2PjMRas7PW581KGfGyV`+N`>jK`uvlU+>iuB0E^;z$`t&CRtvI)H zc(z;hAIVe@R@12#^HP;h?6;QE#!ZyrBplML#{@jE$uEsnr!`AsA1?;hYna|3z=#5m ztWCU%$qY7aSutQo%V!lrHTs##b&1*~B*?4Js#n|Bzu1mL`uUEo^<*#PlFg_A5{MG! zmT;4{UnCT^`o|~ix?qKbVGMCzAw-5`y9{^CaUdbYER{0nuhU^Vr zU)Ht&Cy}tRMJI+tqMpvT(v*fC_t2m!-z7;9hvNi87^nI`kK$)8u9xki_1|y0wqo^RPCAV%}Qzn!!R0gsmM)dcC zzLfScj^G^=pX`Sx0?;Sr5fFU(70c;`OPoR?(%yCh*m1I5Ee$`vKG1h-dJ*54fOtqE zlLS&CJ`0YrT^lV4lYeGKU4&eztj07B>ih(HJCvd??BD?xC#g=Mhc5}>B*>-IMX;;_ z0L5itY0rH7^}!9YQ#{iZ=itEil4@oA-e(XPN zu|twcT2nyl^d~LEel}+rp&LRb+GLU<>GM$5#scW3nuzkZtdsN~dlz5Jm(GZ-O_U8& z!CS!bFM79{5Te$67qZgwD+1#;BKcDb)*8sYFx+(?BT~M4Zvm}jnv~6!c$U@{^0jHg zM`Fl@55rVv1iUYN&nl}p2^MNQg2>nV$d<4Zy)+F^+z^!3clRo$7WRH-zu$OuY4B^m7SR_xk{xhxkS5ySMqVXTrdnP4O|2ahO_hho%6$it6IGyx&fV{ri3iS2D4JcMw(nD>EZMcPMM_E#K zc{gL%mrj87EWXN~#!AJLOv}RML`_y`Hhj9ovK`KF9qfUgnc^BTM&fgJ8I$Mxo$`lg z?%=x14!R@U)(pON$q^W+k#pc{rEk(pUdD3X}oiIJSifC0*Ew3+XgY(}B@IaC3Wf7P#KA1l7{~ z#GRoFB=$Lwa3;OOSpM7Xa<@AE!&^pVQ-{iodEdETv*&0tG1TG3Wi`rQU=-mf%-{cr zQaFOqa0xk*W){xI{a%FwWB`u*Fh~$2IoHxu&(n{hkBbFWIoryF7J^mO z@ZSvrrb=!p%ffJ;M$rnXIpOZeBQBRu+Qs%gCT}SqBATFWL_i9NpMoiNfI^r)yTbB* zn}C=54c0twZ-;rsc+srihdtM033^G_5OAj<{i@~85hMUE#Gkj@`mvJ5YbqyD0|`qo zm08|Eh~Eg7$`TnOqk|3`-c=6>Z>O&me->OB%Z+%E=$CE@?|5dXX}*;fV?V3c0g-z0 z4biplf!kGP6SAQnH-5^+k@C!Bgf1Xc14}H|%eP*Z|H&9Ffu!f)-A3S?^-EhE6l{Gw zu;5NflMjB*zuw`rJmP8?$~2t!J+4eymdK5tpx;Q+KX_Y^O8ud4-me0eipwcJ+sVe|K&Zbupf|ZtA1F_l=)qgHM?lp$ z7gC0zQvv2Rllj+&hUM32Y9ggF02t~T;$@lm&5=Rw5P$ZgfPtPcW-d~+0?VsFNzE89v@&=Hv_lJ~hc5g{=*mzI-y{OTXX z7;~b{cikF>IJRv#&x8Njij1SRA(gmbf;Hqj)C0?^zIB(+p(7R>6tPHlv#XcK8HFc1 zckN{AzEBT;jOMHG`rdHumLH_n&M5zVlMW(y5W6q-?QjS6aWwJXECR;LEF%ucYRY)Z!Ln`haRVq@_r+oyQnyi5%LEdrXiHZ0 zw}{(M!XFR3HkopKkVjWcTfPgzc2V z4L>iEa!WG^7uN(Gc(+NCYUq>S#Vs}?R))*x@Kq@37DrV9Uy983g9Gw>cs)2Bx}A6@ zh-PBw*B3GW?dHkAKKnBtje_w*HuJ9KvL=MmQF#s8>B%}VgMo` z9n#$)DcvcdbO=b7v~-trhx>V*-~85Ed#z*r*vGN|>6AGb?-)V9dnl$K&)a_qQ%!QG86`xhF}#Yp5_$W=#HRF#khT@bh2)sf z032cVNkT%UQ+8JcxpU|-bmSP9M%e3bU4mc5a4p)TDIJs-PRLUpHp3kePra`_X=x62 z7aDF_n69?C^(K}#m)uHfSB6KZ0c%O+zL(q>BtYoY8z@axUNa_Z-U5v4Zyn9OK7;93aLeL}0Nm!6CzuywY_Bm9u*D zwbvFw?!iuI7IO{~4eC@D%pSS=@`&n6dRSB5A;@H6va>Z|$N60(Kf)AflTlU3fER!` zZRntjp!AZ+>ASIAP<>6jHG0H}mR+fhPx$>PDB{Obk|JAP_4zYa9_WCUk24wvnTl4m zJ$}fo*~`A~Cnnf%+1pWzWvBs;p}2QdRc@f|Zi$Jk8;`s`vvLSZ7(9^AK2ZETjY1Q`;%PlF%sSE!C##YstVN_6RgA~pymD!P^kmw1sA2=fin ze<5<}Od&)}FLoVY9#*l91fT7?dR+cbgMhBd*SSgCN}i6^C#CnC_w|~DYG(!Gm?58r zWokTiSsh8o4T1xQHCBip7PBI#Wg8iWovVPVN8^3;4aihPO=H2qO@uF)#C4Cu|BvfgmVdBb5o^hLj(QH>Ar_q?)SvJqfqj*)VI>2oTgRmr< zb?yDnxO)8zd)Ls?&UfE*xS}XXj6o*yUC&h*mp`z#q;EdNX0)YPaenkiExIe{z!dH3BL5iEfBfvX(BQPJ?F7ZZwbW%UE!*3=sBh*-`g^ zh(^A6u&XHuZeI3CWwIguJfZ3Fb@L5%p6-zEwNs>|=C6YN4+(uygUNpi`IX)kClEtq zk~J!o+?=BZgOv|9FP0rEx1-?G`9sP!A=n*#-OYKip1k(F&kY*k- z2KoXTbH_{x5j{gOGQIubot7VILW7CfTp}N%idR)A9c7Tg1dwqc`*Q<*-%Omy zO(-n-A~PZ#A|aXUku@j@^Je7Ysl7V>hE9CaxO3PAwr~|RJ-P@6zVyzn2Vz{Wz*T-J zIuxerR?AH^VBzvrQmKAgb(f%2No zVU4|;G~$wZ_1kxMTr5v#ZIk}jmsQ1=rjbRFN@hAy{$-84A+>76nLC$1%`^p>C%bve zvX81gj7G2L$PG&k_-#nmOE^Ntgn2m$N>XgA^^>rOQj%rrBaD*bma=5@bl`MVcef+)HGW){^F_N_={H(|RSb}-ratSQbh7qfw(Q{!sP3aKa(%jap?fg%ak zZ_YpqB>xJdT}JDc@yVy4$W$PurkaQO^zb4F5TI0`AAzr$BCpM?J**HyRbCI!e#FhF zX{5TlP-t9Nw(WSr+Q$bZOPEEr8BRx9E9p1aSLm+$m(02`x zyB77^a-b{F`^aMhgAd&LPUqtdd$2uKVHoR=JEz3E4DXhvHwDB2rwjKDNq}YK0r{U# z|ETIANuAW@r0_+YI0H&>m7g9UZ?Q~k9pN$Si{~V!MfwJNXn5)dhT+FN1V2VBgFcx@ ztat&+YM@^{KXg zyA-Rls|@LyKwyhs2E9w|}x)?Ke74Mk(cH7WS)r%(+Z z&}p`QsgngDLmyOh;6r56xF}-f%(Xs$WYp`J#oG;@PdyqFAg-sO)LM#wCmGwXo9`jT zN{;0}QlUwsY6PI%WRRt&$Byp;$<#|f=dWP=b;1LQW)KH6Ccev@GS@rA^2Yh@{G||r zn9$>bpp5r@^v;Q=EvQ1pfl>@GY%mN7biVl8JuaDT^9IHk|QOtNhnMCrjgCZh3 z{3F|3Px80qz%h{s_kD)PYL0RoYsQ10gsWi-C`mMu6pOQfO5zM;QB;Dl+ zLv@lZ)t3gb=;XBM;Vm#qkAL3TfH`Rb=D>a(E=M(y`AR`?^06sXih=VSYhO^hlH2{t zs-H0!X~lA59hB0z-cuITTlcuL+&eI4A)y1inCg~)qQ3(C;w!+liO3_TM(JUvGROzf zeA!^*wVH{s%|N&MT~UPebaRbCa9HxWD5pmS)&bJxh9uL2wfQu*YLV25cwj}0gT^l0fZv{E-7oJu9!*6Hn3u3>TChFvTHlsnn13ro zyW9hikiE9!mYTXz={(Y)GO^Gfv(!0hxpn*6m{_u7vc2{9#MW%1=yk$1F`wyzvZOa7 zU*OS^$rvCizQmyy>eEXaYl+p#lvy~+Z8SeX6m6cLufRS(pD5U$Gduas*sAheQIHkn z6fE;}0zlxw_r>TDzVnocnz^(K80;Jbnw~VAF1Z{)mXG=bw7%^qpLw?r!3@;^^$kD@ z3ZIm2(dediOFU#PTa?2zbIMH`mi zZP_L$z4iF?#Z_J#Prj;7P6-uBVVK=CNc}3tcdB|*;Z8*#*6qBX#->%wW#XCw4m$;` zZ!SP!>bcPB{fBdiXEi_MPZ$JNa#sEAnUS9T3iFSMzflseE8fHNce9oSqm-Mq;oM-p z{std5-7V?8Q1{NQ+OrRzjk-$;Wb(r0jNGTV$ba`RQU$qd@f#D@{k+CYr=$gsGvo0e zoj6yam!GHE!UxfRA3df&CdXS{OP6F`7uFL5Bf+Qj8n!n=T5IbOwQ3_>=C4UEHTzxo zqwE^C^Eb9~q7>ua9Dp9IYjxF=yBp9`eY+)P8~z0VYKRQMWOq?bE|Iq$#79jj;vz7JsCZU>T#v?ggEd${{buc|-yH?*Y69lw$li8d!r>?y{m zE#6&|AF+FoUk2~nne+sZYklooJ8E~5F_F-8l|AXoL2dRwRr&5cP>ZU~D=e}3qX~88 zZ@$jWignS#9msDo#ge;;rfLl%cVVgej%8WpW({*CEf6>QhjbeI5fhWXaX+Y<=A}3N zjvtjHAp-}iCIYGJJELJ9;F?Xl*!E_Dze?b~7@*vqb zE@)|}y?X7l<^o>E%wHfTPY{ee)l7$dfU27DJ> zou3qWLf3U^I5+MwNhl7fS-G60Azw4v>-O&BS-B5KyV`bm`M9`fnzP~M-x>0jaXvLc zG3)8*FNfjuZp`-X8E6RG^+?z;j%n-myuMXIkw${(AuH-ifJIu9(|;McLU&nb!lzVP zVe+Ro_#R70zenBy1JqoJ{UIZuIg!s?R@V|>0+F62mO(~2?jlDw~BKZ3CQUh|kIu`nmA3V*+XjK5YZ}y}ej3kU-LKUlSSO0p2j7Z)OYaZCV zivxnL$EJ;1ZkZocZBl$CMDGwOW5ln_5n<7GIA0A2*UwzNKz8TnlvX(NBZ0-JB*d~ODs zD}wv8=ILvyez{Xtvs%xkU{`Lq?%?F0&djyPpe!FQmGR3ge|1&h(g)#>54OY z@1|ufln?2#yDg1~pGA;C|1oIi*=&7%ffLm9p3THdaU3_Q`gCPZ${t^I)vOoJ%VXmQ z_aD$AI}G@DuYI!>J&Y#NJwA&}=BmRGydog{bD6GCvM{X)%|~HXPrncP<#6+a-thG& zH~s-#zrp_nD_kg>x$h^|+(dqlb875`+rQe=)BVb?z7eDK_ev)&IxsKgyKy{6trElwb7t>Rg4~DPASN_~aYA z=~*5=zw^?aIvtv!LI028o4b(<7G6NQm5pN7UG6DfiTh^j)Iw_gX}n)C)L}%U`yA;9Q(l4mO=ft#a*+JYjOaYX$pv9dzSo}yc!TzcrDL?qR#sL`{xOr2`By%eE>q>FFX{H zqxb}La@o#l-ndO}g({#RVR>*C_itVS*_dtR5fd_Oe?aV^9PUShlvJMj&ogCS1?Bq@%a&_$JYc`@@es`na-n zCmm!2x`J>g^&AG*IHfMzz_4%LMy_`3BSY8j?TKKpk-BB&S zfALP@%^!c2^C<9CiPXFdzEaxzb^1`0`&@2t_stl%H*~ZcOt%V zr=lB>)`#HX_c1XVnULSwrx7G<)@fJhm6(#>n|R4lKmg%c8~n4NvCXzkAuUZf&|+!>csIuJ)|MroiAEhBj5V!XXXtP|Xji}zHQ z7N(j)!zPnPxi0Kb8o&i0w0pQ2xJ4Y3c z&k>m2i)>q-Bt4GGhdC=BeezYg8lE(O;rNHY8lNvI95;oD1A?MsSGP7iQz$eHDwFny zP{0}HHYfeT!|w=;T#UaLd=L8X1%zg}0Kc<_c}XrbV!!f}P5{KsoZoEUsYcmFcX!s` zH{C)!--VpDnzwGeU<4zSCUtr{ko)Jz%T^Yk$-k|$75wf!4ex!`Zc*g{w=X?+8H1X@8N)?2|oe-}axTKf-nZ%?o4#HuklIve1b2BTdfc z`MU<@x4{N50&=0ka5hxMYdwHWRXZON{&Oq;Cr;=M=ECp1TRcibUWU;{*;-Gp4ub`8 z97BJYd32@Pp@7xTLeseKkaRK-)b>wVzYGgC@`3W)0OYDiiS@_r8A%JMJ8`+vJ-nl_ z@mckBNpO^FS|MN$TwWJj#d3)swViXlCHJ*d@m!JfhMJ%vgrZuos;-!0MeX#vlUS4T3i^m{x#JR{6bb1X!)6$SUq8!aV#|*Mj{+)Y zrkiY2>@fX~zt`}%n=`YK$=TNC%Q%Z0*BSwGeNonQ&ZsA&Mc?td%j-4V=uMgyh7P=D z+$<-W{Ym3Ks|4NxOa}Q00*Ix*yYm5X)11^6e|QbJe$gxk6$^0L?dWn^(TF?Wsf*rf z;oGpR{d4=iE|UYLZ)AdB+_@_nRaIK9v-1^m$3a_N`7s}aO&0u$bB6^En!c4DChbFV z22N7$YSlK$o+gEA(6WARcG6(HN@Z~U-FybpQZP3HH|bn^amdE?)GJZjTxNAJQau2j zTtP~!R6@dL?0*Gv);M>7^~L?6ClVT^CE#?lkxBzqb$5>DElyfWU>dN2 zu2ef6+N(3==IP{sOR{aY0U+grfks(tJXhK=_dkeZ3Xol%_IfXCbI>@d+GL)*oYHgn zCe8smv>)<$WMTP$IP)F^=G48@hi*^}P5ZT$(c>?`BocVoi7cvdj`T=Hw=SUIOKcx` zs5Y!~igmweY9dA-EmO$ZYIba#IFeFXE7*kOxjJO0YjyFjkTJoQY1k(P6v6GDII?31 zlD_tROmao;P(?zJpjSU&6Jj=9tI&JcAA%40%v|oHWV39Zrx9aMz}XsX;)}9i?itps z)I?{QMJ6+|+{=tUFPdeP6PGoUx0!6-fMy&uT^q*Uo#=WQpFZU6kpdBoOLXnKo;hSf zlr1sQL_u=Ty_#YhL$~|bpoDamEZtO^R@NN|fM&{!*yP|IYrwHIjT6yxIo`w{de4%m zxxn*svf|`g^nc=@Mbbw(+}Qm*kh>XIo_~Ljsp-vdGspNs!}|%&%180JO(KBWQskf_ zxz<&c)*ob1b3}dA^7Q}}UqIbnXbRTUU#Rr{w*6}L+V-brHqkJtF)5TmUd#}oe;4ac zEIT#PIO@eR;YZf~Yv?ieZ2pA%XW^jCTtj^N&ZT-!f$8wMMqf9qLE<;{tXGVi=rPe> z2yz+7Kgdl#_DgT)sconbNt1%@7`W_IugW^M>g0J5X3Z_g0#$^5#C&5jhfrs5YpA=TReFzzmozW`pM$-e+zgdac} zANY3o`<2`lMD*nt-ZBRse4hsK3RzhX(a3dSRRK^1H{}dWG{~%)iC3y{PD{7N~Va`Sv$!O#5Kld6`mfSNJjF>NqW_HSX4}&;SM# z^@u*j+W=%i1x3WicF-g`G_PdCoqhpn(}`;6M`Usw4JS3S_a6yAxxCI{TszY*Zz?+` zWifCeXc-9VqJJ`NVRNw!dbF+E_V4u_2DvycZUepH{dY4qLqb5LHAM>DPMA@^mZf5= z*%aDjxH}$uvk5wctAy)UC?vIfx^Wbvtw-u`xg)XJn#&Ujzc4JL!fc@rA<8;DWoa%b_)lgU^6d0Ef8kABepQ)vDA3+JM0 zytvLYk?ppxgKsas<2E7Q7trDY!DT0O;=BN{V#F}7u}q%N~v*mPV@p3N1&I| zo3URKA2H(?w$M{|mwk4*2DnD+0|UWwvq~RS?1Gv(z5!yj9bx!jo?Oc@D z=%09`FY2SI98tyS{IA)1xp7bamS@W3Foz^SDr^Y2HuV~wdGWU2n5vExk9V_dTIm84 z7U@t#ydaA24-S{ZrBf>Grc1x1Yx;MzktSXGtUQoNl#BIF&9%W;?ZM9P@d9+}3B9W+ z?*%|kOWA}H%alM?w9>j+tL`^JB%Vy!Wb5zl4iAphEbYqODlq zV_dxvXh_o1AXIu)#L=YUQZ<#>>m+qC*G;mq88}^XXfHLfeJmntKE!^bXPy301H!d}3!J~L&5+FG68|!} zkxH}ANlMF|;HemI?B{P7rnU4DUXnV88b*zVq2bqRXDoooai>#?*5VNl4GEZdqJ5iV zq}S&?{p?7{>o4Wl*iWDP)F6BR#9riJp&8BV-SWfLK}pt>liT2W@N*v17r;|alb`#e z-4`X6o~S8EZ?6;XJpv7=@BwL?LKMl%vD^^_4f=;t;-dB3Gtq3}3Y3!d+{~HoMb0Iw zQ7k{%hMRVZOLm4<-?8sNwYBGNpfok+qCw#ygu^eDXmtbPh}8D48E}dM!XUifu3Ogl z7{#zWs=P#Ft_7SN9jqH64Qt%eC}Nt&aqmzQ7H69OORPK(@?zNf*AcO`e6t8hsQ}uX zXs@Lqt-_$(mjh}KBa-1PlY2bC_XFxDvvB5<7YqXFQO#AaeYw<06hXhMb4uijBUJA1 z-S|8<#L#mex*Uz~JM8HRl19q(HG`E{{LmL`iGHYbr}#!h4SRfE;h>W(Bol8I#2-G?eW)ZLC))erzIpq?xArj8F; zx1fP~A6$g|Lez~bnlgl|j$z&4DjaQ?rO(VY;5Q=aa@yR5cBr~H;~51XG~gkf!>)-e zOe4~nNMmXs!^z)1Nxgv|(g#_)FUIQ1-MPNLURwciXYYL?6*7LO@(i9Z z&BTWBqFBsIPPh|&$G0tTc7ru{Wusw8pQo#vk$j_gw997GisZ$C+xv4z5OnM^lP{O`C;BEX?y0&+vCSYU>ZtDt=q|u zvbXBnGjCpn3*{0{X5Qa1s} z?wRQcrQ*QdGP-v%$;(JqLFpi{tJgcIY=QBJe5?f}ne9EeS59DD_G!lrkOfRCqUA|9 z80NGw02|g6fZxjI~OGYdc zVgXSN{n2Re<`u>|Qas$Pa;vgGJre;kn6$}mrQ`3(k4PDRpj;A+nkDHcx-zW`vx^tZ z>w$oAgI4%TW-Kb_52SvMyZ;SM#8i8McFM--xKe$X#JpV19e`$cdw`sIyIW~QoHU4y zqB{YPbxcY)lzoojkBYzWDSeHPuMmC#W{zR@;gTOZjfvH-)hmcF0AyZ-LhN5aj6vY# zhSv?}F(&P3Tmh;Wu1NTu)10DC*5gObNf!0|_k|LkSpm=4@jgJfTFaA5S$q$T|I%us zQN~7vil66RZetDcu0f5kn|ANpxrrwiD;aekc z3rQT9+!cL4FqUw&iDw0(3NNPrA?;on(=NHSEVZ@K2Ib^G=d<&7^e`r8AzBDY?CAb* zFd5@o7i%ZHi!<<`shZp*dAdq$V#C38`Z8Bjq8@7%UDtN8g?&;;xfN1ZIFJ=p<@u9_ z)k6A;|MqdJ<_Ld#&ZYU6hjb?TPaMI%m`nO>bn>gXMOC)G zPLS;aR839hyfAM;*qzATWZV{ojlJ(PE(-Ej7lE12zRPB+@J*=xgQgx+Y-2}V6ujp5 z9kgTm53dfBa7SE)L2x?M(?jGCeg(R*nYRAl!`jN#l+yzqW0!OwhMa=YY5cSf>(*o^ z&~;T!{Iv_bp)8;w@-;J7m~4Bu_U+6=!?zs>+mg!w88r-xzXPGcK%q(w!82@k+g*f$ zv2Ti^LnX=tQB7{4`HzHa7-0-;-G&14X}qJZaG2ZztJE!Eyq}8xV+0SB_~r91=El1& zeMLSaB@0kM$9Y3a-ac8PG}jaM8!A-mFmn^1@zrd=*in26@(|WGkR33 zrpU<20_DNHe?YBQ$2-7azQXn0V)qd_(+6&yPj0= zsp|U?)zM-=EJ5Sg6|w@2l)VqT|Cl-SM3@y2fuG6L+zI^tO6iJ;c-nRWlISQ4f20JEb{(Xd|w5@Oe)M--==mVw$y@f8a3R}AJ{m50w@XkyU&kck(n5uOs^M(JqAO# z=Z_tWzWUpSB#p44CKOl~+7@{XaOKbMT;>QJUw+2C-*cr-_;~jQ_IiSBv^9S892~0# zc0Z^t3$aMFzUHH^eQn#CDAA<(=KbgXllw2}kq5*cK0PGE6zOo>^qc84a;{(=zHG!g zoHdufvxcB*wNhzYQ_)8H*uy1jRBHR58Wc+J zV8ve`@URYPg(d?FmpAgdlxTg^Z{o=LyqVs>^0kdVsjf9!HlN0yofeLbL8)x7L%^5&}+?&plJ>kP;X|dE8v)Q}s zq;9k`#J46@1^67T?*qQZ-HD)!)6xAuhYk{8BTYB>r^hluy6C^iVdxLy8Xn}^dD!K# zHmwuR3`V3Z>DS?Yx!o@`M#8?k%-?$|FW$Y^PWDa_|3e|-=Rm?=v4^9(34RA5C`_j% zjksuBlHLDX8;*W$TAp=+P;{S|8;lQ#t5wO|v{xjusHFbX<=n&ovdvpI@)g>@?N@eY zhL*cj=APmGI0Ogqtt_MGgv&f8IjChWLrSvkMJdx;!Q(jlJ_;sa+2y3C{mL0QT<+v3 zC|8yo=_o2MNArkBoU&i-rY0O8iCGH(p1@SJSy>O)9y`+Uu4B^XHLQJpKYi*B)=mmY zXZ>TvE2=!+HGfu%LprB<&8e5RFhloddy4F+IxdjdxZ@lN>Cp#TM~W{dIb2w)jxunzkl2$m`;mgTC3#0 z!dY2FF;%d8y#VrRR<=pbPK3u@)bxr!+Me5 zwBggz%)b9NtMv?q+H`WhvV!gEAtrF+gxvg2{_oaCSjEnKGsm2ea7-#5Renj=4Fp`) zBL{P zZ}eSUDSU+BjHhY%Q9xlU!>Z`v3MJ3+oNttpSkEn%i%$h!v-G(NQO<~vfaG%n;i#K) zG^_@|a@KnqdJ}$?2P9B&wxUxkU<mjxVcWf>gHc*QfL-=;bq<~K9{8{y6&u&5}&||hmRiKOFBhP<)8t|9cYZsPf z%@-}=Ht6%NJ>dp3!?p*2LVq3@bK8*v$CIDGMQ{Oq}{XF*5)7A3o!_|4}krUlCr5eu#Oq@Yn+5d6olNNL5}uxUt!mRQ}eV!xALm z&>>i`xTQnvLDu)fQ8P^a zWB*&0?rmkgo4)NiYTa5=B)6q~iMxgY0aw$-vvLl3f$A1#M5|^jW{*11IixMP08Jj6 zmxIMf0#GwZ`(FUXMx!PAVj;9BvG-lRJ z-+0U%06Q;Es84eRtfQZav41VCuBAMwg?pt+;cnXX(_c-XC?#$ zRT%Uoas+zO{-9V#5qrnf-`ys+H{JdLhEL)BrSHu>yHSUKO#@_1ayN~>!4)CI5b_br z1xjG4A5&0_h1MCaUxoSGQvQs2p0Gk$GyFT3>rwAwm+E5)Ne}S!cVYhMv6X7jo)joMURCkrEBy8 zH;)rjODTcDIBJ@grl@KX&FVHyzvqU#wknDHWG~r}30kzAip#*vkKUz5*JMdY5DMjD zjg~IDYr#~KROW5f$(@#fN>#Xv`46<&2wScMg_A4SJz{8L$6LLwUrrbWp>(H;8u z>W1Z$nRDyB`v>!(1%V5%1Hs{o{k^@tPkaY_4jX$5FF6P$)-Zng&W9xLVf=7t*(?0n zdJeR@1z@q^Il(ttLX`Ql1044ebtL5;D@sM(M#XPGC0Sry=nr>_NWEM?@Pwhq^^o?5 zJisJ_6K{L^aHw9UDOd^%J)@WM6>(fo4P6%)>epO;M4Stp8;UuGcyqSO+9#}O42pgG zH?PSQ>veQ6jk{AzOE<6lNu{TSA*>QilHRJzu_FU)NLu|N2TO(SbE5eBo{c4coaU z<(nIYik7IJ03^s0~ zAb7U<$CcQ~9%JzT#{pXu}k_*Sp)KF|dZ z1XxlfXOp^0PP>x|PJ7dAzsa33hyirYV@Q5iYzatIVV?4Ft0@$(h#3)W4Z-?|r^HoF zknnM12%{~+d`R&MKKKFV4^f{J8?0w5G2i{(9)qRy{LO5U8tp`$9Il}s&MDfIn43b4s7G}umw2no(oM!9w zk{*d&%ft8JkFex8q@dT0K#3A>6Zhda&&E{Dc#kag++2wc7dzs5^Xiv!25R9h^jTFS zU3!f(&Jn7jAU~X~iq0KP^UR7&pwu*MG?4rDLb;BJm~5gAb8D(1QwI>qv6^o|wlslE zn-)#Ciu}*o;6#9{*^MBlJg_|M1k&zgb$qC;^A%2BmUI1H9k<>|8)IT6{doV{T9 zLk|s%m*^Aixl$gh=EMA+;Rr~=r{MTX)`+-fThJIByO{EUm-j*%2|DVmm^sMz;%xNq zHOv9eE~L+KG)8yb>4o*5-$qCHP>3f!;>9+$?;++APxEqr@JlKq7eXF@+ z&F1q(-rV0_v9V4|oCC;+Dg-!65%P4?8ww|e16Bc+9)2NqdOuL1NBS%dFW)HEXh1PS zr2wCT@$mYE0-bubIP`u0^I*ORVsF4A2Xw7Eto<{w62fGG59KKU zhDiWAyDU$xr++j__a_dsij*)2OyweRR-?&=<$iLJIWc!vbhiq_+pXt@&-F~63^e?5 zB6nxuj2zcGf@wjMS^ml8XoB#%patpJ3w)5^mm{Hp=k%w+JP$(pN%9bUYf*fegllZn z65yXhDZ!(9#(+?sIUJ8^h|>Ds59gnE{J(uKf1kyd^6<{?ffcBCX`XBhs*UF>pfuGd zG)~Dksc*zsa{s^o*#DQ8{vZDj88-AB9UY?oKR(9@ zrWVub(`xVkkIxYw)dqw_>Y&?^6BziExY&F!MZ+rx=KIg5n)1Z=_k3dswvr&*iY0)8 z?_{|Dwq&^fXSx6HpF9Q)oCrc6G`L%=TW^bLT+w>p;0DmIo#GXN&9mmIHa`Kvb9LZ( zPXu8Bs3Ie9A33?@u{Bo~onk&JTfhI>n zeinFMlgxQ32w1zRI^V(1B|3@K?M5&FExdyDD?o-+pR2Q(0Hw%s8l{Z1mS3lv5yd77 ztax$=gq8!^)!jQ8NF&0`2yZxMIzVywH5w7GGUU0u15mVYqG4>$-jrcsTEz2(9uUc? z!zqnL>{aj_-yVa8x5T113m8xzt*S-n3;ZoNv!hi8dq1N~HMMTR&=JjB za4`>!97$4)FklpNE{=KCJb6YICr+jXZ{epC8hGy}C(n=oj}JVpenY-@KkeXsA>L4e zi^a1k1ay+pL>;Rlc>@T9Ti%cu67IbWkd7sXVi=Gm^iPm0V2MM6P80bGsfDniG(PB_ z4cX~N?oJV!r{K=jNqyVrrO66IVdzq; z9boS-1e7|O4lH4QJ79vsS6Y{RvM>Z&4nS9S8OhrqcZ zbn^-n=?z~3S{Ajvg;X6DiF3SG<0wX9!mtvtHRm8wNo(!cc;#1fyHGOajWqq-J1eKY zLq7|pxI*kGDw2sIg5C_(x`|wR_w@6cb%ALn|0}_yfKWs2!sKgvjmE}*7Y`Q~O6xW% zsgNK;3OKvL=tufMKU&glfcki5V^RdDcT$jx;}(IBqiyN0$-=e=qV3WLRozM2xb>t2Ixj zbd6PusD8YfktMb*o7xymozl^+_`w60tOy#lgD3KSk6~8=>r=K(LD#g6)2(v2{jaOtW zt^6qJL-o4x)uC|rcTh0SwnEy`1uJB{9!Ka8NEH3h;?MAJdPu!JY6^iXG}9;?ir{w& zpE^+X+yRytYLI1n7{58--^=s2xE6W&`~eenug`$du0I)0jVIpvNb zk+%e91GTSbxI6W<0|~~36QrKCPMvR!Qc{Gck3k*%0ZHhD9^g9!y?ITjG;OYrv%<3i z9ghu>pJ!Ji1z74?STTG#;j)HQgt&v9Uox*B4=Lzs7%2{pr?}}lwO$Dof03NKEG8g2sboNcp9XE?HbMN3+t7K$si?Z+J z1ZaGXSI3w1W-i%l)_qJCpR?s{Rm>T6ztR?H+Ij5`NZ0@v49IF-0-vc_YO3P^F{!Y2 zQipMcKqN2Lw;HK>47qU+YX4uWp9a4w0+9!`1%)z3$@ccoa(w|O;A2|shc5JWMYgoT zi-V{?-iBjoJXp|l+wD2&i02;v+#Wp&dTLcG2*Ka}eqyzPz{KX=*1fhr^m`8d%gf9r zabduZsik}MTxyC+WEJ3H)oteL6da8}5Et@!-tQ^DwA1fj+WMf)8RB*={xL8=FG|Zu zssMCfOR7wIinYI(Z&L*52k*vMaV<{z@g#8*VxkYtu*43v6g(I5rrgou)?q5cg{vJI zcRQLy-5;ZQD_4ao9DL3h!gVCQqOw-1vS(?Xz`So+_k29Vd^KB6ch_a~_J%0cXn-qJ z{~|`M?0`DIR#H#m;I&hU**#1C9NqgG(yM=204LI^uqfM{@Nbh0bLPp6`?b~A#HUIn zCZ@Wp(PB?S?Alp;B(R@{K?`^S;!V2BH9xl=+(ShneCn&bNk>X3-nj72>c>-evKK&h zSi7F6D~VHC$m`5vm;ZD2c3j!!y-tBns@~XbV;WB=Oy8yC;-%Tp&CfG8xukvUhZIX; z5B8H;KMvXpZ}x3O=b+&d-Ednl7s`3hKm8IAv0JUGa&U3BX0Kyudo zX@PJN0P9G->>BEw=6WvBS7$j+GkOE=7hTXsaSvhltOkJY-O?0p8y)k{i{J<#nnI?g z2XmSYZ<;wF7PGQ}Hpv;t}S(d+k_B|&*yt)b?g_lp% zdY*_3%RWbn&nkF6_=N$J&i@s@7skFNmK#X-I@g)h-DPJQq`$ZxAope*yDAzCi+)$n z=$}RdS5%3Y)MMa6b|t_MPuc^q-$E?ea8u z@06HiO|R8tb2flg@N-pAeP;4eSoB2wy!x!U&>SBo zTz5LfXacT-zRN=^Mu|7TllW-J8{o5zhz4lUdcZCtin|4wD3(a|S0CcX0?vDdbzlt? zk~ou^Qouz7KY+txa4(BTZ8V?zKqq30qQO-Na9* zuB(2k%2DfN@Hyl+fa7HXG)l176BMZ|wi1*_hd@+9h}gSABv5z1!PBY&7FdPVV#~`= zoaf?g6iDW=pN+=ENPM^WJ%QqoU-!bKY-3JPQYw<@(}yCK^|S6A7WpruP*Pt){|gol zKBZR}bbn9%CrK_;M;7@UeRZF5w}<5{&f|w2?%5U8kkG~*|G4~)d|4d~}2<8@p;^Sv3O_Q4c6u{Wh}dY8?(EMr+NIK8+67U@3)zxqO{9EfJ+ zJn$ov5H9O#mPM}#6ilqn_hv>f>>%%pSrDUXa2!5nN@*9id9Iz@FoXJ@?aC+vX^s4q z{;*i!I!FmPpTL1q21QZ#KCKgz{EP~VQD5GS+k~=jwZLAb-wv1^a09}pXU-P=b4D+i zb0Nfq75ERD`i;&S5ctONPdvRE`v(&F#lI5hu=m58L+NwInqN!%fbWG$@JA`b`?Csf ziFSGIGf`GZUYpZKcsu=2`+?e?xt6mI(9NyT01WaBZ&Z@y2A5}6A@E}4O%d_r`Ss4v zwU@r)1}bZCSx=TG2QFw}Jcgo4JzH}O<-A8`n1_MH$e1t<^Y;m58{^-J1iXwnMr zSUpi28W#))V|jAML4%Ibu#`(+0TR#hU_&ojYB?@He-c7JMcJ+LCcf_pl>GR^HJ8-xE3F0YZ(@N}@86`_^JKmN{bUfX^e1O0o zcofOk$^C69#uhLw;90l5zGd8mdrooNXBNFpi5xr$Yw5{dH};d~XQ`g>@QI99aNZ8; z4f<5EnHJ&YgPZPgOQ!Hh3fH{>z}$;8H1)Ys;$E$Sm?R1&t+FW6Kcm?*!W|o>Z}`e+ z*&A1o3Ks330nA>P%*a!`_$=LZ)a!JF6%0eq9etUo9p$Yb?-xmS{Gp@AolnhPm6-a# z=e+Y%W|^2bmT%$MV!KNF^pkLuV(t6+$bF)`gGZk9r1?6ACHm-BuH`z5)D_k<$!;`9 z_hMszqSvMZCxM$d!Aopo%uawTo8JC}v41r*)6!!0e7LsKM0-EbIF8zbAK3t?sSjhR z8I#xz^_A+i)s?>N;oXftwvhdQXnV`3DBHGeSP=;kQB)9=lI|3w1w>i|lpeZMI%Ggv z9O>=`>24g5l%Q;j`M&2{-+I@(*89sJmlqD_ocnR?`?hbfo)AZH zp%xl&rJ~9q_Kn-8iUkdSI{yo-3?E`FfuIb1shEa;uf}gktuS+Qg5dz7^E2|QEjZ@gckKxP+od|9ol5@ruhP8`$~kkj^9!; zhhv_EsQnmpx=k?%c5LW;t&5^y&e(}?&v>~|o#=4SAD!ldtH(Wg2PCV9BF1Nf4m5!` z1@RH1fkA)7Jyj-~5f+Vhy%QQj;na zVJ+qz!Abcj`^4#Vl9_;U%1x*BjUznvz)*KPVLPF(jaRwOdH$d-O6$<}EK>T0X{l%7 zS#JXmkyf4khZh6Vwc3<V ztMuIou)(BsG5A^Uu!#vHSfYJ7&+GNJ9;@EgVi(On0~me8z_wW3-Nd2b`ey?&r%XM^b6UAJZ3hA@p$; zBLW7Vpm{AqmbJh;pFK!%9+k5KJ!fdC={8G&JvopwJ+Q&{1a#CI4)vCcZTsw&`ivKO zNohH92D#(lIHG5{1U&F@;GY~^nD_{tqSfWJO z|6##{fQe^+$y&%i9*U7O9TW%w->Ot`_@|KHCSE2VK&D6$Q25Ejd{+p*Lop7R!oykg z#bO^?uj5uTl?B@9@M&kXn*KBj{sEi|UyWzBW0*F7`x@)KJI%m(xBM3S1^;cYyUejT2xodmFZ6Q4tqqO=Ai%&>s z3-%571W_)XRLs^%cwHhZF>2$$dNBibivqS}NbD2|>v;06D`mS47IM>DvwpjFE-MQ& z`d30VJ#KNL`>(maZ9M_2$0(B=TY%Ou)>7mR z68n@AfZ!vgi<<7T`560`qeYj*-@E1Qchsg+MN=0L#{EchdA2m*d@P(>B)wMZp3s3Q zZlj|f8D(fUe1>SQ8MP0aNed?&b=EaywT*_HT^FNU-Ktg^)G=X1rCvuHj<$M4zU?8B zN7!2{@7}>ieVDDWj%Rq7x}10q_Vv5lkOHw#p5@uJi&DGD>=KQkzt_RrW56@S=4=#y z9%QBr>y10&JDaZ#4;x8KqBS=BwdV0!Z8s8@7wN(#q*wW;hPeq4EFY5ONVV~9Xql(R zeh~hpU`_SxA`F6{^DRI=p1)p7FiNONa@X6Xi{O|mLt%|P4~Jd$ zXR99jV%}11O(+76dg?-LaI!u0O82GnQW%K#sID;<6Uv(->||K$i5ogQP|hqW-A|cx zdIE8QSe1@L9ky}*xLk-pkb36Za!5D&BKCE9Qf6B-T0lIZ>cS|CbnNP&RbdSvxy8pMRSSm{b-z;{x3gN{a z7eFXM;(6_pXTf*#Z#)>V777nvJ)Sluasdq$GD|gVx@H#)4nGK^q_gq*dzN!!UJDXa za2dRKpqb&*Asc-?Z+hj8Pe3$W??8lN_|1V>h^HAfnckg-Jk0bwJMjj&fH@vsMzF0X z6}|dha;LV3A-Mz6`oe9dhK1n`4K1@yv3lx5I@s#HgO3Z%!_hhQJLDzsI_=ZR&UM&I1RA}wi; zU?I7(bm`fSYKR!g7)Hkfqt^O)qv5-9pL}U$Y9*2zNCSDJ**$mj`*-vY;as zK0vJ%v+M=NyC0t!&)=tm-#=)f4+6BZ@8)7KmR;DK?-JSHWENNGXKeJdj1FJ!SQ^I*Ny%=$yy|@NkejFyk~DfJ>9jSvl_;C} zL6SUFjiArYciiR8>Fs<~OwYdDrclF?n5-o9Ef~B#->v5UP8STFU?FvhmfMBc^8>>d07c4M>UJufxtgjsVqC3fksREdXeE zsQ#h-PPULc$@S!ubuRlgLTr+!>o=R|;OBdNx0+yW*T0vhp`~6vw+MdX_z4rWqf-uH zUbrtj|8zm&_@3}5Q~LAg1^OSe#5HeP0Y1&GCYnPaEAIhZ8%E?a1;F5Q9$umWFK*xk*I z*ZaIb!J|1Khq_DP(TLOAHq#|fr7d7KlvZN!U=&~II9U9ghUHZTn^txe$kTwy!{_6u1Mw#*Oi z5ij1Vlh{cKOuG{>-^m2PPqfOVoWhm+u9V4&r z%4jgwQm_Z)aGwIqf!4D9x$cvBkCE~&Kq7E-S~P^ z1&c_ZT(#L`*IY-vYr1aRUkkBv+S!cgZ!~WVg@14iVbrkN-ydvfrK27vS`%3^ zV?GN8mXpnd5a#U-;4_vEj+@GI4VFFWL#N!KGm~gDJ#UcUBfsy9AOd^gf zv?ROz^6-Q_%h`UFC^5xGs?xPgv7v??T6!IX`EQ5I1>;Wcc+PcB?tBDacs$8Uret3ll?N54E zv~v;Vsa-$vp$_S%&Fo#j)mM6|ZF6rss(%B$)wK;VU_uARd1={nw=ZAOGC!{FO z+-1U0`4QAj#i;vU2bpoljp+QtgIqo_IA|!AJ!8o0w6>=dIN(nFEy{yYt8F~VZeeJS z5Rbv&S2O$G*_(|4W!uOxONw1la2<5UM;(ZJIbVQ*55}L=>eh2|@fgtv(nt;ycL0!3 z>Tn9skfmnlt|_9u@9n>(H+2}N*5o%%)n|h%YK-B=gU32@>^cZ<3n92?;l?`cntW(S zn{kPYjbWesNNKVK-F~g(h}+pLH5y4SmzX`S%RH9s#qu4uHw$@EegOua@P-%fr+_B` z`AxH|yPUJaE}J?16tj9D0fkBS{v3V&{dLj3AGB5gej6d0sfUB;1QVQI^;^H&3W+@z z46peD#Z!&qw=)*?T3o7CSQFSNG2KP^b5mbaylfzX>V7n?A=g)wH-ji*pi)F+~id)S38 zH@?r{b@a%;KLMnm+ykjrz`@TepA~l|c84yK;RtE|x|I+kyf}yd5+$ z#=yj*_~1pTB=5qtHPb#4+XqUj%SV_!nA^jb3pnc1ZO?u0o0R694f$O1R?2N$${pSy zz_$>_)(Kp&X^t3?n^QO-2ov!e%pC*ZA?+Maqq}=Mj7Y=_M3+3?1T@`Hw7(ZEU1nK8z~W zIb#c>K}t|?5M`B{$zYoWZ7)p!>)FSK9|si+R~xu$ko@&~FpbthWI*5>jNad!hJqZKS0WL{DBwM~^{+*gR(HlcgWhXm`ZQH{Ifd-J3pVb#* z=%UBMqrGF4Xxw5z%2PBW)?z|@s-GE3xEEUzqja<_LqaL$_@?j7780)9Ahs|O$3t*(7J9vv}lspnBG_foiKhg?2*;ymR3 zn*DXE;K}vvu|u{J!ovcMqLpU$JX)e~NLv_kky`AH>jimIS233blY#Owq!a`bBN<^qPnzNYihap$7nZ>ZOd*_H%(LI^t{NAEdRyi8Db>uc*c=aa}KF z{Hu12Dc_}fhvlqJ?8xrA5G~)zPpDQiT_H>|&!pB!b{Q3&Z?Ku{o(^ODS})J4jvS_! zkqZ?}x2LDkDDXbnESRh~h;%X~j`Unln7J|Qaz8ZC<8cF9v$e!vC(ekza`w6phoA=f zIFBb#npOYKGK=e~B4hEZ5CbK;N5{o4I*O?oqVHg}Ighf&ZR}ggVDpv&)uBTTupH!JC?$^(w@! z{-d7P=2^&p8tnxyFcu$V`kMfNe_L^$4<+$t0Py*;CSO3W{mZPXz#B(4yAe?^)RTw2n~{-A^hE@kiKveI%KeQwJ2b3V zPpYEAF}19o?$u}Ga(nv}eJ2XO0{S^)yq(3u*Jh_Ff=*dR+rmg8Vi_mW&0RZ`Z~DiF0IJq@8F|(H zVtT67++`4#Xm*V4<#u0hWqxg?(s9bs+sg|}>$-eP3MWBM<1{I8uWlFtr>3(CBX);b z?)4iu9i1Tc)+(h;y2~}JP&)l{^}Wq~-AH)6R`(iN!|khVMZJBCE3keG`hGCp6?`gGN6(V#sQ?wgfWwQg3}El_Fazd2^_hTeE6lNmg~1d$(T2p ziSCgfWjy;&MFdXv?tgBf9If*FVN3=4fHdJ4&gdgwSw{-<%{7VXG{}9KE9OVilZFTi z!>D3vx=_*k<>el0Ox#0q!#|cg>zY+uAZ=53I`gCd1Q&7AFZ#%?Hx(Qde5itR85J^vlWM1V_UA1{G@vHn8QNp;Bh0|@X_{W?`^J6C^8 z{cShFA9>D(<=(44j9mAY4h}MaT4QWud%l~ zOboSR1-#E)gWVIOU~Tm9relIoBpf%o9T*+uU!txqIUSha&KTu(VYZng8c@I19ZFHp zm-$*m(v4|-pjq8;_yDkpBE4^(1>gV`CH?*#4{xIK)i9Uq%z(V=#m8Ukt+v%pATH7D zS-cK|ZvjKtO~Uf%EkK;0LcK34Tl_?2zV0-&cAM?z7P5zVjvCqp|J$p?hCS z4sSOFr-4wD4VGOG@RAdTC(MwWl>5ckIsl|LwGFo*FZ`MoTg&-gNE#amnGJEmC&%}@ z!>G#7RAiZcsy@ouzo|1)*_`owUpj3=;9Zure{i*~?%G%R^9SD;1{50S0U1gV@^)Pp z+%L7|Zy4EGXVxFdo}uq#7;d(poZ7*{_;!>E2A*(HPvnfMz^ZvYohz&y*7$m4*%Mhp zsu76bH|tM0`Pon1N=V@In;u`p%TjhXs@r&Eud>^F#5)HmC*CqWO|3rzKseF(KQc^C zwXBp{$1}5I0thc&2{X`#_3Ab}a~Rp{c-2j}<*9ybvjb2MV$V&`4#%@8+V=KV=ktS- zO+0!#NrVNj&bMTD5KU-y?65t#kj%$y z!Og85s}r-WMrpcVNqVF?ZNaB)J%-dLe)+_#_mz@~r;tBtDkc<{_wL}Q+ZL&9 zcV6154rZ-n>SV1;N`*C)BFKxTxZR?*G#6A%X6$V`!GSaP>t7`{(OhJj6G6jnEI@2Z0ru8xxy% zMW7&CP|NMc_hK_1jR5YxfpZ|a&n~}N^LqIBv0XjQt>Vp}4OMM_+R!p~TLzd2#3Br@ zNkb#E_Xq$upU)Bo7rMDAUgA*FM`Kf(ewo8Gd5hPHB+#?2AMLkVQ+}DgTc(*HQd}2G z{7&CkJgb7GRz_X-Xd~z6X4D1V!*JbIg~s<_%ON8^YEZmPncH8q`4)0xRTQ~JPibs2NS zS7Lg!Mr1DDyN_7SUvtK9$Pm>Rmn9}T zkO3p~-wt?AMD%7Ezu1=&3RdI(1}{v(>Wkj|7i?O=j&_vDUP3cG)_N8$GFxTVTC2~m{^AmIM?-u{Cf6LSV?WK zx!583S0jZmQXTz9sgR0+VjuUlT)(b`60oAUB}?`Eea0-ffF^3D^osfyNVoWHN^O3R zzS26D?dLQN1y;YU#&pe^&o2(fXg@>+2ZDCCi#8m^(|7M&%K7~Ny&N#_K6afPAwTFoEDw$iOL za*99;o7weh&!WiKVlF0>fN~U`%dEglJ*n&B2_{x<8}XCxL`%)~UAhO|xBHdGN`9Zo zV=Nl{;`tC9YkA%cKlLX?V@)j1&W()y=}cIC<-i4RIvCfA%cr}={KsG1ZkC8G=eiFR zKu0idwwDWAfHxgf7#JNI=KEFfk1n_>yFr^>4z5ZT%ufYZWuIch>@S@Hc!|wewT1Eu zB7HP1ucrS}*J#VUW>Z+N(t?Ej42+rN8cHp!zX0=X*&2vJy#8m83+bM4<62|ZAUEAt z4}c4ze1J-!p)Lopo%m3Rt=}=e`QKH>Z)%N3S~k4hv;9}GCE3S2$w36>jwi3|L;~it7Q_vCao#FNOfN=ia}R-?I*|9_WB!{{j;yDMj=`=YhW@*o(QV3mnc%bF5wv^T>~Bg7E64 zr=l7iHwmM550#S#;wv8}chnD9Rp~iKCRA0OSe76d%?*7q$Q3aF)6d*O9X#1SO0!1ns5?`N)X)#OsaF8dYGQ7)+byVi96 zcE5>^vEvkTnEuyr)L~>yrHC-ACGFKHO4qaW0I77? zaRb0z0#7@HyqH6LeyKY-vNp8uOAerO5Z3FLB=}17qx%(Zk@>$XP6a9bB&bsI!z#p zjv8)O82MGdwb`$)ODVCf*~Jb`7%%#hHWOciH`vnV^ab7t&bm8st$eT+XR?$g87k=8 zMbq@!9sq$ABmr~6M&K{~fD^tC>zE$Gx_-f<5#9oLy1>LuH1^#ymgr5HukOEj^!y2y zyF%4Y9`l%dYSTmkC^=^eFMmhK)7Vt!1D`2GYofwmc~ zYbYa!6d+fFAC_LP=l5D!#1tVZzOK?mRJAc2%3Gm4##5Gf>MRPi!xUoC+@auPBbC{Q zyw@i?Z&tsR9zB5irPqOtKq0^i6>Tef7zzQ<(K}B2yJBn$MEPAQgZ;c+;B@&2_gy}2 z{yC0u%~$k)IXeXcWb^V561|d+6Hhw`$rwHO=-hiO1{;6G6vc?TMA|kkGuXwJzAMZ} zRgJjd&uqFv!)pEn&!iRH7ZZu`C<_Q{I2h_En7zoeQ*SKOYhJ$;2f*Vkf^Gvt4s0r$ znhEt?Kd%H0=SJ{4xYRPpBs=It-+5?5*Rj^%2O+9WvW)I`cxV&sBxJ_X8>2?gQreLn z5{OD+-_V)t3wu{tV);c$mvw%v4HlrRQJ^gC@%OrHY~fgoYAl^|i!6a_P$`LynxZZA zc=yqsXbavUxgY%V@IH@{Gs9Z*%>V_2wL>`OLyrCPA!jkK-lWSutzP;ItzkHDXqo__ z22Y;(&-=1KeGJ<**mojQ><2FMxCP1*J;tMVln1yI^3wk(Og4D5lo3Tsx5SxZD%~zK zRFEo7a{r$q7wxDhYx&^+6JusXwL7))s}hRq!VlP9Fj-=P0;-R`~e`O9^7vc|U zJBG^wo6d0lFOt80+VuY9yEPSo>4x)c`Y)HXBk4kABKcwC1syPtf&O@Ig!*PtNGfyi zfhdP-f6kiF(bz?6!**Si>IK(E0#Dy&wi4M|?@f!q9Ao}HUL?OiMBr57mo$eZdF&wT z3_z_3BBK-Rm5NDK2L}`R2Up=XR(81nzE+=ga7;9f3u)kY+&Th z-s~Hd{guTcuIQf_m4^aGKL@zi@k{%~Upy$9hTBHUWJV=o#cVO=O1s+=T)h5{V9!j3 z2<`{F6^iua8`K=`V$@1-J^Ic^9iWdl(x&O*|1*A^2y&~tS1q5~_fF|1@~iahVq!45 z*wx#4wjWOWd!O%y`}AKt(#BlbTNakd0Ir#3@csw|SIEPzyQ6@f`SxH^@(|n?3Ho$h z-bstV+ob^PFSH?lhT!ETWrbkcSVZsV_ED+firtHwpVG6W~E)W zzmCJ(kX{VwF>o`S=l2qijNF1c4kz)2V?p^^f&AG2KT)4i{j+F&q@3yP-s=xonS=2 z?6|7207Vl9b!xwlJ;tXUwL_7#0ZE6Q({avM1A|{D6uB5c5cE1(giGg^m#M1Kb&IMi$U`d2UGb-DChX?4s z7>@~sQGr4vctt^=o5tFgU=M*linb*cHtU^m*-D1K__d-V_xEZ#;2VJTH3XC@48Py_ zQ1d}@q{8Z=*!A1Uwr7$!X+w@>{WPdSxd-&CIt3M|voqVMs`D!8ea=7!Q&3TZ+n-LC z_rd7#XsTT%Sm=90FF_Pwdz6)`@79AjxUXP9WGeNC`~u;Z57XC7^#JsGLhOAlLJ_3( zC@GebM6aBoTGFTAk&Ik;^zgmfSfHvxPzX8ypc^UCsq5df3Y@@lulgfHoz_6e=cf%B z6TjRIUsuO&#%z_j6G1YJ+Qp_u%jY4NE;D-di}H^jSfLS_mUB;XO{{AzFUyVNXc0Bm zQ}tihZ~1amhCZ(7mkrn1S}&h5OYZzu57z0il(@s!i`64zbI^vbZOWy9yRePA)AyKx zRAGTXFyx>uw=Xdd@jmQeT6`lXdWnek`yODbk!@>gheAWV13t+-gG<%JfyG%Dr*Can4*sl0D>Hay~dB43L5PI$gpF158H*b&}%cp)6-f0qp(A>?5-G z^IdCh6WrCyNa2`8ohfMzz z`5*l8CpXMgjc7lq7|(R3Gs8N})yQ(jw^luGB_iYK*YqB<`>pNC8an(_e#@0(^*^L;3V%9qDR=G`O4;jxhLc?nS#C4anVbCqRpb5FO0t&0I1(8Z(7= zUU2Zs_KF`KcIN;ZN&ZWCnp4cnt1&*CG~dzV*))N+1lC@)PnVwG!19*zO!KD#qZjGh zgAd%$A&fMjU!3Aoc3C_$W{)Ci1(F_87peqCP_wzi7}$79$?4*84>^9zU;aooF)7Es zH}8fgd2$w@kX%|aU2r)#AByL=T!6PiCF3u%@qRL%DByjgRhebLxJgdL%m7Ja&0W*k zS=wy3cmn9J2MJCW>Z*lQU|qX=ASl1yh#e{~GVWL!6J<;9ZBzCv8suc0S@!GN+`TyD z`+T{kYK-s-az4GNWnu)^-coSgL8)7kAU5?TpK;gi)KK-@aYnO_3XZXEc~*^0q31v? z+c5Gc{KpmGu&S7+x{y@9yYG5^LYyIE4>T9LhiO?4`ytAQud}65E+ytT1$4Cn+KlAqWFFY+KF-q=#cdPufd}B-Pfitw&6T4fV5nH=` zI(b9?3LWoJ2&@#Mp9?7WFT7GaGNVXu4zL+Gy2qBfs-Z6+PR_lOUxv)~0JPquux%B` zpOSXqOf~v>vv_Y8IHkM`eZ>8gqn#r|^BzZP4%#=q&vYi!Ih{2%*|F^H(Cruj@tv>E z%Isx{Fv|Kt&M4z6z{G^P5{x`L-?sNr1E%4jVkPb|>oOMZZ%v+Oz%Wj3Ka)X@b%#gt z7w~AeSoB9mijjlGjw;(OKk0IN+MUQ-py+nAxmFiG{kd5l26f7k+PvwT9GL|yL625=wX z)jH=q5%jzf%>{=`eHwBiq$y`fjX4nS&$C&T|G8E~rI!CXG`ahE-`RGdev7xmH|M;# zp%>E7KF_&|yEc_E7y=h3A+z3SBg`q8o3R9`>M0MFotANS*^2Vrd+Qpk04<(aZ_*R! zz5s2&mOMiv3cOV+m^h@E?xz8lL|EGmdI66zoBFL_~KvX=NE~% z_~XWYA_z#^OY_q^yF6I;U3eHhY=rH-sk4v=D1^8`g!0t)dsH#&)S`Hc z*)rWO<;0zUqHb>x?}3lK^*d+%fM8NITWkB6v;pT`CpHfcaivmpr@Z&ZfzQ>k z&u;0fh`9j)L`rGY^W#WczlfEP@%qj?ot^>)UiEplWF{v+Xu~_cNm3sc7L}5xBfq>A z2k5_;5|8$UfOW9(TTO5-k7JgkQ?dQ6uZ&j~}h87Zcf7Uc(@# zsh|c#bjsPZ8XM)!+d^)CQs#0R{1%I~svME0dOI~pu&n@}{U)9W|2iDMZ z7!haz0)StD_0K*l<=!iSht-2F?3vV_Vr#Kd}u8HVQ*|nk0@Dl<#*U<{SNa z(tieKNetie?`7%IKXDZ?>B5$fBXG#wlFf}6OS*^~JVQ&2y36jGpXr9U(y!?Z1jC53 zQHK@As(-mne~AfQ<7-Trz*=)uWZW8aQ6^EP@0(R1#f-&6(@XxsMQ>ICYM1Qo`&Pt| z#0_TpFi8DqEd7%2mS!ML+Z}J930HZ#ummnZMQ5_PE@K6~mwv`;=^zkR(y(c-<>~@e z2zI3-w~R$S4`hEvyZF7E9!M3b$RfkK*dtc=tOuj{{rHh1%(?_)e6TJR3wDe$hRJ^b z+lh5p%7EOp|6+yHhs<6n{NanjT%fI2xj;{~g!%2<{S<6lTXD7oboP|Fi?ur}I&rH4wg(9S+!U#X7eD~DsbxPcAL%ZNFE($4u^0>m*N4o1}HJNNl$G`9M& z5~&j&RofD)JFNpjnR6fDACi`AhF;InU3jo(WVlcdVzbQA1gPM)?YAUIuOB5WHu*9EX>Y4i_1 z0Ik_uVA$ZQODF-Ih$^xv8Yyvw82ywSnI*-p}W{RPD|^LlS-)1RdEq?h6^ z?n*2GT8FJk@cS^LHR^D=Xa;H58=Oz?W`u`VkC1-J2Ww%{chX~k-&odqjNvVChd(qh zC@Ocvcs|{ydXV{KnYNnlS&QtKi-TY-&E{*uBpUJ?)RqYEfB@W+E-xL+I(Ka2WZ~<| zDbH0FuTLuy^OgIH=)Ez}>pBnO2OC9~n?A2_hq9GUusr1aUQupmt*G+LdctcC37)m= zAnz{NF`NVn89vk==D)vcdg2z<0}|pIWcyVt6?Io_0IT`pYj;Bod;ew=YzVA9)`QDX zZ-VR-1C`l(7h1p?hkq~9pndmC;95Pft#~!$fJp_Ou>0#J3?OB*f1f2$fyy;J_%nHP z?<;yt586!!IhIo;$kVgd;78TqdL9wJ)4cXk`J|tB=qqr)WJWu@2T6P?7@OH8iq8#g zb|YdWC2Q7GBVnAB#DF`lO#fFs*5o;(hFJ_}iXQs-Bz0BS%&9Fbo?*CBBSag!SV>~| zR3qD)xl3k0O5G%->Y8%H+x8f|UQ1FJ@Kgu?igqAnTX&;~%Hk?Y zfkOq8-#Py9Jm^L`Ayp-?cxQ|h4@R&S(Sw7A8KK%1cDf1p8Cq@m(F-772b)vN(?)oe z&Y9vOVpuJj3Y~wTtONyKVQ*{Y)79FREs)G0$YIYS_oe0?!+xX^2x!u{pc>I zV!DiM8_DWOEpvR5{Q$qMZA1=6=pi@ba-XQc>)R?*!KJkj$IuJ3Ub-=p@nA46)Sl_G z@efhhp*MyEZpsDERITkA$`Tm9DQMaGs1B1@b4`+0yVsh@wi;2> z%FE`~nDr3TtNfad`+0{q*Fd+v`B6jUuF+JdbKB-R$jXx=Wqo9T-9f!5ErvDP|J6Ch zSeo@V`93Xi4AP|3!jA{rQTcQVKbQL;!?U(qwDdfhEbSl zNrg~iK-zU;LI6xE9w9FnxB4yr44wiJhB;2J-CRQIzr6sSaw+G7eni4tI^4Y>*g)eO zjA6DzrV^ct0DP;rLusPRALZ9m8l-Y&$ckekYsmeyx*0iXbmqm>Z~EEXdlZt9Iv|N|6-1FCo6a9SNge@=LHU6ja+2L4 z>^?quhJVKXfmeWI>fM}_y5!Ymfd2~O;*oy1XiY6yYeXs-Ua;Ycj- zjp-_0O^t7DmjM@641N$YWxE|V%TM{oxmzqaFs%!*iptJS`xRWf0X!W}6{O z7t}$g`i6um>Gh^%DK&p+)7NVw3Q`t5eEZ8Za_^wNss;&Kk^g8s;tY_6%Je2hpvEB| z1AwAJ(NdX|nr2sok%qKqH_LR(spEtFmTa0{vnk+Ozw41V(5|`HcdJzFOBw3!=za>l zN#cZ5R7u%YWM{_T`qpG3fic>GU5Sd@T{gh*IAdrukOjYV_46rG^5e+Hqv&CtXM96GTJ|bB8hmxvFe{5kZYE9q2+byBAx1Z#?wkOAlyx zejzGLA}S|3kY%s4%8S^n)x{KbQf*%?%766u?1YP)w7^&tR5sjNs1#JTce=5K@nCE` z7z@BUc+9x&*WacvMEV@OIbEl(de%MeT^wG(%YVUR0*IpN1s-E;Wuzit9Vw}oL4ja1 zWtjj?#3(x2w;GVm2)0H$qs3+G{Iz;dU_^5uwY<6PBa0MTmES)T79kA3Vjo1TMFK+8)HPF^kJ4lwVqa^jspsy#0jge4pUgi zcq&G?qj3woc&A-LD#~`9F-lY&Ws%Iuhfjo^*YBpz+Rj_5GI87gISQg6y7xYWf@}=m z*BlJt=8eyVxXYw4x_wCdbda-Myt1JU=-%hl-A9fy{rreuau zz<}f{gJMDkjD>RddmqqY78=}Myq(Bg#%V?oFXCz@x>equHBkxRuqNOZktzfxkV+02 zQ%%BUd!I8M7_xO0pgnaiAAeR`j%86``|`SSDDB@_PI!&?YFv2A8(0k75?*ekQ%mze zW064tuY&vZU@%Kl`Vix)I2p5pzKiR zNZX_!WW!Ls=;g`svY9>r9+@8Tb8zu!USP9Eu48xK5^hQA$*0nC-uvy>_=q)JWKWj4 zsmJK2vD?7G3EvqWR3Zc459O;A`8Gr^@(i*GHqRCUF%_t}@Q9rR0sFLA*)b4xb> zz*-gX(h!-wH@fwh#HRt+Gtlbm)g?~Bi71n5G1N(CpZ@I7v?Z|;{n4QxX6ZJ2szaO> zW0N?Gl=w4#VXsU1XX>a{HJzdHHz;!uWEQ&b`L;i4r41@ft8LZ$9jj}J<=YXV?%9Fj zTMxbqQQuw%0*iv~R2U?_^#&AdqT!yOfem8B!cC}LzV@6N^Nf|41*rDLBID|O?Q9ZC z*eoj0t-AlT7v%g@Z)NJ>r%Cq*Aa03)2Cs^Vm($lWsT}zvcLR*I0103kaw5k?WS7|} zJvI@$sz2!KzWQN32nyD)}||7Ufvtl~WsCu)a1cT1BpoEz^Z z&tFh(FrKuP{_k>pWF|~d9}+*RHb8)>d!YId6xi|bxt>QeEm^WQDs%2y;mIVRK0@O z`XPDWGItSml_ERyya%1W!XUnu^@V9oVHJe| z1aBk24s2J|UcZoy&DORORZl3*0SKhOj`KV=6W9DV95_YI=X&|e5MnDHA{tp6!b85` zi>wO&3)?lultJQ3lPg)Gj<1Ef3KY%(Ybm$%bs?*QJ@)ia^mQ?3AnrYUJ2rx$aJDUaE%{a}>N?+c zW{&Dz^Fs0?Me z%_70b$R0>aS}W%lWSbnjIX9cZv!HkWX}BwjkY0(zu`*7naEh zhx?b8Dr^XrvhIxZ{Pp$tL%al(%uXie}#*kjb4$5&EG!uS_2(sy)lU02xjN^^p9Ha{lnZqNMd9@WuPoY`#t=Lqo%tHoTTz)(p+5i}OJF2*)B=f(kU zp_J_50+2oDTz?apaLN)6z(;K^%#EFTOf+?>K8quFhQZZJAe>4P*mwf>IkDbPdkke-s-kRf?hYYK0K14^wlfi%*U2w2#y&ly1V zkU%l;8x~B^GCCBy?%(H?JmvNnu>O zN=n+K7pL2r9!kiwo6%yIMU#9y!d-x{R|-1_t0a8LWX;nma__yg0kBO`yMcS>i(Pk^ zGA3t$mHC%Bb;MfA<97-4SQukTU-f`%YjZi}A^+3K*!0#Y5adjdnWv~6OfGCbyU#h% zy0WkEEI=FOGCP*DWgQ~JJCpI(oVYr_hr7Kh5KnevTJrN@ANZ?>QjzSyb?S{Wc2ZB+ zL{$8%osG|%?`U_P((9n}rE9VdC!$9yCjC+_GYAP5LX6fHdLx*wMOuFrh z@$8Z&(W29Cr6L&OSIt7*&8r5+zAJ5dz;GE7-yQS7+P@Wq_l>`LZ2RC@&_EU#eBLAn zC4Y@I^C-=suzs3*JLci0rY*Ly^%Qgb?2o{b-?SMwOiBC7+E`y^2m-IGr0MIV_^cT` z|7Bykhp{v^lK=0P#=XD(UzW!14&qR>^D~#taS~@x%B7x%n-AlWAC~-Dc|!XY$SMgH zMYdj3;|-@V+@uMSp`FX1V_`w7)Qzm+$j#*KE(+eehBc65EY>_6yy*Tl;M!p}u~0KZ z$j5Ms=&fLEb~(NEba~mAVL>@IE1uHw0|D1u`d=rVa2?0DoSQnUdB$4_%NHyCV?0|z z<_ioaIE{ST0`LiOZ$N{&q+c}z(38UFSd=Np5BJLHSN85|0x8}*F!e9vVAg|wot}ro zYQz$!l8iSsPd_zH|Ksi)XoLr>eILCpo_L9;3l@k<9fVpmf8UVnPl5SoihZ;r4W*oj zJ45(27n|#OsX{KQkVfZSoO)mf${qUuZ)%LPptpJJ4bI8-cF7kMlB5v_txp%?wKwL47i zNXjpcj&opP%u+GgmsD=XO4pqZiveq#`+n%=DX`vVIp_ZO7rG;{P}#?^-|(&Uc+~AH z>v=<{8b`zM_zD)nHWpXd<(r6&oEFJ{Y@Zh&Cx=l8cXa^10_!u7DRq*PI2n9xTN4@W zQ6iWZ7VBSM2Fcg$jU*_TrEPto^`YM#_h0V6|K$t&5fA%QD?nc~w9A0mL_R;TH(uwQ z{{e8R(jbs>&T;3c`JM-}TJ85+pDAduls>illHcFvS(Z+ge_)k@#v8)Vg{c~+JBszmx=^{I{n`73veEt zP``Nm+n*Bk&*6l5uH=N6Uy(1QqUGfa%Io_&4qH#pCUxu!fZj=0DP0T#uTYna9EvS@ zIcyS*hyD55wr7T)VO{Y(P0Zc@#iA-GRN%j!7v{wK`(?ebmRdMlGp_+Uk|K}&)dI`0 zyk~r8z}8rbz%P{%tK`AIT#i}a$yENU+W!8(6Mwy?B`5xxN&kQR+<*H)|L2X6zPk=g z?%#&`R!R>WQT$(Y3pThr>{|)L8KZR#_&@Va{?AAL&qMkjzYO>b?|m&)m2>?A`HCC*}K&a&iCh@%|qVfgB$gJ*!7f3L%TLz4xNi{}*#_9Tf$;wtXui zVj!Rh(k+ODfPf4wE!_>$(jW}d2vX80-QC?FA>ADVNC-&H&@eRkU316Y``yod@8@~H z^{n-MYw?H9f`OU2;*8_`9U@hz0xv_AbKIXR=_RHmU>TeD(8dJw;K6yTftV-{OvH;` zx`7CD0!*?H9#33;`QO#jUugyAUggYU;VnzykH+kjzd4*mueFe6Z_L9(&{6yNv<+Ci^rA1TM% z?6G#DSXouUf-PW7OsbH8K*vFWcL<=cPT`;f@gQSM82EhgJ2=~%VBRC+RcERiSBxVC z4Mm%dRd%@glXgbN0KuZe$~W)TnJCbE6Dw$^euvP$_5(P=T*pa?qsa22Co1hsx(kNCq=FFiQ%=hv4}H_3(VAZmL@Ij1W%6j~G~rm_M8W21{$)Y|@*}_f!GgVm#hjz#*=D zizRSG@&5^icx@m-t3&$M@Epa;ai6*e*Zt%yfCn_{wDgPP zsq7(atC|It3Hrs1!XXpDjTdF0Bucm2H^oTV$Rk24<16^aoN9Rb_dF7EigNsP2a*k}$ zgBQ5;0TYJ~=D;`t0@`pBEw{+E?PyhXnh8UVd#ed|%|yt`9r%K<*ZCcjtd1gm{RgH{ zyOaI>O%A&o(J0Z1k>S4M;^7vMGt23wlLNa3O+1RA42#dHb|5~@2cw=(>YsaFU5E^C z3*92k1l{OD=ElQO5k7a&{2dz=FFY$A+nlbLKsh{s4z)u>D|0(wO2^wES`wrZLIQ5B zSrSN^F5Cd1T5tq1%_FB6k9z=G`gFI?bp8HoszoVtMsdF?Jq@*oEY6Its;HrHWI?^=?s}Y>jWOHJK z_C+ey1JBiFER2yn>nW;T-PN6x{v;0;ymhVxJz>NLO=tv)`_6n2?ZPw}KTU|wN%AK| zx^Zzlob*T#MfEcWUC3biHwt!}+JpaMYw=&ML%7$sR*3GUo zeI_mq4@irkz-+uz2DqPkjPw?qEMgXrpyos$sTqXW82MqM`+Y-^?}m{;;hT$MUYhU! z>`{;_vuAS*=?E>inyHjLyaI{`Rg@4oT{>kGps^tZfNmd6xPA;gcDtajdL%;K3yIDE zUP4@eS1t*nLP=2p!r~waNc%^p*0SC>TkU^vXYN*_K-0&`h z{mr*)2Z}leRk1b)kKKU&S-Hk~F5T_`kUiE^3e24O_Hv(QSQg@-O+C_qD0F4w(l)Xk zM&>@aZifCleqNCZ>|5=@S5-NYML{nTj+4VT!M6R0WE7EJsVgMy2;X$6=;ox6w#bpJ zvg(1(V=HuNJLfSi>DS=HV>2wIPNr`vf_G` z<6;_zGPGetg^+G=k)ctZ%~aEaqEL}tswKD;Ep1HQ|3mOe;U`#t6-mlwB++oNfD)SC zI`~9+F7OJ4ub18jS(_w!&k~v=9!LT*P{sloE>rH|pDe zNGGd&@)Zb!CQ^ky;(2#MU*XVSm5+w5Txi|`rrg}ouc5q2;oxL3 zYgqu{d?A_3dfNIe%f?p+VC-&!N?tXcoQdc?efWBpq7+lqTj$mOI5^;yDYyA!%SEa| zB2v@TUWxLc9L`B-g6ub^&Jq?b#8CbQ`R?aO^or^@*MlfxK|xFs+Zi3GhCreNx10+D zoAux^%GPH-t3DD&99I8)K+GcW8niImwt^MBM`%K+zfr%RYNNJh+#vmTlh4@#ENRn# z_S$5szchhHQ$nzzfoY#Vn2COUK5r^LS*XB~o=Dj#Igx+wgAz8`<~7ZCyJcx1cq z@eMaUFm>Q-8QnzZ?vPamoGjYOaXvgjYpxgt{)g$IFP8$=6;Y}O6@dKqo~iypVyHvc zFS^PRnX^Wx!{r`XE)-up>NR9MZ;?H0kpXyom)kY=DwkVL6{#4vb9+63DC)pp}7 zB1(mM_&<1s>Ngk;mdY?Y0iiQ$Y_wjlc#Yq1p-N`f6dsptcyN)v!)jJHMe!vx$dZFR zmD>1=&YAwc{wjjoG=uzyC>^-~03eQZBp27ryP&)qLRM*poqk;&QxhwWzaM^g1T@hh zKMi37^6DoGH?eOM)1>7*0OLR!0oi)8Gs*Z-MU!%4G3k6d6jHZI$25gp^CNZzUiXR~ zXRkYrAaz1fWgw?pp+=!KyqYeS`0lGi8A?UkHHJLm8|Q*Ro1ZrcGlvO#Bo|D+??GsC zW+zKF{0cu5pgFBdtJ=s;5F7GQZ{Gzne@B-mBCbvL)g?A@9rjF{>Z)J=RlRJ~)0@?= z1{<@&pBQ805d-|GctGx4dG$+~deJj7GDyy*f1xn2sYIgYJ+PVSZ1&13dBlf(6II|H z{iDEJsl$^0(0JT_QM3>L(kmIRe3+Es>`6Z)7*BAqO}PiGg6%(cPOPY7d-9E&LLWBc zbn@em`|o`4S(pU0q}Kt?e|va(X;PMUAF~{;!t%?gwl09qSLLKa^5nz;Bq2}T?yA0? z0|S!jXW)NvGl1gyZikfJBpCD@WE?Ji9?HJOjrAqyncBi_VV9WdumPSQVf!bh+YA9= z3@9s(llVc3Z_6y6r$PKGKxvSA&_%!+k$6ux)WEcjHd;MhGz4f53&3vE(E)-_rsA|8 zfPJgl=z1Jl>=lEuXTai|N)^@lH(u=zpbJuSic5(?1y@iY@u;cwA*H$njPRmv)EI_x zi^(K#7K!rV#X@$$WxNWnkrF5;x&ZFcCA%5As;ym?Q*}rnPamk?)b^Wu1;F0@Cs#$) zGYo_0CZ!f|pt&T9XxUDyno+=CCR)}C+j>DB&SMnBZ%nJSZ5--8MN9fNjG_kUYnew# z^E`aKZ=qp7XC6RzgA)Bgv_+b&j`(AEOmTx2D0RJt69Qw;kZ?0k_Tw$=Q1512W}zDn zvXBj$D)1CkS}$818$sV94heAFk`3!_K|jub!jiWh`X{TH>ZRxyBiq8ipl&H*W0(AS z4_AQWUyy*}F@`Jg*`w~37>n3jtuoj}CsA&qL z^U^kS4;&be1>)>+3it_qMw_S8XEU$n1P)G6JmagW*7wQwBdmugU^kMfOdiWSA)>Um z^0ejlPggLTE^g0=|9oTvbLr+ICQPK1cA# zNM=N>{9@*3^2nxv$>dhLHhV)b+&Y?>Zom7XBlgGFHCnKtE8REiv-QcWQ1iO{fDH|t zBfSac$Vr4Nazs%+CzpdG;$3g$1|rIy?;P;vUg4<=C)kM|0DBanH4{k@KD zAgI9O+IfRBc{AnW+%ZZ-_bGRjos!{%|AypAw1T+OFUu`JjoQc-F6(hFUpe5vR9eqR z@a7;%#MN|S;-5kFw9mcHH&V>;zI26K>6hnp3>}{1&nj#spdWB)GS1#59Ww(5UD!MV zZckG7A?pg`I&$y)HRN>NEIxXuZpiH!GMMo<*f-$Gh4BKMFY>MoQE@|TQ}ppcr(h85@s_$juPqO#r$ksq;5?oK#!I;*EZ%?~*^Uo&JJWyAW^I8IDq4p# z!l{1Xy&EH+jXOU7iTlIg33|@K?L3I!2LxYCH$LQi4VDqQq$$O_5_Yo zcDklCmhuu#nIDZfQaHuQiA*S9V7f2qyQRz8+XH^~o!8Vgiwp!n5&b>gFA~dK=;RzN z<`m!Sc(wTY6CJn8NaHU95J>4f(k=)55|1$}Etd^LsKog!{{q%QLQ9hei>MISyX2G#ImCO`9ORI1nOLoEv z#>h?ookX1?#D*wN{zQo*Umtew*RIZFg9r+@7tsVXL7d;Dz^%R?-^W-p!HTn2g@_|P zZ5qb-=l$8!HlE!e?P^Y~HHX4EN=U57c19j4Q$MgXc|<{|cLM;49J5;=4%-lt#mm!>mjM zX8>wjdO7CX$e7$_!{Q>_zB9?WK;s6YGdR$=yq|sS7*!?n*~R>OwT9kr3t5Et@e?P4ibS0Yh-g&`Tgl?O5utsha!xK5XdU+Y0|j z6$tbg$}~BYD@hBb1IaZVUdi9{=87o&Iu7iN(pWmWP_oTIwZ1ox#2bYf9ewPvB0HqS z3;S~f@MHO0t6PIs9ZcIOohAw_UWPC5&Mv|8~y+ol(yY;ZjC%$OA+V!YE`@FH^PKT zFG$e_I-s~;=(Vctgm1E+^}1%f`I_6~;zVKyI5HD&;bAo3s0Ysx-{<}rj&7Vt z{TvCPt!Y5Q{0D0FB6R^w{+y6)8l8X;v3(7){2g27mb-|aLu;rgD3Jy@micTi`ctAC zTO>^&X+lpZA3Zj|oB_(@N1Y-?j-F9JD1$JZUdhusF8(&L>R2K29NRHulDz)crl~-X z!wthZ=_;aglyObMz<>u^qr05Nbfe?1WWi?tNb0$%N% zf@_8Z+@!pB6N2AFHjqw(8i-;QC~R+7i|`D7?|!|IYmCvqyG-}*cvk$FYcg8AZYxVX z;=t&lso`y0tT?)&L6kMkCR^adhJFd~k9pjaYXK`BsVekrDo2)~*v||VAPoJT{rp&O z_lw6RLQnjz%3Em^<*PeI8x(dkSbg5v!_ahwjxot^7ic4VI&5}>cLD$D*@@3?P}NW_ z!ibc1cNfh1Na1?|wo9=4cm7zUPO=_Q#y13E?MD=4${cO@f4aWkWbYWCJWv-&9yyU+ z#OEuJ`Y<`D?3_E9eAm*)H>Ok`*YcChyAjsm<0^!Pdu5AoFNWlL9%_!K{CO4Av%ch+ z?#WH|tqrsnZqWYr$Rj{NZ5p!w{7z%)+4&mxf$sNS_|923rUdR8zVHCIpqZ7~v&0*uZpXIi;|lQN$keZ&Ir; z?p=je6!nyaW-p=@sG#v~4y2a>6>q9RDkGdi5Rsb^`ik>4W-sq*tYP{aG`!gBw_dVn zRlm)6+saVmVyd$#VF%)1y4_e_=W-%2evWs|7dsL6ZQ!HGmW()Afy+ZDH6e8CH~tE5 zK9S$)k8%L2Z_j*jGUxUNj$SF`jq8T-Hd@c=KJf_sfbL`dEFc%#a^z}4l|d$pm%{ww&w^j1DRKPUN2 z6$(Z6^Iisgv)BP08^eZiuY;3YkIl@?IvbTEamASniYMIM16gcD8tiH3OkMA{%PfJa&{c)~%lR$}jS?i=0Pjf9bHMKC4b>LS* zEmDg#$=d_B>Fk3Oj_ThJ*VQDxFnh44m3k8%MTo&-iySoEDF=nj)Sf64{ ztr10AGjJZ;^6{3qrRptgQZ|P}S_5%I-i@^?@{Bvx9f|zSQ+H0;$9jl{}*UefbaTdO<^LBVM#4`H>4NQP#F%n3%_mCJm>%x$> z5bnh^L#$C&IcWFrNQ|v?($Dj{WC)>F!JxVv(zDYK`NAUF**SU4ZcA&eUc$9b*XJIc zc+=4Bl4qd75>%AN_-jhp?MZveO%E^*P%Y!6Z~p8#JNu+-WHF!gOTNUPw*YBXQcpx9 z$q=zh7>C@o_(gg4xFo}6VJ${rUn)^Vy}_x>4r^cPJJn5{W6S2FXzNK<7JEi|i*iV{ z(|p*AkA?y{7RBGI)=iS{a8IQecrvWM%FIaM#viYGt|&mA^h_b$hj)PGDU|5M{{B_* z@lrp5*Fo~`j^{7e{${J)gZUqo){_)E=Sn5#tO77-&hk=KLuixJWj`w*u6k(O zTc;2=gcjB3Nd5HSlNf>vH64N45EGX1>9H*)#Wl3Q{=%_At6Q3TL-pOzMt*4kYRO1c zU>B6nPAssOaOxAWIhe%LM${ANVyS!pQd%N1F7B{qH~ls#&e=tlh?mlFY#oO;?olf( zH-ny{gqc({BP*eA;6s$yE`Uf3^TH1`PpNw^&OTBQXKsrDCN; zK+))i8ZHPGAh=QDoWlws52tbB`3O;CK%?Csu~MgBPB5>J3P0|$BewimK-81JRj$BA zT#_#^uR7%Vsp9(WKD8Uf^`%`ZR|*TjuL)}>94MF)G-*ohc&Ig0G@#NQ_36oLwJETs zvj^9$gF@b`mFNzPgr^FJr5<2zRLT*88<0bCl_hP{8~!wLs3JxR*P$Dyynzf_B&5pM zFmE$$_?2T{5aUS(i`=R7VT;=AJhB_j7x@C zmc7R}b|6t<83&;K+qgXf0YTO8M_Yvb?~%ISzW#%%ZOCH57g8QLxJE!{5gu9=m9&eq zCmcpGTfs+hI}h%_r&7X=k8c)&qH{^OMzAIJvqmpNb!x^s?qV0_IEo~#omM47NVN)9 zf7=exV=yHIiT#(OW&SP~r$*h`LtnjmdNktp8D9X~=-mW`haM+hD%l-{z2T?PoZe@= z1VP&#(R=&Bn_X9JLrs2Pbn+BwoqMgZ4*=IN!s$uWO(tB@-`4#n^)B!7Ck4`5o%loN z(Vs|!6}z-+EIJXq9anhgN?)C`R-Ka!^9$9NJ&JtGs%_MYo%WX45{@0L(LC4aQRcr- z(iOsl7Sra5)y+s#R%&%VI&8`{Zg*X1!ZKtr$?s$;>N)%vaUXDYw%(mdN!^5fJS-&p zX_2D0&E$RNjS=Bbjrrl)Uw@s*P}q_gUvAn04PoXYF-7@E;0kuWp*H_cPe0bP&+N zAKP7k{45H9P`>r`_jiNRkqmg#vx3+clKVPaEO8iqmMRdqPFLNnKm6fLeXpi23Ba63 zi|b0AA+dKBEo(cIjY{fPi8dBh6PKwyulKm2dbhGtRk}F+BIUaI#R9HUr0}2~)77q`xm%q4-&IhoHssnmE*u^NON zhxE;6HR_%(Y9ik?`g|c|N;%HlObXHyjN!7;HJ>i0WzwwdRxSdR8a6%vDG*r5~kr?B|LlSq{Ly*_7K_jpP{WBdO>OzRgPTU;&C?)4^V0!105$Ld`}HF$4&LN(tL-F(RSU}9Wk?@^N|7U zBtyu6r=~TGGFL2A}D^yj#C+jTvd$i73AH|fU11ygBZis zfZ+37_VphMHP$*`UYA{k$MIeFzk7LpoCDNigkq7cP7!_OF}ejYDwM)8WEWX+nE7^} zx`Q0YTa>Ln@^KuH51DcX7+)&y^k{SP@g+_17%}>-=5M~Wn{(HvHuWH;`$a!uw(GJb zZjPEt35Pw^TMOeqdporRL1Hq5l_ni;fZBLl2*Lf`szJ{NztS9&rYomQWh|KQolOl* zEQnF={%kwAFea-T=WR~;37I!%s-%c|v$L{%pJmeuB$C0^^AYZ~VoCeEhT5~U8Lh}J z$tH4lh3{(w-nF;Ea_!Sx7h8A>O&ny6UW4wWy4vJ5#r_1{?eadjR*tW@8Gny!xvfBN zc$8tVa*?J=v~q}@@oGwhEyjhL=Ie>(B#XAE0(gO5?TjvLWW$fbXBK5V$caH(# z>*;!=e<+7U7w-h6u(;l4EM(xof)5I*R&6XxhW`r2LgYcCx#bYGM_Zamm&U1{U=ADb z3DX4Y+thD7`I5$nh@z7t6UN*5Vmg#eTA)c=mkAw&R=Jn_ zz9}Y7jR=k*U7JQ?eIT+Ew`d!1o(L*D;rl?$ec?R_GLy$Dz$l4$LZ0(2ufx1eW3iC# zQI77hp+^zIdNmRT$r~pqVXSQ;hb4Yr!zj7DJ>$WL2?D3)qlp-{T$Xkugg~AgUGUmp ze;Lq*Kb!RK(Us-sUM4SqV_snFogoq8cu-L8>^r!~k^=LC8wDjzR7YZc$=85fja6}> zb%@+tQ=mHrOX8jo%+TZi368rW9*(qZObQv|y}0qL&9mLyUzvX99+8F6K$bgJY0l_phprx-5=th6Cro zYS%~sVcLO$w({11J05kkZ-Ap6(lIIqss;ulb31I-$M@mxy+!w$&+&uYkWIh9E$&-n zaA_&Wlv^%;FxUQ%C9K+|I#;6AMLRk#Ca&iIG86)f=6|f@7o(4tob_mvkmW`Z4>x$; zY|7oFJr*a0HJwkk!IVQFcONm}HNA;s2OkWL{)-r%_tpl6LlTs~t>`(h(~olC^_wOF z*^^-}JbG-Iqt4Pl)_@hAz@44J0_Ug4JV#RS78D%J4bGG^aj&RRw=fLWWu+zbj?SyFv{#_kN>YTqC z_@yzrV&K?J8s5)C^=TLvtc}-JB_>qfC(AE; z{!4HP__YN{MkVpQ7h`-6>?RWi4+wB9@AZm}I10s(<&$tVK%ZA3QaHkzU&OMT-Y?@) zUbL$Kfl{U0={pMrn3;~dGq`d#K(FhwODPxq5qgzj*ZnX0_{4QVP2H_=xZqu6kZadq zL2m6)iv_3BN<{~ZQHtxhpht;I_%Fw@0&Co*X3&ZEJJDp(D9>aim=bgZZ_gpT@Qq+ z8$jTd3fKr=AYm^DlTCnqqc&E?e~69cIGb_ar7|MV zPU&WX$V>2x4aO3e8KK%>3tNMjr?!`Av`%70gpbZ%r)w(Ev5{oC$bTjoLf3HEGE@&) zjU~QRmK}i?*t07(iXcVTo1OLymI%6bgX*SEP%bF@zHV-MxG3+l2P3s4N!m4b3iO>~ z-Y2{S8E`MA>|#kc^pU!68+~?DUZ6Cm z#p+y-w^iigmO26-v1d)7H(yslM-Eg{4fQEJ#&L}(^SE@;NNV(*AuR1dV--6YsK|O9 z#TK=Cx(8%CK9{VO%zVn+nWum);K;-*HMd94cQ#BOVI; zhEWN^bHYU<@m@99eH~z}er`o0_Y)2&a1jg}9}-EnZ)*#)v$GEyZ5aq_S|9EUxd#eM z362>PcI;j1*$__aqx&A4Oc}_Dk^^vie@UMpnCCTxp8Ns4`NS>@Z=^+nDO}-pEL0c z94Lu_GWGkq$M=QYlcnmtO6d#da~w7W7?%uXU6RNz3`B6p$sK}t?Ub7>h4JagzE>EVum=prLbbKmWk%ygv*Cy@b`8^3LnE3t~&T9!*(SCa+*u$~rM~n_c5) z^+(V3>AZ&M6!Tah@;8z3_G2{^+pve1g~fx%6uRf|yBh>dnmKm=|RUfk}L zJjcXm{_L-VGBJpk%4!5~r*bE(PC%{`l5e>S0ZG!+RUkD>)3UA;%@%F%Nl>3=|9~0c z0gN7Aa&Ip*FZ@)AUPvZp&J`F8GMdWrC^L*w0hx2$BLp!TI0P))^^L&bXE}za-5N)! zxWD7pj3g_V^Jh-tbDfkpAo;=7I&)LUCATweHigZ&cZ!1`wgJFqq;zIotiPbS1?+~+ zi2kTq^JD*PHIW}hkNoJHf)n#Olg(te!_%fi;c7F6xELxs13!_jzOH( z!_zWY%9Wx6zBm(&Tj(7h1l?4a$_y>Tdd7PoQfN_5?o!)mT5ymj5kXZwSD=^`Xw^g> zr#m@jd&a0!A9-R-Z^`I-abl-YsE{GXR?NNx)lq}m^$B+oWf~^KQP0hw#8Eu>>+P}o z93t;~nF@04<)qSON|`=i)garN8MrQI@{19oQ5#SA^;^+3id2g<#k7&KO-4NrocX7z z%C_}u_24rbCObF)BWy&>!s8Cz7EnHgJBfc)d&gJRkZ_ttM6oZW(B^ACk?+eRTE8QbCMF%;o-A&nx6c8jX}eoF^T4R3O+B6}jQ;&?mfB>r^MMkyc-4ir5TN zNpZ@77Wytan8;G0a#4{CvbjN4{6a%i+Dcf}#{cMz+%Yh~_NPqpB*}iKk`P=O1};`7 zr>L|77V~D&*&bdjcvZ>rspzh)%ORwC@@TfOhf%nO%z9@U3~@&5C^mM0dYA-I^^Rwj z*dgm-r*U5LE+8bMdc7FTWpq6TmlRR|c7_RC2Nl!9Rs4#ZFtg#T5&vAxg*lVll%rrF zg|8j1Bf*^|<)G)od@;QV=v5&!zjEUR=;Q@F&wqTx78%KWSwGk2G{=L!=gj;RgE8&!g{PI@B%4{XwY zO6wD$3&B+;bG&BIxbRMg%Obq^G7okcyA7QS&5GfL7K@#4)8x9_o!|TEn~<9z4NDxJ z-hSME>5`r@@zHIoU?IzDt{&i+B5wUnZT}it(?iULG{%QG0=jGD3=Uf}6S#OtnOtB2 zlATdMa_1NUlOv)pw^kiWyI4U230v0ViBv@s6ERecrZR@#s1N4hTvok~;)^TabM$U+b4z^~h?tY&I4n~ZP zulD)gfC-&yV`z8jqfH7W7*V?nykQ}*N_p$fLPonw-|>B2dvB74-C+)9-5mwhChP6# z`ZI$G+Ich7*`B15v4hW~DdKjck)f@R#E=`@@gRPgxawdp-fleA_;}oFj?$z_Ml=k( z(;(&jE&r?9q1tvx#z4-%_AaPmUvk4AYgxEjPa1&$#(rqN$^Gl5Y|m%fJaE0S4d8NK zQ}mQKglq`6_PO-3gc)FDNyXeRh=bGq1ie=MK4-o~C@^eu{g)0HL5niqlXrYbwrX?o zm!Zf*i%%jjQ%i1lz9>OH5eMz_bmt^kQ254C?v=zZpe>9}`MPgf1CL))^=LrUP5-$i z=4UU#;cz89A(sRzlSsQTpy zs$lf$$$JyOF$>u)Z336|#NW0B!)lbvICqzFU0Eko`@F1rC6lB%T+IhGjskKK%V6G# zNNFy0ci6f45$XGSjE&h8m$|SFZP-n0oi3623^O#b}MhdouBtLr{a!W&?JcW(<< zgQWGLtKX9C`Y@$|O-g+m5W_QuP)}b252UpVWE1Fb&(=AtM5z%;@(Y0C%5oUi)Jaz* zz%$Vyv0{Py-?KbD2~2L?u#(0jB0#2?e$MtltdZSxFcXTHB*Y*DDjY7t=S`qgqmW?K zIQ{%H(zvmt9?k%`rA>uhV(uf}-^)UtaLt^8qQgfNTAV?>GK!}A&Z56!;D{=eOB0bv7L(#*GGgO2|*6u zcv+&)=PA);2qdnO5AHcJYE}kJSv>RH=<;j2pthRyEy>|?J+f6OO4F`;*M7M{3*&YTYk?#re( zd=tM2wPf|=oI{=6QT^-+vicH&=ndN43OnEna1VEBMIrG73^HT{B70w$-(bE|`}=+d zIJ}$H;S55cjem}9v6eXhtZ@+A+7ocKeq*BgF79;>UBef>Ok@>G>!#!{CZoLh(N)uy_vO`p4&r9n! z5tfl=SmL21w-KTWObACy6+-J}AlZD3g7l8oMuy;Q@ovrZmnMio7jzEYZ@4Wb ztQyJfnlLRhNd^-N=`%oKcjYJ-h$g^^>jyXPjify4w8GltSc@}FE;AwCKpDlS!^Dq7 zT0PC*WSoGZMDc-r5?D)HU+sE>c;55b`HIFvQ7eHFJ8%ou@&}U(Bs*Qb`*9u!*NF(} zDfBCctUj(WCMC{sy_MuDHAxqt58V7Z`>dUYIxW~2o}I{{d+fccBo{~gNJEuo13U`E za}LHK&54^;6OPahC|`5!gm~9fzSUQqFHkrTh45L;ylA5cJa0$L1IL9D#~~*LtmgHu zom2}xW4_br55HP(a;EE)8%frVY3>)nlE$Dqpj`0J+Ao$R)ua-s;j=Su&!kH!|bc%H9LDxJZ(RQlmNUofmuI6QfcgsOsx zEVB$*|Em;{I_8=MJ8fZkxDrDL-JBYc_YW~XKin`>lyM&k+VJ^YTE4q~@29a%o+0TN zE2<}sm>Szy5Bja*C#^vUbs5+|rSW;|*N$>DXh7Yn1@C-}@qv)W-HzII-u<J?s%MN_ZtEw{z`?ubM^<&9F}^KVgeV^y`dEl;+|)-W0Qcl9jck zN>o_b-WS*DU73wPDst=+I8J`+3~0SO03zv6jXCwVH=in_dmxf@oPcI#13)z+atf10 zPnq&jLl%oFV)*4EQwdK!ZM)r(&q`safiRfU!+IU!ekiz_UVu3A>sU4~=QYEyG6r&m z4_!U*3B|+;GLYn}_%FW z#B8RFTxe%N^DJvm)|>btip|5l*y-E1U$qZr4^Eb3q8BuK<~fRBIr-G~Cc+OnhfO%k zd?fY_@^-TC5eJ45arFL-Q|?~m-$k06QZV-h7|IvBm$;yR5(gcMZ^UB}&8gKGq-;|K z&b82wjY$=1+i%6nAx7%wPex_W)}dIVcFih{*DB~NlkFYdPJPi)&4P84?h(mmVFpu^ zT$iaWrcJo|fy3^bINeUsHNMwdDc@bIW14ce3hZ)@F-Q#yESQwfDVHv&-_OhK6Cfs` zeKTr0_QBur4VN8vei+*jZWAe$7(z=@Ln(g=YP|p9jI>p* ztJ?AP4+njk&?Zdx@r*Cdy~y^9cNH+z?-P$;$cxr9^^!hyhjG?wa~^A$QHe_~EIr1R zQ-H?}n68+|1ixJP1!m$+T6JQm6~)wUW!pP<64p2m`D=T{&n-(fX}Pu!42h9#1N!WdfqxNMGL- zwYID5PL%H2Ekp~;_|KT4nE|_|c~HZpnZWAOE44kpmuYB|XF+-wCVrdJPvZCZv&3Cr z`?qS{+%R|JYQrE@=Ro=JCTeHtuEo08d^_;KAEPMrHAqJA@4tsF@x+45$@h`Xd%enM z{riO}A?jlw_v5Xy_->XQdR{b>{hdQ%?Mk_@&zc{5sVU&h`uI5m_S~M+LI%~wj-w3t z8}KA!)Q6lKSI1pH!q)uMq4(98G0&j|)}Y=%0J8=QYH!I|_ZI*NK6=KS`JXN-W(g^& zzH0Okt%@tIc7b|h7CRD@2j(!yQ8qm@SS#fVRGHeO9yg~Qf_8MJejA2nwWY>A4kUrT zTrH5Aq=AIzfoqL^Mv;V9NE2{SXUo8J?SEtwV?30PM8LQ_hWo{0dx#j6a|OYW8(V|Q zzJE>sM^7i5om8o?z(>!BF7;V5Eo-|l8v9~c!ld2^BLBHYKx&B4e`%zmgQ|_0 zdXNc${t#_)j+<4-!Ku`-i)Mxx)>8A~p#w;0$@j2XfQgUAWMM?ZGO1m8F=CbSEdL+6 zL4uZ!zL5==d_&8!WHEA9Qu|=778jzVsxJ>@fo&LaNkkwLDl6DEPZ=>}Kj@n1#*w%w z;BYM4b@3+YTMbFH2U|K4aE4l7G7?13CP$eyQ%76l+sMYvbw zEaEw!%K|h}FU|r0BzE@BQO<}4&(kyu?ZisL;!W@rGOZGhKzsWF0FZ2fn}OU5?3!b( zIg9Y^-%12y(7Br1=|Z*)NYNYjUmtShWMDH=gJq}VKJt_<0(J$aEpmU z$GrZx1=}T=R8UJ4`|{L`{(Fg@Ks~r|LhhG$T*Ew^PDDs~B2uHQL+yLyJ;xxL$K$+#IPeECVdJn{LnLb{_r1>n!P-M8bDaE$A zVUVQOGfbdk7<6e?SV6TGHOA5P?hdy;FvSQ5S(v@-M)jJ90oHyn4jL#sD+Yf96o7T_ zyUfpZe+;oCi~fy(1?QTV2o8>4dELX2+6AlfTQWzVd%YGu1pY%DnVN!nf!Y6fff~}M zMN?q1xzO|*x%(k503FSRk5!n;Y1UYi7HQY9iC9;ePuvTOS@OxH9u?wwVy}1c_xDV1cEdf?aWD$@N9oGzL4##g`$9zMv4RW(tSs&=WEe1E8njsQi1i-&ZR?4+ib^Ni)$``NY zu>-eseJ=yOG5E*%^yXiSo5?(>jUPGxAKK54ST%Ne)H{HuY`!M5sQT z;(oe6xIy#7m~<@9|Goy~{PP`GNXv^yXX*BqHwj3D1Zh8TXO9Mu>DAg&?vbPY@rs=& zpPP@B9QNId1`Z9oy8j{eyW>kb!Q-gu0yy9ht#hYwt6Q*BPmG4Lu@0Y!J8k!B;x z@Yk;O%5bUje)9F(f4-~#SV@2Rk8l$7H}nZ4%XpYfa>=|;kuN>38vea#u}4+wjSDCmu6f2Ngsy;GL%1v(jH>7qgFpoaKJ!;2p*H-|8$WIZ%Kl{D?Z2NJ6s z-4Gg}X|Y&H%q~lY(E9CjhkV%Pla>X4_GQO~1QJ*5m$xiM)R6;9_;P>&l*H%?K;ZK2 z?scG>TTf&D+nDfoN#%*u4{xwW)OpYP9*_RpRrc9OaPX}+78ynkOP+gNuuWF13 zzvrBc3Vc))-RO#DSg*61(47Ybx&A3I+x;TQu(bg?P9CA$M&JneJMHGbKK}C_nrI*% zE98#wbRz5gI_>}HhyL{m{@Z_N-n*_(pYY7s#V7Q?{oel<-|&+j?Rn&YLR-k--?onb zXYa&c{BA)wPInTc&QrBCJY>TGQ9T9hCM84I3Cxw!x%-+|qS%{n;omL4@}9PpnDw3M zRIi2q50~y=uIImcut%E0?4Gey)H7KQ=DfuI!ZaStlh>&(Td%A4rJ|l*7uL{X>q*e4 zcQ6CpSTKzxJ0B`&j}vg?x;Bg5hu|lFt4R5~PR(CFPT__Axl>-%I5HwaNc=vTT19JT z!DPN5lBGy8t1l|GlC5K7bNU{nbPZ=~raGl5uIZ&EAL7#;m0ra$Rb;NE@8?L>{Fh0* zd(TLxTw^&4r^N)^YC1J}4eD)2(3Bfxt4DVBcRWMY`IG4oTtz}1Qg|Hk7pFN)4z>%p z3kle0VL=v=IW8duN>wvaA$B@n-#skSE}yqsNIF^x43z=b)T>4sar2k6wVSi`G0eRw zL%EvymY*c3+yr1v?ylxDl}}ZQG^6eiFiU^0vB?2qy|Iha12Z5WXsStpV+B8E^#+lF zp~C^NV@wCe4B0L*H(<@6-PD;m2ISjsK~01;N|e$Q^M}ix|Fg{hoi!#Xk4cl2wwX+N zYu&d?T-<1CE4q3-TS%xS+wIY*y^ zBdFIn+kCP}I_7sMQGz|D%z#%PnKlMOpmm^ioy=Y!_q<4x!AI{9O9k@+cm-*jpfajY zPfR>n8`+9{K+ym8@2}qftM$C}n&K&zu_5Jn6T&!hC%pkTXtn1{Lh;r_a$pqWEAp_@ z(dtbB@mX=>(J|>YP=^)QR`W6F2pV2U*_II|bNP7xyHh=rQWMRbgBD$VyMg61_^lNu zot^uNQANb>N3Qt%jWtba=y|8wcE7}ll}D^fHs31AXgJ*;ZY}Yw6b%n(+FWq$R*j)B z3MJ+W-Cyb3H-C1>4X&sj3+rE3mw7an8%*Y&UiPx(f%i9FYAufpe! zR`yUO%{m9tqI0u?yn?N-mCp%#iZz-d=G`d&AJ*PFs_J%I`xiwp2mz%#L^`EI8kFuv zSaf%XNOyNhhjceccXvv+bk}>YXTN9s_8DWJbN2f?&wmbOfUNah_dVw|uj@1C(KchI znTOBb&yOAH`6y|kWcrfk?YCsmv@Ph8Hhlf{6f8I|O;-VBq9K?ub)+h=s{`5|6oNAb zKC8jZ59}oLK-Vge&3;veasphxDGI_yMX>Jo=Snx=#cuBd#je4O4I2u<(^}2dcC4a* zapwR3xGX+pyvQm{-ydx!-}V#F?A}Qmdad2yajC6ZX3LF;@6@8b-uHaw!<6v{mwX+z zz7u&8m13r?elqzyL%vvt8wPeMA<9%;)Rs}}3*=-h6W#IfnGSgMrU)>tq1 zNLBWiZTzdvXEuT)`Br4=)x{_ks=fEuJRX@+ns4>%B6!?w(VC8CJhtm<;6>jn*_nu? zHCeFWPmN+UTvNo{Fpcd8-Y}Z<-hmNcWe*59kSW{%^i*~PwSoCkV*;T43IP~h2AC$` zY(Qat;*xkeXiM!lRZK^CLwBE$90DD z0@&sd-tPZOK%7Z92G^G%@J=x6^}W@i54dO=fJOvuC2R0O1<6#*j*pSL%r%Vi|8$D} zH(z{)BB~-VtNi9**-aFkN;&Uaa8S>o!H}%y_v?`LYv4FC9X~#^$d%X$4n~l3o@r#QX6P8WT!fPUr8+1}*&3j_PwKsI#3_R4l!<{%3WEswf{r zxsWN9q;e0EE_&`9&$3VLRF(qkWG>G7;gd5et86) z%h6yOuZaZO7FgDxsDr=I70&<>tloisxh$CC1vhpEVc@K>eQkZBlc|ML?{Fxo{s%17 z%LFHW(0({ce;qJfL5F@sTWo8<0FVJZFadB#xP~tH3F)viZ`20z0dao}EUXm(P#T0P zqwy}?)}fDwEsyTbz^%KHToy`mTJsu6NsPM3>N|jCmhZ0sr?n-y1^lr56m-);lH369 zsaX%uMBb`hWgx|9d$KOJ#(}aoyfdDg4^Y=R)}nvUISAx#NkXN4A-R&QU7@L=Csv2W zrUG+;3VpLr^At)71`MR!?XAC?lJ@sGY^NS**zI;N_dQ&_dkJd1ldY)53g_3&_rLZi zmW7-)oKPr|G(QV&j2<>KDk40;cMvvv(s1=m0$a^KVr-oD0^|n-fcwWC{J(wEFNGhArBOr0A%Q0<{bdI{mIA@LDy%H##Y!cqkdF#sqY;!Y2?YGb zN?4jD7Ev1^aJbImD#K z&sMun#3oPDi&|hN(T++khy~H`xG_z)4ixSA(;6DOH@9_EdR!{RO17rNA^cL0_P*$Y zDiPELCgV2C#a^X{V9U%rQr&y3b;s%$LO8 zEM&MG1J+V_%q+yX(34yH=H1Nc25^5OT9n|hm=a#h^!e6-h+Y$ON1|L9x)9=Ug(Mq*gCC3;Msh#6g9SB}pzEj9YUYCSeB=w{V^P># zR`iBT0R}F@Ooc>efW=}-93Xt@8zDfkR=^G@C)!+oxL{SwR2#xrnaGzr12$vKwRYin z@PDC42vw^xCJQ9(ECVzBv812U@!Z}+X}oDOXjYBSaQuPsXV~xp{C3$2KNYd2`GD0V zgrPt>{d)8krP8UIr4EG%u>rl34kvOO8EKGruz5r91SFc-(>4x+1vc{xEE(xXn zpOhu}9$1RD!9#Ot(JeFO^VT9=usy5Ju zAxKpcYZR$|1Su$&d^^+`wzx;ZuPHtZ={>IqbaO+_S zS0qD;6N1dq8;ro_$jyC!HjewT4b+21fW9#Hqz>HV)xPCIfx0+Jmxs$~NcaORvKYQK z)JMS5J%E~=^*CEw4^Y~^GV72qZej3d1(`_A9617mxbK#hNjor1{Q#GmN%d6a{B=6z zijZ&Ip3tP{n)#U{pkZZWvP3o=cj4$k-OFcdVZ39&Sfqzf{LeMd|K`t2FV;^Kx!FzP zXq6&C`zJ&BI9Sng9?N4RFc$ff zk;F?^;9?ma=v^lBS<;N5j)*lY%>ib+g@_uqYQD zWy9`^rB;{#n2F9oXbm><Zy#C$%7uKtrjbIX)VXWMn%SH#PCLkmbm)>&*}8zynNT!n&`lltVz6Rg zl=u`x6tdj|T#u3jnY0b9A-otd66Z9$lNMJk8VL zA}HsKbj=?4va^aJsHsXpo}xXdM60hhg`j}vuT){z;%@rTIRm82n|au`kxzq;KUxUx z?@_x*VLXqD38FqZ)lec~jwxZ+;d8rwe;=BLr6}L@<)_@E#{zZ#{JVW?8#PLmdbSV` zoASk-*3I+nNzGlB!=HMLsk;$(&&#=ARuH}QTTSSyNU>;a^G|y?K#*{B2}F6k7q5;R zxqD8_c(QtYxVuLiH<*00p)^;k-yjbE@#J)v_e)p?RM-Tgn$h*%+360z*bxDtc&2=< zAD>|4=1K&coX_)Qvp+}EY4Oa$;xLz&<)r-52T!NO^c~=!QtXkbc{e2m(gT+=c;A$O zTw?UrJ}%`cni;&Ay1_E_wj?XYg2U>@0NpnqlqJIV9Co`S&{+-G zr`I7o1xo)+03n{~LsH!YE>W`(T@@*o7k|cck=>3vF-Q@9%~zRVC<&-sC@1Fq)^mT6 zVh6=D;4W^@R)%Zb#@$2r|gv-E0HHI>H?K}cr_0OitW@dhN zU!^KQbg~Yu%#->ST)By71qwf7DGroYf#TyH;JbkN;ttsO$|wE`%KHCZ?aq}5VU0(I z7fBtcrSq+VIAqh2ml8fx#TCXGHHg*)8s+RaH6SI98S5Mt3nU2FJ`X7@-xxffu;vR` zcATG-jZxq=7o`*s&#&!%fy2Mqr&o>kxXn8*kcCd0__5fP7$4LqK^PgI6)HmFTN0|- z1aozJzJg#FKPWLbC@$!KGDTA=1dfeYG(M|PX9-VXF-tTto{U8I%P#8WD=po^Hq zVis8-vP*|S2~6J9pp(_ax+FOPF9q78mElw&7I4-kfcdKg(8U%bU%jIg1g3&a&^BS| zMINV3Cgt_9ir#Ar*rUipj3T;4F2;i2;CO9`ga2}l z@bCO(E0$+8YxKeBPj2XuET%W+J$tsu+ONlCa4gT=S!ScD`gt zeGJovz6Xe9>a{})&jDa3aI(EWno$55e!J@fo)f2 z;G!0obQ97*7N1fsCwK)$LEqV5kV*NRkRz+$XpRzr5LAj^jF%@~ftEi`Y!Pliwp2oQ zXDqwJ1NXgT@&`nFoR7x3a&yV&pwvxqbQS#iY%5EWbd4|g?8?L?e`+eE!SFG)oiU{_!of;snrmCXfZZ|}#)OiOYY znR-b;yY99B3p`G`>Pmti6Xm(}R5z9Zt#682?go0T`8E1AIYiFs6Qv;CpPD(r;A9i=V zyP%f6d8O`8`f#M>E)Ew>q1=q~K7f)it4A{I+X|Lh`E$qGe0_EfHV2O6yp`#Xouv~h zrTHfQH{FJw@h^c+OpSx9Io;p|%iz!@n|Lycn-GdV+j3jVY`;?O_BhpE{dqcRenjZ{ zwAY5}nfb!ZRr!~!;^6O=rT*>o(9qGXXp=*?_0?Q>EHUo2wgN4}4Q&wXU!Mkg!z^1TQzk ztW!BIo8=E`8<3KdW$#17Cm8@K6oTBb>HwW3Vte- zfq2VzU>~BZ07P`EHNK#{B`<)w600(qX36iFeiO_gA)4`iBJK$wgiNPkKL9A5EU86> zvC4mKO#XLHmVf%14747+CQ<9ytGz{iWJf!ukT-jwjl4PraJ*-}J6t%^)rVtkJya_7 znD;LGB+RF$K9w%rFqEo|^i_uA-;C8G%`7kb1LP|2ZqpW+_eM1a6qUG$6-!!Y+lY1HL%03Vq@lx(q@M?p!CmzUGm``1m!5n`h z^4ZQM+sm_c#;!7)|8zkGj3Ldb)yg@O{zJ{`izM^6$Hx$IBhZZ*%ZZ^F4F3cZwYOlc zL;!#z^X*SofmoqD07&(vaJtl~)K3t!uYm)46p;4=xckdlyP^39;J+6Dj+J-sDCPZ& z8&5tL0KdLCHI)4f>KwFp)XF0tJOHM9983m;g3xIgZ@PWcK#%+p;eA~ZFni4blaBK2 z?Zp98pQR@t_r7u2(Ix2wg3DlDdp+=8uxIfAc_mZpqotPMZypA%kK!pDF*8)Oeo#aW zST|yNw6*sL*jCvY^aQS)CZs!GAj2VP#a^Ff@1y?NVHu9!yyFjSDsTPS{9Cf znpOj;0D(d{YnK5S`BMf>qB^^lxcpK9Apz9A(G0`0R8-wmiiL*B{b{@{riY+AT%RN< zd%G#13m)$dj?MnK^EUWYIw1Nm+;rZrGoW1}5+qL3j_sXi2&AVA_>F0`7veU%1m9o@KuZ`?A2S9OVEQa3-kd*@i!UJmSC|ZWW#| z6~`XBx&f8i8NlLo$&o3UfmSwTrZxJR786u86hp#Es*rJHgvFZ<3Ux=qV)UM|q1LkC zlA1+hcnm1DT;Vrf_q=CMV76e(7lJrS;vmKdct_}N$IBLsP4cO)=eN>g zi*j@SxP)BjIww}W_R#Inucg>cz2|mS%LpEaK#y+lN*T&?+ONYFJy=D_q0IH|t&f&E z6}@TFmr{8fi9rjwBC#01nVjDa@+cY^$ac*muMSMj)@} z=`OzB0>`%C+53L8B8`UFKaHo7?NLB1eZXeiQV!J^(Z1_Vg|6e!1Oaky4K!a`kO<5H zbELUcgW*uidkg|909&wr3@g=X(qt3hW|@t~NN>Q?K+1oy9rQm<5dU2@?RRSH zb3pREP&E6acOzTDSCMEtOu}uZx4diDdL z7luG&Xc(EukA7sAI965j<6^d%1BSw>r>-KB<0c3!<85b%X zwr-{u02H;e1J!qQNanzY2gQXp5U6AVSc!8}cill~byo5bvr5#sQ5ZBPCcnD=D> zEhI}e?&&zjq-bmmsCHr|LJ+6^w(;iznkcrwY!QzA_=MDE{h<+3u}Z0>`&`|}{x=4H z;%BhFxf@JW4Z37nHR zpj^|#MtLL3>8(i+?pp4%Ef7qsEHK&a>$ucU7-Oe7K2XZngH0LlLcR}4`2-m8;y&G>cqX4o zV4eoNw*-rD#=s_PA&`y_(xz?zGx5Hjo*z(Q3g9P&p$qTQS3x4w@OZT|KoR5M-*hGZ z55MOp*}q==tQ>?5H==MVC0dTs%Tl7-qhD)h?G7fcM)3T=Q2AZxH(=^zwfj{R-vj5u z$a-&-S2kfKj3@8Qx1bIJU9Z`lN_r{zIzXE#S46=5O=CDqQK+x8@)T+B2ire=W2WzNoa#w!g+iJif`N(epl-#x_sr^Ar;1>pO3|^IjU9C%_sNn7%Sqq-F%l zdC#$GC{fY_7nBir3N-+)mk6>e`f5P@aH_Oe=9#yVWKsin#`VcYCg>PO!M%~97^cdz zy@p!#jOVTY^vul<4nbkUZ*}-ENRpmUUPx!%(o7+XhdaJ$eIUV)9`#jv3V5I|bIk8` z>y^OFHTl)s4}|a#kU4;6<~o9&OpQB6NH*J-roLZ}f6lk|!@U>}mSu#9{UzzRDkfdq z3};6W^BjyP^;35Z8%e;o>dFLkQ29njD}m^tEl}bJ!G{s{KasP@T${Gr6Z{DTENK9= z384gIc#?-N=Wlizs^kwF2=3drV%?=B%oA!^xAAx%26e!pTJ@^a?&muLb)TI%PIWNw zuXa`{kf)&cEe}Y}m7HeKSkvMBkjNybN8o*(?xb@^L94Lo$7@UY4%n}A-&j_lb1ZVM zzm46_#ed309`u$%=fynGi^VT=G}Vx998x7q>Kyl{pBa5{5zA+kXB+=9EH?AlFE(cn zpnBPc%|Utg`P2eJKZD1&hDPaH(t7W1Q)(q^e+c-d?BD41$qZJ?%4a*i2kvKjeb1pNnOWW7p!n-Dd)CFeB)oMB9B4nF^A5+!8@^wwYB=oiwmU z%!$%1%GJdZy4Witpwp@CZ1atiQ~MvgF1MFo>SF>3-$@=mmq!6lR#Ot187% zJt{1B=mhc|!%^pB5*kK)cj}y?l_W(FFw%;p8?M}SJ=>O1ZLp_-mZQ#n(SPP^O2oqm zcs09dW35^Q4{|8V zOBH+wYAKu7;oWG?vd3k-;p`5j!TWAJn&C6y4!U7Re2O;SHq-fPn(W+Mw0<_13+jW# zhUwa+u3#**{DK{IaEk9FniLZ~n3f0zpmx1BP#FRr8pE+Hv7GW_(b|pl-5dd5N;(v) zhjd41hMWZUVdyH1_u&V)gD@d?AZ$Ah^047As&K1zrax|-r5=dx(EC8Se|<@;C04PA zX7y8Nf@fsn7;^7%#G4SawWf>Eil7#~#>;i+T+?|sKQ~!ks=j=*S?x_V}RkE`MmfKWk^G2$sjj7^c^G`zEX`L?$Mhs*CsJjn*pw z6AIDi18C-6$hgEt4=bSkq9oaN{id~0&V4EUO-;*R&$WkrI6coN#NoIGxOBwG`kfQyy3zOY@2R_-jfcq$ z>-etKIX|dp6hXkMn;&-!5Vn-zG+rsNRsrq)cKI;}tZPgNJXZUrur>y?7^s(ATu)Hv zcdMs7&^<_ceIcgaR8MjCPcX8};2zW`jXwYW1mWW%G+^ z-6QDz9L^(AesX1{puCt{^7L3g0mK72uqjyl)`-RT4wz}$?EgR)M<4Sq0)M+-w045& zCzsPf)^Wgp;RBX8eL#{~E2>$_05U+Hif}TwAPDUwnl~JEls zNN>+Uqrh6%aH5+zC5BF4Lf;Q#0X283Hk4T8Oj zR*5Eerpm*wKuH0Wfpf>O_jAu+-i$~P{^QYGboHX8!@mvFO@{Ch)FkIzM$M1wRXGj@X9Snzz8y;s(T8dEa4f!>3F7cq!=Gx+ zDtbr@lrZT;d0}J1H))zmGU1HE0wu`1TJK!g_j0Hr8v~yxfV70$LA0n)>xX;q;F9);y_g@kk9A8^L^re z+A!W~A&;yhdSUhQ>G+ROvo|xaV(TW(DrWMP9X0 zcEMVyWuVT_R7pJqtf3sx8}-CNfNc)yGlnuoZS(Xae=TYI)Tmfx011-V*s)Rp@gAUj zNQbZACD3a>jiFW$%CIKl$0hnsBp^*J=rjwR2gN+64MXcGC= zHL_||n_?9ymwi_(RyT5`o31ufs|R+Z>@pKD49wGLu;&u{V7<~=>oepY zVrX-+)Z~I=6H_t|&iNtH{-=q=e=+p(Ia52iz#f(yE8rM;eGlME>EPGEF0U&AngtVA zUm&;7mhjq#Pv9~;PsQt|6)~fXxk0U}u%djDq4+=%e&d%`~f9K1EmHQ(gR z(OR2`97+85SR5f4Uoz$AIAM)aoi(~;jnr)i6-un>c^gp$-TqNB^S%T~v8#L>U9WF= zFyzZZ^OI7xsnaGyVfW6mn0=}24zVn_eHUZetl>$FO-_QZmd%zwcS}AB`#&4Qs6V*FuG7+H=4 zMiOj)Wa^3=DqICB@j6Btj3T>W6%=AYN;k_StF0dChVa9~^~KlXZa*ef@UR?(J(*&7 zoZ+`dhZ$fPfCa(WWYKRP{xogivn4b!jFPpfKM(ARMOkA9% zTNK-)5u*06=DLVp-%?^~&Bpjt=Us{j=1?d~`C$zMX~BNpY;Iac4gw>YHO9>eo`GnJ zXE}UWFSlWy9uxiU23QAX5vpU-Z!Q8{Mj{rkr_F4IKSVe_6q&mr#tjBU`GXJ{af5gshGAqdsBDJ4T4vtB5LP| z$L6>3{#L*@U3~m30orhQK7Af+rP1ulevEUS`P}`rTj2_{vj?d5yiREMbXN^GwE>(8 zjP8agRkE$GqG{BoM*NpaoqxB&kZ6M1vwpYWXE5tc8oQ0})xiQ7R|MoafeA(kyJCgD z#2Uw%)k;kj=Sy?l7x#5|7d(XgpnVeKCO=s$gz06O7Sg(&`A0^;mmxNJ2}tu+_iD@0 z!&}5YKL+ero&BADgmOP_mx6L68Vs%>slIE!mZ%+Rt)%z-AY^k;vBnF&y=9=iUp-6+ zc}i*<)#TdJE%0ND`~3|tOOmWMTP4|Q#Xd`$Fs z0gz#&2_?e&Y-LLCnwKq`z_?Ka_lp90x80J3-5>3RVu)l3J7=n*FfmPEDyPGcBTC@M zv~dowbjJEEhpxavTW!f zqPp5GZovj9Pcz8yELaW1Gx#bwUx@dngIFBO8+giuFd)$w_a zNqU^Yx%~am_ZBT_fvjP%No(9KgB39JSUh%kt*(TbVzWS7x(_uLFJqlJJ*4(x%P)Fd zt-$XYkqo9Wy#i*g@9Mxa?Y}IOaL(ecGb6a72Jj?ph#-Uzwf{{S_l73zPCj3Ivr zZUmg`DQXg$Kk&QFW7WUY66`l7x#%wUMGv}8ljjIVi|2=FgzhaxMq`t<)-4$)U5T{t zwCLQ#Ix6C|mPPWD7doD+<+@PFgw0Q!Cq&}hPjYDfnJq~E(b+U$_a`W>shT#YzF7@~ z(isd=hV1rSk8apg6jGxqx1UX~7|5Y4xSQ{6UMp7iilm1r~5j?cZ);F z40N`O6=+U_`CJQK&ykDMqDs{MwDj>$Fa0{;(sL6WArk2MJeA48qPdk{4Ddn9&ULJo zyteyZsKb5m0Zir$f1(cdJ{o9MG^qVf*`rW6Mv?O^_S!@-tEYflR5`SyjpIp)MZU zjg6ZIWbZr?je}i}ayNfEu&)!_L3K%$H^PW+S*YQDh$-SeL}?yF*WJ>VM>C{zZs@hr zqsK+_Gt8 zC^TTsdr)r&>s{jX2kW#|%|f^Dete2kzs(}_aVGh0$xZ-!tq8q3GZj+b#r|pW`HZ$ zRD^t`9hrB*6fB(#Shgc((5nYgmq@f+tCMRG#*-RN*aFS4Md_10>)aIk#2UU05D-nJ z4P1G90JMxrq5AjcfN=$vt22+JjD*87knDc5(2xBF3*&yg4iS*=z(YR-15sqh0#p6vV>M+;6=R5@i%jk@(MKeA}v*iPs zq3DFq>06TAGPktTmAyDzEgjo8$9QwqV;tv?`hvKD_=9x;P+is4Z%9X=|@2VuzohnLu>c0}$+g^4^gbJYb>i+gblj5#;a zm%*wY!T7Ju;wYP!74M&WMNcD$X00PvcD@q!(o_Qpe}ZBb(PwSzH8#_hK! zpn2|IuK_!o=_`r@uT_>-LZQp-66~f_qFlkM;jnAKlusLTa55b7T0RQ-F&a`n2yHb{&LeCbY2XWng^EW4pUA%9}sN`%6>=vJK_QVofkzJ4o6(1s$BU7 zvn~z1T?A&uOEhQS3$;Filgi^42Q~8c1L|t8#v6II8sf-uXj@6-r(S;HBAeP_dcYZn}#RCSM6%xu@$&l8ui`$BqmTP4)iI=iwd&Rq*fSkAk1es4|eU? zmfNX*zRF-nF{KkC*BN}P9_BL>EUHa;EYV15XSATxDJL2ngKFbPdFB?HSb`rFDYr_L zGmH`9u`uU2rY?9 zG~ycjH2gz`>&FU>(wFcaXDE}MBy+mJcp-`YUA^T?=SsDpsbw3nKx%uJmoip=riMLN za1TglDMLtutjknPz&X%cTH21pN!nEbz8|Sz!|%5aj7L4X4-ABS?LtbF#dv@;C`517 z%M|&X#W0C1PMr}Wr=X{vl;AZ@rSysRcNYAUzBNH-4z_RIrxM?5H%e0HjdD}Q(lnCL zA-Z@;6umU{+ZpS2Jn65E5Zd(VFb88-ER!yPVI;zYG>GvRyg5G+1TrLofS-)STZVd! zNd@9wf$KRIsYt>VAneT*)^}ya&*f;xj=7-|rJfpvYtbLyezjc|&jY_;^^6_Yc7P%` zdDR=?6qzy7CwL5Az+lzCC%%4yYRaLIRF#P1h0{-F&*lM7ETet*!T(^uy0Xj1O}Or24K_C})#=sAhYs?W~fKVT@g$H3@>X zBSV*6K_D%RCno;1;p#YsVZ?uOkCx}nmY1J5Qe?Os^b`WSvB{go-FC;TJ1Ta^DMUqk zFtrPAqQm{CA+iUuK9^u6x5+Dw7k1Z)RmB>yNUyNA>W!B-UXMaF>MD3#e{7m4fF5t) z{kA?4?o}5aPi@=|znyl>(q#WGU1Tj(Q}pSX6)yK-bb8-*gHZPp?R_|_+lgGysrj9T zNm13<8U5W5Q=|l%N~-><3`>sCo(|vdcO85I3oGG*TI5a5v>)|vr`jdyKI;1wtIgfb zXuHaFAda57T~-Y9*kJb(YrWeY+jU^*J(P)zKe3NV{9=`e`rvHBu7F)Zw)>e`=f-S* zf$x=EfQ3n!9TC?-Zb@NWm88Kb8J>NS+UKU_xyBnEHWj_C&rKFkY7}c7RkHq^@vKP`1KEyCr9lH!KgUPz!0-U6q>Y3Lxnl!J^-Q}+7 zdxfyhFVN#?2+rq3ZfYoZ#u=LpZilQO=YCl{A!d6s^&PQN*GXiM^C>)kjQrd)R;#2E z{i#mcd2;IP*ZuLF%ngTV=6c%<85(CQifL4V`DYv+qs}$N8a*}JBNnMbdrE>H(W6^| zCrZqVl|pFMjEiUEk_MZ7bri_1ZkO$(Oe;wxP0H#zClsyKw@3YS`+4;%!p!UBgHcB3aYv5nF}V7WRH$#wKZie{T6^EDrB#C%itYZyHEru3g$9bfx~ zv&E!Xv{HP=*ioINow58Dc2k>j1ZpMLTCBGOnN}zCSa-j^A>&)J%a4(@3WrgRXNt{uWB`2dfqHv3+X zJ%YbG8Rcj^<54+jSot z`me2Thu0tJ^J+AL3wc4M9Kb+?&NLcYn@xC_qwkJmpO8eAzIL@rY5u`|Jwhas$5%pE z`OU8!hOwWKj+Uy1BBmJ&R^51LUi>!)(6}f9Bo1saKdT;dPNFgr_f97_*XCRPb%6S_ zu>3PWDx3*@CHJ4&wLJfI3hpITO<5aEEpGJrE&4ydzG0U$jEggo3A^8Qy=iPcZvI}4 z!)mS`n4hH?R`jLs?WuQgOfzoh<0X|%jaCD`?eM6qPvm2lt7FB%+5Soi3DqbF+4rRfAF73%Xv~(XMjT~hkeGYe(;?Y-*`(`% zY|`oIyt^5L{dhdJX4{8&cdC!mp}*vJ=M&{M9B;3BI5wytDWQfKZlC`;m8_cu=r^w2 z?jvt1$91VewGbVK$*t(avqcqGd^Ts%ARUp+DcX|{8&W)1RU`FT(vyE+!BaYT5+X>x ziN(nxI_RadOBkcHk%`_b86H-!v#uK5uA|fPY&P3>zzVYA<@jPUH`0ts0i!@}yJ8Yj zO`78k79y4%Y4{(TP~wctxi;zQN8F~tUL4azwONKVH{;OT?!~&6HNV;S zI8CnCiw-$T!}$7TJT?hMaeYg%{>;N}(pu7PMgt6M;)F@{1P^=7o%XA`By@jr66zm> zTAE!g=M>J@Amr?EqbT>A&TXw0V7-l$$M@qQ5S)&~JS4KN+lXayyE$W^C!}dl=emoS zcU%iWq&bsOPZ-v^-&LY;a&`5FL8$}&ZDNMA?`4+$CiV?bj$VN024JXZwA0RAL!F=9 zxHjTCPl91v=kz|jCK=-LQ#&;L)*1x6J^LqI07(pZ1yRa|IQFuR z7v$cl(0L)7s&jx%HRIr6hW<2(kOQk9-<$Y=j2cc;3ld99MjwLWm>98rkm`VTKF;_% zAjWP4lR-z&x(DWtzQ+=)Pe;97_=`0VOxc};(%1~Yzdy^PV+mXF3B=to3wBY)^jzU^ zKy`e>y>JFKc9DCq5yhjwrnmU!$@cKI7TJ9VU9QiBSNp21TWTA+DwB=jOhnauMA*s6 zIsaJE8fh)FJL?Ab26J%)VNG|zI+y|Gfg~^K@!|r z2wxBB60HSAjjW3j;Jux%mgQiNMaDpngk%S~YvOMDT#@(*Nis&?-<=LK9lnpw*^b)# zM!ZK*X7j++?5c~vtaI*+Pr&0Sx=r|!{jYD#CGNJ`KatC0W^!71!|aaN)dkL*M*OJl z+X>nt_ZBi9)uv*N9HbMxtruty2$K-1qRPl$TB%SUvI){w-J5ez6}_+;#2JBD6V7u1y*h@4wA4< zS8p@+)KEvqa&e!IL|iSw!QVewdx1N12@+4_d*sSVzAdRy>RNHQ6??}E+pN6|oVtsQ zVZ4QzYa?Pee*(S2tbW*XPw&>tZ)k|Gy1ZSX4xkvN{;My_u!f|{LhKQc^)?W9YEW&= zUWz-Vy}qx0FB8{TO+mRA-BM`Bk)gFtQD#nY?QU|qAC#Z6%u1au#VOOJ)8)&!P9hk_ zhh8wU<*GLpqj_tFK`Cnk4}IB26)G++#d`8P7Cgg)MJ1Or5n1b#TWV$-~x}L6IL+XcLW@6Kr$4<^iTc|e1*d5L3Y9;)F`I%`#zmWUr^k-zchLP?X6K;kY?Wbz6eHazzT zSlC)>T_k6jW*>sC>h%8z@lJEOUFQ)=m%Ui{;T<+)N#9n17>8XJBxh{q05X1Lm2Z%< z=e9GGQ(98mUQ?HT>MQP#-%WM-!vHo3h>pKKuPo3|?;=Vzz|@H#sY|!aBxhkilK2dY zk<`;E8O-024Imc4D4hN_3HPX|s$(VBdCJXx8v0@p?1TMFg`T8XM<_ zNIz5B5mI&B0E;h=WM1|jUVzD(E48b^`5xxl((wBM{li!Mr+y*axR8z*hNaJg+OFsE z@@eg!uU#{VSl;rprdV}h?FcKGlCDEoOQUVU<$b))q*Te=vLeTps*OyAm2%rRyK9_7vzVZKPr~=HdV$5dlzH{%CYjAjNA;Y2E1Bs$ zZsX;ok6!c7J=WLPQ=5LK-#L)JLIcPt&sV;70@xdQ%_1QT%j()!dEBQWHiuvV3b)Ot zqNs4;K%#G69i>wPcnJD{;xoE#*$+rN6ANH6r4KgIuZc0b_nzBH!A z=AIIBqYbiD7OmG{!x;Qi)3`6)0*jBz%zu5j?pkK!SMZhOuMcg(cfYp;lmr^0_K~jg zVrgCO@Vmz8g~JAg(IW&OnqJ)t70{|M-wP;2GI;#i+X}yXui27i{Ge*5F%#IV6^nlw z@$El8r#$BtigPm-qv^|BNeV5L(M)FV;tk1=)7-g7)$bP8A~F!Hi)VK=-S!Ht4cKVse2 zg(!noSoNAYW2%x}`D~3?75#(`wtO(RqIe8faCOYPJSLL3%QOIZ2G-hFskp)F*BR`c z!>r4$J0cn#E1QIgN2e#hw{V>1B)W>Bn^&yc$(I}L0F;Pxyyd9v^-D$F#>N?)ATrh| zS)G^If?sZCi_0H?Fs%EdHQ?gTJ7pj&^qY6#A?O<5%WF zMH8?J5!jCK1$b%!({ZGlkd+sO!wA_rG@W*mBPGdN+49Z9lrjMT*U{={&TRI}x^whe znJj;|GMlE6l8n+4@&Mh=;A}-k1TQ95WrD;LKIR;t;v%PAfl(qq&4Tg);7G;pOLMD{VS|Vhy<)a}^DZVK|Q**!w93*}6M-yo_LY z+4N_%6aN2@_SSJxc3s=>C31;Kia~>vgh)w)ARyh+G1Sm7bjyHBNh2W*BHdC$3L@Q| zLw8CHNW-_s>%QOn`QG32eBU3>Unnti&Ux;=_FBhrtYZ-{Q_|DqmT_loE&Uv2Ect^v z@D3CxE4F`RJNh2ITyS3Lyq-IJ70{zNb?FwGR+smmvNbCV9JdQVV)}W@T9j({ah%uX$Dj_^}2wQmw@AZ+WXh z!Pk!O$cq)>*JtZ%V5)Dw;!DfHFDtK9<@V%0_T5V$xLM-^{9{VH#-qqsF#_en?GIo& zWz3EgIn2~Nf#xj}PXQ;G2tvNG3A(#W*S<+yQq?!&ldWWpX9XJ+roY+#%n>~c_WMZV zZ}4c6fEcPYe+(yIUSqE9uh`a;Jg!@jsq%4M$po-`PGqjaW+hFz!J0l23yn;ejsFc> zrQ0?u8IkQ#r1L7X(L3I_Fw%`w8k#pb&hOTKK0JJQ|7*t&4aVbI-PkK=7BawjaL1>o z2me@pfkuoj_U2dYfWR{ZAX zMdf4h^OT8BXRtf-J-Mj`bbc=`>NOjf;?WJ5Od84GKW*c2Q*Qw1Ubj>v}lhn ztUmnBCo${VD-K_72~^?;Y?w_1RUd$R5uLOSAZRrpUxZ)eG{tkyt#vWqJ5Fpl-74cc zp8+mHFr#nb63;#6f5Mi3;}J6FVWe?w{hVSE)I1d4U$27Qr}V!x>-BrZH+t4h(!HsE zb^im6-B%hd`^Gf)Q-VXejX$^`4Xa6-*~yj4oOpY@m)RpUxTqHy`L!voSvpPRZ)Fjv z*^pptD%;o;W}oFXD*tg3_ONyQm^bg5c%ok1wS{LUt5A;X~a& z=rxHyAC$~t&$I5hc5zMj2d$wgv65tyt1}=i9O!FozC)gXuDz}(xtylV;z>y^Odt+D z&#Spj)q{?wD*6R`D4aTJti0lLtvzZySjj-zoC0F;9p4{Rcgj2%7x}KfQUO)b3$!EO z$g3CT@Kh*0kGXSF@zMI`&#&8`TZM2tYnS=<4o|tRXk7EV>q!=gP%lF)V~@iU<>T7a zRO`&brX+jV=pY}9gvTg!+zA4#U6KeIch=oyn9kaP`_5;&H(fthX|jw z=X;Z=efB;@1iU`~2XTBLCD|c|eI;hLG}V1g3n4aOr}m9A?G4(awaRV^CT6aXvzito z=B?k0&+iC9z^C9POgXKkqk^JCh21ZH>$%Lm<=vWyxY+Erj?eF*WtBZSj_gR3*gMzz zH7^h;I`ggOL?qQnc(Y!W%Q{e2#AwJo$P8a&) zK+_;?Af6yC{u0`B`m^C;DtB}KBHdR?l;^lhIUWv%(0}h~w;J@c15J9H%99?$!4c$i zK3A@qa~^P%UH`IGO_RnhhTj?(Le#QwyD;k$E3Y)+OA@99w{~G-FClZP?=0;t-}=pj z*OpvCimsShR+g2voSX=d@-%J$ki;f@%bhj50*;1Cc83hwMqdK^X!(JC>|jRlBAQ2( z7qv*!_;k#5dTMe=LcC?yaL~?Oc=dC@{`^a_*l=si%jj}^It#8l0gi0=1W&4a*y^Ju z7FvIlQ`jdHDliI)f`;%aa8b72b40@=5@&1*L>n$4*Xf`A+>KcR0tk2K(+PejvC^x{w_wx#__uKF{ zYp)jquXu~S>SQqp&{%!hHYL&8;iKrLBH`m{4twve_T6X>z>SE7IkG-&lazq6~by~gD7N%Ar0)xl0x>vDY z=@r{$W14!2ph0Uqf{lmbO?*K^=zR{(`OJ?}qyv++>ZHPtGIYihAXz(HBmSLrqxwRR z)#ld4Ps(M++Qy{7ncFUy8d}Y@oHcJRP)d^ks+4OIcmdaE$?v#lcZZ;@8jME*1@gTW zVQw@&x?}eFmr=QYl4Xy*BVly1yzt*9%ZH8RFK#xh^O;4`%c4<6BL~=88BO3FbLUDb zLBdSz%jpkKr~%I3dHGJ|yEz&A@A#BxR$M1lrN{V7zZv zvPd?d^U58NchL&Hc-zqr>Gu5ZMJiKY*S~vePtK<0=ILo{C4AU@5MHW9d`*4=4#V-~ zWM~Jnx&Oh}4*r*2j&^{d?)(-MZ*HqzSWUwjL-RyM6Y?WuK%4YO-3xhA)DsIas!xFY zKWu<`7_#Vc@7)eRbT}6|BO8i4PqqK6`^AF2`e)_uhad(6_({t3`JqreyX;HNtQ{{a z{@-qb;7yU6Ogou=^wXca!##PE2@I&>gA)W}6ZzEtIT{U8(SQ?wyQC?9seTASvxGR7 zV=axrVOm3)F!jm$YWArx*xDIfCTR_j>?11~IpAD=+FK@yxc3q0^p?E(Hi>VW*H!1^o zjRhLpG=u`4klZ#!Wm3_&Hp(mF$dBZq_lw=Uh8I6CkTOzKcONu%n?1OUJt!%eXI;@F z+ikTELF-8SfWum%9^r65_lUygUd`;p>bKu@y9gv1*H$3s6FXM52|-MwySE|tpw8z? zA9;>G(MgYUJgRFnkdUEExw{b63byL=O?i?IC6Tk0l_#baOChf{S0P~wAJ3>Hxw}2u zd$YS2a+&(L+IPO1X+5V*A875Zg8n%yHHfvy13JA(w_Vugy2F;8=cQKnPhx4$#5rKC z5})RwM<6YJyhyvNAmF{~cX%c&lreBN%Et~%+#N3PN!FU6Js|Rs8D#ot<1YU|2%MS* ze@@Lj77v+&jKiU->YA99OgW&pfQTpu#~Gt{?O?Zi*`y#{lRCu2Ge0`4ZM?1DP+95B ze#U;pa@}Ff)%e-D$ew$#^~s+yS05n+OKsY*A8Np>Rd7_O4{bt{bieTvIq$cuI7)F& z)Of7@@oR6`$T9c!^UDXQ$m%(n?Z%;TgMb7vod=3OI%zqmCoIswY z5Hod48(eF4+-zwz$?3ckTM44}NeB$}I)&N0rJ>=8@FhM7?V(VhlaxP5$tetu$d>y6uXM7@=Hkj>IrII6=B^we z60e_qU|pDlG?)*}s+1&Z7sb|zpL|H)EUn8-Ltw|Bs~F1hx;>C!W<$=ygw<)vyj2&^D=drO^J|78K^A=vik+PLImWPPVvBG$WLd!R9Dm)z41S7aO z$2G`vb2qz5>?PJYnAKul(s+ec7mo4=jd-6m;0T-e90!SBX0*$sqo}vpGug_71J>A~ zR1dpx28d~)odd|6m?Nx?oV*)=hAYJ!D%M!7L{f^M2VrH9NJ7}F%Le%51S z2;&(8Vwz`o^}?5?ZkN|!r_<8)7Yr^oq>^$LD#}j=-@~oc*bwMjo zD!0VML~1KHm)~FKB)kHdc>RETFttrG4kYabiwcS_xba0{n&t0;L$-EK>?^7^E0+(V zZqIYWIO|g#;}UG-jaUv~ieK5xD$SlvY?^G-l_4JWNRXaMpbJw3PXP<{?#z1m-JpPi zX*T1k-~opBL73sENiL874z88ZApAr^PQNCm(Jb+SATE+MB$b|8V>q{APtJRwAE8@D zxK49~w9z;ZeGLi8&=ie}4QneA8eQkwnHaS9)+my{i;DaosDJ{El zZZS&UI~4zH4cl8t(s!jRgwk+FPD)5CIf&io+|Yd3_a-^Njkm`I{<`ln>H(8D^vGY? z+NqR7dECe`&7dM7ZCtS;lhK9Le3bATZOFc{ne2ycC0^V)^UYN*-xntvn{v8x6e7BZ z+qDOatgU^V9Tc@wr&!yOqWxrysF-n!M6<_?;b3^E&~i`2N&^qs#wpfI?{~e>BZDu90_IZjT8_gW9*+zdIr##sVu106x78@9cHcA|dEoraa3(QfQIC{8 z5tymFtVq8Ko8$uhSY;Up_)_PS9IM+QTdtdRr-#gm23}OHo|(U2>1Wn53;+YOFGKm~ ze#>g31H@4|z!7}Lc9K4Ao&G2v6EC=KWo$@Vsc`y4qCH+%*n5d#8Uf~UyE>72`$xp- zrxolsQfDforgJt@MA@6{y^9RiR|A%4GW_UQ)IS8ihVbXi46HT{)vy;UOCUd^2%5G= zPF+dJ)y8sDg+yT*zGY@%KZ{4jS|xhb;&6}R%bMM4PERmoiNJgd(Ia-QruDEVdbCO*(39Q}}p zeG3E;iGb)w(BNoSuxxD%if5I&8$I_~*ZwhYEBwPRw$KZ5Dh3AF9G+Ku!BbJ_4dQX!Z`m^0y$w7EV8oF!5xf^UV{{Anid&33W=>AJ?+} zG|q6djQ^Ho=KLsCNCu4z^}x0ADA(~JGeH;hYxs-VeEpjvZ2uIH8ifT-h4mg%Dc#bK z6U$fV^yKvO5(Nb!MoMO)=PT;-&d=zNq^GX3Es=7gZ3Hjft@AmPBX84eG9G|37@fzj`(_ErI+suMD#}ZdJFfjY`AAl)&GnkryM9;({%6bj zbdOS(oS(Nk&Si}o)n{k0zVaQcd-=G%!0)k6Z|+O7VUOz;g5K7>roO=$%QA+(%L=zy zQ@4cz8=xgzxK=HlXdMf^o8Pl0&j#Z)@XqfwEKTcs5xY9R&;MvCoG)Z{&1U&sgi-pX zg4I4}#0=2lO3tmEp?imoQ+_Ntfidv;&+3l&eY}KI-=u170RP$aYkx7;$aP>Lle4+y zsXN6s!xWdUZG@@^{!de?{rfSv!ag_e>{ z)tKgTGg*_rNO(4lMtoAYV#NNZk%He>Q3q`Sk}~?X$Z4SVFdd9qqjM=Ln!XU(JK@}> zb`w&qnM+9@ZWUoT5KE%|5F4%7s_FA};|qEU^hh({)e9Csd-QorEnHqrj5c-5CG`k66~x z|9lGh?(XE{@npi86eH$#aeK=e}`Tj>SYoziXe({P%1ln70x1Q=P5+`VeoYO9-ceMVGLz{dKsK2@rqNoKoD zMIdg&nOCZ8v7i_gG%mfR=hDfiyw6%JD(>j8Dj`bCc)XkS9M>#kK-|I$lz&5o+=N0U@_lhN?r5QwWa6Pe9p>^s-No*9yD>4 z`X1howBBI(Zz5pw2Ykh_$d)=#Uotbqb6B{`REb zw)>T!_s8NBobZ0mOsIUBUz&yWGiUgpU#M3^d> zhBf%+vm?hxQnse1ez)EN`i+h#Agy}d=WP-`-)eEgVYk)f?}gu`AUPcwt+$FhJViWT zwKzTN)fNWiJ4Ew-9*iNTT(?iD?RjZ4ZmW%?k5?Pv#6r$g%Y271cY z+IV6*$MKMK6;xiQJgrBipFm^LucAY=UkYcQJSbF@TLmk^%MuiAB9;NfPK^jUb=gK&0|QAwwA*4_t|T$!3-2&kz71){El z&v%1*jhXBL8NTJbp5m+|IRC*>U~K)9G!-X-@cv(ANi+M`G3l4|c70Ptg$92JGukbiL7M#%zh>QpR`!qbxGM! zpxAnzfYgv5Kf@;&QPqP#)Md6W2E|z~ot--YRaa|DI+S=ha%@}O4HszHWyF>Kh~qg{ z2Q;@v5)iAd?+lMOW6A5@Np1+@9y(3T9y5RYI0hwxr&kBZHi3+|&G(sWR4Da4zwFC3 zmbX9%!@XTnZ+9N^U6T)(0v_>EXnw4Ej5MYs!`lC`_;|d7>TR#mn=_81A?oY>ph~I) z_s1_+xDZZ_bt;DtNRv)0!hrV%-LbL18#)6JDx%u2fOijD9SrI`@LOQQACSNoXgx9w z!bJ&CDChbJVD7&>8SuS!p51e*k@XnYu~5W;gF5F;)2`L=d0k)Rp0?F`skH~FaFm;% z3(2#j7AdM4ns|F18QU(yaX43041GZlzen*fT=zXQ-3wevfGrP}T=BYHssBr3T88B2 z*3WjW8x&M&ENGl3^351f`2#RDupAEk!^GyX>=L!Zuk>kvib9y)vc`J6#2HHq;=Po$ zhA(1vo^=c(4lWZjp;}SvV9C`u%bV5H*Eq9`Q~De|Ke_jc$h&nbviw|L2H8F?iJ?3g zMN$EspwxH8ZXV5fa2Q@%08m0rdVLLuw!gbjxVrDBaVU)w%h0;5w@HhJ-a0{X)xXvtoyZXCb!)dg6QWteVO|tWvfpEh4&F?Mw{HDCzyVR0aJan^Q?Ch{2AsCnD z=yaj2Pz$sY@0y?9#^tIBb_wSh=g|Koe9-!UXC?jZF98&&(Q>G39G_7iF1y78z4q`A zej@5aGJzScyU;to%+oyAxId0mHdDL1&p1ju^*oMTz6P4>pF1_n5y6YtVQ|njW9>H* z)dX7l=%*Ody-k#ab}PAi0N4rx>!N`^jG%>|=hp4j^>kl5O>N@<%t&rWO65Z2D!Mo< zIcg8)pWH!ph+YpZke$8#Ron5Gno%&qYGv^0rT^YgrZhQ;=&C@#X10O!Nj+xVl7WYM(EI$`|F$Yi6$jG_4X&%Ks3wf z7?qE-tMBVK7nB@-|I+2r^_O~ZKS)v2Hl+;7_s4Z@inDG|eYBUaA7Ny(>M)*5rh^cK z3UxGF4(C()y0P##CfbAa(3Izz%ajs^v&{QTf49pw{&1NCXQuZr_+6~bMZjhb2!nB` zU6cL<>ikT9NlgvTZp2V~?~CbrlX_&e(h2iB-XSmH_^q76&zV0`-s47@@S)EY5kqD# zFdHR+d)TqX87zX;B4VrkzNKCKtprWGQg27popMKj?I%A+Ow!7xpRm6!l^os4^iH+T{r4}sUdw0G>xXg=^8~R@us1i5pI3T{( zt7rSav>{*jkh`?^@psuZv?of2QH$D=)kLpyyDAXq}kc7aD)S;l|T*wk4kL?s{deiu`$cT@Lcj zvFm*(E-uZ%_sAJE9p+#}E^slZP4UYUJk{ZW{#^K93xE-e^>!CG0qQR#<+ai4&=zLn zNqkCqe4CHn6*z73!q9`i2+&Xmtr!%n7*1`y6b@tY!`<7A^UKH$Ad0is1g5IJi$6X} z>y0~uT&Mc%FtwD=nV^LQ$C1W#U^H|Lo^;3{M&4JWIO;EaW-t4{1yf4?+o zS9xrO(6vtd8CWhe|FPX72G2>^V}Z(fbl?st$% ze3mFgk@48h_k(c^YzEVZ9rU17Qp96bPYwk>-bb_&$!B#LE%e}-m7QUd?|~NED|$Q; z5#Ya2V&&ygqw27R^*B$w-pHZt&Rzad@;kgU8>9#PoPTxC&Z+y&FYNq&=LmawTaV-k zGO+xMGZ336&0qa;&vzu@)vd96BdJThK7tT&=}`(*)WxFmFeV8k#Fw6c@(;es3JS;UJ5Dk$f@0}7yZV|l(2J2__xhRE}1IK%_=W>C#Hq6n}_Z?n50E9TjG9>9MWGTk3rcu*g&Tyh3MQ z6zeg+?%{u)eZ<@ynTQHHv|q2dNG&yp{{b+4po2ss9Fs7Ahi6CmuaR#c>gh^i;^OUh z0Y2gXdc98>dM^KHylRN+_vCPaKx!6M%LO|n|2P92B2q~nW&}cRb4h2HNJ`2TaJ9&) z?q3qZz<=73zUv_K6gS#7=r+}+k@N+hKWq-@cxbfB6(~eMvZMSSb;<`F6UX~GB7s(D zRbSa5J2D(+EP&{b{1kD#FVc(GwEOV8ml*;1ulc5?RQd-cj3F4N9lXs--|erYtMMS zfdrcoItiu@r9}Ol4DmC#uUx|7%DfE;+uFPc10wlH3ZAJFe+nb|c3T62UnjfO!uHRu z%Fy!D?BC_Bcm2^%%QcgR~8@4m&nRl%hF<%QCDFhp^#F;{Ao=Y(%aY;r}j+ z_$#+(nl*^i`Gae3cgGAu*&5-&-Ew}vAeS*WKp3k$p}-!NL-zeg|ypE!Bz=FtTa zfKhojy_GqRXN&mRft;*!pfb56g1YV0`Stl)`qBt;&Yu=&5*NhmsmT$4=5gOIj#T$8 z+iczVr!s0h<&iV2a=n(ioNki$3B|u!!%hRRhz`6TWKB@pAacV*t9489)1WSD3izz= z%|smZP4i{C_sb#Smus^nVKHzHbBJ^EwbX|@_o+~47Hb=C_qgnpPyN4g4Jb3B9Gjb{ zI8U0+yq;3sk`>{1B%YSQ+?tC^*fO8W`K<%|uf-4Vimf*a`vJ#{cMy^e zawzF<90o?7xhG3gdHR3d5`iNTY-K;FQCs?v6n5s6T&6NkYGuzTEe*Ujv)4dlp7T{o ztL)%HtK;%5rBrFXMQ-7Q1KEIdEh{w%P4P+8ILkGhO_P3N_7`eB&Wwp6$5pT z!`6KPHY|SnpQ{cnuM8k6S{H8EN_1`wtCs=&#`H%dTd#M?xcVu*HZqu5Cp$xlAI3`{ z7b;nuv`<^`+C14_m-=ZcfMThvBeuci;Q*3X*^U`Dr)EMGD~+_creT0C1WZ3I9iUMZ z+9cQ~-{R0}-BqmlJFVw#80zLQz9|8~HarZexlJZV%=hB~J4n0~Bnn@7cqY>*eni5q z)lL1PaZ>nn>&Xg;A^p;MN)fAm+arTzM8{F+FybJZ9<=X)WY18}Uc2PA2NWdP=pHEF zFsT;A#If4CnNQJ-Bk{gTz4^9UJ|f#IPbBrj>!PrH5r*Jy5$F*KQ(GlY`faC@)0*Ml z6FmdAb;j{|TgsKC3HKDRJ3O};76>klc8Rv-5-yhao5}5Jn%lgb{AlsJUVFt$2%P48 zi1A`bv4IRd(#k55+CDs`w^*5hg~fLvPPIM zkZv*u0}q=VACH1J@#S-ETye*^{yvc*ZKG}GbNnlE+aWj*wGc=TX!nI2i>25%^<}DY z8x+j9_fuwZgkK@<%$RI1{hZSp@6pY5K6p&Fp83FJ&K`A&YU7SnQt-|b*`+5%eex47 zg04!4M^;Is_p}T!&gFhLLAJGNJvxVN{F9!r=_kK*cQ|-Ls->=!y@oH@gDTFnua^nK zBSJkXu+XU?yc)DnZB!SrK6xzPEp2%*b*7si12YhB8FiOvw5adKC4CkgH0Y|IfBkd& z!8D@Gby2wWlmXo|gq3`wq7baq%Xd&P7O?g3Fm^CNvV)fTT6gFqSai#s$ct57iQ$}L zEGUg8;f;YXeB#V=PV<7HQ4)2sqq&#+EOQ_u+Q&o^#jSmS*{k2M~oRQ5T`DNT5@smttud`dzyQ%2^`LeBUa=?Ni$fz z?{3{z0JFtoka7o(MX9spJ#5J{!lyuWngp=SS{03gNj83F-~8;)Tra(jI8-(!!v^I* z$Ur4N($uCAfKVh8&Vk_A`QR6)-AqmFpE8VU6a@ep9$|_*qzwPC6j`rc zdw{3VLt;q#q|-Fc5{cXVn9jTW_{lWp;u zR$=%tIQt7kU^6B}T!C-Y)6L6%4?(9=)WqNHE`3cU)>^%e?x;|1D8)a_NR8JNk6ay! z2sQ-d10H_L&*IV=_#+!)U^MQHE8BNLhmleDEpBhCq}@i+*YRM8*%8o2H998247hfM z;^}YEJl}}2=q&S?O^??CIZeCurSXGKf9wa*u8y|94jeV~3{MszBfMDefk=iY7cs^z zY4SYR8tSH@5}7Cj+Q^S#&vV#_c2(P4>n6Rbmacd|uXCXa!_08YCij_dAsW0WUYggi+nIdAL*R5U zZU;`}s^{ZYheL93>rCIUlN&zU9?mPF zX>w0ui``<^7=&`d*$hw`>M-5ppK-E|e0 zAf0`juMt_*h$onOJFaZJ3XS!feEWe1)=>nIn~ifm&~aiM%fA0Gl?#YxbFY6zzS|mM zHScT9jB!yB8kH=7X{4K9gay_SMn#vgh3xK)T+<>0S)k<}EIg90?yF!He0*0@s#T^@ z(5EKU5UN2gwyFfa`|uX{;f5_{fe90Gipjlc+BGS|_QXc4xQzD8T_%i>ceH~fx31bJ zNaz$Z?yk@bmTX_1KNl>O>I{?l z>f2eMYJ}`ikw6K2v}k%APbHMK{39uc(W~hhjr5i(XGpgtvT|`W^DYObdO8=!)3*!< zmKKz;l5O-@3zZj>Po@yOB4nDF@7{GMbc;>h%?pbQ|2C|J{;*%F?rxlW*&LKwZ>Am@ z=xBt+vH!U{=pV)0_W(p@_%Gzf%40jl+3U-7QS#}*J^>N|CwhVc!++ncf8R8>yOk)x zCZABd)S7|}+wE_AZVc(5`DC`Fe^aTY1D58o6l~7-UCVPu7L)> z-7FR>2+O-4aasmCx7cF;{`cMc^LyYXlHGOb{^za;=cDh+MD(8*$rD>>y1BAfOpyYM z>eY$35%BLc4`%q>seXE1xu-wqAZuN=Enzt?5UI48UI<#;`&pb&4)5zu` zN^EN=x8Il}H4z!HoRVK8?psPz#!fs;RgZ5Fv~KwKn*I0EWyN%Xf7g+z_7ym18^4C- z@%-!A{ZC)s_e;E*I1?&WOoq_$#KL%&bkqL4B+&i?p?=>NF~6;>!F2Rm8M%K7n45Ub z`_-Mm=cRrPRM9Wc*dJLbl_+N8=~5{7?GC=$}3Nuh0Kqzq~5E4^#}rcDJ54r4kOh zUb|TrTOSH)0Q9e}h_j$8(<%GE|5F!CjF|amw9p3nR58gEc*3qCO4L9kDkc|C)WWP| z2BHW*!F;w^b&9I#e?7ndd>IV9yHT%A&YM*JKVR8D&-~Bd@DnDWL#j4Utn0f>)&IQA zfBhi;<=6kjr~l2*#w6e2n&pLj;#Vv8M?nQZ=lfAxQTF=uxbl5fpzY zBA{mdIKZ3TW*_ThDU>}&J5Tz)wRFN{ zI4r@-DdbRDVD;e$7;EDn2fR`e0Ba$VP>hy4+g1)q-GLsVdpRj6c!1|43Y-mzO_!_e z%`QBdv?@H9Xk4fQw0tLntc+i$`V4>rHtmtr_D}YJKa^-MAUtD?J<<6)TBy)^hS>-n ztX!#8>u(i{Nm%R|98 zU|?2XQTjMN6X(}C552X9eQ-?*6Oqb7yWGxTsLyBZo~5kqMb(s$99wD3B%XCGQXA>b zJp6&a=#i~aZ2{(xSBX$JRjRG*XHcrFbMDZZrB7{{s(GnL`3P9%c^X zzVGA;k?Ioly0EH(3I)@{ZV(KXiZlBTK_a>noTgxv)PcD$EMKARvVsL<3A{w-G(YT& zW|pmvuxc1_Y=fK}Jr~K{bEe^15t6Ek!9Q$U25i%d5hbBE%zGDcP?=E+ z;;XI->cY$28Mb1=(|^`gqM2LBpLGR@A6qM^i1x5{xmQwLyfC<7*H($zz z?i#7B+WTH0{reL*p}nBcqEd{xn^*LJ=v*BnPKKED?RxWEkWG!qT9r*7M?p=uCfuo@_|B4PQXW5?X%OFK(IVN}W zs0y|HDnC+EKGVbW#t9v3+#_i0pO{T>{c!y*LmgxfT#x)So}@;9qz2rm`3vBU3rrF& z==q4uiQFx}^dfduI#~>##~0Nn1nw-4Pbs;x345OdF@5P?!=u>cJFJ{OuR2m3eqvwd zj#BqX%P|epHFubVKL1S8xkS1}Z>bNm-k6e)=%YlMUxCt$jze!;1a zDUz@ByiXQlbwAd0B#$blO)Yw&e?;bvgwMoDE#YWEVlKo* zg=ffyQfpR`u{t!xt=jF=#;x691d%I@H=JvoBb9!8c3R~(pmVKQ;%maiQ$;aq93>&g z_f>RCeaM-E!0D|*eQOMQd@y9Vd|!n$wBsA@y=k_Cye;pSR4q~ulW20^?pA5F%lrlz zG7p+A>7E9i6LtXpT5qkn$GDj4eb^<-ulR*Z@{1xN|5jcmSNS!-7ZQPIU#sx(sG2OE zgEN<1cw2ZmfKfU}w}4KQ6HE>?ej0%R6fC5keSkdN;Xb-J8c`nM);N&)4NnNwB*Uy(Zd#FdE;+RzeU zc1Nj2F7f2kg2aGpO{_qA!Qvl<4Sw=XR4qbIa?2OdQT zA`&;EaF#Bw+)7v+$1c6js;iaz%l7SIIp5r)S}qQC(opHDf;tr>ZzD`7_(S7>Ml}z# zBd=iV%NFe%S^qSI(Y+uA@wUEFDybs70Ka=lbxeh^%d46v_T^dvbeNn>1kl?qBW4-_ zN@s5{#leFnkW@l3gQ7@-Q01j&+~*B_5%u z?ew5b&zhwb7jNAs^6mw_7m3jwU}_awFy*`y%xJ!}{Wra3QT3dc)qSw@ZLR4;Wo9PN zfxXHMNCtd4zk40a4KKdJr13J|tgbEL$#j<6nvlmtfNIeo%*Gt z5(d|8_&#inL}rNn#SNb@H*!9>Jkd({U%lO0G>L|!b1y?A;i9YL|#(AC;s5Bm3!scMPar$q*qSG2evR2XVM4OV@;iVkVtJLC~NgdKnmfcY? zYnqB`1m+$|>6a^vvU;@FqBm#C!#BG~m$L-`RZ$a9zjmTD1b85h& zdO>NHYX7migHg^#6z-alI*(s% zVql3{c<^+l#*STZo&Ajx6IJ8xQh_v;Z|pc#CKJ^eeTVIQokL@AZj`%e_p>2HMqSiI zHY;$ydY?X6g|mW}sCUSFYyK2R2P$zEjn7xPocy>^$7q*#C0X+>l^Z2JaA#~=d&W&M zaw5_5T7=Ewb;tTuz@YJ1eLVJ8`0(e0^{6 zQ6&6|P0BSSjkd1^Z;^8xa7FEw-ULz?|ocr;7n z-{<43OF07h+8{ke);WySgB$cX@)GU6%1ChXL4SH+mb)Ce>0IIziYS&>l334u{S2`e zRQWs(k2PzJgT}jN8pH8iBwq5V`Stx_HhSv84sg{YC$+Z8ts75%@*(yt1n%J+ToHUx zv2XI$#x|}E*)k}Ch00kLf#DL#jHz)w+WooKY7rc$%03^AH*%8gtQmXo&}JRx z03TBJ!76@UJu{s6IGO8@Idt{E&7o1MFl^2;|<_ zhV#BR@N#B~&pRY5r-2gmKb{u9=;zODCn0%YHPgw7PQphCcAWs!pNy`>c$yAAs*p9E zwz1=0d+XEbR9IDI7G>fCa?hAH2o!h~kZk&}e;YbqrqVK)rCJ6GOPuioN5u!MDo^dy zK2V+i%h#FxA7AG_Kq|y8B}y1L!X$`Pf)&1#-7$=8>^+?(VdXF%xp#RJLnBLugYCI-6Nn+UJow~!ij z5&-qfUbf&vxf}%4eDw-jC)jkZ$*}rw9G;t|Hh~XW=h!NZcUAz0a#+ficGtV! z177)dm4+=>Xvo&_*In9dKbOX|5i#0KiFN#v>u3uO;3a*+;OzVM`b~B%?-m*?Po#S3 zMgP$R--f!|ua;ybYL3(~bY4>r7MIl_D)QTCMik_4BlDep0W(0f8u7s#1mJtqQRzf^ z%fVL2Ndbiy(+H(8XWx6ICqk~*pK#vzQ9I~upv92tVBC@1RTb_Up6`3B=7dRBv}Uubsn11Mi5uK{MFcio|p3B)sg# zkdT>MSQJs-VUpS(?riLzG5?gLaG3xVWQweWOGXS~sO|3tLdo0i3wuuCYZVkDQB@RL ziNYmJRKm(KfVWfy&IB~Bi`uOXbn;cOBDR%dnx+*p_{XsKkqK3ygSFYCWaNuX2fcdG zmP@Mb>dI@~y<|-$suW*z|M{YDTc?%n{JQt)IdtC8!;@3+YA1phGAmnKJoLkr4=!t^dGVJSp=f9SHy1sxuAG}B10 zJBe=XOxRMJdtrUW>BU+J$y&>ezG7IrLOdQD-+I#J7%@?tN44xJemVS>kA9l>p;~?| zLwck!9)qb;5F+pVEuyrcwX!%oe~*fexRmoeb_A8$GUsIZ^%U5S-R)!|Mi0O#m!w9F+AP5`tLSP;~7SS{RV(dkHC*= z9%4h4Rk1EeM}veYSR=ll6}x~wCygU4V+PK6T3wIxMn09fhO?l(l=O|Eip1RyTnuye zXLG~_(sOFC{?WBC(@aXURFCTPZ@KT2r>`?uj7g|#!%Um0!`Ai5{X!4>`7Xu8h#e=t zbrolMQYp+iLYb>abLNeQB1Nb76%H=3Gy99H=ce_+2`a2R6Nw}ONmV}x7!N;&`*^zE zw~$GA5*GI_V`UQuiEXYP));0-Knlo&SwN)9Wj?w!_dTohWQaNI05u;mB)`Tj*3~w! zomM676YDoIB$^GW<@jTYs%@DO&^wqRG1B$2)El6Yc$5@BmJhgI;q#G2URv+#JWJ&0k2C@?=s$jh!<P(QhOqPE9HFQc#nK2r^*arL7gL=3OuWdtGjv?v{~~At%?eDYg)cD|8)D|s(%V>J+#m_NVma*5 z0~rLYmm&v0RPl=0d}fag75NqKgM?{K%Pp?m9s2fo^J93ge5Yap$NPp&wGWXji^k+# zIggI_TL%~R-lKsRyL_}(dW|nF@k4~JnBnPqv01z3!=>vVna&$Aw++Orc15{g(y5Djw)JNVJ?oJN*T(?We4kVP@QtOWy9ma{`_7x~XZ}YL zUnS%D95ad(wP@d^mvc-lA&5*8Ac!*&ST|$Zd7<&x5CuMEz{qVGl!sOOl;))~GuT=1 zG=Ld1ssce%aG;S8ilH3A#oC;We{j#_OTQUp@ZvgpC5m#yx3GvB9U{V&0sYkk3v$DV*{A%c;Igzf~*1E=}%5)K=G1H(7{?Us=Q^H&9}!mkbbxH zZqo&TfCx@WXOSv;7z?S7CW8>gXFzr$EAoiQ)=|vi6H+FBHrMOz(n*+~Ee679SaAIN z1cs@mF2#VBmthxA%jbYa_S@VkVJ{*UxKA>~6-k+p{YyUlG%hMMGF1I;&sFBJ;FLaF z`sX^y>I2sa>RL{Ly=5JYAkdbGw)+4wDg0nJ5Ui)VzrScy%-~ROPFDthF7^qi} zlo#JU?*i+W6}v0Z;#;HUDjPnxhukE?{yJ>Nv6tR7n4T;He?SDM$n}L)KLZK%62>kd zj!?_uWrQ4?pU?NpUI2A%ZX9D?t`bGxQxBN%9g=?5V2l~^Bva~l|01SWthID! zk51CUYc7#aC}{YAzci;nHC73(&C=`95_P5))fM>`; z7A}WFqEYHkMkZl&+#g^3GPo|rCG%zz4(uTqmiq-K^NvVPynxl)5TIlLxYBJp=7d~O zWUXB6+T+!XY`?z2hG+7bvR&j&2= z(Z{-rN6F#scC`aGy~AnKO-V~7>83ECzJMuOhz#oIqZ?o<-Q|iZuHwM0njds3gmo9bWLG56n9rb4I8&!yOaIrr1 zr>2L9Mu!jP!FSWxfGhA7u-|+LPPbr2o9%k!#cT&8DAFCTWB!sfbxYY}+;N!W-mV4R zL}DoHn!cFFlKEwuz)n$QhrObj(JxfkyF(i=JjosNDZK$)r$nNeR-1*C#U>lz=UyeykDHrD zVrMg4qsE_X44pTN7w8yt(C2e#6|k~uyU&O3-BMUGrK4EFs9Ry2zIKKatkfGZ5#|%S-Q^S zr4}k9mQIOIUIifRRi~YJDA6F%>4D$7(kk_bJil?Y^k1f7KwQd|3&zQ~0$A__WMG_@ zu=5}q(W73l&bNXMa5{z^@NFy$N`}^KatB0C)`=QN4OL2TL?>t|>lmb{c@CiGCmPN8 z7U_K6C|mcTaBf>&Iw>8zV^?-9D&lVpC5s#sRd%kPuE;~rs0U@tDSvkj+!#~&g6xv0 z+u(>)hjZ%48HX7AzUKSX6H~1^JdP8U#2Cee&^>!)`#24l1uEwFMa|`vpHbcB%`7eh ziwfe^sk?gWl0e_tr@Ho|Yg|pm^)vJ6`)6bZ>&gJl+`U1bZhv2YoH)m-d{AX(A2X4m za|9ERHgNOLrr`G55_`5|uC6&Sp25TAXsNnmh^O)HOB8Y}#~9#+7}CCq3(H~HZqA>Z ze2I#OU~zE5 znYgxzXt7E85!CWVL1GMKUNoqlU6ugazG@jrr(jDc;E)%oPM~2Z{-g#VRTJyifw#_K zS=3iq8VQa&3AY`ZV=E3Xl$7;b?>r#eRB_n{KqH5HRZwHB!y)Vgj4`9`wW$%Y~P$}2j$1PWQt5J^L4s(Nk8xA4ntr62G{tgSU` zJWf2WDdq8qZSv}AW*J}oAuS!!IpVDTUE~=#y8I8)4)UOn00zB8Kvfb1wHxpvvsc?3 z`7l2?{A$|=sNrde{XhXR8b*j9?Y6t_CU=Czl$%7iKT%qS68xr{z&6b_Ijjpv=V=mW zsCn(DZ3XnIuoy&``QOA06ni3<+67?i-+GU*cT1mxZJT|AoZY_7iyn}S8A;5G6^fC< zw}|8`$fZ~fZn5Wx@<+GW_ngx_M(9*Z_{c=cD;~K6B5pr?A0n?W%{GVGKd2jgN$91>X$Gdm;hT`@$ zS@#7#In;8f`T^pho2q_aNON01z{a|y!m+qER&7xxUFh^hSv5ZL1Lf z{$ZneJz8aHxv!SmaiI2tV{iW&*BNk~yKNQhJQ%0+ENU18wPVm9Ei|ko=}bWUIwtIx z$vUO1q(QFIINuoJ#P0AACzsY|(0VcVjOKcBYDLHT%MRRXl0KYQWA&1tVpACr` z>nC(->DI5#J~Z||pD8;$jOOU~YZzFQ3D$E1HW2U`N@zB6VeWdh15;;=M66yI?x|ps znQ=VP=U}|`Y_vJ|fcIyAF+I~8x{nF>hn8^u{EdZuZz|;Cp+h)6HVhrX+1Rw9_FqNc zag38O3uc4MX2VcAgk2C`VF;gwO#zcw9+^)H*c+H9pkDzXvij=W+pqH8MlZXcT9MsB zYh(_EZ4lI*0AEG4yz=1}Mw;m|xiDBG)=wFR3J;qQ)ErBoUF$bot;_Mgqe8C|AB6Xf zMf?jyr7~!Bd}a(T`mq6qe~f*kjVx<`Dde>N2{@v$i@Ka$0Lx9zswle+Ncm$sA2zH|h1(uex7sa4?t#F2LKS+~^;*J)npvZ%MN zr<>uki~+>2YP?t}K7uj>!rr$ljZGB(_1Oc6+{h1i#t?va zy9DZ%|x01-*HM??An*jdV~*m{M@;n`sK10Z@>&I%dH z*B`49aWnBytCUwrVboyaX)txDlJP{3(SZ980H=2=xrE8*~~- zJM`JJRBS$NLUv<1nO5UNC2pbN9-d~ek;*M$O919V@OyK_EnMCX+WN>PBfvoJ^M-U5 z2=G~s6dx$w*GDJe+oibOrQ3U`^Mk~LD!EO9wE{ouBnO?{WANO%=z>0D$R`P(p%GA@ zU-?&{bYCFkb5~*t0mN537x8%T53(IQcAFWHwV@+IWBYd*FK0!Aa{n42g1aQ;Il{Ea6!2bL20<{$5!PM~C zaW;OflhSzoVC-L$r`R|8S*IGB_8uVirqCWv#py_OY;dDF6Q6hbZ^~|EQ}B{#tvWgfX^|OdmuNl z2d(?hVa^keRfgBrhXRMXlk-H5ZS30R`mS^wu+*cS!d)BH5`S9A-E2Pdx7GV9S&3km zt`O-M@@fs$7;4atJA=K3yU2xswyQF8+ZWP%YDsd!!IQfB(vi zekNCu`~xS!*kT(uL4gc^QlB_65m*%5&Ccw_0H@Wfa0xUFTX7{pegXzOTaD3`5aO&u z=gZP&UsU57EP$V>W6rm!>lH9^0ip!?#ipDgFq9k!BIfOX2S;!97?RK0r$>Z2TD)%W z*unIRoO=iM&3-x_Dd;V~V?dzB>$nuQU#AfihLe_6bK^GRnq9qsY#mG8E?M&b#4z>> z>G(Y{3y^M``oq#8#5u~^nYq+t^nv6Ghrkk@+rIJw&dvniZm_q+XXrl+;}Nt;5bi7Q z$!1vpJ5mMrtx*y6y4#rsp}Q53gYmFWcBJFgTQ61G-o!j#*800T)&}i%ZkqCA!rmRW zIf?Iet0Pr97DO&_lsZ_XStpK$Ks2>gI&8J^#?NpK_qH`ITF|5JLFmRk8qZ`CiESH} zDemeWu(rsd7P2>3g9^kKHm#omk`h0}11%G^yxthpbZ12e90H#M_x_1l`N^&LBbAW$ ztBq9aLqr!}QRa22+jFBV$i>oJyd;78n}1KzW2?3;h^^GUQCA0qPA8m_q8^lip^USY zoeZoXK+0-O?s_RJQb88hw4?*)sZlrsRu7SIQHNHqctcK>uY|CUu(|l|Fg*!tG2Pli zs!C5mi%4m&F?gILR5!jWzO z$2mx+F3iI^?5!b6vpu-K6@HH0ok73;{R{JoWFk!&fgw!7N#A#aH*624Nfk~MyZ9T zrogw$^M7#81VhL!9lLW#3dbi`VW55p%en)N>Fo48$v+H=V%L%MVV3B0N5Mg1(yk zZK*)b$f+NOlQa{@#>Z&L*|Ku?2K3M@I;w~=L2TGuWwX6L0!rij0xBmjp5D$99DxL` zeq)A%_4;~Lw-xH3JvUOT@h*EP_ro&*e0x+xgxHgQfhkhN@4*PkvdKZ|(;ruls-Cac z49;+zY^rgP`8u+$aNvIj^|A?3@b9!U5)uEDg;fgCOx+re#)`TkpdT6PmT&NW$b)Ji z&Sf=EB;a6Tzy~_wjp2d#4}Usbo8O=E>YzxUqI1d~o*9eCdta?6OFD)fb~{?b*905O zhY#$4`5eUsO<|Xz_ox!NSrr>&G<=7}3KJ+A7IH9wje+4z@%eAA{M1jEd~GXB8{`7j zSk8oC#H?X@vRl~cTsK{A&;q;h_E0VB}MM<@M)1YAK14nGmgSY4kpNdu&l zq4h0QMMvKPfJt>Akx^MZLKo}TMTt%mEe9D_TP>5IlGh~&5Z7&p;}^-@3Y5~^1Kr$_ zfcJH80m|i(i&W(m22hUbn4C~zokw#-bARv&rgio6 zu5t5OWn)tO#nY$d_51%uW>$*km_hV&H5ET)*lc$Ly=N!rJ-sgKFhMFpEB=25=^zz> zH>9f2dfs)*eP%o-8z9sF=Tk-lPT6%K~jgbo?hd6r5JtL$EsT_;)3OwY>pE4p8M5W4r5XocGlx^3PhH4GdH|B_h! zL1@}DEV?)cYTV3{VrHs;YFrf9Ur5O(bv+hpbx~&?g*+do-kcAKVy`s72V0=6iY3$T z@Nh=gDa8=OPxT$!gpZsv2=gG>Q%QYN!N^8&&u9(%iN-d-w}RUGU9O`zjven4SO`By zP_Ay7a@2w!S{ndKEFXBd$be7vc7sS{1DP!Y(&5PyskZ?g)kZ*x5eYB5dD}DV?~`FwJb_~2sw?uX@c-cRI9G#|L}=tliL5`6BEuXCdVobU}Qe# zLxycfuiVW1!zh-o0vh0ALN1fnX1j>Y-8!CkXRGq5!)55=A)s#+OmBoT2NB4SY*sKQ zqR+ASzS=p@*wnOGOC)iTN%SyBLTF>frIBSKfhmcw$3MzghTRElftPwt+q-rIj zEn@HJdQKU(>@~7v8KY18EDgM2g9X%v4}ZrQZNdMtnh?$ckKI|znFA2z)P+S7So4qT zM9slUR@{zj@}tR_7;^cX^#Qp}&dMGh9n6{Se#`$ z!0`Avs*Notm$uqWOz(>p`kPMA6^|I|Nw5GV|L%BCL1idGgqz4m20$=gKH6`^n{V2? z!l?p{*rFuGV6R{AUQ!NS=sZQxyXD%2NLoTytC1yHGD*1PYVA~2%kr1{z-WK~AuocO z>m z{~w&@0|OVwV-PE}NPr){RBy)sg9pd5ZOzxY`_r-OvD<8FZ0zz0ByH*W<^pm?hjS@F zx%g$}%|Vsx7JX_ckg2jn6Q5Y{kk<>b;&3?9Kex^cI;wpdPFjafLU+R}*td1F`g02x z`J`<3^peqLPl=HEb>YLtc>5{p5!}-iFDtowd;Ba|$qmna}4@sIZzsf)7S;YKGflC+n9xkWzlq}*wdR1r$12PK%J0?sZhrdb6 zB>iOM6$i^ZzXufW-deb#d;u-7g%SqJ}ulU!#TKE5|R7@fNFUjvy4P2fEZ4@4Pcr0~=BIOsOGwV?(+RaiqiNa}`rB z31P5$K-*pZM3#;rU zR^RS;wcC~-nTUgW_xELVsoc? zvS-{R!;CsD>zWN^C%9A$2mLT1PfP4F%Zco!UmJAg>~(|?aI`T0Ivuv<9RKh`#zpjN zXzg56WB0rw8J%c}}mq|}5M2#22X*^>c zkYDL+XVzoyAY{}{#x$n+K z;$>YTjg4^4YmZPn=zNtVTi7FE$~H=zAe;CgU$)cWzR=MJouN5Nj$7S=gUGqZQuciu zQjCVcs;nq)9X+XV6W-Aapb1ZDT9?iM;4Szkb7>p)x_aZanwuh4kgx=tCG6|13$Z?K zcISyqcg)CXeCy${)2vh_PjJS?u%TDKNC4$umJRtTxgC$)6s-c0qX2zdFYD%B6p<9y zI>nn75WmKT{IiP_*qWtCk4(n)1%wvBe0W7Z`^V3Hz`{M~i-8ZWm(8}+kN$IH&ie2% zOlvMflw7KxlK#w|iRe_B8lbk&#|w4a-#reQSMO|++N=xYT#wPbj7skJT)b_@@CehK zi;!cDzk2m2vBa|5EGsZ&yy8IayI$FkvJo01^O4mH2}?kHzO3(kc%Yq{wLoZN5zryN zYx;&%!V|xj@gRZBY{JF8!C89p8L}|w^@i|57((suthx8)W>oa1?C!DDKM~y*gYI*B zWW8UpaGR|%WXL_5=bJMUIAW!kWUt3BcpC;?XOtQ?XR+&T+>hf&#%z=4(1UtQ#O-vu zT-J`Qxcx-=Qx>E|s2lvkQ{-%gFfZay{^yqwT_V7YYUlV~aesp)qjy#Mcaa0)-VYi@a-_y0;RwQmBxpTv0HgNJyu=L|$qlYA|6ZAo`E!#0!&>NDx=jb(h*t$ar zA0%v4UnPw5gdvo1vdwm98x4yMzr7%p@O*|9l*6!V-bsB!l9UU`rcH4yyE!hva~}_q zB|1#`d{FB4CPf1{e+(hxIp|$rD=y@TJPr4^Uq`r}my4 zp*&l^V||n57A}PCl)Qb^F5Uy)CsTT~{7TH6+qc=mXVEMhe%$JZ zDWJr{Q811A05%!B#}r(`E9!iu;o?XFz2GYCB(Dlu0Hab{vZO~pfRdo|!U}2m}!LW#{!m5}hH~8$@AsfSNv8x(* z_EhZB&2bz^6&`MW05z53`^2jfLhHsmr&u@RE!Wt9x74FP82z-KTNOZ#+(CyA(u4HY zjWJ`#&%pm?b$YXw%Y3MkXh}wWU=4Du;z+LLr@Jk?*db;Qxb8*z<*)$0#%lAaAj#Ac zhUcX?^M}b;@ci10dq>t<+$RKRoYVyX4ph1GkXCBQ(HwRZMjnTj!gEieS3N2qUazW+_ZwH(ob+H@K?mm}1BaprSQ z9t#VX76Ohn7xDi(x`9GsS4b7Pre}52p|9@%ICP;^x=5a8<5tU>-6kpg@%_iDv6%6_T6E2B~ zd|}NA!k=WS@j!~1n+RGj3FgHWsU+C9Sa$GceIW#Pbuh(|rZ@+FgS<=lao}z4TvV+N z`?2^Hg@^!y`Gt)b^W|c|F-S(G?OKtxCV7a?=DADl0S)^9sFc9B4YIioS>b|jymQ8@ zX*31TMLM`&03?FYuc-O3t`3TX@bAp~lKW#4E1R;>ze81NKL?tBP53!^TN6|teXK%pPYz_2; zlnq;kr%P^>4&(lCue zNUjA%^R7V-L+yOsM{77KtJ@{`O`wHrgND0yBpSxiY8m$fBHz~OBC+X>w*-dRT#Hf2 zlk_IP1JW;>ETz|KgSNq<&TCjdhE z@*IT?vsCFpQkj0;5FOB^o>gCS9)9yjd}(8Vl=OsM(jA;3rNo%GX8CcHuy0jfqt3ls zwIR`}Jfk5pr~Gc^NFSKt-GZzHDfM^TszZeagCi9Lx-Gz6H0r&{*o=tevu*m7VSpG} zCpJz0r{0(b1C3UlFvW%ZkDYW-FAt1C^>Q5N`VO}HUtmN0Jk|YNbN3QCfnWv9e2Jc% zNc64fh^d`tB83vDY_8F)*GZAPmp50xTmrps@OWr-=LuL6^IvZ5?S;Nj&m5yhaA0Siq&d{+pl%pVXi z$dV@c(6%Z|KGs<9fKzZXk)8%4(8B01=Enl{aSg}N9NeBpr$ zkrx)3yS(6ofi;EinvdjQh`k}bAG|bu?_jMHyUrhD|Fo&B39R}kO6p@LVrFdftu4*T zi1nS>pGkcwsL0q^SKNz?klMw?KxRi&us^tNhVT+Y8TYd-^ob5&2b7Q9*y)?pmza7Y%oyW3*J`k$xm)Du~w;d0_39SA{y|TiN-+iclc8 za7I87w^g8}Pr!Yh-S{wlhhJx4s+Leda_ZDZFB(mDC0j68 zW@eRfPm1(Z)u124z345g@{U&5OZR>wmY~0{n`pp@lc}{@33t+ylhWj4TF(3m4RV(W z$sbt*NEY(_mDGqo;w}RDYvpP%fnnHor14WHz(}I}fSAav$uPsDVDL)op%9`LU;cDRS(;-PgT0dV3X@D zmy3BAEP-!#{5JgzuFi%=n&KiGQ`68faDmIZYsZx2zKMy{z=wU4*u+p+su1a`1=R?H z+`8J^3H`{L%w2%CGVKT=jMQvAh125Ui$?d9@B$<1o!>o(x9>ccR3CKe3DyIxWj-CI zOmLNI>Vby;F}71*OkppdAI2Q?#W#~(bwJHU6@4%OWfOs{+6zssH8X<60KTra|LcJNgJMSMhc zCKC@u%Q~Kfc=UPZ(@-eGY;_m<=u(sXZ6| zEcIm`4%y|yRGu!GR(${>Q>4BC7I)iFVn{NL=Dhn+L^}5Y-CEIz5kn}LRj++QEA>(R zK)UX;`1pWt?_+5jRf%(K^TLN`Xo=J*;KP0kc#JG0wo1t_Y5N+?gu*HhuM0y!X;8#d z-H;hO$Z=@U+i^Ar)KQ!$iB8#}1RRvpy9ftC?-DuQEQUVf(KV?+F8Zf9*joq1LB(0` znhyDQbw<_-kE1myvC4WYy+r12zXNbq#jleec6QLP8Y?P&=sGZ971~&)QfQe4PLEiJhYbQ(#vTL3Q2mvuv?qhPyOs|cxO@JJ%OXA5FmUY-Te$3r z*mKyQHEgi&9pu+Z9-rFJb7WDXoAT{PsjKXNxuBUAj3m*(hB}6kf1q!{EH<7)VecU$ zh-UzHNzx-Y6XhTh^*U)aslQ^+^h*2?{0IHHf!qSBb|Ppq8P}Du%d#uI`xN~pyVSsM z#$$m$h#GXviL6+kf^6N{Xc%I*w68kFt^?Z$qB~rk^3Vr|?kCZjMiy3*I}WPk^Lvu6 zQkFJUG}^yTeNJdj#nB)=xLACY+zRRiemqUvDk|r)yr?jAKLtMJq0*-MCrRjmI5_mL z62XAv=&1seL(3po%A44Lz}m%Jsl_Z&KDlLYe!-@2$oW|nnfWOSnq1=0DZQ2)Y{@S% zRgjNDoB-pLk>T>ptKFpl7&vLRSZP?4ye`PiUQl zjE-7Pq}$xLo4bp^$@t`;Y)gcZ<^pt1iC}A$D;zRRZDO;mD01iEP=IXYqms7kq_1q~ zN4s?mPW=19R14u{OG(eB?sg4aW1liGX=^AteGRKdlZ|wL^UGzca)kGq#lo!cS@BNT z^JJmm+NI0c{ugD<427EKm~p^LH0M8J$f`eo-K54kkTrL#aGi%Fq7 zC2lU3z`WhP8%PKi^yLZHcJHWxL+5+uy9TDT!5&%uI2!O}%^~i%hg3)k^y?JfpiN*OuK(8!4XC#dWkYo&>=fY%BVH3S7z~W+ZH+50;=yjM<>9meaD0! z&6K2`abVcF4W%2&B@@(vZpu?ouuIKU=W1Kv^^g#nLx#3;%2oF)-9LCRJJQCM{%Sv59_yp>8pBU|aiszW(tYatQ6@X23w= z$#zd>tUBvzeB0&M>z&~X@hfn!-S*U8c9b2>jGXgFt*B5-S4W}W_OP~v@J1vq`UAO=r5;NU&EaBPTga@c%&PjKhw5ZbMnre zu|@vGcvctpI}uE(5zYk3>sY@aI*0ubO?Q0)18(c`$MuuxbLXnEm80ktxeJt71%_sd zGMNz*n1Tqh6n0DYFZ!R7t7~uMQr!7W^j;wcSIr<~AMFVA%gmH=rMM0MkX%jQtRgn< z8h@(N&%6Bh;nx|T;vs9eNH1G66pxW-?9s{-mM`oa^YGqAbVj-(L*N32tqRa+H=+uz zn|p~JJ;-sgsSw4E`|39cLnH#$@Tl0$Dlj+SifbdH$5lbD`Rw~r>qRGeNhN#v0GM7* zV{wYm5IKOM1wCClxvEG>gMA$My)R5$7>>}0UGJahK2a50jo|*cZ0J+6QF}cQcB*}= z09IvVRJLoJ(Pd4uctTQI1H?Vj*wZkL^=nc&iDm}jE1vhj*vwpdVo*d4gxB&L%!?gRXlPIbwVJu zH%CAxAxO^n5_*4VON!?_$6Zv~K{O=uE0RtzB_tu)~{KP z)QvqjvQ=AL$Ke;NTlI2mjEL&Q26*1Pmf}qg01+fSl54K&X8OBcV;9-71C3i4s#G^r z?6MQ5JL8soGj7Wl1EDAeQC~;ae+VKyQjln`Mnm&$=+)4SAuW_kja;Tu zRs3nR7QqU2>)Ote^Eo?lOl07)URySt=#4;`-Z1duBNNcuFzM{)W1+EwsgkTDvkT}>*Lwd(?+Yw zdlJAxxL@S(9{y|vgY72wRXlbv;bGbLk*}kd%CQaPJyIiwNMllyN~fCMzy;F2NCh|X zOtiJ4zy7v_C$H~l{G)E%L_=9>w2xn*c8}Euq&wPji5|S`MU5D!&93pjl@$Q}rs)9Cak#z0(;ngHywe`n%>ec=m`=?etFIJJ{F|KMSeO!zFJpbc&oOl)h)h zL!oD1Hkjxo(xbKr^G*S#K@+(&>CEMlbFe2dQ`C}E5bJymo=@s=Rwri7;~7DQnyjII z*+P5I?&T?(xiN&A!Tug5{mwEI^IFtL*!H!I6H}b@qlvP4!f2++-X3Wl;HebbjXOwc z>~~^@55@eIR@M-w?6PJ4)E;pjK~Jb>_&<+ii}4!q$31)Ovf>kHP18`exR!M}ct#>s z@!Zoo&)!oeW9Q?Bnb)nEsTBiqVv>&n-E?SCrFYg%-_;I%Y;Cc1#Q|M~@}DvCYQdS# z$DuR+^*E|WnN%dkT7fL_hG34u3t@wzz9rW{#(pD&Un=lKUq5fVio;K#C31j(%I8L1 zVR>sd`%POfiDogo-m2Cq<-@9`OSg>&9ne)fr>XSS>q_iQL$%9e00~yH^{|(5E{gxv zn;R~jziF*aXb(xPBb^z@WQ0x?$R3VyxV#Efh5}~LJSHUxL_F%RR>=R-C^y+V=FVp+ zZW=q2WAd&&u&>CKnX1AGrJYJsFbRyZ7)znO37VIedLi4Hqq2J&caE<~SP;^^oIeUd zvhI-bNX^ZGgS6?K_)_{vdO7{$F;ZTLd!Q*{qvkuRCVw2d1VHz5z?!8DWHvxRBf`y{ zxceBQU?oRb7W_CDOX4#{+IiHMBY9QqP=!iS8P!+iG8Va^Xc1)e>qo*PekbjvDJ) zmqdOKWtuBvV6L*t-{|Al@WYscM?C%k%i(R}2dh}GNpJ8*I6Zz&nq&s|L4ZZDpUCXe zJO|sk=Oa1t&%t=68bbH}Mt$Cgsdf*hD)B(={aUyBE3RM-i*eT*%(paS&)`Q>Xnh#` zrRZkTs2MxB(pmnGepDJb<1eWF!PTN%=^d#1^kK;7Z2~Frm4FwpN7H)8NBP_NJ=u(_ zBRgY`P6Djh`EyDW#9Q=C>8P^e=wASXRyHI~Ss5^ULtefE`x+5AV|f;gQ*dptwR$_P_9%|AvQxzvG2Ee9!Ig3^0;{($j}hbxu0TJuM`I2=wVD z&Kq!MlyfZ1ndpsQVVTfBN;dH-dpVR z%;J6>IXx^SKY|BnSN~94Uqk{Hty5%{rn}atQl%>)SBe+JnXDLpTX?iLioggy3C|@>(pU-3WsVyxF!B1M6Ds9KY^kp6IFTw`?4CmSl z<%FD3|& zp7Uf9PCxnY|4ju@`~a%H_^0aH96fGOb`pq^tkV$v{cn1+n_m-ji=%_D^CqC*m#zci zsfq>kPEo>xBSyJc@m3-Y2TKEhHeZF33HL$gn#|*J=_L*%Zh>IE^m`x(mJ5)H?3Qc( zzAawUJ~H#F&8X`a*ogxv-9LA{td*gq#R;(BX2C|5lcS1|9`Y-<%CcA z69DFwVB!1&<^_wz>JDh$9fBY1JqXecxGCp+N`Q-ZcW7N4Sf=x8{<^6+0t?IEAj+^UGV_w@d%g11TW0He7JFT1U`OdN9|DrsA+YZt)v?K^q`(Meyc`mk z@q1CXep_I;7io%PZWf!ugH@MPmEXsq^{5We9?cXZBb0<9oXcx>s6Q2yS<=W)ZI~&Z zeH0@Pw$oW~iaFd%4_8&mhJ)}%rg({=D&5pGav|y-5^#dTBbiO0NRxbO&^xTP zeR&G)`}Xz4_@p1&zk(+bIt2jU?BTJO63@`S2wco?dI-w2z8Ja1+B`ig-r?H_RpqC# zuHB-AfX_sHy)6gpz?e>-n-P$|UQE3G_m^$bDBokI+b;Z#sbf^Mr0N#KBQ%M{Pg)U}K=cLxO=h!0Xs)9muti7fUrG**do>+~BwYiJw2)p90mA!?U`udG z#IR~C8l#YyK;h%|07;twWFvKQWGR>}h`BgKvCD9K3t*+(2kI))zaAjWFNW!ihWHMC zzWe$c0gdbjKjvx~@RURQ;spo|duvO{DoQ1Km`HrvR0{kK)7?kHPNT(?qsF>OxpxBI zwTnw%eL|*KP1ZInJCho59GS_v-KVYKr_*!ytW+YmRT7g}fB*eu(O?2SLcpwJfbd>P zncAm>l6Eu25!-w%v+y&^T%i52NHppU==#I(h1Z${`!1`gh#>cpldL1u zg72$}3vLv)?f06b9s5Yv6iR*O)GFoUTC2^Ccd% za~r5(4DG=I%q_Enma?!9ZeafR8=TJM1bqL?abvI}3{GjycLF+>fxbcv+=s+pYR_lF zN<}-hw0hR&?6uT%S@zPkjgrhU=-SQscZz;yv~Jowd)VO8R`m{wB(Qx%8un9W$CpxI z96gbF$U2c4-`^@Nqzs#$5e+<0Cd7{}KPNv@V0Q&G=dCy2=a9aDKCKl(Dk%jn;nHr= z7lJEELb;~8*BC4w<#203qTn*lAT~zrlswKZB1yLE#eQ-a3CZJ9l&3x^!k-c{Lj-!j z-@{rXNT7UAtKA!AiF3Hs#*?+>`c^RQhR?BbivkTJwgD2p<)%F8v4x8v5P1hFflTh{ zL;Q}haGnH7A0CaQ-gDW7wU6;i4_0qx1VWD$HZv5vgPc1DjGt40)-ALi^t@ksH4{w8 zUj~*;E`_#$A*VT1+|7I3Sjuwp`BVp_owQJICx7z`nUW#&ovkqJU+@>e`TfoU!v^H@1hwPMSG@p;0eEz)Skf^QI-z`Rou5o7B^q*>t0 zdJpD5LG+6@@JZV9S%Y)qXpR-#l?sl$HIsW)2f3c|)*_$-gQ_I6Z%sf?brQ#v^ekHx zD@^i*<0~R1LRZFE8xmWw3|~7e6Tg&wfXPFqn}Yg1AbV%BngqBF@;!}j_$8CZn*dYO zJJ-z4ng<@__edlVMf9mx;zIB5LKBPo{^tGgjIc@Ro`l@ytT9;YS>d#E1)-|kS-eQ0U(6Q~yB zLAk*D@C!9La!Uv=w%ZFo&|@rV*mKsw2SZm5__Vew9r2kBQ=1R;!zJ)IfC{3hxjzAk z*s?qvc-zeTz_Ug+HzERk1N8E(ML$$dn=#$z4Lb{V%oHKa+x4>Kc>Z;-)L3)UFZi>p zg8P@O(Dd}{;v&pP#(h_6oliu+$CF^v18PpeL{Y#C3izHl#C&0SvG2~*M~5|qg~Do6 z*U~?0j7L+()hp9?W@@LOA-4(6h4}QmdDKcflowgTD^cm#QZ7^5Gc&y96jYVn;*-Ljt@VAU2;5FGW0i@ zCOt}eaTJR;4%)IVf0BVkcvk>B$Tlw2NqD*72X`oPe}rKVWD*}u7a-O2KKNd3`jJmh zIRvs)ZZ1P8;n*HwZ0gH6P@!UAF4~%#+>wE8Y#TeK;!+{_emMN3%=4b z-o~ro8lXP<4dUQJsJ+mzejq;rVX}O}ZA;%2mVk#N%VcfBDY!}#4Wc*wBvXsfY-w`b++BgsUzJ47aMeDAbH+;2Hie_TDlo>h*8? z-U@<_YM^4ix{lN&IF>_CA;2fdMApTqK;AHZ&#!l{(NsuJFmK@J<7 zkEYpwI9&n|^l{MMw235}DX=|K^eIFJ4AgbnaJKSzrTy3w8dqQ~|E!Y59!vjz?+!rd`0KC-BJdr0yt7n2zFn~k0gfd3>6rVDl-1nMEx84}w z+g1>BmKZLI+K<#Ru6Y|$Oz`f)z^1hIDTtO!_rz+$`snQN+=|TSd>&TSNg|md;`$n? zIXf40kI`I`vg1h_ASt|4|7HJ0`{7x{u*BSWa#(-vySqp2Oko-17;irs^V#k9qfd7h*Ri$a@~{ER;Xa zDkCX7s0gg*GH->u-aJ1>*FDlrsbN9l9k-?QiV6<#+;NZ=ohqFbzd7~uwB8hGlI{He zSPQ&Qrh@k2(<17KwLATex(#Y~RJt%Yjv^A^yLpRgBPb8DaaILbXDCLS@Jc}n0 zdF+*X7#)6mNM(ZYUT8X?fn)hf>}je5=`Bne=Xe_yF$jKeh@e`&9+l?yarexi>(s3| zh{C9iLX!hm50D6ZkgD}PYc?r|$DbL-w|Ab+ebxFPeqbBwBK&7UPC0Q~WLdR2GlrIP z5GQa(>XhpBXjh{E!SXXJiT{9xQ3Is{Ho(__{u?xm0-#|MK!vqBAdj()Pd){Nzh{=y zM-g1Ze?Y?$-WeTNt!k5%7)kkmZ%5#-;;!?Z;#|6jBcl~R5HNbnocTmDHHcnLz8N_> zD!jV|I{O{_lfvCs;z#|1_w*Q6(ayM$>?zI12!esNnpGD8k*z!m4t}yw z;}9jjxDNs-ns2gv8 z4cKhje~9-yd{#COEW-sh9QS8ai0B;lnV0R?X}+;VKvA|(Rv)8oV`)MYguoM=uw<(J zR0P!*(0n&tC{b@Y)|3#68)Dm?!4aj~01uhrfM*jJeAqcSMbkoq;T5xVpdn-T!p0N< zM?ZZ80pZQRn|$#zz|u=O{_6vOb3YuQ_Om9Nbk?V2ZE+@Om&WRYZuI3jSKTWwbfjP#nD%Iyd9Jd17b;`QNS)G!^kjsf9hA!rxZb> z^0%6~Bhtl}0-E0wC_UnCl{egOd~fhPVYd;p0}N;b=U{Qa99GvNV>xqe2C#>3^*?P+ z;AmEQRZ#xNMAIKuT8;d2MZ~+l6&~@|BxGL6e05M7m>cliq;5GdhpHOuH>&ToL>J$I zCo<|8n<{4rF3&s@MKE99N508yE}GEr2W8PVGPVr%M6Ez|Dj|X+Aw6Yy+{2YQRZ5H? z87*+PiJhLm;3{MvoGMknKzpcp8bE3^aQf4-fkb_8mWl{Cl8W~1&nGya2(@QCn-L}gud6Pm%(t;{a}TzL((a||#2rT3#fKzwgM`5f+O?f76C z)Qeu8J^z5n6<-ujw-#$boOA++DWD2Tk5n0|7mna4BAn}OkrXx>~|<#RtUBxh`B~I!s#> zIme&op*{{w*(|4M`;@5o=372!?=SU5%hy}?t=rF=b-2NmhrE_K0s)Dci}nleSXP`? zhWJ{)BWO=Gy$xziTz~sU&&HPz_CJa5&L{Ya9{rxW>L)DCm{%*&9yl$^=n z*U-^yq7N8q%N8ucNgvnmah^~0xqG%#DS0H9&4WwNHEy1SE>Z+19xbSwH?2{(GNDrQ zMJ1Ro!8b*5qrJ9rx4fk58g4J^MERneAvD*+(|bG5I8fwETI z3x`&&0VQ)CmiR0u*-7tqQ28#vE7u8i%n7UfnRl^UyTm}|7rd+h`-x0b!O7PEVjOwI z?UWjc7Q9}UFcU^|JD9GaiTlMzk)t2Zo@E{eojxD#FG-ac!eM2(9LFnGRK+DVvm zey~Hz#M??|8dD$81f;Tesf<}5DP3ih%@4I8h3f=p!gDA(#TpL!B9dMYVY;Kt2>MM2 zfA?E%*GmHhxz466>JO4AG=8EyDSqy83J!Bnc`uz8TGq`FGg5T$pC4H#>PE67{!wZlJ96 z8b828;A@Y&C6EWa!Yj0IETu&_0`KosP2$ z=j5Za)sM5WQUQ^|0p^CEj|{NVYJB|<)!6A9oR~JD+Zf{K>2lo(w=d^v?-uQF0mSFpWeOLh6K*!!&nE5hI{Uqf`E z7wCYyA$LnGULwaDRmT2Mg^_5(!jEt6HsJ=nffHe6E(Nf9y!Xi;}%CelRK4&20>#L2#wp8kF~bp?e0 z5wf!>z?;#C5Y3y*v0HyGV`~UTpS6ibk3Z1}Sl*IjVw*o+s=MC*jf)&t=o2AZDpyJ4 z)mPve5pd~#s3J27#P>`=3Tckui+S7=z&kW^O>{dWNi6jI+~q46#YZcAFlKOEi)8B&CI15UoqY+^{GnQu%PPsPQHs0p^vEQgfUW*xV?(_GIlI z#%wpu?Eog5;8-elHfhw}y;B;RS^Xp&WtYlC+t-rtyf=+*XH zamDL8fl$}{HLPo6(n5<&jaexGYqNhBtpaQXh^i2jK1N9L^{6maM|HkIj!OB+q4;Js>2SN zIGX31_0M(rX9>LIrt+KvpTNv*bmrP8+Aq#fP!%3hV0OmEg4CD4NA;i=F_yDU3Ag1m5*d{zlD)AfS_TGQw+4yw^B>*Qx z2_hpG(n+^Je7nouG$hG5 z9I}fsz#&sVzlZ9R1~}xf3huJBcg**Z?!sDv8^1#2a}1>a;E+*VRvxDX0Ee7oBV)s` zqt-U8jcJrw0Zwv&i4hevHrU}Nu4~q4Tzcpcb^s7IkGIly(9u&mn#rhqY`Ro|jETq* ziBS~)DVmc=tfBWb5V`CKqrT0kub4p7gp2vhQ4e3~t7_%y@=vAj{sX@pDzZr$LdU(2 zS12t5CR`JUe$>q{nENyD3qUTw0bW;S&aUKIU|uXZ+}9TXjh$)Up^FGrs@u~i+!}j> zeV2?C=p;nRn}VCv3!**aKh7rjAoN0q{X?}Bl#SuPV93d}MdhK}cFPfww!q!1_U3g} ze#jfpqcN}l4MPTEe=w61vw=I5N@;;huI~>3xla0T0J34|FUnn|Lf{S}$YdBMZ{l0f zdz^wL$z8U19@L{M%$0(MG3s{+KfMm4!D?|8e@GkAcM=qB;3EFekkx#QJ_RkAl)g=g zPS4&3#urW0_5qln-UrW!QMB)BCK7>8@&zg;d?a#Uu!-!IS#+Xk0D^#Itw!xk{e6+e zBV#WoOMPiy(FhuQmc~fv(mLp?9C``otSJItxHVs2j`eg9jObkL7JVIRs~|0icDvX8 zr`jS7@%7^@ zK4^@ng}Ip`d<*2`JbZ*08ebxtfPIB>6`w}m@M>ar-`3r?VPGB3^%{4eL@1zOV=&^b zWJ8niyQ{n%_!@9R_(v7X_s;w(;Q;!NVW7>^aIni<|&*Evx!HLgWqrK9N+E!sMg!V5vZD zkrj}`x)N$uf@2Z!t4cY=xB7*M&-t+>{5^jx_57k3O$FfavFt&uS9}%I6dqI$$xmZW zKaKb|#)!_6_Ka2m=}@8r!XytEGmlmc z2_miI1lwH`mF7iT5SjhfF|0cqIK%4iZ9+{r9#myi1{kcNdk(Dee`As*JOZL; z_xPr_US_OAFh>ee)|UY0s1RkXPAzMm3AIL%&bY6U_6;#j{>NYPLlHY5s1T_`o;?(S4pd?5m1p$Duwbk)f zxb<5Y7Ft*LI01{G4*>?_+1n5GBE5cfRwWsGZO+^mR481Q9_2CrRr~49_z{UM-o=LO z>-w0+ypIygqQ*qFL@CxfHRzb4b3#y?}l!9i3$f4Q0K+ZlT4+GJa+Le zCbXQ z4B(Fe;ko|yc4YWfRb2Axo)=eoX9LV}h2Y<6?p#q3qA|_j0s#TlvJBrnPrxAip_b&L zwQFmxhg&1z6EHE2Sj2AWn#~}XP{uO1WphZTaLkp!Wz*QC`AeR8EK5^Gn8nTPJr+q~ z&fvS-uvD-3HtKQjCYtq75v)xqJ9u59I_nY{YI7WIVgA_uWePXj`+23cN(iR}cY0{nXUI6MZjFmY^yOtmbKZH72WDjx}CQFDHcmC2K>tvk;}4HOCJ8 z{yPe`9(ci!x8og$(Nxwo9}S^oNF&+9D#gS~P8m@aC`g?;UpO=|wA8gY<=&I>EQpg% z!wHWzePCiPo^|*$%FA%1z25tS4T}xKvK+@|o@vg*eaJ5q*`S0E$1M4?`xYl1A_yd# z#mw%WDNP3DLGdJ8|-*WyUxArE1 zd$Sz0J6)jy6tpszYITHEZr8s7uivMvX}Ip;kanfu(LZN-WApH~N5I5?aLQlV&(Qa% zvC)PY;kv?9x9%*R1*5siPmBl0OL(nARa1RVu7(ytm7FN=cBo{a>a5f94E|FxfJ3YU z9b)F~_Q>K;0uKDadsAftEX#yB%~jK%fvg+hC;RO%&wif34MS>HKKH_v3h za~%5#L$Z|t$KV7X7_6LT0ve28!%zlmh1}JlT9H}B%dx9tSD7^;`3%ac~ zLoJ}Dmu(<3N}!xDU)!miHk~!B8)LxSwvIZaFU(1id*+#J)J19zK-uO!fMb2*C__c; zY0c_nmHoQSTMRG1z{*}Q&0LE2uHsWaP6i2C;PUgOl5`H9@n;i)xX7ak2MohtH%Dr* znEjVJqe^cp;=ysX_fnh%LWQh#HB;#;`Z7f~O@jI!D;!N60*T*+XT5)I7G@>V~j;zU)Ni63;mgqTqeAh_|n zS0e<+JtDLCupd!a54N0jQI+7)KPL8Q#~*-iLToFLXU323TfRn06FUHtXujJ^GVe5nB(t~Zqx*18n7xZP-NmGQZqO1qRMzOWz-_$Quz zkq@JDd?18JUio%i>YSeK9iJOOrhIUIkxqzyo`I`z=)ZDel-V{Zas)TF@u;~aevMYB z!>;5TPAT`xDyc;D6h{G2ulB#f^%VIacdIP|vi{>axyBUs(y;dP0(Y@k#+faEq%-rf zIGSjZB{BoW)ml8rn+uGb=k%$5Bnf0&59(~NNiA-CP^fHu)okI7w|eGwaVRe6&yetL zP$o=tQ%F?F+ZYGt+RS8UL(Mp*9y4MEhNbt%P$9j<^r1kfCJFprcu+ zFO1JHU${^ozPCVil(d&UJpV2TW#Em;LAe2UYgKE}wE3s*t|y%%7;-10j5%(R_aZD) zh6+X08B?VvGc`cW(bl>>b$!cp@G8xZk{$VH;eWF}$|jx*d|gKyM-z#r>_ewLuye#N zbnB}C%=Jz=d`E#3NUmgj!A!$%z`*5cQ<3J^^Iz|Rq6s4V2GyuEz+&vQr3;nKT~^_# z^XB!_9K?8Rp1AGixmIn%Sgqy~JWlYscO4jIY}_n0wb~EKQ1k}aWx8px)Y#JzPQxPZ zHJeqpnt?sIJA_@1`Q3L8jWEWc5k`^Qy&)XM*$5VW3Tl8|)~z?s1lVP72)kUp5<5ht zaP`jz=om;yTQxrvrWl_%f6@yMx=#*(=p0We?fvoZ?$~?54>W2Gz~`v1-G{GM?o9uX zJX^odvpYs(4G3%fTPMd;SEnsAg+nGL?o`GCn83edG91%oe50s$9_+`&FR)@g6&P$rwlOP{smqba9)j zA?b*YJ8ob>&-+8&4Md*`0xGL!G#Sk4C&*&bx>svLKkFyzu;bFQBSm#*Pe8sMhzR&4 zIwDgFg34yXI-7{`vajsXGf?!&1Z6bRYO)s&YXjD6D{W;1IMdZ$=qT(3=_|GIg8k5} z=dKcxliY0oil8L=E6`>*8f|{02EDoGPAkPmM)%o0aXCLQo8WSb-T>@>RsylNMgxRY zeLWU#&I_DRSXz0fyPB!kU82C{9Ek2cqrgwDB*11xZBnI)-L-&DfLGajLqM3nwkIBc2fA?^85HmBh&4^e^bjz=H(U)#R z_MuZoN5HoKo{|4ct~Y&BxaO~r3+Y83W`gJpT(FU{*>@t{!#nIKZ;C7u{$=VQTPqStVn zJ~CJKy3hb;s(qyDd%eLOZ?kdDA^inI!sTK@N7$PiXc-Vv+_iAJ)DyFW5SUyz$;?l=tp$JKN-F5o=?$>!T^xGD6ih8_YY@`4Ud0V z0h;Ktw(G1EOaM?|0$}mv1Sc6pC%{vX5g~h;W~&LVu!%8C4?q%CSEnHv?o@xKrwaF2 zGG|^UOf{8h_u?M%iGDEUR4_?quc6P(%bDJ5{%O2$WIS~vck)!w%zoqe$__)1Fnuoo}nhE9}d`m|2%@SA=BwA47iglF~0U zp$IwSWY&bMPR-cqjJ5wvy)W2u$oGUss+2iAV)QzGPL-W&acyd=eAnfP7gSTfhw61K z6+6f%IY8HH1w}Q{V7fXBDIlg=1_x;%j zO60%$Bg}0>-1re8li3|6u6}piClv8lW1uQ_iw| zg#h*@#EGFHG}T+rp`R~$`Jx8{HVHE!K>^^={X<4oY#w^>scX2x#>fZMx2U22?L?L} zI9yH;^K{|(xsN*b*xBdMmao?Q2s&?D25`?QwWo$_QJu!4u9aG6(ksV3s~*z_nZ!+1 zTDlUjy$d=3h3!P{Cr*zd0>|hT#cagjHsJzUf~tj^nV`<*$>;@8!#vY^5NlBSY(jJ0 z6XceFV!sMRnj+E0k3pgRY~i0mTliAho><&QKDo^1mWTW5nK>#()b$WhOY1@awI7pU z&<%oaa1czMsW;Cebd2*YKsP>JDrF)Ll=&9itzA`31)IGIL*#e`5O7k2wVzyKw5S<6 zi|l^5mJaZv2z(x%R?=)pU(izJNto`KMfF(v@47og;lJzd>SNuE7*(bGjo>mMsm&Yr znE&)05&}HaH7D~YEjwPN`Y`X({rl+mrLl_>xjl{hLW>d-{GLK3dp@SC+yJ>D(N>Es z@}3)12h{%iO75uRp&N z=8S7lce7#H+@sby(X?^##h{-ikvpnVvZZ2gK6!9&+Yp#dBfNLrk51ku~)3laZMWk=0mx)A$#o8^9dYnib*Rdk}HN z7cC5Q2;D?J+y2!;Dy5hu!s7bfCv&FcA62cg>sqhrngL4{9&QG}4U}garYEu~ijGud zoda0iXVWC(1jX(hgU*UH{SjwH@zyqc&O(%iOFWa!3{d)yE@tSy#&s)PtfPFjA$^_p zC$Rb6+)%iNYp^~OsHQXSbf&tI$?4lRzc04H;U^D{Gf)@5xMPtWdHo#S>C zC~xWwuMHI4`}5jnYU_uJEuXSjVM2zIkU^&Q%k#Y+KYHYkxB>H~Qp>)*;-~laX|+lK zDz&=|eRx|e@SOYeFe?Qu76HPMn6@VmIq*j~WnljSS-@$}#)FyHHD?zO1$OrwL^vlh zKU(}CqVOjULVv2f-dn3jZj{AL>EOM=dt#>`KCZl;DWKk!gTn&nsz?r zUbGRB+w?Sa^SS(p+3?o>=^UppPX9VoX*!$V&ReRd5z2+n$L}imR14kQWBuCz+`M2bC zx1B(U_@BDY#CojcCF_>H1qFOwWLBf+8VrP=Esrkw0R;3y)bn0P!;00(`i!4@y92e! z&y3@&lwXHpt8l}E)(}dT}};hPmdG+QwexOXf2RBav6wl zfLk&|F!Ja=cWBz8C_{>DL&ccoqD$lXo~&L%`UNt!`4VG(df0ok$zZ!ir& ziY=@J3p`Z=Qm{A8VaQ|wD-t@nD{LTMeVM8~uCaoqmj@^W*@!W@iH$^85bX{)z!na$v&Zf3m`!2Ls_X`(^e(ZM_7%0w3Eb))`%aiZT`&s^SM75c~cV)OGOrx>w%u#ahcwkgue4ah^%-q}MCSYiLgXX)CTCbv*w$~U; zU#h9l-;@)N4FihBH~uI7S-U90b}C=50Wb*dLVMwWV~ZG9hFi?+)y0P08|>WnSvDQD zjhC1Y{rB@<%6Cw+>=aX$4bbSI>*hF{m<)uaLY#psqq$sxqa#20=rS8GtJ#RehJ z>PEq?SpAXpPiFo;)PJi52*#3;e~uX<1OWy^ZC-lhTxE;aTFtJt9qUgk{(iaCs@Q=v6h4E19NiDW*@U>OWTi3Hp7FMepiOA z)ed#iLeVzjudE_?PqwYA!SrbnCwwC1+55FOv><=38ZYRkn_l?y zhXPiJH73bmAL~*57=w&9n<+Y&B)*XZ&*j(pAlElI7)9@WJd1JQM`+-CgM~}@asC4& zUfdC9P0|jm-TpQSEd$%CK>z&w_Ow})@*JvwG+@emPr3Q);cRd+S+!Kx>DwbPPrLs` z@g+EsPlagbTypraey`Aq@BSBpI&;Ge6!mJkx2VP?7EK*>RpaYmzJXar(z=kmbh$`%@;tLBa_|x1T!Pf^HIm*ApDo8eb9Us+9TT5@p%c zi~>@6+d5b;0&3{4TQkAKmLpwa_Opn`DeDx;C--g)S}tWO9>9B!Xq>wv^vr)>UT6;L zvs4cHWb8NrJ%n6`g9oU4tmp43-75_^87}rAo7QYG$Ca7z#x~y*Y@(mw)?pvtg&=A5 z^|VJ3h05tGUtJo8Pvq4X8oobt{WVnmcB{jd&yR$WWIohoT5{!!|J?Vez6GGG6cH&! zY3~7T4-;MCgkjJ!aDv&^=iYW3frGJP(s<;T2%TIM7vN&Xj`rjwpUg3EQB3o35LKm_ zR=Vi#dT^Y@1#orGMf4^aE}f$xRo}E>G+$MBQ}(*cr3~lq{;nc-KAMCsLB}WVXB7CH^SesymM7b8~V0(rjIUP_UrVo_ZiY zRJ3>Mz4IUWGL0tP^6B*JAIQpVG*~<{0h-5QmClR2LsZS)VBRVIJ_nbUmH)u8qjFT4 zY0<&N3EX$Se06B&4=~#KA7Hehd|dS|voOzstFvcSeDfEY-mP>PH1F!o1PWci++bOc zEhgZgCZdL=yn#K1|B|{B?CNj-Q?Bb|W;P#sRsTMKEJ}}mR92J)f^n1%K(FUPgv=2; z{01J8Aa;Ku!`@XdgzsS2frf}tCPAc~(sl7}_f;)@njdfNFQl8mh?Il^Ldwop)3P`F zjJXC(opsZyW%rKJS0v*bHYkKurSg|_JuI9ir?t1G@!k|o?Ip9-p&hM4uXU!`+Qk%u z5jXA~jmD!-Mf2w`gJ@qJPlK?(Ckqo!F?tUL%n@Bu?xh_h7oYzCbK7iQhZUz>i?Mgz zxGS$a6${e7B+(Vd@8__&;u{$ULFgvUvaLl1xA(Rnn97we0WZkMNZ$T2oAU2B-QU)O zsinuEY@%<#W!>}z_s&Nf>XnO?L_4_Xh^a!{|xDZI%Aps9td_Lv}F)f>K|pDO^j*y`#1_p z2!60H_~y=9X|=p@+_pytWO)6nUlh*%A!S=$3f<=h)M$>sY;U*>-2I7kjafNs47=)< zp@^?*s-riRw=Pe`BSs*)_mYYDh6Ab+vk&auiFER#G0*ha9eeGMS?LW9#Z(mlo37pm zdg{VFa%^n9WX2p-QWhfc(gKxBwO5|)eVrUD;8S41m`;>uT`FmMyE$Fp*ZM zPPUh$xrD}I84yC}{XqC@{Fj}@+7thRwdWlUjo{T1_4DD0l207v(ngMQoGIyv=Aopl z&a1NmS7NOVJx^qO=DX7Mhwo3xvgN+s@5R+d|kjusMKm7JE^Kv`e!+g0Aat_kgH0@+phjK-4I-|>2rdIV9 z&jqw9hj3~^_Ho8Z-;wF}i?6Ajm(pH6;FHq#$kWczghGI)51D|S+~W=GRKx@}S@G_c z5vYsnCiQZ&Y0kLeJN>S?&{j##tKRlX{+?-3exVOmk+r@zM&F`D@=>meIWpcphNRnxrT4qVcbCfbeF!T)FMSCVeF?bA&)SZrWVh184GpAcS}N~Qie2yLBzBl^zp z9BQnh+@ItbX05;hi~W2z82lG(Qf=K1)ATB*p-@j&5tlh%mi%3#D0=bYczf1^=33u; zQo_J$NZ=J=kf%jnrjnZJq%jKRVzXWg+ebxBhC^YY_aPQ)B9d{y5U=BB);Cs7g0dImRm(r_vt(0c= z$`;PVu3YhB-V4ylBi4eL20;!A)wHH;NEpzk{Zpbg+hM`IZ{ThLr^B>Q;u~XJ+Aj0H zotFS7{lUPdJ*RhfUyQm1lMko}_e+DZ`^P}#UMIvoaNnmji*%v!licAy9B!p?qB=&2 zwqj7h*3?yxo5Q#MO`m>2+>VvFdYl$1*%hK=E?IV*x)1WvB$BDWRgSYE=P}h_Ll$4g zCg}2kv>|vMv;tYsiYl^LQ~N1B3nPPmLP0N0TNW{+e!}OjuUg_AYhz8v6`t4^R){?DUQP=w-R6f3)2M>^r?zwtp1J zBw}rEL1L@mgJSGYT1|w(8kM)Sp9%B0SUOFXy`N!#R7ssUT^8M+Ux$8Is@q}#Q4GCk z=gV8PSUjm)+?}!duU=}oiKM)lH@r5Ly8C~hI301kLDo`RCw>hFXw1^K{E1f8w0#w= z~t7iVm5yBpdxfvr1yE z*&*Bz4IOL}kBrqI>v-m@BGWzvMVGGxdTV`jWUTXIO`=9O1j}XcAT4-Y%3&Mls5Lo#I zWg!4x{bJ7F(ubdY#~UJ21F0pZ8|cm>{GmCFMKV|OQpo|Y`7=@^70P$n+?B4IwIk5XYj*RP6^JC{alO;XFX#&;CyYeoER=>Y>)0dudvIWhce!Q7K9A z=l`ujV=d2Hw}KYPIpQ(DH!1-6e&u-%ZPdzHWs%a4vqL2RNR{?DJswTw#`C+X=!Tut zDSk8R3A&U&HHO{Vy4uY(=1H|T@$UokFRl+0ZPV|Fe{7l1dfmfgh4Hox$ELG7osDM= zv;s7ot{+l2!qjM^o`blGKNd+VuZ`FEnWqMS_SZeCwjxDGBxMzAAeATj8xY}xb=KOe z6-x8LX1F%E4v~3-B~}m6>5W^$$K=)a)95A8obJ6^1NOd9DB*h!OR(&E%uC6#U!6+G zc+qVU0}M{bpHky>{i26LYr=p%yiFhP=GwqA^MnTSfXhB~3-BzN+iFA(;Wi(MF@x{xLMWnHcE`Kq^EBPBw{dFe# zDn|Ew{0iN?1NUn(Xt))SeorNq7L0-NO-y=i$7i%e&dCS{JZ=|02h#^PB$;AeRYudy=9_h&1fl$8SEq$yPLRC7S>SB75DOT!^x9 zZ}btRyyzOv+?tnhM~mK0M9fCN3<6r%hazzl7k~AP#45~VOVUXnx2MnNWhZ{NH;^7> zv2?gp6`BnQNWZFbxR`y`G?FRY`K-{io*Q3(!aYU}1L0lEo zT^#Z4ufUqeNQEo(z|=W3E%nJ+e~A3OklFPo*_LVcjdxOtZuaw6A+*e#M+l{}d(Z*fgq zf8fdxS>xrw=83&O?kqY-tYdR(Zhs!AtOIUhv1BeGZa?`C2F#edgzvXvX$Q!Se1{$J z^kau{MnScW@T1TdEZX8`UjD2*hT?>Sb!`8uhaMK#lOId3`raBm0{W5wO5^o)zXP{<&qa zQ45?q|AEXKX^&}wgEE_i1ckY*uCF{t$Z zyiMn`O}6tg-9K40s2(@@LhE2anRhW7t8isK?YU|zdw2JZIp`taM5d<1Wr74C?P;R) z7BzFQe0(x!L0)k5FEcN@6xphF!QKT0{3qSwv%no~K4fG#R|Sii&l3SKL@ir9IO}=I zeA0LD!zFmk^yAtacEy^f%bk+sK=ay`BhZsyB4y=0#6WO~YX++te?^V;<`xOBdqsn_ zQo7DVae_EewKH#5Lnm>H*ODMV#@VMy?$<;PiBb}*~^T?Xv`=6bT?ck zbUW$$Q$AuC(ctQw^T?L9G{9~^qs4|s@|LSLL>_OX=7%bO{#E4~9@-LX>l?ZZ8i=y? z+FII%7&$p1TG6sbK7y#Mg1@%B5(99WqshK#2`v({WzK1}7yOm|6-;!#gJ5uOP9-(3 zyRdU?YD)az7ow#m;Z3Vag;x`M+yGO0C8Hlz@6av;Qvbeh&o&Rzxhwi7t}=^?1lEj#t%==Kc*qM7b!^6ed$XZn55&SdYZV5uxp zcGJsaNO?<6~Dbw-NfrH289)V^%#No*{3Ff3xUe#(Ol05I5X)#H8b)?RFB}o{SkidQ^o_wvUH<;9Uv^4n?}=^8vAB1m^BA@D-f1g2*pX*l3wlf z=Uigr{x+h|!D%k}fzGg$y$#6fUh{5F?iJiK$|=~=23YISYzS+Ok00Iz8R#r`C&GmC*d9n z4IBSKS|{5|`@T!Z6WpBLTdJ?!U0IC5_hjWmf4QvPzfhC-6(B!R%c?qZI2K$_B47mi zzo81!6<^S)LOXP>Br_JvFKE=vK-(?-54CIj;IMOpWOC8%liaOD*R{w|~2;Uo`wopDW5i-AAhTvZxU)&%)pp-;pto6vwlW>8bk(2WfQ`Wxk9MzPSJS{SYtZ3jZM&RFch9Mv zgdA;pMw&Bk-TBS0Z;pDBD<*0OGk;tsV|W~H`A|j7pW|*x8)3 z{$@f?Aa8$QK0zzs+1+DOA=86^0JjqbS5(x5{BUQ%{I0wP&`TTMkhtak1HNwVJFi4R5_1Pz zr9szjvM|(ns?$#Cnt8{y4d+rRnlOl>28AxZ0>WIu*qr9ol1_Sa$vhjZVcIm)>2Ce+ zU!?rIA)iRn=46kjL7dl^pt-)|Cj3Q=g51l#0idVS$M=~>8w)?5>P#AA~#1qf&s!7v=LM?z8zG${eU%Q~NpAB71oQI-R?kDPMzOQEsz{HS*=wG8=RlY}teUn?op zsx}m+8)RVCZ$0%K2b4CZ+QP5t_bl}0zstM;g%HH*Rd1g8;Wrp8P|Xlt(dUq^0pA3} zq$w~G7bIp9QZ@zrwBls;#V_grS5_gPSmb87I6zlp$@LPVMb9F&YuTM+3l6RRMen4( zDl)~oqXDRBD@kGir?eYOp6PMEgP}gRe9P-|?y(0PqotPp6N}aw`g(r(YshEUU8jNQ zH>%8@jZV2tDyfg0eLPQG`S8xy1jO5DgmU)S3Eu`!8NU{7RI6q#00BQbBUTd~@#(J9 z|Fkhws`4C*EXJ1&CHJIKM3O6y>?co3G~xlC@CHv3o3hiRZwv-N=)6{sqt#OS%S*1& zx&rWR)%39;Acv&-u@b^iZyvS4m=zrn{G^|XM6kN zXk__|6;YEK?`^Evna%T@pl?kMWWD_#C2A*yG#>BF6I=@Xn^VkiJrUR<8Cp5H@||m+ z%=Q)-EJorfZ(_Mde-D(0Jz?T?Sy8+HqVX;EI3RHi+=NMpMPxnv=SPy{_jcl-Cp^k2 z_kY7C_mM$t?mX)>wI{vF;@?38cba6v!v7tr_P=4z(2rn{SWSL>^|@sM!F7n9=*T4` zcL-Jsd=Rb&C?Gx#K9~bxk}w}iikaiKU@CQp2>nGCyZWbkoe^W-6Fp)}`l}*AR$tUA z6#pA0?Lv8#l=UgEbz#NlyQ8KU!~@8I@YU-eL^Uk)MwUv_YdVjaEBBoi6rSWAfd7$< zT>6F$LwedVHSZbwIt1Iv6{99hs=gl>ZRB#A#5agCeYwb#7(gcLk7S#724i2%gZ&Fn zNp)3O4-3$&Q@yhG2Gy`D&VO5Mi8dD9Ejq&BsNceWA@!)#UBKkqRO^)K`q$R6cPx^k zhm@vUT!&*9)Jj?cByt3wpUeC|w7qvc*6sVpe;1L2>`mDsBFUCLGn4EJMO@i4GcvP9 zWo4&O)+IB0?;Y8)_sFi_@zy;)pU-#vet&#_e|A4^^>)3l^E{99I9{*k3zL*Ige}O7 zr2g4Y7xGS9$JNye;cJi9M$5)u&+S(xBqRvhbqGJ|Xj>k=)*Er5>t|1dZkciG`_i$z z5u0{r$cEKmCtq7;lE=UnA2Gi~ReO`S%ChxZYZU z0E7RxFZTcapGZQg+GMofZvX$p2d~2O1{-y6HXth1lacH}D1KR=VDc6Je(N{=g|nz{iY*9I1W1fuVH#7rd~W8hDqa^3Y)?$*_$Y}D-%LSAM4Z3vjd&r z2Dpy2>slZQvZX5Wgd%_P@yR57U8u1vHPzo78*2xEx=!Vm-ql`NzJa;dp7N z-KndAaHv?KU zDeHmA7NYv&AGO!?;c*4TVkmz;OxELF_P@ur!+UKlc&txoW`T)N+6%rujC&2mw193a z5*a;<&=9+J;Vk)94)PzI{TM@6bL5ml(A~hB)LL|+N_MB`em|)5h_)ASpD=h(-2yVB z+}$bDQRw`}QNLFcv(@gqn94+7WeiRG5DT{nZ|o`OG5ND0@S??g4CW8O$3llP{Lur6 z7Z6!`dDqXLi0^ZD*>ZmHSLl1TgJ-Y?(A`6M#>8vUk9kR6sR6#**3cQGIgM+5K(wIQ zf>s0>o2f_7&U%xoj2)Wsbo-mF51~b=j?w;e5R~M?bVp^AK@GqxvHq_6K_?(qhFk!# zn%NJk{J1@WR<~#o(|-EqXiS1^bWy|3U>qHV7im`Hh&Ikead>OLG>g_594SJzzF;35 zl^w5LFJHM}^+@;*ncGNF=XG51ex4g?BlTpGmr;7fXuS3uB%yJCK75IyUxmL3n;?*v zHQrish6z^}GFUV(H(wvrzh+bQ4S?BqcCYf%qY7jflu4Ujh|YKCXJ~8S$wA#x{^h)Bi?xCk*}z zvb&jb_&bER@_~LWqyzx6d(+bT&t#uX^dZP@;K2`_AiGgAY^~)NR1QtgnpW4I!KE!Q z=z5=2OlkMiu`lo7-9qm}#;)_CD73QHdsURJs|6VkfyUD}b-Ivc6ET--uxu`ef=l6o zZuSp8+SvT`S)FloFkWO8TG5eHbwu%=EZ_TkxFa%yaii$I2C+fM>O#)(+P!<0v00I{ z1*R7L?!r4I5AUT3&4${R4b_AWqqR<$-C$5jw0NOTX*)xiI$V!cbWYXHDZfucNv2=* z4PWy&u*PL&$J_TP_;peu5bpx$uVu{2FjP9c2DEL;ob`KA0O?=bTEvj4l6{+f%x_}Z zwK4GI`_yVl&gI;gS+$O99oPM%j*9d_;@N%QULgFBagiy#Prw-x7x(6G(lM9&3Lh9( zHzv~5cT16+@*Wdl?8?!*Q2^2=+3)MgWofCLVn=CSQR0Z$u(Tfu7y%A2)S-E3vy7V8 zeR=uT0ZQ85Kiqd&y7yg$9%_A}w~k(f>}tuI0_Pr(Up{A0=6D_I`=GBNa$j1#C%^x} z`bs|PgO{psOL)eTx$Vten?=ihDJnWHchA%iennBz=xHoY9*?Sqc!&`{Ql}yK&d5SS z5iwy5s**4o6Pq18BEH-&KV5rE?B+0W!6u|xW9|f65hSM|3;~o8?a#|XKQx8IF)!ol z{Tj?`P*HC+vnHuUR5Y;sFb{aL3mCQ@yRRv-SbN-=wJ^`ok<*J&$Yn|); zqLCYUn=*f*juh{^+&#D{zIa{N%t3WhADP{NfTAM3;3E1j5Kv@!4HdiY2ro&%FN6(# zRal4PzER7dg1PSj)RKm5#E#t^`rLUkXtcTmx;~}C6b)ytr<{#G?+xI4NKi9wc)E=I4^4W&zs!%cjwxZHfBLk77?Cfn71N#BI7 zp@OFK8nH?~a6oTlDv$n2>W1z|DMISjLlwO&fuCIUN^>(6)T8xLO;>zqc0 z^%*cpR{w%P(ev}KU$1!S%%`Q6!%2Qx1|fCZ{w8%x{z>ZQ!u)+e{7LHO_#oPk-Z5`q zj8T88JBG$H7?0`4Qn)y_>d0A$V!oP96vDgUsx^#OesxDdyM%M)N#keEoEO^ZouuB$ zi+2Uyn-)DEMo*&jn9r3aa#&gTg{qrEM2Mst=s{n+Z*U?;b}wRTe>&H9)y23}B;F~6 zY)W6QJg{V=5>6lYIO`i~XBxf-UBysZQ|$8;YFIJSF7s-k`6*58d6E|dU_d|JD=!9~ zxjl?&$;+B4C$$xc7p&9MH?<-mJ*bh$I(k-iB%SY8@{2x+w>qw+AcSbpKU(wrr39qC zQz|6OV-;mzL2Z@lCg85-!_XCaw(3+w4I)1W{IhCtH!@$~-z$T9unma}nc!17rSf)9 z2^Tt@E;G`hkE~Buz{I8}|0UP0l(pJZdq8#1EP+>UF+(ltTIjOfEtd*uq>p-O9fy(| z)bBhCdvikRp6^LlN|{9%?9d=+i-&g>xb1p_h|dgLqVI$^1Ex1o6-&e?j8rKW50l&- znJ6s-yl!1^4u4y{a0y?|{v41Bm}T@lPy^0!%<~Ya`DW)G^FmHTDzl_T`YmW+WM^4h zn8IhGM)c=f<>qL$hc} z*%{G;AYoqByJYY_-!rP!4XHV_-4+wae1Em00*>&9HNH3qq#NQC5mKx&=}Zb4idya~ zRMk|=SbTtGd=1O(`hh^CuUYI842#I~f;71xXPds>W(rG;Y1 zBefnJ@nhwn+QQ0=o5}Hn6b&9kUA+MQ=rkiX0_BaoOeG}HrwuGpWJSy^?oeDHcYzQ4 zX2pc<`SYa&^l8{MPk{&y9Q8P04KVj;o&dqO=L!D-f}6IGARDoX>9tFxiT(s2!#sN3 zHtY83n{DfB(mQuAMdIa4Jwo8r`sq>|H|gug->IjzA^4}kK+XJnsd=wzuzSqChhI$l z_U3nCtFHnB@%=~)|E>6o&lRqSWi+x2&RbPh4|=5a&sj9;AL>&jnjc*Z+58F8BCNOz zeYm-9Cf%F;np0YhEu1E|`mh(WTJJ9OqWkE|$KM;UZbxYYn)Y%fKbr}D0eo*+&%Cp{ z;j%gNMsuTL8$t{)LDSi)I_yOl`jx__-{g_qzjC=bbUjw1+`oQ37rtIg3w1XCEcMgVQ^So3%% zl3U4l_0h#flP>RRC*995k#Do|*ovF)26{_k6N7}$*+^8i=(5n67cxhbJu4f5o5R}L zdSpefn_qv?<8j%5PQO_~|y5m+aB(MLfI_iuXllVl)Tf-Si@sl;G@c zda(8VDSgkb`;xR^?jz|&(_=|ffh+XXbqjliSDH@=Y4CsbC*Z;kJFIM-^fK&$!C)=bz43D30`&qm&Ms=QJLxW)@}mhDI2^6J=(~Fpye) zrCMe!DmPx0)CmaJOMz~OxG%X|uh(G_a%oJ{+>aa#Rrg4;P#=G?w_ek__dxOcO{K?A zn)f#YV_gzf7{jb6A5)8sDVE2c%L667d~DPK9ZOxPL`IjOCly!7^4$o2HcWz^LA5eN z%nWmZ8;V=6g}qoNFZNpnSEWXTrr&4G!`iHm-eQ!Hk|gWUlov_sOz)2?M)hv@Ie91+ zN*-3Kj%bWlNj}D(u9ef(yLfBRPQgTSmR@W{^5E3d7nR=P2A#|!Oz^ao$?oFK5#zMK zRz#N$4`rjn1f~M^ijQPn3K9?J&B=1Y?Z-W=u$>gN52)%_m&*tNHr_X05t(R(1mf6yh^TZ3p}@ZsDn zl*=*)9z>EcMgXzE8<)$t=jXsKO0=J|#2N zR}joy56V22DpN1}V?2a^_#I2!$6Pp6zDLwvJ3E`lBhYOI#;zBO;-Ch4e1O6;K854C zS4*D~+hxx5>0)i*Z4k=n4^Pk6iqjvSVighCWV|$_SLbspu*eERsst89#Gt z4#O$>jp`nzE&1}eDh3B{Kvx% z+N$DFqkNiKKYUuM_T!a(rPs5=;d7t~;DuUGlJ8CJaNOoSE-cYB7e1AZ5qN^sqrJvP zy7^(SsMCt4o~8Nvb2Ii!SI$=;T~>%Sh2iuC`WB+*X)-8b3*2s#6FWw~-wIO>rxK|$ zPk!}OV+d%Z>{M>wEnYmVEIUhU^rn9|56vR?v|Jp*c-2nZv5U1l!{(o<8IHyl3r&LS z5R5AmC&MhJF7d5PZaaNBG?2cAXZ8L(_v;PApqfkmG(^V~!A~L6zP3^C+Z@g(1A4c0 ziN|;7^(e@Dt=I!+y2SY(oX8EJO2H51R%H-Qs znGcnk4$x%%1H%`aZ9-dP217S^#cUR=ZZHiGkZWd@Feimg(gt|&&YAi6)0&wWV%OVG|@`yppqr;SL^-cQDl=cBnTaz|h6^N1kcj>mu;sbE%9~d!ZaNakCVd zEPVpaDSrTh+VQI?u_=;I)8rDv!W8JQX*FRP9Hl)!O?oJ}%50X_{ZbLqJ!)Rf;Oq&! zUL&b*y_ftZoqnht!*kn4oLkQ3UMbL|UPH|8v&hG}dlXbYiZM}~=e#;Jl&)xL#t^ln zEJeB@?A6(KsiE&}BA>S<2s?$+QsQ9f(?jYTLi6s!6&Q{?P4jE{Ldp_i)m451$h?qg zbHaIS!R80nRSc;CUQxRA00UQM)#<|#n{Za_XowHHAR<7!$`owBorFZQ3kANO^XXlN z!H}~CLukTM53ss%R7&nZy#W~S{ceI@8k>Bx{oyc9S9vFJQoG}Sp2oDr9C}sI zA;b|h^2@6cY0@!E$#rwDAc1P6AU!0jcgSX9$}oycH}18FC(|r@!WdcZWKMp0!NLc= z3UzW#S}h*F>ld}|JkGYPBd~P*@GK0dSwRlxRIaDFY=dk$!a7ohvXW6}V4)tSJ$IDp zLTkk`@6=;1N;8cBkXzHgK11x>LNTrB&xm4)Pl4wNhHhpg_|)z7WLJi{;5>)4DGk0# z#dUQS5lhyucmE=CgFJ!P0y%z&|2HD{w&AnYebTtc-|@uke#!!Q@~k;R+0Sh`vSI#-kn? z*2PmsxCE-e9so~@d>%po{XKiYkLfyFv}EpfvHc(Fq)Bs4A9IEL)5RWiUBPg#xxD;5 z#r^k?NpiN>SYw6Zx;Wknx5m=Q!r8LMpnM6jX??0)F-Oi2l~g_iajQ*;;&^V($f=(+ z7}r}=D>R~In1wzea+6)>W;)OqbUpAEVyg6y_+%{8zJJLW7XAN7%!k?!#}zl4P;tDsQ|` zeU!@YeBL%Fs9L#k=c5(#;LECu_E)f|OqUO#!^e3y__P}ZxsC~8De7>k&Gh9T!8drN z_pGThO%X6G7AwURg-bk9Ks9}6s({NTbY0j!uw8eXtR-KT_40}$&%?zQ(}nBr)5526 zYhx9ukB;aaHz%TK??5?xLjYX&mG;u;;I0|)4h_XljmjUTb7)S6oeT&F1Px??@#ckSYKks(`f zuF~eI);_Y(vJZ7+gXb_xTluG#usF-Et9 z5E(Ytu_+)3BCbtxdu#;1qs_xm9Z+Zo*f%_Q^Fyg+I)3~kwJMx?Xt0E-%z1C&umoB2 zC;z;;KTq`xySs{XC7{>L<9NwPE_8N#8Op*y8e{lLsN*#%i3z`_attH9Z#eFYPk7%5 zm^1o>_x%*+Pjb841jLxD_ks!XCWp>HGPe}@1a()Y&?8NkLq+HPVS>2C545-|cAu22 z-}*hVU+7^z@QPTQ_a*l&|M+$VuDezRv@4hlJY#-~S?#YvU-C1sEE;hco4yOR!AFR> zkv4;ss_9ZFwRsx9uvs+|^#@AOR|py&ESt%c z@__Nu>>8ag{cO7@L^GwDv}vuM`f1=aO8Tfan4&F@?Px3MSK7Nht$Y+1iDim&IPN7M zqZhXb$VGVkeXnFV9Kglfs*Cm053{)oyp?<()^?W$x%~uIDtwseSG?rT%SsSd`n@eN zOMGwkGXV69H?f!Gej3w_joh2Ni`k~l1p!oS9ls_kd}$?7$+yB*^{#W*VUgi-eZH7? zf897oNl#tk@jnD^vohaMb;NDM`6q$fY{YL!aw<9C!-r6B|1KwT2pr0CvaI|(Wx(L* zpYGLewJ!D(G7JO9Os99xxN1wg^yCsb`}TxKGT#CMH^YArxO>o%{DQs&p{J$_$zoiS zEPFpXabG7;{7~DUsCdNna0~qPZwVoELCkvXAGltA+Wo~hccMid%=J2u?a9n{k)rYT z%7Q(g^Np9l(PcB* zAtAxvNjU8Gh#ypdMVV;*oX@cbbh0&}q&#!j87?cY(xBO1JAh68n~J+)r(uWPMA~DO zzJAed;f;1m|fV@RTnKhTwo=1w#I&%s=A-=GhT=BuTq_1=8XI0R!cC^Ad53=w;?zv9_PH`nM1rj0Da&bDW9+pVsS-{w*4QC#eC>C#eD1fGQPP zmy)!JC{eAW!OH2G{* zdhvg9rGvtP*wX~XdI|ttXOPTD@)jGsPxoeSzTi_{MRbjO3oHn9fbj*m86+>08A+@` zL$C}n{4mZ5iy%g44O-I$vxhTZt-c(ePrBLT|J)f3ce6e_! z?_w8tuek@SO2AnuV6aNg4f z&%%zIQq~?crXA263?a9wJj^+hc-t2|rw+V?*kBX*6|hV-+N<^3oVolV^reEdZnAMa zM$r;Y$bwC*<7>mmx^0bE5u*eNwS9IoHSGP{w$#Q1v(kV&|pg%G$8pm>p6V^G7gGcJ$!PaQzAMmw zr_2aGeAtN_h@G9eFRWf(n?f(jraJbaGhRFxjZ3GoLc}Yp5b{+cKW%a`Ul!eZSO|4c z;eL3zQ#Vf^^}(v7?GyI>&~|LipP_gv`7}!9AB<0k=sXl5@~l!?#LXUB_2N>pZ$WTeHe#$4#w^~Rt^!^FS5d5L+Ejc@*M$ozt&p+sl>#+C)MLdC`aSmVCZn~TF- z%{?qauX|N28fY4FqsD7r+W@OHGzvlxBmahOztnEd%YSKW(og$7^DXWiE0hx|`A8(~ z;?bKeFFcJ7n5fU!-AbEIXXY1pHjUp-ybAWsx(4#{a_RB_G=zG{LuXd%{rDY(ynX#I z@^&y+>AUI%@slYwbkW*j#?o96%}-Y<>vvD)hkNCH^2Hh~ZG>f*?&;oG@go0q`8v0~1)rtzKmuZxVq$}1od zRWW{WH?UMwfAw%9<|UV)(@omSV>FwHzQYUP?v`-o*eG$o?<_&*v=_}B^#NjgS5Pmv zd{^c-Cg^+rmxr?)Em#s*v6b9cwvd$jC`@{>Q{yUXcL9ULHoUIudu(>sToFs`;dEY| zu=xoQki67`U1Lylf}1Z(F<<@<=FvH~xh10fXj5dZMpt3*wS3#Pkw0~&QUW8rXsO7a zwdKd^sPNA}sNbG;=Jj>6mO6q(8)`F0ds&6kW~PDKs;!+?{K|J2`Kesl1=pa=-3X~U z01?n7+*Nwb3@*2YCAi_zMbW^}l%|uo+Fx3Sb$h}`$Cjcal^#ZEmNNl^Fe3l_I6ei- zV7gR}VEpNtXppRSyl=hJO?kk1M|3&31q7jg;OtG{bl@Pw-be28*P$p7;22a;tW)S7 z%EO|Mbz1CW7t$ihjNR<|;`wXu2SPHKCYiK%Kg8Yh$B+k&5<@-^y3?XmQZA<~LCcqT ze55Q}sSr1y6LMm4o;rWCX{>jc4UwOaa6l+JB-cR@Vn8!TzkOdD=bV59+b!}>!cEYy zl>bVkZTajIqJH=j(fyjg^*#l^33NDbb+wg76w-4!DwlQ|fK}olAh#YSXO)Rnd*k3! zniP1Esx02Z)o_!Cpf6AP-aK0&-kd%j>xhBah%xnLArl~QuRMs2EtJT$qlhCfZKNmz zcXBVPkR8v6vj>CyP-5HdqXyus?=EmCMSPdsCUL7)Kw!lIjbzLG&{VHN#zg4}E4CO#Z0&^udtnEoc+!5cijG4zsWxBF2&?OkiB6^i8Qt{=)X>2=w##=iwW7Yz>=SY(q}gxJ|WGsR3ZO`2=B& zo8~P!=`e2PN1~RDaRs?GY=DEG08A97K|Bpu;OqJ@(VKeUY~{O~XMPI*$#vx@QLW~^`syzhfVqg; zo8VA|A&2*|Mv&i;57DYr@K=$ArmL2p^f36>9;=4n^z$I+c7H;W;x4(KQ&2f~50*DT zdAV+NTo8_t{aLVlS+#~-(%5IomCOEEqcC?4MI7j+6)AI?per2UD_c8iE-i(Xcm~>j4~j_vO6 zNmd5bJry=mnqw<#<85VHZ(DM13e!@(z_x%FPqKw+f1d8M)Hzi-8v3DdTiZr894bcx zja_j3WL)aB6G%@4oSaG;&;90eNFRHdZ6sALtk2T=qL05=Jg<8VQqP@$x@9)H0gx}% zjtI`h{;1DF9EH{_IyeT6*zesMU$wPp(A~>CE6}32em|=7F?qbDg14A;#?#WDhvUEa zXU><^;tNx(vf;YJ@K+}#doO$`uaPeGLARF1Ae8<;_WB-q>8F;r8^4$MID8 zH_96-M}nK+#2r$2y{qFIblPPZo6xbySZ2EfkT0E8_o+jFmRn60+8jn-o6`GTj`!pW z-BFQBKQ9#1ZzL3CpxUcC=$L12azDt;#S$+54YSz0&N#CCn0E2mz3+f&Kt;f1PBfjf zeRrY8^V+80BD=HiH4cI!`%{S>(;#`t18a-%6w~}6OrXdG@7#AAhb*!4$7cR6182zf z?}fs&O~6xUWZ)4#F)rzah^o{8kC6@p*5?vs2;E>T&#p%Tbq_r1R8?ii3@cnIkUfaq^ZVJ!emg$wu`^)(4`gK!6hlH{YJ-FDs@*wrVZD?CANthcm!#*QHfiJf4Y@*smq2hnk)A@zyBX- z+a?lmzJ4hO@fIV)wm{q70=5FOQuxl`xop09t_5?ishb&K*7yP{Uj3sd5{UHi8DX7w<70WjW&rN2a?)u&C|&g*io zC(Q3F&=K)1_ET@Z@MJpQs4?iJX_8+9cAjZDyEYy<8ad3+0s@iso7BSkM> z%iiJ`-sd177z3r8fr|H*aa+M=B$P2&p|H}9yVG$VMIDYW0W^qBCHwqtPP4C(DFIK8&3 z<1)-_;F`@D_YEl9ECfK=1_~!a*#<0wJVMzNS$zLt>iQWoV<)XjJ3}+~$nVSzu_*^))^$SEr|hJ& zYwxS(Kf|OqZD3SdW%z$3Y_t70gzfhR`i*Q{K-gx}sS0bQ`Z_yajQSVC_87mIvwSBK z=DR=9Jf64FzGkVrGh0dIEDx>o`k0Zq#HCo({gjqIi`s0bPdep5*bYRuPt`J4oE2-~ zeONZ3#{Dr&^h`zgczyn!O*c>1#Bav-PKREEu{2PkU7WDk6pHa=}^=K=M8Smb(XY@+bn%5X8@Nq+bp zMnz?=S~(}PBRGgIDtQ^71ny3TgZL|YiH8h(T|4o)b9*-`T(&<^y1B=^M^`v>P={|@FvsJJ_?l{Pj*u5ui1U2bOZc7PkO zTqBdoq}>W{Ho^=ba`wU+bV_oZ{GRSSWseAn_xM|@g*v)qBYG0pS`#GlE&wgaGY+={ zQM_tb@|sNHKMdKcX5z4#$P`+)6&VY-Llz?Y-7Rt2*mWqf!&k2FoD@y{=S=T3<# zct?{P&uU~K4%7P=E0}Fd@5udoPs2BEXVJ!;|3TeZj7B9ldl1q4Q9q#&KI~RVed_`> zZh!bJ%5bYoabhJ}3qODWkY<6qk{z!8g>+hzbGHYM_Ava5^=ujsZTt2 zY}gapf4lFZ!~qFEd-vJZ7dUx5$mWHrwDV zkN+@W82{mF51?~ybZk5lQTgnv&%Dm|ejL4YBz3x11QisEQWe?ot$v7UKgBXY4iF-Z z#Ho@^`DP*^;Qbu)c~_H<;~hc~d;>ua>khEp3JS}giePsprbAe%Se~qj&MDQpso)5V zFszmM0qQVbFjiQkE!8OwKNZ5Ek{+Ma^}P~JW7TUiWryG4sXNA-wm(t*{V%9CDKoCK z9Sr`PPE#eL)lT-cMzzG^kWT%OU6~G5-S}Q7_E^~u0enAwOa@q-LKYn&IB-w;Tzrw& zJMD6fB0&s3y0dA$yy6Cg^pXAfF-WH>JYh-m|7J<^lIRQ!CO*qVmbQs4va~7Yx+k+; z*+;Pf^HaCu=iFRsE9fFf*LhiKK?fuN$wHF32dnJ`Z+pk;u=8+s6Am5ahYk4@?R3R`XXW) z;UCMLvevs>_RivHZ{zcAhUgA;N8o+&d=ltC=c6ZwZ&k5#hf~b`E;Z|2!quySPriNL z%fbwK_3GXX(tysYR^Let6AN0~l3iR;LD*Zb&WoeS5rJP&(xlV~f&{Cai;#V#IR;vQ znhApYND$5|>D;^qs)$t9o~sh0uz?^iaBHX)PWCr?3`x5$!vUXVgD=ct6NfFv^ZEb? zNw=rdRC(opCu?jF+n(fbU*a`+c_ld1bR+gg#pp`ul}u#caI;h+w4;dMMvmWxWdqx0 z=D-bBk1B@paiy<3vSLoRAC$jbJUsHP$gbyfjInqa-le&I2p^ja_hF2_t%4oM`{kx_ z9V1FX!rulv#vR7U3ZH(cThya~p#6&#TR_Y&HVYM~t$#xHwbDNw#&CcVMlRg#BZ+&H z4*&{+5VS#d+os2-Erz25D8j%>D_jwirV9l}o2`w_cay4F`f-WeqDjMCZEtK*s>HOP zvrbI^1A938q6A~GW5qVZp9Jk})<+yk`xENYWqU8wi9VBF3dS@N<72W+R;>tWLGoxf z(HkyKmx`X4F&SM;L{Km`*WG;L1UBZ*dU`$)kE)V-=I6_awiMgd|DszWi*~W*6276cA-V4p zG|}rnEB`Ev5Wu%Yr-u+b62Lu&u?NN<~8 z!qD@0=N0q$y2wdD^@cU?v+3x64vYvB|2brB<+=PIigb^`*E5_=g7Je&+MEN+cfNI- ztKuv)^uvd~F!2#Cp!hZPvsYC-WUD&jFsszEzkEm%>*#0d6xO!0jK_ z&}w#guR=wT*|KCZ8;m2Y2cm*$rb>=8o_UR7&SBSn(NyEScku~3o+xx*d1aqeo7D>T zg(q#pTG|GtX5~InVvf9u(9ZH*G^etH@d$wIQ|ZRrX*kk{(TO6to$pNs-4826UWegD zCf07RjgKSDP96(^?<xU*Z1QmVuG8K4xY5>BBLD3)lQ7zps3T^M`M9 zOlemy!E;8&L$?y>c8zD;RG$RnkX(qMFiJc836@b>t3=EQ;D>k2*Y(IwDXpu^icmEh z_|3uK>gjKeHYgVmj<)(o4RgIA;P{FP>g}|V6D&Ax(55a<#yGXb#H7=y%7{lHAm7cB zg4XzP?ZzrO2xevgPR|}mLWif>cX8LRJBUThQNxWJ39Z4=d61kP5S$oOw5IgYh%`(88Kh11pCE0Qe+OwdMfL+o`}zq;yBM|( z-Rt5n&GhuhJd&L7H8JV`Y+l7Kr9+pWUtTxng6pfbo-DM$=TqYc&wU}*ke#a%++7Ve z!WzEEpO(&6?7kL$tCEx_@mLgk)e&@7QX^GdMnxWRPUS^5>m^qHVzJt}zn7nj>67S> zZGVBZ+o|TVIv75t+eO!BN%FmuvKE>(IF0G?fIUHL_&>5{?;*Nd zx{#5fnj~i9POfh)LBq}PteT~dPI3CuCD!yERIvoOmKERbSF4?PHms0VPy z(t7CKSTzsF;QRp6}c6;rAj;4#S&@Ym#rf4|>7ud3&|>ALGA%4kF$){^pDQg(w=Z0jsu9$=vn7il!V%vGreCRa+b)cG8YLRHh7a%2X3zXsmS?D)KyL`nZ zG5oXi$mRiZ+=)yj!!57%Dfd@EWb)8Dh&d%B>QYaKZXRJT4aeswzzSqK{3(G=YqA&o z89}7Zws3rGI}-}m+*-!i3FanW2jS;nIM(c2xGa%s_&gGQVW-g6@UCjd9nr0NseFUK zFxnbqaY+xym4<3K6TOMg#0q}-7@Eu#=tSOQr&ROyt9HEoujw#x+5V~2bD3?Ii znQ>#|rnp>n2P(PqJT8goe}u;!oHLG+ka~k~>?foS5>A=j zHNPY@tE*jcbm_}Rf9lBlN0oN1U4jObgI{wVV>G)mFPl?|bN#^hF0~^y_4L)l+*?~6 zzwz~tS?J7#X5Pe*YigH@cv8;c$BWZ-2K#^fr(cZQm^8(ORx9n?M_<`c8N36d<&hYZ zw;$GMWZw|Di{BX?r`G*yB;UDT^pZbdOWjYP@d5C5&p%jzfgR5{xFn@9;<5&W3+0DB zFnPw_T91`rH0{kpY6NtP8AQkUz54fg2K!~doQl;V1CkYGcJ%3$zB!Gdu&9>Ll{*I7 z4U%VMVN|q#;}jCa@HXxHWkVr3ohrLu$GeSelO$eRcXXI5iy4Q$9wAqu9TnYl-fud# zAREgm}g?45V-FbtKRi03}- zbh?ftZ!XTFw%5UR?0$=ELW1?Sx2jv8s<-hqkh-(bTxIVB;l|yqZgJ66j`-7RyI>5I zQn;>N8QcVLT#c=AHiM5@?<6E)rCI`r`xG|Kg*6g_V@TGFmC)B6%)5H=k(NixY4M`3 zvl5#>AwJwf8UL7NWrpA6l~v__8(5%;=h6fC=%jCKyMm`^FnsUJufs2&6S}Re04gI* zr+k}j8GJ@0As=B-?vqE`Gwn}FsC`)7>^sDhCFbAzxp|vu^arWkLl1}24nKmb^uOwIc5viGCWBA0fx@|G^Sk2i!JaH?80&|vM{@5Qm5Xkd5> zm&zGSz8B=_#%?dHPFC!ei^T5gXnUj**Xyba9rkYOubp4n^jA9RSeY z8Pl0C=|eb6T-z|?tKZ0%W*TVHaQB3ui|eljHLJ|$JfRAoM^9=!3*(*aR-0gXc-Lvv z;hIGmw92QWCU~$AC~=kxsE~;q<)ibTzsrBQC5aso7jqqxAj=W5mMuTIHCVFiSQ@@@ z=f00y;QS+D%YUB283!^=>%Q^grl$1nf1_U8*@(j+U`?=(oLrOGzZRr~@UtYzA_I*K zb_%oIjUF7=*fdken(38s(Z}gy(&w((UX&wTJ8$WxzbdtyRk!wlt9+o9`te|(5BgbqOJ2M zM4LCaptXlC+0A#jxA4GVMed!47dDc%JdhD-=fN&KYXND?^1TE=;D+3|+5J{tr|>#P z>3{0ke<0fCdQ(ZcIgm&J2Be!1#iL9Jlr5D(yR;}7Lp^h!py*bAetxpdPmnL7*>~s) zZ{ho8J>TOdt-O~CpaMxV_={3&Th1(!maDZ;EH<5k>1VoNcQWa1HQg}KwxznXk^kcu z2}B@ULJG2Jt$;Rt*-Ko|&?rDK8(apZ(khzBxUbq~Qhpoq9gP-$H*?6_BzyWe$##{2~Booi6` z2Hb+3oJD;afxPB7fLU|ZdZvNianu9uaqZySV`%h-%(>QVz|jXfPC~F`MT&jG{9HxM zbAk?T8fTEC6tD%-oU+-15FVdL9|Fmfm(278me#`u5|2u5(}d0l+`{>B;gm`(wdE&o zmmgmrF&;jb`GfzQmnQ!GaSWf_ z&^Z}o8%ilA0@QEuuG;LuxlF!uW7~aj;<0#u2ZBwu+cP8VxO;YwV$@N(W+;%{zX@Yh zVE3C{JGA$1F-U9Uh}~qntxBxyGA0lCHh6KzcS2rjz^#bb*62(b-S95zNFNp6M}w7F zv=Jr3^QGb88J$zYR0hzX2yB#DxXUrSMCASpoR$1wb4D%i;k==kzA9H&PP8S{Hf8d{V740BOx96)aiL2U z(g->C%Hme1_?PN(i>bOm^`yqtXU@f4Kr}x|U*NZu5IT_i`mAq{0ahEH%_sFCTBmR7 zC98?G_+n!=9_ArfVPcFEY<7~zfjPz_2|6Y-h~MGqZk%)u^V`64-~vn_))r;u z!^X0*-WXqRx$u0fWw92S7$rMXJ}pVT;blX)CER==$X~kbFK)IkCqF$% zI{$;4{ou)KKhTzh_oyI7{y{O;-+y zmSXwbsL~Y*a}4~$ZgD*$7<3X0PYrOw;umvSgJgHuhg@7x(cFExJ|1lU>_d?Q4|DP} zp(JTd`47p-{Gnr+JVMT97%0wxk+p#0NS<1vo9DDt1!%_JiHMz)6<=ZKLlKjOl3FpR zBKtRpf0p2vw10v4lVl|SDCD%mW*3okfQ}fG_wRYx_HaL$;!erQ3_T%f*j|5)d3YeV z7a0D(%lP=5xMbt#TLioC2wlpEU z3|H!YEpCIyt5r+ZwA4%p^p8AiBWC&%=|{ycJCs(;S2=+K8J^C$q{sCaIh*$%ayFz~ zy^tFCv7sTKTwwyKZALtnfbfiWl*@U2t=~qhP^1Dr9y0W+*GCbM+~J zV&cYs{wVHlNbzm5`jqWA!ymcrNRUD%08*4~%%T|Sg zTn(BhNjvBOOp7nzjwD4CM&V%*yD10#A?kIFay;}I;TQokPh$S zbc(%bQNB*v_Cho z%tbZ_;$9N$B^y;|{So@baSseD8mbp-X8+g=umZqDP*ByzL%8;;lFX?n24b_{sQiJE z#&-<$G1@DI?^@Xy~Fcq_oqJtdz45$@1nPye3^WxIt|G5m)8cU&p>WPaxWnXR@zS?@TDrZhhDlkML0bJ@5ag+FVHIH)c92DoFL+{+EK zKKC8e$I=I)|3PQp#E0Z78tT~3(V{X5kT+YhuK!=q*-eoHhB==yiBL-U??e;){zhjn zo}jbUmqzXkyNT(O&06NMW%bJk39!tWItNEQt>)n-2YE{w(j#k>Dg$pISx(A!Qx9xidi-tt7W-% z*kx{Jq3S^yf)?#?lNOfKPvHgX3H~(Hn8x6xdUW_wvcv|`q&?mlRj=*Ov z18+;m&96K|8#m=lw+b1i#C9f327K^^*n|XmLRhKzuYM)*@IZzS{Yygu|HuKHf z9P4w@SIEg^9KC$V5;At+l%tA&u|&0}z%HOg99nHIbUHH+37L5*(xUISQ6H$O&Bkap zi8;-OEe618M-vHJG~I^CdTwKL{Z(b1WHy7&_uL$!(F9{$=BOkss|x#(1?pq6%nLWp z^^}G>W<+JG-=Il~qkM<5Zh8DB*N6NbsMddp+PvZ1pm-*CM-RY9&zq>16D7TuPQ~Bp zJq=0Jk!SLUStV_#hHjn;ZADi=&<2(YTS}En8ed1!$K&u%#uNU-{g2{-LgXRG@EXKw z*A60BRPGTL;yGSO@lqgEVVk|=8^$N3g9Jr6>X=P-8r5jwwoAI@5Lg*zkOVvDm;Qj~d56$6 z4J+``=UBl`vNBn~9k^}ezN5wY(LG<#k-i)l8jBq-dFC3PQRkD9G7ZN#Gj2qW zGK_yT10(<!^PptFDjTFV~^u=yumoS8IGELUZmIgtEh@Z_Dv zu_Hm$l|cr<=oQbiRrMpw4qG?uQ7wmtgydm|GN2v&1;`0L}3DH`^Wlhw@2eM+mN&1Xim!PS#Iq&qZGr_q>FK`92`(aDky>!Ox=H^W%zE~1B4n?Q~8V~HwF`l$yHt61%|h&3#iyM(704DM@R80Ol|zd z)i#7iUH@>k(~4ZLPyKcYrIcHr^?Z$R0X>;k$~gWa`~IJV6R64|#(6@NY-T}rOszTD zfI_Rj`T>1c_OxO%$tbP7(TC?0aCGklUMOytKOaJF8@TujVMmt|q`HVkpp2B{>`((5-XlPAIf0UTnQRB-ekFM? z*0!Td2y&X~7&O6Ski`HfRy??r5PJTySDC7$)ka=1tU&NZWW)dsN+CWJ2r~&uSyD9s&JULC?xRV2AmcTr zCBO9YF{#6(HF$nU)lH;_==zmLysKGabFRhKe2dt0% z?F$%m>sqD4GCdgz)<_v=Y@$R@w-h(9(em%c93(XL+tI)Vqc)_JHpa*~ZkbT8Bdfz{ zaruuj_(4nVptI#Avo#$1J!^C`wRPxZ>bmkNJ$VPHpJB`0yK)wYy^%oIXyR1HSyh%e z5l;jjD(?hcs5Reu$?FwM(Q&d#SSdkc06-l4vej^c%HTO+h00=BTHG6Js=qhb=n0RY z&XP;|TvO_sd%#}QheO7F?dRS0wfIU|k-y6PH<2u)Q?`<-*w_46y} zTeY6JEw!`?4MxEG1%pX`iEukZ0_RtbP&iiDQY>t91=VD=y-z!{DciW&LCjfR8hf>s z64nqQ6L^6SXG|}e@<$b8+jM)fw*H2Wnm^xkh;Nqw{JB*7V}M2O(TR&*RxwD_I~3q; z1tTmoDW0p zMD3fd@}};})a{tRk;-ww01vgUGe2T%ni*8lhD~8{Q}yR>os8A1jvO6}ZGDOi8M_~K zD-gp$SZuE0^MI>Jenh+c$+qDiFt#czfJ7Mo3yiIi0p+$Ti&4OouuVvrw}+82}>LeRxDJP|$e24Ft+bO@S_<4||`w%x?6>fYXy}l*dkE zHsjK61iKYYh8w9%hVoya*+A6cBNo39fNv5wSVfb;i}yA{Yf|}4+zk9VZBUjxGg4JI z(a#uY{&h?5Au&Bsk21|{#e2+`s2Nqpxwkn6JF-1J(M$&YC59RL?7ohN?(BcCvHkyM zW83VMv${?MpPM(?E%USoRfH$>n(Uy4j5BBqRTScl8AqAUGF``Ig5OLIvcluXY%Wmd zMSx(5G)mDA7b=gxfveW2mw;!8t;pnZdAP1H{X=zJb`qumwCiO8K}IR}#tb-O=MWX^ z+X0|S*%Dr{KKE@gIFH2v@u(+-!2V#K8w-(~Z~-9h0V$gUAI7+gLo=RLO?#q58x^Hu z2SV3T{!=be=););mUKquKUC;nga8?b{<4GE&u6}eIE8}+X^hCNY#P)q^@A<}3-Foe zb*r2M>IWn6|1n6=Rz#?PTtgb3uIvpoVg?d(gbUR_FlSYwh#*R+s-%j9P&hV@JbJKQ zC7+l=K+X@EFf)^t^b7w-s9>MvrojG=iZ@oHH&QS*f2zm}sk?*t-Jo(#N?B1A6$pHg z>&h*LON+{e{w;~>O+~at@TplcG0hh~=K^L}IQPGBbxxCSag6@07$%qa9E(XuIE_6$8r|Sah=Nl1Ly49I?0>xlke@3UApxc}Zk$Znf5A3?uC?94N=*qW&3*Cr`}F_ef6Tld zvG)#6E2&eL{XhIy{`u0)L(j9*^K*avx99wSf9n4~{^^4n(K~B3s{%>t|DUkfW9Q?K%f>t%QwHW!=_eN(R=wG$k-i$45rh?Y=vk-DJlR(ZH6_vryL9!J2xp~ z{Hi{A0nuv~b~KcRh4f&tAbv^YWI{A55J8La{vhi*XxkrU7!0b+;%nC9sEJ5x?#;Yt z&>bRTy|u9?IfTyCUKK(sHL)~oMzXu1Z{|bgGns>`irhX;PnYZY(&q}1nXoV%!XHJ@ z7Pz5xbYmE>+K`KI6#$MrCH?K94k9Sv!h0$aDG&E}Qx|&L(FWX2ck8PJuSxaug^w9G>XdkT z(fjO0v97rS$r6{BdGrHy$J(PA0RGK8$`{md7 z`u#C6b%2~RkPmE}Biy)Rp!s+FQsoU1w5YfL2GGiNphV+ZQ#`9~!c2*1x*SKhnA{>D z;7f16k8bC2y^aBTDJ>PF<6rpfYRur1O6$6IekO*|fJ(D8HoRP_i8JJhIjVf3x85Jp zk1AuWW1Q?HB|noYh{MJ)Kgi%w>zz~~$q$TW%q=Hrkpdu2SCA+BO07D@@BKb1(Y`+DRt~xN>e+Lq0|W;2L8GvJRE?v zs&~vBIDxi#08r|{tVNRnNZcIVfg#T8uDxzR@Wbbn0>4y5G_&6KV6gngr9GPU z^L^O*ZaHuZ#l`B!Q4+}qN9Q|L({y_*kO&82>jBPpWImDCujt=cSVT5Y()40Er#Zqp z&OyA+5Z`&XB)=YljZTE*|4;9$;P}zVjc%c8iwDnrMMK_qKqYBGqvvzOoEQ5F}O;a0-^ z>|~etJEtVs`9Z^a?c^b#mxgHq{tOJ+Ek51X5j3(ExiAgRT|xTvTUoWpk0pi|VV|9D z>mX~IAtmWX#W_{kH3_Aaqvu9gbWakCLy@Y>KLU}USl|TZ&_4hodf>_)R!d*L z@E6d|5LgP!3srYLj1+P-ezbIprMxkV50C8CYZJjgOI1$YRACCkPt2=m}T!Y;`aDK!5~Kez!C} z{zgBB@I+x+JBP#1@4IlV1%nsa;KFwKbiv!4bW)1B?-(S`tiIv7-XS@0S7alp|E zPw(eCam$B69G7D2b~KR~ASm*bG=8(*1efaYpZ>6c>Mvg=z{fvmi`a6~0K~X{&05q? zmZ#17ZP8k8H8sF!xNDkGVK`aU`jb+cWjG>?vJNwODr4hm~*~`ea zstT6x)R6;3lQTIljkM`t0k~Uim`Km){Iw8cC@Nq~c=!B~HIEOM6c>O1lb>a#L6pMR0s>GcqQ_QFr%oSV9 zcS}X5Te+;CIno+&ca&C{?VyD%J!&G9@Dy$`kQg7K!A5s2j0h?nfGHm9FN=wEz6iXR zdVQVp=0firzD$K{EwyBc=x2Q5%>(04!H7oV1+V@DdG~7WjU4jr^**NrkBm6L8KY4!?-c9URx$Mv;yKQ7x&_~Cvtcf zBo4HkND0EzRTf&-zyuu!+?)&QAT6b5P$PG%*szcUuI|iIrF+BQ072J*=~d?htLX4y zfm-dHS=DcSkWn59p|Mlz$|=)BRy?rQ>(q2KL4r~I^u(yiEO6hj;LCH&l0oE^Y@O)B zAGE))^22CIkLFe9J z=A>^*yXwoMmkpa@4n(2nr===i_NVS-)*)ZCLj;9GDO*!T$=~gH?cD5vtansU`~7~ev2=x*t7=)T-gr_}m08}krW%apD^70!+yw80Y}L&h z;M>uOQZ>$Tu$J6acLgTt7=Vx${!syolz=ReH8AP{bfK`c5x>fVh6_!X2QUHeI7%Y| zs(9HJ0AsD<{>1p&bA=St28C_6kon&F%%)w+)NVa5ciKM$j`euZ4Z)RIlam8gTh`y- zv_MaKlN$CKoa|E#Bm^~7y0Md=bdcTyFLu;2eq_p$rU?Tna28chOQm=N$t(uIKOxW) znXFfcEtI(+6_LR%#E^g~pqM-46*SW!x*<{_UV2IRR!f{AvO^(vq1P&79P>K~3=^4n zW0mA&ioO507vL<^vnZ-iet>~KQKw{dFH6RaRKcfc99?>fJrP`5?s=U0*Re9h`@`lO zVPIw^C5#Z!;<2+`sLSPO)V{UZ62;9P%0m1|vJ`IyF;ab1X41MWJ=e)R=lV&{LQG*I zM?9(1DbvZ|JZ)%$!PHFpsjThxQEEv~ngrQ)%YdhtRxBDpy~Xt)LzaqN;}yoxl&0a5 zcTg#h3kenF(SRR$lHuWZ*jDhS#eO(c(T+0tR0nJnCZiDURD`|JeY2EX)@P3=&ej+6 zE5KFfgXQyVJZfaM3@)U{6ATlu&`YH6^F;yEzj)Ukh2Q}=qy!H@u1%JiTE^syXwX;3 z<}DZYH^}xNp4&Dfo zA;39ByS$(d4pp+yI(G7;SB@S7f@U;P8g?qy;60A>`P(;VHnt#a=3G&w2s<$}&;>$o zY%>`>@#ma{@C@yCseGiKFD$s;R<04)Tx6JPgK$^})j?#|dsU39zdAG}l&^NH=c{MN zI}n7j29B>WGaFa%rIGH7mzu%RpVC|eBQo+bQ(VU`QkU{)FGZ%F5&W6}njtcbP<~l_ zTg~Js8aOG47fw_h^nJ;R@E1rib;@PQuC6>!&A(pqh>QADFZBVy-jEEUs!Rb> z*ks@{2^d&gJkbxztwg_i#H{-bF#4YkamBv3cdAUa2xQc0y5w@JHhGBbzy3*swLm;t zH=B@|l%9_gsCYvck-gGq0SZp>9p6gL8e}N;V1kL~xIL zwA7XJnDP4wT?sOzfWiO=I)K8`!PmL7uz#%lRKVc=;nuO)xX^ z2=<52_Jc)=)^{nY3oN!swQXP+ zt*q&oVgBYO6$NRTp#1Cgqo*#1t;w>r!AORz8ssXL8viDJ??ZbhJnnX=Q3;Tx!5Ixiyv>nH&=MN5Gy8~SOHryx# zi@^>(@w^h5^;1c5UV)Ahyb2 z$fWM4oLmytd)yc^1!swmiW2*5ru^4|tL+Py^1Qo{PE_)_MIVCxu6J}-{Zp>HIkbPq zNT!W02LjiP7Ks$mlNYXCuhQ0ZJgQ&tm`T`r1Vwy2U-IZ{Sqal2%~GQuWcW^l`R-w5 zC}iGHN>uM^qASUJ@XGH%=5Ls5N*>C;Ehzk-yfriSjOHsz?^dlTE3(E^<@vir>Bp1M z(Z>owOJtTtbyB*;V$q8o&~I1JfLOxkSv1ZjBDz|k6T!RV1R4^Avqo10RXl40W0f11_CwsZOp7YI0Zk)DvrEQiEwdV}3jq3#clpC0Nwk z7ZgF^(h0@3i4wBxj8jpq3fol`s4Aic8n(YDeTFY= zSh%B|!yfAuvt%sZ%#RwlO4u%o-+F5I8eO-OUI9pEE{=-?gkPCQhWBWhQ%TOzNaX`P z$>la>&&p4c=R>1Z-R0QO(x#j6 zKjZ01x#ko7rPY^0u$3?&y|$-H7OxJ_N?DCfq-ZSYC#$G;hZR}vyu)F}YQqSjPuEEK z^MH?1(hoU#<@&yG|0ns;x8tzur9PC%@YmFSQ3sL5MxdDTwr-kXnP4pg!csnjCS4dK z$3CyjMrSw2+@#SMc|q7@aC2`C5qCTp=WZK+b;P^YGu_W+U{PPw0$+rA|NfrXdjIf? z&Fmq>y-{<$cw$Ow73cV}4PIm>smzwa00qJrYA_vB)&G&c2{l7(_*2~ik^a!jtYi+D z)~fp3w5yvKR*W;vy5B_@7Z&d4IqcTcIrmaXW$I-GJo#0Zdl~-3_nsX<*?o1{6oYF({t_H}o_I zNKm_iAz)36nD0zqxd2m5+G_h5l<|GZM@1Tb#EXIn7%sn#5-8}2A@?~{;l#G24-;&0*HMVJm_+7 zY(d3ZVEkd07H_8qmOexK2f^hbR^T7bgwC1A@G~;6D!~}GOHfh?di2d62XSAEKRs8! ziQiHFl27m>!HosHiF)kc9fDgRp~?isvgidC8NNCNuRcZk%h73If_ibU&d-e#BAkV1 zi)Ymw#fP$m38%(Vj+9XM3`kbselD@?^rLtske;AYqwDhP-$-$|zmVb{!N(5Oe|X~U ze1CZ2k-SpvU(&nb^a4>DYXQbDS_FA0`(1G0_c0#V&s*=;NnlOBp7`+I5?Xaj^?5&i zE+xsnU%fJlFEVJ!bN(b=9~2F+qFWB{<-fE4Hp6v|61k}pvzaTU^A9}g+cq1 zYdc<#6sT2gdME%JYl%)*960Xzn9COtt`xN6l11huW1K)3q}sBEpzSWuHnX4IDJZyr zDh%xjOfbdmis8Q59a}$}j`?Bgh-UX&Br0YkCp4slaU2ef0R7}`nvinOl}~WccOd-} zc&4{A_qi?FhzERRsvM6mx(T9BaQ`3J>#!9G0KIN>omGO6-5ft=C+QTQCG*f%&90i? zU>fbs%=qGRyXb*3ia+tI1|sjr-UQ(NZwc)Z4G;6E!RwMjP}z*8j9F z9ngamz#iqnn~Eb;&h=S3J@tjCwFVYd3Q#r5K4=-(W7381a@aCmvjes~R%mAiIYyUd z95wsFmj>uSSa=9a{cB6Rvts{HDT}=)#v-sbqD4A`UtmAM!(~^Do2utJmxK4hbL>Ql zpTYWNyPsQxBW@{NZT`oUC2r)ijnmg~k2p$?1I z!ZNGn)Pj_+dt=LEH;Yo%;f@2c;^@;Gx-$_f=_$r;7|mZ(+9X;@d8Y@mgfZw%jn@1e&q!>i8a?k7W~G$sBPp}6NxWz6C3JHdhnr79WJ*yzWC*}J99`4 zF%O;*Tg>ENL^bZHX%@j|CL~#?`=b!xg_nA%+Y#`{B<=VNRnyb{Y=8YSEi2XGkR>z- z1)HfG*LGYMZH8-yh)zONGZ%7^amFOrl}$?mz*Xv`>jal>CWwUt zFTUK7=4ywSxjQ7v-OONfvFqGC&5wr}BzjyM9~ z)KLh@7ZrOk!L_tBWQP}8#+?J@Fl37aalQGO6hEPX&fwSQ_zB1hX6Re5siC(I&v2U2 zB_>XA_Y;(VV(0s;$mp?DjSBfFQPZk}T03rMN08Sk`yvm}d!O_Fg&Id1G`#1NDjk-+ zE}>_({-EtkbCzq12e#Q@B>ox30S{5Eo9#3m3N_}NFDpw{?f}iMH#jvSJqSRm-m4_L ze{8qd2=T-MvaY-$6FDmUozYA`3Zb+*fU@}*zMAe^64vLzAjxq6dBy_GB<}@GOCrX*#v5?f7nIuJLh0yxE0H&) z9o8iBSea5XC-7@zoP=c@`jOLtRWFmiM7KB-|FzlX93OPiO!Dgya_!~i6}~!48eEsS z=Gkk=7{8uepLi)>S3llBO(3)tlgAb2;yI0?+*o$(1DM24s&HJTU#X}Xh|gV>X-I7( ze|S?bDE3ix`S%mSM)7$QH#{|lciB@sqeH#A z(myXh*3X>Ci#cOMCV`tY;#q`6RM3R8Jt5(14y|=4Tvz?5x2hsa9y*w5Y>Hoxqz}HMNE@=e*I#GV3w+RCSLv^pPrNH_ zwda*&z#w-IKVxHd?MdP`8Rfm+?u#pTf)6z8*SmYmrI$Ol+9fZ2QQkJ2{PErII?3oF z6Y?s8Fr1?=Q_7vrE+nHlW91m;mJlsX5tZ$?Kr2bA0qN)Ta6`*uYWAVl926n-E32_FIoro`-1EQ}uWhK*|D+E>}syt4|suc6Q?VdQp@HzZ_Qd~^xa>kg8o=O|t3unAORS@i91 zGKImMp~GUQb5?Q6{Um;&-D=53Hvv1q?a6OXVph{9|ASJVF3(tO%`WvkCAi=-#&^7` zmrx)_e){GVPy>r*&=SAmzWe-0h}h@)a(zS8w-5z~g~p1k{ikU83fMj4*L8M*aaIt(i=+gIis_EW#RYr8E5pdDF z8SKE;A0$nkQJKkgE3QL?%Wa8(c#SMIqX{7E>84*ld8F?F5^?`ep&-Jr71}@n06kIW z#DZ+R+i&@fT|1H?5#8N`lEo(9y!`XxW%+NwRok*$ou<{B643LD)kXt%OaGhcw^Tn( zHo1Jq!UF2HUvC%2-5qvd*r5~L$u)QV_ymnYbB?eD)?f^9Qc6P^9p9YJFhQ=9oxPg(;K1t7UL*x0EYod6ubffoqERugmunhWSe z1#U%1JpRRejVriI{K{IK-u9$62t?~w4(|T;$hWMp30PyBHloYvy~_0lWOYMFl>F;5 zYOiaRHVz2Qt~ib@u%KC!8t?&Qgh(cFv0u}|aVD}Ne3A~||9l^mcp;WY|b+$`rDn}jd zV9VETK5yJvBIk^DWA>T6rY6;Xn}~0a7^D@I$Mn`^*XI|_A~`5%8lH!;K{TO&G7!mInOqS9G9Ru9#t$c(8KZLb?; zY7^;91&gy=@6N-+uIsaEyo!;^Y~%q{(-*H_#LN@&(khH`rV8-GGk^EImc>xr4B=-^ z^_qtv35mhtX#emWRh8ngc5Tb&=1hS{Z3p%PyNMGMNo8Te8@ufGr(73>N+Q?;_1J;s zb=Z{SN#d1e`GwYw+RJI>;>13SFr6#)ajt7ZVn)&l= zc;uW`{gA<`j`;_DJR>qc4B z#m5s<`|_r|iJPk(ZJ6P#JeyO|VB}S3>9YIln>?2*4DPMld0FzB&|-ZV2$|>(I*S6w z4(UMi_a{iWqVllgKD-FvaGjd^$}}SCxE457R#%UX(2xZ&izyxr27JXrhA%LW2H7|= z>tZfoVR0(?X$M{fbps%~7R&yK_(`!HdvB{>8O`E2C*!`u^GDpAyFlQ&TJ%VaN!4;0 zIUx?_(uQ6F`+JZHc1tedIjO&L7aL9P;k)nxNb%st5mL}11dkihkjRXkU~z)JaRgjbo8Ex84{$pO$ISO!0muyom+nFs}gg zyT?oRz*cW4$Ho!Qw|$$#FaVdGad!2QC7Z6g!;+UT7EC8IP5G~{AW0{$aOxjOX2^)_ z=ngtMv7`z~>jEuN=$RM)MMVeUAdeXWJN2w*uKhTRZ-aQ*_C2&XIwE=@$}|ZpE9AQu zVEsk2UlY^Y8>W|XH35_~yU$UHj+`s9Yk-uYw>6^_duPle*AIA@_rOwbpu_fig-UNK zLwBiOcFrLG7o!bQ3Ez0K_6A?O$LWMfmyA8=_(oN)x%(DQ(}i9Mg+#uG5)K7M(a#m2 z&=aJm1(!O#jas2k4Jt#9I>ZdM(}I!w&D1F4ar=A_5qnBTg_>xPPWW$Sn-RsWBJP0D zj5tIVk+mH;`;F>=S9{}D@6XGv9dgFVa7IbjQF(}ba%F|1k~8)LerKn`o>4uB z@!gEm?YT9Q@<8r1IWv%s@iv}gxB+Z1RAy|^0`lbdXHI5=icwXwV6hB_grN3|_i)wRGBtwfLa)INfm2PK&x&2z+z> zfTPpa2((jDXZIgo9KNgwVFy#BUAw|utT!L6`jH(iR5}Uf)6)+|?3GPj0+2FryzKhq zq74}Q4rD#cNHPV>w$;VA6VWGdtRu0@bR0w#S$-{u_g9dQ!8B$XGoo7$~F9v~$dHCg9PwmF&gpJYH%YoN^QG;jeEGkfl5we}xj3j;y?Q z!(H$;BMY5_j4xfJbTAm88ryF@LIO(o1c}$FzD$v>%P}yDMk#`0(G2aiEP1@TAloh7 z1nUvVw-dVNb4MDh!E2yc3?zlwzAnpnw-;(GCwW{~`>}49Cz3|*j9EMyms-9bPxbf3 zcf|m_aO2qs*THA*;}Qr@PMg z11^jF%>j5RBp$;fPS=)x1+g_Y_gv7@a`N3vc1|qH^8t*~MP;*y*FcTx@xl`74uT8$ zscgFNSuYV3gKi7%{DX=1j(XEiyQjGiNoGUBa99m!3Nm;gqSEzaVIMJ?2RPTO9g& zp84dF&kQJO;+>s4{((sM4jQcQm*U)OFT-5^Yazpgo7MU`S{Rkp14$GoLGpuCDd4R; zNi=o&^tL9K2_#dS(eUq+Hi~$St5tw8YOXQ&=#^a1%xJw*#;e>NIqSVolBA6VVm-^P zb0SkUcaLa$E^O%Lo1mwGlH(VNd`o+?+%yP^)!vR_iVUGilaIs zPFBY@9BS-3Ne@F(MxoFe<=9n3qwh-f{RS1Cg zk)A)Pm`ZID?U554dnlCRSRZm-K@VG)z?o7Q(%LacoE^E4pJ5XjhJ3bu6!`Da4enZXt)$8kTu>lr`6we3(JUd`g1{CYF2I+#mY z(_3zj(m`kV>j~pUT1^S=n^ZhpOxKqo2KOw`rt>$rE1*WW@Rpb)V+a_!u0%9`Ev>$d z%RjkB-9U8Y_}B$FKaA)#TaonhwP2c_aFqmgdgU>WJ}!Qqv0M~hGtK;#v!(5DR&CJU$9?(1dg(q zoHVwUh-cI22tbL#6FQ;J!hvWt^I}E5c*97N{!@ro1kYAM^BECHXZIcKX?!MuJZ(3K zH>>=?&9z(HcFd6{Omdh~JMaGB>K_N3QAEKfLLJHO_l`+HPowBGnu8{QP_3U7EK*Ei z5h{e$6SisdW$xE&3(}2uJW!r_BJexv14kJ%=r5Pfr2mvJyh6H8#+JjX7!uX7K4y@= zs;A-Pvk*V?R?1^p4k)s(oX$Y~#z?_AF>Di96=d|@Jl{(?UoI|skM;Nc@Z=86AS9KD z4Nx4DzqreFnZ5#xHXg3&qJ*!+tZygKPvV4-U8%F16bd5j9K6Cg+E3R(xBK1k69r$6 zMU-D!$4C@BzvJYz8Qf<8SYc3+mANSR>RP?WQqdXGa3a5T-+D%7%awrybHKBbATjxx zlLdNlwa<7iFUjB)Ydfh@cA@nI?nQS}Gz0QtBKpG8REL0;Xq#UtW@e(Dsy|tcID|jP z;7sa4|9iORo@H-ENy_gO3LlI2pnR&zy_Y49OnWU z%l+K}h!(Rz>%bA4lxsp4J*F`HpJmBLJJjj5takzEI+%UF83EV#%dCGhPMOFmI3+(=;rcG}vNB2zt2{EeFv~@nynuCJv!ij=Sa9Lln6Qnu zdtR@IFJ@sXhVUi~@815tjMvocu6_=AH*Vsb>mDM#JjyTS4}Wen$5dSMFjf&;^k10v9Axf= zG>9kO&&MccBW%RJJJPKVZrZeTDeh^SS|$0!$=l>^ds|IGt};xO{vAWtKzre!@nmnX zv)--!<|DgTqArha5PpLjjTpsBTjbpo@d2a!$9ee!Pro1^3)kCFYLn4&Fr4gIEa!q{ z<7I*1K{}qpU6p=&N@*?b!gLG^7$LCUd>7| zEK(g^&W+TR?dCBM^+Q`8Z!|&~P62qFli(=+&?EJ<5g05aQp1MNfJ=o}EkaIJ%!8m< zha6Xr^s+dQ5(nop2SyiVw-iLT0tgMJ3o0SKUqw_l5fkMe8DxQxQJIXo+*A?p=iZKQ z0CA*H2IVrn(YpkLT zKHHKyxJL4`^y`NfpF40LYzc8|CLFSh;0CGtlUz4&*IBnr_Jt*|b0u^DNLs4}bCp4! z8&eP7dK@1Cnk2E}qet!+Y`~Fd4L%8WJSLs_q7#-7>@xNNyUsq-FB2D0?VNVG8{d=b z`^Mxu1$1-z%3d#_pK$vd{;KWl&yYJ(h&1z?q)-g^;Z>tp3OEUxa&?v9I zHH@P0psPa-(xOxQGb-CjN@?=xR;7!(2)lga*{pqQMFvv0jK-I!4Ylezz{JW;EYK*W z9=>55-J{`WE8)EKyJY>FnmNTC=Sj;=TF8-35{C5{*fTy-^X7VmBk0#SHVl2x77>iX_M zgz32O2BgMmXy1bj;Vml-*H&k9A{y^aezt}Bd};WJ13tcma$R%kRc5?7<7G3|7Kt-3 zajl;&rhFTF)5pKL6{B~$9fRD(5q%Q#a|(J0llIopNpF7jekACio1QOSwt=C^wziPK zvK?(ktkLr^mfz=+=U6CsHp6_eE2cAP>9w0q2s}J-Y@J@-0Fuf=Z_Jy263(-!8^U$c z?)$5-ttU2tZz#i+~N7HLxnrVn+DN zb#^i{y0^t@?hXQN`im^Pn;n+;?Hf)}1j& zL@fgoB{CLs5C#;0nX6WQ9e%_XXm>Q3^+R5TdZA$*6T*bGNz2@cKdT~)Mu(~rrcfmv z9doKt2q(MWN(T;B^YwCA-TG=U#JFw%T8OuVjVqq&ml|djHt9gtkOk|MnOS>z-o zMtys@2TTKW*tVh`Ptff%%kXHl9X%O-4fnSMAKOAAIboTX6Ay~#C91`YLOdeZN@%A8>Nht02ImtN8z4@0Npx5W~BeJEYVU z#2IIDH-l)OboJa1G;W-__RiSk&Yjfm-rhpLm5QCDD!&LMA{Ccwp2$>_>>$}I{V8zl z@5%>xRTY+c=QLD^aCr~*$W}S^0u4qTMiup8W3Mg7?JozVDGRItwQHcVQR@P}vsXV* z-;*7%;b3nyh|9fYq=cDn#C$_i5da)`K&TW21hkunQA)UQ-s|qad&1 zjIS(N2c8Z-;BXy$k^AoS&WWBsZc*@2JPDY>`^TJ#Ev7H-@1KUeO zl#0DxpCJK0Aq%dTqB%M|^;2Gd)^S0ag+fzNl3Y!r-ABJ1>Et}bedtLz8xh}jnb_`L z_LU0BpFts=gXmG}^+*{{P5f!P)Oo~(22Ypo#1}AbIT;?@sQDBtt0^A!Npt&`PD$zX z8qOBwLtvK~cA|@xz1nn8)GRTO${U!jE(R4m3 zYBa@)*HbEMRX>pli?z#j(=Tv*_0GQGbb+ft_7_#4W%4=ClJ))LCj;3R^RyvahEaT8 zH^EIH^P*)Z9~oSFyeG9_knC!OwTQZPVi|{UJT^}eSP0yZh(bubTj+jT?*jVZV0N?R zE*?FTLvXpU6;Iy*hf}_h%qhDHM2HE1GP1j8CECS7rzj`R_^H7QTmvr`02OEef%=rK zGa1~WuCx)9-F}T|Bes{sq=n;tZYi^Q&1|e7Rr+Rs?u%7_41*&(JT^N+izw^XH6R&64wrRO+|O@Jx_i%+axwE5A^{}mwJKi zG^|vI&}AB`KgA1oHweypkDEk`wTNtfQt8^b1EFq9WoDRnK5lN}K0F1H z^Vhe`2-69+-64c3Q6SiNv2799tF)GmhIIE4|8c_cHSk%-fcg|RVjd7vx6{z3Q+&lmaw!Ak;OUP*4hHgFVLR)QcAjG03YVu_Q-OqgXh;UOaiBGT0PNQN z>{R!@!@f=|4l4D0JN&UyCb#J;$6hHIBG3tv_x9S%R>Alk%n&Yo{BA)$6KpKP7-jU) zCo}n>$UP2T%Uxs9t*;}RW{$NkhaaG)56+0nPIrZTI%W(uEv{9_2O7B=yBN}6J*G}Y zAW#b3wHxpYYEh%B)LpW;&T+PTXCE0V*(M_4R?fnc;03#jrGZs#y;*mFl^A{{wR8Dy zA3?we*_M=CdZnHj=hx*kZkKN~h-@PT;)VuwhZ@Z#mnr>Xb{UaMxkUad#yJ_#++NZK z9=p}AHw@Z>ZdzE5zOZXbhCpp9_T`p$x7 zUt)G_xN_~5xbRy4b)dVa7HyGi)b5jK9`tls&Y^l+JW-kf{6}1yQ&- zuYX1R?}|~fE=!2K>T$dSiegiY=bh+pt=!52Pa3z)8f%Hb85i8=j`mCI<{-r{X@-5y zN`CJ=!|`b~C!HqYBKJtD*h^6_beo=X?~@{TwCRx~INNb?^P>(2jm@L|WC$_*AVOpuUiE+SyzlxaTFVoAmt%Mnk0AG-q`Q zNIx8vpqFK;YXmaR6}O$Vr56aaPDdti1s>q@0z(8#{sGi=;okK~q4T8pOWUzaAkm)b ztNn;xdz|8{-{2&}OVe_}V}_$H_Tz_3 zOABC!>KGsa-&_7t7WS;G>JPXgsF>GpQDPltu}P+3L2?7omeCKUya^fOXZ529p$>hS&T)?4iJOb`l z9^|j4XI+wz$9*+~du9HLu0wol{Qk=<56fYHDU~S4P<2xiWSn4VEWCZ`>!V(ge#n4R zdPUCSdbZ%cK@rr-kdBJ3d+yoM{w{?ejoDU1^T&+Rg+@KHK_d%mLftT;WiHD5D5w0% zo-A~%53go!sPSNKliy2*0DN`g(E6mjhpp$(fWu$jtS#s@JspLMPQfmc5z|K$DGh6w zvZv9S>_6RPy8&H*+PT1&1r>>(RbNBwr!G%j4l@rlSX2GtRyE1Q?_N`xw5&g_4Sn|}h^huT1slxFRX~fX^y`Zd@e)we&j;odY0SA3X z+$biWm|I0YH+n03q$D};?<4D>nNNQ=^?CE^rAWg1Xi?i0P41S+Huay;DG$ZA=g%tl z{dzTUW)sCkL!bH2R*pOgve#yz+h;A19{LSy@&3HVPG!wZ6(;&&2Orw$SKJRRz|Qr0C~K45dp}Hf85@Mn zae;^`lXdmv$S5bFy%9FF`y>kL@xGpCxJWCw0GMsA!s?lezlycSaVxO9O3#3`cMo_u zu$`wAvM(T~*gRV}M_zFerVUHy1DH(BaHlFCJO+?Gk-&o*BCS#bws<1kMOYB(!2W*t zPVmD>BN(@FkF0%GWm-ZaR7z*nrXN1?^xSg* zj9E?uL-lYasS`OS*4y8Au^y=~am|r$q`P`Vu@*Sh$7jb0-UmsncDaN zg&qf!yNfGB9?{qSQHDG?v8TKn~QkXHzDreZUZY$6Ys6dg+CeVc8_r5H^Hg zK6DB6YNi&TpzYN9M9LYIUC!b1s&F73lw#+em_V=`xIUe;1;%b0gJ*&ZUcPsTe(d&8 zQ@QBKCURzICiHjqO}a<-aaC!kt|Y36NOnHY(b`5^SaOue%zDp{xuPrtnW6)cZa1Xu zbbotPrJr~okB!uvTu1K*Ea5(a0NXpbsc9c@9%=FUq@UDL8p_kHT#?l#yA|u?)foQU z4MEfruZJ|3H=IuFdH;QSM26l8C2a8YDMOFAUR7Qb^?0NVP&J+??YkTk6aNNJV>WNk z5ukAt?dZ79juitr`&|B{wgxO-{%X{R3;e8{MA^-Tqu|_vja_w$-sqbaTnldvG3KSk z_V~J+j=g3x3^=R|h=l|s1Eo!U-(66qV&=V{+zxehg5nD^uE4xz#lApV=PWulFLiDH z-42lVf9}=JG^0@h+J}9I_7-GSj6%k^H0o8I?~^lcA2`Cqw&CSQXXNnXQ8pYotClL0aOxfYi0^WA7)Chnup+30%Q zM3v5;hO=9$Lts_)daYihy7Xd*EtMs=5k417dlpA_N6zI4xfVWvT2w5 zzqJ@aKZmKSX;@7a&PL8c3qYC(ptRz z4Tg$mXysc>ss-jxy_H`rv@Zw!zMK)-+mJI^u3qiySx}jBUeWt8!vP{dK?{n3m3C6I zAQqO)_{96cqJHAK>3o&@Rp4qy*ODrY>RG;Q5#f0x*e3MEYXjqh)N~OdTG z5Osdv5$x|9pPoGpC&zjE11fb*fbFt>?*|uea7C>SM5Nf_v)MB7YZrm0c36?`8vzmQ z{?j{&W~nA9)*lFV80rA~=q@I6_br!!?*Mm!DVnnb_9rJ^@yjEq7%vv$STkgw}G zPFTEM?EdddpWg$6Lraq>xf*-cNRuPYW5J6~uosiLPU|(_0H`upFd-5?yDVs12_p<2 za)s*_%M5-EF+fXb_Cqu60@2OClhX6UQO-a>ZO?F)GL2;T*RT|uA?LU9wJWVI!VpXy zsMG^QG{rR=g&MzC!z9jZ7*J)Ibm%Ws%bXYd4#Vt?K_YZ-tl83?nJWNES)KA|S6&mC zChE5q`aT`^n~kv3gotk&^$)`wj35);K`avJ>?i}^ihre*>(>s^13k5`?&5*luQnQL z_4`40)JQHxL3RA<3ti&c)Kg=ypi`eO7g3dF_k-;2vf*~}%S=B*N}}S&Z|&JcHHgef z1UV?hDb_l6y-x+dt$#^f%p1lvn4mLaG|mqYmG1M?W(n#QH2~X=U}R*cKf{6**02i( z_r>gQUo~q}ILfm4ccwWcYM7WyQVUAdVIOj!YiPGzY?$j@djB|EY-#0XZFeIzh*RFf z<9s74ynBi8WA*_?q2$BbGYpxq%FTQ(B9K`}oBgMyu&*?%-7>cVQBnEA5k5GEhSL+< zjC;YAhWK7{HpC&9gEvY+r_;_KM`WhqP(4_Tn6}V3T-0IuX)Vvy$9=w{J-TxusFKFx z0a^efQJUYNjI(-Lc0S;96IXBRyCftWL__d16^Sx%-|ok_-65Rmsq>#XXw?^FK69;e^9pDw+U%9Y~6Lsd=D>DZJr>K6)xK34a*?vz#cp6 zzwOn@%U(Cpu`?2k119~KSQqjrbNkr*zi?{^YsUj{@bAs#08NIsX4^TykfFgx338I% z=lQw>`FCphQW@j1_%QlO$Zv9u9=nWuR`pv(4>C_aijM@8P9 z`A1vr!x3EJ1So;5$XU?&W+Aqn{0WaUXFkJk*kRkp}l|1bv)<7_>N~DEgI#ohEZJ)`;_$?Hr;uC`~r1D@I zTIJ(W+7|#9UyRJbJD!cxYnxC`r4yRZ0{~tm@iyCG?UB?}H~zP9nhdX+d4{k|9zCc1 z?#S{VbKxCm1mq4;^_M)3lN*+#e2Y97KAs00kgEQyTj@fJOGFkEv4G~;_IbYOt4d_4 zp7(jKuOS^7jq9A3t89N6-}&wjnyB7g_g^5@q@N-*Ch*Q9u!F__o8NKR%0-reD4kp2 z8a?tg!ja%i81x?)&QrX6?U6(k@2emoX5d2r%8VjWnEcm0?{w$!u7mj{0N~q6UX}6} zyhH5$me<*g_xD(7 zpICC$%yl}|yEWw{)kQ(#oIY1E&r&71O)2SyI4tDX$ ze6IFg91xSr26c2T9F8RDf+kf(1AIXNt`%#<2XBX%iHfK6LEd){Y^D9X?;SYFDp;oU z5!CXgw3sk7>S8W?@zQ`o3r_5L;I zLbMT@)t)q|;B@1{&lT$o_Z53%=Fj^PXBeXDyvFByH|>P;GcJ?*LHu*{-w!&!1Wb#C zm^xpZEZ7LI8RqQrt})Z6*?p+}`qqN{tmzVE=bmjCTBj}rpkj90e*2CZq5Be<_Wn-R z*|$ale62yeIv*<{AW+P%47fIAfOCExTHgp(1io=tfd$b4X??49lQQW%1!CxGh)HXh z0PT)*b9@ik-|bFYa^Ld2{hW7C4}yzAa3Zlu#e!9?m}PidAqct{WExz9mvga~bDdd6 ziDVC{e691rreFLzd8c^B_5*Ozx0#w2ip0FWA7oCf#_c zTwktsxs$<1Kvf#sD5Tu3=#ubn+1+Z`ynHQGw~`UdgVQhv`+OmXBeh^DZD710)YeAV zu{G&R%=0_@I$*8MlfF2Wg*I+il~L&$_D>c-H_?}mf@j^JM6wd#aA8rA2lRAy@4kbH zZLJqv-rI9@0M6jedq*B0x-8Bw$azFLM6IU!l6|taU zT$&ki+Qx>1#V4Wf-T?4$g)pB9c!;5Y;2*bZ=kZytG5Bd39EuTz@|={FT8nIvJhVh- zhAF)fKNgI}fl|dKSTLD@!_EGE{+1(n;M92cgZ(eNMZW#NYKwD9?5IDp65q8Kbc!nl zcmx40X%plyTMX!S5k=~W zM1nsZZp2of;=9~$QK$_JcSIwzdmf2Lbg*dno;l0<>j>eUx{6lxc4MlxQolFhEXH+{ zhO!zWva8lwU#jA(wwO3@m~ytcen$^;?1@<`kFQ4O#ciRTVPPdRFCINfOKf#U?LYT9 z@6m&@Pc!4#zUgtC#0SfPwCsSh1vN@x3I5?SFfs(B@Xl~{@FV28w+wE9Lp+N(@J>&- zor?X*@CPo*a41#}aWiZ>L2oshHn+n1vh%s$g-)B%g0;LnHDPZV|+vr5SD z94o%PPD=}1)!U5bD*KNNJD)Rt(K#cFc5LrVcq1}*;K45n-+zOAOx)P8l;%&){7&!I zO%u*foyB_mm77V=J>WLBhi9Z`1;6HunIlxdX(#}OpOATvvNhQvCADv-2WR90H(;^c zc#abR+=$(<@&;?!E7?hKgB+Vo;x;<5#wA%LA8|$7HqwcRZ{52KH=4~s-+C54^cM6JA zuf`06-j%Dflj_NndBoROJpFnaX{Sie+CW<*pt#w?7PI`YyO)ATB@$Hz4DRR)+lnN9jz*p%59MexM7{nteC2J-%vf_cPK2!sSOFm68E9$vKyh%FTIs12zeVFD(IU zLApf;xfet4yvjd&`y(=SO4E6!R_Km0E^L1A+N-5g8Pe_JUa+ZyfrPsllIIOkzxXR{ zgWgClSN%iEP{yH<^HN=24e2i+2aL5?farX0BCDoRuJ?zL{Hh-uZ3(QP#Bt!;g?)!}!Fs4E%fPqa)R;=M65xGR^z;c#U*w6Ai6|# zYC-osASLiZMs4O0rB0V-*f|)y<);91D^@s1ni29LU{}Jv9SzHw)_NG?wSbws<`h37 z-7~N79Y~w&b$Le#EM+SdXhNQTs919XwW<^A+_Rv!Nd+;V4?Xi+4PwCruY;IcnOLU` zlk(?Z0vKS?1a{lEl`8-!?>PrzVoWsd(oEIXF$to_zsTbP3KZg6=6`08VZd^ZI zGi+AD*WFG?1YN9PCULKMx_CF-K{xo(2HWq$KV53Lcrh+V*AJHDP*DRu0bk5x5;vOm zpaJzR4eQmzh6>??v_r>mgGB&TlwBpVq6tiR0AcA}+=1 z4#R*r{@pAocdWWGet#=&$I{Q!ENMC6tD$j);V_6(u<^snv)f>X>9yB}fzUe6z|V=- zM7|0@YczFMTdK@y{C;-twU&K5VIO26^h)&`A#X4TIl@GC6`Z31QE$3u7@ZeLsX8pK z^iev&7T~wj#X*8hg{sp{kvhwt|Gi(jrVHypy0+Qup0XU0!vlBMM%2pQ!woGDYrS&J%4_kgMdX$~q)vipg@)Uf3vn=kuK8td z@H;vmEAt)`F`>5Hd7|<0#SrU~92ftws}CSd6LDD5QOp|o3A`XGK!CX8EiR777v8_bawo%lfFIa1<5znQ^g^uL~grauMfs64hiH3JI*8i^0A zQ+d-QAD{%jpH{xx(Uwn3k#6M|nxAZSI}JujN{bxtklH0gd7LHi#UuI=${2j~9<$dU z;PiCZ`vyH*_8aGt`qT{O%~1G3?!S?_5qNG}@XqkkYqRi}n~kU@Aja94De|#jgCl;Z z74bibzFyeAu$wnobKhD=RmqK8?M9SP?m-czD7h8V7N`|EN;F$il%3Hy6hf0_(KM&P z#YJ@O|G^ALSca?VoHvr)w08>`htk-XB z8fhq1ln}dptR8rrby6`o8tdj%j>YuJ;1%x=>L~<|h)3DIzaT)G-zWf!=Sr%t|9O9d z9?(x@lVi8yQSE|8@yJs(Z@{_z2a-A~xM>n@*awQXun>>DdoQW&z&$0YG`RRr%<@0r z$w$)WB@Un1gjCJ=?rq+h!SgYM#IqONz{WO zJo&|pH8P2u51&Cq(|`Y{0n&`{)`fSys*4<>NjU<~boW>?4p4#smPRA^;7jT;u@1$a zV#ZBAyKiHX>E*(u--3DwG#r)hisgSE${a^mX+H=$+ zjpEy+uQmQ3LC(qUL077rs+0yA-^b7YKAiviclCe!eP;cazoMXr`a{v>;G#S~?avkY z-~QkK5B_Z#V92fbc`m~K{|AvrK-}*~ypiSqN;vp`^+El&H?I)c6u&H5d71<%(7oIv zuV7CkBgxEvdTg?;+BSrM>Fg&6;|X+d`CcGNFKX49-vIv=@;77>24mscz!&JR??8byPV7#VU*YF_j&n^$FbP+ZS(r+9N0|0aEY>|6E=IpK$V4G zO_jBvRQb4_rm4>9c2&uXVs}>Oj?tBdArBJ4vY*ViO2o31FTIQQ*5!_!VuiQmww2H{ zj#Iv3mkhcKokg4e;F%N3rG$9?u77{Gz zpBCuef#_2ptJ~4wd`wL*1hEzini4Z)L#VYywd#a2P4N+-@6OAtDK}&{ zygY_{6LzFp_y$B@j9au7jZNh1Xqx*K+9PkY1@vs?Nx6rW?Er9zKBXWpL%`4ma1&R+ zg?Qh@3AmV_LV2UjB*MThXG$s+@sO)S2<(lou=||LJ=I~&zc-5I3vuSHzAprtKwB6; zkrOEr^G%E^noWG%RxhT9xSsC?nN1P6$G9Ye<1iN z#zcqU$!wwyGB3g)1ZQ!tEDL1#K-T`)IA22tlxqo|s{z!Wq3P*?b@=OW~zAScWT!9aqxlVLDfl6O2XP;-eZm(hl z)-y->dxf`=qiW9kofu26-B|_hLLl;$w zN6T^?I7;s{Uuy3&EDmjz#%&cKtiO%NU+Zj}+gnGm)Xd8Dot^_!VD!r(=W_BxYc2G; znh?o!=Xzx%qCeST)*3+(xVr7{MvsKUnyM0nTrB3wKE!O86UKWSIE4z|>6}IgZ;yv2 zix6yZ=?7<=N3y3I`FZZ2fhy7XOPWJ0Gtu}fP|8p=&|0K7#=I`Az0S|ckQL^2a;U8k zU#OkBTX}on&G?k`MA4q2medpoT2fgMWf}nIlR}ju0M54uU}OF3LSRcC)MYlPnnQ@4 zkF}zNVN8Igx%X-i3T2wR-f=Y$D=H0pQQ-f;S0w0tn;SFA$7v4q2ZEV_kqPN@ferX( zbEgu$Bfu^JSOPt_fx8i5(cJ zzh-CIV-hkUNE_zWyX;YUho?UiICezIfq2qZy??FW7m^Z7E?^@Db;PW z`&g6glU9TCD5MwJI(r;D(2^?zL;GEgo0O&am~a1XKUM8cO;LKNiwc7aydSVoO~ftE$WDiQ|v941}j$cu&%_{n$?HeUnMKW&!SXjv>pTjssh zOger_MS?UI7>acEyUucvW|X5p_G-!5nhx>Md?HsgEZClLGKP3Pb*hzX$ha|N+VUX3 zd!(4N!6_6gR07KV3ZYXhI+!(z+XN%s0j$|kwi2bY1_M9M0QxfeWim;z3Cm4}+IAu> zJF>n6HQkim8ojgZK3?_vQYd*;S0F7gSF1kp@gSqMR*QE@+~w)6Es>t*ez+8iQ<77> zs!o~n2(u%2G%KKh+MV$E#%&F!;;q{eRw4ObbGJUXl=M%`J_axReaxQ|WY%E|^+tMd5FjS=gjZYs z`8HYZDzh?2J!d{r$=GZVR|H>X$$$GY*V{(_e3K`tf=_&PcqdyLK5yb%>jnfGXx^cl z5=uAgtZDXEV0MWEQ0-7l`VDgoGEXy?P~q(&>mskYlD>;qYaO`+%7X28ov9Iw?mLz| z)yhW|WtCz6k*=~x*&ovuVD0=VevPh{ltyi~9g`G!>uJMjeHv?;WOg&9Zw;cPk#<%` z%(=c6sg|pZdT|TtA;g%g)Fj8?CyRP-Y7ue|Imbqv8+6Hw2GdFgM}W3gGEaL6w%t=e zRJ@=mFcrA+fJgEf~1Jw?qcAKs<*yE+1G9!l=0c4z(0f5P7=-s3KjoOG80ZU($x<0;LLKVd?eO!;r#p!+^>^d5uD4q86JK~-8SkUIXT zikI*IJk&jUdW8BYR0=ODy0&H-#8X6%Z~f%7kl#ci-~&}49t1zwwT3(lT;ca?!4>XQ zuQiQ;CA-9xI%o*YM%rs|+q|ke@~UN3mA8I*wYv!+$FGs)sd8&v`d(VRE}jKNScUA1 z+Y7}b)(%x0=6O|e?<%U*i>9-vDV*!$29G1{<4X)_$lQO$oTFm_&aX|wT6tt0lYHp& z`#?_MSTolE6?gt^@O5ttV$AmWZKw+))sVRv+n=-v@yrr3N`bcK-cIR#rr#_>Bs%}H z8ThS}v3MpQ_XLfgJ!80)9{d*>E~C)Vp!f=aisT`;E}CxRkX)sMGRXwk?K$lp<^4sk za8=zRNos90|1$C~`a!4=NhonK$M>SdZu$dnd1#t8B-a3P`kH5eg>41gp+DwgKswf& zdT3*GP1XJR2UN?=pcx7{lH|qb9@n%isS5?%8y44C32K>+vY@2~9M&sk`SuB@V z$nm^(LFO`qwP_{bUTohL9B13w(6r?}@d7R*3oRkNX~aH>3&9<)C&jLoE=y-hwryGi z;EeyW86B}POB%QQHa;10PkP-W(>}gEgeX}^-=5NC+XqMcK*)?I;yzn@5|=3tB;!01hSCR-VaA>Z>NpZ)EyJAmfFb_hHp1M{dKffxhN zCINw6T~1bjUEe!Ru>FDHji=Z>0I)vp1rBO=XJr_F?n2`bj;eFS!P2yOO~1Pyh-c}& zg~<|KNjD7n5sQB#^N@R-rEUP#t7kx!S8=-d? zPQpQ5Mv!OJENQqeKqOsztMXwddY-X<-HU1f4l2{vn&zhKL=M7-SI|$hU3#kqs`s4s z{kXd?!KLxg>iZDG*@2=YvxIjJmVWGlxC1AiV8ZkA22`MBgm4bLOX!40P2LQR!cq7*oYpyRJ* zJxXa+aQ~55Xf1AkNPa3q6e*!G8(&4RLTSv&ElUY9)fW6;BW1?f-T^&iTBfodhg^^L zLWGQs^iG}OJK)kPKh^#bKyPoY($RK^-tH)BNfLwm?w!%2W;|R+`SQ7 z$xFkQc`&V)@2OMD!4qs3^Jw*6T%k+&L6Ej`$?Uy_fFyK4Z1PPUorygp#4kH^bO{#9 zHqN&`b7S7uW$MTX?55U%SqQ%hC--{=cl0J^Yj6oadfAe3vG~GS99!mcp$Bb)URUfA zGa)JQ&XIu_Fbo~X2xYr*FHNb*zmQ+#XL^9c76r-ZeDWOo(Ko~S4TaX5!|*|VwxQ5U zLn=TwzfHg>NYo;wkqT~eyp&}ASJJg$Cp+W3Z+$$DEA5|pp_cH{8aSm)LK(j>c#eJ+v-^nzM|~YJL73;# zghBwbF5Ls!oJKH(rY|f_FTPuxL7h8rxoLj9F84v_70c>eLeFNSnTodyB6@v(8 z{KHo-(dt2xbB5CI{D@A`;jr<6`r2q;cawSoo7r1b>=f3yvYpUttJpYZ~7T>+oGmohr^ zAE_o3M6dzG>ptda$VmL#pqt&_H|(z7bh`7n-fP)GA3;>a$Jp{sAQ_u{og_msjsoKw zmYoYUQVE`WXQiN`tS=APxB%#sIDR3&w}hmA1QBZ$d2?4Qy!98>>>bqj-q)LYrtH}| zw0lnj2nw(Tx1LT6Otm!PUi$Vuoc|HE2Yhp@OEf$BJ)nTiG_v-6eV@S-7y{3~OPE6? z$vJ?6WzHIeugx_!Y5*Va`s&pM*h@_TKGJ86t`Y_vS_SaocH-f}X%1bH&jSnoUjXBq zipEdmE4Xq~putjH-_n&)9+V_9ni#Yf0|FR0JPHlzZkN+eGm(oQTTDb0SWFZl!s5Zj z<{^U?@(Md$@cV^aO6v@{>r71F_4c`3`pR_lYND162l(`z0~uDno_rBX4g-Mh6ui7M zYfwFDcwa3U;&fcc$&2v+j-Yl!zXUGU7@Izu+HInW$D;IukMTzkaL42~71p}zI zVJO1;6+8O zyl`>Xd&jh|17>Q{ktDS+?z1ss;Ol#klh;=JcUZUfripwJqGVe6R5O+Y#A5S+~KhJrMimvWzW30Sp(4`bYuRRsG@%cSzN zCN#8zz4v`x@P@|p?84WjVb_m~X~81^Q*F)^he?a)_nw!{V-F{5G=)i7yLH_gXEa%QZe1DnU#tf*QdV!4C6W6}P$GQ&+e>Ue>i2(IAwI^YG;w`8P z#X=xrP#0F7f0w=jN=OZO1W@kCUiWbT(Fg~QlRB|5HH?79`k1VRPs|D9AvKZhgKp%?SRM1an#$HEq-b6u$`qU7uikD4ogz z3Wwt98;JBcB{L^P4*Ldz!tTp6wZS*j0BJg9K0Yj9+xUe;9Tuo*+{A05$ivnho5<;- zX_`79^tr~&P0)GgeXibUI&rBX_HEo&v^>J1yfmVA=VDq~kJ6H1c*Z08_R&&g@Pl2i z=>XZl>Bs411Ru)P3gG1r)xJ(`V^Dc)ED{bd@{L7jJQM|L&xbgc?!EMPJucQ-U>4Fg14m7!GdO<>DN|0Bx3*w9x08i!~Cr zU@upyXH~yk@H_(=48^Ag?Plyd6TC-SYCi+jw}jCg@=8em7*?6Yc&K!IjiD;|Oe5$d%&i?_{1+@vQTqYEcw zQBlb~{35c>xLqKR#2>Jbr>COIHuNu;Ru-fF87Wg4HhRU4Xp|P7J9)fCDQD~_*1=DF z3erg=@-#mFn#LMU_+*{?)H*O=cQ<0iDSa<(o4HH{8Q4(!*ju>|Go)d(GR8X#JLDJ` zg;>VYC^jPLk9$6hsiaa(((uau`CMM=Fc_vVSu(vR)hb8Tr87 z_szAKNCi9T1e}h6a~M=5o!WHggQhJRiNWcu(v{Ewu8?6O{e?Vz$0tj0+3(sA7x)!z z3^!F9?GjHA=iq%lcTt<8_{04-2svQYR6f4uOw&pSh5%X+UjB&D9%Ja3)B6j{W%kGj zhvEXZs5;4ADP}&~W;};k=Lu(lFx41R!J0uC5xxL;VGhefeHNaZk<1&TuY!NUv}sp0 z__SK8%eMUGSX4Tw1=3(=K(QrByB`{Y3qz-dfX&xOd7{ri58%zN_=w+f@v|1oV>$|| zBEa;S)Dp(0r= zfyUVDz4RMICne1k5cR|O)=B6E`#3tuOg2lZc=%$_QSt<>%e$VW+~#19a=VYk_g5q- zFB?62kR{&=^}I?K*tj}9w|(FaOlXYLN7Ds0pcwxxl!R6LYJT+X5$W0!vTA+Otg;9( z9VeYwoHeu-Kxs?fHu57M<^kjWSB){)rgm>Tt=mB+Yr-bO#j%nc>)7TIXS{?ucuDjU zPi}(5>&XqAu7R<&FAaVF@q3rHbrWOyXNMzSA*)d;7W^H6HoyHq5DJu&n=K~_zRb5D z?wS&m7rC@^xY=o%Nu^01wo=|aMXLCEUxGm#XXm5@u@1Lr$pb;vggX_Yx5$LcfEMG| z;75@CMqNLEg*@)QasUd9`iplS*e;`r&o%4IoRcPVF`0JF;LvngJt| zcY+l%n*Y@X;`k1W%gpY{c@R!UvUm&8NJ}D!RU6KdpVz356Yo76E^H75nhlx3#5*(@ z5doAavhbI9H}_xcG8Cyu97_F4$U+ft^S%P6cRw?ty-0j|(#P}Hi%@abelA*<^i{l= zwPJn9t9B(|vdLhldi4pJ2^dO`+BI+yTRvTugQ_6rXW!e2QV zAbC27@NpPR0l0?3U`|K6k2UuvJYX@@6&hz5=#r(*%_B#^;(J^)*D0&@ z{#-nLfV}K0S*%la-cX^ z>Hk&-8~FnLQ!_yT1PM!c*HuZHFJEH~$ZKg@Z<REJmhKa%F}r|RGfHbOc4*JV=_8l zDHbe7jc&VRnWQcDI^9gf^0L9|_p~>`w!*Fj$ zodvgZu;IY+8y%(!vFTP+LfU{VJbWJ{81E5K0;6(DZ!>kn@5u*RC(7d>x2I7e*lu-N5&$yG zgg!0rvRT6l1anq11d%yN?^t2cPXT9A(R;ML24F?w%F}o-4d$Zn_`5rXn?hLZetdcg z>@0+2#^<*2ovYxAfk~N&kAsw{S%`aHJz4P;7u~WLE}79!<2-cyz_V##A($reM|;4x zOJKZkG=0angN!5KgNaq)0{MqDFNfuc`!8+`QU~BcSaE)gU$mLU;qdE+Rov}1_}cg~ z1Lh^Vlrsjgo+pQdMA_uvdkVY9>}jw)e7{>$)^%sC;*ZEC+@qWP))qcbfF#wYm#u8& zN7VP02*}#@(K@~M~`78tM&wd7mC$vR*9sgG{ z@`!3^l)5mT_f}D4g2c<|Y{RtMm78P{8QsmiqU}ZDL2HTJ=qHBBM0h!ydd$S`{?njwNIO= ziJz>!R-YCi$I%E1>>H7*lp@I@z)~_*doR9uh9pdCKK~fXmWPDK)GC^v=r0UB%_ZhK zFR?u+P)ldfGwl-RbCmZUrzq=Ib8!mauGwgfoE91kw2_X3E*R7Iq8Mk7r6bEBDRrTq za2Z~vgc$r1cKK!iGXzaY{?PT4o1R>lAA|gu<&U(+a0EET+xT3PG7(b%9&2~(E{W&~ zswnYitvHXaI|Y~?(#st&2OGxoNLEzkn@G^ZlgZW1wF<2OtF?`^=HHKa?gtf%QH+<~ z5=3cJo|$@SFB@JTK}bqwV_@R7TfjSD>y+r^eGPUC-q2T}s5VG+dJ{7*wMzYg)FtgN z_yzf6#SZ>Kg2d}@#AOU;TmYa4xJk|`F(9DF64;NL%X5iI%j`HJ?poD~?OXjgeD^%k zk*&dSD>+Q}8+S-0sftu6q9n8c$Sg)7)#KOvf-iZx5LoW6C>fxB5#I}DY+W_X-qioR zrCtbviO7qlPlt%$Zqidx>LS`6%SgS?MpU{67Y)D20?+o_{kp45MLfDMLG$65y`Gu) zsS%f0#9GdH?GaZe-6JRPO9D4q;cn-_i}J%F5rU2ZeOjbMCOW;jsVwQQkyCfQY`!Y} z`0*|^Hu(hCVeN63DV#+r6N;DI2Bn@ico#DYZ+wc75*rUSuE)DIE9hrC@5+R;gQf75 zr^5Fh7;@C;e&$}caZoeh{R|wT+SMd%riDnG+P-i~QIP@VXCHKG;lU&*{V@n}4K4w` z^-gS{Wa>&{t}D1rw3tkMdIv*`RDTdGT4U?dzPJX+hHL{aV3UuKsAmXAeNbW{R*sF4 zFF;A)t^nVS!X!u}WSGWN+iG$E%>%!CfZsEs&kE{57H6=a06!vnieC%?;dTnGZ1O_V zgY!qUOX-E1R~6Xvz9Onb;5kLHDi7KZbCLP^{&XXmGtryzyQ8U^0Qr>y0lQ}S%vU|bF9bS~a{k)tCZNtUlePaCQ>=farCGu4&m^09xy`sMJP zTx7y}^>G>18+k>Vw9Kz@bo^ZnAc3#nRHmPtM;bCcl@svBL`H2)&fkj^K+=ZNb3)e4bTA8%(>!r%cXqC0~&R9lA znd(=L?ah-1ZUFM!We;=kW}4Eos+aM~?7r)3J7?dY_-s6K>Zou=u6QXv%7K~HC0ZE$5CyiP75Nganqzf-C2Ja;QuelDp={F7JidGIP2Pq{q;CXbdp0C-HymTL~kForjz-Iu5=r3`|VsA2cILSjjKI4}OqK^DS|kHy!&FFRyapH-#x}SVmO`<9cNpyOiRKD&_HvfM zcpQ#PXibj)bsoJR9p7{EIEnT1V*h7t`T`+X=ugm?aG^Cqei%X32lUAYe`$#=0Afmx znfJ1j_$B69&~1P;66dT@pY$G8lv;Lv%n1aEtDirIBtPjq_XJOG=E+vz(P1h3X7TbC zPT?kSx98=bgLv2jKE1(Huu8kS&iCR+F6LzW3Xo%a5BKl!yikW0k!b~VNO&1Lv_LLE zXQa$&H4uR(SO6H#1XMU(M|ZFva_bt{e2DYVc@c_(F6_J?#0?fPqRsOneKFPaBt7)t zo6%#0p407Y?B;$K8=g8AbqQq5+b*T8Uf~%ZeE7Nm{JGu>L{z<+1vF1S*Bnl1Rwl`XLVbD|Ae&=YerXypwNlgC*4w z1qW|n6=}2_#F+qtK3&r0Un$hovE`Fi{^9H#UUQ{$4V@-Wjg;*?)}W1N=!!WluD=9p;kxTPp+>P4gCy|h@_{!=)<0) z#=Y47ts1=m2JKDk$hmL*DJl{W$BEg2W-tXb1BfOahN+xc5q~n8XKkG^mhp(7$nYNs zEv8vLt63TM%wcePGwu87OvA|?hl*mKz+G}=g|poaIIv38YP5ASzU3|-jbGN-i%I= zq|QW~w4&LDtOk}}03Ny0zzZ^cUb-uq>#@jy39BE_FLH%Hb+|8sl;JSss<5pL*$$PGr)M! z{}T)Yq8INeMWO9Pw~XL*-Xe8~Uxp3hb8ppr-VxN9$nJqC3U|?nB7OotoXOTC{4VBm zd!{{r)zHL9@Gmt4cfM{A>Q??;DGhXyt&1KjTo~f>^ON^G>lYx;lEfi!7DN=>ca0Bd zc=c>dMdJ<2uNqK-7pS`=jQ-K`M2}N4{Ubt~D36~_nx%R6`Ms=tPw~X_f3SZ|InZZmWNXe2|G>!rLuPrjkot346x?E z0bk(i`Q|i&$}w3xKREc$ktNQFTcyNLc3}A%6uiboX22o3m`6{uJKyYw1;Z*^H0w9# z4U_A^=W1v>xt1)4&;;jPBpJrQw>&?*73(=l7^Sp8aBT;ib*7X9d&Rz@bw!sDR>V5X z-_%gRK22?4H3ZN}n%9HclqbdZ@C1K$^ka&DwM$@J@~fir`RO$D{3AOB<20R7I8$6F zy>I|a-A&=ZkGlJdaBEUSOlw`*9gsfk+|d9=YyUX4pixRCwmf=WWJUAlK_axY?a%U0 zkn^+k)uck`i7RfrvaGbHXd>zQuSJdCoR2y;BG{mhk@tJr-)Ut+i5Z zEA#d(39Z1QYzLAfq+tLlVc`uxC(|savh|s9TQ_7T2A$jGs zArn(&Gcd(ybd;;X!^8cKJ;6YCt*7>-H_-NCU0!+gvzvDoo_NU!8BFutq0GLflf*74 zA9f_!qYDTs%a9e4l9{K1hOX%3GDCVzNwxqBAU$ATG|dr$s5C~emT#8QXuRX&wM?$H zMJ8FJbCfbjt06UTsXf*(&?DWk{cI<;!pp3E`j^c&N|8ybvNlJ*qJEbuxlmK1V=ZQc zlPWm34S?z4!0t+1v}v67O7}#ZKF`s#4OBNmp5NC%t#NyM)VSy^*-{u_; zO?#Juo9s^@#08PKoIsbs3!0(UMa;B*bs{nOPL>?CPA9(c>aHX$)|FwS=ve*JdBZygx2`^-Bo&cpH9c=0OE$@|mNS3@@O7QZO>(@f$INqjv*ULUWQ8 zj}m3eT@Uv7X)O35t~~YK3L{=xs-)ewN%d(nI0R~f5o!8@yFS>R=YXWon^!2)lMfSi z_eiudjod@_=~U;?BHj8Wo5=767QWIOzxWU(u%!6JwcE+6!4b&Z#*uIp9G>+Q{lJF~ z^crd0?@e(rPHGjva2oj3~ zK|{mfS)IgzL<^F12Zw8|-4k@5ouK>lJFUe98hR@<6Zqilbwzw+9Q>(-lCwPHLs zSo7~+cbmh?#cTaPID6}`s=l`0_a`7B0tyHM3zmqK(h`d<0g(m)X<^ab4T_YsG?LQY zT?+~6?(XhR!84Z6^Tyd{?{n?z{Yx)Um}|~C#<=5qf45&dvuDIS+;VrGIaxP6{PUftQ8QJE6cPQHki<#D;jJQ?ELGgp}_ z?<*aGw%4_E=fr*0p;nbuNdxbn^>PbVz6E;)RO2*G3Acw9*aCkrJuI!qrivUT&yfB4 zUn=K7zPW-x3rRz>btywIJY$$>IM)6 z6|Jgg*~gQ7r8X64BI?>=}NLls}*QIAJj*I{hnaXcG~R>}TWI z;;%4v)cKe3wp%31adTCk=0>;%h7hZO=zW)6V$m9u-OhPTVqUa_mcz8Zp*R}b-S15W zaFkcC_bNsV1zYbC*N;$*R$A2J>Iav70ytqKwJ+)T&WA_p8&EbLl}zE%Z@XYrht(NN z>OlSw2&cgeC%ra(n2+a=w8JP zZ@rtq9K-OU8vN(yd*8KNh0lRA%4=1CiO$+-3*6yP0{$vcTNzz!>JE)qY4`r-E2p(W zQFTlT%_7H81^mm*i2Ds!d{k1MD5RxT@_~4=v~N1(ldEMqHA61M`omuJ|4bcN`wtet z)=iY%(7W(MX{E)uKZ(8Y)@Iwh6bzwf9qSGMnn@mkUUW4K^+}w7B+J=?JzL&rW-w+K>#GHgBVY)@`%ceHhr=em61@rfnt+~i z1X-g}CHb3hV>Qn)MW!|RfZ`T$2jbtC3k(?k2gqs3UCr*8=InzRgZeFjil+C!KJRc@ z4dkuyQl@|tmC=ZIhWZyWvz=nxt?vJPkv<<4NIx5MV#}w^FmzKCEPjx9L=TXrugDFS zgx+}(T@Ld%^@IM??aS;OTUX;);m5Z4 z?6!Je!Yzl-kon*uo-V*Myar-Tgc=CiUQ5Vj$N*B3AyVfXt7(g6S^g|_XH{B=U9?VgI!wwel z2s)AC!`MiHBc@*%*#v3XZF0TJA`{fcZJqKeRZKi8?K)$pvei3PiIjVKBbdnOmpP3N zSazM=A`OF#LIrF5s6m zzA1B3a|cB=*R@nMzMTkE$S1=hr5XI<8oyp$=c~aQGz#~I@hktXq%zT&wrq&(D)1B} zet7+;1qh_~lp0L5v2H=1`^7baaTh#Icns*;^N|b~l}LsFWh>Yi!esjH3s0&gMG-$O|IwtJy%W&v-hvy8}<$!{YAX{eU~d9s(RX!1&Fc*_?f8Q zEq#ZGDHAp8hE*)Nl$V6s4c9v`F(2Y=zGj6#z)XLMGo%!NOhu6$_~%1R^hhM!bXkR2 z=&PZsDhA36`pZEh5f7TxoiC!NY+~QRFTbCXB(2m!;}m&|X(AP{fnGoFSoyEmwOnK3 zkG9@y?2n}ZmlJ#-fmi8SH4q$S{EMAdGd;)m6@2lr)LQLlfTc1Dk@WG3U+E?6MK7p` zX8yWFSp`KJt^teEHN3R?RvVr^m}uAk zJr)9}02HwlR>Cm-f?ksNr&yKnVGrDFCV(#5<~9SdBO>((SN3|+q2oygGJzzvLYUy! zF$t$XUMPgT%ABqW=R-6(L~7yf-EbOGa=zWz;S4;wQ1nRIWrA%3by{R;s;EEDNCI`$ zuxE`k(#Nw*AJ(AlH0R(F0~*VtpoYzP#V^Kk{vM~|3iFt28Z-SRf3jSj1$W;!?uX1) z9ir3YSqf*`uI7VR63VNzYd2sh?F1#2wt5W>{|!(OY#}}YhTBF0t?;Vg?UvkBKxSWC z>|%PTGkat`Zqor6zPid%oP2TtM2)A0QeVW=-(_0p@^1KsteQ_)r8>W@mfCzehFP5l zuc}}OaejB3;KRtU5`oHw9K?@Whkc7OWr*7&h5@QE?25TN8 z@I9VlX2SmpUYFvIVH1B0R{&`N$3mlDa2d2tCSFbgNAtb;E0g-`phCF)f-Kn^zBbLw z-474(=*X@^n5*VhqKbK{(U>(;MAq#c-1{x>x99GBOC+|{c5&lMX#D{hfTlr_Rh*WMqf`W#3z+1Mo9BtvI!or#w z>%p;DC9>g>#DOep`u_%J<7-e3Ips@!{sp7ugBx9lzfYp|c1K3*6K7sKUMl|iwEb_uH34GU@!|%On2pD? z`6H2WcM~WbC*lcYVU%*M^qQ0O9k`0_Z#Q%MG&&o7ilhb?8|=s}*FMmXRcXddI&)2( z4I-@IPxZX*L0^;3j(OvF+dH8mA(VpptY_JrbJvld8=#W3e@}9AQFPb~&yP(`0EEC(j@48XEDF3Q2!1 z;=Cx$9=@fnu(05s=I#iw(9nn(L@@XHBj7vpRz!Qd%vFdLL=tD`FS+_*z%S4(ZznY) z1bpmtXk`>ReZnl`xwrR0I&$8wVc)ST=oA?*9>s(NNd@2Fv)2%&+C5F9%-nf100imj z3{DhUy1q|H_wgT4)`~6z=SICA3y{j>4=efZ_8uB$TZ2g|CHBqhAf4Z7s55UCUqTpX(`5&U|OE&Z~{oDl{Hv4xed1;gHP1h9=6~>79XooQbC`>uJJ; zfi}90i57qf@7NhBdv>D;R!*%8AK&?rS$1}%F4V|ciu(P3dBRDZ|H%`s1^Ax_YJe#G ze3w^6ky{gVqk&0l*NHtT6lfzU7^IuPScskDQfI|a6ztUt!tiA(6}f$2R|38v4iz>HxmtuK%A8XDv=I8C}h z1Zhsn3Thh1wXvjR_IE?xJoCAlK=qBYpth(#3TC5NnNLTRdVIRs zs~(t7f6PfG5z3yOX!~G}v+>=b0xe(sgV~mc09@p1Vlkm z!*YA^Zc60+RKH8AexVR@I-zcKGz9A<_4FPw4{##)nt=D(uKZ_>ZF^RpfHZb0M)iOsVCpK0eoX&3$F zp+_t#w_?NVlB1(qU~YiF@XOuVB8qFgh+yw2-+zXd|6Z_hRky(19cxy*_3V#)#B;@H zOp!;X0S`<7-|4&^p=y@v@yaw?P=f&NOzB3^CuQ37qME2Q}yd2A(fGK1l~cuC<0x9H~Hu&O3s`Ppg?6#$-*0@4WgeGmPk+ztkU83;{Al5Igc zn2P?@$WWNFxV>P9=l*M9x~= zbMNipO7P#w>~Hr*u{TK7evem(yA(lI1Tb)vNK?3jvzn*IIb>Xug67*GO<;av3`rVq zJ3{NH1usBIO8|5vTTX5=na3fI2NW+AANTWLXgYv#t``@VmyfgYmZ_0Ym;&%B{{Z9h ziR%`GBm(Zvt|&V|%=5$grRLiYdI8jgJOV^`FiIkKd1^uME|DC=LdiOuT1BC}0XiVj z*#@mf)r&c&ltq;PWp>F<44Ys}VwT4aS=s|LVbfk5xTG`+yLv--THItZS2aHi=J6fRkTIi*xrJ%Mtp7t zl#MbG6;#hG?|^C7usQj%L50I65p;j(;|Q%s|C5d^ESL<|U)V4bVBiWy<|9h6m~;ON zHVmd>Dz4cM-v(g3vDU*(e83_O6lg{P(!iufj(*wO`L%UObyU&Lhg?u#VGR}V4op)RJo*I58>=zS5Y2yV4$_WKERe<=u{) z5OIfuI%Pavklz51k7AaTR5Qnh`W|cu`>`>x%tncCPX6492qW`+YfEzydPB$9y?Rtp z3HFbg?KdC#9|dCgYs1><2nbSG6GVw3!yISrrbNgN1P(SuXP#bSdN?Vx&kp;^y&7iu z1m$PUVndbC&~4B3nN``?o)dy@UO$D_n{ zO)je+&}1deC8LDN^R^FN$TV8d-kis>jaToL2}5AEGo|v$?w?jf8x1x&-&3U28f+#q zRXI4)`LS*RAGPTc>q=xk=UV(p$HxxXAL;wRLi(Ts$VA49>p-eTxoiqT2OU~Q6UC7_#VOiB z97(Z1W8iJxV8708nJ_DR^H`L3?E}{j{wfV-O*8$?H^0Z786S4k3<$SIbsOO-iED6O zwRjjn44N5aOJ_jQ=&_8zc^WOs5~}ew9k!8}`}>k1aWd+wBg#WC;2qy~CU`wmA^W=c z^0T5pP{E2wG!{)SJt2o?cYeP|%a&~2f@N4HlHP{lh-|hlv^Z-H-W<9)Ko8(QIii+*l|f4ca)5djiK)5@hrs*SXm`gb5XKbe zWvrc*vgx`?!2T^gOjUbx(@fv6?ym+oBT4-cZfll1C0(Nm=b$jA0xWLiEN^G=q~{jj z^Zb5-GwV!P$i)mjY<-H7jRL!iUjp`>70E(v9P``P?j7%qw(@!QJ!BB+EV{$OWWs%>A-o*WShBY^;z8 zYKuccrhhl|)Wv+>SMY>9kjeMlyH>5h3+_&zez4Owq-njfNJYbUxKcm=ti!Jrr0*$` z`!m&6>l9oNb|DP1!?**_Z$+qyQF7dCgdS#%wu2@3j&C29`qsriUH4tQe^A`#R2na# zdBo(67!V@mlxzTmjYkI95NDrFU%TM6AD5w1lx2h0Gvr{wyRg+D(l?CZi@!!gcIvVF zYYiwk3*SLO0j6vUXP%^)6JGE$1$WXpb&96sUvIuxk4$mV-l(|_)4{cIqoz&KSrD@z zq%PCpW?ElXzTJV}Rjy44q|TG9K)OFjjUgkIUP*6Vj#xf^Ubaysp^ zF8p188d?}x)NKn2y(Hj!Sm)b{@?(y&S`f2erOQ+N*k){c_nn#{d4T# z;wx;4g^ffFzr~+J|7{Uxg*oUPC5&WOD!TTnpsW>2MGm45U6(#kB`m!Axw z4)S%2q+`()%Z`n~2#c?+k9R<7t?WGI@0Eb=Va_b$ElLZ?H6O6%VUU#`)LrlW&J(Y_ zRFNk46u4x{5z1ma;GCXfCbDB1NhY!wp~HsF!K9R-t!)?^vOBr{;z82m3hTW5zFf(T zW{37*l2ZWa^&@%E{B32GH<7|5Qk1}NNUSjq@B2H?7PpK$qe*tJH$TXBtFlo&(VDS-vHKkArblLLtXho9(lfU8vHo(m ztj9CiiKoE8k-?sD42jO+eP3PCv^s?{x`Ll)4wksUuTkU@za@*MQH3!}EOdm9Az8gV zqXDHiI)AQX%e^&u_b`&IRtpbGwC})}tCCA!WFKH6NH`!TRT5vpJ!(OUMO(#2-3D12 zEHng#fOM0^?Q{)wffp2Poc4ZK{;#SwFJM~bLk;%gZGe)|E*X|5~xJpwCxUb11>2n*e>MlNqe`S1gTiT1=927L$ zX@$-sc$Rcxw|EaBa@xWzt`O|rvHM8P_?CU2htqm9riVz8+kSS9oL`kpbWWWM0cI=L zV_ZCf&*40(KX`iGIMav^PXT4C#C_+9-D{fa(Y!>z*y%LWFRCp3na#x)|rkzSqV0{ zZrx|~aa{>=WT-d*b-oMM_@Y-Ux^I=zVKefl9_sn2%qTI)}=$AvSO&MNhMR3!`;id#SzDNo&=4i0{}ERx|~|7|b@`c=?C z43^C12~VHn<|&;DK17+%xyLA!&0p9B7dTwdckqCra$ITTr4F)s=kw$2F>BV1+4}U_ zaNr@FYxA13e&j6#+cM+09K<o?K!jc)lxTJfdxct zNJSXd@+3SMrVK3Og(V-zCbafbV8Wg}S)qY^1q@z%_x2gSYbLmXnj=GuK*ui$W8S`z zXel0KD8AJ4`gpuCq;^@i2bxC=t=EpxewGr1ljhv%o|M*1hGzmVA8#}Tvb8+bV(o1J zov_%7&+K(1{c?y5Y>|Ujs}Yz?|L8OfqHLvP5*S6?L6(c8L7bsxnE8$8G44HO7saXHra#Y59X#lV^1 zAzO2*6gCL0Mx3;WA4lI7Fz{)fDT1ch>CQ9kSjN-l(gIF&ZIKP!B0DMQm4-60hx@oS-56Fz`<2he1`ITZ}Wz=SO;cL_9L`{ju?u7J0{JOSl=_d>a~cqgX#=-OncN0a^Db_@x~3r<|HfU!uY zerP#4b~9CmR-6HNz^nNHq!-s3HTGZUq;I-R?Kv^-TsvRK+90F9cFpBC4qX*8P&Q*~ z)UP#lC${@!((6*1UBsF5bgVxzsFh|TRaxvNoL1^>-9R0scw<|Ycnl)NA{w%SjS<42 z+IP@xzLV4FcCn8|kkqbF#l1QO0X@O`X`oGrc(dEv2ue`~uRD{T$rGSu6i&PePm&J? z^Cmff3{4x+T8o-ZAZac7%u0AyJoC2pS7@aUhQo%?^anHcUDF9M=E9+%QGCD86(cOa zkKaug;6~D>WMHFw`TXn|W)0=D6$>KfW~w0n*(0iF7QxVwG(tJx=H&~`eB2&FmhB1P zg-;kswGcdA!w)spn%G5iP6UYE;>SE*9pyygD*&u1Kz?Go;@UxeRHQvU(d}Dil*w?U zmrk>@CK%)21}Q#PmJ%(>@c2$fUq2PLtRKh?D;2$L2pfF*gFa7|_UGTINHSRzxMz6m z)@^3GH@?ML!hFk%(;-iX`LBC{iPHDz+Yx8bx5e;ZqWhPRzj2{6%MqdJ-**FfTX61?Se55sQmFB*hC=U|z!!AY z+pUOz{4H}DFd#;e6bo1n0vJ7+f`~0or^(Y4Y;2~0f&2C)cq$WPD`A5D#hT)QfA18V z$g2!fpU;zk{>FWjQ-;%>miC@pe`&NZAZ!*JMM!8muEM+QF{TNet(rlDcPxu}FMawt zA0JFA7re85P&_97xjboHmprpl4MPp)kZ%*7|4axxCGnweHO~g0g8LM5WHO;NBvt>d zdg7It11}RKx6piNnXV_5HC2HJ17u+XC%bQHab{8ZW{#Yd0+^_Bnr#}6tLgFC~aLJcksAczYD;3X&+gAcuV3SFin^Gk`ce2fC@kmSiMYjlH5BTd1jJ`+bn z`eH>fCIa;Qu|BfsmLnNSlevX&Bf1En8IsuY?jvsk{=VSy&rwGAziKf*Hl}369DQ`} zd+Vrt?(>Mhm-X-8`b6|c@B)K)7)2rIoMizaba*mFzV3HcxF53cG};+X<)An^@v^6- zP(!Wh&D?w6+W6=424wnq8M0+@WwrA`{0?H$$4-W58BJ~J9{aThd=Xf*5X`qXi$V&< ze=lP2u@_Ha`ZfUb%G73dLMCvSyXI;i19DC68S^mMlZ2k4l&RpgGRF+t_41H9S8XUT zXktPC`%U@#W01G3JfB&hGTlxR#j{IMIPiR9#2x7n+ix5-) zA71YN^~W^z{;63R{s!&eEA4-BYyJqjJI3FzSF0!s#JMNnc1*apKY2l|*_YyN%D zQZX5Tnfo@7wn}#fQ}C5X}=;~h91hTHYUhkSUB3B#AXXorp9&K$Q zlOu5z3gp_F6V-a&+xauwZ^ubx;g&l^w^bZpIf|(brDgWXJn-P_(Qd*&lri5|9#lU_ z>3=U5y=!7LEcLLgJDvrd@qHM^#F3b}yd60+5Gk3)YB?%^`33)LFvZ^{S;eg%k*<%H zH*B?b5gS1!^3T=F;&82w+JE9EgAkxA5FogqY1bF6$(x^UzH6sB!8!gi0V3KIGOR!p zSpiV;%v&YaKVVxKk(0c|j|kDwyiA`DX3Iexj=N}Sdk5lJMUlWC5@B@{K~LZTN6*0U z7@4YTgA&n0W?L#upXbjk7zmqfySav?URlU<4<9MDn5VIbBS)&b#EF!$q!kAEPJ-(IAEjaI zov`pTPBi4iRwad~-%&kJ`na}1f$hEV0TO}^$obi948Sun5E*BGXOB$)Q+({E zWF*rUM-eWYgQzC?-u7O(t;TDw9E^w@k;AFQQYi^;Ir9^c~|2X49*?SR($ zDug)1XYd0!BqOVWsssR$g*G9UAJ_zLgQ7HJL-TzMoR>QQKbzq==b*{~s(>S_F9ckU zSE~wtk%m+o^kV}}{H{HtE0DkEfa*mPD%0LuV;>3L%WxhIf1&*K-^1O5fp}7>)+L-fhW-98}KwN5+n-)NU{9EV5+gH}vGzoJ3NH*6I+25je-qtqe*A zyz6-yO6UEaP&kWVQ003ID#stj5ISg7CfQ>0@k!Y)&j}$x zmPR{;PgvCmy5k44lWIemmCJ+$oUNm{K|hCpR&B5jyy}H7{2!7;aGx#%@~wsQ4-#DX zPrfJj{8RYB4N$3zpu?Pe^tE;&=IAB}2UYS!;>Wg`{)A0GG}rbWfHEhUCRkJ{SjYGt z^doi1vSJol)5dd;ZXgqtA(bsOc4sr+?! z`p(4#oMXc^Z+P%ftc76vH7odD3jhJ`0Qfm&Sj-l|IPX+M(ukd4M*WFf+BpPKIYGBI zK&dkZ{EcUX;nqc@e9k4)fY(U~alQk7QVyL;6FzJX8mhf{&xp0pKW4vr%}_O|_W(Cy z(gM5x&n5wq$Q*$q>yckr6|a_YcpIzZNm7_@{&oRCid!Q?O2O|<#{IA;h6OQp0>PR? z2f0%Y(lADpBK}beMkWF2#xm+L6d2H%0==E=rv?-&>rN(92~p#pp3R2d=s1%QOxGze z@jjZPkUk35fE?6l8N$wnW;D0h5rC9hOUoXVl3DVKFr0|M_BtNvHMic!CMnk%G)=62 zVt4nlsLw3*Kp1Ra#btdK4))v&S6hy0dWhydMf3YxXqe zkD`}~2K8jB1NC2y@w5O4oUbRxn{U~(dsAo%HyEWdYhjaL%U08O&ke*`mdJi8=3YNs ztkd-3-*~FtUivUs}xI(6PuG1U$Nbg4Y-6zLICyZ;lrxkP5ih zAY*3IeSw^li6y{a-uW!|#Gs_oApv5119Pa_Z}#(-T37&L~+D-&=e|j?W0W(W62I{3! zq2yV_izimv<){_QiihtO|4aR_b6H`v=;e7u`L@b#ZsU_6{>l}_U!!@G&v4Co^Fd3x z2)C-_b)^Gt5^*YJ9FcGUm)w)R59GW4<9bQ@Lu}DDg?hY%x}pQC|uKGtsyodX+E}(jm3E9z~CsGY*{3Yj3Tn1^KueUnUi-pzs6=xQf>lG zghkEGM|JtvLq-L){KCT!BG902W{RV8_Xe5wZX_9TM6pK)=abD(B=8`T$6%qrlBM zt>hI=3*hMGS^|3T88Dlqy|{*g!f%ka!-7b{6c|0+O0R0yV4Yvbat1d$AK`IBbGz<^ zLDAVWK78u9JftX`Stf!R#kvv8se z>g%XJ{3R6H>l{{WL6~_7^^yKkp)HGc1{Td!{WSm;ql5<%m zwk&{Y?!QK|_p@!t7tsO*HIO(3d|F#RZ-PxQ;Az@Jq(v&R;E#H^@aN9S0Vum2za4-^ z`FkYe{Wv{jKH45gYz`LbdYUEtyZP~9mvI38%*G-2olOjBuDT8S9{m|ybxS`|o&JdO z1Nx+(BCXo&O53;&Ko4(&nJy*Z&LS8=$ob|c4JNzw;E&Ts{#13iDelJsp;fojc}JXb zgUEdUKtW@8CPYHRC+3|-ASf#!KQ|T#Twj0(j$Gi%MWEo3F6)#w!(;MV6V%U^p2kR0 zR-IXVFRL3Y@+K#kt21s;cM+=|8wT*QGe_vC#01}0aU@RcGxcNmQViiQkYcQD5Tb7$ z4lyypgNlJu`UCC$#Wf_5`=#2tuT#+yEU z;`sRU^Bd02PyiWh#UrLC4aP{kcX$EtVmV;T<}U;^;nX=jN*}xoi)KFp*&Y$-n_8sJ zL@JX^JWTijfug%~n3C<_g1dL|ZONDfIZY9;>((GLi#JOtUoxTQd!?{(3oxHg5}nBI zs|p+&UsWmfy^{5D1${33V_4Dy=y)r_6Wp5z*_Cr3dU8>w-4gIvc(ExedV;487|GV} z@Ck&jr3L9sjqE)&HOAWIW7oeQ(>s!P+CN0N-lNtbBV_Ye16>&22jP)yAa}vdZkZ~x zox&sAQ^~qI^}xNe|AbmNxhs+E9&cnPkR|uzO)VH6>sE)H+~1?a_UB4`i)ob4=3Q)A znK(*R*9#iHohmVw9yWG+)#^lnV%l>&R!`QUE`U&c0CMYfADI!!afTZtGebJ?eBQ}@ zY4gUq#+;C4;}ejyL{ylfc;|kFAIWDJOeV#>tqQnlE%!NOw3jIyXF7Z&ivj*Geb z-PgU0xw1dG?%d}~Q$71X6HFh4;vDE6?vHPfC*V8jKj5)>HaWfgA|?{tc7=uyu%%^s^vb%9Cd@sH#vm((C%T82XA3 z6K;{+x~$Y<5Kd1%3w7*9c4tBiHlt^fiN*>oQ|y_j&rf+RY%5sjnA(y}Um)uJCRw44 zgN~sHFTs>6`pk6d<2~j&cZP{aWEnO~q#NusVtaA@2X>4*GdNIfV-g){2kyb;cnw8_ z`!Z{BxyR}eW4eQAheqgyBIWt0D$%~J=0Yo&m+K_t*{EJxHtn$IT`I{ga^9??#K^w2 zUPC=I({{fJVj5t?-tTseHa|9@kRo*MZyP z;*dWBcc3Eevdwc2A*=o9Fj50>SmG5g0n)>v^*yQauEF z!WYPIZv_s>?hKJWyAvsyigb(F8>Ic7yvqxG{ z3gZ$)g&K$6j(MU(3p&OwMMo+pk8IEO?9?fy$GOM1Da$J0A&{LL)yoZrv zIajAv?u84{4udUY?${+cgCZW?!{=3pz|DZ#VKUh!`|8*Rz&YqYdi~>#F$V!v-Q1J> zbplyS0OJgH1?P&rqAe0LPbk1CAvA?luLsQB30tW%|8zA#ZZC}U`yHW(+`B83VHC8gHL~MR;leVvW%!dvI4kpDF69~ znU&R6K`7tiW^Phb=?-erKb`;{ZwltcB<=5YSdxQe^mQem4Qvfo$Rtmv3wYqtvhRT$3`@9T0}uq>$Rxss)bH_6ZS7Srs5D)V6&GB&UzR+6 zV3PgenI@3IW2sdz!{l{0FdjyouDI*}#OOm-%l!p5W-f9W5bU2VC=gKsAzWnn#@cOv zx4lV+%)sfhG}k2{kg|I^xtykpEa`%*t-G(^Kv2H<&+WpWOgK*awMuf@=FCNN^_0#r zWE~VrlO|u=-Qg$P)&MdEvf}Veoz0(vi=Ex{fh1xoe^@7sy}v2SG91-Uj$#L#z~f9qwl>9D-}R%#=Gbp*d9(=r*Bt@2k=r zgJX^Y>^{{ur)ua(*RIFd3-~$F3E1&$K0kM;GIPTkDh$Zo;S%T62BYGc8$AB321m#i zx|M*+s@v0-qMOrE@P4_gAsbcR^_dF?kLzu3jM&>jzQyfUjPCCiy_HSYJ@~@_WBla+ zV2nloVvH-3*3Uqje0=^YPNqZ5p@+KzG$0YTzV!z;$M>{4;|Ir|8)f_U>bjqSop0)L zMh^k6%K9~Q!NC}sf2WO85$};A)}-1@vu+IM0ksQ?2MggNpHZz&ovu6an(n>6tWt`U z-Sp^$#G08eY7_WP;w_R)kBd6!#W-mN4ILxO25YG^C+K89eOjWhA{)~Np~PBTZEPK5 z&ejEE9H1v}!3MU#hG*LEnGLyJ@t~YO2MvEVBRiKbVc%WvE1k0pwV_ELmy}!~p2w3y)KoGl~fvf8NFytQPfF#jUxt7y`>A8d2S4ymL&2c$M#`Eku_}uQL$~3z5?y#=apPX z&MbGIMd2-ZTD6SyKbkG)5VBcc6wbj2miMGcpQxH@EGIgJ$by!2A7ic-nhxS% zQhuCku_Ld+$=o^C9t3z?)P4Wb0K`AgcqXdm(IhlB&M><}tV-6Fs*(ROG$7I4Cv>Xs z!-l8P#{`VEqeVTW8n*msX}VpA3NWNEh2pXQOHW6Qrxbh2wwD`Z$uXcO*ChG{>><*> zKycKu_cT_!W<48N+nagtlIdQ2P~+@0N-VcIfOnYN$7kAj)_c`;4>A&G^_5tA%p1$9 z`Z`qQH)z(Kc{rtBF`8-TY}sj%RpN~{AMro*Cx2zuk4GZ97iYGx@e|eEA6-^Jv?;KOC&jYuVPPqb3ZG9E-!@?t(<{g->87 zQB-cJhJQDRkv#Bt4ieN0kHFHHBQ>rzmJS@Pe7nz`Lslo3heJ{ng|){NZ4pJ$0Rc0h z7?*)$CKHeKms>~qP?^n}6kXCmp~3Rz?cM*u0$6_0k5rf}=?h9<+dPkPwDc`s1sd3V zrpD7@T)jWw+GR(qr%7c+&={p(F3mnL`dK-y{;Cfiv`Fnu!P1N;>*oTDNuS6ny-`d2 ziskz4es;l^ST+<|sI{WFGpK?RqGRoT1Cy!=nY=weF;RH8a{}R2r8B`X4$;ag3hP@2 z>ib@(7~96n`ib+uxze^4i3r>h#WB=DIVNse*PlE}AdM_L)uQwlQ2;?%7Ap{>w|##k zPSo)60y5K8-YF+H;Rb9HIIzxNoyvv?$kI`O@m57H)6!MJO`r<)t6 zcr$)R<(O^lD^QHfRO}k>^zX9lfkT-e-vi;*yW+ z{04WDo-1!%Q61Y3{zF~>-NLhRw({1}dCa0y3(EA7uv`BNd_&AiUmAXZZF8aIEcpPM zdK_dA1S{$`-w}`U*tx`}_e>WRIs0q_N0((txu`+u(pI_nxV?x2nI1L=o`I&;%u{Ee z+;8TnUUltQ4|+9Et!Jc4UUG#q4@bgKx^9dcn8ywR?I~uWQN!d(HOnSf?POl1AJiWU zo!k_F^nw(?Ehy{OD!M4$8OPMYdCw~Bhf z@-7EH`TR9jv8&xG&F7zK=~!2ei~Z#5kFK317iJ8n&fBHrN7#|H_z`8lqd7My>zYX z0tK`bn8Y%s+w0HsqImonvaltewkzBLt~q<9{PY3=S7Mj*c{eLD+E3T5B77iBKC|9> zR8k)(a7LI7OgBuQwueEBK?auGmP!cy*gEvj{Q9@>*HO(F5Qt$zihFT4+f3Bn@(dA+L%NI+`Hl%2&sD4$40E+YDH=Q^@H_Z+ZdEKLAi41?zkM z2MC+K+eC>?gD@xpru95D%+eyX%vi~~VeFoSRP5u$)xsIfRo@XT8fBi%s^Bh68aM0q zbT3pq89drXy$Oup&G*#h&TXEvAz{f9`iJ>)tYZd!uLLXs9L;+~zhVnXWV6u}e}4Nx z&M56_$>$$`Epm!azmGB+f3nU~UrvVcU0a6^-iu>@py`3@A)PY#a6>=QHkdQ?T*%4l zdPnC^{3J&tEt7!AOm0^!!hg;U^t1|Sms(0)ks9t-K;XN_3~PMY-^24WSwTYWT6)8# zwkkbD;jXPniQTY6>y)j2)QJ^Jma*r#3CRklB9_e^k8}*?k0bc*)#DjwKVt(l)B}(o=koEb2|olrBS^drO)=q@>RDrzjD_VhD>eN zWksiIOmIt2)j2f#!l8-MRKJIW9k4;}NtiybQPAzWqw4+pjkU()Ye##A=JQ(-pBMfYn~a zWTs!<5N643p4x@6(I`bG+6a8FU>h-s2b1nBnFo`LFQiJ_ZuooQet6LNZ|q=N0Mt-S z=!~2F4bE@BFnlPlEz&7?a|c}7yhR*(fY;Sk$Y^w>)NXkYpZ7uG<`6RRe=VR>d?~dUCCMPbC&6T$d74 z{7#Ac&kAGu*3`3bY{@sw-Tfz7$r=q!APbh8Jl%s93dk%n$CPwFigL1;Dh)I1to zGgpmue0NjW054D7N>&m7G^B})k%lI|aTkHY7n36c*!#|I6j-q4$ zd+%@4W6lXfxUc*A$9euvMx&-(KAdz79hp=04WU7S8=})r^{Yx#glvroPo~I^wB_faZwIjIV$( z`G-YMsk%;z72u2pBOHW@tY+fb5n}5Ajp3F}Au^1+6}@0sBRaeuE%yCu@(hrQClQl( z^O<}pOr2AF!ukH>4zJ{c_u6_F-ZRVZMb;YDpXI6q~TEj&4kpOJ-<}-XSy|2zW>Ncup=6jY8YRHSXOp(C~iv zUIZLHDM(qtJ@L0GIbi8V%eRKg`EZm(&JJJxd9r4&`vMnG zJ{>ivpi?g?=$iDFf%AU4h!zc~-3!WJaQtwj0-|9V!AG{)h^WH@)sskrx{{xS@nEL#IfTdydi=03gHB3<(E z4eYgjWuIiRsbmWlbp0t@cq;}@HJNBocawNFS67w|n)q*dMs!8W%C$OD*^4@G&fI%e zB*kzCeErrTB~@mbs@c!j96ikE*FaZ&IBxG>xnnhZXB^&$2H4ExUu{F2!H6jLz^H?j zM}m~kQpa+hzJITYAf~RtLi`8eHrRW1wGx*Iir3&wop)*R>dYlH4w-GhewjCt;n78U z4g4kEM18d?evABg8sr47?f|#W(G& zZ&#(be<5Vhd$iD!&Dv{wVRLr5Mxvd4uDSP{%zV_1}CmBVTDnk*-ERxaR%w=-V@ zwM9|;e01wW-&~CdZVqPZBvm|B3Hv#p>M{UlKHvUqWhyz73Nm318pG;F%4!kK_>Yza z#EPl#1bGe2ziW3aTWRXeoXm+w%&FB^fHmusA*o27?k+)dB<1HXD#Jr@{V>dT4$fx% zEzZ+B+GRBoR!GEmYQvG|%{Vl6-a_1cht;f|aaHTXiyHqp)qmRo`FbpRWce<9$4oow zSUUmV704^XxCaBG4t*xAoT}whsAdEcBhQD)-?4xiB10{4NpxD>eSAP}y0XIxI0ChP zALlXlh`JxHm|iZGXIN{j6#MS|vk;vbE~qx~c#E}&9>;`q=IhEfYxEQ4sddZq4!$;< zLd4|N%gzM{W;gub3XxLEvIiekc(7`!51ma_KAtvHr_nWf$u^u2^W%_lNr=a2bQVy{ zJSo*lK=4pm)r=g224~nk(I|mqq6+=z>(F&NY)rXH=K!m`Ek;cyqs7SSz?R7qi(Xee zYd4HorLRV-Rf(onYRa`1hpMWviJ%_v`}sn}Nh0in2tF)w2ruZabxeYUDuC_W5w8KV z{xlVHA2RwEWs-fsJsP|$dV@hro^`cLw6hy3qWQ^Z*>T*d3Xsm;&@SRJIwLmhg}Q0w zQolY6fz$4dl^b}lE{6kHiUZiU4CEZ%y&vm6U{yGQ17q3gPnELFdIV=p)dC%gq?yHJ zE$O2v5X98#gqjov2`M+H#|sHa<`J(b8-yvIfx%-a-CXlAp{$_1Fgy=T3uJb>)ra{G zug^n)Pig+p78)7*l9mEY-(lygw3Kh4G&{0%>O(DYEK2jwLAlKD^#g(OL{-02ZH{Cb z(o*>IKT>Ez@+K|w;RKR$iv70mMcY3`9V39{P$v5tzW?TgHgnjl&Va(<+<%I;H5u zwUJAFCP5n%t&1;b5PnmLK%qmEB6&>p)iq4DW6^-K;H(Rxa5|R6Ey4O5$HvPFcT87k%<3X`S_FJfL94R(Hx)cr_E;@r_8cpzh)a0 zvk7B3=IF*`c*b6IgXuOuU+ug&=3z5Pj!kG5V?(BW!b)eNCx^9!PGg zDxrc!YR0$X5ymi5v4fgX3dE+Gbl9UzHnyxtv*^?w-YF7G)8(_-Kwv*+RkMiT@#N>5 zRyWThub3`8o2>-1`LveZX{;TD$u&IF(NkJh^H~B=?}rPL`ldxpo%rr+EiY(*gPtHa z6GI8%!E%jl%fg)E$|cLx zm5c499Q(v4zY@>*>b&NP5W3xGm78z->V9~LXP9=*Hka4CcQn0;b2M%L;w2@p^iJI3 z&xh~jc@1u9!Aj_sR^H|_l^5_l7q!XO#j3SDpfM6rA?)AzEIPrUe8vIz&DLudY8*)Z z!w(mLj3&Y$pkCNG9QIft#O(TRH%8q-5uZ==i^?r8$@*2H6N(5cV{>&v&pg)-(~Xxl zO~Lu_BJSldg(=R-O7&Bs&gIiYQawx)X`V1=)yFu2ir@ zS{_c+oQoWWh;urKt4Q?i=IG(-5s-AG*=KT^MxV}n2Z|Ow`lacWQiZ#Zw1v5}N~CHp z(8rs>Zaj}#C13Zj5-5dK8@0#-ewLWc9qJr}adzJ&2A*%l14MOGV!gzy!3G7F&+d9C zgC|e;h$g?Udih%S8&-OMLFwRpZ`@n4&5@V0RICLhxQ!GHJ6wiv9)F6`>} z!4XeOVn4H>RFDbj*uBB zn{t>{q+-S=EKDlh!wJS8!n|y$jI|(|`0mf%xVhWDX9Pk*r1n6Cm1}NjM<8zXs#*o5 z8XmOwuw>_H$Ps`*$c(&y+eu|JC|^0ocjkRBP;E}i!5nO(=ve95WgDocH6hMkJI1TG zH+1|6`JC z!9^E!tVWX?5lKAWqUCiQ1D3kG!TJFD9Q=VVte#{Zc6`^#>k@)KCz;@IiELH*<0}jP z)8XWct1wbhw3(T0DpS`Iw|{kw#yqhP`_1oseSODCqiYsC{d924qNQ z+1Bq!3o}I&q3lIRaP6r017vxv!MQo5r~?uT2W9)uD@l`!nQ5#J@K zmB4jj6XcqHbvoSvU!5PoNSrJ=9?xT)zQ0ZVVqq~CwALIJC`f`@?`Uv&B6M^3KB1E; z2DP>JR>v$5jYJZ$Gq6LMKIb^;P0@4W!sqhQ?t$s#=nj@{_WQUUjqNG|ZcTgn(fbMf z?A_XH&eM{mNQ^ssrPS^(?xgnMnFpB>WoX1K+1R^)w}@WRg0;p#6iRP)-mQNRnI6VK z<~6`>Vs#irx&ob6>AH$-gaLx4DmPpG!;tS7m6OTs5pWA*;z>Bb-2+oCq8&66u3)UP zZ~7727ZfC(WeVi@yp^>dfBh^IM~(w2SY+#75)g`gPy}n3_$Fk@=#3@7KWN_!_x7ma z+mX6yC)UxM`-7r2)cIIj_h_Q3TUf-ETG+*@2zhH5o7|)%xC+qJ2Ds4;5c-N$j!Fj3 zs3pGEh@x|t`8R&@YXA$Z`E~-HC2ju4m)NW#>oafeT zBYHr$Xfk7@QpRRoa}-N_J|CpaqSGUbteTe(*HCMF#OP*L!=%y>*hx0FIHO!nQP#WY zu`pfgp9s$)rxvVO2|sie|1Q8oEx0DYQ*{auGXmK_ETZc_cy%Yer3X&8h3ek;LcaBh5)G7Z!o#{u91Etj1y-Sk~llMtbFbR|vQpkHn}Rg+Ef)KsnNc?*#1r_OGUJqptjCL0>rBwe8x`CvTzmaxBUofAK4 zDMpLv;())s$<>C`xhLJ<;=9PoID1Yo!cJIhqB>B+z#fk>iVIROb7clM8$>^DlK4l- zeea(o_ltLj3?0kt0oKwiHf*u&zB%584W|gSnhRBjABI8LS>kdSb5G0YU?gJYYtGf zwIc%xT!8?~&?{80lw#B(eEV5sx!e6^IiNPH?XQ+>1khqLD3(1iX$y0m*MV{FJa&$-q>p`YQo_P1>@2pRS7$q=5DUir%)Vg! zu6sCC?!UI5I1)5-Dzag!2)i*LX5HyRw7_3&9Mzd7dtvHVmYQ)%G1Dx^B(g=af{Gsq z0Fy4bpwD_=I4cp%xTci0TbD)TqC|?1y3z?+GIqSo6Z}0vn0KpIN%Q+TpR5|n>f@ZO z@4vrh$ztm#T3$6BWR!iDaMZ^`@IW+5*Li~EYp%ouyKVw+)Q>L5S2L+7$@K3+;Bl7) zPe)X~`iUY#qSa#sjEFk3@TH3M7=#CJ$L9#J9af`sKJ2@x+U$v|;9nPEi!>{dsR*-b z^s)+&I^(ua_+dbC2HN$K+~`9Y4das%!4InCL&|#ZVs+*k+EaIW%NAY-xczv*rL9Wa zw(H_o_93hOf!zaqW=*k~k(s}e^FZ;9AMpx(hEH9d1}U6e_2^yQtux;9+{gM+4qv9_ z%ldjau$fEbeC`Pe-CYCbS9tuK=meuGl$cid!JPEaN3j4geM2B5Z(+(gAT2 z&5M@cdQ(0$SOvN6*8)R65l$LY2d}T#D{n~$ozzJ1V^Y6dw`g}$;B%$EP7yqZawSxs z%4sp3A?r2&jhZg%hyr}-*6 zSEi}?>p-K~*5=ZmHJ8{-1<$6F7fbZ7g0^*TFxXPAzRwysv;kYlfxa|l>IhA!RJ_{RA${cn@*gVe^> z{nIDW8aCCY9c#(Np`L-bj0ilpP}m4?8->+^x#)e)pDFkf?#GTS0%G5Z11$Z@)tuww z3L?sHx8#}U;!teey_^O^uXf+6drEJg$AXnb`{`%O1YouhJc^mQOmmZ1-c|q-`Sl=i zhWC?$c;?nPfs*CX$`GERq{a+|7RYgK@^yupB9dr`!NuAR3_|3u&wzX|Z-U=eme4|&n~dRI-cwMfi&>WMlfuKhvCZR#uHlu~ySj-{ZHcXcw?x3+ zu)fBqM2{`(pz%*7PEqld1{+fo#>H!#C|ldzaSDdoDOG#+9~w)4gQ?>npd*so+AW4_ zub$xi=cH5XA5DSunA0}$!f*vt4YleUz`73_?a7EnuboKskq;QKdf&6vekIRi0qSbg z{zKA#0S0`(Wd0BudJ-XY)R)^{J*qH0qv4uAI&j`2J29l$<+5R=>502P*USV4W75%i zCw29EmBWONKLN-uXJd2J!mO2gtD54VN$+S$2;YSI_hGJBeoX;9ePe|jyWa;sCLg{% zHTZ^j5^s^C*)cnk{x6OnwwDID&|y{Fy2ufV2+{I1CK#An{M}kRkL!}^b`(6<-CYxf z6noX@OROKG?waTf`1IC62)k>T6bWo6V0~0M1ZCE%=HOfet41}W1@M{DQmmc0mgHLH z-bAV%si5`kt8HLlo~jfNOA_I|*WR*%6}41|nVwv*k53~uFCcY*!kdMJrY!UT8`0S1 z3fTF=YPnu5g#$Zs{esViZg}G}HcMnD+12PzpcnzK^WZm_y!^|2?Rj9e&mS{zFCg@E zm9VGi*V&Jc{Y7XPI1&rqg22+YCPeSIb*pgq`BMFIv{C=WQiLY#3l!dtd^delWCz5b zF4Jk*1+SnR`t8GJoq@#iuE9E_U(-Y3S@0`Hxw;$%@Dzbfw!oV{)O|UF1(#zc1Dw@VTn0>3N(vfmut+PkV}yl?=43wF;s776BBY$lYbNPQqleT zW)N)QV~ac$rcLXwjt^n1O}fIyhox6dobl+f{(8w=d3Ca9+tanxr5&I{fA@!CJ!)qU zfYYIXVm)oy$&3uYr>rJ_1%y1ZJ2u~RPoCGFVRi6~V~GyfR$8uw53g~0B`$SWfUAe> zlSA0Y}-w#J@ zT>!lfTGFH{-qiA)_@jgj85TGE_z!$R9%T%Gf#qM&;Yg${dtg9xrOuRJW8{#bo_=&T z|F3n_qckq~#K&Tb_=&jl_3-_`ia!S~^X~)Kn`fK|sJ5+vMr09`RzUf(b3q<2$h09c|qkvkEG7$hi)dtr% zdCYTfijF*+TrkPN>)N;3D1X_eN{AVM!FX7iWclaZ6-Hjb@I(i%%}7)Q9Dtq-mGp5V zr#OIqB;?5m@I_du-Kz4HSzawKF=eThi{_%LO=cqMUH-!U?k}gB{AR#m%Svu%p+EQB zUQZu5EbW6c@XHo&09sD89=oRJ{0(NIvlnULkNn*e9TH4Va#5NNYY&gw8RF?ABk7C* z2+4>48F*!sayin&g++c1<-2^fPXoexib#vrXU_Jn{O-nptDGep4?_-vwLXJ?1VQ67 zf^o5mz1bi_cn6zC*|Q^Q;hZ=&Es5DUm6>n)_?Ne@&^<@PvYXD-{jI#4Zw+QfEX_40 zK(?o4$pFUKsf7$S5|L-a-9f!iu1Q-3{uTn|II#mQ6+NaAc)S}+1?fC4YJhL;RfZq1 zqxG(mhnfHP;X}ixzL3YDF5}sVUZ(XmqO?Cl#54mbYaTRdf<8jw+GI-{7-MTrMO&6w z1&~7%r>?=vjj+Oq=PF?0LZxS1wG; zb+YwO>_7+lT8QXNPC?TxLx@>^xu($T8@BSjxzseHlOjTUT|1QToH;i}iZzVhUwr2g zw%*5!iJ8}Np{E4m6v1&ipYcEL%Gcv5-h@iO)@uqYV?cby?{t_SzxD)mUG77^My)kq zR8C!6gfIoWm!Q^?9x$J80q&K!=@^2|d1%j+EtZ}Vt?M)024JxfaDGs`&RD10q57pL zEC{y42*CKcZasygl0`LS=-9%I|5_pV#2jeyWn+J_#oPR0!7 zG|dlunUci($-XWR5ts^cP4zypbzy7%b@}60ii21^MCk%gAY0m@`~a_VeDmY7b1oQfgpvKO);UnlgzaAwPXn+bp4t(D-&&Am zhQ*G)VLpRMj@3ZfxmgHc6ctE5-PYSm#<6-@z+x-(f|XvU>PP>fQkRw-HBW3W-sIc+ zJ3u5H=AUK(j;7L!wo~rmx5;yO#(F9LT z55Z4GD3-jjEQ%pw!K(y#ER^(r7_SD=_xMl%>vWdUNFFjIU*XNGhC2XLCpoN-hv>)Z z%a!b0ip!qqxJ2-*ztz_+?-JYKMfsh(QD5F?J_H?Z+TPm-)d)|flpsfA1-g%pNY!O6MO*$@#|3rt>BN30 zLW=R6DhxJY@#i{9(oIqxu_XgS)3^0pZ-K2n8#eBXzvRM+>p8UjjRwy&=JT zm&XXmJKL&Cqx_8N1)Xb1IP&LQBfU*CalpBDX7g}gC|AC{0r1o$zwy-gunJKS6d@B} zJAR*BI1h=k?J70ptlu$nqK|#M?YtbGXjMfrGFG@s8x|<%XqY`Smj3id|70eA`{6(HUPb@lKCsAz$r z!g6&utR;O1)Z#feb!807x;eJNecBPk;7-rOFygw9QU{r}Lyhd1n_aka*j8v(D3q1w z0Ov0cx<*k8xvg#+?;>0_IHxV&lSsuc1U(Gr=J=XAwbQ1(bpaNZhPMX5lN{HYeP>SX z>7Z7C)X}mbIJ&uc@d~Wb^tC-N&9wblL15mOVoVHER2~mt`gFDV0Jo=|rwzr1FXB_7 z0H$p>B$&JxkX#32~?yqP&W=_9;ZbpxJ7DU%P_7{Ic!Y`n5Vz|O}p5d+- z$CvpCrf+MH{ivOGU7IBHSX`5T%q73%MbOM5tR0G&`rpg4N!-UDZw2$gOwfZr5qyP) zNqwJa9IoJb{Q*Gwxp_XmZaeU-{sr%5L37AJ(4J`2^c!qMh>13dC^@I@&Dwl7b^IaU zFNxWZ3VybP$03AanPN2OKI{9ZNnijWco5m?qT}6DRrxoOT!*6V^dkVZ&@D^>bU-{ZM|EY(H!YF z;LZLIN;Ta7KPlDfGk{XfI>!~;`^3vshRSJ~jUE?VQPyfZ;Cbp2=1-~v+ba5lJcyj< zOeKKUq;#}4Af5}lpeTQ}pn#tQs(_>i7B`hNcs#Hw@JNu0=$X>r?GTr?duCq4ISLkc zmh7K6d4!NIAe-t|&u8H3nSdgsA$TIdV}J32oO+#Ev^;VDw2N7E#Tx9dMA`i$ z%K_Tb)8h}?(sjX+B%t*12uc{^KVCea9YnSqq^%-*Z958qi1qg>uFQ7TP`2`1D#KJp z1y~R1DMuW^7{KQI@b7BAyNr~-F7nWPhJ{>bA$1BldP+8g1sx1_nesww_L**mmMsuw{~yokUCg8h1fAX zc0N(}P_XO9F9y9Jf9%5(NT`zShR6TtY!n;**c{aoPg)>~O_37g0l3)@79RN$>iy1Z zX&H@+scOu$K7B$~vG?emnFegu%LV=4+0!@l^_{+zLm2Ltvv$Q`+^grKz>wO7*6E*r z^%qcFtbRJ4Bb2TM5CErD_y^n11MDb{F7xj+UUUoxNz@HvWM%mOl}HUyv==fyg*vaT z)fL$Ah>zKpvooS8*WlU4in5Z)YLb6r_hOgD_)M#xEF&_TV#wbig2!@^$lj-ndQ=De zc=Y8YtgCA|1qYJ>MH$}7J0MGIsvX}g0kaOYW#lggKKZK@RKD!%gHC1v9;hNYST9UCem{~s4I^V8a@GKFI2%9@Sj zBg>Y`Vb;1!0M8xXG79B8`<<)-`UN>-wRyGUyEdMeEXz$+$u)ZQR;3$&d;L!va!lR0 zmMkA2MiV%mQ{JI4kw!2cE7Ho>pCKhaJ~ncmz$52UZT`s)qAq^4Y=+R(?|n_37@MqY zb6SDwiOAux?F<_xf>2Y@6%Wc(h4v3bK?I54cfKZWxotR-5c&p{BEO@Ai3D1|V2*#z zznWb}t8vHBRN*~`txR&+1s9zJ%hsjsA3ZC=8v?bi|-O2(%h?5jY{>?e;1I>d8Uh>+}aU}RM zohuW=e2}lEnTfi{w70@seWTaR8K}~65F1u?9H3nfn7fJ``=Gvpr+3y{2Mur28C_22 zyaw#vJaACEQD67-*}Gxe9~Ov6DT^ajc&))zq;feTzpMY@)IjKK^DKG_N{i?u(pj!D zV1bBgZx`x7f$3|Mg0i((Z&PL-4<;-YQ+YG(Ge6s0JNB+$o1_67qy079>*<2?DT*-^ zRTL-}pjgr1w%vRi`^^D&$!#5-GL|+HoQjUI_Cc2g8Z+NR!3Mfi!lDYnDL19bMDZ!@%Eb`hr`Kx)bD^0m<}#I#q5jf}6GXPU>x zw=aaDgbklK;nG}7MMs4s<0N+JATxzwzrvGo!UnHaPTJYzb{hr80b#`ZGFA2PP8S1* za~~OY$ffLIF@w@y+Dqy@2h4hyt?_xM=FfgtbiXOccZ8x`1i1QDC))hlXX5cL=SaqU z`yxJDycz%}6If+qW_$9P?qAG~Zq7WNs7!ofpagq>BnX&yB%{tgb^cz2g_nM+({!DYTr2n_Rx>o`cFj9yl>)9RHX&ybr%xa^Zj?6b^G@J4bED(=LaA( zln?vwRQm>1>S|CYUq$xZ%fLIBE<_4C=h?M60XI2ay1T-3f$J1tRE2jfaZlBpi|+Q8 z@BvY2(pe%I3IiLOWywA1`VI<;snLZcC)Qq9%z})h!16MiPi2#~EcHUq>uQg|n zmTaX9F{k|j5|NO25gVuuOm2d|4M(?NkW}@$Mpv()V@Ikgv)AarP7sy}LR;3xw*wex zNgjEudh}d-tZc1j5eo^)-?1(+a7`P6t98T%wNQrOiF4{N5KBp1EhpDq9loc~@pQiK zcLEO6hA|=j%!S-ke<95e`g=>vAe3U=;!h}ry9+)V85#CW>Ekw3J(IxlzzML~rg5E) z2g<>CFMPw>ltB(w;5i7iegyQX%23rbluUBDkzISf=E&a3AZ zM_T}H-0SjWXH?JVMfr#L52^`wk|Ju(h)WNO=r>m*5=vM0h3aKzMvlxi_9zQ~QW;O# zjC4O#57X@Bte0Wik(ZPZ=+^DuyVgb#p#*dXP;0W~#j;avnqX(%rYiKo;G1yi7ytdJ zA7J1R8t}u}AU+vkJNVw1yU5#_d>*l~esTVcVDuN%Xws|6>^NV% zRcJ!zFwY@3_=r5AC}(0)H?cIRU+R^*c9hMhNBJ~fc;JahqK7>gf`p)^4l$wZ8*dMMyh@9CQg}xUhwiKS#aq(qO<-~m!YjDJ0h)&RqeJ*r&886uUBdqGylPmE(cp5tu9$Pc-md^zb}=1bHwzE>eh(4wJ@rT-sVP7(k2z0GyyZOe6$Cv& zpgOA*YtTpwhP)H+GFzC20Sa;zG|IzL{JW!tvw{6DOQY5yQ(4owH1(i@V*-hl2O0*T z`C+qNiUD3VsPq{E6ed!U{^}e+B8zOcuk_i|VQyLd66JP>3njR>EQXjJd_XmBT`9u zcH_l(-w8sa-h7qk86{Gl1qRsm{I#63m+DM!sZGHr?D z8KDp-7iHF#Eq+@)T4>z9vt4nhog5oMWc9IqVeH}55JqKhPiLoA+rEJm0N_zrRoUhh z+sk>!yvh*54Gu_lPH@TF(GuB=+(8NJ2@ri2m#AjzY;E#tSFYZkVE1~Q{co!&@fgc3 zR*EWr`+&|w08TUC1K!mf9+4F`HHUV~p;MOSpZ$>s+Op~+yZBMr7903j^ z3#=K-m%2)lV_(xauT)H$#5&557z(cs4g+bHNp;|_7E7x5|FS6d579z-e9Z*E`DyZo5Guj&f znw5wF(x!A=tuWyXA+w&(rXMu=zq+sj4g5Alwv;4kM3MoXpvpzm9Xvx1z(pF)7#Pa) z)p(aoocR#v8Zuq$bm?neCj~vg=o0_Ix|)kVYn@=yfJj)C3*yhlNrcm0K8~{;N8S?d zr}ZO$3cuR^Q2*o|SCtd6U6583xgb5|R-9Rmxd3~5UY>zm5nZLi`pGfZg#Mx_&vi8u zW1bce>sY_LE;mlX8YdzHSflR(0jqi#!NOfd+uLFL&cjAg{zf*ysGI5rsFu93u5(f| z$$@{D{FoWXQ;K#AZ=Vbd1&(eQ5VrLXPu!?cd;-8{eGk|`d@DDggV1^X)FRwwM2{M1 z$;?$+eJRkjoUD-MUE!|Yc zX;I_$Ux3w>LK)`&OoBYLQg>`TlgAlJJv6NOwF18o@g_vUE*E@@EyZDXi&Av>RO`bi zb3$zJzi9Wl?-G3eivsrXd?22lu4|xKboG_WAF!=!k4FRLhsj_pLEFvIj+-o2RlIM8 zUqRqMl*zLSMp9Rx2YQ|h^69exOFIj4dYJG&KLk`Zshx-YXSaF58iqf<_ko2J;7%*y zP5z&Nv&W0|Wrsj|*!xd=c?w>Di1m7__y=qqbU898T}Z;uZM7^tl&>kw4Z;C*PLvm& z{{hg>^L=TbTf_v?nqED;sbB(d>PRJYl%3)jhOWGP7G9D0`tUb#z&yKu-$Z)+`52aa z344@kcy6rWK*X`U$<>=L7qnfX#H0X?8M$x6q#^-?} zt3@yFsQFT*W6-3;=T7SlSAds(NgkH&!`~jlko<>PFDHHjFx16!_uJ{V-0-Cm>3*aB zaQ|SXePxtGAm;pkP?CEq32uvz_2mA7Ke+-%gP4v01sw+2xEz*>+3V0KjZ6K3DV7t! zUm&mfm_){_lTsg}XQ8 z%=|S7g{Y8<^dUln%=z05DT?d3W zX89|v>1DEYSW83cw8O?jk%pUxDWPyiCOLIZFe7v|1X%21pA&GeW&;Py(7E)TiNFSk z9_DeAv}v>uF$DJg(Hsv=ggitZfam%B{eM!mGdcCT2N+)LEya`_+SXF2&#Z!N-C^~cTLRhZu$eh zZ0|n=?W|G$`MJtBTU=CMJVKMO!ua%vmlEacIF_G-BHJ4qlt0l^Z`$L0Ok zC7i=+Pzd}LaPfDVwQwTSAIv7ygDkY^SIT$LuaRG8Kbhcg`BMOuEW-PD zMc{us5=cGBg-pjd3lYq2{OdkCIezbiQrQ@sXDF4T@+a7{|DBaB!K;i*CHNMQZB1|C z2|}B3{>4lqk*KQNCwgy!u*pl`d+~Gr&C0$;5Mz@l3#9}~^6(x34Y;9RaMKA?5|x00 z{?8bR$2A5}f%)IN5~Iu$robwF5R`EM5xSa$XKx^aMI8n=K>6Z-|G1jyl?BMid{=w7 zY8q*(GbnKruU(+WfPVCSDCep!5NRnuQ?L=uk3!C8z71nk7>xIV?L50s-RTVmyrW91)XfWp{s_CGN&>7|*P2372T_3fb zFyU0p1I&}d7am<`l@?&$wKev?4!%PFtzg;pjEQ3Z;*)12A3W+7sJ^VXgJSOvA&~J}4w& zMDkYp?Q+`hHEg~P_x6I=1+tris{j1TMcBR;U1F6a#qL{8*+24;Dch*}gF_w$O<>@I z4}XZ(+Ok`@Z#Oe3BN)?^S}-i$PpE8>VA|Rgc*JJrTCLV#;WmQfU1OhR&<4=pB}5x^ zzTugE(65-3x1u-a_pkVCotas85q-%Yuy%s277#OEq`jE|+*V|b$_;XTd=j>2LSTnE zoU=7vG2Y=vr-bMF_QK@*C<4Ecb% z3$DuqLo9E~?C934wtPS?x1o2qIpW(j(#&owmUwT=I=}X~gSQPcf

ABDb09KpOKTXYr7-5$2KXrT)@jj52e!v!XZ3= zjIaKs1t3=PAfVi*DK8QWN+zlTd-fqv&+1y54^xqy9>Oo4}$za0uKPQ#L9qcR4gay+&o^$u9>0am&aOaVo@35;Cmt}0k4kZQYzqyvli=jX14 zpJ<`#?Ae>!py|6O^Cm(TiLh9QAKppVaL;DCo@-#dCYeA^c#+*FLUhN=kHb z081 zYh{IL^Ll!8&#vDC&yS$@aY>nFdvdrqLu{d`Kqk*Zr-&ojj{@nNZ>sB=i*sN_0*wKM zrp|^nwev-$6WMj|QcV~}3zZ794eMe@PsZTc7C_Lzff53wjBrRX6}mSHkXzIBuHEP$A?J@J?IadU@L5n(We$UU_1%CPVy0m? zhwes6y>H88k*yDo3cD0bWeO>mK~R*XJBvSc?+aVM$Xm44rPG9r@ zpPZ*_Rtna;1azU&8UbBC%1Z^%oOoR;!WZx`=v_7|TqDpynuj*f+*!F%8jzVFg`qqw z-DlGLa`73&n+5X=B06ucf`1$Q^hUCkS!wgfuwPC@`v)dF^_>EqcUT13xoY2V>gy-@ zHAN~;do7_=FHXV9HGxuJOj)-&xKw^-0fw)Tu|SYbV1BQ0K_iA9aGb%%A8Q=;SV9r! zA234Jisv76EpywfD}wFY&f-f>c9U9fs@D-odsbhW?XPhKGKGz%rSov~ zA?6kHpvQP%&ZWp!q*;9Dd{ioalkp_T@+NU|Pl!7hqLo!L5Gbv(%;};fhbegu=H}v$ znIT7tH|R@tMBioL&VxK<7Hv_{){arZ;OXP1r`fzCo*H?@{M85S)!Fywg~3@cEm{Qh z>}ok8?CAnp8Y0!NYa$!N;R@p-@qB(Vfkj{6lqXI)wPC0dwLf4rBQK`}_-x$_Vwm}C zLo_AN)XO5%aqwmy$IaTbUp-CgJ1Lwkifcyw%1n=Y6=y|56{k`O7sY>E{8ccA>d^_f zTUM?%+tS+D6*1!W#yr}C+&pGfw#)0Ua?kn#UBcAf0n)xvlEL?a>$xV4e4AA^B)*H> z?$ryS{u@-zCW$fALS`*By+e&Fla`@nwX3Ll30R__)5gPW3j6c1ift0z=3uy0*DUqgcX=~8N$pa$y^vh{} zjEdM*==KIB$`dK)_Z~#nQAacMx7+G1ole$|a=lja#tpF)SsxBZvn(;T^rkAJ=%+qs z67SeOlA?d)Yr}qU{|Q>#ZAY?;>PThv*q_3TJ5H))bfCA$ zAbr4rn!Yt4QM%CTCld?cwv`d$I<9v%FZ){>jN@wx1=SBdEU6zo9M^TNAt45FtS)7O ziGpNnn-g#v*##J5m={x^CysxSM6C8D%~h&~%gYU(Y=4g)i`<;I0z|LNdCb`QiV!po zi$gbeZW^_J>(UZgZz;nceSL^~xffSZ2G=$YS|Xn~G2*@@5L!R8QrkQuu|MZU9ao3n z`^a?qC=71e!`O0cBDuI0&Tb-<#?m1{{+dX&ycct8uqvs({`=v( zh1?;UWs>m~V|yLdkqYI&$5KzWgR{?_q%HlnE?yH|a!Nlr95H>L{bTR-GGNrlXY7HH z@W?2==*(qtnQUsJoh>j_JuaCbsJ4B7jh?7fm(RE|AR@ZZ?PXl^=hP%qz;u9K-R=G^ zjp)QA);UZkz$P36=~Xsf>y4TLtka;~^Iv+~9oLgTfMwi62j{b;h<2&DQ+@*eT&KC) z1iK-_D*CZQChTlv9JY(Apg=C)Pt*Xs1q>@-*|M&tM-$P7fVvnTVR`bZR=RV(4?%lv zbLSGg?;^q2W7t0grJR{7nh24 z-Cq0Y!_ma}%SDE@dF5j^esbi1kc;|z@UTOZj1sCVmE#J7Jr1#(=mR3cM8be zt6yT9Yye)SMbRwjb>C5vO#`k4KTi6yc#BrjsdJO3Ef224g|7}5X{^JsCZ)B+vk(D% z^c$A@^P1jQ4WDh87QGz7lvsh>$7;0bcf^?bEG@>cGay(ZHOsUZVy#0|5dPdD3VsC6 z7suRC3{fqLYOgfO`FM;$=*K<%n;@AN0-q>s9&K8RrKE=@cEotzd(G6_$? zifpc;UV`A+z0;i9#Pv`x3Ud*KBinX7ShB2fZ#0UO&43-t@gPKUc+R?*etq3ed!5G? zZ@{lASK)9{ie|wjy+_!RhP&d^lnDDti76nU7fr7w*R&Zd7yFLxrK&hn+qScmv>k-b zHG7S)jr1oo3hq8~W7T?`R$%_|bA2dNX(3rMn&@#QI`*7VoD@UZ0Z^2d;g1=+|_d zCmo_`H#3R-*|YrE1yYzoUUmr;DNVJGi>Od-j5vt_X?=otSFvwzW$G{|PpAAsTD$anB@T5RjFbEa3m@bS-=%ftw`98_=BP+5DTLjnca z4@I%I1N;FEA)1$8*F8?eO7#beG-)#X8&&{9=MT%UG@0c14 znmkg-txQGzKeW9EP?X!YEo{WC2#A3wAYz0jN|3A|ppry#&PYab#(;p5kqiPN0uq`W zBuj>Fa?YScX>x`J{O9LB_nh{J5iko?Sq0>eKk;%MHwu#`u@S&g;2Xmus6i>c(PCTXvI$`j*WaMevoa z?X;p!#)Bjo#{=nIuEY&DfPsL6s@|Ru<~TW@&;214+F-f%-J z?}tg#f!vP6PovwSoA)$V;@L999K7n`u)}$6ztP;!cT3bS3Qz9bMxz3f+_j1Fs45b! zk1JP8v~)IP4uf)Z=yua0Z{Wb?wk)&zZkg22HI4c0r|aSyTdWHk{&D2R=UNCB$-v@m z>v6ant4@tP#bnGzR#h1X6>qLFyD+D;KcY1(7kyfAmRoB~ql|L9NzqNnsHASoovD#F zH|vz;p6@McwQ2^ffiUgL5JtU~`i}<6E?Bc2zN3c=gzalFoBDFIpj>E$@VTfJFr;PI z#{l~%@iPd4v94!)ur7 zHm0rVOWS;HTm}Zsy=OvMi+{X&OxizR6d0Mver1aJy%^;a9vE)3v$Rg{>f_o}ar*An z3d0GV79prB8%v}7noYM75kK9ZX(L5KL>J@XO|A>p)(H347i@wE7W<`Q$i9;gQ6%Px zn%Dfuy{$c;c-P9HK{HK#>8k3~X~CS89v1Ehm%5c;n zK^~4T4MEv$hVV(Qp)mD+i_XM;?)i|p2<_?iiF^=HP26ITrLA#aP?1VF?znJ|_!PA* zSnS>K*rs!80Vd-kwxL^l$vC}@;5@zIv@pYi%S_Dgvh?$ZRFng|-3xFmAw#waF1fcw zEzZs2B0et3nPr-PzGUu@p#gM^u1nju2YTTg@c=ntE?8S}59zaIe;Ac4gQc+v8yT_B zf?D{QFO!{_!%@6aG?!vsZX1m(-v*KFORs~P9{P|p736nQXvg$!v$N(d!CYg`*v6Mc ziEyW{eg@sIU7Yj`n(*I1%;+jlzvH-j@l1@=&4WY^(>JakCMe(F^vn~Pu!1C%RzPdx zw!&-F#A6wR(iMBWT6U?Mx4x4C^;};eiQ`fUt$c*bn)`AHIuimp$4kj4FHp$hEMJ{a zSx1cezdr>4LMAV-$LV$vQ=E^`u&&+X_;<9~l?0W5c$3-oGu@SKIu=B^v#-Tui66}fg^)QbA}p3>8x9T%A~nN}N~1pu)}6h#*=a})2W z_|W(Qh!eZe=2?F;YDzcv-69EhykNsh4#)Ecf_gkLbo&#hnk6nR6oSS5cW@YyAsSIk;<4K+rn zhz6fi+=B+8E%k%k6|M#4B8xsu?frrETfF|RD)$14*oV#Yud}jYvf00Xk6&Q=QU>*H zscEc=VCJ_02h-^RhQ`N|pKt>U+;<^@;^=XpY0s-r*X@>GPqXczViGM(o7Wg- zCTY-f3&0eOgL(n$E=3SE$@bf-{b|-vofgHF5I^X|@CJDM+=|jy-3HmQQJ3DJ7<+0C zpW9`Y?yu?t@o_@GR=&UEy=IgaH2!{ZbfS#do z`1K^GvHOM_?pD_yybi{bhmv`(UD|O#!oRd4QJM^xCyw4?m0h8^R#YKX_)b_`l z0=amew5#C?Ltj>z%fyI}52#rgr{;1LVBXjF@MNM~=jDr^J{#)($*DISW$@T_NQ|K` z(4^O|Z=bWM%6N3#fplv-T-Q^ikyjc2gntHe+a_ywiD0ceOPwwy#uj^Z!M84L-ra$8 zbo8#8JvDyeYF~Wmv?)-Y@oZEMnf|=OQ4K@v36)kjHgBJlgSVZv5%sj9dwxc$A0^Dk z`(tYFMV_O57&+@Ul-B1SMi8Vzsb<(bIe#H*P}`tV$eyXYzRfy0^Bg~!d~uAsusBKc z5f3<^NZ-ZP8ut<|pDvsKe3trR*LE4F@Ah|1H=NM^iYSiRO#r0NTEJ*FrVd%h&`m~g zw3PY2p$3xJ-n^t-vtM)dJsSjdGY@Vhp=Uu7`)&~`7qXDRVyYZY{D&=#;Z!%puM$~5 z)^i6c$G;FWRy`p*`K<4R?^$rIvTy#*B=T_|>P##Kn+JBOa^dFLXP{q2;Ghd%Qdwnt2AD zsPhQZ1yH#L%(p<4O0eN5@C?-QpD1bNTe}51r48^cTw9n_8|+);?(T4e7R?=-wP)I> zxa#KYDOprVHoo4uHRDm%1Vy8dX-G(lSQ>V%sjwX@O#zH zLghtN0v5jSceb?6)qOr70I#auX<@C>R<&D%_;+6OeFrlQd3_`{_i}V;jv71o} zs?Qd=Z!knH=zcG?qY}szSlB=W_HMpVIbv}WKbNm^B~TbO;#28BE+5+`_+xqoQOzdu zJ`h4?m%I-D2xG+!KI9N0qt~g@E*2x?df7Dic@nRVQ9ptT}2z~KRrHV|0oH&EYGT$mVy^C4=%)i z$S&ioZRcvlJYh~3=r1y?8Sp1j9dPA!lR8akop)L2iVd{ysPJ+jpda3`09?xEikm`9 zY+!kx>_=!V9AhsVb-kY_)4y~xt~N}wSV*d%;Xo$g#SWW00I%<#kv{Y+VW-X1PwWFE zPVW$O8g8sR>l%%j63*9 zUBhW`k2s!kqMgspu9+na?2-=(9u$HKTL{4N-RlQ`Ggg44Uru!P)wURvf-)VZ zhqVhZdiL*r;$v(nGJ;r1Vp(u=-7;98Rwzl!^)?Vc>OX#MkaY|zE)|ZP0l$iU-{I+cDp#WQQunP}-|msb5|_8Nm>E_o}=yYNv+qb{`rvx%$j# z!9QJ!)*x#<%up0S)CED`Dv?B;A7}i{FF;VW5u$+KFaZP?3PM# zUI}N%Awu{D+ZL`_&IPOoA~%H2UmnHmFklvcaIQ; z=){6}ccvZv9kMIUx$5&-$r9%L;e3yT8!;?Y;Df9LAusu9YfhcDFikq|PAYZ7ZmHzw zecRUDJU5F2+qV{}O{9JaD_o3a54Ye{Y%h-t8~T3y_RR!0o4m;zHLKr9>F(Cl(D2Jr z2)fv{`mh?f5WS#8l8eq;e%@!%)>YlJbV8ZAFHfvL|Ctl~9CU{yh4yU$GK)pjU5vnP zK1_}g*Y8BDU^E^{w{Yx%TgxJVS8Y>ii4wie24v-Lz5zItBF;!#Zp2$6e>V%sO9N8q z87`6i?9B7ZqRO2__f@22M7BH6eGq0M(WX_~JkKv~7+%jKm4Q;--5X)RZm`>D=n^Kg zs3CF&{|M~q{DOgJ=JZn2wu_n1%$){1-5cg+lBz`!cw!{a>q8`1Ol;(ua6)lo4#mw7 zN8M#?N75O6hqD)W(Ak3F?!wMQ)evrZ5 z>qBPn05Kq!yiSldF|M|`yIoMA8fHyW{n!oVr^VwqqpA6 z8h=npN!)En$$-4UyhN|NQK0N?VQOxvS#tk>RWtp0`VeTIKH>+aIMQxyPRs=+QCs5U znw-v{WiY7iBug>Ok&@cK#Hz$JURwBbK@LRv^cxHCe#}A3xn~8PWSd+?#vKOycc6Tk zTk75}#PY$!ZR*uTiMO?Q@;-EK16AMfii-Dvag>Sp30|YgyawAvs9q-j5wG#Ds(L=k zF!~YPS`k3L0s0WEe2siy|Rau<<}e@|m(VL(Kw6tQIuslTk)7*xe+Rc}+nEe?8>wb62< z{JPEA0LBJZ>&VfZW zXMGx|R^S^rkINaYz^fXpAs-Ienfa&-$Dl{X8NV^X@CSmD zoWDkX3+vUbA{AS#L&0qTU}xx6+k=>`+QvYW?Gosk)n(>k7>%H!k{Kc-GZ$Y%cDWS;Tr8IZs6j(R|vvJ$hBiHq#DQa%Pr& z@#3C-$O70kM+Y+RJe>fYrj8tAP|%cH)4jrf!|?hylBX0B9$Wbdy&74jquwpLrf0~U zK2?jFjTDO+gKG|fJoXsfm0FoRz{jJ1cBcjr$pr0m9z6gF0-l8}`Y6t)ZzS?jSybSn zBQ@^0?%2M{PGKgW<2naU(Lcl=wL<`z3Ut+QS9@kB4&e&`2c>o^cr4T{s)@?^c8n{g z1r92%St<_G69gZOhegsvTAVU?S;P2t_e5v+Rd;t*IVJhW{S>~Ej$o*-os%|MlS zp_~#IDz%>kSau@#h4~ZnQ3oa|otH(lij?`stqpFhL&!m7Gp@*YW#-Nz$x`_6H{-jwsNz!k_3bR2ltkCw8FdvOb zlrVnrj@eJiWw9jr21$ZLx;GH~ho@l$jw-}d-wZE6C8u9T@?uo02BF@s1190%Aq$9-0X)(;5W+xOj zPWWB)yUS_%bL#a)N@8KHoLoY~>8r*>l$Kg*voMKXR2>-iT;-)ZfR4`ZEbY}L)DiOE zg}BwOxhQu17T|OcX&tH0`sO(1{LIpsbBIstNw~Iab1Q1{SmoMFuRJQ3uRqr3Px7m) zJzIPwSlkGvqT>xL-UxTgA2RhV4j{AKlv};pFStFTA9`J)wa5d$LQ0tsHZCWGbR*xL zXpxLxTQXISHQ48Lj=ha;I+2-O&(y2(sm9Zl`)gQESGSIDd_8{lIat-u&yY-yi~n?} zYYlTh>I#fW$!roDKF&>S{a2F-o_Ls>AB5(1yIJbPCkB}XuiY0_DBTgot~)9@0YPd_ zm0qI_qnd4*V`?sSMe-T4eIfeOc8rR~`pyT*sRNstTR+uVv-|~8-YVA-SXWy5H#lVo zDwS@I%&)_Y^+9fwB40__%d?S(K$5Jx3#8&BH6NYes~)fz6s4U$>r+jtgc|SF(cmJlawxCL#W;51@5oS6QT-V`@hk} z_aaKF&8NbiTbVmvjvT}~U#;OXc(_Y{$YD;u@s`F)f7Xj0mDe@(lOFeU%*v?wUKDE( z$NY5ze+*NQtP`bS$S!#Wg!V)bdYD3eZvKJe0XVPNUHRg+sVC<=cR>q>CZ)^Np!}5jlxkp4_L;+Tu4gLr zJ;*bZ5y5K?y+xM@+DZXVxZnAEq1zjQN~zQZ7p(D8`^^-=fEUWuhL2sTtQtA@Dl^H^ zNNk7jMJ$4Mg=&R+18-~tEkKIl7i|2U9T~0(CvdV$xv$-3us*xR|W2Sfo;I%TWn%0x&9; z6cE;_{V~#NwA8ROev+(EpUNH=aeb=%tl-)n^9JsA`+(jo+t6l>tB5?tbtA7GQhJVn z2<@e-X5+3TApt>`f-duNJn{`lp<)i}wM?bw!*T-tIFL&}^BaHU8hhN=y5{&)l`|^5 zb9Sv^L412YcRFndu*Y}=d;Db2q2Kuy?ducAwKj5!&MjCg1~{1V!U8IHU4eLeomJF~ z<$XP2fD)}%<+mk&XBIoh76E6)vyC;Snf3arr7XanF=5jpK+jG^&P~g}^O>Kfww12D z=I@nUnbm7?fE3huq1nCEtY?3C884J0a~#(QpS27Ba&s-2Q3)^7@}{-X)0Ce(b`x>L zqQb`2{Z_Ef)+IOWHz~45*%bNR&%LW`say%{tz=ci%_2>Em;ra=P1+5TFzF%Yk}FCc zhQ`3PyX_6V-`ks#L6?0D?(W;HT_b;mt^Wo7!O^iO!S>-a?tm)-iCdy?AC^}-NcCkf zG0p4)po)GJIO;rFKgIDng7&G*!+&PX5Si@u!)Xqq#agANcBQO65S2^s{rUT8nI;Q5 zWod?G@;PhT7Quf{qc53rVZxI{=D?}rYqt!4G|2T}b$Ha=PE3P1ZPu>ZRm-VSXKltS z9rEJHU3(0G#2bxf(%<8_f4wzahktW}?nTW(O#`)+Iq==`HsX)vtr{xq_LdFob9S5g zvl?!?Kd*D=20@XpBtC-8wp1<((GprE*t3m|j)>F}%D-@TfSg4v%2X%Qq|UhArd-k6j&tzoagG)4pF6gm*|Dj_T$}zU_OX06@p^pq%+DYC zNDxA`yTY;Y1rxPco2WGc0qD$L~=_@!AzWh##sZ2rLa zp_%-)I1e>XM&4dDDW~b4!{`0k92A@HKZ_W+l;Q(zEuA36JA;9Vme?*|0oGD#a;)A!}tW`{0UCg1h z#y|=`3K~LkN+n-xK{tz}?FV=YJQjY^39KW}`uI%^%B>_VkAN(bHfzyFf&f>MK_$_d z`yB2JMv7Hqj|@9?G{qA@%Z$n}#CDN!ghBcHZj|}5VV~r*V;H*s8{351EK9in41bvx zX*6U-si43KFuNBOTtl{^S|+AavgQP%L;d9)clGN2a4w0}o_`bDgg8fx{xCRM4vM6z z)!}DD30tUc-@;|cX_RDm{%#ggB@+VY;rsM!t?iRV=b||RP{roTZG>1OB1>Vz1)mbZGd?%$LL78I@Sd+M97Y{i8p; zd;FM^#+(JIKXdtn>=xtPH1*5FGp~oDstT-ye&!i)F-Yad{ir1bVPQ!J+Y>(WGQ7zU z%|%i>KQi}^>5h?~VD~|6JX=7%JLX#bF%36&!mM^zU?hIk#=!qoB?VFzi=qoZ~ zgG*u-{GKMDs=}5-StOMxb=Ml}%7aF@F#V|-&cE-UWI0tojmSmG?!ZgUWm=b;#{!Tq zNZlTfAGi`wTDaSAITr2HB3tw>iX$wVyC+^GHEO(m4KsxVH3v(V_xf7lcY5SvHRn-^ zEKfqE!me{Rv2coq_S%4eUSOV9;eyFSxZHwA<~1|O+f&v}a8&kY>jAvn>Lk$#<`>uv zZ{4vlrVce^>T($2cqp^PwXK2Kel!dCIt%OwtXbD`gIRA$<^^VI1MH9PZ3`;bvljZ? z?hEWQJe33Gxa1&RHCfBS{&c4VO^0Y~1S{V1l7(dF8l>3_s&zx`t-Mt!H0uC)3HbKu zE0w3ug(Ryp)ws=E&6CA{CcLfukiYk9(AsTfS`s2kD#O#?mr`ygRlVs!XG9ukFRN8J zamNMyZV6hop>SApV8z$&Hm0w`=qE2Y8K) zMXN_XyvU>ZdL+euH8RCYaN)PRuIk)7HYt|vAv0E6(A)pcX-#D@%5o!zLo|@e<;|2j zE0F^^f$&|_gN7ex7v_Au@}E21TZh5L>mIwZWoVF$1rp+*7rEBm<}-ULf^3iKvgES5 zzmPYD*?Y#hxW#dkjPI}iXy@wJaE^Q**SaXSd!4~8r<$+qV?#W45~P7|$>R1z7krr5 z>H?cxdZ}ht3K@7SMP;Slcx+~9+pB-J!hTHl3A@lGgBD_!2q?;;XGl5gY?1-0)*DPz zV@nRB%+DTHeB}@^hcCv}8GM=~EQ9(&P2Idvbo~6kVYQGg! zns>TVW$A2T$)iD@us}Uzsz2lT>fp14MY2W$okJ_~Z_VuGkL}Iu>)8#68M=M;xSX0+ zW7bJRSun)t3kh~Ro!?=I`Oci^bCAFamR<9<<{I*8Kq!@?HJ}dEg{sBx#kzIur3@XLwQZg~Wu$>mR)R1qL^3usL2-lNL?oIa<8x&dhHlC^ygB1Z7sE z{qv0HE?pI^CG(ydz9s#T+7r%Qz={i&sHwuUDf^K{=cL|!70bCo9kh>bsz~`4CWhTg z=ISTztd;Ig$CC$?+GEe#K%SPU?~p2V=Z{@Y)Mu9bt|kw1y?)JT`bj@;q?3kZ=07-y zcq2E{4P`~4T#ozal|I`htKO?U!c7J*LUaaRHA%NoBf4@nv1)a9Mt*ZA*S0i$?3r?$ zE5m`ocyAOrH->fD#T<{c^z%AmBu!d&)uCdZ2vPpES(EWeLXalbS$gs?`K-I>P+9{t z%YKJ$=a)#1JxS!KG3mXmoMbtg_vS-n;;H4+&a$`035iW24L^fxY9dxfEWx0}!&LN|t8AC9xCk=!8*7)W=5+EdoDZ|&q1pj12o zKK1T>x~s}#R|jDecZ+AZYUp}hYC+s$8>+KNLHEndC4SZ!NOj$k6c4yYp_+{LWy*i` zIr^3pFn25%l;>@2rB$NKhM`0atFp`bbuxYMCh;J#n&isFv6mJ5(toB}t zJ*5B7TR({|5G$sHvR2g6wm}n2YtUqU1ye3#;LI=~PR(ijgo@MpM_msq9Y)t$Ccc(9 zT}<=sL2#bvVw6KdZ59?fL|W;{NTSh#laJWm&KWrXub}f}^mB$frL&LApr^YmT0dE7 zw2uk$2$?)wqWicZnV#oeZO7XU31*w_W{!z+V9I>w5;ZiVjhvFc84U%YG!NGztFBe6 ztnB#+@6!jYL6?5m4N864c68$`&U0&$;i3AnD1}l{yIh8)VLZJpMfBLFPY;?YX|7~z z;M=Z*+*}cZoI~u2E_u#D(W8_KP?h_e;)ECLjU3l-tA^T|UTmMR;#W=z} z1`nwN@Izai1(wN&EC1{#0YYVxvFA73u;9#O5ez)qFNTeJcK3!l#&`7AEyVXg%zEzX zuzb^pEZ^JkP*pjoM-qx~51Ze) z12YYrRfx>>X5{y3BHc{Eo|!~B8Pt4Z?HANdoa#{Y&3LD)0fF4P(-G<^vt9Y{0+{a7 z!*h80li>T)D&$k&4VqgI(#a}SY`Ud+qCt3um#CISW8nL!y_$=0fxL2Yuq|@yiO#bO zKflxX7+o4}_-@njy(Y;bo~8C2^)=zEwa^XX+}B82p7dzsb34j{oet1cwN^J2&a(^A z-AShvx~4}X~OtVe1Or#7yB?9uxw%bwY)14IBocKe?d5vL?xBFrP$YDRTh4H?W*-Zf`YXc-I z)|7ryEe)fo`5iJhU1;FMz&`0FyPEKCk=G~LLNRSaNSV)t{V{JN_VUetX#sRE*b=En zrQW%#I=k*KR1iSV8t{yK$W{{jaZqBx?ich3t`Gk3`lDHK{;3shkkg-360wNkJpdpT z@s$k+e$(Gw{n6??Rp(;QQVzMi5x~Bpg)qEwr=i({ZXK@?PrM0+E|QbfS-Sle@reQj z2%r=Yo~THMRiITjkrl-$&65Z(-d;=_zOmpe1!%HOcdsopO)YM0g~2lPn#f@ z-k*_oJaa74P~BpK-$oI8o^Q;h7W1$}#+^mq@RE>F%+N0As1foZ}o`f{hn7sGi~abeqVNC1&{3lna^fpti(Gsyf;nc1IFj!OeZfCIFBckul0v0ZL`3t8)&*Bhocbs$(|3Z%F5{rk) zwZ=&^VS_aaq;H!;T|62<;)k_xUeVhFvP{2%Cdxn!MwGg3ah-qiHS_|hEPzL??yVFM zt_Hy1&6#rf1s7<$Vs)$(dD?*+@|&)}%swc7}xczhP2W_nu{-CUuVMBZw4UW(r& z{NVZK^L9wfv+XS3;Ey=Y+Uy4--QCpYsZ%sv-%R3bNrXobqAt-HO@;6?O)JK5ZE_nB zPh#GtsVhgcm-Hd`C%L_Ve04tuPB8yl+ZQ;ep2f@|<30z9t4*_~65Bls_6|Yv)08c{ zcnK+ItM+=c7ffoCylEAGbmn}M_Rj&)f$13sz}~6$zYzJbPk{IU#y^9eK|V*~V+8Yq z2=oVXmy0DPa{5ljy+9M22GtjUb$-lu{Tb2uZdtQ;W`j)hJFagHic#8P1;h<~uq8b4 zxJjN>8F=@Zw-Kf>8VOomYX)4ew66B8b?`Ynt|Fqe;-XMWZZ`=_X54PdLqP%ym#CrY z+J40vi^6R;Fc&2tRMKt9nM72a6xWaSgR8x1Pd!=vKo*rY>RV(TYx# zdIuC0#2MJ7s{%Edd`Rfx=Pb0vtME%@tv~{cMQx3mW}r>A$}51SRQmG^eeES*R`#=? z332+cS=QtI!pd8p7h96_#`2JMXT-Mr9&WX)g<j4DAUZ2l6_%7!|I^`{lZtXo|6LCzY$qv8p* zl71@wCw(G2N4*|W@UM1|Sa)y(EleuEm3w&L>NN=>!7I0l;`(k~a{7d%<6q~CO*4Da z)r$q#X8}9Y$5&$8`;qpO6y>^oK;^IO7YA6k!`<1RHL^{06h6FHmlD~u>jcIc3o#xS zJ4y9@556DMUjsb=V>T95Bxk<99dx&G6Oel5-P&W^ZU#o4MBHp^8CFq*O+L?+WESL- zEH!B$QONR#TWWeI-prrq!wb9A%5TRADO$=9p3LX=N$krUMbA?t++bjB)as*gF7Qx} zE0wF#c*A|$^X|@*0T`E3AdkkgC#ndh*Bw9ExSk6Y98cs?GJR~^44umyy=VRFE|aFa zpfK@1vUc?{(IoX6)I8UTX6~%T)3h(G{VtrvYPrnm*GxCdJ0i&2b#uRI@(DB+61UsR zNp$IIG_0#glVe4bv^X1XMLueZLc@e$kkSXU!5Y-4XnbemzcPHX1fw^)he9A4Gv!Qb ze%Iqd^)kza8&VHF9HXIaNu8ef=b4mu1~&{-x7%Dx+Ic&iXMknS6Lb#A_AA?Mo&<8l zQ+{>xjc*)6Nc6t*L$|atHGTF~{*5%I6jz9eZ|H+;dZ>HH@sdW0;As47iA)46x2!P! z;IkFUv1Fxg=*fB4bU0TfPUOX;XeE%v%$-GMB9Que^jRZE=2I96>PC_MA4gH)%)VmI z|8*2K-R#R!HX*(+EW@>w#Q7%&PKke`FjWos^hj;pX06FvIg6aElwI4{4$tj3pTgFIIPN7#dCgZiwv5i#&t<=uAKN41b_+i+*sa>Y3Cw(kV z^{*8duFmo;G&w;|QBqA1cbs*gT9>Wv81=3p%^Uq>p&Myy*YCbjpY<@g%*E-GNoY?>9=6Hz|>r4$H>1{3zeZwjCN z6v*BN!;20@rJ)Q$B5#7!FWRFE=mPA@VXFRpeU<~c^ac@%K>Y3qOgWlI0PlFillZGd z82^LEyF0IAH0_vb3-~8r)=}n z`2tpx{VT1617~WbMS~buzmcG}j`ONsUXaP!8Uj5ZG>@QZ(@QqDmyPaQp++37o?;m1 zvgRQtNCh)H^!=F&oRxI7{?J_U?{+6c1mxN|rq<8C`OfezQp@Fbxv7k&gj9ubpxpV# zb5S(%WYI4&4ycOQvd>nw&v6Y=*jeKmwg~1)>A2WQzwC14;K$;6( zgCVJ{71f>DY+su0saHkkOoa&)s=Bnv1*oMTy81(ZlsSyk;5BCRT( zJ9hHyF+0#(P8AIE%?~aK1eE8lltj1n5jm)~=KJUz_E#Mi8u6%R=${QLFZ}=lvX`t@ zrZ394ObNK;)A_(JV=(8xE^qT{3YQ*Wc`eW-HrTlMU?$EqvOdUL581%pg* zN)ga1CTxTnqlv%B((pxd{>i4s#=?Bf{yF@66GT+tfGOdI^4%=)@ka94Lzs7R#9q+f z24xGn<&!oL{5F*#jxT&%(*YW|#++T2&s%xf2^!-)aZHnkHsF9KZEnc;a4<=(SSdM* z*FXG~{=-qs2K!-DZsN@rVYk6g2T<+73?8zG8}NJ0nq)qurndS;rgwieTeC<@QO0K5|2pOl-q>BnJ#!)7=GYgH_}g7;mdu`;FYab)p8kpFrfX#w zV<=ko1cxn`l23l~gw9K4rZm4E-DoC$QTxDW_3)S{D}ym`0O`-O!iWH{QSC9CQ%XA;PG{1h=K@L;*4 z6ux_zEL@&J&WemrKCD%lJGmC_-(DVVe*KII|MEC-(?~_P7AyWPz<_nMdXCr2gZ;hU zBdRIi&Gnrxwmp1MmnCABnJa$&_2|q>;l;ZPzNJtUTqk^+)6w5ZPvg+A3xg!BP=PFj z7N~20?^y&*24qbLgy4|z`Q;G=`Kwjll(EvU6v+G0*eCf`lQl!@i4Yz2HRtD*EGBb% z`a=T+u3`wt83mPNdpYRqNmo3(ogde5P74y}RuJ9`U*KMc{(Cgs@@s30OvkXV&1zF2<)5lK=Q7Tyxch7X(FIE%&>54 z4>bbpKcf|f;Oy?;@3GG+b}G5Qw5)R5X{ltp8EP~6`B+tiX|_@9#yufpR;Q@R&EzJ~ z)SD#+@%G>~9wwqCZBP%5GAiy>QctGCSG!9mk$kxdTFglC{^%eSSs|Q{|U@>Eh4TT%2J5>%Yb^48m_TyDz4Rk9Ng#XYmGbdutfWnyKOk za)-jY+Y9EeOFC$&gySXS+l0PXayLmhXlW4fN8F74&Ub=y#tvQH-k12q;&v{;1<)fr zzH3%NazVdQWOg5f`Pc>YhP+~n7+t=)6wa4lvW?37_kNYJeC2^yl4XVfQqu>xbap`w zU06uU@6(wcsfM0UP%NqH=`SBp)TUODGR5g3?wvdiAq!x9-3o2PVLL;$P8mab(b=y< z7Mgg3>}B^HX7xgECN|CC1GW7zr>oc;)y#DZq&SNIn2|dz4Eqz;hVCQjS&GP*I=K>+_MHL+G zV>g!$wV4bNe#pL0(stgfq>faFKVUL4vQ&PC&3Rh??&;tor-NV89StllEN@DRIMu#! zIw#=g9cIQ=u&(0T387sA)(l70PCcvd4YWqN45K8&*YX!855CN5r3#|ac%!wsYt%i& zhMnmk889SNo6mAg%_37$504+vw!;NmNJZXE4mom~GvUah%6jx2i5JIO%~Kbj(7uE381%0#WK5asPlpoc;xZ%Ga9+H17hpA>JvSR^U!W0fuoUc2%~NBkLz z?(!Icp+SP)r|iuVdc*GK9hvHpB<+umz-tW`xz}(7hQ1F6ieEQa(WhLuM~8fiEwD_gu{rnL_Qc| zQEyCwKUuO@wM-L89lE>7$hI@w2nB+H5nMF|=MbS6!1LKt) zhTpogHN@U6YD93%E0Hpb*`GTKdj-=o)!D}VCBl~-PL0-5``wifC+@wp@L&9BevIA1 z-xix^mRd2L?_S_|P#C(!?vNRWd89cU`_hPi@eTf#dhGAtD%5bgcJ$Fp3#qP;Rhp*- zz^#Pfh21}%=EV645!J|tr{Z1!hk{0dip=Z8!z*vT0Z-NpaM!e$&+;i!>M-R?aS9RT92_4`JbZbAFXYH7i=iIAL;uku3ncevVWke^2hlruh@=hzc{duIak(H32d_& z;8C!_AhbD^Oc32GxPR_SU)fE0wekC*y*u%FG*Oe4lv6D9-l_8wms5^2g^OMN=i9vE zW_SWmQNO{Tz1D|>=U{JB(lMw|<%Vp$IjzTzt}SrahCe>08!kZ&*<%p^6*=EixiylneoMiTmq>OaB=-9Is?b zgXTZyah6cB@&DVhLrn1>14$fdyBU$eq6|Jpso!V9zwLqldsqB#|3)zOrRFVu{q}}$ zU7-+KfAvoR(@~Z%i~g9TvH$G{`_KQrqxSU1{Kgt9bZBPYG6X*K#~ApZBjmsNzkG4`f>dt#J$3^YX;-Ph#LMGPg$4iflmFjGz~ZBiji@k~2Q%xY zQUgcyzx8bpPlQ$=bVl|(1q0m{U}Sg2bBUuL{Wpv7Kbv1gm}Fg0lk<9bYDId4}p>LmwH|(~ zIf1CB8uREY+G|+XUus1RR?8lex#&9%bS6o}f==W`#s;K~(trasc2!8Dx@}$lUmnJP z_q#)W_YBD~db7%9i;IxxSTy)k>LV@3_56eblre5%jiu>uu;*jbFKkyb>i=)HT&1tXlYjK839DtYktd{gpQn8jOo zfaQ`;+?0+nKzb&rKuHS_L#Hde%I^7S5 z1Q5<$7X`%1^S^D0TU5C05mz#WWZ28Rn`TZ3sY#(_syUR%F-+RJL-eoD_$(wo+7KF! zyWp7b7-GUMPRU8ogzxDKBC`x)dh?wGLKGs;zailbl4AO7_l_SzHoW8tH6eV-70xgRv3 z3atv)xinY`oFywmj5vtM8y{1`btP)EmnwYFOtAiUe29*Q-`W3*LkF~l23y)5j2E9J z!+1cVWdw?)?<41K{?+vcR4m4Ke%F7TS^I%`R2qvcdC-IEJtsl=ccjRdu5>UsgrSc- zOaI@e*Z=wRe0=b2=@x&|djVhizhRxOyh;IRW$+*R=KuNA{4c+u+KI1El>Dwu|Hb9q z?`(lH{0KRQ`x4I`hQDE5I<9{6%2T^``)^4Q(qL7J(!NGh{tbEROR`s5YOino|Nh(` z-H!d1kOxBsINX<94Hv*rZJO!ZWxn^{psU*^BxROLrkR% z(gK1Y9fP1SbTc3#AOg}|BHi8HIdpe7(lyjs<9Y8n_ug;&%SL|8thJu!pRky@m+=-x z>mWqA&lykj;HwKTGH@4OqT_;udaxGFD8%u0i-L>1p_{Cu(6yeI_0{92aq5-ySxTV} zkBagqyjtbK*EVC`S^laSeHi6Ff|O_JsD7@Y z+1v+W3}nmA=4s3SuqF;xY)5)2>D~`>AQ~=^?Z8``AE@Nu?9COxwL=gctj$|`lP+5IEEYFcX4QvH4 zQ}6~V_ZNqpv=JyP6sk9)T)dezs2J?^zqR`Xx#K{*Z-Gh#?-NwZD4zg5AN0p@%8QH5 z-iR!f)G#`rFW^U&e<&aE!bB$IKmK^>8mCgJ$f^|F^V70kMqL0){{H6&q(PO4gx1kg ze#_yTjbD3P=7o(d@XPV#CRX4)VUEK$Ti1*=-Cmjk)O8>Dmtm;+1eOi>$nv;P zL~}H&4+fLQzflK&qzvkx?gnmbvayW64glfa=ytJ(C$Fq`58)P0==%cQqet2h;v7VL za-y=bT|npToIKx#+itOps|SK_BF$r>6nv*M0yu6#>jYhiWdhimiLZ+^M-3DDK5~|W z5|lWUW&Wv}a&(=$iPjU0frd`dSdiqr>|aNh{{2J!K&0v>xZua!8~Dd%EFd$*4_IS_`BzBw7C{mmBD|gYLiZ5#190y*-ZjK>8h*R%)xR~O1izDM z*3(ECt()}cE3-g6{27(T{T-u&p3QCcXNi>hXEM5%BUN(DxeG|Ma!|5B)LZC+CiReP$z$OCPVC3I?sPtFMBZcewCuSCFi2`n!yN*?Hsq z-Zo{Ik|p10JrVwk2AOF?>2mYjZY$MOxt}Ph;*rDM*tkOBnoC2>QM$`={^Rv?<(uBR z^Qla}A)qbs%EczP!2M{`A(g|V@uHM@Wn4G*b^MoOoLPC z>FHIA66a%<&l|^B@j2@oQ0hf&q%d_xEHhSgOkK&b{>#c z@-kD?-S#@asa-Waf~iacLJwNyAjwNzg(I5)(c6~B+T1JZF! zWQ-3>@P@~O9DeDghu={Wc9d6=@0g!8>w0G4RwK)rlp7N|`XbC11X7S@O-1xxykZ6U z6*UiubOu=~XKlN`dANt1EeCM$qa?s&`P>_bO%8RE4c_0Vs0<)?G~*vpieV5)T>y0w z4Bc5h`y6|HWr1$Rj_XU?^A_5h>xB-tz*);cg*=YzJmX3v?#wEP^2U??=maDK#G=Y( z<+-0l*o?%dp??SaSJ-A`F2%~G_EHHfY%j})lZ1+3r#t!KF&g!(q!mS7v#%Q?%k+%K zb}CN4+w(SAeJ3p#+K(i4;gy#Tg-irq*7)9Rrn#DH+z6z?;?<*a*3>d|C(L#t0b!RX zmykZuXFB#;GORHfBCl=g+|}@p7D+c|1BK%-8Ma`WPkTnnZl3`SZ(36q`-}LR+z%>wI<# z^^Pq1C{3DJ<3-|aUX$^7yCJc;!+Rs!VE2bNRkNK;o z`lji{$MZcD9q>m$IGTrIWu?@(rQ29?$A0AA`(?-2!t*lMAv4K6)k;#RWkn$OUX8T& z{ty-vYAk3mDZGC7w?P-(<*L+#m3Kl12jmF`MkP3TlpY_k#4ddg!$r9d_GXebq`&bSdu?ix8Kv_P&fEER+E1}o_VXOLN9&#H#?X^ zr~x@Gk>vo3<6ft-FixD&`>0;R4I1ToTHHmV|0A4fTKW<$vR4)^_u5?f3m58dA5xk# ztu}7?*3uCc$2>JMxlsij4O8}PmLUb~-I5fJbs{*nec&Zc^!WZ%|0M(*+&=K4<`ytJ z`jyurJ}v>zPUPuJk!jRIw{;0di4bJ(kq&s#GV~igx|cO~zkVSaG+a6u*S4}eC>Fa+ z{ix;o4#w}L5vcMdzdVXW$kwDn;-Ms;$+Ny37%z?(ugR!-i9Zo4Wvwijb_NJGyRVTG zjr_q7q}iW`J-~OK`%HFmm zc4M+GEpqw&&O}n#c5`?tg4qcZ*LTvma^&`SQJRVR_vr&g@b~F2voQWm!mkLuCaWc* z6nsNp#XfNNC}dR&em7MNFUUDQbu5e?M2;$a0M&Y|#tdDR}@6L{y^y4<>_omZn zbC2|5D&l3t&MQCY^HV9^_Vq#Jtx8SqToBiGC;9%6{arh{rInpk0vh9y_Nbh042FG0 zWLu!yiUW^He|2988evv-Lw`#EuMQ*G9~s4$&mlsnTnIfKFE^m>9ib{`$+Hz0D*$!K zFvC5{!N;e=e;r=k#7lm)tQSg%#R4F{3;5)FjODvWfas!_9xOa3Qum#^=W76&JL#JG zt1Pqp0`Tttw=_zX&+TLRMpeVj8W6VmRfE53jd~wwFaP2Q&M2KbiiePAE01si|54i> z@VJS+8~`S;pdX+piyL0y34W`1R0H6;Yb?WsS$eM#7-{%WjUe~X1QR%_SHn=w322VQ z)N>k6;Q1Ic<1uV`U^n!JC{`s^dhGjz$WVxivd7RDQdhGs#vH4u!=fkSH6UFi);L&f zJn3a8sG|Z|Ra97$Ah~bM(m>JlIV5{pkjOhHya&JaH4j_t=ixL~{49tU_uuv${p}9Y zVM3)(ZD&JO`JB=_kKgAf4tta}D89v+gwWw2|2Np3^Y*KqAM-e-Ll5oZl^ZlELBrR{ zD0%0*t2s2@V17^XRc?M|yTnxVyyrl|aV5r|&!76RRuEsP;4wXu4nC0x^Z@pxq*k7+ zeVvSXiK!{RetBu9SW`NCHA))gXO7>g*P#)|dR-$72hx*n1# z|DY@g%t`8{sw@NwaSlF#1$Vnru#k|sCwlBo7Ow;P=SXgWDRcs?39Ir`RDd@xNzK2u z^)w^VR^dQJs~s&5qcCk$F3IT5O0YPrNKJy)Z|>gDn(lChc<}Q|4Nm}(MB<+KUyUfx zQJ{0UmB*8D8oc_$-GDCwjN5JE!1xviu0qZ!^Cdv)C^ytW0Hjy*hD_AidblGBfW>La zDSD^@u*Q5gfSNn+HpEAlIuAv$gicsE|G+V;tbq0YTmc(~1);wCVH&#)>K!CI@!UOF zS^)w#$&;eJSL0%O=yL|%IDKILNGKZ-rJRI5uzakPF<|`ZI1Y$g!To<7?9x_tO5^%U zJXe0`!Uf7q+5j|dv7o(m=(h!*k*^xN`e5>2<-K=%OmuZKE z5>2>uS&eUCB!B*Hz#Geu(R;TsE+H)PSE6M>uY(=Ssiv_ffELAs-RF|HBR%BO^@o^4 z@4qI50=<+CF1R?aa$4{9Rmw_0h7kzYs(PYZWzf}ACN*43l?0kjzR zSlk6?DQNvWf4->i)e{D<-kGWAYtTYF^6@Zy~;EJRoB9*$e$5@Nizi0&{ zgeZbW+>y4wG*c%n0!jZ`z2y2!*C}J4Ha_nA$u?e6t?3#@dRPa2^+Zu;gU)XMoAxYWpAUapn=2sJ)W1#KBE zqrZ>KV?N&i8yn$_DSW18hSDf`t?J0V-;yK*{hVXm2Qu@s9-{==#$CQ$=SQ%j(D@BNp+pKRf#$QT=3SF^xMuJg)b)=9`VL7v1_ zR-xgUx>lijN%z#WuaEC-h3S-8U%Jt>OqN(V(mPILPC`RLD@3og{Bz&9(dV_UPmC#z z13pJ(!Y}GguO5wcW{eQCfS!z0=*V^h$LV>ov4&^bM9$14B3oF#{RK}I97FTPy zz085>ldrjWi8~uw&Z4+wI2*R3bNOF!f(7nRzv>5)_(cmi4SoyRBOE?22VM6j@?k+Y z5*_&MrVsKzFVCJ2W35--A!YD0sErd-0^-CzY)?Bp_*Qr|VZ2_*A*LU`|9s}|_xg4F z`2t_&tdlZ+Mv6?(ft3{*hA9uA%juS9)e>Hm z*$3`D@#>TRsnBA&Je&#&cw+?E=v=ad1S*hQWD1<+iq~5D@fH4HhzoarNTr{)0Q#jY ztr3U5WH8Q)V(#8VuuRWmF?$}zFQno9IdnKiEz$D!l|}zD!%@A7EzL*&rv?fKOY+d+ z?oUDN>HWkaf_sDpMk?A-lDY;@pG~e-yZw!w_dF`-Jpi0)tYyWNH2T;D2WX@)ned5g zvQkR&ymhe~e2oFs?ZL*%pHVPO@*)ldCe#|bF_4{MjyK4&=iMkfje`1 z+|kC{u7@cz1`xKBSzAv}zcqX%I^3>)M*`MUzvkrN+)rpFt7XR8GC~HugSdNtiD6Uk z1T<&Gz^-zxil{c#E_}M{f}i8}Wr7O=YPiH@i5frh6}`9yoCCkJmTC>q2X-vdvk0b% z9kvmyt&xgbM3ldFS&=l;ZoF6y2!A-xRrDjM`49YR`Ab)fnpzP$1E3>aOJ0bukiOiT z>|T#C{?%QR!1@cTnCil;1CW&Xu_y*j7((-3#V*LcFjOVF_~C`3oXmxjiwq}Un+EZX zzg6OrKG~ZQa8a4mtLy}_W(444AZNVC#60t#`wY1wkuQrtuM)Qeauz@gP|&$sDTR$} z0s&Vj+<}CN|J1lI$@tgSv8#Jb%k&ZVuIpPZ)i;?gMjbtxWG1JBF&J7}XIVmbkAVF) zHF3{xEz72_lxi{&-#DB?dmAw!*-4b$_&>FA)8-Zn(XJOrzRqZ3@c-iGYg@*X=V0`t zaB0-=lW>>n)L+4wXjv>Zh&wt_rB*wtm7Mx+Ib0hPpcU^0m*ZSdh>SjPy)kAaew;%U z$Fy&I8;|Xp57nfLAv`=tMmo%tp#z&oUqm~DvZL7*Yp#BtMT0g+G2IuyU7XdLar6IV z0SLsQ9My9^idfCCf-`S}DvsKN7OZe*5Vi9TaV*k@b_Aih0DscvKB0{S*&6W0>AeOi zBYl0n=+ni|H=GIQ%w)8#tC*eA=gd-r^0Fjk+kwE_?26M z&FH4xpyWzY5kYd0aWmff&9K<%s9JZaI7!r6r{BZFKtlNJ778I3~= zii-YQ^dFySz(<&dNn;nikKDxb8LKj|LuD~w^t1aV>R z-&=CIKT992V}zpr+w|AP^Br^eq|GPsx>+*xj5>w#5Bb+`HA)^Gmcm!na^ftMrt|R9=Me=(dIsI3qW5RHJr3Vq%RE zv+%9sssnS%??Q@^&zTy2F_2Ht@7!a~Nfr)_D~z55Z5aY)ttkbYV2f@HXrIQ@k`96} ztoig$@a_7Iwj$%TIJ$UDXDfw!7nUtF=R?1^R7G`G1pTp`>lhF=g8w&rqWtqy`{qH> zK<3_m_&cQC#4iZ1rt5CSim!}D&tJlgI2bx_jf!OuJ_+H{t|s&%_K5ws)^VN6bt^BS z41u3{7l=o#t=c=B2G4CSUh5Q)Mw@e{H225YuGQ4(we7RN=#w)hVub3pwxpN}vO;=3 z(goBNJO3>kQNq$ljXnJqoqF)e^TmKFsYA)l*$e}oerdrMAHzziI%i)DHy2!vuC|I| z(J82(@zYD7KAiz&TSx8k_5c&N2*L!5omz=A|Cdl!nm>A|G2Y%wMse9niT7WF*OyLE z-SySFG^Fw^p~e5M?qbjQ*Tq8!T3lB z7&^3Gfpld2Ff7*r;LI_nrj&+Qd&J)#{)O(@2hEjP0Xg~Xo0509t_FUjwUe66-fPVoMc`Ir*l z7qQk%oUyf9pb@l+oE*6unE%kEtwDB&q3LL&YvI+hjLQbo&3nei&i0qR9rKx10_MB4 zD(yo;%xh~#_V%A@1~x3a>_t$fv%AK9t@Sz~7tm2m7Y-_lt&T41oNR5wyI148rIcQV z5+B!I97b{t{utX~hdf#L_WO<-7NYi;6d%geI?5oL4mr)%Ue-F@5~QOu3FK6V%e@VZ zuRUvc4p$$yq2Ec5sZC}t8=2mpbZ?rFLNVPUa*eK?%|^3^Ja6QPrq{Q585E`j-WrMz zNfD^iK*_o_6CAo9*1^m#H`*ic}xGCQguyUHdDMyhSdZA zi25~c1$kn^e3V)?1T&^>8}G3WJyOX3wn9ZKr{9Wf=kcZSGjvyjyBPp z@Ycw)g>m;z)ncTiYI4nXF9T}@E5wEG=L|E+7v4t8HvKNE;e`zg%8y!vB38*xOu8{f zyMx;m%2nxu#!|K0JnHeeKeJC1gRz-Sm9)4ok zd2N%+ z@Gv^=Z}M7!Rkd4ss^dVjjokp-)CW43zgWjH!aV3#w1`ief8^E64t6q3-E7vj2)MA5;>cAQ*H3Z==+E zN|7(U#fd|fPVP`O*2!frb5P#)lF6}G@c>k%%c z`^hfru?Q52mT~nubD8%5XdDE1UaW5|1*hCYYYL^6S*J66gx9JgILj7b!v=~vp@ zerX+?4X&&eh?E8IdweFw!?FyBz-#LO9w7xyXYJQ>sG{!^JJU(F^a~e~ZB=v+sNF?#`jJr=4v02-;Lp)yH)gpDeH{B|4l<#{jofxEV`fw)1 zq1QzNE{q$bNwN}?1KE2+>qzmTM9;PQXv9a9Vtv&PaDL{r!^O%r7haG{|}XM+R&-d*AsxEkJhc`iQbPqCx9DTkr{K z-e?U}{kC_x{mf2Ez|k^b^MGMo!)E8f*4t4Mev^o5$LMt26^Cvs!X_3lf>9on7)SRw8-tZz(+&J+|4+tdlrJIvzZO zQJ#?_44!^6nUZKJ{ytcC-0~;?hBxXS$_k81Z@v9c^I&JrX@M*x94ry zlSTW@KHkn`i1V$g=OjsauAamdd|AKo13v!W%wSv^O#B*7U*9ynOzy)^S$TG(vkOms zOC&R6$H^O!!U_A|?&b!h<7xLB@}HPCDvTMQaIfzaB38Z8<6O`O4ES|^J8RP{iywQe z^fyO$@P;dVG+3G0pR1hom@-~%pL?(((6BiXji*#w;Njl&a)Vp=&w`FJ@db)Jy;SC$ zM-i6XD`F4W0d;H&3Np~q)0oJQTB)jmU95MolMz$?66Nc&J-R5uMx(I}2GpJD=0oG9 zCllMQsG2}-GtDA-F5t51DRB5X5QItKvAcsx>@ z9{$w;D_0MY(AEd=pE!~!LmqVg^d+fh>=^urntJbjK=XCD)Kc+}!aHGe5a7~13No2| zU(reF_Uz!lc@T3bTS0=iHVZ-)uZVj(hA)6ilE<61#in0qgO#|aMU$n&At!I-^nmdS zL=>Cd9w*EN+od@{a$wf%IQC=<`n%_bWK|#UHhjl zZ;}PgzP%h`+((ruw;;;X0JUkzh3~sFE4%pm#Cl|hHdr+5W{DU6@po(0J@n-Z?}F#tbOs6#&cjF>l>u9seVnCzIK?7)b8dA45keKY-eU{FUb=aZqv(!e9(n< z^x{0&^O|<2b&Eoosh(Y(u%GM_j+B#=9C$(@wa4U0E+zU_9BzW`;*@*)s5x>6kGR{G zHKjJmb(@LD{o=qkjs7J20gitOFRNKQm0HEkPgcQHpA!xx2{A8-Fk=NQ-QJd!ik+42 zN{;BJgfkH9PzINZunPd<1L7Qgii}EQ3={X%$Hk30uc7Xj|8AI5ZixFq$lz;yTjtl2 ze^{ZQTO)H6Trgjb^N_qA6dfJ!!T2L(1m>OT23?L5%4xkQ@F99Pa-R=M;++aT$YF(5 z`mOxN`Y5xw!<5}aF}$9({=J4jDMup`miXkWN2>sdV3{Q`-O{^C0EY6!8?P9PT?Zws zlIE?}KxvcWZwN;QrphG8D=bJ)ewAyGE4*D;w-#i_rGTwY>qgZCPS7`KJ?RgN!AImA z%Vj%Y^a!jojV*K>gfLsat&NN!kTd9+(b+sF@-K-PQ&iW=JOKmG50A*qwrPzXp%9J? z^&TC1r9gHCf0^g=^eb8JCx4j6WMsSi9t6#YIW#CsDA6MsCAg(Mp9IBZN{KTJEp$Y@ z=Fabtd5VCA1`BVk(zGmDWjEws2By=k(rP5jjpa*ewR|ZRfKnhWm=xUP`T7|y;r$u9 zXGuA%&`Und=v@}IK#GrZXI|=ol;Jru5tjWJYTc)+(ze7$WOx0fec~VLK!oTZj4gOZ zL0U0j+uBDpe(fV<6v@}O9&kO0y<43gRomEj^6hdU`flwt{JMcRBgt&}eo%4L;iDTf zvK|_D-|m;0$ycKA%T3AOruV8|KNbjWZhkbtuk*QsUFk)|9N4(Sha?0e-j?DOI3kr? z?}masB1(6-Git!LgVI_Y395_jNJlY`f)m(iG+pM2DMoAP6k0(h!B`noBJVUQq zWpB7x{-(m{WBd-ImC6yWGeX*Bg>(+}c zU}(Z{=B@;~3{wH3ME9faOLPl%mD#Z$qiwdcw?`BhuV_2xtyF{^$>4@ z!+X$R(cgjNpUcr-Rsv3mkj&CsFk?mW`OCaY3sy7Qt5!uf(kG@w_N7zZ|k}0dt z$W>B2S}bD9ld;9{o&q-{i^zY6fNvH6*hl^p5ZgFMeABnZi7Hg?D9|R1u^5r>n~p*p zp+vgYI}b>@8vtz0c4JERkq|^N^1j&Rz^2rt5cVbEzgH>e*hAb!J3M<7vX$ypb}lhbhue~6pBAm z)1@eK@nbJ_y1A4^+22FyPou-(c()-lRekw{;*kmiJZ^c0^fMx}Fk+CZs}y(dO%5xg za$s(FV0%Psq{h)zLV(9y>vjRw%+Q(I78jM)+o^ST&PW~QGbYd6>Kv+oTK!9 zhR9p95A|ug=cjJaLSE$Ni^sZ*uT!JlwDj}xYO6>VF?W>>Q#(D(`{Bz^k9!#ED-SNC z8UuadJi7wBzS2p4Ebhxmcr^_Lfx$WUMJ^c>Fd$p)DQ!PJf#6al^eXvyfRrvfW3l;r zmxG0FIr~d7pU3Zvq***hWkgBe*n*;p*d&7WEUl&q7i@}DLMdbwVLM^RitJ3rlS`X zaqMW!_9p80>$0@uMCKh-Lijz**Zv6poY4zY8SE1HavZVkWZ3klpLv zz@REFrf6BY;P^kNNdLYjtHma-sr)}x%@HD-__jbkBIa_;kV!VJ*Cfu5jdDnl=vr(F zFaMwg&npSPh2||Rd7e&%;{{|TkcaSO2{_8*HnhfQy)f4JTu;o7;s9tWe144hqz^w; zr~DOE$gb67z6u0M9+bgu){k0H+OUU1do9kgLkn`h4Bby+?Bhj1fE@x~p4HG42wxQR zik^ldhu-FhOh<@J<#zCsYZMbEN;3Tb zNgD0#MF!*Hu)|0G8=-r8H2FjwW(s@!C^*tQi_H(5s3@L+w6z7|Mqa8gI8>pUZUnhK zGRfshI}bNekSMHmK5Ukh!;tMVXT`}bsp33+ET4@kpIX;C&1NDN@a<<2D#%e5B3-(j ztk93LQ*d(u94yZG>f*~7gZn(K*gPgXtf)1OpToPMdHSI^ygV=%hSwQXvidUC1pnxz zi(G|Jwvb_FVGt0^^mdH<6`<{gz0cxQVGAJtE%<^+pc~b{X1eSjfI&nX4Ir55SDgib zZHMEwweA;xDf<0d>GNFJX89FUdBsE8DTi?_27MNkxEz7<$qg_2M5ME?IQ&O{h@hcg zgdF!oxVH^Qfhqd(hb$Esr#8MrP$yJYi*Pg`I4@JD*FQ8gq%3>=RYQ#LK@yFkoT%zS ze4MGAsQa|ewyj1whZlG|bFR-eoFVY{y4GQv8+1r*vS3);g6hy$` zJCb*-lFvY^9Cc2i4inpFVI{0kC@WTBKw#t{5h?o(oIN7gFgIsj_n5B3+<#F>% zC;$eSF89^Bi|Vx~-`(0A@}%IZXN@ZLi&xybKcufl$qbjb&uy%! z_6T4RQFp%kks$2Ovfr3in{qItgtug^+3H!LoR*+;LZ!x~|A*C$RBr>BH|Bd*8Eqol z4t+6Pmk*;V*n%J6^aLce5r{F(o^P@204P)2SR;j*e4{qWmv?-$3h|tDp~XA*Tv*dz&D}V~KknQ| zoYzveUo6FN=%|GI<`=bKqF1gpr+6g*R#)%R&{}W3NaaVw1<*D2{&BFs06|)Ix79Z9 zC@;J}wf%VN_^$QbaRMvwvo$^r_E;LZlE@$2OCZK#sh@)ZLm;b(*4TmdPo@mUwA?GK zz-PIF3XWAP(hyN{4-0f^NiCQl>+9Bj`R)1CG0h;HJ$&{MvI4TtOdVB*Q&Ltsu7pWD#4Fm%Eb_^;Uzx}##gkUjphKQsv z=NB9vg3SVA#;mq6n<0|*A>Mk9mbgH1Lic9t7!^`tD>(%;z>qt!H=f!rGrLAVVXx$N zs+LuQ7>J=J12O`p`3mcqDtN67Zq8SRH(G+)>Q{0}=(i;``G34aAnk&W>?IQm1F4f? zV^q|{{al^oE+x_{rzNePA(|4&a)Tj^^0?C9860NtploTL<`Ey%QO|JDMHW&U6Vh|S z`8gKf#8Iori^gJ;aJBnw2 zvpqyFwq$QlC?Xs0*gGwJ<}kq=_mNO24V7}`EuNR$@`7+hgPgQ!BGVU}#0V@(sWR9$5dqK-7wgri-VsI*=3+uyZZ2{*cbe9H`@dj+bJu zc2b#A_cjeH)L~1=kTC;)K|ih6Xu`iRFY{w>@ul2l(q~*L(JLdlt?5&RAeq{p=W$k_ zMUkoQX&t;}1-10LW>o6YNAf3j_&51j!LXQx9CzYyIfxE-xNx2llDEB*uch#_K2wS~ zqq6AClwMkIOYhoBVR+!>fi8W)$$2%i%Q%w~!)A*{W~}6F*&!0&O?4LsD&yDto!oH{r|J9tU+SY=3u;^gKoRf4g zcQX7Gn(Q2a8{3{I=(fMU26?Lal_O|KKM0x~L^5iZQ`@V^ZK!YD6sqwtsXrPoDe9Wa z{m=&p!-g&w+>$+|#mi5+m2q!Dht^i&IWQ~g#hH#~sa#r3J{b-AMMnFJLOVi0Z@wh{ z*qQvV)rb0~-$2rC#ed<v~2EV_~ko4+o?!`b)wuy0Dg`*E+0wz#n7@n`8 zF>R+nEP{7L!R7s9QXwuw<;-3rYSW!tl`k?td%}NzDeVjmSMUW-g4oT;$ks+nDSJuM zw_pxeWYs$-ATM5(-D~D=^zwmObkm+Y(?Kbu`%SPhS9BBvyOvg;*$SrfM6Ngxe9NYz zWTc(Yo_!IufO!l6k2UK>ev0Uo6|^g-hAFH{r4V`W3I`dwpAr{-U`}p3201ZoA+`6^nT?5}-jWDNC4Wnf;qugS zaW}!{b*{x40R=FvP;~iCP=sY^myKFa=Y#O`p(Rhj?aNT&?OY5)0^@LB zg4^Hf%W39iaKsXPled+&(#H+b$JzV~9mUf-t{sK=Ck@a_!Sy%OEW04tqZ)lEe2?H5 z@y#sF8QIUGcJM@kN8OXGCBP)^iB@zRL5C4)G4;RzBf~bG)VNyST9varNz`ZD2T78g zidy5$WopYR^mjGwvi>rjk--r$hA#nPQl(+5s`TwS05BhzwS|#rB=-R3$-TQVn31tipa}I_g(-14C zFxS3JU$qJ$Dh2;f*{3FdK16@oJ?{Z`*eG&SPcxdk|C~8Yw8D-R;u!8cs2r75B zYAHqITP_VcMpUBu)n<6fj z_p-Ef*guIvt+BX)>|fBAO=EQ%5#=yz z8lY{k$Pa>;?XLDJKY297K0*#U;-B7+tAkbPOkGCS%deGx={3M#1W`lBB8|RrRy2a%TxE*IHJ$)%vqgd#O<8_)#JWMKh9tVqKjcMzL}rNn+#b zP)i>DxE7HfL$E#VT>JUsv8BL$PS)>~-%|wP@-4zU0MDNDD<9;WgnZ|1^8XKa7*+a# z0HXCccx{va;hAD-|94C5yk6(T7e6jdU-PPp!aJs!j_}fB|1{#PrO$0$XwsP~5eHQJ}R4hRMFdsQEb_gS-2`%X4glhZJHL%EYHf}5LP@{GPy<8 z&2$%ZWl5TNt>>gW`Kw}JMz?lb3>tsj9MS7ona_}UtJl2~()+BlY~+UN1Y`T5z*l^a z%tXgHMg=J%sXbSrt+a5=3el=Qe+!q3H%~z&vd!&HI*DDC5aAh)b=MV87g@x7KmN{z z4Xeyw9*ydJX7Scp%+8aCwYvXYb|SD~=RBfh-U=J~c+zj4)Q~U%hF*FSY?}Fkr~A8i zUyfa$Jzg1vuJAxTFa*T!R4QNgDve{s>%Rxh$Io=Fb? zGk0vAVlqIWMkjy>$MzPLRE~2zNBqMW<>1_niMQnQXU%o(bu!8on6xJ>OjPpBO zDE7(;7e>@Q`IZFm4Ytg2Y$q7!C9oB(Zqb>owmlG=quW818Z=YQhRL&=k82tSS@6(d zi!A}-tYr7(IkrN#Y!?!!r(dmpOU8G9@JTQ1N#_2bsVXszF%KTho?f(AWgX0OyWt-{ zj)Rz&mf3fXK$<&ngeKmG@$$baw&wpi#xFr>yGVS-{;)GIqR8lbc1Bzd@5}uwREljU zcy4`v8QNyJic-4Ea%me zI|^GT0o7Fg^w2Zf?8>nKf3H2GdqF0UxLF@({P}OsT|Vc8S?%?U8W)BIsak++Jco=n z06`n{4dG)vb2}!~tIMvMD3|8_v`KarYzaBBK)+t1iVDBzAO2p@EbMP?aL)_qJjV=< zg|-(@MwAD}u|Ua+k+-6lxJyvga(26iYTHwNX)-1i=r@-!rT*LbgQyO8lT2)^s^+^eK}eZU%cTe^FWj!93s|<@XAAAW?QY8JtD$|wwwM(1n?=%B~d!e`jHR?8dc|^qLq27ld zVncTUK`k>x3IRllN-20)*KPg+RL2e!ORVohlfZ-wxyv4sE*1^*>&%3Sb-fHi4#`lh zF@(LKO_+VRe)0RKm0xj z^|o6uJ{=$Rat!E$rm*?GfuI{yvE#MV-%#*^THlXb1;qft--f7RZ{BWIHM5;8Ve|AY zMkex7>ctBD=nFF3Gb`=mmZv-cLBSgyTepPYB|ACW-e*yU!|bXYT+$;oXe#~ z+lchMK#1+fi3+OW#)zdQ0(P)c9_8kQs~tR@{$T5p)9NlRog6i$I0hzM*M$Sk`u=0A z|JOEYtx%oZ>siW2Zw@E@Sef8?@&7+`q93x)TFj?CYS|)#-t@M-w)*z?WmmTc2uH4N z91#Vn5AyxoO7->NGdOaZ@#do@kLkGU7v5nN`Ph0M!p|Vau-j37h{{v-y<2h|RC1^z zKlq|GJVqyQv>_a{G5MEIvmfgc-eDh+@oS)Vzd^(pE1nGHY)EK-NT}IlV5gv~+jHn@ z7Ax7P^?iM!$6kGcqKUwYjQSY9bsM$P=JJJ~Xk}}9D;h=000qjMKdjk1f5yHD6|aRR zp|u~4{5|<8Q;d$pqEx?Pd@M?5_Uudcc|O5amfqi1I6nNn^IwD-ax~x{2~#6CmVK-p z8Ej;k5f*I3Zex`{+HI3?mJxMbF)lwgz>p%YS{V)cKUE0DPiBkLkrwlK-}|iQW`nTu ze`YJT-exp;a?B|E2|BQ1ZPe#964)D#mAoyF28(A-f?RoZ&ZN5khtAVgX7}3VxA1>Q z*F$w1?}H1xMbHW{j?CFcxm;*Jr3|qpW)Z>8SB#C@w`}8oiLOwIUQ6JS3(KK|4KE74 z*p$HmKsm5FzpVa?_5pG3Au?WU17LWLXpDAAJBbN^2n@nBDhp1y4C_4HHz#YJENJ$S zi(mW+WmA5HBciOAl;fH>asl|3XRJF3O0kXlq&@co-STIQ4fATI6OJR6RAUM&l&-XA|P z_A38wl4ZTSbt<26-z$0b8o?7>JMWB!>RiW^T>ygqYl=*&s#$>Nu3#!rb|}La6aTQR zfE$Y+&-WYCipyk?p-Y`~lH)j*fZSSQ2!dmub8q3|>M=t?h(6UXBm@|+F9*^+7Vm%; zYQ2%le(-g*`1p!iWwDEF#zwqs1@H(km}CFC$nS8BkNVxrv(BKsSoTDJLa}5%YZs+( zxh<{F3R4|FR$y^P9q;EyS0Lcu@a8LZ0Ckkb+D%mRf^W3W5v5Vm@U*Bi2MRY_x!y9-mJ|2 zo%LG+*y?hX?MDP*2;Ip)4EVq{d_hKOXZlPMNyO~A%Toc{yOy-)HhX&v4*Ixd!@vx@ z59z0?d@^s=r)*=CjPIK0{HXo^V#rT2uBVj#&mjkoD)ifYx=G;XCB%3JGEn#&dU-kE z*jMofPSYnap16J*kbT`JiA9P_Lh!KZ;M0+=dfK1Oq)!G z0@NJz_%!N+Za%2`yB%w`0EN>7zB=h=mtIvtCz>J?2D;Z*fm=FTJH)=)&x`#7$#HAg zv{Tas_gpi`3;m*)*5lupB{7Zo6o|C-p99^@FBOIgZGS%g#|rcfjc+4-CO&-@rwX55 zuu|LDlhn7xT@AO=U16qdkK57!TGszL)aJ9=3}-3@wimv#Cn^mt$hPxrqJM*LdGAE` z{~YR&U?W^ZtG&@~LvkWDSr2U%)q>lX;82%Ehtxze$~&x*c1CQL8gEqc`%%YC^Mc27 zteDktDyMEjok(M8?icNtUfQWwq<1T*AgWT~dT* z!lE%f`1Y$IwE%mX=mh~0b7(7Ns`LUsBc-P*W!0)F$ZuO0Ujr;nviJ&`O?A-N*L!G3 z2X{AxW@yn2e-ABynhJdR*HYkZKfL$RfQEsUL2cX5kg?&Dn$`v7+OX7f&sTH!y0Su>nDdONsCBI(G;0Wn>*A-$yDiJ+9OZz!4n z!SAv2NOI~jGkHj-XlWhiuHr^^-!cM$8MI*KvX%}R;@7cWLW$UN2CJ^hCy*h;4cnya zZDSMs8wHKopy*Fp>#wxOrT+1DW_{GsSF{#wOxrF1`Nh7a#G zg7TamQe3i;!+TL8FlzC=vJpc5-WQaR5`me#{w-Ogi(e@Sm=>s$MZ2`6_x;uBNM==6 zoQ?EKPdshGz!XF@l@A$$aG&gxC30yC6BF;(M__I8Dj84fr>)=ur_uR_K9tEolGqet13J$# z7Uc%OZf!y1bsG<|o8)`@lpR(w8{U0;U!ru93)yMG*ogK_LwQt>;{&J{>e!BX59E81 zz%&&?mV2bF=PYh|{Nl1-dH;1SlgO4QaA5x{BS_9mKimv|ZSbEGfB78B3O&Jd(wiQw z_wfhK)B^re2p4vG(2%jJC2pqrkTX`t+WRD+KN|$NhFIHY$5ywgG?C!ZmB&Lns?a6( zvetns#H39KLVQ9?y(20DBHi&SRr?fUY2{cd{)HbGR)^Xwg-zR2-yP>$vdjOGX}pWQ z82Ru&7sW5hEd4*Qy*f#ITTDon)zY=YG-@7@3%nF^DnKyp>i*PQ375Oo6Myy1`P(Rw?VtN^yDS zmdL$(?#Ez)=q2^26*_1_Lqw=4#S(3RVW{_}B6IFb5x;nYv9JhScLAJ<8TWj$1qUUd zd8{eBe%5q{4qf?ojGkn#`VyJ&}XlCTU3nPK*$j?B|e2e4=UQhr{ z;RXdDIau(XS2pR>0cDg}p=$p8GF5NIb}Ev{KeBi4M>Z_9H`!s{JpJjD*zZ)QghX3- zUyKW@4dS0>tkvwqb*f(pG3KU3mB8z$$h9(3h#e-jIfA&5!sh1YA1LfJ7JOXRBsPI$fM{xc+kNBIBOSE>R^_>CCJT*+VR!G z9Yon(S(5LN_9C{7{8DTFI?S~a`Q3;XWUuIE> z%V@5XqQ3Ego=4%yG3FVuFXaOWBIAS>YAmG-)f-dcdBq*1u?oZMKA;4iw$|SW2kos{DKWRn+cV^j{+)2G3JKaL?5xEXYA9Z8edDg?&A6AC{qx)3 zwf{mFfHl*EOi=@bX6D@-|1Z+sIxebz`x{k2x?o?Vt zq(da7VQ2yAl5UXh@P799obx=t=f3Xw=ed8)AIi+0J$tXc)_Pa8#0@chJAHBq(QVOC z!$I4nOiL9ooQ6wUpogXU0hc}zJsLkuUAg)8x@ci-pQDBR8-W3&+F=Qr_BJbbC=&ss zWNRxSL^y68qXJAuK$`=MB-7a#S}yT9tqJCfICtM=o^Je41qJ`xP3`haw*x zXiyRwC2j`C_I4@0b2Ob}!%ja0dexsLPjgh-bg0c=!kA4I1%bsLFTE+lzqo02m^-Wm zu6Eb7w~<(Q3!LE%-;c3JdRZ>ew^;MnulXL+?pI!Enhnsj*Rm>=7@-a7h%f-EQwD^} zMHXkxl}3=LSlPT%hqq zZ+m>-Tbm9dzmZX5BQjBNlsU#Y+5jZ3dY3;6AvdTyDtWTeeG}bp>F+mZLre)v09&(C zK8iem$_6dgoY-Z_}_I^2J;$J)y|X`Z*YnGLp85-45#eeJC|n$ z-Gffl2;Jp}9mj17Ks#1-5%l6zt>>ARU){x7>AxB>*W`Sn4o$JB%5%YqS7I~yiTSH~ z%d>iH9Dvnd)pSr51j5R6-S4=3!^MQ%e0P?`Q8dz(d(P_{Qo7jnlmA8PR}J=~mMdzK z->JkGOtx~Sq+s#OoJf@JW4LT0yu9`$l_qDojsG-w88ewHt}K4*Ld^QDpbq$1R5kV1 zrD4>FTv)1gjpzwB+q5Gvoz{2aQYf2KTTLF;C{&EJF$P#u$LIH0E7?h;70L! zO+CB?Oi~_Lc54b+>iJ?LU$mWFI=gc0O`QY=>G_gAH+D!oM>9u!=0s0C{kOn0mgbX0 z&fM3puHrbnSCAK4k*`%iqGH*AJ<7uATMw+}dVIslE^R^{Ti@Kt!zNsNKvw&?%Wg6% zRU;C|;_Hr_4~VoK&p0l+_sG%D9rAvYO-_P#AkRn=nV#QLt60!liXP!C?1| zI&dy;zkZ&w;ny3~kh;RZ{*KnfpLmLOvP%o9^@ilLFuSn{t4g8$JS-r1Zn#}5QtB3IssQMqFbOIi~ zEt=hiw&;a2{g(ctWJDfYcF|HRo)0?e2ItLps>ed0XD^}3uxn4=bO?7GfXPb5PM>a% z4w<&gq*tm@+sYy=M%)0)NX6|L#}$sE&dAWp*e7n%qDk{Ub%cU&J0n68?tL92&R~K4 zW6E`O>naa>;mML5m8)jWA<^Fb$cGoL@5P;_qN0)g$OSQc{$bFTIbHP?J~bBe97y)F z)v@|Zn9h-(`c?l^@awP2DXa8f%9GOeokgT>)vt&zyQ40pFKb7q_kL=ZEBue{Z&#?@ zOZcSl`MkQWW_FCUloSG8W4vG`E>5RA`73GfS%3%0T_5EPQIrX|@_tJZXT0$q5Z@@FMA61HO&sph4rLiQS!dw+rEI#-Mb>JKMR|t$kopp(#s!ONWarBT(Ov z#5nGr*|&8ab!n+as_5}SdXma)G1 zgp*l60~cDvn&gwFAoktIA`Fgu|7*^y+phU{vk3OOt6(8y;C(%zU@OivzR=M3D;%%| zyYz}dx2VBHN`UG2ZMJN`_WMDGm&S}pwfVq8|Db@e)jT4lYn}eY@Y7IC=EBU6P_vgV zX3az6rEHpy7YdTt6?xqbp2li=Rc>`|R;oh9t@(mC(zy0?)$(ShMd2SFA!-)GiChui z#xtYZ({5r7MbjFvuSD9NO9_o4!y@oBO3}6aFgHwqnlYE0U%4_oIQV(;?bq3w-4y*R zs)hF;CiQ3HYhTL8k^TLP6+lwcY*wr4)T!N^3=_jZs&*FI?vSGn zuV901^zZO9(5Ak2q|NFFccF{vs2fngtVy0_>A)n9XM0)bZ0W*`dpy5+cKFT~#aQvS zaDRIu)8@W##`DPd+^77o@v_Y9N(FEs?=Jt$2A7x&G_>1F%UIzry%YaCKsz%h+b_|>omdllH*$3j#14-t* zLucs?k7R;OqkKRU@Btc=0?5UDc4}xVTWR|H=E5lLp$581bjN?YOQOk z`~tZ#l#d7Na_a_yH(iG#SQN-O+_Ke4V%t6DQ+l6vJ@tAS71(EW9VPx56fo8Kr0;^A zTMW1NeWj@o5jtO6!*va0O)~z1pu6!okbo<=#eMrQPbIt#B5dG`-)zwr$jco){M7B< ztbUhv*R|fJjYiw_eBMb+$`!~A46;Mcl9@w0y|Y)^ZoMhnJM3D5#FEL6XMaH2B~=Jf zB6NR`hCxNlTCgY$v7cKb_w-6t^0!m^a<5z{2`jn3TqQ9So$J2xJO8q|6A8MKGj%== zwA$f)9r})|2Z%I*)jyzp|Dzw5g+JFGhNm62@6>}vGwg`@Ey%glxW2t;b=>xrw8dQP z3NTdQHtWDBP!~==JuIgF2`Xmkrsga9T1MN)`Q0E+|rLh0Bg)hC-$&AvS=jxGD-Y}vEULIy_e%?2t-gV%yo3uo=eYc54sf_`v# zu~g)_23!bZLA)DSE+h(rhy^Ec5my$4qC?NziY$)Y1vWD-*Gk=q(7NS@cBy~Yxzb`0 z^kchPxJyxp!uQ!JUt`SCseO*tr!{QsyFPHyalM$x+F?$bOnhN9r^C(2!bn;9G?n`P z&4SiEwsN=N>%}CbShrrZZsF?KgjVSQR1U05{dqaH=EAI3Ynnx|MIW;rJbZR!K4m9v zIuvFUI?`U{4i$M9dY{a1FtgC)p1v-yDNwHQ!0;)kp*XS|OnxnI{6ZwC?DWNVQlqTl zhUlkQ8?*?Hk=NZn9qjI;xfq4G7B;rENSYqu$BGDRt>;0LVvqKEzlYQ_bCOF2g{Cgd5pZfb z<`rV|QkfZ_B@gVSXl{8d)|Ny6=5>^*`c|d= z8|Qh|6t|c_^EBGq^;$VwauzW9LUtve1mrJ~x8L^)?nSc1GnejivAJ!7#@yU1rp=1Eyq^AjdM?vr(;k~!=vrxQsvclGiE z=Q|S%6Aw<)z#XYkxX-}_kN+Ag1cAu??{JCJjps)vAK+19o6(3!PA$2`Yt=U_juaj7 z^~)jQVUQ1Auw6IVF3bb%m!SuT9@(B-kix0j-eMEm(3G!oQOi@ne{2VPs|l^zUOC~@ z!sxQ0T3+GOF|Vk*ulio$ERn=nIYjj4gvYbPRq}q>Hm`N1xU7=OW?gbMy$S=VBdwjI zx92u$m5o%CFPpee8g**7@C=v(DV~}3I|G&v|HG%SyQPUi;2>)8)^yh$EK>QDw0V*2 z@k5lofHCMG=neIGKj?xaib0^9O`Sdx0RSoDyis8->WORyqzA9^wx3)u#9HdF5M zbp=n~`JrfLlW^HEQqO-56v|~&hpv_>%ac;l`z&NT`BP%X{K@$~%x`{1yr;`S|12#r zX)&+#6P;fBuFUi3J~E z{Vb}lKHfg?S2k3c*iSxPuvQX%+xS_D z#RL607~9^LG_#1PRe^8L*4r;t2pk{1Pv3C7W}qyy)6&L6sW#eH!|QyYJPY~AZSr1( z+bjWv#>C>ue3~k}iNfalb$<{Af#XNKda!|y|8cb&ivE>)Cp7u@GF>s4Geo-Fu|p{# z&t!z_v&jtSpVp8;*pHeWv5=irK!BM2u{@TC&IwKuH>c;11b3Gz+$W#Rs=5}G_bC{5 zCJ=H95AQ!3R^pyef~#$5qJYzpGm8(XQTD}ZAC6o`=cG{y@;{+7L#IMj8wJuG<}JkS z=m}@`Pl94%Y30nq@xZ=Nt>9n(CFegcC$CY2JVbR{v}=r=>iyZ?J_B|uulcktO8;D= zhHu#WF0apk(k#*tR>yJ*i04sXMwL*$e0)C2v0-w`##UwajWx`*8q-ya(L<_g|pmdtd9eh`OX08 zhucqE<*&5Fsm|ZxW35yjxGm)}3&I=@845TzB6UlOWtUt8WTUNw1S_t8Uy%QK@pngQfI}w| z(J#gPAl0AEN{O=#WxXAXg9q}GMn=W%Im7=cuo9I!Z6$Oc#e^AxOP_0ev~Spont&6? z!thpN4cNr2v=@A@OZ|PirYg<9-PS$V$AM#j`ShQk6&VFu7m_>XvOz~COaSAvO@p{N zm~1AGYQevdwx7s=TLc`@BOD}_ZgX&+Kj;FM!8h^r>%TxSwEi_OrYg|p`gb_|g>LQl zQf9a!!KONjkQ!R@D;aS2l|+%3{pY%XK4Bg@DGlTDK9?hho<2LWf*R0!LwDi-=Zl{I z`!c3lq_sbTc?0rpU=Pios4QfCPVz%qK}*Y+N-v|#k|K3fQD7-(nx=Wp`+;jlyyK!Zlz;nP+c^VZC=HTJ8M3*0H{ZC>#5i=5 zDq=xD(F=TeF6u_0Y#SuEDT$vaR<7+PJO)~&WZ<$THvkfR>Ev3%W66PJVDBj%O$O*KgPIyja8z8%vzE4&DPF9p9 z_1|^#zrT##_vfb9J>UcTQHv0t1;4*OmXyM7yHi3HB_hm7RMD-#{@WH6huq>IXr!LJ z&&|d4$?<=GH*jE3asR)6*^|nNkKeUORI)rkI|t}51+2dax+uv|9Q$_xXDE(<;@v_C zw&8y&;s2k{`tOH&f`vj()~gI|@A~*%5PmTxUt=sEL{gQE-gypvq!T0SCTT`6}YS|Ly<%`TzHO8b(Rv z&047KN(Q3B^Z#D$lsCd2JpD*F?29stK&{S>Zl;9DftH}|Pve0MPfke5xFAmsJ)Uk! z{2><(3bq^IZvRhg>wUCwng;^^R4%=!_uDzm?;$0UWl`am?Q3b3p4;;U2eF$2=?w?+ zG!lOqQo}JtUpIhGXwvr)9;~YIS5vU17%)9hMD1YWztGJDB8b4CIPrkhALHK z>4w=+Tm}}{S9y(TP&Ac&hPRF1YMf2~l6UJ9kZ+iKS#E^>RjgFoXDpmzykPu|^oH}e z<575i+EvatzkTMZXTgMBCf9eyoRMZMVSE1OcSTXI=7ya~g^4o;ih{hQ;z&Ybr6Iah zF0@y9EML;-%r8I_x1+rvy3JnDd^GYTGs6>GuOVR%bLR$q{S+SX8 zfO&7P6YEn@AT~`4|wI`j;0AUybw%1AiqcXKe#pc~bzlsWX`>Uf9HnMmA#@NS$h#TXC$8)!MfiZ&fG zv;c=jISs=n+6Lw|mPfvj*DX`FcU9{Vu!1px8X>8)p?+{Hy(y&!Od7sRJdhQEO~&1+ z$UpA_Exvmz{?SDO{|8mFA|0_Oug4fZG0?P{L!L3tKLCx^+3%GKcJwPPUB*Pio~zYF zl`JZwGeAX6N27MnIl50u$m6c-cUo-xp|obE4|)cP2pqQnZGl~SB=5F^MhupU;98P5 z`xO8*e?z%%K91IM67(W7ZL#aqLMVE?>)K>ChM8{W%B2aT_MK(3{Yh0rDXr{X0`jNU zm6pV@bku{tgYTc0;0 z4?%Z{fdou(eG_4&mt+)Ifbi8S@(uFkIWI2w`{*8W5JX4R^#^W4hR5CFcWNaEPt46! zBM5(a9)=!+2JKj73{Tx9@=gHY?*jl+m@hz>7<>oaFWB@Oef?RAQPyz01>>I3UBU!t>)x}D&LpAeL$X= zZqtEEAPrl^FedVh65n(u6jlM*^zRadqIDj$ZFPd_RpJt=6yJc&`f6m}A`a^Gt5Yj% zoK22R+u=prP~=>r3a%wcL$7V<`tWc4Vrq`sqp4%0l{kP@{KoycU`;ECXBA(-zS7>n zmIEfr?CnXhS+r8bTYawe{pVyhQ6KMS-k|8w7L>AU@UImJO&g}OAS6N8sl!SwBU1Fk zH9~B!9E>_+PrF>l3xu+rC$$x=in;be_$FCAo5o!!=tDCDtPRf$J57|V8Lw^|deWZj zqNm;+?I!U}8t>FlT=fy#z347j`>Mso&8%YBV%$);r@h6hpPR^t;GEawC{4K18nY|z zQ?K<_KTCeH<63ODCP%PIi2}sE;lJD>sds9)%AU_(4TIT+WdNj&B{5!t`{J8uu-Fzw zS67z=)L|bngPQy1kG9G+epo5#fZ>>Gjn8R;AQ-G9(CFXe?5;WnjMJn^^C0Aq7 zSixtLXHsji9&XaVh%&32&9q#%oiOpMk=TE|WuaqVtS?%CaTY zY&83q5_d1dWjFr?2cCsaKxPRr8#S8UPJRCmg^(w`ct z(W|AD-%Xi@2E^}zhQ<~`1%H?Tadzo6pmkJH5WH=l0$l9urVRoxw7Q@p0dsLH$qC?K zi{lK)ULOGapN{puy)vS-vQEtn7!m}l8~WXzu7gpMEoh`4AhHTZ$AD%hgmWt!OP$$W z7%5k^x3XFW(dnVcXfBYPUDDRRSYg^xMYPzncn8AF3U#gXlLvqinf7~$gjgigAyN#n zN74Y&OM3mYYm<-%SL|XD94^?mS%sWay4>Rj=;=qu`+Si{Um)Z2JAe{=0Qy34uL3_p zo-h(W_1S;{Td&(l4Fh1~vHqLCI zoLdXSGkVou0#op`$0+X!QZkr4aMgYEf{YHCmkExvw0(+PDb&;F)4wQRX>K?lIcdo$ zt|?3lMY#UjnOCoMZLfAs7@NtEy1o_a)3MUki*#>tF1AS@Z78jstNtiVm0d%Ac(yjV zWhY)!u9-O}Hm#89Y`DYcS}z>!Td+hy*i z8F)WLlG!c);-p-?cb>j*gNP#MeR8aQOPWr7X~OaNOxm>76F zKLVT`b83Vr6f{0XAK~N1UJH~qAA(7Z1g^KhQ6o}!BYmw+f-?ajmA zB}PS@#n1}rm%u;$AScQ{_EQIFk^-Uu*o->Fr%#a7(7#5>w576DPAG6&C09H`0*_6Q zx(EQkKFtlwAh zyGn%IO|YX7y=~~ke(a$d0_}c;Ba^urx6MX2qPx=$~O|gDh99V-~gU zc~uTV0p{pGauV>S>m411ujnqqNJZU!HtqnoL%G`V@kzDikyZil~UX+^?H1NFC85vUf|!DE<@^SRPm1yelb*=Hyf`s5=SCJhK!4aU+sqWOU4 zZ8o$C+DY>mfn{`an#Td@R^4E~#rD9_I#l00ns)#aRYD@o7|tX+O%AaO*QDHCJ)2TE z31HPLqMN!Jx(UbPv<6_YTdillGeXY4XJdta2o~9UKfZS>_b))Iwr4;Qo=$VSDW`h? zs=Nh&L`%ie-8{%s{h$a0fu(ytZU9%Sj}NJFIUg5mDX?To@C=O7*}5RT8k?Nk9;sc{ zAr+YJSLCMqyL)OI1gRMbtSyTFy;RYy-hE=nMmGq$iVuo8_HAM$3e8i}1^%DcUBBh<#lQEXD|iGE~NQB)*hmm6EDrj!SZxr-2JO&w=)(6y#Sa zR@+|x>E#w4>7G_daJ3J{-Pb06t@#r<-OI4oULvx!m~`{tn%+{3IYc7sGph=vz%aE< z{uMm&G&ylcDjQI1<)+og?U?PG_fq=WE1CP#m)+Vg@=CCy+o3$OI@3|Ugzuw9PQ8q7 zs&)&~*QDV!c!B-0xaM~tOMpH7nx1<7uqJUaaMYHGx)ZI>XU4jKH?v>ed-7QlDgwKj z8Lffy#;qR8oZAK7bkiz83TQwZfr3LP-|%36cxQE(^l$;+{#=E4()VgxO1SCvcg)+| z!N4KmC4{RNP~aqcOC27Rl4=X~UF6ld(a0>xGfls~P6<9%5(yrNXDNL?AF?fFl%jd3 zN`@?+YeOne!CkZJiqw2aT7?L?VWhIR>L#a{Fs*Q-s6vnggc_nkuCbMum_D)A*SQ{a zRH@HCtvvI~<;lQ~TM&F#LoZvaR6jvQEJfW%sEm)%B5GCYl!cbyZ&C^A@|QPW zxfirUnqDYU?n~D4XcuQ{Nx0R(@iLE4D^>at|&F@E|Usgn}E~GCWkzssT_@WmIT+WPQWT)!;=9ztW z9k`Bfbwq|`LD~V;bg;(ekNdEfXSE6DX{w^@v+D-#DZM0Hw!6|$6RMO)VGc5tF}^{5 zN?v#nzrgwL?Rjdv9ZU>FoO}SIrf6d|D(Os)C=LZ*i3)kpTWQ?}I})EYNSW8w{j@U9 zD=HhPC@GNj>#7tan30G5?ap-5QaFZ~HvfFDL!r<-VT9lZfTr>Y*6{X?s-?18@{tb18K zH!oI9s4?ilf~y@`GiY&^r4FD>j&U?>EB`G(^HROYG*Wf2u+Y!X2*SH~A7u|bImuXh zp1u=1mD&p9vmk&6Q1Uv3;ZZ`;(Y-?(;#6POV$!RoZRa0ZNOvto@%j((DB^$>>l&Ld z^8-ybZMRM|@(qAcNS6C#)#ak1YH}{R2x^M(9jw%($o>IN7WI;OfnBxz{q?A z0elFgKk;Zdx=ZRY2Xcpc=6T+4uB)1HQyr^oLuiqQh4O&uD7hXmpLZ?Rf%$(QcGjWv z!@0M41mxUvKt^!=Ib^U7l`7CXHIPo`waaF1XoK%hVmLZA=Ly5gJ_wX5s30Kg!z$p; zVKIL zP!5KPdDpci?>chswqsz=z1YH2PP~50E1FDo1F83KUKfae9<-ZvmL3Id+=r1sk$qs? zkBZEgy23Bq1eW8Lz!%s}<{7Pb9eP&}3u?Hw!CM(wlA{O6Pcp6o{P`9#V$nC_Q~)(z z%#OW!@3<=H*S#9}h11pCLP`1Z+a-tOC|Zv3o$*u8anJZ)l7!~4&E+DXm%MdwGgH*{ zX1Tq81?eb%Pv-bpuRV>(wWIN#-OC>^`2$9dfs+rSzJ=*`bwE`+2!cY?s%^1tXt)C^ zVXJY75dkjiKpeiFj5Q9CQe=Mz^RGod;2!way9X%Z)1O3tGg`gJ-FG-N z>XLld1gNh+ztT1gzX*F!<7p69;xByguHJHom~u4kJEeA(NXZjw5heL1`4csktKGON zM>ezd9(7lWVk{4j9uC2Eym+nyf^TjFLN!Tx=Jb?|S#TR$*n;_O%7n3@jct-2Gj$TR z3RHoYM7nycZD%*UFRsitI7C`tRL@g5gJ)kF$Qd8)u;@@eMm$tb+f3;@1ytK{#ABEOL=!s+P21TZqHk; zW5G{^8XV6%PD^Ht46J?HKcAz^n~=}Qy@)n-Z;7qwv4*_m>iv?LB-?c?7-%r`oBtB0hD&t6a-Dh}?HeIX*%K*Ry65uh z`fEcEiz)EWeU7EF@D@M+>CT3CH|O)%tkM$FRTeIzjfJQ}O8C%S)p>E|EoHYDpp*Pz z6;xT>f3AzRuYMddb&0hEyT)GY$RfJ>>5xBZDg`&RIHl5cG8F#Ok__u0CV0~P zYTR7pm3;c~bf^?VTlOkKUjxIkz9=NqYiU1Dy-tCLsl=^|)gJ5r`Hy1v}XOq4QvtTc-c;U zEM(Cym@;|t&}KPjMIk>Wkj_~X`0d^2(0M9shPUtej~oR_qd_Mq+E0O~f-IG_l(qGQ zu@S8>FK}`;P|Ym`c9ZY9Iku9zy{rhNI|soaA0eFZn|@FwhhP$3$UsFU($BB41zDa? zzP-v5n2H4-wL6aR7pr3?>ODkjoZn>bpQ&_QO4HAZd^SIf!Yq@S@@Zb*YBS2DFPk`5^~;m&nzTlSyhypp zkYT=eqt>y}5>FHG1MEpYg4&cGa3xYnMjjXg02YROnP5xZqN0b{I+z17gA2jd&Q!xj zS2s*~S0f>I+DrMd0N^Vf$zcAR1*ug|(z4VsGB{3kZ8`DRZt9wf2qEHk3w zee!2g7FfdF+W=Gf&xg3Ts1KaR)Z|8NvNwQz@6RZ&uA_C>^^?iyY%NpoQ^=hX<{#Sh(B~Zq|)3F@aJY!L{n1*bZFB z2#h`}VeChaA2Ht%RDO8E#m(H~Ud|TP z?EiYL4!4qJdai89lk3IxBKIxN4rLgE%O!Qo5$+bakw|42xVO~DNhPys zT#AZh45NtZ**osLuMzyX@k_X9JuX#=o5p(MXI$*G8$uXL0kJ|$rWC#E(>_^TJQpJP z1#`*u;2H4wfJmkLHkSvpQ`D#e)wB_2Xf;~3AbmAE{FZi2X@~ISXEq$GPXzZ;8gY|U zv%3{2r`RNarUr)}V#Km26$4rsgXdX+n=pd2t$`+rA=E|Qm(sTWjHC0 ztB8~eeCnY&ORwkF+RKShrPDn(TDulpC-PbCmy7INAuKC-$*1ZChn{`DW!O7fA=f`Q z7*5hqqLW~*pGp)4D1c#ff;W(cGftYCS%6B`r(ZwzZZ*v#(84d>40|Q7+ib>Q+=sbh z=@Gr|)SE?#H?#6?@iHV_ab8o8m-z2OT}^J3#BWbNn;!LoLLOp!t~py)gH!~PxP7kGR0%7VQPy{ zgV}>t2X()EdvF9{Aqlepsm7G8f?{Z}?bEv?MQU(JEtbH3dMHZ96gwi_0a7R>k>}9i z8Hfd8T^p>}PYo_g;LM5w7e5bt`*pk3VPHH@qCI>67~HmBXk+200SY{{8(%f5mZU{H z{=_aIMT+o)b?HDeVO`GCMO4dbTG*z_vq2s{ebk!Zoao5&9za{<%-*<{-Ln^_AoV`_ zw89rrC{brf{O}%HoN14qTRQ9et`N1kP7Im%>9@me5(IH?S&0eRG63UzPE2MFtkRA- zGwK4<@g=cvXb`2G1_t)^Yexd?cqC_59Y_~#EaLwp8H{uOYNw+-Q6-tH!ZcDBcp+x; z89NjaE%}gb5enVeeJ&W3my0B9{}of=3b+}ubL;>)&vrGnoM+W=D2*(lhF%CgG@;GT zrQ&(_!!auzRXWECsczRJPN~O$j(ZMA1nCgp|5GdDs zOpw-2xy|ma;L(V1g#@vGk;#Vik?Ga7M~`i3e2Wp$TTnHu+?2z0rkj0nG=kwiwU+9; z;f(%qU$Zw55gW!TiR{AZ*BS1-T45iUXuia0)K-{R)6o#LXXcu#6#ILYm%Z~oiNHuK zrP#&Q*u(rhp<~_t-0HFd4(iHN!dbZ&U|5B}T_WR_dn{DxN|A>Z9!jhNEa&hlZAjJ4 z6$*K4R1GRq>VSZCz4z?}&P1hb6fC|JZr+qMQG6_q8;e5y|4wG$_A~9p`i)OTtWldF zBp4Elgf7a#Lz<$eQnSVHnM#gUe{=x2hznh|V!&$$s*r`!J94Y z2xVij#A?nXe#UD=iAx=Xy`cZTFZF3inX3kckM`ELBx+oeNg;ZRp^p&y94@=yUoU%v zMwW;01!X*;VVp|~;cmEjQB4{xv@NyE`Z;<6utMxPzEN#s*1#1OB@{NAY%(sJ*~K~jFr@Y*{Ejh1cH0A9(AUuUgLXVE#-d;wv<7jPrK>`UQ6SMSGPSnXSL!r34h=WZtd>!wJ=%N z9guf(PCbk4M>P?_=&%$xF`SCkcN?Mim8Nt8%mTNXSj-xpVT?I}hy00jc$CBU(b5IT zwKY6<9~uK;&o}J@Bu^Ue14+vgbYZ?J+eN$|;vlST8ZK}X@FHm=UXGf};cN~S6IpIo zvem9Q2TQlz?t8_4;4K;mm(Rc(cHgb+z8aPgnR|q(51XULls4<(y?9QZM0N*_rTiyd zgQYHyT7hUWova*}T0|f+R&;=)<)+GC@-;nLI>Q_B3h5Qp4|6dX&O}p{R6sEA;XNFj zNqSb}PkL}~*W_D>=$DH409v*Mg+Y%tyOyv(x4;vNL?nIMAM})GlA5xggXd|t@vl2g zn47@v%F<0Hj%aG3RhAI`eu;So5mKziUI zg&o^-PxVI!&b8o*S;wKmAz52Y7s$o82L!}{9O7u?5Y&oQSu#dLOtBmtJfL{YP(tS_ zYkZ7s0edz}#0yhaM~1M`%#bS8j}|-;2p7n4(xVm1{9EfojWz);cg!Xc(K}GggC$So zMcqsW@Sewx#*s~R+-x-nsfuHP{Z44y{1n;4dKDDU?~2OIA*8Ap(i6{?=Pdmi*IeWe z!@(oZx~+$qWOq3xg+%WYLO*rT5Hnl^C)lqJ-(M_paEjXkN+zaf2C}e)61lhT-mvvn zlT=D#uBcp7*#3&ti5!^^v!xR|vi%i~N+Dk;UkK~ml8H!!ehlqO9NMZRF7lI2-q{z2 z1gr&o#wWNv2=R>i9Anb3O%%taBzPvL3_yE03@ea40#E zr72T8?$bfKVBfFk%2#c@60q16M>Ivf-a33!b~5J?;32D4+iadT=DHIYuGzSEb{LBH zMdx`=VhtxBVp)Ww=l8DejRz1%SG^U!$y{W(O4X|N8Cb9qLpLzQk|XqX!K5yYduku0 z=q#b#Ty3S$GIIZwduq;oA)RNfG=jD!POCp=OC{Kk)a9U);hxx;$Lj9AL=^F9%r@)gx}zA<^`JVXuV|W zK3Zz0w|Lqu)6K7FMyZ(sVkibDzDv@dHR_Pjh;gHmS9&%@fv3y=QUWWGeGyw?IW1I~ zp8@qX`tR8r^CF-bp#!6Lc#Xp(R#SI1>8GXRq$zrd%Py0bJiD*Q#a_O_Hs7E*GCIFB zkpIB2!)FnLouv`|Pl@fgz8&@ekN1h-c=gs`6ZVDeuhwMb zn7iS*Z}Pa6gZua;rMi67mYMbEEN!=M>iM`K9$74`^tQ^}}7$bac`5-V~2` z^-`o#_wM)59)}R$maf7Oa2nxtCMfk=3gexbK^qro@9q8(@vOO)F9&tFdAPsVGkL3NNvI z*_%#&?LI`!ud5@huJEH2f_Z&A;0M{l-U}Rb9Whv>x$%LbLtwg2GBgOkF>!d%Y=Rtm zvPjBboPbOXjJuj8|H|R=nC!mbk1VU|djg_ms_}5FO&%$r_Dyw1y%R8rYO(WTe}jy= zYO))Nh2DyMaX*$5-K`$Le2?)E%@|GU`*Qi?@HCJ&HRj7VTn0jRb=-ZNpV z)|WmSX(#eJGSR^by>)bC=BJEGgbayF>9Dm+hC7n5wuuTAtz54_XI%ZB*Yv(h{aje z2n0q%LSYtW1&evk@8c;1brckYt;HTKZW7y`r?%WM;w>Yo_^VE>n&9s^SxCk#tc2jVPd2o z)mQShGalTd5@>uzMXHC5M&cMfgY3IefV4=3YnMO_Bj)IawHz1E8Y223qYt;4`^#Fc zxuDwMF)Di^!7HL$_bz~eiR|Y&fqNnH!%6~`L41`R_riCc{fs20sdVb|SoY0`TH#KR zp>(PH5ttn33KVUAFZ>!UqWVDR7{?4maQSI77W~dLrlqisDUYLfuxIQbCfs8fS^;y~ z=hA#WK^w8z`1aGz7%5dp@Btp{X@*X)#xHBL6R?yN=$_0lri=?9%H_Nt)Uk?6WTe<> zmGQpgP^&`?V|^bOxL%QHH;Xx2WQl!&hUg8MzI|5n9)2)H zJK3_-1Js7ac+#!3aw+da6T)hP{@+H$a4Zj%=`-nzT%Lqu(tqMPG(*x}V~TALzwS0M zD>xl5_%Y~DGPrNo;LdT)z8(?DNkb-mqtk>-UK80S4MZN6Q(pgy=r}J@@%t!Ec(upN zbP!n3vZFx}8+T58OL-Ay$3Y8^pQ6W4a2V%l_R)kgGsa!TQXA$5H@gR*w(#R&`trMQ zA5y}9Dwgnxj-d;8w`O+%cd4AzgkeT!Um;Yfwi8&XNm$J@v|jl=G1TGxs~kqE&oR#z zdsO-?oGXfT$ZcE!7`FM%U9T1C2VD;QYcj5?>I`{TRC3J4&WWy@sLcE2xRl6ROlqT+ zaEFtys;q`wX7*tM)Bh?@V=#m^C{Kc3G??rzLG}TajMHxxXNAuC8YtQK^F*sTF;``) zh+{Z?G43yPDDgns>my4(O#`h1WNhoD916!-mMDv*IyGAR@b6UiHjMPskXGdSPWC#; zl&FK_P`bWw0DXg0H-P|jM(auP`9oL0Bo-NUlkCQrgdqqY!0 z6wNv9u+CZ8Zi<%l^C3+nDHuQnSL51;TuW!;xD<0u{5gOFM(wOJji0>9%kgmO4~~hu zA8pEXb;5EMD#QHU>b8rD&jis!mODil`^}CCezkN~`w078Q-!w0DYtFC)7fNkX1VxE zK@Eqi5X5L;T4&WD$ZagJ%DkiAH$cWQn7X6wqz_&WKhn!pu{P|v4BK*G><-RgGWLUt zQ7j(yuT#PqP>hx+9vhMf`(+DqtFY?U(l*2$)2*GybFH#ey3qc4v+6!Fd4ZK(+faX6qyo5ZfVNZLlBZf)T?{Gx2($yxF@x<_BY{SWPu6y0DOORCp z7J1an19Aw46QQ;KY%zEFtw$Jw(fPEmNMhh&;{U{$roS66_)^hJcQVV`{pyrOj((12 z_N?D2#+n1plOC+FOJJ2EH?R*PJru7A^dVY-{>=9C$r|fxWwplyU)5ap{HU%h~~7N5Xh~mJVp)Y z%Is{W1o<>VIGGDCOFBT#(}lKvw9)LtBICmUvwx};oC!seR)bM3ud6y;tlt5q$44Wq zkPmfRL|*eIb7+k`Q$eP9v}6wI0))=9lyjYZRA)55vIK)V7AM>ws{-nvS-W1~W20mV z_^d-lrWW;p;4-W-oyhLe+00>2!|Svve+>9zER7xyZx&Ou8Id85_mss-ybHL8_eis_B$7wihR?+a7?D(}QId-#W6S z1U`4unpF@;XST89T#J~>W3p9hQ@1Rk>N(xuzb7?v_Ye5SG+z@zI!1rA=87cZ3$}q4 zZ#@K%TCoHh?O7;QdXQ~zRGI1|Np5VbdLMg;>12OCq7}2hdmtM}HTE=0f8?wjFp>ri z$hY3c6GWM)*~2nE8NH>r1myV?LxC5lzrQ|f=(+&vB9u$9pJk+Df*_GVCqa_ceywXQ z5{fN$%i}tb6I=wkzP%qJ6{MY6#8XEjj2Sie1%4ffhPyQ_p5tqKN$YA_dpnrNsD`~!}waOO_2-p?)n&UkwW#qDEwyMF) zSZ}T5Ig^qXJASs57+n;uUCmf(_I+&^!dd zDq@RiE5(} zh)9Vj-Jzg#w=`0Mv~(lgwSi58bSd54-Q}6<_dM_W+;hjdQ@75xD8i7M-Vq>&QU~kaZll=K<>z6>PTzv{4rs=}DLJ`I2ZZG*4 zad)-7&d6<$ie1=l1BS~pzx`S84mclMKG~Uc5BLJf`x`1;O+QAwcezDvA z^&gh7R$Bpag56aA&4@|Rrk>%nXJ)xBgs>&Yw3`Go{Zd{yP(kjhB4~6~Jrq#KMObOx)fIH1;1iG>xbKFp^N7;$dV0bpodetCu=irYLDr~)oAl9n z2d#7?kR1YcDW^3ACW|g=$+SSJuWQUAl)cjByE9~>N>cAgBl@q1XZKAINR;tu8nFl` z;RVqjL;&zfEP3c7rLAhJo`jQ|?0oFVpVLF!$M(z@OryEKYI-!W*GsVPfGG>Y2ob{f z%;`PJgD~~Ry`?rH95f0#ntz0^ms)=du*Qg;7HK6~{mHeR*G1F%lk4~5LM3Cj-ZtEV zgFWGWo8j4`cm1@yDN0mN5@ho29TEq#pXK7ra#Q>^zoqTCXbZH;tHrx!r@J=aEHn8h z`zmjbSIl6AX2MU0KhT*ZALFy+3W@zWWR7Eu6Iboj1~F8&^7ey^-<{?DHfA<{B73!N zPbcR>0seTl`(ZS3TkVm#Q)3o!iPO{^hg##SfcMFRvKw4zq>(1;l|njWMr&AjMnXXz zf_Ux+LjFyKR;K(-(o^vc#IhP{T3Ekd4$FGTVE+)v+OX->X}j1eBe1}}egoOM z_i;XU`>4-@6qsmYAiid6j4##HazJ@Kr=KLNbaB`fmbKf9ws9mrv{)_lf@n26@ns89 zQv`PTJvT~iFI3dzPO}IbIuh=u1AsZv2ly9BagSYBfuI5(P?6X4EM*YjlqOA~3`n0~ z!PM37ItP}Wi2!{4G0xE1XqtQGInJ4^F%yPcU71nW+RcK~j>B`}80603%3L%@#R;vi z^NY=^rk?SIV!om~cRxe_d)d@!IA8uEhz(Tv80JpQ$*e!^2We`WMZ4s^7 zgWB|H+H%+RelqU3Q?AjY7(cUG>B?lR!iet0VB@_v%x~UJTu^5m0$8+aB~*P>A%bC%%Fjwfiv$c(7|(LIN7w3c^xIMLt98sFynSbO%|XMW{3 z`egjTu4|eBComOfsO~XL;6sjLuVTpg%izgxRQclOLNgQhQI7h_OU6IgczAZ*^AnyK z`0PY@Q!7#q1O z-k-7?5X@c7-S1dq{GpriMfT5`H|^S_H8HIrCAP=gHM)zRJd`G@iX`9KoUFZ2*nZM* zup$iZhlCp2d?H_?UfHSp@enJ6;z~Xn!{{0eR1KK0O*Vm3Q&J8GW!_dtP56?@qto1H zy?;OM%P*Xh<#&CND?m@@Fq0r-mQ!}$)hgeAMkATcN-y__MlK{fBQm1=MX)hT`HEb% zxdvYFn-_1t9vtuQdo&H)rhF7TpIaa3s~faSUFSJ=^$>H~WBoXgWVhD$u6`3h;YeBx4i|oK>X-B4dUiYHzV! z#*d!7Z7LFS5GlMu(ee)o$1Y#6ctR<*X|XUIBRCz1?O-Bx!hB%pNmS6ZNy5r33 zJITwoR+E)u;TL_JoGCeFnyIKZZf9}whv>u4-L&<*H^hkAYGvKQ>-1}OUN%FU%4)X2 z^e%Wt6ra_otGFt6?s!eKLzr@562mp`WUgjP&r%t;DoTZ(rWU+ZuRb%HsyEI?OXl)O zanLTEUtS}zZAnh+?8XI@zDIkiRrzgQ^Nfla78=pl49(4FCpBJwxhjVSIPjbR< zeX)gpcHK9N({UW0#9tz1loRDoPZvWYJTA&{NL_n&D%0fJ)>9L$La3#ZtJrU4_aYq9 zHpaJ1i1D=T;ilVQUzzoxvlU&O`iN@_k5wQpjzkee6m@$s}cMV@gV`$gz+|79V2Wvf&h+IOz4&vSkgpIli# zx%VuQB9t1r)h)6%sr*iGD8(!;PYQx52{~D>mPYsU%QX?Kr|R$B6h`@WXN826x@K*U z_A-50omqA}MNq>6EtPs-$Wu)flI1J4Ft0h4<%z3!1tB~${wUGi4O{Ay3x_m-tZjR#4!99lT3wjG!7*E}eXMJi$Ec@(+oHx!Y<=aov z`{9J#gg&V`Dot0K{M%bt1spzK`mAJ;GQ)BQYb`Qw-^A-^5Bi^Fvz%5cjx6W1T<~?Y z8P5CXNbe+Bm}z0lh5y-9jpNXC+}iR#>1fR{*( zNM0AP`r_QrH+cp%4#q6RS3Lf84}J?`UxlE1$o#@$GiVkj;O_Wgi{`Oy{-sajyDI$^@=ODbcWj)wnR1>@8nl~sk z5xx9$VO{K^QS@;}6Fk%Dc&pj!)B0F?(U3bG9vfU{aPfw1uhD`zEyg=VIOa9cp}%1&k;r;j%c_qi(=$&=IM`V+YhuXv11TOFQ!-v#M32W(hPpCJVh6|%bEeI z*J>+ukJ+c&_rs~LlWbW32+YR*S=aJE`HmrO9U1Gj4;3biB~?msHE-4RbZN{)WJ{Ks z#7?}*C&Vu1%NX586$JWk>50_!y+y*@eH;l=QtO=&CB5ji1S8{rbyQxCb7(Z!Jp%mLxHG^q;9~Msbw;p<8p;8>BZo$ zF#LDM0NYD?Y*aYrp5Z-w<;7cRpqG)Qs?k<)w zWF`ScmxBXI%m)>pu;yi5iw{Th?}o)3%6WYSocXhYp6#G^HrgnWP3=>5iBw%`Y`)0c zRPMa3%6#XqK)iMr$p1^@VV^tnXrg~Y1bp-GrdMLXE;@eI6(P7&+QtCel%rq~;Z4F7 zeBy4HLRfBjpEd{Qy+i#|qxTnl3RDh_duKd;9PFXE6u$$o+7wcOytA=4C1d%9jgIlp zuLCtBM(FO#KRet%^PQbOmHr|!lss&gq-e!rNt3(KnGqg-g27&^?+5@SYsVOj*VaN~ zfLh3V-{YLO7-Ui&k|eVFbJ5c9l(zbIt(KUNU$HW`13TF^hC6F1Os?B}auhDRCFGrE zY-Gd&e)0efUjCw~pGnestZN`(?K?UH#QPw`mU;T)RAVymXGZh!V+;}aYn<6ZgU&jQ z>Sw>0tyh+xYdvArf7enhXC+0X*;hm3XrLn=_=89?oc{ukTSjB3C=8*#@C2z%k|>~Z zxR8nZS56yY~mGZMupT}W{9_#5J7=Wr) z0Dby5ncD4j%u!xaG}uM9!|7S8KR8x;&z*M987^nw%-)UlLWQ7rAxb3Wxno4tdtv9> z%t&!LRNKeh%j*AyU?A26J7S5}cQj{vV{2?2wsm(evk(!&vOlHws%=B98vRRN;1|4G zqf~+0=0Pjq+#0cy#BL%GXB#3=vxS$Ix`u`@d5>L+ydd^C$)Z4#MBHBEhG_G_w`s{5 z02CE>1NMj9h*{Ztij&ChQwH!)f9soZFB;Si{mDXCedOyliO8i<%#AzPj2l)R=f@9YuSa*(6^Z>+0%Gd); zPu2FI8IZ?x)FTk^SLAQ9Se!TZQtU@$J6Lpg`~cXk=~V$-VgoP$+`< zH9%AZ6nQjgZ{ScS6%TzF>g3~Y-FzU{k^qjx@t7hz0@r1-dG&W5ppP9~dxu-hIGE9l z@tDAU6gNYh*F1^5R#p}XTS~#_G=6z(^@*Bxndw!$(YNke&*bKnFgq2E(pFkk#a`=U zg^CCV3}Of8-W6T7&i?J-&^l-ThVUp|oYfGy8e9rvi#AsHM#dz7U1+6svRQouDhY?W zPs&E9Ob(>Kd>8l{hN5bux7?pm!diOp2+j95mC1#U{jjtPH+D(V39WaOr`Sn4PWR_S z<2^Idm4nAU+sN-muN+njoeQQPl^NK32vD|a5xpFB+O|pD3D1d6)m7venZ=RzjF@7! z;A&D2zXc8PBA7^!E+o5l8J2y^r0*?5v^iWduk&jjJYQF_gjlfc0&|f=;rxXTi=4Zy za8GO&j%dm;ceLcpt&K7Jf$BXu3Pp=`jg8i4prg&9iIn^#?* zFO@S2`+=tKtVy>^0EQN1O2hfBUCVm2|b2+|Jbnoy_OV26()X| zrDXBN%|AyrRnos!pX-bdMRi%a4KoOAae|Stv~AuhgJ!wy0o>{IknK8&(fY76)?J*i zR3JB87wHOj|LU&3Q(u}=!6*7P5bXBf|I=>oh+%OVH~KjrUlHrTBB*d?R<0zSGMgI{ zT4$ZupcQ({u?UF$teHX z{#&jK6~zRwWxDMVMi+h^0rhG75yXB4i?eBiR8yOJuj|pDA?>n|z(TUZbuCx?Pi>Fr zB~Rl|efsUrw`Br9`&g?d2;jpU2gY9~S zQT&I^b$$TNQ4WP3-!7l|d8elSdw);&bWv>cu6a538Rz4~`J|%yJ$PNFU|{E0)-qHI zEka6D5wk?w1dfEc_qCTwB`IT}m@aT`WXoBwtSAe2=*Sg~Y=)k(^70;Sij-@Z(bLGJ(9Sat;r)Sd;? z;(sn_bUZAk-7_vZo&g8_5a$UReNx6-Mj3d@YJ8iED`*k1HQTk~jQ@oEiKIzutZhEU zlNBD6MyL?gL^xq+)Oe-ajB^(%tqhrLE$Kv*3Ej9Kb;_0m9(81^eZ?-XHuz_%RJ&rI z2E2Ehr7KQmUw?_dk6Qh(&g|XXw5w*QhX))F#Z}{HLVZsUw%nKK#f(wdkMM96JnKrw z^^LPMQ!4wsjo@u`8|;*z}_XQb@aBGMgo>VCi9Q3?|0q^zv za;^mB|9k&Oi8+`^&J`KUF96S@E`+7kgvVoTLr*z8Vjb6jDbBKLDWY*Zoh3OY_Smz) z&X$kGS-OSLwkKX8{h4PWXf8U2oNR6~s&PUOz4nQERPEsZYR4nGzTM{RUPNmFFNlg5 zRn5G0E07DH-hZq!7R<4Hr1Kj8w+y4!1Sfpg;HYCtSIMo3_v7*s)UycKliq;8)ens- zluPYNao9%roLF3V%V4I{BDG9LjNS1Tlqi?HIg5Tw?C6VF;daQ1K>j5bvTTWO4aAzw-e#QR1@OqT9 zl83LR@bwUOX(WS^`~J!TN)j*q#udkx%U(B2E)T#K&QiaNzG`Ryhw6TJ6w#USrzQ-d zfaqnkl2v}yGx4v!KiM;vD@%Geq~vRpD)NgUg?3W;y@&amc^v*b%ojHpo+1||WsG=T zss*KBki6bxfYt!ibGVzN2|Y^(uVuuqlm|Ucit4k!iBwhC#E7ekBc98-$4A&DX`5IH zmRJ9ND`!$Tco8*SFiCXt((bmlgw?J26R2RDRb=oVPC4ox97dl2fbEQU4+KEFcaE42-K^@F8tLoLGgmr!lHI*mHqW&=@N=m2Z|-zZIZ+DhILWF*{|DP?yv5p#G=W@twTT+ zSivWMT?dS!-xYxKK-9$ae347f(T)uH4Fk~gGgnr9I(C9vTc)J=$*wKMZBOIihfRp> zn1pbKC-B=C2Y%DQ4{bm@@C402>7m|jdO;fw+Wh5!6W!E?8E_5jP-Xa>)SE4CF26oy ziw5Ivyxp~m8(%W>2h$(IN764?jc1VprjfaPh73LzRmCRiT+bns6i5&8*lC}*V(Mu} zcE|tO^er_o4VPjxrty9Z{2;VG@m_Tnodixtq$~rtWcL&q*$g~=pU_Be8ac_wm#gH# z*@vdEHMq#30W>E%_W;biXXdo_iEeg+;=0??QDQ?9ZC5kvVsT|mvAA3B=udl72pb$0 z1131xLy70$rS5Y@ofhTdAKoN8tbsyKz5d(shj+IUTR@N@<$fA1S0g354y{($Z9o4s zYg=(#v&A~-ZO1p9d1x*S)4QJR9^Au#*f23gfa7o0p>WW5A4nkSn`vMWXM2g_71`4$ zV2`q&Y#cQQcMi1$bCiJqQwRb~J_kGdzXMF*)D0Im3VYc+`&21gf$48Ycy;5YYKy=- ziZfuFb3^bhc@2~|2KU=CI4tMEY-qIjn@7m09ErzOHdOJ`zF@5J4&1LHzZ&iocn~Kh zw$F9-d&!B5N_)GfbIZY-LJBl8jA?SAw#ZZ7KZ6Eaqr`JtVz^3ICmB9;giVb|=H=U? zK5361hm>*jYkec~Cb`1AWn->vtlsvY_;-l07QaNOTM$u3porp^$*+VV`r&@tuEH-UqWBhS6_T-92&G&6g3^eY|5qBp zx~{b;`xT4U!RRFZ50pkM>`Q{*1BP<4CqBZ9$2Q7XDSv=mgb=cNbmaAKGWdcX#qAGzF;@ zk=%Svi_#+pq7q#@to+-=A<+~Ot?}IA=$1O=`FHXL9zoOs!?x2u$si-}r+Jt!zh6qe z&`ar7$eA(Ke3F*@@T_+83=+hW9rI(HUuma_lgC~d7SRCu1#%t^)`WqIFls3>k4K$; zFGcXI#r_aI(E*JANysHJT}jY%ACi2wc77s$|LPgPv&2NKD&2mF?@;_se*)^UvT!xh zXr?;Sl$yCgKp<3Fq~>lUrU;N*@YjO`#%^84vd?4RZC*>;sviw!EFIJ^o-L!0?uZhe zNq30q5WJziZq)$@!wxk?=Iy;P{2R*m!oOM@JyJvt)neehYJW)M zjdf^wu_n;;gTmprvJ1C}AL*`(Q0%K~YI1`?ooJW?X9% zl}u`pJT7(LUTxrGzUZMQgLHOme7-Jx@J1~)Tzz*C`49?KH9^e7`?a)$Pz7h-P`I`!=y-Rn-&O;zaX6TxMy$e!tp#Q<8_b_Ogk@LrL z>Ekk%GNLj$_tw%A8GP~|Dk~3A?6_+l^Ki)40_u%jVuI7rpx}Da4GtpPuj{BT5U0nqJ0!L^-z!xG?MWVordSz(Q4{2hv< z&fN`#;%~R%>4)mB>IWT$-)yg`xIb!vUZ)Z9zAC&F^Bgx3%#NFB&!(lxs!d2dP`(G; zdICwjwfT^t#U#xhc*LmkCE+c6ys?;rl<=e!1fsa|fvX-fwJt=*Rd%S@?Fg&$cJ<>7 zP>;2pYhmA-E+=}+rRD&GB@ijga%#_5hziENspS3>Dc^Qh7;KJ$49-LL>i1pEcz3bV z_p*u8q>c$xob5xTzIfa#Ej)|P5nh!2d^ioieBtg;)v5Lq3-^)wRxOO{w%wY41xl-b z1xgbw&5bg3lI>s+^EO$p4547Y=e#`Y)Ti-FXjc>ToapGF!O>HUqsoY~;tk2oQJ4tZ zMaCv)pToOC_YKciGip!*Rw-(ZP@mjBpxeF0Gb?w|oZuwnoSE}0Wbx)=FSjhSEG^&E zp1VLeA>)KOZ8*jA8-sSO>A*z0)EJiPanYW{S1hSpb!7bk0E}^o!!I>)?wq#S zy0(Mk#TiotYjeDV&%9>FJ z;+2ixLzHiD*!faC8s^PRdukBk_G-K-Hs>gJfh8z@>kD;QTDnu9PK`xIaQ z6$-)&?+)lFtn%Iy*eZ{Uy7etj{U-XhJT+`uhkgTL4VrU|V^AdMK$xzOuD?tAxQOP_ z;&KM?AHC-dqYNkdgH*SXx66>M0x#9+ZzB7rJkTHlJNyCeN}BzYF(v&YwxhVnFFV75 zfxpofL$n!Wgx#e~_R$13xG4|p48>`^ML%nQdMykj`HVejIj^ni-V^5PE-WO{-$!sd z@|MtXtWCPeXxKP+EUb6F5a855pZrKAAn5cJSGwZ^b##E3jTd^7y5GHRtW^AajSLRk6rmRgf0OtSoOe3L|A@dC~5TE30tqJzMPZt7TDlfiw@^ZGg&5#MMD zzh%}hme2FXT<+v9AxvhMaxB^^;Oj)~jHR+$)y5R>FswX#QMjr6M{(4CqpMajZ}DOq zg<-Xv?5nlo2mEDnabbss`utnWzQ;3ym^$L}Wkm}|=GN%5xa%{QkRhvZ|S%;ubP_uiw z74X)n2$~jB550xl0q4KcI&Y6Ayjs>L#I7+V4agI}TKt7X_)$&6oQq%GxwrK!%@?}| zYThnAM>STQ$IV-;sKv|GO16Abvrx2v_o?lbhfBbb>QhtU{I&;lv2_0p$eZbUR0RJ^Smn zZ(19z`C=DSH-sRoW4Cf|(ovs^eP2oPPKdGls4eAYs71Ra^`Ym_4JW4Le|3+fuZmI; zwp%@MgEeBa#qVc6-Qop@BU?F4rwdKug%4Q?p0r&hdgp{G&Ad(>`Ovp-CFM)_Jq|sdjkI;Fyer6d>Zleh-A3NFLgEha({)7!$eSv zs*KnU^!sUYN8*hC`#n5_lJRtg{afQ~oHf7Q8uaG*yGI}X?!qoFH-I-2VYtoSdT{RE zK8xb~%L__$q<~HldmTac@?x{c6_%x?o4oAlhhWiPbh-blTTG)}<`Pg$R=B3MDIJPs zl-_07nN*MCFZZR#o$sJ`;U4ap)M7ykJ@4M?M{<-ZP@oZAyTKX~<}0nOW14`ThvYBS z%ZGtLj7G$%&sd4#x}ak`Eb(23Y&H5l#Xxd^cK)&u@?Z|ez4QZB$M6@7>ws zSsS)*M#j$tHp6D)YK=*LFq)E&vnm$!D{1>fa)o-b9UYX~ztwg&s z@}eONPP;MEAz1pRRv#??v=4u8*+e1u&QLgzi%t29G_PvK}{t}3K@8-Bk>_8ue$PWMC1=y0gg_-)0bVtf{qA7{8FpC07$ zhzyaen0QM#f{OM7Dds7~TNoY=R(>N6HqW|<0|G6d^Vg=o^669_;q^?vdf*$N;P(&{g~309 z+I=;4;stj8_X?%$7`JG$`TRu=fqw=E+H))Z2TV zcVcbkjf{2lHJWkNMSj$BVW#s0Bu|%=bAd$dfs?3i&p}qG6|qU9WebtQ=o<=SgErIU zYBU_3x)>qVE2)LkWx~LX?`A_fafT13&~ixmWV9==Ad6(Mf1e zSU~+?>^0FANGZD3Y9hI&2%W$<6?Dc^c1@`c0i;bQ!wII#QP|~Z>Ycr(Ty1CA zgPj49!Aq$zQVz#eEzn4TLn5=u3#4xw&ap-2*?Xohdt3s|Nr6?qcb* zv8}=~_gXv>#I7K961l5)be}pa^6pZUjSN|1ImVVvo(32&7fRck!eyF$a^N~k>2}f0 zXjKM=7Jwef}pz-#JB5Pcn#<^pH>izEJKup=ueaf-EQCSp}xSyemJ zWd4b4MAJkVuJ=Gb)@9XPtMU9@_)LnsuUvTzhuaD zR!^5}F+8Hi*fqtevl!yvs9P16`}#w{7=PKZ_Io!(Ly-@DlVW7kNsER)O{QV$ z!OGk8@~dbf;GpB;O=kKa;Kc8XjQTW}=6B*Ajm)k6&BkoIe1q zbguJ&52e&Q=5(ve^J!9Q2c;VV0x33zcynv8I!TpOPLS-bV-LPvS4q8kw;6;RIe&(a z{EYHg{;Pb7z>Kxj@&}{M;aZya5m=*1Y0np`1r-IKTC;2c{CE<}EdwLhN{sG>jHqSj z;)-wT-AS%cukc=`xV2B@_7pS={0Q)*2~KV%PvG2Zg$G|_M!88Zb2OmBQ?H>*r_+5? zSye2SgT}Ry4KXB6MUk~>0AiMNnGMVB`Q4*mdD*iL~D?Vd;6+P zh%$!iv7B0`CoARh%W!p<7vbC=&>-!`HP7c3Nb^W9qZ|`r5C2G54Ai7M8jK>Um5bS2 zFOIUq5E?Dyfe7`@R@{VYdZPur&%zf|u{5_-?EytOitrXYCM)CL zV>Id)FN}$entGwp_{-AFpP&3?Hj+dY=P_Bo5U~&wkQ@$gTl91MH?)sFGTX&L&*M`I zK=WPO4M=vH(r=F5Rh}^~_7a60F8S&`+g7@dF>MgPE%=u*To;S#x()6`cywP;^_ty% z-CQC3&2)LMYat65YULd7hO8B}Lx4ePQ0HIu!2JQ1uTs2=)i_i&(qk%hOpLzpVrle) zT90PvZ9XD2BT4m?ok~T#5+0RC`%M zvqB@R{md>lOX1AvwYc@&%G2l^@5@IrpX&P6#vd?jB9SpFliPw(^WU3RJ{>~hi`vJa z{n0SK;9TPr}(KCesmupIQ$-}23_(|Ici|3FtfSoM005xr(&_Z8` zJKrjXLzx+%dM}e>dc0JOctD=BDel&3!`+#lU>nUy{da-!cDdScvFTuS!54@9==e3? z-&%cK!9w&7i(i9Z)G0`0Ci4ffPF{Gcqo>6~-jU>(0~8k8^W-5$j$RB1eW!j#e_a13{at3mYFQf0(z!yEfQqHWkjuRW_ABgO%q< zZes%#ooJ^lYM7*6p>yJi*?zpN6%Ug>y%7&JHV40=2MOg9m0sw@+p?Nrn`IJbCIsg2 z99uqgkFq6;a;3!A9V;v!>5ZboZFkRLhuJz;0g_7YXxZBN0-p$8m5Y5Mm%Bhmc0WIP z-FT8D;ccTK5DKRp#V+Hijd~*B8o3s`sAKupe2J;P1%=EQtd9@aDe#%%;N_2_3qnat zGr^fGi(ss2v1cBvQicr^2fh8ex?{SU7(DCfj?H(06IZ0MWL@cz{Qjyd%Mso5U-4>1 z?7AqN`mF3@5@qSb#jGDQe1Tcw*G}Nc$j^J>ZvYpHR6RQN)%Xy6j=1}(I@J&73BfGC z!OU_~3~+{D4`1v#H6;qqw|@3$797Y1^G*fNvZ!gb4O`&8^#RQ1aLN?~W_h)M7o6?H z45@qbeN=*7Yux!cxBX-rt%8T-@6V?`bGTUCw09{Ab2pt9S@kFD*U?{s7X7beE98l@ zX{%Jd2D*KbRA7W;Xl{zQfb~!U51PyDT+-riA(=aJ_J+ZX=<+Yot$BWf4zG?q1$}hu zN_H~@#*p8D=yxmhFScAh6TIRcBQ?Wlrh!%jwO+7&Jd&)Ua9@(2X2$b>uI7n1)crM$ zh4LpG*)pybxz8iZHhEXumjDivDWMstp?&hiWA?iEz65S*5ZDXlpjltGfDvsh(}-YW zWv@Z>^$3bpeP4m!^Z`@Ei5bT(+a_0!(9gJM%UlBLM`PJau1W-6NXv9aTpqIg@}xKp z1h0;iWs;*m%6b!veh3OgX6;4LUH|r>b>w7q`5gG(hgT80X9Y_J1RcUY3Td|WSrOUP zvdoCY?l8ZEWjGRzo9lENg9If%awO&Upf@D(e{?o{S5<-8)tm3t#`RR<}HP`a2B#>K6!QqXre@M{9oSXEtWK$50xtVW?nGU^D)|<{~ z_l}GJ?>y%^-lUho=XZ^|myK8N=E=q}@zAGfkwPeoO7BRKmuOrWps8pt?Y< zciZ-RHJvA+^5(bj04iXfv;zpg9y;Ge_DjCpe(p>qyAr&HuUBV(yZQYX@aP5 z9VmW7^B2RvtG{_~w;55IqnMl^+_Yrf8&*t0e-%H1kBo=B z#1vs354#F;+ohvg9$5U{q@3Oio3vm49jE*~)$ilK?*VM|X@XbV0oBY&3ykRYsYqr@ zR_89!obm*(z;%#*uci%-+H7=u3+Ra__jw}9yOkZOjTOV}!;k=WZ6E zS0D&*jHtASBPGpHON^?GjPU&PnbH){O&g<5Toa=eOYxCA!;!iJNW@ceDF3s#phXr+ ziVSnH|MOmrPx>00k@2!>pf<(}1< zoCEg`j>bPVg1;SKBTNUttYMLBLXiyZ(|?}j|L=FrxJ(B(R`({MjlNU2p3-YszgtbC zuRp#5JMH-P4DBs=h2}ISPDLTpq$_TwyIe;+@Vora1%K&nQ@+`m$DtDy<)`%j@pfJm z$dwgo0b4oSPD?ZGml;HjO#k5ck}y@E-)d=YGo&UA+;rqMY@@4kEqvnt{UrYNJpRvp z=mog2CESzo4$Lgr-6nf=V?{4lq9#GC&Me4r2A|05F|u{E$EKWKLgU0EU8Jc0 zOZNtS>H`tv6o8*g!iM$cKtB&rA`=^RD_4tNG5q>he)NC-Yg7c%44s^Fx14U|JgYF8 zYy>=sX-EjURw0(_EOJciHP(N{^tQ8ApVOe-))tW+{*Gw9XvubY4V z^evdecy|9`i57GwY29q#@yn+2FTd0rA3AyS)NTah3AKci5iIr!(JN=RD8~Jrb7nRQ>fQ+7REY|6fg%)0)rFH zT?$0qveiE@v)=A1>%Uw3dD34dO7hiTr0494X^`W~)oAL`ZR*TQtJqNY7SptYR*zaI zN_NyVWsT0dT;Uu>o;cH7z(VYnp9*!iD{S{|{|oQ#=icy3{>|`i>ic=&ZE4NGiX?WP zq1WnliRWoS1<3dK-GDSyfcNX%Y4_P}UA3KEPXLD z<79ZGp*!-TJg%|uAjlaEq2Ml=tW>j5Yaxjd=1pncd_T%xJmz-B^Lm#BIdK%3VY@5q zwGWAj`++Z2-v!NAYe0?v2(>8Ps3B{Ijz8;6afz1jJjVHT6ELBojO`Ba zblGnClI~B~1KD|{@TSIr)_2CJ5VzybvF|iGOJM}$!ax#0^OC1>MJ90hn{Y8#p5dYC z%$ro7Sm)>AfG}EadI)?`nU@r3xj0pU3c9xAcL&9LOAFzk&qI^QZ=t#TfSpx;1L1j+ zN!1T*tU`9OIXv#8vDh}4c*C~;EPQg(C<%XNRWGl?rg4*Vyvp%KQ0WS!fr&*x zAx_9`Wr^n4Q_X}mi-Wd{Q_4@qq;Gh&T}!G{;9ktm=y0_XS*f$+cVH4H3|i;Qz(+AD zLa7y?ucqyWuEDTC+wGnhSzSC28hPv&AYHz8c*3EahK39mk*PZDFGEv!`(urO*ukx_ zpxRLdI|iIL7t5cKhZeorrH2G=f8@FBn*FBV$X@ir` z+?79!J-Dp}Pq~zvQ;=@grX{909bEem>u5{HSr^`$9eh(sc7#0*0HPM zx4>q`PaN6PAd3DUuWKL#pWt*36&ZKn9~0^5K~|$qjoUhx!is5tTI>2^m4Ln?WO)Y?i>Nb+k2=v9G-_E zE}g*pFO|Y|BOMPYL>0(|LmM-5iE7$Epw1F<3m3%QIm0PY(9 zyl>(!7^0+7Jv;1CL)ap*skbjZukU6^G={|L%lF;ah4Fhf{D=Y3WTN&7<;h>W)NAc( zU@S%;zT!(35|ZP}i-K~6k&J~&0du~OaEFk*-+-OX4nSl4nH06bAQrus`eiY23Se5M z6xio9qOoW(Z4pJ=R3Uxre#Jv=frMrQXX&aQlM)j*nM_8f@8s%ybDF7F?1wx^bI&3b z+1EdiIlcjveWfCl@kiAt59db3)X1jB%Gs!$nt`=>%);O>#7hy#CGgDEW2hnQdz*4P zvv}(_xzhM^z=k38AR$8V?{@tRt?TZYwuxs+?8#87GfusFQ=p;YS>mxSJpY4eE$1X( z!4$M|ta8?$^Or-S(lKENWQS04vcCKdsrnFHRr_+@7;

-78p4!+^CfSdn>lnqdMz4Y2}pR@sOg&qHNIPN z<5OmKb4ulNe3p#vc*rjUkpOj2+A4~&B5i4-EuPgb8#Z9*^cNIkzkuOy>+ZLtg-@?;hPT=51Mun0$B8#q+YZ$eo``wIa)q2kE&UIo~pbf^`kKE^ugr%*rW}P z$;ko9HPuBk>N70Lbc#yjyXRf+W(O!k0xO?fS2izG>^sZsQTOujsy73)4L(ECR4cQ@ z)MJNfi<FA{s z{OJ?H=J&N7rr2|!gwih_%snQRb;50rjwz`aIM@C7CH3Zt?OK%qD!s>)-1dubT~}Tg zvL_xw8ZMwER7b$*p{YnDn_RdoeMNOl{?ED*4N&qePBaxV4gPpp^WLngf4(Ctj6YSD z@mj^{UFVGP>MpD==I-re)64SXns$Nz(gIMr9{p9*&M1D_oq=9+j~|Piu$K)N5>GUH za!aOR<{cf+^hV0NctDv;h-vebG$6OIEVCI>GbsWvDwihMyQIY4E@pZD>&gP5$(X$E zPNJH>H2ayY(-8=)dd0+J&&X2)JAo>wI>43l&gwE`hEbl%SQHZkj;n8p1MLeE)IW=K zAv{cOclAr{l+!hyr-$AV&GhP5{2H=KgSzO}xG~rlFISGog$-;Q zLr23OL9>iAFgxP~`|>WfsaG6>7)egt#GHnQ3Mkw-jJ;X*jkhWgat1;A12E|NB4+7% zyRE18gv|7cbCYZ6TTUmbavD~mc(*$3NUkI$fvJ?DXo8Y7J~H&z!c3c^x+9FPCnK~g zMFm&9hx~qt%UZc|SG+~*JFA5uyjAi+THl7~Ni{)B32*AXXgBJ?=B9dk??A;8$B1kL@D}}( zAOPL{ocOFX(?4#)_?dh@0m|L>?|}RYCn4`A*9k)n!Q_`Bf<203-@jk!$a#aaIJfpP zyr941M@jYD=WF0h*ZOVfGpbl_Y@N9P^|*@4I!RpwEve*bl=TUiy&h!vK}_{)2>x7h zc^u4A{OjTx%zVCEfCQODaT(7VX|;s45csHeY%;^VQ-B7TNrzC}2d*=ldk7$eRSqbr ziTGDepgn2~r8{>Is^xD0Nbm5Wj0T1X121KSzIR~Ky{G*~Cs2s*M%=7&$i1Dl<&d7Xzass*gZEzlaPXH7Aq6w`Ha?Xi@Vk3^%(F6Wy(r|YBGOSomnfM<%wE20rM!s z@E5<F>nTSll1@dHlq+<|tdgZo{_Ql_hrGm& z!-i-|;i@0WcSda@xYXD?y*VsXN8B==lORVH#wpWhL!FLLJkXLPqqhuWC~k}3I@|fY z{(jzxiS7E1FX=RfJC|z>y}z!o=H^zo8G0 zR*OzlMw7_INqldp`7Nd@Q|{_LBCfJ(I<&xTgFA%w_m>^NSD$bDjkA!3<3fIl1i6=C`fmMNJ)2hOLxQ2 zE#2MS-T3^*>$?B(+0WkltuIiAIgj&*wZ043?(_U5vIapTFUW0DCtJpH1gjrrieDE+ zVeb2oHUq6IFe--6gMf+a21(wHH{7aAX}XvZi%`RcC$wfV8@Tk3oiH~~ zxtp&0r$O3Cl4Zs<$dxM0U$@LPZkd(W;(^P>eL4eAZ^Y1Av(+DT^0fgYe8?hZj zRVu!BZ79oyXYf4Ae7p!)^H^jQ8;Ka?XJR6OWG{f$VrvuxwhK6eTAVy6*?a{??+SAUgb{11ni8-9MRZgA+P@ih8Q4nuIf$PRM4A?K`NP}&bDo|)w^TgiGf<|ca`%} z2O%MQRjk)n0NgnSTtw+@&mHoAywoq>j&DMhZL%@yvJVb-YOXHRy;+`N1*gnfw;GKN zH1mo?HJ3jn6+%q6yYR-aSIndrsooV>f$#!t#Udkm2J@!nxrx!+r7+o5Hjs9K?Jq;*Pj~f`mxv_y2}+}fcxKKiw{x5Ri_LQl z*@s$b5?e0Dxt;}}JUjnZFXoQ&K5DE78Y$!dY2A*+)QC2xM^J44vaZ#d{4VvIEEAqjX{{(%n7SL5|OvbmJ?Uk zQM4^d|4vN0pfx_||Jf(7dfRV_=(Wv;Hp`CSvxJ3j+JBotvm4J1vx~dJn zOH}O7^rR~d+}peB4kXBA`fjvTAY81SnEqKv`jJhcjj{$dsP|P*Fqk(rq)BK#hFk~N zvO6jFL`T|QN<~Lqc4VL<8l_n=)MVF|`IqTBJAbEXa9wBAiMw^u0&@ECpoY*kmk|B@ zJ&l*wzyzStd07?rC7!+>=$T$mh#_3W8PiSyDi1TO=nTj#9Bg>6#@pktZ>*Cbv3w7% z@8*)pN1vgeQl7by-W7E$OoM%lvj}ezWeJ7rnL?5#(IqohD$M)ojk5>7R+^|Jv}#-8 z*uH8jQ`lg&q0?!g?taxqQI_pc=6(emg4{fo!6SOo068;ccL#n6(w)cL4d2L>qdKa? zY#-IYVm_xq?y{;<1v}YIiDFSDNE_`iP)>#|?)-ogYZfACN+sPEU>pR`Ek!g`+MJ5XXi13em4 zBhx_$Snt6KWzXRHmZg4=y@d_!S`XWl}$Dn}xmcHNNF$S#_U*f%8kx0w~#XhJK@80q|uPW!rOU-%Fh2g;$`4 z+0Qvp0IjzI{RZ7G%BM}M=apyTqv1&R(?r#fTQblGRGMza=ibrvwS8LIm;lRyd?tRL zpjnYiV3|&T$jdKMZ`Xf57teq=L}{zLcb9&>urVdU>X#viRt=&}8-3T59c;YG3D17# z@NGG|fEQmsY~b42LpdfSbV0a+4Y6%Z8Pyy}zZI3qgJDiAd7q3ZQnY?>M=XcQX70^9-e1`iG59l@=c#1$7na*f_KCy<74+nE**) zE5brd8zw5WDr99J&ifw;aG)rK>DH?}K_kMM zVsp~^w3Wju$OKCdLp}KGO1e7Qi-(x@0ue`FlT25)>PU{$=ifiO3N{g>&~*^Rr^~k; z=<|0YE;1Hbhf@D)g6fq16g9hVq1ezK5FI7cbkZaN||_Z|{8Cs}Du71UXpMt7$Ud>=AdjRz*U#bBY1+ zoXx13k+0Uj+Nd#Q@55(Kn`9i`O(KR}W$Ub^XZ}d%5v~j$_gwAN2rl$y?qs0V@)?WC z2=^q+NSD<5&mchWxw&Y&oD0@&A@2uNF>^N5)jVt%7EbQYn8p*l-rx|NxtgyqqR7;YlHo>nZVWKCO_Pr4gpl+% zflhMs*Z6)G_S|_yV|1VvS>DDot?Ye=QQMCyCiH2(-WbnI9DH^@=Ue7mQbFE9hmt!I z3okk0%30n=-}kg>1{mG=4n%pzUP>rTq?ra57CPd58#N-tKb9BJGo?4aeg1I*l(xeS zOx2+>KP)e8iHq4Bg1!_&e!56A47}?sq_c*iZeSs9FWOb z&=>UAIQpXuaQ9`}W-nd$-e(fOoL`)F7lIHyhvU@>K)n^E3apd5FI>F#x8 zCxIAsLlFhi@4z5lEcY%3;p)3569IellPyco;CulhG&423WY~30X``0tNOb~gMt-2SdDqm8?y?fY2 zopIRi(zoxSfk0(q>m4GdvVm+_s&DwFXIphujXJtvy<&%*RxQ438*a0q$T!x~ zxfO+WEyrv~;xmz$7QRKGTfeb(#Mfgg2VnC`l4nB1!U&w5fF1UvXw`c4-ZpcyS=rpj z@?f&?EzPm_w&=MLjZJl7hsoQ0^M}dkeRp3lx?VbVHV*}Bf|U682IU9+!*$8QzOBDZ zYUISH)4QdRqBzOe7ky^DN1#l-Yg$5Tfm|4Y%r0;{k2=&A+fezW{mf4YDM;i5&r~F?p zMdxo4gyYCQdV7XI)X$9`#Vd?~m@!lWf z#ALI-+J_?)>6!lPa$pI9F@GS|Vf3*P z)SC@Cc(?nS7Ta4EE_9R*cIu}4LpHPg zBf=LtOq+Xo4;(TSodT1%+yPe5MN;MsUYLcT_y?PRnVGJ!z1RfvF>+}Z(|!n{nh+3p zpgvunXs`QT?DJc=fVYpdVrPfDKcLc6Z!68RVrCb&t_XnukisxXKnz4jAn!%2rSS`o zL-N(S6ruho-T>!^N-BLAab!^Dc!aX-<>L5J#I&w2*-60F3$0`qTG+@rlle*$tcf0*wSMS5T6+Xv>#dxF1MUFRr-B&*^RGbX^LMW^fL5K{ zAc|!(2a*rBlvx+DOh&&dD2S=TTO)IwC_F)mFaJ|nz>50u>9|FO0NxXI|DS=&a=$D? z9g+e)o~^&-dSV`?fBzOr*QKKtTBhW4SbE-QE3V8QsYi^GL8ymZf>L!D#6Wp_U5Y&4;g7&%}Dgv%3@c7sGYm)WgL^d_cE| zG$`)?x{%TIDVIV16$|xzul%Aqsq_sw>4o%IWWtz4>=vUhb9*$jZ#lhv-tO#+k348B=TX zCl^X*rWY2y_;FEA_;P35b#gXHw89|Z!V#xROh}WE?X)ko6M~rR#ja)O*F`rZYB)Uc zAw)M$I=-Sqlcwb{V#!dW(}%}gSUD$8V;6ab`!Qgr$hpkB&k0;6u|wC&HXna!b;IE^ zxxF~@X!cc6lygArzq;zizyW@CWlKH2)1|Lq!tO-!y&8FLXZABG13U&(P-M9?9Eo1o zHdAgTT0s`~i{Ps+QtLH=JdO6Q6E1Or9f)d|t3lv}z9|ypZ1}Nv(pgxD%L^f7Ny9cj zy{QNn(sXwOh`%b5$qU)q=;meaf~N<-+UCOC6)$m?8AF_tbMR&W+GN8seZN=l@!N1l;a>sbyTQ=kyof5hgn3+y*Y`C&Wo(JB7tu z2u@I_*bzZOgSJlwmSBNRsCQy#Ysro@k&Nr;%t#KTVVnnmr;>4ye_Nq{V0<{;;!Q@dJToT0(6%EtM5znzXF6NCrE)(e^^f-`$ z_}+$SU*ln7Ym|U7VIZBg^i{#lV`_os8k72iIXF$agRaBvYB6= z`Bmy7$Zm~(n~MhEL}>fKw2`|N5%<^3YZvQCb^KFJ^uVgkdxa=lG!6cVY#bs#SMc`H zlUAFdU@LRm&WhO}kSSq}TWp%%bpspNsBn9bHN`km%UoKBZH&}0BzoENt@y)M-G~#k zvP#$GTy-xtV4jh_Aqaf^LCQsQ*w=VQ?`N-*0ZAYdWMjX&EN$lYbM@TA5Fb3g-2;c} zm_<~+jLL1clTu*1AUz4h!hq;sK@0EhOv|s7pDqy~k!SQ}VLFG_8bz@U8c^-g=GC3~ zH7;G14CCL1ym%Dwy(yRn-ztC^O1;Dm79U>#M8$;*$U4{8rzB(+E6ktWnjG7QFG4-C zu)cOPLXWUE6^9iH_A_0zI)hf>>7Y!SFU|q}HoJ`6Nn#0&^zKn^TVdhcJBFBb`2$gk z8~I~X#a>Sw$DtjV0_{K=hH2Zx?3`=&7fRow?ef5bqyRd)VxvQJmL!b>kO0PaKzJQ= z#L+egru9)FJouvK4($(j*Ef}xgVl%DgxuB%bU_AZ+f1BG@c!S zwRtW?7>B%`z|)VSs8(C!@`<|TIosq196%{Bww6#c6KcPff4p!$qoBMgNt8m1>GCX( z3tQ4{JVMe_=9Zd-&Vbai_c5YSj&wKmCm@sRqZRrb7vc%j{q%^8Mg{;fJIP&$v9OYw zC8zQxTj+Lra07E}DTfTx!91b5VwgiUXcip3>uZ#-yD((M^b$WIY)9C{RSZj-m9&CJ z;4M~KzQw?XXCT6G%#t@%i0)T1Sc|S%4HqLBheg2z0jtntmog-Zl?-ezZBRccJ0X0k z=u%sGNk`rT_zr=nf|-M+kjmF(geeC5g;#flvwWW{q)WcTF$Ky#yg15;;OT{cbCIBR zZlq<3GGDiMpYv}Q5=&ovjZMSiy?f+YwKwowOeZ%z)QM8P88|v5)gu#EKy~ zpbT9-do7{XKMm+Q6_Gr4=de|YlLkMMeMxfxDpf-zAoN_RW`f|Y{f-&T=&E%9W{9)w z<#2a#czW+&IM7A@ph}>(Ye5)bJ9GhV-|^8E{SpE9$$uUx6EOY5)UdrbiJ#nrR^n!Dgo1ep3pKE1y=c9-#f| zFGkrqh7hqnZrkh;psg+f!VzE9Iu8u&6Pcgp9^k4cH%EQ#j4mS$2T7T-2?kcmyrUz@ z!yBi899G4N@M<`sUUl&%^PZ4I{8PICbEm1&t>;F-IBaF8Vre7pG-@6^ zRua3Zr&}R-7y`1uW@hlY=FxLeLn=Kaeli>Ay0`c8eQW@6l_zZoe&yVyzZLNRU>-B3 z&SAM7!IN)LO<;nt%BI(<_(OMHS z0uWz}gPSQ89_57(7_snZHqAMxU*GqZ3q{}mCcR_usB8vu`ncQqFduz7>rl*U5GWl? zVYF8s5vd>Hiu*9 z5CoRbE7by+Le}uX<$J81x$2nMYw4csIjURAcr`XSn_nN>bj1u{XlDL|=YVq;!6Y4X zX)%A~l=?LkiRE$YA+p3w-6Ll2WNK&Ib>@?+q>rSzq6Y6B&<0k_ReVSs>vZ_El^6O` z4%XF_%S4Ules3enX0)qCyvgY$ecG28%R!18jBt(p{O~^6;UpvTMe1FJbwK9ocPfwF z*-HJ~OnreRI$B+jx)@`alblFR2^;9?_xsX($r;2>f_4)11Q_59=&in+aN3#;--}LL zjrgL^fYMj|k;|5hhDwmAjIv#q7<8v4;G}0ah={JWNWFk)Zu!CCV^O+WlG_{gt{8g4&$Zu^%69>1k$0g!Ag+1>_x?D41u~=U#0&rB|~pM zhVaf5k17EAkspCS$N*e|b!eLCg5eP6j9>2R8aHDx)hrv5DKqXuNqaYAQKg}mTpPSc zKgn3BT$hK$Ph0cNhMc5844w}>XOQOy-~H*r{AR2rYP{sijuVB7S~hdn0K90cor28YgRFn zOz}f1J(;$sl7^k*^)C6m3m5^rxX^@9NAL^hhTf%=`ZCD6q}D%p-5>RuZX`Nzd5^(k zR>wBf{GEVhbUW)$%I)^y*@o4rD?n?A&!i3wW+j4hu35MJ!dyG`g=dBm+%2o_BATh; zZA#h{+I2>jk(MwS)I=g6eIT<4jBIVBIW zCr0{`Dos)+(c#B3RJ150+y|u$gZf?D%7L;YmfjCwVZe`^*596ux%Y$*{Qbg2A|m zz5hq{<3xCj8p&wJ$#ox%o>f2L4jxT|C?$2v^s2pp&IE_k`3uCQl-h1Y{v;#%UJ_Bl4negBc=Y~4`aMZb`F_{T+%{SBW!&?cB z3klJRet)B{HWOY-Nb)DnBS07_KT|ZGI3I1wi~hd>gi=qYo)1e+^u-5;{aZn@=PC$^ ztaUkE!9PT1_Lx4$J>Ln)%3SmC4W^NQ(+IjDt=dbO{i2&4()j2=HG=1)I#?ae*F6ad zs_dE>+hzGP>qe0SRUPhi`t4mrqIWy`(z%h*_`E2@Rj{cW+Dc<(0q!w!Q#m|ao-G{7 zY*lSMZo8uu+XU5w)k>x|-mFk-J0*8pYDn&hKNilix!1K;(-Q&hs5&Qsv7kic*bRJ@@hz$GUEpL3$Pmzh zrQG*Z!Bo~aRe>jaI?0;N+86s~o zs=bbc3jx3Vsv$?xFKLr1f%Z0ok@O$vk{9`I?+@LDLi&X6^ejHTu+TSF;|J`~t0BoG z*p1Gd%rZ0+0yV;dTzxVkGeNh!Ncx)WDAk9IDX`8iT8kIO(GuVg0hJF9SgB|`1A>as zW&6#EudIwsyV9Sue)m@*Xhrk5Jk^Xp6B|XI9y!VsbX*C*-^ut%I>P;7P5f`S8G?h z!}U&}-PW*>p zfb(chD$jCHi2ll3nuskg5f2pnGedpYNvw(pO#q!>n9L@OBz9gyIcrzh;RsIlhaF2; zg_|5&{0>)5Zk*5>k+15}Xf^GJ=$<5vwgjGd39lb6$Egdm5 z8TPJ3JJ>{#Mi$|G99OimY7i9ygVVWcs>)WW<`6QH1UGGZ#~Ditq~k7-A}_~UO#0`+~6W0fFiJ<7G4 zIL3wX8!-0EizX4tm2M*K5?uO*uWYHv)8$$c%*CzhsCSoOYXxVZnPxvlxVz_Fz^<8{7rUcmYl2O?n=^G?)~K`tk9gg1NxsqVP|j*d#ubT zEJypUOQ9ENraA?K%a+bZVxSyI-br_$=+@DzMp!|tBPBh3-qckkzur@S^^1XQ3{)DD z3keHaYK8%!KX+pLb)3rpj;IxB{XE*bs`784!AmmH1*B6zm;t!-S`0@J$TIKt{|ID> z@0dEA6n_VWiYZ?>c{S^fZa>@}rl=Uawh@w;E*fsLf(DHXvt1Y!2u?(6V}<2T@d2}# zs=9nr5O{pee(uXn?wzv~jMqah&c9f2>D+qZ$nv!0I2ap%ekJetacjoatRHI{m~=qK z%LWifXiZRz{HMMoxLH@kZUSEP`KsgF zM9STj(OKx}lwk5W^$ec4TQJn@u$4jVnMBj;o0!3bxH90^|1JTDdQ&YCGrqou&3V5Z$+CFtu3h z8fNjM3(K1iVCyyQfI;_y<26`N;>t#Uj+{4Pz#CGq$}e<2#xY<4)`Pp1*DJ8ELJ0Lz zB!g{Bhv1_$x?j{+w?;yRz}Km;9xag;!4nGsX>jY_$#Moz+@=>sZOnInH<~W$Zld<5 zq6^0u*mqM%+2*Q~M>QYid&8jH*$F#)y$(3;A~G3nx8t?rRVcq1yoT7iV-KW%1uj2g zwCHtVK=5Ukn0C95tP`MhGTxfQY_CNrW-t_6VIU>_3WMIEZ;DCNs*#2wkP8J`-$*JU zH+EE_F1#8&c8dAFs-!hUn-)nwSXbB9JBsOOqFjlbNO>TO$ubA%gV1++R9C?K!E-xa z>=tE7!psflvW%wFeMV0~C|T5^^aweyqD4cHORM7SG0T|8thdqi!bHtIzza@$(s1ui zn0_n=;UvRC78jJSy$H}bNJn_@z4A9hcsFA2UZ4v1Fr}c zfEJ%B^0)7N0O5kqJ)V>)4f#G8c4-p0CG8vkGlW>)lARQ-GiJJJ*zP!N)w_ZCO#Ft* zR7nyC8-szWRIFDbXY}VKU6l_@o@5s{KrtEnNA>6GUYG>AiT50gL|%vj-X)f@9&g;Qu7NG?p1uRJ0ktv|tw}KPx==A??-7fd%5a1WNhVNU9gI zePeq^;@x1m6Y!*Qme87t{mU?cDUxlA_F=2KR-ZGnj*TlCdF`vS{@1nx_-2hPja@T2 zt6!wAPdfF$Qka(ss``7{;6AS4Hloi^IDU{@BEWIrzeAr)_Nz93WjBD(r%+yvqo7hD zCWEB5wDl$D#L$|#_m6KqUs_1JXb7Lucx6YQrH1@h2~g$=EG8dysf;9BYz$X+Fyx`K zQWx{&P#H-5UGh1w@y$xJ%ElPIBhQm(1e?Z@n>b?Gh9&5+#zJ70r%x0rWuq^C)_@z8^E`!;K?r1*Jt6c8E$sf0-aTS<*v_Z##qr5o%bF`&{u$Hr} zW7Hd+?jhUTW6hZJpfkzHV)IjjGD$!kjPRc6qC$03CkjO29s3D*EvO=Pq+P67i)we~o_ z=b-J2B8J`U)dtC-3cJ3VL*!_L6eq>6Lvma=+Z1=2@ZCrhq!ch&Xv%kZGEB(Tl8XqP zXAAwHl_KV~Qcf;)#vD2&?e6mTKFK$rXHf2Y6a4EY=hQ|M4<%TAD5KEw7HkL_a&(vq zKn@pu9h2&E+OpTs?2l}Nd+Slv3LPLuAfmW^OAC{V6R8YqJjn;Q0akqdra+pdEV&S& zm7mYcfY3C%z%coXw}i^J!t^oRXH8)CBXS4kFu6|EO$ycEA zprlL}d_~J3MhT*;I?7dOMpS1*_hl<+6-VIov^A-$(=5aPL49ck0pur{jQE(xVH0Iw z^e14?3Ws#K@fcr0&Tm>OdnZX4cktJ3_x~$CNpW&8+wpIF(kMuaF`B72ut^TCUtgPt z?I)CHf*di4vF4Mb{bC^%YTO@Fe&E=_@(N>s^2%-+28or4V}JR_f%b~}L!!ymY04h~ z4fp%=m$et$&-EXTaF|iIRR#&A5dD*|luZ#_m-1IH0K|?>RS9eV6?5`!W^#QzD#8g; z2J#e)xHotW1#FzvY4mP}zG$I=ge~B-=04^Ov;n0MwFygFchp83s=eB4Zga2BOt?O9D&!lo@ z(>~qpQoi|}5!KPkBJFoNOeS@FiSZZzG!-tQ3(N*uGg!-oV^KNL&m|*r21YG=>{B48 ziBHVuFGLsqO_f4E@cgAurBCJXjqg0a*kCkATd2n1+6l)zFoUTi1Ze9_F6ZqB6PE2# z>+T64_rwUG&S(S`OIs)9tVWiX$ek0~EZ5gWHtyb(a=jn? z%{O*DT$ze-H9txsu@`5qFy-Gm&UNJdW|P-8sW(@5;N7~S@VvFu#TC}! z%3=-beVy{>>wl-8$r(GH85bLY{uX>Es@WDNmh+8ru9qfIhV_ZHx2Eimm*(w@Gx5lY zgE!QOf+0pmMTxS7Mct}+=8^=yLNQH>z9gTQX?-z|_+Me>H33W6>B`(1!!5yZsiMTE zW0vdoc^CSw52VR1y@O%FC^mjHx+%K*tBT$GM~RR( ze|VUefcIG0N72R;Lgdv@H)_=^NxHOfs^ zUl`cOBuosSJ{-7~uh5e|5`eCRL2&0ruv@?^x)7CTP^#IZib1vc*AK0jB3s`m41Kmm zpDAzKd(to3$bvIV(%qy6!qr?idLAms=xADmBW6u};F|m%R%=?m%?}m3dv-SgiIxAC zGdOOs6||>~7dEH=USP}?MHVVu)cRSe9BOQRD&0z#3TI=$67vW-sl4kv0gi(7`gsG; zS@j7~vzGs6ueHW8GI=xqEx)h~^xhsSqp7gw!#)fpPKOD0v{r`+#id6>?fX?2U5PG|!hb?pj84Xyrr*U2a55Kcn4ryCss2lmD*vbP z_}S1YFbl$R{z+EZU7Hc<+*wjtR|~vnm}1)o99pF+(DH6j?sUpVaIw@Z{n&${_Mq4P zL9Q@VjzMM7NShwCFhhSl8HMro-)v!t{ z&q)csrKs@KfhL>hn`2J2H%Q^NUuY{BenV!jJb%y!WWutf#0zwTV{`}><0^7Myu6JJ|&DMJ%o z5VyhADCUM4#L4owgJ7`FB7iBlY)ggoE6N?BW;Q?3?TRXc9EL{M@p(9Vh``Cu0frUQ zE3luj`f$#WUl7iQkFsRh$6SrOo=;5y)W`l+HJS%7V2sjmvd#W`wH!}C-E@U*R?!H{ z2O-XbV*YzwH~r>rAJ%q}7g-a$UCMrBPoYA-fg$iQbRlc2lEj zdd$l`% zY5hfhu}AcY!Jrs{7RRjJtZ4v~nIr#hLAn2B-cRy786-oBIuH-{I??N55{a!5h0`n_E?@3%h?o!M0L?N@Y5nyI+oAB3f-!~eS!JB zVcAGP?{duRr-Y9-RyZ380>u^=2>)??)ti51ct>G|a}{jNV%N)CY>m8*{5M6(aQc6zC;?4d z|4*dS|0)G_2KmS7x<2jK%QCGn1Chk}{@SFbbL_uWgMlN?3nwyRqe- zcCfm!jk<&O^4e6W5LATgiJa~Ij0on=LNn)Bm(uw1EFmNJGI?qMz8_R;{J(rGaUbGZ6o|Yk>c`RMMmNQI?q@+(wyy2Mcz;kHYQ&;X z3UVBBk~`I^J=^lfBI@{bx`;*|30O1TiW6LXk%2 zG!7A1NwHsA;FTflN9M@|M!PspBx%wcIFJLT1Fx>%A3!AU$K+Xhlvc#?&C0}sZk%ICD68c18T9ubwjt)Q4{MQg@qCk3o|{TTUy=XZ04 z+%Tu*!kBk1voZD@-5rHTU4Lu)2)LBAo4x?D@V?_D>rAb}sdkK?pT?1Lbx3)|tWM8l zf;h*Y7dpv&tX|cRyDp7*&6a12>JQXYo3~|P>H()BnXl9vZ+W;?ms`5ltIk3Ltmo@D zoV9rW#wCr76MatZxYOgks0OFdxkvcKiS7^AuuoCYu@Dw)0Wk| zX3$|1mJaQX*wFpAL@i+GqmXZ|oTy{|F>Ugh(MV3w`|kRvKoo(+uX|II`xy1CKhPFS zVVtYGD2ks~vZ+l?NdOzCX!9Z&gfRnjf5-XUyH^ER;UGlGtoNS~r8%2X8L`vA^1Q_& zWmR48^h6S(|7)g_=Jfjf*WYS=by5FBKO21P!s9Q9#nF7V!zrJ0rX^#E2U|*`UEIE^DIhi zSjEPo0I)>|Z(TLQQZ1S1%fk|q(2$t)Di8!JDUc%>?|18{3%`_dHwwA`sI=&Q^cpv@ z;t(Gy5k7#Ctt8CfqzGkzt?uZSVCMa4u%S{@s-R6O(^RIfS-RB4t62ROwHU3W@z~ch zJd+jdoWfpQ3f%S(*2%Box{HMA+^=2e86l}r7E59iM(*DQl~LA$V5Flh6d2fAmh#zj zL!f>-f?$vJe!~JKwE@@k=LjhY2z^@w#>l7CV>W*%fIy;zDWb`-8t&epW;?_wfbihAJ5 zKFwPxb4(I0nNT-Y!ef+~q)l@JeqwrNocNzs(kY+c{D%cVfFx#NZH~F#W$Y?lZ1-!- z)a}4Jg|SGQR&Xp=s?BB<#D3^ng{P2Q0JE7(It>{V_;rP>0?rz`j;fGCHv`6N)_wGF zc|C%R)BBc|VXn4M-p@I6+-h1-u>z@4x?QF*y4JvIcy1a9EEvUPQnn0bF^fh$<^uEN zd}=_{tc+#JqikFCtvfx=3vSTAl8Z*q4q)-`m2}QmG-pVk8O|NU;c6<(Q}1)ZEXH`% zBJ4<{fO%sUb_d=N^q)fBGLpTGh(0acQk;+CtCx@2l@jnFS9bAB%FtBz`3=NhmX<_k z_1-K6t-NC!Az^G5|8x@nh9#*Pmtc7H zz&{n%KXA;?ejDt47`ig5H9M(SEpQpCf@q%qDYqy8q=LISOX2+SBktR`@}=^77-9-7 z!B6U`6bgoa4Npny`BA5LHoa8UKQz<}cmjDYt|0tY>`mnNXC0_N^u)xTG&K?=8w^0} zH}?(%oClIm7p%1o>&wf_Uk~18Cnq_62^Khcr$M?H?2Q=3B`|!2k;z+CV9T!@$)%?M zJ|_%6=oQDvNT!7|rqOPqxEcX3M<0Dx4rz*1ZCP==!Ea3NT&;`)+91XtA(L)K@zqQy zaOc1K!RXA4iq-$1{4B8wV}vxNF1U+h)^-`J7Yrz}q7c0z*11E)@5FMgiH+!c9p+`F z3*GYxDh~khaRV+JJWfm{lL2DZdqc>JH+wG9voywI8h%aD*Xh$=tzFC3ehnyPq>Lgz zPb7|UYkJyS*Qr`hw>p~Mts7HXu!^-`7K{<`xnF?m{WE=c@Kq8hDq5v9C093ke_Q|T z_}fKwcrcSbq2pv0*=U}1k@3sQH4EmP*0J?Gg$d49xahRE}3v1%x=CW<>E zHd3>#&|KC)PkI?WM3^zT+i94GB;o{}t6FIOSZ-v+XrnI7TC`!f3NoYU6v0x`Qomn; z3LFP>kcavEA7P295z;ZOP>LyNdi^N%QaM1?dhLjm(-VD4;)W=G!cxSOE3k)T)IwkA z5d75>2@CU%QtJf5MWza@?4DnrVRCgxMM!rP3zQebM$aY)uG`R{@MfQzc2Dq!@s}f;1Hv-%Z(;PTa~6k>hJEUlx6D22b9CE`p!*z{@i=(h*y zXQw%apgM!D@Jd2^wZ_N`se{9?Y<21jFFtWpX?QJIHQcWzh$RpQA<62zg-3?RI0nk$ z2E|vo$@&s83ysdV7=?6h5a4F`GLk6?O*cz{xJpINnSrkg&2k6{_rUMC*R=9?Z)3Yv zIA*$W=x}C(+#?=QlMYR-Oqs+2tLpgTI0?M*UiKr;6YTRaj3DG*q~G8e{>5S@r>Yjr zKabbn(LGw>&|}Ibcc7fQ|b-Kd5Um+;IC1&sm9Wg&JO=!Am8oY7TfsWooU{J;TZ*xi_sHT}cZxP2mu- zT6^b7(Ofl*3{Ts=3jbt>;D)>1Pnfau^~HA#eGi_Dr{bDZlJk`_l=}}{`!(_-0hVOA zbEck_X@q+YUL~fUZbYm6GON9!&viI%e!Yrda;*|qZ?zg*(avWM3>WN+U91cg#+)n_ zCD-qxgN$3WUAaz`=spmlnDV&kFWb*m7>(X7T277Ug%2;KJ@pY+Palb|O2n@`Furs1 zTlvr<^W416^0QIIY3Ot5l%y_h&sQm#mqq*ZTpVrOn0LDGdA|H6eC>Gh`A^0+n3cc6 z-k;&-bQhTQk_PX01}n8B1d0SWW+;QK^8WttlOpB)T;m0w(bkKx`&*+}BWrWHmbUZD zMDclF(wXxox^;xV<3R2Nxf}Myr4LYeLiI|D-ZP4awunZv1@2Cz88&UQe=FH2^E zaMUPM>^XW+#oMUW3R~HX0#VE$t8Y2Js~>{p_D@okI{ioReMUE&Li)AY{`@R`xlv*% z<>mTJbmr)=ZkJ`W+I;bo{!Ps#=S*u&$!Lx7d9_`l(JW>Eaqh0e`+TixN5g63aS5Xy z*5%LF7%vX%Gy@bjHAg59@eLYSPL|Yn7k9)8ZdDPOXaiP5!+|)XQ(W1h{^F`4dhtfH z>y<)WRF%xcuj4eUp^HaS44qcm<>q%+XcFVKoSHd0tC=~JCJ zmLNAEvtF568{%>t@SHua3HCf$((Q{GPrk5!xiY+CZW>n}sCxu8=Fe8x0@Z2 z3f@EB8(}}%6s6#hms64#v zE7SF`9>0>_q{?+X{$N0=O|AI-wxd$yv!Cz5?=4G z8UM1MTc9iEfZ_ZW9Wow?SmL|udTNz_Ch#~arxNwKih6bs>fCgH!Fc?mRmUvH``O?E z1~H4qFbZC~S&hX<`^a=A+|za#n@~@wab=Y}QfnPorri(o9pnaslxOHof;KLL!p2H4 zUzaSA0)LqyNGA%bq^4krOYIK(7Mmzs`xWDf=d-X+hHW2#QU9aR=Bnw0(3UIUzy$i^kg=RD7 zET3eZlT1g`2WjnIO2_kAk=0@{HKveQcRvlAOpYs8dkG34$K| z7)Ge`>f4i}4d&&Z>R&t@vEtslE77*-t9*8JBZs^MZYO48Clj`JR7PdRMz>OvCmun1 zrH&&2oUjrAXD|)C>SOr1pRK3DktSqfz5C25V@k8c!9xn_4~=o)HpfUhtXvjQlcsdx@FNPTu!$w6r;#`S??8b&K=rtXvM6a)E6I39XuIu zq#>wjZ>)8R#k&?t8DJSM+eoxcKvlha)2bel#nJgn;W{Q;W+JazteYSR!r$QIy&I7s zrRu~T6K}K=K{p68vauY$RM5m&d7}}wXn>wE9PE9{DKkH*$+%7JThh)+Dm!EK%{OYi2-fD6tQQ;T z5Di59V*kR}=!17=5h8R|n&Ov`iDQhlEFn9HcX@<&+B8&II@z|`2-9cpRrUyWZtz%0 zt%YJdw2`M3d)w|s{RTWla|`uc!V2jNzt$CUXgcc~C*2ZW9d-EYv`47=)xyiXd;(n? zRYT)w3BYyTG3o5d-}-|(&vlDp&XQ*p94PSf<$lVfyv4log(er4BXQ5Zk>vbVM1Dgo zKjT}*gdXW)DyGAaKK1fX>%sCZ=&ZX*U5;9yuh-hswDnTueihOMlyLS=fpxYqnBC-b zK6VFl^QT*806`%^!+5@jSElzVGY40@z)o>*g7AOhlSfLn3P_cls=#TQ?nR;K#ll%Ot=FyQI^U; zc>1-ok-FkE)0yZ7HO<=;^{2KAZJ)gS@PAt9w7_K+DWIy-h>qhVyT-lBU#(tI(^IFE zZ}dLP02e=-`#L8ku+5C%6#5odiuyTCRlU9W`|$o=i>1P@z;I&Lj!BOt%Kb+k-?GJU z^vjoQghLCCxekwj`8!UACvXS6z<+380zqE3ZTs+)v~(9&IYctDC)arR>W`4V6LU>w z32}>{m1{X1jwM{a6U?I8h?T^Yqw`)4HLxI)>HV}`D(}3=k>nGWGliUS#-wf-508Dg z<@Ez2LIl>rjm&!q1*<-~v2Nxx-!}Zd6kNS;GW%sK~yRhn)au9Mj^t7^vVj;G^`?0em5Rdp9RBAs|Qs%f&Go+tU*H;>xNSRa?@W_;wN_b;w&ygqR>^+BSd6=E&KcTa$-3E>4_@P`G6N))(PosIxhRwP`(c!eIikN-d(tNm{SnW&= zY_z%=;(AXQxf&}xv#m~jXySD`ZxwqNxPyt6wC9edzD>ug{G89U*_L(AgKMo47S~7f-&pU$ zE{zc8{^VCsqQ*}5qGbX0?Fw6}%R*Z7F{tcY5B4p`*qx`cA@ylaxW)&+s@~K^u(NuP zK_70|eQ_*f@?6nc-E3?=ba}3puy{dgSWg#QIMy_py-k+A-OF-jagFvmmG+(Ca-A8k&ArB=Ot1eb7Y_Iit$|b za1ti>e9#^3Xo?%`=I~ulO@EGcn(Rlv`o5p;yLcvo%p#=8-K(V?;4F9?W6oS(!|`s= z9?3LmJ_S5IZG{ZM?_h)jR} z77U&fKvvv@Hyt_IyPuzrk$tKtPM7xYqY7NLZC^a*l8R_;YmaqO;fPW|glHYtEL#qs zb$oif4!|i+Ih-06!MnH3BF74~ucQ8CYn`JfYL~=!VQkAUelqbnZH)Dg*L3XF|1L;> zr=c+1=;>Y#9Ai(kuD-TeNb>kk9~BicPZ5rnw)o))W^Bv@U*mbr#84lmHJ^n*#vOXJbF>w*vsd(3|7!nadNHL}@t| zuCjXjHje6tKq9k-#EcPbPLap&e$Q1u7Y-l^cK`jVBb-({X0sWe;v>B`h2)%t%Y|eI zR=OL%)};b$y)mCAtfRG3EQ3}mC7{`W#&5eqnlZG(A@(4x3a_WUssAw-B(AYOZMmJ% zrg14nIc}HwA*Ys&Az8R<3~$%MV`o{>s=lZz%Lcz$Zho`AyBQn9xhf?S1AyDC?eLtX z{%iAdbbEsFfCf_e^<3)eG9$7Ye}b_78?(%qcwJ;8WdTsHVR~;(R`M%wRw9~Bc*H*# z1$Ag82yD6OU4}?gXTg*O(e;qDrtB0bVK}FTdqi?!9rtm-9}0#~WRtk54w=I|{v@UP zbRg4Xn^uQ%YpzhT{8zt}Q>0IQ6yrC3a3O&gadtCTzoycp_*6LS2C}ScO9M7(62_}L zS%Gxra7Ken4Er@Y!?8|bjy-$uWtw3&XCh4Q$ssW1h^Uwg=2#iLPFeQ-L%_02Di&~;}>*~-ezM6cEnN{ zBIIA67QuSm#!8(@N;43L8C`_!Y=ucyns!rFg-x)EHh0ino>}=VH%`78clgW^0a+Wp z(#57M`%~>umP^^XG#XBt{S)3jucf@W&mLAMtvP;|F|2P_+s;%GnyZkcOn&`qacv|o z+M8#w#$mA!sLtcrh5H2O?AdsMMa?%?zye)@?wqIuRu0jEoO{xIzNo%JmIFW=|mkZw-mSDoQu8U#u@0B|lZsg@OJ4EK-Q0xV|jm zvD3GEeqd^Y>eP4>Ty_}0hp2sz5iY!Nceq$zLZ2u3gsBrst}=8M#b#@-r=Rzwf=Tig zcxYiDXJez7BGl;WhgpB{%IMpUDdAP2IJ$%->gk_ED$QrZC#F2ERKAGwB0QUdi-Jc1uHWSdGB= zd)D$dx}l7iYML|_PSXB?G<8ZVt|gQ7hh&zA+cR~wOj9B$)_%!^d^d<5_+m2hSR;9^ zUr<=jMTD7eblY#L_Dvf#lJM)Z#faaGb@I%?Eq#n}cD!Tf_UHG!Okiuq+0mAE%13Ip zSm{&UZs!8ud!|pL)doxp$nKSEmZKfdvGIqJ1g&Ck9y_jlevXel=|z*{Jm-rQd+^ho z>5H-?i7ELTf`pqE0cwrdfHG--q;3=4 zR#EN(yE217eA@LOKZ4_E7A3yL&ImiAZLp=-puN+7=%TP`?wRGSRxCwU-|3|betG|v zwTc4&vuK$o)laiug+ufepJ4k)GRE-6RoLUUo~ef4=#>$9?2#k)13;RH z=Zuj43VV-lk&JGJ7Au9RuW<7s@0NsS_bNg9W`I5OMO;hnt6ZE^9pvU%v~O;L`nmB45T}7v&V$6{jL`Iif-jUC4asYf1FEELb>? zOUj%de2`FOJ2P2fHU5**zB8QG zj|YUO*a4D4XFNz`AA1v7d#GyqnQ3BwhxQ zcZ7jVja~6&iEy*^lh30Vz6&4ho8qBIMc=q9pho#t4yO|g^p@|Icpx%c%@Z+nCV7=a z1X_j^6&OR;{NapQQv7xSIK@l`;3k&CUsXlWhz!j|1pf7geK2(H>Hx_aSMm5C-EdmV zUiUK4tQEaZd@S>!=V6`*$;RccL?=OCRAi&VJq$B5bzWUR-w<~?TXnc1Y4)?-9 zh6^@{6*~u0r-x3+d(OSVXrBQ6#H=+4h%y88i$6jgu^v)&SHRN$rLA%C;RQ7h6y~97 zackayI#g@Qx0vRneT*rDyuz-ay)v1rJi~9eF{t2*q_E*q7XKO=~ubAiXSnS%>gJWl7Ok_jB`fHUsvkEO<%Tv zCQFV1TL4JpfN3@J(1K(n+E$U-w*H~7*8Pv)7#$o{VbE~g8SoNngeTy7-MSv#M)-Y% zKm2D&p%<3L7)D0~y&cHGFn^8N8i>c=;C_7M(u8}ByqXW9@B0eN?EB$+`}JZUM~Rzq zh%;*cSV1p4bUsQ_%op7MmORU>3jg8Qqtq?9meHTt>AMyYhKbZo(kk5leAsul!US@x zvMOp~sl!!tvG+Z}i;~~6_S5;jr~99^?d!()!%q7!))*0o@dq1e)$TAk2W-v_z+C+? zKYWPkvMW*U&n{Q-tT?dmIL_xm2v|9r{*>uQ5_igk16xLng|^fjKde3Gz(kuK}^ z$RV|H%BS;kUlNEcvY=lhhlUhG7^9W`>pPJX+3^k>g=9+q`2_#%g8pZ}`mcYIeP#e$ zM~@p|FeoL-|NH}eAp8_w#MR$7Yz<71p>xf`fB7`> zf3Ls4cTOJ+s!umaO*xiU03v7&EXk#2$9LyjIZjrL|GBSh_`aOg(?ftp#^)<3wbcod zMev48jb-$If{=~@bbOm{Ur{WuAEvlyt_PFaqUJqMB72q+;MSQK%c(6LcmQ&y;@5_A zWyCWXv0p{s=!FZy$KU9<9!*R#t(($hrPv0(fq;`LB!*rpDsT&4Ha)jfYmz*4!Z0jQ zk$A@GSf^L)s%?@pPgDX7R+E7LN)LKVsy|!LpYO!;)-N_KnCE9Py|t0|Gh30WL6m6j zM1b;#v?b0PO;b{IJyH%59pZNy&%@=*x`S_cF3TDWD+vjL9qwc3%>#FRk3FfSa!XO? z^^tCRV)=Sv7RCD<#eyuqvK7e7+lUn6>A{}6Q-A3kmMuqq2@K=z_t9GZjLwZ_NZJ8O zs@_*(*C6t3TR)F2DU5NJ;a?WWFUDV+q^3ZoC*=3(K|CR&bUaAUtoGjqvp>sN9Y?uY zJo?$r2zvc}vHpG#WMJVu>*+F_{v4}(NS@;qhaFH;%sRrT&C$s*0#66Iu}Knt0BZy| zustCt2gCc*Ln~Chs~Nz!F_$mF<`_ZAZ>IR^0#vH06GkDN^3y}p9zdlUfJzvu+%}H% z9!PznROh_a*TYe44On=rY0NCNXh~w*SDj^98rYqPL`R=ab!{8cwv(l370jb7vN#@K z+b+|znNh$E+$S18tOA6!A4rPhH71l8aYYNkHdZ1646`mjNlwuo0owByISKNk=yA{5 zE3yz?XQUyPgeBWOy?29BmPY7|x~CG}V6R95sUljO)^R>Pd-m9IJ7j4;uvwE0VnGs- z>{GxOGOxS}HH8rI(h?JWRToiW!*3w{D47c8Nqh$sSfx)m`zgVR4_hlroqV}slRZ7+ z`SYk^O$f=>a`A**s=dGPtKy8>>xSx(>7sEf6j?%^ZW&K5zrl|ivuj`p@qqI;?y_ck zQ}gUHBeoO*&#S|INm8S?P7~Ev|GMu4+2$1{8(iB@vo2 zeecUCy9sa{34)gC;~yLu>yN=ALKN0_KZ!h|B9fIiC>HnZE3Q|P%jlb~ecKP*ut^TT zvfDm!Kje!a(Df*7PizZ{j<3CGNep@IVzE{EB%VI#bWmGi@VW)Z)4k#1{Iaw&F*daf z(g%Q9lM>XI)IK16GX&Wz61Pn?FKi!!slbMuN6-Ixg#Wz>{W8F~SIidDjQ~cGpg;Qczh>*)X zNbCS=K1k_7dFy01Z04}lta4PHU-ffa__8X-vlMhG=V2FL@f-BgCoyfufY+UwXarl3 zC3bt4cMb^giN#_yAUjIv6JAL97fE;EdzpZ)6{o?hTj>Ic&*g}mubHe|k~~upStcn5 zUYB=>Pe0?`n~|O7EAZsA}%O>54OM=q>;*!=oVm;P%lXQJpje^G!D)ReX{4 zubC}Bo1Zvi76;^+d24fds!no$cyup90D?5nO@EEzCVRJJvtAmy-0wf1%cvUWn5fKf zR)t-nR0W4rtn%U;xqtu6ZM_8RVeHmzsL1UXw3|qkj$6p6$^~Dc6n(CuQM1XrPDOf? zhnA~_3L*vMIU!u%zbf$I92QA8=_B}ZB4eMKDwF!>#XTO^IjAB$>k$j)?aV!U#j8J6 zY4t|JAQ=G^Z3NQN`$@A`V-U-J4$r;ixRv1R^CsCQd$B(yt$k`Z&oU$6VV5&41c zjC**$%eVmBl=CF)`4{>Hq%Bmz1QHj&o)`rF`KjfwRMSangCmjC40}a zZh2g10W=W0q<(l$Di7S*IDc%Zr<*yfIZ`2HE6?oSv>JztbVx+1PE(&Inxmk6)eO0u z-wI^9L&_pvnp4lb*pq#E?6Su)!;_%;(`Ok-Uw5i`9dhlz_rSQW1O^0_euGxE_(6!3 zdM059@Fa%E-rKSamE&;d`vXFL!8uaF3)rzrSzoCP{cm>^?HGw)U%cf99hzTCX!{(= zf>ylcVRfafcC7G5B-Z&RM1=Mdf6{siokrZ8*I88;(m>Z6ui$oCB<^d8cVK=J zxX^Xb0~L8PQA#C^BshBz98w(6kPclJ8R3A`g zrXF+^H(h;yAxB1FpJ9-%Uf2g>2e;2#*Zc&SR3k9H_^_D)BF+kcLSwYAAET)rO--)R zxqof@Lp2m^z6;zv=)g=&`6V9JTb>}yJ)@rVr&8wj^P49C@PYba;#o#DR?m7(i2+8< z6-HIEksE+EpfJSf=S;aJN*aMB4InL4FzUc>06F!3lspEKpWJJy!+1b5YDX~9GKE1ny-odpJYr(3{jNFc|4nrhu!yjp(@87m76@I#fV(b2% zxaiFl8)xVKH6_6IvM}vq=Innou)$l{H|5q>d10~wZrm2goFOTQ{L#GtSE9DdM1oMn zeh)D2hwEp16MYrEwc)%@(scp4Yb<9iS;?dy2dKyKZbI~4C+Vjb2LqRfcB(uQCv$#E zgI>=^M2&k?{-vh>94h&c)O4!KhFZ2MxY{a}!b7nx=&}Qze-$Phy(B8%T_usoY;N>rmW080K7 z`H#z}mhz#8%d00om}`BKWRpcMt$*|fyxhT*e4(H?YK!3uEH_Pe$KaM7bZFm=XY zv%%ShjkkZ{E=y~EGA;3GcK3BYUX;D=*%Sz4YvrE(>LOe#B2qmzc)Vq#<_JwD0HBquKjP0M@|MGbG359hSUYMZp=b%O$Kmp(nkZ~qkN zJ8f6`5{&ILPSM3y)5_GcZdiRkFpMK)#|kPi#m%S*r7a8P+!FJhK1mXDEptU>WdngUvLO_44xjyftzvSz?HJG;;l^*!N_khhL-%rtXqg(spuXt%P1C&r}k zPd$*+v3D1p>g;!LnN!V52z1gXt|<|Zfg*J0nx%~;5bedCGwc6xpmM;OR$Dr|mTF7m zRlO8ETCn3C6?_o=eqgRK?fsPnL5qr7%9)eA;VP@cBW%V|+%#$Tu#fZ28f#>Y2Q-;4 z^$5f5fVuIWP#IobZmr#x=lIT&=X2koE#Qi2c(v*|?mcjxU!@7`ffYqnFcVayt|eN} zQ~gfI9nIQF-~6F}?#!!gTN$I-nw0B9vmomiYS{uOIY| z0h{IvWIxTPRC;4M=lg|1IKNv&AMgF(dVb)!av))q68#71Xr$EAfqIN+C)4gLu8vs` zaSnze4Q}6NUYVHn+DL0;KL~&?%Dohi)%S9hX!zJ_Mo6A(|GXAEF0#f&XC_4TxHMh7 z1D_{eJ2#`is^~BH=)aJa|3XWAAsA$PWV07h%kA|jk$Hi6N1KAXp9->zhx%Z4< z?I5^~OpF*uyadQJFCDGCK;*iqo(CZYk#X}g(q!wu%J@Aru`(Wu?){HxFf&t1ZJr06 zFLb8PSVm>YSe&G3DF$%K6%;=SjE41@^dqA z_!)QoZp+*yC>upe>a^@Fza_JU3_s6z%7Cm3u2+w2*+2fg)1}=-V!G)uP`;h1OC;sa zR*Q!GU(j%h1h?D{#`+ppbyJ_$`?OcT4>V;=)sb)Fcz8`$t-N@& zmIi5xyQ{!UO8~US)CHgLCW|7(&)9~V)TvFdQY)GQ953-jH|Ltp0K#!X9Cq}9 z4Vz!in_zp6-joYy@yn7PAQgEdu{6=1YX*^J{@A8{fM_v=MoAVBzY`Hbv>LG7w~ z6Htflz*e&duF;?;$hadtTA4LpHpI$7vwN%)bb9ivW~!HEtz0fIjXGC{Fy(|b57g_F zezIc?r4O11O)b?ZIS1lVuT<|)xa@!+v=4(#lZFT}wzn^BX-K>{ZQO%-DZPZMECv~9 z5Z)022K+3cGmD|pl+h)+lTO&JjXBHdgP665myx>Yq2foe8nVJCN{Q9hDw$0p-x0i3 zxz7C>7A~hxSkr5kLi`Dxl(h6SP)du=;L1>2%VPP>W|8Z@gKch{*fJZBe7z##w&dxb zl!1pCZhFx-jh2Vf{>b>{O^B#MxvRHzWh>c_3Ab-2rH#!ah zX;RBx#4Uasb`Qczv$-vP>rXoOWrxa*fbDB>Kep*uL|jUJ-t9xh39S8Nbf@L0E7lpVbd9*4XLWzO0PY|ps-7OoY^Mp!Q;c2w? z)eAzd-PYUQN6#TzuJfm>emiGJ{5I!iD4oYE8?jfT#SDId5HPY! zt=$4>mzczecJEO8lnJHTbdAH6bT36x5FWHFe9E5O3!SE?FXyt?PKML8KKncnhDu)j z{O~zLS`aNzx60mbpJn48IEMSikt~dt^NmTED zI2GslDsXLu6D7!bPH*os;Zfed`GtKF^d{>DneW&zjf}?yR&Z2A&e3hFKylXohT5t% zU35dgA}@DvP+MlwrLFe+1@%vOpG9kW)h@UEyt)MN z$CBMN-6>B?>70#QwfsHSpmO%*Clg#gyjg2E+t@fHi->|?_(WkV zmmuz_`>GO>ZK~5|GvO4gy7@Tj4dN+lw`a*GM?sc?p3y32N2la5D}n7T*V~A8yLk&_ zI>yK_zhRT+uAaLsB#w~=;{BKh92OaZXepGn-NBw`9Ah$1elNF6NYmcDX~!t&Lx|0n zX|(}NR)sm0b>~-FpLfo8nwn05LXYmS#?r}K$?ln^;>dP3m5plTd;b^{<}G*;mmxA( z2OuuS))n*7nOn!!?qfVgj77UQ>Lh}~)Tv4E$&WS9wAoNHkGdJeAX>qe(R+%aY-7C* zp6zBg^zv| zQ4Zk)`v9OpM#&6wDp5YKFEYj|EX|(bddBsqiLJ9L3Nr05+vM%7F^b2sory3ZB8rZ}0`JO6Bg82rPi7!5SK>v>LDZ%`h_@%ZsrvStN6BK_q7$>>+T(OZ3d2s8b-!9Smg> z>q!$PQvabNf@+8Nx^A?kPE9*%_HE*+8kPI^DxM45#B+3J%PtC3KR@V9ML@-V+uZsm zxoL$L3wxkE|xY(1H9e2U_m((MQUHr}UwTlqQiKjY8;KAHOa&)<{` z_AF&I9*HN@iCB#l{Gdh{eW}Ox8_q6@K;}8_FLnD~%ad*XZ3$3QvOWD-n0RY=Dg9uVT~D17L6Lh{mk+4H?V=z=}( z+)EZ?!z4b_wk{2rrb;#uHtqmtMG%+3+D?3(6*~m}FKOb&19| z?Go#w-pQu=Qj)P76LzJ#Z?C1{-;nr?RjR?*y+X8`78_*MSaSqR^sKVd`oV2ovU`K| zcFP=M5Sy6gWXp-eE)q*wnXURutDv3kLJNxM|6y`RS!mligH##ZxZV{0Wx2E<=8wnaTnDptu!1D;g3~^U0$Tz4}kH?ZTHd zP4v4{cd5AzGZ`wF;fk?*fxEg>hisI?yT2^`1VAZ7p#}eBlsLv&d?cWRn&c}7lYn^(d|E}bpQiOwZR_k@!2ldP>Hf#dsnQtPmXfFAaCpdtBD}rTaOV=&NEKqU11|F z4wio=Tthh@n#Xzp&5WFO;EC>P=Ka8U0r(&lP>r+;;ucoim5Iv-TTQS8cz-)@Jszh8 zT2YoKIC^~lEDf7#2_VWTH?)4VqOe2KTd`8=ec78_BMB!yhz5qDADXL2vM}F1QN8j{ z*s!ra8|sR@5<;q@^3qj*=@~XF?`YJOWLK}u#SCVyx~pF`kj+yO7{_{ha@VX+7_gmAu^swjN2^?dS*z z=#FB-f_~{EM=QI2%tmG>i&>O+_RP2ZGip6#(mK-caASM`veuvQ5lt|1wOV*_5LrFw zq`jkCK>VYF*YR=5N%RKr0$=BNyg;`DLF)7RN@l}@$ZQ`v zuNAjq%~kb3L$~;C&ff8NoF9EUO|sRS_#B-BBUi1?82X)v&!#=ulc(?gR$kbXYNH3b zyAldL=r~X#?`>aJ6HlcVpH3@|{q6(3|5g@;IqTn!o>3Zc){5_)EHQ;3@WD-+TLCW-?Q21*;v{|%sZ|*Tmx>ozwa>?;u-|Bk4N74Ji9Wug-!fUHq++k zfwM2buF`9KiKUx~a6<0~#jiFH9D;z0f@#b*oFZR%SXl2EH;|973lb;-F-Icdsk;f^k;yt4zi}^@*?YR zZPim)f3*h|mYBi&swkyzY)OGZ>WwvjU|OD4>RL<$n;d865ah?lg|yTzeTQVUZ3z(9 z{6Vsg?#%hroY05jJRH)VoaK)6h1e?&W7e(|swZu-%a9PniHow= zXW3FMeyOS1gg)pN@>?c{EWCIxr3rz? z*gZQTI{_Rce!hF;IgvNr!sX7{3V9WiY2ec#SMFR&T5ZK#L7S$!(!WB=1Tl*q}BX<`sX{Qks*zaeP2FJn>We3dQ~AL$t&&`v#2H>`^We{$Gk= zO*WT)wT|FPvRDQ4T62!V3bkFN`U(yWhsKxtCwbM6{;+Gz&YjMf`I&D{Ze;(cM&Nf7SXs(WQ(|)k)w6+Wp6j`u{XLqqjZO4C#Cxrar zT`yH_dsTfDZ-wv^kn^nVq|IMePJr zgXj!Dk3F%*MH{Be#A@3G0@NhYlB>2|;Z1~XWJd;NSjC(W?p52xjrP@k=z(1+e1k(T zHHKgHUDaj5`XlyUw_AOh69YW~nR}3k$3ort`Nz|qE)VEdeup2dyp_tMPD))#XA9|9 zY&TdOZPIg2m_9q$R@G>KG`Jipf4Vz~we$#Ac_T~>(QfAo(~(JOlfHzp=mdRvH$61v z@gVP!f4l&KGXIs?<7-K*Q87t4#wYF}8AITxN~ZK}+Nc+InRPRY zOTLWWO;jF~qCM`a-zbIczj!aOOqU>U2FIyRH@7gvqt$38Hv@ORp4hqXJTIj1@QIkL zR3Q93O#hx-3kJzaVu3~vku5%i&OTfjz6*$W(Vcq!C@iu^&zfKNHKJa?kaLSo zg~@lNERs#$1Bbpl@^q?89~>2qI<`6u$kPs{H5aOxU6_CMx?~MFUO3WE* z_Z+@c`sqU<6UPo3XfskOD2a*1`e%x{mhYiokf+>4U?M&GaOQ;S6G$p{Y7gc~1@z9C4?=-@%i+QTkb@WcWkRG!Xy z#=Tk<#sGG)$$`1{&Yq`#NS;&AERc~})KV4^Up^7|rZZt%1dIYW@}3k|@xU)&SL%Nd z%aqR|5e(^tbzkjS;aJsy6FKzdvD%S(fVcgS8;GP5v@#W(fdufp*Ag_&P%w_z} zgckbVf{=VLw2#^Vd3i{t0ybvNso~pW9ti6wV~HTo@;ma$CC~Fl)uRHE;<+1kHiWUq zuCBt(wcqE?1~;3P!cK3s&j_(9-nYwfKi>9jkd2j=55au1^%zUaQd>^lq)jg0$i&#C zcKrJ!wVF(!pQ~pd#X(_p`a6+Kn7Ce*a;=_dj^~G4g%l$x^@@=j;?QF4Xj^wp*uHmtqnwIsXilIk~jDGQRO7?S^*=&~&_1Gp}P;M5`9UGG0 z%h4s@3}w%ye-RMbuH+|kezbL4%Dl@*pm(V;MW)2qT$T6e1EoXj;g0upoy4b#l|-wv z`DYJbwfGM4C{Kj(X*qtG{m<=ItB_R-XA48-?i(K$E|57XwLTZsFFS(4)?_zwQey2dT(s-d zgVJK^#`~rqHijY-W#S4iJMITpl+KrhH+En94J7cU4nM4 z@NTzaP8rzQW`S4+N?|G$oh{1TjJ8PX5U>2UWZ07=V5*p@8$ra4M^Ffr%}oA|ek!&c z`1HQD%J7nnhFMka_r(XhrtVZ+rW4z`8(umET!+kDee&BB(W&o-ZKSybUbx_qpoRa<%4d0F-C&m|*(Ih@bf1I#%x7ljN* zTHO78PqTm_7dM}9p}1&qsVV1VDMLlKmht1TioZTr*RA9hSUy;$Yij>2Q^kN8ogNM0 z0-(lsl7NfBFDBl;2HZrs1IxMN2A5gEa`EN_xb|o`G3-k=vSQ2cKDo7bqR#G>CPzt8I1nuV{9t#gvNzG%40E z!sb778$B={RAkJS3Mq6>!Qs#hNe0B)QjLBh1qdOs5_06m$d=am$WLXLWNL3pq{kwL zAh{?sy29Zx6dJm-U_-_OAIgei6LsFCm|o1<6jL1BXq;*4nk*L+=285=4Q>7^?mse? z>~gp#M_@Xj_v)}sb*$wozyp9d^?d2Gq&`P*OwCk*GQ4O73-<}q{!guV0N*T_t-nv$8DRXhbqhl&D5PHwnV>B3Svnj<@CAz8l>T^WQGUBsY ze>?uvxPi* zzWJv!W05(1DveP93cuHWd9+x{mL2px{3J#X(>&eyE~)^fe(qftQ}Bv2GG=oU?iftD1-v=KKxG9Kn4dU*JfgFRbrRJY2U;kg&USVUE~|?z{mR2p z3m>_ZcQA3aO=IBLxLM}!7p8mWn#9^_T{0g?N^05)a#z~F+h3G7T|!k6l`4_A=WlB} zPjZ3!!0W!MNyGa&N$=a41QI7d44&`uqSg>{{o|&}D^ll7!DSp3)|8Y>sPj!@=&^D@ zz>uz%aayviw}cAS&-GNJBAXT~!%g$58TFc~87sJ5R)vLqU*^w=tsqWD=pV9Z6V$5< zmWCpuLMQfWGPASXv<}QXP4SZ2ek~k?q5J!$ej6#x&=@j(YhHbPw!;ou`THCeEm%^; z=g!oGxdtgbd4Ht;g>@l$E8#9Aajo#NN4I)ctI=ybKiW2-KP=uo384Lb_&!uFt|eec7k3P+sLilvg)Pf1_c2n*zeirqvlpFM2QZ}KvW({<(r zzNh7-G5RIvxednNF>UfBcqF^2z%0fOyBQ*1_K~UhJ3+XrSfKCFHJWl-&D!|9O#)9O zxQ~&cyH@n+sV5MiH5wJX2#gMl1A=f#IdI`DZnycX%#GcB-tyC}aw@#Q@I}Mw&^7$8A$LclBoqHIrxQ9UQz{SXdzqyrG5h)c8ZT-Yo+H?=Ae(BV+9+%ciH6 zIeO1s8(wk|4F6MP7Gg$&<61tguo=tH1g^42*Rkk)?t90OqWE}yv^N<{LmC%0E64S4 zia#kO@&!t6xy5CJqYlDJ5QaYLEYZ&lj=Gsm52bTkk!$z?l!k2T<)xjqwMuI?JunTCUKc+dpnpa=S9?UQn~ek6(P5j=1~=J1*~}yUr=pKxIgUypJGFy>MB0!FVa5 ztnOcCF5-uWXzx2{+=}COPHI??=ZHB-Je`<1o?cAT;kY^XXCxMtOg!ef3EmL69uA%K z+!4Kc=}2nx#;f)GIl`6uHh%pNxNCNwm5;`1o2f-fY2>@gHyZVX8MmpNuv0e$%xvs6 zMh;~(OGG@5%MJy2pn5!aE*rH=8NbOd2tA{o2d`{wVadHt8@E4qQ)8w)1a}dGYJa{r zfkq1JQOH#Mqg_dye;J+Kz+RGka5;t$xf|*7Swqo8t}DI>}Tw-lhvZje1Qf>ulV9D<`W1wOl&w zUe#oeJmR0CJBnM@^9w43gmzZ}sts=>8{kqIYI*~)f=TyV#ShOYN#qA%(hB&Z$&h-% zcZez#uNU8UEFAVFgf7>;Tk7eUx~r$H58Aj$=+itOjY9@9-CUq7f{Va!VB- z0b-h&)7N|;19rT%+lF7eIkN~RnwAHEaM!iS0wAd1o=mw9`M-C;^q%4(1=L=cPPC#b znGngRM^bhltas;{y)?-qGbX`l!E^z6Q@8aC;Opm8Uj-&Eqd2`0vkWz+^M<(!9Qr>P zZ0NI_xr-|#q1p**&&QYyYpMd|7GyVAfn<`#8D&B#igYTC>T^DUqw-0L#@@O+$f)0$ z7FY{j{LA1-pk{Jep`7+@OurdDey^9=RO{7}xDs_%WHnK7Z{?&Ta&N-4g&EJaF{$!N zfFi}})*|O!^fR2+6T;N8-Cq`d zn~uZ})jvh2D4#!>(%XO5rlf;DCq8mjMyC{OZNX#f@o;S4avT>VOSp0?X^wYke;Qxb zvJu%l+2os#3KW|iWi!@XDi?X}Hp`W?jLLtl_2LRB=BTY{{K9JOzmNPB-J!AW3i6Wb z10ux-W8ZX!N2b2rMesy1T%{_oxfwQ0*hJ|T-{Y_kH8{#qa z-X5G7M@UJn)xA~==X4!B4=0Kzv7-6lLZl&{Br=Q(W{u_NbnYkA@zsBn-7Ad_w}i2e z#O&~QjqDbu%Q|9(mIi-ni+a2lJ&QN)ivk5>{oXua*Yl#xcKF36tnW+>D@)8ksEB3c zXhZjiU)(o5ZJ#u_#M-Iu1nxr=^Z9wiC#3xXYFYwFvcjLWS$SE>aoAl&c7}F|%f?{J zwUV3W4OMvGG+YY%0n#vtl4+&@h3COKd8)TK;OooBlay@teizDe?+B%w>^6V@uX-fa zNXc?l#3jhmpz!f&nF6$3zjJ|D@LW`oZ)-!@Ag|vms~|ReecgVR zTy)|IAyyaDJ^Q2ZzziOat1_Kj#RQ^yvg{FZu|JS1wQb4g_wj@*JTz2c8X z&|7%Xws^jeQ>v+@2&;HNzoo059{Sj%>$7a>!g{py41o+143z&;1^fhj)4HcguYOu| z!CuiV59#)s3u{7uO1i4!l2`zC35A1U+}r9Y{K6{L%qC73qS~3CldNCj6wEo(Oy?tI z8co(R1!|Tf$?$5+{L=@?%sy2QiE07}wBmrJ7x^%v)HJ(d|)~x$@Z2Ncbwc zKW?U1thSv|+(9)c5$urMWD{yOxVes|U2oSPC|~Oxr0JqfGYmEVT9;tTgs#}I`THI1 zR`b=}6PfK=%l?8}I*tT%dWL4LMlS6OfIyzcZ1Q}(K4Aa1fSmQ%!eQGDy?%M=?OKI_h75)N3e0kY44z%NDW90f6M`Docfh6;G z`o8Zek15$Mia^cVxKBMDdjx%5B~;+6jYOR1guXOx_qgmAGCCYLt|(LPZC|lOZ`8Zf zRfxsI(p(*m4)JE#G`p@u8LIO*pMm{{y1btls2^n$b&8}4-)asC469YNNvk<@q{b1P z4|37(yx-9MrT*jHF}@~+kZtlrpOwTHVI03%HfM=BQT8hix0!08EP6ppgi#MA$-ka} zOpH9&3c7qvg2$w}2z6y1wuSi$30_spe#W0KqR5a;y4H#>EQrqK~L}`Uw+e0i+LUu7C`ktWx zhd#Zz<@M$>dY7_yBJ+YRY~+pV)JzT*ht;4DzRhG^I~hVGalXm#z_ldEL9pe~Jt-68 zmsl|{rmP^6u*_lYo3@fEW4-CG&g^a5#ixppf;f^L%^?ybFlLiiH%0cyWhJt5Y;P@TD%Eys)7b%Qr8Kwj-GKZaNKd3EtcUBt9d}{62~sshdh&esN?PTAKe~ zduJI|)w=fkC8B~TC?F-FbSg+U1|?k*(g;cm=%is$A|N0z328w@lul`-8wu%S?{>#vXxfHfzbMHEG35D6ta9dT2v5=beIK8ryCJ5M6 zJ;jsa$7!jq!~G=$9v{>ogIzC7b>fXDEEF&}M&EbxSKZ1fjwDIPxmltsJ2DpjKgf&! z7~*Rc7n$X+o6Z8@W#DVvK)g zDfVHHrnH{rINlDbj`S|(7rxoC1Tb5K&Vv4@M=D}a!8|_{ATERJqTO>dxFKT7Y{t2G zYf*e@6C>DmNp3j7Q_Ob3-k1-Fw9*%zHO~pyT*1p~hT--Y-gZ0+ z95stf6nd&|WjXbIHPYYjn>O%yLdBOnzpH4{U zDg@w>3pc|wr}5~tSHhNUKI_%C5@ZWV#ewnAA? zE%zUUrkYW^ham>%yt~QW`;<~?z=dYOs@8(Niy1Mxn5hBwc6@H6qxi?R0ee@cK3%;nI6rHy#9kGU)TTQQ(QD@Uh zsjrhahFE7Ur?ssrzA`L%i*tZ^VVH(YCNdeX*`(~9x3_~I%s<+9-t$wz%a-TAoFKpd`@!3!0~`g9;>m-f zcGs+vGU2gJGbbF{j#ima(ejK&5M4%Zn(wI|1*DssN& zh`5>T7oWfga`5nRIK$QC(v4le{JZoE=-+cMzcKY#-A4MZ5p?nr1@=90>;|4Mv6v0| zrz(t_Bj|9>(0PKD8sjY`a<}}s!;8M;hPe6kbb1bB$LyxU)%{7%Wsw0nO|lkKz2iEZ zgN8e>Q}g=`-l93Y0f*RNWMP_`6^(LU2plCN zVHuph?7kDgWIw>VZ}!KuB5I&E{yTB@EWK$andAAO%Q7*s5cKU@IM?sp%FucSpb|7K z-bt}d&*)HJ{-L+|seM8xPmL4ZxTd{FSo)0f?(|d7ovS5<^VCr|f7dmL49xV*`{PR{ zGvbc-^~WDFh$U?VW)v5t9#K3IATb>InR`CK``LyWOYH$7Dy%3SAIunjdFOQHz>+a( z_1ho{|83{YfuS{j1@nD_=DU&ew3Q(`%_qhSc~1$iHqcnwxCmCX-x^rHF~R$Ex-Ylq zPexLlgcd@ilnJX^+_o;vQ%x0S5gdX;FHnIc30#?6huIgiqQI|G zH~m=_jgWCatx0SF|1o*fz=5aEqUHozv2)SBq30^b^y7Quvv8ZO+h>i2bQ;$WTCJlU z-fIgJe%7CMwDZ|4Ia0c))1#7KaBhJ%(Xwc;Enm~oxHzyph*DU|mc=kYPGG2iyr z+Jd^<+JzKkzC%CN=ZELlYw5(2K_U}bQW09D((S$nMcxhjjXI3SOT-JEybtG82{u9& zpz4x}?B<5N8Ev-g8Tmq@W zt0G1Qyr^t`d zFf}d)vv;gOA~cwPucIof9paJ<#zM&FF1L7g^2oDZx?6R#^BW_vGtlYw7cM@O+5XCCV?Fiaje_oPGyz@LQOIsl) zJ_U+v^es|Mynjn@+43y+w=yV^ppK!!Z6w6ycB{k+<5CYSJ6#`{BG-03h}CryL2||N z+j+JoT_E0dd6LH7Rwp5`9eC^X#6Ua(DT*Y%a{Z9Qs4l88jA8G*nSlW{5y=3~WvGXZ z4TVk(WL{@i|JT04Go3e^-AD(~!1?vpZ(9eWQD)@~*PO`Yhs?`ZUA3QzR$u^Z?1X{4 zwZq}g49oHPrhG$8QlUG4>>r!XmyQFHBWrm$l}n)Lr7?V94VjO${Ye|kMRc3^f4vPP9sp?l$w zRr-wO7mpa_skew4TKMrVY%UJQAi5d5?5~c~qxq*P z7}`A{-P@ga8|r&%C}T~~2uUQp!$w+a{KX zrP9t$O0Phkfrbamt8{*(qXKMVp;OZb+Q?$Lih2>5+0dw9$|D=$dX>b=V#SadLC z%{aLpH-2+hp|T}$D0Zy%h{9SAZ-Z&8o^wnTNb|3IoD!GA>5pSnPy6_M19BF zI!~}zwm47B-{j*J7PYL7b2P+A>ge(gnZ~2@^et83 z-qDQgDZps_w>{-n$m#TNE+M^)siD7tS~Tnfqfr&qqjqQkgMYK)p6-h4wK;=Iw}Vr4 z_bwfesY86;&v}u|x#A5p50;%j8Kc$&SEwRQ!V&q%jkBU`Hs-2#h zYSFfKJ%OIQwK`p!+@s^NwpcU`{nvZ=m_3E$*`F|V%7VM}SMJ8lj#wXQxXUuu-(KtH zTZB6;)e_967@_lV@C>=TwA}UqciGbIZ5Ge>jV+~@NRmB{5|-BPPiF9D!{n@PO}^0j zCm8WG3O<+PT5H5e6|ghjeAy0)(A(l~>_VsW)fw}GH+b}hx>YcIJ#rUdJgDy~M&~t3A>*{xW%DvGwJ%6?P%LLe-d=o6y$8jT$rPAvAT5@QRdxhy)PEbp#^4aWQRK8+? zc*WvUYU4QO5m}N)^Qmk!eAhcL34HX!YS1{B8}~H##gz5|8NtT?OttDNnWA1YVNGo? z_#JG0v$$CJ99yR!BHIUYh`6|kfzz?5AeCYkrbaXGv+^-RsnW^j=U;S;4y67zL2H37 zW~}IY3Y2Tyr+0XYUrO7DMGBv|9rP+kyj#$K_cSF|7o8s09;2Wu6oDi2`&I@w^Ig3p zM$8I)Py#hU;$KJ<49~i}9X<(d^CuUr8e`IpPDJJyYg6RS=Lp}*UOR(>20?>kUkEwF zwSioNwMeLnbW=6U#M-QsELgx*O9Dv}h)5sJn}JC@t~@7a$CX`!FZxDxLc6}_C` zu`a)+JI%So^%2;;+#$U|OOnVfkjXc{=ZS#^by1#EEO0Ja}z97abIC?Qv;hD~%+4YIO(N`F`tW z&#XSpTPSqP#M)MhEM-U+Lz&_fTDsbJAyV;~7rWz2W8EfxGY>C*U+@Uo$sHrqMB5GC z_;_xwIAFM-t$$R=vNS+ebJVA5rE6rG$G{B>FBJ!P8c2kbzh<~@Nq+TWeHF9 z-=vqXxVhw$AmfycO37DcTi0wYxqQAoIUQ-c;P@m4{y5Q*)kg@(^{$+6av4iH3_954 z{k)2yu+buVxPmu~b>&e{vEALTX!ZrH!(!gEUOG}hb}4xBytw>P*nMC?%qbi&r{%*R4Iqp& zxDi_22h?BPIvQ^KE@0_?4281WqH8caBI&xyFFyQwdg=1w<^z!IaBrK>#9`&2?LAKr zF&of4H@if6>I%w(POdbw_4=KTzs}mTmoD|f!(Sq*j1 zRt}M!NdkAy+9-9Gnd^9hEe}?DT;4rdlP`Appz_J<{iA-wZGPudHD2raiTXV&>BEfq zIC8%NngHii1Nl{+r*HC2l9i(}%2n?5YMHa;4cRt7qbiqU2%&H3V&EoG*;#UCFmBuE zk%hb|@8xJwXcNU$R!Ap)ctyTdL8hJQRNz|WBlUL06HsJaTo*3xXp$_LJ7l-c(C9lw z!hV5IliXKIpOfZqqV9i=5u> z39zAb*IKvu2fI4Uvgm^)%)I7c;W;*M=I6I9TU|Voaix&GW}qLww;;J83h+K=(upAh zIc6_YDC-_bH>(N15NEOG7m?Fqj!qEGxYDED;5RP7^Ar#U_F;EsG8hMGs|0KwtDrLo zR+#9K-WA{3$I57m>A1~Oz#ML$-!_`i{9oSru_H=ooid`3843pZ53xL!(Nw2VVkv)R z0v{OQy`q^M(W{^0fPI{^BWrW51F)!ZM?`_VX7c&Nb2mOD6!=CTra|o@o5BIXWx8vQ zl3xN)8Q;*u;>}b|DyIby=wVau{Cm@uQFu$zzhRQ4Jt=v@=?dnhWp*m#XR`@K?T$^b||Y;Rn^^MME+4wLk|}{A>r_p`t!B#Sj)e^Oq|9fQ&!r1{U-A@zsAY$JhVXh-w!NJal`(`EawCI z{UsDD+I~j{JH2zDED(dB&Jb{7MeYKcNd-aq$@OOH$RXhNxa=`Un6E}?O7ES;^SkY| zRvQMXr_UO{7Cus#n&Oz)m>fTtsLWi)bxn(Fji<$Ti}p8+K-D_!&MJ;m^Vj(?SgEEy zFF&I{5{Z&k!41sj>gvQY5-=D*D8skMs#vi5Fg5Bd$if$CB!jrN|I%C#WAy4eXEe{d zME-DZSHxnPLo1+DewWP)9%x}<9GtRTlbi$0%%$5>5&3e*c~4A*4=by-Zt zdw)F*e^XcfRh{Q??Tp3?SS$N(dXLi+&-~lP1BIOa(}Bp9H<=}`p8;R`8E|$pYHj>0 zLpsMXJud^QpxavvQ071_k0v}W@h|koV;4S18I=G_`H25I^{h5OdvEO=|^G#E(Q$5_%1=4xrrxL`>xhs>@eGl>~_<#GxybX9gSz$Nq(d? z_=m4^5o07Vmfo|IX77^z;pF9i+?{{$T3{?K~5IoS;1qvJ5V-0#A2d`azSHhZunVP95rxKxOx2MPUEK zUL85$3DF#s!w8zm?)q#Lp|9M6J>+1Yp{_jyouc+>y zd-V7zc9716CeR?fPDdErBNMcbR+`I%nTxz8<~Q3+75l5rtuTL}!?VE{PiIE>vYOgXoQwUbfm~0($$C+F+d6_`jvH z|LkKCTg2`TPqJ9FQNpv`4;44N8Ie zW;G$S*4*Pv*GQn@nFZWp1!g6Li_F|4aYhh8dk8nzlOfNf^-AU8Mi$6Dp!gmc1&F09 z_oMl2lK5v|!28say1?XtOCb=YBF|rIk>4R<5+Y87t$TfELW1H5uGZg&)Bk;3{r9iH z!S;&r_8RLeg(C=5D)0UA^V?Nf1wC4?{d1)sBXgy6BY-rh_;h0+^aTGXp?FYiSmP(@ zL`BT|xefrKLr{(~lT~R6g`pOW*GHa;UBieIc({7*j?Lcz!T-~OJA%(B;!&cEE{8kW z3Yqz$$^j4u)Llx@>>M7TJctUS5R8UGXRXj$3#Z>G0W=l2lQqnp*!;=4ea`p~aa&)1 z|8Z&&=_|xL&87M0;!%l|B~dv=DSQG*0S}CQs$mDgykYiaJTL9j2(e&FVOcO_>#C6W z`VTgme?OxB;|IBEkw*qmK%Z9Pm=nT2MJdGB{)rTI8k^lZ&;w%wG|6UBIDy36gk;tJ zxwcIYCsHDqUK4o$POFgiH6)sd!})s%OA~A2c>m*f|MZu&7ZvY`_ZM0YN`zLWC4=6< zbTW^z{@dgBWvD;jdUOP#b(=JynM@$VdO4JqkKo<{E{jmL!$+R%$!0^KiB!=|+F~_V zWvy}>E-n#`F`Ig`zDdu$c>$lVzkTv5zSVeS?+zx|(CC*uoHr48ICtkA-qeHr?Ul6U zbr|EugRwKx;|yp-xs*2IdpD3>S+eBQF(w(*4l-ScG`kQv&Dffh-KrT|S7`XvZs#gv zfK(rM#K{96+?Y7jKqE5t0vEwQ4MVHkV9Ii%d%hwDm|G16u_X;FFxwD=fEd%Wt4^8( za`#|0@vf3i9hKPM<~2Sn&Tsr$SuPk{ko=nJH#bI^+D__DGSmxJEe}FMZ)MMp3*oJ~ zCts!chbS6{WYbYIl3?RwV2xk9k>iPvf0giz<}qfClgGUyGQ>3V7d$l>a}T!Lf=Q=G z>_FRo`)=#)Ij8UPE8PMBanu%dG6R+3CXf~3JU8*0@3C*IXUj;{~KrQVjqcz53L z_&|GWG&f5I>;{@^VD5sJ7npsqDdRukAhEzlOt-tgo+_#n8_=X**U{N=0XIlw_cIru zchi0O?WSJrEaot zu&Q%k0kdq;WzrW#AMiBGGob3_$e>ZPs>3XVUf@qe-5@*#wfjAIyf za7UHMC1%6fPE%1bT+#jIeAry>+Oz7G@yR8KlvCLk>5}=)66-n`^lZbHlY*e)D4=y> z>PvxYaLbx{1D&l6i`0*slXc9y$cK7|TyKAzIAF_WL2-Yl-CYES-|)$nIGVFvh_f~* zHzd&!bi^qDB&Rb^5OsGG0ODS*(_y>*Xro$2*ZUxv;MCUzhsjh2jN-~psR%peCG`GL z0&4lE?^q4?nm!;hdYpr9hV>m+j?-j$T@9IhQmMIp38HvQ8;2@vh8M7uQux|f)M(cV z8L(zt_vruO68U32eP(928hV>C5Z(~%)<42~Pk_~!-b z8XsM6X*_a*T#>c}mAeD2uU-ymo=iZ_SO`o!;S?C|>AWRQ)nTA!xAz{;ja~ejOGTcY zV|KD+uzYG9N~<_6MOTfLEiNe0OG@l(4TDGroixuQ65SB?f!njzRBGv6@nnzssjN7v%F@_A49+c<|VJQbFz|A_|mM4SpdGz0+7MV*mxPm{A?PNrE? zeY>X5_P5_youzMFRlQufZ|fh&GeJ=Vo8Vm@#1Py%xbg6)$KfVN-@^e@#iM~!FdE#9 z3fD0XSL+04gDBTk?>W)^F}&K+@-EJ`!q+2>M|D!wo+Q66plmGM5v0~O-0Ftpkl(qe zUXT`*803AheVe58P5o%|NR!x1VUb%L!%saR7d~8KHzY7NN<=#R%?@{4qB>@7^gFIi z8)N$**K>RKv6mEcDatcD(KfnGoF8q#zrNN-W3#GWxvLhzb>0%Fn);D95F1vmN+I#k1>jxlkV|@QL%_7P zKD^{sbZ=fYEh)HclzCiz&B2| zgf(~BjcVn*|BJ(Y(W{K3VZFZNaY9cYYSkjo-{}4{Zysjfvfpso-L}~NRorMnd#e)I z-t$H^TRztK5p;ntXLR)t0Opl@SBe(5_(al(s8)AgopgjjFA8fB*_$%&`_H7K0dM0uN@B{U2&MJ&-97onRb&d#@vD;r^gykz5Xo z1G~czz{i;~6=@Yx`iC2ah_3p|~Bf-_Eazc>t(9Z9?bs0w`>msmg#LH8W1)VAq zNAuGQI>{bwNwuIK%nKgx`6EvADWJ(A)~UUeoinfFG9a^%WDf(i#)58jK~IsW1%W>| z8;3C{Tncgr!0Wk*Qq<+=CA zsy1Jazx5aKZ(~ju+8VN>aCYA8zZa%z7P&ZDKQ)jjaOnX|W7b6DSdF0=Ef?^tQ6j_jTQ`rF>LXr+BXDw!%0?=bF{ z4}(c2snhKVqqCuxEY&K*PUOlPDMGw*&RiIkO8NRqUopjNo7u=euKOQG*okf!1#)O% z7?@Szmj;)(B{?LmbON}PR%i>T=))xf$v!T&v_0cwsI_{E#590TyEXvnO+cIxgIu)g zkbQ?Z@wpA#l-D-sJ=H8tQM_5-fd!7gQJ62P3a2k2HRJm*ugERMM-y zSw=zsz2~voYNy-2Q2R2oSp;3I|8A8JPQWgJBK@75Q}&(jiNdzA=!)BG6K6-cXRk@p1wqvz8NQL>3G*K_s$SUOq_>frqYS*m1(N)`dxAb z;SE*)VS%-pDM-G!T4Q*#REkW&Jcng~3M`zGbma|MmlCzLm*tJ~T6xT^nS+=QPxhd@V zteHrqGQg==d4n%$32OHh`;SF>!HUnFsJG7QQCt%Y8}y_V8x2AfqnckY?_I5f#6*Tz z1Pt=5bFOKpy7N^=4=CzG>16z^z|%kpZX`4`naj7zm)N2Wg{P-r7Dvh&)K4f9>>@BL zzvuRP${FHVw)!bA=3T}u-q?-jk5ig9IAVFc95?lQXZ7QCrpm9c$Wu0KLl6f0!H7D* z-JH%=anzHmbo=J5j^VlUxvqvKSnQDBe|MyspSJzyA`+7K7zMKEatM=8uEN#2vPoy` z_#uS#jLO5^9fPdVoERNlT!GJt=%u7xm{xxY98o^ekE_Cj6Zag&L~)x+pF(|gjtM`c zi4Nc0`Q}Sjy_nuL%+~Bar~sM)>qvJ& zwF65MDOR<>WdDLg7^Tm_G60E-EYvLO112_amL-5m+!Ml5J(izbHWL2tPSO}(Pzy2| ztMZwJH6oK^uD6iu2(}LO-oP{BFFXi9cpqJ*6|Nk2tN=RAXiN1GU(oVJv7EXDn<# zrU{bDp|PZ$tbo{4^LCAUzj5Tb-kI>e5Z=)4Cc0_5%Q<16V5}gL%48G?_nlz48pw?& zW)j@p1^~OI(jw=AJpK8wTOonYLM~!&5eGHKsoRfUjEvgU2)RsiCN$QOAA*R_390ZP zIQ>YvJtQ6uuXkQZD;8wS=1eg-Etd59krkf3{$Qqw4qJ9n!=QgpXt9kc?XMmm-S9|cx= zUa|=}4cHt)kz0Ohcn*Y#l`mo7<_*sZj`z=OpxNozWiczo>49aDD-wq4w0SrDCf~!T z^4)}0%N!h2+BSOfUwaD_2L^6j^VUqg(T`Md>nY@oB>T3}GPJ^97w(F(@IFjyhZ>gn zs1kL>YG!c=Z5bE7@kBptAPR1)VGkNE`rh%&40%Q5m$zbiIS0p>*4dsJ@i_92GnzP* z!cBnQ+h$`{;EhZ;$)erLXFv}F}!{HUh(pH^Tn{? zW*=W}tCswJ^Fb}px9&x?e?cbV^vgc}!mckpGzNzebtK~lq=H%Y>OdeEv^AssYIXbg z+&?Sp{rO2Ks(2`I2eQa83PEGxHp;cx$Q2@jT#7YhCn-x)7+sY155d}nX{${K>mijX zKBRR-nb6zSh&;rz3huiqkup^@s9Yh)P)lRy(+m#xcltA(bM|JT6Bs*CPgJ^#Vn*O+ zsnb`B#5-4uDmF3**H%G1P_*7FQn=a}-xi)VZ(d$G@%YZT7oG^;0ceC~w;z*?0?~2p z0l5F5gs1}Z?zYQA{?mfOx>PC(wTf9FoXbUmYoU!b?P+^vsMYlqvn_RM1SNMlIGeqp zjwt);kr}+n9ktclWv};z^s_@#JB1Vy)vl5xjr7`_GSMl>N@gBugjbmB&OU;J&A}Hq z%)+&}vnyMPrK`vW3h@K8vx$B0$md;5egKCWj9lV!JYNb#$xZZ^p4Xvp82VJg!xES z|Hc=_(k^+y6zJI)dmtW{reIMd3vQr{7oZ3pk(7Ducd?rZ2Mc$*dMh>y)}b!LTWi$} z^#>{B`9kV{0}wu{><1;WYQJS~ea4weqj}Et!GZ$`**sx0`?BNY6vKIm*0IRPJC z=PWxna+j#r`;2eEU6P=0V*k0j#7s=0<`{hL!8Qcb1?%|rA(OnIEar0EU5~KC#X2K3 z3znqP$dskJ&`%soZ3IN zYCM{bMVtq@srfClso)P6k6_5Cd|DiRpau4PT~J~PfoxGUQBu95{#ywBktyQhrw-#l z%=C@1xE3V1_;56e-JmLQ@57OQ(vA6kfF?3wOw%2&$$8bzq zcokhkbLyw=#9x2h;}NzL+Op3Z=jRgP?-!&y7nBMO2rm8H z$NT+FiRoa{HuV_O*Ixa8c|TPuyBGEQjs8b+Z}0!yy8nLAJUsi9@pj}h!V}*w@B4cA zM;Di9fPrs(o@cCz?x)_%_xeV+xLA^fj)^k)-}n6cb^e1_el40Ges;eW&5zd8uSN4~ z(R|;A{_9iX*P{8gXnrjkxC6gpnjgkJzhasng>JtV&96oCUmvyK)01C|=GUV6wP@fD z{7Sih7}D!SrEC=mO?F|(zKxj>$})~WMu+8-%|Dwq{$>CC` zqi;ipZ;npa*Qu6h3m=`JcEK1@pdz*Sb5Z8O?R$#H1r_gLckysjo8t^%QWSKDU^rF z!IecBN*Uj7rkzr(D>|UH&KgrZ)<2MSG2yd(xr&P3D=f~~EB)`ES=VE4xq7ba>`u=6 zv%IdcXqoNF?vDo$A%J>yhRE&Zj8Fe0L!hvTI(&lZ*KtVJq9XpHiC8K}ekg%>7zP5Hx5MZl2}vQ*QG8WxApAY^Rve;6*;Mm{uMoORqI^NoM%j8 zYNEc-iLC&tU$7~vIrboIqOUc6rQG{j z=$R69aL?Nt2m4;{@7uNi*WRZ>(o;gVuZ7ok?K-pf_Uoq=2i9&J`YUw2;&AEirJGm& z3KM@{G24CQb?cYoGQveS^tFVqM0reITG*>Ub!=hZo~i4S`vJct_ukZcd)WM}=v@i5 z$nLY!Z}&Ca1eqNb-`{@gpqbi*NTZbtR# zE{G&V-n%L~9FsV$eO1JzHR9FY=A$Mt>3_yv9cey!C8lf2@s%u03Vm?vSIe45@ZNo9 zhZJ<~i#bO)^EgWYw;#4WG_E(4JSGzg#G+ z{(AduyTjtsOT)*Ok`mhs9jqMcUToQWRHj$hjl!1?9ElzHl|i=kIjeQ$%8B%NVw7%7 z)7vGi=oD!B`IHW5?Af;HDdP>n*>7-(|Wn;m$+h@%Z6rYP78W<5n~ye|Hi7O0chBn)1ecoAHC{F53~QW93P`+`D0`Z5+VoogXP3_#*VA9Fj5L4Oz80_1<$TK9a(icdHpzXEWFSWaB3fJ5;BsB)FAJ(vSehOvvy?xQ9c3+hM z9dy6u-hB~H;O2H-POF<7R3zY}14TKkFyHsSfSjSm^ z8&mNc9sh0XhQ>F0Xt>l4c=j*<9NSX9d&)CjIo>@UWZdZder|tPXqTqnVM<%im}*f# zZ;(=0iGRs?%cRmLrF%*>pK4lTs#L3{$37CqD=!k+gda7~if|8CFZl|hcMvJZ9pH)S zK#%b=qw=HLa)+;TUCD3zSxvE<>-#Ibn`M|BZNu$2a3wU*)^U2gMHy3-4V$4A;ZE<+wc$KX73B&GO-pyq$^n5Op)ueSfx8h(!dCy@;)t^U-+ z^51>wtj@ICA1ki|bqTu3fA5WFYISeS(B@m_!`4K$qjp=}jF>V^_OQ75ughsT-aj!u<`N~HPr+@E%7u&g<SW zPtr2VD$i=&QltEzO%41B$(>0x@c455oyX^q)1^Jux)r_Nc5|UK>}m$atAb!wG2Mz? zNPMVG&|dOoBi1;%I##My$zk3pU4?tVc?fa-XysVoMotfDgB7B=UbY^;j`5m?HqcWT zrtRQF?}r3JWsg0PPaCD>(Sm~NSBsU+uKc~SK$2>%`tjcUlNHN;WX29^7-%RQcp|7P zaO;%tNzG-|@v3nANb<+z91HwELd&x-%~jb69BHJ5iA^HyeyyiecIicF;&TO%*M4O zX%0Rel=)sTGLI6Hcande{Xi>Z>+#gL`GL}b>#hmC%lgLpnO4F>WyR7zOuwx{-$EDM z54(AK`M%WQ#LodwQZ{>2bFB0+wB7Vuz0vgeF$tq9?|`CqCg^cebNzOI>L;b3XY+Ob zwxZ3Uyw9sON@dH#@gsKSC=Wj`kLKTv=7@o57rUl#&KQJ-&?ip!nFn>zEe(nuxjq^h z{~%1wlAfYpzM`5MDVVozD+AL($$2=@*%hcmjkz&yn7gU53?64gK<< zFIDD_gFgyJIoR2r46r`m6M&SG3swrz<$HC7C2pMrEQ78ky+P{nKGA(VudSwFi#qY8 z_%cWyrdiU4d2*|UmAP0~xEetMB)KLe#Wx&ZnN@gwOWfrC?kT%{LbFeWinIT6D_*$g z$yOL>F{#1Fyl3x5v`hTZ?vwF6(ZoS)uvdH7K1 z@=p7J(5~2*LVI^wyLPVAJJ$}%{j&T2-`RWj%bx$=-hJdhp)M zxy3rgc`Sew^j)oLK4f`?8gfHSvhiTv!J}txTgbHEw0PsB^hXT-O5qQ3O@tx3sn4C2 z0FNHhzMy`={NusT=M-NH-F+=|+HLdkgx!$chMucs>WDXr(-buKE%S->MxTe(gl$;4 z&#GX|wSH;EuQv|CDCZ9iUFjSuN%U8;Ed8Q=Wo`N%F4EjkcbiIheq?ArM9J!h%$75b zj1R!0*HhnOe(ECl54KXg1+nv9l78B%KZ>dz!#rg)HxnV-@)OkSOOZhrFX)>vqlbrB zLED{kD@7#Uz{;P7flt5^WlhkiSwe#{rOPbzDcO6xu_SCe5#n)P95H`?(gj)e(4#Pz z=$QhI<@WJ|8pTL_qDwjjfUGM2Bj9&qG!bNozg4*{&BeuqP>Y`A*9|f;ulW93WN!h^ z1i@+bUXpE zDyT(35%cgKLF@)MXd*jI>JLHSAt>hw2xJt;u&{OF;J9x`)5h5|@d09ctU z(Xm~jVJ~UBe>GmIaeLdCynR^1;hUIZ;BfBFql2tR^HAnS#mwp_^;1EPT*Q`yV2h>I zM;_*1`2#szgiWFWY)qDZDRgb#oZzPef&NOaF6Sev)dHjW4zWJ{L7+{d z&o9IvcJGYW@rZo(XOQQP@^+RCB`*HrwetfxdG6i07bpDl0#c zu11nHTk2dDx1$>&HjS)kZC4M_>?`vvW{rnpYip~}s&k@>8dNv2C##{1Qq({(w`c5JQR%eUDZ#^}eobJqp#d~MCIy{d%4C9bCR zZzYWtqZc2y&d#ks{`&Qsgw#GU1yp~N;74ONunqQ^+R2pnz7&ad+v-O-(4hfgDD{6G zcxOr1W}FW>q8J1}i#ODr8?$W5O)4#E(IMOzYI?4}L_r5x?@WcI+aO=_Uhq}$FUO}-l#sN!j8$%D^*m{I5V@CD6jGBP|D@HHl>)0tG=?Qsml3-C?97t#6U{qF zkBLu&ym;j`*GK$yJW1bFh)L?pq0)mbX?dROe8 zhUe0N!;yJ8aE9wCiH6FufnLV45$8eT2WSkve*_qSONS1ci*?32Bn(S(&C|l4aNCK1 zzip|Z)1=k3klwc+w1&7PymBNsfIC+|r5(erQ0T%X>j(z7V?$=fzpR8rhh`&|xLtaG zafb=d{SNO8A~!w$r{^OaN{4^dC`)>9iKTvTd7cd9#Epcs^2Ej!q;S$Tbk%XeCNZlW zFw^RX8Y&89n(}gUU^Guh(+~6TE(6f4Yld&|x*y`FN@Jak<=T78-4Fddg=22^4ehU} zNp&we0%KGU75&t^OB;W0J<_OSv27OeuiNH6{+{YbN-epI?|V34?p_sICnNTGJ4%^$ z;{2dD9S6TyUh#G-5c)jvGUSxK_X}uai9ikT@ z!L8(;ifl^8#=XYD=6~~dLjMa!Q3|nwW_wz$Ne!WB-GlMKIK~~UW@2>f1R=`ekaYgCv7Bb(f@ao~^Oo%8W1v|R3X;G3D^E~8Jfz)aGXmF2TLCK{8}xhRGM60{ z!~NHBpT?M$WXE)zw=9TX(9k@xwehpRCE zSw|Z7mTj13Bhvi%=CO`(8?M2gk>#-eoG{{f#*;k3p7|dAIf2X%v?_EURaa1TgfVU@ zaliS2jbj_`&b9?}td4CU2Pzut>hjlubMleCL<@%3ZJWrpo8J;nL_`(YQY@Uk4zmn0 z^tk4@bbdv;t6dzjmT)w-k=|EOY-E?A`f>e2v;XEc(` zP+#?$g3!zDu$C;-BemBBp?lZ)hbVVA7@W-VI&6LPJ#SIT5o-6DG5s>%``gbr65{vX z^s^f4dO2~Mi<=h);*QHvf8`OwUtsq25m&;#+Y5 zei0$6S<>t7f~6B@SB$3&JAxTm1i`Pi?cJ9gE?HVQ*XF|dw$7U(*qu+iy5LhUOMpnf zLH$W*0O4{M=)mVS#yJ1ykqwKk*`KDx7DMn`Mz|I-XI?8?am&{S*$Hm82JxemTr4EN5HI|({CH#r8`3)KV z-bLEq(?AhhRCd^gmguefh*1UgJB`?kP?mtsj`f174U1-g@Z_MKlv+J?6}qBTo@KBw zo0q6ZG+QF%J=!Rr2W*^K4XVushOC^)*NS~V_n&Pnwsv8VTe6MQE8f=BUWvz5hYL%! zhabqct^VLD?QUn|?=C3eC54!Ac1|a)Ayf2o0NuXa;KMi5;x*PiT>(2i<51E7#IL(D zv7B$PiraTGSBFRY(#{n*$@;eg#;!ruhEz55;z-jR%T;MR)+yMt%_Km$Xn0rbcU1U- zv3|gmX;p_WbSU~bpvg0nQHpwg+Qbl&93r6bCXt-h>HWPUjf{B{;>v z@O;Pc1=%g{nW1jM^>xFCX^&I{<3ecwB)sDRe?s8yJyBce32tPm_5u8q|PJ zF$&{}ePd@>)VU>r<36&@3cVc-<{}a`*0{gALNiS5nq)LN9k758kA6a&+380ZYM2=b zes888{*!udO1G7ScELP^Cg?s9=hqr?-Y|`FZ~oE96}-CVVAub9h;T3V|Mnv+%}|5b z&3=r7Y@kAJ`FLr0fBn0z*8!sv=0ai;Lo>>+_}*uhJkVV<18#itNGHF@e?DIlpJhS! z;H#S|^omjv#jSJX|8q$XUttd17&0{JfTzBcm!&#`0%*Q6|L>KT`L2$9UExnByn=$g z5Q=I6U#YJ5Cn9suQ|5Jto!O5Ok`fI%tiQ|*6wftV#zr>8Y#!nDXvDj4ea=~$ck9E( z%^yd&w)l{DOWOlUI_wdYFX2?MH3U?B@$O;JLvsV2%q7VZARrD%WE)DD&AFbLI=D9= zpdvT;>S=6U85$aHZ#==gMp`i2!Iyo#^s+6>6xA`|V#nTq&2mjRv~R#_Zms?M(EEdD9$&>jF09;09=ppQhTy zC{+SnPHTA1f&7;_Y;cgI6aVd!JG+DYNJWnNhIRm9JKfRkirk}#ayM67KUrDEPcf=N zi?U`R&zw{Xf-V{Bhfm9MEW|i3$+#<9)`BshFYH$8l9fK8voF&!0Y%Q$EE7d2q8b3y zn~DaIRygxn%IaV(u5R?#ueZB&&xDxmep>3P@6=ER+_uns%#29L>**6yWB7#^gR5I( z#9)V{Z{<9;e)JYhHBjt?wm!lIQ%5ax3EWp8MT4Z7aj8zIt1KlG>e= zQ2$8m)#=p?A00O8!F)z^OHgnOG(yK!t*5qiyC^|>zB%P`YfRF?19PL2IJCWbnF8c8 z8pa#bI0eP2L{p3eZG}0w^QI^!zE*YCps2(5@SGXQAtij49S3ITgAcWIte+AMa4%9# zE&?^%7C|FSUx^)GS8so9%eVDb}g$MrPHA-eZ^pUM2; zITs3;9l%ArLJC5_bvbq4{76t*V3EEuAxy773A#CL=go1QDByMhs3!4ACd2BWk75_Q z{Pc0TKM>pNzL`2?X|`2e*_r7Z4!EPEg*mz}CXnawh7E(iYWoYka?zo*7%$?FqQ;W` zjs@ovj6F^NdLWIXvicQ4hZCeP6PI@Im^LWETbIaCWus^5c_~D8H^12CBLs-n8H>?@ z-Cq%5jQ7?KS2b(D1^;D@2Kmci00rBYBIjDJ+l8eVr7IYP;MhtcolN~7%vek zKXu(sKHrD*h%Z9vqte7X@X9-rZTtC1cP2!N>PmVe?-nR~;R?J@LEXskpQG#1* z8`%b4sxDsS_(*iE1#3`cIMF-o8KlNAZI0dPOIC&N5CMl7xm1O!vLn!?F?Ar+o`4xQzb=5pvFI>0U0o;AIy0G_A4K3 z+>WnhRYS9KO}E8vaq%sDj|l=p+QxS|stz+E%iD|^w!^(30fy+hKc<6Yp^Uax=w02V zD>Xb#&(Xdz>#D-V9G!sgP5z4(M9t02@WbK%ER%HRT*w~h3s52a@VV%6e|04n$5jkL zR@bkT)2mCm6JWa%2*U{mnMFph}-N_^K6;5c5!!fdib_fJ%C>AIA3ef}zM!E-AULOMPoVb!FGsYi2y1aqv>zy>l# zri1Ng1f~vqg*DpL&?~(HTYJ6uo4GNJmeT@@4b03I=g&kAB3h8Y&1=hPKwESwgTi)Jb#3J?1Ka2W3BRYS2Wu4*09U=QXX zpCd241%1}$NiB*A-wMkk?t$udJ^RH{Ul!A08ujI}e_bJtLbjQ@kDRE^HqftackuNK z1d6?^bR7I!ehQh;8@lFODaspPA}!BbmMxyT0`y+L{2B&fm}} zZf?)`EBMnoL9Y_wZ*`Y=M(Dz>&BV?q}F&A-|A^Oq@$YvO{^i9Z2 zG_c(r$2T@0P9DqLHfq5HOIb&YX3jd4ezIpAWopI?uA+JG&tX!CJ4gnWpJ{he>C3rq zYm;Jv=4s=@WYNWJWD-JzOsI6OB}xHCcZF74K?T{?MZ?L}!Bx7UIDbgv864E0{_6be1~ zcA2HlnBezJaP2Xi5KE{iOpN_ogpdw;D08wQW)QCd_9A$O=Y*u7(0ja{j!0r&gZF}YT%$>jZx`` zBB9Ge(Q^FRmipjPfId~Xecwntgca)lDpYN+G;C4qyQ#AUi)tREcCP3y;{&cZTa8E< zv&;#Xf)FCxQ5-460P|@KyapE+KdEGO1tdvMdiXn9bIu%#qED35R%KcsbSYiuZ!Fl$ zyzaL0s_;<%pCm%imgeSo`PcO?ROdsepO0aVR|U!hQx9pYxFZ2^ff*V%xz;AIfEZ>i z-P!h=UU6u~pP~gK`hI_bUNr}DgM`k)E_aZ7Sy$0vs(ci`4tzw$6~_zS?jccK$dynqgN5?VvgEM=s>bPvNu%LmpB%v!Cj z+EO;E&7ylx@^8x=s7J>+S=!3mKCgeXI0_8l-JiSZt%(jF#7mc#xrXjTDm9|+_`Y%Y zZ$N?n>KxiTG||n+Zf^anDtQ*Uw<%YYR)9q41v&ATr@g#*yF#MCa144m zU0l1pa>5hlDJ%BBo`<@`K?O5gxVL`<^YdUo-1hB>5cyQ$C%{LnkDn0(6iAXuQnsWh zy-H=iHdmZdjsEg?Fu%+@+$~>DC!!7#0Zi#9FM(edO&+`1jt_TAiH+s*I! ziK<_Q7sZ@MV~VoNCzwP&cRUW^SJPc}sp5=SxTo>EmQq%PyoA1b zrF(0nEPdr3*L?n3l3<6MAtXcD0qcK@pax-wr2jS3J#|t+^ z?9N35!FFgC4g~G19XJZd%m*G&%?A$_rIw~_oe!w-(+lCBZ$fcM`NvVTVZinD9L=pm zg6QB=cSaa>6{^Blj4WPg6!xYr&%$? z$Cq?^gR*2 z@9+lVX8C-Pyl5N_n`gDwvf1rLj9k0g0+Y%l=E0o6LB$3r<|lkOV%3QBx2DQ_O`(-} zZL$aF`flriZLtaZ%_NbfzdwW<3*v8|lWAXFNe~eJ7Z8`>nUCqQ!BgH1R`hI6Uo#I! z-!{}pcB+gfU^q3rcfA5WYXC1%d78O6zlE73?G!@E0D4SiA^kF35S^%P_^)odbNOAZ zVS<;IVC5XYRAZs&B#tDF5)?w0Uh3gux_JsocG3%FNW{_)c@7$P)I?^CMC0{CW`3OX zeJ4+@JqF^Ccuihg>g9oybI0CuUH~{ORsN_3EkyY|fGORQYv+{@dKfD_xe~ra>)H#5v_zSxQik$QI{sH&bMaE|6qzo3TU?HPdGvi%s4o)mgoafX$72n@8RX%YIl2PQnsl<1x(GGsvR=l>F zq(5ag0!Xf;7(n!?RE4@kWV7daQvg*gU~0p9g()G; zn|R0CeEE#qT}5i^*~#t;qd0pz%wI;j&p%AFXE|IzeQSR7lMXG_3cF`)_!?MG=?w(e z_uD?O@luWj#%HP5Yv{A+1oi1I-)ZjH%HR$!ImRq8;f7vgTez6XPz?~CNACkLm=Wz> zL$X%q5N?v~+1znvWzD@Y9caofPNawI7nUgP&(}CLvv_{VLTqayribWg+eBy?<{t9D zEO$GIKmN@J^;18fvXxTt4CV}3p5w^d>8uA#yt&hPk9`vnj_Mf(03PO@}q!IHo=-G_1hT&#^ zRXJNJOoB!5-xaKiZqrz>U+Xr@aCNiNw8@XI5pfR^s@&HO6uWxO1urdYE0m>j!q52` zEVyL2t#w!a+7h4J4sTFtmQ4Z^%a9F0?Ahts#NZdCYSv7I7`EAEqHsr4ar5O9<%pdM z?Tb=}?XNuFVau_-D-VHoTn+5s;ZV7*tA+HbN1l%$D@>#G$g*~t3b@Xy97z)=rU_TB zV^4Epk4QfIApzhlr?7Vr!8*&asjgt5QbOId2r6hgjd&y4MV2yX8j=rg7>{SQo#&S! zNwnLLF{3Y4RaLa8)ml=w>E!Ge&|rgV!fJiN!g}Sey6`R{mk{6! zGf;Wg85Y(j-2q0$R(Um*3Ek41-`;Pj(T48H>@$&JSLjOc*Kz@#tWkj;9H}T>2O2J$ zsL*Ct)oxF9u@<$8?6kuCaEP3y{#Ut>t^`z_fT|@>1F9?!Y*c#NEQ4tUYp#f#cOkDK z{*qhmA`)pb;7~u0nJz`KOlW4P;a0!tjtwaau^(ueMk56Fn=;=#u#_FMaxAiD*>kA|5oVNyOGIt^= zqY+}{M6DE}Y2tOH0eE-H+d{X5*l@^Y5Nv+_yQI7$g_%0`E0{yZ<3>jUaWiMW_c#wh1?p<7@qp_~lFB#(PA( zjRGfIO&7}|T=Pt2VjCu(YU@xmg=wbU*?v4FKZZ6gM7!|~Dmqw1%K2?{<7U7UTg25j z%rktgq&ikad|TXJUpwgcEnW=W zQRdX93KPYw{`7bH(Xw;^Y^@(XLwdoH;6KQ;bmvd7`SLL#sJ*6Jm}b*PZ-;!_Ni(tR zW`U9s7v*law%POSD^wXmfU*a_KT!KoMANIKrG*w^z4;@O+|Vx#LCF z@8A=y{lS+7lu6bQ)7e7b?e%zee8DJ~w}Ps5krQ}eHk;^;V|+Mlb^6XbRv38~!U#Ok zHX;X!UBeEGZ8`uZCjt`*!PYwau_ zSzr9MT(}k4Hp+geI{ccFk_0D&pOz4uT3d?(0pj$iZMhFS$eJM7-2cWKYf6-?o$eSB zq^a0oA#bM3ASB2el=c9mI}b166sJ+9%65E!F7_nWLS;@giO`*?n~VIRENm~`=PXJG z?e@r5+3}avk0WaSAb~k{hjCeSr1tM%Wh8mFBSj_T62Scd)>)QFBRYcLMymXb_c6!Y)}J7wvTX+RC2*C1Cb$Kquomql-cYM|$-=RlUYnhe?=WlOM$s;DRwFAE-C0>mS z&qD$UADPW@<~-jEn#(EcJM?p#3_8F`u%?M9`u1YPN!3U&3+DNh)K!uc;D0gvL_}X1 z>8Q7e<8#0LZzW0WDuE2xX%pgd@Wlgixm{hu#Hj%k?wQ0h(g%*U7x$_g5hwgpH*M0x zmfK#7xZZ1}x70=xFt_;C7jbW+LC(hA?XpL5#VdRd3jMdD^b6lhP zv!fg9ne>V=`DZ~U*liEzHliec{*M^=wkLt^r1zSU7`)Wou|he90_^hT&dVU^hE2RP z23$8?Ie$gt_E^)I89$$vKil4C;clPa`PI;gQUpkSU|=kW zZN1eI2KM9~LrfmIEqE6?(`Te&{ZsXM$U_917I>W*J+c!G`8(w(4v-eXDvP2E11`8f z=Mh#D$xVV9;_q9O_Ii_798>IQ0GKr_(8liLD|z$1E)1~ShJLqr2cXb`{7dp_frCB%IJ3EN~7eK)^{ppnzPY}f= z5a{4Q`ubUL9WiY<;i;PkCtuDea@+ghM*iUXXShk zHL`Q!MVP?0eXT$0&)A#oMm}$PMV9!!M(+gjU2IEf5iNI%+5r(C$V4#tM%51(_jeI* zoPr_fGY5_HA%W*iY+t_?l>qi=rpRBR)-Eq_a?2{~Qw!~GsP*eoFX+zSODK*zCU=L6apI#b;8$QaPAL>SgK zH&DCe_JHL=3h1sbGoG&T+edf2;vKg!9|LX5oS5Z~;4w8HD#B<>h`vd7%!C$vu)JRE zYWW?AJJmb9PhX*W~U0)Wq^Hv9>6rvZkDuC4~fA zF`}Meq;$f+CwNmm0Spy5X7vhUcn6|}alh7Q`%TSWhLfN4iSvx7RpIl;$OVYzbA$`x zzK7Tg`jzUIxHod-T^s5Y_R@9ULo8|a5#by@fG`Tla&>;OaK{KWaYE@`RFN0)N{{<- zR3S_Owf)G5(0rab9s`o1sb0r*Gi2mf5#1Z9`Kk8U{@%dCVMdTT8Gt+iVV^BTEAbh1 z7}jgM9hpLsrn(^8RgBH`(LrxM)Ktv-HeAyMJMYx41WC z4OyTXV5qr{=CQS*gVT_=4O-G&tM~q7x4d#$1`^$h62)a1n_*RSx?uw>;4CQJrcf5O zk#F^W>t8$TmpU^$&Rf8cZ%Jjz$>VeMrMFh_b>veUxfk!XPS5vbHk~(`i3DR`W}E_O z!{&F3V@^5k$dSZk(-wU$Z6u}2x|+x!gXYj{+wM75qb2wxbfye^*)ekflHg*e<+ z8GCinGG1o&2(GH)lmoz?(H~P^aB5=gsohV?93+AAgF7@T3MV$GXhm4am^FPm0j!1& zIP9;rCtx)-;trMQHeal!7;)2Xpg6Ywm6#EJQ(xnJO@It<)b!d4!G!Hd z`09vR=dU*{UMErg@`DEry^IeGR%y6DQDxS_| zm19{0MM)(7%3leIwGW?y7rT0Zj{-@$;J3v0Gih@yquX3RkK}^(BsA=}l15!yS?%A3 zx!5J4-j0SZ@i5-0<03qkSU9(e{~aRnQvNN$hKAJ;hM*onU91o7l9tTw~`y9L@(N0!?*%RhdcvsywHR z#e<*oGE?o+Qfarcijy<6oipGm6qP+!Kh5jEv}BILrpwDVNODre7%4nZF`ZV&t5P}g zyy~|RuF^X88LkkVvl&{gvLok0?ND6gflF{*ijgd!H57@0`pJURN`aHSeue8mX*i$=YXb574r%DB!d^kUH7i$ zi59o)gwBcdR3Wn?F5^1C)9pp@XQ$(@LgM->#})Wjk%7i^?;tLMPxh`kitGw*WlqF- zH;aiOMrr!hBQ6*ot_*&qUxv99h(p~{{(gi!?#5+4l$STja_dlA9-Z$NwoK~7YAVI| z77>-JQ}PT{ulN)0ZCm0H^zn|ByRd29qsHqEhUb#fojC8J071?7oYhM}c>o)-ZH*us zWAoKWa5u}>^KJfJz5GRATuC6qD35$wFLt^BC@|RnN3Aw^zO9Ph9J{3|n_fnjiMu40 zsxB`Uuqs#sVtwY%zYJn8M6CRp1O)9Ak5Kh)uon8pMX_!|`N;VwX&Qok-2~IZCX?pY zQhjc1h0-@P;&;`aO}-J3dD`Q&egG@w>C4{|%kW1V17JJN?gxzc|m^FNZ;~v zTjf3k`y&C*jN0ROkeh!Mp2OLsj=(XHC%e_1!0~UG+v+L6VZ!;s_bf`F(Y7?X3w-c+ zEh52fku{wOs=X%;*W;sf{hB92|7GD&kBqj0!p_~S(D(8vSSvtnWQ>R;l-OOvKDE4^ zjd<}Vz#u&iz)``|5{)JK zkJ{hWKM4UbyX;lb-0iz=&l8A|!AB%{u;m7P5a71MJ$HvN$NKix_i3@{x^GXNOg;qQEr+RSzwSxPHdUrJ`D_GFNyY25 z)0b>@=k$&a{SynD*@Gri-h`ifo>bDJQCkqs{iXRTZ(IQlS92~9=Ck9`^{?Y0i6*$H zhl#ri{tsPW9o6*z_D!gWlr&PK1eKER4Mad%KnW?Ok?v+7N{4_7N;gVLjvh*P=jhQ$ z3>XYHwrAh_JkPoB`}z6(Yv=47*!8*Mb-mtky*}qQ? z9?4%=J14r7~Edv{=B|anc0X2b|B%X4}l)L_IbdMF;Mw~ z`dY!^z@0@JY=KOC8=@&B@(C*qH?LYenXO9ya93~SyM&wBz}0(}*@&9v!BRFXTZ`#LV*_R@nObkKp(ZqfP?`f{Zw zH$CZ^ID2;{9~J!JEmZu%E6$!OS$-Pu>GQ*2#7rWb0RA(#R@CruH68S(srS}yeb+|- zvDq5OsPTMG>sCcTJ@Yute^Px;?EQaHW$s=qOXcthJ z(F+yMKIr}u8MRbdV$uE!0RgD7KvRYPuz?eWsaB$_>gjLpQy{|NizLVeWqaij)M%!( z^u!^$IP|fpNiA<+2X3dcNHZ?=U7{sa*%YRKCSJB8vOzg$~1?N$5jdS{HjL6=H)I&Pm&SuZ$Aot;*Xa z=CSeC4rRb#cz=Pm2d0PR>f_2MH8894;YA$^KPP0iAq)Ij{~&cBN+)h#`jexS^WZGN zB_!V|sI&y&Z6BZyf-1Tv=TTD)TgN=K!<^-{}q2*GsPFkp*lnKAhufMk)ujsP5fA6I$c<7#B#|3p3 zWPF|L-Bc014RpW|UluXn-XtxB2cZecK09QLl02f%-mxaq3+$kOCEZ64%3m`R-!o`f zvZKw|Yeswp7odj9tUXNQs}rIuuVxJCK0uKykS>@bB}6Ez|!ES>k6(p05`3~I~rff08VAFdZ2s!3_$6#U->eL_}jGYt4p`RF7;CF zF5d&M+SsuszO{&I35L@*uYys)j@i^tfn%&Wm%oWkka56Mbp>n3m3O@W{7}bnL4}X) zb5}t#w(V>QCwRci0{gu)p!9sN0$L<${sP`7eQ5BM`}L7j!)e~L6lSAXx8=JNp)piT zzWX~ns3dZQP(n*a(%`Flq0sLubW|Hb+Aj z48z{U2}Ae;uLj|t(soC|*xH7a_=8=+{OwU~_OTz=kFlH5U)t%*JkGl!G$988l@-Pt zs8M5STtzetXa^s5Z?W#~*fI`3J-ooJAO^Bnp;Z^KgqOF3!J824%f-bM#WJGSGp)pu85fdqMI3YH}|7Uy-4fMv6L z!H*0hJDgw<1kPWm55O;WjHYBI;gBwka$s(U6V-Eo3;0~*4xBIGy}=g9*x;-?B8m;< z_Or=5^n~M}+)uKSPqNE@&TYnZ&*M0!le%!(UIHy4vEzZUY}2yyAB6 z^K!x;FPcOFsd1i|2NEn)-;Th}d$fWJEQ1Yn*rvv51pbaLa2a>(cXjsNE}wl0VUWWB zXbNO9*iMbZC&m0sv#4Wt4r>M(4l76F6%pVeho6oamr2`BKh^nWn?!^Ske}>{UgT0e zF6XC>6JS~Ru^*ZfVjQ&|$0ZEgHTV&Kt`7r0v_whue3Z>DPqn5%#!w|$f&LU=-UNMf z`!ikZDzHFjtpp#o=Wj9BZU4FBn{s~ZoAg8LzB1Fxq9h&L*FJUo-~F9BCUe}X!tq-N z9BNgP&WvO?HZ*15>8>aGXsw* zAB%w|xlrW%_0Zq}V}qDS5^%65sh8godDDkgv)c`uKbtu>T~D>3=w+_pkMW#qe;t)X zRxpd-=oG(nIC%@Mg&%=A+jKC;ZWw+<`E9ty0e^p0f5RWD0c{!V@tvnVqnRLpJ-wc?IWc{-S#A6yNf&_xU~m^b6M z2BJPccpm5J;sqU3$__Y}K=-wmYa*$Jk&Zw=m*r^%2DiIRS0l|l5UolY<(!Ne*TZEH zs{Kvx3mNg*THW6FdRvn{yr)wiKmwYGpGrNwSK>LSK|DLMVL$J5iDv)c5?y(nOF5b@ z1H206O!Jd!0F||}C&B1^yJ}e<2pVd>*V%gb*i&as@bR@E(e*+2HPiYWyJg`5YMyGM z=|`FrMzCPElNAxB&-U6uI3JB16Q-8X$U@EePAe;{(ZCafvFw?4m)& zzqb7+-Qm0A+)IY);8#QU8*u0Xsc=-2sK&;NrO=jmIt^=1j)Ik{z`-M0k_$KpD5NMtV5hg zcv|~E7+qNiWA))w8yTZt`q;BR)(Rot;9;d2OrBko3>SWS!lUR0`(y+ZKDj4yIg3>r zqJlG+rkq%P_VIGw>YG{54MaqBEbOZn|n7_eBcVxby|Gb2j@)xW2Hk+E?NFZJDU5D;R!H%F0t4 zlMZ4O?m@2fpp!Jo1o2;qR3hO z=3~LdWt0xjquNok(Np}ucBmX20%+3xYOl31!ygLL?J7LZ39hy~lupZ?+=}(wHfgwb z67}p){r}Sf$n>&m`=tBFQy|2Sy?xHm?@_x53=8PBu>Ms-4(EvCvwUP3TjArlwb^X_ zPD%jPoBc$=`e7Ams{H7tbA-iVobU0%Mb-TtH;gm>KETyWBiVR2+-JC066iE}H%IoS zjQr(3RZNt4e(QElc=-yT!b#-bZ4vNet{xXZibQt3~J0mC|6TCEzA7O>{XS(0qoDmm?YM?0!NC)DId!WQH0Ba;10xmcdPgyaW+;Vd- zaRGl?gQul<6enom_5}H`*GwRF19Uok(vpVzPbU5-mH6I=>Tl29##8G8j@gS5as|&jBEaH~Uh24~+YG z*t_2JB1dQe*U0erVTV6#FZJh|vp6GZGW~a+@FVV%*@FlG zkYruyq`Y+R(TYnts6%wZ8<+>X z8<%>dk4xo%m(~~(__krI1>csnyqQ@@&y%dtI(Slb-kyaU27kjpG!pe+^SLWa^SDJL zv0*d-eSgm21gp!Ua0e|edx$$O55n{VE1bxNyZupPRG#q8f?RvE1(R7gxg;GrRtLWm z_RR{@ls&o#`9o`pzOUl9fI{XiHUJ~>TWKRZdY%|oukW&w>!M`u7XyEaW_yl^2|i;u z;|on8B0ErWW?GG>d~$glHu16yu9U8~ovo354z@W8TG}<}g-yI1S=wo%tBTk>|7<6B z5&`|A>Aq@k1m1k(xViB(Qux-whF(cWK^@ulnQfbh8hC6?tf7ES!>eRX$Im_LSE`YKo*}f9+=Lxowa$HI;7OMcg-a?s=kSCFx>YeCpN*7;7MuBY` zBE}oYs9I||46@;nmrwF;Bw0>Bm|U02Xk@q}-00TMfF>hYzI1T-Vdk2Wld9IKe^3q>LWf+jxwwUXtcVr)p6-2*n<2iuz7Zo~A z^o|4Qr7CN7)NdEUmi4d9EUzY7b?d^3KTPwtlJXqlb`yI##nR$HfvBU-bM&fsYfLiQ z3xWXjur#>Q;W|j%>PcKe*H~~oT4?xSvA@G3(v&}O07hwCUG;}mt8xunpOFO$dAe(j zAmx#MW%NRYpp;ms+h>qnixxUj5HW1*$`QZ{=n};56-0+k-3LDoc(DzDEnP==Y&BqpP8)9z2k(t!@iNsT zzq9_ZL}n$;mw40-q6Q;=kBXdqh<~Tm^un?)%42nnIP}~lXF5v1h7vn&U<4X7`vl8b zoFNfM&!l;xMTQ~r-j`bZGIld+vyBH5(DI`>`l=@zq=+OCOO*v%!Uy{|{xo$4vJ1`o zyS`irJ4@pc=;n)cq=)a*0Rq%p(G_-1_U+FotNrVG?C;5&i`w&F1!@i3!^AS~va!s{6zJTsm|q z`L{S1xLJ~&oX6*=oHyiGs8ayOwudx{wnm za_%n<=yXFpR=wjnP>0ffd=;SpxO2T;aFjgo!c!q@tLpkrPsE&1gUdk|t85G1bygR& z&L$XxDvmPT)|_(4FqihjuV*8U=#%eylh>W1)XC4i?r#~!-&24jG>`2kP{?em%Jw~! zX}@;CPl7ul=A{<-(sj?gjE{3JNcNgS_!LO zd_ggglxi8K{hwMapsKZV>EYOqoDC?BcI+HT$UHjqX}quLzz%C9yKK+uV6fcmQ>l^O z4A;f9IZ3Z%MTc3j>pDkkpZheS_<8UWFJ8RXs%YvGE*jfDxeb$-d(~^@& z0=sqS1o`89y~GR|y@zu)a~gNk+_w~uKf>S~aF>Tod|Ow>YjI9$4P={vh>Ry!)&Qen zi$pIOqXKgXPH}OD9$qLw4<((DODc9x%&977?fIH}%ovlB_Slch-Zj7ZOgJ$yp9n9cUc z*jd&jiuzA(?Cm)*zvMGG6X*%!Tj9A;Gt?U?8SE{v@GHlzfL-)Xx_(Wlbr&G`9_ZB5 z9CZBUM_JDI<|b&Li>aHR-9$`Q5@>~nhXqF4rz|2)*_GNa5oTB7<*_y(tW16!krQek zysjEWD*^nTBYTgL=^#8D@p`yGZK3R0RD>!O=r~{jRjdmvE)z5zEz=b2!4tDw5~@E( zhTU!Tm=w>wv#*CJ1U&94VFhVA>K#StzBbs6xJ)#9y+)h8?-Bib!IYnafh>6h-=Tz><|+NKc@3jE8yEUC*_|8WjoC4g%5G?= z*E4Ez!An&6d|`%)Aj2yVb@f@-d%Elga`dolPHf6~S z5RM7Y*@fY3Bx;*Ao2z7c>KF4(2R;~)>Up#;M3Ar#d=)W@TgYy#6F{W!{Q4a zJ4k|5ZoF&rD8lbX*!u1-u*TXb@zf}QA2UAKLF7>=1fmqpEYJAGjRp7XZ-$Mdy0Ef-r7Ga8ATb)T*i3?>#CH(Ch+O{q*b1c=E``jkL4dI$ID|Q z#z_{=j&5v^%t<+xk*L@O8H11o(A~39$SAt?AQZv_;GI*{%+n`i>rQA zXWUpa$JZpt^o>%mBO`wEWWar}2GRB$8=B=o6S8Bu;N8H+lNfavr{tgc(nJ_Z6G zqP#F=Mn`|PKnYHFdwe{>ev;<)vGaAP5h$aD|M&X=&N&KR&2o2PcVU}d5I|Qhlh|w( zBlKRvpHh1eJrsxK

UT`bz8!^T~3y03{X;xdn{WGQ+_e`CCaHUqdV5&@5ZhXs4~ ztjL>1r3D}tmollT4@njLv3X~Ndn9b=62L(rN>L3r7_;&TP6cO9luJ^>OL_e==xs(s zNmE?g%ek;cxjeA##$nxX`!87|PJ`S+N`ltvtLiD$EK1Q>2v*x*fRaTKar2BHdNsQK zTat#8aOeVuS?MCRuOWKfJ7VskcW!*KVKC|gYdCUn(@xLG*fs2yRg>Ia@Y!cZO0uX24eutKKtuS$DH<;$lt42A%fAHZI3=E zaz4LJNAw>b?rzkp=+^F|Edghaal}Ab&XGmJ=x(De+7x_l*$l<4Q7s6f79)=iq@?sDV}fPH^-stVpvQV)DyCqkNX+4ULZDZ;z3Yn|@Z zSN+L0+rzt*9Owg_zZf|081OfxxW^5U^!+o|D>%=o$dpX5ww5Trff$6M>@GmpgW!8q zp|H8k@AhN)|KX|s>%QY-E=9`Mz2^r@I1Ch1wUh?M#2s|s6-Zx2LuCja7KqPt=qfyv zolV_U2AO~#OeO^{ER4JDnUJ)ZeSDb4mD7znfL_-YXWW#HilTHAmIh;=T$n z&tSB9hlTj7N_IbG2$$5Y7nb_Ab%H0kf=cj!EB2VP6 z?*ZQGB_@U#SVDIy3pu$B-jk!&yW^G;v*cP<(4FALvsI&q|52|0H`_)jiMA+1aa33j zNC-OdJYJucPUapb*A}BgnVLCp>PZbzR$fl#SYPv8%1*9Bnc1C{r1omD_J)ZqF_zAs z%2Or}e;-KTlLF0{Eb!H+-r?^B_xyHn&)vu4$D`OwF!X`a6RvlxL?4=OvIA)8_c)B~ z%-I%Xgq2{T!?)%iw+HHP@V=h))=y*nQ}{=WXE6X&Ykp zA;I*qFtzM(E79MJ#B|v%J~dcced7=F^dnU^z1`aF}sMm@ASxtTxe4g74^IJGkt~52@kC-r(bE1X1 zAeiAlf$^VugCvE;#Luqy7uO8mY%QzfX!dd$!X|)rW_nvPxi{v@ky1-SR7_amIi#)lVdpMyq&*TXKEqUUQ@9{;ujd*6787}<+aHzZnte;g9$(Kdr$D&kV8&pu*^y6IVY#hJyhW0EF>y4M0yj+}0DJr`r6j}v84 z&m#eFz0rg7kB0OVLmUvd6(D;&CLa>3cwfzxzNv=)ZzbdZn3|*Mr_27#d3s{&4pDnQ z=_y6s8mw3+PkX7Mm6x@@qM!iazp!S#!}vAku6KQ^eJd+ClcPUT#G=+tuyDYI`ycBg zf3p6in?JuT?|%EEnK9&zvZhXYSYQ7gIr5|rOwTn&K(D0)PPD8xHsXLA->rjbIp+B! zzvjT5sLZEm$zMO2EjOv{Q}VSyvT*(rVeadczq+4}h>DSDgUYb#)wHZO%{waj(>uIk zS{Bl>v}!f6Pov^E`#>>nt;ZB;=HuSE+{G_ew=K zXNO4>x3eXE6|u*So{0jEJ5^n(D2@~Mlo?jB%N-RVFM4jj@Z9KO`mFjlEbb@>BWNN% z1Xh1^eteIx-UcXd!^=B0sUtJR`k@ssIcPI=S(<|^Wg#=y*wRar%E*#D+!_7x(rfAW z@6DkfS3cD4aLuYRv)}(x3VEtw!9;#J&plm#J-vx({ShH)oBngBDejV2XlhtJ!SPBa zw30TbAv8V*cCv7Xh6wR%EYN#6T_x>lhfTD%dN<8qD@vcHpLByT)%`l%|&VW2e*dt?z*%Zm3G?=k4g<#-plGkrC!!%pHIF zx_d`ZoQKOyCdG?PhFXd3E8wokd>%WU#rfw{z})MkY@Y=g>L;dOu{EKziP%0j5ubRm zn{BmM>p4pM`&L|Sh6U390z39M32E~DeD;8WM4)(c~M{gprYklEv4F<+idVb z9w;ZOm@90Y-viGiLrk4Z)06c|y~uxrg{f0J=KV{X3vQq`Hckid0Tj9TxE(TX_s5W( zQtjBaH_HI>D5u_;wKq59nHc5BBqFp&O2tBN#pv+HiuGX04e+2p`j}4Q?C+j<9o7*` zf6&inT^VybmGX8ZDgM9ijY;n2ar^ge+M6@_+L*(0OAen`3iL+Vm!C7R#Mf9IZPaGd zxnuP61Yi9dcjI~u{3ZFRFydxYx6O@%a^)EO`tfwp$+Gr+<4%+7yzpZ~RVfvI%7ytlzHB%EH?0f`~o zwYYk68QM{%_AqtKS_TX}b+^SSZL zwU?cvVh_1OP--u@|8tS`Up_g!PsGFLiG7`3{+Kj>`7!Pz5=kr!6Ui3v3SQWwy(4^@ zc2bbk`rGDyq;&ZA)L|Il$j*+v8#0$po_t4r{O@kfz1wJVLrXEe9oJ+hPL~ z;dx4PHOA-5;9ZQU*Gp<>&D;)4gX>9Ew!@r4J>HA{%4KQz^DYmk_Fk5Kms_-)`LBqh z$myPQ*H|Vn^m{)EEj9i~pi_B^k56F?k?Qh&Fp4sSKZ*;lfU2Zgo#iMT)8hELx$x=M z&>u4|2lQHz>)qW>xs<(tzag0-=W#BlJ95Cr_Ev~kvQkzsu}j=RW(U)NdU~H&OkS0i zmjYVsi>J+1r=P{k{7Tsa1{R~lKC?#eJk!S3+(TuJf0AP2%?rq18{(aC68i8y@W#_y zORd3|C;5dpLxL`747L?oCQI(;>e@qUwH+ah}cP zh2%{=-I0IVZ4-UQxfkeD|94L3-*=be=*{nUm8k|C9&fma=8u($o|>Q4jlN)eD0(f4 zmm0D?Dem^0j=t^_`EKwH{K(|?>7VZfa4qtar~*8&0a@EBE&heYQSlR%Z$8%h#iS+u zoDZs~G(s}}828#V%kCqV+$d&Mtal8`Yf|iz=pui10HDi4D8Hg0N=?a<>>x*6rLuJrA43*fo_M1dC2XWW%X>A8<$7CIgS z_U2_@P9Y0~ck>~0rE_vYVPZV+%s%2pHORAnN$FK;m5vQ!bqX4a;Adui_H(=(T3Q{0 zmn0ia6|6r5k!E93$yVk|c~wKBk~^Cd%T~nPWUsbWAqzH}B>BKY@O?G*=mWj1zt$j% zoO`TlkK^HbET!iiUM_;jVB(t0Qip&jy?4KZpMD{GAPO|G{2Ie#(}@xj6Z?^nDm)K9 zx5xO#QBK zd@#;nQ+oQ)ZZ#Zah9-?9$R{Z5Twbr+IEK8%Cv=^skh-AfaQY zrJ0oURz@mgow`0sBv~oLY9b-r7bs zG%i6Yw*uU`TK+Z~`!`@RCJNWnC;A>kx>q^%I9W+D(TQ8C{gOOxc08OtMwQ@WfL37(j+Fz*Y18tJowEFQ^-MlMp24zp0- zgrp60Hemi`)1)IywZn`k^m^n`l2kuAbo46A(EQI-N#&yKrS3VCK z;a?YVdAMGrxwKg-b~*Rc`8Dw6zx1}2n6MRvYpjL0##67c$Up&<|;kc{kfDY>(^ znYKjdCUmq>X6;Z*cu@22mW^?DERlz9i;suBKWbputQ)WHi|XzD%sNjc8(cRidc7Of zfMi{Hf7=u4rF)8JRsH(E+}(8tZWPGTC2sU}>UAtrLGWTlm}=LMa;9*<`#^p!YER^k zerg&Xk%ma4=Vjx(j-qm6Fa_+~q3dLE!czNnPEUnYTFd9;annlHOP)vqMRGzN)#a(4C7UsnzSoTr3LKhukJ=k`dsVHrUiRHxQfhQS+<&t zhA)DS(o*#_@V4jSK;Vw;384@g7w;wc$~l>51gJP$IJVbjiU@gIw+EIRsUZ zJkVb#w9!8sM()q}3IlQ8r~S1WLn+9KE7QO8yG7C)SHgKb0Mv6-;y#~RSc&|;{^*Ly zctn~}=xck=r=VdIjFJ@iV_6wxE2h7_TBRW+_GV9`)|~Z>`S-$)e#@YdqiIFg_KVeF zRc;wkDJhr&&WuNV%dp#duVqP@_8O{X#UsfCi0q8~P#z8QSQldUd>{y(=$`b~i^hHY z?B%sYHVULI)8N(JHLpwPEdRH>Yq_0nvnpq=W0+q0Q7tnw3Wb}OqatXD{gE{4%6y+N zhIg-(KgrC7!c9qNsN`Xv{WPS}gTx=4<$%v)74=FQE1j}qEbg2Gn!U_j?nmo!0 z{t;m_ph6V7VpTx?l&hS>Zar1&(c6jGukW08Y7TeU09)ri!;if75euaIQXaqZH({#b?>dI~v!(E>%q7Hdtg{n3KRX&&K zx|F*LNrlxuVGvqu{>f1NmQF%~F5ywaa(1K}Mv>Xv!&76w(xWkAXT6Xa-;pYde8$sJsAsB;LQU}eL|Ek4`sf0{43p|?VKU2d&cq&=c}Gu?joUv=QdKMFCiacxWf36* zNiz8gR*KjFXye$~V?V>q`t-L#g~(A|@ORU4R9nSiXW`O{hWo$dg(N)%IYq^(CjDc= zVvezQH`eLDSfYqmpAMCHH|a&CC}kesSx+}riw*8lGdYpsUm>Is;k*rkVzDOG@yn<( z^#F6IbHy)Dn`JxGxh78E2tpC^u^r<3VjMPS#gh}q3xfg!hf&vX`4lYkDk18P)}kZG zzK|;Pgn6>>TioQa;L34bawq{kydqr4Ys)#C!Q|_wid*9uET-zas>F+Nme+emyH1wq zSIujYEX~v}H~%ALcEWE}La~8>jO(je=s6;Y>Zu_YZ*KV8OnJg0moR~lkc6n5I|k7& zsU7mffBy!o(mtoT+$dpN?fr1fPZ1!ZCF>y*W4Sv(yB~p>w~8nI@U!~K=@Z#I7sh64 zwsKw+FLvauN4-!KlHUjY9`94v-Xgqk|It+7BrNd}{scPiDrkkEOeOFpcz>5UeE!p0 z%HhHs;f1LQRadOi9&G*1m%6TrH9=--%wU>Jnqg&gKT86$fu29oPuX$xJ+02O73?{r z4J8b|9NaBT)zL6@ss9{hRBoKC1DtO#o_0X2ckechhE%>YSkLxfkJiRtmnUdDp z)!^i!N2O~&>eqgnbyfwwF0<&qK8Fb}?dtgcM5sPtsXZ*IjV}@c5uSo7qjm_RXGw#n9ae?`etI;wG={W@m}p zjgmgHSQLEH1+p~Lzsx8j}FvRLGT74114k*i{F^F3JbUi-jU+zY}Y*!@n2rAh$U z<0#}=mhXb&0AUK?dPglL{N3#^J8QycSX3{lI0t)H@*^;?gP8rN9w86y^z}bqcw;ZO zgTMs}pOZq*3MQA1LNA(yz6IzgAg8>Sd}ae`3U3w|r4ZB9!XJ zuWG#aDP##LZj-a=kl-if}@nS&JYS*@L>t)~Z;EI0AJcv=UX| za~Oeow$ztoG@<*&qSvVR@h_5D!5^O4k6L#fa^K2XA0h2Q=y{RVKI6(Qk*xNkh9zIv z9S+CJkw>lC~p1h%9NS-S7g`2&fr~K-XP&0+8^Rwq4RHbj%neK&0yOxcmLkZZJ z;l)Bvt=9-LvPgVA32w9!jahw)w8BmFEr{3bk;82LOuV-!ExCibkmemI&g-&*x$lbT(Ta^D0j*BM zl$p=;OUIm$bM=-#HG?+v5}Tg?WL7a40|y{I0f=a|7X<3&EC&0R!)~Feh83?qH!KJ4 z7vHSaDDYD>D1NBX@h$f1waoFB6f~fq2J@AR{$;oLct`P=uVIx%7C{1+!nO=aaTL&d z^v?5mjqjMxw|Gm#&Ha`n*nH>SVA-wSY=;q3GI2Zp=#e(|QFU5xSvqjdpi>l0?d`W_ zo>pb&{Fpy&>yY`7fOwfn&DgQ=BrfSOouKB8zPnZ4nCG9&x02*h{YMNuwxk7GeK1A0 zKG?V4Jna(jc9c*Y?E*-%S56YPnWb#43kVl@>PyCyjK&9>43x(ohVqc$U?5?0KU1BrJp#Q(Bei zGc(RD4Tm11-BigK=Gy+G7?b)RI9bAqK0OL53ZG%_c!7FHCiF}<^dwdD-fqE&!o}i5 zU4Lws#`^>DyRaK46+~TL&z41cSyO>nL{f<$WHF^Q_7Me&VO+cEV5gN@;sf46oC^CU zqlWHJ4*ic>K9Di$Jahg0eWIi12VsMp)8J`OAca`o^0agSyfJQw`=(+SGe0FGJA&Gf z6%(6Q6k`*uix?mV^QXuoZa?pbe@+ZWG~Oh=`TcqN?a^-%gI_;6T2(%(bZq)fo7zyl z^(5y(aC)tpZ(~F_-A+M+c2C1h?&st+mWe)Xkh@a~P+3VJj+1k1=0&mOD$Itw#dE4F zj0TiWA1a{7%3jUW!Fay#bJ}it)?j6;#dJV^JI~=Mw{PzztOSfjTR~UeIy0E-jdeUV ztgLE1(EvS8Qa*KULmEQTnOIr1{2Dvif}aDrS}s7iOWn?{y9U2wG7(B9tTTSY5=JoJ zSknW3b+Wc0^a>7(#p?q1Jch-F;?OI64aU#UJ32ZVVIo%8#nEMdLl3u+^B&x34zB!y z|DttUK@*9<|Bcl3^%3|YMr4%2Uf=!aTi3&HY4a|P8J;qb$Z4}f8PiyTkulDTEOj;h zz4}Ab&o>Ds$T=?eEpgu}+pqQv=Yz6+bI^-?ZO95YpQbY3sP9}hbJIU z2-JZWO`{T-AM|y_b){TD19_Bn=7;yUrJW&5zA@V+e*!k#hZ^5e2}d+OGwZycW~QHH z^~AEFJ6`fQ3WWKUz2r2pmEmRq#`?$Xn>@Mw#=8eC%O_AT)Q+-R;c9fAuklU_TI@s< zc&oM0eV#UO%-Ty1#6LaG@VstV62>!9xE8RA0h}qDvty5m3aiADj^# zzE{cVmW;N-*^YLwI#}BJI_W=|JY%np+b;H3{uv;Pg9M^1roFQlvP>yiqxbB!`^tyr}R6bcGaibot zL9$r#On`S|RPM;VQo9QsjRlspQWaL^jylXRIFy{7o+ZTdJCbEaNwND}0UhsGO-nbK zwDCB+!jJLt(3ABi0nO{~55*~c>G{!Vz6*Y3Y;%FC z%u8GIk!c?RyL}pthnY=|85IzXGS_CA;jdy*?_-xRbOl+ArEz zQs&htIXD7W(95$TOdUYu_AufH$&>jiaTEBwy}H4nr@Ec#m8c7Z$I%0CU8}KrJT>{^ z0bjm8^h?XePqPVo5O^r%TuqfQ^Tx5>Kv(*;m93SDt#@zQjuNzIF?tP2WkWMO1Gex# zb#$2)^^NUtup!?F|E}1g*JCz2?bArnaJ%Q04GB&^D%4H_PioeePpm!rYH9dt@SG`W zQq%HkLVWaU?AcP?^@Av-RT2>DSC^sy4eh8hm4f&|+r_eo>@~iKbaO6;?Dsr^IZ4}} z5q!zP^PfGvq>w+>lY^GnlR&1?dHb9!AntOMk5?+$A8T>ZJbNidjqKoT_NeK6x^v(L z4kCUY&U)6BrZvVNh*8sF$3 zlR+zoNK%fk4$wu%w&#?zj^+D5Pc~)T>M8UF3ZWm{W2{s9(U$LrAg!B%NK!(?8Dkg) z*P$@S`)K=^?R*3CSZo!Mf##Lf%( z6#A(iCeYsT51c0HJ~{S-^?s@UU=KX~x{Jde;dz3jVIE! zi8o+e4By7Ho39td0SpXQQ&<9>mE%Y$o~s7wFGFY{o3S2~PtkDtGeX4_$jzR7d;qBy zYhHNWvl(O9nXC>Tff4PFJzeHg899Mg^z;Y(Q(l9b6;^W7ilA-Vg+}8epUaz1OW7W> zUH)c|=2mEU*sZQpo@Dck*Kys5xyCxv|FaHzcYoCh`lVxf!N>HkT1&~d6eZz)?oV9( z^yNmin+!A`WK)uc9KN=!M0hEy5~!66G4y`_!R>_2Qgy9YmK7WTp`BiSlDHjqTUw3U zy86p#{dSra1?e=`kJn0JQ3r{{QPK>e-upMt-()zkYH{zjqP%-i(Ko7CG?-Z zocemp--Im`wWj@xx=`fxdiPms4yI6S4ep-fGh>3a5+GLV8+ddsw{kfW`3v&2MzlXy zkVNg-w#p#K>!oHNs~mBoi2mTuJPgr^_uS7X2J&E@Uoj_f5edfjn9TR1HXta7MdQL& z@pi=9_H1!;hu5!j-{@o?Go6?|z6M3esW?T?|^Yn#<2m zFrT&Go?#qsHfu>b$`_2sDhJC?1~VrUp8HSnE1WooUQOmyMsNo-5xkQpBhMz3BjgU$ zhSz7ImoM5WRJNL}ZKY|#bP6*;1N+6GXxr6Zt4Hs+1FpQulKhTNuNs=$UD2DyGyX`c z;9Cy;H{wTscx^ph#vhuW)W)(4QW9vb2hovzkUr+MTyC%e6Gw+n8{Mm)pvMG{WM8Er zxeHGzx4&8wDX43CS5HWWn?!XMIQv|pd@S+AAqPN8=2|w}|ShVR5*g$A!9a&t}?7Anj zZ>4wMdCfs`s(F3#vm;L4JQyzlS*ZLrD)yr9SPk*WGT<}7@X~`D%PG>eZ@(Qbsgp>m ztlZh{2mSnAZkBfwSdpY3>uEJKh59}?byq5irGw0-<$jz&PDtCWIBKzr<2%MRlYKu7 zv=l=B{E#4+BtyJ+WFmNI{LL5>9WvhI@%dE`b-8MX@@tPzH;%hdW;a^rvOY>@MjB=7 z{~x;EIw(_{d}H@C>i_?B4d3sACuVp@#Ad1m%B~B{6s~T!0?_1McMQCD)XxbQK1`3 z2)jN>7ey})j7*{y#BOr+>|8J|MFldtZm;gmib*^%RLm@FSx8?ef0o~f^LG#|EG%Y^ z=lNBGKpB@dWIk_TQ7bY)Ut`Ug)2Ww4Ea_?0$dguLGfh#?xi-kggqxPv#_TJ$raO(= zqgngTZ4QNo!mT`So`l9r$vIC0Pf|>|qqh9eEB{wp%71AXQ}l5UVVwZB{M;x10oE_o zPnrA1^~8dagi+6{XM(dR5?2GlX)ZOruVGq>snpUaN#)9AOaBBN4YRf!e@GH$H!{!O zHqC7NtAo>mxj`H5D?aQmzCoa6xA!c5) zX}y>|J)-R@t(b$ipC>a)n#G)|X3)YI&b9r~IwNwhRJ+SjpMX~+GrnXuCglX>xPD(! zcr*RQm@4)D?oBj*hRknVr#;rTv51+U53l|JyaO5 zqFD3SBc#WP@m#T+5wg`!w>M)IuGbi_iL%b826g0+yQT~oe>(GNw?S@BtE54c(%Kp& zOn&vjDMcK#6)_UkcMpGsGvEU zsN?LoFKRYPx3ko+4!j@~lnR^h2*PBs>p%V2u&*$*dCz%1+?)VlCGQ_V<=>S^YqSt* zR95P=m#HoeIrQf``0f$fdu#oIY^EP|%}I~@7UoJ0u2sj~*XMm240pT#*si@EPKHh}D1A@d4gR#b<4PPA&Hai+6gY5Rkk} zN1E#%A<0dyq@i7hcHOq(8{7|I&2yD%@CXbmiWB%PQf^V-uW;v*drK7gGhyAX%{I>v zjUF;3isnzHjQrzOZC26Pg6WC=eI!dh@=I#w6B~qK*i`|lpXE<#WnHUzCkZW!EMrut z`kqU3I>4+nZ^|Ze}GfB~Fi^+smX65Na7R0xn6omisqdk!TrQ%;iGO@$4~~Lo5XnAGWi9My8*7%b_CXsM#&3&bSOF%6Di zobH1qCDJB%y(6D(4~=A8*WhZ~Bj6LHH1LX%pplFZ91v2x3;N5E_HkD#D$E`f@)tAj zI>ut~+X@<u^~Nw|76WdNKM@c^MM zTyx{Cu^UbiE9t5WzucPDd$)DgqXRU1b=Ecd^8^u$Xha-1=ZPVX%)tZ0o?cNLu{&Q% zwS0^~s63mn!BdEri#Cb}>vj2o^1;L7;W{Z&ajkT6bb$s$I;s)+>l7+mam;4GXuZdCj^a zt(RzhbVWd!RGAQ_cw)K+h-Niw+Nna-f!UJGvk|!w<>8CWCX1~F(c%dGniZXJ;j$Sh zN~ia#K&vn1?_V5=b=XC6z^HeVlK!M6VssGABIMS=fRPf3R0kPK8~)|s57iy)3R}Pg z^V}=*VTe&HcEo0+advE2xWlsyfwsjcw?PH_24rpFw62n3>jz#^?`0;)WXnkL%2JVn z*uQz!TdFl2Wd&ib96>pXkd_GROEc+%|6@lFv4qd}E?*ih-E@IQZwc63{WQjeAPBa{Y*G!1 zNlVGUx$=yGq=O6?>nUv8!k3*cr*FdR^;|)A8js~M@gV`@C3(T%M9V_;lC1M%2G;m< z(HQ%g6I+JaC0|Ci$YuA-g^4M^8lpQbk;YKL<~M@2{1K}F#k^fG%?7v;z5$Q z&N<(}bWSvLq4N9-jXE63uU39k21S`S*M!7{-pxI|nlk zT2A{;pS<+VvuE#BRyA|Mdmx*M#u&L+n0w?yOlk_#`X_J0`?4V#F%2euS3E|$$ZncA z_`l1*-Fz?5`AJlW%pMTQx%Lha^9?k3AV8x$Sj>lU^H=jzRKhQpG4EN}p?aEiQ8u)40q3(OdaePV<5ZZ47oPrFX%MkkNH zON&dzSbl+&4dk>A42Qzo=MpPg(U3gl)NW3NVZ`ilph3m0ETS8t;Hw<$Lj{f+eoW$j zzmMf|mS{SW=A+P^v`#UG0QB_Cpr{<;|yI9P$9He0#d1Q9y#p!lX+h|U6 z?e%UyV0PpoahNEpPk`=MmxwOw-X_}Vb4759)_mi$@ z**oTlWXRe1!!(34Wx4V^A+2VKvu?;(Hd*7@x0|oHCK%ueV6lOWL89BnVV`}^Pgr_t zIdhqbCF(*oa$5Q09UN3X70bZbw&_#TIa$r>ki6NAx>lu0+Z$0Gbj@KW*2_7~wbKgV zev%uRQ+&g;@>w+wUCZ+1dPqC_%QLSoBnbV^p+~QOfH~!+ltcGjnLf^+7m_OKQks-X zTWy!8qq&^U=l3`OZWTN|Itj1l)Bw871FmMXLZ1PFjfJmou&jQ7z5W%F+R8zOno7MP zcTEiqqU5v^6{_l0zc{zthz$l6K?1tN5)oQ6V=Jlc;rLcK#{?Ool*a&eqFY3!$m68M zj!|ls!x2`Il05}|rR+(uK$M?yZ-zV%{h28}$@D&788(`~(Boox@ABxZS`X?Dke^ke z5=7*o8m9>~rp`WF0GCGuIu z2Ko0sU2gk$dNs($92JIP2$g*kj@~G%n({M4W}0vO?6pT>csXl`&#Mym<2Ouej$K5Q z>LBxLM-xL~R7=Fm5I1}5PHrYO1G3t<3?B97D=o|0gx`sbdbQzJj?1{%zk)u6Ls)39 z%j$Q3-LSpFoftixwGlqN;r-UCzFwdlDC5h)Ywuy$5uB^7@dojWPesD#A#-I|Bv;<# z6K4A{>iAtTgpT%_=@2psO598Lsru^Vf9f{PdmBv@!)yRXuE(0(#_yrhN-+I)9c|#6 z7|`TCxRkQevM;8i@6M@rkgwd}&lJzUyFeM{$ z#y|aV?AU>Y?z_zUC{b07GF?GF(puWp@lP_Zn>3$t##K+Tx#xiQoi#uBogHO|m$nFj zXZmg78&pQ-a1dwy9=PM~yUoxa8VAcQTG?1$i-O_VCv6O!!U?xl@~?;=%u^5C5Xx2C z=C-obv@iA5mHm`}Cv>tSIYz;P!D_0Z&|Y9aaX^IX*0})XvN$4q;Uu3IV9M5?9x`qz zd7NvX8xi-t-S6ZVu)BP*IP`0 zm@Nm&q}*sR4;67?&{4%i-TC&3mG3OE0fwSUz>pi(zAj_52Es9HTAsH^|Flkdmc!Yn|2pt3-A)T-dB`Ha$U?DRv+xFCX{$w z2(rU_9*5k811P1Ra|^MOHrpu%yx-=P8~@Cxw2uDVV%NjM<=NO@LDyV(4Z4tnf`Ym? zv>%?h#jO&y8~{m`<*o{WxWC|N2!nY`O#jwBIlAFVg_OWhQDaS2cxQzV#@hP$o(<+9vHPan$}>Jf4}Ov zTlu0wCLFHQ-9QuV-vi$wbM)`TN3CQwAL=IemCb!u@hrfG$Fd1060rx zyLxnFz3Eieq2Lb8{tDFn#|m;6ge zK~t+5NU!4bWCBu1wjIZ1bt;a2MZzHNFZyJmKTWv>-+r3PB@Q7xCFAGq?sVT?An0GI zKbb8^%ly4{rJpL~%PKM(Zocu;((T+|YeDuNK($bn7){J78j`E1^$wh2_z0Ba3|j)U zClF2+`Me%=>dvW`@pZ~VNX9(+t8U?eIEjvLz6d9y6RUI;$cNzjZ8(?BmY;B}XKLHz z5~5wgq(wk@)GIaeJg0hqE)>Y$8-}iuDC8F>{LU8%d-p-(^0CPfV2X*LZ^rzR zc$^%EffFA|)H?p78D;!z3gTagRSA~>U?_bB+`0A^j1Rf;`p=fEH?y|Q9w_0gQED(~ zrOaGpI7&r5+8zCbHAxDgy!1U1ocDh@KgxqSS~YQ=i+OUTT%OVvpa39?p|5?3(e!rR z-PJyr-=xr}HhAjCeddJuQs~h>=ia7XLgp7EaGqhPQ&B_=$c5Kst?Lo)~p zVk?T?bmB(0AMfgnbqbpAa0#yKq;iKp+#x8PcX*c~<^BBu#!8oAJ=y+Vg$J^TD!JG3 zzWbD0xQ&eQ&G}FaCW4VVc(n?1%O(^mwzB7GwA}|29mk^#M?-T3KI zcfmaGpWhY%hI4(%%*erwr>)eqMQzcp(QG z?F!K>CJG|Ve=G_T<5Nw#wYd3ONs6;i9_1@-4)SOS=ze93JQxZ=kHvEDcPR?_!MzJ1 z)c|)e6A~waWu>xiM%BN&nvkT{xQ>wtWe-N|pvfQJOJi`VX4&tIO4XRW`u;@{=BVAa z0=YLKh2cQR%CtsOwydvGS_piB{9&~6qlsv~C4}VfPg^d67n?)Mvlyf3*ljkIdM;hc zp1!Nan}on2c=Y}7>47Fe_`JLz3G>l$((d<#g`P8gtA$FLCAOocljDl@lUkr9Wl}JqSW0F2tYgWqJb^Q5$469-)WpasxCZ{q+ zCMs{yG}wKL|A-0&2WvOpXh>z@Ah6R@4%Yy}>t%iW0*KcNk>Z$-mxmR{svnr*J0$65 z2suH^-2qO12VRD~h-ehX#uFz9kAmNUbi(aw1ut6qcbxf!)#w`#j^mFFBSOgsM+u@R zyd?1%cSjYu;1;j>fl*&yP0UIXx+r{`?W!~E7?4v&C;q%kDGs>OGuq_`ckE$c=0QpqY{-^>ek-z#-z(jCJ2+Jdq|{sATz1 z?t9?q{>iS)I?gCqh8rkF2A{_oC*@;;M9{}q!uf9Lp%kA=Z!knpDVF`pIim&=q5pSK zzH#OAqp|p*+QozFufkVwC>>T)6G%XmD%x55iL%Faz9p2j&+v~89E2)`IFhOmzg9P2 z>5LDPU3oY-a&Z1^bNJp5x?1q68RX&XyU7p`x3>ZK{{RQr5W-ns=eto{(TqrBd1_w) zBW#Emhz;lFo+}B>ULJ~LQ>e!VSEDJ17smC76$$8j^i0wS(dax&V$z#SFT`cnT*+-0 z0)p}TFGIM_F=2&2D~)wlN+Us1b=8xtHj$~xHi5XB@8@2gp6msp8n!nBf1L3#kvV%U z*ivd(3=wiwe*Y5`{qU|2_5puJ9RD==QkdUwQ1@JhNNye{KVC``#WO*3X`=~t|2VE& z+M*6)+g^#A&INdqwSQHKTf*Lk%{ONqX3pTcefGSHNIL1TyJwqpET?4wL6Lu&({A52#zG0Tkn<8`N$0Fbl`mp zI#Fxm0X80)Gi<|}+0`;tFLo8g?&m`Ra;D75SPd=SOPH#g)O+TCE0u8j_@}a@d(ecB zr8ikzD-E9iiw)hod9Zt)l6wts9e?kxkm>nWxw)^f!+gi3;i)q>246>YRkJ3mX~ccF zxN7|O91jMvR!2z23n17MMP5`qdmpzi(Nq2E5Znh6wc5vx?@x**l=o%V15v98v6K2g znVbBm5S~!wOM@~uNjNI+rzQ~Vs|28+#;=q*r>{&h2BP<9z7`ZzHoOJ%=3QF(Bko?G zvx}h~($@dTh$-}z{QT5dv#n%fN_p%4S%<|(`XsO6-I19rIHD|+`MS9&J+3sHddUBzsq+smrHu6rY#j@`1K#=M4NB#7>Gkn9G?RKFW z+vG-%5LY6Q6MfI+16`JASA*~`@a!wJrTysm(8Z&YLv*lMID=sWr&c z#C^d7aoxKqO#HvrUS7V;7C*Usx(0 zEpnV>B(ZPcO;-^DR*Re0-^qHqg*Lv(Bkmu2@g1=udSuapKcN2BQC~kdH=Htn_syAw z7j?w>YF@=8bu=7->_Qa$P6(PIk@FKq5*(Z8L+n$e$?0$K__voi6DuuynIAP;g~cxZ z+%E=Vg(4O8x$b#akA!(Ag*W|Y`0m8sjU($b*&?k+$Fa$+_u=k!HS^K*z`lb=OtQhU zR6k%V=BT#0q{d>auPe?%Rl2QHvS23B`YFc1JATJjL%&1UUUZ}1da|3KQAF! zX8wICR{!a|IpTOnNr{?1lzQFB(4%mw1a;@3Iub~M#$t6+v>-do_avv8)z7Y?6z}gT zol+y@tdm;9wODdl!s=I!PmUFV0_nNKHW~2fvwewM7;K)lu44n|It<|zeTLb#evLoA zmWJ;-98^94pjz%0Mc#f$&zH&mwm<-Af}mmdo!o?ECSU4b%2=9QW4GgeVzFUr5FYC> z4Y8g3{AYAD%XNZUwuGN@d8s%4dzNCE5oMB6U5W*M)iIy!hX$%*15VfI{xU&w#{f;2 zsGiTJ+wl)V&FA8jVI0Crv+6P_sEig9>0U*umNPn|ODn8tmSiR-e62p_RYTgNUO*zFGP zo1E0$+0CSGVuAqhGXP_>2)CR+C>-t@W&*hn3#GMU&e>o_BRZe>xwMa9(MgDih#J}_ zyqGd(qRS?ZOY<(o0c{(Vd7Sb$BCuEAl0`WnS0KM}6@f!9(|0R1P(0AtOE3Fibp_aQ zj>^+~`t#4T`#h`1S5`mrF!;-1C8FRzFKT2|OAcl@)?KZ`V<#b5i&gU?&6zo4F{ND` z>2r9rBpbqs&iId9geqXK1!YF4F8XNZUZyY7){7sv)w@3_pL=0Nb^?)%rshp{qrxC@ z09lLjUI)q#FH#5JF79Rk=htPF2A38~S4cC;pOgprp`D7+X$^xJBVMgdoZZ3@6j_Y? z5h&H(&97B8_OV5sL=+<=J>m*nka%k#V>bR3+&*hkKZl4ymI{gA*J#VUoUX&p~e!DVX3?+ z-*%-Ob|F|bKRmqsc|CqvLC|pGbLppy{u(_F zUXP9FgI%I`5}P3R)-nUcV8kzKe3JD9rQ0zkDsAW=vyaF41J;!_|C+qV_HEk*)UxaD zeOs){_HRoTus;Jg9#i3MGn=yKe2$ehz{gnJ&wtlDC3B&3^})hOW(h_<@<;IO$J*LT zRx~*oz)_j03{GP|Oq&&N!-gW!5ba+DO2+*2T)*c<1vqn)1wzb(@G}~{!AXWf8~5VM zdl?f6Ic?GBaLyrRh}XEz)`R-m%D}Sy>SMg3vB&-@dB- z)&|=Gte>|)=NAW1A?rPY2#Ab%VSD>Ow6d;oTA~T%zN7Q@FA>Z!S>I=+;MjYqKuPX! zjpdHa#e_@h%Obz#*R~;EWZQRaY^*|$0w3qmvG)4zzfN+a>uab+XCeHUpFyTA;a~3> zGQ-vhUHLulfW!8%x_#dKSyRuiig#uOw9KKY{9mxdwG86VCRmGlkhLg=!eTFj#B~dG z4UhzjxLdt(y7N;54jXbUNnl2vB@|<7!0O?D*i1$Q%x{shwxydf1DB~o`akRf1z^cy z$MJr$3d>|a`P=z-taOAj3P$9Zq9E-Cgi~YyauAv+`fxs<5wZfM2&{xLfj^xHYLay4 z&DZMJM1#N>Pj%A%8^*koLs*tFF%0!Flsx(ImC?~JVJvVzuLpACrk`0hycuByUtdvu zEtmdj{QND=$=u%~LI~Ym-ttNkx8JcNLiu5g0d}59RvNgq*w! z?^^gp0~*6K0(;u2ODL1dl3VFG^$-$K7>>yJ5C-Bb0Wmp?ffy1+EpLpmmG8)l4Eb1< z$~j;=yaq$Yj^Q@{s$A4xV0rNW;8}+K1Uq^@ceAoBZgP}3xTG&DBSc>!q3dB^uLe*_ zJqXc4j8VFU?q(!S9>xv+2j;5g`f@L>SMH#|VR9TojgWU*RW{daY8}|XhrbS|*~_XM zky>l%B5cFE? z?bfbQCeDAkg!sBB1bN{(8kI>Bw9lf9avJt0!b36XZc;%g1#)JD!TV23k=*v9@C0Fx zC5(|0bTi*0Pk(lKw(#L+88l0n%#SbN9`@*fV3*7tQC4fZbz{!`VZ~%G21zFoBqfIP zP_vbRABAhvDY=}Rba>%vz_^VRZ8`X`XQ=s--E7cq*Zx$`=vz}nkUmlV4h|1jbLsHcj>s-YeS8(RVlEbN=w3ISk{5vVswTT>^q zdpqcRlRogm7ZTCnI656KDZT2hrusjj>Rlf68`Zk{bF+Z(A$z>l)Qk*5xSfXtk$-H{ zZrTI3f=KcoO`OLyn;Lf5y7aLPzsF4iv8OSCj$f5$4EE-h`O`m60}-E{)bG$^3?c@m zH~5Erdf(~vs)1t_LQ#?^qMqajkvEaFIUSIaR0H_d0aWwze8s7rX1#yXCEd0>&S33~ zMdo{qIqT%Hc!NpX*NktynhpH4kv-VFHjsK@L$FtxIT~+#$yh~gn@|%VccKZ$C#B<@ zp3esya)J8ap$e@ZbewMG)=rd1ira2+N>*K3YR_`mCE_TKM*r3>?xi)l-$%L52gE6W zbL?AuiUZS@V}jKO(T~2)p>bN?8{%g=ghtjwPpPb~Coo_`C{hlOd(UaG`&m=h%dP#s zd42wjzX6%I9L1J<@f(*JK|Z>>LgUu|iP`@bW0;|YY*=+Syxg-S-u@ax1c4#K+oXVo z123kkRqc7xS&SLZbWO)HO*o-Oay`n-n0MT+#w3PmQ=)EP1T%vg{S`lUHt-sKPBA#v81Au*YUp!~Ea&)U@=c{&H*+ zi$o@OGP^;gGTmnog6^<^X^nGS9(YRWKjNW2_C@~YH<dXakav+}3|M;#S8?N|}bMxnTlP<;9&`od37#yp|@s~ekp8lidtcZoEY1i-ttiA`V01l}YO5<~-cK{4@uf15L*eR=n_#w-e9*?1 zlupmxCHIilYXGqrd@s(!<&x;H#Ox1^;zYwEUp~iv5`z9$rXpg|uREyb-Mjfef^Y!1 z(5y*hA*wRV0s+YC*IKv-z?h0@&mT)`&FO_OV~+TC+t<%!zJch;C%qB!*LK|cp{scr zF%q>U+jkRO^$$sq0T8wYh2Mt9*O$5jrkYyj%MgPWw?C^vaZQ=`l+VE(Xny;@1nhrv zZvMY?nO`$lDESmDhI|-LQG&iiq~m|x%POKfDQc4AhzPthsYW>P1q&0up;Vs)+PIuR zh9x3Ok~e1LVpf;Uh!qr}Z+~wv9g`45OdU|N$qyxmdv`G9tLj>+lm$>&_eSc(W(d5Q z^VJ*GhEHzl4&Y@13|HjKUriKbMS`e8WkJEQly?WjBZ`CWFk9Olwc#H=StF zMNGK6fS53Nv4x2V-WHfC!`S}P$e%m&?}X#^5A~Z#(r%0x{a^sqa-rAN8gss!CHDJo ziT@AW*E|^Jlfn~GikId2NYk#xRK_%+NyaNMSp-W~i0YkAr&9ql0>jI>4XFMzadt-& z2A&cMtkwGV_m78;O7RT5MH~_`aw)&N+_8pE=6wYH5VPp(&Nnf*y|&{HE7x>+^^FFVQJbM`x~mej9UP&oe5olUa*q22t;2k!Lg<1L zy@u??_?yeH$|8$Ch)3st=kWi#nEwHulS_gM3f$ZPAsiGtVk<|z+_*h#u&?}RkfK=E zaMy?%WO~k5oGRfd`WoGHDJr)sS|URCoN{nil#;5dF9hQ>l6xvA#p%1d1&y{Hc6J02 zP2q1uoV~ySiGh}tRmyFyDhN&hL%!nUDydo%2;K+hk#gWY@e`bJq@Vr05oq#~haAQ_ zCJx}wNBfmIT)sj*Q(z&iJ@3XClmesuLxPC{36ESy)xT%Cq4g5lQH`y-Yxmopj>&l; zo#c1m_m&nY9q0tCn~EMzJt$X-p6A7yx#jMMCf5OE-W1*H?{e~USkig{Z}<8=;A3xj ztGkrckW)J9Z*9i)rCm5A<3p@Ilu2Gm?0eF0#1$!Ud0;XBA*1~m@T9DA zrZeF)J-8tLbm-7#wr1PFyumh@h#*NAi2sZ{ir2o&6;fmG(%FxW)bIxo>nI1Mh}_ZR z*NSr*7!?){L60C*^rf@~f*@lEs@+i}vNVI}Mliyx97n}RT;Q0ps70GOf(^t*(cjGj zg?)hQn>zqN?e5%b;w&CK=s&`y3@^#-nHC`ya^2ImdMGT_)??Zn{Q4=<<;XtsUyE zQKLA$bD#P>=j)al7@csP5r@s3COrT4&8UdEXtC>jNZQGP$Mxm!kXvJt6EKqYmyUf~ z$&`f7hH*6W$?oxAh_g;$6yu4y;C_PS*;{j_@bqMEiGa;PIah5T7n^C-f(Os<|!dUOVyn*z_Hqx$e*lL#NmG}t@*mI>Wh+*GN#s6 zEFMZeW`ol#$%P+wluzLV*~alBD^0-Qf*a=gr84 ztXUulH{Bov^c}o8y95aob*J8pmLU&=z2+{hsdQ!ng_-FJiWRr$y75Vj27rSIi@e@l z84ktQ?+`zzhfU?$S6}Z%GAo4G-pUw%^dh*t09tC8s}oqsWpmo4wp|&PW@@Ey(V#+< zjXfrf`!VgRM&@a4JFefxsR(uS(?kC)c&S=1o2B!r{|*e^ZULX?CV97W{GSF$m*zdz ztV-!&<-oKp>0%!`gM=SqU}!?qt@j?auIhr=tq)-v%|#x{xe2hzftB_=KBx;W&`|)2 z3XF{A&Ea-mL96qgw;ko8#G%bTYyY-5EPSB{XmQzx-%*hXR=fpRPFcyk(hByE*R!!TzFFOym1-2zb%C49PaPPjqbQ*kt}s zrP;^cl{|c^Len9dy|uQ=XT5wv5)1aDJwX7YHY&wEuLrF9M1C{>8oqOd$1PI=r%a?S zx-OI4A}A1+TTUayeld;HA}__@2P>x;de(0OZnL+G{{hM+%NjT!Fg-#KmOXgS_4bNA zgQf#=|516UMXb*|Z7xS?W>rA*R+#bL9}%nxBu7!9@|q$g6ViI@dR`_1{;7Ss#KG~T zMkVN^xAaQwH|Vrk%;s$jo$TMquK0i0y$h+6$_gM)5BZ2o*Y8z2g72=QLp6 z2E3`X<9jlaXiImz+Wy$_P7qDYL&}u_aeK7`wA#AeZ02T~43u2by82Hv8U(Kq9#?7O zj#`z$_Gt(n3;1|j=KR(js{nPnRHc~LC|+r~)#-J- z6N0M27W=`psO@ve|M7ZDY-uM;1~_ZTdpo-Wvvrk0KOd*T>lN>MT#~-D*RpPZj29T{ zas3aef{7*#OcC6=j=T5udok71;Q7>}yGdyDf$msUyk%} z0n5`~Q!aC0PDmTo!0&$X_-0dY>A_!?OBR7vLdu5d%WYMz24HO{rFIaNGvM0rA+(YgT^Y584B#Hpx%D+ zy8?reqT}pqca$Lh@++83o1+y;ip^xK;7oJ}ll-nLM&Td^6syX+IBEhmR558)D3eRO zy{H$rWxZv#Kx623NV!57UKUZqWo%7-?HVqzf#!949n_Xbrp49Lje+7FFbeV+>1-9J z*aH>24@m@)>f;Ia@=ylyDPp}qZm69SR_+}%J>02PXiGN_8fGk$sQPzYEKR)>r@k^& z`5?!5#J95=0Wtm({^L*=p=Ww(&3I|Iq8+^Fv*&)RSKJi;U=thD*}6%)3qtiJGpbqw zpF$wsO;CYi8@|%lSfB1nEkAQQpXIEEY}PwPNCSO^RM#M6f$4MkQ7IM{VjCV&}lZX4v|%3 z$`9K{?1hKof0p?%*IuFWK(9&qVofAQuRB89OFl|@u;^aL2MF70({|SwWeR5?s;28j z?1>zs_^b&=9lz*2=)r;Djst(R49=In5PRaCe25t_3KetiGT zXpv!~7ZctzQXR{d5FqH1#|xU|dt9%hjQQqqEdc8uJj{q5W-jp%viWaM5$MvtUYVwdJCS+dX7=l5cPA`|ar3Wh=S>#^C*M?T; zxjOp;?Fa2`?6gnCU$Q+j&3z&g6rWYg#IcJ zvmo#fL=D~k>b3;ShSnQapxm2KQejjsBH8eS2YlFufAU`)KOtTT>Kct-6Oa9Kqju?Q zv@roW=FFb0LCnJzJMh>>(X+uIosv@rUG)}<0;5#!Z`N(>vtYpc@eYg}3;v_Ad3tm9 za4;*$hEtc!mj@;iUVY(%k0QEm&v>UlFQ<~K*^Fb@HB9nYfr|;{fArlmSh;q_STb1W zOlqK?;dC>EqtvqcJ`|l(#R__#HosXlnH~%j=l(fVZ#FUa4{SDO%w$k=(T1jnL2m3f z))|(X(rTU4s9t@Uj`yoTx&bp>^TZd9;q3S3qKs~x{5rdaz{2-PsJ>Qx(;@g+SFH;F zkcKrB-1qyMfP*DABor-dbHH6btZ>;e0y}0^>&c%kQ??-KNwDJxtj8?rqXifmEa=pL z=!V16?99Ak_l%Ju+$V`Hv&kWH(`mVXY^Dpc+1dJS528wTzv|e2o659W2aR`}@aHOi zjHkh^@m&(RM%_zn`MdCY^LTYzJ}Ny~wwQ&i2szN6vrbRA+<^}q5k2rgubTA2rNKgA zx`ORIrAA!OWpZ&T*ZwmSkJZaUk8PfJgGIXEk(Tg`yQK$ez|(-blwx`n{x##bI}0$B z+eL8G_`+1B+cvj;FobJx_C|G{)*PtMv+a8ellc>dO=nq~QkU^DM_yK_1CVL(3dEf! z@i|i!#SMK2Z)3t-G{ITzLxsO-K`N4>#2Df#|Fth1hArKK@EA(S6z6unfr z5!wu0^^cK8wF?yS+v;pvf`RE&DP^4)ft*}(p}j1;K3T66J>B=?(8vE->@t~iE7lW~ z_aeT2sEuD!Q$;3*-eNNU##0D`LE{=74Uy|e z6{Sm`?H7V6c;i!eos++LH%9>ee~vkX!=y1|cse^#c(@$R$IZTD1F?o^CUyV*#NNg% zO4b3u;CKaFy_W%!nz?uzGVU%S?QjB6%;`{gyIrt{vB^27Rrum*S;nc60-5)Kg~k-6cp?>Zit*l4~08Ki|=YhX4uIPwDVVWOlkbyI4O*9zU%L- z)y6@Ew2aAc3tu;JoQA+bD#NSubzdibs$C(-)J+zR;)VkyHe9$LQ8S_s5+-XxM579l z4^@iUt29KkybM?E!QuCW9gZM`GK+?#Msa$9a$8tx()z}kr_|}6=*sEFE9I&|&L=vx z;fo$|(%J&*P5b^81NFpd#fmIl{V-2jq}s&gPcjOfo?B+D5thLutk4O;eS(ah{7!Ov z|LUt06}q93-iXe#g7`tI#GuN*5U8GFz?|5BK=pl4_Z$hB#V-Ble1l@^3$EPV(PXSz zqj8vTa9xDtYL!H2ibz4DvKZ!Bi5azB;C({MX=NNwpN#b#YjC0`d5k<{;GfD+q|X&% zl~gQ>GG2&d6U@C}mc_lyKaQ-*Pb+X)U=PL_fSl8zrobHa^gH-~_ShP=f`oMl8#R0EO3>ebxqAH1F9G%W|R zFy}Er#>LF%ibh}#)@L4EWyiRS+NJu8hmzCYO^H3I*LbVb&#)yv;7%Bl@|!Q)EM-U= zkUfV`#_>@May>dfKo|rXb7WvnGe3{^0KPn&LH?+1`8h@})icK;c7sURDg)#ndpW(% zrLJTEn`cbFXjTEmWSsfuL(lDfXY+ACY02h|qM}7E%A>or?F8S>H{{;i#zQuKG6jo} z-f3`Pm7x>zIcdiE*=K`{XS<61=#@gBr)7}L;~fGroM;7Ci@m~$zj&}j_` zbU!o`IzW>BM7q)jTtZ5$4W$F8=%x5csR!YnMc}+|~SWMIM>QYuBHwwlRt=IK+&o5h9xj&Z{k$4$9WQg?;Xh_2Buo;8(hHpjz z5JpU^VQlc+qBzu^^xFZW)#}ntEYo{TlNb8$SitbQ?}B8g zuUfTVDxqTmHcv5iUg3Wf_MdB>?-S+t*Wx%m9)udGw08o(zCDk1C!#|EKVEu1Y!Koc z`2#=Mau?jj4^G7U{hI7W_sqoVpSKmG_fq`f5+5qAcRD`?*8?R7tG;uV3v-<-_f!NtAj%G=G?fYfNQi>f8d>AVJiB0_ zMx4qM{-@by7vuV&d`ACG$|Kbbcw>~f1euqSLDA}8bkpD3=G*N51~!9~p+31dN?8T6 zdaawIjWlS(#3i71xs*}olfKJsHjBdi3Dn}}lfb`&RqC`9tcs{1nyKar{Nv?iuiX|+ zraL8>(Y-gH_wGteM89W+o!+7i0aBfW!c`hxs^5*s3ivEn4tJs)p#6Nw(|rs~%Q~ zl8UI9$YpZ{0fpbnZF&G*dmAfWA}vF#+Ek|!h!mfkLE)C9MLKLnAPm6_8%`Y-ee z+?w%zyEGOOLGMB~HFQde2topuKWfyjYRik!`TvF_hoIgs7}uh#?dVwK6agrD=@NFoj!uY|A42koX*7O34fObH{m^)cWg7S3 zc~P5Ch591%!>(WU#RW7LP;QWQ)IuSGp!E0hC(A8EMU-CP!<@A-5j!q@asD}2|}eqC14onE45~B zoHiu3n`$uMp2I4I0_4AUxh4!Op=uawt4<%Ms3})DJQ^Noqc%R3k+Qa!4=QQ_6f(6% zlT~T_VxcUP2m#&~&QBj-UVGrkkdlJxJ;ky)GlYvRr(88BfwAb9l9M$iz*O zzU__I$v=y_fqlOnyNLtEnR_&f)h(;3mqkIfSSw!^D%y=chvwcwP&`UL$EPWr>$6S+ z7?u83Rr)29hziQB^FRMBA~yVnuSI0k)t`IG#|BNse?5pfba)}PPMQf}tu?eKO&r;N zDve}`*R{PpEiRf>x^16*H zGvVAD*sx(4Fb6^Abae;@tW$p2m1zNAufk86{ci+R&h%0gtyn8XDsV58uN6LtnJP+C zJ=1UTf&`-_nOWQRlLSt|0bOQbKa#8eQ0lb{>ep;|XTL03Ro0LJy|5n+07D-GBRpcn z%y6_;x)}-Z@UHwdcIm=fBU4mFo+sfFW@tH@hoW$z^@oFOiTi(J_p&}T?8m2^MtP`9 zXJ^3JW{DB*j^IV+iJ=Tls1q2;c@45o((4=Dh>w@n4x8+2lB5PH>b}bV@YE}NQw90M zz$Z$P>1MvXQYq*0Gfva&)}KQYv$5;8P6l(?JP>u*cX(}x+4Fq->3KfEBtq&1LOPEO zPeTe^p+|;=!I6D(?01l1{`rlGt93K&>j2B>=^t)=9-vs-#YZpC730*`r{cIG*3r^C zibZCjKZrBHK)8GQ_l{Ex>x1N37yQ3Kx4Hxsc%~%J-dt6vsU^J^=$Erg8|%)rFQy6& z&*mVD0L{wwG1^A!%9J{Gw9$8U%_?5(!ysd6O(+u@Xj^JD%idgL8m^20PSBL5KmX<{ zIjUELfk4F{Sz@gCRHT zcRx0I!<&_u!|A-s!)aa8K!l2Q+j2A~;T+AG=xI=)PNsb!YcrbThQR{FgOGa!QB~j(4F_& z+S;xC161)$-`0K3b?Pt-F?Z+?dH(q0l=x<}i+bp3Z~eG%&*)tH7U%6NRP#m&WzX~& z6nO$L5IEhyzj%!hR@c8wzRgjVxA6!Oa*f+;HBk5X&Q*8(*T#&de82>#54}NbpQ;}} z8(C4MK>ODh|Lys_qCvmKu>HDsOL7-m|6>LA=MsZw6;gLNLV$| z(`QrRB2x9qBt~O=oy`;*ZGlgS0=66s-5!b__C2Lz?KBYJQpxD6)B^8wuxGGRG+K5G zd%FUsz%V-%?>Lx;1)iTE1mu%rs~AWPV&~9qs>>sp-~*ef?0HESw@IFA5pS@zXQ6n+ zcj3bFU^<3^-{^h0NFipzGeh}3WCJgGJ;8^JtyIS)y&BzLtCXSfkw`S2ak52y-&z1T z2R)L6rvA~LQ*WO4?Dh=SFON`s$Os2Bxo0xya4&)7^q z=VZ4S6u)`+RC=V3SUiV0nP0=S^u=+v_1!i*FRCqE{d#X!uw;MB`J`(2I0bLiX8>0} zylXGqV%3R#MSLYGnI)PmGhs>m!&H^Z98SWBL4VBI$1Q1!vgPVA!x?D_CozQVd6zgs zmH#YL!iOvt=To-q7vq(fTv=gvs!awf96)4*&I?1_`WwgL!=Pzi@s??qt;1%#bm*7R zyS=zAH4InR_^>|gD$Mzr5~LXPKo$RH&ARb8_8W}^UoCQ|dtU01C%>UL`QOydkc`ga zYR;tDkI1xf6LAe23mOk)j7lp$Va=Watc9y4)u?f?=fVchZTdXQ1Mll$Leg@9R8c>9 z^A<+H)s-c^@fOmj`ub>G3I&krOG=pT2ia7KsEzdOmudOIsf+hEIfQQNA6Iri` z%qH%XU#DHrHNY6OOSK6d0E7qD!b-wFk6?<{3%-AXvMIJy9sNWtg*o8FYYUu^+Gr5Q ze<1}YiANkp1yZ+O*`<3gR*m#a1jF=xj&l1%2S{lSNZm9sv|=IlS}Mej^BoL(vBcKafb2G-ptNT6v1cOEpfK7OQTsk%dG z9K~U{RYS*oAtdcN2ij=TU%lzHFgTz zPL<9EvB>*i7J$Qym}6nEUywy&hDXavZ9;vC7U#w*K_>?OXnaZdNTVp{|A2)^d9DSq z^u4WStM;FNWTvbgXlr6NinjU@-C&UuQs5wuILI$$*kRS6iW&psAQ2p~>Gj3LAZN+s zhJN!K91-k_lz1O}tTX4{6*7G~$;i31qVj_b03q2eEkU!($T_(IpEwq=eME6(T8J5J zKKGsVedf3#;s6iaWft>rFEea}wSFK#9WILndoEGNIt)XXuC-hG29iT(OK9+=EBfJ~ zGLY*pdGHA zVX@||TVwk{0Sx0Lk_--2f`JAUHD>tyEjRfs_LStm-$=fC4j!tzVp97c5Dm9}KqZ~T zP?$Z0t0pn^A>vK);7pIlJQ{~llB}x2EqTug#E$DfO`7=GuG7)f%7GLW`8V9{OkEAS z{J-XR_71wQIZJ^xn>#mXW~pka4IvY)uqQ>}hv`XTHP0YSzkdZvhwe9u0mPD@a=to} zLi2~M^`U`Nfnja_KVt-0qhW@vV91`CMgk!E^xdolZhCYChkzRjsIAkF_iohS_P^U(B}@>gOB$QZ5<9zib< zudXrmv#7-N_S2bm66cSsad4T;kz~cZ(R0mZ2)yA+D)KFg>rg7cBMKM5>d5!meoC0s zs)&k}gG?-V;sySPg-YGR&FcUZdmR}?g$6Jrq277w{;RmoZ9&!HCS469#DC6tJJ-;0zusYX245)z=F zWDFV`+rM@n?&1on>@#es$~ont1Xl4-zXP>eV3qSl-{zG$h}E*{88K}>t4^y5FV17xWgI5Ysjj| z?mlDQIEfAqgnFoh(J|5@2VD|HM?Y@HK!iSaCM8toHcn_I#U&bMEE+cf>Luz3Y%gn? z5&w%i(j~SzL&=6bTKBK4ABJfp9s8G{$D*iBZoqJY2j5Yo-YZnS443_}RNrrU*F(9s z47ObAlX&{kE%DfMXX6X$A#i8D_VRNr>4$F%1qb+`ndAYb`q(3voi-W+WVts{@yqh9 z{eNy_)RC!yUYHK!-0G#e`*45Gd*6LezdjAL369-)97!08d$F;KUrn$P-aIJQPE=%o zB);&e=gcgzt9eLHnY!X5q6SttzR~o2^}**LZjUhn8AMhzp4LT1ZpW_8}YSp`E|LMX7*tMCO5BefFn+5VW| zSUpDI103JV!6(`V(Qh#-Xo+E2i25Cy;WRnnG2C+JxIHT&ZD??`PiQq%bp^FQRB#gY zX^Xo2+pcJrC5c}8$Qt}Xd%{ecMC5qaO`3`D^%lc`X`nVM=sQ89-oTo}XQ*cW%x;7W zVeK)CkIXGM9ib||`` z^P4}{HK>4GAD?q8)JkL4>Dkh?s);o*rxkk#7{m_;=4=iScScS% z#YQ}cW$F>hSzvlP)cv12xd?@Ak|#Z8Y|NGo9r(biyr~cLM?8qJT$qSv^I<3sk%DFk z)nLaaY{?MhAn~h9e90o1yjnvio$aIfX?IDM8A?d`S_1qobn5MZc%7dH7^YD#>Huh3 z#H*1+KBjA|-h42nD4=vSU~uRdNrNf>b&~zy-OfJN=@!p;(A;s>G7p`yFZxNR+41xL zbjd=J)I{+8qO(p@(dY*AO$d>-+$2rSRQD@B`Gn=mP`WIuyv*&hk3?3ln!E8wm;GrY z^s9?Q!cFZk>fv$iTriVL$IcZ?jpw=%gZX!gl8L&m5@mwpqRjkJKE1@michay=x#Hv zt!-a1z8Yr`IJSq^ZFsx}BbRBU?!56W2X4p>_=D!0`Q5^IJGC<{u#HRfTMSGjZi*lq%C_*U^`D77`ZjF&YC(9*6QyZHZfMe_h>dzt2A~6B_)u!kI_+?OJxKx5 zPNLG~J|qTKD=YXVY|Zd;y^h$qYX==;oZ8oC6EO0s%nRb@A)|2U-DXe@ta<&+3iek| z-bAg%2kqvZvrG>?@DjCZDAqIhpt#sWi^>fM-r6!Vv_EQjy+)IHZA#8_aof)4gHr&v zL>_aqxRZuJGaAZ%u6zvzBa|frLQ!fI9viBV9{VKo;T)Pl3j7RXL&NwW95-@kk8T$F zGWwfn17$S1Ah7`Ie@cm&$>h$;1c%{&VK7;jev)N)p;1|%(78(6h|Xz+e=^))wk8O5 zg!~yu1C8CV1WLD0WLzGZwgO%X6A+DdB(21yNKU6AbpOrSMuPSJbas1doQ!wcR^6r= z4(?y#FT!mhiE*VDqK_F+UtW&&UMDd6dSKqz6fVEo1zv)JB`zp~r9>5S*_hf(@%r>c zZ=(Dk+D64(Nur#@$o7oo$OL;HHvAGGVa|1+^2>MvAIENXxGRsu1UEzIqr=_!;6)qA zU|*PNIbVMLMFbnGA0HQ!c?#}6@^Oq2>SBnj=3OUBH@&1xqYkt>F7E=RWL&Ztg_wQP z)3;X0sT{fkE1Iqk-|L&UE^@{ob!vYb4||%wItf}$Pc|i1gJC7AE+rz)?AM@L@x&`5 z7)p|C`$jvNAR9?pX3sqQvr3^A_}E4CY$>qz$po`60UOl=4jO2g+TgBO65rrhS8c=n zp=4zDQw1!AAH*Oo2Hb5jR!`I_Sh*Nol-FB9>i!aocd~m|X0pc&&R*VS{&w_qxvCj) zekVYGyDUj@MLD1D=+N<71x-*Of}bxl@3@~zv`)Z}3#x87d`b|@e6q5_D5-DEKAcjW zzu}RwZ#7dQn;sdHke=AsxHC0pHuz9o{|_g0U!m(vNIgZ{`iaz}%dHUGCkHYr63jo- zI>9a?Aj1`HNkv(isbGp%Jg>E0>@R|bJJlwvAo2q-o?puq4u0ixQtRb-jnbR{@aycy zjB&w8hST!#pw@F2S66k}Hb1C_*#uEBS`u>#;}>mS6A6u55N&1^FGFUP-v_+34OH(O zCj$PcpLxSAONlFVeNCe!IuZyAm;p!93s98TnaxMh9qa_#v2l+@7K_Gy!l0c@_*H9` znxVtLj(@&3$VJ&y0(3^BV;&RdSWdC6_9an+(M)?m(SA6+7E;1q>sY}~CISP$P5%WM zu^J2dMGP`PRPN*@o-`;snK%Nvrhyu{>(`sI@HQM9vLAW8MFI-;AUCdW8 zpp6=5z8UNFeQU3=q9wss{UuSB;8b{!K7#|jg$$r{5JT;=;f%X{I>n+WQ9SaCo!Mrxdex&Ih0bORyz}^50+|*U zgBp*{W(RChur)&awpZ}aVELLWytuD_f^&FLBsF=tlPhrN(Y&vKy9&k9 zE!~4O-GO2MJcnurTQ8_WN7ClK1Zq`--Y=()down(YunA6y+G3ZlKiK{yOhn`sN?LQ zx_${O=XvN3x$L!2mHB}y%1kyt zjf$Z;b1T6+lQ|_+A#>0Ji7s-}%_La3XAJkX#*^DNE~WXuKlOHpbwSNiK*p^gK~)s! z#!H|W=`Dzm8n6Lrn7AFSJf{~GB)G8jNWU8;Ogftd@w-w+O4#$#uWMZ z;sMOCiCbo>I+#BE`sUU>o zaVP=;0?8V)jn^y#g`*Cq$jb7NEu)d2I5m_i9WZi!C|s#5(A7n1H%KGd_}_xu$dBI5 zDq*v&9~Uxw+Q|mXv_d*<#dP1uYSoU{GahX6dY~$+q?<2~FceZpFt4r*n0;hRQjEE- zpNu80WD;Gz#xb^ag!sB)GImN#!6dIN9}Bx48}5iPT=3lA)e^2|QJ0v96JT~R8eb~E z(6H_l4X?SM!T~efMiN*z01HF~*Th~Lb)dt4AoG4-9pY;6^j=JyXzOonzzotBAU?I5 z2Yl1v?m&6+StyvB=4sm>M#e6!6WhM8yj^y)&aK_ZIBtz(+rLXv@3@VtZoqw<(g#_3 z&wRbGs}0Oj2d)$yW{J&R#gUOjYkT>N7v(TK@N*L@;a6++<<^HS#1B+`1wXYVl%!it zXbT@ys>P82Zik6ARuy^DSTG$l|-3ONI3jCU_&<2o;RG zPhdW>CO`vwurWOOqKcUcIPW5Qzfo>?UU>_Ya0Ko)-rh*8XV#i( z{3MVg!j6l_nd)AjcQn)QEKA(lU=n|7ZI)UL{q|Rk{OSx2nqxx9`1R1IoEuGY0QHPf z0;1Th$H4vqvi*;PmxFc*l~P$^Kxx&b0p~t}lSKc~7e#%Q27hCkbi6F3T&SD+?$J_a zK`UX2QFS&$O|xFhJO;h`rwZ_gO>wg;0?joQKf{258{7(ji8$dgma8D=PfULQ=$t&I zaq_Pjh8~X>o<5&LhXVUf^pJ~s|a>w+q}F(R7uz` z0a4=5P^oU6i-u(Z4}nwz`JBnOy1ao+=xun%9SVcs&28?tH(y;PovIC~gB@xa?cOIg zD;%#fbncn7>1K?XRpqTjAY&yx<7at?N`Z2NdbE%IyAPpigg_E#P=e@R2%+GSF5{=E zr)egKNb;74nV+L=M~E`k127f%%%%bKae{#BT=0ELxi`rHr=0k1<*)2LiOa5=mt_?K zMEB2Mb8K~-n}996b3qQUqxbX}DJA4EBw$C|Ido$GMWoph;WV1a@T z&jWNqoknR+|S3#Rz|HAv}iRBF&ab-Uj-EpgYZF-JCl z#EGaw8i~`;mi|Y296(G9byF0rg+_3XmMP+?EMyE}sIQ9Nz##Bn4IM-S;c`u3lGw*P zEiMk2Ap`PKBv~qV>*^!A`EO`9sROaeL^#^C6L8-rB*GrN?*0ihO0r^#t!`V#$GqMt zR@u{t2N4zkhc-D9h>&h#@HN*|JbfPZ`8K{KWl=m#al69G5(sn35*^hu{A$O+)eB`u z^Y6p@VElaUj{Aegv7<#$nF?F{nL4uIopxO4(ZOmzcHT@<24!yg+zu&J6w^@4S)hSa zAJ0eSQ$Zd{jM4PVm1e|p_OB=ivbwmJz$H4%a*1yDv)Xa6?z?cn^Gh{3^n9vb{O~jN zt5zF4lGYIKi)>*75VCW}N}+GbW`#E%-iu{=Lt8ZB{)#S;Z9Ob>Tu9hMMeemndK&sG zg1ekkGDl)3iWUd)K29F9AfYq~ROPy2GN0MLskVW)VYL%z6Hn zXacI%qx3oY8Og6_!xaxp)Q`gG{CB|jBx}b1>zBEyOzd3QDdU{}b0{tcv5Y^e&+o)?C*Sa58dmu0-JR}-d7r2xldq%rUH@pv#|izxn+^32 zj+%+C4jQpwb!OZVyS8gmkN)EXNggJ4wU%_nh@UNob589p*h)()*}Ld@b_Or~^RFgf zR-Z$g502B7#a1g+TSx$Y$0g}ZB6x-6PLvfrR^R*Luj0V~mA40i%DJeagmODjIVbls zDQrYd4JKh=Lgx1%bu3I?rg>3Awhi~UgKueN>e7;|;};?SusoKHANc+Gbd(=0wwX8lP%nVVCN8B{Al6SKnNn5hq_*-T$4<5TIVCk^$C<{rxruAmgKyj;YT((Wl#*=(XNpvV@c@@k3@*fsXZ zYyJi?rXa#{yGQ3S2QjXdSn|)9)jM8INJcr~x&)jWlA81xl~NcPyHPktMs~=5O!?_) z;#uQg|1rVz&+_tRSx=4UuoUcZdlyms8@EX?qmJawI1cVF%Xp!$lYP_~tqY&M6>{If zNAeOKfu^$pUW9c<#>x~7`BE%@b%{PCNig2e@#tB@*HHmcdW=jcA|w(f2E!*Cf`l^m z={bDHiNrWpgHoEC{j1g3y}Pb}UJi`!=8@zF)puxXvz@og)64X0NfIW{rJ~Knjonk3 z@Nn$@;FJQgV)^|X+h^RP0RTVF4AMEtX~}hMQp+gMsH9d$3hO{g(^F<0cRZsm_nOyg zI$re58o_1#UBfR>$)?B}fN2db9Uao_dc{ixNbzkUf}$<5xG1e%F#%r3(yO(S5=sTa z6#H;NHQ!d;b>-Tv6**d$hrpSfjm=n)sajGo325$x(tjRiQid6g&sh=~84|kIJ`6aK z+DI(Dw`q`otw0#x8&UT>h)s&64|E9x;QA6$i!4h~9Egc;Jku??6$P$Qob%>;)9N3^ zKF@e0!^K|}4#owEay9s6Zq|v$1~RM_B)8&UukX(UusBSYi=EqHkeF5K$gTU02tveq zc79Bd)_AvX=I+wbl`8o>0!m19%ca4@$ zX?IQdk~q!$O|Q^vilu^O?7DV`k)4cxm?CXW0dQZ=a{ zLs$P=Qz*ctBG@fw!~UgNNJ~{aJPsbpl7pkD5vl((n?=DX>}q!WKC|HiIMUYg^XJb| zrAEi0!V5>2Rj(IMvw%x2(gR3U#T_<@c2=lS-m{CVR~dKA%V@~dvrzq@qM@Q9$599l zyKTvt66xi6SikgddieWl-$;6)*pv6|U~;nE<1!Dj$-|@JIl_7!*34i*KflblTWCF>;0j`c;DI_=)KUd zGVicW%}FcAUrMGgC9rP)bNvQ&XsTMK)n^b|vP~IH>e${N1Dh* zTt@ysf90muhbVja>+~9oKx!$bZo#yz z?$~dA;iyn!hkPPK`W^s#W`30gn;Zvn3@fP1KkAQy@ke>nTXSU(wOGnuAh_)hunLXe z2FI6qK9Ti)jSkej?b<=*V^o|ipQXpOVbvFGE}^(;n0xZ9BEMy1khtCbxsi6)9fOeF zBSE@|_;NJVt0w%Dww7nfd7W{cc2HmS>6?1NoIt*w_j3KenJ@f*9wx*A{;&BWZ)=$a zkPl11bvV}D{eZAL3m2EV2G2iEHju6yTU6yjh&uG8&lb<3`pNW-3N|>0=9J`qqaB)q z#!K7SP-J&NZou4r8%Kxk$|i9?w~J@H8*n%Z`z=olOX|thd{dl*BThg_Cti&)uA%69 zi)JDNvlsJ}f^OvKpR*mEz=To$JqJD9TTulY zWl*q-od0Mrz5Tkk3t8eXv)3LXHN@uekzmG4jh-yku~POm!3jCxc#juxCcN3@2(RX@I$HaG6muhiWF@$z`s*<-%xFYXo*xqY!9;9Nnz;Q5W8fuTxGr#zxsXMirg{6%4 zUoe`HV7V?IY9c2!h4WP|A@2{dGsG*z)rwAiSYXfNP7IzO~5s~5Dd)g>q?XKD z>X!)y)nR_3ehM!Pic^s(Q^F5s)k7GB-?NCK&{?O@k#M6`B#GujG6KM_gkePxBLb*= z+g4b=YkW;BJq{*^^&blwmfRT^-1|bUFb0+(3OU0*8rx$nAWUcVrD8P!>gu)Z_1C*Y z*6ZC@i_KRD5cgmLz4aO&DTI!`y0x^QNzPswXQ;c2i*4Hqy7W zEE*5?g)F*L3ncC*x?FQur#^)ivNnEXE7MAY2B*EUu3xpDvXy!+M4SRGZW&8$$j(6Rq6Msz`DhQ|I zuP-EN0Z;Npv!!md;@(h1U%X+Q;foCO?#>HEcucaoPe!grlT!R$xNbSY$q29YSX~To z=qMCjBU~R+JQeq-{n@I-6sZK(8A}SM#9rJShf@v)Hy9t8rb;>fUYk?aVnoS?ba|2R zK;kj-YK2xH%%|xc>p<+W{Ax@(2+f1CM|d*mv8;Zpe={=wLXTj-;57xYmPf&Bap1-w!QhfVdeO_L~y9^=1IM{I{G2+&}NuhaMpLHr*f#8ei?`H_P2 z(Sw-VCl|4HCDy-DoS16)$WD`-^+&j!PVh9M96dkUhE*8Wh!ll9tc62dX* z;uQu!S8f2Z>*nf~$k4ffAt|f$_cd+-o{xV>|tek|YieFhsZ256to|-HBEZcDX zdUxM558@pz8$*e1+=v*>YPBQ`Ll>5&Jn*|AX7EvUBnDnl7wF$#b#<6Sa6%u0rC6hw zJ2p%*ddeIKN(3!XrY;L3pb=N^Pk)HeZ)!=|zL{65b7&zHAvgU0cL{hqgc!t#iwlJ`IR;Ae{fbzh0v1mRTcS~c|g zl89XrO5Y>uUkH~0pOuboDP&HYrhcVPMdbWCL!MXK&^gIFFy1^TdNNL3`t};O+#0{6 zR(;Ch#cMS9WcVc~C1ruVdH2KaL^|HZzt)e$Ek|;h)poc9D&VSEFZ@pu-l(y z6PRRfz5Q)`99bB@*aJx)8z#f!jQiE=)%9Ea;~cv>gjw-hU7Xf~%xi*Kz6hLPEC^g6 z&sW$lUN$HDOm>uJz^d`yg@DB<)t0o4i=kNuODBBkxG(NYL^(9qZ zZl4%8Nm+lY{Qke!MJfpspSpeFpS~0$IKA?~+d;}dVoUP@CjdIMU`bVqLQcTo4tfeF z#XNP)ga6eP?bPGcqRK@=+AefAAE_mvBdBnfKN0MyN`~Gx3jqoYNWSgZqfel+YV4%M zk&jFb{I_Dh=0tkUbe>+tfIx0Htkh3Zab!bg-2KCVoIBuu(%*wU-iIttSgiq%u?}W37k9}i; ztM!^XJ4m{^ZO{GtG{HFGjVFf9(ICZnPg6YQNnjJnfzR<7htIY001V<8Wtp=m8!OOX z3i#3>Z=G>rjS}zJuustOSF|j$i87n5(4ZG@E+2eJ_`3%x5Mf!ORy&&@$9bb8oKWQ> zVe(Uti>ONXV*Q^_Ci#EAAyEU#Rd6^WOJ*o;i=f9s#3S$pAy%&|9Q}$)!Y=)@;6C*f ztA=R7L&}T-49;OlFEdCU~Qj;onudKUnP^XDkJ-m9&i(B(&X zX#n$1B|o-IQq2zmB--^Irk$jI)Werdqk#O78*qddd*CoAfiNi{_1A39W7_i)B-S{xQ+}=4$(BI zRmD~L&3OOiUbpw&%e?da>v%&A%fJ9U>fpdI>Ts{-=h>v)NJ2IYQm5ZZnd7R+YPcRk z@l{<9`F;bUFzPB=CUo340I#xNnn-tainm3+O-Ru}FV~|M7Le9ZlC7fDKjP@Iasg#t z)6SrK=F(IxXubVEACHNz9>yW~*GB-u8RDavBz$1g2QGZQ?C=;PFjtU(J_BPMEr%PH z=)qHmUKazXz+itc<5FrT%fXs6f9}A*PqLOlZH?(RmbA{}uB|Ivu|pE4(a3r~*JT2s z^3~0mqeHfLB_!Cc!Yj(ivjtltF-)cpXPmvqzo_mD>Ws8JHR?NEej*r4UT=78m@o!= zk4c3J%@up;i(5%9JB*SoqMI3wR($>NcRoqw^oJxNS~&8=7}nPq4pb3wM4ic8As({F z6Wz$e32dX;ozj?n!R?-U|3wrbRrz?bblPsc`zH5AC9%sq%YO(6BazIF`By?S0nV8M zE+%cy7oCfsA%njP5FM5!mh?Z0=&ssIANe>*_&AL=rzk^;8{Dk(l+pjs68)b~R;&bP zyoykTV4?2wBCP9mvxLW_NNV>o1m~Ms8Z}Ns(d*s4InRpWlh~eqVLV@B1e(lP>9ZPB zu6c~$=_~0ErVU145QrXqI{8RwSM(hLPT2+BA^(wa<+}kt5%BxxMFr_e{tw0KXVf9s zWOp&mkpRkp*a8Q5-v~rh+%LQglpWb}90_y|#2|w2C~R6_B?@>80H;j;4zaIn({#8g zs8G4DT8d2A<*JIJndX0^x2x4@CG~zc-+8D*7z@|^88rKNqafyjuZApJG71&FV z-G?VgSF37a^BC9FEawd_Q~t=OUIKGUn)cir&KWB~v`0MZeS^!DC~x6A%iYCj#LaKa2wYBx1qhVNsjM$?Q+4(xJJ+?ET!2 zAshIuNJE#-4Pm*?rh+Uhgq0!1yx?M>pB5;&={V-!LxVw0`OU>R9UB&P%+pxQ`+Y4X zCF$cG4HjDsf-};f#uzfXoQIL(ILoykY1M<77i12&*0ltjb}B38&*TFHhLdQ}G;bH+ zV^XB0z7Dy^4T;tGZ)Fl$Zb=ozymjtqqV7&eFd6kcznv1(9e#b8{d zFk;M-Q+Dsji)(shO6})~1pHZ}-(6ZMwD0F{D+ejYpWd@F`s>`ODtM)h7?D@d)1((x zgN%B}k=P+?W+h1?Yjb&eipespX$5KAcSqYpfoES*5S4`$WHaQK6aI2mbL4oY_xTTY zH^{xztufaw!`K^{$Hp1^qUUtee0;vNfm|Q*n-ag6p|mFcartp%=nvTCFK_S;v{E@! z5gKzmn9{xS%P{{SD3M1y*%m(0J5<8V0W32~o!h8IAGbn%jhlH-JJE zZpM~^4&Kx_f415SoW1?0ke9s>SF5@ZDvP9|@--_(sO1buCkOn1g3UFjBokt_0HjHi z29=SqP}b#I@tDhHb`Aa=+?z6?Q8|-`HR8capX%jj?Rf5_uE}MI)nPP`PD_BbgvoL> z$Gs+1%Ok+>c|9G3X15N^vTe@`EsJ=l}8OWT3`L*(BRFsS2cc%oGq%K!Z!KW(=J% zV)FH5aI3v&w<|(yAr=8Vb&p8*FHnCX+I#wLLL3I3LoSrj+#f#$zq3`m-5LILWUzTV-7TvhREPAueNpzw{}vTAqhytP}cEt91WOv6;?Y-A+~x z%tiH^_Q=QmPffbNO@nzkT?+eEEhz!zG;~c{{F3jp#jXHe0Mu5v zv?_&=Y^&asZRa?5Fuy=i#Y)9|qE2hSub?Pt*;iRDuk&jLpgh|zApdW{gzbYz^4-J(Vr|3H6;=p7qzSr zO3jyEI3N!JCiBm-Gd%5%K7_?Fs3bzVh8liG)mWMrVP4hyPWzajSM6gPO2YgWAyqr& z`-83!hD*4oq@USW7d_$hL2#B{plH$`E1%6fnqHv`XSe!TJt`*NBq%~0KUcFtG+s3M~iE3XunD)1u zhfj3RiFO^@^Vy9%x$T`ffh>h3p7EU2?^EkL8-4V`LVqK~yneNdM*`9F^_Fj>IuocV&Pz*NY3+LFssgcc*TP>g|74kpE20vkZfwu5X3 z6&2|VsLk-U9;#wk9NRrr549e%J*iX6pl;_M8d~@)BDU^(`fH6B0f43%V+#TAZ-XZ| zFngf}V$WhHan{-10&r^iSm%y5xOPRp@Ajgo#wprC9@2G_g|-RR7NY1`x=H2v`T5=X zbRFjVMI3_Uc9`8Z=f4&IYTYo1Z;|K=(RQZo(k4cQg$|@m7x(@(U8!&dhdEdbz0Qb@ z@G;u~(f`A9Y6~AwtoU7aN6zRmjy?qji9!8oC=q&IreGZLqVW2jQ(5welUCN<`@Y5h zh*J?T$-Z??Y~&iF=y7rbUIKZrZ*NfLPO};G@t5i}>NNu&PovhoZ2kK|JBOA#C=AJO z>pSP(!nI)+!`C3z4Wj~t-V7`^ZUuiL^H?Y z1zGAjU#l-%c}x%$eJzLR$IyDs3($vlB}$je+qn~_l_JQGz7AcA3hSVyJbCiCG36=H?#c$wjIhYd9mjIy zGUd}#J@io9_X?5yTVzq;jRtwl6}mxFQl`;q^o~A*yU8(qXIKxI`DgcySi;ZNH(otzT~L7{X<@yT(v*Fetjvz=aWFYfOPtCzK0^`f^ODj(=*8z6cF$dTaehwz z$CH6%lrqR4zYiIgfGAht8;H3)jHR}X#{a^j;515GQ3O<8`=7+*5$e{~Sri`u{QkbF zt!s=Acn9E#b#J4)%#N?`CP>uIK{YMkpdcBsTZi()!A&HW?AFz*X^~4Z0A<{_H9N+e z^b6<{xXVyqS2tj55;n zLR65AN@yO4bxk2Ur|>Xp)m9;8k|GKGK%Y3a#-dQxmhm!6pJ0r1q-US0zl3q}bLQQH=Z{l4Em zOk8(pGV*^WPxO6wh&Ekole@>jmd={xxlv~(Umc4Z-aSF6jhZUiUHD96{qnr&9g))W zc6ZhM{+#VtM)DoiI$ZICwlJlaG80SWijqO>pE9Mlp2Yy}BNHqFHY1|1Gx@meuh$8? za_wnoAO8R3+ahIY~@@g;Y= z-M$+>hv6;(${VloBMFq0dIWZ1qUmS^8nj)qkjNjqrxH4rFB{M^^st6icj)AMKewIi zl8unZv5%%5RRCoy-IZg>?cb!DV)W)F3+91jU)m>YYjN|2(j0p;>Er6=TE6S9NUxsL zV4PdC>o%;edmghvph}N^Sf2~zYMF+mz%#`OqSCUj9XuqzQ%;lKPb8nB{7-{~ee|hz zI2&#PovY4lXPQsH>8NbBb*m+c-Ygl;_Gf6&HZCd_Jjqa1=&moMfg=i(Mh2%B+82|C zuEX#Ng%XQHYCHA`SE5qSt70FC!aZ5-W5`{!1%0X-@m@*1K}RsE=B3*gQ>v}VU@9mM zVaPhpu}}#Tg#(nCx_@3Ci>QQ6zEyd~OjBGeJfivn`%*!uJ)*3y2`m7x25>h#pLzu$ zL$O?k15h0pe!gCtq);l)MEMI&bw4W~3YhD$*fU9N?HH9eEe~Ytva)#@O5fD8a=ZI4HDw=8oc#T3juV69t;Ta{JIIxm z#B6+XXE^4Dwezeoh8=!_mK$>k2MWjl6%+HCX*@!={D9eI7Rj#vKq^8mBBJL^1+PK? z*I3&@DMa#;V2t1a9e3dz#--4i9Dy16@b3FHWkeN%@iiY8ZR_i{xT`1sLC7lQZd#px z>6^*Ze8$0<2MUlTC=3&xrccyD+~ul=;AM$!UIIUbZwbMcP|Qtxq| zN6Flx#nyCCjYlS~tYyYNO{)CDsKf^kXR*o)Eddym8vK}ee9S<@YxEjn&oRs+N#Rfr z7>3N^iRlv9Pe|jGZEa^Vr(j~BEUzSTSF#9rfMbb_1n#ATcxaq^kg!-L{~I9O032UW z@Y54V@f26x%6juh{kP$r*##a&6zM`877pbMh(dtw0~COb+H>DuT>zYaP#M|+Ql+TI5KYr{R38_i3ViR}r9pTA0r}=wQ z)cMz?*Z2-V)NexgUvPH>8=TqB(`j7>@~lzAm>vQDs#Qw;6#w5aC?vuMy;Xn>EiV9? z$2)JE&(~xlf#=-5zvQ|dPG~Q|6?ihe{QS`K&`r{OTHARdmn51&_1v+;=-j%#bC0E2 zTR1^`2FaBT$D{iB`82+b5Q4w(_IyeCSUS{0_eF2O6Jg;KiX%$SS&ACHi){8M2dD(Hw-fZx5^Ln_T z`EF2y@rgB^H$U@FIj`USnN&_#&#|ftN+gAEMPsAqNww*#{bCRItyc}(3T}a@aKk#H>HWdl*86=6G@1CC6%TTU3%;-{fzR_xriDi6v+ITFGAHrF(NSbdbcWvfSZ$N_6<%}M-`RSbZy4R|l zp*KODL*MnUb!?3}a~c|XXKP#(Lmva4&%M<-s~Yi|nRI7uFeWtHZSP}0)juids%DCui@;zR51t4D{KaqCqtPVG2`3>fK zG_N5?{fi2O8F|HlS{>Q)Z3uNjne~Gt>(1LUk~V95vX{J!Bb;i6@4_bcSMBi*d+;sM zl$(G?dwTv!XdI*xUE&fx{(;J^!g|8{z{KIvL&HwoaZF8to1FT&Edx@bl~`<6^Qs!3 z1!WolEaS3gQ(ffb&@)A+C|XS>M<0TdTmyI_7+F@DE`uEsb)rt}<`Zix1)uy~)HeK8 zlB!)02ry_<2di19&|P;RB4;tFy{)+QR((w){+`svR`oJ0BZHH{+9rmkVu+8xFp0Ly zppum0Y1N*X&Jsjt{7d>k*jumSQFD+GH?0(_{}GgBXi2IrfFeiHMIKYe!|gEu<@m@E)X(d zdQpt}n)_`_;EjjjUcWxNX*g>lL;c(1*ZNExOml|pjoURKlr+F`Jh3p4nRLU~`^mwp zXjedEf8zZ1c!7m=@Np$HSg{vTe{A3&dz9RJowJ=(xo0bcGCYQ(hYm4-RREU=@WX%# z|5?oy6#88@9W$dP5UPlsQ%p>7SyH16I{DH%M;UsZ5O8Lxonpt&w96tI5TS^?g^_|l z%V3L;Sf9lk8k$N}$T`MqhO`y`JsBIWz{A+^C^$PHAPd3FaZAmpRe_oaplGF!b$>#{Nf15x0W^JZ8QH-UbLL9a>O@R z)Kj~qVvm~2^S))n()~(LP&wiAzA(bA3tjZY{mcMbmj>|3ZP<_O)Q@lnhY3oS(FBM6 zmIH3Pgs;eC!L(z)PF?u*2*L`IG)M_Pm(1!e9B!o>I#Ca{krM52QT;p4Out#lE9ha$%q?>VGt-GEuD$$znq>0 zccxfd{TJp})rZDXVDn*%UYUpV)eJ_^qEG}J@wcvU?!msggScwb;5pLWu)9UKNN)On zk#!bqZN=S|5AMZXf=h9iQrz81aQ9+`7I$}t;zf&Fky6~X6t@-+uEBlM`_7$b=FT@r z&N=%pd$09d|IGpzan_Ny_XoIjpWjbK3OoOZ+B1LZe^H&^uDLU^n4(k5g`VLQWZI6y z8Yf-Z5-676|DjxU7nh(2VcbMD$E(&Xp@09?cUR`A>v+_`wlo~QA4mvBzd`=nA4CUO zJ-Eyzg8p%l>+UFryFV&TRTl%p*>0cBb;dpEJyy=U`L|o{^uJq-aD4M+{ipr2Lg~Ou=IsqAH zd<%OiHHU;|ev{f_FegixRxnDDmPij*41EIdEJR^^qrrv$G@$r%49`2ntwL)eCX9AY z2`Ld>o4b#YvqP@INPZ`%oVhTBqC(IuyViSjnviJfrwK9uJ0g7?n9=(S4-5+_PqJ!U ztUVyEN@g%0Z2V!qT=dxA_aktjeJ4=Hs5);zW}3VDB$=T0Cw(DjQ1E<}UgXPsW3GIk zvGLyr>!;L$2amf(%phR)b79OR#5x?uMxEe>m$?Cv8_0{M?Wa~`xy*|B{$D)ov~{? z@jDjAYznxpG7X2-g5Oka0Gktu20<_#mutM2{l$z^uE8vMD!WM|i;&cNk~ZF?qJR_X zE7zBMaSFaRc>(IaMeC{Dt6({@2RXrmk|4e)PVs`w;Dmyup|pk9o12?A*=8RppNC=& zv`7GWbcX{&qp~|p?PAy+n7_#GV|3`d?}Z+89G@$-TDqrL8}guoiY}$672yaFo{K94 z!ye-y8*t5CO%)cHr6X4{&u(lPc~mo@ukK(tBV}Sv?)`X)ahzUK6S-e4$k)r)`v=@(NWup^A96BA-q8mFP&IkzI zB~QVlA^qWmUT-JT5!SGq^yd3UM!nTbo_X(6VE7=$Df)P(C~XGWWxrBG5V++SH~Qy0 zHm~EBdWAppmo9O{z+h6%VUU!E#gfHAn+1f%8f%1#@fo2J7|r&>+%)CoMJ%14`h|7S zedF(0fV$ApMALv&iG^OmFK%0Zovs8n;})aXuV?#IEGZFz2T?6`c5YA!4d@5S^PN(q73b}k&h1}>AN-=MkpuCC67EsgKS>a$ZLh&3Vi z%zWLi`VBkwe&keR(ma^1v7t;dP(Gj8(HCznV^u-Dho5+cL?1a~ze5fT7!BTYoIAVy z%RB>v@){Edu;o1aSm0o`?L^m=z($cS^LQvGZGIoFOmqG7^`88`s`sK#IK*oO4Rm8Z z>pN!PyYa*&FUpH(fLg~LtK}+IRbFY;ACw^iMEU%VdK;N)32?}4lU+yQ_ntobk(VnlXFsKVtVwKvrc^oAmFn7UXmnJD0cYT?M93{ zz%ddw|9Mpq1P?hrGfnd9-0SJ5#KE*t|AH+!Au^LCbV2{Nb*=lS`n5ybzC( zoxnJ1Y?XG|W^*&h@o&MiM072jQ7&c_4GHEn^%qoEnoRwE?(&`8zA^C~*A%QClpA73 zx=Ush>tTZXs*y-fL@QgQR7pvE5iFQLexDDT=rih&$yH(d!OP z4~(f?%U*grwP5xIE>v=?1^@g|z&PGhVK-hU~e`?0tn@iYiEBF+=5b8L9fs|@w60=V- zYlF-s$3|yvv4sN4&^yUasI(+U`%0YjQ5_)f6f!bShVL^`>HqxRg*RYgK$s(wfjJ1p zkLHH)0+vCcdoPBTHcsqk`U1015he(2DX?dIb@4RXGsqZ{1l2#4<_#1!wYIh%I-)4U zW}+p~K7M6fWPU$km@E;c4!{nIIKL*d5JvD1iVl2$SCu4Yb^P0&9$*;wV{(VoK!ki- zime#Bfq!dW$;9?HAJ)Z*Lh6tIp;1lxR3hB$Z07oo0B*>fvX=_S=qJ9qXv5+7M!JP_ z=WxDnWt7@2c>RpIe#9W;?y9S{IbSUP_TFouVQ=_f=Zz9XooP$xpA8|AyHUAH<>f@_ z`c5&PGgN*bS2u!mr>0&b40GRLFrBL$f;qM%aXr9R{f!D`3;{fs*PbUXdecrhNFb?-j_&1+B2-vV7+zUtR>%~ zg5S>h1pryl`xV6L%Nkbkakgi9Vn$mwhWgSPz}o(AHq^UwcNkHj%)4$OqtRJw#q$ICd~)-fAd25pQG3Kh-)=NRjvl5H1Nd6cH@-}vkVq)rNL&JF z&XBu1Fj+as6RCk1a;eH$kcs?yqa8%~h6Ai^WO(E1l_}Th1 zUG7I=zJ_K#Q!0Cr%kK)baei<_f?CGfnDXlh>2)F7OgB~wWIVW2J#QkmS%G&gDl-s} zX@=J~DEHT7#9HQ5kEKBjuB2X+O4q(JuM{2AzC?^RiQFyfkseNiK_MA-Sws&F1?uho z}oFDUiBR`5?pDhK4RR-DW2KacPd9kESujiU$^4T$#PgTYYLlNr0N~Cu8c+jlPqH!Rsd{;l zNxb^Bim8^f9DW@OLrY(NZc37xdArI$XiWm$rAIuoct5KNof&~&IlYrHmO@y``|OPJ zl4-{{RW^XT0X@OPWcd&k+jVV-nwJoS;E~EwgaH5}GW8 zEr9DxT#BzLo?Og+{MBN>e`p75@eD?^>XTTAa-57!eK|l`y+RTHD){1gW;2!Ej{XaX z=jrx2g~ixrn_VtT#V6IY+UE%%P(zH+1H&!-6-h=uU(pUq`rNTisq6Hq8-Mvg?5I~} zj8z0VJ0LSVaCIPFG~X%7&Mlx(l>&eFAEiB`n&Z*p&YIon?vNe40uIpa<>)EPJEpTN zq*t74-fy!U&&XFx4^bV8Tt%&$T2vHI#mX;G`R%m}81s(h8&hNdd{~3+n^P!``a5bg zf(d}W26H1{-qiQ6X;^y>^4nsG&mHdPJ&!AWT3a*0LIBlrLQ~BSU5^`v zcQ;VYPb2j^4|ToLNj{e5uo@a1!f)N*uDPcEmRql~_deqJQ|q|;Ey0ic`Le((-{ple z2#FLJ?PUYqCUrFX1Izy?9FA^Mi6}skPeKB1jwUvEF+Og)c^3evvaIPhwhXPF2A^%M z%YkYg$8tkOCqA6_(PEyYVCWjSEeNZJtdet7qQX(O%pf5Ni8O_?i1DrL6E(L- z)Ci}mqKVWO&as6zC5IIS|3FV(3MWAf|psXA}vENe`DDgObH?p$5hWVE0Q(NRl& zprx}qiTx_~x>EKzBQa7`UWTWB18xd{$oqKZSa#tnNLhWZwOy6bN>I-r@?sr@xv*Ex zc+%nb1@loAdDgG%DQ4Y6JKBD3n7)4&<|HUx92h?7ycN?mMfW!-4oDzTRqcmUB-vlF z3V*~(^+wJ*NZ1Jj3+AQ-mR;~z)c=xb&)Y$%9=SG6M&<3Xuv993cNX`q^Rd(T&R`%c zEx>FXe<>2N3gs2vHdUoFQgzA4v!(#+Gj@t|$5C^i4`)+?a6qSV6*U3AeYGDz*)I_8 zoTReO%s8ctcjGccHwXzpY%~np_kOCY^veR!uB~}a7TbKA?8ak{9x2TcTrSADxovRl z@y*uD?;G<@b!SeYHB`Is3K#S9>P4+YvEQdgQX;Pmz*K*9^eZ@WAlLUI2WPOcrH8*) zzypLmRLpq}Ow*kf!*<|1)`O29nJ>8NG+W7ek&)5WP3C`Add5(VH5*NGOExuYlSu$J z&heam%q_Kb!aEr4o{d&#cNeX@El=J0ev(fdSbR3m_u7uxdbA=?Nw+Td${li7glz!; zvfOQ2Z=l5OAWGJoVi!SO2t0#!zVV#^{>Y?{Lc}z zO_z(|L@d!oI=WG z-X_|?-P{BJh1lesec~WFw)Y)rV(Ft06j$JU;L<06b9}2tWhPGLQ@}(WH)&rVq8}fw z9X97P+IBgd<~~o>l96WZKy|=E^*KJpRoHQ+$}ZHw3#Uf`hP^!Q`bn9p4q8 zqrp4hm<><^l9O7$^zXZv(mm(_C>6+>%GlAMpz0) zQd|VF=pQO&8w@L839eZgWO4gzgB^I)4mQ{(r1HB|z=@c<7AxA;U3PED zs045;yOj2Rgmz6`50jc@CUj9-^ZmXy=<{4VqpbH~v@*&kdvS$KpFeKHc@{iBMTq~d zuI4O8zll4WZVO+0%`J+=iPy=1az`s7|e5!z8gSU%MtT{I*@ex=>nt@z4 zK-@>GQJM#NQM=%gNy zr06$I_1@AWXyc=7_u1zGzK1pCb>(J8^X4s-#c$8t2ma2M(O;F6YPuaR%J3^aXmfX2 zedKzzk2Du{$g*x zb$pL7`x0|3H>?$O@bYkh%j&OoCt``TT~o}?eo|+`C^`x2P2`NPaj%i(U>AZmN-yJe z1W!6LE0kIN=T~@mjCLd3*z7nK3xJzNU1k?UmM7=;(U%8|D4F+PKeGe9wU!zCjkXzb zQw)-R<1z!}@C9a&o9qYKojeobt)OCRa0$(p^)XTCgxBFOOtp(_0E`(OB;fb>b5wxE z@LlcT+Ym<#1@rK4^P%SlgR-04s>l301?Qod8;61SbS1R(RHdod$B4N|Y`sg@LT2n? zP&y?kBYLQ;Fe(*Y;e^aRS^ruSTOds>d2op$QB7ov1H!(@8xB*+m*QZ6t@GVit3-Z8Lw zSp)}Mo3h#^nQ>;1I>by5T%J2^Z&MCz~GqfSEg;I{P2?ZQ#Ep?tVfw(gyO| zl&Ale?^MH`g-U5$PGzrU+kv6l{7A?75s-bGfX{Nx!w07w2&ntYO*+1mr0PzLJC{L* zy|e7(#=pq;0rEExMuOc_Eq-R3WrhEucr@3kg0!-%e~Da!l4uNrEyZD>8B)ww#1U`% zp^GUC5>x&B99O{iWWQvUa%xQqJSZu>kB(%+K1fQJymyc+Y5<3Db8}N-$yjow?+te> z^pd9`-^3@QTKax|oFP|9j+ss0OqF2{+-m??GVsHn+yLo@fcHVG0y zToWUijn-$#Gcs_^Pq}T=MbPeD{UIqGqo8GJ0z#vct%L;Cq1lOih=BT5+Q2j)+J=;e z&e0z-?qi_CABwM!F#n=ypbC0c4^P{kvw z1rn*qv4QQb$5Tf8WFudcg`c~=ou2amplOHQGfeLnN3NO#5%A3%-}RtAPnf0>ckatR zu#s0Hf!@GXd%?3^5~*LIJig61tp4jS@azCOTC>e-74M9UKYt_sSg>K6kNihjLvGYZj;x-pZA~3eV9S)1d zb`t27CQ{~Gu0vr3GCp+J3aQpb&Defkd1c3*q9P~%c;W~~BMW@*?4vGlY2q-47xJ0Y z^2p=BXT{XNz)rTi3}tP39R~xb?)0Z1;RAc8_AL+8@T5v_IC*pIsg@O<;!6D#rH^RX zAAU1scXTT*QZy<2f^K#P*G04~?4EQVuKVJ_W4ozi$hJ|nb|FE54&P!k`E&-y=CDCh zU^#;s2g9E7(c!8tK!NeB@e-+eMh6zdEUt%_tS>{wXx%(ARPbSzX#h0tAQ`+8#AoHdrJo0&3ey&0%2kYc zQl!k{#S{2P$;7z$rTzeVBbOUuO?{l1NgHRXmeqiF-k=YR!STWlk8S-5S(B-b zE^fw_d;x9oiq=C`?WBuOJ=W}W`2LTcXnw*ZFSR!%Dp{pq>lE?+_Q?=~gBa zqKas7>(ZPEn1a;0aTCR3#9|6v{n)oxx{Wj&*7ntHQHG3YkrO2KydRLWI-v~;x`K>w zSG>f+Bf#@|t1=k_3&-z=YBqcVb5AHK5d_sio?)fMPWVn(Nw!wwYy_Fb(u&<3={iO~0XG zOZ7g>Aw;xZD4KImy(NC`!`~*p@hfr~dxnkAj#6`OTDLpX;OUzID5i>mGCUW55P}Z# z_whBV9%PZvq%%T%j?(|d289abMJ#^%R|`k5TF6X3CW`@4}lmpli1_JcBii#>!!3@gD&`ORnSN0Cn7 z4&z0@;wCTv-AI66PJeb4lCKeZU<%Ru#u3Jydtj0yVfnr^*rzgNT~e7$Fz<1$ou@=P4-$%Yd{Q#?RgLezO$Oi zCI+kNargbCiyqjHYvb1DwL|AQ6Pb~JKlVKlzz?PcI-6$;YzqT7+2}UZmu1ueAJ4kG z1DgB(G_2*_Rw2%#0)$-Qk$(ZehZk(iKX7MdOgb>b_`))x zrK3jYc3gQ@N246{0#l3Yt3R5ZPx61Q$ux3T)D^eFA0iNPD*2;!zCt}`g1p%K{awgt=hRUWUrUo!F*Dw=XLK$my9ButLhXwRIk2CqUaVAZ7^G$6hRRf>x2 z8nM?DrHkugXY%a4Ub5tmS0r5ggCC?R;s!5tNu=f!F*d#8cLH|Ce zNHkT;ER8`&v>+y`D`_p(Z}R(tLB38V(K>1!gynAxvVs4ZTft>OeSCHDQ{I`Mydc`{ z--*X_SX^wCkBP2Q-JQt&Y00Y_Vij&7OU^XZI^UMbb4ToAf%BDh_~l`im#yye!CC$x zX)ND^iEIFq=k`&-!>Zedqv>REynMG`qf7<4-M~8`qD<4Fl?LKr7`m@w8?Tm9uka;r zlsEZ;Y#Z?$t2m{OP6&=Cs16=vO!QaSRBZlmev$ z%4Cl0MkeBPgYz$RY(1PHqPs6kO^MMPL{{1{4|K&rbfg9Fl$0v}vR+N;!0He6JN3UTPTha2 zU8_{w>pFK2>&;%^H4#RV1@M_}zpY1>Qu+HoTa3~^j`gSyiYR1BxQEqE-|xM08F|jv z^;LtLuI8dW7X3{MPm2D9a%^t%a5dHyV9toc^2Z2bhJ8XTU8Wmw5lF=);b^)yLNKmu zMJL-k{Oa1aVk-Gl{OoTW8FSK&S%I8&28C~)xsiZE$Wup&y_i3fnp{vMkVB=_BPl;+ zVK1DNV|x{r>J7DaK-l?j&&?WtA@cm~V1Ld|aM~hCD@{{7p1G3iXT#nMV-){l6%?Y| zqcK2SUBo{o4LR^23svrJph(4j>_h&Is<9QVs?EJxrxJI`RCb!9dG-+nCq&yVCTj0k zQ=U>ceQs1N_Kj#M6Ay^&cE)i1K@W+ZJs|)MWF#Z%JEKkB*801O2|$#=;fC$QYr_~N zDmauH3LiMk0U zy+U)PCqxqV2+X*GB5;8QcZAdbI(e4XGhXF)exe0lH*PhZ z*B_E8w$@-tlU4k=@rG^AvP_q~TBx3w-u=uEPEr(nf7V!S! zu@lSQDWa_OxJujZ!HeLivRxRr6UjflRo?oyNfEICP@hoRem7dmO}adB2OTSDY3;^B zsvJr`ngNRD;g~gv#?qh=c~Isrg&*9iB^rsxjo;>@#|Y)1N@R*)_uc5P9eHUei86_V zM@eAld|q9#p>u<77Cq;YVk#4w1`mr9pLtRCqdHFN>xH|!YNFE^%v!O;rKVPHP6`lj z?n_1=+>WdGoGE5Cq_~0!XJq3fBAsx%Y7~$Y&fdEA_V_Wzzu#@xUx>nI=_}8ETsdN) zODRawp{&;^ai)yFi0Lrr(?eE6XW)Izufk<~1d@z$FV`^QnTFvme&CMpi_J4^l#U+7 zl}r|srBN@*#)+!#muJSM9qZLQ_kd@>nm9OXB2Y^amrw^HQC=dplYw?sYcXtD$U}|i4r#yOGikF*3_g&@-dM(4BC^6ZAy7_$BYo6vH zva+4nFcS%11(%BWKp&cM0-q0r6`SPK`>s0Psf^xnyR9ZW*N!Rh1$H@#$DrrszcL8N zHH*Ntd3xcaj2(tlQQpqEhI!)a$sXABVm|$tit`d!4q$scZc?A`qWcp|6~?Gu1)-y( z?8jNeEPXsW7b~nI{x3!UcpHwxUxW&0htAuq?-Xt_*ZIO?oc=dK2yf0cL!a{eK5H$( zB0x_ir-&IxDI!lE*{M%#cZ#E4&$+)fg2POQf*?}wa|Q)3O-{Z$J2WTW>D8UMiYV3a zv&;@(mZt{MzT$7nNdv8a(2`@a!BFZf_*AJ1Li+A*D4k6rpy-3F)~30w5J z=lv!Xm%yRRcYJC~DA^Pg+j_cguK#fkZih(M4jN|v&|^H1D@i7XZp4jJuib6x1{5gB zgwvqY&MGh-VuJr>vKx|Bu`bHq)>0c+(+sKk8sr9kG{D4npC<2-4HMPqqAylajD4#M zHzpsawyU^N&U-gPsF}frqKjJ>u}@5^UWe^0BTTO*f>Z>DkVGe*UaL#Xv?xKL8;CjV zqlmsJ4;c`h&LOPSqA$P&TdG=kUR2d4t(Owv!W=vqC`)RMQ@y-WFyiQb{u^Gw0#X4& z4ay-Ct`BY z>2_$220fB zn3px6GWE~O`e^e2qeg4#!u`Bp_RN_o^ds>#VGgln}@^(ihSJ}?3Jk{x(j*% zWlIOF3yjgIh?ow|a&G7)(hAlXj!75vk|8Q%Cj<<&51iR2Lk)$V-6vt3yGvTBmh!L2 z`1y63;vznK@760!wVdb%Xi3>zwj38=fD^+sBa+NR?vvQ?FWGT^FsUh8HCB0m_Kr8w zv_MeTcPc#@T%3?)c6ovYY0$c>%Sx9}21-y?fF?aKAEpM~nc z7M8OmAFCz!LArcB?|Wvnz?tHjISX7RLVdp55NT-7a9SppS^2s?+B2c%$}gL>s=PT> zgKj>Rob1k)>wTDVTF7x=iShZo&lg?ej=#=(vhZclb8suNQ{paYN8H&>6*L5g)8{*k zN*zi!)lhw@Gxw>McwFGQ%PIrKENt(c<@D8;+%cv85ryp;*QPTD@#*s1qOLC);Q`0R zTIi_LEmI?H3v1gWVFuGK1_5cH$2wrucX!Tmh(TL^m%-0Zbi7FKFN))LQPKdWTyedy z3z1Q*vZ1wo#`<2c;H2$Am*04-BXr~lMh7NZWC$e|E@a65nbc#CnN<=92}`Z~4V;mC zYu|HgN`r^eRk$Fo-fn z(B9Dy>t2O+a7YR`VdG3wYhi{YnK80TV_v1uk^fc7jnXk`ZYy*i8Ha;!lhoN-V}6^- z2d7Qn3Xe<6oWU8LR$bHtWtrIl20j>XrmX);C7?@Z6mEp_60;0&MVZa~7^eC;o;^BW zDJ}47z+g5^CY%$3bDJd*i|fth{=|Doyfkc#nTA3 zb)iqZU<*7)LA6y3WkicI)R{>i6=aq)-B{qJcTF%>y|jt;DAo+3(W0Ul*I%|7DsdKjc*BC@}d}1VgZwQ4_636sr|}f zoI98U-nDo`QmC%<#$D##2AMB>*BHtQKBh(Ra zuE?MBVU}m%tiGVg=7~R_0jjc|(8h`NQ?YR>=JI@>%IL*jaopmF> zO6zt^JFZ40ECojUuBnk!>0+;lyQ~>`w{Yr=zY*K;g24;LhRj9PH%mva~Ugf`A zNvF7os)sE`_FM+nM|`78C0jD7GIohgyv$WGI*LTx0=afKd@O~>+gyYkA_F2>i*!XS$<6SNgbNnis>8LTRpHg=*YB$c!`Z|z@RFd zWe_lUsCf9vpa-3HVh!J8CRt7I*7-}@M{Xi^1H6`$(WF8&t!q?+Zz+uL>Ed!=h&6{b z)gl7vhPU;-2KFv|CrLsC^8JIlDH3mV?9$}ycp#RWG+vQmaCiV2zNVoD6}fW+MHyt) zfPEaqQ6^j{N`OErQac=;rq+BvQsNW9cA!`{MFG=1EfvZDwvOWbggPmqMnlMPucMV_ zd$GkcvZpYY*|Af)$?oF+amg)`(%P&;rbhJPfu~UB5Knz1SqkZRpNcN3jX*Mo#eNWK zEkX(uckW;t#to9`!Ohrp`aV72x?1y!&Q#!|bXR(8uBqA}mfoh6rz@WFr?p*uEatI* z8OU~&l%-MrPQR{d>x&UThLbDMqj3#WG>6nrp!lcFbx&sYr|did?OV^}$Y;tIYVsa_ zWy}>&Y7X8MZr2QfKb(^HDy|J+6xX)~$8`6N*xiOC?GrI|fn6$hmrsLfA`>HfR;Des zX#rm~P@;BU`NEZS^{*}X=F>lmKGW~|QI0|ygkyt&9(d(uAC+RqQ9FhJ|BNY{?3?@& ztm=1l{1Prodd>inMAE}y2(^=Z)&O)lmnQt^CHGtQ3 zsIYmhvw1AMfI%=`rtLHYc0|HZ|@JgL0uy1 zsSs*`P30hjqgWM4KR5X+J1eKo$XEVGBn8xRdU5p|HNHYvepw5`Gny6?GO@ezrb z@Oss_R3$hBzX2)ZCA}mpZYlE1*HW@31FI=tl*oQ0*QA6?((idU@lkw@YE}pbRZ8a( zGEZmQ!M(B& zZSN1fp0P2wW{N8ec|zUX%&8L$=`he%Az6KSWG_0cGD z5@u-*54%H;`Zp5t`Jb5Qqb1#1@<%TY<>mMM2!CoG4eDO;1iyF1G{6u1`2#@dLsr!Nb_l8N^t*2EoHyGKR%}5@v~8)%t`+91w5G!$D>5gKRSrj)W!2D?-X-d=>Jx zBv)Z;D;*-j?Lt5u=((-iED((JwGZIh*L~a_l}f^qf}R>nvdovDfaI7|H>ki=EOyat z0y_Mv8ytyc({PpC2pXHE8#knuNx}S*LzpG}R#d(84Xa)as`%3;c7I^^QQl?@Yar>6 zIt8%Ih3CCW8UsIDIe@!a`@?s{>1k-`c(Y%%eA$TpBh_Z-)o^B5=#KI!scmlUhC(NV zm7|D1WlVul<*F^;$nfa+dwI!!cxWC{2!0G!787orgkuF}>EATBEVu2uYx8Hnfdcfk znvsR>2Y{@jVzSNEL1ddX9Hp4)WOk|um^aV6Js`%pritQaEqVP@*elrcDP@9Dw2o%4 zXIF00+G%d)`5kFB%*iYQeoY0TZ?XUK>Y-9#qUwG|l@5!KYPv7n<26aOypP(mg`^I{ z1{Ff%w$_`KNYQ8lHoz98c&kOScY2KHLG-c2oal*S0^&{_Ibrb9%%G&_gTuo&+pX_7 zuAD9;_IN zP>d)FowM9YX1iDZ1{G6aMO{n7dyiB?V*B%%Mh2xAG9-tiA*^;q6+6UK$@2H9Ok|Cz zgTpgL6o`9a)X5x#I$z$>m5Herx?oMgMeV+L!8IH;(E}ObcP|DkNMJ1*x8k||saPhx7vl7~Cn(Af6_A`^VD@mJD^jIjV^BjDFp_) z#zYBRdnHhMFr&OF+;;J7?FXdW1_&=md(8btxJ`hzP*r5}5ifSi#hEn87tnngQs83X z^J1W)krU>GlUIL)gz00qOV|sMz-tryVz}dV`6;V@ZPLfKFB6;?Q-3^dWfuu!&0uB4 zfspEc&ngax^16`Wr7xuMjF&bpqHCe~foQMAMWdv#j7Mz!@giJ*CRxdZ&J3Pae5e;A z65MF@%}}p!s){-U6hr-v({!i76pcNKVX(cx{|4MhcXctAIi6HfIcAr?CC*!vv>9Hc7fv zS>SIWp)24^8lzjb{L{J4ouvT(PswNicm+2At%FsNqEA zdl=Xv^p58~TQL;MM57q{qwy|I|42fI$fkUkHNZ{Q>-BMse95igQv)2UkB#D#@LoRt z8=t?Dn}0q|VLkhQ%9isTOUx0qC!Tx@7WoGuO(O#V$u@#VX6yd&&tZr%e?wF-c5!hBgDhfin5T_hd2i6Lka@`N9Q#4CHlO|OZgi0r9hdN!PgNA)TyM8i-KRe6um5Z@yT2Um1{v2)oc5~ z(9tSIT5W4^*uZed#Th;Zal~1`-p|ceccU}%L~qM1Uf)kbC*NoL#hqW|8A&w1OB=EB zWqy^->KPGNxt}dlOHC!n=V(htNao=#)&37R(6bKCx4z~vWgPE+K*{L92*=TA31;Iu z6BeN&2pS}X=G3xCACrC*@9-w|w za~$J`V!~!ogz^&w*bUoN7%y7G);<)FwWMtaTED~2>*1Z#?UAHt9wMRJM@SCBrH7-4 ziu6|?P{84mdcm;6+vYWrgeNVOWaI&uY#{h)lt>rR4ki2QEbi<`p|^5$el^;mlZ%2{ z=A2u(ZNlvc_b&&FbJyfoXMh%+%-gQ+yb^4`!fR4K5C6*KdqHw(2D zR{OzgCHkKI5cIogDwsrkE4>pv%AJ^*qxcmqKJ7Jx_>{=T>86Q61FZes%5yz_pgdM2=5ZepU+bZ1)gOf-9( zWv^$txK$h-l}TV?YQ#X7u7t`G61thAflRe=soJ^%D|T90eBLP(lJCU+_^yX;K9DGPLQLebmv3UufSEU)Ky%v6fF- zU5pXT9=qhTE7PrwF%etUB7Z}mVjq9XrVacpS5hrU7UhLIcyLc|%=c~C>M#}OD>We{7G;5dH>tp_7~LNe{4I+ z2n>&;%Ec!dn@QGX)gMjCZ3{#mK6{H;C=tbM^1?Fll?1Kpj?+P&BdflD&@_sWyAaEf z&o-`HjNaBY*8Ob|ts8Q75;0nP31c7KTYl$(x5BbEEdYi4YLyySyd(QqZYOj$*!3Yf<4QNnJD8o)WmZh|MuI|ZoT^w zu&|z3#{js4qoElCf(F0d!FT5Jk!jo47J?)1YD0hj|%-z^P`f4zUkDuhAQ{__{BKV$79s5+RR`qXKF|0fsMXI>)nbaixz z8SipG4Ks?mi)Sh!U`xSP%^8_|;7fs5!TQ!_umX&^=lc!HK6z;vFh=T#hK{4dZ{=G2 zeIWTo{;KFh%3%{dayFNFi1XSCZ>{{Zf7PQ@L7~y}^K-Da0rCQ>L?3d^%u5!X+C7#N zO(P6nugDPuwXLlP7wtjHSS$<$F?lGVad)GRKy;umskLN=+<1YAwZq-rYXDE~c{*n} z%)Td>@r5wNfOaGJPqi4B3>I7Fpr@%a=OCY&GSXxEV0kPCE>j8<5PU4&a!8*ltA<^E zeKtfrk1};3iRV2qClD^|=9$}(!D};tI!y6Vg=$UXefJZDv%eb#!|U)yq4F}@KrBiT zsS1XL)I7H1HmB3dw;Zi06FF!4!gzE07iS|m!XIsfV9`7dF(yCUOT`?Q*?v;aIgxu8 zTx=av=!y#-vFyRZs4)J`&fOPm-yea^&pK~^^^+IbE;m}QFd2I1xB9Sqf35{J(5mE) z$ek=JJ4x$&qWs{)bJHs_m(uiGKZC>gt=_OUw9Q5|j{Tnd#wmQiwWZF4)m=_&?bB7S z%{s=BGIotvfAyNcUj4bkC)hNqJF=>-OQde=$mF*DH%uZMsXP@?1@};Kt!p&W?dwl* zA?9RoaWU{k^vQ(iHY0h^*L(L?lnA9eT{;)Yi&s|+`soda;Xbze!`qAA7kx;y61Msw zWDhoy+dF+0)MIe(o4iAf`)v|%j0=y-UHGnPMuVeP^`R*iBlKyCP`O88n_u`50T>N7 zIRS82U&l;m|Aa5B*Bg@J(%38M;H$<<<6p>h)ngwkXu0_Ay0xhOX8mP>baPSPxWZFV zv_vaBCh?eT>^HuQ?!~ZNFC#s5(gG8PZtN)HAm5A4d}T)Y=nRYOZ%1qqAwL+j0Am(O zhot7a)o4m3+V6irG$teo_sdDaNXNQPfo`YQ3*f6JJpB&=k-htE;429L5(n5`%5BfP z+AmH-25=R_+A0jYx|yF*QeWPkwn-Yc=eGaN0^qexfX7c|R7HmoT{>?f^S|LyKL6?zroNhSEJOqiJ+QR06H}TJ+(4l z(`L~EZ-1`y>mW+>!(zqOB)u~@O{qA#pWM?0UDi4%mb}Ka^YKisEA_+uZ_d4N zaj~PCPfIgR$Y5}ojPtwgM8`ut!w-a?VCwAi+&xjI4p=3ryAz=N8<=3VL?JnK4UK<`Im1~P^lrA`OK`>4EvhVc&Ow3#FQ7h z*u&e}=eVhzM-M38?%$xC8BoD8VqeLljZg>uq!4W%;qzj3LNnUuIHwjRUrl5VaqSqY zi=24RO@i2L| z7e5cmatOG*E_2rZ7gJ{y6-Tsn>u#Lj5Zv9}9RfjuyKB(k?iL`p1$Tmm;10pv-Q9z` z`z_9Ichn0HK##84wPme2zxfd;$f1ts`oh%A)abv<*kEF3(!Z`=u>Rt`=)rI?Jdrs$ zIVnRR*<5u#EG{~v7~kthxo7<-atZL`f)#wXFpS2!Q8Y|@!-L=%g|7jYV=MD9slOW9 ztRLe#!~Eq285&seEI#|$#GR)Y_9bzUS{UYx_;Dh{c}k0BN1AByoA6=nBZ&NYrzGn# z9E47F^dG|AL?pxGhw(}kd0t9ghhEH0Cm_c)R-F>tz}tZb!1cmL;e+8HUN%wu;O6z* z^zJ)gg;1#!vUF?y0v%1a?sxXlALmo)Q-q~=kf*+A*1Hl+O&}Al_L5;=+~+Vcto%W9 z77lDuhd^T4&mQ^r4ZsMaXb!3RG$!2x3y6Z>HMB_AJLe=g$LU)!dxnrJaQ^w^pTB4x zK+Hd}H&0o~t*bM9J!aWa%Hr;OUh_~odS*YW@b^N6e7kNb6%hfui7JAFe*77$kMnXD zvjCsCTs!vuOI(0KZ(3JP3`n@an6%)p6U-na~IO1mkZh!_Tkm=uYm3c-GURTUf3Mm8>no4>*6d`a-UN>OP zhmw0SKP?ZQ%m^scfygbggGeJrIi0@B6jq$zCdq}?0 ze)gv{c)U#R_FB8js(gEW(x~EeW%SE22m`MRjAjYyJW-xC{R)kNx;F4-cJD;^VeB(i zP?tv>1ycat_W{^U#J7u`?57wI&tL&8MnWip3mGe`x|a&SmlA(RVnl%L^7k|(`7#rj zi2^&~5<*z%bCBi~H3gl2rukqwSId*@x$9%w-OFqKJ62v#Sp zSP{0jS|E{K@V7ps5y>x}mlip5H@8>H+f_~U*n? z<%yQ%gNpt=*x`PCSj+!#zhPF7Z7)09S$4B)Ieu}<7~$9LrXOyoQuiJbTSz#b9udyS z&_1Z!l4D{Lm{8oU2?2q6v%K1*Jf?-~hKe!IuI5$RF7CYx+TWS*amC;_OgI(&q%R`g ztCt&acbry{ZmTXDb&5{_8CRQA#5fh%;MwD~HXf&kotN8q%O2=_25A}Zc2cBxvRQI% zmFVyl%ftQz5SV4BfhHcx$rVwvJx=qj;(svsi6EXkzr(~Is>2CpdHhS23p4z_FAD$I z&D4C1uKBaKZ{Hj9?f_fYUUY+=$KWPv$$_z*VIzVW_Cd3?QXmw}Z#t4KY!I;{I4B-O z8Nk(1{Z{~Y)%7ONGhoopXKQd_~a zxP`kH27dvJ407TEnWuNK++oen-68>}NFooDa_#Sx99hm9YD%GzxQ*N`2-(p{r7UTInL8qrN9J$ zDOacpx}DRpn{~$Dn`W-uGNDbOUT-*{UVEIrO3iM4i`4ePs-(`GMM=Fi>fK2`{ZSI2 z?Idu7(s+)O-HXvT-fAI`^rQa#$$5H1@vc14sD&!9GI4L1gvbNt?>>S^3spY83Cara`(8SFuaVLl?53U_yVd-yL($nMa* zvUdk#+UI%4^o99>7uSl%*gi@=weh0VRFL-}`y$dDFL1O9mf zKOX?hUv4eZC`;`uTHn2!VvS&gkaExG4t z0N)^=O?{Mx!3%XsR$H^?Ww)SlPtN6uou8MG;Xk5Z#5t0AA4xoxm)E$CcZM$|8t@1< zwWr4`tAAD4w?1#w@Yy;1j`NBwU?w8i#B;DKx)XPhPSm8*n^_DsRRS7(zo4!D3OJ?U zxPN)-1~daDK0O`qr_i#SFKvir`Z8Hn0`yTh`_D0&b@#gh2_duo0W|*R$9hg3U|7w1 zx`stBSkh~stcMwR!i(T!U&%LVKU*9`B=K{e1I zP)1EG2|YrF+X5JJo+>;5hnMpZXw%C9IS1`{fPXA4BiJhdY2XA`stf3jX4@Icxeqfo z{H{j*)$TAVcs?LRsj2V~Am~qe#!7zM|L~8yJr$BfKxa|77v`#^8_~I5V9jQikE94# zSSrNWeJ1woZd?5+mlb<{#<>BR#=Hn;9b{G+W~VRe*+#12f|BlccuL$$K>o|S1A+}E zjn3yRqz@fX6@t;<^tV&59>)EI_K3%(4{J8Y_)C)iC4mO*@z(99aF0Z9ORJN#-Y6rp zowEWOlgus}2ddoTO^xC$FQ}&X?i@$Yu5<`?@6D@XG!W2(01Dd_jG1qgd-e0d5T3T+ znoo6Yo3%MCM@RCnczM3!Lo5DXmPJztty*dFcq6VTlPOJc#9A%4AzGZQl>8a?UsVE# zB&pYUMvf!N7Q(dk97GI=EbG7_1ckSl>(#Ys{c)}Vf{(+Pe9BoE;r8P_uqm}+;QMW| zG1L)){Q^jR3zDF2y@zpoAw_x&2Nh<#`3!KYew>p;6|gH(Rlve9ASE-W>`!N(Z%?NR z)VyZO&4-89oq2DCA z1QR_teuD~4y8Q|Qb9F!W3%?p!s~K1^Rwr`huAiP(eIOu1IUflm@2R>?n<}W{l0)md@(fEpkG@% zvEA0qoAwT{v!eM9X;ycp?o%qS%B${}{3ZUrO#wjQXwmuWoIqq{pEQEC0^gkI41Bwm zN$fI_s0L(kB<%6c9nGEIUlfIs`G7CLE{VjC|Iv{C4Em7e;|l0uM5dA=d!783!hMGHEO50Yee_(IhCX+9cxMoW~`Lb?B|I1R48*)DJ|hQ zVld3N>_@-bF-ZBO+;2}l%-E>p#t^IwhGU_*zgzT2z@I5Xq2R;8s^W;D@Q~j(=tDnj zg+S0rDT?+YhLin^{QVn;g#;!t6t2blrJ_mUjNRPplfwA%YGzqY`{H4_{hveU-XeLm z)_C!)<^lsbNTH$+mY+gb&ou3H^zl?OkR+ zkEtI@_ZDoGJcqyYl-smKowtq=VZOA&o%=&F#w})foi6T1+4Z!!7)+jCDz>2_3zw?) zf$;)ofT3ItsUG5AI?@VEL5JE+i276X-0UnD`=3icu~`c4#ESitkh$KY`_~9hviZPh z=Yb%R%Q>&BeNIdekW;aj?-2#&he6WYxPik<0Hz-=_f`j91nJ(8;c$`1v*^^wC< zHqG8Ry_c@7w`Fm0oC7u zJK&&MvP8Efp`KU&#$a8?7?_uk$7M-1ZnLD-HIEj*Q9IEv6enG2RWTXEvw7+dWt%Yj ze)81Yp!10Wp)X0+B8uP7i)JT$wv2?ZxSMtbi?|7$N9fp_?1A7frt4`|ZQ3CnYHbku zlwg)`5q9#hFXVK8FgP9qkWale$+D+yi*Bg_+vbxbU%jvo%s~4zSdYuvCTiy;?U7>$ z7cb$O^Lj782|H>Et0ST+m-z$u*8bM8uz(aiR-Jzw>i&<~yR%Nhf|+1|B=Y&Hlx3^P z&23vNsJUynVr@6X?E(MeTlmeH`}`KMU#qTB{KK8_TU+DpU#+@Zrv3-_)Wj3-o;iNx z0&+;oR?`GM&o3h1R@`&Y&cXPuh!P9zF;pSt89O6Tu#)?lIEJi?hBqHDjAz55SHS4? zw%2JNE4NS#$+gWhUH**4-M=d-ICzrzwdsz%phXOC^eiDLNXx9nQc#QwW`RGjWI4Dw zvL+XS_zl6TWm*yoHxZ=viAriG43h`V(L5)=lggZ`XVz&YWrub17875!a55()HC6gJ z789fnCCSqaVS@l;NhSg%@)L+o$bBSAz^@PQxy=1R^u)(Ve9>cqfH+Uc=dem)X=2D& zMqm;)2MLQR5nDJ9F3a!cj1fQ{3ciru?OhmzdF43#oN(2>qm|tXIYROJ1Z>#K9ygr$ z8k7{>Fp!p}0|6GvMdi6+u2iPs&%>Lbdc?A5b0Mb+bet?bQb1B<{m4iT+FKv@sF@uJ zbB%j>)HbzIar-@f;flFrLIp32x3EQ-YXfm?!k_b7?rFUqFEoCh z0|$L@w!R|#sIXk0V}qNa+Me^wnl#Y^&tG5AsJlGl)4ORl%{9_}nEDD?8R)F?52qn# zmd?0Ye`cen0+J$f@t#Zf?bL=1!P$CqQZHz}gDXv+)W33Jb3ye4@X6 z$1Y{|qF|gcpORC(uRKRu-$-IPVgd)&sxnH)MkJCyzek_r9p;tg$YCPz+d}EW-7Bpn8hlB?)S|dz-p}(lK zGg#)p31yv7;mbU0%;sJ&4CJVqGYN4G2h(elp~maXqZ;0%*Km^DUh@57YXz!Ll=L&| zi{>YPMhE;c#o#avsNEq|~ZH$t(ChPB*K^E&ZGHcw*Q2fs^w&H~RdY^O8$sw+3@L&HvIVdvzd8lb6=Qj92_4>acTjjS2n61c2{h31KDZ7{t(G#x|RAD$H zeaoghbHmr&Aj>lg;=^(|vx$);s6+ZRjF}VPnQNUsHPs>Jy@-1(9(4ubi?Gwba(EMD zzXYvx+)`TZztQSMfilE*bZ(IO>vMQTrV3wT*zB}nBpD@brdA3w6J_(lB*GhfEJAv& zYK)(jj$~6T&Nf?C;$a?P4qKST4HdNan|TLPSVd;IoU`s@9E@QnVXmSGc&L#eq?Wv4 z?_=^9Ep%Y0XPIM#A1TYVu|98<+N@$5aHrQB5vh+GJPc`|gUa2wwVXG+(fh3B6WA*t zt;wA`#C^fKnsA@C!>S6X!t&~&&u<(c&+=~Nf<|laDHOTfiV2Dt;H}RuX}D8QC135g zapQ@7O_YU5?*a{i6Zw66bT;83n`pUXP=x7|%Bsu~;TXila}t>sS~l&6PbozM{q%+gBiX0a@I**1=NHC67&D)bzCJmwZDlkQf`B`J7_}) zA$dNW?-4>+&pZypn>a5XgeJ1J3znRz2~$Agb8O!VZ+9k~n%kUu7^leUEDu%7&2;tr ztB*lECTzGtiOXv5>>t$4k=b7vNH7*4;?+kDZ;{^9dTDc|X=*kAt3EgZD$e5(HJa+= zHlHQNZR8J>^=AXofg=%__yfn~`#apWB1y_JMn^{S-C%MEuyiG>Mn*IUp`;+61Ejdk z4}WLO7O*c}WU9g1Z!c0y%gRpvu@`QEM6Jf`u=F%|LRYy z_4q79UUX5ZIvo(8x3$kuHn(3guha;WGZolc^*UC^1w_T-iA`7GN9o)lTq825U0bKR zQZmZW$Kt~(EoRPg&TW>zJ0x^!5~tnz49R4|+yDC*P*d-+?t$WYI{O3Z!``VsnZ@uN zqw32xaSeAfnuKZOXXGW_zMRNyanN7_BL~H@GL+N|O8stnH#0Iki`-lzTVVUC(JE9JH}SsEY6>d~4cdfeLioBaqXd!(1G zDkBJ$}-1I5Ja%T^O^g;9WMPRBpngR)t+a>Bx~{A%zM#7A}gvh=pdwy-Jm1($$I z@8y|8&S}}To{7<#+#Vt$dWpRDGl+Uk=y!{|W)^uYnT_1aoYo!;j-L2p?#gt9B6G^Q z(^$M+*{ALa@K1Mlr;1usrS@wYQn_}>&Av&j$UH;|BDp7_L6Wo?v3aaA$gw`HJIps4 zo0P7heA&q&)?$p5D10BTZL<1h5RX@Ocgkd#bLBu@Fy#=MPulQKi!!+@0Vphn&_Y9N zVYoJkLJ>JIi29xf0p4OHthISi*w=(vIB1hv*wKyuqHxs3>ms)K3Z1w&EL}=KohC7Gt!A%kbFakEuSxYAK$f`QTv8vIoiMHtnR!ob*B=+X1Kk22EG> zX=Ep`OcFU3WV{a&oa&@NvO!Rn%t#Qf=d2usAqkddPs36aSQon;%UgF!FxPXZVv+Z@ zQitSy>K%skHTLL?78MS3A!ac`>AkOt0AahzJHyF7Lqk1~!1@JpNX2SFN!|;EB!mox z7xm9`#f%MSySOvNJHqsWaIJ}z_h8Q(lsu@QVAH}u8~MS#h6$MFU_R$u>lm@T?gk_! zEa+J0JyWf5uu*$}@v|9S-j}bLi-pK!C_`zhVt6+PQKd0J>mIu?P+E3sSUxizz%6cRfj4MmF_!xdj)#m15mOA3nh;D=5Mt9Q#Gg`b_Zn_qvg;O()Ng;m&03S$t_OZk^yrHt0lSQrI zj_kK2M_cXrJ?o#U-x2I;X&~#aZIPy`5P3&@(Q{uq(g&s8hcXwor7vH|z3A}U|EvC< z4T3_cFjxPc8vFO36olkZ4d3AwrS7r--KjnmFqnd$7w~o)&{(D2{7q8IjL#j6d)4wE zOYTZ4vdUztyN@-ZjZ-hq$cVN}0~0*#%t2DQ5~>+2API=?N)}}# z*$z}#sg}s5_WP9`9rUE`(8&(bug3sgQ+AJD2|3leiVR80F=(|*9LL7$w~U(}?x~vF z!dN#i`OLV~`Kg-u#d6_Gwhl~1^kmVUuW2P$2WXhfGP-oRu*?>H4(oOF z_<^b>?mPr5cT6JJ8YJQb$G0QkL9I71`^0wKTCq*2yukI}BWQ!-5qgP{m|qcPyPn=; zvHr9>51Z4b+w;Q6D46(brn%5ns#c6Jb0Tb|8jFvE4W_IXgTx_&P!$Zg%W1aC-a#YE=xvpmKrZbT50CSzU@jzI`=5T%A} zzr#YxdwuHJ+1Y6iO5u8>5tfZoGA1pR;&`v=PcI@LB;*oHtTHue_h+?O2OKwoF*Vf} zvC*sO`iZRMSU^%+xYBK{5|%}BUm-?f>^eI>K7dIc{Nrcck2PH;6WzCd1(dCsLI8lp zsmd=%SPe7^T~4Q=Dm#N6iY3Acu-O^P`dbZOQL0Qfy*=h~v~GXTR%>%GkZOpapdFC< zxrlo}6I`^Om!>KIFy<5RUKZ$zsDXL@5jM)b-eQ#~d$C%O!NO0L^xk&$zQN@Yy7iv5S?O&3%X^Qp>f2_1BTXUj~ zGp43G&v@Dj`lUTSr;l(B?a1r?MMC69Zc^1sq-~cwLKZ27aXsHSCPf~TfQ;aiZ-#DE zm9$xUdt~F`PVzOiFF)(#0(S28nKv^Ra)kCrobc*6R6o}Gs%A;noW(NTND?Z2qm@=k zyRY-gXMf#4Ci*lcr*?Nt6j4$*cR5E@zkwm6{`Cmv`xdXQ$~>~wFe-hwP$i^DI0;0_k`S6PCQ42)u(7jOL3!%@ zjL7y2kWovi4+f#oEBea7bb!1@XW?q(U^z8thT^3$);sXG8&CQxMnB)Sx$Kkg0=gnd zH2+T-4s{%#TMi8bBq2mX1NiZzC==8FzT(Q)%EAD~_h%U>$UEf67|y^0FV+E#;f@)G6EdNizlR%pJQ#T!j>t6&ave<)@+BrayV(#zXit`omAw);l9zoMpw3`Tp5%mSAD0q9bnjdsi3nhpq6Tx}1v9E?1l zAxwIRxnqdkf`jM7hy8pUJ~^BRb#rRG6=~|9(j!M0+!La>T+W6hduaw4!Vek*4W3?! zR;wVuvl!;Gecxb@Ga=hdL#Q-U1ogr*KyvYYQs+vsuY~TQex{9m`RX6-*?`iQGT=~G zTrorg2ZAkWw9vob2_EEz4#%LaO~ z2c`HIhB@O=#ELVDKXrFBe5K;8h>R43qznj^uv`i(ffkmr z=yRBYH`$={OyTK7mLe8GhERp70qjm6QtT*Lu$Q(*?n$^2@zvE3SCua<#b!#D&}Mp! zE_0=?z%E*^UAnSs0@-6_fmlOduFc$I4%Ie8VR!k`zDUn)0;O5-c7a?EVT}E{^U@lB z$$|sxfhxh{5t*7pf($gAB%H1L?fbA%xoitq7HX?2;&NxVe$)*|Lx&}rjVIbyw7Sp_ zI9zxq(|A4DsoZU{Mspzw(QDYwy5w+v}M{uvuqzGK|ZyBil|LBtO zLXI*&HW?h>FbTKJFM2KPhq&#LyLC+@btwqkL@$T?y`ID*LK2lfKV?T8C0FQ;U6{kZ zxm$mZ_TVty0r#h5Nm$}^I>AUwpe|j*@B&g81Yeh)@C0=hPLBlPTD}G2?pJpZ@}aq~ zG5Vek^7-)2j@G!Rx(!SH(L`J|XTV@X`QFEgPv#?9ZmhRBE``;>*)qbm~> zrkAlYD7=wsfb<8xxg_%H`0T^-@J`R8Mgj>|pjD`v&k%Yb3Cz+^a@QG9`S;9#jGeKJ z1%brvpDA^64?6}*qxG-WI$3_Gyg{DHiV2~Frk7- z5$^`7Mp1(r1N}FQ5A{DEJEbFJM?;wyD|{sdPzVjSZ@Ho@ z?AafDN2{e*6sEu}0ihb3wB_2Go$q!Z+&9Dx=B&^e{AO&1j*kr9JhckMT#CD0#M@Qe z3L$;C*H@la-y5S==|NX{8D~o0>EiZ7CM_InVAu49d%I&LAB~jK&sfIZOT)mNN|Fk4 ze1L#|akhTi)%f?@1!!b`>)wyS8HQIZst^J~i4%IX<8PhK%nBX9k_J^3SYbKDShBoQdIpV$+w40wl zCm@luFNvPnwzwPt1%;VV?93IExBh7pyi|%|;PMhFPWyIqHeR6K$=!Z4x^u;wPF9=>1Ti5mlboM z9_;qXOdceNMzFbp$?Vqlb1>XeFZGIT^Et$aNRlWlVz44m=4DG#KO_OR|M3g{EAD_p zGe$f~5uZI2(uZ1yT!W!qAk}v?&`q$S>7TYKAMv^=wgHwHVWj08zvE^`p6Ctqn=FVx z7A?lXTjmhj>vkLT2bsX5hny&`HtJ*h2$zd_x=lT;1x5x49Xh(FCUnJM`PR=KSJ!F( z@7BTL-3r$z(9W82(J%f*E+@Q3>*wnQ>)Hxuh!<;u+8J-9>SZGg+6mKkbvYrAKmxH? zkV@o^iyVbpO~Rt-SZ(D>E}yZ`j2W#iCv`g9Ak?lFWjKD(s15;-EzS6l;Y;HG_}800 zw7l+Y@2o-fOsp*r; zsiOH0QxRVeoH2=SQR&8f>+n1LD{Ni7qxOVFzE@0ixd6J*EWwQFAp*iTAQ^r7S4pX@ zRQe}cQL!KL8Ti(^UgD=9NJQ^AZjm_PQLE3S?$07YQ7E+WI!G#hKS#92(RJ$bp_uC1 z_)+=VnwlbfQ>-8dX)=^Xr61IvWlyHA1U96RdCrg`_Sp6&fQcrnm$aA42<4bT%HUa0 zZTK^AM#7G~)gLE01R3Z^#hhW(!L3eRbPc*x^qT-FdnBjJ*5ho3IBCU-?)<9m5n=l- zzvWQjwc32_pIlI8QN9aBBF5u>&r9)}J>E5LXoSW^QNTnwL`xKN66=OPMCx_Lgg)Hv z2^^H~bND%dnkv(RkF;A#`N9{-P**`xT^Z+Tqhy0B-3vGbO=rIr5$rx=@9uD zK13b7jJCK`$VCiFEHm(DE0>evKM?trew%&2oFwYbgQOC@R0uS-yZ{}jn~mVF$YudS zW|wi0x_6*K;vUm%B4!6-ZQ&vE6Q=NzWBKzxothWXb=}jHS}=$NEyG24CMF~a4>(_3 z7sa8RS_rVh$AB2UmwaIrWV~&suxc3txA(D`8aKW>BPU#f2YPcM*$Bk*=6vp>^N<2j zwm8I0#4>d@|^pJzAUI<6Aj7#_ zHDjs!64$XSpg^Q!4=d(VJYkMsvPYPsiwAzKm~2UoJ0>4&UXXibVKQkYz3niGi2LR? zU!k6VHwZRRC!3tV%I!-T#HCvZA#^Y?r7nz^h7$dhQX@6BHPTO}a07weu3#Y%$3a+0 zrv{Y11Z6jVn`cl7$x4pSC6$yvx-Dw0{oTtiWh$?C%}i4l+g{r^lY)R_Bk_fb*$>jO@+P1) zkbrT_slvng*d3HeyyP5U3xYw6JcL=aF0toyf-!W_APYZh9C6r*tKG+EPx;!LB<(X@ zJuHGQf^lPgNDpa7^`%?iMh<7_1EdPfU!}Yp@|stq+~ia)7kl0HB3j}OaECTXXo%Ml zR9Zss)ao9yt;2Sp#+TwgndG4VWi=>QgYQQfKdV3o4+aK^^HSJahg>N0wq50iXMp1+ z{^;hAA>!<7t6W-G=AfYlzm9Lk1IZ3_W9J=2PR=N3A~QAB@}uBQlF$z}$(N$CRg1hR zJZ7AUyDmr%Wm{F-5M1uqjr#RpN`+qTz**t=8bO1?K2^vmp{+vl@<%mM-D$)Fa9nV| z5Il(APoI#5AuzgJ4BCIA-L{_pM}R)$CfrdDZ}(iikXPfcdCd!` z1&G2~+0Nr=vX^uB>RRb7;NW`K4ZLd+5S}H9cDQL1DpsqxIye*8(K1xqe3J1@t(mjy zPJk=v)q_G|D)Xg%cG{t*iNizIfmAz zsLWo2uka)n!CyPzU@5Pe;CWLv#~U%mI+fgjWGu39vBKve;%E0;w_}n;qff)rZxb!Oid>Jj!ZS9WMO90)7zE4KxQ-Vt+L4SCT1l> zE;&i1A_Ze+NuQ4i)Ie4L_w`Q_!decK=ToH1a`YZGC2!I!V*uyee#eJsTDVfhCHFht z?@znDKLg1d(S*jDdK7$FA3nFkum27+@Wsq>{~3*i_)*Htl5;mdhQ#TRy~V!G9P6R$ z0V{%)l1>;w@Z`%LnWgr=p<*ZIufAo~Is>B`-cl$UiimuF#Pot==KtIk;Jyq>byVC@ zPG3xHQIdydOrp~~wFgm4eS{EzGBjl7e?SW*eHOiiU<^{CDSb9#<_{(%3Lqdt_6okb z?-lcX5d>3AI_>!sBP{_O3DFYSFroCXiT)AZrIG2ZUxle)&FX)Z>!>cVr2VYKh$|i% zHjbYpvy@PbzY*g(venVF&K*A(MIZRzD12nEaDW*^dwZ(i zT2gx&{OE3(E`!9Pjby+d;m!%?gC@RcxsE0JDMZScXDVMQN39RsJHG}{A zy$8@WqtNYHAQeC5moXuG4~)t+ecfv@K}i9_pKoZ{vgHvU7le@s6GfXBLB-O5kc}6> z;1w(1Qz;R4f>e(r_N1Sr4qXfp&J1LF*Rn0L4F5)CTLkVfW_rjCMhvKm1poVCzrP6o zc^MGV8`}hqAPK;_;Bztv9KaU~Da9JW>wFFi%alNHx99DVl-|{;&;rlwwm6vW?)6-) z(g<}#<1c%ckPR#CKNvlwy{&102Cni&(#_%(v`^O*?ZCv?2mfU6_tHIl)!)XI4FNX zQ@Vz!UbrPE5-9+zrOewhY~5*yw!Z`hP6mu*-zeq7++?lU)1fH>3a+CP=YRDukJ}<+ zR)$dDn+*MbclEzU7ET3}u9&!CkO-_Xx;-fde{fuLx+69U7$R8X?_`N6@Cof&^nV3^t7qjkQjcYUP-u6K?RbJt+ zMf?aYT5cnCQkBOF?>n(^C0tC>{fr9!883%T#qyR!I)x*&1*JgWd~))GxKzUjNyHZ_Xul$ ze#tP}fQ_wFx-lT+*S@a~Th!5$bC8v!ZQ}Fr1tO>Ed>^N?)g67dFtRmQ4&>bqTPn(H zHHuSL#MZqVqSd<$?jfvosk8?qzJ83-(XPbf-3N?Qsu@mWylVGPfLE&*Fd-$b0a>!` zSZ9EsjIKdvWecmfy!lkSwIVv?%zKZ&_Z@HaxfMve&Zoy&E{tzEZM|FTt((_RceiUk zsqcM9D)h3Ch5Qv585sfY!ibeWRN)0aLyth+iAFhq*4$bg_jOfcZU6-L#xa7oIOi_u z{PT5BqfI-g(==dMqQgh)hCJpwx54g{s_vLapVS4Jr$F;Xeqq6FWL|@;o9K49TGfVy z4SPVG=fZRDw;3~RHl3D@CuMkn*n)3D=cR{^uDD3ZRP!EGjR1q6%h<4@91}5II_!FM zt0fCbt~D?9J6Yh}rHK75-N!Vp8RbfcmdY>){qvzxium!LSKPm1%W6qF3?wq6^Q(7J z{<{%E`S~)rox%6z$e<`-iV#4p80STC(VYUf1UtraCNG?GE=4$Me*O6$w;l-oD>azn z-7V9+V(a&`T;b}!BV+KW>~Pw&r><Khck!ea=qe1@4$ zDSF2)>JdAk-%RaFn5b~pAO6($wWI@E8u`=0X~e=agRup^GQT-?%lFi@53k7?VJ&QG zoP8K>zB<3(Szpa`n<8<5F@E%W<4%`CiOnujg7Emq7G>b#us1loQ~iDLXGtA991hUo z@xJKQBTMNK`9=SI_Ju5t^GgT>lI>YPmBMFfK3K_R8tz3Wet2)-v7e?juBlNFxw}9+r4g1umA;TA7tQa};phu)3 zKw*+Y>~XXrdQgi@|Fs-dqZ1L?!p`r9}-W!n3m@+Lm)8fs0QS~ZkL|QzhW7zRX{lV&*P*{Y$$73`@6wSo2J?mMzXaJ+|p=&RO=MdL|)%siT?ffHT&(EdR5zg(KHzo@HDSSq_6By4UR(+-*;RK zQ0E!~@ANa-E=JSTt$i%%L5A9*Ixj=`yC?c!1w3_l9pm?$x8ctjdcHGx01ON}QGr~b zC({VHmp41Bzfi58yyqM{cs%&LstLW%Bh07vA^iDgx^CrQ#{${VIiP0+u?BFaT`uy7 zUw+>MFK~*9PlzL>*K~C$iNfSNyRxr; zsKYbQhTUAZ&V>%^Lp{q**b{WxE`*0Ycg0h4qCedMiow4-!e3HR&j7YCT_RHJ*UPA4 zzgUzG5A%{3V%I-*?w5nq+Zi-J;$D7J?FKk0Sdhn2p2SbhCs2Q-HyOdDoB7;^;xh;k z^19nfE$nF4EoLUnW9_CodF0j+VOpl;dpfszvEA(0BVUvwTcr6c`F$w0Y)A!`YvWnv zx_371{GN2^mc5yWc-JFt5j;p6fLzCNq|@;qaX!{=t%SsNXP*H}w)?o-?7W`-t;-wU z%Dl&dQ5*O*#6}FeE5&j_pot(&C`P&7vzOJ{?~B*&Hf2TfSb7zV&dG1~>juC(t*&Km zrpzz3v1Qsi8Gf+A`WxQJ{HB$X1qO*vP>xtMCEpz;d7Id2?n2bMO! zMYNc^bX$W_oXVXde-BLNFypY-JfmZY*`%K&3u703+-+4>-^-p=I@QZ{wT^+d!fgHx zkWK37FsEfcD3caS3~2ItACD@skAG_bcL!gYnnEGQW8~{!(9c4L@R$*x_DWkI%Kc%0 z2*VJhX0hc=76rJ3$LUMNPy}n;0TXj3AF!AFz$sW*XsmrXTHkH_M${@gA!sMA!bK{DwI zOEb8zJEliGZPtP+SYEbEAJ|`Ls1ryH4c(R)yd3g+a{&t2p1?qgU+-ofJ+HUa^UpUL zB3Qc-EFcD12d`Idj2z3&sO+Ueo!evzT=d2zTZcFfjS3m!nlK1-;Gc_GW6~_DW8uzc55w*jISJ2BJD+iREatj4~Z*vW8F37?iXl-%G?oqOU>Q&(*b(Xs^+OoF4 z%OSH(G2|6c;~XOJf20;pT{V+hSEH8f9X2VJ<^zYfmO+3>F@v9X7e?(RLjt(5KbV48r*j12D!4elE&hqPno${ky^h>`RO!>uXFdbsCJQc#uAp-~hjrGJ zEA2HTud8ZVUHs2~pZMwtEZRO&RAyYs$e`nhHjmV#v(A5OUNzW3>ke)28qm9i5ERhA zqxTC^d3JK&0FmE~)U?wpawY$SqS?v(-j?7vx{(5pohd@7WYDO#X=CT5qgLz+%((e_ zWN)$~KE|B~uO!!Gs4s$dD=HPeG!E(k!?0V%pdEkz=C1(aqrH`9GYDhFbL{Hf5W!?m z;khA!14`gAOcsVI$qzKcYn6~-$ko~4qY4QcKkFmKUU}_Us z7VYc43AZ2`%yOQCQ5}pw^SQzeSYZ*+eyGjS+{8lqS@dkAEHBSQZRNsdw0ko^9+QC~ zyzUFUTqiJ+hGwIv53sry^fDJyKbGcNxg6$$ZB+UX@8zb-rBlzH34oTd-Ub|O2m~KQ zUwCdITFJk-HUN#`s@2P)7cJHX*HT<^SL>DED*Yg)@-G&hl0eZ9|WjvdPv{J($uWdkqs+1UQ@j#VcjROVldikE)V1nlQA?+iLJvNCl=eOzzQxxf(G<;p zD;Gp<(fyd8A^nCkfibt5xp#UWX^`|y&vzzF)@(W}zkJK4uvToPc&#Y^V_3l!|9<^q>YYJJ3MQSLB z<>FJ`ll)Xm$iC!guBG*Hl4uxBumT%k%Vp5Iwg`M06XN~nYc*>JWi9*ZI>MdxhRoVB zuPt6CCwsyp=kp%yBh6(FDO>5ezDQ5%hJ`E+S`6cdcL%qRRqOPR39d??p)mLag?~+D zFefl$L`ME78#2q(-^T%)PvLyr=p8VXS~{ZQy7S&%62A1hQQ@@fxJdnh`Ed#x3ppxC zl}d)JX6m95D7biKW3fzn$Q=LX+cRoVZnR}%h{*kgk37crOm0aUa1W#S%deR$!DKzo z6k&~f&ebUUop>8Ru{D;D{vdMGOWzfE+IdK+I}xZm*zTX4zj=bmtN&HvG!mrxv`ahG ze(=;doYcU*hD@vH@>0BVD7&QmsDy@R>2=oXc9BpdP|&!`Xh(bW-NtG!PBTS(upsnGJL5A9)*fPzVs22g(bxdG@29)5H~6=KkW&! zv#YfB!(N{6Pz&?Qg{QPY?!+cz$f()Lq6ON_6yxrLAbt@kNHQ89eFzEKl+SR0#^goE z?g`%)g(Xxi4|QF_zg>=Jrji~AC&qB6QYIT?;C(*tzTxY?Rzq&fRxcWaEOE(7)^lBJ zS~xgRP!On;&z$A4htBaE(^t3phg%QGVUkJ2+MTU;JQ(6+)B$q{dnjleiY^54Z zMAL^iU>VUu8wnak{vT6k9TrvCwfi9?ltxOryBmfS>68{pY3XhT0qJt+?vM@%>Fx$; z7)rW3J)8GE=X@Xh!Nqj}!;X2Lwb#0T_kBIJL1^%u)M&{pbf16!q@ucu+X}mh*bVYc zxpiyL?=huZ=EbKG7sYKon4l1qyd!eAHtR`oj#bLXu%sA)Cr6C}_U6ut8ATlRDmFmS zETZj=ZG}+oAvYF2+_yVHeA|P}+vx86WpwR+p`$mBUZh{szQ4y1q^UO2OYuJ-Xo0+zEXkW!!am+$@-BC-6-mwArTYUam37LAN$|3E`Z^Xcg@I!9p z_H;1m5?`T}khz{J<*I%U)|GglDJYJnuGjcQuS)lrlYLCOoFgi?uZIy!P+GUq4m;^5_N# z>e0KgAlnhhI=DBujalrUyLN4k_gzsQz5ngEmaPOViG7L#b%vP^g!Zz6KEbiuG;isHhJe@{X3uiPq!o@MKRgaG7F0l{A8Lf)E8_Y-NSFp! zT+(j~lRvXpAv^eyspZj#sjLd^aiG16S($&E&cF%bRS8aK?ErPGK3`HUqWPPvx*Y?k z$+j~vBL3NdeW<#Ajr&ldQDz=a*z=q3RiFXVEft*$u$jdeKo{tgktY3ushKU&dVakg z2|pq8K8&kl-yHxJmNne>^dm%=0BbJ-*nK3j_csi<`FMG<%z zhn=bq$j%dXF0l9DWz&!AQ2ld6hN9mAYYfwcS1X$l<7gbbIVWcKO&r~G)oB`Po}{HL zJ9{~Xq@@a71xe3BaH(}ERP`Eg?=GqK;oq^irs}?apN5Rd&hGT}9)04Ivk{aJavkgJ z%+SwGTQwrAN0WxN9eyw4EteKvZwy|NrC{>eydLWpId<%YW?ts!W6KJGG~mdQ<5Wyf zmsA1~ZwmKlMyh7>yHFd7jqe`~%TJbf~m?;TA3tNCLiBekEm9=~Db%akcNgbb0p6 zcZJCz2#mh;vP9Z0P27=j$JrMfW(tW)KZu3Z@XGryGGF;PSMpzWUP7m&5lsK4GtCm+ zD;5TiNa@WD` z%45It9uXYeKLRBm=oDGhmV!fLShdfVQKn=T*_yU?3ZzHHrsai}5J@`Z&@2;gXL%Hs z$vXF|LzS^dQLL~BMH7Pyuk?NP73ugav#zKs$`Y=n9@|ZRvYU z4aw$L_oSLT;Sq7=+la;4oX%|#Zpqs!W?xpM#!T=3)MoQ-QHwA43TJeo?XFKu%4O^Q zww#|dC%szz;$;yhCQGWLcjmc@*vKENzEDe@kM=qw>)QOQY653bM|p>}O+mD((Ze$` z{b$X6Df7)~kJP*i!?RZ+tHivyW9TadpEGl0`L|1E>(5-4v@YEw#gESMbE-c9;zVArZK zBS_Fwq79xG7SC-Nd>hlW4rl-fo%*GGNnBkZNri8P9p^kktpXZ~n%LOhDb%-1oualc z;%}_qmveAaNWGVV<_)twyay`ujzKt_jq{~XCck%vs+w+9Zegs0cjipuih(&jKH}1)lG-0_#B*_X1Uv6$tb#Z}V!%pHF!I zu?i@3Bg1TDCYlg8=(&ex+8c(xJ?@MAac^qiUHVgPypeUZ6mqt*Hg1!`@SO=aj(Eq$ zpJQCrvZlYAaBFz!llCb$>K5>A`@}!UFZq_&8vvRNb*WLj6e}JIxwFsm>U;Lhw zCf;*pfD)T+yrzJIQ&J7{+h#Ug=q*x8S5wcKYeFk~YuQd(8jV1ouFrU=n7Z;)8$9XP zdS#dStrxt(j$!#lN61@jym#~DW<-lnTP-UkrKDnzmc+`@1fH}#tXX9vr5rE*RRA35 zZT=GDH=@m0N~rvp{NyNp&+r0r+x~~emW$oQovRP=MMb*fewp76cYSh2S}3&SeBYp3 znF_yS?n#%BK*qI0r;4u7}!67WC=DbA}KdIXESm6??R# z>PqH^HZHr#4R$N7gx9_kkJ)9!QJV#7YOrf7exHp0mg(~4q1bsVfGWN&B>rOQ1P=XCR;ILhLw0F(cW^AVW`}xe`+w3Oz31x_dvcAx5 zi7}`swZ}cgaK)I(`sMkyzr5`|E)P`jWW=D?@wKr6%c*Sy6DUd_`w%1XKBTME>|}Zu z9`WVXKWrq77ElF@xe*Rwi^0*>&8CJ>pbk}apvp9^%rUhUKhoNGOH)i?g`xnK&7YHr~?ja=f| zph*G&KP&f|;KBni8BIjjAQ%?3o+@*?q}K4X>Y;LshE$gI9Z?*%yP9wuWhXDkrnOb8 ztZuLNna=h#_&5x|;a3k$zU{?ZYvKZ1C_m@@^o*x0)%z_N+Q`73b=yP#)|PAYI@QjT zjo1ShNm11{CQzv2>S|U6BBT_l9~gX^9^7F(U?ZH1K${+Da2w_VbXV~V1y0@=A(dFc z8wnR9Qa=O)s1+(5cq<0BL+#o)8+5Mj@3f*O4|Iw$Z?_^{R4ZD^RJ9+)tyI3YTVxdv z8@i_u`Ut;XuLofM4Zu6|`1kLmlOfl7w3dv-0^&<^+ZVq{&Fs}OTN!G`ZHpb@f0liA0~nbt<|#r;C16t8kn>*5{k|ws1Y1UWU^L73x*fQh0JpOiXN%)EmeAEi zL?2Ks;@IwGm#Q3`7B9$v8LtEpf0|GQ!L~tqV;Z5UUW*k|^%ZezI%@((OJUdG#INq; z*MjxyO82)q(b9VdNWOvf|EV8hAF{#d54QV{QF%5W+LRuq30K#M4vO21;3K)DH~x0b zwO#)ziMr;C=lf)P$Z*uwpOKaH9g#uoQvI^s>#sfx;bRAxJHrO%ZSZNg%GOCuOkr2& zdpj^Dv6$7z$5VOl*HtuePC5pe@om--wNr_sECKIOi%-WgivM^RoNARVI%oVu!Fzx0 zUwhsapqc$#?D{aYA+gQ4w)|OgW&M+y)vJy#fX|;wscc1I=wA@Bk(_X@QaUi(B%M;C zbaBD55;z~Ah7NH)R5bmGZPcth+tfz85JjtA>=0K%Q0yXcol)DXC$RfsbQKWT20kgv zw=6}19!Gx`-VVM%h(&XBJCf&&o`C!BVGL8+>#Gb@cgHS|oLl0+bz1 zIz(NNqEj85>5we6S^(!zW#)*wK#NRIb0N(4KFI^;w*7KjDh-bumW~~${Jh8E&RX9| z)6`65W$Dn{e!(q7=xj%)ia2k3@_U|GaTRZ*8X)OINb>PO-C+s-uCdrX;`o-rs^390 zDN+v-4Pzk|bdmJw4wC(;R9bv8pl={GwXg6A4kdUECEghWeK-DfLiGlk{Zu-y1->D@ zv7S*RVVpMb_bvec;Rf*xy|SRGx(aj>Y*1YOMbJEy$;}}^a|5)|4DK_XvZI8yI-SlzHfPdUpxFuwe7A1b9o41x;1taq7D)b-^A+v|!YRr6;2rin|KQUr7CxwC^eFwGP7$yh z+AdDaa++@tqYX_ntjQVosnz!=m`^`ztnVw{%l8RW-6QoyPWc$8E38Z=$F+U5plDh~ zsl2B#SQx>P#nIs?S`GvyETmsQsRx1rh6CkK z5lyJpnQ_r(bWw}qU_)vdb{Lpi`;Ds@*0}WRH-O!&3k*Mlp+}eAwV?(k{RK~Zwu=1w z{LhXA`*-OGsw6(AoxddDL>m8SBFv2P`>U3~Kh3kTVsGL7BIt<>L)6w2nk6+s7N3HX zt5=*G+7NTwPzyv9`y71eX*|)9h{40Jvy#Aa_T~uS2Qor9pLg6|ZM~)Ukiz~YP?eY7 zgMgYgge6My7;X-=FYP1?-^n!6W*^sNKqT|R+OC?T36MxOR2T9tZ~(N5)Tbh{^q`Qr zCPGr!)OrZ{>aW)UPQ;FLz2o@-%xF3FuIz;cM-P^+WuHeF9`=`3-MU@UekAD+@wU@R zrTsMq1s1p>p~#DrvEz34N zj^Mv;Yt5@bk6*Lole0h*9=kC}-d%^dFV(r+=T;Y^u7Q z{G0r->1A(MWen~jqK?%45UIXfnZtL~c5CLmC))vsx}EBm;0b3J&y7s&;0*i5am;=` z(X1Gp!03Io-EtGL_QX7L&O2vN^bTzRfi4b^PU%?V%)77o?kK7XiUny(X}&X+q(=}J ze}#Mr^Ae_~gUnD05eQMxYo+;|ipi&MAcv2KZJjxAG!2`Ii9UbVmD3>P2ekbk{Wf3M zKCGuaI#Fbh)^lnDAW_%h#e9XcPE@1rKalWo1`A}2Xd6oyI>cp?iFT;O$e_q*v>LX+?%rtI4+^*)$(bj4YP&eHS?Qr<6aI8Um zBB#DrRB%pLd0Lj1Z|EIM?2b%BN@2X~A@DP4$#$AlOK|Ko#rP12w^`Y+$xxWBS!Jw%P}bk9u4r2e-S#BWF|W&}mRd#1vmyIo$1_aa&3r2K&f z1;$6e=9J6kqt`9yF4f_Bf!{Ty7nR36X{`M*!pB&|karusW=XKtTZzH(vljZ#5lEnL z6-Qa3pGR7s(aT&}6a9;slIseyu<1y;M--?5G+`b*d%CV;^qc}5a3(c}xYmbwMT&=i zRo%Iu&WobfWN{@MWc6*#9+ARr!-lxEx}>-}%KGoW*aEihnbgc3%i8hTdG#%f8v0(7 z6cW@slQDiSzwl6r)YeYdniWI8_D8lnW$?voYTbr|vVrN|%|0(WY*G?|22dfCXt*+C zZX;ObMsiAgd5Ef4Zpu>2%zD1e7w({=jV&e&XtOY>^BG zaZ!uiBaU&OpCkI$S5IM1-&ALCPg%N_cfVTgQEDf9U~VHe(_VXj=5-IQZ0vUrjuW&d zSMfL(lsDub;fILbSug(I`;W@dwpeK)+{`%s8R!iWWwillp~@ytpT4q>0zNh2X3Z~6 zerxolW8uoj78hD^!3`PRKit`f&g8~uT#g|eW(2hK{J}RIw^8d`$7jqeg}2y$p3X4_ z?G}t>vK*dh3H%Bqy~J_n)^`1R4Vvxr7F@q={nLftj1^zmzc>^pay<){Ec@t0$iTdS z=C&)aPj|DaXul+|H;`V^h&`zGg)s|GB#&*^^8Td3`r@6VXKV zT?)kn$eLn^G9L1d3Zvi(4{JdNYRg+zOvz0*c-RybxJqd5+TIYi{$lz`*O`gTlbLxQ zU(~26G*jCSMxN6gLbYyD42KijfK@VgX|k8G8Mw~24|6lyWz%2>(|3Q^5rh^$@}R)cY?zwph@Q)kfgIL{SN#op6UY@YLjDlRwb*N9s%(IS z-7G2Kxx!$*wiH-;TrR6sE7U0b|_Q;XV4{?QpOdlUf76r$oCEmvl z3N(oBrL&xwETQ+{ONceTEl;{d$16+{v=QR*EvoYk~e>ul9FXtEzXV<22y}rXpXWp zE@^eo9{H-Nv~)%LU2T&G4QLm1OF<#Y*iWV?ku7!EFH8fIT<1WQ@&7EdvAHhdw}5Mq zjN}Hd2F{3^3+EjgBf!B07eNq^+FVgb-E`se6tdL?_q$~p1Q?;-b(K4bwlZ;`nuK&2 zRIxjb)v)RBy{yzwmCmlHfCKqWK|y)ekcmH5BWQ^`R6p(Cu6&69?3?ztaDUg7OSn;y zN5v6ik`)fa<`oc#N^42yAa2KQGSv(W5a}&=6m)tC(BI$;|C8h>qQrb75p6rg5w&Kd zn#tp7P0gQW^J|@3UI(MCLRj_paanEQqjU3`hKa)5zjt3_!F~Hg0^j7rV0PdP+7!LRjr?jXnwCq z`e+Fe1nSba2dCM+lc*rZcg*{c@w0fjc0rIl0Iw3z^m#=Ke23DTnPN{;DI7~e4;{=* zatgf83PL#NJGbxfpD^4tD+Im-ULfY{;@YPc3;RnM6Z{lJ_tYt_A?4HmujcWojs6H_ zk>!kH)6aN+*{Ru(KEY;A0e((@4vuL{S#V265NA;N#0azT3;U_02cn+`{<;h-q;olr$U+H3y!8ZZZ$I2pVoF0Nc)FDG1#Nc^M+4+qL8V>|tvHTPC zUtr7>YM-?0_5bH=#tMDqw+uN?1)knn0;F*UvSq0q&BhUE#63R+K~I4fgCo!D^Bgp- zqdQq(`rj|tMoZE0%>#~BYH^6_RI+f{?04(M4-q3InvOt=rol+RswBGbM-PF_46VoY zIRb4s2dwTfBFtl6F$+{vR7EX#rH+U~=oDQGecJGd?;=f=Ed6=}&%&s}_>VzL=gBRs z|IG+|iR-x9zJBX~XsaFu`rd)_2>Li;fykxTxDyg44Ef( zXvjl!^;asj%~$N%#TG;rj5JVLoZ^k+=>2CZ6T8iTBmbYzNCkNK4}i<%TYoqLu4-+< z%xZV2ML+#kCOF|A2}7syakzHjq1kW47{l>fJ+{BuwBVwk`0;KEuv9D~a3PFb6|$4u zLLqUp8Eqv0E)|U8^3Wo{cY(umGZqe2C^a$v57l}38YTx@{93uUfj$At4&p#owEFI{ zjwvCGXzuC}bm8LePiIqk>!|+et(adm)K^IG1AD@klJIsP!A~?PFEAE<8zN$ml=FI# z4`pF&-}#Hq^(+U|xA+#&F4kZ{8^x#V2I$u*?_RJ9b)wrB|8Jp@S4@{kgRhBfu(-T3 zz6)`odxoyjwp*a0F$e5@UHd-jd7T8DdJaZZ7QH_UCe+XHB$v^9FzFuhE#-fQ&-n`h zB2oe<-c4u9gijtP1ntXPhJe#hCLUP4MI&0yS1e0A77_Zg)Cr*$A4l6u*6m77P<6gI z`kuW=A02OD$YMI_4qd3dfTj5~K1q_iYC>~w+?tB-zIyMAB_>m~iq8gagz(CqvRTZh zxBh@aJOV%=nj5bdzd|2?+#9o>F@ zx;3l&#P4Par})ufd)x1(+3*Z7p>FY->uzYfD&GL|UpyW63X<>v3F2Bf@iGjl_hoEr zVs0*NkQl$9LiV)CA2d^I`}rfzND65ZB9J$6^Y#V(U~;ov3=Eg^)2YI7faP@IX&Ix_ zEFN`GJnE-7c?V+~P~v*S(Se6o@Ain?2ky?x+#f$=o4o=WLm`0we)Qa!T6DzMvb3oT z;Ov^BQUsty)-fUj%ITd_7$Da4j{wvU!@anfr$Iw(VwXQa+jeIzBrl%l5pUQUvxi2^ z(`^61$qw20ybux{*kDyU#MsA+tbd28jjPYs4fd~MAAt*`h>JsO3V6uRY<}Y{%86#V z1OtNU_B|$x$Vq%Aai?B9ZI=RG{AHlsYHJGF0&oqBGe82)Q7whEWK*j|;N4d)L+YyG zxazs%x^PhgD47Yk70>_)>B~vk`crG$!>OJq{vK6z6|^nI!Vvj7Ib4Phz%3DFQOYP1 zo>|-rGTj5-)<7A(Q)>D(1VpC!VVGb9b+J43mSbg|)j5W7{ocsBE`$im?q###;eVtp zG~WkL{<|cpGY7n27QH~H@`%a*MecsV58tw6 z&(6kbS2IHTwRhMIl3#{GJs{{BfOKq-Z+S^yI0Kssu&r?5h(AGDc>&3h?pde|IQNAl z_>Njn^Y{q#srNrI0z>)}G7wG=N2c8E{@Y!BfO^>Qd;nM8J~m~s+qpL{;i-5pPSYi( zN3gdwM%>VJCM!!Fwg2~6-fMU2MzJ@v9@$0!ZNMUVI0~jEyG1OfyA$6NZ)W^R^@V+W z#y{kX2l{Rc1@i!B8=eLz9x-fbZ1K08Pz_?lNHJU$J_13fN+NiWxM0Gxov_ur(K4a+QI9UfVLF((mxT ztjoDLSdCcJ*oCniNC;x4?Ah>D@BOxr*fZ}2^&ekF@2-p{PI{Ct~UO=(=-*J@xo2B3vGj46R6PoaH9 z)pwoM>F#c_Z{gxmhCo`b(j|!4+V~I`Omv-g_HiRWA?TWS!gK?;+n;aB*ZP| zXDs;;dOYM5p2{e%-Ho|_)F9FF0z}}|K5P%MSq96l48%+;@t$p@4@-iN@wI%#+NF7D zg@`wIAvV6WZYyc7`_5SuB^Q6o5Vxc}VO5%K!9&XWI%AD@fQ_e`;G}t(PTU{XA7xKQ z!h^9+kAMV<|7cHoHO;=w(=m^DrFg?}kTxlwFQirp7~j0!9|W}chE48dzkkW%>yhqh zCdTc&U>e`bjUp{3Y+%HyV^mkAJCl|7@MDWQUs=V=glQ=b5*u2~E*Eb}S7+ebc(c*h zJY)YNm_fOia@(`luqG|kl%)nbhe21Ef?@mjB)=NEFKIWpl`mf0RtTDbI@YaqI@)0s z$p5bzrWK{#QyNzCn{z~<1a-~8FC>cn5BB0famGzZ%}M?d?(8hW^7klp zpXGe8gAv;i=lG1{5T@--c6G!B(chGFMcu;Ve*h+?@I~|<)FJBtBuj}f3PX1s6)8wKpXR*o-L`?}L{FUf)xEoFcJ|5Za#kAw)n{%(~JI8XYp zLEquxb;DPVswhNutv@gH!%$fCvVTcVwK9?Lrf(kqayU z8GjjL{Sr7?!swx<{S9g|hDq1P?X|a2-CM6shGbdvPNnJMD^W~-$vwOT*1r^A&Sip=qXD5X6za7r$k$Oz^nB5 z@XkejRj`2)XQ#(w<)o3F8M!uzeMsn|cH)BHS$#um`5P&^EC~8c$cy4$-(*jFd>cC( z$Z7C+e{;*hWWRn&uOg}lNgp874JFd9+lJVewVZtK1&8Vy2IS4 zuzl$wP+YfPaclu|)e1Ixqm6wK>Kl|u1S$rW)!Ut={tw~58|fz78A-YJ#6l8e9-m8m znJ*TDq>1Qx*U6vwqGGyd$Au2c!qGdpZGZN?9&uk){bP%aLw=Fm@4~9g8&w-_GmCH) z&*MSNE|$OJxy?tvVWY6M&7F0p_}dXPHb2@D!Qi%wz%78w)yy^iYy{Y$2kS^NjC#Ya z&magG4yBLaZ5*Aky8>F&NGur4{4Jc_YifV5{&?YWs z)xaOVqm?|#AV-iE;-)7babzV&couR9;`mHCl%I;BhsXgbjDXg`-7iEvB%&ixLaKol$U;3x+Fd%W-@4NLXeiK8k;b-7-! zC_2$Wj)sw@aGXZqRt{L7Tb;PX_YCX8V?;Bsz9~Rs67d~fICSy+Vs;zrbL*W>JKpVA<^R%<`dwit&&3bqPrEXBG%3>>GV^0_C^C9D zVPR}XG8uZ82PZR__ul}dz)x4#TsZS9NGQf&T+!6(Vt)wDRsj0wcl2@Q()sAah6_c8 zd);|@uKy0dyx~Sm|JjIqU4uPH)phBsbkv*CfR{Q8PXOm`g1=>7vvOb8{!Hbm6SL)h zvg7%v?(dUc`|aOu+s~W%#?wObJ}eY)T@i$aJ}?CGiLXNby`9*7lHSKn7TZAoT@!X5 z&}iv?(8qh*{rnQyWZfXL%rO4KM!)fE?ZEb^If{BkS*gugq1J~8N@1}ET)bB6Vj=@w zgMA~}+f}jj+MFA3*pP(;>~$iOrz43DaeP7o!DIJ;Xx8m+40<3btZW)>LU`UnRQlXu zKwvfbBaBT84J%{bYlD=PDYY2!y$fI&A<&6ij;!6>mw}N+F11KCj}3w3V2!?9DQgYL_V?IQtPiwS`p}%Yu#{o zP}|HSmGU0ndjY(E5-ZNDh~AmHGi6?+@4S7nsf4Z+JBCv(>H)ldssU8aixAq&^+KcM z-)c5pxoG5~NgJh~j|)WEW-8a=I)ZnOmHH5a^7LOc{yUazlVT<8rqz=T;a)y>p05FY zW*o^tHVX<0Amns}X7ur#vkx{3+ug56r$L84qfN8>EuWtFZ2P|&aWu+>jU=&t$xb@C zb6wxr*-Hdv6k+l#e2rWLL!Cl3jWkk%JGeW6)q~XQr?&Gk@_w*OJg*o?Se;Dqyp8|a_iu9eKRbJd#X+-sFPW}*?Dgh0tyg~r zNq;GvQ{rIdIb-RBxm=R3I{qlDvK{%4AR3S|9=bet?G2p>+2n=8_%1{D2 z$9Iuz@m%v_n14SZ{7^Ln*lhy57Y1<3D3)tPz9lq(M(<1gqBXNF?KH2frG-y#?eLeo zZ!H*tTd^+n*iffMDnOVT3`oLq%}+Hl$6W0gVx@(G=wMaU2UW zY?i~-yo!hn9d|5G;tY2m_#nzueX^Ejs6e4^B%A^w7$eM9oC{drSf|@RRj#wY#4FC{ zmNWjqXC2V!zfTHD6sJ6wexlDv_uRG(0&GHX>Eh=`gjth*uI8f@_2%aAO(ZW!r+oQ2)MQB);Ad`g+3b>WPTHmG;@* zX)Q8W@WEl9i1N>f?xV$?{$xnGg*7t6X5AZ`Ij1PDdx?8~wKRcs2~UR&5*i2({#(ny zh1YwVB16l7rvoz4eTwq{36@25PlI}{ND(KTVmr{|&^*%7r|FJHMR@?qr1GEq8&@+$ zqQ73EZ-3kq)eFYW{l1oct`*eBVJMv^sR}p?O@g~;lm&cu9|y?oz+cXBEh*c9sG;Q7 z%q$3E=ar}7(@ITYNy}4CNi4>6=P0I0K!?#P5#mm@<@{gLVO6(RzTwm9N1OyEGMYI@ z#*=Y2dPTJCy+$3p<=n&kNh62zSzjSlF{y;XNK71GknDB>J~H!!Vw+S?FO3AyrZOEn zoiKgt4+5j@QqsMF$M8UAFoLj#zoQM;KHlVr!}fNRWA;RF`FP*!zk`DUA_+*A;zDt7 z(lr@JM8MPbv;6Eqru)kD8>PvQ?$?(LGnc|KI3ZmeC1>`dWF7(3w-RoLoLZaF83(B$43~(^Zz2Rkek;Kh1kD4FcK1w^oaqIsX3X#pH#P1 zMR`bZr3@gbyQpP5=RGNIU;dQMlui40E*} z?MJImD`u*DmZpVq;`CB8XgO$5dL{X@SG#*#fhLE@R(#9A!|oZ(dEc{)+UElBK}gh3 z#nMO9YJI$EpNn_h>X&Q&rs;xo8&Mt&0&xqt=RU0f5gR{QgByG8Vb4zsyr|VN$So%Q zQZ&laRpe6G`EVm)Yh*?U6Q7qj4m_r^1VHks>)U3>Rw~|~e$lF2*ZHnW@1Clk;D*}A zx8<{Ctw)xU_}xNNzFW_*O2Tw<#BjwEjTU2Q(0lhH`w8P5=Ep8<}%H z3`vcK&SP*{>M`$F$$l-i^|6FM0h*?oBI3$^27ND$N^3AJQGFOLD{rNt%^(7Y1C>&1 zy(ND_%!OGF3MAf<(N;jL4*b2K@XNRP#PZKgPRgY7)}=BoR$P5`6Kk>$jKB9XsyR1T z6(hvqw;N?WByBJ?*{j_7@95oYlE}M?Z4<)8M8522I3_Jcge*Hkn>RY6EY9K#4}X63 z+m^#km|_KF&_8~NFUv&kmz^wC;7Whq`$2Bl1l4cHlX&FF!4dCj2I0(+b!H}5V?U^5 zOfVHwACgj>wN!k*J7t3)ss;s!Wt3sQoflK+7q$D@ygx?Fz7c`z^Gm&T3ZBDhBaFV# z7UN^!$#z536T_P4%0yIo*PU30#Doq*9s)7|{MF)5^FlVEA#w~p zbRNaUer$5R@Rt-7!H^U6eusz|y0Lk;nS?At!zFhfmQ}6Q^P<`+>Fv3?@@QM#!wXqt zBN`*##le)sZ;0ldNC6mi?vIGdQj7xzep|=u)z0pjW+C;+CtP?KHv@WL)1k^++QQOj zT67#b;tIPd#{;S3OrS5>!J_~{MS>z>XM9L^;phlLe0%!`FPL~%s`p)6ID%2o&;itF zpULvKtaX~#O#=3Uv9$O298kN50L}2iPx@w>5WE(Y5fF?8Nzy!BEjLV3kvq^v zj$eII6XPmc?(VEc7)9~C3hH%y>@(9~Fz3o8GP6HX= zbdD{1>pPTtWjy&T_?ygOCuxQbw1SQ(u^o=?% z;f%a5x)s^BCv+w`%PButa(l}jA)c@KuBnDxCVhjqm~42hnC_ElI(HWd8_u1oH`Yqu znX=wrr}9$f{I5T(2xUaMV$S5mAqbmeD3VwaF|W=d#De3($P+B?`lEJk*)rpj9@nGw z&|*aLZyiJ4BA?Nt|1fPHlE|#6EU`KN&wd;aDm@g%+Ei_e8k+9di6~CCF`jfyhrBJ5 z77*{U&dPgKXVy5b>+MW>cB?-x&EGdqa*Udz;b+GgdVOeKUX^9 zCr>HS);7?e*-QTlCHN$2;aT&nzfJ1W4pal(IPBgqP|AmFTS`O zgu-aDg!^-z3TSYqZj0L0wnZP-TOOb+o$c5EC;`j)J)@gyTdcMqVzjVlKShG@p{7b0 zmfXNdC#{e=uX6MMc>&ZHL}xAa^7QZw*|Uh%xI>RPfqK;finlgn-!{o7SC3r6icE2a z@M%wlCpPj(;gI{SeccX8u%r4+{Ux_vAF1{hK|kCU|IZs4A`Z1nXEv&FE3cSyDiO51_v zk#x}0zbzzVMUvEUPI4*MwkcniCd_-wzt)XDfpGdP;weW(4yFXd_zKxFZTK-z zfocB`jac6jhS09?myN$P!gp$G`RW@`P=?&xY*zG$EoMt?eJe3H!DG z_)p z*Hw}uN1vOIe}AQ=T67Y-Kt;Av(8%-x+h}BZZtd@&K2_5je$A)HENG(^M2FI#jz+bCE8fL_!Ci|O>yZlE)3fqP8{74jb0_Cv80~KC zm;37jPvc0^ffyh7>1j#f?~nrcpUm~NrSu&SDSgh}+XjX!sQS_^h@weeyT>%GUVEug zATN;o4Mr}XV_!|jA3lhjSY4WE>idFOr0nfpbQe|JJJ9O~fvD5vi5n zxyD(2Jp2umJV-8;;;escv!7J>Oa+9R=z){BHNT#cyzLJ-*h#=cFh4iY4vXxF%YG)3tEp~%e}YAs$imkb%P zUa#&aTM7oksBth!r8LttxmJw2dEJ$vjjermF&BdHNG`B4r&xPXMMKLrtG+ft4EM3z zxd}TrMOX(ZPb7xOYMO9X}MHWd9AqRc2@${oV#^ zxfnZumjOBWz|XKh%}{C$%=Y0T^V?Qyes>ZVLy%pypVi!>s*D$oT0!&!Extj^9W_cw zL?GU-I2Gk2(l(@8wH-l;Maxr~rW3_f5WH{%`BHsC0$lEFKkXISc`s1dd~S5`o4y9G zZRYcxsj=_=YhiP2dk0xM>nAt#eb>hBDu?^P=jhaiF2PMwDERo6yZseI zfaW~hrrN!oEF|z_X-!P4IBHXq;p5&)_soJfILJ|~MVPz^SNd$YebrH+Bng2oXwdLw zbVL&Xgu{S&53}w@EI!st>?|zF6%CSoq67b=_Q=Ndi7gk3RM2u6D-M!2iI7d7hlL!l z7^=bZe!@1!0z~Y{{jj|Z<%q8kD@3YlNhV0oiscp+$L8^yqXlh6Ib!BPn`+~2l`MpzZ2zxxc3V;9?@9WYMzPP3DN?xQ306ZzJJIXv7<5G0;<=zr zZJE#Rf`A3X4o^P@Bq)pv7Y!Rm-7fU0$;oU^Vk&UzUzvqSsraUpEf9f|*0aA+T#JxQ zsdC1L+VKt@#p$^ntp1QJw;h*spl@r*EooS^b$1ku^vIx;V7Z$KLo!?eLz&}fWX63N#vr0BZmEm zq509>`ShSy+nzbcD^hI%d>r_?)&Kr!5bT%WfAuqU9Quhh4zS1?Ivb{L%QXGvf9~Nm zSU!D`Pqn9Je$8dW^L~QC?Cd&3?2+>6HHEXV=+iKLKn|4^jvpYXbqgVN(-9&=nE&hR zh+)vj*Vn2Q$`@Ujd{hL|TUgGsM}^zankvRaGC~$ye5muNzy7qIXLuqnz8TXe0E9vI zQ9oJ+;zxF1x)0mm(J=N>{zujBPMp=X=us|aTs1se`NLE#C|L@NQQoLg&Iqt_EKUyP z9;j-zSVE1k6%Pex=M<0p(V_mwr2&D0_Z8>{wrH1EFg+LUw$4A67=%2dxt#{}m<;{2 z`To3OZh@V}zYY?}MVqXzvPf@c{rBr!y}T?15)2yv1ObW6A)n6XF7n8#CP)~5mIW3# zS^|zh2a7_X<}oW_m}Uqby&3#&ioc+4_)QrVF)ORmU2opM_h$HV&wwvBi}DM=gw|S9 z-GhbAc#XRd8#cn3wQhqkApO^tn9s(3?}gt~oozOt<;fqN^8eng?`Oo5nC}m9yG>LO zZ;t(W#ZGD1T1~TM|3}%o#{E3|PWvRnX|zx+DywEES@PG}pYQK+oi}>Inl=l!4}R?^ z16NHBb0Y9dccL308(+gz_XnEv$OqeEA~q*%Uul&-gwhd$1?iHM?(UK<>5#^6^E|)zeZOP>DaSao*WPR0abDNG z&4xR|dJ{o9wF>mHTS8Jdx+N2p)@0rNVz!y?&>AHkEtEb)gEDMxHBbpwLQ4@6o^Xx7 zqoYt6m(u{{d4Fo5sollf_(P5!30=UUei?A6_r-dmdO$(da+G#jWA!Z(ob=q#G-r^K z%#~FEcS(V3;pln~TXwU&WC8<&cee%-AHTP5<%ejD#CTB)o$g1H3q^uN)wRs?Y|mk`dz>WAEZ2wBHqM9l_>bviZI zt*MZPv5}j7ADdtTW$eUi5nzh9w^p!OG?|}ki3)A~v}_yk`hs1<3aRM(>of{R%s;4< z(cLB&#k&szeEIDd>a#Y%Ha%sZ`^+EW;IxGm-cLcC{M5fV$k447ArfjGILEcet)W+NgNnb9BpB|TaY6jk!(hT7#BOhfS@T-5WoI+MSGjz zMi_Paca3gnF?6xZ4dpSsfH=6tNH+-8BfX9qdIcRBPW-yvlOBU|pUfDYR1ta22@|_dEIAW!lSkQ16*JGyzadMAN3o@_J7~YWJ_EO;bp{UvC z(QK8R@}RXC@!c+6;^C{EVb7i$hi>susa$1-NXcRzl$BaTdH1`g%U{ww#o`d^+Ecvkw@ixG_+yXI9Yu%H+3j`ibG{UMyHa<6-b#;>g3H(@9@F(!i_ARG;)}SySxm z#h1P%RzKGSfUY^(N=&_&ovF6cNcT8H3p(8UHbHLG7Z(2NdM*g{XG=@%RP-hsnxqHr znfa7e8Ae-*K_)TD3jTxe~Ag!Hf zCwQUcwT?jx3dDjn0_>3xMgAp%q)~%eM=Ot!X0TPSsXmw4AnL$b!JH6E?<4uuM)_yI z3?3ImbSYQw0k+5z`#kkN9M{iB+i}e5TC&^{q)z--(`r)`q$C@oMM}6=Z!bWT<_eh( zZMTDlmL;6iX8T&VpNzAo_b;*BCb-~wtTv;jhWn7@Oya6io1^zK_T&YG=O%?^K-{(Q zC_$gJOpe4{87{(+l}@!)rr~vv&uR>jd>^)wE$D}MVuYHPU&c;Wt)CY7;b5Al>J!HP z9j*YcL2knm2(T?xoumI2AcUkKSSpMxGpw>q8Z~e(pOt;)WyLj7>FfD~PfCfl$N`oi zba#<%Q1`BTn4c(ZAkk&=X7bI$f6L_b5}os1wMk0YFGJO@+$t2f<#RuG2+rZPkoP(H zoD)@*{v4hW-w62pl}+cp7)Q73HtiDyUoJ!{OZ>I|6Twm1J0B#7+xmJSc>aO7Ncv(7 z=uk=Wsuq|)#8?P8B5pX8Rm8b-sBxHCDM17shWM#jg?R#)dr46OEICRgp`?+;13OaL z#fr^CVO6PYOc?lZ$F8^?f||~Rqx)b17-di+_}K6Tm{wfm5NrLCnI9*{i6i!9Y$tQsj!MZ`^*U=-7g)CZbD-IhY`3Wj{0B(amXFt*i731S>UUtqoM56VVqT`bps zx=OPkK&#*6A6gUW{dRemPQzhS5_n=b_XahNT{f0Xu->;=aCD+kNHDuD)o|`DEV6Rx zwvJgpE_n9OlEcZ(D-y}(?S$oLufA3Czfypl`T6>kf*>9J3XTZ)o}~SGAV~K9&@IFb z%Yhq!sFS%u)!ZLYBK7tSjpvqiT2ikjH6BDhXt59Z+qrIhOcG1#a7+MMA9VL)yc2L$6C91Xe`WIs;ne(SE7@&t&{{yeaa5L8a5uSt);*n%@DMz% z9vQ}FE_AzkmyrfVg0pi7>NGr zI7w_JeGH0E*+%!8lyUI8>z9TS3=Z>|Id8&Yf&P?`M&@@(ZvHtBNONUueLshxyT5OB zOTt8$CfDA=nwxAr<}=xIn8Dz4ZtQ!Asfg9`+?+*X*w}x+H-&#;voaip7_yZgI|fQ7 z77C^4!fU6YP27&3OoIk3vx@s+B|#QR+?rdljH2O+`%J&6U4gx$yS(hUlU6kIHuG{b zab?N&nv!}=tNA;iOmxQ44L%QK? z`|-4f9f1Y?&(#r^0s|rYV}M^5LZ~Ptj@MCj+_J;_dTD(@m@0%N=b^^Bh5! zQ*vq<53dJ;|9%`h7cCaS^$}wOL*JkN*S$FZ{fF^p9Ks1q7|2kznHqrx!Ff6%0Fil3 zgESS)U6!%YIr8L403CZV1US8<$)#}lJEO$wM~TC33D#=@Cux4ts{Zeeyh{`#U^#AP zV3H_*Y2sUekpJK7ht9u@^84>B?v(Gujn?8b6qZj39F11ax>kPdYwZsvH7fwl@WmAt z57MIU*H`wl{JV-{+fl^Atr=$ZO={fuRN*iG`<1b1*>!0_KX7>!Lu~f@u48b*{_iTK z_y3|M+FuFcI>qgv6qD#cgavWQF=H9$Y&%fbJ9*m0(vXK)JV?$=_8EAnJVfBSO+s&1 zn;m|n8`?bJH`w{Ppk=@={=*gnW@eFF2;4Z>Q(vaB9jQ?k^D;y$)9P=%a)Z4?l zT9Tub$hK>-y3hHy5$n&(4=g*rdu48*v)xJuMVX$^EE%tRkVb#E9t<+(+;Fx}Myj4Y*g$fa`~-%P+v$aQU!iEPL^& zOObbF>vp>yusHW&3Z z+&~9=bnS$1Q>i=B*YcMm8fZ}9=^byy!J?q749Hxxxc!Y@iCP$!q0lsxBv{>E~GFVd+| zS!&~!oQGJDDG5exrapa(dWASi8+p%T3V*~PpM}`JcnapZAoD!l`Lj%k-EEqWK%5|E z%Y+`z$nm^)zmFHIYpU)c>86H()y8fH494@VZUGrx`-xRPA1`u<1qb#KZZ47hXqus9PO6|gV^U~<0x&5AV| z5__{1lV#C?an>K(=wAO6VXzivz`H`##cXxN0_>294g2Zds6OG9__WW9E z7guuzZm}YFmex7Gcl(b{n53yu^F!?XB0uvVzm#M~Wh0X9cwC`WCRX&R5mUzf4ue&1 zdvfk{UZ&Mu-0xUyL$)$WesXq=pU?`IKAQZ*0EEY1r)TN!*u@K`vN$h?KBkJ6joT#rlfE-D`Dwv}TuUGdaIuUOb7;Lv zuF*zV&J(}omOp%{+E*&E%qA{uT}+zsSw;V;zYECkk1jemopVK0cCF~^P>%2pUWl3o zc$cz8GFQufuB1-b8(fT^{wqW7(GBcBCCHYVlY!{KHt1Gv%IT|{glc#;=Jzy}V#f&%Aj~bx-*8TjRZ1%*<+#2K1^Pl2<4}F$}`Ach9>isDJ{I= zhgF|@^j&FMgI5e=lz6N_>>|tt*Y?8cCn7;3Fr2|Ht+#|A$0&s8VFHQuAxIO=@4ETd z=LTK?retnd3qUnrem1qab>HrfIeAN;wN?J?0)Zry#$}bzypZ|1fA`uRIM8C`Wqwc4w%-IdGv7)wN3zK48hZj`6->n_ZsC#0d@d)_*f#nx z6N8WPLdnz9a<%_zk1_x8yDWe<5$L;9rr4#KB|8B}K)V6+Hpdp9HU+A~g4u?&$E4HF zgaqd2*w-Cus1!!|zMT+y)4_N?I5O827mbFUbQ|-8#-sWr(ksdC6ri%*O?7rTrL3F< zxc`t{1J2)lOIp)Qo(+f9LwD70(@5NJ07c0fu%<$oJDRTeRJe2sl}aCSGU8SAX@IYh z*9?qD;3OE0h?NrU3!ByVvg0qJgJIZ#9O+{3&bJDLLRj@V%m9OyJ%E|5I&2ACxJO)HpvonuK@s2#_3o z_z85>d|JaCua2QjTM32b2D9!u7UYg2+;fe91-vUkOm1_9wum|9aZb>dRLt!u0>GMBH3Rh=Ew?N2$$9{_EU zLg1vb8XE|Q<&2izYyHoxj>A#=4uW$0>mtj)9S{C&S#SwK-GZmwwbq-T1n;(MV_%DX zJ)e+;PVLv{xBQcT7+T63(p;y|6?)XcP;5dR!g4yplwB2WFPK#yQfCd0Cz(~eXK66b z&TPAM+T-1^;!_QLkHcw9dD!8A$Q%tBLi%a^%`qUIv6Bj%Xl_rjL;~6FaaJ&Qbh721 zdbGre^ZK|@ZFM~XxLFyP^e0(#0It$al|kbvZL*ND{~4ebp&Mgz*-T6lZNJ%AmO@D! z!BrNj+IU=;Fn%3aFVAgUg`&(ISD@V}c-+`Ud9A(v1c;4jP^()>1&yLrONpqO6*j8I zc=Ye2?!Q~oX -2+cRqe%i{#SB)0DC)495l+D(YkD_s-bLuoyvdYu zf5=lcFEw>=)ebOnXREZrwaVeqNfanI`1mv&PuDyncCYxrY*%=>W4`%XPAxYZ^1hS? z=%oIbM9)V5X?nK7DdD|?*RcX$fgc7H1(j8{<-bJ=TjLg!yFiiJRW!W=_S1zd@ACmX zyLVB4+|ljpKsdi<{Z@5#kdrnw&`Bv3+X`PhZTxKVL3t`42Zm&LAsZ$m$6!Gpe_i9g zW2(rSk*~1SD<|;V6RmX4(flB7Btl$;S-4E{Rx}pb?(GuqlyV-6737rC7WG*)V!_B! z3~HN{);WSQ+}DhW2ojJ|ezffzKT(;Ju$F1h+&Ae&!0~DoDW0;UrH`C=&fN^dRZkmzg=`!2ybIweyK!5|1o*uD>67H~84pz#Bm?cX`OqfbzxN3l zckAz=T0mCAu1nL=oss2%{pvi!wmN*tswC^-48O^wTA~{vx|ckFjFJ!xMP-#YBK(a^ z2+Gs8Ct2?C5R|PHV8V@c$6`QdG#})o)AQ2SDqlR6y~UnMb9rAt)KGkAk@> z434HMC$#R#W9(49;025EweN10n=3HkWe)elQ?(p_U-ox-E+=BzZ;axEz@B1GzdkQD zCUjA2ur;VJ?-e9fNjG)yfQOM7`~>Jc;QPAkNWvb-0poT&8OjG(+_Xg)VvF#f&nYM7 zrY}Q~gIX>p+8_2V0@&_k6yIPkC%81VOdy&&QB0(G+=k zXMy^PZGCy-E|#|*Gry_?IX{wlc-#3;%X2^3H*&P+m@dqgTc+x5BohA-`jDd~Y@_-d>!rE0kZJ1^((~^7ZRR!lX-#@E+uhr5RR8 z8j8fv2)`kv9goCm1QZ{f6?HS}I!!=`Ki!;%bDx;=KvS^r6TJSs2S}`BN@d96@~)u5 z)RCH{spxj=j)~ST68lI$Mj6;v%5G|+7Z;sv_IZ6UUOX%sa3bXrmt>|}a6%cLxy5j@_bPufb^WXVj#*8{?^m`wq!#5TvdWFen*RD;tem}n@ev#fwt7Kd4cgd(BK zu4i{p%*6#2T|5i|w&zn1034rj&GX9GXB1)@K#t*YOx=$!osokE3qr|XK`VZ?&$0?X zC0&W!A8zvTfGSS`P3&YA`JH!Z1mrw|Vl zHA(iJQTRPAXcoj*+Dw|$bk<9vhJRpaV35;L^KNp2VDP3?GE&0r#BocpFV0XJHB5kx zBB~M=Mb#@(iv!Z2SiA)6f>LMAj-`!MlmtAw^U+SRSU6n$=#@o;aYe5Y!h!I%7!5SE zB1}4z{xODM7}cXl?`>d!NU-udfToXK;ohBxT(eH+n=cCV{a~Jl7c+_lJKFXKh}5nm z9LnLMaT%P4otv)Hf*6p5&t4TaonQ5HY&}E9CuK=a<~AM2F-ewPGxzvQS!h&CHYk zo!1*@p}AR;UeB1RiNEZ~Yd6d!SX43Sc9lPoR@=!Qoo7Vo_UUt_?^1tSG9}1xJ*TH3 z^#~oz;+6g`5k~}Pp{8KjFd6Tgv$946?J$k?p1?1aog8b}fZw*F&7iUqFyDv9nTEr1 zu~yZ*j)AeM_pb`Ll?9HQwUrh(dCbRt+Z6dD_DPUBe0y9fLY3ImcRF0IX@8f$Z%S2E zfgPc-Vcz)SvQrV31Ssx!3t}SGgAt)Tzl>4ctg0#I?1_((Ir}}D>$}I4*dxVQ?i$}G z-wPi;!m+im)9Ptj8;NV~Ju4^iPuN$Ne!YqQ~w= zRilFQUVNRWb%!u!z-!D05!Gp@NvGE_LDQkn1Ly>viV-=n6YYp#AJbOtZfdo-!3W>2 zO^V@@6TfV{*qqtI(L(*Pz1^%u#E1bxzPB=T)r3nae0_d^FD3;Q_>|FG+vq1Ph8ypz|)nW^m2ILS)Dnyqqj$fKx(RniHu~ z^<_Qv0U9Xu_>b)N2P!?;6zx!=_{1DA)d*hiCXGEJ0JfLY30VjswULzFG0Cf10IV%&bpOKLa2L%w6si6!#egCdNo{sO8d z%6@4zwHF`>IHSKOf1lVsTJe6_{WDZS_vq|w`ki>89-_S1cZqCS7;9B$P?21+M-C+P z?A|nM7T{bOei|%ESdeC?2#KH&)>!h(&}BS)w;mE>;s_a|9*a#ZOe4HGOBSW1utN^J z-sie7FctK{6B#!cNLaeyUnrDnMV0+H_?l({O+aqeutX0_ZP|vSspX`TsI&Z1)N9^S zC&=1&YD25gy_05fJUm+GexXoHiV)ME(?f=|H;bV5AXi*$g<9y_Df&3#{jrvqflnPOaQaR|>`LP_A)nNGwjURcJcpr^;yv zYTSH}Ghthz>-`MvBw32?3*zLdbU@Ld2P@Pf+9#X%TDge|`%pR%=qgo5O&1Z`gJ^dN z03eE7#;d34;ebT3-AXh! z$f;Q!{!EMJR4%@63{5vt-?^F7+2dWB4Oc^0yRYzj9NL9zI!CQL?AGC6dV|wh;6b0S z=Q#0o#uKs~uo6)B!sa)c7`B*Wflt6^9qJ=3t9ol!_2bV?hxknzJ7rD;gRa0~@DV5p z)nQ8Ba(+Zk3!j{BCw z3QDLRC~Uj#frqt;N%284Lhy08B2_l`l6lrr8iIxisXVo40HW`Tkrs9t>6^T^K~pG2 za27=~A2F|eG@4kzEJ`FZ9n^JFTod1~E{x1YzMgXPdx2oGMWHB;h2B@ukKHt}j(}rz zJ1F5)1p9t9LdK%q%wjiNkAp7g$`a^qU-vQ9s-cKR8qnQ7GzJEkAQ{{*&MgDw04=s3 zollm0^Y`kY@J^1(@La^)O~F~=q?+idbC)~*VVP9r^S~V(!5mkAhl_=>C|gaxH(#9k zzbW@NZ^ZxbeBou&a%TbTom7C#SL{AS*xDqhk< zaj2ItdO}Mzt!`a?3{++Z7;}?9+bYmlCw^G`QD`*zxp${?Ms)d(wGfYWqw_MY!*QAp zVHW5BNgY`0dq+1)HStmv-3h^l!Ln=kV#alVoqy`LBK5u`sz>;2((Cjs#j2Kx#{ja!pXl>J7$}cahK``xx2~MAe^6BQ}vOmrHr=dr~N4+~CkGOU$-8dnVk>(MJ z0wdyeYN)q|Oj3$pFMM+)Ud6DvS)rqcIYWsMc@rh>qCPhZHdjIF7O$Mg$*SeN`E92w z!d^;!ye|x41Vxs@8l`1nC>!#vKw{=x_2^ODZALNXyW<$jHWX)n<|{6(?+*Huw_k^_ zoa9c`|=}Dx(lL8cA(~T_6Ny)!~%k@kCqylM!Fka&~|pA-3c zAeZcQTFrIrmf{wYM9j7q{NR_wU*lvQ$i^wNtO6=_(nSjiAKZGg2FMSZq9;>dquzQ6 zfd(^2@ z`_5y3PDDOKAzFvuH8R-0!#!P%@;k;Iu8YCzfKK}Z40?E~?HGhA^(-mAGcmAi9q;Aq z#Lh0z$oxpt*T3r9{J@PniSY&rpAZ};n<2;<*1!;a6gFf;Am4VApo+(WbNjKdTmMdu zKV;E-<1^9hn`N6i7nsq~YGYWMVBGloJjJP;GrTmRlUmONbs0T1h+C29!^CSg-5({+WBKr)-Wxx=vk5}C31ZRZmroh&Z*R4rF;ukpc(OF{mKX#O$DQopJm160 zO3t1+{YFg6_nYW5PG`zX%2Zse2Af0pRHK}`id$R17!wP`*AcSE?iRDW@%06Ku~;dz zBq#heU&PV|Ul(fX-=m#Ud6FKJP=RWva*$Ct81w}ue2;NPT4c_egfzg-V>V6zxGZ0wU>;;Bi2xoG_s9le#*NoM;nh0&bK=CDEeUrxF^$D~h zRwT1#BK`_LH<4myEUT4#nt=8Mepk(-Qwb5fEGyF} zBG>L7OnlaO>RnKd#{CnAaEfvwtSYqp#x%U%5Kik>g`S20wXMHBeL+^Q9KZg<_0RbG z&w8}i>ShEXsC_F#tj)}=jd-i?n4XWYLO)I8aNA#COLFVD5D?q#oaRD|Z<8gIlh6*4 zNHPNG5A2~sDv^wpXbpobe8Et6d3S`Epqs!QlhgUDq`DztE<9eR{))8Afy7CA*1vcp zqyvRQ-rWmVn1DGqf~PjvJ7x@wtV5r3OZGQ_~}#&*iFpCn-nT9sO~KP?jjS`O?vhdFEqo5W#z#jSYQ?#4>8((>F96b@F#IG zs19MxV~B;fL}|MHxop;ec(54F`^0~74ALsSZ3wi)ttW#MS7{$lrLc2Nj!&x{m%WJF zvSIu7$4_Z#khHz>?@yLOAQRdKr5eS8mH}@Ka#%ha=49AYIu z^f>0R?GIe(rS|J&Z=e+EVHETwr-(Skke((<3m>n1vZq9Oo}hQ<|)f}=Ufv%&!gKIy_^U;hYy{tqV?eGH_~Dh{<%9 z4oHqru;g-Dq)Yn8OZrz%gBbbKN;!l?zUO1s>&Cw~*u zdUDS1WFA}bc(=X&XVGII8|r+^c7;rr`&7wqJ%8eXs{e4k_$u{tGwd=3ftez&A^#+= zy(`wE6_NV1rUTK4*?=(gkOP?hzHH~G!Q?Yk!A|XzB!!krg9EUfd~XfQ>t>yqzBd~0 ze4YS5b5$H`D5&*huJeHI5CY~H7|`jcskGUOWKHWv?(d98P#io@Sc}1Iwox*Gef6Q% zraTN$%;bBmf#hLD`3)Fa%gs4p_GZMG%*D^E5T>`oQa?|{mR{c!{HiyaSzK$+2`!Jf zs((`-ZK>pZI0e5f13gwS^1`3ufX%G?*o@ma@7+i{Hc>DEeu!%=6qvloPVgi2c0C6B zrm&}r-XAepQy-ry%4AE6fL_N>n0gL^OZUF^*Vup2dF3kMbZWSf;Z%lo`4ff=EzqaQsnKKfkR_j zfK^TChKY2{Swl1J=FLsyDK)d{Pof_G=9|yQvcJPk((+zn`~O=9XXm$2sRros+k4*5 z-d-iPj-Q2Z6B9ORGqxgvf^{2*&`ruWxvgs>Dzk-$3D%{NwDFSZqhcSNO5m*zk~KfU z#Z=0^2)}vfft=f~!&g(f;ogreL%QzPYkR}~I3ASr7+}b;Pi1w?oOjWwi!U0@h zOnT+du46)~TNLH6D6Wnxdc02K8nR=7(zd_Ja!wVX7QfeXzNb>q#Z&^JebFBpE4Ilw zbC~@;P?eR7i`krhI9h|N%`z%&YD%zJOA=!eEGb;r=2%8Ya{!l%YsZ4X0>{^H;?BtG z?fny8Y*6)9ST2w@G7%UN*X_q6z)WyJ()@MV4;*GnaJcO*R~7228@{C4FYz$ww?m%( z)CAYOK7BQiNN=$kxGAwbLpAs<v77I;actMIT|U6<}VtJp5SQW4z#; z(hcmvHM4cxlePp;lKHyfALt8=QmBi%7N-O~SyE25(brgNAqF``1nhgyLfN}lC6k0t+crZJ5&nJVZYC~z7-G6yjdo`AkB=6E zKw&3=IjrPjTeAX#>lO7P=I(J5U!^_~7}Sz<=$KzFCTJrm7;s(i9ne%P*=Kv~lxIkD zM5%`bo!Jj25hQH#SKQt$4cwV8VY}Eq-R_JbLI=3qetQc_pP-e|a@nUjNeKCd6 zq*ifTCwD1|pJ~HQPV#-`xi=-Yz^Ojj2Yxx#5NvQ(eOo(LbL{{Wy;I=H(p|Dc=gmz%EM-D3enH)n}D*;$`#Nj+Sf7|DxFy4L%I z5hATcLK@-=Z zo?iZv9BXbWd0!<{_q8WnFmf$QT8hPdbIx6Oz@Us17E4qU_czT_@LY2u=DcR_0_XU+ z-uZpuLjCAQ&QQ7zy=#bd%lqiC3C)SBuf(?8tp_t7I&z+k)XYh*geJZYOvO~M3$VFm zczzr^iW4MATus$IUU~)Be^!+4s`|}DZsI9#p}OH@S)tvwYXP`vy`Jg2o_0Nzy?y@@ zP+xICpFk2QPKe7tUn0l_dCyaJ?rVi(eJ2(xbAKsq#pKiUY^iGxR_T_}Hq!lqQBI|@ zlQ5^Yn*aQMypsVhzaO(#lPw)~zO^YlP66d$)CuO4GmAI>Wr^HoA1qCM&_=g|!$JB} zWzttqJW~nLsQ7MO{a%v7)%gQWw*Cv9_jFQS*9pvmSFBfyawX^3Q{m6B%pwjU_t#It z$f*G!679~w8!;qd*5Ha=)}GGw|}G67~?NjVm>PwU@n*=1-9RAiS24_I}FdxJd^eZ8wQ zwAb=kXbFJ?{y*2x_>MJ}aUD+sGq=;1Y}$jak7AxxcbW0j|A%xwgPn$ZZ(&{;7^#)9 z?P{ziUFi7Jl_04-3|6>sP?5P{V^OL-ag;Yl%O8W~5Ztkp zd^se@my5!w$Vrr}hAx}vK-l{l=geP;HC-~o(9e_D4W#P>%0i56sOzrf5c-* zF~DwaLOSt4RLu3DTuR>6cfK4KtBV0dU_NGcaZT(oITGF?TJl34ks>C)9{5;f*=}Yv zwEx?3{(-wZaTqXDCFo9s-O9}SWkt-n{=eIkn~NZQ2~Pnce4vPALFp(>i9%!s3B5!v z7DNACeB)Tt-g0TTY(#oaJ@WpfC;xR3NWw9I5%N#t{hzy=`c}*&d6@FyPPpXL#78!+ zASR7r&;N3qV)wKZ?<6Tg6pBoLqWa^$fR9}^-B1r#Uel)9XlU_N|G}}%nmF!RzyF)4 zJw8JB72_bvA3$01pKFB;&Yy~-S+uW|xfx}GjTqt23 z5~=XTToU3BZ-gQkFk>s7wEgZCZmjn=OFkuuv@{N^*u?cyDT8B3`Cm}~4>A=akQ0lv zPt!~7F|V1fiNJ5s9Bb39DI&f7-_7?_0#i#T9TQGOLLB4BrUFPjZs4C__{qxYWMDBA z2pCE2w`2m%yA4cZ_Wb1<+T2hKaaIwfVFqlCxk}~4#1}u>IS&4Ha??dPkmq$Aglf)&r+B4*XPK_z{cbJ4ghC>l0UH- zx!C#B{YkS;MeD5a-Cn_yOe27+j$F~=R`=lR3_mwe9iInseSPugxcS5ta1*!r@ORv# z3!V4!EabTEFuF~?oR9ddAodP0>ieWDeD!HiI4SfPQ0#%nhn4j&3R*HtRaW#V zhyYv?>p#$ur=a<8>H`dZ?e5`Xtl0n<){ghu??5fb8MwQy!CurDBhx>v&mOng{G6VR zcGXVo>KEw9Oh!fSZ80ZHveAVe058`Z9jl_x#A~)uMPxpNjKYA;)G_eDUz;qN#0u}+ zPd!&mVr>qTO8}F-Wrezr3QSjs?QeU7N+xR$q8Tq+qY(3fKKuLFi9>7%fT%JZY!FQC-i)Us7&luf+Dp7nLWCyy^?JoWlH8Hu`QdN@y9BWvJd=2;bd-XA{~E1Phh;3z-UkRf%Mr&eN&NH{*Lt6x|sX} zIUs5KTnv}+N~LZl4RPf83yW6OV_(yXsT6=9kz>G{`U~m(_pFuwcmXKq*ubH(wO%F& zK2&xs*Nh3LoL|83Ax`J;d<$L`t;=5_hM#2s6qU|yx?wlK`<;xI_qhp9H88dBR?0$O z#Ivg$!}#4M?UG8YwWPs3Dtjku+a!uji!<;p0Ix-p1g0=^%{(3J!3)FRj3t>HPXJie zSP&!dwOD-sXoT+omaREO&4PoN6qN126ugON4`cfrpFd7D!yJ(Zco7N3vTI~QFpeThJH^T}m zJQJ~PHWgZIv=(_r_V~HXI5M0d*8m8$?l+An))|gVzY{QeL_DQ^gh~z+mM>RIFR~E+ zOa^UAsNsN8i`sGEtl?g2Q0w%bdY>oel=Tv?kR-uATiNoWzpx9dev2Ad#nVmTP8-R& z#^!swPNzy*y_?oeuj)CEhwn#HqNw~ZYv5#bCn(#AVED9G;7n%+dxklNa11-2fK_Y< zlR|!_k#zxyyeZOZT*(K)ML1>waYve{*tc|%PtVLrUP?pz)7|f;V~K&YgKrhCUbJiQ z%`xRb8|#@OoccL2&j&EkOdav;R2>N>ey8x5NkP6x3`2m{yq63B$ne%=Q}IFM6obIl zj^~N))Z9yzHqx#nc%X9e#Z?3WwhADLs&Fwu{BR8X%y3V9Jc%+eYSG7iWlr2kAra6f z0G-TD^q%hl5c(mq%qfeqDKncOFO0|X5SJNV_gduXi$Ke5tJy%;9jQQtz%U9f_b(oZi=vtH`kkp8GRn`+)~>*@2Gj?uw=3a z!odFoEUm0?)01f(S|6BV*c^k50r$phZIZ*5h`pQV{`oy(%krWTN4SL(>jq&DU54#O zouDQ{4QgM$R`>TM;6P)su?}&XUV@|n;?Bv+z{d_6VszqKkBG^l6#aww*S5);6pI5d zv-T}SE{H-0j{x3vm%w-SFR;-%9R}2VW3!ggdZK_cuoVE<23{F(YGq>YGvAw7_{*HK z8j#?c$9Zg9?4^OFOnI)6j>=?4ik5|V`)c{>6XYK&V*e1P(@`lBnY4?>GhJiisA`yyH3Ncymf29kY`-VO3W&I<6$I-R zP!3co*#oS(E8t}8T7Ba)6$+;tRN7#fo_jWaM@FAk_=>rI8`x1R9HB2TrXz(qI(8m` z^}l>fSnm8md2K%8dTF#Q*mWi*--7EBai4kI{@3@U!h`+_oSRZ$m~6XJoXy2qjCX{} zXaDUXzNFEyo_0!btUh+Dlt9Lcx{lR<-d;Opd zg}CO&gzo19^m;&$KpcbIyi~90YynAsU9S4=#CVE2=9!IV`;+EA%sD1xAB?B&n0b!@ zadAV9i6R$X48&y~O{a_@aSROzgIu9;4zC^b1j@0Z!plFKEOWfNd1l5)?ZNb**YAQG zt~p+^$m3)Di4w~C^Cnz9Qg~Ft6B+95_#z*a?c_EBXlg!WJYJ^t^kuoN?ibUbuJa~Z z9BffVGH(oZ1_)Y#F2wE){gtxgunGKBPf87#eSc%aFpO^FG2drF5va zm|QB!u1c$fcH8+QwGUp)6uK8f*Rq2Fz;e39f$?yVsp9ZvTeY1*N#u45O^m~SxiKlr z85yDKa>T)R3OF6jSHry$`2;Mvxj~q7K#xJ@9w#q8WLXlGncXkn-^DZC;DE%;{wLDn zJYW!;2)7MFE3XG#KV&-fra?d)fw9DKvG;0RZ{Qxb5B=(>iKPbp5#S8>BBgZfn~F9c zGxF3Aa-(wuI?iMd;5T15o9dRzSXR$af!2U6oy9DV>?879S*xX-gxW`55}SM81|y-3 zQS5JKlB@3YiiR3Gc6A6r_wM;V&Q9rOu1^xM!v0kCS~mBa_46}g4lQ&Ft52B)tnB34 z8!?<-X&iQ&t6nFHODHY2i2(g zu=zqn1n%YZ!+U+*4}WTvXh{>{j=A;9x^^W@G+jamY^_5)cg1t?yXqoJ)a8YmuX7&_ zc@q=s0$#~7UJ1Ix=1dJb8}B-lN9o2<*+Po_A`qXfS(T6X!#q$%y(~izXMyKJM2Oid zYAWdh)3|ohkuN{H&zmEmKM-Cvy2m1VasyMUxUD~VN+++N;>RWPb%m2$8-x*BN>qDn zI?t(>_BS&KBiYryIqa73{UphJ{s*{;Q9Hp8uZgz!MVCW<jKd0VQZkHwAGp*k+BIp<_f=a%<@^Q zbM0UT^IJbVBGlEE9@>2YFxKd^NjyuoQ%~W3e}$;w!ZjtGauQM2SP^6+ zlHr}E9OgfjezVl#ei2t&fRXPL=BhETQ8Sz@uXR6E0&kgGb|Dex&MeAnA(#k}|AvSk)zj zUSvL$)_rbT59B2`)K%-6!>z7ST`)5&7)D2Z*e$gQpL0!jiW^8<(h_f};)IJy0>-*i zl{^ZF9WZ^hczF^Imjn5K13HJK>S-HZMicKn2qbFjX)h^(Ie=lldqFK z!oX?B;26dhw^2iPyn%~ZEbIG}piY8~Mx7AWlM4cB0edbGN1=e9P}h*pp>oB+25Hn4)dgo%yZADh(4H z0z0WDuMVaFYu9YAzKG~ZM26-Eg*z76fU-t43I}K17osD|rm=h*j_vPi4bUxR$ZU(q zXU1xNk6mEndF*7R2GuxzkyhwzVov&W6QQaIR+il%We$iB4U?)oDmZSUM-^FjaH9ey zb6qWr`SQSj2WvwpjHr~MlmP|=KB@$1Ts0jQ>+e4-0sh+BbG6_mN_!twHp3}GfCYTGE^nT%-pk*% z5v0pE%e0Y=1`^*uwp~jwm1lN8>Nzb>W^w`xaqui{X7I3Nf635&@Y#x&xoe}o>>G`5 z0S;PDL>Y1N4$u3TJkcwCA2V`URW9#TeHOvT*diN;-fhx9vgPs^fN<9dc2>ae%lqSA`+IBxd0??AsrIZTvR3Cv0$Ka-Iua6Ak?RnI zV%qDJ$*~Cc9T`1X*(}PY5#rPM7-mH$gUCWTbd2hu>(Z1U_B=p~&Bw31mrjm`IuWKO zI^5o(7%s^vmpez(VOoiA2*~{P!-&7iaOPE|lO;ikFk-rcp=UaP9!w=PkjDtVQvh!mxu~lHo`7r|ox5Ab-mt((t=m=kmji8t5zT7S{DTis$c>jG6 z{Of!dTlU@xJeI#;4}%W8Zk2T7)wAgDj1t8Nue})N0t+ZCy>6~RMcsfOYQ9_Foqx#5 z*84u!4z4jbuP4{lAfO&|BH_s6f@)7wE5ISPEj8;Ytnoi{ypOCq^>EPqVBN43kvpMq zlH;&MjtWH4f+$-eyo&Rn5lT8fNsjbLCq8eJU_Ti!^$sZ&LC8)E3_+!KGQmhE7SLFG zExU~b2&J$OPi*p~ne6HmgZE4Ho6%MpoIxM93)a|#lN?6i#>pG1B#6NI`dSPErH#vY ziSVLMf_pmPB#LdKj|Q=R0yg4+NP8<$9Q9(5ig`*=7iI?!hhEbx0HA|40x25=cgCKg zwZ>-QhSW%wns6SWSG65614e>Sh#M#g$|M4*Vo?MzBYl$2V^!K|&rEux<8KgFKQwxM z)t}NS&c2D~;9jreD>g)K<7!aLxvh#N`Ld`XqGUXYUonez3LK0MsB(}5T z&ceq)h*xS*a2U5Yn+=}nfCs{(CWWYi%sRzLd(md_X^kWtqDB1ECNH<)hYdxeS9dMJ zav^NbHQTIY5>87s_dTZD7;jei7e?KxaKc$q5OZo<9{x#6#dMG#aRoa+E+!%vMH7!X zZQ}=1(|G?-swbmjYKzoBnYq;Pky@Mitkpl*Jwkh2`LX0VqknlKkQfFjBQjwaC5GQU zqE)HS9aHjO*b_R}1*MSt*k`^?7+O1c+`p?i1^U=ODrue``6PKVjm#DNiz6MLQJ?1T zP_j3Kmf3ON!mvur#lQP-%Rj_bWx5U>^D9f#rb&}Ryy!7_igdLub3>=s7waElL@f8f zJ8{EA4}pAj;ok0uzL|U6m_Ixyj$l$)m`lYoc~^3Es-)+yPLB4L40gtRoF-8XV~u&y z9bs_11eeUAR??aLZKfqfx`t{wDa8b-+S?+W>r*`fAYKdFP%Mvy+IPHqLti+N2v&b` zTCvn*6jdWO8rf!_Th5wosd?i)LXAWsMn!@U$mms3`{DU6fc|tx zUNNtlDM`jS*pD8)%Cxpmwp;-arM@=W*ie@J+S9kqpO;_n2bMdx8ZGMmGJxt^*XvC+ z30Lx37Sm}NI=Rd}kmiwC&2>mVsk}eSPMwKIBq@~MQt}-p9SKk z&?t_~8OF!gKn!+Sd2*4HA5}1m>|}VP!?mX+bVm7rBqT?)owTq}Kzrfs$2r4(f@L&* zfjLFfUC~o;wWe^Qe}K_i%wC#A`rm-mHvv?jZlHuH@(Xgm-a@caYBh0sC1|r54Chn4 zo+3JP@**Ji6)^~9PBQ7)Oo!xRbC8op#M5jhT|5omAncn6C|Y+D5n5Z#pGU~km%+Ke zN9~e?2a+GaHI4Y>0&g)`Y!dr`T^M+*7bCF;)sai|RNZK%yT6oG8^-vrQ+i>Y#8pUj z`Ofrlb$VBDNY~|`z)9F7<0p%0yUD$#ZT*wNOwb814xFAZ*zX;#?zky-H#{0@$*87d zudRvs;%?~bTAtLhG(Xdi?w<>$h(ZjcL5N0UMsi>5%^`dE%USV_8cCjI82cxS|C!G} zmvpKWSqR#rRP_*?YL*08*BYBSD-=Ycpmgt%vQ%!P4GTQ|RdcbmsmWl<^E$0&Gg|i+ z=no7`G3b0NDXGAf(MI!Qb zIsWAsV|~3fKtD3@3=Kw!uQ|o=APLiPJ|f&e!Mi*$u}M!Kg}mC5KpHrG#Y%|7^5N0* zDwGhxzKviCm8?n&>4ipxX!$hfaOzikqvtz6=04X`BUHmyh^mar!~`kWyj%{W^<`9= z+hfJD4-3k&)vk+_D5%R|C8A8Fd?AASBZ;sm2CfIx7rVtm)2z6PrG3W&OKzFyco(ZQ zyOz!HOeRQ*mF;#SZu53*9Ol2uSV`Bg@riKDVGy1Ty8c%F3(Je-T|_FS4wgMiZ&F?6 zgT#BH?| zx9W8~15Z+eA{8+N_nS#>FNpzmDwo>HD89= zx>8OOZ7o!vbZWZ%vQM}!+yMPW0ur66c5#2tPku8j>j&R*6n4A9GyaK|Czl*@p+a#c zXfaH1|Jy@t(WHcUT(+lSK!@)eg8Pm4lI&XBrJoV?l`*ffy^Npvx3B}F+<9NXJNxy zAecUJl9Ox6rtE&xAd}UpUkx#Kt6JC4i7Q@#y~CksHax!cU$)=u2(TD@%iL4zoo9ib z7AQ$)@e0Yi+D!{?&VzrM4hDWV^SL?faLS>kR&xY)3>#5RbzHa0Ex-%M)rMCeljT{hcC>uyB-UvxxZ z;ILsaIem~bd3qfwQr)~sang?d=ixHWK33*LxIC6dGg_6n7G093=OWUVA>B+ac6tlt zErigIT={(_!(O`XnG#IBCl{o+ckY<|JE<#&{89z_ShyX}8Rre#`ip*z{lOzF<&}B4 z;y3}Vyf%eFCS9(5h0J;i3o$Xn2*xLc{n1&tDGvcoqW@DwZ;02HAEY=SgM3llXJ`shz%|K*%!mZ7!E=yf55PK z*=Hh~HhAYZy+F}!LB1#}fPNB>D`)?l1+l>`8om6sNqC<*7)Qk8eo^1D@$17V@){zo zj#1DFtZ$18Xgs**`ssac8q?6?%ZUM{DQDco8lvsK$gjnSY-BxME@6;c+C zUCmKjX=3DUgfkopzemEra%J4cOI(|Tnh?@kH?Y-{F^SG$UoYSN$L!NXV+`ql(6roT zw3`gmfY`2bHOavSHng~9$ZcDK!eL|DzyFCRIv*}oYfbW60@F_l&wX4@UrUwJvk~DB zJEN1UTHgdv@xtr;F#P8q#a8XsZ|o)eA|8HPHph5*ilboe%3n07PJF1S)pj3KPMLVT zKvpIXgaO3p6+*#+gC-K-MDoC2ure6|P}%I74fz-zwbN3PH_LJNg-c&C>Ar?o#i{mU zk4Rhe@`g`dzT+Awxgg#^_h+-{2sY!@Xz^0d+K5#DKjD$a*e=Q65_y-~44}yQ#KNyu zv%Hcvwb88LSNSn*KkrG4k(#$b=(kw=jjedaYIiq->_XC$8B`lbl zGP-N9cz=@0sBs7^B&ItI1A?&BFlNf1l+LT+K2rFUVic!3`S9R_{1DX2a%w1LJR5Yn zxFCBaIa)4xFX100pa`eNFV8 zzRQoa|+736!9X4RP$zc{b?>o4!_q?v2Z-4Og3aGke1WTO6 zs>KUoiSr)KFi;Y8>t;RdCfYwW|53c%h9^BKv8svO=tjZG5_;EfzgRu4< zCyZ-Sih}Mb@IKcme9P(+aeK5oroRSSs`#<|AZ})YJOTBjG4vo{u!t5o3vMkiLC;2`q(UgwiX==CrRGP|YS<#<9dtzds*jMNSYb zzP^Y^g*)^?!8}_&BQLe)PcgobtS6*aCg~;|T|0*n{+NVfw*kmgCVX2%r2682!jkv4 z;7c%Bi`LqMA}nXBL_AOySryKscq<;r*K3D^my$a`xE{ESxCln%dChdFc#f{P%7W`* zVe$IUg|M|+g@+u8X7j4D5u*^t7|{G?^JgmijaX>$csofs_}dN%#SIlq-&n{{%Bxfz zz6sJ;FL_w17KN26T)2#V02fF_nd*J4M7RpuY3ItbG>?e;LnW11e?Gg7wVx3k40U5vO3WAiic}J%;tK2?)QAh;i$JOZ|g~P9|t7JO`3VpIZ z>l9j>8KNtb0WQxJ&oe0CwOn%A%8o(0vt;Atn)xGT@5UoxoAv9=ETx)zX)Gy-=&c%Q z2}er5`M(sq=zDQ%6W)U#we#h4Beu<%B7p~HR9`Ur_1h-J_t!RpKq?{kc~+Tt?LA1# z8;gJ>$hh#V0mR5XCb>jTK|;e7_Gwb>GCeq%T!%huQWXzE8ju+tg~3`3 z8FsisD-|20zN0JteF?umt?icaqd6!FeR#rZH5U6wX*L+ghfR74uqzV@o;XtN3x>WQ zDjKkPU+=yAoQNc&sTdMvD8zegafvo_bP%ydf+dw4Fzhyqcj$uVKWw11c7;sRE);f} zDJ!lh^&-q9$Wf*1MdNebGstj@?XKE2BUuIRSK@9APN28|!oAO5)AlxO3Qjit|(wQ9T>L`5COh{~dY z1l{nvgZ(NoQWux=u)6;icgM@DUsC8Eqf`U>B>owU$$Pt-*lb%%6E|FNKibmzhg#E2 z0>fCfXb2h-txN;)D0aqjNIrI}DDLqEQ9p};lWby)!k}Geb_jSMQEBQ%S-aY`o@t}N z>^zS+$7tPs7$4hYV6`^*GO0yzMd9U}PSr&CqK#;WeYJsYLaGp6yUrFdaIpI1gw4I8 z0)KdQVt>3lye6qv_@ju@%UqxF9}#7PhYZBd7wC!T2EWUxc;VRRHUB5O%<59*{l1ub z$fOf3(Z{AddVx|5Lq@Y>woP%z3gT^|7v4JDC7z+|Q2DKC*SX+At5%jYJ>;(m@|Of2 zxIONGp_M(i!plN{@UyTqNdynF#ftZ+#n^Kw9jtccEObHfXa}hhx|CkQe<* z_Q)WVVmiQo!7zsuV8Y&Mwso%^P;f$iZ_#tx$DbIa28#h~JaPauqR2KMyO z4zj=Q!lW?c#lLR3d}2}QDxx$76Xtk>iz1YB^+d<%Q37rEp57Rpn{_KZwj@)Ps3ZP7 zO`MB))GuL~UuxBQH#EMMCALILBdNm?xbL_2qf`ZI8hG)yX54st%&TkCBRV+4^kG6% zGwj;TGTmyUyU@aWnFsrg(3hFfmVR9jS=I+)wZ#Z96B=&dF~m zV#;Ky;~bN~6uSzHVjzRPNtXQ}7~3>apwR}D>3#fPdj>;wL}9uY-=!E`GL{ih-T?s2 zLv~KHoth-VD-tV~{!ncS@e}fK=2X_rWwutu;Z+fGJc4FVi_M zXx^7Tf|XdCaXHu4H%>UBTZPlhz;jd5S8!e|;dT&%l|{uuMWzk9Qy<(3?`y-fS39aQM&dxa9Av(cBKtVa{XXU6^>RzZbF( zJ5dfu@^HDDp(=m#_b-a$xwMrW{kG;W%*t#6y#Z9R?+j;+ZA%lH-I9fSgWEr7juLTN zkfXUT`p1sbc4kQFrSju#tURD^2Xk4(gln!_^`-r&Xuyj{D6Ez6X*Nf8KnUK{XvmH# zqGOjXK(%RaHe4`XwOlv(sn21CDn?rUI_1?>I@-gp0Rt_fZx11gZH z-tyxCj+U$G!~vr*Z6{kjx%>8g;h;r3&?Rl`jAnM-_P!(X=M)q<-+=zrJD43Pd&Sa0A*qu8|g1bw6(6 z1>6QRhW)hQ$f!5k(h7-$MeMTa52b0x3yXpi>~qIUtNwK!LOKp1?}|@EneT!Q28OKf z>B}{j^IowKp_yRhEA1rHV42eNuX6XsCqEL+m^n4ey=l6qMp%pkXzE`Ss3BuoyLL-Y zS>nq@|0nQT526vJiDpjDn@ztyihD%6zPap@4hl34y+STMBV0jZi)cnv9yM3KCmvXp zgS@mI@{d;WheS2}dD@-sB$6j?bWxFR@{!LBiyt&OM(w@={_=; zg3P<=n{Rgq=+MEekwDYdLf@A~|&0@LUeVTqq)vccgwWB;5fKw;IKwsIH9gvBRUJsTREj|>i! z)$kY`E8(9wUsaH6W0TWhNE}%p&SlV}*);v+&AG?%8y*4CfD0YhMebVF^{kU}|M`nP zfRnzrHyd5(CP;5)aFMu-vE%GVT-8kH5H&{8_bV!C3KsnJq$4zFM4R~d z%TnYwH#c4nbsM$)Tlz>|tyedcZB~|llM&mfxg25QYwA-=oYyQbt+z4rSir@vd-})> zo$hm={>=Z-=9)YahDw~P;2py5bd=6o)2)CN1Kq}aXdq&|!gN7s__c^pEv;}0Nx_7}3{R+;wErFvZh+eUaE-yss~~O`*9PO| z_79$6wy|tbeeBl-RbVYs1L|b%i9l&p3oX{dCEY=sF`S*gxX@Gw-%zM+J}{WqVKdgJ zVw)&GLZ}>$?WcUw;V4+;e26kPaVHg+?&_A|$8gV_8f{s8Q~^VBDJ z_0?*1F3_Q4JN|hI?vk^VZs~HyoDKh9xi;;t_KQ?Lh|iZlh&iYX0@p!_vHYb%AK{jY`YFJgz$c>O7s%%kB0!nU z$%!R`yFi)JbiI@EHk|!cQa?kM6wAT~4bdh=p;r=FY*D-2(I8DffLrf^Et0d<*izuE zKIxpD-iXbdJVvfmh^D|ZqlH6drdZ*WBi-P!{^jh_O#VzPuQ%!ABaZu4AE;)#2P!+t zp#v6bv&x1x|3gZiMO2Zhsy+?Vq2`k}YK#PK&dKd^8(}KV!~PINp4FFqMv*c1RBDdm z&ljd;qo-C3%M!C z(Fn#47NW5|iqi58JdJha**IJsr#T6sagrsRnO!ki!5B!;@X$W$j|1l?7RPBgOB!V1*%1u)a}P+j$jj6_?%~z0O6b+cYQhZ zwel$Z~$cZQUzHk>_Fqz5ES|co_QhcNvV}(e*87UZ5TX>rf3z6ne7z282pCubF?`Hz#oWeoLBH(wx%8iFM&ViPzLQ<8CNIp-D#STAyILD0J!7^<3f zr+l@#jfXkV{Pi@;ZSa)%DD!=@%zvWu=d)RFk>$N-nspx_p~jiu{O*{Q5<`2fxq9DM z;W=}kqW|4mi_6KFLh#LGw3WDNiO)@~c=`kmQNppfxL_u}4qr=qrqsau&|C!4*ctz{ zm-i74`GAQfgQzyql5K{ne41~=G-$*mq6mfTRl(MV+1_@w#KY_7R2$nTV@wFXo}F}A z1I9DstNCF|8miUp9*PJ=O7jmJiOn??Y1KeD#u)5|z+yY^bf&h$N;dk|K;Rkmgd*iv zCf#jxqSMGI40#5iQ0=j&=p_=R;FiDK!-$2hV z!{z-(&%L3l+n$M#hzHKOgv!san%;YQeB|)GVQSEQBt0UEp+6cm8U9mr%cs!6cV4!J zH3%G5c8=qY>?o0Zd(%fYi4D)h6zQG?KLKazcdKYRY>ISzuQlf1sOJ=^3OmDxuhOKz z28mXh7*ei94cf7I8A{1I!Xk;CIhJwKKEbq3bjM1(!{5DTpcROV_JDVst+nT?zwI_^ zd61Q9to|6J6?Clrb;M?R*X773APItnw%aEr;}%!sev3~5q2DN<@D1$`C-y#P)d+g) zG|35u$Vj|kqZMJAjx{fjuP@1OOe4^D&kdMr0>(fI2TF7?_q~K?82_E6O_cr20)0@l z^r4pU^FiC65Q0*?0ZxhsSL@t=504pkQsOe2YO4R}(JnGb;pSAcgRv4v#ST&wjfB4Y_ZOPVmg+-scSC;YNpkXi z&5GqoXgwj~g5d=Mw#rA2Ka9eE9KbD~oYgYEkjkTu$g~$XQq`P3kkWozQ^OtK3$2SG zldV^cc@~$2stx!!HFK27LbZ?rSw+i!*#xNm2La*JO#8N@ojj8imlbBsoq5fW7$K*s zHWbmC@iwT~MmpQH4Uw9={iI0h+vx*@8u~^c42;n^@&p+Kbere&RD&pjzw&{UmP`xm zWayt?u57j2s8RnL=JhmthcOrs!W_i+ljsDKF4upu(lI)QVqnS?Gx9}E`U6*VE2T+% zlmsGK(D^9MX2~BFIdMZMrd+;ox~+`AqD0K9&mAVtT;Jv0uHttG+-Dg}R+oML3-Yr1 ze}lY)CI;lTNKW2riQw8`mQ(!a$gC5HOqtebA&=Zo%6?btnZ&=tSvub!JZ=}|Ij%bA z=4@7h6R1q!HrcJop4Py(-CiL|D^)=HsrR~0-&xte+cbZ=6$LI;4euMK?qO90x}-F; z9L2~&VL1{pPN5|G69nyXjW9CE4Z^5nd!yjnwg4;jgID+t>8TtNrwcsdm|ich;lDcj zeFyua(%Za_FB?|wI#5p2)7DXFw%!<21X>RRi}2D=wRs;MTkk?6eYU9K+JBh-|3Hum zl(-6%-k5iHsNb{s>Fu$mHy)CWRv?8dd}UyN$gtAsWxY{EuAeBDhPy&Z${^uyb*sc; zj6aQf4ADJaktxG~1w*t{E^{E9I}w-<;h_V((NROcsrUZ?NB{M@#sGP z^s>J6*{R-Xn3xS3bEBvJ*(@B?B9A2r;vt$$^ZkV=DsedJ(jS(M^Tjf6yRfMK^3=?x z)>e=noUtG(N4BsVlxiO<_`mU10Fd@W#z;pbmrM_mOl%SA>>cSkxlD=DmBAfD?=}v? z=#BQ&SZ<+bzA$ROpx1w3B=H1^Qdndrta_w)7A`pnLHH`bPZ^A4eC&@ZUoI^N>*Hb0&z8eH}AMBnY%WLG;Rfzv)?4PtZIr zE-Gt4;+H8uU1jT2pF)QV*{KKk3NB`j54z~C;-h_(F=Na@bS4Q=!0y{bp9G>{fbM?* zQtts2o(%&7%%e*Di3e#|BeIGUZV8FQvCF#A`+Ga0&26@R<{Q07X6SsqqT%Fy+?O3y z*&Zz3lOzH9pq9mh;s$u$Dy@YO#NkoOuZTcdxA0B$Y(D*WH4y=DIT7?$x|EGn2 zXjZU=?GSj732|$__q`O5Gd%>csVl~x(6Jh>A*D{&lIO?TM)e4 zhP{2jccrK9o&SFC=lZMy{`TxWkN4AjUNYmdh1Xx8H+o4iM__)i13)+00Q~~FVp$HF z*V)wHzkesFO!VBSree&eV$Qyl;TL&)r*;Gwtp8}4g%{pwoKqkV;PI~QUdfi*o(2wC zey4zvMFG09aY4r(P)mFUUyuWlo-ask6co|k`peA})fVhcc^pp&%3>Y;zfApMqA_n{ ztcV*IfN(#}ge=+YbwxJ9HWnJF4@)Z2I$vkBcI250j^W%Gp^7bP@Ulz%1K>&+k3l zfGNVn{y#!efOT5?p^`JZ>hpM5#(9&&E(#$Fz9Y%@KQ8@l?+mnVcSH}_0kXU9{eBFLyxK*6J33 zI|%XPaFF`n8++W$YnC}7oaBpiy}drE-2okd6XSrKa~;*ucg3!`73g#uUD*_Txt?7E zXr8>w!HD;`KTQU%HV9{DLU`1$b$}&N%pQOx)lM@$lv(aopR@lRm{anV`}>H6D|lr; zmMFE-9gSX!L7DPLmw*+qPtwO25qW~5$g#;3#x7O#E|AL3_vf$3=xt0uEN+{HhdT=> z@s(}RNFi95`~c#nVL@#2olklK+{7nSiwKD0#QuNvT;kvv-<{FC03a7`t8Yfy?mwCa zq>IP424V@eApmd#7#eY?fc?(faooD=T&@@7TzDAjg=iX<4;SK%=HvbQsq=6X{RFfn zZu;6Aw=tu?GN=cYOvBZK4zz=P2-~xkg2Y`*Xh zd3`%2)KFbNA#e(yeqQC0&Vbz4hj~!vJ8@=cA@w`ytW2eB=WlTVcY%<=bf{>FixOTm?65=fMszK1XUQ(-xCG(_tKpU;lrkKP zyY?PN@3dZ%BI?ow&~HwBhO2A42{d|h|3d_jG;sXYy6TyD&iy-=W0mZRhhpCqmKH~x zvJ7h^JMbg9Sw2V4DSS_~OFUzJV;R1=^NY`&0aJ*9Z<)<5-WvR8D65)x{WLTX-x!iC zWK^zbV4^bP%68xz^;15L0)Ug(ou+^OK9V^9LA_a$1G~f6brdntumP4~6$Lr$XM zMUGiLf+*{B)vSjUos2Y}TeK;JgIIvBXKkY|`6@+n3OpOiey1dg$+n-6)xA)geP>zt z-bOkw-iHHpb-TR7C_qrUD5}(Kzr5QoNRbTPg>dChziXK#NjgtVe|7;<(uTj4e-Sus z0i&l~egiovy(WM-nG(7jqKs#Csaebe*e{|7;@BcWfD!uj#(~hL`mW7it*oCox~c_K z?N9sdc%lp0LE#4pX@C>~n;chUP@N751C&kqWs%n)K;K|pLR^9jro7{ph|^l=^?sZF z?R_GGRKo3|(~-t;P)&8mt#I6JojlElzM&5Fl*jH4 zTA=wfm|v9xFc5QL=(hqUGUl35Kj2CQxNI_ruGV)#F4Z%W3T$>?&ij@qm2V)DEiPqO z8a_&72bG~lY6a>f#`tn3m3_YYoPosBk}qzTeOE3O*A9JiFie|wy?X=jaF3T;xmlf( zPwlJaf8u<~Rz6y*{<`L-7(N9!S@%^tiM%LV4Pa(Ut!IiO@LXu#J|)flnXZRC-nQJ7 ziD<@Db?X$D3OUU6G2s3+bXS=Cksre?$vc?7(EsokY%6zG>AiW=Qx3L6lJ^?`Q&PHA zqb(y4W!CiPc+6qQ9}QL!zA)AqgNo4hFI|u1Jh|dW(+>9~6kOB)dpL!et>^W$w3^^e z)xmCFJJR5bOdfkcI6k#ipDS?l?Cf5m=06Dz!-znBkOb^4JW#mu2|W7&mEu8D|V z=+k+-<4!u(ZRF>`M9LC^Wv6`uCP=EqGZ`Kn3ejLHK#t>@2g5blv`yUF;72xjugfL@ zYS~r-eJE-%`>Q*uZ;VsTeW8}k)4nP*7|gUFqz}6>q?F`#xP+b8W%2qgqQpWB1;)Y4 znG3ykkPlu8O2Hdw`wSfmjZV$rJNbS5>#!t^$BpI%NJM8n0r6v>GiymRiADR_)t6hM zKdGq?O+;_u_Z~w<9i zzWy4Oci;PAJl|HNf@h~cWuQbz*w(1-V#HyXF?N%7%J8X2*V9_`?@=o3L^!fCc7~h6 zss`AtE9fJR%u@0~vF5&VaeEq@D!R7F?)|M0?1y zlN$+;POZiyC{ntVq=8=2#BN`*N&r^7Cxran-{*ZOxDf#>V^skZt;|cu>7W8-;{~fa zZkL@$G9;f`bj(G?#s|<^yjPtDTLI37cAVDhAK)`r6HM2Ccd7r(f#u&00q%=g1x3S~=w(_LBjK z6vTF8Z~l4OR$%o85}n#47Uk0qjg?obr%w(|8fSE zza76DV3qzG1xbVD)8b5x-2;VU7~)IgOIR~4HKHeOT+JTQY)?Q7vi6dd z*<8!|0Se7*Q5{AC7E&?zDV%PD zS4S6o^7QJt!u0P!eeDfA>tR3Xs^l?wt)SWQS8e5|OZlsMv;BN)Biqkg%`|r(9n=(K zY$ku|(97s?mkDNux7V{b;Udm+*A8bFN@VC?0=ozt8R*W54A8&+@XX^7s)tEdJYR61 z0XjCHS&0OpSt2Idz6ad(^Z9lge_&z~x4h%0^E@l60EvLb! z8a*UJL(0>C9t}a7$VsBrJJN%S6yn+CY<6o;A1MwSi;kk$71J(f)h5H9NiFNM?IUEa z{%!#abA>gZZZrfg6VuB9A|Ap|B= zsM*`v=5nQTe|i=K)9h&Q_U_=`%Yc&cr5eYodQr{qhEU`7xMzWvh@CiZDNL!wot@D3 zrBk3H@@)~PE!(pP-AJ_W?}u0t8`kU|5SAHSD~Ip!P0A-4XJGx_-sZv3P#j`&6b81m zyK!h>fPlkE-#Im3aeS^m73Jv69VR>L$5OKW-593Mfc%Uq@_b$z1TUA27I5Duw~Y7w ztJ=fk0g7SZ{m0!de2hu6D8uSl$1APA?_kO3ieK61D~$O$c5YA?_)U7xv%3G58)m{F z-|wwQ3FT)=?Je4?RgJ!AstFR~#6h#fs9Iz`by~gX<9-X(f$nyjYqzxX-}ek19pNTZ zzPYg2GQQgL^78FJ2~onU0WUylm1^O|EefxmA<2yNz3mNWp0BqyxMc}5w7|eiQv=0v zM6eR2x1@o%IMx`=r^uoh5m3#JSR2?;8H5C+488;%H z9hBDD&=v=6Tvcf4(rL1L`>S3)55%Ji^@i`mq`M*n(ZDMEN}!q^uYTXC^S8)H0G*0EsQ z2P~Ixf&eqWE%Itg9cMU*U&GF}L15-4&CxIyZp`1*DT6se;t>%4N82)Io~vi8f+odr zg1+Y*=hWeK&tZhR9J!_Cv(iJXgwUh7^cDM4@2MaQ4F%J;((Fp2&9pRtq_0jL3Qd+B zu!Sy8_Cy^7h&yb0zMZ*hWaD9s@ti&5L~PRu_Usg_f9C2*NX;@@&#_I*{P zjeBP79Y4wbskYH-?JaKkOs-LqGdkJ5MhJK8;63{t3feP`w!T~(i$v+~iT!DpfFG{b zmVOR)$EjO&%nI$spCe3-)&?EL{Pufhn9%XY-m+O=xzBApSefrL?l+wheDpx#A$E|R z!kG;hu&a6E?79TXXC>0O{)b@9ck1V8`#>bJ-0(qmqg()UR=wam48&NnB)bB!eQr#U>5qR&bFwH`=0Y)9V{F zO6n;e1I`MRmJP%8sgyA1H(`VVi+2eHoJKcd6@ITtKkmgzyG8wZLZBj}c*9x4=;F-q znd;tjM$j(Dse*zkP&>^W*mafgrhB?qRQh`X5m$EWKT zltHkZS*Rpy4c?f!=Qt?&C4)@^$Wk)EwMr>asVL9o7Rq_tslA=PpeMQ!Efp$pAL)xq z|5zNVt}DSVEWUIxEW@t43Ov76TksFvSEAn|51dD)^t62W_elldC)Ulikx&Pb(PH1x z(}uO8%JXPcnn%?{N4^S&J35hKtsh&L4P`=AU*Z$-*11`|r;)(7)!~;>Ty!#49@hoS zm%*4JJSA71<&1LAM@gTbv{5F)(CR!jT|T3O2_)|Vo(BWyyw~0DOryPG;t|{Y+>OQ7 z7Kkf9NV#p!6LFqiSlr&Fm5rUoib@%gV?-87HBfO&MPt%aNvMM5FT_K7z;T{*de(?| z{{(X2T;&)ACdKPy7!4S&latXO%%5VJ@jR|-x=2gP9f*LN!|N6gvI;o~n}jG0$_F;e z@B@ng%?q+Yb!S$}=2-$349%c_H{G(u_ofs97<-$|<67i8?Gk1EO=W%ikxP3GM$hdo zSB!}Q2QWUIbfr}0xFbp)HkCi7#K%r54cZq4B9#vhAobaCn(A~Xe@r+-k=lxs5a-xD zUWL$So{yx15}86rbSC9eek_{}c*KEs@gCW>&E6*l$sRiJuQc!(HC!D!EE;GRe{S3U zz1Y)RmKL?XN5#2ePaK+*NrRF!Q1_x~FxyINx zImJa=^B*LkGF=ysf8SJgyt-fE`@f-X?4+Oc)jy5_1@3T)n&pKdM!OzB{)?~PgaP3q-|B3aU^OI%aL_r09HBrIjFZ-P1urdF1dfejsS?f0Ghx4Qa-{Q)<7#2C+ zhHg~zDBfiQaji!EujWx@BG*%cJoGY)0}@Y#N?~}6LgtC;Wn@7MjJtwhOO;?pp70}x z2V3S6l=_jB{XpovWBWaob%9z!)98xr4@8$M>luYu^qkhfuW#vm0_tb{E;}CQxnu^z z0Rsc@Hu63yVyi%1V3_>#bqjkTef0x1 zIt2`sM?>0L-rmuX^hFje&P!sV7Yi~}W$%=#GHdPc)!DOe7U);C34ToWebed6c}+rh z4OKQRoGg2o1MzpyY*SxbYHGl~p?Ht1;WWUA>Ye)zRd= zx5ogDC92`_P{A}T?HljV%Kd9YOeLBkY+lp56mDC)D2HoVuHrj&c}3KhaQE}@(q$3X z<-u`v__a&ggv!*17eM?}N|=Z+SW_-raiBUhLzi+Hy=L9EzhrS-AWXCBd&TTz4*x;2 zn(UJb4J@2GTVy5K_y-K*EZM^5**n#%5mAX!nxw;^W(;oZ;Fl^Z*USpN)?VE}!`&rN}6!3}I## z@Xgpz``Ii~FbnOUX~IISOemhVXJeG~Gc-bna8azw+o{Eytd1|a<%&}&S|n{HgFSfc zD5pTmwu0I;L|QPw3iJCEMcz=PtH*VaQuMEMjY0M@Lv zscY=g2|^yizkkTv!qzCe$57;LN*jxjW<;*ooadnPV{DsNYAm#3T_s(VCdq0RY#a>X zR4?Bpr)Gp~nA6P$ydhvGYFN79k z4juiMQ9GC0SjVk7>tJp$47+nfRiaEvxe~~Oi z*9GHvsv`8Is1tR*Rcxu=Dg3=5kc&vR_w{WbV_`g6Oy2y)A@QirNbMAX+N9BOtbc|) z>38b#y=l&ihpwX)GW>g=0C&en;PLFi^Y}S$ZOOBdP*do>)o?rA{VL^<1BxKX8-~k3 zygJ`Mhb;_iuWvW}d)b9`xl=I)v(u$~dI6hl>^^K&`cE$PkIzo9vL@5$m;|^_0odta z2B=sQ6^i*-i;CikD10MfZzx%?<{8bE89kG?Sb2 zDFGwC%9;S{b0UZXQky(LRpd+l&1+?49rrzH>(y3A5B=eu{!+(=g#mXD^l>hd(Z*8fJ8Tka%)L7-9HA?kecAxxuc#}Dr7gV%W;#@Y1a zOCCK=(Z^2wNu8U=d7Io+&D^h@P}Bd;ndE-1+L7{V61$G(J#!*j%FE__vYuFA4bZo4 z=D;gda5F!oiUp@<7Zjku(a9Wmbo^vsC~uk4Xb4j~EC<8?sWdbXG?98Cu|wRA6bT6R zVE4Kzo%PqSKAh$M9t+*%A_2&S3ntV(G#13hvkZ zcQ+4e?4z80Ur>>PM3;|b{tYH{YRDmWtPI1x)TLsLeCw@Y&$=2?!Uy#yI8GaF@539G zU{odG<;=*Xd15K)fr`J0W^zEfyqVk6nd~2-@ss!Ai3P|BZ*KF{ z4%|cH`@{7U#WVD!pb@*|k8|Q{toNNBIenK%~w@XLaM*5YhZzza9A&n$7c9eEPPSb7E1 zb3~%U|3I8n)wN1L2WFx%7=|WiuU^9u4SJse+HN*ayZ3=eVLjJ#4r@C!nlrFvNnA>P z9sWjJO}Jw`-Q9tXv!b}=P%3!d`zahs0z|MnMhwAKFXuKas--^kbaM+;nr`U>6$%!w^k z(n#M&LV_kf?-IeyoZEWe)bkZuue?jt&B36KIiZT)RQUC`>nqSdw{Sbtj~R@ec%~mN zlJ#k&o!s1UR)BRtAU7vmUDHDS_?Mc0rZ8n9#sM1CN1vIzkvOV<%^1I4_2dw(B&t0h zaA-xEdfSKv0elR#z|Ukve27eJ!2&6rrq<#=xRF!u4_q@0f*Y}j`2*t6m2mVOCqYR zk$-SSg{%Sb)fFc4kRlS5Lf-kyDKV#$4iimSAO%|F@CC1TR!KzYRs=3`w zAn9I(;fswPV*f^J73rL{+mer9ibI-1N}3ROE}cenXd}yF0;>Ro5BIp9Kes8W`Rm6V z1ezqe+cqtVo3&70>uPF_->bo4Fhy`5B|YV0;p&CkRD5|$ie(U}&h-_^@Lp`TIH^h0 zz;pk8*sOx%L7-5vxoGZ~E3eAzj=}dAha+s0gLIc&^H%$H32V%j^;hqoj3PE=A(xf( zhV@Gz-sj?C^U90$yH4KEWGbPKZtRoXn;fqYUZZJR=QguNY*8bFkTU60}DpC0Jgbkuwk-p;1cC~%BHt%&x7_xZ#4 z|55dpQEjbV*Km>I?(W4QSb^fj9g16VZE@G6xVt;W-QC@tQXCqb0>wSRo1Sy-=NsQo zMh4m0mn@lUtvPMLJLsX?^}mA}iH!K}pHJW4ADA7!whe2CoK`g2+`M-BFlDatoP7mh zsNaxF34+IcE{C7|yQ|kY-+FzOi5XY5@_0J=d2zxsnJXcsXR^+etC$N#t*(jvxA9|? zKdwSmmTRK1c=ju&tQfrbM}iO7Ak9S8!KG{USp~D_QgzD931Cu6_IVZ77AK3N0Vph)4HT z_NPx}94CLl$Z}02N5>6B(fdBxi0xnLGrpEy61uV&11`dihHfm2B8(6 zjPsu@#X@;`A3r${;iu}454*gE$&k(Ns@R4*%+lStcIG7cUJdCRy^b*$J$(w8g;`)% zP2g!(D3Z{%!F`O7B`vECF>%9OGITf7`7<@Bf1^zCJcTjU>GzOfR^IKN`*!|&;dgS# zfG9*lo%q?E<9CKW%kSGJ+&|hlO&$G+E7`lakHB>I@pCBr(&3vjHo{cmJD#)WAU(u# zTHsv~x{F5XS)r$2e~nsISu4SFKwHYL>-*=wr3CI(cmP6o*hK}i43T8P`tN37n)%=ReWCl+ z*`?PiLt{3k*VujGsDaA<$0_L+lnvu?`-*H|{`<|! z)n4rUK(3r*=8{%NiO?RC(m_m~V!Ua`KRf(8pODus@ul>Or_s-wtLscMJ%i8qYD%%W z$)OIwtISM1%zU%A3EHxZS(wCner2@}%jf$i*gfNcnqG|3%hNmf;-MIN3xW zJ+>Xqu4tojqagKC5}os4t=9Q*dJKt9G^fHL&%G#5EOzfP^5j6-buyk|ih((FQ@JN?dcB`PLr2?G%qkRh$@x6?^A??QhAJkIT=d)@vvD%;@L)QUQGX4slz$!n zEv{Du34MoRz;A?UvS!3)MV@<{gQ+}_Nzg*4!CQ%cZuN=s1xy*T;l5!veAR!|t4qF~;tDOZX;X)-6%*|1D&#+3t(UKJ zbLql!e6WzhUi(sxFog8{cCV6RANBN~!)4qJap=4VDdsL4-T4ZY8LYRy*PYs%dN|0X zY&n?HrayYrrQd7HZnq0X0J@FGv~!Fh@I9g=p}4IvS+lH@N$8h%(+a zQQcZRxAtfEtCPo0*WZ@-aoW7!;jMg3{s9$@X~aZ_V@0Iwlc4PVg+XyuBAEIni)u{D zM}8#M6-Rhydn|0t_whd$wnrFk2X7UX7hvQT0ui#{;x{jrU9K*o|9-QaHZ+sXe?;MuWhA) zN&OgAm3`cb?3@uHi`gh9ViMPigdEQkN}M$CFqU61SdPbNp*-cDgxHKd2uqheCKo6#FiQATIR)Fjxdc{g0;OpABeED@@* zh5itTPbbu4Xwg0bKt88UOHqsBwxXAzR96Om``o$VLl(L%)Ac6(VxA2AO_?+Hwb?9o zG8T*(oQW`6gmw7ga`-cmhRZHv$FB`qQ+?|*hVO$RSrd{Sg;_~;i@yctd@|eZT4Ik& zF;J+p&+i_74{wA|7O556pR4M{qMCFHda{>OvPl9mU4QM)+)=YxZFs&7I`lEQnm#yT zNP?!D2YM@-$zwh-AN?wT?9ohWqMJ+(fUoQya+;?%rW*7|9GW@sR9{p#cVb0FC=7-5 zGssf^t#(}-IlNTx4dLe*9x2#|U5%p+zlY#y9WZ=$gQ(v`O8e4{EMUv@Fq52=cQWVV zE8Zr3lT|b~e;Yqf7tH>1>jATufMrDY&!xmS#7F>PcG_>kT;=)Z;>E${_iw#6rZA9q z`H&Ebq`OSb{;bdS@lv`A^t|K={Hg@{+gUwH)3#iVNvQS2L`SbaK-)5nGkhVZIZN#s^f3+Gxj z$ISQ+2rvg$pwMei*>yjYUEk_{HTvVrsC%Tj7#V5qgvCM0&40LfM?Kh(QD8KVeSbB5w%;Y1I$uJ%xvOHy{vrSCzwT6*FsA-K z%VnCWfCy7)hgb#hyb=#xM>GOhM)Fx|jT@Ap0`)kxeECpH34u0Eu6fRwD(>w9o&>fB z6oxKWk|4Qo8UasjFI~`r&QC;tuB9yrh4&P|}x9+SGf1iAu(Vw_)}S4qNfDfnVnrlZOqY3J!%DB0ycfL)P6qZLWlL`0G z>c_@r|2R(fn+ezAUbXU}rc?=H0>ZvOMSu|jofwPX-NmG2t(@p@Z5JJ12&~jC8eFl& z{HMp&iM3)YKWDZqA;sES!6Tr@ALM0Vt${yPljA=P5y={o%jv2ZyC$v19xuNjJ3ihvbVuXV3zO{|yOpJxx zh?y$R4OZ(VTY=GBwiQ~fk<tVWAZrAjFOy)i$iIgl!_e_t*h*KVpD z>gG>_y}8^FrJ1W=Z^ai29!*!C0mL}``T=l~y7Yd~xx=A%XD4$q)I+}$E-o%=Q?r%& zO}buKV666q9>!GIx!YRZG%O2fWhS^v#|fL61;(G8sqJ+U60+7_VNcw-50jO@ev=Jn(a_fBA?109#r9$r1rEC% zk`x;C4l^nPZTo*87XG5j-j+HZpp)TI3kuV^SdO3-mcC3ri|6YEqc5D`6LP0~ENJt) z^Lb%YY<)M)^l%O-dL$az=R7(8@i5O)W~rwDIEW@YV5syDHYnFNq3wZob`F&+xTbeI zAhBjL>+-%m($};ahSopDpmAm#HW30mfAbDt>w4I;TW3R8Mor^eu(qnkz?_^X2@?-q zHUANNSgIg>qi9Y~KV3;oGf8tmO_`fw$ZZ(h_q5Zf-dRua{=eR-km+=eJxG>C) zBFVLMdXGY!V`GmIVl95sM%*pEliUQTXr2UrZ{NR9kLoq0<>0JqV?t#lxtHtnXA`x@ z!<>#dh2wMLY89^9#Rat7M=C#%3{lh2V2a%T8uf5>RfIHrrkefc z+e<}U2=mYzz+>$8^X_DpasTSrXSn{`UPv$1jpzjWnnBM0E&1OEE4=ZKkDsG|8|;cE za(qZ)-uVK<2Yu=M0T!`5Y&LL&y579Pusr{WtObCWSMcp21fRZi>L%ficjnQ z|CT-K8}%=IOv588M_;0Gq%*>3Oa?TPevW#luQ#EXcaU9rik*k;6w3DUe2Z&;L<+{# z5(BTjWH7Yt5{1yv)1(1`>VkZ{r)s|~XojGL%6Jc1{#d@W;+qz}mdu(Rkz3+%i9Vjo z<3}l~meY?_>C`hz;_jCc7;fyq|N9kWuxhfN??OCq0VE0F+lv@Y;y=km5j8v10@jX^ zHMaeqO79!*KSg+U3yaPFGby7;lfmDXSUmNZSPQeL zlu=NQD0f4(M45OcXk`HDffM$*-nxlVYez zTjAR<5Ub^#LsrG8TGn{Q#_66V@)p+`G(BIP6Fyk|?`cpB02hXds_-5w_!_l7d?fm! zxqm3svmYDcy8-*r=qtg$t|Ct#2Wc8G2@xEC+;)jdMYZCUHaV;oQ; za!6Fyr_|f9?iNV2zP*?A@5^k`&f1meriy%h@itOPH~a6*pwYq>WEp)ycn2qqg6J@U zbSKk}SW`>2dgZt~SH@rTsk6VSesJQZF`qVjSKDh)LQj|$$+SP;Q9kZ;lUl67=BrL| zxU2qP*M!l2(mxhJ9^Uy?T|AzA0@;7PHdWnjzy5z#VVj1-?jY5B56&K_CVtPxS~*|3 zAj;S^ukoCu>eSsBq`5Z+5P;-oD!iazvvBg7BqrjDFn0I^iEZ#z>is0?7^{8 z`Q3CnTx+h7&fWb3d-Qomt)}l?#%u5)Sp`>$g4x}k9=pYt7UCB6j@XO!5Oivz+mq>k z43n@_uYevNmYQ*%N*s;2$!KDNxXG-EB%o)zNcIzdr2t72zCx&0puz#Kk>8MZjpT8&?Jg-Qx>FM&(E zxdfZsskQDwE}mNN0vo+~UOpW*`Y_p$tE-CtLd`%UjuFd}3rWl-VG5QuZmS#>?Vctg zbEfnwc0;BVCNXRqfTSLU@^)KGaJLWmMvn#I_wn2Uz|A5Ypx|e7K&fZ<_G)kUVK(6$ z(>*f7LC&T9U*m}t_DrUiKvJMdrY0K(9~_iK8UzlN{&UFq5*C_7B(KnV|MQ3^PhD@$ ziy}cv?;^q~?jFfPt$9Yr{SGRC2AF*0UDW@cuK#})hzquXiX#oMW5|Rclv|X~df}B* zwEZQ&uw188Koi3}acpQp30?97<3HZ&8W!ewx3Dn|R@}Bon`(U|oI)TtGK2>rS>Q=2 zEdWvb=BcN0=EY>d6`qKF=7|u#^n;4(9hOb=lm9o+C+U~y_M_0&Nf#{aylE?*ppTQ* z(+jiIaZd%`D=vrF&hy-Y79p(DaGanbv8SdZ3$%>-!Go%2oThw@Y98y}nr1l?d_kFcv}DdKzu=)YK$HPuD>Yp6e(Je_geVZ*q(0C_&Y|RPj*mCz>L> zKDKQkmn)8&kYJNDV1#J6Kweri5N`q#N72RW0NGL)BXk zV`s7b(&ga~du2;y2rPVE?4S4ldQCK3*m>$a?YQ~AV*;cruybJiJkI`t#tt69U@w(D z@SNFbW^IHiI#v7fDhMSio$2>=@)snd65wD}7RKzm1yXycj(YBMBQ1ZLSZ@UbJV_N3&% zH(2v3vTZPIN9C?TEZMP%9m&4)V~oPUqR1y3EXD$~y`op~!aMf|Z+7yo)c6nVAK|Sr z+mu-QBJ`zor%xS-H7$E0=3}L~M%4#{XGkk#t_9*YYF5d}x}UAJ-HP<@A1f!M-rI7x zXiiz&{%iAoBFWC>;nOja-g^ayY3pd*V9uK6G2LL}_w-jZ&qITU9^8jr-Ag%Ad^*Dh z31hr=)iY*zjCdv!HgXA#dxIahSb284w{sL)>CAr<31j%Q@f&A>B?ZIh08{EqMuSA> z!Bq3_g+A$1f223PweK`@Y}Dr_XZN#Q&q&u(kHvqu+}&GX{Ieu^Z(*hGn1hiX;h&Sl z4SAO456=z9?4ia|J&inv)@wCxjXEU2Bazx4OO(qAqLXHFa~LngCd zrA{p$9 zlJy~-^U}UTcFDkC*mBqk;9-5bDC}NjkLzTvw(# zAo%em$D=gSnk;8o?7Y)MzCx^B(>tg;0Nfxi?@cxnMqBO&d7Wb)Yv!ySEQnZ~%}Nvl zyLJQ;)d6~Qiq)qftO)g|`*xgAVW|U7^?xIJX4pfV`|m+1I!+?EWsu7w@8r#>H!=x5)736oHvrySs(f4I6J^_uk~Wy7sX$Od);ywmNSd zd*=N4uSc99fZ2K|mH1s)E8@p+gy5gjIa4w@{`4!wuR4nfXnBNR!1Z(O^wVO=so&wG z+O?sy2U*|ObC;FR#4f-8-k=96s?V_R61XJBk*ZeDi=?)wp!q6he$BjB&w7rQ{k`$- z$UYx0?@zq_z3>!Q=7CZ!nLH>olaXuNE|KS3mmKrwe(wjdKRvv)cAMS%j|sx$G;wPx zq2DYnH>qlqNDcYC&J?9)iQOE&6vv=GlujsAoC{C{5^8DZXHE1;P#yd=p*qY+vL(Op zF?O>ZnJ63!So^|aI3AoPRMO_90>&xl9(c}wsO*jg#_nqFNg!fw4^{jKU=)iVHuP=S zfPocPau2D4JLfurVCB^v@rh!5SmdBlg|dI@+#Bp~QgLiaH}cSz+z_!TZW2n%`yn5o zymN4SQ1@iL zBuw0R%HF`uuw3i92TdEW5ra{qJmy)kgq~dCApVL7<%%#WlwnxcuE;C}{sS}ZtO9(w zU3J+sNqo3}n{&~D)J587>VLx^{v^tz0 zwGhP~?fh%YKgt+8JD1zsgyK=C8OMQw%UIP+Wnc3gnb-<5RrThut2v53#w3x6kb~t9 z_98>AyF|;q%Lg|B-&b--Vam(1e3D|?7Azv7#I~@k7cmxfEbiFg(l5lQXUm1rH0WI{ zQ!ro^*RH=ZEX}eLF7(u2$6h)2b*Jv>2xObu6LwYJO|n2Y=I}i%>zj{by*0{AH1C4( za16KdI4k7faTG!xdRgKJH^prD}*DQR974q$-(j#u{Nk4j6sx80gsok~QxT55>7vs3LzZW+!@*5t;?ktOZXMG@l z&0sHJ=WpJx&__Ll0tItA{wcc!mn$Gq2 zUbG`A66)(0YKvim-B1~M@T8gW89J(W4b!RLhH6LgToZ)nnhz+{O9pOTB^nGVi16&8 z;L!NdU|R@6|9ccE3F+QTRaC~>P?@PSGzPfe6}n`jsi6+mFHzqs7 z(I%#*G(e{^3<^tARl7KaXP8Xg{%LU%&t*s3=_cd}a<<_VGc&V`7Vn$iwNN<~Ne`>E z+mOc`be4VG9$)0kDCTAumQ|NGI;s=s5_%q1U)MshGH`RsEg5du3mqI;k6k0)ql%xf`I` zo%#Yx`U=j?R#dY=YKc||HW*Mm0|5VHlX&-LbP`fwl4J)_?VOudO|bo|IaAEo=JTw>zf*2EFvM4btnMqt z%8a0J6K5#sE|wcyx|xM30N5uv?Qv zqsFVza0&&0+~eqPv!zdVlC>U@x09ru3e`#a@c_Vl+~{rLDkv1<$}(u6pcb|covu=_ z2v4)>P=cQ)tybDrOu^PcKuU7Bl-I>GM5aJ;=ytz5aI}B zv`h_5Qbx5KNGYZp*o><1CVs08@eB7oR=xIV3OM6 z;5Z$ySi0&eL@P*4)}zTf1qd!;;<`OqU`!L=R^v-MlFR3Za>uQ$N6 z8$b0Ubx15tOZf!Rt0XNB?k2p{Kq8jZmj6sTnW=epX`rz9=rxz06RCB`Lx~T zhvz6*^ARbIL)bZwNrg$++13|kbh(Z|d0K%n${TFSnAlhu1e<1c{)YE_u+fh>nY`*y zm&OfCV#a$HuFx>p&3f8eQDn;yT~by&^AaUSiT#V^1=@$T=7PMqME&wbXC{~(cA(vP zFe$B=JQCC(1~iY&h4218W<1}LvRk_h1-!N z3q`)V-bJ!fD;~2v%QIBFz`zS39KKSoiFr6WYBh1a!y|c@O`*fnf_T@ZW{dxV~ zJmR}Jl_-XU=0>274!zlF+S6&Cq7wYt_p_wp4c}hv#=zTq*9^d%M}%f^36t^&lv4^S z36s<7Gz{Q(k$kVl2xX@FK~G!UOI0{)@+$%*fgdSWgj80az4(;lo2PMk9kr5%_pB`H zRCo-9Kd(H^^zigTGfx1gtDdl_$)^lmUEm#ZYNQ99B`~5|fKJUtQ5jrE&?-s`?bb95Me+k=Y{Kt^y8eP`0NQG*3s_mS3ylJ+ zyXzIDcX*8F;y;dC(8y4N#KagI^?yAS+N63EPyC0>Ui$GM;J6Aq3`+tZx8V>AGV|5iPC-!GW2}7$1hn9<~ z@ttBfEHrnShK8{I5qVhPL zYW=n)+LSe7iVw_DfH}No$jfcJV@__I0kCur=U=ccSUhhb#}yi1pe8p}@7_CK?4JXP zw4Yy2)d*FHq>p}k(nml%>Y&N5eV3a@3oqnydQovi3G|7PD<5H?_|O85DT$bq>}{x2 z+M4oC!;X~dx3utxxWZpyr*HL4!v;zAFqyHF7$7VLPGjM6EiG7s|1nH_SZlnqeIYk}h7gFv}{X*1<_F6jl%(!}< zw~TqsHS-S+#gR+lZE9*d2D7C6;rm5T8_EjCOq=KK{U*(9WV6@Rb2FOov?80sZC|~r z7oOd~Fgfp=m@nwVZFSg#LqGO;Os}|2ou;2WU<*&EemWN0K>F zJasEPlKh~T!AzTZ`yQRr1MUP;3b&Rz&kDF ztw9^szW@sicACRkS&a~C+9E47t092xvd+Y`)lJ<09YIW6k`t&> zEzF`ah)OCX2?w|sX4LiFb8f-ok>jkU{lY9y+dDUfgLoZ^r~=nbX{9+@p$I2b9#{D+7XdV+>wG)= zpLU!GIvTbd!Yzmh?`62=aCh=^O^^hVO&1Y0D$&C$#P7F9^8~)=<*_Hd+oz#0A{&y7 zEm90e#eg2J+}rpy${8u(%OM#DHrkW^z2G5;cWp`!O2nC=U*s$Z_2MeE;$7LIX}I`4mh9;@4&SO1IrxE7{!xzzwA14#pn(E4wcu^b+pfc~tH$%bQLU_bQ(T6gd4=wIxnkQI{<86y zySL#cN%o*>=#XyfR59UFRk&3%BDw$e_s@;C^4*3^kty-4{Qu+~Xsobpp=8VDW5lFb z@bjvx7%+`;#Gy^5X@$d5RL$+?tG8n%2csI~pXy9RBF)#7xR`S4oYW#2d8WV4N8m&% z1Ufp&^ISj@M!6?u?hkHLb9*-LM5P$s#}RaW$3tI4lPC7C7e|5CSe|(9yTk{surZ6Y z_4#p z7CktCpSr@h~Oc_GSM1i>c4(%ogO4GGnfnq`gNR?9cWN{^8~k zfs);ONJ4=q0tF469}Xjxwrw7{xv;Gzp>!ms;K@H?|e9L*y)$__l zJG8Fu$Z@WwWZ(caNF1@TvsDcNE`k^?mnzASL09X^A$?&c9Gb?e&7)pTqGMZTPjlz{ z2UTc-cHB53Hv{44MU*Q0w=H2alpE8(NREZkNuz9`l?`#vp`dXp=nRoBzkSigg@_`H zxVZwmO-1JrbcARqmWOMPjh7=tb?~==WZG$vSmmw8-2{BXM;1lzGB#XC7ta4m=Xs$> zw(G6b22c`IFqA0=#be8@B|E*D-L`4*XEFRT?TLMljL2ngEtC}gT6KHg{3f|3i-2C~ z<7MI2{nU5$ILXgLNlaKoX=^_?svpB5FjMUH{Z=^w1GQzM5Ii)#=s14gk%cdJM~wn2 za>}I&ai+{I$Y!B&z)&Ft1gH>RQu2uq#Q3a7oZmZP5J%-_ycjrdXz<@K;DXnUoS&2@ zrBwDtoMpFZl6sV12r7yPLXEoUD;oo0fbIhtp2s$s-vm-X6^jL6L zF!uABM3o_SjprE|k?}@`lSF&|6(M5iM~9!EK!41%g8V#`?_Z`9wL$>TgYdJ{sE{!S zz}l++NE=2B+r z(GqP*G1Tn&(GY~}pb`f5+k>)vsI+T;^`#n_P*_EA?Br?eE^cf*+Ab9G;cN`Unsbf+ zFl6D=Mjb~o@GDvV!I}KWFAJ`J&^>7C%?R5jg9iR95`F)J=@s{9jnP)nbGsX65KDEd z&`bB-##s=Q`K0x{b%gS#WTLP{kQkXhw{`KP(^#m|K8YD>5{ivi&m2+Jv(m3+dF ztW2sRIZkx*-K=|Ep&fJ57nyPm?)pzS!p|F{5ZP^=6Dh&S&}l}sWYzF_V)s9ADOh-O0Gvq%p}*u90bOg&}I zRWzu==d|T@QfOKczj$|Xy@X#QIj2|z)_59$R4JFXG)`(iJ z5eN=XB9n(B7b+a2GT>RhKlb$Wp1W^650>u4C-gCawV;c-O;h5Ay}uFx;|> zT5BFRO+58qT)au;2qnx5QWtp;{TMpp&^5&ij+3Ckg|ftlI^GF;gpyYGh(I2fmWJ;E zz>6#JaHc)l2*p#tCen;S3K=X}O1YN`v`Ij6G^CxglTnEbo%1JK4^AQ-dV9L7%Z^f; z8v+UJj=55$ZeQPS^eftQy6rn|$_LPOQZo1`OZY#K@3k6E38*3%vxJ|s&7I+VSi zf*bBH7YAKt1&;J*BvwPfK|0BKdPK5b2d?@HDBO&fJ+_|rQGJwKB(c*>X>48-+iBW}m20a) z(y=NqsALHeXiwE%)y2xX`}#M7#j%`jl%Niw>r2vT7B z&aZNuj4z_}ng1x6U~S=-c2@t8$|XL#D8%#+{&)E0i;v%EGQ-3wukyE3G3XT72k@=O zKm`jml9mqttJuT9S^>{G!2VAQicSaFlmv#3>&V^v0(`sXfC=Sf3d|0y*VG>?vDIc&tDt@TPE zMrBOkq*kiHC9=guBafF>__kqM;3)dR3?W?yFUnM2!F;e`40PjA9fb?L7j0z<>JfEQ zSBn|!14@V>Hog=LJ&#mqAvPl!8~R+2JN{W*HRB}L%E;N{#H6H+1ZS+34A{BX9#^jg zJD&e3a6de@)^SK2B>j_xLYSsz!Tpd?1QE3Ry5@CDgx&#Fh-S>PZwfR8blcBkL`F-= z7rBgo7pBDNhc>06X0i$rzIxAVbwmZhxs#(KRyU2s?H#lWO0=E~mpR_SS*Mjotn9&| z@T+9tn9nCfrB|XW+M=c#>%kJvm5zXl>_DqNCD{7G+$8R6CWE^wp+>9YSrun#D5Q!o zs#ULSc1?o?9tyafEcQ7VcXo_g6=`UTuRkkf`U~6@W`4~$)E{`m5ktQy)eiUNs|Ojn zhmN0t&y&V|I+#QMp^g3_PI#n02a_0C&|Vm4;j`O>YwKgP+)w*PYY?{9L}*bR`%#{- zR!~>vdds>XKG6QMw`bv2rAyd-{rAkv^W*fLlqikNU*IlWz-)KL-1w9B?Q=vquAaMtOvo1wD)x zJ7z0!&;p*+lR?K_)R2W#-e8X&TQ>~>4u9Z%3@voxI74Q&@cFcP9RBK^;AArL@kOi= z_6boey-SA@yNZyTOY64f*MawYuLC93Xd@!-mhELn$zT>jrJy^I&sEgr>&1e0x-&iU z;}gIZ1>|v3Ufb?GhKG`e3G{He|NSlzJ?rc42*X5jF7jzg#R9xgP9U~ZF+0gnKQZVQ zkraYyAV~1CYVWyX=cAy?X=~=aM4UO$Vuv47^ICAyt3Gf1awV8KZ~(xQ4k~Cg>os)(NEm6k5O3zrg=U#gn3|Bgx>Jo;&-LH6 zKj~jJCH%V2^fUXHK;z}#k;HM4z3yo%I(8`d)afH4`TV{VF!{<_nVu3l@zwx9#P%0Y zr(8IjFXC{UXl}QgHR@+ay4$x|J)XDY=lZc}Op#Xmi3j!=x%>=!3!e3Q9LqeCPiO?6$BCD)57T$5JQpH(w8HJ@_WKL zf=z3XA<*HG@{%Kuo&d{0&%r1@A6DPqh~$XUT!OYGiTS?5MvB&Oa008uvnC50(-xQm zEsYmQE}QcAXPbT`u?Z(q78GCa_4@Wv2PgdmOBC8BkZ=1>)ZH6L4Rw}VP~uwyW-e%& zUUNPh`iI8~l^+}oz<}0Sv!4RZFn8{YhOy?DNhtXr(}b&ul5CPz@0KsB z^9If{Ltwp~r*Z9VUXek%Xp9N07(9tJqHRxODr>?WW(oU7)HE%t7;iFN-YUxpJR&9#>T6Hw z&$i$ER6O9-OhP9|xX|x@3258YqF#^Jl8XC-{1mgY^vq)kaCL_dB}@w_NCsED>c{F6 zznp`3hw<^dAvFSDEHui06ulikAl>pgt=x^xonl>xs?YGfI9pSel_w#@%huOB&rLT4 zlRVAOlq1Ybk4|xtzL1_m!r1Hw)CtXD6wS)Iz9bs zkuSFA8kjOrom&(9z=jWgva|uvVQ?OQuCJzJY8Q;s*U#G_ahUA;~W6{uB;4fn?+LwG;yISy9 zcmGo(p|2MAnKQbgO4N}DphUqy^98zhb*&#J&h|0|141-|XjeZ7`n?FIY#IFUzmglv z!;iW53iVdklnz7a_=1#ZAHY91N&qOr_0vpOi@xj3)1*ii5oz=Eg$JJA;1Aeh(!jc^ zy_As+3hfL1e|?WYq;;t5m_>i+Y5muuoT)wnJfLP^fcSX4-`$!hncMCs6Na^VmmTz_ zPz8{;%`db>!Lv@kLk#23ew)^eepoZ>OKhi;^Ub{SL!(U==;-~(DVkOe zlKiGEV+Ko^fOCtJShZ=MHmnvlW_Ur0xvc1kOV*RwDG7MM2HDWo0H;PG2@e{OmAb~L zfnVlWR63ox`-832vQG&Q@unAPW}&i+a!`62H5s}~Gx_Z!x&Aw+R67%X&%3(w{DG1F zX7^0Q3Q}d?zVdUc65EJ19oZ*y!KGbIl`o1XJ=Z&9j(-4AEf$GmeA-xMhBt%w&6?%{ zzOVA?lY>HpUJhaCge%P9>L4ML@vO4i-0aLtZ~c|t!Ccn-Ag?Q{1^8xih{O9mY|}sW znlNQ~I>t-AfDl0l=xH>$$ayz4WQplO34YpR<;;W@OdM-y(gIU-N;31ooYnWnG;>gY z72&0f3S0e!ik|(QJXi@79(y`!yDP|Ta_)OyIpu$x-WG5NuRnFgDrijTvb<>qRjZ8( znQ(|e%ZEMOC9Gmkre&P$_5>H&DP*AeEX#i{uqzq{ryyJ4u8DC5H?Y6=6rI!UJOCiG_j_kBb_))G(_7Bb`XC7dSip$Ryf3hqM?L1=T;N^&8fn zkN#%hJ(*(n%gI2kAWRU5rgAOq_Zd+K?|o5W)Dw7(h^s|Vo1No-3eyo2%;M0@CO32i+Il>?N2BubtBastBz3d& zH(r@dnqLysvv=e2nYs>$Mu~Kx7E*nh76YfovajWleJa zi{l}{wzZ%(lMi7CGETC0oX{L}+9px@oOY?Kk307x1DIQWpFo3haJ+lov7quxYHRdf z##i8C!fOOR%fK0A`fEQFo%%En9buY5Ii}DdWbZr=NTVpih(JSQQRu!pb&%#;b2NPZ zy_9m0ebRX~4W5e?8KrkD0Ov;n$?SVhc{|4Mf7iC`#k=8RkF|DjVLzGpydR5rwgb2S8jOg zFZE7TfbX#x9snXjN{+dH=hpmJDC(^DmxT4YQcE;H zXGLSXtkS>Kyn5En!$Km%H8l+1Op~r*G>v_P!Ars_!;@bUvj}(%;i%N+-0cHLU6} z<1?wFC#6<79fo{5gVJ)v5(=4N6w+HJGHb z%QyDAxtHiqSwE`tw0GdeC&Cj;A^Lg>-ikYm5Oq|(@z?Bv1v66A-ULd!ie#@dlO3s6 z{~)$D6Sd`)7OL>AV391W#3qMgi}Lt6Ty!6KGHnS+VSZBy52E|jT{Wg%F2L2MeHg9( zx4BlFD$b`P=(63-o!P=+ z=WlApiex*R{7MZR`0}_>U$s7e1g$E2qfb6nv%Mi3mR+&nSj@T9v#^E#}cR zL9~b=)Th@;KL>M1e^gAQua&+3<-q`3@n)I1A-4+1*v4CryO4F8D7WS;Z4CFSps4FK z6S&|M{DwtNYuP-}MQrp3qIXP#oz23doyG)3R5V-Vr)VAYVHUAf!`p}GI%|!LnfTVU3@oQUr_|y)evJ1m% z2q5vB%DU%LY|F>36~KDBC=xp}RBS^QNyGd;6FC9=-MqH*RsNa~lSBU`C3wdZ@583( z(_Mf3sCaaN#*@BcBQSH<%g#^7Km_HjI%1P+Q%#9#cL~;d_!KKrSX~6W5vV zabfe2I-Q9Q-I2=~bi@V4_=WXT`Tdit zIYfy9)(W{0-j4U^loa9eTWsib^aGvgYWo z%R=zcW_#MKS5=m?rFDGcKQu2Dzg++YBB--R1-m|2O0E&Vt3u7E>2gjS9rcjG#TxKw z?tN?%h1Ev_MAqU67Mqeox!IOhL1m#zTa_~i8D%<=Zs*;-nTGF{oSGk8aPc9;l##Or zh)Bk6{*3Q#S1aMHe+YmCotCafeK|+(`8_7o^xz6}Gvw(x^D12KM}&QI1BZvH1=yMo z0xTh>mJ>hNu3yAcXQFhKtGg>^68?k2l%tp8_ng__AibmLB3?U?1%F>!M~T(~L$}Eok(7es%=3tUOOP(phIvwK=UX#AyASR; zQ)Ge>b5dzadgvsqEa@)Ys(%tfg#Me>r62dXZ2E$FDPgW{W=PUoJ9*$e1~5Hjcst<$Xocg<4B8!a|}!Eu$uYZDicBHvR1s%ere2n zKa8LLnOUiPsq^Mx8k%twysW8$H_pL|q!U~@Zp;>)fD}6Mp@+6pUTwiw+1dm;2Q$jSytC>zoO(J1yBtpoc2eYMce-*&fcp{%0XLQ(#@!{ei<@cM z7C%lj;gGoKP)C_Q2ZAKJswL$`bRIyn3uJA7IYqEd15B-bVGkn0VE}LWmOLsctoh_| zSWuQ}4?h1&U51C0qxBExP9D9>t^CL8qasx)=r;>9s;U@-fmqkfzkxqYOswJLw! z@Ks;}%`KH;%yI9Oe)82L9s}S95I}}svICI=B#0k%xUJ?r1Z#fNFp|`UZ|+m%=e^a} zBnLg{5!$v&`QP%oK*Y$rTx#YhKtiQo>RaPvJ+r+;f>a4@oejzZ&9(MtC&!6RmVMe@ z_`V+vwUdA1CK6Nlpu2)*7SS7)DysQ6w4w6wsJkbyR-9LX}7GQcEBY(gE~T+AWg5&s$_d{ zRJrqLh{%tmjn64XQWNvdzE^~HzY-~z4!_9%K_zMXNqKPigTtT&MGu8#V1#uIW9&CF zih94$z;7JNm(JtGb$S>x{j`QaE+xW$oFt{r1ol#wjROHcy6l_FC#i#!DrPicR3B;NmdZ_OF2tek&Np72uV2BxL> z^-RH0VJj7;cd907p4fOey>XHQzJut@V@(#RPO9M$oh#9+3rQ*CL{EVVq|ki4epL~v z75-kZ1gO0x-NQ~KZtvdIY5PaQbA#*+%Tys;#V;w*BK;jRuec0XSj_hS4KGWeQ&nDA z>eP9Y+xYoOmKij27?t`ixzC0~L_`$zC{DhqOMi@MxL?0NsEk6EeR`P~w0AY6p5)xM zQ-prn?Bn&;qgZiMqs9|rQCzv-7FnNe9$9R;C^u{sHt_D-@|ZhBJJa!ORn0;t@V3;) zzw=!>fOkUd1(xg=-sff(@TYf~qiqRFHO{=J_<&#goXb{dHwLBdkD#_W2Kr>z+~_*d zC|vi;gFFt@)%}^^US_1C9^TbL;uzx}k7!FSsG~>cra7II8I=5#s*>!SzS^TeatH-- zan$faswP46oHfyrl9B!g1waR0_w|*AktLLt?IPJeihURZ{1Xp&1@?HuVK9`QCD)C% zkF5bCv4wpI9tf}#D#46Wq~ka&EL)jhzx_bYM= z)r^=0(273?@|l~KCd+x@H2~xuPj<-@^_*$pwoLLqUhyJs z!IqZL4_}=a*TDm^?0`&Mw*mjn-hXkd34J~#w!nTJOue{%pKfNDCX1}q8Gae$T%M|+ z&?n|->?}4jrqBr?vM5F?WoA7MYotYQ&8J28y_L%MAQ_3wz4$CjxXI^ndq`NGWlZUG zprjWbcG-U&2yTYoa5!2sZU4#mYpur?low&ir5z^t7N~L;@{I)^d2cE0N zd|I9JFgwG#2PNTI{QIxW_uc(y!kaeI?CjEh2+>&SOZ>Gj5lmD$6+c0u{0u1Fmmg)X z(ku9NW8t^seSmfj+TmVxk4i5>33|{`m3jQoQwuRJE%eZv7zy8)a)W06!`796_+6xn zh=Ziqe7*^oLsAIWrkNq#Kgp>_BxRSHlc@ZC!Vpc>q5jDJuaUfD`nOFVvGrq z;%ooH2CKjgp#g#rns=k z;E|IrY5JV}sPa{pMje>*@DM+}SP};=a0dA1_o{8c5q15h_i-|k`D^9h)tLEgc6#x= zA=0B&H70?*YQ?P;h<1~`6Ha`&J$2#&!qDT{$?OqV#;m`Wd7GJNA&$$-=eABwcH)wQ z&COP#t2d@+-xrb;)|^iJU0?q(dr6Yc9hv8Bx&bx5gT0ikj^;iExs2Cq2JnJQ5PDlt zM(NpGcPF|5Xx{_fRLJkq_g<>YdM%+sUWCZ)+TI-N=rB|c#|6o7s`kntcdhv!N@Q#2 zz5(SHG9(IEOex&*@%nH9LiEcy)1kM7!eUBT*cN3H&o~pGsxi=he2;mkNyiAx2LJj*H4_IoTwUgOU9sBaVMh zxP#w3LQ=t`$E{coVkH+HDj%Y5d-eh}~$Y{+evRR)5 zJRo3xjKd&o&Mp~3%0m!989a}!DB@Ib-vIV&juljvrYy*q-7YHFFhGaZr56Z?Yq$t0 zY|6F87xRhyDEMG{R-hWhbTT+ENoH-_!dDOlj}e(Y){t`n{G;@TLtc zPf_Mau$`sHN;M_orTnGNnBmKr+Ymj~jyDW%^%WWfG*eY&Yssry|%Re@8Fls(#Bqf+P9QwXRzg!Qbg$lVF zML)ObA#6mjE7v4x2NWiAHxF`odTS6_iofI#7CNJ#l1OPO&Eu>-{1xaZjq|0?FpGW7 zHF3Hb#u0nV?vQ2d;_lbS3jMEYLrRntH^Bjm9EI;%6bf|SN##|dte8M#??zk^1E9ax z;s!mv$DHYaGjc#(UotsB^x(ncb{{`J)XoM(;Di3v&7rdSnD7SzSCC-tL*?L-?eNvU)}Ql}UcT z@PAkOPLNOjYg&~JK-GN+1YG)gBwdx_r1!bse**gx^0SrV@?-r6R3Wd( z_X70z=hl~M-QpEk6PEvskB>TK6_H>w(CI3Ji)jBq+ao1m1q?`X(NJc$* ziUnS1J*`|P-767ylbo$^*lr^l{?$Ocop8XifdbYp?=RCZ=Q{|=;Y{dq52+6kk+LgX z<2P%ZqbTnK%%6(6u6)MKunRqLn|3KX+&c|CaU?hqki)}yQ3dOzFMCctcTIgt->9EN z@Xg^OaYy+F^vEwuS7cMjior?%-lgvk|EV|_ixFqJ#uq*Y2(fK^90(%ZrDvD>6Nzo9 z6NzmfPz@G(48H$NUn%%c?N%_7IqM%0OZGae_ypVXWVi99t4!njVU5^T?SiD&X4yyL z=u}zqhV}&1=;(g5-Xh)?@VOB(O6{BdjV&_6X|+%5q`Y((L-zj($)JQuA2ZTWIEdz4 zWSXzvF#}pwVKzB#qw|5rS>A&(bT5qH=Q`*~c>JY0mCw~g&lRB%S4S`8D5{=R)yKTN zymrW_*!&4G2#<}+$01;dl=f!XO-&R5yXZ#FqkN$%aWqBA)U>sIyJ0*>3Xisyo4YvdV3w;q^#mLJ1P^8iFNqTE;*CURN9Fsm z>RgRA{Gx}u{&TES+S-=Z2C{M9K`jQryVB~aL5#eA5I328#Hx~}h3v}j4St{bDl}H$ zGK7b^4wf_EmNbA9=&15bZ!f(q;1#mp`Vu>kG8s0em|$d1GdNPK#3P~qWYvcPRv;Fu~p zi7$!TA?4x=9`h4gd`Pa?t@5w=A3ZffpS83q{! z{}j}08|%GXz4lwpSH6VqAEdquBz`)PvIBU&*+boL!J2uR*OXv^97}nwA&gz8^$aA% z2AiO7|7GC5{#-ulLJP)NCl#RAdV~^nQKUO~*~>>BNz!@?QB53hJ*8Q>QSQu*Ku=jV zK%e8)dlMo98>L=~V2-$y&7h4iR6px&WL_DiCqUR^MPz?lC^}b8Xz^)T7^U_e&=Kxa zvTE_SD)K9oc=+@CG}U8#U&sR*EkaU+Z-ROcGM=;FaaG^mKF=}d)P%!vukK7N`@$Ul zJ%oasux~17Ad`(j?Mc`}mq+hvo%ozlLNWSe^rOMxFBs}(z3x|#wzae(2C+4+B65`|9 z7qBh`;a&kPo4=&OYgufw8RrG|2^EhHb;(j?+nu>4XGaJ-a4^}|xBSh>&akm}ZPDb>q`>%7V;oiZBe9vkPb#Zr&zpLi$rdWTJeSc&iGQh%` z9)0^Dpp%r{a-UO+Z>&kGl>>k<$QYKw*tyog%WF9c3(BzH*2eI(*0h1ov8oHkXos%= zWVORAvC9yhJFJOqf3ynzUGiIR%^2Q;U%5TTTHkhQxhzAyUQ~!$gr`~zvlzR4V9qXt ztvs}^M2RV|#T#%VQzmXgJll8LuajBaX*x`X=4k_MDh7V8k1DArvS8uUqs9=J-9oZI zKDBP~LdPr@(ftz^@bw(E0XY^@zv-evVxu9sykUXkumQSI^pcqlAua-SJq9BJKGym( zybab(5BL;#e!DcL z>q9;E33SH$0oQu{15r0s?I4B3i@kpqEQPO|RyFbNC$GSAxO_exFi`B904uZaD+$t2 zw7XVl^6%DplwVLMQwS#Kh`5C4<#uavcfDut;m=H;yRbtsGGv?QYJWy6DNneC*NTWk zo^5EYif(dEe}zu_S@!QL#tNx$jWe~<^Tgv{4eh~yw}Vr{T4!F`ei=N`y3;JbLbAAJ zmUiPToHq`HUVW+@$SXCW`U|G@5_4j&%(b^OjtMm4$8iuwDZoCPFDQa$L%Qn!7F|=> z?WT0DC=h&!ebZxXx_%D`ZvEHiV;*Gq+ngTdClYGBffj!PQ3d$8b?2l7Cv5-bOn5|BYj=dW=S4_%Kt&m7 z+k;4nUc+Yq_s*4R-{m3r6P(e`g%>WaI+I#^rDyB7Y5_(Q?+pwld!tgZlbF-e=06Ke z0PuijE<0Qondm*ww0O+*vB$L|-+k7xD~Y2vw^b42o)oeG z{K?%~>I!-LN`vTn& zMFJT)E@`6YC@G5P%;H8HqI$zq{+b=i;~pjZX^R;Et-tWo4Qy!?sJw_1&G6f`;1b|K zyd?~E9z!D?5beD@N=7VSr5tye?V)Vte1v~r2i7i;^}>rwu=jFdQve8iK+}fBS7Dg1 zZh+%b^WSsBY|xa#9Zhaahor7hJ&<7Ef4eJ&7Q<8b!Bz`Vm*`s_gA!96sk`>+!R`vS zWLFw@Z0Izm{z`eZTD33oCtd45Q@B(LU|Vb}bC|HqFPHXnPi@y2Cv#it;Xov6cmtJc zosRS8jbsAx#Wwn13ORx0IlD>A1BqmS544AW*vA+c-{a-0oJbhpDss#fD1?Olz>>^} zmfpc0ceDZgXFN^M59xq?Ut=g<8Xw;1gEf`EN6$3CHr)+K6dr79$1@?U^2{Mrj7)`< zC##rSqw9}_{$rq$c$}G;Mf}+zYJR=b+N-+R=Cd_{fXyrxNJM!^VuvJ_tRVZ+`=MD2 zhL;@Wk`zVf1Ci10b)vVt)Sfxs=1PEsp?f7P@GNEJfoZb-^{*;M8dz z(Mv@!4EXeU9P3ObharRJGyIw$ZMQLbn*N`JsQTJUhn)eHqedIfLN_tvlIug$W zSv|j(VL+J7dyPvqsXS_{wXF=<$Yz_Zv2)*GL{CHQ1#KjYntQhY*5}oR*BqX4P()27 zki)z)M#tc`%*Q|22GSr4)`uy|wEd@m(zc!n-RG=p2@i+^~t1*H8K z(oz7N3Y3 z2fgpzs$z{upv9vzYUB%ZOLO*X79u6vP*V1ICNU?LtKa)-E0b4_;GD;eYv1BQ=+4xg z-qlfyyHif{(g_QrI$-hmTX(b53F$FDD5%)zgcC*2guxVqu?_FRjD92qzp*mDR-QcDKltVbziaTV*6!f`J?a2%voH2 zi@pW2R-D*oXId-20Lb*l8olY83auO615|7cPeg_*Q`zc?hZfUI-_jybVH)zz5iV{0fO6&3W2MLpiEi;sc_cB+a++7)n4~_=S=gYqyypI1BI78) zBfM`ec{ufM4B3`3e}Eq7M>+g#U?2+Y=CB>3o)SDDk7~p>nAz{z_q*U>n0Rn~aCjw` zX89%YsTqBb^4~nT_*s~sPQ^pmR6nS&mA0OZ_MdO7{tw|C2NJuBT~&R)s~#~eLLBP0 z^fKQl@~Ce4mlv2KwXR{21$R1{9hEXDKPrz%D}7)S*f&#F{_B@x2) z2+6BCVLBsSM?)Q}Iq~@(ZsDrbYavYcPdG0Y>e^Es8sB1|CR;m`39Kf6yo#A6GS|QC z)HePtZf@sB9r!-x7az*wkuc9&I_QX?{EB-ApPQ@5OOzRd2HDkn#?IHph925G4XPbq z-EZ4vGIl039??9oQ2d}m#oDv)@Bmoe@6d&-g%JyrC$q&OiYm7G$s%MJpii46Y7tY^ zCsrC^x@1%s#F6wMh>jfu5hAR%>0I_+>RA=^9dx0<_-BT6A&4J=O6zRL#saTjO*yD6 z3v*4_yu(5-?06t`_z_w2zoRwUhd~CL#f=^--R?H>z4y=}nnzPU;g@|>dqR!JEr`a?jLpifsuK^^`<0v+#7Yo1@nB1y^^){t zICY3U>^158uvS%~2*mn>OpV=E+>K_owV;)Ve-b_9#`mY|#_S*Kv?buNMWk&T7Lsr+t{#u*-6hnX95^zgu2mibm=)IY0mZ zphIPrh&MdMzo=?w4hT6GfZg-98%FOeE-VjVbIW(?$5l}T4i_0#mOgyt`*|M2pM9On zI}N(^w|7&l7s@sdnyH-Ab?+KCF?d#CzJdA|G5;d)ks&V13D9Ic@Tdg=?xBvO@7fLO}Stn16(JlC9h-qLNoQbM0LMaHLNz}8_*eE z9{K0-N-Z!oIw8AjwTU0?xy{u@-Ch0$_OXaV030vVA4ORBR5$-@{7&W4)@zV8al*ED ze0$=6lP*e}CT;T7E-OK$$q0Ai*T_{5J^U0B(@nGTBXm#ldiXltGnUN|#OI<3`MLP{ zVP~ve$Zu7(8MHO_^}Mpyoi91HCKE#cbJMY{=nr`5%R^z5A-7$wosYJ$e&AL;-*lrC zd-vqCMf+65^8v$)9*o+y=VP!4;1gQxdwep27$Kp2=XfH24e98@)%d|!3{OVSHdS2Ip;6Z>f$Sid=rnZ0d z7}>6_{n=1UXEeJno>L|bML4L_YUV;dG~wNgKzwE*9nVdXOqL#pXDIMO_+D|&vUI`G z4~p5bK?l~!yL_woO_;9XR6>1IM6tr~!vrfR40u5eFq9h6a0(m3y}~7MUQahPP5W8|)kROYoL;dfP<1R#&8~1W@>r#V&2nyMF%k|y ziQyN;*_zo-mlv?82g2z>WWZe{6f_Fki$5Rb#(hb~av#)NbF2OpUoeX8v|8~O!1c>v z4`);z&JeCx5f0OYnm<<(*8zQ$wEGXEq)bJ31N(cHMc#7jadsI|!<@c&&D@XEvBWm4 z*RhFKEwU!8*uB%VcUiB-UXjaxuN3s#WTtPfTH&EtxKE#sQOxonQxZlTUu+Hvcbs2Q zgJDr?o;ko;Qf`R2**h0=T3ni=>V!OQ#6R6X^bRAYlgI2%+_n#=Gk8_pEcNRsWO7(5 znRaC@U+q2wth@jEgI68p&n&0GE%0AkHMozgd%LrvQ%W=TJ#c3>K-}*>b%nhK&F0Y8 zGN+!XJKWqQxT7A^3-{%zU=+n^zq%FuR{`xL(-m@~;ry(+R48k}qdu@Y=>6)?@x$6Y zX13Cvb%;Ru(E1?9r+KIdYMJJY-G6ojBAuJdSii?@zg+=j{w+Wku?4@HHLje6HxFA^ zgoNKq;4HRnO9gBdc0aPH#oFhKuCE3hkN|iQ=l3SJgezWFUN?_ShKoEiOvuLGv&Blg zP_S33{yVgYZ7m(~#p2l&3UCF^8QdIKTa=E(oB-LEJ%)$UD*B(>9?;vvGCbBPb6 zo`iqg`|$c5HG;Z>L-3+VAW7zgPWatHA=e8^@zBd(PVs1T&0*pjzeUvQN-oTOAv!pyv`f1`0mS5>=nlQFi1?f$OEED`VSyb-_BScd)s`E2Z#E_XCUPdiOA z$bkKVWHCnTHa5Hw?7xH|)3Y8E>@}}z|BM+iy&*)`%{`L0rQ7(c@d`DflZB{>z*>mj zAjfC_w~sw);!rOIK-j3?_d&`plMe9031DnBM}rC*Uvon2k3p)N)65GTmi&wyttk}* zTsL$RKmO-nUW?uPB}fjNT@IVdp8$uLjQPGJzvlZpV_$c5a|I)McXfhehdizY#>Nwx zuYs>P-joEs7kW)#6$^7cFy?oov5aLWCJG!{I^4|?L>^nVBc7$^O14&BFAukib|2P= zy4K&^`uI2o~Y&d*(5lWL)}lDd#$gQ=-$fnd|}POeiETD zQInfBm!kTQsv?t^Uo+%neTi)5T-8K*w60Oir**nhZ{&x~As<;s*X5w*4lSBD>0kuI*$sTBGXE6o=t6(}OQgn_yr~?D6WF@UF&z`YdDapS3 zoO4}u%fK;1X;#fNLtl09F!wL_equmX@9?G#BT1^lqd$;Cg5Q>uqf}eKN6+!*qm_K{ z(63jhJM!N#+I%$K9A^cUpH#g18J&#$b~Ln@ZhN8sds(adhArZO!H0-#K6~M=ytg3e9vZOv!jmK>Cd&fiiO6`y`8N57k|UU06{gq-9JVF7V)elNXSTfO{Nc)oB=NcD^284x-oU3_W0pc?tro+`GC^i!IsP`4s$y&y7F z2YCJ(K~g@r6r0*)k7a5MnxJz34W|4ne{=T6l`;k2jd!WW)e}k^VtyX_j+Y;;#9Ay~ z1fnT0L@{H*F}F`i0@E3suQC1+4&iw@(x=TohvLaQvUFziMZ4x}!_5yfmPa-o-1`|u zKU3Q|o;;+Z0Vsm+%AmELLBS|OSU-`v#EO0Kua*3igH1z)3T-Nv62x7O0B?{e~j!+iF{hsQNnbF0=gS$f0Us$(p3(&jisJd=J40L1klRaHoHcWDKeg)M_C zGhhkx9{tfd*oU}*XRj7#vH6{li<5=}HT6NXH_QT&(K9@t7rjW+kMyqIY+s}Qy*nIh zIB$=*w6BcPBa(m?5v5_JTu}5Cy%`aGdiWCTMUFnC`I*qoP~=XL`_-UH?N`;qR}<+V z_d($v$m}?^d{Db9drMkQhYIz^dne9UY2|0FP}jeoYq=>E5(J5xDzFcaVJ#Kd+ifob zGr~HpcoN*aB25-i6ppKw$F8R%RZ?2KjbTn1y1L)ztzr-8ed!K7=<=K3Cmy43kTx%vq_d`CP+p7F*Z==HGd@%Dj=!ZK7F1aQK?g8Np^QDXZz3wxO6>{m}U-TXe z90Fwi-|lS`=sN=X`ePwv78g(+V!Nr=ll)tDOwIztb1*Rv0heJtR#cJafoJAd)7DEo z{eC9PTbAC7ck;*kZu1I1hTgtonu)2n_7IBVN-)6K^DcvWN3U~;7CkL20}=F+*Hfr6 zw|fNJHZkwMnlkOj&DSAg*+*@{N0qayUViIj z>_t-a2A6jZd{8@RVne+EvFC7YO!J{DZL}_5;)O|r_{Q|Iqe4LT#IdVvSeza3L526kE8=sF|sr9}8_qZ!ZT=48TFAZOM_mD+ayKTyI*6h%4O%KLu&B#Lr| z{7X>#}z4S_-KTW8Y1e}_7LR>?MpPgtqGe?WI;X&I%=k_ zcd$5$a^#bSUZ7k@IUG|SnT>_*z-s_vnYcI+^9zIQV#?wj3fB+=7^+r0p(_~e?+ekL2aEA&~_5k_Dz-X zq`4Y2kACjV)T z9bMl>;v+02a03%hmi6eM|8`pIxh(`7pUejXF*uW$V6nb;Ahny%q6AAx^Jnq!^H}t!Pjjw2W|3hbg+Lc zPsb2c)G3kx`1M#S7_B>#+pIIc(HX^12iTbsDs|6R3hBf3`FR%ItX{dPV6`Ui%NE9c z&Ix{(7xWD9aHl^cEzY8X)U5+kT%#0JRs{JVVKJRjQtGv=Nc@uX_;WUccFDW$&32-l zF=;Cx)A&cHhGS_Ux>nJZY`>KAmg~S_{|5Y}L98`83;8}_(VY_$6Q@z<&KM)znC=*N zq9T^+-j{O^Q&^Ae?R*mxW=HQ4B?2AQ1-J4N_ktJnl)5M%ES%cl{rv1T_D`mVi!Qph z<0jJ(MQI)Tq;X!Rr&|f^>~S;jqy5Wssj%vZh3Uo4+IV~BGzpitqo&h zW9Fm}vJ7rdlFTIbQV+qnqD6C%DxGN*~V}#Fb8tiq3GVFo$7gyE49#-U;Jwp(?2?JIeee8 z(;2a>mJ-~@sQ+{moIn?ud9D88M5LtMd-*cfvd#Na?#oiWJL^}^Iiav ztoW!nH9rPWyVE>eyV1Q5^=9Bl?mXQO$>vYzOMfQk9o65oNnxC~e_}@R(EaW3W@z&8 z#iPg|+@TDOHosIOb4Co}snDn$CYXx}$N18XS(8MaPrZii0B{#~ewTm$i%_soi-C*F z1L32P<}auePG+O$5|WRijniU{>B@gc{~b~V_vjn8O4~e2G)5h6rwy>tsQlO0i-^5$ zPbW?{O-=c6Ea7(kytHnM|E6Yp{9=Y7 z?f^|KO5B{Ikv{76;4q1~oEThFc+j>{tHIINL5YrF1p&{=Dk+g|-6VO^yCPC#|HsGb zHly^?>Q*XP2bWUP;+;l!Wxu+0xSDluken=pDSYbwhrj)m9QoFM?tanvK_$=quSxQ| zbA>N^TEBB{%=3<^sA2is8e`s-`g(#d44^5#>Ew`+grt8 zO8owQz=Mrzg$6aqKjHnpN-!fxtZ|$n}OkqcBD4FuTGZRCH!t$d6U65 z7eChv{&yY!e}6g45a((;BQIX_E!0L%?)5Xdo5FTRI;n&P>S?Q|dkH1vQWkT)tP*ka zjZLP0<{x76>HesGZTk(oH`fQ7p~<*CI~`0DHLkzwK0z!y*OlP>8cO;9t*QUKU98a$U7&5k*c{7+};55@s^iy43wJBg*>c_jH5#bOC?XtnnOZ!u+rL zqwi8NUPQZ35kYT{-t)z;jlSWXqqeO{da;hkU=jYOhSb5`kzHT#qhr5(3$?6 zdNJNd7Dc?Dhi3%1oMM`yCizn-DLlhnhotF$pHt+6f@9J2V@Z(s{^G;c*6yy27wl{x z4Dfi}7+MKD0+NP((PVV|UqJ1DU))XG*md`v-91FMUg^KJ)>+~}g`OP0BfFkdFf8n<@xyQ8-gPvAqHGhDz<@H&OSN#_xGLSi zb`@HGbCaE4S$BVxg3VT-zht%(Sx>j)QtA4h;rzmUr^fUw_wfb*bLx3~08qlu0C&Yb zXJ;--t_B6>SH)CYAOAZ!(+Hw^vWX{cfZ<)Kp-#YqjH|!I0iiu+=!vzlMBe+@Q@FWE zrn6qt=yYv&Yqwls7k5jYK&!aj$01&yD1v`e(9Agw&|j`a7;I}}Y<^Fwm|OQG?=bLf z6qp9y2Zk-JZO|jUvYI-k8I1osQ(R>rUL|ZeebWmvx|=x70iQnf*lmd@+-g7XBmOCb zW`|BjIrUCI`r4fetR37g)gSJT^*Fs3mRUrTo!S472V!P05XL2ZRM;qmOe`b|fMpZ4 z`6phZ&`El|X}ekW?Rhu>17Hg)h|N=d#3?<#8sPC8-$r%vo^fIfU&7Pju9j%9xMuV{ z+f_v8h>Xd~?ChSu?H34bpu=X80q+8lD0NuC%tdG6V$n6)P=K5X-N~4weEi3!z?UNx zDkr=aKEn;dg6al_+@u>?C#TP6$46)UoUpE5XO<2vHnps$=0bxEZG0HV|)Ti zjT`CU_Y*yxkA|Fo;rw~RjG@2#vk&guwl5N-5r;sqWE-sggaG)U6JY6e+`JP8ekcW2 z!j)D(S+P4FRZ}@8I<9nRV!gw|6cJ*)c=dFI`M+Y^2;(@gqtW?$=7#Crhv6Y!py%zV zXNLgn6bonss9kCIZIlwq#CSjm^@(n{hIeFPiZvO0Zo*3zo6h*$65b2!IH+_$-M9z8mGn}dxt*B>Wavp4 zYmb44b8dI;p@=)3id5frc>RF~@NsKF-2KsCw_@Pveh3h4uyb(IBMx*lDLMu;(Whr4 z)HRed-#~|U5P%hEX4f;Fk2b51RUW8+$e55?p*Hx{1LvTi@ZCJPRj@< z#JxZ}{1)rj061&?sPW3{pj>3A1K;1y>*1&|Ea#;U0^Yv1+@6D13ENFxtDiM0&ndp6 z!pF+Nf^q-*BB|@waqad#DOsg<=PP3=FfAm&eXKesC|(}0L|xlCS1QxgdNoYAoY zJ&0ODQixd^5QPCzQB0+reidS@PR0$di()6dO7dJVc-PJ@Fr-85YuvdRJ(V}|3Krh- z?$f-iJR2-EqX9<(`})K`iTz%^<2;c14f36X^>mnkLR#}?RvQguG%z}=)y5%*Nn ze!)UX>b2{`Kcoa}$qW>l;r;kV%91*{**gF8Uy_J(m^pV->^W@cVvJgO_J=RVl)qfo zXX>keMvlfmAJmQkWf-#>$AD(UunWQkkXU22RapEt58p$0Q`l<;SQq0nMtoFUGS^2j zHxD|Cv#V5*L?o?k1iqC_8oQ9>?zVnl18w|hOqbZtAFgKTv4V{1?lZ~F4vcpcZ=Nz> zj56rw8w~3=j?OPcetxK(EuRLtRGiGzz;M-Rs%iunL=9`s8pdMkx^Gfb<_?Lv)oawPj zGcuP1aM6_!dP#P2)v zo~B>ImM-uG*{=o`n^RKf3q)=l03Y-2$)a;k&}TYePJk9>;WWK%h>J5{lcdiVnsCV} zG~X|o;U0r)%*i5zK3(yw+ACEGbPn}lf1=K|%(?7s{R1re$1&3#H~=kDu^of9*LJLJ zyJ3pZ+H;bRfDL)c=*fX-*Rb!=e#rhtMiRfh3)8{n%x6gU%&RNdWgXyHK%DcG)KN{h zF81m~Jig^b(GBtUvDjF`B`108QKS-3fpPPKt)>mWc~!h3bAB%nU~@D^e&X`W4e7qz zjJhqm^f!0r>lAZ81o9>ADFF7brn3Vs17}$w=8}G*uv`Ks$)ke)?`8^`F4FMx-IX1pR59S1RS#FxpAfm5qTG=MxoUz@L@yPYy=|O@n3u z+m;nJ#lv^hn#SfbZ>#>Fo~}JAskH0QynT~1pCvVx+5j>$yj`sv%7MI6nb~A&rjs?P zlz2CW#Jr(EpTBF>pW|n zb@tl(_xtU=o@ejDh)phnp2JWN8ebOo=X!HJHTH*d_`N5cgF!Sm;ML^{9W-rYp*@M1 zArCZ!gBv%d)5+>al>$iAW2z`^<_q~3yyo?dic`)Ot1M!~s}qGCkBVy^`amCyQM}_TD_E2Zu0}o`Js98!21T_*#BlZnMCZTc#o1~XHGS|Ap+iSUTT>SZJku`~PHR=n zN+N);RMj70wC$gtTW{2qI84aTM)s_!M4nK?X^(pov-=Ko3B8bmRujMU96gSg{rir* ztQG-lcYWJ4@1M)7#TC9}#6l$B`gssbvEKaMv9r=eT3dd=JE!dHXhX=*$#7{X|DR=y zspWKbPl&Bk3JJ69<`&IeQ?|6#)Chh1JS6#Ey-F_<4{pzlejP?>Go5m8{DUq3El9jr z#AOESMAdC3f{~Yc$~w5ext25Qgz;s~6dg!5P61f;eY?7{M4$ivN`!Dhq1Yu?Kx#19Ck*y zZu=kGQjRD0dgG>nEF~+dw;vx6l_Jdf%IZJ7O=~XP?{Y=XOM0=`KbKbfcp~P9PL{eh zQ3ZxzvOt-F=#&XgW=4G;_5XPa(U~gvi6uJ}5Iix)7H^qeV1FsH&cKF|3SMBr*lohP zM?)vUddp4)olh~dBD=Fb^YB@Qx~vi3vgNVI#|)PLTYf||mP))ol5bidvNOpuJ^Y0# zFoMF;*@%5_XP65XVU5&wbD7v^KTDmpF4VpoI9fHvo9(#Na=e^Dp|LCYh-wuFJnBD% zvT+flW{Cg;0+bQ2nhTB2cqY{R_|O^DT#D9dQanz~i)!rK%r0nh!B+WWgECIi+0O#*RE?fQNL`s@B@`jP)8oaRWun( zoaU7A>kGHIesjFAYjIgNS^-ZD3c!RztdK5IA{s1uWZUQ`-(%W1=jh+%F21)v3obwU z5V$v>up!t^27gG0^3=?s(Ca(%E4}4C@kPJ19A}`Qqj1g_uj8t zrTaZ^U>iC@GJ#RK>875Z2w!BppFvlZYr^KULKK+?88H}9o0D{>M8RTfVNaG$uLYMU z-9No(TFjU)`YxNCcMsD?ugcc!mznlX`5lw>CQ>W9yh0+*;BH&k14~wLZ60$MwZApUW}wDq`tks7<3*Q?-|LzO2T_MzQ(Jn$!O#t`tu^gL#}I%GE-9RlIq;nJ2r2@P{WHZU~} z;Zx*FF@8Mt!N>`PF!;(T=)J(MTcu7OM5bZ^z*r9byAJOZ3yxS~AOzXv*7 zVu_APrgR(spy)R9q^YZI^6{sEh7~MMA>9|g8F&AYp~wH-*=W7EK3)7`!>_l*j0Oy4 z-(uaXe&U0x_K4z-t4znGsJ>6wt{RA!{F3<92B4eo(IkfFB0epu8x7OYT#~H2q9Am@ z!1Tzss!A^?v)X~*8P^v$&b|u4l&LUhWYe)GWp=<5C3T!UFvRllG_no7xK~!4!2jgj zJpA+=>}c>|v>SZ3yrrYU%gs8o0cgv}vme`Su zqBsO&HBcISCZ2)GoZ{iVwCmvVE5a=;+j8A9v}YALS8QDU&Go(O3i`7UyoTe4?X7Gigak{m7QQaSm^(`$kpWlE6G?@hi1I1g zWQ&RBe^M6KFcRdq60)Ukn3RqQAIGWBNqOC3nAh}QBL^z2Qk&{;;>&bp%R-R*$A1N^ z$4;()QtxMh;x=S;hN(F>)}#1Gug|>3hV}HM&Ct=3N?kFQwYGUPVY++Y9IN|S-E|T}AkTD0pQiK80 zNXwYUsdj!ECS_b!U{#9XILET#WP|mDQ+^^ViVMg+d77eTkJS} zZYNHimo0F&iB~wRTm}GAhi~;+IXioPFFM6n^SXa zB1{>tEQ+_@*cvku@fGy?+O?P|0HwOQ+&mPhFM&Y`QPVUkg%Oy^Mgr@+OOr+pj65q3 zbk{56MvpRWs#eo9#7#uSZ%~n66RIv%$K2)N6=W5dElBTJLy}{5efDYZ4yl+4z3|ey zrD?@*Vc^d$abba$w^bIwJks+ZJxA5^^OPHpOIqQl2X=G7O);Yt^>nB@3H>QrsRfcf zIp~G8nD%2GX8wROOWNGEmSkyA{M{VU7W+YEvXwmr2YSg%0FRu?UBHiBVuNHft)c@; zz|9Z74^P4clitUtZi4= zU}&jMH76{Y%tibK?R49=OHfSb_a`(lrS!|Au~TV=*KvvHe6Coic{)}cFhxf=JY3dm z;3yln-{#c|rD#oB$B|@XrH5JO+U;7TkftXKAM+OU)^pdwxdRpghb=TL2D}O+3n)X@7%#KvIzn(nU%UCsrU?c2^9$eh({t#UE}zVa&7DzF_W!6>gD_ z_QFy0J=!C@noo}mdpo}?dHSE;_<$pxdvJd>tKx^xanY#|9tiJfELqq8%{gqoWm>y~ zU*-PSp;zPkSdhCN#Pdbo(9mHlcCTHMMLk!x^cHL{_T|`|nG__OM6`|AL*a$COuXPN zm263$l8rQduHtK#fzFXD_x0b5wo)6JD;%vN77%}Li%}|8Ql$)|MHaW$O&alf4~r%) ze`3Bs*OaX)@{JAV1l;vHanWTqrS@K;Lx*NCF*hu8L3AT|X*t-n=@HE>vVop)zoy3^ ze;UDv8JXz=`GD@kb3wyll1NsEmk0tUs%dv z9`1*&|JvoJ(ZV(1Qjg1P$Aw8xr<=Ftw@h9)N=~=OG5hxEa$;?wB<|#kR~nDqy|-V2 zqLS48zew#A%$%_o6%4KJWZzObi(#tg3;&ue%h}N8KUVK6|Lr;F(cmK% z5JxvPwJMuE`#F!E;qOM9!px1okW!|Ohl!3Xq5o1G^rJ+ueF(9x9&xLBUEmq4cYH51@Ma6@5TnGlWBD&$4k<(V*bo$u$EU9` zmteq?jzM(L+Dh8&#do#1rUSp9$JLBBY7yo_Qr=g1P73eZdXf@MsiYIn<9dO%D3c|g zqzQv*)8j9+_=Rt*5h9~vvVWES-csx0j+e%?h2P3niZuV^-7|C*XR~q+$TV^~BdiD9 z%*|M6x1F(lBGL)e3^RuL34XRgO2FRetl{lL&VoS!q+=H;WiZg4jePZtPfQ*{<+r<$ z)Pc+2rX8j46zL7!2M_;VrhA13?sBhA^_&_N3`nOfZrd+k-O>so}WtICs+(321l5RfUndZ9@` za8;Xt;0pQmtH3MZpfTV(Nr{cDth$1%>^*fCCrcZ93j%^yp>YY<)V0=WKb-rF$Pxwy zspkaIhuuph(0ooI_l-P@GMXT>{l`u1jh;o4QleY8O4c-A{8TjJ%KB1yo!!Iao1B~h z9cfn9F3*#oS--uxWRT^+DNGc1f=oH@JGB}h`k?$ftYiHN(T5uvd5`+wF}J7~x?0Ex zA4^{*+0A+HrTJ7`K;Zg4zNRx1$vL9IcJJx855{4z^Rlcyx>sHV(wW!Uc5@qV1i|l# zwNokaU6N*ev2nGRuY+pl;}eyS)L*twiB;1UGl^AG-U*2RNdVlG+${${7W&J|&_Mu9<70Vfm>hAno)*f@0`fisr zvEH18reIBHF;K_(WaK&bo%PD~yUH&VI4IA{Lw#St{nd;p*{w7d8^77m?&jMjEl?*0 zEDP-Am^zO|a1O(N1v-?oW=OdNw$iT13>PvlB0 zl!>S1sLj7FvU@nmacgKKh2?7!TNyX^v-h1{N{$J?T9>VEeK~n%wR_xy|91bhcQW|y z(Oh5b^#CvCI({tai;ct|!?(R0d;@FYU)6GE%u?1l;4G>Xad^_<(`64E-8x?<)?Md; z4YD}glQ@Q(V*S$BKVG8S<|FFmXA8p_J}|w1i#7ip-^4F6swW~3(pKz0N5n-)5K!UV zQLdh9>5U;bPdmRljQA7Gkal%-F<9CAuMng>yFs8KW^Rrlkgg#6Ak-40P?={R10ufs zMVff)P~B9(6+U z4{aHgcdzA3ONdP>)^`7|iLM*8)m!V|Lb z&k?^xpO9L%1-`%1cvJOrLhIyv@myDh7i}3JJC4^6Z693%r1>H%uAo-hS z8|ul>$SX~NsYnns$JCNB+OI4h@oGL(csZq5 zbkF30#JwiAnC{MZ6fSo~V;bX(<(i-SE1u=N(y7*7X5XbjaK>|vb9ityYdm1T!%-1O z%VEJq!;z{B%@ufYU;QhGDK(D;S#Ip`t9to68hM;XTp{dM>`oezMKgIPnnd|;OBS$9LWJ>14BGuZ4lA9vnPeLU{S+@D~xlm(>Hn!20 zmr+hQ&vk8m-(g>CzhR%(cFNXXFmTEeLJx6-XkZOcOejL^Gpr$&3Cl}=gN!*sAcBz| zORpv{lw_H-CzxP^K{OVL3WN*wTF^S_&Xs6YG1>k!v^0EU$OR#{gV;q_qpk5a;Sij) z*$~rkCfai?2StrC9=tP}i-N9`xRbi`qMF|p@J)Pmd-*gw_-RRgF0zbmL_7zPDVzr% zjT)WLFe^T9|6tw1_ll2Qz*^|G(5T=IA!7@Dhr_`yuiN<)pH4Z9+6vhA2}BCby)$+? zi7p&ieo~b<*4M@QjtUf$%WA<2Qm)8*JR&gSmzQc;p4em%W>7fE?K&~@)7ZKh-e@Oe zSueT_WsGI`R)TCE}vqz;)l9XB|0US zON8}>4PaGItA0<$PR&%XOdn5`LLAEd?5rHw%BP(`^J%us_OR~e$+P57*`L}oJKqcr z4L<$pT(%@Z8$r`E)e6M~Iq$j|qTL48tExV^=IwDHrA!_h4;x298&i5yxPJJ&bA%N) zb0M(b?8+G0xPNYD7?m}oi6ff&P7^}{ugz!AED=q|ruIm7`Y+k6aO^xoi=tLGAXDgQ z;ht%@IJ}`vzJqNzza3dv*6dX21lcN2Z<<$xDV^Oump*4a!--7YWy%lZzq@d|Tr7j- z8})4_eagefzaGD$9HqW-?b?;C8~)GW)@jzJe%G)64%)ckMcH%1g#NhKcjIL6D0eSC z#2^GrVn>$$nU`FO{_JTh|68N>>{l_b4BolMYHIsx>x^1ggWP1?ocdCJj6D@L7c>v9 zAaky(E2!J8`%WZD>cM^cOKlW90@m=Y{{2yFja*XrFkPxyN%fD0LpMU!`(nSXTlE~T z*M1d`{-rRJEYi2PxVhT2>a$IH^odYUCU8M6+D=nuxc41mIko!}2ZlqAL-slEo6v2C zq5xFj=uq{y>agma{k8q68@?}}zs!Cm7t3mEkX7~WD4M6DUPN!EVbp8AG`B5UTA`jg znkQE1-SD@c1tyjc@G|2GEAcu>SQ~@U%8}l6+nG9Q8DSUm)1YOcjzU&3*HUig*pCqsNadfs&z<3IH^ocRrJ4^ zKHHqw%-RHj>b43VtMmNgS)0GpSXKH>hi8^ofCgPe!lH4iFKuLq9y8jbMA)0rwi zI3hYWI!zNkJk@0ABfP~p+cl49nl}&VzqEPz=vwn#YNp13Ut8)XiOvQ?Z#I6Hw85iZ zFxs3ZVqJCWExr7YYDqNYoGkP$l;X^F#x%g$(?!2+4X_IphvunWO;N(5`lEM?auKWP z1Z?lvOjDIbyl~nJg{vbaBZ5|62R0;>B$D;6je!doO4SOt9KJZL+1{|WcXY84!-uc% z(jfN-;?ndaV4H+H&j*5c!YAqEc|v)~OjMg^<{RsdhT?v3fecq`-Hgc^y-$<2AY9;$ z@o??DYv?~bl)zLu31Vy2XI7BidRk+}=Gf~KfumvGkQ9gtihOqZW5?NEU@N9GzXx6d2b*QV8gCmN z(BL44$?LUwTY>Y;QC450!s{t9%j_SXQ>!WxE|?GzEb9{#r2aZ7e{GwVMs1B^ejVKs zuvnPrqj{I0Kqfv^<4Y6yhY==%+Yc3+ue7w^rv82DwUJT1D!e(y^*HGDcd2-KqiiYF z&r<47jjo;D*Wy1hL!BW>ShJ=A14_>cAN{&M>ZACh7bsjsEc6vDRa6K#fuFAvTne!v zxB~oi3HYK1z6b~iGYJ3Zm8;qrm;dMIE94iybj5UjA|Q|^PyG@;7sVR$J^feyMJY@UkA(Hm+e1g0;Tds$p#f^;l(O+PDj-EuWXnj)d9O#{yPYUwWW2b&(^ z5qF$FP|*QB9az33aWG--*cwFa zpU@S>4El79!h=mM?O9AnOLJ1abiQh8V+&@sA-Voae$=1c7jo~L_?|kce7a~Sl$Lw; zh|19g;kT2FX>>-cs^qQ3PI;hEtiHRvGm~w+h2Qz@f3)2dwAI#jMvsGM*M_pQx0FZo zq>FXIGgeY~gM7GR&vJLn?3Y^)ISW5J{N?Heva+d<5XT8IHq_aj9Wu{+NyfN>ry#t? zi`DkCo$l*CrbB4q4jQYzAGcD+1212jiDpsC0-lrhA(~z4@F&HL)JdCE-T4Xp+>P6) z<}vz_W8=`|d+{5^(0hjVEynt~0TgO}PilTa|jc}v3SZI0Z#o$Ffp zGw2Z}=VZDj{T@pd$64Nhqh80=zC_H7E8Lwz>g0WlIBeD9Iit9T+vTe_w)6eE7(s`a z>E``h-nh|-X)MBQ>kJui)>YV{i5y5Zf%%`#6zLQvF|Z*27Bn7_j4t2iquygOiQFgX`4Y4A3DOt3d_8x$|R1Wl{&awYra|e;)dk|^A(;dlYY_;u^H*KQBH;XuJU6ht%$#vIy}vXZv&`NP;{}`X_2_!)EQGH#Wt$A%!5K=|C`-(4OrY` z;|G2}UurYWM-`U&nHz}b;|WuLcB*?Ofk_OqD<%G)sA4!sZo`h(&U+teSy}`w{#+Vy zJe|o0US@2-d9;-_^`6_b9J}-coZ|u-gy%fl&S(8_vyLZ+I~YCKahws%zsab^K5-iA zUd){R!h|z8Yq=eEj)Ⓢ)I;$HsX2BFbF+iV`QqHr!Sp5a(}m%7w<3*HbUZ>-n3oC z^>CHdIr%Ozyb%sfM`5_`Zh@NjQcK)NiS+dkPWIq0 z9Jr3Mpl*^3!jAjcURAu;dTzoD0(OSYDpJjk%<|Cg;M$yr&Cdp$pAP*H!Oi)U;cEl% z!s!``VjH1UY|!)5`EzVHHA}hVPN-VS_jiiJ6;CMsl4T1l1C#7BUAkw}K}chP=CpOF zD9p7u-6w1AggE_#6p;&(s$D>y|30uc&~rNaR_y3XH}k$$+d3 z9YtyDK4KcO8)x-!zk$Lr1DLlWh)7&%WYF)dJIaw_S+_f`{<0S@KP8FTq>b0ss zTq~*V8&H3~I3T{|=5w%7QFU4!eV@+6?R$Efn0t}bTzNFqn}j$KH0RajFjd{n_NCPY zU-)R8u6dgXw;ZE3HOZoK5mftsJbg%i{t(frxaPb3kXgaLBjzPz{ee;Op1YLf?yrZA zGj+~q)c(gK=}_27FRahD(4~V$@6dg;b^X`(hmwhWRs$*g9zE6SqUNI;*Z;gtnm1oX z9_On&%W4mmx(Xve?GxTQ%yY15u-ETe>}ste;%8Lq@B{u|2hE$wC~m}8%;gaLkxy+Y zFIQrgWAt-AIhx>iVbNr$RxU~Zj#}8M18#prt>K%psPkfwn)d`xqBb%r;KV$@c;{R> zS%@3>s~w&>Kb(maCfEcA_z6hr{0P2TVr|&_oEWU$inA-NXH|wu`W?UMre@3^kWbGn zFe=>&ILG_H#y=^GRfBv^lnU@~de`&2Ed-r-gHdd>KPh)yev&0ZtkTY&etz_H`ZC3{ z1=`2@3uVbQ+&wPAeB z0@@Rnz#WdP8?jv2tm0Ql*khYpG)iM%3)mQx5q^I{=5K0ZLMkjW!f7$O$-EaZd+i2x z46;7Rk%TC;nm^=m@rUhnGE~JETJ(Tmc$4%;w*_ru8AM%jrfVFGs#QbC8I5t6SwE#q zklX4wQ(JDAqm_gP!0mYrc?+k@q>f^woUKybb*m$x^ja=2mMm`cRqNMp)=Z~B&q?I) zk#sBpZZ|RuAYt5@D~dnz$N5mt6}z(cG~Tvdom(k(%9`goVrnKLfx{4i=xpIcYVV`FWr z{u;CIAczJLJCN%7w+eEYwjeP`F+3hT<7Lh^CLX||S@Sq8Rq(vk=xi|Jhi{ZPZ_Eb` zjb2(m=5Kd?HS@%5-}dfjbd=8HIfVepuxz9dA-V-`*rx~WH=X*MK0U8k%Ch#0aM%Sq z`El7MX2lcMSV$LW1v)}*US9#%&h5_f25%|$1qF7rH4;;?9xi{S6i|FrV8=5}xC%j- z_9}{0+m7{^c&)^}aXl|AZGW!Odj%p^k*il`I)so7Ar~dnccfycuQujpCTDtf8w_eA z6Miw$q54ZfAw!+XZ(n0xZt`Gry6thT9fAjh->kJ_$vIo(J$qo7_L5PsHmvmJ5xg2qn5Fphez;xP&j@ELn>e%h~RDKh4|F?cC|v(<&gV&5b{T)4!giy~l9^HGsVSNlW- zvztubQ+eu=$b|WmRbhkBC>k!^Iyy7or_D+DIb3sspxV#(Mv?~=QT4q%4SnZ+D_mw3 z;aN5;3ii<~lJULn2opMR@s5VQ24Poe8KygSEtGByW;<47UDNr51LAwOmmVcFSz#W6 zpF%X#`bDYv?j_H=ap{%r2hf+X#tNXWy9=(U%~C-@rhZtRfF#B0LbMPI_Ibi5Wkzmt2_c0*WT2gfGETx(ubu+re1vN=RLwwRCUUGVWgTd zwRg@J^i0Zr(jEUqA`m`V$la<+Q>q#+TU&S%)GCV1vxz?pjjFg zgCvxftLb05GigIY!5H=R_v6=0G$v!D8UvzE=~X~dPCrHtnS5Ms2$>7P|Qy@+?FU@)?uu=EeQ0-G)2qp8fiAh*+rQ7;&`)SC^r>kTnF{nj%lr|MMJpmQtMD?3;!@I`5*?-JKvZ0v#g@#vwA%i-TX*(Vaf zlUJ529){jD!IQsAfdMrgW`+4QT>M}zuzh7p_3}(Hky1U7Hwl@;t~v$aWl{e0-I=2I*cuz%0es^prh#PZ7d1fuP!zndTXy?3WQ?LMGML8Ul>zhk}$2 zrtHclI}Ao**wiAMw}67$3GsR;%<_5Hov=-yifU?d$JHRzo_9VT)AOiOv{c+E0*g$ z4w-4TqX6~Oopo;p_*6L+4rlr}A+Q^lO5O31XTM&~?l|Lmq6BaHLQUu=bt&sRh$2fO$qymv#`E1~w-KAGDQIpn+sTfl|N^omb|ME&lGRwY_lnZ_X=l#V|*sJF#GC zzc2=qI#z#8%4rfBA*Pa4j4@p1Vb;5_$bL9%AEiyP*GkI!6*{ijv2$szZNRa9 zCH~2}00Dm5iLJJ}9w=9`v5UlH;@eG~uveU@@pb<6BjsxLIiUPVo7mB_97wqXE+(Gl zHYoKAA{&r8KY6ll>b;(8Ev8&B*4+|#xeei+UV{yfR$)Hd4nc#n?_|qIc>qbnO_66^ z4b1jjAv;oCPwQCw?FLY1RH)?@7}cry@5W$O63hm?!cd&5CjQ(8mF;DF*8;Y$VZ`T; zBAvj|t`GkT)Ap-h_%c)ojkJs=upm#FW$9YLu9&(evrobTU|QQ^g%j~?^m~u=x)TP= ziQ{>Ff0JTA&eE6ruMg)MaKBkJ@h&_A8aEhTD_>PK`P*Qh%%`hzA@Rk)A!g7%Ociqv z8;^*BWMR4mRKI>a+~MhJeK~)AhO6pC9b!N*G;n9BXz^+h410%5QSu7KOI=ZT=>UC> z2(jlTDl1wh6&%3jNQnleACKnGY)n>>rp*DJzHfpVG(pbv5rSuOgtQgE}rL(wcE&f=Q1_FM`KEbKO1EYY8_2}l;8?=X)_<2Hi{^Z zijfzv|NE)hsjCQWkf|-4qr`7-@h@GEw9VRs#p8Y z5K)t(5#5&7a8>AhqDzvN#c?#uYOy_Z>T&S~5T-anDZ>omKn>py)~{$y5094FTkUsc z6mz>?e0XWpVHik~Sv|=uFW_kssnN<{qgoFrPx{$@{wyhPqxybga86kC8&1%SbBNQd zrW;Yom%kL>0?vU+iUn(i_NLFK`+W}QXXhLkc1`IcYAbDi?>Qde&c-+O@jpEuc?omA zd2{>ni{!@L9xl<^jgfq{>OR(&S&50nECQnzdhCik6T4;S$7KdfN$i(0-*xm0&u<)K z(MYP>;vh_)E%ug^=-V!dP|&)C(KP#Qm>=Gw0bgPx?&;^-G?F+jdtAlx)$1+N=6HJk ztcDrcHn24gPG$fQAzhbOSey4)*y%J3QhdBFfGW_li5M8fo)0H9FJH?z->{NGyF{$V zZ0(N@qt5VKxKQx=NWKrw7hQGZ&(Zj%wJIUlcIO?)!MCmHq%FY1LEPOv)h9jq2#u67 zdT03Ru4uV1zsMt@oXcwqX%3 z_iLPf!We#4_WT4XwH5P>K0%h-+9eK#Z-BYdw=KD*`B|&p#|o z1439)EiICRILk+&JIszPT!-%S^7sF{1K4FqqSZrTL-d&%9*de=4Cn_zJhNeH$j1)W^ z?XYSi4RS;d`Be=MRm0v4H@T{`#+ zuK6FMba(;E0mXak+TX6#1ri&<4J@iCBf!i55gYrD4S_{;_cArH312S1_{XA7T7W5- z(ED)uFA{2u^qYF&u~Pe`fAK)(z#^Lsu9mYuqh0^8Ap=G9szCdcWs%@tiz55D`=LH}C_9 za)DQGW&|r<&d_8byiQH)iA)8Nl(p0U#m}VUt`9!XRphx6@;4Cb;=+z`0TrB|EwR zB@w6rv~~7cCQc<)97O{94W_6Y-xObcRyo3^1{LI$T%Yr`F=Ul-<3xJ*yZ;2(0i^fA z#=6@1yH3)O#)Xr1}lwf9nUis?h*x7 z6Y+J6oxk);m-I7k@YtML?N1(=ldCFo>WSqjm5*X_{Ppd=<5Fh?2EeIxEQV{$=|BKZ z?=D-KwrE)67=xQY8CJiSxEAqV0?xed;o#ZEDCNSwb=>dpdrZ%4)9~F_?frUhtnCHc zvf8PBaOANz_;c0^nOdrp!1Et23t;U41pj*-7eg%Be`k$AOLpMW+%etfckcl(73`&6 z|I=ep7M-aY2PI7w3tyH(pt12q6l$>vdu}fjDHc_4O|_YvvdzCYflHRJ?ph($>A=hay+VXPP>eJA>ph2cDw&<`IBa~k&s#3hdaphy&%BCDDE;ZFE}+i~ei zC6Kk=`D}Ar1a3~(ibFo2=3y{#py4;UpdI76jWp+!_Q0yM*rub^WXHh_nNnBefKHrt z{W68*7Ic5zY`4Qe9M4hv1~bCqgcudpZ}0$XMY{m#GA7X~tuWNtwP-VG17K8|P7kIf z3x^?gdWc#lvuMsSkMAN(|9y-ZVHc@(r^ALbBrhjyj-2_)>kkyKYXBtGVHOH0Ofk() z53!Ha)}XWV-ZSOa5wf2cESQx^!5qezyp!itS;JPjO5j?&!OHDB1N$AvsjZYS|)BXA3$JK{vPu_e) zj}_|)v{Vh4VA0$=azZY|x&N-qtK9QF?{?3}6wE!LnSpN0h{~NAc`lp*aQ4Yaz zaal9HCGzC%)3-ro@=J~ryFi6sFBeW*ztWp9Jz1z4#UwG6Ud%aGF_11LHFm6HAc_Rd z`{9np8K+EPA@WRKkDeZuWb6YE(8$*n;^fjT*~Wc6-^HK*(n0J2S7ooes9gD{JVr1sElRrp{Lci!1l zi%#|K-R)nS!5bq$%ObFz&tC8xA$`B$t@i*$hWSX!^QDthqta!*+0SvR+Qt#+QO|D2 zS`TgM$#|Z!>cqYn+)Xg^pOgwe=?glyK4oxf9I73)1y=9h7$TWpaFp=KQ;dxPy;|k-BD&a_~&xSY~+d(Z`1NXvxQF-Vr1Kna5FAzW?P$V3;K+c2;sR`_K+-WtVrE1hy z&{l(b7mK%yI}VDcrI;{k`!Rn3_Uf=XYPD=_7k|a9AiD?Gi1H9%BfYJ1Ox+TBK$(r% zvCqMzRh41jFV#Q?pl9c7q4h&dZ<}|1-TCQClrq9Y(ub~FDaL$tlVTt8V2#O>Wt;uo zupO2@U4uY2aEDuUSv7=9o!k*#Emf<3hzH?+t}Sux-xU}(@kC!P?P?*NS(W3>i&qal zCwG^KE7xv)L@hzLZvsq!w7tJ^pyR4ey$O3inX zYT&9}o6A_{YcTgz)NDdL$FIV6C0QDlEK|?lL}pE;;JL>C93RQ!=|@SFw@6HlDr;0FintCrai+ya#h|}|QtD=;#fLDv9b3I>^ zqqRo`^@}|c$LSNFYSS05fo>b7uiuW{4^NnOZ0N7Gybj|&RgD>MK$kWwCLdqv*{q#6 z<-Jq1x#Z41dCRbTthnIUot^e?n9##5W9~&awFE7Ka1~STTQhLE11%OG}{ zFYOO*CVgBJp7(Wi^K_{);a@+VSTWR?6d1Lv-L=+`63TFW`?Oh0hvL(<>Rq2*9G4abc?l{&5RLm z1m#cH`{y$FFEJk;0fLgqnudkXQFT=EQFSqFd`n<~mIW-JhT4U-ee)f3db`jP=zm_5 z+clyl#R$O+))(kR8#WfKnX2n)l8lDDEo)dUw0m+Y+2&*dHqw@V~!2-Fb_r`Hc3B2F+e=qmD9tc-#c@_B3#>56+a9>Mf%( zqirB5_)Vt(G?k^|S5$2w(!7p>voQIOO01+v>9JaMjmnlt><*wfuwv12ij@6i!80lIicBoc+O* z9n~Wrxcg0c$QSZK{mGLn{DQn+AsIF_(_EM2`J`S*Bjzb=Fd;f#-~?MH6{1M zDRtl6z3#5}&ggy|bY5UU4Hrl_n92UsyQd-tgHd*7G-RHozt&#f7lZCN16Yd}3UMUR-uIU{Y68 z5oKVOII*$|AFGsKTAZleAG6K9uk@;jy#@SKXOu=;HeM?+{-HvyTzLGXSG+Ri^QFu+ zHEvC94+q0d*p`07j12+44bO*jUfr7bO<_0&;J3Kbqr@HEVIEt-Xl(%xMRvtJmI(2z z`7%b~4ptcmI6C9^k$}@&qq@m>ercTlr%d(&GsmHd37!pmi5iw4lvj7IRGSFf7;+QH zYCL!a3(3hcS66~=D_6qn1k&sj@Fi|((NR!cZ^<6meX6uLCa&o}A#*8Sfkj)pN`c%& z^lj2Z^hoK;!d&duG0gRA0)yqzoSBcv4(`UUYdJY_eap*|&hE4bjUry4%iCury0b^t zQ(F4zxyC(H+WN4Mfwo?hyh7{+r<3E{JMP%{W^TpT7afX+ZqW$exaSQ{5>_@AZ<5U? zn|oTtcii#WPnonwQw`ZkN~eRAew4kFV;3S|UY%4s3enZ8VGwFiO&WoQj6RTNNxQD- zDpiC&{4R?b?WV$Z$`hFz-Iv-;^_9J99d>Ty5qDXzH#;Hgj^fte(al3HGtrc4hPbq&k zpFgg*JIpG~X~UQ~PFt^d@(f~@e4__q@`D-5G6G_`w?`9^kOT8nSgNNj;|FhfGX#k|v8#5T8ubFDor}dWoMkV;&?~g>J z!v#W4j3Ky9509Cca+i=kefImAl&dBaqZk3hnS*W3Vsh3MS z=TF}vribZFJu}Zo4j+&NP1k}Q=rp}ao74&092rnfzk(Dqjk+Rxzn57kG<%oGG-IRV zgLUZ@dN~slVwE{!H+mqj&mvMy9WX#=Xw}s^n0!#9l=uFb$FtBUWfN-2UpPFH-y*8I zsZ)CaBKq`@x5Lp4<1IekxO&y(Y5m;lCst*T2BBsRr!xk)_Y7M?xUN-7yZrr<`_VO2yzvNKWs7px8!a1&X>JAGoMe1 zbaK)aH;+*y2-dw(V^pX~F8yhIT5}ET0_h?4CmWhg0A$DxUJzxDQTJ~WXNPXGDd~Mn zKb<1-vuK%ia*R(JpqAlms~b;?9ZzkVT#OhekE8P(0L9S~pc7pB`bf*|@wD#aSIPzZ zcjAv`$r+Yn-&d?OnQYY(XeGQ(6w*$FZB%z3(2%B{+15YXZn>-hdj0#^Xj}&L^~h`hcte`C<&TK%!&iWPd7Bspu}$Uv=ap zpAlkMAvYVmqQt(BM!-v%SZFIPEt{!r4Kgb9 zhS^CfKLZ4JWy;%6c*WNz0E5MopQK$A%BGd4nrf)QCwFb^CK3c-s^blv-r{E98v@qu zjRkVjYa|NhC4E54+1zsn?-;|8EaV`T4LHW~92h-&2CAv!@jFI{Bb{+)g+@=8kd7n8 zyzjWt{&P=+G0jr0$+S%ix^UY@JU==^^Ek^YaMN48yA43|*dqIL?C2;9I5s7*wi`{Q zrM=Oe)ST5LK&%Zu(AaQERvy~YU2^@i((4svL48n|1ToRdg)HhEw-XicjD8IO;^u~I zcP{-HLuE_^g&9^($P_?e010Q%da|9Ut7ibPl5W6=4sNW-j*Dp1)g75lD}K=nf!~ue ziY<@oB=rCuyZJJTX)`}=aIj+9b%%7IB_KMQ14!Y8o^YG=^k_G~=^3_t(9XZQmb<=be0K z@EvowP~2nMhuTW*<^xN$%3M$U#FvXWFxzRVj(dxf*c$NI9Y7`Zh1`UjKbq3TPzKg( ztCqJWg0&}JqMiJ?0(op2dqua_%l1wI=4b1VM?e%=#B(AWRPqY2iDwd-e;f(;rj#L9 zN;JlI4s`180orOruMLomhF8^cPx*rifyF;nW35zoh&8xs`| z0WsIj8>4hAyaN78nnM{Q2e+evS?RP*Z=hU(r2NvUR=(7_v((kVRo2L72w+(52D2%% z&RvW{m4`u;GJq^8o%x%|r^;zz^b$ILS0YV0QOF@l>0x4)`K!H?*y>?@iOfbo)gk$- zh~PcD@XUMJrk2`Hc49dNy3-X-=*!Bnc|dHKYzK)(cExb;IevW?Mt%ae*yH2Ynd|c+ z-)uN|Z$$wc#WJ|&q5*J%`8@@fnZSw+!tPhWHe^-GLC^1~v`Rr~9fP2lJ9>XyflrGoyz?a{S`?;H+A-Kr-3?^H|%xbm=iR?by0Oqru|~g=w;g z^V_Dqq3Pka&t&1NXfj(PdpaIPML_5;!86B_03AF2B`^6_xR~yBcofYOK$~5VoL`=4 z*phSSk={KsbBCZT>C+%$s#e6BD}bTQvG)xUpfUlSlFHRWBDh2CtS+y9QA^p!6A7OK zK-$5fPrt>-J!;UC4;-|6grUmB5=U-nj{C?n7;uza&^&s?+k*|9k)m}l_VxKDp4MPUXBcUx9BY!)#|=wbC5e695Z#yWC}FhO*RY zXx^k$f-_FPWw~3OW|v80@B^WrZp*PZ3HKkL_1S6y^8R7e?6>=}mE;yXiya2UhAd8a z92_&J0yj8~-w@IJU7OQ0>{)8Ts2yqsJPoWlDwcacEUoa!kiQ7~rde0P`{kOK?4M|! z0`mV9Puy2Zp{OGE0=I6Kgu@RxhEWB{ED&}PWD2f^7>192nhE#t4 z6wQcIl*elm@KdvJFJ5|1rdaAq{!`SwZ7-PD_h*z;Wx%<=nS26|$#a@Bt-zNoT$~&V z-La1liU*kvBO)+>8h};}47aRp(Xsfq9u=d7SyZYc!=P8RK02-R#GN%@9yYm`p|i5k znRXs0htBzq$mI-t=hYvO#}T!QKtfq^74YEexcu&HZw|wVSvfzV6ULnJLL((4*Pe4f zhGXl`;u0|t22m@9#;$u~V{we2Wq^dhfiw1RjGSip49w9*_=Z+ zu3RK$rrxzGdRp-w>Q2FY-~fvoF>TF|D}UNIRiL~=@ve-pYV9XS0v&>)$60#c!trlTN`N-0&Z0No!U0bAr!In@cUy+~tZ%Df zO+pfY(+!qBuSJ+au4oifLnhQU@5kzydUb$Jo5Xx0B-1??LrY3w)zYCfknt~UTGWSC z+>}|0d{j|VXLZ16hQ5H3iBBQ+>(wfXZfc?)AdWMFwbp|OcloUb`ifp6O9+~xMT8Qw z{LWE&up-1*%*RwQ55K7_^Y}N<5-Fk3N_4y!qgo#O`kMwzE=aR4TF={GEPyCdR)dtD zh0Q)u*eQ)!>Oo(!fQ{z(G!lxl2fZ>>`)M)DOj0tHQ6Gr|RD*KkevByY75+5kAwLFK zXYOdi0rVQk5yX3n6P~#!a)5EEgxX{C5OS#8IWFCCj34Hf&#&+^PusFTDb8ICO1IxI zvd1<P;$|B-wNsc zr5=7O;xrReU{5I1i#@2F`>GrM@$lZhVQJQjHn{%*|GY{3RYnS@*D%=r>3LCjKG1Eh zGXBuN1P9vbQP6tMhaY6og|tl(rORCa(nYNU_R}+bm+>f~^Sj0eNmBu#Pn0rh5?F2B z)~?e0m5ZU85r*B1Aq>!lp&r=u0?gWSsO7dYl##o@vcbw5A`e$a^{kT>0Z|X2!YoS2 zjh0fd0JO2qy&~KrexAMDweQII&VWG%Jf@GjF5+4|Bmy(0Q>-i6a8dSUu-ZI4iQ%&!x+0SOI3+x!?qYUjYCLGvE z-C>*>KeXK_(9K#Pi=Cj7@q}qW!@PbW49@94Z3OBPQLZR%^^ect{xlLu*Hk_Gs>)_s zMa7PUE?EAKJv+K(@=x<0_sXPASj+vzB0jvCYszU<=hl9neoC@dD4wSoZfLni_7&t`L-b-iDr>UH}nCVfoc<`9e~UtVlA|ndf_5 zoMCVc2k2-PG|$Ka8%vTWW;bH;TnH=(mtmL2Kiwm*Wp1Iv09`Zk%V|^7^lk`(=mHJ;Ffe(=G#2r-#{^7v? z=ez_i18e#h9=L}6!)*0L>Ea$CCwe0@k4cNt(o!B|xBV=1%wf8Q8|lJrJ(Ly9AnswW z4F|IJOlJhc?9WfvOn}rrbA(LaLJUC-Yuwf~RfNzkn0n;#-h2b745)H&NwFQ-*~?7=V`fGEfGn<}di+(u)}viOgUq+nn!Szjc%0k3rFko{PE2pKYrd@5p_( zMjTyIHFE)CpPB+gwCkI-_LGaiv=p?b&ZB($tJJ7U%(V z;6i55o50IktuVfO!I8NGGivaWQ*}EyiO&}LQRH3G#jW$&dH-oZ75Z!XV#J7y>DdI( zgbZA8;{XT3-J4PGtFVOQx9FkXVy_ak8;|vc5!szG&|t(R%G^xY<4CoSpB0>3mn?YG z_v7h>O2Gf~nbh*d?34z)S{<0tnOR5=Ic|Q}O<4<2_T^vH{@(|k6afhD`f_W4RDDjZ z4Up<(6h*W?Y=BVUVUhe#1Q5jQ0YUO{Kaj>ZBblWzF9CT2tQHs}bqCssZkAhN5HT&Z zJ0K?jWEO*f`nLzD5}-LP8o6B)fWo4HWcC`MW&YY65(_6l6gJmR-W~fy&8dAlOSoFte&V&&)6~ijgum~H=C)LStg|XA(9vWk z>0^t#7+7SR8jY681^ic`_{a-v2-(Hu7}l^al-^54&DOhGbt7}lwFuSIr}Cq}*xug< z^6SyM@wH4{eUcs)8kQT_PFGPmuuN==c7|%#MIoE8&%l|F$#HNSP_!-jl&3RL0(x z-VZnA3Vson7P#|H(RcnRE%0~aSP$DXHSFCnNw-tCEvNbBrX0Mgdyz#-8d>Em#4Z7( zF${^#Lg!f3eH8?74z{D{aGMiwxIlo$Mg#%<;T9 zNjoktrnSaRzqjed-lk}8bjnK69@mQ4WPIK3P?MSMkiRT348EQE-~Jpf?Lu8%pK`hd zcb%-X@VeX`EJB?!oIIIXK+0uA9TdrCO+7e3r(8YFZ{kBJRG!HDp5`N5OqQsAQEry4 zkSonN^ai+0da==K&v)=ybJJ<5^e!;YUWL(VI9UwmJ(xXdH?j+Izk1{LLIZ?!elwqN z4kej4k+sJp<=;r*#`)ogHg%&>qo;E>adr-L;~9~jtcJ^jE9kaHO(|diKZXC!0Wiu8 z1upkWi6%l8A*`o?Guz2}F?GQNrEkKx>HyjC3+9bluC=Mc24o)B5Pr?A$gpZulFT2FAaW~+4Zv8asHGnjr`6H&tEb#of9DEb# zD6&i!AK2$ZFQ$|mWJ&f~t>|It=rUNd=|}F-GHIVDquP=S!b{P z58V4B&(m~|IYx~!YgB#fQkEL48FhJ~p*Es1frrIj1`Fz2IZ z?;c5jVoo0B1gfbU8I8r2qO7t_{Pfr;N=3f&n*S9fYoLpLIauDuQL>ssU{q2-mxCX^ zoX{YOI@+{k6MT+OtacQy(){Jlwz_zZlt8K8-kYdZKldCQ{u70e;HLru2HIjyg3i~U z!^lK>u{^1H=LAX_z=dHfrvoyXLVaf@)C zKHgE=IT~=5M2k91ZEFSxLN1x=l9hQPP91qXH?qvlIs)`_RmYqssk>R4T}`>+I%FYu z{p)Beve)(9eoJp!+~W@jMpd1<4rUJ|XSad0r27jRxnDOG^R8!PYF#=N1t$d51!wQ; z2B)rWN@c&r7sT}+(i$3bS!OruyqhONng1xkxpKfw`sxEwf$SJgKKI zbbji}S#-9{uHVjZH%eH}`I7?EosG&*=$*auh?`Izo*e{vcIn6dNSSMDOy}jdA$t;b z9w)T_xM=a%xA(q;V(ahT6~GOsSCU?X&gZl(D`}`u<0IRN;pplM%!@=fS{L*5^**Hc zf&wc@>pqCSc4b#9?hB|4Ln!yM*0jGQgeDcMiIZVM+Hnr8g;|p(OV5w;ayk zNk}s^a8`eNh8&sg|8QMxb;f7+o7bN;gv1KD=vJ#D+ococj_YSqy8e{t^YRPZ#|LBk zrGY+#RL1By?_?y7OdbE?p5;0K3Odsd>6y4F;7*hq2z zUR{m^kapQ06GCRVAg7{>Fx79e4VZCtNxRMQpC|9ln9rDIQz%-ZFMhjZa)u@y^u@-K zrbvHYJe7lKmz|bvc;@W)5>uyPZ|APGWg*`*$zJ;LKEH3=v>umOoX>N$Mc4;IaCH%~ zX%JU%r{!AKbSLw%|B6g$Y~tVjyJAtmVWZdMybW!UkEN4(5$K1}MNeFuqlfmicR5TqX`X~*~EQnU9iYY630hEokvPU&B@ood; zLmOCBdEz_6KPKObhf|f}0`ESh-mAT4%xFb$mVujRsWHv{@TD>vA?Ntu)JA_(0p?z8 z@_ZmSXBE&z9JK09cMv2rbgui{PV&tKq}u)|O<8dhz$q=z0@MjW*+ZhEA#zg zWYl)Eq!^xFo^82w$3@$z;TI+M+Y9b+CuD>3#6E;{QDmGGdt~>!GSdzKy!9 zsmnkJS7$Hc;PlG*Ez`8Q)RC3WrA>!xgF;81`DYJ1E5Y=Mp(gU-zu)&PWB}J+hd!J5Vkp%No+FaIT7u+Fn?}lF@Uh`d&%Nz$A@s zKF?d+{+Q^6ULz_|oOhae(6C#k-t?~Cy>hEF&Da#NXN#Y-LFH#OKk zY3pQ@3V-Nqa8N8Y$V?7|-b^3wW-)WxC1NqayxM^z)j75!5dKycqZUxzmx1;(;@|h% zyrUkO6|8z|V8K@mBT_8hnFmU|d<0HMIQU)=N#CL^E{r?*3A=gAhndC|aSGtwnjD=U+tz*+jFCT`LV7-tg-I%=!t$d-Bn3Wj1Ja(jkV1%JhB9kaMg0EZqqU% z!yIdh3cU8>(9>VrkaY>>cQI%I*(fnmU}C`*6mMzT@#HbQU|Hn_!Ep6ZC6V!iH=6A- zM!|VqSy*nN*XB@FbOmIF8GXGrvzW>V9TH182jpMRs2ld!7nATp`W0&yEf-L}nw3)7 z=jNHTKS{G@5=_6MM)Zo!lx)W!G;&*%Z8p9ysP?PLmeE_#_(RSNm$jq;+YHCOiA}od^ysVe^cqmoZK;yMG=n(xOPUN-F)b4jv$ucL_Bzsc{ zL69EEGb>C07UlS6|30qFy6TEsdc`)P#TYut@k_}4jBL<#oO+)XfOo8D&X~VoxFB61 zG~k}p-?`R2sN?ptyU+^vq|lm;b%>cQIpnrXs3ORIAg_Nkm|L+_X%E?&-)M_g93;p1 zpBD!>gi(2*1_?v+H;Pc=TVD{aQ1aOg~c;x;DkfY#hjUoiP^c z{$!h7wSf^@S}2Z21D$&!{Hz3uej{jari}BwhDNj2=~Hcza`f2cuY%;M793Ibyv%{@ zlaZ@x!R?1xaeJr5)%<9QicGLfAIj%bauc*a)|o0VK0?4W&rbFgP1LkBkxgv{k8Stc zNs=sY15!WeHdE8{R;>J~x19C~6l>&Xx%CD+(xq|%8ceSWOPk?mg2J}RRu{y!*0dF% zP9@HqM^=$|mFWn#ja-^3RVKCLUf!K=sd=V6ApPVrz7%tBQxBR7HZtSrxpU(V)8=nA zUFS8@k4>1jTIF%(S9IAIYq9^n6!H@PT8b$eHE_jO1ddm$H9(U55ygKl3d>>v07VEf z5`CrR5{qh~Ip*2wt*sZ@C+jbrM!CVCm|8q~5^M!@klFp{KGcA>UE<(AE^7M2<#H4Vy0gSGij3c)){P$m8xG#ur#=8 z(md_;t@LJgxhAkzPTs16WSR4gBYGQd-007*lpWkUM7ym33-%qOf~;}y(lS1?USW{7 z@7@0lCIl2QiHK2$lvxLPVw?qk3Dd!xqiPD|Z%l-T|Av1gPhj;aCyBl>f}(B?bphO$ z)N(v&w3CSR%C_BY0VQZX;C*XWi{<1A&Ydb1^IJ}Q{I=bq^xEZ}*&2r8D!7J5RUCPk ze3k%TDYqt^0{l1$$LA{zVkybkwVae;D4pBqRuvIN>R`)cK$P?&HrO?teTEyvxb-MC{L=Jd<1 zN&_B9R=7~!OoZia=g5Z#yV@$vQ98O-HHnyU-kjH74UzZ$ehrA7{2@wR|AJzW%WypV$iB)JH{k-9 zW?f*KZ*9gBf7cEgc(eR#l98sb9m%S1XwQx18H^}|a2c0R)e8B$zzItbsX&jF% z!}(;lHKFU%W6sDA%fhvnkJdrIx#6s4ONuN#Q4PIqPssDhBl5tNx%DweDD4-@Hnrn+ z`F3D26_ypp{$%-(RV*5mpCCr-NGe!?ct>D6p{TIQ0}LZD2p&GHO$$%K2?bCuP5KHei( z=jAik2{!`O((m*Yz3(6cG+a&^AnoGw%jzRsg(~H4(?(Bgi6kxE7N( zWA*Tg;0|(fxBQNwb^G82qt;~_Rvt9Mi|*~)pi>0^Y5>Uh6#c0cIg`S%els2wbU}v_ z8S`0G@WG=zjbeNq+{8AB?#C_oXAOWJ4~K%yNTj|cjzAi40@y4jaxB^lyxDY!(__D* z#3hBvht93~*uh z8b^a(&DIS5xH8(}Mzz~v9x=ymoI%%#?7x0YOzJB z+sz)qs*0PoX1T|*2~uc_7DgBK;l90EuAxBfz5k55rbHb9Zyob98yqH0aw|dHL@J8f{2NhAB_;f7ey;v+?A%~uBL5^)`0LT>(0fu za#M#Zm1NnCq8BR5Z=2B3btT&#LLcmO`8OAn`-y8|r39(W5dG7cC_@zzK`$3h-Ejk$ z5n_AG7WXlpt=i9E-&?~$;0?xTe40@<=gf3*`J!rs27Ax3f0psAJ;Tdpc&NW+Tg>`{ zV4V#hc_Z69gt&psUoc}`mouMx8pZ2gn8A5tC2rJR)(H}|8l*H1_OVrEC@wv^eYw?> zesF?*Ci|afBRrDTlTRR{IfBBCU*8bGurDUcNoF)iK&QCtkfzRcx;^ebE^r!2i7GZ& zAtoV86BW;H4Pk2XIQ}D6M$|4KMCGfZq;D^?c+98P+%H_Mzd!dg6s0VN2szbOM0?ow zh^^dzjBopj-OL7#g=rcT=nUY~lsOpt?kHb!8U zDpRkkqqT$R_XkHoV~ZL%jS9$C_CMA_%Qf(+e(#QvYAy#YnkrLB(CvE_3c>!K(ym4ArKpp71Fh-6+PW= zCxlFU2y@dn`COk=|MDMtdl$N4ahcj+ycK}}1vER3q`LG53B1*v!+`W;K=XLTb!i}) zJl$Q`P25|daG5qYD^_X3{nlPl%U};w0h;rVw>gpdwxrid%{;B8WJ$Eo`u3x(EOxrh zSHso`dF{4y%^!*`k%)Tpmr(F-iLGpO>E$b#On^xTfjWyqFZX?l$BktAQQ@iy# zzX4fsf>wIi-@_sk8%V_B)XvfbbQ2zU++QsbTQE-M4_fe*7OFpqLq>DH)CBUr@~AM1 zLr}x8*xA=2Lz`R#S+?_~x#EnTMf^V3w5q8Hms#Sr^!1Kv&EZ#{Y&ldukP>r$?UHjb;b1gX_2R0fAdph#>dgW zdZl!beyfd&cbn&H@d#zuf2tia+1Y6-Ua1U>;%BWe$wq|DR*ich8mL2g*8?6Met$~- zw3l_He>>OWYJH`1I8Bp*&(;BmRqu&0);cs+&j6@p3?6bWg6k)cNOiQfKY&Wi_l8w8 z`NZnaihM&wwsN%(wI+vRx)vOlbhSY>oy4{)3ql{jIv*};^?C)#FF-W`HX^#Gwo2M7 z>Y%_A(nZNxsmsm=ja5E++#Js}(%s)6xzs-c^;7Kha~1bHO@%ERNsRQl-fEZO;Y>hL zmxf`?LAp`d{Z1Nnlz2SkaDcMw@X_Q2Mp~lFgPX6sH51mNnW`4WL;IBb(k#UAQd;Gm z@>1DT>8NI|iE^CEtmHVM{+nj#b>6N@%WKR5wH*#U%?fkfH}l(7nN`jhox4}g)KTU@ zAT!7~PPdUj_D(PEw~Z{3evDHD9z*WVN?xc(Xzcl-=%t z!9U*>pVSGB5*L?OCI zI*KM;b1dEXk&tX==oW4LiIP6I10m#@{V~iyt$GsWWiS7lDq`BeO1MTusfRIDIi-** z<{EF0z|0H9Bf1||tNs?a`6g3W$ZnWH)$M_<00b_@a2F&W$54}p6#fvmEH~Sc0H+No z6Wf=fNx4dw`4$sh?5wa%BK$6|@fc(R=}2(nC|cb2?&BHP3WF=~v;aBOY3p>yOd!3c zrnbyT0Xb$A>eacAT#I>7SY<_=yYv#uyfdU`NPK*&fbgx14NxogUM>B+#B>x0zECt| zDY5ZoUDc7%t)-|varM9_v;wE+=@aLQ49EOaclUGm^ZuIQ_Z65UZ-LNQL51qHS4kJ) zlC$)q#%{~*JV6$1%LDhS9ZbrLWqxy0Zm}S6|6m000fZYjb26)ZLC59t>z+Bc0(Td# zdeY3;Tq_UnafFGOV~D76#L+Juu7DFGi+ODh+!F?&?;EP2_@DO!fct7Osis(-aH_Ie zoDgU2iyU=M*u4Mw4Y{Jsgy*2>2(OSnyfvn(^Fp>!StRR8PnY~TEYDK=-*(d3@b^2zRff0#agInyvo=$!Gfkwvku5&g&(Cs zZ^GRbx4<+4&%WX2{R{`KOI4w>s`1BdYTa8J|KD#$551ll!26Sj6}ie`lv_W#?L`&% zLJgklOYe5vJr&SsPIIY5kj;RQzUtiI%iu5E5J*AJA&$EqYE6}O(e#E>U69;e2fI?) z%gAWaMvN(*St@6XU20vvVbR8SC54YwQZQ|@PV>^WTL5a6Z+DXLc5GIK#jg#Jf;Sv? z$e*4chV+x?|CgfS|7P=l17{28<@+4m@$6ukH-GA^kxJ!OpAu5*dpp%=%Np~2YYtW# zBKplyKxHXqr%rhrP!A=M8POv45=cxLY7X|6sDh?i8tM2n#QvvGX8}cUxt;-6v2BL| znR+l#i|rSzGIE9UNnZ$8gsSOFOWm`IgFRxV<|dC$?`nYEcCB8&AHmuo^^Tg7`0pXZ zv_v4C{MogcPa8NDbNG?Pl3n;)jQhii$Ldy#af(^sUGL2YrZEslw%^M%SWUWFr2^Ze-9zYgvHHWvY(S-Nu0M(U&@N7VHE-z5_*XU*S`nx|J!foXk!36lceO#`2Qr2Q2}%# z33+`j|M=_x2ZZU#8i$9+r2msVh8~DV%1j#T|C_1)YeFoNp0p*KX4?h-Y1sI{mABBM zhUI^r-T(dJ(Kuy+&y1ebI#2zFVJn3L#;H=TMfBIt|F^mM%MQ{CpA6V@p3m|>44Y0O zN1dLLC)pJSh3WwcgiIlIY)YZMX!7?OC%a9yi;yP`hrRpFnPrpz<3k*9^Y{;6X5j-2 zeT%f-VzTEPkbq?*EVLnbT3_hP;hNaZU?CptywG&~7gn(XMCup9q=wfk!ZfUgLE0_vx@ zW}0LJFH3N{W^=OCAaR4tzt^JwA43(HenHpC_whw7nn~eK!jrP)iDV6sVzs777Fc?~ z?X$q-_y|&~_Y9R_6vG<6zmaSKh{T#1Y_jKF#s38Q63N*@vH&y~vH-8*Rg>8;VUzue zkg%lwmqeWeDF9#Le&@mXB(eec>r4$85Jlx2fKFle^DA!0N9rE{=PJ{9U+o{@Re%v^ z0ETW_c~NUN>@%Do!_tOFzu08&4kYQz3rHLP)5d1N&l#>7kx=F_OiTj!b@6f~_%$Q@ z07L@jbq-ZOfmnrrTU=prO(y@i>;YS}K=+U>_tEssPFf(=5iBfgO*?h_8{uwtJK#{C20JqTX z@bPRnsVXaTPS$h!M#k%4#3|*=XR-+{OCkBkog)9l*^2M{DSwNkn8CZ2<$Iz1FG2z# ztxOsw8TSaSe51`gUZxLF@V}(4sh>F0m#kCIq*YC&6NdiJhVBFi;RdOD@6vGR0MH-+ zW=J}`ko`vBx;s-OPxizO*?9?6mQ%=60umr*y&n_%^L4ao14#e8>92wH+nD~OEswtU zyLnnZTWINNi|7LqXrU5g#Z>^6Vh3p2?Ev_^8~5}-J}eqOzJ;;_mWD`9Khi>z{h>~M zvA?x-8v*nGdI$g4k*rh-yjo-kOzukwc4n)x?Ng@!Y3olDH8F{xsTgAR9%h~TUrz*) zZ!q>3|9I8}`~XgxA80Gq3OPXike|{GutPo$_&r&=U%KJKoLz*~9^F18(kLQ&;o}AeE|#R4CBMr)`M6+XNgAg~1n5 zg?ZiE;`8m^P3Zt!UANh(@VzTEA$zG%mdO47d^Sw|>hBku|2i3{K){1LO;zU*A}Iit z;kGxoc5}A7{v_;uB8Vrb4XSHY=xhQyI(hdeG&fM#)e10PwsjJ(|9JsE0Pld;7&KPu zMu5b`uiDdfOVk3m`4Lxm-NGnvJ_jbe^)~IuYu)w0!*|)J%3j+E|(o8O-)Ur zC9Ee5Wzo!yX!oVk)4>dIS8zH$W}9dGHo|}*owWn<8z4D~z3v&DYDMmNwAy`?IQ|a# zN#Ay+Y4vF@L8VXYpFngL9l&tk&2|7s^pkjy?=TQx{J*~s0g5FBd>PP9Ua-4qYuRmY zmJU?*a{jaNqH%Tr%Rj=!3t)DoHS@qgx3DY?!Dgua!70E2(FX!Q#^Xk)#r6j*8UIK_ z6WRSgO+hNysp-%%ECYa2mDxiTeR}}P;BD@8x%W?`f8c=6L)O7>r(ygLUI&oHQUi_w zj`pJr?*H%@_)jD~4@Ss8+YDU5X9nOisRkYjWdFDs;E}?gKzeNi*8gEhA{+#OBP7Qv z0QygkP#<6p^vlr4I(G`YBz&_)VPf_`62ulGgh5C2XH0R(28NxFs>-4`N^wk%Aw)Px zZ^MhfJ`Q*NS-H#IN{?Ap#qt9;g*Qe>kza7x5I%OH5ySuc zKa9d&uYMWA&h&V`_>Z6Yum9eO`GUxBU*q)ufAiDC{(oRLjylNs?Eup#$3&ofyc#gS z`~Gmz)H!P4e}B&4``Cpl#C8jyP#3}HUI4u$@@3kU z2fbHrm#;mR{ciW?pML$v<~qi!qle2*{|lf^N9FEu=i~k1JiysC?qQXOjC} zt;y4_c&taw8$RC5ZXQ&7nhi9+XFE{nufj4jd<{x?k+kmi}bq_;?He8 z_HLKmC-fff5B-I2fj$(A+WSu!@A+3@FQ+!1s1dWNDqC?B7h#}6VU%F)X~6B| z6>NPmK&uaq1c#Rmys>mK?B?bJuRmK~LqDY601aXUTTIZV0l0~i!NUm0c!sEE0VvDM z>H-+&=%G9xAGA3C^8ls4k7}Q;eLGj{S}0kOT2q|a<=#Ap_qaEFr6}I+=y{rF0^~Qs|x#^J#~U`KJYIK=>mH1B+g6I zW`bQvwLO5hY83=7=|>YN!)Zu>ZtTW{oSy{#4O{w?ug?+KTwr())vTk<^607FgF~9w zeSK8}IPA(~>^Wo}uwSf)yknTQuP`%%y0XC8Y#YZ?(xtO`ADtH0}m+w{w2aufSiXD6P zKc@+B7qWwq*_eENFm>W2>+j#0E4Y`3MD z)%|U;M-MtJXVU{y?>gJGR=kr0LrVl6jWsd0VPe{3a~AD8RkNp zn|g0Vg@Es+KbekNj8)I4Q#%6lY<6MATMk4o|N;~R!vFDew0#w?Jwh%^Q(cs36IaDZlKYl4nGGxe9FV%1bDML2-|VnV#C%T8_U?RFnPJ}2HyJ(yyuSTZ@S9lZ+B*>iP5V2i)c4y z0GrepTJXFF&}ga0O;F3pmgUm*^#{riIYoPOEHLxQ#yQb5_k;O=S@>8XS2?x4 zTeenTDyv@TxZi!K#-_!g9NyR^z?3pLpOTPmQ`GD9WIqHipu6y$Df?k6QY3CF>n2zj zREfl*W#nfs^uHe8Ma0IB<{cz{?&}Fap3+ZM7H{yC_Y{f*C?{!F2dzn0(ZMscxxAO=znh(FPx{POaMBF9 zL(xXbWU_6g^W1r)Z8BSErG1T_(Sl$Bgtdd(5^`}{X}J@Fg=C~a!WIC+%q1C`Cb9_S z`*zVxVJYRSTm&or5tqDj6aHaKE6V3&BBoLktc>adr^hGB3YW|xBzw>GqAkl0=Prb0 zE(2H5y3bn6g7qv(WpVf&#SKrAA;`o8tM~b;L?or&!j|MUlj|$-H=>u_hU=t~5ThZo z`Yif8Qa`x%p2L!`50qCFl*GAjsPh*vj#oB%I?M3+#`P%iZj+7=Gib6a`7tA z37!EyJ*}c_$_J9@;n)5tZ_XqgHZwX9D=9ZoRZYFmGS}5~G4DV_s!);T@8D(4 ztY?C+8B@1MrCuqnu}-KME}E6Hn&94HwOI}I&|lSMCHL`gn7w4NM$*87M^%G--dhW! zv~z8PqyY^9lqSS~%#<#kGw~qMVbXDZzwwh5A)n=q1UiYe^;bVP=R5ZWn()}*=K|a` z=F%01C$T13p-pd8!!x==_a#@&14yVfoiHfVO=mrJ+2M5Q88I>tFwnh{jB|{9s&v+t zB-ZBxcpPM5b5B4qtdD%*9L{*(RtE?)^=fh}?R{aobx+-dfLzonmmkpn@3+r@Gk6$R zzz=Ye2nl8YiLk>1=kNR&A^!D5N6Vf$exQ^rZJ4eDpm*7(nJwA7nm*^kXSW*zFz{F| z{lv=sPmYyqce4an3wAYDHEMK0~bXu7**wr zkQfN4{B==f{wQl#QCq~?d3WMTwfDqU;XV@UFp1{--0wrDI4P73w1J5VYTiezC5H1c zr*(Zx=?YekVt-EVwm*Taxe)$^%6B!9-Uy2srfL-75!3dkbUo%2i1hO+Y)jra0xb|m z{Xw+ACE9KMrwRp`XAX~tE)wDT&FknVC+bv<5yp<^9JIa;l)Tz!95}YiXE6X5X2Q;nz1ra| z*d>tkO3ic{qIU+NV%0_~@b4CAS3ZaFbFN8_o+By-4t$zO#)E~`G}_Xo4z18t-O0&X7*IJA|W4>!wXwb%)J zmy~H~R;_Z!W=w&dGjSpJI857VrIZQQ7v#XT^@hq}Lgg^tJAJEL`UixEoVKMWcf5gdMok z7+f`(5z09eaB|>ty@4M}y&$!fIateQnUC*0jcvu_k-VI~9UCVk_luK2C-oOB1&I}S z=VV}EC%g(W3a_Ci`d`XU=xoEdN>h^D!mU$tx5KShY74utP5Qe-1Mp8{A?OBAS{cU? z%ZHjy!1td5Tp$ zKY8P!Zz^~?QU%1c57U9N$kEb{$2gVj+aoo zEj;wRae=UmS}|3;0Thco;c0U)!?%@jdo(UlP*R&IB!6rM-m-5nT~jLuK~Yr~-8})b zf@J;VLQ4;V6O$omiBq+8_Nr^w>8^>+3-3Ju5PSzNM|rV-&`d8mSCVo@^5RMT=_-8# zJxb!fy^9bXxD|86Fn+6KPuF?J;wuslss?}Sj!vYTy=;)?&CJIfGq?eECOXruEOB6j z2bS6hZvWd>z1KCcM39uymtD$mq4!C--{R^FYx*2EW2m;Btts&&QhydJQ72@s@rALq zo|V0CKmB8xn(St#sy440pue?r>#h zn~^GF`HgBh2BYeqkm&@?_N;5KuOd{L?fr7k`ZM{ni6Ftf1ao73ns31TX1_$|PG>t= zXv!S&%KED?gtz|X=?I^1d8SnbrR&@qMlIM87Qk;>mo0YMacnAr$EQ=#X+8;4`cP7$SlL;sG78(ig zhd}LqO-wZ1?pW7j$=7_MKa;3bChQpZ5*y1^?ScKOL-P!8n`WQZ*csZLwYWxw!nd**`>gX|@ zq0v~L|1UKc|1;AaY*LY`DJpU1`R=)-Pxs)seSXc1n3_JT!RZ~@37*bgzpv+AI$c{K z2dhnmIgVhi3oY@+=?i?rkIWArg{=m~ps#DTUdM8|U>8AAQN30lfjFX^DBzsa?_kkI z)Ka2nD><&R*wC}0zkvgHyeo#d1!y1!jV8+ zS={Z!Hqg(Z?$#VJy$2M9rasf}u?Y zN()FF5WMJxGzwBuk`-_rb#x}+&ATqJocJao~IT(e#i^MxRY3Es}$lHu(ZG=oG zf#^QSa;q>)js<9LUE+7HuQ|X$l={6hZ_HA&!q&+5XJ)^zvsL% zI4$;4c3xld{}qTf=lo3*o?ZhSA@HFHC&$24q%ibAJ!si#P_Pf!!tZyK zrJ@und#AUJ=7|^+Q*eEQ!XEqheYI@pMb5mCK)}h->rKgB;W#@e)GC5o2c0c!~ z4$^#H^cg|tFZYJ`XjujDiD~P~2GZF%?;+$Kh2L^I?AWB(r?><^T;^q(X$cR#X<8se zj3+%w@R}euo+j>;-of3u-~IR!!798r;J53;Z0!Eo2eS*Mr(L2UOUO{$hT$q#noAjJ zIco-l2(@Cmx^1I@u7sKrNJbr2tNGPu>R?7U6J3oE_E2Z8$Y+>%FI529%sGEAXR+`f@6M&Ia76P-<-VQJFSnR5pU4R^R28u7NC(j?3uA{$wIDK9 zuEE9p6xe`%`Bib*+P7f-qkO2BXU7Ay+{a=uUh<`Ohrz=*@@M(GIQ#AIT?Po!5OxOI1OEKIzSGb{}O<<*%azFtWr1k!aP%!&_X%pVzX=a}C4~ zNqKm%q=->Y_{-e+hVMxYG^xWtNj9^`#aZk>pB$Urh>L)gBW`Z{4G)&tBSq%dGqL-Y zo&8tu>Z953qD~r2b1%&HJhASLY!+F7_*9oD5IW`i+9x(Pcm5M*@p^5QnNQ(OOiVA1 z2zuA6?#da5y&6RIOjBM{G39>vzIckJ3g4fCC(o@Nwd@ismK;}R*_1!UsPbhjpLl>~#7V-G@)d?*c30eCJ_*Xy9Q*DY(lNw#H!d=R#WI;nR(FN2(f1Yi1G!o~ z8d0s_?osT)6k$wDp;aB3aAhl_q#?}aN)&mrPUWC{d^9yw#^@3~suD1dg?zTns(5E% zL3c_Q`w0}*L#!BW*R7YGp%j^)wJ?wid%HjjM|pr3o<(fLQTB*si_O-fRdH>FW= zQ2yTkBe@`)5h5UnBVcSWPm>9rXfOJg4-uVvLN3VzA6P;^QzLs)S3zFrzj|xA&g(tZQH z5cE{}zqRpt1zzl40>P2VHVy0+bMjJgzM-GWv#hfUg6H5L4Qs`1s#veyF$i0GBY&Op z9TZubI0}B&q7XV!h{B$8i-)zNQ!&ySS^aV&N8K*Hy=>^qizYqc+(#76l$dlsYjw$BSad#* zo>?!pW_mI(=XDZi+fqNaBKc%?gpWpV5U`7FeijT7;G4dl|HNCjj)f`>%_yBpVbl(T zQy@~uU#D@-RhawHv6FwG(#^J8r;04Wg!ut;TqRb-9SnM(D7&r_(!PN&Gi+@1r&`?% zfmCvLJx1t{MM_=*$TrFEw8MK@w-SRb+E2)3h%yvIQ7ge9H3!3c_uSg3s$UaYuSRR= zrFbhZC=*et<}7%HXeOh`VmVPB^RE2I85RWtc|-g1htthSLGs%8*(dF zWx>iAXHJT@bIIdMb~dEI`;Z(9uV`iMo50J&3v_-+(k9d)07YgDX;bj*)h0S%JY9Ae zom;JFGWNW`RB1iy<0)j{#rq7s0m9!9?FhrNyMSn!G2JcY0fRX8g#r3)RmgM7X@zW4 zYgojP=qOJ}r*h1Ras|)Wbu>oR``!3CpWY@0V{G0Y@#}nwvkIWGNh|Tu;q=FB0ae$k zk~0m}tkNJ{ZLNqfC{1cd^dr9a4DHQHa6PtPSv>3JX!9Mv@J^-g&<3=`SAJF{T_LWq zRqg~ewFMA@xx$y#ckUj>QDkkA-RN#|H>%K=*vPnkNn4-1wv87r^n;$))QZEto>piH zH<)@yzKZ5g_O)e)C^CD>2-iQ4@FRDReDD5bDXt9T6jmm5_m`XYTxOr_1WYRBXP)=h z@4f@BA2v_9fv6O@jzEVkM7vK{>o!}6VJ|a*#0RC)#vs1>P6O9VpEkwx=C$?_)kqou zqM;Y{YpSxK9-H98R>6SWI{P>WXUFbGhbZyQlgjb4IZbOj8+OlRmmt&>m3U0QW4QWP zFmAMJaE#e0|8wm|fklJ>>X$9fiud_C)e@Q9 zxuRuMDTn?*TqAtN@epYsEfPV4-HDhzlHOIN8h=b0k=FriL`7U;7W+)*3vaT;Gd|)H ze5vqTuILtpn?}@_3BN4_6FEMHrA87DXq%L!cWVC&ExEN>s9pd>MzKsn z*Rfy}&oERtdhL6|RRh2O;+D22f(dIy1Mw+%J>@*;cPCKUGkg5X<7HJ@(Bo=x{>nxx z5H;G;XW~mPI^to_9Jw0h-%OXPF3NnnT%Tjh4zQS+h4CX zw@WFD&h0J^*;82J??gdQK&Gt|a-m>xl4ZoP8u~!c_@6{;JwQ1SIu^EoSx5z_zYz7z zwDym8P|_P8&PcY2=aoy{838*2-g1E;%oz@=VO1Ahh-pD1meqH2<$;n~!F{6jw4Smag8MW{Z;R)1w6$xEmF$D^?K^-DH&{x&RzZYsX@ zNDc^n9^J?uLbxW$aVct~Rf5jLQ`EbEwe#`ewyw3=x+ibwGjxNgA^)SspvZ?~Omm}j zMCnDPb<(t#(1LE_wdefX_k;1w-R0eSgE~lTDU1S>C=5tbP>FvIAP5MAt z^wKeBN})i-a3_qE5&A279afAI1U*^0{yXP{&dMEyE( z=iNcflXdYyuD&=H)Kd;~X6=}~95{kaX83Fa zl79(r^19vU7>4W_MXdlTuX)YVlgvP=4eR_v_B&=MB!{+zaAhdyu!mBd#|ThDe!*~6 z82}JyY0x#_wk>>qG=rhJR8U41u5YR9%QA2ILY_@o)y)z+I0oC#Btgkz-pO|(GgSic zO9a|%G@?W`6m*7DtPOTE*{Xh(*W9;0m_@^H{i~0Agp3ug$390N7LR4L8X~&eMDIL1 zPvjo0mX_kdC^69W7Lai_fyk}C({TIXDQGwI6t{L|lF{_F-CsCS3;K-ojHj1H6Lad6 zzE-e;adTeWHj@3WqKHXufaCm9>)yz!mBk)#xZ#no?Ot)cR>xTtJnwc<9`bx=Hrelx z7+qyS&8yD(V>Qr|4S79v6@5iTc|Dk%mscY-2B!@T+-T1T{_<8G=a!+8G?<>R@|-@Y zgA*d@xW{2f+g>jksUoe08bviulfO?BK5?*FZ12f9Au8Fx zfAhTc)0-Mqjd)Vd!W?brS1ac$m8J{bUBkuE%(5EIcMR?ozN?z2iPgh1E0<{ugA-bV zHM!W{N1EG_q*x1pCbl?LaXY{MwsuucK1 z+r_-(!m(^XwZ|N-6T<)6sCc$N>)_!5>kPbl@KtQ@nY5mQG1g zkOrlDs38YXLOP|TTRMgqx*5XnVW0Qxz0cY2xxV+$xvrUc)>_Ysd)@ah;*vsYuRL>v z(3f8?ja}Hc@KF|6_rU1z`56e6QG)PMlWoQKN!xBt>RHPizQm}GQYo3qDVxiM>T1;? zzC^=ATfsDC4k|l&WwBJ3b|1bR2qi5grc5V7BUg2dJ(g4iXQ#tXK1o(?a7`6Dczppy zBJC|nJYywdJ3P`h;>Pc~2&FRdiwgYf3c}-l@eY(!^wd^KuLpvx(4Ms!c$Zqu(8giD z58KWhn-PgkqR}#qGpY?t3{SB&7jUcwrp2{kKTP{p_|(7HQRAk_irUI5deu4V>*t-> zqFdThI#s(t>zD_)5CE6Ms!sI}Ysc@v(_YVD8)WWgCUom(Z!e)}^0|761fa5i8ja#b zJC13spWLaBdGxlh_c>{nR`IYkHQp2)e&eCqQ_OO8y0dFa2`qd2rK_M~iSN=w(!Hm| z5_A7k7n4&NSFT)(J&~PhMYuETXVUmv^i#oKu?Db`yeGb_gWAFg${`s)N3>$Nz0l6p zB6WA8p#+&z_In9!JipKP(XJ^K)A}qtTpkKY|%w7DIIprxcf8tUC9F9kAq5mc`eNJGf%@GWOtgti6+aFF76R$Dd$C}Ze%e|Z5J+^IA*)q8`^ggkFR-$8;gD{MnUe>L{Yzu4k zz-p2_hVCturajz(gX-goSgAxQy)ndOap7_k7 zh6-$mBcft0C#jix2ih7jV3S5Y{D)eyE{j%r#z%}Aa`%YL3Eu-FXRa1~;ZJ9^cQtJm zQWyJ|c_;L3R$P#8z_hJx;5@;)etHLO1MoWq8UZeC-Cb_h;l|nlNp8C$aekvvA1BY} z0TSB#$F>1Ohh#KrGu0=*D0}1A-&EvKeV3rwqBJV61MA*d4uGImWp_;~bzAcpz(#z}gx3DlB zwl377gc#4vG+d@IFX}i4v5AgYX*{xAF}c# ze^~+ryHgbrjBt?>IL3#}qewo}87;RB%a^OH5sBK*JS8XNWB6Tl!d>3?=8I|huyd)2 zB&@aUFLb%~8QbHsJerw|UlX>P0}Kqn&$@(!-dryx@vhax)ZOlG_w6qg^4NP6TeVay zK`tkcN?!(JDyiH2UO_PU9QQY5L2_vlGkq<2wemfU9UY zoja^XsZCj=&=cYF6MD;dvgR?SmvxN3!SMBj(QCQTYNdqJ$NagiF}@azXTrz+$N?WI z&`V`b09xy#GOvJw84r53vYxQr$!9NUZCP=)z1bpl8ch-OkzZuj2E?L2i%Jcim-WMpS|_I$mdy?)qWAXzo@<-CR*W7*V}cnV=}eGUnAae zU%!hJvp)~~?H(|W-U>abte~NJd|mfC+g=I+6@*;waC;wYdEC`3q%N}s+P%bx9&=dl zw{ZOIksn_Nq?a1sO(u`MKxT9Bfbu?U?k<;}Ys=Ja^^ndW=PheD>}txI8Cbj-ml@)K z+dM32;79m8rPZ~Onn5b{M7)F0St$L!XeAKt>|RIdIj|%39S-xhB z|KMLGp+*&*>)beqhUe><%)EpaWfd)zh%?{O|CvPHAoFlOPVS&!vGz$#fmC$VBNAK& zY0_yfMBI%?#yX)uA666!cX{J~_+i-rwQ1GXJQh&BJ=pHN{bKcE z>3XnvP1Pp)=mp%AToYINag^c;6bIxIE$v#9ObYSoI^<%F*6Hh$ z&-)?sgtvMM1Rg9!h$)nJ$i-mw`i^p1 zwfkN?VA^~mcb}alRdb#Ctn_MM3jyp_yw+fM+U!Sf9Q7@hR@%ys<7G@v(UxPbF|}<| zp|PDPfT`AoK7L@u_bk!pt0J*b3WMHV9m`k>@^SqVl)9y=~c1i=xx^1`2@L>}7t_1Uv`FF;l z!witW#~vxnZ<7ZsT6#tAuv-$A1G3!FH^%Wv2J&}o<|#}UQwDTxi6j6OE&PsUeU`r0 z(?o7UK5v#;%qRzE6L;yia)JW$gF2&R;G>6=k_JzFmD{#e%m?c63@%p&h{cpW4X=X4 zgsqNM20uGSB8FHHkLG1Z%wuFu6R?X|%}OP*tB7r#`^rM{gZw}o;>mV*lkxkJI9pbZ z4}gV>Rhqt4MbQT8%O}3TrPSe?-y_=Un%Z;n>*x6#zAa!$@$EN8153&mNVFPsVSE;g z?gXid9Cb$Y21smqvpQueDAQQGO2pdHxGwhYe|||R9bHb^*ueG>=IAo8?dCYA}bU>?GI-ZmW&>BRudtqsUR~;bbyP3CIh@iEWT8SKFOBP z6w5`A=#O=L5 zBRpkI&@mW!DX-U3*Y(P=P@SqRg2l#7ius%;(e4y98Fx*(i8JS1sbcvyDhJGcjJVsC z&3rnK0a9@Ggei_$G;g+}vCi7DzpY>}3@U#vc3!!`Zs_h^>w==<2sndp?- zA@6a9RS#XLmvNj`%K9THv%j#5DkAg{j>;}{ReO<9i_&tEBKfOBUta+btNwtfkF*@p zjsqrqM>b$)GL+GKoq?%^joSS)Z6p(|5;N$rU%o(zBpHqDa5ZTrx(2gIxdvOAI!dK{ z@=1!yXg}bElH8=b2^0}@gcYe-cT7XXuc4z4#bAQaC2|o)sWT;08ogNc)XJ6Pbm3u0 zzRuz29R9;XGHJ&H#xl3>0$h)sr}c7+F0Zpr$YGFgMYlLv(ZTk8T34^p&sp5xKWm^jM{G)d8*c~KBfM_@j8}#AQ%?_tf1~Mv8I*HVAM;;uTgTt_Q^t?2%LPiSWbxVCZ=q+qdb}<$Y}P zpB9{_DFVauDl-k#1L(Eqy2hSZru{pW>QR|_1-S0Z2^+f|d|J5dvMqZDt5y}PR8gwt zW1E@3=mXYcgrDTxM?S*7Q^o(Y-6ZyI);dw;=+QhIM)OaNyBQO2ljE$VJ(10lki?v$ z4A&La$Db(!L(rfc7MaT)6KX#mTzH%Qz&1V=g7!C$)%xBH~QI{Z}JX|?uAEdVCVM$Zhk9WXF z&`O_l&^qqr`%S)v7YBqrTp&qNI$>bd;8dAh~4w>r{-^3n9|Ju$I?#ULf zn6ZMfpK_u}XSG)Q)#<0&PEewCpxgIIFC6sZd`bmRZmz+HSfmGw2R&s$8;dXSD5QQh zbuUj83FxqUlh5cxKxbBFh-ZtIMKs(h;p?;kfN~9WC!`@0W8m>=~Mxo5J`YWZ49+Ox+7J({WIsm|+a%d-W z4Epc03?l}=_LqI%#CG`mA!D5?-g$N!hrSEL*65nJ{}qH>*!3M!Av@wPGH0+UL%h%l z45IE^CyKgjDK1SId1*stxjr$JMebiwnYd|T6MZpPK*tmd<02q~<3q9^cXO7~O%5I~ zC;q|)ceHIk4ic5IP6&X!_v#GA7pLc2a_Ku_4I1uGL_F@nm#0|oP~7CPL5B}axArW2 zs?K8Kbn4DuS18zzG0CbX_|5rTXY#5u**w)$Wyo|uZ0uV;`cCRY2jaq?#T89qTucwHKKPzspEe2 zyTUanb)!R>YAFQs0 zPCGa#MZaR#bp@^9Z@-GhG3XI96bfLyq6TB!M>4t(QQ9BZLmZfXkAOb6qVWWqby|fV z_0|kmxApFtM&;ETo{*`ox|iGR%C<75tk#RqF>glTOrtc%dSV1IVvD?!h$(EK+RSaU zj)!h2KxwWg6!7q(Nh;LxJ&cj?8S26+6epw+;i*MCc+Jw2j7XZisQ zM3no1Y9-DFZ*LO$3alOaJ8PEcf#+h$%)6KZHK9fzYgS0jxTQ}7TxK}2_4OS7$ur}` zM-_>^Hhqk~OW!X1eNBlkTXud38vTZl>vHzLNN4T4 z^gx-ZVkxts_x~WPaeNF8EQ26w-*WIj_jZpU=566R-uUStj){^j7^&k&Zn1DV_D|lL zzQn^>+#>282i(2?#d>>#juHSBt@Lr_M~#wgKdV#pFsUcrmJgmeK0+2LTA40BwGI&c zCr2)s6oBg{yPGa>03H1&doIK&_|c(P+}mEmXRGUZL_jle4Q3qBk@POz#0oz}Gf9?o$u8QQ|3MFVp8`{gS!Nse|9<3u)0l@>h{paWAWTB?f6_yKU;(Oz zjgtSr=$-%mYX8sx&8WM<`{4gS>ET=SCE*54J>b2yKSy8sdw)41dD$=`F#{ zHa))y#P_O-f*w@ZqT4EzbC8qJcMpn{>2NdO&7`>p2ng5C0G8xY$efMT&0LWa@}=1e zMgXAh`s1?ovSqF)Ue{`K>P-xbaJ+S1z46~S*Yn@Yb1FJrv=BB!K9cvxaU)lZcK~cM zqXlsEvnn-c;D2BUy*ufJNM6g*e6XN{e_K3#1fi?i@qSQM;0&IGZ2OuGe$pr@3{hcqt_TS_%OUv>Y zSNeSfsRf)30@)z#N3v;yg}`995fpC(AJ;mCv;(vO$v*&7PvD8|UAhBo?#a60v~(r_ z;{5S|>{q+Y26Wx$?(c5u%gX?3ue6rK04$xt2PepT;HmGG%wolMi|3Ae>6U9^BwYb( z70zZl5tCR^cBQVNX%Bsg5o@O(QHU$`NP3}R$ zX{oe-D<^e45eH1xG9*bAwdPv-u0_vAWo&G+Jg1vYuylG7@H?tzjmMyvFQ{&JG=g@& zc`9sm95_BMz6JQA`=1Hx9JUqgP(IcX6c-e$-n4w%+!5R`o_|=DRU!{8KgYR_ZURj& z@|{>!veji^1irej??kX8{z9zOy^TxCEPbLX@2Hlhn zHa`N4be7RSFF!Cv0ZG3GaF$U=_CFYQrlilj4LMOARln32XjsaA@RKFfwCMmUR^|2L zBW(bM@Aq1NkxjPmyXhIFgfbCS)rBst>Zd!TIajg{0zmSc&hW5)aUt?J5&47j>($~;c&aQ!MKpHIg zO6WSB5u#HePb+sJcfY@qIzGP!CZH4@|Eb&gl%8;#YoqE;@0(~F$@q=82HRXa(*u7q zfia*721WofYo1@6#V;rVu4%FEuN1rjJFRmfYj?t2h zYUW40|JXNG!hwy^0l>=AuAQ4&*(rkJIfaBJj<>4Hg z-wSucq^}Y{v%!cw2WT>5OEt$wU4$cU;vHJWCEwz9vt2rI)BSdwtj=?<)qr(T*NrNnLe_qMB58XV{$e7d^{W|D+2k zQA2t6mQfk;f<)ot><>!+BfU1H?#M#a@35}0--K2qg4*Be70hi^&Fqu3ppV6VC)VJt zL;eoRI%^*p_k0IJNd8zG`y6{ZB!r5PH9y2pd?B5#g2ro`R`Ttz97$i_MT}8 zecK1)k@}11MhY|kYONO&G_EH3)~fym#K@30PiJy~l`?H9a&8F~Y>L$K;8VBm$hNb zv|H?%*-2Pbo>TL8l*0l0J_@vXBh!cS3*B(I;`27v<*Odv!#-^v=Ciogb9D69*lRr0!iv z3(oSz6{9iJ-&Whs791Zrnu)>HEw3)j1+1ikwJ6lJw^**;iVaI5S*;U!*yvFIwANYA zd;MNEm+XF`@}~#(HanMe@7**$nBH+)ux&m`+c5}E?$|*_gC^F|*45Yr`y3W8VRnC# zLOu8C@1usvq_9|)-N#}jkVDxlN#Fv(ix<*NVWm&Qk&^*c>D)HlFrTD+Q|OZ5)Ob)K z_h=IVxLBHP*~;`~yY@U4@G`Z)mbd>fasv2g2;abk+e8VOH8Fed>RZn%_x{xL z{E1WHZg~6tnE?C+T3Va|ZNS->+BvI;6cBY$7hWZ5tJ@_iy&rutpjhDSzfO&hxzX_~ z2L1lQL&a*ZTS$U`WT=Gd(3MW^7Rc29IkNxwbA$tLnG)Twdubh_Sz4g-3=ZhOeEV)~ zO|(aL9(z1;f=?5i%Q*K5Mz_}qS_jVW()h&*#R#ya=syi3FFeh?a@LH1HM!MKn~1|xtY)(~N2oYguYc$0wv3ZedyEchsR_>(GpN=ZajU3|ZWSsZ-BB6Y1q<`gT! zZ%Gr%c-aO-!OrnA+p=xfznvq+7gFr*%BffSfas4AA`BElSdtjGBbj_v=BQ4f)3>8^ zAiHQr&qzi_S49M}_j;UCL3I0O5GFnJ=za*FP>8 zfU<^2{b2lr=(UWI5F8o?t|+9w>~L1huCCLs>6q`p92}G4&v}ITLNncd?tYu1oMIX` z$l_9l^h!Sv5Fim2^Di$kanP8m-PyP5?Ygobm>}bMsL19@p&st!c;3JlqRnwTweZth zn@Z|=cF*O*1m1tiXEN*&k)`BfU(M{r(XmHkX`#Xv#Yn7Pebo7ra5eLS;+IBD^;v76 zCUqgXHM1Ut(`w)Lx0+%4rc67EEzH(;v{3n|)!ZX;Bd#V7k^CSOL94P02h*GG& z{Y!HMR^-S@%0xT!=Py^9V(l`}5gA@BJze z%{8IWGUMf&(HA|I1ZEYXET7%f34}^DHQgh?(lV38rx|dJ%E#P4bFWw4MP|VZd01QR z#;+|1!iF^rmlK!Kd-S{b4vbAk36?P&@}o*lzd3jh3H2lhMCQRH!+s2pq@I&H)gF_2 z1#WH&4!G^*dH$x}Vp{44rMzC&yIKV~JucFe3V7$#&eKHV3kf2TcUTUL2Y}Pc9qhX! zKyntiNrd2h=gm%@UZ4cu;^j{6+Z1p&D zHz-*oeM1#$yz&ZNX$dNWHGyt-)NV1JWk|Bq-!LCuMN*$`M8w1gp$(0SYx1YM4sxow?ns+`ch{$2H#G)BvHPU2%B@A(J?JIMIoCDP1pF*jx{~=6t}`Bd-$0APawd&8U@aqO#{FQ^IT;yi!El<8iZJuP}Yhw>8u`*UiB*3yF56 ziNur_4hemrKATE<=M7g##w}`N1<0~ZwKLqA&#=j}SmFH2Zl>(oQFqMrIfgBNW&Bi! z4gT~B?V@o|CCR$y@1WWJci)c+2*$pF1D}r?7KxBEXaqDaHC$2T@0{oGdduh|{jkno zK7hB&e9zOT*P@sgnc-I7XbM(37k(g^K>0^RyShXDP}Z^ zLa2uMkh(cMU6h`v^Sx~k3eDEnVXYmu=eo~5Zw=}81GdDM4WRxLbh~f4Typ~V3?CQp zYKXRi&g5Gl-Gpg$`y-R5`r<2?ZRQe3ROp#1tng?iA6)gP+4oA?F~Cd9JTb}{4X&($ zE28rvMe>VaIoskQ>^bde#9);49pyy)ry8b5gtTYCJ?&lZYd>rBCd5aI0?(a!o^u>Y zTK{l8=a(GOaqiRjH6%aBY&MAftGF>OiKm7(0_gfjlMD{8X5?bc z%8YYCL8EsMs%Rp4`ZLJ0$9@WiBi}1>N=|8!FDFC&f6@OY1#P2lb(Ae-~HP01&? z^F@TSj@7Yj8h`xbl346ssauG%w${RJO2LI~ji#0$BkLyKHf;b2jPb&I6!)xy%BEGH z=ZfEQ{n6>i{jxfGUxt|4yDqwy5~HHdLb=@g6qlpd1}dXO9x6Ey{I@ykqj^u-C7zBA(3z? zc@l!(f@)bgHLYxI9r*K#y^kx7Q^iBrQHP%I*Vl=92G+nzwnm%Ap_pq(v3<`>t7(mB z6v^CxvD(Gn{@hCDP1@TG8Msb4x==pZl{WJVS{y?xb>`9Z9HgAf5t!)*UOFp&kQ^+1$t2p`#FdSaIngca~nt_Gl*RTsm ze$vou^5FIu+CECXE~yR7BOLV6F<4e0;LdnIB&H)43hlb7CT8sTn=k^FNSSy_DU4+I z=d4wFrPl+;F3+v_N$XUgP+N!`bui3cCRSVlT_+*LFUPyXs*e(a(K3Q{Y%I8{B8Ys0 zTffGNRyYqin*^OnyfCmV``i*Sg4q=RDXaZ9{^i1XavU1sc^1N;?W0wzV(Xi-#fSi!R+3vG;wtGU-C^jC>9dK@8h%eO z9~@X1yC*<}1UO|tRogu&-u-x}VB$wszn;=YqRzPxNdQSaL}pIfTB{%+OG$=nCqha5 znpKQ)iTz6R;^z|$k5Tm4!pS-D+#Sm|pKP$-@IyX9Kz5y1+MfkBS*Zx*0yGOr^jlB9@I{5fP*$7f~=l4`Lt|88cTlR@j-K z(X|_mQt0WbmVXMOrczy{+Ano)c9t|J26(oBNlYM(grYUWdQ6Sqmbo zZB0w~ty%=Vh5*+Q$vb`k;I{Fb^bH=@Zn4aR+`C5!Oj9^2)wdSrbEDT@ybE;OpKdHd z(5tfE{FeZaARRsjN%C#S3V-gdm7skiYVf8^w+Xx7td9gc<1-fTim_Q%6Z zPPN_dSeXYsvfryauIm;Ca#T{YPpEhjG{7>ptN7kG?iAr8cy~i#bE-+qKD3w04vDt| z6jOCdh&ADwd@ptTppAhISjq5&f_Ib{0FF6iGU)ZeDd%L^fwz1$EvSpMEai`AoyyLk zJS6f}PLtd18H2X=Qq@sbX5bm&8Jh1G)X{sn%^sX_p+3#z2vD!So9fMzjNYbpD&cu~ zM_Ib1MnkwCUo!r-Jmn+#++;*lig}T zo3o=(M1=eTfMy;pWy$k1u&ymlSB(0)~GoDcHxi~Sk?@LA*i}`e`Vgd1pM%{0u|3o zYCJBu<=A(galYcL30>DmOq(F=r8alFE^zMnHq^PzW`vx6#2q|2ua;*Z7F@xn0|)#_ zQwlAycPI_``>VYRbnR~cRkRM8;%PR#k zZLS1`yHS}eYbNmEy?VrS@W6res$8wn45uU~Zhu*#U&ByAz!>mZRVRKC`2$>t9Vbm=2>oJWBT=irv4zB!Tg&*l?zeHH&&W&bx{^X zJ;bpk+*Zni(_%J(p@ERimJgRNJiKKqs2-nnB0g7@c$lONY@%MI>zPeW z)vDJR`@y`1iKsIk$u~t3o2es$}6jky4SUL*zYC)i30$@DADuICDFJ zYp6@qBC1~tToeU`tW=R{{mTvHnF~xAba*!@rb(ou^el+2P}xtUu0KwoDN!(f%o^R^ zRF_}H(_O;L*=4Ejh82}*qstuk*QezKULuAZF_c-9Cn8$h0b-v|O0gZ5Rc7*O26{ji z-K;d#*}4|bo!JU8qu71t>9{JDNu_7MqJ{7`a@ZA<>i@}fi~SzeS?tky`-3rDicH;9 zA+dFwX?}7sor*K+2GrD}^Z~N+we7cS|K00x-wHmdLNBE87GtyhbI+uHQ4pJeXJF$z z%?CQa2vMuMT_7M7bEwR*RhU^w%`F%Yq*Dl}$q+Bqq64$0@W7;RfMoqKc$R49Pb?GE zEivt+176G+E7MB~#M&`LsyMWG6-UFTlC!cjp!$zXD^B!(cIprOrdnNL$POJUWyJJy z)C!i&Ox!M3GeJ$F<#0pJW1Z58+HR?KGnxdpy1~{!<=I3SY5U`JD;b4SMtRXG&(|#U zzV>}NRHymUqc5nH?Ft7=jK8&&sP5WR823wgK3txVKgyLntGTI}gu}SA`1Fe4LQ^>N zj=6O&=AQM|({?HSNftivY?)UTUflGtpPcZLEh;;BQ9yfQ`FNXIs3$z`la$Z2yF*>s zdmSgl;OK|h=n$5Bstx`K2l~(kTCbD=LPwp&=k;H%Av_QBE0NHta39qfcRtt5%8{>7 z>&z8DQ4`9%`MHt4^6h#GtPG5|_}cf&bj6JB;i&I~nxaroSE@sw_OIbBpvWKnfKoV~ z#b=LLk+Ty)Zs%vXvF~B(ZVbtx`z(?I4DgpzL#ztmj^Ony!iB=H8aT}dSd)fU%_|%g zgiM4slMGF-GIiqN&2!R7^Icip^&e{ey4F$^GB@gNGW{EVDc{v;GbzO0=*s@AR7#>; z9E13_vnL+9wC3OLIxJqjS1$D!3wJ57HAlq|Mdd5kzGuJ)9Fh@vBcv$TT9d_^AztKj z?#f*{K54C3nl~Nh4s))BNr(IEf1S~6KlF&M=|F-3iM5P|zNg826dPO>TEOmAl}KO0 zFes*zzx6UU@NexQLERtM=65M1g7#8J&V0>P(i3xb~93q81^H~Wno?MbA88PpLah~3J@DK z@oZ6S%A)xOWPW<>vA8pOT+Y#afkr!gWw`{gM%`ixmo_vFa>i&WM21`_jPRXw^$$>n zkLONLdA4E)^1i*}g(|N*S?RL)#?o=LGKs07;g#BO-XM3<2Nwc7FAAu|1lx9hmn>8; z1r-ewI=r$g6zq*wv16KQ@>s~6S#zE&BoLcIG^D5ieSjnT&z%im7$ZXSR4O8wYUywP$ee7X8J3{!1 z7gLKh1g%be-`K&v`5I9P;pf8>B4^+9{HE3IIg0m<8i$!% z`CVl~)>~bdip1z7;2D#iy;>m5!9wuBG^+1()wij*P4xUdC&nj_yJw*T6UDs>|2jKA z%;a`bFrhHVz1|SSMg8bI8I8)$?gm955Xq1r0a;TQZ*Sphd&!XW~s-MgqkY&uDvjz%b`Y)pS%u413dEwHGZQRtcW z6725K9p-tyTHn`%t(a$Ylzm}bC2f`=)A~Yz<4y;vlHtEiH8BeCi;gg|n{h-5M`QyL z;v+&qGuLlMGfvz*H=qIdEuRrq*LsFFGl%K7=6y)5tP(Y;m6G20lxU`{=X!I-ZVYVr zrN+= zZ5%i(PwiB=z1rt)fuStQ4QZTtv+i@h7LJuXmnhxmf0Kff758FFUgPGai=pSIRN?*5 zWIFpB4vAeuEgJdCvaC|D!>*6zg7&7}2fEYQ6}+~pnaH|(I7~HIW)d=lV%+#D_6Oe=6Xn?c>MkzsO+G4gC|iooZRJr z-2xxz6)LQd+<*Ok_jb}yiZ4v$V7}JDYu*m}YvlSEz=VLviBk1=*JQ0Fe)Vqq*TQ{d zFSkPC`K-fA+;H)?Uln6U(tSjl@tL=TlC&iZxsVPGg*1ZP>%n#*bYX9*OU0#Yn-xu)ux|?NB z!KUtKvI&{LuRbQDno=|C2yK8lsH3s4e}Kk@^G(G=C)eMiN57;&Cve<>X{R{synLBI zB~t$fbU>qfebIy+Y{4qzZ@V||P`OxzFzG;^R|YMjzsbXkQ=L(@k1lnsbTY3g`&jTX z)1SRvS8GZPnTdemos|7}HZY-p53X(bmd;-)81|jSGby&zJQsZhG{_{hAMP7Qw8VKxCDIsQd*%Ok`Hr;*>(cegRwMl%ngq%;7&^t$N?hdIe zYGf+2?n{;1;|Fng3KjA{KOr^w4qOM9qPw>j zQy)#e4C#!zqHteHc5G?D*AZbR!b> z5Ysoxr#ftU^U;Fnl*Jo_N^Ys?Dch1fc1T z*~FTIYQB?OY0lvWJ^yUPg<0pz` zkI|XAf+-SJHo2CG=6eY|lqE>uKM0;h`}t&RL~ADHVE!1ZqIa*?F_}y;!28c;aUR(! zCzYMUA7z2tUZ#r6{CSGn2>daqUc%9<4O zIKzT3QuJzSnRLf%2pb5;6eLQYg)TqPKgN2xe4zAA z?2AsqjDN|v4lci@Jh=d}(8oS2O3X%2Xqgw6iQfqeLwidS|M^!bvNyvJr@P;^q#9t? z#q`&|5^oa7G!hp{)kWyvSBP6;AAia?2#m!8a%n)hTqnCIAkr__EI>I9A<9_Vb1R!s z8&}fBs6cI(5&3zz9!~u|FfVh!PAGFNa7HWZ@qkR@z~(`C^+=13`o;;C*;=+F##3LM z>>pu*B|lzP_BNd8!FIlBCO{8ew|$BM?cElH&(rUa{jSXbE9_FV zbe((O0p=g`kRKkuFY%B0V6|b9nB_LvnrQp8;=W=!MmxOpJ??m*OuZwg!w`^J_O?YVX0->5?07Ir~Y&| z2*UVlL)#gvw8g!F z=1t+tr@VN^S>ISa>__t{1_B;-8R$;#a*j(E*3vmx%|>AXe}#zM4tc^eD1# zWSBm4Kw8EBdHOSq9?p*`Q2I5~$x7602W$z@FM4d(;8pDPbLP<}1ekc{nV*lb?G3Tc zyCsH|YGSNDO6Iw&YK}cKKRbPSa2v!M#UiE|3qX4hfA3_G40SDfFSo#WtrSoo%g-}s z%CV*&-K{Kc@7i{Cq)^AbiFD`l^jYy?XIn6*ja4UeFHC6{)s07^M&__{){OYE@DTz9 zp3S`-XwLf{rGV(DXY5u*`wKoELrgX$>}n?Bw7UKIW~`~^I9#704>kc5S?q~vU%e_? z7*GpIq0iKx&i9nGUp>XT?DBy~0rn()Vem;D=>`ti&pZezoVkz`7itxY3(-EpZGHTk zkFK2lXeCoL^1S#Kyjv_GrFA&Um^!LQa%JK*XB~5E0XiacLE%udSMByZ$`O;&nn`3# z?VXSC`zYM)9AN!;Mt{a%-vlU4S}=YZ@Y}^2QC!IqYgx@vh9(Hd9z{|T`l0bZl6g$U zEdApMSMA7tS}nb^cuVXj2F(#QZBN;mp!6y6v#=f<`Imo=Bzp=8+E`~ctHOs@LM*!1 zT)OQ#Gttdf`{lE84A<$221FQsUAdvypR{|A&jfRkwn&Q)84Yphe`oHXOr!nI+Vi-z zVMTf&$F01B5V+-Dk)O(1{(hzb;hAOzgEyT;eM@Rg40B8f_HucU)k%o(3y0^P7d4`J zx_YXfNrorTp4)aA1CDBSeW^^w!?7-X6^Ipjpb5%4AWqll8{l%(ZL6{`Yb%^Y^MFQ~ z7PW8~A_Q_f50OIH0a=@9@)_4}f%8mXRWt&=<;j?Za4FeN=0?DbY~AJ}_2L7N85H|$ z{L$>|%K3KPHp({Ut$bZRg@qnHi(s{v_EXiTyBmrvJN|_i(bE)LJM$~l)~j7#z|DpN zwLxp9pw*1h)7!(p_s#;asvo%{0PIlkyRgDE`wP~fAwqvF1BG~0&QZQZorBURV=mnS8F_yWVA}PHyZ%9#4?L?A0=Lns4VE*!jk*>Q7TavgabfoWQ ze4j^u@Z|h;E>fhB7TDv1yhRt*3MJU5qI6NTUrJeA@Wy>vDuGe zH#D~4o;=dP&tUzdU>Dg;sVM^Ctx`NDt; zDHt3zCVC4bPl{GKaLp#w2~-{}emhf=+mNNwT;0KM)h5Hahk!pJD81=b07mXzM0>$GkB<}}6tWua;7XlY*&0=5B82Dv8f zE69<%3}hE!KW$MvJqtlD3pyY0jM=YaAw-$99jN&cuVcgF~-w=EaG z{M1(|A$a(GzIgYrr>*cNR;k%Hsib{ll?lyzOgiPzd%G;Qy-XgbH7%Sa@| ze}Fi53&lDili?X|>MLe5frb?Bu*DH zJx&$+POu%%#!d|ov&LFs7ut04{Y6o&ZW|fgrQR>asf>sEd6V{Q{y*y8IxNby>l-Ep z8G1m5P7&!wxx4Qt6O}p}PhN0RicdmImpr?_%Hg^FDjK?|0wd zzwdF(;W5r!TytLQTz#(JTBSaN^}-4*%s!&r-$Z}b980InZs2PB=IzUt4qF0tj9$fd zy;Ih4t4FkhBhtsh{cVFHjCIr3Gb%{06 zKt4o0M^6Q3_<>x(>ezN=czOLN;1p5rg%zppW8qxdd1T@A&{59O7h$s@@AdwcZc+s| z)`D^oqSlu-ac}@nZAT-^)?bH5g|&ht+i-L;QVA3uA@`S#rP?%h)x!>%Olr|rpmPU-gLy=P#m^8u-6 zVpl60aN226yK-qw=`)b@Bp_nY`(vWniiXpI-m^|1UtM{{(-QajB7VH;aS{bk_hEzc zIre<4>P_oeNy9H2*MJ}O{lWrnVma=^o5HVK(`CE5t9n1)v&L^y=n;-vN~OvFKu2^C zy~MU&2(o#XYwHqr{N81G+sOea#y@ZOS^yG1{cfA&%I}ZFs&ebYL_9OSi6VV}5!qxU?6>tW2DjKm!SwHf9v zb(^n10#x?qd+~yTG?U1KHF?3Gt(Z?ls^ckp=B5O~t((?8Sw(FC{S6daO=;&~HI?AY zHW?ilj9aI@cG>6Ge#r)u0iriO=gU?}vo_Aqw!VMm4)z4!N8-4+4p7Li!n}C8<|>PY zT9)JWDSVPe)S6HwrgMhX30$3~?Q0%(CI3oY67SyNyb9c-W4oBj<@wyKfVaqO&xW`0 zag>UOh3J)^XX8l+tK77}d=Mp?)!JNa)!3;V~bIR^{p>4bMER=e9 zx74<@sk*Qm`74l7iQVPPDYuMc7*9!Z;B!-I-I%Zp?G?dfj6Q}!cvRsS!JwaPibX1Afsc#t1>dy_$fE?BCRk1wX z7=d@_!w?2b(VmH7dC%9I-8e=A8I*)2&F33+*Ka?t<7qv0aPz_I?IvgiF*&V0*z%1u zY#-$Pq(zd{=)1o*7A<-9F~nHjFX%yZND(a>hp6gY4}Hz(Cet{RvFKZr%5aG=??<#9 zd+$=isYjNXq!RENh(yurjV);Lby~G2oCruFX!TKNyrJUN)?GIJapv>-t6(w) zm9SloI`HQ&AA+Y}T+)OSCIv&LzkfO5cPw%B8G-el{`fcEvQ>+&Rh^`f>r>G1 zVmCunpL?JQTDkq`vb(!uQuu<$LIccOFuaAo%rhYBdZWg2NbK4kV)e9PP2rMcZ*F)T8a|9{wEb^8I;LT6&-8Vt`@7I#SIf0AUWx7xPf=&O= ze+Z|(g*b_(f^h%q8i0)$3w`b)f4>&U5kNeQweQRc z0_v`g@N`WqNI_i;2-_FDAMuD6)nDXs_NujT*Y6 z)w@;!Ih0wy(}fU01}~roh@~G;hhG@A518vuO}7F6Sa>oyn=OF#CFqm5m>du|x;{v| zNp1orMo$WOJ5>>${-431xBMF^JZskEhrz z5-*Pmm`hc0t7G#oifd*+&N#N?6>p!e*xW+^?Qti80i&%W6Tm3=EnvFok`4ZsCIEZz z+irmYvj-*vpvqnpt6y$0%5I`S&$dedjhT>qrGk}B<+W9IFptZ4b323eb}Z_3oKP+y z1eBf+6s>#QX<8xb&#(Rx`5j2lWqjRVmAvsh2DEOa#YxlCN9moH5L}6y%LB@0^wK(j z98B*5P>k;H+$Xs2&5x!Z-U^HX-Sfn}1_qFR8?a6BzMW}WyaDuol-<0l{zRD0NFefl z*qII{d;LYxqnssx#lQ7yFw|> z=ZNC2u^>h$`^fhf?(b${bb1`=0Z#lshfqOo$$^Bp)$rr{Mu8&Bqd9*BJ`KuTjk_`$n@c1Nw*-ZpejeZ( z5F5TcR9A$D{f(k_n73JjPaTd*+!=ph$;nQH@K2AwP6RD|dKL5`?*JGLORXQ*`%Z4Y zo%VV+VkTbbljE$i({;p_%+d2fjX}1#V{!`R3|ZQC6osmD_rUaIX6tWFCXV4%?aJBw>9CapKO z@45Bg6y$^e&>~|0mqvNR2Pvhk%wg(TGfPSZU+<;GNvkyb<}BXNGzsKUD9Y6>*nj2V%Wa7 z!R31(B8s#^-8*Sfwh9RZrmw@rH-O zu5T-nAAS?wB=em-@e+=B=k(I|qcANu_r^a%hi&W`}b7Sv>h+qCee? z!=6k@w53aUOP#6h((jr!C%xLWylQp1c(C#c-119*XV80)>Hs(DXY!djm7y8dd2Um> zAi`3)h;eKV7@?*y;sb<{WL#npk*6Pe&JK;%1&_G#J?=N&^B_8;-7L@$I7c;?6^`Fk3Vc~rkxUp(9h3!+CajN7YO1`lW> z<7XOP3D(`VW5`s`uyPBm_%0Ax>4;cnZ8a?i1{k|ZL%yBd0BF8m5oZ3V)FtNH_0OMH z5^i-r`P?3P%#cVWJAR@|zi=*jf>D&q+7-~6VBIx(z4jLH^2hLGAu4q%-2T2>j1AzM zN6FvSj4B!(ekNLsPmNgYENdp^r?Rc zwYGxmhe4ljYu~p5a5xiBpb?~d8|l5A4R$ol9)S9#d_B_ah|eYZ$27-ob!)x5k<&mg zgvPorwdri|0!N)pm6!Mn7381??ircwQ0*u2U1yxq>-jrO+-PXJOpF ze;6AL0*jMzf2Oqi;k6Uv#Z_+68+>!E`KoTdzz0em&FBLrN2=X6w8$&p)0MOtVSc(| zxR>;#&>Hy)wC%03|ieDEle=Cw7e5Z zXm=!JJxEtNXZh{p^2^>;3r_k0U8|JkQOqNPrFp;0`L@6;b{o6K78U#Cqopm9EA|d= zTmgvl#pEL2(I~mldys-=T0~)_~Z7a?`uI#e+LL=J!f$$4iDPtW+F|CdCpzd{#~(Du@k| zSqI>~uPWv*&}WZ;dAehtm@3)7aOhPk?*0lAju7;YUuZCg-O$la1??~=maZxKgZ}(t zC4d*i<>oJN9I>e*)k&xVX$>LFNK-e1Og2><&LkEjSn3p~P05s6i+-u=)nlQe=r2)@ zP?TVCbhM{n`GDjSCHycPoP$y@0Z~cN@~9)TMgY~u>mHU|5484lev{XidtI3Fo~GAL zH}u3^tcP@P3}jLC2-|%u8nA>y1la;sHZm+IeVl7>yfTlL*a{M+3rBP=g*h@4Z=Io2 zq(xk#9w6(v8AYb24@M4y=Z8$SSkrU6o8i4jDn4MW-je=TxfpHUz z3q}6oMOUnHT?c_dKdYk#Uo!JJ9*J6H#?xG%n$OCHhQ8ubP71Js^UZ#v!{me!1+%C} zW168Nm0K!YD5th)X<@F5P5T2_^VW5f^%tvH+3f~DxhOqNzR$m!sdo!6RF;0-x2YAn z%7uQU6;ge&_MPD~-dhFgbaSwa>>FIdk*;dZ;d^~^4mo8?H1^}?Qe-K4yckE-29?yW zpJr3tG=k^_XN7N0rIJpQH)a}YNNC;U&lmf~RfC}icih?TW?#K^GZ2`H|Mn}`nePcL|wJl*TBjvY4oNtJgbn>7@pI23jn zc(+1KlQa-$62!>Ic76eI`8s&i)p73ys3lA2Q9@t@W3t^J>~fJVP_gwfRUJbtRBTY- zIRh=)V=(F^nkm?F`+7-nJm(2%O#$<(^TTzX(PJEMr{mzOvZ&D^)}SvNdvw8RFImiR zLgrsjAWUaEzQAOt$NUV;l=2*p?M2xPR*%0Fk=s!X zOI}}Qko4D#0HQ;jmn=XqumV+xQ{hIb-G_dAtLD^bme3THLbad1d< zIMa7V7_Gyetzmw#fx^{+6*-yx6^iI^!^9ZHUgjRC%tOu7^f_epJj)uL)i!}X zCbOhzXuuxc11%?b8Cqd|jPqCw+CXb!7g|Fxd%8qdtv|O;mq6#8pz}2| z$AEjNFXrhE<^4>XVOCIOMFJfDqRuX$xA*;_=lJkeYO!6Kd-yJF)u48=^0Z=)S9|yj z#gU@1aQ6jV4xP;PT3Mg1#CDyb>U85l5}jwrC{L7u5vO;1D4T>uF(;xI1`%$RcuOR1 ztz@kY`2*iQ2aNA%txO9OUBR6Kcwq$06!r~!5!^U;{3bin=sk(@F~!Y-B?X;So= zS9TZDy(h-o$Chu~YriDQ`C@da(*SHLtDJ#H%WdDV*V=MlwoGw*_SRDSSK2lLxzBEu2iogK0j zs#v%PoMGyXC&)Xnna>lN8S)pUrkE~6lrF;RhWJ?_Th9*NuM}K{XC0W zTL%_ozvNH52pL*bKwLAAUn>bnfl=uP+nR46&N{hh*&kFSChzWM&`^}T$S^@*o;>d; z7XeS&CBL~Sz2>C{YlK`v=I<{e>Y)KxLg3-%)5UP+4rovkLckwEiH{x69UNvXbjMU) zCruhPsQkk=U8SnDa1c9Cu%WBrMdunohbf~DUcK~rdoIOn7Ce7#|B5afj&kP;*B#QI zoqtZL@R7COvlP61P!^!6rWjVC*jtr-a;3-Qkoin;>3-}-_WJzA*h@z=W=oV69E4Lr zdl_L9+@=jHT>VgcwPmIrID&A8Zx-Fn8a=e*$x&KI(1%7N@ zyUBCIZM-m08m(Xq$CxVG(HiXWJxuZ~S>tPk&SA`Rr=>rwzhWA?#dr{n5u zK1L-Lhw&C7s9zBIaJ{b<>W?I6i&e>124{_Cd@Ep=Zy+jzmHE7L-u1Q<{%l5~#MV%p z$VzyaRQtfJxq2DeMUaz}!k0ebKcqr^KB@Qc4vYD=Xppz`4*jf|H`9<)sFT@6zoa(w z=mIr0N_fK8ePW=Y1;V5 zeh{2Pu$0N245*d@QrZy(P7JEnnn#glL?S3ugK;3S(mI+%_yK(2)d0}mxfq-ONL(}p zscY4Cnaun2N@-Kpk#Qk5x7cXn13b$~KPdZHUYr7ubZDKfmdK z6jd^7`~J=saazSV7K#wmC7%O}*D{*agt-D$}^&`RUlTWTs zAWM_1pSHbnm)9P?_f#H!;9M0JCMOZ1@%2slUZlQ7m;}L2)VBUbisEpd49SVdO%bpB z@O(p>$c>PU(2C$y>f6;0%AG_~Zok3zC|J>ddTDT?Rl**t`7L!714PR^#<7bzBqO;i zg%V%{PTgIiK+1r35Hh3K99v3W;PeMiKgJIBO!#*}MZl7M^glbJTpJi83?Cf@#&75irLamo2Z*GwG*vJ3jqiDz^w#42neH4^t z;~>l>xFdm@7D0nu@TAd7r;P~|ZyKgssEp{rjV*R-ttdtez0sFXX3dT^>a9Za6{Xoq ztRnGnzpg|ZO|M?$11;;zM^jJx%7c3lNW+outS*P-Q}{o!IDAb@s4w!o2C3e?qVUw5 z*H<$$-Yn8i*>QBZc(io4N$*)GYhY0f8TK!_Ypv*CQCy*CBHxeChfUi;SQQ7O_$>Q& znVfbwC=VZYMqX`IDLtqZRNjjcvbbwrmqoy3O*8BoYM^R-QI!6wEk1C-M09-0p2=S1 zbgzHS+olU+v31n98U#3s{gD=$gZB(ls3ko}s^6w?o67WE6s&tP{@JSnB;Om92YW1& zwiJ@}(k+PAOY7~2phaD|01%zdIpD0%G`G@hA7hG#we~oIJ;K?{pJj_cm`!rTLFT@u z&tcbc)n8zy4Ev-xc{M)`unaM_*mePP2-!I`$Vh9=0t(exE_Lb_wd$wxb3ZW}wl-It#r#IO zQxKq-jYWC4dM?02zZc{1apF;?;rDm0U$s7`<4vSKqCRILEM#~Z#nu^Lr8iVuZ%1*Y zzYNz5n-oTIDUT$~9Mnc zZ85Ep0a^|mpCU8jgT$6!AD@+;mSp4a1pA}`I!lCf-YBk+!fK97Ot6SbloZ6G&Ep$w zyvoqGV3q9jrm!|74!2n{=;+f}@L%;l9X#x*KX%;xLoR&S7;V&PSqH7&V}HGfdqpPw zBBx)WIkoR3MKR+{a|$ zjV=+wzp{Y}n(kOjUs=W}lf5cn-W~s@2Mem2PRm7{XesKGg|quaYEEQOdnh22p?XtJ z4qbUw&&n6vizfFn1H8c#nh0#ha9;VuV{)XM-NJ!x95nIOmK8s!pW#u&TfHipu?Khr zL`c15Gcr<9l1rq$Z5{m8I2Zev)wEN9JCjI)?RBQX2T#jzO^;x#MtkaFN17{=W1!vV zry^ug_KK~37xJ_?fMHhDdODD&(2QzepDhU)>!4^Gr+VBZlkA4^%}l^v+V`UW0k7aR z54DQ)TldWqx{{ODoJJ4#w*mf7kz!o+UbF`&nF~5aSDSRO}N?Bi&~NKxYCr> zg>BV>LUv+XA(h|MbtHr2Wkc|f&Z*GE?K)5wc!R=N$=bpc#62iYF|L?v3V&R&eY#tm zW%%8uW->Hk4qN^zpxfi@5-Ic479-3eNBMib$$)1Of5(PS0~+NXr0+Q+PvSdjQLTzv zZMI8kDbsTXW#%a7up!BAs}yLDo@v$74|y%jW}Jkk`Ow#A!JYB;V!_eW3ZdXFBKwM` zR-2(G!`KVN_B8{X5p$(<sy=B;?+%$Ue)Hu~M)jM|7 zNTj`F9?B@To&BWg!l|-WTOPHG$AF5^LJ)HXp9HCi1$LYGidf%*;wvE3w;j%8H-^0R zRFhnNZv>SzdJ{-9-8Dt>^uyXj%^Vjt-^rRwm~)knIu!79z3y5Ks63%6uC<3`~r-_pu>-EONmWmsiU71ls`Ap@~7zVo8HNpq4X^TPZX|wl%0ieQU$^asW65;y`Q;qb*$WN1a8UOi#Ok+VzqRriFf=;pw_{~gGZ}n zClHi1Z2KU6_=l&fC(~kxG5_ccp?>TdBErwmRo&2^!I?OI^MRTZunZ$5tv)0=4 zU=fIS6vac<_X-_P)km)PNNs{0JC<#OpNB>W+df1w)lS^)XC=FQ!LHACdR$WxSeA^f zAG$T5KH`i$^K=@Iu7+~@`uV9ElAWg*4=a4^Yp?i?~0uuNsgeX zWAXAHbjp{j^!n9!H8N_@!>Q&n3;j3lc9V{5)*Y*X$F#)sLh29l2%I`&M6wSCCbiaR zAN+Xa3rO%7x%<{d@3_^{RGFE=jzH?}J+9t%h)k`CxH&h&n+?HV{88ruC0@T zuc*rB_%7{7d7Y}P7BDzu%6zu{S}Lh}OXw`bRyF|~SKGI+Gpy-==f6}xCyKTTrREUw zGBmAxf1NJ5tDt~(U+PaUm;@FqL+#C#)*$vAZ;@V|Cx6kiHw3i5u5>VlCo8NPBppr5 zGVzfQ!OisCT~W?pwlozOz~BC+Q4Tgyu^4rP@MGO_h}Vgtd~gu69(+pnAUUfQh|GOIvG-bjl|9L`#Ud(DXEX zhktBxhrsmU{?PP+UMuHT(%19L?;<3Yji+&Vrb_tP6;@JbqztCM6)t%`H&sTpdhYJ2 zWiJ9Q6)&z%<{GZhdift17W_{y0OFLntyMXgL{N%z4~uHrH?XXyj-%{<+RvCE-%mnL z&wr@V9oC@fZGEFsA%oU%KYB!nq5$ru>+66ou7!Jqv2HzVHvdXQF65ZrFa())V(gWM zSqI1GsYF+3vA?ZBYfe7|tJB}V)bf9OA(srjcN*Nhw=Y|pfh3Go9aQS`u+Wu&Y)!;1 z?(N69Qx!RGU2KpJPR3n9=I6PrtL#iS3`efZ2Baj{PtlF_RX%a5wm{byc~^=M{C06p z(lT74TzYL~#Ru;dXkIwT2G6U8hB=zWVQMiK%1f&TY*UV6V4)SqV6CVBtm?t|=Czg) zQZNp!#E4sFWX|luo}r<-Au7%+f+6-XTEzBPSjB)k~L zM_u&fXH(^R_#!3)l!n1?up!#IPHVxU%dGM8{49{)bo*WIV7Zxq?txq5d1rV9ns$_Np>N*-@J~krE}H5WZJ{5E4Ytv{U7z5%~VPE;2D)C4Wa? zlhwJW^e5>BBsuyVRPfmssw+$MR>cGvgvD#wN7ja#VJewvk9CR~;lhIuf%Fu|IJ+O! zOQ5fQ)@kEI;^^(!21i3Ah?hfZfwtENbpEPv%wJ2wY>plAI$F_71DNoI+mYN=?j_RnfKcqVR>I|AVKD-q$O^B;y3FG!j$u|Q z7*|7Z%+rLobEV0T&HHo#)9XCFdKPS?^)|v)i!e}g__X3zURGonMIfX|7oPuA-=M`u zp{R;x`@WLbf1np~EQqsF{tyeh&AS2(#AyxTyh?l4bo4&_*%a$d$cjhL{BH z)(>Ew=EhWsp{PM7)%gr-1BCp3P!)ExT+sCt$ptr?$D@YrQ&|xm?Wy(!)f2=?Up%n7 z78>{I9Avyb#-%AXyZ(a}ZXbzGwZzQt&62*sT95n2t0RN=E+n5If@9}Q+k#UX$_(@8 z);-1?ZKZ>`y-9E>1(dT4bKcxc8f7m%?p%$Ex0!aPv{DD0auG+npWIBht1bulD76#)p#%}Z)9U7%#ad1u&b?O6&x7+jWU*I2~Bd} zEr$`L0y#9dvT7JV-k$Daro05i-nkeugiRAL^d?x>6dM%7pb+UgPz!qru`|;rWHXV| z)xp4)W|+mhd`HHEoFTy}Y*Zz!BtSz4_Y_C-<k2d{QO?oKwl}&RK^*OGvIq_8pPdO{1l!?tpFq{A0eTB2{}+-TZ4X1hyt<;I|0EL2!3t;KbHDDMnK zxhO7X>}w=m1V%4tTesFRm6+rCjv4g;)yH3XqKw?;!`hF4n z-X`1tbf?^@Pq94|KDOyX;GLWlzRODcYvP&i2=Ff!4+(wc@?ng5y>uW%0LmtT(g338 z2?|nZriKa)4@_F*kBY>*6w-z(iP67TtCZ=^WW7g+fae5ZXVX`f1yGLkmfRn=lFh?~ z=a*0fn-C$*Z^C?@5_CkczTj6b)$*_m&ZjV@&}JJ{ptY6+iBtAndX3wPP#O7b6#VJLhg(Pq0}y|BS$b7SpmKwtaD1Q(4(s88KpUKB}(dmL2M4HzKlev@7XbPLZENXx^T#( zq6?Ad>7)I})a?zZk4}rQ%5`KKfX=-Q=9-d-WES<$wPrGs?X84Yv_Atn**nQ%jq1y3 zT#^liU-q^ctdT}f3%9a9u&agg>n-H4e%unZgWfFwfVM?aqsJL|3L-_FjpEJVEbwk2-&F3P#Fd z%rX-!b@_6dUYFwsSluL>E-lndFE7y8A4HK};IbVmymp(nh{L>=cvKH01<$uK4NO(T zgR!QfOw)1`r%fJjzH*0S5c4x*`c?b!6C^&5m_CtP+N#P+lLTfby!&`!pR_B>vrdb- zR{He=lLBLhyE&|Xtug2fCEm+7MEDS>Ee%r}vZ1)3me@MzYA%!><2$anleUg{w5NZw zcEEk(2S7bvQ@*Y;)4AJmk(&L&Q#ph~A2@{|ln&mgIY zIX*mi8s_zj03-^Tk}{!Op-YF6-iM9U#x%-Ikla@+8weu83K@_AldjM~&Vc#>?8*nN z74f20ic)ms1JGPQyE)6A`a{T!G~Atrr)@iM^RX<7su=mLj?{p|v{1Sa4O^c^)a95ez?6a{9^vL7>Y zhpQVsd@o+wh>Z9hu6^g3ww?0uwmJo(PV`k+wz>uGrRf~k7S+NHuB^l%)@%!1>e~=> zHg6`RH}#<*tEA@77R_v%yqgM{_TTf0%#xr2AvP>O>fp51(gB_O z6Ay~{KtVb@?`U^V;gO@4%U9xoFi4>keQN;hE)rA}^Tt1qKiI3MR!AFcj2NQchMRzq zrV+AW_VyrW(}8wY12BYM2ZI5;Gq`G^Hc^gDRn=|(t^%3L*TmCF1Hk&6_~0gq)A>MH zn{RodG?u^S0_2wr+1nNmG(jKE{rNspp@>id$;-i`EU_70T(sAHc#xsEYIOYw-3Y@* z^gQ%g3vfw$EMs*fj7+*V{BqZmlQ|10=Qi4vFncLOE^p|aF~CyD zMhvmWX_n34IA!k;jqXm4EfQf<@s^aDGw}@yCT?bk{cNFAKGp90=Mo6ueT)i_u=~kp z5sF2W*Nq(qBIG8=ik6}W&$pUvIS^pBiEBCK7PPwy)nCzqoDdS}w>cvCB18zNlxgJX z=e~(kz_4_h8fg4WtaShtN40ONPfi}t2K3`8F4tGQ1lE?X&`P67>zb;vF`D@BUpM&Q zdH{IXV}J-@lcjdh+mnk}HZ%_X>cfq2zSmm|OGZIUZK>x=T~RgCEUR6t&dHq#=-nAX z{)_&X04MZnOavn&IiVxtAiq1<4Okts2xT7Z~Wg^^{+d{QUXUZEP{p|VShZtG93yA zc0VlRxBTCq2&8cj_ArjMz5cg_{D=QavEH6PL%sfZj{m*GUo(sU`dpC($S-DVyh8B) z&OHBOnLquTuLx|A#ujue^mnfKjhz+ga=@^R7`2(Up8v48zmhTg9uGT z4~vG!-jfPeQgXv&ll^N<_NOKO`x&CcZVx~@j7(F0U)f))kAQF0!cd^BEThy#xW8}k z?@RxGim32PjUo-*@qDE?R<%+i@ir)@prH2t{{Es?Ay7i5misKF_65K5YJW<(*U8JK z<*H=DJmZ$;$``|(#Sc3>fO4=NT^t?5f7}u{5@50pNTFU;0l&lS4`{r0q1Lx>-8$!- zBBQ3M27-Nl+c9OmDjO&<^lrSOCr=VtG%x55J{2>ppw)h=G88*5cAZ=+=%08=DH7Nm ze0^r1gO=Sot6aK91_PWM?dd0hqgWP2KF|H1h-_S@|HRe*hkf#-08Vfcsklvn9UFaJ zn=aO`>8ZA#mI=R27g|#>sC`1|46DbZ6i|HjEOK`Lw{ZVA)`G!r-D}s9)VKiO&dCRp zlanP?O1D*6BS+IU4he3XV^9_@KE^1i?Ww99Ao1=z--@b>Fo9nJr*0jrRMYhfcGN<# z4=s9PpT~9e{j19?p4|BBGY{=$$#~w|#F=E5)=EbgT_K|Mk%Zmc=a` zqtO-N4wt`6{g1*WwM;LC6GybR84-comL{UZzc$G(gh=JA14WAME54Yj%(t7WeB2pD z%LNP(3%x)|F6IS_Azw@&GHyBT+g&bnVlG%@+ul~JM>g4S8M?pjAfTY3tT}@MImLscR5O z8r-v5*4c~&_WJS5moJqkasLmm{l_g2hTXVdOk^cdyoVEYvDC2M+91^}X9N zEf&9o8hxZw*&HjLk&vS*Ru2I4MEsK+v0?&BHfCgCy4wCjaxzt0yb+{PKV&1>_ z&1R|~V?+R4d*5^_dl>f%zT_%XoP-Y+$eIx#xLbsLtM!9T8R7;x6{G*75w#m z1$Jn%*V3yo5sT3RO`^)+L`j03$A2?$f3|?EobU;s z_pC4VdmAlm_WZ-<#R%#b@A{8^-Cbyxk7Kzw0n(@{j`7&|Y1%cO2bSayZDRXUM71@_ zG+TUqgn@eThoP^&b$2_)af1EbdH`$DDD?Wz_y7BQRwf`#7OU3MelJHpoMd*`+1Xi4 zQe2)1;V>tm+v3~QOR}1*oGhf8u7Txpu=4E#OSarnDQ{x509xhsCQZO>y_;GhF}S1F)v z10>zXN=;wO3-9#=ly|V2@za)CsHB^9MV2_@K7_kr_dox?JC^^JB?w^6;r@YLI7^r7 z8TZ?a0bZ63hx_|>gh9&znhx?uC~~4AQbpVf^z+2iCAL_AAK%Y3NeMX6{k^LDcRoP5 zHNtfB%6L?kMjDu=S6h=6hEGWC_B68|;f-fvpn2Mn2Xi26-859!NyO)X5$HtKcQ!`y zKTJD#Pz*d{5ph|${|^EW4^slf=>G8*aFWi*#KaWJSe`d@ZxAR{-%;&N;37R_{Acrn zg2fEbGZs`D7mreH6No{0ovwIWg_>j0_U5;&?{5qUx(m43i8!)sgs91W2LO;rGn1qu z|DRbWm=RWmAWuyFCw=`d`ms_1%VO1!s%ZM>I|APZKLB_?<2?`hKiXM9T%;@*fGaIF zovIW5+XB)DZ?z~tujN0fus^mX&kndU-%h;$`0ruTZxkc`2nbH_qfXra`bcr_fGgvQ zyC#kPQ9%O>fXm!fWOK#0q=Vll)Ty%3j8S^d^IvWcD+gI;sFi!`iu_lCVbB2t!&s9O zfd5y5ncp7n{y%cl>^QqU_7sp}dM2S_p_ZmZ?aff0rTE^j6JE>x%sj+Uv*$u{`%h+l?+x2eG1ORfFIWw59#|sp zb+D=*|GIc=$vMGDDX{HUYGEX;^|!Sv(yapm$ph?bG3&Qaf(ZilQ;JnKqm7AiY}!2= zqlHZu9yH9RB5oV^pW>IG9p~CFfGga0W;yt*`VSTMB=F&B__57s1sC&e&Oaxu>Z?8; z%;+SYE+{zJbmx`d+r8M-f3p4Yj1AtUGVmT+cud^DO6Ab;s2lB8ZPDd}9*B;GgllcZ z_Z>gXQ4QojTORn>i{ntNvcZR~KM~!&>8X3Xee)P!)FpnaM|?i```I~ zbG{~dWPR;3P{dk8EHv9=KVG&7XoDQN`S%Iq9xC;ns(G<^ z#cWyNTeIYH^No=S5H8DIw2R}Ngxon=ru9*V;jUWY-rj7^)#O1Po1E3nU?;Mx%bYs- z63j0B_uqLKZnaP>Hk?P&?t{1|=8yJu(;QxeieVBrL#{?D^&zAxQtrpt_C;U}_uu{e z^Z>%QigIi^?byRqh01O220&OkRG`Ura`{27H($5n^GK=j+>=ybN&*1iI{LLBJ*i)9 z=M=}LO4x{XfA>n?0rL$X!VYWxG;REm3d^(-mG}7(>2ew-d^)OmO07u5sS%1p%Lkxl zAws~M!W@g<_+Ql@fr3_MwG_nBYWI5v3!pvV{_(U!FC6^`GGCGI3G=Yv-B;b+^mspp z{Jb>Tgiku<84t6O&`+z$X)=G0&tQ9i-gHJpz1p5yW>s@E5u*a}20In&E8us$(F`+A zdfuDq*g5p}v`|DpBZs^&L@}a!cE;-`lj6QC)xLoB)X2M;RdAcT-PF%>Clr?*v&i?I z_WHd&bqD4PL7_&;EqPOsGVC)t1fxaz<4*#1AEBB(ACIIiw_1J1WymY$W;5p456WL4 zshTUhGug4PiYX~o{oqgySdR_b1FH&>@1@N$|(Qshj_;RlVL+o}%TDmfvEG?t*l9OK0jn7S|* zNVdA!dg^{p@DMPlc;mJlbe*JDqgCH$Q2*#Ny8(-*7mm^Tr+6)Sk;=y>J>F+2c&U>-Gg^)67-RDS?_u~jt20<#9#Z>VIL%)+>;^y!b5&MEn= z=>W)XEY<5Z)0l)B1+5|-P9RQmDut7)2_c&KR^7IyyJkK@mdMRso*j~xyRQ!g*&23~ zrEZCs_`6cOW^YZ^YsNoI`xQ^<&^(Hyta-UC)>6vvE^)IVy!yu8y`Mr~!X@5(AcgHB zR>8A%cL>@0;!X0=(;F@$mgYQ^<-=0m#&p!7+x5E33H;LP{ z@qn74{7AELH9exTa-+YYOk2RNJB?v@*tQ3YDS54V4$!3TJq8<%fyNyi6^0GR&H$|U zG2qWz0C(K)AkAVF6dX@NFI4*W@oa}qq7+EFHE!@*4-Te?LJ&ZHEl-H+{ocG6X;1q^ z_;~a9+}u2i2L85ExN%_g-#s0;8XfF5kt8`u+nTf67wZKodSW8}-0;=vRs`UE6Hs!j z!Cu>~j<)#uaa|+}yBM^EkV>h@fL@-hZbrgNoJ^*oXnd3{y$Ly8x4k_i>vo&HW*Y0J zUv(F@TooIfotmk&6K?2XN`FhZ@sRIqxk$xxztR>v&Z}G>d-y=isI{-OIfj7Nliw&t zrfcR^hoZ2Pl&`q6^MU#BamrA$e6tBfFo#~1Dvg&{k=Vs%MP^TGLX}a;>878>+;z9j zhG~d<>}EgN{S-aH_=3TRpjwW|p_QmoZ%)bnZ()zWr$2jow&WyIA z9r?4UU(=6invY}i5QQ|p3cs2bK`&n*n7*cDBtaE_$Pu&iAqT;(y4@WDlOez z0@7VW35W;?NcYe=bT=YhLpMWr4L#({bG!HP{NDew-Fv@Z-s5<`Jl}5SfP04PzGhu( zo#(mE6@)(Tc1YC8YDl)U`f+{a!3m;CpwaBmRpWs>8Q|x78(adxcPl0G?N z{?qgJZ39o|!0X*&#>XcE!vie{WEY{^4d?z$g}yKH)LAe$tQ)Y&5JO(n(F=8b|N1WJ zhh{C9Nh3p5h1p#o%M$b50Aen<$L# ze3j*wfsxUi_D$+V0_pl`kGf=)Sj|F=Ls-nPbkE4))~M ztF{2*C&z=*aih>P%2)vj-9*gi4m`cfCKw^jpH@HJ8rXARq`mq6S$}PRvi0HGlBcG* z-%Xm{^@yR#rrrANwpJwaE_u)9;yJ1fdCu{p^ssS{t!`h}t|51VkO{E= z@NokA+`X2>Oh|XoMW1?3>$fo;HFYPxS@OK|n$o5pz~xz>24?qCZ{BrVtN|7ojm;|hqgO*0Yt99q-B$Aui%Y!<@f%QK8joSG`htp*We$*{z^DW>n?!KkhU~qW1SB83L z;CDyJ4u$jW7QBSs9%T^Uh8d<(6{!{OddISoj!#>@^F0|a)qdejMC{Wf1<#Z?x;=p6 z@a**W+)6D00`?G8dhsv}m|17Af^|Regy?PY>vJZXS!u&Mjc^7ttX~}S zT;a-jFPgn1ok>=-inZKVf7*@Z%E#3A6Xe*dmBkCXj+2Z*Oh00?>MDpKlOF>e!w*Y^ z-$*6}aAf@Syt+8WVmVx2!ENE1wWfw-wfsaA>?5`J7@SlTdRp*7OmEu%{(7~p-PgLA z(wv_8E@DGA5|RVcFD13B<$_m$q4%E7_Zf$_Hr={I10`7F`FdeK7*8$l#naWv00~al z?U6p^h1*xan|TzQ0H$?Iyc%>q+znM$!djVMCodyKki~lLu<*=&0s=J1SD-b0l9^py zNQpch(bNQ_Q3dY$`K(f4AGZZMa?cCxvAykViui}QV|1?fEe0UWRCt;M?o=GSr5qR% zHGJz&uFlC&v3Un3ao;zUl^3~s<`{rp<}Vt?e4j=#>hDO@kJ`yn9nFbFxU43m0U!lG zmdkDiu;W_MHt3Ys`Xa4mi9_b*qGyH`dN5m+0L;(8c1$0svF0iBGj2KW#P>^h`by!E zciWrCKz>D`PPv#iZE&NQ!GVDpj3*)q*bV5gE4p1^4ddYzTTYmnyQ$hQ6T+(+0pV;A zlj@HLh7aG`!t(nzzCVq^cxYh6=t;_xlj+WwxoP^Zc*F~{M@I=p&l-O*sg;Asun3Be zx~Dh*5Y0LL^JKcx0*h|#piqu5W@L$jg!jpQ)mX9q*Xhzs;@b~Jd=OLYJ(o$h(khDS zPCOAOO>TGLTZbKIL5+<~Y`n;}U0Dl(ygp?KKOlOHvAjCDrG!q&Q#=-$kgsw*;3q*q z1(bIjtCo8lAm0-^bDucav_Vg1I|J&vFd_ZvY(fUmrkn8c?VPVX?zPug&gW^YeG1!4 z>cZ*GuUSIK#|q<#dF*9YH0kNBn=_w1=XscVV3+s(`h6uic1<4i?ninW`(&zZ;xdTB zx%zgv;?ZTFO;~*B8m=yOyX{h|yzi}JDvMsdC=t8CI+j{R067*;+PGcwv4+K7rbCw| zfOW$vj}$fQOeyv19a?qSVuv5WVNH>o^oK`dzW^LKPw;f`^bnXQ(BozR=rMv$5xHdU zvu2w7j+Ri3cTcf#Z35Tbm6BVoHk%?G_)Rcs>|i?XVP(f_ehwG|KG$cigp3T6RDho97AKZn`{gkQD)?BX zV|L1RdwAGA?#-i~csJW7Dr)Afp&r|e`C8w=s_<2G?W#`|#fGhVxdcKyaq7zke8aorF)K*E{lwR0NBh>8bNmj+`GcjIsl z&{;mTNpnb9X>r}RryW7=s`N#R$Ni9;?`nN~;l%{^U^uyFboPkNs^l6Uo}h!GmI}MK z%#@wwu8kq)bQ4b9-R=Y%$HNlXkFCi_%0FxJP`Te&+F41BXglTVlM$m7oV^#lJ^gl_ zB|0_zcU8w{VXr30=ugd3gICM(rT7Edy^SM?6EiHf;!94}H#9xwhXyHbT8zk2R@&-& zS=&oprl_mTho9aST94(0=PS)tc*cCVT2~Ecn%qm>*jtZNq#t-U4JJ3U1aJpx5)t>H z+vDh`20o27*qcGlT8l`~SLdmIChbO0)%xZ^+`ZuH7~Nqqrh{ZD79sv>8yXT;QrW4- z5`!e^uq}uj0A#QUzoed+Jj&9`=iO>w9*j+=n%B&DUtw2JrLQd*BzxC*)i1lQ-NsjO zN@{b}M{fTFP1yb5yt2=;ZgR-Ed!c4nXm3%xB6`Or>dQgfMDD7`%~6LthOUKJhzV?e zmU9D8iaSDcpR)nprFV8}s!|@5o3E#}%^r@e-~`Rvqg)5IX=kS7>JG+EkVnB@f@WAy z-}>uaIkSy^8y?VD4rTr|-AU?XcqUcCzS8Nf1T&qf|mNq1VRG`PY?5BA8)KO*6M zomG7FjIO;3s6#9Sg_)_mk0KziD<#A;?;)mi;Q|MJeyDQ!^sn>PNAI*PDK-n;7d;0k z;BU#1a%>I1l%M&)F$}#9aKRiH{(#CSWBE>*$8i(WZwMO zTEoR0SqtzfZgi%~47Xsxp2b13+S(yFB3Z4~)+Dpy4!6~*<+~iIf8co;Xiot=7cW*P{udY9hnEVy53uS4%{a%TC zYZ~q4c;LS6tG4tSy|*?nM*CYf>KqC0e2wsI0w&%U$XUEs5R~IjZw>;cl+?ieGM_V{ zI$0Dcr+lmLZ8AfUGKB8R;`uDUt{+V2X;A-H`5?`Lnaa?;V5e>-Ri(wR#VoUjyG*M> zP_}O@S1!-_sHS5#qiH8^&oq`cTgs1`2j&8yUs$X(tD-}c&hX1<_Pja*ti^uLo^0D2 zG@ly@w-C8Wy1AMI2o}$&3WrHKjSTD8b|7Z$i&U{_*Se(&jvZ7uL)MP zzQ2gCp35q5qM5gKFb`)`8?$~NDWRUTY!jP(qS!h68O$DmL^_FAj3eTYBI6&Y&sk!@5J#94iDY@;@LiO^1jO*TCQ(-gr{`zVm5A zIFs0m>K@~h-3+A;D)R2#9)$+>*2^sN*Yk&Fe6osK;Il)RuJ38elC-mw|Ccwu*E{*v zZ%W4`?T`2#OY~<+j1uXQrtbsdznMiG-R0SmnnqWFPOpjX@I9fnrSSsgkNyv9;n=Eq zm#6v;?GoTP))~M?G7L#`C`7RTy(6`1NwdjR% zCC>D?=O`%PCfThC3O_oXUL{c8E@<+b)X?FMtQ9t>u!?LJF%J{G>z)%&==nFi%0`T6 z^;wN~ZRVi$0WnLdZXKI!QUDh9P$(gD4uA;S`B)3wOqvGq)D~sRvE5^k|FvKs^#pCd;fW2=J)%?6iz@G zD7staq4{9_8+m=+T%-8R5`G2%J zZ?PG~NpRUDZ z5tZG`OiNejgG$10}OGAfkQ&fXPD90L2g2VelM<3Dw{28Wyo z)Bq3BLh=Kx%>}?PGh$Ne{hKd>N{cIe_^GERvU6gdo;$gk{eTl!%1ArH7*15&TueAS zt|$U_m{b%v_`uEzC9RZYVE=VokcDpSF&qdG&SNe!0fSSB%7N0O+6SE^&cH^~Q+n!e zjJqe*+Pb+Z>G$@5xwQE5Jt@9@_k;PI0g_jwebe}L1H~9o2Z-Ap55+(0UB^f7eWNr| z-^PLD%5~=We|uonUj4GNEzSw*AbP%V!Te3__}2xWg)hzOSn3^uIT@nE?Prsz-y%>O zn{UVe%8IPy{haQwd%O&_XJ|Ctz-;MY<6qiw;StC11y@lQNCJ_3mL_fw4cp4+_r(}0 zKFxOr_KLFU!ojp3m;?lLUYc{(+QGV;?pDJ_!EG-T0o_8&)l=sUo+WRRWQ?uqf>SE# z$ha#@%cwWUyAXEEF(K z^~zI~58_+4()}_MFt(m!XxDpSdQ;jo<=W{g)Yqiu$#lDJ2RXw`ba={M(&O1P)EQ3p zCs`Cp_tfs3EYWjplyjQP9D>J`4{5T6SOWh{Dn6l8w@HV^r#FzJY0+Az8Md3O85L%s zkuj;UkX*;eFV_*{0QLMnbe`Ut2ma$gz#Y5T@Y-EY?{)G%KT&=&>pa49zO34Y=qZ>u zf3QCp5hVrwrjiHLs1rh*_rz6fHnN@PIER~GobPR=ui<|rMDu+TJ5@?i;RKA->@0Z) zI{T(oyWAZ1I(QN>!}jQLXhK&Qu>|eG66z70(slaU%YS1*wX4E}f!V!Zo=1{VwYJ2N zT~+u>ZHi5sNq4%G5VpG)-6p(k>z?pQ-`$33frOx(rs1G=UT=UvzhK!&&XUE3jpS!N>5ioO?!sSf3_R=pyk$G8ZF*cEzu9p;;i$-DN~O)?W!@ z7fv`{YfGqktZAeBFlN-5|Vx$92Q$*x_=%aBB7 z4rH`+7`kv4t=EPTLKhx9fD$K)Q-9=v&tqsx2Z>aW;}DtDrni@3S}z zG~syMtrrD`ZxX3yg9sbW_RUWg`~rw42+p+!|70Y7fB^msFwnRpWO{NG#79O<_ZQZ{ zfWtHC*uTDKG+MmZz_V^`LvE2Fet=ra^sByl?~y++q=Z#B2;@p7cryo4roFN#i|wh6 zHA`#ao%cRJm>-7xO0h@E8Gsnw_R=2Ul7jjPXu!P3QtXlEGnFrnYAj@CUBrA-XS3{j zA`W)L8w}iL;|#P$rcAYV%GekT*80b}r}<(acG=zo_fj=gG)e*de=(a_A(6oz=3M4( zFEo|a{k7-3=W4(D>cv?b0O_sg#3+PTegZZ@Bzk|8riZmlX5MqZJO1 zBcrRM4!n(x1VcAMN8V{1i~MbEW{+-=lo(exA3kP3em(G=Sggq5U1G)G04#-DqSMk2 zz`2z`7b}lE2U6(h=PMu`H$^q>mAVizA}ceMl!?u8!!7|@)S3ejP&96__r@e8wXrge zt=#m-v$o5YzI^vp4%c*p&$PSxXI9CoI^k<2C7{1{$KX1c%J=6f{qD|~Fih@x?Tmcb zFd57j=4@tpK?(4;ZEP_9FX{3c$>*z8{|e@OMwg8jon>`qopp<|+Cj!mH12W~JbU|i z-eDvT5A7KGOuCDRtB4q4G*j+s5es>AcUBB?o~1`l=dY1tI= ztG|7g4wAEgx?4i^_0gyAGpZ7?Xf1yq4%=wh0-s)!ZTSiU&(3L5T@&+hdT=21CIBZp zmdL-D_-(W*WQIi~De4(erRK1h)Ch>B`htiJ7=UC{q~*;lfNXmLtyo+#Dy42I&0AnE zex;-UI9`hv)vgfU!=YflCW+ZEnC<<;8O?xCBS-s6*gFS@mPSB`*rl~=wU8z8bgzQn z^@MfWuJwv%@rn)5(73Yr29)SlnSvvqD3?Bdr&?Ot@7w&R3lO zR4vJZ0TG9c(f1NQCnsuVnhHFxAAzsi0Vj;iXYUzZf7RM9Y^&!*RPnb7Hl#I-Ze3>_ zidkgq`SgE2nJ6x3Q~wq?+Cg}bm9(Z?Ew~Os}4+NSI=i{j#zn-c^ukgD= zU0A3U!mpdQv*ew z++H3#0d~@T52?P`3!DQ+%(`s#%V-xeVmnWH8+Rbt zw{TP1@lo678Oyf5lfIdguVswTfJc*T>-$50eB zi3YXjwKU?f)Zzh2Tz~P@1|ZOHMgm1YXkdehb#jm4ac#R-2_n{PJPTEVGPDW4Z_KzC zi-YtLhZXU7ybQ?Wo^)6A^{01U8X6xl+R_O$;E)tyV7MQChZ6UOh8c`qUX>vuN-3~ZsW*Z}Z7j7L!A--TM; zU#tEPDW9->R>F=C=>Lqi1r>n1Jl2M%I)DTE-#2HUesco8!L7~6Yi4C*UgsRcHl(sK zKHc}Q#_5!M_aoHGY?dfnUBL;x9+g#^^&ec10iJG&ecFJm!X(h?9C?Ex&3&E1V_(Yn za;nL3?SbVq8|r4b1tGjWL<P599+82s!y8ce755bpmX>XUjrRMQ2ri`zQ6<&Mr*DBK0C`}vgwpRm03&9cea;A> zIqT_&;ta%=6iM7HuHY$7q3QELi4xEi7Sp8{rO=0D^Y`dAk5V{x@n>s|?>Ez~Y7C{r zDa*efB)rgTJdR7CwT6<n<1D7;u9%D*oMJBrCx2d( zm*F+_Xcx4o@kGwjDw#B2%=vu;(nNF(hWih2oS-?p{8o1Fp?uCJCE`yW=gPH!qI@rp zdyXF|%-kJyXt_ft8lDlokfPx36za(gbDomByN-(6VIY9O0V173RrqnCVVzwGr+b~t z8dL;@=D#tRU>Ff!5`mWGg#bJCzJ#S6#9Y_gzVlLri6tFxFqidXY8q~6)PS=e)nA=! znnh&O^d@u9r$Of2;A~0vBc61YXp`I6sx7$LISEfEyKgTOao(}9iP zcHzrvbD`p(F>fY7B#B*>oUk$oGvI_h-zQSz9TD1BLS)>M#t&AhD$x-CTDe^`&r z-rUJ|KR1liK*T+kNB`q`Z;Zq+l_Necs$7Dkb{pHt=Z10g(l{SF$c2 zuLrOp_)y(vm}z#WdPAfbetDpfoj;}A40S;E<=FUG9H6*&gWRY!c-Iuu&aJgtjqD>{ zRqw6DKkN#vksfuaH?fX>E%r@bGwHTR4-}%NsEB9llz_a$@S8G@I|Jy{S}~dPcc1x? zFvQ2BtF49&@rto_T69D6NaUWRlG+#N_*!#0Q-Iwsng1t5P6zT-~SW}b%6gn-yMf&+P542kX!#AA{kCC>&n`pgZQK+V?f`G@&~ASb83AF^O|PRm1o|T`Js9*egL8}7Z%5PPy?MJc>5|)aON5>RCy0*qoV*Vw*baMhTb56 zw_y?CvX%$4=r;7E=cvIoOTuh;rt0stsU$FY3;!Wu>i;JC5ifzGNR&yCC?ND#efe3r zUJ|!;eA6%f0zvZVu(*;w0~qO9@d?pIOh+Cs+wd%zAq;ufH!pht(KL)fA+PSuHoB$l zJJ(vCBJLJpx%7j5&aqTe6ui846+Q`#cMpdN+I=FNBl;WM+g?^BluT|HFh4F7L4p1H zki7edbqNv9qR(h{8O6$V7WSQG#z<>$mAtm{!djWcocnZ*?K7sV`ZZiU8A%dke|(q6 ze1&Q7?L}Q3I+JH+@y}Yp1bw%t{15E{Pv~;Gt{&~KVtRASkDQ+li@4URHxA7fF;ret zo@+I^g*VwIz`&NsTTd~GdSj(#J;$yt=+p;h@$uyk;Q%*oI8pWM8I|kANFoD6w(NWh zA|ZG^9pLmE6xxCshM)~Emw*u^Z$@WIY1y$C zRfS%4VV`;464?Ty6kThddUqx;Rm|_PTdmM~FT){%e%hWyCEvUey`R$9(m1o~T3H~V z6mNcAqZTpQ5+gRRjC@j~4x3Wogx@I?g@5#+;gtd`Xuc3Q(O+asf}fTw7t zHYDna9gRzVergkL=Da+s-DG8$KIWG1Cjfec19Tou1a*tqfo=_T7u#sBFr3RdF~6TL zeG6;k8-_FDlFP+zK%I#douC#@1j8;8^q(uRte@C8)|qrUU2UeY>j%k>%CYz=GzZRz zhE4YN+~$ZW%wkNUOCw!_tU`k}jZ^KeBi?{TN8Z0?2Y?nD&8xUlSM1KT{aDL{nj z2M>)>JEqZ1836DMS7|jNuOZmEi7b!7jPUbl$%l25{KrLCl@8jS{5iZEL_F{zKogw8 zZcCzyQ+uBbw6c)s@Zeum;lI_7_Gp$HP1nUjzthrh)=?+Rr;uFz0n$nV_DT%W*;sZo zU`}!?i+w5E*`yU)GK9pHw0O9YW)xTfv1uN^209mf%8lBVGXitNmFEwxEZtc7s6R-$iJpU8( zt#a4;5d0q1q}Axun#;s}16X$>X=JId_N!{8_8w zob;{}nG6=p4=Hc8AK*M+XXLTf2jp_(kT}MZgti5G0k{2f<$pEa`Tf?Sxi5dRwlT?T zR%QMUCQ8DOCW_SM0MQ6*xtewZM;Ot|jqG`?0j&3b5t;JVJ@T6gum?JFa!Y%QMR{il z{v^Gz-UFmJ)B=c}@MRpD`tLMFVPR=`wBo|7pOY;6~i)K93P&bDoG=(wg zfYDAr@n8IV{!b~tN)mvc+-p(Il_f0HECVlNC8VS}J~-Fs^XYs@@0ehQR# z@#((Tj4a73GA|r!OcU z#LK`QzxA!1hN9iwskYtqg1)EId=NWbYF$01T$Yfr>+X+P@i~jP?%A1K{RWLMSuE8& zhIA&)mfr+>7%%y944luOH23m?gQ_(9l8cAzLhXWU!uv=QP zXMepbq_($cBPA=^2=r+wH|T6T;iWA>J?WA;?vHzUX_ariss>ZQtX28N-}>=g z?r-QViKXSrMQTJ;mPT>es7N{0!s92I-}apZ?R{LW!%p?2W}xr*6AAqL71At!F zny%ligkyQ~WQ7_f$;4Go8?xFhpc;2Lg3ESpVrUJIecKnvT`GY#!+>b@{>z@FM#-Y- z0y^dd+t`QpKJ#WHHJW4%SFN0SsE1{d32)$v%mgV}Sh;1bYwve_-Uo{dK{7fYy1HV} zGDlrTe^S(vP(*c!^5rNB@POv(X-`()r3cZ5V-0UF==oj@7~4IMjVMy8*pM)L)Nr+4 zB6H$6^`7UVTO^H69U|ez_vP0rGGz&;kI`vdDBlY!F$q7u&l%5mH8;p?INh+3MzZ}Y zIN}k}9?k?r55PGnu=7^v5%JD!R4gd( zYvv?w%LWn5|JEKV8wIS`W1D~U+A{(`rcDm4{MckE{p<; zaA{Iivx%CPhZ>fA%>WXW;DcWPr%&{-ilY6ZG|g+F2M)!p(_;$1CcGfYg;AcRGpQw4 z7o0ost}BM-{rT}{ZBkR_IH30$vB zoe>%ayey>P7Pu+ARS+cGB&2aXIWqfpYjMV9 zt8Ey;R}*R8(qs!_0R56?Zu&=;T>Q_-ol zrLoquV`Q*YyWPYUSl8HENP$7Gczo+jbxT=vj~bfvVMz%%PT7uZvO+y$=#IOuzbZqe z>_0dR%ZxhcIo1w@cJ1k74AAmWY)P(A@On!V+uv}efPMe-QS2X0FB;S@)(tR{PK1o} zwHsw$dx(tsT!04uV*(ytp5NV~NnM(Wl@7Ji5V!D!3(=Wo9(F(7>UY=G=a)li$z>lg zt+-C|)$u5&%9$9XpQ`5D$rpkt`G(N~99$Jf5B*m_k$d2UmVkE~9pqn@pIo~iz`AQ# z5?4~YDlB0a}aFydi-3WSm?LHz#37me36Cbn+xmG2Qvl3U}} z96st>eV`i@ih6zNaTWUPA#+^*A+lgZJ1~~9_6HDm;yBra$H?lEpd_NIep>sq{$uM1 z&9+0>Lr>pZtJYMX9pwPqwq*dw2h-!nf{p)v`hQ-~O1;oJ(Q_J>>x;I4rZSd)V3e88 zlE5yz1S}=Iko|}4B+qzhgnGGwqXB%k{57$_R1yB_GB8kOWwdD#F(%6Ed&U?HLQHWU zhBcgYj~mWsJV&u2(iwr69)clm!fj~ zNo($5yp9S)7d8$PsB7Zk@v2%Hf*vj|Ec$vmdoArJrlqA>!Y8dfYjhTsSY-)X=*6%< z|Ah&c{zbNUWAU;w>zOu@I?Z25sx}izNy+z;NDdCj6Lvscft-AE%;%Ey$sp2>GnF-# z{>~>5>)y=EZ;V+bV#`q3o_zm}Zg$$EMxt?{M9Yn=$VhjuqcG=MYd-WJJz9Zi?8(&N zor%dPh?NexnxiajK8@srx70kLZss!u^5ky{-LikK{@<_oVtzn)tv}#@Vr?cXD;p{+ zFJBWxQF~A3ai7#3tYpyJS^gaAxF;Yi+^n}9F39%tED~N`?x10r|zh&&^vv5 zD`HDbE77Qr-1JH)!g8EMFXV&e2zwl4_~2mH-#W=!dbZ9vr0^*5o3u8c|Dqf~Gr773 z1nc7BS!L9{vkxxXj`Qc$R`l#~5?*;(O<2IGG?kQMS$b6?eNC%mpVFe6{N;1Av{-`N z-=QkZ%rs8V%W@PF#+59;A4bs0=)XRE@gQaTjiXCU+(77LrvBC!`R0;uKhKxJJ>mwp zE01f|sf0oqzO!3=k2y}ochmOf3|4S0L>MH4v{s9riNRNa(~D+{&psDumujQ zXQt4^eQ4jY!uB{Uf&D01Reo0rwbbOcS(JbZ+MvcHLg%MqOR5$(+X|+i2ot%TV1s`! zIx%R9{Z%2D^b=1ib5(8RXTK=3nh}Lj_fH3~E?fk8km54t)ODVYIzM$=_)$eqIx$=H z;JihoZJ2E>o}r`{QNe$;v*f*uUr!!$+9bkPh=jxaU@GW8bBPF86yA>3Q`RAaVuGJD zF!O*2OunJe+J)MyjImbNMKjUrjC303yj(bT=QqRBun_khEk_c9(`VP$+*l^?%|p9J z+pZuz#jEvrmL~d~`X*hU{KXlfpR*Q}-5+~}J8hZ&*ibb3&(@9qXH6&`d05<)cJ$eQ zQH3UR%gGaCWB2yA+nia|Wz!fvk2owy^rX|>z5=g<1EU{5ALk6OkP3C~<#sVwvf&1zrrm|Kur*bl zau%1e>b>bX%&INYF88R7v(Tv!-FYhKxg#a8zsUou80k4k^m!potsKk1cg0zZSFCsT zT(Tzn#%eO%@06Y?dT++1huX~P8fn-f)Q!d{J?)YB2Vn4be*faPLsba%hq^p0tmc?K zTU*;*D;6}*`ZSMcn(DxOnnm%nQcD@&j>Zu{Tejwp5f-$m1MUFRf zcS~Jn&4Ml$929{pp5roHsR9k4#l=V2)UBls*5T=Gz4xi%F;{Y1#DVY-4hY&!Jb3tZ z^4Mpqr1{oln7gA$TCU@2hUta%Fc)*lk$+tOeZ|u0{Kr0Clbmm1;DcOi*@?EhvdG|) z0)LF*an#rzhYdVGe=;P{H4_m+`zO=;cjld?@R_YGD`H~aNJS-DR!**pGdcOW(%jdT zXe}Fb4G}u#o0nP#={)mmXhl~h38W;Hj)i=Vl^-Oehc|rND69)k%NTxgceuvJ>mKUn z9brmfZ4Ih9RB%V3Pw^_f6*Z2EinDUXos#|$wlzO-e1B`wNja~pr>D@S;_S7)?_|%5 z7cH(PYa&{Ow|#!To&92isndQHs$!$~Mb%txg{X~Dzv|F6(kF<`i(ric+&a+ewh>AM zi6|>o;kl$WHD7SnBLhr)RaPiV%dbl^|sRVIvUY@ z&gdyvHE$^@@7Le3zQ)8m)7z;lwv3KmW9`B$wtPX4H?3<|aYoBZWKF}Vb$3-|ut%g% zH#e^;#jaIhm(lAlzFx{+qTGfWI{c<^A41bvcQw1@n{jcw5__G1Iu?UapeM9lEt>7d z)J34%5EDtE4((fup2Y~3nLFID`<659Ia=3L1*f0v{& zed}=>%rbunorP;5f{z1E!#lX`*oh_K9ibJ+!?Xo%@^6YjEg5)eYYZh*8#h&V-^Re zBLDGRdf~tKySd@{@o;~?ild{W+a4=xg`uT=`uC7M$)7mFcHKOVZl5&3nwHCgQ|n69 zqU~t89UtSn8z1MwykRcW&u&zpsh`Tnh^^<<-#FHiuF3nglG`FO&xF+WaoE0-Ct~3)b|r^EaaQ z{V4G{t4|Vz9UD1ZLD7kc1sojB zM307shE%s!vpi_O>EBC`&X1UY+}ZHf^OO8nN7l4nWLfr{YPqHnxTOcL5A>3+slc{NTw{PfEmRrM%k?)VYAG z0*fxgzkVbBKBPp^@WX(j`At0)0Lr*QIyyRvs!rz=aOUaLX)x+1 z56;@zp|d+7sh>A+2*hN z2L^mJdh+x0=XvNwL=0cjg~l%~8mQ~*m$>)X$Op+n3VB6i-MjVc`u3&bNk+I8sF&9>!A5ht}MziLq|kx;{v!AQrk;(6_7alIw}@gHQUWn z=`a=zk;UWa#O)ib8%5OZcQz~AC6ICC^=dX#db6m2pU2HN&}C9M*1gsHnBB7{=VrUV zkBG00Zj%g-_D^meOh*|Cj#qw=A+Ko^7pO0DHXc6G}~+Khs1Q0M33arci|I=`|%^=Xw)Rn6})I}Zmxqx+M?)gnEVBG z5IyO95UBo8h=@sRrHp?1=?FRgWc$bYY{??F|)+GTRFOy*8)9 z=`9rp_A{ZLdpwYMzEdaf{!6YG0_HyC&W8d60*E)zMIX;L&~_m%^qnsPduveT@)DmR z8Y#Jof%_QehCs$mc@BNg-byE0k!;~lGXL*$vfd4S`$SGlKpz*QgQ~z=Az~Ux&&w3s zlY^cmih|MggR9@_tGs&$mf5Q8_ih@ixNk767l0mkd% zOIw#Oc6tvnY{z&`_+omi^{DtihN36fKu1Vt0Mq<`Gs^l0MUkiiJO^u8n1aFoyW=U# z@4^JT$R_4LNArJXv_`T3!)W$@Z~Fi7ntn@H(d-CIQbP|74J}5xxw#b`9v;d}y1V`1 z%lvnI`F*k6O%3>IlI{7PTK$(q{hxnA{X5e@AJO_RoBE%R`1ehN`omq@JZt{rF8tpo z<5R#(ju!1x@qa1s{`sp8rog`0=x$tU*7?tA+dr8#|3|+!<2^2o{}N;V8Eon+fZud7 zh1nah{%3^vpER5(I{NCXf)1vC{zp82`2#MKh0V8U+&*(IlS@nabMy0dpCOyH(V{Mo zj;=x;OV$3ne+fSX$O72h@5j6#AtAximA1DpBYpndfpG`SZQ6|k@pW>ll>P7_Hl){g za(X(SUqC=zQ8Chsc2nUI8ZE6Ehkq)ShG7J`Fb$%PrrJpf~Pzg^lobsp6`@0YzYp=5!(bN}8Lbd0tVm z-nx$E$MqsBTU%xMa9nRYeattUI_PwJr}!m%76Sj~`Mo9tJa|kNCU?g3A%OX&x|&+f z>gwwLtMl{o-PNwJi`KUH07muOsuL*bP8rcQaB}MFwOn0X3X+paxp{fFRlf@02mahF zsVgWhPBM1QYb{ma=F)ovd5mpnh^FMS=s4X{RPC~u7y-<)FAVrKTjVrq!p*^vC4A%3 z#1C2@Npu=atVbte(<`1To_}5)s1ysItx=^At`_;EP4xF6^2Y^}+D9BwPZcGl3@mJH z!dRv#X>adloo0`UNa_a%ICywB>qDu0sDGle*)#+b{-YIoW{;xPhOil>tpz=zj=(FRXw9{%I^kv#b{8B_Ugz zlhY~XsG_S2Nlr;&&BdfMGd@QP!lmKno>W=p;^KM_;-6}IfDUSGQa^8~5*wbFoP1i1 zgZ+UVZT_%%S}JL5YO2W17g=c4?9r}L0A)+gUM_k_#FUpi*VzzYJslGPb#vW3W8C`^ z9^PJZR;oWNE)wJ6sCt7qJW+eX9>LgG$i&GkM+jxBB;4+D-YnW+))-fzbtz^cLGv#> zy8Ysi#PaWUE)M}vyso?LX))HHesfi!XG_hvmBus1Xrg4*<`B!zt*B7u=H}kfAFzEg z_l25P)%)h15*Uk+Z1l?q7nf>?i1*3Lmwhq;LO%a7Pwf5vEo;am+z*l568ZkTfph91 z!WVWO{>(aibn7y_+PM%S*Md5P)1T8ue#e2pnuMvGamy91u6f!Z&z=by28JcDWs95P z(3*b_{;B5S+wFW;{O?dR)!#%_wmV__YUbH?H0Jw9dY^-s91v!uAMLHJolE8x7wwqU zGW0S($fJdX$T0EI&NkNjDvz8a5V||Jw`esPCYjtCYz76YHQbY>6)u3fLOrWKC=f?l zpWzA(vs=YmJV1T@Bv;N?zfa6D(NL+NoRrGZL`PSLW*Zb95cE|v24YZ3T}e`;aX zGf`iSh3I7!ZL3=2ZY-~gynOi74Cla=T(*crmvf0@O5zWO&~1=wYpvu;nh<5Xmax}# zj!wNt$m9pmHBQ@5d%uI7Oj17)!k*|IV~Cfop`XFwIc?kd!egWF>+9=nZ7R*ht_@muXC+me#q4Pw8N){}M4_*J=tcDJtnNi3{{rPd?4phBKJX+J1}sB3IZ=j`QisBFnh?BEILu&}EwHW3Y;@NIqnz%YWZl<>v#$g;L;6D8Vo zMYA60(b11Id}5xrzC^JY9^k4<^S=7pFda-7Uh}kw2i%rQBEeo}c=4Bn+{9*zU4_Y~ z28te`29HdGmgBiFyWoT7Pv3c(DjaF(#?Ieg-@d=m7l;B=EzG6Zx4dIDs9dnv*HB}t zKID(R^YBGuoH#%7Sg$CX!xBwHgry^YmZ@kYto*yACy&~{f>T=cm?=eA7n3D~ z+lf!6qUj)T7|p9!9nj5P1+uPKg~8OM61$c=HmVK(RwFH0!L#i(VP-!^8&oT-@mm0G za2uv20TX*!^?dib5Zz?j$#6zKgwB9&wWHnp3b{X^cLgi)uYgQ!#{@h}l zR_>^MwYk#Zexo!BX*g&VRa857r&4SKM$Qn3`ZqoZCVJ|@r9pXpcPE&3&~W9;Dy z&{$|DUe)=(*n7*Mw%&GMxJ8N=hf=gHt_6x~p+Iqm-~oyhcMlXOrAVPI?j9r|xVslG z8YH;828W(>zk5G>&-?t}^UnExX86ElCNp=|TKBrI>t~mp;~}D9_jF@WQjbRiyiUzg zs+q}Gfdd?W9$bR1=zU49Y2g#%)s!$XKm?#o7k1S#*F9ck8ianDVU5MPBuI18$^tbm zz@84Gs~pOtprP~{EjJ%-u`XQsD~7hsv@N@yU1~9{f^A0-T1`r3&RL>9z_J>4s<^sx zFA4mpX$hvbR%>1ZkzG8XE026i^yO{>(G1zF0a}4vU7Bx%-~2 ziwbd95WrA$bdiwhaUEb!$f-6eua(-5BLwq(w}YC3ud zcZ54+-mq|5t(14m2LF^TYwQzPa$l0&tsDK*>CnmY?IQcpZ?rl~5sP9S!JuG?3s;Bm z6a3vuKRnDAH%kmh2dFUnLG~vUQV_WpSatT_nFbRfqb$t(K>pEhyi2}MTbK)l@wcXcpdY6nR{G9sv2M4-Z zHe!&ZzM74CyoLxBWD}{eWH9Y8GBJQfX%sOhaezucO3^= z(3chO!<;EBamM(*u~_3RZ9QtPbFZbuV1M)9BrB1L^9P`Mhnp#$ zK!-lZV6jTnk2g%j&?o`A5lp{vZas-K!HRIteO*H1X|BiS6onvTPu7tSAmM6?R`ksf z(ySFA@t}*_A!4m|iCwvYnpn`I3iy(^RWLp;7a9(yCon7rv*JzQ<=mhjTq~W1)LYNY z?+%BwomzvIm`3xa%>eHgU<#(hY*r3?4`!l5Q z5l7JH>DcJC8?6(`;K`;}tF$layA3V1-;`k2Wn$CFfGjUY%{@vS?63kKh z%%J+n?)uKAKNpUdto2d(|0sXNU?HNF66+Y{-%tjw9-&e*O2FXWRy`A>%jeBDcq8I1opI*M>9$bSf#46{~=LN_7OV>BdM4%~z~wAedSMik)1vlDe&78gs} z)61fDRMmvxUwETx=~9&rNsPxes&$&lKHdX|CRwuvE=+lrB{L~M0d*s!f6#q35DdpB z?-DMT{0FtXQt!Jyc&RzTtSZi?%0MQdwT7b-By}_VL!zADS)vgX$0a{!^6H+t?4^i& z;GZUa$3aTgjBH~9x!t{yCRE-ErDd0gy666{7fp&7&fcV~=GD?7#E_|Nm#G5F#^r#l zqnX1zl`&8|1?1Z7=AdkdlcU8pf+dj1t9))r2fW=`juxD&K8P~c?XhN1?s~b{{yG9R zXqefsB?EI-)t^S`CMBj=$gRhd`C6-tjY3nx-;B84oGaSY*3j>rZ2DyWo--aV>!0MK~M+F@)?4w=($L z%(n$CNXB&Eo#Oicsjrv7Wfr!Pu?R82hyCg#2i)M}UsWP)3V^i)R-HUS7qT2PSF1hB zj`rA9_{`skby}M(e)w$^Z0S0eC1DM0Y;Mf5HQ1<_0sB)<#O!iEehcgyKJ4vX9hlel1ldmKY_>8X!ue+d)9ZtDR*Kfl8M;LJ|r z614KtIU3ujx~xZar6{)JWuX$H^rNDpqUO%(2w@_ZFlGE_??|MEygb-SByX_6(L4gp z+bPAOMNrj8R;8ez7RtLPxl=?bCagYn$|{idTrRZRr>Z{_llsKBi(Wh6zBpw zKgYj~cTwCqx~{-eL`!7%3A)mzIb3Mb?np>wlaR2qe45gi!u)SKV}{^jCE&iwp-#*A zGc$cn%^#f#c*dV0Ye|~kZxCW<{BKRUi%yHviZ(_h(TbhQu^qx;^8a^?O7rl8F&r+U0 zMmn3^?Aa(K%3ARjRaB`#aE%ADId`RB8^q#>U{^lfpSLVPzqfhPM5x34yJ8b8AEus< zCS-rb5GWVMs)ox1#$uk^7`TdZ|!AL$5*(nm0gHEyfCyI7Ei!nChN>IB|y2klWL9_rouvW8NNP zN9RqkiGF!ws;vs*h^ET>yvvMPKI=HnBnN(lEYfaJFh~B23IH#r2|KgSc2dbgp{G9)uYb}kYo!LG!o5dE?Kh`F# z;v{RHTToj&?RJm3bPJIC_6W(Mo=FB5DsBAA&c#I_Dq=%vZ81)=eMGo)Dr2@k_6p0f zKrV!p^OT_NN;#>tn&rX#@fsNLD|N?{beb}szN?q<6l&1Q@nei0@YYsHGdaD?xE|oG zU24)arj|$V5-gB{!7Gw2e7i9klplDk9#rNPcu@>0t$&K~+PhIk8Gp<(DK1n2b7Kg( za3ll`4T!y33hh)@&S{Psiui+q6n11wRyr~LRc2E(RX$jcR2zkgHMsOtm*Cbp)o+-; zIPJCPnG=6aMWFmzdw{WZ44xUN_K_*qcZkbzdo|!`8*+0Gx5BVm`ePDzq%gqit>*Q? z(E|quj3i$CKTj8+FX^@4OW(lWTNptv$K+bv&NU7)74YxQi%%HfzwfJeD={cjlc#p5 z;ue_s@``wCG%Km!VDy7P{A(8h^a8vv3;ig&rc^*SjZW3tnN$8yZ-LQa*BL+dKZ0bLQPV$92RicMCa21nPm#t zRX&X3xns}Xh=XBsz?4l){F03R35X5;JHZ3z5zC}3xQWUJidjWa@6ply&8sccPp2sP zbFvqSbaRxW_kz6@rfrV8fj{rM(k7Emp1hG~+UVnn}WU%Hs9JWbMtR~b`+ zffJlEYZkT1NoAo4nB)nI%lmwfpW4S3Gw63Sr4^$P(1V(b4kS_;K}MTSok%cJPqJpQ zJjM2TN@d~N4l@cDn=?6EBbbT!28)Vh@I@hq(4I8epFI+}P;0AR3LGTa@USVR(}Y|O zu`Vo7bZlZzx9CIuXt^?%QR{#;meqiB&w){R{bLWMk2?W2iF=ZBR{?!2(^!!(3)hS~ z+cB*Mo3n$n_nVT}N}?O= zPw+9DS?T_PehFriN2v~25gHQa5#Y`W3>Q3ky0F9Y2)1{RD#)Fh*0_~%lD-o;H_)-C zAAFmdctxR>#NANF>EwK-_Q1@{WN10j5JFWnK0X2Jb+lKm;&`ia(eW)Vlhusl?fh1} zPrP`M%gv-B+|MaRXvr@e!|syZ_qAq=_b8>4-2LWoijgSuvpYJROqx=h?vA$;a&cwe z?^uniWqNd+t`GJFgv*^rxs7trAk584iCktMvl=d*vo;wT8R^Uh#A+$@;a7+e$>dg? zwO9Ol&tL)u(JT^+TUeLowzh!GG+_w!*Z%S8O&9}V zVHOG!zi@Y)A}yFgm27MPpMPRgm*rnAXGk=T!Neos_J#%d`T18WYH5Xv@86e~YJXp1 zfgsoziK5$k@Q_}_7&K)?=e<0rjf#-mRH;se+*`SUPJV8TyqtcxAu!qxQ2B-VJSm)z zwtSG=xOuWq%X;*1^uV%%Br5+9ErLEr%Eji~`5EPZWdTsY;^Px%k)C4YtGn#U>+74C z92T^rBNx3tKRP0H`BHf8HwQlCiLlXYt?{x>zKkq?Xbpr|v3i*oSUhQ1qy%@e|Ky&A zXVpPgK;b9PW7-dhIO(eyo&|7X9@+CR``57!R3}HeX*YmlE%6FQo3C>)?*;c#K6cNF zvN&~DCsV|VI=_q&S`gau;xkjvKQd$qeSg_^d$-)I5A(64EL|!W8HZg>LWq=wnyU^* ze-_v+hTvxL{Sz}AOdW^oUSYgy+Io7M?t&PQ!tc_r(XcN3*Gw6N z{k~vSO^5iYRss!F-HYq~P&N#tk2>%UgeFFp%#T335i z*QuvY4a5d*upuYmS=t((uj1wp>y0>{Xzh0qP_`&>eF%J*W${|}6F(yqKTnRWoP@FB z01O-u9&wF(i&#VZ$@#+(*Q!Rfa{~*li>*aa9m46I-Y-!W{VSdVb>9THHL~i z;>ek#Ho?uAidQIzDKabyZLzSk^CfcI(o7dKtm;5ChuQ7yl)N{jSXjhw{ksV*E;|@Sv6dbN9gp!|H^wZkQZ=oO_=7TyKq}6}=cag2&2+vWz4JOvba9@jD_r&MBtP%u zF5vV8%Zn1I`qk!l)^gK2tm#PKe%k3+|MT@fpqSEVPtg{sH2Z?7KT?urZftB^tiOUu zm>?KF_ETPp7#JA%>36&=Xl$HY441)-gZt$+Nr&LQS`MhfAnUU;QL&(;pkRl7nI0b> zw@_Ev6L(^v2%cT_+nU{KrLNX)@;WR>tH$DbW*&@(^t97hH3Rmv?Pxs>u0S`4TlNT= zdC2iQUg?AKvoNs~7q&fcdG61cPfg7hySbf`h0O2aSn;Z9&PxSK0eQ?jw9NFytbbCU zU@^xHCI4WHTZsic?w^-?{Cj#jcUh9)uxWr1EcY|VN9G}AqA-A)(5cAl;7-M{b;p{6 z{&7#%?M0gg3zL(gyLRXXm|dt$n*6=A4@OuYh`*FR;Ca;QNGqrb>L1CB1j*g(rz{`N z0Dpug3xhvAukc$XCFxTcv7ph-5VqFSbZ$d_@jESc{w3hgDNN_LK1kA3Aa71%)*8_7 z_Cr_ajXtWlH#m$4U>_W@5vzp^$VG8M=wruMiNhkSS#OtHu`izv5V2C8WQOH~^9_vZ z{(#kEtH^9`05Sm~O7B%F7hdiJGIIrRj1D}`aL1%svd{A!`{vg@s!sYjkx`Dd1g7mBo{Qs zTa6uyoxZ!-jH833{7M6j+^+Gn?JxaQ;m13l9(Piw1Si&7SP^*$t}J0hDOP z72K7TN@Lqk2$hlx>V`D8a4Si zE6zcGNjdr>Fww)D)z1Z#^B%>K;L-tB}YMFx4eq=1qu|D(Ks*TE#cY_jsvY+JmC|1iC)U58mZ$;{20H<&V}J|P^lqazec z*U~a?3H(~b-&BuoKqKUn6pY|o>yx@tP^NmejYP0ahv@dj7DrL;dFa}U ziSK{wT6G6{U`1hpNpnzv9XmUg5o5Q^h^jk*Z%dLwJ z;-rvrM%nTc=`~Lmm-h$rRmv^by&PUfP7#1;p}I4SfwXNns^MW7M?Ld?fj76eQ+RC; zDK`Oq^bYXPPM2hBPjNd!zZfajxoOa(h4`^R)RGNU{^<@7$N~*Ne%#TmFUWlt`^fkJ zD92(9G7l4A76K-OIA$v%wvj-$Y8@S&51!T9h$ktow#*7gEH*s+{8f`Q2C9T`y;3gK z++_$sKYLH}992rnZm~^fRaJQKdK6{#V=HAw z%MUN3|30WIi=+0MlFvs8Ik}>`!#41J|MW!_P_5Fukk?S~H~OvI?wqpqupJ8;IH2I@ z0R_hANMbhpW7qf{bx>;`gVhq1b7ib55o}9=DD#T!>XVPH2@zK>rEdE#L3l2)|3Os) zm52bf772|X_ew8n+H+6B|J)H?NRs};8Re2koIO}ZeGqfzrwF9MAOg1JPoiw_{0iMQ z|Eb>u+L5qw7%jV-m#gLc1B%!FP36I~F16S~1(M#f1Kp`j!c zHOlSmn8DHB0XG#G6wcLWDgTd{AlVP&_<^2|F4K>)m*f9ElpF=N1Y@I=5hO2!^+>(Q|Nr+t;;6oA<^8|O8vd;Z3ugG+fT4X2|Nj;A zpoVml$NW1;^lzVF%b>avhEM-Hlfr*38@0q||96T1cm@6suHtG0>Uu8sGL|>mmMW>M z=z~H*cHZ}tLd+PZ0{^X3LI5#HtjUU^E0NQ>-dRh9H)7nVk9-=OFjlqrbgg^1rgJjC ztd*2qM;ldS`zoI%74J_v2#E7RC8gSAO|`R9zA9@W zO}3^k-04jq+{fbo+IHHX{=Qe1nNLY9)EPi}iIM6m)oPQoGvY8(W@Z)$mG3OOM@EwkYYl4i1AH~1VfW z=B`GKNdO;*KKm=da{eXtRg;B7S+6-CY)HRv*5KCj5FH&|pZ>#uG@~8dN3WGRmObge z^vCzzLPnikLu#FML#iYQTG(tMrX3?1S=-UejFg7m%0eN^& zZuY<(tt8a^ybr%i$lcv^lydbW$e^9ezrTu_&XYl(#j0zdRk>RijfbSLv+%20MXmyY zE&!9=9c@PwiIUxbsD#XHlQ!msxoRJnp|0tNj6HyA+zoJP$KGx6B$F{n?+bf!%HiBl z`|onZlGBu5vBI}#mGr417-~ptN`J&jiG>>MUV^-T!<^ry2BXXxRCIKDeKEA!AP{KN9PIoE zO#{pc*s8#GZ9!;mWb9S2+UTw8mAr99Vu~yV7$cuvd;xu#g1}3D{?vk)dS51dCu8?6 zh3L4N8*i1@W1$p``$p~y93Q|;#s1SgI+%PXhh!XOfMQi;C7q@AY`=%D&|E-6YYzgw4l)e4zPj>|1 z;wT6WaK?{(>AY28=(((Ny!3GmjVyG4>Duzh$i%%cWNNPFyN{;cLakk^q47_tO%GH| zqF9bbu>g6`YOT$?mb%M$QC+ww81XHM*LM*PyR@G3NT|8u-uo`#8+fA)w-}<43XWLc zWKV}QXa&6=CaN=YjVQM3Z64lL8a5R`1Tm#Eb5ff5^XzLHDLGYAu)?@a3%#Zfu_51V zDKk?<2c6tpeBQUXY{PLA-~5lA_Vsi7j8)K&YQFwGXLq#odhyOyuQx$!=($&Xi5lf%?&geccV|=Aj{T zBu?ugVO?CBw4qzB-{xTrY=CSlfhnp+OY0eh^2iM$YX-xua(t4su2chWYg27MrqVku z^AUn~q1htyrdPr~l--PZu7{iZq~4hCw&oYps5ss5IlQ*iLl-POO3Z>6V{Mf$T7?Qg zz{#iJtY#htG24L$HwsmcUNaqC$h$T zTW@zIon^9;U%NT#Ew^c-H0p;g|2HDtp74lE2Lq3cZLTGWqkxESaA06x3-H6^V&7nD zY|Om$cQ6`eA_oo$Kf2y)JPJ+?EJC{KL4Mv79Ak0MX{~C4i}1Eo$+z*26AC7YK!^RS zVThg2_Dwx2+b>p~;)stF$F-S)QxZgrkyW+}#k;*;QwZWKgbV$<6k`m!Cf^jtFb`eh zUYfFxdbes*kP!|Ly8zqUjVMSFrrfMuj>@x6B;p(AR`+x1pd({KN~tkmtnRtL`m~Yi zis866i7u?(hht>0`sm1Hk6lN0o@r`|_MwUYIjC84uAVizP1to2S!`&c$w+EI2bmw? zXxaT>62+0Y7`%7ZvOY(ZG~`a;SORMp6#bc+4s0O(Z1nb?J9xgt(SC5s-(Rg^GBeqr z0CSOiqA^@UW_L?ztH;7WiZy3>QF$8m6$M$|JU50hBSDotZ4ehwY zi(uOGrS`am9ItYdi=CtjDc0kS+Pnvu7%47<8(Dv?%yuN(<@n1PS zDt@Sf^B31-oMC;MOP{X3ej!RpDqG9=wwbKkc+72gl5J{g<2sMt_iK*Z`Y&SC^gs4J z;|LOjI2V_yr?>YWJ3`F`t*)Q34=UubC)E4=ORy_-mN@5Ty zZ`6JRC*HTQ)lnsYnANT=u_2BfT%lI@%`7T%oGED zEpk*8ooMDTNrZad#^-KFSN7a)k4A2DFN@7so@a z;JP^$7a+h(x&MLb0{@o4R0Z&f2}?Gu>X-T1*$f|G8Zow1&z>Elv{H93D&E^VIq6+r zXG#HyAt=bqkbcuEg!q$O|C^-clkH8H?~m$Fa$hUISE?>!<>Hu7>ylw&>Vj{~>*6dT zyb0p%lV>K4?5J=&j`|~oPmb}IEUx2)At_XLUS406;w1%ZO=|TvuuAgg<0H!uMNFgWyHZ3K8xB3HeXA8jPCEhNNo}mSFYX@XY+~0ecL6^#p&!6j!82 zgwb#2j>($#IhnzP#r6|?qP52yn=jC1Uj>GK*sFldPZ=R5fR|=T0(HqM^2X0GBKyka zzaKuK@-LUcmOB<79?8tX{eXC?*k-=*n}JvTOCMD-P27cJh6Jut8$(!?_0@q|t_myV z#)p!j^A7^A1Qady@C`uH`w1@4Nig0gk%pAqNz$w%KDF05fd;+rqcFG#g<=MMda1eJ z{M_op!5+=xr=zB@F}9C5zvf+<+H~J4`(u3#98H^jvRHAnFIh~tSlK<&%OAWo8_&qf zam+{gHVA>yr}>nRb@bDj$fr|T`aUt0*ii?~PeWN5Tok`1pqG-Zq38a+2jZg66*<3) zKJF5s(#Dn9z8&pi%86LUD>P=hM;!@>_i5O!`RD2;O*anDzN!RkLD>xv~=9h3!6Wx(R(Aw<5 zL;FHf;$m-{DAhE@VbtK}uzr>GMiB~XK!L3}CanRA54|7BqN0D3zwzlKCm+@QE4l9e z{BG*EM%f5_8sok+M+|T8&rV*VcM^|Dr8ru)a}))S?koyobcVGI4Jnm_>t~ArX~nv*=Drj`)C7!5p=t9jiZk;0Zi_rzz7~8vp{wHqS|Q+ zT_dB?M%lZk?J{j5?#j9=`!59;gQ`$CdmYs3ca}?j;Yxjh#@mee&K_bmoz${722O3O zU_9lBrDX0b4tT$)WV*eL!GE`y*z)aSmK4x+GRZ(xF1#ydq!5b)nyRR2qA-waq`?nY2p3FVaw4U#1St|5u#a*TzANuD=z*gv{v%EfVa=9`8aiVr|}K5R4SFo zN0E!qT7NX!cH^cZP%{p+aN`8N3wdX1$nga?y1mV*DSttWCIW%_E4Zkf3^4V~QD>`GSni_7xKJ|28C}+{Q61=|Km#}vb zVhE2f!937hs^My&pxY3Z3YFmLwG>fiY7yIf`Z06WvzE1>Zaux3Us$6sUj0_ z@?oC98}uwi92;r_z87?kv#gJQ!+BEqHy>8THRhVn`^^V40NH1YO|4oTTtpxGe%KAl zY!23O>L-74$2Hcz*Xt!%PrHOwt?@S3t`(Iyo@QhV?7@hWl+uzC4Gl~zJkKV)FH*uw z&r3PB`q__WEl+>ALcxll@}ufK-Z~Z5(8Hzr-=+yioT09l{T=SOan(*C{>bg=g4}kO zHk&5ME|g)($y0WinnIu6@U_7qnF@0mgj3I8#}vYBL&e&7d}q8vu+Qz#mD^yq&}pHW z=tpKV;zguE4U2x7-nuNlUPb@yZoOK5i%g*~BR?ld6+aDw(eJd7G z`?JBhOJ>l7>;`M2mm`Y~Ij_sg_-8wq;Nt9}X*AYow0H?O27QZmfRt4!12^GFvU)5q z_HJQNjE2j{%h}YFd5I;{h79+!`g)54?xLJMle8EH1+5KFb+P}3NHn$X0aQEI#aUz4oo>-e078X6(W|@HTK2J zKmOo+ei9HXvS$fxdoilQs?@xW@byBzhica@x-}U#e@NMAopJj09(dA|gMK?nDYlTs zOBR;!5K1ToJC&zQ-r2>Y^pDRiFyof#!>lTxkv-(*_`XipC=GrC=R}tqLM;ib^)AO^ zpprcE=;xY3Y>|3x5ReWx`OvwnDwbs{es0HwlxtxamplALl?_?3cIgkcvrY+~!T-iu zr8#lxM#v{3GBPpEPNCmF2GX6?rS?00ji8Q{PB$kYg5dECu~w!z{Uo=H zGkG1+qQu;WVE*~q^`u@URczx|gS;4o?|r!gt6g>VSKZGOA&=r{mWT?zN?GCVT2x-8 zT}Fhc>Me_*DhA52%1+^=5&k;+4a1r@p2klR-AwmRz70+u`81%%x?&A`jA_?#SZ$EK}8bU2e)zW`~k z;s{S}KMTLYGXx@6<2TN5Lt==#yRUj%?9mr3RRSzt3K5ynr0H)wi$3Vx=Bf0g8yltYaY7m()C=UnjS^cFxK!HdM|Nj`>^Ed& zIZBxTvxT;gsQfdedBpLQnBG8%=O3wxlZQ?$v@nU)$dsd)*-8Mz_x9AyhM2wJNVTFK*}c1pVh)AmQ!Elk`-inh1JA?~kx?o1tOOfFiD^!r2h^s7VRDOmPEMx} zPmOC4d7LNkix5omi=0$DGfar&@@Oh;pKOgvJKr%q~tTpV?b6Prrc5NaYh}N4sfvFg1^VifoQs3!}*5 z?d1(}7k%_!7N6Ii*zat>j=RTSx0Rk?VIBB^(`dxp->is#xpx^Z%W!m)62wpoY*pxC z@?$BZfFe!UXttqSg!K9*s*8$KLw7Xu7MR@ce%EUIb(_3}Vp6ah8a5euoHjZ{xmT?> zx5fcSVgOE|_>?LmYhkOa7;e>#ni)+q+#KYE5Y;H&z+CR*J3WIrXjJXD0DE?%H^AAhU`@+k!>tLv4*KIzvEE9aQR(d*9r1DQWQHLESmPyuk|3>mb<&j+=Uus5V%m zT0_&JiS#Dmr-*nJdL(eb<2XP&f z0K#;UoTRA0qj$D%5ttZdUpmp8y0VE3wNkgdPoG96is>co?XFJS&Q!h&#uHG9?6kum zt^OY1YK|qhXetE(Yd#_EG|UNe#nm?oTa_F#<|W+w&JzRAt%m?HB{G%EKayS=qvVx) z&ENPszWPURZ9RO8B7;_@hv2wO>|#0Yi|aw=Hd=xkeXw+f`YUd?p=Fnr0*fBE+E&yf zXXsJf(dzf<+^Ag%m%)BJTEozqIPVUQZF1ZizNi6*qKQxEviu@8TC-KngM#VxG@zYG zN{lrxRo@>WHA!ilBzR<8U*$e;)#-8?0<9ixknURMB0hf1+vEIxmaNCDTQj`-yWvU2 z=5vkmukB(4ao2OX+VF{a*kPdZkG!SuE6F_ycw7h6!UN<^4cTHzKcN^t@-jAhvk1RZ zYct{eS}pDR<%m3*Dj;d)607&HS?1`ni93p`)g7om#-#ppXd#hpYG$xJ#j z`MSD~1>0)9rKiw0rt4u6H}9Z@&+->?C23e$o%P&UHJob}`)Jbr%L6bQz4uUBw`4UH z8m6Lc8Cp+oPr`KIk-(wXbdA{x67_ItYuwAcE%iD*#p4`tI-;q6qAXx6dbCtGh(u&L z{dqr3R)%hfGF&dhF_XF15R2|hT_{tKzQJQkYhB$wovt1{b^#_`V{dZEKv)zf_ekT+ zXn(&hwV-1KA;F;cZBFPdC#3@$8=Kt^06BS-zrcIFX_Y}Vw=J8X^1)kGV7iBQ(bb#L zkk8%GXs)lQAC@>AB^KKvDz#gJqOK&Iqn{3`oJiVBpjZ6K{5ob;{;!%e80RlJ!HU4{ zX8mo^_-EYLZ!g;M(-c^z$X1lp-pK#_vwHYulnm4Hd0XAp#>LaH*u)nnK~R%V1Q(aZ zH>51c9Q#I9#bdRH%cs75`vM2u+xtNYTJ*V=XIpWd@ma#T#$D3sihW&{5qbGnkhcyMytI`%fHFQx18Pu5A36 zwx+&4L9{sFR$3FMG8#=^H$QXAaQ(}qo?P?+Itku7dE@?i6COQhOE-d$hpg7+`>x4> zbcR3XT6Bl7YPZLdH!EQLxRUaVc8oo$ou&zbw5nTxYAMT(E55PngGROa>Ar{oGVNtW zBuTgT^|Y0hCE`qYzDJUou;W?5{Ib1CmLjA(sjWoDrxB|RqSMcm&p6BxF zTTSQ{^ObE1+W-Nr<-0A+ISZ|WMDnx!m%|xJJ*B^iA+e&Q@Xry_fShgDf>?9Bo=l4F z?CXtNtbh>jHM*(6`l+~2X^Dv?T~n%omYqNuc(h5*{In53yX9oowfJbykFbw0^W%2_ zVGRs6Np!aUS%oObNYC1Gf6cec{Zqe}_W8QNX?C(N3M1`Z3A7J+Zi(f}gYe0A;p|Hr zOJVzgzjfV#N&mxJc+s8+L%`d;;R#-3Gt>iu{}3ATnx;RYaemq-;j_;Yu=B?7SHv7M za&d9uq8Mluvh}vD4T!m;o}kJ?&|PbJ!7Iy+1~mYVN)_E}7Cz9X=Emc>NHFxsgVJuxuvHYPGLH zE<915kyfhTQT*6g(kLnpERg0o*)r{pYIqQLAq`bigdWl#RlJm~%(e z=P~mi)|`Jxd**^15?Qq)`J(o%SH49553|AAi)Dk7H<=UwILia>Q0<8;Zs5Kc`huDB zCGCi$TaX>;`(fzu3N$d4Pg130|WL!Zu2GA7cT(dG;bnI#zmomKU=}3JYf7Nmf@^o==iBG3+yrP`@Bxe(3P7na z(`@<6c-Rd&>q$E98x!H_HPtMe5{E9|zzgbWRhK1eLmgW>m-!-0B}o9~H7Ou~!HY<; z{8K1LL0N=77pv}zWRE~2v`K~C)4?U*g;Up<1CqjDY+y*0PLi-HYpl&nv58x;ll&Z3 zajRzc0eMR)k;{|JAwlFFv zCw}LFQ7t6co{9<^$~v)eP7z6B^db7{b|DuzBh{IDMgd3m(E6k6E#Febp!B}O$p<2CDvDLE&`;CW=am4f|+ znxYW+(s4c&bNZbK^DGe4+%(A@d68M-XG1D^>(Ui0m8$yD@xo-vneHrUvB|$Ml?fuN z>S{#(kxt=xoVOGa+`6tTy==hBvsOqR%852ZYodIR39EEY2RvlvyQ;T)_PxI|tN>o~f zjstGBpNo!`U7oaloH%VBw(doZ-m&WqoxLRBAXZtm?`R_EIOzKt&l{vYlD^?N_67|7;i^f-_`vx- z+QQ52&*Fj|4Ddy|vd4ttL6V;mw7Y%4#Do7C3d z*tp;-EuTPVRDAklee3J9CaZB{yZ~D8Q)vD%q7h zeARi1EvAn8#0bF*|4j*fKkdq^r#ytKonryR|1u^0`jP`h7vpkB^>Mfmz8D#PW%q=F z-9;*tyy2Ko%IvOdbR>h98Cw)#Z?5&*xF-gOv1N{iC0vYaqChYEsrf4JOnyt7kI2KE zBXI$J{FCG%g{5ULlz_WqW(=(-bwX5uKB`wxIiA1}5z@S8`B3|{I2$t(x0?w^Zpd%s zG#UHh&bE|)z7cLVUptPij7O&K5!Np7`9Gdnzg&$5!2jymY8DXv5Mwax`Cg7;ICZmo`3JB;*=vH|% z>%1E^Cf;-RRk{HTW!jLrguw{?( z%jCPp!A=4b*AKs&h^+mRos#T&b}{0RelMPd6qfzXLXZ-j>WM;@)PfBqA6SZc`<(}- zjhuwM@4@H|nt~iA^~*KFyl3|X)X%wD>$#P`x51AuXMYxOa3)zbHt!rls`5b5ZbnJe zM-*GryjH*U7OpFn3Oh!A#I1p{mLCvq^R+--=vodtWHq|N&9i-Bj%x;obgelm?Kr*H zFeT(+SzL{6gtPY4h%sh8A+QXyp^E16Uk~@dpC>rSqRT?iy5c}5w$m_wJq_J^VW#57Er@tapvnH?7hbV#av;{&Y) z+|#I>zk^gE9^=r!$k_o4_K`bt{lf*%1}vsv6hWl+!cKHu>)N^99WF4t#aC~mYGkau zM(`sRURudps&OXtzv03Pfi6yOFb_~bvQ|Rr>9LI`p~PXtdNO+vjl;^yr3@`|l^?+7 z*Q8NhYTI+PKqk!1 z(YW>SDK)t-2=H-Z`30RJ9gqIx@LWlQ)w96MUrq%p1Sbbny6Hkm$arHIDgpyvQaP{P zJJoS>;{Hj|gJzHzaT@pcpR>1jmF|_@xwKt+&!1l%Q%o%%CB#Yvs4ui0INdtas4TvE zCMJmr7^x%UE-Xo#DE<}R zi_spuQ-kSKh1BLWuE^U`&M|e19(0RzLVm7E553{y>)az zDn!%qXBjh#qXqqK(-Lj47(=)27;XYu#9DB_oC?v}!}c>e;XgaCjUzA*Y|GIC^;)q? zta~4K0>afFH1dTyBP{R5cie#?8XP*}15eBNFd;V`REa`KjM#$l3`8mvX}D?&i49?x zv$5U7h#NU~PNw2w9~lwxrM>(N&WM$hX;_@Kt|E%25>XS}@kX&DE@OQ?H3p&(UU<*hwG!qT5r~zDK`0y6uKa@Q#;%dSmj!355e5 zpRi~w%2FMG+dFQ_aQ8g%w%#+`a?A&-aOJhK_<<{R;;o`*_tfXFU|{ILBS#k*874Y25tIYA88p@w+e`*jQlo zcL(2k0cDmD;jL=8-DA-8&$4;FHiG9^7ZLM3r5gRIB7<)8_&u5{4o96rh;Yl8WF~pi zHMP`Bs&6YT+e3I>B<@fF0l|`3$p9e$`JPW~#cOtrupLFyqz_%a&v146e24DR^5EDS zN1T*Vpzdh#B?E}5)J5gZ=_w0Tn~{Yv%EAg(a!?e}!#2zOU*g7gg8x8umTbFKi%UyA z9m#PiBsy^AP$o?nQ}E`Xs@)>=dYbL*L(Q~Lerc)d{h@c+x59`$Q_2(NWiQ;2so~^D zy}KVJW-%|>0GRvCE-eM1zNQ}eG0$>#Gd$*n`-aaUtMXWvJ>9PmWzf=dfL!*2NXn-- zEZv@Iajtkt)`lrz53;;DEYca=cCRb4Sysy6HLG{^OV}mfB6u-!P%aNv2)?&jjVkTi zwYuoKKQ8F;DVqjtxb~!loi72m2P9{YBk|wM+@0HZ>KZXGr%#{p*>$7Cy$l;aATLIj z7LEpZhQAi(4mLTOmwtJ)a@8Ht33(F)He_^4SawrWx3=gBnyxU!!9Vcy=SP|0=8>uw z%`Jtyj$ydH3#O zS1w+ppMsmpH1@cDddIZQNUN?c9u8-)K*8BQY?Mq>S{3>HCh{vyOvYi6ht!!|-QpZS zY;b=%0@PF{w`|0h{ug0i0TtKMteX%L0tA8+oIub)f&>Zf?l8CqXK)602^I+M5Zv9} z8Jytm7IbhQcys=H|MSj$a_?Gu&Dv|&^z`no{<^yAtE%JsW=IRDWx3429;M4D)GjYi zg_*VU;VTn8)Jiru>Kz)bOfm(D^uU06Kq6t!0U=&++sz5I?CaUtnWd0ho>rrIC_ODh z^(7mZZxZPOR={X2p@q$LhFP;ljF?d zHnlo>a7B~@oLa#iq{;KOui{+@;P=>tWjU=fd9oCy*0pE>kM-ZdH3lef(%=r^s;EY} zIh^v@qAdGY?)|Dyc4yU)Y{b0*xeI4DjNuFU>3SBSyuUVCR8Cg+Jhppc+J01OKa;Te z=2}g0Yg9nb?YPs@1erme0D{L_wL``X((TxIycEFkieuS7h@!~C;;%@TdmJ(H!y2>h z@bCViL682zEhMzQ0(ZBtLOF(aXda~jb_kl&mZ;QXvL>hqIjPv|;4Z5)F8V5x`VbG+ z0am4Mp{!~_YWq4w)cmsHA7)GT1kxnqy*kmd)5%q4!WMIvTV#^RAEdRj68x6P85Nz( z>5}%5!@^vqEuYw z3pE~Qsx-q+Emf;}czNGadt-+(HtdaSmE-yq!4?DxM>w@-8&7QDG(5yIh!@9}k>*|( ztIbGCSZCNE<7!yZiw2bbb%CkAPevHY_VpuE8-%q%o83)K-njIpBpOw|RQ!sx!cB-m zI`lq3CQ~mTi(co6?0AFusF{nLaol|{T;ifLrZg++rmQfn`&H}{E*jP*cVI*>fzhr$ z!A52K6@2MyYkDQh=R;*HxygNo097ZR`Arw0nNZ_dB&Igfhx6F$?5ZXz6MmHV{{C>V z8lvxaR#OTF1|F|s=`xL`#RKh~?7jry*Rz~j=p>iTFQ?olmbJ!z^6DdJzx9ht7(<1} zx8})OB%4*KS`OWoj;GHhB<=k0Vw-l+{2}^5{Df0b0oprLzEi*M#b ziXuLZ9}N1&=bs9dme0gmD&~`~yGCy;J*^WwkDI4re&g^l4gR9J6Fl^e-iO<_g-#So@s=b{EJHW~qe9|U!?hiiqg zsqV)ImO-p-T^W&7m(90smASvGO*BL0_2!N-Dfv;Tt@lE;xnz}v--vMszW7sxH>G8% zXIM{C`*r$44};T1Yh7HjB4gHVVwGYQAp^i@XH_7kZE4iuW1wO7V4bDPzJ+m1{LUWf zBx{{eIvoA7?565RpKJK`9m_+YlaxjBI9teGbGA`d&3x{{n#be=f6x+hD`(wpP5W<1 z04R%h3hEFyGwW^2r;>Hd(S=r$EQ#Z~%k7_+ z0hGn&p$tT1P&U9VqGDXIVl29-jn7-XX<$s+@w(}u=#SIj6)=5>&V^j8kPhB0ALtPO z5DPH2YkTuroeKd!p{F0V^ogY)`=eLc446%7VdB9XWMPAq2+?cM-X~byBcf^jWKS(8 z6ZKb4tP{wUEb)B95 zXO3j}E2hPs{2SMk?{7IuE*P97dlawznT0dJ{m@}KMz9n)&5Fl3)99)2ftiOgqStZU zOTuf9$H&?SUaYmJkk3A>TcR}qPOCgdHfU5w`9@%`gAjkn^}et|9pSLPGU(y+l(5N7 z=+}$Wq)WK9hliO;>M=EHXrm^&N#plb#SDi+DSA6&`!y6l6ZXVF{<-UEe)OCv&PS`# zVI?l=TU`@gsky$|iSEauiz^N_9JYoqllP_KMs%=%p6uy!`A@4fbA_*2-jxS+g0OVV zE$${~^Iqb*ampxKs%Ygt=WFLZa4@_pe9?2;$4!CR=;&@9P9u+gpdar;U4X7+YB^E$ z<&wW%D%(lq*PVeszmaFsEVC&|>5xPODI(JM9&cA}gmsA(K(PF*Lgx#`U8&5Lw zhwzggfFaR@Ewm?1Du(9tImDbE~OdJ3%$v^iDjmQ56oJ>LT1hkoHCmD)SzA! z>t3N%HbaX;n=Ed-_8N^zD5Jw|dg?CC%WN)XK!uem=}}VW*M%3O#|b8R{LqVjFm#)F zNNyS))dmG$EJ9*~Dds%aR@*K88Vw!wF{3=L2IOS=(`*_vpcX>J6@u_{%patkbc?6m z-_D~Tg&unk`~>=`Z}xJu2n~9Fxy2Y{mWL>9a-05ikAi0Yib*cUMa8GnsJe|6w*Pny zk4nZ>H+t%LhRvYSbTl-mJ3G7Ki!QrAq=Tmz78t^)9c6u&b^qrICr?~>DG`-&B(B6NXX2rsIIO) z@_KwxQGQ*1-t8xPhuLaAK@lW)@m6qcZjJ_kQZP*Rf#AFc9IUY9?CeJaJjQ0RA4TpR z)S%U_^Bi$&o9d8e)M!}TyPb(PbhdfksC*@L&+hO89QlPzE#56dZ7jYCb*3x0s(n{v zA0>m}!mUf=y~K%zZaD`Ndi&S&tMN!W$MY{~j)BV8KWPCNzwwQlS-CA~wU!tC4$&HQ zCY?9>cLsTYg*|3OGtc9z9?xrfQQwkwIyAsyGuHwOu{!4`si%hT||HK&@{&n+wWSN`3f@*k~0wB`F4%mocqF0 z^18ZLMHwf_&CXC=jHmjGUc^u*n*P0-VIn=TNdZ@>f9C=?mgb6l3vf76pIBR^K*3#T zz+yRr_ylw#J^CspT!!P0wkoHn2RS}sqGK`j$!hk_a{cJmD)>faaFsLD*V~ov*7xNh z-V7B#vL%L@f&7~+2D*9sYB$JhQ?Lk3aHV(FdxfWMbxQB3R;_FeaOGb0YugM70F;z; z-DMchiJPIvTg;puoa^&ngzS1p3|AlilvSdED6ShH!zd4SYA+$`WRv3={DpGFHD4x} zGq^?TM%ySpJSH{X?AGGmFXKf@b$LH%Vs1)Tt8CRFYnDa0N;*Xk^6=jvg4IuQxCre&;=QgmE%`J_%aW)U@EEiR(7)cJ_o;Sz_iG zi+cbsE>gDgKlOIJ0LjbB$Mfh#=X5Di`Xp=zaQ4y($^Y6rgd zP+mQCZ4u&daTI`P^H(0Rqhwyjl3$e}-q+zizk-9m`zs_C3M5ps))Xl=UK!091iXTs zt9m`a>24Dx0`9tYxTsixUlyah&mApoEOSZipKj+rvvGl0&K;md z$rMzYmpBu)Jfx6luGr3K3M_*zA0hjOFvHh<96oe!Tf|w9|9pGm0EFu5RzNpUE+pyx-zN z*~*`)ZIc(yo@UVr$*RjRY6Kwq*Aiw7>|ETE7F8BFl#fUS{UM!MD)mw+KP+h!m({<2 z8fo;6b=9gRDvvGN{bEp1A?D&4L!o$52{IOJbz9}S>x}JB?#7aAj@cTY@UC)5e&&s4 zVG(*bn{juSrZv%^>y34?{%B-MwJGIQ%C*4)rn(7qI4>dGLI@-hCK#OiHfPL0TzmJ2 zDaSuPo*UGLm$^g z#w3t>M^Im1yrX$GIOL(`S3zplpaj)-cz)WbKg(48R^n`za_Dvl*t(ERID?FjYpou) zyX(~m%X+O==S|3O+=oB&#y7MV;{wywQj~+n4P9a%8}JBho3bHFp@4a4w6K_76z)gs zFPlRS+naNHVy*ZRuSuWZxIeEn{At2(FQHRwly`9+JS^X<-yM@P^l}td5g#}l86UM6 zB5i_NKMX`~xj$mpuv!Nh+lFFOl=?I2J`O299zmcJ;mps1>g}Rp5>qD!ZHt*%zhX(y zMW3&Nn8n_;siYW%Lo6huimvyzaT*rvUq4*3dXAThQ;1N~aZcRB0(H?Fv?A7C16B64 z#*))ACl&VA1Tp?oZsF3af%@{0dAM#G2qNi(O$n`@EYS;@?wGNs79}_7Azk9~h4*6D&R7l_#oSoQpQ`7>4@^c!I;{ zabs)ZACFA;*901i%SgfMWMmER$40QnS3?eRmQyc|hMB^Xm{w6Lem>pXg!hlnH1X!+ zi#9z!ZRbxJIU3De5$#$2DNRCb=s=o|)mXR`Eahz=6RC?x0jniyjWLYk;aR`TLIG&< zM!$|7q*54T12{g(v%&7dmx7ZpuXpD87G@qe@Es1$+^bSx0=;~LK*q5^s9C#9NAnif z-NwP}`h{yBFJSnj;mYFX$&8awmieM!+%`OZmNFk=+SgdkD&?GP++V31fut?W{qShN z(^~v=j9Pd3%d7KJD{cSq0rVx4?4keepl0NXshN=d0kvgbe|YbEiOEjgy|qa=u1mJ} zngf1ZY8lovM>T>N3PAShbV07?YKO%;vi0JMPlT7mO?IVtj~wkX z)tP2|_mB(_ORC5Up9K)8778!~)U9QLE z#)z#1GM7o_hUUy*lEJC{aN}P91=~Vq)l#=FfL;j;iDo^5x38K# zAf^P=xcwnh_tI?&Jv*LE03 zcfPHStjf!p@eSV+*{<&|j zi3F)>a)VV*v3eS4YkcZMF(DeB>?W3TUY?y?eNvCF(-z1R*XS)7cZ7Amp{6ziWkxLr z>VzRjEp(P_DU-iI_>ap^+(27NY2rLhBlOi7+DmXyZ~j3vfO-uZ8@rdOn>-TH!Lh6) zfdLQIXozc56P`=K#rr!e94(gD+HdeQ^G9ho=IStC0-G+E$moFYZo=ZnN)1lI!iAO| z)Kxs}c>Fh+Yj>tH%A0EIMcoBF+8?Fx74cY-hh9cV(C8{4q&O!X4qyqDZW&Y7;qE4! z5h%^&7Fx}gy8hl~F$1gh;sK9Pel(p161E(jiMrwfkcM{E?pi0)jWsI~{L5@w+g$jX zGBgRm+C4VyG1%D_-((wc4jNoR@qMuM5Bx{@v`VGbW_(<6U zZ%5_QOZOX$sxu)LltIvVrwwmKt-vZ}g&!5w(V(-wx?6(I1W#m^XdId+(_XVoU7s^E z4K=-{=7cM53}e`1$T)`2_1&`JncH@wNO23l`qhB(?V}`Cf7$j(If~ozE%)fw_NbY! zZs*xWiY~{wW2A9g)%nsAmnfzbcbwa$nbxa<2O^8pexm;VuM1oJ+q*lcGGVHW@{kxi zw_)sC7|e?z^7}=oC(VqKk#aRqU&p#s@l(iNeaP#{r8&9MG-T6_wdkg%JHpJLKSAuD zKa(%}JO5rzGh1_WO=Asws3lfHYC%p-PR2bce678K5TUEm65D$Yq0PEY0$Mj-Q>Gl* zm49*ss=JzV!CavVUv6w_P-`yXr&5d|?bKmLv%NAiZw<*0ZOwaMHk7A#e+6tc%Z@6j zthv6Qxn9v7AI`D)H#+*gpnMS|?TZEvr9{V}Pvz8-ni#yCEQea6{UJWiRUqPDZS7wl z`ug&^foY}t^k9+M#;s9Wx#A`AUk#ipASk>|bZZH#uI;bFo$~SW>=7Ue1NyOoy@MToy zw|!I%&*=ud`+3MrR+Q@rWZSPp_@DNjHRu7?I-u~ zGX=wYQ&x5ArXaCbh=@rqkZc;Jy^6aGZtO~w@=phKjjCpQmvbv~wN8oP4VIWRhPp#q ziaymvY*GZ(sk<_WeU}J#jak*!u=o0VzwukAf{*BFB%eF!HsT^9NJ!q`qQ%G4C3?3w zkDOAfu^(lQX!_$aX_bQ0+qb?i-dd|6#0Mq!c1kDjFG#@^3fW|6nrJ-j0)*Xf@t8FL^-7QiD1CUi{V8U(J0)P%O00 z>JnBFdVz=#-kGs!%?J)!1ORheUH02kg4qA{5I2I!orP*rvbFh5c1Y=CA~Q?0iLXD& zzop{eO5Y1VMzI$t@r++|%o*PL3X)@L;Khb3bA5K$>!kIvuZebj&58KejMTHf+&RnV zn{p3^{1KJ|p#6{o?bu`;{|!@r-w4US5ZVuTd^10CLP-lVorKiEd-?aQ{@*vPA2BxN z4C7w^-J$>Aji13M_^5x5{CfZHKcVsO-~2ys)^T6bsrMcC)Lny6gZ}&1fj{aWEvWGsOz8FIr3XS&Q1hbrW&w);Y9X7{d^}Md?J?Fg#U#l|8dIre}DRs(_r9j!z6D0 z%jg;mW4}fI@hex?ETkTkvyjD+a@1P0^AL#c>r3FbU2JBqZT?|2>iuum3#uB5fmi<= zT|Z|y>J2q#iS_;GT(3VPVj1VqQZU3Nh^Zh+(7-yn%s;-p#q>)WunYSU_FIdcl|>FU zTqbq4IdC!-C$&Yp<;e-!BWH!g^bX-rj+~t$7=C`N9UggC|NBt`>aLG<74YvB`PU%% z%EKiI7Y7s5NKIcE3!X2*!sp}1kL-MWWiU+!Ja}E2sjMa$Yiz))t<6o^k01TAb8;+< zjQsl{5DQDou!KanAryqarbsj>Xo-%JZ3=+nVs-L+WTaMo@7HNR_B!%xS}h{1d#dJQ zn)`Dxv?MezNpeUwbgpK17r(G*%uJ;HCPm=395-uv1!V$BzH|<3^yBQmD7N+K^2z|B! zrMe!54uSa(zZ4hZ{5r)r1ATWk5}SpoOm5(|`!h}=2VI?iLBro`I!W+1KotwS4^du^ zv=6>-E@PHrL{Ba)!84oc);2cM*2p%%-B`7bd-5BguCLsELCVU?wbhs!u!6#4DJf0&xjFdu0qvP9ZEOCQbFL zj*=i+`m4(gTv-emj`@2Uzfm2wSk=2+bd&9_0(U}WjJKi)sIemKGY`H-)nH{&;e>ph zG547I^T5v2PBc#gvG78e8un{kIC46Y=rlQx0cM^vK4h(rY-@{JycjAG57v$}P}3Q||X z!!>a;>#NI3@9gu>=sfOc+BhG!+*xMht*7JNM0x*bF8!$YMuy}K)=N19o7(U2y)gtg z%sLN?G*SElJK*JtnG^ayK&MmSEn=IniMMyge7d@V!h3ryTwvJr^t7V0b6vUWAkG>3 z2o8NwQBkuA3Ph^O=ehl4(aP0Tqa?LVU4u&xwdF%94tC+c_H_dUc)gO#nY;0ql)lK{ z-r@s^AH8h4cE47;dtB$=+-|PSqS?Mu5G)yrn_b0pzuDvy;UR1Z4teHkA1SAhI3yJ@ zJo4?N#w-NwFXaM;hr=4ZiiPvGB6)oo-y-t*g+^+}X*eh!n(0hXvMWCrcHR(>{B3uE zBjUU#f>4E`1-yb14+;r|sgQ+55s-nW<5Xh9N!$L%M@Yg0iPHYfuRCVkjo+6-Vvw2qG$7Q787i zojpYdFg0Ts7n;ZlANw*L@D@3ofejh$eNIRrElg20jdAujM^!f8SAKZ`YV2^MYFC>@ z7V~D{xU}`hnk`R$2q}tw(`vS&o%-W2;h~JZ_!WLfzcnUJ%EaCKeWKL1al{WU@t3@oVX-D6AFfpTXa6u$Fnq5Nt z9;|FNg}K%Rrnqw}GeV#;Ms#W86Ljs-K9oZqyvPf7ZkDXPbXb92RGH;`%DAj616xfs z9dn0ZI5r#CXF-zVGIsWD&nxqY#<`yE(uzC+`}bAKOYwy}5J-RRc(CRjt-Zpa`yH1+ zM?o)aax{>#jL?4Ec+cmXBiprjmy=; zNC(IMvqwGsJ^^U~|5*XOrOr%`O}{WOgYJ3<5AO$*<6+CwMpm^kp{=o2b_&q7X`Dk* z$VC$rvzc9_UYqAAsNvE4_S5riyHVRga+4d9Ntn0dr$*byJ^4v2xot3wd<6RwvnnJrx?UZ6A8B?kqj0>p`=75d5v2 z>wqc0^E;&n+~_#Qb|j5VIaIc-+Rr;}xW+&*y2-b1p=QolLE$b#>w+C2MDtmo8LKAg z8eC2vPQ&PNWA6@CRiKikW%KnrQc}|F;QNP^tNNN|IFwsRgx-2%XG$I)Gp6iNcck9d zP-kvEu5LhuPXZZx?)c(TQxygW>Dc*M7qH&t?(ZFsTEMC2=vORq1O6x5UoPp2kdWMmZJsf2?B z+IN2X92BhWtwB=KU=3?uiT5H_3KW!QBPotGY*hd=o=@=!_0I~Rx!cpXx^535U$2KQ zaAM8V(-L-2UDPN26&rQ1mh&NH*hxDObS0Yw^s)g13H+-s4N5yX5@@^^fT7;^PgKok zU7B)ql!q6P@AZpv?P)S@&Om@7jrRA?0vbKu6ndj>h9!ZJF^v|Ceafi}#APSb) zbeSQJi(08ODz%q2<86`_`#>4QjNcE3`cLbM;-;sf3kp8h0+&{vcXu?G>)z?S*7NPR zD`e)e7M8ovr^7iL8q4W(c#F9!GafSx&5xsVPKUc+L^2k}{%l7iIYnWFg}hy?Tgg{k zprc;pu1App$uOs{svCiu6V&N&SiTQku$%bR2z#b;j;~QUcdwNmJ-gpEYSt&*DA;-( zUw$APkc`YB3FcLmlsW>dOvYXz(dKh-tH#f;jShFR-M`2vL*qY8Taz89-A-wRH zUGfi+xUnwa9ACj5A}p~gh`Tj+KOTf>ktBp#$W2f|F73o#>Uzv)(HS-J(|L}D*OfWJ z3=2kBt<{&v%6sv*jLjqF7fQ#YnENHJ`w}xV=Q0*02JP#ip67(EUeMI9mL~+jns@tG zA2JK4kMFE6lhcA~O_eXfbkee%IN0prGRWqQMk>SGH>SJu=abIG)0&?iA8NZJN_e0gz z%^OWFK1!9A_pX`H4*loh=VRrUJxuKhiHW@~ei(999|+SW!>1z0Jv2LDVEC$jXs-O{ z0S1E?QP{trqy$O_5Y0V}`mC1ReHR@aeO_5_H0J$fCX!@!P`mA?fR?aZJL}Jh){BN!e9w46>vEuY~~0}p+;=Pa(mrTftyz4 z8=qmeJev$5KWS>3Xna9r^7*$zKan+V$~esutJu~jahup!mHnzI1#Vdbd!p_@<&(Qa zy$SW(A+WPE_-$V7%*x02&nE|7=RbQA;vua=>e8SeITcTP89q`fX-O+No}>!Pd>6~8 zS_GO=%f&;X)3xtL`LcOUJIWT@)X6yY&>l{^ydEf+ZbU@p_{$x>ln`- zWym9@5)ZTH(e^BKDCuHhN_JmXyDt(kS#+Lf?UC*7gZ2AC-@n}n1t`VSRWG}ct;iL# z23<7in~~DRioMe&B`cDRMnaF@i!GLozJrv6^_q2^0g@{2d*(EcZwEM<7i}*0%*wX5 zhQ}2`k{X?5)UFgoUDyf5|E>jgyre@ICzT5O5te;l3i4 zzsP+!!;VUB4{sbh(%IUJrkT)(ogKb03DeqZfAw87y*@~)yi{eL{@kqNF;hOCPKUW8 z69pwa@Im(m=x52p!FsF!m&E4G)+ay!tC&fbvE!dpr7y!jy~%ORl~G>1s5`88Qr>S= zv4qQ*gfValn5qm(YOM#1bdd#fj(Y0gC((Of+fp9>eqBD@k(2w zrgpZvPEu98%v^xDR#JMNj$wLCnu(h1SuU#f6YuSA@xng;Xn2$Y2DbWa{K*)7Mp_yM z9_`f_x{9a&m(H7?jm#%&6;xojo!F|OzB*CCNQ|ihy*YTnc+r_$xLR}cT;PLZhwaKIs%fh-4 zA0>-zk>0F*%$udk;cjxy-ODn&c+r#_o)f*?i+XzNDWQF8TJAx*EH;EVtz8_kU~lGt z0Zli<$8`S3EbQ9b2;Wd7M`bbBQ{Ix71alSxQ`qeTeJ7tsuK&|rx@{W8?e?Mws9G1# z&V+z+I0;0lj`J&)&C%(~`@3Dm7dbbAP$xx=Ny)zM&=s-E;7TJUDoqV%Nke?&a-D!d z2UBe@R87f1g`%c!WTzQSNRXK?+jVWO_OVJhXs6K}0;~64`H|@5C9|1)|HOGiN5dzi z(mrrqlQ$}%PHI^`qsLVxvz3a0y@P=&F?;i)lGjk(u;3c+aBkOl?vSUb-OD$F2l!E^ zPRyb&yhbHt#b4^o#HVp=CNj!8N&w{bg}?pw(bKy|iI%g>cpyR^Xv-NAZnz37gb{(~tCq#D4*kYM!n{veTxL7&yJ61GTJB%@9JW8`HoFQ5jH~(M zK0LnLgCfJ-+TCANGb_naF=sy~r=T)DIA-!*L_FE78$U9cW0dFKKCl5)=G}wV^iKlU z78C?7c+Z4U==fH2Q?3wO3XJBAo80bHTXRHJiU(MqTCcvJaf2Ums>0>yJTs?P+o+Zu z#;n#@&QVd&wrGY2L8IxZ!W-S;>b;xjXG=6RoZ}l00Su`Hp5F^g+5k1WHfD@`IML>H zdMNl^`=KX|3{e69JVcXM0uk!gR$ z*p>e3$4DZIpcPA8Xi0vI2vA)-s0C2C17;kpXlyd()J(r28`{LlOvnbPCiICGy2~=x zc7?{@d0Dn=iu{-(VWbYbKFXE~cf5K3>R8w5&{+HP?Mbld*T+q^xTNU(t53!rPrNXxVl*}v_QrS zM}>Z)2>@1TI&RD5%4`BPA0sx6LVAK!3LXg71NF{=qSBY>c7{y$hF)o!)->eA*7SxUfnjwewBcM&A!)T8 zHCQTrYDBi2*Khkoi0ZC1iNowYF@boG2TeVTfdY_>buLn3q+VIlkWeo*(zON=+wc^q zRLV*O?D`0e#h%{OB&haA+uX=9vQa*PA?v6Le`eBDzHwW-EKRTJO{M@fPDcliN9?zE zAHaiZ%yGCCJ`cVe3!|lExHb*^?Uo)HMROp09c}mTbsai}YO!rbnp13Cll6hp0@=Rb;UueCgDp zhCBn=_|J8G7R#MI;kxC9J@ik*#6k_+P?C|{@}ef5RpHLa^V=g%d-vo~?p=_qgM=t= ztcQ!$pT!y5%MTx_=Y16`D}}d;Yy}EBi0J8EJW3Tep!CFWRmK*k8D2nfxC4TFbQD|h z4>XVZWxO)a9w{!rt+t|8izsWrQ6}#N(!0w*ru9vlHT{Ijoywgx zK@pKxaS5g{zB=1yA(bE$ZG5Q)dtUD&n=x$7l$w>BtmvwYG=J9rx@M>mP7*!Jitfw2 zSf335%*=BQpSQcTd;(sYuBnd4bE!}=#YL*^Oo+ktEcv<^PNu-9nxc2 zFl2`NE}P#w@q@RT%j8%0aC;|(gKwC<9EH^LPx(=i=z+REr`w@zI&BV02*O(CsTVj#A>HB1pDaNpCQ!EOft_y8mh*53CmDiLntG+{ zppME_0iCCs-;@~gWhM2ZuF={nlsZmoN}6N6L7pTVA(y<6gZ+bnSIUP3_T zRxSWivne6S6uf^d+^S}rF6RB|7Jf17(zNVSXOefPz9-Kga-AgGJ@dBAjzY1l*_v?lVGUUk<7K0Caq4jC>hzJ!|FIuojgFJ1L#dYe`LbkaPd zCcaEOTd4DhvhnKPx?fm$Phy_-e9k84w__(b*jPY2=x{;22GfZv)5xowiEEaW+f4-} z?poh?nSV>u#N7VdS@bW{v;y)6Gj30m3Oyvc#PoARzEru=5o{58Plw>EG@_LD#h4&e9Hz36lBzG$l$aZ(aRk zx1fNIe)b@kMw8ZP(Gt3ZZtJId%)Rufm2)&bIW7B6Gqo?0*TvdEl3MJiO35%epK&@? z>4!fU00G@llU@!(8=#Fat=A}n%$qmXC`jnDR@Bya)mAQbV0aaK|8gBxR<(GBWuP8k z2}+AYbob3t50bOPTxA=5sT5dEv!Vxu7dSmKGEXhS^(J0Swvj4SZG_=FDYrD4*J*iH zBuSphy|-?<++Cj8B2~G5nI0dPNtgRYh0v ziKzybjq2EZ$<{)wd>v9FxXvl&iHD9p-fa)mXfig%?FnO~b40DbES==9D=TId6;Pln z$$+ppSMAl@U(g`_{qh^4C##GlY*#PFHcRUwS~=e`Qd>Fo3>kV0^nK* z%4ZQSkhoBKCWUP?nHv!qnMA)nzjAhZ`V0I#P<^dk&u#<&*1K-lGceHO;nj@>8y%s@ zqO>4is3zcp*0$<{2n4WC4o>@8R#v{)5&uIyCO>_fG+z2zPoV8YNnSp(YX)BRJD|tX zN|P?NT4sX``O!G5u~B1qGqkV1p2KZ^{Z)#Oub^Nj5dx)f)@G62BMzOX0x;|rkRfU9 zkWJI~m_L%8^eYWFEP5uS=HlHQZ+PuXRt6j#(^;xjoyFuB17%t|Yopc7RL=50DDjQA zu0{=72W}=NJXiFDgro-+${cFMcGLuO{(L)aO1iP-x4-DpM7+cc zT;S`L;EifebX0{#NzU*z=fnOljB7JKM^XB>74~Yq$5l`5dYc_}Zy~n^bE>StZ|3^S zLwIq)Y|hfXRzFV)bKlzR1+%T}~KBO^!)pl1X~{IMX~H zrQ@M~UY1f<|K37ze`cPgn#js)q&hw9xjKgGl9x46UwyzLZ)URdN3-OFF*gTa#lCg4%|c?PwjC{`k7WW%q8yNhWr_9l<1f-RR1}Z>Z}_7 zMqmya?$T0lEXw^4$FX1M$I2%*ChecN5bnX@nz9&65C|8L|D%0!#-<1b_vtJ)GgH9< z*HuOawI~cbV?H4}gXW_0^-Fa`F4yJ)tk^~tCLdnVxO;qR=9TC9Ks%ZxFTsPcw!IG+ zjbWZuR9C6hcI_jH&|{dtnCY^zPRL+u?zU=jE&=DUhHBg(9i8|vW_h4`^^n?c-a+;D z8s&H6dK|BMaNqC-mlT!FRQ=z^QK<%C~FE<@V7%KO;F~Tw`vBg${@h>ZLnHL zn}dY2pNZ-IMlq9{?2jJSvfiK=$V}OyyqbMh!bTE@aso~eio%hUq09$5Wg*HNw-QqI zLzOAk*>{QR&UNr~*>e@wsW<7Nuv;!bL-O65;F1sju_IKrwtk8m9r7Z;%pnCQo95je zcHBzHMW2MS1_74xJ-<7v-TnUktE4B`m~|J~EHcvlT6amYYber^in|31X{>Y^ICznG z7W$*E>30f_{Z-oFa>PXt&N;Cj!$&H3plmEEfUClNoZl_Py}9{P497h`T(r<(jd|>= zZB977-P?aG(ie!W6faP5d30KbnhOgh$B(h}4;~&s*ar76sj}q%oE@}{$d()uWu$#` z(O16x9&o>9I5zs}C+~Z0jGu_6{k+dvwCa}^O*ycD?ILXkboY+=*S! z=Z^MKY{Xuwp-c_Gt&5PI&tPGFakfZkUF&PFmgtb$OkY0;K`0YQ4QKn!FL2GiAWg;I zO{fsECBY!u3`V0H_c_ah9=`14uBd2G=QXpk5N%9IORM#oyPdESxH(83bN&&26Ijp< zeQ`JT_I*v$tIJDI&9PG^OlVjc(-SMdgZ-aN!BEU9$ebVea+_qEX9{QVh34wxERh3oppPu1Te7FxBr#iIz*#RC5oY51811xOB zR?DIoK7WsjE?Oa7n_hwd_v)TY2Ke&5B>1zyzh<2oFb$#7TyY5sX(Win8>itKInZ__ z9skyxy!|$+wh46l=w2VclaUz^V~TjP+%APA+UY_{js7+>DJi$?!>W>UF}{zYi-JN) zC}ubai&q;@oawuQv&{~>j!jJ=0z60?#kcvnVN! z3k`MRLnbP3oK+sb*#1hSCJs_3zckBfbaO}-e0ZF{aT}YIn;@7qbNZ&tG>YD^gl|6| zg*{70>?n$Ygj><#qJDC)BzY#EFoe!G6%a@hdsv;qjR|3(U%Ve%cZp;RwYz{B2-*)0 z9Ip;-!Yw`Jtz6~ksM@1kvGcBbkZH%Si`wQMRaXtbnUl5@;h-|byw}hEb~)D2H>!MV z3?$LkKjiu$yW-2wHf$xY-2RIyy^aQ-AE5bJRAM!&_Aldl1`FKscHU?L>^TGy5)umE zDn?0)Im&=($CMRcw~K(-aX(*QPDJWpaoU{U_mpf7Ce_`k7b^+QImA^0nNSyQ7Hmdu zSB2EZ$dHJuW!+FO*t|Z^OK(&A%DXt#l815_5^2^_gKfwlQ;FE?!`_n+FE#>T=@|tD zWo;FQNB>!1MC<#;jINiCsGUlfN#35;5#KsD1HMNpdK+eW?+3e&$79WSToVC1&M$5r z6EkBD#-u9dr6@Xng@A!ati)~9{wvzOmM2#UrQeoBXW%9c6}b8DBbA|*r+0I(c%AS5 zB;!I>x|<##S-c-4o&1M(Pbh?2Jp3TT>f3T}vt=97?|^$)lfdnx>u29ojc=xveff$~ zbQt-zCyX~JC=G{%5xhU zv;{_(Ms8QSpg-#*ov%oxh=sXGNp2Uq?v6B~kah41M=pfdNx*xve|iYQTax*n$UEf<70m7>QDI^X@g#c@h&m@3I$R@O@qS=u_oSFn0BQiY$Y zC&l?5buQBsTKCaCkSktbV-j7ii66X{$)DRnmBo{>A^HH16f1SU%<1CNMNksX7K*K2 z$L6GdhjqX*9v-LwYvYX^F7RHbZPSfs+ObWl1f_7HNo-1GVTh8-+lp3|OT%5)itLzv zX!5?AlJiG4MT)tpO;@e0X|hO|7^-$t+-{zdNI_0rtYvy<*S_v+OU{-t@tr$IpVPaA z!WIMPIm4i^xR7tDUs6ZdmZYs-@aOl}Rx^8S|3Q9W$b{Y?4`W%pjE2|HEsj`gdHyxv z;$;D@8J2cfXqa02DgteXsn5|gacePB-_LxY(0NQzd|PN!xvW}M+*AGD^V~E_!Na43 zbS)5H{hP_2dDqTNBo&HSIN%Vs?#Nd|lm)O^CMvF3mN_p?^@UNF*^z}2n(JOLg8WlzE6I~?wB9;_Y08wM%8DwXhIl8(xhzM z=t#WoxXr%Td7^JJm7%-Fa8`74bsZgSyH!=INT2bSWJ{b})Zd3nh>?Q^OtA}F)N{0L zP6Lr1xDu7M9kr=R>K~6(U!jokJLoj-hq1=V$V=r_J7{|ygUW)pu6bOnZ1zD)#-NCI z?^7Z6RTbod*J_7Bma!k`qBpWGm#e}UXO=3U^_D>TW%GLSyM>1L%AOHhDDb1Rr2-4= zR{P-{%y`ZMhNqo|#Dx8kt1#vRk<^2;ddNX_rKhy_l-gySzNJLN&|%HVSaOsuLISrD1c`Lb~w7d=U?`=HXcP8hwe8CN`)ir%_O<_iTpDTn-qGvH%&l6wu zw8T`5dC9M7CTkd)j93Z4s8+C1Qj`q45)-I_eka9~nGKt)PV$W_4phqtW04#iHodzU z!NYUQP5TG6zC5#wJhE>4v#v;DnuC}3$*-I`%JfmCGt;pYkb;Iw?aoddXdVeFnCi8H z3Qh738ON5?EmZ_hpEfsHS3vtSG`!s7_}#O#4Mfd-SEYah%ATG-&RMGagq4bB0xgKx zC&9{FbOMx8hfCWdX+0(#jWeQf1zBP^3fHE?8@x-tQV7kh8q}1Qi^vMtal@gfHrM2O znpXc(AOEP8p9#Y^hn?ZKw%h}rxRw*CG1RWC}-RovMu zAWp|kyhT)Jm7frdEn%e52>u2@eHt51AX|g2zW-A4%DZ1eTpZb|)nS8r;!LxO)XMHScq)ZZB>1*V0Z2 z^cZ|8C)5k&0B;Py(BId1o89D|{9xFEs|c`mhIW@U?{0S=v9KVlinb>J;UDOf_swU8 zyCsN~PwkyAED`-`}>GG|t*wD=I@GKS;RSCVP zCS#(mODn@@w?B?CoGEFIgk6W7s#nmfYE(IPl+U(n2twBip%nG9QXy6H)6{)pQxm%V z`#PIq%)kgf~v zw@+3+05Kh#`(VhvyvqAy&8o!>S2`LnQM_%n|3yP;n*$y7_|gFA*OeLN0-Tj!!7t$X z19DSM6?aiFh70!=_!OUddFgrv&#B~pg(@re#cuME3A1p=!`V?;u6oQ(t)Bp$WY4oI zS_Dr_BX}f_1t{96cJDABphK1f`ndvkf4to9;>ncVgX2j6+nW0y;T$j_4J!GcCBLq8 z5;`PWpHH+e(-ep;R@u%sZhFUpK2S#l5QZ3tLcxw z=I5A`a`d6mn%Cc5`a+DCWW&Vxu5G$)mKzTa*uNVq?emyxhd4*%Bc+&I%$iDVDb7oY z*KYC&;u+43{!I-37Xj5yjQo$Tw;OhxhQAXST|0excGeO|S6#Y%{{C}hjk3CW!%2JM z&X+1QUW9NX<-d{%Lm27RGXdonLaCb;>YuqJBaCf)h!QCAK z1W0gwad&rjcXvo|cjv6^y}LWzoz6Gz828^f41N@Au}Wu6tNF}gT-))cKzh?GM9#g~ zXT0)E^L}r|#E!4f3hkgQMMFi4DWy{t9c4}V@e+(C?%aE$VA9P2l&yrs=g`-8k#wQ2 zTG$_5zU(pj%|6NeV2+(?i&FcdWEj_-h-N4hek5<9rr1^CVlI3I18jwNLeqXOr8CCO z({oF*-r=JBfoQ@VUX7OyR3ta6*QIVTAa0iO%=U6I_Mm))wrDNEaO-jBY+-VqQ_mC2 z+*8Rddzs5K)+M0(d;_-Mz1ZlMuq@YY8NJKMrO2kBED;E}cqd<2D%UHavSYKOl{iPl z;n)zwQ|p$JRApdj0eZaeGM7Bj)ApW^eUYUN+dqqS8qIJfrZ!zr-L_C!s892-#xcp0 zXa4!3#IOMiz$i6icI%>TY!r-)q}v=!m1=~atT|BA437yGFvoF9|JH-P@3_FFG^l;O zD;{XXozjc)wTXMZ;$~|FXIJ&~xURf(d&v>aqq+H}n;;j!SAQ&_&(Mxs8T+7mI;`$F zea1%5{LO7WNx%GltL4cv!Dc1?(09+g&{G5j<(--B1##hLT{Aqz+0(@ZM{k#ARufNb z0*k9I*sV%OPAcHWgt!|0cK)YDj1=RT+;Y!~ifZ~O=gS31giq)ta(#N*!&4r5eWDM? zDjmu$^NF38dIbhiF2hse7*m>=e+hVQ^=_?BPfs_fO|e-m--N4%_!ttBVT{!JWyzz= zAow1ve6#;~rq7~AK>>ym6Me=Is;B9Ii_PjC0}*#c{CyPl)wYxjo)oA=x$ zG<%yYZww4%^bG4ag9~f&ril2Os6!5>Nm~no&R|2xMIj3DaJMsnOHslLpoFy!6Pe+GH(`h6RfH zhx|i(&y#{DaoG36Tjl9SR#vT=%=0I2baf-CG)%j@yP+H#&ej_}XjW?*j=n|{%iQ!u z=D^K3ZG`fU_kOI?TaXzI*O;DX^XZxjq``Dk|h&Bo%4UX=)_h^u!tm7aWe>H^GW9MKEEjZfq}6y*^o?O#DSl^aY75xPoqSl#=X^M^d& zcv->V?<^@XA}26IJ+?XQ=)z!EKsiB&N_1a?t;=$O2a+r=&VCH#AsfA|7`q=V#^_BU zsFo|^y4DEEYH!<_6BAM^iYxo<{Gq7LyXR&^+ixM$!*g@>1nJ8cm$OD_4GSzR(#JEU zYD+qnq;V?Jc~-Uf_E*O}z#hu$M_nF4EVIajbI#q5_@-PTneW8UJ0$0*B<&jcF*tZS z+U~S*g!fL6wCt}CjT`_hY#sa(^1spFERlTKD)gEv?`?am9Yg!$hxTEM|D&SsN$R8@ zWFJ3~Xq*J8P{K~&n2DCfG?!HgI17;gzFAF`FS8n4{TwMAXNBm3psP9ND9$}(=Vi6( zot(n}L;fr2Yl&M?7@cok zL?tA=Yot`|_xXrmyO+)U&TFs({Xe!PA4#bM3SQ0RCz>x(B4X*!ArU4Xp9h+V)PCLF zJ3zCB6egGbih&V}x%?u<^Y*0vib9MWk{B%{uDDnVTV3c=jlJdeORd$_*TOraYZ(dr zA)4*4Ucn>V_7Biyp2H=c=3O4*rJCb(9eQrT3Q~u0}911J^2BQ18@WcK?;VX7dq}| z0QD5#2f);EkXQUSY9yqkO(b>9;^=DQdE7Pe%h{9(n-efh*IWz+3` z%@q|HIlU%qso?D&k^bKcttj6CG5pX5|DymuuibwCBDr?~f!lkq+Q3DTM*$iH7-0XA ziL)x;8N{Qmp4tRiPy?N%r7|5|H_5Fh6+Cz6uXoX7h;fKIIy%l5Rvx$BX_yXZWE2&} zmsi-}>4lXVK&oeIw7A5Z9zw<1s*7AN`yd;@zQRm^`P2UM5d059vOK;;kJt2d0&*$< ziL|W(eMeoO^2V^r-{;XJ_JPg3`~x21Jw%L%j{XiBItUd9L%O5G7l|0-O#Rq2P?myje$0N2oV(^$~SDc`^FiWTG*r`&mx(aS%vU2%qM?Skrp2if7=C~{8wW6dk0IAy!gAi z!6^_^w?AUSyn>#3OmEL1XC{q4jXcextVmeScYp5pCk_6vN`E}`i2{&YRL=>Jklu=l zilU;SWj*-&`Hh~RS6&*GsTf;W4DYGGVPKFe2$9y%(#kF?qc7QOg~k!rF}C?^VW*X2 zoF*X}K9qT0YgYsYEeov>p(Yk8@Cs*vP~+7vX{D9!du%lcJ^h!{(^GO5mT6r+WMt&? z#^q(L-QC^vt}Y?&5mjPR(ty*mv!K10c9>|hnc_ap4-ZkT+n@YRT`c#CI92U}#m2>| z9ty8NkSo|Ri2R)ve%u&*R!C4T{$egJ^?3|kk1W0Y{pq!}Z21KR6}*{8Jv}{U{aDNV z;J$o`S&GWJokBVq&-E3?VE;bhKN9LO=sRRd;k~b~FB1nxe%+0lic0GCwlO6&_2iO6 z89xabSzvub!_-8jor6QQVf4DyGc5Il*1`MA<;S>VOzzNMgXR9);r{!3t}@ON5D0(0 zk`k9SD?2*?=(By6n4w{I9zO{alLBw_lItrtIOG2Kak+v9@&`g>_2Aa^)A1NnI&9cK z8Qo9lzmx~UM=Nc7dU`YFgRn59XqSkS6PtDGZ5BySkb_d@`Nf3^3`VsTeaOK2r5^eJ zN!P26->X~i`#3l_h#4#-DEQeOpGt1Fzbi8JBA~zY`7iqd)V_KJXay%aAK7ApQLFjO zfEW*YS4Z7)u4?tf)`;~}Dh6sBGsl-jzs5JJFnfPiOu-T)BPAu>ZAwl`nw$`U;PK95 zUvLuk7nW6lvit1KySx1#!S-+D!iEg&sxLuAWDE=u;}a7XT<|Oi(D>jLAr(w5wW*Fy z+QT0I=i(hBw%WL2=r@@!uuuX4HsYVc!%LKHqY@^ z=}OWR+cfiJj-DIg*Vs<)*6)IB={h?z6S3hoVti^!=;7hP24jKnO)8~)vAtH-{BiVNoRF4bdGw~fS*?S|;SX;3(}Iuh zcNV#Ui-93*U|?{Yi}30dQp2qe1gm%Ns0d!`OoIvPx=wE~k(+uyJy!q)o|MAc##A}G@b?t4@m4iv&9pOd+yKqZtgo>7y(&cC1 zda?y$oamgR$wX!@=FFTgKeFV1mZ50D-&&^0sjKf*AX$F+aIUJEYitXZ*_k=Myzh>R zhAz}cjE7`e@opD;Z!ziJTK=!;J5h>o8;vrN2i(|88%ZQsD!ctFaUe^T`h4Ed`0nR$ zxL=8jXWpxX00!Oa6Qj!xk@wCG1vYYV)22{k6vY=%LSlOM+B=^HIs~wE%wH`f1UW!N z;C4D=MN>%ISbNzmGfhqPk=E$H`o@c|6&dO_^&E_|eEXM`e)eQ06;2Joj~o$6uVCe`8nw`Sbb{uz`34f`b42`e&*L@D@B8_)l++@@N-S)bFM+n?_4kP!NKIgyg#%yu?68=AW3Dm`?!`Ce+ojhr7hZ#fg-am8szY*d8Wc z-jXSLc6Lz>1ORoeV+;KzCsR&TG*3Cy*vu>oh~7F#%KVB-3FLhrA6S1%oGBR}ACH*0 z)!SIlEiV`2T^^N@j`^Z%&P&(g1>EU-u78MZ%E?eso|l?Bx0ai4;M(%RGYzFYT9)>^&QhzUtascUIO_4a3!q2b}2p!cyT zfDsDdC)P_o$9cYgk18oGIX=5hKDFE=z|F1cVDx$WY5tJ)4yML@;a!8nQCiZzhM0s@ zHu+e9Dt%03d zeeN?hAt(a^>BW`nRe3cBdT)ZsRIcs&!zI@)Kf5YO5_6&S41IflF*i4GJh!j89>3Aj zf`;8s@|rDEoNnVW$hlt&3}^x7$DMtZ%a@EEso*~MJ$mj5A!3g1=`ewC+%eKCO;ktc zk0}OwX)?Mm+T(LlGTx^-m17JKppEncU?C=wT+!nzMTT;T)oyH$rx9BeRZ>Eaj*U%3-%uQgkB_H~ zrf?%x2Vk@ch|;ZZzsE(I+|)%y#Y<7l#iP0nApXz!^);h+ zYK@F6B;ak8DGb1$(y;rUN+8nR-`_uh*l*w@(?m)N-rmu%AO~xFAG@%mM7mZx9@RqG zkcmXx)HL4#M6IHv^v>~ck*N9Q_nmtNRT|yxTkmRtGdihYNp5?&akYJ+egC}79vg=` z$@!M^9B@CsC+~=X0VRK{=Dq*T#h39Co zf?S;44cGH6%+$N1xb!9D%dbT4oQ#ZFIquO;JKqS5C2DzC#*NL)v(1$0#zt4Y428Z# zMhbI^^)rdXa0(!3Gq=f%46NKCWkJR2%XRm3=f10DH#4yqEfkqe_eIl-=hr=y2upGM zM2Q+}4%;5Ok<7`Omz5`50n)|LBT1L;S|8C&QF3kRg397m?-3a*3^BDZIc%zx&dW22 zN=_t0y;Mxd3Z^z{xu`iQvn06ui^Km98QQu64cOBD`bnjnCHQNupo#oao6O%WMHuz; zI0}XA?Cf0mLN(Tq$o88;9SWMNZgZU)oqf{}BG-q3fZ+dt4+e^R+`Zq@V)cs7Ql|41 z0MNCg!v?X^xaz(|%9*&_kGY2lLD8@T%}-%mnU;x(*dL!Vtv(?rrmg3jyU|>@l*2D8 zDIH7~Q2=qZ#UW;N7cNOs5)#O?4Ig4SFor#eNbirfyPVda)>QDg-DGmOrNi-f4Xm!R zFwSLt^pkS?qj*k|JnxElaTcwusWBcmR9F-hU2%&CVJb8gS+1-q7%R?Wd7olb*hz)L zbnmlZ&pRWf2R=+3m>$(oj=i*ig>69j4jbVYt0Vt(}s2>6C~dj z8jT;`ukev#x zjgDzXqF|HZ#YL{6p`qOap?^t21RmtIQTT!IVp!OHt&dlcxbsb^JIG~G)kR6dSlmCD z%;PwD%J=?)Oh%z8!~wUoSY-?Pk;>9jq({pcq=y`OVhQs<)Vs^s(VJ+9a(i8*HM`Zh z9CCVYMMIN?#Z$a_2REy@;-)8Pnvc*TiYoCor-5_@ssZO~7aZt4dBlV4~XulYs8@@Gybeql3e3NKKL!i`E_vcgKOwx2cw= zy{A3VNST*E_svz~dVi*wS(h{}#b#4gkGIUxIjIyi<@Uyno0rE|&s%KU0@=u9_g)4< zn<3>@es-o{SGC(EC=|-+?;nOyfgED%OpdUV4I8OKM#bLx3;D*Fxc8Y;JG`2e90<*>-|hT zw?CjaS7hj7($Josm2Smqr$9Nh%nS}PdB4=G+o}t>u)2G*d9aUSFNT|2zrt_;sZ37k zH4Zb+LiL(imuWZT)?cjP-;I+GuYhb>Cpt-N%R#7N{^i&J?()MNv4KQwpf~W!nxe1X zpz9N+CxFJ44ANPpZ?7k2rVDI;ZNAaZt!L1_Y?*>y>{Eym@_~DNVU)j#rl_*9R&Yn? zCQ6wITqWfGw>9_=NAVL0{;(+n44ll8_87$~0OGZT?c^gqO2%XVE8VGb9k$`a9u~RT zgQYOv>8ZPY`tGyq>h}5B_Fs zVoB%@9(UaJEEz*9O?t#bXID&|u2L!}3N=v?vxi1jALQgB8YYx3rfk$u-;jR}aMiW6 zx0-Le>>E!X2qwq~T7>rv2jx$4fE-Li23}v6r0Hn_r`3aWOG8-2Q@G~^?6(OWFEXsUnWMRg^$h5sM-UF7NeEZAd z{XlvO`z6cN4mw^SZ|u5!1i7uNH-3n}ez@JTCwYk3LUIqn4ovi6prnfghCte@WnEeT zZDa@BTOrsOMba@f0ehO%ZMNn!_-!5M$TXN@`6z>B*W4mwW5pHZ$lN8EkgK0sB(R`e z^5kT5do5bfz^FX4sb30ixaYp7zUc%R!f$qa&|9&Br!R+`ZLiWNrrCa zFE@|1?&LnhXJ>Dt_mt_(PTov5@=1FhKXO)<>Lg7X4d6Mn*#l{-Z|CTqzIa@3%m8_K z=jzixhEyzZ+7dfVnZ8jivq8G$9V?llFjTTNzq6ff-`s=U>U8aJ^4qxlKu4SQU8Q~q z_q^9WZx>%->IwFr?b}G-|B5udAjLkBf->^Oxb1gsFI-+(DHv)29zz$xaQKFY2eiJv4%Y?1T*ilRlwUb} zH+Rq*Jl?TBiAjT;1Asfa?Jz7%TOuRmw*hFVIL*+vcAqWoi_atD`L114l>B<>Q+&sV zM_|&}EirdR)tf9Amv&|`G87ah>+JfC#JrAd&HYze573(R*Jw+1?j0(8`$aw18cp}F z{Hd(t46}`Ji$nfJe}O^;&b!#K`jV1xeGBNSDRq@Km!Wzj^9l>5<~fuLIvZ+KZmMou1jS1+uy{S^SH;kZ=_6K zms_%RR<9$2p?rihf04IXl_-ZA>#+|KmD)`4Sf?<(vDcUJIGn@I0Ic_e@SZRF1-LwJ zN&Ws2LTbwUbB>c*~u%`wCB4!bw@l^ShsWAQ3+Rha+V; zCs9$Tl*q-+nRfQ}vYwtTixUq2c=2V{D(p23u7E;6F)`B2C$tb!)p2rC&Bk!~ZRnC4i=g7{^S?-u zHo;a_4+(HT6+OLlqGf0*IhC~a&{BfCWKKu9!C+S$tru=U;G`ZbTCWm`j(kMzUfXPI zs@9t~On#&^8Tb!FQbi+zG%KERnTlSEu?ys!$`T9&>Q@lMTn~5=D3`cKI~fSeXek$} z_3nH19yZ^KO~ph+Ca-+CPk=l_L{{#GF+=%!)5F+<(F?2>9-x|v4_Nrss1XbFt28EoqthkhSOdR7oQ=yv9C_>*r=L1UBHdReBfoTr4&^dS`?4 z&0^F5UiJKEIkjea(gz2#qX+;r zbI*8G{Cv2(XTK5fn|#kuv+F4wp29>G!1Z(YHgMKo9bf3RJ-o}&HvMKlJ)}rn<(;rF z5X{=Q*Dod}_OVDq#fc$IKii7XMdTPU4nO6$&VgJu>shj7ZM90(giccD!+s-+al;$r z*ogP@F_Ugb%14PxsDknLg-)k~6)xdM*+$#rT_xx4Qf~H#jPAV5%%Ni913+#@39I9) zYly2WQguncz=ib$U{`FjUDx%|B4>U5I;*GJ$F*FpC=(~wv+6a*jX_nmpk_XDoV3VA z6A+>nNVX%sqA?m$=2{aWmpHD;TM8D``IORh=QWZp^7QPH&jn%U6|$N!bQ7!`gaT>< z{w$EjN_E%)6nJrdzK`ary#E4C5KPvE4h-B6b=>u6jd!GZzp=q`Ad!`>FYzm@$NDhv zbLep;shg4SRL2Z0y3`6^^Z2kZ+-WaDtDbfw^2l zcks@OpI>gt^Vt20bDfmlQef}IGaj#Hv8FdDK_Q?Uwakn zBB^I=?j4(cAH1@*V+F(2Cl1zFlLp+u^&6K-1x>{~SSj|s$J_&b=)X?Ye`n1l-RrF9 z^{!sgU$WtE*!Gk1w@_fbINkD*BkgZj?xI<)^=wnq|(ao`6>JRv->0DPG3Q#ww5Bo1ciKQgOes8NW{=gh!k!X zcu8U3-sv%ckt~cR)HNw%gt_~X>>E$1MTII3R)akG<+TT{M7;HmP*j}}0W&j`oQfN+ zf45-#!9*m?_1Za_vgXPz3C7p0;2YUy<=qQt=&ZDkh_5`t;f8XTvifweb#LD*-Isr& zRkMqi`$`*7lE7|8`|!A6qiRqcm(*nG=A*Hd!aM)o#e%ciJS~~C+O(ingNK7OhPL@! zEFZDyHCw8J%4caB;&LQ(Y^f8ycDsX-g^ob@T^GBPu0o9yM$O|I@u)q$3jbIQB5+dG zsFYZ7@3-#cw8bUGHGSUhT*A?7cYGmj9rkz zFM5NBM>n2R&Ih`>O-%KDHFtj|(R0CS?t67{c2+Uvhk4q4yZDU7vGd&w1|mXu&0}Rm z_fSd(gyOZI@9U0eI$>##l@uIuQyouwvXC|J25B$elh}l7AvbZb===zVd`c>^C!G!% zJA5q=lhq=*J*z=q8$M49C}IBwga8d4$z_z}9Oh=VG(OHh;K^{5oUTMmOPfCU$!^z? z%Q%9~j?H|jKB#{{ESfS+SC_?eGY+IKQ~FJJVRFNMQx1W3?wvs7Jlm6pa7zAw%*AaZJ$#EwRm5`0_6u&HR>79y9*4Y`{GpVjaLFk zCnLL7NcWp`t`lvO5B+XzIYZinf#tycoL1KZU*5Y&(^REBG{##PZG9e<`DT_HP1MUU z9zI%}eCrilaTvaHQ`?aEL_0CO^j?i%?+AV_Py)Hiyd$7T6HOhrVw1;tHqD# z0x#v}FPA1&R&bKa9(i!oKc&u9Ps4n`9lkAwKX~87 zE?iTIYj$_#c6K5<83>P)mPqDDmQpjx$?s}GrF{Q}RF@T3erN5sE2e`@mTy&OA+z&k zjQGYzAs`OUYD=Uu2ZdP9}rTzwBY1Wn=w#E6DN)p>dGPI0Ug z2M0Hed0Q0*XYa-q-a$ANo~O(1o!DC;q@;MKQT`mbKSDs~HFtFfR&#K9@hP*qjMQVgk?YOps=v@Ih)$d$ci=` zJ$l~xXI&%s*{F|ePcX1&b^@~VrYovfWE9R(7R%^7n?@;aqlVJzTfyc(qq5d$2t*m{ ztcJ0U;ViNj3NEunUElbhfphb%7FN)ustmd5*0Il>AIylmwnlFt6a7s%0`s_?2hQyQ z9}RNZuwMG!fMJSF{as`QrUgIr|KJ zN%k37^r4fowdD7D_7Oj#cO0I4Jvk7Kqs!oS(R9>iWo11@6bQ=;+A_`~r&Crg^ZRKv zazHf}&g#~(->Xr>Fdon#EvgB?<`(tZDpft54>^rMQi(+E{ZYvOj~+%tUm(itbhBc_ zz63U4YfS67H18W}Iy!YlwUustZlVhjF!+4JpR>a^US49-^$WF1-?ay9@9b>Sb-Fiy z(IoyPI=)nU@8u%px3B)~{qOy$_}-tnD*|PNpGn$3R245gaH!l_Z$HYPt?-}Co__#? zP;j|?=$R7u^WjgXK_~DTIHdz&8q7bGp}%~_t=`&Xq|H;@%=iMha*^}wn2qIEAGBJ4 zoy(LZ!l3L3*Mv-yR7J%=v&z*x91hBxYe z-E67)GcdG^?dlUzY`?!cQsmk5x*|fvLTkgzd2x zNUeDBGV~)65WSOMVwPF?;Ovkb7Fz@9FAPaxPbFrSn_k#m{7|R}1AmdzJFBz1)DSC| zm7Nb_fJaj)2($V3zHlo6n_;77d14~c$Je)SVL|-{_?UHSdYV!j2&tMJ9Ua{b^jm;} zf+FPQ;Bh(>PC3Y=-NE|#L5?Perxa)yn@c`lvOh_5 z&^(V1AsweM3Rl`KR*&Z=Xlm>)eyEIITw2<`FOW))l$K7{YJ&4dwRaV8M|pU#w9G9~ z0eH(F!~a{c)!G}MKn5BH=6if736$P#9uyp0ln@Zl7L}YV37lG#OC(~k+hiht9E*wH zWUq|?fr=rNBx-au>5lKWW+DS~aPYY01fS|`^UCSzDPk-<&p(hn9YF5w%ve_MIqveC zky^tA4lj<)E>>NE-u0m%<8qKX`1~uCjmp1papNQ5;#$=Et?T?b5*nJ&RXW3%aNo(WL1;%DDQIN7m#Y7=V@Cz{7rl* zT&oR7K|?zV@|q<~O3Di^(uLIoXs&;d);~7*_APjkFj)N~^St{D;9>#=Ev;g>GhkH& zd3bnG2?*$1K~{VuK$xzLjm_Zv*R;l3NHHK&#rQjS_onh;Z}cjRPl<_%`yRH#Gnx-?uU(K=7;J~wYZ_wGpl#>0-) zb-tUy+i(B=_l^1c#`|H_TI>135pt~%{Q}SWhlUiv3Dqb;tOhg1nwfaRR16H`dVKzS zs@U+Kd`YTuGRa+MfqsM0At&wl}FWMstnaA)y;!`q1z;d{RqL zf1eDB5?zXvy#HnlT*po9IK-wwe%AZ%Q|0Al{+)FCdV5Q0-c%bJ7*Gh1FqtrREDf(4I z?D+6;*@=RptazZj4aJ5G&m3bQG^7u(sna^Ysu-*!P(-dDU(u^D@ZzQyhjrnP^QEfBW<8DN9S11*W?~*-q^wHj&f)=PTR0Np;4= z$sS`)SYBfm)KtaUTln_@Ft!6#T?|iGJ;Q0Ueli9Rp-=Y`zL9#y)A6r|=GWKCAIZYh zUEL0m=DbK5j~dJDhQG-(kqBaFFo#l#nQd3~#P0ML6=^sP*(Er4i-aW36iK9oYiSu+ zC#vN(;a5p$N`bheuEi5~1^K=W3yD_>_5MNvc_FsSyL0lqW9+^~@;6woTytB5(5@0K{?~$*k<;Ug zwmqZ!FEXgByPC8Q-R?CCBsHw>a4U3z)!0kJ>6UIfopfcUDNC|Sn~UIfNN|4ZgTutmin_1UqdSS8uDJTgCQo%U?)ts@Z&xnIFf5CrFQz2;^)icR`dmkfG9}I6a}%T4 z6`UT%NMhyrK8GXYu00FMs{SfP+|l82uoy=gQXRB9GC`mv(EO++Ha96BFcy1sPf=sL z>0_4NXOFM8U$($Q0y^@WSaYwlbMmBJvU+k;?NK5`KL;r+gS^CabO>*5Zji1d#$L)h<(7W;nL5{f zyW#whBo;o~*(Bo9fW;G$=Ni^;CIuSR-mJ^{m{oavi&Y-ynr-Y$u^SL@OX{-aNj0g6 z&Ffw|sNRqIHEPF)LL)G6ZobsCr4Sz(iSR7x1f5&wB^>?vhqa56hy^R1%wje>`1?Lm?VheKb!%}cy5)WxKw-AJpNBx-kRioKRrO&COI=T>C% zny_iS`Y0!Q)}l%Ln?A)i11#51=g^GsIbHS{dUw5=K)7{uTKju%(hijVvtwP6e^UVf zSv<-N7$jvjDSCQ(b^`8rTuz^{aSjr-^?Kkp8c{(Y5GpRNg!|p4qDz63laq{`T*SD1 z*Yagyl3ooJesMgx$I&$0w_CPVBqaT~j%>o5MZII+z2kdQ(*%0n`0D`>>QW7YLC)S5 zpX?PCqHT(b7@7fd`RtM=FGes+sl2=@-Cn$*O@)|5NGbe3B=Vnpn3mehE7(5~1;FlD zTU*FdUGAgaEn}K!bS2dVzh7v5h*oa_~2Hz zFI`*+LrO{-=GKWB{?h>njOHVDY-|$;DuMs1K|KSTLFVHVvgP&h@i87veOvD58e_%R zrJ7eie|-!hE7$^2-pdf=xr5&bhuS7siR0?5IV*6yJ`ub$J%#;kuqC6|EH*oG&a8&$ zSN2aanU`1piR=2&k#tZ{H&JeINJvoNt&QP2VKB?ZxmW)gf`@ohm^7;Al6y{Mcu7wC z+4%aAQ0flmiIrLnS0x_>6>V;2xYncQ>C_C?R>fNVqJGyx&u`%{Bl>c2>a=?f?@6^8 zkAhQLVlj(9J?GjqLY$!MY(yma1re{714hh8^^Ltf@s5C3k+$|xv9S|t9f8Rn6HWkV z-FgHS|79Ur&LnrhGB2*(@hO8FYMoJEGoC8UKng1a1is^8z*lrfg~-R=Bnbj5&*^_B9YzL_dTMB$fq~(JXZ596PQd` z+y<#>KG#oSuS^&$Db9Ax%-&l|xRDQO{U%nNXbA4>zLRd2Gg0aMT7tF8HQ9AI7mUba z|Ne8vMK%K@eTR*BJn^$Q&l*qugq>-Vgsl>RX>|T>H;LyuLkPzU0DUhMBD_^v2M_8N5^l;LqRIm3V&iT*>W3;F*~yz#uE_TSg#VQcUu8l z>(rjNv$BNez8bOoKeRCvh)F`OcdUVma)=<@oYhqT1 z3uD53ScP}&fO7+P?B%~JYRX94(VstC6{e-NDGuihq(CB^bP0H!V35H#PtMFx33$c7 z)T_Vms=t15ed8+crU&640QosEhZF5$R3nTb z|J7*z&U?Krr~t1-O;c6vZ@+Fhi3AW^6>r9VH3p#7rSDDy3s*C1-Cs~KFfulAV7Nx2 z>3F|xwY~_@5|=Kg*W3SYN>T@kul=42;0Lo3C|bn;-wa0xa{jspcItqft3N2}0`7PG z)fBB#1OJyq66Emr9{lyI?P`E++byVv!213|rU9NoRq(@MQ>X*J)FN;I>CjILxKb1} zHJ7HBWC?!NjZt0j?X+>-NjAh^FT189umHs_TUN{e$MEBTS;Bi4`ux|UA65MBM$C7F z-+J{6od(g1FA$nA_5ZKk^KuQu1FYa5CXBjNL-_35v3g+s3T^y2!UH600EPKYSQhc+F$15emg4Avb;jn)Aja8%2_o9=mfXr z_5ak-<>lpm<)h`Myy|MD8{j^{jDUcbfk(+LExds5s_#KuOl*6$Oy33%U<;`m5bf(P zCyptMDtCZmf|B$k0nUX=1WLz7uZBPjk`y=mlMzd1bM>3NYv+aZ;{L4Ia9$EgPW572 z!=7Eb+`6%ol#BXqHC6V5d|`6u+d8o#Uv=g2t*55!XzrwzxsHLrm!FcPo(qqp&bI0I zEzo_;AArfNBn+vhe)1~6v~+lUJ4Osq9}oEQiK%+Acr+y}UkMiW}w1CK~nQu$1gQW6mkT?MHZF4;d6J%B3R z+f9_mYwKbwcOo8q+L2^TB2~5&!f+VEhHDRb>wQ@#r$!H}R<`?{4Ej}BM=Q@P#-ej9 z9zrR_Pwfow%Eqz4F267i=e%I$q48kF@|AWgdaFy1%4p0K8dvXSN+rHCXV#+%Ct~jh z8wLiZjPVh6S3CzUAt%XDN{GdLQ0-_p=hK-lUjxMQ!fiFO%-TDP7Y1>=4}2@MmQU*uqk%Wl8JJSd7dBM3#?p@# zV!;yGB2VP!ay!MW*fTHw+~zv+z-@!k^q{8g;AgC2s9*+-^o+XcJm zHdAfI!NI{FUBi!Mv=@CldwK$$3N7$oenNp%0E{qlvYzI$LjeH+`wh1}^HSho#IBmp zR{r&YN>%05#B9xDkJ4VMj~PrS9Ij}SOT$FXR*>-#5Kf=I!Mhw?oyimo!f~pN}4J7c`M$TbyUBzX0?B6U5RhUuOLf-O^^lA-4 zS4p|Sutpp!ip2>HPZW8(+@_$V?2wKSa{0rE30E1w4`6bw2o1hKP0FlgV1L0>>h^YepXr#}TaW0bRk8aEAaRCze((Zccx%rt<3|EIa?q;mBT$Tv*;ZjfZeN23A&NsJm z-G`_gwa%Q1v1*S!WFs{wxM;dnLp)<&((wqE96-Kl)Fph%-Bem0&0i09@}g#xl+==4 z{kM#ENJvjD(BF2|=bKhI)bhD%(df~po%#@GY3ZnthbGxF_+N!&blxfw0B(yTfyms{6yG|Nk?R;y!Sbwt4S-2GPX1v7%so>!g!$;rkA zo@rLB(S0;d6?M!J>LMr@!#4Qi8nt|l-0fkD+J)T0w^n#*a7zknosz7%%SN?>hsG0Y zBf5HFIJ|8l>9wM};mH^BUtfM%8)ru(_JYr}tzRWJUsK zrjE9%@3~|aWMhY~AJ?k+1v>oFbZbSlO7ilucPR(10%{;3A*q_I*+=N&ziw?!B(d8X zU+&LU+I$nceYje2MiCMgo_K+w!H0x|RO#{HqSowIH^shredp94MZsjX$`>3OinfKC ze-1%QO`S=jUOifGzZb<)^boH7eyydcFsr&}P> z3(G2Ng&#cze2`G*$Ow<&b7xll=NhC=7wKK@i|PmQdi5#w&E?hpAR1Qqw)B{W^@yjp z5lKnZ(xI+Jv$v3}PaSUCqiJI9k3BR9NGuNfDs@lQ<_o`3G>xu8QYBsMir80u3%nNd zm%3j0G(ejkzaE0ZyXv`DeYf4s3d;ICYg|!bf(RBnW7(KEN$9QS?Ta7Fdtn)j#UMg6 zPICs2mv(jN@sUj@LlW1i_Mt<$N~mb_25jtgj+U`f_`=#HoBPwgS>*%9nP(wFB1;gh z%Qk^na&S7b%i;Q7RO8N5<<=B+K&R`6NB;Wbwg%(b^FBj?=hm(M;WcM7Q|0l2F`h(w z+z#Eu^=qL|vML&%7K;t#SU;ozn4%~r9a}x(;vDU>+N3BD!7Y!wL4?aT3(eEb9FjBl zQytTn;=3cd^|pg&6)f-;nxf(<&BOa(lf1m*D0evEKo)2#*sQ_|ossr)&b7{C9mlcyz|1bLQ1rX#JO~R8Gsi5yHo4K=dqFLNr@dVy5B6AaN!W7Mzh1vw z&zXrcpoy<8GTT6*%$~$fByAVk^*}xiVZ1&<``_j?LHO+U=Rs#Z8H(D^$eO%iZ$~?R zG!6O(v(R2dKhGj!-Rtm=Q%bMZyJ~gXR;u-6355|smy|21TlwG63x>V%xY1lV;+^a| zUsCVN$L^Kli&}i8eb&kt9E#W>0+I=9N#BxyOgXz_OJGDIIVoPqilgGE8W`EZ7 z4Z-gz(#XMRF-s>Q7laX7K?LjS)R|Y@)fv32Tu@SydEuOA1Tn-ue6PV~yml{o8vk z?Yla%)NhwsI*RFipO~YO7ZXoMFE$`bk-|qIc8HIB^DiUC(ENaP(`K)Ywe@B%ODTze za8te0C@I?GU_3|c8!fY@j|UU!BuR=!MZIqieZuIwYa5T-2yEg2ho#M7X}T;F0NgW+=;b|7lCE@V8%{qovzw8-GajSof3D#cxK!;v% z=-@qRzg_z6$_25KFe|na%fR#^HahKWF(Axpx-zC@{`jHv$Y$L}I+-)kUfGWz781c@ z^sMs`PG@r}uq`ZW-+~G{7Z$ZTn_Ah8izBUcSi0caY&T1#ZW1Fm^rp~viCeN4L{rZ> zg{`&hpWhXRtkx``KhH`SfMF$*TNOj1>&0DfeMerrz4(Dqtv+;cQ!4S8eJvsvXp5S& zE5QF7b1;MZnx~NGflb$eemot=)Z{WXWS-~8n?X{<+3u#!H2B+bfQ)V%30nGTOJGkZ z9TByNXJxh$dAAT2wx%%ZOPA3tx?a_*itiq@yGZYf2`23sTtnq=(BrFW4#ZEkTvh^KqA5=z;x||iW2o@at6Q9A zOwh&y&ea0Z@&ykzwh2dla<!C`#ZvQMr3KvwoI~ z-#4#PcqGwW=FIWxNR_9<2X$Jq+qxEYGmi*M0*cb5da%2s}!D}P*!1pn|f|&H2I(wRnh;=~3 zES-y?uAGH8#xj7VI-+aFJzsUtKT84m;63myHE`HuB>Ifc=Zed6XK0pNJ7E!MV%+s2 z6-x3fyeo{n=!LD$^mfzhl1xTOB~pAw6B+J_LBUIQ8TxR8LhgOKyBDIWuWFm}j;RqO zwz;1Eu$l;0Cf(=E?AEPY)#?gcfuA)J1zjlTJYh6s0Ze*~%)Q8*DDFZ2u=C6odTD~* z#-m;;uEciRH&f+Fvh%hOOJ->fETBhLns-UC)clMXW>2LtI{7`(|4O=^fjkMYkzZ=@kQ6|)-|1x z-knj5ptPFSOPQQGYG@kxXoCAIs>QF}I``>J>Vt8^^6U(;;uGpqyoLD_Z}QEY_70}} zf~s^9;Wq)7ktzUMxInTB-F>OAc`pkrc3}j~`VvyEqEc{fNf7v9o)qV6#3RTR@Lbp7 zckSDBbxL?uYnidf9V2rsr8%)xu!6eG(4cf4|F46PqROqU-50mX7vxIy!Fg}83oB!R zlgcFlAOKx5+3S3MIshtohBVPkskM-iX5f2r(%sL32O6TZhCOy3673a9ltSP4c`WLY zIKCL;8L@Qem{lXrZF^xXU>4%jv4R*md9e|?6oMxf9c`hc=~;U~sK&@u7ZyB=%$U$v zM$~NOxxG=p)0WvLyB}QA;wzbic&b{fCAKx2vUVUVGdh?{w@|CeH~T$^ZXxS<-~ELZ zpZWL46``Z!I7i=&(93MTyr|QGK5Gr_qbPOm7le{NoC6ZlhZnhFwAh)$D66BS$==}U zVVvkLYRZI>2~xVP=^y3G62o8hWhp?mW^9fi!rcxSuN=mrq);xFZu+cYMB*J?eI#jz ztnI~`&y%V8B?aR>{f?L~GciASY~hgDDlqpN?feUTmvIt$Rwbe~3SJ{l#j9^zk!Xsw z+}-LQs}RGM&of{BaeNQ83Ni*EbB%9CPqnxVID7>LBJJL$2*1OtL7`JIYh2?nx)ZLH=XU zS`q0z(EjB3Xrsq*Y&t`P0WSQJ$JvxcoWYZbYU6$1=@ytgd?~?_z4`q0gC@_#km_{T9akF}KTO_W9iF%MY3EsZPyI%Y?=e|D>gr|;S?U~dQE=c$nz83Y z?rh)-Q%@ePiH%m<>UMJ4J8xBvuJLPip|1(VBDJH5P_g*c5=5Ab>Y*t|q4o$wC_!;Ae}w2B}1L6JnQYdt;L zo!?#J^b~T>=IM3`?Xj@@%k@X)U%q^NNa$$oi8@VSJ6lz)Ip!)^{i26|aO;u1n|=So zM=zp&p^$FwVG~?aQ#^Z$4k!>2AC(k>(kefp@k;4NR>z+YNS)$y5;PuY^}N(K6!%d^ zb$1(%6vD;08!`&W(-mH5Pn9FXXQ1>1u@1{%9*(*T+U2FDvA33euG5#Jvh`UD%$c^dH>OuCo_^1`4hxTRm@E(b+UhH)ZUoJ%c1 zV(ugS^hQ~1qw7;^<2L)s*s4KCr?E%fg7sSp9h_X$S`@;LtcM4Nj9iBSuD&;BbgbDj z+9hNUm9@8VE`74vV)6S{m35E@NjRj!l`+X@p}PYLLoA?Nj|hTM;5qYTOmnUPEGm|% znK^nt!BT%Bf~!&L$VGthHkgGxA;}rMe~1})5aQ5L!D43rPWv{-m`r)|k3($YigZ7iD2X%G8wXDUxwG)&(tRKC z6fGI|`nGWssf+|Y^62brJA7(VgwnA&pqx-MX8D2>A$ z;XQvoT_uAmw(i^M0Z|I2yo&&S>lEyZcs93THJMx*d#^V?iJW=hR4H8wfbGm7y7ND@ z4CPqn!IA|Vbkz5Qt4v^Y2HYpH)5zln9_P&aLrn&(*VLLl&}3$V>I?ZqR6A0psv#~ zRiz%TL5IjYyVQ>@(p=)b9bagcePjVRE)N{OC{Ps2&k!f2B=OqB5BSM`i8NNkgX-$c zoIwKQ5`1M1y$_R!S{I*=Ray+Od&1{xHVrYJS|=xoB_zjsR1-u)uU;p+?)+dlYf(zd zlWO=#muM4wzLo&CYrb&R4h+8Au>9eL(@PzK!Y@L&&&N7lSaYOlFCu~E!9F|>f(Dgn z9accMIa*k=>E#SE8}^$a1T^KM#h>l+6m=XYP)kFk@RO0;<>d#%4>t)a7RhjP7!*@k ziv(BD4p+kW1#s7E8SmmM%F6Z!=QhCS!OY;uqqYlVJR8CwJs99{sixVfX1GNq1}GWk z7Wt9>Iz7I9h!ym7dX(pFbY}Op1iJY$o$IP&o=Atw?#aDZnxS6! z4obwf%QC~FhTV_ISJIP%bj9Fr}IS^je?u#awIC zb2V;Ph;Q>@W{FO40(G&<=y1TySn-I-3;p4EF9elWSmBI-`zruk(jLEFd`>Bl*j|vu zui0$7yH^0N-Rg(EB49vod_%p01Lbud1c)p!s*0|A(bStS3P5w4e`B{k(W=0;sy5-4?Bwo2Cz+!wSd99h0)-xoP^EHVA^QI>L7jI znJHN;jELJ_-Npw2Sz7gXj7X2+TmS{#E!1v~WXMo?WoTSIr}0cdq3Q-}qcxfQ@Lq-M zE}hf(n7SQd(yQ#RmYPEOr}SDaT!U7=T}M&y*=6mG0H=0r zM$57D+|G5N-xKM4_LLV;qFEa5Q3^O!PB-cSX7Zu?!-r030mf$xw0nvQ&*rOxb5&u+ zzbe)I_wFt3eS0BEX%OpXs#)Rlx|4#0FOjrC6060wpjrDX=7;FpkOg>kYOTcw9X>I! zg=H~ww*Al%=)Hqo?n~qN;xuj$POeW_4YXbgZ=YAXU|xtdOKoC?A~p;E+%F^CILKED{&Da@XDc;@h}bv-hj@ zs-%8YN++k|xKk}V?WG)5|5Ck8yr|qw5Eb-c;{qZ5fr_Rr^>iSPD7D&B=Z2-=o9Oaq z$1SAGwyV~M2QO35TBsD)s&Q{uS2CXy^h~{HK>^||tfYkc4nUwi@Jk!Z94+h%iw*75 zotb zdvxI6H0#OI5p4w%I`$lMrKuC!Zr&cDSP+|?n8}j90y6%b`{4r@ugzq6?T>?}LP`@* z1teg0Mi7!Op;*w7R(R@8Q0KPbqnTv5cGSm_2T;j#x^X}?IRt@)?BhNv(>L_G9zJTwWUurkMVsH6b@U%?c-vJ~nWINBX%QRplqD zdWT#QxW#Pk;Zg5}+qn;X&WfxunpB=^uwD%5rM4>qiH(&nQt$=Yc;!(GL^G^^n=*A` zn9zi!Y27uXHS4Cn#0th{9%oyQO(jt)7;YhPe^6Sb zU<(+XZU!atyB}n5xmM;#)v|~TrM2HA9@Zt=o;LeOLTP) z@p(kQm1%U3_rg(i!%M2Ya&k4b_6mWHNC&kQ zlN;!zAL_}xE_iN7=x~hJ(k5@>`bPRKE-_|al zp_LMGZ!@);47HeMbxgSdW}<4==zfPkXSzc(_(-NV!1K1c=_~supJk;VNsHQ>UDG}q z8*5EuwUm&Wk?WlHaB%Jtu;R+d8ss+dyt_w{!?0`7AmeRVSkOFio&+De3L4+d#ZuyR zcrA!g3A^#&(8XrMcj;-Whsd^owzJjlhJU>nN7^B(W7iwN+ZrAC$HNxDsps}owkmxd z>HNG&ita-kIS%{LSU9Y>V`HewzE<($j3n2FiX*@^dz`nc?W(PK7Z3mEB32D%*hh#Q zc&HkKP8act*vxc};mT}0qsJRvIS>SWGH0{e*jT(@T`A$IJrmrQCodq=e6=EpbgUiw(Qy|oGzFc8lEyt1O0c{ zS9qI+0!8T9^u^U2<0O7~(2>#?k(wuh#q4$`e}}oC{88z+stcS4lz*T&z1Vs8iDUg! zE5?u-9ydv~_8Z!13;ldPEQWR@6uaJxZFkn2%xd={)aBOLA6lex9M5t;1i(vZ>E#YZ z(*7-q(R2}53wRDXO3P(TJ9pAfNy+KtS=2^ir;HLY(p=fiU;Vc6aiejV!G)c|Hc7;T z&us;6CSzAWuHPG0zV_6n+uF)H)+ISPTwgsU<>T5wvY>V8y}Foh2O9<{=N80yCd*>B zT=-w|XMi}cPWg$CEI=E_e9?%LEeS*43o`)B@ZPmnS|HvvnqJXD&HnJ3EuU7==6%^u zV{E@Y%J@E>9Th?AzPLa_MrJoTgtyzdJiT)D`t_~#=p_%a9fgiyDzKY_eYW+JeMk0-yVF>cX0KCgbN*Z!N?;tyqAR0hQbeC)Q&^}Xv9 zj8`tnnWKT}@5ppbtyBF;5Y>(QNf6C__YT`-d|3q{Wd>MDy037mX%4-88P*nn%VO_! zWco=uf_iwo>jUiOnEF<*V3|u$ck)LNoYLBQYe09uLS5f(C9|zwg^R{Kk0q_4D2)Y# z=!$7|zV(sfrGY3~%}|$qoh9jI`g{;AJ@UId>;q^(aqh&pT>F}W|Cw=K70SIis^>OT zmGvKX3XT)0;klH6WAvko(Fj?Q2(e*ZA4-h==ImMIa^o8&x$l| zB83d%K*Dv5ooyv8ca+o&Q=Q*$7vh5=mx;QEr)q>Jb)3_hML0xWxDg2BX%1kSfSBi` zgf!hZpWDa?b!J*QbWDq;>CewW^SDI-IMkIZZ8L2s7>8Uq{4S`ht4Z&C|NdypC&A;! zU6E?n2bY8p!Uoslqa(88LGQ<&?RUMF-b`2ePZVG1U+6}8_3(sVc>wqHMcA$kA@Hft z00{xSsehjDxL*A>pxl9L3Btg zSq0A^&xxo768X*4b z2on5-6f-B;n(5bTU&Zz|r-jNx3mpHNe8_1yf`y)TQdg)<7*~ZqVzlVp4 zJDwRY3y2^)smZBN68SOKI*9SxJZn2trV0esi3GNtRL8ua9*=LFz5xq59Hg|pathN+ zkTEU;r+bVW2Z|qPcyyT39hcHhw!qMgB~`L-)+t~QrS%4t^)QV7LhdLHc$(B{@NTuC z)6mw>y%24x>CDdlr}fHM;K52JnX8BH=`qy|v=MS?HNhLvJul0IPYjjcI~qKul^s-9 zb!(v2bW8_ou&IJKbMGUgQ6QZ$=Smw!`Swjt@;d@9~w zkT;kxkds3b?ZKNZ8ntoS-~YC%R*pRl3=VJ0_k6-ZGBj>t?*xqE%AwYA1gESJKIx8Zef!fgu6KP@Bv; z(Iy)6r8-rOdS&shg#`!^G4a~z0adK9_hhJiu1PfHn@Q$w#GP-`Hq?9V3XN%-OKbED zolv*!wz(P3nh@8-lvd?F|CsMTEc4RoC~X>A)5Th{Wi0eccKEH=ugQv=i68My{RH)* zJ#2I3PpTLFAk&CPb_aKhKt1C(r#!%N{#aFWV$JRmWIzE_-g_L>34%Og$meSe?ez}? z3ZNp5s=CyB4CrwepfH;29}09UK?U)88rHuC%%_VbOyuYqcXRm&lwSX1S-kLAF9 ziEvOQe18%y9)qvdb3)eU##?Z_ln>i32ViJ3EiRY2k@qLt`?S!}k>ynOjhN2;2&+*= z4Nws>!V9SG^8qKT__UDliv37I`@b&iLNiLC7O*H;X-jq#C|sc*EW#zP6jVcTfxFOwP+qTI8?P4p4Cl{UoqR zMOWxa2YA{m$h&FeL)37Qp zbad~s$}Jdq-VXVv??cNTc+~crAB`Lz-V%~rEVVcMghiTenZCi{c+45DFhBc49Pv~O zBH2`ssUf`hR5&)3J!t)M^{}sh&|@(_X6?YZ@d=-8f;LUn;z0zjtP&}$XE@_w^JaR@ zxIz|R`}HspGt+Ad=DlMvRufFefY=N$D2l4njAr>+SyDuCbPocS3`ilxuqj7U4{wf`(~6$BV_TVIOL@n@#Tt=+7SU9;7zE78%0$vyB?NE&?%gk(+z-AT}sNeE_ zjJiA}j&Y(g6s%o~*IixE-@b6kSxax6;}NyXa_W8fAVwEI-x5a`I4io!y>S=n*2TVuG@o7%LzgUC+XLA7G7Y|N)0yH229MaIR%u;DPv z$n<>P^*HHaq$9*tpH7a>j$UJ*ab^Xln_at|R54g54o88@Yd3D>YxzCD^Vg!!Pwp1~ zY}aR<#*j1j0+VN-lnQk=IfgsBNQp23;PZo}qe#y^N=S0@_N}}i=gll^U0*HsA@9{x z3Lf{Y!?vthfSJu<^;rLO)@01>{h@;Ds9>XkzQO&lJOhXL{+f8EK8`4LBF0E!(3Z%m zpanx3Hw1~e3hVtca)>Q#>@8zZFMNonegYd5N>VSEy8~>BUA*Yy~tAAu4#!mv0**uZ6n6tmb$it_@c@+kb*t zuQ$#Z#v>d-g+OU-Ft_T|x92JX#ZHYenP=GwWlSfu@1mk@=FqE+g4S;rYAC@0tH;bq zL$E&FY`TaZIH{*54Tb^W7rUz6GYu^d%fL6U&sqhz>;Z4{*T@F93D)CFZu9=E6uWx$ z8U$2d=q+sf)(|`sU(0r;`o)~-d4KDXi+auKg`nuAB~#Z|N`r&%wr@X?0_(-*&&?0cOLJ+2rpX+>>(p$Z z^SdYK^Dd5uqT5K*y*4^P3#vs^O?V{7d5?l9&~~<>6Y{zd)od9SaR0yS-r1QK9YCbb z=?`D4TvBfw=RBhtYZYm8%eZ&s3P{N+qWlV`PqgO@ylgaK^Y2mlhbm zF-QWq`55E$fd)VPaUH<&VB+KbXw8i0ADyf~rMZ z>U5m96DuB_9i!m3^$JGKT5BQ$17($i?DBGy485M){@nN(Xg(KRyF1G*sQ~t|Z3rGM zr4yFTw$T54!mt#)kidaXbuGD&m1k%Pz}2&eQX%d?fvdzK()Q#eHSfCH#}n9}PG?6w($0!^q0*y+>WK7GM(7aZ*5 z0Wc}5ZzlA*)xaD{XV>}?M!#oXl3xQjMbB9@p(GL#Rh#I&a+krpbWiIdmy7-Ctyp{dcVVhv;a+&AKu~U`|p?;J>a?A-d?KFcdz&J#Dydr#ZOj#A9_6)`{30=T=dh# z_6@Vk_3RwyQ%;Y*1r?guQ#~x-hlmaYZBAc0GJ#0VIJCJV__1L`A*s-o^Tc>;W`J#|22dsm5Nj*@(%c*kFXt4rX-V7C`5k>lcn?hvO6YwTeX>S# zA@ii5@%`~@PbjU6N(Mu-(v?hn*h<_ncLYx{v>In?xB>umG~c_xWsF|wUbD%#ip%(R zv{xC4Ic-LW`wGsm2$<5VU2Cq4%J!Q;Wz0{;Q9$>=E9i${b*iTqcx!TANy3uTt;5`v zFU&6rHfANu7_dlfb3{L(HXpr`PPrbLrXYuQOs@XM} zkq%A*WQjY+L~KF_IQof=%2PgPt#v2kv@kJ4ph))cJnF&pNH|{U;t6qDY!zLmy_xDh zpIuyxr)`)*A?BN<2RJ$aa0K@(&g=2Q1$4}eClu{2 z+wZT{xX_`4nN%i8EnSV?Z0(?Mw+fD-pJT-)ScnUC8ZIfH#7;)66+QOR{7}U#D*(Z% zsX2=&&95$;Hc!dLZ}Ncos5v|ut<*|_nT@)MjZQ!`l5K5D787w|hG<9e+(vW|j7~yI z#q$$mBc`Iw=VkHh)lW?-d{s?E)+{!~aB-hf1xHp?9mlWHeV>7+F^N){krf>V)Gdg4 zd=T|MwDh&O4Tj(tO*s4`RxmMY&e zG!7BlR%wXjhIS{xgNFuw!n_d`Xf)?8R;I6gp`2*^)&>NJxk$5gUBNuGbl)GBHX|Ib z4-3Zycl7D_(M0_8abXFsZ*}pmg{RNNc2YbTa)f^vC7sItvOZ+iQx~ihx*_1P7DwLM z#EbE1cOG=GkEHWGSESAQ+<6IC#Gr9Zn*j1vkGC#Yq*!y}JQ!mOkS)*Hje;LOaCgF> z++YlNn3c$JjTH1wMPwJD4Tum#XU29|)p)UPGw~GGOH6#q!Fg~|qGi0W|6E_fR?iXG zsd&=<17~>HKmfpa`<1n{EYB*Cz?#e^J1WyNI+5cs1E+@eR7^_>SKk{jNLTP%YF%Cm zDHt)n@xMfzenq!V00l4qS4@<|J8|jTonI-@&oqEj8OF!QX?)HJL<}tT!tWZegknFJ z$geAtX+%NjgRtas3W@qUEK@^bR%Ett74EXl%ev(~1l*~zm(O3$DftD%DLJhLy9j6{ z0Ic+_`vx6QUK^!wob*b!#1n@d2OQJG`CDovQt+vWJ*F^K*st-?UuJ`V_VqJ)FS8 z)>0>fw^D`iN|9b#s$@_~&pMG@N++L{^J8?|?_Y(%@=m_9Gc&6xKIG&KX+~d4(+@qX z8&!hXYDPtF=r1kxKX~u}aK@0k+8^eM?SF7J z0Ag!>0qCk6hp9%16^nj)XSJg`d0pwS2=2`uu4@Q9>Yn77ec;J*mlo;*De8>-`AN$b zzlP1YqxnEORlmgilnu4IH(SrGt*yYIrZY&=3Y+jjs|1hNnO=^6e?K0u$dse8FUI#` z*K#13^F`=8f%fz(joO6kBEp|#RO~4M3LVck^D(_LNKZ?Frp7&wV7nerOY!~P?{@Z$ zm%=`0J-7r_foZ=gm%dYAPjoYEhF7#b`IlxO1Ms*xbs<9uddd!(?q)L~6E7gpM$eRB08`RK@LVDR{JOm3giEqmlxV99TRU>u;4o;f>*B@e@VKE zB;w*Z#D|WSKi`AiTLfq~0Oyqc=;&s~CRWeb%)oh(@k+Uy-V%u;!B3n^Ph(N}@Y!-H zG|Jt*^frfHzPFj_=dh*8Gv?#mpGd=xvK4^GDd|Cx!e{?^0c^-Lsq~iNiDSO-)uEoF zaZR~3Poj@b~zm9)d7m07& zaz|Vn@%zM>k|qgkEWaK(wdn5!oXdVTTwm31!~PZVkVm^=yo!bf0}5sc*Pedc-V2-> z*TY%5^28HX!l(GdQLoNevsrA=LAT7Cq6EM~-rPENm%U~B%Rtpf0m?r8P4gwSpTm@D ziIwhGTVEWdQUm=AnfG3lq$AklJk)?T9xX@khs)7*#O+5`ED}mO#y^_=l|jRbB`>?6eZ@GhLzsNJ7WfP1NVxeHF!F*o45X_UB3tle|hO=0O(Ph za3}t+%aVY;HGlMvg884L=?U~nDZEt&_m-)Jh1=q=!{fgK_TQW7w*qK8muqRx{twHq z;2VI(Qo@dho%q)%`?VkcU+;DQ%q_D7UjJa21>E{~3BWC5>pmZ4!mm5r|FLy9^7-w8 zMSfKZ{ku4M^ZrlswJ55OegAwHt&Ui3-ELj!gboqnFTV)co_k-VAs!eXt5$yD!cFtC zD5s0VOjYq&fHT26jei`CUBH(l&UMjP69}~Px=#&W97lwP&#>&q_>h!qb{PZb9TP7g0H7Q-elc<%JH&RP*5SErN=Fmf(Z z{zH$o243@|fAomjhD~d+ePdxy_4dEa%W5?O?*HXlMix0$V{iB&BBHu>pz>gII6F2b z#zZIlbOpP{@Xm`GL)x6;@rj!6Ar}osIR8Fye}(s^nm?`BswUui0_=1(OT2pZipTU@ zlwy;%$l4;Ex9TH~@tKNluw>3Pu73}v{|Vgh9@uw}&w zjO?GrX*p$OpWOLNXJ_@68=oF3TQ<1vX8jc2X2_bFnigTjefV&zcW7wxX`naNwFsJr z%SN~I=DQPuc#;1sp*{rcCWUjt!|?!1VSol=Y5zh)BVOVsD0hLW| zLZW_}SKT89hLOd#fG47f_zj_%1>n z#0lQx(TS$c&f(K|0OICQ#tykoBs{N@aC*Qb&DS%J3Ow_y&sq%kuiV6cAYP z$39;}l%mM`d+rdcq&19xTaPh?Ym7BOK?k_o@0E@!cS9XZRMf9g$ zb2*(I&>c@(f3vw-y;qPML$;d}Z1*82hVeRc2UvlQP8`|A)KdG2z})CACqBi0bpHOY zXmG&3#u*V!I-8hycTU+57exE{s}!(1n%khRrUp19761$<*kL0Jpkf%c4GRh3w8e%o zU?-%}NL4UUy<=iX2|0PfQZew)vkkv0kiJ+goxVI|XIHe7QBtypn;roMsBtGv6i-qQ{Y|kk01m*BqRkMJ$mn+&%tYE zVWIl$nScE>lpd}IELC#end&e09=ET3-9cVYMt~7(g8#?Yk+nt{QaYw<`Ton$2ZxDT z*->NpCTx7Hfp1g&wp?G-J(J@7DYs)*^=JR+ZjsS(^*{~7Uj@kI0UJZv^X28&%bCro zNtI11+uNL(^=!I)H3m+{mo#x)k^h`-xPdwF&bBb5=U=LGjt&VVus9X;KL4V+j|+bp z8qPC#Q$<~UZS1VU*<_7$VD93`;Xiue{?~y2%ZNt2>)(8Gbjhiyi{)SMFD)56iUD4< zW{;m36#hKfc;NN_G5LnwzROtXa7ZljDzDo)*K&hrGC7zx;A*SaM@y<6{N} zsf*>K9H{8!QfV{fr_7f*JO{ZB6c_vzbDT>7V3 z{RaTnS`$@pbn`3qPS&jirPeSD^G&-_j%LPJ=C7OF zxJMl*K^XO3lI$_Tau7U?G0`n?rf%@ra@1r0_fc1F63SmOS?SqJ+Kv?&kfGGLqyy7y z>jMTMHe0%GXmzhr+v*1R(`hmEg)U-d!Jdz51Vf&1`|1tCd*Xgqu(1F3;(+`HYpRHs ztBsEjisNy~qyP2qzdmqJVsU7Ind@?#{!QwL*SXWoq{>00U z;jbS3`$(V#{q^bc0XL8uZi~T6TF)I}Am?y3os24pRRNWFHL#}Gs?uh>ef#!qjFPC8 zbR=!ssiPMl7n_M;RGJ3hWzl12^4~_^1@VtlIbRwvUvKloa%VM0rSvx&Ly!dzj~N6Y zp{}k6mKdC7wRH;{zYDLcPFIl@V4k7|w|&LK@00^Yfq64A}?X3C76r7}Uvbvk$`j`U6x?+|s5}&Pmkzi|*r% zA;XhTu-~?j`qs}Dx|okZSSje_|A9hF5LFQdH2Gh1K z9JqY3&77SpN}$kc_`H`rW$p=rjEqbNJdy);y*$}kDl+(Oa9zPt%5OA%DRNZ+j7FYB z1cT_Rwf%d~Z^qGn#*2gabQbJ~LT-G7_w)|JFFj-r!( z=I(M_*_IrRsngR*!=c6oT!xkG1+R;vwF#WWrCN_;bHq-?5JR8;sSO<%>4*SW%fXSq zzj0?)qn=W7yp6E})tUIqde>bYFTgjUzX32Wsn*8;!sMDjCRB&-&?#&(4-VL8I$U=4 zo@5dKE+ZPT11XvNs}rE@bY1UH+F}IwrgNsD(5*lkMi>k>13eKpn;1^G*j6gV>js#o zL8_&{kEz=?)LilM_Wef^E-53L)g}Qy(cl_xLpRa7a&99EuoaRgOx%ohCG|Jyy}#5? z+>9p$s2{2Us#ViSKrC&3c!29|KX-u0p;$cC__PU{9?NB<{LTv~lW-o?3kbt#J zcEkbc)~?8Ttv7B0^4{^c59~3=7k&&|^Bh6&6;mK-VLZp5%;TEX)&z4J`kaohS|tD& zi{iVuLt-XC&s?=X^gx~>jQ@AZ>zM5eECIQ#6y3OWn6)qLi>&oI>>`iJQ!z)GV+tAO;;Q(DtCmv9B9)UdPA0xo~AWq1h#Hnr`GQWt*vAkJsCLJf~# zwo_;Ht+XPZJQrTNyh!%nr8wn>Kbu)-tP%K|C?$MJMwtIdNooIgLnI#RC!X_O`_AtI z?4GuGMzpX<6Y=kElpcs=BJ&r&tb6`;rN1e#3OhPEQT+Sd``6{MH*ToOCX(L&-7FFf z1URrc0toB>^DQVpxTnlytnvO&2mGdo{zSl^N8nEm_>%~$NJlCGR*R$5T?{%*={8Uwz!+%Wv7!3^#UqSwz8XDTuWi+(M4{;u% z&M0Wu-=IDeTS`l-Do9Jys5;o2S=yMQp~?S@jmK71-+Atf^cHZ{5mE8B+PgMIJ=Uxrl{l|mfRQpX08-qntP_qm0gGOz zOUbTg!-y84%e$=<~b4U{&$XNz|SNkgL+J&4A zN3xUcRPMZd|4xCK7+L-kBoFmg(Ib9s{&BTA((?I9zE#rlvqYbD-qRd|uj6bV2)Ewz zr0-F_j))fLv`C5$fH+VaF*1El!ct2=vW#PU6utE!%B>H24ir1+^Oq%&T-%E zCnk)&aJL2d)j>m5auy6zc9@|I%7n4ExMPTQ7fY>rkUitc*WrEq*vmJu6i zlOAzn4e&4pU+TUxpe16=H{qV?#ee!n@KxG|O<-7Tm>AmAOXpojHQ6 zw=u<*iMFvGEc3m1NZs}VQ%dj$-bY$|c~b6ggR~Ssuo|SqRi8Y2*!A|2DmVQ%lMxmR zx)?$dNrn;Hg2%#-_}<26@)zKGpq)$kkBDsJhJI6cgFh7*wj%Tf*Q~?u3uf~Z<-qv% z*)IgmBpiVQ%f??QL1d6em#yFIEK5qN5{2qt)=n*TX?}fZOHLU#4#jDxv+I=5|iXCKf(}T0fRlx&z3 z`26O~YRGHsYCfI=cBytT&PC64&#BHi$?@>1!+66e$J&Yz#U88du zO&ML^SLCsc^NxGvrJ9u|f&syR!dZ65nT0le3kbB?n%}H;+-7vYa`uu<{<%#ETZmPN zxKg8OT#_~J23d@R-QML@$^ znj#y%T({TCB!!HTrWzJkCp29-VKCAPuUNEe+u_uOibVA)EF=pKo~|Bjf;T;naIgI_ zw59x(WumOrq{aqJrq@&Z{Fx7#WtgSkavJ?Svio+l49a$Y*eSEfkHirk2eJh(S zFB8LP1<0y0xsKwfXb{w1Xqs@}Db4MOl2mAT7R3?6Z!#9yRsb}6bt^R$zY(XIbZ!Zl zs2m@NjSq>dD|@3?;ocQu1KUs6&eA^7;x8N1tMS%^SzYW(TW9e7v`(5PFCGGjln>hj zH#}Bvs?S^O%I8$eS30`4!#)Vj3GF%D_#EA43Tty|M|s*u59B?N$ntr1KT|R5a+)>- zJH2ujI4L;^Icc$5v28exK3D0I2($k%H&-!aG=G0EbC7l5>RJykU{mGj<=BRiHCL5J zeoWB5GMZim+RC`dV7okZ9dNmPj!h!4&$UqH1)YwHiAqz0j?IB}Jq6&Di#@PuFwEFz z2>sx}H8$ksGpc5vUbreS@hf1|Xn&=+0~+y;(h`w)?x@*d=I(u6_xPiXy{V3=QmnD& zwE92B2aD>2w&cw^#xzn5JXiO$d2C44_-7htk3pdA$$N9`dhxf&l z#FDkKCrb(_N>vKswm)pQt?(>t>>MnGZ$maXNw&_0W7D+7S`ILd-wuC24w)sDob>UVJrGIo8rG8isgP-4S-Q2Oopp0t<42$I6*FLy*X^v~ zfsfey%E(98fnzP{e06j6>4j3<#lyvTdrug|CCG8h4BDJl+Vsm64hw0S_DuIdZup;J z+f$o~z4WX;V-z?%nAQahb_2}*Z0ysbJikGOG1l=;Np-#gQ630=F7 z;x3YEa@rcCQJhikgKCy1Tdj}xDl!)&VvsYp-Rnb%5@Po@)Zt`QZmjMi_jUuGVV5M- z`{KM20pX&EgyXL^yzuDm{C;RLw8Sv0rTK;41<7U2Rq{?<9^4N`9bq0C5z;_>xc=Jr z?K5RXjAbAe+PV%}L2B<^`6sKiv}YE()SseSeO3z-J=I>K6-dSX{P+V*;5$x*_JU3k zg4x>n;@JxNCq2CeWhf-t@h0HYFNrvEy=)2PKnYbYJ?wj0b)GxJ-TSS_j9GJjKBY(u z`d*v~PsM}*6nzym)lo3}@Bxhlb&P|C9%PAzi8?|@y~t57G&GD1jDMYZx}5RgU&oLC zP+v6ZrZ`(PG)XjtcTyT|==+P#Y|(V|!iJFLDeV8ecRFoazM0k3Z#Q zl?z|?vPWmFRz6S0#=$J)R5mPSnD233y=_5a7Eea*2j z?mF?h!))Z9q??=0Pg&gC?l}qR{Wq-e+c)sgvOuMYhMH$4--=N8pN4ML!%UF^HDH-W z88>q~D1uEr20I3@K>Q4(u_W zdD~+`^w(3-zdgb3>*YNp(>|%msqAx?oXa}|5Vhrq+9I_?6 z`ER>V4bD|uY;16Pnf&{JWB>nljI`3SEW_!u*XWDdIj7DE38`@TTo1?1JQ z19{k*l_Z+qF4h$NdT)1*{%l+dlZg5$!@1x799_yV$i!8lEFW_s_r;q{jqBjfV^f*IkOx zD+flSoE(a?Kc`0{Q6@|iGHu#hIRsGCdDot1ZbJ5#@z{a_!w+4YyV0jUl$w}1T2@wJ zIw7O>>uL(aKW*X$_Ej;n0|4B9Ohcm|z4Ddh!2#8}rGpww%GefTCh_Ffp8V|{wUzla z==(*;SwA#|OT4ipg?sBK%1^2v`+dve?&Bn0(`5YKT~z-rr@s2VqM}THzit=vONZ#Q zW1{0zlH<#BA|DAN{2F|I!&g$>QDbiC=?mYYDkCMO6H&fyt41Tx@^0zcF5>QTi&p{4 z3&CRk+qaLy`%5zD2bz$*TCu*6?MuZ0)no71fGA~fyt*!)tyN$9n?p~>f?d;ZUyPv2!Dz%_-;0D|1Goq$GMq63LXCo3mZpl z@dEK|Jb<40_A$d(6^PA3BCGXN$I$a{lF&nrFR76WgR~v$#L`;2Z*cyM9yE z)EBVw%Y}mEAKwXmWU>{n;NeoZ{z9oglXZk+Mou{3S}~y_XM#f#&G10>OmaDr*zF8K zdD0e9Xa`k@ZbR~NX(>}vOK+#?(USjd=-Oq?Fao7>F0oRxzmMK;Ca!Br_pwP?aFQad zo40uPXY&hMB)yFib4=rcA0B<23-^6^)FpeR_=QFa#0TCJXJBA3g+L&D=SCD5I4?0U zlA|0pAOcTK5#b9g=GkqY<4mq`xDgT28EA*tn!Xl)8+a|MC8a(VHs5;v9z+Ot**<|S zQ)N2zqca$L(owU>sQMb8TXOJvr2KETPj)NGU1Ei&oFwG-;KC!`Gc<~ZF4Bm zF$wVf;M)7~KH%C9k3)WYFXU5Be=HRThXe%OP?9qZ0RA@hbE}cmvisS5=3d!+*^$O_ ziidaf%aapM*F!x8>E|c^N0?bX@8x8RUc^>pfa<6{!FhD{OZg*&*oKX{6hk~WH`i2L zytTfvJg_yB?r5c**L^$nKvTKEXZp$Y*0q?)pzjgO{9m`WWJV!YoLzrZkHidZvg?MX z&;&c_d5j}dx0Yo-`k&&i6)Y)hmq?!4*uew%W zc~=yyzJ2hQAzpIeQS<2{mHX$VVV0-$8(C=%hn+Jl2fY9Aw;0_0zSps5Z0(ozR92+h zPYzir=^m}9Gp9#IMR6M%zOibt+4hs%Bf9eL@@}}!Ezx8I!AZcT{WIJDy29Ua+iEet zEaG1a-%zN@7L5W=W)|k?&)Fr#gKm@UE9wI-{B$F8n4r**IhYE4D^%_q28dp8MDDFW zDD-^Fg|WmFa*CW`LVECJ_A7{joDGHU%P%zNEdOMJxkj`VPg}&}0_62mlxn!CZWeQM zT7iwq_eHIFIrd@HA?z)uDYvw&Utq~UHQO%_!C3+;oN zfARUB?oSQwv)CW|LaHpu(IKWPvdk-}Bw#y`EwWIc`u($h8a2_4^V!n%N+6ys{{qzT$U?SK&hX_20S_c{xeQRKVC zGaF|E=XCyJm1ZG=;Th%|R>IsBl?G(76*0>`Xx>UG+`>Am%1)<6unQv9H4ve$pTQp#Jr8k4F5s zu=(eIu%>u^t^b&^{O<+k0(~D^?Tf3jxZ4WqWZO26rdr2w7@aj4OG*q6_VeIVYs%>JBQ_M%SzX~G zBS6R0mHadZwl=kPNb_312THFW%m)P%w&c$;YW(kA|A$9@wXY(7=`k|zFuW~zr{~@y z1dV$#A|EtNc}LG3^Cc+nWZEPp1a8Qh?5b&Eb#_4f3XZV0P^XOg`iH5MJ(nMN9Sa70 zphj6Jl|he~UvYI9vu|LaFkV4kUSwwyTz9r7rrO@#zE{JUnrukJxS;)+&MO(&$_{#$ zJ~lSSO-2R9)WFP6$fOm2i_P}%y4FY<$F^}KH!C#Du!wxLvm+P>j z)Y+$hMPXE;d!zDt8U3d={cJY4W)<+uOW~5FmHU&A;8fLM}y=Kmr=1Tm>3QB*toc0NU?Yc zLZ3nyiQ2@0gHn&h;Y6OEgW9PHH=2A6lx&*JS)$&oCke|QVrJMZYJipP-*Jy>tH(-c zam2ym5wE_>e5aBKKt1yw*Xt$bk%{SefiymJ(9%`u8z#(M+9O!{xW0!<`U0R`n$_Fr z%WUu8+dtn{TINVYoj*|;wBGPl4X64!Is$Lkyn-(l3-`IaGrIYb6ID`fW+M5pnvi2h zLkZsmpAHl?$pE^(zE;?XFDonC9@rfxA1-9xd_hfZcu-zKD_S|%N4*ef72q28qQUcK zOt`BFYm9p!r#|N{_k5FWXZC}u7n}Z_zs+o8MW2dXL}pKxTfU^af$@@C_x+L}^JV}V zhV#=an`3bWC|jk7wc6$Po}Ssgzn7U%h!EI%_#k&IhU-nb*LBH)Bl4*o7rYrEE3`K8 zbkQ!G$gh?@BV7u?c7e*AB>5#Prdn4^4DtG}P|u#Oby-=o3FH$CIqroG<>$w(s zJZc~Y-(}2i^RNYPpPK{y@he8G-TGsgCl7y5R~yVTr8=qAcmFrpj!BsE4wSsbUX%su0<48 zP*WruN|tefr`}@dO&VNcM{*Q>k3vOK+RO4aGW{x=P zw}xwpG~3bnmg!RQS977`mySYB-oG2)lyLht`M7AbqPkSdbV;9AUAl^I>B_85?8DHK z1wJ~+)YLSKlbyWT{5yPOYinQ$?8(5y)RVioOa0^t&B1(K{Er_v$0$&13%^KKSCT1f z=njBSayK^sq}NbwB;zTtP(T^S)|i^tnO7xVvLgX`S}r`X4i=v@ur8@Q9soyFIDD-_ z8Qg%pJ->%a#Hx9+b4&^IOxOAYIw;m(zXTrJxFDjdiI%?fqeKJ1*`U>IMXnUj5j!%X zO2%#SLwl$wmob}A^7#1J%%ha!+%#8B*RcGMDm10A`*aIxU$`^vu>kbMHQC8yi}%it zi1-S)Tn~PDIF!Vv#On(MR?P9Gs2Gy>3K)0e@q|KwK6C#e*8X4QBIi`qcx5)Dy(ahD zI{*r~(~62_#VBLBoUok>dIIU^F0Ru=$6pSy*?SBg-aK@Hc>~t2Hnl zJYeA9P;PWNu!0C^;iO+wy}fI`>9kHrF>oBxJkxcJ=NZ@Uu`lTvZBC2BfvIy25sY2h zcK#sREUF>*_`H;~nD|R?_h+Vl_e@efpw?z_du%F&)nlLFBiC4+HgZ#xt>?FlWLXWW zjO})P&rS(8sX7I8Cq;R;yi`L6dC<9dTTX4PvxU}{PaJ_eJKx=E%zNOZd%s@rdUF<{ z8A39g@1<)!b^t9Rn1R=65$sWOfJLyHs@<(j=c+BU&_Rd64-a;VPF(QU$6Lj1efBGQ z77ph2ZJ`SY?b%wR+)kHWjyf@+ve^ij1~wa8Z*+1#wKajynZj281grUc&~MA+#lkSH z{(i;WktFU(`P;@>edGslGkJ(b{obo6Xl;3~ZmXO$H7 z670;sQ%y=nKguzW4gNK-`s?JxXDM!jb-H(Kw+$ure zd812HrAmS@Mo6-i09+RP5CK zrUEJ_a(BIi_NN?gFWY{4W4@%Wlv--QMBY9fr=(?&c-(MVED8CgUB!JLA&jr9w`^`Z zZ!P>|IMaH|4#kAj)CFq!vV9G#J%(fgYQr(b@d@m<#g3;Uc7t3Re+jF<<$<4DJ_O>nY{sg0P-xvi{8f|<&onTTHGR%XzW#|Up zHNU(*8_Hi#jxZ=0%lCTEl;|=<$?fs>niHrgEJ)5@tosTs>RLw+pINnFFVkK5x$<#T zvsQ@WEb}y<6Bg@UCdwvU*1wT5VAjvP1!RYK^C8Qgh&n6BMnHxCiVz`r`Y0wQcpu8| z&09$iSB~`zJ8BNZgloEPudgr47EIVV4nntlIH3}!8DzcMKp&NAQW6phBTeyD?E%=F z$EpsySl~VTwFn#m#W7^#@vq}Zb5SnBTeh<7$rFWm^BcbcbwQPQt`@MYEtBi8k9Ius z$SD5grRAe;G;!7#MTxS8hK5bn*RSQU%Ux@84)u)tu7P?ePQE?9=gk6ewMym&Iw*nLlY_L@o=#-r?XeiN&v zqoK2A)W3Up0jGO_eP%m4 zK4D#2gL$+AE_5jP0!%k;7WXZ4xJt|WWu;1<`!)mEeTSEmZYsmXVa$)HJm0|aB^ZRUds zMvw(cdH?HbofQyy^W}Q9N|G)4uz>9xFQD4uSHmzN<}TgQ8Y#SY`qY5mwPEwZJlDJ> z^L!Sp2qS6Xh(x|X`Tvoyms?RODmwdcFM*uaaqLd>rpTqmljaIUKOmz2>M8W=yd1@J z$(0OMi?c_~ybs_g(*{U_Wljo!IML;N1&uCBhxS2#eC_~(|keF@r{Q=GCcfg33cOX zpEvLbJf(59QiL9U|NcEHA;Dr!_T9VQR=)=fY;1#gQ{$4XMP&~UEP;k|rF-Q4`J6>d z-|{;%i6k?=V>&$6?+~I83ESUio2_&6T8DEC#Nug&ZCW;JSXLE+OU-z)OV z(lP(ba$(BW?Hot41^a}rhQ;Fcxp@_7pbHY_*RNyJ7MuEc*W3#lPi~Ttv0{am#7~wv z1?~~QtsDW6TklLZ6uEf0*=U`ol<*5a`Ep~}vtOE}tnse>IpH#E%VsnDx@++^BhhHs z`~|SgIy^xe`-lj#b$H+co0^ioIzwMdbSNS`NlGZn^c?;ywru@69dhQ6lH(gEv^VIL zwjfIyhS8D6^u1ajBIj^|C{$NOOjrhgP_NSDr%+ztp4i2VF)Az83sXwpTI-|-9`6W} zx8`%=pN)TgjWZ!f!*uGKlN*Cv)k{d%O9ujPo(E=v-K8D;uw@_mNg*tKn9MAMN%|MBA&PfIkd^>tLcATSG>y=1n zUoAfCdWrdAlvoonJ+qPjpw|iipAh&Rnu&khf?OtsxGovm{W@k!VZZN|xMD|cP`Jat z-wu9i`+h3%#{Y4I7~*r?n%ip10>OK_zmq1b9-C}x-YvRI6W-0n!}`ZIHvFuFyC=2v z>GM-vqMUY~O^?tHA);LK`$-MiBI6C%k+%k7fmC~;>MAx9^;5(1#I*ww<}kXZ&@V0h zrss3`C{_$dT&lZY-OuN!_ssM!>e&0X_G?<3EXf%rc*@GiK55ks$@G>L;bl`Pi2FrR z=ic@W>jF*dOW0)IEJf1n${%m$wWc#Q^b`6pv^>HVZUjzdqA%p&C(kgCU0Becg?Kfs zudmDN>Lzt|cFN1k|7ZaCzvIg&>%^%&IX&f>=RH!CzH|ciJR%_Ae{fZ8=-lPryn8be zj_RJNWVF_|kmxnIQYGET1vGw#@2v2us&rfi67I8t8=d*#AEpr9a-h%#5+xVAwEekg z#-9qzn|O#YPi?UDRj5!HxpmBp@)b*L^F^XhEdtVb2DcBk1t^^uaMy z^uT0ix-K4kSlnzaDpDG3XdW(L-OV@r!8WgSI>o?K3Y`RIx&%7G_p&SW$aU)j5JR+) z0_~4iC{V;5eA?)|_s%fLAEY;*S6gg<+E^`g{4L6{_kU`!|DdcJVpTQ4G+rm+7x%UA>gT)Y z~1g_8RC_&mbJjYhG@pJ8FK_4R^3!^58s zMU6gzG&hU#G~4%tQ*P=gC@5^c5DuTZJY2L6&(8EJsi_V`A@m$Ke2P8NaQ*t4>F|BQ zX$E<%w#h=%!?QyUIZFQbjG?)1_CC}I9 z`8N_xr?du^!Pe0E-aD}ETVd+d-1`}x4y2BhrAmRak*ug@ck>}x! zWmC9OSRsOxU3c9@)ZXg7iqbDcH>(7v_N#1ThFW9SM~@4e91DN3L0na$wgvs9+Qw?8 zC3$R0O1Bc6Kc(+0&oO%6qmSj9`;4{H3XzM8Gby=%+xOqU{l@NU<;2foFQgky35{8#$e(9SRP?GXabJ|@(bw8Sr5;7JNA1qu0dp9=BLLk+cSl@rZ z+s-cL2-4~;YxZX~?~kT^W^@{MH+y744YefPcKpa)foIM#^*Ij@oOedc6p`b3KvoH# zbI3ldNiPn06PA;^A2Tz&c;GFJv=_gN0E-_aiR?FOetdv`>S;SXWHx@84q=X8yvnGV z)wcsQY1G;Stf$UjcBi|A54Zryc&(Z(T49{H;=HhQ(-24;3IYzspij5fxoQ5iV*bJu z5c{i0y^*UUvD7PWxi^cJ;pL(#sS}2wsx456&L@KSW|5lF4y!l)C9dM@+{4b(`ixtM z9bUTP-*@)yxM3qj_RsI=kr3pgs`Q7I3#YBoC!@EVA*k|t08&gdGJ$ae2*W$K-0i5R zG?X4Hj-Qlza8aCgIx!K^=v(uJ`VOnZkcUzRD6Set@dHdG*ok=(B6`|v zUXgRKXdK|NsZ&(LaqgW>3%bVouJ$_;H}gA{;l-4+=-dI`Rw+N_0H^W#g??i z^(-FcxcDVxr;R|%b*R^#nv=3{-Auv>Jh^e-_?%3{ET&hfY_hln6? z0kXDm09eL{B?fXoXit&14QY|NcCKjEeBd~r3yEn2`;?IM?qOV^r0KidiK(|&DTQ+p zq9;EPBL>myG0f^#bNlD>E_s_xgB996pW@HEiw9BpJ&q0VnIO~8gFH=JZxq|zOH&)A zjah{ku31^6b1Z&8*R1n#tS!?$0fTO))LljrPiLZ)8zhGl?^PZ}1iSDzO`K;g&qo-> zb4s|i;Ym8$O&ry(4cB*qgyu^c124P~E37A7O-OT0WP^Bt6KcFlS^V;`(B=eg$sxY3 zSx$Zut^FS|KHCBtK@lJrobMY3c73&owhMz@RK%7z2P>)1o(=zAM-LUU+h7YO(t5E;?7Ox9<>HKDW8$=o%l~#vJvudcVJcOb+-9rP0%!TyT%Uy+a#7IW zKAr>vhNqWTyrOX$D;%fK0oFGene6ANAD}@rTf7W&p@Etk=}L=V7IsKAXYKg5oqwZ) zbf?PhY827ZnTGp>pDX>Hnjr3JFX!2N8YPDlyIcB3r{Jo+wBLd~PENB7n(_Un@oDB|)(mfGB$Xx3-;JvN7J<7DF4PVPLSlm?u<=0L{+oOT)Z&e zT3=TTBKSC#?Wz6q&0Eu5HO0^tQk8`?lYpN6=+#x?ofo9Wht$uW>Fgag!oyShx+})% zMcLkakfHNyC44f|s@-4(>jGd) zKC$(($I5=!^nY;mgV)_$_w)#uU9YzHaIuNu_3K`|Y!<%uqBHWLfdL->D_*uT^?c>A zY&k+lGBeP9s*LnqR(5vSt&|7~MJxR8Q0ksc&ls9GrApZziUuVovX=1qs+4K7O6M_@ zGUbanV>T;fjC7!b3T1nNUcslHlhFFDb#kd*1=$RTrV&*UJYFu#I(iDI%Cx~9)6Qsa zHs0>I^s0bO?31+ok+lmr zvg~i(egLMUYju~^+=hwUBmiBtf|Y_9*lk;m@uHaz=H(QfZZB5141XoA?dt)>pb2~7 zIVNjVFoVxoA{x^rGV@|y2Q}M$8jfGe9xu~@%930Q(T8jq0-)FBrG)D@R=9r#GY2eP z!b=gPcJY)}Iu-4g)gceJCN+4S>_@X?_)y)e`#BZ=ySxv{W&~R$=%8cS?O7gIL*M~3 z@^13B(s<9KVP~a|{&mhB5~SL2%49FfoZfP)zhUMm=HBz%{kEZr!AQMX-vc2={6vE& zrNGZKVi8nGPd>j8iz-;whw_mOw-@`|{)Z`qOoum3)&oPsybtzk?F+B6>TYZSP4B6i zHq;umbquuCw`hv02|hYbp0{nk?i$1=Vv*y1<1pR{bp1@8GL=d*jPeMQ2p12r-s7 zuix?Fe1zdTD}PuzJTVY_aD~cHR`>wZSup%l(+3!-`SFC1P)`o3Q1}awJHm~DMMYpz z2nEnnw6P9<0^jVqzMNf-ewl= za9mMoeJ@_W!>rpE(-qE^z7!@y?guL=^PEj*poWu5ONaKD;M3cis=A?aVe^)xT`a8c zCufdj{n*srTDkKd*SdR)DUd9SO`1s82~C$1N&kniA@^MdfJHNB>_CHgIt$PJeLRbi zpn?MPNxr3a;^JE9rw+m;4+FcVQ=@BVg)W%GUU!EqL9EXrf5(B4shL@ye}uTTK5hsL zwU#Wk_}jx~=RhZ}xBf|4yglZc4+hMjY3#?xhdj6osqqhYQk}*WE*MMnq`Y0SlY>dl z@{@I0Kq?VHA?s`uQMj<|%UW^ACV2S-e{#H43_ofjYoNXT?IS|M_R^bO;+`@CPPtG@)2R|_rT9|rA~6pq zzQd;#T2&1TEfUfO?gx}>4ZDuIfiF?l@{&=CpX0aA{e-SZn(sEpks-R<QSym#eggwI75xFv$2XUNCcc8vzhK5hr`!A_mKafZfiAwE2b_#~XED?y+62 z3~aUzx!rd)$BK||jtOyM!ele%d&;0(mxvPtsmWlDdafLdcFJh4S-;i-GJDy(HXJkh zlu@at6wJVG8gzFV8zl4Kp7-n^EFT^TAO!Dln`y~5ih9qd4;?fbC9F7H1u$>EoG|HH zwKtuNf)8E~HJn2oZq=z3G@QCfoeY%Yl&+T2kzdn81y2M|jbu7@#NF4JPp>FY{qfjt zoops$t_WnENLuu_JN@gO0aqEXYJCu*rR#A;hzsT_ssoQwjppn}1y1!buE1%ePY680(l$fLt7r3tO=PY4BKt~<8^o>o=;2zHaKW@m zGj_gSPEnRQP|KOvPyF^ouVL$+X+w^@5q!;uZ~?}?BF>>-1hSDzjxi6&5*-%t z>$D$HREHy0kPu!N3>yxXxx2e7Hlth4pC~0IC27KkjT5kHmBhB_J4S=J;hOPiDX9v5 z4q?Ys`FV|(`evAK3;+CWA|Cef>^veE>##LPE6P#5dPB`<#B*s(LP z$L>SdW7F|H^#}ANd+#4yC#}v^c267cY<1nduV$>864v&LnD>Y@kcKs(M)GE&8F=RT z*y?GGtq;?N`;!tmyh4$|p`K~a@pr7{Ee996som>Qo&+_R4=V>7h_Q12isRrUoE#VW z(Bk$RB!tA~={>y6Wkvbr3GQQ)+2F~|2_{PCfC1)pvb80*abTqj!YtkeIBE>J2>eAE zlR&@86H0`$%|`yC*i^gUuEA&%xLJ`pZ(YPhe;C7hFFY<99tamho;~Xvh;ORC_k(Z`n9Ky(3w^?ZibXPMq9+rCg>%5H>)kc5W zP43tmd4ui7XGXPD4ZpkIkTO}~&A%CB5Gk9<^>i!P`!H>4OsAES>3$eES}u-1KF;mD zt5K-*DZS~dZez*B)rt4!VawdOAaZwpeO&@*RCYJ(UusD=#hf~bxq|sb!o|Hh zaw7t>!RLdi7vj?}L>3-7fasIp0?umkALVMRk!MI8=5>?zUIc5YjT`unm&a2hMAnEKw&$7#4Ktj;)@A72pRRNg zy>{q%Bvqu3cn624>sFIIwi=p-PN(j(yVETK2=CJ?e6IbK%g{SEwxjd=2MA%WTaZ@` zf5e3)w_TU(9x+a9*Q#Q`O_gS><@5q=v~sFh8THq}ow1T>N%yl&rNP$vjTUcX>?7yH z(dqpM`lkl>?lNc3;Kb(;I!maOZZc3OvWjV6m$>(dkolU zX09pfCVboABwSCtSh2doE>N_3)d=V~tG1{&R{b*RlfWZDb(bmSt%Y1jdH)mdF@K%g zZc0i|)?edFT^nRfLoP?2RBmeGw^^by?ZOtQ63TsN(v{v+C27HZ9|d4Q$qcAdg8MeNa(DO~R~gfFfe05>e5Y zy%J_xcVQkD7C%xzt6bbpUwmfEzZQW^LlGNy@PqsF5>doL5yy&WJkTR8^riSa7slM) zp7f#kfB;IfCre=h2t5PP1#Nt5;|*022jcV;*JO(Qa&E;F7Ah(s)pvo;cJ}hQMgDGmAz;v zq_*So3=G~$pZ-DRGrnnia?wN`68Of-ZJ5G-C|ZuHesKw^9=my0Y-N!c7;K3X78nMQ zIn~}J_TDH}K~1@lg`0)tDv5;$&R3fhrqp~C3dv^J%IldzW5Mrc<>27=KXwAQ;<%1w zh~h7fAAwO5Ej$UFVq(ClGDFT}0sAu(})udzqbp`K2Jv!6uiyl=YdHXVBjC6Fu;V&_>4qE(`Fy;RGe zOm`|zXj&yw`DD5&g>;2ocV8PFyk&KD1fU9WdLQupa}f}H1L^tB<6?VvEWc1o)a!t6 zQj{-$I8oDlaxY43tBllA$=kgV7pDGtkDfe4i!`8{Dx3MTuKh&R3(tCCimE-|Fh|Q$ z$uLW%OY7eHdKUX8J}49LJPe>qIP3gqd>o>MW@wAx8&tWqut;|f?H(MDzO~am4WiV_ zqqSp7RX^^spk(4@dt2JFC)2Q(q&}1fgCIK@eC=o3%Zf`KhR=K&1K3r_=?<3xl6S#E^%7r3;WdaC-MDLCVmF`1oJiaOq9;5VFd7XDL zLI&OUyqrqhZ8|I^ ze(~({!?i+fS&!dJ@hKiyN1CF`f)R!~s>erjg`S4-$BQMM&O6K~*2ycdVP>vi5+qo4 z__B&?YyB{x`k!OyAn^>@fBi3j|FEXxEo*Ii8Dl22%}p0tit3x6wl*GAt1Cy22I0H% zdp1K{4I9Ps0@E4N4ryASG&RJ==j)k!YC*2gN4~(U${6;WT7obrML^Kr+Sr zm2WL<_tMIOcHbt!3URoQTYy$q8BfpQrvO;<*+K^~DXDR(il9|-C?$_#DWp~ur1Sun z^Y-+b_~~NXfqr&Q@__Q99LsA4E;@|UZur5s92>}Ov8iEZ!K?; z)^sF>&wd&h8qp7+h^-Q2L&oW94WEvNrmNAF_rqW?yyZWH=_?^_)ZpOz*-Fz8oB7(I z;yv%1{{DXMZ`@A@X(aI1_C_-OQGKscU=xaIb>VFmf$U-<0Pal!WqW+qBzuiDQ^}ua zU-no8yVqTC@x9bI%}bG)uioa%XiF;*g2FOV9qJmmEDM*S8^)CY?K z7MqLBL`q3Q%S7!J(CPFe>g+*crO}?tqsMqprUP>32x9aVH!b)lm!DLy* zP$ON%&}R!M4bN_hiOMUdLDXvD1&=Rh8;*v;OVgH1K=;RuOo}z)sb=b$4RTLeuTc z`Gj28@h0~cY$21eg0b|x**vvx%6WsircwOl$J#!ppmkHt{+zXMb;OQI;GivPqJr0k zT`(uL!F_G_gi{wtCIq=T62QN7Bt0^x%x=s*-uneEq-l8-I%HQYojdJIglfX9*P82Z zQMq_}=mt}^);U^VOMKeyZp-ctc}UdADn*;gZ8Jy@5JWz3bX?7Ia|CMN;Qf|A^V*wj zqGw{24i~+D|8r+%Xi*j4ZhRU1Q+?R}=swo9n(D3^4Efm~+fzBEG+-4T%faIfs0}{7 z8oq2PuI}7bI~Wr(jQ{%5@_bl)lA!Z%{n!f6j}vlJsuiSd;3X$3ar&tQK|XGTyvOsr zy!Y~)bvECa-7<{6n%ql8Y5GiCcY1Hb-mtO{d%Kbuv8)(v_(<3tWT3NerSQp!-Y ztG(Bri}>2BSS969_`TLeDT(W-;_2gt{bX6guG;l|kD+PLFwm^!gC6mE`7i0An>pv? z!QA@<_l`*vznIHg`69e|;3`&Jbj~8IQk3G{-S_7-73HEqY0D;e!)aR2pxvH;jok^F z_}2CC)ve+Fk(hPbZk8iry~=(Nr3uz)Qnb1*@{J!Hi5(RCsCx}3Mx(^>fCG^dqawEW zG946o+>yn<_Ppr3{e5PAfKUE8H<5$f$rLLL;EYNzTLpgn!>SaND$;k&w4k!u2G5R* zexGss5^PLNc^#buqHch9%V>t!&{}VA?-P8Vi35)hsFA8fT2NnK-=Enco@$k<&rXI1 z>iYWn47hE=fdVN$UR%q9G?k^ZH{l=C?}xsI-VElmpH0%J;-43nZhK~3zC6g5N`D3? zEo-@{xAK$->0eR+=yIyyl zK-si8v!`Ni{YA&m+3xK*z78OJkfW^fdfmx3A)2+?NOun{AfY3fFF%`E)caOjsBvti z#@^#4<_rjGHn`AHPe-kd=(u=m7%*52km*s1Xu|eL{mR(<{vuIX5y-p(lcEBYHn8(j z9JQVbdf-U)9;z##=ig~#yDTT_BWMNK+`5v5QHA+Na06|OH7>LEpHsP-FBa`_fs2Nv_N;|7D|zNZeE0TecZbi=?vG zJKj*_RTm}{9NA=6SK+GhZsO-<>B|=>t1-kCl}g-@ZaP$<`Szr-MuxUmI}Dgp{RRES z*?Z@sAh)<7pV!+DW|M>**nYohtx*gGnpgBN3sD2=1>VL`@k&drkZ+RQu@g1o{zH<@-DIg=?ExgZQQ@vR6<>D@5HfV|+g4HX_ zgmC-OXr>0TIbabpgn}A&QBMM42=w^iLIY3L!Eix1G9~F(M^^1 zD%zDMq^FxC;ZKr+$Z(dv-K7QW_a8j!@2-Bk(AoFl+|3&@T`*+6{uX@fw}&AcqAeHiy0XhB0L%{7~1bhjkco{yA(`y4?~9?nv$3eN8eSu9)IN=-=OG!G7FXv=6yKK-22RL zZ%--NF6e#YupC5VVL16k%gDE`Ga%|>)w}Zp#m2UK&?Oa*N6@eppn1m7)%H~i(C}ih zfg$ikl_BVD&X~Ww>fk_5jF#JQOR_IAG(S3&0Kzd5&r$2yuLpB|z(w6KqrAzdS0;}xy=*$9gQIr&y;*KJla z54jZfUZ9pJS5cTzFI=uz8G@%Vm)MFiFbAd~{ZwC8-F|UL?fK?>#F?fNQ>n+AaRnKrbSCvPo0y1y40RCl7afzd*4_@jUieT;w6|E0wX z*GckO8NXTDxKlDgs2k~{g0*k?749?o77C$wP%cLL4 z-yG(rq2Ac6{%FYB^U?77q*0NkEFbYcx>%fgfQpjxZoZkO=Cd%Iy&U!A0Lb52x|D!I zX@Sirez3F~_cjS`qHx_Q(t{(1$@SLcUX$<0{9k^=V|=8~rK%(v?g0n!sQPxUxtrGwbMJj`-WKppHs3_B{ovucm32ovsgt`bg641gYt;1l@#5$B@h=M$7JZlzYOZic+PoK^px z5O~-MGmf(WEK_L{U~~dp$o-bJ&^Z5CB06$NrN#M2eAO+d3I6Q|!04U&MRRT}9W@q6 z`NEYY-!~Jta?{P<^{mMpyuul}$4p;u$owYiN8GVcI%970@C+7|!+y=MhSkYAe!xwJ zdUDg#J!Z7ncu3SwgQFBQD|rsJ1G}mEB!77!DY4=k`xtXv-n7RL>FVUO_T+nhztNcx zg|le10VgGZ-!OFzi^2-cH-7(J^vP=7>XU1}Sp}T27 zTr(@>uD`WE5C;;#TS+~Zf3_zyR=@h$16BU7wPSy?D@cHkc51=u{91xo=kMyWbLS10 zFJ^i8^nFvJ_CT-nSFcXoCfgM?5R{fyZf+i{yFS|%XfjuU5U^-4ar;qaV+^FkUU94t z7WCgn=;@e1-&xoj`b|Y$p@rP}T@@FApa<&4?{!VxT{h)>yS~4^*k1=Ulkqla-@I|7 zv4a*!dzYg0k}hCXK1h%bw!ItDE?ip{x2;XW#IU;zYAX5!hwEv6?D?E?wQ}L}Z&%rG z34spc4lCW>Kz3Tm_VBUvf{Mp$1En8JSxb;wf^};ef*6_dk6A;Bf<0ekZJX--?B~Pi zM|@C^d2~-I>tc@I3`HZqu|{6dHoUK6gx2gkJcIxds%Quiz~L~Ux!_$&3hx1tAaP)H z7GhyxVPjzV%DuNwd_qDR_$dmlzVuM zy}@D}iP6`}R&Ngfk?@UJX^N$x-XCn_70^pglvp@UzUCapafARVoyl6rB;IKL72(Z03EEBd>E!pjiA5iZF4%Q@KXX2#@rI6mnI&wszF_+0l;$`D~$^(6Jqa1kz9 zIhqxBck8Y4b(azxd?Zf*^L%L8YrYR~7^}ydR#sYqi+~6!^Os@6f3{EV2|5#daPPnGT+=3!+n?qdB zMsB})JrdY0T5WeczOpY@s{>M39OnLb`{?NnUJI*e#g!LMv3BO=Sspy*=5ho2(PD8z zVtx%>S;UIN!#S``jVlN;;sq_`$&l(c^U)I(b;X2jxQpHs%FA)2&5dy+UvtJ*j$L-}Ty-6~CQ({la1yCD zl+bHr#CK)`Q`mnqf%K09DqqWM2F3oQ69vUtuk`1SZXN?Lb)_DD7f4~=ZS&P-Y|h8@ z+}nPzAgHEA7=y)k)^3816a<0#eNuG?UuUBJAqoHG2)e>qbfh$K`}1dTv}PgXk}#R| z?Ib)VekJcIclg-$*N_9uwt(?(c>g&Sh2|>__TQ(@+DxD?iZX*dVZ>p%CyZ@SVrh}P zwYT&JQMuQ4_s(nzo=9I|jT2v>74(ulR!i%wp%KYkXE8=(9U~48j(ED(rdp8#Nekuy ziY3RGxoEa(vjYi_N%N-p`OiIw{Wd@C{!$`GRo7IwL=Q~h72$KkcB_38 z#XkA+A*yQ3(RdjIx9zQN@S6=m%1Y*-WP7%gc3Ncjdb*6s|0!>`d#)Et)m3< zi{0}LN0`{GQJ@(GXtcQ%+k-G*&-D7h49dqylt0Q%6E+NcXVNGmbjI!pbo zuc5hOs)5zLSQi&(5blcl~TYA=<@Fnugl{06Kab ze0)D-e{|bIkz#B+KMSl|P55+ie}I~Wa`(%(-Vx}sHnYs98`tjyZ13-{j6H{DEHqRH ze|?#mnjW^!X7h@7(v6g`(GM1CxQyxRQ%t&lyI6F=whHwDuglk`!kRvfw7IVWrEHMLJPrd0^^ed8)|7iPnWnet^lNrJ)VzJjHKhFqxU-+-S& z7i`!tb=ReBa_j2bePdFIPyNcacDZR7pdZ}tfrcj;pfM=Efl&L@pXq+E(L6#-g8@SHF!d%H zaA=r=+0&9KC^oiRLUCXBk`=Euqwn=s|Aw&Tm5g^T=9FDvEFCJXhwWqln7(P$pA*j7 zScb}v#8E?MdrV?`UbICq@Az)ccf-GJuC#^FQ=e(rlH)l>h*FDOVyy)=L-cXYjU z#om@sn2;T(2{y$S@HP0j#MfljX@ekm;UDAXM^si`P}~^EV#CiHErboc@9ku2TWXx3 zF$w7a5xHZfwWV6T%EePUgR-AVlA3WV)iqg710}`@B(P5>Fe&w{xMSUxG+JUzPYoSR zN^DVE-xx?D7^SVuEz1SG!v^dQn$W~XBz}vP8lAM!m2p=eHsJp?8#0X4IYmG1k?n5r zi@iFT1WD8YLDW`dnA(WVaGD_|1kmI@G%K&q>QScR;*x3N-%4Ep#Fj(Pg+%UF{B#XO zs);*|Th?TNd+Y&p&K*uujXs8AuT{8W1Ay4vTxj?4eBfrzgt+gshe2jfJSmp?Kpm6b z3rG%;m-Z@nuVR^_EmfPi%%PD|4WYu@`A$XYxl>}fH4xp{yv4@&K~;b2C~PK zb=j6iQ_*@V2(&XS1Wch~A;w~5b3p6;yK?0$8-xo99pZhQS8$olT$Nl+LEtj-S4Y!x$*(DbOE?C*GIvjEeLcU44@< ze^jKG2^R@b6cH0W!v_LQUY_u{uxY>3wlWIub{=b|Y(^n^gm1@UwQvb=@!PiUm4l51 z(j{TKdj|(;rCVE`z*vjuD$Qr_*SembmCRp!e!f+XK!nk72$q-6p>tN#5)*F$Bhnua zjAnIwiiSsk<=7_umzg_02xw-3A4B)qI~=~UUzv&&BimKDZQU^VGk@>-JgM^{X={7? z>hUeg<3Y)#aTepS%PX#dr9wx}b&}(+aymnHZpT8mYRhc~3U(u8Qp$6bbyjcnJevh` z_;(;&joGLoBYt9uvM$9eT-{B0f5qEp+k8S3%gXMgY)&CpxK7#;XHz8l&0Low@=KfY zGF=thgpypoXR0;EhOOC`vkz{CeX{?tZ~geQS$1(K;qxo{iJt26-QBlEbxVCIqH8*xt->cxfIbF`~pZUdl^m-n$vcj`?-6VWUo4%ls6$g8PA z^a>-8F4|u$Lw~)CxDebem zRwk#7TpAiu0hwRpI69=6iL_v{!%sLxgiiIC zJ27uR%gpa-SLzYOsiAZ7Z8ITH=7_KhWmv3vX12+(t|na+5^9AF43HrXeiQcUuzE{I zDFoVF9I-C_QNI34U+e72+ei-s-qP&*#PpifIr21^p&Sfp9`&b4VWMFJ!k-3 zPjiNQY;oNA9drDncAX-LZd^NLf+$xxim`O~p{h8{6(blwK2u-RSNFL_GXErwV!Zt}iaaj?29yYD4H1}>eR8Zs}5E=za8fM^X-LX=0|KXE4|WZ$}5&SX`iOW>zn@F$Qq$I7>5ZHws246cJE6>Cr zN$}64pEWD2(ny!^yzNT2uY0y_;k}4#O=52YA=U~DHCkyvulB=jV{367#5P45x#7X1 zYYUlg$tSn$jX307o|x=}Zq9~q96kRa$ac(wo*1l@6W>)o|@ zZ!XtrmO_6*({B9-6@t#^kd(Dv&sM`%gmqs)rgr0Oxv!l*E=$40as1soDCvmwyx-h@}+5ckU|@0^-=ptvilYG8WAv zwW44%nT6Rbp)HSjNye5ceJJ+@n_j&PQ>oc8+=_5b%`tnc(9q6mt>75rw}Dq{#hKnd zm$7^uxk6)}P4CV4>?NUl3>?b?U?Yvvt!L&C`h!P=B$F49KS1qG^-U(dEs=`}umQnB z^F1L2Gk-t(Cn<>EZ@CO^-1k>&4;*}|+$wjp9^1@EzQhJzDSx{>Mmf$Wt4BG>M}t-6 z3NWpT`qBKeXLp=9gYt+Gx-1;p0n_(;{MD5wYrA!YLJa}YUTIwT`N+ac0%AMIs0VzR zdV+7YjKIayGHLjSY58Rqsk@W=F~oM)!2Jw`A&z4L&s#It+?16ZZO!-^9#!B~ZGtHk z1a0hbv_0ei-I(v`33xBN{!F{ibcu8M0(CST;ikJ)2*w}7xSX+GSs}BT(gCbA6Qm@C z@8i8CjkTUNd2?*u7`YwrK||_rB-IbdT3Iw@ySi5(Vy?a!_lXGMzs0dVsQ?cPqZcNH z=0`TPbS0S`F!HG-IM%v-ch7I#)R6m)W_&xmc^4V@crLDo?#qago7uz{F7j_enWUKJ zKi(<(CnTv=j|;2c!&lKZZQzaZyKVR8n>b>#pssVrArB}cpOkJ?9Dm?xV|N8rG}hZU zanBD9rjY+FLv<#2`_`RoZ~VDkt$UM|{OSA&U_#&@-jnv$k1%6T3Pd47+wuDvUf83y z4rIJ(8e#xJ08M}Ygu@CU+?FKL>gzW-h!6aAZ!5C}xTU+TObdudcaWVe-Q90pm&?yI zy=bAz;i$bL){4;CNq2)>(xks#C-SSHGkR>}^C$vto_X!~ z0GALb5r`ukUtiKSn>?QMp>L+@#Od40`gPa&n5C&D37Q&>Ocv^w*8ZH)Xgg3pFp$|B zeE*UdjjX+iDr|({3K?7DxVn#Bni{*8OY-Bg;c^>@d${pldhf>z3n-z|L(CBhw7*jv zy$Ra?iYmBbsGiloZ5r`a-~M{*cr;2l1G>|J{2(;%nd?0F0ct7`BxLQBTNG{inE5(y zWKLm%f}3u)qzHOw>NH}7|6iNEDiK6VyDJqj)KA(*)@KxtaB1n3%)ST^}~S^Dm-Nc88N4wq8w zXWk&!uEnRqAgbX)9j&-Y5E#!8SU1ZN+RgjCRBP$!0Jq@LO8d+?j(uO5!^L>_P1hq$ z--H@9XvXF=F-gC4dmjNNuoGnWYIi4NOJbP~*S2`%JRU=U8CWGs)|H}n_3G%!Ff9}m z#x#|(D!G(!_lKUYf38q}iAjV+r|4H5RLJ-no=hfvbEua-`;HWcvCkDOpJl$|P19Xo z`-a`MED&8QjZ(QOjJRd-Sni^DuFzzLL}6qDyC2M6%12fPsd#R;E$RnqL#UyMwlRrp z7sW@uJmEVV9ZHL+gw{-WJ4yu@J#yBvGk1uejJ#QerTuASHknB3d}E~^%`U5dWMDr$h2*2S?ybcYBpAA+20r?1qjt*) z0c~80o3)CqxjqE!=)3N>p={N%xbBYYEs0_lQnw$=RKQ=6TQ3@M+~@~3f6dWwz$}8q zMj5^B?H!Hn8z4Vus!?;6Y4;VCTk4X`vZALWb}@tivmzINtTR$^Hf~lU@&mUK$Zc!c zl$B$DoH$#GY~l(C9H2?-7V^4dGm|)a7{mLDkkBjOtZ|U#@uO;eA+5A~f7hPtywFfm zA_Q?uixVq`-Sy1%5ZhZ!_zHnJcO0p-l!&Rw91%(A&3 zMm1l27;NH{G#~K5TL7PCYU`X3ld5gpUKah=kkh}umAy%RVW+dbYmd6WmLZ%aBeakH z+^)+W9?$mM7oT1zO*PZgf;4fcP3~;5^W(rINQ;GQG@H+el;Dr%!PR27M$agLnq<0# zOj7WOOPYYO?9aTks8~MaHf(p5rX*VWXs6c(uk{D!YB)k{65O#4prB3UoS=C6VWNaJ z#=lKhZqH8!NERT4vG=GXo_q~d=J0z|?iWcU?M&p*9&H>_2{9<>F7Fd#%dM2#gX)jo zHrF!<7>!qIAm*#0;-a#<-$j7}dX|J8e!kuvRg+Mr?Bo-Wc0zik`*&P=t8fOR?Vxfb z4)xmMBc&0K4DDtl5D*I+sM_I1psREF!3k_5{2;Swi)9^fGG4-l5Lce=$qc^#ng70K z)G=0~MJRBGw7Y>u>euS2s0~P}-;c0`?m~qjBXKtErkDiJ2$ZcSGzleNh$_#Gim}`^ zE6_+`g`E|LIY&ye!@O`FlGaY|6W@RB*Hw*ONi8ld6@p|&rck!__HWE}TJ@w$hL$za zRiaDHkK@lL#U~#-|pXDO&iNSLM`M}3J&p|uYV_BUz6*UH3Q8} z=1y21;2X+^WLrYrSC-geMRbd3X^u@sF;6Dt<0CI&`vHNO&-onY)>%uS_)KLLWMrhp z$HH+xG1lDjTwyPrQR{qkGb?d4-w&jxftWMzqaCh6e>;Y-jY-B&C?l7JJdzCc9hj|ULu{OOafeo9hy9>zG*uv5# z;iH8XA5m6i<&s=S7e(Hs$*2Cue+V+dabu~T#mn7q7)&@xC5* zzn^a(mFjqpS|=snu~4w6lRnC+5*ixjM^RXNf%uE@NW^j}5~>8*Yhz5kg4Euzn(BZ9 zVpuiePC29+?9U4+ZOnbvq=N$6Pnp>_(4lG&--t(RBO55L;^B=Mea4pYB-@saed~Ut zizWbMDrj4(jiha(QN>=&Ru=_#W$$!5Zk!P*t7iVd2*4G^P1ItSdg(cs?d)HJKL zoNxUwqZX+GChW7bWzcA6F}Q=z8jbqn)z5_9oT}~0FPiz+I;9(5qL@5a&VWaW@#9Y5YJQh z5bv8S!nNCvV@0$`4q2=gWn&ov&P=Y@lWnmTGgV(49`N%+K2CSqc)+ zCrG*UGF9IEt6|hXje&tjF!LshWlyshjrHEP>k(~M!y;ek*{B|}SpcXs+}kZaD0Qbb zryP~u`X0}xz8L7b|1=yZkNO~P97zA9dq&(6>9q~SO~jF?4;Pt|n)bJG#*>xZ+xq6F zbRxFhF)&q})l|@tFl4t+VM;emI>G4)myZxqrbbi5uI~$z)N?lmgLumkqeR=RG?oF| zE`BE_anDB#uS7mP%;D`t(6*`5>dLc?+%SZ%)`o5Q_&ZAyE2;nz}muUNiT#;Be)v$tve+ zoC<4__1VuNwoU2Q1pYVm^$20eVqe5pu&I3)o~^S@(ZNz4+tFKw#}~peNs|ka?J6I# zmg=l^VYqQ;ePNWPypewypPGhQtILGV=CHA=X|f|00kvv=b!oz8GT~OL;E`ujuF&k( zT$af|yq_Bj@G|^@N#&W%3lFOgR-`Q5>8W!)4i**!dkvxB z`UD^ea>zm>gqQOl&lMY!%euL>gO|%5f`XsZ=w=x1(=c5(UadVaV!L6=Y6Z`3+%if- z!F{quo_DfQl~yg~bI(_bx7P^$rL4rid~48`u}hafceao72bH>0H~3-hQ?$4SfWhM) z*brgov8`qtx@Nq(V{-NAK!6?-)zduT?KiO#dZfadTVGi$qN29r^Zgo66kp?T-Z9;X zL^-xrY}NAn)cv<+h1!|^`=h(N`G~&3EedQMe>K)+4$GN8RjkYozAJdp;geQPfTLa1 zI`O8DK-|igfo{zPSKBI$vq4tyxE3!{6c$XwA)dRo+-0>;(KBG{0Zn>e^VCSoMzv$i zt}ypW44sh&#<}JpCHD5t+sOt6CFPFcKY;EN4*+SK7H=&N@o8OoLWxzi&|T8K+^34R zFcM1KVphYTY~`BrwJz7HU{Eih47=}D_7I<4mQb+%e2uKdQMj$q#50xp%m}nT> z{gJR^9{0h@6{y#H<7J+?voLVSa-t>1a&>TdRX-ZP?4a#tTQB4}zM?fX5rZMH9M=;G zg)5>HJ}Rnv{!7(6g89NukEX%)0ZkQPd@?^%osp{4#8N6oQ)S8LF}S_)>-jayxd zsDC6E#JOe}WIRB@ExT2^{54RKe$>~1Fk-z~U%T)I{ac+Y!qGe3eK%P>MT>H(VLFVJ z(gG|o>1)OHx>PhuhV9fdY6mO8f|$#ZKnoS)Z4JL;WvXfDHJ+GAW%ydt z!$<}Ru~kfs_?6T~^MU%%5}`Oy{1Utl(HTMmGGJ2Zm;~s9=WXqZ=>#mTmfX_NQwtM3 zv$7xNeKEl99i@(`MF(qOEsU@|DmVGAwF;MvQ0QVp*eZQ{TJJ)d!gfbZeq5pDl$mgH zX{~uV2%psq>;mHe(tua^T_!mv2gLL)8{$^Z>N_4iv27@R>}KX@r84?-Nrvv5Y$pbW zU-DhZ1iK96&20Bic;stwj(tJwB@>rZ<#1vj68W8^Ea1r^uHG`+TeCN-a4znsJmUu} zA*ibJs4Bh0x{<022I8qI*qepm-d=0-Mz&-}L-D(X=P!B|d?_XPOM-~AylU->=Em1* z0_?*VCp;!#*%}#AViD6|wR20BRDr%uevGVdr)fvr$ghmN2O!OM^Qdt*@?{azcfy9#8A?_Bl9*Y(|`g;H1wx0*3L) z(FoFNdWK$&hcrOQWOBto?FRhyjSMR7o&tT+-19vdtgUC7Vq*3mpM`{6ppJOUt*ivt zT<&7mKW>iZI`WZMz=%D6{J2RjTugARDXx>1s`3-;(6g#HD^ZlvZ`C*Uc#L_sw><6< zv4CuZ7Rar)TuWoSm4PgIaRrUuQ|a|xGAtG8VDlmI=Ba~AMCx6tfOhcqcC!ZL=OMg! zkzDZB<@ii%@m#ITRO-aoopGTTqe&iCDwVnyX-DpmU+D^9>hgmj?AP+y#BZrfx#i?} zQC%h5H6cGQr4GF7sNHb+&EMn0TQb!n)~*Wgs}MHH8_?nydCIx{*(^d7PbTD6CUiB_ zmzPT5dO|3JOZn(6K)72*ypq^Hx;o>RJz;8$w2v+c^48|{USKd8AYasTyr@rd@rU5_ zwbRC~F!zZB5MgYo!woYEP$(2ww*9--nwjuyzGq#NmEfu|MB@P1Nha;Ty*xBoQc1W$ zrt!p>osUKDO5Uwbjd6%4nrg}zt&^azTY}hMR;b0+v#ai{XF}{B0*ll(>}0UvYKv~nW7{${Bd_*Y3!Qq=?-}fA8h|M<&K!e~(7|myNTMR|M@CS?9snxqsn5=&kH$3 z*?Z^}<>W|SK1()7mJ>eM@&&;grmLaWko9 z2jhz6ZMS#LUxIY|TU$Rzubr*)@<%Y(OoN4e3zHnr3()fkn!RZH@qj@ ziR!XpJ!q3>P7DaN9Mv>V@ZlMAAIX7v!z!}K#G=8v%(fgN)eZ~elW#6f zIhH2xoHt^m{erHK7Wg|whcm$?oOf*RD|YR=#%bs?#R}6d3X*Zdr;50|Uc#kt5c4BA z<4l-bx7{)#&{=K##rjTvjfR?b29QB4P~{9=gX!x7JN78+d4q(=*S+-o_D6YUgDD6x z*4v#@TeMC7I}vO(STXU8GQ;qlLU_!zM_<9bL8a348qO0-PHB$1l(`&aJZ!a3;dL;M z%S4&-Y{Lxtzn7f+2g>;r5KMO_@#Pmfvh%|kL2FGtRqD(vuxap;9j~L}uGvC8F5}BS z1C!*7+_k2P_&X5!1<))ks4;{_M&_1t{ln3>Xo%Q$!ag0MW}t-vO+)Y_OFOb`2TtV=s#_Uyu{UHB!GQW;Wu8X zc*b9INyR3ck+IlVR^g+_}jh6i{W_URaE0yw;{3_4r!N>mw3wtg5sPXZFm1 zVM?}<^@1;;??iMe_iu}I!AMzAxt_+EA2v`91bS_^Wqmen$dK#rg=HtjvEWs%vgd|Y zPqNUok#L{TGr=+RpYREh(HG`&GM3%B|^vdxAf^B z;n>HePyv zqulr}Y0Eyim|Iq+ro8={i?sQ+`5T}zV*v1yUJ`i^Qe6^(d6vj`bo>F-TvAw?iBf1& z!ug9%Ok})woVVgqsjbSCMy<(FVuPmNh^WUu#B5-lnQZ5{<+CRMPhv{PW4>X>U+8+& zkJuV~Tuz7y8Joyr`xSTgKd&eHpewM7%gk_`DKbgyxM6EK1(re!tdSh!|7j=hEC?h5 zm7~X-VnUpA^5x|22=(l(YIhp}{}suR(V*)D%5#PLpKyAy=O3&x998A&GYg(JOm_33 zp=0=ho-9-Xld%SU;UHwOax`o#F>p7n1>S1=X&PSrN&o&|Eb;z}<|kjD(8vyW*zyq; zUH&`OjIj}xX`7G5%1;mdM^fp5>1AEetgb1l&grObg+tcihX3%-k3I}L!#q@zIE-{s zvA(1_W7=e~5Au4}{`7l>oPE@Rcr?kIW&EQVIUs@c4PT=6sD*8VX%VXdY?Zc0ipv|q zFS2zk&O-2Y4wW~{&R!b#Y%kiK@#?K&T2E1qj-DlQjQ;bxzkoe}j&I*|o4||A@JS&0 zX4V$ieq{+;!2R|{e_t%pDqXCd3X#9Ydc=9;$aiziN~=MymOEc zmYmQ;M^=34GDlpj#i*(wFK1A1f_!!dxl2cY31q!~!Kmv6Jlb)#$f~VXFb!QblK1kz z^7Q06f7L+B+ft2hw!GZk=*^7fF*g~X(fl{EX&OE|`q-8%Zu@X9+M%K9%OaPUaG7g~ zG3$E`voq#(uf520|5$53SZK=+*m}ZW*n0!n*>M6J2-43z2e*rPF_sCx?5^!p{05ab zN*eu)#@F(h1*8Z=B8-fgjgMDq2BsJ=Iww?+$B?NeinVR|QJ3EX>t8$x5R^hT`gy?m zsZwxc((VqD@J12wJU{}j}HGWfhi%L+Ml zAu=RUm*-BAAjda~j(7)r3+0rfnv!hrZTi}+{NDE7BN_P2iWV*QDwsM}(VK(en#8hp zd9=zeKr;W7C;ZjqyU@qu5cJA!D;xaw1p*8aGwSmoeKW=#zocjU5BXJm_M@ULd0R!1 z-vl+H#Fti}mK~U7aw5r~rWZrvRaY`%&mgYM4KfE)D^9u6bjP|LIXKA3I=dI1o3w}5 zkNAY&FFz1J7rI_m@ci80%N6~noXOt|rmOcsf7_hxJe6CUxn0hHcRF7Z!?t>rDW|mc1mYa+?CiSco)xF6P>~Js zxNQ^6A_@Z}nueaQ%|t0v_CSlLGKVXLqx&dvu6^`y%VP=`Iv)0W z1>N4_zny49`$eFshiTKyIchJG<;KLf1Zs0mYdPwbwAlNk7f&&&i6-D4JD1i7`sh6f zLiWH;HAtTR62DQ!jgkha(&1q#+){nVO6eECuYYp3&yY;lqt};FVFrkg31I~dx$?0qg>Z8MWQ!0VSwCiyOACUL$m-gP zDg!0Jw49pJWJm;VZns;`rd?Kp|5Mvi%C%o4L|^=WJIQU`v#YUKubv1m$-jD!|Kw<$ z-wXh^sk+P!7Hg|mNg&%xln`x;2)lU6I-x}hDHysu^po5Fr^j0|qW^Z+!>ne$k3Ksk zMNL6x5LFU`=Yk8a`MU3*c5%psR@2z7Sa6n!=B`#z{o_>HUvzKz{7boI*(a6fi5hk$ zAUFJnIQwwJKn%?4KcrC}eEtQWUXfkb0z6sq1mG55Jhbg7T;CmhxZYLSy58J%Q`o}{ z+GScR1K23`?M_zMVD(I1>VK-&-}<0gOjc*|pqIUF(Hz5lfk?Q@ePKJQoO{3JR*s`p zq%hP9^M+L5wLJgupAOh*>V(-&QyzC9zebt<{qkih!HtJax-9m8)r0=~fqy@Jg)oiAh7@I12oyl$aV{6Wl~SD z^{*#?kphtDx*g(2uFYn~LmOuM)~Q~9|ccvl=7T$t)KegKejh>!;*byih87CRLR z(SBkN9%rq&SLZ&wRW~HUE%M9!;GaoOe}030S?B665Xk>8832Ftec^__SNvVB)8T=p zV4Q1I+lCbG*9gwP|AOr0^BWt)g4Oh2<{$s8Z#uN!^*?F?OP=`<2MmD7RP`TRz7zk#*(UAEH^ zd*J@q3Ki;q7uR2tHTVQNdloX}qu%}c&%*kPYvWZekqSo$hdt< zwD%(0YinyONPB-;&gumq`5lEt*G>oKECVp-_cdLtp&0k65Xg?}1m-X#oR+t(y7aTq zSz%uB*Eo=Wr}6DefW^-RHYuNm%{)Ol(Yg{m*KYh7*8VCj5IDc_*70fnFH3pWuNWCme zf42Em)s{aCpaA)XK;htNm|~#R1Q;CUlKorON`GefFXOEVr@5I$#-C;NSN#;796%}^ zWD4g`iS8$2S@lWhSJW&28|oIQablUGhs1d{PYFc<21mf*AJwE^PyXQBbim6=LwSbY zpN>g@0h~>|<#0NOQ<9(9o9W6Yf3NZE&szFlI4sKeT|!)3ytG{DSEQtmzcsfzxMV%CR&m`^GDnh2CUJzTCE@`0@5B~1 z!%r)HtiXx=sB}7oG1^ZGK&qm^O)u|s;PH7NH*Jm61A1ovuR!Rp|4Ck#a_duvVG7;< z?5DD?oey&ry;nUM5T9JxI$~gkl*xq7!+d{!wY3BaUKwtproSy3k)5O1jxDZEV={IU z0Xg^&w#3JRIATGfH*I>;(H7_M=4grP3HO1K7nnXQ?a7sM zBO?&py0FdoYu}~T(RDOtHF9s0p}LSJ8Xf(mzP4mz&m;=-Txa@7)@4RXm^i0z*%2?) z7Rc@^#n4p$eBwzZ75hzSzH`lN?xU=vP%4I25sgOR#XBSeep4;%YJUv7NaI@F#PiK) zs=QdaLzC&Fz6>ZP+KvLSC`B;&*i5nVIq_?h#90e&igs0P+t&B_d98t~fwx&$SkM(d z4gZU5RDo)?vfzs$F>d((Leo97zc3iSZk5dP({FUg;&YUHJC4o6;Wk~7jtC!B$Uz0G zvFwK8K%mh@0Y2wDj&0*3wrNChT@q=XqjlVrwCLqkG^v202l=%NzOxn1pB?R)0_8uq#m ztgO=A*7n?wk?g=fhFJ zIaNVyl~(sxotw4|+cv!Svzc6VCV}5=6%i=QAh$n!+^QYhq*+J0?La~OIZ~uoj_ZoF zch)C7Cf^dbZ{0atopyXR39{cVEI{RN@4AF3)kt@rl%84iK}ueDZ>rpiFoRg=K}a*W z*(CJwXM>@cCKq{Z?ILS_E68PEM29mwYJ`|e06Pg_8| zPjqIJQ9%C9c)B9LqwtbH&eK(gmhI`y&WuxO810dgLtp6K-dqrjVhz}8sGUJ&wa>Jw z@`>3OIN~Q0SM8-^rMajOru~D}sODCzjBJBG9%DJswd7%mb;hDUB2ZNsETpXhY`d+T zzjfpejK1k$3wSYJQ(i04-(hnp79#D^IKP9McONPRT`R?UU~Igi4Vi|&x*od8q=j1P z-sVl;D9JBzC|{y5Kh`xls&h;os<9z1hG@@xC-vA5SJ%E%xOTkur6#gajlh_`m$AF2 zanx6t$zargToIkG&HK_uI6l-~Zk{DkL*IaoE#H~`g&EfxxxSKxf-UAcVx1$mdAtyz zzAT{6g~MTcOlY-C3O!LUX6Dse3SWpXjOf6M^^?@0Zw6vJXv_zxa zt+vn3=0im?JIPx9H$xb~uOXesPcBjY&jv0?zI0M{Hq{u!fjm0Ur@Ze8EMmL)d77Jo zUZEqvr?5;!*ZrNuCK49=+?fd0;=lWX`6P8b|lS^Ckw=bt((5K9?g-(%G>fOwbNQZ zlR5B^=ri-Bh5$_Ym)gDSa@ik%g%YZUWf0y&lJ1+P=8;V_BcI&@U5Y2Zd?n2e!egSq zS;#!veY8=74tA_bfZQR|t-}~IR#k@2{zm+?YbtE{b1LFMufBS~r+ayvPXls{p(MUn z!K$S>%a*jRFJGuUR97SR(7i+({h0HhUw|7jKn%=`;Fwjfc*~lmYCcyp1C6hC32n$$ z@mb?aSNxII*d6k9z2(v-uO$xy?H#tPeWt4QvJq=yu`11IWqQfzdRml&`ym9x5!i%B zHP=G~`Q7#-V@DQ9#L1+#*I^mX+X z>iKs1jWF>bw?~D&T5YW50MqE}z3_EY$jc2Eg()^q*FbEz2;Ode?aVN8m85 z^bD0~HA{#+zGH@L7soH#%;fg3qr;Jm2kf;T4Lbw19_O_%0PQZXJgggbF9C$?)cplh;Fc92eeH#nA^9!Xk| zNX5sma`1jxDh_WdHzXD4X?<~^l#-ckw9+4{oY|Sh4tSq2r%W-<02{aVbl%oZp1^ry zDvGN2miq~yY`=$$W(~V(`Cilgy6j^)G-{t~rxmk4K}hM)uhM+gNRq^H6o4>v$MY&k zWW3M!G3dZX+SP`Frr3KfNb$7mapdjAk?&Szvk)syxEakt8KwPAkm5LJvKZl;6tU$9?a2&OMi~$H_Ow{Y!=;S$Wqx=X~ZfpE=jN?#m!$8+Fc>xAt@R zKk!+jOuGXho@CMcu~?8!=BXp?9Gv5Th>KmXnV}#OxgHx%*0+N`bCK2+;AJv22n^`1%6j?&f#Jp^y~tnNVl1Uiw4h2ghHiw1p7 ztYaxRIjig37CTK&=rWAQ$n+Jjt7X~1GLcD|t}A25EI=zcg(p9${P=cq{~VH7 zPPq-OEZ?Jhg4pS!XD^L>%kef_MWlQ%iu~mU_twCy_Lg(o>X{iv(Ipkg zKl!E6g_vtdtM5jd*J3;<^+yE#QA>q*m25j`6!m6P)cuo8dYYe02I^PqxLecvZ8knl zIJR1h89M6cJ|F1Z)q>(pVw1*P{@8LyB# zcOT_mu`&r_-(sfoLa}YxEwXJHnewOKInAwT|Fs+2CW^E8G*FsPu0!Sp@oG&dMOThh zI*lQtK1*A)*@Jv=uN+$LqB*jy)C&hDWIogNX;P_HPT(RIs7&AWX;o-jsjQ9;KpQNL zYro$R)^6!&N&`8oy*X?XncDB>?W>aT*zV>;UyyOb7>jPdb3+1SAj5N=p>wFxWFIg>>QmqBP3`Nt2_60}A_f@0(@wT4?CT=fTdO z6Q;K@7ermXv(b)J6Ov2Suef07nW5|mcNHtU_HtB_@WYTiCTMIvAKocxvHXjqVfsVl z_mNgc5$F8y)m3rt@zau#-Bx@`@p_l)-{Hh-`(nDbA%4_;gH!gxO;P*C_+he)v(Jp^ zGS&ME0*Lsq0@)3Ur=^im5A-6lMqHOBC%y{W(E@KzY2$U971I_Q|1KLKbAN;425>qN zy(|@doUeY}(t=*DRrJW&Kqjwx8DltnQKx9R*P59UFE+EA=c#v6(#GM=rGfMRY;qa3NqgE}^x!q|_IZ_@Z zv-9MMSOL1=MWssoP+&yc(%GW9+*`|Pd@}3r!(TM@TXc5gYrtRZ+wyNq&4|@`ZSps4 zPQ z7@GUM0wZd^UrstX1o8X<_TPyS)+O}%~Ur1p-Z0X-Z$|=%OQz4?@{o? zYk6pTX=X2Q4&%u6I3I+vnQ773G`jGZW0b90=xwU4;audsi7(|K9>z*+E1W;8W!Zn{ z{Ol)6nMzcV1>=&M+tB=Wtxp3=leW^^c%Y0Sv3zr|(fGUL%7uo}Q#cPir`gb^#FK^a zmF{f=)fg4&`IzK2Ce7H$F-lXNp}~jChKRGTocUXinY-#b!@@lc(s?(Yqp`mrk~d1q z%&S~5Ht?x$l1*D94E`-ehLSwr+bjH0mnU8>;9@9EL%`nU7N{N!>ZboKb0TzK&T~Jzk#M85_Pb5{1L;Zf zEoF+*U@G7wpT+=}cxDyZ-Lmkiw;f6K(`4u(U1a;pHWvCC>zRDD-P*NM2zF^hqh$4M z;8|LJ&ZAt8PtIQV#o(eRGS^X*l6LM-#RM6jJhqhB=ucqFG7%WbgfAGWH}QLK*3lYA zMDCrhMw>_{h;2Oehi@>UNre*5GuVam{vn#FX^q~Acso1f+#&G9WMK_*z6$3zSzp3bgp{zL5& zatblgfX;N^?znnvyiV;KW~0txEWox`oX21g)#|WuEBZBhbXN+_^)0vc`Iiv`+mlUo zf{vh$Jh668nLrWU40{G)6PwlcYRvheY>iJ)loA#8-NXywv`X5+9COQ59@HN4(yy)j zZFR~(cP1x0BQt@!w!g?4eS z{1`e?T{K{E8^dhil)2=k>21^V{mnxrucf=_z-WjMzh%AwZ$L$D*mq8iR4pdcx^JhS z^^}<*7^!FRE+&;3^!Bjbj+M?X6njzWG|fU(x7%W=!Sq%_@-@8O=~Q(p-ztYdUXWqb-rpvhPim{Qh2K34^w$RrVBJn zK6ZRk0+!_k-R9FiH@S1Nu(VjyH@Ey0x?qy==Y288?wy$iOF_p$P2?F`OajND{mxm! zXG3x8s>i0Q(Py;HgQFo%s_wJP^bfVr;@)ZD)0o>-E5WyX6*Q<|QmZT65nBE<>&E`@aX=Nma}S^7m*r?m`hGr|X(^>pk~*lx#)WGlM5{Ty@U)J=#uFX0@=UF&70 z64NTX*;`v9jd(p)&BiUgpt?6y7&OEwV(s@DAOoZbhFfN6&8g z&$|}G36xZA_LD?BBO2xkR(gOduPG>>h3sQ!ic=3hR~-&y3+%*5Ek`?8!X-6QZ&(yD z%AfN>j}$GAn~pb`qT%XVst+eVCgmvD6ax9}iw1Jb-$ftqSXu48+8hn>qlaxT4k6SV zF(tW^HCb(N5P%s#^0>G&FubtF?Z&O!${*+Ti}!MXi?FjNGNkQ{s4g1K?T?1T1({sd z5-uNe{+xQEd4BJymVvh960EV{Snv$N-DmL=RbLf7&HEZhj|j_uUmHOW?!Ly@RD!hi zv%C=fdv+e|xe5F-n?D(iH-1iel{YZQ&II=CxkOz2^3rP&?ozi>=ZPw)u414mYJ(K> z>z41hT1WG=wNgf~tMExy)VyC9cxGf~52&6uC~nT}4mih-O>e<=wx*Gj3*c8ZUiLmR zXGcf)*2tU+?IR$(74>SB$(GR9DC1Xf#`EkdpUwqfg)(g-m@6;hn63{g_}}i7cEA^FYN~)W2G_7iyQZ?ba^e`$4h&}(Ys`8`E0dqX#D8}AN>5v zM!7b7Kz1c&anBg=)YdJmQ14-1d`p;sRc(Lm2!D@H$88^+zXaV(utkCgCL2*#yK@}n zc{z79qpRQroaPcTlL51VIcv{h2hv`hyFZpLcI_C|mh_tH1QxYSp*`YZFk7S){nj*g z?Ja)Or?bCLQ_5|i$_C%w;Nh|?Td(Jc z_{CO;uh>#(eC}&JaTnRtrsbV|L9Zv(c41|&MT`3#aGEMF<+@|)%yxLB3(qz3w@YQ{ z^ZwbrIu@mBU6(yubGp!DG%fxKbS$6^NzArUX=i_jEIl;F773L?jpmtJccp5I?F`FY zhV{nnUh*?-37@`jN^Ij(LQrcYOgkIi$YqAw+I`3}V`UFtwHzoj(>AC;xV_5zLCteb z+Dl8<>2nzEk@uH}@~u3vDWShc=f{&=XLiEQnPx+G5#E5G{={Gwc;mZc3(hznNCZ%#*}|+ahHZ~&f8DuC@f4K`-Alx zwp72sjdk-(Md5c(%!|_s3oiP;$v&`C#u z5Xn{8H*slibZ}|sBpQCE2si1;mK7^%f4*qgcx0va6*RKjqQ1KJM8s`x+|=GL)cUYB z4ee02mpg-uvooxF7TPAgs-*(}y!@i5Y@yZ2O(tw;r94##lVs|$Tysh^hzD-jXsynG zxDd^JrdP+SG~7{`o=+0Fe5x&oh;DzF7I@|hS9bP7?7k_1RY3Vk!fS`TlC20@Se(dp zNl|+wjdA00@JFCph|hT6E!$NS1Sa}Octe5JNTvX+(?`(xXL|LgfYw^4imrS2{atbJxZh_1(96O^ z3M_}pT3hH1y}=GmHE9;F29CWRDVC8@N)SqEwFTU_9;SM6ugq%ntFA)gBb;{~%<9;? z?C-zAU1Z>XSQistdZ!KR=(=#(z+FGF?>~GBZToidkffB@`jzHcgFd0zrl~_Pj~QD~ zU#jsP5mxSiXN5LBUj;;1xOx^|WS=a=C{d}!jUIw+>#jB@*$0dsw~Zb%Ty}xT7f~YP zoSk&MYUm!$-}nY~5s|ZYjn^x-rE3*mP5r)}5bLjGKFIR+UejdTAb*@^x9}H`GqNRk(uEb)s9Q9daaFXf?l zc@_I<{HV|c20OL#Fav%Y0>cShINSkY~{QRpPcIaKD4^`v|6sE2aA?reW$z6IWihvv=P zoEShuX(E^RFeO42B3pkXl7+8f4TyD3?t)c-D>&PA$cD~^@Z@?(cj^iC;aoPOc z!KN7ti+Sr<8~53>w6G}ZL2la1GIPU6s=r?bEDEiWa`N|M@-gIl@x7#RhBqd#CKN?? zFN8_oKqW5pa*%?C&r7w4B8{v2vUrMQLsmf!47#%bat*tG|2BkQjq~F(Kp}aC5rx!@ zUFMw4%rQt6vDIgHmA=fF_;?IB*sk&NF}}LK!IyC}`VI*Wd!`oMZpF&a4bnV@IJP#I z5-op-P3GNFR_N+%;){9Am%&@PXu{UC}^w=z$y-}ZH%7;9LWnx@0o1XN-3VbfYzpn`sBFED-Q2uNIj5Za%3RhgjE7ZI+B<{J zrb%maSAxEYHjN%}lvw7E_K!Jic%ydZMUCspv-uE+Q}wx5Lx6PRuSdIC_K-QpiR`QcGWWY*0OIo0B+B%M4!=-!P{&G=$k=&BT>57a*YfOJWBy^W_TY3fibNZ z`W8(Uju^nnr#_xbbDH?z1vKuip7Y!$1M$Nzmhov8kO4~Hgxuli# z5|Cnm&G)&?%Mp#K({#$wo8^*>RibW>QYP}(ons`29kK8xkzwz07e%WhGFbL^Edf#W zi4D6-b#2v%)nI4kq99W)f3|vbcH2ihvU!!+8v)jC5)mheii!=IBJLvBHzaZOd8|J$ z#>(3+CM7e~Yl-z3PblCkwKY(xy=7-BM5`xyL?o9P)l&|UC|}XwdCqH@LziK{|W7xTUALVnpNFTjY-4=-)(a-Z$(fuUk z_}m@wqmK(m#S+Ez;8XV)6t41sD==r|yyCY8#7jzTig89gJUY8{o#CeQZbzR#BcE6L zOy=-fz5cfkI`;E*b_~w6Re80W5fUV(+y>wPY?~AHCZp>br3K2Y^Yj{43=|!Y_m6N-p))+^K zk6~TcBhD}zAdmBl>(eLr>Q4+@f=r?+H$576Qw!9Xa&(8a``G9+g_#Q7ZC1V6CP$C= zU5Y8(I>vn-l_`Ks^!%6qTm(9cU*1Tk_&QB-Wsb6m#NhRr0; zg_hgKJ#OtGsK0eCo4UC;_N;CTomce*&ju<4aDY>BH6txVejXF-tKeT-FyFEsD$0Id z&LnMR;J%WBY;pxbQ0cPXlF2sZI&a3ztaeeAHH~Z#Hz)OebCZa-L{uX8PW^n{=|?t1 zVQ(Bw#K#9f<3N?DB=r-}Zy8({OCK4J09?5Gg({pA^Y~;mmrdBq&n&P@QT@~R3XhKR zmYej|+7eK}r1EkdGGSX4vBFl)A5QR+F232=e#9pm)^4B!adN@r#iP!1ug*mS>P@m{ z>EQ6vP=MlLeO1}rd&cDiikg1floAm8IO2!W+#OR}@Y^*j?QX?_H8hM&x;Nr1BZZ?s zTcSicmY!*i5ZvVMI_=nw{T1x_A?R5N7dwy+{j1QokTKcNy_D}c87&nX&E-M7b&08y zt;3>@hPHLZMmu7ToA1k2_PmuYo|6B<_|9nT3PeP>V(#9im1?B3%>PgGd>fCN6DLRYlXWF zxn?hvXAPJPkD~(EnH$_deV1lFm3%R|#p=t^?=*DQNtT1j^X?ZTsr;F;rof)wc_V{g zEyY$NS9lVr(QzL#d;(p+4Ba#|e@bsQq&02-Vljpu;>kg^``n@N6GP$!NKn2BmrPXG z`!W%LVV6$XE;#YmqaM}$sIQY0TV2Ek)5~LU8W;~zv$gK<&GSTLkfV8c)*?kR$ijXi zBXF%S%C4XZPlc|GfkXKWx6KvLyW^MI&T22Zj28uMGK}8Dzl{IYTlXT7Q^Q<}b;@ml zA5?_WNq6==dtCH`2?{n8;3BFgo*T=-;#--F>%MCLnt>-$$k4T^aj%`B# z;>l-B;{5!)!@6eZ480SSc5K}Q5Ed>2FaF&cJauVCR89FV1sWuqjdB zwyDKVMBP`Ry+I{lxr>RoMJI1<6)=9ycI=#W{yagR?qRbS`Rx7{;o`AglNQK86IsL= zVC}o(@jP)3vehrNYV_+54R@tBHrijrR&V;@#9%PX^=A4upbEMf=i70sE~VO=YE*K% zV#=X~;mYP_Rj0tW>VOl1HlZ3cF8JtTO|mXKcVB7j%RvP zGLMQ<@V2W%E&*zFd`WpU#DhQANPG32seStPJE*n(LKoZ0tPg)63)kyQM(#C_%oqq- zIEWzM3Ze^jZ8;f`;j1I;L8rH*9Afh}DS3qKb$M<5 z?=Sm^=S~w)BBylWbyy=V_$TJvk#0Nh@otPs;{pc@6_0L0f1U;VmMBs`~yEeYYB(APfBt!v`LznSC@#XkU~sm74)wgBr!Sj`wXc6X{ObK3^$Y!kVqsf{h9m!SYKjLos%%wjB32b#@*4X>6leK3^-1*xwY z1mF4^YG%DE)f0!fp==Mm@w%u}_|du#&si}XzxK5&&OmqUdy`RYn=b*uYToL zdCKI8K?}r!*-KD1d1@2Tfi&}^^65uCCc9P!8eW-i*`-?x4sbZ5YvN*7x454T?4)QpWmdGRi$v>fKFu4JH+O} z-QYaO8+Vqcoc3Nv7IKa?DRK*=Bf*rb4Wu8^7CL;gO%`@{p&{!5zOR zNytt$K<RKZJR0)9%Z{i-ugirjr#1G_l^rf;L=)l=C!n=Xd$JB$8_txe2al~w)e|B}rx z*3l2BQrm!kVHqkRj*tRWJKqM2r+xO*h`hd^We=Akq>sY`>R~wuaGXQ`^u%Dfs*+Ud z_G0P681{MJ($B?0y0*QS!OpFQszHoG9}v=_vhmc{mM(<9G?}y*^yp(cy=#bz7VyQq zZvUpsj(*2y=aXSZPpv)dsu1#n$~01?@bjvo(KO2WRo*#aM>Qeq6jFQzPSx zZwlA*p*QlJsr)|I3+HBp0UfxB!o#A|i->$D7`a5`=BKe)LQ|+srElRbzC?Pl$8Ct+ zZ%LK@eTd>w6N+hihz}#eDRIUbA-)&5Ep4K>C8^^b#Z!(z2nS9jVDGayE9gptW@Q&) zd8mswN(2KI>rsb7gt3(Ra^_VYH-hKFBz*P05 z$xr=av-786+SgowK2C6yqJ`=8!7GOJKmDgPPuehIu-{MB7+t)XUHRj!@kodk4I$CZ z!o2(RYS4gGCg8o@>c^P3CvIm$bsd~T< zU&Gs5ZygP&aBpW6x(F@E0F2lbOU<0~&<_lsv<1ES;kT$}OEFQV)tl(}kL9Urn=#N1 zQ@|$d$K+=kjNBTJ>aMQI9ACx>)`ij?$I?ToiUO-l_1`Pp;n$R7?Tc0VJ=(@@&k}maEA>q*Y}8FXCa3x^ zl&+b=K$}>~2Ib^5p+@KS*!V8hM^AK%>cd`@7%_4Bqgv{53Y0*FS8k(9JBq!nn+@|9 z3@yJ5jG@GfN!ioaoSF0n2&HP9>}FK5=4MV^RRNHE(?%z$m5Sx4Q~?Y_uCH1wMe7#= zjZXG}a?M?uu(2`GBgc^z4~>AXS9m0&CYtoPsB-KXu4zGieOHEy3FMNi!4r z{KmumbMQVHcQ3h;dCZ=bSJvZf>%~7?0eOVsgq5{?R7<-@uyLZY5bgysy%z}dL5w|A*;VurW{JG7{zEhf%4%`_=4IIT=;|#oJI(y zqCTI3-|snZZU8ZT2W}?f3_iIS@|%};AStN>cYqVQ_jyc3?iaaC|MWQ|_9AvB=3-xu_M&#RDl<885lrAoo*VJ<}Gx%PV@=ithsSHje z2SwBXU1H`U5b6z~i6=peO_!nfcT$Cw-a_777CLrgIjWN8tB)-pMNyp~NGTP2GZux^ z-1?$8BuE}=`=0hj2@>cOov?Nt5ghjE(x8@UEjGelTZC<{n(e8Y8f%UIQAe-S*GQ=X zlQa_0A2CRYV`U?L4NenbMp&zyn8|1e5RJpg&Xq4ojNK2Z28V2VUi~=`gk5WTJq){e z@hd$v|7zZ?7xWNuA7hQ3BX14|k09qBZHv33>!m@f>r!~%CfE5#P^1M;C&I||#TcMH z(F4uaj|CFBBEZPo#Q36%N0V?UTMi@vv6D6`Assuw?oYN_8h=hPzVWd?B~Mi(oF$jOB|Cztc-HYP3*ua>X&fw!V?szX%9~lmA_~vTS0O4TJk+NXtcDsE%W`s;Ba)E~?-+!( zTk0K*qVwn)AlV|(c9c6Pkqc`@p5#Ji1T|R`kIZe3f}h`#=8bn8A|Bo zsYF58u&^n5RQVBC8R?Bt+|)`(IjGwcb#KgX1ZSh;Hs@0fG~(2Uh60i;hH8U0y>Li3 zDRbu~$fF&{RpGfo=Ajo$+)GK@(%~}@_m#r9``$8rTg`755T9J4M@6Ofw)GXtxw^v_ zPja6%M@XNMy*e+c=?S}bq1O#kk3}5~Z`DshC9it*1glm?xPM=;&r=lPftn4JxwG`T z_|#R+GtdC@KAD*(8SQh;bB4nf_$+Nw5)iGSGTY&L5JTb6tjp#Krhcu*D70gC;~h*> zGz)tt^S1%uX~izD4xhyjY?h_fs*3_|CC@-NpM<9&O z^^Q8!eXmugM3S`;Mgv#2tg$uxaHVH&mqZ2OmTg!+kuYS=_e?c5_6E`u5hNTxT=`BD{Y3cdQwVQS9 zR3|q^)Rc5g)`-6HrQ(;t+7ZUID$%A-CMf|+ak-v`$a8-yd#ZEOYsvMKMUKs^I)&_0 z`P*Y2>s`CR~% z;~D`I9qf^{d3VaJ6Q>>oRsFK&xkMNvT10UNzt+mun}XRlw3TmPn%%PxNWOC`mKa-{ zc$_`v1E0Sv`#yc_SrQRovj0W@Wq7-ai7PCFX21_=O`?;Clnq#~`ay#r#!Do5YF18# zwFbO@C=dbK|1zGDe2evLW@mdUGZ8~N2j6+tC9=;2M~E29`j>U>!ypKo(RrEm1^*?a zE)jC z{=gqNO6GB#xiS%xl?RXK7l&l}{>Gw+utM@}Rt;c$z9XHTG`>DU_8HJ!ohfID$Xb6R zRMjtsDcp^Yx%M}{x~~<0Ijg6@tDvb55fOI#UhH3jP448;n`>xwhp55_`xp5{81kPN zd0E3ynMCkNh|_edU1bu5DaF&*W&1xbd2nw(1a_u)nt5#{Wm0K@2%Y2L8^}pd=stWr z`)vPd=f4q5M>|==6yzg3NrE$nfs;`TjvSmv5CI!uCxJ*+xeFl?Kz<|uR~71}*?zqxNu* zF42z^4w-!C5ANQXDMFf^Y59Y@3!$O^p*M5=6ZSm_l4ED{v5NSo|NcAa`Ckc%I$zic zO-}lD8PXu|Z9v-Kr$g#SkRqN4WpYoEl8;1nM+W`R*Yn+s zhyF8W{HOZ`p95HAW~O?3>Uq+*JZYtwu#B7>mHTOBB%zVu#{@Q(xz{H}8kYyah7HWm zmZnF9f_d;2JSdh+m3W+{FNY>YM6nWxFjrakwSzB=2tQ6X0$wmb&wuz3DV7efG4{u4 zNskOkQ?Qb}=-Xr++^7&-_@BNkpIhZzQk>`G2^3sbA&( z&t&`!uaZ;zLtJ{EN*Y!}Vm=0>r*IXLtQ-(g&i_m<^J*c@u3H@iiprVC)*t_dN9>C; zbLR;jNlGO(gQh3r*<+GW8rCp7uu|DjpEPLz_$~mzdaVUAq#y-h&w7U6dk9_`*=B6oB%H$o==#iFy9;uxc zFNgmd=)FIB5DM;eMfq3~)!PLClXMw8K_ZdH640?VHB-K*N|VNIev#kgM1e@8bN~Z* zE-o&LdOhrSO&Ml52@7)b;mS0ROq1_5Vkr1vL3#STCs} z_ri{srFai%0vD(P=j=cvD!tDWa@E5ulC1m?Scvjz=Wqpy@KTykVmjrx5HW|pFMt1M zB0$h<0P2@{Scqi35TGOK>`ba=2mm@gBi5v8hNxc!njykzdP)DhY5$3&`=A&Y)p3US zjgX=UWECd+oT(NWV=hdD&uq)OE}L`Ya9bZ)kGF)Bb2Zet!JSlQ7*+PZ%57Sj~jrB=je(=PGoqsoFHCozpB#;ML`uN5*Z+EW869 zywMP*omgNSD_S{4ip^#XyO)@(z;*pUVYq(@vE=jDJCa-ZNh5e(JAHi@9d4tibnqSB zzt??@{<>|fft)ufu6^pkWwoygA2c42=Hh&6UzPb-Nz_+4bzQkDnSzTnI_=c?>!p(q zNrSe!M-_*Pbn||ZqKkN#EQnlDD5xu#L^b?T#UwC)OCCAf{(k$+-_xBwlOeBuy!Hjb5!P8guv*Nd}4lcPY^QN+NIh40y}u$tKcx3$XI2 z#OI``-0cpNdzYg5Ng@(Q;jqi=TSRjK~I{u(49GPef(j8%_CBnGfX#8sN-oXza&X05x`n( z3lzS-B~2azkY#2ij}*N5g&Z>w{2s2noTS(mbxOdVmA(@svFCljo>L0kBw08`GTn9C zp;T&qF;Z*`#nkER9$yuSs8s%idhbsJNSuY<;wpKvqDV44R7$QmG;=JBG^OoxijU8p zAB`l*5cJXKlpmit9eF?+iYtCpu}eriT#+=;l0mLGzfnyZXt@aPEV7OHPLlljLe2<$ zMtO84oHR>k26sLiZ_2k-APIEoBo=hAzvq`A3Aj8xeO>n@i70L<`MH(pQTPTas)`2y zYf&a4Yx$}WXXH#8N_17N^BNsVrVoz(-%g(p>zS+C^&bpk7`sQt;=slOII}E9TfpGfN{x#-^-(i$sq8f(+KZKu?nT z*#i*HJ*r70S$F`#xkt@IQV~VPgme*KN%71HKsdkSc$XC2p+n$r1mT>7 zDHIUSpACH_1<7U2l~af_BvB!E4S=nWS|m#T+-jZd^l^Wu-}bK^xPST|b%JnSXlG0c zU;*Y70HIZxUz`+ZOOZ?v&Mm7?lA^3QOa>s!=q!mOB6dRX7xC_YDDFSm>Ytvi`yY4p z3_&=rAWc0Kra)+f{Ng6b!YQs1gmd-~K9T?NzKFT^|LrqR&s_gp{flJ2Ldq;eTDfA# z{5@&X5CtG7c03K@BF%FWPk~7yQm$ON>uDp2mVWL0^`QJ<(r}g_!c~ zT-Fajh5Ja4L}E)eP@CJj{vZXjkONjuLain71^?>WT~gF>a_r#FI}x1FZ=~_V$AtC} z2~+4U`ewGi7Ab1;DZ1+(NhB)d0AvyRj380+2QaaB{5ffQiF}0dsx4mL|AvzPF~8|N z2~>#%6Xc}u@wvf2s0C?Ba1JJN6du~M@6ers?01$v5~X9F8A5LzOjG$k?+ode(o|^{4@5a zXH55>L?T#VrG-otm0er^T+~W;)HXir3d|3?Uf%C3{HCiIWw)S}^Y9=)E;p`4F3~YM zziCLEi~>GQ*?qfW6mff_PwT$-G(RY(xI1KXr?g-CVtwnxcoS&rU~CV3;@qr|vLM*> z0ugWh1!4>wO1_-wj>3x1Qx$I8o0c-_@9`tX7cs!wg%1{j0v%-WK?$u6#5r|smlt=m zzgr>3PF*E_8p#oAx;MShFV3X&OK0X_6J;xR!74*VAk0fz;`ko}T#mP7ftT-&pREf< z6dxejyCV`+p6ey_xE4)q2Rl$b;~)xn+VV{OGI8IkN+au1uR!CbTxI|-1NrSqtBk?C z@TO4WR{ncml-|jubySJoXcC|xB9eiI`>49;E?WC*)PV9rMm~OR%5jmI+7#&^kbR^1 zKoyoi4OzU%;Dz@b7m4`YL*Pcbbbl8BKWCxYD$8MGV!ADl*KK&*Os(;End0L8Ch5En zHlka#bi&yV)tRG2R6JIJPBfdWjy8x}*Fzvu?<*&bZQvJc=Z4%^{OZPtbJE}VQO}q7 z!hUhej+o4}SyEW_#(1HhF-Qi!5-KG>5L$my0;?26h=0o1H>nY9 z(fqOsjo;?;45rM@9S+%*n9L~Mv(Ab>2FGoA0a+{h!!7fJBr5QUQ?qvj4{I9J(yTZ3kJEGHiCOpW&#cITRfO6b6ut<_QzcvoeY`IpVXFcBaue{^KhW(q$H-aqk~I>w-f{N7$k5?9Co~!0 zV5@&c^p6qRr(_2SYH$XiDT($h2om!gX4UnhRs%-%j+b|>vyw{Utl#M*E~hQ0p1*3h z1b_1?fBp2>kLkahm*PvG?ZEG|0Eh^+JPPNSXL(N}iJA(pI!+c{X9r}=;%@A?kDpSi z+(=)WDs#hDQ(vyz8at4*W1DX&6XmzR?Jtl^NS#5KTAvUVC3f=TbCr?(I?MNXot;uu z6X8XkrSOp?<3%Q#RQ?x12jUCMN{LPuZmy<88P4=vx|tV{v(u+-TQ?}XeT?Wep^%GI-XoX9h<a(h%Z`mPIo zZ;y9W8=!31EWx+0;dv~gLWtPYzu;h86>Ppfarf|8E}0DNQ6l!SYKo%!N(oT)0`&kL zD&!e&p^g2YJQ-?qLw;_e*xj41nf|}fo(Kp@y_YzEnfUqwb?5L{w@ot6KmD_a~L>WGYWMkq;1jxRJkhsVbgANLB`uft}nQb9?S2N)*{w zBkx5bzZMrbtU@WD-XZg9s3FJ>dID|{8o}EM(w+{bNwEeNoqpxmH5UN-*?pAO5A?#M zVKuqKW7LPS#7Gh2o@9mn*~KNN2uc$)K9;gOuW}@5;%D$wj%yD{zj7z+thfKrTI~4G zdqgqif8>bdv%ej+i=6(`U)%NX{}{JBn)k6ZM8nOX&QaG@TiOr1gigmx5`{0n9VVX* zkl8A(k4tJ*iRxQN2K@V9`|ZL49%O|T*?xX(02nqh+9`5Kh)IT4PKwgw15A~_%gEBV zF-yNG>(Z5;$4zJGDNUfc4sY^$p&HOfM@% z7lt_9)vj{@P~$5MmgQ791c0Vth(Oey)+FGqkD6#M9SAk&0PJ9qu@7uW>w?@NhR=b6 zPXAPI6;WBqLR7}r{1CI>>+$L_l=a$R1>6_5J7S5e9$ghE0#Pp)Y&gVVn~9V8{xr&` zbAVJGk$1w0h!8iION`3hL_zP^XGk8gWWRcwcQmWczVMJ;cpD%m{ZaW+HP3(UK2xi^ z85O+0(f^_`4vb_cx9#M6goyys#-lesLPMNVwC~#gVUUCV8>W_hWWnk+H4{#`IOC(7mT)U3O@KbLsbafg_1mMDXH%&dzow^s|HZ_$7z%;G1c z>DOm58O;%zgpd+WT;jomdh73&~+^hdqcn;b2@Ite4pf6o!>4%YiK03xi~Z z&9-|ztbjn?2dhuU3Ou}(bOom1wbo2j1@e!G+|C0=Mfvx(iFtTt9R63)k{jdX1kOSf zRYr(D0=3OIs`u+OowW`^@SvV+K^`3-Y{3SAOFUoF*V{j|szgt8uNC|$;lk(KU>FZz z1%yCB!i8Qz0EMCh4!_w&{$AHj@>OWo17aZK&(Bm*QT~-v1eqQQ?Z1>mV0*gsIW z?5I@nq|@osHbc;3xo%QSE#zq{T)HPOE#wscS+Jk8Yy3(4N)CYs&i@9D{CITc+H$}=hEBy{vf-)cIFE6Ft^ZvTqm(l1MglQB)g?P z`mcm9#Mjom|J{HeQFPz@hoSB}iuaYAQiE-6Hn281A$7NR^T&xJv4288*zx4`amKVF zFCv!A{($x2;X$!R>w&?otXqqhXd66+GGN+K$d&O$DWIx1h!RxUtfo51v$>z16XFyA z3vY?(8}Equ=87Bn?`j7jXdy&4#1Cp1ZDgFb5*;^yK!O1|rFp|im-6DD#wY=Qgd9j@ z7`_8g4do3?)c&w5z(!VR0|l4{zb|+~Ae$;=Xc?UFW%A9$V5mDzaOuM>QKi*hSwkcxC(j5Xa>gl8-8}+(@ie+?`SjZ0L_=dtL^J!xMjGiA!hrzmsbAC|F$vzZWrbBkCw4j zedGP)XLLtLPqGlMvk?1gp_7uauh?%wBFi5~qo4iD47U!R?MZZFLH&|-~I`wtO_t5WuncvJ&jSV;iT62)P zkO%^^tigJ_5jTwz9YaE~-`G~RKGSwJs>&#zer^6(m9=#z>OPACzl{N?5^+=O91^ue z+nN@^0{SJEMO+u)_X=*y9fCOhMQ;B6AL*rXufwrV)+0ELLUt(c^bbH~%07;Yd->vI zw}RhO)av@pS%Z{;&6@wYyQC*XwteM|D(lno+Ux@)a_3i7M;MuRcHxG5*iE}x&Cq}6 zk$;);5cu9n4E(BUa$!@HNM7;H*tcr=NqFSs2Amz|=84ZAi!A+EDo8oJJqhV-43*`5 zIVYpK5QSCN>+Fm6@V8Q;M{oYTinUxlLMxWk(|<qYcLF(Zmh+t)+85j3 zo+sifBOKq&Hh*n&_Q3{yLiiIW0edOh`#HcU?8{4E=wb@E$gsimDZHUF;YR%>FfO)8 z_4{#suizfC%0^gQ&h=Pg_|0!uYv(0v!GL7lnwIDG*D+^3!Ms^4bDpnC58ZM9%d&jY z<*E0`a*K1J9I`t?f7qUECr0cmlw!#FeQZg&=K*4VkaMMKOlEBZj-5b@4wj}C60u!J zZ&FZYyI-$d>EERi6n1+{VIjHeC!>P5M);+nW%mr77<+WfRvTnfR#lDj| z)w@v}o66{|=K07!%-R()Y^F>^-u=BEGs=z4kCiWXh+y|e6;IECD$+lC#0tz!^^B!P zu=wd=+%irq%^JTaJ6*EfI(qoh0g8nsm>|Q72fl=4o7VatMweq3su2 zB(?j%(|B^Xl};V;>ogxjrF6cznFO#sX?whm;u;5;U$f#TI2eZDV1prpqF?`7=fD3$ zuJ{B-7LR@cfI*+Ft>1wCQB>t71eq$|Fp6Jv1NkmfgFlmr;9YkRi6GlPcuag%d#={t#l5eHsDVzlcNE{5)u-a)<3->!jLcI=EzQ$p|e8yQX(MU zF^I}rPjbi{jeK3_D>qtxxXk&7EFgFD2My^78#le-vj(_aVHW7e{8&k+@Qnq`i>t)t1`Alr~Hoj{kIEjMR0a2`gEeIndLKY+ABdm z&Yba>sjhPIsB^6V2eQ6jEYswT$bac!T*d!=Z7sSJ?3mr~~4a7gU~g0MHp% zA*01C)u`f!SaL>6y3jJjgl2kr72p}2gJuu8^+vMI?j{cC<30E;VOsX)ux-9>3(>eM zYLCE-ei)65_zlG}9LP^e9!slP@XJ54Fd1rJR&1dKRSITtufmoJsK5_Up;)oDM|)bS zrJNxq16y(a7cZ`|IF+6x7dPV8ngEe$0IG#+mERqGE)A7fv;ee987=bt=_7(?FAsRV zE&WZC{ypLSU96l+&yoWfQfiC-6?y;u4>@7-E8iEjSqx)nc(cs?Gp`8vfwfMJMaDwX z=$ZASuYAu5GHn8g$+J57aR(AydbDn*x z?d3Opx8%vjR&z|`+_?QHWEqV!U*je|%wNcD9^Lg+SKZ81KTXV9Y>!@XM}=shQrv|p zoL|YsZ35O&B}7~0Mj!Zn1;k<8a`6XcD`F_lKkPRv0Upf|>TyxF zCZb)?eiYo)mv!3Rt(4;GSyV(34G(o{LJ2vgdx7Vesd0l^L5&t884HF z%s$9d1y$e3D%a5FE~}S`*cgJfmN`#d_D01?LwwhoG(u<)3!sYYg)g^(EPpWXv?tm- zj~;vNsA+ojamOR@=Ud*Zu#BtKXy5NUjRZ2GZ2JgAeEN~AA@|f!t&!|zCh}$nubrCk zvXArRuk@Lz5y|eynO%8}0{BZ8I+#_4C@%C52UimXkCxGWGa}Mw{~u-F8P;Uht*x1$ z0ThWeK|zWQLzCVKD4-%mY0^QZNbfBm20@Ujqx7y)q!%dxLKRTD^j@WxfRq3M{B~yE zdEYtbeCLGu$Hf&f&)%!t>t6R-kA@Db+zzNyr4N2YrFQ|Cu7&9#>lOYym9oj}Q!OUX zn)HuOI~Xi|FJFEqew5$@qt1vxLe~$Ldr%820vFTV$G^ZQQ8EMjPlEXV*(0Ask0th~ z2Z;9`MOA1YR|5jh`1YNHL;Wh}J42rxYz`>2Z=gM3l}_7Up3@z&UK=|)Hawx!RZ&&j zz5k3nNnZRT%`XaN9wDD0lT9Emvi7=5OT#|W$saQc`97KAyw~b4D12iuU#0lw1SJ|F zVw(n=lGy#0zHl-w$y)!RfgeuZNM?72Q}3U2hB7`Q?NYPUFC4)bkuzlM?p9Tg?PqGD zCQ<9du&MLRjImTRdWUmrRlDsAo)8!6K-MY|6>QX)^o9v@bAop0I+r_OHxl~o^pB<| z{nJz}h;ImR4c0r#Nlk=7RBiO*wwDKfR|p7Lbr0o*^%(rka+w&ulmhNR5ZGW2o=APd7>Vu{x;lomh|-`??POtmdp17mhdCVATezBy%7|bbndV+Kqj|C zuF6!s8x!3!^dz(fxY$m&31Q3K1IrTQupb>IclpC+{;%|HccXe~9Jm9BwUfK8h%;Qw4q45Pa7lm+nicc~j)) zO4y75Oi+{6cZce5_Fxl`f>xtb0H|3SR8Rc_qnM@GOiP>JeO9ys}-on6PY_cey_9jSRZ5U)IfjBs#dn6 zW%II2+RfME-sUyb$nvE72V)`50Z608g)jw|BP>YGh(-D}+IU*qc-lU(DF1wbGtAX} zRh(h|d2JX(eR1zuIi|SiZ27jJOMFIXg#5%Ts4LQmOoHLRD!*9?`QbdA(Wdcm|7TXx z=kRY_GGPeue!6HFwR4p1Jgn(8E48Q`%=Cuy!ri3~T`U!s;X8KLZ1u@5#%sYE<7fTU7<@!l>1c+rk3R|(X{F?+$N4$>a=Z^MF7M^_+?R8>1h@?0+;;el$r zDJ3N&-wE64$ECg4UPaN%RK|gvy)syEIYHWqEmZm5*vf-(ct&x}Uq|;BXQhjO|4-JP zBPGc8hA`1b;XOyMP@ACQSoGo&&oeHT^hxyD`K^W0kHrP$*TW`*0dzppkmZh)#SqOO zfQd!GLB6tCJlY7)pGWdqlgK7sU-G+hlp^`|oi)QbRaxk|xB1d-CVeqJ<}dic;-v)M zyJXP2f91-*j^(Tt-%-x}UtkWIEC%uZlrGjb@Aubl{%vFb{ly7ZM^K5`CqZ5y z2;CrTGwBQ2CkgE6TqR@o?>@EplzKhvm8b#x#DEYyv9UP;|;r?KfM z|Ek*r1+T=9d{w(F#BP!0v;O{WpKIy+Oj=iwGE3IKN0=PzaX2gA8ML@`-0b&6rGH?T zu@r!ojMd7uCVh#>SCEz{o*1gp;5Dpk=%K07P_f3g%N~PNw0FC!O4<7X+;{dT4&ZJU zWK=@Zix~1gJ9$|BgT@K*L^`jatAukNGaljF02J=b3&9IBuvxE<%}b+UQ^Q5mF@nO< zF^yNQRGdK`>4g7t3rsw$&+{hFXG@X%uP4SJITP49g_o<|1&DGvL-uF241p}L#=EeKdiOhOk3jz#X17Du>wrE~NH^WZ#Yz}HLBK`kC%PJMN z`E4B0(EE|(lOP+Qy0s_})itvVtKSvv+tL4;IfJ`?8IU6%8U_b7pdyF=ikNqM)6bE- z-~Sp8XRmaMl(y&}0cvNYBcV9?`7sbR`iju88d88RRK9NTFa}OU-U18#<~$z@Uj1=V zlyRN^a14{$0+5J{PnSIDkC1Rb%TEkWrhN989-=+&bpkyCQKd7t0;pH~V2-tFWFzh< z_2l190qqFgYmVtV!g3GvHfZb<4KL2 zg9>T8-(>!aZU5UE|JNUqu|Rb(v}7Yh@&=QkXxLbACl)p?u*ktDd?V)Bfh?##B;O@o zms?&GXAiXN2;=62kbSuN0+|kw(0*n2yfAi`821Lr@ zYKr9ThiBQ#xFI{`F8UaUqP`p-fd2QwX{HyJQ(L-az2IirO>mcR1=te@7P9qThm*bf zFOk5lOz&C!lP%3PzR6A&btt8R>OYd|fV=3WrmoQr^;RQ24QGE6Z5|NN zHOt=01=$H%B_h*Om3tr4gYp}`vpW~$K9+Yd`*5h-uzT>w%{3rgY~)9wFu{k$qc1hP zM{|brf41=S|Jp4&(_ygxvuIf<TwmlR<^sJ);sA!kTlw2Eu;Puo`*=5TW;sc9?6sfBgrdh8ZHTMwc3hd^J)slhG3-&L!^Y4wvG@bpCYikPcMj`BX+=_kXI{vs^tlTF!&PBjF6CUSV_cHVrAK+~ zwUWttxr}{b>X9aLx(98lTJO7(_J3-eg$*3$1U~=da$ZX%;O?j@_3(k#1+<3m@TxZM z@L4|v4Qi`6YSqqHY~OOWs`0SIw`q1wJ&Jn147tSew7-aNH5_zq*4e*2;CtE>{v1N; z)_|oJQEcwl(-38CZxKb$7H*OZbkC6$&_rgIyCC-!TVd|zs?Qy(f(-;E=kO~+1*NwJ zh6IP6JDrvNBj^^)5ii-8}xgE#ta%AZvO2baB)#tYb<@ zLZzZ@=}M236N=ewuOdVMZj~V8#);kjStY?eT-MQIpFM@`Eeq|Y{>w=JTaf%K7dRIq zjkMkJJV-uz@>vMV)%wnhtP|JoD_so^d@eTK4uNZl{1NSI{WlYG>WifX5JA{5Cm+BV zFC?yx6x)G2uy;dWCsQ6ZeA+{wa;w4>ce^QEnO4?(<+M!&Hj%K48hsh@ba?v>VRs?B zdN68LCWKFt;}oB{R1v*L)R}5gyR0<4pl<`aTE4+?SJO>w6`zgvft!iVu(pHD>;)5s zxnznDTU;S?%9VM|We17mMbk};#U1y|Q~j^b@LQ2RKG%d))$AaJ&(Wsd^r}64#?4k5H#4;SHc5az_Iw#WX&xe_j%`?l|;o zHE-5)H>%$Nv%4FGt5|O{@6SyKai(|5JE2Mae1DphM9IhR?9pAUowR6lLvU=@-6ld{ z{wJ-qv68cO&xS^gH`g}U-7~{#byo5%$%cBL=1qr0V$$s*X}3$NGAhn1tQPfrdY)f? z5;yv+4?O9iySRps=hByJR=gjQR9;e+wD7xi8tV|g^PE{Ch33)aFu)R*zsn?zVUq7a z#s`JFKDw@EMZv-e4LeVU+;%L60JA5KT4?ren^xrXH$4|dm*~QRh~&BRL7s00FzU)J z!FVDZkV_6Tv3457q>(*sOPxa*&|HCke%NnZ*OwT1|JV9s8vIm69`3{J$Z=h~=IvK9 z*FRL>JUPZ)Fg2KND@EBNYE+arP^CJ3A(GM9qg16msUkY;;`!>~%lL!Q+|iD4yxr1T zecFhgOTHEdsSEqc-5HnWsQOfzlv5+0*I>zrh1?i}&}L9fElTm~mGt`Q#W70&`@r*=8d%i(!4Mj5?Re zeEgPnSINrO8BSZWRC!g5f}bC=xc#Mm=hD{hFUZoE)3d9*bweueXahxyR{IE|ilduc z%eV3f+bq@&=H8=P`x1RW)~8mP2ZycZun|~y8d9u0nu&aKdvmiVLqC<&M~_34soi%{ zs-Mc8-&kdnn;a9DmS(1As6{D=LBInNtJpq3Z56v4^}|8!#&L5YBB6s~Dr@OVW?T&f z%Feem7vK}`cp{oRIlg57b4X`N32mau8?AvyGCVy@H?jx< zwF@SR1K75oXq=CTG{d9n_qd%rgXw*Y5~nYnQ~128HaVLMW~p*~*HNa(2<0(;5IN=c ze*+YcQ|EpE+64fzR*fW?=bQ(&&SjIy zBv|=EL6V}%FD^Z+xef!a%a^z)Mv4i$)-GC4-}CQ@_q;q-W$Q!V$Y^Q4V?3f~N`|N! z=sZ@%?@JbbF)pKP`X=}P{jjXa(KF zVhRvtPwA^u5sGVlszyG=2sv0a?1Ht~j^Wa^Tj8kSgI1wt3i4sC5g+9Xn45J&@G3A= z6ZLkdLEybqO17zgbwl-29UiMB4JmlbHpP3*OGAnrHG1xGVhx_ySZ23LnJQhxT`0n~3|Zl8OH7MH>A z|L*8&A3RQ%gSgQKsMVyPyy4}e+ti~&!c2E_4jK?`~f4^ zxA4I{OCp3|bsnslY@Y9^O&guVY&*k?v;&jDr*;^|8{gWFiE2wmvN4y+QR*IwW+!^mgs~uRHMT09`WyS-Y z=<)Yf9lRQg*ylzFXMSb8!?x-?j+hN1fU4EidhZ#hseI=nM!ePt0p)s_|1Ne|?CFSJ z!AUVios{=tR)QqQXDnht;heUT@r+~%hJFCZO`HaNfIbDaK4$R}xjX|n%srQayzxQt z_!HWvdrAs2youzIFCdRTRQ%CJ18t#2TfZQ;i$Izqvp-#;#h79m5M-Q+IWd@U+lPEM zPR9az#s;xCUhe%w{G8pan<+M2$Y*aaYXK$iu8xq*&n|9G6p_m)_waIXeaUdakpZna zOcnklJ!CJI&oQaU-SwRVPCmiZ4=ZGH2G@5}l7{1}Q;JDsQO
g^<2Pa7w($~-VOJ9!FW#uj5gMcz}k3Jt{ zq?OIlcm$pm=(->b#5;;Q>au+i@~%_o`ESL%i9l}<%9Y|&m(jw5U1^}0gBi@ zn-=`RJ7mR)#-{%ET|4a@+NoowN^>ILU{?pKZ>RFif|L9|w7q#a6kxbEUMfjhN|HTM z)`;wTWXZnoONDINcVkF}lr2QEWy#KzeVY-o@9Sh8vWz7&wlNID?{%*4eCMC@)$h8_ zb^dcPX5o3C<$mt_e%Cv?j<69O2L!E5w&)dSi`RADho=ndg)yvu=71oqa8HfL6)c8t zX9?FJ2eykux>bu~C>F>3GJHe!+6o37ijWc9U9U5R}3h~tAR^m85d1dI{RNPA~Jh~@6P;JfR1 ztaZ&m9D`49-C>Ki5f~jvRZwA~{~TkelSp(=RGyenWJZnnjGM~U8;fsu1#5X4ikEL;*&WXADpaPGPKo}< zak5~Wbh-mvm0NU_fNqyCO^0ZJI=+0|9EfS0-~h=XJJfaPeK>h_fd5M=E_QTG>>ME_g?@BX^^8Y`YdYz65Tc8Ekk)17-;C{jwL6_Z z(b#`M){`1G^w^^)Xejo|-&vW1wU0nwX1#TPW&>9QRfc=SC5uLP)9o9b{3#W-?s9bF zdl|8S(0gwoB4n*@C8>;aZ@>fU*-*p6vttR%a_5@&wZu%}WF!K9M^&zmcg~d>Rip)- zba42+#BSx}FTDjJlf}Xy`>~ZaBVJOI#|BdTozT&Tk$5#mxoiW#^Ti!jWz`gNUE~d- zg)`3k9KNabVr)+{v}18Iiza>?S67e;4X{Ac4ah%r4wAGV8O*pBf~~$0_9rJi6(Qzd zCZ#dKkV{&`N7z-tOZS`I=v+{rY46M;cFbfUGKh)%#=nSGqhDqdI4!(7pejpoJ*JAC z<>+3%1M)#yt1W(1O_2#G zY@BiHrl@xJ{fz{8+)7|`c1{c>ot3XR`>Uu ze2(|)G8t0VqIjEb1MX)s-JjTYUTt?=6rS_#=^C(+$%9?S9d66mN!6oYATW$k8zE-j zb;nN#vD3l!+cb^gs3%NX3QNc4I$D?$sWAuy=Zd}i-WZNXSlctJTi2uq zihhV0kXbu+Ero4B8>kvcQemnw)27p2bH7>&aYPyDkpdv&2^aIKu;40&3z1cns;x{S z9C5Gyi6r{7Q?o6zVs@UhR{witz;u<%G%t>wC_d8#);6{0I@2)7)Z=9hQwE!g0dz2( zjp;YKKPbo}OzEH!!m_-b`5QVwn#ksz$G7^`U_t>y%}9|6Xb(0e^AJEtyiGNOW15F# zyu4&_;@>XjsggC0L5o&rIdEysKMQ!&nh3gzHOhx0tkxYj5FisZ~@sNOLq8?7~?pA?;VP$=d~?s}DfMLPYH-Pp$3jsg}+P9l!-FnwgWM`-Jxu zTjg;gMQ5Q5gK-c1#!XuBl(nxi>ML(P+RtEHdBJWV*KzXen(f0o-g4om{Vs*)DnkBn<8!;4Ln&Rs<@&Gb1*ZWlbwmzlgm3*S=~ zkc{Zec#x3T0RJ>q;}k7~S@++q3nOjlO+{!F(S>wxZNgV<$SawPkWKOfyw${XSz{t! z?6E-gLLmQ$&VZj)I@^+`NNmlf%)o*izyTX)A=y$_`n>AKaX!H5SlGSX7dS6xsa?Xa z%T#a5K%-$t&*9US^@=(z`0UtwgTCW0=+AAmV2LSHDnq~)L6&eh;-nJI^;}a9iPj>T z72R-MIDSDDu_?38C;SDWT)3B=6~LfI2X`2%pq4kf_jwsNhN}CV45FfZ@S$k z5MJt#fu9nD2Czt>#y4$ zO3n63$_5-odAmrMVE87DZiF0rMX|2WI#@IBz~qQ*c;f)&&tvPnpjZ%cy0ez7f!ZJ&hxMhbxF=nX(uAGbFH-Lq&10>NWw=$~m6&PtVmHt= z=bX&^=gVt8tNqz7wo`JDSCV^Add~({vARYbG~X48s-}qsTZSdXo-D3&y_|@GTlp1Y z4Jq!71hf^)bU@(N7L0*bHoqrDr;!ocb%FhUzdd6buW>VY)`79cl(_I5FKyVQ?I1o5 z*rw<2SxA(5tOimz4P%vN%qXs=JMZgxv*aMt0zcMwkMzw(iF6JmA7{HUnmd^6y0nz` zP0t3kzX}LxNnVfWNA?5aI)I#$0CeRMF|@ZTt+wk$tU`0XB^?ZN9vWy9dM~6#}14t_ww`m$Ut|dzy=ok8e<` zZYVox{`~I*e(U9rzVm<{c*hXS&%VTSBSCM8{Bh{*x;u_<*0G2?k8d~lu_OWssyP_0+l(yX;P8bILccGuvpa)Tx3CO4$}U zurp^uwtt&i3%T^{>$dum)7K>+e#mv`3W{epzEQ^zFve_DZ?kT702$FbfX)~lKsRn! zlf6QeTA71q=QAuyP7q18b;8Rg1 zZ@74xhqbs)fu&=;HJzlNbkNEhsUNFi$VLyqnSzol?%Htuc?D#=gupV3($SLv_3b+J zAYoE#{&VVzUzUxERu|wNEiR<=SR&(3nB-)cZ@-jxzW^`=9!;~c4+=^kqQ*5nlhwqCSG$FWg6bJoT^8+y#lQw&`w(b-M^^91jx|!(H2USnv<_LSg zbQO-uhixpVXg9Q0iICxQ9DAlSZN#wARsRX%{yz(}y#HnDA9S+=tU3RNQU1xp`x|t( zsrLgX7L?#$$DR7`+4Y}q`~UfQPJcj+Ai0WM3fzy$`0%f};IGf~4>9EF@6LUdKYswR zQu|K-&-3>G(iu{r4HGvx22mb`h{<#eJd$_ci+`1jr z(LeZ4O7Y)<>R)tZ@VlF4FVD!r3V%`m51;2BFLf*J!tHp~cy|^#oB!p5B>#gq^zFLm zOfkg-+5hfmIs@3;Z^_Wj5B|;M{vQTIBkir11LoZS?4SOJpO?(}RDVTSwb}fiC7A#B zIsHHRWR@I29UQZ+J-+|TFGTjHRQ@M!9og!;d4=hJ_}BSIgr7Ot-~QwIb5cJ%&hXQD@ozrUzX_0kd9&2BBwc0JR9KoPyMK8Uh^m@u z`R{rMcc9_IR%{ma{!0CsO zl{n=FL{5>bfr*yGc=iP#!kHy67)tmqCjOa$n)tq$;5;Q%UtWe{I|Xglb5$c7%NFvy zVD-Km^+yO_^%toJjT!^6Q_&MKhDnkekP6>b!~%-D`l;q>Nnd)j%bYQpA7-Q|-`3x??E*OcVt;bq7TYP2@DPge?SDwaAI zm!*PtEB|=H-O{**IyN3_-KH`yF23COc;`QDE2Ixsx z3)AiTWLOemc4i0la0qYqjDKx-x2s++TVpg$Kz)2SUf5CZ)TAIy+}G^?aJCcfSRY-x zPCjtZ@*K&;mAL%#d%8O?I{K=-@lLPOR`zr^Z99yW)3xu7lUouRk0e2qgCUW&6vXh^-44EWa0H z%t=_!4ml3%No!#|H-PmgAchWJCA0-vOHSBZKv(h4Lf+$Kbg#&3!8sttj3y*;hoX+KDYVe9wt>-reoq_4b?OUN;BO zB8U!}Q=Xfvkvfk7KO14PKV6^!5|b!oM~=sD>vQ&ZUqwngwhdPaL62I_AI>fZFiU;I z7eF!~75I0s^_JBKojZrR3e!E8#w4oHhbu>Q>f3-mc|Z`VUERy@^5sO2ib*G|LYblZ*2YWYAI%BLjeWZwVX2_bd0uSYHx`BWk7yQth3c#h%C0N`8Zp$7kF|r@U;z7I~Is{KEzSNZHP*_mU2Cg z=h!OJu1c4f=cSi%h*=2bz8u2B&9L|MqZmOWegcqSJ_pN{fmN8)eI=>Em+9MesT~Ik zs8fFyo-wzI*opidhmMwufC0fL0LLZH;GGAw81!h4+RoS%f|HMS_xvVRclcUt6L`Tw{oq6{+PYfP22XGl(zc#AA0y2zJ48sb0iy_ zJ04j)gr$qPOdqkFYW^Thfob)$4S}>yt7AXh%5^8y+Hz0k_ViZ!^{lL6-a#R5v)pdD z^xMwHM4yCNqB$*5MA&)w8U6n6i^o1UdaN!72N{E{;~%REuXWkN5EZ;h^)^&@*W++j z@ef3NYZCACB2cqwjvOVkO71Tnxbh|lH=!-$_4~HUYib+0sX0DeP>4jpc^{sSUn3JN z)e8F9vNO|~k^*OH{kO`~WT4Ho3PE}Z%SPq)*nQ#t0L9&f2s86c7&6=^(F|{RgF<5~ z&%#rJ@A$|*pbG7;GJx_zd~;fQ?l|S}Qmi!+?_%cj;?@9Sw1s(lZKL_*2pX}{$S=FR z8^S~|(aSxuK7#_jLu!Y2-Tb9AVAWG#p_QwdJPF_U)1|%$_I3eP01XI`J@IfUUZ)8} ztn}SX|8Rox_W3tk|&B^g8Ta%QA)*bUxz z?07s%EW0&#eO!GhFE(%kiCqw=#}rF2-wdia=e$3gkD{y+8#>g&C$2iwq!+vyv5!OJ zbM_mPY1X`)2JjyccPFK#<&7GSzlG_ydG%u!(V{wnj#=e{V0pZjgo*p0nXgP~iL z(0gl;D&P>a-P}R6+bA;~cGHm>dJ^e=kN!cv*NYY4!sTbpsI0lM;REEB7Ux7R(+#ZG zV{m@h%m;o(9qo$~A6PhnrB}v#CfK^OBFu27iScfYG4I9*POZbw{NQ$W=;xd~IQ1ru zqbvdPdzJJW-+FBfGx>UY&;|q|%kVt=tZu-Lee&rpzNaisnHYL_SV0IMwMW#TX(*?{ z)|gtjrQohB7MzfN4ZWflYyrz{9dd4!p&T{O}^_ z$?}+z2|<0Znqx}TANcUVONT&_t51f zXHK!@@)jH%5y3kxj!;XU)r?kL>QB}5T)NZ`zq%m*bntB~L}FetKiIE(=jrAZWeUMj zETeLCBEvsM+)M0n8Ykzt|3NDX{dwE{c)IOoe)h>@zB=B{o}CEdkk~LQ#A)U2u{nVJ z9Pyp&p18HDl~jr07?&uc4#|EXN-^!b8B4Gk6a$tJ$+LlKpHcYu7Y7i(C>IjTFLI)m zl}?pXM*@M?bp6(ezyqr5lzoZbBgWs=lrJXFQ3W*Q>r@mdA+p5um#fZa5`asJ!>g3g4+ax+C-T-dqB~8 ztB~Isayt+kx#hcN%&#KpSpu{n;={3|m-r5RG)kHw5tK{`(1zH~ewV{(>;y29co*)L zSZE^LzIST=0_Zx4uBD_scx#xK?Tf9kNQCvS4Aa!Q5=yLtGBXjNjkPdShDY%-#>*!X zwIp#u_9Cy(GRm4MV(Rl7r7d!j3#{+IvtsY)3x3SfP@{dnp2{pUYi|-SJ@l)L{jo)V zp+)nP?{I!^>vXDVyp9OINprngt@xt#2X#7_zb~UG4v+;sXF}x=0jtAyD*Y0PXljr2 zFNl6vt+Wj<;j&|R(qDSG`1AXNc(6L-2BiPPibn$zJirdf^J2YLF!nM%z_Y8wb!DCAwnqkJuPscM zHO#(Mp-Mkx6Ljv~gIHSSe|<6}t=CDL@sZu{hK*~!lrtG78PHX=WsizVtcluD$0pQw zsHc2n6VdN=*{NLbS)i{E8BTf!a}jR)%^i(?zx<33@7D|rSX51sOuv$UAEX~mR;_!E z;ba8Ux`!_`sjl}^O)9zqZ$JQhN6z?W>vi~GfASDgzIz^!7O&!S62`&m9}i)=^xY?xB#A;WPd%G@?@8%_midAq#eS;|IyC9AOWs@yuiKh>J$$o zikCG&%h~zPo&YWH* zk93+q1V^!c&(lmcLzqY?urxJg9({kBiutX|ZN$?Qv^VqZ=0iS)+d{b~-UmS#KQZZ; zaF_%2cx#_iq&=59%yt2Jw4hlXi?;AZDy7lC(#7}Hd=(QeSv zC3b4N_WiKm>f)0{z&iQnbB2w}(L{RY~h7?Ut>dhzC^eT`u3qlo@}f!rC)qrGbIYQJMl> zw8|lck$o1p47A^{!${Cgy_kMM5X_rp>#7g&Rk=>l-g& zCN^KPiW0nkk*?Bz&TfdhS%+)>enf4Geh;aK`C6Lpxv_Uiz32>;ac2{ecIUMZH>zfk z%apMcjT7_Ng3`n3wF$LNGMVM1-fKTi1433hgl0rI>vd1&qlh~6uTwdYGX3%~no!@WR*zTyYjobw_f24f3kc@RjrDGWG$vhx9YGLud%g8jAX zOReAQ@VSk`HlK~L;FkGWGlke8bF4c`3v10!2uSqM9P}D?UmtiLvW`f;Y5pb0XSQn1 zFrIB8!>1{)#Ex)Ky^=h%J!m;_;oci<^mA^@o$-~gz@JWn;fEh@FsYJQ^sLquuQkBM z{Fp*>LqgOz(sj|`(5T66C6S%@cl3e7HI$5)d4~J%*aF!!4+%rm_h6hH=1Cr~rb#N7 zU`@^_ldlOmnY5!`ycegathMUG_kN)L!)s1kz?!xL_Jf|NjhS56HvUujVHBH#L&wiL z0mdE@$3#ATRm9PjC3}#7&~{PdG_+*ev~okU6~9|ccs+@*L?sl3P1U|umF~!XXsjN> zxL((ZttZ_md~YZ${^Hk9bV(jEwopGm5zq~s+(Lj2B>mo`M#F~YDQWQ0xq*`Ghvx|k zPeas!j7aI+kCN@K2vm32<>Zp(dpQ41)2vRtDWu6TD`bF!y78>fO@g^p~>%mic06t`bYJWsMLe(3UNxjZ!t>D`%?nu?|9-hATHfJ@#6fQ zpRE7)<@=`cldYr7#rcN7Zm`-D6oujE(zBaAvUC8=N;L!G^r=y9*TzO1$mo(p(^-X+ z4yHcsZt-Sk1se@*!Z}&j1Ty;x<7SIvIiwRlu3ObX+w-0_hhXaI;e9Q2v**a=N(fQ$ zlxGfa2!~(i{(y9a=+hqs`vFqyTF{}Km{pnO4w34UqkNWqfRBU9K%O>^4tPe?#DYEa zYpV?4nuU9ZD4X@ZU~dQ(?59q;bDb$t#eC+62XDCe5<)+hc`hq-`+(Jt=mI>YJH?dKU$O3&Nq;LvGP z5eNlZi1(P%CeupEc3jVU*Wc5R&fO|G70#~WeNTm0(wA05tj;}iN(we3#icq$@U6@P zmN|a~UDG{=UHL7`TWQPGh|HO2{2+3)akVGc>T8)NFvYQH1({iNGHX~hLG&YUZEe28 zkB^4J)MXx}=!Glh)zvjDRKVq+s#|)4vUkjGQv3Zyf@v{LpAFzWe+5p>?FSAzJvR8g z$gA=WFRrWGv<;(jpH|u1oS&m)J}J5Sin*tZZ(Cu`C`I6Il7!NGU;Na-S`n)#z1NY7 z*?2WlcT4-pM2q2GOkkfIunU->tn>`Yaq^{Om?Lcb7V%Aehb4(z`p=L>G`+g!8v8hN zS8Q2;;aNVub2iZN-6N~IHQW#3={lF3vqIaY6Bw++q&A)twN*$3qgtNSITu&#{{|K! z?2__l(qj;ly?(jxk0dSn{I%A!NiRwxxRFGm9#Itik_oeFgm7EAe`n_JTTTwov&ayI z7(ymD%|V@K;J;G0!570;W80Hi_IA0bWc>VN|Ny?g}vWoLOwAtZ>%yX+jk|rcC(u5t~ zT%kv{if;>`PWW9|Sf23he9dZ}q%wLS=OuF9dvSCY;oVy8LB_Fs@a)+q{gt#b_pO36 zIEjShdPUFDe8Y3q>4aGaTtKmm7QIcdoPUX-r3#sl-D9_DDU+u569{R{6|P>X$5H<= zJ>Q_Txq?fsCS8E^`-lj`>>K7~Pp(o8>@dk4>7Tj`o>G257(}in2X@u6t){)1}48>8t&>HeKPhOPRl{WNi!N14fn`&UA zTE{ZUZtMNu#@-Pt#E-<@2G`+nWZ(M>4~^zH)ata#jl1Sjo&fDhs?48ZxjiwJtCY*} z_-o=Lj;m}9e-0&EkFa&e19kY`<+29@@SOlF*fIVnV@VnvfP$bi0**0$|CP<-AIo2O zJ8kav&7)e9f|tIE`JHUc7e2he;YU9GQP|T$fkCRE^3tJ>m;E-6!U7K(q<4N9tH{vcQ^^9>MK3{R$sVcEk^L?cPM=OyOvjwP^#jM9&KWKjnC&#|_FnDm>UwL0iST zhk8NlWP8%vs7uzAn&UQkeIaVu!%AyjnAw0q`WrdY{gA1k|k46pHxMD zOdM`Wlup~8rK!*Ra75B`1D13Vd($;2??zMM7jMjr(7{ETZ2K!?5|8fJ`ngUC@JJ(} zj#C@_c%il_o?Ere%wxOa20Cgz^|4(*>2XneT9Z(nN;LHm z@PF6JWb~nLk=uAtj3EJ6@M>rJFxaL0 z<@%m+sV{w@r#d$r^$r$HJZ9v!_x3NeN3ya`=$50u zq0vo(I*iw|q$9{kQAOC}`}Oeewrn|CtIvj|Vi^_pk8(bi`yttEn8Vb+IBXqxT2D<` z@G_M?oM~sMk_-DRS9Y}Qm-D`M;KTP1Eu5k5X{V8sZ8)V&IGEl)l&gm?=QnvDmO;+# zNabMe(~3^Nt{;QGZZI3enP)8#DZE()hXl)Qo3-mfNXgg!-=H}(HrQqo3|^*woILBp zy8Q#ezCAmo9*^J&W8K2VVphe&&GemY&I;b*jEfrkmlA)f!&M;%29s>BB*UcPd%RO zfy5|PcPeY&zQ@YurqX-5`%c>L-@X;rE4I1-Zy>J>Ea|yvc`-W+@wUO?xJsbXjEK8= z{gXgBW-?eliJ#E6X0*LLz{U)z9`sR&{yuVXeT?V+6NlJK^?Uii4~}DDla6y&bS?Lt zy|NE7HAkSMvj9CiBodu_flv+UBYSFK{ik&1%d_E&Vf*7ib;M}Ai8{7XW-e2*?nwST zLr2S0MReP-&pPyNs2cgIjbR;zdoFZdA*@e5|Xk^^>^k$5n z?tkr}LyAyfFFe;c>J=|=K}tnWPAOb4ruDm=JhO5`0qbJ@N8lO;8>UlRbA#Nbasl!+ zc!8(=8>u&g%cw6u$T&}XvC9Ldc@Yhs2Z1xbO~ysW!<&ymhdBz=31I1MW4HKiby8tQ z?vpt3iX@UzzuF z`}b41y$bF4e9v&UCRF#VrHQB5bt8IpRP|Fd!C^2VjiF5qqHv!QKsnqa_zt-tIOopD|nY&fjmedH>Lg}Aj} zs|(^bLkh>=&^a5++DB~vRXCH=7bQ9U4qObukZe#$=u>8n2@BLthIu9+glU;XvNP!e z3&kcYuhM=Tmnc`f7~5sPgBZy%m=|ij1Q}uB9(&8!K3U)h;B&RkG%==S>d3QS6)FpC_-LFlf!5Xzq|5-*{u?czioZpi(RU}!5OxjLgt{9)fZ8dB8tz>OX zK~?+Hd}nCVL;^m{Ch^F$FF7^LJ0N? z`<4>^DW>mC49%44X#qVaIHU5&PzUKDso-)+|myYe~Qp5(N! z^4#n&b9FK4atdEssP2PAtux&J{WOQN<9EhIMux2PV#HzVRZpKgx%?t7i&bZ2MON%D z!tKsm`>aA>i(Sd=xn-Qwq=ySN>q=qlX6my?5*+rJ7e-w+BqRW?Q=Kb6GW*)1Fmvv) zR=O}cG1v!#ZpJYfkI57a^!nvNvz!^WE^O2Fx*S=|?qEaO2j1?h>?59ce~OKM?dE1Q zQos#Tf!2Sdg4&A=F0-`{X470Z*6tA=yNy!aBU33U$*B0H}#x9ll)lbLneZ?s@TCy~ckgKA-I%wz&cbIRb32Jo+yvod!j zm5omJ^UKc7>`V94nJU*bS>R^h1j#FkrUpAZUBImo>Yk$b$#}`yM?HO8`C^D00a>751avk91p~^? z6IBaeEb2VRcmg!!zvyEdqN{k5jzOsNjWX?l>p1GwY0rGFk=L>uA&UYfnoco5OSk9` zMK(!XiQR1PS0jD7{`7K_ng`FjZ&fiGjQ&SS(6X{+T3kO;?lbN&YShK!km1bjSdPGR z6tU;^S|M!LF{NQGH)R4J-dWHZb50(!*MFD>?px48`nq|qqq=YYW~v!rbbft^Gbl0A zGx#C;9!oMWnjfP^S1342w8kH<0EJh4#%r_n4eklmXgr1faH`ke7u9d7&z!*A9pply z{%+KMi;U!sEB}k#`Vj2X(=_nSokb=J(3RGz#VBZP=Z@Q&?}cEtm)&7_%iSTWYmDpU z6kb%At@?`dlsAu7#NncvpM|%v6$Q8uogY^ozEIWqK~x`hiqL}h&ZV8FA|Lu_KaiGeh)Q|*bVN2tO%m@)pKa_- zd}<7s@z~rJg%Fb)lGfWbq%2p_?+?B5_>;iG$|UuxS*eg7c8}*jhL0UI-vh15Y#+;< zJoig)rkGlM?2fBWlgr8z;^$K3bUmexjC)b~0_KgA1>C)S2M@DB=STK&CN~s6oK&VwCsUz7k9mKNWRhqeNzAl?t+!Fb58Rwj6P0`~OgPgaLjRuhO7 zcCoGz3OQq~6uA3%j3h_?wc1QcV)VeS?1vAIcj7{%ANi%dV*vkqt>jtSANd*WXVaD6 zlV?{Zg=$xS1a}*m+P#y>Yd;L<4(|it(ci`c1*;!h15YhZZrxpkg77Ngyw?ytMpSPI z6-PR$xObhN^)f)Bx$B3rMwvDV)nyh4^cN|Go!P^RcTZ5ZpS(DMz+UY4iNpZ^Sk>cK zbqnc5wkg?qW%0ZQFZL4KJeRu1{13mkJP4(Fp3*G7#MAIXW}U5aFYx)CL7n$jIZGvZ zdJq_Dx3_bFp;@i)XmT=pj)k@7Y~vOxuCcPxgJgeHX&1X$?{RP8`4v&8cZ;+-nQUtn z-Dc!BJi=zo*8LmrQoDM+m6wKn&~;pz=huub3qE+7qnmG#wakR+IUGr@O|GP&?o1bJ zuz~=5??2Mu>!JPqbhjv1^^Z->|4|S4K|RRO7p|`e4;B(DMP;mD<(h~`$+NKMGu!o= ztzw~WO$1HWPhfgn!0W*0B`NUKJhU166OGt1uk)!1*Hl6C*nl$EAJFEC5-ddOdb$-` z$AO;>j- zw^LE)M!lZY>xQ}vG|tYfyf{v?Q{Hd{&4QH;G819xHrmWp?J{fQZC>zJg48C5DvW$w z|LK|W?cZ-^v-^iC?OdEc1`!Vg%AF6-T3*cAvOVdlH>Zsf^$ZfQG>=YZvZ=U1n=3m1 z6<->!!g}6d^Qne+l&ny`d0d_qy>j%q!x+__$#aVU!)-T|8O(}&@k>s-ey;&(!rHC0 zl}gUg>PIyxEc&ZaNAB`({#4OFakQ?XT&J~_ZNTSk1EY@+`JV&49JIQ?dpUU>N6K(5 z#)~W@b6n!GH8p-95Q+93NA? zexN?s_Ff zl?M^8e^=l!Sn1ugqQUJw5izLkAc&az;G;1mu5Y%lb0=9BNm#j!3waISCb`0QMUF*4 z^3|2nJD{8xJ$S)72HERpAfBQ*?IJ}_5;(2a_?-Qk&{t?xQ$<^Tu{gC+-03}o0Fe?t zd51${wmCM223OH#R*!2k1|qEIAEobB{1{^A#L=^}kF1GO=-*;OQ!mp78dE?Kufd2i zD_($ShcWo5-2et4Lty&v!kHEt58ppOYB5D5h8+E(w}IRzr@ghoayy+@d+$kFxGXct zytH-YVOn;_mvMr~O&Twy8+|8MNDoFiK6B1w0j2dZOG4$S3#b5prmL;BSp0~5&i*PQ zFv&sy+ZEh;FuT1^?9EELMQ**ufS-kQdT0gUV--3NnKm)4B@ox$vh#9THm7LStiS5kU%7l zy6Ozw%p_m+uk2IJ)c(lnMhSiK;zh}66+t#TF-iLOt`Nc*FL$ne3}IM5x|hK!q-iEQ zC@=I}1N(?)+I+89Xl2!R7`qi=+ht$8IF|ps3uyVHp$b_#a-7r2=O9!K$!w_8=`jkj1*JcJ z#)+;f7|id&QYNc>ma%*9T(RyfXCmGanwe(maC-)&Q4_4C~u`3TVC)&tc=OO`c^T6z796(gT`=ho!WXZY3Z>?g0O?$ zSb#>GlbE`#fthZmB_HBai3uUKGI-G!-Mn@jK^}&xIgC?D2e)NeVDmAGLAzS+B>R%P zFW6ir#m3Rw)q-C}xJ>JU;589<4v*)LtiJ8QMb;xJ!vxK2s-|o*f+TQpqtKrf_SdMs zk4Q~^(XIX+-5vyOzQ`NT^szo9M?rneS?L~LDwuy_m8z0M!k^JaL(|L2#|_d~)a10izFkSZk7TE>NZ0_d&_r6jW)6& zwLqXAao_v1b(VbHwk?u)*Ep^@6t04kFwAiu3Q}f%t6Vpg`}C>39&FR`y)mbc9vOKaJ7)0@{6srKOux35F6|cDH-6VKczgE!2}!eFi~=2%NYH6Kh*iAJY4(YM$8=)#5>!C7VN& zno~G%T|`cQr=8J_pCinzlk=l<;_y>P4CWBel=RTDqZX#Nn-RlZ7V#q1lZDI4!LMbkH5@q``nf-Y4%kV{=^j?&u*K;v zLEPrIz2r-6V%f2KveXj1CYhsNjxqkmCqa)a$~k?A?*=3`Dkvy$_#!dHd4sfU^Jhr) zpFKy++)yNw)WObGwtqm`LGU2X3E9F zBW7V##&~ekIsDjuP|W(6hsxXGx3t!Uq~)$;#TXXZ!ow^NXy~YDJ_hBHSTZT8KFVsS z(=%s3+0|&Ou5^JTfA<;&j8l`zJO3J|UangUhwb^?5BzJBb@qJxbx@fU-bpHWyL!Hv zm@z4jE09kIZLhe30eOcM|J~(x(xcvwbV&RR3TBI%?AxUB#duF;)XZkG>wYhdl1k`t zjsn&(;~P&zf0KS%bN-2q6HnLkqW(cTv^p`QcoK8Xc`CZ^DOPuKoi`<(q0Jxs)B)p0oYgHu&c z_baS&&vLYs-Db|hqYFxt(5_U}k;Hch`XMYLO~m}JN~hDCj*fI0FRL<(y0xw2&|kVx z)58QemDRHL0jAqEv(u&k)>D}S#UYA@mM^}eptVpnSypZM>-%l)N1UM6j>rX0V)Olm zj#zC?1}+8TX;vtw?T%i_}22R?GbWdd=N%cI~9&ZLx>Z&Mks zr^G!BHow)wMs}W}6n9{-KQk=zfv7>L3w!?{n*X>yXT6rfV(^cw$mb4_l5PCfg{`t5 zA0(EpWW1|k3#By|!zNvYa!R!pUi+1nT|7#6@Lb!JZ-kSNO!dBj#x5;X2Gh(JXh+Qe zyqg~c!o3B>n?n+oWnI%$Xf?5AcX-~cgHB?r`hs&C7+!&}{GQ&-)xf+YDNLD5n$u*h zHt^Rs0lO0{iSENI#kvC{FSW|th22yFc2&3E;0rwN?LP_IX_}bG_fVAyR5(x*-kas4p4*y0JWU|j9Vv(5OfrWvyKK!&g!;O1q@FS#fIDm-D z!CdjR`K0x%C%TV6RtEQ0!~fv*mrSWbnm5DFa)s-g-l??PHX9*8zEs?mlPWJhz&6c4 zl9Lx0TM&mbR_={24cXXU`II=#{VDS!cYtN6G`{Wq@}Vp=yg=SJ)4|#i^m;DFu)A(# zC9)no4xr@46#whkp1cfm@YA|zCYxh#xPF4Ol12n2>-wP>diNKTLzDy zski?kiQm7viM#wIq-5r?vjd_%Sbsr&7M#-s{?xkQ##S0wv8syr)UVaoxgClE z9aA@YX|;D#I8aBjcV@Zy)0(*4qKO={fkylMaWeKdpzgbN4=Od?Hotq|x@k?T{i|YC z@_U~a8y|DyM;STV)UGGmtN10?*BA;0BMNjy9P|u>5A0)h{Wq2DZ(4Up39nYLNV@m_ znh(ErA{j|JYyR(N83EN_vr^D$y%%c z3lty0X5DPjJ`Xu24isz{O{4ZbbRVjB!QU(}{oelSP#6Db#dO-ey^R%?h)pg{a7!-v zu!H8mi`SnUJ9x(QFwco4H;JjPJkaNb({w;AyL%gy8(4op=qr7f`RIL6Yq-v9OrcNu z>0Up0h6=12N&B7EuNf_|!lY8rnE#$Uvxa1USUeuruL!PV}P8G%UkPU&h%?m3fmmm%!MX zt+4-x1(Dw#)OD}-p0g;@{_7!b(D%|$D9Su^tW4(Bh$mHmwBNFVyOshh-fa23?`Qo= z0Cxv36-uO#C*!?Mo1PbMc~$!ywr8+(2VWw4L3B<|ll9SZa~#S;xN?qinMpU*Mi>PX zj^DlUwMma4ncuZiU4=Mj#DOv=Q%5Pa;q_;QTPAI>KDI!6#U=+}RfJBLR6hvqZAq8u ze1gf?ip*kgPM)gSt*ZV)V5Rji*cz_1aGfXK7yz+_&QhWZL_`*|COyqx_et_AWEO`b z?O6}3l;8bz4gFF+o8;uU!WvU3$2GK(%&*K@-^b4wYyz(MDmzr+F>IQU$Sv^xAmrM9 zYjrD*zL)Op7Rv$l%}_KsU1UT5FSavE2$H%etG(K=1$xFHJ{IOdHL#G*iVe;l;E({= z7~gTgtK7#4?RCL`5+J2WhtujBygB4o9<+0K9eS5`d}sWZwznqxeUg-N+d<}ZaGP3< zqXmt)&vwa`6=5@g8Qg_wtZ~-N7%Dai7?7bF-m9pkPO(y{&E?AtG|!4>8Hc_5^e`i1 z*OKkzHF9PnTB0@Av{({3Bk)VAQRZo=_n$F^lFa0)b>r)_4BwuQSvSjy5T(w8LRZFY zz-7brrg-%%rwuzMhz)Elkqhg{r-^(P5=PiP9dusIz_#|%57`GC2G}P#;pD%&)9&PW zJxZC8<#iE$WKN;f$2NM1`Yg5Fzd)#??hRE|t|R$AW-qGlex5|o+G4B29Qe1dav3_H zH$FlF>LK!b6|HFs7g%O3@(Mg;9)MfG3Sh>zy@^&>y;=vW$NwLD?-|upyR{1|iWCJz zL6okD1qDPvdU-^OAVqqwA_CHT2}MCvI!ci$2+|3lbOwQ} z&n!?GeTT?T3uXJZt%wk)Jx!j4y?tfG0Awn>v6K|yb&;$$F&qG7H}1%*EQ#*M(FjC+ zy@Jr;1m5i`((hQ6$uNrtB4(m)6w$4s$S&BGyXVHtDTR|zg4f+DJK>Z54$LdR{=I8B zllhg4K@L*ro(f0jFA`UNBt>`~k^Q3ZYqx)zz*Mj#(SbHAUI|(I*Qs_~M0I2lDNVA9s*^K~IQnC}?)hTFy)aWN z?@`2~(8_Qyo<<2;4iz3defl9y-(i`>&;>SLf1^AGTdVxEET^ZU$H$_0(VW3XqhqU< z%RBAHy@;&TY|*Uh`9!&uqigi8q+govm{1^J+^(H-Op@_jbA61g)X?_bOd3HhotZ;( zB`!GZK)Z*s&H@^1qKE#2_-;CZD6`Nk0fz5iP=*fsr>obHOE}*U#Dt-1x!7j zcKKMXrGKnE2>ORcwAF+;^p*HPrP`+U|9Yz*10>QHjcQ3QhFJffg}4Hs(w+ z+eW!7b^lcjf5t0QAL0sVT<;<$h3HG&4w+;ddoWFDnV}ARkL9v=vKA!H zntrhf3LkL>bglbo6^k@qa%4OFn>(4WLs-4~M!vt-${7{xyy}r zekv)_?0w|>9^(l>7Qa;@?_#Kh7NzMxQ~Isys=dHnIhL>t-uA~ya3j62;4C_6z)mlfi!3##|k^oKd6Q1no;_e ztynD#AGqDe$lBfov61(Q$9A#ho+CKSUlz<|i#h^}j@JRTj0^04d&|qM3S;i^-#}1oblCrv%j;FXgG(BFBtv`2mZLRgR(? z6$Bnn*+Xle6W^NO3Hu{A4|w%!0}y7mNMn7JyuA>$2xEZPx7ce%C%-d`d^n3E%XqHH zkX0kX)F4ua79bCo?qGm6RX&zrdC%M8Ipm?fm$i|c0X)xLs;+Fi4s<@M*NNFxS(>yh zRbpyaq81RRD0*^CyPpKF&)XfB+E=Nt_T+8w`Q*bNQJhBDSr+!!D8zpS!@+oYBSQ_l z&!x$|@P#&YdC2E0E_L~0csS}s)t%y zJIjToTAutO{KFLGKdV}|HP~;4XHs-T^V|F)JpZg~I$c~b11JUx0JEj&=mAr>07u!s z+3ROGT(gLQ>0j##N2l-QgJi8e*o2p<>j#m@!vk$5TM__iq_`S%ofa00QcZe*GO2Ne zfDy`XM7J!?-N-0(F=`H5u$7$G@`iq|ussVnHw; zr)m1VNoTG#YEE>%5#H66DC8cMuVZBP-us<0qpd&kdd01RO!;--dNOWT>7HU3C~-^E z%-3qJdP>P%yIf>2Jm&u?yG{?Uk%u^bH*$R!SuYR1bUG6LZ3y}qL31( z--t%Gf`S`puF)*V*CFyH2L?G;8cWBrKy1`WZ^<<>?<>`UW3~m9QAhwKnYYK#DWl#M zl>qD$591{}lR&n3sL(OQN`#G^U3P|1#lvPpS<;a`Z?;mWb%PDuHxNRU_gW75U7xs- zy+!7wfOWb#^~%bP!2u>@XrB+)K;)TWeGJka$GQ(?{Zo*BEM^T#feK>yzU#cu;L%^e zU2>+wn=>_5tVvv;64{RsSPG6<`#$1uC%Bc=T%;KDoIn5sgV1J|iloy=GM+4u^!bnQ zNltE&`jst*IP`xR{W9l0Inv_xC}tNg9pavL5(;gF`cISdJ-#~V^3ciNwioUGW`D@{ zKK1oOFuBt8W^Sk}C^J$KSy*2hU5nkHT55h@Tm+ z8|R}J8!|M-c0TQt-d++Z8r8WrO|GX5Y%`C^%kt5$eQaln;{biSr)=}M_QK}W6o**r zyCeD{kxFUjQ%2C_4~;=*A$0F+-4N+B zOmE|}nTNwy-T{L@Hs-u0b$@D{0^!^zqpNw-@_#W>s{ux0;=A^aP*Z0GX<<~3^$|Cg z=gl-@`$aW(UtJ0x!G5)?rgnYjw4Nvz4`%C|!C_}Qz}!7`ONZ_d|AX&}B7lfmG|B{$ z02xYdb+5*l0DmU^np*9H^Hzsq+(^0DCwpY~Acsd7(^%O07@iao0SZyGhot=q0~}Z++E`&*%pvH#HeKx*I$=&sDQv*M+i(F z4{Bt-aG>Q?{?Ig@uQ`InySzKlxA|BS-Q~zMzF9dg@f%A0_imj_kq9XP+`9}vYTb5j zw>G_w04eQ!BRK*U-4DOx6Pa_v-ar0>74JNcrtUrV_#{R8Th(G<*)Xs4dt?(x=5&4iOQrEP%{bDf3aDcf73I)C)^~huTgYVJ22O`y5U#}MlxReo?}UqHg|fvJzM5|@Dz5Ub(22hHhCg$oIA&)5h-moD z&Zz_Mdf$c8lJL(SfuQOh6?U!{MSU<>I=mfIi#f4p&rzy4T#-3*qP!oyn`K45H^Qn`}&A<(6$r z0Dl0ILx}*?;S2!7KH4J&<|i@AHDN;$!FzMrj3ze8yqD%cu)_w1E*RC*#X(B+D=&Gu(*e0OYoPL6;+H`2b9aS;*Pk5#43ucP z9A4N=``s90LbrXvaoWIPOtoyAcJ24G+=pq8g~-dYRs_(wH7sb%iHq`xcnkqT{H|;C z{pg$C`iq{JB7-_v0%ZoamGNaAmDY>c^U9{lh|Ub4>|gB18(XABj_KLM=~hW^L#S!- zFKZ3>i`UOO(J19Cl27IUEaj1MaSG}3zVbF3+?ow^p@2X;E{ub`PJ{bkp3I^fs)BZa z2VQ}r-s^MoZ!b0uwv&7>yN>TUaS`49&P#e%D4ZfoTy{HOeOHHiW0GB7 zB4t=_7#{~Y#-<#|)%W3exNrgD?JYuEM*|2^HVy;c)w%O2G#=J@70Y8Ty70YZkmN-k zhgCVfhL93)H<-`Wb41hs@jEY+cXheU6inW}w^7Z4s!2it8}PtQDr1wQ0_D;T@+0s$ z_+5gooA`T2tm+Ll(>_cAG{Lz~Iz>TphfD}IereE@_op_Vuv7B+fUXNE{jc8mfRZU- zQ%0y&wR@`(vZ7>Sqv^K(OqklutnXi3EUKBx>SaM#mgQPyUY(@dg1@^%X!cpQ;17KXUd_)FY2cb!_|aT<*`-}XLw@gm}T{O#2$D zSD|yGB$}IYjK;^ql0tA+bX+qKd+cJpw4Tm9_AkVxP{Ne_5Nim`z#NEtA?8mwq>V+Xh zGno1jE@G1+7YkW_ImJxEgurpkbsBe{N%0;l9FEN!Ef_ZO-F*efyv6`iVjnV_`3I^_ z2F2FjD9W}wmQrtOe^v7$l(j35p2>AMt$9gEN{HHlt-;jd-PDciw;?Jl&$I80S}`GQ zGtg}~kCOIyL#+1(^{vN2pCK|#rF<8EDhPomPXeQV{)XbS=f6moah<93y((&KI?4}~ z;sVl4ddG6n7jU99W)iw^GaldWbY63&@ zaE;{Vm$BL%mxTio`u%reC)B1Q%Z48ih|kEL%)1;KV{GXtM|;A`y!R11cTCKIrL~-2 zXPNn273$4GHFngSs>%dxsj^`n$zRTwQ;x2b&gndVs{R6|Jk0CBNW^WjKvDs6iOQ?I zu4uV`ezjXE<4IJZENQ70Xzt>|`CT_ymAh&Ls~p1(WE~MC^LH9>wGe)qX2(!0@{SVD zqkg>}Z9-Z|Juj??IJgC`o&TEts+vi#r5>C9ta_`A&)L^usvF9HdklBKratA%mpjKU zGE3KI6HhCsQxeB{oP=S#{Bg-OU3Hvf0m&OZUxw|~;mzG~Q9RAUQg}&=O`HOEbZ~B10Kd35LA3b zA+NJHChdND1#;m9GjkYxabmd-Gu*BK41Ls#M7{5koqp$FEYu7YdZuU5g8~Zx&2*yF z=OnosmndK1ol{x*jE+h5b_%ZwnH0n+qbitCS7OePmxao7G)9OXkMZt*H6v zIZHfH{Z@IGdcJ2{2l2cjPuap^CFuauj3*6uqknbm>{XrIAR38*^(a;3o;DabolTZK zJKo-}OiTZ8uB)d&i^a?7$+-vFew{TTgWJ9JZc7^!#|z%Cug<)H;3!XO9`@t9-lVVj zHEmboON5e53a|H?;ZYxz@3v}87H4}WYpKJ-jnDKpCqWnNak#ydzV_abQ8XxL7@BB+ z*go@iUrbNBk4qhT{NSDQ{=D^nhqElAgq&sDxcyYvVXS9C8G#k9JEwI2t(yIgd!y!? zodv=Micw>a^jY2hjDyOCW;eWU)>z~s%}d?T-KU3GygwEzvO+mdF1jqD3{zW@_R9T@ z;Cn6lm%cGxU>HR^>7gKyX;?bcnfd37m!c9$FTnAKzx{GX`WC}H$X)Y&jiZ6bPjVhV zhw|knGz;vPuBlF~0Gi$s81t@mnakIqgu@qlC-;I}n(CIn2A~nx6s%`?T0~sC&U@>Y z_O6G3o%n*wekkU}?#-eyz;M#y(yVIbl0n~xw3d#okY!o752@gzY7WtmC0{n7)`R)w zz2-3)5jF>hAG;c}S1O~4IF zZavmWf8$+*B$#w?!Vi8TW~CMZudxC%{z!25ARuwRv+kku=$*GiUX*4HPZyP6djdY^ z3-`w!YS^qF1y0YTmV!4>0T5!`elE8Nd%Y7FQda@#82Gb;9b|%gYRFFIo4Rk-Tn=?0K_MQ~)5kb) zk20U%uYhw~#jf>P<+~<5!;;i8)Cx^K@1|ArKPodC;$-rye&DV*waqfDE#LixdN7Mi zL96Keb}pj&ZtG213AD^IiZ!TiGQW(K4b>V!2r$1V$?PRMm`VA;jM}A@`=(p%)xckZ0A|UB;@W^FSb6G^SGZg2AS<%gYLLP z8lW3WNjgx2iqi7l_uRB85SMVwE2&R8;u03vd=;6Bf9+epU`I&o-ShLPEEo~jD1F#Y zX9ex%(YnzsKUT|=U*35$)!$7^i2-+g*+86Sh++QIe26O>FW1`^NYxl^L%BQFC*!kk zt=Kw+|e<<^Ia>+RyqnefjKysJIG61BpB*_bLo20lZDAr+cwo_mXAxS)_$N zDbPHWLg~UJ28p7*RI#`hUX5{lw1o6hGxjro?{w8`eJ%=v_cZ`T)=}Lw&GgSwY3|<& z$9x?sC)_~p)7l@)f0tzuQGUOx&VtzlwD^=xMpj(ZNqyYBoB49K5G6tqm93yztx%Ul zS?V_xOXF%6a%^3;D=pZx<0?E^lT<>#{j=AYK}UcDkJ0uAbf~ns@`Q^;p9j-M2}n3! zJI7!3S=LI$IJ4sWe`Wqy5=rV<&VK=XV}WB*(^b@+RS`ZXQ%htneCeJO`x?{tDlF}< zMb;U>>^miL;b0Ng$SR->6XYqLXyz*381vskx#Wz01XcXSM7bUk;F48#7sbbR*Pg%W zT=7RemqsEcVCh+H9KUd|smJeB;@yn9Xe?BJD$rm`wF1TAP1$M?KR3KiQe=qsVY4|K zm7a4l{F0VWJE)h0AE3R81Np%?rfuUG$*0%ueHv)J4{V&_8Jw_+r13#D9nT`=SBN%#Br?M!OK4`mT;#WeF4@XJazd6sw1L->#_5R7_(Rd+w$VCv)yPMFL zFN39(ZJ>nM8d10xW~*t^pR#svIwSd+_^`3&TSN7Bj!|@sn-4M`7Af`U=pmL7f6Z#C z6?65Fp@+l8siz+R9#Qxzfspplcdejz!dr?#i#&$1C9!6nRBs(4)|qC4PJyg{fuget zhd^pOIw9d&IpZr9vUi`iK;Jjd=x#+!{N>HqE`LT0`Q?;}{lQb`W+#snSQ$pnCghL zPj@A5bhqa^_qY7lEP&zDXU-ax|D&0$_H=^ajteBf+d;2A8m}@SnJ~~|#a)on03*YDTbm2Uu4QHeh>1Q^2W ztXY(G>#kMHJczmyFfs8f=-2c1&S}|$?4v81VUg62Ea7x_j|Z(Ki!NMS_svg~m-=oM zGe_oGav4ii*I=&m3yDAAJ$bdrpZCZwR|yRmN(Z~%^L0x-;Z^jMHJ4I)XYv)>Oj~Te zcM3EdY`V|V>+oA!@OYPHn02Z;>Fd{zYk*CfGU2+|4h>;3Y1T>S2E~ZD&qC9&$yKE< zC|i^sox}I+-2_=l3cEG$(a_W0Vz&?VE=*mDOynhm`DMJ}E!AO8$H??sBzJ6db~bPh z8rRjD7(=onwH&Udj2DF`jm3<6*A!?@L>s6kOq{cM>~v)76cYv{MW%Po_a;MeO(erTYE1{ZImy2lO7T8MBJtj7M**TB;*LkYUV%!d5 z&Dl>%V=PMAZKcv}wJg@><`h6zO|6tgZmqca!`q`DI+YIBbe*rQWrlkAo6Qe9cRi)z z)R;ZdX`z+##yd^r9IgZb;cPi9RmI{ZNV<}!&gShke6*bJwVcT zuzs$Xp+YJu8)mEOSlv9b;(ZO zq%;%4e5CJ{oFbj6<27-9_8`sGHB7qn{man)Go3J%Z<<^gN=bDN zbS4g#TdIyIABM`Et9~>B;op*Ys=#SENa5}J0g2~W-I^q` zHr;hK_~rCn$B2)99op82$*WLwdu{;4mbIt|i|X>HXtS&r!YO(AK9H9{YtsnD@O9NQ zy>@8yg5R~s<`bgP92*fj@%rK~=H+FcIovXqe=(4^OnlJr@=x8Gv?qCv z=@t5C=G=>+YrL@UErjUyFTX;@6Vc~RGZ5Cth9AHg9`ReXUJ;7BK7C?7UpqgHf15ph zMS|Y72Q{HXat5Ze{meH5HekcO*j^JzzBRlyR}aPtpbG6%Ca8ExyEQzRGn?lkP72X` zpY~{dEn+dERi596x{CHkFinpoxr>D@wm~i!hb&yWx`i z(e~iu(g5SwU%?!?wmkRqp2KVEUIO;w_j7mVStl1HdHUp0ax!)-FspEn&+Tl&GG_`! zU$f%8mM^=eIQc)z+4XLxm4Cj3>iQP@l9cs=FUDKf*uDbA{JFh-#oEJdxl8<3pK$ru z6piQ;RsM6RCCwb{XS-PMHl5@CXEp}`7Zw|nxK0m-;=t<)O9}0RF6el*?NrJbTbJSD zfDlYoWXqVlam$=JdmO!zzl)!C&W^%}Ea}jUThM6Up_}v%j7sm_Z;g}qK>es>OQ+w& zZ}*izQO`BK&)9->B*O7IVd#n$Vf!A z=U{ZD@N3FtpO;ke*xN6^hs?Y$5l%D)@y?H z+?T_X`dm9>DH%GL93todK_YcYXmC*H-bQTY=tVv3S$OlnK|cTqqH4jE%&s)&wOy{b z)yI4h3k1!TJ|0;wFrx_CC>E?oaT9jSK6EjD?-}wJuc$^ARSlXy%;6tgvJ@xE0fRpB)IN!w`P=~Lg%|h6D_HBo zYI1lrkJ&6pu1HR`S2gb4JE4jAU(-XJAXOEB{&g5Nyr=+)9?%CZ2WElbw%8Wvq^-Q-*%63uQ^KLe@r|0CwED~EKtBr(c^^{UY`H>PZfcXOO8qa ztK}GT^*@AZf>}y!npb!TEl}rfX2owTykj=`CdD<(a^Bh>SJHcKJ_|O|60=X@b$t4D zh?rpP0SBvl>OSbV?c|lbj8_o0P^1*F(=#BXDueC6UfwxA9g|%30XTy1&VXJkGE3gG z-9^ilLqZjQefw@L1@dmI?b_A|$c;uby0zV{dMTvXS}LRf-2I(kQ_Ien`zmST*IFV| z-G!NBvqJr%L0xgZ+-D2ayLm|yWIQS2KG$Re=1YaJq&&z1-31+dJiyOf1R0Vju;y9B z-!HG5g5G9lV#yL@Hq+@?3nf&bv!zyOD2ecPA!vT)F-ZjHR-SGg_dJL zzEDiYT+1}s=*%Yay2gZDu9L0aRg5Q0DUOG0fu+mk^%TDgHsVMrVDgokE#KO~A?jsG zS4#fLv`3P^&ey!1Hv%^EiTVlEe|KWz^Z#TBf<-}9QBZnba{Ih3r9fjDbo{5Tk1nZp_|!&cgRIn6*M}-k ze_lEG*5v7PmPwXZIn?@q6tqvy9KZDBwHh6OaA!_C)UtkpNyhvp@q3kln0^COF_Ec>3`@o+`@!vl8|Mdq`$~#f@R!`J^UREJ| zHvPhlowA+I^i<&$T>N2(3o=f4LHYyUZ^ z_Q%@wzqOf!_ayB$&jRhQmHQXk`il$fQJieBs-Fv@{q`z7a*WWb!4?|kcL`Uo!l4kEFp#|NBf#_EUzdqJ4Rr{x^ zR-7Uov@F*YK;*J8NL3qfg-_Y(q`p8K-!W2oxde>jHZ~Z6c;9tyIK;h8~fIVW7f0*y=kM8(? z@^??ppQH^_SvXDXw^T!Mr>VJl$nIVk8Iiv#FyQzdg~R~t-H?BIsDJ!c{`~?2D(n}i zD16I()X$#$0|fZ*7ydUfl^!Q0G?T8>_57;p_Q&^p>-6*DLC>?)#J!pD zh^ry0db(m|ugnmqr9EciBao1MFz zb0RkP&DGoLO%|rQCoWzuFZrZfKBE=Ku)GJuh`OjU3D%7aLxv@})AIdPv~p~kVGn=?(a0+O?d|am>vO!Q8YVVk7?iA^+$NOMfDD= zP1id_`GVl%nR*X`8MLDQ+yeaQ`My?W=QfbpJx?5)bL2dGfCIZ`-$i0v{vQY@mZ%6v zffAa_{wGl5@9+CcinM-pgaC1b=IAl$|Hu988NE-Ou|$IP044xfk4YyI#(Bx05Xzf- zfk7zxRC+qUKgafBXN%DWedYAHJ|Tr*H5 zmaPQG57yBnmYG)rwS5YP!8&e;Q`O9=Smi?(Js zkvyy#JGYstK9Nv8keX;ZV~xLvgz7~JsD2^!1#uEMriTcqJ|K@+DUcWfsxRPJ{&Umy zBWM>0U@-@APY+Oi0VlDJKS|m%sYE25Jqlp)Lp^O+5s^^wQOYw499JtdoQdSAf=H|{ z1VV!%iIsu+D4i&)?W(*<6muLPy>PUr$1U?bag4%^L%@w6JEV1&D3`wi0FE9}0Zw@4 ze9R(|vZ8AgnKQO`<%uMf|F65*GkPWTT0{c%03`rWzmogtZweiMsA-f83df;2#EJ#e z0jQ^_={ZFtP_N6*U71QOQ~4TL1H~O(0ofn<$UnXzSpuk+MQBD637o0015j_I!AK-{ z297VwK(xc(2cZ63+RM~GlVsbqsl;PR0QGGH@x(cMfOI+m)CZr@3?q`< z+-K*u(C{Xn)I`%6sY?*W!LqAK5r3L4N#1$}3beoE%_CL57O~7`v9!yl&DXyX(ry@x zC(3$k?J+X^z{|#^n=Z@;H z>$y!FmFsQ*ksagqgmub~CF2kM+#&;r02WQ`IEiDnAE^NtT6)aRXqYI1EB)3l@Z&+2 zHj!{*Gk`+YBeQNQ#8K)+dXOyXQ?g_s%Ci?Jl}@w_AAuo>#IJ*pSYO=a{`it8Vo458 z>y0ren`R;i^)Ctkb@xmNfa>iwUXSE}n#w;VD0m;au5@Fz&x4X{z-`sxOVWpZ-B zs|_Ejh7n0}aQ_Ga{J5_X<@#^UNCENlnVs9dW!38lZj&!{(nFFw|<&D8EC;+T3IEwBe{+_pqBl^0`(YAS(L zBFl(nET7RUFqON2h1tY-_JMxn9>5q z$F?(ma4{mPO<$DT| z{=jpNfq(Yn7r5R#i?7|Y1ND2lOGDmQZqYp80EOAChU$~X8}k>AI?nEwM3bHC7d=>Rad>XWMBOxoo5}NB3hZEMe@5lt*RgfW zzUTS&h!Aq{yAqZG>pQbrIp>f%FKM`0JJwaVR+rTqi-otIwlc?ba;z@pEw6UdAX<*A zE-&84bEMUY#2NF~wRqk?VtWmPlGa|WB8%C#aD7=eJ?d^lh?jb6als_Cqz5#4Li(BjvR!+@P#4XVF+)e zs`#$2_=nvrR+LFc!=CE=@#w_$l*`&9<>K!(k?|0g9iI#SY^jovOVq5w%wS1*1QoA+e$WY43`%|dx14H* zh>iao!|&7>8%Vjjhi+XznDVa|b%%hufkS-{oy0qFZ1;5>XntPza=30p@(4S8xyBw@LsZO=K`&|Du&0|GN=Jm}gU^?oZYx=>~^!^^^A z#wgSrkG5E?F!9Vh)m%~Zw4^F47a=Kj2KJd@$3?{BBb_Jo`&9KYg&Ay4g&+D2e)@2@ zMKe`saJ*^+cK;x@#HBsmJxvR1CyFQ?J4!C_R@x!3Fs0(vd+TW_Zte~~^XcLQNf-6$ z^DZ^+OQ9x`+xM79{43Yjs!bwU5R5{FhQ>Q$4;4lc(}98U#l7Ax zFGn}F6Fb;irKXFooGa^o8juN ztQ*-%->w>?p!c1=wX#%?gU6wwvpfm3I@()~_RvkZUEzk$vU2-m9xAR$M#_lA;MV4e zPlef?$)P?ptwxou?)z(2stAod^ufB-oA=7GhZf$q?RgsBOT1Ymac^xU-C}jS(bjyu zImK%woCqQFmA)pmC8F7uwIQaM%g8|d3`fW+%La;|%(#-Qid`)zx&VvPQD zcKD*C;FZqx@yhzjy=Au$jGKI`%pPnX=g~qhWDJKa)~1@^n)T|C4m}(FXC+Is5Q4I* z<;rJS>#?~)nj{x=&KT`J$%&VGMFW`?n*4yRoNQi`N?@L)5+-)r@a(J z%gb0D?b7jGtVH)4m-kI=6^6smmAcN3X*1{0xQ-X}72Hs7Ov><@CvO{GO@C<^vMya`QJ zVMrT#ZQ>7iG^NWO&JN9q?{zRQKs@_RDI_yxR+eAqdmC9O@#2f8l4 zm8UYd4Di0K`FZP#y!LiXXDlvnv5v=CiH@#CC>bws8~3?|#;d-NI_R;3<~0ZVt_EG@ z7?xp=hbDNPcj!fehbv>M$XSdo#OTp_&Ff0E#2`9CQQEadHjc&;2oGa^%b{)0bur{g zuR{iN7O3~5DXKNKsp4+F@$2Zz3>~Q>ken%Bbxzmf3J#hJkF9fAS1Nqw4v;*{3GGiw zlM+pE_0gh~sUZvwzP(ybs~P5!$K#B=oD6+>Oa0s=@G-E)pb#piQylVrSk`4khmT(J z7^VZ5H8G|by{cl?I8^tA z9+lNIcnZh%>KaC$PUB$&I%{}0yR;3K>i570$3R!PCWIfHtj-&C+^enbr)tU|7#ML= zH1Iq}?!zW*ZwY3vVkGM>IA10^O!8ERokqx~cen@|gwm!-6T8gsH<_U8{bk=JJ9wW} zkK&*Pc4{86Bka1O@IX+q^0M-R#2ts8*G?%)ZeF800S2&oo0isB*&OXsjwsKf&Qf}C^io4@|%Z3?SBW8*^r-L8$89fzn*0C4JPh8yD{jwRl-s-`+a$J zyQ{ou)@^U9CqKJ+M#zvZlYRBJZ-R}kfqlO(C3IHE`p&)7?~MFhUF$=!F6K*3v@GkRCbd|axR$j2 z&Wfqo3X>j4Ui;3bL*nq1L?W-Sz8Ce_&SI}ozq{1nhjj&PI_un?2U{rHL1QB8R2@~a z`2G69{!Ow;rL;<^XVkX#{$t+?YdzMmdri6T%R8=RROWl|Na2U77#NlE52EQn?gG_0OWT79Q| zve}?0N7Tc9Wx7?P#I3hzpwvlc2HSa--(AyCz(?_3isbpB=CV|S{weInn^)$FmK|H% zHDa?7EMl}Aa?~hcDXjU@HuA`0`LIQ=jw;*ru1JbkL+02{+}yM3{UZ8O_sUb`18Elh zwYeqUeM7?DnIrz$vlAhqCPEd6LKaa^fpR+}eNsQ>xkSxYg;e&r*g3)Fj2C>5x4RP& z#%`mN1GQ%IGavA-9fCV|SRE1CUTJWbZwZ1T+PM8e?>KEE7e{=w=RE9kM(*02=|~VC zA8d^upzE;5EVMGa9iChsQZkeN$m@|w zUCSW9o-fK@LJzaXiXucGYiY;`{lmUeHP|fA-S}benvX?Q{pDtSHm;iui75uuU;J~9 zc34{ZtJNiZL|R)i0K{KL7)x-Ce1qhU%6b3ykVM;1;0}CoMzg!OZQc`r1Ny zX)~DVw=fM}~&| zeeRBEQN(}4FKLOb1vE+RI|#M3_+!QT-iOn&cT1DVN2Wf9_!v`%jh1ZAbVb(U#OIeb zg?K`N2ZoO*qvmN#Hr94lr!9ClbX{i3fYPUxHHu>~Vsuj5{!)=2Vv9#yT9Bh;9C$t4 z*CE}tYOj)wmpgOsz4u`ULdFc({pHBXC8*>PEJi{T92Zm4&*!u@@bxK)kJ!VG6n*{x zhyA9azdp?^E)7D)N7}3XO@Q;*&c;X@Vs{bd6E9=ieKx(*Pfc%smFaS|=BCm8=I=ZQ zkU(UshRK1@-FVs9R|3kzN0|0*Ch+@v_pz=O*RRGNYVB-Up_Spli)edA*2he3EcCMY z->MF|!Bgw%e!a%|uf4QaHf8H8ZA=bzH~m%$L-LfFexo>k@+|1L*f=oC`b)vQ{dXi# z$rKqw!RN3Vl$fONHrBj7K8!}w!VtJ8gcwNDb#8R|lXcq8IL)5n7;g9Ygzu-)q6ya& z>;?nd&i#0Rd|Y-=xSB{=R{d?Aw95KZ7c2QB@$ym&u<6&u>^L2rB4Zhu23o^Ux65qXtg9+52c zSAev|@##3}0)$M-S z+Oz7DyvP-5pr2@g@`e^xNgSa6SYOw}i6^swFMxDE!#EUGM zLHzYhkQaR`I^=La)v2 zfcf7q>qDS)dz9|O%bosn**%or7hmL_a zanRDc`P<#-_kDP3DX%rn5o~0nyPgT^!Bq8f33`XS?0roTFkyau5f_!sK{})Fy?GBD z)~GEX&U$}y$k%cEdAinIx!tn=Ars^IAtqb=UhZOe=hXP;tPi$GJ0HvXGLn^QlZ~%W zyP76sTB>P0l6ebg=M#7pVlJ+!)u3AfAtC1L&sau7hP$jf->AFQKL2#OMYWlx9=HB= zthX#;2BA&EUQ~t@{vAUed`%6tTmB8&^NsnVJayjs9TNDyG^B}3=N;9+r#_Kb z=Ka2}EcnTuL>J4%v$twRE_KbHOZc$x1+r`>xi`PXx;z_r_ZrgKDRMP~EP}a+)m+$V zC?~_AuXq!-wm@dP1v4GYOmqR^N2TM@2u+gSTSdd#E;25>sYpxvPm_8^onmR?>rK_2 z*$|lD(!|___Pmg+@^BU{ie054TV`>`%!fIPudVx@ZpoFoQz7!*(`x;O2l`ndw*<3d z-wwQIoyt~Cd%+)@28(zn@9hVhGxI-k?kqw_wXQ=og|B3GgM&uW$fangX^IA#3!;}> zF80d}wE*n@iGxN$C3-yi+4Xe?VLC899N zUCSs*Q_>KG(BJty_P1X|AW}>;kN?Fa=I1K!IaXB$kV6h*s*o)b?xG~>r<$xT0mpou z*p-w@HTh8TPJ51_9cnPL^N|kP5@8!27q^%e?}KFyYm5zOK41nb(88u#^2x>{m<4Me znj-f>KXzS5^<2frNQbfN?8W^joMlJO=Nor-ed=IxZvsifJmXk0!HCB!#%`Uz2Ubog ze8@SFil*i{R`VNiprfo@URYZFz4bOXP?B3TS(|If? z1iJ8+_@kDC2`C%13M=l~`&U3iFmDuIqRy+aGmpv6#{MNOM@U&070ZzNPEC#XNlbHm zxoq4fUMw^6z+Aa+Z}#b{_hHKk!}VCl7E~wi+Mz0ROF@-{ln{Uc%=olAF&ZeU0CV&J zX`vT)-CzyIX*|X4q#Y9_%`QElq0iWVcvqbNO*x%tcN}%r@S)x~t7Ajf{L3dkN{4Kv z_ujNTp3W&f_~ghSds0f%r#%>Nsij^GdW2(dC1mz7@8JDK7mwOX6IZ9q%zub_jG^Ri;gT7)v26*_LR|K@*Vgb5=>Mit ziC=T;7l)HvtvmF*Ram`FoECbFc-EB6oy~7Mxhs}La=EHiHv0>SGa

E9CeXdZH zTJ`c8m<*_?I)3eli+-ZmZKd@$QSXeBBA=0FHPjs#ocHsCnw(w>BEd|oi>_S?GuwLEK}}cRVb`89sCFvIenDeP@hCz>9E^*P8XNv zf~#hGadl?S8ZwK@Y(+Pd?HvP!O}VMj*P2>CJT0%@rO1}wT9#m*HI|&(aPqS1nQp6B zj=8iV)CW4wgOHYTi@$aRrXW)^i6a1&kdUT5e~IWZ$qjQzGrgLdG-;d%{d4~gW$ z@!La*Js()=>Q|ptr{(rCYGC?~{)WYC7@*BLCswhj@*Cj6LiMeajnSlX1uIH{nXTiK zli+>NE_oC6P0n(M{rF;wsWF7r9)22$Gc}MsWKugGVPcr-b!edFbjr>Z3Ixo7M)qCHpJ(RJUcT76*dwsPVPZEaPNyI@ zhwOPv>o;@H8K&LDOW@W4LEH_CkkGkDx zns`F>>e#Un+52?%-m7^l^G|K}(wskST~@hwu*X3yyR?87$%jRpplu$AI+;-Uc;-nH z>hWNuPs4V!47b_tx3=*yOC28aE?|lphOX17d`zXFXEpS={dvz}h4D9nyu&2%Fll9l z?c2*){=?|s(9s*Wjsm&5gq%;u6~35SH8p}LZ>RVe$BK^mU!Xp`H`2mJT~oobEaiI_ zt1)c zuIpZVEmr67XH+1cwnkVwKZ27weSdA~6WFH1B`30dzXSQ{cFF1q5K72=ACD`d1N-8z zCt7EowdiZm1%IRutIwhW%`s8kZut^4SEzOWSVYsxyny3bcjnu{zTv#jeA^vnhl?T3 z>O@6+&PmDfS_V{*9TD;Ds{B+RgShk^TO$bJ+vU0tZ7tI=uSYMA!OPs+XH!#6Umg!2 zG-0DeI0b`)nN%$@V?hs{Qf~1yZ?210mt47%r3FO)z61lpyUaVpWjyad2ZE<5PGC-h z*!M54*X*^!z5V?C75$AD_jxPU%emzc={}DDsVUz~%eD0#-+YKjbTOS1x5lZ9ZRLUk zdbIlN0fg1kv#9XpEeSdSpCunlMe8Y4#HbFhUK_%1p#pNEwGuoUbFrbaYHRmrwLb>aYzCIAa)%eV9t=WL; z_@rTe{yX_{JJT^YPq^i9s z;y=qvoE2ES#GOL@L6usQuNbqmB7lk75rKJWqs2YSiA+>egPQC+hUXE8G%2*lF;t^= z)#OxRA^K5|Df?OGAdQxEIYOmxJVKnKK`fK;Bh%dz3$x`;h1?EXa)M4l`#Uk9oXPT8 z`P|~69`P)ThCcB-Yj*`}MFWV*a*J#jM+~b_kSyH{UVThbs=F{JP1}63>Ul#=O${`i zZ&M&W@yDdw${o;@B@roFjJn|LGu?im2*JlBv+fmL0J)b{j9le;QoKD-dZ}~X9oM}?r-vuKz*4M8{8$hzjxd?j(?4m96`4_T z>+fKCE=TM$&4gW%xRbMFdDXxN&lVS=@NhS9q&iokq`iiF`&txyL!Iw@Tj`~hrIjft9%JIhwbA?Y$-x;WB1^rb)RNu5eg+vCnOKR-B8W2_us%!7$Pu`@Fp8nol#>(j7Y zAkp7gwipSqN=;p0@)FBfJ53j6k>R?#Rc51|#cr{BUTV)ug+!xxx5?jK=>hv2r!ptE#=RyxX?8oamNkstmD2|N3Tt!C@3)-OFd z@dp*n>r^n<71w~pL1BirQg%n#5vD+V7wFvh5NG%272o{9u|A2VVSC#G^}5!Vv+sk@ z%`|Mk$xqeMsM)6^_;qbpM8T?uW*5`5unf!E2u|mBMS%)4Z&tOZjEGJ|0Pu+lLeya*~{7Rc(XY1 zv_W(9^GDI$zhim}igJ#kqBpc~X~k>{T9}zsW*Q%!n2tezgH{X`X&LM5+!S%r^Rv}# znTa@6Q|qVtyC=~^x4ftu*)ti-e#t-=x>tw` zR)lBUc}_cF>aPT>7pJp(p{sAaxKC7DcsKVADiL0saw!l?2Qqm8(^5VNm2qfQnx?Eo z&}kMRAGmf`(>7yX2URVUtP%W&(;ad<5vYjU@#!j8m()H{+%^X=Q!@x91 z9N7HjV3_E)eFk8|6#d!UREQRi^2+qHv(m^nmm0*Zmp=4(y(1JjXH-;dfWxb_l-e3x zswSmqpD#O`n7Ky2jL`_Z*P1S(^1Gc>B}NL;9aZSx)Sl0rDl35LtPOZP0<#7u-12nu zwQX2VOa1l*e1a)e@`W5X9!y7ETU=|cgiD`2xREk3LO*k?Mtnk$mPX*LWN}br@0h0l zV-bSFNhLpYhz{cFVjV-F4f1N~yavsz_S3y0n1x;6VrEJ171z4lt%GnyqMyGX!vexn zs1QL~Tle~?%_HEtlL8vh?_hb;6x=(9qb%+36m3c449}(j96@X3J1;~F8{cxYwpDkU ztP&!I<=QYsxfC1R2oa}W(?-q+rQwN-)v$C2aQ%%5LTzOTi~E~rHtn?DFbCb8cAIos znaTGI@(iGbieY}0b7yK6t!df|9}@PKDht>j90P5Bfgab=dHh=_L+dHJiOS3++3tnL zqVBYbx}b#{%5;;G$O%_jLzD1hP@3znn53C22fTQ1qkTGF4$#gXE0d|^mBZ+0{t&w< zz_n6XkAAcU@?Gq`+NQX_D<}T7h<%Egs^%P0QmU5f`PwA_VBcJEUd=rQ6K4dkF@ZKo zxvxo=vkg~bJ-hnp(Wv!>g^8_q`HckJ!H@5dVCWafg>WT{sXGpPnB6lBt@_U|>-9Ij zwflA@WWBnu4G|DhY*2o^+~ke!(u@v+{tdXaqd_I4%KB=Wrl029a1XDu0nu@7^+(wP z7QqjE;%~L=TYGrunMa&qmzgl5?#i!Q9IHtZ%C%Dv4=lUY%tiYRUkrB(YEg;jcc$hf z=7{Ms^cW_CZH;!Aae|f%_w5G~gB@u9d;LJ}DcDZMM zorrbVPB*lTJ_c1aGGE%-66z-SM{iB~ca&_=*Cdwage;_wN?N{O6i(Jg@K6!4Ao|eJ zLCut&ppSyDz?O=pRgMRp$7k1n-<-C(VC8yx;zKJm{k^aT_JLT*t%p_b2@{G#fqQH2 z7QJt(ukb=Na46QC+t2NUSrxrC!5=wp4+l-!qH%Q1YypwtZ(V@??z7NPnKT)&-%?VX zm5lP48I!VYhZcAtluAb!9!<>e%Z-QvY#Zt~H-e0m@%wth$N{qPhPQf6++V4~MsL7)M zbd^gN|7Q360L)#Mz%57Hg0!63E%xgV6Y{-pI+OAxh5`WF=W-dN1H2uUQqEAE6ySiK z@hrFKw*CemudS(3w6W1gb$NMXpYMp;xEJyTOH*$YQ zH*@)|>&(*!>=PyBeN_R~`CtPhBuB3U`}6n;G|ImU%p0gDA~M?-mpZuf)-DF$coDJm z{fb7-77Y-P=*5eojEj?~(bGsdk2` z+Ib?Zex9=9-Ul5yR|QL3Gm{UMm0~Mnt{LylBpRI7n#)+!0Rf?DYWfqTBQ31tgE{;o z<0Wy(W1V+RU!FI>!rtkgEif+S^6*GGE4%^^SlVi(kKGq&9`br8Q|~2 zL~C<(*_SN7g`88%BAj+-fFfU4Xi)wUBho=+q|SOZm1V>EBY8kIKyDp>+b;YBkJOkH zpkN*4gA~9=KPGISTfTW}+Up3lBmSMdv4j3dd6vZb(9BdS=zze?)y=|gG*vMyc!m$0 zAhY%E_fjRg%AAlZv_?sb(;VLXngzps6Tb|}*7%R4E8>k95b&i|iI=m3vVP&-NL=>L0 z*~0qjsF_PgY;FhLs^)>em8QaVkjbN^t#20lJ4wf}GxYFTekT$u1#WTHi)cBKUsU_6 zYXG9?JN9LGD9iq$BH~)n$8>{u@j%&A-p;6azeF~$deA);?ktv8he}8B&FWhVpTFZw z*!!6M>2Ur1lQAB!}#RQ&=NT5Q^ZwcbDGWKr!bs-~9au(A4F@>9hOueRq35 zUps=WPu}}=EmcsCbM>I7@MX?~5B}*|oHvLQwx5`De&L)R^~81!*R%|$uL`R9J!+g) z7WtC|y{Euc12;lBC0dHu$zcvE4%lFoQp!lRup!$aKNSWXkq&51St zAnX!}@sxXtSnPV1Htyx%^gDHh0S3Yb+ZfGhltKpS%xn<1xGO_Zft&ga3#~I#1Bndy zw5I2K--`oUh_uTK#F>&3<=M0|5j>fiMv&06??Hq4Fx3wsfpMG zBg9#8^R~`Ft11CVt)(w#(GXxnKb?6(iK;*<{uzfcE;!Dr(8A5Csrv1=tqDL(JJ+En zpj;pUnSbkorilv{(R5T!!N~2rkt(9YGEgOLr=xaCQz4-`Il3WSal;Vefp&(ojsC6> z78@*BEqTMx%dll1pf*|XXzC^ykynHLHa*p^u$gi(E*PRiHQmR<^bbmPD7|aA$o!(Q z0V5pgN?WOUxNB5xoxD^9ROb`h4vwvee%HDOFg#+eB=8j`tof; zK=?JM9PnbCz5sO)p|CPER_p`S`Ihju!8_C5L|Br*hku;~@cCAAk%=uK>BQWm8VKz3 zZ7%b1z{3Z^-3EKTgk;{H;kGP=ccvYQvWFR{@0bN_v@TR~4_$wY9H(JIsHEh3xy*@#Hwo5Z zw|m67WPWocBAYVNcQ#P$gJx}#M=49HN*VVKkXf5TlV=WBS}&_)R90S;T~9`x;Uui2 zX1=X_Q^jBHc5i2Z0Hz_y+XbLfIUvb-kJO`WK`s;T=K2-b`@9KG@!V;~Xmj>U9&M%_ z`KEz>lhDbwrZFY&bXk~|RKJbbbGe=G4hrmy{Xxm%)uQ{;Ic98LU>VjxEovzfLNQy@ z%USMcA=fnW&J_prZ>-S}50bRRTmy*x8W>Kwp4!$)mc$O~iDa9;qEf|@UJ(xa- z_a^k?o4UIeuc*x7lSZ`Ivb&N-n4eb{Fm6?CB_&#X>C3g~-ftB$*|AnK_O4n`l)E0k zasNrf-5Xl^Ahv6w1HmNBGQW}wh@#m&x2?4kCI*Ba$(sdqbcGr>ZXz7j>+qfqmCyO& zK$otGXsD&618fPovmGDGF}@v43VcW{U9d_FcL>nBc;3O(Nv)G3b}dc+(*87D<^fVY zz)99kx-*wk_N#Z>Q2on=wr9XSzdx3_Jip|=1aeA<@vWKNrqHNh@dl@%ly*epFU-r{ z3i|=^MJXuoqn$}Y)~iOVuC}HnjPx&o>l}h~D!+%g#&UHC(70C36glBlr(gItzV5?c z4b*J0@OE7@BQ$R<^a3KsB}2$H50}+_mY0!e{(8;4Nm@>6COlC2z%E7=vlt>|p|F86n0q>zb@>Yw9QSCq2heT~O*F@#S`0*o zA0NBIwPs*C>AKE zja8O%1*{d~u4$&V_0ka#`oZhvv)aYtKr-+d1|tV>ItLmWB7r#KY-z3t!qc(^TY6qq zn$XkTyk7Q230^63^GR{hR+?eJ+}0;+Q|xi+XT|HyOB@!63M-4%#&(ySsslmD)co46 zT#)0M-2y?J)?7LnhoOU2$Of!3M4uhUq)igu-z*MEQ?H3*$~`;Qm8ZWbS-;_%wOeKOmoX% zWEHbPZe1B}j&ZFr8Dk3FtY53pwd>DmqvMeF^ONgH4GpTgw%<5zrnfh4Yfg`;HnCc@ z7FO67e&f`%Io<^HuW0}!diq;iAd_>Qh=ik9(Wn8nvtyl?Yt`p1;Wy}Ms-YBGxYG?v z`Jtg}R1;1Cfo;m|Ay>05H;FU4tcgM%&y7rpxGFzd2@)MYfjY3`@u|W)YIq(=mEq#0 z4_<*$dAvMd&42iUH)LH|3npUw*GhA?^&!H8^Bo?Z*oUT@mS#KALA(7ulY_>C{LNm2 zJLnOQ-}XBe(sT3Xm6;1`e4Xvhr@Y}CrN6}bPc5@)52JRwr<-1BYs!kOe~T{AFx|)# zD?A;OGmzCCJ@+zg6}iUDxgR*P(+Mr3UiPFHGJ}>B=2V z>yNf=szH+)afw4g2Z@E5#7!e#?7QZ@`uh6mse^eEFa}!Z+!}WuTrq*Uc+E^ypWWVO z0s>d|=8P<2E~)zn&1m{6@ssa*FyZ3NN*y&vpd9q##?a_`obfaa4l<^$k{G8xff%n_ zHQ%Y#l)mM%c3#GaM6*Q8x>NGUSU%L6rqlFsuNR3zkewmJrB}pH4k9|Pw zVU=0kYR{MVb91@HU7^ug-Lc%;tFjM~UHjOatYb~$J_4HKigeN(K&wRO8b4ucdZAHA zj^$#X|LA_=%kpS;dlhz0dzX&Z@5f*}DL@PB;?lq`h!*He)K2>|3tZH66Q`2N#F@jh z)o}{udijSR=hMevKfwLxjzYTMQo{BZxtrQhL~v$ddA{`RnPET?S{p>j4l-Y6#ze=W zdtgIrfIOjHg(FIHbkD&!LG?2G^K9?{4UrIGkmqblGZ$OBOoF)V#FTI}SLnQ2iV2$l z=$3U=e`qRkK#5cBTu5D>haf;gtVUR^EPiL7*h!2gRAC@KE{OFKmyXrf$Dk*n^G*EI zQp7#w9V8(-Qd|v;DS9?-jFVxUdGfh*bY=}!uIYSM?%+%RRmuAIkRNa#v}R_(A!-r92&Czp2G<@~V2rSNgM`(+{3W;;5sk=_KS!1OS3>PHlw%j8DN7 z{iI}rR4>|Vb>XdqR9ki0TWJ!@6U4X|Y0$WJhRblV2^&*!$}f4l-t5tr>}li24QS%9#k(dvA5J>(VC*twAYd;V?4w`4dNYbIe1?!@>XHp ze)$cYb?ZIYSu$UhI0eH_ljJ~YTn)1+Q`k%4D;{N@Ih|+OodMbX(%$y`fJ5Ex@+Qx_i~?!|QIk*tr;WgT!BwlR zb8}5$!?XMVUCCql@#CT-`=_8tn{*_jo=LsXz)%!MPWpRbIl}+zuT5&slVwuPavjA+ z7mI4VT)+7>3fVmG8S5Kj&c2u)U)EKBLuTKrBg9lC=d4tP{{r-rN6UVgXK&T@0nLJC znx6awHI^S}G@8c5(E)whReW|RvbOQHws_W&4$5zEp$KLcgxC6*qh3!BB_82Cl8B@R zeto2feffnVjSQGYfPw4eip%Iswve}lPQuN~D;}O(Ta+v85-z{4AiZwvS20eA_6e0P z6$P#rhc&I5Z7tokIJltGRA$Ja2xteO>!^~e=;U1y0NhZJHT{x(XgT88q z@{*}H=B_V8PyoVTpdBUxIiS2YFc<>phTD|uBI-PZb3LOROKeLD9lb+60pESZ-PS&u zmu?abx);M@*w`Ak64fDyvXb0PM#td?)C-0DloFTdy0Tu?Ji{k9y&T$huL+4clak+{ zB)cZIVAQyKc)o&`p8t3zxKt9Ma`>}AbN-b)`$gP=kZ}&jJ0XGK#F`v$q+s9xjJ(ZmHrVvTB5)FN+0_1GE}e_aSwEq zG5yESyvme+c(&zi2hUOZb4O@#|L^|je?7dxLqAu_Z+aAU>L}&m&(A;|DNn9hFXyrz zAc$vB-#Vh*=;OjqsIk2*s@{H6hdOBn}K?xXryB%nZOa~k#QlFmcc&kI6 za|XZW%Rf9FT(_MqcsT6+N0v_{`Fv*>51Eco-QcDFhU!>;-^)xEzkI|)Z*8bXF0a&w zUT54GOM?BIFZln7z5kE2A@4=;z$@z^nY?oM0)0a~%I3W=S^Va!)@9!33L$fE$u)Y$ z7h#zRh;9!urQ%zRFK!iNF_Oh6>Aw~NXV*^1vI3vo{2$Bxf9Wm%>z~WV0jD5-9(Wl3 zzkd0j{0}!i`U?tID!c5Cuwnn7OzsgE{e|$B0{dLW!?odmVm)B|a}~nmvHUUUS;}`> zUq2;j|HshcNT#}+L-BgQK1G(ri9C*zP4S>4!A_=yOzBL3WE^Wy5}8s$BK4h2@{V31 z^HoPHnXZjE`I+&>=Ns8fWXd=IO1QzaIhIVWQuUbP!SzRas#nNTOfJ7N{sY)o(kWSy zC9+r%Z!)@1 zmQsEUIzjSH^!r}&*ao0g01E8zvnSK&0k>(<>a?~Z7gjK&zGKLwLmq^D`nxW0%aK`n z1bJ%hWgTD(WTG1{c}~ywz3_rM^VKkNi(I^l;YC=B<>MAcGNoi-{2OBlWeS&YQYTlbk^+RT&wSZry6%spVZLgJAGUc<9uboyMuk|C zRgBsgjU!LgK9R2=$vIduUG@wxlVD2?seW?tPOZz-!DsWy)iC*gn^yq>shNL2d3103 zuWBTpCu^boj+w*u{vZ#CBDWgCNbT#SPM$8I{AD0p)@t*T2^#N{fIX(Pm*szoqy6bU zkFJw|eUlrxXi2~yz~08DhD>Fah58Q5kT$v6gn9t5cjk<2B@aGR1%SPw{gFQYJd#}e zCjq_s4`4q&f15nK;pFG@Bw(*sK5*qfAKOv*H86g+@kH`i{)v1D3D_H`ALS#QKZVQD z!1ya260p}ukEkGzrm|rzWAjfNvTs?9LAnA<7lP7AQ$Y%q< z{?;6sE_?>|RRmj_8IuiOY5>4~C5&7R6JYdn;uyyyUByk6aiq*V#!M$NqzSZ zV2@h$AQP~^^#`!Om-UuRz#bU?#&{BWEdPYGh3@(zeKjsJ?Mu)n0edsf$p71h!-1SX z?l_mOFOhDimWFAC`t;LZf3;-38)1&2lnR@)wG6+ObkRzz_v3^2H+%QrsSMn)3NH!g zXJY(i#j<6jh2q_dNc%4Ygw(e^kQZh$)zB;6)CcLl-8oT-vU$8}GAzUS_l}*xL&=+; zm*ghtPNtkT#G}P>q0rsRi#)!6GD$n*7MaIy_~1dWr1#?^T;cOiFm%QlO5S7_0Ua{g zUyo1AP*-=*Ud)C}B{3uSB=7rox!Jdla`VhT*oSCaPZ4|J{EiVO-^%7cr>=ieK>q%p z_dKGA)qODdC?@g0zCt(}qdx-o`PW9AGCgSfP|Zy|nd+iC>9%tokuLHCSfL&eUq)!8 zBYD8!>D!6&)(>xwnp`83b%61I9$fAGlWg=*`kY@mNSqB9*@;4>-)9JLJDHA)`Yo!*ug+Mb>CRr>Ff)PHN)zg^Bhzb8Wk;1&*D#ZmQS zsWb91XCCU^xf`SY_$aqg{ev>uV+7!ocX{QjUH`X0>)$vxX$GRBYGg}81^~a{3v_in z(uasgSkOO5W0D5&`hLSC@~|VL5_#*p56foIqvTP%Rvy}NvL^*H?xKM2Cez z`enRO-W?;>7PhAM$iT&2HBV6#X;iEFlU20>{ylFr>n+4KlYb2 zv>7E|dnt7!(WY4R zKE6zAAmUfhBXTWp$FPpr9m-!`=J}T){Ny(c(t7I>@R=Ge3jv2 z3SQ$I%VEF+I>aaB(qBIF0<`i=e&Jv~*17LzO$f@wpbWpN4ChmZ3u_%_gJaNnX5c#b z{Z_rdPWPu@?n2EVHEmy%(7y&C@X(*8kZ|{M@LCp%M4JNUUOz?Q zUn|)ZoT3&}Ywh@1SC0MX_d+Fsl|QxUO-22aOZ*iF_S8|tKIpBZNjUt9>lYWR7L7_e zkjd|Un*Yhu->HG=eL!6~$_xRZgc^8!`1kmElogY{<~JribC(pO|8|B{i{7V?Fv9?# zO_qch>iqc~Kiekb`lr4;8Ow0=UjJVvc>DUN7O&;Id!|nn{<;)D{c<~+gm-QuIv*c? zKu#Ei0}jJrTI>DpFQ**ZYGpX!qFx8aXZ$O{{Ck(}x=JEnUBab?hvl+k(02_>4#mn( ze{$2yTA!bwxZbK|UH#cCKh2K*x^af~f!XNeQ-=);`uU`unbYp)y=AqZ-qATu5g0E7 zh97jN{XC4HJTyr^fflYsUC)C%p0dsyH>-}W&kdr^4^Nb%IyT5g*|74ZF+Vf7C111RJ z&-wHJ$)edYRan&XJM6?`s2k;ea8R}79>ZT8`sY{vY`Q}YF8@S6nUSO^h*rBMA0Ewz z8usu0;N0nldUtgt2-w2|=^wq{Nju}S`s!HrPfPiCL-{B6Ndyv4`^o;pGwVNDow01- z8}N$Vno*Jeq2c~H65sM@8UAv?nzolbqd#3H^9N_EsB{3%|2;Gi{)x9*Q$LIw1$iG@ zNdM6v@3}^zBV4etM z&0!hppZP9Slvj&I*U4j{;_w{$k1Wp)x1$z{0W=gR(%to>JmwgZ*rRfGPu#MM9B?H|SJU(-tu z(;spm|LS-enNmLxzSh_w@&xbcvIoF^0H>|sQYW$`H^6&t<+ZbAi2bwRJnUcDhLacv zQ>7DvENd&DAr0N0^Bhk8&k`rpS7oXwS*ev1v1^m6W9A%OhFuIq z^?O#-ZKfr+Mn|JcH6W^bYUu~o?9~{Fn+NqTJ>z8NCKN4W3WsuaivI$w|LTD985Y12 zo?~153+n%OP+;>(0~MfkD22*#V(LV$#I01>ZlQ;{_s$tuUlMoEQGU`eaYM*yDdJ)v zrhk2CdG@_&ZTpW>qv#RGWY71ecrUJWuNqMpp>^jCzA`HcHzCSUS zN(ye_eFt@3p72X*z?(a-K=s=qA{9eZbh*u)=LY>-QO*a}BoZi5CfsqPYLehiYRHN# z=vCf2!W{m~OA?wWFp&fy;Q&FW!O3AUQPE7klioS%`#%iuCEFK^Q0eFjiKtpm&84^p;IAYDBr5JV&ogJlHZt&I}}bDDNJGYk&$#r zytsF+hH2c3!J(ztaU?67?7@#xpPd66%Mnw})_g%Y18HHrlO48~IUso4OW1M|W3p4f z923ax^#p8AG@>fVqgs)55Ux~g{ca(wt{>e;=uXDaKMan5jmXSNH)uq_R>)LZr4 zpF6NC=a-#6`K{C~Tq`-a=WwTX8@;q;mm9W+6ttsTWM>3cs7wUvicxcP=~xWR&`)1I zx847e5k930&n4cFcn5R3}E+J_J!vX%6|Qn!RZtBejjp~vGJRS?ym z6T}jFRzf&G_uF!yS3Au0yQ^YS0CF^S4L#h}0@gV2e|!E;f&!)w!9Of>kw&oZN|dB) zvG|&jRQK!4Fb!3~2bf$M%ffgifcqCd%&=N$VVf9z7cMwq&dKpNBmZl#cREp^7b+Os zWRI57J9*bSXNfOWyWux4v23ptoWrt1uye!MvhLk%?t3uC1;P?%%jNpf$u17Ds25wM z%gE#wSGcT@q<5}d1V6YwHzsF6qzj7`h9|P<6R<_%3vc;YJ&Sa5)S}%r>u;^rSU&=? zN_uM;pWygMUskD)V4^IRcG4xheA#IjxK9;2bp2IP7SGgeQ>)T;>iSxdJt;v4S7YjOL1N=DySq6$Gi`XHDDB94 zy!v^V{^nWd+CU%2($&|IX<~v?ALm)!XEzy#e0F4Q#3TcXv%iJEN4-D~%kkcm*77rW z)U_T7L4paomT<)i1Us_axJ`WNdHt>Nhos;Zp}A4E_SALguF|~odWsxJ?0EJO-S|ci z>{s6T`Av7{L(S13ef`s8I8xnjh_7IvUS&a;1v*cEk%(;eaT`eRnO`S1$6N)4RiZAU z*gHCVCDQ$u%Ek8@HZ2=>RJtmn8Q;Y#&=l7$i1h|d*;^M13!Yl*+JF3*-Fqka=FCB_ zwV}ws?kkz@7t2J5#unSB`--N?1%xsb2NOy94w)o8BIU}yYAhPXy)Eacb)!x>^qO(o z9bnY9Do_qD)O9_BT;mC!!4vDf&oyV4i{UTL>T53)J9P-4vbZWOkM;?E;k^uq?!)q= zu8||0?rZKv86|^$BEFySrBo_%{p46mL(9S>y_gw6K6%_bmkoyAn|9rg7T_(%JL04~ zz8c)zXnI}9=bq()V6*7jPpmizn1i{QEfxKFwDM}KU=6Ch@^J~A~_mq5A=u? zNZ*}$L^Hgou6R`AYW*qhOS?fgfvVV55%Tir02=D6DGyvki%XKSI;<4_ftZ{$%!{8@ zyp*AvsJV-SjANT-Q!8b!`*ty26f1r!XcNF;ljdSrn!cK_fC@`4Vi{UlHuw+tL4xwP@u!-{JeO4)zDFN6WBZGyop(!n4CF) z*PYWhyLB7MhPN=xDfdH}m8{1t-)ZX(j~7{;&?$~U$R?T$T}(Z?;f_=Il7QB)#p*Ig zL^MW`4f`~m%*-H&51kOFDqqwHZVGMLUpO2&0IyL4fL>AE_wJo0!(l!B z*e#!+D^D;}@4fhQG2aE}Bagur`{5BZ-BsDY#SHKSUrY0y{-vakS0>ErareHcbG4U2 z3S{HLO`vIYYC#231fN0f^p^PF9?_>d((3+~_sT0$p!4(cSeM=(MQ6%jq0ClK{e`oR z=o%oj3YSAMHRi?{*!LRb^;-g+B^j%d7G~$xLF0u1p06v3-x(ghrtiVulo=ZA+LxY(j zt_GGU6_g&duM<)OV@J93H&VsqzUFlo@NuaLoHGe}FEaDiovu6O{XlzEYW($bhZr22 z#LDQK1(Qtg%Bq>T{;-3=XJh605m!(sNl9-*UfS{Hf~6%tPB39X(H*#-xuzo0ANSq| zyz+dpPmeewsPU1ZqCdXj%@YkHeWFB7uZKv6jo7Gv4~selniz5e5M-?}jb( zm9EtY_Sfr#JL5W7K+JHZHaPCVdhJ#IwC$eywaH%3Q4Oc|io4TB<|T=!&ImfWo!_ph z@7L{Ye*1v1YTYUh!^Cq*39zQt++eBKHxuCHTSyJk+S^2AH#awmOvR{x7}aI@rL%iR zfTx&LnO2YcUnrtlG;=ZI=lOwsPpr3*-QC&T`93T7E1}-~mdd?F_sROUzOHUzkPI$) z5kgoUXMoiPX%07MN%CJxrA8rAYXw*U1lG5LcPOIFR!d{Tz&9VP?_UcXsetDvb$qQm zG@r?jGuxuJHNUX@6@mQa7o*SyQ?cj><}_bOT-OcQ_g_h%=y9$p70;dTi*0664uZAZ zt1!=psoO~xPKX%_(~1X#j@XA{9rPAtISD&_u9%*-TjKyhaV;p(z;sr)@ugqf)t2_b z>3D|l!)I=lV7`nG=7K-|8mvuN=ESu{>Q92szRxWVf*;RsJ|4PCZ;Yu5y!j~`1}h(5 z+8lL_j3vCiwT6(MH|QP}_f1jWSC=iv3lS}r;*7-yzv z-O%dLnnvZ!A;ySw$a>3oF;>Cr{uzkcw0+iFpxdY<8CqeqTDSQ6P31w5K8Kv@j#(Ep z*{RlfC1@n0YQC@5LC;1u2mtr%8#Le+dk1X0BRH(Rz`-ZUyCK`5b$)ysJaB%|D7~mn zpDr#=j(ZIA#ZsSNnk z7hwXlpR7y~M576`NZ87<2U=t^s^7->$2q#T@^};jxNgJDtkM!f-84q*`MqRZHd%~! zWQBzJlZ#m6s#`O@u-!u)KyHmM<*Nu6ox&Aa8kuF@mwr; zoO}JzIET-74SuGG1d91f{yV_{%N1@x$U`u(Wr$$rMfzu6<3ih#w#fz#ld<;B^~eS0 zgZY{SS!{mK^)MAlU7d+rzEpq<6ft%8Lb~@i zVgqIkT<5IWN&~{9RIa=l2DySvu)|WzGR0-N-_usVcwel0&?y#V`kraB>L`b4Ml#xR z7S3WGvsOczjsVyTm8N>95rE6eY1t^2pV%?;TkR5GYzqowoO*EI*ReVLb)YEHEmh&` z$jx(9R2L2|eGgL&d8{F`8=mXBogVmRRL^-1b%5FKeDao2{4;{Cl3$|7dW)gBd5(FK zm2QIY=$o-h&2T1tJnzF&M zYIlr_YK<#iP&S=a)yt&d_jlid1GCQ1LF^E+Nw3Q+3Aeio=erCcc{G_R$U4h zofELBCF8JU#Q6rX^(Mqj0fPYFE>;uex{wlZcO6TZm5YiV#EY8xSW++5>=T{&cI#vI zQ9$ueac{rSlFqo{wf3Mkj&aP8Fs7^bJ;*yi*!}T)iXH9C<0ztsKlXg7G)&A(f%MBq zRB?2zM_hFto%S&>b&^x}##jfYIW~Uc7ctWq4!wj*FX|tvIITsSXhLPgEJFO#G(NTQ z5kih&1W^3lPCJsE@&Pk3$}cE`zh~k%&7au+;n>I?#m?i-9p2R{*E{=jPm{wiUpiIX zc=Iuy2WC|$N%Yeus}2Qm8>{{u_v^t=@VI)*>t{sz`kAj zWqp=mJ7V;V_6@tFkPd} z4NHgCiG~TmR|?kJDw*Oz2b1bIeM&)Z*e^%qa+mBO|+%ZH66fL^Xa zZH-R~MFDJYV;M;EymCa3`;T|blB_Br71w!$c!P^R^t`RFl*uhvt53qG++N?@nUx?$ zOp3~gB7NrSlhmsb_-zaWUold+lmIA*OcayZk1AqycCq@X=6XfW4))Ige~tYfBT<#s z&e*4GxZ{vfmp)Iso@e9GHRRDSE!C_^4Hez&A`(xy-8Xc6$;Hf*HSP^zGA$@`Y12Nj zqwVs@m>(g%o&Kg0HV!ksJt9WAg*CITK84SsZE8Qgc*Cyo@zNH$QrETp0drfLak`cs zPz=x?9L52WjUMk9V@ks>~Z_n`5VVh|H*i~PZ6{yW}n zb9FG(xpp5n6i2kpz(J+`CVJ1NLLCrPP4rGPUmC$@%wR7=XjzQ`jgnDm#og=iN3hjG zO8;!1jCl>WditE=w)p#%wfZqUadJ_=O)zMCL3tRJeFHsC#2r|YsEXGz;lp>}0e@v& ztrSx?_L(c^uyfM;wrJ*}-%H(P)UUiC2`1e#*mmXO+{3qY(A%m~#2z3s`Rh%#55FnB z>@GA~Zm-~Cl6Oy0P8(-;jaP++Mdv2CC9w^phhgV=;`9}2Y_qLm@r1|G%Bw>WCz~qO zk})aT>6GuBaLd<-9Wu51nnEY(-3RmJ-%mtE;W3?b-*T(F14AA4H(lZuu$1V|zLKox3$WIUU1OYCVm5{@#TVYvc{c{fh4?=!O0wI zx@>km&TNB4?a~@ol7TZBk|cZ?^vw1`lV@A=Ic?vtD9Ih%U#a<4LXxKJ-|V(0exHq& zQ&WDuerFKOArZnW$GG}nq}=or&68WX{wl+ z=Bq?Ol2S5Zj%@8DE+v!%<2n=1oyv16A^27IqkK27Ry$>he$Xn(6q8OFh2&gGZf*?s zNXX*H!trshOVBlPQJb2zdEb!vcCWun13E%!!7vkDA6_yz{9r3%QOEvb5 zpQR5cE&FR6&NCDGfiB0*oJw=Z;cTd3g8$Xid)vtE56YR2>JOZW!%gb|Q5=*Sq{W^z zBH*``mN|^?&rViGwXakFe6lxR6W3X>)Xu0~u`tBl3M85QBKyy6oEYM`GW6GTvA;jt zJOOuxc^N1+u{j1!6>;Cfe>nC*Hh=r8qt2)s1sw{f_AMN1mbEp!T&kJ#_BOb!TlMWg zv51#nVe?vJR4Q|HOT5X44>~{U+dp$*Ra0AG60q+u_jj`|sL~=)>7y<^_SES6!yP2{ zYnKc#2t#dn_R7|Q6lbezDCi=OK`u}G^YxgSJUDXnN3MqSMl{!GTx~;opuZx!|5waa z${dl0qGOim2?5Q>c3M~mn-F9y!lwW#KcU1Kcm?d^3_+$OJC!=GCXCuCPd}7BpM^T8e1iz+fY5O3s%+khdrg}TU52PUG<}Vb|afVWU6qq*xRB= zY-y`{p+aePi-tCOmpP$W!pWT?0Hw5~b&PL*+t6`6*a~r?GK%fM zH7HeGf@oZ9AA|d(mn?ARDnL!l##qfVmnofNj1ka7HewS4vh7@!6j{sYVrEo zE>pC%V3R5hugGAgReCU7R^VWBX8hc#{A>h@E~w7E%mF0;Uh3RqqZuZQ7jdSI>X{~P zzbz1*2tXV7C33xg_wLtg8auZy1$}R+s-8-ETD)b^GW1zC!44-mWmyw_-uF} zHN^3}v16s#joSUb7R(laI>Mu6cWxsC(1fb3M&qS=Ze^&wog;*ca(WJe$(EnsWJJ10 z^5Z7gedc?%SdcE8Fwe0)rd5!3)jS|{<@M{C{-Jc>O~qb#!YbW7ZcNPHcyO98RnpgQ zUDjqqM)NN9tqwjr<`#Qj|$YwqeQcQXma5Nk_yu2>Icrb z+`Ls?y;H}wR8Lp8y-_=Ble02jkTVSE$s-G)<1I_U{#`|rabd+Yc)V>RH%XdpanOa} zau<>NA^DfCN1!SUaS39+ewv_zw(*UmaBL`hy~Bs)NqdO?i>z9K3#8@*m=P8PVi6WC zs`9a2wb_oC6%1FeSY?*c`(cFHXFY-tR``1cWbdkQ@ZmU7KEs+)TfC*0dzHhXuvUA% zk>@u|4pnOUXdJH&9(+wR{4SH}^-9DPq~hz@Db>u&(a}C77hk=Ws!9t9b!)`+y>jwq zF+hC19`a_wb@s)CEYG7kKtI1gqSinZbXpN2hhC(oeb!6~8q;+}&*26ZbxdEcghcH( z-MFGZ=rkDZA1EjFM6f*PasekN$nVDkY|5hRR!s5tQ%#PQ9j8QU{g6*7crLEzsba!t zg4|8Ni`CCDg0?nPuIZ5Vc z&T#@KX$$pFFR*|5mJ~_bUf_Kq(oyZWG&VS4FvTlNH!k1T0JG`#)XywvZqjcdDJGKV ziF02wLb&o3#e-s2zkBl{Je1l_pA1nmh=b5`VT|T)pUUf~{BD|K>S8dT;{MJp7&$ou zfPAg9cRHwh{mbdQJ%Cyt_Pe1WUKJ&$8O6##QsDC?N(Cq@(%iPV5}gKPc}9fzM!<=y zsbQ#6VEv6vf?DcdQAb@nRrbyRjQHSEw>7!n{5Ae@;x$vb zXh3UMM)}j+Fc4d-?6}2o6(XQ5j?xXP7bZ3A4O{g&e|xr-wu=nO*ViBPRZCB2d=Y=a z&&y`oXnf=t4A>rX(N9q$V-=RHw6`)OfF9Fr{kE_#w9V#WkIq)UQm1rD>^G^Y%2)ao zjrS+RhoR4+$G8GNEiYCNkHZfR=0({W;0{747Jy0 z097V>79st~C*7|r%X`={ZEn{WzNa)@dQ%AK_mAAbc0pb#oYfSciLUP05(w}nuJ)zh zMbl3LLgDp5vwj<|Hie!afVjn4d9az;>Dw*24t8CHYkYImQ8^s2*s4>M9$=Lm#uDrQ zBBuRSQ<&F=#sqFYt6B-sac{!)*@5B9r(8P}caI0;YEt*+7dw`^2VO*ykO|nf-pLy! z$y*9(>cTTMHQi#PiM2xQUydU7-u3Nzt)LzfRR=WQi{~?fnaqSV@RJshwvqu~K@HDgpf`$ECS*0GFdHvy(&sD5rp#$_QU5kjhL>+Hg8x}xC?Zxxj103C@b zsCp{<;_ay)6HjvLS~SHsGv1t7)7H|_+tC@C;7M3~S4w1Abl;izAr@v~%`@UWpom~T z;iO&FcSW%~0;?}A1OOJI6#e|6?{?X%}#GP z?Qa*onB<4Q3NOYPiR~k8?#rgK2*bjxXp7_qSNDR_8A1;{Dko&JTC@}NsnPb=6R8-hkX@@tNlch=@_wl=9cc}-v zco$idSI@BO-YhCtGX#Iad*{q!HW5U;FI>2At{dJeS#NX3C0Ax@@Fr%UC~2+= z&`+o>ya+bA`Lciv27>H*VlBQ!rw2)LX@9z>H){9wn&BX7(A4eV97?8`@LO=FiO5!j zvcEw2S)_Nk`06kUfe!5Oq-%8``ifP`h^z$t*iJt7C-o$u-{U~TF6iISQ=R55;Sri876fl?N;liGTxjLbI(!Y zY^R-4g?e_x|Dv4Gn4>*1*+rKI8mgL?uJ7-bE4WCV@U)nfmn6bn{1`WknPdL{XnXIt zCbw-}*aj+ni4;LVR79kSNRh5AML>!my-6>jiV$iLOAruHkzN8yG4$RcbfhD_haxpV zfB*qPlKW=e@BYr-uC)(%&ZmFMo43q4<|xne%rPh1KpC2T3o2oa0024&&&?@2Xf}BO zK;ut1M0d;DSfpnQSk*dLqjKm=@va_@-gW@uTl{Pcb7I|&HX49fBo-oMgn7PZyI&AF z*c;UfvDni@@ISuZx2R1|r@3a4ITqC_+)#M&w2y)A|d z%act9f>-iz4+hjwQZmj%^lr;a@G^90i*Tje>Y&gdVX}=Bww4GM;n}#Rh|&ahzsfxw zYG|xhSSG|U%{zU!b;DbWW6<-WyPEs3Q$lEVkr|1L%qI60?5bLSTZYP)ZPu2|GWo1J z6Z!vo0rXb8Y%g^nYJFVl^-hz1e1KgI8-#=G@9*0iL;7-qlKtmSeNKDYdj4yIj-xG< zIQY$gcOV_>Iw^Ab&GW=(U3JvtR)g`fWINfDr8=D%=tSgmw{|Ecq%@EFP|WN9N^YkS za{}fPKW|O=ry>MU<%pSd+xOBdCf_1f5XTE%zU(F6*_$pY$9b&I?VsH3tpzOXwyO_C zzLymDS8mr@;th^AKmpZh!1(gXW*ZYsErgUy4_%a%_Jl1?nlFv-R6#iy>#3qpBV4(6 z*2*{~sdBw)lj`>TrR7^!%QIn@b-+|{Y)pbM*Nq;ShLz|d&&MWCs`ivVNBMT5aRe3BzBHPNa8Zt&Z^&H z(s(|7vr3zTGBu!IO7NC-Ug!+#mlVwus#d_Pog_z>-cL#D*jMUihzdMUS6*l3i$ZBT zjXB~R6USr#Sz)<@L$WC;d*>QTcyhp30?Re}QWF1?W2k$#Bc*lH%fax=e3ta}HvnJX z-wf4dckfs$PCr-^Cxg_8?}wm6<8X?;(=!Xk&z=;4bo2%pHKKRb)F#DTANhhTY1EI9 z6hxmq@kaJ|1~Kf#d~G7%QGSqlN<+Py8cP)2&l>%*f>EmD_q;2Mu8~fz+Y?3R_&LJ7 z17sq{B8Qx@*2A=DQLG)@zN_EVNpnaoCV9qo@u5-taor>%BqiCn-uQ z%PgJj+)ogdjQHM25}ua!{iPppdlZJ@oibLU9x6+Ms zv#LKCU>EMmY5U$y^~9vom26eN*Xp&l++?CY%@gX2dBqIygL<0hQK7p{?Bx#BA{U=+ z<&+y~TpC2>R>h4a)__IF+$TDA0?>l|eCUlo1p6-_)?R3tC!n(p(+So291r$wzrOP% zWRDAgath5H4M29f*-p9Rs{p4xJ6_WNzP@&6*e|m~W=X`Cm;j{)(WshVd)G~aZ})Z@ zx`;gA&7|*9r|Y?$7^4~D>*`~LuhNcr$yBIR(e(+F5Fw(FF;+pBI1XS$RrBO19l@$} zjB&$l4NH+|K898{=y|u{N)7m)sJgBqh1d!R$ZSRuIcXZ z{YzqrO^6UaLf@65%l@g9bs!S=`;|?Lk>J^68P&~hphTxd;dG%2%@_kpzgeAIb0AU3 zpSg)qOK)8FhIQEm0hRMdJrg6(*#X)ove_7qAA-=vmz0r=HCoor$z}m{toMf;*$QJX zlfC$h{Q&SV&eImBcT(0Pr?HWYX`kkS6hCN;xb3`MR466-Ls;4RwCkT!(VE!c(V4ztWbJZFVy@|)aeJeH zw?pihgH2a)l~--EL5?Q=d1T900%iv_YXxtY@K{8;A(Tn{0Vpeh?GtwQilCK>u<}Is z7h@oi*nf&*JAJ;vE;GykGyCigR?@bcqe?cvE}NF6%G41Cz```&I$52OY$J7b)jE2P zC6nHssJQ{GvE@idTB$K;*EjNxvq0t}*j&{uQ$zO`X2!(%3?xw1&#M}lI9shHJ-9vY z*>@%8OD`A=P|e{Z+DeubHRD$4{xL=-04Lbt6>)^PGk95jL|@d5es`NW#$ijw8Xa9ZSZ$PM-6CM_24kpeo# z)FMZJl43fH#*fnqB3$^G)d7C2rl=g-3}H?u&g6!SF04?+%B;433=qtd^E~c@>6A55 zbd5SErQiE!XAc}8Jjx5##1{K^0sPl#3&#td(H`$9Z$DRF87G=LeXNEQ0VN6FW;b*9 z%3s-uT--0LE4CvLr&WfiaKzIWy2%|Yv>&YcWhO!nWXm1krYmtA77(43_3HDnm4I~4 ztvSqVyzTkm0qo-+wm?DLmJ4rezFcu1_Wh#kTz8O{?Sh7U5;4kmY>^fX1swM`2f<=f6x&c( zAA}IqvF21wfLQr4xkB_@y~&ru&ZM6+ecZZ0qdS>I=Mn%y>INW&SqxDZf}sb1#DPfWNv?s z?$1K?$4k92iqx;!n~&3|WW+_V_(Y#*(+7=seoNaJGa+07doLt=BvH>0T-i!jIs^$M5-;h z4tYn+&4lPoW)}WQQNs4DR@-eklQ)si(Aq8v5T5Zu(W(3Xaajxi*=8OoK#P>EV4fV# z@vYQb&ZMo0-*A(_Vcakg-M97;rA=6+Y_bSKWcJptIxhs zuV;96Vn5bQHrpX|OM0WrfIdiI3BNu$e0F18c<;FT>}1^V4OP<(E~daOBsY&#skQVOyF#xPI%YbHmNnk2SB>!S#WQqN2k~ZrPVgQr_IZ+xCbkeWLe3jEJ z6kWD4E#U_L%n9qbdt)J5j-ug?#kUw25{OMgL!Uf(@~J3lO*%3(`HCPPq>JFuB`e&L z(ml-r%4L@J;-^<;y2mDagR6o7Ur^jVfV`E`o!uuiLI<~JDtPgG7S!B;^uM20;OK42+r~}ZK&s3 zr{3uU^mSjc9iUf6VRkC7EY9LtmHL?yZ|0>ke!8C)j`n*Kr;mt6Y>8d#{NyfFhI3vr=36MK&7LP}EanK*>MTOX&nJwAwfJogKh_?#_^2E+UD*-+4@pNNfWk zsu}DC^hdxYgdSF?jRXS@1r!{yH1f+qMfS?s7E_)hMzytrw&+AaO({o-K=Ei0$SN`v{R_b zKacy^I!Sx;hhM0T8U<9C!HeUTfm^prSN8DP!ho8KO<1(IyDbyj!6vzqSaDYt?n;4L z%2QuTwk)T#xvn@h15$kpFb%;=nuvF{eO8SNFx5T3m5I~QPX?yNrV3B$KK?V~y7no_ z`%g|ik$aqfX=f7jcH(P(BMZHE;6!6=qpn%5?s3W+K@>qrZ!djLG7Ao(#>N#w3W@yK zuC96kK1sAE`z>sud$;F8SHjt_?y&VWNe-xs`DCV6p3#~a?S%BLtzqYoJZ$o-XIf;{ zIW^5e)5x%Rro`4sCSGe<@P?F0;PH<_R}1@CcwevLE=J{oQcIY(L>$^W^7Nw^ZVU_! zwSMfRL`3zS@a!Gj!GmQ}M6@!(Ok=3a8|j*PouqlSTba(NV%j%;czk{% z79r{?(p)1;Sa&U3K&nMu5J~H)4nk{IP=lc z$ZvmRVU*@O>~K!(rU_XuQ4hUWLB(_w8~p0zZ?rRUdE=arp`gjb2UJ3=GAjd(`L7E6 zAB#j>=#y1j?M*gE^_Pr_J~u4)U4Gwfl@@Spo;-W(i>BSTNqMkr6e@CeUsp+PT2yjJ zWhJ)&a*Et>h__Mw8*?;xQAiRh8(-{HHr>@%{}tjE6mI15FWi)+sqW$ZZhDvsFy3Mtz!_19Au1v)(8#$W=niTy*#C z^xI;djnaX+g$Z^qu*^+Ezme)dw28w!=$$V|nd_g6rEAI4S@bz-RDn6R-O8dSRcQj$ zpQ|l1Q#FPj+Z=OPJ|%LyU2irOnvxZAcR#5*>S%s(YSIuWU7~pry!o!~BdDacKS4TB&id7X#&kBnO;j zL!AQk+3wJ4nH9J7K{CP15E+41=z3@Fv#Fj{kQ@90Mo2fk=~gGD@mNO~h^D$jg;Cbv z&6;^kYt#3%FA+~GVw{Go-KNJ$5j$8-yW&kUi=~Orx1To2;48IJQ9BbGqhG-p z+rFr6#erqB`&3)@eU34WCHr5iP=nkJ0&%eO%^`}$Y6GC=p0QUDS#d*1-`VM8CILz( z$N{V%uU{4PJZrRgaAAXe#DVA^ILltcEv;T!RCHU)W9V(8i{#3rV7^TDX5R&q*LZjF zD~7J$Cv1&w479A*?RJRI37&@f$@n-j-yv|A)-z$DnMAi|sgRJlA1xdZ8f$hxBk_&( zc1lQBQ(oH_wGm;~EN?H5nPQ-}>n0fNyfb2cM8I}p;qCS{{pa8gZr|UdJ@uI|>79?G zx|fSUUk~X>Lo%k0V7b0tbqT@QkfZE}(S3L-(j?zuv3x^+df@SFX12%ht1tCwC%vC! zhB1UqV(*#Z-%Iav59(yw14_wb*P+iv&>CWOS71I{o&(BJu$HHB_u7)|A5Jf|7;0vN zsOr2-cZc(q7$<;9!4LBS6VNm@Axa(0H_Df1WfgYEnnM5K3V0F; zg^HKdC|6mV9UDkF+ecB+|8A*}Vp)eNLBGhJea0I8UcF3_UWRY?V_&+jwli{|B1_#F z3GERgcUklOmXz1xZ}8@WTF6;3qdhr~y}eQjeSM#u8sW89&SUZmuie{=Z`eFCU+T|r z+s8hj63xuqTzV&{ncjw-h+ypp^|`qQL>QYpTT^Kmf~vLJQP$Qc@ejCOPdE;P6EM2Ah+GDbWKy2lcV$b`KgMKk*$ai8C@LRv)+ES?+fjG zv~woh2J%+B;$C;2cA(SN^W95j%g z`=qs;*)bC;FA3Dg2KmDKvDy_=z`L+QX}yazjMgmT683-4U}}I@l_-`bcN)-28Vum* zcv!6(=gzM=c0-h}cL_p1^LV!5qu({jOV08#Q5uwgFnv`NOGn6`bPCbH2hg3>rC zCFSY?A!UMsW-6GMAkMlz>@v6PudcT6p@=HOr>>@J+VF%Z%Q-Qb*k?AR4-61_Nyze!F)r zg4a_$8?gJ9FfxR!%TQ0T^+HBN@XWzW*@=&0K7!C5;I`8Bkz-hjjgb-Nw*FRFisP5} zdENbWWVeePU<4`OAE~_c_50QOwS#U)*be@K!R8{-QfZRk?(oKrXXw72wa;IDP~M=F zi}aP06p9w)AGV%gPpDVQ6wt8^Eedz{eECTxF_InfNz_Cie>yykTeN8%#udrOC(f;! z*Dhmlwab;r*3htm_WRn;c#^_|O{7M{NGdQ{R@ysTFWdNj!yj)=y^IEp%csbiE*0%* zS#=ZOQ_B2(&)_d{gZEoRC~n8yHr0>Dw8y^`xU-GldiptozF+I9^?>KXf@c-Ft8BgJ zrqw8-p*)HxPy{R=^jx}1%mv4q{kke&76bD!_oZoY-{$M=!NKV-Ql=1xQGU(Y=RzIA z(AQiMLW0$r@O^-6%6QJMCOYxio8-8P_mQK6x!N2sd05x(=PE)JY~ghjELX;9B@dD- z(uNxtx@*`DXoI69e5qo+-B-4!ldgcHbEmys?h2JT4B^SI<*aU;Hhz@lH&gdGaC;10 zVQc2AF*m?8!7zgn%r85$=eN}vu zvDuK$!DY%DIPaX9ZJ}_sJub>(&`AYAh8uyFZ zm<6I4J46oxg(9HU;y(7NnDJJcN~|)qR@*ku;1F}$4j}Qk{dTp~aqRPy+aq5;0@->9 zE5^7EwcL~Mjs-i;j1>BHunjH)t67Jyj2M^8SQ4gV{E&t&(<_+rN?I$!Kmrw#q|_6bWleLG)HGO=8_=TbhPQrdU4o%}kVXs(t9=NA zroPQt9b=Em19A4M^%d5LuG!Y+xNMzl0iFB}E7UvfNFaO6}bC_Np5MRq@o?lkg85hR^36;F40f-YfMRexsG&@sJ>7 zsV(BM&Qd?;z?U4BO=&fxPj()9sX{;4^9WN%t$3;LJ)=4QPx$RW))(7?H^o_LqMopq zFO;vNa#QD2gswXPDL`8{FT4F6kJ+Gf&#*CppV;TEiutVB~g*MLw5jj>*q z9hI{UUW++@L_ptpT)va!9LI)xvaGYhEi4e3hy`a?$TlhIF7J4cU&PVu{HWeLx~BQ1F2e4 zK4@2472sT2kqQP4FDy#`VdW<|EW++um$4flZXJD7IhF#LyxAYr+ ze!%{e?H7$@Pa5Jv1bfuZ>NPr zEky1E#nvj4U+4!9lq|##gMStwX5uaAgI!(O#EjPg1r{yfHNz#dH;OT_yj;eDG#5pl z8Jb;x91^a*CKD+I#|L!jF|vw z@+Avs(Tex!eQjGzQDFdSDq#rFkxV2^r(2>}fKvBn66z05=tQT=UOQZDz;5_idudKS zF{-fUtUPufM9RY(gu_Avkl+KKFrR0S#BsD@uTQ#*3;W!{V^|jSJ&WfwPG)D&)S!2) z8-UGO8pRd8dxc>LeZcdz0;LN^L~zSN=;?YdYna+Zi-M-CiUa5!wZYt3uWC#r_q=EO z2I0|uXfQpgbgY|p;nx?Xoe+IUlXeli?}UWsB5vi6dKnbk{-LcWE$svPa6c|0`^$1| zP+hK5&A#Knd;!KdE-OygBq~B!CXrzVmIA1MB%w`ACb!|XHAAaKU}7UkW^cVcVj1RD zwCS1S0%TwFG$0>ee8i8Ng}cVIif3hWTzVh$bMm~tRaz|{Ho*fPUNp|F-d*dLrXF|v z(qB?x|BwZo;})uop-(zy{NY_(3nBA26{NXgNR*pt-TND)VVVy99k(Ll|T*6 zgg4$SHK(m8>-Awu@H7y&X(_DlQ2Y2Q>Erx6|K|wg!a+(}e?^40kw7s&R4CDT*fL^} zp<#_waISCbAjm}1XmWb!e&-?0=XXqZcv|c+&Nr= zKzH5Fe-%7(+l5F=#FlUFE3EAyW;feb>gLDn)i;WgX6q`sOay5{ImMk2cgmAIKT1qE zdwSIly|~NzT6ERm8g*vA^YfkdI}NiuH5OE7KH#jIqZT=^p;Dp=cX0_m>Jn&khx`o?>ueq74I-pm2Zy5B^>GTCd3fux2j z6s}u7eGQ}|#V^Z_*_52l6eL9LUL1QKyq2ukcWn-kEnR{Rrbb+gDMvs!Ig@OMR5HRi zy?pn%5whK~m80oGaC)@IlZ!EZ;Um?gd*+#QaFdwR-3_U49yqIAE8%{oO?2)NGo zUt}>D8p`VQ88Y+%+hJ8s@0@8bF_tK<7GMR^nOUdTr0_2wXf1HK2dTZsIR)!Cygqp? z_y}c5f3{pHb>(YjB~6io8_b)vmBEyC5A=Ukco7h11g2!Yc@doHt|A?FSC_iF@kJG&XUNZ+=!)xbTelvc z^+x+dmkks>t!eBENh+`{yk?4CkxpbRV0o1dT^W((D}KIO6AsjFLWZu7fx4Q?B%5cr z;0C&4LWh@<@?Cdw5ZC0aiQl%vOm)p&Sn&;a6{)rURPzz*G&|iX-fje&zChf?@qu)| z(#G=Tid(BO%(a*rnEbLh_Ife~0IS|GCHfZXw`+z~T{KHt zq^GTZlFhG8#nQ_Spmqfl&$7?OO|robVpLZQlb?08)3-gk@r1uWz+trHk)hwgc%xja zWu(!KeCh04W7tNic92oN6^~h9(SbrD0cww=^zGBOP_)g_kQ z$bd>m-vU01{F2~ce+R8sk6m4}%9L>9rr)d9K2kR*^9p@(v=Q~;C0}OHhwOQ(imxRp zZ^}@*EAKgWfJ3gS#91Jmyso;JFPNz5WRlYL9@96X1IwA(jXk+3=zM0#UUMdWrn{gd zG7l{gxb0?C-fPFEk^asf4sZcDALObUEtrUbk5ciLp@EomZO3=2>krH0fh6n{hzl1l z%DaIyXQESXZLIQ`&T|)jjMYHR2wQ|@tJ=OtqT#_g$;o}OONpe+g8B=uSc`Kdo9G>x zcdWwjXYy z7i&Gj?stL;f)~Fq|tO5$~}BaT8Lh?%H@R zy0tM6V&|)TKy_0J9}TKE9*bwO!`yj$TulM(XSys=>D13voSiS4RW+1l3bKel;%b)Oyp+o(#)EeoESaRmmiS zfoV$|zFVasW1vMn*G5#f%`BMz+zdttet_9ms9!hDC;55D0n9i3H_xH6~HTT7xsjqnx%`LB6 zI6QbDRGx7iGJCcKG4m zQ2k47H9$SR^IffG!3~r&bm6GZoGh74DrsPOP6S|oy1}&yI}coEYsBCk$Bq=Gh4OIb zB(Yq7_XUervLtlYPPdnTNap+lsXcx1{ZG>J#B6VEN^VcT8HMQ@q7iK;aIx zk+*x-P-;@iyfXhEJ5n~8@6SJf;`Y*!^*IgD0WZhS?R%n_?P$uNx6@#j?M(C?M2BJ) zj3a`ZxcB0H3DBp6Xa(U*9u*<@H1*J-OJkL;Y2vV#x<-m@O^G?E58SJaYpqc0rrPrT z8yk8(J+eANx0h)HjI~3ab|}-=msE$I4PY-cf7{*N1CqLb?M2=|96L}}GZ#%i9zlml*Oy3QsU5}y4d5nJlimjerUnw% zimqlkxwRwdvnJ2w?NH&EikesbD8s>;zSS85->oo30@B1tjuu}n{ta(eNF)Em z;mR!())BO`GPEOe@y_G09Yr5VOHbi0Zay}6Ek`Qvcmj~XXf4~BEsiseIer>tXB{mv zNLw*}xc{iJ!nc&DDL(zqw_aOvi$*2(34whdP|-CsfMuC-5G#rO3l@{X-R86J!mKS% zY6#w-OptoIIF;8rKXJoXtm$U!E^a5s07iwKBs`kTT&+MeCWHA;WJeialYSvc9>nef z91<~dxfKD+5U?o4pN5h^)I^`%)C?8Ng$*J-)r!#V71v==Q(y;(D)rS6|6rlpcOZ}( zYhqnEAj6?YZ!}V793jQzlk-p8kljE0v~Z+kbT$+aovwozA3b7lT&i|9>4i|Od682Icn zYN6r9sV~qUstbD}1u>pcRbpmyU03u^ z5F}DqP=e2CeIDt!CttSyZmhm@NJ<jyTO03CcycKtf`Q!}2Yv3_wcnr?3N1Xg>Gq&tK@{+WeF|X}~KsO=vygnAT z27o0zH^!^IGy1$bD194Jg_%5gPJZSlfv?(Zxb{n;2hXpjFZ3>B0*pQ0Ca^ z^YxLeIvlwqV$N>YU;yRN4^HT*k@p%l93YfqA_~!dK287uA)}+UB(mn+UmMO?VVkp`Fm! zUH4#wNZX&$dCL+6yy@0W)A7@u@^peyvxCk!^MwJsFo`2{j%R!=XG;7r{Zcmubc7V( zOn+r9iF2}s>AC`BAk|X-_gJ@rM0VEfKXMS5BIkp;s6l4!O<+ZV+&Y26?>Z&Kw)d)L zrpum0E}$vX(^aLq)2dT4o}*JU{~4rA+1GyhyXESSo|^kiAVvXv%SJMwm}poPlSy<6 zk^lw!n+W*`nb-pK%U|TW04nP|L42#t#|V|;0BoM8Zh_^iWzPq}N*59#)l))3i=ce_ z#mC8()!RC>ViVq0;y@Nm$)=%>V1D5??bZUd8SiN~ZCQ(^R>0*oPZcwdKY1u_Fn}lQ z1tptiZ)<1k8$DUDgy9vsDHT@sqFAW8Yot@PMcH&5nR4*ma87dVF3^bCSV&tvBc`*^ zeMqZ4(Q7-65K~A`X@cM&wMtKssKwMPd6B=IOGn~!DLTc z$v3J>E-wcSxIG)U|Bz=lBL7N{UZ_xM#eU_yft+;;maAL5=a z23A5h%w?|+-xSM{F$Pf#cKQw->^aFdkW?>audjq6xuh_|i&Z$-#zxl5li<=}tA-vP z)?M!jE}}}6v9ETsTu+gDPYSBpx-$eDf5D8|%|ZEqKXwQINA(OWM_O`-xt1w+3?NmU zhr*d&Gso)oVQzKdY7?&56^}E^-2qfJbn=1>hZpN|@{HeJmlIDLux{359f6aQOFHHc zz&KE5eI3maOIWA85p;ALnPFY#)X2pNUG3Kjc4%yzRUvCRG6&V(xp{qabVb=cG0(uy?DuZuoV5m(bCE#!R_&k@KWrU+F2nF7t`xP zTZ@DR0qWB3Ae;m$H(nQ@gV()X@&TP6qTekr`7LkO6F)@XvRC!|;X<<@ol95zay^hf zl1EUd{OQkzT{OAUSR(19VGbL0f6I9lEbCS$72wxcn@rNm=si?1f}YYI?@j`^B&lro zDxepab|&vm(8rG-ox3a%ywTISIvf{bML`i>2{sF zwpjDH^X^kt2D-GUI6-U$p&2w!qiKS3D2CV>_=+}q6QL{C?z1W&nzN7e6{u*c{C;pv zf0bSPgHf+YPq(7!V{%TtRHm^L$-{||l{H@i+7@s_SH24#EWMP^Fs_-xcsR-2-0aOG zd8cL)AN#Up5ZnSZK1gm>uEKT|Rr#8|NAhD~TC?6CL|a8ikQPE)qD)`Q#woIUE4noC zb_qIXgmy6qH4|nt=H>B757`6Mw5vR-q`hPHe6qsMNbeUN!a{qQ5PHClusb46jQvs% z%VpN*hL!J*1j6Q+lMMP6va~4&j&N>?RtW0%&I5;@{uU0-9Kemb&K9@5 zj80_rGk=@Rv8`ves7a-+$Qx(LIV)Cf<4@HDfxG zv=m4#R$uv>?dntEJlFTy>#4zsjH4wc?#7YlRi)8M&K+>?`GncpM|aFLu%-H|7PF2I&BZNT-Sm=J4kd};emfmP3DPUZY)-!fh0&;mmZz=Ya~;k+ zt}>Y^yh*-CJ?!=BO+>Qs5F0w|RT#@TW8&hD{kMfbI3WrQ`ZKscUVWb_ydp8=W&`qp z*h}OoOwIw7`e@|tg+Qd|UfVeN)LdL)PYH<@8Q-iOnGP~grP|ojdKftUObBRQGtCrG zJc#4B5fF2H6EQkR({3_W1k!^@m7d<19PvbVVrV$33?@!3uK{rP^xj#qdHkxn8z+gY z^zi6su*6ycVxdSe@ZxaVLD|gRcFU*?4+)b{Z!C%>XAjGPF$VQE9vt^^agJa35Jk{t zOpFH?P=uT;I9^38!>LVg#u3$*WI!bBM;& zMD7~s6Rv>g#5U(TuuCK0@s(yMPq-{iUs?wr4uesX4RER<2xL|12jtD%SZ&zkEulua zoA5h*HSo<^#o`RkgFWg~XGu2SK3sWI&Qq_?%c&0v<|+vCb0%ahS& zd8S6E>2q zhTw=ipj2#s>DH?wgXT{i@#EZ1aN&6EVt(yScOfWt+taWwiiBdd)e|5clgM_ky#ZrC zQ^U}pp;JVUZ-dCP6f@tN#ldhZz?c|Q&mw&gd@1RAq8-mC))MNkova98ueRf$&<^iv z;qYZl>@-F<&|1CrxJbO+O&(|osI{n2299qAlTrH#?JuKat4Z9b-@pFNuGrMrp z{Qwvg9xi(p=DTnC?UTj5c5P*A`638za$yx zebD;<^#V{ZeYT_KW5Q^ZqGvOjWxG?36n*|p2EFf83|XuiRHF7|b*m`BUh`p|ydcTt z^BxcJ0v`lSzZBnA!xnAvb%5LG2PgvQr-7+!~k32w1(L#7k z0lqPBW>=CV4}t;+M3->Iv%d5Z>lqTpzoB=b0cZ6H#sDGAMdhs&CrizoKcYPI#*gUrHcF>}urvsZl^<4q1S3VhlU=mzgwO)OfG(+kg=?#BfKs+0 z@3e6T1m>r{Gd2T|Ni<07A^MXyDxG?`E=E%q8ePRr$Ou|)R`xZNt)Po{r9%8V0(F=l(un zO!N@FVaI9USRKsq5w0`+z`lzSS!hoC>IaVqUdKB^0Fp16ukvrl+RSSM{piQrE*y$= zZc4AddbNS8r4*6XUhf z5H`kBta5}lhyTV8Q0vGYGimU3%6j)-w)`JIIw_H?WXbKhZrYqi@)&tSLoOl`3T{@V zF>iT9L6U@Sw^gpn-pnc`EW=k>jxt&Qa*a*d2^D$U2BY|hBU#s1L4UP0KlW=X(b}T; z%rDJM&tm{~mqisZ_5S7l@=@5ee@Qsy8tA{h{s=9-&U=KW2*BAe$P?zqvFe%1ByRR# zbuhdh!2dNeU5Ty1Gi`tq;`v_fZFUdV6oP7t`SbZrt=5OdB|3#p8qu>*U9*Bkb7)&I!X)zGD$8X%6Na@!4>$?OAP@Zb4sUG_e1` zfD6vFuP}|9l+$KW0*L(q{nTN7ZyUZ>WAZKfIxcM_8U}47WBm zl1$?Afl7~KpJtH}*l1pu*Z47bpkYAe2yIUO^-;Ai>1^~_l$aXbjE=xn04KPdU>F8c zU-<)iWkBz@>(-S^(oj%7R}nZg9RBOHlZKVT;s<&_FmL22lgCmcr>GdXUJWIR>T&+Z zwfS$W`v047e^1759T=)>|N7BKnW`gRL+LMf?GxXr%%VSk(ZT-vX#B^g-3&Vs<9X3Z z{FlD@$QSEg2ab{9KkpQN|46yPua04D6@`V;z1FHOQ>i1r(l0&3W*w-b)kmk8Z2kXr zegD!u{@aV68k60^NceC3rn{Tc(bbmTtWq8X&h`2YBZT3*^uj6etjaHXsUyA$M-0hbW9@g|T?g(axwOy) z;lnrAtKWax+yc{qyZo)0`a`C5@Yy9%{lgYFX<-2CLiGsi;=S6_<}JOw*y6vX1UJs^ zR=!rcsCwALWZ`7=P9z)jtHZ1B|mk1Mg4;DL^;$Zdj?EGyRUE;n8FeU4?Y*(J88~@Ef22RZ&*%}e@hZD#C`}E&FMMe%HSF8>{ zRK1OCtsK8}a}zE!w?OkZyT0SU3nt${(~!=@{O=7h2}0T)1QC4de(0rBV*agYRa!CQ zJvnAs_gm+F{()S%+(G5bUwCkA)^J6O9#Aw?LUPRxe}2-VDPT)}LsTJwN!!?=yeG{_ z`R68}avvxg*Q-H-1Se)fBj~<>DekcEe@ZxWduh00Ob_XYYd9#6J%ZAC8Xw5<1|Dwx zn#AS;*lFm`rwgj5oVWsGq0f;bs!n?!1^D1&_D`dnFUa|uKmB>t1Q|T-f16Lj;(*N| zX;8MEVZI^!kNW13AK-@=%;2L=S+t zq5z1C>bOtHo=S<>PtW*ic>nvg_#ZDm!+G*Z2Y? zfBT<%K!Wu2XCpquBmKuw_~||&#-#lQtoUmVhh{c^d#@wC0#KfnpFPr*zk2^9=2N$t z@)W%fHLt_G*FTR{jQWY+WG=TM{*PvnpVQ#9gP|ysB4_Z6)FCfpmhD2|GR_g%ZQWqM`&X7>t=cX@_QbB{*MWx*M5)9 z7X!G}`E7zj;%^CjL4N{8Qm{pO$uGi@M|_$4{O@^ye|E>>j-bBz^;PXZL-*}`i|FbR z_Okr?#GVQ=BC%HbE95)B$yZ)_f0pZhp0dGj39tU2nZA8`IK{gkckGCh^=n=y=+NAoF_-iBj4-xO5mV`PL z$z4*76)F54cj@l`DF5WJ?C%-(0ASo_JYc_P#gc*)u%g0_9VOoX`ZX+wzo=G%(de%+ z8%G_<^VM<>2*%%$CyyP`5`M|2k)rJ9;Z&91k`l{(rv&Ks@2toEw~5R@ev`M0t5TICx$GdIq(7$=#D4r&Bg2vIeuh-N0;KIMGWGWqu%y)* zWc+*5f-~pekP_A=8HfLzl&uqoE73RM%NVEHZW?9uiO-jUZs&uWpg|ME-oe!h^dXP^ zc38Ys-f_8`5ACuT+;0B*{;SXqltumgAIFcAMbu!{E(ixqSh|nAVUwGe87l5@?b;i} zb#$1x`u=bH50}9E4+xzZ^s%wuk*vxEp0OwxIX41#_&pw2k<#LGRtnY$b2J_m2{Cj40^F++8vp!tJYsdbZ`TrmP$zOx+o5d9a3f%8XS6%!c1)`BV zf8(?M{}`;KKLJcA;@hhdmEVybknE-)^|zG?6enV?^S*Hyy>it2^Osx#@bYQ>$5(y} zq;g709uWH3N?BL_j>=fBmC~Z^bJmYPehZBFqIO2`ed`1Fjo%i$f!F_mjyUlCJ@H%V z9+28p{w^ra)Bn+@h^phqe#dg6yMEmN(b<*%!`^pBHMw=`Dpo{6K|n={B3Nh&0!p`m zbd+AB(u7c?mr%qG2q;J|K~X_^?+GZqOAS3pfCvFX2oNAZ?wfti_l@stcM12N_s1P$ z|6>pm-mE#-oX_*Dx#sL-10@tZR@gsA1gAJHApCISyIY3Jc0K%{JbH5B9?^lusA8~K zg7SU~70_4$AC)Ccpy|Nj#3z8>A}W}x;IIT0fF-b5@_{8su=xk5NyM9Oc-XxB-^g{p z=pkB*bd!7{JAV27pFjb=)8EtGf*+!gZffxoy!@f?LM@MxkIMYzu5&TQHTsZHNE&qQ zyvAt0CGjCTPhAZz$II`7cm$u+?8K+$P6?~Jz2=WqQ%ksb{LfY#%dfIa5`a#6CQNd50ipnl84 z0k>}6i=8YNJ}nUVv(u&1u;ujAuE)=pW)ZHtjG*h=v$$X5L&^1 zaE?N^)g;hJgxpVAm>Xa2z=uk6OUp~S+m@_4cpe!V*iy1%Z-T(LWZCi}4H>rqu9C|Y zybKKumj&AYX2t$x(%e`3Hx@Q~u23f8u?FgZIa0{^s`a9g{-zafL9BXa!h?nOkbgaktgySRLUy2j|;!#c* zCRe^~5IafZS3IG9uk|NAp%FnzLwUwKAlwr?r~LA|Y!S|L(etBM9sHMuuRLlf!1Y2> zyjXw`&{pZz6TA&e<{sWHI$-C1N)1ZuWtGd>)xrKSS@+|fcPp2^4NX_?k}wpP7_ypM zGU;5Uo0Hx@2KCY9r7_G(fW) zqzZ+in;8fw)RUmu6d zdP9cxmftc}$4;9O+2lj3#?xEaXXT-Kx4zrpj3?3%asdt^GOWbE&uE+fSNNU zhU&MX}HiBWBVJeCPan>pQYw!zBd5K6o9U_2?09-E9B**Rji-#qI7`h_9>b{NN?#q4ZPF zrRT3+>>IsT_r#ZJb-<7?GQoXdG{gH6{dt)cNmxBKyv<1$e(@IgtQN}#Kg7-1Fzew2 zM1H#>*s|>TdY5ec@S3~w!;vN|=P`lILc1c8k+Zy)!wvN2Wnp=2w&(Qo5~AtM=Ah-5 zP^bD^FYBY^jpdnJHr}>bVaWK;wHXv2`B3SFu9&OldRux3NJ*LxH)Z@C;=!8S$Z7gF zf&v*_GbFc3>_i-Tl!Iw>%??pN>{k+kX=HJ4D;j~}D8V+`))O-i=I^6?CBuMO&b;0$ zX60k+4SwS9`-+$-KZCDKzsi6j;JX#MJZ46ns^1PNF{>H&S~oLkn@?DqW44CiffbZh zohFq^-y!Kjr11ynli-EQupb_DZQU9MvPuBSe3*VwI^u zNmQ|om;NcVyIA+&pu>pg8bZql)p8R zQ*1sxp9rmpWRR&`SwZVCe9auZLjP5D6m1Q0ze$C2PW|)Ph9w*My^MPHsAF!-XUfs{ zhuAh=^JB18-5M1?->fbVkQ;yjU(7d>UM)^Dk42Z|L2*Kd4IDAhCQul%_&cEQ5YtLq%<+5@r~lWGS8M}RMMD; zVwH*FPC@20oro`a7zZ7#^eVXQYDWcW_C`P6R9X1CaZ2M6hQd5T++5MmA`n}6CJa$i zQ7N@qs}Q*ft93?1wI6!xY3fA`B;fs#>=ntb^Y|YtMzU zL{G#@^Y>$B$Dg4-n`RgkEXsEJ4)E~~K%8d_QPusA3VI(9dqZE_XyX{66$>5>^=A7V zB5~0h#I|QmgsBYfx|mLki-WH~4SMm1^PF^XAbHFCPG-eMNB7F}Al<&7oRadcdag5F z$icZl%-OmOinqLC=rI-mJKepP z)~lnRh&BG)7A{+PXN~I^x%ZjZ=ncPIsDt$RVzfPG!{+rdIVrP^Ask_{(Wx{022KUr z>#}9@wE4kCsbfY`eQJ%Ou5<_dBr#rgyjG0V0auiW5Ai@BW21OYZ{9{~>KSJ^W|j^v zzTJJ1Uum4!)lkyV2jw=->3~Tsm;_PNsH~=$!CGSPVTJSffAsECcDn0wC3~3d%g6h%|I`x@U0qY1WX!9~a?-VLV%&%e-aD`Eeop4w{J1 zZ?t%ottkH-tV3~fE6ovy;@Z*^&*JV}r7iiSET#C?Z5Jw1wh%U05x5 zP=V-_e+~V#d$dZ*7rk0{9yZyIuiA`NsWI+?EerJ-Rr#OsZ+a{9k|W#mTz17$z}42` z0h_0#<)XKR@-7Gn1iR#15%qJb{^X{ioryKUeiV0D`8go&0Gmi?e96H7{-GpKTLf*@a4Gle2o z!xySs+RF;eb_ObwCtSXltG9f7ZNYSw+s%Gsj-c<1)uq_{QWabDgq%rSmBfM4^>48Bq71M6hMmSb3}~|FPpng8HkNIe z6ri*zs8O|=J6vE3uzM4C487AT7Z!EWIjO^OlQ_`(jTElX&ccWgRrHm!-ap+Z&Dgld zjDM=h`aJz%wQu_=i`Bty?GUvVsk831mfM7!dt+0ZcaT=D{9O1E@rL!M_ufqpZ1>tv zvU_&AHGG;2Pp%x1Agg~}Kz!VkWZ|doAr8tG7FIT|e6QD1a`S?`P7$g=v-A}EY0?Co zavUeXGdQ5>v#+-RJ)Ig|6~B+{d4yh(=Q0G} z@L7QSi1L-u4}NOvE98Eg6c*?E52^esZ}^PPd?92*4uPy&!6^aMt($oLR$h|J`!d@K zcRa*De(wa|&PV&^d^Aj)=HVZ#R?WKP>3P(ycZUw($5&?~I`bOXQjgl{yJh?2qQ85{ zha6hxx_i+_#K!*zW#ojv|4eToPT89KP2cmNGq0U>EYA(0%&P)x+~wt|Y=`=l@k=&h z&i3J(d`gSQ*Xo+&_livkw@$)+R?YmFo&zR3b)x(wAiAj49E{j%BBvJPpZRZLvig0$ zpMSgi41YuC**PxXby8#R^DV;O89Q(K-P&`K=`!H#w=^rBxj_7fy`B`K<)%I|o=iAMC4iUkQ}dV}N9M`QL|! zk!>H?A!pta2;Vz!CMwK=5|b~#lu0Nr469@;rx*FE=hXYO7ikz_>I1FkxlNSd!l6c>-eKc>*-z!D|g6lF-L0b))G;X;x7TJLf4XA+<~njK&C(DgQh zKWH}jHZUWmcxmuV_S3#A7x*>T-<#D`ZH&+EsE`v_N-OI4u#iBKdYIwr`;@X}h4@D5 zVq6y7THY9PT1{f_$#7#nD(N>|QdX=yX71I^zdWOlR*Z(b=nob)IGc8RJKV}!$!$J? z=>CF7u6-%Y&L~~^K<*mC*_GY}5~Wd*!;y@v5lN5p@on{fL-0Gx?upB>RpqA+Ew+Z; zv3^-LJnTyma{l3^To5Z}-7B#FqP)doY{mGn{G_IN*0TO<03UqD>IOeB)JwcU+g{lb zu;&!@%<5XJIU|jm@v^}^fUk|G1cn{mfK6kDFvUvkf!)GVXZlX$K6n?|w$*VP?Q3pe zSH5`U5|!Ftl^pV(TUy_fIvU=$d_KEuVYJW?k8Jt4ym1t+|Kh`BSa07Q@PP%UhPkXc*Q`WB3`-OP%F(*{TXp)( zi8z`hmVh<3+fSAcZ1$eKLVtz)bMpu_6*tU3)d)SW{khjJTpD8iH1dO2uvM89y)!ve zW!3a6qqs05Wi@z7g=876hFd%T!uK+)bt_{@@QP0Ue3Vc;cAgK005BIrvB2|SUZqyX zF=MN;ZyopUc((83tT11{qNwxYpdX;TF8SPN!_>Dk2II7kGxzs5Oeo9G7uXamF3Aq{ zyYzT4wOv5Hkw3v4E;;A_BT7A9yv-wLr5uyAtDA_1IQtu+N{%hBl@{9A!`BMGngk&Q zgrkc~H<`jdx!njl)e|GErU=XE?)uOSK;@-9Wty`7@Ph#3m(x}Qjd|XXM zV8o6}Ii)bR$erF#i;X1_e&pq_Iv}PVVPzdyGP17&23xB*B1nA;h1rf&2X2j#6AOQo z*RJZG=2%iVBHH2>Le&f;xC#{oQ5D95on@v)Z}QnF3aZ-BYRrgbK}QX8$@m}!MsX6`g^6Knxpm(D7RtN<~5Z2#M5(f3O;D(>;M$Z^u#8J2>tZW-YZ_G&`Gy<6GY2{RZF6 z+YCuNc*^({lk3Zf!lu!;bM%FREDhZl#cAcO&lJ2iRx2|0T#CN>7h>{%zVw|ZAP1Rn z`0PpNTVLgvYBLsB}VoR?^=yA_4{H1pMa|u8;H$&E)6eLB5y@d z_Pj1~=zfrG8vZ7~#=i_Yn@{>28DOV6`Gh<*_(kDqI*x0Lz`n=mUHc~>HnzJJ=pxu^ zU4#ph`6}GiL^`0=Mp6pAY``mV*v@dCMwa$|5z+uI_vVlnm$jdCp9d4%cTram1)Uyt zRZ7Y=PH_8n$R*Lc!c;=-#_qGBaGhLVX1X|e2LSZ0<&Wm*qTz^jVQsvhIMBCKvI4*A zRPdA)S{y&L26JRojW4t@UWH{DL`~NopfRWl@&qjIxg2KmpKJ9Og46djx`xe-F3%r` zc;1Nf!F~2d^#jq|$FUph^=0i;y4)?HTt(&7vW~4EG$~w8>wp^fI3VNmeKXw#%2vhs zOYTe0R$cp}32n7aR6LYEnv^o%m!j%zztretlXXroH#y1W$AEw3AQChCxLk9KY-y^_ zz6MiDEHysq*~8dr`DNh!leJrC?|ZT|XolW_hlPZ_^kW;EExlHV@8|c2y+@8ds=ION zQH!_>^tPNi(7OG$4`Cq22-TD6)qRB+Ueit1lv~UxY-exs(D3RWkgrNW3n);NXK1f&PET+2&>3>p)Ed)4;8fk=?xMKb%nTS<)z zw8jWEz(G%PGYu0;`bppIoonWO7y91rzR8EeNf{N#aSBJaS($g0pi#Y*?XaRYx2~)5 zVZ56C;?3!2pz3f5UZC6mLmBc!6^5{HUqcDnCpr`XsN5ZlV;Lse?^ABISWQpbM4Dfn zVKX?~Q8v$d^Rm4J`K&iu?}gyj(J(IAih5s7$Wc|{qMJpNVJ9!~Z>@!ui~}0rVaLkF z`$e#foNkdrV;N~_Y3`2K;Ah}vniS~^Q8@?GRg)SbL?A52Ild;ZkIQ07HzW9CJvShz zkEfn0=Z-B$%U)>+&yYh+SoL-+o(#b`{TPva*_)#KgFkDiSj`bQk@ZJ26kH(1f4Q8# zSQHtWc(g7zQzC$68{V5A6GoA8+bPs_nZ}hqcjnPnlmF|)l@rIZh6-N;qGxs$sj%O^ z0DaUp&WuCM`??XtWBMt9tU9mR!I4t>vmEmvY*+E^m+MyFCQ9eK_KnZS!-Il?zWwmF z!AJ#($Z^Mynp&0dbsOC=NCq&%LS}D{AE2I5&!y+b0RbwMGZ}}`2M3(@=h8o^5IRpZ5ib|5lrzsn9RC4BNxlmz~GO;%7 zN}0~{fjg8zo2-`?WQAV=3HX!!VqM`EvD10C=_G(y%!OOo@Y?F5^H+azn5YCyr6f+u zAfhDg!*P->^_fOw$zsbama<=Zc>FPZ4mf?_owfO>|98V$x8t;dg`IRRtTEylr`x4| zyeOTCf?x-;fy1C&VEuvCgR6rCQRD+?1bg;sc#D|uh|$C{ZztAlJtj@1E&BhidR-~^%e z2h8mIxgW5mWNxJ7Y0e5&6ytxcQ7EVEDMV?T2FJ%`&G!#SKiCMOQ;o}ee2Zme{epmZ z?Ok8OA4yH{*D8F{bFH~{fltMlmQ;IKz}8&Qr12^B-+O{X{jB1sxO8I?ro38Lz=m!YGV zOJ;%AglCJn7g|<{vK@7RU~^INAU7u-c}Z|<{io`0ggvfhmR$s~uwqhT(2MzwaZiGh zABY3lp}vHrs^t*;+0J=be=+fL?>yP@?Fx)sMEUI2_TgBRIQ9{Zz0U$3Fzg=_D9$C& z2I9|^SHHRssb^tgQpR5W`I8fRsE-VUr_~9}9h;$u4(W?o*pi=>7Ubc>-KlM_fXpIa zRilfO_v&K03Shlw#yY2q|H>29%JnJdLT80?uY zyBhwu9Jl3an?)S)ZPA`an63;6u4k3nd5<2uCF*}8RK3Kk!mN$5vMOLxVY)IZ7n?AS0Hb0F<*?9*E6ngL}n7*5)bJGeZAorXaQg2jrih!+XAU+j@$wY zTU<*uOb1il%#X6e%_hlK)j>`@ffeHQxreySTYnM=T?~$?n;KHs$7y&mY0P*H^@O+! zStUEySD0-GoMB9vw9~dfd9>65o|9XOAI!J*)8@qQ5~>lAU%jb{!w4x-5+2j18+@jA zzB;izbi@DN;Qhd2!iKcutsK9R42k#@4LYKq+d7iamqvboe_E1+*^1_E_=KAGn)!Bn z5an)HIxs_M&XqQAnL}k{HJwCNZBA8q&VFU@#u?9D@Zo6s%UkfKUp)b@|I66e>~R7H>x?Ro1`n-9n%5*mQ)+7>4nLOrYsC;7BQwLwSC z(y;zs_g1i$(Y_KHF5HJqfAW&Hc+I#r90un;y7+Oio4BZXn;CaH)>&diZe$0sqpQk_ z`FnFvN19_DJ$vM;LVOg=0Dd|Qvm1+oPC2ssAeLT0>Z!qGlw)I-gV4iEQQN-Un=E5X z@wL8$75}?_%>OD}4?6v5xI-jZX&)q(qXO6fPUErUhFL|=#5S^Tso40St%q;hZSpSk}?S!+}SW`9Cy!xr@uC^s1-)sPf# zQgppPW8GM>Nv_(|<8CSr%^onqk;1;>(af4MqGytPH_(Los+WpD)mh$LJ4an!)c|i4 zURqjbVJHxNiyUe{a{~F5L@makmRRT+W$9<*wR1Lvfysx>o`eBZ%7-q;F+FHqfYRJy zlC6ECQaryg6AH`gibXB)LNqK1i-DEWfc8{}Zg!M{$G^v4?B+KnFvT*Yt`JqLj zJxZ#0#IlBp3-dasGL)EYqvgYiRWb|Lw_F1%`5jU&?Ba{is+%ZX?}Ib|r#r701mwkj z3pVyZgYyj3t<6f0&`50o?5FOdu#7Q9xid$8s%xVcJ;m%~^Y`U5h+ zF@m|zBv-xvrhRM7B>_%x<2y&VeHRP`d$U~B0AM-lvs~l3@&0RBhr?i+qSJ&Kdo3DW zd8%9(m=ArHerlL{Ko*MQ4ud(YL2Y{r76%*+);RM4k;!~+r@-eFfR%QPXU8Y0b!4!K zT@Z@saAvlR@qzoS)y+QcNS_P$9_%^(+p#}9sgx&t2XX=*^|B-M2e#g^}{n$mi9dTDp_B%bwYZwzf= zM^G>TsCYS(*6j(A4EfE8J*!v*!0Aev39aTL4Jo9m!xggyhVy38*_@~8H-aW|sxO(Zx89~( z=34JYV*vGbg6`Xa%Ng#|FY&4MiUKE@J>;G4XCgJKh7r_)+#8`I=Slim1d2wuR-tz2 znyIkN0#J@2)MJ6nHuV}Eal*kn+C$#%&Kr4zx7pJm4V+#aFcVp+tM_X^Wa`L_ENzpj zdc`p>EmYj^fG{B~exA%j1sG3m*>Z>g1tPa6d`o1tjUzsop{;S<<7*xcuPw5aZ(A}K zMsM&bNyH~&HshY@bCr>v6a3k^PFBoGrlmoljbqYws~N`@zh+Ha%h2bjZKc1^o@y8Z zDgua>vmX7$P6W4xI%wqmgsRP|p>d#w;Uj7B7PC*ubhDBUlG4$%=PW-e;$8(LAzy!9 z#7QNzHfM^k>7hMNJOb&hOh^hlE_>>bz0VJX{M7ZGD7>$hca_!KXD=K|MhS!kdEwv{ zPQQbLvxsk^PMFP9l%3JsM&v1c{i%wCc!rZ%?kUyEmxLJ9u*@`yXF;dmtf3t%f<#NN z(U{7YRA#OH@M_7x}4~v#pcg|3~Ckd_BJaCtH~OL`IqJMHu`lY&b9!WXPxn3MT}n;}+SCUEXzVH9=Z1^U^o!8bt9>gBUqDPy>$2vH zHD& z2ALCwdflM`CXTaM8IfQ)D|9gC*^QjnR3#J`#3DD8j6cO7&RD}yw?$nXR*`q`-|d9gKAd0*5sCdPh? z-c=XNw2`|bQml4yuf2d{YQ;qaao}t(+ieQ0aBJ zRyE3Oiw7vxT5HzI7<{^%z8)!Q&s;H!Fw891L*JfpXmJh9L2gKmdTmw_#u7XFq!-d> zVv2f4qD@7C{Wfw8sBw(Ba^D$252i*CMWpkK&r7FqUP~Wz}N5Gx$_nVS3fC#brc5mwEQ{RO{gJh zW8Hp!STc6%oiq=gLxlh}S*&Qa4Pl^AnuGU+Z!D}B$hn5^u5y@v_hlO4Z?Bm7Ijn^d zkngBCD07}&uphV@Kq|BAEw?PP0qP@Zf*60`cpt0fh8KzzRz(wGdWT!_s#;LOtEnulXhetv$8oV}u5e%FsnP8%Qh3T*(D zKw;*71xnc+t<4t^k>#@k$y>py=25{d5rs^&u>gddqjireY3Rm=>PAN z{Bybik*J@E4x7lKBxT$SHnjTIrN<)EsE?JG{oR}L-{Vir(H0#I-T^nA?A-5|!GG<- z`xm163Bm6GbS~^@JOZH}Mgh#{7WG`wlv>o{tvG{=uh)HVea&^*4fE3Xyq>s z1ODSB1+(Nu>-)^Bi^qQL^7^L_6;OBMUZacSCyuhkDV7vmS7H}&{b)4W^*XgusBqdb zv|J)fHS3&;FO~w!$rHi$*V8?R~{(Yn7e?PpIGaYGU-L*C0l2{2|FUz=AEXR}` z##z{F!r8}_`{3YlZ`IjK(r4hz%F*-mD9pvc+st-P%U#&`3QhN5?h)9|4Ly2(BOj|NU6N4*}sU22ce`Dd|h_>4@{HBsu$;CC|CZ_ke@w6Y8wZQ-CwqP9UbO zXH}XU?6-(~2-LR@N}PA7+R7_kT^hDhh_nr!}GHy^s22Kr`>lHsOH| zvgNfsU%G4X=dikj20uY;ho&QK;gu~@VVQz-``T_VLE9UCbFb>_N2tUSC@(G0nlc;a zw=64_y+i){{?)*nb3GX>*zj`$+t@+>>9hZ1<^CXat=^$tP!yzn6a3u={wM0Ge(>8p z=sfhtL)*AvL%TJ10Cf|xjv)2z*%P34-mZ&_cBkLY$|&$R^ZbD|{&VsEJYoN3@moM0 zgr{KDv6B&`2Y=CuRqqn#pl#KWI#ls!F;g3K1p0#18|+;vwVPZZSZz=FPQPigQU$GXD4!5; zr#pPKs*NVjvE5xv?ZtH3__TBpD1BWHpR)minW3Tbu6}UF>AZUZw0$eK0i{tfkJb!; z+a-)=!0LL+#{*cFx&M<881d%uZ_QoKEJSXA)b&*58a0ocpX~+*8zk565#>YrgVKO( zM*#DY!`1qynFb}mfCp5+X^fHrs|nV5Y7?xZ#WrEvK!~)bMC!xe-IwdX4Osu5IrOie z>D(cp7vU#D0ys@isVOQrKU`_Y{|h|&bJ!DHrNGYtZiWS#?k(cMNwVhvSgAbQ1yWxf z0NeoBW-mC{CV4k72_RPqoaWFw=}tZFhzA8v?xuE-VxzzlrLVl^c@c2T{Vqk^ctGlU z>8|U39cQkCGr&&4_#WQFe&_OEZ^Z4wg#X^+Zw~k0{B#?X(9pOpic zWycyA9{y_otm#J`aOM|$+_NG%?FY_W#=}SY(YI7A!SNHLd)EAic)*#uaDr~AQHRDm zZ?uD$-vEGH0HUHizz>vYwSWJtBV8mj80b-fMj#Uo?KGJ^;B@iU%q0n ztAv0vrr_r8gA2D9g=o4potJWp{I6aBv}4o%N{Ma(o2H2hAhrD8y(0NsEd-3X#iPaE zFZCE4U;qC&dtM|VDDW@f3>%xFGv4A|^4Aaei{Jcz>)!Y9*>}=GS?=9kbbD93u~d!~@lg6uSQ1=!{zoDV3fiY_lP00Vkj z>~XisCwv3Pn7p}(I-h7;z->iApb&@+FlHGwZOMZ79_RS@&e67j+cV~V`eS1ZoW>Wxuw^qH%wy6Il*i@)NOEl8 z$7V2K)sBGt>L^SRI7f6!0Ib6HffB#pumP}2uF4aPNaYH^6E}yfciW|4w79Gd08gfg z!C-7lg@2a&7ohmha{nTj|Kr`ioSA?dOjhQlia?2h3OoY$9*e-df6x+mw)-~^>05ns zA~R|28oj-b527=E-KX}89sW0tKV<`a@yqF~;3PDSd-Jd|+ppXEvcCkSKYsfg76US@ zES`b?e`6JX_b(Lg0!sLCVOm>G{O;XkU!F2&+>JGVqW6axtG2feg z+1{6>(U^x>`yZCjdLMjyAodjiVuLwNXzgE5;{*Sf)1?DsK0O)*2DuD~0XRed*GW(~ z!-ZTAeS1(I8#rYTNQ~9W)&T=(9!@)8CvGAM1|8X72!Pn4`7BW4w;=#x2f7(R0kNt8 zXTXixf*}*UVFfsYEaDLuru=8Qe+lmYEcY)PTj3w?{v{uQ8cYD;TNfk@8xG{kaBEP6 z*nlKJ`1T$M0wV}2B=hGM-9vzadcGe8w9*0-TH8+k;tGHHP#*!UH2MM?I6zaGDtuQ~ zJOm>(Ozd{Ia_)Qrjxo>XA}qFXf9`Lf{C`?Ri)zd~W3gX?*fu`nPpM2TRrrQRfn&^T zz!VNuFlf|{fMfu~j&<^ZK}eF%0m8SZTiai5g6&a-e``Pc4*Yxi z9-HSd3m|;+wa|E}e|wG@@S&P5MH~!EK332KKrDU=l=%JTC;(z*z=>2#0B2Zs$fk8X z&bB;N8Q=^}1;Jo!%YT;pS4;e}-2V=K|N7w{@BWpdff`I!=DmACiGd0{X93~c!xRp6M=MpKGY;xi`Na-@ij%gH?@a-%)D0I2PC`=zw9;6k_rJ!O|ApVYVFiTm zfgy0@Bo#pTW)%cQ1=}4*H`J;JhE}?hP8=|1Z`?8%V(DWAEx?#x9h&|ZO!uqb0*K8Z z#{>)-b@&wkVuQKNXze8VpIqkG=ltDoYymQF%Z>trj|8LvoZ;sWOE5Mjz~w#kp|lQ= z-X{9L1_b+y8@TN2p@?xud=cWRNav4ZR`e!o3Q>W|-khAMoYV+E&3*oG>6Bf+Vo zv;c%}(Y)*67*im3#B~xBV`@>$_rK^1{INB*=^4Mnnfq@7<@@aR(crL#QvrvHRKO8S za{&;$K==d-h&=-c->&vqU>I{ha5YKKde7!hUG zVYQ4FSR;XRvm0olDiP82?&f=tTIh7KHAcCwrGrsLKWspW+BRFf&|HHbav-|x|=2ihFKMo3#nc+ht2T@ zLwbJq`te>LK4Kax7ze5WU2NYU=M=)LX24h(Em5k&x2EWw+oreClzdc-0f+DM+X5v{ zDm3kXSgkJ_2F_{lIs2W5R#nJr8K6K9KHlV=kR}=1=U}kkf1LeKHu*o!{wJIKoPB_u zmzS3fLmDXF4z%$E;y}1(D@b5W&8zM?NMJj2nr=WGp|DKToReP&@81!IfCPo&%*@xj z|HLfY{=EPBIR=Nx<4JZ{4PAl1PR2q-U8D)uVe8qb@~dX7LhYin217I=f5~&n9_2 z%0%B~>A89D32m7nO*_EVKSVcGX^7TQjBdOOiwxbEBx9vIUyqMa!4l8T@KW;B+emp% zNeA`@z00gE;?IpdMv7R@u8h0n)E%li5q?F^eoPYP8fsSIk@4_wsr_s@mXS52OfTnt zZ^8f(Cyq{^fh|wQI(3gk>xn0NZcOKi^j)B=5!vclt7KE^U1rE$eK872kJb1&up2*L z$%q{Z8l^9Ad>`5XHLK5KMB7dzjz8mDkzQzA1X@Vz`!1axKwck4XLFxm z8X->{Fz+2%!d1D1;NQ>m#nU*&Q^9^uI)zkFG}0^eCyeFyQuO7=)vKK%weMkOM|Y7; z!^_u3o2Mt^bWAt)Vudt5@Y+U4f;J3YwSn0n~T+HXwktSa7zk{W(0 z!Lxc}nV61qt42rl+GgF#IPfkyN2>2IucHRsbnSSf?-bdNj3`~tH#T1s>sA>b(1@4f z-HR5z&@MlX>Z~9JMxyl{+dOkrRz5?;1I2`;Dx24QSeS;dN}wNwm~#uQp3x;DkYrbs zPmZGQPTJr@Pc$H(Eb~Djv@ODn`n_p=RSc8rm>}L%xgdSArf?5F8f3hTH zPd0EZMO@h$gDbkV{X9_cWY9ViCQl*Zxn6I2C$Qewk}GcxVU)GPKOFsF7)cb+9QJ64 zF<4Sw$0G{iE#3Z)`kR$1Xq1B$p3*<8M&0XSJpFt7{vlyV7TztFKyk8sTFH^ad6#`i zx2z%U<=OhTWXct*jyQcwHFJ&Og^W{9qsmo*9rEP-OWhB@7rtE_l{IODMD)-U^gKEB$);ehS7ws0=!u~*Pc%kMv(0F&l*zuhK{#5%53%; zUdl!Dy(OEzLjAlSF`j9j6Uqno(|a}D>!pEFlqoTSg&vc-U({!8vP!3KvKW1Z@CIHt z>t|a7Z{yuM3~A|8?9}w@b@EFg57PuCnOkBFlI^7yHG7y@+4i~LfT?jessVMA`5G1MRd``po zEmb|~um&X!!#P>D|GitDbdn ztEmBA|E4O;?0#l>yqE~rQT4dh?%tW#t+WwvEehRM(3h={#6S81zj|Y}?SYL&CCP^P zZtI*W;pu3&PrC;u*L?jGq<_D_mg~r_kVm#PoNKF%O>WNpjqh1zEV$#3BC89(h>ZsY zZ{1xD1ilALL)A$jB05HLO561ahsxMcbn7!tl;RwD$6G{@>9*@Q!ew}>`lwA5uup+Z_jx0VVzjn@nONZP;f=fbAYG-?8aZeCVa#dL79Dz&xEK1v7U-$ zVklcmgqgzFw?if6(41ZFp{m02$nrNmE^Wq_gNee@w$I%x0e`GngV$D;ao6u-Eki7J z9KYm0`i=EL`0#5kiSuR|Y0#l;V}5$ag%~yWam^8Y{BQa?4v~sU{ zT&7u)m!xUi*XtWBRqKt@G1`oocIy(9r_UqdF9BfKJ5!J=L!#oL`3k%E^tItd9FDj= z_EtYDcQYE|r@LmFoBUzxY5}%kVIMpcKyTTHBPRGutb#Q-vY5RW2VT}9N@RFdE27o9h6%d(_WG zV`JO#Mbk`UB7(FN4Rw*o=B4lYZBiaLZCGWWMh%gU_W=0 z^i8xcc~gf_$GoxHcs}s1ETQ!&OP%aWW9?0+Cnq4uy76pI3qO1X4(c ze^^_{acF^~Z+4S~Xr%i3mL9=0ifpFhjaY`0(hthcZQRI6F!mY`yrZ3Nzd;%s3CpSc z*i6>$;5dvEhm zb2rA|vr2|!=DA_^mSRYg1vtJ;u=r=;oe_I#@98W)6uJGz~bL5AMMI zuM$I!W&_VI+6XgDiDZfv8k5@Jk~7aBUW`z5M!y4aM3k#k%uBn*T;u9Ryxd+Ig~;#6 z=mvnP_Vrg#v`SEEdiR!cm3!N<@s-3*h$0?|Zk5!X>zBf1vqqaOBRr=^zIH-M4!!jf zOB0V%R#bc@jKxM(PZ|pb;1T3&l^frdPIQlWp@iQySv<(uh14~-6CMNj1z!-0jwfAN zN3DpThhlmyn}`uJrU4matA1*aBg(#|cG|8#&%P)x74pcSh}fdZh_tkL7ac7kud}uu z*zoyg`{gD#AY9#ycNdCy7DUsWW`)NJPpO+?@72arw0Xec+q{neZqog%;mFx}_KKzH zINP@7uYl8eOukpF!dH%11-itD!TfxdC%bA1b%$3c%sbAi6p)37^y>NSt5^GZSy<)- z(k||yCa-?{*yxvV*h03`m+@e6&xkh3Oo?Sv((tMB`Tj41F_sYpR_!6|aG3qT9IA@@ z_I$aP9;#`5Z_)Z_BL56z%VzkYu~F_ z$-4Wg!jllLLwL?5fEr>71U{4|)sH*wUFW>r@px zz)AAPo`z{>oqspxU$tR1t|Ng?HxJ3PHWf{)kFnedkh$9Y=*TKGynrX^n7HNhymSXf zc?WpEXZMP(ItQ%?KV`p#i~qAJn!_NyjEsd(x@-Gd=aJ6OrY$V&Zh+7fFT+2esaA8K(6;+DqpUYx z=cSzZ%5&hYhh>QJ_&NYnX}nXJM^Lg%p$^vvawx)i15upJb5~cR?g(7YP$O>oEM7&c zyT0I|(UO-xDioh$a$)~RTA)qfvST5HhJ5Y zeUM}@GL5zS@JvxmIg?tg6IBC^wTjO}fj3s`Bn6#g20~i&vCm zi|+(747dg}2AW6g)$kYh+EpD%Y877_w8g3GacTI-d-s35nTJ?+H$Ii^QMbuU3W3}g zM7QOV;Xy6_F5Z`I2G5|EPDo0S5KQK7N!C^;C-j{8IKclus@(rhAoGXHd)`B@E_XPF0hG6|bn5LXO+{)VXXrql0CsiOB{}v- zgKIDOgII3TLOus!Q`M`Pn zgv7{$n%X>NI(8t&?pu}`rTvJaNi>}luPeF=Qgha@{92)2drsD z<|9b2dN%Tl_9%e8^i3eTK6zmf|K+j9&7PI=sn0G{G~es)g~){V*(LUyS8-kPTVe=Y zflI^uK9sIAHX}$H$5(?{Lk$4&~pHdPg!5?M8%6hJE$A z(W7@w4JLSop3U0e&j)F($JY8)@`iX;P-t}w5{1rx?Xy!o;mYb zKNi=AAYL%9lgs@Xp^2G~SE_duuHw}_Kjc0ls_S!VpFF9jiun_YiunPK$oimUw$f=L zj?xA%dGws%BZ*Pe5RTpJvo-@^sh61j&hK=bn)$~2*BN~PM(XB%6YX2xK&e=N*F!!e z<%eFaiG0e7I-L6%3IM$Et!IZ;okKQFXv|3GbOP+&^Ye?)7E4sL?~M-c`EtOqyVx>) z_4>gr0MJ~*EPG&L&wj2CK`{m*hv0GLYi8Nm_=AHfhg&jqHGr59{cvQSHKaigDH^Lb zo97r7`I0yqc1-FNzVz$(k%tx6GHRRJV`b%??DBR`#o8x;O9~S9khi5mEl;j+A!8YY!{Nh z0?1sRn~^0C;)RU`-pgcZE4>lyD}*Zo*T-yr+P z=%W0Wpe+8?er>Y8n6ZhrHrzj@>zs1mh{u40V}E;vdy{mM;{xHW_TnK90p@@{dz5D6 z^b;mI4OU3w*XShQ8yg$na6|4?uXIc5D*f<~2=mWM3)@;kb15j*zUkBRjyETR1A# z^f*&6^>d5uSu$4^-&^Z(IYVyJ4cOUGM8?0Cybjt4GdU``VSBr0#qqkP3~@}#YaC7a zTK%xAP&skdl7+UX+20ebAc4uz#I^JxY5T@K*OM)AQ(yGj5)nMQ8*ywt6UyXM;e7B^jjO0?;`bDi2Et)&&)i^1(2dYxm$g$lG@^Q~H*}vi9U%;hZ~qT_Zypcj z`o|APoJ66B7NJFwvLt1nNlB%sgd$6;vPBATwDZ~4~KfPU_>wqq>(kD!O0(Re#UDLC8 z_MU-f#V_hQVqa+6r*CN;Js>8>j+*Yx-a<&Vs!xeucgwox#wxw+1FZZWY*BBGCq!mQ zKSWlZD&KYh8YiwL6VENk-frcex|X6(`*64I30)#$+4kCpM-D_q#s5A!=2^t*7_4)4 z+&zzcxYXPV;7AiV0Xo12flQvGkf4~+sE+pyP&A3wd5WLPl=$d=eF-=C8g*(m)uc9! zX*!QgSan>TVW8=<^^yYp08oXDr7e!7ZkB_A-L(W~plQZ>GLzL~bB@ZKHvg!8ELR8O zhptHjdHIMpG>GTaTFV@*#Sg#PP~A*mR1~^UYoEL}9O;>bU{$APnxsU`PkvHxj`O&N z`Y^l3HnlcVPH)j*tfza3TkFSIL1j>*kqOCNZkv5%c-7E}oKCH-@v51676i&8 zTWyLyi0tnkPVdmJSpvYZ_)0+17~+_C*4gXSKWxS z8pIn)gF6?lb&1n?Dk+#V@p6-QMO5T@E%o_xWfR96=4uYbY&=$^i}o{E+gsO(aLU;@ zSavFCs9w#lIok{*_}@Ify^#=QID89aF`%h!#T_Dob;g^GA*WxKy-VJ*wm#c4yZ7l! zGRb1xf2F;x^})v2*+ej>Yb(5cM?}`zWT`xNfK%r0(aBZ>DD4Cnl$`ue*ee zEDTQMFvT;{W7nEP zV;km_6v*CDGKlWu(G`XOpN$8s!sm8diGS zs&5Z5+%$2}80ZdBRPU7w5wZOs>-7St!gVg<;ugvpexq5bGAA07?Sb1O>fqdz-3qLo zviY%>3uwzC?TsGM@J-Q#jKN`$`Yn1n7h*k3a`{qF@D}Yl_Ui2SI`Id;V76lH$4{6k z4VJq0M|}SLdAIBQCAq#0+zPgg>cpp)YWRuK-Cg_WR~u?_H+hR8_DM_0C&j+GZFDMW zAqO}9u_kd?aR6wb7tc4mOsUVK8R_2(SARn3Bjj1NUb{~iH*fveK2<_rW7Z=hJz^T`GlZ-H#Y(ca-dQ6;%nKflPHm zkjGV>d)$<8U+DZBI{3MQN%D+c>yveljAjX630vwSGuouy9}e=tRdS<*S?G~wO+Ap0 z_eL%H4O@Gl>BX^jysSOMB`ZGSYQFT?xzG|ex2_03?Rso-qAAldZKX$kKYsV%*eQfV zu1+(mtqEm0tasz}q1NA3%{TkL^d;nKHG|ATb*!}t7TRBFXIhz~4FWL*Y; zG?Wg6Zd-nSh?^Z#-yT?`c>K!75X?LrVS#MINWsL_>P!91KKrzoRgtMwWtP789Xn6L z-qt-(H!v;d_J3^cI+lJN3WAWcrVlARvg>xk-qgE<(!Ev3glO`~tYetF5Nuos-x$mlm@3_4>S1^G(>g(&5QckJ0MOdUZL+D&6FQ z>(^(7lnq;d^yKy)v@B|~nVa5!-#JOGdb^Eoj#(1+!h(VFSlxBpHk;$LIPI?a`Uj4` zMbn<^sT>QFPdFIG3aWbTP_{OZ9^v1Xe$VXSvuO&Y6QE5ha1MgQrp9S@w_LbRD>>|a zEHugM<(E|Tv1n}<6t;^p5vWjNcGdA>oM*uD<7CrgIQM+FM86AAZydXJhPyds@Fui# zJ8tO+<1_p2dzWvgzKl|x-*T_$czN6LnImbgk8LUwLHcFU)B2#RI-JLMT}3mp##ZUM zOP3~u>_{ubfogkafdykva6)$X%BaH&>_OmgSlx!{55QTvldSJ_77cnXmU#PQXXts# zE%0+IC>~E<#|;LL9X;IGwj|}D_sr3kR%<9_tg4dgLX)h3!GwaI1L z%MX9qYO84Xp;{GM^E>90tWNLE5KYR1qWP;xpe18A$Qd6xoyc`wEECoN9h2MBF)Ou3 zdh0;$mDdZ3hnsRtGb%lvHs@#3vG%iZ3c~|0UStZ2St`~p9bn|_+ov9((sQRZ+VQ5m zDhJrT4wrT0vi6bZj`4FrOrLsjP2YM*GBE|CZLVnN;DCQQ=N`mNM$Jl05~pK`>kLI$ zS1FM>=#>**J5MJN_Ln~8rcpQhHV@l0NpV9EV6jBxHBT6~t_foF-OyR-_b4fdi1ZP>vv^y`^{SFgRh>G-PqWJE1Ux|oZI8ea)LaQ zz~Y^7*Je)0D`+c`*S-u#QqmSwTmTj1bdl8=4bnd3c?33H7!-oK{SFpD%$7LKoc+pr zpX(0YtN3v}9MQ*<|QFC6N3xeLc0$*QZzW%$bheA%=v>Jso{uzqUX&X0?#^P3kA7qRYcsVqMF$@i#9LMV%Mdaz@t?m|z& z=hD!NMpv=wH|Kv=Lhi;Ee?1F;{o){rx&V9pp((8|E#6Ek(=5s3Sn)wnU-N!7D>&J9 zNiJJ>e3&+mtc!~J=);j$stv%}Gp*m#h>4n%&Z0Y158uk0kJ(8#rJzM@iaT^bEvBq& z$<^1==9^YS6SI>@V@$+4R|P72^Z~aeL^A~RUeVm6N`O-*g=G^SaWfRGX}vPcA+nNf zjy;F7Y<6M2({tX=y}52{yQ2GQ&1!bG+#WVXQ|{88ycBw|c+RH{Rn9#vN@K z2@Rp;(${iL$N_qWo|-~8>rwfSv-fkjou`-;0eV1C$x(9pL!a30OQuW8ETZo zv-0|50^K^#-4WdyrtAwb8wgQ>{>N3>%-tt*T=fbxOU~ciiaTC_tsrv-pI?RLI4zN- zvfN!b%26`Vsyl!33+g|@cXKzkg|G2F2Fu>FDVR@!b)Rl8h6$8|qQFTjB$;=>!rIH+ zoublvU^=TWfQ$KNXJsFFFuw?3UUcPcSO~MDkc)X*)>U0TwIHAO_lOO`Um5aa2kviv9#RnFw(RN_ z$z^Bw12t4SN#`J+=2k|-vPoA&a`Upwt5j9ZWK=EC+@+c?uBMg zKO|)`9b#K3zw0;QI^9C9|s zyUc#FRIVEJc(1fcI>Zj zXU=Y6W+IU_87*7DB=2(1!#c-*4Pc;uB3F+IMy1`R({ z;qbJy3exJ+@Q{9~+T~i@l0kV`j(P%LSRpFy?0oY__T^vrp5GJ|PkK%Xdms!8V|COO zPtppn%$rQ*@uOkBnMY#^uzyo^Hm-t2Vu^v6JJ=q2)?1iBc|lA%Fj2Yr6fDORBTs_m zw@yfF{cYk-3OD39*RMfrfJf0I#khXW`x>miM4{SrD0LOn;k)1HtzgjDlD@fT?7JF;onst0RR%Izw#3dzKjQP z*$`>RG+1VTXAB4xt3$7;2k`Ok{zJ{ zPkg2<6mCGWX!L_C1le$F?xqF#F!@UByi<3+z+K-+pj+V-lkIMf>ssGn;Ar1(| zDp;JUh%8cYsMY&Pkpr_qu-vm@qN49|q$@A3A{7M3dSs=16~yd#A4NRi;KXpf(7_^b z*vybv60f=bBODrn81BG~vSnw~Q6JF=LBUl#(BYGw+j&z0x2EOVb zCzN10<7K&jDb2A|`OZOJ-$R)%=wJKsg*-2MOu=k&VoZ}Rk5Y~ecHqT`|6tb1K#)ez zs-U9`%6oWrgXG2_y|WVBxBVBjUswFcFPDrdEQw{Y_n!}^rNu`5^p%GMTlCv3$tqEo zHWcvs2I6(0e(aMdcU~03ToF5?uw8C^f$qhT$v;uU7Slw#>_6+X0h!gwTd;3gV(wH{ zujHLVKDtOUWaIuHsLO9G6h@Jve~2T_bJ?z7sH(PEA7?f-pb_!{2|T6w5B4A>Ke8$U7={aZ zt_Ya~6!~~n_S(P9{|#%sb|_AG6-OzHf5@GDpBiT8^ig)e?$V6CJYFVw7P#`uBiGOR zX8y0Xi`U0O9sDi_%#J^s!86$}H|Igmc&FhyUJU#yS04rOTJj@f-Mkv*U#tN3sOIWU zSzZ+TM_+UT%#O1(zX(qq>LFnE0mFH|@XVefXkuTRpmtP~2LS#NVI&nL?*b0bwJ_NZ z6%u^C?_C~pP*2aX>J%)qBNf*QbOmQ7oDcd5{CH{V$<@~_Sd`|cugXRWWgm>o|;_RqA#i={h01^G*=KQu>4|?<-|9)-5cYxwcE%F+iFAEBRv=A%RpLigD z6Z)7}LgBBvcZ$P<$xai18uf=V@Sx@+;A@HB;%<0Q4J<3Hx(cY~2QL4PZ&!zPQua5jf8^2iW;_tX@O zh|rtIsPqE`O-EYL0cZs1*k7Aqo>k{I!oKmdB;kJvp%{qKZwY>#bo;lT5#c{ZMlu^I zHC}W0$|A)I9d*gx+8*Dhb#Be<3PdJiiOxCOP+quSK}XIH-9|~;72|w#!qn36k0=$r;P-;Awx}Q@a%l! zRXj@>{{`)T<~nar!7dN~=(<~h2eAIaps%kVFjqX&?7lY6-^P=nDKwB#+tWKZs2OLT zlB4>f0y4oVXHE_kN$Ge%PO1Rq{pRu817c*?OUCYGLMW*?9s1^`1JaU2*|yXN7a;q2 za&_IA6w;f-aebIo{Ai&y7k0eGNGeo-^h@Ty_RG z)(h>hDlW@jECzYC8&`KsgUmmjMFSHP@f$}SDvd>2>@uv&O>vN!rYOoS&Mz0;$w!~0 z*B-?)b!VsGt6r9snaQwc@RI+p@cNU=k{6LzsDUf9AMmb4{5kgPKXeoy*=C6E+urse zN&)d<`R?mbKTSgvb3oeO<#)*VSi0g-o!jGq=-J}>QlMb zL7vv`bp!MYeZ1u87@c~d;8?RQuJ)J=)&=UT=3WA?dM0;o(~nKg_xy9(EErdQWOHBP z@U9!}l%NliQ0bnm1hi8Ieb*|e4_w;l^kBd5h8Z$)uMu0^A!5%-Qqcc&r!mxGrHsUHQ$p z=|ue}jtaHLAITmR$1GEkmtvu}6D3#AE&iM@|BSXL*HL8g8mRm{3F=oSNf+(npvs$w za|K7C8!C+>;5`S8&_z%U z0P>n(L*G++{u!FDxyyQ}V!L?F+fdYNONIIP{_XJgBfkI$Z|UuHOP5 z#zMCkOu?(K4{=UeK!3*>!IGZ2`x|VbcY?LezGwk^B*N_Dq9RFx>18wqM`*sQDeP;vjg0-x*` z;!NTG?)-|+288|7pF(Gd(6~%MVBoRrk^`AXwMk2%f>`nL9b&>jk#yAda>$&#RYW|J z^}3jxrWQ=q=ZI=L**1-9Kt*WI;wtaj45CA zggST&cLU`3s5H->i2ovhFSz_M*j*ST2^%W3q25cw2hq7ST&n67O$~fpqRPi1K%31d zJ+(Mfu|)F}Q(7MMpgLbNx97ktSANJ*FDg>+s(Ki*@;k9=$BCj_!|-T6Xy@h@w@+R%4-rBY+es)L!v3kn;vTEDkIc;_p3v(nd_El1G!`qf6oOX$Dkfk*&GpsLrKAvW z#!g&T-9)O<88!ZI!5UC*$a`6A#O372LFO5LDSY3!jB7tkKcsFDIuUhvq zM@}K@E@D7stP|H)9C0GYm3L5v7dgb6rxZPzGvn;Qurc(P^1J6j!yI#PeemJEk)nsz z#tnb)6rq4TQQb#_;Ac-DQ}u~VuB&0?M#!+&Sd0NFI^$O3DfXjc>%A9gsFlp>4h;$# z-`!Q&wMJiN(`c%&zkE<&;Oknu6c-TotMSoKV?uBJXB4WCccCC3L^CYt_?*C5iMglr$Q8 zM(QO9tUTqY56vJ`V?YHX>7f%>ZZ!Nb4DtezZd|3QKWiAG+IMmiTtv*EX~t|DZ$41f zBSu*;Jm?BFTs%D+Z0MKYy&)EAR{$ngXk4UJwQMzZ*))f8l#xO}SUpq+2a^dx^aW*G zdU*Gdf2+Qx%G@kJGPS>dBx8F@<)y(s(t2U2*4m5PH>c)UA`0~ZBqbc^0YA@mEndNL zp(qi7py)`DsW6KkFn|h0$=o~;5ydHB1R*k8!woZrY7RUNGJ!3)c~@U22liwuVpYY(OHwXz-dT z^oa~Wpm{!J{&k38JxQbpjf<8xxUCJgE^Zmo88Lc$B&&#&#FDIOnb>Pcg6b$BXK3Z-w;{h<;OWM~2wPQQ_H2=W8l z6@{J}8W^0g^%Efj8w)-iJw79`p=`7As24Sy8QJJV5qRp_^{Cq~CBsMQ zRMJC<0zC7P5mX~L!;E4++Wbg-_d1A--n>Qe%o9UH!y@4<*63i{QN`xG#A3a&_Rp)< z(5f0W)F;k*6>&=f%(FZ28pe_ixuI_RRFT-}99NfPg5zvwYJZfScD~M(=aHi4^>SCN z@2BJoE*292{+@kJ(gO zzxA2Y%Ak=$&kSB4crI7r4Ao%~5KK~fH2!c}AoPaMo3mfFxasau3(I7UQIixfC`+HR zF}dESO&*94r3ctca(Q zmN1$Nag{9$$o^ZF(76^jP~G=DKDS|yhFxNg!XE#c)6Nd@&jskT`F8zXi8&ua>&RJW zo1rRrN5fl)x zC*W)s)cL@1BB@{r=GT1|LPc@oC8Rhd7>#y++R#^WdbF8L#>wEL1qf)SpH`$ORALGU zz6V)26UY55h-#8zE_8fH^S#rfpA8)y9Iz{L>)fzGq3ig_;j!lcrH?zi1ggRiQPh~x zTGrwR$|1T+pVY#}+R52D!$Igi(_92pVo53vgo3mLdk$2$P%#-P-daXLut)E{UgWQP zhTA?<{`~p#LxezfPft&Z5UqW&c=hVN$~U`{x=8mZ5Z_zIckgs-@~-^Y=Ug1W{SA2ja$ZX`^zLh zaX5%nt|ze1(*nAhEpKaE!p9L$6fw|rffmR&h5QvP(N6lS^$}aiUZm}bKze$Swhyf6+*zy(55%5 zA+Jqj`M}VS^dr?(5S1IKBbZF(`GUq!Bd*P69lZHB8n#Zzytb?8x_)feC=zKmxj@{ znMOlYGJwzug1RVLtz#%_Fo%!Rb0}+t{OW>>86F2!c0;a0q=^vx4* z36@pz)q<|nG%;3W#`cD%vIVynKnD_u+qeY!dw|&r1Vzy1=4PXUGvKDEH5L{Y+p#6Q zcUAvSv??Uhc%Qg+wAo$lQW{k2<&=jMCj^ItcmS^evFf}!LW^Ia_G%DJZ&0)Fg{(83 z@`xJeX~VKqUqrzp>Z?u`g}Y;~&kwZFP6KlP3@^c_}ei!PrY z-HL2xGMT0#j?+Kc1#wWgKEH;E&t>Xdv;Cp09Jl3j8#*6I@J89kjP5e<@-@%Z$MY^ z#BbQ|(DR*y{|TZr>CINw8AqY73~F_hOSMNkKn=rKqY|o7;Ad{+Epy;W`C{YJV42KLjiOU_#xX`YKr^8km2jHT-;;ML0crIj;e84@3`g+-Ycu=zk?9um3 zg`R+cZq@)IcW@7)UJR%&r~V42-16%gj$feu*U zj=T=M!?b;CO<HCk-8MwICO(CIR3N{n6*$HwVauYt!|+JQsXyANCAj>9v(h9z>m zc^gdkcHHvddcioD?(J~854?gHxbE#}0-CJb0j7I9h}$q#4A$FJc%glg!DFACuz)amyE-5zry!#RsA^<2*MWC1g2y-!_W{EAz|~=% z#&zI};Oa2X1BB^-tHaz1beN|Hjq&U-@0K~*@U;K8pI*VEEEeF5TAd)q%Q3=efrNJg zhPn$Deel54$;u*i1t<$+^LysA=x5S9nDpqsEw_ zv!oH8=?RLs@VRHf&)f8q->sfp3i@rGMk@jWP_@frd3wZHwMX4d{NVA{?h1LH;@>;{ z6GLh&#{n0I?TMYJxYJAbX18bbGSnE#ldnLeF&8=Jkx{5n!MygNw4n8|x{pWUoOYg4 zjsct$-W$8|>sbK8w%amzIBghPq0iH#mGe4`V;|E7T` z1}Xk@NjwEv6eXrpFM0_TK3Z;x`D*u(o_mv~SCkiSCqmBQ9b!kyP8R^(%u z79x%z2NDr}*)r}FGhe_(&B3H_v| zw)xCBuURn-vdeKx&oNO36YXl}+H%O(MR^VV4`nDfi5dawq*a*U=V)C-BlRHfq9Nsj zVEV)?yFiS0S6l(_b0nM`6$#NFLlHYGW|E>6@vI)!&+-?((`OJI%RsK3)s~;ndk^uB zbYuZDAOn{jzJ_Od8wh(6{5yI&+dTtGq?Xt0j3FU9dJ+!>ds9&C(Sbpuv_U-cRqHDij~!q1H4!W zeAv&WQc3}yql-+67N-7eC(sR%OGT>k`Z=ExJ9v|&L-a|3MB{kg)pFit^L@LBuHj}b z`9C@1wOdNE(1skF%4=J0mD;1UB7tF^@$#_fH3=1=!Rmr@D|jmJFOD8jMX((`s8XBH zyAbOY3A`(xp?y5*y>BBiY>w>y6H+{-o0qlvQ*Y@kz8raJ!B4pV6NSW6$t?nQ;q0DG z+j$P)30(+pBx-VFtxVmQypRTAj!DRa9OmXOy5rtWGUlKBNoU#R$n6?1T`{~EY!!K=PCZFK&fu=VB>X=%RQE&_yKu!L+}x11CX) z4yX&#mS2Hfj^|4PB)Qu!&sbIc%;EccESCe_j{etP3Bf{_^NQf?l;RcL(7WgO`G`nR zD$(D12%h^|HcDX@lQju}X^J$OhWe<>j5wo3QwyyU4cb$*BTV zSeAYgxfE07Yo8o41bKfWf68c+aD7NlM5GS%{xQDvk>K>DW5F0}OI7|>1@RpkDwpe@ zCdjSfOMgHgd`BdCc?4Xbk(&)lU<>E3RA5a>LJYji=y}z&wA}OI$<;#Rb0n7=f zw~!Bw;%DU|k|IlhntZ#<yn*0uStl4YO{`!5_c-pK8p-(}5dvvFftJKM)w6Y8~w2yNR5y-v#~X z8;J7%#~aTt1FbL@Yp#aCv~~+YcS1vmUJoA!_x?zq@FI`Mvdf=n!gf3ReyrnoJqD3P z#0N;12EP-;EwBXIijrFtODIX#cLpr-%*x24;HrG1Y3{SDYd~v_cLH}Sr=Vx=(|{cjE)~GLQAgeo~j8~ zmS8T|b-#IJ4NO^r`$8Y8PVz39{n#Eu)EkPw1ITPnPnCrSGVod_P%wBB8w5|Zw*@$n zSJ(W;56U15^)I6T*iK=75&eh4yci@+ej)vP%)spYCgW*KhVR0o85K3SySJ{Dz~h0P zU&eJ}Y%RxO(TxIvOu=KEGe2p$;m6zkD{GM(xjFY2_@RwIw&jquERV<8TnDcY;XDCP z-b6@H6eQgRY^==w=|X>KdIqin&wV82syRga&VvX)oEvZqb5u~pb^~0nIVhOglb=bi z;MtV-k4T2u!41ibeUssFe-$+rU*1%qYr-c*f2h#ECx0R0yV6e)t8Ta&yj!Q7nm~~piomE z-VM(_t4$#P8}S&X%H(@){?~3N3n(#4Xm8W|*h4uHw;HaFv2l&pQ=FKzbE%SdmEFs! zuZsc}ofINw6fMq2-AR|$B)rIq5lp2|9zU4sKC_;3Y+EN!KH=t=;(M+NbAKw z<$qsUa;f%6*od(SrVh}MG$Iw;bQ#iJ5U38%>IcYz3XX)@P})*n2>703{QN=*6Ge@) ziWJ6Q2SL8j;IFaIPv14Fj3GruMTP1;f+?~??4;0@@z?xe@k0d!Q@(JxLMs?1{b+eUn~TTIDFFqN4(M zg|W;a66dX@~HdkUL!3Tu4fTM`dCV zB7n7s%Q}243A*QkNm>qQ6VjT}odEqIK73w^1ediEOU2=t{TJ*fq3bW$^HjC~_5)+X z!^2YKGJTkGk)g9e^vrp&AD##fVMS@{VT`A$Q;Q}+z(4pC5}bs-m=8hcL${8;7EB_5 z8wXy~s7?Q1g_F2oL^9V4RF~n&|9|vhloT4hw*|YS{#y4O$`-fT19E zR^a^Z0QpdP{y>Ua{ExWC`(+lAz?xW$UMqrrK|4PynFtLzNdhOu{}4;OR|N?H@{53n zDL<$g3{RyS&;>sg(n9$CjsX#FG=4s+&J33PI*1zR3;AIZWR?0$x$ubK0T5Bs_=N$a zdJJV2H_n-*kQEL6LQZ}_iy%_Gue%}H5y*7}I2Ozins(~@?_0>}Y0^vc=IbvxoZTOPS@Qr^$1fJf?z#$At znNa9I`B^qRAD>(_FjTJRPDRx;!$SNh8Lm2Jj~2nwWuLeNn7~B(-e5~O7;9ilp@Z9= z-cNCWej5WnxJ+C$Fa|CKytEE3+#JP_ObJEN@ZhGDiW6eWqF}1 zPX~t98Qly|TM|elfR4zZ-ZHpy36X!q%FQ)#a7gV*;z3~}1!f0KsFzpbdd9=v!LUfJ zfeqI)W@Irs{+>pe{HcIzT+g_wwC^w+GBvP|>lrta;7Nf{c5(%Fr$SCNECTDp6<8lc zuqP}6YswW^Q*%rbf<_y5pM}dWw&dzbx(}n~$E@Ka z8Sw+ZKOp{#-$sQ%GMWz$hUnd3AXYD{TsYilP^*%$Ze;|O~)(B5hp zejULGR)MEW)<|7N0r$5-zf$b>Q2)1qu1S4`%!}3aveZNuXFQ{lz`Vcq&)+=#d+Ue% zOXG9CKIYw@`fI9RwE6=>zrgT+LU1@C7egl%cvm5#5KdScj?m$fGwDE*)J=}T2!T~* z=S*v+O`ytXHO);~w5G9wJbOZUAO1C|xrqGhKfh@3e-8(`&XaXtP{<(R3QE;DPM@R3 zxW8eQ;baaP+jII`$Ew)jZo-A(=v)s&D#2MRfyS!vM;|9~&VM2tbdYi`T0Ktd2whr! z0?*JV55IP7vgf=&^o-fE+dyt2JZD>!IZpjgcK2rTqV?UNtQ|S|4URa-$-IWLC%t)b1#|361Tq}JF z3fOiQB$c&vm(ZH~R6l=KPGX{^TSqnf;dWAA|G1~2Vamt1>8!nRi49G|x#yD?Ma^oiHWFUs#L~>$!C*G&CPu0%zKcixYHA~WjLBxv9Ygv#Y7Qm3 zaoHTtPMR`@PI6(>XtYqw=+GPI3f5Q~Ng% zEL!KoJ?=-!E>>pIySnC;TlDr`8t&EqHRUf_!UUp?la-=EuMhpaS2IFR${c=x0@U`X`{9&~d5M_$FooxnGZ&&s=Ls(k)=<6Tn2i4EOtqK7KU+ zkb<7xp8keECY|uBt*dRyi3zHx15R8YHVaqasWlv*6-=Nv*gHG=laKs*(fS(&v@;+0si= z6Vh$HyW30XZX<~t%^930FI}zIj?Lkujw!^sl<2CdCpu@*=3ULXA8MW5adEhBPlitR z=hncr%tXyV*KubnSNtAwWOcZu>aT&n$ny&n|L+uq{^-e?{YKNdC;T`n^*Hdfp2X9_ z>|XUP2~;YZY%=1^NTlLM=rk|(;mihtjel=0?PJ#Pi4hlqGbzYNzb2~<-)80MT;9t{ zH0%K?gA~b(v?)r^&SC_QJgm(*XsF+>?=b9F^R}5*m*qf?90n5vR5$F^3g%9L{x!ib z8vOqR2MjfKU1MNKKe>rX$l%l!QO7u><^p1QtaWvQXK2&RHRY_dTNAm*cAt>meMWM} z5y|z~4T^8xZrn0sTWrhfO*7|4%)f&u-F9b_z}*K&B_+>#P2X5-FWGx*pQ-d&MIn=0 zT{1h4?&wUkr7>9q+iX%uT6err3NyZccpJW+r;bfU*(BELsz4jRU>detT|A+iu8%H7;bgNr3g0b>A7Ac=jvRBC zuWjmo#!{gKOVT8p-Ru6}W9)PY*+P1?Pk zJ||3dhIjUk%h8M0xJ34gq!@+UCmqB`Zz_Mku%*g0v&ZKxj?~Za{)Z$yYQUUsx~B0H+4w3o*naU&F%#R3iJs-pNP0ahpFZy_ z!qetIkZP%tn>dt+)6xlhrJLBZEw{JD+i)O3IkGJ=D@?*7_Xagy(W zU}S)0;1X^dA46|LWIfupsRI|BG-!0iv=HZ#yewY9;NGT4YHQ{rbXD!wvj7;e^!MG^ zvcTRJ)$z~qT4yuE8WN^PY2}M7Q$rlxwS>Cu#GJjlp<@Owr3!mdsrX{0)?@7@928q? z$y>p!59Kkr3mvGU+ZV@PFOBJ3@i^ayk|%Ds(dEt9`m6H;D@YSy*eTLE(nb1;e%;{F zaJ&I^+y35`6}6{uBDhxY4Hg8iRU}=hCR-o8%fOd0*e%<4s#2+}(s&KAvO}K;h|g>i z%Yr7{pTssw&87CXRI2YQ^J(@e{;2-2kn@>c#w3x|3zPEmyySyN*&%oDKPU-SqY)ZI zZ=OB88at2Sn5aq=}; zzjEv+jCDRW6?OakD{Z=odQ_Fmr?L%4B})#fiwD!DE!kyhE^);+LOCeJ&@$htp(1RF zk+Un#$~95_QhTP6@(GG+@uCkBrn>06u|6&DsM;rp(z?-`5ppMpb6m@Ps8;3igb4we ziCr(2EM`C38R^M$SW+#Ss!We&C@@48Gb9KpUgWve@nWW#E_bFP=+R>bH=Tbgp;au0 zQLTxkR;0(q5K!!~iBIgSObOT?U?Dh-rhWP}3MF*7pr%Fl3nfxoCxSM8hR6q1GA2u{ zp!acE4`QkPSo9UCw#lu}SALnVo92gZIhxdC=rEJY3`xq;t5_R>{q6p%4}^OdF}h*= zeAm$0+OCt;Ap_8TB`kuaNv=g1fdzb}AwaKy%M^5|e4Fx@9fdzdK`|`RV!(Xrazevo;h!HQw z1*~`BL|b3q5bpfTIbD5Nr9G26NM9k^O1z-!Rnx8DQNsy!OuD%#|0g=;>vI)O(?+R_ z*~IrxQ+DOOadm9pObX0)pjQr~u$Hx@3TF?{YG;tp-ftP*>AJSX`ZKG2*q=?`4+xT^ z^$`o{tn(7`9MbP|=*8=lVhC>)=oH$l@=am-9n4t@joDq6tGKE{9<}M_f+HJumgV7b z*)gb5#YET2l;a)h^iqS-OGnr0HENQhMk(0sNiKg(p;g?du_WBKVi=uK{^|L&!F_Q? z*R?`p5FO8)H)g$Wi5v@gG0oq7e0SNzVfM{wNwYf6&D&XZ97}U`U#4Jmo?1VY8b4Mx zp($asBsN0a|1D#QQ7(9)?SEdVvF`2pJ2!mLj;>l`1M3ZH?_0FLb?k@=9GLgs?L_WD zyu#pF|MZ?F1}Y%oT*aN{1hJao8vL7`IE{d82cL?qmnLymztR+tUdK@G6*y4R&>?J} z2_*iRFPJt_X3TWh%}~07KA~qG)|Ve?=^Ns|Dl$_c0oT)U(Wc%;o|TpIhP&Uee`$)QPEomLN7#e0sfV1UI{keC+q zXZwy3NZWe#9X}illwhJOc7?XTk6J62Sc)G`yBN9HcHvVTK4@?Ab0c7^Q^r27bxo_) z-5;|1pl%2FhBVcFqmTIU_y{%9RW`cfj!ou>*umSWjf{qFT?7qLKF#MI%SbDehT0O< zZrIDvHDg^jMbvu*$TMrw)%3!T`hthM4}4ziLxvcX&>e zd1=?9_jweX;jw+D2OzPhmH66UG4v$uQ}Fx}NXBNLyBy`BNs#eynbjxuS*6jcD(aqg zJ&VTt&N=;!SHvgY+zYL;At{+g?aPn6;v=tJ`fT5Z;FgNJ{h2+!4@WG0|oV|nDk z?4;N>r_Li>kO-HbB~7QdWX3HlbwPkNzAFbZw?-^hEJ>>4`N4Jik<}qCk*9CR0eL$n zvqsiP`E6LKho4+Jt4eO#hIK&rD}S(H+S_=9!@8o#pzW`F9DH58o~@`2Y^`d~YWqT$ z>)1y-9Szq7LS#!<8CcG(92DNy1Ct=t+O!&ZM9R z?Gx={mjYTtD61S)7(pfe?VT#c89|B9!_pgj=8&)7O%ciI4is0w9>>|BY$6jEH>Oc_ zQMqr590u)mgTlSi6R86&D}Furi#Tu~N6e=GihMv7@xsF9{jFlP#y;lO5(5{CRcl>` zo-OFomB6;1cO(roGOYZ`sAK{2MjQ1)XsYe%LSWkpmJ!AS`~PC{c%^ZO)x`qnm~&Qy zfh7|g@oqi_u}jpbyBMxMGvrAa*JTVN4cdA$ZEEpt2iJj?+ZmfB<`#LmE=+7a-=l-t zfAo}!HJWy>bPTWHy)Z25hH3S2_PC)EqEWwac5}w8TJQ09pC8yxL~(#oCy8gZ`jVq^ zBcGd=-TmTAXx-_|dj2q=iLnIRHt-${AwxH zMI&1E#1&RWr5y&^@BhSl4$d$Jn^P%By7vFAfI2d&&;vk zJCc^Zz8S=abyBISHCl!Di)0*Ee`eo%Y#{3FyKmf}SUE`HW@*1(YAxL`Yy%=NqM#y- zR%o8}yh^`V-~N$W$3)fbZJ_nv@%Vdhym{5IV7cNVfRWT1M_Uk{tXz+J&&~YUs zz=0l0J4yBJGu1ITVV|DTa?$&!k~rCWQChOeaUw}^P9y@OT}W_Ch+PXyD; zCF-+OU(b_MB~WCC65Bz1rrkH4ItEG9DBJu_st;XCJdHovb`fQh6coR~u_U1_c(7_i zlFPV&k6Q2n|KHFKQjUm_bKNV0D9`3#4a*o+a_Q(Q={mDA#+#lor|_ZKXUFRAR}bzB zquzSZZaasLHVZF6xC|+Y4s7pRm6^dnP?lj^OVZ!6zo)7qEbjnp@pwZ{-^E@vfE}Q z_7KyZFF0z_EECSE<&D1+wmd`C8|dEKYV(%4+xfN`*674D>6Se4!k`;qCZp=Toxi6` z*lU;s{F>?)t$2YU+O|)aT+>FabYxc1ZjLlm_;0VUerRYlP0e}M*;+$e2PsoTK}E_m z?5LGve15#8>!$*peG5>Z?a>2JGjfr>l!w)be76v>o;~K5A-OFtFqN+aSafm62Q5iK z*KFh>9rNi6aluc{r)4Rh3RHL2EA1)H?jF`N4IaPHpg|j^pAD{vS*UP{?y|e+z?*`0 zYOkInt6~wZ9-CVK?AbGvVbfS~ZcUnDYXP3tqJM+l7TTdsBLqdYI^4d=Bz>Njz@&W+ z^UNs^?vvaz1OS8|qMpXEE zj6m?=xM|XhQ>SSzhE#;}ro25)BpBQ^)P0{6f%keI?QurmQCB;v{_efaGq<5_2i`sO z)frO7$+^hCAKq*~e`WWZyx*wPEyXvT!HHN04$W>!HBIk`C+vA0F> z{Marm>w#K)-W{9wW4$e0Z_r59*WsEo`!iEn>vyI_KLK@ablXw&c+wmf%BP{?GA?6p z&RnczoXBO-=*mkS8*~_RM#C$dC1@LI2$cAWaa4C;4q%c+;OO~(1`EI{zO2zfs zI#uh$p0q@+d#-M@z}HdN7hCvcLYv_)8N0!{2h2CAKJEVxJ8vG;WcsxYb~i1!v>>A5 z0;H98YXr0rB|wt)hZt>?NF$;ch>9&XQCR}AgydYJMSW|*p}nwqNbPoLa*4Cg-gIp@Bv>zwGhQk_A+& zHHCYq-`_jej#lpf!ky;_TfiTK67~t1kwSD_F5~fLz+Hs@( zxC>a~|LG@6N^)6&G&7ndZD-uQuC)Y~7vP_Z`}7kn%~jxKc@#Z&@Z|^;;t-NwFoExm z$wiT5pMC|-ydcO|V21p7eRS*8}5hnD3E`PAjj7(HFZ? zWTB%8o@McRLnPb7tKQAym5Bt@d`UxlXb5j7{k_)g1%F`Dw6rqe%6bRxR3*l+Rcf z-E`F~WLs~dsEBkkRlroj!*@rO7}vgAWS$tfUVaj+d#$(3CR^-X{>Rkeunx9r026oVlgBfEx)N`ieySpLU}i8p@Ucf= z)m#9YoAV_Rw}fX^GBSk}be118;~Y+LH78@owQb55_%4<4cp6z)fP0f9(0m=SQoG&# zy3bzV!c{^MhHkc$?zVuWdj38yP6SzEI7X~i%mC15SB*brczVq-B2|_^Supp)PBb#| zYIsrWwO5p@7rwvn=;6X=i(Q^WRziR_I%1+i_ynh`C_@WgK^Xe3c3*e0ESI#-yv-YB zwJv%$w*pBktvSRt8VMMbBnzO{PMfydY@=X1QYl7L(=?k(Q`;L#a!Qk$V>KPpkRM^R2OM(64w0 zvZLYg_(GCF$p*`ZoJO1lmn3xVBW2Y|_Cowg2zsN;oXO&%3}+5OF=@Nw7z+0~%W2VV zS3=qn4Mg}|UQRwk0QVgj39w!uVP$dc10nCRa6~4n7EG|&yPa92+I1c3sHF4(d(GgR z;7&of)H$-|XdDR}t!?Eyf@yj zriin{v9vksZA{{XrO8SueMb5%JVP0Ai}wa;)|bxUNL_wn`{{mb01|A~>hH&bRww7byw9%TQOWk!g@b@T|icI`<__ znVr=sA`E!-2QTbuo5#WtB%4wYih(A^ax|`)Ojn>!wJB<=xKEMav+_Xw4euBxl`YCC zTT0zQ#^9$DTQ-ofT&{yP!f0ia55&1j>aG+Vv~J}Z+2+-67)&16|J4nlS=13h=UTZ4 zgz^is=*2*q*Ll>4d3eb^?b`jyLtZ5G$%GEF&`f&4xt%|5f8X*{1tfbN`rR%_q zAMf{jx*uNH)LOO%7Zz5lC$=t^%$N8EBaBK-BuivpCX1=?_&W`5Okvj-Zk@0mU+;b` zzNC~ClqXH4xjN4|y^NOz?Iz`tg~I&w9knB+-v8@$|L@vP(O2+}(Kuf!rA5|`Ynr`m7NvD7O)&~7)0_XHvV2?G;?ykrpRox42cb^ghS6^@u^R#-%kW~n zgjN-~4wDga)Hyu%o%afd3Wp9yD#Z^Mn;ax#;9R^iB)KD+G}D|kV?u?PE@>|{&rNHBk4Kji09R0%g4eL!Ubn!FtBN!I4a`lBw$N+=P+M(fNEkrvFR;&oxHPVZ$#~bE2uy za{h8+D(0^dKcu_vDZ`&BZE`|dC_G5Kxa>%znbwlAfG?eiXnoX?p=O+E-tshjg&uI zV0megpJrUG3~R+ew9Q^j^n3Sz_es^FL&=W&H+hfi*xZe65G#t`ZclaSzi*ece_INz z%Ht(StPs9V#NG|Xi$j%<#uz{=Fra%( zokV`IsEqyYx*hwvx@j#JsS!8loDr3%hEos+Lq`t|eZ@W{t(!+*7B&Q$48W_DuXyx? z`i~V~aD-83arM=i=+8oaODZSg*j&ovbcm_}+Vv4TnlR*E7-&x2qMj(?Sw^$J(3sWq z)jzhVY7z<^*wPKa2>8q4`GyliW_0$#{ecd?;G6ehu6agF;Ul_#uWNA2qibac#Cw!{ zC#7D~MVVJj79(b|OVfRETuA~`@R*sPK=zB_FvV%mYH){Gqeh4<^)2#Xl)kARN*o_6 z#gU_0A!#E)(NWT&=WbvOpvmoY)K8^6=f^2}O}QSFqVaxBQi5i`x24t~@vLNwl%NgV?U5yGy&RcUf;fwUQpP%U;jBV{&f~PHW(@Vc5+g>mfNgt}2Bi-bVL5(5QI~KZ-zSiz z6GC>xu z7BTFCehv=`bd`E5gF*WMY7Unl5Ak)7i~w4JzN_tUlTZ^w;RBzP-1b)fyEtfTmK97n=RAFoaag!zx91l6)EfpMuo)~Zww!bl@mFBxrU26 zHJ>4yj7SZZ-u$zEBxgyWO)2#_f+fb%1j82>7m%|C>x96Y$-ykCyUc1)THx>iXkGe+ z+r18^rkL2x{$`krnT;93VOQ4qAYX{9bPd4=nQoOTy54=5hIH}cMs&-4xyQXBc$ef- zFs5}@y{BpIul-o!`@9jkT&Qo+rlQcM8yQliJ?&o=l8M(=|nuLw&iFU4? z+n7=PSr1O)5qou_?XX}nyHYm*;XcR(NyK3fGtI?h*!+gNkYilUV}C22c1Dem_+xr< zI&)v;D6WvICACj65j>5VgMaBn#@vfG)tT5X_YPWyOr~+f{j=d5+5L6Mtw)LGeg;Co zaE1S-CB*1xn#yP4LJt}LtEcD{$6PkzK8*uE8lF(b^dgBlWB(iJt*qgXwV*?xmF5GK z$Sf~f5llM_51TsROe?p%>2wz!c2j2i&AsNBvXTSdj^=%eoA=&K_>LxQF(_7`i4)N; zef}1O+^wo#oF_#`{Rj{w!ugVM=wiHed-u1@zi#Y+nkN{X#PL;>IV^P4Hc-e3L7CCF z2ol@P{GnFtFEOuXn-1`m4GSvwdyad2Vwj=`*uj~KkXMBmDBh*n9}El1uTCB=Hf75S z@UqLC>lpmx^(69^jQ9k)aqQS%HO60utC>~O!B|G9K&uduxZSql2~9X+LP4a?4sVVzAGnircl}TjhrHZzl?#Xt;O!fpsK> zmuOs)6iCHvre%O4L~Qwl=;*nARmU|{z+Z^zoRcD*` zr$>?-i}89(jQrzduS7GdG83p&?n$&-S^7~xIe;O=+Hd*+WhzQXEmZT*m7tR4GOoJQ ziYw!S`4HxX`0f_{nNl7@Pg04KjxE%`r1^>Aojiw}uWx03rTQ9U6F*azkRmEW`MX6r z%*yj+$@In?U+5t9`r9h1;jANY4R;MQ&U>1*Wr)T&iXW+N=CLvdkF=KK)XctW^q|BXi9KQA?~F(xvOoQWNTJ%eLvjz$wtW4HZKoY>v&Bcyy*V>P;n`&7 zL)g!Ym65<6si7IJR5!J|b}oVZh+$5x#1Pjzr6O*P$2dZP3- z@s)d$M8#CAz)+i>loe+7l0wtx6Dc-4-#}<}m-}l=OPhcJl=abeOBl7VIx?y_?t-I( z`hde+5R*H6tE79mybz1N1c5^luc z(TKsb6`V)dw&=ylz^mY9>3H-G7VWBzzr))qX= zG@^cOyYcqfrmez`zffgDgW$wok$>PBWhs~Dg*U+IRyJR|?sVj1@b;m}^8Cu(pSdU( z-XV$$jxVe^Az$I!51>2ahC|1+^IY`&i%a`HtaSofz)$D_AR9B##g95itfDNiwI(u~ zVcoL{yM-z-4m7Mh^kFRyY}5HWMZ87;&*)iiwp!`Z915zr8p!llZC>qqS)UDChk>yj zI6gOJpIPaVfK?l~9Whfp=?0ngKmwnx(69bEYa2LS5li-Z>pmxNgrP}W7%89Kh!WIu zmU^`C;@7Fhr_X@7GEC`1KpzPs65O}vR!9WghCsxA`LlwJ^gQAlEj^Y{><}F_wA%8X zK-8lL|#%uIJB=G;VaEBzqH1sgv=t39vQ3g9fBMk1rIE{{8!Bm55w=4MyR`Gm}6#7ok;yf)&(p)0wyDf#Ysi*VOtuTh_&^o^T`+UlW5I1uh zb#rmM?Oj*rb0r!xtNG-Bi5-!;gX&4Y7tVjiS|5x5IGITMa3h6@(^bEtIrG+cheBX? z79|*P$+dQo0$P_`$GyD8UDG@3zXew(&jsiu_EW_^CjLQKYZEfXWSjlo&_JtoRx?o6 zTyl!Bm85XnUDu6N6p2?PYB}66DcL*pk4F@BcjTL!PfHn&F2uLE;`~YHsG>Bx1odYazm)sTTYydm=PQ%c_xZ*G_XYZL zeTR$kOzmd>R^5IIkhNj}p=V}>*isO(-X#W}4L?j_mGZxdW@qa9?zTu=enzLM&gf1u zf0sI$l3bUwKVRzyiMn)96!p=Q;?ni_K1T{U7vP>0%snLxe~SPTRFfe@ew3)U?|eb^ zMCy2$Zw>hs)xnLmk7Y^?+$E)^t7rL$SmX&mUNIWMrap|(tDOhekQ*c4LuwU_P7+w> zw3CyD#ofoUF)T6tZ6mPPaD+pERN{lVphigi;EjhCal{f0x0*N;>J2C+9k1wEgLs=) zTf{NUD5Ahwk`aBajW1zL26me8!8DI6fhm-yeZ13#9HsfuLHik{llfeS4w`U z`fVRjr22;3rvy0cV8D7Ndn5h4mJ0xv9ORAet(z_e>)lTe_&3Nj$~&OmKu)Sj*RQmm zTJTA`aIk$>1UL+PJ1rw^M8_9+9K&P6Pb7K#jpTrY^*JBn$SHPxiefL)Muk{!2aont zMA%2Oa;FotH!3cT2;}3C?oJS^# z@Xv>9gw=nCcHP9iox6n3g{9f#jWoRZ`#OngPTs;z5;$Id^K1nxwA9dW%Tu_pX+DZ% zU*&)*L6c{1#qklZuflfW22WU7OV+;4da~hnh}GUlZpPw`3M-ejNH+eaA$-y@KN$34 zY}gI_?MQZ=&gOTCQ~1xRsmkRGl)C}Dhy-Ch6hy!7y#&@m)FD4mCsd{UlPL*pJ83iR zI*C&{@tRsiiLXD`m_=$>9nC*}&(-{7TRkkfybo9dk@cHpi?ww|{tyuLh$5UX=XZJ8Bm&p@t` zCihipzFUs;QLA*paiAzV_)y%+N)_o&EvKS#xNFjP%{p*|b#e2*UEa6*fG7AH+HjQA zQ(}3N!EGpZah2~hSi+!|Yx|Fw74lh^&P!1``_Ky3Nx-dV5XmO~X-6~u_W18v0GcK7 z*zwmmChklA*0;NLm!3{X^BXfiCYf~w_U?J(8Iu|**eOsYuIT(-ygqBmdWcFM#aSZrpEQG*k1fDl#!xF28TWT)LK?AGt1Ap)T~l{qfLr4SM%BDAjr-u$&RnK?uG5|=eJ{gR&F51x z29#t3B}nlaeA`hIbu5RLq2EdzA+WB+Hz*O2<5M#2e#*lmm1j74u`fV&zP}C`ZN(M< z?LtyxzYJi?q9zLwZiK0P2nDWAW98_lj3AkC!gqR&3Pqga9>u8FR%SAXfoh#LARMt8 zskuS};re`}yqwfeqkz-m*wRThaV`SsVbTk~Q@1eT-+x&*$7UwM_-vWW|y39#52 z`H>CZ!;q_J`x(={!0g{ioPd|qAHX<$GI6^4Rt_K(AoPxu-xky}k>F|2&|zvgjfUu) zpeGCYER;e5(K@&#=g_LfAamb1_|iD(lxnR%XG6vFpwMJabl`MN*2~1i#FZtoH@x8= zLX(3=F0)rH+2pC{;6f`btyUVeL~sABn}JUk6lN)J#06^7ZiSv+WQwfgXR-a z)pcmEMJQ)hnHZ)NXj`^c?*nfva~?{l|9ir{n^64Rk4}zJP|Yr{+hx|_%NY5qe#kw1 z?5i)2wPz>K3?E8-@$#z(YLH(lYD;lfI3rngCGhB>fZ^+ZqL?T4Lz?nAxOMM?E{`$a z@n(Z|$IAa|RJaOG+K)kjOwU@M3x255%HbwZuTM;hy@hiASH`q2V^hg_8h8~N=@&TS!V(a~zv!eaf;>v($ZSeDr2u6VjaL47KMSwENg)o&Z}~G6 z>+N;s)s%TU8zms)Iqxgl&L^4qbz*Dgz_A8O?p3g$l3WppBs9+$fgjrokn~Wwi}#hu z2->;}vWP%1i>7hwG}Ez2!l={CT4Zxm5WVG>oVB#^BhK4t(h!Nb*R5+66ppHmPlI2Z#gHW!mDMueAy8Mv1lr`*4oTmC;btnJ$y5T6V3<%yso` zHH{uW@+xv@!NLp5TFT1t=h-_ivZ3;edO7qhlQm*a9`bE70LvO~NFv?mh2-B4PdZq| z4|coDVlK8)Sl+d7rm1LI~HUo zvGVJ7dBrwDd5r3|iRBfZ)JE`%)|cgFaqo(Atc@sWk+NmZ_a-O7_vI>9UDP&o6m`#{ z;=BJ%ql6=#uZXIH>!Z7iM6Six>uqPzMGs>b70=NG;;qOxE{Tpy+EJuPmo9h7T*E|& zBcZB9#X7JoiM_#Q(!!Xh%pdqF;HJsiaSkDg=KW5)x9~jHqzll>=Jp$o*6cc1i9-V}t^;-~jUG$Va_2gXMH8DGZduUMqtF}|->+O`Qj+%qFV~?65 zp%qk2g`p8Y^IS88JI(hdEEE;x-f|sFOMh&Syu34lGOIDveq4(6wSUl*7FV#@ zFpgTCiP16dA(-2bMQx1=pR1Qg$AHO`8(1@moj9V1{oIk!dBsez)`3FQ)4}uA?e}QF zf0PJ|udf5a$`lMQK`jiZ(5hquz87Y4tbA9(&X;wv>`J&8u(waV;yI{mS5nBTJV+)P z6jCy-;*-u~zWWLok$Q-u9+s%ESVb@O5f=m7x3mdd^R9r8LxT{+KGr827e34!#ZjNx@NnJsjMfLmg6~2n4rDyC-eOU@s8Yd z(^<9J4w8$aZP6W6TtfYqeVnyCGNkI#a%B_rVE0giZJ{xBf&fLZz)Ln6Fp4wf=~ZGv z>R^K{S8Fdhmf#b`U+8s0$?hvLa4_Rr@miwU5}786k6c)yQwk%%F@+UFKiK-cd2PyB z^$+J&EO4nTE0R(ee<(c#W9i;46i_IRHfY{Awvop4Dg$d6z@uf!9=Y+c12h<83LD7i z`eK*I4N6l_Xw$AWEfN@w!Y$zXQFzZt*dk(m-JhawFs_@0|EUmo?Lb!n8DI0cre zTNqNtbHa~QKn?HhE9#A%mnRMA335N#_3YPGeyzgly#CcOFesm6v`!JxX z-P21o@q^1H^IQ~Sy$?E+YI}5reW(rg7!)xaVT|XPCvC)YEG+Lb&R4#Z734sMa_Zp% zTFBBcsjHqQ@ruo(w-eul8deMIgXb1x@=gc3YIj?UaX0~F@U_%ld&$x z3KNaM@+MUe*5`?Jh1N}kAsnVKJedL}yo-Ph zG7uqrkwMICuFSa_SDI~;FOmtGyd3n;3O8wx+D6UM1v$;i%a1PU`7;^`G;3LqNgy9m zJI(0C^L6z;B4aATJC29%`}2M5)m4vVws)Pr*qPWSn~7Z;-Uv5@S8ojIY}_y$X}o@q zfDK$s>^Z-!dP8Do_b-N9v6GQu3df$QOsDY`4pp%MT|EXA{ztN-ybh-yhg@g~(Kb1T z*FK|KITpvgaF*8@7*yryvz)*8Y?^vpUiYXI)fQZ~Q-E~moTbP#e8ddW$IC`7+T6O`YF7 zE-$iEy27Nl!*9#|n6vSwu(iq@-0H<~S=G?{h`N|+#uhqx5!b=NyWw>#mpsSx9Rjay z$y1_-#j)utJow6v@3t>bOnkBhZ@3Q1Jb#K5_}xwL`I7ML`Hq!&rxXd@gE*U0>27c1 zgb&(9&fxin;d^t8I2Csz6%FT5oSxAMJHb&;^@+kHnN_}tDI@%LjtLEp8M^e;2Op`A zcaWNM-D7s?!#IxcKlBcrm#pkn4Sl1!bOX%utJBja{2@c%&x;o8Qk{HEm#(B-Oe~}S&yKe*ysD2ue>xYZ zQ#;nZ6#&zQf&w;)WZ|ko4^TX+m$**)Io5<%j|Nlvs(=YAUCxw%B?>5la8(BEg5}Zc zV+8}V`NQvJvh&xv{waSWXDe+K0PNC$?6}UvKVe1|#AAX%KlR-?GpDwFn8U@b%hi3H zgY=74zAdU5%IOb=zljUPO&cy5Y;Yc7#vV$%=&8JFFCOaG)(sK*#!`=%Q5Sj&5N$?w zvY57bFd_^}=J7-RCiY{$czMwcoj+trx4#4_lr5nEVBWZU#G}MCyACcH?K*5%NDIAf z1WDa(&muQ(#$@!838q=^KqxPmR)-qRdSfItPN+C3p*&*;`$N0_1x17I#n1md~n9x~DY# z{tnN~^7c{mdAxq}DQ+p0k^31c$T=35Iv~OyHdKkEYjB{-IY_A$St&k$opA@^>F{B5 zX1sk(Hw=hnG5JmR)Shyh`{ZoRDbqz)J@47 z1hv;Z8ZD@(nYS@j-ST5fU4SE`oG(&AI1cE%lrq6p`i*v((q`Jt-X&ipijUL}yTRXq zT7CU4DN%S{8FV9E$^WR)tw3S#f+BEJsAAiKL5%lqs`bAOckC10R%zXw;GlftY?ey2 zjL8*AtmY2#+WTHsSBHk5;6>Wdk<%49v|0{Dc&SueI`{j?W#M4*S(_o>!f`@0pOHTJ zPoW^MNzs`PfafFD!A2{nImC!BjUzuq%H2cwo}8`Ma?UOydH-rvRkASWsiq`{OJBtL zxU9x7;!8 zP9upT3F#=jy{#Q9U*(oMZ)jCDc%*{up&DL+x)YS2^d;gQ2^2Y!nr#!B|7)a=(SV0u z-$6dTIX>6sJlhmb6BrF68a`D?(Ka@o z{$L}`y;P8I6K^o0p%ew?@9y5-@W%g{SXKZ-=kX>tU$dI|_iklAelTM$xr@MjljJ3L zg}qC)B^o*$1x^h)OFM(os=4WN;dg=x7wpc}TDt-B-tRn=mAxZ-2;q->jeH+bv2G|A z*a9~l*d=O?4BVZEtx2Vr@$#`9$iTSnGOH?UgD|EQrbVroFPX`&#?X}4S9ER(rENrX z6?K}RUO7~~3qUPWa@}#=NSBCQd<&^mvLj*V-?6)Js$Y_Y;q$*F1FD0BuC?v7_@I2s z4hI5tYahYqwxKM;ds9Mn_Mgw3*R_ zBbB%%5nY;#?S7`MxEmCIdsv{r0Gm5>DPSgI07D1uF}KEvdCEI{k4S^AhZmBl*^#jY z(VEPv9K@gKhsqm$yaRpW0?*1jJl24rpsG?$tjQTdVq$oDDPD%0U;g#f_9oE7lQZ52 zwF#>G0OB~X5WUAA4~leW-A!gCK%Z|RB%z`6xmm5m@q6pGcf~{<6vLZL(N3t%Lgt#Y zSWWa`U8iEunm5iX)4^$AAUNRfz5lds546l1nX#?{p>I^8fVu0Ws|nZc27v^QCDO}> z{CP=(Dp~krGK;HnB-C$uZU#0rZ6Z)NTXU)wFppe-A^YAs(04z;pFu%hhQG^>5t#(q zBL0J!&*8NOxU((YHQk$dTTBI5?tf{v!KX?W;UD7L!_zWt(-8EZ>5U$s8O9=ha`U)$ z-XPckfJoF#?C)Zb4z@lS*Jp$Jv&Qo;PIfgfD9YkiH8(zv2D{PMM6saGXyy1<+j8z{ zo1R9RYjX|poP0-~2ZC^L??eO|&xXZZ;S>dg7nNdKWM4h3IWuG$G5&VLn@?Q>v|}z% z7-ucU%bEBnrO}KaU86kR57o$TE^Y+w!)XJ-kjVbHjuf;g?8^Wd%;z0ud=~S4azuE^ zSc;+h{xDCCiMU|3SK?@ za=VR0B{ye42;D^*ay3$sKZKs{2SSr~8K&JNjzAfy5zJsThJyj_SOC)FHgw6T^bt1B zn-)9+WCF_X`M((YE>*`aNNfi@8f5x2%*zsZl*HCu_5uEHN1joC->4qHkq`K@j2$FI z@qI5b@X{-q8^_gP8A=W7(qz}1w)=XHZ7OAn-Yq!w(vv{4d={#UsaOSDFx;SEAVTtDZc`0sVdfFwi-*4|+kel{~0 zyf+%6QUUWEFIXncOi!a0N8z+vh6p!d@n{cSPIUrd7>~%GD zTvhYdg{+A-3>;MHJe&q`4Sknu4eTL1_K}i5yKE31g?q<%Z>w40Wfo+6d@(bPOR)eY z7%?rEmcX=&1eeI*N(`QNgU!I`UZe_~rz;h{N?BkhSI(eZXDXkHUWp1*Z@ExMU`+ls zxclBagYwm)IH_M@VamYvt8F*`e7b#QR9#V6OGsL`5o2_5bgZESa1oTax(F605{QcU zhuH3cF)d!t6IRV7r2W0)hg6ZvHhXRl&X~~9!?TI(R+;nhf0vt@n(m7ooQM^NR2%aq zGt`gpq}`m(pp@F#PzP%8l>he2vD<9CtYX<3?WBiS`yM_|z&$PBv0N0p*1~@UfuxQ+ z#g^>e+eO=&ioL#bc~T*|g)TP)0KTD9c#lWxTBn02`Za^gc+FaSrL%JLLcZ6+%4>c1 z@sVe1lVUM5OxqH1fOJAh&o>MLR>?BYope3w+_nnW^nT$vT5Os=%jo!b+uPkLWB9^@4? zyNO1T%O1xt8|BudxVk8c39&J1AdUw=KW}Ayz4RW1+h^V+gGUgqT=Z&sWu~3PT-Lt2 zED0>R}4jeBB+!zuD0M|8l z2K~Z_b@pi8P)UtR&q}M{251Lr#l<$ zp_*Ks_9N;QoNOEQ2Rv8y9NRwZ+{J7htQ&!@!b04K0-A?bSHgh!@$p8JKmSQF_E}@7 zSN9twtw*2da3v79Q|oU@#pD0GrN>WHJ&CM(_wR6ui_mpdZ;YQN?0GDR zR-~n{zq7qj^F-n&NT?Eam(-RVA=V0TrUn?)HWCi?A$%=Q6(sDP*q(PF@M|iR1oJ`j zas3Uatq<8R?viG}Wfvy+-xNWe7J=islvx*HRt=rEqoNV|o95t_<%G2!N$@QR!cnQ1ETigE3-^a@^dZC`d-!olY96~MAuerIq z%q||zOCH!2KYx4=$3OGySSjK`Ceq?3qwm{( zHD3B~)rRjI@7_ND&9b&t7nfuneE#XzOaC<8B8}$*S6Wu7j%OeFdg#o?6WcZwm>+*` z{BASl$6uB%J-2%G;f~dte|^BL#QNm|-LBjkZd?*REYb)of^w_KA-s}6O&8uQ`t{&L zm(^3}T{lT*X>R)D?dkFF#st?LnmPbXj7~n!0dxAMqLa$IkiJTF`ZC0d)`Kh zVyg9;(u?$u8@(#uPBo!Jgd&Xu#UI(%w!GELRwrp2 zxKU>Fs+wy&R{Ndh$AbL;t?zl-3I0W$wdNfKU}kTMq5xh1n_v6JZ8Dy{5^pisHV2t4 zi6R>_fKn|l*zcZD^QxEZJ|o6abuYOHC4drGL!4te_#_}`<%uABzWTi~hF>McyjN`b zPW=&(<)zd(67+rI8#2eN)MCGSdgmVO2W5_>_I#yia3(C|^FG<82ahV}v%Tk5h9%^R zyNLH#g6R;ma{_Mk626wt?}uq$DW`~FcNivMWPrbi6gNBBKZLY$?NaQQkO0gK@T(Zm zk%w*BlG2z9+XR3%?Kz_#c&(QyEj245`}JJrBatJI^7+UdWlRH5S5PfJ3P;or5E{wj zKR|2A30+^ef`$uJ9;cc$t?xSSFe9|}e~={(KDNw1ddvqE-(*p$`)KR%!dTzFkzc>s z@{nVjXCwB6`<~DrO$Il<2=AH=HbwzLC$rrZaF+}Bg5Ahp&t^Q-OrDu3Lx+!^e4)ut zy1sjral^0cml~b>@rS?vC;u2sK7Uq=c^K%^-?{&Py6AuWdb*R5`_UWE7`;@{x8_0J zjxQ4Qt3H;Xxe->*fxoezlewLQ=7%e9!QGeslw%Vad_3JGcGN`V8aI$q^%LQde{@d? ztHe0^5z_R*`nQoqsH3YXvn3Ara=jHxT3bZwPrCKBYr8{_iSYqocVaoCjp-~iN5RQ<%muLEgDGe9b3jb z6qPlF2w1W4LrDuqpRG&RofI7~IwN{s5CSq*OIThAUN=QF^JqW6f-sdLd1v_R?Avc;g6+l1@Uza8}if4p8fskG4|`n z3gsgV@o)@DqkH%1IPQFv14gGM^kpiySIBev7ywFHj7oTlZ!6V@#EAVJbBq|zy`wyS z9@QVW53uG*kZ(cGIeT6uYTtv#Vd1I$sbqxiT$|J^(c z6+wM8VOp(<)$=U#NjBp{G!|FYj&$PWT{YiVo zzDc>~+uidWKwR!^OF<{}1##?Wv0h41u(J+?=3e@6Z70lNZ&tN;0%GQrqWno8#jq`A zSmWa8yv@A@@+pKS7TiFLM7cXwt^0_5KOp7vg=Oo@^esy9H&_sv8zB)t>diS?l|B-Y z5qy*D^h5)8n;-^Y(|a7n;@M!-#K3HlMC4E-f4!4F=U=CE!Zen%oC}LD&~_=69}eZB zY0%Xod~rAq9K$XH(bu!C%q5t*LG>fv?q9w3%IP4F!#JBP5s84Y*@GZCnq*gjCG zd796Lc=o+u9nUeDbc2FH!8L5j7x_YF(##vU8~ra+VN(ny@2PD$cme#Vf2d1h{6};B z7M~mULjAb3N`nKt^-43r;o3c)1A&Ge9O*`8QX_r#6N9Snd3wGcM|@R$fO`_yJ^HEh z)#&k<8r{b*g+HWwYvG)7KrV2Djo*zTOVhjpLqDP7%Jj((M{vjC#Fz7-HpJOGBk5iD zAxEf}CsQ{(m|eFhm$JKm-Gf>;@Tc{nR=3>z)@DMQjM+q~lVGLu8Z zNSFyE?r`K9UL7flfB$UQ*-%r)?b3DdK`(^{@`Du3{npEDEKL+Q;lMD_%^dlC)3PU4 zJvJUnJ$Z#qPOqjE0n12IfAZQB^;6toX)^W$Ciu&PX4`b_w_jq73XiKD5u;;$b);un z=Uet049dw!T^l05vEnJV(3JFt!OZ!Jx~yMcU#xoWp0u9+pa&=iU!QyfKeg$_+H@PY z`$|d#d8)V!A_+*H?w@H~ML2Or9ZA}QC7unMD-nh9>T9YkYqdN38^x-eg}fWkRpRWg zI6Vdl39nc2C-nUf^*CiOONH$3q-dn#uFk9FWg33kneiJ|sTVKr*3F+2&0FsD>f1p= z4?nQ=_aYNn=U<=!kKeFCKW?4e|GD?03NbgIUoFn3^d85)VDy2tw4kb}zzFLyR}k*Y ztN*wkg4i(f>W%v09xsHxZGJl((z!`LwWOakFng;!K%Jw(`;)=xqzLISZccovf9cSwqTD*i2k%)0OZBW z&&gh-KXha2&iJ#(emw2?VkdX=A?k%W$`s{~9S1)4iuj^e_tv{vsHHq7Xip;9ji0eB!`^XpH!k+QM?C$^)T+C7%z^e4_XrC*wtHVwM zBP6N|lCHmoJ5u(TvjKZVRIDz|RqW^EM%68fLM)q>Hihu#=nBET)7+mBpPCqVo&}A# zLKG@ojDUwAs5^YQC&94_=L@}j_W{tAhj@yg?$!Io$oC)vj&0uSVlz2lk{x^@Xw)n9 z6`<`(uK{!~Eu*-^S+ANF2gcF5D}BK6uwR$;u%u5lwYQH53o;A^S{CV#)afa8z6tIr z>8Dq(1l|ZR)%7=lXCuiX+a?&4F(d2m7w_kvxiz&`0IB<&N*S^Gxx@>cjr;id{!h2; zKYnAo=?C}})otV{>nmfJH}Hut-M8Xfsyj8l_6s5+-M4y^{=*Rq;)#i^Da84gux$jC zvW|kNa2pC>H)j|N9uvPWIYu5P>e5)wdQHz9KvDm5RpFoQey$TEh|g@10%Kb3AAvkY z(3RP!fpWvi$LT^q8ElIo*8|hbvR7i9n#XVj>e6F2>yL1IC?c-r6N_m43xXTXSX=mn zn_I2dJ)B)%a)fhH0W%GHtuC%~UW0L%sraO zjJWnWhdo{5i_HaUpkxSaQN^X^#&y-QVuFvo^Z#Al`mYm*|K(Jdxb;l#^I2#4%Vn;= z6NN(~PuEo1t-CATc=iysXU;X*f7iYTL2Hp$W^a$g99gOQU{F*gT%N6)Peh!(bN%W2 zpC?^-lb+V;10L1k@DGpwH}>8ENKXLUMTxhi z^vA=y4KK(3uEDihkVj3)<ktZfBv8vb5MQj>KqRm^+_{8ERRf17<` zDp7j~I3+2t+)U$DM5;D z8ided>&4eqz-T4;dwWJuT?S7ox5NM&h+7?#LAA}`B1AyKIGjgr(DhZ{1nG};IlMfJ z!ocn8rl{t#mOZak^{T)A<5$Jve6FROx+o{$cWKg|MQmKPV>uw)*6vG5XWQ@ZW4wsb zpA9YbOf!loQ-_()E0cVlMr*&H#`cEZdlJ4;^7@-`z9} zZyESDK>VZWF6Qm3j+Ug@Gu0Sv_kc$)V`IU-p{omxQT?U1!`x&`>7LD;b@vJaTPFp8 zc|PppJDasvoNp*}q@;Mn^y0!r4bG8EFPhN31gDsskT_(834|&j4%_sadF%k&WUrfl zdVuV5$IsvA+{yZ<9?NaqK;txz)|VDe5#$J)OR0x$!zW+U5Vd5m^$s zEG_T$6V46R^&c|8DubhTCx`6!Q|9yL?Dqpdw~@HDn@c+b#V_xDu`hZ0E7y2S)Sz{% zPus>vx*N@T$mOJ@7@y~jdaW!@ETlVcbO5j98$FBz$+^#%RZLv2=2blHb)(VbH~FQD z1JIcFfX%Tvniwnvb5G+kxJlKKe;sFHyZ~*>=DVHR9B}}cS`z!^`G&+vxXs&;a=noyV{`S`FAt0&vaDs)L0NzmW5(76Lzd-$3EvH_Ww74WHzH+s^zgh#(dC78~rWqXJ zs+4R4nD(=<2Qk$YoGO*9>H?B(IDpj13cw2d*F{7K2Bq308bZ8ww+~|!PTGHCE+mNr zyx}usBL}B`CohY@_Kin@iKgPWHDi2{Px`T-oEh9*OXuTKL-x}y#fDZbsj7W ziV>dxNt3gG*ZSAm?aK#}qq?KB#6$>~R(TW${V@$5ms84U`Rje#xR5o` zcL(objimacq9-ERMMz5!U8^{-+fCoxe>0N##1s<43OPR#GR$?C zvVMyPC#8Iw*X^2x+#a5CCIxi}2dm?0cvuGKZuaJ2Pn^ZN5iA$-w8v4ioRepEfbG|< zUUIBB;upx64kE~@{jS^mepiU5jq|~F(jOiczLMJ&|KGhh7Cs>3bVTy#%;?N7z|rHJ zoghdkE$)oy8??ESkCgbwM@rwg6DuIx66av4%F8AJ^41Tms>Up#B@37z22YB;jRDmX zBk{G%6LCy6WbiAMADi)Ytrw?$m+H_LW_pEy4y>RbQQV6i7%cn&b31Vu^OnEr_Zi5r z>w&HP!DAtlm#L{|C5%An_?#VUu5ci>@LiuP@>5A-=A=B4IXfhSZVbrJqByRol@>XP zjSE~p0Yy%5pw@fO&1w;l;urcYtQHR|9fB8X!exH`;op(*i&>&EM9Icz|K@4e5l8_$ zWdI8{Us}!&Yaw>roO^~;$68HSnl>=Upnb;uPL1|4h|09~bn$oh_^HXj?VWfKtBRSS zUA7L3L;>^BvI}4*R8F^4^K_hN-4~E{`NURw1k78!NHq=)`ff{)uBc>d^@?t7+v7pr z3Lf}%*e$J7Np)S|ji8wB&{U%%$=$uKDKJPBS9Cw;taBMs^v6(|!=^J8)j$r8w^+aa zebadK6mtgdyKo`jFV|qeU!O4Npg#I*cVkRt>9jXSY7=f@$A`zh`2h02Sh`46Qj)!l zoI9eO>ifh-Dcc8E9>Q7@_{Er&D?I2ywMS>Wt+N*6PjZ~%FT;6#ZH~>@PDf>;rPVHV z+S+XU*Rkfu3I{`Ei>jRZmEgntfaMWvn7VX*m-4rP(K4iCvbml|c7-X=L(3XuiKNuN zi!chQhzal#9}C=j?niHa%WO*^0)gTx9}cE&j zpU{;dVDh-Fvr6TeZ1&JQXq>hTolJiF{+*_*0_H1T-~>n7gKluT}9i1Uq5=}D?GlD-WNusJZV!-{9? zOtK`6KWZG^eZ>Z~Gj#>i>Nr!=Dy_ZwgiMYBn&MD8G}p@~s>d1U2mtznjx!4W=T%wc zG`JH`xCD{_bt$SUK)GC`-GiI293WA*lUAS~G4h6a?r-tk&pNIJTnPg{$}zyV6j;St zzyV|z#ykrP3lBE8z?rrS~q%NKD3xbb52g^Bi&*n{QZH3+}jANZV9 zN|2^`28^vkCNjM}P1IKa?cPlx-#<<%WpHmNE)S(Fkgsp-b){@1hGB@QTtmP|ViuW% zk<><_3f`BmUkz(7N#$jl93N#Yv-xuw;7MoIbs9{hF!nApWejVY}ayduB(pd;c$hWW=`nv zmQ@GAmLqyy11W#@VN`ny=!>qersB#&+1|UsM;TRVl`Uht@v{0hamFRVQMhOnqvx z24OyZA9%WtU6=!ZvHqsxxJ@16=rI$DR%38DJc4ooYcSEUTOZ5R@V63G4@ZxdY9`cf zd&}H><9%i|bJcG7f=283KbXKoQn=-+9-VfRY1gR!czvzt!5b z@3zkkqGtqJ)r*I*g?~oAyu!|OU^SbTI~ZY+kjNfC2=zjtQ}|dj`?Tcqbc3Tc^4^N{ z;G^IzZa}b{?JLCZ3Mvw}P`G`gX%VTJ^i$bbzShr4`rWZcY|#DFiG~lt&xaX5M!NC& z&>x>qR2g)?=`U{*`BA`y7YpYo@1Gq{&W*Ros!dj(JK)G6urtCv#8-+%HI0f+ubTC{ zI{ouHtng=88{^U5fEJma8C*nh-QTKSOrg8J0Jd9N~6 zSARZppR*#eEz8%D)L0g##?^)K=V=*mpPG_Sc}&AOeJ`q-ylujNwUI?68-0(1y24hY z9t+FYwQ=(0Ksu&K{z%()^+e~lK46Ug`L>QZ(j+D_Y2A$;TMRtmr2%WpyzA6t-$eCu zbU0yZ-5f5H-TL6+#+lUWl@aDS-!qSguMtiV73t}JwQRNO;! z8BZE#^xjIk-37yZ#4L*!Xl@&f6>>bPE^$=(2&H$KNy5L(QC74AO9^KcgEU4GaFEd* z;PEo{0eRhW=23>oV74RoxT$3nFZPK2QG06Y1AO(Ijk8B@cs1`BO_k)dXrtJC>Oc61 zf!$MtEQ?ZuLGt#Qg)yA{cTZ_2v{vimUE&@;Yf|?)7h7LDYXv<=W7k|LEe;)wO??!| z?a|%BbFK3YDR?jRO%vhCnW8Nug0r{6egfTG%cfNI9j1WSeqBh`;W!=p7iw(+R4eWN zA6@`zd%T_$)IyrriCVH7vT&gQ9T-N#OSyZoX^CH*8`cspl!Bu_8U$S}dFKHmDgxah z;8|0Y-6;o~$_g0A3D$5atZ?T1x#;u|y4E;q$>LGPToJ(H*P?GP+?E0js@>hPY0S6cR8{D;v|E)0?bOIu3IDMjV2as@JMrJ$gV*aK zKWS+uLegz=lwr-6niFQzxn}an4fy!KAQ-&Sr&ztAC~+K`a*(Riql(rgL&h_RV^gXU zvj`^rg;!i$sp|sK`4Wt)YW7=tNO25SJVL|51oqzs94 z4ZJAKv$b5X^Oy|yF0(p-cL{cMh(AH^Uq;8 z)td3%Jqs0KW3($fwvuplzL`083>w{V-0L@;EyeMpTerv43{z&iGGdbYJdBPsQp$Gb z;wVK@D!ym?io$TCV=sxi=rXSda(IkiuRiH|hffd3NCKs)|@>U_o z1{fit0~z|N7b;Z1sZ7hBVW{HM<`@FLLe3sgy%q>FP`is~bub%@1@MPE6-ZS?8~oej zQbqeZN)^bKQC`;=#*o;{*oeCrK`dKW!duyOdK;|>a3`g@Nj`c+u4-*&IV|?_mR(IC z%Db<_EydTTEhEP5|T?R2+HfU z3cM-jk0w9*f!ai_ev;cr1W@y(>^QhB+SkRiwljbn22A)PXj-yRErL2fO^ z)pebl=L5}~WSo5~RVuYgW&{g4Ek%H-VkhZSjf-kfy?Ci#jJ$$;PhOmrz`}Ff`Qh3w z1A;9w2~d5zpW$cL?)0dB&3?8u>h-<;8sAmqd~d3N!zKA#@44iW2APQZj%*V8QC)ow zYaHkgu?YI36;F9zfq78rdJ+9Hz-rWReRWe{4krc%eRx%&dGd4f<2Gfja9bBN6fL_I zUl^y;)A+;75*UH$D@hHg6Mf-%Lvhqir)Me66l}<8>GUD5I3Q=b*E;?gzm}H)x3!WS zUUi&5D&vsYir0k z)=4$6xx}IArkV^4`+8`IYPxfyQ2qX{@eAW%^Wdj?aOAMz1f9k51`)3?pE1Utu}N5y?g%GIp`t_f2_BHb0>=P#K-G99r|SSB_(r8`I2j{zvh`!v?R=lg{O;v`&=Fsn2EoTgaS8EO$$l%&lxmVnZn6Z$rdlRZExGtw5Ek)rK_!!I=_Oo{7m3}f-yW0 zrT9#B9tQ}e$N9A@IH}??iO}W*#dx%c`<#{2WX|;IeAZaCHp3Cvv@B2kSCQiooX%cm zGg=wwMzv8Np}iSncq3&%8L0*iB@*1aB`BrkXJ8^j4KXg{SS~|Ui8$lMOY-U+EnGYq z?7WbUT3lx0?Dw#nQlpPlXJKky@QfJCO#a79^T!%f71c5y@_i}=B*`5BsYSY3IJO2l zdSHI%IRwr}DJvj)AVsm>`Lb#(0H^b_4nrR(V-zk6V@k>pQy_2AS2m)@jeszSv-ZD#E<{Ff6vR3DlmPSMzs#i;quHP7qx2h>!fp&>mv`b^3gkMj0_x33>~;asoB%>qE+WwBG8^q@%4Be*#_y*Rq8QL%;p&>4o`w2 zNUoc`-0AHO1y8M^K@$D+6Fo3#(yyUc<}~7xj9Gu}2tvv8msSLU7XI+oYTV z%cgfy-!_N;dV0N6(*w7he^%Fu`iQC}&gsmxtenf8WF;X_^BBDynpopKnp+VlD0_Ya zz(*$=$l(~=;h z=hPZCkau`>DL1q4TQ5;GTunT6l}@8K<0h_A?CmVMfSsrIkB(jQx(^kV?I@W4mrl zyOvdW(h+4B6!Gih%NUqzRA+;AFAOvCcwS-WN}`5C7XSx zvX0V#9_L`z@NlcrNRrL+s%lQ$F+Qcg$#SJ~AR-c0w`D%wTu#j=M+Hjc1a#}}g-c;C zoyUAyUXi-{j<@rMO^*NQ-}WK)rz0|)y22xxInQsSr!t}w)D~#aYDaDhnT8S;=z+dm zh-53^DIc$n-((7`2TuxkleG55^EgQ9Xo*FZ>t|Vp_P4}cpN;0bBwG(jHus?fp|r637{(R8-a?sla{h-D&zE%C6`Qea{n0jD9ehvbhvZx1S#a!aXx4aixsAwuno*Bmo zx$9Q-n4<2_s1Wmkfq0k}Q(U(!2W6E8hjO*Z_dGM5+)!;^feYQP7QUwFP;)pc`4Hhw zJlLiRl!{eS9`puy!3FlVGi*;+w2o;@$lyZ?9#(f+&75}NFADDG>70Y+Hh=sKD?%q;bY9T3UO@n)f3d`?qluJ{E{*0GqErhuD^Zffg?K4ZTIN#qz1<_Q@ zMs=%C`y3;Yf=l|V3CBCz4v=AS(UP_bVEkg`=Rbo2zVlqY(9$N_<`xdU&X+(Th8tj+Gi#G z%PfGuc_*X|?5$Qd9crFN^R7@B3@;F8U|Y@9K>ic=;96Cni~h$nsw^@=^~eLn&s5R* zfs^elpFmnWuZdw>>^XKVB1R!e?JcT^9e!qhbzE%L_=t%c51qy-UQR8P z?#L^%92R;}ZqWL`DTg9++_UBlCWZxWS(^(?g0vp>a<_}xwG-HX(9IG#ahiH1D|e=} zsa%Q`7Ev7=X(jpcm#*k)XtTF&tfwx~y{ngEmR!!FSyoQ&KVW>lf5#xm?JAE$1$aVe)Hb7a-%q?~|JWLU<7+9|Jz zWZ4_aB2ie&T*^DU8rVLz8aZ4PwHneG2b4_BvJ0i_ygaaT1^G!zU7$gG+Zva#G=yYn zw^l%8G@>PvH~oP@?xJNkHs`Y@Wz!WvW$K1!pzVUJ?I2w)5<&!J0@p9+jO|BhfNhrj zg@&t^S#apDZ_XQo2R?B5Vlknwa&UUw-$JfuU#rqn3Y&;fv{FvQwaUrdKnZ*|lvMFc zRXbAutbDE7c)TbDJB3%ahQf_8v5;D(rP@LT0AL#!;&C#MPIp%^5w5B?H)9ku5-+;T zp~5!i`Auy$#xAl}-PvUKx`B&nRX(DMyNN$l(Y+;L*>_DT3U#gUTD30Gl5b1JmYv$b zDU>~a`n$V>&pv;xw){MCI54{V&G&zw{w+nT)WqX?EF6M2CVQ8~wnrUJ#>b^I*S^}1 zp^sE*YaTL^j%J6FhWo_QX1Ig8J8SuZyL32bDXkQPHZ-IRPzVJ1! zOj1Eon7EjoyCHiA$GSr1S??-JQr0izH%DL&4fM@t_of&{n4`o1xJC-Cd3 z57jL=Tg&xleu(-Kc=V$E=s%HLN}2GdHIq)e#Lk}3MfQ4c$CYWeIIYY<2>#58T$awZ z+VY4V@o?ggK}%}?Q7bnB+txvUPQ3Pzoq8r(-9UtcgoGj!oy7m_z<$BBjr|iJoMKf* zQ-vUrKi!9|jcQ{aQvJ|`*Ws>Ss( z{D{X6r;8AA$K%jrS|7WgW>WqchCeO!OOrvM$9lc7B1V$(o~7pWK7r336&q}I3u@B*);O9c)uYS$zdbr-nlRK@=CGOciE71mn7~D486S- zLuc)#@pJ1lI$jB>Vw`$?I|JVY13r{B$=eBZ4Xfd0ty8>Uf;!FKpo4J8 zRnD{D$O|q@-~QvF&Na7ODX^e!nGeBM|V?__8nW z>g3wr{Bm|l4)jMlMcaX4)UTswat0Xo2g$n-<4<(|SPUN}uh<=}?+#cM3}RZ6e7Sr+ zR%t^(A`)kOEaR5S)IF2jnc3g>MYiHF%(B$)g~h}hmrh?%8LGXNTLV-Lnl_ECD!*w@ z*Ng1ClQpTPY!6#|4mlD6#HeC{r)t@%$A;SCbM0e4+u{ctnORh}d8>3>nXz#Jj6U1K zvmZTixZI?kn`kCRexDz!aW417S?WG-tXfJj;IpHBgR(n4WogzaIZ*@pj|~|@24|2bJRT@*RrvucusD4OSGat=70jNkfM(AeD?FyGo%Mw%g1yyGFb02+Dj}aw($AcpF(c&A?j5p%=6Fy zUxch9vek^BdnjkvKIuklc6phjVMD)^&;yIAJw2z>umasKi8n@$Y>$>J|inTNf0;hMo{w(hk` z3_r0Tr9Uj`M))`T8L{5RWW|71rGv{u)%8~bSLjP8YLQ87=;+JaHPIhy^~I((*-M?j z-a3GZnly|qyK}H%SE&gq=O5qZ>5ik;t?%v^v_|y2bcL5ib(f{Z;}qNHPb)0^t(HIN z9Wt`w1kuf)X?8ov@4O$Rh)#a(dd9(5(nsB!)y=Q}dzjAu-wo3%ciOD5Rec5rj|R{b zz0My?FRiFWvK05BXJlQ+?zdCK%D0u0=D{eKot;URp){)r`7*WVa^%FZCNCva`XSb# zUEc zPM<>i1FanIs` zrti8|MY~RNLe0qZU>Ju!HKVxA(`F;Rbi9y%pgNBO3sZDGh+4mIHKt!9sFkU;hg4-J zy|olugo(KDYgR}9S?)dNslyc;;nF3K8)cH8B70`@NWCRK)Q86mg8IOP8>ft}m$=>d zJAQup@A&z@c~J-g?#5lQQONIgT!|c=T#;*qyN##Z^aQzK+z4~AkI9o~a`b(dYwO!B z?E?$!Aanx%u(D!C=H3Wkj%~iGFi4=DJu_gP$j&f0y*`JtH_tk!tG}?Wk+ME!mpp?J zJ>=ddcIV7yE1S*^GAp3T%M1h2zCd}?g+n6p z>secAx7PYW11af9(|=|T!5s(PnH3t}Dw*)NUD z%~*phimS1S{<_Krr;m={pBzA`^~{DSFTmgvs~-DSOYhw%Av)X&*cbuNi= zZY~xd4}1sngt^09Cx-U?+YaF9rok2ZW=fx$fTz*YxN1j$2TDm9*OZhdW;C+HoGFD2%G-mn;@&0+iZ-;E{vCNndH$ zf{-3BT;H=MYgV6Z*U>Pd^q8&PAW*0<(?qpQVABJ5dV38MgjBt%sLQXz22sNzW~$Zl z(4^Wzpb#_u?M3c>ZlogaotT{nVh(i#_M}8-`5uqQMo)=9m72b;r_~*QIfSF*gMX=H zj^{b*>4Uk&v_S+!Rj*l=&iD&j|mTQoevzpv}z@}}t zv*1vcheMj3Rm6PGmKdZ7L(PO$9lNbO-1lxb`gQwKhqjJMcXk%2D8u>>X7YW+Y~B}K zk`)5)uA7_Wo?DvI=9etmk28{1gZy_CDGv8t7i+pl@=ucFy@~gDD7smI<#NONKS#1h zyG}2iRwv4KBroE8acP^w5&`bHR}VbQ%}%Qkhg(oC3F|ofS|7RNoRwJK^?{A`S1mZF z#Xn7EGNxa^7ne?mB(SmJ&zL(<0WkYdaeDSFx7=x}P~6l8=;+PN>kPsEWXt^9q4(6t z@h5!jf#fpDhb3erPME7y?2lBSN0qUlTXgU$RsyQ{1)PrzB|-{EzOpfAy&OVrQ0%NO z4`UtYUh?jdMbGyw(fVi4pCe<#VF{e8^gOVj^EyOrLSR_xTdGE4W!e`IHI6C@WP#L$ z-8P&fZTSQLOkN75*os{*_wK{1xDd<{pXG!s%xl%CXCQYI#HW3{OcsywwD2jrUg$E{ ziNHl`9F+3VD6H$5aXTw7?W_el!YyW509`y(kw{VNhz-AF$OKq!e=2dvs9YtLn`1B* zs-h6z{LJ>h0@wWE80B!l%Fz)&|Iz6>pmqw=|L0jip?o3!izg)G32IvHbM{FSyhoox z`BbeAcotk63WQ1YuR<^zR5o@(EN0iVf>q8#e({G;f3Xd}oZn>*^eYJi)f;+Qfuo7{ z&K0LHLrm%snBd&|R)@z!1|F&bvbhgAfw8U1c1y9J+N|M2&VXB^By!B#Lapl-d%I=j z8Qj$Nl&4NxsT-+Bn&zDrDWmw~%$J1M}tfwfE`JvW_l& zu8HFOfYnlGWB5gFlis}5hNZJJ_<&UavO|CQm+(t%l&5;htc%*@GELvOllC*A{TA^%u11lK1n2!Zs3nyO0N(#?(fwMzy=)ncvgk_^ngi z*C?s#by1%3xSYSx4%Ay*emxf0Q0~J%%G=+sJSz4X8;Q5B0eTqMU6g?Y=}Z&oYgq?$k!4r8|m({SB9@zO0e*D#)8ZKGv3$9k+EVVl54@=|L@faurI&L)foU|Sw zd7|j9tZt5rs9UGa*%zC&Pj;q28d%jWtbNY97F(kx9j`tIvR){&Y3H;x^|r+EnBV{0 zg!tY?-|22iOD{nWvYtJVZKfiQ>-`0zL5ODXzg@L^QxUBkK5qnqegw+g=AI6*KxL)kln{F z!6q;!QJ;;dnxxN~m#XD2Kat z$8@*qI3B1W!!SgMnv70IWF&n8N^5QAxxd?~K~uHFOsqn{QL4fOnK2QEV$o#>jswqW zb*ggkLoT3t5_dAr*b=|c2MtEtc~ze3b=^a7$Am#C&${ljE&eT zm$nR12=M77^7~cNW{>An1>Cfq#E+4pN9O-E#>*m4 zBMH6`Qc9>7_*4cCk@I(yA73noO7Zp(+tKUBT2@1-IJ3aMuL5_gGe>>4TS5%tC~ zQGTr*+D(08ZZsjyBU&?7=p-}O3dn^?{To=+t$}Fg^zA~;o(FA(qdXS1_lH?fz*}S#esu8Ej-HuEgB7L&&QL@BL|Y-#)4;@=f9Hp z9e$I1nF7?_Ol0!J7*!_^uoqsX!&L+_yfdwGe5}tk>!xyZCQ>nE8J{7BJ}+;P zIz4*jn>8Y1s#*tk8Xfhs_)7Mj^Y`EhZ&=HHtOVeW1N|e%xA}>iCgI7mk~p=7wT=g% z1kBb}hFrI6TBM1|3n`h+7fI7{JglgOAt9e*E$5yNWou^aza}mExy*GzW9q(n(_2ZL zhoT9@`?MiTpx)48!>d*p4rI;UVvy`%fC`Ol0G@czzZ(3l=T$bVmPfW$Rl2u^`(R`Q z2Vf44NE2JXi{4gCRP|MJw;Q?@hstHz!2H|f9f=WUbC^Id2|Zhlw~jDP&du^M!j-Wf zzIyd9^#Z8@!J#$z(T`RJm6QQ~Gw-cD8wM~KG;ovLP<`AnAMTr1;~Fu(kXsm;uhpa~ zAC{O48Q$+w|I7^s&=p2?BEttNodQ*T$6?AUCu=6=O`a=Vro<{nU*wl%eQvmN&9>dt zN9>~$9H>`ArJ$CAULka{uuk(fj2nyHf-7k!cfhZ{^Uzi11UTu7l0Th4kcxJjOE zE^%7AP4^UMc;sqbS!-Ff;dmIYKh0wwew${q*{9)J$UKl$>x5hqB|xpDZ}7RS!+~=1 za;@e!{o~oSC9+x)YiEebDCJ<}_tzpfJAC{rH*e*b8x}!W@4>CVL{-(!**Xj}U4Dpk zHdC?=-hBBYN*0NX0!^CE?H-yw<(fjGEoJ`x_m-a7{uJRxJN;=xCz(9n7@P@;JV3b- zS5}AjXs8Dkh3u~t3VY^t&`K6m@PwC4-K@RtHq^hFrujOcVQ{{mG15MJ)q}%}COh(y zlwdk=diEV$UZXYvaB5BMA+%S@2h7NIPkP5?w9ACoROGnJzuS;zU36#G)k`AL8(TXN zy(`5!0?e0u;&G~pH5-v7z&~ohGmgqI{`4+qg7l(U@>^;g5{xi(aQ+u=li$Cq7J`q zRI8<18V{1r-1dl3--oXkWtR>r*g`=4CHZ<+)sfmYQ>MJven#%8QVp_kgba=~qGT=k zRMyne=@T$q_*I}~m`_GBx};+%*;%!*53xd?Rh(P+A*|9BJ%=iCGds5m3Hcs-G;NX> zi~8)yO!{=s^dlG49j!B#mFm9lz;&9e-sW&Zl!YRw_W*ezu`n)X8QGT3opC|yES@^* z234sIam?T*l-`Zl-a=M>*26z=7f|(kL~kCOo`bI0_}EH^U#WGU;YoO|OGn$C|A{Nx ze{IRO)c@o?ur2v^`W8N}Wvk)DD!KfpkJ|vY8$7d@{HWpy$mEL-kT=>SyMsN9$j-nz zHTgS0%A&T*glpPpw}oVjPrG%rQFWQ-MF;Vle#+j(1o4=D1Hz>7U6rG^L$p|5zn^rPAn?M(DB77 zlQ)Qtz(6e#L}K%0;Q7=LNgo*+7Fl687n#tnLu4x_cM=U}Hp@CFPFF7lAZUDOJb*f> zi-U7jO#mW-e1@-P>n7<;QsN2^&7VqaYG)1-1GFU2pC@n?@yKH|Wr}i2Ie@lbJNdzo z&T^o86v{&A8feuhPYsGdlX}D?l{}=HaxAJqjztYY5#H<*DeWrf8KO#|$Z3VsFg$4C z`T=JJ7Psv(Mr%mvL#{l7_(N=OpVEUGehnO9VC>aZtX!O{WLV-36gA{3BN?k0G}$sR zk-{3D2eq_99xcJU$7K9t;h|IF zyNcU2?E?2@$Kx?vNn{rz<*hObA|rbsoL5S++mpdDtZHI}TJ&kW(6RGIZ=yeuW}04R z;=4S~^dYf-^MRxp)N?ovEvKV$v*IzLEtO~y`L`9HF%tH;qqjibMZNjqO_!0=gWJ<9 zC$_K01@#{w|I*XvRikTi@S<*VeI`gP^f7P7R2oAG7jnVfkrS zB1I=00^9wS@;{YbaUlUQ-*c2N?YnI)uIzRHK}pG&pS4h6Q^$tC`y?>PS8MuB>j4V} zz!HY3+St~izTZm~0kSVIUuCI6q$=j`2;&iFxfIJW+1N~tk5sfn`7`pN*R7VAIYjl6 zKZm>#PxuI&o~dnB#}Fxz4u(WuojE6^F^r(eH2;J|;=4n1GZinE4sYX^(&Y^C9FGrd zfPFUncD;x3#c$NCTPw|&XefrZQHp<9h!m(?q^`!Xp^0-+y|eG%xqnz7eH3HjpiM=( z%HA1)nF;+91x`emBwk8fiH1%XqgFs0P`gA}VgZ72tES{C1ENRY?2Z;$C6PQ45h*QUItDo_f#9f1nzrE1*BU2jVbRo+EaiI zVo=fE%lmujO6WX?b*pHOqd|u4&)hd%#S| z=Kf^V@$T@ajdrlfOAFq^ zj2tT|es@1|uI->Nau=5DrB(Caum1Z^e2N0e6VV*wQX;>Y9N}xaGAIG5_r$&6rc%&SmVpdJ)XAHqaOZ`Oc5g-<2ChEt9AW?wHKR+Bz&Rep!y`N>FKsnCc-@NT zl|1HA^jHMTdgR1^jmPwOIc*&7Gg`V`iwvjft8GJ=pe?DzRiU%9aMc1FZ2}Kkp`NPT zqAO$O=Op?2G-IdfIZ#v*EH>P6H`R*r~d>;1kq`omvB>~ zQ8>|f8^R(%rXEI|M)z~=Hofe^>td`+{WQ2FHPkd+o-QwIS`3JNH3H?5@!*wlhwl#d z8N`59kEt{RUrEEUF}AJEv{}0i|5;{{>M{_o3~Czx*2-->TfWwWB#plz67Ez&nkwfY zoZ4g>Y(+$s5!4slkagFsK7BfaydZ4Q{6Bne2~EaE#;Q=Oqw#4v=?!SScqt4&hH7|wx}V!Ym$Q>K;sgt<0mB-t5TDDgBZfUTXDI(wki zeplF(Au{c|Kw)3y#bnXmMceqh`~1{s>K&~5Je8f z+QoJ|A{qourm^8Y;l?rTP`luIbNr(b(e;NC#KV1KkClIU4`ZgayRG*tsGyFk%AempHeds0y5d7``Peh z-j_oA^ls2K5jOt_WMLE;b(CXQrxvW=F2TBoe@}58+*j_TOfr`Chg{l@$}yps9YHTQ zQ@QUfVO)yPw(F%X3g&Pw#kf{AX0{yywTN@0?%AFi0$KEXRxPhQgyXVm)(;IC^*!9$ z9Fl@&pSxSMgh~s_Q5S5s=s&p4>V3*L-6++XrbE5W)w=Ga>@T)A&JQQ@XPnEHKR4i* zNDPK6FQjI>steGdz6;kG3ZfB8z15LwNvf!(LddVgOHz{NWxv`v`*-fSf8Be| z^E~JNb?<$?-_MG9+V~@?ch+OBwzD`9&?E=Vb3Dgn{69ELKIcOb>J7Ztc%3F^`}5i> zMQu3JN#ZCm8s!O(WY{4W%glCyLM4qRP5=7z=cZ9amq~6Wwtt5~QVDk$;4L@jEa9&q z>^&F&=wh9TF#!n^`Ib;^&Z$?3azu3vd+nNGnWO5mqK|@qZmJqWCyy4L$FW$YvD$~r zK{#;{DChM5$qtl1!5Sc5#9xf}@}jg^hF9 zSD2<50b?b@oeIVaPb73Ma%HF#wrt0~g{6;%jS25l*E5ssRWAouoPu-o0UUtWw{YBg z0>8g^B{1#bMPWnwO^*1V=ydOK@P zT+_q49g<~dJ{?yXnab(l6C1>F;7|K-?K9Xda!Ii=GEU+s1Q-ei!rt{Fk`tvvdytm{ z#uBZ))>Cv4x95l4h<{yp`=@)D4=W;OD4LbfB)pms$F2<_oq`QKyieaNcd-#yz!8We zuy3C_w6*BELQ2$M)nQU8T^LnM5}&11R>CyN9sA2KwVURxo)(CUm;BnSBtBX(p-c4^ z-z_c!>TT7vnEPdBK4C~>b-%nk3OCfELAON*^I%mnam1zeAgH=_8bGe!jie}rDwKFT zFfPvJIE%ymzmjr+2BgRBo*2iG>c5owO zpaUq~jpodat`i6QkB180TH!jzrUzBTXS&^90#VWgA+8^#11mS1jjIM5P&}6~VaJio z__kpy21jFoS1;$3{z5CNCy&E>GwTGUfU5evE0NqV%LPVh91Wk90vj9)Fhph(q8eFQ z@f$Cbm~eZH%1N{;F>xB$2MgEzjW1M(f;b)UIB-gB#FKdOJzI>5Z;FMWZ|1W@8uMQ5g&a!%s4bU)MDWi_8OzA+s@I7)1 z-(>fk+*RSnlBVjYl&#Uy2RnVsqlvKwUAOjV=*j%8-HjkjBLlk|HjI7M<2C2K@TED` z9iCqdTow;h0um>2DO8*tO65RR5}PeO`XfSK zXkau(a83jkr4Chb)KXiE@(#8@w!gCLa^XAecYBg|Q6(McCM$gJWHw4g?ip3q*{zLp z+&SdQeSX`v868IY`~FN(7`QRL{hxj0yHjhZiE_Cq=beXAZ4O^Irko!)FJM626fc2C zIZIOjOMqe;)(eTAZi%ml>G(>g^rw8%lp4^gbfrGCMNQA(89Pjl@i_te2M#==U32L-nFVIFETjVFw z&-r0Qg*A$_IBIz7-Da7UsOnIk;Xr*KA|g>6#||`<2rTnVmEOU_>vavYHxotCq}FW1 z%uo|c<}HYQm8E-7VKgGJ<=Fxm9NFYOoIZALl!aepWf0q^+pP}Svt3N qG|yL58G6tmOo#{Ve`dDFGPI!NNAvIVj}&YJ2l8l;Kl=yl)qem^R$@y4 literal 0 HcmV?d00001 diff --git a/.devcontainer/images/stats-endpoints.png b/.devcontainer/images/stats-endpoints.png new file mode 100644 index 0000000000000000000000000000000000000000..5200ddcdd6bf238e3983f78429824b22aaba05ee GIT binary patch literal 1033208 zcmeFZWmuchwk`@3D^h3+1xk?$?iNb%wv-lkcSvw|m(+pM;t;G*g1ftvVhK<*xR&59 z0Yc!UYwvy6J^Su;Hk|YCKIcdBd?d{8%NTR$JI0uw)KuijN$!*2;NXzIdHqrY2ZzKA z`?^C+i2Y=-X!fFygpNJ2hClcbMbu24H<1!0Sia!od zi0F9e%k03iNGeAhe%lMyt=BGpg5S>ik;3A!a)&j`1&hl5oCRyIrCVK(TiP?&kNKu| z8m`a0e_c*|x#Xc+D_?t{^zseIoy*cs0j~#wR1NR2TdOZNezm=~pJSIiPn8t>NBH1} ziR&=8GR2CLQ2GV~dsK`RpG|Vi+h#W=b5=HsWCD%!UE6r>n=vcO(LQB4NnA;Jvhnvg zYI2C5?w?F>+#VcGVTnj)E8*dhaOvz)bV}%M|6_goq87|;@yMOS$HgQ zurE`s&=Kj&&7{O3T3^S2(3*h=)gRNQDQg@9EGiUnXwo6fA1_;-+5l(Peb@d?@;DTK z96jZ;J{jULT$)`$0+aTbF3NM=-A6UO z@dG8MGs1B=2xpqKtE-FN+97BeCq;q`NBxhxHReq@)FHCM2#n;23pT{u@A=<^oWyXIQqE|}1D?`$abElN75N|`4x0`6HjaLotR>;qcI}eC* zWF(&w@q+E=Sy%BT=WnkP+?W@kC1h%&#g~2hkxcy|`D+@%F!)3Ij|6qHQfib`gukBO zR1X7!uX=5Z_qwG7Mehq)xrZi+ll_zuV=^}{)m1^*UbC5;Gs!%sf;K5{{fpA_^n z)CIqhQssR@`-ID_Mrz*ouz5=th5)+eo2b^NU3(vV0yPr$X9^U+P>b)4Y7cXtYTZ!? zGXVF#p#I*gCX&ml#kCH|rxAI37SWlRXG1uNw-t6QFQ4hVn!PHr%CmaMgQfn~OjvW| z_6v%v7Rzp0o(Qo{x}R+wX3+vL{<_3RN@7TEBqx+eDCG3xFN-xj*0I|gQIWr(7P=NS zW+-#}vV>CO@t{rOTOWp7la`EJA3o*fy_*m|1r~qb@NuJ)d|qmSdbi$(zL8Jr7GJw_ zE6qaGBHw(&9^bAdK1tihc_re9yEnOrr-rm(QE=CGLd0D|xB&)!+QyGw$gKBJO~(RvMf!lxne=GCM^KC|&7N#-WDn4V56 z3bzMhF^zFXa?Q_!6fS&5^28pDq0I zp;`oo2^BApJUe#ib)7t&I+W9p>jS$ryR*7f{xtMlgCNJEa51Z0w?|#9&`mBo{d4Ah zwWeH&^;he+*R|Ji$Q3Pzo>poZNNqhW0s{*3GwpKjXV)85X&p7%@iEAWLfu!_4jm6Q z4;v2o>?Z9TL_#M)Rrjl$s??A4*BRIGjwFr@ju?;l?vs%-MG8kU+&{XnDm<7BN(@v;Nj>@2n=Nt$$0Iym31qz!D9p)TDPbEH|AF`}3LO}U8kx&5Ex7Cm zv1t{2Eyylx1E2+rh>!t{fO?K6zdxFF2r39nI*!;0+rfpu0A{U>oX?~4`v34(B#pwm zSgr1Q$7HhtS-q9Ypxnd4!-3FLP-#+={%8HX2_E%CM zocjy7finKAe(U8%X`owaG9n`U9kL*a0h=@%lR#qPg}0kzzIS@bjPIYp0yfWopJpGVf6)I>L}E{#^PcaP z^!*Egb|DMHj;z-)ul23mV>Pq_w6sTTD!n~qJ)GewiK7CdmLit#%E(=7YjbP&Yrhdl zk$UmaeyoWah-_*2TIX`wUM-g#K17phT3DIbaN>c-`taF;O}nlWaZQAHboZNS$W!>i z;uf+A>Ay>Q3dYlw4V{;Zw%3pyf>|N{r1pS0wmIZDUOeYB|Fr9vAG{tqGFbVw@^j_h z;p*WeS-`93ud-gt#j@JzXI5C9M)Q`{J=L9V81Y>z&i)xK^QMj}nl~0;HT1PD*BJB& zEjyO59Iu^xWUD_?J`9UX2#>ER;WsSv{T1#ox0$Y+sk^TOC>b)W3eujlJ6?ZbpCR(e zJ{fVpuuosSwBOly*>CZz@~FkBbW*K!;b-S+q_Wtg*oNC#@GkoMGhG4QXn*Gz81#m8 zW-!&oc-e&4L0aG3!HKWve$jsTev8wBW8GfNk?Jq$NN45A$+AB4sf(@gt;{WN@7kSQ zZZ+O+-qks}#){&v>WR81=7>dOM>#J!BCosNFfY_SB5Ki1f$56C0Yr3cbehJ%&}5T= zzvvFbOxGNuY0fgZ4|nUvDN*wSD#pg(?j1GbBv<`G^Ua0Ap94`Z8Ei30NAB8nAm51lB)F77o|0y zha4^(7O{@#-;`98gy<5D7Uj|xtLE)Eeso;5BeQXEah*AR$aqHR3xeAl=&(U9oE&b>@pH z2~N1U@MK;QJM|qTouSd@b2Le#KV;YpsG1*bwcpz)`#voldpVBo{L_~tEqUR<^o5Sm zhs#&|!U^UdiK1rOloF15`$YnixaaC1yc5%z(>qW&P-L3f(nxD~OpU5KfvnX)cS7fw zqO2pL!t3sA|6vb#PNkxNH*ZXU^G6RSH?{k`)XXj|jml=7$t=1xcrh=@U*iEzu5A1# z^^Z-rLWUV}Xdf#ytc=5ny(Y%N{a}lOkG;ahzV2gRI5>D2 zc>nPUiCM;t|L6M7-!JP??1DHrGB|Hu%4+%GZq5(|P>oJ@?ZrGNDg$fa6a1R>=hG|8 z%FHzJM`fConCyq{>#f`D4@n;)b=L(8SCpE5r(L-rrTK z*$+=S?RWTu{^Ls$bY|(A*_hc{J62iS>S0jVEzIMk=<^Z>7oSq*I&Z`zRQIT;&JN_f zqUROU!8fnDT!uL>geg$pEXM3kK+?#^cf`ygIC$51lX=}rXvW$|z*WsF%#*AW|A^wq zg7CUD$h6Y1b62u-Yx@N(FP~c_UMR3$j|qP{mQO;Z^W+X_v|0}O^-qGfr(W2#2*LjI zliTdv?5`86i#|3hS^Ru-eNM`l!=ME3cVRyO+}Ga7XcDR#C-qnl0@B-9YS`3FOw4;Z z??4+R%s0WPn9{pmLr?CUCA_}|P27ffzm&tNB;;iL;i8_CP*nmlA7oYnZF|Ndj0A`+?IR;$>}7n&JE#4 z9Na|mU~*bqyd&1q+{$Tg_Jy3xO_!^%8iXgs}%qurx!z}2^w zQXUtNf5}Ii_AZ_nrCRG!Safn6gKjkpsT}UG3pBs=N~4YxxTwY9QEs7=%>VA{ih0VR zrsgy}Onnat=;oB>pcTQ3l$X(GTj6Cd8obG|TP|0TdEXJT_NuB6p0wt=`r+z#CLW2y zq2u3Bh{rto9fEf`J`WS5f19MN`Dst5@3Xy;odm=(uO#f{3LobIW5rDT#nqV+BJ+Zj zN^9Jpm4JYNT=LeJC>%VoJGpPXdZ5)KJ_X2MV)tde8j?&kK=-DG{s><~^qAA}Np3d7 zb6~&pZolTsD2!$ahYfpwF4XSXdr#6lqUPZc8G0R~_a{ciT#7ut>`{n}U+6m#;%0}z z!UZss2w@oiu&LqLqbqwinMQmP$D8{;ksk+{Lu4ZH6&#OYL*?-F0Zwto5A%xN<@duo zU%t48rP-Iw_+1@9%Vzl!C)5sK;a;5faF&~=y1Fblo}uKy8y|(`ZV|x!t7{uGr8jOS z-%`*!S|&U?;@GLp1mH2-@L0aSE7W+S$uy-)XNUFy<<<4cf{SvFy>L8QfFFO6O-;if zZ7(BPlqX+1zNaUK4YHCRJR5Lvx-uIj?$Y&zp{d8QdZP1iduD32j8&PAU!*hoS5msB z@|U02(6A60M|_ey)uSMyqq?o4npwNaDtqg*<1NGV4}B2Jz@t%JC=eD8YC0N&K?D%X zGC9f+Q0Es0`{^vG=Vk6%ne{;0tf~i@|4vg)%W9wK++og=gn++EUeBLABRxH{$!a@| zEKT*+~=gh@>}{HtAvqipp|wvyBpR9|o>ttldHzdqVQ&VGBP$ zpcBB%O6lzotd;xmCg%Jd%#RWoqbg;4c-N7nQ_Ed8X+28@9?+bAFG1UiDj@Gb2h@{X zDHVA3w%nKy^<730!!9E9B&v_AecO+M-v+h91$H>!SqY@1qgXXto<&F z@jcJ87MkHc#waM~P_NQ9v z=$Xq^=+smxuZYx-la(b&t12kcKm@Xy0h-WrTLlFLxLtvFDSFLmvc|NJii*mL1%1$Q z6Pb|CHjc>217*kQ3fPaA9qM^w3XcW6`yU+qq?nt;CsStX4u;QP@Hxs?n zaybhzx(DW`*2_b)4Ew*tP`}NapM^Np_Y8bp<33m@8zD3U4N;Mf6}~ZNHO5G_F)P%l zwZ#{A_>{tHVG(&Din^IbQ?+a6Ki~U?COb)wO4=2Y($LWx85j@15tkU0DF_LtgT9GL z2IBUezdo9(Xl!g3=VS0Z-kkUj&M~A}uO;gXKyB#>omA8JH3nbgxs53&3yZ9buZCSV?Pt;*A1*-~8zt&{Nn0PdEC5YPo#W!Z5dsxm1f zlfge1#wR*y^O#SK*X0)M+^RsQ$N?%0d{)3MSPWpDZV*e^_3A$JAwFOag}!1_x61hCZOfRjVYqJy}k z(ue;+VC`6F_jCB>nJWkCU?PVJLSNj(X}g;Z(8yS8<>CdHp3hlxpcZr@7{n))lgRig8iuohVcMdvv+B$x)wiogGIFdQYVg-AWRnrO1J&h7qu20dA-uF9~UI8TKv%CEF7f-Wg&>$pZo4Ti}@1-nhXic zk(x64l5A7l-|SebUwSD+!uU#BkP5*E#r9r8{yS4JQsMK1s2-D$#oZbc)L8KDg*YgX zKBV^N7jZOZ=4}|?CHg#gx^Sx^e8TBNsuH5uexe*XmxOZoy)3GDgN~_o$El+26(mtx zM}Kr@hc!0T?{{3n2_2hmHLz>oDcUH@)mDOHHn=9~5H?`)bp^{|0SbxzAGWiNbyL&+ zBVseY=)Q~cCe+LveMPyh3a#{Plukj&y%jgj+q-KBcP;%BZ?Ox9he>0bQFGR>9M z^}-d;FTBI65p==UO@UDQ+=%lqf`g`Q78a2fc|l1=%oRiZn^rX6w4*@yrl6>;Fn%y@ z0!)EbDektna%g?82OZpHZA^}d`fJ{1VsS|r|3O}ywpBc){BNvDJ#qgJ9U$&DBFcU( zj8EIbNV+E(Pe9vmT15BDbe}FNSHON#7~k#TZU*^#4@V3+Kv>t*yJEt2Wu`IYCD31D z;m0tXBPVsaK2e^jet=Lu{_G$*QOMeh{bYYvN**FKAU5DoKXDIqO0B~`KD{*7$EOpfPLn9XaU%Rv=z-1+AoAh;vIj*aD_)EZtAF5lK!nh~pZ1k$uJBXV1!P1|JEX zqUIWZZ5-+$IwW6sd7Q%^UoEUT;-Q4$D24Ia2hnqf%O;XEYY{3TVowDj$Z}x)X5xgy z)bBtTOo+6VyZ_ON#)`1duG!^CY>%KeQZZpv&>(+$Zd|3-A<-%63^ZKM;158nAaq%N zbVXcD1{|*u3k97&g%~@_)^BT%#U&&_=7Q0q0jIxKOaLA4^g&K3V(#zhj*fI^s}ENA zdNy^JnXB|NTHBqQ>6S3u)uG-Km12O$*$Sb-&lVpaV7%v&^(#Q2iaPc8?K{nw&VZxk z%Otwsoc_6(%p(d`WqT{MQVP)HpT2hS?AyXgTuY;PR>Glqakx!UCkHkI z6LE8J>>by2OVvX+kY8f98GHUnOiTG*5j%*!*-?xy)|Sx2tLX(ZqJ&nv0lQ}``NctA z{*lf*X2*)a3iy++ZaYn=FFQAZ0_9|P&5{>0;g&^UeNJkhJRJCXav1kfOnx3!9V|aD zLs>b8WIba0g{7&H!EIwB>jS31-L$%$*@i}(pR2OB)>AhT}h~=(g*(S*l9zCHfvN z5JiNsgO&BkDWn%|+&jL>6VafDN$&Xvto}qU5WOGADR=q3eBZb}xw(tc*^gg_MM?Y3K`>SwACMU@Zn+nnYpfcSE{{!} z!Lsg>v`;%66v6#>8kdWrYXmjxp{=qBj^#j@jtQZ14ev>=;C!lhiFr^(TcZ=b?tP=s z_r3LbW?e^!Id))YuSk9I+K!+xolBgMH;+CJ62>RxY~s5{&@xi9QLvXDu%2XctXiYA z;y;jDQ?I|HF5Ab3*C2KA-~`-FZG;h?|_NV_-TyaJX)R1acf z)toe+6yMEH=Fk}Olkn=Em|)bHJXpcFMb!bI1e6QdPohyukZDafyxc6!fgd4mc~pFt zPen7-%xwbcn^u}XD7)@O*FZfcNULrTG!RbBcu(6=@#l@9YVX2>nmC1?=X=!Jry^Dt zS!1NUOtK1EjAWyMK;T6p5?)MpyfH0?35snS5&?#jRWsc{$b{Cd6|X$oDBdA3v-1b? zc;Y4&8B_sYFw)+ib{tyE(}bSD5X32v7MHaSQA>G$O%fGylNYI%eWFH=VYta{j?~0{ zU0b3PA(zfgg4?t8-BmY_RRKjx2{%e=J3tLaDGpT$O^5Xbe4;t&qXS&@JI^>ygpEmO zAB#MT@({Pa8otJTfLC_2^~s4K3bj~H`Ie4ba<;;HVES=qK-4F)$NUu^TMo-L>xcWF zC<5!@2~N^}WXGEEeM*A%b`1`l#TO!uBvNRUe$E+$Yh%G{YRBwvdJvDtWP4$)sLs`p zsbFpD5hU$C#eh1K^>xZxNe}F#XdXG(p)^eMLo;~q^=}U1WNWmM@Th` z2fP7v1|HAMZO*#$RlG{z1&}W7fOZ{4=?Hu{YxnQd|M9(iv5+AZM=Oo_6MRZ1Su+(R zUx8-y_qC+8hUoce}Y zK|1HV5vhg)6_l&L*O$K*-_T|1kl|3;SH04*&#BmN{f=69Ussv-GDaQHr_~3n9XVSY zhQ6y;hG4B#o|p)cdJ}^xn3hluM&jLkO--<3|3pKgxht7Z*j~011-B6?lwD*&prLOD$>`+0v+9ZKXv)x zrtLHdP1oYUi|vb-k2ZdP&zdv6_Y73Y!R%b*G}G5{bE!$2-l@?xS20JXy4O`2V}`^W zMA^q;HOlFUEC}*tTGly@T^(#%LvsD{7Ah) z8hp0rFZ3s^?IK!eGjL5%{){w1rFMTQdB!D+h3=JcdJ*=Z9Gc)O5R312j#gAefNkRJDWxzW7A+4Z#+X~Pd(XH{aik5(Uo~W&IRZhbn z_J&SPk?PELChXo%#|9~?p6G|IK3yJ=ZoD&A?BJuW{w=*p9av**Z(D*| zvpzn!K_5qOfW_bv`)Z~qJ*xEq%SX!z>5#hP2ViA1Y4!Y(lGc;3f_x?G`!)>IE}wa{ zgNk_Ab|xP-p?z4kW&#ce<7g325k>|6HdTUZ*fhQ0&}(#=#uv47EWVi{2)40VdH`QN z2M4iW)9^|A7wPhmgnh5Bgo#kvhZ0h>deCuZ(ecgf>urqwoOjb^odz~~yqL8J=TS=F zHJ)~umEsKXo~*Q;Jvq{w3Yo=1r1U_b_Hgt2TMX;UT}Mm=uE0Af*}KI`LT@-Vv+-Cq z9_f{{qLrAE;~`vk;lFF4Jf!Ap4RhV=^ELptxwbEo--gM0Z=(NyIz4I3xt`5Im5=7+Uv1mTP$ zhbscqpR&g4*t1LCw=Ibh+_@DDGxQoTuA#?xV1p6|du)_q=4nq)tZ!sgT07MZ=a& zzoqO2v&iB&S)}|%UT4YZ0U5OcgEq&%lQ#{gMi9Ou9sv$lD;%A&snrbf()rbz!OSS3 zcngb+=kW_`qxpusc>Gw+`T3jnzT$4SiUP39n9fadteUKDDq+f-nD@O9Nk06Ej5^&h z35gJC8yTTlkQ3~kuC9TEX1v)h5P&Y^6*q%+sUlSA=!^@B9~{~hlx){02P3uP6EDyu zYqM@~Sn#Ym)Qx>d2PDj%oB7Fz)W=NcwoBM-JxaD&Q{bJ(d>qqu8V{A zn)rZuP?+u)sH97YgIFfDXTJM8$U5uvy`Vo{UM&~M46uKWTS%$EJr7Kopd!$*FiT%B$vtvpbH`m>ynvO|zy7Zjr`Dr%kP zp2n(K{ia3f5c~j(#SU{~bPQ~P?mzpyeOC74$iI4QVIl2(JR#~7jt2KLW3yOb73b03lkH$M~o84H^5Yf#v*hnxeE}Bzr`yj2FGEYFmTglRH zSZT9RQs88vVbM2P$_nJ}1R1UTiIPxG%Rv-cMhu<$UoHu4{UcUSpz9Ph{fy ziGzzvsEK0Z?j!&qgiY2gcpLT&_!=_9m=qNim5KaS>$&54IScMA+Z7cBmg4)ma2q-{ z6%9rSzQ_-bVO4I-P}Jr1pH`JVn`tPliW&3$Wg`!Rq{R);-Q?+%jnlqP6CwF z9^z#wMceg`J)3WbDV0w9mOEk#U0Zy!E=$ViYx8fzXwd1wp9Y&S%a?(m=CY{>M#&*@ z?<38gBW&PpSNy=EX{~JgtWCKf^*j8!Hj}y37FF#79qvg=$1KEGe2}bxQx#hOxzoRblI3 zB4H!P#VK`OYQvb3)p?QW*Kc@WLgUrbuLSPV0OK*G-aE6P-TAgz6CyHNvsV$c-`Z~H z@9du+44_jzB9tJVCJ5#1SYu7fWu&3QGN?d;u!5D-KFfY9fzZs(WH|+47<{89f3i!! z^3`cu0>rWUo$u}-o3gq2Q!7BCdif*+vJ{LrW<)RTlmbyY!`3{2$Nd?$rS9hD-&VLR z39K$Irbv892}vyQrfCjqmM^KBn)j#ASe+!S{^MN^Z5_2IG6q4p$-}llur||x ziB`_#ju=ODU*h1!;1y@&ha+FR%fVgN?;upiL);1C!`ffMRfr_xlzgcp>^jRS>#QuO;C4J%ExoaoG*x zSc5|Cb#9cL4G(_8;wA8ufOY|7$I_SmFp8?65rpaK%$H4nhanjWV7SA_G0PcG%+H{+ z9{Gz?G&XW$m+|P3XF3Z9`!SIFIfzy@LxbhKC+ck@Wd5kx@VcMd=@!VE9q8ib=wG#T!``s9UHI?33 z|E?%T4&qQ=hgCdKUou_X3tdfQFE;FlL%v)HttF&m<~!qg43kE0BncUt0yi6vp!R)l z_Z0E0;$$`Gq~g9+)I%M+Fo$4-@{&4q$VSsk5yNeub;lS8nDo))6M`DvhM%p)*L7*h zc91N3Y_)>@8+v|QmLB@r$VDdwBm0%hJ>JCk8>Pq(rB+<68Xo^9bezC!os;sdeuKZO z{>^3&1(JA=<#uCcAV4;8-G8H~rhdj(HWgbvL#-@HsK=V?z{<&bV~GYTOk0933I%oR z=idY`4BaHq$S(=fh@(bSw=wt6H)o+00qI-gF|L%`1iy>{vnq)WKJ>`cn^+t5p{+q=V*5x&5h%hKgWW3jbc49`xDb5xQR zRU2-`9XD@$>GdDsDT(Sr_8BJLxb>_g@V2xnfi8M@fZTtQub^n?aLTC$+@f-K!@2gG36kCni9AJa|4qQ*Ja5?ZR z-15ao{Sv+!dODB)xwvt^w}6C1kV|Vg;3glj&?vywpxAmlb7;N7 zaMFi=xU%*);S1ogk#}1xNm`11MbDb+fFw#7#-mH8#YWWE5E1VL$%qoPxpiN-dsV%U zz=06`1HxMqn#B?xW1Xc`W1R1K8MvT-fH+*6l^jNmFJYVr2;PD0A#M9dmrV`|ii&;R zCC&UxT^JkW0K^%sDpb5Jx<2)7J ze}k{3Ln(DXr^e*cqfGYm-x6jzBJnTG=iJ;?zX37!nvu-%3}O=(2%1(!HhF*W4?o`U zl*tuF#Tz>QMXA0giCMl^pI>ErEVaK)Dv6K^xHNXhqNnr(#rYf|`_blL>#?T)&Pv*EwGKMsv7&Yk$@a<9_<0yaSXk50_B0 zB2F{)k=_i!slq)H7ppJ4Qg&>r5d9KpiQ(^-K$pUM_o%6TF~;-D^40JYY^_sS(_f{2 zOnTgHp=Kr^RsCzuMsV9N-EoJ!IN2YwBf&$s%{27V9Zpw&&%*6zH3ZV)AL zD3&yon;vfjo5w{js*(kcH=(f+k6W6U%J;$mL8F``+x0wRXtn$59&E=E5 zLd{1g=q8q#x&(xeNPf`hXzOS7*uu#NbZxCT;@EM0#s~aO14;49ypu$AF&8+=5;lB zZl`-9rdkVI+Fm)0`H#3GvB2pFMCVwYAby?E)?(+|a=g9a#sM)y1l@ld!u})5HOrHc zt&4Oa0p)&%L?|e1bcw{JFh29hg)9p&mvR%D5~|EKsD`0FkJW7^);m*0nOI|giy$o^Tchu)I3l0bvbAub3cX9>{xPN4N|sC&o{LU*$L2E{z%d&(E~bFL{v}u z8M-5yC?-RSS#TW&n^mR7My4IWBEwZbzdY?t30}zlerM48R`aOD*={s*uhmqV&%Q0T z__cGOv(*T50__?rLaSs#zxMLxLAgKa-YS#`s`s2FRJ`=9>jzhF!Z45g?#&kBDz1(8#TGcQeLA{?^S0Wb$ZP3cwkJ&HLFHT1f~klMd*?$u z2GNL3$B|WK7S^0-&Fr_Ht|4wY6vMhYf$y_1jZ+6%96q7!!0`V zZ`F@mZrEB0*558wLmV@l&dPU5#v0G_H{j1CIbpRQysWHa^A6742lm6BW^GJ2VgmqW zFeXH<#wbdj(M!e!khRw4Ej@1?&~%Z^70HErF&;B82~Ua(t#Gm?v1wf24szEZ$U>4GPBgXmUcZ(qmWAdvsb zUC>!UMIn)?f;{Ro9CB4ZPSg+**Ew{2WKxy)CWaA0Poes@7PXbI0eC66# zbLyc|B<=9Zy3Kg!7EE=*)^A|D)*H8?;Q--{>@dKnsXpK6fXI3~0*ekdV zdDE3(63_-RNU_r?rDKaKPr8@ocr+?b3-nKMsxVPWJICTPy%s1*Y`uShB>`ggW>bw# zJWH@Y)q!sHP4xq>%IW)y?8!m1%+3TIj%RiG znH+a~11v2r{t5>dG_FzW8cd{kAzS*eId@@sKaZNs4?L}@O4}u1lvdB4jV9~R#fquL z*!q}cJ*RL9JaIBX5X8#WGUM6jbez^OAR| zz-prz5YY^RS9L5FsD=Ag2%B$6i9-F7q`(-RiUEkGs&v=kv-x>79X&)2dQuX;594!& zs-!L^cq8g(KQOI%+7A8r)Kuf=r>_{dr$K&S2i6SRB0tH>SbPL9UretYgQ zhKGmu-7|EwRJg}096XMN4_G(GH?|ZC5XTbFiL9oo%?*4&^8$&-)cP#v?2KGi_0+a3{!-D*_=G;3iiN$4)F@FHeO zf~cZ$y9Q3#n7ryyx2DSc*!{U+%rdt5!v-u!{UrVkMBMw!=|Plq<5KZtabR3TSkh(| zFPgiWB}+TnZ}!|5>RB*02GXW~I`L@fg`Gb^EvJnJuvQazSGoEHq-p}z!EPECh>!|X zp5WLrG-PkEaS3!WKv=h*xE>opebDPzXmza~X`p>fH_iI2$d$d+3X{p{A+`e~u^Ps+18mfKgQ~ZyCtOMQht{B*j@N(}p6wiT309xKIKsYK-%&LFk1o_{SKj#Hy!4=**`}rpSTdo>x(_K$93=Wz9Pne7r5PhG zz8#;-0l6;ZZzW`F^;_4aB{m$82)Ese>Sw%CI*b!~PQ$J<*67gt0eQ*cPDm^)6^c~; zEO@I`%gl0k@wuUjxKX{BCN+V<@djdGr#M83CSZ-P@YhRU->`X@!AThhUJ^;b<&3Ba z;&@B<@rj_O@Y%zw^)}&#J`dx&abM}t*Bm?&D7Jwq!|fuoJSEkZ7tAM;YxIT3nyu#x zC3a@OeWhPud6^p9`UwS9@KoDbS$C~nap>vjvCPf=Ggl-#@kpIaUf%;TXIb0MF5Af; zzboxbQd}?3Ruh#uj?QQ)x~>A@{m0H~+@#Xc()wZ0<%ZqH$Dyo%8=$*}1`@;7wUzDM zMp|jMsAoGlWj0FJYO80$cCW)exC*|)-cu$+Za9<7Puq(_--t1sS&6{Zj{90SGsXYd z3{T+t_4GFOUfrNJ2NP`LbKHefF4XdFz=Yb_1DdNj!`YA|z%q-5GhjzFJJldkN+)mgCrA|s>y)pKg95!IfBb7u2cVqr$?czW`P;)@Da zIjF6xd8A?t7yZg&IZ0N?Z+zE;$Q9(G($y3Y`z!Q13A#h-BIa;Xf|h9X)HFa~CN8_c z%-+xXMn9P7BW!cFf}yP!OYJq(hDoJKJaN`#%p~)pY)q%5_uh7}%NU%12`1Tp3^Ac5Xc_Q19loL{KIJ zgk{DUJhF(g+duSOc&~DgMY%Z=^X|{pGNFH%gA7@$+&NHs-TEvefgelm{++y?o2TGo zR|qY^HCXbM4f{)wJ?|_MiASGoE`Y*v6O6)*cIce`2vl=}vu!EaJ z`xX4{nf(3j;0^*x-pb9Jq`pN$=p zi`*}F(;)t%lhHU$Xrc2YLeOfGXot<5E%tGYQc_(N$oWde%zt>4uS|cL)a7Xrd-XN{ zSV;Lew4FBc-S;axjep+V_n{09$i#@1@Y6L$y8b@J^$s(Rkcuw2?3$01F(JmzCekE) zlD*E3{WX6n_#}5fy-ex+sdsf_@NfPsbR0VmNrzVKz`0T#>)#grl>%lbY*>7Qm4koD zOPiMB8q)rEQ#uSX_{Xv=UH-}Jt6j;E5s+|ka#}p)e*gBGn?l^78*=B*UK1dK?CL`N z4{lmujo#}g7SDv=Ut?s-NfNQ8i=*dm27PQ#6f4s(`e`o>n?|U2a{|q^1h=jQXhwb?0@xZ`nO|r6+gF7@4o@im=aQRnt>bqpT4SV7xY|V|ee%7#XhrObd23 zJ$3clKg|W6T>F{Lcmy}67R4oAU1tvdACY2*>fZ?E|I`KkFSh=l(c8ZVfBy$=51UB- zZ+Uqc^GDx4&gIhHzGleCOlcX~jy>m&mLlr=6)~oNYUAGB41C}Jzq>uP2Q3dr172cv z8;PB+6U7>{EtPt&Ejw(9JGGjE3me~uzNbul>YAxvY9>4RqNKc+6B>v)4Fw) zjAChLB?zETDP2l(>t-dkTijz~jK`5l=iieNnHiGZG~=4)O@{y49%1D!G=P%5wC(d+ z7WKgbcl;OiP{kzt#}e4CMC9AMD&1K^mbt{trG>C}g*60w;DLWI94Z~Jk3EDy`NJ&+C3SW60K%Tv|56q1XUk;uhD@-RP_q3`F}*L> z?tt{=pRIAar&#f%^bSRs`1eh_4@e>-MQ3vbwJ>eHwmGSwv!e}b?8N>%&JF#4M!x^~ zN`@Do#Jw!0b~DR%80t!=P}rqzU|!kOWMsGJb7k0tsDRU!RbJerX{f$xQ z8M0uziiT%%)t(z;o!&GE9?f$ndQHN8RP zc)q;+_G8?aCJ0Gs^Y*uT>E9ISnBRs=mp4^Tz)>!VL|$r{~;s6j5H0$J27Ye;U9U@mGpJ zrnYLTN&*=JcH4f}{uQrV(&sJ}Th&v^V(!Sq%L`P?-vc7{(AdU1X=LjS3SrC62!UU} z&P({2-v7&!yFv{}cY{;ymAn6EU@lZ4bf+0z?Dn4HuSW?@xfvT5mxQevXZBu5VGcDb z+6d`SU}&sheGx;_9vlvXG5@uP@KRL|20URQH>XwkMHX!Fpez>{C~C; zt3Q9Y{1jU~eF660?_qn7T#`LoKqms7X<>uz@HuDeZ=^DAp z4QDIT?7+S|pknfaAAQ>;!`cc8=N5X$N_7?Td%Q+ALFaq&Su6Ry_Qj>`Bzf;OvX&=H zwomgkbNtXI*tUy(q=*diE~^s%)?}5?OuZ+pV92YEv7vYgt8I-4*O{e3K=4Jt!4bj~ zGOA0L{o?o@7}%HHwm4x`B}G3h*H>01vCwD>lVruUvr0>Vyk#fsskxv!`OEAL65CTk(?dh@OwOhF>I>GCO1BR{(L^r;y6`ZBob<3 zcqpdcT)(1gV9T;o@jn=Q3#h2yc5M`pPL*y@LO?=d2x*iq=?>|V?h+7DDW!Wrx@+hL zrMpAA8A9pidwAb{_SyS<`|mz$&2q7px|o^Y{oHX~*L^)z!iI2H+CjVhUv(SF_RW8a zPHywPGue`W;v;j@=4^ky>1=0~LJArV&igyaoGsUZd*D{H-{m&rLDCjiq2FS@)hd^@ z!n$>{zP_-gjc~zE&A78+i_Mn1?G0Pzm7t+ti<^Zec>nuaj@~}o+415Mqc&Y5Qq+_> z8|L6V+||k4z0u}4xlm~dx=%g-Z;<@ApSpuZgV2n2V#t4b67oCDc3rjY19^jEQE7NO$mo#u*La)Jb4XxYG zN$$TtsRZv6i;C+uk~YdZaJjDbYM?W2b9SnJ+rI0un!u96Uj!C9IyySs*!*xF(~-*9isxKR=1h?=>hj z61e<7wgk4QREWaJ-_^EZZ5_URo;qz;GvEJ{*wEH((f3RT#q;%9^1wCNk_U^dhW0?C zYb<=R7R{UtwA~TrA(U<$@p?`&l7@ot=K8Jgq1QJQjz1o4^m7dz?`GmdOY)n`Fd--gTS+@Qwl(u^ZR#?)gkQaP@^dfYr?WQf z&fuwd1x)cSc$jQ?ZU|UiyZ>?wu~>_v_x|O+=sVEpc_dy)@Z+)VWjovaP08j2khD?$ zqFaZRz`+MF7rxr%Is&1r>Dm0QasaXb|4^b10#9W>msVrVde>`j@@S^Yd%vzr&wbw2 z9LR3oeLEv75tgFz%(?&{bfAY3YWoq7dcV|uEGN9~?)Iwb-Z&A>r8{z0z-wq$&to~5v`NYa8lF9|?p@8*`*Twe zMTWxv`p>)g+tsa+%o{6(EiR?{A(l(Mxc!sGy`qwXM6N-;4j&LE3(Ew0c`A9BNGaS_ zQFTXyF9-H&7WY4{i0rtkKm!y-Zd};4h7I4~;bYdSi8dKHAA8ER9rYwF6!Olys5)mR>sT$d@9`Vnp@o#x2ov9KiroE~WF+@? zA%(uleBvqs?c22Wy(uZM{d{?IydH0ON)^qteF5uXNKQy~UzoYle_cA{XzhBFR&1mr zByy5OZRfT3%c+kwGnCxa0Ll^wHReHYVx+UV>|pRUm!CXtKu1jIG1dCV(MS0yVlqlj zThhSy_-VhZJ$$z%(z|JFRPD$q)Y}iI_I=7`O?X$?5|-4bSS!|N#z9Xd=B5#ft!v5y z0yFG5%ge=tn9j&4B^a(kPs7O&fKEb=tRlQf$1vgtrY8ruu<=AbutM z=LbGMWK3aYDF_djH8NsxU=Cr?I`R!MrER*n_{Vn?+f;kR{uo#5UR51sZDbiYGe!{~ za5yko<=iO95t7RgsV4RpUCR<9A4AG2W^d|EW@x5A+&B%}r5*oSjTFJ%8$wm_I1Ajz zsDY|Qf+S}@>RTV2U)^V3hx69CLGH@(0smvjIc)X?d>VrABx9-}sT!P6UY8Wm`R3#_ z99H+OPg8>k9-bc6m(usv&Z?(MY;4|i+HIHSiL;Hf@ETe>|`2D8(59i6u0aNbG@+>E!?fl?RPoZ?|WhJ0ntyy^XMTmIU$LB2tl7|N?c zDSF^8hDQD{w!lWR4}K}68`M3qDd;;(C3-#PcvMXGI!irj1U+21ii4 z)Vy))z(xrR7n$zw`swu64>v*3u#mSw-wPVqP|o6QXHgH#VE$Jjq@*pl$dM*NUpZ%6 zaL9(b88cH~3(WL?!|;V*N3hJmgz@2wwQTd7yIY&CS0QwyzG>BnS{O}kS=L_qm=UxS zFyX72^r0BvlgpB`0+;Ziylt1AclssJ!jnG@1qP8S^P%~1bD~Qh299-2x_x|xs{PZW zMrEdi*!CI@nhQAiv4SSE4-E43zUL)6p;1nqN^eXEDB)$J?uB zCbBab0h-h44D44~6(y#lF?A|4U%s176wFPcGMLBQD3XT9giEip6x#H@s`*Kz>yh}m z01lsI$s83!qm1Ep{sPDMRYT>P#~LYe8SzWfoaBfVvERyhZVln1i798APlzd(Ep_iT zm>4cD=}OxdU>>vK_SPJhAT=7Rs;Bas9oLR=R-H_fW%T+X80Ok2{=IHys#+OuE2-`6+WSM6NuT-aF^ zdPyy^$ulmL`MkGxl5#2s`|S+GOcr!`xtaxy^>!!CB}F#d3nEc_CVy6b_7H`{F`1-P zaGGBVJe;i!u!wP0BYmBzJrIr4hq}%Vn>&7qdtUwJs=6ur~H&4)mz@655rxWc|tL266)G{(NbbT8wc#rwbov%$>G+DeI zVfg|96$QE0Bl0czmw%z{1LTpv5Wd$|R{kopm~t{g{G~@WdnZ&U_Cy0=7L%oD$#*%A zy+i%>Wi&grGo%%D`dhP01S&KSRw+x%!tpwrX>$mA5c`{4#II4)y1sr1KlNiXo%(yF zve=jy5Bm2(eQ6#mpO)ET-y#~#-i{9prItwuF=_;)M zP@m=1icq6pw$*rbRO)}z2UndJY1^#s%_=+w#ur5>NeBJ!49JajbnWdyBIrYvzYbOkkrh=Ub^q^#x9P>`(cV=KxVdqNcU)? z?dJ(Z-_S%eJuA>!J?}i~WQP5js$d z(1N-b*mxED{%%79+gll$sC<_Vp$2gE(?$THbefAnn1lC|gsI_FpCH1SlCO8{o7vLt z6Q{MBG_=c39pQjS{;WK(&j0Sl{osrq1+5`xaV$dURO_HBqxsJNGr0sfYz-#seVMn0 z(q%LK4eEXtlhk>V{&-W=)5v$z>WJ%q5gs`)C}%b%R!vKMNkn zJMER4F^VpVObd-lchwL4GLj_GA8&sL?BTaFUR?Sr`R>{$$U*NPFIcz$WS)!goeMoQn-a2-^y9ZUvGy8j27^$k6uRfcy zRsRwRPilcn6OK;as3twDYLz91lRE|ZaRO{Dci_2}+1+X1sak{5t3FwqJ7)H@qLe(@ zSF=mY!?&(@{VDuh+qaqY-SgAz4Z9W0^f9i2`nn))XN`)ot`w^|;@2BabO=}(OI0c$ zd7LvD_=dhG>am>bPW{#ED-=7{yCdH8mp+p=F%9p$)I3L*d`&BtK2FXV6)+3B@|-fG z>D1E@FZ7(I!lyXM1xYHROL0EPx>@?qz^uj!Y)u}#y*@b+%79Zgif|VXp@Th8o8FAA zDmnUZCj!w0^eo!ND$$Vc@4XC9CByPmE~imZHMiq?0`+_rq+L_=n%t*Oyxn~L2K%zz zeHXaA7C$YVB~8IIadhOpu&x1$X7JgnDQD7s>?-YM75AW0|M$sD0bJjW3V%!0^EIlg{EibfVUn;uedbPZ<+65X{k(vDp9U`Gp zTS%Ok%hm18731+WCS+hvbb#5n$__%`Jz+RCgPMWrexNWXl3q~ZufJ)^suQS}J)kdF zO`Xg%Rjk-;Pzv8~w3B@4ukY~WvQFaWB8-fnAbGpquLM;pweaj^jnWkwB?dWmN|`@* zT;9GrI{7(#F=*ca=C8cw7W>DfWH6&-u`-C!^g(lBN(0v?RSYL`Ix4bUoE)6AkGytw zwG87@EkROu{-J}cGj}3+6ZA09;Cd$&F={5OTb{U6UdcWtTT+%V00fs_9KtIT-BE;<~f2YqRjT7Gt~DKW8MU!sx|s& zE3{{ecxz%lQlMnuIniv(z~e-hyB;JC!s%}XOqRUozlL2Z5CYWZHaQap%`Gs)UxSnU zcC>2i56`Vj+q0fi!ugN^#iSzLSu+rAmNXv*+=$3R1~7>@D-*}W;dX8n!(Pc4EHDGE z{~CDU*@%Mp1~F zx|wSYQ!VPJq)>>EuWSHzGcwYl@e&$3M4pcu6?(Q0Qg6x7kZ0X-$&fdLHbPEX-+i(v z=sRFna;LsZbrSrxQz>21u~kPZ)MAn5$)K%ipEw{&dj@1;}plwGogyWv4!H%3hcynzGeXs3o!#{!u{allFHv#I~_(UhS-3a=U2f5S8WE6@=@hD9*T-m!ZZ zU(!PK{38nQ%0(Z2Oq7Op9;SFRXexhbcZWU zxqklq*@;R=ue%;A5fS%HgK5#FG!j7Dr6b;|Whi}LQR6p{TtJoCT-_9m9e%gv-D&=t zi=`N*QdOf_e^omhZZn+$T!TsN^Eb`GBrSg9U%uX?TD4{4S0Zu;NP^)Ep5|KKs}M%X z?8%@#0E^-ce#}uP39H$K;B~Ld!jxIRa9%F>{-u{uX6rKqa7J=9={4&gTwAL=m zkMS*Y-5KwJPHY;HJM0eG1P!#Az<)8qm0ArGPdky&bdiYE$p@?bjC2l2s# zN3}|LibpAtscRfeD1LO=Pi%W>tEZ-B8fWNtvGmqn;F9W1_5-Yc9y7X?Tm2$+{R6BZ zNAJtEpG!!Pb6YA~`e~vJA5^C0rt+!Q> zwK!USSK^}I6{`z(^76<%E}3CALW)u{^E@i!XEnCHrSN>%fMg7~9O?bHfoYN*F3-cY z;YM>?x1M26-|aLR(H}X<@5nHXF4v-!!qScsxlx#MY;20kB`sYgkd1&VG*ms%Ix`?6 zLk!jYJGcpq6kkjCEc%516l{|QD?Yn4vvBc+PZmqu*mb54`}jr(xh#1lOaX;&f zqvx#_v>zRrlQ-#%JHRc5&o{VRHVaz-h%t9~`BYWOT{;8Kg;@&)vu#!`7cjFd|yP4W0fA4&;8 z@v)ejO8t>csmNgl2#a$kR6(44a#jAAD@(W`8xJYu;PzI8vcAk{W8Q zd3(5Z)u2&SyYl7MO9A--H_u|VovzS1>m{1CkK~Efj_>#T(b7-c3YX-jNs!DZ$$TuO zqyW5|Eu#}3m^y!0@vQQ?ls`Io{OR3pD%v^W&zaMZ?`kNIkYA%9Ba{17Ya!}BpGJB6 z{X5bZlrUB@9qs`JENe*m0yOwMDUH-o%q&HJ7fXot{Jl`n^cBMFl9y!Wb()EmH|VMTOnv^j*cL4zEleD=F7emrg=!70v<#$aaMGl z!AF^Di$&!sL_So32mOg9e&EG3OO7ZqtnA-Jkdky(e72pW?~6&eCw}eIxD-^=1Yzk zMhtI?2y!~kSy24-*AvdTR@SdK1ajlrD-tT#f1wFil?@iUKm+2|@;u9QF3BdJfhFA( zBrZLB%No6Umwa`hI-;+u^@-Cbj+oppsGR#>?0k9}p)7JWGnAs!*Du%};b@pVYfJ65 zMQcCr+(~MYH}AeUuS;xp@j^#S|Aw#bbPnLp>M7gcr$q*FoK+;s z8aqpz^;b*yHyb`=tdSwvusF}R@)U%+K#Z*x3uj>BOm=BHLcd!dV4jisk#wZHPP(W( zvtRFxHFsg?((a$Bpe3zS5eb&(Q!c=IqGtpgDjHkK?}FU9yt- z&?#CclPK~c^Fh2D$2e)rTgt&UbIlia;&-2Czp_}Ah?fgKo=gRt=d1AlzF+@$!A<3xeF_4WB5jaUFUzq_bB zl@?1X(QjZ-L1AhfuXEnix^M&Ji7YQ*ANvg9R8u}t$0_=S@J87);J{n2?t0eVrNc3T z+xE_KMq$)g@%_vtAabXAPfzFUHP72X&5+sy1D|zns@oyASm%q0eGAmFd5(j3B?>Rx zBdLUD<&bDai}L>6$cb${Tb6Dy7*^iWnY#F6eD}tzyH4;qyU1WR zqH{RU8^0cdB$`b!o=EniAlShKj2wCINYlVG`*LpaHqPzM=QZfhlvL^0EMGrU z==!ksZKk@X@k}bE@Qqx)SND4uQjmO83{3pZ63gywWz5AnRMwSw)dtRV<3w zG$4d#=1g%5<|>DT3p>NfHxu)Jm?Lrv)N=D9r$Sw78`IV|*m<=x4?~~U630sE{82%F zjj4ee%YwqR${80JD|R7=_>{>7iB%)#tGKeTV@EbeDqJugl}@u>Hst4v8q%5w?Zq1H zNg>%h158J0W2_#IzWTn3u~SB#k0)S3Xe?oOia4n!&1;8g5q={A=#a@KoMO?3<^@^N zND=qE-IIxL?Q)JN9N8av!-7Zq&7KezDKj{3M%PX_56o1A>1c1N*ALk?{^@iq*QBGA zAEokG3ZTa_l=S6Bw2J|Rf|}9XJxk)+fy3)D>jzRwDK7uo!xK=^&~kX6rc+YP?gvhi z)ecen{1$Ts{v95(I_0=Q!;18&ddWRiy2|stBbLumk^+05G5q3bX=v{kG!y*b@7u*w zp!D78&T661s(Poqi%RwG;O?d+Dwv(6oapP3Rh^HXvs;~~#*Poaf${uHlTK{c)o|X8 zLYH2q+&lo2^B;5tj8BGfU>XG?QU2{LeieO;oK#}aB*3M>uCn!s0lF*q3FjQd#%q25 zo0Bw-4K!*WBgTi#fN_^qNEJ|5NQNl19UDy!nyIK@-ux)W|4^-$gV`|{$)biIC#B<9 zQ7V^FneL=8AS#V7_5RWJnkTw5e@7TW<)rIycFDY1K2eo3t8o{2r_5~-fSX{IEa`XV;AGmkJS0aFpV75La z5$92v)=i3mG3$Mhig3=3XnFS7bE0pf(Z)x~YcS5)u(;@mdER0LbDGeRoGy;QB*dm9 zsJgr9bhdA-2xr;sNGH>tkk*_hPFCZy!<#v9G zb*uy2k#KTg_~G*|Dy|3UhoUbzK6rkueyr%%{obOAk8NLzn6cDaewD1FR&wA}Hrux} zXN1gW_l3h!YhckI+TL$cRQY8@9U)E|&RgGKhmN!R{Rs_puE2IUIm_DIeLfd$s{OEt zm-0DQg3kO4#tWiX{Vr^X@<;W_R-W=mbfSNI{d{c6%o9$KEcRkMyPDl9r!Jwx-&I!hz6HKUdS@%Y(*D;9Qn(;JwFl^1B1?EFXVo^ZKI)uD}*e@FLg@7DDXPH1t&$0?iqwjs7;xE6-n!U7qkYzU%av z!+YR|yT`;XywT8Wn;vDrgDs$6*S=|D4CdL2h}QjG^{lUI(E{pAR46}1LInRoCi8>G z`a~~}`(PqV*Aw7+gr*k&%Ps)Y5#HYt1eWu~u)ep0B`)N0tSwTJRFnB69RrROt2J^@ z%P5|f;|?6^C#YL_Nxw(_%WEe>G>4&kz0-%s_T7)B?!I7+Di7=e90hl)-a5+IMl!8>Cb9f;|F zz8r#LEQ2P!+(R!HN1*=-3}{8pS?M1M^MyEwwf0eA{rIyVX~Hf5z1jVY$9?}-U|B6< zw&l*Nh2iJ4RU^`f?X|9XA6+=&KMU_%>bs1*ey#rIU0TPn83iK>WfqNvG8Lavl5(t- z@uB-*3cp4fLF+3zSU>_BQ^qr{Az7-fM`>;oO4i?yk5rDF)~Sh52WoSI+{)hS(Zdbo zh4ifoGxoLhEi|t}F@jo~w|$D0hLKGL5(mTj4z;X@gVNO>D@NE1cM@-s_42R3_B zJXa~!$TyomHEev=#Y?cf+q3tFTeW{UwHjMq&2pmHF9ZNwAz%$g$As-S)R_?9GCd6Q zdR08}f@-`0fuRIvD$g9RxOo+}KaqD!{R*jlF30>;)=SW521RXltRJZefBzJulTc~q z{QGtVz!vI&=htjw-@?x&#}VQRdeLaE21y7zO_Ga_A21OcptP!?NH0aLV0)&M)EPMPf;jU?onsPVjSy8?W zTVC<_R1gc|%Cv8@Evx8;D^zjfZ0oR}g2d()AdT6f=F?TV7y>ciD#%X^xDS5*p)^yI<*Q6Qkr4egFav4bw7E>HF*$)IMVyMJ>rNR8V z5bK{`2r~g>|ZQUXQ={o8$k@-avu%O0bq8V#4el878+>65dXKc z$b5em-}C?{P+iyHRtY@?{^8%6VcV}-XzIRQ02ZByRT=fDB*z<^Qwg{ekR&Ac;ETjD zbY*`WEJHGOQn3EYq#m^KqKm?W&=nM(uI9AK&#oIYj$M>kI>>fUjNcuu^`MN5Qh10V zJr%{oBYm?#i(D>WGXR;(yH|mUEtGScVAGc5)f1blyhc>bW$*atht!hT!sfWH?F6JoR{|RI<`|BVWH?A!=MPT;rDdpR!z;4gWgp#p* z0i8t}v-n;>VBCYX0;b7Iy-gX!J(Vh2jfx=xy)0%-hw$Jx6D%4g9%_D^2G;E?8xn+x z@y8P9(gOJbI-R-8A=(z`qKW&nHl;W|Zf!}ZWQXK|t7KJfB~JWj)+$2!TMrvwjc1l7lbhR0+jh|apTXoID{{@Y(hJkh;JmU>|fDRfC_ z0raX8#D^4o4(VSwg}!*8XNpN^l;i5~$%iP!zU9%C-jg1t+j^WJ!T)fu@m>Y<pml$~L06^(Kq%kk6E7L5UB}BN7Vc z#tv|S+py3kzI&*{2O9n2>J*^V+^L!}sBHJagE?ITt=L)9!rgW*v}CO_BUaRd3JlRa zjw`PoUA8O$9jCm^UKY5dteK0ozdjY{jWj4`0|meT8qJn#^2YKM1pURE9_G6Wh&nisZ)457eEpyo$&YL@M-2Dtn?to%Vr;XUqr(FEzUzz;*l&6a5Z_vSM zWTP8{u=vsB7Arl~;BH?yotx$*s{j?A$2=19NUH_BqF`}@pH_;0!fj_44wrfVC%q8A z;}NNyNnQJ@itxwj{6I)FVR(B;T;=iSEf~3^`~-s|W4~Oq_QYD`82xLy9xF-A*z8kh9UDbOo1tDS+WJ6lKToeCZVr1^Sb~UBa>#&H zcu*ZsO)=*3_^c0&h!fSxu{Uu;2ZuCm9`)sZ_Wm6ra-Bf~)pwhrckg4ZS%XOyr!1fk z-N8_Q4BJ*I8;cp_B@?~xp;g4v^x9md4jYCPSG5al!b@9lSs#46yWSKjb_TM&N1lo= zFpkY@Vq1oY@3w+|)`LcBIuS|~)o(?MR2pexyp%%3;E*$BzW*S!5h!?5Hq%RVXc*5x z(cXk%jHVDd4OkURqgYkB)uv1)5G1rfX5z;JM^QGdmP>vC-7r+b@Wa@wos-TqeQvOb zvrc6ixM8Mm-J!WhBe~w0zOvoael7&41de1f z_jM9@79kF){LVS*5R!x`@@<8XX7f&)HWMxZ{}jpjqr{iEQM+7zr&f{1e*E`R%Aez# zbESqNA~F-#Hp>~{b1~~4qs$V( zxROC9R5adGAJ$u(z83Dx#1=0Pq$GoByVCZy`V@mr>sG>lNI-~Er)O>aw%8SMKrN0$?S4xw3Pk5R|3t$xE@ zg}LZu%08JnA8Xb$V_BP}zR8HOP-m^RJz-i4vJh^uHx>dS`J!I{*TNdT@Fg@+Vk*(t zux+tRP`!cl-M!tw6={Lp=}%!Fp)U|`N3Jz)a@-)AiY0SIUK}uvmOMRT{3{q_$%mY7 z$KV_?Fjy9@bJ4zd9MAmzUhYlY=)-$-64`+)Q1)#*mt|d~1R`8 zrBJWK7^b3j_T$wRkP;r&9>NJv{8v6Re*8W%o9m?FK+CMe)vSgnkKX!KdRyLh)RkX;H#nt%mkhI5Lc{{=O~Ff%o( zMo^?1Z&~S=eRe&_zs6==shY6K)mGclwEJ3|kt#N&@^SUSSB`jfXg(pLd>N)LRzkZQ zgH4@zILmvhjR2Fir$?M)AAGsj4L8#To0lc)A48 za(dBl$OsaNZZvH^tLV(ho9bu=svM|m8mxb`tD4Z*xrCRp^O7H212w)x8}=%w=DI3= z0EA-Q7W_Sqgoe4QoL{2i%3jsH;i)|()FW(C{WR3%S3^nN$*=_8!1wd-eZ$F{vNi#7 zwu8qk=~Z3%VA!wD^OV6dDg-+)v1W0cpHDt6qE59;dKDT8R8qvBrlhV5C}ExbOuPG@ zpk6TaYN9ae4~Y^?L(_t=OgI*IyDB{no2@6Z%6|Bg*!LW$zFC+I@8~pd9)(oB*th^} z=Y4namTia#2!PMmYHXdu!_-<}7vVZkkwa}_yG)BCs^Y6i> z6Hg-rSL6+4jad6@);bppxSO^d%PF5IGwwhdd-d9~(su`3nW8rPs*+K9`!SI%NRvj8hwt0v z{A@2#`E6%KTNRQ=)IovFiIu+`kVaRfF+~6V!*Mnx?s6rRo!|qCtSj)X)tr5m-=4$z z;jFcb9)_=JWLw&Fssb?100Gc?rCxM!ct2*eA4>(Yl9r#b zqw#CwBX1CPvdKQ-zbHm$abh9mg^GO3AIhGmI@U_g3g)&85w5{xAlVA7g%5D~Xr9T4 zc>n->9Khw9804LgCSQ}odK9w<1W!K3!s zuP*bnBvt~Rc3FlwQoizxW66#(Q}g|Et|_KavD*r}(SrgBCga*$9l1i+o!`qHsW7Ac_B#cIy-#<$$?!-xM6K*{zELaDC>6upX2t#=F96DsWW0_^ z#BV6KG3mcfB(?arcxSl_&qf{~OTLNg3l4uE4LwZ>=d94$G`{VS5&|QiI^YG8c&F+o z-Sd=ObPD{Yd-TXn zp-dQTv~)E^dJenI)cnEDu0m%CLs3a5ShfBdeG=#FJnZ>q8Qj$}$oS2M_f>)&&)6kn zPxIqb>~;WOvnJocz)5C_^3o6j&15Wui;Ah=XHG2V zP;3VcYED$NQA$vHeYNSM`oW)Q!KICdvNA(6^qLWjQGXdX5HPr(A%Uu1Nv0EK?Q=R~ zkw)|!-Hc7U;*}k2M6v*Qrl);^5taTfuFS z!3zBHP9UFY5^5cm#e*x#5a+1z91M9?RX*)ur#OVK_=91oi`suzU)6GU&bD%ZfV=63>qBHJK@SIEe&nA%IFa3F zpa^QtuBA;8gGCBml(ud=Gu}!~l>P&TX~(e!0a{P?&IoZXjm+qz~*B06_+w zh+hDH!g&kWozoUaW75pc+toh%?lAFc1t=BrL8GnX8oXrR;&)S2W_?`0}8r{lofh$}izHyk*%U((>D%cKVy(@&IqpbNHa9~0i=7N2q=L_@%DH{5{1H9m!{kl|N@hPJGvrLl~{9OqiH6VGnAFkD`C^S|H||AyzkVg!6iq8Z8xe*WP< zkY6(NfLIpI0UOV~L;C4Q<%?|8)7&@Ky;d=}> z!&Ogk8Nq{OY}FrN!KG?NNno3MZEl`v}e7ce;b1CjfE&k*-; z0c?TWE!6fuqE+x((iM9&AWM>q(A_{aCi~;>gN95nKmjuIN+E^s&B?)H zOIxMoGlc3zKW~)139DM}sRvf$@t%Lrg8vFHdJJWR%BW*)2u6%_`kPG2$;5FN)8+IK zWHMw#e%$mCk-Li_q2h#&5IoIP0axZP5&&Nv2MkxJK*;BRN7pDV0%ENkTiq*AKnAW* zVv*YVzy>>@b72;H$_Om?9<_Ax%zwR$vg}J9~G8D zsQr`yhTbaynv!s9fX*%q0ZB=~CFA>T@B1a(kJUC)ia;0g{9yCnIs#GOhgx+`*_S|Q z)l@}2>0hW>ssR)}nnGU3OP8g>Y%g@h{t5&C`wS^}+=puiaisd+=a#>GlsxQ!&RC|n z?En2C{8OzG-FuvlV7_PYax&#_1kt~v?|=R?T^yNg)2R-VaNzBK=7RtEU;d@@PlwzG z38a+VM&bX*SNESu=)eA;EQS;gL+!7B6Hw=MVtoQ2r-D2Nux6`J1%wWP)7sqksks&d zDCaecK{=wlP_+bG@M>T|SA2{k3R#*)2+69HxA}Yp3*1j-_z{x+I+UmYK+zdiBr^Z~ zJq?$kKi96HyEA|RNqhlVb;ZF#(3Sh||K`8EGeR0=O)vxMeR&$@04Ur7032%~@cv7> z5a57B`O+tG6PP32azhm_r83sHG9)YVtnrAID!w(U`j&T!M<~Cn2JV3j7=nz`CTD zy}+E*KYT=GW2EqmpPwWCuLz>?L|XJYQaDWHlzMDQgA9;FtEyvwZ`EAi7oKquM9)Qu z?ubE!`wj*6Bx~_Y(bJ)Ob{HT|89LRr`4F&KSOv6lo-JuY-ppFKB>YZUUH}1t=l!(B z{D(>_TJ^}XNWW?#f9P1`In9Ra)tSvvg|I8TqMX^Zjx%SP2k(2QL_o^WV z=or|KJIxm^jq-LgI}E=28lM`@5Fn5K%VkWVKnW_m19}3i=Ld1R@7{o`Wwf(m16r|3 z{y8l?LQdLn;x|j`4wW{X7~!Z4I+f;i+tqSi4kqqhLWOq`|F&=ZBiVd|MaZLo5eu^iyfzh9S&og+ezR5fX#(%xz-fu7a0Kmrza+J{_* z5m5J7UGAh1Hc$rsq%zFhMdCz)lUe{3Wi92kuG^njA=c5LTgq zZ$k;mRW2R0xYp4Mke(X*;;PBs`;R7_Zv3#-*FNIGImwp@WKg~{!BuNI2>1Jm8r}y@ zHP*n^I!VB_pdN71#oQ7fvEP9D;jea2Haq+?&z(+zq|nEoxcPsl%4uY9hl?57Foa*lM9)pvnfIkf`fs5%=d8NSnC6+z8)hu3L<7?NC&-fES{gRA#ulg9jcf3#( z*v|4H!3A0(O(VxvSy8-yh)e_wAT#^3Gf@~S7~J!}q)HlHByeqwCTKM(FoggV$GR*h z@|dCbY|dT;sD>n-IfKHaK_c{zO_4HgKu$P0FWctzk0Jf?x50s=iP>`T1%MD_Ng%QY zmqx6tkIQ}phco=XicJ8({{E7WVgR)Z-47BI;Bx3B%l7*a17CSAa3m-JgGs7a(}+Eg zV&k8HCFeq*U1UlqDuie}^h)EkPn+rjWcp^JknEvw|GE=Z5MbBjX%~Sh16}V@%iT@s z{kbLFS5KJI1Fi#)_d>ggeW}9Z*7i^a0HwWl)+uPZ%(#GBzWv}Udn!qE_qq9 z3NqPt_$u3&0T2PCdI3ezIOtGH>)j7Z$at*PoJ3^n_vtn10`P5&vE|Ye%PU&7PQf_i zJ^N0l%6dI~6LkBLuJ5$IgZA&)^`w>wj=hgI*q!f);?1iC=&Fw1rrEp&aCkrqcEoX} z-S`Hc=d|t^U7g0WToV(@N^mc|eVRd|NBOKn2aY=EkshZW-5X8>hr5O$a!_xV`UA6f zRmF)W=NHvRsp!pHN1%}|sj2R~BwH2dX;|-zFT7uAHVMDL_kD_kwtv3tw+B`Rc{Srz zaVI4K1Dri;o^01>fs{A}8lEPbKpvJfcUf1x%sAN+WVO3&39F&5+dgjkOAq7A-LejXk_VT=prsxs z)YMzXa9PK{cDXlD$pfg4<{sGoGsE!g@d^FIu3Ig?Z1x+Ay)oUqKjDpoHJEG1!IDA& zm_-}4*at^S2f=QTk1%K@Ye8JbOj)qiZ#_9_L!(|>b$E|+Fz+^}a0A#r&1`h`rJu)( zx2L=ZNx-qCL1W=zV=K?ks%g*7)MCDPG^9F?2kQ-h!Iiq%cW*gDE;UB&Z5+Dh&bx!& zU0Xzcqu#ir2F&Fp7+H#+*?J`GgLOgly@T3PMgDbyqnK6`y{W>|W}SPScn5SbY_*2K z_&~}&rM1fX9#s>L{UlwmPtxEBjCH^{(&RvK1Ki-17%OivE{ z@8(!=+k?S-hcY6c1Luu=o6;r?eQ>h<)DQ1S7|T%uFJ7Tzns3uMU<7!D@oU+Oc`U4R zXaZ-8Noz2aqUe0o+cqQVbW0%X6hvBPec)dcr^Zo&@G7y?;7V$(w@g@!94ZQMs z+%6q&MK*tHGKpv_OweK4CAfz%nm7P&JP*VR{MMr=yfzTu5GKGFLJ3B z)UQXw#kXoHGPZ^2H?siVP1HoMg#AOQjf~)@#m>j(N^AT&%EJPTxa6$k_z9&&5-HcF zWUTK=6Iw_!c>A1nreA2>oS>@hgCOHkiWIyzhp<`~di%A`y5%j02*Vh3&i#ZnZX zr+v~-1BleR12POF%lw;q;>VJoe47|1576-QGI^GZ5>~{a$*+R|$wd)-a&(4oIUvQ) zszsVuY8XcpIAGOAc;~Wt2dGf{^;{s`ZhkMkyorD84>Y`dN5>C>23Z*Nu*xrHf^Tia zB2tKi!;83jCy^fVhq-6h11}$)^{s(emCD0Gxr+UJrxW#>GWaJOJR-5Fr-SEdrt^qT z^VoiV=-T6wi7-y+>KFLVZY@@$bt7)0(AxudIcPfT6yPm>mDfNNQ#NZ_J>(j8A`vr2 zO|k}~Q7`godxiD%l^H1+^oQ5eJcNFC1~gXNM={(Q9<$C6=5ONycyNl!y=Ifu8|(+ku#;ua+B5t z9FOa5p-BL{P27&#!cxO>u1`Dh*0Zia!70T5X@4acU|Nq5E8wHrbBD zA4VyLyBeh(l5SFT0~@w5(g{0AC~T*g$}@I}3dgFC0H0Qy#VX^nRoFN#*rJe65erlM z0!1j2mg4Na9{GjY6Fpt_PtR3K2Ck3v?{vO0iOm~gs{h83Ege42*q~lM%{u55a^C7S=_O?PssFFiwv#PbYQpi%Z zZb)?yiS(Zu>tQ1dwf(*Yj{zXC)X4Go0trO&jvevhNE#y$#z}%-X>r6%U7w14GLS zjn#U%{!vzj+$3I-B*%i7w|chztSeqa#4yPdp3?-ubVNvhw*FaJ#n=}XS8Q@Yk1}=o zsWI#Z+D#Inr=;VB?FblEMyUiZ@D_EyYN3Q5`jPG)Z8XUD`?#4Ndt0^Rb#K9G28U zkX4$HO^JA`HzGn)dBPaC#1b@Hp4iL78`RvWv=p;-K@=`zJ7elH0GJD^wp1EDA<#XZt;giwbTOYvlP z$%!!eAdL-j#6D;vNEp2UK#3r}AGq%OkGz5u1~lDwnlAW#^O}0cG$2Z(DyXnS|VQTsR!`WMhRlTk2-$*w~mw-V_Iq3!k1p#RRX(T6z zv~+{g(%sFR^i)b(Kw26^q#Nn3cg(fcK4of2Oue4qGSFfkbWbA%txbC598w02=KKsR| zNGIP)RiNC9M2~R$p~sNDBK3^NdKIip5*^Ky5l*OMXo-)ikEjP;L4K{2pLSb|{E`cE z$@jm>z09=uz83qKwbwOS3A%SUB>6UrPLJHdd1ynl7pHV1qIUm1b9$EnQy530h(B$q zcVdZpMoX%#aIczHkD*O2BGJ`>1Kp~)#mFXvPj(<(OasX`+oewVe$&v;)xbf_Cz6nx zzFGH8qC-+br>N(k6qf7hqa8^o&SAF?1LLxP%`b4xRg1no_K?!WP_+hhSZ4%%FO0~& zfHMJOK~`N`tG-#c*ipy72A{1v(sf7|vhWI4QlTXMb8w1BY`9CyC2pg4Bk0@^G(-UjIL~Hx8P#EIVw0)@6bWMd{Q~~h#X%SVe0L+{kHwA&(YGd0OrKhBD zsS4wVgG+6AT%F_Ed_%%ci~e+EdbWk+3B@JBLbS(KYpoXAtS9;z{V$B4EhF%;x(#=@ zcbLOl10&%?^y@xbuLT_Gvu(Z|1+!%Fj+*z8;)`{?y-%Pq)#)Y|f+GadId3)F>uJi|qx?4Nn**u8e~gvEJmku+LoK2_z1?deFC`Mm z35!F$vJwS8b_QoTcTs8522hhBE$rlU}fcdJajOg5h>>CJwa;k}T>j zb0K!zm7u-sf=huE`YhZc)Z?(M-Uq;3(K~$1%;y5Gu;#V>&!S!8Ju&x#Hjj5qJVvBL zuNXgFNdWxYKs#^82<-N<*ri?Yr;m_MTWunkqS2MgM-B@ypZyBwm^B2yK@wuAv+fvN z*qxN1QB|#abR0g$OGIkfMmEhJXu}g&bZ;}+>$6*5)rSaC;V+(oXulcZal+c{xL-1c zrQK^DrmhckD#XK2NK7yi8-*+eOaLE7d&Yxlk-+h4BIPMGK(5Bvn?;C;Jg zUtJdla56DvSw{@(u-95Of&BB*IYz0=1SHJ0F?IVOSmo3r46U+horrgDS1>9+7$I3r zMnu$cuW8`yx{KLjdRRIGW6h{iu6=AziBVnG{!R-@~OK1XV&u#h91&pe#I`x0;2u{hgvzf->tv zkdB@I;-)3Cw466ax(p)R;Ma)G#C;8)cguWpRk?Lg|N4hk1-?kP*J5; zm}{kA2#B_mltjm~3vT9~Czt;Grv7^$TrIY8rR31shKuV-0|s>%VZs)0LvjdQs4rxE z>MQIm9H%EF_@CEx0Z))kkpDtZk!sB!~qK_XHp(d)Pr)cdxqnR`smp4J>%=R|q4$ zCPkQCev(bDCs1wLl;lJ?d+ORYGuLuixqo_m&X7%}8AqM+iaiFAVz?h3Lv^k&oq}XS#a&5E zRhvY`n0O6s{3K)7)RM{Z8vS(;%#52qrsx8^H%a;%H9!@XFTDdt=MmMhP?)0tHf0HR zd2bKnQ$0EueG2Fe)lvF}CuCfsT+v*0NzP+rUXxzB0t zW{;KY)F(SNk~3&dt^1P&t&|knEpJv0XzEb1c&Cq9{PJM(Uvn9@gu7%7OagID#a>U) zw3{>!Bcj*(Z7Pbd>dI#IIev2d*qLx>9rGJY)T*fciN&umapXFL3X$%ej&JF|f&Mt8 zOGN2hTLXIjvAey>1gJ`I?qLUTwbEV)rF!wa)7~@qW70s>**)bviP-@Gs_kN7r}bRW zk&YwUC(?C2wY&JO=!AT zw-L@FJ@kv;%tGLWsu)AnA3rN+QI|yFi)DE1z1K({+bIMs^4EcKMEsZ4ypZdM$Qy?lwPp!4$4YJQM5b^vLcF7P_Q zR^_n`y#NdYLmHvVJyM)I_hAhgP`bx|+4f+AQ-E*kqYac#xdU{@r@$6h`M^8g=@V{$ zm)b8%CIOO)_ho%(!qCWYH8@{)2(kiP8W@7OA6b_OhQ$EK-ltaiU5ju&i~`ULG{P`4 zLkVD%4W~B6EQ%CA>)IRlX9jK?&2iVbUl5%Q6W>8&j$;8<^<$ttVDUfc-_{aoIGGRi zT?-9g{ZaqP373Dd4V@F#PPW&@cYo})6fpOY<#Y&2=nZ<0=$3=-xK=@b5~OplUew+T z%$DAo(w0-aq4*eZraD3r=nL(@O3DH&Nj1>})JzrjQBd{M>HC3>i|z#2JT6;Pqus+x zmfx}ig%_h9!3u%ytL^o6Q5d~7?q(&vL+OgtI4wmy)

zEX2Ivhq>~8_1L)fh*+wJ zYlY4*%j2d>EcyL%6sw&lPYN})au-Me}M(73001>oPU5Lb?0 zNxA};8GXwQ4h)G?!U0j{4U^M;6nfWlrI(7T%UF$X#~ne`=j|j&~qR4WTx2auuo0T= z7Gj*=|Dl+(%}r*N8>|*SyDxAxYPxy0&D(oU`<#?G0!?|$duoY1tc=oLtcjy>d{x;u zL>%zJRMOpl31OJk%nZJ+bzD;|akJ-O=yZZqY%Gvs^V|kl3*1&hB-A37bWva+Qn& z5nv~bPbh5A*LUbS^e4312tF^pQ~vScIDu}?nd7Me?v2T&MQV+XluNRuuN4ZocOUso z(+{_%<3%Mjyx6rP?+_XO%2&=G2q<8Yb_SMJ^lLovue3QzsPk%M7yrJH>hDX_h0F2-v66x89Flkw$vks9WG;O z$CAy#mqwb>canX9tWrOrabafNCXlE>>K$9ah@2k(xPc`;{67_kY4N8v0~nE`eS&0@&pr)wQjht+`}4erQkqps;kyMl zG8!WF`!QIVlG~PwQgyhJ?p_+V1;QkyJO2KI-;jb3@NP0cCwWDyw&i8U{ewWQVtI>Mm)y75u(%R8+C=&)f;i$}1H&e})G3Xg{)k>9NGKy<$)ux} z*D!fmYRL^{MgC|AT?pLyjp!(zN#ag+d2yWQdOW{#zJPSIDF>=%5a>=_=FP@=C_P}g zC_qWn6hM%fT~6OpFLT4;GVfQaAMml$+1Plnp6*QV8>FR%LPB341^IX}cnb8Vs$##$ zAG!|I#CfN%ki&$}MpODbS1?aOWT&TyInfHs?Bw)0Zn z>}K~yCHk$)ClebrJoM>HXVp`CRjV2HdLQb36oXelZSI?4a!`f`TtB z_Vf-*M$MdRV!u=RGqh-Sy}Y(XCJUj%uV;+_lwx0{V;`OJLv=zrf1vVLu6&@rRmsJ>+d>5pkxyB14dIFm|~ z{L(EK@%Jw!##1?Z3gZAt;Jg>~j%X>|WrmO?{W^$PKhQpTxSoS!kt4cZn1lKq2~H_N z^3aEmzBhWh4>)oucy-tf5?+BHB~45@82I9O1@6Yhc$_uO!($;%6TnY!xf*iOgGkb? z$IvLI4eyZhW0W%eg5%P+UCIsNq9U3j`Dquv9y9B$imniD(WO>uWZE!E|6zvIKA?$~ z83C1sqLIb;~e^7`$*?{kPvDW{YC5u==~I= z%;PttmOJf?lLv|cX5UHb$2_)Shn@iGEB!||I61z*C8QFvf7M77Bu$1S8*i1dsj#bR!; zL_`dY42!`Z#18%jT`rZj{)CigMwV3(F`jz3X&9rOBlrQlcIcEJl+uH_6Jk!~varYb zJ_Fv8dXb;XP;7dM5`vgXTk6>u(wCun82W8SL-oe|{jp1L-&cKlx^Q4W2&o=EMhcL)^t6FO*b2s5cxtPF>)@oN%0)=cX%tPi zVP=6HZxWew1AQXvHf4Um2f*vV^@Rh_i6-BCgj2=ClGewiJYmogwgzQ_LU~Zy!$)X^O7nR4Os!Mv+B~*FP;%`Oz?5(E zIV>w20&%ejNa7QgnmfQ)v7;c3)b{NvpYw+IT#)zXcK)Dc`}A=1!kEhQ#|W`6!KEM} zQ@tXVL$uvAXj?7ZS3`O};*^q89W6DH-1fit9`^)fE2z-^3GPu2k}5;Q&BzedFP!~H zFKMd_nr-X26*V&*4#4Kt>IbH`$+6_y&bD}f2AO8Z}-cHr?crvPaq18-(Qm;@7t|RmZNXY4P2-#TO zkdgl-h}!OteYHE0s#*e;gDuPG&M9iwCZqxnd_qSq{5en%V~F zp-_!#D1NAuarpgtYJ@DOI$H5Eu*4hTSQ&B3txq-|e!Kb0&XS`g@MSV2!69`cwZ<- zb&a6cPA7JbFCpf0%{a%$S1UOHCFBEW3=_2oH0<04HZwoNZlq&KNp!c}Pc-wN86k6S zSxM60ieA0%^T5Wa_v%UD;wtV1s4AVc1>C3I1d#DiQ}%@nQDA#=!Jr6`i%GM8M3}-q zxM?A5i8~wyecD;s)M=_u5TSg!&#TB`s` zS?3Fr>0Pztp!N%@PB|&X;m1a)`z2!Gv{=eNb62djWdVt29X=rWv=b38mH4bgNBL)* zPG;0EfP^I?YkZsxToYZi1x=<724qspfZ1K=Wg ztDFz00d^b81Z#$zB%ULO^o7{2Nz&3wubKf_aCj>jS=3sX;az=1x9~g-{2ArPSLmP-b8b#2W+8(xP@#I&4bcp#)Q!yozH9bL^Io_6PWWocNH`3GB-MBlwUr&=UburnyWV~~ z9IN;974W5K+^lJrtzFx(QxzgS*0{d990jhZHOmZv{o+`Z3Q}xYvFx#RN}_1eGj1Vu zWXycjk#DmuR`_bFb|n5eZmv|9m>lzXvt9Zz64;_O;9h8+_tUm~fMwg{{rz+NJ$a~S znzQ%wFUR4-gSdF6)Lk4Ffl?VO|`aYX;M0ge30Uj#~#25X~;<#4FH3 zmi+;Qc8n%@cxZ3kY3EJV?eVgVZN$~?=63+KVDCK!Paert)^QVPHR*W$tsycA*YKnD zq^ev@XM%y3tI%PjQz@x&D71T^*TbKHpZhZ#TjZx1w;uV7+!b(T;e7Tii}a@Na_4r_ zbz?4@JOLi}PxTT`g($`c{iFJ|u7rw?Dt=9aTEK-&$}W-=NyaMLxQux#^|*B;e58---72LR@|V#dmS^2(AgBC*>-0M4wS(K2myiUmh2WtiI*t*SZ9} z%s+q?vEPr32ZAvL)L7_JUU8RTsns_=YIruBLZ7kJG+o{REGi_YERRYd+?@aj##d>n zx)A;>k((_BbVsF3C6yJ%SR=@3Ax+gQo3L@$J$;VDdr|U7RQqT5ooJaxRD0cIt*#^P zdAuhop#vV@++^dW;hZN#d~OF8><{EPejvSLaRMC?g@_aPu219U(?Wgq$bg80OXL><$`W@R%jx$JfHNSTdD@zBxr5XA%H&N z@SI@MTt2Pp@@#zGd&(12VF)Qa9m7glX9|)C%{oEfMQ6v_yO*c)t=W&h>OH|NbB$W2 zoj@5=F%O9`SERpVn`4ch{xfn~4u*tiiAIdbtPdJ)G1}bJ9|#lL8|BmoBWlmJ?a;6Y ztN-v?|Hi{7ggnL{%LD^-;3x$uksaTXWSap`KFOuu; zQDk&C@d|PBX$6pllzqv=Oj2!%?tErB`~%$WE6NI7^*`UPZ_EuQ_vHrmf<-?IOTq>Q z-&+iU!C@@hH~qBozXQ9Y`uWjTAH%j*GEdOW7wSLo9u{Sz)ULhT#hfw<`A-y+E&|ox zQcM^!1^$&{B5$QyP5f#V%=7WYt^Si^0%cf{x_+GaB0*XhcohMB@OrQjXUi?0hTG6* zE!-&;*jiu=wMCqWnt-%Wq$?CKE9{5s)otFzZ9-JWVbQy#72L(*U###WyPtPFQ;hoJ zQFwPh`U*5NyBHYxlqv2%y@SFuap%Oa4!F?xcP25Q)D~T~*b&f?_1f;z-K^L{r^D*P zljK<;MK8)*uZ}*ROvgoUM1hA+TgEbTACYmsgaj?ZK@+uc{A}RtQdZUB+Hbt|B@8EAPWFoX5M`s$ral2L2V$*QJ~hTUjA zUF#7@5&4+~B#|_M^ALAv!7Jkx!A8beQ^E&qfq;mMdT<%-lgO6e0I97;{_*b z$phs~7E6$-2r(~C9r|(A+L%u`d$*jGzE}Rl>27>JZ@udO9%fpZ)}hpJ1L`iTT(Ofi8iCia zT!t0!td;l$j8JguYVFuzqmvVg?np}XOkB&s1X^)7zJDqs^8{)z`-ns-0JQbnr!iyr zWRew<-szP;N~#$zC0@&=QnMgP7Wb^HVjHY+1lzi+j!PO2Dyq>L4ZQ#e4BxZAja!w% z&2Cu-G}@^Ha$2C2%&l{IpN8r*ytR``#gC$YK4+3=EdD0?G;X0&&_Wn?=goC@#jOn= za3ijqt!)CZc8LGw<<$e$8;sxDonice4ljzINEL=92>S z&fBB-4FG=%&NaP0`b%(((Mlyg;bC}JA)Tw&aA^*wfF z0*|5j{yR%xQ!vBaP5dAEk$(h+y6g@nWV~;&Dh^v&+*Nv>73KWx; z4$N$Sg+cne3P!2PpA~Pj7NkZGv~j&mq3d2Fh)yLx>AJ2y&1$|lo-m2@6Fuk|OC6(2 z8rE^J*KyZW!uv*+yW2CIQsC8ybov(hA=OTX9 zf^9SG$1x^^th6nt-T|n}wPhLvSO~iuLgX?9>fsljjVDj&AB=f|WOM&Tb<`^*yjyQQ zb@9+v4rJ3HY5WfKT8m)mu83kejiL(GA}2!>C`K(;M?saKGHg#v5N%7<@yX2>h{_ll zE7F8CBNn=gXQKmxPpIF0cl(~Ne4@YBS(OMDB3QDz5i|`rR>{MDsTfPw0KSLaE5dg7 z{h_Qf)zq}TlpfEOMOJ4jIX9vM)dqJeNfFp9HQsX0_>T4Kj($CRJ zH65Q5TeXNw!|i42 zumvNf2n-hXqGOuM>H90zNiNA(yvX(wz80{*$TF4s0~x3sM5Z+Q?{4);&{(>r^q9i-8Vv*EzifAbk8WdjaK7ST8GPr&s>=` z6>9TxM_c1Dtl#MEa@vCsi$47~>7=p5jZat?tG{hVGRUD0^2gM+bv&Jrg znE`N_Sr*ktMXAuLhinECNbHOC(?FcjlhcK3aNd2YBCs6MdmZ$3mxc94FYo%VfCDwd zXwMEV<}IFHF0596Gw+?qJDD%Tl~TI#(iSexdalb)skdSqmQJO-u)Sq*9t7Aa7=OMM z?>+4*0~I6eWdf+Z9w)jfDn|}e!2su0T}@9W0wcmIJtGGh9@NAxh&6{H?#(3FQZgTC zb|zs(e2DDrQ6M?`7CUgSFrth30U`9KAauC=EXj#LL{?0fuvJH@m9+F?v93`cgS&+d zW>7cLRqm#jQ+KA4Y$R72C+{i1P{x4{^Gt|CVG=KlInIE+NR&`OA@NI*YE?FJy~}Bh zzeAOG>ea^8cJbW4pMPI*Uoc!qq)&XI>M1CL%zo_hNUAqQkVF!3EC`AoV=Yk}@xa)( zc{4P2eG4{&r4F3~$EyIg5kq{|5h3ybpWb8ecLwk%$szQI0#c<0ey(Qaz}iMPfL}gS z^H|v$3-Tea2AqBdmMxi*F?n`-0q?0Vzj&wS;^x~{Yes2V<`B1#Mvqa>DdY>>6dT^` z?}};$_%=7DkwY_;r^P2K+_sp*v2G+nS8}r5K>>JQE7|4-6Sw-44KzS;PE`A!BRI z2G_g$5Y8@DbX?3{X5aP^Q|3-?;+HHaQ>HTDaDLwVu$z z3sCqr5tMqvg`Qa&5xh{}EU#X%?p@P{?^nMu*gWOJRn9w8Q2)$E6}kHu>g1%^!aKUg zEa_&+G#$x)L=XL$dB}CPV-$Q_(>h+$?ZxE>6sSq>K9~zzHDtcEHianhTeGv&AJ!m( z+teF+Dwjc_)frIr7hGN9u=sI#xuNwjc*+pH1S{;0yq(biCQ#RR#~vnb%nOS~Htn?H z$wMDUiZX5-)5!Hteh4p_N4GqpYMT5e;BY3U(tS8F5s-b^Z<2osd$DY5dezx6IqIr-T6t!A={2Pd)jydEnO|`i3>Uq z9vWgYh#S+n8Lw{Hhc2Hop~0N`M%qI7#r@I``~yXAo?{5vOsQFt>>$G`*z&43XF#ob z2x9!MtwDAHPTw$XD%C6<(tTUi_r%||eFUv6%^&lrCTW>ss|hzhQbNqan4gAk%&l)% zdOf5+si4C3B|SJ6Oi5vRk|M65v!95(kFxh@8Qt6*O16sSzb=jtUT4YUGZ7lVgFYH^ z>NJa4TSR>DN}@aDNmH=xVAOMg*pAypdt#pUe3WY{ANTV794u`2%m)d0G+0sMTS7FZuPXZ6F0hOSK;WSmq=NfWpn4l3Bg`QFMg&k z&@X(cOEDJwj1`ZbcJ>PYC6YE$zY%i^rn! zs>xqaEgd{h=KcCI2CFY&SF*~21@BZ(qJ zbi+~J$L`G@GjE3_<{sVw88_F)gA`Ze={5-8%!|ij`*WgU1t1$4&&*P!xRk6-M!V1^ z2fN&bF?XUQQPO{xq~!gD^zd^?CGy@l;(1(Em{ z&<(D^gvl_kH3?6VFlo#HU}7)Xyf!4EblRG(ty%}BjpNEH-E@!u)<9;~Zz|~4yvdT* zp77Zk$_t%(yAb|a(WtgoPvJ+Ed}z2KcGs+%RSc{cG|Oi2R2oRXfU&U)+;`!FM+%tIXw0o)sOk z9*U0KmSzLF*JBv&$>{;eB#;OmU%pMZcnY;CRk>szxVB=*?7QVoFFc=wBjFLdA_1AB zUob1uv7+G6SrmINJ!lUmSk5@y2Zr#r)`0k&n%q;bd&Slr>~UrpyQldT;6|rC0u)7# z%YwsH_|G}Fg>DczECzAWd(YpIZr|PYbrLd>0+NE|`92*NbWac3tWW<~_5x zP7|<2&i%G8ZAfg9EAX7X0CgCK6A2>H#z;m^SQ-v;haX||Mb2&*%EfDu!G0EZZYQbN zYMg_-_GJ=cOKMGwoM7~Q2dYAue|!bbZ~qVf#AUdze2Gr|!kbL{(LYwVuOO09Py~|P z=8XT2$njZI9R9-NYn{Ks^IO;8zjWCo*U*z&ALAj6;|Qb7|2m;05jTBymHPQdi5 zuY1F48R*V{N{unRVOay#i*`7@1c-$tG2@Ub`anmrKkTCa<8A%NzK?Gh4sYI$X-B&@ z?O*Tbz9h;Nr#S%g+t;S*lpFfGfe7L#=pxxH;onIGOdl;HsdOaU>C;ay5th2m9pE5K zNW+346=2^WX_VFjFofvH3k)+a6b8Blm=v&5r}7k(i&ar^t%4#VLMoR!Uy4X@-(So*K4 zVC;XRb9#+{Qou17LY|m->(8~I@yxJ0mKC>2@E1tmF?I6G7)<6*rR(Bn8X$q=()3w zpmL<4M*Wxo*gSxpgVHtNedX|+eHkF%GyupX#CW9S1s5Nnyk++r8UOJS`Z{7uqWp?} z#;F26;(afvJjoq<5P-D;?Ik3+MCvQ0elR+i#-JSxH;#Fl83jK6Km|(a-->|97pts? zPJMZ@5GjOft1&KPWb>3Eq#4}aGRZk~VxNxzz&H{g(2#)ze)jM=1As3D;!!NqOaVD< z6sBGE=QohwlQIN@eAYqR?r_XY>l$=&bey(l^Z)?Bf1~NFrrjFjfAOG65|CKrVhGyv z>3VCX{jYwX|NOiCudg36OV)o$x@YeDcfX8(-aG!s*9awmS3-DUXnX(d(*2Lm;-7!% z+Y1;t5QoJFQU8D6N9GukqBB;;u#p0E#eO3BPS_?{TEB;ZuKVE9tr^vA~4_RKKPCs5?|v18h`6RWyZIW1au{J zz)Jj+v-6Lp9zd8}UkqFq+BRMC|Ac{?@=HE23UIsZlfP}_sVrOv(GArE%U$F9N1F}! zd+Xm*HNdVrBI+xvqs61EQxTMm-I6ERiVcLT5^8aew*-hV4aOV97A)w(&YP61Z}}Wo zm7RbEgqQTbH8YO-ZQtr~nzkSUHP92rwK)b|jRJ;3IV1`s4ZW9WdQ1n(f$%upTZgeg zWsuJVpRD0@jomuncz+!~1L=5Gu&4E&Z){}(tAN!^gX^i8k$6kP(9LP&^B@j#BnZP6 zRE)V{fT=1X5SUg*fI{yMZ-&j^%q=RsgL+uPlo`Z{S|b0ikD+n~dgkY_KQTKDRHy*u zkP~-{H)g!bzvKDvsJr{Ov9iW9d87%&3WT@%BS}D`(ED)1;96%3^s1St>5xFV-~EyN zg3Vj1^_7*hVL2I^9|gTM#o5;Y^Kszopp$(}BlyPfk}sO$u5Si5a)dVEE{l7AlcCVy zOBsW|eBpFSExlv~AK(pus@m8nxPSfz&NwTmy~Y?8b>Afd{|X7uDTXn#|M4MmqUze# z6mo}wlRJw9sMbMKAo(`}Y&^@Pjp+2SQxLwRe~vvYFfcP%Tk&_eyEsPW7u4JWQx^A@ zDhtK`;^k<@JCel_hTr-Fm?Qh2fjN%`M4g(>p+p+;YqM}ZJX_Qw4C z^B!`i9DK&?*h+0khf1PaQv6>(K}~zZqEZxCka4Fz1AVs`NkK!_l0b@wBAFTM;D+?I z!2jklh|@Oko=VdF_ScPk0UZE9mc;Xh{NK1v%0H1r9F3m@uQvYL9~q=j0jx9O45+{` zS|lO_FzVYqCV<0))C({QJjL;`kOR7y8zuqPls)xNlHG51x~>q(1sJZe(BJJthQu|% zKBHLX$Fv4WL;RJ;kWJ-N1lLu9m<5@i`E zJXz}?=CS@QC)jGLdOc{O`B|Lf54+n)j+QO$6Z!;X39AOyc90I3hJ_4!YJh9dtLTZV z+zq<=SyJM$R?2wksx)om2j>_21Eav#3XXYr!)^nZMBZQh1)Wo?TypLcviB6m1=1^K zJO$%UQ~wVX&b_}u;qW18oA^Hb?B18(^A%I`%}<>eea1LP)IDr7X?XW&bpUb)M$}j$!UPprwz37|%Ej8qdd^CV~6G z$9SseOGxsIN2ITp8(6~Rv#!AAG6J|Qx;Oh#{_Y^}@{|0M=U-m&(5Mw1d2Ss7oQk`j zW#wGT>$)OpF}G@AU0rVr+*%mjU=qHq#L+VWC< zUVy1;z@DvEL%8|~431HGD@EkXxdx)1L{6Y*S_~K?khs2k+UY$_z^U(ax|C1?Ob}9i zi99(Ba(|(3)|2`}s&>P?oB;V|asQ9m3}9F*=~=G~g`Rr3tM9);Z!Wx#`q6Yl?z*4L zD5I+=zmn1(_A{2IcffS&Gj31CATf3h4=tfo9>IW^@pNkNgl1lKuz6h?Ceg>|EI6qu$crz``UR|JphvNvqL>D2HW$8!;yu@nw2J- z9s9JHTC7NpNiA6CZTJ0oXkEd+%(V~pndC==LhYgeM7^|+$59)@YuHEfNx!A;!Rrem_MZ9yq^D#VT=)o*{q5(#{zt=d!wa-Q zmce`H14GuaWmvC`Q`@O6W}AHj*-a(qh;a`o9m;3+;0OkmWh8Rx#{n2}2q+Z%rjx^T zhSv1JM{Kx-+nvyeLI`%QdNAU&Y!aA7N>s<%&hW+%n-yxGd|hcao^>^Kvz4q4&zu07 z4Otk^OpNz^>DS)_t#tK03FS)x=8Xpl*lDS;z(N9c&W^X~VHumywq&A(6fQ$OgSV{b?|?7W3M%`N`9hb9ED(qk1D2wUJ~3DC5r)pQcG8>uj36CQtSX^FnjKoyCtdq!uWO8Lb4>){$i8K?>2)DHt z+K=Y;bQo*tZI)Tb#=S!0QZcLMz`e;B=7PYSRB)V{1QmuAoQ)+RZ&To>N7cQT)1K|0 zu|f;aKbUz8s5&>li_S|vsP<&);lbZeNrTHYM(UCp?^tVxzWswwrmd7%tigD@3sRVZ_bykeh zObp!Nok#}P-ITj$VRTqaZ7I<#RRwjjD*DeFf?$w$#-?nOo9B1seHl+@nGr16Cu%&L zlZU4fGOk=2mwQIC>vqkrpO8LR8|9K;C_2e4Rxl;*`M?Mxu&MRv)FN5P@Z@}*1|Q$p zyCYY8cmS@QdaV<;$hbKtA3nZqvc)W)@xhg+(WEp4PdBII+t;hqUyy9U_=$Io*K!!` zXL{={`Q@)0Hu4E%dfhEeix>^Ypo|svRHyhs9-d8mA2dei%{l6~Z6SLfWabYI;mo)N zMN0!!1BPKoyQ7wSD$p+?1zNq&JqeH|*iW}%GSq4lz+`?~XbDZD>}_`8`r>dydrHJ7 zT9Ut6kWU$GQ72Eu;+s4)Nes8}Ig54?-h4NHl_x`ezTDF~FXXofjUSC4xGV7>w1pZI zHkXG}E{WOWK%wWTlDzrBb&=@MmoL8y-%0$AyrQoRi_N#Y@(*f$MEBi9V-FuiS5Z(f zy(AXF7Db})BV~cn37Clh+-N1;#UeKa8(0FF&i9?3Ox|SQ7zYGY4qIgoo zpBwVj)&}2Q-psG*FL{ySOJ=H7X9bfY6)Pquh$sF8IF!vAuBt}88|5LC0^TR4&)WUsyuPb8aXr_ihT*o=S*rRtxqnA>SG_9S z2bUig!#=@v(HSD17cv;7Dmh)eKOAf7J4GH(x#aK24~L<3y=-rw=#K5QrGql6guvv~ zVS155%Zbf+GRe4mQF@<%j4+Vss1_4yKLy1tnu{Fz?Zk}-txwl0i>eSuP2gKHb#t_=l zfFWz~4&KSt=SC1o_KapRa@{+Rc=AAuWEn7H@%i%>ORkzn9i#VfIH^-|C+=6E>4vvp zl;8GvUDUc?Lt%F#h3ySS5!zH>30KXN_GPiyt6Ax9GlmktBkNzOtW?6k8g9mNt3{EF zzr-#~94!y?vh%{~dl8?6u2CpocE~(PFiXzzle|7JPeOHhiEJvw5OLPc`SJAk<)}4> z%nJF@Y{k9M7h2^qb{dep#f$$&i0GFc&3ENYQua`?&GtQ&H;RQcH-5Fxb@w?x!Tr=> zO!kcy%r+Gb8!HSt+vHD^)L8pjPzTsjuu-+glfm%{ED2SR<;i-hxQmX9&k0alphn>MXT<=9Q-*!KLp)0OF9 zo*P+09q<%mn$Y~J&?@K1=uG4XGkL4Pg)?Ee)xY5tSN1@_c&0ba!yt}^oz`VQIp-VK zbx^F;sc{VK8PCnsqyodiT)p`+ z67O&wlDNNhvu>|rY8BM2ILkUUK{og|plUE4fXx*e{_K8i*pSW#)hwU!VOMkilVqcd zoJ^N}4lpz6GeD~LJ6nSC-qV!!=g)ll{*=Ln5)3Sw)g14SMBsO%fuaiIbt#WhrdLg1 zuxc2cz-DEm2~2NR_9a#YLupKL$inSreMk=X*r*nBmaXJh^wQ*tUse|7+cfEDH8dR! zKIW&uQud~}(*f(nFRktS7-0zIFaQY8^BoHFaseotPb)o~^{`v)U6`eVZ9a!QXFi0w zIaYW3?nOl2JQShnpl*oF^v;x+|BQp1oLK*@Y$)jN^5^Qxkz}qiL^KCchite676)3o8rpt{QBfx1waPVeD>Kl6Q)h^-kv z)mpY@1^@3#Z)FNp*OZBo!#1&sfh|E@ydHXery~YVT#Y;sS`m4}cfXryM%3=Tb`APr zZEXmYWTpCiTaaSW7^lN758b75FZjBPsd*j5fLL1s4G^W_Rn8_;P2S#5oF^4HzM7T4 zaGq>0dZWhKO+3>etWv)nhm}8F%5pRAv6Kb{&ROh5miU|RAcJJ9kvagmQOaXOWk--eEakpR^#Q- zOWVsS3|E$VEsml$Sz$+SY}-WV%2-TXH;x$1)*5L{J~%TI9ouB9uR-gOXQoC?7+R;* zBl7X6gw49L)fFle^|wEF@Q!nxC5YK;`dwA>i<@H-HpvJsKSW{J8vM|XG)h#n{wPQe z0&K%e)nIyLWpq8M@~#_rO$x)R$d; z#I)y5NDJBN(EV2xGw-aJOKL^7h3dPU^y3>sHzA1vn^)v?CLW}DGPV?n;+}4^#?&TO z-)`)uvn-)QMcgmO>_mUyit;ELAw;l}TKXK^yC=m?NCF0i{q+egX3ZsdwsG z1%G5cX0O1T@Xx>?FJd!Bj8n#Z0naDo#_kDhLYfM21`=-Hq>$+gX<$(c$FpDT^dx6g zuRoimEX{vJ)oL(pZU8>;xhYZnMz?m=*Kh04kB+n&fb%PEU=qvi$Bm>KSp?3KL+U3y z`^)1SDqUfpqmT^P`}E4OizaOo9)d~74GAogXplvOW-`AG@U;6A&1lb~cB}&$c?T8V zn}KL){mPA|z5tULkD8Zvh?f~)G;N|M;r6z-$@{AYQbA`c;z87tSlqV!o~At&9m~8p z&El@mi@rV#p&5hCbAOXvY*jN~wCN}A5iLJ^7X8OVTpUi7hgdtYf8XZ>Y!8`c(oyA! z2rcg7lZE1KqJAT<^A|AV*u_w15!O*Va+-s)$P1Ma$B&YuEQZpjy;nI9(&ar|ZB{!; z@r+i#=f2&I%Ww9M^awTK0&D(DVwJ-QM!B{k5iBdow&>>*EyPuSGCB@IgxvVW(+9h{^E zvF{IcdbrY{)oR~=FZ!R>s%w~$n~5gO>MWVFK&s-qS9<%D%Bk)*Eae&U4T}iTiQZ#Y zIjhM`NwNan+!X^|^XU_oF^t?P5{ zXIP~wd>`iL>josV_*qxaZ^s$v8YOJIYvm_L!n4<9+-~jb>z)&cC9LS+RBAvP7ZwtC zt^%5r=fiMayGyV6(OdyOoSIQyuB>I3kb-P)6S6vfW{Yk|uNNd=d1rg)Q!T6EeA~j# zRI9u(~1A|lc(mTVpLU9O^&h2ABt&a);eR`FAauuN9J9S_#=hpEe4 z&H!gbsLGbGZbHSv8y6}vptTye6URAFzb+0X%obE`k$NCNRTCYFN4a4A|FQPgQB|&8 z8?Pdu5+W&*3ew$;K}nau0ukv(8UaBCL>i<)LK=iccM6h{(h|}kjfA9f=5oLNeS5#( zIpd7sAIMPFVm;4u-}9c=b^WHmM8^p(X2am|Q?R3f7a5 zHVqZL*|~*zmi7@a4l9WfVakbB9Nzo1lhS_Y9cX&4*g0GKK`*C-qE#3{6xwAEXqeR* zbAEhPxxA_vWb!a5c z4s;e_pd!W>XzhKkLp;zju7^|$8NBZm4(*R_3q@AZw=j8D#6lRYm9Lm)2a7QUy0pR@%{@RHu87l@2?h^MDG-i6r|PIJc|kk?7tHDv1wxb}}b z#C=e6GJ@Q`Z!KDnHRQVe^hV+YG)R(M!^1yCGKlmTB(8(KCsI>h5{aQfGy&2M^T0Yf zqdN{6Z-){$icv#odnLSXc|EJ9H}B~?uX{n7I@X;(69$7E8k+XTuZFKNnot3iM0(PYjIk1Q!?sWATbKByPylxs9P4v1*Inp- zGj-SCYY4)y+h{US6SO=Vj{%;1={OpZnY6GN0Fefk@>s=-VgT$3^cx*L?YQV7? zJvjHJJ6WtY5$~eTSF?gq%|&M0n+BJ%8C;MooO3^_ zS-C=6!8u4pH3`EvW(~GQ^c&9^J&d(iBDwnArrWF^shQP$m`D7=bK^@NPw(1Mk5(2_ zCNY=U8sJ;reiSa8^2F4Ph+JxF8yGE;zAo@2@jTC@EuxZ0D<{;|oh_x^S)_Dpo(N$m z3h}pYRNr(&+l(@u_-JECw%xVB#;O9*t0h_z(Mpj876UZp4XKORCCPBDV- z4r5BA+S{$>w^bD%9T~~5mHFy>hIyKJ&KHO+`*rfUXxG1P9PiYF8p?9eQmauHLez3tFm1b6x}~0o zy~Zx*QkETkByoNH@!rje9bu&Y>YJzU`sYu8i;ydo<8PHY8i;fGGAinT`-^WWW%}Ap zD|2GU7JvL+naS-t#n1(a=8$<PZO+YJMX{zPAc?{|dXNyUoO3CEN(Dw1y0_YR>$ z_@Xp{PQfCkb8F^@eno)QkAvq`peW*!Jf?eOiEdHK1)HYxJ@-tfO{F95GhVR57}g~` zRvvimq*m*eG`h)Oj%M(nR`^|5aUs%We!a_w*QTkXQgy3TS|^W&KsShX#w-Sj;U<-USBoD8a4aS-8iO`_4Z9FipTcC`!y|Jz&^`@AcjA0nNrb zfQNOzxhawO9iM!yVom(gs7jD9Ur4T4`(Lt;G=akHUjAH9Yzm7 z>a5hTdlqDJW6%{YUx9fDG(NBgN!}!jyIEMS#z+!1$vFb9iL#~dv`G20CAQkHRFmlp z7-CC@Q8K%mJW!&zZ>-c}=AYYw*Bi8!I@#7i%_-TYy0n&L@RIKvNWLt=m>4CFJxlXwB!>K%0uC0v5oqjm+6Iyf2Jlcn|oz-hxa+0d|E!6J~ zuD4X$U)2y_bMm}RuJd8aSTUC)WKK_w5^e-JMxA2r+(-HM<70|7k-@o-ZFkHw2@%C5 z(L`yhvIzyzD;|p;ByT*9R+D1dzMAS>4|@ItuD0xZJr?_0J$I!#lYjg&iRQ@TvW8I} zS6J!&9GZmtK~=pj?K2JIyafCBS^MtAzfZo)BFJ975E1X69vwTttiOu;B-l4~KS=>S z&ymhzIkL>~c***!w7T~4aBW|PDuwK`$2%PYuG{(-4hqVdAJcpCp0|nuWRq>ix1tUg zu#97lJU7_4gf=DjV~Cv@KR-c7`ZVW09MZYacLZ>r9*}6L5LT_i>wtGD%VRu66!z?m zv&p5rM)3Y%l9w)zP9!Q{QNLL`@Ku3VT~Sy$q#ul=hSA zMI7V=eTb~PQedu#O^xl8{KJY754Zg28+Zj~;0)k{%1W}QGuECYbT{hJZZO%rb3=yf zl&ADr$c;S;0tPM3QIb*V`o1F~&JQ5Z?6ec4dLXdBz4UNNLCaF~`SU>k9W*Hd^GC); zIxGI0Ub@F$UcP`|x*H@0d`6>j_L9lOv!F*H0-COWDfTMAT1CYwe8{g`HlVB%pHil= z0lNtEa7OgaE{~c*tIX1z3hS;r9g)&r_(x7c8Asj)$}Cccn=9a7(YMqH_KtqLM8L~} z_~cz4r*n^Qq}KBNoGg>v?r=HYKqIq06SS&?5F0kOlB#^?87JVjmg(~=Mnww`1 zKy=K@>oQ^-HaFSgw;31Y9wF#yPTX$vyijG9n)KJh|>VWWZADsiteMXT-spJRBw z1anz`mY~3{_{nQueQ1{u-|?ax@oEpFrd}xTBX&mKHa-L~UY#$=1u3tgP20Ud-drVZ z^GYE1JPqZu_2Q-~2hffZK(rF6pl39lmmomcP6AM+-p$jKe$B0K!cIECtswdajo@t% zPKgJo>>AHEeF?<7lzPLQMf$N*zm%8MLf}2-o3>*bj`33POn>-woJY&TIs`S?$KZt8 zfua7m-NPsaF0%=_5tIV;UAyZHs`MoJhwz`11Zn@Hdi=M)st|dNd>JY|%SkqC9v_c& zX^JwN*w1;$B9<9`e)E|!46dD-hS?-W^a^qMde1iacDI}Hp0TOd0sGoZz5~j;8;bk! zOW&)zUnT6N@xR>1bk4dq+SvJdbQ&fQ8Wo#`0m&{ULQst4EY6 z{tjSUh4wV>ss5M)%$)S1b3^8<9zexQ#7KPecu2{!KSc#C z?U{BWwnIG^UKg<zqx75S18re~BqzAjcvTeKpk>pM(e4z|FCUMNRmlXNrRdjSOXL>G^QJ4&x_)7W*z(woO7 z>8zk9n0%Qj@^SICc$W|x>ij~vtB#8^Z9Qa`eSzgdRM7GM+A=Qz^CPIl>Xn3dnsQa^ zFGR7fr+mFLv79S3vYE*BBI~k_s^hSRmZCcH(?b9JIrKjF-VqyKKx;X!@u;-y=9|2U z85t)zzPR}=pV7MvJ{nQYBLX*T46K$s+#)@U$|^AH@u1pFO=PQZxGuD#z0#_HXhPCA z8Vc%CHV;rm)upTl2n$YC{?Y?JIuXz-@t@8JvF)5@r_Y-eK z^82ik?%}ueusJ1><(-JH7Psc_|FMb#@P0CSt@)w<2Tv&sMBxw5g|(AA%}?>tS51Wf zswrhGn?g4!K}@`@QF{d(8U3>H?d3ZQU{=a~B4I0RA%*+sCTkGC(*>Q;%T^L9ziBLc zOgzr3LxE*wm&*~Wl3!ssQBnVhc^R64&UG>g@v1IK>iwT0Fzq^*K-D(6dEex13Nhs# zz2XB(7=D?vTIV_f?I_Jg$?J&BQVC5tRhOiFQKfOt&AN|CJ}SWJZdKSm@_I*Fg?hPRJ_!T9etn)WT+-$oGw7@Db@<9?=V&Eg5pMu(L6(RSqqG~la&oVcgizrat zI6!1M@{w&pBf+DHISzhql&>gT_)(anniQ4io@(@*^sJ@&!?ADR(@l^y953kxLyj5~ zhsJ}U`vk&H-)8PdjF2U(->1=ePqHk5?IUbEVxLbDWm?)B1J`%LVaP!jZ>)5cr(D-o zqO;LEA)hErap&QaYC5}e@{yojae3R>BbpcG4s5I(Cf`+G>zV0??%I4_wW^JxVnxb zXa{#9#7dfil@`X#c$dNI!}fiPbJ$^&^vQ>xE~T(JX`K#IQ+{)hYKLhBU4it)B)4JO z81q2$D;NgGDvI+QG7rzvZzsBNbN;0@9vVEoXNT0+`a$woc1YPy5jdBKqlr%PE7v}W zlw_DZ9@g{%om8C7M;qI)A-8vOgRe;B*;4!XqATAE^Vb9U6*tuLFnVCXd}DP5*z@T3 ze>!3Dmv(?LS<7CkNErWG(fM>Amx~2`6ZZL{#_yWBh>F+Gu@H(2IF5&KMO8%@SFYJu zx4Wlf&*QRIJs_W{*aPsOQ(zJtS_5KalEA=Rh9-!Nu(0y9*BDj*Ay_?-nCG{yy&umz z8f!wu_zf32H18c?!+1Ie@R+@tZAWfmA{2a$Sr_Y_W3SNrhoigth^w2! z5aBwkgQE;{GDl->(M6fMk{#%lOT?YwId8#m$+qdSpkN-h8;M3w_v7 zb02>-sV503%?di$2gcnZJ(B9;p02)tZcCk6W$ZrcqKh>!{A4@#!cPdQfxMc!I^#k) ze=_dnF*8&uOooQ>OS`9JK=~#pwkuH<1>w*p$(yTB0rd@Y%e&zm-4?{cr-U#t6fpnl zc%5_2E5YcN`a=C^q+}L`B8%d3kSfU!e}n z#ctFgkeSQiGSTCM?BZV-UH8V>GAf4N47q}VGl>;m_PIuZLi0yBvK01rz6NvGV`e%9 z1d9-GP;hnSdy~aPkR{ruhU#nnw4rtdi&5%IT!r;N-bRv0>ped**$sPfN(+ZU@Us zMyegn9=0@Mp}PL-8JQvGYHOPle`f&%)!P-iLRFPr^2Ya>2Vkz_;W*7}O-zr*oLw!7QJiEQAy*v@*@F;Kj}T15Gb8VK#}9Sk zwd&qMtXo9{8bJi6VkZjY&$Plk#y!{J0BM1u`xY`5A>GDIVl_P0XM3#aLa+1CA66Nh z9)1s4Q>ijQjc>^xXhSv}uPW)vpv;br;A~6)caY}0T>rJO?CoMTK59XY2VY*I2m81* zlA-k#Qjr&5`2s8<<|*v;lAaY{Jsp2l6r1{(o4iFUcWN^W`Y`8k)s3^cAdYSnv}+SA zbCOmsx5u|3nKO94xL0^h&|XCCpLgibN}p5-zqgEe<0?w+CrW$=L=>lRR+rANam9F|@;ESF1;Q^MyIyD0Mb97^MOaXZ_5!OFqLZPwfpjTXk zh^&LN?1SpiA{+a~M`T=vlCnhNooB!H3tvc$aFAd#uU>6Ui9iH1erl7H{dGr|fUYJ` z)Zkf(8<}<`BU?;Yz_TwA2ntq|)t9c=U4@-ijwBO2L6wOdNG+s%)NY1Y6|`uXSI1zY zru-;O&yi)dj5emNJ5^@A(Wc2F=S%E-mtXZI(`+K67Utr2Z0RcgBcEz@IQTUL*j!+s z_Sn9g-3|73g02UVclm3RjwKonrKpko9nyi7;;Ip>0R(qHw@Y2Gy48t3qZoXDE4YFQP*rwG!x%HmN}%Pe`{XghhDYCVT=Jxfq!>%beJS3o z)06Ti)d3s3E`(o*oxOHr%jy+XLEXx6f@tE1i)m^IQ zk1nVbou5U=Q&bzJl=tmpRVwCy2zAg*zEB6VkTw@lHR>M1XNK9w+Qy+9XR7fcJYI zl8%d%QCj_WRV zteP|G0=~|#^srx6BBF3d>T@pj(YJYaFV^I9QdR1ej@}`~mel6X>C?NGhTA>5!}UOl zJWgWHo9zRl_)78-cqSQ1FQ{CZ$6ne5>ug5alj50cTF!P?4z5_SPk-1xZhrijDnlw? zWKZY%en-1`Q|-A;+7W3)tsmrFf^Ajrei)odqGkGa?0IA}6({4|C?b!*+gZIq9Se{P z>NX3?D(PX#z<_x%rLanWBV_B_Yx684hlZI$)qb--+iV{+I$m9pNZJWU$VS!6yI%Xq z6Zq2Y1e!$bHYK0v7wZh-feI<5L78!lYpWIOb7Q0%GJ5+L$qx1lF3d1WkqS}qz=((2 zm88?cY^*-TLhK7SMaBnT5H_7?s(rRPsrt|ZbqME0-_wteyKQ&yZDqwtE=|$hoB*nq zZa7Cbb!BotMG-w#*Vu>hhRD_9(%|{yeZdRy@S%L$iFve&kf_XzF$9 zoF^PTpBa~96)N8@EvviDG~YU$-Iwa2)=2+`T}!c!i%I|9EOY+4p~Wqd5X3uXi&oz< zXWGa436E4>1*qp1o1nb3^`me6)}@&Amu}Wx8=wx*{t;i4RM%cqM9GLZ{`012+iMde z9FF=uwRMVXorN#vm#lQNm-4%0T2oI0mh(s6z#Ut#QMMb15DP`p|MpQ(74WR;tvY#} zBe)j0%A+WCo)9@Vf>u$I)T2|VJ;!irVQgvVY2Pi)9v%`unTPJ?~K zf?zl8EYSA~?MO7i?lJe!G4goT(p(2-IHP)v{huwpcR;^;=hZcYQW&$2XY}%8&LyYW z>2qEgCR?R@mcKK;7#JhgC2sUs2EX0a#nUklF~F2|lsj?NSBAFpT6|A@>Nz__RA@$% zkE3Zg9r1-5_xgttgzc-*nG@o?%B5F?O4~_tNilG+SP)i@I#KI`4$11US;Ru_vRg2N z;qWjE+DNwWjSnt_1-ls`MjPbizoe+AK!F_4T_J z*Dn9o4=wbq#}8YNQ>qK{&-+*nwXlcFV;0{tlVlPseuBK)Lf~N7P6<_X&!R&0Bs(j{!)H zz^X+$p{kAlBBhgx;ZzRJTy6(o^7{RQmhOZPWV3#$u$jo2^SbvMF~N0c~gsLHmP+N#l&rR{VMEAa|UZsD98;ZWgM zDE;n(d)0o-q9w^JgFE{9m4Tv1`d%0mV*^q4SohI?5|CG!CE81GpUyu&Jg$vV9`$jB zToalv(cV-0gY~Ytj8sZ{Psz1<3Kd-UmEA{{SdGhR}Hu8OFI9&{a zMun4vB`JVfPJgpaR2;aLk^ykyF=}~hG1pF*qmHD-+%=dKzERwCo153E9)I-8aYz-_ z6>;~M9~sAYe5>rw9qlHU_Dkb~3-ZNbj?82hS@A29?(&9x$^}_NZ&9he>p$1C!?8;; zaqT^;Vk)+q&WoS({|CH;QrO8(a(LA0-6R|Wafwum=oJWy^oXC1NwY>~etH5ZB4XsH zLB^0-vTb}Eaq*R@`e(Vv^N8%+JKU{b36Wvc0OFf5qSCG1oN)CcSaZNM^3qgmt|B8Y zn{E;RuI?o^&n_n{B7!5$P0f4$s%H`MJK}LNw3MYm0n4U^qz>A3=WH zRb81qa{q-Az?Wcpo4@Y-J^o-~0DADFj29~qy%TFSnfSA95B2@4SIy5)B!qZjw4h9M z`WV=9@jw~jhSXJtw#%5w1-kSq#TNIDGk}AT+wYQFqe+ZB`C1cCtO?CTXc6OGz6 z$EukQWXNI$2Jo2m@|t6l7onE5CQM>}-~A;QG16P*0U`Q~9W&1Zh~U5EB?voP7Jc_xCi+Po^OkJFQ3o?>*Q;uR4_fTnZl`Dr zoR`n`*T)7`g*&tpb91xTHD)ad;?4S!Z6NLZtpls|v3=ii2H#Q#SZlnCG3RlKl2UVg z@F+O(3hH(``NWhzobJe{Abh`H+f@U808ZQEA-{Pyu>~@lqYnrn>I6RSB2q zvKVamm*ck`yf{0VZhFSlCgV{Qvxjex7_7Qn5+#-!B08|U%Hx{6-9(?v#7Ht%?;gZf zacSg(o34y{F5yoC>hL*RU!aag0_VzVTi_m}+X>Ongn@EZ%|Gu1cr8h#_*y$et@qR} zIlI-75tt{V&k=DZEEDhMg3Wz^;AJ_*LMo#|h~K(qTmp(DBlPv-(%Guo2{IA^zJj_s(;4{S5~Qxo16K zj=#=h8VCA%0?1v17FXp2lSH1n45ZPNn)UI++1_Pn1v491n9H~YKE$Zcva#;oxz0V5 z+P`fJ%|U)pJwB`q=f!FR;ZqT|6mR=8n25^b2ON|1SE!(D94cL{*Tk#*cp0Y0IM)6G z*?vLusd_=2Rc4mQ0i(!&xq1sSFR|i|icNa{_DjAY_kxaN-`>g~L&>kj*vAbYnRSd! zlm9Sun3th%LR;78g~dmJdMI|quniiU{AHl}pGFWboJ%U_c`o=Pz5gB;Cp^#iIFwv~ zy?kH31D5$`J`Qfat=Arl7UpVmpx$-&E;^vpKE#pR*7fggetni~##ML@0on&HEB6xq zjxOH9OYE66Lz8M z8}N{5iUP-=H9A;sHJU592Md=%vS@WKceldtpZx~!JY!=LG#QuRq;=(&R5@B}*Ylsp z@jShP&8$##sgA`>;apaT<4nD-r!n7ft00=};AiTe&r<#4&Q{?-W0NCT9TuDb4n$5! zBZx~vG$;!7{$aE6TDtrDIRj{1 z(>UJRhv^q*U!At5zV7`dl`Po@xe@=D`}g-dQH(=C7EOT9^Pe~0|C_JP|NnRsUL($y z02S(V%o-{*a9t z7KgeK%Qafm{@3gCKff9B`VO|LX7H${HE$X{Hd<>YZ|5c0!s=J1KfG}8?Y@h;@i7R$ z!IGIaHw-aSvnOD%^`y5_mrs3*z^-!ENc*I6-xlQB5Mv1edz8CyZZ!#)fs*wCIkNd69)|Yr$u;Y4`3byb4TdFIi7ae{P z0U0#Pr%Fo{M_Vt>5*)FQGz-U8TpRLBUErR%dI&a$9>7PSNjbdBTtTUS6rOwird@26 zw>ba%J#}9(#bh;6@y0xyou<(x_SB(nhldbT?i6EfgIeR-S6`PmZf7+$BnwrZefie`$8wt^Em*kLdei` z$=A4W*!8am(taK~RlUMtWfv%csA>p(#nnP#6Q1b2BJ-|b=TcId0*_Mx8 zUnl$HmBrCeHO82EdI$|Mhx6~#XrkT6%fj*Y|NV2`CNRhK^#ZDst1@@^f8sV)@4|!% zO>W2KUfj2vfF%=?)K7qyR7^a_s=Zk@s6?z)3{jDI)cP$&qTNylci$5Dba>8wZoTL_ zN_jPwt^DqWvQRjR67^sH%-sB3W71{1=sW2cpg{BQ3yrxYI=$lCp&`kvI`}Ce!Htwp zCk;?gHJRKCc%q*t0VB9rcK!k;>FGn**19YN1wq(DTkHWKkI+i+KWeK#{o}1Pl^HBeLitR&`g%^Ib^4#{*BP%?UGsx{o;hbRC`59&0A9OXJQ_&F7IZ)#1nho%nCwHNep{YKWja=OinQ>oie&T0K{ zEj$G@07dYbPH4s<2xmU~B0B~lu}>fO$+-;q9MA+akj{%ZuM+Jk)+rlOS#O@-VjVwT zL`^5~6!6a5K`DM{pWq(UcL7sLpcDO{-eORb{_*F|{gh4ij^a-qu$sri+Z?Y0#cDAm zU**mzJFIX^9kgM*C{v>;xr573i_kNWWa5F3(~!6iRC_*9>P>_;MFf`<9lL`#8W7^n zpoC!rN-w_hzhFK2@wg4zMy4q*SFnGZj$rDODLjrMrSK9m%hkR66k;Z57TiHI$zd@IOr(6|?Wpyf=wMR|aPFz84`^a=S2KFn96C@$+X;q6t0&3l}5b#FSd-`)qt6zyOufI_xSrcWPrE>aw*C2Xv8ihje2)=-Hn;T(4#I}Z<8JM^o z#M6cfeyoFg?5?Ao6}Y$#Fy&NHX^m>YF`@SBd#aruNEwPT$p8nIBB~*-n(gy!vzmeQ zWdH3s0P5F5QrBB+d>dxZVDwq&KIbfYgxS8>S}i(CUb6v5w2LJMN<&87s4}Oh!J_+S zmvgdb60{I%v67k48MUT>3(~|jqUbu^M5cGK?imi1s379n3~fQq%cmVh;tSWgjs3@* z1{Hf?v7|;ae1G!tfPxZ8Aht>mu^MW2=g=(+Fp%WTXAwBv~%rl=o)1S)5knOz1ttH_GZFHZJ^>;RjE@Vim>8A z@ef!!+vvs)<%uMs_!5sLXf9gZG_F(U(htxJw-se*pTT`1yUTG*@+k)`$oD-T{o-w=}Ll6A#*#esCdf z%le8Tz6i5b?q1!p^`-D(VZ1eplW{9BYlVssj1l#l?FlkcPen=Ea}4tZ5?8cXb#VK5 zsLXdb1J)@<@@9|h?pM5E*|fxX9U|2_B_!d-1Hv6$+gA=VVymDzC`D1OaU5}e`ousT z`)YV-Lm&)pP%cBa{%X@bY;@H+rvXpTOBN`r?xRPo#f+-L`zRa>U9pSyM|a^|C6W5H zkGBbaZJqrpyd`(^e)W!L+UcVRyvelO-K=H0S`Ysy_o-6t2PXpO#rVHCqo%b_Sry34 zp#p7_GDqKfSYEp_*zJssLaz1mEL*$ef3MKadBxz`pD-uj^Ib%U_{du#mUHMEDJ>jv zi(Jw3OouUT`b)-lv={tLicz$gBICDN;)sjhi`8(#WmNppAzJc&sXUQTJ7tEj=qkoq zh@DU}eWMf=vbagki0>{Dp}O`5pUhl{;kMVoZ5A-xOhCzc(y{c^aEkK+s~D=v^I{p` zWLvpL(*5~bSu5jXAq1`uOOyLWgeu`;Ar^L_szcM;D{Zx4px|egH&}7&qIybgurh3> z%~*E`1aCIcykQ0bigf4JR*L z@n+-4oIbMmF_cCGtX<#;FE6gkTPYoOv*02 zOwyw)ymBikQI>+e!hlk{HnAYf0iotc++&H1`MC3YSmR7X{m2{N^&;LH$mX@^)FU+- zvUHRlu7vF9pYIyCH-P%cKHKdNUgPf$*}ol={_!1sDu&NBRHL`;=OhbDNcjtjn9wlF zpk}`HMYP#eaPm2yF>OB8D8eQ|<@9qWgCQNgoi9#n6wo%~p|#JYvOtJU;gz>?Ymu2@ARv7)A6>0398kziLWc76OmA~42LWGEFfCI(3g^J_gh*?OJ?G^ojN#MDOm zqJHwuC=5np600u%yjy5O;ktYq&-+Jx_b!t<60WxB64f-8cQu)??I3|S=HgH)#16xs z+>`u-nx0N`J%u%Cr@rZncQp_5%&&G|_xS5eo)3wzd&+VInr0%kMx6bERV z<@P;?{uiwX#RR_irid2YzA7nZ$4Au*!QmEi@7&6mTOk{AZOPK*!OlQjvaERcVmCtrb;V z=X^p?>NFive7`o*k40NGcaQH8YT_C5WR#Cl`OP4!4tbZaT6?>}T+DU0hrScWwbTK` zy33-vI;$uiMG|K+##RygiNG3{Lexb{ml+n4vUPfvP&g5E1#+h)s)QHjpufXbN8(Ff zW>7;1=ET>ae=sL5KQVEJ+|M;;-I5@~qTU$hWR$}v6}hwt;ai$fH|-tvl0N;ZqW0Ep z()n~od$-y~=u69|wNN8Z>aIJ;?TMwo(IVog?~Byqpe?l3Rc3k8L4T_F@X8T%&-~|7 z9I1<4{K$!%Vj2 zXMeZ$d&Sy^xj>e>tr*wGjpcK0gLjEGnKy}(wT=WO&Ddt+Us<`;Dh{nYqkhlGdRe#q(w~`FfG>91HR`JpBE(y!gfFg{N_P$&*+j*Y1vJG^l%NG zZF^LBusF|>P4R!wKlBMXT{8TQiiy;xW-bW`x6DcAX0?(%mPIOObXu8p8v5wjGRiOw zjBOYWveZeR-qWUMzH`*wi|t!ocTZD};!R(6(VMdVD;PHzd%ujbXucxg5Rh||WsSNO z!=}?uO8)eitd-0HI#2;zPY6e|Uj~GnR;^9K+%t+LL#A#PJRm}Z+@H+;O@vT=GCi0R zBKPjzE5ycLr?({I#`yjm0{KI7X_TSlK^D2VM-?shCKvzAy!R989T}!<>EZOXt7{pm z+O&ha5sz5x{rBZ%FpJHXI0@H~y>7)L3yIg(RD0bdcOvT3Qg0KK%xvU|gmEdbyztjh z1bzuGqsv5JB%+P^9n0~#&I!YSf$)o1LgI9?Y~)d{t>ei`?CtxfL2JR})UAebv=>PO zh8r9_E%3mUAz2>%Kfw@-ymIpPKLvBQcyE2pHuhZ}(aad#w`zUH$UH)}{vE3w$abUT zD!D@?ts&QsC0L^JW6@0E7=A(p9w0+X!co7E!fE2Y*nKigTy37lL^1nf@(p3xsE&Qn z{Zca+hj*OhU#XXT{~mKg1r@y% zL-r3Z#$ORX)PHBb$Xir;K^HC1gkOZ|2kGK`fqEt0Xuh3Qp%3Gb(B`Gt+yn5FejZB{ z9IuDAPa^Mz@TAat8oLv+Kj04BVSm6K?2K}R8WrhuKeb~7+gBvmETBrs`9S061^35h znZI0tploTn37DkQTm;y$#%JHpRNfy;dW{{(>x3gR=TA!^3*KQJh5}liA+MPJvh77 zb(i^Gi_?-EDS&oNaH2ga`VJwOjzcQ2jU$awJhYPNZM6hCijc*ApmF(B6_k)k@{I_p znrs)PQ~WWYHwAl?&5CHa>WGcF9n)};wC<;JzKB>m=6v^)B{0NG-ch9I>H4!6AUD!8 z!9WUWyk_cM4hxx(%IB zsB_uTQPcYy+8v2$hP5{U?T+Fv166<2WGO27WkC5I_9vG2JJvQ!T5MS!_Sa-3j(sML z^y77>AY@Q-GA3GcQ4(dQc@mhUUe25mP+pJ7B+Cv*qXlI?e(){Al^0SfPY0aP1Fa0D z24qPD>Xby;X-Kl?l*k!LS9;F+ZlBeq1)~@ZEj>B1=~wIE{uaSfFr@69iB~2}$soNJ zqvvk1>?B6S*&3+itCp{c`T-P7YcP?wb@Gy91`|Uf}ml2M{s3u%e ziAtja*71}~Pm}EajE97=%n=wb&fi|Vq1mBc*xKc*M#T!A0cqrk)+u4$k#ymPnr6Hk zzkRWus@Wm?t&xf(GlCUE`})KWQ0f50^xOV>#|ZrYc3$#wOTJTf^p@iDVbrIVdaWyL zeD%y)+9t#@=7`&`)Rwr~DU4d!O!YruBvghlHCkp*y?h-Z5311xuHxcoe$j(TM~hP7 zqm-gSQlHJWqTnccRJXUS0yCFbD1G(LV{PMbsWhdFE7+_>cZ#@9Ak!GL8*pNs&PK8t zV)QSxg=SQLS0BY&_-Gp8ON$^a@u})7OZTNvP7*FpqnsGmph$ogtB6TCL82qK-~I5C zO3uT9s-<%F5eh7+K}X9uz!}GFnsM;X!k+Vw>~O zcfjA~a;K2?otEsE@lvHa{n+z`ny35aMz{L}3zr2R$7e-pwm{NWeA@zRt+=U-!X2ZYRwS=m(OdiC%Uf4_BhV^Z_{a`ZpX)a zGEB!F5_56t214~Q=j5wUE&il5u$Y$+9!Txg%TN}@#FaZJ&(D=Cvl5Ofc!J2PszGkBV}2o9_c! zTKJ=l{Qvtw>K`Ynm*{UXz3vfnmeb%ywE@awnD_o7>muMz&Gm@~rjTuzRLJyM>W}mZ z)`lZMd~KAYVLddL%1)F*=1iGU;&89^bOm}Rqepp}gj*I|{+V4|Gcrix6cI&y?-n2s z?Bhm%DO$MFtWO+YP7tUm>7OgdqLyWXBxXrp9mSH?xj6?hZbyEb^uIF-?rFVja13Em zd{}GgZ!LAZ62Jr*4+@F7Bl&*?Mb+OtD2pk9>jSn3dwnjUsPi%As1PD2*(pRy+T1D( zEExl-ZU5M z)cSKztT@-_623#*-l)U*cF}3xJ4a^ynEvg5c})KI=crL4#W|cEuY3Uikz4gsbn`LasR%Bd_==D_hwvyI34126t^XBKg%;myUFtN z=Tr%+8pf&+c5am)XZ`GNpACrhTH^TZTtw<6!7R;1dYKS16a9WB9B5%Xx{{t!K@{BC z*)2HicFH9~KhVm)^uG<;7t~ri#6GVQtL&9-I=hPaEYM&k24I=O_sHGVuV!REhI-=# z@ju)KJe#tM5-NJyV)~x4$x>6#kPR$+I??f*zXQ27M&_&yiSnZRCwC(XH+9<24-KO{ zG-1>qXXYuAgN|+d*Ikl|?1aD(IwOWpQoOHgwd~tn^jhrssjE+258EM;>i1u8O5=#- z*av-!UmSZ9H3C=&?}|qZnCa;$viWgcl6>xJ&N78y#+I$ zxL}?+Cn^W#b~x)7Qqk>wJmor%>j?d`xBs5-7ZuRlz&6JrAFB}k!F7BLoqa8(5&@I0 z003RCS4iks34*d$79>S=2ISgap$)kQ54Z0wq4=2vSV`Wy`o`6ZF^&af2{kA~aO4Pr zHmcr!3ZUghkj-jWZA2*s7fgPkY<-P^gmW%m-~~3!XWI`CjX)!IXp=?YJOm;GIctz6 z>FB)WgA2fC&}eJng2GIDX= zTk~6BSHftud*SYmW~Wj~E@ivM3nEBu2Uo543RN9d_~<>JSWXKir>QLZQfNG4=#e-*QWOe(s)pb$-wMn32nc%*6FVQ+2cQ@Y z=_)}u;7iWwX#a~`@84zUOP9-V@B$Bq$#+qr41SO4!0U?c#nR{LLUqq!O<&b1%M0**;Q<{}@vR5NhC_r{gG6`EkRjD>xX_qzgCn-Z;*Ss*t+XBtE zEzg=jxlY4AwKs*3A+ej&BjW2=axZ;P0UGj|0%#h)BMV?6%tv9I#$etH^DV)%(_NN< zw-RVm+39G==f~m{Ef+(Dza1&QGfVtWx50ldRQgl&DmiFbQ%Lk6EX35*(#tAOat3f*3iaEx| zGH1Tm9(D{N;;Sc5Q92`CT7~Xqt(O+wE+U1$>pP$lsxJF>O+yN&L-q%gWFvDDWr4m39I4RG&JQh44s9-+%jOm3D|(Ryecss`dbn&r8;>) zmh{1?PZ|U3eg2pta6!6CT^DsN3ON332+kv76Z7+>XqO59^RoPpt%ddf;q0x$s%*3N zVL?IxMH-|O=}jXkp#n+^NOw0%C>>IQgmg*^N^Kehq`N_+L_{P7q&xlAp67k$op#a6K3M~U4$+JOdqS>Vah#|327|R zd=4t*JEP0)DKV_uV8xJ6EPylaKY1MO{2`bS)@|Km`;lDbyx4@4`{B&Pa7aB&t{B@) zxli~>wo;H*n|#Er{IyMc+-)4RD!jeeZ}D&A=iIx})Y9`7+$mMCNRhUfgv^go_>S-D zrxN{?1FZ&}L9(NQIGd-CBp@%=Gqj4==OAW=V222FzhAuRq1|(zq)9 z{4qrDf;t^M?i(RKfXBYy(!#9lC3UM?h}TiS9dvXCKuv)(KG976x2q7>Q~!z9WOB*v z56vWk{65hqI65Ano zG%strbqSMD-6!b1T5_ozyw1MJG?zM?;7Nthe?hQXNy5(w<`mfD-DWzrP>S}VU)eE= zvK1mL#JSvABuyySntZljV~_W*bJpk<(v(?@TJ(@951|q7!oEIVQ3Z6kJ6llDx_`41 zPQnSXtsGT1&kQ7W)V>3Ji4<2|$w7Z3{c4SI+1vKK*U1dM9)F}-gUmu*f{hx`B2S0> zmL8EUcqFnVskz6BVg7=Bf^oZ3go!- z0Yz@0AAc*@2;DoSW>-GHWrC4CZ@xfp^vcLsl%dSfd#)h&jFdcq^q7?(1|`i|>AC2$ zsE0J%N=;?{Rn}(dJJdGgul^LO3&Zr?;BDNM16WR~vWX?LE+`Wf4!zpjta2ZPDdsrQmLW{J&4j>v>%93nYfwHoeDn z>Ls7|O!}U%p`~yiOrSZPqS8`wH_?0blu22Q+T{_B)6h>d%F1{Ff0TqasEOT*9fu4a za9f&VS6Dwz(F0;9wik~+gR3`cmaeUJeQd>Axuwt|UB+YM`r`(m@CZ9np8?%35zJYJ z2*`Fw$OYbC5ZKWEbP_3Xm0PLn^AFSkD>$xs-$`f5ta}gGHP7<>)uao3y=d1BuQ)?l zM>${G`u%)g;EwjsEgFwsM!*De+yO2QV^x7TX+YL9KH6Od{vm0enK@!FgRSOvsGbq@ z0cuvF2XhhxntP`IouTWii9SnM{5N?xLH=yIZ9pt4StHukG|n4#*yw7U;h%=$e|iCM zhytl32cX%86b&}EG5QVVhtz6Cw`_HE-4Y&zkt-7hMr=2tJPf1uo`Oc1ySNl#d-&@Q-H6yh z4n1%M{6jI`4V%fh4pv#neZ^%+?`D1#Hy+Jg6AzjNttgFHEZMRoDy`qZK{5EdXuN<6 zMB@SJ-p6_LJsb?m=WMUcM480b6F4*K`kmofIWTh?e&$26a1})3lEe%t{GY^%qze7w zCAG4FoVwxgeYOQ?`MSzvnnqLv?LVWL4KUi9FYWm@GCzv%4K~)$-HTfCJfPZ311x@F z3qjTEefR_Wsi<2QM^E8`%|(q;s`-j5So>!WyzgWbe_4{+nh?_y8<5y{TuAe0JCWD) znl{m#7yuKDIj$>5PrwAsDE`3?0*8%3`8XHwofCftOcV04i;1{EwdZOqy=Xi0hL+z3O;;kOZDpq3v9+24Skx~n!u@oz5Xb6_D@5J@r@!7K_H zE+Z7U^Zr+#@}V|LpbkB z126M@jV>oZp@_x~Zc?6RiJMXYO9ykf)^N1YhQV9-7oCwZ;Onguj1Urbw z0_j1&_9yiUtFWD>P?oZNZrAX3SkknVFBMgH0AVaAo|u#Cizo3V>8jd!lS$uOdJXjD>^!Ep$A@9;cmDfulr zW8ys)#<~t`?@SRwGS42@(UFL4nR{$CWAq-(4^32>0$S9VHHM2dc|)WwN)e{>IIGnE zIMOEJ%A6s5uSzr)fg(PQdt7nr(vL+qrz!Kec@~vumVWswi!2&ZkH53erHD-3A#(rf z#qiX*`$v0Er#!<~N9vv*tj8_^Dx!G=h&^^?Iw*=e*`k?9-CB)??LZ!UtBhu z);^~12{wCnvTYKvquw-fHlRK*vb0&0u&CG9knt`X#MChT@EviI>cXZiIt9k(zS&OV zf9o1vVANr(%;J~)kAxa$>O!x1+%Jc0{K{G`lx0KsA0p~ozM9FmjnNoDME&83{i8&w z7rmxy(;S5wv6$%Nzl=oIo_=&*LnnivKljOP;qM@G3e!Bwv*#?{k!t_Mlx*_CL$4Yg z9LdzGHHDGyf`xX6B*K~b-m_lRSU5Z0lj{pTN2oi6X+BWsTkTa^Eng`p$h4|=-{aBH zb&!%MxZE=cgAG(QjtbpE=809`FJyS}o>`7OOrr9od$)c;opVi=*kcl%my|YK9Qv?Q77$bE_pI>o zi_2fgp2Mr9uf~!!b-u5NQ8%&$;-CO3ijiR4YuddcrTYD>_gA_FZvUfV{wWo&K;L0-lV_o5y-5w2&%dRfOqV$?I9;bq_ROyi?lS4#XPi!+U2}xUj zF#*};yQkk9l(krgJ$8Q@L6|ccGvzzwv39;-+*U)P>j&dxyH1fW*FcRhqZ;=v?D1W? zp9vG5Vsl}fP-J!@&&bfBzh>$e~J{+U%j7$JSD$RNC0cvmfn^-74I@vHIR zH{*Bnq^6SHd)xIS#>ynPhp!$_|EwOscY~Jm>rz?#x1z5uDQ4;S&WW6p}uSd`8;)RvXmva)Xjy1wz@Azx#)$?pkq`;uaPMA!&V%5T@vX$yofwe7gOY>_W zuN13Tz1P_G(BN<)9~kTVd8(c6u%Qhfd=t|coHKbX)B$lhxKTTdrmdpX&=I@AOhzGr zLvMwJ<16EzL!p0HbXnfV&~D-|H;E)OMse*+{4jI+w93tsz`1^y4XzgJjkMB$rTh;@6-w7Q!7rg!3~AW(1gjN|JFxCh!8(NNuB^{~XHX{;}DE zZYJ=Liex83%GilbP$bXPmtfI{tRCDIA~?{{rNTNOj^9^@4d-G(w$(*qUq}lacXVdH zA3#c@%*nVKCb%e(?PvQLs(yw$ToD+;9n?Aa&dp5W00W<4oQ z^rzz>yi^Sl7YbcQrj>b=-d=74Fzd~0>N~>Y7eJ4kv;2Sb$R}Sxt;K9^Orr}mr;U4> zHxQife!`gJT+9K68%0=SE`H~ZdzZ(+6YEuxUF`j&!}sVmcbLV02CaFr}3YNWr1 zu@bu`HVQ#S1+-o++?f4#fmS5vERiM6_1vOnpujY&6xT+i?!f50sZ$MHJ!QFE46jUS zA`e6F>>8f8VSBi$J3QUGi9gM-^%N$Z1y&qL`jOj@ORhErSsk9VqNET2I$uBihBjEB z-u5I}Lptw21)BYB3KBv;WJ$~wT4z}$g|3i#HwBC+8~J-6mwSi{9fFp^O=QU8lZ<}k zXVPNdmS>IsuS@6uEGgf`hZ#j2U2kX=^$Gr`5gdtVf~?p65~EfsG-!Dx7vzF2{Xg(t z{;~g$yy83dMYUD??^B%>g$q3ifYO!T>HyC6QrlZPu%_gOGb~j2+srQNS=in9-q^fX zf{ub-Enj0m!tUE9g=aM5Rgk@z2->7YWxmz_kahjP7X{cXs3Vt-IPPBf<6uyTx=^U6 zn8?)}E6czO$yL1WyOvHcLK05kv7fmMYI_SNc2*vbecK(N$30AaVt)+H>GX`SCK~D& za$5s^t}|kAZ5VVNkviWB{~t;Nxa!5{=*Z0KPgzo-ZmAcG)BmTONGATfURPxiAi8Nh z3Lg4xkw^cv0sp5L+zx{)r0j^u`Jc6u@rmHY_CmG8oQh6k8)n7R@6#E&`bMyw3>H|A z$)QA13TaKy^Vk`_5{!sknn(+(EBu$J=)d2qfBYhu(07bor^;4#TLqgz%%UFqw_}(d73Jgc{voh7l`w>9!xz=I|6L3J z`2PRr>zUuBE;NR!#2S<|*Ca8}l!>L<{XPW;GXqMH986Dmhx}~@7J<#L4lJB8X|`ZY zl2^>}n#OXfB?7ht{vm$#hMm{FF*n4&uRJjyNVPjyUuXB+5jm*2Q(n$nzA><#k}BkJ z6?I36WitYu@9DEvJWziCG3>@c zDFMZM_pbg0GxfhoMgQ&V{_#2fr>}=pF|?~d7@DUT%=G{JbKFIDBeG0#!DRdMsrc7l z+JF6<Gz|ZC2SJ#mR1J+x$(Ue%Kk@&&3>3GFnGaJtbn)9hqLZpoxT9qLBP^WA?(q7 zHN+@Lc--wA)z-4Yv`NHh{==kns0~B==c`$j@)TNPu#3BeI>oHvB<^>d6u~FF;mb%@ z0#mO}R{b^TkFCK=MB&+(2nnGj8@gLBC4|~41D7Z)pbW;$ENp(fk#~8C;6_Q=yMvxB zHYbJX*UW=O3{tgq$U9VnZ5P)S6jkTe@Mywy91)NU+Go@P((aG5UOjh}&#>vmje+n* zCN8rcVm`~Ej2TI=0mtBjPU43CBT7&(tDuZk-GRF{igI^Wu*tIGUp-}ht1U==6OE8L zxCusR8Jhs*ZHO$Kf?hz`Xg$pLuUo2>S9c5Ct?|D8iy3Nk6NtkYV#qmPG-b7U!6QVf zO!2{)Cz=IKQ~dVD!YCd#ZH)Od^|A zyH_ar`*=$(^tS$+ygDTt^!^_nr%WLrc5_9#@k^e8F28;fYz5Uert9ksU~WyB_05+4 zvg-W{@iM0kuYW7QeW0cyZ`27}Z9_?|X4IRzZ}%t;w7B>lq3#Bl@k*xkKTR$(`ZVR) z@EzhY6r7%j5D;22qH9tKY>dLdr!h$}VhOIfB>0-^O5S@?w}oChGu0lq(5~?I&-7^6 zsB_|x9b_L{Lu!ZOf*jTMl+&OaP9kdPZbAK7887CqpAqo!R@i&>6RdU$b&Jwq&XlJJ zdEfV&$DGVcIDB8Riua}78UH>ne)%@FFA&G3l1l>7?}}nq^T!)OgJunEpP25jCCQ9W z$MTBgnzk6ebqnF3s6(9gaX~u!XqBA~uT|7{6lEH@bVsj@b6d~v!b)sYUlK3UY?-5G&%G6e%AghlBawN7Y!P8})%iPHR2Q>*%L23RR#s-V#0nWCY!6TyOYb$V|SveDso+|)n6y^Z4wd*fGY zRuWG(u-AaUzRQTg0k#BXjwm~0xg$afVVCtn)R?cVu4t~8hx^|=#g24JE*xFJ)zR65 zG9%AzXE6^fkn*7O(t^Ap#`m9#e;dQd4}ocei)w}iepJA^$b%_=E-Gp3oU&Nw5ag}} z5Q(nEUfM=z4V?CY`foo4G^vh2Q=(Tsmn$pa1*43&xVFA@-WK$O26B9M_h}FK(SR{cat3DTdO&{E+mh;}R=I=eX zFYl7oQeH^Wye(tEXxAoG`ja(X9}w<+{1b=gv|_8*;9MmY%n?ut|UmuD4Yw*bHpv587B0>}s3GgmKjK%L_$ zX-p>#{jZF`$o;LN&;s$Jyc>dCKRUo2xB#5Lgg26nKlR~Nzpj2)O^Tw_)b!R|37mov zGvd)_ujmMyQN3vZOcd?(tjB7#iq%HU9`baocK8~F?pW)M3R@nzf+cqf^>8X@-!x(z&^Tb zwK>zglHq?9XV!rdWq(i$+Dkv%b6$Gs+)r4IQ-4v3Qjo!WOex_7XS zxH$y{Q-Zvb{MFh()s`Xo0S(o z|BW5VZbW2n);x7%N!>|bGd67@N}ujJde3SZ&LMU1F9>sof!!#O(sEH+Q~`#=PA5X1 zA@EPC$9M3f=9@eOcI2|?Ql@2uhZ+{M@oX|RfYQ_0mmM3!pk_Fm_G10qFG!9$Ma)%Z z?bu8u%sVQjnu5?`7!|gwxVS6<_2^~idQqWI=ajYcAYBJ7=y=UeL=KRuw#L$Pi=1iIvI5^daf_1WC8 z8d+<6YY(>ERP)ri3M3)}#< zrn~#fl(0=Zz&l0`Fh}o2jwSxs^iK)dEjga=+df_ulYJHl3NY8D)ybgSvEgpMuzGZw z%ih>r#arv}!Vn@EggbS*WYmtiYS09W0(1*E$R2$MsrAvbn$B#UjPg zL}hf!GnfkH8V}n!Wslj2e($z^_P-z&)n~2W|L9%wVHhRy%pi3X$EYh za|XNc(rhw{!e?K+#f!*VOjf&Y`B!agpi4ATEC1G3MrM;x7{AGk<15^*;CU#6AlI@g za^E$!lR>z)#cx;);ovgVGn48R86@blaV$&m|F&QHeJeu5IPL@NPOe^PUM-wVzkWx{ zaX7>;GrgovVASKZKWdjcw=wgJRu>Dm<6RlUwO|n0V7&qjMJ13Hz}TF<=MG12mCXWL zft~U=!8i?DOVPvVC69PJ?68umY?()s7G<6-he+{!hES>jc}2p&ft((MPDnB*JsSGBtt*le

pE?3(;N>K-k1p3>U{O z3S;jwAybm_WhS#?)QZ%jS*>gm80v7VS0b&H6!n;CT^WxmT)Jd>S~%-q*>P-zy;{=t$Y^Tc6Fw z)6V`^U--_*W46N$NYCevV+!i(hIb#2hP}dh+j@EL`+2N1|iA zx2(_$Q=7ws^>4^JB`&?bJ&JZEmV(q|Q_6Mn2D|nvV3z_MPd;kFO0ru4 zSN*Et7P^uSV|}Ljp|@CgDN9Xzi zO`&LLxAIZ4kpY2;^Q|7Y%D-vM5$=05H_BVvORNaQWZr=NW-7hT4>v=t6X;uzwfe}- ztaGp`VMSJ`m{&68+iU*hPH$Ist10HkFjO8l^U|ooGT~xld6R~3npQ2SYt$-BJB^ut z*{xf4xWzM?fA-7**yb82ul(p=ueJ^469(lprvk!|Br*4UnT@BM)b#UGEaFFVoiMbw zzIhn<1$I_nK!p1ow$jd)X`O7H28a}r^cL>sUShj2`;BV7+lGY8T$OMr;i~wl{ou(% zhR&Tt<4dOO2%|LYY5LO(U(metAJLr1jENtUiC`yfW3n-}wzwnFm)d5#1!hw;PqlIe zZ+@pR(~sp6X#bYJ73Q@YHLIhfY$6|= z5<$BnIOQX7f`P**owNO_>fLP3{g=i#Qx8!=uxWJP!9HcNCi!(T_#)iDc{OIw{6#OK z`U1a1tWCb)xPwxf1ItE+eziwi0JkpB{bl_1y}oY4>gMKBB}F;PZ1fAU!86(wkJ80( zzW(G@vW{Fw|2+2C%9~BKmNWpQ;Rd6{2I7NfM5MMqLbN#KTR_pCt_F(s15mUdfIHzT z=j8R!mh2C-Tvqt&N-a3J;-{Pb!(*g96Gpy7O95pBGs2gPyeg&qGnlKJ0_581Ii~F+ z-JY8Gkvw6^obmMz^k#{3FLiwpcuAwlP1eQ1^3C#9qR=PrbRKCbrg#Xj&D2hnHG6TB zen+X0FkOu7U(tW__N7jRyBj0beDK zxUtfHL=xS=H^lRmQ?Dj$J)`2&PkJBbK{$Aa_wHqK6QZ6r&H0Zs{5wr+h;49${3`z> zd5x~)SK)$4*yWSV1y*cqIR@mc6vm2E6d@)Vz2r)^^ z!wNs#{A}nMe?YvR18V33Ad=@nYOx0`AugHoUlcHl)n_{#8HS3rUwbXl_RMg;({MbhnsclO{&;9eh7s6i{Rk zw5uOHwp@T_^I)p!qhclC`U5<=ZlUrQ5n)$;uG(W>8E+ofbI}{Z2x9^N9u1|eCZX&r zLDbHP&x5OImc4Fck|js>ZlMv*v%29YV=piulAa%aoy^Z%vi1z;8&k5hSsg=?=-zHc zmc{yPDWc_cTkCzF6$-|$?|ZQ%tg9ozfrBd*1{H8Y)XwSlcJi&w-oYK(!Dm7SrOWT$ zxNjszmToq{%IwLJ`5JI=rH?2HO|}{)mlaH{MprLxB)O8IT1bCeCA**a={En$>9dqV5 zQr&KDyuA|Y*54cIho>LaxzIJ9xsn=-nZh8-TV*q1sW?_|vq1+z_Bn;<)Jcmm(@<|smh1f4{<+~P@^{tfxPE9UMebAcae6AR9|k8Z^8 z&PJCDX=mnVldXto&})BbOJZW>#!bj@`*>qK6g|Fxq`K^Ls8r^AOm%#b&AXS^-~5>6 zRmdHaiY>H(IjQ>B%Gt1`cZ!P=x}1!$H7w&jgkT|NHH>`I!0G2+iLNYz$c?AIsOaAE z#fjt$WSy~VgS^cPFS+}kpTRJNI3?6a-yWBOG#l6PH+lVp!EmUQS&&t)pV>m|6;;hh zju|DfsnCx-FYlNjMQr0D#5SSk5eiLMk3X$K<@lO$#46JkA=5j5kN0Q}l=) zm#&Qo>XksMF6Y7z-oaZ*ie^$_>y-Fw;RF6Q*?nMCw^?c)?&0!@$fEa`J|RAl)zZx2Y~N3NrTDRmR3e>$-sdi^DydG3g!8 z50W2DLW?k|HPt29ET@T&TOEewy&i zvm;O(I(-9i$R`rfST6JCEh0&&=TBaG2E)>1t)8km-N?7zcT?5ptgdp_3?;9)ikGX4?DYUzPfkSAgge#ez9n)6H+;oU`u!{7mw&8Eh`w8tBc=F zkK7UZ`Ptl{nSXlJhC+}@oz}_NX#2{sv?%;9cN)F~?FD@{`=%jA#64Ibx}e!zCJ(pX$M^;*t_B*RP4h zFiR@A!DN%km7vij`|9GF6AN1#yU2YsX%2N8L}clE%BtKPcCHQ@+`vdW|MTI-UsRQR z!(EKh3=i0fYDx2yg5}VNV&asSSeRHVbGR%#GNyuS`(F)Kp9i~VW*E}EMM?_yCdgt6 zKF~R{UzDOFCh2o5MY2l=E+*Uow}3k^7eiKM&`Pi{vUVMRIxlH&E^#!an2c7^92?rL zo8$n|8sGJTE0f3J?eaPnmHQGh?R5N;x~#S79GBY3EB`UJ{Lsoq zt|;ICc1;(O{Q<^F$n=Zts;V@LO4?B1J<5FHXWlZtDZwWdkZ+9&kd{=TNe;L;8pqcMkay{X1r@)gG8$9vcD?L^s>OO-t33+9bUZC~S0 z6x|L0X8;jCahyvC@n5&N?Y>MJU#z*Ya*?&%)9z*khTA8S>_SOQd9s{epLKC?$lqrj z2cHf}>h#EulyG6n=PAvx_U%!1>8Se|lf{a}U>y~KH+hzyCzgrszJJwqn{O7bq?WiT z3}K-TnZXW&PbFv^_5WOuQbs#R;T9$%d&6Tx$WuXnS+vJGUn{pIyu)fAIVh@_OBZCs z#Gx}z67Ii_@ZyCy9OMJDj zS>`e6;aou>I%>32QD?{Fji`Fo{t6zMML&53UC487z(uM_ipPVWabs&#K?;L}sZ*t6 z`gLCOu(*euw{^C%396T4*GKd^TlP$%?&&bGJ8`--p{wWJWA2Fg;G_XsbJFITgvz>G~_W;ZqxnfjmXac{Em!NPi1V~pePN|YnS8PjB zU{_OzJG~FKNLe_c~eOWI(jP1U-9hS zX!ksSfthYnug+(^94+-*PszB=1+r2!@Vy=&3UbZjwHT{Br1s_}{1JT_$Stjh)>7Ad z_tGmLOQMG4{2(EW(iT^qB63Y@!%UE~>arSc-z@E_iuscpx-YF4xO`k@ zeaT4Fc6OiO>;+jxWa zM)PP>pYnjMbBAIsfp)jEbil>P$0zN#)zrP#N)Fv$$?#t%D?b@W^QALosHX0m3Zvbm z33Q+AGTQeM`}tKC_&zb5kdQ0E1`OI!`9SeSx&Cls`k9 z_+U0w_&LsSX{I>qhuMFlNxZ9!fio)GniX1QY?b=vJZm(BGoK(&Go)MXjKT5SoGW08 zNPg>8XLS*_EWHk`kF09apU3v;;;aj0al+~VqExq=Y z5J^MT&15T8xJRtB38IcF-q4#oJ%1xrrNFW@lc;yMCLw>@3nq;fO3rZ!os&zW1bCA9p8xw|e}08ffD2qvf;% zgG)_1^MAAk=`7(&iP~8Sed@d}$hF}xXq|FP1(`A)?1Z6oDV}x$3=t>pE&0f}MvRPQ z{!X}7$^cR5dvcY4syv|Dnk$0T7nEpQ`)K~qe68@UG^i+$W0p2S>M2o^M3G)B_*$0- z)tJ-Y7|pi5vIabYS*{TzLe}R|*h_7(`3XX$5D5R+Dni6eoSCcVh`ii~q@I1rudgZ- zd3e~3ue96gL=DLJRqwKcVo_^NhrdM){41LxgBg8`(SXPHm0XhiNAI4JmmTcZz%Hx2 z9`TBSt(pp`>#`qBcM3DJONEU|;vZv>3K{md;VC&nsz+!-toiUN^yd7bGIdu1Q{C~( zid&CmqK7^_H89h@7#A~UWR_9f#v;+Q(glze67#mU0qqVT(@VSthrCa}fAZ!C@04mQa; zP6=xEHZY1`f3eVEerbCyxMGPO$k-P?!7`|5=klQ@dV!u9d(X@%vk8BJdu^I`f+3xy z`E~G>u8Sqd`ZCPg>V71wny((z10Mhyi0MY#kDi=E9DQc-LxQo&IfS&+6o$(>+83@M zvV$Es3!jMBYYP<iKQ#Hh>;Jp@;GStf-OGr;S@dbn{tK8)za=_z54fpriHo%z zR>3>IX(y>getTB{Di0( zMnL{flo=Lqg|JCX=l=~nJ1?K1gehMmh>^ox&1<5B6Hf^q4!U)%ZA69UGeISQt>!B5 ze`za^zGQJSEUcw0gemChvHIhipN=eICUTIbayMviYn zD2>jT`H*6@gxyP}H8*L74EKiD{r2_N4p$K{Mar_yIps)ak-?Fn!w-sk99xKiy9){B znSi60wCGj+St?)8#(>cV06HILZtpXAr9a;b zm;K&t{X-3n2@K4>=R=qIAe@5tojl8JQexf_YTqog9F%HS6hQtJFpfc(ltNTsKJ4hl zZ1tpGN`1#Y;o(}NoGGAa3rX!)!0BMwb@(m=CUacv%NF_5R7<1eFvP@@8_R{M0ax?01 zI@A-cT5u_GH(4!uFlU6$?3HW}GRP#mFRn^qIOM6i?7Y?2=F=kr>B)!lqBj>->Dhk) z9U$6vKm;m?NcJ%pi1XxNTln86jHx3Fpt?>E@u+Dy9OE$r6r7Tuc?vvL#X@F6|<6afbK0?z@{)+qGU3U#({Snt<z|};4I`Q_e4xi00WzbAnS8=??44kc&S@y53abIT3dzWUuSfJ-Wx3P# z=?H&pRdjVQU$1n&stL{Gk*Z&-D$8tz)WgEk(cRjy3=y~pgLo!(ncAXd@czh&=1A#w zw^<%msLGkFHmw9~%S~O5m4)od+fY2)lZcAYMH-jza`%__UOhkD{DHGBe8vSfn!Wc& zvSngU^`?IV9oBkfyIPf13n$Z3707^v{OZ@E25V%~8*^#R_(EYqv?IF8t@GOJk2@#5 zfRsJ)rs=FXR!GV6qFL*zm1ovv^5PE|Whbe~!Teb=mpCnm5xq}v^h>TF7n@E-{GH>c zUY!A*5<}nXfTNnl;jF!Axm2jK_w$p)J+~sjS=4tj*sQe6%A6U)sK7+h8syXWo_JEB ztv*4asfA4N2@tCeoR*0uw*cG!w0Oz%cfvu?#khpnXSTkT_jofRfMok!Ube0t*w~B% zZ`3-#?f=_qW0{C1$FI-tBU*yqph$9y53NxGYj{RK&fg3hzl=6s&S>RRv`btBUSCU@ zK<`v{9V`gCv2m7dlArQ5+R=TYrhBesyL)?{e5E!mg$Va;l3lGQQ;Y5au*3Xhou}O_ zD&ftr9DF3Sn{)v)Khrz?YbK=c{maDpFIbRwr4w!krn#ZTb-${kS2Nz)2jj49Z&YAc zGGOnheAE#ztyr#z+yq)w9)M~EkoCeOvz4^yP@^62W;dItV3eP6LuSo-GN|E+cTVcF zErRt|eUT&A2T;`J*83ko6HRH8{tU^?-gMIm2o$Q{8@!Nnr0v1F8Le4P5KMF(9rLSx zdIC$Y#RLjHWHAIojPNubaZ*}Tpl)C_1uDD!0q*ygQtwf=w(g1zfPGH4I8}y6;mmE< zTvtB_ds*EoIo6n1Gs}zsn0!8n+p+!z7#OMPHwL{ktif3K$Ci&grnQ){TcbciSe&@ho+hpNX}km%a(O8h8aa-| zEtx8ikuwge7($IUiiS;fjS8JX)-%`@MEuxRMX)9cl)tM{TD`u@nkE}4GhTT=S?;RS zf|L)JxN1B3H1mcjITP^2tWw876H3taYwYT+==W+8d123-&~mnN&hlP_%^2R zeZ9!uKsTWzl|jiIGY+dS&7=F)WX73?C}nj4ifqRG4khr#AlSfqTiBDN z2ICwV8Z{CXMz(zLw%9uXAp3FUz1mFq{2NDr)`n4gGG~RktzP4vivTb*f?U9VlwT9sZNUF9~d+k|L^mw&oy>?Yw zA@WHEGL?l+Weao8BKii|6O_=LK8R1A=7{QUYdQE%qjqOLopfKqP`UVflfdUo&mX-1 zN~cyTTX*x;eP+Ytd$p6d4|2Z6<7CMceFYI{Le=%fh?|kBV=;~mvBf6&dF~%P_ZjV6 zhC@*KYlu~Xhg6xbMfWG97vz{}e|*ayzCiZY{&U!i10$9>RLaH*U~^$?`i}P&3p?w( zu;wdxi-r6OJFXu2(uzr*LYZr9)pf%B>je<)dMDM^QbN@<2cqC0Z_Y>C_=XY*gp`k= z+}5-@1En@Op1!0%$Vl!XR(O1eoP-6@Jp3Jq8ia0Eo4-zBTc_J0E{$aTSMz9N?^0w{;FTEMhSUwstP4tj^n6eD|L zhDBwfkHO>K#w;e}`j{ehGhHiaQ#fJ@LgoZwqf^_?(R$2`^ zQcfcCW;mV(jG+)hgG;K*_1e8+b00)|f2TT6cC+-(9HVj{?I%>;Kpj>)7D=uKIO15BpQC%hTk2k!>N) zd>ij_<+POpD);k-u)0)IFgol%U# zGWJI2AkZxkDp3?mfesAI*z6_Q2=U}#kC$d!%2Jg)*2AkBc_~Y*;sxjH33>sA7&WvT z9`B+>P4CpTCWcrAqhyiZpRM-?g-Vk%ISa^XX?0;JYbLH)Js|7MUQpqO;YNETbvjGd zcxml($t8q@rVtP9zoSO*pa4zje3oPSy%V- z)fv`Xka*yvrjC>2cZuzm>PnT8HrGdBs1=BOoTR47=_0Hg95uF5z>WWzMS4jYtB?x? zv#L9kQQ5o?o&vvly7t#%TWv(Lwf7T3-w59KelF%P+a}o~=WMq}v^r7xb~G`2Y_rh+ znIy*z!^WpZN{ju%9Aw*{Ic|@Yt&NuDN_{O~;T=u$n4ANWiieyKT4<#YFmhsRn9&w6 z=i$^Nd0>df92&vXhbf)H)KLvY(~h)lC@{~)h8tVVD@HMd%MS@ zk3)MP=D?befsgFF_CAG%N4`R+ijp*9FoRu1>lhHHM|LvhlTP`ab2-mNnI#P!?u1?_ z=rE7Ofyi;&Ig@SEz%09Ce*pG1GFMaY08Yu^(1lFhQzPIdzXm1*+EYKGjsHXbb(43n-s-I#nsb^UZ7oa`p<1?FVb>BodRhX%6~ot?TvHsP3toV9%2X6`cdM zE~3rfM#yfmqD$mlG4B*LGRm#4q4+(a{aYiekp0AKN~r6gL$Egs0y;Hyqe@T8BbD{y zOc|DHdIs_vPt3?}BJ}K=G0k?QlrmZ$nv|tafn@?te1Hwbye{cdo3#rc*wPCHMlj9e z%g*c>vX3&ALxjiCo5O5L{Xe|`#(o1!JQMhE+=%{&t^-fzOo%h;IDc~fmuE=i-As(# zhueYfH#J~}P^owg2j7uyvd2);@CWBBT(P-pPam^N8s22LZc(F&sMfuNN|3+x)e#EP zk0IS`3bj-Tq{44m{cKpR7D`kQ3{ayNtC5g?jn;p(+Qb-Y3v@R#3*ryVsHVKkB>T>0 z8QudwRT>^=w>L^{JgpEqIP=VfQSa2qNT_Jdyk@V8oh)-m9C6gs2+=jxK!Pn-#9t?y zV~fznRwa+ZnL$NPv*LcNwDkylPer93S_O_Gelg6J7emu;JqRnYK53;rH*5!^siMeY znwDaq?eQQ)Q3GCR$ zfqI2t_4v{NMF!o1NZzwuI2sdDouUJ@_mk+?3ZB!j4J4!Wya3!EnM7Pe?OgnTX5_*h zhsIXA2nrMdvCZ)wF&XolBsAI~!(aHgD4C#XzNIBvU^;$ft)>yUNbH_fq)afE_9adGY44J3vXCF! z*9Kq}X|}hs%=esh32RDjdb5d33+;_OmMS_9>v0LI79y{+=nQ+^v*VQYo_9OtsSY^Br9Ri5E*pmUmz>v-P*U&(Rj96f{ZO2MmJ72*@(+Q=qi{dnwmVgW|KKE0`KpLRPwgAn~YzLZX)a=)d@@NQ}%7_t=iFWGdTiga7te43SxQy@y^=O&jn=<#~ zl}Ygr*5{?wj?iN1NKt`}rEKly4zCDUW30qJR@{0!EzUTRGn*QBPtx#g4$f54Jn;w6 z$I&n#W6}V29H_HjWh8UA=U~3Y(f3AR@Z$%i4xlB|Ce%lsK`mdp(p-PXYM36uZY8Px zE3h*D;#I*LW3?A6?Mo7x%@ELm+5!sQ6j|$#?~V_?`BSsX`tXEp> zC`g|Uzhs*a&lQG2tKHg5h8Drz2a9M@VPB+r+*G2_#(Y?{Qi{#exr-mwKRH+(f7Co$ zOkqD5(B14Urb!=2IDoQt5zosz-@5l1`oKabKi$o*-_Oyd5xiW%3MB z{vNeu?mPn1H&=wD5t=|kbEX@g-m_OM=^@*nJ_L6kW;eYX=_F^qw*(hh5PQp?J8Ox_ z{adHHB!qZhg*p~A5fhBCi!1pTeB;7gfZ+yl|D#lr@yaeCzmY3=LNg!_`mjH990sO{ zvOBk2AEFQs+VHa=0sNz1fh`-5Rc0by*81@?%6$kl+Srfc!;oxqc#Z>DOVsB5R7I^@ zX|Eg@6e4La-jf+zczFtZb5-CBXeMXf+EGWmt;HFX{bNn1l?}s(e}`(e3%U;@6fsOtI@#}%?Ak;k;Yd=cZbT{xjNazvtCm9Jv$0}Ms1*e zfx1Iicd?P;{C+i{Cw*)h@pHflLRk}*UF_R2-q6OJ;KYO+h z_m_^2>Tc}7@}C2QcoO3 z_?)&1n}eB5geao|mZ*_k+{RA3__5*SCe-Lcy`N>H8R`X>_Z*OTy2H2+20SO@v@PRM z0Yy9H6>5n2*j+#G%Li5Jj_l#I;tg!YRaZ5Ji4rpxRxy*J)nhsCC?Z_qQ27jm$8>(q zZd$_tMIukNhU51NPpkEdUd$;}X$!T+^~=Vbsc|~%oXpXIxF$x8X{EEqvLJ(@-j!ze z`L2iVhuqEa#`DTTwvrYnNluRV3dckjLGnzI&GDX?W^V0LME>EBSCP$YN3fqH5otWN z_yVqNYivvrRW@d0GgD2^!PHFso1vlp(|Li5$H_GYob*W_{ntb$X^7V+y2=I*+n3Jp zc2>VQbW*dw6Z;P2-{Co>#~u7ag`c~eUCvBkyha5u#Ipi)q9W*a;C&MbCSB# zxHcReo$hotsvmP2$xGCOAlG3Tc-kC*p_Cn?1j|EZbIzs!ua0g3w<@8MWRMoQt2vDG zZmj&S&(IIHcfs5rnT7DT>5hHf!b_2HYO<58$pZRG+hOO@P2Cu;r1mMoE}FmjG+2(e zm}oNQZ)bOsR3;l3sy8Mv(dF*o$(_w1~{j%s)-7T7MmkVK^4u8 z-X@rE8W8Ert{Bv3GxmuvaD-xOsZ-cI>80a=p<~`KIenZglZDTwdr#L@h3X*IX=$|i zLr)>#H<)R_UM4xX-L7;>?!8N?D%&j~4L!7CSm}XPZf!%T{QH}wmjiiV_rFl6KNqX@ z8d#4tSY+^anbzLpzo`FtIpC`#h}+E%x^;&f^hC5jXH(UkQ1*$Ig zWbb>75Q6qak5AQB3jbwq{Qa-diZ`@yv2b;AT@;hLd+@az)X@8ohBgP+FPb8BOzpwx zFFYSmL6bC4)RSI@qVk8^Ex*N7Hr;$OQXv*9B~h7P?g;tR5en%XDR=EZu+nI`$pz_5 zSxJ3Cj(DuvnirJ}cUWxSbwR=6vPC3%Z^!~{3?|IqbQcNgxQ|0LW(Xv6OFaj2gzOb3 z_p4Ma#?V4>wYxuT0_OknkO%Q&Q5J9pOHS=-YcQ@pjSa=96g`!9K#M*%BrAq%sCVs(JK@c}b}97epF*;Mx4E*pl{?nvu_}I0CcO zI~{3dTaPn1mOAvVH12jB2>+febrj0SKPV(1*Hj>bu0X;cHz@pF)PmyFo>nxixK{C> z(lyI%@NEi|jR*A!$Y){O0F1peePcs5UIVJVK8*AH3Z7$@D%i{oZSRk*hR3bma~zUd z3(bA%y};RO3A;M`nX1Tyl~`-)WEmOrSTk_#)^1K{mZIX9`VfyMw2m&fv<&ZFz2rcc=y zA_MW)KrjfcEiB3=*^UFViXza8(O#2^iiofQ?p&#^m!FIjRK4zMlG%+O$xYc)YQLDO z{Kd8GO;8c-JI+&Ww?QwZkyUrMWM{Q@uHUZjfIPdzA|IGr*+*+~3Cjtm`?dBj5E3&x zgRO^UEPMqlLLOM-1(Y(TZ z=~O`=8-Rxzp^s}Z@}TfXkQ&oA zHz51|4C|?>#YYf8h$A4fZ6KSp48B2#ZuwHK9Sjlk;E`&1hBUrdIdQ@n`f*Z zc=xe5bXur*9dtC_4)|ZSLADCYvwx&8Y@!+gM(;yrd0n4aO5tykxWbDJYd+1C#Kp(Q2A5o!hH-&S;4km4y#Awy(M*vWl`0M?J3hj2$XE6Fs2qzi`* zOyJV8dze#X@z`rQL<0S+eO^iGmjI!coK@~morI#|(ae}G7$mFqq&0+BpQu>0$>6F8 zh#8jNJ4DiXx*Wc#zDf_<#ics5InG#r^EhVbi(ax{*ii?Ec;=(CsD|SNIF_S4S7v=>yHDbaNEhCfO`! zbn#0r+f9I$gNZ4pin4t>?m-*sBGxx7%g-RKLjSvkXr;&cGrZ}3feOf7?-S7HJj}$2 zGc|A}iFpeP)>X=!iq{38tp*pAJu#gYZyVwbI}pl*(K`m6LxneW z9;%AM{5;5cDeAHv;G{}W8S)&cUFwLW=%{WWvQ@ou@Nlt!>8+W2h*)W|+D z+{2RkLk_d31_y!7GcFB?MLnDakem({Hox_f46`8LVMj&FHDJv<47 znp-dwE~tn~mS}v3VfzDJ)hmiMCwt8&^H`$=>hwiskSnA|TT4$^rU_V_w{=5Sa0vLb zbzb38u-^rc>dKsR*?N`3;S&aJpT1(j_Fv zA}W>?{krdND#7tEFw@NS-<}N-ge1_ZLZC}Md|w_VMpvLM;4RuZ2L*rBFiPs;%zS`? zkmHpH1%wbuB>jyAw3LO8v{vMKHVGu3Ibpwyr>iFYFSr7uJ8+#EXHy2mrC}p?;wI22 zo>0Anp!Z!b%@bk7wd6dT1+A>l%xe;O>s8}MMP~~^Qg3MoQ~$=2$ZophtW?}odRza$ zaY?eXV~64?{(Kt%4RUe1KZ^9lX7qqO+I&A-JkwWy`@VnIB>j(PVANk3-`#8%-5*noc& z_L`vlUhYQ{p+q@($0!0Ngg!iI&*69C5Rok^vK#z-xJ?zWLcEHLH-OTboGR1lk~1eBz{ zT4^GH%=aQyiS z8poV$s~!$<(82DeH%VhEFxwVT`ss{<%!E z@k7;Uak#MW=KAY@{hxZ`|J%oqlpB{s#MtSh{|!j-=P%;FJ>V8WVKm{r;#nm9Z(s4h ze4aod2r~s8&D#Bc_j3F5>!X#ycZd$e@xJxvQ~$dU(D7|Fo&9UIj=`dkkGvnCa(Uf8 zNSzx9208B*nwCW#wyGYoTMtki0y&km){i`S;?XMm@!$U~jtWU;0XPg5e~{(;mi}wC zqyFdznb<%6Crw=Xjm%AO(_-CiaU&9aeSsl%lpz`zprYCp^I#N&CJ=Sh4qe{zhlE4%}v?sd5W6~QXl<5;6?s8o%SdzB42ZEp_S&|y%T^97zO(R zUPn8x&(W^}z3SY}SL`AR|3%Q@^XRLDGJ%Xe)0n!w`6Oy*9u49SkUr&+3B0gTu$}(x zOxcOA6L7j@PFMz%T2wqBig%v8iwrC@LjMzOl-v0KJKE@F1cr%-HCP{`g|7hGL=}0m zauBh4_)_|DP%QBbz>069z3{tP1=uZx0DrQJmM&c%=kUkf{_hJjNGiL4*+kF!%bh=V zj^CFWG4*>Vpv9jyFGRLULqxlUMa&9kjg8V5B<)GOQB0MFg0+hc)?@GHQF|&rAkZU7 zl>GO;I*eZfG&V@x)HmVdX>|{F5l-RN?2vCrWdS(Ptidi7{^7m_`^8s{00kte#An5j zc=H?-uA^X2%J(_m+Pnmb=*GmGW{;me#6>Mvm_K$0%@ZERSUXOpN>D_kLOX*QAAhy+ z{|KvGR2{tsfLc0c;k1ReGmqSunbY14dNMDwgP-~v)k~ly*F9cGGVTMTEh3Sd@Wa6@J|7m zr?O&}NFxLPPVS#u`JWHc-ifK}wjjY-(B9FJ?zfLe0rX>RTAQ=;duv?>D5{AmI6Swe zP2Q2ye08`9I4^F!JQRuU>-;TM71)3~qCVyLIYYrph#ob1%-XfB#q9B&MHZ(hDp8|3 z>s!n^fCxLLpttyW4%YYLQa1Tlq+jyGAOTu-Am83FGE6MC8(X6_tpx9e@uBlKRT*8G zRyE?`S;`u)1NwZr;@ag3vaUgVDN~k!>v*qn~)sg7loc)&lX5;37nMo;d zh`j%xUEv?r7Zu!_X>ur)ltD0@zx?YczK(ToYByt`AS>slLQEdU})JkcO!R5e$}sJ9zCtibkGG<`X{&?$03E#gFmrFOFHy&yof`v|B5UF_s z93(-&KrBEeD=<+#0%9m1U9x}Lma~m8zGa~IA!EdV@WS2>_#_H}Lf38ys*T)u3$z1j zKVz{zF>#y&%f80u)MxEpme1+yK&`Il+C%GBCK!o{yebbt&09p9q$5!RzDw6Xr3afd*^i!LTmR52o8oIfH}1_{ro8uv~U2);Cgsa7>>Cczp|HVkvQ!=;;4W zK>{m^n;j^mc8a^;HbW9tvJ``Lo8e3Y)aH+c+Fkh^t>1bjH3IpT-9S2jA@Fj~?E8JU zOm<&ZOgI6`EXal4=jSCme!2jRJwh?_%{%fB9#V_kolJWYthwioP))5}3o>T8QFAfh zpCEeb5R4^!Tp1^^l3k;T{7%uv>%lQP(@(1;D#X`rtXLQG-zcOH?@fIJAN>`D6n2~j zczwRx9YE$B|HMPnReUcF>O43b@Ukx^Aey6U5=dR#ik4G=f2Pu3x5qnLKqhDxb*#7r zW&4H~s})Pw`@7vStM8m~V@`9KQMV+ykhg!7R@EgKulgPfE*gCc@jzOO3)7B26q0p> zaM6EdhN&f)>`?e35i(%HJKtkaR8p;H)d`}V%XUJ&Q<;~B8&>u?LsUY7_ZDMDdMXFA zFN7>;6E|)PE$oI|z=0~$XCb?}EcM!{ev^0OfL#WBn7;b90gK=+Id~Eh*o{Ln&cVz1 z@15k&OIoZEKfe~0j_wh?LP|EU4t>l7-6oUxzMIFDS(ge(>E1dx1^V|BxnF@^3Qml$|!CY7*YaL|h6$(+sApZ&lkN2L1Q*e*y%mql;8vPB4<}qnY zk6aHz8GSN*)(h4F~-A9!RhQgUh zYMxORDUV&E4*)=g_)kpy3!$`7>;FX{$yY)I{jJlYyfeIPh$kXi+k1(oOr zf@4l{z%EW>kqzufzEtx!1?}Lw;A=;G2PB6mj|;I+Ozw>T3PQWPBl0Zn-0}ic9>-hi zsn5T(&VnL{H{rgM`Fng$u2Pn^!n5`uK&tkhB59`fluSxQ;oOm>&sdCBK1qSFiWS@$ z$KAU>WB<^+_l7t2U^$35`TRaY#)}9!$ZdTeXQ@caH(}~9n<^4;aqJZaBX1z6Ro_32Y80n*0tn8|w?_qPR3AVY+p zxjUOtW=}P&!n=&V)pY*c9caY_S6aS4pO%SJ-xUHpus}*JgSeRL>n+b_bx;gsB)?wy zh5W6VG~1)e*`?U;qs?q6i=0}B>U9SWxf)T^=P?y%X|;v%smWq&e@}T5f#s!S{=5@= zwNm953#ZuKgO!i$O_EAt*P`Ig>^-A9^8@~;e+7d z)m=s`u(4>x)*k=hmHQfT^NEzKr0m5A{&4|$5n*8QUX^_0H_KHF>>}*O7E=A!MypjZ zLs$(JT{cqU8!0pn2WHAPwJ;o6M1uE$g{95u@?A%~kGaIu_*KTrrAY_DA>LlUjzq6^ zaf=*;IrN9eNaTIqw#p@M9xwPj;;oJm;r`yh`%;c5` z4}J?>E|g&-NQOgSPV8M`>zM-HQ>R();l^-eCv9W*GS${aAfSO2?;%UFGPZ2xlciUe z#-L;v;JoZ8Ul`8aKxb{P=?*MWP#H#is&JJ4;WJnKYQ-?m6eQGX37`L}RL+y~?y~&u zQ6gkg#j-9iKN%u5arkV{ZxFT_gg2JNy(W9EkTl31Wo|`2M0~jDkrVKqenWmwz;-GA zY1c9o!*LwZH^!g3vNHMl;vO-4PtF#|1Qj$`Q&wYH<|Cq}vqBs2v{1eXCWIK3WAvs$ zgts}!qr2q>LekAMee(1(F}wYT&t z=&EJ)b_G;ZE6_tNz9tQo?CthF{Th+16{TS#63ctZZeWppl{nT(>w`;)PGpiEMbQ|^}A+Fr?cG$q}Ebc+D&rfsxp#^Mf9r7_p=*Z3CvYB=+a2mu*$ip5&)W??t0z zzcDl5*CUQc;P5*jj-AOYGi^`qigl(U=A9i?)DX%$D+|-u&Ypbb8XmIrA zYF@2`7Ex%YU6~Z+ipnYL`7y+vHsm9gD7<<0pQ#>d)U&Z|Nga@;`%=Q<({abC?C8_V z#;8gYoqvABATc()B)3)N)JPM6bqfMdBg{i0#tr?FLrmA`ngW^5HBPPYNAK=`bcSBm zJ^rfp`C0QI5tYd%HfzCQu1q0fuJnU08uORgqII~q9$dlKkLYwaRJfS4h0G}aMkGVI z&?kDW1Pk1LG{>khr`YOzbn3`*(=?J|{8RE|p4 z^}?~gQyenqO<&UVYH5&5c)ME0P)5hcT~}^@keJBigT#zuY@uM8KUAdsH`$e}Pn(hO z#ZJ4Hp3coNoxY7+;#G-~d#|8xEd{Tj27^?ei7qtBu%l+ButAM~khusj zKH>BA$4xh}VqH+Q$gX$7L^~`ij}}fbyh+CP;&18P=&0wPP8er2>C30dW_ti!wVB7U zaxp6$o%g!+wAzGXwVq*-;R2SEhyx|@C01sL!YS%lnyG0cCF(L-E}@uqy~&|qxc2=h z#d1oP68}2H!H9{A57>3I^;{;DF)!KdMA+ac?sboyww7(Je^{${fS=*}bBFdc^Y~Lc zoq;F96g{qF{99>QVV@q7&c3~osnRA9zal+R@lQ>qmya;ucHd!^Zx6lQTMenFAw5B| z>@|n4QOTyErYM+^bI#X>n`Vi{MKkj$51|P9$+Usv)wnnRmjp5*s z%!>q*Z)OVn`dmuso2#bq9ih=}wmy*4F%{SUqB%J!K`O}XJfE(@i#i?NUR73&d5-}7 znA5o+rK6MlF6Xvm&C)Av zynZJnI-B|$eTYy?r&SsAYTwQm&!3JDqe8Wx3%eBO{f--ulHblV0-1|5s2XwiVAO`( zAJX*>Wx4U5<1TfPc)gZX3K9z9xXG$J2O~Xp`{ret$+;yfwA~kkP7$RD!8d=q?K9Db z_PMNkq~6nstJby}oc$`3_SxxbN(H|tIaaXN@Oo97{KCenxl(-ZK2F%oYlVfx!;=J4p<6)aRFxi+NoYvFOE zMA=JbCU?By+5HnaFFbA)i^rwUcJKp3?nEAZ*L#bo-3nemgM~18Cv$QDPws(^iNx4+ z;QqUxe9&3=p~%JuDAEz91=m3@$Nhzpbipn@N3#5&c*cK9s^q@;GRM)iO}OGkL5?`| z;HDWv--9}>e8#mCLQ6O7Bt!#C#8+} zk9x$aFjb_HV6v3ZTIh*8C)K1w9gU)Pp4BlC*fb_X$@Q@01d5Z|KuKzyFDl?bym^E0?vd0!GF6It7-YMFb^n0vf+HA-rT{KZA`WYPZ(UuLY2 z_{4W~xLLx=8TsHhy_-=(uzpim@=uX&V?O$l>^1tlt7P|&th1lc09LEgK*(*zZ(q@R zh@`73IQckp9&w|Vh%;7~a^UoR7^SP_@vt*?$}CAq;#wcQWggAAVaz94gE&E^@$ltS zllsYrKQD)y>NWHOhZhXZ?++L=83}aZo(8;WVCDa!+5AHMIVTlJgx+r?*%pXd>y$5F<6a1NTg%Aesf9+bL>tpJr>nf2AU~j<1trC z1dD4-i)bwK6?H6P1ATm~bR*Q$D3#cyr1<_Mfso`PM~!m(jA)gayly}VoKUX`Ffr)88-M+kUuAp&)&6#VEaB!sjYd&jt`vAQ>KU;AO^T>W8lujYVdF@Zuiv^LyxpcRIianDV1B56a?|J~#l2hp)w0%{NvddMBEWQ#& z6%*SxJhj(03r`D@Lh!pS(;)1v5N7jQtmUB$!>NaeP#Q?@D|CKctkBv92`xDan=E-# z>gRKKm}0IKdipP;gnyJvu{gfuIGV^guf5W1`W;N=AxHZqAHy^mm5v}jXF#2G#zx+B z;7F_%&;4D3h07)0p@ev=khDIxa}paA(>bd8Y_2czDTFa)$!v<}C8?HJ65<82(K1SO zV6Lz%gRUz&Nmb29q7}m|sUL&UOO}=iZV=Ru)zaow;`+@MDYhHMV*!wYlyPnSobsc` z@!C_pjAsngSTm)teXrL&p)`(;J(})ubi}n)qZuZ~L*yzmNmzi7?aCmFs1^?=#+ow~ zk7?!`%wKs-#LyS;#?i5px%lMk0Wdn0w^fqVgN-dRaUZs5Xp!Z@U@~uX1r$7OtbuWq zqp=|hq)sN{1~XKXjIud;*(WJlJ)O)tWADX8|`v(B|IB6~N)AHPaio{NShw~k=C&RM<;6)y2 zc=pQdW6$j=Q!3#V;Vk0GXN@0b2-)`+@3MLyr8Zd7g6lx!2pda{Na4};xg}2o>PL#7 zdFes`g0s=|^twxDIlkw^mQxni_3sjdKc_y(2iapc;W7Ra3w!V6zm-dDpp-U_}XUkZ+`)ck&Xf`9zZ!kEZStyIQS|mAoUxnI1n6AO2CJ z_4UZp`&z2{M`2C&v#P;z0MVYXE9k{3O+_gk>$~yfXBDRN^&x1C>5ZB@1d)%_dwGBK!G}A13_B?(E%N~BUhQlKCKx@vdURy&nM!2R8 zdy*{6Jy$DN6+o0;@3txIZTu=p1oet?<5$X^-?Z3OnN zLXXYK&`m3!jC(D7q@yyqy-#a+LhYC2f{os2`=1?z3u}nnj);TKCe;E|Lxtl$SNE}a zjsFe#^bm>y2a7_jl2@^ zvu?BNxv>kt94X(MYvf%Qk+KrX;s`huXY%3y8G3o?ef7!ZHjXFUS^fE~l0;kSTEp8n zkuU5);l>rv;!7~&a_=<`xmE3iv`C4;s&&b`z&`Z(MkZzlpgfcdOtjd{xZo9bCFVonw@mk(W*VQw_SIht79bMUKVUi!cBBR*;ZIa1jWOK&`z0lo$o(MDTB9 z*`ZZ9k*t#ud73{#U|{h{4%yp?ycC1cq_}m;E)bXCRHdr_xpLkVZJC?cWC#u;@V3f~$4*E%(oqA^#5ld zSn-k8TCZ<~&o0E~BH~Nchl%uyExL7F@rDpB&m`}YaNDR@)Kj;o?XhvzXEMAEy?}ES zm{l?t{SLs2tcJ0@qa>vQ36aR*G4yr><>atyPAreJ3E1C9`DAi`#}{QUJ`yb_1(}N> z1K068lm#V{*KE{g@&okZwU%I>7R@)`Wr$3KLc4tzzSpzcKdCG87M$SpN`}Vnf=OW& z{ljxLkgSneq$2X9y(1id6v(txlLC-kaj6MNtrpBf77 z^Iee>)1t=m!VvUiqzKJ6*&&lBky}fqxXm@9hsW5ti$bwp+FpB-%$DcEPb&Oa%}K7jIB-ck69oJ}I*G44jR5|0g=y-$Djg@&X! z;$erO`iLvto;m7JmYC!;p-Bey7XM9qbgO6eLH3mTYeyiE3vqYzN4;kpQRgx^Mcmml zm1Jzy6?A(;@ZE#?d73!mwp=9JFj)-zK;2@h--EcyaFYw0XdjMcs7%`G#6^HF9ZR_> z6LJkgMQ%?`w4f&PqdebaemD;zfpYW;PJ&m;G%nmn&1VKD*t(vKb3`XL#iR{?k z{EfP%6~FMMRqu%Bbm#{26JE(UDw$ki`hp+~^fy2@^^xWE=|;*8f;)NGjPJ0d?n7d2 zwZmIkPZcmco;rw828|xeNesd67vE}^<6iG{qe75?5!Y|PEc`6WKX_TBvPfPQ{6BbE z@JN;a#AO9*sI zO9>H(v4N~dd#MqevxL%3Ob8B^?NcFb{S6Klr>#=AfxaRzkTJxRjT zVq8uE-iLum99oRIsA3SAt2xE5w~o;Gj@}e zqMOpHsEhF+eSsj*@)qsXbm}+baArkTWQ|`a+qKFDm;$4<%Ew-^0{h{qVo?Y3t=t8o z=?nDAa?Utb=z-ntQY8Rv)iW-s^|T4C7jc8@$-87xm~q>s_6;jBMWlmoo*$DiYmqex z0mJ(jYhf7pbon4yQg2X(c_)TSbY^h=lD^`;*@HNjr;NVz6-J4<82<~x7IM7%N038J_gn6_&c zV#3!M%%&slo)NiH77OxD{>IoMEc!>r7FMK*^MW8qWaG^Hs-x1U;(0S733?ZBkq>7> za0`JFs5Gh*1YQ*Z8(%Z*z(+O?)4J5-l)Rw1bA1+{kz*=7a{=qD+s} z;0lzdPzir;c}oC5K@?PB@!oe`TyxWzxMCfX9M^W2L2KktX|n@g89sJ5o9{WJJtB6( zCGH}nUYBH7=s(J_-!!smkz(>SZx|W7F>v{NG&Ka*D=7aC<=PD@lQc9A9il~){lNkt zau3)8O1SN|P%L#q)qV-f!U)E0W~jJPqUwI9_A(V{|TUKe0e_nJArGak8&o~XEdw=73Geys`-L*7mCVGZ9JxuAh)2c)ZqjCS1^FwyBDu1~k zwD<)`u;gSF`34T-_^Cr>qXk2~#P)aoc{SvF4GPg9)3( z<6bkBJO#BEQtpQV$y1a zUMOD3=TTKQs!pj)#y=0t*)um*%S)?q-J4)LuhS5~DpJ?GEnBC;@c)eFrOnEyp(dSX zK5;~4OV}^GMP_-3-OeZCcjAohnGuk}=aOSdjm%EGV%-j$C^zMC_cmaJGKZ>gBj8>p zJiL}qMOGO7uX6MfN15?2OILiy%&RHR$)pB~+_T;y^cm{?O1~Rk(kTszjNh`<;3N8( zAVS_&n20$!jQV22MZt*zRrdUi-%+0CH?+68RO+>>ODroaK*)qc#+~0s#wwB%Oj}JU z>;r)e%5IpeBy~vm^2~wUISn9f!HH<;!YkkM7!*G4@ELX%ZiZ1F2fya$g~jiaImU<` z1$qbasd&rEb`kybFEGA)_6#TxE^P|00cVp-^NN|X-IDpN47=Q5;*&B}DDIQ@&K3hB z0FmX5j7f?QV>hBllALlcYlqcqfHEl~Oes@HcTTv>NHX4=sdD>#1?9_f1r)Ib!NoLP zo>;64*sFzVP_j?Gsk0D#JJv0psjSAzw?Z>*=s=^cok`MuuBSNg&kEH7%EPE z9ar3-Sib3`QS1EO@pbN)^YTE3Jta}yB@lGzoaf3@*y7ws^#wg+P{Y_i_zaO=M14S% zaelZleh)Hnbk?AtE7E>6T2pD4e1XA07(tl&G2IxqBqoUV9< zhHjx^$G|b}|1I9@-hbk~Hq5c~BEYI05-+GZ`RZ2Ad&zuLozmgA7&EodRth zNr@4N|01lf=)6zpOIwj0el`xtSM4CHSH;tKWz!L3_=|+8!em>g{6qHBUymkGpgX#J zKd0?Ixb}ZJ@UQ&ZV%QcQKWwu0^jLSYw$97|&4|xGwNg}|cd=B|DwJOLEEvovFTS;M zWsZeeyrrXinN9HP>>Zc2lCEyIBV>f}86w<#+@h)Ip)1ovZIY87mh;?UjKmz1??W%3 z4j*j3I3<~XpBdpS3p=a)b?8jI#{#fphXBKe=+Lff05}ciz*iye8G7|RV><1O!PB=U z>vX<^Yxuc1GOfrdF-{f(qF1R2&IbKCiUtk93oaw~oysawW}R9KQt)aN31r-fH5EIK z0tocx;ULtHYl|Mx4{_Qh}8x7 zWOT$q0G^F|8wPy`qp`$kw}Hv$`_Ej0H{B}~xhQ7B@}k`KdgzM)NQ|17wg>%XCFQXh zR@_Ku!}1*%nP4s_zR1&bpelcab4np4wF+ip?gf+l#7q_G%7B)K!*sjB6Pe0{Y3`UV zU+>O3v!s~3Oq#flYjt5IGEmqUqWTtgKM@}gt&S)3Lz>)xm8!zj&Rw<1sTM&^SZ3g6 z2FnuHPfqGFw5_k{hTkh&1;wlG#*i`$kyc+cpj$=CfDgiEY7t7!#?aIce6wh;0xr+^ z*+cEpKdPM7wc)D$`G6iU%fOJcg@ z69s58pk)omqO8;Eg@s|Nf0PkUY|KA5pi5J6hCoubBA7~dluR{SUT~&+mvoy)*?vsG zqy(RGjAb(~pcH8g7E)9iM*7PxbxX{=K}hN)zm`BdJA{`4T!WTt=3w@)bybq%7dGFd zW&qc!R8MNX^ac{6-T^tr$MWd$FnovjI};w?U#zy512UOX%(?AvWU}Gk$zplXgPVv+OW=0>GBT(Z&@b&INL>Ekl(jeFh8>qNph^fS|u=G7xS>F z;sY3aQxohxZc(|hN&Pd#&~%obkbT!h`~x3?OUoo2Mpi5pTlh;zdT^%z(H& zQ-%vb4Z*pjEzw@oWlgQ7sJz@DDPnEdk+}YL)=3sx+k1m`tVq+iXjTZs8vpgAjiQLe z2`kW~;)m3rfy7CrttS$U6`E$$A3e8cwD=Q-;}SNs78#WR?=rctm_QC4&#%g0tvYl# z_&ZRL8Ch=H5eqB5rQJ#^>KINVVjk*bx%UXiZ!Hi=F7$hPUKB^pF9L<-J&~g|&BO2vU*- zfPt(4ivf@oXptmyz9(#Pi4Sd}F0kc2QX(l0&W&)$;eg*e#gx+Bewwf~;op>P|IjEEGceeJaAL8yl-RSFC zByX+3+fRt|_Rf((neoe37d2H^ zB~NwrtIu-<0M3l2HwOTgpUH9V`VeszG9?r*3TaR3R(XnU0t!Baspm8Y0IL<}K5%?j z%1%L-Z#!IO|D3p(%S`*T>>d^3i|dRWr}NU|kt8arbC*RS13WO1nNe#}_|US|)qnm3 z?1g*QqgH!KPy@@s5nRM!`NQy7v&EmF-H~EFW|{W`xJs*l4=-#!TQqVK+G#oG2fVCU zdEy}G`)?Ooz6@#!lkS_6kB^Yus2s^TaiypFC{g%2C-Rl(S$Lg-iTEBm&m!MBLw8+R zi6yo{aN-0kJ@D$Z)Pi$AK|e+wE5n7<)Si)lNT&cA57f&)5txyVw%eZwD|(c8Cv85c zL@!#DVLJoWvV2)wjw2*!jv5*kB|k$=P@(V{@Gu2F3nu6zX=eq$tm+Oum;vofgsDPh zwA4`09i%+yjJ6*|$|lK_+#$?-hQ0&BKoc!ZKPOq1l_SLAdWphCy!aY9*=WoGcL8%A zu?ZBQmF^-oUmu1#AI`Glv6UR8BQaT#bY0@2kLdQ6f~NuAd(+tCs?GHWhW#ZR}IaeWB&?CKw(^C_>>;6$NFaBQ3=N!8d=n(>K33i7ueOWugWKeiiccoBBy@N*PAgn%G_3zr=JhVyDn^aU*(B^` zApdAt=8cNs3Gms<`Cuhzxb%zZy{*cnr!RpYF*)#=yfC2W8 zzlqJ6s2VThy=&JO@RfyzFns6UT46*G6OHe#s;`Ze7iulzgh5G2yVE5+hMAtn zQa$l#hiOHOsZY;4M=c2I$jpXichb+CK=@&YHA{_zPlI{oFn6d_v|+u zpmdgbi^nfamB`^;l6FGhyp49q^kJyYf3$un`yq?kr-G?Fj<4Ye|jmLg@XoGMP-+ z{h3-nqLa}i_~Wi;2iB_oDh9@%KBHCdy;(1MNHuFX!i*b3ublboDG0Y-u}%+5*IuL$ z|K^YOGyi;U-0*6h<(1^|Gp4W}lbPBLVG{58A3_Mg024_RIU~KSc& ziUWtP`u1i?epL}(t7zGL%1*OTlQU8jyJSjTuXj(EHtG6el;mhAi`RU9O*p4cMAPJ)nvLj`fhe8^PNJGQ?5V^YZrEIzy+t2quf+{BW|#PpiwdEGCKymg>RDy#GMUuT z(Y4-=s8@-XAP>9Gm>8_^{K{q8!Wkf$=GRNah0%2sy3OCa9jp$$Kj0`RC=p8={T%b2 zU`4O5E0>1=;@^o1kr4O3A=l+var?M;DMG8|Dd}PkE8lxood%?fBe*(-H};%pg|%ij z_?~jPgeYn!m7{KJRvGyo*B%6-572{FqhF{-*zcD!2b?qMd(s+0x1B~Vw{ZHn?!X{>GJ5EkO z(d0`u!qEj^m7f&)Hf&j~E=ij;^Po zv)?CK2%-9U-Pv##$zz*G(}t5?r(Hy=w>%ZG3E{k(=te#DzJwb0VvdCB)_g{fUvnpy zPE4-^_^m`Sb4`|3tC2#Y#W`@60E8{Tz&X-&&yd^&K-j>QI^zc*Y}vDf(11J;($bv| zQ_@9vb8Z$-2@cEX?{B|7)sHTI#nF{W9>;q2Js-Dx$Dk*`>+=tf{WII1>^E-X=OpVv zN5{a<>f?By6KC?1eG{Qun2Qpl>?6kmoH!?*V*C_Ft53wQwthP=Dl6; zT}VItbQR7Dqx7*^LozXDj#WPE)d1^+Yu*Oz4( z(91yrzDbGpGrf0jR>)QwA?4K~0+g5O>Z>V&IRx$+0w?@O5? z=n$dFu_^)5%6p!8{t30GAcBuIVz=Ded5$Wi$?8fvUb?=*so=7(NBORQ>fzKhahk3A zgI}10t(er0J|xt=ov+Gq*Nwxc+Z3to&)SkDYtVq&xbCX zQnN*GJ1UXCte4k!@Q~XW_*9;1j@lBaCtqk;KU?(4FT%YUuPkB&qr%fL4t92=tcIGa zsR7(fc`-jrF2B|25BRNhc@6}77r@+(*Zq?z9T9q0ZT0*%L5@XAC7_#x>6LsT3_plI ziB>g}xdP)kpB7+r;YrNvr-CmVFWG^v214~-O>1IFe@fBx(HxJPk|XY(Dh*s!9_VQj zcR5G$C-OARFquAvx@Xy4)O5{Mm&?FNC3_8(GMrEE2$)y0AeJ_Sf5TdgqTo^+Umzb*eb=%206;z9nTu)AfFjRwS-;cmkPhVy3#gk#_j;@$^QA$3ovtEW`rCd4$xnq23WfAXj zolax6rqRW(Zh-=sq5^~$XD#S=3%<@VHZiG%XbQ(YQ64L5J~>-)xgpiizp?M}3_7!d}E^U%(Ghr3Ww7#OV9_gfkh za^ldqws&tKfL&S{_0EV>^yNpho?b8Ea*|@lTfKRAUhF?AlyN(ox1|;|!RUs#E~`UZ z#QlJ|K#pbot7ycO(yiXMU-PB87_0PEkI+Ny^8OS?*a5gnzH}b2fZ_p<1$yCa%8kY>L_GL#Sq|7%-hmc5m*=z8p z;)iBvuc9G&h=td03i2!zZH*+qVb{FXwFaOiNr{PM3%^{?3^Sk~eS7##@%=JzzLCqK_?MH#**vPE z76A8PuB}0E{9Wjv;KR?>ZH8ZNo8a@ui3Tzi1Mj@U4Bo6etGDA%t^sHw`WAWPBF|>X zLg#ZfQE=1mR)d@~PfP?`o9yYvKrG^88-+1j7L#KE_!+{@BDxW`)8nv-Z~fB1k)SXk z>9EGB;_(W^gIc>h9;@-o`Ocn`JI%J%Qp59z8umttM)@0(8p>RIA{l`A9N!~WM5P`%`8(rd~Uu$5@)!q)=8NK4uQmYv-59>LX zbgxDI7_ZxQw@KT*VV0}|ZY|F-A2cxzu9XfYK=R5pW)j}L97PAqGaLIg)gamRNtQ=W zMALiNI8?3=)X~?Lsydv1`A-0XMmF#XrGJ>+;KOjvbZ9;jz6Z;DXspv4&Q^2O+YV=t zSK4%Fl@Y0aW+>Vu^znm}`gq6zUX*G0f`g49Ch8e<(u5rQ(g?OYsyfl^UQ@q!Y+pL( z>lY|Y=kF%n#SZ2(1^|2(bhj=3R+*f4SK}SjeDYMC_3Ewk`hUbbAy(InKj_k-7X= z+6DnfZeqcZ;yN+fN-?PZxKF!?T?1GDgykf0Xz-F3j{PoK_>P*c zohp7#su?Yr`|glYAiWU9XBWc2=ad6@;`_6t`CNH`ofsc>MdNk$Kt21#HMZP-Xo!E} z4sZO6l2Z^df?A93HD8Xo|82rbeQ}k~^Mo+AuJN=X*{(+3qiDr!-Dc)fjF=N@37A7w z4FGr!HEbHLFP6{_hz-jY-IE4Wmwl!7>dwwUL(+OZo2g|5o4E(cr%mN0t&D!GTeZ(g zTDZpN#7qUFW4(9k?uQ>X>MTrU#5G|? z&+%xUL;b?jgfHI+*J*0jLD;%vnNv$RoH=ogW;1;G~lS1X({!Rfxq`@n?x;bbvXh?=VOHn>h!fUcPAoNtvU5 z%0Hznd|RAX>adXxk#Y1v_2}g-eAn%1`eI4urs6Gti?H83yZ3__ooYq~3te(Aykusy zQfGhO;Ra1&B3oEQD0X@qeYwOKP*CYd64!Yb{H*cdqz}jwbpb;tV#4WGv&tuLEIf^P z{bo?80WGBsY5XqKTXUL}9L?X^?=lz9#~$=sRC88Pj+@pAkZ5Mf*d%2 zin{}!m-^=?0`IF7<3q}lt(=t#oK8v2UvFkK2hduiLGm%6U6EjTmW)Bu5OQ=VMda+9 zLTzk$&wqZEC7gIvlQ^0f(~ju=qK`$WKR+&4bRCG&u*q=)utZy#n9I*d6LZNrKCAz4 z|I%+?`E$TL;|#gK`7cbI|0UTdKB?{1Q9-^^@KI|5o}U0tgy-)+(7)*%|LZR*&j3NJ zf5XV~p9^;813blV&Oppm)~4vYoAz4>6X^W|`+Kd72Oc%Foh8^Av_nIT zO84ZC4`7ot==h9zHTZBH)$W23+suNiF9Mc9TQ?fCHiea_!vDbp*)SD=DN44Z zo_}-P0Jsh$!S=H#8xrL04ibdE6!3h=kAYe8H-DXH_{-W3dN>XUXxO|pnKnEC+S54i zdb0ltA}d^Q1^5_M+6V86Ivv20?LIos>)aJ9%%AxhKzdXUcUC=ZZ~f)B{gCUDGq77j z#2vi>#Z->nbM;z?D2IV?@O;7d`9J)nkfC>9x}ui69hN*~DJGqUIf4{(2udj1e^^>e&Ce}Hyf5~n&YfZ|+84#*mwTHsb^)bNY( z_xgG0i1%|83jccYP{L25@;A^9^frQ&z=Ny`;ut+_ZwW}aC%Bzx0_~h7^EJ4KszA$S z(^0H$jP&4&Epaw*bVK)-ZLQgCv=ntIyR*OSf8RU18_#PU1ED1iJZ^$gL4(`JR~;<9gi4^|N9RoEUb!rA6@v4fJ$E4!^lBTgYXXup z8Abi#^Ta4Hy4=s6Iq{f~%b0E9Jf(e*uzNWA7=(ns0H|EKx=oN+q5>{3c5gd9k1nkM z?3MXgx%Hz9-~y4qG?=dszC6#u`+h~E6ny0(xfn=^=?A+o_!&haMeMRgKo`0XT!+({ z<)UXfqqBk*iMkWx5lT0=nhS^SbpJRHZKA(+0r<-iy$=YmYLO38{$h~;tIZu?`%sz) zp5@EznEyCmf@s|VG?u%nF;dwakISd(gtup!u?y)Z`iD_RJn(!`i{k8lb-%?;DiC|^ zVZ%!M=kxn^p8h7}t6TzRhPUihP*~1VkR@8)$IFEfF_%L1flIRj$4mH@MMK(^mV7i^qb zm)rqxzOd;ZKAi;v2}O=H9x)!|Pt&$6^tu5mI1qWLr024&s&Lj8j6ZDW8i|A?QT}bS zJ9C)~mWZrq(n%6t2pWdiYB~gI5Ev9nc_J3RZyHj-?e4=q*%2$;D>2J+S%B6ZbiM|n z3%u|iiaoG|bB;r>HmI|=*s&RVNkA*6?ee+MuM9zD)pvn8&P$@VBSuic?q_#Ba6z{~ zsIdN8TbUh-$vc-4L+@BY{01;DQ5A~f&FbCa`3zzNU%TP~Gh0eDuc3!(5Ac!5 zBMZJ0gwrYfd4cTPZ$ZlWCj<{jiFPOj|IFT+3BpiSfoW28z4p{K=$b!Kto^jlQnDX6 z!IAxc+3%!CUq5g=aqh3QTTb3IasAJY@~ZTiaMDFzmWOLi{I3GQzi!L@2vra-Bq#^K zE2Vub<9AYMhtG_!D>3WsgW}$pN&r|b2cRsa?AFGFe|c|DeHEP0I6j;_B|hQ?(KlV} zP?1EsxA9-LP2W3-c05_mns?s*`@Zv^Z>pQ>Je0GYlc@5m@a?bPaAH1&x4=C98A}Z& zT>%&I449)(KRsHIkTlfYkaYj~=IHV-v6#17V9Qbg=s^`g3tg`LRrv|r3y~1gp&wFX)HF@P#xP&sdo~5< z*Pdu?FZIh98m3NY)Gu+O(2q3lnw5ibDpPYWlnT28QMy9HT3QvL-a+N4Hh;e*7az7j|wNO_O&rxfx=l6nNXE=Ps>}5Fu;A@|a z8t_hGXW%q$UK!2YS7SQ!3 zrfu)d4sbhIWLbCc9`kcnTmuo%Ip!0A+3Z(uFTm(I9L{a>MLt*sh{0X?@#mZAv7~-) zUb@~iYZNZri*C}FstSUI6}=kk3wfSk;z0%i3Dz@N zdV92O-SL)Mfm{a!q|Y>TtScZ-)GCB-1M6c4rR$@-bps@nLH)PfJG}L8Dj^6Z{M-I~ zdW4;Sb+bRU(Y{n1AlLFt96SF^^6r!2shQt(OsHr ziC8fpTY!*z+rYA;{ixuFWu?}qBbJ3W7QBlkkcfQ6W8dZZ z52ciItn9jgL=}%)13}r3yU2XKDwAtvdMD{co712{rE#Eo>CthvsIq3g0bu?mFh3%D z@9FIhQ)`ESVeu5sSy5JHA}ZcG1-?BOFcINtL<1Oep@1>h)b_yjr9)X16m<+f9c{h$ zidvPxFx$uI$C)gC^h?sNM~X5F1jFu2U3TqJczgj$&E92@f1C95B8m83;$RoR%ynhI zQ*3M$djLqd)g;$v?HnMGtYcT!mS9)?4{*QYuTiEmVz|l2zs5x)P6P!9R2%tE230Z0 zz%Ekn^}SHoZf0?oMa(AZcpYA(rqX75+#F7fqdF*%IGQ2}_I>t~Fi?0tlAhgI^Th>X zZmNqvdjUg}cF#ce;Vo-!i#3Cv=C#T@UPOWS*KO>XftM;Tx@NNi{SJKMPB#7s_YFNy zr*r!^=vu>Oew{3rJ!-rOc*`STx%7iEIZ;ij^?P|c{BM6eeB&fHOS@2n2s?5HkHAd@ z*9Ln62d#jNOWv>Cpz060675#Ao(KjZjE zLR88T>j?Y7`e#1e7rlh~1knuec0y5r&>#pO*ReHV6^y^#n)R~_M0xaQ&f>WtTtLI~ z1$3q_c)LPgL!!JY;vm8K5ohn+gI@Uu9THr#Wv_*Kx?po$Z+^H=xf}wp#fI^fV(v(u zrs5JTjKg7*TJiDchH~GH^Z|lsst6&Lon=~#t^CR$&B`e>Qz-(pP`HB2=fEm@+kVWm zW!4OYOY;0UL#@%oLy^W7rvWe-%fPb{`*)&0jwO-B%wirQ!F{Mb)Ri9O+fImY<*usM z+Gv64b0~+$HABe&X-Skqq`lpQHEJ|sj}TPPI0&??u?0PTV!?}OJ|O;o?(ypiUW}nE zk%|n_`y{LCT9c@VB_uZ8YMgNcwj;F>5Z7QJ?Y6Ct^&<+e<*aqfqx?>~*?RjU3a5@I zSxaMGtEGfYC8xgbmlSp{cdLZ&nKTELrfZ(_)=M}5hTTbDzt~N9iK&J)JTfmKLXVSs zQR==#<)%6hg~lR;kJ=i+8~KzV-?t7$7t8kU`unN})aw1fh58-$qt7!Touf5OXOWbh zu%GMfb^zEP8P?@`xTPP)*=CqX)7XW z5HbzF23O*!Of#oET|Ygp4XIYps<@*%R*jdmq7^lq9jYlYcz4$OP6nj`?7>>OQTDs~ zCvKL(2;-G)DEpC!cOr_WBt%A~Tjd0VYOy|1v$-`(Q@j>-YZ3(Z`dIqD<}ae_gWY37 zw#R1&RIL=ryrjhu{h`5y*^-p-J$xCwg=d~EKuYR+DUmBhdoiW!Q?GACxSL8%2~P0| z`gC&uw!tJCp=9>l?Nh&+{At8T>sdg9!*n)4G&nRwgKLP22Q;`Ai4()HM+3sE4rG+Y zD-JXe4G#C426s?;q+|Ec35$+0A(z&ESA^|{DKo)Wi#~lgt9}d1!(9v_vu4xConM4u zI9Vp#N|K#*lsqkPabWZwe{j}4r}jy0HrHo#;()^+8XRD{hiuch%Szl@^2x1 zwj0!)28~YRQWkD&jh}Z9r^^ef)o%X7c9Zdh*lrzhB*u}cww7L3I9%*0Gn?m_IHU62C8+6Zpyy7X|JxT zU1~lj+dz(bE>ZA(=p!lsnOJD|3xuIwCp&9|PJHA^hG13nwiyq8cFRnvXW({CV0wWU z^Q?{Y$MY31aZl4!;NamWIn~g*lkf5;b55>S$~8NGgGQfdlyHZ?Dsm@=;7g@P3x55P(Ph z`sVJy*!$@6E^vl!8Vj`>{tzQw{|?pao(76UPZP+(cu*Gq#`qb!o<$zan|IT8kI+c;X|`XW=`GKfHIkK_Qxk z{NjkiAMpb|-q_?WVV3s~*=IF7ebUec^5@zDkzlHESW&viJ7zR1g`|llR`^z=sO05t z5D@b>eFAq!v1C}zQekD}Jf%J5?{FftsbMvM zmwF&qwq7b3m)0%$u*9<(9-3NiXa?lG_hXG3taCqyEV5{#eiI`?O}yZEm!af0R}KHl zej9vz%l6uA4*3_D)}wo57h_92!pc;)plFfG_zZ80o6VWXWynvI$n9EFz-5dG)ebte z-g@aK4G3<@W*Cp8t->oR;Hz~EE|xrNu$!aQ7ITIiE+y_D$E`W4dd#Yg=MW4Z-vETg z{i%rq!y|p9|D5dTT-4mo_)ourxMY3eqn8*-qzW+HLy76$D7K3&Ho6pctvM@2$kqjF z7epK3XmZr*bE_!d)xuOv&I%vhsVL!utJeIR0hdU%TO~st{HTiownOo~)pSAwelyle zHZ}7j#8>z{)LebrDP1De6gN??{Rn19(26|D;RU);@3b`Ul#Iuy5rx+)$Gu{B^TY(v zKNR=dF%-eH&Nxcc3})%3X^vCW_H6H;MGnovkH3nSQV<)JaM~hP<|0UNluN1P0xtPQ zZYJ?2EWai%*~lpJ>uw3tx$Y(LoB7XZ)pOWXJ!>rua%kUDT*!!bL`U5cy>?OdDvSB3 zIU7e>#k!5CTrs|b3PZ=ik8&-R$z!z3hphXjB^v;$wvwB&- zP5CEpMfy5T623U-)w~EGSKv7Gp6>ZC&x0?$;<2w*R9fScB;h0vqna>{Y?XrN`=AU? zBe1ye2ZbgDP-y$VQD{$uD+;av6q*h|p|L_JG_!xB&}4J1`jW#@b&*t*1PoFl$7ybv z0V6leEU%?rzfGa8>!9s0HtpTr68QSALQCg%B%jUEF6pD+$9clJj=CRVF z+sB*iRVsCT1Fv)WUM~w$@WbQ!D~XxNH&66{m_A?^JFB{*`1EwU)uW7KRrCOoMmnZ5 zkX#i-#7DD?Whkm^IvfXQ(4!-c@v5$z>{W<6Cc}x1eqO&=Sz7e_`19QQ)Jk)066MS} zOqJT69YAZFDZXh)w=q&THTL(~_Ll+vTAOJ6?(+9E{qM842g3&?yS!1i!r3)h84)?N zFPSX^NQCnGq}ZMqh~ASR_yT5PZr_CukGworLBDp6o!ewqQ)>Z$110K+(2i zlX$u*gk-2FL!r%F|MQ;==Oahs4MHiy;?t*-R3Boo;3`Ft?~uvu_Qw?qXZI zWAfRC{9Tc9-4o5^i4AKx5od&PQR7{NkZu4$BsY80fe9#PU8FlZe(IVqa-?ycdW{f{ z$a0bK3bUlcw)t4*L*5*@GIbn2Gxo&ndBonNx^Ed7=82NGEPdl2{MIJ7(TV)OwLv@{ zT8J$wXFdQ8p4_7X+F>ZV0q9=_76z7>K7V5cUC9N0y2rJSUn3K^? zr(L$xl%R+k5+55w5sdno=iEzrn|={j0|Z;S{36t?CRDys9%y_KXlq3ikE&3vmf)nm zoI}ydjmTefiLL0kk3I$idt_QijF_bomI@cK zbf6oQSS#t3PvUyhvC7_2a$_G{S*othRXe`s*V2^YDr#l)>EOttWqF#%`w`Xrs;SRc zU|_&)K*|~mMh;7X9pTdCfp8PQ`^lZQ3KZgV?wv9!@u^Rw2%5oU>;%wWR6*-7nY*`E z{t}Jj&!j^56OJh@rY6+(kXFU@j4-}_$n8L-x^qsd6*d%J0qO@Ilg)Dgb!JJO9oBG! z$#UEFes5m)@vNG?C4N5FN;Z&Ox^W-kfUaAC+dj??+q_{H@DLpnq&~A2fx57GTjr<< zH4lX9d~)LTQfU|AgIE6g-+JjjQf_DZxohe>pXsMQ&~F!arX zhKCkb7gWPsk~Li{O#-=Am+P(NW$%s0YD}!cI0&>gIjettuNR&e3=qY&{-CiqcOYrK zUJXdJ?h?dX&*lbz;rDMx|MNsvJTLP!!yYN^!jh%*+SjF>+Dkqvoc-EG9LG#H<1_Z) zqL|BPzWjc`q0eW6ud`C+51K4T#mGeYM_UV>o8{bR>0c007#GT-sMD)Qaiit1%@mcTfsHe9kTW5WGKi}L2r^K@>hs^RZcEkI;i zxS%m7t5feiN_Wt0cz}8wWGJ^!>8|Snvt&H2u?G@)#$^hE7lA&L`Wk=bqsh$cy}@}l=6IY%E>n6*{V7hAIC>?aA49rxrn z*ezn4(6IGP!??}=5{l`|7-WfKY6vMuv~3M2P|tUlOCt-LZ>UY(E&PNZkrE&RTjUxR zwP2mope?+PSv*f6Y|zp8PSIwuC&ha~wKH`P+#le~p$Fx9-_|1V!{M|83fOW8XdX52 za4ywO<;H6cY4p_s5fBoa1103KJ%9Qp0h!wLII9|;$xMUXU8XW){uAr>Ww;DE=U}t2 z#?U*>aK4$XrGAVkvW;>T_zdDzFT~~oOqshrP0VodtBX@_>BD~H`U%I9X})*6K9>Jk zWg?71KlL7s*eD*Jr|S z#?-e3-bN!sRqDpx^~$LN+X6=J^VGj+V}6AAuB?HJt74uqMGBX>8)^Q~#&jUsm|{Il z04G&Tg3q9S$}>s0MKPb1bJ0X4tI_+z1&xDniiauJxd1l`J-VC!dj)y$)E;5;U4O-F ziGTSRH2AAfF{I%zZ87o3tlLkjUGdLCxEV=*&|qGD(=kgRHZYo=12p}X9Km=7=OfPr z>4B8!S6STzcllYMWh6}ZX+QbSZp`EnGuv~9!MSpf68U0B&(Y&TmU_s7X@EdAFQ18mc7wGRgvC*-1!LqEac|-+ke8OtPo>~_>mdWXjBgy zKIY0FWZ3j&fDF4>1|_6j5gh9-4!LB(q1==8I)HoGfVEiIFdQZO#WOz+lSMkBfK@Xx z+w2mFEl~+7v0q-`X{ew&H0+oxp@^M*KWuZ2z^pPiSS|a@r`6O@2pGm+ERNG)Uu@%< zG1(LCOiRYcWg=vl2siutvRaEUPD}|(`~DcIcNIT0jE8d!b)?5~4|rLXA1`7*0B=Sq zNG{Cmmw4&^0SuJ6UR^I67*I+r`fy`eN)4Y;e)jPkKwDnBhTRGG<@x%Oye&^^E6PH& z&9U7|1>oo47yOd9q1jm{%m@+MXH_w#UR9eU>%2^3!=F^EFm_N>?313o+ z?!6b=_dwg1waQlM!iCkNS2*>e2^I=={PvRoi&Uuf#;P`&VUM@*9WF(G^G4u*wD0FfFsdHk~-AVX&n{=(;S8mYVx!&cgx;P%<$ z-23bLuKQ`Zcd|7zIXO}Y@MM_CDtK>(rRvzjFdFP?Pt$lpinHA8q5|P{dN&<8+le#5P;e3g3ElSMgEfVYzxQ-NSjSJdI8>- z_0+$3Uk2%6>sawOHiWoxr=WLoS`!Kc2~Bn-Dc~5Bq;1>r&~_9(C8`^Z@OZE0H5Q{;EFjRoCn@KVEE*>yPkscgK+i4(?Pbk zhp|T5v*oYPBmf`w;iapHOrz*`kj;2UfLo9W;^UMRsC!Mu>;0`k#8x>L>A_?+xR+ z?``mexwhk)X(i1#Iw%TFZoS*ST6{VBlaUs4!m*lM!7@GrJ$r@3Hw2y=R>@C( zrRHxgx@y;OMQ{&XA_1`|HC_8w1dK_Bfy~Ps%vq>5!xW4q)Xh%)j)K*SHM-w!uWJSl z+pJiSK@T5u$4kewF3HjjomFP(o^K=?0A)>O|`L$-ibaJq-9vLntB+%AAY5ufa=RMKg5tTNHzxjH5axCbEEy$^6) zJq-4Qra`Ke;!I1R!kBbJznh8J8a}=)jWN^0J%IGHJjLz5O~h4W1Goy>Ek#O#fr+VY z3+7S{x?X9-F{*X^U821fwR|<8?W>OjJ#zv&tDT=cl2LS7zjZJF@e9LqL2pK}YwWVh+dUA!d@2Sgr z^<7Nf72lJ^BI&YU61_ou;PWSiA_=m$LG$Wv&@hs)8MsDtUdEa@v4-^&$;D-2$t!?sgndFGZsS!RFZJe(+*laJW|n)*w8v4fu}{h*<9HOKj~ z6ueqnb*Z3<6=n9h;jjQQKmEfx1ecjBE{{3GF0gXTB$ zGr1#96aKT#LC*Tta|vou!{mZ85}iIK(#0mJOePk^1Cf*wGlY4PJ~V2Dax4-6-r78fR71(mwIt+(rz+yuN&&JP-T4`IAbF`YWYhUVn0QX9CBN%% z@zFR4jEgHGTI&MW7mfF7%G8?dL5Mhm&?j{$Ou8i9XJmBoTbnV3+xmhb)!|R6IS2## z)6YsZ3xqd<1#yTl#{`o}0RBqV-AL}QhugDpQOe$||u8F^2XBSbuy@KX7jHWk9KSUiGoe~w#VplGGPC{t<}0BQOMYR2{e zdkL8q`>|;RGy{~P{H`nNJp`00Wy60cRa(t;RM6}dliEJ`-IjhYM_fjp2?z!4%x6XM zloVwqQRvdyFrcZI#Ihvx3&6~|zkxN8hf`Um%t%zs6ZI^5Zn6lD*CDMTQf4t zj*9km)9)#W)xOHHkT-T%2sO8;C`cTaY~{slLYQ4TsS0-c#q>zU@J@H0k86&l;N z!9pJuhr4ey7eU!t28&F0g@Vn=Ge$zCC^Vly0hq80U9lD)F7Yb@_;{2$GB79ZcB}cy z$7;rweqfQ~ryyCI1IFH4H=Ao&!zMw&suw08IMagMe#3+wDH><#fAmd|S(74;*YL4& zh|gegkdkf`xJ3XmPkU1re z$6hSTXPwaqHWSSuq{%QxuFX{>g-KU-$N4bUpJ)6MfJF~wbGVssY8giYu8|BnV&wpz zFK(Q+kXzgd(-jaVKDbs`Q>k*N797>bm`;6-yoT?HMF_~BN`dQaY z4*ntMq+)x(@lKm_9GF*AF0So%TtdvU4etsnP1{~IUs`B^e1znvTY|J?j?-&OK)cqA*P_F?ro{?-aAHotMWF}AEzO`V z{!Go-+GE#f{}DQfLGnrFfoRw|m9#CdeHQ{Qo@J_hKLjmpdIZ?8EL&$Y9cp5Yh7}M1 zTZ0R+%TnpIO&e!*jj=59QB`r)pxB*St#;V7S#(1_P8FSs)qp7yQC$6qZ!b*e7c|1lHs<CP@nC5rU;AFIhK}$`K|}5xd6C6COl7||&jC4vW+_nh6d!gw-ULZ-)`%OzK3x_ z1vP_qbu?LZ(6X50RspWQ*a;LN8m?vvsZDws7Q(<^cpVwT=rT3~#y(g%Z$&KsDwQBJ zmGgE|33%*?L|cVdU}uss@g^}@C7of-p}rURXt##9r|YPV0vCCk6M%ockU&;LLv+TU z|FPe?tH_Y661&X=aBH!{q-n$5Q?c|Yu7+v3KOm@uu&7eL`f$A(X7t^q{=N`1Y?KzBsbK0@W|nyS z$8Cpr`$W6>uOl*YOFBiCHTvtRXiC3|BKUhPm8_UFnlIzR=`szqv8?!WK%n6B)qk%z zHpsYe3C(TrJ7@!9>8&kjrx{U0=hTb#%c0+33c>pI`Klq8nQ)o|?@%{2mFVblF<_hzr| zVZ^cI5{UnLjPl?)hUC4?AZLJ8iYG~koz-;&qe?Q4-wRS%Ucel4eqe70iYgxf+}Mpz z{R5=z?D_GZE@OXf4vfAF+j`<6&Eb6B&Cw~hb*l_aLMYyFR7(AgM>_8yt=+|L##E_D zB_UB$el-deFGMiCxN0afGHtL3_D4=L4vI%KNMj`|A>|_>30=4p=cUk{hYF3}*d8@! z*unBt2ue*6tF46po0n9imBovoK&O)%z{=CZIBNFx@Nf6YaiBD;zX6=$km%bD{nLX8 z@&zz!Bhe@d|JbQ5HS=K2C3sq_ zwW1m_=mnPWfC)ZVni{4flkzN(*sFhF3g(E%&*xG@{{riaO|sXj$k}S=??QA_Ol^fn zFdbZ*yV z((SYcOzNZa!ZbZA-IqaCima}$tDd~{Mx^B4W~G|weV&Ug4hXU5W7a`{#}wKH@tB5z zJDe+Be6r*IXgi6rV67uVbt=-!3!OuLSmTQCLN$BV-^-CuWj#vj)JtS>wTW@r9YC2D z2I*?G7HdDwh+YPR)2YKFkwVvVGSC1g_)0VLLCjR)a^|PpPFU-^P4t)%L?<01m|i~3vbTx^YU{Xj8Y4&Y(+wmutcpk>c)Mrf*+;A!Jg%XUuE>Wj_)U^a0+O5YNW*>127$yGW3 zq1MX2Hgv8*toy+Qd)fAdEpVpq8f!>c1=reN44K>N+6eGI#NWT+Qi!UgBJdNLa?P*? zVo)wQ9iLe#H;-nUs(SUa8QL>O0w=$Sl8FJiiRK@2(*b*l%jvhh+90O(T~mG_T#C&` z{Nc0>7+q|>czUu|YoF0fbFou=_Y_f&fzv7#Gvq2O- zL(d<*Z`L$vlk8-;(H?2`g9@&$owe0``8<{&O3y(TS4bzAR~xiG^5tB`4Dj=A&ztbJ zBuY@dM^9ez+x-I50qDhFT8R(~)bI4^Z;922b@mj`n4p>GIzlaPz=`F%d*O7T13g-5mA9RwB%5Kpj;M2`QpbQYSs(vcQ^oCkui3XiuKf!LN*?QC3 zA%j-Eq<^N>_#fUWx-QlJ8@cp|;mWR18mnf4C>bvxZ2aoMBO6Vo zDjx~Kkodk;%A>)TO|_0w6Az#3p*Tzl2|RwToIWFx-(QuT^^pw|woUVB%;{oTWu-BjiNdMQ*I-T_Nu=yK0?mc1+Z>Sbz4> z7a-m_>OD;gY@{mTy&mrA7!~`dciRX^)59|rUj5FKbBYnZTdR6}pxyDT%^D{s#%}Pv z^-=Wu)iUxUMrY*gvqSj}|G$Z9iAat)%v#>C1)w%N|z0t6vWu*?1phIYI8sU zEIZO+d0jga;(-lU(v2WJ2G}H0(meV)Fy~4=lAY&aT+O;VQu=~K;;5h!bRgJa$zX<- zyy=_*k}Rj2M0Lqrbq9vAXy&L~(L_-f-;$!48Mgb11T0(aYr_$7-fH$+sHqNf08aYI z)tKOnYb$DILViRRj9cD2RtNYx{fmS7s2`~%*pJJ~=C#!=D~xlZ@GB3t_ae?`s==AF zbhd4DIRx1($#cT4VAz%Kb-mD}?q_`qCc(o{-OKPpO{;6uLqMUDG+Z7MAhw}3?sR;g z>8B>1x4`%r{TazsSYvl1c;zG;80;axyVsT&RpB zzevR^awf(W=)SGTM;4{|7)f=rypGVwqyeL0yGKSzUH$SV`^F+dZ+g?eVn>ObR{sxk zZyi--+phi69nt~{(%mTy3X&3%GAU`02656U(hbs$NJ~gfQb2klDTs6~^TCJ7J@5Ov&g(pn<98StV!NP!yow_vkEj>IKSrp&rw1MezDWJl zUG}f6Bl64tH>@M&vVUV8waSzK-?5HRSJzx!u93PnB&`@?=~pG9{Lf0BI4yiYIOLql zJ^DRa)rm<$*z$+_tfkeOG(OdFSK{ksOuwOa-0WwMdsHBLxz;TTgj&<39F>h-r>-}> z$7eSOKU#Pa$kz(xbm&)zT@JBOw*Wm zw4i1sr-gRmT1)wwg!B)IS@E$EmH7_euPw-I4nJnAf{spUZ_mO+_LgA!4C*7{p`C*p zoLgxMIIfwhBwyeLCnjyuewGojG6JQ`@)?0?EBBdxDV3?+Sy`qmcLeJBkFDl6-fW|^X?!qZy!93fFAr{4Y{JA;qI-9>PCXDC+K8PoG?%{r}c1H?x&w;K}9)o0$*A6bg zSa($ZvP14!J;4;2v-)w0tFjaBDp#ht?EPJT0IsiS*{GYnD2}db_^#vCQjmL#!oquS zTW!O|GBaMBD1NpUK)gSP6A84 zunq-9Wn`bR^RN{4>>NKr+P%l$2|ml!ABM0~+1`#XGjW8A4`TCTkM3W@x>^!SJ5IG{ zk_@KX9KFX}L4CKgFqgb^fnLSj@CBo`v zGZmIQH&6f^hbycOu?SlwiU$OgacuKPd!bF{iCK(5#UCY`Q42xkXFr%0^-MpyPnu^D*r0X2#PP^D$5DXWJ5 zy;{mGM$7d%2cu3yO9TVF{HP?+cD(olh&O#=R5^QFQV^pBFdXG#_nH4DDH(OentS!# z!R~B-sY&Pc&^tamUu@@4+}uX_C0bX-kD2bkQAxaDUNT(ixu1#U_i;Q&7K2b>Ie zQKpr|#*jT(8z6GFTQfOn|NdeEUB?O95#hRbBE}+ioY7)gMUh$d=dE$U&|cEWxVzZ{MY+oC^{M zn_|>{G<(=hZHw+9m=z#IY{E4k%xM4iBUhD8 zfv7<1?Eer=N}>YJ=S5wXy9bCr)aqMhX$XST+YJ5-m;dG=LMKKLiO{DqbeIF*Fz`QLtlPO><^f{tqa>VNwW|MC6N z>VPE_?N4Zc`loU6ALj)B_F`ZVHoz*GE)K=~`PcmO)&J+4G4}wwjyqX7+5~s%pI`o8 zevQL8`Ux;<(XCRQbdNURdVr*$sia&4avL(Y0f4A2)C@svW7I$n1ln8m;Vf|xVJigk zqRP1S#b3}N89%hc6cMT0E4O2iOxCTN3kLFbz$71q|2gt+*J}$q*C_`)$#;;iId3)( zS&(Kt!D=Y0fIwJ*Y$5CsDBxEi$W}tuBbmARSz;bqyWblKM|O^p+|)Nkh8~sxadRoR zQS*d-d>K21RRXB-_u z8zSr>e{Msk^6-7yj?qqYz4kAJZ+I3YccNSYH*;w=mnL(1ymR8ivq>;{EC5ymAtBo_M(eNXHtEBqw3gbq znCgnTyePpK_*w|SOWeZQ!OA4ix8KQ3bsN=MgSp=2CwQtP97VuPh9c1hnD#+J2?9I- zrS)%m^=JmnnI{p-4{(rgaZR*({T~lbAPTnNq#qLkHxjr>B~k_eJxZV<=Y^;(PHq6> z;eBrfp2|}c?0Y>{_OWt+U6UCndJS6ChOk4+cz*UZSh07AKHcBm9%djS z{uKNoKWeXbwb~w&4tcz6zdp$(W}fo+(?v~`d1lZ7vHMVzw8OCo5{XL%Mnnsw_GIvt z0f88pj3*y#qzPDKe35t%XvMG(25ip_Kg$}t&%XajIOW&D7g{|-r`G!4>(HkNAk%6{ zV1MtOKEwIDl3sOPIa}+)8SfE_1h4wD6)<(3*j{L2@{V*OM$>qY#;l(GQnIY>llFU& zh#r99d&}euGRdD$Qy9MFLvNSzy(j_C588CPfiZ`cLQy7#AlrZO;RM+N8y5Tw9h$d_ zKiGSM%iwJW!btKbT<*sG$HJ5=ilSB&U~o@({qeuvHE}F~zz3rydw#bP)F@D^o;rM# zRmYCSznFG5e_@M)LfOX=SQEQYGF{%**MC(U9_j(E#y=M5$*V)}1TYO6dHxX6{vItn zs|ZNdCR|_;wGD75x(L<^zqDyEvDHGGZ!2$J-ye`GC2Yv-rc-0J z|LUVowPlJy?_WT{zt>htj~2mA`6=kL*e*~j*qtv~041s(!WYiv&+0f2`mFz;J^l0U zV5gq@i_>%@OI)uNpd{@O0M~G)6b%)w`XnIs^W9aNEJ6GB0%eLEu|`iexmnkLdlC5o zP_#=xl=D={<26gb*;pt=+yz{K{ACBy-1=MRY((_$odaE&4p`_($rZMvC$G+rCV>iO zul@jx`pW=ILATy9D~sFxgZANF)f}lGDxMYfQv*qz{x?Uo$0OosVGfeiFaiIlyT0&K{PpDIWfwsH` zVm|*ISb8OQ_$r>)C&+5$SR0*8P;T6*Cc3D;SGuc8>`COHYhqN=1#+`r0a znGGIff(5Y4q~+Bv=|w6!xqfcurrP~afAhcOe;)$$rt;A$GtO?&8sOUV=2uIpkxRj+ z{0G5kyZ;009-z-9S(1kqt_{*QE`Y7-c(vBf@}9&q1XL^T`azgr{jWVg8$r(%NBM^8U~wG;k>9RWx7ytaWihvku97 zAdKNO(RDR07$Gu+y#pw~Q<^AGq~DPSgJylGH4L-NpD@4pXps}Z^R^I=eYUPg6qn)w z?9nfIDOM1k)~X}4_e6*6ZM+*(Trw;WN;#DE3iuJc-#gYppZzvRI32+*R3(vS4|;Ng zN!~PI5-uZAb@urh0-&uhZ&Tx{)w^ztzy?~(Vr@F~^8!Q+}rB-qZxWsXD}ka&c#9J3p;&5L+gMT@4($-V8-9E*C&gP z2f@xDy0J&cf{^g%l>*ARq#e-AV4siwr*Sa%6`Eb;{SfR!kYe>5p_JVQLg)k1amE+~ zIP^Y%tJ#6$NX1P42$*4hsBBtK&$R(ep1N7bmfaw?=}rUdtRgV~Y+4)x)kmgX20Q1A zmBC&BAvZA78e8L~`v_2IrQn|$H~#!nzDtqfsUm=D=Tgqdy(5r!O^yj}{WVOW44 zw}8q22Y`Z`Zw?9f95)MMulyHC63`^IdHv6rBmxtALRu*Z;xKorwfULI3J7venBM@D z(EooCNyoSUEh1@|OAfJSfLI<)Kg}SM--&U782D7HzHdn&C0{#1!(#LJNTcpcE&F}) zCoXUTvCRj2!DvvUY-yl-oOfft9(Lp9Z7>(8V!Ch6cNf7&nyb0^96;^Z*eTw7hTlY8 zQ|KNSh&UZO`E-4GtVA%N)94=ufJUg4hGKo@o1bs?!=xXx)8z3;0AX}cNt~q`rD&t+ zyp?-Tu|jr-jk$jsFXO z)!yfUUd-pqss#)pCvdp6Lu9YHtq&bon8BtSXW_tOJ_#6_J6x4t)>4bgS2sZadg1jU zb?>vjaaRd>QHjfM^nZ1_=J5};`np^0%+p?3Q$a8HNJV2@p)uaTI}Gyr9zI!AmgbS> zZ3hLG1c#cs)Olet{)GqZ(K2Oe@A=^hC>VdXCZ^fa5%xuaK5VL(jMGlqYVK9kCq^>v zHF2hSk6ei*SBLJxZ-1Cx@ccE zWqGO(-(FyoY08$pSda@*%*WRGIFV8)rzl?`|G30Rg;Yl{rG#lJKkr=Sc`3VHbbjgU z+oRT@ouMYTy{yamAM-rcQaKBIKhnepn-;`9L8DP%!?g7pxFRrNZ_YX6QkM;b_#dnS z0+T`qEaJQv4_$3P@OdYedw{ykE$F!VlsM(XftHHZxgIy0%c0L}J{a#y(uN!jM$aaY z{i4ALHn4eb&D8MIbg5uiw zCUC_yo0O%_4EKoZ=wN?D4GXta)Es4B3C4Fgc|0{}yZ<3}BX4-4?_!wRf~Z(Qj)vz# zsquLMK4$Ifo+ZOyYR>q?jrf#$AHQfIu(#t% zlrceefJ)c5a7dG3DJgl~E=)MW-oo<1N58B<;X8J9Y$^Ixj*-HV_KfA@Jz4E_2Bwn@ zfW3j{i|i{mO>(RvCvKf3##ahScb{Dxo9wws;FpaK2@Dr3aF`V>GlSU+#+i=Ug@p`9 z>yjl6CcK&*`e+mB9sByUgMQohENahSjDR=aMk(>vck7yaV6L4en9q}tpP|=&2GsV? zR`$Y^RA2+^$=G#?{I$ob>qkwMozjfxTE-uCfxpD~7=?t`ltqWqTN>Aop%i(@lbN8d zpCWmZLvrsS^<#^kjX*eGPV3hlu$a&hWzb*X(PAonC{`HwX$)5+=O)gfgX7gHK~Qg# z*B|5*8vdOHa6gV;hF+=g^{$Tf3wa{SzWfLs>0VVdEm+-HL3X6DFoWHV2|ruU^uCe8 zWaoH%YI*Bb70Sv$4+mvKRw}4%>Sv4b)vToi`0VHWPik`v1oy2^qMt0i7|Z@5`K+)CZK|XOmCsPr-<1>CsJinpMR<-q6XP zi)!tho~0)zjcuQvh1$cq8B{r?6C}9BZPd@#U6iup8KN;T^5dFv}C%X`v}$ zA2nGVDq{~A{lPZ^kosMrR+OyOp0Z#b=sloHh}PH9{hb`a}WN@k4{%nP$2$p876 zK5nz4oUzXtb5c)c#@6A93%QSS@`Uc~6)bY~X_>yIRoXta%^4Sw&Kc)rkzwxHT6ftO zw3VYdqDgf?@u!_(xGz^?)^>pXTJIi14EnOWe!W7NKG&Sj>IZ`(=xb(*Se)mLKAp$+ zlny1LDcPP)Z7yaW!zwREnOEA2q}5lbPVB2IGsXTL-k{-_kIhlR>bXG zyped#H0>9$cUklqr>$`M2vH_Hg>-P}vIVew-NSCTc-N^!!!~btKE&VHD@reW=MEYg zvaHO%{E;h$WwCMkPS@8Kr97*XNeFvjj1(6VQ^-ClmuAL?@m_x%!|^M>!#U^SXJVYE zRG+D`)jPHz`q>PfrRpbr64e$@KN`0lbO_`v;ga_&y8%(Z#P4?jZIK;EB~M;H z^l1G9;KzQeA*Gr|;-wUGw=v~=$ZcZSsMnqOBf`hnz!yU|$*ibw8(Bh}GwdDtlCO<% zwP~RGr>>)p8evXeA!@}X`TNk-_=qIkOmf_U?J$o=Zk#a#EL&@INRiFlJ1v>?L!H%f z7S9Kkp$W^?0q7jQvs(IEHzk+Q1Le6cAMHyku_>Lz{9H!?NiScYr?bmkE1;+pQJ%47c+jq}oSBJ{nihSLHx0$L2U;aw zZYSeYUTZ<((Nw_gr+9s9QwU39BMjs`!|#KcW(kHnAvp!^5wz>z#bG)R#&e6A9e<_HmY7m4-hyf)pv#Hf-{TiE^4S;)|NS%h1Uy_McEjv*|uxDRKpW)YA59@*?LmJyN7kIwgXqh281ayfE>_|NvA%rsxhN=Bqcqus6zvJ*Jf!>s zn%ooC;tt;lP_vV=9)8{G?U-~=IK>VI_zp-L?JIOESsy1o2tjXM&3Bu^#*62Z*FxffDfNKA2IKJT6()K?@i=ed~@e# zei|QM<)_?zH*mU|wr>T8In>jlE~z;Ki|FkxsxS;w&Na3YPs`F z)ZRnKHhx;l1;z!R?qb??=85no#TFXj!OmTd!{58#r&S#VrsaobzkNI$rA$;!-wFh%*?lXHUcRuALQ4? zz;lZ(K~_x{84->{3YDlW8!2}QD|?hme9vI7mY||Th;go?r3;ZRRQ@@+p-<2>v9vzwdb`z}V@@Nu|W|1i3tsd;ecjmF(V?;8EK~-EVI}@=<>5tUo|2{fx zG0E#J)CLYw?4z@Jk1)|GhMmiX&P~eMas|Wd)di4O9uRn?A+Lx*B!hV(a1c-Jr;Mc| zcVB2fmismI=7s9UVFWO4^Xr=jed+STb`#xD@wM&pLUpAVFue*~Cf}YuWGoNO3&=+$ z4d!E(ug4Y1)|gnup|xPsiWholq&9kc?pfwkZ1CCKH~Lt7PGQAxd%m^hd7X`BwH2DW zo!^l@<|E;d^G2@F{4*Fo?_kgZ5+Md9F`?ok|4oo+L(h?q>>qgZ;)K$;_-7*gbP15)1}=gami*_GlSd4R172!L_o(E|yYeh5TQ<{9<+p#3|F$ z`}d?NeC3OinNZ*O_{52e#Oe@u}eN^s5^dr8X*vvA(l<(G7BD3HWo{4y(tYU z&mF51I;{t#@j-Sac+T{J@{8;jz^H`#11`|H_J(i3;~E5#*_gex4sOXU=`f13=Tv;H zQ!t#b!Iz3lPV5zWxP|r$h2Z#eYh#&XqX6@oS)||ZK+u}g)3d&IO_fi7C5C+8H81L9 z-_e8ST4g|AH_IiS^M|K7C%svtJmK88IIW_@5Wt&aUoE~TT8wWX@yNLDsI9BrI!g1R zb&109>yTf!QE}Hb3nBFD$oH=YocmKAY3&BFX78S}cs+m>L>JvSTTcM0@vQjjCRQqXQO82$l; z&&VG_4VH~8aynsVCnCPl2l1pgnMMJm87R{Wcb^Sny(ZtI2 zcbD}QSOVO8h=9M`$~ zzP5!ERd%{HPx-?RVH=V^jHi5Pwz;$va&s6WP4)|}d^_vwcYNiW`k2t)D{Aq+*}pi* zQmBwtqGV5^<&GRjYy2kkJw$v_0fj9a<2cvkMNBwu2X159?hA=%oQmxriEU`j>QVk| zpO_?}-)AO{{9q-zu`OpA#gp92r#g_hV48ik!h7WT3u|JMj%q2VurEe&!LRy)6#4ic zi{BS+XnVGbFekC*JVk1+T8O^!So<=oa}*_(b93w>TlsyZy_w*8aPLdc!`RZDKIQB$ zE|~C@ga%}{k>FtRKI{P;=s-Xdu4}aTeH2_tZnmH)#g7Zy<{f+^WYBC_LZk`CwfkH8 z$KvZQut(QEXFbn3)tvj=H3_E{b+EamY(YDi913!%)XW2Y>0yT4iOiO-$}%7SM`?+8 z4hQ6O&+peK{eGlTLJ@nB`t%4o8KkBxHnWjDJ(Lu>n1YL!Pr5bq>Rdr96NP!<+nbID zRdLD0n44~FoQw_#FS2l{X^o<9ic2lJC;lxHxF# z5rdrE5N#KDzlc+x*1JT2?n;-V@p-RwO|&b=THJ1XrGOm>K{3R_EI=V88}f45CH8uf z3O{e%9Emg?kZtzXXaA%3v>-!c;tnBs{UdDB9=&Cge=3ix|oH&R2#L7Hq zmD$%Xvp^%*gEk&!Ln!oHM~?h;%l3#l-gldVXwIv?=OJZVUQ`RK%w^)o-ts0g(2Vj8 zgWu-QW{Md5ZG(xO=88#j{0}l+Rv1Vnhy32!*U)rks6|&NKq&45oSc z6H4$KwXJ~$y7>0-^!Un!i{!Ijif?x|7BCG6kL=JRuxyhdLlMxH^;W@YO&p?k>cfwa zH9ZvW6Eh4>kqa;4E)!^^9Vdp4nvx8wj!$Rm5u>X{tG2asqpJ=*bMXzK6{NF&X8c%z z&9wJ^+!$F)Zy*fH#QI8hrblGI9!EHG1%)X@sD0;vA&oe7hLV! zAY)?~g~#{skcJK)P@9|2UDDfc>iQ*tj9*5;?DE@>by;A`4nM-P(BYXZumV&yg@UOw z?jUE@{%+!Fjb(Rq%?|fGt(VWIt}v!lAi^tJ6XWViQ&^9#(S3`Rao(+;Rc=kSSE9bL zz&2j^9hS2Fy#7K zh#sDq)8$r(U6C6QeoVjDa`k}OV5;G8vz2_G$I9SvKM8}TpX1-!6@N7^;sj83ZNBQ- zi0+ivmY*!f{A^jcu1qE;3$!<#g@rf&7~5jhuip%#&ep}6>$wM+A)t{EO>rlFz(M>; zAFBA)y2qD+5rW(F%riN3=L22^tKID+^l0i?+SxhlSr*p zYKQvxtVXD`lAC{DS+)frE5Of}tfd%oZ+|M(Lkk4XCH7CTam1DKY!2BN zmB|&4;aF@=C7^0&T3=t0A%YRl@p}TJZM<++U=`-lNm|n9-wt~wjRq13FWQweI$>(m zAa_f7@~;R|zP+Z|N!#H=XazgN;uZ7RWaFuPN`s(9c)Rlq6x1jB=hc;JRD*m{<~L)3 zq^+6uX1>z!1uzct)+0LDKI?+7#V7-W)ai6Gw z7KfVot-@9v5+nF{z5VpXiUepPN8tHSthn1$w@r6hVsJMBHag^ATW$aKH_{jxajkvM za?O{`abzlGtswC2`2mwq7nw@`WF8pfCx;=t8}&AfJFj#l*yUK-Dh#993*+ls^^2&= z;!zk7$qD6C5AH%de|S^~(gZG38N}BmjK8cL#r7`ajFow7=_s}&)r7S=Lu!y(H}*jB zL=&s`%}2H?#z?(+>Ix05C|vuB`V@~AJakpDyn9-uOgkLpMw&#~d!TxX97tF3im!9C zOhCAR;oWjpMuo(72XQ9dUmB;p0FdZ11VRhhXKu+*CV^;&&e^b2wy=CaBd)`;-Q^L+w#S+V#q9r`m zzw9LG4?^v>ryCdfwRejDToT|s$(1DKHPSUY%dUOloeR zZF#nuz*YSwp?CYOj=@tR{nbSje%7YnKW7ANh~!WgctLY#pnIXFHPm*R~wIJz`slZOp2_eAcTJ9h$rS;oW15ry|N zGOQK{TIQB<8{T~8x+Ya>QS#KB9*!{+y^a~**H9Qmo?cy7da~0FWI9IIR20>-mf1B8 zj^uY-*i5aya_aeXo(+=u8|}VZ5cqX;KCDxmJQne;_IwW0=XoHUqXpif>^df)Z)LI) zhGE+DkqgaFlzvyh1$_vSc6@;UvCc#J#*PjNU2Y`U6(>&-WsPq;Yb?L|40NE=bG39h$-V_bIlCI$&sv0062oQ(ztBU@J z>{FRhaEN#O+QV=)ihS$n;U`6aP>F;qe~9~-e^Vmn@x$`UiVeQ9BHr+3+e<3vyhn$7 zM{opljSE$wT?yx&^l#ez7sYs$c*fzh)t-`=Z6b+;A!Mox)gYaO{YvMd^Fub9NnJh{ zq<)E)C~y^yiaM=pm&P6yJ)`3xSGqs#;2NSRyS^g4HMvo^{kei~5~GQ=7Y8tO>4t~J zvF@4*q55M1yLoGn3XQ%}clguFO>IF01}*ntwCUsVD1OoUwDq)6|AeRTor}nuwG^BL zVJ9J9i5y(>tm&)c`o(VbHMb?6ZFd6(5A4?AlY+{nr(#MEN=1h9w`H2y9z2Fck+ea+ zqPPo2s4!3;*;IYiVBEbjI&ezzU-2PWrjC&xn`do{P8qbr3#Kpn5b)6V!W}X4wfE`9 zsM_kn5_H?42Z^r*YmGGxvB&f|pUxE4?8++EpK%tRjj`*-!)Rjoo7NM{H-74_9S!^v z098uNo;|0;0#HKSo&6aqKJn>Jx-UVS5@hZ48~MB*B|NV1WuEQwl{oD)_qIk8T0hZJ zAJER@95n$pkZqtOiJ@nzb$1&#(u)u*PxhR#q{t$@Gz53j6B%+JnsV_^=}`eyJZ4QF zfMCx>1O3!zy0)_I>t=d6UKP%3eO3bqkSiggfa!`xALlYY8l)S=Ywt{M_8~oPqBl)O zI?7X{-JEiF^TXYeANEeixMDs)gZwf}5vqC^+hOT$Wqd@XY_Fr;@q5XnF{+OV?q;Cw zSaf4thxhI%+sfqY^xSv6F&C@_A8X5fWhry|RO;e~-32-A1MOF)Vm3XCEBpHe^y&Kc!Y`vDYpEv1CKbZVC2y%7I*m77#5y4gSSY%T6Ka&!I(W z^9}JQ$!tH#8~sA1p)D!Due=BVY88}gDmfmq69U`6L7J0Z=W)6EqFaJ`TBAfIl!x1& z{IA`t5v7>Nf8(+>O*e0O|Fr1~*WP84tuWyQ5rh(ydd+5QgZ!J0CrzoVhi$&!Ly7ca zmXD&#RDq++s6Sb8WgwY5e{rc3@14K%yHPyQKC|*}e8pCKAR*;4!f*zAHnGETbd*Oo zC}Gfl1er=aznGKvOrw!h^@>PAzBEO>Xk6wc=67KXa9!}eE{rAPt%y$IxOUw^~8upu!U>B1>}f(RyKpQGgM2} zR1eJBZcsy%fq81hFOXoU1)*t1yM=6hDHQodrEF*$iqWPl72(lFAzEn%1r>ee}NNvJMd?5POiCB=+=_T$s%InxTvV3_gyN# z9#HHSaHl%MG-n4mH>ehBv%#h^&5kH;dOcU_qi$BVMU)~=EJxEmsl9xD5rePk;fC(u z_=BZ1v#@~x@yW;f+L9dyC<;W7L64w0Kwe_%8)i7)g>eDA`gv1ei&(rvsdo`r!^o3( zvP%n$EjX2TJvx@&f)0)L4{&3IXA44B^rnuoiwBQ0$a1Fb_)+F>&rg@SaBSP$a5)7s zkbN!s;^?drP7$#Qds!l7Q6S+E=Ypro30TQXP1^l%Fh%kTtp+xWpJtVURx7vh<7KV@ znc6Fi2KQd5E(My^g3Avcf#D~PYx%S*O$NeyP#)m8yt|cN2H9;GXdaMnQBSugSk!OY zb~&cdYlDrSK{f^-rC(DCUihr^eHo-1CVTCh`Bd+gBSFvgD~z$QDM{nwmm@F>n5G5M zYjC|vR6pQ)cqK{5?e%-ptcQvIk9!6;N@(+g4c!Ngkuk1$eQh4xq`z&EGaA6j0kVGz z;8Z0DPJ`s}#ItRnS#y7`_^XX`a{664`%y`|k^xFz7mDXg=u6fVXTFX9S`8Tloj*y+LS^ zMSIL+A`Rv@E>a8~u{qICe*G|vzRQ&b8 z+%!eL`1t|+E$$qZDFkE#l5wG)B=fl$M;WeiW#|nYWob7#{> zAvDNg`DZO(WLdHQpkKg3nUu}FU#>w$cGe4SC214wakYleTyE!?-43r9$RnH(RDfn6 z4kROeX6&`aW}UUt+R;}?BDtbx(!=;l`>l#G{nwrrpL zun0NmH;@ZIkG3fqG`Zf^(-k}HY<@ap26Qi<6c-(HD>B&VAqVJ3@6{J0gcmNR8hj$^ zRcWLM0`|){Ud}6&?L!?Z;4n zmfDMMAyxfeyh_NhIJn~?m2)(`lwPa0WM0MdqfJ`^G#+%P5YU%sT4^cWb7CAKko!Tk z=t|_6PE<{^E-|9Sk_95=UF$!)$Yz&sNb0pf->)$NTGOvZ%&S~hq$&=jK>sJ2=OO@7 zxuaXlPf=Er$pDu;&74G;`hiI7%@2yNYOyR|8(uuZcRdd_XyY=mo?JNUeLEO@=G8OV zR>fai_Hy1fdKAuw6z$^!_nIFh!32AXUvS&`VWA|v`50NP7C+~vEBWitp}a8#xDnC> z@~Ve7kfoj+Ibpx6M>qb^=eb~GxVVwu1xnehUM|y+V9aUpRVX9(AD4%FD7%eu!ti33 z=GZWFT=M7*bU!i5-Vvr8N{rH7!e9VO471#*hxSwD8u-I6FAhmQ z<_$0q17=rgV^6m(InL8;iHD+r5q<-=%uh4#1_p_z8CGV3m}hYY6`>01MRJPek3WxD z2bc`10&0X7U`t&l+E``oR(;BB1Ld_t_OxrZ6uxrBb3v0M&=KSI zcm|$V!fSP}WocoKSSEXLKDJ z7|M$~rg}7mF6gTFxNVX6cYfn-1Uf6fb z4V9Kv+I>ya#-yk;49$r00ZMMC0cAS9JDuU*6n>Dq;##$z_3)(oG#^HMVXNu>;ifr+ z{ueh+_N^G;#sQ~9ZRyIfzKFpp2m<3$`B(ra7N3aR6N{J2quY^E->^DTWElN+7yY;-TbtrK|&zYV+;E_nIVc5n~CrBYl`gzf#$ z2Te*rUU7{vSrSED6;7ZNaJ$FB737F_GvOWgHi)&4ynyk=jHwBL$*J<_q&FYPGQ!cbWS{K`Gd;W3HCXB zjIWQY{O{uu&aZ*C4{gSih1CcQ&pDSc<%HqQ8p~VZ{PN*T-!XxG5A%fNx+gSH#t#GC zmj?SKl?pY>M-UIN8X0+5r}ZwdtP(2Ki2u5NpyHKYfm>5l*a2m0Ym+;NZL~5{Wi-Jz zH1=O}m%Xy024to8ln%Ai5OQq$Z!Tf4oUyKf0;2?t2J$MS0q+c`@N|_{#B;pQ&Ajm; zhAYXH0BRZfS?&tJJ7dOUA>j+1!I)v20eIWMmq1Xog9h^y_z5U+5!85mdxQ1=p}Yg_ zK$!!qx=0eMRoM}cYF=TNx8H&ORTqN+Who*SSE@kKxgY)2H^oSj#>2z6N6{Ks9m_Tk zL3It8v`FbSig|C~+yZG4v@5azW!#j2S?%zt?{oC;`W8SfiYG}#!FYrRdLj4KaoA?x z@ZZITK>HfWAaX>5c%lxt)AEYs2;V%cu5Kz1@%^1KRqTIs0>Tc9hbck zxr$uMAI;VWDY}a7$kFWrpP8bWhfnC-jY{0{dkLR zY2pPr2b0LNxy02&N*I{w?dFR+%mM>e?xNQmo`&;V?IGgc_hZww%+Y0h4RiTB%i16<>k{?>qI^IqF{gBh)?j zuhi4RHBF=ALu=b4xZC6pc3V^oylTZB2(9NnId|C6U4Jh6^tS=2OS;L!+otiy;9e0( zoB)t>n;xQm?|EFIcV;N0$BiE1++{1nI`aK-^K`hVq`W zS{KhemZ8)~=_#&=Jw`;_bJSrEs+Z@FGM4*>ql;KZQt(Xadmp1Yh1zJB7OyaEnQ^rHD+B2M`&dr4_b@RVnyZ z?W01-jKMzj#Y0Fth)AhVFbn7HKMXa$ze8D@A>+vMg!1TG``BwVR~Dzz zZ#ck-If8KN9N@!3ej&jtOrQl+Uo zps_aBU`Tjo7Li)#1(7uA!uU#cdFKI)dLjujy{Wln56zZi|`0zli+;`Xb~9K z7<@A&h!N|?UQ?x|Sknzm@UWlNuYjvNC1{fEcTqlS>dazOL3!F| z57DW#cY0%Jes^s^_{hk?3HZ=8KoGOqGmn?^R#0udHG>0aWwRj@J`BmEUAA(y=7J!U zqr9LrKaM=~0C*h`q)?LPXel^U;htRp>>Jr(<|$;?G8yA0{>TAX8~h5devYZ|;IkE3 z$*W9mpRbFwQ$BYyYy+-HGc@A7JWYVm*I?P0WXi=aAy54y}XS5VZN@w@GE>HTo z#T0Nk8!`l%MGJe_t+F>Nyw9$;r9kHR{Ao+rP|?A;UUPrzYzqAx>A1BAKPc)2jqe)He z8lMa#%R;YE7$m5%3Cj5y1EL*JMf{I47W6F%q_6h7`EB{*s%J}0Rw7M)ch)TdL!`&l z6XgV<*-X3(QS5HJI#c_s`TRYF>>74aRyNvY+ZCxJG= z;<}FR8H4r0p#X-~+LzYdEY#fO}%1W_8a`z&ky zUX)rtBg&)>vv;xz=E0I;u#itpJ{*ofC*ZdQ`P4jcorrTuAAn3s1!h6N^5P!t52vQkRzYQ`%~O^ALZx4J2|4)jW7s5IwAM3B0WK7C)3k zY8FNEXCIXD(mm(9i5oMICRMHY7(n1ITE_NbggXL`+Wywhw9OncUThUzo{xT%+z%h6 zLuO%C658EOV2o^F_>fn5PU4DvIjR-fv(h!F{c7 z^r_FJJWw=CEJlcCp5n|ts>i~EFNp#ka=J^>ho7%QBVk)h$79@oT(1Ab96#V8mH!#W z0iNbHk!U_#9(}~KCt7Fo@}hOqWS@AwdFJK&w@|{}wZD`LeO|vhu5uS*Z+g)ru2=yec?buF^UPL)EdEmE&f}mE>Ifss5nF@v8k;`wcvM#o&~|4VAz?} zkeG9Hn~E-bFcc+Cv7bJ7x`%eB#$^TF#J&LUj6lm2XO%yWZ#2-1FK` zVsHqB{VKm~sgx%4TS2J9j;YJtcs=cAJ_CCTgkh~mL+Xe1@@rEyZ<_YXq#!8cn84RWvUQXHnAjxxW;G}qG_eZ8|#a-|;`WIcNRn`iaMJM~WcfDKV_)P4kY zH;z(rK{hubT`1ofZPz@9TnW*d*Q9L756?Wg@1b2iC7riAOE$9M`Ya zfYNzFAb5{nFMZ! z7tm{iUIf*HWiQH86u9gcTjfS@Zxp1%Zi+q+86?nq{6XdW0Lvl-shozKrdkP=F4|bI z_}oDo`3OM*((}G!{1~0vUHy^BVJ|k`&@h=Xk1)=%aBXAPGtz4-G2s#jiuAnjvc^*- z9G8gqm15B6hT0uyfWo%~-zEv`VC8O1I`G+^glb5!nVKtXIIT7SDT#*ezV92xPDbIW zCf@l5$5ngnO-wqUIfZy7RDj^4Bb<%Y>KF=sMWGtaHdv!5=^g7N%s_a9P<+J_iiMhtfuQd9I~3-^#^5qF2_uIR7tY=C<`{R z&pIC8*RUGh-7%^8MyuodlTOJ<>Q_T~yp{?i^C zJx<-jc`*NX`a3(NAe66p*{_qw{3aY1I_zzeIOtOYe$i|F)NV=tu~tTO)f~V0i8qn$ zBZkN%-#SKRi5)JaaxnKDQYn{vU#r#bh$vy)D+<^ujeMWSBcmkFw#vkC2Yu-EYCnI2 zr~mXGd05#ks9L-AI6cw--KT&!7%R)>>ff%^X*~`YOa}5)HfL1Tpa32c$y<@_F?`1x zMNPid5qRy)18ReGZ42AZGAsjk&ARy2WDzzJ2=kLBB6`cfIOq(JSBB87t{S*H#O_F93X;g++G6hQrP z43o*;GSOwx50+GZ54Vl>D+?zRiOW;Zk)qS{z}F@r-5SjcZU%#zNkjmh2AQ+KxFS+^ zA!!*efe_U|eygU}u&exdwk2Xv@z&m_rLyT5Q~FGnX!yNjFeweH2+UwOEgh-R#%sS5 zQzso7PFhViH!LjRXW8krY3+QSfX*VXj9O_pZ~Hgdr3LvsP9>xp>F!b*7Tql&BHc?GHVtPkpS_=Fzwhh* zjq{#!{y1YehGXnM+-t4x{LXpL`@XKvrKPbO;~3*ttgXhcD5b`;pk5Rt-#?cvgDXYk zey29wLhgM>9y~v=%)}GvOlUt<FB5PHHF~sG_ z^Kk?%sZA)GE~V;ym=0xoDJ3jH-ClJet>ExVja-M@iiRF@;gX2Q)7b&;%={s77|yFc zc8w$Ws4+{z9J5L9Vdfa0&O@6d(?z0qf`GxCi_b7Uq=lXz+|yW+5HX^)`<&?$ZEWc! z25#_uQsUP>sTpE|{V_ShwKek&PvMlP)Uuf7VRLdvLnOiVi*c9a>81^-S20P8LWu1fe%;~_iV-5!sj-F zh&miXO&HZP3>dS{kkNDIJ&u%6Ons$007NOjSE`Wql&TGtXy1WphYsVZ^CcY4v5NoP z*neIlVmKc}Bllf@aR(jTub3<)88HvN0fzGRj}-?XfsLxWSl;d8L!plaooYtMjp#ZI z3>r-SeVLEsBwD#gY4Z=d1PBRxhhk`n_bowmN@zd6d~oD0xMX9-;&{e7A7H~VEw9Fy z)DV-r(L`q08-G?2*@&2yAQ6bSc1qLNJ7BhWTOZe7Fy%)~`wIp%yg_=px%Y~`Gpo?_7(N^++gBy;ENE4J(kh^ZK*Ui~u2hkx>&$zT-&(sT`nHl$Zk*Tqq;3enhLhh` z+fF;jd!n8knXfny)9$VX0%1o1M#1lvxi62$k)ZQecgyUDSXEOD~md zbqYTLd_`wKVcVkHup@6CM*7&9v$5=?q~;}azf#T>)w(WP%8sN8Rz+N#iQUK( zVV;KB2qM#{@)kCp8yXjW$^&~O6$1TX?G(;8g?_dK1~2>%$ep6oO&=p-#9M;7Y1a#7xB0HEon`;bx7XW&YoGNn>dK^m? zRQ0r)#id`8HR5o+05S@zMYZ>X2SHP18r&aGSpP(GRddpkgQ@*82iLPq$d~6Xk75e{ zkaJ^N(C144=qv>n<*%c)v0wRJNlJRMr$SyMTiuyPT$5hl+eX$0y{-a<;F5D;eLKo) z3iz3^*c>T9Ej3ko@=(wl?)gJ;#N8Oeq`UioQ|u}5=Vn%Zr^8ubB)AW73YL##3^w@o z4n*2}d}RI9=6se3Uj?4cXCt|G1C|4=prqZpTvqUeUHnP&+i)~tHVffrdLAE7neL!y zFy4JhxeC+o{V@UvH)3D9w{$>f#*>O8!9%Lg2lTPm78e;`Rj49zyM!Id!EmZQD4X!T z7p^`f?ZB+kf_t1rraA1CH$KQupAKA62-rfPDf=z9;{nbSO!=uln$#(~ey*n)0D*Yb7yH3ErZS)Pn&xFzZ1yd7fK>K!~I7-|f z4Z*o%&1wC4Qd3E1xSb~&;0EpHo5Z*r#tLo{Xj{CArvEVQxsiz0v+4)`w(sVXc|h$WRc0ia#zv2(_JD}l`DDyDNWtDhX6X_ zz&T~q+7?fr zAxix$h|FDlQbB_3g|J|iJk+upugii)0EIGGh&*s&o8pC{3LENDJ}{x}W-oaHwe!iB z)>rv5^3uQg^C(-eZi#6IubR25_&T78yMl*6>s zs@=j;_J?Put+y16X`-M$#&klPk^}f%EzlVm!e(}qAt&dQy6vP|g}9f781||bQD2VZ zVy96EGqvQl-kg;C3L~KHW+-lFs}#XLTy#MK8n|4HM36*r$TKqf;u5mABagRfe7x?a zA@p0g)@q;n_CS}c_tDT7dpNtdd=4J6?PU(|A7L5X^Hf3W_25#@uoIC@!yM&+cMN^( zI#WZgR2pm^t#a-0NkrIv1D+27LC$b4eAuI2C6^iFV55@b(rmVkI~-vxew72Oo=b%N z$1j}QF&JL-Gka)qFT%&HSR73iHz5vZ@?_Ow>Asa1`{s*%`)tOxd=5p#if&_;O=|r; z#joD(qj0AA9N;(IceM^X;LK`^OJX@kcozGcX0U=Fl0w_TIsQjq;TCGZ_XAMFFLNE} zZD8gZ$%It#@ulu~AnjLhYneM<@=^Q{+y7hPKetTAHfCayXvK@VPFnkUw+$3cZa##_ zKzO4^Xx7YYg@E(>phUm_ZEJMocPxzxkej&Tvg>MpNw)stV%Y{-@@o4nTo*SBj+aj$M}}UuO`d_X%>*~v0FWc% zf3A=%oJp&6OUhp~ehB*g_5*L)&!fLbGMh(Nxc+M#Ep`_jI=cpMuv&gj{#7RcoI{yy z(}8qxEK^neeq-(!;H@}xeEKIa z|F!qAj-kUd9P5ASI~|Mlm<=57!5g7p0e~r66O3WuF$iIF|-&8zsBS=Mz-~Q`q_zK^HqqHQ5CH2Mz^<1q=wC26rryT9GUf33bq7NjhnB$g(% z`hPzyVI-9nkIl^Brcy({c7VBJj2&Pp0fD$~8f+(j{vtK1$eQ4Yfo$XffpV?t>T2b` z7b+(bKsG1&ZTJg6OS9?|-i#Caj*8Sn?i7~HYY}~9oYVTmI7;$&4Ljc2e&~SgWc)knte`^{5X9s#7_A!W0s60@3Csu)-oI3=Bv2Hy8)I-uM zI+pJK$IrqkLvPQ|V3`)t%VFRxR9n;&2`+w*|NFoGUqBR-&%_8gi%&!XNdM{S{Pu3} z+yD3)5xLXO0jr6QM)h|Sjz4#f|C@gm1^O@=X~I0w`Tlyo|K)T4um0mG5`5eE|K|s* zu|p(nmb+RG<@gGZKDGR;Yn|jgr6U7UvFZ6E<_O@sMg}%A5j&(n1Qf0_dGEkOhQEe0 z!j9_TXFimmw)0v6uz?r1R~w=xR2e{UVF^&np+gS^{@hTm@Srm{V0W9wGD_`A54gfZ z*t-PB%2%>&V3XAad?uJfJy@I`ARA&Ej0_4yH$nJQ{;&0^b%IpI5Jr}VT?ER9BCF{# z4f=Yfh5#8GOc5s5e|jPQd^R=@d~;=0$jeJ-p5fwl(NmcQfYM$Khf1U=FilaG5Ev$7*`1!*fWl+HZ5spu=%`UgZ4e+c2aC;LbsGm$T ze<-?f1&47{ZmN1K4RO-LikxK;K!xUeJ(?ku2G<-Vi+H*}WhXwTsQ_Ui1#mg@Je0y^ zE)%@yweAr1SrH_GdDrY&AWengx&s(}VP6cx^omA9B9NH~fqVSd>JgFRH18WX1`8Y6 zL9?gn`vw2mzze961iu~tIbSjOMf5 zRqi6)UQD-wVhY2~S+4yW=%{Mv`6KiM=%bmCW*7zTltjscBWiI$Pva5_%qgWASgKCtx4YJ;*}d1(@z2*e!1do|y=(QH z`WDDGCc$}L1fs~uu5d`W=|wk0#w4&s9((s!!)ZDxETS z43a2vp^g-2t^8RvAfy{d_Yr|LIc4P%APBpvWg%d3GW$T`2rau4(D0N&DZu~N&MX@Y z1+>Wo*R=s!w--xC<0r~}pE!_cANCR(7V6)7P2>y4agryyKb};i!Euq-k;FfNYta|~ z(I3)u|4=;XJRGG2xtl5VC1i|MEqqhj67>Y~42p>vAT}Y4R<7`kUIqIB$O-yt0fBG8 zy6nilUxJ{ZsbO9p!?}O=DA+S9>TDBED z2a_mld=3B;+*gwOhvFewEW;CAD3cl4rT!`&{?oRQJe>3lcL=Ef z4p(dgkgCSIp<~M@0yH-EVF0GWKdk&wYNQ=9R)((soXG#){(Er{wV%hT2qXEuJ4jRr z1uuq*4KkeB8Va?k{h|3^OI?BpD7e~Z-0a=nj98w5kQogveP@lQJAfmlbq2C}hqf*1 z1kYDv?yL=gXEiII@cwt_DySwHk#<^uyjglc{_+3uz{?n--3NN1A@?sJ{dFKj;cqkh z5Sc}=l4?i;>2JY~JtHrX1E&4ksZPU{GRpf(T>N;FUbGXOm0>B^>;!34&DyetJ$>en#*I zrRmdxQ@w=?&AbO!0MV%lNR#P=EgI-w7KiBveB8%2h}m=rzBad^lGO}8Ko}%u)y@Du z%Uqy_ehLWGum>cdm(|n*h>`pcdd7O(&cNdN3IZ;(HFZqmpzec!JJD6`+EbnPqj8Cx z`%C+S_zsgN#hu!JM0j6GumQ{gKtedSxwe1^>c>ZUavq?yM{onkj2WCQtYAB`2&vs_ z0%(oW-VMSZ=0L>26X<~BM6(_RGzC117FDZ+RX=+(PQj(3_yT--%KgF&xTtBQ>cg|` z@hh}>7huLhx+&42L|cH@hlH-8`#FnBUG4HTW2$MK)ri-uD4(rd{_TAEU~|On}WU%W8A%BR4OUOnDY!j7 zRe$W{0bBbKXq~LrDhyP3pSbM@K`7rloA)z1)nqi z-Rz^CfLuO%d_qW~4M-&Py}Zvj`v~Q@7?l5&X*OVTrvZ$R7#D*eu1x}|04`9p1khG3 zI1?e`g$l=}n*(TN6~W3|MO^b|czN#3Kb&Wp?*fk9LA_xs#?_DHkE^`w!27K!dfun( zH{=h$mM>k_y2NS{ue$@Z1hlWtp&5uwGL^VPnXNubaxh#}~IPi8x;uT}guN<@LW$tpFL+wo955v~$KDlOM1bE;Cs*W% z0lBlR0hqoh#|z_e{cJZc#zp(Zq@yul+9oho-gOk?Gnt~cjcSwsBI zyBnpTZ9brR_^7V?3a5pvi4J$sSNZW;tdUo{aaIn(8grBAK2&?!r)M4U>OptKp6A}X zs1TV4SU~+b3T}kR9_HC2TTn-j zPkFE>!=IE-#F8-Q6rZcWV!4ADyAt$5>r^~8h11w?78I&qLDS^ke!KQ`-Ngvd6HbDt zKVovf5GxJ^1G(BGa34p#B3oDApYRZo67jgS->U=80aPphCIaqCqV@}M?}^uXjCbGtQPU;eg13zy=!PvmHC{Vq0MI$j8Qhv+@KfJ>=jj zW#KBXn280a=5`THR0R$?iTvpBM?&jWZd|a8JtsjGKSf2ED6n)m*F-L4oi_J-m=*(<&zJ$?7Z&l-)}mC~Nd zF|wx0<*R>v2cP$11oHqYtPZ>y3?!cb(|`6^=u_sjtdKkOlh*aW(S?Hg{yS|%^%=La1DQcJ^ebSO@8AT zCTJ7D@FhwHRSmNgQ9?;(j)SRaQkFVa7M00L`y`56CLGyHGr5>zma#0#Pv+&d&>aka ztN)M{Yx?p+pLknTLyPP{_WX7^4+A#)^`?L8zhN6VdBvnc_oq#BfXMPqh5=f1+%ba4GvD4 zrFUv^m8aD}YeNe4FkcpvXIIr}9zRN}7MIlYpgbc#`bO5=vJ^yyU&)j;vhNTXYiXG? zxO)=z>eIsmlEXoqiUPA&KG=F3kemUax2Tv&K&0xy` zBSdlbs4j2FD%4ADswisNH*Vb>^_W3zSWya}Nmch`{E$n)2fdaWx@UvRnZQpL$~t_%aeLY#CqU<+)cK5iTg>*=(3LdbGfj4~qV!n1tfG>9 zr`fjej{@tRHgu1D?4FYW?S1I#(YT1-?3LRg*_%zCnxGX=f+iH5F6@Jca@Qg|PW;iW zaqCY%T0L|y1hZvNR4b0>EEoQEi&YwG!+)?PyNN_)&qg-95@?PgRAG$xAcmMt3WJojmktjJAS^G(c z1!R_5eo|zP`|~71DA&4$>B7b;5u4|LX%cR{icuWm)V>E2Yu@6E$2LTluObHTC=juS zN=2bywjhQ+t^mzg6cNNSb=eF;?YM)!@}osMURD!26z$z_z&h4?GBdNCKfx3P}5y)oQIj*%Iv~-SuAs|2&?u7zx!{CR%rE zEED__fcPVurB#`<9L|l#Z)Beu#F_AkW z6!B9-2+I5-h@L?Mnx3xI=?wrq_t=vAr540N$|zTqiJ==?JFUFEMI660d~RcED_c0O z?NSU?Jf zc^gSIl+JEt2m@&UMK>(-&qzc%RRv*Usu{g93_N$VCgl1V3Meog?oFj2vX?I+&0w=n z(_VN*!vq;e>SA3+*&%7rYfcFFvn|}+6UEE}&?u#f4Rq9JEwOq zuyjmR?-^|)v@zQU;{$0^omjl=vl(Om`y&Ajc#F@;*=-c3_w0Q!h_znvG4{qBk6eAB zVGXjs=Vx-va;#AH6|0sj4@Ob#CCuPLj5e$2k~s5*=ZAapn!~5nc^tAj_F8Lu#DJkw zaH&y`TFZl8Q$UJR5NC`Pj~q-a;|I1I7-uWbadUO+Djb<=p}-Q*v_jFLly>*QL^)4;JcUY7BnsIZ_9tUV)rXpWRo6^McCdffi)&(p zjh2o8WR~cVs&-SJmW{geeh+Pr7>^@7d1zva3d1_>j{6KNT5WmnM6I16PyG-Ccq7e+ zHjJO!H@gge%4_5cV@rIJjWq8KVJsdo8Wy;-&a}_H7@h(3tDlnb?J9W)v)boPOg|S0 zwA=Ezb63Ul;#d`sPBfv@i+WviLmPX7$(*+xQf#>PN+~iv?d0WTya+D)3m}`o(%uNV zv4|WSUWw6v=ZtzEWihE@3P}{xx;HDU3+u>Hs=K-y6tylc%xzI8BCyf^9Jv@If&DUb zeGm|m>Rfk7l!RKsDUea#LC6b1OOeM(RF@7X&9$#UABp4-1AukrXHyUTCDa9F5n9O6 zBB5FbcB8DZ#O1HPWR~|8882Fr@5+f=fiVpMgtw!Vd&9dj&u5%&N@NH*%wKTR6g3QH ze}dh@$ovbTV;eLwaRR)0qbD2Zp*6oQ<8p?bF`;h<)7~DfXu$3)Q3bI3=GH^&d zgVoX2&#&wnh?BV@t9gZ36Ppm*prWv!WpUR-NX8$T?tq&*4xz6Cdzj86cKg;T*LXWRZQK zs#Y8QDp%<3tal;cjABT*xJ%*edDfM9)X!2bSlliA9MgcWL>+?Y!A2#zKL`(PV0jlA z#0^EZiBZerq1uS^n17P4>0S*< z^lyfyhvrZo&kAt0^SM5szKGBQOzZsb1IZ&2%~Jj7$4;*fu)JbhIqJT=ZRRL(b2I2% zfkc{MFPZMc0fbvnX+}|s8@ZE$oHsU;;%K_+annh12fPJn*Z59~5CjA0kcVbizG|k1 zex%G(<#-Q+7i2p58*O%VucY2^GD!+i+(qxBe6vuPh2^M3=2a}X=iqY`jrZz@Ij61t zeC%EO{T__2^9#C=QyjuULGb$6J}wH~=&Y4M!+T~2ljFV1iph)7G}$7@F-6G4 zXWsJFlnSv(chf$MDvYnf(|3A?*7M2g8Rg- zml>j#PMk%Q2536?A^oIDX~a7a#F&yXZQjTeGAy2|Vap%E(IMwv=D_&)LxzrHRszQ} zE)r$Ftl{WE2mkErhghOjUsf#}(z*re`?jB78;lXF%s+y;5na!`c*`W`IGfQK8om$U zcZR~|b7$yMxYbn4$t8(W8dOPXD6M!JZbVKlzYJ>z@vg+*%+F96F3A1|I`Ea-(__!b z6V7tYio#UQzOIr)?}T6Mz?AR*%nrOW`VZ_tg{0rG1N$c6?7+L6T__@`DVT|`_@*v~ zIoTsohDq1Ea#Vn?$D-GN1VlysLTEB#rmP5bcLVU+)M)7yBU!$W+|=9Bt3|4n7IoqK z8zjA?=0!3?@`(4trArU=k(X4WKhT$Dc5Y#2`D{JQovA4~$0C@6|0^{%aJ!6bb`&2ch&T0Ur;1JMaNy!)~Szi*6F=m1mV{>`*`d#OHyh=KRCp=Ik?76dZ)Yyo3&*w!Twd3o`1@3jY z0zWj{ni+LUG1hqQkM4qAq7x5O989&&GaR$o{Y1^)!UDCfkXn)`ZmJDMFRQppq@(h-z4s@snK zR%X;FT0Eq6=U?zK!=M_>Hu$=1FKvCuCUQo>_+3hVZP@x1hIpnefNguuoe2V}N92Is zgnq7$7K8Q1$YUyo(~{Oii*bh79g%r?Qg$v}nuH&Y|f=Jq8(Cn$;wQX;N;X%Phv5@Kn|k*<5m zRR2!(6-MEqJ-kOw6#nYRaEOdluW71tv1%Z1)feL87bbjaMysIhn=(lnun6K`%Hp~o zsz4sHL~A-G4-r;DP2$$@&=&`l80Hv=eT7qKVbPkT{Es~e{3?yH*K{d*m*Y;QSz-xR z+5x%S^ar~HV$5@`;8@H0mjzNecuVKK?LH0yw*#~m8~t=Y8eM8BBNxE9G}Jl0WJUYn z-?Yh~y$S4J2tPBmYf`eQSH?M%Jza2ye^+SOV7lmn<=vH4aCJ4$<->PiYWWF#GnE>~ z6JBt)FQucLb=UW2bl~vUIB%-D#3o>YUvm53Rsy8IPEFLwfEvFk8!h+y#eFnUrmKs zHo;*DmlSC^({CYqtgHQcD$!F6%Q5qX7LV_TM}AjB z8Tjmg_)I*(l&N|U)MwVx8vm~lef1GBSN}rvWy${+M4v8t#s5c$zM-c7is*ylu5me9 zXt#Ft#9o9aV(s6lxR{q^OxE%vWYhj2-T2@%lX{i(_Phc5S(WmnNu_^D-b0%QIxbL) zK&l~wcVzJ5yHK-^NI9V?vR(5@yw}x*-MITblD6`t3Kccz#W=Q#<`^2q%9IIX$6u7b zp>53Opyi1Yooc_0Zh?Rf(X+HOC*C7A!V9tS#QVNxXE^M*eoc%_)>VCv;N|Lf_<$usA+hHhF(`E4doFOwTZa2W?cTHXNibI-+7Yf_qr}14@2_(V>Pv@ zLdme@F>)?fYJY470jmI%Ij7zYZ3(@^Y!TNOK9bV2u9PyO$IDl(&r%-~Y$);fUFUs9 zp~Ta_*lCe${_IxHkuML%agm_MEIZpYd3@l(9_DOtG(GKi-z8y4AX6oOfYc&8MAn|+ zQ_WJIz~JD<(lkV_JZz#5p!azBf1&rtV|c-)w6PcBoqa{Nk+SL0Q7Jn+VU#R2U((IV zsFsYGIFYZc1)`!Wx@D~QlXnxuyuVGU{tLTDHFy5M!0tJEVz?C8(C}W8Lof>Z_bS<% z%DK}J$)-hokM=wi4+=YisXi9vGa6tJZ349ek~5GY$wWo#G!$}XutBMzOjGk%H&nXnUJHD);KaqniY?GYR=j2T%Fk&yRlb8EJ-ORMYjS z%9t%nIrriM^?3lW1zVXo^8O}*sUl;J4FE+6F`ad3ze05lT;wJ_@=BYAk0$h~9v3N7 zEmhU>q8T50jOa`b;kslSkmDm6V#7WO`Pi)z?bOp-q~B?55IF~GroRa<{ymFbzV})y zr;DQHaVOhe7vAjD-qO=WNyk)JDHs>2C?#>z+pA-UcYqXHjU*(38<7-GnRK8!Dq>E? zo5`~*@EwF;1lkQsYxD`Ed2p?V#HpS*`958s_5wROnOa7;WdzGa{hU zMNE^2{JoI73dXW!1WG(~P=5@GoJK?DYwa32mqS)PS{&lGKr94Hy`u%Zw~1VmB$B-q zlpp#qLRd}4-|%Sk5&pc_rHwNnb7;H4qvu!*UP-PN7-sEsaC{CS=Nq|MQGyQL7YSIhMVlW2gM76^wHR+WbX83L>b|{YJ-y zQy~>htu6of`E47nDDGOzRM;Ph^HOwQDa)*h(_CCCesO==*5K6Da6{f)b;l7#E#fEe zwd-Hhym-3*Gc~U+oShqv%+rS>^913n#FA|3a5eks!VZwE#)hQ|k7aHlyn@fFIbqY9 z9fndyo+)|?yEB#9ELPjRBEx(_H(ADC*YJPlKPo~(fvmina^g?F{OjT7B}@iFt{=&b zwXo_=)L;c#EmYDJ8I)xVv5CpV#T-wGLu(`UD>+KDDDNFSRa|?B;2pwC#`xm-(0}nZ45E5fWDvK%>ayy-#T%7 zx;(wTZ3wRICi)FIZ~PZIPY#V--?U%07}Tbylnp~>mtkdSt^2ON{x?EmUqIQ|*>JV5 z)p`*Jel4J8D(j!VsMX-iMo;JPIOk-?Jvo0a#?3)|@}Nm%*romqCn{SyGfBTe0fX?8 zE<*IiwK)n7JgdLkCw@MI{nY)KGux5vcO7wRblxzrOw7bNOk@|1@qP6dHPpoYXOSO< zzJr-O``J5?&hr)M6Ef4>x0#&5DimU)6FwT`*#-)u7aOTgAC*s%)*b3~15(}?(&$uo zp4pD`et-UOZERWzM&6PVVb5oRYFLaAO2oz;DrMk(JSH>slpV50v=~_r%$Y@?0@19e z=V}+&r2a|9`&vaojHX8Gh|lzK5QXcaZ#>dE(2bHa9+iWmt8L4xbI2Z~^(KzBmm7~^ z?2ZgN90HjM7Jpg_eGp67kpo}R4KUxcya{EA3E-|#c?NFa#b8=;n#9`USJIeMya0VE zJ4rA*A>u;R-&R3q&D?3vqG4fS$=_;qRQpXR;rOuS2+i<_@8#qdlE9><^Cq~VRS+bj zp}Cqqc=EO+L|u5jE^*DX%s37!9tkMcN`VMKl>>=h-nt@XmmVe%jx~KYS!6Y-8I5P( zrC!Eq(L@Uy?+Vr-X$i>?O+?e+3a;%>#y;u{z_?%1GYb?-+ro{`9q%E)U?9!8Q22=3uYBIKC=-qs3Gc;yP_Fju&VfrFDyHTl720`F3E1$;>XtEi z-q{zl%QFhnI)3#-v^!X@INb-T9Q`CpGQ~9o@?|%RThi?6kq`c&IR06FMEYp4(-&SSbHsz@GQEOX`_AJa; zKYed1kA3l?x91pohA4eNhuUG;^V#9G=^1moesldHz}Nj;k!Mf|@r&%o4zE+?9jJ}7 znqTnbDsMl++R<>uIv+u=B-I^_;qd{_sQfZNdx+fk9f^64l)1_VwiXIfVsx*KjS^pHD0B4~2Q|

nl;$eH?Iu?)6La;TT$>9xJm@Q&b!kcFvkdF1}kteH8{0sZXnKbasMG9Me zQcRo&)1DGwL(uU^>xOPTg*C0)C4txJVX>9==OvG@kGDYIqwoV;OL`rXu8_t0Axd2? zL6~txLA2E3Q46m35BaO)2yRUxL4G|n0wE994*;qd!89};^+LqX0Av2a;G&6CW721) z*=0?Fwuyb`4S--OU7k9D)1uf-_050L6E}f(5gpSDoio-K|4e8m4$T6Bct03Rmwx}; z2}oo@HC}Z)856sWP8oa4Dn;} zfDpiA-Z=hxEWcU$$S9TTPKknq+$pdZ^2HDm@SP)4vq&J~MP(BqRGHt8%$x(yEwgn2 z$b!@O2x4}=FWh{o&QyQ?Sn7bUWLOZ$(>--=*IHMphzLzwrllTmO5`V(9LmMW8cz;9io#dI&yMeD2H`P{p&Zng!a~W+B&Z z^1?&K*XSERZ+C);k{RBL70w8=Bpy3 zzyc?6BDA(|Oacqebmjh{{yfm%Rk|H3mC*rNmrDWNw=j0SKkOd%&o(VEJiTKm@JNTq zb2UmPx=67p9VKGhl8!}WM8ie%`iF)~yv3F0vzth|#+7;8s+@dg=e4JM^=UDuJ<@CP zpc}5(apeY(2YO0k($MLaU`qFbxco5m1n&^?&tbLurYUeAS-UUU4Pfu}#L2{FufZ{Q zYBW8M!S5}xCA0*lR#ORWd*H9Kx-lFU|KGE*ca=I`dGso$(0|n`dBgBu2rbA(02skRHtF2 z*tG0TFwb<;>e<$tZhna7UxU-fR7iI33dgp|E+V~H(X_{)DJHR3n_1fpYdq`dcEsN? zYu0F7Pa)b&57#c(2DFIfXBKsaidDkND3lPyD-a>BXlh)mIGf^m^B>Bh$-gLfl|c8< z84^Lt*S{6i*Z)H075IpEb+*p8l)blq2&JPri`Qvwgsj?&5)vELe{9V9-&5}99Ph>= z)=#Dil4iF|)^V5G<1SnR!Lv-ZEzB0H{A85Ha2i@M}+=5!Y!EzLE| zP`BCz#p{0|?z$~I{Tz9C*N0dR>KXdhcwB94JsXoYCQN~^6%A#2#mvW1dhQ7`TuaP! znH<4l@d{aIyaj;Tv?uAARuA`jnFndLsg5ML!Bk9WKx2r}(1fnfh%nhRszAt- zfa49(+sAJZcnd+4rbnvmKz76S+Q>M3^J>%>2M$Z4sE~S*-NhZC35p&#v%*vLl?5bV z7~c8m_X0?thReK#hbJn%(0;s-Px=~K*>N+ix70^nx>=j-(wpnc;8*gXZK?I(A!G?q zB~)-luPU6eFcbggru(;cAKry6xyK0hS4@RD&l#Y4eGv^)oeQp@AgUTiwWUWS>w&BK ziY)60(a?(_m`()*{Ye)5cq*vzVwDy!lWWj@-Nm$NcZ5+E@UZWPkAgeIlQT`{-?a` zwmr~pEUsJr6z3~tbiD#3*DnhVr5)N6^cVsah_rn41X{-Y&6n~6^i3DQ%e?sg8HI*} z(nPhna_9?>M);j6Zk=q2=$&z?DVRrmm{L*|oj-v4k1E_!`B{N&HKcK>?TLJLqyf>6 zMfzl1>+9L-pFCw7eLUeTr2Ahu&9vwd%m<&ELCL*=Rk@Ry)7a!7jAt0#rUmA{=oQ7{ z*gmNn8!g0o=Rk?6uGmuYUOGx^W_riTcc8XlA&EziVI@mK0ht&;BX%auSR%<+_1MrX zoohi^qZ|!~G-q*p8vD#F>&)mAE|FYjfD_nkwsZJTLhmSn@~84daS^NKw0WdLC#yD8Vk^>EBv0p?Cg zn(2xZjL-c)>svB~)iqK?;q% zy3I*OhbI_jU&6yxo`Z44ISPETpH_B2OC$rHw4Jv-(=>EgP}W}!M~T+Tle!|dc=<#6 zOiw5@hbuo89r}i`I*d5YJB@wo=k^1-aQ05ELbw$G}cXV zglJa!9w_U2>?=CIKy%iw{{b|IC{E3WM3=)N97!t~zKMN3hE&h*vO7nLfo)Y&sQxg4 z{qyBbdh?M_dY0hrtqOrSvLv2$MkVpfd*SrVL_g`6EwgUu@L1o!wpRU6=}Q<+AOE1F zbLQQ2!AzrS7J7)EzPJ>k)X%xw^PdYp21Nw)c5Pkub}z37Vb0~>lRkYqod1^eEy+B6 zqYX_#hTK8&o>mRR3ypcW-b=P)L~rm-+^ftMIwYz#P0^WQHe%5 zjBZ*@kbGap`Y}D-nq4xF?OAA>^GnJvbfjnsfHu$kfhcs56t9Z0uUqQgh_Y7AdlZLp z%HC%lIzoq&PFuin#P;EfUvy#?rdJjs7rzc3GphoY>3zgR{NWGwxh_v{+R&Y2q#{Q7 z;Cy^*N_(+A)$%;G=0(5&)sbx0lo@V#;air zd0%O(398kGtyDDedYSryyyR+{;w5`O!%>R~U4%RK^kYaQNiEjBv63ncKZWpinfs>O z>1(6}x!iQ{jT55Lz2haT4H!js69$&tQ%cdz>#_pd-@J<(+8sTo8v)JO2mSZYv)Qu< zYv@uo#Pwtvdptv(z=t%@(KQP6lH?~=pe0||zbh?^dnM({T_=s)xEviJywR{B>jI`K z;81tozWUn9mjZ>#VO@NJAu*9hCZ$_>S-g3b}TpK^u7um^~NwEJp^n9WrZy9JUX%z({nf-AzujAAPf$ zBi2t(*JsWbwQHbSafJN^6Mlxg67NBo%LPaZQeoPBpP8YIg~wHn5a-|X0* zr_rTTNL0T_-MLs2v?zOl?9yuM+B&h;@$_COBIW(d$DSYrpy_dmw@uWoE86(l@wIDD z$94M^sb}SDeb&%Wp(U?;hb&L#H&54dJ~uS2gMw)JDd`@JgyP<3`gH^cLEP_)tBmHWnO^Gqswce5hMD$PSQ_A@vcf&9XZ(3NS@%3XYYi> z%iE=j(c#@Y=!Yd!T~2qO5MSt%O&iT0fN70845Zjb;s$*>vg_=6C&|Yi`nYIVV8AWy z`4iY5yZPxo9xH1JhU``Xt|M(TTjfuiKsGe}`C=|>+Jf2gI@Igi(T!c614l?8WihmN z)|p;3LU=YT{mXTPTjm1gacirYRZsae*R<*nSiwaz0xV4KdF^!FQ;bhU^ZCwCd|PKv z6hC>z-+-`{xyQG$5!mwZ4iv@;<&->^%&2oTu3t4P<^(MwKJ|b5dbD1pH z%PHN4r3mW)S{TbLYE3HjxOp=zujy@SUDw@rPF*diJu{5&zYmThDXXs4c2tT7Dn0v@ zFo3%hOGnJ$x-G9BY&^!*w^mtbx{>r5;n8@IN?4f{sVGt7a;m}u4y6V!a!C4W1=mVX z`Fd*bTRy6>ks(JrFshhICoFpTn+C>aQHVKKqf@&-=y z9yR$&Q+j`~02XI!{z$5ujb_32vsZnNh0%#&L>tZ`bv84ya7!G1t=iY)MYm;0b!u4d zGD$m)zC6zpy&H@r95AfEL;bPZlU)wsJ{5PK{z%2dNd%0>2jjWJQ5~a!kZ@u7hsFf2 z>+G9iLa1U<$|u7)a*f(t)(y9}vkqZJ7JFW^ZbJgg-6}sstfy`q6bPY%R&z&t`8Ojb z;nd~)*#nd(A2E&3rJWqEa~AUSZ`s@^;*b&#N?+9IB@AKd+jQRTKrY(42^_ISnAj@L>eO_SB>v^}a z&6lqpGHJ}^$Z{r;n@Y1ZiBB zJbDC?3TW}Xj87^mrX|^n4kXg;6$Vnlbky_0Ewt zu+sDbj+O2<5d7d|wSCU|2^VNTr20fM_@l^SvL!|%CczU&F+FrYoq~Y8F^zuka=*;* zLx=7Q(%=J#$ejFrK8;k?^#Y-6u%3i=%nq}0KaxhgX^g@(V|Kr_cyza+#4Y@t5Y@uM zpcS&KjC1Lo5LD$>cbuaU=dVHagi7l7{x8EAnR?{&`Ed#!!0^T+SH_-D;R=9_Q6_kEw|e(u!AK_eFT?(EhKQ|B6`(Ce%eXs7_eYhwO-OP)hV zo)dyx>3RZrr4>NuwFK4&=4hsVFMojiAgd1fFNEXF^O&T+YXe=!Ua8-qemL?$>0tn_ zhpuRSN^KrUZUYBz%-tgrrY}bc z#JvPu({AQX@pXr=<;0LTW?cgxu-*BAn?OFBKt-c zdTLmPvL=+X;&Hy6O$oN)J=!W2JMA?0<=}ZlWVocR*yQT?X6r(Up%|mp`=%3aeOUu7 zS<@aYs?IF6_7B)8BX!E+&jrZT8WmM#Jb-VUEU%+WPyNo!QCVuUFuZi-vv|$;!LE~D z{15dxmlVrnne+Nr@I7`pLDSlstQ77y9U^tGyN`ZT4PDA>RdTp!jfH^u+y9v_QO%@%^30Xdlu~ z6T-zq64p&G+aF1oHIGxf&X~?W-%eV{6jxFu$onAlIsHmtRd#l)zE;S<)`-fk%uiVN zo47zorLlTgC3qs=Q3$_Eq5F9m$x(_xePr^a>F9a%-GwLxJAy6WL9@|~duG_#1fGz2jb!PPPegB5kbs&u18w^4Mx1|oP)Lnx3?SdX9 zCVA28S}!>bEV!^~3I!hMD3ts_OZ*cjJp2Z3c8Q6Eq5=Q)d{ z!@4naYtWe@{lV3-Ox@jD_L?sSfGENEgp+wSyzb6?_vd+%DC~J$13ETc&(bKCzSvG` z5}PybZCG0RE81Nen{~m3R&PREX~n7+7tdZ_gJOGjzCH+Hk&5QhFnRqlG=934>{(jT zH01Clf63uzhccRT`63+Qq!rPZXEdY3DoM@y-J{os2G?X+2*j}byNmVhv$w#{$798F z;vCZV-YpUgoQ9C$G)OzlV@_@a%fD3%w}_yb=x}LsE5-@j&fh>;FTwSkpf3ez^1dn3 z2vC_Uk+)HV|FjxRTD37q0Jc85I(FnH0j8hBg$k6MNVnM5{06}2UE*6uBEL1|PmEig zlHTVD^G%+~u{!#_CY70^G=V?v-3z$5zxL{mz?q33z7*s{P>!a;iZgeiX^`Oi0%$3w z8}fdK_y9Tle$}VkL45yKWJD?aRSrD=iKe3N4tFX+Zt; zB_W0%An~W9rTZyaSEay<3HLN*N`IkhI<(G^aqU6CHBL%v$BpTD{in{MsxvFXNXub= zGxHoiw_gV1#V@{UX5RbF!4fBH8orYVJV2(WGg|!aVWEfa`=NDx0|o$v1?x(x`5yY- zqc>&-`ewn*cg~HogI1<~9nw}N+ouJcvnT=O=qm`=^g>#ZBaqi#!0Xb9YaFHxj{yDNc@lj2QQVyX8YM2a7N5N=W2 z+#e-en+ccn`N=nohSP{+;?>o_PJXmC**~7N0NvYh+}?svs1&$Qn9Nf6wonFuxG{@cdb_NHhxeNAM%v&$thUqX~dv`JP<}92d8Z-+vg9 z`^(izqZSAF3K_S6#Z|+;)Ia4Iucz{tIvl*Ap9eA2cn_8L?VtbC&kiE}`>^=y{B33- zB%4&KkKZ0HPziuB#ncj!OE4%G1ZZoa2o1|W%C!*>2y(=*27+h$i`#$-O&Ca=`nkMW zRR4KR;qoTYYC?R*K4+HP3UGjI4+2m%MFp-}<$;RC^1gX>yZ(O6Uu>SNq!M!QZ>RS^ z{!?Gf?AII9CA{O|u4Mzxb1;04&P|9ut{m zY{Os|9|UJ5kxTvBK2oi`CXn#YJGsr^d%!hZZZni3QjEi9`;P*2qySqSXp8G6TY#xh zUCvP3+E=2q&X#H=m{PE&jbT;2J zDN^x&wn2Wm^t_gRclk|PeR~eg%q;=^HfkN_|Cfga6fqgA1T)~ynsYdT_eyl#g?Dx> zDgF61{oAwR*N0u@Fjr&0s(Wzz&tLI-&y2FvkDRGgpQvbO1EXck>DARZka*Vk$*TSz z)izg*bg5C(8=7P=VwsZdE!Y2N5w59j0(>-u%e+1Y^&<=)L>|_331kkw3BVP~&)>4+ zCs{JH`15W4=au;BsAhO`l!z6oqpGQ7s3i+!Ry_SE8W=!J1SLUtmhx2w#JQ<7odMJK z_Y{y~?d3n>&p}n7%x!A$&%f6b+X_^eru&~6|NO)G5x!URzd>QG8xJXcsgH_e$j$=p z^Z*#9+5mSyT}KIh<>c~oH0edrmz`>UWXN^$mmekqC<6H4#noGk1V_ml zQput`S#7I3{^e<2>o6Kv5pfzB+U$wou)rkQ1q>cwAuYGKe(NuPQhJ+V|76Y~`3$k{ z8T)FXx#?Swt8;NsYmr{%05DM5dq%FqO$rEeQ%}zllHSk=V&Z8;{pG5_by~<~ghO7( zJWvV_{_9o$Utf{tpdX1lj4%GFUYYdQKI;GYN+Kb24j48K5Sh#VAOFSQ{Mra5q{<#Q z)`I4*rTE{kkbf=Lk-u|K1=SwdyL`0tP!0XNh4I&a@prH2i~9*NJ96d35wN5Jcv-0c zX@LqA1>otEfXe5^5I=>rs;K+eS7{Wj18-~}$|9(@FlBGk5S_2oKP?`oJeLn9{ z2^H1tQLAX6GL0}`BV)L=_FsY|&oyKiS=6z0&f^RU$WMs{a#81e3Xq7)8G^Jel-7)n zK-YiZCu9#tp9GI&=K#Rx34g;r()msGc_V!s7hC;q%>X&$w1MlaCAj!A!Wn?44gwB7 zp~Y+9p^_*QfQjKlD?oM&!as*vrEt0cR1`v>BYc5k51@6cLBZ)em&f8rx(tQjOKr_S z$Ca)`G`xrR_7UK_$v7tZ4L0UM0HvECt#k0(KB;iqfG|pt${vQ$DkHWck-sdjKbDFB zp)cVtDAE}g^Sz-_aLMIz6>l;}D!)DTB z>TR&95qkFX7?c!isg_$uE-h^}X_PdKpQJ;Xd2Pm+0wN_vUA8QAfN4`Dh~MP<@-Lk0Gx_!5Ok3G$Er4%GkN52Ty0rE&gHo;U$%hdk*j0L%q# zi^>(V-UarcyZ`Npg8V87PP@UM^GnVHAkWy(lv~!PX9 z>!CXlFlkh-@Kz9z_s99EjUy`>zGDJ^-T)jXW{~E|q6yb25P=uTz1V2c;q)I*y;gu( zpwRDGJa`K5=!0TapPMIaR9?6xSvVZ4`J+(ApbXr=hhN%`70hOQ4eb0cTri*C59ov8 z)PVW*MTHNz`Ul{!)>NZQWJrbN*!=Tk#%$h{6GY9$0yNwPJdS&|36*Z6?RqLzU7qzs>;6sS_CX8 zgTc<7#P?2@6Zs#3H{F3ixt3>h24eo$^{7yhjz4;`$k<0+ zh8zz}p{kyXl`6=oNpfBPL67T0+wr9Y9-o5A zGc5N`^Yytc0_-qU;)T3gb)ey}hLc8d!^KHsqE0}iFeTuPlAr-x)R948MU97jx!xD= zx6K&$o=sVHd#5~f%$kmD7%&Hs=(=mb#Owhwtw7HvCsvgUo>0l{$&`(%E+9vzgM!I} zb7TpYVpJlqtkMJYy{2m~z{@QXxuD>;BEKZnhtik6)dNtXt$Jk+lV(T4k1#}I*4zLn zb4^A{O*uOrjy1SBIH*Uj8qoI(g&wxuWe|$y(@=mVkA5$dx@o=o1sZx`sX~{C0PC0F zHeotR4Jh#mzf)4GUt{tWilF;tz0mCKWWP?1c5oeZngouVE>Bh?-~!ZGUP$Qy8;IQ> zScH8`q1mN$I?+#0e7U95FQ^da>3UX?v<^D5TV1%~DgaBdYZtSO=Qgy{#&x>{mhy>8 z(JT~=I2YS@5>%{qM_Bl-%_Y!mO?h+X^H*95e+@naNp*~cWq?iWVJr0*e;ZA2IC6vx zSRaa6O%>_QH(G)XXrN%jNE8-E<9cfpYca^R5|{zF+oGME#d&xER(SlgT`*PR!I48* zn*k7<@oXIc;ae{OVTcFE`p>8GzxTF(ydr%CnJ^TEgzm)~x+cQF#y$wR%;cQv@W;sQ z+6fGUl7Yil!>eRbWa?TSc=!U$fKtsAKyfwLmn8v!c;;~TccyoR>0ROY8%T=DY2k51y z%Dp~Amk-%)7Oqc(Bctfn&KCgB09mHU=9Sr)G$7+UYnoQ-M1Ovi+fiYNbTkG||I}c- zKAZp+Y|Rb~DWq=lK|L)1!ERBT6D#sMmX8*~*Js^;t5=ktNHMT4o5z2!(N1U$!W9Gn z3{~Ri8UzXg-iMLl`Jh^Wtp~Iw1Qhi}0NFji-ihgk#!h%b(+Rv^T1-*j4e-tq0TR#g z;nyj>jC3mAy?keI>pj{UN*fQAXZhcmWtMF0jU5Sph;+o(mjw+QZ7KfL3VYxLGOXBX zfUi57@^h4xiX$vyR`N6F8jPTg22@Dt7W+5gYZQLib!$!B5kWH0zq}^qV+Q-07=S0* zgVfs?xf1BtgQ3|VkqYOMeFjiLoUMI#8a@ssy8N8pK@DMn9MG#b(FjG14$F83!K(6)`hPMDspqSn#6teY3>;A>JEGJ1wBf36A>pyhLQc4KQpidPf>CsEG!Ler3v#C6S1wF zuF`mOZchM<0O^XL5F}j#YifV3&ArsIIvsRni9nt(M*Q3}A zZSnF|!>$$J=0~=subF`A6cgc8^cfm-fHS~uC^fqIb7|NtEl3h$8>P7&s|smS`{cMV zFU{lS2Z}&*2jH+S^`-uDg$5TvGJVbhKLZo&^(K6L>W93~&UoVwr`>oJ&5GWcT!T@| zu44tUOoMzq*aJ$1_sWNJL{8F2i>8Fj@XShs&D3lXE#vr*5VElG$O?NGL1TQDgm$Hm z{{f-@7<>uV@q3o-7pUd&NHA8cCK}mZ+TR|=#o(1A-=zPub^X_x@tl}om(s;4OQ95L zKUctX_sNY#X2J4d$f5?DH{pK4LtMQX+#GtUlwg}4S=a{U>>@zn(J|zvvrQS3C89RB z9%L(NbVn&H_Z;mKXLV*VC4clPYch~wJ0r^!HJw2bdls|+s zM!xI;pP>}bEGKubV(i;Ggt1Vm?B>* z#sbdRz&v~8iYM>hd631`hY2lkJplE3+>tlY(kJcdH4<#gc-&u_sXOO&5qxhSzp1D* zCW^NIGKN8XHp6hgcLo8bWLXbd-L0KI;`Zg|e`!O|R%(4HT7xC5&$yJH{01Tl6^p0x z$)i^pkjWVN1c_%fZg88t4$+?!G6GJqyf+0uX+ONyH;aWB;E?)-5~cO$3phVq4vDM0VK$+uTT`C0S}E)rmQs~r+&=eW zpIlI9)-FH4bO z91;U@y;8!BqskL=BkQji1LYlkN(Cq3>*|61Pe`zL`-fP!$oE!aMbGj}1Nns6)uaq0 z?{b=k?O*+lkMv-ubSmcP#bU_Z-mSVc=Z%RJVH_{+4hA=lVZd-oXoQuin8QS(cYWpN zGf#0mG1r&*rqljUM?7?Ru|HQfI+nK_Z|%}RkQ67?CgV#b9OI&G8Jao`NY)V!pbQq1(|TE)9-T+Bpxr2nA?j+`7{GIG<7#>O_T=9xS~OT zbkqI#P|h5$O1SN(J0;d2W`*B|O{@~}LL{Sq@RzCunf6wI1FPieph$7u(81#~Qe}i< zE;BmbLLVagUWxIr;HbADD7aQo9BwXAQCui)bT}=IK`ovBg#7P9)plELnG6z)s~?{u zB`HaA%Jv)kY2D~DHz#xM50;7xw06~j7vkNF)(dvqGxWM$D`YHbK|qTb+aY<<_Ra+p zm9!NIdyP6kNcuT?xBA{v6zXE{V=v*N&jg0w$w1s9mVIA<8;uufnk^CD>v*8wR>#n_ zW0kT#SvV-&Pf)cXSl^yP!}8uRsbHl~(jHz_JMJQe6%HMteO4H7QVJUH)(>TFiHcuq zt1_Kc1j(-@5N3G{DX6D76tc9WXM^i+kCpBg0UiVatezg!bUZK2)RmQUb& zcG2Y&Z<&11uh}b=_6RyaDzn(pFJC)8ev(Aa$Iu3f>Ma}nh=(-j0rXW^!fkN;+p(+S zrJxl~6WY(Hc;jnLs{iftcMv5at`>X(gL(%}rg%I&iW)JqvprO0#}c6X131*X$gVws zH9oZ+j5>kckW*TIu3|lRyu4}b!jtm8p`&aaFItd^uC+htY-wh`{QPzlAq9Ojjdx&z z&EDroOQG<7>F*yoO)1pf?I^(kl6ut~vjak_CVF2?r+>JD4ZNMMr+60Wq4SBAbg^nb z82a>pRFysf)k(nE`#6@hhZW8!{&ZZajkSj^G;Zd1In4mcH}tYyljZw;%!v^J`(Y~X zSZ5(?sKb}Mst?-k5|Dyqzpl>_qJ0gdZ8ou@Tqr2?40bU`+tb5~_#L^8?mrM9*dTa?sZST2M`L@+q5;opbG`$?)UJ~)A*hM-(+wx?EcS;jXxINFu zaD$jC)B$Zh`Dn%SEo9Hi!+yLWXFp^J}{ zjBuMS!(C@S__coN&rE|Z)X2@+IVBK$s2=oyJ38KxS$-Ham;nmjX3pCKWafw_5G$l8 zAPi&aJ;uB?1tzsOM?%;Bz8}!+vnc%Kj$cNzF$l#Sb(3$j z^J%ntNmn(yv*?*tPz*bLcem7~7-l*bn=@@EGAADEc>Xh)wq~VuhhrHDytuv&72!4; z81hI9;``>Zz~>6j6&?L*vJ>{E_QtWq$R5+Yd6!q+lslj<3i|4(3oamg&y`Y-&Rjj< zKu_wadmQLTd5}h902ZWkFbc3HG5<>2veFlLuyFh>2)Y!}P_*Tg@OHCG3-fjNB{Gcb zSd#oPVhKG^^Pco)nl+gOGLxZ+8v7Rx>KH;TeWm1pCz;IN7S8ZUtgLl3q3F)E_y>%qYU)s`}_B0v#REW$_JkyA4rW z{*gx-H`F^hL4s#<4ebayobEMD03gJHyYzioJ{MoZ7zn^fvuj6L~;m0(wgJ;Udx znOUhb#6F4(6zjadYP;~feg^wA>to&W1_ZUu4_z`2xESU~AhG5ZE$EV--}+Vsn>#c4 z-s*ul|1MV}{S_~3^|s&o4H)%t5sRxP>*^d-q^)NfY`i!anAv7^x9;Yj2ZoE9qo$O! zw(KYMM87mrTCLdpsKpa-Hclz3T#6db_UwM|52UloPy ztOo%$WnJN=n0#~5a>Gycs@BxvP$7cG)w8>i>XdXZ(}a;yM$WQBoQ`F!ym{;s zb(;My5}u&>iETA^N@U9k#1aN&=pkU?Z#fi?~eyZgNTTT(mA+`25NRIQnFE+~=GJslSG1`KT805Xu z4(^ACAsG>}R*v$oyZE23vyTHkZ2v$^Xjve~OT7f4ZI(#QkEIZTSb6E{9m>~4w>XBi zkB~XEu9Cwj@f2NbSE0cC<0(YP&O9?=fwQIIInof@Dwmp?!$og`zO-VyCM(_gNbB0WT}st*cK30z>bo|_b_!pYiy3|QU=i19{%(k5pENk<3yp9doyNbJr+DBPWb(){6Jl%tthodjYugO1Oy*a8-ab7$HY`;gR+$y!`OSJ`Rd*gdHW zy^h}ryXtJQRwr-airw4oi{MSwbVC=@gfTi#>PnE0l)S;TcvozTkjyLo7C`h!+3R$l z{w7XjuiDVKt_-m8)afaWhfCu>l7EK8AIRN`+sk7%ep^v7LmWeNTfCfa?$OWs#Z}_6mR)AmV0_v%5(`%SGGre<2sC?jHZBRz6t2G zs0u2)ev*fvNowt_Wa2m-evr1%Oa5k{A<4;~pT`gGHo?x>0_A0YAwcxh?8}pHEID3WDeNUQ_d{_# znlx#dA6u^%3V&Kg=RNKcLSH+4qlfL7;l=HTv=M`#Yz}S--~?$U>u34#5t0bq4sp)9 zUr-d06)sQ%(f`2rihiEiH+V3y)?+K2ZS?LMCw?GR)YqokUvKe@D;kqX=#M9<55`7yK5sij%E_pXru~?&YOe>omTUh;lgsexT_Icg^svgat-*cjyb3a0MSlL z_nvKerOT!vVK|QvuOhtiF=@G|my{;vKslCw^2Xb}5MyfxRhIYZ*TmXL2SI!T+tVml z_(NAdqJC!4r1fFXo!8hV%PU{m^18bO5OiY2Rs^jbSjy+ub9*iBk7^bU4hB9CX3&jI zBO}IKk70lE4*tE=)3ioC5K6UhVYPJw`65A|0!1p2B8|JGt9~{nvyH)`KPHwcdPv!& zR3U-^<1BHeeWX@DS5hFS6tfl(g{bhgk5a{0EUi@{F4NUYYyAe(6GSXkH`n`am_*Vx9 z3#T6xYE{0J+4f=yjgi}Q$VkHn(OB0cJ)$AG9eU`zH~+(~@t{j9Z<{v48ud!)lT%_$m$+Ioxg;>kk{B;n z+FZH>LvK@3L+4QeEsDGdbYAtYYQi}K?vVTXc7tHnVEimtVZQ?uygUc`Kk)DJ>AnO* z7UYcGZ1xgz?!6C~Cl456*3;Fmcx2tv?!UZ1P4FkXMLKL(O!G^W+w8m3>UPki=&D=fK_XmX?GAoGp&mcG6L_mP-=YlqIS}r`*wK*VmEd( zWFrxvAPHYQt4W1;CjpBys?k6j;8rDk5hK%Z2GWM;ZgapHQ8O|*6}C(C-t;odnbzd# zmKrHazON1lQ)hI30xL_)oqI=P3Ahlv46W8!iO67vpFw#a%H^!t>EcK?Zj-&N1hyrpVaKZB!`znj2k ze!J9}(JCK9rE?;aQ0;N}^9jvF7WEYJ!%)`-z|CP~S&_{vAbCt|?^!M@n5laEs1fM5 zGr!BXe?|^4WKH2{-vmb)C~lMTH`2dNc~phgk$OV9d7K-c0O4#{OR(H^++wfiz^f^kQPW%)bej((FTb2& zVX=~svm~}RwgT!L{C9$%vFP4zM53^N=?1JI*-^f3|1x32eugrjE$h;OI6e2g4(%zC zWEP4_SI;G}o3asHHozVZSYt@qbsjapLMqTG_{`+l@X(X*g<0Yh1~RZ|0Pba9$-s+k z@lw5MNT2j$UmvRyd(X0s_R6}I%YR$! zL`ILU?Mgl_UEi#F!z~)k`nOQyEuzQwJ{BD^)B7o_Hw5;+)GI1s+Ea{d01Zx12&7na z=C#Pth+KGr1)?fbJIjSB=D9j8^ydgp9l@K;(a%BgpA$xvQjv6-G|>_oLR7Kv4d)j@ zC(#1P;0gX3Ax*9xidamz^7k&>k{1?H3Il+k`U***zefSRJ3@(byet)%oykSay_uHv z1CEEYHex`vUgo$w#%XCBz;kV{yNOxiZC~B}{Lb{NRF^4i|K%C!7eTvK1S#I!kt+=S z^MKu^Nm8}{3Iun{u8(rt=Lufj)pKp2R-l=N2g#VHC9EO>2`?YW@h$-&=5f=v8(>&X zOud3a_13W78T%c{rX#kARa6V9m&{Ee##_U)nPL8+?SnxVHU4)bd{*1#_+Ck-X}Wtt zXk5KYD<%?iN!L)6B&rwwDnyvd1)oVPTXAr?1Nm(Mq z>bLtp^3Yk$@ObHbr%qoQj5;wxao@*5e}?+dwLL1iHf|yNfQ^`#4B#yw4Qv-f3#_QZ z9Lbjluu0b8NxN<8y5I_>pRwCjDMsND?5Zd;m1MVy#ph?~Lad>se=9KEDd^h7$2GK( zemLnvd-TY!#P$&4B(V+~M3^+8=_r(dnMelvIn6ofvD5^+@rintPQiomfYPrVUx?uvWAQgOheM1JQ~nvkFp{&r{* zhYZ>kn435tGv4yEEJ$DBB%cK{+}Z0x&es9{V%$+nrt1r)P`s0KcDCqRsz>4~-Q#r0 zIt*on;{{Wt3!@qK+~GBoReQ@NZ*nL?k1n1{%w+5+3?ue`p?=eu7CS|nV2nXT>l3Ug z*7P+-N$(k)xqtyVC%H`y;qOV=5KC+&-y5x}x9Y=s1V$4xOYygElvWCi#L7zT?{}XE zXiwnmZGoYw3RJ>s$E$>D#}}I#Sa^eT-_H)Y-|YCCP67%h^h z>c-YH&6F%2YFl}Atsgxw=IG%rRjh>Zv^W&CR{3l|11|s|78*cbqDAX=Z zq$SRs0kPC zoIN|a<+!YrD{Li#zG_wfLs$b#v8I{G*gOli}$R zpxyCK-d4N<(Qjew%H!{BbwI_`ECMXI3krhf3BIsL-R3r%y^$))s$>0;Rdmj4w-`>& z*Vbx~w}-Uf86$83{MWO*#v4F~2^vUzr%t-)7c5xJrDrQyP(xmyURZOZaQ(P2$IhN4rBMI zH?je0b@H*x~fG_i)!|^pEnOG z+_}S#EP8m_QTp$mG#r2jnzmlIww2j;Q@N1S5%WJ5l8VSevKT`)*@nAl3d1s+Okmt1 zbZ`zi;k{5x66h5NmQQO^H)oM`VE!3?T~E6S3||Fi0t9QznTBtf&Qc+UEM|kQ7H+PLAEO|;s2q-jIFZH-2*7)y z_-+3cq{z+Aw?$@-+8~LA$I&C_pE?x_NXe(KUTRw+)8i|i>L+A#$`WJT1+5FH*yin7 z`kU`meDlkVNEZ9s@4V!_%%LO_kVYMUEv#0cAg%Jp(&&ubD| z?SkE(jgfdNzW1K$)xPBK%6_!MJ4nKnTFPSinwfF>+Ha6O`T%G>lC7=Wfvy^d+mC=* zQl1)690}G$UmqI}o|nK?ZP80SM>$PBBtPmf(sy-EErx(~{F}%s(GbrYZK|!_b$3hD z@Oc7hRT`hU;#OmIoMV#^aqI{n3TLTfELB<$<3%|7R^t?VKiDg0)JE|@MJ*}c1a|^= zXyvo=^m+1jbKYbvCDRZfC;x4==VyRj)v3D*q_ZX$fTemj)@ASvI%r@ckUUXOi1Y31 zAG}VlgHFuQo6@F}BoUxf?BDXoW#f9TOL{*D#ak-sovjvcP?3`ok#UL~+syF=Ao8*I zJx$J3<+%5SY{xLPvc$hO(8=(is#mh97d?{=>RM$eXmxjY`$b>*t38`UVc9Fa6UADb zv$$JHd9FWPrZribM^=$0Znqybf+*d0ZCguvfQ=$I`;vboGn&M`YEcC~=)?s@8+YL9 z-Sk0m>Gv3zf(d|in^R2zA#PZE02yCnjfOuAtgVJ=58+%(2|`TZug(GI;cKor*S(~* zW^cd<5?t*K?Z?he-QI*Xry0lRrPzP?UDs6R+eMv7%08u{t$g!yWS_fSJpTMsh}1+wEC!fem<)} zHKk8y2-|jZ*G=&VG~M}-gr9vSJ;D7IY}YC4O(4=??V}uCc_luLocpNIEVZa!#v>fH ztU)O5Y{_zM6~$JS!8E;UOJ(iyCVs!cw(_};m4s_;UnlR1O<2UTuMpBTL{vi#QMk)1 zrC}a1-~7J&-;s+yX@qA)Y}zQ}$1cA>%X3(qnO*XZ^>}*G=Jp7(T&~Ji7)H*1t`t1k z{Mf|-rLLYe3BRH}Gs@D2I zXQue5W(Zn|(Em6dLMhte0>6C5=I?&b?g}s?-}@i45Ua~_r0!M_g;b0etvgaK+322C zy@&9Y3UTS4JDTb@jDWcSEm_l!fkeNNPQq<8%FG>wAM3YAV-$jX{dc>&`iGs5u;4j_4+6_f80!Ivh3$=G86YL<8vM*!gSnSrfew~^0T_6{ zK=Ppi+xE*T0;{(-om&Dcq&Eb6>m;Yt3k?mxBXBt8gvwKM)T7Dl98H`LiyT)k2T5PzS|P&{ zWmA%RiCKGy+=iY#DptcuMsuVJe2k`l8xV17G~bA(jwr3x0bJqPS6vtbxk9o`;Zm)O=Qk7K4aBS%}ZJvVlIBs#E^*+toBn*TY%4+lZ z?{k#YGCb_^vyB$H`)#S$ta<726plYiF89-%q(&fg3r$Tgecn6@>=glwCROW|M@ch#s6)wFhN1H*z^ZzVYzFxHgN zPRquhm5tiosRN=ZGZo)*oww4fNygnQPgZ&X(vOUymSa|Z+M>c;$K=8u|S+R;+zpN}44oy)PL{sPgSYK+)!n}?R0Jb=6e z>jQvScyTx(LI7eaw`d27@J#k_YLPLEV?tfFr5M_xyscy6AG&p)#t;}+ghktwQg^ob zmDKY}7qnh`&znDbLV_5>tA<5O4r%&RgBLlAA@s^ed%knhrJh-Vs z&{2KmX*znc@g0P!%3cekajsE0oPShw`T8*(XzmS8uNr9LF=TfqD&*~5sSTfz2Q8kT21@M8f0P3zadhx>^#(qhb0M`LP@1DRdCry&0S)PKJOc~k!>hRRk4?6Rm zQnfR_03L?1*xUAi;qQ8P@8MqgXHGdxbo3e^T3(!y`oPcXvzZfrKI(s?3|DDh7s!8X zW$@&D1U*D;P5|Bl3hcBBwdch@81G9p5qfk{SZiDKO=!FY6!8-Q!rwlZEB(6yvI!&0 zZlJqN29~=?pp}9v30(1^*8)4`3{453&nKzVyxyrCP9j!+NPqVR&?klU_qp%Nz<{wX zw-e}k3r24CngACyY)ah&$OlDMN&q9*GC4UPXYBEtncuCI?*vQ^iwIMUdb%n-K^OAu znLu$lS&|3<@>=9~b9?TblEcNzU?hT)wP?5OmSM28M^oRc_&WGXR)3mh@|T*S zNuxXrTxZdZN~%sj{w~@%)3BhmPuXhyfH3?;l`1EOg`O!ISZxj>PnN6o@*6JMHn64IBhNp=rYIF12) zuT2y7P0JQSFr;dpB_3mfLHjdY@YWnKUcI*5>$*Mzhp1Gk__d>PC~(91j5ip^0uM7P zg@eekLE!bGtwREVKdUd%j(Z%9@l#~D{o=utv|W&O>vb&&n6DZ?2i#PD=<|hkF_@r! zbAbHIhYz>%Kg;UMT}V!87|?kyU(qCa5_Y>H^L*_bmJfhbVh|ATbV%{d3)9?|+I`vV zgJBUgmha4^rBU{hHgxTRB7gI(kNg7XBDW{^J+HbhO52V6qkpPu{{-LvtCyNc_T_v+ z`b(Z5i|LsABGnaclY_*JnL?wOXD99le_8yLpm!f>J|<%@Dy{hprVuUj@qPN&giZET zV6x4u*NW?d#8)iN0eoz!M_FN_N3 znAnVED>09n5gIVclIA?skP!T^p2rdDAd^ys_4aDpxPOe0OOpAlqMnJeS{Y>BYwr`| zekkwln?AL)$+TlYdD-|QK3d{BGVL^XWiKw)B_uoHN+3(vF!=fRgL20XL6X@(wRq#$U-77 zR^QalTXD2elt43ie;8R-iaAU6R)WLz{h|DIekc@!t9K1HGBx_kabfv8pxx=lkv`9) zBecKEJPKXvPLRwE%w7Lb~!iPRN z0eDO-$yKD?`*`_QfeEr6ESe#U5c0~~zBJn`V+&YYD~|r;35)W(awB z!q-|KQ4L+{K<4ltZ1JgaUe8HhI;!>;@^1&N=L~;ry441^ND}CQL^fPmz_3O*Dvh1E%{l%G5`4h&zFx!;TY~}(oNl6z9*C5lsUFw{I9^Gm|_= z&(XR2`vQE3R;bQdE?*bzG52|c0cdC3?GS$M%ji#=oJn z503a(q2ix(qQ@Br5NS_^r5xEbN1UnatWVo5`nOa^pKI1YSCyq+Io*48Yc4hpFZ2c5 zS7F^Fm*=lT|FFEWdBsNRdyM*ZX!=y{A#-mhcG~%7$JJN)TdKSPnyLm(pNC}JnTF~D z53Bd+_^#eVol&Ip1EM{f(Ua$SeG7K6GcQQJEQ*S7C_$(wmho+li-$ zsp&^&^q0Zw#rpA`UX0v(RVyJ-i3nAeJ-&t>80{8?3y+KY7^bt9eJ%wC?`VSjocYTs zp$lMT^)l_Pm^Za~3HAEn-Bx+HRvTe`3Y?DB7dumjriJM3Clo8f@4KE)dK>7_skfH^ z4P?BmRQ|&Q{96OSe(g7uUO6Abz`(wjBrX<(1&$dQc`V_Fq8-!k`CYEr<4*6g`L}5M~x;mHvki0hT^S7_1hhFSWe2KOeeIkUjoRuRf4CI=O zaOM61mmIYW+Ff4z*_XjshWMSB5BcQ_O#kR`}dJ^&4c z8rOtw&+WPodZYk;maX;k&t<7z0_MovII;Yl=bUe2ir?YViq8PqVgu)^`CA~2SBSxY z{6TzL4C|EMPq{mlz?_^#0XOy0oa)NHI@{DE)vdWL5V=D_|*hMMtL;u zDJeM$CDGKs4_v zGy0kP@>r-CSv-jlD;U_@bQ~Ejvt&bQ4utlD@absdvk@sRd?D8CeZj%(j4X?T88QJ` zSuyW`N~>=TbVGMMP@U@UD3k;?2HVE>!rn^@iY12KocY( z^Ad8a7XF1hT^;KhcwbQP@$Xc-@kOqO5Z#uOoJk?xjo9|N8nP;ZF+vb5|!*T7o%B_jCYyctupM^tD(p)-Ojx#d7w@F{(=XtC>xJQ zB{VQQFBi47@ePv$JxoExdO3)QyrKL+;J?kPgvOC(RV+dte6(GIXhi&%_hpL_;k8~P zukQ5(M$+En4QVvsE}@gYZ0xrCsnsElzd|Ruh13lb5=Z?1@~T3)_4uD&Ri|J8AcQnt zv-^L(O-+S>L_cS=ixAl)sEbR*q}#3H1nyF^MsU;)wyNJ%Q43ep_{(j9_y^UbyQ zIp^8?Jnr#+f4pP7|2V(_Yb@59YtDP#_jUcQ1}}-WIoe)}fM7q`-AQo$(ct?rDE;v3 z6C}?^L*S?8({X`FeZq7hNI1rxD#HHQxLxhxkmZ2Gh%CuT7ji#pF2y!&K_Yfo0E-J? zRegNG{^&VC3)W0{&U<&0d+uHzbFY8(qMid?px$*cm!XWzok9rWxvlD%44xYPUUY+g zro_IB`hv`!Cov0c1vuU7#A$!d*B56?l*cH~wwfL(^*-r78~bo9QCzlUAOiC5nop?F zp6;A+pbc64eChHW01|Q>R_4<^>Jzu4!aOMUaIKzu=Wa(ZHBd}ieZZ}TZbY5RyNzqg zhaY}1G#ob!p~R;E18~Df-)NeB(2GvC#=4CjwWE@0u8?CyyFLB&1$M_}EH4XVvG#^V zsqY*9xHHfcEdcbE#w{Q@r=;+HH#MD;byFumW>ANrwpsb5l`k5QGLzOM<}HWg&HW#i zvzuoCDk>C6gM95Z4U&T)zomA7o5C~sZ0!CUz7CShT!QhJQMBrq#9=(YCPW0bbpZ&^ zsq)d*&e`tkd}RnQ$;$O#`al!F6Hik6%ElCig(Z1TD&=1IGcHTcYA}4M4yxMK^GNUu&!`eSJ3~`-RTH! zhxy~${Ai3e}de4xo-;sSM>m&4h zj{_76-`BluaUFPj)We|*IO{%8Pnah=9e2@N^&W?cTC=yMBplY!gFvd7O5%M!D67Sw z-WCO^KiwsV?No;!qMKblvV|}E+;G$Q{l-9d_5pd#)!ntlP2J6PO(nupT9atSAAIwSLp`#9k#UCLx>iCfJe#dX=n{vz z|NVu+Q2fHZ+jN)Al!u-NZCsVKATfo9alWDB`!x2SU;EGH`LAEpa3Jg%>3J9! z{cCn*TaQHJcLB63;VgfIl}hx6Vy~Kb{@~wsA6Npd^&&C>2mOI9u0ID|!ILtJU^K@C z10y^qqLK(`+M4=k_I!)i0=z=&4`5uoG?4>}>2V+zBvy)>0Nf9zgf@^{DXN+(yWZ23 zi+<3|n1(&{*H!ahU$4q!i-mI@!S`t^(x@X`);j{yRpxhYN3aM`9%Ns^6S{y=^J&df z*kLYd`~Kc%V5?6B^DJFg^p%8v!34^YfTI{Ul$sLu9uq1q0%GW~xOD?qC<6dhvDNSM z;eGPq`VX57kL0bf!gyXB#2uMzhSsUNdH5Zf)cSut%>QZ>fd`vLnt6%RpFr7W37${a zL-00AK*5&4$7Bl>WU4^Ih9Cj!k{XJ`V=chIDl9Vq&N`MO6Zr>j>d%G#=fA<*=xi|H z1$a{Pje_&78w2S!K4(AoAnPVzoLQm{)k~06LI49}fd#*#SQ7G%l%#-XDLmwIzlYTP z@t{R-;E=iOk-qi)!~Wd=>>dCACNutiApO_B>Hpr704u%4ckuo{ zwe0?D&HV3g#}$GQp!^7{Yyb6W`2YWHS-j*`vi2GnvqE7XGp!GVMr9zcWyJmGoUj0n zI&6(dilM1wiT?nJxe@|9V5fkB>Gz-9w%}_RnCbj{C4K;49_|?h1Ila~5OV$dH{sCp z9|pDf0~J&|@}|wNyuK{B^%n3xtG?ERt)s>ldte=<#kawLc3^C^Nz?>176r;F90Ph$ z6iR<^JV4woGIJ>A`S2S_Wrnts*km6Y1I~XC4Zy1c>=1D_inyzzYc z;A9mT@lEOk=)bv-fYAskfNE7fyVf-eRKjFJ&gO6cpmW9#U>*jG8&UyCFXp{%U^^=k z*&MLB!VIx6XqGHoNB<`{$B~<}#rDtvu(uOSri*%48MqDbBL<4$0tAjdtglZ9OL$lh zLc~G476rsMxu6|#_Pw|&@uYh|G9A&5i*OG34qRaH8Po12CI1^b;)CHsw1X#C$)4&4 z^nZJWY&DTuz&M#$C(HVSiv99W`<!HjxAPmA&B1G_WA5hMoUpSwc(U$rJ zCIOD5&;~OLBPXa)X9#TBNm?TT=Id&LGFI5GnfF>!l{;+6%j@w;sV z?A@PKja=p1VV8M%rcl1%|HYIV*4%s;Oe|v#XvH8;ARQL*CNotA4kB!mmPw5|YkS_Z zrA$6U%A-stHgKnk)m@8V!~Gwo6t;mH@hc?5NAM0@vqRgU3qL;drsDQr%YT>!&DlRs zXU=1TltJFvfoK44M{4dLq9tI@&%X4>Y*^^1j$f5sF?2y(E6P(R860xVQ?csEQs}> zMoEOaf5o@`B=CfSY<-pBn{SH?_?46sL@+n1%@Vr{qysuX>aa_Il(HEEd+h_bqt;tr z)LWxO-GQzqdN!heagPXPzlh~eSwZ&A}+0KXrWGR*b zr`1`=5cW^gPuscwJrtwiL;$d?y0eit8RA`ez%Tm4JV4B2TifmCWGWq&S@;qG8NHjr zEk+nLutT|i?+M_02+nwc4S&lIf7`*cWeI}TA2%$czxMsrpGps&#|xxv#drU1ExdXF zXa6Y0)Ca=U2TSRy7MTF|Lz?Sv^znQ!E2Z~JtYAn5jEh4BL%E5dxVN zcx14t^VAS1MeX1Q{H0>VeQ$}2bWdx;+NlG#|2x%X0B;q3)nJ5R&?(PftoXPK^l|&*>Ecx zAj~Bh&*!cX|LM`$6gUF)1?jOpDJFN^@y{Q#>0{4?^}bcn<~0H8%%_XRP+Y9_4@^$H zX}%{L)O8DhMR>AqQ#o+3iJ* zeaweiao&mXvSfQ;Bi=o<0z$`AeuNluuVk*F&glrxUJjFn>7x5T&l~q!ctOGoj~B`5 z6d6}a|4feR)9Y>@l*tbBhEJN^fqFl{9c!alUf06Ad|>%QKQkM-;Kfo*T&Z8-05i(eSI%4pcNCVrT{Y=U4sO!?=HV%M^*in9mNbK49?a}=wv)iwaJ83oQDh$ zrF2SPgPX?l7jrK1L+*-iv!_5Tl`YHeIQf6O1ELe?fWRypp|$VpsqGYe*dW0veupG&D#-|KFfnr<`HqH!D296j9XX@by(037V z1A}ib1QV&SESyhZpm+p$XWwD)JrDaG{U&jsgd6~bN(d~a)#PzCfc>PY3Vi=U;k#RD zWhS2@n+#V|qM0X$To`cHxRCmWUf##i8YsSKp9s9H0WAxq#uNVUg!PKOsZkmx<8pw1Mhyz zi~{dVOVB8|v0LGQIEJe*Mvb70NvTV)s+Z+iCsVG0mCGj3&Sm$+2y4+c51Oa3nj-W83tgBH#H$q`;ncXcr( z61U3`P#8$;ha&x*Ayp2pn~#`IxRIo}Y`U7mJ0s!sOgxf2V}6kzJ@03z?W8ydpqQhs zhkhz=S80sHuOfvHz$RwP)jbKrVq3Ic3^>stw~dfc1)MLnzlZkCxGgS*c?6075NM3% zhWGwbUs@lUQ*yIi&$)hJd&CiGvkWfkWwVd6N>l`YxF-t6kGPpPO)buw2gKs8vbcEN zoy^jdlZ*M(e196v4r7Wg4TS$PU9pn@gyLu1hk`?Jwuz2cz$t&ouS^P%FW+CLXOKb&Rj7~J`&Zts5Yi|esA^|y1>EBIkrcB zQzkL^o*i@k2uJLA_{*kO{FmA}h7?bdRk+`;ZKyC4UTMvxY$MJa4 zy6tG0Bz`pAMjNNM^S)hcNU#n$Q|_bbmkKE}~AylsuBlcF`9CtmWf&({g_<=@Woe{W)G z;X!OH(OB00?`%g{Z?^SXS%2VM#?lVKjx^ew-6P<0SDByfAnzrM9&hcYt-h*_W z94aNPYQ z8MvVKFkx7tt5{SqLVd+0r6|yTuP>%awyh-Ww%qU`xoeJJ1QwZ=qt?8KL9$60spNqYu|!xvG73%6L^&=hch1w zRp-)0>E>%R&^c(|b4+1q!mK+Sws1+c64R45r3*?fHhv-e>y|#`&_xz|aLZGd`#agY zG1T(gdpE_lSQDBux1i?m-tq95+?BV+_j2K4XjehLy!))!WsX!$i4H94g%D}7aU z6eZGi<@H`oe4EvxKUQfBHw712nUvm7;&v@B^V=>^EFT6dZ2CN6zazz3vmE^9zT-ky z;tjZADYe+g=!!cS`s#-l=XaaR(Jy4n239M}SF7(~e>8185oWyUlUHZBsF-bSTD~it z5@g|!L?&5nZ!QuTbJ+1NpUvH{elh!w-#&RKp&_gX^{dqlei#1ULFtyKRHGWybMzmI zQuqs7zDHx-Rkp8Zq-M!fT)v@bZrkJGTNfJ^hjx+r4VZoyyU)(rEFOJ6Y*+zQK3-`m zWBI7D%)_EK_OBG&GU5;i?s3G*ikLQE4?_|6Vhw#IwY>or5t}~RB~v%GNT}QyUq$8p z4NjVG066D-*2j#urY(kBkg!p!a-N}fQ^}020K~*@s&!1PZAKUhZw+z^F(qr7Ct8_B z)kt0_=9x@%8d_iy#4DBsttL0S)fc3n=j9R-XL^2L`AN^$+`#w#A}JDOS||nl$Kl|P zajico-_A6SH3g^<{sM_=_&X$O9mdjPDyjPv7RIQaxeJM};1BPzf@1_&#F9d8VGdJe zA-z9|qdv7{wwe*d&2pa5>dr3}W%%N%so)zddS>6~Sm_TT?vQzRSh;XvHL(IAzLM(H^S)MDBn1 zP#$TUAC}EkrfwMcodkf9W!m$N*~L-n#;=G1gtD=o^c@a%|0m+n2hWFRV6a%<_0q&;fujr2 z`dQ;cTVCU#YV?i3(gn}#Ujbn9#okA{PwlcpT04l?$Mfv>_Y#mdLXtMCp4x7l)2Gcs zd|;l7h+xa57ZHx?5Yc(IqJLk_R0QSZ2Z5w0bubW3@4F*Jqx$+`vG1duY4ff(V{)TwI0bPFYvDQTfH ztwLltn#W~~kWE6P=l0{PKn5BGKb}N>&Mv)JqqSHN2E`#|16GG^?-#m z&7{B%r28v3Qq&5CKxmxA?Rgawms!lf83g~fx$RJ=QV z9jU>tlHL$zbUN?r^wFtPj2Qcq)WC3|1+OEJkm7V)hc@+^K2HC&lYM8u)d}ng%jnm} zz;Z8Db$7iX(L7L1L$fTIZX2-(g03FCf_eN>{9}T}DUOi(QO!H3023+>^RG-ODKygm zH%urz=olmqYccNP44lc-bR3M>PGITs9r3PSE&}Sldq!()Pa6dKj|u z1x9<+Y0I!YE9eDQ*`S#6hPHy{*&v^>OEeZDYYevS4i_?e+EhOf43iVWTlT)hr^ga! zlcr?xfccYTQrgB@#nVE_l=}OA!QWfgxg@LM?6og{wy{Jl1I5`#W-Y5pkTM_v(rHAu z;oO{$Dlbv@3GvdtG^(@X+|Y<0S5aPijATFO;(P_edz3fXr*2$qt<}mc7MiWL-l@f% zhIrET|9af`*=Ex8Uq~pmOMTLnIQ!i;`OM9Y5)ZuBl?zU9;`9>^CN;R^02g&*9oQM7 zi11X>KWE@}VVBx0n%IKI2#T9lBbC>!g{vMWRlxvjiI>69kp{XKY#<>IH zFce&8h!tw;N)OkmbQ0NSRI1B2WVs;`&Nn&dV4SI;>);1{n*O9)6k{iH`sg5|S$sS4 zSJv-lZ`o034^mHh4C@~rx}{Q*1Q#c;-4m`3MQ8b5bky(tvLcFC&DflnQOcwsclq#( zu%i!>jh^zIMwlMO0*fKY5T6_kjk?_H1!!co?$j=WLo`nlv%%Uc&iFhd&7 zPeKg7F%_y3Urc=~h#ez*YfH?gY$o8Fo4^UF9#x=T|7v1gU_PiH7Adp!KfEW-E0BVs zXDv;3u{00Rc!Bs`t_6D-{i97pmvrA_(30c@aFyw_w|X0nv+k}7`&ER6bhoRDWK6B5 z9AzbjHuJ8pA_AetwX<&oQZWdg%m4&VM*RLz$mgu&n=B9N2=1@e(UwruI5)1L40!K?9$Q^z*8mtUj3Bu+Av?DMx*9 z5p8|po4_aSk4F-ClANXZrskfE^BMCJ5ojSWq|D`j{=v)p{i(ZbZTeqo!z=8bp0 z`)61E8*UPw)`M*OqBev5k9hZ+K8p9hcmdBoO$fd1g3e$?3XA0PUaK!ROJBAH=BOG< z^2YSuP)`!wZg4C{V~rwt>r>rwuQ!2?@L(=?y!}%A{YhpH)E3=1YTF|jT(MOpsxP#- zTv9&_X?jxC4wc0BO$H0a8NX#D?I;jXpObsI?xlF{joRL{T$s4soB4>$nQ;_pOifo7 z9q%&1srot{3bXkPdT>vQEYgp3=d-5kHGqqGNJ{`9lp+_5THRRdW5yu!r8$Pw&+t8* z8W=?q-WKc&r4}u;zj?UB>^qOS!&`HVyyZ#*aa%d9sfb?dV}Eaz*OBga@Dv7qK}25jT-dkV5BbNE1~wqU zjwQ|dzMO_N-|VVdR&C$Ib13e(uv#hxSDjh+&gqRxmsZ~5i0hcWipfDX)y8ZvoVFA{ zB#X4Nuqyj(B^Ddj_oaDPeC7U=Sq}-$D8Ww81trFBYx-r#-z`2X|G3~F$f`nc;S9eb`S0g?(xu4ne-x5+t6|COz3sj})|OQ9Fr{`h6~6hP^D9o7ZU~ zr0epNUumo%IfNxc>m|1%?`*9_GU%rY#BI6nV{C>#0l*X5U()FlGp0>#upCyCWQ?-G5e6YpXwm&lG*CFKhOgF!*!HE>9PiH(CLI zcU^JZGR?H(a#=0Mlp^G8{R6OKqxl6W#DLR4&-r=!_YZ(G(^Cxgm>|<+N zcw;aP5pA%Ko+g((oyUYQg$|Xt#?v^+tHi`ZQZ`rTHmkeTb9Ksn{aZ>Z*vkCJ zwwoJ||nFmBB9*Itdx&L-4zLdP88|;?p;O?yw-?3|-u(QzG8ltE?)~@0)p@wPp#W|?HoXzbO>52;PZ1&ZM!p!2g z*DR3859VWKfMa3J#bZV-r{uO`DEY{b@LEr?QO89#SgxC^jJrKoJI%R&(DA+hat^=rx1%l!cFi}<$Xo4p*fLBvUgDx%fO&ye>;;+;35Bn@lb5cVEj z2ADsSu*>iWY8e;RAv86dG8gKcCGMZ=%7|d;UGqYb6({nYI6}J+ zSA?_UW=$9CeyA=Qb3r|9y5uv51+PMZu-w+?uEjO(XMJfU;%N8H&$yvgX=V-n{hUVf zknia(q}I%yx2i*D^tq0)X7&g-)Du{jtSEko?(*T-Ci^vdJp{MHIylt0Sa5g zPtlO-OkzjF*%TgJqOwRw!nQSBZ*&^m3s_KK5``#nSo4+$F#^EC1lonRb*5c&-fQf7 zJ1*VgX`nt7$C(n4q*`r;}4uPb-Ghv)|JZQl;r zPl+L*5>{e*@C+!imOYcLpZuU3at{H|IyogY-@K^w1;}2|oq1LobBbe`0Tn2eJ|`og zQ!QkF3~led*7@aaNM4+f(o3`X>eu8hNt>*_S!wBwHw()j+u8e8U^dmQ=IXK*_Wnf! z*-O-sYurl)$wt{lrLkB^9LklcC0Q3MtFo?0I-?az#fzD}3 zjp8RsawV!VdR+?!mv>*@q5?Rw*AP#hqEviYKB#>Shj`XzP>^&5RiHn~U z2x!#*O4mlYRGMkWK9o}K2LS%UOzmCc{BRwm+` zDiEf4_Y6HmW-MgukZLi_d*=j}8(CSJ?og#jm=b|q;{jE}XipvLJ}JY)vRY&6Ni{}cI)t|FSfO2_j>(*Oa%hSX<{bt$8AK>~cVKqQc-R@*$y>kV z#K0uHc(08uSBd#NM z9NyOdW4F!#t5hOE&Eq`Nm@B+Rm)JX3lWbL}uOMzmkrp0~JqntYB6hZ7xGwiT!vtlQ zVDCol3YFCKi;FBPe#rp)O&gs@AEKyF`f9798PTwo?`eyvnew?O!7pha`Myp;F!Anv z>E^#-^~<|r9-ci6P%|9I3F{+T){>2yysnFaUWv;798l1Q5Hr#DDe%RlX&zWL*TECVi9CA)bKi|JjV-O$v9C$^58>VcPuAp-luQe#`M zX=OUH6Pn)4NkrcpmHB(M_U~m?gN*RQxo_bNFK>jnr<2x!XGu;XLkpbDwIR9+M+Z3R zg2QRS)N^3C@exe3`XrUB6A?aFfO^{=Qn)#a{!(ObpvHE;&7Z;kA^d^rxSBB7wU447M>(xZ{ z@qER^jtA|n@eu^9GVSo*LN!1}Mx+%=Xl&;4m8iKlDTGsNCrgi({oObIEJ87x&#bUT z5*qqd*8`TO^u7|=y}YWIrA+BLN5g$bRE|_=dD23j;=`L;G=*3{MPY_Jj_$Yle%4L6 z5)K7|H#)zRh9v`mL8%CgGP_G#2wRyQh;@U6N|Qh{dWwtXr1h0IXKWDNdDDwIdWDY1 zhXyRLjL@bp5B6Inw;s>FNXQPz17@?Zk2INzgtuOwPe#D-Q9A z-7QRCymJaX_@2(}X4X?n@}Nwwu3~%kvlH8Ws|z&NZk|uJk5lU!(~O^GEd^v^E*-99 z{~B%bIs|hx6q0EeLa4~qc=wIy+a?DZPB!_}E!ux5*Ad{^uSVbVNUtqv$j@Zk6F#;T zZvf+L!kUK<>cPZLLlw$J3*bjwROJ2(1u(;`H%RluN zqQ$jNeD#+6V+(2Dz*YX?T6>BpjcJ{;g$Y89;)$Y#h@J?9_(xI!(QjjXKG5HyrT?>Trd>YlJ ze2owXazR~bA1K5!v>-r7wOPUlz~9>`ZEF`U?YBW-W@zH}sWi{zyvh2EjCu)k;Y`b2 zBxN{smEl!+b@AbYp`_2IAHIHOqCISK=koVPJ3qz0P*u2{iIk>h_flNbZf6btd=6$f z_X#Kza(jsOt2vz4cvntA`Vn&Cj=0*OqPX|yXx(~q&9Ur(_gqzkEo3I})N2IC#@vuwj*;rScc?T$-k@1i0^}faNX9@`$lWLF zWmAwR;7@>k8TGrfqJ|nFDUButAfn1FJV`0qB!E3*J2#pGBaGW5O`@LyOg1yqKp+-O zOPT)kP$LZk#ZhasJ6~`BH>a$LG1@QOZgiV{Cv|s6Ym@DR=?9C>vuv$(WfrsKhy02S z^ILD3pJ+FSXabMB>^){j63$APNq7Q`&3Eij`{neu6s`hC%I}|*dK!|9oFfV7$D@(DA|cup$+1{UNLT7;Vgb^Kq-qEZtutG zGnnjV)_4Fb7qq-sP$*WzuvNw$R=glx5Qn{^!l!FQ zE0KyHMAWOd^;cy(Eg@ zpl`om9RuCVn!SUjPJE3c|K{S6a)gYmg^wq zH}fy3ys?}Aw)gUGhY{0Uv+QTJ|tU6gbfj%H_6e*s8 z!#aTa4m1UeBCyGcp=4CTuFu{gOTVpqDFhT3OoMAKv1WS>x{ifn2vd!=DMCHC=XNKZ zP19t?6Mj@-oIw6${ji3Vyn0yuTH!Spr&i;+T7vAsb*_a5Eq)ng){ zFnWQ`uk+*qU$G>>MEQcQtQ$VwstXfu2n`-e%ddO5mh^b6SR ztr)~W_SQI%?7U;~Ll5RFE!+0s8bgO?6)KHnh(B7PzS9@GJzx3oRoVD;-KIBZQcwa_ za;?0^>YS$5m@=nsK;veo7C~k-T787)dx#vxdfbD6wzH5T#n0CTy{ku{@Ky8x1HkkN zqX0BGDnJa-H7-H&>s~BvCaWpz_h(?{i@N2g^=;%bsj<~$GfXB@9=65@Rar>xzb=Ur zUwS-(4OmZ)O%~Aj(xme~Z>_$+e?)fk550;VdW{co>-X(T@nu%SNlagUC8DGafA~HM zH|w$im@63)L+($?P{QJrlbVP)##XUc7}*4#!$3d!lX5uzI}>W7z&XRLk+>weVmA()fh^6P?W+ZTt1M>+r49y={&j>w z=2ptgdl%<8mmgE0auuqx^j&N5MvErNro+OU4r>SwDvLd4iU@GEW)V(>`Uq8w{69m=DQ#!6;wY3PSS~{~& z_R}6E^j7ll{8uOSKeagxiX~1@HN&W!$fLCmC(^Ch?qSL6 z@7xkQo2#Z}57&}J68y2lZ^Xn8y#W)ePtJCQk~5!QpY~74eNe@WM1-J*F(Det117L; ziI73ui3So3tAcNd>S9jIZ}P2Eb@jF2XJCKWW@vggH7P<1N$%Gp&vXc$3+q18=*(6z za@VI?y`qSL^6@3UNR0Ej9>{Jk5`UuZOWqS2s(nO*joJlMEWNF-jNdq+s1uOZ(=uh| za)n`A=s2tt_U=JfK;%f~V>vhW> zR}Ux=m$u{ZOaE?Te9U)0h4E!tN)|l3mi{FGcJ-GjR*wkOJ`MPQj@98KM8nY`RZ_W? zA5?dN6<}Q81Ehmi?tNibr+fAz2_A0-l;&33fVd=634YxWO$|Eu)hvA|`ZQ&L^#&v< zRw|rA7GPejH3%QvQYO%o&aW^C>GbXJ6;4W&@4YhF6WHPrbX!*mkET8Z zKFBNP6oJVHetmJ&qFxo%uRzqPw#VMg#D&UF&9?0}pxs|m=~MWJ(m)JvGemWr zmTuD=(9}lgqsPGUU0*;Kd8?32nel={YibZtQmHMx@q9p8STO1eO3lVs%xr3D6e;&b z##lNYrKIPd*f9%(7|GIN=jrt;@v<07wxCY|;?b^-PE@wWy;su#d#U`*+=nWKAT9>A@9RFsr67(@t{ z^~m!%2X-Ss;|wy&e@~P0)%0hydn`+Zwz-5i>JIKB6=d3ZaI zJ(hJlo{k`l8$o7aYCve^mf_mV zJntuUpF=B=kYm{Vr@AZb;x4nEnb^zDVv13s6#O-Jn>p`Y>4i)HroQDwo>V>lOy7Fa z>fFj`fb}S@=_6&^0hRq7SU@MCN_;v_hXQ23=#}?Se&P23;quk*^tJ+fWm>I#zOgsh z#&1W{iX2NT9%)z&(=0fm;f|K%~d`6E!vTc-46Q@Sm6gtH^tYx?q9?Xv&|h+Zdghd#NHnJLG0D@yca*o23#p0*nNst%}98GS>*aqGieE2Uz zSDFf5<-d490Ruxxl85oGSr`)!05Ft{5%r$gSb=IZWrxxpmBC3*=rFiDKTKgBtGGtQ z73CU!j2H1Ma99e}8{I-WdO3E`=t zz!5)i%)x?++9Lx$qC_;7Un5M3Nwh)!`o3>Ys^#jpH>oqKn&R`^HQtK{LLWP0z0vy9 za8QT6kw(*H8x`G}Z;K(ERYT*m>pn+{QiujPUAww2ZDeloTU_0DoAMI9qUVo5UhLBu znoig30a*;!Yr*2D1k zIkkmUwEfnnWDA~C{q8c6I67P>_9A|~ihj;eocoHjgrEwM57VUFrY1?_XxOAHQC-Ar zIVp4cz=j>aSyDH50@$|(7oBjI`Qu)`^WGcb@nwN%jTYD=y=ry|At=1mWAkOh1)zm0 z;qv1gAeWggOxv=SZglo~SCde1C~Wyr-JBE1ywPkfp-i7K`tc=yOcQWXs`xUZGr>;H z8p6G9-!j+uY}?D(O3`Dodb8S_)7cWi1wY zmd{1>^uj@L(cojycBd;T5+55mJu=p>wR=anh?+4?ow7jS#q=dTE#S>$67{ct8vl^f zW(zX2dK%*87SO)B0Zd{uUm!TO^O5;jAo##;M%#H0@Rdq3fR0+zuq-&6!{tYgh^&&VL!WBf=%&@7vroL-Ka~um{*Ubd?q=&UQqSvtW;5FghicX%R zRmJS^fYL)5zhCj<(5dFbUe>|Gn%B=%snt;Yjj4&pYa&Q(L>$+}D|^$QH}s^U*4PEV zOA{ad2x0%o&%SDy&Ii$AE1Sg88%qz0T7y|``TY+F`wGJw?czlb6|nvB)zX_vAr>iV z^K9ji0UuqTCe9R@00JZScS}mvUwdwgaU07v41!_4m|}vHJa$7?TUF{zd4I|qs(to> z8$i{5nS@-*6}Q>BkT!{d{|r@*3HRK7sfQ_^cvp#4{8#EuM&2Bdfy=Jw2_^djdC;J1 zZ?*|$wVWejIk=)$Y@?v8U&;B5<$O#XI>|}D5IRhe^3|^EeDW*{J(|-O3v&k+u*j|= z;|KDYXSo#nu6IJ4(k6+C^Yo}|P*yOyxDF7Zn6>ERi|Jp_!v(fNr@p)}_rn|u-|KEA zzWivRCev(~uBn>tQv#ta)W3lNzn*?KzXh$pV;j z*_z4W6_Z$${dt$JG8!D`!sa-)B7TB~q^z}SZ?Rjxo+NrSjM8w}|3opdHn@DM!=ma< zb-RcvQPC?WcFw`Qa0A56We`=Zb||7qaBB}@sFQ*#M<%uYQ>@Mg8T&V-!G%~Z0<)-r z#2>Yhe_G5|v?LxcQQAhs!!xdXUIK3~vZw>}b8ld2@PiBsQhNZfKA0knuAOYuH>^S5 zp9LeV=ehw0`LPXEUJQChm2qA7;oSHF&QV4p@^8^7Mm7@Otu~H!u^itVG>6?SGW2^? z8>kZOwJbegRcYAo4m90VE%B&8~ zgVZOxJD&|_6>U(YdGn15c0_-#_*k1Q^4k~r1^xt%p$SpOyh_+ ztCI|v8BBt>de6iiP75im6@wpUk-SpXu5V}G!S2LU>v4sI6j}&F?kF|k2%u6-jAcI* zhiF6-)<*>#5_|bp-bnOWSPu6mPAw=QK=E`B-kaHbD1@V+?r>N*EFA8L?REqQ&a@X9 zNFa$Dmt)P8fEh^W3lcdC<2U|{z$Y1cQQ>ezoqlB?n(BkzOOrk#BZeI51^f z_{C^l9Yf}vV8N)l94&yp?D>MXti6~TTLCDqmBexPRD4o+s1QgY<;CJ-aR|^hReN8M zulPk=8Lm2We}RoU;Gh>$t^%*}cJJPKGG9Xn1UyAMkF{U1efQc*5j>AFRt>JC+A7I7 z_FgZbo{37owL&uoNpef0A%wQPzno7P^o#+@V3QnATmTY8E&W)reAgTIq*plqWnT!8 zzT}tjjso@*RF5_&)kfuw|5q#t;Hax)l>Bz{XyHPwG(Po0rFBkkYZCz~d*r>?IM9dQ zMr^4t6RzFFN1|>#G_PNZxEfRR)TwJiw;Gr6qWUyxSR3trL)UITPp8-F$o*^A+>_Q- z*HcQD!9n9Zj%~&(f0}LE49)Pb| z419sv<#YfVs;eiy_(5%Yr&eFT+C1$KF0*@-TsopOqPzpiQnRyDIPE{ok+ z!H<`UC(7!Th(;mO! z7KM$z=dc@|*Ci>&j1+_~5cV5g2|3D2wY$6Uniw?Q^U`BC-d<%NHk}gDv8UxY@weY= ztgNIi$c9q?O0&&U zxEP&()MJ?R!a$KAYvmCH6wj3hAyjXp8Wo?C`4`adZKUegHkh$;pNU6K#t+o@`MR^bQ3tlk+qYCfRfz4tVjm3`;GaZ*!CD@hrs?hohPAb;3KNM)KrY9WObK@U-kH(QytyG4QR1E@P-8RMYQ? zqFVa;lNqEY*swk!;ma~ivV1ZugNxh|A>Pqo+X4bW+{ma;kch*>J6Q@>QtbNa|01S2cAzwW?)EOA#lLUAvjy)ZzhLXO#k`WVnH#TEA4kQ~6VtoWb z<|&h3N@|$DExwjeL}M(&mK}@h3>fS2r0?Vr+vLtraS~@udr|F>()vw2^w4Vd*|e;T z7;rTiDwiaA0Ce!+?Q;gZr*NpHLP2AOBD|bR=0Cec#hvDxR9;15k>%D1jP>^sFcF|O zLvhE>gZeRA6^5Bw-{|6AVk4zGZ^0wv74@x+cERU!`VPub>Ku4O@0>r_07FQSjEdI|Xf9-XWAB1`Tg zZzw%aiHU1@kJ5e-9Y2O+8*TIC=FZo?m05p~X*U5V%ISt2lc z=b1z`)wU#2UAo7zIob6A(0x$GU@ux2`;i_hn6|SOs|-xA@p1?-I8 z6?ceI4)s4n;O=|L_q#lRL?|(SluW4#3G2G=qPhfG4jp8tPxUHAwN?w z0HpL36Zk?DebKF@7oCCBB25!x%_3u1MX&3RJ3&c#gI&dbXx{@xH(su>D$4i+Q$Y;uyrF-eL6B?c)Z3X_;kqX-k>)imMPyBO^@}e%!TXy)|J{bW=nGsq{T$8yPXPbPPwN}1W%<`M6tI!EG>LL`J&rLM z)<6zG6y@&?sc4Qje{x0lUF5ALJ7O@wv76Arj^UkGvpa0qWY|k6tHwI&mjVu<=dScEyuKRb%|Fb>=KX6hyw}koqLv%DvnLl2V zdr1I?l1zY=w>&JGT0Ffwg@pdbUlqB5y#&DBjg(_SB@yHK_HXj!|LGkMH{qY;e9Z^O zJN3zbXnUo?Wf8hl;2epG%3xg4_gE~bP62SQLKgAI!dD>6&}LAGwrQj!`D541LJy>P z+$jB=MzS4-c0Ws08;4T38n&ko0pay_L?>LC1*&%Cg43qKZ_vQB$hAgMrgP*WsD$I` zia$N5UL-4~My#|eeb*XE4)i)1ozd>M+~7=eTYy@!BpT%X$5!{xPc4dxMAW&($eljO z`17m>#)Klkj6SCF$WGV_2>4(5xB-Gw8N9S>`wghW9(4F!mN({izLJj`2jk5N2aO9S za9QaBuihVL#FYyL(vc)0#A(=A?Sj}h33_w$p`Dm4nfUn>{5EmqBF_0U&i$Md@TLuh zZaX+BwjlZ602f6U@Pc4{@JdiQ1bI+8U^9JX-q^hYU;}KR+F<&>1y=L(jQpk-v?>LN zH(5*KwMoBTFx-WoD&|p1&ihEwybKIRQwg|lO}|<7`L{^pXWLMU7YS~R&^`1n%WEag z7PJO-mHPPq`H%eDRqw(F94&P3m-e{eBK>?dhKU658JwNr4%8dU7AM|IT22O|4mFWh zO@ADaGyxgJRI0>93+Nq1Z#&zQfZx=nhky-FO3NzAt)}u3N@Jx`Z(&xBef#MO){I)e zlVxRae{PE9ZyKE7ePPt#`q{U6$V5JqVn&MMtWQmXV{&v-;h#-Z0?CWPf=-bxEWg|Es2_U_%V56PlcZ>yiwB`x4S%D_mrHiOOdkE*;>_N427@Gl_qc z)|YD~|LaQpv(R$k0(NK^LJaH1$k{L-^@#tanFf4dU@XTSgF0Y8Y4N?~KS zF#5kd9e@7%pI2@T1H<(k^i8!>xTs`t2_4eF^I1A!Te4#X3P`%*-bboxJ>l@b5okrb z3v8K6fhG%5w*gY25%TD1a8lzK;fa6QBzT`y$yjTS=s3H$thf1Q5a2n);+@dyM_wm=}5yizY)nGtVjhcLIY!m&JNj^}{~ymB zHxiBS!HcH=*E0b?`h)@1K(tr_;G9aFb>o^@q(t?Zzq_R!LZnhS99}q#lf*0k?LL!2 zmzy`aKGQ|F*WMH=;ai}#-Nc@Yyb=E6f}1)J&XQzsmI_}_W0Ej%be8dKBPB!^@ zKpld$Pk;h{?dX~QEwIe}`Op{;Alh_Y_UX32DpXC2SDY?4>F;W(4Xk;=jG} zug{GX6NYP9esUxmoWYZ%^0|BZwZ+6O>r4#-;tCTS7}r3i2p_#G=$5?5p{5@m!S@7J z4fy6vD1a>^TCrt1qt^`D7bd<-6mxMSH&R02A0yt>^ffC+;-I5yI=|9_wWy8D#%x>5 zt%>zZ$cS~!4*!SQ^%fLFfCn?Zn!3;t1IQ^7Una(=f878!yhvaOxb6%PUUt;p0#phy z*A^T|D27M)`@QNxxRg-posH1~6*qwzW^lIt_BqjzDD0~PvD7{st&g!V2+)v*B0S;7 zQc4E;TPZ$#J>ZP^GiuPjEa3KK-5dKU%e6s8$@ahUasz#^w~C)!hQucT${-&+8Ur#$Zp9BCN{{0Aege=}kLE>!L*hHKug<-Q3L>;GJ~UkBN#fRIkOUV1m6 zQ8!k^4#Y~i!YKJ9KNgj(lzuK)=J;fiem>>7z`jWa-lEmG0J%tsAMmn(Gil@jkqBr) ztvI`sJAc3ON@?NeZuA#+epLSbz5MHFa%*XK&o-;d0QS*fP#na8oD2QCbgGFvASpJ3 zoP?{d1fgP=3#0w@1poVAPLGvpSV=I|g455~QqA=non9IM;qL^n)GJR0=7eGzELh;+ zuQlN&dS~w>uU-N?UP=4KGItq#IR>f<7%CRH(XyWc@YIB+3TFYJr?ic(D|C2)wH&^H z7s zNT?$*Gh2$jRhrB>eV=^JyD;89V;~a#Y;^-+1wPlX0fvDL0C)F6!(&dNH_Yv2ub}U| z0a-x@64NqZaS4=MIv|jI(9hk`Y5+ib6M)u|toU#;_!V@hv}#~=8xofE$*Y>BN3;92TUV1K7j6C5;jA0liHFLyoRn&M7F$5cdiU zgr?rr0ZxwrMXd3Tvxxqaw_}4HZD(7(uv%$6 zHFpaktV&ba7`d@a;m1ut0GKi}#Di{r8SXatj>ey|JVMt1T44IU6uphtlgWqg#JICI z&m`E|@gSq5$l>|767yNUb@s?1yJK;r0g994&Q-I=J?S+7`o;W!bM+dSiRD=hWmi;_ z;2z)VR3X_OX5qQEkVN)2gA~k`?)&S2d5WD*6brheuIi7Ei@aP%UdeaO;#GHFNsU|( z^acU+n0_1RO(M?KfJVM`Te9I$f2x=&5(I5N{PYnBvT%>k23Dyi`~h|MO}aa{?C%!w z5vhT^X(vX!1;p_a09QvDWsUOtg=`<+rr8x=a1L%n88q6==TuL6>g4mcn$xk<3G6#++@qT5@07Y9X>+Hh*rtGgX%6IDpkdAI4if^q7> zQ?F|TE;SZKDOdRO6Cm}u3vW`|?#_2b1Q{3Q_%%NTZ(B|;ar%vr{Q{gPEr42d*U7vk zWwhsBfBNOXAAFdu^9$g4Rt2Bkm^Xdv6VpRH>ubk{1hjc^rUelhW-i zMbivKmJ=eYnS>ZX`qjSc10EG!$*Ui+6GH7jo`;3BK5Fvnp7wkfwgKXlyN4kE?yZ5V z&TKOr>fyPYGOZ1T3N8I`6(~p&z6EEn-4+b`Nax%VdYpOodG3ltJb2a4+D;dhYptFE~vC|*jmajKLhg8#PzxVH8*~1 z7%S7h81`7emC4m!3ZjBp<|e$1p#_hU4>7{g3c=xg);t$$FM~T655%v%^A-nfgb7fp zETje|#?!~5z*)^Sv$F;44BqAIkYCE$PEMv;Tl*L!lPTD9l8PF zo*Kj7odESxe&`84yoxvPMU=M48tMK(!xG3(Z}fPYQ@^2f>O{nv;qmzj4zvhJ5o2z9 z35UrMsO?FquLDT!jS!CZ|ipDfQZk`To(9tm^8T^8t;!R0UTc zkwKe~el`!bea(KZ7JH`vKlnrfkS~Yj%UzSPbRl=4(4pX`Z#y|fKcNmfI?*Wzre&V} z^!^0{av<`lVc7LH#$=GOujx>6sf ze|?)7AUbL|(ugdpd!5wE?df^omC_^h1guT`4uh+&)`6Dg#tGR6WDBEU59BM+9gm1Z z$7ytpRd`5%E4Gz8>wkS2K-$~fJK+x^(U0Y!Jn=@2*bYeSy1A3h8h0r|)OwHFWp)Uwauo?g-4f5IkHQksE_!k-pPV;>&-{CY`F$wJ>eb<9z9*<6Rpz)|%|z!ihg&(Oej&Lq z*Ar?U|N6)lklJ!;LL8ZY$SZkkrADy^K)c@m`;PgSy)->GV6t+Azo>3)qJH-2X1YSx zd67`5^H>?GfB9ZrfbMtRkD{9#WjA~~)AYk;Z#V3%A<$Oww*iu=uz&e0Z>l zu7gOc(F9qJMmK|xgR^ARc8})0{voC7Fks#ie`Ak#=e%P&l6*w{<9nd|==tugxu|?9 zQ^t{amf40OB9SmNYCfo($#~FXONN>9*4qdoe)oRIvw0#!v**4*mL<-G?Z1Pz6 zxqw5>V40!mEAEGnh||tmLC3WOX~2US_bh;ywM5tFlZ)W9+mS=aITrP8#@FENq(rC@ z`zpi)8x$87hJI?BX#@~EtNND%CkK8KvVXZ^Zk;lHBhCV zgWbX<3hk5CoYPG%=55Q9y7>h8>zCow24gb(;6&rB-8Xo~NUCI@_=Zgvn|uNm)<8aq zR4Mw%(7;lDU%6NXJJ)N(ax~&FmL%~$gTPbfsd7+j_dZa4YPiJIt6jnKfVr;Qa>!eL z&x>S1RQ-TDkfUP_aw1yG9q?{c=U(fXP`enX;fnmtvlRXN@id!1TJM=`l$m{0W8;gS zB1N@JW$1=n9TsH2*)Tj;J_~x5G{?byfGq2q#`pS5DNW+1xx=@us&@`7!%TfJe{@OC z%JXHBVBpNQDQTsfm{69k_m8A8_In{-QlE=LEthVc1l_5OZj$|uXWMnJ>Qam|POm35 zYlsK7VecEvyscg{9#MgAfrH`9|p4&@7abs^hpjs+R#GhFO=HPEMe_t$x#i? z*aG+}UZdLXpZF?>$oHk(Pf|3rXa<%(qv24P>8q3@F&naJ5aeYVAa>Vu``efVxuf~! z5-C_-$@X-C40&4-TiyyS3xRxKnAFg~^^u=VOTg*Am6(mjShooePL-0YG&@#r3!Jpb zs$}`YaxD9Z`sMmW0V}8d9sbV3rW)w|vX*k|!x*#Satl#ksRH;YC?DGh-k{rx_b9p) zJndFgH90~a*pv;sp>bx)p{ot`#YFv?a)S}mN-b5mUXss7b8%es9qiHRHSW{^5k=D*a!UNaQJ|LyeM zF~;*x2Kd5!86@9tz}l>sRTZ5;?+h(HnUMPKNGJYG@I$j57J6mR$hDp6`;ZFDXKb%% z+fO;7_%#->?vOFOd`p&2;Y-C&vjcYeKz;AIJBr}~b>o!leR$7nlx7Gm&uUh1_3`)v z&bQ{I6NJxX?z)nhFkYi?uZ_}CaY!?X?7dKW56S*l*7>)jY*04$Gq~_NUfU4eHQuDi z!MpaaWDsyx`kW9#dz@0QA0I$U_Y_vj@hO}%Pvq>hFa=fVQjuKv;apN=X^9GPdWb+4 zlMm9(YG}lBr?D^k6q{NUFHY+C|jytHkqj{ry6$$a;oz5%Q91n zc19bETczw$bwwY6t`XS*X+@TdG(NxUbTR68{BC7u$WlQaM{jixBFjuj&4TGY%9UZK zT_Vv`n_wmRiZ;e*1gQw8gfB*)8Xi<+A~JQH(l|q(SbaaK1e5s19XrNSP6qC*<&m0wI5EHd1lja(UVg% z)R|Xa4Ifmep;?){uu4!9CYK(R@^%Y(>R&PvN4QFosKcZrtkX&Ua5sA^LXx3aVLfOlmx#ln8~Uf&D@ zMt{|wq+vo{hp8G0^?kcz+{td|8xu1T$P3odSy0^l7`yMCO!uSr4@EK7GBzJ3BJWR5 z%XU#-g3zxNAaAA2jAn}YHoIB_FK?8G0^@jj)a-G4^!97u-N^(Q`C`*1zsmipBbYm7 z)4CkfG{_qyQOb5d@Fs6e`v<5{;6*()(eau`{q_{im&%vfP%A)kGTF7<14{yVrI9Xm zZ4-C|ZK)t+0Of^@IFMUo`A)r&w`EX@X32=Pa3~UB86i|act+c$M?gw}e+X7_Cpx22%n-hPp8vWdAa^>-D z6#cEJ(#*1_E!`;#Lk}0?YvodNN73B^*NHjp7gZBT^h1=?Q%Z_qqCZsAHC6bexzzeQ z6SE{Zl*^Iy*43`b2ZUAy91LN%#(?dKp4F2BW-rsikMb9wkYaAtS63av4h6#grqLYr z2UR4rrBK8PJ?i;<)N&-P5m3f--SSE!;Npu`D%|u3vO9SP%+IK`aZ2|9p=f_imZInu zdxbtkryWFoZ0*d0%6UGiq#kMSgG4M+U9q5@l4k)Dsm{sVgSKI(2UgAlA-o$sEjVK# z*9K($`t|HJiu+&5q7I}ZrzU2VkekN}$iO=(bGB%lX zZ&ZhQ0@$t=JtkSp!GZ_mBO{Y@TKQ!6jzB6}BJK($k5yWuO_yof0J|Yd$BPFV8ZI7y zMUmuV{K8ZBlQqOK^^)_z!e<=)$49PQ)C{DtIWnz`1<2iS*RX4)R$WD!6KRNIANF2muX1+iWb-STYJgAyV{z8TD+d|7&dQg^~TvN8x)712;sh8Q+ z_b!Smye+BD7H#Yer;w%v-l(i@q!i!BPX3UuF)i?zHn!cBvH(+D?|$&Az~>;55@N$! zmsA%GpL7PQD#bJNUz6(z^gsjO>*XL;6>*dFzDJZ~84R~jy-(49U`dKiYKmeHOMb6+ zdRF6Zf1&npDpA}+k?>nC)j8{#jB>QQubJ57N5-))uLn%zV8NKqzEIl9kD#5_ZyQgt zQa2iaCpX8_fp>Cf`Iwys`Oh-+U-For-wev<{vfQ&Jg~!2c&*0Zpgd4UM5(#)x!V{z zC?`)j-2Z%!QChUt*efoPIe-`S15GFw^GPuBAdF?&*CsZ=yF z*t8)+2)87CnYNV^kBBaR>1KQ)zsxgTJDP+M4ZV*YHr6vI7}9uzq$hPGwZ(T#?t?iP zO(Xe%ui68jwD-K^7mX})o?x0TJ_Oa7h6H1OqMXUtJULWvr&R6^yo!@6STBySWmvB(n-OjC0o)fPFHRfQY@znc}#UpM!SLM@@&89M&RUzIEb_Dm)C z-yxjrW0}U#NJ^AT9C4o$uR&2+*0FeYy&NlfZg~5e-CB_3qGS=7Y8>W3RGoVJkX7Bf z9yut@jH2fn*5BaV7IJ5W44RD7u^FFTZ%Chjx=^!PJT zv{0_lCySMFBd^+ll%_rYn?-oo<||BQqU?i+Vq;xj@CQy#MZev*D=Md9&Vm(&>isat z{mA>UK#j7(W5xKmybkr7%$q z-K7Rz{lB%mJr%?PAJ0!)UlvwJts1Yh)2#!%3#(BQ=D5u+V7#FO{Yj&eRK>xgk@%vF zr?qPkzyx_{C+>t&ntDt*p`h`6&uhE+EpbqY}9^XkoWaD00OaGUxfd4C6f0qtyc5u_w6 z)5YPpUle8R-aV(#^~!trT834xRE>(Q0<(lzsm>-Hz@CXGXSU0oG^H}4YpEyL;|lAx z3$P~ik{*!3CnhRpU}1ObR?_VZp70`c2~^0BMowCJRyY~ZZsH?l9PACNWMD)Sm(-~k zJefv0Ccx+o9jEr*8mTd|2X;~T$g&{NG+`39<))8( zt3UggW05jY;k4ELD}$31L5n)eSUGG|Strph%a-Xj9YP?#mxv-(Sf4F?#!$d!nD*8- zRj(+I!@ba5J}$ZRdk>#Mf;pEQ^E>QRgmlDkB`=(on=kO0H-N*6GNB>PnD&orFzWcV z6m982azgjH(x#BE$Zg4ObA&xba#|E_BfgcG^17ndFQs+WDm7X?YeF-7s#`3_G+NlK zr!T+kKvtD~&{vip?UJpKF&^(f(q~HexcK{49xwiTozr*?sqA;Zpj7+gUpJsaGd2uS zayAqH45gBN{7vS4fk}s-^z)hM7>_}qkEr%A;G_G4O67q6FDe!5`?No)RPgq_EiiD` zf;)acxWSL52(VQ9G=E~LMjX|`aa?RF)m((tmBkFDjlY}-8OlUV^9~_%2qLKAsB3110a{?_VoO6c>yrlhbf7M_qqXsWMz2EIa<9QppGbDi!oU zs8qonKxv`>L>tWzOec(Uqnbdjl)FrH#aE7_SDpO;EU>7NZN*;X7%|6ven0)IbuN>L z9ksocNkR%*ZqsW9VJ{JS$BcZ06+q6&19Fb62C_m&GZb1PIxlr4t`JivOr;F&Sn3Zv zOi$w$5hW2Sb`Bd$y_jrp!jf&qqn^-o->v*%Qi%=2blF*vCez01HXB4xo6|(L(R>NA zEG4(_AMk~$@h*P7(UnRU+o|E-xKs`jMhpK5rb;K6QuI$*n$`tvsR3sD=JmofXy3g6 zKeoAW*vb4WX}{06ktdZl^lKaY=7393h0Rp6f_co1m8ZqgmpH684g@90g%JAe4_A8HKRw)10uw_#FI1uCOLmeFWJdY$re?x9+F zI$jlR)LRKUV|@ zREnG!exsMP#W=*JkzQ0Pv@BfAOd8`W`m3K~r{= z{qpuGQo`5va*LE_Hs3bP`p7>w!_N;Hwp=q6eFB^|Cr?fQfT9@CH$s(y{7Y`VeX1ud zh2;%5910z0L!AONC;2Mpg88WNvsGH17I`40?OPRS87c?ZF3!&`5@6(Fdf}L@ ztbDZQV1=%H#9gsMwc>($f4&=bElaDS&Zx?I>LF4XvOap{d$N!Z7|Rte ztF2alV^-0+S=kb%QF09~KNN+iYqjfvW6L%HqZ$1vN7_AO!9j*<_Wn{KjwzdALF;t1 zdu&r4oZtI)_((q-YVlP+8F}0*Ff+HD$%gu4pjpOWCkJaR>2zo2{tFUX!$UC9Aw=@L z#s|gEw;GdMK0Ha$hrndw3&Ci>b-9=JcdAq`u}BkRMfsL$9k_dY#pOI)ngf?I+17sn z-6&ms4Ya5K8Ls~s$g|zeRY?-)!;#1te9N|OXJynl;RBR%w{7k#I^#*4c= z+XhM(oxv|YDLZ@-kLON?B+dtfpmCKig8K}KCtm1by?h`1DW86M;W>A&W;Jh#kC!4H z-ZP+{(n~>b(DbcTGf&e=*N7i_$h0L2D^95|?fA?F9lBYX63(WHpk)pqV>RDvdf=D1 z@7+u5wOsin(0auV?z(O}p0)G+JWLPt-=^$p6Ns$yjbP}KR3>P=dzl^N5qxx+fHpuw zBBRAlv?!KyGP;re3wHu8^9hE@Nqfqxu_i8ZMdMd%qGfFN_YA!@lMH;KZqg5_ppT`5 z2RPEam<#z<<$L>JBq-&=XSFy zDkdm7Q!(BsT&mTx{fnnYr=>9o-LCCHhd_E(o-yvOk8Leb{o)FDFm~@|6%noL#7;tQ zQq_CmPu2qh`Uc`B)Zb=gu@G36kD)^4jH$R5!XX!`x^KUjO``iV%tdmP8TD{+7Nu6j z2roV>R+=W204S9_$eqzrti{^_m_%#8yOhJC7!OJjwXmp03?si1I3ZjE_E0g%UT@>~ zx_% zHtx!vTFrt?hIBhx3qJJ|(S^`Yv@&x7CPEr!iFq4QAV!vNvHqLJ!4l&ETL7!$TNS>+ zq`Kx;k>A1!@7D>p!i!xPK~B3}acUJw+0%a9wgVV~pey2tY<2~D z>G#?|-xJGhj0!a7t*V_R`93F2jVaI(QItcMUV%ahQP>+om)vt(l=xn{++LQe21piz@Xnr8=5B z&T`*N=!=uA)51_by3VZ_krlEeW>1bMJp1P-jzF^|07B6^FgaKXh`|c_v~m$q&n$YQ zBNh#*r%om+?Izr37@XRo+#?b$0;&{b2BNaQ3Uv3Iw$W3C4Az8*K1B3TS^_d2ORbwd zn*EJmGL-sG0ELl7JaQ4v#e0v3cf^%{^Z{JvCk9|O2f4kLW0HG+9KmLo5ybSs zNclzM6Wo`kQ#-&6Ye>6@Uv{0HmQ`rWD5I83#<07o(slGv&Yed=>O}lv>6O%ckyckR ziz%01N%wVZB%zL>4eDGt!*}X{?B-!oh)fFHv5GkMzo4ap1R@B5w?u^C`UNiYaJYFTrF@+Dd}?a_TK`g&7xsy&{PAu3xe zer;##hh77V$Uz_gAbmYO8M#YSx7d|)o|@Od%kz)Li_VYcv-0~*94aPxIqvzE77!%J~{<7F6n^i6Mo7OYZ7DUvNG`FOlLWBTeNuK zRUW*#j$2|xj=oAZMd;SN3qlB(lxmC9HQlE8JZ zsekR+EmQYTu4FwvgA?f>C>Gf{-<{fiQ)QMlj*HuUTOx=b+!hwfpBy+dbb|!Y#!hWU z9zSx3Y|hsa+2wcs+601*VwjsR@qTuMO6`UGHUW{i2S0YK!iF2v{Gds74}>U!nhsDe zxWI;S4;f6PTR=g=QcZ+*&?Gg1MJn^HF{EC0O`yMt%kJEkG{ufY*C?JP?u7pSCztT3 z%9`B-^J5CM3jgxYaA#0 zTxOMDi0#!FL8+NH2Jnt;At_rk1}x((9*$9DIX#r@J*0@N52DrpJc`}-#gjeSxmERd zng?jikvOx;?%n#u zjl$dp;K_1+E;AYSKn8V`j)mKT&w>yN^I5BytH6A6>FJ%*iZhIord@y&donU+W0+2B zYwU*xQ#6CS81gkR4=Q{fk321aAcq_}t(k-*%)F=x;dDyd01+J5s}0S*wa*Pz+K(sY z1=*h@Aj2gNY^bSr%cyLm{#gc!!FYh^15{`odPHZiop=?l*L(cr0j8tyq6~4c<3~%X zZdEY1W<5D!@1N(5B0oem*qfJqMn}fPP4zxXwdRX{tyPK6&F}FCbt-z_y-&((t3V!5 zC{zXKL0uAx=rlb`ya;MV+3X|iHS=fg|FE}Aj(XakEmmX0v2+^icfb&;g0vUzX2sql zel*RX@DVP^hl>jJ?$De5SOWoTZ8lKDJ^nQ{^PhJF{9XxMfwShA)5Xl+V3bYZd&U{a zmZK;jkYD+z?%vWzs`_I8M%rKoF?b-h`VIzsQ`LgPjc$$J5|OZ|#i-z9L5UYkr62E3 zmK6XT6z=QNZnKP?a~Q9Cb-<=z^B0s9wRTVndh|ebSTMQsSzNblZ(b+1G{>0lww;L< z7bnf=8yeii8XKX02Z0VEW4Y_{yRs8NwNnWk0@cgBARVa%UgLf0)>2pjLs?=%DPdo& zMvbi#^6Y_}BR;|eys`WVhESaX=0sSlr_L`34_-_T&|Gq0 zWDWu3SSCuH-ZxMfx7I*0>%1d_r!-fpZ9{>!+XjZwCrOs!gKI)2abZ#8L7~|Espkn_ z0O|a5T+?d4b5vwXcd4f7>*A+j)!V&AV*eA5aJ%=9~JxKhAg?pk#0dE8(r<1bO@d-W z1VSX0!Z0ovu8>EqYV0D&`5Y@ZnwmJ&P!{L)9s}Pmjyi?~+HodGxHD}gE8bE~UpTWm z<;+>?qZ~m81N&Ni+vE48_o+j&0SKx|H7#tJ#&bSU8H-|Zr9Kv)8Fq5{jYU%9^88pA z%oSrrZQ)vp=atukn3MTQ9w0!`=oV$Urze5LBvw~*_oFf`l5jql+h>>C@(%`U ze?$C?61I?|@{oTjA)dVhQz>GkLpQ33Oy1`)JUHSqgeTg9n(~$Nn;SwU_)=Qr5V=pjkHx z_rIZ_Ftm#H+5#kd&dX+!KCpv%&0$;Im3ca`*kGAj`j&%D1Mi6SH$UPKWMFzfsHa71lj32*s)NCRgaV++bE$QiV1t-! znteMv0tC=gyzjGIN0mr8hudQ>38xC~m(RUyBK?#5WOW875FLUE(Kn-@*b&atj!lXj z4`WIe@p$vhLM{YhGM!9UHC*LlUL^kW6Ab>RVc(@ccxxcsD?UqFt|MfpX@A{AjjBvrEACgtPf*z(yG~( zkmX)EG%$9}V}DSHB^howDy|bYTU`#_ej(5{qCYlMYisa~E19|cKDH@Saz!Xfp3lr3 zdo?@C^1*EJmclwcIWJh8{C0Wm$H>vp<&D9H+s~_3;d;_?%8Iu|g^oH?FolX4&=(=U zgrU6|H$U7y*VE5c!|oj4RdtL*KmCChJuJvMZN5B`@vg*eegQ6~WFGRi=&aFLz_=NE17Z!hlJu0=V`e6v);ZW)K|TC3Sj z){ZXuHc{?nOxrHp(B);ncckk(?I1pcwFNdEovdOShYgt*8%x?gVv<4HIrYoTo$ zqzc$lIA!rzglP*wAag>a8MwZKK9zW+1MgmR+?dJhrpl&2SJm_RWTB@wRN3;~){J}+ zE&vZxGFUO8k(oSrX&PzvXi zwn?<4D;JPO-!E?ef}e=(hnpJQfjjq{q*u9u&@$NZ$>pQ0O8#g4=`GSJ`pNBjNy=K; z;gTm^c;z)3cp)hjN)Yyg8K1u7Us)T%dy);r?%HID*)B=yLD+~ zV*705JZr~?h1|QV!$MN2eXiPJt!L2LV4hb&tXFBkkt}03*rZ)$xH42p>w|j*G!Abm zyZwNCt09p41Wo{U+17t`UDO1mdE>0>UDVde*mKq=IZ3lV+2cYRpN9DQIeV%?IW2tA zESQcoRtM4uqxI(#AV(p3A;1{*zl_UQgd@OoL7{F#^>a0@P?F*GAr_n!_F9cy_Y?{U zs}$3fHIEEu6q>vm>G#cgIJY4xSa(ia)$I|M;?yUXv1Emr`U^0#oBI-<{6U3MsGnfD zvG9U_^=9urtB`8&h5kJ|=ZdJK>KL7yogvjSin@~>lZr2}aBwG=rDb%|R`#FbwK&b^ zxI=6w5d-m3*n^KsQ6T-fUqdy>bO9%=pJOSPm*ewA_-^he8W~9x*M}q0)65Pr*y}0R z(0zd!)*s2I3ElWtZ;o}U*n{R2%RYM;j~K)fMzMN-tc)L$6-$^ch#nFRs4N|V0p=Q@Ecr}y^CFKOqe zZ=^5>tOxs2)AjL!V_Qt3JxF96M=~_@{Xndnh`@Y?781KG7Krd5p51#^w#^xrb+N`2 zH2$HR(fomWq$}DOrYpC!9+~j;3`t)5lw;ys1<&WCaSd`GYu^sI6+F&P?-1K3Q25?s z6cDN~UY-x%hAL23h>H>DJoUOUj+#wq;hD~E_gyN>c`gJg^(dorS?d!^O}D{Vy%C1& z?~^9ZU@20yh}pT4$*xCpI6`0WQxPXAVw%{hrt&EUE}+tHQ$;%NB=rnLwZHwIgt}sJ zua8e89G>;1~tOmxYRMS6d-Q^ zV^;45LM9)sz=P%QZO6uLVCG|7Tdv{p*Nr~(J9X;i-NFy5>`1l`N9|V1(vRrRqd zU7WZZxs*vLR=zs>;${>0uJeYYhKrRVg6cELKWI-VA?pqQ=d>pgHQzKvsC0lKqrjf{ za%r(r1VHST!NQCSP#-&M#f7N>u0rA@!gp=v6VctwimhQ1PK?n$#$KDTZbz(@3g687 zSGlImjcJt}#+a>TBwTKLBsNucS*3OODQE3@wA44@~3Q{I8hw9KXHoGM2iQ- zD?QFw1e0i$utJrBx)mViZ+~`W*$jLARrPMibA+Q}IIw&5D%mb`gcNZbDV+>HKA%X! z^+0dxM0BfmEsD$*cuyV--prSsJ9wh^5W300W_SIvys0O=_ha@7$bq%t*Z`p$Gm%lF zB#y0Pe00Ab{;I=RYg^!&n6w!WljU@1R^0}|4u$g1QG>D-Npd(qHjvfHp!19Cge6!` zt5{OE{Kna=R{R4Z`!B3h+ayT|?R=plZ`ohCPQF6+@8DRcPn`dRbz*`g)R|FCO8y(z z33Dv;+OufpqCOoia0RXE?zK19aJ17?=AOwOQ6%Vcfw)Q;mdtH9f_Ub@XoW6+avGm< zp2q9j3#hzkPAGcbNnw1Zphf}g16SQUYHvoSh__XsZLz%a>$8_JrK(lz7PV)H9yz_wVMIxo3 zg&d8U-@-NP1{u(mWz58qItH|TGjf_Z{RL7?@@1jX4e5?RT0$;yDN`c1Cc_!wfCIp^ zDbB-^z}u(cI#kV(FoF`sbQx|g?nvDyVOG?V&v`M|j%SoRI8|`Cps)$&d>|X6`qc!`4_Fi!5<=IQ0r0_2o112FNa z)&KSkp;a~>*+1|p-PUBS^?mlVEo;DYFGljH{Rjd#k@;|V9l+Ec0dHxsC+_YZmX(O* z8Iu(lHFbq>2hb=w+k^{dm4lJFs(i+eo&fPA#^)smNP91<+JVPqS8IX-+KG8Ny2mHW z6tcO5qpwQFb47Ubqv@34w3)B!xJ8vXyk`@3)WfpmEah~X?#2l+=eLRJ5`J6mgVpq0 z+^i}WwLGiNY`s?U#hDuglOp@3*XTjh&Rhi9D=B7GGL#WuOcviTcXXzf>i#uFXw#Ck?}wk0i_r8RrW4w_I7j!K z=op}W$VQ%poY}>232(t+Qof))z`IBri(I9x-xpnHbOVAaIKv=qB;pEe+^5?`hacn? zo$tiCD5cgFU)@U99haQsA-h}MkuXVGJ#-^*35*V-d27f|3_1UE!V0HSM9Q1;tSxfX zzdut(z6Gz#|Aaolr+&MoziyOOQQN!A3g;z#`Rv$H0ZW^kPZqOzTX6_RBe|zh9zQ5{ z1DIu7pa}^yT?8sxqK%*cdO_DGwQ%nBgEsHu$4tVRFsW%ABwo*)8OE|8W*U38Mf9$A zcbni^GaNbFT7y6*`q?T$E#g)!o0*6Hmxsjs5+|Y$7A!mm0d5-zoE_CFI;p||Jx zUtb|g2J8r^G(uVqj?@qlA-hU+G|^2YcI3Ot^QU`zon(YO?$RwJCpf#~x3RmAG#g*~ zYS=mSy-p6SzHuf(>1nq+T_NG0*tLp?U5*Now5Y(kLCcRC2y-{U21`Ei*E}&md>Uzd zpih0|D*+g}QoB>F`B>8WdQzBFTmz?uqu68nbI&^g3V_D&EI>yUBOv%)XTd1o;HgOu z1AaQt%xvH0>s^M=F%jKhsV-EO~=4AR1sA!%sIKjKyS_xbzFTu$F zY1n}6J3F%*f8TJbAv~b{gn^No6jm*6)Pw=6L9lwkc^?2kYjA%{iu!p-QcD;%pZZtQ zXdN?slK|373DWoqj^+b*y$(YW=o7U{(Ty^zyH-d#NQ zn7|E!`R2l>1NsdAQngwdjIMZ%gyl*=9vy zG`WEC;pWs(qzV>?0ZdVRe}GRZmLdi`wNn&a!KnDZKIN(m!v4cFm$B|pY%$VYdrt7K z#u%9ZCN1489gJ22s!63Foz$#&-Af+mv<#YcMevb!;K1%F0I2?Dt$ZJad$9P1DFG-6 ziu=7h>9fTCL>D~x6d_0XpagWToOkVXv&ubO|uqM7({B?I@Be{zmkrd zi4cgWcs+Z4F76hScKlKQJ7^bq?{Lp~WuJfH16`qkQ@{;zv6}Uog9a83@a{h{{(*90 zL^u>?tr+l6#^FEzF_LaLsXOIufMqG8I%D9yEK!jU`{M3S!?H-&D2QKi=L-R%Jpr($ zfT0ymh>qi#hVl`N(VOy(0d=btm|pgE zoK)d>EeH7y+^5C{tIc{^pOEQM2XYxT%cZ$}+aaG5GId?LLyLIxcV9N-f%k}?sP$*v zNbN@00ZSNx@MXH+9dTfcGT@d`9e&tr|1anLzyAn}VYsO}F%9y^ z8UA&i|F8b*st(7%<>Dnb$p7UO{QK$n-~7KiW#Gpo<$}iXG~WLY$03E3CFZs_I?z`+js!!mpF?2{YFLZoA=%IHP~D z7ReIudI#tY@}hy*+OFAk{pP9Hupi3GV1~5>XaVKU8@0F#00#$s*Ky7h5h#Nn+cL)A<)@^2)?IlOq3^E06DGT(z{s4 zDD*cn@d%h4dMLn>AeGIt4oG4$0E))E3#q4tDUgI-{lL=#sCan+%T#}niW_iE(1Oxk z8HZnBPN$!d>OUgb2MM&>x6ck~-VfEA<^Y`m77PJ)cwHU0y&t~`#3s+AbDnZ zw^c;2P`F^4juFm!*>`s}nt^nR7Z@A5_u>t5(z&qw=c5%kgXvV}yFK8E`qx`gDgp&g zNVw@@p+gsl8sS}B!QJYyjn{LUBN+%6#wihD|8U(_$^GQ*NOzZjh;$6y@vV8D_x+CdiR0i8_TIP|XV!16b>H`OotF=?1KYAJ4yX3>6Ewkn zz$&pvh@KH_ncqTySBRF3=F+@M0+aOj(Vo%VVAaU_H7>LWO8R83<=_|fp2d7P9ej4R zz8pTyl?NSwM8R2S>76qsPBZZPQM8CV_^qW%reN#^U77;-yV6taK4QeS`+vSjWs%Yu zS=2KqY=zIUOc*8*$rP|^BcQI|nGP^eUP*oOFF*dzKWfP|n#*t6p&hHS&;c6agP<7- zBU0&!4>$UYz%{z(BX-s}Z)p_T*tQH2=paI0vq&E5u0PjaQ|Sq6yOcSwj65K>XhgPk zqFRLLEa}oYn}^+C-Ps&e(~@)eoNSt5a31tP^sMUujjFZnH5Q7kCJN-<;YTq}0)j@x z#6kWqFYJ@zZ!lKnL4XSjZVob~!1^`aGru@kNi8#D`Y)%2EgA~#Go)&=cU8Fm_SwXe z=mHXwn(Z@BFeGvkmnrxVh16iv@lzT69OpAr0JK;Kvwk1#Mg?*`Ced}UINO3{OhNRu zx>yCmh)y9i+{6?_&g2TJHytdKJeMV~4hA>J@`swej|ahE&1N3}Q;JSzD{6rND-ARd z2Hp4i*NQQ55eL)1ed(tm{V+ASI;?R0mseR~O8jnJzVQg_gYV^FDkFG40#Iwn4{u&t zKLbCvCu<7y8~pz`V);|rK{N(e_Clob5OxV)3}^gQ*r-KHF^7;DJa7nvL9pH~CA=C*#l8 zL4qSs2s$1wL~7c;q!mOin;v0V?E#*Yp3l~okf;K2FUHtsUx*RAwGraQqf(kWKGEGb}ae0Y=(NXGC36YDV)w z+=ejN^K)pGXlM4p6p$Z07)5#@!F>oAUK~U{wm;`vo^2SN4N^WNtfZZI&WqW4|1P@7j*{K^QJX(!o6@Z)CJ2ONTnh_F`|60Pxd9U zl6Z--nVX_I-#A~x=_K>(Q?GVps}tWd&c6b~4(B2$C)8dkkYTyyaF>2b|Et*|{rwBD zzIZgm4@2AQT!ly8Ra!3Ldl27Bt@A-1qHArJ&fga<`Wm0os*aMI)8Q`9?M=qNaV}^~ zeuvc^i>TlaRC!*%YZ&%~+Wt6@GpPrgE!r_v>{2HJNngW9ac_}@YO(G42Es^-J#Qw- z0f!@>_#-?g-k>`f;&#P5z>&zF#nAoC6FItw&-1F($FCDlNLZnh<`j&=wnM|R5P>z~ zF?YFWBv4tH&}YW~a-zIq9d$=mRc$o^qvLh($9NG#SAIQ{ow+408+YU#9qsHB;f!&{5;eeKwQD7I7jh z&un^V-|~Z2l<5l_(9v_u0z$}58vIu#{vOppwFzAP^x7|qn}F-!0UyMx0CrPFo5h&L zmemF5jTYHQbaM1>5lEn6C*YJ=N6=wV+IQHr3WVW$6j*EbAX$zQg5BwNZ_yJcfWTEj zu@j5Fcm6eb>EGk)0n{rCDL?5}8xX&A9f1M$25_%$OEW-6B4*2aPy&t)qI7jW^}jlv zHH%)^azY;4+R*Kr2H-ixbiU3@#vomIg6?{{^w8;3KJm1I;Y;6D=e6XPId9f~%EjFw2vBke9?R+Kt>TuChuNGmtQU52?)C8AQgQF}(xZHpZMxB$D+M$gHb0l{o~B z5<$RBd!_qn^U)qtw=@{IZdveS}-os~dY9{{8s(XdOSi z^{Tk1m7+6$_?l)Z3e1Yj?3Vpnd2bOKylx&J+!#2OI5kWs)bs@>{_+nq+MgbYENZ;e zPBkBc4$x}ue>Zi%4g}#-E^#1FLE4m)?T2{JGc!pzcqkwNa)Iv;YxXsW2;g_%L$w1J zCNe*2Qsxg)E|2}BLgD;J_&?ZOX*S;Po*&U{T=r*g&;)Vc@^*CiM7gDwE!(p( z9b~=*F7pD#p0`Yb=hNFSfD|O+3)wN^4^27(bXrJ6tP|q&kQ~3TC`#y(n)p7AlC_CQM zKUQEG0=ow^X4QhcKMRljHh5Tm&Jt5=#(|b#j#>qYjPE=5!<#Yn>Fo|lw(`s7s%_l; zV{kna1pEi9$-BAp0MIBxwcrse(d&WXRBU9vhy$Th-q9iOCw`2VH0uOx@3t5_A^&lq z3QA_AZ;DS}myb4HTUfsHRLHTs>vQf+8(Ds4$tW%A7J-RftV<|J-r$qi_TkUB**GN_L!8@(*pEn|H z2*}+=7@uEf*~}p`mT}aE+LZEne>dCg+2zgS>i_Fm;PW`~l%uZKeFvxwfWa>ws;)~VxYBy)}*lP&*Tig#1HQRe)p7U^X$F`QIgQ8=G_B5%AZ z9s}L=EkC~iJ$Q91Eyc{Sy&TLbZA%`}35kALgKY^?N|~A$I*_|>Ym~hxZuTGL4@9-n zzG8LB6RMf3U)l1l$RCVj#W$6k-28dS!xl)!fip_hoZ@D;>H3q5)5e6^l=iaw*|Z%z z7xP}&JDNUTD2o;*bdG4gv4ym5l-vn(dCo-(lee=L-hj8tMj;eC1F|fUBN;`nsHQ;t z_!+Aa5&yTy@H*^PG(YdniqC^bbnK70^~6WCxtcOA?ucYAKj$fKoCpLIJ&j5*Hb@ShC^Wym6WJ@N)6A%T(Epfyq%J%@r$Rm z$HAlOYk9Dw5Z4gIP!Rjos8VRaO>~>Kqi3r(^BnyjLzhA_x{zGQ^%%9fT@r=qw{x(R zemOxt)V=4u824V}L#`R=Dg|69Rb)JmGp@iDgPB@4!%Hvws}aGUI4e27H!@Rt5_N2{ zKB?<;RwS}$w`%09(^|Z>(GgLlf#r z=OI^EcuRpX^XEMUdy=M2hcD^lbzK$}i=u<8symxOn5K?;%&MO{sf%_OUiLAt&#p9u zn*GZS|DSi`(Ko1~13ivfG&Py+Otq>$lb@tiJ>9i2VtGdGUlmVKaXPd}#$Swv9s&6; z->798v&61f#JY%qmVEM#dq$?`d|z>;a*spuBPwW43lD#1;w${!lVr4?(#5L!hS$xQ zEY{-z5k^9nKzlFOD+L!p(Zl0bO!!F>J3z8YQWe$%aRyC5Th!%5t&IBXg>rj^PVH!l@J*$?RQvW^S()W}2;k~z z)E=u)zUxB>xdA%s{S47?(wI%%s&KiU2fF_29EI{J+U{Kl4=$c~t+1Y98MBX_TP_ja zygQW#H~p)+|78J;?xK`FW7swNGRDc~WE)t$@aJ>A_zVroXwl9@Yw`0CNs6>jPHK9h z>S>QyJagwnCa*q`OYQqQINpb~>(JV^=xZ}45(5~3~9Uhl!_q;A;v_6VQuqM8% zf%i(nWa%{Sc(-QWJC44YpvGf#GU-deYRf?NaHv($+9Nn4zqOo&NgBz@u=Ik1esldX zqD0NH6WRBpzz-j#`-KgaGD|%Pq&uZO#`<21o2j(fBbIIbktN39Olrfrm4S=zw<2oc zAjtPjEJv}3gS-wqYu2IVKfbK_vU4PhBf9OD7D9gck4%%M$jY~+tMHl|YLR#z-4&KNVD2f1!vQ+4jY-eP2OQWdhghB@e~IW&D6;LtzdyJB(=5icsQ> zs>z^w2TJw-(tWcc-qg3YHZz9V9;H6(vczT4eEbd_Y6Z*bF&7>Tv`H-?m~iO{R4sB? zAsH(mR;8DLpjlr@0z9$w2aOsf)PjPEP>nWZl0X<{9qnLU8*0p+=@Q%Um(;kBgP4&} z%%d<$3fNE(+eaWXWPp@fa0@>2nAB{qB~&k-+QL%CBr?lIO@s+6W(K{Gt7fr>u(35w z7CYmRj6xD094qKngt3ve^oA;60EStYyC#fii4ittZ1*K8_=;hk4Hs2LE&?skHG=R} zMhGQ0ENFZe@;J^{cHR}jiVwBb^}?nd9BBKTXUmNhLVUmXmfBjRvH}&EV3K|EIjpFP zcCgx9vvb2WyJ-2l+?*p6Mi^N;k-8kGPCjzH?_lFr^95J?A#mVRhJ|4$B(=nd zk}QSXxqQaknJCntKY#+cihLiach}lwl}QPqIcofJu0?tt#0sQp7&_@Zqu~}A?+%f! z2w|3Ceb&t*Dz{1g1756SOLO=*!kg(ISgsJHEm{m~6CxV`0jmrV8+4=e_gq>PKf!9< zh-;k?oQnF6=5LeHd93kf=o_E@DAFxyH!lTs)OvSL`49tYg1bv>RwoSowmP8jfNKv_ zuht;()f%)x+UwEbPp_O816h-hZ-2OSM%b>XH3g;r3kt+pd&`#^I;;QjUTId*&0nWW9cd)p4|!8Ql$gSXq0 zed*!c&Z%amVXep>v;{c|$De{k#z%8Cg4hflIXWaJxA8^(5^fN~_I?(yIWo1?(@=ka zl#Ro4{58R|D;9r1(cyl<^-e_jQ>{UrGx~atf}BZ`G?=hC+ z4B>hY1r=;-Gd1N#*cO?95@CVKdf%mhZyvrW#F~jgWu`$CMZ32o6L$Y_gT0`5plv zGF`79^E+;pjK7L=Yq$&O7D84f2BIfXNJI1xJq$3m>!Hb06ltSJQSwGZ%O;dEpBo0cIiq_Cjw zUoSF3Dsm)*-h08My1b~Dk!IVN=5>k(g?hfcwifPg)lWs4_pJH2BE(-Gx%Q+Gud|+t z<=5(<>h*rRb*Q&+4H^z-%?EE#ZsE<_H_^UBT1Lo5{ZInT=B?tAj>`B}Bx)w4rnwy> z&P_(378XHSVm);sr8y|ULx{HHzkiLAqxMhtVIBXJtX_q1;!f~OVvuO(_E8ZD0^Ta_ zKqphth_<$Q!JC)qFQ4;pbhXHJ!v8G@Qk^BXlph=BU)dej~Gd}t+pB`Sd4kW37c2Fd5 zsH!2-v?4CKFT2N!kt@IXYCrFKm$%2;`-rQ0IA^(H$G|J*Op~0YMMoMHkhwx^0hw!5 zDPj%xezn`!>=JUkdorBCj zP>PxDvj^vXpxU|0!!WBySN%|j$>hDdRrxY`qwIQugQd46^?A+^Mo+Bh?cVF1y65?q zHZ4mttSfg42jdHYn{c_Gr?D1(mkuO<1&@LH#OFu!VQGjP(>BagAwCHJDz|gW9s%%l z&{y}&AA1jjDsy7aB-&4G6DF32=KWZX>LxmQx-(kgQkfcKx5h9Nu!DUzSf`QkdgOfr z{+}z=Bx>zTF7me$K^JZ;&#FHWT!wo8k=kl{UC2tUR6OrN)K*4sC}z?kAHb0DC0{YX zq$$Y3a>9+2RlMz-zq|RYB}c;^?X|pr&&5LP>yz?Uk&OE9R3&LE!a^icLLqN^0t#Ro zq_JK)@hYL0--EW~+QNL-kou}2L=F&CBEaA#|?w5|o4_h45EMqaE z{bDK?CjXv?60gQtdXG!^u9gmIKD5FMdtO}4^WJU}?D6JF+7>SB45sfK5{xT<6B1Rs zQu&Y8v2u$%H|ZlxL+@xUi+ayA7L>4JLC&*J2pr}Ewz^qHCE#>&r# z+a_@q2x08~Ys^1`jxJHj$H@WO>+{26D;uBfy>7LmX!OuYhf{g$Z8SVZLN!gD^C$Dl zBwAClF)Ad9tttVk>a2@}#*xHoW=luX^+etaiI#S!M3?3~y{(F#g}xIrvS{^+{BmBa z41~eho{hq1YCb*89||FhsWw?#pU_Sz68lxuH{y?aunN1sMmbJpODhWil4|J0qg7sOq)ViIp^6v%lTLvG6T4yfMku0a0wg_Zl*& zd9AR~FZu4^yRm7|hd2%8mnnF%%_`CAjrZW;u8r6IT+#4bw+6Q5sCDZdBlL&2FCWg8 zKf(pgNMVKZ?!;&yk-(3Du8H>iBLCpC4~;_qB~ow*KLU`;RPs&j}~e8#jE57h{{crvXgj=%9;h0iM>X_aIOkC?5gS6zNy#<3Yfz< zQ6^@da2;CW)4ks{QBPo1VU(9ltR4P3Ea8^9B3lWwP~OJ|R_conMTY!R;c1E;mX$gE z8HB1f%pw)lw5nTeF($7fb`tlsHVCSft3v9ZdJ`2v2QPY2ZIe`({fUmkE*~vSnfs8k zWc>Nn7W4p5Rev6kzXm*c4~@Ez3sS}h+45qmhaB^NAzHy-ySS@&A!LqC?I9QoOTB*n z6h%X^(eFIHo?d|epx({wP36>yFZ>&+@bi3VKJ=wHl>!s z{6ijl^HaUDNkVD1$O6g>o{+=jNy#``vG4tVOF2;HRoo+2|JnDimCX!F9qS@D;Hb@F zo?4xZ-ie`~zsO)$xagz-w`O(Sj6xu6um)g(D6z#8*Jcu1jq!|;&-~qX^MAL2DVi1* zr}ms+1Hl`bD1Keep-EX7g*vLiGDYOXOSCQklFQZ_pK)|hTLazP^Oje253FL6z-ZgN z@hv<{|2ri3j*c`I5V9vbCsOat?7hHn`OTkB(q`LPJk=kftm0XqFw*$0`67R{*)x+d z5=j@MYHl>=J`xJ~;Uor&a|v(S%!|%&JdDkpe6@46WtcIR$WPZpG35#AxdyLpPKFcu zOWD7NCUg%1uWLuAo|PG{#HtVa_)j@^lx1BNG#;YmA|dTI4SJ2tK&VydA?X@bKTSrR_&lYlW_Ys0z?Q4 z4S{3Ue=i0&niAbqvJ@8}Eu)N7^f55c(_~}SSn4sPzZqcEu}2e_nw83DBRZFxX$WLq znH4_blIq9gaC9PpVJPRhmBm=QLB@%ZEmL};5u-+8b zYHY!s8hy8t&~q6m(OyL3X4GBvuxRnKCuqTRd3GWb)_6?DppE49;7!$-n{m@H(MA0x z{4uSPDv6j(D_omZ7MTunb8|>WAEIs31ZGK;W9o$=eAn&FUp2z$u?6Ml@lgy*H>tkD z&9}N6z5pRN#qxRt+7O0LYDUa=!bABC`v8t~g>P=To(D9guCNkG-o3^ik++hLp1kTa$m(kNitd+sy zqrJJT-yuB0V02Bd#KV{_vH|A7+)zU?1_VxQt1)izPVX0pX*6?m%JF$4$b~nV^f`>$ zFaoO)VT2b4WxXcvY*M)Z`F7t6)nFL|7Q=Zyg_c@cmds8pez9MY-N7%%|6ujYYw=`2OJ}O?8Hj93J0qe z)}HLtj|t*Z9sdk^rVPeHM5k=V-jxIL-6jQwE@mZbTV^7&mmdnu+p-wVWc1Fy z-NZ!l>^kPSG4R-ELfy>jWUdkZAls7yz@vtxpTE(UnjLH`5WUc z*uES^=gi#>9EHa$>+*~~<{R3|!4T4rvfc)F|K|C)a}ij4V#7o~dB!?aM6&{BUX1j6 z>XS$v%`Eq~@b?DO+gRU+B=tV!9FpXh^bKAZgTE@%$8 zfBzc1FLFSZU(CA9ioK&d?y`FYBPX6&8%@V|e?-we1NAHFu|o-`Fk!g2#w>_f>z10g zTD(Jm@jOZ4l>ukU52n4gFBQ+NAaDLEv(BE=mM>5kn$FZQtREkJ;~O6G-;&8h4CMU^ z^`EMiTZB^aXr?$0l~Js=CrEGlStv@>QFO0K{fpS*pL<#jagckuuSoJM4KGu3VzH~O zJDW6A{l|McqT>on^ZpTCBk zq*Wg4;ppcWp1%2NV@7v5wbReh6!7Ybb_!l^EI&iCY?a(%+M zt6JLMn)vL1tFI#P=Hreh?LVeTS28%-^TS#I9%9Sz%~Z5L&>0MWDkJwB)4%6s9`E?* zcdN4G@7WZ0oMvQ`tY@8?Tq>f=G=b9#%*9S~N7FAW6yb6>-eEUHbQEOLYb+CUc>bDgWfEQczo*~KgM2~zTI?)+t(*{0d_=#<8it^q2lG9wqkskusj-Z^zw954zlsrLLw5P-gG=k-MTEK!*dG{Wst<3Fl?AU^^s?m>>E zwUbb#@ z3D^^se+=tSSZA4yaA~zF_)jvKJ#282<`#%@a&bdXAj_NqPE?$>Gq?|NC&h zQ8(f|(+lOUl1yn{y%eO{tdw8!PEN|AgHENDPyb0zA@nX?GrjqPX<5p6l{vb)!@)e5 zhsMp7$=m&m!a$nQh_NF@uNCLdJ`e6P@OVD}XQR}X$+?P(TXn|qsjte+8qcspj|j>m z51%~5UV9OT$_y_}*J{^Yw zOT)bV_g)Y9)Rl9zN&f0@My@mddK!dw0kpHDs+pn!gxx20cNOKr2yHJAVqo2O$Vcysc_T?{Xx)3 zp&+JMLB({p0+0yOKvg9$l@MNj+uyVtjlC|?>yRoKy7^fJWIh;sN4lZY*{=`M93nh{Lv&lCEg=hxOHcqO?BDg)fddt(c#JKq0o&7 zGUC3fzjyNeM|cLV|2lAgX!Um*vtTxvqqJ59MnoE1!sc4e%HQc6HCI+jC&0bhXl+{9 zWAPtDUu5DZ(bBImWu&WRDb?ZcXROl(p2($oZ(?O}cv~EvfjB7K0EFtt8%){<0kK{K z3U~m%Lqp=gp0fT)OPxpRdTykODcgZ2TM-kc!tG%GLc?&~2a3lM-gpO?K#E^yNn$l~ zHjr4FoKkeChXFoqZ@@f0*QmpDo+)lADXyMTDURQvq%z!p4#m3}+~q{hV-+?)xT&yN z>9*ON!EqlDa_oUc7KgMB7ywPuus|R{BjEqg=F(*3IoEZT91!Ey^PatIvnCN1V*(v8#s%rurpyfBvkOE~fz$6{;a4q(rAa_~36 z9RWDy>xUTOV3A86^T;7f!J#Q+F`t@G1FA`YtOH zNpNcxpW1FWwjSuvDi7`6PMy+1m11L(_IM9q|D{%c&otTqQqzBh8pA*zuP3^>&TwM7 zX~$oz(IY&T>!<926KEa^0vSbC``>%e$+kLM4h+mxt3djKw)2gFj4&sgwW^m_u*OKTrCB8@~g%l>|0E8C%NwA`QiTpI}MY zh2o4?mcjK>>rfbzTgb9xE3MwGe+9OJ={_dX#%ACG%yj*Uh#)7K#vK8}#SF(Oz?}ETS2x}*;AZtvIuKRS^DqygeLUVjC&qa( z+LyPEd9*8r-FVuOI0fh0u9$Y+VGq3vKku?rq_~Q!Ka`%v%d`4K-H|^3sgk_)Fi9?c z(cdkND7hAIzZc3!_-TBE|M~U8v(u`gMy+xr>uDby?S_wK@f9>z%ql%{J zDN7(nG$Yg#9nm>qtf%|49B4rI8bQM8M2u-|d4g}k8YC(X95u4^G2TFer){*@o9EIp zuTt?`#{sa@x+0#MW+4G~8tv&V(3R~rFi0wEd;{WmKFKN%#q`XX;EY$=8-z1q%lqjb|=E+X%7wOf^_1 zw|s*Lpx4OG4fqTT2|vv*YOm@)=W? zbQW!{$(_ghKO$P}1f@n)IG=21svAKc#ya*`7X7rfc&LQWZ0`65!E$M_pcKyr<#FkH zNe$!(P+VR?sb~*TO2^QgbYDSh?Zn-GWLxff zZ&nhQ@XUfuXiu?K?PJPxRTxj~-Tp6dMNu1n>rZ)`HS|RfRMJF$7vJ(nD=}VP@$*>E zsU9745(p(Yna$h*@mv%wfn!x4OW2x$Mu)yK>j3()p>1dKq>uMoa2iZp9TGYsTcmL=0H<% zOcAivc^(9bhJVB0o4PtqYDfPDbT#gPEHj_SQUgqNnSp!*&MEm> ztJa?+%0;zCZUx`qk-ywiAmUiR0ojp)XL*p}y8hr|W7Gygo_CmpOJFwRdc)>9XO_UIOd)jG5Ep*N?!!Lh;fX z$S&#NDk4BuBG&{hw|t7a$ZvJ0ysY=WXtQ$s$K5G+;i%p|99*(p%j_l}$iyPrWh&_K zj1kdL+OL}dBg4gWJ+Z_8SVQSb5|^D+p-b*LLcCktDHc@Bu6 zzoaYUTnd95#U0nUQ+vAxFDuX2$Nvf<}$cQ!rpp%6wVaC=C0l` z>)BZ9SrYb8Q)*}I#Z;+*P&K%roX8UegeVZ)P2h(R57J zhK@~M`jagr6d$nB=Oiv5GH-jNz{NCQfK8O>*@-EGak?NvFU*%BeIBwB2J4-{k$Y(5 zuIV*@4Fcy78gi&}2%ezpjh;9dTO=Hf$rd9tz=?UUGui(!z9@V+4#e+YzxfUmj}D3^ ze(@WMLx}oC6y8BhIb{jl;NKE$seKMw1FsjBJ)Z^aR`yuaJ!Enl(+{c$LiZ2MxCTn1 z3BY5kcR$9S>G-B^%2V$5UYWJ@eiV+G_^TabCeyhWKb2A^BAJF9elZJ)|$>p5q@e2*v`*s#}yYP=1^WMAG^uO14gwt*nD zP5FB8=?{XdT_$AV!BDfxZ60kMWe=!gbPB?F2-0ixu&Kir?EGH1v~(1Zma1F<>1$kO ze)q2_&>DR0;@MzQh_*tnoWjp47}+5y&I5h4zPC1`2Xf~Zpt)_I)RenrS2 z@C)o-tg!i%XeT{>z<`3dbLFod&^z-HpjOset2#0ipbvhax&O~entrBq!+4791C;0A z!?}>C#5_w>_$1yRgU6~MD7-{JQ;;Y!%t8YBQ*yy{Txi&f>^7S5AlCxpnCH(QrAb%X zrgt%ksk&|US(h#{a!P?^33>rjmi_#yh(KOG{aII_iW*@G#o`Q*y6n>!1fvFoQ>24Q z?57lJJz`|AVGIblu-PcN-2(|AG|s$;coa}S7W`Hnb*-JD3y~u)d%pqjdIqu6>OQ~R zdc0RVMtS94uptm8k!8%QB*zatbf$@Nn zgKlOU(c=gBHZk#hebn)E9nYr0Q@RwRGw~hOmUBb6hyJK^VTfRp4vla=yps0n0ujag zHCh-bcFdCmdm*%r9Am*5kP)&v!uMT9ocx%3O08kRkofw0gp$#Y(GN&a+|=br%*OxJ zkm!kn_MBDRaZLq3f5jwY=-i-aezqq26~K8|m~PK_dfEKxZZ{L>sFLFw0Jtn_bdRDy zN82<}k8e;7iieJsUF0lkos8R01>Z`5f^zsY7sKPFLo?$0&WT~E(8UA1v3_+2!E|1$ zXDk5S=BfdVN3VC^t^y01(+RZwqGT5@?zi?|T@`Mhe1f>@JmeKsPThnJsQeO)q+&4? zi{x8tZ09jz`ev+fv)Yg>qV(dYM2$gO5uZ;hb_Y-`p6O4ON-KY!_Wtrso`R5Y7L@VD zC2KSw{(T87S9QsMn)J>+va(jNi+=b+oRJaxJ33{%7SPuoTEGr2903Rz)g+ffqidtC8M@ z<2r`6Q-zF>iM%>m>#4XWYO8--eZpGbYUGQs?^TbDA@8e zst=}*~2{H_OxDVCaRpPE4^PDA^b69{kH5rDX4uZD>-OJ`ct)Nx@ zl{r{7Sad7G?=W6ex7Zhydo5d0A1oEfSwlp*I@-v_2v=iSt@kae5fwqpOil^I2d$52 zx9@GeOCvuxD0mLM?jqZBB}=7`RYM@`i+ek?raTya>0AQOm%fZqC`n=p8IkALUKBY6 z{vDCS!)8DHnFU7$;m(IcSQDo@K~3_>woMzE-K4kT5Vu%K&WkX z?1ISViHKs#dV^(MMJOIi96Vg<18>LfvuBcL8Sqrb#lA#VrM=g)$^Jlkv*iB%NfTzZ z;yHR5fyBv&L?MdV5$Z#yh(_z|hwT>E?(T;2bNN3dFubQzA(wdz6_9LT!5lQBIx+&) zYsVALWA12PGCiiRPs=gSF!r$LAu$-E58q=={?1gm4)aY=xtYC|z9#R+fj_!uI5CmQ z4);??*HjpM@Jhb->(hIn+UFA7t06(m$Bzi{9_d&qTrhrxAaOSHfgj|eFPnBSv<`c=y9uK4&&uv&}9pib8*~LB~rzTkpo80i(?TWBdi8lKA z!P0?$;Xs59J^2F^mNVa{R29KIj$Tfw_ZR5nYq+-;-JQoB7gSD_wk^f)qkTJ$hyPge z%r($ij4K)e5!rIfA2F(Bq|N-pPO(Ve$m00lk)jVbPU_jemdY*?WIw-%uME9ibllKV z{1I{U&k6kpo8=%$0YAYDr50sqV`iI|U|&>Qa^14D0lRFY`W-AVa!2Y#V6EIE>y$@5 zwlh2??|AUnRS)orS3?7SMnfB&dg{#6Cg4ir%?X+0-3qRyJQ_xh2(CjYzY zn<2%+-wnac0m9Qx5BFt43rV7BUq2ij8DN2%22grzxCCAsC`d7Wjz5#^BNKQfo7E`p zJwtijdO%yUBfqIZB{ygH$y?lR{PVY?KdI)iN`e(=rwX6QwY%Cc9vf;sscs&O{x400 zZDyp>h%aKQZ&=lIBNEYD?|sl93KlX`5zXAUpSyxSV>z1Wi*nfI{W3Njn=z}Bvg3J< zBW~rL10(EY$Q>Toh;V(D_MBM!^vl;y(L5v;n9LK!We0MpP^ARJai+lJ6F2`f616gq zB#FTvNdUlBLYU0HXX3fZn%CaZn5C=sd_vL$ZvK$`CXrlmPn`Z>1*-6=g#&qzp?}|k zG<;3Zrh`9Pw+MIQ`~72a+nI<13Y5muO?t<~$)2#anR}I6fqkvx>6xC($2U>urN$|s zVq}AtfZatRPOSh;K?mLF_W3}I{h$V|p=w)I4BIr1_Y#$n-y&N|4XHZo++-u9@=XH! zOC%Dz9!~O|H}-)ENGzfH9yj_ob|^3_*Sc&K&gB3?SI2OW4>#D+O8&T?0TmKW#V)hS zrv4kt(9fgqVKRte+YZ+#!a#ZKR<;>HaJenX6h9PfHB7|hZ!`IHP%|9Kn$zjo_%#A< z{Yr-#^IZCXdrR~>BkOf8k~JCN!l^*DTLrrU(1q1WrU$emMHzsFB>>7HSh($09^kBU zS7Woi;F$5r_?O5D+x(VDc5~R)DC;zDz~r7P9~z``i(x?QtM@7u<^pqrK5X+ua|U9q z@4VLfM|W$vCrR7Sb^pQYO`GI(7i)<+@8kd0O{yY(vWVK?XGjg(z20*Pq=q3U zV^N@5d7h@ZhonjoX_xSBq=;BVJxODU-Q6B?kFs^gQr)+FpFxbpl4$j&i~2da&$qz} zZ^mzJSrWeJ1&mh28kt{5*qiiXcMZ#VXOaX2CjW_)%YY7l-I_LiYUtTA3bxSyrNB~>l&Jy}?rpREo9GdiijtBzTn(B~}{IKQ&sVmdX153iaPuAOxj08tK6 zTc>!9-DU|*1V4y|F+Qp9bxQODa@82yMt*ZN#@fN6=pvKv&+QlXyu>}ROydy9va?~A z%X!K<%uSY22Fc+ezf*dk8FBuJ@}4O6y9ru1&C0b-sGh~JXY+4xa}}j{?NYxI{#A%I zxIpJvdMHDVR@A+SC`da5eo=yd{J!e27ne?4c!ya=yrxT!W}W!O%=r4kdn$G-w$)%7 zo0YJKf)wmCN1X2(4mq59f(Mh%|5La=>Vqm8{n>irS(pMRkCF9vaEqGcHRV;PNq~Wp zk6pmo5OwUASplehf8xHNS7w`k^DWQ3N@CcIftCc_CwMWAd!7Lg_1DjsGCkYeuw5;k zfNQ2uwhzwJSR6b_+i%rM

->vFr&3Nnqfx%2kyOpQ;d^66vq_J@_4mXAL>+e%O zJHuK(TYIvawS}jk7<~ZzH@hG1Uzw|)X8NyFSPpkf2eouKw}Z$h>Cp<WnZCnkvKqW>74achCCURDQ?E|fR-z(z#4nAi7Zmf->Cyx^Kvh{T4 zA9|O321Dc@Vi*5qWc&Xu-rH%S{Y}AaZKG2sFH+wZ^Gwx^sK%VMdH)2<#`kOZgJB!o z-D*&QQ{cMcl?SALa=GuI^gvRkN|7t7-|X=~F5TiiJKGmK@=M(ti5urXV2v7hmb|j7 zMpe3QGV(IOoS-SfGJ#zk-&igGbdKcPJ68}8QHFa}eRX1w=1FsAGCRz@S$LI5v_ykX^^kmqx;1i4Yn)L&@*=;PFFfgKrDJzHs zPbu=QAi;ywL_H6Q;Hf=g$M}0Qu&LQ<3%a7WHdij`Nyir?!)lE|-@b#beDM^ZlL*c2 z&(Ebr1@+&>Y3fS(1)L(kOpNkKoWa&4z1c$WHm%aMrwDHC#h~5=vpKw}vqleBL7N6W z4VO>-bLOdbk>{ktyf_3QnU5C0XKRz@^!>dw$%-t>nD5XM@XW;Bw9#(F=y-4!e0M3> zsQN{5S7+Tt^`LS8k?8s*$ZjiH|L-sxzm3CE=F^05=jSqscRUuW`#M%scsm!DV9@!Tv12Oyy_%@gP#T{UA8PYhK5jks>(ha2w(M(IY;8UfXR}lF(hYoO>|l8i#r&29tEi%r*=D^05^_B zO=0EmjgVj+s3w=HbmBON*&I;~UUqecleUam&49T}Ch#<)b6 z>d6IK7kC*=^Px!Y7(;eod%#(85(vBx=@h$YC#1Oe=rbf;whv>SieE(A;6P-YFn9R` z3XS3nhQavH)3^}ZN0WSqOa1NZe-(W9Dry-l_iOi?fsDN!MwbCug?9kE-++qR zO);{!9rpwGcDx;!VU4i$4!>^!s3gkpJ$j%+WoZ_EU`k_y>sl@&M%-bV9oTujX~@u9 zXx6pXt)xihbu<};2Qv(;HInmyS${D7{OJ#&oi(y+gA>I(6uA#be!qJ-XIkOlL|C3P zwAoIVrB}&Q7y?ZvIkqljCMKn0oT&~FX1B!vsuJub&2tqw_Q4?Z$;jK)P2KR zEhb<$XROOxFoC%wJJnpt%&2@?b0KFsZ?Jt1+%Uxt@vz$x;Wf@;y&Y~iDbkJB4s{MJ zoR%MdDZg$W`a-rjNA!tU5BMge;+`jsJo^U8tz2?2gGrv7vmdX0w5}NN92)XUw^%M- z_eE0qDx70DTyv!?9`UivVysAY%zMX1XD^Lh!yu7WKk}&~r5bUVDWVoz7axRjYlwp5 z$aMedd`jv10UVal2tME4+!vv17ZMAO%|@Svi2U>^-)?QjRV7qScUhH{+u5DU1hcVQ z2!YB`PiOIKI9$u|9_#?_0C@wHonl58V3o#b->*md0v-j*chE|JhO`Zb zhh zEp&XiJ=h97g#=t*mtK8(umGN4u4?Zy?UWH&+Lw+dusjTGBe${Ugfz5Y;0yH~&YMR* z?8MhR&6X>oZznM5bg#CZt%|XkDN<*8VNd%3H0)HSNIz%obqr)dz>=4i;j}x~R_G$_Z~`un<(ZE$GJjv*xP|3mw=z_4ru zt~*IPh5O21g=2Gl(7>B<2~2uOMljXr*MT82Fq=-kSIS~#txrf!gkOTc#Msq&j%1244js|IHI2PXQYGtB=ZX%7r^n@fEDWT& z0{6L-^bnnU@!FH?(CX^jGtuyL@MA1*+h3>KSr1KF<7;L#-|+#H#00axiD5s`)!w&s zFGMPiR=jp(^%TD1xWK05Sqz$HhO1b8D{;}Qy&46MCsd#EY}|q$Q3!XDDwe?kNiQ&# zh|x+AxUGOa6ou)eRm^g|qBgcYGNr#QZ3#|PBoo)Q9i)&7Tn_*~QIAuCg8~9)C;iW^ zTt(qtr=Ya#$!ZLWZB#Qf*`pIzy3?9R@}|BU#1hp(*|X}{YTzr7&QPl36V%I5K^kKM z`)b^%{qOpxoR@MmDf&}|b^ht;Xx%&3j^831q}`I%Zudh)B+$9p^c&UEfzw!09NSkI zN3IH)&zOQs?wJorw)GLv2E49x;vOE?vOn8(xIO`e-)~-{nM{Zj{&kg+iy4)YJsgld zNzR=vE6nZpysG7*e@h{x11zYtTus2>rV8Xe4`pBawSt_tPgZ}i<7EWsVGZ9$C4cqK z(GtF2$Pm&)beC#JM}@wIVZkUPh0fk7xM_93n?)suIXy|{KdfJnJT7oSZR@ef@Q{i| zzZyaJoPCk#p_3QXi2}hnNw8|f_4L=;n(iMvu74y zFd#*SI3n?~obaKj4|t3ae0+iQdkc5^gLjy@3+WJXJS3aZ4^0!G8=@TpnO#%!3=9Y{ zOk69dQVm0v0bx~4XS6~~!w3E}MDaL#5fN4yX!{ON;v3D`XYc~W50?SeHsatNW_qAy zG;?pawV1&Gp~Raq`Y6K;ThZ4W0Oiu=k-eBpMS_X}>GMOy8%A34!Y!mRCIkY@{= z^B!=VW=R5jc>0jDk|u611H3C7nO#f==izjqB>|%>)7%PrwhKL{ANva}9I>tJLy7ug zDiUGz9}x~Y7}R7N=~z;|*jJM7Pk5z~K4({93vD!R z^lH|yA+IHhB=~^y_K-J_f*{o>c6T*L5l!PTQ7(?9JQuUdw|XS^wM59ystdf{HFU%R z(nIwyob-VEkUXex*sX`$?I>1lupB~#CjlueXrZ3@8O21@Q9TmAR#hR&VF?u_FPQvf!AStOUCml@(hWn-e=cN=Wd7@ofy z@_H*q+1ZFSOkQ??6I#hP@S?V*yK&aw(!?7#Drd==Vmqh-0wdE4s%VrJ`tXgo-zB5j z+_m)FVF{S%Ryt#(7xj@%h4!qmSK+l^9v(d}uG6C2(792M+>T5mL22DSs>qU^(Qer( z*C@rdM4wAkne{0`FaaYMSs^q$)}#v#7kSV%@5{hKzeZ~V*@6; z`ap;|;eOiNO;$aNR`Q#2Z@oBk^(4aI->6YI{!<+bS^zcXmo+9V5c7X8*&uDS3N5Zre)C(oHk z($WI)9M3O$`WMYQH$3B%qCSZD!Z*qb+ZjMpUs@R7;kfDQeU9*;J;>8<|9XbLObYd3 zegWT5dFwSPmtjsixBcZ+1vFU1u{9nxre!Y?pZ*)rh!Vm$-QLZh$<^d@#&u#O@nK_D zIfU^&w=(Dj0#chkR-j0kvusqveWZ#0LC|0nX#R1(@`Fq^5>)v#7kJ#5U;2>Oo=hTd z9C`1aGlhH2)P{_d?#1Md4}Wdk^VDt;v26i5Y{wO?`mbUPqwQ&|8%`jmi={7y?mA_+ zPty7)p9ml}-<^m-c)ZO*BKw>o;#cK3m@yUer2bZe1NlJl%!V4(le-5l(8`n3*4ssn zyUeK?kMOZL-mljK_dY$YS|n#YL1MXOidyyxHEXh)9_JSQs9G$&ogQ@(=%QB~GNWex zmTc}u5%~swny~0r;*OwJc_hN=^!*vKs!vr|{1q+BM|)Srh$0NO0hodB`TC<;z)h4K zx02cXQt}akN6U|z*Jr#99m=`|ful>=nvBjzE);C11}^4Py}k0>v$?$zMh)6^)|0YA zV5VTbQ1AHSg>u=J(tfavO61e^M%l^cg^TUYb@+N5x%5`>s@_fC83rB%snWk5B|b!q zmaRF-fK_m}AfB{N029x_N3lOWNfZrWWA&WOIGdac=f&%-KS!<1I*OEz}|r#+~5 z;@oc{?y40EKhP}Ca}|XB(&TJn!1b3SFShiRkE83hJSUQj|4i{r?ODhJFbmT`&+9?G zM}(vMU=+`wrY_8jwb$Aw%7#WKGTo*7FlqN4#pC?gMj%-c9t)MgcKArQY+Vm<6_oj# z7fN7diR+i_%MBR}68%jda<~1)-G>Z-LqFd8D!1Y_eUJLM*1HpdKqq&#em?h~G$dya zG*M6KHv<>)|gxx!=bOl|+zIdh8rt%&Lt_Wp#R2@_+NcYZB3x7n5YC3N|=V@}vo( zauS6=-eP1Q-9b}n3`Pb50I6#u-Mfd6`|yzn+tVx~)NmXga5PG?E$0|?KTSeB7sq)N z2H%KHHhCQ41ta&l{DZz>y!N2o>zk=P0`A+nID zZr*A5oGy%<8!G|#O&{B~mYQ;XD|{B(`Q2vpb+Hcxw_Rsv840&-k`Fz1qz&yx4gOvs zli z2#$e|Wyc6Z)tk%$Y(h;S(NGB3gHKd`Tz-#L)W}ws2MHE2k;#1?DFnS?`meR(o?aAF zhtHfA6n=(Q*7*T3u?hSAewy)eqB}s=^)B(6WAK0&6li-HIo+`Y%P+;66twzB17%7q|E@c2&1;uPp|woje3Bawxwgll)|gfw%`f z=neuc&Kdyl=%Ju@;+0ZRxj6h~&+mk2FF)c!{*pYvFhT!Qz5A{EBR`PjcK=BdQd+CT zGe8Npt$85u621*+E{}@)t9~bY_#-hs%OvLX(Wtn}v{W-a*_q8CV1~S41u-h)AUu*s z73?IRa0$)gVl9B9CnGNc(4sqvZQy|{Aaa(&iy!C*wF_F35Y^yCiGfC|Ajyp1*Zvrw z`^yTav`jHULbN=4uq7=;Uxj@}F2w&{S$q#9%0$3?rii=V#Uzz{HIeS4tDI9HKS5578OnQ zrpLDZOBfuQwnp4%EF~EB`Raf z=%BLI9h`nL-1t-rdzic>2)aUSk+y%8{LrH;`J^=Y2oGEllT!=|7iYb`10eEN?82MF0pH z=!PT`M1QLA1q6s7q|8|q)9GF9h^?_g{?q6Vq4WyE|T z@Q=GCa|uoK>>vnR7@Fb%q&kw7iZ3AKH~FnCr~`|K9}bb%1j(GJp-|#KMI$wy0AM|3 zG}QG1IY4oyOJL3_gio$}La`}d1``)3AjZ-uYJiF`C}SwLa13u5PmGcY$!|XZ@E!!{ zP>bFf&}q~uVfx2=z)Xi=mk16h*^GGT)?gyA4Y*6{aKBU=Y9KTG@V?rP2)~>`h|6@#zy$vA=Yu6%WPnkp zOB~2%l?S506K31MScBevq=p>;x{1VmE_Xj!k7i45gAyH0cv+Eh12D#D0ww3Al%AG9 zEDHMM|A)N#_km}DIwB}4rcl8t`}p_p>c9Uy_$3mM_Y6)#_*L{5dBjB? zp*<0hA77d5Ci;)I_;`gJRyhfI9`!QXYyesVxFnQ1kbE!3KNJD>wAe9hy8N~7=&Rxz zV9zQ9)Q`vP2xUC?b4DnoCf~uLVjS4ne|t0m@3SZ-j->{U=G|j6 zd~o%1BElo3V8VxO0`mF=bG0^v!Ekp8m`*3PfWaFnXAQUui+~IzmPGOAWwirg1`7s@ ze&YlacvC;3H(O{{Z}$;Lnh&LImFiZyUIR5kz1*M~o{w#CEiHSFubm2DM+G2zz4ZJp zW&(%2@Mg%k(Hh&Fo!WW{-046qC|I2lA%x5 zyVgKH&QAB!%Tf(J$F74XtJ<_mT}UH6ge*FEM=ol$FZvUTz#crSc0-2&4-@-8-?@MN zj+(zH2QD=|Cm`e?O6D8VA|=K^X!HPVx+p8_;Wau`8h&|N(gpxWY!|u#x#y3pZScUb zHj@!d2cQZ)IEVw}K#LyBCE;i{|AD_~NBuwJFWy(+og@cm-lqlWkOUpTc?*hz!>v8x zB^H46qSTL+C!dz&h+yeiwr_pa~*c9KJmL3-B~HH`HHguh-Zwx0D>Z zt9T+=mk#GnJ8i_p!D$n~ph#OP8>@gCwQ+Gq@hEpHS8P>(w9w6qD5aC>cEBYZ$lE z0M{}jfz6UE3N{UR4#^~-W6uJaO2PT1I(I@m*wk36Ai)FbYQby`8b!-558;n_&`>_LL*%LOnb5qc=sw4D9B)h0mpfu;5qdakyxTusA(nz8CZn)8rMbwSDy#+<4F zxGFL+fqMb->gb(lGp<&>LzeLrRy+UXj?vtVD}09l9^W-N#6xdHOOKNyq0o5<{30y_ zwCWI%Meu-Cs|C22XzK&tq|M2}gfUvLUAM53o@KCP^#9<1m+`5Ke+FeLvSoxw?8Y&K z!{TRutc?NIvZ#L~8FC5=xHL!H(ZtLa zxi~osz^j;hp5HUB2w!RAAMb-Y76wb6iN!buRW-0s9MNB-(%-SHS^x*2a2@!Z>_6EX zxBiIYNnkE@I`%(pWqZR!pQ9UYNThWA>%#;7XHjv)k$Y}a+7^ZIAtHy&%MY$|R{4b> zDX9uH`zhX6VDeD_tYAz3Kvpoy!`;eK_^zN{8NT~WaWw+zgl*tg;h-|Q`3#sBf%Slq zsJCJdND1hx-}r#UC$ut1z@kI+>$lTIQ3Iru&vLGt>b(8`Y2-Yk3;;({`97p}1gQxixLa_6dDv|_a|@_nGPDNA7Adknh#yK;h@hz|OgRMZ>xOWQ)S#vL z-JGNNWAZF0=>s4S7&X9cL7)!wAGDji7*<$hQ39ddH&h z$r&iKod97cnB9)4DpKB;u~$TQM>fIU1h(D`NQsjJL59ISa zKI*&a^#EDNbB*_+eitl6w*>%yqkjBjv}4?RJgI?xw{hNOkV6l^I1B`#32=K2+}@F~ zkK28yuA%*Lv}^dcAdbTghk=kJY52Ll+}%7QzvauqJRS znU81Y#M)4cu#%4ovVT!D^Acj1aR~iz=-glSN^_8*h7kc=1&M@af5~ zc;?l1cj&>R>qX$qKjYQik%BhtZS`4jTGsMGhW;IM*43a!wWez;3jeuPdb}@$@S_O}0jfJjJLx>BnGe8ab!9 zo7ZRGu%3{;0h+n~cc2aroPzpSINZrS(Uj$n6*Ec5=I*A#lNv)wEN*eN8LisU&U8c>mKv^^$k`OylRW$?Kj^!M^b zt_$Hx-2~79KLX`}v=PnyWY(e>C^logh-@V;AT|8~-)?TZM|lcZD2@u0M7S#)gy`f` zat%DU9&y=BG1IUhohU7X>0{6Q7f!5hq(4TyfB+%X7Gtp1iwc3^@is6eF!2KjI6(HG4!_cfk=Hyb2H*y+ z-c6AAug!mm=7W;Df3nd9uGKxO-#|JFR{zhCj$llSMPt+M{|%&Lj++LA?+~9T#a_kCSB1 z9%v*TJmM(|FKp8QRGC*eZx8jne|2qxJq32mx#=?;<%ifv4_RBUoD|(pL1uuhF<*(L z2A^alCX(k_w8vIaahVFX@L47g%KRxq@WiKCbJF8bk*kNJWKn{!t`~e3myu&yn_>{R zA0t`532k6saQ*WOHujXDG7P_@KfBvcq`KsC04S$9OJIao&YRQ+U%4iM4zq){6Gh5X z)|h%q;JyK}E9t$JK9CwmE} zy^AA*#lcD>amC|Kpd0IS*3;0U5zCnw;h<>VilLK5un8`LPA9_l-y)yB|4HRg5PI!? zOL+KRh;D^QSe#LEW_g&c*zkIGgpI~_5XJZ8I>LE>2*9*0UoX)08vcE;|1Te8fF4?J zgtv!?0WlrhJjNgJ4wAGpMQ$e9vJ%J*(Rl>bi?1HNuiyMDyyK0(#y{a5wn_hlci?`x z2ZwjGCm`dx%BlIyzF`#v@Vbkw${R4~9qzpZfe^Mgd8zGSq+!!Je|*|O{f$&tiU7@Q ztq$R}uTZwHq*5tWDq7_vjxi>U2<`^`8~^vXn~c)jf*9HF8MysK0xTIA-x$5HZSmEv zTG4q!s(J&URwU4%;q8THtM$-w#i48%;X`hVCD&YtBc8+=XWbCJ zE>aUZ(a$~?MZsUe%5QB46943OBx1V%FS#A!HK%wxuvcKnOUutwECB|@9He$*^P2~z z*EpLJ2)R^&>|qDU4`%D5`kx%Q!=t>2(B&;M2_;%)tL(FqOV5Di zW~jS&^a!`+$ynA)8NE51N1x?zPo8W)YS%{|b=9u;iI)C;@6%yFQzV~gxpW+*X{nYP zq%;MRO0XVc(ULplE0u_CL#;UIIi%nm75>^tpRkK(tMVEB+aRm*cyOm>AGf}d9OL?& z6NY^Lrmq+KXJPgN0OP&PJ)JdWQIX#R_Gr#+2Jx>$+hLDzY0{S|ZZ(6i(>K{;es`#^ zdQ7DOOX>gIcST;4-bPz%ixaQLJMez0I4F<8l8b3_mW1WGkVw?g2y;)Kn4l#l#(2!C><4wSnu4%> z&G)aTD-JTV?yfC@g#W(7zyhkHw+Tr8f}m>(eXh}_ZE`g&oltYYu`a7*IK5Ek>7w2Tzu5NsT8gYbDa3ouLjK$qyEL)Jm^NKnp z=x^8KUEi;3&CVKpRrUo}PK()ml9P zXsh6WPMQnEVQ@r1MIr~~AlGdY>8zRX=!Dm%IB%(1erj+}!we)SnK9{ZFr^QQIOa+J zl}bMYkC2>kM8Z(^c;zp2jyO=#S48&()mit`f>XqMtjCSUb){t0ll9R?QeHVx+y@sC zmYm8sNXO)Ih=BsZ742jLY$mFs=AltWHE13kZC4a>m)je}##2P*XxIWfP&WAmk?SQ2 zsF8mlpHh;<(^m1;U@NJ`w(mqp3i?>PHS&vDaM(vuq#($Z=;wPm;?TZznn7~0OY87v zA0R3RIU89{a|YYD#!n60j6&H<0a?%U)ytcv?YDz|kV#^-M>N zNXfdBP&j;mmI_(*24I8XoZ&OO3O`bg*KN#e@E{F~0DvoDB7HM7mJ7*L-@n^qPgjL41a8Emo!_Q4)7kd8WmQ3P|)o zXh`Jtd>DTKZ5|783P4QT=hz@5*#t z5cP7C`-Ep#ILJaz-{HRaVfK1miFJ5_@miBLF)T_pp6Cm&aqE0LNA2$Z!U z_&%r2gYUqZ@!41wZNuzE$DIO5LyqhTCn{Kn`TwcIPR$Q&7^p zPg1KrdFpMAe9qUX`*BQ&639uXRph*1BRq%Ij^HM3$|263f9HD?j$Hh~_mKE8Y6bWn zo^t=n_ejg6Ye=5f@fx+9dN5saBO!i` zAT{PvS<^U0hZ)VZ5$aoNqE$d$Nae9N80D*4AtoE14}z5%`khruoq_4n)8fEN40A2^ zpL@_b&+}Nf3?G!k*NZ=K zyU*yw^@do%nRzD=^2-Y*Y!MhqZR0WI`mpkYn5_O&m`6C3+o(%tJyP{(U672Lp5b+4 zqQKCM2b)1tJ-t0H^{3c%f}zIY85kB+-X;qDnbzjl9=WCJ$QFajJFCP`g_$|Z7`E@% z-E^H(2fxVeIiwian!|eBIhuHMgXkBBb^y+!b!bk_8E_BeVKT+ARlPzz_JM0%gMCGO z^igT@(n_AIxPhJLYK%No28BqYyBuae>@B- z_r|lPvr^+NtyP)xLHQ|lbSWV$%vhYRMF~59gJ5GTTy~1kd)MZ@wWGW5=sa>OgpqWz zW2R_0he%{SXgb@%`5d90H~MeWgn$3CH^RTKn5va*^uF?ulX{EEDYo=YICo2+_b5ej zw+l21^P&V9`p`SC^;LJoL5ZFY>4Sm~&yCt1iGKWqj3|0y9&Z^u8q0faO!`zgRl`>b z2l92?nB&XK97~$0l0d-yz(n~6_rpY$yC@x;GxJA#Bvg~Cg>ha^@bHYVtzFRc;SZWf z-594*mPL8kz6#}o>~5c;TxFxNF?%R`r?kHUHyrzRpv}FkBzlX)=nHAPq0a|Zhd8^r zWoGXkwI>$|f^l{grGz?zo7?0#Wr%y=$>p^(a1sLyQmTKs2CIoWB)s0XDRL4tgk!Bz z&6F-H%5c97id8)kb!a0n3Ur8j{%nkuM4Wx56WjTun{SSoOE}zBEC_=r1WhkEKI{yB z;hpERyKS=n^TO)}O-o+d17olCZ>WTeC{e>yjwTM$cH7_8B0TPnfo|SUA(US={`!DM z?&qh!SO7iqFzHA`ck`k+u;nysmO`!u)Qjwx%5>{Z_R$R{4Cl@f}?<= zw0N)fCQTm$F^P3AYM0{#RcRevWC>`wQn!2{^qS@)9bJNaN6y>5WZ8Lto-!9u_!pk7 zEn}E0Exw8VjOxOD^yiTB@6zF)lONF(q?G>tLA^!5?=*^oO9sV4Co>%Y;s1rx0leM{ zXX{4>NXn5#?PkU-yz`w;o+4-UmhyYwG|EYZ&)!KdRXX^qj|j;BQ<81}x}#5-zA5lO6)2uhcqM-~l1IuhNsqrfDzDNv(`sSrrq3 zc)+OT1{A!Bpn!8vkuh!_R?@hehd+6S8%dEj@ho?UT)}CZhznky9#uh(b4QZ~-Mocq z-H1`0M?S*y%Z~NG06^CN0RW*xy#M|$07%4sM24jP**w~3n(NW>nS~g)ubDp=YmVf_MJL!jAWQP`Apqmr{^lP|9p0$(JakAi4 z0oeaNkHm5w1tV{}+*_~|MO9E%lyhy|0v7jKXoRmH2olkskL1%Y;VWa>Ji_gRrxufo zJ*D)POo`+OU|8nsIT`B4{PPC7i$HXf6)qdEM!U+kaQOvgyILkn1vI$PL{zAZvAG;&V`A}WxEs!utT<~^XrFfaC%)_IeuA}FM)ipoM zBFTA2cJ~j}H^tIjt=aSV$?6UQ(zHZGE-s6Cccg=wsGN{A`AIP1PSk>SwK;w|&D^6X zUR&nJxRCBVChkOUx)fh(9;)kCXCd!Q;&egZbW}$?&KJBvGD-2;I->$*85W~_Fz=bJ z$(i*!EV&G4DzoG)P|a76nh{a+z}6TY=^%tu zl~HZu0tY(Kkmy7N*B3RkPPV7%qxqUJY8f+!IX%k}U>7MxeSWaE5QN3w%Zut$Nb;c+ z92VlWa!CBi1HeYC=gl>+ssC}U90TEWkJ9O;4%94+N}KaGkW9(qT$M^$46oyq1;2X{ z=Pab!uz~jd;oK=+FuzYI_Kys3wi3}gV$#Wu;$`=E8GI}{1;o>Y{^c32BBo)TH~mG! zGi#ZaIy?@dy*LBcBD(byVZXdf1t2Fqd~r+(yx}*D=eP;_o1n#EPB{Rf(XyMTTfAv_ zWcC$sgz--MCU9as`OOAO6p{G8eb1i*czAnUvh$aUyrVdu6lY?y08K2^NOwo7(!oW{G>a05b|ZwbL;%l}8& zTgO$ob?e`Bmvl);cc-)p($cbM>5>wpkrqKhIwTa3STqX(X{1xSq(i!;@tw=P&wieB z&a?OVz5nbF;06}=y6-vX7~{IW7jgtuc>T-$QtRTcD0zP|K3)tw(r_Tw@ZjnCv!ob;}Q`%L8E4xOk-cN|*V& z?D>O9?vJ#6?fZl+Djy9E9wV)kah-3oD>P@h%w;YZZj5QdPqC6`f$ChpE#%ouV$W%y zNlm&OZXQgY)8?;>@zNbCBkmaOi6YZW+aTV;)hpL@2}lEuKN~0+3u0LYq~gygN$ih+ zI1*wO)pCxun*^p8{EuhsO?>XIuym$9efhI0%fJ7OWmD_1!6uAwf`9m_$=g9IhWsq^ z;s_txc3crbDe6bG&bCRR^6Jn}@MM(L$g5$}n)X(}w4fR?dtD_|a1W0=27t$yLVr2! zPzp(GY)QS-$(jat_PCCo5s4tp(CX{s@4%$E=hJ9nBN}G)_}BC%FszBp6D?jW_{$6P zKcyiD{pL0kq5D@}cic~5&j8tZqL$1o@L8gcE@qm!eZz}262|=Sf9iAaGZK{KGpz;f zCQp0XQhy4(x5lpR=;3*RR}u@D)mU4vRdq~|k?sL$Zg%z>0)()l&>UMFm1TXk0`?&L z>6rckjv9m{1KANZuNw1)MQ!xS$kC{pbvms|rC5;o)TUvSkvnWa^vej{bMRLQ;nfM6 z)>p?RanK>Sjg$^3H4?g{$;M5NCSRXz?2;x2tGq=({)<^;4)wjPAb7gZM$H#s!G@Rt*rr=37lzzvj z9me>4F6u1JRWWqj#5M*nh>cDx z(cv1HavARIV6 z0R}Emiv+Jz^Tw@L(b<4sB@K?4J`(MWzMC%n6F-{-9;9~Apox4?`ekp6rTD_cqcH=iAPKGcwh*O=1x8~E{M_^=~Mjk{uF`%O?VRBp@Wo{bcx zly5E8Xzw9dWQ&0~*fYJi%3z{e+M}0wg<-sP6nbjul}%1n4n7G_8rg_3!ZZ=I zTn8$5EBC5z6yKT=^mfVD?PtG*E7lGh=Xp@v`hBPPg-;t zm^SNRgvsL;f23RiQA4J7(czw-SMEQ}O92|*{efT4Zuai8y@Hcwr(=pPOp?KIdLUj+ zyhr>qaLo1`wKH_-VVRQBJ^KeKl8ihG|M)Am&}bW)?xxbPV25G{3x{p&&Z(JFJrb{ZTbQKa2k0KB^s1&uZMOvOMbCvW81!^HGHfw+aWF!mmQ z#qO`*M4__+<%BVEH2Mi3`Yr~nW=WGZz&)2duJ&&MbiC^a`=7zdfJDd($I(=iRnG2B zC8c4ALbO|6baMfrWu0(nq>b7*qx;)^#i41}z2e{Rq>3SZanYuV!|QmN3|PwcN94J5 zmm|4XSd=kcZ>g-u@pHH_a3T$@#DZs2_?JRqUbAY&{(I3R=`N_D*? zce=Kh1U6xJFa`3_&}4ARlg>SwP5)ZPma>%`{?ce&>_IV9+2D54Bw*M2(BGii#_ZxB zDNlh=3=8&GY(i|01qSrrztBDH9w-+*ZF7Lr_!^o4{I(DXf3)B_uPrcT*W-5k22{hP z*7t@2_-H>x=Z@5>ShcBm&%G^ioxSr?t8&g;sVAoCxm`sInld$d{P+CGVht-01z}aw zVxCeW_+5M(YVQ3WVkQhgaxgHYHQ3aBI218(8ZV6{F4I z5hkEQ95BK-E(6w(Oe^w$s!5hR`R+aH@#{RoIXQg2)GTK6ZUDi>`US$q%iT4ejRj&W zo)EwQYnV7>+)jqn4M+!n6J)5d?O*{Dp&rWg1e0Q|xka1hNf`XH4*9{u;wt0wK#*!x ze#WN@#D*p1^;<5s+$!F0v8q<`gKKOsWZXALI&f;D^MtKAj$Xzn&oWil2szEqB}&ke zep07*$(!`zZe6}s)IMlAUBX@WwsmP4{|cf;^jlps%kRN9z^t?qg%=1J)Z78GVnccv z&Xk9866E6%H4Hu*tf6F-;Mi(N@W`45-o#_16dAmdB!U)S5Z`d5X9@>-QR*G?ao;*e zy+i`x5t>rC>v&P>?j1`vcd9RjQur7Gl=1<6#Fv`aR7Pr08lI%|ZeL&AeQQ|pBH0QdQe$OBoGlV@-J%#|4#f%___Ocwn3$*}0VCJCOI6 znAW9YLc|iLB`6nolpR@Ry;?*vFG=(Z5R6&V z#=bNS^eZKH?fpIwOa_S&IB-N%4a+WV{o%@L*-t@NY8jvS%qq*fu*$(=dp|TJ`BE58 zo8e4jQRDuE($y;YvfXFmljtu1oYHVS2BsJ`B$!&$@SGeH-6C{*NxiJXd?C{rd+ov; z0#15j5@z2B!Tc72Yi@MJM;K(O+=J&FsFD5G>lM^K_O@^BG8IO;eh6qj=Hk|>^N1Z% zsVq5%uUj5fL7;w89KuJmv#}TY4#(qoV@IzEJqi-_%g?4mBYs4;D+L_#vj)3fpkyST z=YV^AX`}HW_!0*#4YZ`{bPY}rg$uxk(9}@>kiZyZNt1#>C~h!K1!z z{DIv7gx$7`mhhpF$g-^IatoD`C=bDGPWUeri4l;vJrdHeE6oshw}W1< zcVh8BmL1HNi{^()bI-O2QTsoRku9c%WvCeo6k z4bW{CLNQswFGa~l^V?L)7%W|2Zn3CLORs4abR4c1V<$4x`61fcbCAh=NOu} z)v6%>^mF|sPFtjrTf$7V=*5WP$27{+Z=`byF6)7{_P$;vE4~F}XBVZQ0(2=gVH$ZX z?2;l^Y@A`u>?H*cDj^Z{KCv0Xk0i~1!np?n3ba8b4oUs~>B_C}_4nDK1=w zfcB|~SuLaBfS#3FC7}$23)=yE*U#(oa4#xbmCvJU_fzMG&7r~Ii}OLva5_%TMP>9H zxJd7Hmd%lS2GlW@v^NV7wFq;v{{B!;$AOdzB*(TR4;ACPl8wD>w>H>Ar+^eq>&1Hz zzXCgYm7M7(FF+Sb9(!2WijzNKHy(;v8PZWVsAo4C#9YtX zYGU)q8#tJt%NAm~xd-PE-G|QeSHQPTlJX;{M_@BIKLzL%Ith*6t!YO#gKmMYR<1l1 z2me=wP`kLXNnY}ITyd;y)F@m!9kog|jVT`WBf1}U6;CN9FLEhrfCdpFcR0L`N|Z8O zx^h3o`4J$IxCUQ=sf+qOTFY*Cv~|%*v=R$Cn3k-}ho{M3y%`GB79>7Wm_UW0)f+p| zNv|Vgu2Y6srJoeX-puaQ%+*hKyqODyJGc~#M>RKgvM&L{(CpD8zbBSV(FdlD#A|dY z=Hg;jDK4U66Fh}$N1%P63kTw;Kq{q+)E{;v8@gap0C|Lx- zp79ED$%7R8oq|hyKB)+pW||+G)y9DPInW-B0T|U$0m!l3yZdr?Mu_$&m{%77HHX-K zS0IJcBTXMYF}58)Tx7n!Da21iV-qxMbTXEgu0 z^Y~}~u@{A(q~&WJ$O@hmXTp&9I!=v*8<3ZxmOy0;y2WgeY@Br?)iW?q2(MWKRk3h9 zi$AAoG}-Y73MwhhU=?ady3+U-w0D~z&W7g7JMCg?rb3V>>^MGs?tb(6AxkajCihB+0l=<*q-K5$ZH8v7Ii#oIuUs-0KWy-VrBZf7<{2(HVX+>IA7eiNs~G#z^&7+ zf3P2@X+t7+ucH<$Bb<|7nm@qXFU5|gAmzw(rP6dq;s7I8@>Yo}MDy5FEE&=57-&=O zK1J#Gk_H?=-D{u*dVZmbk8%Re=Ar_R&EAF`;xL!!JxpGw93MaXKu-3Net`^n)c5t+ zCS_PuD&x(pG)IN*(a^`4fHgx9(^|$MF&iRg5?q^wHgh&%=%%_rbv_F?`JjGK=b%aA z0I*1IjvXMIs=1cU1g|i=-d?O>4nE3|w=0tX``J;gAN^OLFnpAHvkJ+D z37G`2tGTzjwNlzcb9kHTs0I6)09Z$t7=?H9pT^wTnkf7WjlnI1g3hVWf#6v~BVXZ8 z^MLRyt4%ligrdMh0>gSB&3(fzZ>JEnsh-?IjTP#gKW7tBgp($7=pH~FzcXBYZ(vms zmqO#T2lofi1w&c2^8GJBQ&CfMiePuflOrOQSBEn}mf(5eS z3N*E-&-={VHxvFH*H zKC(+GC%oPZOd^{zVEqW`PlGv3kJz#AeXpeqg+|RV2>oo!SOgFms>1KYYm1cN5mf*X z@Y2eu#{s}^n<&^9X0IJ394BK8ke%dw_k$u z-sd2*AoAUq?aGv@D#H!MKsF3$;=K_49x0-;nG)8`5t@KJt3yx&7ceO&F^0j5m@NQf zVq?X3rv{xmT~Vp9Hi6i_CH>{{cD$+&rfH-@G$UV26APk!!2SgCUpqdan@y9M_$Q2hC4S5^3ad1kWTKumn|zjiSA8PzQOZbnMZ?l(gP zr5s1;QSL80ALz36C#lzKz|!|!oXeNmy@x6Jso8-Ha)aTgm5-$WDp5_xh5S#q9#B|# zBeS`ELZx@TM8Up2=^LK|dYHJ;bvZY%rWvTE-|gQVD4T=JM0_D7W)-J zYWW;cE60x_(OyV9vU8SS!&5r5aT=!+M`sw^yv>C^nGkGL6Bx--HcN56B6(Uv3hCb% zwJLOlte8F@$yF39S>ni2z}8;{p<&Cu;?0I7k2tfK_gcZsLI24hc(_x(fI`I$@=BujU#3ridTXh2Pc&#Zlst;NAzo{ zAaR|TC+;72@LZZ!?1A0&WzwfmMmKQIKDn$VMH_^NB&MpR*Wp9q-I^EcvIa02wLQ@A z8?+_L72{e>qXNiGSx6&d#wdgixo^^n+zs-io-T`Yuh&+UNbKZMEg0FceF`;l_5R5J zNoZSt)1}c6??SZ(@+F)jm4x|f8&v9M9SUA2`JZ)Iwz}$UO0vNt=)=7*`EB3jdmEf` zXz+yesTuXRpl@Q0aeJ2N3<>DB-c>^2vUr4&(2{S|ue0jeoAkz*+&=vYr0Sx5iXV3& zDMA6y7mHwVPu+t9y&B`@U;MDQY9N&m{&?JFTP zmo9Zpp=QWy(NCeVSTn__SB);H=HwH|DcB1>`;z;a9p|BLBUB}U8-a%d>Kgzx0UHj$ zbEDiEZzHRNo2);HG+=Lmq|tEXzUViPpEcgm4xh-@8`h1IhWz0BgsM_fArmmX#K{~f zcE1?N+#-LVuM2fn+-5Vq1TzExC#lQ)MvEz$O2^v=GA&vh1TMYa4Q9CYdpkp6dn7tK zB}3Ck7Ka)1sXt<%t`N7zuFf4E2y)Knq<5C*{*&avm3;Y|F;5y!c{1^WbTDUi0! zlH-p*EExAIKNaY>X}{!;ZueW7T)G?&;&yq{^GWf`P%ccqqh7z%kFUw*H-|)x!0pb2 zSS=d2E(W%bRI9+N{_qW{llvzmhS(BUXs29rvu51Iuy?{n4)4(?M#pz}X&>*ILZ!L; zmMDnrgU%KLq(4a~aXbz`r1WDbZFhe$pzMDGs(rt?4-GHCb6UV!EW|!xB!zu#C%f{& z^Q&UUR|wmHRPf7t%*emU&k{F5I_tK|CuuqU_(wG6s;iS`w@H^Ol=@~An55i>KNY(?N}Tx}-`YZvB;8k!y6mFm03j$ZH z^p)$MeGBCmlpAbbeb=)77y+aV4)m$a74xx{X}7h=3HN9S_TZzXePo?qftTUW1q?m9KRjNP!J_dB2s-U;}Z5rN?()N+A*eN0qZJdG= z4BEW3>=}s^{}piCMz*$9|6|oC8rZKIyPce$iCG4h$O<4sMM?;WXIoV)*h+zBO9`7D zEsgW7R{n%wVf946sAA$o?nhHQZcOwlOGsaQ6>FpZGGLa-hoOKnt$1?Jlz zTj7+g(e(J7&7gbR1QOTre3~s045EB=BZ;SN~{+ z&mc$AG#Ezf2@|}_>U-Hm96+`M9IgTQuRQSBEq&b7u?cau(rIdeM~Tg$ZA>$yxMoDo zIl_EA&BPqQ7a;Z#hB>McT}UMFSWAT1d&dEvL@3=V_Xg#0nb6zI`R;` z)ax!ct=iiB98%k`cRF4qK3kJz`z7eSCSTn>^T%iGbu#Rk`XoT^lSS;t%)_)xAZbe6&hyQ< zeq04NKsbKTwk7JxJU}|H4e?mUirNK-FSt8->noA^izJ5GH7Cemx`;Yxp&81Pombe} zif@XnD2d^5@NjZNxiNBZ$a!UKk6q%@Z>A)MnLTs>F0Jj&i_RrV+v5PNGws+>05B0o zECXXjnuJ`s1~5zB3MDf>2*F*!*j}a%!=d<4&9*0F#_mP?)oivvgQ3{b<>)CzH9E*F z+W^L_rkB4SoVSfHSYBC(9hht3QJwtQcM-PIPzNo^@X5bTtyq*RGv^5t0SHk z(BvuG?ivjGnr+0sn5~$068Cbu#W2Z96*p64CYD!la`vkd8Qkk7*FUY*Yp_P;|C3defoDzL?0`7+bhDdjsb!iMAcnJJff|lChI%M(^ zZ#Uvukf8nvh1Y(UE!hm|Wa#PAv+Z}Ama|5VMKxjuH5DLhY`%U640DbyS=Tiuy%8=} zGno4LZ{SRNZ(x*^3vGgX+VfzbdeSrb-fwp|nE~NBDe(q`zA+q)-8lQz-00cF?`8z{T~Lu6OX!1%!?zMWphlB zi$Wuy5EKE5xxQee`+wZ3{`{g0YoPaVAw}A~kBA39V?yE=mm*cfB9JT0fx$eOC2ax*1+1lT4?c+e z(7AixgL7&}`PfjIi>mE8L2T>k7_&Zzc;;#xP;sz%Hmd#nX%a-8Yi%@tL2~J#;lhyg zuemSz!za~%<;~%6^wpgJMe0X(@KFyv>$<(?!@6N8Fe`Ja+js(hpe8|-19+8Eeue16 zU*FhcIl2SS+L^GFbJmAn0N-%QWb4ib;~Gy;PoLG9QL**EMq=ST`~^Y@sg(~t5pH~~ z(F^jfcjpF*JySQ*pk@M$0+P=_li~zz^+cB401^xDpwtv}k!g$gcY7?3e_>1DWES4r z4-(X6Ke$0k!o-Bv5Bwbgj!UCE{L<0|tpsUPBX!aM>y02>UwU3)iw}aOITYd={da_G3n=cgi1p zhl|(TjjxMMe3jN-3usL(7)(`jNEXBD>;}vweS*F8_7*Hn%q408y(@gxqeE3Hx27LQ{LV?7g z6M@v^v6pH6n|*CIg)1wSe+9Txa7RA+LB4{c>hz0^uO8gbl}H60Fm{L-aQGO znty#SyFB120QY_Qmh@3K16M%o2B^z);L7SZ-1mLKIH3r5qAio#k^cG)yJUn(Dwxmi zl5{!RMh4P#|2cQqq;@Yl;O zdfx)K{sMLiQhMDtd8)$JV083OfuO%{iT?Fl|NVn(2_%kR!1eeB!rK?zJ@;RKm?{dL z?*&kBf1U7;s1b3T(WWYKox=)j8amq(C6UX+b#B(c^gs6Di1!Z|N6Rma z+D?l~pao-PY&n&uCkp$g_3d}7Z%jDQ8-i>VO%(?7yEA=B64L^dk7FQ>;)rD)Ol-#i zkGCNU9sI@aSu)(oaDK;7mJQIjXagwfvHzb<#9Reau;SQ(yVV%gGl^aIhh$??g~k8% z_x^dCb7GE-B2m|Ia#$Gsd13$0r{#bD4^OsHbc;@jOt1dB?tk3_|F0j=*&}h-60Pb_ z_FVqIe#^h#BY%9HosT(;;-zXLC7k*H^B()_XJr$D+n|APOrPbSjPn2V#>%J?J*~?( z;Gx8K+tSKc(Wo<2`#Lobg2W2I>OB*95(nOS84`jNDZhFM$QZLx1`lB&2T zE!e#C*r)Lj6i!88*u#E;LMieb3Py#*@PB>6jR-9SP>lp0v>UvD7mNfCU->b=RQdP)ac~rZ0f{VA6jkU`bv`>ivM~g>36iBW?OCz>#(5h+B8I(p)u}S=09Rd0LfkiUdcSzzK+yz>TDJPACQ+Gpi#2Del=xwK-aHC;8v5M1Y^gF$rAZ;s&~M z#ikzyn4Y{*?EzNo>=43jD^eTv);`sRfh_3-=~W&~aD~CTS806o;NU~rT@@;25uj>; zftt9_^iu2I6MH{qCLB)T5Sf|nxA39(b?S4l9u@)MxYaOL0M2nkKHA+hi?SQ;xS!|u zy^bu3hkQZDNe6Qmpvu|mjR?N(jDCta;|wto|MS%@LL&UKM^OB)4;4aVng)b?o~CC4 z2sNB)a0;ra<7pNg;=j$3EQ&_ht=Im}WET8C*RsU`6z~oTsr%f(M**-N=5$t@r5j+3 zAr>^2tL=ONj~xac?vms|oQ;1&JXxqNf?y{uf~GmsU|elDsgL&d03D8;5ds5EAuts3 z9X)702ePTcQgF!hCCC4tzxZDZ+zjRugsPb`g4y49>c5_q^0qrqfed&Y-1VQlL9k9L zV=}^^)Rlw#px8!%eQ90i8*z9r1l)%c`t8BL>_Pg3=O?4;;{g6)r}KN42c~}oA;%d( zS}B`hx^Yl$fKRG@rvRfOo1h7h9M;-B|L(q*K^j*v&9i$>JuCmOU+~9EG2NMhS`@S^^H1Jp*_TB(YLkjB|=pQTk zf$YEePAL_6P?bw)G>{|HIr9RJMA;5ttxm$(7{f=yAUI&WP>Th2)T<-%70tLfcQ$%k z)Mfc0aEj0-?{(1zX!CMS3%j?+Tm_I;b#RFI;<7Sb-8{9 z039#=oUiCw604n6wkCF;4XxC*+&@dqE&mdX(;D54!}0DK_8_%qpR$!cX#Nc#0>Tdm z%T%C=n*kQvl5)F)+-d6(I3uG8@Q9p@>OovK3?wwM8V==7c&2QF!dl=I^v!&RJf8}r zLR#O|Tj`f3I;(klbO=n37yzTeYgb;yPNvW{0b9`i>GS439irVw0pGv@TT3$V-fz2h241qyF8C`(s+8tUChAN9d;v;1 zN;cJBePolr0HFa^5Pa|o2QZL@2>kUh{;v;;;$%AVf)74W@XP>!)naN+DxbMLB1=kv z7{Ca?Av%O)KiLa7=@xUsX*2;ern@T>#6)1t*tX5VbJF1~B40v>{N=po3GK{t;1p4M zPKNn<5`V;|=%%s3LQ8lI~$VM*)Q-(oyB%U@nlIn8($Kf z47Nai*D*@{5vITN6j0s}s|fA^Gk-*bO7dFQp}G0ah%%23PxE!9_gbPJR^<)=rfz{W zhN?>-grwL;mAD+&w|<|jYuC}0I6~Z z8;s{9G1X;$dl-8uTWJT-y_?F5#n8vjmYFpB&cT5qw;(*hD`*n9SS$7fr0>k&@1mO$ zuLHga?J1a&JXI`Ta;OI)8^P-4l_qh(f*;@v?5ZuDB6yXmZj=7*Y#S6E`)`SAbpeI~ zkMk4Z9Yxq(bCEsk1>C#h+HeIVypZybZ6l8s1fZo97E|Xrm##uUYGtNvp0O(~1Sp=4 z$RYGFYQ}L817ew_=!(~0d;0Q#1 zo`k%V1|?aL57t0iog9N<#v$4!AJ2Dy_J*HH4mwS}vYxHDfm=%p{6Z_J7^UR|N%DHe zu7J|B_vrLR{k=S;kg{K1zy5QQL#yL6Py}0 z4jKrXm^(&b4MJVdjU!lLoREQIm_lN&Yjn5BXq9!2Gv2!A2=?LXy5fex7^l8amkxlR zKz+W0D6nwrjcu#Jf+7mS>2cgQ-oJ!ATE2w$6t}>D?QmjG*8+(KT9)^KwwM{QpYbwE zLg73fAT1;?q85<}`zvbm&!2u>D;NI$ERst*hDLG>PH513H_U5;@C8hj8>~&mc9qZcL$Gl*i_>5ifO{KGG_68u=Ehg=pqn^Je$#Um|?u~nXu1e%(6F}1B=!N z>1DrukYZoRi}qz+@>x^oP4EV?gn?tjVQ1<3T04AjtNxf8ksKW;(hN@F5OQ`Oa0t-@ zp5=gsGhUD|lvoc`;U#AlwR+$WYMR=&1@clqcK|Hfm|dimNufB?hxxvW^60&i_;Htg zK5voYiTG-lx7DbsNTSByJKAJU?+o*FajaL9HqOD%}7jD z^wpj(N0#t|3W8KWj5NCX=tuIKIIk0{H;F8GR5wTW%MGW)MAv!*y#*M{eFfy~E4ppX zx}NS%^3=Fpc6?5iJUR#Oc2)00`jlA7CiBY{MD(Xil{Zbl0OmLX%J3G&dqo&M%>RCy zKP(%f<|HgH{J=>CvSw=*oiX2C*=Bh919vE6qMKO1DNDxQp~tqhx7+om{v^y^%_-@8 z`h7DHRld`i2gBE$Q`8g8=8WtGxJp_-pO!qKEXBF;+cFv1WpSt|n6C;{4ip$TEw1v; zCvL&D&&4#2d?t1p#!ZZ~r6P+ZHK9fdhCbyO^)xP>XNGbqpS4zgkP-aON%unS)JFs5@}Mp2`mhKq=C_0w!qpECQe ziZP~U>uxx3EfPdpYnzOuogukA8?aiRL~0d-R`v5vRtQtjJhdvk0}(KnZG=pH99!<~ zO}5J7qe|+eBw4d>?L|r|-L?s{MZC?pZ5ePdUaTNJ=)VErqi86ypJG72Ro;Wy<=Wgy zrAoDu)_%KWQqe(M)hID9^^~Z7bN$TyNu+^_tkmnH1E_&2ccB;lMy@n_m8kiAms_4; z`vqse30H`Y2Ites)Lq$h7=Z^=Y6NJXGDs65$8Uk!r-J=_wAMpr+Y|I8 z)ZMSO%-_M5KzJD~69A>F8vad>`;TWb9Ys2^FI|@d&-n0W22H)?od`(c2L!Zqw8JQs za8xCSe`-MEDY+sCvL1TdkOq4o*tAEkWN)ITZJaQ_$XE@u#gjaFqJCf1Gzd$IGRJrfPl_z#FLawD}Oc&S+!vdOLgb&WugABx`9f z9P&|k)0IdIX+Ht(I`&as8;#L)#-#N(25oo_z${bMcx(g!0|xLWHSM%zqfwjB)@hGaNeIBjkTNoECWW*%+CC0 z?AY7Ntnd)p%o<`XEt{toKfVlGpp|I4f4Ahbo?HfDkA7&7gq)Huq=sCB)A}wQ)GV-& zFI!<@pKH@EvO5U>-EM{A}R}(;{wT~)k3~j%DX%w&-riz(@EpS&@ ztwJ{PEoq7ZI7!nss9%3S%na(1r`po>iz2=KPB&;+z+NM4M-{0&T7qY5?`q1n~(<)CvQb2+qA8OYC#mZS>{vwJa!p0M0*VA zm74uM?d`JWrhS+{m~C%xwkuh9_MdW1U;-nUPBFCdjW?Kc6Ng~;A7TV)@EX(u-8U6e zg8w-XQj%Jfk{+)p{-nsTNV3bSdwc+_5akoi=iO-Aw1(Ss z;X=*SeZ%Uo8n1n1HmI2k7f;>lyX<>%?V}KmP~9R1v*(j9c$wbfH<|L2PGZxlo2lB& zBU^b>uP{8km_z*ONwYbe6Z~1NwGsPg$`?Se*VTXc=tgnKN0wzJM!+l&y%fM-?11HCzDhh3wf_)npY}ivZ=dZ0btd0% z*0-0yLHGo4!G=WP^bV0y+udJE_8t9X5k5;!0apg|Cfn#o?fR46*yi=NYIi45_q7i2 zre3a#x8bkw{LxZN!ffCBFBZUmYqI^(Inrhdgr2&#{mBm5#-+4&GY#q$8P5+@&9H4l zis!{l1CWWEM-7&l=<61z*gslEk>GU-H@cQQue)xP@=TO1IO3JmY$x}MafNI+yz?(K zGR-%{Ru&!Ym9bq{T6l8d4MWgS!!GFMG|n19(#|PA_3gD zUYi3KE$fOztNt`84sNM3V`-?^z2TT&=vW4nKKiDRy-dW_(ua6XvD5k?tn(VFrRAT@ z`h#8wamo{Uzu)u_J#6#3Hy&Y3woO##ar4;~Gap6p-5>=c`tYhAye4YuNO#4I2N1_( zzen>!RHPm97BU-we>pwBW%RtVOl?+-F@qqqK0}X&@P36>E}nyy zCTI6YR1@qGOOi$YoN%Ewu(i-kp+p(+w!d*HuNcN>{lVB1IJ-ck@-%k6$CA)31I!Q~Zzj@g3DOBC!n^+2gf(ic>c67T+ ztaY94JLc{I56}!ByHJVQ5Hw_&L+57MSLMoHS4zSUPBr4nO&+DCT5o4}kDX{>QH{OI zFw2}j&6L4*A~~UuK-O)8zhASzE+?DC_wP*ll}NW?J9sC#d6+WvzV5DUW~tNVR~Osd zpiFqbPU#NXMDsU+;s;SQ>%7J}WtTUk&9zqCEE^s-h|W@}w+Peh$ZIW}pZ9s6r<*t4 zvbM)y-MC9iUpSU96RoCHU3)C)1)vx>8^05npSCS#(QT?V#KN-vL!$kk{%fHkV`*rj zW`9#|oWJxaLl~d3m;z!i_Z-MKDn`;G-g$0j)F3d24D~0++dfZXWcrHOSvr89jF9Lh zNrzz3WYg(o-p<;K+PFGNN&c~Ny__#8uRSbPqN@N`j_vE~M=d+FG3{_%ddtj%PDh%;1Z36+TlLtQgP&AzaF z<~L@9mt|Yws$F=)$g+pOT9{6+a=5&DhFe4h_LHUf?o3Eyhl;&G<+6$A5-NwWJxay$ zl49{LD#;B^EQ*ufv~85xREWqveu-bFj=L02(042E5=%zfo0=_SdENauOccKyX!*MVa$iws}=2Qmv>gkGE>>tfUVNDOrw?4W_Ncv zqVDnh5IAU;aTKy>+YUBs97kP?;%~O2@KzaepkkVa`OU38aCvLSZPxfqs^+M#bj%5I zY#fVVHKo9QKBfM%svyQ~WO2Pd-}5=vm(n9+ET7IH*Fm+km`GLfWY=wV*Aj~wrp=8s z&WVDKsQucZ)kYM0warx@BIu+ax~!jm*!95xaleATi(v_dY41h@oVF_7`0b;Df$xDD zv04*V2W4vX-;Sj00%gioS#I)qanaqB^WiC}V{jS<8Y)e@Aa6hN_@hs#8qm?8o;HZ{ z$QZ?M*htDKPZGAu_U6D$IcK1YH$!DhMm>j1$_2mPrE7b&hi2cHcrQH1_dz7;{n6GP zlK!3!_ikE`%u4^1=i})Fs2%o!;(e>6{WkA`VIOs~A7P9`m0M|a$;#Uchsag76bLi` zYD5*FM)dDD25Pp*+Ls@w^n}9zX~Y(gM&QYU<(v^+meU?7%>rO!-Bod#_idzQ9e8Vx z=qTNL1w6gF9TZ-@ciXGO2#WJYLOzldO7ePHizlbr2uKZ>rzj;dubFzlWP{P-#sLYt zR|z{2yif_wUg5j_&S7uiU_JG~LNl)GXQUb|(N%xJM(o41KrhcNbgN0F%C9@Tc_(aJ?{iS8crB+ErWtDbF-Hp70lWOOkL`wI zpp(yW14t`Y7k)7f6DhxdkJ1gCoXD(fU@Z{YT8?aBB7(4L!6D|Q>-uJ;d@9&k`nHRR zvk({kK_5@%Ag_74mvCg*LrIVjg=&_FG2FJC;|DQtEl)#r8{^i)1&l5umv+0x=J4Me zG1!J9DHdF^TB&O`tDod=a*1~O#Do6uT01zWd?K(CPmvHYy85|$Y~1kco7|RHKnX2; zh&RC|2s*y|U4GZ#m?pX3pzxC@Gm~$g4;;OOs+Ue;yT1% z-jGzUnP^CAmTRY5=s}1y$5&EBT|SJQLiegpea2Cw9Vl4h$fI4*S;Y8Y2#n~= z#`A?F;Kv_`*$8s0P|2eatZ45ZC+3O#OjV~=z7V8U`MsU#D(n&4-FLbv!sdm`7%1kW zByH$Tqw7Q@dl#a3a&OF@gAQWV2M+pI5vnZ!Ix%k-PK*P)ha02vN!6aBVw2Wt`X`uL zj*HXR1>Rdp7k0GEn}j^z3`lbP%s$wywMQOyHTnY5o;E`Hy+8Z9Vxsm#wMS6{Ejm2> zb8Tou0L(y&#iQbZfv}21_l<)6C$?@6c+6%F6q4N#@Q@3D?w>p(7YSsx+?HyV#>(QC3U^edp=(7 z&5=dx5kT5}4l1^kWXKAK%G(XW9k!@-nObq#BW^Y0-GmabxrL8vpEEYnswWFH9A9=g zRrWCJme)KpyU0_Jn!MKprWLyUS~5g;0H(WYc`bZecXgkp|Ncz9QY$SAxsjuDV%(z? z-%^p;uo}6=v6ttM%fZwu^Cjpsp9MFXINohN8vVCv&HuPt#+B%_#tFI2DuMN|2{LUl zQ>rTReXIzdhk-sp%z05JPu0QePYwxB_?p$d5JNDn-V~}zA_IrJv~=%=GwApS`;`1B9HxlErK@MPy9v`jDT)j zZVuUA8W4#{sMGt_E2>%ZU{WW>OPaxW(5X}cMx4}eA+5qzcnvffZ!;Y)bzNW0Ha(Iz}1s}auru%dA-{a&@a=dU=9EgzY>8w zQBK3p*@V1%U}c6~=TjBT!tZ^53anhOi27mKay06;LC`3-`&t(E{Q{L8MS}pWgNW^!d-+S*+e}gol=JC zHHWEDyREIOWu!hZJ_=)mpWm&`~$6>gw=9VfR%rNwrI&zjj@RTJlV)YgVzLu zD`J?D!DM1x!0N@~NPeJjI*(6wRvAXN z1k55$hG~xsXC5n)5WEuGWEDu!NR$2c+-(KPzfcv?%=QaB6C(SKW?lE&_Mjjlyza`~ zBS?>r_Wa5Sao*f{Z{;qgc?>6aAsAtoU|GH|URB1ghayml0(9(zhF-WJFOkfvqfg z2fNgJ`Gjq?_yoc>DCF@ziy{oaNd-~mt1QCAFJ9c4J8%*!+^AXv`ql;w2|fH>mQ`?L{4aqzc(U8P()c&bIeTw<~?C|3WxbRhVf`)Bz3g}uMrqRJPI!Ia)?=HX~xvq8+DcB4#;R3i~)N~_R|kceCPV#<>#KA^?Z`;f1t{6?ErX?9+qCDAU0RaW%yFvMzxB}m$F86wZ)(}F*w?$0LoEJ*jpB=lDe^5a z=RW~b|I-k@ynN#OFikiF(i@D@BpvA!J=r$B5xGMBEz*Op31(bV9k7&Q4r=9u%q(+B zSgz`c#j%Sf$6{Xzx}cE9sjWXq>FfD#Y!OzQ!a@$U%AieAn<3T?MZ_r0URGxO*;{Fd zzFSPaJOIN?)ow2|H;aSCeH%Rrgt$nb_+OoFCr{5g>0Ez7x5w9_BW~3^ zj^i-N;1wH86u8~b~fG%e{`8kV|6lahXfND2&}o7QMra8zo{ag zD1T5z-ml($Ik$v~0||5=Uimk&i0(@`c1N)1!P5omS>EXSqm<+pCLH3^R;;5g#o!l- z#v2_s1UQbkZgA>+*TurG+t2kN=C%EucYg38J!bXvUH37K9NW>Te((9n<9Ydc4xl(z zCX!vZ)C0uqtq}VP@X-2zhqiL)LuT$|0lD7lb%b}c)TIrqgVcc4mlu1<(k-(IXdNWq zc0X3olR&I%3QaOk0TW#yW+?MM`LX14+^mVb4vf5sF)N7wq4)A<2S(sGia_shM8!=g zm_5(YRe)2Cf_LFQkZbHa0VVYoTrLWCM03fr{W+1c4jA#HI2?@2sh8;NykR6NqTOXX89jyKY$kz&khMqco4Sc?}T;<>=N zeef~=fCa}YU-fPZUYcP!g$Z`FW7%MF!Ya83h-G;S{6mJXc%_A**gj_urrWoiVR*II`Y}y(WR3Ms`kHxQJ``<_+Mb%d&1Osr@0mG0M z7Kterz0kuttiWOM5cl7)4lJrSjEMeprqry|6JTAl19KPYHK7flEUGxvg089 zkX0B*(3+ACV6J;gnfQ^TpJHoAwk5Po*%rqCZxZ(aT0K!V^@8cD`uB#LA2*bj+NxOipl*%x zv~+hPU5gZuM(Gj|0ZHlZ?iK`TSac%|N(+)ocY_Kd-Q9@yTYH~#_Sxs`eg6M@?-&k; zpabWe>ziM^@ALeg!@tMAl*LH6Po!QC0aS>QFKGRi^2T>1s^2JOBEv8t3Pkn&*Py!i zc_FSAE#~n1phIg34F7_zu9746k%rwqa4G@!;S!khs|p3kSR_aqE3D;EPJ%WIs@g$O zqNapVVK^E1abl7U?QeU&L8Qg3-Y9FK?#VmjOQIRkVgDB+r0o*rAB>Q2WuZw9y{55K z8LH>+_u^w-%c)`7jcyCe=Dvy!?`YeyZ(buBg(Z0M&f)Ji!n3Z%FDQZdm#oLSbbqFV zjQ>FifhYP~O2`q=jqK*Gt(Lmi<;E<+qUj6y4E>ZVg|I_TM1rf@LH&hn*sXb%mDtgaNm9# zGtS9cu(G5U6{(@Uk~mob{uDj+@!j7m zqD|8+&O(?c8TV4jW5(2Q!SZE)l_{4~;fr0x?VFj>iD(X6SK!IYp)0<^L zQoGC5c?h!N=nD!zgqF>r{cE7trNYQDPd&|)|3k5=DKy%u>S)UbHRf zszEkXf%Hib3=bkTc^RLq&35Hx@$ngX z3%(oS|AGRdh?!+f*cF;HMT7smJBpn+qobHy%-3^w$7;RYrWbqyew{4+${uO3vvG!FVqU|9NBs)3n8pOv3~#n%su~15(~s@J4vx z_~Ky6P+mDoD;Pr*7B1LToW50<@{m`BYS3#eHp0t|r4WI(7=p5wF*n4g4=f`}4i!Lz zL~cwdpEnJ3Xu|AXl6n9Zma-$l;tD1_YQjvH%s_?nG{L-dyC9n8QwQ#k1z-aE1Vr#;NVs+62UgS(1VZnYlmqw&rX~p2_|0Gx!{HMnF-)&C6 z|G5MS9HT0y5#bdlY|nt$u^?Y5md+n+oLI&-aZsG!s$^A|{to%5s9}zss)JJw<_r=_ zLRcOGGAOn(IX0?v37DLyXW|Y?nQcNTdy2$}aR0FH57tNg@2n44tVlFN=zTi|&|0gq zo-TX#%&+ty=Y>$aXMX?;_VFYWKz4)3Pk?9bgD`-ZRGb2#LRmtvhZg*wcpoc0F&gTR zN~fq+EI?=4r86911j+1iGq};2mPWOnfL}LDC97$l8i6#n4CTUJFGfmBW-p%12iS}% zL44Sp++Hy=%4`!ziL?f)f#lCJ*Lk$?@U_L=#cJH}Tglcf^Xuxdwe~&384lI3Sdr7#H zpzRPk-3$VuUW`K|qtAQYes4gmh6^LkDB!Y}nC5`sORXeVpomw;{~AXtJq5JHc-=ry zD1HX^!~{tZ!f!w*I~xVH^fGDR+9A8soNpfM~hf%-26te)Oe<0erph4UQruZ zv-_H>%`)tYN<@4KxZ<)?ti;*3i5Z92dhg-Xe9mN~{WJ=VCG z|JQoNfq06nzOI5UwR(C*e7i-Q*9>Cf>EG51te&DbWiCGM`#0XlSzh7!HnGQVxDS?t zf8jpbBdENY|DE??IJR;6dLeTrJ9$#d70K%Mx(-guX#U#FL@Y-DJ7baz#RU}S2dpp+ zuS9hF=sZBk>c-^Nnl;DED?TS|SeGE!87$JhnRh=#-tt?lf-Jh^+nkv|65WcKa}713 zg<>Ql=U0>FajmzPNc5Q*M7HmaH;1>!gmJDw1e%W5X}G#+_Dej=JnC}a94`NHl-F*6 zSKM4H!to$21E`c|d+Q;N_JDFW;<_;8XO!$6GLeR2Hw`b;3}X2N-zvwg*Tvb`&(#4_QfW1^enYv0Z>Adu@z(xlZOyCXsu;)iThuRag}Do;eGxKAflW zJ?yM9)q?I;!%ohG)NA7zi&|MF)EoKr!RsIlyV=)Jw!PO4-336B>?C!J!kiwX%WRy= zd`P8?R-?MKS?>3x;+P}U@-@obNiWc=^kWhCzcNXiiC$r6ifOPhp1Exf+5sB?t7%N+ z^)ngo$-L^cBi+Nf=n?9-Xe|s9`M8#5?G^ zSl6uOFt!nB_jC5`@fPRW#yJ(Xn|@v2X{$ds>3HT%6B@E5;Jlp^MyL0lqYl4@euuAE0sQ&|H``7sGv zPk9H=V!H)UXiApfvaLO=f-7bx=dvE>B;CI$>d?qUkHUOB%NS!=e1-lyHN-lF&{dBZ z3DSun#Vxr(L4>s&4?-h)(AiXbXakbEUpuB%lLYYJHhPL1+Llq~aIQ8M|gnli7_b!12a3Jfi(c1vSk%+L1RYnBe+y``J8Yp8D1VbyKS# zBu-WQcf^5wZA!S5LTWE)J-g6Lxe&(ZI(yv=;+z7a+F7HEy{ z8+{P$hg3ePekJ@RFBjFd&~fw9Q~thh>yHp56Gra;+i zk^YU86mPCj9)C1CkFSy{fq~B&)GN@6uTR4zEkESSoko7xG%~mVdUf{gDI-=r8(|Js z>>*w2pkQq;qq0`nSgLrd@c?mvpe*7qkSTU!U_LW&OMYfQ2g_FkG2OcM+y*dQUdho) zZ#hi0Rd}qxPl=YT3z0CUV4Z$ewpY|JJCy47C2^N`-OJP|+Gm!((b`U4N7K-i65vC& zhBrU0E4AN)(8A0f#Qa=V_iT&!ZA+bds=?;*PN>Phe&$6{n4#X&cij`eVPdv0fBh{x zgzWI;@9YrGqAHY^&(wSIfnxDVv*fzUkq9H@gpG0mkKou+jj{B>LU*QbQnyHzI5bMZ z{IkVJt@o^|<0~&?w`&;Nz)Yl3A>==snZ;2t+;FEi22b?A~V1q_Y`mmCJT)3-dFz+ibVd< zo+9ZRe%~150HFaIicqUwXkdmw0l+et5wfM7X2jzZOElv=j$ElJ%^yBvwiQX*c3}^HZ6Q-@)m&Tvu`W`78dx=I=(3!eWOV66xx4Lplsn4z zzqOz+u%I4Hl_pM@{}eIq7VP>U7y%e;%yvD1fFET~6koP3pKZVZ# zThPI`UpQ@!XCCunI#{cnQJrex?WeFkEE%tUxwf7_X0Iw64$8mwZ0uQ1IDajMoazs zbHHVsU#fgecv=Sz*DWi$5M4NtKGxbiQ{N`-lMkg) zCi0V6ym49xYxwMD?AJ8+!PI-+{dq>2-AIbvr*N?uGg#{GtSooxhZ%%ErVVzTl&vK| zfSUpZEn?PFSlV$pDEMhs0<)62){bDQMXlg08sVVVoV8N4XPQ{K7;rcdZUkf79(F3u zeIPc$5Nqg;aD?@maUMJM*2{{CuptX2#d5dV%vNb7)cAZ+g?`qR&n`Hs1Ok!u;u?&_Lgeje1wArqZ|%iLkso9j#mZ* z{hpuG3#BwIBz?}@D{IWGQ8>K-YIVT?uaAZ86f#y7PsdT}pOCo?^UsC~U>+zz8ZyBy z>D>tKMbW|PHOev=LX+2C4;lpz7Q1E`pSpZ7beL)Pym;mD`00T^HjsKBkaF$&j8}|? zoWU&DfB8#-B*i!_C%T#(OXBvUAxh#l38Q@5_~=0`JVc4WulhVqv6`+*{;LdMlI zusJ`7zxpy6q}^viUC)G!5=X}Q=R4AJQ_?;s>{;z6~hd8sY_-^fOTDF~PqP^LGL96FG zU6UC8iUHco767%?F`nMl0jWCVp;Ju>fd){|FXLmhY^&V$P!-kueU)n9WIp1VhC!?zXB=(b%10F+US~~ zK1R>{VfQcy0i_J|N>lW)(Eqr&AR2gpferTtGfPPRAXSASf4@2iJaxdWQ`t`1+F z{%pSdfvcU?m3kz>{m+Zh#18_=Z#BtSnXkk7#}D^J1k{J51@B@I>sg(02X-NwxMR14d<`Jli&Zo zvG}i11^!SWh{zn+{6o(s+lrE|#&(_uOa#HVq#&?eiQj7C!NCUjF%sXH0uPwhM{{z- z$B8&}OMsqg{in$9BTX*0Bmc?kDVV1hZ5znr03ajFz>GcZZ$*@U`gC)xVJ3HLE==AXWoIhT#KmSXxyCdkRSWxT^|Jya} zzlYqPzoW@^56wtxC)v2=Pmk!&qyK;ZRar{Mz_Ty!@yLK7w!IYgR_JjOr?-F=vdn6- zIM0d%%zYB@$utnZYu9?y{)Dlz7yqA`CThg@jcj4KpOd#eciFN}-B6YSeto{>ISpSn{)&2AmRlz|g^G z8#+Dw87^ONx&jirbPpmS2gY{=0BZ7=PrZZ+{_M2Jx~cBvSsnj-2G4iIvLwc!C6Xb8?_q`Y4! z{~eIqp1~wuZBYQXtN9K1a=pZ{-_yc%N_;&q^gRko=eL2;LE5(G-W7Don&EsZW$*w- zl`>Gb6Ixnb?v5x2URch9>ebHLQL%C$?Tz)te8qREdr~7=Q$j51s<;W!p(J&dO%sJ%ngIkq1GisL`O|nK!DOCHxGuX)AN{ z5wHX$L;=AZY1toc$>H+Bz|9_zU3>rq)041h@`oxg^Q>2ZzBm+2&0R~N@10L3U|X`# zU{^lYxcS#ZC^sE-iUkuojhJHhr;xlLT}HT0@k#l1(%u!*`x4~mbMH*1fnBr|)}!g@ zqK%GGz5*qe=}@@zsnv6UhD6DJF@p;thZ@V0{Miz+qwoUZ!nXtk()c{}$`KEPMnS!| z1jeu$(+G@%J#l3?GGd>z?IJ4g&AhQP!MpGu^6ctW^4oEoVG=SVJBN8#p%eNmKfu!| zy*}I7VA0n0GP8F;3^x7C30}e+kYhe30Gc-guVcL)?od6fjbja5OBZ)Q1e2pHM%j>s zD0N>6WVQor?*^FPyT(qF-@sTbMHw|+vxYW)=3(tdgm7`^-U!9FoB8)83YyzfIvt>K zx~^7APcabzXZoGI&3PJ_XSKSmi0hUsYDd&zxzWKr<0bw-!T5pkvwXDR^7%H1G(W+? zMsMFMxQ$)QF$5GWS2WTm8>VP@a@idq1BgD1Yh`NSg4~IjJLUnzVuYd|u)aMP{Pnw1 z<$i(2k2gFN*0p;}sgWWn{>Pg0?-Mu};wpZ03m~^@?HY|FBY{}YQF6w%yg|%YD2Di1 zTZVW*TR@*7UWp4Ln7U2vOeGHimxV7!?*GJP!P2!PduVTqTzS|Ff|we5JpS*oEG3Na znYG>3$k`W#9ex0U@(i5oL^WE#L2s0}2C(@yVu7Z~3P&3RSqK9~Kt;ZvU5FYfCji9Try?Otc6JqmLz57(&yPW*Z$0Vd6dSt)W9}A^Z9FMGJu6 zay+a9gkUGVzpZpZgvlLj)vYhHuDN?D3hZ0<1lXdf@cN=U0Q#$<4C2rZ?kmbXn}hwd z@bNzwFpsH2)vo`G|AL-t`W^7kHDRn_v1k}G>@R-B@q@L%TsiZATOb1&{{(`UMn0@v>Pf$@S&g$;PwVanOb`rfjB|u z2zZf%1h7OW#Y?>VAe|y_A4G8k*HzsjMgASVi3L}i6dnqLl9mD)@@I2erENc;<1Yhu zTL!jQWq?ognOIZS8Ac#lT;Bl^5?db~gBdBH``zI-98Ey)T^cKPEyr&?B?oei7|z@a zmV7}g1O}ad3Q~8@+kC48v_O+H!-5sX?z3VySQ-ssD`TX-%GXIF*xUX)h&|Hz*Vfyd zDS&<1wcG8!RRx6^e49sTT_kWpAwZtxW99);x6OOtAicylfbFH8CG1wl!hs7aA+t_D zK1D7Hz7ga6276bG7|X!=P-fEm#%x$xzEQt{Uon6q+F0kPLtDUOUoQ-E3nt(vADsot zv-jn&eS4Q7_;?9=h@rISI-UhMpppiO>uLDqS=4*(b)CvL^|~2o+gs&h9)Mfg82* z-0wM&E8Pd5$l506NMW^Ffx^#@%arWVhmAArKxnksMI zhMdT^VH=GA`SnJa<}}KSKGLVZHD%g2`XogvdCW3WXm}0G2MxjB0Sn@VJ|MdwEo1!U zj)f+O9koJlYgn&!_mg7ceSAhw#wUea3=)CO@i1WwEV90NJPxS@wBzIe%%0A08kD8; zbF&zSU>Q5xU}YI*>NIB+FwFl7{4m9w?YGWh#Ikc8Zq1kia}q%6ssT$x%brip#f*nR znni&oT?^M!-u?qX)Rh_i4{i)&Q5p%n4+P%@#*N`37;Y+AfgSF$+!w5_OaWgZx64g} z8WvbHWtOVHe&2Ns|JJ_-Xd_slmS2Ick?s5#k1G%ssRd(hl|MJ|dLr-?%F@{e1RXo5M;r#}(NXQnJoD8!-(1CeMhl$?v)~{jzufQ=6!|8`XsczkFoyy~@(>9=Y z_4k@cuYxVf(T|fLS`>hrd1g9qkwDQ6$p+gmPSq_SEP2k9=_s{G?dJHI@OcTSF|8+F znaGLdN}&K%*E4VuFJNlD0i+CquNsy_BZOqjKcXMX#d>Y6XE{~$kivlZ zq=Zj~cuj`KnQN<>z&Ol#ink+zS_4piy<9xMZh!%8E!HWJUvLegOi0_ekxR>?F1&+z*}}1T4n5 z{NlB+@Yq;vX}MTjIuIRo$$7;4XlI>>gP57XeZ0+vysm* z#+qdn{R#5EwuOWW7LAV;bV-Hg9B2^BMx#qWSef!%WxrhV&bj{C(=d3osx1(!PSL#{8Zn z9N`V>9D1jB_ZVO+QifH7E;yP^J!pyP8Sk5-`Y@9i(y;Fq0BT-GT6KXa{EG^PQK5~@ zISPzR2jEa&&QuxTgXquM+$;<`^fY1`EZ zt+S7im;hAWy-foT+!M@bm$}I%AhRT_o9I6vh|aBqMPbF~Lavjke{RYe+$kB6?tM!# zyF0noQuaR=zpmC$5&EoCK0mtLBX)0{20&U$b&bOaS63!(ogI1z*f-`#5NZrAaL?x< zC=LR~cE0mwsa_Y!@7_iV;hxh%sLPX&scQF*X)}EQM4%MR4;@?GxF|nia2fKmU+(F; z-(YnUKAApOLF^8_#%G+BA*#EoUy|w$-W=iFASc98xqLVGf1bc}9SMg^1OGS>73UtE z1mdfIei5V+8rYWnjc;Osl=b?1ZvHaX-8Vo6;y)=z3dp>zr!gD$+Qigk!uHcnPKzLV z<2td4nLos*t2QQ&9~?upEkE@97$+eoy5J!j{z)UXWekMS4}$-xeKDzeQ`zT{SMdw# zH-cU}(%+(HdbH<((mBhqzx@bQCTr8o2yi8-i!}rDmg)Bl9cr{rJ9QYzuOY+zs?=4Q zb%F8t>uj>r1kdXNWzFvxgJ*oz#)Fg7uF~Jv;n+SwuY#^F{u2MWrK;i&-dp`CqA^A# zG5KHDH3J!M?<*-hS8Nh{z%yTTw-b^aMI<)7N@`|vuNv*T#arH?=g}IlaB!ZP6BZ37 zdf3rTFLUgP{`iLQy6^&bqJ5+PQHR`*qLjlifkX@HaHpYlT)U^}ACT%_!zMt&tL!>Q zd9{Unx*!j~OJF^z${CHhk|x?hfJTYUVGIyMHwTGybc)4BP1@o$;d&mCqi|>@5%4p& zZgP_=t@4j{izL|C3ICG?&|Bs6aUXa$8SyiC7NU1i&OT>E5t(C`6%aM`RY+&!F1QVe zff*^}aL8Iw*X9{rCbV{btG-4G>4g2!(8dg7H~vY*MJJGgk+EHX)u8%e%h!pkZLaP* zBOT?n{`&AXMEp7;ZLmzTZC*^s8Pd2oPDwcvattkp%HJ*bl2nB8PQG`~CVVGw=vS_i zM}@tRuTRZ!xfyx3luPIIFzltB5yV5kmiOj1kX;qnqR!x4H?1l5c#3K|k-+5g~I22&( zZ@slMwlrro9-FG{Y}mifG*yXY8ZtNH)0T&1M0qQ9H7)hF^fqOD(GL0eR%_4q?8(@7 zw}_amnQIFRjj|VSCoqz8n%T+d)?*6v{bW zt_m|`)AgJxHQ~4^b@n$&&Ep>?b5FmE^J%g3@6^Qo){-;lzPq|Q>JMXm4VfW@=3&rU7DxtMfHg1T zF&Cf8c?j{G<}c5joI>!z9;@aj%!YU#d^l7WohA0}=n9;<^Na|bZ4FLEZ%x~*>xE26nu zC^x)@t$D}tF@|66N$d%lr-rfh2$s^0KNqOO3%6c4FS-cZQj~dTWXXJhff&OAMzp;xfalXV z{6LS0($g;kH=`;rXA~kg=;prrtB2&FeddB`qHblFlYulb^Qmh?VPd*)-lCvP5MwCo;Tr`N2+Qk@uF}MCUpd_$R`933FflcB8AyGFY z$NdV>DR9U&;?+jW`Tm^%r4C0a$m>(U?Fw}~4fT*%*Oco*c%l`# zpyj9VMr8;&(&Qrnd5y?(-qzQA!H3bRo+xWwk3Y1HSJs8c%57q2WS!r`RVt$82%WTM zsBG?#ho_~35`~cpG>w}(_Te~_?3*SfqGWWog*54VeBT3?QQ0DCpq2IPJvEaHA^F0z4me6$opsfAJecbk z^;(~lCcTSoZ@%;(vne@YlJUvq>F4Py64HzFH^hn$1&Tnc{28+mv) zS)yZyY|^Go@)nZX`E?VNCnI}wp;xv@)~Vd&=FZ06x(PFU2dMU)U^=|}X;#;_1Z$R3 zE%phIWiP$VhRZ7f*;X$=&5>W2x#5N$^|7QH0;AjsP0n}2+Tqv&1014`>(7kQ8_=8e zC+8FdOOT<(mrBy&50vxsM+0@Vho-F=hMsc!cVyPi=#r-`gqHSuaCv_Ke?bD#*{D7z5eirl6C@aJXVSP0Sr3V`-8~(i}CN`@|>EXGXuZwM^ zn|EVF)TiaKE_H-t@Lwojn0BnlXQ86i%nBS?43nL_6Gd>zUto> zlcZpY`E`4v>^Tc}isG{XVjQloe!`%-`_z065?>m3&+=c1}u{`2< z5U>5*=nTdPH-fLwn(Xn);7(>NsQa$;1bx}dYnJ?&n|DoDyNmoevck#7YlPC5#YnGM zuLGYmMlK`~)kFqh)QOo`h6(H#87sMyUAC(rsFsEfU{IyH7>H_*8!=3)t@zXgm^Wz&0p zsYGh8hwK=i9H+HUbsZ2w*%D7djsLTf2LSt!a`ff&`qG!?w)X7j_wMp+czONMH_zy7 zGQN1-6La^J8r3JG1Ne^&$E9w^TSv+Bay#6qYW?E+_~j~HEFYH9V<0GIS89=bhEveCcH)DM?yscB{MjtuyZ_{%QxF3ol0rPWg%=*T>bQu%>Gs zZT9T@hcWVU2qJzf5qi{gRSr}p$6U^KH0{rZ+TY8KbXs#uW;5+GWqZEd6}8%%<~~1T z$Ql5fH0syr1`|VGy*vZlaDJ!*jRBTi@;fvff?J=S2y=)4fcBedU6N`tloQMOoIVEw z!(i8eajEj@(;iyoxC~*-PAmMP>uRKUR^73YeteO_G`ecWyT$ko=tmH9DcovlY@?$$ zREX)m6H8S4Ee`QZeYM#>L)^DAVr__g#c?&&itAUF5et z)1cDS>kcLm*rle{8Rky z*FW^pjI4+0u&@CBBmAy_lqef~;O!YK$l7M)_RwbU9By&)0D-Vf4MX%n1zr1u~`oCqGZh!9#4vy)&k#>$UyK0@wSh))V77QmL%+Tg{h zxbLOoTRlDV`hGnF{#GkHqw|%%J^YTx0SS+BG!qUKY>pJ8sL)f-M$&70cxvEb9?!RT z+AYP)Z-m~iirS2Ju~rehB@kg%fU6z9l1cAKM?@noQzGa4bs5f(JihoEoUio{DKmtB zv`;UjF7uwYQzAnA;1hr#NTGrbk$2An(PP3>;}jaBST4Y2mFhg!*v~IMQCu0ufZBEy z!y<0_llFvdfa?O;QL?)jbR}mxF>f|$nscyP<^JoC{Ex}p5*c3qtXQ$s6{Oq?uh}&% zhi?N&b2EMl0BIUQUv9lB#74@r?ld)i6vy`tL!$xWmm+f=_!xL77bEkrF)0H|WT`bh zm1p`-^;=TDOx3$jK!x&v;Y0fU+GS9dGDN-zTVO9&^WntXX^j-@Nw;e_h7_iuh%f6k zr;L_Ep#@5z&VcZ&$E2N(BOD2P&NmUSxaSbqy#H z8c-i)dZ=#gee<@AClG12;Sgh6C^(|>=l~dJ%Y@Y0qNgr;iPWM%=c=FXuO`3%`K*Nb z#awEybzxq=2m0;JNvoD6FJ!uTObXphpt{aIGfnU<>K?>=LvuR)edjHapFG~r%U*G< zYl%6p3hV^RfJ&-Ux9f!9L=1D%cjnvdg-DA8{_=(V2*R7 zXRM20g#lz$-WgA|r=;t?tX6e--xC*dLhrmg|yNXrxy7 zcSI_w>Z9uUU#+PKpBlovrTFGPL^`IpMO?IBBo)?;sffTa7`;aU{c(DJegITSm9DPH zylOu2l9f)+u-Nha-nSNy>DV)}p$77<`M@@2Dlb@z5uf7c&LHKR9IC&aGs7gFqc$cz zfe|1l$aFG)oW^MNF6qFyMmF!%t{I&NyN`er_>qY9p8Fecw+_CKVz&w9CKt}t!>lu< z6i!=#Lr=v@x4S^secmh!vens{Hbb|C7(t;1Mbw>)aq|8}OJGEOPCEgfHu3B7dPQMl zK}1YkRG8a@@*bm|it2I(c3uTSO;L*OKz}i4^}ymib_2C-CLAvnj{7_pl+@Lyq`C%I z{XlckW1Hq-_u2_SuL~d5r-=9dF#rqW;IWSCBSpC`1bwI0Te2(w&fW3W%)3}MXP+R# z-x*ZuT)MW8E)fkuPa|Wh!m*})$^S;kscxONcL`VIN$mWd@TiS@Mv!AyjdAxvab$fr z^cx1m=`e@Ekv1#?$ml9R=sa1Vbf4>#k8PNmpV87;fwnRi40k?)nt46w;Sp;?L3Np5 z-O)&YCs5-x@Fk0Q-?`$mE{`IKzQ3&3EC-)>bM?KvDWJTvV9WuHL0I<4+9w~-Poro* zmCJkhf*Hwa?N+zys?ZTSMD2e{eVm^Z-3WAqLX!3VswzK_MYJ;pyk4Y3m^n!nLhE#X z)>F0@G-Yrv#n~ym2<{8zJvcY$Y5V|cqe5pBS~S5IQkkKri1dd*`|-$0x(C_Iiq7hr z-YS&iL?$4{&5^91KR{P+sTORfS?%JP&O_h|zQ!IEaj_}wBh9x4J-^8pDg=jz`dyVP8E#1E;Z^1Vz-#mZ+%&t_9NEy4)3951_j@Ira8MGhs9FtKs$ zGk~`&Q*iiP!se}rV0fG&pia`ySkIqMm``t)sm#cj>8Gv7$u+oHHlyc(XQMp7AhEV? zt4?Lfc1)wvvo~H4(bd@jJct^8h#V5?CQ)BQdnCo`ngic2mVTs-x)e+roajQt%m9ES z$aj0?Bh=^_y*QhPB+XzE^Iz zyH(;8vL54s0JT{&`Cd0oVXpE7o85Wy0MAzdpir20pa9Sh?vYJu6t&};u1K|-UZ%h_ z*?9Fsq@UFUN{7iN0i&Lry$=o3-O<=ghEhzZ53M4+3~Ijs_>o0SNae)Lg4vKgvcY@o zqaz5A95OX6`me(ddv$ODS8J)$w~m1@HUOJYl@`6L8VVm>aXi7BB$w%mI%h1_73o*# zJA5xPl6N)YWX@xsRAWBK@wz$b(ywyU(sTN(q*WyG+&nm#PHtIRPmGs%e_{s7NY)^@ zd#!?hMw>o&8J$2r18eZQo3$KqC~ZCj^;u?9)%BQu>NJd zNyF~1@eA|&p(e3}C!|-RVQsxdsRp|8Y)E-lgV7NVU;L|O9-ZQ=isW$u?FTDc%^k1n z=2)5GIotcu5}Cq~|0qTOYcL|w$Jwe@1_l?=V21X5aNE(6kl#yX;4_zCEA;b>h+(pn z?Z&PHarA6ZuF#anmM`MTN6lt+t=T27zRxd0(AVx;IeuwQ5zhN*YNr{VlH(!bMJ~Q` zIFrP+as?4^+6%DinfEtuDI%h2zIxpxW>2F`Q#Fa zKye2f4D@_aPTmcvl!Q^XPI1p>rN0A@_+ zCq0%tlS=01Az?nlC;7NqSu~#r%NR6cNi-LBu=>*WYl3XhOi!JKlFUB4??*9AUjLl7 zI`b@B)LNqFhdVUTuCF{HsYye;ECesRChwd`Fk?z#?fgtj$U8Rv@JG19B}|GqY9rFt zL9}cRiK&_GgJMWW0|w+Ii&593U5o@Ck*_IU``t$P+O)ZPMf5x1T+Ox!^iAw@g~>l? zbN1)B&~5{s;Gyk7_gzIJ8+zVRr#voGTgcJLb%Z1NxvcHv3Qk?9(Hmv;OT5&a1*@<1 zI};_3V!fp^Sce2+sl~+@<-RfpF#0X-eT;T+1DOx;5;Y%*!|#kh13$JbOc8IcyF2Vf zounmw@{W;4z?}vC_b@>DdyXT~`eU(CTfBZAatr(n3 zt2YuP@z}QBF`C<*GLM`1M!F%=9SqH7pQ(HB%>w<3?dQB7{<@cOk526Yy#DJUy>$*G zt5wF-=%uvVF<;QnB`)Qwq!!eJ0!NzbW)x--=n=}0F{Otk`sTzO<2pl3Q^%u2s9J9M z8VRK0$=}Ia715Y6_vB?X9II*A-@#<)ZuiF+r)AM5uYSnmd$kEx;%LRjJ;qx)4)<4Y zZ3XL^KGo%ba38`-MaWwouhdqey-_eM)WkxCFqg-E0J9PA;wE*l(0LF|-CQLIkWtBe zFRI?*6v>d%7lu^&?g0RWp}E3U<0NJ^L-eH>^H$`U+1j{Yq>OW(w3;`jff^YP!Fh47 zO)7T_sf7Hp0yXwT9nUoYFGb+3KZA_lf+Qp%c^Fl&VN75Ll9kxYgp;B%qcAd9G}fs)CO8I*1g-J8B?KODWh!3QCVMiQch?b9#Are zInV~qvnO<=G=)Bp51$Vf;jx#!cqqKo@znvy{;UDyrSiq)`jO+b_OzGE$Cl5)#J3r=T72 z14sTgV*iSv$RWZ}s4)<39cB#Lb+`;h=X_-)+#^=3jLu#YxL1_%ce6zity&qf5{v5t zhlW(G9U=}?@*l9iFF*tPKZxFHDRrpzhqY5d>r6rvh~dge$(7oMU06;{PBPYe7(ejc zBoa}NN`+a!KW6#SY`der$zD1H^!$Tf1auv*5P7l^BiG`u&ga4g^JvI_;m4YT9&}4s#Nubv$V2!^wmT{UdO9_B9-@> zenhcF^IpT^M@%BpR6>JAaS&^eq@I2iIT=b+EPbC--uMfNx39dwa_sQz089$byEdt? zhU?cufXN5fB9%=3b&RMQ8ispi+vPE^Xke zr8-HSq}WNHKfju)^J)eGDGyba^Wgh&oD)t^nF{bk4E@fMH3mSdx0h15aL(AH= z%?b1+KljiWH3P~-S@LrOp@};bT5F$*n_&n4g8inIH^ov0GmU7NsUYYFTua?k_O(=q9SB~Z{Q%=W*wf~9l00ZEciJ;ry5We`;S6tva6<<6UXj?!v^ zNo&T2`(@JN)3M2hxkgVdcg{KNzC^3&3PI-WG)h?d(|9cw`tiO&UVt5l5ncT~nth;? zpwrNC|1h$df>I#Z@x^l`<_kR9@nU*4%cz*`+bnlyL`XIG{N$k25!kR8@!+LmP$3;Z zPuUM=%mCuM#Vw{hKg5W}m;?fn)SuSsci?0jC5pyvMyxoMf6pxXA6wo2S}x1+^;wp= z>q`Jg-(kUi#hn_r;P0CzVfiyR1WO&(G&v!Wq5`U!415_?f7H-7)Xu{jlRVGQ7ibW} z)be8ETDM~m^mY{^oGX6}5(jfz1uM7lJqg965}8}3G?8zq!1VPDt$J?egFQ{K!&W;E z(Mt$2x&{q(jbXH(h1{xaH$$*9th~$KbZAz`c%LsqaZ+y#`9^LXXd^wFB_BZ;bOF#C zowjws!CS2(Q3(@j_E{q?Y^hF|UHU=O_D&-wkh1{M;0rhF&hOs3VXb{YollKyfiQU} z&@aj@!sa}bvhzmmH99y|1P!}KxSA{tw9#0i8|HV(|BTG6=4kxtOo>OW74_Fsgry(i zhj3`YKsnj5k%4{j>N6GGE4g94O1A0`rEq+^gSvndkPuM=BqZ_IgSzCW_n($+ z`i!5k8;9IG_M>Zw>)t?q&A~1t@QIdS_r?!M&-jzSvqSNM!U6juF(A4`Ef=ox_W?YeY~HD_mT z3|{dY$c@_|l#;TozHlhsvYeD-;G~rbJbuLEmHbm20MFj`$;{rVm@6Olx$l~EGTmvEw@_*>E? zRzBJ)ppG10i-e)d(2A3&y;gBy@qV9ZAn@JqP%z{kOPoKN8$`!7%@p-_ZTq{Tt+(YEVZJmet141d4{ku|W?dMDpgo0GhilFkCsdgk?_QhzQ0H7wp~ znSc4PEpPaR$Zy!@13lz}4IpbC zsV(U`DZ9uD=Lx^^Hh6G@W7y`b!Vs3?XEh>nqT~ipvyWoWmjVKiG-|wXI7y8cw=)1L zYDP$wN~B(a3a0}DcQfw9cm8dz7&x-5>T#PYGk!7Qbxegn#6cX%*TQv8lG3MbwV19< z8&0n#{ptEaU{-nefI^s7qIFNN{t?+pRCu0g-Q ztT`s_oK{oxB-#?|`q55hWA+DtET^}5D4SJ?;Uuz3lXq2dNh7uPUkRs9$q5K)V&SsGLI<0IFF@=B*sT;QedJ%-?>Z@veRso}Na414GIiC2Qy zVH<$WMnGFdTwJ{?%`B2!oPopWkfoX}A|&T|-|9s?k+#vj2#%%BJbcD8b+z>c+NO&Og&26n~S*8&O1WY2cHnJL!wK@BE;>rorI#M5wNH)+pbAV&&G_qe_n<71l<;qZuivK!2vPih;eZs1w@l zkYSo*EFN-`pvW0%)%?|MR(~4wG1&@c_C~Gobw+nMo0Rbufsv{-^JPUcaf$DVjnLas zA3K_135)yI63`VuEK;s~L5jUb;W3cJlD0De^M+u|@C?Eb)%Y9WNUNdagQyZrbRrR= zos!Zhes>g$HGBLc`$Wyt^q0W_l;eF&>x2U8x+@GHg6~%S@!a|LbShlpRc`Z8{8HKD z)%H7l6~Rugzs*(!aL8!g&B<&o}$>zdyNQ-|lzuP&oSZPUQb zBYNgFBfZ)Vyd^#UIECj{NW%lwB^xjosoL6I^;&DO=WqB&i&S$Au{vW5g*0MDq@mH^!8W{o!rQ( z6~-89vvo#KWb7>pAE^t@J=3)3n<5U?g8>`(M{Y-24@7kj9 zfH|N6TVuVLsPtPo1;m1iLN-Nq`N*8NS6eS}u~>ywcpQ%fHd2>zJqZsswG(LN)vPhL zGxry4*N5}0RT_u(VUDi_uBD&gR>*hg@I38;Jztg7#D%s1v3zZ-R_tuQu#RO=9Cl#- zg-MCCHtwL%J~f}PW~ML?Kb}$QXTYb*TBEUtzgeo6B4!1<8NNpf{o@0G62@cH0yj5Jacuo_ZLY*HtEfWM|Q~hH;M2Y71I+RH=0Ao;@+!8*Fcn zM|5sat(q+#LTeo--WwR$gm9y$S*4DwU*CF-^fzoiMNQKgEpP8n7ho6mGnLvb0HX=p z<1s<(t4fW1)(hja#)8v5x}GcLadq6?%yW4sgBQWhINr*ve^<*DL=PO*++nP;uw9pb zCjvI-DVAQOL)Ff>1O~N<;~If9UA6SzmA92e$M}I>n zfJF*Qz?Df~0TVC%HQx<5PnLl3KN#r`f)Ker@ozsQriVU99_Ajd`!@|knQN2i0c~ln zfp6q4k?IqQ7c)i9j zG(ez>K9jGD0oW?i!(R^5vV_vBNfWCj24x}b9cmr#B8luZwV}k}FKV&LV2xk|!Ww;U zK+!Of1fQhSV5W2n18kZt2M-GQP(pY%Z@1f7WmeA<{di3Fe~qy>Py}6@%_{nAKPHzLJttV6|$f&flLSfBfJ>ApM8BZ zFrx8Sd7sJn?32SKk3|S&E}g;&uy?^`+GCpB_kI_V=N`&ZYP|Fst%@_H4&r9H4{s5sKya?9I6i%xhTPDPf_*yv^QnG5+izsU3Iu9t!$CNIW zvDf3`_piufNew5*FI}I#A#3_(G%{0j4-#>oygT_lX4Rbo1kIxf*BMDWMccQka!;L+nm?t7UQ$Gtw!Y4{B7ZyQ~^Jd{RP~QuTjo*>OyAnO4@!5+P ze#W&Ctl;PeQU16O-mi!DMhq`>59P8&a)iy&o-G4U@q#+KajmSz3b3P8LU}65c$Og} zG2cphX_f^vZ3agN=fzoDKIbbs2QnBsJ(gMI}NhTR|ei=&(-qT);hEv0dI_Z z@2y+M7fL>v!-%alz{>J7a-(ST7IKMa84@=C$orW{U$4M}#Inm789ZS1?yv3(G_(z@EGc$psIj!H9!!9(tLl;Q z;NLbguTNut>+>K(^_yhO{A4$yzcZGl@}!34~tr zwcs=PP!!?M-vGA|ZDK45)&X(9qOZ*KBO6p)N6Et4Nx34F$h!zt1J++Dqztx@3ITB4uHN1Q_B44VB&E(-@L zqdTtv;9~bh3FaFv2#hns(3}n_N$>tiMLTwW(n*mxhQ7r~Dc#@FEJ{7VKip#O(?;a5 zWpDc1p|S?#Hx5&>pTCGmdLNU^TO~SF&0v<)EV?E+*`5O$?mR7u9TGF)hy+L*gw&@6 zoYlyH%40da0sNiRmk`+;u=vr!Z|h*4#UB}$CDDGVHW}tv5u0z#F!>p^r;&LRyE?Hz zwuCv;;OO8u`r?YGB<48oLG&r;y>B@}@Gh0+WzL1m#bloinc|ORRG5oy_A#<$rk1wI1>zW_lsvJ?j`}{N@TE1Y&4*%@;o=7eg$n^Z z4d@o6$-6thiVG)?u8JJ>AISGrh|nMNs7VdT94AyO-GDXj9*n_M+Ab&k#_PE2*UFoX zzngm&6i^^Us_b^s=fbM}MJhA?P5)?0+PQS;Yh=h`2{-sy%Xi3Q@>%*#^{b0>C>U|> zlJ3h_-`<$rO|tADT1@7COd@%-!r397kHW?m{3NE_HiDs@#d>+RobcOZr`$Prdr?uO z$&f$SAFM7op+R`0=(Du&;XF?kWAMkOLej8YR92Aaqq#{#j2%lHQ}VVi6ootJ2X+EQ zSsyX@ocR`QX^4mI6@wCVW+>On@Y+YaY{zweW+%tvhwrjC*L!ispD976^Om9zURf~p z5p(zS1Icln<_=c>#MVsI(sJRX_p%|2Kdv=txMt)~Y9g*DyWXb?VPkA3a;TsPlw3_O zLeZ5t6jq4>1tc7reh)`KR>U?vzYmsoB5b_Ji7r*(TPU2K;E=0aD_l4k7$as-R-imP z1hv^#IHo}!Z;4|&83*P;_JUC{-gEtn&0!lfm^8g5<*F(1ePB$Wt?{+Iz_{6UpiZAW z>*Zuti~CW*77!`^{>Vhd#gppyFZRAWt=vBih3wnNTa)L((P*nSbSpIdRqr{k0*XNV z6#+I^uQ1!*$=MqvTaEq@fr^2PeIYX@b790?Hb1EwIs+7vG+Z0s%80kZjzd1vG5_LQ z__tzTAT2S+4~$Q9&$RhI?T5=;GCe>q7f~T5Rg+F~V2U)GQ^UL0rB)MKDCB%-4|(UP zL*uw9(~rAhh$wNEXK1(hD41eCYGW4IBlu-6{CWtK0^U$5_%hzkU=^Bca9(1r5%qEr z6EYrEfJeqD^Ht*MJgp^G3$-N>u4Ro>`(Paylq<-m+YC&tR$Yo06Iiy7ZIuRMenmgo zso(4?8>s?}rcN~sMCO{2%fP$eO((`jv-8(=AGkLG)l1SWk@V_G(>V9sua!v+ec>I? zI;t=9mJNH`=UsXgVx=)ZZSO1KN#3j2;I8K%<3l0&37ke%rItoP*5a^C`@)-E^JcTn zg^S6Inq+dst`sgImskINmz?*Z{ZH3V(=eaZ%&3u@WN&+pTvZ}UE8r*=zpHEpD&;)$ z;}IE(x=jaxx$=~p6d0y6+O}MHy{d*L#PR>8eDfklm9&syC^|Ue@n;WhU(Dn{?07%I)E%o=Wz*@VEQGbX$yye#@dO34{dSGz(0odNee8Yw zj&nFspSiy|XsSIuXAW!kdXQYz@~&336s(w%0xECJk3mZus7rpT(G$zr>gqzCh;cYP ziYUZPDrn-J&k3vaiwJkbDOytbyMq~&4Nd)as~}ldUaGKVq2FG#2`snMpH|PNhSLTV zx+0xF(nEDjHvvIQf99bJtMUd(FAOyNNov||F%eEOHY7Zp;t2YK4+cn;4(u6+vqVg4 zfj$Z%gz=L5%J0-GIk54@Rgo2qQMSh^2yGG^UKED;Tl&Cx56E!kaO*GY3ms|k%OpFb zSWpJP)4a_eU+R5m4~9T@TmyC}LG)|4a3$@SyMhBdZwus3KF;(RklgAv3lpv`16$M` zICs;~ZX8?~C)Dv?BwUFYi3kHO+PjL8p-ZOQU>hG9LZCn>u7zbU&owjLb#e6Ol2E=1 z*?~{eRihnIN)590ONrrrAi_Yl~NZ(0s-1IJe#C`&)7r ze?QGF$&Z2PC}i=#Q)E{M+*8&naQ+e0wfT)6;S2$W9XzsIc?#X~jH7}<_AV=`Dx-s<7_5VdiWc;Vd8|ShBl)_r$>sZR8^5?lucg4_JF3 zefjan>Ccdmv)#1qSqgSmM-$q}X|R1~h{co6yPrhA{V20ef7Y%h7U%I5ua|v*(B0Kc zm5@5Zz(gc{8yH5%BH4a9%5dNDNDg)*04pv6cD+2X-m;V!yfH86_OuB&4s^rEmjShWCm(QyvZAJ2B_k zd<#BgDd29l$WWT`o|`X4eF1WnN9avQ&%bwe$efEBeg0}W2~4O6zwrkSk)ICNzC!6Q zXjFM>pTb|ht954^Tx;d+lBr04kWm)8WzPiGC*k|2<{D9sY>`fKyCBP1@74FDc{y#b zkoRBhk5AJ(MUKmuI5ORgQRMWt@IrpSV^8UJ`nz-Ra-b{)bfll9Kt33Ni8I z)8B&pa#wG%`tj;WoW&Tud?bW+)HQGxu|QV;KF!cU4D?oQh04w3GN0%GTi|0>m?*$z zg??nrjfhqJzT3sdBOGU#&A1g7%h#xBpQtOxg(ob&7i?-GG0x-|Q@e2jCAqz$pQ#!( z$0;ZU{CqM|_Qgdh1ab?YK=8C+!Sob7@%YOgij0)&%qZb%rk;S~`4<11)C-L=6tb=1RreHOkEh!$0VI6 z^W_845w#0Jc;c4|y8v7_>DCUJJ^&|%N4^B-G}y-q$`};1e1wGbk_{hrR5CAO3B^Zl zUKl~3d7-4|Cd*hJFW&?GvwP-Ro>bL<>v1J>(>3MnhzwP`_^n?lKsC!Y+8ljt3vxfT z=0iVG{!}=P7|+2rPl7Ky?AlGx8 zIOJ7qZXaN>&^$L%{PKwAk)et8yA(+Cwrm7N+BSY((^AkaPJfK5xmF+Qr3FxNquaKW zg%P6lFv<6vxjZ$AQ}ijDfxCs^-B(+pX`e%>YBQ$y13-^*TOJ(~0tx+lGTVnnM5lI_Dbt;1zp4#tL~qgkWDwp(R9SLO*J!+M;H6>e@&PF zwt4yAA9A4>88$(U>%IK{Vk@s&e>VFnOSt{&dLSrh98vK90dv_U87W?Ywy!tq;0k7BjQY8n3gA{`}FyRg7 zjzy#=9m(_QIO9YA=l=j7#>&L!zV*xv2vS+495@=iPk!5Mj+fxx6e8qMR;}|!#)`ms zS!BvWd^RSQ_Q!zI0_focQ_J}InAxcTIA8@Z?S`%l#r&O;19?+lDh9A)WgiXH%>Cob z4@z5N?VezDeI)9y};*d+>M14&>K?tl2?2y_6S{>UMjB zTxlW8Wl*aY+VW6$$_jEC>MoA}3f4F6=X|Z7z$E1^|J1dUjh)|NCG$)H@$f( zXu>_p1rd81Imo1kKXiw~d$$v=P;44O3-BR?|4}UUJEzzBcu2=sTOrGzm>VR z4xSG9;9(9lq{zNKJ~=L6tENy!%FR~lxmCL5xDt(hApoNlAwA?7>E@XwR1erVhy#%= zrNu|gX#aA7jQ{aNZWHnPKB!&k&Un@|H7&5!KV)RUK!#WX2wS<06;f%E0p`q7KXLGY z*H5vZ-XjCt#eN&bi^GkARX`&s{ikz*gD?>EiPZ)`;rAYjZ3!fFE_x|O><uW#}{E!lrQ#D9GEKr6;! zWJpNG6K`XI+?VP9$Ho0`*Wo`e`=7s&{lYw~XggdA=Q>#aTRqMH$Got!PeEY8OcVX>o8i?n@YwE+bH*aiI}>1bfphpMAwLF+i-xqNATzae`hL&WS3)e_ zC~7b5GJ&W1mFdZ$&l2!LXd{G*@)*o58i?_HMLfpHNi z=f{8&)Cdu(JGn>7vvvy9HWU8W2X7-PKRo|Z3UVB(R$j9zfM-J*jY`+Rf$A4F|SOVub7)Y)Jq@wm}wN$*Y0nune@WiZNr1ylP3jsC`6wh7X%m99G z*|n88{p$tPT2MCBH<$uT%mmUvdNej7j-7ke0?KB(VaTM@x(o8s{`z8bkQ1UM0&>Yx zz92~{JS~^|y8bWSB*83hlcK9vqUR6#B~O7Wxa52TywMwD@5^*FrF0kR8o_7G1;r4j zo-mKt~<7e;B10QVe||O2H)K)kSL;uY%bu(T}};6gWhM;&{iwxL_7!cSr1|U zto#B1!|AAUS3eZ808c|7FhpG^=11s=A7b5V=!`vTe-X`7B-Q<$?4K+EazMO;Rt%5) z8axO0^S_5FR1xEIJ+sd8e=hKWtIPqxl9`3`eo7wA*b9tD$i6AK*ms{n1LuxFINvcy z_L%^IPBY|a(3{IOne5M(zf5jkT@D-~qm(uFMt39&-_9#A8yn-iY={S6H}b1W!OGhc>+CCC5M}pX*6-v=p z@LlWy?ajuOgr>e4^ulTgpGxS3VmDyRD%_g+be0XUcn%@t2gu;bucDhiTX4h74Ijti zGokxl%^+wzepUY?foOn|%UJ!AjJk3KL8$_{5Srpi3)mCXk69tfc&VLN$kdm9cKIc! z-j{1|3qEwk(oh(n_KarDCZ^og0YjcRP$LHA#OkBT^>~R6r%yToiFtAeis1clY!j<$ zokOn&Wj@l5nix)EXcU!5Tqjxc!-^{5*5cAVb2;i+nk0fI-lbi;SzqJ9pe>f0mq>rb^p%AA$9n%H zj?XutIM2TfSXke;A*j~vAsfE{2DkM7^UqIJ!P2%;=CILvm*$eSqGnKh6HsZ= z+73wqu><+dyNW^2Tojw2JOz+=mY_HOtpTWV)|CG_jQ_kjP<+%3Mn`;^qCaMvf4gO* zVXZ`dyTQudS2tJlH%Raw7gXH~@E}PAjej~#Afd1&NUeO-%kcUrns%H%?i#g}Y#@-Vq9PC_;-hl0LCItE$DBO|2dmV0_Nl3 z7!clQZ-X1DK`Hex7aOBUE&UEjb0-WVwj3!3$dK}``wS+cY-y6T0YEwaVElR!bD~Ki zJ|OBfZ-3H%J#p|-2gIW2&kIw#{w{~yC(f=Y-XAw+DY3*r* z%!kRbt)Mf$Nh$_X=(;tDZgZdoA`gWSlAcDUgywc!uBX97ATbpQLo5dW@H2Iouy+T6 z$ZH{BVi=M8>m_12NVdCLCI^qUKjgozaaa<=?|kfSDc6SvdAVH+z+^kXH3|BH^j2N1 zinM4U;RzjEV3K{;e0^@q9`iq@rtPp+pvn4Gg+EZv$~?@CvD%+raD9E!q8}Z8+y?fi zPp@2w1M`U+fX#IrK=D>A{K454`@-z+W|#d(xhsOEKdXq@ zj=(nFr4~%_Trk%RU}@Q}^vqnwc3~3rxdJVQr+}kKCb-z@%0Or|8wet&1dae_NHH_9 zkEh;f(Wl^tY0@>YeP~5e{(&;W?;Niqh0clvJqs` zX*Gj;@!|vJ<-yyVryx7Z%e4wDLw#j)P2Ou?y^@K}QQ&7lKdR(OL@iise~w}*ZQg|s zQUGLxOj`r$9_%HF?7WT#djp^G_<~r~^KO~zJdlkeRtqQxN)WZrt{cn+7#9btQXn^h zxlVyWPqwznAfNXFaF>{Q6aaR@fBY>Hy*bxVivc)O;kYe8+^m}CAINDk>VKQVyx*bQ z(|Fqc7PZE3r5SffNdr=Bo-wu{TQO0b-Mz(J-FbNh7>HU(gtXw0q1VPc+k3w~S}vYD z`M{%rw?hjwN4+$tp&kW` z#(3#mmhzerB2&q)QzL*AxGBAchR6M6N@9S;eAiy5?7;Q_*JI>>0M;rjA2dZ29AHBq z;u{F6trFBa{1mO%cUEs@M>;g0S-t-}we|yuDYE#MK7l<xscco>}Fbj+onfPUqB$ z>Yn&eWbPL*6Og5!h17ALHGKf%UP~s>Ll_c$gri`H#LX4pXr$l7qUSvguBJ%awh9mLPNf+fG_2aOdza zg@p8JS4di!8*>c2LVqNN)nRmJ>H>Rb6*ME%jJ#X>>(d>X?)Qe|_8_6dK*qme5qVM% z*0wS*w@GDuksxx}HTC1cu`i!SgBA03Z3%)YvFX9&Q+KcalC2{$HE#I`Tac4HB9V6R z)X2DlGW-~_W3&ZMM)9ls4;&Zb+-|K-*5YEJrAbcSqLe{q``&xH&}S^7%kYe_AKgx1 z4ED(G(@Lsd%*_rr-btFVmx@_jkmCflGv)n1xp278!OSq2MX^JAX(r`9D7MzQ%3s_; zZfKVW%8oh*n2q^egykuOlDn;H%GKl@nA2X^+awn>0H&$~o1YGGbVY8%JHiN}5fQb& z)mOw?>dt~_c8GtS2tq*mVzwhMkHZ^pf$e6nbz?ooENp#e)Mp+W*_SH~SnFx~IP~8d z6ya3Zb&LB*6mE-C|sGCia)sF`D;%H8CpKG%K|`VxH??G}aX>F6UE zFZjK?mVbb!jzH+vas!s1<;6p(Q3N>vYI?H1{#9mcVCFd_!a5H<0L8a-4;cpUZ?NbW zH&{D0dY=KTF~4z-r$ zuGas_veg!vrE)s@Am+c;=06S<*bikLU4>&0yQ~!*pXm#hwaGN)K?GVLyWQVRGM9?Q z;*r3*ZwijIR;ziTEZKq(SuTNCa#GjP5YqyY1d@Xk$&h9CrFHe1&dY5quY>A*qLiT1 zNt&`0FwVy`ayFX587#Z;D9=IB*1X&f2pKdQmgi4v101cW6dw*}?vR;6Pn9nwgKWrr zIa0obkt3Y;$FKmD%yc>Atak+KD_O-GP62-sIa~c=Xj^Z;kGcT_yDlG7U+vY-&D-lk zc6OPjHu_pjI8Ku0Xp8jn;i@%S(&)sU4@7U(-AiuHO&jtMFY$HBT}k-B@^rWvZH?zc!*QAe zxovsd-^D#Ag`uiJqvT{bjkac1?={@7d>r~2J}R5=6|Z*;DT>>4R#{f`J}D!)Pp75B{1fPRJlFSwrZl z1fAr+0PRxzc7ZY;Yo5YLrx$}(?U+ca_13V1H3Kb=2>+XS~~omgO!$TOc(eOB##w;55O;G zP;3JW-L+I-_k7{V9{^7<<7_gm<=*)#SLVL$=D|9yBFv2!zlO?BqCOc3sKj|2T%PAl z)?jg-^w3N{y7!{lY%UV9ZzM-^JTXgAggLA;`{f(O4J7wdzPi=R)mTrFRSb8}Q*v9T zexmKeE?*?SEKxnr*#wB7DdV3>oGWuxMtl`=n*sY@Ulqzfsx<$-G%rWUj@ePk&r+#r zD|}Jp!5|T$OUW(4%D}U^TQc$yap>6@ZdHxMIlf^VOSp9Mrpj15Y%@_l>=bQC!6!hk zcsvY4=fTnrR=v|QTv$jnnJmbgL^>a$aPc_eSOWUn0OZFsiZrSluQFsjb~2>PkdeoM zpn;5i^pcz9W54%2}7NCeFsScO;``@;>(3Fk(%&Ey7&oKc~wvWr(gvN{5iBBuxmL^1L+_V9kSKS96_^qL*C>L z_4sSFTU%5B>mOt{9vLLr&G|pbZc_h6b_+rSWVgc57eQ+aOlK=pSdh<1L}ouX((P0{ zKQv05nW`lbLkF9cL-*s5o1K2lRY980L8QJEt-o_QlcxVA#I3MaPJqu5J|O$cr~+f# z7eK^SEJ`I=?Z14esrD}jEz3T7sq9-DV4^J8r6QZ#b9SqI&<@B+g{*UFMI4OA=Z@aB zW5nIiln+THlaoG0dJ%0TB|95wsFNkc&yJJK>>u4J-*3%Oz7txmlQ{Yy>u+XCgdJ|d@L;~H)1)~IuHi7HmeS5HD*6?b2Sdk{evjei z^buBkZRY*7ocP$bUwi5@ne9yg-8meb(+bJ7rfNRE z4$oyJ907gX>mJgw@&p7v>5={GZiubg5&tNT+z-VYMZDu*7z zaSDuLUu^m`0YnCd z=%7Q6{F=|e@qZi`1}cg)vP(@rPyUW~68#Le%AE6y*4o$Bi_&c^R+$V~Efgj`&TzkK z&+gZ8pB#-XhUE4LkT1gsEX)sk)z4o3ZC(ZSLl+?l$6?rvXyWLtH$fO*zUnzBhX>m0^E zTYF)mVB6!m8pv@l*>YVwO3t8`m~l;$ZqgUT_o&M_MxB^V!LU3$>U*a3Nv#~H){^!| z_w{|HRIm?Z-g*Q)R$X}hQr_%697Dpvm%9VzGFA(%fp0#Ul-nZ-G{rZgkhj@QBu2xX zGgJp5#5V8U>Pq5wn9+~TkzE|<528Scn6mYGvq9>E5WQSby1eg>gKn#BJvUvi#D7^p zAQ&8#<7m2-*h^~aK)aMq?ZVKUV-zi)YJr=!v1 z@^sJrBjI+}Gi#FFge$spjZZf*Zt)e%Z8^bHXCvx=Q`?A;jhhh+{ut!>!dhEV|2^7R zJDwRH! zahq|Da1S0)oe}xh#&e*aN+qE4A@pvevt_OzS*W|Y-?(PZ`o-p)r`INbj@6|KO z1>RuO+P;(Ad_ubOv7%>($~W25@pLlttA<44DzDkKjVoIBCw1d`_K8pq#Hb{ zFq_YvhW>}x24Ap665B?S+0;nhsp?~{4|mVBa#d`}ahDvU=G@zc_; zm#GU8V({$u+YJ!9?Hhi*QHy$}248P>I70FUhS{2;_EI<&|cb@EJZ9;?Sgk7%yBF?zjYIWP>d@RRE^^{qCC3-9(o zg&J(E-`W8e>hI|JHPY`FOlT8 z)n9_j_-y6(UmCXEa~K4->JDJrWnT2*Gi)Z){(1AVCW#NF+bAnkBssmD8nR@9h|1F; zDa)wN^k^{RLd|@Tk~F?CKZZf#iw1i=WZf>fpO1rq<@5A#M%J&)`bh9n=w3iN*6(K? zJwiG&cLggf=RDt9X^cHagPpP^VFwX?Y@WIF(spHU+^SaiKxccq^>9FBbk!bUqtsai z&F9#!6)zra=?##x&T)ERN}Du-GlG3Fh$-enr0_2#HxX^*=Fdf|fXAs(g3fDy=UaqUMvV0QZjDrJ{H5GF?%SJp@FP*gH=6 zG~pz#cGU*dd6HhGefy&0q>`g_Q3X1dlZ&LQ#$(uQEp|caJ65;*`=(c8+OX6jL8_-w zI=9=-+;i(T6h}$eX;RTIWcPFY+PP*xI69pgfh9h7IV)E64<>WPuoc|h0x2Xwa@L%s z1)Mc*&zSWOmXr!v2A}bqC$gUJ#rv1TO=AuySM_L^{y|y8>=!m47&lO6c))d;h;7wj zKT7e^&asGQiM1<>HF1^R%vc8xrz>B?+@9E+xjUfIsRbBv&28Dv2JPz1W;}rZ)%{7| zr`n>8hdCfWp&6z!3pxkf{CPP|OWFuG6CA|IkAMG|EnzoMRp7~!^Xi=FH7|`B5ez!pbdu(gr+%U=3P3!;iNV!ehKJmG= zx-t(@Hxk>tTUWs@dasV2j;_s{p;%xx5->tn6i)IrN zT}V{sGIu^Zyn~<3V%9zI7v55N{A&bO<76m>47v_!uJKS~)b(9WaEQBcm zO=a>y!~bH_aKpsaAoNr_p%lhdIpjOsNhd&uJYSOV{V-+7`*>@ka}sh*>!02zftj{! z4JS&H$Axrcj9Se$ez(2b!vSjMbP+{d{RxqzN*lMmcC~}v z8+W7&ZnS{Mt*%xVA_(H{X%P7o!Wm# zDQ#YB&drt;phZDkq{hGtB>W<0a)wR)ryjk;vUlhc#t^yDp8C`yUsY>Q*vr_#N_FY& z)A>Q$V5^_c-7~2~opN=4fJ#T_-i72Vx*vpKpu`7D?dyu_74`c%=b$X;1-=u6M)TbRd1*gmOEAQbELnidTmim>W z_bYOLx`|eP)l!j>@HbpiMhc9?3D4!krp!o9m>qagU0K|;=W)5p7shF4h?tT+L6zyA zJ-Lot13{*0#lztlPLUqQ<2$BLy@ckBvK5a>nR zx+kKUv@dJ;rass5J5q%ODt;Q)0#7C$4WqFNarO*6v0IQcWaIdio&RGd1YNP_>}B|@ z19WO@^j$O^sml_gQGLcJZ=2`q6?hxFdaE6m-kS*kK`DC$X^;y&`2uIs39>^{5=c6i zG9x#9-#&3Bpl|udY5})LfiGnUDLm5k-GH>dLD&UAo|K%&ngc0e7uD60Y{y)q2Yu?o z9**g%R=H&PqZ=+FZr_!ud4Zh1y@9l%?Dk&Dnw2RmpBb~9$t_`Yo^J+Are*M2cdDAq zz_cv|A4zfZ+D-h%&=kJf`*;quC;LTNph5QblQp?%sFKFou# zp6NF~db6doEBgl@t+bzXxd+eV6Jo^5Q$TF+j#GbsZYwrY4`B6Mo8f>kcW9cO7AawmatlzH0 z&a(XeLd^k+Qn~zpaA|1vh^hNVLx!In&9DmzGdXu4q#HYmNF9DIVL<>+j;xYM z(L*rx(UwcdFxO|7TVz@ORG#{KXT>`WsEk2In0)Vj=D0?(9JklDuM_rsC^H+5TLhQv zWNLnB<0WXK7irR1H=&{NiKVzfS7(#!J;MxfNd%V=$6z65HFU#+o)NB^r>{{yVcXe% z{>|~J-_mH-2T}{3q!U^uqTYLz()dBibttQ#FPIO+5o?F>H$eP?j83O(mWS(#;=DRm zHroM6#5L_8($!~R@eAJHo~(RJvIE)(&X?Q2{}pj&0Q!fsMV_^NfXgWRF86Ib@JM}= zOu`yqliX&&LhwC5PiwjS8hJ}+P(`Zd{#YvaGeqa(_-Eh&LoTqxMc)3ouh2x#AF#<3#1U8@)8&_D6QM3gX0j12Nc& zW2tPgp_M?@U<0~rQTNjhWD`J81^Iq-Cjcw3=DbO9uzB&O*X1~^VM&6(TJ5Q$1^nS3gzus^w z12DyY!R1?JIco2kyEmgVT#umApl}lXG{Ze2oWbvzI*gA=-1Tb_jzitK13XpN_)QS@L3XD)6TUrKp_sDX4qO;t${-VGpyVu!nB=?D<$Z z`|M@Vu@T*&S$w~>Q>Qjp6SBDy*ht!%+>rY13-=eOKR{ZA>^nO_v8i>zswce^d(8wh z_n#e(3sCrAl}PH;ndeQb-98?X#&g#1Lh zago4PiwU#EPzr$dtW7xwZS*@!2Xf+QuZ#v$IQ<)$NA8(B2!!%sd)Yd-pSXW#Fjuvy@_-hgz&Fyn~2nD{}C<0-7Icsog8B$9mJ;$*` z%ltNasip_0kR;p_*62Y79CK_t&%{P+0EtxN5MaK3ZiLIrrUh1s%FK!gshb zP1)5RyOAb7t7tyov;lPzH(gC!)A1A)g2NmR3_~^hVQx?(Fl@ED$U{po`x?fOlTeuxXAAJ$)EN+%)^2&Mw25I09~Y5 zq+DnL?Hky?S2$Hm#yWr&Bs8AH>N^n7t-yl*z>L`XoI$7!w@~&OxIcUg!q6{%yZilx(&rDkz%+L9 zy#P+fRMjz#>8(0_{7-pQ?Na@?$OhlY4xngi104e#q)cag26}^(M*EmcAo}>!(?0?{ z+VqLOADn%xhD_O-Qq>!jC~a0^h2clQ%UuhR@-C>RUUzP_s8`P`Vg+?4Yj#!F4!d{i z+80rcDRB)7Vfb3eXyEK}ozGZ=wCm$ESS_MYtg)DPD$Y{(w>m%y9s47c1K{nB4mrzH z#F$}SsJ8|hNqEz{FL_6v0CVbbu0qSY?A*g9WZmm0RPympELjQp|Ai$x12N$zrn(;iqqj^S*dwhi~jAsmQ zf`DQYnWwVa4yNZAR#`DEC#NAUzI%n7?3}J>c^pu8xJm|R{aZJ-db^!GSUsB3aueB{ ze6{4l6K^10aKq)7PZRm>6igELI7FH2eVJwU$hBQyAfvpz0VA!mX~wU)sSaz&O5Kh3r1L&63RfZRdU z4Zz^U4BEeMAanjgCVsUU4NY2!U(oWoeqdiad*v5NjTDkyQD4 zhq;xbr9kq`T99{|+~@2JL-`$J6z}sdA!brIsDhdDb6h|B#4>jbKOVf3pb7-$W z+gsBQws>!X$AGR(LihBJb0HsfdoP=qBN5#J^-2v8YuO-SmPlPM7@oT8BAOE0f}yIM z!iyip;HHT-3bJu!OiOnjV^2pXo0AzC%k3cdSgzTpHB#Jjv=Z6;Bg3E^1|GWG6$J`$!m-`e|?NfTty#W}10W8Dd(_I#L%jQFtw6E6_uTP%5;B@goPTZPMxhwRz5C||kaE|G07WLrj zo;Zrrp2A~v%#zznnl=$At4FIVeKI`w8P4`WhzLk=dgEmKdtL{wU1Nmz@kC21ANJPl zA<)N4@5{3UsXxfMDp#u?#|=hrkW@al9p)q1CtQ((7MmsyxX>RENXX3c)T%C3;aquf zr0`pb*ygqUqTL`7jP%)ee0YNg_Gk@^Mb1~vOeg+Yu1!mInuZ^Fbz@NMe%u3zaa?Y{=px8B*16SRFs*cx{&O z7wr=!$lD!3FP_;|f2FPaxDR$46j`U9UO<96myjyY$rxnVca)KvMBR_%E=!g{Y>cgg zxUGkL)OtG}Li79XT!sp#f#S@!ZyKvhlB796xuFx%Fo(orSdnXH5X5a2K<4X>=c06m-y*6i+ zGt`BrJ8wsI=e2>7+9XFeogqDZ$Q`Q@uP3CrH(ezy%|0yM7U5h+sY zr8x6_bQCbi{9Wn$`Wy#4gpZU_;R)A!U}1JvE6v~h=nLnhEwNksB*KDcQ(qgn+(LIb zsvTu_(JU_e#1L2M>?au=BF4=fl5J{5MWJT58I#fQjyNCw!hC7Tg+gpTAocMl6G~9V zICC6rU|;)c;AtM`1uPb)rr3nRyE|a+1VAgtd|fEu5$nqUS=@^)+0zH#K7IpgTC(Vy zvA5TP%GiINH{u5_}813xE8PGx&9|$RRfNtG zgI4r$;%e)P%PenbIJox;#C=5|8D0@tymNoDoN5*0T$T0Jn>&ddHv!9I-7(kfogR28 zJ|V@NEyezudJ3kYx&b4}sT1Wdq|n^Gc(#vcLd&?DFyS zKd5B%w9Lvp>|pf1;=_7HD~RKa%|sN&*qN*}+>9gOAxuCgK7M@b(*ew}kc>4{kE#3# z9+;ET#DG{833v=)qXU24B$+9d*D+LEBxvb zgkubXE!cayLL`nX4BhEJaAc@iAT32Zi4@MNI$$SU0JdXpYEuJ##;Hg>wd?=G*?Wh> z*{*Hhh%V843n7R)+UTN-=#e0ZPIN)^-lGe`=v_pK5;b~>-lLA_H9Dh2OTKgN^{lnN zXWh@UZSVVT+x(H+jWILVb)Lt09Q*#;BRdNt{z8)R0G%$YYN_YMv??KaBiOL%lIsD! z7nxt+jE^B5&uMR}AeR5>57=9a&6}X3q7(jE-u%QVZu&G&e$RItrq`PvzbbY8P&hd-;CV*#1u)tEqpt}%rsCtQdkO}Q?%TVCRJE@uK+B7L+r8KTN zyD!7flYeT8hePxv>NT7a;VjtPQ(kYFYME9v23aBD&Xv+E1Z#UIz7AGs$OCV1jsHqr zv$#g0Ub&COtjP(=6);$q_9uPnw*}`eZRcP|Abi6i?hGMs1As8?j&+T4OIMZ4@~gO* zU&wa3$szD)sEEUQb0>k+a;y6>Fm8MxZFYHpJqo0CMSy9>M|5SxQ&aV1zW^DOE5toC zPYbm3Bm9#Xp625K1WoU&-?#Sr`fxPTZ~y^p3!)p#^W_)G&6Bfu-;=;pK(WY83liWi z?!5k_wgZz!_$I^yVCRb%Ahslnnp|ikA?*!>pCu1~dwrAKT&@aOwtxY4u72Cgc=-1W3`M$6FE!%ITW#wu;QQdUh zq{j;hI_zXD4i}7%t4sz|F}e&zu$o)foLiAGdWARQ?|A~9G098}MBfvTuZ3%SZ-!VI z^iSa^7EihQ6NI|hxS32A=5RxlV;g8qzk{DI^4T1B3bX<4`l|f8f@=WAQvWgEej{&~ zN6l}kqCA~XR8$ATGiEI)%Yu!MI}{09yY;4v0POw|Hme)vfURRs_zSV}dpsc_l=!|MgW2QVj z?ES)Y{RCW@Cnr1ah?ttuNS?1+Xm8g)-PE-YV+#<*eM zm6BzIN|~_ZQWr2hj|dikouZorhd2J%fk5_M6?u?0?sfbfi!}+UuKV~O z1A`guPLTank4%5sb8s;59KYr#Fg_rs0k)t^(2V<>Qw3VuhPa!lIo2fMeq&!vQ;bR# zo@r@w{E>avM}GRPh$-Y9BQp-8_;R$WCG8@J13joJVYYwT^FR;PO6ZrvkuR#dmHt=2 z05ro&AH%N)U1+^WuUPTp#-|y|u+a_)iQ7@}(ed94!D*o~npm*$pt>|*G}7izfa8@A zJaxwEm`HMTvuI z&(Sac*a~vEq@MJ$LRt>K?y^5(n0@lnvmjK8coY4+FbLSgC9WiSr%h<(GRLx;frNRd zFy;4s?=4g}d8gLfT(%dFB8^i5$h>1BA67lIF_o2P($olk7g;55hG8a@ryw7Lp+7n6 z9o2%tIja%z&`smH+$|IJnU9Mj-}SKg>$=P@Op^~0_HL=S;^O=Rfi1=1lFU1UAdp^SJALku2rq4- zyLM%&n9pot>(C#E^wpo$rb@b2Ups1%^?2E!!*A1fW2?V__r|O1$Tnluf}0lgJZUWk%?yUl{@%ajiB< zg6P;pFsFE)&($N+O#)Z0vf=pm2Jo)ngzVDUvu@k6;8{MOKiX>8u0n;2cxPaL8J!&q zP&KytbF9XI9_&>4%271cE&yvOTOzF8UBu&P*%&d4Nn=Nt6i8v{AuVlu1y0}AQutpU z;?z;@N*5EFIYg&|C4f4*TtjFUKj_g*=#ROJO{eIpML>*e*7Uvl`EkV4=cDEl)0Kgn zZ`g0_O*DwQDeaC-vyRn<%tGWP>gk^x-scW|9UhMy%4}9ScP>CT?(S7)>#yCwQ&1#txgR@s3u47mGeN41)`=R4`#2ewb#+qU`0(-2@ z2fQ;5vkVp^Lf`AW9V!M@m^$g0>w<0{P)t$q5y#5}`IPcMg)J?*I3P*;sC zg|5Q4tQI5GNuKTp7$d4td%fpnw^H3YV=g3V%Y57d(bdZELgV986Z7*d3sp4z-URMK z+sK)M;OoSU>DK2u)E-8X7ho3>N;_Ow`*{Fyo#!{qyWN-4gU*I$-FPiUz5#A%68uFp%KU;zBeo;88uW6cPXI*Jp(JObUG4`nLd(hm7 zYx(6=D=j_6`wNKksC1S^kDSq4I?IW1JY9S(EzGmd6r73YZSc3cb~LX~c>LGkw&FSK zT!(QdyBMEwTkG{+(ci{2)O@ew(A#w~7m%-?vp7c_WoRBg%bJm)f3NZ;w~Q~?t$ieY z8k;`7qKskv1NRMmNky%ALI&+xu~>#^SAKhSm5D|xDL-ce)h_kz+>riihErfpF}OQ-cL z3`+81-4QNouqk3~7l2-iqVei7Zr6ySpU!iplh$>EZli%n&GDp6WNEwC%A|F2jyrF^ z@7etUKI?1W(cIeH7pI#wX}^pYAC@QDyTiZoaQjVioFk^Z%7l1&9+DUidONU0|MJHw zhe9h6JX^~(J!03+s=b~msSTbaLmQU^aT!a95A$`9k?A1M#VsrnNIb2bHque8dRX5F z0MIxtCGrgod=~tX>B=0{fcAH5x|ErzcujezkGIkD;Cp&AM|I1WwI`xI!fa7dHXm&= z?~Ek4O;>tp*)i$ggCKYs}r;=X!%IiX|lyD5Mt>BA@c(%78Z>UA-11bjkFem>Bh(6Ve1-x zxht|ZQBS{)8dRL=3tntp;tk`BRi}gpLpiJ@5~%GadR~?O)Hn)JdNwIr`&D71W%>qw z@c}4K2cvIkEoj%~&uYsdSaZ?%)Dk(;q7~5Z;!Fa45?~IQ3V&!77LfeaYo|i|ie{6_ zr){kI9*OB$L*D!z-?gV#2YkHp1wo3!hg7eVALNHzUw?;UvbR*Gi+!bWXkdJiQM_AY zTv}55IG&vdb09Qeks$@%Tu4r;iL7N!zskqn13VKFD_!NG5d46ufXVoz&DOlmc21s} z&LXF=nh!ISP*ty&oyI;W_VG&i)QH@U(m8=d)(x>iS1Uf*$9MPN>V-FkfC2l1vCXXW ztU5yO!$zw90=XP`$Y6KI|BI@=fOl%R4ri9d82O)J93{q#_tGlHP48^7Q<|zdqt@-cO$dzdYs;J zjCWWwA{K*YzTchcmQVb|OpI!=HQ9Y}zrnZHGnuNJCtLN(*RyzocCl^x`Nj`i{+ia4 z19Y1lEXzIy3$3my zGzOwjK_#S&Nv$sp3?u@Mz>@hSKiZET{@88@c@DXQuq~eVy%k$$jlk(l(zIN!&t@^| z)7PWW3Hws?uxqgS`ef41zHW$VNH5>W4S2M$EJ*FGpWm|0b5f=3hvW2t&c1N<4dWh& z1o@1NIBGxr>|5b$5Qox0r=I2>dQ?qUxAw&4Ram%DGK~>TV9V#m;_^IHiKLz<+I$+A zK6744`7;dU-l(JrJgUukGH!M!`qB7Ov@_c-;XnY@4?xin>sUw3Q$(%DzSTIW>Oi>- zC>Et%sS&&zDj6dXn)y7|$&m_w)2HhF9kV>Pa9(0)7&kERYDzb6ZCv-Si6uIDk*GQG z?TB@IcQ#k}^Q&4WR)0dI$%5$cn18?!r! z{+HY*9&LR1KZUGcUxpqD_V78mu>8WT)TBu-_CDQSkvkleo%k~7ZSL`sXW+;UGm`ps zR|XV)FMl&^PkfmYkwCcj9e%Y@SahUZRLwQOpGc`_(u%V$+G=EEBzTZXzObYV#_hq4 zGBB}=jp536!SZin+f2Q__gTdKz?`#VS*)YkE2--ujpd>kZyGGi60tC;WYxmeOY&!^h=KUonY~0os1ZSP(|;(918D zk2vGc50@T~JqT0^vvh{j8dXXK^h>XkHF@ahnuHpkd|V9GvY%D}!RIfeAx^->hife@ zMMPpSYb_3}&m}nXmZoMWXeL6~eapT!iDkHYFCi;okFn4Dm0r6T>HnVE{D!t7*KA~8 z$LjHM?6d~tD`|5v_c#SG9D($mP6k~{C^bD1k6Se8AzycxZtB^VlX0Q}jhNV7qg_-1 z(&bDU{RLnpCsV0e6_dX-0%)PTtUA`Y5{uF8q{c>go{#(pt}^so;%KWLY&eAj$owN6sZtGJHd2iq=(iR!8(9H zfHN>?Q(8Vvd^3z#zl{i95hG9 z9r7I%m+o|C1FnKIWTeN3@uv1GfL}8HD#{VO0tZ{1kW1bR{M<9`%Pbq;^MdQKnXWL; zAyirEJLo~YORXS20Bhf7;D|*MIOe2N^E6;=7a_-zcCo{o`29@ zB|Yzz?L$q>fcn2Y0ymk*vN}_SFHK<_|Me|>PmK?LG$IjVE)FyjUIL*!bPrDdTWKRT z&x-ub{=Ggj|I4ohPZzk!Fjgf}-C^*rADvW2=}Z9)&^nS~kZnrqpR@%IAJ4`1YqTae zzK+IG@hbq$U*3TSCF;M+C^;fwFtC^eO*9JE#?J@{GQq6Cb8*l56``lgCv;&b8<`LZ z2do{8s=xu$_r()-2+?Dc&JdYZ%Yy$rP5kqGfxrxmg`-H zw{}adx6Q`|K2QJaTdZW!4SmmEAd`pWB*#H}>SIqV9gSxu#lN2UAOC=3f+vIbc&}^y z>plPbKWbQze3Idd9)rYxtbwBvuTl~Pj1 zzz!37_FB~apiK1bw$udkm^1hQtQvKC?s{XF0eum!HcjLk`Pks7KAtt^|K;^rNdml@ zU8{R1?R%*Qfo}V75tHKn=?-ZEoFNi)bBTcPMZicvD~ADtpaw{W9_%&&6MG%d%pQD8 zaOWR?@l8rVg&GSDxWrCykYOXZ{uaWQ3(Edfp2pP7#@N3G?)PGb;rq{{1%fkReQ578 z|KHz*e|)7z6K$UzUOWDJ&FsBY`op8!i=|SqXoZc=J8TMnlcZjNNqFr(zAl*t@^+lb}`e`b=rF(44dLhAq=wm6oq zvA34YOczO%s)p1UyT7A8d*tMcTCVqgk0S=)GBvt*W2oMWDsbz|W z`q9S+Ft_tDMbxw|eV!lwehOsZv?nR(PaiVuQZg?#y1YhSjeS0EBzcHci}2iDwfh;e zyuGXPw@qZs7;XQw)26w`G?*Xu&{O4Y0g*xjGMxjomaFB4E0JrW25umjAh6&X-lKu4 zAj6jm*TW;ghwz+)?Q0t^2)!3{TJ7EmDd$JxVS;j4=x|7tmO-Y}GjMVW1r#l4Vkm!9RP8YOi z9k(6VJN|+{0oMiu4>=b2x}Kmc^Oztl9A)4SQ2x z>;Y52UqEuDzrPIHc3R-XtPk4!ut&#Yaprc370#2a9ECFFcXVM!Bf8SjS39YoKA3BS^ z)aD!0dr2Gs-2?M-*;lSpFLpjR9YjXccFuy4=Cg2mFDqs29A7XU82N(4n#H!g&jL^0 zp=5ZK8Fea<)b76IyH)U*XIk}S{{2$&onj2}6Yq42C2PFqqN0HZgDP4ru|uhi!0Rvt z=1Hq$Uu&2W59eBY%!vD<+J7{5H?Cl{0NXG3ecVtXo>Lr+Dr>#_#p1c7RP)xX5j+4MA1G7K}-~|mN3t%2@e1UU} z{?Ell>HuA@uCguVZ>ce(0~fRfLg#x zBj<9S)hFVJlEeYTHU<*1OuKIXw@>Y_^&>4&Dt#gVC_a_hv*lempJu)3#2LQCq>ks< zWAFzv?5-qaz%o4|03A+^3abqg;aFoR_&$VR6jSI8C^nP8slcNC-H0$yn}Z+2#JGkR zJ@UX&1qP8`8Fd>Q7%x<&xSkaEzX2gU!e>apncsW1ufH=zT}!kqeTul#16KhZHbI0& zw~R*8#{)v%$@5pahg>hE%&=>o`see$eV((Sdft)K?+r|2puc>oxeu?!`%*XYlq0lP zoFVW5wh#C_cPhK^UGfZFh6TycKk**a3n_8~4X&E-&lR66W*L9tKtPUB1#y|ek90k5 zdHgSx-}oFfZiQ`m{Ig{G_r(tASnwniON6n7+JC-ZIeq|5R4J9y;s?&a1U30mc!wZM zF*oO!IH<3VhSxMi55S>=-<)4sii8<|Q};VbgoxpB)o6GOAvf7mbPb-_CE^gdzdnZ? zGHj&UT@8vf8@JzlaY>*jW{YSa4GV72#uRE7cLO|NIM||UTby1&q4}LGX1W8j(B1_ zfYm>9M8xYquap3EYW19-0>-9QfMfR-f3EDr4c(&I*hDfa!PGYuM1f`NfnEWgI{&WsFXVoY+)0v- z0qvj^glH<%I%a2czAb!)L+Jw$V$#h>7sltiNO0~M=p10-UBhUDl#;~hc2JTo0XrJq zi3fB@xU{eWE`f0E(-nZ=V&c=zK5N_(4`CVqO~yi`scdskJew|DlU& z%m%T)W23u3Ey<(1E&}_YysNo_ ztED5g@uhE+C}wBP*CrPAa~m!1H`RUuVWQU91FYW?-sjI@tbJWRj_)lni;Q?j!>;gT z0x1)@L9nxHjPjtLvi#^U>9P2d-*q{OJ)i>6`fJjEe=ScXp9ahC6HN&fe)D*>b4+*UgR1Ge7#xslxL?pfH*e^N%~<0VLedGX5aeq6AE~ zKktaE|GoSah?VNXfbiyef$WZAurWUY0iZ5{#%bME!07)8WQa-a1B_~;szbj(!VQ=t zBz^@IR+lk25LO1cr3qhre0-}UaW<)CLdaQU`b?<*7N`#K-Jrc z_S<3a6#dkNSI|GW>Kub3>lDyGkSo*!;sARyR#Gmw>*Y=I(9m8@AkC&aknslKm=m<) z^93XR9b_!Dy7+O37r3!4$fuATYM@*wGnQc?xh^>3HDs z8Gy}g`n+Z#Jn;vlEA;3gk)=amjVMP#6Ss&%bnU`%N*YdL4|m${5Y#wEi1&C)0Qwpl zfA$#kVcQJgBz=^Y2y~w+R8Hyhpmt)cXwE+XtTS3STTqJk?|=f3|0C(nn~*smpa}|X z1jV5aGADG!6&qrJ44FJTG9QvQ^i(9aNKO^sg-o&{VQ5dRff`B&6jw&u>Y~DH(fpGj zu$l;y-}Q+{o-`Kh$76svMq60`?5l*f$3tKm|hyiJ{7ZF6l9TE1)zR z=D6o?asRHb5+~s`?cy+UUMq4Qkm~q-Nk+E-2Q`){R#*mEO{yh%_=AVTybQh5@o*Fj#z&X_{JvmhUmv6w3Z*E!b9#qG1xA=9{dg5nHe9#s z2?kbwBa_unHIK?oyVCZLRJP6Xh8>cEmdis;qzmp#W;TJQa> zti3=jn8BtgWO_Hku~<7rF+JuA^;T{Ta$o?6MbSctiiMFi%Nj&+RHPeW036&Gq#=we zW3Bz?Pc~7Ps5arzT@Aly&Ef+KP`E;YJ+iX{A|hPX$u z^IPTf-gg0)ODVunm6ybJbmggh29QGBwL6m$NJ&JOl-IzvW1j#bBmKS8)_#gT)@rYJ zB^?yneKuOru!{Sk<~;`5+v02uw`B$c9M#n~u#bV8!p$5%Av2ysyuIiMLP@R+WaK2o zG4Ki%@uWJMNz!K?axdCB_=;1B0U^|Osmf6B&fEX|OZF!KgA)3sum>fuN6n&faYtgc zgAegCqPu9}APFGb%b}u=FZi5V?`E$NP{j~Yp1h}x{+EMB$T<7C4DMT<5&5*ceY_6` zxHdof;3EboU7!;i;|Je1?)yIV;RhJ_vd)a?eHG6ow|VtK%{>>ddLwxr(&qw^ zlm1?-k}iI=%W))ak%c$txeORVql04UTa*2Tz7be+dR?Qow67MM75G0;$D|K%RL6`q0e*F|PIMQ%i ziHrxfjk8z4W>&E^zVz-X%6{gsG>@MghN^4pHk2l{uQWT{FZOn?mfi@|rxA7oZ2Z;q zlQfR(dN7G8{vC|D?$>?%Ql)isUR9!GqXpFkwZG(6<+6ucjd&Kd$40A1FJo)_kNSjd zTXHbaOD3l9E@~B0=6zeYQnpTItcp(8b=N?3t0qW3)=5M*>FuP3mmxxX0kDY!8!1Ky z8Hs?;W)Jvm(NXY5?e1A5pDn^moGt1cVb!6iUi>GEJ)ud7)J#_Fv1YHHRaFVWXF>Kf zE8N>D>K~;iu)04RgOsrO(FhT&Y-RpMc^K!2P+P7LyYOWd!ZLQ;XhO#BQ^G{&Q?eTU z&BbD)X!~`T3|OMSKt03(K11!ET?l8+e=EvH*16;#5clGZL20 z>qK$JF^`{a4_^~Nc<3SW5Psv_UDk|zTRzXzS{)4?pFMG{pkv*<9lIaxLfJKUAxF2? z)FDLfN@r#gy}M@c-a^6AM@?d+E?e66Hg?cCcgEbPe?$kqrq^TYIkL4ebs!(u;~|2F z=i_bt>gBC?`E2|3UCLmgL>d4)OH?n1b)-vhW$cF}9x6IUpDy+${`=VV&x2SDV|@04 znFQL5YA3g%tp87Qh$l&Gl5{xhce< z2e*{2hkLc+qQ(h^)llHMg13;j0eOy+k~%I%)9zYlzwMX;>b-kP_-WpiUGz<{iL`DK zvM$6mFAH2}AGHDt7giC~_r>6aO*TA9do(_LE0Vy}WCbxR&ERAzeLQJ{tV%7av&_jW zVs~}TnaC0EAKoEFI!mAJ5oKd2G+W>c25|XTrM37peCF>GA0~YROtT>oiVbALBJ)s{ zXN27fVwEJ@)C!v1#j^M!%v$8D1H=!~L|tuiOqkSY!ZR5L4%Ec&Z||9pEhTgqTN*Qt8Uoq51L1JRNp8a=eD7%S}M5^Lgb^4i3RSlh**_e z?K}FXlMXdzy-w$99K2X%&RBlGj{?WcwrmNp(p%-LnYdQT8yNZn;N1jQB1+Wnqd58X zgkM;4e7J8`3!vlZ+B(k`G&FLmH!X1o{ABY&S@f+QR!k`kvRkiqG~X9s`gqBmu-fGw z?8rG_!cDh!#inDP8i=W2b)q6R5<9>&`kE>Jb<>tI6@s@?FL658*9g#!(MUFwE^3}W z=J_dd(#(C0r>Q+XwiWAw)OP-`Fl72$&z>z+syE>~UP3ybMWl|d9f*?0RvD8R*5NqiEqrswMd;OiPxA?e=&D#n zeU65T9Re)_`jWTeymk5$`Guf5{sBN>YE<|@RdZPdnVe({>N z^%s*9QkIi~?`fNK9p!+K%?r_b)YUH6qM6n@ z+1dvrIRDg>K`M$DD@1?Kk!$qzQyPkaAg&xNR4Z71#W!nvgAsepC9W$Q7zwDz3Iml4 zNBllg_L>;PNM3?*dEuB)wNO^BB$DY)=d#Clf3}--i$i0}BsxMec^X1nvr=uuz7}x; zwDQUa&Noyau$DYwcD1k4S{vzFU&I~X>k{DEtkfVdH3&MK7WUzv%^+bV)OnlA>)FAx zDF|__2BkGSEcamU%f~ccGX;pYqG$cQ-O%IZ>n`!ow_vv!05#*NPQ@S4St^D11vq7r zvYnhERN)?qFX?tTV0Y^2b{tMCG!=k9C{&7L$z`K3&<@`Wa5$A$^0kRD3h- zyGAmk0}mS6rpZ5ieGxjYp8xj+#_9o@*O*SpfhvqO>=S8B`(?28N^!GQU`eDQ!@W*h zlfZy$$heq^sOZa(uudi=Bv0+@UO`E&h%?iaGPjF&@=+Mn4$E#kYH36!ko2`yUUW z44GURB+X@;#flUSgz!ytH3^Qs_B$(R;juYv6d%6L;ZE3GH|bHpd*Stc8t=^u7UB-x z(!n*V$blwKjuUSMI*UabKNIIcZpDe4heQ5Pb)GL;i1uV-Ig+H@rn}RHLBCl>tpO3r zoRT)3Kj3b?xY&+ZDtTj(8NX?Ge0Q5^TfVA~Gv{Ce%_flQtXN7iaZ2x3%LzcKzF0ux zPb>anm;7?rBkc(gYQq}V9S!Z>fnp=|wprXW<)!7A!|cW|ZNA?mUdPE4mS0P|{nR4C3TUgI_LXWE^Mnr)h;#XsjDCu+ ztXDn=)Q6g!Ds&wgcE7JxJN{tQoiEfDW(~U&y*qZn=Lyo+CylvvZu1`7gn#2z(ZBB5 zr9=!=9@*x`m3RzCJb>HHLGu^Nzx7v@R&dS`JEnOLK&2fP)5+;e2k3`LY*7`r7V_w# z`Q#1XrjDbvNgIw4^iWES`=mTqDIqQco0Ss?er}_g;I^`%uDj?%0;Grlb|Nh`t)aOFwsC z?v+DE#Zn$d%J2s6ru?2$DY*?n#T=G=3RR6a)NIIi-bLKa@J+N&SH@Rz-Q<+C&bad) zKl&CE))}7--nQp*O|Ksp7_>==d>JgliMli@Pn}x9aML?lME`Wf)s(%J{zrj+d_*V; zQR@l94N4OwPFwb_&|DwFwMAIVg?@`%jLZJ5V?3sdhKsjhA=)xuW0RBR_Ds)~uWUQh zH}y+;FItO1&O1QG<7Z`s06_|)kEQxA`5^ zUx~gsyWr&ATV5yol$By7hDNDq?@D2k4Tc)q-YB!B2i}vno+@r>4YfU}tN@Ou6y?I_ zyZ-p8@KgblzXh#ce$d^7Z65YRXJ;eZwznsFf~mqoHE!BlU#GK{4QAkU8M{ZMA1+El ze!D*aY`li3;;sUQpy`sI%A(?|6pdfF&%=o}-URe}KWY!b;LDDWQo+X)2Tiwnak?vu z>!_{h()+b;(jRG8#bWg3ut|uqJWqw>l5&OO>YAdVO+$W$SJnS}jl<^>?pbI=)xSHvSBIA-ZgbeR}zd2nooG za|YeUVy(7b9F{9|$Z^(M2=2N9Nx8{j`iDH^ofG4&me}Ei0YQKcO*k$8H+va=ndfX< z=SBc<=ghBMj(4ROT!6T%$DiXV_{lGduwDFeJ(1~q@~v)jJsZ{vvD{rv_#Dl5r$apv>xN|*bx<6d-bRKFiL$yF@;(|S>K?9Lo{vxG z%Yz0AeAmg)^8mCsorr^9 zCL7(XQj9dR5vbhRRVphULqZi3yz>~skF|Hl<2v28h!LVoJyeuTa)Y~ zd9jO%!_Uwyc9Pf=mI6FPTHT=OS5tY7r?VaV-HIm*Wr@FJQB#56)n}Fd>TcQ?>C&~q4 zWGM!_1f4Z1z4;8@lfXLE%^wK{y|Hv3$k{J2zr)cNa@K>9n6b|`Efe^cg*a806>OJ2sb%C13>h!#vc`7@E( zoz!sgTTdsXSh2K6AThAMbS zR`j8kFcQ2;HXVG07|UHQdX!oKRl#vu|1G$|eFi8c*b(0$XS*))$yAB-CyCP?q?{`3 z^Z1sfgKjaf^heiJQ7Qyx*$vPi1q+{FiMdezcH174cHNnLbjnKC=Q#%AQ<_R*VT<5H) zivL{?W`!O2tdNIS+Ft$1T14%m$S`q_FAv!P@}Xj89A=UP)Djw z&k@wGEGygFz~H7%g~&D(+C&6l3`wX#;lg-PDQr~Q)q>=(xQGo*G(+p2+Vrj~P}$=z znk28kkGAmeAt3Dgl3Af<4LVgLT8q7&PAT?WJqgYxFE?NLDV}&y`Mo5tDW6lT))iK~ zKYF7iZH?Ze+wVp=;ZV@!@lZ{d5RKv)t zh404rXyQ$6*m#M!RVmww7*c*xdNoy@T?^(fFTRZ@tK|$+0p-CS6Ea51>GSo@a^7Hc zV&Gl+OFN)V4{Ji;z~42d`ZzEC(ycUk;&9H%rvtN1yhSa)<$)@RPz1Gu_tov73PZpt z7idsMTpLr{qWQjn04!n8F>Uo{qqibL6N!;hn)_Kw2It=x3?iV9M=m$BeJ_)oQpQJR z@2l$Plw3v4n-gD@$s2r!yO!n&BF^9sqVuiLw)XuB%I>Vw+Pvr%m;PH}purv(3)|yV zPLEZGsidp1odu=~Rv|mf{nT!JvTQCxFy5!>)S9|Uebv|Sh%yEOmaFwnUh>CC3rE2_ zrQn(aFfLQ3nZ&^g%(Q%4T_!vDin<;sVL9|^iVezQBJWr{bm+KyVX{h2QdkEiutH6s z#w$D`CqK#MBH{j-nfC*ZkH@K`2dj+V`YvqT`yC`p&6g&yRA;t}cmnBGc?k?jx;iqT zO`rSnI(+2~L+Elw6o$vZkT*!c%wUc0Y^juqc`dUHjY4YW2+o~{3w?(W2X5R zE-mH1Wt7!3fQhoYBJFL(Uhu#X;n#1%s_7VadHO{$D9mqlPiGm1RHU)MwP}_qAmj0j ztt3Y=I)t$1?4Ivvz+)kXA~ctA;MsuM!%u8+{2$R%W+V3&HSM4-+yX z_BgD2Q}_xi^@#uVh(P#?anWv7mb9(B^|?CajOqqh}3(LNPY!_hB^9fZlDV8 z@Pi>R-=eXcqkp|tFj+!{X~%>G5b@fpiBfpQ`x;oXN8Jvkk=*=lSHe9P?qGb1xpB{x zA3X#aKBqJ6+IQZ`3Sn9snKwHBp|W`CXzt@oVkhC*aY3+)4NI3wmG*qUFSkN`^7OJ9#P;yp}?^ThGlf0E1PSMI`PtHUKF}6 zQ0P#?u>RgdEhO32-7I)VJ8727Xsu)MQ;s@`f!r>KY{Ia)D=2I{Ezl0BjlfN#%6Uj6 zCc4qBKld_4?B#pOlRf=+N&_?p9iN9eM?+4`$mJ4Nd9FoS%mlX0&T2UAytPCQ~Ies3L-(7ThpvJ)^$gbQvl8q9bctj8=nv* zi_8b)tf-;bVEzNdby+*pNHD+((t`d=e__p5{lwvmer@*5Hs5z-lKUgW@(D{Jv|`dz z#72kRGrk$0wDzIeVk1~;aL;pnY+MtQRh}4>7tfo^y(EAQJI^pc080O38Wo|{AIj9IwAAHN;&DD*bhlcJGeadM@mZn`(uE0to7Naq~sFPg7;|` zPY0inu%HhsB7+smewG7xw_GM*mUZNDVD2i?I?3fok*Exm5Jj3)_KI-W~BS27uF zJ0Penu?y;S$}iTZHX zo$}T()l;3gBn9t8iR9Q~QzF7_aRyP+#gIf`qPCXfd57B54y%LKI}lxOZ`#P;SM15p z-e>JZB)>d`KgBTbcQ%u5qwwU1GQ{}^ipJLLE5UuP;C87BrKiY!_(YdM?Rs(N-VD3F zTg&Ln!P{pI6BOYB<8uQj(#HB0*M?dyC9z~IvEU8kS_Ci9M|K4IsyPo$rPVS1E`*YG*V^@!$WBHH{f z1v}80lh)g=$EV_x>!|sxGCHFCqpD_-kOCTK3#!3>rlnzGMY!lg_O|VOBu&s2$B1P( z{Bl#qXKPP0_dzYOs(d6sAE2qsy zNf`C5cilurA0Q$c^lG!in<;+!pusBN7>B@A;lQvID00`IXvB@Qy~g_JZ(=T>i84!N zAt)Rp8fI?5K*2joWKl(ms{9zD9|_JkLj+ImsTHU>n%|Wqr3j^z$ zI;A>+m2{D4^Uzl}V_BL}iD;Cy-S0Q(H*ec&1~#)!V^2!DDzWcykpe-D2W%YxQ|};Z zHoL*rZ;cP$x$UD*oPJx+6M5EEpSo#?9VfMR3`7uX=EQh#&$PL>53+kDtmg?{ zUR3TMM zq!B6Bwv5rvz-f<_Qb6dMFZ2y|vw6%h*v5ISY0YfE%6HN4m^1B&bKLKjHK{8Cf(3zK z%^O2$UQc!Z;tJ%~l!Dt)N&0)kE0%g7_gQYOyHTH3*BoVEO65c@J?p#OBQ8^K91YGc4N|cxqx;nk z-JC8Bypuata|f4KudLTn%zRVT#VtTpT-}npm+RX(sJm8m9S(e)b?!{PparqRJPV+X zATsrzD%pR}=*@86a`JnA+E-4?W8>$sD0mo}HBo?rXhEuwk1mjE4wWle1lo}PrP~hD zMuh~J;ZnFv6uj4=%IFz?u%GG25zifaVX1BG?nz042c))g2m^NsIup@N!#VH zBQ2^5Ho6qdA4xBrWpqSGzZ(G>nhUhhb&4Q7WLmYBIuOQPcc59dP$i@#o3~Jt{TWK- zFXir+uPs60dYcEDF)yw?W4QS}r!lymGtV1nZ9~lvn2L(TJ=BM}q^lj{R=6pf5KxSgZ5HJ_5r|NsNE|T3IeV1fI zU96XJ_sOT!%5Au3EN#9GtR=t3*f2QEgxod5N|4}{rAS3y*`c=gF%9RP?@XCJ zdhB(&eUv5=AXRGT%}A)G__uQdQY-uiKoSZ!6u5`lfJUyc@Rg&?Gyaqxg@;l1Nm|Z? zv0J6T4~O88kfLiDdhZL?0(syI`G{8u*5sun4rPcCpX_(s!>cZt{p4<9EZB^sd)L?C z;^Z&n7>+3Jje}_6?sl(3xB*v0;rcBhzMdiVzP6#K1uLFp;tREaB>G3cg3kG45`&;f zg=pHm9!qo?R{U}E{6986xL#^UUTOtTu!|%YE0@;0bn$#p_FL%SQWoxS0Wq1=Q`{h0 z5MYB;Tq7PPUjBcqy>(ob>DvAcNOyOMbV+wB-3^PD1_1%-l9pDfMW>{cEJ|sV?gka4 zr349S`CV)FJhS(nnRnjjjeq?vE*GeX?$b?W$54e7rwQZ2}^$ef?AUqAm6G}#8mUPpT0gV`k58pev1YgN;^HEN6H z4LJGc#VK;KoKM~WL2xL~Ca@qtNP0jUOW%uoKL+CC2w-JlD&K3X?UAHig5xmJJSSO; z+B*RF$yUX{sXD?jS76jU{()}`D+LMKchyPr(8#+j&%b8ThZ~4}+F&BK?OW(y6X>35 zzgFgYWohng+J3$^s?3E29Uon#%sAt`IEi$LYE3`Q4I0bapho@)hAi@ADCQ2CwK>@K z797XqE}8r5a_K=_Lv?TFz{xyw$0XIo8`8xp?gkpjd*^%BqKHW!v8Hz&%>Xf{=+ZAr zwrbhw-cbBNKyC-zkI{5L{LI?fZis)RaJAwzr({HvvLGMkJ|OnNCvQ*pwK2~X2+Dl} zSH6o*z(Zq0MfJCA5@;Xu$#u-k-G01y6O>30Gc@K1Zc~D{Q>{|U!U=l4 zsa#+$_gya5K)GQc8U7jBh(spu#hRrBc{Zpomq2|f)X@5g;@SVO0N}|`Utu|L7&Q>) z8?u(g{37Q}mjLaNpDv*#K3fklXovTe>r0fqj3mQ;I&K~nKf~pDmbVY8O&tW!Z{r1Z zVNd(1VDTF*FUw|sDVXGC)eXt=)AV4z+@CZ`Dzn#^)u>!r1IQQg;boI~v7vBsJbu3!G$1N}!C{C3`n;hEE_pr7;tPEO zE442b#hf}*9)4r_lNutlmylKSQb*c;uG%d1^OxX3wo+mZ8O*ww!hP$ykEEVQ8N|`q z>t3$aQ+KMcP94}%kQnA)n^j_nm3QrRW8HsqyiMs7kWH`pS2~R=f8f`X*BE5Q_@Ve#x=es`An%N?}sfVw!AjjumwOz64Z9-p1ety^= z>50rwiF(g}zKM7>_bg=ML~_0vTeV5#_xRSr)dwVr;ygG1D)B|$1&{ceX{@g83F zm4NnivTN1ZU`((>p>q9;td!h6`}~Asb-f{9ID&2~MH4!X@%6|0#PZ=os%$>HioIQ9 zK_k*HcIjW>5KGF?ds%s+t~OxK-G3~s;lS%0!aNrEI!3j93i4^M4Ca6Kecx1NQELNP z<1oJ?WxbZ%LEPAWe(nkOK8w!K2H<&=)m~YR3FpwM z$M`dDn$3K;^XG=RN@-;L&ioud*7?#Sl611g>B6 zmfC$Gq#pdJ&RP7COJnG2B|Q!Tz-#u8%}2#{IV}WQa*~<*>am-x9zE0uEL~XH8Im9k zb%|E)gB?t@*HqD{CO`F+YWc>UM?s`LsVr;a_vNSR%H1o<#JkUJ#rGQFg!p~kt~vqh z_{fdoRzvy8hb-$6bb~D3&h}nLHeY~GBm0wO6ua_qndgH9K*jt8l=pU%wV(Q1=g#|A zToU>N%x#$ipTEMb^%eC$abRg!2HNt(km)jQ920yHP#`%@&)9IH#N~EG`|18CSx=nJ znGFCYfUZ)*+*CX@;E|f2xt5&4GTKUTdr(Xa`Pi*UYN(K9W+$zQ>CgclZ{sHsR#e7z z-D-#Q^jc4EI0Q9Rx?23r?=0Gt^A059L3(L@zan0xECL)Pb;o|_VITNrobzyZ~NL+)*i!fIjsQi1Zso#LpXJQAJ@7~tOV@3?- zfdke=*$J1Q@TNOs$X;DvR4_DII4t#BA0^ai!p%^}-yaX;k3k8}m~O zYa$^2f&=$7QX0Qj1Qqo2-Mb=H_Ou{hrUTeW@1J~hTQkcJ&Yt`kvO?cbMK@I@TjNEU z9lZ)=jqxsHy%!U5$Bw~3o$~Jfb>qi1|E=R#*R%E3K53AP@err8cQMw_Vtk(Us<3%> z=SJcN5oFwr!6EBJK9 z5lo<+Q*Hc-=kCU%;uss}2=pN&&>NGvt|#hpI$a=dz7R&Yw=;g&DLIZD8*?SF*pY7~ z%Uz~iW$>JTbO2)oST_Wd*>s7{fP+!HAz$S2e65}wbpA9B1qYg)DH+fh^H%-((JR0` zKl91m0Hn=$Q)nM@dYff5RmkntGKZ-4){61l<$UI zB43TyHB6S{Ny}b1?v6c7vhe}c zZM5|DU4vRbz*oS`6etwXljBjw^pIQAOL-wCaHdos%Sk`Ymyx3w(zAIt$NYt3J8!35QhSAC$;d#LN;td`WU01 zR8mML^Q~EmA3sH8{&Qk-{<*R$nU}ZxxHEECQq|)T$X@|xImb$EINS- z%tBI2G(EX0Org8-zXnHS;NZ)q9QX-;24Ft)d<^Kds0Gubf4!UTrAoB}>e|uNf>wFQ zmx=)iKO}oEPMcdVsa#xKOK3}MmpD-Bw9|@)`yYt#C&V1RJ+e^9SOBW|8PH8EorF%N z4PuPnjugt|bGpix=pF=`PwX$@itlMPgpzos*G{f`;NJ##M{@WT@a(X94hBw=?cDBH$ zNK$oCSjf`EzPM*8?;KlB4Z=FCjH)CHO0L1`6KX}x?BX)`o-g?NJeKqv{T3Ee+<$&L zI#MA5v(%D5$glYpvlvUuY6!zO(^sRM^dGne*~_TAuKKFkd}*4 zX9A1NN`$CpwjDo8IUt{9wQ_X=3x}ktAiq%1Ngu{maj1C!O-wLwzABH!@|!~9Au*lm zPVKrmN4Y1Fl`Hb(`$XJKo#WS4fKUGZxgN-JS(cKSo{?UQdro~Y5;rTYzw&b`c@6z&9UYm z;^Qsu_v^v(pUwn9nkx%^J{xF}uD~w3V@bWszYR3SnoD?fuLWIDe{WiFav^KC92GS- zKMi~9DLGIy(kbf55F`;diwT*C+p;oNZ0QS#^8{@UZ+%nCNdJfTxeZ`XjGl;--<3L? z>rP&ggw%3yU-mn<`y~4IB~X#gT9j~K0gqqX58{_TT*H)7RLwhP3mS`-mK|;pO*Dg< zL1tLApVE8Q7>;NazKizP4@1AjRrjcg`Mb|sIh{LksWU50T|3=fjWv%bAFP=rCY|Oe z>lvq$F)35;LRseAxi68N`y??CciN3P+b{Uqso)lKQJ}bzjF=rVWFU{FtoJ$u^t}~( zbDrK!`lX;p2?;mXH`l&(DCmnNbllc=|t$SmY5Khw+(=z^D`2)4OA48Mc)zf_VWXs zukiMi_@471FYHx?oD$&zRL&|kG<1KtzsWc!4dYL2(#9cpWbW>A5^ z4*#zE>H-?%ClAKSPHzUpbnZ*|_pF!)P}>l`;N&$|@i=NJ?6$^c?4gwI^#$ILkc4+e z&b@CiCR9g6KQsJSfzosTSUo%qu=_UM96UJ7TE?znd=;|*pV zhGQ?^|xe?3C3W~4uOW}Ao zq9ENp8Yh}|TJUB}O~m30$tkB_Ui!Y!QA9A>B14MdFz?q-N2eVGq-)Pv$xd6#bYTWx z=v`a0Ks{Vnh{9D#?u58gRu+CNpGq-o2=%cJ{&5Wvci>@`S@ms#2E?z1UGez5nB7=d zX7zAo-alTa(D*4n?mfH9ljpF+6}+1;HP>tXi`*8&TKC#&3Eh^VLS0@eFeoq}7sspO zDRfzIEUb2NJArn^E8=+O0CW|vC=S0oQcGy0wtg&fD4VD3?BR11d%ZKFdGwOSlAjnBnl9Y5mI<}aw#=7p z4X#OCwzP{OyL7QrxMl_iO*yh`6)3IOg7WvTinI zZjD0$ZdcDLE=I4_-q^EK(w9Ch=N!95tw1Bx|DJ5}R%6rHPEE`f!&1(7 zoEvYGoTzE!8~r-*TyMtp&~o!n$}u*-p{t^6{9o}VGD?r2iXr#76JYzXv;Nc+>c7b! zB_!;p-=}O9AunNf-bwC@aLK)$tmiG)3cQ*C1i1TJo|$x2WUp zlMM68d4z0O+S$87jUr^8mp)Z49o4PEDhNb=XEQDM-D#suzPJU;BGE@&Lvmcfk0p|; z9l#|CpPlUBA0uOV7Gux$cI0P5_}#DUIc~w|H~k9Y78wGj$-yA>R4tZhPMefIf@mw2 zli%ITO;0p+Yijz(&*KdMsmgBW%ZPf95q|L6ID5}$nu9ZDYtRINC`iB}$HjN>t<_+2 zi)(ODP@su#9V?<558K<}`7z7fnd@G&p3fecEf(t?YKBn=cC^QSpo4>d7|(IMd2<;& zLCW01cjZ^b_zc4pew^EErxh{`0ZvNgdB2=L54@D}5s??K)E<6A^eVu0gr8bNDJ&)3 zQ`xxkl$!(yI`<+;u`BpS(l*VB6b>F5_|Mh<=>63_9Gj~ahm-u1L5M!5A3Jau2yhd) z&NK+HI0@2V=K2$w70_192(lkEY|gdU?6qzg+wEL%za)| zJC5g>I00u)8>e*3MdD4n-SUnjAh@+Zym6{(QgNO=GE)hv{svbF=92R1I(`C}+XQxg z<%`U@YBICiZt6PcBJk_>Q}9Ah7TT9oXa&*X{x>mHt{~LKqf-!if?`@MKnA4l<~VU&~R;3x%A@k zH#=@wXt6lEoMq&;^$UUWb+&Ra?%>7+AQALe0=FuVNCM?DuM<=>+!(d|*9@jNJ{*(d z-AiOFjjWyqq<|v$w1NuO&v%Dt62dc+)$Ue}bF&XOlr9}QYHltpJE#I7;DsO`_2y$( zXO)jy0*F9~pQSfax_xVa3qCBgXBA4Yd!yM5Y!0q4FAR0q+#_@i~^|WHPS^?BFc$#fRmS5GSM+l*1nw z`^6;Wp8}6ZQiWVfPeu*gB={_ROO0f*03rrXooF@PIG8R^_S68-7D3BJFQ z0KQNK8<_hrV5C;)K=j@Tc%|L7{cAEX9tG-ZYh+F7EF!lqf)jdCm|jjF!@%#1O@i5v z{0_--Dp^#q#3iqmWhonT#C^Pv(l%+gQ1@k9KG+D4G~6@srE zk0M)Nd%4?+I79eahu`1V9GSHnlHdj;7TFH9EHdmt)SyUT~yE#9o((^aOruP36#HNF8y%VV0<1tsW@B2S~#>;e>rHyM#6PAuo zyuH-+o=8oqBdAX4yAs+4Et2Lpw1+b*=%rOwtS64O8ROo{8}qnXXLZDlAEL;N@fb$n zEmMt2^0!UjmwYmmO04I4hFjO#6YCC$_LZIQNcHt zC{*c%$W#QRfiG|)IHsBl2eEf}Qa*wdfIhoBp3IBuuJriaL-{9t3dQ#~zbvypa%JA8 zh;8QHbvDkMdsPz8uPU0Tf@cdy^JDayXj?s@J(h){$2UJU_FY z#YKhN=v?+D&fBpdl2oTGgn%w_%ggX-))%K6i4?T748NPo=OMwc{j$9H9ud?VdYA6| zU>5(AHlR_~( zQ5gRKfdXl+N&wB^Va5f>zC_~I!bi|hy0c8QS^c94IJ0I2yzd|EH@d3GHwBRQ$w29X z>Hxq+0@~F38Dq(@&6@J(ap4fnA`7c#=RDy){SM`u1lgDA^sTLbfxEO7G5xEeV$KQ*1!;9PL@(ELKk55o$9wWcKw`C9u4G_u70;;^hJm z@}Suj#`(?z&9@8)el2)jMqy9I^aMaqDw8#(T53zPMBED@0Of!gmq+l|#~=PCpQ%4X zf(qf#{{B;$IQ(agL-2N_%Im@s&Ae)$vk>z7;x#AQLihiL+v$m38?yg3zZ3%KQSW?TN8_-{Q!42O#Mk9``@t~LrWNC5Qj?wxrT{^{W1RAdeUtdIybkHg6lK>UYKq?kFeAI3ev>lq!6D#zbIbpW{U=P*1uNORY-! z(xP|47YUFzIo^!)PMz*8)c?R6p#J0b_|F%^{K%}&M8{g4q#R5b09Q(U%YCuQ?cf~V z8gsaU!#r931LkQo+`pP;5$q@EvIygB;^F-56Lj99pYPaogTKI<*9j84ULPtdA^`{- z*J+KdILpmQXO^E5GmqcV`nn9ZED{p|IWWq1)BV-|@!Q3Kq5MYkj6_@Ef6>|c@GCG* z7y<<>HeCz&@+yFZ8_o!nL2}7M$UFdurwF`7Adi_T*Dd{x@(Ehlp{wY_nS!b#IpV@f z2y(2(kxOwy6xP3!T0^fffY79GB6}V*hiB^Uoju*s%;fzyAN4;@rvJJ~Fa|_S%f?j` z>)gLe0{`n7{BO13fBuM4<(YRJRcv0&-#-g~`CtC$xAXt!n?Qo%d>s4m|N3J~c)+{6Su<2HL&1|E#ws1<1f`~IgU9C@e_vC6&pC*Z_U0X(Y2n(1utFGxlK33!CmiCZa!9z)@%HvZn>ui!HH z5&Q>=bAFE-VCXQzGM_SPF^0ki^DfORQC5T?%tjwb*Id4B$%-P=pClaIz+q?y9k=b^ z5f7*2v3%BD@)m{EC_h`xMrkA4b5t9y()I0wW9T)cZ%)R?!e<%B%cOQdE?*fuHyD2r z@YiNkII4&*{l@)~;kDDOspkmK8aVR2hts&g=Leiq{PWE$w`uTi<%1~K`mgS!=Dt=9 z9|%>;MsvggZg=hf61NLJF**{>r`W^SzTEzQx|??Xw~)*!bn6|QV2$9{%PmTH7>xK( zai40URRDYQx;}x?B3|I$EmKfLa*2eq0^f`Rfv6YIJNnT%0xz|GG_}Wbh*cy>>zv=K zzcelWcntFeF<>||>9^K!4|0A zJ*NRCR==3J7dqfBbZ(AoT361W8C1(18*QG1e~+>wBHK%M1TsIJ24ug0yd$Tmm_UxL z4pB^`-cHGY>t-gB_SA1d4?&OT6HY>r^2Q~&JK=h7oHq!Jj-#i{y~&I(UV+<=O}4>- zXOsZ;Eza4p(b%qH#R8D7oM!Y56NuYC(7<67Gw?jyvi){3@7%v0RsQf7IoKi56bzJ9 zIdqu-0t8Gr0Kf=?+DJ950DNN$a2{Rc2*kiP zd+)6epX)6?ol>V^|2x*?x+X$q8H+~tw}-66;8{DYr-I9Rf>V$>cKl?S`L> z{*7Dtzb>ATNm`u|`mrRK;YLD$4ufP^8&rDb3vZ1f!SEH_^2aHh;{4^kkKuR(fG*}) zb~V7%reBW#PLwQxL(M@*bY%B&g2yp1Y?p%zs&=|Nr`csgLt2_Oa06tFJ76+~JLn5g zws$;r!JRZN?EYIHJIU}a4}hpN@e&Y$!-LJio*LA}Fm|(XKO_eDFY`^~sf0D)>etcN@NKsW z$N@%M8o#r>OM=*h6fNK=*$Ug*;thC{fZiS-q%3X z3?`A4u2LH*x)q}<$ioTCK=q?P2U3-TPd_dHYW!P(Ox}RZ?a$Az+ssk1}M_+j9XfUopv;~*e0r<5) zJ9gMdJva|C+Xl{ObU6IGp`R0LgDbF8dL=(dh=W&q&`VTNzvhg{Q7Uy0ivS{YM z0n_PPo_YAzd`PPm1-55WxSs_T$;|56EzR}6$&NEj>r87St9d{N(am@bU@Zl3TTF$C z@S?*#LEl5m(?026y!fyxOnQxcQyRbZmn#cE?<6?>B7!em{v5t(05jQ}md#8j-6|Rk zJ5G3Pi>c~bS6C-pkMlL>k?gX!(eTILS&w_FOV;S?-PdXEa5zx^%QwYA9(c`)*L@XwjL$Eqgt+a2hNA~FpNe3T^!BUDeEDy1Cb26V1=j-Q+Rr3C-4i@sVIPQ0>&9u4kqWv5PN`=FG$@Vl+mmkbqKLK)dM;_q=U2{V%v>}nZ#qGdaST23N zf>*xi@L|Eg6gW<-QWT}}kT`#5JmQzs(p*Zo-;kUP6~D*~>Ja6AH@pYT&pW^$f$<8i z40#78o-=Y-T*T;mIUuS;f3uhX|CI4khQ}l(K_tO@o^xi{Md&hel2aHuAVq%p%JRU| zR~SwqU!T8Y*RCFdW%Y6sj_wBf+XA?Xk42@m1GuY9_rXC=cKJ&SG#u^5d0VR&B9A~M zr}&NP5mA^seskYB#{lF(ZjfGbaFh~4Km%N?gBrdIq6uUc?lKdtbm(p~nd1!z0o8b8f#2BQuCsK5qwD(P^Am?< zn*d_d+Fw@Itp7$gE*&-v^H~$hF9lunp^k7;k*EdA-@rM;8q04sGC}EK3eJvCL5FKe5R5n`73=Y5mxy*cwp# z+@H>I=S<=lmt5O#z(dL3|%K^>&%)%kh0dB-%)$ty42XZ>ZdV)S1JfL!ruO0zF#%D=#| zUdblglJjbyEGfBHT^>Nt)j*S5<}(78s!Tut!PY%M5$6t>yo z+99{D6wm--!qpxqZ`E;wI3yroZ~v_uX=+IJoE(&d>j^cL#Y?iG?0ZW52AWr{CsEj2 zIla8S^W;G%Wjw4`%GKazCAh&kDc#?aH_KdS22t>z!-MO`Qo)e=(%-WpS@`(zH$}nZ z+h#u0#g5+#{lrc3dr;D+{{PUoPiDja|6b=_L zd8U7%8p%h=sA&fZvc@v!`MM4e9EF;xHdTy>Lp&}~N>(t1oP>P`hhhA1@{I-h({Z9LPRj|IZ7{JYf2}brZAux|uAmbRjd`X?K zYkDMIqiwqhSd<3ivtKZ)Nj~kpZ7xhmhI9uxK1g;Z%3$My-Plb=T`5RFuSiO%V1khZ8U^}$j!>?-Q#y>gz7@eHIJMbxG zG;j94LOglFJMVp`Jj|qt5Sb2aO4lhdhuCOl9fy$D98m}YJrC~qr#x7I+ggga(K4sv zGM63nLhc<|`4!k9mFe!elQ4vB5NzX*&I+*C^spzyD@GOM{dW!WN1+K`ZH{VG`qID&t^dqa_1X5=29!ZLFjq%8H_}l+2r*h2B}7!3|1F0G-(nd9EPF- z4T>n=W?Uhv4V9rr4t$Ju{G12zv3Q;%izm$i!>FupFH39q(}t3W&TAf06RPUz@jQRdi%c~pd^;m~Fx*zZvA5tcdVIb0 zZq&=$uJo6;x1IOa(v|tg-TRQ;Ts~ofA0Bj{??#Yp(#w=LaH7t4Ws@#Ow60hl;ZT{B z#5{ls&O!)?vS#@YTpk;AQnL=n7FZNmbbn~rw#+3#D&>y$E)2=S_2M6S@u;4E@B@v| zVj(qhx~biQWjncDJP2+#e%&DIXNOi-XD?RU1D$PjG2w5nT`Szd?LtAHfd?byvKcIN z%7&x*SyNTl&HCz!Ch+1=O@N?68>V6D{>tz2ClnnxM;&RrZ@^Xv=UM9!v1q)pscgt8 z2fKCaDxUZY=FFFx#zBN$AMA>+$?sT;%wibfIV4!^fX>RXn$TKsVrI>-&|2;XUwbk1 z_m-}5xlkV~+LL(xQJx}SW)1@T1i{(b?yR`d=c3}fUbLIYb6$O)FTi0|pBtx_bU4Qf zcTRdRbp}9uvPOmR;u|L5alNZI;C0$~gEFbDfdu&({T}92+vXz8 zaGm!9X|5??ckmd+>p1Mn^;>4Hy0?id@xB!}!%`W2HDdUWvFgW-bTeE*&{WBs7^-+{ z4G+yFUqn@1+TpVE*9rjH)su-9MkmTL}X|2eF53F`c z%hNy+OHXhcM`z45iB!nFHwJUKo6%v3x&O5&12lQ&{;vmFC(#9;TW!vk}#^dR}AG4i78-KdbZyDq2qppOK{oUJMla$9$3S-&+sboPWusR+e_V=GRo^EAz+lX3+loa0ns_HsjwKZ+1-nwC5` zEeV_gmxWyE2$Y{_YHwKtBiZ?;W#*jZ zzQ{fPJP>n8@5c3zyNF~b-PzJH%rqp0q>Mi|sFQ7UzzYp(*Pt*G(Du?NuZvPYCDi5vWBrlo`DhtgnNWZ>tq z?^M!7{%97bulcsyXa^4s>4(+#c3M+|-FQZq2|8s6^{d2aZld+Frh~&bTs6@b*~}v@ zYZp@+N2VMbEld4V$SrZYOF_M-xOe8rcFX+TK@sehKQ@vrI#ogY-M!vo^@4m?j32x2 zvd5HzM)DsT=LzyMBxYt+U95+N+F5AodN@^8`55=VRC*ad9^c}67L$IviDlIKcy!42 zqVRJ==vTsgzE4Pq^pCZ&_SKKximLf4JCE_y`_Mk1FIFmTus~fbYfyM-AdAWSsD6w| zFILSIsQi^;ok~BqPG@#!pN2lUHz-u2X&Umd1yT=9Rd5dR*gPQI?6h--hL2YplTm{< z-Y2VxJ1fSn*m<6#q6TK;Np*gN8#WhZA@e1VjimVSs&WK4og93@y%vTK$%@uTbLn1s zRMNm}ytTo6rf+Cwn-k4a^9~L3l8YW|sk-%;ya(>zjH>}GH}-dgs9mnd!IPN<>|3!? z&kh@j6+)k+s4D5q;)F4Qwp0gp^?Ae34H@yGUd1Z2@mM^C#c2(8bPCl%7 z+&uq*HKu0!4k+r-#|E|#&~X(omabd|0unOM{2z?^H5(ZJ%&6T$&C9z;^3zL{2Q^+j z1=EDPxifS9lM8I!1cVaRevC0v?eC!N&^U_>5}_~?svGtp?!3JZF*+FTiTXIIHy2!x z`7y+KDNJ74F+FSfNNQpv504R_J?%8I4qlIIC~d*@mek#7GZ^%2lSNdk6enKo>T9>l z>#n=t441N(swvQPio;X)wP2hAjO_9kV)gj{u(}1J!zLGY&VoO-0Jo%Zr4OZ`~TgPn&~zooDEnv8cL~iH3N1QTdOwHL%Xgr!>SzVhe@Oxk7aChM%f< z?o`97APpWUTcjlo$*9A5`=CgExe=PPZTU*u*^WP)A?c-5Mb6tmsB5Hgz&1=K$Cg&r zjkFT@2>Kn;=r&a9BPX9Wr^@(RMsW>$?ar!qrIc-3mb`N)6+S?shCA0#bdR)gt+O5N zsN7FCE%javkC7PrKm!DF1iCh}YR*8o?ixhqlk~<7nXymh*D#5OL@S6=XT>(an7dxQ zR>W$C$nqSUrG;l0PG$4%gtl09p^(K_5e_Rkg<{)FK#k;=O2pS+JYeYS`*m}LriPPc zCpXecdC~k_^gY3x-|4tL3{@H)VbkYbQ|2cn!a-h7J;dgkL0Ga281`=#?x4wDQ9xP)@-9NT0(|Bg2ULN1N@h zFQ&Od4K}g1Tb;{0`kTz93R^)v&35pJiXnu}s6zcMM-@i-_uXGW6k_Z(y|~XA0#$U4 zcuk@-wfK`E(y4oJO#B*TE7ix2Q_|{#gG3e2cIem4Sq4WGXBU|?>A@m(WBHt)5lF)$ zQV)Lt3h^CBn71+qc2=S?a@ZWinalZsYSyAo^H#D5I-3F*Y?+LTnMEON!l}vl6{%qb z2240f@n^kMZshjI(wuLwGL&MLP5PbOOpKWT<6Y`#>5VI572MJX2`JYIG7 zgpMvg(2{XZcsq(i&eM5Bww(cTy7Z}g2h@cYK47Y@WeB-I=obLZffAkn4m~F?aN_VQ z!Sj>SIz)Ysa_gzQatyumCNdrFglV0AUIsS^cX*zVF%^ezq)5pXC@0k2^!t>=pL~_! zz`4|ElQMxP$W&N#1cS^8y1NeQ^D3C?#tD29e%0DTMsCDk?6FgpR)B)c5@jS)aOg;w zENS-AO;8@wD3hf@L9;Sxl_Cg4g7FsVC8`&&BRlPZ}zxtfFygIHe^v>tj^Ea*Z|UEbJyA#Eao|`adusz_=c~ex}BdJXT%u ztfq0PXgJAWJooN{D808Y4(x2qQ=k70z3z|mk^?%@#0~|YYnUp)hkYJwPU#(X1yidA zcHI5w`9smY+MX04-PiP=8v(h=#C`CmjC1K{k*F7{;7)6+kPTPTiB?|_z(o>2{bpm) zhw4cfjU%N?RYtsyJ#;7NwddBTRcYH{qsylX;76{26AcJ8vo>^ftP6;jx)r2gEuA0D zbWcpCf8{AG4Q?*O zZlb#Fl=6yMc@D7G zHKm#|D5jR=MjYmhP0sp69YR&BX5ApjN-SG+o|(6>~kbs$d56w^)x-A@@V z5Jec{oVrEX5PzzW8-zMWgzx(CJgSajkqd0GCUFg>O+$iEl9o`(qX(>kj8XQS>9hLf zH~zp*UBK1nnYjI;=C;dh+7ofIKk4fsXsYa1+1vH4AtSGQMh1R=LFa#0)iXW?$<41O zb6JdGvQ%_L zo4)yUBg*Tg*BE)gV{hXGEBs=C22nF0^K$~BgR|%7;MiJ@LBwq2^(u4zO)`paF}*rr zm9}yP6UrRun!jYs*qN=$BB^O{EbsHOy?<<-oM|Je&d zJMo4m*Y06Ed?>j}MSwBLS)YS~N=McMXjaQW5>Vl4A0q57JZQ>b9{8;t!OqZ%=FYue zFH5m_GtwxqQx{nM;vj9^6Jya)Doe>3=U-p1z>Zh-mcQy<%W0A^Gji);p8y^g5Pvpg zn8}dm=iZ%a$b^XZpSqMkz23={sbp|w6>covY-8BfakE`fJ&z$`sQ`)0k}xODU^CPo z|HA?R(No=VCXe5(ZtTHX~EetNt3X+|4TrQ(8}xnWjhyG$k%lFc!VY0 zH83p)&*f*$(sG)lD|xZyF7P)`Xas8Dk%C|YjkZkmb9)d+qt=zSUHoi~Z-_Hl*{hhe zw-^bkgOA#3TEfO(ZiA7*n4|g1U_{Vy}1zIMAiTB-We#3s(MdU{WoYUL7FKb=8@ z#HmOBpbVo_rkT|T#e9HF^Y`!X4_wh*>fh#of$Tf~lL1jbHMPSfU`-<}5ytuOo z_9C>OxbqGD+JA&<|7p7xU<{QLv{Wg$mpNZ|g)Q{e!gmG53kci-x}n@vly`ASo1AtOC+C7+>^-vj^{AIctSz5=i zrYr1S^)@)Qzn;WY5M3m-J|Out;wLAb}~fy!chW^tEvMDqKjtzeYwb1z_I zcLL>-Z?NH2tKz)N${o@ea+>}wz@Y5b+wt)}wuYkY9_gD_=2A3RWnwZvO$iDNUDo)>=tsB#WLIh*8>672-~?j zJj*g`sXM8lzyXK@8hZyEr%K8}l2+yBJEc%}(dsA?9?#9;PIwM7N;jooJ~&is&wE9( zfOn_b28ztI-jFvh!HH%^a<@4G=O#*t>m&NuzrNEU(4>-`lAStT2YK(y?Li}!yGBlh zjT%Dycv45?627(YKw@?-0F(VR4fKTeM7 zi+p6xk=nNO#LSM3cqg`}_6bt8l(o~{-s6m2vsmYAVJ^yu^nU(-DA7+<^0kQ8J*;UL zH7GwSkC;wor&Q8_k#P)%h&#CuNx`-q7(-!(u>s&zE*$QJv|V?>jhF2SEG*3)^7E zk0{Jvn0Pv=*5X&qL^Jd&H^onq=h2tl74~(LXr^>i9c5WWi*HAO_SA%_*a}kNO{{Ev z4a~gsD~%k}Cd7;*6*E11uQNU<%c?`M9&2bM-f=LQ^=#xU(w_AjsTz}k&NrmV8VPPz zXX)PFFXZyT2KFzMw&dz#I2*$YC{&G&yFZ_3E7I6TzCN|A+S=hau0lMUx5o1V;M9Q3 z^dEuuJ|R`*!fjbLr^n_+gFh;tdzl*qp;}kLvJpHNwY$@w-2nTGBA=Tp3mPu9gWxt? zVt)Rku4p@7Uc$9%8pt&HV=7J;mIvc=b*>we(c2lnncf zKIMo~v(x0vmz@$W=GE6l-T4%APeGz~!ghircm4Oe)VLTeJg@sZVtx6~C2>N7ra)0? zn@eVQpvJP6u@x(k76u{}k5rgH4!Pq{w!boc!1nx=9?#&Lr=+_${L;rpPU%szBJsP* zW(1zz#=8=Evafdc`UG!>_W122--<1Pqi&8fg()4nt>7!w0QKZXg5A?M+0+kAF9rou zRp%8;!oRMvm1aLex!u+b(P7C8d`prx8=e$j>*`e%LSVk1*`tqF?tTLoS$r!k3Fp~X zz29boijsJ2T9j6|)L$_Mg`6ScJWd|AQqI#vBI`yk^Ga~CNxcG)7uT}k_U8?)w*{Sm zIAD{CH?j)f?&Y4hh_=8E&?z%ymz-a>&QXmsV9QEP0WI&`32I_JAxyE?_>AJsZ_=2~ z190}hffc<$KyPz}Yg$%+V9&z!%PoL^*N?djGA%hlxa}VbqrbdJP|Vjt9F`|Dn_fIY zs0Qtk4FJlj3j%wletOHaj;gWa>Jg|2gx{PS`+I}gbS8{g1(Co(0UYq?bo8~Ic;16G zRd+)dFQyRLxNx*(hr7WwOpl*zU{>y!q&Miw{489faY-Pbm;xsgfyoFi{ju zqkLugcKqp_si!)_3KPG&B#qDB{6vL@j*G7W!~RRT29X12@)Y;_pF<<>oP>Rc-UL)} z4weNN1eMG-8fFCpSw>^T>Rmm!;@$*_i)SU)_w;LVEtY_`?GNoJHq%h=M~NWnN#$`e zh+SsqNK}Q6$9_Gusatwtvx_2&pgUU*sZxVCV{4Ar+cJONd%<_5Hh)^pB%$I^w|J_? zb*hwXU_J%&^fp>Bd-t?X<71GPt$gAS%QoUIdZkBVqIS@&CxKvYiwrXbhotr$P`amU z>t3y0KKy(kfbzf+C5%l+%b}+2rw-T=Fh=;s1f3{$6W(0LPfzDPJSRNf2cizLL9y)^ z$XuE7&;SE%#8ebE#Uopk`ZZsvFj7E21IV9unX?;KzJbDT*(9SfB2z^5C zCP3H~Op-Wy?o}Of`zsA(IR8=D{`o~{?>((D1m;7K2RK}a92#A`D4f4?KVkb}OA7!^ zu2-N87CYXBvc**liEd?EH}E?r35aqFK2=DKR@W?-Wv)V1e~gsn3SwVlYDzPzTWH=3 zkoT+mENp@pZEaK(WS2Vx@d#`ZHrYqGfWh+)Zoz~Lt$4y)tsQ&GygVj}F-Ens57uJ0+tYw08xk`%~{9RL;Mv%`exBT{`DQM^lcD?UBU|HIjNfK%Q7 z|6fM-h>VO-A=x{7D=Q-oPG+)`knELJAtGBwB;yzv6&V>Jj*)Rlwh+pe&Hr_}zw7t? z{`&r}|Npw~tDC!v`<&1DeBSTZ`}KN0AI}Aahuj^C`*V=*>8Sbz#C?2$)H-xa(fMw< zy@dlAGzoO`kCQ7RP3P5v3!nfHpa|aZOYv_t$);mY-rm8Yc)Dh)vf4)BlM;xqJ;7(K zKY6p0?=4w$ApDsR8M_~(V#F9*MTp|WYL?(wRRdK`v8|;u-p>px{(syTOZCLo-y@8Q z#wK*Qj-AYMIu6!XDUzu?Ay1V{$Wz#7)Jgoe#wBuPp=5dx{$g|VpEkj4@p^n)fS0Em|sOjYG zXK$DqP-=T^Y8TNwsmsaMPl(5ov4Xon5RX}^838~zG%hU_fjIzRznq$1v2?Gi+UPW+Bz_H<#7@ev~Dl#su>Vh+`I$zof$dUPE`lU9$w z0%Tp4cFx*#1~#lhEZF%C^OGa86qc_{;-PcO}g^5$U z!`N9XXgdVh8?_(`^%{V>> z%qA@y+r1uN-Ecd^YLpOyT2yTg;=(kih3x37yW^FvP#J5U4>hsP6e^{RN$BuBNJ#zI z7Qeo> zKcLD13+7o;Rzb~DN_}VJVIs2RbnQLzgvI}cUiO!*QTLwc!(mdV9rbulZ^reqyaM{9 zLForR4mznm-=OY?p_cqfDUd3qZ!n9_gN!=cfy%^T*zQ@Ad$Vntv#o0*;g=ZMU&*v5 zd!Pl%l)TO6SKX(;dBDb~c(4wTl)&y3)#z8Da_GFj3lqu2sg^8P6q38pre~|xtP%xZeE`k z2;9|tX@2meVPK? zxAB#5PLAMYy(UGftj4jXinFH^yX)KT>dgrs`Z4`vRZ_{z5PK2eh8Ead!jrAa#lG_xUxFxwr z!G40sQ*n~YJEupHio`kSjB>I-v%D+$RMbk#{V<|pg1p|a>4W#!YYy8Q_zo)u>uo4~u8Bc>dlU$nROumu1z(y9lTZ~Nl=ySdhJ~}_Yh+m2qY1}2|%!rzH z?&L&^>$_dAg~L|6$JvpnfFQ{ZPh;hqwcz&H4-t#O3R=gRjvf+N2NC&%t|Bb(n=*+#SamOC0)t|!5(=)T_Oxu)1P=M z1@1Jn){04uC$-1)#3}?lbh1(UPdxKKd|e7NRK2*-VbX`f_3EU2;tm>y0Ek*L*gAww zlP2M%gqhODkboA=>?sU?@d*J@mtrwtQJ1=GOsG%T>^|7Z!{?apE2Z6W?t5UH?VW1l z5L{k%`_k0jOV<~*XumG&V!r%1qv1wqRyZeQhdDI8$RimNXe&PG+FOXOH1J-Gj_#G| zI+%reJc@S(PJ%iKr4|%@ZIZ?Q1$n}E>r9uSFnFIJ(E8x=D~ZTrQRJ`?|054`m&F?k z{uCvF#RP2{JhA}2vyP{0y_TNItL#$V!ArAS73&s{d61Gn3NbrhQ|!)q42`H1OMP1V zjy-#IpRZr2w0z@X?$ji#WAtPr-Lg3i#kum=ZGPrHpUpeEhr~7y zXjHe(pz&mbsI`>BM=T z^QCejK39YqD{{Y)Hu%+Rjo9gCER-APAlxl#My4Yi8s#b+yR8p}!s7|ods(F}_p1;% zDlWJ53f)@vFImFdw zsRO(`?y~)lP)r>!v#3(?$aA#JR;RB{^OG})-x!d}mP%%+2%R_#Eg_@aS&*Rzd3zg~ z8X2eOQ5&VI5ru@~*%KAFHX2;6JYhJKrFzZ9lv4w@E2lS>VZJvo`?-o^s7%kwp3?9$0})>@y!@vi`PA+&NpGDG>QB@*R7L@aS5Df#D}kfJ^8a+PCtQ}E&2>c!-GD_CEweDHo0Y7?`@ zr&e`7Tl&a{mn}PFgrB;WXS6;*O`Kxry8W(MW=O-kRKjmb$h9|H2od;>mY#22W*>b# z6`Z&S>&?ahnhEXdVe#k0nxe^dlv1;Z&ZsHBE931~zO zR=eAIOHD?Y*!8P7c=LC;8U*Ogzvy^C)zSX+{2(-@nBRXX6*J5S&4n2`tDMXw&3Q@F z^T|)!WNGIt6KQQJtl|UYsOD!GCXA^8<`? zx*;dY*U`K+>yI6kF&+_F4;H>vJqjus(9SJ;E7#pOCA zHRo*huxE`esQslg1rEG`ae=^QO0Y=XTMfZIt|AIbOW~+SJQSF>5{bDmZ{xRP^QD}% zy3bN3zDEr9%M6L|_tW#Q)wVjh9qXPNX09#ygD}F&-C-b=W#)Wn#p)>w2%kI59dD?; zgZaduQ|vT=><}+X+{_4@jK4RTxM^aVN1%yfU#&m)C`h8C$!ir(H$~U4Nvhf!70MTR z;;Wacnp$_QHOr{gybCx#b3XbEwhe>wr0!ngcm1<&uM=zXG*>K& z2v3wPG12k&)BkKsJ>5g&g@|E{SnJlk5vGf6i~L|Vy~kvH_TMdZ{~UQJ_~4Q%Y}oF7 z`|?sn45F4vbx7$#g<&>cT&748P3?tci1@gTFlWA6P)ftBFOERY1`tUs21_j(Qbp~u zqeo6>`M|{)xW|`#*}9c1teh>2$e9IejaUSKnPoF7V|d3SxQq$^)?L{ub;MwmlhKN* zsJWVTzrmfo-G$VR2Jz3c&f$}L;39f8E*6&eDgl91SM*iUCsdpSqnE)8WnJ{p>O;S5 z69@3Bm|K|o{sbZA`S3lwhX0M6ow!_GMMB25q zuZAO94mJn4T!L$X0E~JqzF*iS-?M}A&A8Y3$rl*lg;=S>6x9KF|F2uBD4HHHnAE*K zIYW;B{42QkiEVG54b7_*O=}(*EqygeKO->r5?BYORtKs9m+vfKm&MN*@9&g9MEDL% z9^R3kyC0=f-|SA7VH9w*Yp1i%-&&d?V&`K`kGc7fa*C|Rj|hY;U5>>D2AR9i{i+q? z-s7tLVtt@G(IRpoRPGDq#zKf~$;h+1?d8bRKq zKkjL67s`SHgoay^jwPvWF&AR-f-jyxGe5RYgoYoviY0Vk5;@K6O@eXM5XeDBB7!0f zEJvaG6cJ5cXR(6q=qmoO9pe#o`HBD1ApF~3O3ueAODm z>cYVw>2@JZfbZPqKkv?elz#u^3k7lf5#93$akdoFzuo4~v~ik}z!mb^Fd7&eH;x2* zK1^ttM*S)7B*X@ayjcj`P$&-~eu-o?`sg=0g7<3{?hUD1B4R1}1q}>;l3# z8H5#*i_ktGlQwhT0b`fB`&snA9AQ&=fb7*?K&9fOhPehn0BYe!M=&s$W$+yMOu7QM(6+S`r;4|s0DGhJI%B~xYBQi zhOQ?*n;!@}bvQ8rk4{#)OqjEqncw-uk%Z=Pn)?^b2Dy$UFot`a`LH7LL9k_p+qL|+ zIUe?PDacaWwp zy+^X+WN(V@BjSB|K*DR z>wjd7{D6zZsVI0|h#mo+#Q}6>9f6)eOT{96-vIn|_8)uj0FE)IgVVnqbw=b8`Om(W zkw~y>@&ugy>&kw+VhP7EN9gaEpP-^zb9-2d;7S}!hfWvYB&0O@VsAAKoKhfIm(T%|#H3;dF?U!ZXjmNSE!~6s+9|?Oy4M((Jf>h~D zRQNy-^7}^}IfBHnSQwr!Srb!0Yq`+7gI&?=iY28z7ITqR)7vT0fi_=osjsTxxF5h7 zw{sXs3om=wz8WDJpiT$iy|B}>Wj#9^Np68W0C>WGr<-7^)2DX<6|0E(#S_~h$w zxFUQ{6oAHYlb{sP=qQle)zGztlXC|9u*YuuScAF=Ys`Igd--@j@K{GtH~tC!`i0dW z6+MN~;v@O`EnuI2c?aClk248BQU&!&EN^3t-r8y6+EsVPkXy@RH>PsRq3?xC)+l>s zd&Lr#utjK66<01nuC6XNYv6AW!xc;LmphKWb6te^sOwlicSUg5ciQXj_p(5VCmGBP(IJai1O?n79vOCQf2^MdG_nlcsq0OF zg6}x{`CQ*Ilyr_itA-HRB&_Wvps+>SOE7&ACRTVKF)_3j*r(1lDE1I!l|vqfNTpfE z;-1P-Cw&)Zv~QgvIp3#}%c7}iGrrGak>$*1if-e2$25Su_U#@TUcJfv_~)~%5T;WI z5CIa#D>HjrfV>wFgXT>Si9-6Esht&B)P>%Q{+#8f$nVGX6q4U>T+FKZA+kmfOrrwr5L%07+Ph?9(`PZa%Wz0oDa9~n?&5iV*1bx@9J zs&pB*_w*w!Tg0^-JA7v@5R5p!1cnegpLrt)Kb0vMf=6%64YHxG_fX_Tzl6)&HURc= z?vRC^M+!MxDd~cOUx{$x7{{rVoV6-4R_nbna4wSf=EtuS-F1x-9zB8VWYTG6t zp`mS21lx{Wq8q`lp|XD_7q9KKbe>+W2-D_apNlN(X|dq5 zR~Kig3V!W`$5_nBG7=UH!ZSls@WLRw{p7kFP3a znGjoYItb4E`<|(gLuGvX^+%bXTTUg_c}Re$o~~RCfPQ2K9T(BLv^!8>ID+(KV>)F@ z<}YNDeF}cS!P=EA$ec2c4urA(Us7J5t686kEcryeRwoszuz?iVDO*0K_(l=;^}Kv| z#JV0=>@UAB3Ow4##A;R%m;XG9)g^_c5~CF3@b9ZF8zFA5?)@fWu6z)wdU1ZTIR%-0 zC@E+g4_41-I6cQsHU@ztU>Ei`v_!8ku~wRRm*Wnog0-eJBZ*|AH722bOloilxfQ=K z+DDH7Q&I$DYJ+G7p(e`pBN#idmR+_~g~#hp3wj~ce;qqf*ZyNOiKRJV?_2|6ai>FV z)qn$Yx?bfo?6mpVxxfH+3NZK$2(?C_ZLMnhTe<>VO>km~6ivZ=EPeJ>1U}P ztkiFi^715(=1!kHG0iM?$g#3@#QsbY&L%uje;!umhbfFXd}y&{N4NVy%exR5Sy)hs z9soh^@;TrBUWvU2>$-;ER@bP4ibs*=8di@>KBQ(p49owZ?@HaPkvGmod%u3B`PO}Q zDQgsT!tlZ_;u+ROaQoU&e42b<{T>`W>*U5?YSQ=o&?`cG`J^NvCgx3sJ$8lp0Z3v? z>&yXoVhyp-qPMRbKmb()5FxwA^wv1|6sy9_-caSdvTDTbndz}f;_*401n-j^s$FawJ-M3u#Tey zORV@?WXb^_=;M^iJ49l#wF_2|ikp)igiG7li3GL-JuX!Wn{0`FwiP`fk-kfM;~q{! zaGpLyl|1rT#8#&8@jjtNBoaF1V8IKEo(=oYx3$=oggh1vTz)VWUjvt+Ub2MS#(rIroqIm%-*D>(LV)Z}_3 ztU!Z@A;0IH>kO_HQBd_7mdkK=8P0hKY)UcS6xsh??m;~mEQ+s@M9~y^z*F*039Br` zQWMtj`)?^DOkGvCUdbP-lQW85>?h|ox%TWBx>34D;PT<rMbuy6GtP1a7 z&C5M98(M5q=%B-uVKU}g6EI^R7yB4qzfhJE>Gas?HArDnU!}KEwTGR#IB^IMt5M)?r-cmQID&;& zMC2(Jv2$VHr~|tEN z`%Z-3<*)gEPREO031>Y+sj3%YAF3%l&L%gkEkq@b>9%rcO6G$lbz)ELKruUrT8NyB=H!#bXPh>L27Mc-qh)SF}Sfgi%DRTHB z;JF$J&+Gs;(@A#XClE&#L7=vU$-xG6N&#vIHBW#d#Xi+7OM@s(KA4E_!qe(fD@HYU z0i`~h9(tMT1s38x2tW3-xU`72J@i8#0Gv?3Wt%1*VAq+j(*6Yn`k-&gujaU;dA;oy z8HQ_XOc^?WkNI)7 z(5wCkq;#@py;!F+uS|oETxsg;eOZe@(6N$iOD&QSo-mS`vEqxGcaxD%rdVMTl(#-G zb$FS8z8*Xyv#*s?TDrDI-Kxudmpe0JEj^s_l35AX2@R?mkLTr0<$fhXBHerDd@mZ( zw%S}1dkRZxxv+H*ntVz#srm3dY|Z&B_lFyA_!{h6HRtQ)$Ta$=Y-3CHaB?Qj5Y3Iw zfXCh#lJ6C>I(@u4q&J6g3@bIsi zj7ew+*tPID3#0wQgouEJGiecYPb&NDPZSS}`Y1PP#D_))?6RbmqLkwfZZX%fQ>Qj~ zD>dNU>1%rOXtC6SL}CnT2HW*vEDi5##|@X85)RrD+Sq{}>aI!PL@9xvb!Yqe2blFC z{O|zT7e`yI7V&gakBh_UFlFogOt-Xw?Lp$6kR$Ou4cH#T2Zuz+3hnsuXOUe)0-7#; zVhhpY^3@y1zh`QhW~x#+*j?Q<7;KX}_bpxls{$Fr>t+4Q!7$-4}uF zA!b#pxwLt*#;|*`F{Iyi_GM@J@`y^I;oJPBhfb7qRzv4M?PS=Doj8x;9}MOCDPr=( zD!C0U^+Lc=@vX|Cl9Q%G+|U9@TQ#4FmtM_(PiOmP^nO+bQ3rSTN9zPM ze5O=MHs5x6F-%qjmh~c%_9vc~ z%U$-oQ;zqVlVA)MWtf?7S5doY-cnI`^r6Y|)hG5J#-y*s92$#rhuve6X48x19j~JC zdXkLi!(DN2B=sZBibcP-sn5BgJ_@p`RsVHAzs{g|j~EQSvbNo0vuiptpVC%`R0-T( ziaADQ8g|uI;doD;;a{$~d8Y{Dpr~diF9ptmqOMCrJL}%}!7S3f4(y}`$**|#tK@Vf zNpJn>Jf#rH5&L}1`tVmFBcZdMpn9=|E+QT+QhMF+!O6#D+Ok%h?k`f=#gJ+ryOx;i znIqni6m*?K$=LS<%}Le~v(RzqU9NA6XifF;K<0nymm}7uP-hn9R%Buloi>=Mw7hxl zr)RG@v9pSxD#Lu%BMKmVq+Bcr$!h~K=tmLvWKnX_G$*%f;qf=EF^@-jVs_%`ABP<5sCFdQjRmlW|j zAg0SEEX>=oq^tIt&qhaoEH$0{%H8CykT=|Q1xAK?dj7;`>NdKiNjOEdwX^jIf`~4O64obh_DTBebi&=DVWX_QK@-E#DqzULZr@=Z1u@ z!+T|D>bGS^$jh+SXhrU=MIv+dW^J|vsw%lY(f3gGc6b4Ls6{Pe>x6yuwpfK4N09g) z7I}B+u?M{D8(}s-g2ihbSt@NxK!u(W_QbK@mZbr}3aIYh5(>U)D+;8DRjX`wHfuAZ zYI-x0Y$LlsU7lY%aXzhoPfC+teM4g(?g)!tbx5bco(&V)6@@HAj9>Uhwd$dAh_m~> z-c4SU57UwN9uhifSW#etZpm4>p83x+z~6f}uJ|J@s_ioePNj8or|GbCNm=(gDus{& zvD;^@M40DF;%;A<)f;-T-l8eb?e`%1`t4pNL4v${*m~EC^T6`gsl2?IP#s-QqLwMu zci^cd;SAE|(&k8=pGJ=>dYzn$&Q-2PDu>wx>;NTmEA(j7XaPgo{W<4~uLFBJqB!J? zNWbDkqP)&BlW^lI)qtnhC$eQdrmq|GJx0jRn?WpSsch|bCW^VmGVWJZetTbh zZKJCYDq^?VV>OHig1ud4UP_{ae=YR4(Y#S>c&1b**h3P0JxN*mY#j(GJOI zQg>I|l`>+I{^-6&KOr=O!22KN8N1ra7uxc27d}u}Bfq|J?wV|R5?LrMp2=pg|2-$h zClB8SkC2@4TeLHSbmhsf9S%_rNb4s^fL($eOwrs!;6=}lbL??dl$9VQgm4iSf?Eku z9;R-T>=*6cry{b>U8M7(WcYMEtFvy|HngSF^d%EHrYpO-S?U-_jZ8 zSS~Nc@CzZ#P`A-w6Mxg<9_L|oRi#K|KM26f(P8M%RDCq=4eoCXaCg(-^nhK7%mn=%8spN~q3JrT* zGI;l+=mIuJyr7LF3MM_flIcrUNGkrjW&q2(E-64Mcz@@|L12<30v!Se98Wg>K9v-< zo{HsiK9erbfO^5~=zZF`%9#xI%1M`?=%cLmp2F2*nYr6Z>b8R0EEz_Ja^H^AdZdua zJyJ1tmltx0-Q-!(f&Bf;{50EMa@Q6?JJMz4&sRM){;TxFQ56ms;$PamO5%|U61rzQP+TRft_lXnE z(Inw;;>W!hsUExk)x=-RiNqa4$Q18}CtD)_!nD`~-C^-JU`Q`g`nl^VqHME`@ei*t zDm0818SVPX*PQHLFFpu}O4`x8mI&Ti;#c9b=Qnzhu}v?+!{-e>xrwr?G>koZIe+lk zBBhHwj^Mad+3loljPdqbFZ9jIn!qie{MjKLBc$bYw|vLpr%1^Q9xJLJ;wxOY%MxbU zYWWC~*}hLx$3621rE+sTB5=tBQan!6O-Rzr` zfabXBuQTwrmS>^2BK2e4s3~X9l|w(AFj~g$z2GfwEv`0!C?*EYrgY8xD^Apukr|gw zOIYowDRN?w9I_>bEduQS7&CJ?ZJAPY20fau5%dK7C~|i?WZ;66(zhg!%%|H| z&KH-O`9*?bbaqVZ?6%{nL)jHOL%(6Gad&U|2C)Y?oO0#jDU-v@0)p34wuM@SqBOm9 zxUe{pPaam-20ZB%}6sX=NFaIRkC~G-uO) zB1OLLL$l-`ND(K8*Vq056+tPHY}!{mKsX?qb3mx`mX=eN%CsMOq1e(nd}#fOcUb}L zEZga_$0xDs%qwjn&Ef1!#@9f>~2l;u@^k`&2z zLy1LmJJ-LTZfk_Y6mQ_u48V~fKU$@a-ip^om5FA6W0oN9C)ikm1x0Y0E`m!(G-Lo& za5s0;LbyPY^V=_brr6=CdT^%CvP-m}T~eb?8VQ0y^9A#CG6k-O14|zT^W|QRC-nvb zJqWjeE2^L-x;Z#>y0_)g6BcRY{4AlP4N9+=g!V^c&DiOC%4TVUx0* z;Cr~iSJJY^{-Lz^Eq=f{i}^H}`@@S9XOi7HLg%_-!piQ5wXyDA)0#_A_DJFQ!>m$) zl%1+hGg%0Kh;)-&e3)%UpHbvJRKJ6ety@1Cwr&-{GUu$K@UECKnj2v&>0QQsN#Y6n zw?3GKm#R49UUdEBP<5llnV+*nq4kuFMTGdn3wMC1qL(MGTb<3ANVul~t8Vi(->Knm z%YgFk<3wFrtK7ZKAx5V$#drIg@(oVYQ8Cp9u`x(WpehO@9*Lc<>{GZAykMHvGq)@A z#B9U`V{9F*p{I8n8u8a3Mc{Gc+dW4&UcWV#UEOj|-^&vUdoi6GBd_l&k=!^9X2W#{H@OKu12oJVbREQ|EUF-uTlG%cL4a0+v9=?+>!W3%Ex{}U0& z!dS1w0e<~)$v47aT<16u!BWJz(|(hTp4!2h+&ICDpTzJnh`E~V?_!P_?OERRsfn+< z8;1epd(^+5WYbYqC2qx^b8%M@+rebvA&Z(9BSN(w;H608mZRRE-!~1BJ6KhI+0}JP z#(IiySwAG_bgQdSPgR`M2E4`w@;TXX!Rq^-#Mjfd%fHRe^Bm9aQ+S^Zh|1~xu_P@i zzdz-DEU~^Pz?w4n06wNdafMw@M+&yCwhY! z%%eUrjSEA5aa-wQ`AfCs`&y;ub&M~WK00owDSwmEZ3Re;?)80r5BRMORC4CS|mJ1B>J2->GyIBNfQJgqxX?@BVNWPrv$!Hk(8f&iKWvd{OGajaWVH#UWOdqW;mn`@(`> zTqR?Py1bJ=?X>U08lz1&Kb`^g)H!ad;59~Eyua~H-an8u?H>ahuE#59 zj9A0_CiMOGjX8J6GfoB-cTAXPd`f{NFGg%pgTc7T3JmRAdFbpN1Z~1O5p~BTTz>Tf z-r4QSrX(8_!8bo759Lt$&w1{l<-EMhEkXpZ%pBr~EN?E~C3f4}-96UieH|M3{qQ}$ zUNMoR52J_w^Yd}-s0yzV?&;sV#TLp3%XCTA&tbm@Qncw-5I#fOLE1inY@ zpGN&Zs3`gs(JVI#{uPT-2x%?r_m%@3E-?^jWM}3ke2Ba|q&bkksUGI|V!eGS{l}92 zcV3ifb>r;FEsvK83#P7AoE!1T0@I<*!lDv=2Z9_+ilXYvpB%ydZ3z7sWZ|6pi70~< zgQpKYj%g8}M`!r;;6uhoVEM$5CThmL4mzi`%FLY;LuQ`O;W|;W%GH)tPh8r8_55s} z!o>&J8MM(rVe_}&gp|hiqUzfn)vep8d076%I;2W}$i*8N7cQm+6O(WNA%&BGOiyt% zO}$Skh=lPATh`4QtbY`1sJ7Lukhvdi6V-$gsQ2+)FF{|P4D zU{TeR?@FvN?)RVmR7WP>mJmHkoMm+NH>2Zuc4Nt1J7>H|Ro2eBHvA)=U#RPH_53Bj zbe3687;e>ZLBs*qAkwLrmbQw$$76X^QrE@UQ!rBima9w9htB~W9eCK8U_!PnT41?j9n3}6U399CjYGkwhq4>t?^A;y2|@i-XNIL-Prr+{i+x zg1Lis-!>d}(ac4heD*(aDr-}1pp3g69p9g)-FYiSmn5pwRSfl->Rs$LlBV{J=x+iy zyYCEOK{%Y9ud|-+-EuEl!on=S=3=!KR$$YbpLft z`e*LyK6dOWIr}onTpt^U)a0wUaCZU=i5!>yh%AjkzrWq!6eU^}GE+UgMbTM>5aCmQ zHpZW*^M?nxcNiZ@YvNxmWI>t6r2bVv%w1jke2Jf zY(s^Ju3nlOIF7WB1i*%khT=-@QZ1x4DVhNp5|P-(8dxg@ssvP7tYn19k$8jG-+aE3pNx?&R* zia@&hO8bU~)KJn#$k(wN+%-s3AkoqIDWbl9CjtNYk1w z>Y&e7^f$_if@A8{RO}F1!!bv_=4n!8)VZ0)bkV*1B~MT!8XD3TRJ(zI^HHB>#fG}X z^Vn;tx(NhIzI{-uTM~4V-$)NdNcG!roVJ-WnRBI{axgl~y-zBrla|DDoG)nKD#jve zZZOk<@)g^<_pvylhTh}3+0Rl=GTi;V4Y5xj4pJ9x$!wTDZA8B zKd$U4q`Df1i-Mxa+CXo-`oh6Ykpdwlpuj{MqNKd38xddT;Xde7>i>1d=*Vr%bY;oO zh-pz4^>k&>#|!as>nFe(_Fy#i!=dS!Qu0phd&X_(trvkFLUOg}6=e~d3bvmuofc*{ z0cn1cJ+QJUBX&+Q-L~BQFL@nEB74$rAGsS%;g(Mj^_ICa`VP66d9nEPO{~wA`lZNu zJ}92^j6Tl7FLyCstJwSjiVHCZ?q|5?hLiU|HS`DWii6^Ra#ud2n?HlNmicD`m-@gn zr4R>|^kzz1`KY57o9ZW#=YYINY!FR$-=GwAm zuANxwO6y>TO!J#@A1BR=XVY%M>Rb1~L25$L{_NUf<0tY?nD`;E;1yFl%m0pD;eI5} zEz(ds|Kr7w_qw_E{;8{QgVf5Iuw3c-GFW0)UUVSCvw4Ei@&ou(>UjH%%+m6u%SCpE4vjd6R|3#%oe`Y%0K!)} znKa!4-TE3m*B)(9EpB0oZR@@r+|Ce*0mqhY#*u4Iap|FtL|@?fi6R@BA~mzGz}_{V zI#1qjSk%S%Absbm!qF-Up>qezUNNv+oosYWbACe{dL9Q60&dY$OW2f0zW)N{(IpK= zsJaxA!)T>Y0RL>9BVlNGgJ>Sj?A#m}Qi|v<#&g~&bD%X$!it?7?J#E@+)N$6M_r<{ zh}0w(*8i$v;IqLj9;_V!G=rgjt)bB;W)^*&|L^b>eXmo8G-*YHHQ3o1`5ECBjg$RP zT~n_V<8#aE;~anpP#aZ6q?%~5{Y<;$0?%*wipF^osUY1(FhLgg9qqKqBaa{=vW0}z znAmOe0EAtX$)Dnp<1Zd3ZDg_1&keqWi0|YV%#|)0RtbPW620_j!xX4ZcC8Iidm0ve zCS-*Fmi2A zFJTk0^az>n2GNECdZpr=d{)IJ-SStzZw|F56RsmTugwz}QO&C}A;rM!7?a`~I>e~| ztcFvQjc&etPtALhu0<2WlFWExGMu-$sfuPEJ;ErMtat9U&W62q0&!vX=Vcfuf2amE z9zm1o36rfeM&r?M>hD)&k2f>!n)A(=h%NhQke3bm4KO8n%08dKqF4qW33Dx{Zm-H{ z{HbPFz%@B#AC@$zDn-PrUNN|{c)5G?Vs|OH11@zL4egMO-WxV3KvaYc)Z=JB;134( z=M)+n(#I?Oiy>7Z1{OP&kp@5#$%Sc~_p6hinUfrPJ*p)GTUn8?&EmWykDf0leIC8$1?%S#PdO)|Xj4PdmUCiEeQ>nW%Y4x2a_H7v0 zX#Ni*%L~DOAX#b`%b}fJ%qHk0Wtwx5{jLcAlg`5Ts4I+tpFMiYdvYCI_#D33)}cwQ z@7Ge>fsqfi!kUk~8}b^X{4Pyt=HQd$)By%=_qy*;i)tH2`f zI1_fNp3bd?Rz@e|MnT1>JuVLrYygfwx9luFrjN)f@rzxY`TIm_ft58Q5_T};nkz0L z5qEZ0ryMaTli(k^t?-8J!)B}jwW8^j$N-Udw1L3Z+sKfe7Tqy0-`5wlEds0fn?iSJPY{kXnVbscij+HFj`Cu1 z@HZ>ChsPqiSC_h7u?RfDAO1vpAXjgxuV_AC58Iw)7*{YmUtZ{Cj_vNCF7Hqs!MUZP zY0?|^T-x!{6pE%KY|h`AmOsZt~3!R z2aVwurW?`Q5LmoI9I(sC(GNEI#0F&wNfk4&StSTl%5LiRT;MhzPRW~vh~?7za7xsW zImXEwgMb#&C7ZLM1#CNIAfvlz->zZ?yt&+KQVSR4O{N2h$P{KynvXZ3X+ss+42a!x z1Q&=2MIL#j>?JiEeC(hXpm^`GWE=L;`!86_MwP!pGpjgbW1}Yox+fz+<>*(sMVTE2 z;`H|S0Y}8i?;-fGlnW=Mv@cuiCDd0Wc`vgZXaH(7b}!zr-sya6PpRH9yUHz+y_@~S zN-b1zp;Tut&k#t8?*l-hK|v%2N>v48Q=C2WWu{S!NeX98O1Yh^2N>yoMd?vE4ct0u z(nhtcY_Xx8n6pep{b7y;+9y5M+@5yBHa7fGfzIV;he6>09s4Z_3erGA$yC2f4 z0g#P10QvH>&S?J1UZo@M9s!B3hw;5};pEP@iS{VADJpxdl<9})w|UW%Qvs@h5hwNR zZ>&}=sgtV)$hjU58?y>pDsV8OcY^nUC{HaILqV>`psa0VJJ#is3(0QF0Pq+6Sc?RArX_k2?ZY6_F5FEfBBH8W{@gb7a znwbA5s-=P)i)vvbW2-V#6y%H!uf~e&oRuywlE~F7@3TF7RL!)(A6n)A_OlujH+K~1 z(P7+3>8vLIfq7OM#V%xC02yP}-G z0;ZnLW%}zPm-o6sT4Xe698?_;uPv?zI@sX1oI$p{p;PCXxT%6-VtdUOdNa*%C-Y+l z9C`aw17ujQPPuLP<(#F5e3!x=h4@VF(|FGL44$j(xO;4)l@9&2U{jY%nL)-mg;lZ2 zF|@QP);EiAplGrLCYduD@6>G}ux1^3jTgtYOUs2Sh@L_(jD&nt3!%Mb_dC0)x$40oE1}@e7;PsQEDPE=@F&ua_z>o6=kGkU}#;Z)3f?hhB~Oy46kWo z9+L5xNwZPbqgBF{FGMQ^->w8+Ws?tjBb@zb3r8PS?*kWP-fQDmRsNz5*&jL0CJF<6 zXt)h+u#+DZn}z6u-h-{k_bT3@Rhmv8NV{%0MU%lFWX?);P3u@Bpz;Q}bhh?e@rCGj zfKw^2R4_3XPq=%yF05y6TR-<2Luc@b=Z8WXM@2_3lbDs>^{}O+O2m=v;byB}p-dHL z*^Xv4c-FO-x(~VibyPj5M+wZt-5gb+@A$&Whx!T9mqdrr@@SbLx_o;jv6k77w?I_(;%EkN*X zNjC1yUXH0T682=i1qH;9jkC=MZkuyy9|u-KeEPd%^o@>TUo-v2JU?V{bfs&^KI3x3`I1;DZcK49h!e6GifBFTj48i(k~r(1=;ZVi|UVG()dPMeZn z2ZtRq6gMMyOL%Jq`Mx=uUD-%&Wyztm=fiZ@Hh@TaU^jJ^(~Qf>YO{U4{%Ft1PSz~g z%XV!kOFn>D<@1A}gpG$h&*@4~=~v`{>HbVlCJP`?;@YWR&*#%!uhWQ!cL5nNvd=ZGZsg$}%I`TK2T?UpE8PyueR>Jz5g z{bJ#3XSwY1%Z87N?y@{^EsDrQ8ZNZ$S-(}taD|d4rOb`d+28q%a($cBWDp*@zu?Ji zD)&M<4FW4nI(5k6+_7O|NXj2Eu9M7V>K+!DIR+#+t9Iq)uKlk)gvSmOkHYAleI~Az z7hFpD#;`>GXE9QHY7hbill9C?7{#xol`bF1$^uM`4W}HINdJLm(NOSh2cuv5g~A7| z*X+kSn-rNs4<3*87&Ywt68*7rlzZG;NKCWX8y*)H!bxlI_L&J$Q10%4qmiKZoTDk} zS1%PZI;3C~m<`Jl8a_4X9ZfAtkL$5JBQM-nI5xXYYNE`<(A}{jSSD zrh=2nobUTQ;~C?=KQ~*Fm&j(rTF$@@wH9@%@h#l*)@tnMFgMlAb+ks(=CC6&uLKR( zmaQefYc#1%Ur#npx&2A;{p~H?iD?{Gn!T?T%^5l30tNgdHrKhj#IMV8qryp=e^iW) zad;X74DQq1VNmoYuyAVb(_iZOLlktrNK8(Q@hxK7bWIIc#1&z54ULyfY1s=Le>QOxBDd-~?)MI5akvI5^CeBAd&AtR z{QP-=qu18h))U9dnUWpSUd$}%^rn578I9kTRez>2WA8|?d3GXm;QgRPaezcYv6`9( zL*bm1wti4$hF%-_u^#K8=2+9KE1fzrjbi4wNivBc7~_#4S7z{o%(Nqar&{x_ty=meuBvqrT0$!^)P*8Y1g%2 ze-k{P3&$8PnUg$LY+}s{UI9h&@@;;=Qzu~i#49GFz4|ORcC}y> z^a#a(+M|lfLM1lce(A>4+oD6Ftb?tB`1V0`>oP~>Lt0)36f|kSk=9pY<$T*q%Z!ygBOk+Vyv`Y?Sndl_T=%ZtIYLzy^B%eDoC2l=v-Lk=TFgT= zXFhKIA1Ezs<-Hs;wHHiY3`tiq^bCGi?APSDHPQrLo_y%zO&_?=cajUcR@|VOfGlxQ z#&7z;XR6~gVSoK;N5zA>XEzf9yy{;s)qk8zWd9XGHt~RNonr4oc<0rzw?Rh(`2)?P zKS3ApCG>OIg^{pI`s6$i+I(uBYI$sy{XML-quu`e__5(7`}6*Uv?V6BxhHyeKljzn z!HIqhPAJNVJlg_77$PJ!kRzz`HV&dEVHSE-L(G5ULA3oltFZd*$3&0a6M5UFDlKnB z@EtodbV%pJGxB!8u|A9PJRJ9n1=9QAO!wmx?e=E1s7d&FC23ZP`*IcNR8@OTAEQmf89|&R#zQ5UKSmeFJSAYG5t7(9# zJmcBw<#@|S6C%bHe#XC>(Q=9SV5BOQQ^osOfMJO=nS=$)xIbA~+prw5zt40q`g5** zFt>M?O*q)ovq~=(cHMmlj%U^5!#%kM!?~&l323`KFKGS-yHrox_2fZ|TMcoBJ3!kf zOt0z`-_g(eLU9hyhkOW%Tx-B@ms7Ng=aC>U3oKB`aA|$<5&Z~E(G8Y33J>6LpkzSA zm2ZWGhIfTMl@P=CQDdO=B5t4TR7lJODavPmu9?yB`;IBWh(FqrO}5;ks-{UlcATk@>#F5(`{a?{A7SYo z`inse(OXDJjdfDcNwdhv@b=5EKa8Gq{#+Ck>NKF-1tFT-l+$fbbE2u4j{%iezDQ$V zK0Np)O6en|o$+N7Yu$X8R%qLhY7GK{a$H0T_9}Qxw>{kVU_!wd(&CKy39KOvd*%Y& zP1#K8Ta}}?SXi&jE!<)6JU%$ypLIhUagO%+)*#2o$MUwU4NN7L*3^ewA`~df@u$v? z{%rz#fGXHa4zRsgLeh5S#XiN}Mts|0ZSq09gC!eieFr9i!tJ+ziEx2^i}Q#^Wvz+% z{V!$I3}?+de!mI`ltvT#%0&oZNJ==i(unv5C!d5yy&H_e9zuLYRC9_5dtM2dS`W^v@k=rc@AEa{&c{|!du&sp1Ak{CIT{`fEYN5_Bu z!#$dNXQrHyL0SOb&1`Vl!T_%j@ewkAc}{R$1p%#>un#2i+mAwvm<)Lp;J2+`7W$W0 zAPKLatcz5gZDOLm)I{cg9^C#p%^gg{sxZGFYN-8>AD^0q?+iY+F-Ug5IyL=!D9jP{ z+2XgSVHjcm_5yA=L z@-WWSBCjs;!5j>imB1&m&oqpna)3gz!yJ{039rlhJ>!49ZU57N{w&(%<_k22f7ed` z?+@-0rGEZmCL;7t{l&)4yv zUrooZcp>sx!*pdJ z;flMy@Qn^WeNPC#uyF@%&1p&l$~z&Q@ARiPO*+=27azGvLN4N}scc}-Ue(^fvA{2N zIwmK!$}N?;TWTo&f?jRoQ72n^I_-K9+nWcob;bLbo0q(v!G{z@^b?x6 zqcG5(`}{Fql^MCNx{2l~ZK zs#s&O(Gy5jL+qa__;qkpI7y-aZj*(t0ab|+##>M>dpUqvvg$Hj;SFpq3ZKFia-<9a z=KAx({cX>E!GO@m0)$=R%^ypRR6(KDt+@dwfHi29-1_Abj&~MobZ#H9>=q#Cfj;Pe zS^!mFyL`jv6BhlruhAF)r{$4tb5|W-A$|iz}nPzpq?RE z8wf8-MfL}7NJkuePaAU4@cBZRXflGexw_B_w7MeSZ~Kqu&9303D7OjWkoco_qeBWn zI?V;3Frt-(g%G+Hd6|#gJj-<*x>Gv3K*+d1KMQ_+btH)A*C2Jg#&1cPS`0qfWkj6d z&VJXMqhVO&b+~$?a>jK%@5$#{7cW3`=Cfl+-SGK>?;Uudsc3-@7$$*i?vOHbwbq?A z?Wv?CC+mD1mlkDtvP~~sZJ}yQfh>4HxH(1$H+R&$190%WYERpjt0zssC|)i`c9nK6 zQu)3jyW54(4BO2^P=WtJp)5S}-n`%1zm~Y@f}}a8nyPzQUE^gNjA@8K{FIF5Z zzyI<_%nnUq&wT3-%#FUjk@8MqdB5!atPe(Cf*n}!51#;n@Z@F~-QY8HFe(|cM&9|B z{)V!*Lx$I+_ev#PBRvL(oYx*!@I(+`GLVbYtRHm1rgZs4o)_+%G2n@F=C-H6+nA$v zdOu>L-G)$ezln%JzGSKwLIq|6{T-o&q@u%y^{BO;X(r%lrd*Ji;*`8Vr7;uTLwPiv z*`J#=#=_FatT{*hsq>T129H8YigoMqVH1kJ)!rAu-^7;jMMeS*5J*X_=hqDxwv9Q! zWmJJEyj`L0JD6dZAN-9_gwBVsDii5&2`~E?KTvm{ml+#=80CM%TSllG*w9Z@4pill@DB-_dmnI0LS;nKd#zQ zIA=5+ewsbWM&=p?gtr=Y!{deB-Vsav1%JzHOVDc4!Wnn+dHp>gdVZX z%iYz0X~`I+(=@^J^;%K<7r!MmDoCa(K&S+HzQjisf0+hY`t!4*wPac0aE`F1E~<72 z;i6_wPbNOO9|H}qAwa~eRTJPx^%p0EdK9ho0Q~e2Nn?r!?$;=&dE#AahMtt%JB6WW z9vtQvSq6>lYu`)*%j<*|;BafGcFcjUY`KNmd<0CSLSPYJdsnJ9(m7g@TFLY<&-bvfpn zs(yxC{Js$56s^%Z@<=I|VY#A*ttURG3Clx6PiQa(v97HFsO6h~*kH;n$aLp66$Ri- zKoc}$n09ZmFUjpQ`v`SxTqABone8wrLGKCSKF=tZjjg|_5 z&u`J$Z%HH^z$I9}uOB;6Wc=i@9jky-h{9LA@18-GXJfsJDn;*#2G3$G>&6B@dZqaO zKumE(cJ375DXu6XA-Q^GFxL-Ry$j%fVBg#C)~JZy1?S${*L=-y% zlK+L{!U7Z*z1f8E*wL>87nbfcWId$k(tV^bvV>6M#J(ZSVPGo|VwwJZhyB|FF%)5L z-7|cW!cq-xSnUQPdq7HXuEKD638bVCp?9vo)~e^zD}e?x?I#ErB<3v@z+7;q%+seK z;3WgZ*V?aq`&6v5+iOmbRz%lYac`+;l(b2>?2ihhGm6NbAZ0c$@QK3m*HVar?TFJ;t(2zrZ?+4edld ziPH%jwR1rfmPTO>f>2fGOJ;YF{F|#BkDuQdRDJcWDWd4zlq{fWU{_C?lFIJA-X9jQ z5BHnC@aYi>S+=n52Hh+IJ%LJ+IV>8XTvd)XFKju`S3H1*PWd0s7kMcmtyzAWhZ zNV6&q$+APbZ+ecXUd}LZ`qUwOxG&iHNc`wo`{C!$Jqhhofes9amY>E&69m+9+&i(M zE(o$l&F)fQ4T7vm?h`#d7#MWIi#_|>U=8&PN+VrQ=4eX}%YxxD;s_&gcoTi}{ zsbtvbyDz)?l+s9W=1#c4?k0lca|LeP7}(0KKV!}~$F$TbWz=2kjiR~o(n(0)`4aWu zoYTs{{P&F#OhbX)^Cx_!fjy}D3Enb_awx3sIfib;Sa;kiaF3Dp@(B~yy(Cfp(_`XO z*5}jsy%rnBJ_mYEYpl8ySoZX0gZJ4-<~>f3^qeXN%RqHk5s>*i0Lc&Yi60Hm;d7}2 z=c`MR9x5LXZ;ktWJ7J>S>eR6c^YzB>b~QCL*CF+{4&$Ax0V7IKoXf^re-Uj+ z)v`6*lS+zeoSDn#3k9^?gsc%T@k-6VhSIK6HL#Pqg^^sY*pg|LvXKbPX6|`SCrl=7 z6X>69qc^CZ`yD;;;!52KDQ&qKZ8RM;S{amSYG}D{D1A@HmCmJ5_=- z2|-146XBJ^rRM@`0h{4^8?RUq%FOTx`5pR(H^u=qJ458V^hLTicsxXX$E{R{6W)}r z9=e#*epJ#)*@3hR&DBl7;OS|LC43vf7F_GoY%=RN`sfkmZ%NBzI>qr2*EVuD+r}#H zO%=&ErnIJl@zslF%+w8J`qoM_9_G=y3HK_yN%kndZ?s(7aG_hB9bpkP@Q=z0|CVXZ z&?j;oKaIxAC;oz3FM z^nM<$zdd&_15~6jhL~;-B%eYCcNn94>5(rxtBUF{^^5jp)>-a~z~YZ?kCThZ;b$GT zQ3RhqxUm_lXZ%ULWrZR)>F>QF3IcUjCa+H9H~$ji5^AU zt8k`R3>YVT|8ys-Qx^5W-ZM${bbaDxumip5W@giaO?0xe??M@d+_Mp4AO#Y zl)Z0w3jDIE-23$MBCfJBH;9J*9Axxy+P?ajS8(t}@#WUX8f>i?TxfNl6Q4GJjt6ZkjHJ){E4e40(Q- zDSyCcCL?#L%-HW}zt&pS*}rp6Cbk1t{iv`tRZ;=h3xlgZaOwO-!mrzz?~+P>Y6hC> z{>WXyQh2MB5U8nc<{fIM86(WJU0AI8DM&maX4RnMJCNYG{Uipc5vkyQHg7wEn!K}M z>T!0#bs$-I4CbrqifW41*w_lO>@6dFk1TLPyU$oVReg3uaWP1@TLxOXgiJ~%u8bA* zi3M|1IFPmw+xGScGk5Ui(N9P5a@Et1RczMILShC74!U|e8T(WF(6fV5jgT$xs-+ac zzzqtqN+@WVST98EMz?mhCF&$nxr^Rzn6AF-u%(*b_%y^I^Jzmn974&1kq9hTocHQsviyUucnJl$1=|LmSo;!uMM|V5`8MFE{NDQ`t_HdxVud0%#`V2C-rm0l(3$s!68+Ocftp4|{8Hwd^m>WaUduM*xSu}WgYHj(M4d#P z{|n2J7NG+3?7{j#*Td|sqoagH@n@JYPp>lS~CyE)`@=mv%Jds4CMB?E5yAL{K$?Q! z=aq93Y4}W??q`g;pqsD|_q1)B-=dzQAY_*A5Cl_VI7URn?={dPY{Bc3MkZ;l(5ROP zoeItQzAqn)dhfd>2igM!C2CcUqQ1~=_!LG7=-lrRILgbsmac{aa8g+d{Q;qjEya{VOU!kga=eNtawFBVM`Ex*t;=`_^R!1dq{K1ZbD z>Nm=HHX}eG(Ka1zguQB!Ba|fSMzIV^Ly@5ixImYB-e2tfU_tw0kfj+We925L?)F*P zp(9-7{%AkeCkB`VKzqL^JMX| z2rCaQbcW&S3~)3XceD3CJBEYqzMbxo>uPA=;1?O9#S>xIh+*?af^6Jlz7s{8CxO|w z6t?H7Vo9Ci0{!`oScR;z!g$Wu$Fkk%i#uEzihqK}5c!5Wxrn+`)WVQOeYn4btIsLp zR`~Mb-m;+#uBreEX``T-bhnf$#Yj<>G1XZy@9c+&bbCGFYqctyd}Z)*to~B@<6&b} z$GEWV2Yyv4(Ju0Jcx|zd%GwTq*xAc+4l)ByT;`})Bk`ZdsC)NZpj^hH_SjW4BN%jQ zdCYtm$G*a$SrjlU$4+#EvNz@$YeW{wh3Fx|gOOMpf8)sUk4by6Nh?CP6lPrBk%f?( zxSB}0)d z{N4T7G}Nf_I7HqZ5w=!Trq+Z+C+Oqaq93YMxE%XPrd}|c7`77Rt6APX>C=p(*&m7N zIZA#u&7ZZZpL=ugPDCjADZlA?&KWwn=Djm5^G*>LzD%UGm#2?PwR?)d3v_fv; zF`UR5w`$^X2{pdFO}PAawbm&@$TSvY%X~l(kqLI(z9o3e^WSVujoR{5|L9 zrEb#UPf)$N#Ut9sQ&=g=KjMUKZ&sAlUybEISRBXJUr7=;_;W`hzV#V2q+h6#R2X65 z-Q|xH?cSbpE~L9yRCgK#eAy5atGya-=rt%7Xkb-UQhY=iLv-4i<^KHuJ5HtzAkeUU&Jw^{d=kA-sG53-X=d zb1m|blSjdaSb3A^?3Eo=4|x#KX*)(ptA9msuWqAhM)K5#Dha%)<) zjuG}8ZUwFHwl=~T?7;%+cGw2K9;4FF?5yN>UTuqZaxLHU)Y@U}3E)xeft$s>txzuB zo`Lgo;Xp8rcbxHQ!d@+*NHW*2uH3LY-%jXfg>7v{1>>x!*?jCoPw7wwae8W={GH@5 zRE{FF-cOVm-8jSF;0A&*0{6j7plht1P%t;zvxf>|<^a+iWhC z!>e9s(el`kAd#!|g7Q1|>(omXPg8~yEYvPHwAdU(xPqj&Ik9$KFXn(ly}qKg!g1J} zEC*E6bQ~@voRsow=6zNs4;T5j!t!%^|A`B;ITk#y2K|;u0K@DwKxeLq-CSV0mQjek zjbxcb-~GFHjbv0|x}9j1Yzw_C2<>Iykfv&pqH zd90@xSyi?|aw>IiW?I)mtAnG=Yh$cHy?L}`T;7^t2=0+TN>Xl#gdqtDi#L)aFRV=! z7u+}cZb~w?#wIDLGRtD3w0G$ZpMZH&#q~PqitGz2`F0%+uVXM{$F{u}RBo7thR$Q- zqRK5~WIKw(DGa&Hiia6AocBI(6$UFT4xyP_K$y{`qM@sng#_%%)Z->}<>~fe@hM%i zWb!MZo%!@ZvEPl|25EIB0+H!S=wiHiab`d}@sxY4UyaL%xg||@Ra$=mWjVQFwRTOWgN4b&e%9p zEOdmHcjs1q(mY`gI~ks-RVfmSAAd)BQ^m+QJYxk$N$>1Nu2PMG9m*^~1`mCrf<%T{ zBVoSsNRi5Vjeo7|#$_7b1`)7+Gz)9hWfEuiY2?$PwIJkf`sU2On@mT`5qwxTrNAQGS36ztGvOuF3}z^X)MX7;iX;NyF@9V@x2lNFe#>! zMIrV(qf^>!FZaEtM42dmlvHz02Bq*%vEFC+bm5n%zjxsYS77Us_3bPGzeuQ} zb#2u=yC&S7I$S3Pk}jCL_L40mb0c!1Z`aMBLIr3o53R~KyvlXd!_AF~u(pj9?>D+h zwL9o)yDUXTy}Lm4)9*}%4(Zd+DeAF05s(*K_QlA2R(!At#-hnp;I8*9aT<-L{1370 zeF`+LG3-mVb^afCrpz)T?Qfdc4L*G&!17g`5e1D?wJG_iR+EQyj+?!V4x&Nh_iJn~ z(8fU2M=!HBeQ+oe;i$UzLYt)=sEOlwmU5hTQMyP)Qa$hN5uuhSJ%>H znk(l&7im}7m8O5}jpr_)z`LP@)n6Oyb7P?FR|1|VcjmV(m^5tb@4QmNeKU%g2-k`4 z60(r^bqHBs(={(2SR!1|NkFmuI*xdAUHUL*h5+rBT}0Q**QK5GDzBxY?d-{q-(Eg) zSTZ_Ew$*)QQ|$Kga&%`bYp2M!o2^1`XRI-`!WTMPq|7ZP$;#JTb9!ZNd)vTqp;Wu`(F zSK>*z$(;`7qt;y{GzKmgM{Zu)cZYF|k9LGvP<#DZ>LM;*%j_DZ#IZ9lGIsp@y!g*+ zL26NRm&5q;X?Kl7{JN}CmkS(kgO6XMTY3!sWS#H`7wIHc(-4=jK9Je&a}gJ zqTqyyngi$zVuI0_xrE(*u>1n9y0S>;3mx22w&6R!5wgJ0(vG+}l3WUqEtt3hSujyf zOC=uWI_r-iY9`%AJx!u*m1fY0uSJ;VaSumesc$HY@`5oBDN{r=_Wm3*N_Nfv2T_hW zqxp$>XM`61VxW?SCr5H{>AIeI$0YH2L%Rhzw%Y5j^&-=cKKDx({J9Hjz?LH?sYH;>NeVM8|`Z&5LKeDW?;940nxtDCCqO3ndq#*W# z^Lf&8b<9$2xK)^45o6(UtfdOGH(9hvM!=ngEX_{f=1u*&GRZac>bpzVYg)CTthwr= zpQA73{~G%J%e)$9G-4wJW=W=@nKTOJHuJ%aku z5$*22t2EYfZ0q;IM^)er(zf0Caqmy=O4PM`3bzsN%4=NbzGPv+C=PCkYcib?nZ^#G zlN@2`y{NU%CgE7*^d4-Qoy^^_N!;hv50$EiiO*{VD+HZfMca{~TvmllnIKn~;}&Xf zL2o#4kcSyVvA6UCQ^_|2Hkw~^^`dG7lHKhInSCrU;qxhrm7uNuXf-{uW=a>6iMntg zLgIXeACs#`2YZ0)Nq@@q@%XZQxJ>rlGqPWzOm3W=9LN;jGOj76oA6!KdQ;viz`i=A z{P9>4i&x=QMm>IW{bIP>D9i!0*-n6=MO-4`x5qUCg0m01JBhzL=YGIm%s;D)Lpekd z{JFLy_7rN@0?3hfZH@htpaQ0{d%`gHw&;z$olk}9Hmt(leIvm0aa`LG{#5>GuYpop ze2Gx`g&1pHoTPvy*2*$E0)x9+JB=l~#;!^cnd@;g5O2e@8kp7V1n}F};sJYdY6vV3 z!RzPehh1*YWqO12PKK7^38Y@3Ay-3G|0Ts0zAn4DO~T!1cQ1r?!oFOhS_ji|#XVpf;}pc?OwAH@Ggm6q92UBcF&DT; z2sx=I!VTTdL|CKE*G+Yh=1q~&P0%hg-Ff$#tBGEJ6vrKH8AQ?nzmgyucQTv1gco+WO))g=I0Kq2{lFMO+iwkxz`9 zysmK@)QY5kTiE$aUHWhO8@fSv^eF>F>M2sxQ>9NaTsaZaWIMfgaD?eUkT1K1iJmxb zZ*Nx3ssUQ%r7IldN0H2r!6&}EGtLVa9l$1^50NqKGCO%4wsEt*al4tpt(7F%iaeb_ z;??GDdKD9Ip|ekOfuT+zW;AjUTw}eTBnAxM4L?I*C@@!`Zf)nD&{0MP#xExbg<;TE zrfO|wHwiH~g(XsZB^#j!kB2wf5SW+T85ELB>wi$Xih^1D&7TTYuy4oCOb^`N)&Q?! zp(o)~|G1`UQhd)fj1J?btI;j6Zjx0;zV|nn%f`IeWz@^IhU|q5eT}K&3Hrf|;{f$A zTEEG=d^_f~R1S%1jZVe2Yx(`o z7wCRBiMo$ggd%K27pb{@i?sAAS?OpmeG`dO)G^Ak`ybnUMTCQlZj0Tcv!N&4a3Pi#sO&S&Ad!e5mRFOSch&> z=zqHMCi^WyEF$e$N*6plXXeP2#HC=YXDPE%)^Njk1}jA4hmhYs8x1L%X4eL+B2!o8_l$1OGxYb}dZS$~ z8z)a#S!1@|DXzKD%5>Z5^UtE%Qd!1d`0A^f2I|8uGoWoD__zV|u#qwB8;Nt>*q1{=VJmJy3+=#}ink@yv5c{l(7vsDQCJ8p9F(yWfY`@|v{%D^pYQ5G8#<`xz zrH8DB`jC4i5&U9L^I)2QOiL;&+U|hX$}GM9ckT7T%jjAwn!!km&1VBC2e9M>{{opr zBzOSDeQ@-@TU;{A6#LG%)y?`Zv_Qr)XX^5WpmYE@)0B~FWA+FD;`sSseRC& zmpNFro($7FjU)gxjAtPkBuUV$Qq!oUa)0daQeb%!{7rV5qUqP?ZM1f81Jgu%kBWET zgyOS_U~tOvPOrbYiDv@xmGC}U<|4X+E6&t+{7n|9a-aF0$-8;Esw-?r2QnjWt0&gC z#@iN0p0Bfjc`}=}@CvzRzhe1vwDDnO|J!n^{W3VAY$_HL*HkZ5MLlj@s3kT0`EwnF zmv~3V3)H6%Lo-VSHty6@3A^S(a_XpN1C-9(_*BvNX|DaYa~AI_R*V+=kv&2m2ilki zaek2!R?6A(d3*!Ne7*JtTPT>Mw7-x1%`6Gt{waHk=xp+zD=~M%N~fzT5c*U(l16Tn zTYWOi5!Wm|nCPe-a|cX2M)WsEO4)D*;MLGcSZ%{wn46hRY0iP`)b;jQI^@cmd(I#F zi)`KhFo#5_kS9At{OIb#)7j^~&|Pi*YiapjxPn9Zg*}!!%~uxv>xw@rrsTQzik6Zg z;C!60)%!;a$Ok0j62w2!-L02;s#N_0l=MpG?vb=BWLFlFK|l79X%@C&HHsMaG~$+d z8KcJed*isRn58VrSyx%gsmf8wD<5VpDye-&%lrI=x3yX`{7IOT21b=$S!_iOR7~9# zWZ4G&$;aBu`{Gf={2hJ=N{N1hKC6#Y4E5R$;LJ-pXy<}Z`jPBDsiGz2GR|aC@4KJfw70GD zyBH+Dg#cAWgSGLBjB~llTOfsdLFXoJrg^c=V?_~Bg-NOe<5z1FZ=VB|VFCticEX6J zpoRp!rJHxg`TEXn5iozenOI=Ec8s)Bzg2;a=VlDgM)hu4Z6lO^f)R~BrYy&VP`wNF z470pQ;1Hq~8`~djNagn==4kUA#ms&dbUaI+&aDM$8xskmpNsm4 z;r#7<7Nn&~CcJ0=C%&W`-z0mf!=&;mS1GntEd$W7n*=!{FD>%x9)V8~@ zh8_fR&Yxn)iidz|hl|N|PK(OOF&QOvGxZo&M2xjWy3}NA2AKmbrNqKt`gyh-3JOkF z67(S%d$1G3eg>+PY6nD|^X@47yswi|58<-e*8xa4%>_-;yYiQqhC__3n}|nBUDqMX z0k0#7{l>~&MJ?U$#f~7E_NR|x6zbtQXBY#6G};P^pL}vS7k+Gg{zTR^SuMz{DLI$y zwq^b~z-f%p34Vx_ZvU|sXMa?gckJ?^6v+~5q;SRk`Z|BUe&;nR%Ori%$y1Y>V)Xg@ zd1;EpWFJ4l-zmwb|fDPu-%FzD~T7_E|3MTJ&W=!f-NwuJ>UW1Y|brn;&l> z)PUJ)C;q-gCCA$u2pRYSV7EuyCDp@|&?=79xjX}5Mnu?#62Y_jr-$kosHdU3m30Nl zQGw##b0FEMdLp}tna!??*K$jjqjjW)1c>#E5d3;!E`nkDR2Ex*8XIE-gkw; zw%`H)om7)t*Yd`>M={Lb*C0XQO{|$P7=7?wa$xE3Q825?lHcqW)Z118^n3S08wSJe zyJ&;nTkuLAI(Hxncvx$Uhc~*vry8F{E6;A@d`XDLyYQu6&p2i&wR;rY_uxc zEz>(m9@oP$1ArzUjRZozgV4yXu%sVKKjJ~m)tqxJbT_*I8{(ADPP>QDlSMAIn9%X` zF*%s`@}}=>0Hex*jN!TBNhVv^ZNUMTV+k}w+-lDD2hBX~6-BRNd32YU7-7~NI2xOq|*bqwMOx=0^P4dYk=PxhRzNgM# zMBSU{ycOF?0pZ&?w(?GpArPy#u5+?w10uNfyxi2pXBnv3+T^$!-O91L37_(yXOY@8$YAQd8f#-DjrvM`)SP-8g$k!&ZW zlMa9JxR#=-%ib4t{)?hE4L+*1ke?@~HJ5ReQyJo)-2{SXjNw6Farz?RvP@nzIW0Fe z8QdX^FFy}f6_N%k_Iz~@M69XaWpZDNo&kYR`1m)~MrmBl$lX9i{^XS6@esvV5xa{v zUcau+T7mh#>v83~6frHv1QPF?^YJ9byIY+EArE<3KR)`L z!CP=0)!YtbmDyUP%lWDyCmc)bYp3k&O7Qh5gRCu}Wh%Umu6S)Jb1U-v7mLlO^bJob;!hA)$*}LR&##K7 z>Z|ZsF{iP%dYm5b)3a_U4Y#Jy7ikW>3|m>UtDb#az&%o(u4!1-pa&SU@jbo)1bDLa z;z*ISXg+NhxROzy1g3;va_#sHo zUf4cU5ZniLr%U_BAc`vDOk(LS4$$mzIHzvCHquRgp?4+pXZ9U!&bO8=Mku=jq2RI@ zBB#X6Nt2_+@~yTb_lnoA+DBLF;Fxuwcy&29z(!UJ>*hl}){onJ%wOBsshc%^0+!LW zNpn{}H)1@QObc(<##5;2gwG=Fl(2(qv4A@`ipuqCS~!Ur_TnjEfH}D~t8wA>YTX&U zx{GEkd72SGC8yOqx`tc9?_|mW!wi=`6ubUiLH3l}{d*>MG6`n89nAJ38KQ(wIm8W; ztuYt8HBBl|TuJ=Pu?KTHmOgJ83(~_T%gUSwUd!)FtI-$L%orKHi-F$PP=eeCF88K_ zF!8CcBfHX!Ge@M`=fOAV{$cNu&p}Dg2iu`rw>s#1%ZbJI$}m3*1i;5tiXl zqhNhXc8_RVcP{vZ!i&!-w6c@JJ|rr7cg{oNWNW_DhRXid==n`G%VM0!mbWSLoZTrV z2`wL&V_JmLS?7=CEC+X%$IaY|OLZ(oLzyh{a;KMmu`c)9-hY>ryKhz0BGOE`?dUuq zHTyQer2Zh_K)%<${`&X`v28JWF+*D}f5L#;$@n+&-1i^$B^UKK4+GfKg@LPuUA!)Cld$< zv~sT{(dv74Y>$=mzJ{?ySu`ovh!e-am(2fB`WmI<#n$VJ{q!NE(b3El`ag#8VCu8+;=Dm2&N+^+!o)hNZMtQ-)o#@b&zTtvxV4~=FBl8p^ z8?IaT9m3}Kfv+d2j_k3%@}&Ev%8XuFiP5LZ=&&4B-ih81I-sTTo7Jvl3q6ohnUU!v zF52VciYr704bf~wa_gt$r&=jI4~~sSH5Ad$_Ocx6r(Ap$RqrRpc)d3O z+o0QVWhdjJ*w>aNWZw7QdMfH2b@c9?EEaTj+6qPMrb~v^e589rk@{YzUk_6m**si? zi+G3_yjNqm*RWdjuy&7qudX}bmnVs zWAF4ee)v_%K$*pD-!+$i#2&|@fI7flZFd{ss@s0xng|CKVa~we3fJLZ#`OSMc3FPD z%aBta*%ih!6mn_V0U_x{w)jr+L5nX!Y(e7gAb2%&Ex)M3(F;5b1aG5N(k z(InZhKeqW%Et@eg$x##2|Iix$qnu=Y9PNA*d`|f-50QFtw4?C)iMpkXvQ{dCL!lPR zGM#Hk+VWy({?vh3y8Idiwn<&3qjKF*nKUNzOAObnW z-j}7o<>nj7mKKs5%8DgsPPByMi)(lZ_Zj}v5tCU7 zjyZP%rJ<(bu#IkED^Zl*Xk~68jX%fJIk7B-#*QaHEJIag6F#aQ|Jo0e9d@}ma4%s* z?WaNje-Xd5InlR#r|lVpD}s>LTp_VW$gqvBwKlg62#a&psS5|SiAR)lhJv&1C`}pq zn$B8rw?Q`A-oidpmnJW(lG>>{mK6E(Cs1v{lReRMn^^v?qgcqk=+}o+jdY)u&3Op$9qw&z> zU3H2|i)R<|vfdi6B_=m6{_#XIKg09`eatRTRYi3FM?89VMBvt`NyWj4t&irblw`-1C&Z*ifOJ*cHR0Hfdq- zcxDb~2RD=gaQ%+UmspznRMt`_KO!P=jpf$Tr=DiHeE3GboL6DsI*)rj7#*pzu>4@(AQ0k{KrP{@Q|nj0mvuJfvG$0aig zZ@B2sB6qKL7@$TQeW4{L5R5cq3yoTkC)3VkjD&^qcr%8XAeio%ui7&e?$LKoWXY7c)sVu~*f#02Y+bD2<>>Cbq;T$%Z zVO!dpX=oTn@u1etoy0ZMiZI9p;T&YE5MTaK+8XB}A}%J9PXzatgdYCG_r7e6h5F#% zP|dlYbQL?OoCV*p4UH~2hsP-k29LLG{0I_4@HdzxC=-bbXdfm>p-61LyI00BZO2KB zi~yx9s9C~Mg$ExUoY|jy6loZjEuHVy4i@f$7{J-u7RIK^_#rxAdF%OJAne1SCZudu zFanTT1$!&mjAJmL?aTx^SDKSTZT&>uoKtz}1UIqy{i)w_k_8U|%AmDuMVx{V>1pB}>8r=bzo{`UI^ zhl&v?Cgl|0e{~9BZ{PpwM|-afxRTDtx0c^1X)v2N^gT3(vYR7NGXo^5ZFO2#L-|j}el^%9ixWuyxk#Bosk-eo)HVWy`B42i& ztN5B8?5abP`QrDxY_vkEAv(ME4k{pUU6gR!IQAm-Ue|?>`D^E{d~Q`Xb=ndQqvLjz%f)>|ymS=BoFE za*w09M*a)&;M0r!v^bLgk;$MK`o|gauZAW633hSuK`PL?-&u_1&*OHZf#3H?O6EsFW%@D*2}ay78hE*7`1p@E%|{=*`tWfX z*mTX<&=Q%sCs2>A)3Hk$q*3##f4!@JzrFwTfE~LcUeM{ui&kw0!sH0Cg+D0@Fj3QF zGlL~<6eeK$KT!TaHaNhZJNFX$EK$t0pd~1P%|7b*AGYAGSIr>d9R|{}-Ia|NK3vU(wB~s=q#Xz4SXv*MD7H|Mc7c^FMYa ziLJxDmVRG8?!P&i|Gt_2*9Vv5&M3SlJy_|L!ffB32c?O?46(-^&xiR^DQFMll{ z|KUj_=?Ak_3)Cc8-BPF7b4~!6kI^#cxzBM!>C*Lx1^n3g zaxrXgY@I>XP9un>IlwD&dSw6qOyzj)^sPThP(2xIyDPC74(x@EfOE7H!DT7&wgA8L zNTmLu7rYv3u!xcp}6pFfm;du(Qi9^Z}5j~)|_bzKJ_ zPx<;yo~#>+<+bomNYa%2{1V)WqlctQtU+IcO~OG#iqK3J`9(nRRsgXo1Ru7Xntmnu zrZP}sKbA3o6z_cLFsdaM=;hyX0PAYZvCxO0Gw2rI+)lwzItCrbbSOrt5T8GjyUIIQ zmzR~XmX$bt5D#qw+y+a}kgO8nHoG$quKG5^A~y=HY+be<#FY=VOMO|&4Z6WDbT|Zz zmv2FKkP4!My~_I}5n1~ZC13oy^2vqh9B`+Uu0Mq^hkTHTmL<-BVPp(Ef?7XNnSAKq z#DV*uJUW`EtO|a1Vv&2AAQ3^zjhD*U(UJedw84&H5R=^1`AznJ;}4~rnIV$DalFi( zoFjK;s)X8k?yLjUg1OL04q~`uxPizf{;wPkXleszs`2#1t-!l+*@pRbav%dcfHDyd zK|b`<`VVY>BFP`fVX6{#8}4Vq8hro5N(5UCtJ|bdYYaGJZG^9ouni!}D99yo&4*QR zMjzs-aMb@l*4_dt>uqiO6+|g%1f-Erx>H&@C8Q)p8bn%JS{ecA?rxAy>4)wRq+3d) z@tc3w+H3EJ3d@@IL=yayUQF9zGY&tea_(M9#lopTU@S0A@Vk>hWn722uPIJ&X!a(AffV_b%)1?;mZbrgu!|Q8 z=gE+g7`GXQ!EI+Q3YJxABBo|=F*Zjvqw{A47C0>w+1|o_`I4jJ*6-BpNBg|eo zYF$-=xF(4@Idp?xG!8nCJ1PZmRW6NSwzM{$BcG@yxPgq!LFDy--B^RBkGyEC2i1}v+cCe$UVSah$9s(5?zepRWoIEXn*S-PYe_wZ= zzNGfyp+Ly*#3%y_Y552&iPr|@9)H`t7=v5AQJFT)N}-95KrzSg8z^#y-n7w|ykZL^ zdgXFW>)&Qhc`#`A=PG(k=tbsvr6fX`xCLDJg=*S1;_UA?z;{Ix)i3YFQ-NMff3_y5 zWBWGv&9vc%U)6zbIRZ*87@R@%k37f}(gZF?3v+knbk2H~ljZ z52|qZZ5WtF8uIRfuD06Q3$Wq! z8}RV%RgLj44S>6DH%jjBpvGDcy(SsUM~i-8xc>Dg0En;u z7oZG$({Y8bz++sEtqCMK;~;>$nB{G~(|!q43g$S6NGSkjQKF`0Mm>=u zZxekl_dmECF2Gtp4q9(ZW~})}#4;e7tjPHycsO9K^R_z>{pFq4+u z52$5wW&v7bqCeqPn(bS#A3(Dza{a)={3nK)0YjVfG{a%JAK^S z$5e4@xtAYrt&5wo1M7p|=?&^}eKjmpu0(tztQ`58Vqw3G>(*FK^^br}lS87mMpQc` z7;6v@+2d_(wR2Y&oT~ zVET7^>E7RJ1n7@mF%oI=T0~DKygM>Rfw~|U(CadF!Si#JlN7%|S6Gx0#)oEIVoFsNV8qMRZvt=Ht`-9 z*i`0HAY0u{Jg_~qgi_~TnC?lj7-|k={P=g4$FyAQ|CZ$eO5`rixv>X1U4qWQT0axr<*!n5O+B?2vIY3|10nUSzgKvP) zfB#HAT_ca4qn&!o8k1~g6bNpLLB`(RN!yVV3dIQ;_x!VDpmPcAGR>M{VCrX`Gl}lv z#}KUr1M8D01~Sli95~`tVA%*vDAm`+oA`MdX!OMx9i*zAfHLpxjKT2_podcqW~g}o z$jt$O+7MvUln*bYVP1Fd5qx!jzY<%mE9u5C(PPN9?l;Q7txBO3vMB>n|y@UqimyUp}ER>;p7a;EWhT^S023NZvw+HMowSy+Z4-EFimm-RVPU`h?vUKIf=8=;idNUsEs zdMFp--q-j#8Ei%1F9fn6b_Oso#co{Og(YB9N)Vl z9Kv;n1Dhn7Su{_n3^MT}o{oJql8Q_T$>e@2I>ybsDLx*F=P0M@(Nv}dMzaC1Im4m- zmY*K{(OHL=W2cmx%vZ85>}*^*Ld=W^FGh)^Z}tXP0OrIbI~RYtspcKm zQZA0;cw*%s$8~GjB^~mVsHKPP2T8`yN~4L*rJYZ+ zH65)UPSCv=xBFa)7+kjTAa-Ubj_I6X(W`d# z;3|OgCGj~`v<@o!3kSBH4ZiLxiovac>&S&h>1d|7%}}3OD$3Ga)b z;_|pDprbCD#W~c$-(BQdz3~au;S7oVvmv{PCjs2lO}#03VOo_^mL#Jg&&FAyOfiMe z>?Mq5#jfc*tS0RHQ}Aunuu2%qR2|m?(gfpb{Hk}tQWRui%d@pOW68YiY^TVHS)(2Qe-t2qqoG*PY`bpT4sEcc46GQ zkcj+V^$^~K*C_3VrM*CC_Q^VjH1R^z+Wzew2_>dI2WoZQi`&?R3N*~uaA7+!^}e7t zudBve?S0FHw~G1^eTpVol3`Nrf80Q!qgjDmprQN1ssS6(%7jI_7+-*{Zh&3o`3Tyb zpnLKH!{%y#p-IjjUSW8i`Q-L;NV}Zb66+c7$Zt}OJYCuJd#KnUZ0gIWH!Lcj5_3C_ zSaCT`TH5;Pt=`n5!2NEo$vCRn{j?@q;23!3QaRhg`5kGGZde8Zcr-{j&UQfnE(#%e zBp(DPd1HnXVJ7?wPV#_TR;Vh^Y^n5}|5O?Op&!r1lYFa33?4B{fJL&+D>_!VW8vJ= ztkv2oT{HQmH=)vf=filP_r==zx$vSyG2@)8BE?9~JJEH5xeMw>$K~=q+ zfxFGe058&!yFaX(#rf!G0zWjiQoC#?CYUsB*JdxF_nY99u66T7uKaO_o=T}?X7-h; zj&ta5Iv(vvRmcqyMm(_mTHnsHv-kM!NNH`BsCb*@JZLI-(s(DX}2gS%R zdoF@qAZCJh9e!Oe0?rqfIknIk^Q$m@30H7oIh_rjJV+x)+I|w}dfN%fz>nARpnWy{ z72=po9?q!053fyJ1Uq-Q!K8+T#WO9}K>SDFQqSl7OEj(Hq#{z&tq zKseXRlnANCR)_vejP*v~$rn9cYUcyeYx zpEwJ*6525@wrMYc@zlO+u_3T)CYfn`xEIdb(#dZCu5D`Is3~;;j>ZXKhsjlms zJqr}Dl-vQKS%!+;VI)NFRTPg`Fk55DX4)EA7KE;v?_VRxeMlI(O;#`uS(9G-a6g;D zh2I`AhP_;&jF#t``J8y!!T$|hiW#}$O7&ld+4|Q#v~`;3bSrJWL|E8o;l2X*`9{`R zOLl?{gD&~%lCU|}n4a?wg_b8M7XEdSKXn6}Z|#f4t%!Uj+;7LM z=OkG-W~oGFFCJYhZ>BirxHbbeyaemG6VocYxMDx#m$c79S#b?>_RC1&#@dNZz5{dSW5>(EVdv7jFTCP5xWR&zDxpere3@e*TZ&ZL~Kw zZ$okIp~p84R!!s|&TT)llZ@JglD&_bsE>^I{4iMlgMLFwV=Nkd52ZzM(LnxzMceu% z#=02`KeolYd}W9Mb;>>`HWiZWW{1FYbzrCz`hR`MQieQLa^& zD)VbiqbYB8>bM=7I!Iy)i?%R8Rv#CRl0@%#ljQ`CX37vi#_h zom)Wj3XXm4t46+TCc5TFotpdSt`cNxLfpg#Tr-xEES=`M0r50jfW`vrKFw{LQ|#x@ z`4V6t$2zk_yxyNN51P@WwUW%Wl3yaXIAb-LU|8Vxl{xG-;?xEs`wO^|Yz)(H#x;v) zsMdd@G5TQ%(*LnZS?mtFzy|G7VrlmI=k9f(RW_Y(Y?7TwG*%*SqUjECP+W}j>wM_8 z#D8>-uDnG&E2m-|hL}Qm5eWvl6Cvx#9aLl~r9X>oifU3n1P&!|(nr+bam0?;9`A%s z3#SHgl?s(1MZ@iBC0HRono3$|;ibn}^|&~SGfwji`-0ouoMu3wTj|+734rsen~pb0 zdEkt}^b$?(2>Hd_cbtw3nspg1;W3OL0psfCr9KVR;TH}v=HA3+O9FaFpe;M53*4JI%bl;I&Pjc)Q5gA&<8rq#hKnvYe*^9H zije|{7qjBF$7MVjEg5pE_lh~wvs&`x{sZu$!qh0D&qN=)e%H_9b{n;@(c~R?VdZIY zPYNpuo0I^?=$+En$%g~NNWQCEWdzhaf5W*vc<@}&^6h!BJCC`%!Qhc_?TEJa)A`yT z@7>DJ&2q?U&ej1S#aKMf=NHeV15Z`QEURwX4QOjLjM~`!4}_zm&NHt{&|+jphY9az zWIQPa=%6}-f@)ihbBp4qc4gXr=A+m9|Th^$EY?StRiuT5_byr#Ep6_$`ZN2*G=W*LzI?fJx zz+x}QU<4UYRLl*mSU%UOG$ zH2)+Xi=#X@>&;}qpA}>LLs`mXHW&}HuM`|oxy3G>h?*E6?#@I0U`arth92osdg|W( z%-Q44U7wxvZ?xxK=Of`F`po%J7WSBZp|)o{-LHJ?it`1wV~#kBDOy%9-ewYuB)zI` zrl>eTHnE`5ql2kd1z#D z&iSXC@cc%DT15aalBjSo@I=-LK)YY`b};m#KiSpy^K;fG)L?$;r^94lyP#d(hY{r` z{$}(uo7_x$h+FhnySt2afu_>;yDe*q+g|YsW(r>%tmDofsLyi%8jNy3F6t=%YQ)or zQFot=wcW#lJ)m}|6)H$!^Nf2vL3GD!^+dGA2ws}`9o_Yb2YJeacW&7;MLc6t>(_rH z!I)XyheKyMAuv%xaZfTcCR+0VuwOeyj})VTeEqRs$c0Vne#kDF>&fKYApcHG%L9JR@EP&sjfsWS$xnaZAce2NsMsu)!B`nkai+;GKT%WPml;|M7roJ<1cc1BQSYR%oHB4>7+ z?naQoF*xY*5L1*Dg2!k9_Tb4Ng(U?zKWSdvK7`$B95UV0G=8QtlxS8$wHQF9VKq9A zV%wCfg|)q!{|BN#p$FxI6uX_#lOG%BD;L!K=jBUc;iJ znd%mO&rV&N1Yg#D|A4q>Qo;IaG$Z$ed@&AfV zGe$$NJeVEVE7B3Tm3ECO8V_lwMvV(_xqRr(FJ|TF3++tzqKUdOZGUm(8Ok-H#v$pc zbf(rJdD+-|g&GG_RjFlYOeSZQrX0b}fL8S}FH~k8(TcgSq`qL(IIXYO^mso zA6J&dP}(%{*$-AVe}HtC7n~984a!g6kBd@O!)<6f7JlV*Hs9+=bGW62R5i0<8)#E9 z;2d*(6F80z=Y_A*;6=t9`PrRsoic8B7&iW$E{i}+v zvu@Mey(+5iP@mAz$sji4DWBNgr`kpupx`h5YJT|u$y^whrfr{r01jC|4;-=;qk@rXupQJ&YWiw|_^pzPL?Quv<8Ey>J$do%RQ z*UuT~r~xB77?Gi@HBO-K)I^KecQu^~-82V;8-Ybrv6N8d9IeG(n2Wx^1}LkP-Y&!u zJr(v?hs7J?_Aetb^*HI%AN}MPcN=na_nps_#BcyMQ#z#2)&N^8gA!T4t-H_iT@n-F zGr_Kq%9LxkHijMYr*nr7WNV-WA9It9=dNwwcOQ2a$=AXCboeO-?fDXIiS$xGW6iWE z6ee(EH95lR$+lsjS+tSPG|K1uJn!y7&j}xH?^KX8l*u5&p%2$HZqCf9TR&?4j;;df z@0S*EjftT5(!Rs8=8fpvmDc91;EXCai~^D1V{G&(k@c2WFwldgS@e(?1BV5v@b&w- z*X@@_(f!#PxLTKkd|eN!EvX$uF9XLoaAU32rn2z}>(X&!N<%hY?$)a(*f@5I#Lb`C zn&H`)Q5LHS-=fJ~=Hk-{KB~AIZW^R zZYisr-819=F>Oc}_*Ey_?Q$&PwA$b%mO&av}sG4`oraQhB&O6C$iN0 z<8=1VB{)y4kWaG?71ZcHjzfI+@UQwG$WhflpIUyOz!dgzlpOm4AkrwFZ-)6Aw{j8- z02OumvQ{jClWV{Kk~l`aq;?sF^HooTYUK@>gxwacmF{X*MIC7kBze;c7jtVJ_^a1( zTg7U(-sr_ytUF|v@jXJ0C6ihqMI!dWuX4ITC-aaVxP(mlo-u<95tdViAg~78)U@ zaejRB1)z&~(p_jHXz#F4SAsQhJUE*QFh=Qamc$q63EZTfS2l|~BouLmH#O;<=!x1V z_R6iSaxcWQjiP6zB2n~ZDDV%Cs)baw{3SwC?fIp(9H-(Kk019zY>pf$q7v}=N7bxw ztVl1(sLv|r-MZ#PSd9YKVerXgQ2Raki-5BLE2k|8i$m=Zv}345gMsI$Kt*>T;}$}|H2E05LkdJ3GWMVWxwxM_n3xJjw!qq?5V0G(+G z7@p%0q(&Xd9(kE5Emnp<`Njjyf&DVxbuEEixUX{i9ji5HlPR&_>sSYrJA%e`iS!wp zr2y>2t5UnL(CK<7UWfxN@f%3Ie>Qycnh&YFj}xORnPm#LBV*v8fc*`-6=4Uk4chBT zT9md{+0$?3P>BisM?owsOBGRgSB}=@TEs^jGiaK0D$14$FIq09i6qh&Tz{pQ0H z5VBgpYS@*hkj&THAAhN19JvawF)FIhS~uF6kR{3~-5+7hKQoyuD^S?1WC~e?jM@{BO`XXb=B}&S9uUmoRsV&Cw> zDkMD~lXvIYirHX4TBXV`SzptpWv}9-)&|e=I;%UFt@Z9=!AjGbX%Gp&O#-Q>`ZzEQULL>3hQ?Sz%fCC?WbeTC`ZZsETb3_IIPk2`OO{Ov4M~Jk|S#_V+&%R z)~(VvSYDXbXUFQ!e!p9Vv9t^VH1a`-^19O^Fy*7V?o0s}9$k65GD3F+_qvKqCB_`+ zjxxf*o_wqAz*!H#!!o6Lw`dRb`@ndPSSwZig%xLEs&7pt2iHuNKmAOp|MMSUW#7|| zOf>gGx`Xm>cphQ-imf0zZVH|IzS2Tt225~m9XyC4MTTL#5?{a!S54J2g7i;1kMjFF zvw@L(`DikON>MqKDptF$~bNrlmo`q1PZr+azn8*V=2g3Xihelx)WThmZI9~4^J;}m_rXAInS}kgk|eDe%0ft#J=*k%uD{a{ ziA(+Qq8AGrz>VBO{f^gmRZ8}jN&;E8i&S)fLzCpk><=Xd*QA6y1J1RyZh;s>fbvN2 zm~DN^Hkrt~_qQ$0QRG!~Z|&Exj&V7qBtZY+G_T!0TnZqo_r?hjIY3Kz?T<#3Lmqbo znn3wL3&HS4h)XY9Ux!@zF5HpxL)0l6gS(n0kyLoj6u7$=mq0f~*Qeq^k_6B{uT>lH zjCJnVAaB$!ORFf@;vf;ZYv_aFhsx{UaDNDS(oWj!n}^qQoW2;{bv>-N-+Jjc(NPJ^ z9U3z-l_8UzDEy-wuawzql%LrZS5Fp@Pj!XUUBX54?6JOBR{|SCW%UCjjJkC;q{7eh z4lAFwyXewE-IyKats}kRY?5T-Uw_mGz%B;gzWd@Rl(iR}=$CAmvws|f%O0j$pR6<) z3S$IN=1O>*S6UvvpuD}zU10r|EcY7y1^3iURF-AMz`Nk9Y59tWr+Q>XtMCiTu6c#X zRPNSx0AEM2A!CM9Z0$0@wV1~|(A7g?r(;&P{y~y75Vu*ZSKc7kWkPIl?pSN_T}&h3 zbLxns9YUs)O}hXPJC{Wx=w^w|7&+{o|-SsL$?Ze~WF8QofXnytihoH%~*)VJ#^B zqHNLywm?MhC-3ZAG)$uO$y=k?L2Q6`;XE(lt}(NUf2^--rDfpk>nF>II!ve(SZFds zPn%2snlf6TbYr)`liC1tn)?d?e62VGe1!}9G|uiP`0dpXS_Z2U>eZc**MuA}DrbLN zm;xPvQ4BlafW)UbGu?SjF6HeZklzns+WCh}B35}XZ3YYhPDnGXYS3xc?9qny-62F# zIC0wv!Lcj{xrZSiIT&XGYQII<6;Kg<1QzjfJ|NO6T7|S+4v=ueV8Z3#1J-(R$vJa7 zeY{=k=K}j_s&KoK@X7WnVdpHfH$d$n$G<^2@OaqBh~ojaUvX zZe+nhi6_+%dtu<-mU=_;2Zxz$z+SKoOW^z@p|Dux;%)m9J!X~U;nu~o7zbgN+C{dPP8W0Y)x|)h7t4`-DUdPBsd-+$2=4g<4D13!E*{AeOZXt?^&Lpg+C2j+ z%*v=7V#?GRTZ<2;xKug0?Y;#9bi|u9gX#|)Riz+(2|IS9yIZ#+`2q`QMWugMx!DgW z_2Yv?%m2JUF#7&UA4+%(q8+bbO0pC+AcIUbX(LjW$?OYGtVB$(36P`P$!npkEk9`< zy#X6Y(FNdh6cdAfyu;`VA|~BG&_m)`f1!seTGBRiX~zybbh-mbU3%_oqq~B@?b|dj zv&;m={CgS3fV%DBhl5CGMapC+fC;2iP_}wIDL+f;XKwRliskW2&R%SygS77h7~6Q| zt}$-`Z>i+WnE4-c4-i`ZLiRB!p(dns8fr{TW%A{~EX7KiN2mjpwkjc+QIGT8E}p5o zUa!EEjax&6$v~9eyCbU0t>Z%x{%Rs3d#QRs8`}=+lYQrut75fFEGe*b&iTjq!e>>B z?FFOM;v;h?Q_ZRk9W^|L>tEH^Vidq?Z8qYVJ9#bJ6BK?tSm#W7x)U<~f0H|ePg_M{ z?bFIsWyu+2(N(96XE~<5*puPrkx(JP)lWQ8swc}YBTFmo%Y4|(4oIc-D+S%Ij;h%d zjeZz%a_Y>*5dguQqj_&li@Wln=@9S%7(L66mH2M@gU4kT)u zI5rIJuxCqg9uO*(bPb4+LfY>WLJFy`YPmETxU2;l=Q|ajwR+5Qlkt#FZrB&A2qtIv2csj z?Vzov0z@EF8-E`k%I-a^Ep;D&Z-rIOPZxc+uo4omgik~d4wFvJb=Ip)wyqkH@S^J- zFnVABT6=7d$xVsg>mx`lQLIEd(c#k`eq@&;lYTTn@bo=>$u3){#F6Zhc-4@3GnX}B zkbXsVi%Sn0<4?GYN_z`ko=BR*>fCv%a@XTQfxu+uu32@w`HuFUJ0=GK&zm%dOE^Sg z{c}Vhy5pcQ67TD+1Y&ALxl#ZpQWF2Ll17HVK9Nn%>l>FrTxBi8uJ!-KCaU|ORveS$ zQWM|$)O-mJmyM}5FycM5iNPh< z1(}v1>yWd&GV(bB057IY>e#@uHNOdPP$3Z*;8E{`H%Ztb(u^KbtV}r$1wo-6Brj%1 zIIRN>pXEDzto>flq#J&^TU#NsSN+i~f;iTZdTQ-S?6?HuSUX`<6(7Zll#uU%TmY{K zwc)erhO+n^&u`|r6GegNTWb#U=7q&YC*FYVEN#F@Y7yPsftUj-==gm!0j`&>7>t&K z_)ukNBk==xfFt19V>`O#LBX5kfD9k^yV6A%US^Hy9Wvk>(G>s1H~RT=HyN?^e&jc5KR{0zBoKekaxKf z?uqyP`vQxXdS9aAXJ%{%zkE?S8#1~y>fIkc3l5*`o)y;jyy#+-`u^scs0AB z&9xj>R(Dvgx3J@$@@Zhw87WZbTVJ%5v3x3!>4)MV62#NLyKL%m?U5-c&yeyJK8Nk3MA08z``48tR6B|q{(iS zc&A-}PMo|+*@#&!0}IhPR$zc@?7excLq4Ov$s=#U1}$P9!`%^*uD5Y%!8nt=z`H15 zS9ei;!-^1PDKZG5Uj2~snKjCUXGDEis-F+ihyu`G3u(!s$Mwa7w&7^+qel)9)MfB^ zcR&oO=p&`CW-nLN_XS4!!-{X7d!cSf8}2}Lp1(xGWf^w?U?LDb3D_MzBXxH_dy8nx z+bBCd>*ffuF806NZvQc{tH85_kok7_z~4E`B9rVm4iN2BDZ;*47N=hDUe>jMoUo*Q z5|;adpl+Vf_$N21?9Q9?P^1`4?UIGshHVXnX(dS#BW-`D&B`IcIizEOxWZI`6m0%P z=dlC8fA^=WCb=u<$VQ7-A!L_%%zOc_)r(*X!K$}l@{}yz)xEE-ZR2N>-ufUN-b=H^ zL09-2=TJ{WF%4CENm|!=Q`#_;5)iA<4fPOtR@0O z$9n}=`36um@K%B*gDU!5KVwPajvXAwpcSueWz2;`LEDBVfJ0ql; z5up>_49{@I-ZNo#4=Hjvh>qc$^?isX#Z@(B7UJdfHxE}Wd*p&XaT zvkb9#RmsPOkpzwi#83-#{)5(O3zhxGcEJEo_#)=J-iQvogOj@qW=E0s^=2}zCpZAe>QEl7%ZrC4nxd8b~)g-bW+syy@TX2OVsB6F$vo9be60Kw>&4T<9UX_x&>Ttp4eXv7z9v1*T2aV?#IH{|Ht+NW z-AMY9qCV6&|9HwUtJ|H3e>QsP?Q z1fTjqDy^?B0j+M+YrB8LFx4F#zq#&{u!wvW!t?N7DNK%`)zA;|A!e`b()W74Bi!Uq z3R9Ke-M+6=LkfRUm_&Yxzi7WyfBMvi`;)|+UFcfIHAg|7pVr#zmc^Ifh&Og?a86R( zTj3B9YFECX@6T>tic3u;>TRBi33WYrNv*>;__6i52?3|c@yzTHVTzY>(slFutA3ru z;bVDMFwk#KpSs-*kf3{wqeq4%C7-CVh@i z46=sFn(ZZl7kWGGSDS!4`CVgk$MdU?!vk2iJq=G+QXV$?=@1j@I;+NIdjsuF*=t|h zIXmp@`dVJW!JWfv!;lvmxsl-kP1`>B>+%{cKaO$Iha!ikS7?stoaFEA$ZOcyU(Z~J zApPK7S<;%nfRQ7oFk#e@Cp9RuHC^LyrT5$$9VPHs7WQ?DUz@^G7uDX%w`QP z;4L+D&6uJaj-+1P!f_UU+*M+ME#xbikt9pNEM4zGtWCBdcB!msbb6de11E>1eZCfS zd0$@cgQ*yMs!GH|CY_&dbpQl4ABbIWIM%%n=o(8!Pw|X~EDRq9S3IG(#s(sv!{gq1 zjN@akgR}+GD?^4j^~^t6P>VOAgr!P~iJ#ovt3k|-_|KinHf!2_a!eO=I|J|&H`twz+$C3C zvz@->prc|QCmYxCQ4bIBt7IO3(hFeGP6|$_oJ+E7BS>PN$eu86M_}1wYq-MHKJ;^L z@6#)suf%KhjgaKs8)?D#2q;e1CDnDx)Ceqqb8?Vc$pAf#L>?qpi%_v9Xm&Ge@n(YN zU0}ULabj&3`FBRg)K$XD9k9OeTfbkb{=~m$iGIU-CE-q-YD{F8?Z=xSI}Bq^Eu1eY zQN1;0fQK>TNJWrWP)Tx z6ue>_mAH^6NdV7)U==;V1}j zQdL>BSb5SUg{B_z(KHvPBg1ji+AlN23K_6rj=}#zlWK6-!E+5XT~VsoA|=8wG#I_a z{-~j5B~j(b*KN_j@RCF%aGf4F6D=;ImrA+6NvshrZGCBQT6Vbg9W8^T5Ub9}4&YKg zR-{G$00>f}?_)*de;`O(jP~$X>P@fh)QBvcYo5Ac$yNE#uMb@c%#}W#mJ+-;UI%aMCvEDWe*WL>Ep*5|3G&YHp=RR}Rf2S^OBtXk zT{^v5CPk|kUSNx-arJo()tD0mNK?}!2#CnUmg$do;c4`$Poo5T87MTvo@2hjVXyDg z^)0)0A;ioPu9xPf10sf3Cjjb2&#(}?Q!{H$Pfa89(XDA0nfYC~tm&it)@jE%t6V^l zwDP+nrq1Wcd+oPze!Ni#5_qO_Z{Nf)z92NHS>)05e?-@mXQ!lTQ2qu)Y|F?scQJLn zJd}~!EimZt7pLCh-(bdEiAS-^;FSz?CWYb(%N~0jKrz)o>okbNCHJr>m=73EyXJ(u zuN`FiS-OOk2@_+MnoC$BjCf1nrv|Z8wMv7VBi{kH#UyO*m53|;@!OKe z5(GzB?8-76;k2xahDr3DKJx4%@EM<}VhA}*pKU&LS0x!`dV*KxV6sRwXWcF7Y;V#% zH3VYc1+1oQ60GiS%{f$Fm#{_S_+K)wzYdj!{O*?f5?LrNYMMs(6$j5k_(M-Y>i*;KX=8a1e_WnhaL9kK=6va<}idyp&egY?ZEW zEt?1!1KPm4Gr`XTr6Gu~_SwFid$NAr>9Ha)&gb6Df$1TSNZWKvX&qG}CQjxj%{q?i z@dZ{e@E`);t;=x*a2yO+WMZz`4IsWr7BHSM+qwaEX1Tz+9;tL|){Z=}h7iDeNcPCL zNt$fXjCA!2*|V8`Ea!df=(Y%0Lvv z6&skNK)3?;sXM;!_Ks!%fvPmSF7n#OXuNjyxRST~i^@;FYwo=hw5()_y6$eaf@UOhD`oCNeZAcZ9Y12DXaom8cSkB+^RDNfJtHDh0(7;7p04Nqwe@pT z(}#P9U&2c9$qP?+NgSs|pbYOop{fqa&a-zz%E^H;-Af+fs?ZhzQ?3 zRe|Z`gJGpJ>ZnGvzkX`d=B}RlP|Hig0UU+T*Z0}I76dwDH!Vt=YP=`Ive3O-fy>o| zl@CwZ9W7i6KjEX`)xpzJMkrDk#rp$<8|Y#_y`^`tk|O%z3xt>P}O8#ghd^E^A#l6Pl1f17kV(tes}zdF~8Qk zS5nrXjro0{-`sBzpsY9D(|pc31SGsY`*^Sg41f2gVU%F_XJqS zosS(3zD<=b{(LyminSrb`6db*@56DZZ<;xILfrDnBm#@jJ5H?c9dShZXc%PX965?Z zl^2>tSntrf%!|-oCgXTwYJ8vKE&maWp-?!I4kO64(NlWe_{4E*w6hW~s#A-zi^h}j z{*DW#ZO8mAvMWPD=~yN&hFRBo>LNLF4fZz4tGC^4^T<}DL$rd9WkPfXa>()Y|1rzH zg{(^EMN>hpk=OjPTnrQ$N(dPUESV)Myuj~u@#xI}=M+JLeYuhkT5DBR!Gw^=34FNoj~@7QVg24nYA9PqLK@&*M3!WIkOcmh z-|f%;ECStYouyi&SYxa872Tg-dnOH!+3W_4^q~*$k@8O;1UMTHr4$2ULU`F&DEhC* z54byslF|PaStWxBkX6{@@g~^-S*0Gte~d<12BOFEfF_1**FLk|;GqZ59EQsH;QvYc z`VYti!yH0_%9-uV>sv(vzuseEE9`eQ{k>6-3Psb?)`wC{Ndd8i6QtW`vULPtr~}+T zTYEcyFg~*y7$;*q`LcNsE_jhQV)kz+FI<4~q7zR!SMvraFX}w@p~vt5L=(dICC_dT zSogMvhZVoNL{7xt z*=1kUrxwX`fR|z_$e$?W1wN#WR9d_LiYfE*MM%K?OdZm13ckT}QT?saZ1bgdzs}Jr z>qXsa@M1PMz*{YRjnjJ2q~GTKQXE8r|1Z8c z&gZpWtqa!#;W45Tz=J`Di{kR;Yc0S@6#(g(*PCC&b>VDeSUkHV)Fb`SxjCL61+A@D z#3^8z^n?jd9*2UHK*Rm0_tA&@reEr-w?Q;0^tWDJ*dX*YJv}|{-Ym(@CU~o49vy&j zbRpzfY$yX~eF4bO&VJNR&-SRyeoGlbbm1Orf?Lt^{usvK8*>3+&nDB6hlY$<;GSOq z&^_tm>u!{|^3spYs|TW0r6vA`u=(2q`<`l83~xI#`#vReX-O2Ow#>tjH$V*!1$(Kf zFKH4&s}2($P+!CDHxhy{*m}TN>pI8lhebngM17$lqfP<=U3>XA*(0|F2zkPNep(~uM6y!xMzSL9zEGLIS-VNOA340ccNrqo}RUpc# zU~4S*NibgZe8;&zj%Ke{^|-N2iMBT?`Pt=&B$+cA*2_jM5cQ)9LPi?P>Dtyp{&A}O zbHV@1Gk_*-2tR{clS*4FyR!Le!~7PpEsv9$A>^2WV+$L2%X+AoKTys9GSh zqYyN6L@Y8B&&tF+ppAO0qS1F3Y1Y0A#Gt1a7v;z zb>-p^=;Ut^8eG+cEdu11dcD+#^G{ZDTu1zh#)@f^vvNPg;(X-Ecg`h%PjZ)G%L((H zgk6(oIJUB#_Fx(vRfNOOCzjJJnFFvy?ot%m#|~iO(#Hw-ca79KUV~W(z@JGttKC}W z*ibVvDr|gK4aCvJl)midw)rGkXyN#wO`6sHiqF4;U|#3Y~nT}+zpX`yRYl? z#bIK#H!2p3t%&BoKa#B#a?qy$WoGpmy+lonGy#F76>h1a^-rI6fT~jM-itDQk;6Dd zs%O>+goK3mqTDbi^NkV5x@rU#7z{~1c+>VVtt(tCSrjl z22}sk4xT3t??C-dGno6G(cd3fFBW+EqB8H?rW*)ow>_2{?v1zLwBRf$vO?|q!k*iH z^I0{}*SQ{ke?toDjd4UT0Ey6*PvRNLg8}!o>QIV6D2s~}IVwDaNf186HiXD^#TTdh zrFhJ`MIc00H#2nEFaU^sp35h4$#Yr{Qui=?Lmm6CCmbAh9zR@(huRHk8N%Nesy^mB zwFWRGdkX1dQ>1NIvfloBYN4BpEK}WQ9*1EO#C!<)kCX}IaA|@_Zoso3Azm|YD~qB> zD7M)f)CzXaCe~gBGWb?dS~K1SFr5)|Kt0+9X>pJJ2aqcIe(LxuAd=S(2*iy>Cu0CNN$hKFlw9|^f z^-A^EO^SAu&M^Ji0Rb%e$&@U35U1onwt-bq2zWz`)`mYnwOkhi2-j0B@zYTevUgl9 z`fc#cdkamjQ*vat)`2Wb4V(mOO)e(|v^W-Ku_UK9z%s5Y6vp+s0nC-OAemwTDCbfp zQ$RS{v=a8^7?bOA2>W{tRCkTL6OJ^2&6W#|&gOt6m2!Y}aSVwLAAE{#1sxswt7_8` z(R5EQTD|&IBP(8iB!Y_a7*^UfJ-76yoq z%S}Jqlk5%GCHSVa{)xvrNL;+i838jc$oWEvH(0zF(IE+d*}wJWgX zJmCZf5cKI3JXh1~bhVbLglUG(RL>iaF1rHS7?HF=vH|!vce~pVAQ{f`wJD%^R8r98qN(%u7*Umno*;Bv3o4@0bdKA@(ZNE7i<#{V&T9LRSA5L#w# zofwre!wNWSHvrd8A7^+(!le?$!1eRA<>zyVKv@q|5%;;?=%5oRLgUO?0MdF6Zu(E} zG=YXzKG;(qPzHh%r0u{kb7-Mzf|9%xU{ItnPz1UpP`*L=+9kTqYxht74{vWB7iHSN z{Ywb~(%r3sz)(YXiL^zxbVx{-v`DFd3@IVqDJe)Q-5nw+-5t+)?cTfJz4wmq^LzgI zyg*S84vUY#;LFs`w~#)kdKs3eaq}V zgd|H+{OSHP^o|Ijadq~%zyS3YEIIu65s3nkJm&|4zC1NhrQ7D%W|&fRPV3DoyLtq zashy_rK<>pi&7MNW1ne%C;Ua&CgB)T3^~W4Qzk2?=v27uff)Ut@a62zWI)63%W&S1BF=P#g<)?($|2~ z%FX`vJjok`CLFkMc~izxWqsty2t zlJ8vL4Yr94jFN=F1FkU5ytw4z)~ter*MbBW#IJUvjET8u7O0QG3FsN3_(#K_i$GLq zL(H+l!6xv!n^HS>Nrd@ymLvAv0$3#@zj&GHFV!oU?R3U_g1 zzCiT-+QzwyvK8MYSwimQ9M>Xj_@0kztP=a*@Nxb;y7}d?&|#euJC&)cje~tN7V_QQ zk2Z)HUHyq1p24`=Mem2+w!L74b}wyN^pw)=dxAGM|rkX+5u4--&NTdlgdz<7y-mIPxI#9xexwML=R&a zM*33mjbI|8G3Q5J`7)IMsKechwVv8NFzfLZp7 zQpaqO9a$gkz;#Jz;uU=FUC)VQ^j?u-`GzsW$X%Ub@74yujXM7yZq%bcxltZ~8)a(3 zt6ujuV%FdL;}*Ez$c&j0-!dgNGRsi$xYX@Hh_?!!Hl>z;{Wr@)Ql&+cFaVC~`vV-+ zD~U?doX&#T=g}=kKbWv$l#(&lFueebk~|-jX>8lK(3e^g{V~e#8$u`er3XF+hha))NKIthb2p2GrIZsO(xRNsf)8zpC9cyM>PV49 z{e`^b$R&xuP$ON0z)_p75n~3vqDK_Ms$*!N9_$p>@x$+nvKTja^F~=SC#^+WZ}Fwj z2!(6R)L{xc@_wl<%&x1$)@Ov#cWEIE`An76Kor}_#?vm$MfX-n%{%=n$0$X1&&mDU z;SCC1k)BKmDukqhU0lM&@Bpvo6JWwX3DtT|?Eq%DevZalKOOgWU(yvBbTnQa78fa! z$^EzEJfCW+aTRvjCN@j1tuk*JjPjRZWQ9I8@1aD#R&MX8h1S}kWow98DcImn4Lwg_ z61AWUSQeZJR3Q-M?G-!USg@qRj8K~=WEftw{CLpA-cF335R)3w1K%cgrLJga8t_5i zj0Gxi>HD6wY9`Sk`#(ud7r#_}9j$gS6j3O;`$_s)eo|Eg2U)s>*1>!B`_oyP4UldZ z8@WpiVVw!h!copFY&`qq{1--FTA(Dx4TdB4uAl)$* zAQg3eSnNyQmxuuiv?{r!%+y9mHU@4=*3RI*`ys~aiH?+1nR)@hMq67zs3u!ia3b5` zWsz^o4{-vHs7isp{3nU-zz$1X;XLM_-^L}(SwyyA!#-bBpZ1+MH_LYHun4A!U!r#} z0cq2kay7c6r5(_`KT z#E$Yn&7X2{!amsoykfk)0juSu;PNIz_p*{aE&w(`=sFL)C`!p2PQn&Vs%!R95JsgT zq+Kt13DE;5{Ispz_o@MJX1#Y9LA)57!dO6>mzNB6U0>DQHc;Kbi00_3{v5;FLV z;V31t1pwXebe|a+Q7<=o6Z(!|mvfo6+hhHY` z-0DQ}6R;Wog#)l5YpSkQxiXhjTe2|$JKBd4dN{X+ABg!R_+ zNzd}Ict#+=rF)jpfEnGeTCS{*jeqm-r%jpl0CO|^WdeF$G#*`Wk4nV9%~EURSVUDm z;s!WMb*dl5^gZzlJu&@LzXW`Dw-3R4hG@CTsYElmVMv4HEH!BlyMwdud$!D_6dk%u z<_v5jZVo@Me)Yk-KbbIA0#6<$L{efYaz@`TsEwDpq*}8~{3Si{lIIi5+y_|tR^!M! z@R%YU@pOeiEAc-#N>I#&nWCHs{?RbysjFd#*zILbw)s6)VN_=NC+9$Za?jG-ti=IT z>Gdi5DA@qpUEZ?_NTURDI!Vh#KtX4UeB$o9;Wa!9H$dS#LD6OPzaGhHA?Za5Aw}jhOW_a1pNWzniaE`@0pXT)#c8^iF-|IGo z@%!Upv`;emOM6ggQIB;Z8UXL{E~2tB*&=~oEJa|wp!~`4*370w3ay#Fo}~bzVyYNm zC#CsbUqQo$$6&f$Rttb?;a3>V_n^>=@3H*zC`# zvwYjGUFT>~0vyRVZ)Ge<3=aX@gvjtq&6A;a%S2*IFql?%K?D%ei($jN-V&(6_ndYn>;MnT7uXVFpi99&Is1X3{-#G8CGgDfp zwUsNsJsTl! z&PsfB%XBfsbG>8NSC*_Rwt@##iOsBr**NXNnAxOad+R}BYUEYCqy7DnO!bh0PP@;< z=k9<-G{=9@Y*RKHY53-;I49)~q~9?uoJf{CE}6+Lw831m<{=Bg!8bKV+e*M>Ou#+@ zgPEvr#rxH{?HH01P*8ovEAFn=8I}=WDj}TW3xdB(Bg`tPyW<$x8>kq_Y~&ReRZYI& ze^A#pasAD(QP1nXGGPX@Tixstm%F};Y|+aCbKRQu$KZ3@7c&nGN49qFcA+nwlYE#g zy>9u2&h>{_Iw$@-foOv3eSfyula)E^iw{$M*p~HPowg2SL0s+;5KEy>&f5CPtzRyYDRa2%l5p^!bS7xxEm4T4=1%&AmyA5DO!JjDSoH{qr7L!cW%gy$t35vP z!dEvV(qNK8q6VHr^bc&Z94&40QoV|LaN};o>XTyJm}urmM|%|YQv`=l zpWt?Q?}>-utbcp@CAXUVfLtEwJ$oB0E;(C?I#gKcZ$u#YnynIV5L)M}8yNfyFGTHh zJ!QU(Ukn%HZ>shl=rvQNR}PVr`r%EE47KfoEdf5ooY=c8*bKPo*~Fl2k~O2K_x92* z;S#FcR_sub<~<6Oy?whcZ=>o)mPI3PCmqFeY_s&_5rJ!PLLgs}-H&ykNh#>0`L-JO zir1}fus0pI98E(eKZ|YM7{RVfryc!fWlyXrxQ@LERgyIB?I%4r#;(*2`tFGZ&NcE8 zapQogE%S8vRm+|-bdkAGn7IDdS^WD&ri+Yl`v6tdmrNO8M_F~WJ-A0RyocCqewzhL zp7Bk?4JG*CaH}WG<*^2rB4+tY)Lr!1c-AFdS~{Q{!zu*uxDBV<8J2l>V<< zJ(<*88`j0Om;2J+G~olofY9?c2OD-9d*AtRRR*suheU~F)W2N$eoG8{_cwV#{H@1j zxn?r&Zu_)+97f?ut`c+}t5i;0o*I@F&NX^NU&mhP`z3D~K2qf^|0VgZqgpI4 z#pMb%gIRu56>w@lW5cO*7)d2K7-@F$jLj?eNX=_FZ6I zc22KypavTyMO4DYHO#9T5o

eT|k`^4EhaO;4Md34rGE`I>5WoFU5D`1pL!LoJMyXw4fv@vvxhIhgpVhUU zutyfta((MHW8~`%T98A_ewAx9FrINoowVa0JHKE!BQh-%3w~p3uD;;4(RNQZCx}Zp zGw(wT_VVXd#pY?~z%A21D!|_C8r=8<_e|*Y!Pn{y5NlL(GtY~u1BECN1+wc!+TZ{m z0h@tPJ7fWm;?H7b%ds3#XhWfdNeQyL^P4(9UyFv+^F)x1LBx z4XXgAkB{$UJ2Rh*dJJ)@hXWcGN>=#r-u*Xmfk{moH9@MHne&c86WhQyWCRug1Y+JM!+W!%oANs&{WtHq@R2=Ecim*ZY&q5il;3-1iu$#b8qy zd?On1_=($cv;c(E0alqA0lizlTUZ0FTqjIPGjxq;gl8)(hnmyP2vW=^fZX7ofdfkH zy}y7Vshroq!{;aa_v_v{sHC(X8M%o$-=P?dK@5)syy-Bu(hWV`N~c8!MwIONz9Akk zzhe|Wh}N;KjKzNzxdNti*t%8Vy+m(5xPkF9l8j3V_Yv@5r_2|ltAYimuy>zz#!N;! zAIt#^dw5H=$;#P~2>o>+q7M5sGzgZHjS>m5hLi(FoXJO-bA?yubJrB6W$QLc7i~@e zMndt`XaRwriz6Z(j2%jJQ-;{q$M|-$*1pHjNcVE~=}Zj@DZLX3CD(K=gJX{l&6N`I z1H8v$er_H&X3b?3OKDmcxG~0^?qX>C{30tjR##x{kI~|N_nBkU|Az8kl?Wr`p8erZ3j{1vK-se< zGw_fN2_~G8M4=DljsguY%q&#^g9B#Nx$?OuToo>plpW(2kl?8S=VDB(4u^Vse^z_Q zU~D|eD4!Clm}YhWJHWKTO20|}BqPhzLK)j9KZR_z3Mxmn*T4k$9t-1gd2C^6|Lj5g zP0R|@=C&CSo?!Xe2zZ@sJ)|dKa+w2iu@1?s!IHx7w_25Iw|bVwE9Ym54H}JS)op-= zp&K58qJz;Z5bt-VuMAAlCv*JR>!-4mDHrMsgT9U4OfsK{@LyWAw4uEj;con1KXhWn zIMm_(vPhWE^$#$3JH~A=z^GqM%x?cqCBlK!&0AKEBr7b+AIdvbo#itjr#? z#AP;RLVGgYEK)pZdsF-ULi<-MOY2H*GY$W^nULzv5-{^8`?_?*1C)vQY&5cjYcF(q zQj6sBj;GgNG>!dA*>Shrp-dj!`dk#lQbN)5{TE^QE^Fl5Pd(!oy8G!K3wFM4OSM7$ zIXPGwlbbkWuj3b*GQX&4{s<&_<&GkzoyPX@)r?9sMrAr~zz4(20KM?OBhfC$?jmpj z{I~*8gQsE}NktW7>0S|tRo|D2G>AJ%puxQD5xZ8|C$|mS@$C>F0pI^|TKubclKSBm zFR9b78r!o;tX({cu%SS;E_=m$P?)?Zm3R+WH97TzBbY4YTWF_WA)yd;lS(NvRNzkd ztF&P`36=2a(CNfXR3edRFzKQwV`L8B+PtGOq^A2tEBSL}|2T4>(dp!_Zn)mqq*;=l z1D;u8my2c7OG`#}4T&4epEi|w>TDbmB=P4+SaJeK!zaqkr(`*GB)Vn=u$ht^B~na3 zZ^vGSPxe(`;=f}5mS8^dxSb|ZSKFHm^`0|QH>gukiJ;)?T%`pS6zEVZYKBtPGxmk& zI5axrb)LstxrSZxPi$|q5?u{G#p%>t@E-%!03AXTBN zA?TuF{(qPRSr=JwRbuA+!HIlGvll`g|QJBlu z9pm0GM|PPrYg`C+&<68d6yQ{!zTaU}MV@$ceNi=n?1gc|6%@@-tc!ygZN~0=$t68Q zQK|ShX|jJ?JoJaD0XP@3+^wcd(Ja@z9~Z{7`<+AnESUrmPhg53L2#MWD{I`>mM(u~ zU7j1`MM*gJ_nG6*J9g~ryhX8ht{l2Q|Rv$^4F z&4UUQc349-MNaX|PHp)w5e@Ig5qpc5)4%g%bm)dinks4lJWqJL;L`HY2(L2)mc5-C zdISXIgN9j7RHv8oZWh_U<{BIE@4Sd&|M6P+m^Y~~h%5I-7W*QyepO8yZ>L5s@B7F* z3SBD{<(nc_rYRb~;L$SUcYk?*7t${bpU`r$&wPQUQTtQEx^%1GKw3g9x24{yxZ&s# zB;PrF55N`EB%U<0ooDv8;l{Lahmn??|EL##R{AC;j9(#93#`g0rlownW0c1gXXJ?x zUFK4Zq#6nPHPa10Vej71Z%6yoA6|)?mv@-!nukn`1!mgDedX&jNxYSj9mD=A)W-t& z6@W{&h*ke3NN42$Uu?l@2hu31jXaW4BF5#PlH_ZeNyM5h%4$^;` zc9X>s;l8^P=T!}YFB0J|_2QViw^lj<9fou;FHYH5<2vOCVH@RL$=#R#GO<)V^1)y) zdG;9wQ+!yBm{3!B{Gv97sPw`vC?+v`LNnR!0@iiLf=4NiADLrFn?-94)AIZBo-~wo z@_+YsZG+rQ;SBHU{4!Qc#feHfa*Sox>9$N5*n}ELkmA(b2Wt?bFG{B1Wo0ezvo<|G zy!{{sKAlp#tmRFx16qEJDYaJ%_r|C``=E318r<9;jd>p&xczSQ`itq~uOH9I!&E`I zy>6nP7SZ_Vk!hl3FGJtMEK4j==6hJ($25TPK0CKw+*kw(;R^I2d3cRshbcFq*=eXgRMSnD` zgD$BkqpC-)(2Ul(__6SJpdM$yr|qQ~XUkT#Od|Ngt)zwffP`Wm_%uJnw76F|+Kjg9 z`s$n#83AP6xI5jrJz6k)jK(cUN191I=c*99KKk6qccx&oSOhj!5gcLcFuUV?Bl7#; zKw{4t`fIvL_9?~N4uoF*e*MGGpq;^=)z+s=rc?}^a>hO2yu4%%u(*=SH{|#}yAl?c zV7vAVn#nm((3(KfzMLkr=ursT{z{*!E)`;QG+9)Bq%YR7{^hU1N9ijRV|-iVX!ezC zIu?o3wpQZjwj5BYt8hAT!r~Xrxc+>6d+#08ECt@MN$+4$F-A(^`#tV7Q{gU*g)P99 zPfmaG_Te>R4Ri}>fNc!V&n6RbRmAm5*%z?^MSDNo&=UnqO1*z0M|eu9#>Y-e zsA|gd(eg;sYt!Q3y0^CECAke9G@fMfCsJ`x?h!xIO|SMPS2OGUuc^<)?+R@n4GL)a zcfePYhQkXR{2Bo^@@9>alv^*AN?5P(01 zB;I{01VPwdv&MV|l@BKHDQt|oWYLZxlT8p;wEEHH=b^TH0@CbkGz+OA-NYwUT5D+5!-i!J&dhhuW_3eIxph)u+ zZ9%=5GnAgX-^)5kI9R0k00`xrDuCgL7xl>573hPW`WBxClBre2<5sxZd1sX4xn++( zc-tIX^O$u%I4GDjae4IhZbK>{X&)RMnCSet*^Iq97F`RHn-6>Ty>2dv<;Q~P=)};) z3{d8ioyey@LJWUPvsicSrP-lRXo|nFQ0j0U^vwHm(^0iA);Vie(_d+gLA6N9&ZAmB zF>;qb85z5E^!5z`>dx~`AM-G*;8M`W->3oD$Uxqo0(Xr zN$bU-ZJmiKd)QcGwmBblSQJ%k9CK+TdEi)Yc%j&AoO-^m#I(p)-YZI2Lgzvu;Ue1d&O$-jUG&DEQkwmJLY?Z3lK{OLQ)AwaId zG&FAM9%Z!$R$#NpW)kB>&`bN>y{N2{wVltwQYjJM^ZH|!`Iw%oZOjKL9SKzJM?mkZ zD|=&M4XXodZRf*m3XV4f&qIY)SnCSoQ4&^vqWYHldChqrlYgK1MRte1FC$9KDhM$P zbbIxQNqHL{>+0rFO-CTzGZW}@JLS_DfIh^C=JAB5;nDasIyofj-nRqr<1!sPXDyT% zx>L=;=e@pkccq%ZR5iaR=J8y+E`*n$lp^aFa|4O-Jg7YYaUbHCP$V@7`hvSiKCf73 z$qG5yLW}`#gW;n1a&y#e={iH&*d1-!3ekMp|0B-k4 z>~YXVA|0f+u^xT0Fex+bE{d!93^eWl|G`*>K$I=VQHR8t?9o2O@w94+h*o3$;=+A^ zZf_9y0vFdv%$46_p1a$DM#jH+vi`t8 zX_)2hgCk+Q<_*t;Wszb6aPaX@lZ3{USQk)7W{%_2YEY=4f4Ljwiyed39A}hpXaKqp zB`(A-=5hUCznNqI*pU9+fGZ)2_wDHo!X^O2v$79pl76)Ls((i#@|TQf#u|X`-PKCP zUe8*k~;E!S1y&Nvi|GWUU zEWB#Wo=y{y_P{POC5a?CC4tJ`L_#yD;vRz6IyeKCmEvdm?xv#Ogsc96BJq>SyW2Ed zE$xePn=P{z?9Fqanw07d;9v+J5wX%$%jzJx@lnvpOo76MP3wp|U$?&Cw`+rl?cER( zJVHL4%xLi_uJNL62bWe%#ISbw_1g^e#OnTpj5?^DvX*~uoCf{!+c;_!+AF$NqNP;t zeITOpq}zawyI}FqI}xXHPsFPFSp$h5I{eOIutC}cgywQ0sEx#W#VE$5oey@9=|D)uOBJE^$U6lExyX>35 zh^c-JsAu78)q!3Y7)MEWALg^oQg(!sFBoW#zW4w>*T;8MlE}0+y90#Eh+ac3iv@$e2Mhh@bPx+?}ThQkc0XSM?zLM%ea$bwKWkI*macPnsU=V6wsEA*_M0;!if)p;y2IWS0bOK;t7`_Lv zOW)Hd_s3&|7Q%VLPdcca!pr#M0f%A*>T@n4^!jf0$fMfSU2!5@fIW3Wv4C&4z!SU!CLS%Rhx z`tbu-TkdoBz{@N^4N#<ijqi<`*l1edR%ibS2Ls@yx(`J?QzlptY;^ zx{@zUS^#&lW6%*4ussIj3oSaqMTc+nA!PF>WSH9$93ifu-p4az0+qmB;jvAFS5<80 z+I;H{SzCaMP&cCqrTQAF(Qh070IL44^ zTYiXQNVRdG&nwn}a`y zHVECPz7nZ%u^oTi-2eTt8aL8J()*~PeP;#?^|$^vub#JL(3yR}EK}EzsA=6Wl;mwA ziWEH>H`X1{R)1y$_1zd#_{^61J*{4RuZYR8qkcii&Y1QKa>3w!qW72lgTZ0Z$NCyi zk1q1#N1L_4EOx1|w)IvK8%bUq5~!Zi-{OSzuM7@$uK&Q`urRrI6(FSF#T-P0jv?!bg6P%Nn>OP9Sfs`G-l71dHQP#0^VJp!whc+(zj z0s~k18o(j$zD|AlLkNG1^#aT^ArOZ*xVHkE(Y*%I*0 zK96B>R5uCGu1tV!O@zoh@ihi*NvuAReWlXEjG2WmvNejF4ZLqjG}CC`DbM&@IPP(v zGk!w9Vi3`)mqV>fe~&A=QoHiN^T5t{%r^O%SLY#R4#E#;BU~x16qbV*LNX9wa82by?Dk25&&oVI$O?~#@7 z17p#b*Dk4ZCRAPM>_K3%-$hw`a2oE#^y9gI6I7mp)X;6QVkzX^4F=_<7}7B@PYa_a zTugUUjCkHf6=0^<%$j6;j)UyciHZ}JCq5dq0Tlz;-{tSlUXX61Lk*x`4{`iXOS&c& z(hc-MQw0z6Wy=M3Xp7VQ%KRBPx~WDpnY7~jbx9<+Z6g~TtemuzS{I0d-y)*I26y(( z#tMy($Ued|P0ZqRIyorr=@%t1 zs^yKI$VZ(K)#{YewKuYoIRe=>BIHCP*>{MZ`G`_cejK+S9l9kPZ2vGRj6meJq6Tg; znAyMr)WY@qK6T*HggSB<)qk>Nq$!GWO83q!C_7*J8|9)kJnJu%i@@-|Q7#m3@cfl> zp$N3q01wZdDEd^L2poSFb(16mpL2ezdO1L#|1ri;KYSiy6MYoV#{6du7UlDj7#~_AqsBG--10rI z?9lU^3I21BflnDSJR#J&A81*kO^s&V3vEQ)vL=%6Fd|P?ST4kKRVe4n>k_zQvNX%+ zST@yrEy_+R#JO{AzU-lCuHOQZg4Ux`BUX`aUVTj|nDxEH7NhJ4dxR@tp@bZwE8yrH zIF#=Wgs%xvQ$E`&r%1FX$A{`j`2cQ%y9irGClxKoH*NGz8Td)BaDo20C{7wA#kqpqE3i^JJoqHog90gu>`oFLdTH$`CpG7ay#ZW zDpCl~S&SCM^W(M%BoBu+RS*<@eaPF?uK)fwYguF?NEkdUXpiBIH1=lvE_%B!*8HC` zQGf2>et(d9b}Qyi58_dS%z6gFej7B1eWQ$@7;BuMe4Ct`32vu}I?$AwrIMW2DpP*v zK`5Hfl&r0dJ6X9!$$~#BOAXwW3%02XSG7r(R7^%;5i~Q*HF8l=CKZYpJW)X5 z_Pi?nx@NWQa=P*IM@Mivg8XRG^L-D~B4gG@4C38m@D;6R`z~XIw?VK;|4>OS4{-K_ zFll8*=r_xxVW6D0q4d(lD@NYc#p_ac(sXRdg&J%L-+s~KpW0@X7Bs59Hr^VoehEb0 z-XlAiyj1hpr_Xj#!(|oCH$n)=>bN4Io~^1@K#r^=u=OaVRi#rNh+K^bQQve3UKQ6A#{w9Duk~~R7&g2(;tfkz|J49Z`9{UdYsiET zMFt+EZG(BTKFyE<_6I1q;nXyD?2A@I}OlM4i{x&IsyXj|Zrsd0;z8+Od zeHp#ILlbaJ%vHB;=`DR-X+JMjyxpvey<_yqK-U+30q~rRr}_d}ipCI{f*CLGg8) zNSUtkiASy5odDWjPr&i(4InXQ{a9_e2+tFPRkI$VgloAI{-=1G<2O!j*4P_}m zew?MG4k@<$2I$)WhIq+I5XDXZN(?{2Zh+JaPy}a%VarC=1*LKs=N*tJ7r(RoN>EsA zyp;m=jI+SfumQb~Xp8N?3UT+@Q1j$&IB6mEdc2pQfQSi04?bFgX~-~#9~fM;_w%Ck zbb}+SN`^R2jvm8(K`0mbNtI6N2G3;@g5f`>B>y^Ck>DfD$+@*>b+e`H-S0n_D8z?i zOB6h2;p!XsjB;uxgLG23|98*!$1{JDPIVXh4kP|!h4*_%_-bbf@FcB?Oh6_tSiGCZ z^T?(W47UT5?OvV$T4N@d=1i`>MEvm#;8%I#e`DogY-;bn;|l$C1p&(k$a|k{<10S+ zhjj@Fx!*+)#EhQaB^tgs-5&u>tEnIl{Gydo%&QuN&!X{3mbL2LN)yDqJ;r~@h4>x} z$VaFI{N;C)$i%QOdU9{?-@;Py0XY4^1an$essyYZ;XZmuIen5L z7lA3-NBH+6Vct>~b( z;sqGkr9A5fvF<#O4~#)g1N#6gfLLeNYx(y3s}d))Km7h2SjN;0Pz5ydiqF4K{(W5c zmroS>BMEH?bdVWKHU$2jZy``@bEG*4D=fb9{~yqS+6^An$!-uv|95Z6|Ng^N4vc;~ z2fb;zXa4`MPeG@OOw`mJ4c}+@XI10RVfX*~AO{OPLqXWow}=1BoBg-<{xAQ!sE}%z zruL0T{QsTyAb|{mAA+c`L|)5B`^1uHV1j*z4_y1icb-gw9;J~g+o{?d9yZC}E)Ixr z418&c-yS-z4J$bR8f50iQ3Z5`=kg#=-VR2_1!5q!_YJecZbtiXZG;W_Qwft>hAK1t z{c1`#H*tKSFIXnw2^hnUfSBBh-s|IS0Q8DU!6^Qg^xIVgjqSV5L07K^yH3^pv;4yw zmxo})7GC)lIQQ~hHYcB2ztiIQr7~ckj1K(lk3jyaC;`~)z-_Iz+`_qH zdZB<8MIm+amM$E&OVIm!4vg?#Ed8?0gYPBU+n>H3u%!JdU|CwQ6l^o~~xm+$te6&>J?A_q6h94Qm%l z#InaV4fCgGvBZXH$f$s7Tq;=fIUd4ecBe7_kGOyGAn??xC^#6y`5)-;Ir&K!s3j{ukb?rhMG zVjPa2wk6N6;SagPm`E1&Bh!kCXU`)OTK?Vk7Gk^4RwiO8o%S#Ahdl zfUxz8o~!$Z`A6?(x2Xiw8bB$A*9)G3e)<1d(Ej?nccJ<%<7wIqe)`U>uJ!Ew->+4x z&?W!|`C(anJ+tkT4W2tAHRv~FWWU=j$>%e-sfC`{f?gqg5z!=QzI!P717uP(0Pl#G zmB(_B={NgnI8Y+}*68}dIQ|eyb!#F(t~J-KJ7A5)9^`#c134Wyk0-4;52xm?p7kW~ zDMrwW>o)+YvF*(dljCR=Aq9v(*#@Ke``6`<+wXnK-#Jdz0|m@~*>gaPv;L8nm zSk926IY=LB+K##R_zA$8h0XViO*i`b9sMr6 zltX*IaOhjCDgDoPPd}kMJ0ap1k~82dhw1<9_p2DRxWa9RgGlvrZeo)e;z1pE!$6WU z`STT@{6NWIAll)w@Bhteo{Luv@$sAuzn$7*_{5c0Ir9qIHyaWdHI#|Hsv! zrh%Gp4JMa)mP2drT3XHMmDbp`D;_wnk17`e{70T?*9T{`hL}z-uprDXuY(n4gZ)5~ z5J!p3sHKub_kTqpJf&n4ae}D_mKm2;K`ubCfFP-_CLk)J%L%P z@J8rC0E9eceD52mI3)Kqe`Er1!gj(hlqRYK0#Ni+;BmN?nZW-dg*EX$p<>-ebrd*& z9iBN!5si(Y8e$EY!w#3-MLiDg-lMcodAQd9KkS3|@jT{vxA~|0G4d(gBDH1XDR>d~8qSCyrg^k-Tkj0jgFjyHmG zh27{M?rWvb=|hvGmXEP_A_Q5tm}hrOs{CBP@r`OS#vTvT`d$q15KaS9{RluON}M-c zUIAS>!`=rt6fB2@wVydL$KdPsFUmMF{lNkl1wB>5FM80e#WguCY&`q&l<8(55CI$i z@`gp?Y8@b7#txrxHf(4$P_DY~j5DdJZcmu?qI^0?MAN;W^k1n8tHAy67&I27 z-06QBzSH$}+xOZNjW7aGIc-@ekz9N@{)MH`^e0PUxQX=8?;F7@7YN})s(N|a=X=D< zl-6TNsL$^k_yF9xzhwV|qhL_a@#`z0sz}-vQ0}%4N2(SY|^9DaA4w}0mHc#d}BpEwGd zPeS5VEfUKRuj@!llWZT13ZhQhLp?e_hRI*tA42XNjpi|Y3ts=B#?CB@GivrS4b4WC27H{gUU4(jcISWa%< zC6`H354@w5;p%siUp`9bqOcqd13v2`@=UJ20KBcY^wJkhVU2iM{nX1M>ifjqUFplh zKH6HJ<3R(IQUjpz=)2(E1bU?B@I$u3#ajl@GJ@nZ`1-XEfm13lS9(g3`)IKphDBxO zxp%kM_rtqxKRcqrc2X#D6`W2490mS^85FZGm!~8@8B{SoLMHAtpw98VZ@mPc`sOe& zN38bDL`2_ngEdxBPipdE7#bJUg1kRe(6(c%THM1oGwW5;Uo;*JDvp3}PC*J#iWwDl+Uu}qWAoZ1$Fa8+s+uw{?NEG9 z1bUYM8fj%@%vl9j(J3-7JFJp=THGSSX-2-a&9iyi=U5mzS$l53UR7~eKbWq_*0bQx zmT8WdDOQQC-7KfYTl!}jgCm=KWuoIO2YBp23@`poVa_} z2ArVKB$H26;YtrVifx9;e|6o|_->ixeKa9Q0mRoZWodXYkamqYjwtYnc#9O8<={$E zLzP``nM8#nZ6brSia+8Rb@^imv#>Va?<9Rbpx-ERbOOvDyn`RwHvKJ3?r#A4lw7r* z&zv|&PmPO|y{6N?!ZcisV_egKr(%|!66j!08t;67{^+STMpM5IH32iQ?DOZ180g4e;R-HMIPk`PN zZW;})`E$wBoh-WMjnK7f;8|(^2jwBmP?;gc!B&CyUC__gB;`hZRDUdl`7fg)6E1R^ z1hbkuzyi20@da#roNB&jIwoU?5zD;gP~#va3=DmxBq>G^)-&ZZ<_1;`lj73-mwIpI z6W`%FVbiQmEiwXM9tYdSp5L>Li^<~0g%0vHdfO8WFxoD(g(?jH)2C4v#PfCk9`O(z zBibXF_tD^9U!ws(z5x5{x0xSherSk&d(e%#-HymOx14HJ*s}iM#Ekz#wO;N=9JRG@ z?922e?wD)?xv^plf)BbIymPnrbP1hC=5V5M%L#Y!Bpm|y&qNM(6{uz@H;zT?<>hNC z=F0WlL+Pr(jV{9L?T^||3`Tnn7O6>lX)jXmSJNKV>la6Ry&|X%{*S4#Lq))h=m5-! zWu52mR7bPl3nSop8tBTR{XS}W<$T&7JiIA()3mS?Zl~Vn3=O!6X^|4Gyvj5ny#V0> zQ`*z|F^I+JrIb^S6ynSd$qYac8g^i#{}7(Pkj`q6`05#h z#T$jS)UW81f`(=HaszJiRG{gxDU4V4n-OHqGjAl^Z%&g{4s1lG&~MrEmm@rIt*S~c zInfF>*E`BN$51X-pVUi5f_IvNf2}VU(y*g7v*z@xng_HbF?Ftgz#?pVbNx`zS!&^7 z56H&S4p#vXmi^voPE}x_SvO+dl4^i2NY3~Gt-j4(<*?lh(~EQ$u7I@* zS`=S)8C(&N+QthQY*CGb5N4zGM`d42DK3K@?TTghNK2PsdmUHBr(i*gp1|+hu(%~% z1u@5i+4$%p{1a0mBhKp*hDHV=t!G~>6y>R%W6W!q6p+EDi|Kn^!q28N^zQz19Pbp{ znRapWYcXJOYCor0MlI>ZUtZf46)pgGCNS-=m7#_ruyxF zyl9*iQr(%YAX@xC@Dpf%;wN~hSTfeU=P|=_t9EXYD3nTKeI-K3Ux3j8G088ZBmAta z43e{pb4)*h`)=zvW*L7)PqZM{D7vAazNtd$D;Nh8Bat+5o1*lhF9E0Yx>)lSkMt0^ zVm6Z!sTj65rEV+0TNHbQ6}$j_0yTE?>TImh!;Hj;17GSftj%l6_A~i_VLBztN+*|2 z#0rL4#reUng-X%^i*!1SHDQDlvMYvBkf6;@^I}?$9iY?htp!%h8}8kv)BymBZi=vf z0#J}tmA;z#LUW5b2Ln}kQ0ivioW|3R0PtTkfC@Bz z4>u>cOx~iS3o5;3X?)-Rd-Z;wxIxs<_yUW$-BV#Bad+#U&xBnlc0s4`{6#dtDe8fXWaT)!n+J7M<#J#JupfQK4ru6 zVhh))AFwz1#tpyt*9dl!FI&B<%jY=rM4P>1_=eg^dcbEjV&IG?dP z-$r8gK9%Tht-jcufkJ(p7{cvsi)e7p+gV=9!5#I1X#}Y`@(ERl7Kj#v`d7{u8Zb^b^raQhhKa+o4lNIvm%DzCahsKauY^t4+3|ROykf_0cZk2q4?8g$YM{EWSN$Pm8t zaFYB()~VfrY?Yw<#4y`ywM?FE$Z>0!MMb6PY&lGyUp8gi=94lYe|mho5tdl+nGs<; z(${i7ezT0VE;(vjHQ@8d4_AqQ;a-S#HI-VN-O^>0y5;BQj`qW6%DIVZ9-NVI*^$pU z5H_;ngv+`t`KFI&Evs;s72kc($HB+OQ5519fh=b?EhA=tZv^zS4K5~|Cw{F?`^%JPDs0vjEHpf?9ph?>XZXW?LrGb$H7d0FFuV>Oj58saq%I z^@V4|oZ~sUu)_d1=>wg>Z<`i1r?Mya`m@t}y3k4dxKs6}%%*m!s+SM0+O*>7j)y+` z0=rAqEyqUD>h5Oazd5GGC7#hv-7E80GTym3v*dpd|m#IJ1KI7cHo=&5y z!06nNjN6Dn)Uj$@mq*d_V>X7jzgXqCu(RTq0@D032uNC39q5qDX~cKFdfLTEi$|I( zH`3;~CUvdNH1+Zqx>qI_bwzn*J3X-Sr?Q-HkZ&aENS7RmRp!E8@biwq;3e%_M|W>D zuiGj%7`5V-w2R`|Ln@B!5w4ozAEj(F{y&_(by(HgyY>r6NehT{r-XF3BGM%_rI7|H zNu^6dKyuPO=?+OL0qG7Akxr5BddGC_wfFD5d%4cJ&VMfOVokq%#~9Cep8NjX;qBtq zb2#*05dNR7vj1KLe#uM-8s-gJ(g3Z2sjg#7aF`j|M-4&3(0L8ggDR!$?XiOHj%}K; z${-Mg-`;f4dDCzv#w$2ier2dwz|S1pMna^1F@uuA;mBcYik>3uh=WAqAw23$QeZk4 z9LoNgxE65-zwI-v<8!ec6q8ZHwI}}A+$;L>|2IcNsPk`*hT{yXKkEnHpiPcXXC^sp zmO#Yz&dK$L*$3)itt0G8noYsLW^L)NW%dz;Q|2;H4RuubB`3iSNB22A21W2ua(Tqz z-b>9B$)~Nzx$WQLU5UJ)?De#y;d;6cI&Bw`Mkmxn6HgHXKiVNO+75(0&7H}XeD?qe z-FS%7M{T&^My&>ubO&#^5DLLj5a<2<-Y!{1eE&<&{`8gu%%5MUL)XOU#LM&( zP&mmB)3IqP)u)m_AB411BBj<V|hwi|HG4n^K{}{z;@ch?S>fWK7XI@ z!RNaLTP`I>j&Z)t02mUp-Ry`(GXzSgCciWb(nD*JK~5i2WX=z;>rbyipCZU?HRv0a zo9R5s+JX0Q8Gv)7oC7o|b|7)naorB4^SA9r=#TOLn$G`Uy;+32Y$C|Xj9lCFm4vYTAW zd%{>y4L5x<^H;t11>SRxDwA^hxB}j;3?sH{V?Zy*=l~2&hI09$z;pJz^L4RpCh}My zpmOLz*~E)K(8;1MZ6ba-1+n$x0Z6dU_pu3R=7ybm>qBXG)`*N@!uCulZiqOX$LJad zYB*l0ugu9D&73*6VkU-HbzPwtQ~JPq|GNBOaQf1(uEFu%$cc(at4G53FM>=erk9+f zRmO3=Lr-WFo3?PwKe4VF{Tkx$53bCT2`8$Q@h6e{&Ev4s20RXB{$sk!o;25479(pN zfsn#{&Hn$vaoo{JV=b*ww>=CaT{nHC%p%Pm@s&lhHuoiGtBfK38voaq1jAQl-jr)W zWXmJdp?iTJkOz#H(hAjo0Sh~S6_JvaHE6x@cf3|f(1ia0!Yy|MK7I{%A`r*(}MHR>(us@8uUvcq1i*qffPus^=d@8q(jbSlBDT+0jG~a zA7s4E?+*46rw~X(tM7eh(yIM#AxRCjq%yPogkr$#8wYru&|l2zdajM$@zW$7fhnbY zW(W{6hnh{Lp_^?PEDIL9-Jy#mJ({_Wu``$}8w1F=SID99gq^!@wyr_clZ8+#+;Yva z4bJV+sMBDO=2NxNLt6V*a`znMTXvZU;^+-u-d4L&E@%^KlTjrT-os-s3D0Ei#y1K5 zu*affipN(e6Izgo`hl2FXJn==3`Iee@J)FoE59ul5!+`Z`8Ez2DLlS+81we?lPyU? zA}@ZmG`;D+O1NTZJ?0Gjo=T@c&XZ!Wt7DT`(@{gB5dVbQ9kl5x z`DjWHIh65izuKX4O1higc`I`AJLV0uM?P$Ky#;h{oxVId~ie z?ybp*D3M$lej}7=>hY0k3TDjHk5^=M%Z^r>vq9ObRRgB&I^OOB4WSAS0^61NTXm_i zHl?k8PWL?22CE?qSgYMM}+#ZspU=_Sr48Q$kGVcu2Ux>%K#1Y zs$XbGBDEVY^+QlU(7yr}JZ%`iD$5s=1k^40iKh%@0dnx|LloYtC&M_=x(H z>}^*bzhKmxr@VnM5;7X6=a-)yihMfU0S6#D03|^D?A(gof>Z^D6Hx8FA_Ho;B zs};XI#`sZx5PwLWi^#qsH~UK4^B6xNcj%dSnWI{cV1 zP|q9csuMxBH!82;2Hp`RZyt-G=WuIs#~hIaI+j9~F3Voc%U*n*yX%#y+Fv|ESa?^N zjE2Nsrh7!htKy*d!;^HqKTLp@d-1Q!4syX-BPr)d{FIBT19!xcM$a$ zdz>^F)R!yM&NqX=vYM{yv&4(dFetI(u8#ShkQ%FBrQ4ayRiAaRv|))_G5J3rCdmp* z{KCt;0oikFPf4zvsct5z+-OmRC%>jjUp#D(ZwH=ZLov0+;*zSc z`}RNqm(V&dR(3}t<1tyrGZRtvK>LxGE1!F^xn1YMsf7B$@bcq$b&5cQOfF69 zlQ%#Ipo!mJtA5DJ@X1Ec$~py8p%|za{4|~^c+(TUd%liX^~3RdWQjKM8;%!s1IdpC zNZp|9kID4Hcd|tFQnuC@-5g0Hv0tdLH zfrahoRx*ZU&L>b%qgU&2eRH{M530sAr@KadZrIa74Nuc8LcTkXIiTC8baal)g}H;G@cy6TjxzVrd4~@ZR*(#H?2F<%h?1j#k^;}_;3ses zs+)F4?DOkaMx!a+EgOWXAC%IUy-knL4YH|B(g{&A@W_#4Im>5?{ zSc0Ws`07YLD;6&6W<#8C6UklT~G+srQ3yc@pJ>?&+>VL1&+ctOfS%}4# zWqDoKHOX!2re>BCebqE)&TWRx6Ttc2mY?FblWPc4LVkjL3A?V|Z*(Z+oi){Q5RSs% zXcR&x#7Bu%ed_%htoyMi0FAP}Rc%Ij%so`>nkGkU8+X+3lA_$;;%A9a{a9j0e3{?~ z#8$Xw8ZR0+2g*QXV+%Y`&Pd-0EYr!rIRSB5dGbIjAbn1d<_ zC$5VSqrLa(a=MlXT?0LZ#g}uP1w>vyU*7HlAhdYide-%*kLZ&kH)`x5PNC8)gM*C$ z9SY~FAZ$!_hm@5@$&#lTFifOlWxsdzXoA$2djDQ?ONO`|?~N{!^tS7^)MMii3L;Cl z7<1NA3h1;Mp8)4!!L+HRf&c|COq#526KKr{pm%P5xwZ1-==8i79j<#-gB3NAj)^z` z9~6QxrTZF9V1K`(Wm%DK-WW+Cl57AE!T3kL2Ctx>9-onX7G1JwrOgBW1;e-dGA_Lg ziS8Xx_3HN&FA9OYUmKvNddJgM-v^0JFEtQed@#c~G^NXhlU9PPI}Qf8^`=}{UK1sJ zoTHbgZF^U<0zfPMN4bo0(>yI;@cDR9D`<5&=#MiWU!Qj8GzDnK}{oB%sqgz!*k8*+81uhlQ_Bo;g1l_*dCx!z(<$Kf_!{s z7hkCtWxL*I=kq~g%$jhJq3lF#NBqT!*I&Q$4^*;oFHSx5UGCD8{06Kv!2v6uB$v4Y zlNH^7Y_&k&^=lVa(X3;`Ev4j50N)P2aakX2-o)pc!wY6M&S|;o=YfpgA!%l&*lKjp;p8yD*ozH z2%dTZbSUM(yvyqXTG^NFLq5>+?huU;QIfpT5f8^OKjz|}0nt~8XylpjB7HYWx?=9< zHasoh7-Rxvm+S{#7)y9Kksdw6)fbQ6c9ejZf1 zE+rId03=xF=mTtU3|(<2zgFj)*cDKc$!wDDP3tm*SZJ(eEzPJNbXbBgK7-7lj0$MP7# z(M`E00ftWJV1hq)PsTE4otDE&&_3^a43x{1Mh7F0aXr>*@)G1FvRURZ83&=DqN3a(p4>+6nz;xSXG1r-p~#bY6xU!MoNbnHct z2@LH8QJD(~pbyu68o~lyZ2Y$7O;`#Wq9SPM9(FQo58EKCoyK)JXnQ_Mdbk-LTAT=aYCz2gH-78K=k{i@h&j~L6sgqmwS!xeE`4v1#iW+(VCh3JB zyNNfNp5HL%_xIytADCzI5BeAO-S zO}FXI10S$M2$`!D`=dtc>|OwJQ&dVU!!>%JJTH?)BA@r}>k&AT5QbV?bO>%&k&!oFuV149(l^n_gS7s zTLSy$kGndfpB@S)kX!B`bOFs1YR4E(bVscErDDw0in-w&BP+jKE@LA7`ID~p>2aN( zO`y|-Gz#RZX_7i)zD~R@v^(H7#9YXwhJnY({+Ru9fRNRM+O$0|9y8omvo1>o#)9na zyssYciv@aF>>8Sxo~23*8MQhB!L%f6+9rUCRYTGvjzO0%_%58^AQh9U#{3&6+7sS$J;+I2Yye=&SSt zNCxPKRZqUkq2vrm=X1?-j`Kw2wP7R6jg&FDcpQD5BwatpiV?MtC_6VC6gEwuD_sU} z*jJ&1_CpV#KpyX7Onlwv1(U-}d_v4>1*yVz)Mx5>u71|;G6;zH3tm-8WoB0+!pCAZF3w~Na};kXLuN)&K&K<@CXnO-6q$a5(kz{%e0B~8Wj11GM*SE zkRiLmj=E<0Zp3o#jzAi0=MiB%_YqWg*K{>apA7&J!X?XR6uV-F|l&va9V zO-tf(=QsyH0cRvU(xw316?78Yl2~l56Muw3o!#&yORO#%H5S-QZSLjbox05y4ld+ovs zjH+fMcV8`-+#)jyF5Caf4##q9!HF~X;l!Ed-^3XN7@I~R1l*LX4=LAs-D>BeB#U${ zI?~-37S+653zw7R`_zVN50VnTS%j>9Z*aEQem;k$skK5JHF35UhU0fNqUoBe?RD(yN2@m^j!$r#Bu$%GLJ-pfd-t>`2!7|fsG&|@p zHPv1ka}$X37bE&5|5!TEgVKQ!4~K;NGwoeJv<9e+45#Q{n3@JP7f=Z$u&JURmciZt zz$_kY2}J$?%7QjArn?2^X>#hHV1!KDC)(D(u{0NJ@ch3c$M)1y zINdMp2dK~3S~vX`!X~N$xkzVu(B~$LzB%?#lx9om@X9M(#xN)#`D<@bb)=FL$XK~_ zH9LZACSy4UjNz&wNt+@oZY?5oDhoNkcEmfVUo6vGN9#rGt0LM!`T4C8!+DZ<9g|0< zYq7x+>3~AXq!96Nf*ul>|0l#Yz)j`()U0Th{UvXfMxVss^lI zEj)aZY-3V(RE_ZslrE*`oGZuwMFYq8@Fk%1kzyaFrYphXtZ7V@&T}HbOa@U$hY(i zF6oFN)6qg+YyiB#Nq}&pllIwDP8C#>+sRc=3HC7t0fBc?80sJ7-dl&$&UU{`lY+J=Ov;7w+8wXt-M6Y^#;VeunL5njs=p z!#abtSdca+A2#W(IYk|Eyh(O}&As6`6>hL%8<$GaXT?b!J%!?UU4d8N0c(jfaO9%a zNL_47a>`*i&4VvKRD4DODFXFhB#2q6T(S0qZaEz zL$MtQcsi`I=+((CjGNUq5BIBH`Q({9qOY?9o=;Ya6bzDS*H6I9}4`!j`aa0rVSiv&VoeXO* zjbJ9ATp#;LJ>q^)b5i0@l#Tg$|8P7-ILm4qrD@4!7SL~O$k{+YlMJPFvDp1RQ5EwB zc8-atgnlVYCNa}yJE+PYJj(~vK$PoAS1Fr`hn9A1T^TpY;@rBWJ513;eJ~Uw48i;$ z)|Tyk+^6*dEzfNAa|DX%4%>RcMRB-sEi(WotOXW_4%z6D|FItKGtsX89eAV`6jd{&?JOjR!}do+-j34FC4kX4{!c9#x-sg5-!Buosktw{&#&~L}#jlwE*lHCUb?xx!+wrWjr1jc` zN{>eORGF{gp&~eAB|P2-x*v_b#UamnOtuaulU1*n`3}p2>@gtdEUE_VGrP5{mYtlG zl7?qMMgHxL#i;jUdd&&Ycu8Ka^&IX}-9k26eZ{fQtp`nl;E}YMC=jIcAK>lGvg%2D zX4-r&A!I7^0W<3?75kCS2og-|Mdo0GNNg`S8*EZT_G!2L&LbR4BrI9r)+YlWvq+00 zStMmf^nvQ3Oe)U)2+wpF&m}nz6}b)j9)p?Yu2)^N?f?%x!Sx4CDVws>8R+pUc>7Pg z)w!{M>{^>f^Uv~L-wPAC>AG3~U{&_|H9TV6rqrJgt`D*eJD@C^xXbv`OYX1>hNd|cdK+t?>=*Yj}P}C zvrn=Ms#l63>LHcO-NQ$vQvGBva(*>jIF(-W78L|}u5zq@Bo^rr(sj#T`-(>CZsaSn z<_fjR*_oE+nLq1z%ecn1_O5n?)0L|~AH{{0!(i6*Is0eJ_J)!4;fl0uA!b`#rg(Io6#zp_5U@V!CWb}OrF@xfmE zp$7H{KUS57ZeQ+%CdS}%f%MXCrgc<^(L4$6bn>=O88_X)~&O)&rQFi>4Ze7az|83c=!meklxr@z=v*Ftp1t{HS*u6F|bGEcyMK zcMS7AX+W@;HVGw@Z|E3ko=4M<0qL*Tk+pbJZqJ#Hz>sn3&V?_Qhmoy%QNMG#zCCzY z7YQzczjSH6C(bG-);rJs^H=(xe?A5onglDJmGU6+RPlGGhs3BwFevjgjyY|=Biyz) z<{y^Ds1Tc5*lL2qcga{jo%}j(YJeu7|Df|F_rPgGDiP71Vs+DyOi-=O^bn6}fdGGY zHiLM6tu}M%4z-bixD`?X!TSv(12pIQkZ8S}gTVP7GOm zzp;L=EsrS)i`2C7R*GYswJgozs`MCn5;~Aa@$sx?!xc}gUOz-qzDFJr5iU z%xxAn#+WQ7C10xFCZTy1H9O-k8O*O%RzXa)Rw0RoC}8(g8?=+0w0JiKRHUIun~dKJ z$c3D8#~AGi15p6}2Ow?680F({AU_BU5U8d*Ow|1<;Te0^AP!e;_9~5sLRVQ-!;Vr7 zAcAE}K_>9Q>$V@jy2h$_QTjjpAEKTRT&l7flIod3Z(DOqf+lOg(ovHW9$qA|vct#N zeGVN@c8=qh%>&j)JR%0XdEkT38%*`+2$lU;nYP?(iVK3hl z%4~pVD0ZoavQXEXTL1tm+O2xaO>y?3#xkphg{%CN4Z(*pW-a1_(KXz7{_CQeP@!!- z7D{wiE2U=nl+5R|HHHOyQWIji`mVM!P-Stl&BT2*%JJT_wFclNgzX3`R}WEpdDxHr zW&pY0%+8g%6!N!kl21Ok*utD z-Wm81^WnT3-0MM)j}*v0kZSSc#1r@QZDT%gYAA3;*suOo4Q8XuqDMYw1+pn^&mlZ< z)6Y2HsN~uQc&;qKFhMV11Z#C#!>_-^R>JwM+T$?b7{Hs`%C@aGm3P*9wa|b z%Rwl}Jh8eBF4k&zy-_(|>zki35qyr=7g%=wd`^_PN~fOEZqVK5TVq8$2jAP8aiwq7 zPO*(O&|!c@z%pt#LFcBcZPv8h=tv@avC0Q`w~b9PKcA?lkZyzDX(Z8g5>#Mm9}Vji ztm0H)G}o(h%TzaeXnBJXtj*zSufR}do^%k%fNW%(#WYBWw3SJyNT9}GF3=pGfAo?| z%RjS5!X9_~&480pYRLJI&!GegTd@PYW5V5MNV}sb5A^Vo=%*-D=Ye;)@aMUTmh&Cm zy_%`d1D*_r%w3Ou>{i(9dpGFC)M`$nIwJW4m?70P$jl( zb4|^44d533(a#wD$j_Y9Py=%ot#(WmocDy3vKN;*r;q?NPcJWPl`PwlqJWqZx;U1Ex>m|^}m zwY)*a``;cpAQ9Z64T@OV_2mwRnyI8%9*=_sr1lqH2;9t%F%v700Wf8HDznAU$On*| z#o85*0zk@)vF>gx|LL~XvCL(-H^2*NsayJdpo~mu1Uq%vM@P!7JKKsHKCIchR9+&p zOh1e%1J3(^(N=7y$+8uQBGzm5iNk5U$D)$2c*$0&b|t#ypdwk=-E+=xegCXs1YLhx zc=D$7GUL@Vdr)DVu9+Qo0JNCdJen}E;qo1kh{EeP1-V1ew_mP(Y8S!Vrv;1~$-ljx zaP`Lf>Gme=a)aCO&p8w5nUqU8Dm96g4_Ys_SXERhb{~p+wh@;b=*^lk40N_3AG(!X z8eOA#q0bl%g!`1FOk{Vyy|Zj3It`4!!!P>Vdi>A6aAC5K>keRBf3PWyD@>n8uX_1T zoYcmS_>f(vLb9~^pwEB`iAIV1kBUQHJEXy*U=EIWWND_x$@9J z{NF}@YE2|Klo;%!m196PB^dOG9k|~AFuVQduS*IeLtwF38viXyE8s^&Hw4YVCM_;h zY|@wKouZt$4Zqn$Wr9}#o1qE_2Ze$ZjQ_E&CaK#h)%gl|hMAGTUo7ziNWJXrIIl9` zI^P1=|L14<{}$bhi2sgpcEP)d+rRlcgW$ zt>c}+7E`2<$f2bJwHVEo*#eyvToHZ8GvI31b0k&#&qpTXYno^M!QzuK@;tapDfaC4 zC$Q%rm=nJZ{?jZ3{*-*BG8vSj$#~uWMku*R8v);95jY02^7QRnj=^0dM|$`W`Jad6 z|NNlA&y_SohDbYW!5ifYLE8WQ2_~?>6NhI;gw`5nF91D`c0C8{M*wLzkLMl#AH#s( zz+H!uI3W{rRa!qvG0&I$-uC0L_txMEgff`C{zEd-c@i3DtQ9Z`R3;r;bn$ZSMTw!(%6Z4vo3fPZhCyb+L}S%bKTu6|+H zp9R3)s(o|_{%Yp_-OS5$fUw_xDgpojU}CTT`|IFa)FMcj4>+EK_k5q*ch9U)diQI5 z1j~Ovygxqd->U$CeZbz*k1>&+$mI0@AMT^Ni(G(MJ)c3{ukwcjhQlmL^Fc`?%yncfBwJz%g2hAK*TUw8%`Ah+@XJeh=2O- zgpgl?i-C9X8C(DXXj#b*2{E+lk6!Q2>%;L?sN=ssrzX=LP$(31g+Gu@$N{Ss{)&BY zbO*2!@SD|*5&)zlf@2U+^K@Pk5IHo#WQ=xskN)m+c?8p~Aj}6uu~IFa@VAVb3d#NU zs=;o1s&o=qnKD$m2ZE5D7%N_Hsvm<*hR|6?UpB2g_!7j4-|zNx06l(n){+WozOeTH z7i8MjJ4v3F3O#`E)TOvD)Lek4Cr=yUFsZ3sNb@*2km)lI{L!j1AOX3Ue96LOrc}TL zToajx&;0_RQA&Eq;4NG*Jhh|W$hcZz`kQnFhNQ~JpnUv`bOf@068<6`QRB^@0&1Wt zfFsBj0p+$eylglti13#>7Y(ppf#-u2gAQ{w^!Sm_xdNZZ!Af>(TmT5JF9de+X7}E} zy95(pP^S)GA4N(FU~r@fHf#GzVzB)+3m*;u6mv7q9!)CCMsqi*jr-0kgL57#{Acn; zL#aX-t#Gaoffn2pM>vK5XS@;k(T_9Da?lO6(5RgMXA1(miC;JUf(^pquJXmT!%e;l zg0v(^oo#Jg3?`cZK~coXh=G+M*kmw329+`%P?bOSFaZltt3B_BFv;>ca2u2o|9E@& zel(=qs~XkoQL%uob?Yo1i8A8o&? zqDCQ|_Wj990&rA(NP{+|lJUTPxtdVCa=_@k1B8_MaJ$-MvG$|gX#j_0blz{0P_hWAC`|6q^U=g9j1T7uD3h>`IJ zrfDw9a5fcSFlls#;JN|I(Jg3AP6EmiP;rUwKy?#CH~(d8yNZ&0?1hg_V5e@1`09R2 zOn$oO*6pvxP%5b=WFm7f0l;IqjlQKHaX=>G(6h8tmE6ltpim@JIEBM_cj~?=qmF0X z^Ybj`Au%?px`$jvX%E`828$Mr3xoAwW8?=Lqx>{;xx4L8p*wtIg;3(l7`&f6&o>B25gKT&>%D5w}3Y zarKG@gK+pyj*V!^Fl17B1Rfa<#jwB2n!iu*B4wkX`&xT7)3-|xT2B?7NV4l@OfVm%lMF4xlrq8QVhvOi9MU?VZVl`CFEwj{9TJ$|JeNGfx4Qre zhdllnqdVYmd;J^D1>TR3?sR7x7xl}L8UUH*$Q6P1FFWbidzlF4uC__s|M!j=C$qpL zaULoR#zm8GutXAlVkkMl_;11GB@gr*{9LwxLQ4y-ZM^?fWt`DhIFRZu+@++~J*bc~ ztP!ABOQhlXo$x?MHBbaR3XTHtna97rzkuJ$S%R;xcYUEsBXiJSimTdAb=Z9n$vbFLZMt)3V^|C;O>cqb#tHw4@h@u-;;LBtFdN&qtsThCT57-&))lZrfIfcQ^{}`k8*B$zkh+ov zM*bt+JbhQu9w4-E-x1uZe+~LuKKBQ*;WVY+J2pUF#j4?7j&rl2cV1XKEM z`u1ivX4s5w@P4vDXcxH;FYLygY5amjK=vK1~-=0rxxuSaJ9+lRKZi5C&&J|SK zR0(x0l9gSgKGUwl{ed$=#Lku-IVz=&y-tnghmW89_|Sy&_H4P#d!TonMJAGJ^jgY8 zH9HV(WYr7sN!csw)|^1xj~VqDEajCt@K0a|^8CHX|Dn>M)<@Dz#OaV`C%T*AzI1mu za0qxi$m$FZcD(FsdXZ#1t}>A`D&T!R#jWyMRWfrXt@+-rZM)V0rKJ&JUr`Z zyZJ++oMm$U#UY_}@}MAfHvT4Ze#sL6E2{;;sBg@JJCIx80VKyj3I>sT3;ZVuw*Uu) zZ9AKMFM1jgD6tcr{VRZ>%j5vZ`tDmU&L!&7D!OpdZN+3e;@Q|x0wy9BIO~qWb0bT}XRaOm z>fmmO8x!7EY!=k#n+X0y0OoQS=w=93a+^qy$)W+AHuNUoY$Fj+Yq;UkS5Lc&w<U{|u}`1W#1h{Dbn^j%mGjC1&CAXn z_1ZZLQ$6NEr#lJc0mf{1PdGv>oPpjiXh_Ux?HiRn4ab2VKnDr~k;x=rh#4`2u73pa zSH%H1!e7XmUNC9w8NFqv*wW!c<`jAwuhOv-a#9877^mFn_qH0zl$yU>{lqO!c#LJ5 z$9xKQ1{PNi8-u9I5~1?0W+RYm+)?YMD>6NRZi>UH<4VVzvu>bfK74Bt@SbuP%+X(gN^rJ zy3cy?cW(jxmlYRTL_kFyC!hcZInu5jjxCCIKhGOjR{I4s9;#vhP6uQM=~XdLzP%Ho zUn{8nwP#E+MM(dkqHSggjJk_wZL0^R?e8FUUH+_A*%#f~0n1_ic(<$V-5vBJlXPog zJzPYy`sN<_FXL1nTfyvTUXR%LQ)hLT4#nwPAOgB*54{}+vllar_6;yCQIcv?YvdUc ze0+V7*c#Wax!(#_F~+tF4D&_EXHVocwXsFdh`ao=mUJFrf6_0*YggX8mZfBx&X90} zEck@nOCr?AbMe#4!Pa|HRxkEvx=y5?_on1c0aUcoY6BZ%o3w?R^v!#NiH~r25aw|p zj1>+KB9X;33WnLIkEFarY2ivJxbl?xv-dgRb|F zTW}0~Ui%<}T)JA05bQ0KeN&qWk+PrZB6@89OLx=CIMRO}tGYw)d;|N!f9eZi$|ou* zn@TY5uAF&&-CTobD`j7Go+xsA3&>-TO?XJ4fxcwg-uT_i>6E~~`9agtw%$%3ZXxe- zG6m*L`XicaeYFvH^c$4z10m-d@6VlL56Tp(f6hKB(yS|3e`kS9WIRkKcbRVf6_Kul zEiaI%l*g*hc%x^4JDX$c{q2)uX?sDU73W3}SA?&hqDdd8kID1m^yPfUHt}+ZV7>r3 zX6yBiJscr)VH#dfPd5xyCg}YL*J-^{m>&aWlnB#ZGTuw)@(pzg_B5Y5McIR*T!-Id zg5)cXHBEp&k-5t2D2NXA3FTOXYPr`5m{@1Lv(VEYoBbi}Xfj}KP>$k{No7((oN zL~w=>U^C!-(ZuY!3=2*mO=ZHF-~C@yk71Lj@hRP-`TH_N(73H{{~ zSc-88RB}W6M?JEkYetZFg}yh8q2p8uI;YzY1v+XLtc|eB_#QI$(pC#Xh(-3_4!1rU z7>{jayRew08qBgzQ#S$}g`oGa;Wi3j@y_4ulgmh>kl4wD2WN*kI1X_j5fSsN2Z zrdwhcjfC-28$=HY$mH#@Y?z-@cBK3%s8gN}Rgb=cQ(*se?S831E!NcISzASjW@o{f zLdQ4yIS+9V@%>h2AsQ)bg4J*wm`@002b4~Sk&E}GJ#5m8_bj2EUvQe$A;wL@dKhMcixCNY)hjra$gC|i5o4bL!hpE8T`j2zJ+ z%)5t9YLue~{+f!OB7Zpyr>7C^tEho^f8UL1q# zm}hc;d@oxO2TfX`M!sjVfud5D+GftLU%)Gu?wV8J{@#HjO1y~@*tLq_z@Wib#|vAP z!vGj`Ay|kq5--4;#5h^A(>Q-0Ch;2>l*QrT7=}ombAt;@pDG5ybdqU6`gMzmB_yq1 zbRXNcj8>Y!B}RytjTQ>I)VHF+nhifjBQVY{b+CNWU7xQ-K2TRccGdy zd8^UF(wOAC!wMawVh)&dQaJx`N{_oZth2eE6o;G>*AMnR7iU(>cob=^cUe!YJhbck z3!!z3p;RmVsd7V!TCh*PFy3o}Je!#NGCf1_FKi%C{1@J{OoGTW&?6rzaTr$u7koQU z5GrB~_{gI?+aZGv(A!r>D394*cG|{oRyc-XL)gwbMVH{0ID1nxb1GwNVQarh6*Mvf zyge?80lE(4ip|`@Cx_(eGI0TW5pYCMha$-UuFZS2^pPK+A6haPZW;+NNkko1dBWrL zqGdsN_Xd3Is(KmcxwfzZNn>n-6O-Ly&Nzd1W}$7}tOKeYwp9GM#$o4hlSNEm=qu^$F%ivQ<6rI3`v&mAp;&I9pxOVUeeq3(u!;z9hpA^42TTW-u z@(2KTo{Z_bMG_nAx~_4{@d_?@mzJpWDxjnf=-KvnrEavxf?YO7q}tzZfIdxFZ^zXd zXg_Eig-|>r7<`rwaltqHY+iFkd}l|f`z|qVChj>XFhs{a+%s}6SP#?pm9txTD3EhU z1Zb3wn%q@}LE*|1HkSOhMX<&5xT=G!D^@lm?L-jQ%YVBeXO~yWFWXM)2g%yrRgPZm z7S;ujGi7w>pqkR5S7eqe(YBeuK1@2c9DU{7$0YbN*8aAHr9O}EUJ(es=>9_zSxS4rd!!Xr6+mZdY(r`ovj>7 zr=W2Vn_6La8c=cca4RyES9~x^bBo~um?^nyzd}(mFYL3hT+g?jL$Vr zahF!qRfE7_)TLxZ&d2P!AgJ||IidXx+qVZ#p1mmv^q`ztR}68*qI$5U4hWQ%u>8%qI``lDD4kpZ(pf{ofaI`e<%H z+xxbt8X^D1{Rx)iPaIEClhLq)%zVDjz|Dpoo5?|-{~>8BcI?V6?yggdpj{G?zmRUr zB7QQ8ju>b+pg`?8CTkpL%@sqiNKE1>z?d5^z4|8@7GgtLraSP5>bX^ucPGoGxeVDQ zpO28eKfo_nwnAhbR!p0(M^7E*ZZo^#9(dit%M$!%JmoN}D|U^-i^#LO1mVzp%xchI zM$22TrI#`1{`D9#d6}PwqxLMPMM+Rd>5&>59Q~6kq|qu0S(g8e{;3A&pIZoVe|!xO zo6_NT%kW$w4`|G!bo@}WApo2ChCXp%o6K{>)s5Gmx_>U7^Zp=%?8ex0xI~t-%Q}6! z<2jtCp4Tff zEF9q7Sz>>~H7i@n@>LfFAWbz#q_5`dhe>F1+B|<%>pxo|&z<0^NrDlr;E2lBFmRHw zrx8`$g{HHAO#5K<2vWlwT}Q;5IO=rh96>7nbdrix*9G-Zj9rkxo&O>yP_i}970Ju6 zLD|RFXjQ-Pu2USE=@PK^@~G06TK(w5bUc=I2c#cgq797CJy%M?5soV&KR;&VK?M>v zwYCz?#*mUe$PHykwEC`RNyJ4&gv9Eee0B2bv?vU!Lt5=<#yK923h=pBdrX~9fr%QI7KFdd2BFk@3rQ72F0lbWFlNL(VL*HgAkWe#N_Aj*`%sP1FgG zTh-4&c^kgIgfm9Ynl;SZA8C3dV0`G!ens*w>V$n@wSf^9BzDK_aJMu;F}nX$+2Kmf7{7~; zF0XQfO@O%rd2`^c!o9Y@y`mJFlJgvXD2WL1y2|JXa>fsA^*%Rn zE;5w*as3)YLY6*wJyZYTl=x#WV-PXTyG8tmU0(J4A1ei^Tr!-D4Qw!+Y5g4N4mk3} zX$@^VlBO+pRECc9JIEn)F+3bdG&MG`aMNjXdmSVzjPdsrB2y1B)42jovQr1BR&l@O zVkpSMviN!eWw5b_i+%#1QpyHweAb@L+^KU9%qr@J;7*aX)pDcL)-Bzoo545KjYL|=k)w#RNB_mpIsD~3Wktyw zBWjDlpLMu9XtM(=Gf5z1?1{2$<+LbDSSIFUj(%r>n3bb`LBjGb(8fjyfq;rLP>6*y z7}rS;M_Scs2zl`{XMQabnxMZ@EixydxR5fduuz2seP`+bYh?8TRnU5;I7=pGSx59E zX9(^P2q3K|?geOzGzM|E2i{(rCi%os8v$JGF|9Alx_pjo)XAvl?QC|$z&ngaKE>3%MNQKFU6}gLP{tHmNT3j;LoBq-md5}k7NFo zAp~?W=Xk=2HHm5*VM%tMy@2yOn?vqeFWoGp&}h8$)5R9-qvfZ0+_<&wTHiXKzRTh2 zpIY5Q9uMt0Yg`G6a~;juYkiCFQ<;A%UNyqeOzsT$IteEP5EX(Mx;$pQ$nqw(eNc@O znsc<;jw!H2+<^rvRfn2Gj^C!rX6Q#PH$w_|ICmSzaO<(wv4bN%k3 zoflNrp{y;YhiSla)sZ?CW|1~V#RjgjIVinI&Wxp%vl0|%yK@cI79GM4+46{x8SZGF zZf2``(Fmd&|IzIFp(`N+y* zS9_g)oX8uv;w5fmhp$SnX90){-qAXa%q(xe;5o+Z0_B zti@;4=G$0kay(+8eTNbG-4e1|ZuAF!34K>J#~rv;Oh2medAKucq*{E;@CEP;RHdgK zfw&ssQCahY#^x)><&a6O7lRM`B1m}HT6aHqv2S4@4`j~)5(Slu@U$~taLgfVshwy% z_sj1V{n93%OfcMf4?$*u>KW(o>sfWb&Ev@Z{kW?(^My7)KX-G4wGR-H8j|N4J#Yc} zOOH0C`J9q(-bhgGey(*eE?v&RxmsR+HoiDp|EW77W2#cGCjh|}(6mfq?f(yFZyiwO zwzhjC0@5G?N_S4WyOb^gB_=HmA}!segmiazhcrlcmxy!y{$8A1)9U?;1v%Lj4S6#5{>CbP z=b*~Gi&Z9sj88=6KwKxHexR@Yr1JWo)HEPnjN}9zWeAx1rfA>c=zX1^fVH6Zkg6g> z5O=6P@O4f_`zWHk?w*PE4}xz@LZ$#u+9sDCCX=W$5KqFeH%nfr7OFJsWZo#d25aD( zSl*BGOEt8}EPrO5xGM0PqqP0@@*B+0M|Dd za$Ui@*fZ9;Rhbbwz~5oiR7#io!e%}^MY|ivbEU(?{-I85AbVM~0SsWTpB|8PlG!_q zhD28N0cn#|ylNum_X^x=r%j`_F+SES-Z}0Q+<55><|~n(MZtD@b$jTw)O{!Zb*gjU z^2W-MSU(3f3|0cmiuR|?dd>y(ngYZpggYJ&C@KLfoJw^lm5g`H`-6&iCNm=T=Hl3i zLi98P(DntC0WN3MXBi4Pe(9gA@e-CtB!}xscdE$aLK@*l$Ra7pcUgy6$?z2P4=C#R z)XO=*wmIan`M~B#=(^#tTEpaP|LgPPt&wA_&^xsblN@I<<@m4x z<1>qCBP|leEXXitejWrx>sVay81q1*1-_)zCJ^2c(i51!3+_?;8=zTXAYB(59VmTrNbm3XlT8Z8=R};&}~DOw;Fw>t!6Wimzt} zh=o+=1>fVRQTId>ErH>JTlCO07_YtRL7N&ik}Rf*C=r!y9xI=NtrZ0@)!NIaosrMb z#mH1$8Gea$M@4g&ifew@m2*qsaWA|m9~*bAOTilFUU6Y<4PPI7v1+2t&^FDUU#Mra zz-ALmL?vIA1ph4>Bqo)UrifK`K5#QZl21gP6Ok?Ifk@%8Xz~3L>-x{VkNCcTM)wP# zFnJXk1(qw?Lz7ouA|QQ-s{Lq(8`n6Ut6)NR6oY)De6;_Rb@cpMw6n?wD&4VhR$39C z?u8E)Zp41^*x8(ExNY6R+B1Zl{XFQKOwKICrX%q1LnrmLrXm$gAF>W7aSik<4Sdg3 z_F+1WVa$^$+?^hjL^|HIYvf6xKBK?ps((yZ|Nf`1BQjTC&~rT{)Jd5Uch|Ta{A1s( z9F#}2&ytrq;cpVzjan2nm@*}rgRG{gDz0M2Y9>7rn6=eaabyGF?|oti7DP!+Hc=1ZE2nIWw|v{ zup+Y2)Cdi+9FHz!s1qS&c_2GnVx~BP2~Og{$t^{q5o+I4_ZOf~P{!x#p6jy?l zkOM(~dv{##shCJnR|72KRu$xO`#BAOF@Z+Sf+@e$OH@MnJb6|9jRxI(6~%T7q>s_| z{dRiM?(q^naT^)Eb=ZW>zqvSmVw57W{Gf`M0g~fAi}8em$`;Mjf+LS2FO3Z5DVY+_ z1o%YRK4*JUrXdYQZ(t#ORg-W~tAiDZB4a4;Ax4vi&KdZ_c(D|mZ(V6FWJ4c#K~EZJ zw-SU)yg$!Mz&U_1+n@*FOSxHyxiii>Da=(FNly*^(?vu_t_^$SCCjPI;P{M_k4N`) zNBj9&=r=GXI}Bjgg(3|@MupFGKp+aW^12i^{tI2SZPlGVCYx#YfcogfcidAlj4zDz zV&Te>d1F*<1X7|n&!`RuZtZ02+v!WRHvth5q(MBT_6tI-y0zrSYL_01&g8;)1# zl>wqcbhmhm+uQ1hw^hZ#SAu_%Zw`{U+CX20Diodb%Q^BExSncYz~9bUUeZ?Z)l866 ziQ>7)Q+^)gq3rlQL4^D3sUD_4@)6!*45q4T*ls6%U97FYqTPV1IL;=Bs1KHx#*Wb) zc)D)c2tFSiye!Q5pn7w4_OUbCjr<+));DWKrhSn~)C8kv=3gX<)&!?>giq(Y&hYQ@ zkcNQ@qtWHVKZ-%H&65*?wY-NgrkBu@+hpmCbx02-(4X~!O{Yx_TF9B!<>LOIzH z7Z<6W6c|pkzb`IVNs{*Y13Gpo?rjCxZ=tDU(}UI$wm$$9;urw}a}}Qesh+!Oe-{EB z7T*e-4a@2zP6}vm;_+ViM&T}^4b5?5qJ^e7^L^7Fh_r-Zj!Pw5zhm%t&(s%Av^}gf z>OHIP?P(^2^beZHT}dE(&uQdu5waBBQZY+9#~4aEgMA*z5%(Wcj$i5Cf%X>69$bBjD@j zcPQP{NwHB6AQPUPPJv){ngaTNTC@Zmc8H&;G+^6oZZ+mRGVQsmZq;?XGpPtHh_og! zs8_KRJq%=lMchIhx?#m0o;pTE#cJP}cCznjm;6n_R_cT|t(|?&5zq^{Mh|_X{qXw1 z^Pja>e>{f?%SOS3pF3V$lVPiTFW-JnM%;vGjWHgVO-^7`5OfmnOW@O`yJQQ1#24Mq zvBW`D=_RAN>_`d%dX^jPj9eMzz>75NAUk54e?C>k?x(kkGP$+?8{ycu-k>Rkp~JRu)tBix>=V zL$Cxk9%@;-5B?RiRsC+Dl0zs5MrvnxL)rVe^+CCFu%5nb_XAi)TfR_JC&kzMQvCZpDw9i1%IaUhb|`KnmtU49K}KMB-Nrefl@X4bG~C#>GZH zB4FIaLv9M$UT-A7`Q(R~&wJXCY!bn&qYwb4ch?)^N0QvPK;BRJ0hD)VEkNNCN3f4_ zs(tU}k&Ge}tnOl@iSpY7xoL{O$_GURiwt75c0l{c)NQM3nk78kt9DOT7u?8oy{;nu z_RBMtvjpw?7PnyWjE+{Jr;hS=W1xhb!7X>dn3@@}RQL0MYb8Xft~0u&q8clb%(-Fk zLxksW1lghZ4j}WcSqO0<3OuAM!}1^eu8{{v8*o~(3M~6i@4Wj+oLxF6up@cA?W{aq zmz?Jvq_yq)DT4Vz*DR&GChcfD{u_k^CIF~L=3+HDZYw1Y3pFs6^~&-DtXu;2YW~0Q zHB=UaOf2C*%v-i06s=bYf}*t0P8!N_F}PL55YTRbHVS|m%3M_aKZE_vG_8V8dAb?f zY1Apgz6&vVXAQwS3vU;c!u8QHyP9-?+aNXzhob(m>CfSC;?y|WHEh~CCLQCA(F{r?Tsp5;WS2tWqhkD{tUf4)G2?`o%Q4rHo?OQ z2|oPTNv@61^0h~rBP5&t8qCcpVVplT=(suVuLbk3mS_>6w^A@2`hjc}w4 z2BOTWWGye-o_ev>OmSRv{_+PPf~zTj+=&IKQCZv>|9z&h{T6ItBV+y$tO0?HmL&DvuKKN6Tqgt&8LiN-VOv_c`Nk2Wu|Ei_D7Z*hI*yAg$v-Mj@o#kfESh-u^PT}XfevRzf0!bKdJh%F`k2d_ZxGqDtg zY5dV6Cn$DyW+>VDZs3_8&zaiz!hKY?!^+IZHGc=wh&)#}JjphKfoZJk3o{>wq5bC4 zY*k52Ed%Z9eTyB*HNRO>t#P6f#4_QM%)lLZyX)&;TN36AZdtW1X*^ikEwn9@n-BLE*qZUYq4!@IS3|!j zlQYLEqIKZfDxqn(&8?G#+1fxWdzz$d)TOt4V}LX_!zp}e{@wourb*+;*#37ejo(s( zZSNFqt3=IoipQwcb9LrOH5YI}(Of>(MOqmGWuI>YR8U8pbv`)%4rUvw&2(H5U|xKA z4vJ(D3UUEg;6bSAwV#OCa1Ea7dp zEg5G(M(jBqvKguk!Z#Dp0?N7?`~wUfV0L`{e~qR2YFSeDn@huMjQ0PNOEa3nTah`k zhF{B*A$AK};^qr>bl`y>u$jfZgE$y+Dvc(LU+YsegFl?gKb52a>PWqHp|Hm)Si@#v zMy;;;F!e+0?I7{kP6R@#0(PQVnz*PzJi&>OqS-0GsR-XJ^h|EBcz&zEq9id<&earuu^>S0PJ%C+p zlB_oYgzTY-V$IzF`FjktTG%>a#rZDJ2|ME!oCw+-*|Es9;542P+OTKWH~gjV^udQ@ zTX5wW`zaszx1N{@=~#`5-dr1#^a^p0UYzaR1@}mMmDgW`>{(AkfXF~BJDl8WKPijgsiuOa?dqw>ZbWES&HGD98Fi(Z<&Rm5)d%5=rP=}Lfg)v>dZY=lV zmrspZUoSktVCH+$pg&xs;yk`>Nx^QTvt1K;mzbi_wJIEKa(Gi1(_l7y2FsNSr_w#a zIbK&Kp8RzTzN18a4K{Ws)_fXcGEFAu&cv4fsip_3&wPwcgL@7S7^oh)34&3DZ)gkF zvi>(shF?LdLcXr4`XYB^R+fo1KyT=GYuiOccD{XmXFrRo#>5jt`S)hx-#_=I{R1yE zAJ(yz)lRQD=nX(GP(jJ;>udx8@=2aZ?Lu4Rh-Zz3Bi{=hZyXv#Mhzb>N9d1wGou(t ztT65h6N5u>lsRbWXcv%6PW~Fg>j)6Dj(r}UbO&1RyDh;?gXsxyruZh#5|`|3BLeH& zF$th=u{M0ULiSYbBR)w$YW5``n0kp8xA%I=EgfC5i3W&5F8FA|52dCZq&X}6_-5{}45kqR9>AKg|9g-`VQ4CKA1&~1k>G)K?K zfRkjo-dwMAFcANF&tlSv`f&m1mL4tC&UJr-&E-84E=4H3rulj+$gb)Be#QR%bD3bV zAGG}^62+FYrAbX-1}?FhJxX;yqQ2rR1>P%!8!6nh~VKo82^lgW$6h;yomisj<@jjtDI8j8y17fFVz!=a=23qVK%HXf*B_Pp3+5UZk|;R zN?6Lmy%-A<>UG`8zY$~_N~s6ANl??-WJBH->S&ZzCur*(H?<6KEG?%x% zwE8|kbrpR)4j&j#PKoxffO3{ zp#6Tg2KTaLv^%b(C~d6iW(Haphwmp(QZjp;Os`lw0j()ybQX%Fk0A`{X8(3aillJ9 z_PHz7BlW3hd7#RAHutb=B0h|``|9eo?Zm=vY-*SKq>UNM!(*3(E|*)t<+n>i4FHFy z2OJ6vnINq3{haWVd8^ zCMjTO7y(yE*@=q9u>!1Z9-{a#C2oPMo>0ie_Vr>V@&Z@%Z#vA@fsnWyQ@;Eh02dRy z_+?}yokFiMkAUK!`6SRMg(s&3mIw$*{*^*Uq2TLC@h-aC&`v*vP!$`We$E>7Zsbzv zUqZD*=vv@J$`QZjhHlLBUBS}GD_vLQq~jlry-1OM;jlHV0vbHoLL@(prY0RHZPFpz ze2lGy4l1tV$R_7MSLIS7Lci|ML9JtXs!D<|NeJU|fqXQIr{H_5+93kWUX zI3T7OE9L^mGO;}2+bBeX;iF>4BtGs>I8DPQ^BbN97Hzmk23V)?SeNcc>lo=~3Ku5K zH}C_DV9Oa9k!QIZ;}G4HZ#%Hk%B9%<`sO~V=x7}@_JwWM6h&8-7S-P%VYa&j7Fb;e zGU^%1JcnF$f8$}0rIP=@@i0)eIHz535KKM!8uCJN3~ahv){L+GiEhkepDu@cd4SfB z%0!C;n8?3`rs(bWJ(5wglKyqsRcI&nI!IKi&=C-@u)bj+^#7c=&(j{2FeF)b|6K-9 z#tR)i+0MG_k`|7kRaAwhB>vwKVz8w;{vyO&s?NE<%?*gi=bK!5-|Xo_tQmP!eH2nW z)nO4N-^R22U5lJju(rL|^04esU$yzvP#yd%yB|{l363UKjBKTkT=1`&oVV zv(_)~=$AG2)^LQ%-B^#`_ApSOnY{=bVb|zO)%3CraK;_3y|6ri`D-kWXL`77S@ua- zqy~3ZfHTFy4l_O%eW!*!K7-HhmF#zUe9!vVRMFF9fFDD%1+z+9K**yc`p)MMfVcU# z1<snML{+bgXZ#7}%iMoF^eZqZQNCkK!!zj}u? zGvtrN@6SFQzY_+Yl5fAJl(Aa#gyy<89C*<1G%7|KTuF^?F!z}3_6oq)BY2hNn(7m` zh1ppD>$J_>7=9#ErUw5Fb`Q)iSb&HokpxHszuIPdAD_-Y3AB}BZoD|&cGtf(dW3A! z6LgQ~Nu>&YU1G`xX)OvjEO%9z&F;ryBdV*om>tk>sLpR_nWZ`5;MlTFPdKlH-8uT4%RjRa3VkNm{~IICT} zVmcA9exqS=tk-jjmfF#MCw^a{?9E2yexAtpg@|_Z3CfuwHM){a>}yyd2_`kCOnNQz zR#xLnVwGem%hqvoJN`t(!l6A~UB9+{Cjn-O3Os$hyV_9H3`=Dq+RhTG9OXLs zNO^fX@iE8qh-8aBu>u$xr>ELNPptsuLGMdo)swZS$oUf_eT4%Vl|0P*;UxNQyEG@D zHR0aboTx0(pU*HI$EWI&@KeuF!Dy67^lG284rDDpX6<`m0Bdwk=$G9OD>_^2v$TgU>8e>8wtI$FhQHlk4|AZHnP zA;%<8dLtVi2rbKzaHXz46<=O8V)W2a#rgr9geM~VJ%snX&XH&IsX9bwE9B~2Ch4tS zX$gyZgoSgH)kdM=GyPn6)}po}I(*7ra-GETU!56|Vv%Aa$OcHEz1X0Q#0IaD^2KnD zEfwG`EU^FN!1#r7nhqD9ulwYSM>xyEU=jn!09{Ah++=5D7q-waRLeBSIvy_z)tCoN_g;tLuV(~NFVC{5Y3T?$`f6fvK9+_nJzE8xIl?!#e&{MTCv z)+q6nL#bt&!F`@baOC#aH~PLt7CS!zp2#{JGA{E-5L*UL6l&i=6=7Ha!4zG4M>P$e zt&B>+|MQk|;roKd#wX6MHV|b~{Pz1o;L;*2R|00oOiNf#1x#dh7>`mtwN{7?;||E@ zC!cvh#UABP^&7oNjJ^dDuvbxh`;}cU08OHd&FvrdQ}89r6tSTN7E<|tMQp85!dWL^ zgI>)Zzr$7`==N!R1s+@VX~V9dA|T$;G&D>H8%+^dal-qKJ*zNXSC0kTzlt^AUaFtq z(F98ZWHi4OT=BU-4cfuwZm0W2up+JQ^=A%czGGlu)$qRhvRs-%2C_4v3E9BL1mHBB z^jHY&yGK;xGDgz?905VreMKw^9y3nB^IQV@Ymn;{5R;f9tRn#&%!|?q`DZpiBYhAH*`KgzPnhV*tJ&RR^9@k#zT~X~tjl z7J@~Qm3=z&dJjkKpI(A*DKfx4LaG%K5ICsEOSL#5CxA+&?FCy0gc&}sAK3O`%lN1d z1GGmWZ~(+3+{+g+#E<$zeVXYAU(VC`>&3S_)B#_k=}Yf?*F|w4wwwXvseD?+R%%G&$|%L+dxra>9Rxr5p)+ zfDtv!1AK(d1gL?Q0QzM)$meqKPY;-JHUxT~&ukIVyb}M7MMpvxsLyZp85~{ z)_>hu|LGI+Ct$U`PLv)X`hWfr{h@G(Y{!%%9{>ED_=m3&27#YIw54(+^$*|l&tE#C z9OtMAJL=yCat96A?HVXS!O{HVYjX*>W2AdmWnp(~A(F52lB+Zf%+0X}9!0R_EA{(p zzWd0=!b|7C#Xb#!&k0@c1Jvb9FeP~x))hnjoZ((r5dhn1Dj=O;ivD%q(I>$5s$_ta znM3+rWgb$jy6|-`=vxFO@Mn*c=i~>E>%NR*=8V`W>(1QR?_K9P z20XAys{)qRarK+e)p?-Ue99d%f$eHvI*lC>#ryBnJxKsa^V6=aeZ_A1olMM@;XNA+ z9-Rm19jaHn-8f(r&&B`0!F855=6?ps0v-(by`F#ubQ7@qQrVor5F37(v?M6TvMZoe zQUi!82Gc6oq!H##-`N%yK_D*;IJ*JU%@<^zzoGyeD-a4R$wU~n!RY6R0l@*bP<&&N z6_UARt=n%-d!{i3cF3K8TpRyJ$eb8{rvx?$Uc>M_?0KwMzDx)nivpnc8j22kJYn*0 zL}s@qKOo+I8RKQ)ibceu0Ais`dO~THQVZXL#x(%^fP3cR(LDGWGcXdsunWMaSo&k| z&|earz&WT5OM3=i&|f+?9UO zc@rP`Z+w(*{%|}R3UoJH{G-ERw+qiQ+b*_jgLa(To)&vW>cPB)tvk~dV7uBP4OSkxIT00Ijd-2i6e{>SRS zfIT6BnXd7F*Ys!dpm4>uMuVKnavp{`%_0MMOORlv1}e29FQCb(sKTk{qmCr?1;7p5 zJ%Ml6AoF)hUdTUo;iFB4c(Fn?F8qnQnOq}puVS#+?0Ptl^+K-NIFd3V;mA!D`fX0Y zG$FBM*Pp=shjo7-#DmO|<8Z&NdZv=|u2;{9bv~Px2cGe5503l$*6#9vc^byI zpIGV*m<~kSL*4JbHnui<9(-Mb40|kJEqz~F`muj-`qs?Z%nUXX41)iv5V*dQKUg3S zgGpD^$t8Gj=`q($tD>sAz_LmZLld4q#&MV32bv-1dvN3QaAr9v}Z=*>M_nAufW_B0bkcqrNp~0RZ#}^vV1Kc&I1t3 zqrrqol8+0PkUDTeD~5&e0DMI;a47d`bv2BFX@Bu3z>o4NvHbaa{P`jI{ymkB*B{Qv zb^i5s{Le3gP4%-T<3@o5@W5abst-EReY{>xd@w~L3~4edu*bAF3(IID1+^wb>5uo5 z3k}{M2}4y`_~b=RC6xyz{_E*wk%ndqv++X3SSHBe7i!_cgL zR#oF3IbU1ANaI_KvWN;8@_9SLGdU*Bv;~9ep52}RPLJIc1X@=xsy=K|EqeB(1?a0) z+J;z~UuQMk!GOuIQ)+D$7B4b*m=)vu4gcD?pJ~emHYfT6nt07@lS?>*4>6(Ozg2+6 z{W;iKbswjMcuuse3oE4y@qg=^=;ikWPfyez9Qc|B_h!IMc_!=WgY<4e9j=2V#0N6- zsGgcWmV!0U^iRRDxde9hP!;KX4-4R$OR7)q2b?m7YtszRw}H2awJc& zXv%ei(KW9VAa3On?`jf^02(i#fd0V}Ai9ALI~(q1|AP&1*gr>*Ih zg2HHvd7B&8{tUdr^CeiE$_a3%v#Yj<0C7RtfdU=;9pA)*uxfKyC@73)6m8J;IXC4^ z6GKhwdh-G}!3|5RRvhZF4+N$tYo@F%?}6wz!jnfX8sLPbI8yMCH)M^(lef)G5j=#` z2|@2U8HkxbsP1${nF2A38u&fq7hrWAm;gUo?(;isuv^c*vNP_LRB6e1$MHoW%Ja!( z3;=&|N?Cxi%Mxe^!@67_gMz#X#zk5;Zo+y`Md%2NaCZXv%Tj~Q;5&5IQsA`~>-3oF?!j$`MKQE_kl0ZxZ)%8tf|HxTUDZ-eyG_)%O-6^JAgyH}6-6j&j`I z!N5`a>+l@P@h$L;VUQv%f@@sluck1>)k!BB>$5y@!(9MUjKELMs&ocj1iD38DvC?l zez6>>aF95ML>zCq#ZF{T;XH&v+=z~(#i5vld9W2k^hPGly<_BK{KrUq6HuV4kpP9= zH&6jc+p(|SlmU&GB_JJz8=sv^i9e34;Li%@hTeOW@*}ZiB?bN@?><50K8oLBzy+r5 zdO+g?osy?-Iw;DS7*(YW0Z?Wdqyy!$=}#gwBH6R{>ed#C0<_JgI+tiy;y22E ziTp1n!@hu;C$2Hc_hyLsV^~=dJX))tPyZgW-Y;_LFEhY z*Mg+oq4W}b{xP0Cm0qWvs;5H+V82)R<(cf%c@?l&_uDvHVw*Q?qR**(>;@vk!WXxb z>}GU=SJDzHhC1%mKuxBrzqrfrW68ZrRL;cOuyWD#{^WsuP?@k8{z)kIN0+xaKW4%Dr*KDIR~^hbYU4pAp?P zD!JZyKQ02<~Zf`k88LHPSw zN{@Xn`6qW+e~6w5Nbs(B?$qK9l>gc@*OR6RaiR>W>S+%YQA>r)Cs=r~7Hn(NDa85D z2vl)v(+@ud(MlFw*pqr3ty`G;WhA$|`tz(X*6!@~h+40`Fn>DbA#`>LMq*V*`90rJ z)0WDwPd~QTt?}Op2mwXqB8LPuIm8>!pzxyqvS7e75I@WQb0#7LBDxS+GQJjux6K&L zvjfRpiArf#5<@G-TQC?M(MXV#tHguCjYj}((_w_S=EcO;>uLOPT1OF!yX_3`Hcn-d zq*ER4!&>BunxX509zRrujIE=vYS~XEez)c7**z{LseolxHCvj!9kP*z%fPf$y+pMn zTq)yDCUWB*)p9?KORxC-nKh^6so|481=0z83-&K1x{*%4sNTxp{!E*z$-?nxOb8ycV8qDT!}f>N!-k;(XkQCy`!m)IZf| zwsm$7JVpf`r*JHwA3TtyD3lo7*K^9nxLXv!P0D=Pw-0z+U1(!1_0Qs;sICSKn~Er- ze!}b5GELn})(I-u(%K6LNjqFBKS1*kYV|fySbCO;sf|tDSLSds#CbJfi3S#)p9)-oi-bA6aI*}XfL>Xn?Rj@H7pR;4vY9?@P9 zZR_J=bSQ`Z5)v#^%36E+fkdZV!9C#}9nCPRR?A^A?Sj0z-X$r6liTLD9BzoSu6h)Q zWzu)y+|*zv;+r4Ux3U)O?E0tHf`oU_yMbr}Kk4Ph=n@50p1Py1%goT~pW|mc2K9R? zW~pBJ>35}#mNNWfT3PT^x-Hu#SOmk}I0xL}=ZT8JZ(3(by}?xM<k0&zm6-2un9%rIuLKo}6i0 z11A65@lV_bb#~$Wy(6aN!^d38T6ZpIZ2{~9!)SXdZJzKOw5p50n2UcpnjDczjCOg9 zbT4fu$C^NldnSp7#;aBPZSdmIXT~BY&=0tw$E}g~C~WqlB4aJpmf2kyiWn;*-?O)+ zoOE-ut^EQ*H(m!(L@OMLf3Ltt{NZ#`xB`gCOxRg`D22SP&xxXB4Fh&ksyhWYUx&C9IkGr zGUFYEnkacZipOTvLo#M)#2*^6MPf43RpB*TFp^nHdBrB6mA*oPsw2|P+cn|*w6Q|v z*(^e_NZ7soPtN!gC@ZL!f;Z_NcLNKu>h(!yA(6b3sPwA$YQor?W%w(Y5QnQ5&^59t zLIsw-*G`}&mT{Q!O5Cd<3|PSb2wS^kCr%XpL1) z+|0Z`jaVG=>yn_jY)_9r4B|28#Lp}}9dw1kVV&LW!b43M4AyR?92j!aVvo>0=kAk+e?qZy?lV?%;iGoKvFUTx0=9x>5SQPFX^{lHh@wQab6(EqWz#0o%6aAc}F%crsj zif?fOC%Xmgd!DACMKy~yoa9KVBAzWT^ysf;@x1qup9YAoj$#bOeM*gfTPL`)ceMr& z8=d_G$s3YK?dP&M{k{-4pmL)8U|xZrr~bh>(J}`J&zy-3`6CJat;FrV_7*V|_9;)% zzN3~u2HIl2p**I=dmY?gJACh7tT!48AX?;Q^$hjb?EsuNrAC@Lr!B^a?tLvRMDz|k z9-ZfQFvIxc#x?&dN`a~;jj!5ZcwS@M2@DPDnFf|gf)znOqVIX}P)18uE(>+zuS&}w zbco=b8$QcYCC@WfS0{FSP&$@&l2{^dcoeLSE3ipqhWJs*mQ|L>!cJ#4@WOiP8K*sK zRX2`2eJ!L`zM+8!<%iY)PCfyieop#=XXpn6n|vbG22Nhxm%EOacM0v+d2NojUE%DD zVs_aWXZ<4!l%Y)7{jbzFny`KpC`h=AWyEhQO?l+^?^U}5r|37xH-l3ul}2d`W-Z0T z6Kj_~<4-(o;UXA6*1#FlmrqGQV68QbCugtYZg011E8YDK;+c~pJ;i8zX<88o^rgcr z(6xO$(qEurjUyCIsoKfRcInWM68XTK>iNW))rKnKvcs&4$t=M#wex26R>L zLy7K6@>mqjGQeUEF`G$!9B~3C(FuFfUW7UKzIltLP>E%~D$ekqw>5<-)<{NevQG-g zhs1cY!$-_ZX=v~{WxL9?O@@QM2sEH=JVTp`A2L=|4_$n9?1*giVPmi>4&QD^jZ0h! z))Gzzu(4@yU@uzvFuEVHB47y)pBlC$FA<6xU zWgoLIMnLIdPFq#}bg0l)anM9LjKD>I$fDIY zylNt5JNkz6Ao+Gs+pGCz2r(L!6I!OHX?z?%3wrcRL{Ycq!0UX=Tg-+NRiB0rV zbI&E*f=tepbQo*o3HOArj^rS-faZ)S!{(xSLl(E*F)9X%W3Ejb7_O zLyJQNx&-d#TKmw*<49*@*RBl$t2$dNtHG@XEY}EJrWuYQrX0`$n=l{sIfHAA911e^ zx@=Oh>NqKdSS*44mi|6V-^GH^Y+2Qh#R~oQ9c_uLPxHQBM4lF$4;Su}pvzZ2llwZm z$Ptw}h#da#60VfYNH`30P09$lFF*+O*)pmQBkz5@5qARn^j-|jry@Jc?cUQiF?FBJ zM}yhtW4$M&oIyjq&|B$?G6pjw@K&9h_PYI@*A_Sph3K@UxEf`k9PwO!1vwbcZaB7L zcHCtL_$HK7#_GGcN#ZMuCqCNfL&D%LCHohWeF!$t95BrWZ3NP;(f(+k{n>`&!uG9p z5?@W9-+W749yq1M`KipWeruu}pY4J{E44UB_T{&|d+K~n5o$|(pLHt7_EJa&z_VlO_uhbncvryY*kD*>m@_+?DOw_5sg z4!T$nWK&OD#gyZs>pZQFfRjjYG-o+nd?-yE)t`YM`DoWMV5pd4F|_$8C`C$@wEjq% z$VX7&v7J0((~>l)t8r%_$6#0UjKwcerOr#$s9CCs$9B#~l~OULiudV^4w&A;Us^5r=8Wo@KPzuWqWhS_MyvO%kW+H6&p0Mz7lcNHYZLJ z)*f3UAPa5Ka-DS;b7CamfM;0EH4SY;!(k68$lTtcbj|9=FWyc=y97XV@)OHRP@1Q$n)2gh?t2(&C)Mxl(v{vTvMwSUpg5Yv6nHOJq z${zgkV}`^RU@o)Mlt!rWOQ&ww^{r(dYJUObmnO*AHI6m71QYAh@=tU}9dWto|oa1>aU1(S2ndhX@ z57f|5A?8jkeAqT^N3%m2kg5^X;#(*E!D1n~x}0@3j)KZms{_3esq~`5dty(npL1j0 z_xggEX-Gg|vP+Wfa@4IQhCE}uc0!6s%bLL|E$w)%n)3bI_d>eWiF?hoJqGF446EZU z!STli_Z~U8x>yf<(O=XmEyl0@HfF`f$`G0nXad`%ZsH+W(QQl#D>4w&` zr0;O)Zh}U?^Vh*J$SZ%5S~UAMIE28)=Px!W+vN>E<%yZhBBF}vd`5hBY9YOQ@%ad5kbwig%JL#+YF;IWBVSj%j$F9{q^x&?%r`GZ)Q*BLaAni=z zaP;xL-Pr1vBF@}$1&d`@j_|W??T=^`Dt}O6hnzhV7nS_!td6!+-tzR9;iBZjG`Y8U zBz@vlU#`=Ozlw!%GOoZ6e$nwoK|5xlk<}x{->v3JYY3H|<}C4cZ0rw6DY7g=cBLvC zrtJN}(fhBvq9NA&C-W5(f?3^qZM~W@tnpe74CnWdS7!889gmc3Nzeq;?KK|S$RID14 zJfX4rq<%GNU8aDj;Pn%I`8l&Am>g<4fdS{!;=%kGP(zlFyg<}Zdc~3xpXKx3-`&Cy zP?@3MsYA(#p)<<}w>6lXnfhA}UP3WEk1?4cNhhq((WgsUn;66)994aF6?^K_yx&*E zK@axPS@v9<#0Qd5)pEgd5P&AsEc*P{U=oMaQN^gTw8iH`~T(T&qgvpxLngS_=@va28j`;VTH@ zT*J3(z6}foYg4QKRM?P3b&3ytkc>{N!+03{oMq7}d1F0Wx*!;>fa@C=%WVV=v|#bh zm^@-0rM7(n2Fres3nmFNv!>5d&<0UR%-{w|xt}7`JS%WGbMnWY6SXt15|PQJ`Y(Oj z1NBcdh~K_SFgVK_f6awsXn?BN9)G3x6BPMDi)hpZx+>{Is=!->%luYwDymwc z^E(4`qUmWwR}hAL10jzt20xnRr+%T5?@CBrWdNuf^Z-=~5sNd)^Z8!7jE)E_1iZFwf-y5yVt z3wvR{k?@-SH&;e2*_EnEkT=(J4dd)w;`+! zUC~^yr8OESDBC~haI7v!92H9-bjKU8&}%xs<74xW-AKvG>aHe8UAt%cH;v{xc4$Vu zdgsJyrTFN^p4;JcygItaMJ`jFAM0~qJTJ&35(>2nv&gs7*rP@J1!6YxJnzCa@AG^v zG1Fz(n7>CV%P?Zh-834*i-R>x`OvX)G`hy6Znq-@57BvgL_+dVFDP{m8t6RE}B$uG|SM;r;VlUVeU4`LK#UR3C{uCdKB45U0G?oH<- zka^$f5#Bj7){8Y5`1et%pV%&PY_X>--3G3faTTL1oqOreQo@yxybXKhD4N{-V56gr z0sIK#ucN31h&$aMol4XLxvJ|Eie4DuslHkP4C#6~DhPZrAp5HmV~N>?m&!mVHhv7E znj!84c+P&8Vdz+7d%6bNi@b;ES_!plm67{30|MsbX!-{Mfbz`o2D>Qg}F{Ln(yzdK>z3JBvZW_(#ue_nxL#E+9PcuycY|5~l* zQdm5l1KBAt?o7s$?>+XGK!eR9a0p!?iKB-R^JW9+$xM1?aL7Xi-}iwb!|}6J0^dNG zsXj#|L}wkk`W88Wv_|{osFh<1g}i+T>o;BpcdJ15=7;A|f|WX(G`Z{+KwV*4S!^ZL z3>1o5W0}m{SBt12B-cL!U%n3$Gbf0P$S^MA^e4(g!XjP74Zc4V8P~vs$$tm*heO>3 zT5syV2?=7gyY*tW(caI?2FRu@yrN3OR?s5V+J#|oA;bdDkq)wqr^n|5Vviei!kjW% z{HZ*K(R95vZgos4(9YC3eiPyr#sBCO)+a%H4S<+a&* z;4mD&dt=?iXktl0X?mUDX^dnL{NUWOXXEFLVM@OqrQKutdm zPUzAL-oiKNN5p)#nQ`2%!$(WJ)ug|WncB|RLWCx0yq+6uTw#-bMwIV76H{2~fP~eU z`-vkC_lSW>*vAhaZUc-x! z+DSDFL{VorQc4Gig6n>ke5urZhcsJV5U=$ry}B}q-AF1G^RW)fXcGbXbJ_zpb}pKk#pGh8x_|Hax{hgG?*?cRVi0@6r_ zbW2OepgRUNDCuqqK}tkQK)M@|P6+|&?i8d`L8T=mzI(Xdwcj=8T6@3y_`dHi52s8< zJkN98SDe@HtU$`3iE9*2>3yp3kf=62g6U%IAnN4R0dWAV;vjxk&!OqQ!Jt>%eWmAH zuZ&}W2N2waGHp)Up~47nykSH1%e$4cXi69lIwt28rOl{a2g&O9{?5m(ceN$=S7ZiD zXn8O>c8|O;+(XliD1TnkoChOdOsL04%?SZ+Zz}XYeA;+H#c6g!NSuC}nY1Kfw9l*W zz3xB&MdhG+Ak1}x;@-=YjZdtny5V4PMRgzp=eaE16VwH{GxK_3q*eyo%q zlgajDe|*BFwXznTH*a7=Syz%?btx)zO2%zdKj&36VG+JV5H6>J)m>eJt-K_J9Ce;? z9`Mb7@g|4O{p9NS2#xqSJuGsg?Y{7M&v&5k)dp(kgpkb8Re+z*GkgE}QRO2+j~$hh zXa1C0P}Y5;7`Dx(l7^f~1M{|?Q@)qt2+y^uvm@I{G1DQw{@=g=dt=3yk9zbpR*cXC zTiVFJACXr3Mc8f(_|+oTS&dTd=lD#CSbtR!yrR)4MPgi~=-ROAe?v*Gb!5#(h=o&) zY1fh;j8Lh*5xNQ_49uAy!joh(m3AZ5tmY$fzRO&$Eo2H^9KW>T&Z{U^vy~X#t3)7p zmT*BA;XB^C^9@Ft@$Iakih;JBri&ynK4+NBu7Z46h$#JC&^JS~*|VuTSXvO*i?5!v zcQwr2@1d}!THNu*udZpWC*HlEG;d>0dWqV<88IF}HnUSqH3LWqSyWL*;NBZ>dlTs0 z>(TBSi+)3P{zX>oRf^-9R!dzPh7J-j5|BS6CO-4b5f3Owcc$!aSqMR#_t82{T`qMu zDfn`qINT`A&}zgPIop48xi?h2u<+mrn~^f-EEeLcuW|!qAWjUS!@SP?14Po`F7vqMNt&lQFv#zij3j2AuP zj{N^LJndT3j?M;r2bc<5k7o5u8Mw<+OpU!)+?cn_6kkX_!_f=zIwGpU*kLtnEsg?1N_iP<6t zDEt8Jy^{65zzXh`c}PfrRZ(sGEFbsYHyh7vFi_Qcm+2na;PU#iA5bDF89JB9e`j&4 zAz7(2JD-T%%hLOJ-MvvH{2>s`+vATCz;sWnl5P>*l{bRTbU#$anymS+(=MP!tV=TB zTcy}YJ|EgDS{MpJNjlo>mnYY=YZU|B>%AFm^%wzTTK&x)TY9E1*8#;xKgjQZ^zni* zX6lk1M=!}dIHDOJ(^N;9Ez)J<>go57w!=(!{zvCPNYTjHW#@m@=V1jpkzLyT|Me)Y_H_WNSS1X-+L;W=Cf z=j$Ca+%PAiD%S?yJ>1sPwC>ny@d@n#T4Z9<5YU}eSH8=c^zHH>FOMl6B-0OV11IV% z@bw|8a558Z23WbXO{dFoD=cO+;HQz6>>qi_f9@B4v{DEWTcHcbp`UEF?DQx?eOH?m`4S~lPt ze4YJ}giSo&pH>#O{aE;%EYu4m?u zp_1xIOMKjn^AQK<%P*~Zb6y7SR9BvkZ)7k?0rQ(Kp{(+=WN1S{IF+9QHW}YQQek}) zG{fdMg7*05&M)Uc$5ZtRn|w#xkq(=XVW<$aT@p2AHn#TYqY_Wr?{1$*1*~@8`)s-U z_*0VR8UkUpdA#1o)}Br@W|OB>)`k|LMGP?{SDgC2NNy;(a@1y6_fsrQk&s}`3uixC zJ|Cv(H6H`fgZq(H-z@!Z+U3i)g0PD%N*aO7p_ZK!GgIG`am0&OzA}}7s%$R?62=y; znakg|yA}K0SKQ@TIj&t8ZaJCBf;eZnpTd&P05+S2Bdw>A7AbFAl%m#cuvMrK4&0MJ zMkFj56)OeHW(x4-&t}_jaPwV5jfpDW%1 z2HS_D+&S(w5#FG$AomFj#7*Fyk$ZrPs|o7tjE!W2xK*GEQTLisWa`E05w{{t>f8Qx z-+3y4Bz21V*K?2dJTOOOCrrmo{cQR2u>`R>FrrQ9K{|hpM^A={ zX&DR998-Htt3YHYO~}{OC3K)S&H4tSt0wmR*On#+Ij6;lv#xN}q*L)gd#)9^Ejjls z=t}O+g>WUxB(FhnVQG@I=o!f%cM9_&Cno{JgF2%55k%_kV7^;0d|0YYJP;k@e^xk~ zx9HOzk@Cxb!F`1>!!iFbGz`ZPUktcG?}1|^W~V4q-mw&DSDYs^KTHM~vyIjXzo~Q; z^Wg-N*CEmG5pLDGJN$XRxGV)ND;An=;K~m8SZA#7V^;b}(y};MET5^oZfck_98SmT zEM*|XfNMtjdw&2#3MTQSru?;QOati;DiRDHYZ)n-5-&Vgmg+=fa`6L&y28H8;~Hj4 zL+FO+k*kt#9N0&Q4X%=jxEsPFeB+f;dPv(JNf)u{!%p?wup+yZ$eW zU=3iuoZfVo3Y0p$S+baa?eC)oYZ=F##Q1XR2%sW;(rUKid||(kGz`ZNME-gcxNm#U`2qi$(3NGkW$FlG)P50#&7}W~FXE%Zp!SNzyKL-LtfCn9@$M$fWj#(8P;4yQ2Bi>n8w9fn}BAb`pt zjjxp&VG|O&&>9VmKUu68m82bE7^WGUf2upo_nq-+A}BTHnrgGFGQEMFFkAb@i$8lw zz++BVW!5e34CYjvX4x_En6+^)*f)6me1mOsvk0#9_7n6yQCz(TYdzplmiw{%v2hWc zx&@=W%zTJZaFO3S6bB8}9HlO;WMOw9ug36c1VcI9o^fOKV=M~h&~uH)_6oK>5<#_* zi6D=ArGD4b-x_x|KJ*-*Y#N*`3aEkeS>p;>zs$NVkn+ZMAM%CD5EM^+1Jbh8(o8%F zW|AV>j-(s^K1Y2CC%z+op?1{Nz8v)yAY>qO$=i&2E9fdj6gk64#IS!XKBXtVbujDg zY&Msdy+2_gPv#;-7#d3L$`7|}WYZUG1-!E?rJr!Yn4tjv>ML|mth+X0uY{<;ZHeiW z7rshN59q1w+(^dPY88N#O(pVmILaDG6UCm`V)i;x{Or!egANLtzgc*b=v9sOyK~7E zlRK!$@+VOk^?;*%d7;`r%V2motH(zwVm0Fg&a)Vfz)-e97B-0o^L=ZSbHozslDh3w z3*@x1_MkN(Zt(nFryV2uDtw1?BMq+G#oHxccUTYG6$CrlY%jXfxu}k8(uMDPPuUh! zu7dbsO0>V^&alLG5!c)id+L9jos5<}?4f&aUl9;YOOsGcuX|PXi+JBN7cujW%bDyt zJ$rZ5$5hwRI@dZiq!6|HlcR=N6Py3-x&4J_krV35u-|y)l^y|FSU|$*pmQd%K*T%V zgCyTk^{>*t1?U?$WU%{}tuo@)^R<_nFI(eZAvSWx^ukW}+jaUB$rL&17_SweRxK_p68DBIyoQYWBcVQ`RU&Dv< z33n=q@{MWh(r?rO)$jSSC3Mb!O7#6;0#iRUc`cu!QqKHFiC_!fF&gEc=L=Q!08!08 zJ@T>K1zE(n;iHsp{p2F#%hu4U$>vnaPiyox8w+u@Z=)LJdS>Ze4sX|hi!nzbrd1Up zNf)0LzTfx5ZGwP95R=KzK57g+##rfmX-$bNJ>;tqy+ceKc#^TY6|z6APM;80t5xS; z)@(K#kKmA9ZHQCk=!3@hezAL5=p}NI^KEGUyQ&n7x@(Pjf0e22TX)KZ zv%5U>{JZ=OEm(_)yXISu`p-;&{pxfWO8V?CFfF9Lvkl2Hxh(gjJB;JP?MR1$%1f{s49NZeOk;z6y2qHVpQM7{BHmF6`Stit-Scw4F4JT zW%QLOd)|hb#%vo`rO!H%{YbMQm{K)+OkQrZ@AK8Po9;;Hkv5-BDeK~eKW@ql=D~qF z9@}=k#DLW1n{pOc!?VrFh zfvDZ+daFRZ_otl@2OsXj=t%M8bCgOM7sfANJycT6cf{uTfvkKyL|K5^{$+V$?|cyA zJ;KD7s-=BhI`JO531~U{e!C0eR(vvKt@H_I7~C!a-72dC`+q9g7FV{~wr~&u{ZB#X zXvA0sE*UNxD(dg-dMkX_3^r~!hNTvZw%0mCEmq(boG9l_jA`ei7qwL~!%9~3@8*s# zIwM3;Aj~}CVBe#GSnsokKQ@kkx0WX{=x90_G*&#PwPGmCWkjE$b8$ua4P>F6!yCRP zUYCnb4;?yuMK4!yg`Zs<=T4i8Awq9eOP}3L`$H?mOvk+c$pSFK4UTiCI(L3``gPL8?S8oWB-Zc*FCtAD_~KbJ3-*| ziRy=!+pBzy2mS%%Xw<;Pcl*_x3?|86l$q6d%({pKkXSGq-$1~`ZJ$FlUmx$Uh}K0w zx!Bnm6PFHh<^t+?Mw@~OZg1f+4o_<$)JDu}9nT74z8Vb2DL{~KTYYy4 z`)KSTs8>S0>bdLH$B4@G6DM<3up8z(&>HT*{4}k;3zLnxX>Gk{nN%i%E!I0*o;U0g z3H>U=P)+3NrZv!Se<*zhkf2+JR1H)mJRL+GaO8js7CLineCxda_C<}{p@~jL1e@j* z3Nem+ER|Ez2LSUoSO>e&+nn5nxXAb6{<&&R2%FHA+Q{9_Ts5roJ^xJ%B^3kY{S5z2 z2cUQz^Xu`g0>X*3BlUO~?HahcLrU3AdVQ(J#hLv{Z|obY=LQ54d=%?^WWU~~7-eoH z_wNT&Tbuxsw1jjN!ilC@u#H`jl1>%LwzP+6$#-f~HwwKXr-=U-54a|UeoXveXWQC;f*6SDaZ#9O-)lW*oWECvqpr>FBfOY(g`KJXwDwe@4zJyqKgmyzz z=h9OQ;&T|L#~Suf+ARCp+CzOLF@PaxEe~7^fzAPM!(w{=5~OKH87xf_SyVB`H8yd(aXnzh=*(N z%J5<%D2W!U!+j8d=0=|0kpKjq2vMWjkUG&m+WOB;!1SB%{7UU5Mdf=6n2hqP#K%qG z$UJ$Q;vNY0G3$mp8=r%{Dg(E6MCTfkN?PwPPJ&h1sXqO1`9FNG)juj~dVPkT&|0-i zWJn81aC)Ofv(-b~9wTM+dAw6`^3~kQebcy2-@I{WVx%$B=PF&KxaUPeuJLlbHe)(M z*rP;fo_@@XZV)y78bxibaB{jzzSpWe)OxZlDmSJtTk}rbZ@9olIFyh5Sx}%UtHlVX z_Sh!*gvP5<2u2;q3C@>CS-*i5K^Vq;Oy|np8$*EUh!vY*%JF~eLt%9dN{z-1H&RRw z8WMBP8u*N+agC11BUY4+a!$sH7@ea4&PODEsnH|2JUNL>^PS<)%j>b-P0u+2wv<23R}9xnW}KYXKI!!0&8G>SdinnwmTJlGf)4 z4-rV&J-d-BN8GR7zX1U}s1fW6n8K|x_rSKscths>1DH*w+bdm$n(x+~lfOU&Hvy)W z1XQ?Feb@*$9rticK&CKHege|vuP(D6^Z6N<0HSjS6hmd=pmJQIXfh`+&#K?d6GDKm zM?X63SYZ{U3gJiUIpIf|KZ&@{ApPIVmSAe03qu~LfPIsVd_YucwIK+4HA6sJXOK62 zN`%kKw)L!9I{7Ip8ilK5W->ebTn`sUfg4qeqdN~YPxTchi+|52xE1jG%W1_AvQ+hX z+O+%eM2q?racAY2ERzgVUyl_K+4x=Xb2oPf#I(ZLaiH0Ox0je%l`%QA3{gXhOj(5Q zrZ3-yy%LH!=*-92rS2zj<_w+vXD(!GScVM-YxPY!NjvV7E0xU7>Ve+>0&Ri8(Ms)W;(h{OM7C4<`iG{p+tpv)%wApxNwBE*jmJIJgZ_Gd z4m+T@1a0smx4WX>wQ$pdGNH<(x41NTU=?f`TXvdVtN zH50K^UO0E}CPVGrer%xDRh5~FOfy)T*9>Dn*RkE?)Vu|*<#FlWD>3jLfyVH+C|{d)u2Mwdw+t07)bg^maex?x9NQZ$w9 z$+4(MK#@4y$!`!`Raye2uJg6x8DC4Cpe@7XIF$dK`ePduKCzZ8+2J@JuSmCI#A9&s zWRJOa(6+kjH_~M!sh;6clkk5cO`+kvyrnU{deDw#{A&MhGgji)U|$;Qaa$Twb!7^e zQmn-YY;$CH-hoK1mlyNqwby_?sR%3pcj~Elyj&{Q(e4AeK$K>@1Ef_7gHDCRTsM_r z@*|L6d9;TJsAbs1kJyZ@b3LSo|&&iyM zOx=OqLi3Bf9 z-3s3s_jB>_zF7G-AsHqxUEs?-*ZKlbU>K*qoo6vbHCMBMsd&{+=k=~rDq&dWH-!bE z1fpnc{ZO}?i={OH(|%UmUAJ>(3Jr#g>XOs$TFsU%KCe8}bQdNYJ*Nqc_o^G}t-tN- zH(5rlol9!^{_1Q&bn0^NuKx6^Da?Xl?qdyASc7Oe2PL=~W4~Ts(?%6)f_8Qax%3#D z%t}XU@oM~KYz_K;sHd$+DcxRpGvY67PjczsN(FHa9oA{Ib8r>U*Driy9r4kKI#e$% z)-mT=Yv%5C3A)|goa-qph^dw3_~b!++^gyHo6Uj8Iok1E zf_H|XrbEvu(y>Us1C>k9bvg;H50^3`FY*DSz;(-jK*0&la`-p*YDtR^XaU$L%hr#W zg{@-T(gSaE_)QA3DO_&-4M~S`E>`S|z>`{D8_-Ww>zA3X`jzLSiZJdOSc?%AS6x@V zrwh%%$dfJD54tO_$tMCsv(rzE;Ks_}km`F{#gZYj&zJV~CC3ik&ewehWWBFWug?3x? zI68h&KHZ7_M~fzAYDX^v^?C;~Q>8{|iy6H{6fE3intLEJyfzn?h=Gm&sZ-y(7wvYr z%qd|uD{XQtX8A8tQ?`y$yd;zn2`)kBI!=PQ9*MCkF#Z_TAh;6ajvYnCY(qqE*K645 zp4>|MMdqyD&iwehn{YA_Ab&G)d1-uHsn!VQjzu*_hW`8>@}rIW)RESVNqIfC$$DE} za82lm*>?t~mAAy>Uu=_+7+rzl4J-wZ3gGAGtP7>DD$a?0SHAjAo_^h!j>H)KyRbom zfa!$nTisllis+W%-;Y`)Zz;8q{E*=!z=&XUzo*hgm*0xvY;8~5gh&JFeHoQ*f1Ixk ziBwzj6+_a#^kiLTb26c8Qek9MAG746jfB;SxLC^qO#_E}jdVg^w9akgz+;sy;&4Wl zTik~%lZ=b;YbGQ=iArgkFyAFy&x+zVcjiH8t8CUvGuijIiXp#?Q0O3Y*6!0S_%l}( zEytyT&S_T3icJe;{Nte0Vcf|v1^+{vxS<6HCA6S*y6Nf_%tjSD(r#0_?Q}nB|nFyJ7sqA3P2zeRszyy)xnDdXsR* z0>Q+sG+J@{qZ$@nbd6l<^wkrmH!oOJK~=8Xs+hRpG9c3~9MBQ^V0k&qrhYnEc*w2% z5&s;Cm0lBQB`RwbzYPh$Ild%iS!aX=+Ei06Uv*R8<{rYR%qh;Dw4YSfS}_=Nx~_lz z`kd4SzPC(ydduZknGSV*4QeBUQPNf5q7Ff8w0}loyx&@k&i{6Qr9 z&)AIIeXU0ZQ02re!~G!9f%glrHK5w@xyj(a@BKY)-yhw?bZ5spaIE(7O(CWL>cM9(qm93YII?I-r^RR#9@RN!!e%b$)*gqT zJUi9oH--j4FW4$pRhDF0m<4b(qGsDSge=BN58IqwMD-}BLV2S=7)m8^G%zhhAB!6oIEjQ^OTurMKS zK;lKy_#hG{SIDY;bkKqJ1VmxD5wWP` zvXfYy-BY0U8Tu4jKb31w{|6!Vr^z4V&_bjyW&hi6C`XC%5~2>40>Uy1Pw!{!VF3 zs*MPnj?JUH;;5@^ztgXHgA)1)`iBLIGn3x&PgBc!7Q}=GrXf0TDUKZ0rgOfiZ7Hg+%Vji}DA3ohQf3)NZzYM`DgBDvbbmjoC_JoFqL>YAsTcm+FOpxLjadR`gHw#=LbuLn!%CP5IHdYRjNmgIy)=B zy?>og4F@^`J`{}jcYJ5WghNN`^06ypsIZ_+G-VWftwO6wmcZ`gg{~{qIWf3r)Asb( zsErJaB#f&HOHj7+H-(@vO(_I z+0S`mLSMy0((%G@MO+xi)l6*38@D;$>uoK{Kkzz#qC~1L-dBXsj8P5W>LV~|gg~ov z6E8vBhrIJ~-M|hJCT`D&fRjN643PzrJNBiqI0{j5C`y2o5|*;fJ`=z67(yV$%&3+l zZk)%?%*@&HH6Ig;B-O_ZfAKrAm7ogxq4*#}S=TpD$IolwVI9yCnMu-w=QXyE!y;~h z8!b_rwm#PdpuME&YmBmzM|Obn%_R?Nn36tJbA4=CqrfCF}XG8_qTXbqz8+^G{9Pf&3F(O50E3Zb0Ljg~Jaqu!nQ>fi z+{(E|!kG5$4IVl}!Bg>9_f)|8vnStfw$M52X15sX&=5SFusLO*bCH$8;HjRKZIv4ZorMMplFr6POy)enQ>mQ|}yPNb(3R#|_r zG00ST-{3uHX1p^wEA$0(J^Cec7^;U-w0f$<(^Ucq<~9MP&ZcZXqBC~a&K0V;R2u3L zFjJ2g4dO?KVPX7r>???*S`f6b#Esz{BI!XJR}{1W%fu7}Gdv9eq-r4x!zlpsRl_E+ z(yjP@rQrK#w#P>gjNns82g(i!ae_fg-tG2C7z=4MwgdE3$bAVWGT%Jpm7@eT&lBdm ze;o$?2cXj*n33c#?Sux&7Dsq8H~T*!SbRK4@V*-yYu-x>GmAJbLW%fG8~p(?*~<cve8exPf8~6Vyset;gufT_d7@xE!e*??`;a*Np;5?0(`ki5!u<~uQm%zl#!MGYG=IVJ*}EMiH?KAdx9{D-qKQ9Xa1 z#{c=Mz!j(^GZ5I&%Kqnv(?CF~es&4E+wYZ%@{3h7ik;gpt@+(HWZ8B>KmI+?JB>#w zV~wQp$iTff>>Bsq1cKXRe@y1_fAOjQ{E@4P{AP`L{a;%d5Y zQ2P^r=DR%dY=cpV(UTgs*#7&+LL^<0WudIZ8$d!>2Eb``pH&zdlcf+UcV$M!T0Fny zKLNeV$NKeH1#kdXwKrxoVAd{hYAA}qzY#fP%kQrDm>!pslSF{4{4b}-KfZiNWLd;I z$DSflsayo)rm0g$Fw2mvd<)-d0Ml|HVK^Xntd_DQ@&H&iOmef?34CStykeC!tx@{7 z(0`OiYfQ+nfZ8D5eOj6yxoxY>14=Ir1Rb0)!$g`W{(yqDlsUFj@(S&hk;eemB`ind zH%&Fr#jsxgW9~az{<8wkqzwn8xIZ71hT;!ZFJ0KfS_dKVXQ{3qZhzVqj1dVa zRU6>OqnmVa6~b(pUX>6#Nk~U|WCsA*;_IdeJ0Rgl{QYM5x9?H%fh__2n^ZL^)RFne zEB*@rQT_zdu`4{(Afj{5+MGZ#ME9l->m z8(nNtZW`X0B|_vq2*TqtAPOb634Ip+Pio(P4DkQ)KX%+b_zH$c5;~yi|KUT&y+~#8 zA#@UB&vf}a6!K3{`gZ;?QVBo^%h!<$s-3I{H@dA{ce)DE#G(_fr&F6t&!G0DTxdk9nlw6%3 zRJoQo0?8L^I0g#@T)}kAV4$}Eo}~J;J8%Hj9%!jYcf0?2Co%A+fbhlL%|W0pDE($b zusBPqlWG2^z!xKxtNoGLQ~*_+MfY#_h^;zu?u89px4G4#k8Fnhd(Oy37mgu?)3daB z!yo?wt|l|VXjIHYsqdKwv88fv9$WzIc7@UnAokUC;e#h9_}4#Tz-E7}-ezBnHk`+m zAEGe?A7SO++s%5?kknluYy7uS$={z9TLI+7?$d4ck}<$s8-3-XeS88=@b^S|Fij3H zI-7I>gGklEciarPAuB$(XXH{i zjUz1^olZg^9(94^T3QZ94;IUx=KVHhW=M6~xjA2TQ9{NQ`OeM1o9V%-PciB+4`6P2 zPkuH50WE@WvPVX3ZCBzyPgffBExJRH-orVJC1AHoB#A4&6HePwK=c4y+Slb4JJzfi z|3hfWE)4iXmd50<>RN99h8=B?LhOyQW^5AJ@dT~m zGQdBJl~)#efK)MOjnqlAU`+#VK~j-t#om$DAD2UVB>AuSq2!I zpM$As{o)9?stbv^%RZYix+f@*5kTB!NXJ??{e$KFM<83g7Yrb_hU;tf!+S+#uW-dL za>;=Ip&yXKS>CQ8Dg3P~^0yBgjDTLBgk+82|48{i1P-!S9WakkB7-V058s{zXHbz@ z*f~&+=~nw-Kr9pF-cY=U0!ajO)*R89DHXf&7Kvs}qGpU-Ei`Y8EC!daBu|3l&+`CvfW3~V0jq!>R-^8><-8G!xG8cOkL zH)?d=QxCjKAbV{2I%%0eT{I6)DE=q@^v|cB@cS=XD7>QkA8Dcge&&^s2dhy62SJep zI^GUzTG(E|?d7h0UKp{KYtbwKtzHe;@&^OzYGe8Y_O{{N@VFTVplmN^qj}A`P zgzzeIzz(@D2k#Q# zhZ^|gay3YLc}Cq8u~RZZMIU! z@h|8IIvB*Z0?`+oCSSXe&XfD)L3*Wp9NVI*MD)~PKrpahED3O|s|7aX+!*1giW z?h)rc!)aLRy#g*-;naKdfg?G4KX7?g%qxShCs&Apm$vk-a-8WJeiLZ-O!~>;9V@r_ zK!1yJBmGL%vrt9-`DVZO=F{Cxl^?j2L^}z7l{miTNhM&Pu7`eWDObT)#**Qrg2+3j zfxc1)BPvfjDpebb3xD zsFt&N3!j(u>5iK06vb1v66}Cs(lw|nP|YP6L<)n z0fg3cA5YLc(QzoRdG!RSW$=^l<43R{{n!IWS5Yobfa4t>_Ne}$V^@aryExl0BIxUK z`py_D4)T1kW84T(o@M#ok=OwVhg3&uN1PxE@}DH1kYP51Lqy*H00g*tQ;Bt0QlY=`uFobRi8(K{(oS3 z=736e=Kmed6VWOREJO)vtpot1C;lqoXK7<|ys>wmr2L|l;hs#hU>BR}tn*qV?Clk6 zS$RH=*r`Sp51H==tT2i?emTg1uWL;U=*53!-@JqW{1HDV&57k8TikHd+w`PP_23C7 zYrt;S0*3d}I%I^&m7i|?;A{J`n9o7>_^d074@{t5-siKQDN(@q#snq*72d5iDrzmm zx#ir9NSxA1qm1;NWPN!F;0@k;;5J>(9TQLGkHF7d8606*V{oQHlYIg~65GD$HE&G6 zu-sxGiEzx%R9_>K|U#&t7H2N))66=HRi`jl0bC|3+7T37S%d*wo^p_P>iW zV0wO(;XL;O=(Z>Z5baJgR=;Q7iE#gyQAF8N8DoM_??pE^b+BzjJhP%VQd{bQv3XP0xu-V#}23ZO&P8G>!3L z$z2(a4Ba#9z6GEb$QU*ZAuLhQ&=?w`bzYp|T$;N!0Ni=iv_4(UR{40!bOD)7d6!?7 zqTPNRsUA=4#>-t=0`|7ksq5sI|J|GUd-C|Fe#=!r9_Z5PeqH`m*R~*6`t0ZyuKmS!^|P1xaqA+AlMwXcc?-}lwq|1|p|?)&wCXa|y{L2;!1a|Sf0Gm=usFbGY9<}daa=pn z3Z!fCP=r1a0<>DBX(l z>)5^v*Jj!rh1FonMy5bpv6y<|r_y?{wy1eIuB2)o+ZU}Po_hI@bW`N3*n5FPD3Xwr zz$g8n$1CPwGF%~V;rUqMa3@SKR-tCXUhrz6Jn#t(^b)Atj%(i>Oy`kSJ>~=}`#sme z>=b>Mg~k^n-tom`?iDT*QejJeYtQp#!b~8OolTg173}41u{d8Ks~-Wsw_=je5X$QA zyw=5<*gA<*i%&VAL>q0vI)r*`qW=6M&%l~VjDulub-BuD$E5nn?$);207W+Byr39iB_97 zdHowiVmoB4Y6HUb^YU7m<+29cP+gjY31aw}2|p=8=KArhZBow9GLQ8vxI>V;vU_m` z5sgAaSJA);<6#?ErHn5knbxv}BHDh0+izL&2(uZBEV2C~9|E{KXreh~1yKo6|Myzg zUef-Gmmh~-F=(4AgY8*kH_riPJmZ+KmY!}zdb3FisI&v^z{hH>5)5dYnQmh7@ROmd zaDIr72DcS~K2})Kg529d+}(mSD~5r!YSNTmi7MPKSCK6F>f}h_mj{`OySoX3?9ZUe z)we>n6S)I2@+)=Ktt#PS$8RC$=A#SVw`=h2Ue2bqkbz@IlVqQ}YO2geR7Aby>L=J` z1-`Oq#PlwhzTbvgO<$F70VtKnJv|fAN_2Ss^Tz)3A&95eMBJ7G58ySVp&PoH<7hg$ zUDR>}+W%1PK0wBl$<;O&){UP8X=m2ZQ+Qu*tC9rM7O?Llm#)l%Nq&C%643d8{2}ZT znf%@7+_0yZOY|>*3UacTa7nyt)^iT2>;&?oKYgBlgL8=>-_@mE#NDPp-A2y|I zzI0zNzE56cxj?UVB?3y?a@CJ;Sg;@QklpOtZ}?Q>(h=wxqF`{tzj$BZp}#oW|Ic68d~F%X`H@-s(1ERX~8SI4E?M3`@!uR1_j_b-2hTRq65k}OZXSm5zdg;(%EdA{5kcRw*Im(+^N&5XSkTH6(8c04w3LszMG1!lAh!J;MthciVDg5ir zQwa0Quq|&3&h@8kaYv9~KtX1EFbg#Dn~v*U?pa=Q5#4qqOAy{;JDm*VSWr%QZ*Zet zxiTloP<4qs^K6E8+22WdteQ=jnCHv5a zb?e!w<@AhZG|DH*$I}>0nGc$K)gBeT23lqhDa&0k#9yR5cHAWd>T4Ui|8bF5|z_R>);zAoO}GW}cs z>+g+UOgWnJ;8Dw;uIk_2MbyY`h_tSh#3gwOHFWc^rv}b&STcmBEg{6~_%qx2Y-K7- zn?FC*!Q!T^W48^_Ij?NjB^uDpAmqeEO)kZdg&EIEa>z#>N@4fHUJ;ft9R-YWT~8}G z>QHdo^=LDFA&qDzZ1D=W|uAuvs+=K>NS$Bh>Q=qbO4`R30+Tv3CO7;`OV zs$0c=q?sR|ur>%QkAIX+KO7QqZ70JXuO{!R7coHnv)9@nQK0b8zBD+x^(yuJfa)Y!S$eH#m4<_JCh9$CQSxKCX@L~vtcGMWM=Hmdk zp;K7k_}7Bd=iL%ZVd+26EA>Zz7pf!$F%cd_guIAkMsm?x0l|}0Tjjf}>f9?Bq~Gly z;6p9+*9R#9!RMp<2oHl3U9}9PR#EhlzS>L;Y}ckIuClp~_hUHo#itC)H#m!WWkUwY zpK#rp&U~iygUjLB@DCn;x!;Ff*Y?ffG`5hv&oqGW1wgE@7V;7P2LNK>Ko%T;2&y$Z zUIS0n@OSw~>Yp60=NHEhM+RF=>0Gq>t>~IQ%8eb>lZ&4yBO>Tv)B2EN!havRGP+-BhoVlBV2nnQ)5(?t0F6EQStin zLN<-lCCS~gyQpMAfL_j*AsBlW{%c-^bKufjUg_ZKtnbb;c)k>Cu5G~MHIY1;_{Qm< z2Jydjvi@a;VE!Oz_=8piJE;Lyu>RU3tcNC|ak|l%24;s!4vfHwH`_&{kYy@u8(I*A zvCZ4I5ERHf5|*EzDAbYTfVc8rxIupz)C^j=;Qg6ZBYl+82ef^H*UGaAJ35|oKouc-p%+Xj9W;LD@esgsr zH@$=0&W|A(Trtb#9H1WYq7K$*Wx~8-$wzNB_6`5qJ@7UzjM`w#?VsSm0cj=ws_$6L zE*>b1%uG#*kAz(`Hrl{w(Z`cwXOn9$ZC2uG!E6u8{Fc4&*!X!q96(t9Hvl0a-64le z9&>E%qT5Pc!;;H3&lg?ON(9|{B=7S7m$SYZj{W+H+r}PMNxS1Eg#}fg z!Y2O@SE?zQH~hbyqM0;G5T(Yt%mq%waai~x!EG1vv?jtP{`g*VWaF`%uy5qs*;ZwD zmu$a@=_FhOyT*%Pq<2vhD;Jr>N_lpPzr>mn@u!cuH)WX3z#P4gy{l!%oqaD`uA|eD zOCjpgjV#{lDVtcfQz9U6*1qivwkYLcvkxe+^)1MXy=vYvt)9|9L@d$}T$Zhmfq9ObsvAwdPa z-lx?6!~n{F`6mVtk|6>mTU=}GYDd(1qSB=8Ehh5Caa+KvR?WUSA6XsVMvZC^!ugzr zJnw9oHX1$D+IM1bwzb{u#kREQk+1r6*olkdsthoSUoq8nF_Sp&sBBbrk3PR9s~njs zQO^;_tdvy^$=IunNJPLFiY6E2bmvIz#kvxj9u=5UOXp+RkMBB28We${WYhywqqNS? z0c~%#e)cI!83B;h@YXVGQ=w#A0I7jsjnJsapdw}^)UWB%nXr?e#XCH_#vFKkj9UR; zDz(VOp{#EMLplHl2wSl^`zH=?Iqu0{aDW|c`=Tc!313RVZSu1lg~1kZ)^basN!VLP zrwn%WL#$=8KfOUb6*5OHYnPKy3MVYzU3*37QEbh43i;Z9!aVweH#_u;+dxS=cXnoHgj_mmykQAdPp(X~AL0bU9}&=Ht-KnY>4A3@r{ zxbxi7=}Qt{(yKCYBRzOoe!t(mJZVbmC-YLB&A1R1 zN#%<Iq-hN*#;Fp$9!PkV-Z!5l9|tkjQGh19;BIdxUZ7G2ngFaKh& zUXRes^1*qwG)`{r*W)Dna%rXea5E{Wo#ndb8PH`#ZX!DNy(Lm)OJ6!PTrWpx_8V)V zWI>5L!()qS7OrrK^HL0Wc#}Y`y#2ozd@u>tzccv!LGP9zqa4OF^K=UR&~uA;q>22t zR%PXKhjsOO{rn@4vmt_7z8nywj8IYtOB!*z&+YIH^tCM~N24RF24|b-NGjY&Nr1|# zh=`My8%!X|giaG2DjJfB^pw{?rmHCW0h~5W8zbn9=Jz zY-eE9m=7mJ$zH>^O5R^vS!qcJ4NF(hu(=sfxZi?_8x-A8gL%UvQI2)w*jHFjd^Tyv z9ckyOM$cG2oLjR0OyCm}+OmjkiuJtVi`EBfIih9- zfdaB;V7+^&Oux+|wETKMUT{$r3U~UVV~dY$O?>oX)bn-lc+6-sZz6}AtsVi+qSQJC zACQ*pfBl*xdLK0T|8=JFFDKDIPbtYG^sNjkmTHxh#|Cxm^(6YE>9vLcgH^Fx9Tz#8 z12(ht;>-RY!rnSA%5D7v1q2xy0cixJySp*y4r%EIK{_QxkP-xjZlon8L}`%j?ixxE z7?2R;uG#nO``c&VbI$&J_=6b?=6%<@*7H2yV)~00-jwQJyztVVEQ6tKW6_?p*$1-7 z1`oZOqg=pEQAnMZZhB~A@W7T$pTgQ3Hys-h{=6y6J^XsnhRr!Vg6)MF9rZM?jL(nB zMI`Afpe7NR!6Ymv*wQad1!}5y#>z2OtE)AEwZJ~9TinWw&!Q(5BBP_iyrz)4D2R&0u_Dg8lb)HB zaOK~E*|I>jhz$dT(uKv8Sc86r=IQM~lCjYibcOE_emr!h%+{U6V-2syyQmAvnAs7$ z!`A1sVOm>P4_X9@V3Hq?jKtY%2YGefD{ioxcw@_vI#DtiE8@TP>IAgv|Gvz9?|bp^ zyxIQx;<&%=Azrt1B4XwdcIE^Rq^mU4(0xfoZwL_S`|Ogj|FXi1VoT5sQWff`d~3CQ3v-Po@|9#%{k0qrwyz}P6_ld25rYke{EsAx)e z=H_XSD}x~kmp5L~%fdPI-BZqR9m$nRyP;S9Bf|2N@~n@*3VQyR71Xg-2GrNISd~SM z5yu_Z!*%F{%x#HfS5Ud=P{eqW5_UtJo!E=j`|R9f(BX}O}SG3P9cw;CcY*n zg;EtJ#xv`*s!>cV$VD)SMa^6Nimyvx7Vzf9^6qy3)poinGl_UQR@c{-RWe6U9WAE1 z?1xJemnVCPxamHOu4uCGET5r?CT_ureTU~tvRIsrIf3+7UixkB`g9dKGDs9IKE(7! z6wSnmM63O%{ub{);N9za&GEs&b&Wz#d?l~b>STE3{_WFCq2Z<7mrtg7eYnWaTdt$_ zI&2ClBn{G2O zNg2az@NE;wB9gFfC`GJ^31AVQY-fT9+CUi}jN2HAq96x-{j1JRZRub2ieazMm{O43bN9h4_%?u%b zdeH5d2D^iP^IZrxZsY|4u74^f)EhTq{Is2)`FBO_u;{zIZ4gvD1r+}NwXx&vSJ!qQ zGGUHPI#!nSFt|kaCFzel(cj4fci~PiMY7m@atZvi?ra?aTvnnXQ1W8STGJ*35OLXw z-=3Q8h2et4h-@Ax#j82u~~Ae2o037XXp%ME^#= zd!_s0Rt}pAU)NL~{ktBoxfQ3>mTi_Pw{T_ffbg&-dYO3cxB$<=_b1h6WfjPyDgD|VQ zD8#+r$Uj~GWg`2*A&EzfAGh*4fT*ldmi)?r`P(mo%~Ftf%WB4Oh_HsmaHuV2O7RHT z&q_K39tB>@&IJ?>Opm0V0FPq#He~eTKOEl>!D<;DpM$Ipfiu%H1ZJ=YfJ!x$7t3vC zUEn4UMAuZh+G0njfD(ur&1{uUKTpZlu)WqUO|RVH?SV-Ly2gj1O_p_C*=bcE&of`|JOYaq%C|4^-(KZ7itKuKeQa>8f_FayfWjQg&)YcMt|GYCBN=NpW;(^w#O z)OII-1%OW0Ff8oW?~;F2JWZZu}NMePA1+|=lu8K7q2prPqzrvM&GS$5cfA~jl!cu&(G{$^Pb z9cUl2B>YZ_lW|gb{0}%Sd6qsrru)hS)X|$0p3C|~CEZc-{HCrtzf^(18(3Kq3?{O%l6V7DkF*5s1X^G;J=e|{x*S&-8Lk?dCdO;36Qil*h|1v z_)&X|h~+(!)P9x9U!u5;>3?kA*>87S=6AE>N){P>42)?%3a0fVT7w;UjHN`j*T<~u zOFs_7uayz!;zntgl2>H4w;MNFX@xew1A(kzc5sSl`9F4$f4&*~2|U0goBkGATn_~K z@)mhh;=dgL z7k8t>&aJ(%%zT2Bo;lwCXeo*7Q@J_5A8ChNJIFC9o`QR`hEFyt7d@H zP^DTWJNf*MY2(hnOgKN+lQ9#1wj}G)**I+8rSM4P`SuH+#LsAK;n}d*)lUBXXEnkn z-{_`f(5W_Ai}r-S`Bn-}eCMShG5{YGK6nLOmXqy!qRCS23~m^I_zfgzAQ-YiKT1Ai zl>(}D0r!dsaLpj{vWmGAS{0&?v!?!#h%HWZkJ$roJOCVfwRbx!MtD*7`gfcf77Ird z(K}6|cM>&8nUCoo`0i;)G4v7W*EHbM8onV?SbJCKXr=H;5vyb}|J8sNfqo(b?b5A3 z?zSYK+jfTE;g{`<&)1T0-=!G|KAY+DR6f4#!E^uCb@00oj2hWB1I|+y_RH(h7D&u$ zsUM(&P~ohZbfmnYI3)`N9sxSFp7S5k^u%SP`fKSq(rDn91S7LWuN@672DeQOGm1M0 z{V=w|zvxCa<7jL>w|6Kk77ow+=rrgy(B>x#4>iaL{iLa7_=%Ck zf{!3wtU-3pnmJ?x$sAZ81s;f`b|e=4B#W~&aG5IA5qQ z7RyX9z*E#6Na0e$z#@;2DN@}uuC-P%vsY#hi%HBm5Zq|b;J+$95CVqne9a$MCXJdb z`v_Jp4izT8x3GNM?cuw9H_VS^-4pz?pin8rz8!X#OjVXGbFYISN)tY~?TWu?P3fT6aEAQF8HH3J??TaqVXDg7R{?ysF4AW1CGW6t5?7Qo}t{_ypL(YfxPae-p7coL7uMUk4;527{8#qz)zDA zp#k6^C8tKmdr%&3wcjrHRIg!vx)n0wKJ?B>f>$Nt7!RJs>i9-*RkRp|<>>tT9N)zE zx2%D*^{{3xg*JBw+JrpXXrkXTnPzn%%qIm#x7AfKDcJ@nncLwqA46=?&|xrXiczZ^Y=1 zZWd?F`7Gto__=np)1_|!{%hA!2j|))C6mk9eoIn}c%=XGCGCmIYF*=#ZG7)mNvFa< z!08dTjWh7vxqb3x=Npl^A-K^!45`*b<6AtheqToqK+E*g&*y470=nii&iua zleaeZ+*8$}almyU;z;3c@&`k9 zz#9GeVV`h!*v8l;7Nfn*NT}0YAZ$AuOxHQQAamkCiEN<9;&W21d$KWu;2_r?nb~P| zi{Cl;SPC~FNhiiWina(G%z=ek*bZUOKT}5D1Az1ssO+@$ZAhFcKaZ@bi7FYti> z);HBkDBF()X!ms393-*n|GG8&`}dGI>2efkv8TR%s;(bI9CZp8g7az)s>&}U!~{ev z)zV~xpGyycvD(jy0R-LaDc;R2zlgK_&M6yy`op5+PDcS-b3#22I=NVEe~BsgLQj9- zfK|ZXx9BcJ7fmg-jIDUDP9-u2725HrpJf|AM6YxK1lotIJc_jIAx$^i-K&Hd+V&P5 zJ?x=ythC+(?uJ-nz?P3=PUo3%k}kYBnMNs&1?j8z@p?4>cUbMAzMx1d`yY#gp5opF zau_DShw_ttf&^nF`1#?ISjACrGL7sAzy;&YizX*eV9#1a@S0uCOqPh~Bk&WmLw~A3 z<#mkH1)a2Cb`}5d5&%wO)M>?8{od% zc{BmVIj(JB?Pq~Phx-Dx|M-8@K~MFr85 zFZsiX;JCn8fJZQ3!*8(7)2PcEOOD65!uWL1hgzXbJMuxO|LrS}f#&?j`chkHTY}xE zW+2D56Y8omLj-YS*naDul);MFt12PTt_@EgzFwzJLv=!NdxN(&=(^F82RCM<&<6w3%=qnh_@$y>j!R88;NX#%PJP+mt;_(^lk`TnO*rw*Q z{h81D$z4*Y5Kh1}tKb0i(ep*Uxx;SC6k(W9*`iA-w5 zMV^{ke$nYw`nA^UpmcNnGAuP8B0k;(SQqV04e`CeX*HG8mwkJGx}q#8)X(etY_)-& zdR$30i8Yts>CQXd&nzds0tnfX@Lq9#2ysd@I*4+C>QGf`Frw^UmVP$ac8uGo^n(U4 zE(qGB4=?fy!rP(7%(xjm=f${g;)5ycp;%lEt{YEzOxuEpoZ_AR%N>;4DQu<2HvgRzz&rBa5XRJ-FU6j2k{@6JqlD zgn(=Bc!mgt0#Jj4h|8;tKx#`D;4!8oQ1uIgj=J8(A3NNJCcU$^3rwQ(GZ8g>hE1G1 z`E}i6hMi!AQ`JmSJC0E4R+jk4rUIvhPX;X$s$v|YX(~$E^jXC-ih!%$45uAG-JO__ z1ajXdO(;3uImmfeO91@VaADwr+zl9x>C>!t$^}7pqdYL6RJ$O!;FxG00HB}4(ectO zP&P&a!I?JBiNrGSZS4mAN7`Nr+t(U? zF{P?tyW1SV=)3RWiPHcCY|!!{FuwOt+>Vev76q7IqZ4XVB zYH`;VdW2xE_R_NmqG-E?0i6^Hm6)gU^pHeQ2@ISV1}$Ki=NwO`jMk10;qd`3cYVq7%k1+=$Eg7Emo-%#_`1Jh=wbg6v7*&_p-b;5|@zd7+vD0s3R)7-Ip4 zX(H}B=ql->(ifYFYW7>dQU@k6*&pHw22KspL)*jgdBW&v!_bFkbGob%zR)S-HEflQ z4;k2vk*;tKDHflv;yNj56)E2v_5C1f8`1gnLrSO%^;Mcf4W&m!JW|+a8kaXMW7{;4 za6xv%Ps(kmSHNpJK|d|+MFNw#WKhox!gEX7WzJ*u1`Gm3DRS{Ed+wI*uL_~@FS?Ch zyMm7D4d9SB%M1r#ak$TpcAs@i7#1qt-wu58D&nq&ZLUlGek$W-0$HI*P|zn<7bN)h zDy|ud796k6(iB_ASaQE|nl62#asPpJc3;t#rUIGgLGiIFrdMz1V)2WDOgXK>-w~rI z=n)oE-(N)7PuxT{;lgR=!;UR?#|zEZI>J$8BSy``oB9UK9`p)-uy5!Lh&#sI*Z^t} zS{m-y%RS)Bra0z_hO9RDBDEQ@r(5M!u5O6d;mM{#KlA)3ErR4C4`0td{NuTMFdrQl zB+~Dp_sG0u5jFbaa#MB z7tL(pPg;SB15&pez!YEsS4+}H1t~@g(kUmn$A>z;PDfui(2D?MCviuH3*nXK?u1|~X)f3FF z(P3P353g^qFH%Eo7H#Yx|@C+PU^(iXfo!ruAV$N*YXH$4|$H?UUoo>X3UYl>5h&r;1xC@itMWEl@qn;}{ z==QrSzOwe^?lP?@b{jl<{)I%162{Z)-m6~Npo@5ek3R7nAca;W<2hcwzIV4Gz&lGD zEx&p?l!jAMzVkD6d1uaj(h>gfP44NFo7Xo{E)|yB1Rl)GOKT#y7CHM>MQvwoH(~WS zS$0S7O0I_QxKn|3!+TZy=_-bXz9TyR%>q-85*FUv>i;2y^00Ncu3t&JaS-$ORdSw&t3m`6_4 z6iBB&6YO(os-|S-5_o>5XOE=_+wwSCf6HZW^$kb+W3hg?Qm_KYtNOr~7LsM+g^b+b zZ(R>ru!yf4W-ZbWvOaI1EKu7n_*t0I-*#3b(&U=6^|qQOGtru%o?mm8$C%)tg(zfl z{4=HFEh1GpdHPg-$RC3xno3xz7Mmr=&YJ97T(yCHJGS;AAh(+j@kKQc#5|}_g?ZBp z_0_}Qd=zDYR%E77)bH(Xx)OP)Sv!kBYDXI9uov{y1jup@Q-df6`h|9sPsSPbjU|6dlKfImWTBZ{HzJjGN`si@eWR#ldUfR5r3-> zm1%vC4~jn7tPr#M^{oH2V8w_BWXwm`u>BNSn4VS6lG%)4|HPib&9YfxEO(YxB=(d# z-k`j~M+qlRf4eN1!ab8cJjZ|F7edW;hE4G1?27@DxZmdb;2F(HGIjffwVmOJBC`Gp zzgaeWczwb(aL`HK^XT^feqPRsW)kqOKaNxa{#3-9Sa(1xZc9$%tB+FcN|pz_v{v7w zIgl+JBC-Erda8`05&cWX^%1?xvbBEc^T5X`nq7cMoVUdxRiG4Uarax?d>ubf=oUyj zub)n+&8(Ms@Wu^!5qb-be0b|y5%wu{KQ?E>Q=L3^h5y86A>FjA;g@GPI`fXer3!g`e{>e3!p}_DwpP8~zSyUqWHt6Rl>qxU zo;v%Eu;#@b2!VuCM(`bUQF3-=Eekus-&E~I$jr9$va#s!=FyyYk)b6nO|;1h1ij@9 z{MC0|M>+4{MD9{vaq*Wy=kvx3-9~KuJ~r=mUPnw*+0J2g%B0^P`B{b0b8GA$tEvlceMnktf65a(yO5;@YXKceO2 zCt7c+nlxH;U`V0P()yC6!?Pl-WXL%@_3Z^LSfIM}{=7JzRF+3>D180ss! z-3RM611pJp7+bKaBsS*k!@Rw1szD{bpvo8hUyERQ8WfcKg`0M$b9VwMZ4B*{-C%`!r7sxMIqow*fk271e} zDp>}NUIEEL9w?DvyF^lhqGiLUW!p6(KL?8ONDVc-b|Kfr{Z06!~KrCNyKibU|AC)??YprI5u~j z`h3C-G3Gv#w4Y=i1EqX#R}BYOt6-Qh@F*%9ZV@b6iT;?T{8ZA~U*Jd8ekIIF47YZK z=2fjz(TZ+_V~5L4VX`g<%i!qz)n{UsxGaz*H8!UmW~VinABgKFG#KxfI;TC+VVON? zo%VABW0R$xP86QIA}T$!@I!d!?Dg~I9U*+0&^c8|bRK&;oB|zRYEOj1s;hb!JOpvR zMXH&s1&sVQjtvz*)U(}{@tI;JEtY@D?1eX@c?1RsPt*)vST8wwu-1tzl+%UXtKtmR zH$T-V=^J<~7YDiICFgp0e!cT?Qf?(%*|hC>wts)h zU>8IS5p_o3;ayjwW^ok$d`epnDV?f)AOs{vmz0E-6(J6BXGeh39NyQj+a~q<7_ZuP z?BUoaC&PtZOFdw@mFa~BSU-lm*yu7>99e8fS;!-BSg)on;WAE8F90daQy=zhtFP`*kgvdTf_N^=7V^{d~6KEv<$v-mdfKAAs!V6Fh_Hbjf`5 zge>mAKSFKU(rCrMPvZzi^tCO(SR$5~9b#2!*f4x)@ELTA!*6{dHbe=Du!}H$_`YL7 zP9+Gp!3X6qNrhnpaUhplXq`+Nt(#yZ4Ybkoz#zDWCZ`eTlpv1k0(Rq%C&4&FUe_n) zj+qeT+p4c(VtJnPQgdt%o@0@8)ko5Kd_ifut0f=1Sd})gGlY3Hn?DgP7O=Crq@pb zg*kt4?umS!o%Y$m`_8v@Q+f143g#KDR@v!>JuL%<6))?4m|tH3Azel_mIF^0-jzmT zI@7HJ%`+5@ayZz*g|^8^N4&gsyYWIy4r^JnR*uKi1#!>1zl3g+ZNA+$Th#Jimi~Rw z>t-p43&)p~>YrBA*PCQFPaB=pXV&~9Dsp@030!{Ar;RL07$pO zD<9#u&xycmV#@4eY~%&aeci`K=(Gzo)Xh!D8y9iD6-06r9h{*Kg;kMv2k@vZHZt*g zQh&7GE|WbwIz*OD+ao1p7wUQV?~|v$&Z|LR)ebRzJw^(XLD>oq%0{yGF>CWoK*E^C zh^7?LoG8GGNl;4R9J<^<^0UKc0RK?%i9(waQmy~EX_-P0Y6w1*&nDIu47PdgfzZDj zaMcrkpZFuO;gnu_*5)L;&CjJ&MNp!_lYHieF7-oveLFUwd9~FTgVa7{up_CJr zJ^r&*kAIC+XKcn53(R`nqG1txXAX-1 zlwE2>1kd`4ID;^wIph1X=r4ow*4_zbx z<7KXaYk8~-3{>}Yh;#!SX`lmsTmr1nfM_~Xkox5}+C0G6UkBHM`14_N8J$s+^O9(_ z%bKh!7|BH<;-)P4Oxuu#Mg&Stk~md`PTs3X;ya-y-x{_8@o;RhWt@bjWg1x9KDuNTgEPF8dk^*`6Px;!e-+tMH( z_-ZsVZ%;Ds4Tx{hx-7c(M!utyixTzN>(Vm4mvjQwj#wJ+5UX2^Jwa~v|6Hv(qln*N zv=Xxa2n89UU91l3yK3_%Lu%kjklrQa?nSO6O}`qA(%02x+ygO~_fVk&Mm3fSPwhxk z|M-Vjxllgwq&i||w|$?h#cE9`HovF;c0Bf)dctvR`+m+p40qgL|%GUrYwPn`tgMxt;1QU@M67?2{%@phM|F4lYxD(9yDE9?lEN3ut zQ6QmpWK7WnXJ9za*D3e|oWIZCeyWtARHrQY6b@E-&M5{x0Y)__yDT5&DwHTDu_{R6 z{l7ORkFE-_ZorW51CqFs73=8(;~^*?_~c(9(&>9?0uCA5b$}-@?IQ_x%caMF+VFU* zf9rhV+2yc8xyhILwGf+G;O~Tx6OWFyn0)p;@Hgg6R{Hay`E&LEZD-28S4@K@Opv?P z6a5eC<9|G(Ih6Q0OY1LP-pxJ!pUeAitNpJpgIzGxk@$?V24nu`68VQ;0?AsW@tfnr z|JykKD?;@jkt^v&ROTQuPBqxmf4FLYyNLhyQXLnf%~>euyxgMCZqlL$?)8ebfb*gr z2*q9!!c_xjOuV!tg#GzfBgfgQ_J$p>TSZ-+?f>doQvj#T4&?Ed;fhS2Ma-9 z*+c=auq(t*za=3}Pl5rnl67cc1oi)Sa{R~7@z*!oo};pUi_v*y*ZuGzT6-Z)2P9uE zj@Zh|>d7RpZW36LE%?QtvNvci1BXErh+9o2p?74$AfgN|o}mB~WfH)!Ja#$>+Y*J_G)R?wV3pk8r3> zaWaQt6qr@*la0##)6%9%}_~hq+_Uwbxbe0y+{0B9#T&ek%7kXZA|@F)6eH53!W!o<`$el;ENe zfLd86wEu=jxuA4IOr?h8RmvORYvVfGchfcqUQI~YPk`)N8gW77J$@`N`4D$VfyEw_ ziL{NIIRIE(4<7*5jKpXsx+k#CEr)aF0+irEHL3DHe5|cFX$1_^+;>5o`9!MDP zd4tIX?1ks|0ej>5Sl$yXWR4b4{oNn+#t3GfN=izK)U7ZOIi7TRfcT3+3Z{U=%hHiT z`eImgpM9*^!=XCx#`hQ$8E-+)%mifAUjUSC{`>ke@1@mORmG6CKMSevp!sShY85Id4ziJ2YnJp3)%Qt|h9Ua0R!4>?n4j+KeEUoo$MoIYCBgDsN z4OU4P6xn!7{(1w9L*9J(InPG6*zn@{SiQruV=(Jy>?GzgVb2QqsqYGy0!*FW|8aHy z<;|^B>F$$7?@yV3-;*&T+rXOV0&E~Q-H#?502H+V^=LquP8s7NaDhcMloeM%cNPq6 zp+bqD{!z&mqk{Ncv}*HiOaXZy1yLpZ+SM0zpDha5H8~uwl8Jk}D3ad!hchUrg@9QY z2Rh3hrtk%TZ!!Sym;Mg&X7a#6x^;F1fnIdL_5o>}p%j!WIT#;6zc&2Zfk#@u!8!8+ zIEB!Cnzv^gYw>}9+m8tZKv;Gp$beOy{P_Gi$YSMumy){cG27x(TRRutJYAwC2OKB9 z&CT}nQ-8dOeB5DHWj#dBv;rQb*Zr$tgT4;{_>$V{*6l36sQG#aKOKfLmuTc2#0KDT z;yhihKNgK_`qgocSL36J#2CQk^LPhHJeORlwujQUqc?Uoihcp4y9?0x=z*UK`dEPi zp+>GO8lR%+t62{`BNx> za=#o7jD0gSToLmEO6nT~{uY8(Lt%+?X6pOgNZ1J!3t zgTdavJKctQVkk0g)&V`SFZJ_yVSQ$teZ?uDZA6Yp-7cnnWYZ~q@2}fkkKJh|-X)53 zb7%ia3q=lAL|a!RVSV(`AmUzVVYx|wPf+6rz3wFqbqL*;{im&ID^q$Ijk~&p7tDo@ zffZULI83;oVBO&y1@#>#u;zUTrbQ{E;a@^LgTPHuow!EQG8$Fg*hcVddc#sE(9=s~ z1et&TTDgq^zpF8VFmSKUeWL6ZQMU^N(rY*1?yws)I3KX=cuc4WMIy|+6}o}DVD2T@ zZuj4-7z&{Dlk-_elW+Q51D|No890EV2?5CFD!4iM4S)7g06I1)O;sc`GF`&&QzJ-* zN>Bhw4rUjs(TJS(4G^a1hT5EP@3*8dn2ew)^FIKPz6gd->ZSGi^VYyGjbL~01|1St zky>_E!YKl=LdYl@f6hBl$t=8wJVjFO1Zo>8vMXTa(K!|$CK;-7ar>+FRw=8q9b_?a z%_|I! z9d0i@$Y;a`4|?f2WBBGRFD=D#C$_rZo*@T?gF$w>ps#lB(nyh>$#8kh-fGhUBDh!qUf~g)90?%14 z^0&BDY^^dP7P-ex;?q^_;PDi(2INg+P{9}?qRDYoGrDkJak#)fKD`uQ>>}#f;ByID zp;ZEamZ{%t!SvS=PIieOBm%+et#8?4^pv%?P|g6whC!qLs~Ijd|B2*#Pf$y?xR75v zOI-ghta6pbq$;d5JGjR{LV7nw zQ{N$D!|ztW^)(25={CKKwL|DEX>yA&=o3&A8f7zPT+@6rG&Fqv9MhG);K*)XG~bbB zHL1-zr6OI_qf}QF6pXb){R$-3ONB>4x^~oHaw;i<~mU}#y7O`Kbl?dD``7mA+nLh&E$hkgZ zqz#|DQ?G&fv%u*Q^j?(5@B=|dJ({fDs|2DecvqxAdYTC)DpS?4W~XECxMibF)?C&F zcnr1r13)EQJH%P%u1WVrmupbRMe|4#tHD)v7I+%xPoeEo3vl+xlvruMweaPhPIY^b zMSF5kfL}OG%u<&gKhH^M-Kx1z_Tbl))c5)XgXsc=L{0C~vl^<6KX-icGQt_bT?iJ!BbW0vIfQnoaq zFp(w^h1{A#r zX2EU^(WvB|A%&N4F()G-6n=>;&v`rD3NB|#I5qj;D2Z}~yS4a5t^hV{1b&e7L1YSP#)ZVV4>I5T~0v!zU;^lyI zV~)WAJ|KQP2uuuN$ufv*If3v|!hOMHw+oaUSsI@L12D)G)=;W}jLa@g_6AdWMPehG zk20n&@K|xph|&_dlR^=LnV*n{?6JH0#$U4+EVona4rpn|WVlPdDiy~PX>hl8Ssv!~K zu(nMjZo#Mj`lXpCK1Ct7@!ec0=!}-oL1oK{A`?g01h0qYqo`z5*~i=*&A|0fq)2qk zhGsJUV+<{{5Lky^a9k7($JNdl?t;<}g+oL_-5_4qyepr8q z0SRfwO`lrDrDf+rul3O!P{$O54n0bb7or@D?5z7Zd6GJa3HxrU$&;xsEfnngqElIP zFj&xGS~=%=?(>eW`n@WXP&jXDbm!7mXA=MrGVv1pin zCAE&G5Omyu_I153v^ymD&Rx_5otF<2XBZ*Vbom6!{fi{2b7R~k8 zpEd^`F+{c2Lj?Gu+P!oT{`QPdDyw~LuUd~lCsmL!+;DmP9Ge+iK?H!l21#}Rz`xL)_=z%D325Jhm>6|jf*n0EI5NF#71IzkPYhn{ZMi34gX# zyTOgA`*4Pcy`VVbzt2nlIy^>vAAF)D?fkxL&opb++SAB6gJBbvP|vBE!%8b8Pc`vO zbGD1Tmx~)aF-IevCWS&F&5jGYlPF7&HH1}ugRvdTMUx## z37ZJj9?u6>v{0>eGz^Hvmo*(#JvT4F4bRwb;r8jBv*CULy?GEA9jB=`IFAOJ#>Ds# z?&0PUa@xE$(6Bkl58A{l&y3nGp|xHuOC+MRdKxvZS;~p?rQ(b6KU5ec{9hF#~eWzYkXdAcW?2bZ~Ma; zx`MCfP>CH;wCxRPkiu~6>%VAX6_9uPerIT*7vMJ7C=14iL{2Ciq_8->pO+6PGsWaF zcbjr}G{6{y5lr9endLsNK<-w;GH5^z5z2EsyDHd^Vfj+W7sOxz` z6XrSP@5(N)=F=mj7RI9N1vE8w9x_s|)uXfd2IOwO2)_Sv!UK<=SNM|W`&v%NOAATM zo_ldJ`k`hS;a{M36$niXEC~=P%naP13wx-|DV$uCoOp>Q z@yBw~C3W)x=k=e<$q@zGm;%&QXiEWJ_P*;O?{g4;E$h$|;6#f^>RFA(A~@lGQt`Ivfxf;;+ z3mFY6o&Z(Q#PCKM07Y2Lez^c#`RmyD_#ZQ?zs0Asp6KFLoND6zwTbtnG=wNv)rMF#^pqs&Zs0u65~#Cn=i>E~0r2V)2oR;87K* zjcEj9soduYqa)q=UQj=6EAF^yq4L3WW^=|fgV1EYU;`%g6 zphZhtIh99##sRVZ3g0qi)e*3X_BC~$HGj)7u3PeQt6vr~$#6q~BZtLW&Fp0Pg})={ z7@|tdrn*Y%a~@(xTMTpdc$mO~f@62=lkt~9ar2~Cn%`}#WeYsBL(L#8do^9%N=frLFNo?4b+ zLIK%k-%W)V1&<%)#6o5WkMKvS+YbgI?EL{Ssfz@9<{liy-@r7U)@Sg}KR`yzA5k}d ztN4f5X*z_&lk4+OgG)Moy)|WlnQX45VK2+-O$mn$P3$q(FW3cg#qn#EXZGvTsMs&S z@0X5YMvfuIe0GHjIB|I(?#BSS8@!q}`LF~{iLWJXWrR*e;#a0;7|LXf;^W_7hO0F$ ze~@4RZivk&c|AG9y`0M!4 z$?~MrjU3=Ck|w1(lE9!;x6Z8!#@p`<^aQg2Yy1QK{%o~{B9t6SCJvASie+TedZwEt`iIqhNc^;h&HJ<~iG@bVj%lL9GP8#^1D5*z<(;Zm^T!}o@ENbN>MwkbJqt~7I{ z3}u35t}kRA9!uj**AX%*kDAAUtRG5{^~16ThITF7Gt>qhD96&?f)pgZ27N|vEi$D5 z^y64sR>-r0Bd_u{58yZkl<6P9IB*@9IZvo^7}Uwbw>xWrnKOpnoUHr+I!mi8L9}2v zqr-H0Y8P6&i(M}LZZC9wddWZeF}>SCmh!iMyxDT7tV;FS9crKDq3n(wmg7cx&?iJr zz_GnPMc2z#Doh<#m}0_Opsy@P0alVuo$%#PX@?I@uGq9G0810qNwl{7p0SMkrx(DT zXUD*C0f+Kg3?w*H*4_GfMDk~vLl7-ZR4S;h6+gj-cY0sTEs~6cA_PGT8V@r)dC#BC zp&S!lbVMw;loNTEb4lPytIpDRp;97+r+uR@cE#h}o*aPLl_`YrCstl=904>>ybubY zFeWlsuQkA#`n-j?!&mDP?|HA6iwSn=*kJz9Ez?zz;27o7v9Z4sTYG3Pu`W97fgRc- zZr86PUpvyrx^V%_0Tiy5LP2uP=ZN83K)h#~#PK??#D0*DWKG(g*5OY2DipF@e9pIL zHvGbDk|W!vi^nG2je6b?d%wm1oXl21RR|AO`=i*3WFVtrTBOp#4ZAw&GZ;%aw9m!z zjn_5gqv@rIslv7~>C@o$yt2WRQ0l@>%?boI1R#4%owwqscXSZS_(Izi-4T+0p6NTI zS6MM{Eh;R3#bb9QAX@4jAe9Hqmn0oA^X8wc`Z6AkfzJAY4h{u8QuLkZs>O1WRFXTS zV3;pihF|Om{}NJmkB~ff>KBHEWL-?NGY~f)nw_i|?K7zz{SPenk015l3+{JyzDP@d zgijvI!X`>v6^vF9542MT1n7b~xl}k(jh~zrFri#w$&YQRdC@WxFf2r??9d-&P7ST* z=*W=Uj(jUn*^$~EoIvA{`tFSg=BQ^^L6$uzSm)W8BV`*)jF1t)NQKo5#VA?YPCQMk z2tpdX-%PHRkR*V+sG>`!2T$ujy&SEp0Ym%>)g#M+Zla$GeZreT!u!r9Z14vHKU}r2 zYMbUB*epHj$rAir)x!k26T^w>$h2)19nvk?Q6diF>`UQW2pBcvGh`X5z=IiJ!QI~PL>~5Zt^6jWTqT7K5 zn>~EtBa1Grw;-mWdkl&RoUHtS=V*9Ip}NF#=3X2MLF{@~K))jbJb_Q%Cw)v>C*dxp zAoEAF1B-{|+m|h!AHvg$daX-9(t;2&jg=k)`8n40Dh)msP66P=d7_3LzmpfW`DxKL z;u(;MhjY0*|Ezdh1?Loh@AYReg|4^pfpC{~q`~B@gM)s zvW3LP7_)*M(jglPY(D^-l>`u&_Z*we^Y6?vI~p*zj7Ly8n~WI2ZvkP4um536On)?H z|HB%VFmp^@Un@II&AV2P;Jd9C_R~D!s$l0rcbXVt%g$LV;?CsA9D1M0Ve+-J=3c^4 zsoUbYQ-+5cllBWt%QO@yV=cI0$yD`H8wP9$kMcZ#I%Zt}Je9_UBPZ1l9OQ1wVV&a5*?cPTzq(bth9~o~ zI0JnoUtpS=vxoc~1O5@rky}7mKn%XK9gn*s&XyJnKJ2|Kz)}0#WaO_e`{{!F(}i9T z@1mM^pjcp1jTt4W5>p%@x?jY=o-W#M0+LtM2vk@I&P+E*F=POHeqmPB*6gP~E6f|z z3P{+e5a=5nI2NmReo^H9?Dzem(bQ)W2sPz_Ha_xGdhQ9kROSbKQd)@x2WgT3>Ue0_ zUhJQateutx&+Xd-qhf+bud(}BpKBq}l_~SecQxOlu{j^^a%$*Vkiw1-JT4Gb&#S)) zxCWF5TF!0Y99(*|-3o{bJ_0@&^7Q<{>e`A^RRubNkK#mzt;Bxk>22z;hM;{qmiR8R zkntS2$>T1&~O&PyG_AH~=b zwhf+=nGD7KFYy_o4pwJHWnBv^P^umRC}{TTlR2YMEa6ldNtrdao|o96fuf& zbgVppRGc3yJcEY3z922rQ+CW}(STTur1HrbxsN>&bX*59OZXS0%+XEV2GVbWo5T}) zzYL23c_CUL!U%=VG}7S+G#r@XDQUR#1wf6tCO$FW(@e}^06EKl6y4ih^Hp%cK>0V| z+1O8YduR$2f}Avi$#Q+Iw|C;2bUO?U`gnXxf$aF?Gs1{96X1mW8r%vR^W@B zC@I|y(j_3Jbf=^s0+LE8AR;C2m}~9zJZtZ@*WT~RRnZIgwmY6x=AI;$^yIwo^I-OsP-rs|6#oRL9Xx9+DW$4>39 z4XSknpgqhhCiJ+&5>m|dj)(?FH&iMN-DUi9Ui~6ycy5>E7B@P>)X{&ul-xL`jcE1z z0Lm9d!V(L8s|UJGkBf=zu#A`Kcv6bkS#ub9N4=@guVmIwjZU(otk15S4=!@xq&jJ! zN8U+k@SYZp^PF2ImioBTG*bV=@+z9Y&y?udx6UXM-3WEd9<|YKj|f2}SAqqM&Xkq8 zT0O-gCA`0K(+xC`17J60V$!JK=vIm0Q)$pk1-AA$u(j1^OW zAK?yTB~{-q3)Ee+4sp$Td=(!M^JUMvr!Cy>YYAGlRiTIlZs9qHo?4haNd7N`$-Y^E!gbQLaL^1?H@at>qHu%t$tmP8(Ll5*q8Fm6 z!NZ#@3h`4qYibzJ&QNrKC9&yXGZFAtmc%FkTx^0qFF<$*)&!9!oHf78j=zRDQCkx@ z4Pnx?w}Rqd&f`4JJ(tyg}Hi_GK6^T;}BVmY*9+d z%HhU)LEwyfxP>BlX`)Q6ken6ai!$6uIkKsz_FsK9>Td8=zvDdU*=>W-Rn=&_@zfcf z4}u>`?X0%d43d#mv^fe~2nJODi6?=m;9vU1r-+4#8)V74iOG_wbos|5H#+H@#NQh!yR7MYP?D&t&nweG28QvE(4FCfmu)If%yU9nMObnRQYyUIM}`*5Y+N#@OH)M|9dx(3KL*5m~9|Y zB)9zk$cV5gRALLAwHfPTsM>_kGP0kZC12!se#YFvle3O({Nf-(D(>4t7JtJk?W!au zXK-k|+6XO5wfgIeU#H=qs=1Hr9HqqFL$EBbbri3N#n?t<*ya8TdfXAV4Ir}#gXy>R zmkLPwsZG6Choa-Di1e*HoWwHUgg?u5w5GrR;c=0dwhzN>STY_>_RPx%)aA8^yqnZk zx33Ewlleu`VebMXpQ_!N9_C-9Y(QHV`OFZsey(Ui0#L5} zXIQs`HH{#uto1X~#&R;k5|<)%&yajtRe}@=9&;Iufj9i%;hz++wxJqbLpFAR?skPG zF@c2FN+f^nK`*6C#JZL!!3`c>e$&X1y)x78_tc*zOV-Xw1MCnOG|gyePO4G5FZthx zIH&80xx7RNX4EAP+@ZrTO-tq4Q^DsoE~I(*&+@u|RlP|F(kpX0lrs=$-yYU{Z9Buh6GF;2 zR3&*CS0_bC?G>8hJM$9M?#U<=r2syE!AabX6gV>u7Nw4%c<$8AppE}RoiKX8s*zDV zB`<0z%*UVo2nyv0#grzGCtt>;lRHA70K=sV!esMB0P4*u9N<9ikVwCWj}(B-(V}dt zaPjM0lz%-(WwnRm(d4q3*(_1Z#0^p^s|b&OB0h|RfM$W5gy9RMKa%fI{{Q4XXceo{ zBl+u0eIhr%5tCWjRO&kNLtwWlbk?%Q-lhJFB9bsSb;NA&avPaT^d@I-r#F*W!#8IN zeg~qnZ)Fv;>%u^l-|!GKLa}E7uixTn$O(lUL51dF3r`a$>PP1%hWa zuq51Th7{NvySU_@M+#0+nn2f1x;N^2+}`|Ut3ZTG3vmEiLlf*!C-C-5;j-$xYfy~| zy2I>;>DlN6q<$e%cA4!WtUR)kzp)y|2@$LY+JDb#V5FEqBL7t-h>KUz*)xOy$iZHS z!8Q-x4Y^2e0ZfZ<9yxz`H;B{D)9?+iq?{Bj-e%~FjA>l zf{x3UcFOnD_>|J&_{zlA45~BLj&aoN#ih6H=cv15^*kU2Kq_}D34GE3?raU*@hIB) z(6{TUtoJ_B(p~z*jzM|j(RV=%sT^ER3LL`EAk~#!H?w&wml<|^$!s2>iKA)Q7W(E3 zqSNl`UMdzE{WoigdQC4WTbZ&yWd8>CN=6Q7jK3zMi$Q0il>vUgF=GJYyE$FAu3ybdq0PSpz=nR@w06)_c$fo1|vCPQb{yVeR08 z16d`ywShxD)Qg%rQXdZRBj>p`X!jPap;D1CL*n^@Xyq=$ce_lZj46h3dOyq)yOWLg z6QlnJWymi(!b|sj6w7;T^oGntsFTU9hXuOV7eRc=z3}NW>5K`E-?7`FVXxp{!3|#g zqo!wIgF|`pQx;h~;?++9>?8DbvLhYxfF49A_kcEOaNhjOA?vdPcf;+moIr-9P_L`x zKhg0hKkMJovT}x7eB{J!eJEvwyXdqmw*N$EsIk-Di0c=O74()o)TRWUZ-s2!6xmvu zeFX1iguD5;9cQ;0LEI%x8y5N({q$cJcpj8|3A63{4w>}%W2RE|j4N3@P8onf29%J5 zdH*oV=vjfEPPRzP96j%n$2wb`jORKVZwP}jN2NEI$97UGXE3dscxh1~0Zx4|7TMfz zmacQH$2q%Y(tFCRn2j+dX{J4#<84s_Ex+=cT#IY$s0?*yQz!jOZDsrMscrCG2mH|m z-@+bwAi_E{kDJzLe1t$swx*6&ku(eysF&_rQtWX-YfV*!o59y7=--Vf(8{vC8EpT- z!B1FMTX@fAT|w4lyX`myhz+LPgA%?>`ROsboRn|o;WUpFFNqa)n4Pv=V0>7OP(vxVl4`el(!y#r=OTb1jB`1)71j~XZgf33X1 z_^*exwhIjPc#c^!x3M4l5MA|w>oP09?QQ18Nr$UETs-RX?KBVK3MBXa8OW?QFqX5c z33ZP;9LKgzY_2#RBy=DH>0pNXJGCyaiPT4)aw?uTWcYJ(2pTrg!M=qEN2}817_E6z ztk8M_D~#c;cJ-gYc8L97(t$VDKS&27DgR13m}oJnKfd#SjXIbH29RjfGB^7jhcjXF z{LWPFk603c^YCG3ylX+Rzdxp$H2CuxXz=U3|K@|T}3HaMBliqj0}mYNoBZElL%zS?m{r`Cc3xB`38AF1k_}abrP^ImAy-n1-sO2xS0~`xq1dKlu zYdiFK16(eG>+lFM@hTMN!_mk_KAGZ@KTdL4r%Y^8;IRotgGt^4UfYPDg+{}dJBa#7 z0vILrp$xlD*vm&4EIED?Pm!)8h-*mZjysaKos_U7f30x^&bqQm>_}p?4u`&4a^o)` zj-o1N7r1b4l?hE$W)7~u=MZmo@imvkC;%L{DR9!P`A-XanD@Y!5DsTZrr~V$4y(<_LXji7CDIh6hGnugGuukwm45NcMEwBVTRwgpq z?7IR6cjpk*?o&ISxszfYac=6LChJGgYkhL!6@x1qKcSS0k(m03a$=xfBrr&_3cGOO zUL-kv)8jA8$=dY=2ex3_It)}wWR*Su@9P`|=?inGuE!Q#Z; zwT}U3#>fUTzdCTr%Uf+%=*Rx!_r@;06R{-OT5ksHJ{D z^B`HM+xzotJXyV^#VgJRkA5Zu`d&u5?fw0dze>Ehi|@*%<$I!*c@YBB9?2KqR7RnT zdp)k0^n?AD@Z_!Qgk1=o=aFxWXO4qph7t8hEi3n19XGuUEc+3@Eey3D?WA@Q-jkxq zhhGH6Qe6^Lk~YQR=-dqk29ZofyWzJcTi{Z|{o zXd*TVJCW*&^HL$W?gvvs_lBtN(h!U?G`s|3tB(^HDbd-{uXJV#&v%^fF6y7OradLP z&<>PSxQ>iG>}xCS9nTL#$FfX~ydwUC{{SHTP3|OhLm6p+6FWz$s0VD7lx*4r1Nxv& zY(rzJH8D0LqPQHqnlC7JPXV1TQF#WYG-2z*Y2n~?+Q=8gwvR8o)D7Jj%JwcO!?EH~ zk-8zPTN+H4$~?dfFb*skyB_qBh9+=}NvY;JVkAkkG^jtvgCIe1?A?}WN}guCX)Qx{GW&cg*<;E23$Ss{}V9)8gU%J5vM3ug_6HQ00M4n ztE7G)Y=~sGoC^|Ft)7RQQN|4G?a&&1=qfJf(i){{6w#WTRR8gbp8p=n@u!BC=Aw;l zQ@xEG@v71Iqvnp*^W+a)VvTsCT<(UmwbpTYJ|ruM9`8zofp$2pSkT+gvNZSqKnC1v zxcWOX06G5;WI)CJRCPBo;w~3--=9^(KD%w=na>oao=a71*C<6Fl8C+SJXi&})tX4w z^6WWcXp3M|)X(1jZ~IETh=0J9Hdc>uI~vR&*|rClxVub~uYvXQ%2iT``zp-9Ag6~w z>(ql@BBYe|RBRGcE;jXq9Q_Oyz;CD0Ol0 z6^tUCddMt)Gq#T_a9o2niQq;j&OZh`G_1%7!^ls-tal9DAKVzbgMSUm`LT}ws~5s3 zicHkT`o?yE_{DFB`1s4nV^0LVe%QT`rRxGP857`-=@6k_z#0S3H$0deXmn z`jnSZ5Vkc~|5j!PV3==!Ln$zJAoAc}>(2k&cDRJOD&vQo+_-0E^T*{901SdRSTB%m zTkl>*7{y;(f3&jG{`X%S zBOysx6cbaCZQC~h7cigTJv@^?VfYdI2`IQ%VbM`I@jwigPEa^~Dh-~sY_ z3;lc@y#MDn(oaxC!)u%vfi(n8fpF+EhCf!anQy2rg6gJU|1Mt;c()(_ua#U9p2llH zy*P^OjDy$p?n;>Fn?2~xKLexi+-oERy9(T)hlu};VL>V@o+;N$8bUkA6aRgJ@85C5 zZx0c)KDH37UZJl81F%Yx zF-y45HwCFe6)w$H0cM3B4C)WUfWzF)?Sf$jEMYzHWkq)+XU4k+pvXtJ0po#z=JUOz zr^t|d^imUZB!L{yQF=b~5$FIDF z;3PJeH5K;pi@&(m8?E>$bi^U~70ik*1VY%NVZ)$wM>LHR2~ugc-o+eB;ALJzbW|DM=$lfBV3FBk>>Ll+(zO3XWYukk_!&p0U}<fe}G@FM# z2zQ)s$p^sm6zSHLkgM-Tn;0tdHp<6scQ4X|MW2LCH~%mN;RUA2c>{`0vKj1vWB@0) zWd?sUGSr{+DQt0kC>$PsiD#h%FV*o1j7YduKy0zfR6!BTi11)5=c2%ZdkbN6Y%A|1 z$E1GqWOI_qkzD3)3t4{}6y~Jo-^^orZvSP0AtL;@es_LzS3oEiq`*9lpqKh-OObkUY%*BZl3}(- zya65rB7~+&8stv3j(-pFp&>y|aFH9T{p-d1LSH+!LT8S=l4Pp!~8m zvc!DKI+7S)!})d@@CZb}Jf14qgF#ss48W}Zc!|(*Qnc-3Z{E&5{(`9e{P!g;k+<~% z5Q(=Ax?8E=3cRi|3_K9}LN~K@c8Adg0+Fq33MCZxQfmfm2A-Y#!&=&bv20acaM^h?IEC zrdN-X&<;;9vlt+tEX|$*pqB{FK6uwSdM;s5E}0AbJF~l*N~7~0BN?1{8=^p->(b+t zW?c!gHEC~HwoJi3+>5vAaFr$WvhSRL1tt;khIHz44vBUhLP~*Q3PwpSie(0%p)J>1|z8qLv>Qx zK5vsZwyQ|r@3)`$tPLbALodd4+5=2i_0k786o8Q45IjIR>4vF(7c4Tx8M-a*)dDc1 zsH^h!uub@|}In>q{LeRgs#qdxzFqer7` zYVRz-)w;Tzc13%m_?%;4BbD>(RKtvi$?$a;T&MXF+{jEaw)x{Ao})jfZ^l~rrB zv=_0dxridhn_QM7lpDcSo>a(QMPDJcEL}2_e_j0gdJ((fScMn?*Q*L&9n!WqkfP!!1k<THLfW8Ldj6$_y0>jL@Ii`*+i z5n0i$nL44I=P>Kp6|#Un<9%_Jtth8Uwn>1m*Mp5qNz`04WbAfkoT9(N!7Q4sgEyt6 z3xcwafLrXuGfp2-)b|AS8w^t)U4RdIh0`0#+bOk?mWT}_5hIe4aOVt?b(hFUqxd76 z_^pxic#Z5|jHQ0+LlW*lXY ze*JOGM(W7cIbJ3{lOF&$`kep$z%&~LvybG|!^Js|#tEkW^mNm0;>WRUD<|^p)ND_| zmhMF5yrMjK=k0gJw9xt5iSfSSrdsR#?CeAa42t9Z58Ott@Fe%SSNbCFj-E{s?xQ+N zVF{y^w0bk8yB|(zO|4o-BfJr8j~bt4#LSsqeVOIkMC>rVc&LE1SZjXwill=tL)%z+ z=wd68x`J#@UhPy&2RZoW18>lxM$~fZ2|5Rg(V~isuYZ+^p}@dwtd8e1dd+%e7nl=;?3$#6GRB93s*ibPpb1elu=T+frO+KR#ss-_dp`D zA!dZzY!hU)*sMK)!h=&GebL$Vk?n3G+ZmDVdX2d9LV2&aP^*j&0nW*axm@{4eQeZ8Wr~p2%z1463BG z28nMsAbY|6n&0vLHJZA4cWGQAs>Ae1`JlRyPN94DUiG~XL=V+<`JBF!xlqPaFVN-3 zsAcm3LV?zvq9a1N%;g8*Q<3)+XOi;kWget!zbgJxAmNC-#mYPMgjFfTYdvKLv-l%t z!8}xAA|JM;uI7$#`UB`%ZIzVB1|O!H23 zWr@W*?FZQ?3RhN)lv30WxnxTG0Rv~gRGy>4#;q<75eX!rApXQmdx}K0n+s)!T`6+qk1N8A% z3k_wYj}Pe|)&hO^UR-Jk(`4l(PJcd5D@Ar!lHPQK2=D+LrXVzER$J_7S`jW!^!2%V zQ*=A*&F{n&CowSSoza+7-7priVjN8hd{PY+Ue;S(jsuO?`UAmyPpkxnyQLf7hBPiJ zUgw#ma+`OGD&D8Do;nO96Q6O-OfjPT#o1%T+1`Xh?hq(sRUX8knk>d{PO^3y$=Iks zE3~2W0IQ|ojmVh0z7_fRW$lgGwuh(sW`lz`*eiy^GeR5@jhDYlF=&Jo$*cOSz=OGQpLPk#RAgfVpD zOVF|J%xS_{=aF9(sB^0p)1$LJT|n`)gaOZFTH6K*^Pw)jN6`_VVQMFeIUE2{POhEM zD^i!>t?SS_+PGM~v@XPVRU3{meRTjZs#o-G9W=7r8&x^3ow)q@cm0n|lerv#<`hHz zit<(9`$^5~?@bgHEMrxb2-ltTT|=|!f@~naPN_6o3VPe=)wna-HdRV|SIo%ya@}C5 zf0*n=pz(3#Gq(f9(1m^vXL7vApWXV)MR`&3CvWf+35WY`8Tnjw?J7(@=0fXnEF-L< zYNOl-@tzPvnv?kHu$E1l(*x5Mwd+B5IQeNG3^iAf>F`EPu5NXK)6QpdDONDbYy{6M zBUG^c$ww}?w_qFTw+*aDb$OZ8d3fY<48Z^g8XKwTJ#!dRG|9Gs82&{bcU|>aU4B4L z*^PY7JR%%|s*tv(Ei`v=h@l)!0 z^ls~g?>&htg|9muxh;ld`x&yT@<#Vd2RJkRBzYV-5L}O`W4l981CnF-peQxf$ zYtJ0+IZs%)X$DFDJmYc@*RKHd1+5~y75t#`>O{vy+ocpm8&d_D&bqebhZTeK7;sFx zN-)VIUf-1*z}4m2@EVa0GgEqQdB9q19us)0>5}YL&c<8-}cBd zGZbdo5Uw;2;9bjNHiImy?hv&HH>enI{@V~h9RKc#6eRq{eLx&+sGNMOKIM9-wMk`@ ztba++JdNv6kE}^tMCr8qP;A} z?_rJ5)NVEX*kkJJ6bJ_NAFbp(lXta>ZG%2rCA)YSU zzr(sAsAyoDa@giVr&w2F-%)M9<1j7w9O~d!#&eVCR?<6)Q4JS%tnb*5KS{`YA77D| zQSyc2uTEq&G=Z$Z?Iy_qVk0qQvp1ZGyD!v#Qh_wOWugDGAUi8u@W(~bjE6&Dhi`?` zf$K%*Tdft{4QVd7CDEkW(fqZ`BngMqM|~Hs+^Ckch-OZypR3+|{ye)&s>?6;ssfMI zb`N8$6;bnDiJQpeT!}^1In^u-%vXhPgc+2*zh>4grCg0d%Z$OuY#hJz;QOzQj}1rS zF1vP(UT#N;Uxi06FJ{cnrf_Fv2y-{P{DAq3!I=E~$breT!=->T=;W}P)WC*Zsza)$ zw5j>-#svNG4X!#o+jg4wWxWqB!(y0JKEjW3L&WH1ukVR7KJ=~ zpIo)5F^{i5=(G{Zfw z|Fz1xSTN*2yqtZhz~GfWWh;Q>Bxe=IC+3r>A=i=~`-IDIITTe#d=-B#9+&xEVorG_ ziaD<0sQi;guF7(G?b}w^w~4v!Bm0Fa%OC1&JOX#emdFjAenZuF_?Xt;o+M;+lh%V} zPVcPtkW6c;o2OAF0=M1FK zfqAKF^MiSk!6c+hnG~Q(FOh5O{lE}1nE7&onnN$HPdt4mhCT7q0I|brXMpCe8Vp$9 zCP+W}rnlE{rQu8b?xevC-=oY&S~JsfY+73}UjX3v_?f2SWnu0%je`0i3x;5-m6NI` z11F!FG#*VR#uxMJvhgc9PI*o1SSGA;6Dn6e)?+jXO*>xWn)gQyW;bYJY`DsMd0u_v z`ga*m%uw5kMw#{mZ|ycx%cfbG1>i-oZO2ZIt}zMgqozqVAs>94IrYeIb}G-_$=d(5 z&eW{obpM5XZxskT^kNNx5~!&!QyWm4fWp5xh2!&5qCML( zn56esYSG!ZhhutAnxKDck&x4CbqAD49VMdXMv0IP}$REAbP<+}}Rm zq=pown(+aN?yXwq`h%3Ru1tvuKu883ss>K~v}@r3VFHr8?`B!&ZEKkov(+hL}$ieO|qT zWq06>IiCzy=3=ST`g)QQbu*1vvsIXY)YwcAQ%#{!*clh}WAO3RU6W(cY5r8VY;t8s zm1(>7C6Tei584CZqsmvjo2D=4*^znB?a|+Qyq>0qr8u`1*YQZ~zF(}Vwl-i6$|k0i z+tS6K0vx_v9j7jc=f>^D2r}-7SF_Y`8_Z9B1`F7fgvVQWgVP@NCOywL{dHE&gkr6(@5!)tapha@_~^CJn@-YYJtso)^|<`=V*|Nt zuXUWX?pCZY8*DUg_HmcT?#-z0`VY;W6zD=O_08@_6NQm;Q1g~~b6bwoE=LmdZ=TB} z&hLFnIurN|tv$>)*WJ;kr^)Xeth(Obay3*JX7;JTWND3Ew5gl%NEo_qd}A?qNpuj5 z2?Qafxh_B3bi5uh9p75~q@gYsOfu+(_7kHAf6g}cwm5M|lPdsPe_1OaQ9Y|EGnM)K z8LUJKiZk!MWmSd=_SXYMja;uD)$}uHb{d}(q!EKrDt&x6mdJ4XwawJPfZ7g5nQmXC z8Drz)-T7HUrRGb|*_NTNMIl_7as^Acj`X2XC~ug62@tAP3wf1``^ePMPUK(S&j`5h z^`&awAJ=K8qa^u3^Qh){Y^3@^hm2TRBhB59YTxy^p*Uw5$0B64lV_2%AQK3wL*};P zkFwxNGHdBe$^p$@cRnW{IG)+oJN?xIUfs7K=vRAU$DAg~{8fHSaXdGoHZktycHz9o zbuFQgcGJu!p(V8+Hgfv}#K3m@-08v?G-$taj*h}^Mk#|q@b&n9L<14$M3Iq0jp!>pW9lm9{HH(Xx~A0qccD z@Qc7@X+dqIUkErYD?atCRZ@CR;@tBTZm~<)6VExzP)y$xe=I1?a9fzwi=GbPopI*s z!?zh|6#II}n|TXzfl4^vn%IT74$>V>5)Y(AMTLzfB| zF9MsZHjwpiiU)M|>VUhTPDlSEwdJAjO@&<`z%hTK>dobxPW?GnoJt!FH_hq4-Zab6 zEDY3)-awl9goV{XDx812CFS+}iU5_x02}wt+5YuF@hod<6?*EacH3u-BYZRWV-yk- z>dRRFE=ec*3qhX-k{a{4gmoEY#wdk8kyY43zGf6Jj_^O|yK`Z%ApZ=lf`Ct^29BVF zyWZVw{B6%k)*mm`;Gw0gVGj!|FOhqD7~W4Cdz#CN+g&UiE;1gRrA~uWqPFhB^~8W; zhCKRl5*z=8a{VB=wJIu7!{GC|T4#I4K0bN+H#XW#0B1NV(0+EUc9lU{uAS-DDpPZd z);>S;(-l>uI}X|#OkM-;Z-y(_;so9(DE9LJ=m7#Nud}iOh?Y{oP}}y?u~qBbatV_) zj~CF)TMnbYHUmpD@y6{b2#{hi%G1en9=>J$$AW=qWKSL02&!_pJmDoxolXkaJQ7#k zA61aPAuhW86+z$EQB2UBgH5^mDvOTE+CvXGdYfdHY9FLrvh6pE66`4@9>{f1Y!AJs z{NCT3yOF9-^=-a+C4hwGIEKxAaJvZ`3VQF6R)u9q%X(!b1xKvK>-7I*c^X*6|AkwP zx9l{jlSyu&Y~j(vegiQIv$ESC$!#}!Do^v$nvEd4!;JYF)}gUo|vg!!6v{@R=8EJZ8G-=u#af_69GZl+jfs<`{V z2mbt5`cI&NFH7VwGOW`aJk=?tfwkE{N4iS|nX$Buh+Bc4s92j!Jz>7(*`PMFCRzf= zwTM*<6xNmGv^B}KE+w}&ONle`uRrg5mv_Z6%AxdU9)0C|Fq;>@Ss-N*-yxk@gZ{Cy zY4A6~GQuUfd+$xF@(|b44^^h2xJ@=_#Y+u9U(df0Rog+T1vl;k|Ct)| zLDd(<#8}USv$_(dcr6EoHq8-FyV{o??|H98nYZw?PgvPDn#-=q&m5}KBCqfgp)I48 zmHvS7-PN@wpf0x-mJN3>p8|JSVcz>>r|YLDytiWR5rNJ)imk;oho*jUgI7=2ghVT{ zJ<2P=P4pO5!B#GTW5s(Z{)Z3;duQ3c#_eD7TJID3NPADL=-0GX=6=7z%*H(iX$;pX z##=a?aW$=HD_jk=Q>;a2P^MJ+AJxrmweXyvv&vF~&PCE)1iK70k98YlCXu|;%7{pT zRM=#Ve|d_3+IR3kQCR|c==uXFPf?LFcImv8B=7svnGZqZK1APva&Wh+# zbwW)U&5egfN%EGGhw|7IPDG?Ci7o6!-a47{R<0i>5JUX#kKVC|e6cK|{aDkfBjOj{ zv#Z)p#eP?|a;nKd~2 zNJjef!ja@poHhuVT5ZpiynG@(7V6l8gWrMbN9mIpTWvdK5*Kn3q5a5a{329KHzVLW=zm(-uJVhf{FdpsIazE2Q&#*z-K33gIiWb(_mXWR zDI6Md9{Q}QwmnXuAGG*;`swm-%eU_}j*mROR~j<+WeZ*k)O41A00-{UxflG{DG+Z@ z!iz7V0wXRx+wJTYSmHjqaJvB!xtB?7N`#$X*)cBju}h8qCmWNzo3a+)T_=P<|Ga|I zu+7&A!Y@mi%h4q4`lRk7B1o?jEPlR=_I)VxCQ^q*@*ZOI9F@*jd}QO)$c4pX{C=z= zRASclfW1I41Q89Jh`bKu?oUhyoyY@le5oMd@1zZ-G?j4?57Een;O+P1w;)9;Z2&Dt zoiu61M%fG$HR{eKF!rUlK1_{)BS7U=i_K9APj7(dPF5t%5ma2nvk{<()AOiGMCAJ< ztUs5q_F3(F0g;!O)7Fgqc;q~N@}&hBWxkPAqI0j7qAgPqiT7_{2Ag@cxR~zKAdWev z_D(?Eg)VmCvT0+D9QI&?*v=vEd{i1zVnvSMM5z`B_pDH2Vo`aV5}j)Q&kxORkIa2J zA?w;O6E}8YLD#+Y1-)DGUB(2_z=p=@7)g&;@}p)MBn)2ktp!!i=Pn8HM!#S1#U}?} zANd|o1V2RtU%xbd=5Yw{?{5p(smG2H9zWo~_I-g#v*SUc9=4O#Q~q-CmCmm6`ni(3 z>NC2--|1AGkqG}f&;LU!i-X+Q1We8Y#Ce@8SChZAc8I?GW<&ldjK%c(t0$_s&=vUM zlhjaFgnp>oBn-_BoJIMJ3QP^;3URKkp5MJzL6SZA4}WOFl(hOByIzF`gVE(XW>6wHleNCk}APj~_!t2t!a%J`FM=*M^%?I0= z`^64|Ho#J2nZ;lM@ba2M`ye8kk}s8c7^lQnU6QbiR32x3H$PlzD9b58eKP1nlMI$K zrNoEv%va{u4{JtjYsD^06U^wMS+6xTJLLb$x~I2Fx?G~h{H4oaBLl3RFcYq*c^=gK z1qQ?Kv2o5Gg0N@6hEl9nD%4 zfa8oCk_!h!4H`oY4*ObHD&q>slCWv>Ls~$`1Exl*6m{3xGkoD8Km2;GMLt~&m#wJ9 zJsr!8HM`ra_Gw5h0J67Z*h~IrUErS-8dnLS1e-WC--C@POZ#U7$-pqGwGYF6LHoJd z>KbYLnq_I9xisA>V`TH8{SS;K*!hs8tr(9Lk4X~Y6fiH6@H}18d`akwuEKioVLq@nboy112ydArjNn)^NvD`= z9tcG3*D8ovOJ5y|OI%|XXT?o)8om@xvKC}BU>KEN(Nag_Wq33@^~-rYyXsL0^agsu zJ93lB9*Q04XZDUWlknkBU^wds23HCkDFZS3TApIcg!ZH4wUplRCZ2d?&Wc`KkD=Kq z-Hl_M<#|i-%H!9mK0Wa_%U2+)WUw)@{oG$wQ#3gLh{u6qg>kxz4T|%Mt<}_l0?wP2 zz}_32H2Sqq!g36n4;2K;AR&<_AUdMT!L|J93&Y*in^BacqlhStLtvPBXkHB4GHc8O zOEtMB(ItKDWUjUeKZO&mE2VQ;EGvFuq%dBK8CmLCW2V%bw~KwT&4a^rXMXQoqu01w zSRPDULlIWva7S~Ee@H6Oe#6xCrd!pE&Fa`ORVIaYGmx44(InTjf(jBAu0@PlhzDLTVwrlDFxZJNu7AGs=xLk|VQ=2a z-O1ywYZs26U>aqA&7VuyX4uX!#x;v;t7KJR@UX6SlKS59)q@?#hftS`OFgR-_55B% zim<1@_=-`6T|)W$8qlk&P=UD%?%gqA)JhD*=-w)`<-Wz6k-^gI)-yN1T4#=;S-++) z5jhk4_9BFApw0qUdIW+n@>i)dr)-$Me_d?7i^yFr0n5T0y6c$V$iKri)!P7apk+7N z-`Ya_a-zZ#xg;kEt%9QXu4)p2lw@_fV2+h9 z9e=LyzD^*iH$7uR=mE1;lI^G74UJ*3mBF@Fup@#+lI?z>bsdh&0hBc4?kqW%X!(CZ zt8u37451G@0ZrY&65cD88bST@1@4$RGP^Km8aBC+Ev2kWRunm{4r=3-}#{`8Bj}g`)G+u~~dA)15*Bn)AUNeqG zM=dsQGYIq5s|{QiU>hn1HO9mMFmroZirp>E39e`xGy>n_?&d|VTA`xKxX>4nli{e91jdG~}h^r>w1z8>9nE%FzOEg11g|t19NF+;DbPcGR}~ z7C2~>KnmSK?4U|7oTtnSR?LcM1{K^B1rYtgGX%WsXj_Fv{(GY14d*3)bf`F*m=jN( zkKd6u#2=XGO#8_2usQJz9=d|&owYIhGaS=Kb*+6-h?OcK3Sd;KKC7p-AET|b3jlUy z;h#=^z_Ba(>^-*aPuRP?66dN4i)D%swT6p0IDyJO_#d%Dd6t>5e(#&N8=yE&-<4bp zn`LMn$}kXQFU)wr{gr$~`x(H9)W;*ckh-c&8ah-3ec7~kA%Z;zbHL$vSch(ll_Wg} z1&`#X^Hj2I@5XmB6e)6lPk;9x!1%0`JRhhT#AsEl@as#`OfZWA*$`Tx0m&V>zej25In1@hG^n2TW!5S zeN(MFHvI}q_gMv9v{9C?B(-+ErY@`D%a5JJwcYI{X!1vf_Xd|iA zh?4lAOSA##LJ9-300qN3Dg72uU!*a{;TC>Ti`q42T3449TSJqk>BqE`u37QDqSuI1 z>O-w*xNGD>8D9D2TTrd}Zb1nkaAQB!`L$ErH>53xeuQ zGoqhwL;plGqlnu6ou(u7nYXy|HaNHy6ub21{?~f0yphxz8!%Z|GY;BsGh%r_ zT=|Xy)ubCe)8(T}d?_30wO)>=tf!D$l)m;O7q-^A48(rW}*y0e9M4a?tujbtJ1 z1W|`RB8F??blCJvDoxYCb*k-&vG>8j@lLN%`FEqX^bk+PLChV>25j9IukwGvQ*orkPpp(}fFCj509be~**D zqq${UcC54>Lt&OzpSUTSC*?4dr=6E`k-T#|+F(=@-Vw7o#nB0Ck5P*nr{J>oQ-RGx zuZXY7M&Iyz-Cz6HHG8yz95|?9+3UFK3D;KVS4L~cNTtJlL_e4GwPKGz&*`O>toApP z)So(;y9=%H-zwaaGH{Ci^_f)Mo-YnlG7`0OIp03 z;M1B6M7AJasT@UnI_QDsKklN8q1qOIK633Iwcm{f7H?>WRG-$C+KCSrC~lN+*rF;L zQC(CjV0MUyT1E+sqSRd1`JTcWZ$;y#xwTd09GE=VI5TCrue;Ijm8u~UzDGhm+3i#D ztPV<42ovNQCxn=;>n74NvR%Uu3Uy|0Rp@f0_eug8Ycu z=u2A&ruIU3?4OK+GEpZi|2@)fU~Ev`w621+bhkuOfzv=xIJvzw?R`zu8U8tPg|Zfv zl%?A`dLGUe6C5u@XSPS;XrIA!^l+YZb2v9ffA2vgIj?;C$Bc!g@TV_c5c=d^xjeu1 ze>i&&c&hvV|KBd_QnD#Z>ewM$MJl@#4vxLEvO@NXLWu0ljErNC%&cr886{hXq6nE8 zzvuf}pYL^judC1Z|G(Y3-Ez`#ob!IYU*q|FJnoNXViR%v!sdXnB;pvt7qOUhwom0T zzi8q>+?)#an6v{c>#K@7*PN5Xm7x*Zq#`P zrS@h*e^<9u!q5&A&WgO}x}|PUqyhK3*qTs@6al!rG~|!?*%gX}Q=il~Z4tbSO_qi3!@NlI(H3 zNQ5@OJT=Q%enZeN+^a2zOx_ABb^Gj&V)&XiSxt*U63nLA`a$h)&(aIh1{1ooLS7S87l zD=!S22!?Xi&brl{p2*YS=2mGdctU#02p5=4o=>KT0_(ZzD6Q5<^M*>TtnyGj;k%#u zi%%ub+eegla|TYTtM)JDMZ4e^?QAZyMrWO_ha7b)sD!4J8nKw^mCMwItB)3#rU}OE z9)D%@0isrwD#b>$=sz9a;SfpdgZR}OkxWm`3itVNPjGA#fM>FM!n~(f>)~QnGN2ma zV)ncoC$Ns}%;vj-rAw4_@@|f1WlBJFadhQNT%8n_(z5%PR(YWg5B6EXOCJRSdhAk^ zbX>}8MjR5oNO0YiomEOfr!A`v;91U}fnkxfH{PY*+5vu&ubd3l+{uxwiiS&V+3(?0 zPS3dlQqi1pv+|CJv#QyZ;h%aR7%lpCkok0|es*Wap7_p;dOV$R2<4H+r+Jw9(Bn&s z;>^w;OJ29^K8SEn0kes)<41YBLg#{Iwi`6ZK6YmGbxeA*RI}-f9T|SmU7$1helac z=q_(GM^Z-;$j3FNX4yQk$12Sa*?FQKMr=vk{bZ;xw;;4C%C^=~)x$5|wHu2ke#Lap za$K|cm5}g+=Bu0E+AcKT`!?p($N81(1vXZxtyBd^gI-=1E&VtF#nr3}@%Jw-PRq6; zIf$U4=xx^Tyih`x#}>6Naij8P8~2g%TJ_ktVLRbP=MYm64wnqU)qd!yyeso3&gy~UGPlj+=2Co-<+P-mO4HC2U*pl6YCU7xs^nUi zxeUgr=Q-NJ*iqWFL~*BVf8&|vKyumzfBzY%l|LWWbJeqRx^*XB&p9R-kIskml`j=I}UE@MsJ5z#E$4)&U)Y5Fc5Li(IUMUYU@~z}&2Vm3N5#E%H zS+$@YS#pVSQNyq_G?FUs`V>ElYMWD{TUFcO$w9y9fsvALA|X)|+t&zw1q2;PAKF#)oZv%&JJB!rKFZY_s>N+P_Kp3R7Q1 zH3?Df+g42n1-E^_HWRR|3xT>t#`>~djD)l2M% zTQG6{OyGLe>z1u>*T?ZURtk?Cq%nMM;C}T(t*1mqcxs%4=6MN8OAW;=_Mp%Oj+eRB z4li;i&Q?DC=c$+}Mp~%;q}qjJ@nMQFUr+fxBE8RPXs#<9dKRBL$AJK9F9l`_^urg^ zd~cGo>I{lWg#4c1G;HJZW&CGn&i|+d|F)zv`Ae?_-6sAIg&+;Ou7yaD|w_)&bE;lw2t0HBskA z8`nhe=Q~??iZ{Z%?sb6jawB>-**)7j_ODVq#9v)Rgt_dH0R``Mu1mPz`7VBE6sDkH zi-r@5iQxyI)hDT-3%^F3GEe%i0<3@DUBfB5Jag5|49`vYcZ=~L6F$lSd?3P=>q;Gy zg?f^Ki=|}N1r=!Y)iT{be!8E;$;S0-$z!OH1Ty@MP4#o7NB;QM-=HwRKFo0=;I-Dj zOePO+=dv`{by2&Cy33-zvQ59Lmfr^L#1t~1ENMcf6?!9dKw*{u9nRwtNem&FiLAYTKjF(ut^ex((|Lc zdXJx$B10r9ONfpHznn_|Br9|&k_IU7mjD8iF?K(%P#+H zwES`D{^|etxu5MXRYm0hziY@tQVM3*eUJ5x4|d$;oIH1zC-lJD&BsIDhkVk~8i#vQ zF6e**oTq&0b+TkWjI5x!X$7#ge>rSgKd}X&@`K>;V;c2ExW!=CzmI%3CmL^f5H2?# zU4ZukpMS4}{x3Mo0eio)9XK?(hmUfi_*!pXgY|)V5H?;5Ic795VE4~G@(F@?GG~S$ z+jwYeW%el$Nxt8nSz#V|ma=R-Rqu+jq{0_v)RrfhyZq;&vfumWlnH`<|J=1?w3 zf@x=^Iv(Ifzg+P+_>>Vb2&<|FtW$%aiA?);^F0*$5+jaaf1Mj|odS5#-3kCd(Mgt;N>Z94=9;2_n|81f~(OUs%u>W4O zx^8Z}4I^O)qKI;#raHR^XeR@6=MqEe91(mit(6}V`zfG19fG{xeb^%erp$MKAsy67 z?Myjr{g|j!->&@5I0oHW6@bT+_;l7IJ}Pn6@yrlVl-eiLWglR?%z@7?EH9Ib#Bvst zc5#u>$z|-U!vM+yjv3Ak|6ys8&XceL)g0^(<-nO0N9r7A0#7+r(HD6O{(J^6$JBPA ztJ0vhO-*2Yr`c%}G{4yp+kkdX;QaG8|EDiZRnpRV3=1LJx(j#n_|quR54a5TEN1V* zw00d~7GHG(X@i#396srJCO_Ev<%>?-%Xr6wS{!urwKic)abMu90FQf@X`9d~RXeXU z>=ZmA_mMGIV$#mFD?}(#3$8wsGs4>@Rki2aU29B>4)`M1w*U2 zV<;o6>(44D+^zXj6JDGAIz7=6Fue8Non@tOZF;~XAXK6aY>r%Xc?V~oA&~v5cgK1XYZJBnB;d<0=v3p2R7z*b_Y8lXm;A1=70)GF z=OG9IFf4UADe!%`3o^GnXtL@d$vDHg>=9D85cLL{=~pX;DmPJ@{8H(T0r%?7Uqtq6P%edwS{34MP-}aMV5uf@txI&q8 z1#JERu>HBP3<~)n@Ubumhv`k0)C^+~XwLNv-l(wsfYyUddaLKjE~SY-kk$&YYqTx@ zX!$~e7m`%;g+XkP{}7IBT3vBs@9W&05L2Jl_7QO)`6vy<|Lv0g^#;oA&w%KWJrxc-HFQ{W?H89uy<;K<;PE*&1RD)vC9z~l*9{TfZayp-J&%5!Rz37# z^5A@hsGSqK!@SpEZpa0ny)K9{G@$V2o-m@#Hw?w|i4Rr2SkU<)tAdK*Tg*1aepWy~>!FrRsr*vH z{hH0>!XqQb^B=TNx0P z9VV{}+nx0%yh!M>&lMW+-OqmwmwQC#t#o?&@Z}4A@3l)`?d%~<69^Pec=37>@`bdA z^q>GzvX)_h;1#R@NK#zrS5X2-hc3l@b0QOo;rUM^4Ay7^FX!b1l0IREh(&>|Jyw$| zu;r=qNWQCwoQwNdkR#6UAR_G90Yy}1KmA*K{G@gXDwC5bes3(`jLKZpFs04VccVh= z#E#b%KuFd_76xumY{bIDu#yNfC!P-?_0_= z0Q@Qjc01sg|HMjnV65+tQU1Ifowcf5nn z8{W^t#pf8D!48^L_=R>e2(rS*hc$QY^NAo!ewyEBJJetD%q2r1;n&@BJ_kQ07XW#R zK6duH`nyKwK-Pn;b}JC-Y9fRMm<{Zvu8o4iB?}<}<{!2pOPGcmmiK+Ra9>6tti%Zl ze(kWcPjZ${S`ofi z_BTo#j7eRMKkqpf_&UpbEN4VG+sZHo!EADOg`E1Y>@x$qB(RI$kf7j>7he@ex z-ieEL4c>c$px87^_NNYIEOs~@L({XirFR^p!{)c91eO-z7PugqS}elhQ*`NIyRY7X zU^5RqlYTh$*(;b*lP_({@2Qa08?pA(K#gtpv>k<93S4n5FQ^MFz#3og4vpH-c}UmP zaE8szz4_4KlZPxj!?{+!2w8?3G2F;jPPmnMx8vl498jIqFhodHeT-5<-n(kgT*S%N z`&`HCVEsXaQ>$Q12Z%`2B+aYKIz~tNUf&DYjgLbVB>9jc*1;TrTc&y1{=ud!Z0Bw2 zK8&82k6l2ApesH0E7)&bm@$r#x0^>0U#cHgegy_ z=uTLl@bsml8_+e#IDyignWe{4u`yq~>p+an2ZX6p1?0E8_2{|nme-BA#S2YkGc2-T z3H_UkeDz_XTvuv=xSOA_%LJfvok7YQu2$ zxe_76@4`hR$_Z$14g!0PHMUjqY%2Ro6AsjoN8OTB@fH2HzV6`nO);c4UmmvRK+%I_ zbz)*!vkU*d_eNQ2=f}KPD<96M9%s7(mZjv(hosC#@^lk)MZ%My^L>_ zsQ`6b@7RMd^a3f5X4jGDQVDW)r%7V%Qu@1Mi3`3kD0$bDYV!WH`J7YIkf`(4b@#E0Pk^4|))Rfy>!#hKwgr0kj2CRnZ^7rmxHyUx zlyNEOv8m{^NnK=Ee2|lN=^W~IV2T#bKY0J$sl1Np_{-`m~%O6RIyza{G} zNln-lnbLldD5F!&^Hkh)gq16X*Co+9OKS4yD>t-Uir6$LlX<4YEWTFBRO)c=1nDQX zV-$QC)CbNq_*e%{sBW)Hi9@}JTD-)?fp~A_u7ZAp3Id&7q|W}?@mzZRSWY6ptd?Ye zl9kp~&a;g%ni(Wo3w{+5jsfMjwU^c{KRz%M&|3A4i5A1B>o9D+W_P*0^F;hS^hX>q zsibvm^T#l`on;rrEnX*S3AaR1^JK_x>ffZdZhfUSylhzS2%9}LqCQiPBpcQ+6emS1 z&5&rh-xp@mnhIt%Y@+az!DKny%VZy_Clst2~PtbF|no7tjyCGny`s zdW_p)LeFSk7+0A=>|gTvcNDt&8}~s8>b-?G*M;Na!2Q9~V;h zI#tmd;WJ<6+f>WZ)Jga@Mr9&Xskf#E=)6c zktk9Qxpz`&zOxtR45-|hs!qROD}_>Nq8zzTdJJo0|Aum8OkoT?>q;a#3JBwkozTjf z=V^x*4pk)`azz;t6Qfj(os>!g$j_IPnz1)hvgrOuTB1aB`r>Q6G8gfC#a)16?ULTkTEi zAeD~GR-oJIMzD&lkni!fa#UROoUrAIc@9Y$j&$`OK)Mp6rTsEVWzpKXvsFuybFZOyUw+T-T&3X>1zFXBQ98zp#OWoY=Vqf8 zvn99Zgf97u%8DZkX0L-hjBPn8i5O|Hy%A>-eo9}(U4?7O{Q$hQU@WYY7ovSzeEk!0 ziiEBA5aL5gtFj1}Q@!rz|4hk^BWJhxJEGS9cvpBl;zqK>kW;G-Ss()NfX1=9^QZo% z+4O=2catCMBL;RW0!2a*`QjEClehD~Ws8yhM)3FwO3?2qz0DUZJDt2J6TV3mLjlQs z$-ATy!TW96*hA_Z#@e;xQ3dmkWzyqT2`bi;UGu+mM9fDnjn{fC(u@(J{EU`f!j+nN znCNlhyOUI?pXAsZ*DvpG^6FOg>l~PP8HE$x%WiVInBw*9@+eH36Gyjfn72E?8r1BlYsAp_0;sE3c&rK z>ZzTRYXj9-h&IJfLypoM4u7<5Ikpt6cc*tQqn~_kss*LAP<#S3J7^o%9t+l-SbTwK3)yM))f_WPV? z+PwkdYM(H)``wzOgR#U)T~tmZXT~X?c~;T8R-^7qniNRc#6(=gbB!-#8&B9N1wQI$ z4!-D{tV;!{?FZzWP7bn(OSJ-Y3a+d69QiR^$uo5zeB`*()l@R}_!@I*l->sIwnrNS zZc=nN@Pla?YZGn0n?AQ%%v7i1MpTHmynMim{4eG0=L&ocO9&Ra*vTaY>{xE|?=8;Rb$CaJwaFD6#!WgdE(3N;w_lNRqNYzG(jhZt-iDrO zo8s0I(vo{!B2xh#(>(>) zbe0(x)Y)~KRp!U)K37G(n2fbx

x=r0hY{3!V{J3Nz^W#XFI%SMLr)Q}Fl`^s%a`(QZX?lEqPVEcXvz={s!O}Y z%6x6*MPLVy1NE9hfRwLA|;AC zArl_0%TE@6tK;g#9KDm<=i+` z`WGZZ<0~-TO7i@yr`SYqmXPI4E4w?jM*YG^zIalezS~}aM0C|ihI=y?3XhXr&qTKh z?u{KDyQ}EBP-vZ@8&zGHds;>3Y=!R4XIQ8e3YNanJ zc|yi6GtRyWs+2Ukoezi~Ib=Vz{pbZtZ!@35o^DEMi$*ac6z0sYg)S}bUHN=Rm;3gQ z=XDKkU3WB+)G`MI5Oh>*=1o5F3SeQd-g%i%JB6OOYe6A?P83@{pcr|o!sh)g%Pf$k zR%u;*Z{E+mo<3^=g#|@jO6$-I=0_RHRu}W0H|!9qDUCr# zRNDbt(d%mw1rZ}TAU{a#oG3|RR}?(w_tXCIW9dS&_V+j4D|_9dkiBQk-(QQtqt4P06h5K;w^80hIhc zZ_lSvjUN``_WQqZFMe?4V~vI7!7984WaqL~>qSYl)Q$HAAxH z|6GypkTveAGmjiATGt*S4#@KT+;4-FLe(vJhf#U@3h1?1K|1UQrJX?fkF z`6VyIqimrPU0!-SKNUSj8@X7eIO3K=7^1t%cva_%i^k*;OV}n?j;8a@>Np5R4PiR5 z87CqtV)WKCSod;J5*Kwn0m2{Z;Feb4q@(bF#qlAnD7$u1Oizvd80fXK>eEqQc{4s5 zRK$E%(ast$g%GCD=PLq!8&+zMOirwt#WmQPM)i5Lk|Vhk|Nh4rqMs^fb29_Ov7@uM z&a`wpkz|RyH$6s9C~`C{+HK6Co%1W5noM;8RK?LLR&s_FYIj&N|6@fjWy~k}HHmr7Wx2lbLRYt|yWUkVQ zs2cJfJGqeZY%xyO)j~Z?nz0!z)&5)aT1I%;J%cbUQ#5etJT)?j7jawLUh+Cb&#=Jx$ zD1&>Q0}C2!W{JmQ$yW)wo6>0 z%Y>VS-31K!ux@uN`=uPt`JK9vk$Wi!=Dm34T-)Y z!mgI=^jL|nMo)V$|NTRjUob-$Ca1&cuH6x2AjV__mVO%-s-gET$TLpUWTYl#r zhW5-Gf2k2E6h85p?}HisTeGn9x&C-#3O|PVbsgDxy980I@(9GDw{b3+LZMpTj8*&2 z=!%qC+@|9GHJqI;mtlv>f|S{frylBVmSINkd_`!_!Qt24PIlCkD$5soh?r9fN;bot zET?WUngQD4Mix4^Y657QS~$qGZS4|;J|egN^3f5`sEt3&&~RKCQQ6Fk6R%~Gp7xjG z+G6G0-u{-ZSUn9q@QvsP;4kpej=Q+=&O{MI@j~z;1EYvdd<}HN3oHn*2}l#*1{o@J zMw^87#I!6CYO-@(I((+BkZdXA39=q+6;t!&uN)=eF}64guGekBnE-w@{9~V0Ppw~4 z4ycetE#HAcuN9)n1N+=J{(>C?Es{ErUndL1Wmp&0qirGU%8&ZeT942I*nU<;^i~F# zVu^L>hzZE$x9``b#?T!=BP&MZ3JZsCDVefBnfm3(kQf;ag{xgvkFt!-RJU(6$#W$) z3SOrs9!=ZH6int$?dDD3HmGWm9{@_-qWJ!MuP7GL$zVON0EGA``fh5Zl<+Otz z8*{>E*WuE_UZ8RK_J<(n#Ft(_Fm9{i^2F`V!`f$Qk7m-gRlx?zjjS%SwpE=7d+Vgb z{FADg>Ny*2x%yx4ZLXUOAs!6_U7B!jW4`h}XUWz5TtkNr?e$$@B3pGJ9M%A{uurh# z_}=EEf!eUSQOxmJynr3@wh_R8+(?F;sFX3SgUgoBhXZtN!bv>k(1oA!xb zs{(bIC)RTVh;QHB)!zXJUUpREjc{J0rFNV|c4o2QFJz3cMD)nGm?OdUwuY#Qaxg1(C?wOw~i-?$CU76a6P6C0`bAeddu5hkjwF z1g)IkQTmQW?Bz!fd2ZY(uUYyGZzCs)>sphdN(K>vtuXw2M&U6TgF+W-o~dj962{Fb zqDBsGT2!?%fRXlReqx<^FWp{DoBpbd7SL>R}FEI&Ffuqmi?^ z11t0z&#>3tpLPjb1~skYQhuDXe#MVRyJF8CExpDHUtxQV=~;h+@BP%FFz^%=&xsoe zf~{7<(V<)pVYalf#zb^{(-#^0xQlyu+C9s-P^*nxLeXxIU(gXof1iDQ_Lld^*3*q0 zrnNe2Ju>nPq%qRmj=3Em&S&zAy&gNRkNYCDz;B?dOhokF)h;}EYUe3W(EX(0$M~|Y zwxdD-c2zVu1WqRQ6>!gTd)_~UvsruL^EoTdJytP;sK>E@M#Hr}iB;-evBdt?Z0HPP zskZ`!C0E;<8$GUEs$`SUVGW(f`7ORk+`uRdYx6sxhM(e}IIe8H!(iaq$7_Buj=;Qn z*{f&u-cJt#6^dy%=pESE9yaC7Dc|52KX0M!D%=&Tc*DWeSLemC>tanmHX*_)4^r53 zq06R$5WKGEGrKB4I|7e3FKRySYOHspL!cYZCS2sDfzT2Gaf zu$*l)d%-wU6Qv71YB%jEfiZL<{?cv_8*k(E7%Y|x)eq0F3AdVPLH?-7x8ig?D!Gxp%43^_X0sJesYY)K@!S)gLTZ{&(?Xa{qN z55bHcRqn2Ww53Ooi>{n#B2&N7ckS^HkP(O4w9T}J7D#C+$>$rRgIG_gzVde*MXHl; zRqwEzzx_A{t#nlD5erZoEt**S&Lfo}cQ}1t2o#RHJO^B|G}v&l_Ko`RRuGoPhlJv~ zV%v9^?zH#fDUB2hj{eTA7^W?Fq7h;P;4d=8yQ)~vrRw>*eFD*sGK%)9cfZpruhB6s z<*CrW%VE7!vbV1JSPJPa_H%My=&p#;xOrU8&}&e=@qUcDmg)CPDb)x}Xjmrrg7Wl* zh>9o<)#F#)zkf1P2o)G(X&3N*0Sfc3fQPyUCVO^Vr{i=RiT*0@`0Lc2qeieZZsE<> zfoqfEp&nFv99un8^`tplnFBw>?%iny2wU+t?t+NUjBr@BqfV7!_5s$75V!vJdQXRC4G6XG;8WWdxO3EG2m*p)ghF2 zyiARsNMDQ-&$zhB{-a}=&*ne^K{sDo)5+eBe>i0$iFYvvZt0A5MwDdLu%JA5`?&M? z-6f`@>Hrig$vmYv<~#w|q}R$bRyen(YYo+jnXPQOBitAR$qWtC(J zjlZEPEOAtgNPM&^PU$0Hz<=2vG;Nd%R>j_bx&xdA6cy2kJgrmr;p0*s0sxX(5aw z&xkv+s-ZabbwJ(5 zWo9L_#hlGrPY_$LuzcIrMOV>D*8R-V&Z^0uG+N;7jTDBB zMKEeAWx0zNHZ^M|d7$RMRE6Bk?uX7^&uWi}r5;mkOt*FmP~7H6Dq>}rqDvPzPuD+p`0#Mu9U}wW3P)TbmvVY*!#=>gxg8eWdj#51RTr*+~ z(Pe3YcAGBUf?n7y2y5DmcI$PY5`M-c!)18+VzqgkV*zM#W8SuxVYn5lbyqT%59^wl zC5V6oDt`-6R)@AM6mB=Mv{k{jsI7~e9ZJ!r$?*@C>ejB`Xkt)on`_8%yhyGKMS4sDw#bohu#ST&}SrQ^2fZp z2&+fwqAmzV3ap=XJ!TdhZl%4p0ZAz#SQgpIU+&<~>(RCEuDR{UbX62H{gq#lSRQphY{yX+yyj^V>BXnbxJJ0tpin%q zD7CGlvU5~k_=j@;Ug7Br%J>Ci>&hICr>oHuZ!?`-RL2oPl{1$Ljt(35jDW_vhpnAr zjU^lwuN`XcIQwdr%rB>kB928Y9J@I`J9sp99=eN_*G+oDF+xx2O~);IYPgW0z{|Vd ze)HukPj1=_E=vRb5#toUbxon@T0W7Yf{$8U#a-()`8EdP{m!prV&R6@&`gBukF$sg za%DI7{jdUZ)o7{bMqeJSEpabaL~(M5$MNdSRTo|YQET+>CRo$Ezi5QYlJ00W>}V+L z#Ygz_EH;1@n`0Y1(VJ1{&-{bR=ue%cH2aa;DXvI@p0NgL;Gt?aBeQd-ioeCZa(*^8 zRtE~pE;K5@LsRHK%!;0roszrae7tvqG#-W>vJB+NC04O9jh_ZvRhZYM-bJRbTOgTq zQ+V<*ySC??!_1Wg^=F{zX_9~3CELcid?ZB69MSM3@vUYuo1h%7cHW8Av2J%1qM4<{ z_C+&KU33CaCKS98f^5U1< zJBvj++Ad=ba@;4*MztaSuH1(!peGJ8;}`#vThRd8I}Y3MC#papkb9XOeRgq06O$Aj z+s~pIV|oLLNs)1?_rt>Z%|!5RUorI|Hz{E>HPj-i_S=MqAoeX zE80iTufgo_`;ho*e1yZgdU!9Rt9z}kyazS!UuPOQmXY#&g>M!#U%X0n*kMJ!lLMY| zQ(Tww%c1s`3x|YBt`jF@&nU+mW;Lm}Bt34&aE7x~#Ltg3>^lc*6;eq=l6L)AHNp2h ze2qMw<8Z>yHt1|biO)Z~^Z#-T#gjl+W3K|mN_7Nfaqzy+JKOMN{#bv89MvKO#^3P#TVSE5CipJTS?G^@r%9zW#FSAz9v!UW$HKFce7W$3JE8b3(3OLY@=a0m@g zk&C&RQi~-Eqs1*g`$$L~f(-^i0KRvMd4^x)V-OYVoeEsE+I7;g_y^7p|Aw@PJapoo z^!VMkDyPl(S;tJm}vjf_60*a^{Bd?B7XMZ`}0eITq67iFLj%Y6U#|H#}T%k&g~!_ z371h^fG|h(TbA}^y&`IbD&`I0X$^>)r0beHk~a6&UWQ_OHb`pji`0nQt!-j5YlY}@ z`R^@eCTg>z_>sXx*YN3CsMMl~>41cE5ZVljwj$dvcBy=}0_LOcf@bhmwq!Ht*>gb*InsyT4dwsg z`reEl(N5C7{btM>LRFlNN1pJQc9+o5M>+=@kAd$5HW(Lrer?rzh-N zC>MaI;B=FOrBRS1nxUJt_zQ91g-dC7#tvz1walFt+rsC654mV+m#p@#9yF0~FQu|h zEzvQvsQSJ)iMT++;{sky{iX{icmkxwk(9TJ1uCbw&v80-KIvCXxptbfPDMXVKTXOZ zWxo%2w?PC!6%IMxQFF<#z2vaGN%~22YrK){a8=9b05n0K8Lq#kDE{R^*y}Vr+{N$0 zKC@({vS9Yodna|}{U;~Y`QZe*aw}+#TN5hRC=lDZ!&OAB`u_?De;*;$^a1uM*NolBd zqGy(2UU|`FYuu!+d8-PDCvHoe0tUw+%9Df6EPX1$)GNBpy~XB%R1kJ*_E0&MVnTea z!18774^&W%NRA4jL7)|dYyIZm343mOH!@Mr;(+v}W@l?Y(GEIc?$3qq8VWI9ZAGa* z2XbtSEA$QILWW<-TdNQf$iy;ngVCk5W$BXcFS7g9X${4hwcwo2f#AAkonwt5LId9- z!?r2>7FUi^k8%_4lqun}ILha@tzv}2=LvIl@1*ptZow&GW$a*Pn|$_IN=&iK{TM^k z;~BSK`cx1Y%ZqD*X2Cm;8+$@$u|FPRi=yrUuA=A3R^uCk7qV^pdp|rp)6WqHqEUFS zlf=~!B|1l80=K0a)5x>F*=m}DbJ?t*{~@~*BJg0Ek$ID0c=2E*!slM!dn9X3195a) z!>t?N*N}7UYom||jjq5iX+^RpJ;45<|Foy#y0{={lN~!B4@(k6hf#TzxHu6fgui6| zjz14flBMsXhOwdhr$z|p+#bm~5Vm1nPTIfquee#4A-0Gu3t{YEUQrI4H>u;_f|E!6 zWa(}P+2%YflYIK^KUd+45x5ibY^E8s(SN_DE7QXBBh|$rSzg~(n;osU(`s+HjcMXR zGs=7&p!-J9J&a~2>>g&eBJQA7Ujou4K{usDy50-A@@LwH3Fdm3be^1e}L86Ga zA@O-=yLN{@&zQqw^VF5lK6i?>MG!fA@ML?l4i0nd@d&SPLK~hU`40*P?D5c!1a^#VZgqPA*ce*#mS(!4 z6`jZ1WmadC&^wB=m8bdGZLY_9?zwc{-8*S&x~E+bW7=x@lD(g`_x^-ts@$MKK{Rjc z-L@49diB_S={IgFTE-wvXt-0*$bfRKcB(WmkM&uXyGe|V3D7!}HLJ%&_%rS6c|izU zAhuk>NAvtn#hCC#UpOd-qAujt%{l+Ns}T4Q300Qb!s_)G4STjHhT`-dOuSm>NzW3t*db{2 zXTcW72=O-wQeg)*1iiB$UgpEp4mtM+`)MtO4tFGM<4||D!+ZnE9CU{_9fd2_0EShJ z7eC14{I0$Vwx})F>HCbZ0UQmPi+;v3&hCa7%kxitEvT_Y%6&w0+r=>PC~J-5Qo60Y z!W@kp25A9-!8*LOc(Ur_gE6gRPtoc5Z|Jmof;_A>?JqQ#{PN&xx1%iDnuAkrbosF9 zwsspB+N3R3zVVg9(jwUx$YEZOCd;pl?W+K{*f^}YX1y8r8t}>Ye(DtL?;y&1=KGm& z2+c~XYu9r8wtC~4qhq_xUtI_AHv8=HNj9@oGw*VmHD1+G^}S4@FEVT9sp|W~2vudt z4F?31kD}u&-H=Y_=U7rreKrZq0V$y-aiPs(BkWYV8BKu#W7lNe@I7@EB^^W`PP>yW zsXm}$UE-1J!rATeY86X2C2Oer>R1SMRJrkWI%v5W%{MRjQ+I(88v*MwRV(=Q)*`BS zD~KF6x+>8(eWEE$%3Dna|Bm)F$uU0CS&}O56lkhFw_%Xernjv^Hg2xXRSkt~K8GCM z8E3RpI1~!3%`)s!GgsLs1WjIw=GWcR>pI&l!*a*Fq%&;)goP04dgFR>rSVKP+9ihZ zEMT8F3xE=I<@L@5FwUxL($m=J{TP(Y5pOY06Cl z9ZLWmGh;M;UI=Ok_=h>5{sXj-I`J`Yz=lNE(yIG*BH|8e?a@NKc-CUy8)Sd3lGO~90*7m@E>tPXe4XUsV zx?b1zNlZ^L#%*)RC9uXIdzaSvcrk0*9uF-lD9K;#+zAQm{ERnSu;Dme?Ln1K-DmW8 z^O4YN`MMK5psK=MUpy{@**vpkX9pMs*YF0TzV_0uf+=vavgwKV;KJ!T?C|~ScaN_! zr|tLeQ*1q6gKo?9@80Z-BE_CRE0fAUl@^NMRIcqmjgz7H%GC8gs1z>C6XR-vipCXe z!7L6%ZTGQ8Rt|x&kBp5koymB}KcGNkQ_Nyd(*=gm?%Lxi@l`z^)ksUc;8FQv z+JBOB=Kzk(sU0;BK|e4%I$k(%M=^AkUd%7}pa=ox(D>xNap}^hTzEfR4aR>cq08kX zK25ZdNsWFpNLK1fNM&ih9!~LiMMb)ly z!SsT~$Oj3kJwLDP+yk!W4-wVJXP>ZsV+oj#L5zaKt^(d*Pw8N;EvA#*uVNM6HWO){ zMC`mtNOtYA8=m!PPgQ~}$=wgIr9T$-Ijpe_TD6OduR;<2F_Dr@xRgcMOH8r?>Fxdj3EK(9(^vK7Pro^k>}THV`Ho$ zt$916*D<-VqfDA~-(@|EgC}{~-0I#o{zyUWXUvncu`QlI5ks6-T_#HWtP*}XqsFIj z^Qr8%0^39Bcmnf&VPybN+-4#wtlz+N4^Z$3$>Ov3G+%$q)`E_LdX2O@kv}A4c10>hvKdZYXj1Xa3g@Qoiw& zG_f-IA@9zb$136%yVtUdUL?qAVLjYkF=&kmjl%4+gmfO+W=>C&MU0PJ|QW8W!s!az?nK};^ zru94!v$cv*A!v+LyzJ#ba(X)Eno+C#Tyy~j-2cCQavkA~(1sg=(OgfK=BZsc;NcQg zV)|b$+3z2^pA@MozR-P1A$RI z5m`L-*Z$g12FBmMb^9><1e=E+ISo)gRaFAO8=fOq!W& z`OJfBo**GzK!7ZPmrs^!BV;ugspP#aPmrgnQWAj53f&#cOI}a|kx+S{ze;zz7X^bx zl0dsi6q&f!fmjm4Wh^;j^zCH45CF; zbN4fK?mfhOF6_N~Z&BhJJb4wM#qK6x{I>$+RyrldsaKemMwn5aO^E=?o&KZX2n^9+ zx!W&;^z>lpuAaopvfG`2^c{9#SX_sIY*x`k!i@4%uY{`I96OP9XOc9OLPDIUUV=S7 zuJv9LA(j%_`QJLQFn1L$01(RbqWSGaBE&F02X$nxBS9q=AXi0?*Ep}WC1)$#FZeqw z;BUjo?=}IY8NN_Wb&t$n)mBG&!PNffszOr3Bt{|gM~Q-FiVBkFUbA?8e`5uq4S8zMuXD`* ztl0eP2vSLwmfb#~1H~vHJU<%Rhmdx(Eo?gSKzTO-)#shon(zeqv=gMtsTb?tjl7xf z6Q55?ymPJA<*OCuWi}f)Qxmf7Z&($C!GOWMxT9ySQmEi&_-4$Yd&(|83Zo+8dpYJv zhx;y4N*%J8132a>S>DsgNx>>c1AVhtjA^Lo(%yG9NRvnPkxNJ8#;hs|^s6*OZ(!EV zFNkJwobAr#B|s22(N#Y-mzULF-Y;jc_(oCj-u!7U$QOptgec0N9aP~q9K`dB{U&{< zMlv5ifjYDpNN=b(IcFQi6t9ijWa?iNB!Ivg&2(tOHLw)jz`BO(bK7nX>4z@RhWfxJ6T(< z=83<2%i*!-8VsBcXf|WKve5+;(4(t2n^Z>016c5#2VL_dhHSmLJ~o~sl9;S^>ud|Z z_X_zs6r8(F+Y}nv0bQ{x1Fz>?a@%lX9M;Y{S5gp$J#?lN`Y)ReX*ITfRkC=M>7bIZ zzs(RT4;rCHy`Wum@cD*M9&)!Dezpf8CK(-n`Vq4r1a$;PiqUS1?6s;5Qk%M!HnOgb z!^c5E;N{0@G=3~z%)vN#m80z`;V)v+kddUx3)XSO6cJ0nPcs6Gke#qe8^sXpE^90r zN&d?uD9uEK5wV+4)$e#~*ev+>nK>c>JQKkpev6VtOm!SMa;@c% zZlwcUbG_@K`K`*ouUvnd#sBlr@5~k7(KwY)=4H8m`yeY+3^&JJHD}u+G-2}804k$B zm%%e)SSK~&^xbnuK@f>0sfUiA)%#Mj-w_*z)K%~a4JC;?^_&(qY9>HR<2-a0DF?OOvyL@7ZerNN-%qeDV4>8?+@Q%XP( zNdZwxxqXV7=>IYtCmrfvl>}WB4S7v^d&?l-ji(<^|uD9+6-&1?~De6;E%GS?u$I5-*lBHtF z)SdOp0kMtadl>`A>s4ch!@t(6#?i;cR?;dlECk6;kUaU_p~iA1@e+qVIGT9D-J=D{ zLQR0e6=v@5rXV($kD;?hoHK0U0dRY!1(~)Ag!J)Xsvsb(5Hbx5qylU8`_0NBFt+Ry zcq8R?e*wdUj3Yqi8^Rwa%G-nXD+}+^@E_h7AU@M^2Qz^}OYp{kRs$(T3LvsWCr+;k zGZk?xYB$E^NOy-ZVI2s4Itajx2EVXBOo^69i&$f>5a&(*cuSGMWFi!1a<#_Z>czz# z@Go~2^8Mwla)38~m~2=2UGd)CuT)0fS)1eKCO3k%&g6Q3_qiO^k!ldW(olSS4ijyn z->#3hQ;Jx-jtR!)S2ZOst*T4y>o)TOzJX9mX2d}!Gsc-;2OLr&{I{H*@pO}U7pbGc5!ezvJam?}@jCpC zAAdCc<+t5YU&0u=VDfY2)dbo0NQv#Iac4Hd?$9|up;*FAe>jK#nU;>P(>OfXO@jV! zcGHL(wuOjHgwi7Ls|vv^!LSjIJWupRr$FIJ>&tFnkx&GHeICzh9Og7KZH`~WO`HpG zPiFJ@aEppPadVqqSR=+>)f@idGH^09$XFCrCoa0wf}GHZ-g~pv7KYtO94FB<4w8&M z8q2OxdwYnX2Ni^J`yb=GD8; zJPWol1qwX1H<9;n8IFwpo;qj+3hCV^WYT~znx5%kh<(A|2RUNSR{Y^UK_vH0VB*Pd z7|2kh23o-tyoiA`)%QM_Vo@h6|zcqIbx2wX58ZU z<&)u~wVZybV|$fNFSv%sTo+kokAdTdj(owmBn~Kp!3p9or7ZKb-`Tg(!uJvBu>IR&yd9E14vtE7fCWhn*CY;>5& z-AGS}Gq|sgP(($}_AHTO<076G;xI%e?fbx1SzV*v|556d;Fu@L=C|>(3?p+VZ@@;d zr6qKCZkFhj^E{{debOdBZFQE2CL2sr49e;d2C2Y&T_=s*L+nRjM`DmJW^?5aQwy*d zXgu%yvpRm|X=DzEXMbm%YVyKa&f2r>Xwp>!;{C;}5C($B`+iA|zKubcd@@-du)M0P zL+ECgoPWE2e(d2kqISpA&SS-#;8by0&JD&MG?oD2`l8z$J!!J+V-e^=tH3BAA8Nb) zdn$9&SQ}zPdmEpP(jfS~yMqWj;lK~am8%q&@p%p1SnfUhiXicCnSmox$E)-5q%^>$ zAMo5!x5j>q{df`Vy&~n+$6RfiXcMWT7tvi@1zo#488}mxQL@L=kDe2JWU6t zFi5@E^$jL=A}K4^1z$o@-CuqE3&jdgLc5n#*9L8AL)c&X1|mjfx2`)9TQ4vzIHR8% z-Uoziz$P>FH|9rB0BzA3-{S2m{E~p4L0T4VYUunTxNi{NL3?8SwCx$V*{m1j+HN~) z2E}tuMP*AQ-6k{+Mw}EaE6Z22JH2C(R#!32Ub^;{yM8tZc-zJ>17V&#|maw+p zj&2dDj!?fcNc%<%wL5jeZKSPJjQaukR2a|#S~ye)UB6=dUQjH7_k`dQ=63GH_6ZKU zQcIaoyEA@eJV&I?746h9urASrm`-^j!j^HWLDruxZ4rnVuu@T)pUa4O3;nc@muEXa zNYn*=AXwd(e~<9t0&0c=iGQ{q1)f%h>GSRFoR99@2gX(0%YRr;Oq|^1Z_4}V-hyYR zz`P}gkV7vn@>Pa^d+sG5sn$H$c1p}MV;yeIo1O}Bcn;%jy<M9B|Awyo(Cc6SA2s`@`7Zn~G!ogd5DF%xx!3Z*0&5#lU?_r$!uj|0C1 zrq@)(x-ZOgZw5R-J1BJ?G;!6Wgb&Ncj=9;jj;D^fC&lb{x-pV0xuDC3I0U%LsLReA zxE`Gr(Q)nX)L$=_!yk+fX-bp%l&mCRguNS-=5n~{o z_}6bC(Vn#o_-OjdzIZ7KV;jH0ULl*4aQ@F_*1x;oe|(VHe<9z9tg`GVWd9{SCav{K z)yPdU9j4wFW7@b%l7qI|`7t!ygnb#ey{svx!1YE_DOavL@GQS|`f$piTy#jT7%&nf z*95chyS-%zg*+!&OPoC-RAKs)H!?WIQf4C3+ zWKXVkaW#!NMAk(P?h;U%5YrgH(l3}|(DEqgr??ipw>;WoONt>63$b?%toZ{wzfP{dPOL0) zPSYus+JRmd5;;oG>V&(xYwPp9ljEK(t;^~XEXZ}x@zJ3x#=DD4wBXhUb@9k>#Ht+& zWGH5>m8s%7l!Fc+#Hz4iuwgV-s>tJXSN23zw4Sn1vsKFYi}=rb_X+w=hGg2M1!F>L zub3I?8g|C~B~TD`-Qm(;CLPu3%KJPT1rs#^dX9LRLXI<^1Xe=&oDzSRcHKscl~xRj zGaoPqsgyfEBSPclwn)qYHGCt#N-GvDH&QOk`N`%;Z})DidZSi$?}2&vxYat z@CIrW=~M|g4tjYqgGhdu=1Vab$)x}rwZzj;7$2XNC0dxg z7{G3ym>jEYN3hka3V7*cIu@hi8!&g9kv~f|jp{Q9`)Dh12lZ+iyv@s+t(Eu*0y3Kd z*>5|AkZ30cev~MI*(ZJP;%u_2FkNqGJEqJg{lem^G4X51&rOEOHNK0L(83_-v$Fs;TT;XJkmR2csyyKNcWU8Zn|h0 z2BxY-m`<)BA_e>RDa5O&TxdGqhxPYnXiYJ*;b)-}C!Vlte}|T6E!?5z9Xim#iN?44@I#nO_bBU! zn9k6R)+?t^3Au>SVO0I*NbB@QvLz@;#{% z8Mp1Tv5bCwSY**Z1MPe47-`BoeC#n2-TmnxD#QFq0QYfAE=#Gq#+h8@$6h?5TzLYH zqlIxghI)u!+%hl(t2!^^3DP^iz0iGi)0{kM;uvhjzUK5z{uHHAC0<_)$^hWOQq_iN zcP8WxN$0ysO2#c?hf7OmIb$xg)L$GMK_WG+EU8z>@H}N7u0bRHW~}+({n-`9Pb;D! zd!;L^>#W*F3J>XW28>Y=p|IW#6ukI8xgu+ML zl6{3fEyH4xaM8Rf>gKnq0Hg?YL4DTGr>@2HCH~m>{MojiGPTQwS;A_Hiq|mJDp#LS zL3FtLu1z%YN$2lj?3-fTnH-f5AIlT!dgi_a5399?ot!YIB$IOj24y17fp%ME_>1`M zse&@=OCMw-mC2r>D~$~gQQ-`W*?Kmy=Xd6KcAlZEii1K*wm;w+6Av$Bi)l2kEv33D zr{i0Uggjcw+loYA?9svq@F?v}Uwob|=9w5hDjU~d2ev#(R=IR^gl;zaHwq?sj-Pp_ z^W8q&C%TiUBz$~9u_Ae?3Z=!6u3jZs_VV-Pp)YG3*VgzH3D2WfThs`HYYK_ynn32$ zAc5W#63wW>-Jfdsy=fL+4mihPE*Ln3>V^rJ^jo~9vE)aBs~Wg?8+X;y<=nY1rY7*n z-9(b0yoQqN6(p^!YWqPO9@@wG|Dmcp3Fly zwOt+~`D*~(I|sF{9cSygo4i@h6CK9~%^JYIf6$C%s)uhr0@5%dQ92w6@g%sDOQgC^_^L_c*r%B6Ra3@`s;(!?rT!`>5-ailkTet4iyqXqYwoST zT@pTGubys1z-MYEYJa2Wsvo|8cK*sIn9Ol4qBV34X-Q7a-X3w7$*2MAg(^!v&d9M} zU%5VC?ez~|N8x4}RB~_HDLpjl+L;?B&#edWvbZ{v@dg`9ch}K}U$P=g7S!l#Hkxt$ zt~s{#pQ6SmGm4L@f?1y@ja{)w%YbRQ+b>`!RrX(2Ev#PB+I@7Broq4>!Sq~vaP6VD zwUSzCVW23Ud&>7J?Wr&NV+?qX3a41`LTjE}v6x~a-+}tD>l;&X74MRP)yM%}7G4bD z&&d%NRYP@^ulF8c|H}&i**JAWiS?Cr*G6QF$l=X_=ugSh!wl!taO-gG~HtF#Xcsl*JP#h94mKB>VC;1 zjJEcU@K-==trCiqlD5yO88<7uZsvwp?+E8j8r{l@d zM|Zc9v=RQQ2w{4FXiIa?I2&7uC*B!J{@9y;S9<%70hlS|-rHkwHB3Th_Vf4QX*5DR z?qet}fW0Rl^L*$*O_Je}$q%94D%;U+0UMk2kfh~edPQD&Vvy8V2CyHph4A$YR)%Ac z)LPB>kpYX3?ui7#1}VZ0y~f5(Gm){2omGC-zTMX>Ke`vqg<%VU{T308dDSi$6IZnH zXP(h7VM{#ZNeI;Q98Tq%^smi=puq|y+rdo#A=!og2dMMUUn_~2zmIyqRRI|Wp1HwQ z@vN0k(X#`l{iU65hF5o~OXQSGDmrN@PPlB-Bl}X-18fs3HR?tJp0yrPn#muu885U8yW)Q1W{NzPIoCAoMAsPvk%1ixU;xfjx|Y+sGtw+d>< zo>Z)GE7bKDEOFpf&+ja}(%u4$c+=5bA&EjF;fa=KF{kiKZMdVgF~aS3L9ehUM_fm2 zRM@WD*<*$fO~3ZVQzZsN&xS3zv`GDp?cHx2w0I!dz-v8~g5pXY2!U zb)K?SNbb*QX}O=`KD3x2SGnc9;~k6~sz!_LqG+qOy}^2E(`a^h{An!e}m))7` z#l!n>4nXNJbwWz6^0q2w)n&1I^tk83x&WHYA)Q3$>i!#enmw&$zQ2DFn90T7pc#gJ ze8;k!NqUg|!Zi&89BZw8fPn7JPLi;_tM~6J$+gSj`dmpXWSfoY zRLbFI{Cc7lZHysLwx7h<_|XN-PRh!WbSBQdF=$e_^g_QLm-_p^XW9P&#{TDNiof_x zCa(mP1qqMIYk3HQ;GAVk?SaG_CvwzF(S?T)BB&7BFY17>d1y<#5Sm{-P`o z7_aXp=k~p4xjzTAM$$YXGFjt1(zMl;!B5d|5qsUF$?G{xR=VI}pza!~_?)N}Of?Fj zCc(+W9NJ$MqLiQIwy%@9$D;p9@>a9ZG?<+S5?vFR*}c(j36>DO`4YY>VA?7&)(;J}F$K;NKv~ByMZ6f*kIq@oNl#Yjl5ddZTPf;)HLUt5!mu+kU`# z#@ApkaX_HI=ddp>FL@5Sm4#2ZQlsVloE{ne@n35^%hiw2RlOe^z7Md!80^52~Iw+FLGb zoa21ja~wqGC-<57Mjw>KE<6%`QVtV0SxWnQH?yxy~ONw1ll~{=rPLiJbC#JP`O)?q+G$P)= zUfVY8veJ~AAHvBeH}8AB#%>nL%~Qg6E+94+YZ0tHN5Orycxwy5Cv|{Zswb}qRp_w_ z;NA6)0P=f|dJ(z4BeV)HU2+D2OYBOzP!xZ&^zh2szg{lD#|*0;ywY`;sUZp($MY@#Z)+0TZ zzk!A|#r=;a%)7hgWM~RJd5hdNO(h4t1uc6oLYTkZEVlA93l?5D{7gnO#r;g2f#E3*5sC&5jo=TXoOigA+e5Wj$p%o0nA9iw9t1tQA!K zF?(FkzD^KF)kMk*+vPoP)5(wICh_nbuJT>5i%-zZ@9d3CGQsM$q9HR*ba971BmI|;iqTZE1A`AG zK$EueEGvr`JMh6_@(iIxKtQK)b7ups@}shw++y@EswHH zwj=`o1t(Tso_>P){iJMq2SVcePv?=fU0yVostWB zkPcsmTm*8iT=`?a^k^qfpbGCW>;%Tf^|({x*%_z+h8Q$3~9?KLG%_sRXJ#RFZXjgL9&;%ifH-W0an z;ad#h0}uQn+eu78+}TsL+HL64+yMi_t6~51P5$p&-Jj!%s&tQVPxv7?PqX$c+i50@ z^e*r>vUBPJfh>%J?OdyfbsaT`_ydf)VWw9G;czt#{N;xnXI8dJrR&7nfn1*n`ghGlk|Ipeq#b%AL8=d@x7InW13ZDZlxs(YY1~3+5!E^Ar}9}R77g@ZQCE0p?vN|DO^L^`eN7! zPN-EPc-kS2i;1ZZMD2=m*_oD0{b@1gMahCLbl2O5(0BIXpg#&0kt|ZjOM@ z!$2slUY3RfZsN-9P4yu+(7>hT-LIKFTXZ+ETWSq6TwG&%T6d-PNYMa&+O#2h3>WO+ zzu%oz*!%@Tk7pf*6o2U zIM0Z+6Ua!}$ZF*V{m6#v1N}iAi;Oj^>+J&@{98#D@xvK6A5M-+72G22eU3=YHR%L@ zB(B4o#ur%e%cWYf+L;fZBWq1>dg&s0MILjxV;y|$Bcbf`7vIgrcl6_Z3e;A?cH}Oi zHkY}k7yXDW$U2$;Y}S>{8cpJ@j&j^>thGC9(nl=#tP((OE^yZ+;{>xexwe|LojJmS_T-die-tf(j%~>Wer86*zFJ=u-nWSRE(T*8=5)(Pi!+_3Jpv zj4+)Fd6~>6l!!<=Z^dcgC%wecd)Z$*$x~$`LuQcrg%@)PabeeXeoeQMjVA%>y-S_M z5Lj0vpDYV?O?cYf5aatF9>9!J;Yx$~V!;((WKg7_Y${ycb*EuX%9V52NrLv&Qv+4wzkf|MNe}deXlhS1 z4-C@ZtDa&{l9m%KRe77HqJD?HmbE}yj;3HuDs=PeA{Tp9e0FK^@Ld_Bf(z26l2vQd zOv_$&N9m2;hc0J`qQS5G;ml_k^D}6<#Y4_z*nlMwWfBn9 zO@`@HFur+rmU%vQDTpcld-W$5g(|ROOjb)bO6ChD(b1pUAt=biV{dr6wFpQAPfZXJ zt+3|f;~!PqX>b@-B;P4Hck666mMBK>>Ick%j!u8|u>;!=-H2-N0(jQAXu2bF-4W<{ z+CLCtp!P%HABKn}S@?DLC z)lYIf_8QAEKHgb0+b7<7j5#Rw88bp>bmRdE5q#j*wnkbq_(#NX;Zm>b$*^1mcta*2Gw5I`e zlETn(zyr<_Omsj?@pq?4f(v(fb*B1+sa6K+)@*(xnU>W~c&oQ4#|QG&tJ8^^t@F_@ z9tiY{URE#ngw)IB079Pk!-&GW^$PoYeAi49*=5K<>pvFF2HsWo)x82q)Y7;Fmcn?dMey$>nrm9NOCH`p!JmX_gKa@0AUnrF>*#g zwj^MzNL~jdwM5*+sq$p^@5X$|I5gRMy3wzV*O6{u8Q4(7(Knc0L*Zx(p_K&5#^ubR z4^TTN(6u}aFlxHpW!n2irsp$cyfuXLHxD6xPXcn2FgvqI?ywum4h1S}UIv$_EbUtm zofoG2{yJnLZqp?3_DkZket+{Ga?5Ll36tZUyMBXN_^B}iB~3PyCcf({)OUPbfzS!m zwd2*wK;f3t+@>U^TyJG6sc?RHhtxSUX3m~Z$^P=?ntiW56t+Ht;YK#0QE=6m2%$GCa?r^9wHc6zBC>3fCv8G4IF}VOfs8NCwgj9qqc6O9xHLvk9~$-Cyzn zH7}A?j!v2Dv?(u}0uNoCq`&x`-tK*ML*qiH>Tq1;n&q`;TUOIQ1dkQ@#_z>Q4C3K2 z(pPDcDLf0) z_09%D6Nk?Z(7MX|*uUsVOymEsB1uiG=4GI6^cmb&Q;gXsU!P8Y)4`>oM!f*VeLO1Bp8-VR83AZNDSD zcnxRLFEYxhaVSf=9;f94L&2!-qEP!o=_neTz8$?Ig+9q}yH@?cNSu=@-tJWZcI%*& zkkl9&48W6_1dmlj<1K4KuN~Gdu?sw;E8R4fSFs)N?-kV%bRJ*qyzN@rf%^bauZUi%AGG-);9sap_mbY{`hBR&_&-(pC=yl4abPf{3ELb#$My~ zTfejZhF^1v^dQZT(z^H42^79!+?d2+CAI^Vlp3DG#th$Io-gZmEoH3_(JfqR)F$IO zLSKU7OR8=M$CrqlcD2^gtp$S0d2W%_C&DH1!vU6A7Rhcl{;$hT10FV3q~>!~>JOJy zojGF>N;6)(1v;sg#|{ z`su|t2#vchkp)#nxhUJUDr#6#Z~uTZv2ihu68rD^AS?P z{iTkPWcxHLS2=Ldk$}jhJ-=mz{2`Z~yn1ql!p$2GT%ngh-UM?$(msyv*%j$>)p{z?<$jZ6;1pZ%eY2aG~km>DF_nx+#!rb0`?@r;x zZ(BM@(@VfnI=N&&-a)xd{8HN7nPRrXhS_mNDtTY9KT;~QO7~jNFEBKE#xq_l@?Bhy z@YS8Medu4sru3}M(VzOfs?JIktsMpO?>uPzm0!g>^G>m;$*Ad7hjYUB6Bh!pm)t>h z`E~*;5$FU~?sl$$-H=Aw#PLh-W<}F2XHdS#+|cjCN0pYW!7Y(huc5GU#+t9?>wFs; zq|!cA|1UO+FLqK2)424vN0WxXAkWIn(r=H2{3Yo%jTp5#MR8_9P21K?)tDT)?f{k~ zaEp+@^$Z61WuUBB;;bh4(_A=e!tS<#3O_JenI!2yLEZ9D(SQFZ@Ku)GGPkOzB zt<}24F(7-Po-Y%Yo<`SX%7~YU4Lf29zDK~mGkpq!i#XhFLe$M*?SC--MO?N=xYuXw zZJbwsXKMPWxC-IY!{qmNZS4d1{?id6`^cnXGXK^32l(X~-NZ#hDwGMU3r)vQ%gAUg zvQz8}@_m_Uu?^@+O6EJ+xqCi*YxK*Y_Q?gs@Z@LwwmtR!=USRBX|H2D$ zAP8y5wn_;cRv!FK5q%x|w@M}#cB0Q7nl>mv4mC_y>#NLAF?(8|8Fg$>9C)|{sg0hC z3e0!ElTr#Qm3MhDMfnpE;PE^WOJof8OBtK9OcJ{7HQZa#d)|Z~mQW`4$~vs%t|DE% zA~{P}q#)`A9$6=fmS|RT(;0v5$~04OEq~$-daxU;r2EL@JG>3dbXAl;<&yE(#|QlO z>71R6T81OF`E^WB_#yI32=aa=!nsQ-R&yl#;|pJ1qn>aJ<0>UwiA-Yf*;TNA-PX&H?u%zsb5w7i z!G&v*c-V1P^5{`C(cO{LWUc6(a4YmjEz4+_?Y52_19GjkG1DkX)>G=OHXh|Z#eC65 z+|$uqH&;Z7=p_xnfrW9HQ2Qr%(-@fN`*)t=q4>{%!0Z4hoa`2AfN#n@;F z6fKm6V%6xWMn4MLbzud!8^MpuXWYHL;z7rbO?%`M`vHH{Q;R-u5BqXA$Kc z1=V|tHH^>dA6D>&nIOr<9|4@FS4>?;W-0uJiPIifb;Sh3Ij z-HkGZ*be1TaKpxqq+e<_;d$h?A;dqvoY6YrfA}{k$NrP@nGCTe+HD##n~U z_4`l`0WFfcna*ndB-~%#Ws)vq$kJyN?EV_7t8IpF116^i(UVoTlPjIVC&@FD1*{?h zjORe41=X|P9FSs*CV~4TJYgKz(AOkyI{)TO+kKL#){_wyJuT3GHTEgmTbu4E-`71l zwB1ol@!5X@B4vng{Wh&(?KKG`KMG7ViyH~f`e>0(6kUL6Q}CTw!ajM(A1N58`n{dd z%!YTn8c6$hjf!!Tb)8kRN)V>R3=4g_#_nW5jo^7F=i*&Q3#difM~qE22XY_i{o zTs#!Vm!L!>eAoUF4LN5~7{b?vvwhlj1j_3XD3Gi>v|NmlWJle=t+Q>Hl#&Iva0K|y zyMyvFe@QOocu&y71d%EOgP0AGD*vimmzT8C`KMI5RGQ+$_#aZ`jZKC?w?U{2R&73a z98@91`qeh{x$iMPBVQA`%ntDY%S7Wc{!c<6KxLi2wQP zviV_Q43vTKzu+Ra2No^)2>d*aPzUf&;}UDa92Ya!h7H?SV*?x)C%)6X^Mw(+5KrKl zzj_k?{UKeydchj2HQZ}&SxY@-g7ROB?SBy)AcOQtfM#!KIAA{9ww)+9$y)OKzluvU zEpgcV^aOl*mHtU+qqu|BmH?fiQt=5X)nK+9S&(;*3zB4C@XWIIPmA(5pQ=Jhunck1 z@z32Du1uP*jqO6$;s#AEL%Mb^Jd&cZl6zDSY!L1wqtAhfjAvrv zAJf<`BG{#TN%ns|n)>%wZKeIaCUHDVe;BcpMd8>|`9n>t2LhxkHAwb(ftHSe5Z>?& z*w@GS#z%$?51pN|0CH0;Dt;|bk{j~JH_Uv16VGE%2=d}tEv(rd*`OJPasK$fG&KH? zWr(`!?*+cq3K5e#uW$C({rl(ozkX1dh9zXIeN1nD{P%+F|HcaX$2a3=Rn4G$FJRSA z@c;S0C``S6g6zA)tL2CP@jLz>Uz{sZ-2O)&wckztU)SJ2{(a^VzTg4yHMCBSs%{XI zjc>#Fsz9`I8M$*1`Rv|jNyAgH!AdTpKpa)&eYpL81!QeGwxE19r%8uPjg8)4y-WnC zh6;O#u4fyYM&y1m#HleR1+&U!=His+8rD6qQ9XA={|lLd%By^V*w)A+kQWy}Lu0H> zg8EvJu6z$NJX6$^ee;ylZ2OLzcd&1L1tsAKaAf8>gslg!3pq?`W*bNS4UGW4f$iRV>`;By@_aDmqF@sMF9Si{{q{d z*DIrDA4FCBLT4XRGSy^MV_2AFFnN_M{NppVOHXRfKVvcEguW083Lt zu0ymOICHo$mlTZwYW}%))7_X2m^;{$f|W|(nu{pRE|E>2K1!r+IB7))U#lqJVIMrJOl0bC`KkltR*IR_N^5QUb)P%Nu zr(fVNk5+vg+mN-b&t>)yH|K6}c^>Cf;%g+Van44?|7;vYH#{dl7kzz=8D%$CoLTm& z`8=ak!%N;$u<4?hZmJusv0V{xn@!i86pHt1`~Y54^7UVz*`F6oHq+n#{qo5O$2Rsv zz65p-gD>v6izK^LyD3mCNR$!9kvJpzQ;_W_$;?~pH-qi|?-H1*FY29oI-Gj1)UJqf zePQl&c$nN1-uX$LQ-u|Lb%Ik6E=y(6|)9-|n0R?38E_!pYzT)KL-ju_KY3PP2f668}Ut z!DTGh2-N(yYk2yauLEt&z5}M`Sp~p%mvykh&CJOo#ZXlF1Riz{NR=5RfwK2t0(JjW zO$D{q(g}*%CSpUd%kaeD<;Xm*;D(`XGjlY>;H4Bjdrf)$%}u17RW9u65UM$B<$M!!MHbxU=aL zYpPQ~9iU~a@1sa2)*#k*#?cBU#^>catp92a4#KaOkhXkP`cIx3fBbX*$(vsgv&p>1 zUtkbf3H4x1KyEt#W*pWHPyC*Khs>q2>KQLP-ZW|z-v!c#vq4nFovo|h(Damup1sRt zhYeD(QY4o>(3X$*!;9-eWH1izqp`~Uh=vkCd19lU5`JIdx3#Fg>i&MNSGfzaW$@KHtS=L>*)BBmUq(=LS6=?(>ir*Yvdn(6e3jWA@z1z;fBJf+ zEZ!=da>(JRi5zY;5M7{gK&oWmHmWrW-cMObI#<k`ada=337+a#SG-u$BlgVe16`!cMoHog=i*D1~as2vqmY;fd$IfxGC6J zn$(D7RfExc)BjCHa~DfWK2VDDMjw>Xg`N7g1Fzzb?sW*R7!5mREaf;OFQ1iu48V3^DW`~NcRrgd|QkMqvad9&IcNwzY z{4zpa2x^9dha-#^wV<$1>(8~gYOB9wF>RHZgFjERD4SSsKUH1wCf8r}dQPovdZj`a z>B{~YLdyKIrlanAOR&;jXS6&(fX%8L>BHxJ;8ZoNd`-_Yv!V!LpwOL;yYmGmnB_F1 z5G~57pK$sj;TCaN1xe~AahQimgLIA%!^;Tdnz`qgsn{?j2oHeAjQ3-enM5kIn{D+4 zD<>EBX*LoM`mi?CJH$U}6w~v0%+sH4X3bd`gonR*19>|6uvzMFuPGKOaj{bS!?pKT z{;AKyw-@f{I{SQq*pto1)(fs2M-)fof2mxq!HYG(B9o4a1mgus&=oJk@c;cW2YvVq zq=O?t;AM!6=V!%?n~BXkB;8^xVH2fDe~Xp{|Nj;(YffX_uOwD*S(@!5PN=<3 zv+42zp*4{;c{NmsMXOdBCzk&wn112pA=b2R&^SE`7>61KlP(~AVbT{|O}rphWgKC8 zFT?z{%#A>nE4O`7LDTo0s}L~T1QhZa_xHd_V!PK{b}H7}5NvJlIi|KWB6X9s*n;Q_ z?I}L@dCwoyaMg|=hJJ94t=#c66CI)hwy^DNThMZ%S%eyFD0?S{$@KehpKW-PP|wO0 zt>s_p`6E1h%Y5!_=&2kS1n47q%QB+@m5F+~^}ZYDCCQK0 zPYHbfL!y zm^Xq^vEasCT4J>1mPChGFEwiKxf}7=DHHJO{GowM=j4az7|f<-IogdBOdlKDGTlNq z93Rb>a5_>t>-9f+s3Q*C0yAF14by|`!u_+;@2T9|akCGIaGK}87<75S0o+K1P|nyI zte{*Ssr!6zf_q{Nj@vtxHyKX$=3xR~;uVEI&pQ?d4mSDAQ*Rv2#Y$t?Xq)>o?LV?I zlQcjE{jTyanAvPTZrao7Mpb^*|0n%i)5hYY;8Iv8lFjUrH;6g!Q$4lRAKOKL-qH7@zVp8;#8h$dtcf%%T+!_^%D)fNhZD(ue=qw$c)x50^}2hU zC5V9M#&19SI6jD6nc&AbWyjrd6o0$;As|3I{fhmrrLJ}DYa+Ss7@J)dP3yx&{6>?+ z;kJm-$ubdH7Zu69*d)oZ-@pykvsh7DO&#k@ytdhLy5!+UAL-&V-exOox3EhVcyWV$ zuDy)#s$|a-aW_rL63H&!#-Q#fJ2Ii2OTBi_K329ff5!b;B~wJn6t>4VUjgvAQ z!0F?@1Opx;O!qZN5@=}h0|b%G9c)-=(=3i&m>d#>j?3EnIKQ~V{r1IhTV933?P+ui zXUJBmt_XmqMd?zHkI3)ECh+!E+mRJ$PrY2fye_HxWIFQ7{G((C+_3U$a?%XUK(<)0 z34_4Y)24h8DzZJoM!n>i{qMjGQi*+|89M0RXyRxPA|JBIZ`ci}}o7n=E-j zAIS_}Q9gLu7%WJpxsv)A>UWko>hT23pb?vL@yFhuXeQARw|MHMZM&G+EDOp>H-IhHhll{hq^0qHONZ-FLo_M*WggDtNbM2KXs}PzpSvq`okgF25 z!lPuxm{?pQ^FfI`k*t_2=ao(?Q4UsX6e$0px87S+d&wdjLyD<5MBgB_7z)K0n_gP; z7&NSfIRj^-4b444%;W2>LlD?PmNKS-)h9K0dwwWjHt)q9Yt#*+C^T^Do@5CrI?~iD zThQQg+YWxh=DsCIhsiN+cm#EH^c7y4Wc4?a%Tlt#MI&@(hFpRzw`<`q3fI-sINi?$ zYO@b#@hXGdI*ecs%$*RqwMfm4s+K2|(R28{E5H}26o-K_0f$f_Zx&Nx?I&QLaVur1 zQDkl~0Fap8`8EGR)vP`+ID|@fx<{=rSkD5g*KM6fMXjtlC|pxVNY@K#llP)+C*2o3 zI$EFkJqWT*PB`S`3)|xnoIfN^Cd|^(Y#u#Q8@qrW$n+f0Pq}`NO|WlBi}I9p_uFeX zhdfxC_oROvyxLHDaMQ@IQ_AR(gC>i$CWEw(w=er|h>-5c{xtXLtdQMzClJH!?UOZ$qktbOedK9V@?$>qYs+oFhk``vAJMKPIgjsRYcu@Lr# zGxI(fCU8Sf1;w3_y@~pWt6{nMYT$Z)mcDdsJ9)L;jk|Wro4u-S_KZ(*jl1RVueaV5 zQFNs;tEL&a&};3nJkqtoi(W|&V9MVp*CSddX(MnY$s9okZ%?$or76X?Xm3pwRou4; zXOmGwZRAv4ViDf5l$t`t5dT-zwtceM>6rzmw4vC`la|TM9l2A$bzJRU?~sWS?Ur%+ z4(=L#3fMaxD6>!14)@LoBu%uuSmbFXHlyi9#kX6Gy5q^q=Kp}+WJj^0+b#%&(<%JP ztfW;~G@Or!_9X(Qk}N%vAN|2~6y{5`tsBEv3|?W&2%X=oGYtP(klqlaBVWY}@yrgj zjMXTW3Kh0h67Xa+Gd>q0=T?l13PDhp^e#(@0kxet&%TE&d^1VJ|CDSSNaUe7ZNy8u z#uWmUb|=4q)@Imn$wb*{+M_oOBv}Oa$vP=}(@co>rMu&b28{bf=oi_GEy{(5CNT}Q zlmYZ{UkWYygFQ_XgX5I#lHW+B*T8gD3pmQ={JiHhUYGKxhPqwpB>!xZhSdtw{D0`Q z334CxZQ)@vpz_v8v9@~HzOwb9FFTGczEiU*sBKT>>m@b2ze%4?R7_~VVpc&M!`N&* zV+4KL$!ZeAz_ksD(J~|HBIRDk*K4I){R0@NnvQ1BZg1~A-A*Ig5O~Pw-{n@Uu{nby z!_hna2DpG9#y7@a38B0;gubbudocUTEIl1Gr}m3|PVAfS_1VsxehZAv@xxYnsaVCM z3cXK#HDILDaQw7FwQ2tn@0cNQ#PU4Oqo|IR?cV92D@z$M5f4ANY~0LkPb6aYD4zZK zIcAe5?C5cb)RWrlr6DIfqP7mvW5=(2i5=P}B0L`aWO*fIj<(a?6bG_VqjUE_%qSm} zg`+}1Ia`nWKB)3_gXI(=LO+ceG=xVBsMYiDQ=RWhlZBBtGS~X6uK`KWCEvfMV zsJHGjhw8U$dQrhirHHBnk&MeZ_J;_oBs1;rv}mT!NWAaK6CzxUW3;%foE&%i5XHOB zLAw}MwOOtub%fPxQkN=dwfyD;FoG_Dtgs^|#}mO{YL43V&)hq6z<0*%h2X0^5eHXv z{*c~2R9`#2v4Lh;JmGe1T2mHAF9rlU*?u?8=8H5G``~C4FM4t-#)af*It&zj+kYzf zu)bUQ(Yax4Jj!cMh;>)dGSfQrYP~(L&KL#m=sj|3?mIp&J%$G+L+2a_I(fJ=7n6$5 zDSYK`$E);5YiJwBgX07l&;ZL``Yc0Wa3jUSR%RVG(Ox9wAPQ9Di4vVBLK}}N=EJzW zK|AMZVJG97R9rkOSUWG<89{GXfumDfI;u^%J!IUcZbQ5n)#u~y(Sk9c`KjO#pkJ*< zD0$1&@4F{AUD7Zk?d{wcmiLdxU^_+b7~Cqgdm+`U>1^I{RXl02fol9FYTI*`Eu*6R zr%PJanXJIFs}grxrT3&UBIySX?=Cb?z5o1; zWaFrh{jas?BXZcNkMRY=G?K-P(p#4o--eQrRms>Dz3&75y&76TjYe8L;V8rfFC$6% zK-RcalZTs`7&CCS{0nI&f7u!A>l1HLWjc2Lf-#~eCT$An)2{>?sqy`zxYEXal03ql zX`iS+y^x||BE4CUgJO;%cT002Q?es)z2xuo>eI#NE0Os+c9fOt1^-l^XH~h24__jc zt+zDtM`B)ylz3IL*%duTwRH3xWTb;t6=P%eUY(ev1ez?o=f?wxJllh;vAWz4|V4|Blhl6M#11(%E8u;>Cqo#bnmCmi@)l;V^5l*|0Qx#;yedwy5Jb?%lAx)ouAVF zV7c)s&FKB0PQYSGx4G<+1m`C!ZQ^5eZ}>6}0?@ivGEpBSA|qotKB!>{EIszKnBhDiJe=TIZmPpURro}5 z7)5-Ln-O|78MRm|xYStV-sSPm^b88jk1e%wlv?f$ut>cXO8Y%q@|hL0Xt9G?8lQA8 z;YW4WNRbN)$h)IYS9pqV){n`n*(vYxHG~|mb@0izG>tTKo}t>Vzhmg}sXm~Wk)o9H zlwyg)=Q`=hxCKR_O`Aq}vx0|^g|Mhqj;se|LAYZAujhUNlHnz{d$yTEnZ_?k*+zLf zPQ1no_VmO*N~irq=d$;2W9a?Lij%IS7MRkj)$3j0IR-uqhNuN3Xg0)MY)*G%rm zC@=d_I#sth?X<>S3U;;|gQX-I z;XbWo3$04&=MVrr?in{|W$fby38hch4Ao9Vg$>9?uNd}cDSu#oxBuGY-oHK%wqrgXy9F!;^ zpr9a<^}efn_dfgVvyc7%b#GNymtA(#$T!zqbG~DYXP}10#e6|1MlHylqT2YbK&V#> zkQ|N%{xNsFswIQ0Ly{eWF0VQmwHV~aJteW4TjPlHrwm2gQ>`3mfxWP}n#{`P8_Hlp zEU!e%zzmm=X{gE9o3mYPqu3&3X_l_KB{ku;{ayX(=}?NWz3DnB7ZA;E?a}3aHr{HR z_6pUlrCfP(>}!GK-kl|Xf{TIkL^fBKK}TYVtUIAA7`3)j30kjNVK#A_JmQp-?%VPhmE zzMX_&ICowH!BhN-ti{S)5@Kg1i^7`>P`MkBf>4+b= zC9L8RZaKmn&>H+lfbJbNN*8pT!rTbm_B3OXr0LIhi!sQClQv;w&liMq@N^GYd{x_- zSH}__a2DIv&d;QPy7G4cKEV9tpEw&u;q=XG;&u?UP{OKFM zJrXw`3Iu?DKBmkVGWW5H{V0&!Bd(d%)-ePjW9reB%0S9y3=@ymG#&BxP{_-a{$eyD zFl%62^&)*x!u7H@zsn_xT2N~`He&dh)b>w~wQCqtVJSk6)bm|oWYd>!l6BFpzcT)D zgE@AqP*&dSzvSP48~giXuS*0B7d*S4=|&J|J96_$yxUbf=n${rrk*Cf81D%l4-Q94 zZP_}Hik3e<`H)Or#{43`;!W(;btrXK$EGVaVJ&ipv2>uwEIHr>TZ~TtbRs z?w|9m&`D>~hF7W*M#V0LyecQaEV*>wX^;G5+!gHor-gXX9wVeB*8$?ipS67q6_vG% zMk&t4*q8rEp_L(&Ly1Qb=2Z?;m5g)}TKEHEhJiBA9J^O?*C1H`KKMqnK>8?dn&nKt z`<>;oH7eXF&uQkyVXNmsEbV3eG`MDS`~YH|+n|dUTW7PpD}#dYb{#g)NWR`(4~yf3 z)T2@_^y-Dx<>QrJZ8ax|QaW#*dTwWcWLafYoZm|ru=|#vRz5p_jkS1GbQ*SqWD4WY zB0C_ad!zjONw4_?To)}vQH)nYLwyNYeX>-!w)ZjKy22Xv&iLWDBXN=-i_zAe`@_eE zGx*sxA6iUIadvXUIK6J$vcxUAp;%RYiGaEXr#x>zG1~@6VPbAO|JK7#RJ&545?V== z44sbP9<*{&Zt^xwd+b8>@WsL;IZ5Yq+xd?XeI_NV-!S8ZE|`4lPi)RQpyvJNkh+66 zE<)w)^9mrjKnY!b<9I)i{(n`n7z4y^GHPS09#{wkcP&;Ej3$T&M_slFNfWTuy59qd ze0PEWp2&Y+j1P(Yr_&cTxTYQM;<7ptZp);~T$~90dCuDIitUMQ-Vv}SOD-+TXSfaH zzjfvAlHYFO>=(gf4OX}-(yPYC{J@rpOHT%4C3{IISMkf!Ux3c_lP8!$W|L z3VMCFDN@rqm+HnB$Rb)cCYZ6=o?xYvp|V~0|xekwQROpV#{!NUTpm}A7oRH77aachl6rpdQ7@A}X_G3ZYBd={&H+QNEQSk+4&Q>8p|$ni z<$lz8=NryViJm#-&s6YLR?I}w{K*X>yoF<$Nl(CRrnlhyxxL4HuE$7^;$z*Fxxtby zD$FFkM69GPTdzJv8I)0r0`Yz8bhl@_GZffA`d3Z-u0NL8wvg+1_ghXh{^;P@AoA>| zDSMR;Dmh~~{R%_#XLHOjQzJkK_%3Apt^I1#z}3~zn1<(qmK?(Ri@hqBu*vl03kFm! z#%I$A|CQ%=H+F8_%&L zr>en;xg?1FF;1+w2q|pb1#^UKo|W zB>mCRU0*ADAU`t-@s<2cCp{^=7s*lQsM;6DGvuAURAglAe4cHQZ2NF0R-w!YMNzEb z_=;arU?-pGW78@nZ7+Pfp;lju-`BlAd@cqnDareV=q{jB2|2naEB|Bye4TmZO5PHG zo$5EpcsR8cVrmo8DLLZ%Wv#EDq4|n5v_peMJZt3I@TO^HJ$MnvpvOnj@nV09ApcFv z#Y7s)d>z6QW=DLX+p$TH1pDGrX;Y0{jfr8uA$ zZ#8@*ILE?gqEwFYN_d|0a6430m zi9jO^N$< z!z7w=J#0#Oq&4mNnh~`W!fYAKQ8~|VnEoBg_-uw+S)2q#Y8&~sv{Ec4&nVEE5tz!| z$80;cFRjlFOqOJSdmrMxi4=s@G>$+*8y9)pKLls2mt9|Cv6h^TP8XT>#9sEy(=+ki zZK$)0dJ7n*akty`2s~A`=Eval&?X4S96$KLtY??gijuQisXTj3?>{6KJd&MxQL3wO zgQeCQo%G^~^iPlTLT>M!x;9(VSgYr5zK+s3$hsqwZ$4OGGXr?D&O<>|HrR$C+9 zX3oo8Z@9DV=b9SblK1h^$7G)YU!e=t6g9()jB}^IZZ00iT)N7{^t*EnbAYN^Okb3z zO=&(QtDsB0>b+ijLpbIAPq@IABXh6ZA83I)DO$nHC)eqegr2LsdnVA^5&e~n(ES7n zjN$0MD>WA9^wq*ts&`sCn^ZygQ*!?7fLqQHK>SN=>UptWu-Ui^qzh=@%_vgwo0^N` zE5nv|@V@*$WVjZSrX7#YHAeUGRo8=-Q=|sp6enK0*>jfCV&WSnadT-$4X5$13^J<| z+PQDO7gee)RATDJ6p;8LdTU&hYolR$+?tVR9@WPnnhdK1oMe#=vruZqo z_R$=p`14uU@y8Hu<~nG{nnPY5gOYpsQ9{#i6?aqjfELyhVR8M-Ww1KnZ7kXyrbZZ2 z&4ySqs7xm=ducaWAMM63J-FPw`PwUfLp!ehVi@g9P}$7naefwP=i&N!FdnP?M!1u~ zGQ(cKmZhwB7mNynMRxyy61-)o&-szeyxXIeSEn`(+)G^qKBW|{o|bFT{Un2D1*%zN z6Rp8??&+k&6h4-Z!G)=1@sgZTbvjg85zl4#Q&wp+fY;BDUN5NM21Qvler|LnfLJSr zznJV}1iwqDweRNpdc8BHQ5S98d5lqVnpVln-@6^D!fMp)o?`Eq_YoE`U7=4M$~^+p z9@@0HIn6QJ(MUB=*~VLMPZamYXIuQwshjY7KLUr=&Bc-jBocENTvFC%J(f=M8&sP- zv4^;a()Z$CQSk!P_^BZnRaklEn%E_V%E(-_uLCoObIFd6dZ$#;@@Ia(nGp#Potp+~ zh&KnpbdYYPd--b7q<2cSnL%0J@<*yg4*k-Cm%(z!#|UpY!&b+}2P&S4PM8J77MYle zZy9fxbew;^qBxu+P-k)6?qlUg7G&Sz%Olvp+W;HwbAF$Lf(oaMmMV_Gld+@&&nY?K4c!|oB+?GH>nTUUnmQ$9-4 ze7Ul>r3@jF$YsFFHnY;6#=uw`gu2)fwXi;zQj?d}GRpJ{$7dGIk#kG6*W zmI&3q4JiKgAIY%!C|WwYqUtY()*3nYTz;vvhL=M&^YTUnVd?c0!3fSJ_`bO7o@8J6 zG57EnwJm!*)}^82eIzhgGONt`C(U5|z>e@bLFM&y7vrqaTpTr5r@-dPw?42VmMq>8 z9alQzv0jjOJ(4b%K)Rqc3w9CrOLVa)X?PS86+PI?G6^5s0AOeAY(aX5*o8AOay5$U z_EeE?pY^h{)9QSZw*ZoXHpa3IRG#PNPTaQnDfwfv{cL#Hk5;e-sI*EHZ7~W&yC%$k z#1%$I<^JD64D`wWGsJ)~5P=xn5C3lv12bn)RnzM$H_txVIOnt)H>ydvY05a!&trUg z;Q%!M2|G&c;Jbhb5%P5j22ITI=euRtZY zY|uv_)MV`KL4xuq(dY*gcHJJVfd+R|dV(s#ukg#|oH;;W>?~6KTMy2Ew?0b+98Mqn zRDFVA5Y_`)u4#SoANr~vxpuw2{s4ql$}1YUJEghaa38%i;|ycS}Dxo=c?;No{7fz>88vE@-r+qEwC zK_b~JBS`&?9prumvLu=XEQl|b*43_3Xvv;&-XU5#T^&!pPA%k+5660YOL34kEd--c z7s83(M!kk&k21#7Z;^M+CCo3#<3>g+JMH`3|u=MSkUzU_aN@%!W-J(-Vr&h>YctTy~R zoW2FOFas{z*1iUBQU#6qBu{(vm!TNl{5aHE)9_LaE;g+VJOP5&*egRq4t7AFZpyTh zJNL=ZIz2)0=)CGhv$zRYt)c|af#pP+7oc0%%I2z`@WIzA$u2j8hWN7tW^%WBKw2z9 z)!5~P^M>);>0b`mPKRUB+SY2k8On#tazfy0<=AC|yKynbwMw=Iz0jE4wPMR;vT4NFC8nVLr z7s<{B;g(guhq}s9@Jy!b)2@sBn6xPI@F5O)z?j(nro$|Z&MF$JAN7XW->G zbI^nr*FhG_*?}!8;QVv9?4d4FdRwfEYv5Q1IG&P?Dd_Vlx$j8w_DJJ%gMNRcX}<;V z5ymfP-h?ylSOvq>!iP1ugli7nc~q0#M+aGIPloMzI+Ae?Ba*g64^rU|0PiE0@^Y)! z`c=xjap(C#6n?d9FKIJRVqNuH^T<|(nOt#T-V|*v;r$-d5T7A)$|3en!3~_1hhKvb z8$YcP9rmRc6?gsx&~SP8e*zjtVNk>{>e)uX>cOH^!E60bK!bJ6z~21EK2m9d7##iL zSygdb@sf-KSx!|`NPhx%yM$sKlu2URumxwHLAT3MVap}(2oq}C-{*;Y)E`ncC^f@D znfl~ULPJo!rvJYH8jdv@p+Dc#OZ#bIY-;QKXIJiuyMO*f(DE6i0Yd6GFgGlO z+m$$uTI!I@BQ^1=pKLD4dLg>xEnQ{opNRPD$S#G(Fb98a@oWvmv4h0rdVbcE-Zz!t zDdoD#&5d<}J9s+d>iw|V%QpD|e*hY2g~ZxvgO7$LeBzdE#DlRJ-{S;ai;t4RlVvkH zg~n~iKK%49E9g>=d&>OvE_w&QFR%s(1N)jzZGm=Q0D_aT**V1g|Kp~o89Uqj^WbOI zaMO`bcO6#pi{E=MNAv-*?3*7m1LUyJxX`peZ2)<1!79P(-l1(y} zm=v|li$oUrYrRwMRdk*ERd>Bpd~=gFN|floe{!lE6}5AZ*BDkySe(tWp1#1NUjSVR40dcJ$% zM20Z&Xth!*x07zGglbE5K`IiH=ggI@bJ)7yWNEv+A4bYZp>as1_A}#r$BilrNw+Mh zX!`3Z8HNx?=B$A&N~=Z8>oKlI-Dah3sFW zW6kh*$;uceO1w4cp`O|J6D)4uXRA#74lIj2^u0^4YuI8|8t|@oOxywiI&KI|SeBhj zbhE#V+r(a+GH|Ky;!ox-;W_*cCbfG6J!Z6FW4QRzi}iarq)2_-R{9!pvGjZOb?#pK zY)|>KwlInPsO|?;-47@kpiIm)z#Mt_=Ut$3c)mahdE%vUoW zvk1Wt{6mbCUt(Cw?d`;mD+jJ02C>AcB0FS=|Mf>D)8hrSy2iQnUNMm6s} zQW$XZJ6h(oYwE&Lp5=RJU_g}f@oNLc1`q_UkEOfbeus*_7Qw#zCzIrY`&G*Z%6R<$ z%!x?<51fbqrhjrG1S>@Q#;NHe{sj|}7gC<~<%$5`=}l+JM;l`dt=EM*Ycj^LDxZ2* zO0XX+ofMM~bhduJ+9YjfOut+Dadj`+}QbIS{n-y}CY2)qTos^y17YB0&-@A=6^k7p}&%f%tD)Q}(0?{kO)m=P$ zy|X80p1R$BIB%D}cM9b%^=<1ysgQkCsGp{%!gm@jQ-_*%-B3=F<_n$mT0cua7K-;v zSv)Jlp}KZ~;`J;~A6J6O!=Z$Bu{pQ7my5CQN3?2^e-|{?Aq_ZuU2yoS%Ym+%38A`t zM`LWL#RPIBPOHUQh5jJsq9V7e6i^Z!Vm_rtq(m#=F1K-;ngm7d)6Z2Y!F6TccJk>r zCo`Kee*!mKEKY8dNl%*;5Ac5Op!>pd62BSRp<~<<`G~&|43VK8jnFW!1DKebIl_8e z>t5#N-cw)rhGM8zhaSFgQn%v@?^}I-^@ri^PM&8luD)$y>E!l{eq^BVt@;*)wtPkI zwbpYiO1vZ#8@*#c%xCOZ`Vbh@g&ncVuS-*Ifb%Xecuevaf}&a8CI)dH5~d_(e!xYo z+wuA3RLp)YYjq2L=9nZ~{Fw946*T=hcHp5C8Z3j0)4CG_iC)KJaz2FAy~FNsT7LNQ z67RTdoJqw-!1V+j)0ZjE58-Vh@x^i_M|MU+l|VuC>$8;}GXl)55VxLypr81;@`=QE zhg_*v%W;(sB{~v9cAC26k}2)YwK=OLOm4N?4tS5DZ9sm}KFq3mDR@pks&y#vu^_Vn zs~bwg0I3|yU^%RlF#J{8A+<9@7m$0~<`dVQ)BbZ-nV3mW{zoq8UsSk7{L!m<^Qq&9 z`KDeo0t)owrjR2<-vgt1TWm*HyXthYVU@&A4q0|b^vB_3mdTHz_;=>pbUe6dzFcqH5&Vl@!Ejj9#Q~<$ zdj+6xU#D1;2=m6~-}cCDqg5qs^Fe`B+7|nSWn3R%c?aXbj>q4J0DR{9=-G6AT zE`_HwXcj)fvMrK%r9IzG#>n^Q0q`r1osHnZ#phed!o!bz$(LRrM);vAzfRtfZ zHA7;G|Kj6{4>e8Kycd%g)hK=CrH+)QLuxO(Y5LX;y}si$<*uK~;W+TjG1w4Q+-I6W z?MsejX||M=R&~eFipnY`Pc`}M^sg9qz~U?0!%c1?#Z&E}8g@&+bL@N0?8KdNL;2Vp zK3{{n-1p1kj9pUr*{n{0?tObJtZzFuUOQYM_F>ZFRe^Q+huv?eXT>Yj@9!Sv`vujb z?89_4x1J+qwZXT(Wh9T*IL-)pL_5_eJqz-V-Yp-G&tJ^YJh-JWy8mf{>B3v5p_}@p z7AZR!4ddozJq@Hz4R_M5ZjWBw=_{Y=g0Q!zz3{Pm{Pld2ttzT8DA3_w(j*zYG+Y1m z30-aJ*PSIMR{S8Allv9%&7230e9`c5SG~_a0M|^i<()6xBDq{6Z1`UlqJ--bskXuo z99cH(&3%6pS51%wGKQO;oc2&8v_*QN${FL4R{M}BF&m+lE;c{566U=AZ=TYXz_XvR zw+CqtX`a-bC^fdv7A2aYtxZ6YY%RUoY{MT90?>ta`QknGN7njAe5bl87fYHP-aru!kJ~cs$rmj zukUs?A1_}e415Z?cl_b=8v!hO@3n1;MphOZ)QBYVKK%kvM^W8s_2kACf#*W6imH=` zO^>lydA|J;bNv+aD%rq>E=PH=HZk1cpx3z8AsGc%nG#&pR3Wu5bxTk5j4tCnyK1r- zB}jFT@d`w<&)wuXw_^%<>2R-%>Uxu#MOV8_&?@%D6`^hW5!>@+8>OQz?lmPlLkyGF z>xbHBd{2^Qc%=?Vws<{E-sRd$_S;f5Ll?$kl(9j?Maf{(Pl}n-1f~+*ug_yydz_c2 z+ByXtmEUH=?45lL5*MdhkBDc3zP+H&V2_U$#CYNnoy~-KJ^-+&?~Yo?w+i=zFiL-w zhBNsoJe8|2bvAOM8icY3$+EeJaJ`&85+9F&t{}6ht{=$j?lno*i8N-zy?G1mNMSe$ z=InVB`xUhrgdQpXc0wFNmcIw~#E&nVjIL($`F3o~7 ze?c{Lk;x9bkL?+=f7!c#BR~A}w}vmuhnTgd^R*uZ?tr$pwiP z0&_UCd_?exG{{K0zkZ(B8<7zG#rmkm{|r`>bqLYlM0FZ2J3#!(?)#^A5aSzD^S96W zWwE6?Uz##5-K4CkM8JMSj-1c>ZM^+6v{Tt5LScdl3FGr2kL;f*#$GhCNWS(~FyXB# z_1(}%NaJg>>(7l>Q>&%BpKHQgpvf|Ar>S}Opkd3<{)?a=GRAA1sCu4PJIHYB?;4tx zFUeq{ou69%1+~zS#~N}M1@~V<-|{FN@N-yHlQLn2w`JlndOz_-yMkl`Q#w=?&K}#SfPze|9?NLzyAIF zbJ#Yo>eSQZ-G9p)_^$-ssM&aYJjmu?Ekbw*nH1$Tpe4$m9LPp~mCe;@iSo zukMxrONu5r6c5byy$YG{H=@9lfI_&vPw8v``3^~Z?K{-;%mG>irfQAQGv>of^fv_e7Ydq2B2y2LIX!@uW?`5@@wrLQ#LbPId!ZAibOkoux!uK|E+lcztUFw_tB2 z-3!w{{qJ~Qm+(i~Pbb~@{@n22))OsYlq|$92t~hp&W&l)?gyZrQ5f0eKz;M$p|*>W zk`O#~15=_l6@UC$QrH(d&a_DIn|I*DJn|+^ta*kgFnh$k zFJr)a)5mySed-W=Ma}sowbROufNGsJfkRWD-gzRH0OfN@FqH5swm_58iB%7)g%>wN zxAxO+&+=nzJ4bZ_p^jZv3(8AtV6YSIBL!`SuA&Alybzmr{k zY;{|6syW&L;C)BOnZ!_%&Q&s!aHZX%G;`AD$LPEHIK1;hUH@iNYB| zXK(Yv7)Yz5AfFcB1~##e9)2mq{T9r1!1!rKQGavOq9;Z+^xyoon}RWyG_f%^bU*!cKn|}%y?O-+9hkA!feBEx_@^Qq*8-&!jR&2P zLBHU?M4H3<6`n&iYa!H8tV6K0r`s1K+;teF>pX;j{kGHhzkOx043$eg$na(TYybc2 z)opjF96;HHU>?%`@u|Wn zRQaIU5S!nvwnPz#)?IUhRK4LESskD`PdWW<(Z!*1=DL8Xc@-JUt{<>*02AR2>(;)2 zLeJnuQw9UhIg?2r1V5{b;A{mJs_%Z7p1EIw!-lkcGx&ag3QVTQ>+pk`nu&7SfoyI8 zWUtiWI;U3xt*e%0RYN=F4pV&hs)!to0gr*)gBqhsYiUragWN;#kFj3M(%C6Ju7 zU~WEhPO8nPY1*zxbcFKk0esTz$AD8XF!KvwH+emWf5&OCwA1bOxCJh%ho@}eHvUd2 zaLc}q3y=jC2ySj>9rr|Pe`Lo#K!eKT5ep+?Ix!vO4zEXVlMhu~ zsTAEZU&vY{$p#;Klo~=-Vo$XJK=)pIrRH9mr8UFgR4V>sclT?2@7%ZiT=!P3gP|(_ zDNh~-b2@)ds*M{BG?^-4El4p+;8*ltunG{v_ZkmO(7YnTB3FMqAcke5F-M?d1U_~S z=!p8Gy~hil)l(>{`+)#uJmrQ^^T5Hv=Vn%xeQF*Vq6$d2ke{y}xn2+L^&R{R%XzI< zcCn|!AD(QOtcP=!YQQ7BgUxetyt0MR9Z4j=Yt+CRCnqXDf63&p@p(c758$Vt(;1yu;Tc z`3K%wivl`>V&GI4nSh6p-@$T*jJ{OsRt6$UwO(HW__AJXOyZSSF<+4l1Rj^%+c3}H zh4xtNN~B}X4jg$ph)~LEL!-!e$&`8%iLZ4dNcryq%w}lQb3cKb)x!{E-N*Gx=Z(!5 zMIH-7bm%7#S(lR2+eJIAQrGU&JE=Qy*MeJmCuW2+;5`WFE75?bxV>KX@T7>UYtOIM0)qzXqS^8pQp4>R;7PckeIbkxlTI7%Mq?P8R@g8yT-zwz1tHx8A$R! z9}>a|AQ}NXfcvaOfC~Z%-O=bgv8|zV5iYf!i=yI{0|T)tY|_4d@xozD{cv9>l>)5+ zak>?Nyeah12MJw(#uV{Dg5fW61#jF6ZRo*A@B;Q~uLB@a3|`Ya3nGJ%<19d&r#^fS zNqQ7?-tt3Y(QPS8*sBd>uA{s2DRNaq`ZmETd~=MFn<_}BBhok2AZlBhKXIw&+TQC$t6SD?wj#`pnP_fDS=;Q?rxZ zVZlo2&6G((jwx-2)2?ji_Z}uSZBCRu_hg$NJe&={m0{fVKSiRkKd=5;e{+bINxzgSj8`2P)hkkR7AUQEFdeMdYWeB(xgz4mHS$}bluxR+Kb_8=lt5_=^~ME9QLYnk>DOLV z^5l!6Y$4{FlgJdFcScR}Y98&b7;ZvjMxd(u5Vm&BB8SGu=_AurE{Hdf;_A#+SdITZ z2fAg&%$nonmZ5tJqh*vr1GX=+CarADP8UgVp`VUm$?K&R(Ki~Vj!-9?_wAjt>DLqG zGPrQ7)Fg5C%7ASvh4h=9z30D<^K>(2({{VCx`IvAC%52e_3_F`G;yE4Vgsf5PDBI@ z%V|Zqe5hxvMoVxSoRhY~-5}0fxxNPUj*1(e2g43;DCx_mDc$IuHd`-!_F+z*8*vaf z4X(+F+0V9M=@%v5d{;NrhAHZqf$+<(d-f&ZJ5IEr^`4`D)*l;4cZhN| z#LmDIbT)yA<xI`Pmbzjo4~aS-3#KNU5Mi&D5AZD+ z`8o1QRHMyFeE_-?;I#!4H1h~fF_ZdwixUgJPKo@QNcr0HF6j-c3m0Avs}pIWeBa5v z5iR+`$J(7RWirAr_Op6I*~<7Fiz@zCftlrP3nOMXXWu1`!RQgWBvCF}DwON9J(A`# zhfJg!4Tp}MS0{BNj({J8^`*o2?eh1q@_=f;<|k5zHu{u*yTlrqhBWpJnxzM4WoIs^ zYHgf;8ORYPI{bP)vj7j(Pw1wVW%=S@M3Jk&}$9FoE9ckwzWrnEgIFyx2j zC_c7ctr3^!>kNp%$0_(~%0pc&YHgjCP;A}^P@aoQ4V8ck!PKfZzv&( zN6ioQIVk{vK;5tL7#s-a+;q}XsVll`!>3kgJCiU+fyaq8Oi^fid!?+4XZ%fhr-FAndq|ajB^K>z=6T`o248NEWwIb^Xf^vB zOm*TRoya_9(C8}m5FD?TlXu&#M9>ctUtdV@WF;ylOI6p}$EL}f%nUIlL^J(_&diL* z?n%DE1#2P;=L9gZoXEcN(xI8!u*=u73$E`_4cv$i`Wo4H=fZl(V^@dxHrETmKTU5B zzONRCBuZlgnL6jF?P+#BO8hge)t@MDIV>cvcO(U9T+0y(H6@&>d7Lj8;*q;=`h!eP zo9BZ&a)k8_czic$g}ci^u#_q39T--l8o#})*<{BLJS0gSnwL>?zcu|FvfLpLMujl6Ko zy`beVn&GuxV0E^SRCbXKuQjLndVKdDy?}7V)QCc!INE#&5Jxegf6e^ zGO{-HtrDHo%$xY>u(R*qlS{5UzaZAQ7|w}iCbTknY6Wbgs>Kau#t3is=?#hZ=ZseA z_68oGV_mssOvjzKaG2Ao)z)>NXmjhfM*+9o~6|uEBoo(s83iVG=5rl%n7E)6`3Xlcseg!g{ zKvBoU7HxwA&2M1Jx0}BY;D>kq&MsjW>`QQF-w5y1b=3s8z398nH*U7QbpHKbs-XRf zby>*k^Q-4>-4edcaTVUB3}GY_~Cz_rLA8LD0cH}lc?zXTsJGy7m|E!0!vpE z0WvfJkO4SG;$1Q_J*;$d;@93(<>F?2Yf%lf(VsM2gkjcVU6AoyrQz z>S*r1-Rs;+oJ}Kj%n*>>Tm@98Xrm$JTfi~k_J-Mh=V9$v&hkk*{~+PCOBc#xl7qnl zV}-|9J%xXF2I*RJ~$KTo}6{m(E(TH{e(?`IqMn z@>Q}(m+jura&CKd(Jnt1K5jG07ky$HJ|dAnt z@yz8yF(9o?nBZ;Ov`!p zz$MGMC9RN>m?T@}?9(nUrs9n1%@4~>h^tQ}?!hw)+`ZGHn`gR?^Fun*u9C|pqPPzd1*}Pd;80y zjNvhZ^9Lad4ZDn)!dxsTk6Pe>puk4ki zsK#uNk`%k!^_N$2ik<|7C*TfNY^UQKu6W^+l6U>>=xYg^T&TCo6&3V!_Y%X^FEyc& z*VTqnh+V3z2i4=pRpYx@RO)efF8Zw88<;qht8wM6z4-YyoJwm%us-&EE8bLDhh_J3@D0JrYb;wK0D`A%s!<6q`M z_W?JtEg@F#0nv_pynlj<&29U$4+N_+Me6;oi+??^RuTV;1%TF3<5t`BYc78xxaycj zir?I7mL3v4g}_Rdz8yyzB>p#hP4ia{v*4AS6NxrVB{ ziNs5lvxN6c?hj+2U6ozdOB)QMT}skN`EEQGLgrefxywrk9)UOiFFe9}UNJ-Ntr~yp zOjRxo>tx|knrWm>k~o{6N#iQoJ_UgyL@P<7n?mb_9H%{4xcZlPw9{*X4itJ8Ab6w6 zbD3e8r#soI_9@~JkL-;-thh2m;u4*Uq@pgMQ_J?4a_XJ9GQTiv`&Bu-(RGp!&{{1= z`oHYf5YlRhr3_IWN|R^Dm>q8{_@3N*9im5CC>5h?;^RUVHggP=6r zqxntkCIy_YyU+>vtiUrnXll>y z0g6rAv7(c*qCb8|hSL6Wy_Cv^p|1Uc-n4Vzn6*UKycEOofY`>B9O>X*)^}I~1FI=M zSYB7K4lQIkiO+52?v!1YCfVo%z_5Br!*;Kq&d&!hweytzo6#k+h6#bds8(L`uCcwE z28t;{cMgJ0CHH+#E4FGmaM-CS>PA}tQCE+q#$B9~mU74{yyRLZVYaQK_ft7Ry~`JH z;YsH&5-M5HL;$OLX~Z)3)$E^EzpS}%o0FDeC^sXE#9Iz?MgH>Hhj45TkU+i3rpQyn zC}d78p5zJr8n9K(E)!xe^*AWTJpLB+sg$%QkhLHc6Q|^AP!`c+rRDyrdjQ}KzRacK z^UTr2sgt5a>TMLt69k$SJ+G4GK|<>(_oBr}tegR}Iw>_gOl-&Ak;vYoiyt!u?U&oX ze&75sLuh>gc8E}2x|JT7>Q04ovU~-XK3*lA&)3!f5q_*d`XD?~p{!BpvM;%Bj30lL zVO+G)pd5XnL`fZz_eEBr23+r}I5AzIq^3g7Leb(iSSgZP1CQT&!+hYDC(pC>zAB3G zYVc?KkNv8!=q?0%C@;y>>q`^UA^YIPa zs-z5|co@O9Dr>J{RJ->^S>V?rqgVSBA*R&2$3Sn_TCBDLCbCXeoCO_fGq&#Thu7@d zH2LHoi8)VM+_2+*YFlw}5>ga7YWORpwmVbGc30xtZcVxdu~665xr95}zlOQ|ity(@ znFdZf8X(X1Ur|m~devr#Z8exdmyet?`?_yb7{dEi>QA15K`6pA2(1I2!CfG4py9VrwPrYqQulY)kVHL9DKXzH#FT@>jv& zkFv|*p<9__4isM5jdXu|bc@=t=*|Vh_f^Y{q$edIZntx~iL05rKj3kSx}#s)FK0N` zigGrmT{GIf3jtC+*NPo9a;UY%9A9~|vwVQ{c)Ka(rUsrQ(t?bnlKE=hUgH`118pF4 zRO{J*IyNAc+3@D&j;M*I<|HG&L($PDI zSne)~tPOE)@u&DUT*_)W^)wOQ=u@eMLr+4b>wp7yqt)kPHJmJC$X$D_(QlWANkWBE zQ(Ki%10{wsG!>uo_${JGE|*Auas72T(Oi5f2jhj?&_Cb>4f-ig0}N#Jw%oVw8eOVa zp|P#N!s5~YWUqQgtq1Q!ZQLigohbymi)}5(iwy&wQS{v)Ji;ba7roS1+vjq*Ow%(; zg+Il)O0usuFH*9$u6l(BUn>PG37HdL3ni{t>4pjJjVM~tVY|4|4l6n|BV$NooK1uB z@D=vDS-?v(PhkaK9m`bW)NDV;;{4&}aFg}Kx>(t;g%$K8DS1$GJ}=hWoJwG{w8JDV zn){{LBh4K$c)XuK2SD$hktD*nnOtuG+{ce<+0d62{akt?uHFbD2BNhPxSnYX07y4c zhrY%2SbNUm4~E4F<$g%>`6%RL>;>Up-qhF+3X-`Z5aYfz`{5i}m%=3{^(PkDSKWP$ z2~Hn4ofM5PX`PY`e!T!&n8b!5Jr+8*Joh-C*z;qz?xVjGg#!-dGZ#Rb=G&-xPaB)E z$7iodp@)rN3Id~wc*6QSA<^lbS~~g3Ux+Y~GQ9lQw!3e~(Cz><8++Ls@s*l}8aHk* zKa*qAD(5R!WLHd%uOKfb<}|Sze=5fcMCzcLHA+48VGnlI)!tP;%T;ClwL0@)=C8X>cQ_=i5UUrtcjw4hujHGv znc4SqicV`Wp5FP3RRH7sT^Q5eGDIGjlz*@a{+QQ&fqA`am%hav_O>d+k_4z=6mSDU zDs<5sZt@fZI07zZwbOPPkMAcbL^}^-d+JQrS!hLg866(_7(qWYci@kAKvxxwUPeOn zaE$YnB8F!$CkrE&x$QTwO0a$)-V-+U{mW`>TAv=R6gs?~^ncE08BPr+e1t}TZ@z+r za>lZi;zoA{rOQyY4z~2Y9b3~MW96ikXs}+CFteEVZ^sgjC3#kE_f>F*475$Zt8=p0 z&^U`Je<$XkST554%1ygi*Ypuyi>`cgoGcDU+@ViiJ-2)8K$X`6mkVd15xc*p&PAL% z<}(k25(M|^wByHVLyz{sw>k>e;^Z=CXmZZ@!7jZB%k6vP>{d&_DNeg>k;FbjtQR)% z1!g^V4gr{=gB0SwUZUc4^|6VJcD$$e96Yy*5|G^wkk>C;E)IUwm1FEdp?BYh*z+sh z#+SUd^bHCxEO)7>k&;|s5;WleVE?XlVs{ix-u>nxoW$=I9Qr1eD4;-wbvfc=nz-}} zW~^xHdmq;Uw!mYs031Pjw;U=$7#vRybIVTN!k5$C{X8{7O8NZ_2#n|Bo1|Fp0tRc$ z*Jf2%Fl#A`e2y?IdFZmg;V1qEL;927h_A?RY3SqMu?sY^JBqbR*&x(uW^m?5M@Juq z9L$0;_u&YRvwNdp%K(jIWEAQ1Fj{#z=e5D*ww9Av2$h?c3MVURU6Rqk$=|cvxO0R! z)JJX?EGNb?SbP}$gjI4$iB{D;mAgPF?Om{wLKQj%j6WAh-5%{P-6sPj$r&YF$vg3FEAYBOwn z70H#SuvQ!}uw-f~p2}&dOVe-f1@MyW{1E6!w2z9$9$nd-s(C$7^gT(*g*$)jo8kHC z69@ozxg!w`J?i4i*(_q5ty`G*C5TY0Oh~d@W zf7QAAaui?18ukm*iMeR$p9UHfbmH#S!>klB#{e%W_Tdh=fc!WT@0W6>3!GvLQD-E_ z>3@XZ)fh;He8u)wcJ9RG& z!9=zQWs5s4W*{Sz;?i}(|2Qr%1>W_xu?~W9@&l)AJmAs!V@F$`P73gkwC4({lS3O% zpyx|tLwiL##;&k8#Ji?HXvI0tW~+`M5%jIooI;CI0+-6iU80ihOisyV?!vJA$>)1e z%YnEME{%*H%8Kq;)yN~lHTgaXgOpL@!AdIOpm?H*Uwxoy#TsK00ap_DM7@hO=j+i` z>mnXpIfA#m7Az8onW5}^;Ixa`C$!oLrhUyU)@M;p0 zu{d56%nlN@jnte#ZV*IvFGr0;0XBR6Km@ICx+D;+j(uT5Ii=VSI9x znFQ-7_YK^08W^jolGSthqb=9ECHq~;W)<6eJii2yN-4UQ^m@B%wX#+9Lmw-8TeW$V z`*eSA(nQ>Ac$5-Qs|Up4je4A-R>!q@2Z;J8Ho+$%4dW!&6y1czV)H@U;ZU>2jAwB! zkBW@ybHmRDZtox{SxoJgp?wdy#T+RqA9gCp8@zfw-u&pQYyZ=1UfcWK$6-gw><*8l z<|UG-XU|A&)-A;f6j_bvw4(^V!U!x2yrd2{&*hT0b%X_Tv%7 zJxzA)IX4_t_}soc>{Py33%8|{EmJuYP$7%soh%VThTfsTDI|ibgd)uG#}|9C_4yHvk|&=Tc*AHxkJ5TBOy)=7tx%Y>N?qfb1C$n4H{*r1JqWI$j_I z&SKu;Pe~lhTXFT?g8}Uv!BxZLLbf3!e6R#ISBq92OIV?ZT9ovWT_6;+}L! z-UZ)xg)u$9Rb)cfWmTKY_pu>PB@({-lF^@iMkgP)&v~w@>h@}nea&RF42P&y+rR_% zZ<=k_LrSfcZ54PumqodLWYFme3;amtRtsP&PF$o7u2f}RCElSrhJz=GO}zxr9k1bJ z-}%YBP{(`bfrJv>GUx!j^>=?lA=V2mTplLpO$V^dVTaFeoZS@yFT->sMjRUUL0s;T?!E%nqa-!qKP= z4pkL6^EA^dHiIn(_ixYue++J9+69Eh2r-3CTQE39vFT&&@Pb2|%~e@@`}^UwOa2c$ z0JvM2W}IQJmiiAoz%^^Y1MqXz&{7u3{s9LNw9{GK0XTsD&o8wz+(Vb^*SOC`(g>@| z<6t|UB8bFim$*Z_-9XmC_W_151$ws}1^Ih-RQS8d7Q^kmGh;ZyW7;B;?g1wUb)Sd^ zde07bH>{V%!IWbDCmlc$^DEMR19Sj*n4cOCSQlNN8KLGsQ2#GFz!RX)aZ11q^|By4 zihz&Ubjif-?dy-RDraBG%;KFylF`Nlek3ywcOGgYI9HIn0o~abR6pK?+I!unq#{UnHz-O;NN$OZAdQrCH%bc9Eg{k^-J#@`E@?Ib z(w&}rJM+x*#+iAawa)ox7Bk8$*!#Ed`y1EwxxmL;ukFFk8Q>7Mrda^`hvITdKf>&>xiA4LcvT1<-*w24jkfwt zb-i57HV_-u%p8EsD+A}PiNWw$VD3hS$T|2bD~(oaIgp~VR%pN7s;w?3JW-zpB0HM1 zIz*OF1Y1k)isg4PMXQITrii@j+WT?u;xY0O#oIA1FrwxBE;X#^eqdzF2nO$9odl%w0E>=5H705~YSuh7u@Yf3n{f`uDzS}re+!W7dz>`>Nhr8i% z$S#%C1JmQnZIq|9qf4{|hk0jw05!eRdkxh!H=2I9p@K(^- zIoHAV#{>7TjEMmRF{#@GR|O79sOZhry43UiGYafsY0gmdH$XQyCt3|ev~I(+<98q0 z32-vSFu5i@-2LA8S?eC^MV>U%&V6tYhsW;#%8_!lSrzX%ND;NpGtY4Exg^{G!k9PS zW@%!sr48WI$L?qx;88xn4TP?290!J=j;^3nHl`8xxpG6}h|ncxbOw)A?1WCqMpoW4 zAIw1O{=C~qAcjWcENuKWu-|wLVg;sdfBe4|Pa~k08SIFCkLIK^Whw$fz7D@K5Mo8% z2TjH^7-}G%LT=!B1t_kjh_4O=6v=Wbh#@ymMK>6ofm?ocOB`TqB;sb&kO`a;cudO^QkfHN&Oi{ibb$j7KBNpULzI0~rOT7Bnqq$N&F>JK&%BABw-1l)IUiGKiG;6UO%frV89)1Uq^=Kvc}L|^w)Y|jVu z7h}NSQA)4h3`Uxlp-tr^Bzpw1N;5!qQ1nz}jYO)i@l|&44yg2xhPX=gY?xL&y4^z2 zzkw_sfwKP>RY)Z<3#MlMstxa!Xc}(|-eDd{?;DuCb|jj|(-noQYeC z72GgvOeinz{=%!U*Kz|lO{upRzvGPMNB7C_Pn6Uq z=3pGgV!`PLjQb!u+W=(J0porO)^Fp!IcD`OI)-}5piVazEWaEHjiQQa@{Qg@e-h3_ z%S!Bz-QEC7rZ4{=3cmTLOobA+ymfQk?G5q6U%n>lZw#L zXvV!zcQQKjrHeN29^ZtJtbOna{t3h?e5ZOL5=zU$8RP`Qi%3ds1e1*XdjyocU1Fgv zu+{ZU-<=X)BhPJtUCJ?EZ5C7Sba->;t`Wygt<|{VlKbeG@Y}paew zUc=z4+W~aAGssWD+5aowb&Vkljf&6J;}CH9$($M>OP^_k3zS?S)W-W1MfY%(M8SP6H{+MJAkUM zT^!T%MU*we6Smgj_TwTU;*uubEP=zd zfBEPGb^n`>-uIWcdGgwyKKh}@kY};Z)Eg=v(W**TAc67j!n<6LXAgtL#4V#JThAPa zjeR5_XYDUGqh&bwmzX~l8gV?l?H+wN%jKK1Gx;NHmE$lpxJG-Oy7co40}#bi&=5DT zQ$4W)d(r1TJmi=j>JyT#L|GQ>E}Oh4tqpd)x2kL*_uNbyu_Y*+%V1Okz(+r^J6$?N zc7Xdq%G7~$soRplZc996oqs5rC#&Z4fBEQ7LAxzFt7lUjv^uh%-7?8Q+ zUiQgwDI|7bgE0*EF9i?BpQY_o|Z*rC7)syU@r=NFjxi zinRu+R`7L%aZNf7x7vx(0XBtI;%O;taS{W0c;#4A?)TBSmw@>?SX(7YEir#Q4xYG? zmA(pOm3T>si5ndqoOsg4mewq^GqPC>)r1(&mJoCx20ihr1P>E2by^F_;E*nm#Dx>- zq+zYDFZs)@VzMw(YS75y`#U&ZI0xNKF*M}%Ovzh^?i749)g;Dlan0f)&Dn6k%;<@G)KLt=Ve$j7YiB(=@WD@mN_HrB9!b7_~#<|ALsiqJ2-y8pMKZDkisrn*Pk& z{#v$QaKI;F`H%M&!`4M%7dYHm1CB^e<- z4=FdFe9)+G1zOjPT1jGz>cP&d*Y8p6EHkJR2>0}LC-o<+?`P6wJnPKRa%gqXOWZrW zXhj4nj?fX3mS|PLj-6A0u#KSRY!+cMy=TMVbT>mQ+cy0ljq3=L%c3tT>s`MMow6E9 z)}(pC!FQLvt6YM^Q21w{HaSpR<{pp&D}e8OM%XfnC3?Iup8?**UswtmnUY&CG%}YP zb*nx17gCK=eJrSMjrtd_1&zHfqpk^sCdoPTpoqUdpvEM`qKO zpTD!uuBkc=WO+>sQM%M*CkdzdmgJ51Ve?g&?!UTU2+aZxi3~p;<j=qTeQeE9{Sav+ z@iHS)v{H9{=_WMVgGnW2HCefPZU?fEE#aUX!xYYQuk4y}TXr_Kp@2uDDBa5?+QN*w)9O4G4;o%0=*z$ANTS3lt{<#R;t>x9qF3 z7}v2k*1V_K?|pShmSopwbv?%ot0zF-P?!TiCgd%9J;PYX5#@Ws(YWN#b?PS+xru$i zz07#iMmU^+xV%TG5{X^&fZuT5n_~D%0Tp@QCct_V;D59e^&J(KJz}`GJwuJ$$Bx<7 zpGm3a`BtEhCWw-trsPb#J$qmWU`3B4inJS|i~p}Ou}>xI)_dcG##qL+97=?3q8cjm zzzK{UvF|v;Li{7uZE!W?M&W1T95hq9vd@7|wyfdx#)k&iUBg&7`;mGovL+%flsQQl z#AXLK&}Y?ww8bKjm{$NCNvg(yg)=lk-|6WC4?n3?76SjPCzViz9(sEV3_LqxnbZLB z+nveL&G2*b(>#E%*D}6&)?3_!zas>iYB$qj{((_on@WKnN5f!}AExU}n#CPQl<Xhlj^?tP@3LB?=69_02PE& z%fIqACUG14^I-O*|ID_U#fqglhU%_GWSsM-5im<0iyd@rpu?K8y8i#mNA3W8zTX25?*`YW)A#^0_Ompn7-o`z#^+VQnLR`7C6GV2YP{Ay)-RtFncZeKj(eFM}f|9 zNNC(!aQByGfBaUP!v0{~q6SXDd)0||Y|8zqcuk-DaG?FmVfr6_@gNfXf0b5x=l&8UeO;_ewftB@d)3)??X201}pshTlLCodHu-S@Z2u9_8djbI>0bxs1N?_k-_1k-y zExWsBO{w&M*ct!j#rqNqUgE0U!G=Gd$A3Ks|M|aeqTZU}C?)>*F8x1zSO524`w}ZH z2caJ(68it(DaS#)f8;}VFaKdU{m*|C!vc);C}y0aRC<*E!4va0pU*L2e|dpVnSaEc%0ax?P=ye zQ3n6}#r*5P6c`}m0q^akK6sF=KV!)ES5PMY+sn=EIHH7je8y$60DHG0K*#&?L<`LA z%$@m@O6dJPz=UWk^5*)o2#AT~V+{ZUg%nj_<4IO5Dgs{XJfgt7mdb54_5fkVTI)QD zkru(UFVVy=WRF8U^l$G0<&jhYAQ*LAh7r=S)L2hGt+87$aTda4ZV2-h=tAhp8Um?mkvQiOnniB5{do_P<)jEV}=As z->&L%&vaYH68M+d`(RNn8*FV2(-A&cts-sz72ahq>e3h%Ka5BLD|p0Ya~yy%?#AgZ zq2LQk8vtfU3p?q;b>uDS>|a_WdMX$ZK>6DhbXGXY8V zEJ9fZS>Op2NahfZ-}3}I$1e<<0XUprLW>4Rfo4q?FKK)N-Y}5?xx?oi>C18Sac&FG zDp5fYJL?OCmLpRO z=YG!-Yg95${epRLReF5}7M-f5Rw@Z@TlVh=B?a*Q2~iH(Cu5GyB(V^q zliiU)d^P|^i}flQKlMBK_z2`|Hq*g52hY=)rnjzR!qE1BKU&uW4$Qr-HndCylF0gO zS_>iyRgb*1RpOZX@A@BMA+Wz0god%P721e>eeF$Ejl1bQnvuEnJqyORh{&&?N-OL0lFg(pj z|8F0MTSO1uN&{o=IM}_W4mWNV7QwIoZR6HVXhR^GfPRE>7SqDjZm!P3rUA&=(1N&h zAeQ%?r;I~C0h?i0d-0LI~YA(&Xqk7_gnpD(LLDB!08 z*z{_&_(9nC((3X!-d;G}WH2QUsxH(mkLpuC7XE6Bv$8?Y*6F8o0e{3ZwD`QT${%_Zz zza!C)$uc?>wFF}B{y+c3p9oW$&vbn#UFpG+ub%OTEAWvyGwRxH0h}By=j|B*I^RB) zk8a4`zzL%&xdTo&O$3z_kum>1nopvrq&5Z6f&vi>@G(Qr?Yx=Kc6PKwm#RP?q?!r` z8r2*qe9jdyWgZ8$CNWm(g}c=nIdYP5M-w+5{jV>8u(CQnBjmWC@h9uwo{KTk8ptql5%VExHW6i=RA8A8bB*A} z%NgW>#gA!W z+JQc1f^`LW`J8<8oj{AjhS`$x8@;dGmg?{iPoww!n1LJBkk@2@fDA=m2T#wQVG}~L zWfe@S{iPgjT#Ix-pnZ(Uuv8FC^-Dlr8aA93IBB#E@bD}LJA!e>AJciSCP(~(^`0+x zEBhNvG&~Zg+8JM?5(K_`P0A}!Z)*W)Rz*im!#DXmpR`LL!6!9I zC=bX@d_abQ;q+9*r+5*h0rSC>JjCi8(2?IybwPO2Muy^CW*ulhs%GvCu5ebF0`_U# z$7WMtgHl6~ORPYZ{mnqJar==FV{k+bcW54L@ZlpU=OwsZ#z8*zIIxcY7+i-%JuAEf z)a>>ljxy)SwLHSu#8G-!Ny`W04tB>ol}+0G3Cj-roUhx6W}{R$*6 zcn5pRbJRJO#WSM#ZU&_9} ze{Qn}PBPD#Np3S}{)Df#%8P?KD$0D3Umw_ujqMFyl!TvBSqje;?WYBuqSOuX2<7j; zS_E`yEg()Pb){ucW8M|{F$~V#ZJGtsI2EhS3l(c`yc4%czf&H!`Oc&=)mK+%``WJi z8A}MY(ehOrxG#4+4_g6`(HePD?$aw^4nN+xpMUZ=Vi-u1E5<$)2}&t9XM!CcHspa) zeQzoaA^~nNYrPey8<8Et{Ob2VW_YmL|3pM!Jf?Bhq|dnh_jlt0Cc@p%b?`WvwgjvL z-H$;I1bRzBFV-|P5O3@ab4Edw_`#PkLw+)k4|EIq!ti2nxSG_OLD+-#ZE%o< zlZI^M|JHQ#p%f_jklN7-T~F1upQi~seDDDFa%6Z6eR=4KA-H+wah&+<(tQ8r?PnJI zm$$!~=ilCb+NLxqaKw!NcW*z5p(*0f+yuKiEYt76x7jop00b1n#MO9=gtsYl+|G9z zrGTwJ<10r*GPrNil{ICQx`6y*IT@GDOpb(W+*lTOo#YO4ekYUY5X(?E*r3|cI$kiu z;1FxK1is-(!VO#$P}Z%lewlR*+adg%JyK<^dJHVfy<9Vw!Gz%(U1gpcLRA&29MBE+Z>3#g%ahHMbbs645pol`_GXvttOuDtf zr6*26uU-VCE}Ak$JzxQzDit-D`}|dXw^&AW#2)x2&39`+W`^JC_2QKu5UD+uVN=j> z1(?vnURqD~%(+atgWIGB052!^9qe{8_Bex(^iQRaNSV;%284c~?(hnP!oWRrWyexrZMH&?F2L`pGpX+sx$ypq3$9S?U%r9g9<5ks5+x#U zd=u&Ddvlm+GTCe9GeS#>D8SIT8?yy>T~Y++$XH-dQ4HL znr#azp#|p)RgYYzU8RpU$LZBpnMuA%DqP~u6DHlpHdH5o zJROjG=i^luYQBY#Qnr?MxfxXgeNGWTx48}LsR#HIhV%%mi-~tGo#P%Bw#s*$qp*n^ z{aW~SovFh#A9~jN?i7d^z*Ndvt2?9Y`s8DM%Sk`KFSBY!F#=<7e^B}|Vvia}zD~+y zC$LkDKs;{pe&})9`A@%=cKy13nMG1-=fqAvC>3(j15Yr8tcKHnN*~o~rNda-2h}#c z@6eUo6&RA`Ayle@IjozZZG7`0i~aT%BJ9_2r?q4cN%2x1`xlS2y` z88%fSL61>}YW?XD#0#lkug z9()fzqKPB$0zXuKrOm$&=a?*0vKs-`O25qS=S4zg#Ro_5Vj(harYpw|AG?MPCi7$; zQ{5KX0NBmLDfvgI$9OQTbQIj=Yt<2$`{ia}y$td{CRi+4CjUw@+6Yz<-9cx}O9 zm=gh+@%p{5R~crrx9$~l1a~ph@L2+LOLVerm+sh|oHsqe^Y#N@508MJfU)m+=|hXg zdEM#@)05$~-V27I4FX)p8BN0vj_nU|$h$}>-Ng|;Hnh5hWa?^qi0;V4ec*)5xouf; zSU$vaX;^HOS`_gzt~=@7Vb;wa)5qXx;$w9joUW5>eXLmfNxD0vn$7w`n*>xuC0o^g z()cFA1D4rYfHrWETN4wa^)8yL7s6sxcVbbpqiw{!&}rGO#3otHHEHNsk~n{*13oo0 zkaAx2*#SXohO@MrCj(p`78d|i08NNq2K}o+YJcS5OWpvfftSZNS;0ss)|k`sls(53 z@JcW3M|b)}e)ZKPuR=p=2+f}2dzP{No)jI-eGC? zQ(tkKCtHWV(|q;bzKz?}{Q#%Z^Cx4%x4j3ihd8*o>`yO$hOMKVD+`-`AvB*v=y;1V zG&Wyrw>|mWAwU5ND%B>rIjIB81wC#|gIGo11Ug?_Dr&Kb#dk_PZvN>TFRN{R)KZbF z1-+kO6C?f%UzYn0fG&B)u4Y?i$#mr%GxN*!U;vgufJ7)%u zQqq%48h!;^;FVFdJL@6+l+~UGz;udsbG`Y;#L_tw8JQ&C$gYNI*tzB2u6@Rta?nn2!6pKrb-#~HazQ=U|)RWwz_lT zmTrX;1^w$87xAII+MNmK1MlfDt*T>!dmJvPL`hI!Jr3 zYDiQ`o}A`ss#tX<>1LLo^m{SO5#Q!YTv$%pMWrbPqK9wbg-Sm0;5b$zB6PW#3Ic$o=2}`A6rec=8$EY(27xM~cp{QhbhOWBf@Dbm zQL8}rfuogk&LQ5n$t^@aY4?g#d6=N`%@pe%nYXM7Mr8Q-s;5ImK23|V8|aJk$My+2 zg9tLtJJEMgxye?&@QYYR7--muf<<)4-mL}Yz5Iuf$V=qNYC=o6Sq?N7pX)HMGyjgE zp&Sw({DwXvWY9jTF`$)Gtf~Bc2Q&9JE}s;kvOi@O!kOav75CX7w*U>Z7qa1$a2tBi z1_Dx>%*DF`)n*&$PBshz41_C^&ET&OlOA@;vj^QAksnX=PXlz&Xg|(UwQM@S79PXh zB(m-h;wuWiDNUuV`@Y%Rfh;zY@@W$nS+NT+kDmBG%WGAK#9- zC>lVy4gBj8E99g(I`7BM8#1%rh z0`@^5SFxW@EKEgV)Sm{tHXyl@(&c3?ig{~gK8V+0;dt;g#S;38 z*b~eozoTr4_-{k1$^+b^DwRvM(Qx->7pUCYR z;*3_syC6V!pUDJf{p%^WlB(0{GuqClKwfjxIhF}_{#%vMLju0+x?M%EExcq&VoStF zp3wC?-vLbd6J?J}nGKe)|i+{BYBVMBh68&^TGPrU*1@y`Pa>* zr?pU%4vfmX*(p4lj$5j$o;^bg`xv{PQLV?+162)oXg6m*OPYe5*u|$Y@ zxqKv*`TIMw2;j`b5YE z);?%`9}~l7>`|~l^G_Eh2Bsb*=BxwmVSF@jp8?{(N0h0RVVRb66T{yanDrV%bnQ$< zQ*+P?9X$fa_}p`XRnja!+#Th{g1jPL9mypaz_DU@1AFB^4%(2Iz;n3lpkkhF&ug$& zN)Wl*Eb?wt)@`U3=nkcz`P613vBH*y%0_kP9yLfHQoaEF?JeeJhPD67VDP0hYoKKk z8@y>N6L=gXsG34~bZC|R_~W^Ji5|CF%e)N%hfzwr{5dz*4lf?ozW@x2K$hm3z@-v% zX*@%cJlt4Gxk)nf=wsk1)LGqk<`>Y%S)=WZ6UsX#H}7+VGmhK~Y^sQ(4Q zaOOv6jmjZSGD9+80FfT#^QTJq^0JbOiJ&G+mcAdTmZ-Tu7NP~BY{WjyMX-&SOFUfx z(+J3OM^@9~?5pdg*G!MXjq{ugwmqL$$F=t)_Q_FhH zJ;`1loZN?NdLtn#8A#F)BG?~)Dpk!oTroleTL3lz3Hgv^oQCFKsPx zd( zSg+yWle+oYFCF%~u#S{@x(N%Qb*yuh8l}_K-QK%g_Xv6aGR2s~^d~#U+BiA!Ds=Pk z(3hND7y6>l*ykX6iG27(H!j6t&*UciZ(+3l7f+>M;z?U`V>cC#Qt=WA$XP?a7GPx$Q9^xZEMh0DDDudKb?p^A!pU4?}yDOLwY+AW;|Y| zGWC3*nv8wx48#GKtboq1BI=%6X)Olpg~VOF`O?aMo>1e%(I(022|Ateb74%E)QuYL z*{h0T3BvghHUDW^Oyc?=#+S3@ESCUM+V{gt*Sfo+?~zmv{IN}S%C_GxFi{;!OdN|t z;6zIKcfJGLFbJZ{`zqGYvqFT_QF8_ULP+|Jm)Dr^5OW{wUNFZ9VOx;e>m)=>UWqkn z08(&WHGr=-Yx7=`F!{Zyk$!KVV-&K5BE*6jCc>q%W4xu)ssiV_pf7s^CV!L4v0scz zJzYQa5i`Zk^>g?oPgLD%09jFol6phOa#W{{<^mVpz1ML2~sm?v}WW-!oAbzc&t+q9q0}R+M2exOl*EstDOzcTS!yw(-o93##3; zftz-^`&n)v!wq9(G8QR+LC0&4dab(0qbL({SQ+mH7NHXk`ZyrNey~1BGcP7n3kD2l z0QePt(R~&nDpgu}`|+)TwA1WLQ)|i4C5TX_Ks)4l(U&EI!~r4T8R8y`_#Y$izb2?) z*(H~i?cmkQlN&Yy)=viJF?Z$SH$?Lt!3-}$UY z|E5of9izMdL7zwp_%x3bJgu6Hb*$+0Zsc{{fJun48UH|y<*0o7`+^NnX4m%oe;RU>eYTP6wZzmXFJ@EA4;vugOm8n7woi7G6(^s<3dJ;_27B)REGn_xGm8KINWT`ES7*JbaVP7(qqjEOaG}BjGO=G) zc*}~xeZW*WPH@ZWo+Jkm1Th;@+`JI;^!DJ#yJ;BHq6B=B^f`osOqm(C=j|j{@ z9_YU}1X5+=6s?n8X%3dFVd>7rV4zV3((&I0-w8%?Lg^x$m69aM zu0aJbB&&Lx4pu&-L#%3VYGS8_yz1@-=MJm{U$6~&gXQ(-l;Rp6h%x%xdokenu}ZXd zC_Y4F3ocV>KdM(u_El+Te2o<_01TKB+cZI}h%jm z7lVD3HpML`Z==WnoxI|*JlLi~FO4}?mLdhAaM>z`N~HuyW_k7-!FqjrSGU^CF|VZl z0j4fu*%97(jMEO;fK8UKySir#IyeCP6^rdSlM(g&{?dx2@cGRxhXZ#4hi+k8tVgyW zj!m)DF77?>ViV_;z#iDNt4gOcvem|>3{x?eSY$2Ym#fhz}@hr-g(f! z_iz8+-uMJtma%jl(X z1nH;X4k`Gr7jfC(kX1}2Jjx;Af27A>)9&SH*}X38=zPV2F7+Tk*+8l%rT;T+l%l(1b*j4iL$DNc#*GJcLk9-jK*SQY-g{HyO#1i=uOI; zxazJ6s%>k(i!9mKDX<56HVDU;N82|XJ?A32GPpTCJFiu7Z<{7 zBnsL>Ez7TrOSNjSTydh=`$fO}!wQucVdd;goSvcx(7W5Pz;CvQcGmTV_)vIHgLvl7 z9tOs!;#mhBglHeFf#l!dj{d|7g_J0?fGjO;SfX)1cLel~QOSe>v zqT$E#W}<-6_INDWYpRRPy)k78niAZrl}8(sf2u6p-RcRK*dkHY2S0MJC>d>PtD{L$C?_f|G;B%E2RBI=FU8 zSzr6u8Lm&A&r{K5Mw;F{c3eYJ93SwjG~}y5E}KeC_Y!p!m4Ko%!ut+3lA~$JNg9Nc zlbX1PaQI~=LJ@Icuj>;Q)|U$_8~0m4Idj_t5*z~R3(%I2gLfTakiNoE@$#42PdX&zAkJw&(;6%Vxz+-ic>%=B5d`z{&=E4Lj- zwH#DVX@a~TL8nR~&CSFFaMu*O=l|*ziBz?s*qaTlLpeKg_ul?*Xt$Qx;W@W$G$xnTC z@F)5s+18?@$V>;6#VRq0Bg5P!W!zi1co8j3ZL(WWDx=<6yFTlu*|Y|-iYy49Y7G`N zp|a&><6~y=F|X*(^HWS|?z^$MJh3{F5*38B6WX2+-jZk z1pAuN7Sk}d(GcnJnkuU%v6g&&)YsookInnn+AZv=uk0I#HURuevm!v< zA^)gjMlW(db{teQC4kVXt@*5K0<)|3mrF_|oK{G9B&CzSOB9j30gyQGB5FWO|LENp zT?clZ-esqVT#NpQGyqdVs?Jd`wzHfmpECR6UOIJ7ew+zEC8)4P~K z?>$a_ZeZYCAiQHJ8~fRBi^RPiI(6NC{Gj;W{=3X`+-7JyGD13o)>o){8*vYapna~3 z?v7z95n%7@o3Tako#Hw1hM&L+wbDn33+S)_}GQWXkacx^8QzBA+QLzVJ;{R0p{MG6dB%<5(} zDF;@(vU=nn62^$n)Tr_q=;>42)uaY&?>oRYjYTaTHLU#PAU1ukfm?Y%o9o)qgd|0b z;fWeflx^8i)qB8Zk92#6bO>g3r$Oi0{@6^&w*?JA>h}N??qi`dW04bC>`rv2-V)Q| ziNAwLS%@>4EQsF*LU`Unvrf?RT08&#yu$U>s!*y!s0=r1Vp-~RBd0h49IQx>kSvhi z5Lhyc-T3GQ?xyx`R<)8027rd6?hNcrZm@k3+6ZRoIe_>S0F(RErFut+n~20V;xneV|%8D|uAnmbVBe|y#t z&pf-y)=y+c4qv3Ju#3C_*l#gP+;RhZaupj9rKw7cSyo9P8fvbH`kYjpFiQbeoTu~G zukJ|RN|zZNTLpmiV{nI$(8a#wB_YCKIF@H@@UF$agd~b)vWX=oo%>#I_yPK( zU3I*kKNAmD54O?}?+DKf<%?U1T0eIEbGOFo%u#fvedbt;ia&UO`1lY4y3#BGfYQc%tFQO3DBye9 zJ0R%chdA!&VSZ=YLW8q4-&>!*-^=~+0pzNZK}woyBDzRc)jc~>! z^5@#RG{*a|2y0ObYSu2T%I)Cl(fC@bnT&CFm*dtLVa%VYLz8K!qYn9T8v`bKz)1cy z>1(I#EaSR>g|?C-ejbvV#x1uh?|(B++NlS&6b#5te=3$7dZ8-}Re?ISWHpIr_FV!3 zSm9jy(%y$2_wlI|vThmq%H{>+69v;36D!}x6ec`h^;2G_NAPy)f3m)>Q*SAGC+iAi zTbuLVo-z7AXi1x$)~W*~~fNqtRIF8_f{LV-zXt&%MS_K=+UEL>#@ z)E`}}PZLaNNNy$NhC3nEXH z*?QOan9?!b-*XNS#$Ggvn+;H~MJgr16c;hUeBGX8>yZr7v)WH;cnJv3ar02zq*Vo- zzoz3rQ2MUMa?Z~5AMg_acyN#8C@Gt%`s9QnQ=GhGurF7mU4(UKV5xN zX^cllFD%YUWiCwsl)U91h`K@56;r@_?{@V_I!Ne}kI)FlEXX@Awi39z<~P;?$Su*I z>ReG3Qt8X?4~QJd;p&l9o6Uoa9p02BWUMdiyNtu0VAJU8U!(chu?Yp}NJEQzUIS(x z_T??i6)+qz^x^)6v((Q$c#$t+E!7F|dmElgH;91ntcV9CQDy+1Le6Hf^KLS9y zW;PLja_MD1$P|Lm5sG%X0)=%zv@P^ig} z?lj`bC(e`Z0#+StvIlWojzE{V|D{$ROgXfrM)9A-t!MyXiuc)wfz=L+b|4(|rnXuF zR$~QS>!W?Ty~vy#NU&1EH9(Oi7iJ&y#~`8r7^N@5tL_Y8FB^b-Rs(dJR%Y+l6U`zR zx=1Haq#3kG7=%`N7NCKZYLfr}H(q8W#WoANAJQWCu|73ZX>32a&i7*zz-E{-_fVSXIRUlc#k8)-FT*vBypljhQ~Gr!j`A@Tr=5HvPgdX z*(Q(p$FBtUI+RbyAc@p$3j8U{dSx-|fwHrjMkBkG{hZo547xaxxyG*$Z1C+?W6L6r z8=ybeJdg}?MKvDE3m!j~VLp(1Vqn$N6$&+`;$BO;J%KJoOUD3k_Q^i5%kB%QH;b+D zpE58`fNKEB|AEsoShrf!H!E=q#f1HXRFMGFl+zE(|Gs4{m6399GHthmjia=jcJ@=N zk8M2CAZl2gXFrfWE|5fG6wD(-)oKA|PfS)z@ zNti~DB(7{_w1kpzL_zU%a0sQ6-d!asUQ7j(uiRa_OpHniHeXYmc{Sc?GTzSkb*?{j zD78N4^m)DhRI-29$*^o;w;pH@hYwmnZIrNk?n9i+tF;eIEK40^f?ZMP!m>56W#AE6 z$4V-CUTyL2Z6&8q1(J6M7Bj_55g@ZeBeT%QpJ5o1`sKAU0y-MbpWQ2vjI+G z{NQ>GR3>z!wJsw-csWT)2JapcS*Kp1>I)G5FbBlF&8|2O;(!&W-tJWYii>{nJB`pQ zeFe)|Do^8+pCFqxYV6h9uDuAL+~aZqdXFwkAJAB~{|q9Fd4P~66BdZQ03Lp09LJ6>Xbe3z z*|;qLwFpi#CVWzj&%aQ~Y0X}CynfZNksosUh}?jLl>~~K!0hf-b@+3Ay2Eg#H<~;T z(^$K5XlgiYeVV8|xQ%`hokLf_p!qmHHbLrv7cf9ZD8XWn2l$35d^S-#L=cLkkDv6; z;}28ijXtFvt;|_})&no+N2dYQ(K^Car{u}VxG3zni7BLga1xu$%jbgkfzxq7*a@zD z>#(K)hp1ts^GB~`q}H+UsANd~5CYK^Mz#hfNJaOAJhKU;j5|8MZYpuUG)To-U z2CW6mfqhgrNJFA}oqU6ZNe$c}k|)qDDpzCt70|*e5qj3j@RS9J1c7UYkDuWP5#_>a z$0<(`7O9R%B-wdME%!XP*}V`%ige@+lJA?WRP782ui*MiCT`nHRTuo)Q1vB3X!oV> zP{7OGDTcq+?o@ycf9UrfYkXvi!ztO`DdnhjXd?hv%oiCoNCj~Tfyk}z;k|!5E{8#} z_y-$TxebDX-%5I4ki>;ZuLAHB3uqXbT&7==tBT$0Xb+l$hi5MY{PE-hP$;PHhZKSm|*?Q`4=WfxJWfjxax95nY*FMvm#=ZSZ>y{(5OB z5`>N30`;(*5Zzzxezg^pmkQsEsG{I-vh_xbwDYn%mzilc4j>FVKBPG+nxOMv89Pu> zzwczc1T94I(?}!btY|8MK2M)bvAcjvk6oUXx8Ffb-%-Az^JT8vocM3xzwtV_E?Vam9fAD1T7MzXX*b z+hyAn;}4U47Bo^C`Y1|+8nwEjEsuI&$zO~t#fHNkHV`bR=^8)Km=UcJbvWdi;++5f zAi;@XvjcHek|gZ_B33yXYQF+oq$iL~>6WQx*|F9E(Q@-C@q(xqhB{L1`X9j*Hys7<&_E=2 z{jtbJ;qt0pWkrx~HeW=fEhwaagxg%{Ng=z>?Gqw&unfz8b-#c#g z<6MhIY_%d*_-@sAv+Uh4$y1;qr3XNKxc542vU(6XF_v~m!P>@85GfS^U|h&jtM+^r z#d3N^+-ecx=+Ezz>=NHaXH_tk*6Tw|v~=byFN}+4i*&f;V7S{@#TXz|Z*0r%LHqOS z#2<~VKz=@drq|3YV}dg9>_@6-g*(1JkNm^uXpuKRFy=tBn$h+uWzFh~gUqGmjH^MB z_zWv1)DZa6=7ms@0|*_(!K|{W#k6KmHeL48U&?EjyDZ3sl4|DLuXZ7-Ys(0gW68=s zDM2>lInq^dMXroX8H}=RGWLuSKJ4~t2YS}!!NaN4V%P}+>p4^~PE7|7+Y8+nzSy!b zigC43d?fni7m#)UC=P@cuiqHCA*y)XA_FIldl>GP64PwGK&_pU| zC_ZK+kRao|&Hus0Y-rM**IPsf6f~_AIhhuh0uA7!ljT9>qIRPoly3gd?e9#2YA?(;Up+xqea^ z`x5t^RzXFf$2n*+on%0;RH=mHVr|)h%$-YqNBBwAP{EI?SDl)o8fWd$!p$s_6g8Q` zO&#pJK|U**H`@#4y8_r2hqb!|qKS}n9Jd8UXUij@j*+NKgLjZxVOXXCIPT+=UKmGB3XzN1=ZYRYKc6$ysNat)r5DnnI3GXESk-+cy`N|6tC}Yr z&K0q3{L#`VT2z%6{apub_P3YgIwQo7==8YwE_T-%*y}@i+LPqD!bNL)Me@`WuU^BPx+a*r)o;kdX*^r>fYA<^K6>-d1V zir#Tia%c7$YWTA^<({f_+~35B6bcFFJ6QD0nF4gtuD)wh>CMr*y3l z_J4h&tGbo31^Ityd&{UQyS4qBShRF^3KG&CQi9SQ(xG%C-7S&^(j_5?(%p^HvFMWS z?)07O-h1Ew{qFI&pa1*e{kFznxLoU6^P1N=&*M0MM-nwJPFtvOB}VR2))Jxx^4ez= zxshyTXimr{I4e}8WfK;P8NT;|R_{U>Cj_xlo@LW=^=98oNr!)b%(DH&tqJO(HJ`c8 zQMo_Gh@cQdt*2%ZeguYRnVH|_D=BD*KFClnkj$cF8P{St$XnNG;W%jg^1|}eWz{*_ zWAe;C4Ecl2YZu%}7!*f9BLSv!o>kT{T(L{?U@Pt?jQQt{EULcx3yPyC_-Up5-eO~V zD8yo{cCqD=MZ#AewX5Z`*Ju(Un(^Irxy<7l#?02!A?+b(Y}mDFqnBTdr9G_z6+7}q zbmZx&O`TiO5qWu^3HkN_R$4}ZNzf!%9gv6N&Njokgo~-1AG#%-^To6=<(V*lE2j&i z)m<^GHW+J?flV)ZEW2=c&7jd#Xa%Tv?nqyZr4WFp_dOP7RkdqbB6_t;Lz^}?5G9AO{_QhGzwplBlgW|<7YZWdsjAXSnoxw3S0#5EFd8SMJ3dYb06fzYx zPOMlA5wt5C&S?<5*j#ds_Kpk-NK)*$iIbt%5vw|}>^w4@M6b#J?!1Q{r7Sb*c+iga7boty4~D!V=C&wpM=X(W&w4L-d0ob`rb+^k!g zMY`mz`}D4>4wd{-$4TPMK(xMTFjQ+XMuJc@$XXJWq@$9#ImZ-h(Shv}DOqUZAPh|- zX*X&{G)T~tonWz})IX5QW6HViE~d0r&5=eTTnQV8#0?GQ*L|rw++@YQ1$~U@wb$jn zsm2iKPKcf)TFn~XiL5fcMQdMGv)uI%S8k54sb&9$mH1wp`J(pNrsg-Q`NlY5H=&M@ zKPO7GKdIu)=U6Ec_5#1?51DM&^4?dw2QSHn=xz6>a)bHBz8$=|ARwP8O@5H?>}J_Q ze_d6u!h0>x5>x6MYN&D1;D6MVD(vorr^^Yus0-Q1{WCJx6o=QU1J$s78laF3O56@z#h`HHwOGyG?#deB*Y+6cf% z2yS%!m=uD;sT(lb%sli48)v!^sFyN9*KH!ynZ`Qy5b*{hl%g@Ff(&K+zO& zNX?X}V_^8FmD9^8aO+6WTqA+0@eAh;X2tn6kJe;}|46Ld4tqxAcGdyYewVCrr3dFY z)%u}WYeR?-dp}dB^K)WyL#|A%UdD>j0c|5_CYIP%qj z$gI(^*Fj+qSF3b=(%ND$M zu83GxI#WGJP#YvAkcTu`zylX~LVXF+cH*)4>537LL*zc(cZmdw=J-kK zhwyhVWSKl||L`8o#2*f!+RB#mSyZ+BfQJL%yhP3vzvpQqm-`d9Bnuf$GX~BAv)ufX zT$UN6o#+MYCuT;#Yf&YH$i`9GTcrf$ek=S5SvU`ka`!8)nkIwK*N%tnfJ|M=>G)}=HI@_DDCh^ zva(V5pSu5i+pJLlz_|hn9r^So=sP-7y++s*139&-!)xVtFy;c6No!#FiYesZkJjTd zCLmeeY`HTs`6YUOIiLfjy#2YW$W4OBd^1VwFbc?V`R1%lZV_rw9;y?n*w z|NXh1nRG{!CZE#>fWhAsg4UP6>#w(2T>tB3et}~pztqQ8%B}p*z2?WKR*)Z058AGz zNk71ZCPz3HC7EYB@!!A0|K*Eb`r*pPSucTq%?3(T;RYVA0rD56{>{VVMF0^Gx+!-7 zNIP$BH6EjX+vtMO@ixK6WO4Tcs1=bwCf6)|oyRnA@3yt;$@H&x`**edU$3EfLHXjp zZ!4^T5#aG!ve&~PWR=zlgFcViHXSqst3b%EI~*zuJ)y!18_j=ubH0bKwlz~#F*0yFm`VE)r#Q!Uc|{uI#S-foD3e_s%QaOpdgE>fdA42%FTzLmD4cezsieWUO` zK%gM!jo#>2*Jgr0{R!$t!|ePCZ2*cG0cGuWKbxz}f4y(w(csZdEP@l>z5myR`TMQ^ zFJC};;Af~xHoo+g|FJOt-`@JAR3Ji9vdOF5zpv^4*B57s;2q9xU%%l0x3%%_SNnf` z9i)iL%T9ov{Ivi1A9u5V+Z+Dpb)98|#%m9TkLEw_fp!}aOjmk?$Fc`4{9pwrweufS zk!Zm$N{s-5uHWgFzm&5I0$CHRuyGZ#aANS^mea?(1+0KA8I&PMGFI>@0*>s$9{Uvk z`0Mj5DzwrP%{Y~WS9JgT_nCP({2ZNiA_iTNt-A|XwiZx9I>AD=xhUk?0GHQI0ftU| z_ZN7GaHTt@NFSMv1Wi*U=-UlB;Bga!WLC_s(ixi~G*p|>cM=cLqJjMh22JT=i>4CO zqX0HR*gBLTf=uc32D7X%{Nob^8Ke4weu^28SIq#)A)^OomY6VbRT}yBf`{(Ed~8&j zVcyovh5!8Fah}6roYvm}zrvXY)!&?z)#twe=Ku$!$|$ET1GWRlg71kEz^X-cUL1$_ z;v@kmP%S{8bb?ky6e$pCLuvsVJ!(S^TNOn%mVz1Vdn=8EsdfP7!%*+Gv)-tz^2cRk z^#igk4~PGu`}GI}5KS0imc%32*jNyk+zlY9KVAHR!=M@h0s1&2;NI)>UrC}+GJqcZ z?Xp)DWu@ITw>qLl)mq)cv4*W%{=(&?lvnw_qiTa_zuZ2A zrw)PzP&EP&s?2Y|+R%i>lYq+%MTS35uvrmGNKuH@Qh3;N^IYN$2+{CP!B8;GUXPHk zOT1W>hC_~KR8D)u-h63x1XP48ys+?F_4ycqg-0+3@$f8cBsr)BCIuv!qcugs*4rOe zaS%=cD||mN-l8YUoB^D{TUzOG-uP!^hW%hPQLYhqPPzht_2DtqNg!l9rWGIzJ3&f} z8ruZ0Vd;q$cOxe8SI>jwU1nIfcs6x|6t|#C_yaDoEV&fT&V4tq#Bm&cX~5=a{%ul_f2>MIRtP7ayQ`8Y>sSjcuj)v5U?%Pg3^pknqd{4(AW5D+wg18VPyCa*sumoZZ$4AD&ZH<^C6|GlPQ z+nq!#1a?DC7<$Z`y)F7yE`OAS^7o2NcvuReilP9kM8*PPW~%Y#h~^XzBEzW{vypi-$K2l?M!k3e3L-g>hB^AYz_?iX-=6M#ErhFlka!3a2bEx z?IjTDhHK#y5@h~K`1>C}Zcqw?6Zm#-hs1vy-0nFBu(JLJQGIw|6X9DH1d#Q#R9mnJ zJ6(TSl5L;h zF8ZFtT!N_Zrk~^BrhGfDt*_KNXAT~kHo-q(%MpOfSV8lb5!~IMyqeVlt7#n6Ncd<0#Rg`?_Z)Z)vjFb>jS`Z z7XhfS2SFZZH7$4Ftw1`CIwX4umt$L$@fcTt*BvTP4z~`2%~?$rr-O2&!fK{+J7r4Z z+}mY zt3D8g`1r~7CVd%Tw|nnhfj#sq3iFmHtP>HyS@Gr^iII5ApEkZnpn>Sd%WEdE}%fbu>SQ?Gig=)#kU)Ie#CJPDZ{YB7rq{STbX$S zlzxjK7{<%50ieS|I=1ZQEyc4z_WSCp)iyx*NvW3mKE??}=6`Pky7B^9~ z!x3#hkp~A-0MEa^{RQv3 z0>hRc%z!{D##q5+)J$=)|9RU2+gVmNZb9v99L8hE<|~UMFvs;4;G@Rz6)ULQVZ|vd z!N3^+P!g+>ta?&cZ($@W*mLo1O&U-%&A@YuBclQ9uMHFsvxqqiK_2PCvcd@cFJK>m zAvSOdN&=u{+%AyV7kvWQdr}~g2`fC) zKe%$&@aWp@js!!%GXtMVnE)KN%ZDiNAm{OmU}yD=D!Fb_>jCka?*)N@HmVJl0vfat zDE#{O-9;3zH}~UjvLIicnSk7GqK!1y*eT#*>BT!PUr};twi=-eiri(^$bSQFtw9f4 zaKP;Z`zOc!abgQ9>Wr)qlvS~r)#C?k#2b7S(UBq^Vk6J&p{L^q{ud%;;M=?f#m1t3 zlFmifU03ck0O@RrjR8%xrxr76(=*?b2!?QR9&kelGDs>_-^UKP47uDf{=JQ6)DfC+ zpHay9L%dQXP%UZJwxp>OSTtg2aLh*L!PYFbBeGBg9sw^}9v+emxplt5T?U&q4!A0x z5B%lN?0tLAuIv-yb7UCo{t3oVvklo3q|I#xP`W67 z+KUCBE?|eFvlvWc2AeOLGf3Sj`bH2iqWl>fG8Tt(TM#M&oEwmtMNSXET$4SIJG(jZ zgWmLR+QOdnW&o^1h0-ttzrgl$6dlo+{91AhKW_N%o(8RQ;f=K%y#zR>sdWrLibi>!{=Ra6=O?~fRO%P|ZCr=G~ znt++Qz81{7vG6x*U#V0Cd|!qJfWpK22+$j)r!2Av>7&itP!}yL{hX3cT9Xzd^121T z0-3XdWMD9qQ&aF)AmW1nk>A?}=$Eqj?_}WWHVxpU6XHsZ>pZpNrJlW;j&CQE^>qpQ zMuQanKwL-Ig{y!DNtA9y2Y&T)fFygbOn1@f`>5AQb+w-zJnnnDSm~eC3GR#|LD2|R zh7VxyM9Z{Zp3P>4d-XR;GQ`)cVS?!Dm%Q9V&-Kwg35ORFwn0(zGIy-TaZx?zcwd3% zKpnO7hyIjnX9Y@B)&}kuKNX&XK-`as4EN4EiYfLa&F0=zYQ%Y2`ro{1i77D7UF*T7 zWj3FxMYC$i&PMiXv~NRL_BU`q>fMQ+x}KINdiw&6U8ekJ&fwHu)|{tCeEV)$@1rmzy1sa=K*6~+i=3xF zXYXX|vT3zjl+jTMR3k#t2+-el@qATO$FNq#llcug&Rsv&f}q@uI@Wc7+aL{ z6pD+6^sXRR^HXtwM~15qpUqMfV|S=Uy(mFYRwq9xC` zf5hO*Ha-&Xer1YfUoW;8afND))>f;8eon-R{W)ow*j^gih_L?Q)W?YpNg$>+L^(d+ zuSEEnhz={3IdOvHEh8oMlzBU-?S-S*!}MZa_sWeW!-@U*NPvZ!Yk8qN*a~dsFrGK(*n%z}J4DpYuw0>RYktL?szm%25#ss0lb$Rg^ z7w=59;H)%*-5=!LNnb_WNrjMZ2N$b7d?dvdWlpG%X&Sm!|-U1Ry$^1eoQjnM{4q>ZfLl$gaiaeUN@y|Q?x)dUMWd)m!<~M=IN@bp(4%n zAfi{yNm>Wv?AljZ^Zd#!Sb7s98wHhpMI|p2@%7qJu&L~P5`8oHfu%%gJL}G_X5Rfo zF@dQmap^1Sa>Bn@0C$jb67no;tQco+>h{d?MU)x%qVc?u`(TvoSHpM|lad;u-ETNm zsMbGMVm0iCRV!M33UhnsLRncP9pxF{;e(;EIleBxXS}o4Dj-`klVv;>$JHEF9{o9@ zq?0QH_j;fJpEJkkZ3v@F9old$p&n<)a>vv_#zDx0qg5@GvQoI+*kiLuiWR(9L&&LH zga?kc>*g|UYemJZtFBTRWqTW)T6~BMrAS6r>FIwN(LVaVS76~5zT9u zOKiyZ-98GwiexbWyhx7eftxB~y1x0piVSthc$#IZ$qn_rsj@)GbrL zhU4HWMwzvt^%U^vYE}&BFe-h49&(25>Aev-{y{IM;maw6n$4VK)(n2pn3ttfh+}i6 z>wGcfmH3U%ICGko!pXhQWNeUdaUfb)_^TlC?;8yYygXa!)UL^U^jA`IPMkUsGD7o} z4E_AOUs) zi?pUFws5HuFMWpmxZEl(hWGh0+lt*7rh@U3&*}p@DL&^~Q zo0ff2UXB6g&6#MS`6}AoD7#_(8&G=<-E>PQA*O!F?bgh}jug$ohKJXvKSj;u;+Jrs z34A4TT6h6six2902MVQZPR}wP^NVNsy>ao1*6KKpm%WJ+j=Dmh&%P4^)pt`fqTFysvwqw3wUpy{=mZoayTJ`njaN7nflaI`trPAwg zjB>`m^1ncEhO^LC0R+b))Q;!rF+9QQO9x5zm%|Dl!L|m8?V3+SU#!h14wq0_AG&v?yOT2#M_{`DVhz(XkR!g!MW$F3Q&;`sDRzJ; z>e%G}i^LDYEJ2V&SZS#K7YBy`aB%e4p+vb^!3Uqf$?USfP`=H?xK@w~cz=RN<#uM% z&jdt<{Ebo?PrmV7I!v8WZCFv~!KGB7`vPAA67$DjXE$l^EUVV3ZS0c}A;DiFtYP84 z4}tb=08PQ|wy2)XkmqfLj?r4D zw`Z;VVd?xHqSDN#8!;%Sj?L-Vr(;JC&bXHZ3$U#hOEN9b_9n(2T}-WK%`TK$oo~x(MYiB z`fB_nXYAx5g&(MF7PI848vBHd9@Whn(u2dtAiic`gshjlShL&I zL5K_xG`(NYz=g^@Xlit3vc7RB13kn`LDGMN8%(0R`&tMv zZHTn`} zM8UUU1~j@ci^?3Hu77%q{kwj7=wJIiu1Pd4Dbu+e$q&*35t! z1mZeVGX4A7l_6)WY9hJKT_@2Ql>w%aor4ch8~w&l7x1Aqw3=BPDD6+#Y2`#5aW=g` zu&>?0avikUt~1IdyedxDYWyT<1we?KNQ~z~c(2JNt@DodV2=Y!aSo*guL;sbIGlx7 zsBBN`O1&xE9Em0?{^H%l!{QX9Jpk`U&Oi?#2`99-yd*b~`8gcEUl8Y#EMbIgNa|zM zH~fHjBYCHjz;s9as&p|DHt~Xuwgm;#~EoidnI{nhthypwMrWPNBA2J?A|MmD)jOt)QBKD(xuNa?Kx@8;mCU)SZ| zt*z$2`wb$U76eNs@Mn366{p*yeUm<5Oqc<|Ko%#7owe&{7iOlAn~rD<`G)@Z8ePoL zYjVX;VM3*2l#0neyPW1(Pf0E!62_FN^F>T27Tndd206JN5=;16i0}Et7u&Os@>4o2 z=45vCTg8L8g!DjWwfQzhw*_T(#w$Tsb|XUmY6r!P;Cw%SdvDl4slIv(m`OEd(e$|{@E3HHmu>#T71`|9+z@iHsAY-25k zgHD_Bg$q>&B%grA!zjdBe|DEyaUr5A4z$@4hoGf>X`gx8$d3D0QVpZ-8f^-A)LlR8 z0v86It%j~xY-1fV!t~sEx0$THYpWr8Q_~;WGVR)3fE%hG*AD2P0#c98L$I#m9x*Tm)e*^o~tqCK= z(KeRFW?pM)Jeg+L+*GbH9?XBN3qUrQEm`=DS(G?@ut zPn*+?{;>WPvT!8`AULKl2o66xfZ(`-Os*%{ditEuAGz*k5g+nrD~qP7*ONVboWFyR zBw6^qoyYpsyufVxtlKNYO8{?hD|e2+pGdZyu9-Jtt6vO)v>T?y_DQ=J^k02sN3EDV zrc6;fNh5fv&69D=>GlugvHP@mr*DaPEQP4 zquz@%&N!V)1;Q{w)Za7TWPtT_s%XCQ_Ax`Av5L2W^*-pHbCt7I`IBvkGRMFcQm(^A z*T@jaJl;^~(AqBtI9_UCn-&aC$SavZzw==SgR|gg} zCtxC&5Tf5b!j{6`z2r#fwSet};&WDBDLv++JJS^pX{YmAed2H3K3R_Mk$g}aSS*KF zr=1I(fB^YNE$V3&GlX-+N>&c>twNGw%A7p?c1oOiP7FVHFWg>)u7nUcafk6nG1JUd zx1+O?n6mgGd`}01tNH2nhH7m# zsKWg8OyCJ@kfJfR&%PszOC@FPgh)p#V_d38Sf>RRH7|VXpWW15Rp0>WJ?wlKm@Mm3 z%}F_9tY6!j5PSb*rT)&(bzVckA50_dIZ|IjrNm1{-H`R(=QM{@X-@Y3+yRDPQtt+K zioihk7W&h50*>{0o$?9?$KBErCb6OSBG*+gJ7}vGz5Ho`>F)mkHoAWv~UX2&L@dr9GqnWes+m6H(KsAb5|mg z@H$xJ*K?j0gca%ACByP6l^H<7No2>28f~z+7}#rWXnKJzuyyAlGVlZ9imIyodxpx# z4v5+Bgci)A9@BNK5}JS}{X01rJt>2Rk-uwOo0U_x2@LL-TYuC{VL7|6crp~IC}E;P zJQLNQLVxk4PQX8a_W*YfcxUAYT<@<1;xM&Rd%C==^TR&RJ%*ULJEnw46%esBu z#G>bw!7ADx4LQ6x2udfsudGxo%uNgAJ}_cJ+&sC;0>jV_Bk`Gt5Y7Hcyoo^o@^#gh zhqxlc_L5(gV}vMcD?@09&R^Q4?f#--TVPI#H5U&#j`e$T&D?slN{Se6Vz#klbvNG5G z?JzjIM#u=6K2-nmj=-W^o@1P;vb79VP#{mhwMJ4gSo~1gGF>$@RP;K13tFgwWGn0T zkn$m_Re%Od!cF6iyt~jOuvg9&eLDdW^qw$-^?7A6KoT3?|Ft$QHd_ntsEZrdbn=V7W3AgQvS&$+4uDbbDZ_gV*J9}T(Z#bUPqMZ5t%2?5B+?(06Gnw$0W z+vxe4XL{cH6guW+LSBk4j&*mo`lS;@w;pR<`_lF8nyJ(oOPeD(G9Z&B=3CQoFKZcu z(;0uktJ4`M7i7-Aaw+ycvT!Hy^aymG86|vvq0!a1XpB15K6waeyf9^ri$low(kUln zYQ=4C<1NPhp8>4H@u<9m6{XcQG2gv7h8i{X^`?|!f7&K8KT4Pc2o-sgV^^TZ9x)1n zW*XbFRh8<+mpfbWA(xfkKySp8!F}e$p%%)FTpgxr*VdbryW2Hd8*L9>UG8Tg2G zBIR+jFy)8%gd8KP26Uz;i`M3hqFI@Yy;^F#*5{2XtAw^Ns%tGUOlFqAzL4%dv0+_h zD&~E9$jexCE9LVO*gcAsn-+nd(C=AO_6Qw5QeIfU75J-S3t#q3w3Fz-jTxCd)7Oo$ z;8O@AxbVRf@ShZzRnF1A_DU$`vBntd@(Uj)8O*c(K6Cscvibc$>psWKXWytlml>^jxT)t!+o$pD40&UW7K^F)KprNPb4XIFo6G1KX`Cf#Bh$gt1I8w zrqXbHv6Iv@25urXc+BW}qE?2j&aIv)KM%t`%27RlE%cS!zR*mCvk4{5W z3g2EW*>PQ;6x{W(cY5pXD!A?rCgtCKe$fF%;AeE3P1%|g# z*FFJwo5tVANyqC{T0)~XFuV<**f;~qA>oIA;BDl+qR9o6DZN{IC_U0lWe01MI?yU} zrrQ@-zm-a{FwgE86z*|whtzJrk{lUt{&F`^-Qrg@3cGpB1fJy{({aA8fz;?NP5i`^gbMP|1G1W%(=B>{ zAF~M>2r}IVCCg!VA*UovPKZGIK2_y1vj|4s$*;oWM}fWf)n%917Ocs=o(d`bp;>LL(z1uNtjUL)T zN|m#?#`wizX>w#^@Nhn|^_VsW)^W{(peI)|Py%Yr0+!GBi4%VNnagry476*KJuvrq zG{9E};WTu^_>_1v~ZH1Xj6GD<h) zAl9O-vKyKG9-w40TNi=rU=2-I>T(-I-{6oW&R_+L0ykHsK>qjc>f$s}Sdy*OB4?zd zT#9)JxWPxdnZctT7baLj96kpTjfU^{dgX5l%wn}$s7a-7+D?A0xQXzzR9hD$_k}t4 zu|Pn*oGpYZpg~BS@aLr4|$F%tq5vtvHWcIOC{vOa+nlXwT1f&}L7d3QF2 zbrB4?>R!x7O;poZsxs6L@n_pabkY3;+mMOpEJ9K(>i5_63JQS3FvOxtaA^46qK7bW^5mUtfOMRScy*P6G$#{)s{l1FVS9sF**T*Ez34Zf z0&HGA-+?)`-Opbg`ofquzahiM99`o+#)Slowa+H+V_l(u7HU1`&%OM>W$iq{;3!{+ zU*h($UM1)INW5Kid^>JBm$Y0Vey67gr@=x8FkeW9wy-`bJ~^6#TOP1sDsk-lRl_lc z&W*X?ScJiq?!z*w?x0?Fac5~ko22rs3yOG_^eT@XbpakIybWS)5O0Q2-GLw$1uk{lVTVNpIDH?48_(hU{sv=u zRL(%_zPkUse!ZNpwztGdJeTtf+mfHl-vBfa(kFod)aud^_$uuB6|APlWM)X;Tpej-1tE9g<1Fyd>eq1~t?%KfMU3IN9HrKCmfFm0)>c8JyuEbZ@%2n|qh+a;z3}A!VMqFHcxr zP}BT=FgMLy-`tmCNx`n$2UK5uauW?TbItEr5ls&irucLW4l8C;3ix+G%MSf5%clT6 z^AO!g>mcCIW`h~a2A;iPK(Min)rwKf^$m8}-UkMXnl~x*!yOTnvj=!H6h8Ffe&UrD zpID+TddB02_KrN#juwC?(CEVtPL!9am-`@0^5qMFfnx#k9WVVHuqm?g1Ne|LDA34P zaPtbe9a1BmfD=i8*Y@*XXE!(Mwd6|izOv}iQx(LLec}zzpYIOlPDK^1W8yfOnTDAG>;JPt#~64ae%HJV*G)07trHuiQO&mYJz8$kb=}6b+&B)V z_{|^C78f+$&=t~Q`$$slVFEBuJ*<5QkiA2-_F$goUCOf zR#xpVR*vL8%xY!*8xvjM{$9txIjpoLB#9o?wX_rN`=|O4cWpl8w%g#xmFP+zoWnwX zpVzdY^-peLT>uWs%n7Uz^G*Fp^E_FzFP|zv`pE*YQ~Gvc^Dz03DG6M)n=3y1FDdaf zPtCVn*5HC3TKyWObXR-^s5x$IFlvsvrR|s2_NQ}bCJCRumqAh>h6t{x*h~GndN^5V zryK!S3T%7E!+7SYmlaidg}x|vGZ@2(hVC!uH1b&%fa7a!>}l5EQ55BgbEr*r7Z{fq z#OKth0iH&&w<+S?2&XWJ`o|SOb|TWva;}4ArKf?$TX!B93^JUGa+HPJfka8eVpi5} z`nGc7p0L>M!I&+@JZ$}2=^)#%o9`nM;7_vo{+gGf0C=&dnui9(vlytJ9z8MSI_fjk z-9|~_qSu=_^i`>JT%zVyCsQEY5AVx7AV-^WgfEdk#C=|(xqweR;Vix2rBX2{`1V6# z;$ss_rf~iSJqp2<*&Gqy71L${a`xak*t}Uht+cNcHjC&rUo{OAkwXYXt+c=a1JeQE zCFx@S{{h?R4Q6o-EYRc@Guu7h#RfGE8}TZmN(P%UaM)z^ovKLuikHSZDnrqqti^C8sb>5Ek;|hZIAKYW z_5|CO^op$b4R9|XubZ6)wpHP;c^i*;lCC~`?!>_`$V{-oqa9T3)<)I%iPZE+0CbBovjv8Wef)TqV| zrESQ~rKkV1i5@gGgOKGUl-1Ywb7`JRwx8c&lJkF~8Mq_Jts4$D@ML+e(S}s#q(j1M zrONdUTB@t=539Y*C|K;RdmCtopQF1V)Lb$taUylYAT~G4@%ZgXg<|D2#Euy1KH8G# zBUkMOr>mhZCUfdmWuBS5*!uBgC>SowjWm3|ga_}W=)!>MFqcHRifqdHuEpskB(djoZgNocuT8_`MzIKxEb z2SvdWZ=Hug948^Do8Z(pd)^oyb#ZK)s9yj?rr^p4srN{AoLl40b-JqY7(|0kqoIZ- z??HpSm)~R`Y>Qi|%#GV-H6&bixLw##bErZ%N-<*(mZg;O)h-qSW)R;gOSo4l?^x2EQ zEQPv6JHp#y8Tv^uz6}R^sgwvEQVxc?V1EN;G!FHp!qU%WF_(ArY}c)}#b9hPZ@s|m zCU2%3oO4B1e$pMNCspb4J0+}h$5ggS1T3JIh(P)7>J46xaS+E<{P5v&>5)uvlagMlX| z8_J9Tp>hIsi~43upd;C6ItZPSOtF0Yd{3+S^Z*PDwASXZgW>^IUOL6;Y>jX)j=-Dk zIlM;B<9G|d^br{8rYJMwo^CtnKH8a0ppqc>{NaI5-i75VBRmtn=lToFL(1WkXzz^t zu@)h3VZl#&d3a1=j_B8f#o`UknIH~!(5Y7EVC<{nl%MUXUrw4~e!=0jTQtw^OS2nD6}W1pAubXJB3b@XmO*=whfnH*!&V6X*FXkI2mNTc~diRaQyh zeWnrnT`ly9Kbhadbo&`VWeD5l$Jnqc8FqY19_C*TEhYOQJCy0a%hF($(mf?XUGl3z z3}nV12yL4Sit3+!S9_*4vrT-UfMjcFtxNZNQE)GzEXG!C)yTF1DN$-b0fPYFRMYknct z>5lp@WiR3YwI_tgXW8%BqwWDw`|&50gp)u-tix_^tBqEw6Ea~GLadg5z(HDX=)!0) zYI^HXqCMUjGoR|W3eJo_>u%a?2@`@6ieXYHNQ!MdHVGBoTvDUXLsqi9gn0ud-GAwa zdGr8@O_kmump<&;P%_vy{XAy$ZLDJoK}GUv@~%u`U5{dHMXLu#Inu>6_zO!$sj=S? z`=jq{L^`LHqed@f=5XGkv3d;ip~i*QmC8(H3AzQ$QLp7PPQE`b9xY^qS41@^^p&{- zrQ1=qRc?2D@Z(w>!Y}?!n(&Hj=V55$o7OM``XKkqcNdKi&Waxm_@gBm))S-&$`kfU z@+j>g-hQe*IK$s%QE0!EI;Qou+>xI*$qLyooZm@q;M{lK09ry$3+^ZPxr4V*ZweBn ziN#&f8?Q%}!xfcxW$+CBYg(4&IB=tVgy-KM$rQ9!z3Z?b-=L79sjg`G@&dzz?vBA6 z2URSh?i&C%q*Q^-5Z?$cXEevG{i(%3aGhY_nccs@GuAE7*p0mJPglP6AlJj?r>lsH z-;i#bw(|>azZ#AkqbmAZTVWMYmd(CjtGDqvHUz?1M#}fbHonEs@=;)6hHv>|={0eu zk(kP@b_iU4My6m7D0X!pF`Q2Bd6t$j_nVsM3}6I*+hp3tvae~9B)$l# zu1pWVm8~l7YX&KVuY-bL@@uJcK%Pu&=_9Y0Ka9ZzLdYnBeD~t|l0^lRnCiiCUW}*J z#q5lDDCxHXUowpPh9N{sZdJ~!e9T!w&u7qy#$rxdk+BcW%#u?GcPH7x z!|1`0-N@%KODRM4-q6su0dh7AIGj9>i2arqbHkuY+SUtv0jMYS>e7mzU0OA3p|4Xm zGeCi+{X8gG_o9^|8~P2Ol<4dNz>sj%U1eVC>IAAUYUvoPUE4Pvbw9xm%ImJ1bLsQ4 zASnS8U++JI@gr-wi=ZzAHaJ!h@@@&eK807~2Yn(3U{N$tcu}m(yZPy_1zS@6WKu@7 zK+3a7fHo(yAac^)gQVDp*X(lec0;R1LVG%7cbHnplO@o!hq%^LauT0YO~7VySGM#!+7M09qX*sMQ;x~1`kgaW#P^afJ?%Cu%dRV57YW5UP1XV zrz3}e9AsVI0dhDHlKq<w1Uc!{BLMAbXmO>Ujgp_ej*kFMo{9g2%fIKp@0z)%>ZTAt;r? zLF9LRs%8|_qMP<1zf9)${T*V*Q^WX%<}Q#N&=@I&s$L(8lq%pzMS@9mmWzxX6qZX9 z5r(Zu)knE%2K+7p!P6VpGN>9fMv5YtwMqg)$vQ>^F_mW6-a6WskOr^Pq5ma z&rc6^KdI@U7YF^IoypO`2CAAJ!2#ir%f0gHjbhP{%MlwKRlTG&@+a>GuN@#?f1wfS z(weYUy_R+O*jhu5;ScK>zKrz&UD8~Bjm6Jpe)P+oQXI_@rgv~R%~>ZdH{_B>?bK(; z2rs8j;Y_h}*IZ2Z;My(k24u;+PEQW+I`T7s92q&LEHZF2QGf06Lxli86gFva;GgD8 z>*#E#OUeH5yZXNK+PK4S-0s05)@asZms?@?-OaN;hn73{5`eWC9RDpt=6w7?##oLc z^DbR+#p~q&WjmkMSjTm&rwZ-skb##l;UjAI#)yoVUU_trwUA-gL+ffqU^j(o@JaWD z0|+h8Hm?N~;E`FuH)VQ-?0aQxz%fLd>$TW=-;}Om_uvDWeHgUX&iJig#(p_k#cU`9OS-+OOH8k8`{Kg4~b@xxD;V zR@jTbpi#K>A`Ku~y8-8ByoC4FeoW4|P;ZRCYntOKY)S{#DRC>hh`OJl5JG_fUjo~K z;i0nsT|^ykKcS2ev;*KI#!$mAmr;?!?W;$3YH+=fRF+Gz`ZB~a%_6!45Qhj(9+)mV z^m|DC^4y&&TS$9Di9Ph^xdmE$K$jFB&+=29^|7_x3c7#M zNWBb3`?jp>TifxDXR@VHM!xF{I3A1HaSJFv0owfL<4O~CZ;(KaU@a-(3>+-ym8jpq znX@^pSMX?^61m+0C%*0EBjXDh(2;HWX`r}iRyJc~Hy{#_@LVN@=Oh%rES^!x#cPNl z<(waoH{q4YohczfU}(_r0hVMLOa~Kr)(DG@iMQB+Y%de(+tJdH)B(YjxFgXUE{57O ze^~nhkX!!;_{~d^?Z-wz7~3L(L6O%xKxN+itUY=<`e3N>i(G~9GDt&xX9Y;4??_Sa z&o@Up4vW@5fSFoPd(0VfRN)%C=~4XtP7lz|6JXo&)2p^i{xVLy$FVS`rTs!C>rTd3 z&|#Au=9xJ=QKi+k5iYAF_5YfGJiRcha|Su0T1D4@l7$3u>naV8(po%$k!r#EWE=(EK8N z4*404-Ebn8I4riu+a7b>YDBy6YVdo_g0R}`c$Q@O;eU=J|6}f20s%8tf?g=u*vcu- zB1kT)8!hy4`Gn_4k{>u@a-#t%!pv|khSEbEUuF+iiR9_!y}#dw6!+H@4Si|!Cx{tN z0Y7{{$qNgdKR9jv;lK&{h{mfd^hEaWri>~r0=Pd3f%qVxE)F2Q%)Zt*OMmuL{HFu# zF9Judbk@?0pF#w+`9EjQgTDShyuAfflxy4eF9=AZbP1?{ba#W&A>Aq6B}k`$0@5wr z-5{M(0|=6Wbayv`|7&*m?B{v6`+ff3`qsCWd#!QU4m0;$_Z8=P9KYkyoyC3t9{Jh} zjUj)3oQ`F-&%KfE4`s%9Zx!SPgAkvXhZs-(dbZAIfCUI@T;O9JAXj3FFZarZFX^%43k%9m%DvPXN>8<1G6wCb&s0lJ(Iz;(9tSE({ z(SN)V7Rm!qFnOEG?~agL2{rixVF!ZlI{aUL&##nGe|_Hf2)u3;pI6g|KVG*m?9LlT zU|rn&I?bry1Dxu}Gx4!nfGl1WoOJkC;)-&F5LjPXx5YVtQj5)eB-<~Cmf!rWOxm=E z_m`6!)bJb!{f%*{xW`hkt(azG`H}6J_RHPBSO2%td}h(pKLJ6{hddldkWicHd42Yd z?A7kHN)xCGyxTL-|MLU-La@rO;fRTpZxh+7i9tnIWFcG*zaw);uj<#47*JqBC)sd5 znNBAajkF}}>9Yku_s0eeG+Nwzpmqa14&2{aHDiJ>9xdPlYSC=~$~T=Vu<`ZZ@Dg&SF(h=+adqwwv;XaV{jVp5 zDB-Al5|LEJr2Y~5^XGi_bAI~Q1NkAiqzR=(uiH!0L+C9bl5t+UPr%_4HwpnZaEf_!*f`0p%?+&8T>^yX{3d-vq4>Wzi+#B*ah4=TLf`2Iv zyF)v^tYn-By}IenNOZbQ>fZsI;XPejAdw9fA?KRFg@il-yn4f{0_MpP5a%Hf9;(i& z`S;h<45+9j4Z7^iy9hJ=y6U((5I@d1gy1vj3!%k^Y5*~#85JB@6!EBC#y{HXG26`4 z1^T^NCHF0aVs^4X9QI4FgUDFbwXPY5gJa*6NRNU8an%%Z&;lSXz?0F3ajzvn2Pzo~ zc;CjtvG%{;voTV443B{&m*waT$YtJw$Q7|bLmw+dR6yUF0n2GuFI18PZRcYTxytkS zf&nczki;%MkR~`EVl=LzhGSV;pKAsfIh&D3f1$mUGBd1G4op?|SJuXVeLLWb zldpm+|614xHv77QtIYp4P?X_)!CceVEB8XfpU2l|tY-B4_1|-IK=)^qP z7NOIsl>xYC4rr*yNmR$1Z{V6lIaP+H!O@85gEMHRUaMDEH3rWHnLUup;tdt;rUSlS zBq37~{m^M#nr0E}X?H6wB-+W_KS^Y19M+7j=W(V32zAARmKAwc8Idj!iGdz-35+JX zt7pewz)4MkZ(Z2>zP?@oN2*dm{fc^xvO`li7)y$9l_W$f8VqN#N7*T!nhD2gT=toD z0Ho6e3We*^_f>JEoH*xPvbb(9mY>CZEilx9=DdDyd?DOmP0n`S zJgT`}?VZFOpxCNaFa?hN554aA=~svV{p2}BK1gg|oJ1+x4X|Dj_k5xGSPMhWAb+k| zX=4ywO?G{UR%LXQil6Z!4tNlRwOtki#O6Pq;1BYGmphYKl)eeOy}3rQO5X%Bk-b5~ zzrV5aX<=oF0R3ML{-wcx%!8Frhik31D)t(-aj`UkI6t@tN-6v6pWgU3D0(_f;L7X} zZ23*24uB|t?CNZHJET#qOc&aV#FI^8djL*^m_T?G{vh{7n!pn1a+j$C1vRSoFHkf> z&G*eT8Q~4M|KklEJsAc^$t0`+3{ItgTPA$vVehx0Vzy|5{4n@p#F%BE2wQ8M#ve|#>x^asvR0FE@qF9A40Xjo=oIuo3w~zVPkNoH34{gBaLo4v(yW=4s z#SFH@Y!G*RfI@Kgz(iu0OjP+_LvZ97;R-*)T}Dwz!wng z&kY6!(IF5qxnUUttvq&7No|r(eGiELBo8aXsnrnqL0$1r1kN$8_Y#f=I| zf8f1p0b7^jD`yaJ8|!nH16I9pWx+lZUFmg=FtnB*x9%^Zako%q!U`*BwhZVS*uLp~ z3J^e@lRj}`E{hE8{7AS=jySTwFa9l|d!`KtyvgTWmeKaPZK}VB&2cFXF+z?3gvNam z%tFgaZr-C?dj9-tgy39qNV4ToQm?tC=M8E()QSM&BNhf;{g0-ATK{XYLVE%SZ{_3gV{f`AJw za1wJroN=-{?7|BHOuQDCO`!fe#nlTYfw`BE-2knzfwIOUGM`Nca1<`x7|jcZMlOni z_|Cg{LJV~au*|MUMo)sl!a=YOsCWS&#P1=h;0>Jl6mRnB_7yX(%>mz2z&+FTx-?ER zCqmqL)Cy+lL&|5T?pa}aZkrVL0Q`#U{}9L)V25CwHo%mG2j=6%r^70!2ixsnlS2p1 zL8$e=$(rSz+72bcc0A3sruDv}umkAKQtxzHj?U;e$T>%Ex3eNX_$R4Fk z!hOy8L){d>;=7{v?Qto6A{Kg|vFX6i1zcm#{cVnKR?9V5E~Yl54$dvghNH5>Fc!p}N@{7tthEWj5kMQqePLFJa9-IsVg#1m~o z6nOSrZ-5JcjNsU0J~=^U2Nz(wrh{5K9g!&>fDW>E_?baV>4giP$emJKvOmZ=FBcl& zWQl+yp?nhIo4tqx6sV8ueS4f{=$S?PhBDfy>bpr1YTlP2|2xv4I;s-WrHAOZf$o`F zev5o%Y;f}sM{UAs?G2XPeP|A1Jn&@VxoT_1ffpr53}}tneRd@c~9mub`j@w zt=^1)cAN^~eYZABRFAv}POCaQ?vwrBlsd!0_b%DU>pLbJNUuaTP^f~Kv9{b3po+|= zKA}u5VfoPv@t_v6+XhA84X>lH7zY1uWSy%jSgaErbp8|hFJPIwQQTnW*fX%Y0flmx z*3z~OOIzUK$ON6JIWAfmru!YkF6%L!_~^^5)kTHjZ<_pYx+m|;b$&%Veze82$A5D& z+6AUjm5Rd}h2E-_07Xn$k{+-G9x>v@Rl$)P7YQMj+ z49#N}3+mKHTpMIM53)^m0Og*P^>AB+mXBb`j#I;Rdboe*O6fkjb3Ih8)_s9(NPY6- zFd4uW&Bv@~!nw1dZvSKl2(^HLk=l3HtDN!q{Ja*-H(87g8;_aIN652u7wXe(k^vq; zH-%=MTQ*H#w&=Ap@mI0{TSr2_1Lv8X)MfrQ_W;*;uHz8N5m%5O7Ppje={&lq?_ zyC306zjt4Ob65cm@8P*c<32u-Q@L=O*x>@exE2-=%W-*>+kIZ`hWC5qt!*p4F%s)|5|*XoL$FhlTjlV=PJ z_=kP)m44VvEZ?;^d%M#8un*pb>cK~Z+``vW;SrQcNi&S#Wc&Cu%wE#sm4#lcEETKa z$v;)*6K-`_{6vsXXD=kU}==>H!=d1_Q} zcGh2k^y^OzoJB&tjoRcaknH#&r_kGHG0{Y*$Rj%%#V+m7k@23361efdzZH{*y_nl1 z&L-28A6CBwQoG1^)mN??>l?<5rx&G-d%;H0;wcs1gzFD;$pWSfV=KV^FVeV|Mu>P% z(d@Cpk#nnpjoI7rvgnXz__0N@rvZL14?}69$3zHYo_`SxX;EZ$a3!m0ATkzq$9M|Q zi1s7BQlcI6zku>cqv`y=Ve%BUk4yb<1GN=|*7SO;i>x&LaKo`GpH^&j=gfFNeKA6Z zPH|ymS3)luk{dinoQu!#TRWGZ9oFDR_H4(b^&~arY4k~Cy=_Vjn}!t0z97aM$tfat z5S?$COIVlWs7B80ceOC zsS=2(;Po#c)54NfCT6l#EkjRo^OO1bCU$DVi~yIT$ntA@Q#%5YOOniTHq0);FyCts zr_+r@f{#G>TwBu{*0%T358DEBc<=5Yh5ZartnMd%RU{-^n(=2E-ncLRC#xq_GB>|2 zgW3>;wVtqvJP%Nr%up}~=sHG=AM&>bt;70(4e6H3NXQtnbPiu0Z#dZ84re0J6ANp4 z?}Q4CB2G5~iw~qF=Gt|_6~jGj_yieO7@bhRQyctMnzzU@r`BNjZ4U2P7w8m;og?!F zPBGnZ_laV^c&4&|MxfXB`XS*50CJ6?$|-Mn^H#s|{{JOXkEiXwNIiehc^CrP-V3}D zG;YPHzN=a!opmGn1LlUs3@L0ootnh(dBRf+M+MCwopTW_%4)cd28nv~Wofeq7!EGB z1_%w)+66b3&BPbo8>&PnmRHQ(uNC4HP7YijPCESHG24T?EpN&QH++?P5JY*yg-&=1 zJ+JkqE504r&Wb%^5EDx!6Uwb*p^mt{@%rFxzH_MLk&1e+Q zH)VG4g=u1=$Z?6Kv}Yz+x3HM=S%(!?Dpn92c@k6IzZ-^ z!k!|ZVp5hm-8(K;S9a!(!8+A?-TT2N5F6`+DG_glOoDigtPT!KwbuXgWdgGnK=r&C zOIS^m>CDXDYeTnAvPM?Mh+ehVbqz`_cF{20)WE zZ{(p@LflE5#A4fT>GROE%yVMlWNyMp_#5zdtv}9ELWA^{T!($FGYJlr3*{b%t0z}* z8m6O(3&PyMcszr${)dcM=hn;jV|7iMqRsYS-Fu|(@!|f{mPUw2841D~#{&}};2dw> zUgHY4b)LTA^T5&`dN?nKm_!v+3qSvvENGo{jYh@P3I@X?Z#Z6fUcy4~q@{+5U&}m5 z)bd2sDX5mmKogq0P=LS20zAF2e`@GI9X%7<-vg2y4zfVnzE9@GL z!N|8&fTLdteHJiSRhB*SiSY;{y1n7q4>teg*;e)Dz1s$D`}3w*-36Wmg4CpS3?$7kktXTcGNT^RX*ygF&QLdKa zQRaLPznSDb5F7|;lzG;XT!Br(u_XTR0)$;BAAY0kRhe6TQ#|yBWu&u8#bB%qyW63A z_ef@xoMQU%H}a%pHU^0dDYcORHC@*((_CWW=ms`Ogv#7*!^_qov#c@4PDUB+%~J`B zcJ|WF>iFGCNMlME&kO&L!O}lu8_}Xed=YpLVnyiPqFM|Ka(Z8fV|$zi^!IlfL(qOF z_Q3y6>=DHOjo5>Xjs26@BSY|y#GZ}aOdhdoD!jKTDhtq3mqa^J+59@H{G%7&P@U^3 zd)r~>HK^HEXdeu))2eQ9_U>ftuj%pcFiVUGRFjn5+&oJi*`nRt{0gqX)M3ccKr*)y zhAy8N>2u_V?uNyg>t*+9sjWW6QojB~5pdgd=yN;x@z~dk2dLI4iSM00+PywKE^e81 zBU~lx1=@pdr_e>3&5=F5EV_+*g_X;A zhFX)_enq4q2OD{+BlSlrgEy9qwlo2HAr}W|!apRuNnCnfJ>|S1oXinQ^_t?X1%RfD zl{HK~_4>$(>%ao03sDj&X3|Y6!W-Ucj~#}TEF3bed!@^J~wpanbNa-eKS)v<2ZNjI@G*A<34wO^Vy(1 z{cFT0SkGzX1ob*5Jqck0hLVVt%s6R-_8cK&5)^Eo^0x*gw#o6f!XdQk5y8mvh<#(!tXQB+=1Z2Khg;;a4H{`~yQQu+Yy)%K-S?UlD%;bwRt-`BXu zRUfCEHexeXNRVQuS6fbmSjWE<8@`of=mj;8oH#nJ9+yO7T%+rVR`o7eji6dN!ij8F zM*6AM%-~uZ{TgVgNo$}QhmO`8e7~x<0NGpY@q8qzIXxo{D{5i4koUcNLam?C;i#&& zw(R<7`d4e+7t@8-0*u>eRJNAVF>!qA2aeQ|Qd8ylM78>qcrWdf4bH`_b%vwvhE~H9 zPgxo9y}J~XeroOx=}O!Yh^7mYm8ySx>(bi zu^QwP&YFg=i@ObRqh>}`+hn$;?gZtPv};W2CLITncQ>XhJ-#Nq^5Q<%vo;=F@^hCN zbE57kwXU6_l+b>$*zbgPZPQ8|3^3A?e4 zDJS0v_mc;fJ2?bA(2zj^&rtYMibj88>ANP4zSQbo^VxL&%h2$TgA3lpyJ?)(_7ekV zwW~G0l`cOpv6;g9&bfgP(o_Dh?ZjdIp~h#<@BUP3CatN}#yvr4x7^U!*1?c|yzbfgkuG${jx_9vPvO`qqfXMqt)_ z$k9{Q=-{-Sn+aC4eBQ9;N2^umhm3LspGL^b8+AoFVW}nrT(omGz{l02<%Plgu z4F^*@E&#rq^{#f}W|ti+^(&(5poe)@q@_(K9U{Uhni-!R@Zi*%O;J9kIXtbVofVau zTy!91wP`?O9j%zHFccpOh)G1}9M`zle4yS2Q`);AB|x`8V%jhzrqNtZP%FLUssTY) zYd48tDDXHx^&;4`(WW)K)|j)6tJFd>#il+d;Q)jIX~jB3bQI0@aY*2YeJS`l$^dCO zR(&hbUQ0||nF&OZDN)`V@VC_3Ji}(#@7xQ&i-1aH$8Obd^om2-{~Z{dz*krlC~#LT z3DnRvjmnU>dm?!!gww#$C^f`Y4Aj_=L#nv~Ed~nKMWs|H;0$4#glk@KMc(6FXtwo3jV3EF6{f-Jz z#P2}>0Mb=UV=dZL(QLvsq8t*_q{`)%ES$&mU%>UIT4>SkTc0DVx1iV2@}<8&<>5R@ zI!{ybDV5Rx^&7C$Q3P#xMS;P2yYbca!}wo}uvnp7O>YJJb0JSr)N6nGVuj ziZ?2)BYFx?r^N_k2NRe(3sto~RxJrXxT$G~RVfrns;$KgrqvYnu<+Gx8@4&b z&wwe+>x2oUFexTcyQfJF#L8qGE(R+{u^flYma?4#;fdyB%c3;Z46HiB)al zpWZ8xRM~%Sy>Zti4i)97p1Zi17Q+!|cRY9Dg?os? zQA(iY4>yVEeG3_5j~U)UjH1J^ec-b1C#`LgGuFBEoB6XV_V0}aUqZ_J)*KY={*Khq z=J8rcwepQBP#JUFLAlpk_!z*XmoxvEfDEw)R@`!kG7oG~3dkC%`Q#HN4PYuwY`ekT z5R?!zP9=jWUsnZ2jk~X9xSyRlsV~08f|8SrHSfkU#`$jv=|!SoRaybt_c)*tr&pu2 zd*ITEOQK*Zx}r#pl&|^Scar;JJLn^dtX_(SQVyn@`~c6x@g{<5URu_qzFO_jXIVhS z+xPKdw+R3*TsnM>kg`)XL5`#|?#Zkq$UZ97mVXA;i)w`AoSj@^4eNM!4F4{^-75w2 zk3+7J6`r8uy}o?g4K#2|wr;JUd8|?@>Qp2j{9qE+9&=FAm}ka&Rivco;jx=o3-P@6 z^_Ze2u3;_lbz2_pnrrMHYk3qgJNks89`1BD0HaZ5VAv=Kz zbphx%OvWkd(mg6lmj~-&K`4BVa+=atM;LT1FSwxasx~IN0nmCgk1s(U3cBd5Auo9$ z6%e=DA0MQ$x!PA>pWN7p9Wrp)XvJFDj*1+^+8Q@R(t0&s_L$-~lu*BsN;;U56o#T% z=6Avuh)q%7IeyM|QV&(B%QbR0PyHq}#0lZ9WiyUHmrov|+U|6D@y<0n+3^#9H!#WM zwPh*Icy8w;6O($xP2W>*?+HD?H58cl0EQ)81daIEKEz*CG^l)YT@+rnU`rlzt@K;b zp|XRr@*t&Ut__`jJ5Bbc*geL4{bm?%MBd%%=xH#|@YBA#NK$Wc`Fy3XGto{~~H(m9N|@eC(h>`TZb`xTD5*teWDp3tj2KvGr9 z#Adn)keal=GB0GpZM^KPkL&#K58<*sXK>Pr(QoLXGhX8ypXZL z9Uq%o7JdLqQFu?xJ<=d}d(eqt0fNZlBn)iMi~XoYS2DGUixljiM+R>L0NJ~$4_hGo zM1_IcQdujTz7%XnSPF_=MrIB@ zkT~lu@bAPW5>!5oSgC@^?)kp!hr%EaMeI8<0a8|U2Pv$!3bfW#2z%bzlYd?H?}Ef?B+ z=lTnwVfELrg83fPn@1jT-*l7lR!xXBS}r)gy|1E=m0xOF5N~#8XtAmEup@k}MI&qKSG|eCB(g zMw;sv`&luTk@he{wql^L*+X#%Va+}jv?{lNQPl1D=JlFjdKyryu9N zEC=K57g}D2!y<}_B(sPeDsyhzd(mHKPyM)~w6^@jC!cKnMtF7g9o7t$l7O+dIRzO)CR()io7cXThybFOZBV&io0L+S%CeaVwQL~gXCB-J*>jnkCfcvdU2<)>^%edmk*&4OF-*$EGw7H z^`%N+^{Gq}Ti^VNS2)jBzF(JAkr3noU8t1tK2)JGQrI*U>-HmnDZfY;H%R;ZJiEt= z`)nM-S2p5FxtD4G7!Q$_`h(B5Cd8o>E+?|?yrvSP_6;)AT-}8I&%#nCSQp+V0Ld(r6Du8-)gewSM;~za7gyIsg6#(`cEID5A_0%*jsQJDJMiQ%GVK!e23*E`Kr?JjFAa>5 z|NLDuRmm>oN*&cWDycKG)B$#V@^CZOEj-3?_JST)uX5!0{Sw8kad@?HJgHy(^tEV` zUhP1A4`abh@NZ#r@S=+v6p%}R8}uCg9?H_BM1gPh~g|brp=yg z3qXTGpJt{%!s%Z1WZ%%ws3z-#hTlb7aHMu6=oB3{Nu4K>@58fy6SkB%kQ$0D)N#FI z(=&L-n3-zH8hDsZDr@NJYc&$lxD>;T+p|;Av@d?_|G0gzxDNz(C)jjQEyL+2tQS;# z@sK+?p-}t0I{*r~>u|H2?#*f?lFGcKlRTPQ0Q!npu5oB$h%?x}wuPJN2UKSSIeeyG z8)Ol(r;;kba@@5*OxEiWM6sVA>V54dsg;f%T?f8Brm4)MkvN^tv&-t&0R!VUvE0Fy zImbFf(YZB_P2qOUyxQR8?z;hW8aBd&SpT8J`s1(Z6G&{IkM68=c+k_|mncFw3bDlN z0mkLFSYlqZU|Z-u2&4@v$;-HcIHNIOYtShdq%)A}YVZ@GCht9dN2$#?p=ibvOH(0) zn4>=lMJcH$e*oLwkB}Z6xD=pXs!7|1&r?}ge=E&BsUp{67spsyVRpAa%p_tjWuPgr zn*Q2ddu_b!ZKYbLhJ+dd9l{={(WyRZ8G-VOtaGx6=_plrte`ti#1XXWSdHh;8?d@A z2%bua%GSLo$|Kvq%T){R$KR>&$<3#INk}!qZT^;)~ga$2}eOicHSh$GIYeQnw%q z30bA(d1Afe`cmGO2-s_J)q#9CjUN0{J_0r2-olf0i5XXmu`1sp8^IEwzP140hzgLa zD?mZy9mk&o@O1MJBBKb>6Od>VPI28%w~QYu)(_p97|XW=usgEOfHOv_ljDrPpGXu7 zT#dreru&es||B z;+&%uknj{@qr{LP+HCY2dQVU0%_=^X;T&+(!5i?p^zG(%?U7Ao<47_w)|94m_>CA4Orn-^Da+&o%wO*&jTTy^sZ**>kDd%6 z_SxWqmYg3E6Kk)7iEiAt5kkTk&M3sA7KDBa`_CE5cY=%V*g}#&d2|*J&BRUQWF+`s zyUj#^d$Yhbb%^Y<>sfzNYwQkdF0rKbJ`nGIu1Ech5wnQz^~mSajXGm)T`GsET_E@L z^`|d*%QMo;pQ9B_<*8nmt`u_incf|n2V&)-M5?aRI;j}d96|9Y4-UKWeJOw5eWe%t z<5h2{W0?*g85CrUnT{)d3u#PKZhI5ut_TA$P&~8*9rw^;U4d=Uy*5~QxRoAqdx4dL zTnt>Wp6b{|VM@F`CK++s3vv2Dw|~u`Hee8>gm(PiBAK?Y-aXl!v>WrX39nmsZLzZk z8rQY3500twtLnvZyULEl!8K6JpwjauM|IGAN_K^Ysl~Poa(q*_7yHE>tcz$==<_Z< z{3zrQl#Ixn;uPQQLem@@27#1Y>-zclA(&z`R-;3AfCSc9gE|KJvHHv<&{aueDrl-h zgEyrL^9Y@hm5h-39s3wc%-b<_VwMsDpom8!JeK;gog^M^s`src1^s5-OhLO! zHi5opj&creRjQQrM?j0Un68Ov~jCrZ6iTc66=_hVFLJW2*;<;p3^LfD7qt9_se|+5|c$=|6IEG<&FUVp1ezwCd=#0kniW4}b`ZC)9L04oDAD~=duN9%<5_K8cVzOH4o3k#qZ+ptIwVOUzwp zucyAl`fTi;iiw6}0Wc41%T>*_tbUHwhJB;MXy97f5J9=m zu5ezwIhuD*1&5Zuz|>#;JwX7Fl4ab2a62MuDV(hIxRt6xisu~4IW8dsxfndkEZ>Z3fu;k%^Nwa`(ZXFqjkBa$sa;O;@bg(l3Y z6u-1KGE~vl2RmW-5s-Ex0g^*(;6a4;$6TQ2o`DcC>HFZA{sI!T6(E$0oZ!O&IK?3k zu}PLR`F#Ug6}6vA1-!jS;*xF_z_Mup&$!=VR1W}CCCf5Ak9ESNQBn+c7mJK9kLr|B zl7dLw^2f(O)SF@23(Fp!kh+$Q?#UyAML-;+?v2}PLqWzzQgrR@J>tlCYa9qz(%L1! za%~dzk$x8c**jXPGe4<9Dq)7+WiO@R06#Ey6m+8V4)9chEj`7^QGU&{cMl5gpra^t zsoR3Nf`Y`s>!Va}s&ZN%>2on6^#oE7)I2_&c6;)aR>10Oc`v+&Wf1n0*6Z1Q4u*D)FnT zlGi2ScNOW2RVs&`r?9R)l@_8Ak?3Ex*DCs0uQ;ENf9Qh#J7!e z>>*z)gO>9hV4{p3(qLP5&Zx8k9VPsPcL_2}*x2%S9{M*1`&{Wp-T>yJA=^_SV!50C z!6>1t&zy{cqnhcl#j$0ERW6U`U$-Dc&}&j@P9EmkRTbA z`XB{Rs4uYGZSi{Vz#r^E=g=miS|O|nMFCYzJj(9ERL6WpJs`}{q)b173`^&mYTr#z zQS99=75eJ%DTq&Hj$%{+g2j$Z?Zm57QitA0QZz(M+v{9XHRVgM0h*J#uBhlEV|T?J zeo)>ejXrk=U2itM z5uIRr(X)893&gIm9w4G6kOp2oz==GBnYZ6HRr##p=IomawNwIFjE;zz0cNTI4gvln zP{88Mnl%r`1|!@r_kZPy5+V**+M!i!Fh#U$f^*HeLqg7;uf}l;<9C!;%$9n@IRClCP zfM~tOqRn0pB=|;>x*MQ_75>~Ex05L^(g65Z=*tt_fY`ME<>duf+;X7SagSu894u%g z9r9QIlI?nweI}rFzZfBsHW+eC*30whE5baVN-zICfJU3Xd?w*xp-Ryf-NuK!NajS`(@-}rle~JUI7@sr_!QM_+&0eeNRznT)|bt zp0iAXfy5Kp)MX@ovi`*}f)v*6koGto=aEB_e)~KC8arMY8_6}I3~mPGB|GCJkD|P; z2T4oJda7FLbdqz1Vce8@LG!iFt0|)>Q# z=tPx+=DX7L(D_u=HsoS0TKcu~(LDplE6eXQKt~%niraE@ZAK9}129EtjO&v{dityV zpJwY;qNI_xrfeE_9j>-ll56v0M?)+x1+8J2t2IlM)#dSwMvt!* zTk9v%E~ebO9Sr4tK!E+N9>ZuHnY$juM{?%rM66XuS<1CqF;Eqibgow8^tN5qd}~Zr zjbZrug7)=lD%ch z9X!QXZG4m5;?2_z%D1aV#%K)DElHsrh{8cV{3Pv1LBJgo0hYA`36aL#DW`BkP59OTO;Us@Y+5dfYKw z1X?-L{iLoNl%8tfr@lvWZ_n0?`^Uv$QS7ZF{^;-?FsVh3?rAtqyQv6Y152c>{;UFl z~8vQy}-cb?KjYKl-ovmv_6q= zEe7u@qp&*Y!Drfgb1JUN-E6m0!F=5h+$Q^jIRiI?yKL)HCcFtxKCnESb9kmX!+aid zEUuk3ja+eF3|IdJgGsIJ`w$<4W8)aN7p5acwDrgkf(vfcIo&7w){dqJ=TrmHHC%=enN8}GXT(LM*$YtFLhXgQufZ06Py!6d4DJWtGHJh%a4;NvKn z>5Y7X0=aak+rx8ty|})7ZtH!m)gtTNIWS3DaM5?EN1UdIaFY@B=>27lYVjaxns+i( z{oZ8CKLbcW`|L94Ufkbb5|#@1tA z)mt{T^BOjdw$}uovjV1ubNl7VkYFnOGD6eS)AQ(76g-AdEm@P*;rPQ;jobP?txD7- zmoy^m>Pll66m99R_m(l&ZW6RU7^V!-<)_`N>3a2x8HWP4TtCv)heh;j=7%3IyHB+W zVb?&tRrA2FS4B{l5FWlM*>M+(lfD!-w-|%5ge+d>d|7dkTEdI8e@!7 zrbxn4fri>}ZM_TLm?~iit%;T-V`ZidRTtbtM|GYU@eYx%k1f@ky-3c&k*A|9B`dG3 zm7`%Pu}eMbGrh8K)vAqKl9jdJ7LE=us=#2OAR0)qn-D>bf5#`ekK9#}6U=+}-kdnT zjPmTZeY)$OFpnN{Z}4`(_L=ZU!n-la9o<}dUYA51y31S?w)Nif#E`VQIVm)7b979H z@s{cJF)cM6LZ2=N5*%QN*%2 z5JZ@@CYau*;tvX_UXwEUP?PP0RNt9Uhr9IU^$NaxA*=~>5PK4Wg0mB3ySJ-9W@tw4 zda6yiEyiK#d!M6O9MW~$7d`|>-c3`L);+ep){At8J;$29u6cAImgvbB*7hGUPRoGJ z^+az-)eM0kT7odPoNwSqL# z>K~ribl)GHE(T*|?QG2+w^3&ZIUz@2@&Yv@p8)q@u~?5|uk36IQB%?h) z?bZYZJ3L1K6L+!kIqjDr??Si3(vVUICbU>pWz<(1gn4pxQeSWxmatXq+B50%yJ(11 z5E-ItVxO8a-zW|`4(<)0N?HMG!@7tLBjim?a9R$%tqX(aN#=|1DWOptSf}_4x@uZ) zskep~XtcF>=q=Jftw(V)ex>5fmsiAE<7p+`Rhh1t{PeVpk%pSDVi{2UujX0<1R*>F ztaM2gaD=52b%T`T%xsz@4r|R3uZ03UUF^MQIe}7rx`j<^UK;(WMrq99PeQD<8%rxx zwD$TkFEhUlBZo_A^+{L_oWT2_970Dl4l9E>yw#AWCii(6`5MtJbDdYsDqT)2yS7Hf z=m-gPM{F)y@^u-C3OY@ss!vFxgR$0lVNOx}oTenNUh%QeD+>Kg`uE&LoviOssW9S; zCEt**NlErTP`#)9)dFSEK(vW3ba^_-&Zs^e)|`(Bt|nl8EZtNkloQlNUJsZ0Zb}Lk zA#lV9b@OZ&XPxxCKz4kqC^B3HlR8@S8rd|KVeTqR@)R^zc>7r^xL`NDp&{GH{2?LD zw`3)C2rN`Ow#VDqk&7AvpPTU~ajrxFO->3IW?8%5lYILU)Z1gBC#4+v)NUS5C{}d@ z(ozAblxOn|VQ7%>^`1%RAEvU7+q;-{;m(4cZ%b-@Gd-6|X2(q*~(VtfoFTipz(M8|4S9J1o*J>y1{N#A$1T z6K&6m1;Nh8V}vZf0Z1BIuvD8OLtt|Pp~fR~yc{Vlj-wd7ww|17tZFLqZ?gbVJqE5+ z9)R`i6^qB6<7uxCrIi6o^wTPoC1`(j#ApUW_Xtx}PhD4CNnV5i9EwI5^q$~d*W{q) z=(YCFA_!nSzrR4$It6sfcLH+L@7J)D4?iS`qGI1EvNa&CnW|U@5#MX z9noU8YJa@j>7xWU;MFQ_dihv>X9V>4omUI0wL02Fv&s!6G@Yr$l7v%<2;x^Cg%cRL zvND=a4L0a}lRP6BV+@z=)?tZ>3Op_=foL?otmqq`FA>2BeYH0;rNlI$%JW1prtRzd zt`E?{lhh3G(d3jQih1$*^3=fN*z%!%xc8jn!qL}ZoycG}eO_NdxsmxahJQGY_RZ`) zd4XMKB5Nb&q0Wn-a5rdA0qWtjEp{5*Cj%^?n7+)RUQ59+?Ff1s#O=u#}QCvIk zLLZGZx&~A~_*VQ5M!E|QH2yVQw>W<6EP@$Q6>PPa@r(+=kp{5p1WpA?<-dirO zM88n|0TcwW&QrlO$xz3N{B%l@NE#vvFkc_fIiBoHjnb^~2qaP_s^e_Dr3?39wa$rE zjcPO^j6dpkDd>2$HP&|>u@0idk&9ssdq%Ge(^@>Q5#kDrz)e#&c)PMhF;qbOVfB_} zuMlfptx-YM#rpyFK?^de{rT27ZN9|LtATfidw2G44wBcBUiU7?#OCqOGkq({smGk# zUGgNFdkqgy)%z^tA!OVn!n1E6`kR6As{Uk25z!(x45YDYkrL1w(sSAa#y za&gs`HCXHjNXGz`9L|4c=b%|>* z8#Oy3OS^+(i$Qz;0u#DC+#J}LAB(0_aX9a&GlsbVY_mqr?1ZaSr83wvAkx&% zl0%fv$f;D-9s+ob3RL()fsO4A&B~%JNqPdb5yyM%b@Tcal|T!V`jWD{9lT)tEB+hs z9#d8HX1tjhN@}Mqkk9qTf_4K*z>IEbof>r8CNMf&7CaJ`=9r^b=Lrsmb2EtN_UbA< zo_B^`xx`HYha(Q|K9R*8l!1o^+z*DL-x|s_1A4RDP)wIY-_g{absU!EOZ1__3;(5v zAH~7zucFr?~4aE0&i%8ul^_?9E+Lxh2hxnGMjiIuxK3)w!^{ zb4(t1g6IL-J##@(&4Y$ZSJA+H-m7ihcWXnPc@b#?Aq2B>SoSJ9f^MOZH-n zXYXb(KwZc5_L*HWtw;WQcfwSpgWGIiK8GiLcX6%SZ%aSKITCdP?Y0Q;baQukV(pVa z|G|EHupn}OFgs3Ve1;HCJ)B*w#^usg zv6+fe43mxmsP%KF7`7?@>~a53ZH*Zh93f}&v(-NtJVKsW>Mb7iguwXd6ag%v=|?%D zZyx;pp7npe+V9Uu1PXPYUdN#dPKf;R=2V{Dfy6`gI4cBz8G(Zl+~x+*RXbQQI?h*s z>zx;fN}%Y>UkvCTKmVjRAVQsgTVRJSE1D0&aSNd!=f#f`pnq87+)c&!_j-=sZ`&BL zbaRGyB@hZsV{N+!pa;LZoa7(CmOFEMUcCyi_qhFjxdqZw5MZzyC3G@+n|tEhW_<02Xr~2n#N8rM!IPbVoZP5*s4yk${gsG{1(wC;`~1 z6@bEsCiq#IZu1ymZ-q<;1^lEE(Yz4)jC5fof9W_fOkM}7y*Rh{F*$UQODCrjMAz_` z!>x!Y#ecX4V=TU6P<2Qc3R{f_GPV0N^75Bm$fuwvw1UxW{jIhTB&}R>af0!*l_ms+ z0tzl&FR2-bJyZ$7r9ZN_`T5dpsIVR!X87xg;u zO4V3RvDCcU9QpnQcr1k3ts(ngj)m%k{~T369dth*$aDCLT~QqVn8S?M!J+-tZSucA z?;9wb&V0&9)ctNv;ji4MpKt!Zc|b0nZVw17QAO|B|AAEdzr2#rU9#ai7~&@wk$<^G zf8MMA-2+UD;R~?;m#P*~75nwI`*{(6@!(W0T|q9$jaz~$8k)yWvlRhKzYoWu>Dk;? zBp_-?=-~q>6%2ssG&UYMfiDc8#;B`NS;5d7c@lBvu?+gUN@<{pv;k9XF)nqw@#P8h zr({U5095ea4J=Gginf6F8Yru{mapc$u1l^!ld8Fah}|L^iUpdItHEwlZ}zx6YT^QD z!y#MFllN@bGD%j4sP!&~OCDHtLrdYl|J7ycKpcw&XYcqWswYqYkVS9ABLnS(-{@^P zkA^`~m_%2Rus=cpU`eVx7vKPQT)Oh~@p}+GS_HN&ftk97@7b}j*$E`btYPu%x&2@N z$pWwi&hOz~lR3|Go$(^IGSJ!dg+@kz^_o77?e(5^07j0*qn(!PJ?Qj07;*&?$qU|d zOjD8C_7a(&C9>5E0QHmwK!Ejg+JoGNLeL!%_rK0~WoJ!AQ@Cs*OHQG2Dd(a^$UAQpu+Y|Fc!2M^#)ndgV9{hOt$!h&VQRD;gLA+^TV&?dc(Po7agFNlA7|2nF=Gb0 zUx5;cbwJ&sf~F(c03b68u1wq2?{$j&FJFOpIyJ65xW|;8{1nLke*MW8g#}7&C8&@@ z_XNaRaJLS=KSBgZ7y7M+?b0e5n0cT&(mUP#rbe&RpgaqXuoj?Uamk|ReNzK^&&^}t zzg$qeNO}Q=@;^^_G1BSOv5ftqy*EEstbc7yz;w5O2U~777{TX@L#vwKdV5+1k0S`Z zWtQJ_e$E5=rH2;7>B3v!wi?W92D8-GUgN%M`B?ui=Cq%eM)E;EE#8WxumS(ir~c!? zxab17ZIz&VsW%PabV$D{ZNyhl>#62AH7z5s*MRR;*Dq z1`a98@eDf3&@lv7M+kR!(j1;mr2tr7PeHy<0T|=?>=WwGpp$70NLQr{vjiugt(4bu z3VwwW({KMrU%EA;rn6M*zqv^U%69`Z~wWmubG zo%sSBC7ax!k*m)Mpd)MxG!a$mR5^hnY8-IUvY(%C2{&&XgGKvbYY)s|gEM#AJV1zH zA!sl`)tv0B(+uWQ_9UhQ35&BmUwVu$03c|*sH~-MLfcWc1{9VH9EzEr(l^Gi_q))~ zbXG3;x=(?%rx2WivQ#zADfYdfAny3t@82(vac)5baju>B|Hs)`hgG$;?OwV;kOpax z4(V>Cq*-)JhlDheB1((2sDL2di$+pFx*Jp)>5#57ru*Idyx;fjZ@=d{{{ffCT5HZZ z#xtJhzJIqJ@Ci(NOemxLVeaUyA8e^0*>NDnTA=fQ0IsWi>I`-Y2uoi8m@4D3_pAw`X?Q0mVB1Cc#oc*!_plVyRNg0D*=yd4cLQ@a5I!2b`}nCFd$6z; z2JvCVCyM}C*GljNEM4A%&9yI*xJ-BYiA2HbJmEjgNVro2VTDR`<}CLeD*?i!HUeg4 zVBnrpAf_jq2jxJ$WC>fF2MCENr9*m1%GR8E6Go)c$Hh~^{huyB0Wxa|h>nkiq{I+u zYy&(@EM<>_LLs==_=lTI8;`HF;S42PL?nyghO*RG3lc4y_nhT;dIHpJYOOd)z^!x8 zqsMgy#XEWY*7!Qt$(u{}5cm0KespvF z{iZh=@=p*AAf4YXGJ`N>?`3qGS_Ubgl#nqXNG%DtnElSwWP5KGGlB~&0>&<_C>v0u z64bJkF2CzJCG7-M%NtR=1ABx{SeP%7e-(n37{>?S76i0BeEJ98&#cGtG&Vp$bnlwE zB>*JpLc;I0f?`lp!c5Y?g4J!c&beKrp)r+<2d0q=W9B0m_8dtElY9U7sl?E2*Ka4v+?mAyl+vcSHEc zKI)s(heu$uEC5(08AvO9b_p)3zA@l+nFL7iJf>%v9+pdb#?3x6?yScpA9F5cG z)3(Z%k{mXFbJa7l!waaiy3k}{l9F)#2c}2WIP8!xrKENd(_`8y`7CQW(DlO?N?QeWWA$AF?sv4%R)J zBwR)FCKf7d$Rb&`hXxn6D8*l&!Lu@|)F=fE^6!0}Y!uCL(=>ouYY8!X+!q;le!G=Xh1B6{6Xt=10A2f(`&JR-F)#_1D%K~>3|1fb?BW>>r+mKDp+#mK;;&u5 z&)y2cXHe$(>3X3Of5IJQ`6+5W(pOpp);xr@CG7JaFbhlcEIDuxjR{2 z-zI`<%9jA&L-_{EovU(r?ZnJ8XaY>$;%(zL6rmw4Z<&)TZY}#Vd(|gpEv3t3;~0P& zh`X60CFplU&)eUo!>nUHq6~zY4oE9lY1Z~~qTJ7AQ8sH`OO76rz|uDTH}PO}YZP|w zaqcEpJP(S5^I^7q3+Is(@l+>6B`}kS$Lw{MoP~++mm;>=b)7%FzMn{dM^QPN_Hl70 zuEIV?^&Y)$mjA>sHB)^=PTC6_!b8#_l075yPj%H?b<6Pzb@0UAuf9eeo3YR6Hajod z=145Xr+SxodQWGea12#8=Lglnh(8u~Nsc4e+B9Vi+!;-&il5*0#x`J?;DYUchw`(e zRHHIWf*csv{V74FTZwVXe>&GO;^(Ds$?A!Q9^rk?%lrPS3(rLsR*FCztFp=L8mnah zk7_WDUojI$gDIHdaH$3*-qkA~j&yU4KuZz^iga--_Fxp&^vuLGvCTK21d3+FVApLc zh$xeO7@-g{JwS&pEAD zaPd8RHSe?U(EDY=br-D)C)ZEgwEXyhRiwq;ip+(DD?k2pD? zR~BM{X`~eZKpyW!1!`ME{SKH{?tG0vF=1CtMc|zJfjEUd;*p+8vf_LjONO(?)Ru&E zWI={%r#a)7pxd&7^8OmACy$TA+ziTTzw)nGzjgYQq5fO~35+H=O3Yj-N=_aRO$dn9 z_yfG;G2!WtYZcC&R(Zj>6{5{70;dI$5Q=Tk!uGq8H=Nf}M?OL#c5A(>q$iDliQ}@* zGTn;97=z(K-||k#=p?m=zy%|>n2yznzmx6G(O_fs0@K}+m2&myfUp3TMBjz?M3}iH zK})}kvCq%q`k$_0daXjDvk%656e|O_Ba{L74AvUpVu~%;2~H!`=fD#xp1ka$Ylm9a zE?x}8TGnpXv-;h*Vff7BZB|T1T0JhH6!Sh2NVjwvXZaBAHv=lxaj*fWsvUy1vv{P$ z5_RY$#~M{Ns1ftPNO#1|+!q`k^Fej4FQ9chnKMm8E$5u!`RK$eOo`4GampQe9_kj- z17PCu;e6{V9v-c`+Pawbe_pfnHX~H`kAUCpW65E3AOOFWa|u?x ziMLpGy(y5-W+EJ~Hqf%90ytD*DCF*(&zq2SyK8F}eTBfYz(F?bwJ<{B{vso8qIS(5 z57RDXsr4?`92batP-)G%ZzR)Ohn*s8PI@?1Bs*d084vdEs?~6z^})ciUQ@z3pKuh) zN-}QFMJkP-K|Eu4DI_Q0BnS@lMv%=1)495TpG3(8)b3?&EZt`wDb4GV-tT`-SLRMq zLm}x^Ai(7bZZywK5yc>iH>~qecJ7Dd_l#0YXWUOSJ@7W(Y0%cR(FqksBs8HA#JzE@ z0yge}*onPzT8VfT!EAnAR^1Y%tynKw>mlM+toNz=!3F-flkXoC#TsW~5B{f<-z$9P zZf9#U(N^*Dr;@pNOlXsB20wfCd5r?!0jci$i@g1%F45lSj7$pzd`=|GV8D>OLWQ;S zxGG-mhk5Wg(9Cz>ez-Q1CQsG;EUtR2H$XqFP$-%D> zEpXe8|4iNwtjdy-7M7H*PwbR%;o2#n*omq-DASQVZ-D|abZxGbPGXwGfThej7|RMC z?!F2A%KaoA8$AZallfW_MXv+jVS(I4)^~J`kp9%Ur?nigFL<&U8@AXEd^^Q^B%hpy z%|5QAZspHOElteF+{f<27=^T`Xo>j?@L>-x|^ea-m^1%7tymq<_E! zh0yoavo3*Ebn1Xp^9<%%uU2`U9bW0yl?w6_CXiEqL%fwm6oqM2(LV3MLJNT=8Wf}F z?PC7|O|;h1UWhN&O4_4v*pLkMxCj@kEcRcdqp-#?uN`&_Jfy97D!t<#JnKZ}Vj5@3 zeO#&?$N803blDFa6tLt*sA-AP-LEt>!N)_p?FvQF9`5)Bg8j%HkiB1jFFGXI85tJ5 zat}2vR^MQ!NKBFY@Y;z%*g9AEVTU_rC&!zQ*Xr_As?tW^xc2&tUS&ucm4PImAKq{R z!(btoeU1y2soDZbql1mk)8}>Wdbhd&l-aN%!xRMtT&1;G5u-s?H7C-x8NSh+ zBJ)Ah)qqt`uy3NWHjgid7_rqFx

119dk8*9q288<(>tl&%%uKy`Jp z|HYy6S1n0{ia_*HB}*QTLceJxWa6*(UQ8H9F=HU_JdiG2-jfybL_zaJ)f92DK~;6Z_X=+GdB=niLWEQGVItKqLHdGS>JEKuI=v znm^$gozO47%-6~_IJ?87Qg(o^sC*pqB0x26t%&ejN&RSTxcTsOqXb;%k?!ajAG7D% zm8!&if0GFc^>0a-ch$38Ae2eQmkUt#e_i%BGBo8B8YsJ!I}ln8oUz^9NY%AEdmL~-I7Dm6257`#iIIY+vi*E#M`l{qbmAby>^^ z1maz!D1ZC7B<4^*^B~RtniYn?+g}%-PzR=nRs8CkmkxNC6PdunLh$RDy^k{v+?|9lkTyxRyNYQ5>C68 zmCtEL+b##yhQ|p-JJXq$5{Nr9Pr5)h3UkyW>!GChK3ii)n?DLa@^kFDjS?_4e|^R7 zm>xSID+EGedb+hY$S8f|{kKkb0b!f>4Qq8Y&mBt}^(mmf zOoXx5RJ50jPZS#(TD8+b6-mfjH(uKu6<+fCVo6`E+DT-TZH<c?`|>c3V*Qh2QqHKPI0`FEh{|`1f*h-{*S%tAY>)FxO_w=;te>Fvht9|#|QfR zFUVg<>&FRqy42 zwyHSWqX!wapNbU>x;xmJ?3I-!n(l|lYt~KW%`5d-C>bWhM>4o?Kcw{rIRll1De#M- zsmQ~BM}55N&~+l~jJE_HDmY+^=&Ks?VgAATD20zGP4Il}P)&uVr-hBx2R8rC`WX7i zp~|w2I>qwYlfMMM!uY?@K89gsn18`On4iY{hJ8TF`Ts)u$WY(|3>e>a3oB|Q!Z9$j zA~T5f)B@y{%~M#T=Igu*JCJ|EF${le&9?Kfz;&+uQiC<$0V|~GtH;&bWl9}G7`r-U zBdDj+FX1^hIUHODKAOR!J$*tUo3|}(^x`I23BBH6LX!D{ktFG2Z#}tzUaM&+(@x1v zoJ$`?GYS+gZm**JN{@Ro;gc^yB>mA1Iiy)1l~nYw`V40*7k(~WUhJEZf9d(sjk8%KX;G zc24c~xkd`1e_%S8swk$X9!Vbd@s{_dp=6e6MN0!lM_uG!jE;zOX^)Ijg-z-TcH(g; z7wc$5nQNue?3tngdqR()UhM(Lp4>aFUxvI=buFg9?vM66=}kF;fSXk9viW?idu+u7 zk=L9kv0$#Vyn<<238uRK!j1}zLTtQY3P}|;fa@-TnBU08L8&NDVTU864CYR}5edH` z9eQ6vh&Uw8E&$m7Y~f1{)45Us+3Kb&WOmd-zprkCjCqu{w1hXCr=0 z=RI37?y_`K^ld`GiYhye^mN5(z5!%~Qm)t=wv}kk7NXPF8+B%*S@Z z$frN3qwiD7pA-D)4T^;1boD&Y?sYfT*GXjh{_2#N$MwBREJ1C6n(#_O<5r1ZlD}#< z$?E^Z_16M0f(-N=p4w0g_4mCpdSTFP;84iS32$O}FT4zNTv=+}LlfonEMG^cp55i0 zanVN$?Hf@tqjW99V^=41S6P?TNYY(|zk5K&PM9Xmxt!{=TFt&@;h1z%lS5%6X?)#- z@-SJRB$_5Yp-Qa1JIm zK3L)Bod4N_a?Ea}hVaZbQE|RKL&1*K%mnnk?U%p4p18ut!~xx}%H`Kd`9*!$behu* zAad;$oRw&@;ptC;!f!w@WUvC}3mj}FoA{I7@xT7`XhRT^i3VMZgWk;{opSBRU-T{k zARTs@N~eUN6%$@!DQf^*qAGf2>e@lH0W3+_1Uap_xjYZUacgk@@2c~L3^3KxOLB8a+tq8lc--I zliRRl8L1~Eom3>`%*=$W(CbMBJJe_F0p@ohP-}WSvzF`Kio{Jcx*fm9tFTl1Q%{VG z>5D!g$EPNSUL{7td_A(UB<<{|UOiSA>Npn(WzI-9m@yTF6=wJ@ep0p)nGE3caw&03 zRK+snAnW&-Z27R)_-meUGq1>|j^dSJ9)VNxg~qO~!AOWs z29UKGSXIO*pmc#r5ffbqyp2>BL5uZ`l(0s9or+uwrVfFZ*eka84t+^ZW53x5)?j)Q z6Zv_kS22uZ5&@(TY@l?Hkef&cV-sX+s^>ql=Gh6JEDbm+tVrNm>f2YcQs=nH0as?l zZd8dnX8iIc;yx(V3L19mvEH6R$MNNwLUa0oDonO{YpLdTG}`-SV!;+0pde6&H6;*_ zSy2Q~uJPIL{7f!>@f}>2aTmv&9-7^%bzNYf)|vzps-_;`7<%9Y2JB}-0( z_?>@0YW%bCR$`3HM^VXtDwnKwY}bx>8Oha@2j&2qES62cgW`#R-vExe;|VNUV?d{v z4`R^R+(u*TiR-gR)Qng%;6z>WMf#>jIpppiimI)C(<|Kg947jDA{uHrPAXY>=qe=a z6h}N%L3DeDl1|h)2xM@Ao6NqA9|z6z75$$qD|yQyPgy(&EAgyusEYx^;@wAxVZlK9 z?+go#quuY4)S$_#89+ht@UDlpyfM|9TOFd+6Fb))g4&laeThQV?%SZSU}=UZT=M}*Ck-G_DUTVeZ~~W1&R@Sh&5cFGf<6AC zZTo1s`wdos$gd&UanLbZtwRoP%hmtRm~50q6>z!`@@#{Jw!co3!`*(ecNsK7)cgxm5fSR};7h*?06wJ-_tlsmk?p|x zFBpi2GHo@S<1m*Fn#i?pAR%5HBT*bC=9sz+IM)0DE{ks@8Bt~zrVvX8{DTzW?>p`2p268oGK z%hb^c=&TWqKLAN2#RslL3_v>nWP43Br5y8;G8O1#*y?DufyuOLBzpvd_}pxI7<=SV zUFu|9wN+qjZzDOW#<9H+*3X_>4pvZqc>HDQQx*=pOru=YcSRM6FChR0tnyC)g?s03 z07XA= zaQWUG%mPI~{}aoPUc295>HkSg${Y@P#37MKa8aerAg6+|h%~F3k^`mdjKg?Aq7J+L zFhCEYdJp-#Sz#`-~si`bqF-v*NP(+%+!t)C}XGPU;+rP+WXqFbwK9G_Df@u zdJd8JPWEq(MCXig{kvpPOeUI1{*=*43ah9xDoVginL?Y8>WfRzOwhMstXX1KYgm3m zoZr$oR&R6^o}(D44ZKZOdix=bN{<>uu2kIQ;(VElz+`E9G~(8xr&ykFC!1u_mB_tRTIK|+Wsmg&*?=Dm#hG=-`8jaV z4A7epl%LN(|2BOyzxwG;*IAei2H!2)q;c<+WVo2QSAbiW@_5_G`Z2KQvGyuuYTpi)e+#8kGvsIM!~g~Br)=K>^IUHE zq%yJOt&uch_F;LJYm4C{&{L=^cypweN_PPIFfR#3&q0OGW~W~OJ~2<)yM~~)D~1ET z+(e&6HRI{vYmhx?(Cu2hpfCFKrFMaQ(-U*`q(>s0iJ@j4MJeiv(~+-7b*g`(B8XjRVh;!N`Q(Fs89S<#0$K$|dc8)a#gEv+gDs?jRy_${W#4m~hv;EPuvub;|Ks^~X&F&KDlso~m>Qj92aKj6|kRa;Xm8cY$9at02S zL^AGs8h{|eu?*?ZB64o)-tu+eY_06kRz@B~(?E#uw{|fuJfPOP^f8@(O~2_o}GX|+j`G@g&8Hb;%q38hzO3e(o2K23yBb<&w%cum?ru^DCii} zS%bIWT!Be0Q17`&?{Pd97YuvIi9}YM;9C&=`qhwa)Kgj3W00CQ~bk3j0f>F*qJe76gXvi5TTGp6;^dP2eTQ& zR}@3~-q|l%C1g;5POhKi&rVV$BaMo;N3hvyqp$Ke&sWkdWGk)v6O53xRc3~u#TWF#0?DhNYA}BwI?!1v0MS!r zu*WZe$d#5LZ-(SH403UZ73Lw6ouYoyD+;xbgJT;hIMxRNKA>*Ur&b0t6;CAtsi6{PK6SFJ6i=e zC%}&E4mHCtqBVlde~^nM01>j$BP+6uGKP5=9x1n!d>xhiHKeF8Bg>tlF}`B~+&P7% zoCV}|cQKNXjWONx2(gAno*8LdmLdCglG%KzxJEhA*ZXxp6mD;|T34Nek_M0r+#`!| zh3}z6EJZ6>J@;21pJT8EK)FB=v{0$dDMz_UDaV`#pA)Iy1&|z2IJMhYyP(jk%32YS zSD&EWSc&=aE2v)boE!HaygqMU2lZScTop2diS)J=zcrfr@^>5u(WmQXRiO@EK%xpW zn0pDI5`FSb%;R(+{GoxM{FP7_h$)7FYvw+;da#nlXP1@1?SPv8(SmS$Wb#T6f#G4SnMxeZ^6*n&|hwX=yuFuDrirU)l`+pAO>k`j@`uxIf=#VCXcd3>+ zwpTJ*LaW#E7+@Aig_432Fb-~V0K9CB{&AdA;B;_7r-4`V;65tadQ7NtoZNCs|-~P+sIp~ zXvOHSM}@Gie}yQka?P#68-~(N(EIF2+=QKk>Ae39RZm zfT?58C6YJ@oGDN>yMlyWm>WY_*}_iw^tmL@-DZ4Ys%*nV3H!67n0mn;4mll{0W;!` zs)m$(5Zz7KX@RXd7FO}~UEuZEnOnf;nfni#ROX^VSW|Wem6H`CC^9Ek;PS=k)e;Fe zqr|sm3&$taFgHRR4G@^Z#fpu7ZpWH(x0Ty<5IazR_9mG@y$?m;8C+oB72$LHV1a3y zLtPl~fh%AbEfNQenKCOSiWyQzv1UxDCwp3ii_3nn=g!Ze3HSh2qv%O+kpbkCCI33aW5H>AU9S=gSlU)8sJ_b+sfnh660JyJSRzK=5T#%IXiN*pk^^E7iHSJ@ z)g`391@i>InDpIfkNLM9v*+h6rfh1fC&LlO=HqCqbpyg1cY)IO?n)igf7z zv5{$0+k&R9$0!@GE>Pme$?EN9=xbtH-_5^=bqW0uDN-_72xZlE=^7T(Vh2r`a z>7@Oo+G8VHAjojUvMlhKTlI{$40o&{Ut;l<+%FhKdpISAI#WooK!5bhi{9Gna#%%v3aa4yBumPKacREn!E_0mVMaa@(Pa5V! zb6mYy*DfOF78EcW+hSky5gN#FXBiD84DwgiKT7r0XhE*2bq~vk;;_M*1 z<98WObB9B_Au?07s~di{4?pQ@B2@6>#`T#hFM$WRgH;x591}y^H#f zR{?=QAx&xtWSRc-x|v3W`~1uQzo@7YoxH(n4^o)54K#Sh`VA9kW=0-63Wg_}_~wsH z=w%f|CE_J_`$~V&hp}OKmrTD)rF~UwSaWQYr#!hq+wk1l4vSC;&}Ce>sO#Un)_)aX z%lBc1X>QX5XgcM`@pKnvM(i{$TKYejTt-&m871xlQ_O3t;lLxAjFBV_`rdlX1m9u+ z{19|{^GHAgsIEC`$e-LmxGd03Q85NROvdp^xZP;{F_K#GdX@_{E5EkVvE~Z@Nw2{% z!$p)2rM~0Rj7M}a1na1R*8e)|@IUaU4;&;k~en37o)~&hgC-@9l!5F2^Xc5}&&2vG?e^aMt0Z z7)zb#!(t*sovF*;8sl?%dYfk@*Dqbw>xF>&`r#|P{zQ8+4NxE_9-C;6ea0A^p2@P~ zpcb&Y_dm>V|L)<+(?pDBV@dXGD2C7SKpJTIh~N&2?Fe-oDlwr7M|A|JZF%6?m$f75 ze@~ZF&91M`=SWL}sqWp4*AbSHQ7q5OTx%y-U*L1N3gaOYwqtw8xGb3M-+jvWYGv{3y3UB4MvFEfrSVR5nK`ilrZ(qe!r||er%{WjB z=>R_PV^8Tupvi%yMH!|7ble73FO~zQ5;HJ&s?V%AEHB#Y2|NgaV)a?QE&=7{E7w&I(#eBQ6_^h*_D%RHg%PgWT@8uV)%M7t$I&sWO3Yn5MU zj<{S`SqV5y(#pONx@geJ3waG7gMOHuGfFng;RK`&JTZgm!n~S`0axcNPGlShOBiGM z#q_>Q=2K!c6|Enz5=6hFJD^>y#w&B~OZW!0G0(V#m0jHG0h-N^(d?@}q&IsSv7Wkx z|K!?NtU*b2dCzmxZbW=SH95r^J1t2p++<0G&A47B+y!7&g`kgUUbRtBcs{PZtm~Gv zWJn;B!@qO1F|Pa!@NzLv;>v=AaR;_RePF`Os44N=R!CwtBU&fMplJ1u6tS0MlYHsmlxxaZvP&PzQD!eOqC%UKPM$ zeg`HJC|5i$8!o@9nbee^S{YZEetq`XCzV=|$^%c)p=7z2@-8YA&Kj!@N8*l^Ix<4zyIR)gADvR#}}U+@n(g)#hhleo`F~Oo`{{d)w*PkI0qzp3a)q062|JP1+=vz&=2&9 zcm-S^>b6*z5s=phnn)XfG*@j9QBa5xu0_n;AT5o$rqwX1bywu+9`RUt9(qTUfe`9i zaN_Gc<7U5}S3=EDS>~l`UIj_7wab*q1*P!4K~>dH(v?;DWC8!EZKMwfCAN+_II5@G zDp^PWG|Gpe{$-SZy6}flzM-Ic6F#=Y?kTzLtP4(d56>=0go0n)pvi~Z8`lDu==<#r zu4XVrMC@Q-zJ{n$<6M`61oky;-#(+BP%z(sHL_Ey?~Bk>gV%0+$-V9CvC56e3$D%_ z&{glROnY%&Ha{c_g+KHk4pC3puzKmNuie=VMd=gVYsFtBh2*P(lQ9?O>MPl5r7L`$ zj(x+eWG4no;k_GF{t*~ls{Cye-u+`oH3Jo$FGTH-Jnju0aIBIdw-ItjTg)*a z5ZDGG1Bv|;{nKEpRlt%-ymFO7lIxcJmo+_D8>7WuOahr3sp!pOXsA7=G-k>;1HBdP zKd!jY>Km+tpO=SqpmdjSmhq2&9PGH>6fIX=c#PV%sY*mba)4L(R^IUDk#*YC8GXjWAHx8UI{S0BTOpB<; zC$-sn|4Sy%zn`^67^P79o}N{B{;R-H2)k8etolL1c*RYaKk(ZB2sHolW}h_A+dF`6 zMgbrw1L4hMkV&xt`rLRuoTATw-N|aQ^^aE=)dFtRwu;^!2k@ZjU%1;4K(Wx{AR?$V ziCsSnVy=2DgpnAiLvD457pre)j(>c@EzIl4|6OOO`b>|S!?}5*w z5UkB86KL`=ujwD6uJVTdd0WwlBF;KiKC-n0tVPX7X?z$Q?JEDFi28jWY|sx8CRKuv zLG5Sp8gzgDMsPg3)R`Lyt12%x&3X--Y|LB9FbJzOT99@Gd8&gRnn8f}vemZ_6b`Rb zUNja}R-?D1t$?-2IALgOSAN05{LlaF-`~}L{aPVfN{iL>Q)d#<8!3C_Wsg~aARL>q z=m2-!xS|wj%ddbo;)Z?)<^9Jm!Hdz-2mwG7<^FWx%DiWKDbQOlc-8Xj=V+lKWseME zCNk94f;u^{E8sQJe(O}NZ>z6s&3Mt^fV&v~+V1aHY1#X1)*5mdT>a#`NtNv|-S40O0Yi~Gx(%(` z=fGGb7HsC>3v8q%R10(r`i|&j!^kYjXLa~ z>!^RPss7v7dB_Oo93{ve)r$Y!GyI=Fkv~2i^-<)!ApOzY*tY*5V*gtj%2f6Kkog%zU+U$w785OK>tkp zt$>qEFGy(xpE;|v84zXKPghuFK7!Z<|NmC_+9wUbZf|%5+&6w60LrZZ;0T-*@9bGy zcpC28gwD;+jW)vOIqoNd>zs+-;=TcRsfXe7AVgt2Tk#FReE!or9a6{O8|jHyn2F$* zLydHGO~8i+dHj#R#*vHMj{vs!A$9bpTT?umziqXUxf}-tBlZn)L5$SD+2N^9KxTVp zMqalRqTQVqZ+8&({XpOl6juc%pMB+%c(ELT^Y6DKI2(}HS^b%H*n%xRtp*6|8tQU= zit7y@vx4VAmVOTig-yhP-Q=u20F-ItEx|~KuFjV-KL8U`3z#ysAc6z|upW5;9hE~q zz-L@*zBK%Y_vay-A;in?;XWmH`@gOv!Ab12RM~iuB6c2%?s%!`dUk zypO^jj3A*IkUeNT>jE77(KVRm=9{%%gK>xUscqO_zxt23JRbaMQfN_WER1u{aSVZ2<00T39@jS`a z*Z(Ej;rAk6z@)B=nPS}Fsk4{Ic{3oqmR=x%p^t^;APZz21-{?|`rHhHKN%hHrvP&J zff?{A|F-M<9dGr`aOTj~3M8GBv1olt&?Guxc@25?3Gm)DBuaxf)Co~zcaU5xzna|% zGJF`w8ERVpxaN$3NEF-(Sm*Se`G9oIna^ZjO%*epDD1JkvpV1~-Y@^jZ7WWWG?uPK z;*R{wGa45l1uq1_WFi7l5T^m$Goqe8#GnBBZ%f%<-{v_ZJ}NX6Q~Hg4_}}iL@rPy; zMf#Ab93=!yT}|vk5upV(M~&0G1F*AH^lU-t9pK^Aod=l*BmY#>fX5Nbfk@$j2N=5-F0_Xi0)wm4JV;=`gzZ?70z%L~>OC`1q2(S`ja>d8 z@IwH9P@DHb$Tf?x1^*#sCg>+}v*F;^GVgwGZcYpU{f|7*HP^F?`g^0%@8x)mD!9O1 zx(P5^P)@{^lh`#t^pOU1hX7Jto_Ga@;w30}3L#hzWECg?3=I2d{t0z(d{74+6V<%1 zr-jgV<_o|t+ThF&<$lH0&#enWBNZsK18moCHh@5O!--gV4~$bZf${9<+#8@|#J#kl zDemQBz3W{OLj|MES2Ca9I@jA}VS|aJ=n+_WSd9uPoZzp4fW){QU8eV=$uA#vnT#E< z9F6yh-|7Peb+L%&RvtunPZIzOkR#1SwpEu;IxtRoQG3;CU;GbOJ7^W5^bjY$hHq(X z=cJlqos{v#elMapsQ}x6c7H1G!(yOb{dVPlbTjx(H)vkNXcrHBbS$l!MGA3r(h-Ds zFh1l-P4-|5gb2bb>ER!$GDQNWv#2sVvjp6%&3o`8m2#!Lif#6=l>r4ig*!#M|#yna??wjTmr?PVI*Yo6u^?- zFdDYoaZ@z{b3Up++o|2&ICo}RS7sDQh-Ub)4Vmr_fxmj-7XYt(Jk1u{9(a?hFn2ii zUDb!1*a9c2d=KD4&?j2-uq>~}FqUZ7(eOfrk(Wr0`FozePqc`hY+8#X~xxV5E7K0 zK|7&ZHBb?eHlqE?1c2&cO2D=VmeLh(y`h4E9T3X>c?-=D4pu8qm`~BiA7?bI(#0 z`N`l8{>E5)8&5XXP!<{`HXell`|WSf0F<2WJKdkf&Gqp;{Mc8r*ppr<8x`^6kf!Cn?NCP9*YjQ8K{2hsP9*R53;`(q`Xi^* z#4yhf!7M!_Cf>ApxQI^B_L>S{`bg&O;Gd4BgZOw_mLt=sH$Q^GU#XEo&!-wjp_aJ% zH5$}4e0htz^coJH%q0fzrM&{^N@D|RR$#NZ zUOZ`_AP{1|VQ9n+RyJz8HUDGSb)jvouNr#yUVZV6QC;7`gmOaFxV2t@XB} z!1dS*2t|Q&4R1$zv{hUc*#NHNUCki2Q;`pmvoXf|}E*;*Ds zX_%_DpCo_vn!DNGwPJ{qT_fkl{;6tIi* zalFeM0_VqdD9682~6`Wy1-@V zh)~$(2CRep__%5v^j{R7$2qtSE4@kBAd&7S?@TC5hnr>-6+bUuvGxhC$A$CaZPVh* zFH$AxA3qtc?HV@xQd2PL4b2jbJdRwhVm9%4@Z5sg57SuKDIDg7bXVpO$oZZSkE~x1 z(e|aGfA4&~gR`4mhvffm-g!^YVkP@URmt5QKjO-Me*C##78yv9?<)&;c#x<>1=Vgs#>Bjj^!u!4%&R4Pw8@_J&*@%a8=dn`w2kGcc)*}IE+ljsGl~J!{N5>X3d638xRl#;N1~*5v^?fctZY$BVkyV>z*t@0N9o{2+> z{_@4U<~#2*hy4Jhgm(z{{rIb)aDC84ibi*|=|OY?aZQcx8P7BwJ}R@`vfK8N%MF8d zJ-9oAF=JlPSlCeEvio>$c|^DD#n*ak%vn~Mo(0R^fPIc2t~b5Gsdho1ylsQR>b4q7 z-mK!9F~|hqv*9#V%f2}RAm-Ibw>ATQ8&NrUKAIRmJKkdtIypOHQ~!ObP=^UIyPp{d z`iBBT*sqSt&?!Dy?WUY^HJ#Gkr=)EcLSODeGH{1d)e6eF!)=3#Fpi#QN~Qm-j7PM))3vifFqWKC+fs+d8-| zSSs+y97R9a<#JQ)(sfIFqkbxc%YM$HrRA243e`iu zS}>cED4Pe#Afb)7RUO7UQa?RskwquW9QDpY!f&uR1{?AlR_lhEYtk_mBVbS7#p(cGu&c! z+XbJ&z10tN=(p`QKs9$K%E`MctF@XcmInuI7>qw0#M%9sBad0nRi;p{X8TA50EZb> zhL`?fOc9A6=(3`%*wbNw};|H2q+cn_t;Hn5L`KhLr zZZR#r9Yd7Ajo3N&{5}uKE9;FGzK`$J_|8!6TyD=38G{0R*q>?@`MY1&98{o8nBM6m z?tABoyDQmURWN8aP;+;cW$*rvXgPWv?nxOT3r+XiJ>hjGdoo#xec03zb9JXd`xK3s zD)?UVXtdVi0&Q|!-ls19Z8b~=XLpTg=G+jF-@!qXXvb`K2WN%Idm2appRS5HKcqoSc+i>LVAG8C&nWCm>d@m1k zP85g3NM>vk_ZNl#66kE;oDvqj9eTp;b#Y$o?5^XEcFumx=7@&Cn=;y2L%!o+_K1mm zZ=-vN*yw!7Ute6hM>epOOB%N_xh~y$oZH_0~gJhEeA>p2ESD0 zzjWzKKAsU|zvImT)G@8;5myYuaX$}~A*tF)T%m$-{<~tXe*T;uW z`)*r^;R$Q@cq=kEBXI?qJnW{X!?y@hR=mGJ_v*|xs00` z=sj<09B)M)2ehTTDVzA_cb=qWx6rACBsql`y`>Kk*2j;3=|o&s4@S5S+~4Q&y1TOa zQ*Z%1i6;m7jtbrLwVY>wbA->kLdU-Fs1T{@%;eYGJvHQ)_H-EqmB`POaMzKvhQS`~ z$k5am1d^o95hSHqCfqkv|;7n>NrIpFG0zehzMzdr5>*#@tULU6}^X zR1_li{BTzNt0*J`{J$_XprdX+PQ8@hqi`i6;`d4xx6$ohBYNeP_zd;%#m>o|r9UA8 z-xHG4AE9{mbY%p4&%PmZppRYpf4pQ?m|*%UYb3YFJwg|S<%|2^+S6UWkCtwklq`AZ z$#T3*cHKG!P$ia)<_;zM`qXKL{oQcbD)T{}AsE z%PeM5a~GN5nH^jPOPj(Z_&GixRN#LJ1lXiW7ZZfT1)kEUuIV!Jw2O2t{eO%JP~f^ z9&h~cbZfT#R`esU$ zDWaKsS-%apyTU(;fMMN>wSDy~Y4=Xc7usj(?b20`u-?mKX&D_Tc)vzF$bIiyAd7X* zgR2&wUPAp#kX0|E_qLOiqK@xUPnI!tN`wGjZUB$@t{KxzRJu31@6@g?+*5deFG1cf zJL?98Fu104>wYIU$5VO({%1Oq?KD$POB@DHo31*NKYr-)X^8xiy48MS@kY7mGb zJzVBX@xq4(viI@By97ABRYikJbgjh+Tc7B42*=9z&Fl0{>m2yVFB)5Y*vAXlc?wg*b{9E5;!{|E((Hz;!FX>iqe`loP7%~?`3Q6_FR<8dF zcEa_l!=PNn`b(=xv{vT5de;(sX^Q_t*;|KI)vaycGz)=6Nr#jmN=m16D4`uBcYvZN!)~>B^`H|lfi1s z4iy0w{~#OgukiJADvwFA5)uq<$Ek@9f`JoVtW8?4hTvTkXMvTcX}ftTuX@l)4*$Gz zSRl%rE?tdAuF#e5wyYt-7C?>gHPAG}go=Wtur513N+(|jxlt|IYsCnB#Z#~1X3AKW ztr?&J79mw)q8{ff9dYiF&wZaS4_duVKd8dvMe@d?^(~aq!ah0ckp;Kc*Ld+T$5%iX9Gyu1HfiGv zEu!3p##ov-Z#kZ(LudveFf0Kmh)O!QVhZ26CGJ$D3AB(UmlBM?oR=6gY2`7SG=_Ix z=*Q(x@z?@cr~ADz7Me80{bu&!ZR3@18c>U0MqbYWZ4nUqBLPvs~R ztK_DtW}FAaNjj0ne+q<3RYhOW^g`N|{`b_MVcv$KN0dX+wic<59iuxR_y+PVcKk3H z6OCoHnLZ99L)6f+cO+bBDbY<2Jdkbce9G+FaRlFpvTEXXlKDrSNd2O(fsveT(HJpo zXtHjx!eEjb+Tpyaaik?OP#sa`RZ%YD5%)TYj2a=L7{CU=IE*$t8!Z>}rPNCu!#b;jzjC^8f8NoHf4i^L1gd6T<}&#|>kLf0TX2Z|9Xjv4 zo;K-+T3J;a5n;I~5*OYN^Ws%k=6O406NW4hg*s%atCGb)5LgyV+wg4salgFJ`RUWp zo#z82tg4alPQ%_Vb6Fh*HnwNnPO~+ie2j9!` zkcjjSC>(tlo9idFYI)An{YsYPxoAAi;0bW3it>fKiFV#uCE|Ud`ohqkZ>TEa-ixId z&$CtmW7O4}1V6@N)^pXh6^Cr z-+3WXI_4wK2baeftdsWb9SH`!=ufw-B`Jp7vT5f|+`=q5{0e5aY;s|mE&)p`Xw0tx zP$CsRPry(xdtVR`1w}P{!DUA`6?#nLpSrcUUaaTG6g`s-wD}fG{v?Fs#ar3z>tO`2 zD12RS3#Ai(ofri;(MMQKAkWBN8dzM1*UFTJxKJ~&!$jvqNcW4=E9|Idwsj6m2up%u z&EFkvGn{d&-d_TvM|gqVH6(jtyrY@@Q!Ckyu~ z%xCEK_E*fPb#Tp06sG9^bOk9`XR=7g z3!2GGw!SZ_)SHo2c?d=?IIa1`J^>xC0B)X!<@URtJHR@YyEZ8V*@EYc_|WR^l-GPp zFr1#8maL?=)Tdl~AXKmHG${6UJ^(iviC0NiMp#l8e|>sqQbv(#T7Q0cmhGZ=8yLu4 z(fcZupi}}Q7%f?MTiqm7gx$O;2P9Bq04$~6P=i>&$mdu?oR$twm`b7(kpFnvvA|Z8 zqrR}x)GF$pF15o4_>7Cz@sBMEtSC>@cM?MLcvc-Is{k)4V}E@Lc$TG)mQY(ofOWo@ zMDtT8tDlbS^~E5?QYqQh@tB$KKtiiv-qj5 z6iAqv*yYCg7<~!O@2$NDXzO=|U@^zy@B_iZ%1brhi})5JQPGBR{8e6Us^Nrh#^P-& zr$_pwz1FL4@dAHLZL=XRfu0in643?%Yt z`^c$T4}n}05|7cO!}mp)^41B=WS3nxr#v&dJ7J$ffB~jkxxG12J#3kMVvXmy zYr@~uK{?|z38>qubnLBYg)c;po|)PtNQD9gYyM9==KC)@ACp~ zer0_va;jcXaJ@~S*z|S8%`2uTHX(XD?}-Ez@Pc`9VS^gYzC~A=*D~1!?|% zU5(0yl%I5CJKX8DDS7NPiC(qF&2-^P+FU%QounVXk z0<$s2bd5xQDq9f8*^35-C%nwIW)NDZ6F&+x&P(_K?o4Lg*9^;Ub*CeSThWYV+Q zjXBnp+GJG-y{>cL-H|mXGM2?k8(?ccSUWgEt=>&D1O#Z7QsWmnc}MKeXLg>MVXB7# z4ZAI;h>1YmV}A=Ia~_M+m{9mMr3a~60oSQ zzlHbC+!?w7U0+H)im}t5Olf4C6VrupETwJUOG`0GVtGXel?}%9B*X2OF$5G5-kt}; zgC*xZ?F|MqKOhF6iRV735G`>50|mzkW(#D$C?J9v=>tMege4yNNO}&aVIp!e&DPC+ zsH)nU1VN9fUE?=?#JNWv_0bxH4FrzMZI>T3pLj$*$HF)x(rP;4 zEvRdten);K4nAoGXrXyQxge+(bWx(lLjw=eUvB_g^;{Thdg7-u>5(%;dW-Vw@u(Y% zFr^Xrgzb6XvVu`{W%gvqg3_wBQT|8SzDJ+v8P75aFP)7X+*el71ULwg?dbe)D zC6Lpk`-N~+>_CVoJK|#H?Amd@KOHUr=i50B-o+S^2*CBzl4VYydAb5#Dkvhh(|}?Ue8^@% zL+yQAMs;8@jr1`gc2@de6R70613OOrDVxB?U$~o1x$?r!q)j0x-IA}PQOs=;^ipj= z4U#v|-ZVeW?Tf;~x9^`80-+)WbmL=m-dB~yY2@U~-d=1HhAf30nvGctd8MeA;% zjZNJlZ$D}ge?)ss*?>>iO@UdX0j9>uM0wPxcDLVo+r( zIs@(usmTuEFRS=eM;4Fmy8R+deiP2J2g2geOgp)Osk&&@g~K}C4FBf0F$q$MYBHLl z$A|3Xn($bbAiTo5D|JjwT^RAz=ke6FoVI+GCkdo0f%KW%v)+d)GbxvpbM+jt!2v)5 z5G}j#BzGtv2eKJn!v3SM899VNmEX!{fqkxAJ@a7xIb#qd0T8e70(}6wT|AH=eHx-* zoB{i6p_A5{fo=43tDSKon0d4I42N>W49(K z1~xospc4iqtSFAy#21>Z9d~hROrhY0wKep;2JQAV2mPHbAYdesC;0Pu_*U{0T4E#h zPo#urJ=AKU8yT`Mh#Y6dlZ_5yw%#@!3JDveK{r7F(Tb9mWwNkPU(RO|3}pbkm$y+K zMGGR5o)JRHBN$Tf@kNqcWZv8KeE>2m>%6OrL0w#@4$=T`tGrg@gHs?}a1Y<3Es=bX zwjE9!Ufyf_%X!-0k;YCpf|+|jPg9@PabcQoZ8gJ}E@6~<_VIKB20!5>6s~ogPVM(S z<#tGV6>@F~8W&=AN;SV?>5KRH^kBO8LAUgmi6tt&LUYfM*ZuwXQS3428R+euzm}vZxi?W^sg{2)10^$_ zK2X6oq>){>%L+735AWLOXjeE_trQOtLI(1Lqi}~W`LY@G&4Tv@OFN|BlZ)tGinb1t zS44i&IbSZLo3pQ|x$I#VDPsRIvc|rsH)al#f~m+1k$=cbvY@H}YW^e;rA-&rEQYJP zmQf8w_KLd0P!a5NR=h3`cYTRqA;O~e8Elud8?Ndf#Tg^7bxt6QunFCiuQ!8-lPf9q zuMW0a{6j+KD{sDmcEVEEXEB<9QlOzY9gpCr=-|xwcGxePHV@|E_3w}T>75OgTxH<) zWC}U$6Cl7A)FtT!^VKG7zkWWiB%A^8+t_3U)gBvUHj8`SDm@K45-) zhfm;j^9%@>Ff&QvNG#H7Gf8q6XT#BRq$Xt|qSgQ2aAhDkaJdC_+dtv; zSsF)Ei@Mob$8*)pqp?P*B@Qah?}JjDM>u`}z29dm>lcCMQ_gN<-sv}*hlXfY<{4pL zbA3UqIKg~91I$BN{OQ&lGfJLIi`>xMArC;15uQ4BUzM$D9@$Doj=@my;Q47`R6(C< zD(aKf5k0aCZFLf9N|V^E7^ldPJ0o6d1b6})0}+FYn$3fry@a=3RK<0(Vsl^USVuZ$ zKv2ORRiwY4Xo>6?u-fN%J3ey`AuB-6FjStV^Oq44uO%Gx`FcyDv_K-hum%6+uo>t0 zz7;gUuX)hzwOHlSa5}?T=_)&dN8$;ml{wO6XR%pa9eo83_cvBL52Ee}IT+_QB8kdK zZBU#8M)PZYM8(W2aOhVh4E%c`(%-AOF7#;eOC4?>UhU1dsJaq*bbUF-pt?CoR2{{x z04-%}?M&qqvO4hIkXQ)=gHf6r+4c}iXJv4I?!{jJah5IFHl*<(xC}2=4}eKan#+&> z8sX_pg*ObX;sPBN$gOD_4`zST%(o#$1@lA!+Esc^-FN$xdHY^sV-8H)QUuiu!(wg^ z%cEYP;4G=oaj1bxnV{%aS>Q-HI#h^W#|5iIeA&7LBZ?iI%C3kTWeJ@bib-&$b|N(|*n`1265(8{a3pzg@R4 z`W3HV!1GACV$w9?yR{m0B=;Ig4aLgqv?4FsuK6I}Ax6PQS{RHUQRjzxhVuY9UDQx(aLsmx zTmjkiW2C&37l_qT7!jHmYc?7b&`f|AaL>O05lWXBP_(IPueB_6JpuzZ2C1)hke<}G zm#qE=lAArCxmY0mdlNZKDQaBxOJ!#erHQKAoy1IzdrW;kfS}b<{r2JXcfLf4tLADi zpe4)Y|4v=Xe80xjqZcFjwEc_#S%wmJm_F%8`gAM#dw;kLcTuy0M2~q!hoS z^acP2bL+wgLk2*6^G5sS${gcaRBjJw(L1sNR#c2Y=A*(w)Bcio10$`5gEj9JV)H)u zuxx&_>2$fiICky|_}m8^>Z3TlOJM4W0n(U8(|yZs8%d2$bAUXO;`J7-Wn9@pPQ9=q zhR6Gp9~#i3a-sB@>IP0BE#~=nGl9L@V3taCAP`z2XU|47q!G?ha^^K0^gM8L*sBMX zD-n~yJ*0|P)FcZ#S#iklUg8SSKwqYxen{amB3zjvc)jD1Jvt$a{9yaP2&kl zJRzGt?B8}&eLCt)z{c#_)%kV{aL+q&0+9*r!^zdJv_V|tx-bUO(Eqa0F`_x0Y1EQP zg(e%5o{OGLn%Oux=*6SAC)3Q1w!d&tf$mr%r6A(PFl~g~F3@D^a4{9>L2YfEB%hP` z$6RE<#=Dsam&*-*}REJbPInv@DS*cLHVF>2&1DG z`JbR-wZx$o#B7741Pyk|QPi+tyUx0pwsKZI7S23cK`myCRgah1PfnyS4vV$1YY!!g zgJ;v0u!Nj_{S|@JoeX)ba1iF8wG9?^K^9kQ7*=vJ%{kaq5wWkwnOqKoxR= zFjo>u-sPqeYua*qz9;B?is!42##DuB4o(Ags^0GA+Np=V(hjJ&$GpcZ;*Rd}f36bL z7O>R}`Gx9BlwPzNhn}3fXtw0NOYG};_^qKm6jAHv8@#$V6)6(**-Y+zxX zT*|+m$ts=NccM2}n8@hOY%r`@&FYdMAu~FmARDg$i%%pm`0NB!Rg{MXni&0_l0+eh zUdxp|qR`?F_P^7te+Ft_7<23$TyQ10Wk(hIl3pUG?V~qxYfZtz_{TjaE_O$2L;OVZ z;iJAlXW0HRjqDjl6OmRYNF%AUNS9(D;^VT-qm;PI(jnD}Am96PCbk!`hJ7O1QK1j} z9G3UVxUu}4vX*)NJBGi;2_*tupl@wePQt;&@%%7|1zVXWC8##(HmIR5^o6ysF z=d*GCsJ*32%tuI4Hb#915aa3}M%iVn^lI7mwuL8F$jv_tz#r#qCN^Wd+1pAfJ(=~| zRi@YiiE^9>cb;*{8(_AxHua&W;A+vz-krP>^`P5s_OiYqn!7hkGXB^hle!-5?9tpe z1#LsRCdd!hl%73uFq$|Dbey$2*Z0ZZL{`pw@-zl?lB-;N-Q|x~Jt{5Z%2cjp21>u5 zRO8a~sPmx1&aJKzl)7QnCWajN^I)19^b-AV?HL5agPIsU$o42G=KLSs>_s-<@9mtp zGp@XEaM@@sUxgYN@xFlzwxcz9lv+VACEe&E&mEz^ke&FSmW$IGvOME#gZVyv_9C$9nC5%zRJ8$imVpqLig|!vCD<_oa;FDRt?lFKl9pCMXDuh z9(iqrA%`}!+(bgmMdsclN<=I4Ji$FA`jeV%kP0L7xXdXe@O`dKwFA@eX^Iw#I-iZK zfUM6iR$8d!)3yXw8*NQgWdk}WOfmsVaIHJf){FZ+uNrn7$-&D`-9)IWgPJuIwWhf+6yDJU5qY;x zTKx*%_aumPp!mrAg5+b25k%!opAxQh*G~s)TOzWxjPX)g+d>0W?daf_GG}4|_+sS=YPX2tC4R9foGaJFo}LDc*myS&xQVBcyebYH&9r#I2*@32ihk zy;8{+3H2&Mm0|rj=6i8LD*F1Gh73F9a;YeJZ`>sw1qn%KH40tmk{Y(BM&UAecFGS) zBz|6>Z}O2=mZ*14R6`;8z;cYEw}#+UtL805u^_6kL@Vi*HJ?wHe?IK>bx!U_b@)L% zXW^9j{M2d55)6*X?JDeO{&v0m7WHObM5?Gm7UyQ2NbbzdCzKW6IaMaK#I9#!skA3) ze|O{1moRI3(8tf{7go;szBj+_jXrnRqKFa-$##pJ^v`j=Chf{DG|Umg zKR#4c$ctA2`U3Rm@$yK=l`)n!^atVlsg~szblB>ij0F@n<$O<)xbfeQAsCdQ-7791 zP1Q%5UzWoR_VVHbLqe@s?WIX40Y|Vos7|1`kCo@UXO|1ikMp~BSL@bS7k3R zViSzuEMjn4cIXVv8wozxsz28atw{prJDo7KYP6UNKPpV9Zz z_qQ)rG!yUIDzKty`?JktuOP~zxEbC6e>y)OS4$)p0#ktZ4QY#gklo&O_zF8yD^+6w z!o+-FDsiN6@lf{ZgTt!?tfz$+%2Wp1G%>rH82h+P&-mOuJGl(}VG)AaJUw8ulToOA z+Y~D71>6^W+4ytDk%*1vik5ohB))XEUOZlevFx`pqLw=4^=(zQ)4zXO#dUoAU=C zWErZqH)2Z2!1D+d2Apr+S|w3ekp!i7fjua zOiX&1J=ClhoyRNYa1Fvd1ULvwbC_;E=Oy>xjJ#oe7{dCwKDQ?K3w_YTmtBNREJjhV z`p1v0Wz94kAdP@=#hiC2w@4c%Y!_&MzdtPR9uv!aA8;Bjy_0QSO|h3?vbaVwX=87# zgSFwXrV`TJEL~ru-ayNZML|X*Drerk^pcR^;x5zyIi5~3mTI?cVvgUZj^@m<408eP z=#(8>qX0WZE!z_jsw8I=m()r>c{f=pGVy>9X|CR4@OVxgo<|!HS2eOLf9d*q&`dOK zHu^!b+c(=e=Qtm%Uz=4{O)r=#Cx2LvGR&W z6FEoo^X*aqp^%3sXhhwLh*V%L`kPC;l4?{eib(zT+#9kwNj=Sk(U6D|T)qWyGYJf? zh_9W3)f)mKc0-4vXT}gI)_od6G>{9Om|emOpt#!%haf@uia)|4kkf~ zo-bWQ#NX>s$JpVKBd5~G+OfhAI4sV#MT}*C;&!}dV`&Y15~FQt;Yug~o#0Wr7Gozk zq&qX=`E1K)M46{_$?nvalQTi%gP8yHx-SBd|244BaQT{zP~1#)1XniJsyFpOGw}Udj0vpj83DJKKGc5 z$@jM*`^6W40QDMelC{rwlDGZW2e2*Oo794lHWVfNQKo20l!&J* z62bA%$clamSau+AW2t+GfGW)mdUGNE@;E$E=}L^UnXg?1)08s z6ta;e_(>Rd^bN?oRzQryN2r_%*q2fUgiqTU*r5e0VEj~hI#nn?qlatvBM~psZJiP3yt3-r_+Ymy1Bq?5n0Mj+Y5< z1NV)`yh1GiNcwq#CmGOKGy41qW^3AD)kskwi)Ot#4=D_kYx^WAQ0CY!e*bVD_~|xh zRk7WdY=qcO2I*zB#2ZvrW8xbr#Vi8?B_*%%>L0@E$W45W~bf4;N>AW*__~-I0Y~DBTQW%o*PrcWMH7d?=X5Fva0m+gSe$TRYu57v&2YU zskE{ZHaS_d{d_BtM7$P#GxY_dwa4W*!i?Giu zu&?_0wIE!ge`;UR7i1$XbQmi!z^5Qa(cAJHX*Ht>Su(M?k7YImCWjG6T28LEpGNQA z@d`#l_?mv_4Vqj0p}jts4uMCZSa`L{dn@YbOe;@pdFVe=KOw=)+i_7tV z&^wHmT#wYCDCAGe@!tml2KfFTlj(P@jmyRVaT4f;H3KSzy{gaxMo19A|2#b#mI|W# z!&OTD`v%ADz~)@5wo-~M?OT5@qx)A$qqHUf*vvQ{r$B!L z9D@ZG0o@N5VfMc~e}o~;fSCFc>B6a5%WE}x=mnB3l@Be5?GRvezHA_Q{sM}&eAv^% zU;JV*J(zGQ?4Q!ge|J#^=%}}h-J(vrH2)S7H8TgJzzrlo3Y(`{m=q&%(G^L>-=hx* zUeH@eDa|^v2|%`b4j_UEATc8+|LJmu91QG2`M2wf4Qd9jb>i)xFZ6e38&Y}(5Zhtk z!n_*EpKFML3k&b$dlJ?zj{8{okM(2}qBU=fdwx^ryRjVfXvoLluSDn%KxExTVAKD~ z@%wt$*B*FJx+Xp3{}{{tyYCD>jxPiSlRKp?ruHAV2TqGd*hmA!Cl=cYFv(KG2E2n0 zzmNjL@^FjVzkWXoNK5u(u%*18+{h+~jAvpZazPKOLd3u$+Lnb{t)pN}T8hlyjcb=Cq|eZTMB7TW^2aRgKP-ZOKA}&H;GsMRrBdXR{^u|F|M>?=Em=R7u5XKa<|+T>=KuNE_&+B~ ztREfL5d!!B&p-L+ORb|v`w6(gTD<4W1~O0*J5RuoRxZ|j;;jK(5B%WJd92)~h`kKH?*Nz1O{WgT)oOhTNg%U=% zXnG#8F;QyNW)luXFa4lzNFX%@#FI%$Z!Xr=H%-tOB@MghuzRjFulXOo z|NnN6Q6MgCB+EjPy^N6#H|MJ0Ko#Me$}RrE2p&u8-~H{~9;lkCCN=zucjy6uR5yF&=yMBT`ysf&!lU5E z$!W=Rcg08t&*rs}LdK(wf}H8PZm=M%Z7x_a7e$H(lyB|k{+!kpXyO5pf3;rx%sV<5 zAAu+3)hsaS+9_G)lW4g4?z(s@`W{1KwGPZ?H5xTaG_H3OvSjHAz#Tlu9QUS!z^BAE zfH!{9JB!^P!WY^MT7kw$!5i>l6PE7X4fg``yU|b){1f`TgV9sQq{^!Q{@4T$-I#&9 z_V~ws%-_O9wQKiwA_W)knQ&VaIKD|des#wFDcHTpbi{fY(d^zf1D(n8;^9Xd+lbnDK*vDeN*+1B(U)h0&=zkU#c>DhM0bLJKR#o>k z)TdDVzyJRK`k}x5A=8X-5+t%{48|$*o-0Y6G#>N*E5Kza0Qy0p{&Q|M1u-7~y7d0> z%ly3|E-BszoS!gw@7zMj{rBG{L*zG>08adgtQ&w4@G-tF&?+@N-UF?X0d~-g`^!)t z0?tbvtOaB?BpyldpSP|l!ptLcfz-tC|GE)K>M=S1n78a2Ky1AS<>5GE-#nHMMfZa@qWK$KKBXbkbZ7fd$>Y=^>TuyC~pKF3(k1II`bqxfN zgb@FjekE9h+-DC#!5Y(thB_VGrfRn5BzDD`xZFrvP=FITC~iwT{zg*uksDB;JrZmt z00Mmw;7q+?9fP-qU>Zru;G_sS7}WS)AF@9W7#sZa zdRdq_-p9AqmE%HwWd1LrMqm{fl#9e^lr5Y|{03uxl0bkxXKWC>dnnj+u0kQMbZsiu zc?Ll~K+TFzM`Kt0fIng60a?VZ*_8+dyy zIT*(C1}rqZM%Jwy)9Z;b+A{%;7dTNLCu5Fl!TseT_6A933V=886ZfP1%ZC0xZ`Df- zT~6AdC=1&&kQ0jg3*Uz1Sz)WQ0fR{ha;ku?TY)nWnWi93imKCK+1UY@Q*qtgsRLk< zCxRgb1$3C|oI)6i&O)Q2pw5La(D47FHpmkr!$^)qzzN$2S|Xdb_rW3(enVr6oSq8| z8d3)21}<^5w=b`HxtcI`!KLr=fu-%?P-e>7v2aWI2aRJpQOiOhZNkabq*+W7@=!m1 z3AFxUEnbp$>OfJfZ@=@-9f->q$XR-rkaM99$+nFRM^Cv+@4Ze*J$9z*(8)i=O+BEA%DECh|{k$&RK$kXts zb>u08q|e9gy4L>sh}(fvUkGdk?H@lTo|EE})w!2;>w+wSb-4N*~BWV|4@6 zC@DZ?+Ia=mCqGhFD^3@H3p7Kjghm9)9{0lCUOY3;U~|H2^Kb(1#l*8|pz-SiWF+0w zd~xLL)Rm8VuRgQlcE-MzjG&|6;gJ|M9m zi)?vq_%`+ed|w+V03s+m^Yv`qFF^>4wiiGo2m)>gV&UJ4DEch{+S$jJVt%Vii(1VI zclSk2Ow3P{z?Se6XbW+rTnTmSKm#kF%>+UXptngYzz2b=^!Ya!lt};w7)8vGuH#V7 zvpv8=#uAI}bI(a?M%lGThEfz2)7>T<&Y+V$sw4t#S06Y5EszLFzf#ngTW|Efffx+i zg0AHbYc1nyL(OYYYG}m1xdsW$(J-zd@zO4mV|1@Ry3JR=wOI_4j+UI$8+!GV_zAm- z01(q5+iDl@;Bu3+?mvk3_+ca~EZg+VZ+WbNZ15K6{My+dfgz+`a&6Eayen0Mo7X=< zlojwqEwue@74@r{mXwlkNytEeZ=3h6H@XA)nW)-VfKs?q~S}eB*~ECaWBmlw!mlD0|0^U+)%yVJ;JbNT?DJIk=j3Mt<@9#5lnZW4%BC zRg&!+P`AyTB24}U;2koM`ld*m@lQm`6v9rdL+nonWeD)c4-)g=>Bn6@uA?)Sa9Mk5 z8C5i5?2EOFCf3Oq!JeH%at&0^MN_`NubHgq>7!03ILVu&^68A0PD=I-zn+Xk&%bI~ z-DWa?UjL_KIB}UUHmd)l@c)oPUavIi**8?0yf$weW;24iP;<%%9Hc%3a?3c~U|T~G z&zH^*_+x0wggncQnNsGy{<5Yjf1f|n6>M#L?iK|5S`b!d#&YqCK34z;v_!o&Kt?gQ z^}YcRjmDS9y;TG@(i~KL*Am*6M@4!R=|lSYjVXrXjvfS9^9y?`-Iak_ryj^A=CEMv zs3w-u3D1{?`6(blAyYx6VaDdxwI&9P#!ut%FS);+o`OEIL(dGr$OSa|Nf3P`IYqjl zyn6A_mk#)eIi+n)9K)K*TZ~8+MqVU8tA==tanJs81we7v4WfnkdO6JVa9}q!r> zvPHg%+okuw{GH)c8oIG%KMwWUW?4?XT+$>8BV>~obw!jKo5(5bNitjgmN2#K?eDAp z17By-PtQSVU-^4pxI|8;RIP_PiOGqw-4DQ^Q=fUNf!5cynzXu1|Knd#A(Gh zLGsqw+vQk|{R&OcC)t&2o&#D5kjLZPd9b?0E5!%NpS}0nIQ4?&ZJdKfUX8i( zL9qr2bu#Y(2qs@qxPKc6<@T`dGe>yMZ`z79n}vOdS2oLrM2^ck@P63g_FoCxetld4 zF&USg6hll8&w;iL$0426B-ESBvE;EK4&UwC5-HC{iNHPPQ_!;zxyBRo)zrEj^SXyE zUx+Vg_sh^+u5jg-S{b;!h+WGCu_^{v+Fngn8c0sQ?j?LJy{*YY?!a4mYCHX_Tv1y# zk#T|}ThUC#@7(y(Pyn;=!=+%$+N>rS7($HH3?-2b@X>CxDLL3FuDUtqIp-0I1SW=$JK;}CU7rE5RXBhX=!tZzHDFuf3x?y38$_y}%z$2;*z<0FmA4 z_q(6j>usmwXPNjKSghRru_l?d0Exskfi%G#FHoL+rX_L-sB`SGze~u(CtRm5KmCD6 zBg8G>Gewj*p`~L^S^+{-ffpLjjijZ30@pONvTgkD;E^f|K9##4=2RX37VQBIK2AEAvNf%Xj%o{7Y>*K8WvzHAhSVz5}|-(?PfQV+_UO zF>Bs~c~b>}WJe%@8)<&wDJoR-%;dSAjj2k`Hkbga_+&V4U$@QsqrCC;VaTJa7JV=U zQ0HAja$dM+=_uCw7akgibRD?0lCf6GK`fi>K3L`fcgPsl5o?k%kN9?5y`3J=^5L8I zrMkw@=kkw2DKBQW1$XQ6Hr$Yr9KXDYPnon+Gb(n_tbUXE&I2jERim4O1li(*+R&YO zu`kCBgmkKf4TxqPo$_M`@XD}v~%$#`{ucGP6Ytq^gOGu=w-uj*) zeaMo2G*iVwP*-jCNT}e57Gej`p%wre2tkBM!EWVU9Wjt7yR_Nr(N&C{MH|b1GirJx zdLnR659IvN-L=J#fokJwrxRM%~>+3S*_M~)HZ2K57CDZe%RPB+d{9M4c$lfeCv%pk;X};a>XO+Q z>CZ#sjdq5bSQbKQlql79n#yN1rP3kz88e(7BeE99+?4ZH-}=hN^)leB2s@%;<asr;1X{i=o51~E2`BP(Ek}LWS~rs>BQg$2~DF52Yt zY1zJDis4UhAjG!-ehvAs;Dj0NXa4&2d6LDzE=sqZp1?;m%zlkKBWGzpFt>PmR14D36$Oz1AF?;CcPjJ$beVPKY^ ze&ReNcHe{WNOXI!a}O#LVo$=--~;t4Z+z%&RfvavZHoW>Gw~(={4<{FCXkT$qZkd} z9VtKk&=Ey#$rl42<>nK_7#KDMU2z%`xUIPbwOr;)`rOa0a`qrV`Rgy6is3Hw!^OsOlYZ@>khFs#Y$RsV9>6p_6$gO$kcuZO@?!5* z8{a}H#LTnz1e46_9kCe^f-Tr(UJFWK!}wyouJLp*r#2^vzj3FZRJ~Y*`3_Nv94w4{oD!3%Mw5_t4K%Wt#w898FcG&Rgwf;W=!$}sRV|F*0)v*|knj6m0Nyv;H)#wm1r8;x=DcA|7g;xwn~;bGK44(u|*ujm?fz}(g z?j0w0@YwBKuGGdQLuv6)MuduA%J6Q?mpMl|IyPHNjlUQxZ}iUOypUe4Smsr7FFL1g zw#gA!#`dMls)%VVX#+;sy7!C|>W?X#!6W0M`o-`E){H`hInS>fU2Q_2i6+r^iU{Z8 zHaVRO4GTnmcca?+5MD{iT4dm{1=+{@Pu&7ZY9`|^c`AGq!YLw?M?{C2NnOoSb1C+X zNo>Vw1)(ad<(S;ZQg<*`dYt6wtk0pZywP3&BQ9YsfwvrPZd&^#O?5XH6-C4Pwxn&9 z*1D{-YHpMjHj8d3QAmwM)^m6pt6x~uc&^)qissPmmA4qJQ3W%zu_~J}1>`9^ZgfM$ z>l}07M`SL9LfYPZ(-(`V%Boq8+hZhHRueyd5khuk2Kmk`Z18C9lvYgOc`!^t>G4j~ zg9taD0>)`r>c#h5Z zmaq>FaRe#M`ou=2!HPe3;FZ$BjDgHxaq@Alaaol-Lq**89A)hIS$3__N9%}|sEwQN zW0a|3RKVqBgyU*0@z9Qo*z=%Hm8f}ia}zL_d#oOwZ8>bUbDd-_9HsM(v$*`H#F8E@ ziXqlE{;```xEpu%OVKH1J`e#!gPIiHNVAg%3H4kz5o73L>?6>k5V>(XhLJdPo8$5x zD5(ZrB7himlbI+>tTST_oi}YdwT{a^`JCS<-J(@i)T&)}38|~sW(F`81YK*Sk!Hx1 z()Q?an@b^0tU@@szep!L34$YhJXujh6y@03IW8*EH0b=BkRT|SC?FzQm0ibFp|=@@ znqBe-QnOX4|KhMLE=!K8KEH7O0B^fW`-{IdqbF!|2g~|jKrG698ba^$lJ4C`)nXM# zcvttd)Rzd@1=pflD39oaiP({l4_@&taE_j;pFrcCBqRZ);HEdd7!c61N*L=N_GXYU_0uYu40xZ* zwBv;*vS9w8s4M`wLwv)Qm)NSzKlUPNCVL`~+x(kbT+;>7;8>FmE;Lj^*tm=^k$GLc_vDG2GY>NHC{>a@W{yb9>?(+%E#GTf#$R6n) z#1u!Ct&Aam5bCDHs*I>j`X`r# z%J1PFxU?cqH!w%*tGYY@+#<*ssCNjtgr1NB5X{hed%L>+@blKfTm#&fYf;{`bA?)5 z`F+{PUHe)}-_#xD(k(i)iUAdpA@dB-3lQT}pgR-@fexBzS7?%W=NzdR&}pXitX9?ygtAPBqUdU^*?UfN z!v^VjLGO;$g4DTHwI0^#ezm>WeIK5`4$A0WNF0lG%N^;b4H~aNEx`Q?8Hav!)8hfq z>{xrjI?WZuQ9my`OcH@|ahvn!R0(M-4LB~{E_L_u8r6*Ck%Z?cZ4pK0e6Z6Q5?G;q ze_2Pete4N|KdVNp5@-R!Vz+|}G4a<&+{mIC$)_fF)^cWo4w42Ia{S}FW14nfk?SM3 zO5JnxAy4;n0nVNc+<2V>1{KoF$6$ZYl!?}!>#E28^%60UTFR(t$LLFFJnBV78UBDH zY*y{76?$<^5Q&I>fBPgv5O58HTL6vhlf%^?z+$;fu|+KO;=VF$f5W!OV7g_sBe5;E z;Xr=|`ot+jhsOR`Y4Y&sN%IfKc*SXh7N(+*S}+}j6=MCeZ3pl{sw29u@ch%ZdGcnyA}68CtA^-ZTMGZl)4^THs6N>1pWfHgz#yd z&-@M8Le?)i@@#ES3>ZKL^?o;ip7Q2^2jO8wTp$^%R5x7)kXdV3XQ4$l>F!Nv#axRs z84lPtilyDw{GM98DltET<84@Yi3exS?+Z*Dok-5o09MuVi{s5zjLQ`qRw-ODikYky z(U`-^&W=xzH!`@!C7@xR2T~EwE|os?MmI2_9&3)W0|KiaolfHWUEt|I`uLV|CRexQ z3~O2h3Li}B3EzeFnX1oH)0&y?oOlqO|zSQGrb`QGdfc^M>6?M&3 zY$X=9l3N1^B~-<7{A@mji)DArjA)?z*AhpAGSO8pwFh;~KWJ>c+z{5?T^c1h@c)lp zN_sN?#~^g_XAJ5v?vL!ppxz$5^%nwjp*fEd4w)x_V&4a%Hrvd*L{#XNnd;(Zas(3F z#+g&ITfL8O9n9ysG1*D~?l!%}_5fclZzPZ8*#Eh{fk+yGnbB;KE)J3e5+pq(VVCQP z8E332qJqLJ#(h}%0B=P4^@XNyVhO^CqsXuBU@@COyf>HH9BeFav@WQ}=4vDehp_WC zh7C`=27i(B2TR2clQjpi^#HxyFy$TJi*;6BFn2lxqgbv#tf)DM;8!_}t4I1HnLbGS zrz&1XK%P`eKX}d}?aXq}#|jMXf7@N=B@=d6!6!o#csEt7s#h9(!0EdLu|o8bd~Gw*d*(q~d& zF%Y?|u%WkpDtlv$TWe~IWbmt;?)+4bK&}UY#?9V5U5b0QqhKT(nZ&s7VM({Hi3Y0d zQa}!eUl=!}Foc|k0U!Z+AR#3HdTIe=aWe0!+~kUFdaPgOgVSdruJVV)O7s1b4@l^^ zv1<7#Jr5ny@gntqI6DidDA%{$ODT<#0s_2_lWa(A_QFt#nEZ z2uMnUbk})i|Kt3>^XothF!zL|J3T zg*hl}m{xQVhSKbUDiJ5#b7_!=n`}55`|v&6BkebSk1oA653Y0cu{hQPm#!$lj!wb%~Ne?o8R*aO)rDYm3ZX25jn_FQg~ zoOzM2=ZPb}m_N)eM(v&ohO;443hpftu#SgB1xjBen>=fkAmkCG%mPDlb{;sl>|gKB25aP zWR8XnNuSr~dm6zbIiDethA&2$=#IW|v#>ZxiH#Fxp6A`mU8QIA1_O_M^xC}Xd$y$H zU@J%paGX3Mhj~~CwaMv^Rq=?X#quzhsm-`#t{#GBRwxZlJhgp;CD6ujv3X!J`?&Rt zPfMdm&{^uLuxXtvAG?my3t6@xFuRXlsc7{TSn8vx8@y}Wq{XYt4>*}CP|6-O3?d^m zUzPM=0UfiFp^aXr+CF=(dx!~e)MG`@FgVT&z7>_Udd@1t=`QIno%L6$zNklj(%c4? z04T#{zkrLq2m(C*4V3xW@gG1LJV*uqnqc{;*h`)ksgZ{>{coSaSg48>!&CE%%zjSQ zjA}h0gBVG{K1ipsmU-%?2``?ujKdE*zX-xC1EuQfYk5h_D*R6aKz;*{Mg<$GZZ6gC zop_Vw-1xk`lF?)A>dYIs;`@t+8{o(!0%S$q@3vpjGFv0A)4<~iu{?Y{^S!#f4(9pm z;he8zq@!DpzG`q~W5_Aa!nxitSP)tPwE`eV=oU}zUhXqphp`TQ0X+OW42uu>B}7J^ zIqK|YR!a`0Ei;lDFt$Nn;ak+Ce3+&Y7LxVT{dfOB$W+3#R0S6J5?v~C3L0k{Qs9{! z*C5H-h0D?p-r370tUeMgFo9F*k}5!NSmKZmP5ShF-t0SkRoEwttVx7fM(n*S%#AzD zJ42~;pFjE@%Z-_2Y4gBv0>I3@y{vTy@m^yChm_#?Y^W;cb@Y>Ol zk*7b`G77Ym`PS-&QD)A9mdp@9PLjB9w?UBd_BvHwuv7e1$w>sc8C8|Rx6roBigQR0 zU64U9g$L@9g;yj7{NdqMS}Sjffp!#F<~Km7!O3_F$b z%_v$#b=|r)g9GN(fd1_=s(~Jm;rOw=#FmGLqxN?E2I7>T%8D5$Za{hB(%lEH;0O~4 zOOPASMd?1NC(-BtZ4TVvu}-yO()HWGc{EX7*bx~KU38c5TfqrL|X zeMTmDz?HpO8p2Nsi86d9GQk(;)zWlxjDd&HZfFUQPI_TWT;9 zgi0fH^tjluS(Ogad}a8m=do)N9q|6BBrw$a%bpidR54dF8*0^;G=Prb$N5Dfe^1b> zF2##mvp8vvm(W-C{DVlNL}0TS%boac3ba9S6T*WGR^jO%!0Y%Vfie;gA6{D7_TOnN zQNPme7%&%Irp6S2O3GQP=;#12f|t^>vannTNGA+P_; zg_rq|j+Sf`w?_h62k(<|k*_GoDtg`*CRN*IO%ev3a<}+Utf+vmQmEbHq#YY*6s2w-$ z->sM0)H*vWNvK1T$Y~*)7i-{J9F?-F^nFMRj|y2=jc}?O{JyTvizy-tt;;7pdprA%Fs8TOmM2e7I@zUV11phYz+wK zL*;y>Iq7mK7Dd)$_Sd)iB_b5vU>Jm(JYtx4T?v1q`5gh`s+_Fer<^{2JmF8$h?yY9 zbjkLJH>$$W1w@i;Zpm^!$akxWfx~Y6&_t6HBzQV@J$Lsp$AdPqTiZa9rHB%@W=%Tb zb^r2lW)0!5Fh-<{F)oqzUvP}kZ~ROYwnu2CPPL5Ebp0$<&=HHEpZ3+8Smp+4btUxz z%bhhYluxL+mLXCeR8E&;wMe^aEoS;xq-f(LpW&fpPX)O=r~gU1fpAy*O6oz5>+cU) zf{t-oRTX;stP^2}?eyx85lB0xKmX&YszzW-RzGl~ystIym;k%AF-fo3q}y@>TG^vR z4%e3tKQi{8?EDy~2VQ_yhif+>!1{w`2HF_h)-yJM9bq_e_rfzS(;qVn2lD@7+T@(g zF@3?0D-GO(Z#CJ9HuZ0Y%nje_iYj&1HO@=4sc9OO>k=~043)_3HtrABZ21Hl!DA_V zas;^sMcYvkCBqx#)6S~z(XtRZaq|vwjVF}W&h!fbS)3nR;!j~sDU0saRcKNnr;MI? z1PpN>;9q42XFmCQ7Q3nL;H){jV}7yx-7908@P+IYTJ8;TTZJNZm}-(#>Sl}8KU@ql zsJ{Kmr-O`RG7cN8S~Kdbe3}5n&9~gg0&Sy@i*$AP1<3xU!F)#nKM+*d7ue2{gNT&7 z^rYyt>OT-TqjqvtLp;eb&r8Fe;cTabbX6^VB<0D?RmAut($o(8bQ#5czotkAZ^3G5 z+CLQ$9F43Mz3gf89U`6)%p$i>M7qg4@0zWW!qOA0ng+H>#Sf=2VoV`1!$5}kn-({{ zmE8xd`zE-0A@~!t2%wwdLf2P>HPS~-&a4`GuJ|=WUb|YKBAUm2bQ(Z#y0ZQ^1Sj*y zSDv$vuW~`$5f@trVO*eV`u!-j)_#3vW8|Yyah?8A&--ijfQpyLvkL@}c4Oz*mZ_kr z^yvCy{`6DS2cMGiB)HvxJxOC|ebbhEk0wg}G_n5dr>twVop|=OEG`)&ITlu#8q3Rq zy&^&quA%D;jnVaaFK_(7y(r=AxamU%1u}Y)GsMV~a7iZYs+Rw_nTu64UM$_&13^F;F*=s&M`|e6w@`-)G`28>s3lArkk6^3Vzli96 z`=Q(^n}~GBA=Dep?yD{0VjjPN-f<~>+{y&?6)Tu|=c_TP|GI`HnW2mz8^sRHjzJ`- zLdKKsh*&;uvd_0Z`~VC$ZYIV1M`g9}B%psla&~_OzO;&2fxI$P4rF_fW1GD`say#} zxPod+<;>exP8=@mBMt-1L>5Xj9j73wi@Yy;$WIbi6HHCLA?W0kpG=zITJrXZESH%u zb~qtt%A`6*pW;`B&)Rpzd%GNe@Nu{j^kv6|wv2l>zauV=vO&dVG&OY@EpRM)uV&F_ zLbv`vmQWxcf5aqSHeLWcz$bU$9~e)bJ1FAqe#%QWis0|g-rgrr{`ry08(Fyz#?-J@Fh6u-KgPdDAK|T7)9_(#%CTgG;@>mJ~92K zyziaP|DfYUBQw}(tzK?_d0#{f%AG5FP6`A-L%?7zR{4`M=t*>9elV$z*HON1&|ZTQ z^HD3uLl}Iz!4O5C%~Sw5N)s2wWydExy*U=LV{bya_khbaN>c;YYucvv;>?`6IthD! z269y^AM%s`e3;3FA4) zuYqI^Qs?sq0D%w z_5jr*2Pk+$zN)=aK|nUO33@;ANyNR_yv}0yN{4$_{4}xIW;j^^V|vqp&9p8QX*j{d zI*9)kq?gI!BVK~a9Tr!@#@Dm*Ckbp5{wZLDmImV~2f2`WJ;jKz;&Zi}0M2*n$p*lF z5d1zm7?(%ZI}G-}paqm4*pfla9%C`~us0=o@Bae>|Uu-+Yrr&G&?(sW&Zbe(gF zi)uIVq<*r$m$cNB#ON{q!FLwu2*{?}$F0jd?(6OB2AmJuv14_zf->P}pdyWL0Fgn? zmF+lk`9Myno>BNCIisWfnJbNI10ZrfPH?X!Tl-Y+te=2Q(pNkE7NZJ0J3*qK^0I;Nc(RjX86|XhzlOYv;h6Ao!od#vH7ClH#IDy3Dj7Xr!Kx|hN2pptVGTbgk(SgY z+ouZciM}c#Z)3ZI2eB2#@07cMLs;@4P#+WQM-Le!@Un7^zAb410!`)8D1&)HICQ6o zWKuf6C$+gb`qgVGa<9*uz+u573~<8Q^PnC>l9we-uBOf5C(`nTS&Jld!BEXnl5i$^ zOts=mHJEJgBW{7?pBpZ{Xi6(}q|9cxj|Ne_^y%5tAbqIdqksZ5n$KH+9fCVo7Rd@h4lu$-c^+BYA9?~+VzBemLtqMVIott2$3iy} zsi$Hu2h|}W@^aW+ zR&V`5hDTY=BPxm4V<9f}N!G31ajZck+>c@-e&H>Z%^=|jDZbJVzzcr@;@S#>_s!(E zw)r;?T0OBZY^+zyXW|FZ#&1q?V&ol`$AtjiEluV5mZbJ;M)O^uK`%XXKK5v?qka!i ztdjkR>W?K~vo+Fo8j89Y1RVOdp(?pKiK|1| ztXgc^)v!ZS8~yxlT0hUbY*@K8qms{lKUwE6|3dWJjjnPepez2x$H0>k0CmF7qils& zsA8&zzB~z-`nAs}_67Cy!3uge+dfhPMi;W>{?OZNvE*-D5NkoU*1*lq(-nTWw(b^maf#lnx%vwgRNj;iDl3lGw3U&kVN0P#iM9YRdw5yP7BY zx%e^C71@dwOZ5aG=qLSOQFXvWI+dhzX?ICA|6ycFdy1(@wU zUpJM0nePAkO{jbvd!J|sY?WJHoKAnuB%L;r?a;aD#9*CxJ@B4Q&;QHog^G*!`$98* zXA{>{txC<$OQ4HvX&*H1-K~3^p$-hJ5Opy6NqEKx&%DNSZ|ChdA*U`jyzy@hKQZPb z4Bj_qnND#wM0eMMO8rJx8wF_LtcU z+oyq>2N*h40z+3+K22ZLs%lF=JGCA>xz5oE8#oT)HcMf2oPYJ>v`MnV%X8XSico`FP6MEvoE+ zhj<25?;#4LYsA1c`^uQ8kMRdVd_~#!D`ay{*Sv$3o(CS%?Qd8FJ=}0|!i+%-xC+((btO~Gl0Lg9?vSy$q zGqv!`XJW+$9_$K-To4>+iL8}Wl6gGRh6~Ta$NsLUibjA;-MaXOe89#%R9;+Lt zqYW^vWNPQPdi0>6;9Q3GEz=Umm{y@l5_6=Wnu^rH8keftS(qRs{AYs0QlndwzGP zXvMR9Juj}1*~TvenCT4Ti`RXd5fjAsr44-^VR5H>MOAtulXZg$4&VyAhz1|D-? z&JNb08?vF+T3m{?dHbNA1>VRYFI6_m>lB;XXj5$-dZ#Zn!5Q*+#f(<-#bWpHh={9x zn+3Q|x9vXlwHU_}zG}Tn`H5ORnp`& zpI<2GR7yLj4U&P6nGqPc2&$8(u74ntbEbhgdrg?e1_JFK=3p&b^w`uAruyU-2TidJ z=OwrbR!jT)9>nxzHMFB)yr?85PB6u}(eeSg-oy!G<9U-+Yg3zm-qSvqVePP0AnSb` zT()7L_a4Z;u(;*0--MY9*wEn&lJ(#B$rEBzV@YyW9?!Z9IlV_UW2!uUiTmqD-OGfV zv=+dmC1fX8nX5d`ewz*^u&;q0$)MV6ASiHHMM`sUHDtqHbuP_%!P?@|T4cdmIWoOl zuuQyAX8Z0Zs5=xFv@QvNRgBFOvGbrg+iK>D4}IElCoASgR|&b`Gy z#5~GG&{th6uUy|@xDevs9}&9CMVKfO2ACtko|Ps7(d*7P_;SAU2QnH@XO_dwBeyE^ zsJ_pGxeb0I`s89r8@wq%~w<@`|c&aMV4J8Z54ZY%nm zvBb`q(pbeUPAz(80>^Nxly4`l_nX1)FO;4kowu(>xpg!aJ12Rg+>$L~D}K0BJ}A$u zK_U?2#GzZX>JcG;f;E{&ZXyS3}s|dYx=1^eqLN;0o4xl2QSRHkk$BOOZs%5@(K3h%Cj2Dio7w|?4{H7Pok3>~_xZ)m_z zlQj0u2%kqz8Vgi5TgF(Vp)Q|y=vjRuw?`W4lkq^hZ|Eg3X%p};>8`%vzrmVna9l6q zv6<-|_j4W3lPl#Su9J^@7|g)BrK75L{=w&be@VK@llgqTsrGcy#vg~6gSzO=I=_z* zep_LA2D3Q*E~4HEXqGd{JZ+JQXOV8=KZ?a#q1(>Fnn_Z7Pxdbs05oPy{j(TB)au?- z>{-*HB(2J>hVDiY$x+sW=hvV{wQ_S?LA<<`uPm&Ey&O)$eHe=|x=@pgr9sGubz&Z` zDc!WEI@6WnT$X@}-&9Sbm#ZsUbbE6Z^lnkIhSK6k=F_+L-E56@)`Emgqb`OVr3T)` z?Fz_Oj%0ZL;30nBrzlPGyRCN2QWwq^GV`h9P-CkE9Y+t+*E7;)9Yi#2?~TYoOpCi{ zFi6nJt>zy0XI03MwITbSjFSyRKw-S5deyKUUf@1zTb>yjPoClA+o(fn`9$Qldfj^B zbC&?l5ry7XB4E;t#bq`(z-n4Q2n8lQRUq_|xIJCzMftJ(u|PP*NjD1ZjQEHWR{7XN z$FbPDYJrfy&4>(>W}|@nLF_|vw_lGY8=bA%5<+|iPWxO75lz|mGTRmdDQ&{}V2-HW zsq`v&1!cNTA9*lX3k}9!ZV4~HM;9k;mW36mF&39NoYPdO9|ryaRe+Wn{ zSC86=D<7x+w^gpVPyg)UEYL#4GI&@;k`wgUac%IR#6XnZvBMu_KDn;k+V|!7evlD& z;Kk9p2O&|OeCk%;Oy;Wxlcn0cHK0HfZ^DmZqf>8}nZ#q07(%@*y8NF4Btbu=im-^FK|}T)1Lz-IedJo7}u{9gzxMW zfZrS`SC_<%6m?otWEZc(iOV)@3pla6i#xuW@)vW9Hi5RPx8ZkV=|V zf@O(^B8EsQUjGDjoT69lkCn~qI_KeZqL3%d+O@~{fKKEBfG#-;F)o=~HuZ+rUCq@% zn#35^Mu*cg;Qq#AxU9yR{1WL(cGa6;23mdAi3lTgT|%`A1J!?5D;v6Kreexae(fgg zQ<&>53AyvK8|K-)?a8;WJ>VV>t>fwB!w!59hUA*}wF(|jpKZCTXZb$&!i=<}YPQB| z-M$0ERSCVY>=vC+Q?S#YBJKI3o}`(*^)jm>8mtlLbDQPXWi0|n^Q+U{7sVHor-S5O zOuKHZMZYayXlx(NgRSINi$Tb3Fb=-xjhULK(az`oOlULFV|{km@&#EN&Gp>}_Q#cP zheBpXnaC;wV$jLw%+%5J)!caL#Z(p6ga4>4it_lv(+^Z$g0r z`^xukUv-&*BLnj$@mOqATx18z9p19f88{)SmjYVN{GFQO*f(}0w5WT3_9b$GOtOJB ztV2_35VwFFCxSRY?nj3*XcBo}TNaVp02d@llg3&|5rt4HdM@eMDlfDD*}MGdTmSK5 ztU^W>OYZo$g1)5g~QkqhsVxz#VUS>m6R{CWy-xNX>M<%SKnR&4cjE1g3u#}+U8%tFi;H2 zH*!nKet-PBfBe$_{%?ji8du(-$<4e@ZP*__2wrHPS>_)EFVzdmrMlT4~P~eQdzcjiq%W|8`Fql z?x9TxBa}fc@5mb=z?4Ce(|BL6(TSdbO?NR-0+CweFTb2$`+ixP`aWc=@{cPPM}`QL zeQ8^h#Tw=xrU37j`|Y<+qenubfB6o7{^pA0e%&DQsL2xSklb?jE&nyS`4v%u8vO$IxZRV8O2OX?{NA{Gf(x%ArJbY}-D8WSG! zFFs$1J&?JSrZx!d6~(8!vqW8)R#Rn`fVd#8`*jfhw<*dY)5;~O$}KAr;y(2gpaLHx z_2=lzBzVY0AkJSsME@H8vCd|uS*>AL;|Ml_z^pgJFiy}qH1-^+4dW7=-j|1l4LsT&mnPknO!QGl@_Vxeodx#(w zJ~E#M)}je?vyML>p#T1TfAbCeqfDt}gDAxJC!j7>D5m~m3Sz}PS!puhZYeM;1_sA- zWYgi4LSPNe?}b&{%&OPeE(mkrC`8{w%aMG#d(sUQPK9vHUhjP_+j$-5%`qDIe-*(+ z1`!hv;H`clrXq04Dl+`~5#=b67+AL@PXH*vRmzpVL@t?U&4N7tweOq?;=o(*6#S0^ zB2EestGe>-&-152%gRqo0)VAL3yWOHHL-cgnhQ)E&UofiWxAqW#X!1J0N;lj#ZI{bG8eFcw8B{qE8D&fcc@n`WV4nNWpQDyG*c{7McPnQZ zh!RF{P)KLDdW!H+v)Q!*rL*qbiiSgZ5_xST{R>Oe4u>;nc=PK=&w@hn1d!Vm!{v8H z?;ZsH)rsgIkHnjJ5qodMacJ(&STdJ|vJ3Hm7y>XsCeMH^&IAxYFM9!SM+*~IvW<=e znrxa7|H9Pwb;*b)T9ed}T5GMzLuQQ5Nl3aD;cuy$8ur~2i7L~fqS8J!dK{*tD=T8p zm!K@6MsHS%0d?{D;w&87){2Hn%<+xHtQ8#pF5m5Qj0y~s4YbS2126mNT#LthZp#U} z{6m_eju|6xsy>TlJ9vrl_j6Etr4;<~!E25Et4dygF0=*INxD3H<=Kd0U+ zFRRZW5^e!6A_gIoA_$I6U z7}(X$6A;v^lXz|4(J~+P0K#x>_xna;g?yPOPNSme6vR2CR&HtbxCIXo?TBs4sKAnN zy0m=g1U+A?I*!mu#DP2Xw7v! zLF1|r&~#x(hJIQ)Xn74tlB{#t!KC$fGu|C?(J-vZN=D%gsv7MC>^!4D4b)vT9b654Fgfp`L%T*crx zT?pV{xh%YwL!kYa2bOix$yP59lsenV?k#ZRHNewwczF)^kvRhIf0vN($jTE5#1FV( zt_>!xK%2n5dEUPW_6q70p8I~Cwgkyab{%oXA`KfyM{7ez{l8~wtcJo641|rkF(=D( z1t)W5h$idpC$TCr>liG4*i$@LNZSct*;wJY2DrE_pmkG*+f*RnIHn3(c*b$l2RSB@ zy7uVAR)&}|nLmc%bRxhcvjo515=>EN-A8KbT3v~C3Ex05g25BOQ}_c9a;0KuyL9xX z+^Q0)tn5?cozt}{je|SuKQ=r(deaj@*1|0pZ50UF=uLPI@|5uau}0r*1Zj1cK&$2g ztOiQp89D7{)f73J`dtdC>6Z?u+>#0v>~<;{`Tm6+Rswv2^PE^|R&3+uG-KjYbcSGG~ozo9%Iae^%LUSF4!dO`wH=eB@ zap^!8K;{tw*Gf;M2GH9nJWWOWyBjZpcp{UrJR^GUcn5Tb$|FKYVeWvJ@uG_>*aPTm zRDkTEdTXK0$1+)+|}>k7I6&pCfzLYVT` z;!5PpQzrU3ph8DSPbez~(28Qf3DDmK^c+jj_`y~?765AO37~JaBJc}G#(Biazuo|J*}rf~**h5_Zn=v6{I{c7{ijetxu2_z;twDKvB z>zx2gR0TvtAM3=4ey>#&X%hfGj>8`SdLzQ^d2Sad%<1r}w>|HB`rWlz4G0V@03TQz znssj=N>7ipj=AMS{0)qAoiyqvbI2i6B37{3NGdc&)an0@Ipz==M2ce8Nk7BZDB z8CmOX=1tq{0}w;5Vb@$!z`)Ql2_!cLss6a3#O0KPlM4q;0&59IgEC@~_WB?=GaC-+ zIsv+-``%x)ZEB#r@{4-hw(~;ODbgu#q+P;(p1-(4fEh}JljH)k3;9baLrlpuunuc_ zft|?~$QV(DI~#AW(HToJ%0L%m&r_Iv`6>MmCGj{f+CFy7l|InNjLUcGr3?aGBmo8r zRwp|E-6;StCZ7xI+sDxg1*09ndol?|^Dg~fD`*q?E#Q9>(`KLVBDRg9I2r@GzI=G4 z$QCp1h#__Yo{f0|Cn~|7gmY}uPn`Y52rImiH%_k^D5=MfBu*kcE9uBN6P^Ais>X{|PSa1SGKJ z&j11L>SnL2vX!ckOue^ay?X5R@<9lNn*$_S5FMX`>FgnD+fKZqp!?ymHUcfh(Ml+XP0*YW)rD9h^E3Z$dXfXu>pR63KN z?RfRmB`m~}za>~j5woVz$;H3|8u!cEqzLjr>NKK(*c-wzoaDOG74^_bE4{NOP z*T7!UEd|mqehhit2sNC! z!)fwbf1)3~;xe$d8X9x938ylaSdI51|ES@pnxw7rDl;mfKu5Xp7nNsZ`o=&cd;HNY z^BL91^NM-Y;(JG_eWHvF0Vd(lw9^zU%4o>CVX9GW%ft#Wfj2!(X1WY}^57(tm%nt7 zyf}O&OTB}~7%Ez}B$K#ay_`DvZqDjvED*ZZxL}rIFVS%#q5gy%)Ct-XwxWN?Uah~p zBc@NYD#ds66NYnCA#>GPUK=!8c2lh1zLERL@ysZD7R;>$=S&sUKhJxTOKydco|iDZ z!gU!|m4%E~<8S-jbN@PGtW%i1?fbn|rjd~c;O`ZSQjyvq5dqvCXHxj7>Ee^_Irp7OW# zT0}>T(=PlK{ zu~A!1(arDKL5)D!^XjMVIyxi>cA8DC<`&Xw%TC@@pK1FQhRZ7^~2Zfo?yY!Si*wEA$0XyJ^w@ zS%Ob%)HWa8NPB7)W&sh)*pj!VcHe&NEj)A8MmgP~pMJhZQJ#^f9hyX(@f!Ke0K|9} zuIJ%;-IvC4!0T$J9Wt_3ZRDxCkNsq$Ax+2YWby@ya6Nw$kn}StEoPCHHOSa&hc7&u zGlv6BwpnMk(l~gR7ahpwG6M(*Ge++brAL$Lpl8X^ks|#5wlp&}R~>{QYeT?Z>mhJd zhsC>Tw~MObw4t#PZ)b0Fzux^rXCY%o>c)bpuXUb`l=b7JcQ1yT`940gSM^;U1GF}R zUc|F5JEOS@Bgx!S3b(SWMdhEE20`qlphjuxVA`YAhb=BeHwnjTZcV5tU{!zdxx1a8 z{^)^86ztue@NsAkglrBe^!wz~co2HgE}+^g4nM91D)J&YIC1ME>AT)|cW|^V1VlS_ z3LL>GmLw(l+)HX>ArQlc#A;+96m+Fi@_;SK6D+T31E$w$*=vkdL+5gDn>mqUec5?4 zWe1yPIBFWf`E!U#TKn+i5P&>s)!kcOS0+@&=mD0E-A}->fg|c}VFuP6bHs#pciCcK z?5=ro8l-hX?ptMp;I8gutC}t$&H)a4%v{g<<}Sz^Z6}QSv+ncontnJHDdYgu8x%9% zm9Q^fk~$`O`zTmoevu(`_zhX|%Bw}bmwBzyyGoKrICe#`8?Hv#S^yE<2< zX3k-NzJAFY%$2b^cc4Q><0y3XIuMd7I0`x^0{r@ruLB=V?}9Dc+^|861spPXVJu{H z0|2Z8J-QDRy}R8)kgeC?hWL#f4*QPcs1&l>x8 z@={)DLR2-WijCUWXtH-YOL@ZtYeUIIb}D618XYYpi!m?O%kaDJ=&$+Xt+?&RNU76` zH$WE;xnGvEW3``c(D?=wfuOdb3wc1OCZH;`=|9)D2Iz$Y7NG@x+d3=@)z4I(rl&vs zDV^;{^vHcFr{0sue@`#$v1BrWheVp5ri!I z$O|?i1E^h_`sLj*$NN7JYVS|NKI^EhkHck~?cDC!{650lNOQJTK8ug70>A;5OBFv% z7a}_3ctIN1x9Y9J*tT9h+0ae{(V|`yu79kNZt5ph!aI04xRSH>yLx?xY06FNaJX{B zU_R=G+&(OFM!C{$_NWI^L7xvjZ*kTauIPN=@Irsb9e-IyV_KNVhVtd8Kp2JtcJ~Ps zUGx3r;pM^%u6+)lffKNEu2rKn^m;m!1~gPFMjctOv-Emh#4MK)Ff;R91~OUwj<@L$ z@|n_ozgmr(BSi3N!1;l(f@L^Kf$VeY?;|%3<2#(*WENgPMfh`G#|?<~*8lKKSyp#u z@}^zfpf7+Ull(948iDt(d8E_fWY^LKv5BL2CK+Lhe(u`A$a;0}+O3%FcSj^)l4~zI zE4-y>j)~>ljvw~!k#G(Q3>r-x(QSQ8(PT#0Ht#bA2&Xt#*KQPzmlU^k-&ytUuRXu% zOmimtA1e~~;VMnfrNi7Pxh$4v5DJ~UB(n{$u?3bCD3E*r?{3O@Hgv4WLOj^S|_U2Iz zE)|c9j&v^Fw_IPez?=e?ek>6i`ayb}SkfW6T)vw}Czb z)9ogCq4dl^l+C@}o=KTBvKw`4RxXmiqNio(y`=O>aInAwh z)y}!s4J9}k&85srkVBF0UAffsCLeJ3vLl5VVvg+Tu6kW0!oe^~hEhzy&!rcK%jDGX zeIa9TgJ3AX;DEDUbaT}XCku+~b=>+$I)%&C(WcT3UpjsE2WtFr9rOgH{$Q1Sd8}*o zud(Xm-5Jc|T9wrNY5g_Igy;!U4)JF-qgA4F9?(;gNg7Gqn>kkAA>oy&&#<#-8W{)0 z*l^NcRp_z#*1VBn|s_Qr=^*qotsIy8-__FaL zI(A!(e~&O5Ssw#E!4&~!>~F;1g9(mX{VS2S4s+wMC|%UQ? zT-pcqkLow!cw7uqThKu25Rx(-g-J0J8Pi>TqKf!bg19qyPb183g@||Y5{!z=rA9SI z*ZUz;=+1Godi7hA>Q;ysgUAye;DDVVg)p@QlX~PgJ5@dkL<+thO7(@q0_`-ZzwCgk zjmRng6Z^1J6;=Z%$PLMMjVQa+%W?skE!m*?yjM#)-Oq3<6q~!)v((%j^)6!ZezLE} z5=}Il04HePW%8P_9wKFTq+57TqZ#gkQ+u&?zn+~LAJoxHs+B)*CfDlW+Z}lTmh$U} zNH|ceKAcreL2{Oo#e@%!b?af}*P_YSof4Xi+_cQ;;Xz$*{b5aE3zZxwX! zfpyXP5}0&K=G5f!+@qO<0Qq*4rdoFkXkIBh#GW%t-#`iSc~Vw+CM%cVjLNPGD}K$i zy~;3i0pRb`irDndMYWCI3oBf%TkUE`=tjZo6ob4gz`UV8lPxY>rXMnJcSgBxH|6MZ zD@OjG1^NH}{REkxECE}^W>%>t(7_Rt&b!yGbKOV%n~%a99tNmP%1)T%Eeqc=z3Sh@^P6b56lHI=aN# zM`8{uB0oQ?YG)}%EYkP(vFLEHuZ*8mQ%>ldIX9zU^jp=9iNYA?MqKoSnP<`>h3eW7 z6~E9!dp%Y1WYGqaq}}5x;pxrlq>#FIHeIV1am?C~^&03)#CouC5|ApwrW{RB2OXxom!AR9JX9HCLQbv%A$S);858nl9YHa@B`>%CrfRC)US%= zlZR43kuV81`B!1JDFvXvsDh(gvcrQ(!u5t5^ie8PKm$^Hy~f#-F-`4tnOymAKL>f{ zk2wwRw_!t_8Ks6jdUz0`kT>9liv?6>olKaa`?YgE&}-!UP-|c*anu9Wf?uRj%YLVt z22d6PrlFV_|E7}?|2rc0;|)X8K8k@mIjUSzcDeE8foqZaN}``^yPwvw;nDJ z{qjdJXHdRVXQaS)DPr$!#b$hOkI2&}Yn7q=nX?4*7zzYo0jZ~BnWMf~_Pe)i=?YD? zDr0XmRp?qnwDn@?so*76? zhP@V5Ft(ee&xkdpSh#Rt%KD6w>KB4eP{0^`&-jB|L6cZHq+YMY4|g17-%SGFP!`-~ zL8CABMk=;4R4z%dpR*M8>lisK8Js1vWk(rC00-wibfD@%0%S;p<-`$OP{f@%T9Mp>=JQ`U#6E05sk~HYX9c~pZIidIVw!+KayayvkX6@YmGkKD zn~@p6QK?sOSZE0wMA38E>p6`S(MfB|(JufW5L`k41we;=-xmcf5wZzTRNvH+3P3?C z+=y*s%SMWKX6p@8s6d!%mwwF-U?lXvXiGKuqx&Pn-*CP`5j#q8V>)VhoP2R(wAuYb zA%4Nm#O!{9-$zFltDIbhXC0GoDN$s7szzdE$YrcFq2+WOpgBOV-iHoR{_$MVt`kkG zpJfkv9p1lCui74!+^W@|#&+u8MFW^5pT|_&n}G*q;?pCll7j___4 zxxhW1WGUS;3JbKTEJoBzblR$C;S8KuX@SJhUZpGzc z&!ikF1e^*QfeyFC3~??W>?mfe9x?SSY29ZfUlK>w^n-3AXpC3sWj7krJuih_VKR;C z1LNp?3v>m+a%jHF=R_nlptk4P%!~!|mooE+)*csG(@Ur?YFe6njoBjgD zIj-z^`@#_q=)Ua3hr*f27g>)(0z28$Bn?`|aUPH02%j6g-171PQ=Gcc@W4wLO4xs& z<^S`Q2`;~npg-VYiUls&*rA@Ozp9~lxu+9Y&0I-q441*5>1YW;d(x7nt+7)8cpx+G zb!Yz@4&8a+6YO4dW2cN*)?;6#Nz`~pE#1{$-k9^uM5kN1f}_NLhO8T%r{kYqiY z>p;3hi5USmWWqAN!*)l(=Tb$hKi+Tz1Y7C{pt!&!JqNR0uyO_RB2H^;_|N9stuPWc_#3Nh`ilE5G+>iV_89~M^n(>yu z4g=YD=9r%y2=n4O9d=i5g=j?q@v>%02oMk(D~h2f6*~ecL)K9%GKRDOdlv zXH@zT1;#H6oqpQGILm~zS`|$>#3+JLmf_u~ju*^&aUtl60^b_{C_I27l7%WvcBCOe z8bQY`tNv@}DrkNXq-hu=5=+M$BJ_Ke_ha(*_HLt>v6m1|71T_d#W86uYhA^J47&#Z z(QnahbW&2xviaFq=;zcY?0F;&7^tNmRUFNF0+I}qtY=}9fd{= zDpZf@`~T>pczjKu9T*s3_JR?Z0f++KTYj-g4DJ- zlid5~54!9_6u2S>OlaqFdemI#H4?<)PWzeLQntTO$qhWS=b=!d z&~Zu51Sb_!u47jqV#-_}#Dm9D5v##99t81(i*^p6hI6R%8bTc3@o7%y+x?$FlA(-8 zP3Pe}pGV!prYXrmzy|N1DI`)5P8ocDV9)u)p_kH>>&U1?kZ0Ne$tne&L4~LECK`Rk zK?lofXG-6PjE@E?g-C2k2V|U0>Qipe-<(nrDBKe?sacKQK^)nt4jmWLj1|8@DhWD8 zeMX@FDu5Q0fs84OK<7qG#Vmp4PgKp^-qC0CxfyiZ*rEAdWYTU%-C+kz=PQZ#b^hqM zfkcv3XrFB2I}k-bB5e+&*n`G<_4BZT$x$=Js8_hRpg-nuGb4oc1rr|C(OG4s`RR&D zr`S3P_gG#c?jSq~8Bfo~IuTTDtzc<&W^;@@iw4SrCLvN5j8JcTAR+6`zh zib8;jYChHm9-?QgtYlBuN(MAXmO#^p9zws@cGoHZQnnCH+8I8mmS7l5Q;NRtbkvSAfH+*%6lfa52K=urZi7;JJ)=l}&b0pUWv6eEWm@Q5gQ>olc)?|dU15kDiS8e?^ zK+)PIaRiyN2gm2K+8n40&{b-SF96-p1)tso7ZOtj5oFzYcV@ErHT0@2P)##ja-Tw0 z(>G9W%5z1zHvUGSL^kjL5G?)YItjj?c;NR@iw6mYYz%-{A7!P5SfI~|m^2lg$cB=6 z>&iZdkiewK{A7g39sGs#rJJ?u-lcJ@0lExQJg6daMiKH-mO0~U&4V6sQrVG>!c>wGOwvvk4Y(|iSCGeX(GF$Ahs!zaQk^mxjyh+U=Ozl3fUmL5^%sE|mmz5R^{mQf+ z6h~X=m_iao*EmN^+`{;WFqJ#L3TX^hJedMA5yI^{hV`9#^!+^Rf0Wpa8kTSZ>BF|| zUlBUGt~JmoGdQ0)C{`rr zKx12U2%%9g3WZhP&4#v+$9pmS!y0wPVf;Pur1WVu#%T*j-{L; zPFT?)U8yXE`!}G!{ugIw9Tj!7uYEv}M(GqprMo)}q#K5zyFmn`8>K_KyK9CEoA zy(1*D?UHo~>s3{AK7g5JJNB!;&`Ee;Q@x$as9oT~VQnt5HDBdShK|+m4v=ZkGY3YZKvga1t=jS>kZn z?5gO5CBAqmZ+({tmjMWIJedq22pj?I$mjgHdS!|tmSiK}phg>XH!usyek^A{sK1H2 zp4%v#o4NlA$a=6sAF=tLlQUO8PYmxJ*JrTE%&oXWd(I+)=6w(iOH#!-9qbkg*@ zD`(@c^@471>giy|x9|izm?=2=`;$*|7BC`af>5%!*5vOYrs}zaNnuBT6pK-z49;8F zzQPJtJiVeC$SlcoVU8xKa6$eLQ*l1!`?@>wQP^1WMM3O$e|%|q$NbHcXro#c37f6w zw)HY{dL*z6*sJ!)Y|G4IxG)Xns@O>)v|3V$cjR-b%I@}^&meNBXWt}3U|5>$0)#-( zl@~}7qGt|r%?xGDyMcK3gIZY-aXV-o(sRV z>S#(nn}Pxn(S>|Qx|iB73(b<95(q|hem=TTVA^5ZpeQwB80<>XXG6~5I!!@#7F{@b z&cx4Q&=e)@E1KbX8^ z1z!HXNRqZiOIdLTLkk&=AvL2P+T5m6DuI?d398cQ3G`)P0{Z}nuT!y#WvfPO52V4k#FRd2(T*UxHH=3h;Y%KCtq_OPBl`X; z&?jqvgt_{2aJJmzo0B~(;3Y6N z;2oP;ZDdT20|Qvv&oQpvp#H5f$ot^@QC0e$xh7?@n5c;!;Nbykbv`JCYXUjSmd{MV z9tJDv!6(u!wxysVbtR!58xn(Ya>P(P7=tx-@MHxc-vSz-97zNE|5i%;x4%vbA-5T) zc#MVL6^i29|Kw-0aolUKr2DdeQ!z8cl{fA4n)~Sx|Ni9+2>ck{CqR~K@0s7#3?LQn!zyku++2LU(V3wF#VcAR6a8z* zdG)~Q*$Smk)hr?~PIz!aE>5UTX!FDohLbUou0P^EkE>^uh)|CmQG6^Tc5(vh(Z@cSByEJArppffa1F2c^MEH2XcAb-!lJ2jMxf~Cy21SKnKjJ0^vW4um zM+e?stYI}Sf`hlIu}0gvrrm}Pb=y1lBZ3t;6?XoK#GaV<6acT*FNDvr-QzI`ThabkDtU?;{}KszLB$S|L{B`^Gr*hcdPqZ>d(ogEC)3?fVbmO|Da;fdNu z_P4a`(R#}$afU9UE-fStc}8t}Opjh&3*ycl1&QFrftBEa^;=_KF@zqiXL6$j0hZJ* zTi111*{G{glr(_N?nSYXbyrb$=#}W_c(!Xt8d}9KF5%gu_XSt!1)W^}4k;GF=f?eoP0w94BQ4eEq#Y&dS4vL3xckVC)hpV&pUnHvS1dYB z9Eil@>{CTqA}z>!SNT3SytDnb@p=`-R39j1jLM07+blUm{rcbf227fSY#62Xy?t$( zdp|pD=mO=Zj%u3<{q}V%i01y%0=%)K_+$rhKCl1m?U9n1re}Y!%>P@Z>3YIrfaJ$Gb#A;+@tJ*4;yI< ztf(k45#zfboI@bzU!0Qr|;~*W+L~@88ex_iE#w{yZQtORShi9YDkYdfp*~->j zxM;+q&=bMEo3MPIIzD2y8uS)Q=620>x;iR+!EN$XLawxzgXSxuJ*>sF{+N}BVnIkAmGe>i2YDc7H>fa?dNwopg;`!^gb?S#nGa)^>DMW>m>Y>Kq zp(_zy8DUZJ$HulEozsRNjg3@!F-_$DA|S5W;yKCl$4qjZ!7}F1eZzz@;I$F{bQ3>3 zG!d(aJ2T5_<2;rY3qmQhbcQoE$Hg3VR&=mZ~A>vQ9TcG!GIYfxdQ7Idl6#o8d{o4;p zWKmLE?$7uslml@}3D8A;&7w4F6M9`Ri_Cr|hl!A-kB5gNyZQDc6tXGyx;kUHdCmvw zaP@?&2MwCpul0KvINbMy&t)<^B+#w1T5eLAp=8HzTFIv1GI=u&;X>J6TTSv8SAC1T z>#`hJor0vbJin#Nm0W^Q1<5&F_cY&z4*)BwE+@x%TFaHst%r5c3go|c-tdnbw{7MA1pu_8JUEORoo#jp! zW>=kgXIF4}+vAG-ywt)_DLhx8Z7Mqx?WKf;W~YSCJC!FtW`s&!UAvwnnA+uxF)q7tG5PI+q&UV+Ai70yq*pr1XF)#YSpj>^Y#$)e;C?P8R0wM<1Ma{N?}N$zG+6aV-3pO> z3gg$Qp0;}TS+0d$9Zcl?9+OvnD$>UQ<=E3gTkVJ4FNrrn}}-{yGu^4CQ|!E9{OCC7}HaSwY^KVYhbxloxq*BG32$ zFxFB?O=&^h9`iY{Vg0thWZ`{C=eM^h>~D0bc_X9Yp}LV**7bY^Oq~*4&vafA5~TCb z_rNK*&15uUN1U&F8GY4_AM3KJ&7-w$O%y9blO#Qp+4UzuGqA@**{eD&MOn8kQ}{(L zm|4C5>tm{h;WR!#Z+DJz35d=yG?};o*!2V7n^_{)6E~)8R`dg)S7+L>nBCr+rz>NL zNDTI@!&WNPZ)e_V7!lS|Kn>TQC#W2U-`Bjkz5>jNtya-8T-iaq9vPmGUJqBfCBAXJ z9&*T%*Kw`2n{kZuxxF^n(BCK@tTz7gralp}J&uUXx@bu(4U9$f+v=Rt5Mk{1i~&uQ zN58;07h7%tL|_!cQc1i$P|R(%Ll?ct>hTz%%QWNz`VP;gUi;oMzu$U{6r?)2hNZfS zbXY8AnIFwM?U8b`uQrMpg9E+i-f%tqbJ(TD27`O|1&kefKk>^y4YD*N zB7%!L2Uc^Z_nx1P{cg+-YoeFNSFS-Sz%nF1iRQBCy`p(+umCU)4p*;lbXFLL^WdN^ zm1+aYvRhyvo7@xB+btMW7($Y;90q>ch^^(U4tAaqt03@&vsOdJGVmIE{BtxCGdW zNLz9BGeg~w7cS2!NaW;2UTwe#`>=wKBml^e= zQ}X{Zny4e0kKr}lIsc-r^x+CLKFV!gSn^(AI{ZFRbG#8byaTNF2Q5SLQXH1?*APy; zE%1b&p09uq;G!Hd^1eKk_Z=~}ppBhkLG{h4JeHo6O20DmZrpYknznq4X@_M*wObT4 z=GV-8FHsnPLvOY&x@9w?@g*8o!4EW~sijS+2of}+_?%yq7F?wi=_OyVyi9R>DH)w4 zt1&nPji`Ts>A!3{!_Jc__5IFY5gyiSiCPdcKUM1J4a?1^~=i^J_UO(*|sQP?RX)0nnP)2!wA;4&KQJXdP^$pJzTSjHXWqTcI z4nBXlj06s(I-iT5SyPt<*>kpzyE1VubOYzWnA4Wb>-hGd6Fcboi28jlV^p0vo6$~a zGWkLF6bLZ*apDoV<6f%CT+d-^H*4_6g#~h9*>mK0f!C-q_r($9fnSB348Xi9_M1Gw zD&MT4_r|>1X~AaZAwxshA0MoL*-{VCja4n6xQqR5cq8fZ+b&80Lb&J5!r zVAPaG8b}6Dmbcw@vX$gu5*smGo~5E;-o~1E*a>kNcRZ{*TTf?!9w|O75E3t<X6>_`hio1^}m^X1riR5ULvDrTpKS;;S)vKW^R?5#Rxy zXbrRgI{Bm$zzPxOkO!y-jR+F9Lq~+-3j7-sz5)~EpunrbM2H&LfDZS0{K41xZ@(17 zj?8RSG?-lY=Pd>JasShwNm}G{Hh6dX!2g{XP$2J*mGav?{%`+{|BFw$$bj$Q;;ugT z=s&%x|5KM0@Cs7}nMeOUYv%voJO3Z=h8#RhUU)J86|lW-fqkQTlOB7GHmDwxZ02gr z&8V{;fgc?pcQ-}Ixd<5YvLBScKp1AfzW4dd*JR#G&TmJ7)vg*aC}_pvS}nFVZH*Vo zBfc8&2;&lfv9`c^gdM5@qG&X`gL~ROpMbxYfxNOFmKIPymVqY#ZQD5b5HrT>3`ZLU z9G5kyU?rW0$OQJz1vhc4&3v8pZ`j2D^jrA-`4WrY1cAB+6Fzwkv)BKXA^_DJX8iqN zXGylW?qD$+;F57legW|YiKIycF&*4;2;KpLxzOmi`d|}L&R~V7;XI1rM;;Qmg^tGx z9R}+8oMzV@9nS33T+7ico0Sh?X9d9cz|_jv10F^v^topOeJXAI-pAU5+@P9Bmo@!z$zHy{+J`G+TISjta8`=4=8(7Wz-qyZ77|c&1L#rb6^u2C|R9w(gA_YFYPP&-I99ocw_wLhMD+_8J%WfLyEKat|115P;t7V|6HdPmqV+ospNrIK<>>;LA8-PlqHV?* z!d5OL99~m_ztpNF;dTl3^O`_LuU~O{`TbtaAiL%b6=gZs&>z7eE^;}JnGF%cf4!jo z_3Z!{H3)%U8Bjxfin9zNhNz%Zz4V_4i?u00rJ4k6+Z^B-P64LwJ&+k7t(eL!#rI;U z{ov5Z{a+rh|LT|0e3Ekj7Vq$_ek_Z`mxW~i^=tq1@e)21SjvTgZTl84BA}xl?6TG; z02JGu&!__lYzE!dCcxfC%mwUXn4m=#|90f?_fM9vqqwXEwl6BLJHo*XPZXo0%u-1^un1VCqf4&G}B-b!`N7kGWy=-Fgw>y}Ch{A9J z;&4iXuu01h6+4I}ROhpwue13!sB^b5?HqIuQwTT;z+{v{^j$Qk8tiouzupQdrqcJI z_%A_#A%HSg!DV}z&86v+18_j_oB+>x383_p1H(?Cfn~Lkkqb#WdyEU>4$KsBQ<}tL z^PMo_v>c(TL=2h*Rd0j5>)LYwFCp?Rr?jgIumLE+YK#X*`Fh7^pjq%RciWk-x9COU z1dnU5%?vyfaq22Ig@B%Np|3xl!E06Uyb%W>W&yAMyGfgJSkW|aan-En7MLg3Sddo+ zaj~*clMR9<0h`ZxU7;S#f4x@En9D2FTu*>xLh~0ZVy3bx4|Yf(BEtad<6o?P(>}MS zt2yDu>~GRP0Zpc-ZJPP8iP(CWviR9E#1*i3B-!LF1!iKZt$cK|1fRX~3hD@NEqu7~Kk?_AE(Umqy5hZa8mneH#TDIdJ~z@%@)K!PL_n z$3mcIVYpNj_)?Gsra~v+#JF97j5Gy)t;Jx%W;NCBck>~!ZDlbWOh&%eNFpVx07t&= zw>5x&cpu2ZB%ue80@c@y2z~2R52<0rE?|_Pp($uVfy!uoV6~_oCFs++!Y*v;r8A@ zwIHJp5`VV}lMU2B#7Dw|GH`e)fix2JOvhgGtUUYsuVwxU6(~igcF&;@_imiAd>&0z zDh_VZdc@eW+<iHC z34%!A5eDXrDRpJBM2Yq;ES3_`J1>f4D@O_f7=cEtdA6(*PPh9ZLOsQF4+yz{(kObM z5Br`T2rk${xWdKLC4#>ZGQUFVi30cdy!xUKIB-$gnL>jaOj;v&7Vk@}7lKqGB{A@0 z7RgvQH0`_{n%0uGXl{Nx#}9<Eb;O`r>s~_qk`mE?l?p#%^)Lk@$krp`Zh8g7_{P9?Tdc7DGE7)B zMZ)j>yWZHO_70@eJM2JfpsC)`%Io?A8YFagAQ_Hyc1LgtX{uP6rhbsUBkV=)ef4n(eFzhv1m4lG{mLY9tMK9gP!`*fxGtl%H!fGeR!m-n!f-V3 zPbh%{FBi1SEE@Nv0O)AB>?wJ&sCDtH_M#^sWi0b6P$O7MqLh<(l~6{_Lf6a3AIKFg`~9 z*4K;;ue>AjgY!tE)07jq9tMdMFtdTxnMGotho@kW?pm5_=oNy!()bf&pp>;(pa<)(i~-O1;s3}ONYDFc#=wb%?f;!IklqX!1B(SC z{TIgoF~TriZ*3mvQHg+Q(c;Get&qluG zu$hGX?-&C*odrgeH3Ro&_6vucbq+>s1a|9vH@oDVzc^fV$^AwQ)OBeZDY*386z>n>P&L{EXIM&8(QWKN6?evuPVq6+8j-HL%YAg_{N2|T94^mcF z*l?uq>D5*Z4?Cxep<2&v%!m=dOMf&YS94}PGHt<-d(0MIniW9c9 zESzXfQBh*u6R*OerA7ul>~?2>z5nQ~{b3?WY)iaroCW#@4eB3-Wj#o(>87(Gcdr{n z;97>EM%aSgVIa7_JT4FVU|-WAqB!;M2_etpHdAH*x~dQnT$>jjwI$CeLL$n)keAA`$OY9 zwsa;JHa7U${QziyN9Vw_0yq8}UWD7rQcAZ=HWDP(6Z7ilY!JBMnQhx>N8s15H`i{X zI;Ddv=47|NvHf&gN!Hxb>2Ih0YCY_=q$($wjKYJh zCF~IM(D(%^fz}N=C>k3PVx3gl4h+{pHB*-!Gkz#lNUXO+SvnqgLu06!x(>Pi+@9YT zL5ZT|w@cBt_nYMXX9R%`*m8&p49wz$TsUm12|4Gg!|$fksGXt0GncW*!KMp*A2#*4ZZx4qpHQhV9wkMSq(%p#$=F&YP3ZMfi}NkpU|EBmR#=3PhlrW>oMR$9&w(F{OUaEZQel6-c#s=@i+Fs>=I(& zK0KJv@NIi-&MaQB;@C6HjLVXtZKOM6sd+C&1k`O|m$1&+z$PBnrEBRRxfAlCGm8$< zpn9C?=PE{>dX&-uJ*@fE(YXnClHWnGt!-Z-pDvQMS3}M~5T#o6Ivxctql&;Z*~@p4 zO$zO1#dSgI4q~^>pADH$QO7M^gU$r~oOL>eY)@d`>LDN$vN(9(P6tvEtuL=86ax-~ zBh__mHI5(J7jmhtdeVChJv2>KyyE@*&8xQB-77cF!2`~bTrP4O^#If-K1 zNc7>-4VviFrNu>1^G??qE_I<`u2m#n=GCU0UN(=79;~2cKhX2fT0l zAiY~Xyuo6mG+B5)=WftNMXedEZ6HRq>PN-nU+=xxH&}ltfm+3HIEhGg95!(WP~U&4 z*#Gev63xt=tPTuc-~@OD$-+-7d#qxwi$HjSCV$c`7Nmuci?mJi(0%K z+Eh&MaCtekxpB~5{}&p8e#bJ!KWGHZ|4bvu`Xh}1ZdU(i8iAfl+HV>GW%a+O5$IPL z1(a`j&x4+pyz#k1^v0;AkN<`J&pTA6Q3#zj7UKcdV&ouq-K?J_5LU_)VUk&%89OYRSf*}#MctYRq?oq%J$kRq8Vvlt& z*NTMpI$^?sId~Np`6#Z!1;OO&xZQ!7O}v6AN+X_fiV3uD5Lu9wOjyF7drH}DFW zN~+BsO9ZPaXvCa6z2;n-ta36VpLbG#PLCbenI(tcosWyA13%N0Yhqd(b~IZju(!wd zZowo|`VrgQE#j-#7*q$XIqOK{*+#xIYk5_8*^#wVysoazK=$A{(!l3=fh<5)watZcOB#JBq76N0((RY9ivyPav%4JLz!XQ?TZ<$C*b-rIU|aE!AT& z&-G7z7Ovws0*PL|jj8f_5`IScZ2uTXY`Qb2WG=({( zovY3#2rFj<dyQpH?lTL>IIE}KEtNO^pujwP61G0-Jv4Ed5Mdo zWpF}P_aJ<#0_ZoO2R2bMq=PTbTR_6ERCsyf1sE#lSBQG%&xQ9zbto3UD&B1-f$!Jg z%nMt0d|AYorov}JnN3Az->Ng`=V3Y|n~|pB&vRJ@Cl#|FkY(?Mq5*IE8fx0ZuRgF0ipHi&`(bVy|ZX6ZpIheG~S7`Ix)O5US zxKANd-iHc%W5}E~XTc=Ido>&5{Jc z{tsLNS9QD0zmo~7nfo~p!E8yp-WvO@O{U9q^|%>oxb1v+L89JJa7IJ4nLf)y6;5t} zp_jfuD9xQdK1~PX-3eFfQDvS5^#dCk{Z5?HvH%T(q%0TntF6g?VSP+A1^Z=&9F20e zKB!ZWl-YZL;(24PNGB#gx3=!NJq?5L_a6b&YTbzKwje}QehwDS6P_RvynJeX+wP5R za-4pUtqY&k(Uo?XgA>5;{;-07S0`9? z4?jBTXUK*gc!m~;Sw#;E9mYj1P!v{IA*N` zjv>_Koz4Xfcx>^eeYp#zV&RNCjt}-bmqzi^;c5CAe-Y8(ETM?<7zNF z1t$i)f52w-v2`}3E4b0sFGZs8izSP7wFRqfa>c_e~-XON|Eb1Z87t!FL z;U}glK%h4)pWyn~x~Dd@kw}yul)v6ns&)WKkT4o@s}$8TQ-L`#NfE4tI?!*~bzZ><4{mm)(wtC$Od?K4Po?qt^OSlDmVe#b8z)>%& z!IHSic`ests3o?(N4~Lkx!zoqG!FP)YYXV&^;IL~ud)LYzdboJVmqmKGD~cKs->;w z(a)#c2$vTgJ~6>fNC9Tmk{r9b9ui$aSP~tZG{G9(@V&KE$QxtpJKMt`9znH};K6i$ zA=G);Gb#;Lw>DB|mq!g5Ebp?)G|M3tM`|MME{N;El3%A~4}yTyx-X+0(HeaF1qQsg zMwJgetPfUtEVxpsR>_BPRPLW%SWfcb!ecr1mwUJ)-F(O3)mPn@?&4 zYJrByzfcQEB>tIN&?EUT)PnG*|3obq=Kp7E!D{2~O+kwtAQl|zP0Pq@J_{`Gc|!T( z+9LZa$;>;A@$xr4cbX1xgyh#AB>L#tD{-@dGoUT5UGzmLO^~l-i*4qqM(

0T)1C{Y7~T-dN4&p)g0RZ&Bl>k9V|L(4`m~i zru!)(8`t9tHh$>nZ)i4;R@6`H@Xh9r<7;2z>DO0)wJn5ueWg%7+2UFu;Oqwo4%9&G zVChEf-+d|Cf9x+Mz*uGvkia&;xfQu)vB(StBI64Hm{Z0M$iv&INT-{CzwuKC)%JyZ zQfGv;3j8%Ow2As9pV&5EnS8L*xJ}cjOi)`zFU)CLPJ77f`<*JA(65)^zC{@bTRTqX ztxP0gR@DMx%W<9n@An_}e8AwBWj3R6v=$A!Yz1fh@J8UP_o}Q{FS#Xjbq%P%Y}&k8 z4A;A*4htKYU+_!)aS?1DDA~=b%S3Elu-3+EUfR%{gW(14wP($Xo&cOX`TbMAm_XvM z?t2h?z3IC(HtDU|Yts?KMSJk+tAuY~hc!g$Xsdq74qH zHFiWJ`rqSJRU8A;>6z-@1vruGd_PxJ+zQH(yIs1}2)Nty52EY3$h45vnOz>dY_(an z?g~sXo=M@f0(z&uU{9QT#^Un8dber-Pu}0yRy48_c+z43EU#9Sr3rfTWSNl}9O)Ev z%B34N^`kQ7Q?hNms-dPrwsb-a#AW4U9y6^Wb>Olo1Gluk;!i0$tN(;XXiNN>Z8gBxxVS%ROn7ix7BoW%3F0)UMW*IC*weLV5)iz^qoVU|$+KU$ej-ku9X* z@tfpIXjo|sL@T` z)>b4U>;a!%i6gGy>l{~PLVl57i<5A5Gcl6pmFtx;Np_nK0;NQx(H?3>gQTb0hINJo zup+w7Jry(i7!%$s3bvq0PZ;0Cy&z``hzR}Y2%kJ4)y%8#oLh2@+5^^Rr`__z-xwfo zp}f#t12^r}3QIi?kTG!@UM2ZAAOQk*jKv`@g~oW#L3qS%-jVm(tR8(h`4e)J^=;pu57>Uf zj~dA8I#n?*(&8Nq%;gj0lpPB?Ev97|GQatNDJnutU9jlBihBYiFCs9TRLi9Pu<4knKR{fRCSX1G8$rOv(`o*WT-asH?D^BT2w4Qf>FQXTAPXzLqYYl)lw19v{BZnE96dUdmpuqI# z<3$*=Uiu1?My6cs?4`e2)%Foc&L!3?el+l~nDnPkKBLUMt9y z5B~@@iyA%}N4(j|p)##I3#=|~BibF<{P~Rs{63M-X;f- z(}u|cH}afcFcxzLdoRsC8o$=_)ApMkCO{nkx{(Yw)PyKxQDNDVfIEB|JMdV;y zVg0=P5IQ1zm%HD?VIYAC(sF>~g5U(TUJ?)^dis)y)QoMQGSpOVy3tJu>L) z@T4;8qV>l{Wsiea_VH)rHT~p6p^?Ee6s)@cw3e5;uZ}hZ?DryL=Rl&0Iv%GKGY}5~ zKp30D0U%6wMn(#EyCB*q-WZ5kxtl87K>(OhhRjaa5u)anC&f=t?=-0eGQH2=q%;yA*idj#X)fvRHn>E-hwzK{qK@xov0bM{9g{R_hBmYrlEs zDoVRph@R+W^`%T`pc@zRW(dKDQ@9>}YO@)clSNya5-zS@R5?U|1bw5pR20u_308R11j4U9E1zw_j^(&cD=Ir`OR9YRAc`amRm;%0l=z9 zyzvJ4}a% z4R$ZYd?HBxE(Eyw^5be&SfP?frqveMintcw{b(8nV=+8re4JF`+(3~&UzZccuCz}| zk%>qaU=!h?*(q4|0MMqWyI-*5-xdWwoOnj1mO}9YXr|L;++{gnPTqWcd^+ZFHr*2h zvTvC*B95|xAM?DJ_f;1x8B-j0nr_n|Su63<@hO^YAWfrA`=F8QZnqEq<6q$YS{xi1 z@2shgMmElDv1XpwYEaOar)=X4IRY(6xcxlv9>II6F$rz(S+jVjDUAUECHuGEjU_V6mz@B5qo)TxzU}A`}F-%-b@tIh1=~M3_i3VoU{+!2!Ob-frkZ zNkp5L8l&=_-{paheI9S*)AH)A71T$xIY(edQZ9=n%+7F%;O~^P^!}*ga~7H|8B-~3 zZhg~)wZmg`uU3$M&&?_@q)NB2g>^&h=$43c+Y3|EXu}3URb#MsE0Wwn$VFEcfsI98 zEaW6ys8alR?5Ryc2iN%o2ynf%EPD&#Jw?Wi1DDUUr9E(#DWoZ`9{_Y2TQ%6u+#U$n zH&1arN6>liwu3~p0M6Tgl7As#CL|+X_ur*OJ;~Fh&V|;o2aMEKzvN88CVW;uw`Y`Dw!m6Y$y==c zP5n?U2%A9HA$lk40Xh!U@s#zBTlfh`>h3Z^Yt&Ef%DW&$GgHs9tb56x=sCJ*9l`2M zoq32>6}c$9jKpjGZmxBXlmIakI-IW)_&}@(=@;;rV2@Ynjx>|bnMr61ZDm2S4=7_N zkoj8?T}+}Yu!`GU1MiSlWT}CjWIDw%qOpO!SEY8QK3*}o^_ghA36v#m6VrxPhk>$2 zQy|q#>V#fc$+Qh$Glr?|9Hb>ble&{JXgV_DoN0+=C2b9W2P!B7bCwA<8eeit=}2r> z)$XCjIfRJiqFsMBh1RD`g8`N$3cw*~y16%T** z$UDZ!ruRdi#-u;Fe&gWyLg^ zNFa)F0`~%n#lSeHu64O#Q&$zOfZ4~puwP)OquvTeTskQm z0TvP9K^Z-2ZbvM~IMMd%FoMz3$RH$zwvIft@Z1l;T#rTJu~JGQ4xyT1jhXDyY79a%Hp~C9jl0Wt0;oIIqV|Dw z(yAC?83qx7E*?X39`GZDWl}2=mgg9?89wxz_2nPjcRs(HDMM5WVZ6LiAmLDEwhrfs z?ggUHN(^&EN?RUWHWH_#v5++4RkCFmDti5PD-YFbjA58-7mU$V;xGDsRiTdFEo|m( zLMUlgK*>*N=y&B}S3mT2dOsFA8)Ci&%})!g0Z<_#{@hQq!2=lDKT{vAB@>|2?CS%a zfDQ>19TBuLeW4i@T1`&F19I&8Y+kbeeguzB>5}yxbn&X^k1nMm56L-#1F9<2*g!cF zAZw$-uT*eHY2J#Tm-v%BujsRT0eHVUoQwK;K*|hW)lMFQSr|K>j_~lE7|)X}Iy;?K zL`n*#w`fH(ke_K9Md$pf-$y1W;Y4xj=5%8~qooR?-Dfat6>(afj-}Ac0K&fE*rLEp zplBWu0{z@&qng(f)f2JhH-wj>tu<@Gu!jQVR80HJH?lC{+_Sx=jjRCC0;8CR_4OHaZwNy;cNJCc>83ah593?%8@D;YE2HzPyb916tL`^p|`#F}jpwlW?v#+t#hn_jc zQR@MUNq~0&gm442n~nv~*`#04U-+rrGBImVE8&bG-J(Y`qRNQxN_^pY8HhhmkEUD4 z3$m-DSZ^`Vc>UmF8wT(Q;`E{z47KmlgI`x8439gXe7QV3f}P3I%1XcZ(Bh+qbxXvl zc923jEdZPC5NLYqiXQ71N=82v5WHs{I2ro{J^~sG6vskWL1~)+oZ%ZF@pUZ7d38UN zXx9lrJVW=vSF%}mEU1cj7$kA8R9iXX?Y6nIOl3_Xg__-`I?md5Ia<^m?+i;&*-Q*P zJF|+I#M){F`4_&1((QdN5l#q^!+nmbF2M%^r1zMp*6Gn7enY=jb01fJh}M!#5o$+oQ9?Mf)Ev;fb>#jUe|iDBBC}+uVTnFyBGae0D>Tpi=Sro{0idl zAKo5wHS#`M@!09BBszEFEY8&{l^sP?5%-wB5i#B@htS{+i|jt50NYpYg8mgreXeVn zTxn^n6dTik%be~sMQUePgTDX}CT$~4nIhL0Ks5TUcOl&Jn=}f99%HC>)QDPT8vqcB z)HkT=si@>1M^A>M@O-}V0%B^R!~8oii51~ls$G}b=>65}9#4(5Jl7ctVC!i%rTkpr zs;k@3^rm!M;AIR-$Sze0+?vbP7)C4c4Xcju$S|Q6c2>9)4Tk+qPi;(I?Z(*3eHKFs zR<$jxXezgrVJg^)u15$mMSkWDlg(6H#G%w9v#WJ*VMWBRQA|NNvlNHL!?&5xq`zFq z-ZLFjuD-@|);>+Ga+*NMnpba$zHF<0e*wDfduPZ&UYQ51fd|ih*1P%MI%`)X)})>8 zIM{ka3)qJ}?wGImglgT{)ABvuTC7b;2NZ-meeMVf z!pU_~mw&EiU)$c==G96n#hzeHG0}6EKIy%Tvk1$h0zAE;<1C3`4-RXel@(kXaZwe+ zWBk@_6w*kR!_{F)s>svDmc&MG_pCoUa_$?VjLpWibQe*+fwv~F1YMG__@9C03>`Cv zT+XdPilE7<$aD>)355{F=&E7O4}54@ae69t7@zrH57#V*yp+p`AP}uzvkopzpE5Q# zucj?dN^C%)KMYohoSS~+i}CiEP&%hUoOhd`49!LX{Y>80ZlbCzO3K~F!!6=d?9N!m zkSOzXPFKD6i)SWioYlEBbQ-H`Zw>AIKkJdWjLIYNL^OXU^DwslNzO4^(Z^Xyg>k3s zs#7G`{{@{eM#ZyXM}w>3uO(*`JG>t0o86ap6~YN}!c0?oJs*}u793%rE_LaF;xcPn zw2tS8PTKM>q(=j5Q*qcKGxdRt6&JG+oShpRp#Z2W<|W8+(US%;bsx zI-GyV=gP4A+2U-U^r64?U>}Zrmp<_r_k?t2H;;6jWnjV82KJM`s zYX3%uP0Oc9&+m-k?5XxzhjuQcH>lsNbgI+S;KlvsqB$7DLljDZ7eCTek^u>!Ixag- zhw9B_I6fywHZS^d*!*`R15$c2Y)2<`w#jF@P;msFF($p+xVZjh3iIAvZ83?(QO=E= zz0?z%=k=MB1`8g2~500Ub4jv)j5xkgzEUaO_Fm{uS%j~K`UQ%|YF zTgpr?m!h9ancpW&EZ^;!)>2G%`vQU+Y(x$Pd)sW&bpbhdNi>|J5vK`xCyh?gcI22D ziEssgq)Z+k#SwLo0N)RLf1N4CHf|+ugJG$UT*svu6Z^K1$f!%!WN@bYb%ZGdE>5Ub zDJTB+0)n+t43R2rniTd;MU$~VfN$<`s!v&5wq8Nsg}}Zz-XLVw)tVrKF(`(j!*rDv zW!eSmOtO9WEqa3@y_*M9;gx{H;)1IV_Mlf(`1XCY;(FnN9ohWR0(}Nu-$rq@hxIXC zjtvvB#%tdEA8i(2W4<^GNT~nPz=h;2nDrT4+9O_wXq_0E7nl`(;f|`Kd|;sHwX3eog#HT9F`ooJ z@vHtsuZSNG7*}t4!$fF@t;0Y8tSmz~48LDE*+C#fP#+ti_^_3+@3vA(e3~vQ>Oujz zJ`nBOT76Pz_ax{d`bZkcD4W46ODBGF>5Oa~V4}Y#SrWW722HSNT<03;5?Kcd}?Iq5tQjamr zfqV8z+WUwvMxE>T_<7O6jx@3GgbE%znf2hMa*$AIwTukmejd={gZ6J3K+TCc+K%J= ztBeVZ_3Iv|MH8uYE0!SDc+fmDj!xEZb6lcQ2;eAYN6lKKjwSko|=y8?2jX3`Jx3cdO#cyLMLMt}&=3`vH(2|u3 zAI+!u@`!Kc3-i49WZ!8n_xKzQ9?6ei?b0{jP35L=>iLxxYRU`0T#~f)n|YAPQ5KU^%(*6JMTHJ1oQ zC^4|Lxj~~Nh(tZu8=lXK?%+n49@S$?hO3r~S2{s)v=Vt?H7Xa_{#WJ_b zC0s{!q4F+km$U>Tea{nc5h4H=A%OBlV{S_l4RC>c{`!esS3=s;IWvDfRXSUBaBz#v z6z4p1(kS!$9I^8haG`MAk0IR{^0hr*9hc4=HCeocZN2s+l7f%9%qn1`3eitwfTo15 z5`7};)W*hU;pEO@{Udzd-e2DH*2Q6<4${;Ev%%P%MIgh_7grsX|24Y@+6+=)g8FpG z{B2$u^VEWC&zhKR{B=FYIo_Mp?p{JOTycc{Lv;@$yn-VBPuhAUOrpm*ctp-5vFs<0 zN_v5FN{-9-E_tr5|A?f;RweLLPjUv*UI*g1Z~H&RXYqcDQEJ z8%Yi~S^;Sxr~`riE5Ihe$`7XGZq5Xhbcwt7f80hU*HgBR)0B+A!*91AqBvn=^>jY6 zaMMjo5P!xE02y}q{vT^+0afMNt!+Uhr6fc`K%_xH8fm2jl#-H0iA5+PjdVz(2rN3J zy9Go=QfX-kB^L@(B2t3?eEnja{hhtt=bZ76vBw@LxLEPN&oiGn@B6xg^Ijlvy0YB1 zT6l6ZaMA9)W9D#$_V#n1g#$>ncnD6e`UfEWaJw&Def}NCf;G*(W9k>`^9FNL(Sp{| z&kceOC=Y!B$X{50Ae3{a5Kq9~ipQXQ6S19iT$? zV;b5u-6qd+sA8>xrz>&iiE*AY=?9V0^OM%y`S`Nn;4^6OoKAT2A6b|nS+6)9rVF9- zBh$B~to0@(NDuuVS2Rmn(GM$$`Wf`^n5h%9k-0~ms^_g~;;H9@!5>4X6T@pfyYm&zg2YEiuy1z9 z{c4AiI>p|`ezbShw{nPieQ;qT{h*@mN`?|+yWq84>8)I;b+B4(pBUu@8@F@D>cAND zF#1Y`K)0Qa@(0AVcJPR;!}P~&p!~WA=_|4)7dkwHg`Tex&LP>G^2t?h8FBmwi9RcK zd8DhJW`6S>OZvQk?%a!GACmk?JCr5<((8vD-~GGTH3YEH@iF1T=l#2w$yogi#A|P< zgHobPZU$N}qcsb%cgd66vulpWKTYR}`)w8W-vk#$X|e|Dv3i#zM>GEU54pmcyW+Xq z-#lWe<%0OmCoPGz%;RJw%47A{ zA*gtjA0C(V`&$lafyutZ;qWsMl3+tT-N;+{mE5ncyHGoy&|A3@40QtLEjR)`Kio^@ z0rLRugqnet7D;a15;6osH~#r?>*)(d`uEQE{CdIJ_-aWPS(optEWrwL^=f|`Vwe8D zQxkSk=C_~UuV2j(EqmDLVjJ8fc3(~5pY_%v3qRNp-@*8PfY83Oo!SB*o>@yC0sp%X z5TQ71tE%=5|9hGjuXwB_5jHa|i`B#eUpNim4BlP@v~2v1(Vj%)!Huvlt=7c(iG1WS zN|?8#-oBk)n{n*GYxPx!{lBObf7w6;3P-_DK)Vy5UYA5iv>QJ5Q_2K~=ZCC=ZZG{- zIZ}cWYMdUYV^JTV1#VP|1~WM&sG)csUIrg}TZut6;nmhR$TQVY!9koDDkJ8`%1qk8 zdPthPjrsRW_{%S1(XtFmjct`@9wG7|{1U_3tKJa*>|+d{$rWggJ&+-V7l=ZT3#th` zn{*RR9?tJ7%rAfJKmPY0(jS^-{`LgJk7)TBQm9MqBW|z#~-3gDJ+#dsF<`T9+xhPUDf-1uFiilaS@E9c&Z&8u0apz-k{h=RzttUm4Pox;y zkr9n9D;*u$EJ%vU90+6X1uhR4vVeagFCF8gi1S8@rJ`q)eFLTi;Ru~!XFd~r#>p~# z*MIE8$E*rY0e?sXF}s5vmT%P^m(UPKiiRcuoaUi z8b)1a(kYPWW8{kZ$>0l>k_E_q=SFYdsr8uw(%eB9B4oS2Iw6ckGyli0`;R}KAm`}0 zW+rE_#OM(vJo@I<02dEAX2x~ONlEWGK~3y^@Z%ERe9aXndl4I8IO!k9-hEVxq4;7djjg^BQtE zRz2vfC_#~-2`ZiGsbcI^PqsLu{Ts~Esn?HHfj9BsGU&4YC z0Tyr*qQHEpq~~CSIo85lkHkIMn1B1rZT}Ze;yjCn6D_|l3?nzeB@@2bofrWjUk`~z zr!<5BS!iH~GA}`t7(DtFvPixfvZPyp{1A?OHDsV{FAE>NaI;PgkYVl zJ4e6_4u>Kr9Kzhf5fa4KMWPpE(6dfKUvev(>;%p61(4TLXg+iFtQv@(uRjS3(EgIMKmn9{m?~lsn7vaPVXaUtBX47wbKw_%*cm|_T6oQM8@~YE^!G{9Su@w&YsYKgC zOp0n&qE~i-%h7;9BR;=`45UrCOTuB93+ok`RDF zAie%4@X(D1JvB@19K<>fgO)x}aqHqsTF<|Krjy9N1Id}W7Yi`o+!aM@O-(?) zHtL2|KMK_ok&E5jVOE}fJwv*X$Sdh~@E)V*CuS#DA@=gGOME{6uGUWPRkMZ%%CZ-UCfD_2Q!eMN9{R=Q-vI0yH$OO)Pf;Ydb> zPt#=*@hdYDnWPB406T?i6Wu-Av z(F|$g^_yQ4oAEm?dFRU=-Kom8U_}v^zKh&}+owjiryE@;Che=EJR}A)Anm&URGnA9 z(X*%NWM^x|r~1L=b2ocwq~;*9RN6MgoVQqd?A#rE#UhdiGN{NGaDB9c6S;_OGv?9h z^tg23eIg~;$|bC+%dky6ZElJ>dI4GDd!P04k9*GqS>KerQ%ur-YsR;WGrvA{*x9_( z!@1ug?ewUKApPO#{#5k5)RI)F=TXH+WcQotzrP!cx9-l>Uf8c^lGd^Y5g-+#A`BnA zW)JCmV^eN@`W@5Sp9WiNOZI*05BZPpp@yY5Xm9f!Jg@b7J3c_h@aW#D&rJiUtz23NTq0~`xjC|}YPfMB7<4vjF#^Z|m#)JgdC#(nQTlr%OU9Olu32+SC z4<6QEM2~&;$2+V1M5I``;5nt$=tNFkziZ_7<Pw$cCWEV9NN&yIN@sh4agCLHa?bHd;9{lZ(R2$%G|^y51> z(AB+_=!o2ek&5$%Vi@|E()|cYuD9E3(>IIrf4mtol(LPw9Fbo~&^dT6N|@pJpVn^w zZWy%?KUY(56z))xvsK|P;s713o@tdW^r!SZNOwN zU*=FnEkjyL#LI@`GmvQO0kLE`?@6A?u#_1{a*Dq?eONB=%zi*&d|$#@!`2+X&{dr> z^MP!(6W6h6OrvxHc*;NW$ZK za%H4AQCH9=%@Z0HwH5sRh^lz{&OMfoBX6jwWmfL?tRR)Aun3iwu8yg^w4hbbUEx9n zTVw6+%O6)^3RZmMDsg#K=RfKSZoLeD>f1JAITUNO?RmXZw~niK)5s7R+(CQf%yuT@ z8TCTP}@hT9xtZS=Yw@Svyh6m{i%`3RJGxfLan+~s7t1J=Ne>9tT`u9qHa9Z zJ*>1XJlA7EB=lCP;eEBWQW{45x5Xx2S15LUmb| zboJXAd|@;ld2oWZy*Iig!BFD(+k@?urQ~#bhyvtp#?v;3nrLY5^%YUIY%0q-+8y#9 zn`d`EepuzxT1od~Dp;!Uz*{40A#^6Q@e8{i#~@NXz_vh)=RC*1TI@K{ijy}S&VfJ~ zI>HX}KTPt+MH62}J70b!|4Jy>)BFN4cD_icYchsRQ*U1kp=$esjgtb#m@50T6P{sEwY z(GK+;T7jj$XDuh@+9MQzL;8b%ovFBS>78|x2>MlSq`B{ID`Oil61kC>Jeiy5?^9qi z@b(?|x6MAY_oVoGb~IGf-ZPdb@q;bW{15;H3^_W4-$x#Zqh4xFo{XELS=Yg1HtSJ; zL$Oshtj2rc)sK6^;jziy(_)ZnHPB)g!5$-iY1QQ{24~WxbE+`etR2BW^vv!nHQYn+ z4@Is2z(2s?%4NwAyYzQI_evn~ z?VXvR;k(OaolH1E4JCudv{R;@pIOHuYbJC{m<2un%%UzkFRz0k<242vNB4WDljm!b zb*1`HQQYvHmW1AAN>Yc5i|U=u1qJQP$Vc zcSJKTZJfno{DM#+$&*X!t!w*K2RVAucEvPY^of*953ub%Pb~0@B(H~V7@;J3(v~|_ z-1+>LJj(AdAEk;r_uTsSyCLi`f;Mt|z38OgGiY`Zb?Pn&34UH4Q`(zE@z^(_r@q|l zJ+ER;VV7FaEYuTm+acfw+%RK3vaeH1C?DfHQ0u<{8s0boF-rVX~F*i^dGVzF|>xagdIUM$8{}5u5V%b6iixJQtu&!Yr73UL(9=SiAuk zPQ0Ec5an?pO61lJx9W2Aj$jAJdgJVA48@4gtz@fpsj~jk?9O?=)<| zc*1ov&*2le`Ob$%jkjp*c;~(9QJIV#tg>eYj3wll{tQM#sz_sg%}6JVW=qe>oBhs@!@btakRp?W6ibgWjRv&cf8rS8P`W*v&dW2BP#;~&lh34CpF=pUSk z*lW_FPseJKo;$o+Ol!Ek;T>HY;&yh2XFo~&Syv2k?ft)L5wubGStS^y4TsOZ+SoSv z(Z#nxF(QYWcU~CV4Vx=^G&pYb*6y0Cm5vh!|7+ zV{&&D9r#2d=Zw%BkB7&}5{La|mD5S+&REgqiVVKtLd!>v(-TZGRS}rUGjSHBVXSh8 zDXmILgXl)0lFlEJFJ5&xHz7x{t=DS}(yi{;fDhQ#Ma5ZCc83KL zeq5FE8>4nQH>CzYEt$MD_PP(Y~;ymsO2xDj}aP5Ogy`3rFw zlCzTf5%W>K7&Nc2`02nf+kY2sfAWP{Et`hk%bea3W3U<+dLYS2yAWMi6ddefMoWXK zLp_b7qcp6B_6c#XY2n$S;WKLQfxRGH)u>f}9f1)V(l@*-*^Bcu%Nr8PcT|NA$4g^l z6#Gbzd)752#s@W}C?A^fLK4ij*|iIWm-h=?lNVd>7f;5S!l?If5Z!VQh0NP zSR6Zm$khZVPit*l2%eQ`>lC0R8Tt7L1xGwCpn@vjz+`klh^=UEWua&t!IR#!E-NVCZdbVtHYS~ z`v0TKD-M!AUfl>j&ujKO;me(sVZ}@VKPu#unUe;R9f2VzPZ(~qlsl7&=?4Y7-bj_} zvrUzh12}DFQUwZJBG!u*M$vA6|5~8_puKg^$I;&hoW?qF$E7U092ZF-Rp0yso(vuj@N+9+KUMN!4bd>)FvsCnEHsi zLaR|zuT^2@6Za3>HXad9Ul zPdwZE;Nc*hO)-R*TNLB!_hgp!ct`XEx6B@A$z>QbK0`dSc|AN*n!tAjX&xy6Y z^Ca@&nvQ^c8oicy`It6}iU5Dafd8Xy z`c!*`l4bfE?M^H$aJrmqJuH;4O)yfXc!rAgqWkja7e3Y^2R82;fo;A=Ta3M?bdm=B??)Q@xZN`RnKXe*fVzB| zyMdT2IgBFqkyUu@y&PBX-i*XfqZG60<5-EP`?k&>L8c;nQj5-YPB<%JVB?8p6iO%S z{2hm7K~{fdW+z}1)Eecudi0v!lsY`viLp0CdfWg)$!b?|meR&Y8i0oLC;P$29W?y4 zAlRZWcA|me!OT-u9Z7fH_)#8g-^CxXDuwA@_4gL93cm6Eo;a~s8>72DusLAADd3txd)2j;f`*2*caU#$g`BiNU+mBOno9K0xCo#M>6tJ5k`KJ@_C@bNt6HEP)|cX*_U)WIVOTei-l zCE>y<|757}pi%9ovGNS=W826X70t+;V;oxZRW;?(SM6GSL=e2@xdk*ka<4Cyq0i6q zDyGXdui6y~|h|L&fcFlidrpaRqyPpXo7^=R@v)Xt=-UqX5 zT|5M%8+HiZHuRO{dc1c&Ur zaUsE@q8Fq^2ya*uk`*ltTMDK}RnmUEB+@J9HH#^?y)c=FHIx@sqc3+JZ5T<>T;rga zvMmz)tt%_u5@;`0wc*qQ7lR*QpUJ0>wVv*^yZzxQM#|CgVRAr;$EeipFO~0eg+t_G zwWyjAXLCDXSZX)P=~jx~%jxtDpF4eX_6Z9*KnM`=DqO7S09@D=RGzHEMpE9M0)T2v zxoeDrw2D_>*{F+2!$A-9_Y7C3xoh`RcCvWqk*O|G2aF9(eR~g+u(#fWubT_$IhRVi zeelR{W~9f-g6Y>@ z_FJi9mvlY1tsUrf3IrPYt2LRv-n}`Qw)co`0;!?>tvPMhztQXeSiR%B)wEV#C@1n3 zfZMo#bKgH~^ti}>!d9)<%VRWmuqy!b6v2~E7Z4XuLKYqepp-u+7q$_7ht0(~+mC@yJ{J`tr_JiC3z|3(nXx>~|koPY*S|RM}FoJ2?r1H{+ z*fyoQ_hQlQG`%(HYB-OxwwtWXdl(Ksr7c3Oew|C2*l5})@y&Wy2?LL;cG-xJFc6zT zaVfqag<1M0{Hov%zOk^HhRfWSYG^`AH~C*)L-Wfag2b`}qY~eBD6igN5-p=>4YJN% zA5DvKV8*4KS$2k)m9k2tG zzi|?^J&fz9CNR5T+&FyNd*|!x)LRm5+6*W7Z_rAz{YIqWe+%c{h@UMX!@HVCK94G} zeuAJZ93ezgb=258X=o$va*M$n6^pM6Z{c*UC>7sb>F~6ha$m)e9N&RzKU=0yLw!&p z=S=^XmAnB1eFGSR4P0X-H@ku@n3fPWC$J?btTIvd88+Vw;Z%_Ud%Y8LYPtiXIJ{Er zV(6&8p~|(NPt!zq>g`fTX>gf!ZRi3&EA%5S^r7$0p!)L2pZbV!>PHqT=f#p`Ik-kZ z%u^cO?%Cs1Hokd!k%ezE#I@3e+gf6BH~o96L*IjuDr6@WkcsB7mf>`JuQDoFCkE}F zn+8SE(j>%f2ol{dOwXH#YLV&wLze?pz8B}~KtE7W(2!m&Ak1wRLD9}Yd%-+_rk{JD z=VVqlKOUB$&F%Dyx5MeisQX1iZp_ox)_prODa<8;09PolOKs~gdA#yDoI1c^tdc9x zIJ8*;H6yVc=Els_X zg-*<)^>x5rr}6y=OodnCFt(_zuuc8BTwMM`ObkgG!Q{gP`!@?LQ@ZSfCi?4N&&fy^ z@6zPe@eQdtdy|Y%wNiRs)$&5G10+;?`V}~yB9QSHh$e0VgqA`#iU}IcW%WSvY+pFuXw2mN!nrksqHtD{|>I8iifmD9_F0>hL zl#iPQ5(~X51bD-Ci<$eQMJs?Gq7A8(>Vk_$X53hf0#`sb~>cDnN4x#DX z{OhdCq5Dfs$MHWUuX7>jsx%DWpHKJyIii=9$97@%OG*?pJ!<7KtrgQ2Ozi!Z_nz9` z{>dEEt}9d`VFH#N`1pCqw0#bi7@}KYy*Szx7sxmRk8OEo<4@+f<0@D`W)%rwrnEme zfcu`1YiO9~k&f&=m}VP_i};`6ZCOu;Oo)kqePMNy> z0`mb{TGKaZC*KS3<#Y$V;N*6d7v| zqi6)OGr5wJxy=Iv!UTK!CPjMe_n6Xb0 zD9$KUIMo9*-vnPB8lm|j652XKr^OO4=IxsH(xApAmo$e}zVjzjdW)Wa&Py@k6ACZv zi_A~&-lB0%US=wJ5+c}H3uKD(je5P}mkN(H87_hI9_6!K*IZC1PG0INR1 zKC#x3Alu~7_Rt&VeW^QfCFQCH<%_)x^9JA;X|L{=UO^q|iC-ab)N7#??)uU=5p59@ zu`1Y}ptp8EkI4))UBT~v_DaZGn(D|1%!lrAd-RbMS3@Z@m$Xy8_Xuln;WbhUmG zLCxq&xMH?t+@2MBmMh%jbWrUAR1l|k1M}vu-a{PhwGxm%AB}%dVFNp(zfinnIWAZC zZ++JVWY~Kurd_y}Pe+A3yg%nAT1B@|T5u~~Rs&~ot!Kxgxg*LZO!XT*#0s$5atev2 zWbRe!R|n@=ML@DmW!q>xpT`p>)nW0QQN2+YY_cOJzxXTWBbi6teLYH-Y~7Le63dmH zmW8K<SFZ&R4^cm(ce!5NKRyw6n?@+Ckgk{PT0IyyjpNEq8pQ4liDATP>rz~PP#>VKH;8`O$KLf$-O*b z87;xFrn<%?OF!OgkNKUyJoI{b{c-+j_9*emZq>smyGu2Tb3VFhs~#6g*8t=?T&KWL zUfn0rvT%Y3S0v(`=HAQ{#Dj51i_JZ3{s?eP+C*scg6xv`NoegnRCNsaJJ{)-%be>2 zhtps(4c^ViOnmXRT4OoVtNlP;b<@P6K2ptUN!VBEbX6 zHi3r{X6c%SXcYgUJn;=#9M)#avs%|0Ldn{+7=&((_Z%c)CYai&^xT9$UcDqDdQaek ztn;-j5{%%%&U!iPC0O??g=0_z;os2MGqB_HD7QL_ubAA5JG}La!_jf)$~C<4FN_lR z3v?$S618v-kMyj)uuOqM*V}5SA#i)Xnt+QYOjUGAj*q#gI7ME9|2fTK=7S-j*W)1Y zDmXvtY+E8)a^~k*8$v-zh#l2@cYF!VACov=EhkN5v_Vde?-VP*HbNOOC*b>j8WGsVk$;@FITu=T>oGB?1E=BH$ z$UvK{Ip=Q_i>b0@Y;QEB@OcVp8_7mrc)5{Vdr~ejM_Qro%kGO=Cu_8@&BM`wEK%*! z9h6dwVu89DNmvDz6a>ifK1jt&md#3H3j1CjM!}9NVy<4Q>$I4Z5|(J}YEaU_d@~(r zpyYWK=0H@UATXDY_y`_&ZZi}gadmv%emwWd6vN9QC*Ot3z`NcKC+*T;k8}WrTuz1K zX8PEn)ZRi|FsFOI0>30gSJgwga4B-&r$-jFQ?3ze-x3)sGk)HzNHt-B>a55$e(Bxd zb%#0Ts=(XPYz3myqIx$(Bf-m4*f~5-#LETE*!u-}Y{I5S^Dw`|x5uGgULGlCSBtwh z?tS43(+eXPzM9gyU5_!TUTI6a>j~z0erX2O9bc|G%|tdRxuECG%T8lcn>#Lc#beVB zsX4@&csEp#=P@lo3!14VXgHC_;G9~P9NL!0>bOMIcE}jXJ0TZMxh62@~!yM>uhg-roPyT_waQjdA3%I~vfYX83NHN3H z>&cc=RC-2P?VFOj73Z%$Pdd%FCaS&`%IH&H4>b5Ts2&;gO88|ATa_%#85826DM#29 zO)suB9;9eV$Hj8%z4hZKreRJ!*5e@Yy%J>WhU-@Hyz=N;>y7z~G9CHXne-8f>vm??q@$4-r6{y&cF+XHt(%WDHv~o@*C=m0I_FqqptDx}pn8lczx?Dvw-0YG zM1Qe#H@^j^u$n51=o5<}%2RTLhcAa8#(EnDUL2^wF-RQZkcEPHZuVEzq(?g$#X<=-jgQe7AZ6MJ8bal$v$Y&8=vE6ifVNde;MqMa_E1EZ%+UmO=XHaHZ%+?n;RT(C6 zFgiRkluJ8p;{JMl<OW;+ifwhM$5R?CD9BK*MzJ)$3R70b zoEuwoX%wu1`D^15B9=y-$tr|$C+d~4Iyrc*CBRJVwY!M$0Y_OrCB4f!yGx{;O#A+& z9?%uGboFx4TNZWU8WFm42qHb6j4)+##B%1f@EY7T0S*DJ3##gD!s zUYOKhNnqKzxRS=_`jmujUsGP#0P+ck zlD1oSDTT`v9&9YuDxtnyn|jv!b(T-@*ib^unS`L{TzXt}v zKK1<4`%ymqCNl>krfN;le9?+3J>(eMGPQ7d@U)VZdnMQ}C9RbR%sd~6FQ3Nl)4afk zl#GPr%{X}YB`Hlg@u3`7jv7!fV9jL&0+H;^-ntYY?*dj~^#cbC*6%*gSXpzN<*w7^ z4bP$9`w;ThK9-#^Yw*z0*yDez7il+A6dxN9j^*qVyZ{gO55&Sf?abIOm*-nQLKI<%{UhjnQY#DeI5K`ii7U8p@v_4o=s3=QNR zN!YI**ItzJ`W_h-al~CqMNoJ~Sfq?szH+CCw_K~W4q7=*U=U7Bj!Jn6UAQuWw}_>n z;D;G)84X^#){LwfJ=f@;6BTmna()37IQ>|2Mn4Q=)XK5>i=oHFM=ivsf@LoNHW1CO z-S`gAR=dDeJ=6;-FliU9>daOA zVe85Z*Vo+3D#az^ny7=qa7M zKf|^>9YR!~qg0_6x$!4J1vf!#1gM~LqT@TH&@lIU5frMlB*z$BH_|R7P~11e115q=@Jrdc zs6JLyWs>@oIQ|VJid)kMjC7ytjvPn(d+?6HGecloHL$uqc)o}?oI2!Q#b>#g z^-FpW@lx8fD9U5m^b|6r9|Q@#L#dw~38`5jd96H>G}iGgWmA)JBx!TR*>=phchWW0 zDnstbYEtc0DM@?K?7k{*so@})j13Q-Qx`_2kCxtij@?1V(=185$nR!(HbdAB$dx-r zi5HB6hOKB1HgUc_nINCu<3}-&-JDq`ziNEvN_?QtadRf`Z^!&KpWJrVoIf^aEoJ>Q zQgYM-{c}SzMo5qQ8dx0M%4$p3H8RB59>ytU2&^BT-S|CxQ6@O*tKV($ zrLwowD&<8Tdh62YYqEf7LuX~dA`8e_&IVbCiOB7}Ly$*sDaM>-X#60+eL`*)I=4iH z{-csq%Xr!)3@!Bfmp4vfKS2i5*}(!zIVBA-43|b9P!rzFFQ95aB$N~I{#Fem^1}Rc zG1dA{L#U7`N2A>ybXgh>8CI*dopVIT#8K%U-_F!FmBjQ4(@Sq~cbNA)PB_;Fli_o5 z^9C3=_MQUhmSd4!(bcr--Wa*NF^oVTUfXh};h4Ja{_-V+;#kVCy^ZstUXgUBk7(SH zG@-HU5tfJZX&bb>n>a>4R%{CKOeL%I`9r)T1-KDWpCrgfUW>W*i7!0_hlM&~gA^Z& zZU3E}TXyxF1|Fdxcb3Y3;uFSTu(nKiW;XW$YXdy^Rb|0fYl>XU6M5=%m5T{C!-3As z>RQcG#xR(g0ywP@Zgl;vx2OE8m@@0ZCJ_-OGVx|QwWP2xtUK?^67xSf3Ln%Fj>7Qf zKRF6yf5uUutgG{p_e5hF5|2j z=}i*soUVEOApGdnTeg&kSD#ALo7UTNU3Q*zEk9M-#PniOL)7+u^KlVqLBu zE9}ZH(XTwmgvNPoYHL`5GCbEy2vM*dboj1vpN<72q46f4-7y_L{07bOdTePLUje>S z=wM*a^L=gITwbe6uP$~-3q5L<)_(bX4vr@-GWyM)#~JC(quy0oD!G-WeQV8>wBzfo zYwX9-U$yp}YmrwG`f9y2GwLIUEYGL$Ys#<@EYG`eQm3WQQ`(fCQ0}|kC^S&zgAf1?T0cNqq zL=<(uWf}~!A$SB^(a60=vJPwr9wBA2w+^nRHi~+9Zo=w~WJW<&0@`s}-q#}Ke!C$5 zcQYTELZ;)eO8UP~_629L5iB6|poh66!R$k5in{VQl+{1D%3&1e55Cyz>~t9Ue?1iq zM{Kf}so-_fje7au0CmLQ4=rKDn%H_RkzN{%bpm&1njdeO<01|$GQ~{o{A*?6A1bzT zgW%X*W&!rh+*_|}&c|{AjX=lgqTuh<*T{D{l8>F>k5KFk`lqK$LmGR)RorD+XI3m) zzsbE44H@7xkRhy_1!&C(u-n;ytqLq;4}p`!^yU8BSx9&15hu0!^?qsM(wmp`V{LhX&SJbf}K9CLPwoUM9{sf~3eol8+E#x#8 zmn8j~x76bxW=t%Hmj?Abot-?(-I8`P@U~9)M!lE+yWj4=%p^;(FyfS^uX<_#A003R zao8h$Lze+|a6o{bKW5m3Xx$A3@JQ%6AWGYSEC}>%VL^r%FENPI5GN+W^7t5m4vs&hc7%a&X0TjUT|LSMK*sA! zP=m^@vip7Zdi$8w=Q3icq!qFMbl~ydulV2pO)M`Kp_x^8V#Du+%D*|l49jEJ+%zKM z<4XB$^80_d4gc`R|1VF1vbiMqbiDe%uem>5Ilq~h|La?C65t-HUhJOw`w!?ZX0|A1 z|NYuR^LW zV|WJ&wefp2S@*FQOe8L2$kb;L1rFp4M^G33k%LemV-$!>+%{oXo_4w}oDZ*G71qFS zD+b!ykf~O@^!Hbh$EgCAV5+CNR9hwLVYlV}D-S{6!dC4U7UMGoV$!udQNI6ul^gnL zW#5S4j3$d6hJWkD2O54eKblLf_P2~d?ka^Pr!H~oP4Y2J3eer!skb&e86)6UY6sK< z*fLcB)6!0w4C`rgsMh`Wr_uOQevgjE%%A47a?-8u@@d-L(bG` zL{?A_bGOnYM&}-ZIYd8p)3G6UTk@~1SY|G48tAlULUtsfLC2k#`>7{C-ZN+sH_|F+ z2Il|*AYM~oGyvx!(=mrLpO!v+d`Ql6k%RRGPl}N3V-u^MLJsVaQR{Hjd5ZWeOe@>C zwcY2ROAgqqMXm0pi8)zR1x4N<^DjB@l8ZOLb?Qx0Gh~F*WG{{Z#)GFGI7eg zRjH+KJWtN28ut}Sn!8M$TNa${3IGf*Ea}X3uTMe%_p+G z4~!hd|2+NNEmOuKeFEH*gKyG3Vr3O5kV;gfZ(Pkz@BZ}|~#wq?h$c)5d zhC_9Nd+`#$;1ysVpa4u|BmaHyipxegBOYy7Gs4tG-d`d5jZ8&X51X>t$hcf`QvF}m z&wqKg3a8Mp4klC~3fhcclQiW(S?JoI;87UJy*>lsF$A|fflu}j_z4HIuq2&=5yn#* zNGoLw34Fw&L};^?|L;oezpv+H*}6$gODF!6q4Or;7xW6=joH)K#4cd6`g$n&kB2C* z$A)r;5?~1p-?$a`9z;(g5cP-pIcm{OKDL47<@QL5Y)ZG4T_u zN%-hy0~n#$z@XXBHVe>&x@w1C%iciin46kMp9wj-zXMKQC4|q0LGASr`Z`O-@!4HB zfft8>GNyX#A#n2Imgm!tKOm`s3XD`#z*wS$NwE{=HZ>sz9*F{^B`ycg2I4 zaP&n0ti`m(VN!Rv+*Imn$WYm(vU#wvFGbIbRNwmO`}2i6q-P^uvo@;~2i-x*C$7^h zmux!Ni_K4V)A(mdbyPv!(=*~)4aE9}`8`!C0i3RiY$n$H z=^j^4yPf3Z)b51%SlYQ+cv;z`rOmtQZ>7t!vW|Qu;hf`tqzjy!6JF#wso!m^P(4M&C8Ku8J-rPbVQtr>-Lka}BAWE&1FV=cU9V|kUWR$lv9%W4u4+Zu z>BKy!d<8r2eJ1FNn9$;1KGqW@19B{XXLxH$#DG0;eD>sjzheLSH~u40vhM*|`_>zH z2H|hx*dt(S*GZ)&$kzgi=FHJDNAB;y5;7e8qNl3m2NDfc59{KOAq4LD2|`HLpD`eK z!#S92Ze0hu%EYwf*W>ae8x}}_!RehT=NP|ZdA+l@zaxSNFkQ)1c3*fNMCh63d$czf zeA;B7s<|V4IkO=LE-F;4Yh+bV`CKi2_!4rYEMEfkE(=_$yl%%0#aA8AWxhOZbk`rz zgAHp}cEVYO>gR5!%n$ca`g;$XU1S+O0omUMfj$_*`+MX*GUG6=Za1(_V};>Wd6mP2 zx#dZ|D$@tsHw12XQC5drz@>E>fgJsUqu9_rG{ea>P4mDc`Fw(!=t2ky!}9keau&sh z*QNK`WI_XBOO^xqurE2NdD1zooGJN6z|wC5S4JML6N8hw6R#^c4NHwu@UR>B%@-R$ z*rE4hE92+=6XoVDS6}oui52`rf;29EZLxm^3-@VcH0(;);!)%UIx3cf{|j(o4Yu&p z{FWkr04}WMovT4f!h3(@VWS54tCXoNAG0<&Ll-4-kMBuBo&1sP%edo6ZIKy&zVP{6 zICmQWnbwqcI>=-))$l;je+uN0Y1~Z*um#|(aq18`w7VzXYLfHrQ61>J2w+aPlOjtu z@C%U}h8prp6tl%?Jw~Y$7gJXSu3Dzy#l;=RJ-Jc!%{N~?1;aRh%r3oPn{f2D<_ZH} zb;&^wpjO*pwE2k|59pDkwu^-clc~wbo0W<@hrUaf@jQA3 zi@$k$W%5~hGx~-K$<`^gyA~ut8@at%N645ADV@e)*y`{%$?Xy03SW8g zW^`FHR(mSQ_V73avPrAwqFvSzSWT~im3oCqOXJz(S_mPd+q$14Q!31r&T7At-r%St z#Vm<(uFpU)_*eRiZFkPxd@y*j)lm0AnZgIMNF9cKpJ5s=xD3J}B1T7jj**2=k{y|I zTeJibjJjdhha$+Qo%xI3)&Yyzb^VnD!_0AZ$;mm7n=bBb$A4;H6K`M4NhiA0mjcbL zri!|x*-x+BF>Ung;_KqWTT7cr7M)GMivEx#L%8)Wq&7)Zd~e@HjFJ&B+7YPaXOaGX zpCc&!1lDHG`_V*R zN&(h9gk~rj1UK}jYYFT`%Du;LJ8MOxvzVqzJbo}Ivlmb?vw!t9Bd>2m*3G+T@6Bs; zUv|9PfnhckvHPEp9GLzWBnMt!5*p9#hx_q#%+Zt*;iVyzqXS>#TIi#v#s^yL7nP&p zqbWBY_I`|Ds+ASfs<68g!j=mAdV*rFQo$(U(GrsXK;^f0ZIP*VIaooRGJQKW>S|7HU#o$^!UPQ|?9qATQ- zuKBPWRs*vQHk4GjRKmo^VU%G^^(Vp60Iid1`;n*HdA}H_p&EF?Ur^$57Y4^mThE`> z^04^O>73gTqCM~4sYNE1pq`Gj6ptZ*OK=ll8n?%(hG z`1HLWkNdy!P+aHvKHul@K91Mx`Fc2rF8JO4Ig**q#$?L*p7%y~s6BtLQhNJX4PwSs$P@l?=u|~Qssuiy?p)si0s>&Zv)88pkX=UYsf0aQ;Q{RW<;WG z(a_Ynzibai@B3f;kF}NrUslMTfd`ev>GNi=-p5@4tEK4#J*ng8O7UM@GLwAkHd1JqxNmG&|XrK^*ghJr;>~N^n_; zQ7A5*KMuKQyO=Jl`uOdb+C1GEUhDqqbEx^w!m~pACN=JG67SKfIxIuG4><>*bV~>w z`*G;!-=W>_jq4|K|BZmSvfTpITYVCet%ji_x8(1wi3O3oJYFNSaii&;1ayhS_8Oi< z`_R^F9?n8p6Nhy&s{$l-(K_bUD_#0t@DJ(ENfaA^cj!&}>???;r{XfE3c*cyE8s=_ zZt6u(`3pk5XvK6rJJmZ;q}|;*QOy&GJFESOU8ohWYc88{t@PQ1A(a`M2f%AUIa2qq zDLoKfQJLR_v!SC8r+l&n*%FOB_Pu^q&gvs915U&Uxpm@2ofB5%74#R zsS=0hX>>W9?O6p#LJ04D;)bdfpI?)lG|#8rQYUaj4eCC6Ic&v4Zw!jn%h2pkDjD<= zJK#BZbfxBle0IKl*iy6V1`hjN&j!AZmTIs|i6RvSArikI&|>!IjL9K$+?`T;eeixd z#32&RD5<|-Iirx*B5N~J7;mFMn>dR&u}ipzwxc=C&vR#%GS12`p4qm%Vd(4bwD($q z=^;S247CRBn>dW|eZ_3m^2kuF#<+UU0ABjAG#qZvn*q}^W3|stoHXn?##7e7UPkw) z{?2&dF76Jj=qjsANjkYCf_Gl_;1N=#_sQlq3dI{*inp`|bJ^x)3%;%aL?e2!w7Y?$yhDf#w^A`n$y~_uMf?rhUv0pLiH4t9TL$%o_iQgdP!)EZ9 zUmNuh=x(!v0$Sc$#^Fv>b5`|I1DPoj;O|2-li^$WlK59H-8+QH$`EkkT<@38n{Q$K z@-!^_*ZC8v)^aRg9qRCXlPNhJ=f2E77dwQv3T^Z8da%q3fJW#{g8b0yJz}K_R5*Lb zC3u531vj~LQ*SbsrdxQ0`U)^C;};Sjg5kSF(H-WKeHvRa6XtQZKDp#b5S}u9ET0nh zJlovb9wZP28UaJ!ms=P6)BUL*+?N9Ht5xw9f@2IViBTJ#ywXbDooqrjD$^NL&}ZDM z%ZTABG%FE7Ry*ZMjy8q{&tB4*XpQv$zkL+hX(}rzP z%(Z>{l-G1>Uw1AB_#k4nt5y85){pNAb=qHmtK51BhjSg!$X3n?j$y5^Sh6H(=%_Vv zN31~j>Oth4izKL&Ve-d(5bsk8$zSX9WnLr#lA+@Zx za%&7ecWraK(e?$YK9;)j%Pa{Zc30o>=zl|}3*0VnluRL6FAQA>9&U7%SDW#x!fP6I z!30#9Z&l%~om+2I!{R&BJ6^f#EZ4AwHBG*Zz|#({!0F~Q8*_QQ8F5L6L@v+eEPN!JfW@r_Ui)@VxE#-Ns zHGOJkydJ9g)k#qRtv(00ZF1$4Y;zrZ_~>osVHT8=qxt^p5>t|ImH-a)7MbdRYIDA3 z2wvE37TtCo#^)P_Pl%@;O1C-EGyY-2#vv*k!QUL2Almwb>X3Im#SlmRmfm_~NzwP} z?Z?lm*q>yTycAZuXH17_vBkX2==>x;$fNUy$YC&xyt_mB(#!tK4NGwLcxwDgxh|9} z%tA8qJ?$XOZmlsdj9V3nXUAVX`;O6XP!(5waK#?A|6rSb?QUJx^DG~07W$`Ai6rQ} zAMnJ>JeBUkN#trq4DJA%{@0gp6-w5;L`5l9ev_aZlV-@%zx*qzT=>LItt-KA<&2{xYg9_=D_ZdfsIHb^^Vx#Vf#}q;3l(}b#LY$1Zm!&r1S>sKC z)_8=4pgwQlG-K5wgCcJ9i*}Ww+ok5DP=w%L-E)^kIzIm^hU8xu0mPHsqaMjt01i0l ze{2AjE(9UXq7Mttby8TO7f1{vGCEOQwh@6;on-$X(27RENQvDpmMIxT3#J%_*dxA#FTdC)vRU9H2m)r>U}uZ) z)z)nB;JEo5FvhaC*B;&@9@L+vY>zk);(HNc(SV30!1|RfqxaD*LULYk9y{$aBi{0> zmnBq#dKN|GuvV>X7v=k{pCAkIZiKAxLWXK&7kM1RetIPIoRcdp%zOEls=1f2DFN#3cj(jkLoh+@7sH($NDsSwaVZ9I87 z)F#2?&BrYHsE;P=%+c}zTtPP<3#>lBv0A0Z7x{^5(Jzu%qe>`#V83|n_{)O+@>iR+ zvOaP5HOGC=(XFI~pU&gUo8vac6~7*=c^TQF1MDcO@DZhr=Z4j)^z(!R#h3lV=-wEr zdf%)XQy1v_jJ%w@uab_N0yZo6B_XC@bci({GBf`y;Qoh8*`6Jec z&E?~!n(5hQ_8M1j%c2By#uhL(LSKbaH5daQQSR8QB}@() zEckv%`f%q|H;i1aH_U=zs&}^f-UM9i%z(|OVc*?P7YU1%(^B;EU>H*i$??USlRP+r z>O?&D)=R#N@Bj3F_GT%HqM_R%3`v3;x2LWjPJ?m0xN5ScPdR$`enERxD+*r9g+nS` zTYq#6radMU3b%QnSRbeI$z(9AgCPjerqMU#oy^$|apMk~vV8yB{yJiit0(VcuN{mUxy33FMae_gD#HEL#AXB9 zHye7L5L@_;4)%<_5!N|8%&7Z2L24}Syy_P5zx?y2F5L*iABYDe2ef~Lu}F?0#aZ9+ zQ3N>mmQQzwG^sj|s6BafTC4$|LAB$yc&I%p-YzRy%GF_r>t&mn{_{9ukz^rLOk(lw zprYd(Qua&4=5bl!NA0HyDGqHV*h74N-bjk+e)esWN~9cO%aDses|E{<)t15pY3t~> z5IefUn>oK+y^34eO3vRW-Y9Ms7Lfb)k8=omn*=i_>U;ja`j8o2*;^2VrE!1+?pfo5 z3&Rm4DF%2%+nBlm`D^LIU)`3AVyIWkzE#Ym&G&V(E)*d3KYrX}>oFw3(Qh&CR%_CJ z7?yCe_DE_euW!#zd8r;42c=~bmYHF1s2{%@ut~q!WmL>mbY(=4m2pHm)^))m#g(0> zN;%pcxm?rV`uqGT!QrEWow6uK5a6VAtYA}rXNSLio-n#m;Ag}3CG)iEjltsg6V|17 zUa&@|Tz5yhR&{IMCko(L(#Ku48T5pMmU1t-xyM9XMWw=>=$FgLxIUAE8_L--eto*9 z*4#mSlA{BiH;*{)na-|=IhjAc*oCNYq2$ohrrv`U52vuxo@ zw^Fo7BLPZYnx9_rMgJHPA#!4NE9UBJRK?0I;$gkOM?d!AC}J0b5|+w`-pmkjG!r4( ziZ@E(~bnzyI=BQpHCpu|TtOVNQ&Y zOQ8ygqGPYn0XP^e+d#fz3_on{Q8jehTg7=xh4e=ZAGa3*#Y0E(kp~o1MJ`40t(zA5 z&kJTkrRKv;DrN5E2=j8=eH%I3$!w!Fr<}OfduZPe4VJFdYzs(S(XqeCu?rEB+=WyT zBYqdeRv`C?G$8&I1sNR-9cZ(#Xo)T(@|5z0pGd<6?dm?+*NVilLpQv+vq>qgaj~(m zp4NVKftoA(0ow8V1paag)?pe`zSJCrsRLPqo?Q^d?MdNu=Zy7x55unJtH1q_a-gcu za$Zc|t3R`%i{rJ;j)gt+=x^)111-T4^#0!uuvMjS1;Lt-DzI-71mdZ%Wj_lym1EF| z$Hiql=H*YJQhIob=yyL%!^K;P6JVY)&)>#6eM3oZBe!NFG(?&PlOSZ3u`ZCaSnf$aIQ!e7IjBF+Nf(~@c!<8B|bKl{N#_5?zBti zEQwbh>RS!k6GbcWijWf3jq6x$3ow>5e>2;owMa@YcjY}j`yQLtq;%EmY*8|J7)zH< zU5b5g_r=X*!Xxqm&AclBb~7_>%(0Ycg{l2=wyX-711c+lnKfRFUy_MyTJcRguNkSo zSRaWp-4>ZW7TkHI>i@<1AU4$6zCUQ@(oHf+BDYZHcYIx z%z*L%;hoZqWLXqR7vlXmx~gw1zgo;%M-P>=p0>*pnc-P}JR(^z=g@|*>>gxatPL}( z?;U$I!j9|tphO|DKnDi&JNRi{TZz-0 z`{(2boE5LuXH~JvXoajpBXPD!v?AURIhPNT9;VgZOy z&UHU9LIIH@>#`0U2O=r|c8hRGOt@kgliz(e+#9V7=8E@AVAklk-Qt>}>W|$~Jeof> zg3W`zzc743)iRjhtmfQ!4(2QD?j)F^9@+a={U@In<{jU}D7wR4oBw+E2j1T7gDBkB znorSj?n=ZlU7NGhpnok|#^sHRd8%KmF{fvhhfh$Zx}UTfQ7|#3HPbAlcZ?X#-<0UA z>2`2Y{fB|yzX~bRK-obaBZV$fO~SC*0vCzw5|fbPSs-nXOOe$K1w0e_J@aeQ@ovSS znxrf8{Kn~ODyPoWxX->SiD#C0j9Ods$a)*QP99DK97n%VY8G?mVJ8(4RpmHM*dw;3 zhjJ7U89Zzo2rXmgJISuHjXk3pD>9&YIxQW=qwEbf>P zs$Y@&>??imRyUCy?)RqV9LS>l3iU^>Tdf9es#u@(XSou<=lQ&g_d_n2wvltJA|q{~ zv~wIA$Jx~4+}H3TsIq_~YI-?aSr1YhJ|pr=)PzLOlESy z2ZeYW@5)^kDy8HYe5RTkUD@Qu-ry_&6Qx>eIY;Ugv-R0?(l>q1h*dE?6~4YKoL@jT zA26(y$`$OtY!Fx6;wk8{_jKM(+CF)ZqWSyY!b6rdi_za}sj=+4IF7KmlO1yH1|!|t~ChG!N}9LHkLu)VE|U=CGEXm6Hci6V4u?Ee~f=P*LPL;M(VLmwntmsr3zt%>MtXA1}v0q>$ZftIcnW^b#js%lslSY zHT|p0(j*8&GqrW6`ZlYE+FpzNb&HSYj+ueDpe??7uoJs{SH|G@Ms(I9i_fA1j48_x zQcw0%qXPLu^bdo=HqdU`5`{XWxmFI2`h+++(P|Q0Mm*AN;=m=_^kPt4W+KeQVdw1s zlYm#q3HMGJK1*P@C8`w_LAr;9GGM2Wl&wxy_K3bp05A-J!e$82Fu4#@WTs%|@N?ov zl)Q{RH*PxbD9KFj)*SKh&G|^3q@T;0KX?i!v31+4SF8;$D8IYvum|17a0n|^qZgrv zgHrwrGU8?*b)j5XPUS8anR#ZJQ{mysU~htZx=qs1e?vy50fyE)@XHYCKpQ(c=1?a+$+?=c{riPX@XddBL1IXyv!gIe(M=$Dx*bKQX3LZNveLDf!g9Zg% zG#c{Krab+~$64-KdX+oE%d%i&uB}UJY3fM=4w+41jjm3i-mGc@`>xQaYj5jCUkd7G zm!FcM*WpR78Eqr>+#jUUldRbY$6{fSyRh;@9(tul$_OyRN>BlR;;u8ixY0ZwrtJ^KgPwpfjg1Cep{W|ZsT-9PT>J8CRir&RM+ zR1&PvqGOsrxYQ1f>voeIdpEowTgw+pkSI5}@}=hF0v9+=*aj>A z;*S`Z#5yc%hS76+CH9ZPe0$Yh+n`4kF>Y6lt@^funE3TdScG~*_dx%3r#LD>$be1^ zJ16YBndSTtZ`&6BtW%J_VG3`O(x&|3=4#!A7$t|Z&8U1XpZx|ra+jvx{guDK3(C27 z=Q&Jw6Q{Z(F3FYvXkCBqJ3Q(sFJz;rF2>GT>zS6G;x%NrqqUi2y<;Kp_wLQ!QJRK4 zG@5j)TD{@A3P(w^*ZJiX%WK{z?t#Id%0$6~b+7s8$Ty|k=80E6qk_G|OB zqV~&D14)9IJ~1_7>!$Ayu8WJ4rP(RMso6PxVD4+wl6AK-`J0^M`QO7ncK1 zZwM&qFrQHQje^bK?w$oiWLpCuiFmmlUd5M!u(}Hsysv4%m*X6X!z2V~t7tAvH$94@b(+THE&pp&3F#*v;MgGf$*TDW~)!aMJ z(VZkdC{dj5@@=xne0oQhtOk0YX!PyI!YFEg#Ff3MzyVnH4CR9{b8Ke)~H zF3w7rrlp~mBGH|kexE1RfQtAu_#$FMusi0k_bSh{HA(TXuyq21p?r;(>klLFhHuo4 z$dqd*k};#?RRsRr)P>DF%!KJG_rk$dH$Zmh(eMXy(C{MfImLteF2OmRYN+IL1p)g$ zraPY1ziaaeomW0d2JL+7%_T}OlBxtWtVdZIdU1yTFc9c2Q8Zg>$mu3O_qwOHf-CGqRa+i;pA(`MONItx*0Y zn&;KRZ4hl27w9_0CDAxF`U`9$^yXfeQYwVM&n*F)N*>Hl<)SSQHG6bf>d5cnN2vnK zkwY7D1dQJex@Hcr1OufDnaFZWlll2;N>*21%tr2}FH>>x4CHBX=)TJ*^f&L7Ia<7% z!mdil8Aryf6DTge)~0V1TlSzUL9(^%`meDY*Fgf3GU6S5!{?ONtW6094a5NX2 zdRq;ECcJvKR&*BMDSSs5g*~@;=HhjB@I7P-^dT31Lbl7>e+lybQCDD@i%)mklQdO` z%66!ee+MSPn^_@5-#G%uls{9HHJ+i@+o$fl@z`3ABX&_7?AKibnw+AE>lt?+zkjP_mT=)9WqH0eh}OJlFb~ zCOJk&q(4g|Up*v7BT%XcS@BN!nVqpdk-U^m)*mf4hxutX_`*!RJl>vYR#MXyf3uaR$d zn8>FO4#9J4o^5Y8gd_r4_6U8rZ7mBSPlv>Xg2rnr;*!hGDK)xtgn3naI`5#G(R!>m zlw|nRjXj@FGw}@oPMja>0pLX5xds>+g@f~+7PoX>63Ay@4UgK1oTPJ_+%Z(S@2(9n zd8qDyPrP$x>{!{M9=wu8ZV$W3?hEQZ3?n9uL2+-NONoD1gz8|AL_zYRGYcS2*Kj<8(_exY{8W@2-9kWimB zpuUx{sU*1ys?J~KS8m5_fqVD#FP;*Apr(^X&j|_nm$W;)TYm~qcODB;@ z?B8GHVP%wmrU!JW$XmdO6Zy4Mu2v`*p+bTq#B#F=6z`H0ygj}I=P#bpbZLLFNp|Ul zSv7=UjH+#U4H(b|R1yz=?fx(kKCi&nN^dK2VcA%E3-sC_)Fgo?MQqJfp~m@{^>hQ2 z8V}wCeN`T*{lva-x8Ua2=q15@g-1?4cSgVtb3dCA^tW%l`_tr3i<%ZuYHt4o&CjW_ z8VCup`gwj{>PIT!7Klm~0NJ#WnS9b;M-<(FT88MJ#W3fjPmmVR!qv?p+Qza_@iqCb^c262QA5vjoMdlYYP@WynA*~bX$H_N)YAeZF{4L#rp}dBd z;U%$05+1VtRWjXJ+RLdP3ll5D*_iKjPKyJwF-<}&I?zoz9hUw6Kz5$;EGMduP0tpk z-yy7C>Lju!c*e+Uw%g(F*YCXs_QD}+?Ofxkc$bz7x>Q4A-#fR)Oe3^4 z$0&@t+s@?&QrCy@RVy|QJveX9ZMai#@1jTr7Hd(k2dN20Se3U<+?p$lr-zM>H)*Dq zk5WM`s{A-hk0@XP=sW6A#C;?@^5z$^QC!IaSZ`{wmE`kPhOu1v`>$_b`Tzm4Yg6(} z{4f$u{~rITixhwIBb-Mql+0AZYWp)Bnus_8tgWw+GzzZ*#dp?7&^}=rD&HaI*NIjqb5KNh&#k&B?@-wFZ*Ubhd%{si|%g2bgDdzVy$2q{Bo5KLzbOi(7>@X`eyj?N!x}f|aIU z!*-sZM^7yLED`zkz}Zvv4DShO7K5B806vY2s)}SGS+y$KDm>G=ZrsBuWBtkC{FNal z)-N}sfso0z?RjyDKadR$uG_2^PJQ|>7J%$NgtX~2OsJ04_(q#tzW*y$7UfL+8oN&W zXX7p46knbn;<^t?!}6vXSMa%Cn9_(RYl_ACA!t9D{* z!1|rw80m7&JACTldE2dncx@8!F>=Lp-N~<-Vz}$iiwjdx*GX0R%pU{2;&xx0X^X zbXk$=PI;K2Ew*pts<9Jxzw0w*LM(@RrDO>%FqAPc*zm5u1dIy$P&e^;&timh;qi;* z8HdVIv%fJaBDYqGgr{8Q!jf!k2a(+d*3(r7Z2p1TBgvZw+A$2>>b>`yk zAar*&k8Y7Xa$CbUm<#jfTP@QxfQ((ezQdL16Ko=lgUbh>1v1_rKfjuy?az1^@^NDy z_kQ*&orr{K!~^A^A9pbyscCYAnhZS2oSXH~6|@WMWH?(O!O?O=_Fq$f(p_qz=50x- z81bAzZ>wq6O*K)3SJdf8zpO;+-62n&g)34E)DD{xw`wVy_g?N^M5lUSK7HiYl?d2h zaUSL^5YDGQaK6SjUmI1xs1#&n(j{y7nR!E+{OGi*z(Ty^$7!Rck>^Sy5w3q~a=n%< zqVQ>b+s!EQmBnekzMLCVfA3T`cw$Pl^={tM2MSh%=dJwHDsb1JCr(SE9w(23Y?_YS{Hp7C>+Zb1Z=GRPb5O_=*c2KA#t?o8`no~_4k(8aQzF@lHWHJg2S%Y zYRDbnX?u>Hkh3_si+q-r@Ul*4e3R2VuZyV}trfZCb-#aEhJ7tPe9yyttci~>+;1-t zn>3WC^ODxEcfq{aQlHfeQX-t+_u!ajYm!)Q9})X3m55ukXq^oP?H_Vod4Ebr z&BBM&*-B!(;=^@V-bH?Dfiw03w!NuY!Vmfi29^>&aVu_ejTf3PNhllMI6LltUc1!I zgjt7jP4u@%Q`3B$fzl~e51*f-ACkO1ENL0!m z!`{B5a(y^ggVh=4tM2ALJ0ZsSEzf}6^6Ea=8Dpr=631ljB0YuX`Qw-tGWU4W{;J-9RZX4A$W|lvD>1Sm~q+F|O=o&-+9#TwmKWE;K zO$>W}4DRM{@vnb>nLgIh^ny7A@1oTD5H11noO&Kw)0w}b4&$mndc8y1^gU~c>EuUr zm9~vaXU1MeS3j?0qsrG6Zi5Ufznz!b8a8~+;YROpig>34j~LDKk*L0j z2xs@P3C7)Nc%dLmlo8Vf!ag*r!T5TkCO!K3T~U%LHU?yUY>3Zaq0OROe&Ov7-Gxy( z61DrziWAW{QUgj*~ro>5OL5Eh3kLw*j*-l}u%tS4ZJ^a!-* z{Ciz!*g3XX+12>&Gy!NYjmdLcLwB>gXE=g_ylzjJ{mxj26cw05>K7XQJ ztB!rWu(vUnytpik=n}T(6{rEq!!ST!Xg_u$+qJE_xJw5GFa3E`j*pwIB*=bK!N&96 z#P1jhIG7V-UWAF*y;9#<9xXPWD8WDAb`l1!%i66=_*|tgFBuLg@Zn#BmrG#SAR;(+ zjN<8_(dz=hKn^RjADOcSaJ}Xi;ru3Mn~%-CCvL*cuEw?ztSGaU6T>$}SR2}|lvC;& z+d|V*W1=Q@Ab~AuzuoOyg7qDQH8juiVUB!FV&(~mWiPNF={zDz$^D)2E#p-a$uXR5 zxa~G8W&rWRRPoYK7(52KJjwQz3dpUHrt23l<*k>q?=%#EvLNURQGluc0x0q|#xA~M zEesK{9E?;>j5&J&6}2nJ@V+Ne^urSM0_ZKR4Bl%hwVtr%4IoLRB@q0z2 zS3J{>K(gwS)+>h31)q%CM|qyv?|QFPUqF@(bQc@mqLDnTVD{H@ZjIB|v8m=9#%CLG zyE8S&97RQbLw#~CraJ_C6dRaOCGnE-m8y7l^NDmQl7Nb5Jr;i+Et=6OSMQ6UkaqKF z;Oum$%C*N?1U#{Z0?6B^Sm<&NkGG)qY~|r!F|7(}Ch*D@ z3)P>{44@OXzW0661ku+eo;F}-y#Ie2%>OnxRJXznOWQ3Qh>_jTZN*wR zts4E*F(7uN68VTtj=tMY$iGt1!D~>dZY5Yhg~h|vdAe7C0wWjjFxfNax6_|lIzFCK zaU^8tgY4>b9zxE?kfLi1am|||9QP}%wK)@CwcQva#l2RUGEtN0$Ie{S-9ny-s^|~O zx@0}Lmh$wn$SrKiyp|w8I0YyFyjSDp0W42}JG_O(!xUrjFi-_6C$elEe1pEpnpMop zObyOdllD_W7BdO*_puo0+8&F^oF69;aB^?>S!$3F>xQvir>a$S^!^4(Qp2YclQN!O z1@&(iLLx6MGvR55T>&-2%P2o3ir-(s$7X}NGErC}I$~VoYfKYBRx%sxS_0P4D_`$I z4&pAp2jckQ1El*(#f4U*@4<6Hs{<)zHh<$`sy=>$dB-p5|H8wRHj_!Z*sN4CpE1)v z1dC;dJ9~p0jm`7lERSZ3zivqRM{p`TU!)XxCg(%BOj?-Nh>u&Wf%~E5ZS0v{SOji! zVrbSq<1l<`7gQs8lZ;Yfq_tgG!n0JaUlY12ZvUdgoB#s9W`T8^#zQRTJ@tUK2}KT* z3+hwwMdN_Fh>EkVilO4!m4#I~rM=wQUt`1wn9s?&Oh2bc+m%sFk#c>}CH)rwrSTG^=al2%7&ozWORt`mE1Gx?rL8_TpgMX0WRKKZjI_OEAkN5$uf@AB@%JF|a1#LlWX6MS$e%W|knN&r@; z8+87LVGUbUxIkYm-|owM9lbaUV3jN#?M{=2@JV{CPF9&MH2&+ieAV#jC1qwt*DJu| zY3na+Jvy(L0K}ProAE|BuB=0Xd3N;~i26$9@)=i`r1?jy`QLjQy{>yv+-<@ROF2P<_Atd|(eCWbrRG2G2LJPmZ&cGZI%Bw1q~kgMXtVp1{qDcNE_;JbU6;N6 zlB$H~fm2M^{N>_#_C(tZSkkodL6O+|p-zMg69OH$U12=c@FeF0GdKLdixd3zJ z;9rB@SsvJ`Xn2B&Iyq!l=LH{;!H?@WuLr?h2OuEWj7QfUEad}F$yMh65k#e!mOvyl zAdfF@>oVf+KcmTD5^(=Xt@h5^bUjl-w+LLcAzEM9*NW3-v;i|Xl>B^3--6e|Q8Dcq zVOH%FHkFG`^sxckYbdyM<0% zM1AGU2VJ22Dc30XHYG$0l6`(F_hbcDXC-pAwCTmfo72H@H)3YrsP ze}!|FxpM<>x)}y@_Apq$7;%Ck?9^cP;ta$~%^OZWWO)B`4gUL|)2a!nEI3N4mzZ*U zKqF2^Xe#@SrrUM=%mPr}~NFd@dy}2!cCyowxTP>`mLb3(LP6-mxK! zDX5Shq(CcGR0yo>C;+aapr}JzpV?Aqcl6p`Fa@6BCjP+cTE}Rdc$BOI{uwd`%P>Ls zE)_mU4B(?cXutzlAIKb1-1#{^$mKzV00DE%?$2uAALK)`U06@Y_RnTQ?0v@dZQaST zLfr@^yBgbd+6$^jdtQT(?j^#N^Kg66Zg8rvodz6>Aa~;FNZAp5Kxn)HsPh&W@H?xC zZ^aM{wmL9i$AlWL2zyt2>!Q9lqsSCPV(dzX?UX1K4{N|z&a*a5#nVbYMxHql>PYFG zm&PI=j?Qfjfi&~2ns0Xue*TLFpb-_?V-DBqi!&xlufh$gP@Vz1qApNQObeGxYXOOK zc<;#3wy+g(?muk4x zJZvG}iLL*ArN0^^(S~+VMC`8vNJ498aqu>FrnO%Jw95hrYf_XG6#las0lU4)I-g5B z=vt~~DkS~WCrv)*0{Wg|Y!RgM6`t9*>sKzD}JDsj!Xb6gEblvYwm0>uyRRF^(ALPyXuww4z zDzseqX!-f_4hXCALAhT5@f??TumG3C=@Xr4kF7B4QFQVI^li2H%fv1#!z5wgi<6w; zmvXC2iDy55*p*Nv-qkxW;9C&DGIVP^KuGfCChhM9nG+2F4o5cCR)cH_yFCVLXJuOV2)u=Z{oS6F>-URbqn&c8gTOkmL261d z?_-a^X=pNKAnFRMm-1VZ9*kO*#g*CEC&xOc`aa_cwTUA!F?YhArbdJ)S}hgHwm#*g zdga6a!oB92Hd%F<`x(q`qOr^_Q7>$TQ~&GBQR!Yz3B5CZ@wB* zjPil1$|c2Gm13&?Txxk{{DRGars0U=?YteQ26s>gs#_lZCAD$ykQ|D)I)zLE9~H_nB~8!Hip4MpQlij;U7DNe4) zw1=bfQeI9z$YDmRl%h`e!V@<(Ad3^Nez@|%=+S2wA?NvVaZO|U0;Lb$cyD%aEJ2po zJ*+v|4+qtCw4__FiG^uM0F`VAf&kB7{UHpAvpWMS{QCMlMs<^$rl#%@*MF4&Y`ha* zQAxB^ZeZ_~aUb1+#1d^tYI*B1azW3r9`(So@vzTJQ00vhjt zLP!al`<5cBE8WOXfOQ2`&-jrHJ@G#L@-Cp}QC-U(L@;DvgWq=`rcn#~hI_gM3kY2e zq#>+B_HMt(YgsI)1pqSp{jA|)@}x{sW6OeI7109kjlDD(LH+Sg@i0iz7vm+lZ{f^< z6n(2ZbvEJQV4G8AcqOWm`r~SK0qwk0knAcZs}WBOhx}1- z?Js0RBs1n<4d5aN@N5-w5|+l1B|gwNV%!~uxtn>)dAHDI35V~BJD{%11(cZJ)B07A zvrLKk+EhUK5s1-x`66p6yp(>oYz#Y;d?+Av(l z)CeQfFySE(&3$iKz+)wg%9niA{;rQrJjg@}+fmti13C#yXSi<*M}cJM>ZPkYpD6Es zkKQ*`lunZ;fRq7s*zamNY7PO#NANebg~p;r&aGPo%d(;a=%(nIF4qh6(~>LY(FcR6 z$5b}q3Mo6^29nA=6_g6MSSD<>%f zF0Hp~i<~Su=H{i)GbYX0!M-(6=)ANyPcCwlo}m-6e9ck*HX^qfkMOq1)SHC*2AolH zc6|YJ?dawjA@lBwf#MWRv3$V?Shz~QMPG_FT!fbfYbHEWSk3RaF|Q5Uck5j1saB_< z#^-UAUVtq>obo%dvTv*2g;1_C439o-VQdLn24G=$$eBmT#kkH+R&wl#g=q6htz$KTzn}5cePN)BY2nMV&(@>iOO(p%XC!XnWpVCo$7m6Df3N?u;F-?+*=*O0PUp3TL+bn(W_-sjG^zHgkh(Ke*@0&0i)>ZMQFC z+Kv}#c5mtGkR0pnFO$B=*y`tBEt1+kW6>y8{xr)ueCj8cOZb#QY46Ks1(KZr4EHhx zhfKTziE$9-iNX)kg`_E#aBc6}@hErLbGipfm`>)HPf9kK5XQ16bPvLa<|_Pc!3jUsZrYdc~G6TMCsq>JJf{Vqq`RwKEnZ-RCx$FWr-aiQv-zMCc- zGrx_}YxFpJw;g1o_T=4uj^qh83z}PoH*{v_^fr-9YRL)xP`CqM0QYH2QE?zI}WWwhu_QS~ju+Xn6>gddsgTX)%( z$u62WbFoW3PQ@yBrOZdpd1^daYF(mni>;p?8 z&p{{y!A`KKIBz#oK^U?j%b5P1GRx?CcDEyPz1Lb4U2*)QiP+Kb$x)+nJx zR64Rw+xay@F|%*a)ncPKkds#j3;uURela8K6R@wmHLQVtlCe1`A1BV6MV*jLy;r_O z`AaJ3>5+i;56{pYUlCeHB-!Pt6v=G@XPvJbHT0uZ7}cV2kIWa5f2>VK4hR- zzpdM{rgCiu3z+LfwsCS4o}GL${H+`_EPGwxWSH}x*QR2cA3j~I z=`Zbi9KLb6FSOlmN=26guLXz?xHNaTHfH?|e6NZ#`htDeZ|5K{B{3%}x4 zCZ@L8FVyda8zwxwRIVPKMcf|YrfVw@nO-SGxLqor{ zdb-?LF85b*iB#0twi?LLdG7pc+=3>??w*mn0)oF9&VskC4FySVPOl6X#O4T$pDk{i z1N9ctU;)NlvLV-m7zVhWgk{JWaJ~48#A0ny>t{8n>LW~4j=t67iQa_!ds6MkO&wHW z5;d8=LB{TU=T4832w#D)b(Hh3t^8Q&xeo*<2rlxXH=20$@u+@*)k}qT+XT-7qcC&n zc8thPlO;)jJTcu6E8h?P+C~`sY!wmPI(f>j3e~*DC)Q@~axBCs6afKP4s+6&JyP>84{U!kW{XCsV^t>KkZA3Ebidm;Ma6T z-7-XJV!K9t2K@N_$PbTK?7kV_z{AvcjrZr>qz~bxOk~#F!$&2X5Yzf`A)IrBbzRse zEP9g`;}iJUJp3eNS;**zP}myH0(T5l__yPlD_%HIq}a#z%2y#G$p-BZ>8I0W;&KH= zKNw?37v#l?^m2rq^>Soi5TdwDx}_p zP%@cSoMx{!N%%-rHe4BDtnd*!5D&aRBX{3aog;|$nIXGWh#>Gi6Sw!~r*R#ro&3~O z1P9q*9R_v1JHL^~WG%VRrOHVU?I2MUAg9~mLIO2%~;%|k^eELpQFm|ZcXCYoQJjDrP=VEk|X)Vxi9 zn9(naBHt5~YeUdHrLko0mU(E~EFARm=Cp}wGy4HpF4hRqM2;u2qTU@qG}H3Ddq`T5g>d5VJ-HoDw352V1K2=%|c7nS;w1i7Q% za<%EI2dwz5*fXXim|jHiGV}b^VGG1UBH0$z$TdBBIiJ&xb_}Pe1tZ+Vg4Cr0s!ON` z=)U4&Y6ZMZi#D;M;)gveqs2yPwuJ)52lS5d$L(rXq&ZV=XPaKcb>)A((s%^pLZWT` z!b<{E&2Jom7Fn}FYm0c_oK?Y4+$@$|p>RuPAR!R1rD?ltzp)3zYZ-9xxu_V7<1zN5 zvsu+3!V?2$VbR3gas{QkadgabGj4J}sBD^YZ9*$pQ}*u=yv1snYWK&yMST_$fUm`p zdKTBNQo+G4`YsFE(^YJj3Jpr6hAoro7?m}9Y8AZ*fcC~;Y#`mQMSoilxpR+~38wAO5;AOG)0g;sJMxgdn^Gk@uzFuSj(UV%sCUWI zH$Q3W=cX#c%7oG)A-91|)emLoXYk~VK0C@-O@~A&K!l|50T9d?x(G@^)^+cQ zPb^nGRgnN&-EBvh9k80IhyG)DDvFk9Fi_}fRAk#EknDR=gT0P{aQYB3_`W|JXWM$is00>p)T7T{hLBEq-1l; z5p|0t;8~B`oSuye@g08FC@K^^7_78uwoM6JZi?$mFEO(x(Y=l6zF`wiq(VoRqVqMI zC151WbXd-&zBJBirBJ74lCuuFhlMWxYbk~aoTdMOIZCgvu71@U+;Qh|(f{G>EugC0 z*0z5^KmqAc8jF#c%y9H5Fq#Nm2bW3+Fx;ed^_AD&gb*y{GTOCd@{(3KA;IxKa z)eV%!TRnQWT+I96UHxtrix9^3z|j&_7!x9Ej^8N&hFZslVu-%p^1Zh+{o3jWPgc_! z=N7tv(NB|KcW%rf4!}Da;*4IRk{}bx-~Xz z&$g?`Lna|GvCFYqkz|tkdpfNIn@|VMIyp2l!3F6|o+Kt;Z49Ur0AGGYj0XJ;8@1^< zDJG@e{AFaC6if}dG7b{xsl}kRsr)+IKY1h7erDuyFy6?+!2in|d7OJKOY=H7+5Y%R z?yvR*K<{|W%7Vf%sllHhA46>W^*c49(y;=%QHq5rkp+!h8nLtVs=dY(2{q2^X&@dL zPv+4(cp&{hh$E~`qqdW$z%o~JJ(h*2T}+;ESrYS(PL~O)j~7{Q5UZkE-maaN`#PDP zNqIj+QFB+Z70M#JC>b6Ji%v=i=X#yOhg#Uy`j6UDEPb?{-ttHFH1kYR=9PV0v=zBO z{+NO$Eqzrks|5tH7~;nC-2Afgxc9P9b!wkkP|8scV9`__b?;GXQ%&VdP0SBx!AJqr zcY3H-1>n9Ox_Ey(!1jo`&_HwE$xVW8!fc5DKp@Cxm%kWq;Zl38XRQU;&vMmZijw2U znjMz@JPh7*jt|ncWC-}W(gYeH>>yW zG}XB=RU_f9p1m&8DAua2xmGVtLf^dteWrZC;uv^z99iZ2sew!YB&7#HIul_HZgck6pwRvqg}> z8gqm^9JkI>?OlEw6#133$TjlpCmYSktYApE0p{A6NB=~OG{r#Z zecp^M)Xo^97QNOaa@qS2#z+`~J!psYXQ=yJ+6r4;D*?p`quah^QE@Ih@SQWjVi6cy zPOHFC0_Ai2TZeG^^yKVTEquq|8g>0i4HWgHD9v{bXOMskR9GB#BBgH%wX2r^l~5Tk z2q-@>X+S?DE~pl3$TSQRsZ-LzRhV0Sxf~qnR@BueSOx0Z&7${_$Wb>u8VgPG#>_dER-;9q)B_mwo zEnMHAi5w?HlBRX;kI<32I2JK}_*f9mv7gnYn^8(VNK) z)V(ny&IkqZ>AP0M2yNJ#W0W{vNHz~2aT$sx7h0g*AMP1B-e~~PlFQ&r-^;Mr$mRc% znkfFznBI?$=hahAq-bd;X@d@Y&8MIioE3;TXt~oB;V1O50|?AKfb2{aVEQ=ngqG*y zF^#Fy@)-JizBM&S2k*$LylnD_FG^w_Lk+1^4or>&fn?wNf@k4o%=g&nnftALlKqh6 zhx-=HTDIC0^)f^j1p%*EtJTdr2A7QSRH_>t?pI+G3V|EWWD+?|vA!2=Ubq|ifw6|G zd-3`U`U879zo$I&l@QPN8C27F03HyLR(duDV5pgZT5cI02~=5XU_w~FLs{Lc0j_m6 z`D@~EHTyy;#Ay)gMYdJtclhe*Yt3@@;>?#Nmz3Xm8&s!Z+<|243Mss^n0{5N2+a5b z8=~qiZCH!n>{izQau1ZqYB2sf;tz1#m;c!&lBER{J+M(hCc403tGelCF_it7a?l&d zY<5BzO3KoZ?NZ+W!$PU}$mV-90xvg&l^5pzvAb|;7Q| zxFl>WwVkW4pWb`Xm8qJC(=RFMr?BbZJ4%8BodCz`NW^vnm}#h|0wY!P^sivkE|4~- zVIWCtAGpEu!onebIKFO4O~VAQ(rwFrVM}AHj|-cY>kgK;t2+oYQdu=N0{2iX9fVG3 zvqS1QtAtYl<|!rv+2r99jqxTrg~g2Kf`lL`Ci{Ca46+*zB6T^GK0e+b z30WR{|4C(j{fx0zyS_k$w#9+_7s`f?Z6mH|R6wl3I~`kMX5Ge_ zxohMB8rwSDTwthYFW8h;`_5WGmz#2B?7d{F;aac3#M?KxFADz{aHgiXY5cnYLpMW7eN|3FgH6+Ah6-?t804T(~PtIsX=NBVDp39g`wi?n+huphK_0Qx^IP8;I;)DCw8n6bhO zpFW1wGSh_NGDo``Dv;?V*15qWU!ehA8hpW5P-B z9~L+X`+gRf#4~Tr!2mtY?$bfh@77uB+tROWK67A1WMy*|Df$k)ya{htVae2hvp?NP z_Tb4~cGkUIO3}ZkiGdlea-483A#2V^)P$&l25u}13DM!(rn5N07amnKVc*AO4W^EP zzCaO&T2`K=`DbQ;OBf{8Dq05Rrn4A_yKyz)1J_9?gR)Ut^kn&;gb-3i{#V3s66;jM zr~`U`p@Xd2rt~>vLGSffP434-GKwvL0gXz9=znE|@B?S|iMS{#c2)7^J}8n-F`DiG ze-sG;1A;*3N#1!6j(9vV$p?C97`gFWZRcmGLzG&RwOvE^MfMh0n8; z(!5jqDUK3OAV-2cL^`!MCl>@la9A!7u3%h<114YRS6F*Q0XX?|l*eS(v}H{YwJkF1 z#5y)Wstj(LT1KKq#HHyirf7hw=|hUA#RK)-Wt!SqQ!?pnr3woeZBWN+qa}pOgJ9Dh z(ia{-7c+0O5YR*WX-!ulo9N~rgIFtlF`B@zABBuI@dp=|apo1+5yGv-lNL4}5IWdk zsv)=C%cm~R$~CrTM80(OF>wf}821`*ID|-luYIDF`xo!yO|yIKpaRN^ zt^zdZMVjLf?;=b;AP>}JieSPM;Q@wYu@lt(*JW^yvnKHcu=wvc=O1(J6QO~Lr*-Yj z8>+cUJQgFbwG7UEP%n&@%FXkAqEDVeZsMXOHI3EyThfb^>wU98Ud|()En@ z%Vgw-!hj!Du=D8u1%Bj%IXEAStm)KuAVxT=3Oolg7EmDX+JtMOc~jr3@AMO$gJxCy z7|RJ|7vk%5(`MM+1((z-V=PaOOfI=(_!yk#lv%aV9;^ubd_7&H#xhRy{7rPjb?Yk> zPbB&i8Q~Or+Pwu$YOH{-z|L@+C!DHD@`+~+aE6WP+X)k z>w9*h14qeIl7U;&cy}&V!*4|^^x0Yu9@h5`y6A1goQM@Dl0a%Sr(qC#Xbof}s^w!b zd3YLul1Yx;*91LMB7?xZ&pl+p6)h2QKi_Ta9}Dc+lo@&cisk^hH2{38d^20~Dx*MD zIQ$FNV-ghVa?5uAhV>wm7eO^mh@LZA)2;;z5d~vIz>0-q@HrHg)&NT-*#TqS3j~!> zAM^8Q^hWIx-RXR(GlIvJnh$pu>MK9sXt6_p=YzfgC=B*|2(2wQ?vbfKWC2TtC`iD2123j`0qJ$gCh637*dw z`FoiTr;$7iC6W)xeY1}Ch+15DGsC_9JB*Ibh zJ;R{rUsMLmd{5Qs*~weOcJi{fUqJv~--&2)#Q)%QjOV@%buRs%pbp{t-Dh>op}Y-> zy8`JV1s9f7z|M9-d4~b0{aczy(_4vVX;P4Upu$miXVR$XJdR%llnw?Ax(q6=5Ku}h zKjCz|{VwNw%xNI%So8hRKqVpi#3$v|V~C@QqUB3}>aU^!EhF2fK*p#!+vf#& zwc-xO$1gwp2jCNiHh7?0&77ZGes5}rjscN%o*-`msjFe6})J?A= zLpHfe&-M_%fmf&RYy3bawzFK}aLoL<;czfDn-VQ4(Fttg`69a1NB4uP1@XyR<#l{} z^~h#SrzC+xsz0wS2x&n~hFRM+EVSDLRpEnaKAydQrp59QUZ&zrmt~o(=g^QxD$T*< zb5Tp?=GZ-slB*aZe5wzce}Xrn)rjGe^RF?3?K9*_4uGD6fyjMHBT8k}|I;>T(OFJX zOLsi4B1|s%NQ2QenJ*RRKGlM~i;jb`_9! zFu2B(-|8>@5a?xK+b(A{&_}3-K0U-#<0t35?qX{*!^?Q#U~~?^SS*?uvbKTk6Kcx; z1E+y3R3MV8jFtpSf$9)g&Ahj3k*aQ%2Gp*+BNXQA9~{6s?MkkhbRUC~6+Zj$6V?Wa zDCU6EAJQGZU5F8qJK!p^!LS-HK1tyrzFH9v<6%&R(0+Z-noh?fI1I2F0ZEdf%)Ryj zxc7jL)J%LizL%3Qe~fVaift^=kV zs@_=w4y32!hWE8lzQaQPe5y{!=6DRSXPiI~4o_2gM6~+bmw1#xs<6Xf{<{BPm>MCz zzv}_FW1m%LRYJi1;S(+V!mXcX~R;U@}Y zvk)*TQe}E-90V8}BKJuV9?Lk#uA{fnea}Xc7iz|~Ql>N4j))U%A+f&;{mx;30;zFw zn~EZP3~&V5bA{g_a#M~E5FWh_j$B{w@x&Ak?A{e+w%M;Jag)T{fQ4J;Z+{JOMDG16 z81gdfNF-n)>|K3rwVR|F!E7yBRL!+(7$PlLezxHYi#bHNu>Vn8VVf|5uoF2IeF z@g+x{hD$&{`sh88EiH(H>4GEr!tBp$9D=rO$O94pPuo#hz>FQ0I)D97W`?~3#}PRG z(dOIt#%`7OkQQZ^8GtKfh-@Glx&&-t+4{MR$d$1rS1R<6;I(1>V3lj&s3=`@-y&gv zUI*`L|Tq0^t>JF$A`N!Ki=MW!j>vw%&Qfvr`U4A^g z+7;U5iR#{X*p6C4nHXGcGe1R-bFmL@I*XvLvsZweG4)S!#!1&7x3 zo3O#gMbYhJBVpU^pm@YtULDSVJf+9P5IP-$xozQ1Qm9M63LI%FM%NQ*k!F0&?p zdeX)*cDT~v{r2148et#CCy$H$Vr|Vvm`$ACOThXosM;mJ9E|?0+5HbYfHHx9EQ8w4 ziw^5l{J>s|NB-$PM``0kwY!jcmOqfGRL-l$-wbT6#252e zJ9;?M>g7@AIwFeJ>A@vX~;KtlLiiUHwuq1z*j-4wX{NVo!d2?(0oJ^f2tp}wbW zhTlNI%qCP0RciB80&o?l3G=&BMTs{1SUMcsIyhrPqHdOUPn}YB6+%L z_y#rDJ?|aX@qJ$=fkYumR2Oj*GQzE|o4u|e&*$=JfNTJ0_#T)ET1@DmR&LHCm4Jg- zML*L06OU(2-$$mQZcJ|05?hhu`JRG~JtCjIyN3mTut8b203fj{;mQlP1qew^UR$kv zOu?@~o=`(Q_gq8iW(CPEkDCEDZ1F|t5vt8t^7NMsDz`AK| z?0!DgZe9;&_^rvM(6g}HSFL>r{u<{5(EFyTqr=fon<++d?~Iswqtq4jH^2H;3(LRp zJvBI!)P4}((Zsy_P-tHdB3Vsm`L_57$UfJ#jgqHqcl)`cSsibX&^4DwlJ5_4F?BOT zxK4w${ap-iLmf)ETJRT+x>*HW&0mMr&z~iYIb--4OlZ>C>~9h(q84}<{Q%wHrt-%& z-E|RM(fIjjcBAkS3hE9PB?>x-YqQGd3fgi^&v(AbZ9aMD6LRL7Ak#1$7@O==hkvg! zAtN$=_fVUecQ=xysreln_8OYc^X^}85Z^(c_k2=$Th=O1zwl_^RnhA@}IUjXQF; zjP!6g`c7)d(|%Wp_S?u8vHNFT0s*c%%K`S{zKsO0-dXLnXwfMnt^MAGR6%u5X<;@l zU#26MD6nLG;OP0SA|mV7VDjT4fyN1RN6d*2Neo71RLyV-GHlg=^wp@G^Rbo{wi$_x_BxRvd;e9ehHGm$5qWey)CsfDk?UFtL3a z^6ELiM$G|+R@T+thA-Q2F=h;gqs2vHnL{+XoY*}avYak&?z7UYOFcR`*|I^)ePNBC zABL@K-Mv7eO(CVgjJEHCcqpPj@!Wjso3r*X2zdBV9&?FtkhT3EqS62Ov@qJQMmMJE zG81N%0tMv~$9;%i|L(<)Bb|aXoj-6C%8wFGLiH*XHOGyuIf7a9^0@NxqP@*E6J)0} zNm7nHI(j$;_rt;-T7#@{Gf|zlPU6`iWI5H(X^X=tVL%G>e*;pGnr1RFro&W9-v?L9 z%o&Jt`#sNgOoHkKwp%o{qQ;UGbVd<70FnaLR9h52VJ~_UO{TY--vo?7k7Qrn{&?%l zKo<&zp>a;6ZkGP{-xAZ)-S<|^+0nK19y|f5X<#+7mc;L=bJcO&B?Gxrj3F#vA2q=h zpHh1pI_B!ZC1Cmj2tsI5yng=)z&J4uR2gCKqP3uv_!ghZScu@LDesm2d6i*9u**`+ z4C%8((X+x$w=f<}Ordgm%fXzXBN_aR>MqaRmJV5!fm4lN<+d1F4QsdjU~NZLEdT~K zX{!c?1a#!Gl8&TG<#;Mrf$2KpG%5Ye27uBiF=t@h<)SZnho4fj^QnsFqhPdCY6bKy zAbTrZ-Ou!s`cdah>+DU!bC>S~o@NlyTRuiOm^#V3lb@BcqTp}gZ~$!cdlxKqEmbwY z@(ZU_w85Y;7Qd6lQoD^Gz8Lvy$@4O{zbyzsWhgI)P!ZqExouH7FP+Sy3Udcw?Fe>C zBy)@BU!Co4y}^8@oXn;K)Lsg6FDq$Y6>yay428_~2HnHejWJr|1RD?&3cT%HScxV8 zdKDXwy_FD6fWH*Qq>31)E|>sK^n$V#r9#*-IEGuHup@Er0B1p=U0nefZ@OsermgbSWZ_ zdXY+g392!f$b0N4KiJ7vNQoPBqo z9K)xZn$uV4XLOwi78TnZ$BU6lEE7y6p*tN?@j-kmd`36H)r{Sw(+l+Td$r<22kH;R z9`acZ+5;N`j0{}_o3#(;QrtZtw)6W6&K#oC{1u8na271&{55*B?-TQlNDv&&SPDxh~Y2w$1Ne|>y){$m%k zQ`;!^Jp-?$T8JqJzd?ONnQG+cP+ny(lM9}Ef~Kl6$N?Wzy1#46py-wZwKd+-U<%%7@)w zz=-2Mjhl2{v)~|uSe$K7g5d87&OdVKB5Zmc&yKx;+5=`J+du09ZDm~%R`v*qFJAAT zJ{TE#XN6+p47|1H+@W^qnRl*xGvzz`g?#*R5`GGq`xQ(L3QfH@ z+Lu3i1gtvPn6d%OZxgz+L)2yz;A~W9h^$x_h09O_#DBKJo#=yUvGmvUI2OHq-58xTUe|ci=Qj?@;kQA5x-S9XIvq32AG`g zlu}#0f~VBS2BZhh@uLJ7o&oC*&;!+jKR^#?WLlh!MQ!-MpM=0HiGTSu!QtN>(*oHV z7^wO4G{s2?529$401vS&NxQ-Ve$x=xp~hk;g7L;Al5cWuQyxeV{A@2 z1j=cZZ~~6p6h=2@WJ+njn->Zx(BFDh{wzDBsYj~TIov7!`Qr+AJrthb$d-!6<YBEXvHXu znsilLP8LE=+}V*SUxSxokqM3b?Zx|Ja3TF{#A%~Hmh-hHA%B|qKl&$l&sc#)eG;hs zM~;E<%aIGv;6~ge{(5o#zkD1cnPCAEP6r13&Hi=amGR&n>NNupRC%>t<}s62jq-CA zrdmKY$cyDVp@Lnx$W}0a&(9d-L5tt~nIPevXm*36?^}9j1;zi}H2aSmX95W>iM%v? zw^Q@8pLhoFV#cKhOyHw?yvh*4{IqtDun8EGJv7;VT^y8x%qBJ5VBqpBBH%E^bw@mBL6>c zp1(XXfBORe`fr3uu+6oDZ49ITqXho{@hQ0qe7J?bfJ!qo<-gxy|NGa?Ku6}Z1!G(i z?$Fm1zjVwguCGamt6ceL+VJ3`Fg9o7t z{e#rQ^B-J>??ZlHz|U8J^UAYn6gVTfY!~W!T_8Z!juMdMMEQvu4$1=>+)V0FfGW-A zbKTcwO-;-Iq8LlC-dtvY6_eJBRy>{=&Ot7o#j%tb_Ub1mHK(YG= zk`<)<{Xy~W9Ug;fKA8N84yFq&{gO9?b?$-B?F(45RCH>S!+$rK^Jhe!h(&@jww3<} zi^P8n`5GvArus&dCF8-{D3{JA^XDAz?&iR^7=c>$plI` z`ZB${1GVO~K0{$kzs1GH4oxc|w=w+v2k2GZiQwOH8548Oxzgf2qs;u5ioehIgj&oBbm805Npu*cJGf)rc-a zrXFa%T?8Q!uwBKor7xOBtxAwF1!0V`%zQKx_OqmOS*a#<#isH=Df`*1L2YfaHSlN^ zC%;+{r^Q4z5%=Fo4WA2rzO8eB+r-K%PwL!>`3DU3w;h>~2b)DXp%|A?%8Mg_BdcjR z$CB@zH{N7~%11GBK!JZlV)+zp32UNVB}AUFQt4jj7b9acbRJ2Z<;WaHOzpmnk&p3$lBm~u%CmR z0{t%n+W-VwKMhPQoWEUfh0n0-K!k7a+vd-Hoxm9PQ4vq?asonzv^vq}DX@9u=Q0{nz2mpRCiPz2dDHSNo@2Eil~ z-~eb5BxZNgN0VOF{$Glv50V)>ocds`QXWj#*&C2oa3XH3;0!R(!5Qa*w|%79czVn7PV~g`7A|dNm}W+n-tPfE|Fgufn+98m^HB zw~;v*NhTyn3p+E}CJWw!f^0G)(^O~G%2s&P1ZEx0lF;xbW%q%I-JgIgfN=ACt_~f1 zyC!$gNErmsYTM0pU!QT1Uy(}XDDZZcLrq(_+hw~0<+;t@QzDLRKRL zNlqNAtWLQ&204`uW#4TPp7yv0W^U!X_ii&}rOwNaR%8iv3f#M4y}H*(WF9a7eouTb zHpEnW!fOp&XHF0pVS2cTU_^5j-$%Dhprh3yuo0uwcmTg#cn#clk;??^#vf)uWcRc0 zvVRWN|L*r!)FVzm$Qfm|L1gMCSRB|ufQDj5Law;3`IjIlsCTVEG(vPkMSKYZvk!=F zO8}8DnO}c_b~+~@aOiUF&p!t+fk7DTvp-TcQ^Oxb3Aix+)q$A8^M4;Clg9?i7>5_!!}S&nSyx{N!?9Arj4d>10O)y z6wThA*R~{r@yU~_M3Hw$;`q98K+s$X#NJ6TBUUacqTfnKa5CtBvDM|OPgLA5c~(MK z(gmO)h6l&CVozPcV5D##hRhuVlbA^1qbu+Yo%btQan^;lQXJtW43Z990YHQu1m>hx zqDnKmv}P(QdiHo%10ULKaHs9sS8#77Zi2%#7XZ6!ulwj&|%@P9yo1rd9%l$zRl zor=GZwsLTNHu#GW0pP*Kj)B_V{2Z89ECp=VV5UT{O1|aNnh93MNvb*mQo#hE#}$%a z^ag;pXBW8OPR?u@7+WG2>dpbphM5K5yBiTQNRJ9_L22D;$R?No_Hs&OK_jq3h%3b; z+@U8KUgM>DEoHqs2SugLn%}ySHU*?k@Sp>qukOmqGUuUS2{3{|zBBk}w_%Zu{_KP? zXs{pK5#-7RWh(oQ${C_hwD{hkm&&snv>*LTqygYu2=Dh-PZj`@;*F#=BDA_OL9?27X&#EsAi}vRC_~nkn&JBwSlxG^j#=EJu#MGXih1g({y@;F(6wYDY7r}p zkgH!`H`Ei4jCT&snQOQ?J@t4qR8s;d=I5k|~lw%W-+D&%jl@U5I{O3vo zm>aLQo+yk+zmUL1Of{+~!^%mUaj1Tz(Le6~5{{$B%QKkqxtej*v*_yzH&yp#{|9>= zO0@^|Tcmk=KonL?5ob#ebHqoNY+$TqE+=bBViCNgtAc<3g;=U3Gha0-=#w(rON|aX zxfovhO#Suj%N;DlnGjmH>^L%0Oc@hA1&AyY4@4$LpCPjjn{@xi8w_<*k6#izHAgka zG2pdtd93U9r54J{wqK_?CT{SQk@-js|B^n_D~X;{(>S6pxpe*^8M0 zYsWD+V4&`7Eb}#@?pzXNh7a6p#rb}nnI_XG$=SQ)(g}Fw z#JU$6n=ecsGkK;t=0qGv+&jSeJolQ%A!=#8@g(9M>0rjVniiue%oL=Ztmg3P?ff+HqrJp>Z$1^RBVyx)eVBsTKyCSrL7{J73 zNrlpuGPLHW+oS$e)s#h6ESe>@ZQ?}n^x#9d~C z+Liv|9H;5kP#z}&_f9q%|Dvhv@?o`MSo=@UVSJ302O7-}>AeLfA-O7#+1|c5E=il0 z-E~Iu^@F%{{QFO#HtY8ro;yW3scZE(;x9z=aDXL5!7(SZ9*=j)FIGZ8%oO>F(HaED zjJH|m*jx_Jo>WU;N{|i+tEnw`E`Bd@aC_))<<2It(xs&EkVg6*(rm@`oWd8@?29iFTiiD5oRf&hhr*EHm&ww}WEiC-k@q13Z zYG@OvC!nB}pc39=WBz!MHc!I_n;mvOkBVd)NjFOKyS&%^3COUy?PkM%@me%i3=>>X zUh(q_gF67Hzq5`Zu3!*Gg)(C^?BnUJJROta|4u@s*qxAiA%I~NaPZY=j~JYM&&D#| zw#^Vcw!4WIt(<$*?ZvO3(yood+S$Z&^%klE zyoTesM*t3~mu(AWTfQPPO7yyK*4b{sO7@QZd3S{>hPxdg#`J{SRwjsLw&*$ZQN0Eg zZon;pHEc6){Z_nRy7nB8OH!O4d!RkavWwq8tIipu2qge$1kYy-KbS6 z?JxpDr}z-{m*K=)j>*&^vQb_J0WJ*T$1A!EYTOG1p~q#)Nt5>C0XZ zv7>Bf5c^I?HQGsFOJ>+cOd@XIxHr!g#g8|nC0j2G#u(bc^Yp~t^+81Sdx4=Zw6o4y zqZb@k`G;Ru9@|F$aLLxm4PjS7kW;9Tq`!Lh6l1Zu;$*+$rTd5hYBP}C9INQO{sjc4 z6g|C$HqO4YM0JZUzgoFBAHtYu5ZdjAmm*AdmqhV>TNRoyOALn2%nrRkL4#*c#u(BT z<)wjr3^v%w=;;}q(*&JO0T#JMlNy3BqOaecMcgVdQh6q~f=5Udi|ST?acgiS@a2p2 zQfEPwsA`72Poe6)kttYLh%b=Vewrde`NiBj^vYkR(4s&2(E_?_KE#ak+>u z(xz4e1Y(3(_A?nb%lsRRJol!z0_<;rkOuMrJ9`oDj>nFVg(^DaH%G?&jt z`=Dr`?tG>uxL3$nGh-OlXl_O_h{&4;*Zzy<8n2X41%IaXgm;s0#i!BnbEL#GqarWs zZQ`DXzwMC<^TE~a%M8aFp_l6`d#?~R|2%7AyilQ=`bmGx)%;e?P?I#2L7YKf^pbJi zUyl}whj*;4eMHCj6E}a)(H|ZY_jK}qep-w31yj+qRrI}}WI5+& z+5lC<&eacc1-L;!aaq57ig8MVwf{P_8H3z6{2j8ISfg`ZWa^ePZpM(++GWL}$TzG1 zIPDL3N&92Y265hyiH^HvF)EM!8xW;`?+vhel#`I1u^W7C-(O(AvCZDOs-`_PbDC*9 z9fE0y*c&CHJ;M*}Tb^=FEi_ z^6mVF62GtTSO22lagBPW)4G3VsGOAI0FrnbkWvZLsIAGLk8UMS2!-Tu(+EX?L!(;J zh6#W{G-Ii$ks7%Y7`Y^#Gzz%K&zgFnB-F*z$R=RAUKV`^8iu5T>~I0xaq!1d{T~5O zI%J{9Ub;x!2y@pmg3ukdh2N)fi{e6Um%xJvpXw#5W z&hcuhBXa#dM!I%5qWYfwoB`2+G;%XMyMkJbyutCGTVQRozyC#m>=fs9>{HWd2a0C? z*kYjRg=ymL##Slp&=}+1uDaAZe`PFrek{kk5%Z=|<=I>pyY_4e$fy3e8sd;n0A$J0 zl7PSEHuZ49>1rYJ`x=OUgG8f*hdL|vgg>UA2gGumT?BsqR=g~A)5>V!n(+`Q_^wq)8ZLi z0ZGqnc2w!OBR#XWHBlE}TrSN=dEsr+kFM6{k^uhmk9_2B)4?C-zSYs12R8&Pv75Nk zGt-Tklhpt+?DNmMV99%Y76MmCT07DMJ(%l~ZK6pxs82Bari^qC z1aiq9>93vGGEWq6?axD3GjLcKGJA?#5*vQ~TpzpvJG)(>NP4QIc{ec^MtukS9H`Q$ z__e7+w*oO04nxgis<<7&NP(zop7n!@-GSrlx|R=1?8YpXCCUgG4N!_LB7i}T6fg_z zQf}}t(}D<4M=-qE}g4;#SwWB8(OZ)*l{tJKCt@-oM z53xTvFC62J``nzVJyT^Q5$W`f!AaMCrdh76T|rbHIC1=3*L?#|Qli{;t8Pnf$5($kWj9F&C-hXu1cUbkDRqlW07PciqP}FmYSO>2tgV{*C=f>D{IyPAtJp;Op zJd<8CBhq$5L+}(P{Sk=v{N@|qz%$pqNTN_RI^{PI^9>7<{VL1*34V$}o5X^k8ddkX z6iupfcrX$0{)*KRT<_P++eVlWo0%bFr7Mb%PFkAqowjHmO{+zE3mLVLE_wA-DQOZI z)sX&b%_G@#AGGBt`<%j!UZbRC^-|TF?5ck(F2;K;@Sv`7+>2~V*c}2O=BA+2$jJaH z3m7GPy3Qn~yRk7yvN5X~Xt08LG6=k!GZ3IHYV)c}i@Z0GmbKZ%!PDsnUv_XKqT1v(tMte@Tyw*R(8{7$04e*ny+(0NJc+?^;yR zuM$x!-m9_=^X)QjiJ80ECxBL7QC=34?p1%G=_b-|w|u{N;m38Z#b$6&Eluf6UGku@ z8C)gVD2Ivlaw624G8A6xnX(<^J3vZiD~ot96bNDj$04BY<{$e~-C!i-&E$QVxsfRv zc_!m-y<)hY)-h40t-$l>&9o9#-sAo|a9-gPw?Gs%%flPJ^a?B9n|%GFyZ)<~jk)Wr z#|rkW_tdLhm6rhx?VN~EyC{{9J1?ubAg1aYPdH4&p5aiOIgIuTMg=&&p;dD6EB2QM8Qh9fF|Ly2*a3h zxm&EFahVnibQlC}X`pjd4)GO5ms-nczS%&0>9r=cXyno`bdvPV6lmF-;Y-{+@e2;b zmNc$`tIgpv8~z<|7UT#i=?n0KX~Q4@&TsTO4suODxqd3lmhXD7XbN&ExIr0XP#DXd zmx2Av-4RGdTELd5lwtM(P9OnQW zZ#Y1tvgL9vHp>j?rrWJKa^bmpEq=f9;MNqxAGSi)z`d}fV;OGLL>6aI?VilRqpM_} z3W>Gf*hQo-b~*<1YyQv;`wipQ)BR4(YgJlKdTFY!##Lw9`}eCEW!W_>?C|>-=JZY zg}Be!w5_M^v^Sn7XU$dGa{IL&*kknBUoy_yZsJKS^1N64wTTqQ)3%L7ZII%89!1qSqk&IN`Spr% zCq+DwX{ZxgZ`@MS-fjb7^o?4Bz}xp*+QX%CaE@S9uF`c;CL1QjN1jfS?`JW-{M#G~ z<7Xo|iUl#7=kg3Bqt#KKQDyhQiyclzWv(Na?>^O-EQ@@8b2>f<`jSwZe>YbXY6!y`JrCmB{O-q~EJ3E6CW;RybAM3&PT8b#-1GAjg=Tn_= zU>_fwD0-rjOC-F@i8?z0(J!_*TyAroM64Y(LF&I1nlo{fYv_hOXof-6uwWyI=EkI& z9*MdZDh`YXXvgvM8`yrOiGHPq+y6r_HgLGzqqOS=Bv2f9wz(oNo_pWxn2O)}Vc zA>)T_swfnb6Q(+}ro=9O_Y0=I?1D`U!-rR|K@4Z1dl}nW7zdyIf7wjOke&QDx+(%{ z&U3y=#!^XYoSEn3F`l)1A3O~v#=ZvhoBl9j-Z7Z1aTCnEI0Ris!5UV<3$h8Jpu-ZE z^Hcler?zSPYY$bEc!?mX%BpGe%W&ez8e1*#KFdU8=7t|5z^u+s*zf`bInQ{X!>}!j z5lO(8KJd{B)o!L9IIxhIDN@6t4PLVB7)HSe7#675F-=@7N@?CROLw=fl5jA|CtA#< zfjye44Q6czY%C)wv(&v{RNjT}c-03A3eLwtl*Ozizb5OVZ$Q86S%WDktzKz1P{**D z*6s?F&e~89H)rU~o6*)D2tK+9YSC0c_&%s=_zjFX9^Ec?EJ=Vns9DiAzw-&h znS+WNWAmrGu4npKbO}GRF0QM3jlc<%<38%GTP|EYIDt<+BH^1Tdgu%?sS#8~dB9xd zLq3U3#2ktZH9W78Xj%mreXMrhZe!lqH$Y26^U`VsC}Hvcd*vgCO!*UR<9+Z*{E=Oxct#f{5hJClBcH)%E@Dczl1~jAqBC9loo3 znEiNjC9YH_pazK%iRwSSD|SisT`WY8~eAffIY&P^^PBGXcQ%NUlNcR z66{5^A_pD5!5)mdRmJhpP4wMFFbOK;1-$Y>fat-dEnK|@9jR|0td}=XNt`2+)RK?b z82FelX2HD0KoTmEo}Su{67grNnPPOi{@zZ%BdBjGcfYrU2;7;*gP+^put*Mqq~N5-}P=IP~VD zUy+Ts@Ifg}b1y|GLVtqT`$r#%Z^1}ja;$=S!l(ep1QvrWp_Mg?5~yKf9^_?56VAQ! ziwLw_UQ<{O#M-qbP|ZvUe9~iK?TYnZt3p*teQdi2W|=Q&G#K;^X&_^>Pg!zk8=$7P zW(sNNeR;*N0^FNSF8k%A-m%cPm zfTHuIH;feZP~&(b zpRays#m;rX2*oH`4IsU!gq9K|mc|Z}+{^;Bvn?R`ld9j;{vYDLGOVhtZC5}&@?CvnS zZJX^@%`+hX3jWnPW=HD}G$~WG5Xx?_#!m-^vk7k`DwC*?x3T#AlbTKaqo4_L?k8V= z^~1BDK<2^l&8wtCIl@1YYb&uminSyZAee)_pG^!w8(`BTnW=5*yV>o&h-Y3z1Wlny z&sR5BlL)4hxbb+s=l@(aOG@#Vzeqk1w)NAZZ@B4#C|I<$T*9ns^-r(qK5p3~K_mi72p2-i6#|`U|CT9M>yj^i__S_K!%}*XPa(TkoXr>J68`b;#`I5u3UFgkaqx zr2kqI0;H&V^QCtTPlN$9=^Bh4ol%}+R5+RSZWO?;=e(X}#_|g1r&h)(r@iB*>d|E8 zCFe;LYSsR9Rz^I#GxeT3NMnZI0H%=Ee&M-&U>Wr=R_zi*Op7H`pstsjTL!*Dl%SS` zh^NcvY*rjGH^9(-+!M^tV?DGG%Js6CckcNiIWLb5`Fu@nlIULF&5SyL&a^@QRVD%Q z0i?7ST_)6R{-{UKm@N}r?q4_T0HRvlGa<7ZeHliTy9jW1sM`tsMGOMQB?9A`fhm6~ zWa3l9I_Q;&B`_a@tgffl555ELvS5^yl;;V-KTEYwu&HHl&LZ{zMXe(Ch?>{12IC>B zx0>b&7p}N4W9b4YrrBs?cl}3zDU?w@9#VmXL|JGy5|wRIa%uiFLuI*8A32z>D|65W z!$8co_IHV9TFGcjsueaub=k;ibWg>R4ly*3>($iQAZc_$=hcN)_ zlOfSnPdu%5LZM@sy2jSl5Nmt=MOF`^QV$MF{w|Y{R)zOB@}-;legv@i9jUL~#AsgtmK)blm}Gz=nIpZtF>cPI#pvCEj1AQHwk%cw}1`K zajdNev>hgQVDMDH=*m@w9|nv1=}>P5Svi5jq>@U(#BUM3+1DCW{or#|^EUhjMnzU&$!Ugxopr2`?K+#yg97hLPmOi!i@N+JP%5$U=Z;Q1 zjza@f2;BuobUyX0o)a|G%~rU*$sTBOa=n=R-A=$9WVGTtJ#9IQzfK;z;<;5~IR4O1 zBoSv$;5ZzF#FkWu^FMd2kDIQ-b6h6wdxSd8=mm1+2V#akz$7`yc@9sz=U&PK$i^g4 zh4DuxK%?CL;n$OgJ-&LoLO9P~lBsXVYNM$buGW$%qrC)c?Y)R5q6&%oPG%n<^)&}+ z@$mMeUB2I57R6&t(WBPlsx1@*wTWHG7VmY$Gfv@=83pOfi4=<|8$K^3W2~di62|X+ zJVk|~T45A2rhma{hpB-T;ui-T3rZdOZ!QSrE5D>Vj!8^<=r!m+$xf!)?*f_)EE*HA z21}qE0^Eu(fGOPA`>ZM`O{W}-LT)6)F8`rG_cOK1gYI?wP+RM>%4IHN(0zV#(%t5} zT39El0<~%`iK5g4`D?pAOxPN}Rr%Dj5W%H0VTnpI)Keise4~|MIu`fyPlVrQUIHrE z`ItFU3CI4Amm->x%EG-h_M;;BB4@!)^}%%Fo$-+NNLg5(+dh@rMX5tl6wwMxsCfRJ z@N6zw-)CI4hYn}!?lAc9x>;zNOtYm-vUOS3$CU%w5KAy2SSIZY={A|N5N!k)`%_br zy}16B(jSaz<59p<%_POze}^lNfr^1d9*cCB#j6H1M2*qG5sTZ6ThuNffN}DU_Mjhh zPdqkUB0ySGJn4X-QjxPZf&Sp~Lez^Vqh$6*i6Os_HN} z#CDj_VWmK;uNNN=!`=K8Og%5Wf!lePp(8{Z0BG^v;?`J(7YwswE3vZapVhYO-wDjF0kIwUcmwAAE2ge8PECx3tZz<&|!i`rSrz z1_=FVL1K_F;xWO=K+sJ;KfYyupuAgfTjl?RumAlgx|L-2Lg;gm=)MZ=N`5~X#4b~T zI|quw;deUGuaR)rDtibLsEXk8_(?*fniF>P_)AV=H+}VmX6gut;>~`)=Axvhph=%I z>a>~~Z_4862wWb-nspNe(!*ii#`W z*ip~~88rvXKH;%|T`)}O2?$dE8d?Dilp2rpho!C6^*4T{60 zbKX>wg_?<7V7#Y^oiyeShJT@IoJQN>X^EBp@Jm@5BSx+mH5ohY42qdL{|{M-TlFy{ zomE&+=h1+b#&m=$A4+1gy`wtbQLTO|Kff7iI#(s{V?!&KuSZNI9AfCR`^)O-8ky9j z_`%k!b{AVw+SLa?spB44o?vRPm@R3W*qCd&ss*l)=GRE?zaU zl<_ZE8@WF6@Kt0eOPyA@t+J>U^SWL2!|SgkFE+A1w*yTMvgVim*D9||4;rBwkE!Rj*r2*`idh%2&AgsA@a?{ZlofAxAXLIH+1Ja2xgN{2GK+L{;GC z`DCw2#nXr_xfZ}Dq6>sm8pgolfq)+k{*SemNDG@L9~`g9YD)%bA;&AJOZUy12wIIx z-uX~Z5+lp?rHilzAO!z#13-9S5E! zFVb?E>Mcu_>Dqi8SIN#F=do)05bs?soVjv}L`+fKRrYr*kzWhKIQ_XxcTy_Prq&Rq zm+eXmo$e~v6YIJM7wvun_*A)oto5Q?HCt*h5G`?9Z%ECCI)*3R!UJxY!q$NgU{%-7 zJZ472@^-|+c5_kBkHtx>Uf3j6#wP?GfX3-_6lTz#GrrdGFYXBDMzqw1=;<(d2OYDq>XHV_M~N#2x`saWxnaf2;-fr((GD+D4)EGuXb_teQgLh*U$MlW2MBUq)o+ zj=`a+sH*q`Oqb1DTMZs#K)Bd=5>4kz4B`UOl@Jrk=GNjo8D;{U-c4iKG!DPuKDUkFwufB)!fC;-8}Uk@ zG_WkKjZb6h-qmORgfF$lGopO9t;o}5c1NvMQ=j-BF{s@9*j;z32)%x$qTVCrtQuQ2 zdNre1xgNA~!O#y{Bnct&^;7CQIXNxA|th?7l}CM!o6+u@1n zgm1d0>MOhevEgXwf6)S9n&);yK6X!)qf&@%7lq-z_`)oEICk+J4nch~Nyom0VYlha zrrD)$E!VGEV0v`&)E2m^I)@Yw&RcI$q-ue+!eG$yEIs=L@&|So&`2RUSn(3V=D3Dv zcN_AG*<&0@E{>x0-r zeS|Z%yIiZM#T8!`XR#~~JIU1@(z+Wh(gLCTkRGd`fb#%z_kD(W4Hz#q;Xg56)d)T^ zj})}q*!cv})Mk*2b-^B>VLX;2VGJ_e*~_V)GxiS>IShVGx z8mFu5A%oZ+>mGZ&y+{5JS>1n_lB2qc#@<8Q+ncS*-v#V6P^P#I0I=Q$0_8)-qvy+Q zfxGCKKvPyembrWbq5ttu4P76^xizA*2ef_0qOp(t_MyHUX&NW~5>Lxf9wCHW&5t@N z5s;pF$yzu}MR+9gM=`SeW>BA(L4UW&=*?Vi9@Uv8SJRS+u3F#9=3n#mYS~+$T*3ba z=g=E?BCHy2UTwXym&J2w6pa-vyv67Ak@#5$sE@j05v;!S_YS7+K3T%L0Ly(K7EYD! z+7@IXL{$<;zNXB%V==NEq@S=0RBpPhPuEw#H%@!{_6P8Q+*kHwZr0ZXTWu2BwN7l{ zVJ{yJpK;whFXo|-Ri2xRKQ+$N9~y}^JxF4$L81~{1VyS_=`XunNY77STokem?`2;YCmpGfY5m~M7b z2WDqZP3Bv~AF_+le;qXCckAkp){500Ok_6j^}6Q?S4Ba3yRynUum(Y2wJUt{5ZDDgMeGgh ztFV6(>py#Z|9mYd zn1Rammq*PJ4PLJK*NPuzYRoL)8B$#}?_2W&%zD3m5j~&Owgt`@pte@^M0kI+M0WT8 zFsjst&o7H#LtYaAa%YJKuT)S((!$kVY1&o(V^YMQ;*l>Y_i&l^MY|FH17y!|yRUm_ zztIzwr%;dx;?0wQ{&ao;kon<)w>MWDfa(c}!NZ4g#Rhmbvc6guL&239oyEEzcn!a>+x12 z!M)V2?RLtFrC52i1EPr^gBYBu$0i>^=)(Hrk=uJiuE3atUaSutC&sn2#zn|&Ai~fR z>ai+N6@vtQhdv%#5VNT(*9>d_g{bO zqmL{HSEbram-c_ZuK)eQGZ3&dme(*`<=rIzmoMBu_WghT`%df(c;gBWHST{pRsQ;h z{Vy*BfxjPd;Q#+cjO3E1jRT(0ddcJbtzyADY*~wD*cK}Y0+k(TPlN7v1PvbieKQQG zHn5A*fv#r&@ObfwfjnTv29wME@K^@|UZ&r7SKlAY>H<=Q9hI(JP@m+8!iV>v2VnNL zK+v)@y*aQJbAZX&msZo@T(a>3w#1ABnKbUCbiVg_Q|)LJBSZIrkzuRb0y)RlZvN-e7oLDUc|a=394RP9+2W=x)>O&M2)@>$$hKaK)UCh5e}f|%vRV!T z^Qqr!$jHeGJc3EU%)hCEEcLfx20j>~84k%cJs8f-yu|<7=>J^rK6uYg0Gr39&~lB7 z@Sm2NAnZQKBQpZ5I0rCqjwkx#srNvR#@1y3keTXwdIRIytDh?Y|3IcZlN97doZ5QH zq%ORlBMp=(CFIhmQh?9>p7{OOCZjPh2VmTR2%c=b`1q_SL4*51%@=2`A(lc4XfFdq zJP${(fuWZAbmn83*0IMp^DlfB@BwUVHABo{a%+|wXF}^S@S%S`6x=HOBshB5^g=H& z>Hb{my=}K${K(yQ#m6^fBTrjf#D*)+5T?W~i1K@422qpdvd<;6=(D@i6+h?WmC%935 z3n3YOEEdnfI;O8a8+;Fn-4rO2(;@Tr`hpcQeQ*650MR&qv)#lX_%PUBOh*;#%3$D! zZU6m01aEMG?Fw+s0U4e{94<)z#sNIB=}G#*G-&(}n*jKm$_oI#5*T1AAlLJL4(sc` z|FN__7@NKx_Dw;&Hve@c{`~9JjHOOB^K)vNo z1%gHHPj-L%9*LI7jsd7b{}<>#Tviw4F>Qfj%vr_}7^|2X4=O`q0v>9{+JJEdGS>i@ zx9o}_JBR1Ef1c(_HZYkHUC}Yx@_3V$6OK?0duzTK1 zjCjJ@1qqvteGu`Ow7@VjBq7D{UJYl>ZWV1e%AIac>)vL7JfDMaZwhehE)D=4Q(jaB zwasjbJ>1=wYU1ni%AXmGH=qR>1WqcOyfo*z41v!;5lC3-1*8TKytNvg(XSK0p!3RA z79L5sKW$~Sjf0SpyOkik;?a5!5M(?aFgr`7t$vfz$$1L6yd)@Zy!Bi#+dzaT)dBAb zM1Sd$eEODXA83wiVH@;%go}HcQ=2V%W`N29?Ze-))wK&mx+B z_dn9t>;obILp7tR<*n7v;yFNW$49fuB(ikzHChjyhYF>D3dLmr0MEu-V0Ow%L$C3~ zj`OU6bM{$4ceYI{4{7MF?nf8?`p+lL8BwR+AdbQq_~lx8;FcYD_ByKgmL^x8)J~m1 z{fd1y=1;Jf`)+eI6YM@&Tw~^JG8sH_*PHy`ZpK25H<|ARzjS z@gI^1pw>_cyJ43BSSFCV48L;$Kh3Qbb=Um$zyoc|bf8(@0+2M5T+0uCf#0xUW8f!d zgR&0Qz&>n%+XRF;oaeyo&n>b-*+5)g4yEwTOAN8^jp=mqJSl#Nr(nw$h)!s%?Yio( zD>O7mOno4<1VyV40JY|2>BJ#K!M(xct4_87$q+2{7^ZIk!I}U`6yg0#%>xA3r?lT& zIZVilB|#R^w;B&y^trSR1uiBOq0?}REO}B{WAMk(;ye+smHK2^QTR#zhjG2Y`(}Q5 z0CXq5>`+YAIUu)`uk;LncZkiRv>^`$bfac_YL7alF8=hcgCK!CMfShk>uU$+A{mjW z9LjpC|MspwWhg$lp&LMeL3+&(@`+nFi+~Fp0K&ZOgSOY-iB}|P3!2uO=fEmCc%xru zrv+x~NS^~dJQ=`r4EEnktH&gT1bi&m!1Z^>kB1Vw^@cYSUO5mj)UUuJa2P{rR*8lq zf#kzLL8;3RfC_}7r@EL$|O4pl>S&y7?R$c^XDu(&dZa+2Ms|C~PA1F&; zmvc4BfCj_?Y{SaqZTvaOBRS}FJ)gbrU_NI@P{Y!Y{|s*k_f{+Z?g5OMp_RKIY!IYB zTHQ7Mqp!h=FbxN?3u%K_eFxN;JH1WzHf*O`41tY8E_RRcT4KQG`s$dJ+UT8&V+%TU zi0;C~IUG~V#XM;8(5{P(k*G^7zwYJjXIdUNE}CmCJRq~83=GFxu_B*BF!)u=|NI3_A2|I9CmN*h_*cBgf9>m z%Kl}TN1LPMr}%-$U-Wc5)MT=di+7!@H0cglw%_$UT5ni+vjgQh`m-flvb8ngjq7L%iLCJcMAC_8Z$EYu}hiZ2$eiABzC{4gQdBLQloHp z8|slu@>Oh_KdFq(KksR?wuD_`sC_8vfme6|+syS4(Vm+R%(q?!r<=?yNMhFzDP~rN zauKPt`boQtM!9Rk$ykEozM~KX*i+p0Wr>O4=_qtY`eWtu%5QxM@{NkwDiWhpR_;iC zXAaYQP~q_otFv#yzWu8(a&7cfJ}=lMW!x$`39AvSKb5D}F9U*~31{$z&_$Dew^DqA zUV|!_%t|CyR?$dwF>6Ih$XmsRfLZ^eVg&W)35|EQn(37~fcp-&l$gevCZSs^6^p;) zlbwYlmx)&&tEx@ny>DB2 zNgi3>LDG;ND3@gaZI<`=vXaVCTI1okngc7X^C*wzUZzg=Q~f3rH%|3F@dfE}PVi5l zlB^@^TTR->$}J4`FpX0$O)u*Yq)6Ht&q|aRT8?7d;4?NU;VARaC$8|_4m(LUg2hFo znV0fMxTV{8rM>8ZJoc$69;s2z;vzVuWDY^E7@&-J{r=6Wz2D!FXwKDYq>l*Rj|1mC zsX?l1Wsnu4yBKgAl(Lr9doU%zh=qEPrs)}i6h60e9o-^~jc)Io_>^Phgw$c!u<37( z6_E43I8?!zY1%Y;Yncyoa+M)q^wfmBFfvC4lbITwSt2B(;{6l9pCrC2iE~Zz1u}N=E z+Uy=^grM5qkFD#27Qbz{$|!X?!(0CB-hM*KQ{e)da(?85bv1Z8mA0oErcGr1%su46 zpOT7~TeC({Xp2{Bx-#~CbFo$5aRUkAMd=JDopLKT(n7Hbdbw^uZAQr$EIe?MN&e*I z@Fg3%@`SDs#n4^^-UGb1Bg=e1z2UC1dzxh=`!&4$N3!7}BA#x{YY?tAsWs8;ep3#B z(=IGztJ65x^ee8WhGO3f9u7~?l!nj|Z3nCXIDPp5ToTNHd8=VX7#|w~Vn|536qx7WmhyK2ZIk4RYDwi(=G7 z9(N*F0kGw%{LGNMcqFE>f7L*~-r`biOZq#B#)w&0Q7v#blgF#Z3_ZCKX6B%mnm_6$ z(!|+FaM5AK;`zVn~Ok61Pk`CZ8cE>PF!(emlHZ zCvOX983_FUL*d->^>`9+eXO>O`3QTswCFxJt3a2}EqC4CR(@-bXI*AX7dvi_ZdXdP zs(^|jV#+FKK4OhyQIfy(OO+G9h%2fc1lbbSulW^;QNL})JqOC|;|;$Xw)(Bo$w6|I z*8gGJKk+5{Po{lhO@-A|Id=GkPwh2jC3J8u0s6S32bKK{Lh04smrY^#ceeBqh&I)< z)lwxBs8_{uoEM0xRC9I2&r%MDZ~=FUALguWncpDZ4i6c^i!f0a@Y};qLA?w$6yq(6 zgqlusa0es#AiZo*hQX?lZZ^{qE_V)^WJ3f72}GUy@$mlJwLb@j01be`Mf)u(M{smg zDEs4dzdNfO%oMNd-9a$-+>8Nuoy;o$vhX&eSn+Mp>Z*&`W*p+C+8M& zB4!Km8fY>J>n*!(Q(tM%=A$L7?HnK6qtp$3Oa0gYYk{SWGLN_;+9nbSRMOVv`an3QKdZKKiTl1KYcZ3RB#WONkYh*oIg4Xn1`AzwY!6q+af zxMF}=j~%FBG^IPdZcEzYMAwBFi>cD-+ycUA;Cx}>Y1TIQY{v6WI1OQ3yj$7sXst69 zP@#3?27=IWZN0&OCEtd^^fEjeovOZo6enV){D67;1@AUw69{!qu`d*ez_j~k;$lV`KJHsFo$s1%ov>SMQAADNnSvip$5Mh1c zz@EO$oClJOJcNFuV#vjJXkLJ&P*fBA?7J#GS|1NcP9i%djD&O0{^s3&^Y8=>VL>5e zbB^ihO^6GE>s2{mCZ2}MvJNo$L5BO2Zy}Y3{5ZoWu4VqsahYrnzx}?u!4d+}(joCV zpnhG~l;YhdAH>+XIbG=b8!P~{_%Uogl_kz?d=<`W)c6_j(`{KlfVC2*@Fi8M?dz2@ zQ9SM@w`lBhTeWx9sP>0rNJoYu5@eUvEqkC#D{1j`C}AKycQz8cAtu?Mv>}HTn-+CroDYsVJ+0|ihX_im+w4z6*iV2d#I1jt z0lR&DgVO82AgZ z$c{iMBlKF$8n70dyUnFm6gk16e4mpgfPJ=dNXv7~FO6qNT)TqmQXsJks>C27^58Ow zK%B3b)AQD(GhIZhpy>%O!S}@1#L52r36(!#GV7PN504HpWU34z6qQGtnq}$yBWEY} ze~$r(-Tw9#YTHpYpJ&Tj#bs=t*9?i-k<1~w^@!kLlIMT&5{hW$Y$o>g_=(-Hwex<> zmpVx7nzEV@CjQ+1;arz~2>n)UMD0cjejt(s{>BPMZI(2Falu_UaD31Zx~*%*u4Pnq z9~5SAS?kI?t?fMFI8q}o#v3MFVL(aNQ`lPO-6D4PO3N)9aVV$2-!PSZ9&(~WXG4`v ze*F<_uiq7lZdSi_HOkdzbvKo#f7^D`YcRUq8q{j!>i&jaTISSJMRAl;uI2xIjZ(;@ zq^qB(swi%&KC@d^zDJtQ6ST{?Fx@X?!BrJ7N1g;sxFWaH1OGc3!w?`p?N@(DW%Y$aKt1`YcTP z*8QzUQ4-xVF;N^u{CRa)Ztw&=P~KfO2*N!?WxAA_r(?8S$E)dp&(`|pLWuI*=s`v5 zW3KKT#K%2(aRf1V!=5OKa^jNQvQ78M;@iH7XDocdHyxWJ-^1I%4HaK4@!xcYMXpvT!I-^18qAA((Y`%!6npz~g zMdjy}LTQe0tycKx$&15!*i1YxL3#%MdkoHNOfa52{};t(b7i+>${Uh-{itCsm2zG% zOo0WL9?yc7e{;3k?>y0E2j(=!hO${80;jkz%%d5cDzL%42y`lRjW5916y26q{A*cM;+3w(W5RA zA)W=?U-2}JigprFqBrGWEL(Tft3i?H3uAL|*3BunE6MNh{`XJ<+>xMp#rkiud!!s7 zPT#Mh7sGabX7u%+m8^Q^V2jeWH0xmO+(z`A-CnCzq!8X!81<))Kl2DG+;b5Q&-B953>}{g$>3rc zsr!Aee-=NMs&#hy=`kibvED#4I33%@k-bJ=bov$mMmGtH;shizc3or1_{Fc#;lf!4 zlkD?vmNnJd4Dtu|AF+=~J{>>IOVmfn-mZr5DJ&7jd?I0Wy@BwDN^g9rHAL+Vv{PJw zV+%2r3=(8frC$!bko+xk$HW4Nk&h__-@(O2V2KD*eWo@77QJM#6;O8ty|Wew>`kkZgDcfZ z=7S|AUP5R8Y#taW*LtX@4gr-eynw^gxThrk*y8;sNj4cuN>P9_KF(*aI5CA%L8;z~ zl|Lj?rbydR$D{5T3v(zA7i@hP(&G$;exwCxvSu( zU%OYjgS>XP3s&Bt0S$4tQFKewP~op+=k$KmNQu?{?cCTZ5t8r7t zKAKeo>yCC~lnXx09YDa~YzYdXN7$?_$V=`U8v9|TdI%{jh`7psGJ_|1-)yb9XEp%` z3tvs5(cnr*FCW*>dcWK&nvxDE9=mEE6ykEN_X%o@hP>ov#CZymZL!E1?iV%cwu)xf{#b2ct}!I+MK{uJZ>8|Tf3Vu?VLaZ!N)?g*F{A!`{z?T1<5DS-)CVBP z^1E}rH?*x>Jg7mjG&ew9f0*i{yfhi&qdqFCfxw{XEOru27Ivvuo=C;88&>aGDj9kR z0H}hem>kxCY5|5`|H>f{9Cn-&_vDmDcT4`ecB0ttBK#!Ji=8czAvX?U*3P!bxqbT??q@OQF;%JUH8hX}cC5tIteV$8Afla_vMIPJzTS z+iAnw{hLTMWkt~bSvW7)iB+|s&=TB^zOC|!V?N4FGx*mUIYNyG5ee_)N5z604YvKX zLWi%_DglA8_sOv5o{`7AMhBpVtd9Ucw_@;YLB-6|KH#PF9Bb0j=S%6leJDO46fDr6 zEvV-L)QfBDaErtHr)$8}Fec*EfKge%)n@XZh>yc9?0CIFO-tJ7tSh19)L1XCYEKFojUqNTR+wm+L5-wd&> ze%*1XeEdd-Uj4}< zgHr(CPbm!JfY`85x1G#DqEj$v+(%lHt+_!Buamw0`xKnfE~b?uNym7s=MU8*S_HF0 ze&hBXlg4-;z%8Y$RYLDm?n~kUZ%X*<8R>ATXJ`|}E{hQ4N-{#Y%>B{LcKQ(0QwyMx=D#R^SCELi5ShjL% zo$yZ|F*p%2eW!odeH{tD{+%ye2fTD!;#tbcA%@hgatt=3w zsqKuA31poFwiLC`;=p_n7ajXS=+WNr7mqq@CucflAOHkY7i2bko?-Q+vH;9CT?O2L%vEW9W@L#kQWQ~IPWSH~a^eDV ztU37Ph3GIvN(9hlKGR7!^u$|*>?jiWE(=r$LfbDRvRHS)AO zsZ|emsD-M0_c>MXzEH(lVFgwGK7JWD$X8;uF&QYdo9F%eZmYZ(BI2J~6 z*@e>ov_*-h0xYYEiB1w$4>#a>#p9s7&m%hz$6!pF1I&XV&UG{gkkcp@uJ`&J`3FEZ z$?o$~%nX~VXxfQvXvN6FjjJf<*uMA+AOG(!1d*uZ3gPo=;WHOsxxAWk$71P+wf;@Q z!@2qsS12MLqz@Sa^+q*a=XP@UHp^q{u_^}NS1+Y$8H2J)=8wh?I!|)W1NyCbe(X*5 zhj&>+Vf4kytoL|)FXkED9kk)_6Szi%m7g=U!l z;Mn_jWA=wn{+iV1?eLR8phS+^2=*rf#mttzAqb%O5mP=9ALtvPOfY?GzVHbe0vM&G zws0qkVLtj1^qkIVP@>AlEPl1=c|TqJG5-XTY$B5oRg$ut{w+{w41h4hgPwp0wjqJv z9#r)7S#h;pVT1|J;!fXdR}#0>zq#wm5FYX_--Fi?_{3a2$-mOGYww0DQx)3;f(oAe z${cJDI|F2rE{WGqJ-=-Q;*6du&}bnIR~ub9HShPDD0%vyMcf?W|2Ui*_bW4AT;4r> z(!EpdoW4z8(SiLyIVMvT1`3-bAVp!feM6E@jV2<->ur4DwQ8VgGY2M>7y=W>4pB2` zV3a;{q!KIVOfipe$EF}YKDmgh%~kSP*nW?>krHTBGo^JxQ{nozO#sk`DriOS`@4Dc zE;9&eZ1t`AqA?Z_BFlOBO{Rhb@E$?tO|axx0OakGBd*#u5$qHtjYzSx|LLU%qXFud zuaRUGph(nRUIqxQhGH6!f|tbz6#3?8JDxS+xS-sTM^7RqIwO3+FVDb1G=lq^zz5X{ zAkl>aA1t`R`!vRcdz8zKAAAro;W15!zHC;nt>M`&W^lcL=hr-P%E`EaOVwBcEK;`C zmK$-&px|gHM}koDFpC;(%{d)uu_@(S>L>9Rr?NyvkbG0HVlka?H;#fKjI>ckQPbgy_eRtXSXLXE>_*_GyU=Gg$Kv#*6;C| zj1L#~jE{C%rataMrdB3-e^6lzGJv2Rk`*XR6hD%mLAiWCY52YYv$0H?tI54i`5!3~ ztDu6Dnj7?dOA(oa69#Jsf{X3ABcN7r9%Hs{1E9!%lF>Fuon-hfCWe^R<=bazusEIPmk1^*1t|9*xr~`+H-85$;v_{@ttJd8{tdac8`GwPQ|%+%cw@B+<|2Vq<6{{owZq97Z z&a1bg^`Y%dR|SBtv+>~h>jxK0MT3^CnFnrnZ7A6`41U!>v&2+aSUs=&8D6&}Zue%y z<=b708BiUa7}2sF0`U!VdjPt_o(ITeCyVb&Lu1C`s}p6X9?nA?M1*<9?~L`C8G6%( z&W80w7}T6KDRY}wdn})Z4V}y7F_8DOsx3KqsAlo41(Cx`C8|f^l44I0{w!8!Z0HIv zO5ib{^c0GB!Id){J}aIB4}V!H8Hiv8ffUmQN)oKvD=gwxTcON-B6Q^+DSO4E&Y(HY z%im?T39I4XX1W7fm&sMOeMt2xvb5%5~*ld_xy@YvwAo4A%f$0Svvx%aA zOK`;y`zYWtRmc_5SEPEJ_4>b=mbAQ3y&17iAL|=o{Bq9Q3mU0!&uRUy5!vbXq4`2i zpT5v1YI&S?I>n8nAW_m(QXHQ5meM=4U~46>G175ElOSa5z7m<_2kT}E(6rT*F&Yw751`D~T6y}44nLT$XBtI_ai~35hJ@5;$L&E^Jr=oWPWl;`^Rl~fO7oce z32zkd7Gb)+9|g6pd6Id}h7w4;z2uc$E>gn@_wWFIZ;!KA$?-Ws>iZrqB=D@XWHe@F zxY?~quYF!Ufo6Sd+j=f@@kj+N0NLpSynBbBYQawgo{)Koq&l;79m{`Z0f0bHqNI>r zhfCZCh?qP(nC1tbB32v*14B2OKf2){#$q+zfG};_$EVgXK5qbR^DD5MklA<$xyc1D zfkQv7(xQT*&qN7H%PfkwVLw9kgf|HR6KV%N;FHg=Y%bJG{V!cAweFEHSsPGecw`vS`jtSYK1 zuz8A%Mco_b0V1EsDjP5d!+tIFzn|uRZ4xaTk{Q6sD7XY3DDjk>>jz^OPW2Y`gTR)85tm)x3U z%pybGWbMV;qiaId^)GBt1Sy194C#TL*|l&}e)|JAxjNi0uuO}4+pJlQ%Fbhp0@>bN zew&lNppcwvfnNivtkgMYPy$gcfms%LjeF>b>Of^hZY>E+wH>xDdu1d@?FcK{TC~vs z$KPDFK4vVoX%i_Vo>DbH=Seo>0gh$`5p^>qjSLBHyc@{IoVsmhROU`!%vLp+qgAC0 zP-sgg4(nHfX3~wd)%_jaFI^Vw0@DmV`VeFS;K>uot$?0G2E85$nsiH5G8Lrk!3jt; z>}^75{23I+mS#TE9Z#GLI7!d&@;zgu>RzCsT9T1m2q#R5#xQqG53H=IQS@;1hv{q9 zgK6aCeb#nv`x4Vrk1b$d0ET$+$mUlfSUFr1prB7MM`o^GAW26q9^G>e^Ng8KEIFp+ zyFzxuy)F72F}6gyy0{4P`{F`WOZdMJZBnGX>v=$E`KW-aH|-|~sln@A4uy#dKm3P^ z5A_kX7TjYLsks`G=0q6>zTjJ+H2hYu9b$Kw{0P;|J&NT}-Bb!yb>fU>Ad`qraJo`1 z&_EaY2iUNN0D=LEtTd)YBKfKIl7*emb=*9!e=w`hKGGR5kuUVW2mrH! zr&_eMNUUi+&)8_uQE}W)Z-L_Q6$rk{QlX%eygmQ?+wqbZsI5d9d$^yx+W?e18>G*b zyww4PZl;oz>0fFn^uW%1v+ z6zS%RIB}~_ulA>hp^QqlX}(SzMFQ%9IXG1H8tNPlDQAr>_qzUgzF~I7W3K7M5-ftNxU_os#z~GRc9|xyvRzN~IU|gG2JY9-=P7jE}a8+9s7}$h) z%r1mM8NdiBcZD(hYc7Erq+KFVNmVt#M)W6Cnu3;d_g$Dt958$@OB7MrL)j03tuKkT z^qVooneb;orAFT82&KL&imF8cD(>4bl#Rv=>82IwV$IjnZ`wl3TTqP_Kwtu^bRW1( zUd-FX+Gr0j82G(Wi^J1&9t&iUvWv+t?Ca~895)BD3wkmH%G*I$t$~ub2s^vN+}~SslRaseJe6t@T%B-naci zGdvo0vO?x07XHJ8^xr@S@LQkWgb#EXu_VG+S!5mL-e=f#WTyuUJ=%y%-!E78Adh%ioJWE;=Fat{jhriHUUx}*r7g#tv3ITL1 z${YK?gTEP;23-^fQ;&+AeZ2StuWUJ+RjtY=v(T>Gv8HPT#_r)(WGV28#?rl{N^?|T z(@`z`_M>>K_bVU-OoaQ?K*S>LnaFz)I&&pMyOL|FDNpPW+}t*CwaB+Px-Vy_fOh)y zCn9-j3Uw`Kw{$8ea|Oo1H-P`A8bCAUCJfAbpGgYHz@F>;%0i!d3duQb+_EUtqWpU^ z!a`VVMewMbU>!BemT{H3>wFI?gI~*Rg3OB2Ak?v7>IP-V(k8C0_Nb_b%*zr600Ju! zoLutmPxdOCAhozSgPtr%Bs`e9@tt97FaTk3<`3&uwUw%e{aZP^moHKKhVH6+ zppIzb)3qIgK5q3H__iz0bIFEOt0Nm82e%-4Zzf! z0ubHTY!Pmcg#Ps1;rF&?NJV@e53&oh2GsdDY>Bz-a}+rUW~K>YhaYNh>!TeA1bYbX~`!<9hcKH}^M6*Q*Iy$$N2tkjx-Mp^dr*h~Cgl<+$?(^Kwwp z8_jxALy_O)k`cJ_OitJEcH2kvc_2Ne*o|Z>#1!e0t*e$APYGB7rgXnmZnK_6eMmsY z?zdzmK(b649Xdz5Of;DGv#Nmqtf8d4)#xqqq@0Y@lk*U3x)tBH%;E`F_iYGl2Z-%` z8@d4Nu5o%{rN20(Vo77x?3PW9rL^G}C+(g1mNWPNL|W>D=V~g zv^h|#%rWAKMf<95g-|o(#F-s~l#a(CkrI+@&crs~P6MuRf+L&g5C_N%uU=o1GY_*r zo>Fuq#hXId6l&!AI4?J1)p@V8Fo&5TR_FJNuxU=&K@Cz;{J__$V_Du$+d=g!;bcgx zl5r0oKbQonTUL43OLJwqk)BCp7PF7b<1n?d>}x(hG6>;Bl=eLIu%mVrEGSmf18ZV% z;nL$QpQdx&FVYl(batY~7A{?}>t-JqZJ3IkZ2g8i{EERW6O!+Rt6$BdBwl~Ry7IjLWJ^k+ zlu;e-@pjTHq_BMiNB1U_#6vLCYyP$7eA!h~w3aj0{LhChmL_W6o#bLzS>@7y{~$Hs za~q!}B)Iv|7J&3EN?QavM#HFBu9nSre0rex;>h|!U^l2NrDj_eGdcKt;W9`hSv@#n z5H+FKmTw2O^5jvy@ztS}WQuXJ8N7=7T#fq}v&78`nRIcS=t4ggvBB|q1Af(2-9G!m z{?uMDc4=Fu@Bd-#t)r@H_qAa$07*sZ5;2el1tdigkQ9UNmhMG^h)9Phh?J5djliNq zfkk&pigb6^_nXh&`5b9~PGj`5A*AL?ST=34WfcU&na_l3aG*V;AedUeGRB-+G9 zlP>MRsrns!SF6?jt!)1PDL`vL<&5_YHrZ8x70UMxvAlI4+Nk* z!7|np_#a$@H?^Hx_tF6p)u7UQW-p^3lTZG%JI#w>zCI-9*w-*?E zCRtot*neO9wXP`=A6WcEJ|kmvjWN`Dlr_IaulAL0wBL6RA^czb*F#^<^b{K_2Js=G z@vXh9s)a@dB{X3-cW$LdU5)b9jcucPxYr>BmIMh_x-WEHPwLIf57y2Jok83mm6|Cj zw9suMA%eTvH?wet)40wxKn9eyN@m z{VZaEiEZ#3vS3^eY=wC97`3ZpPIaUSbI`0~I$BJyPFf0pvGOZ&ABE&vd=J`iGTS`P z8)QNRWZ}PGsRZ6puzttU(E9$F{G36zjqA<#w-hY<#FcD%4PhUK@9pF3QUm)e%UbcT z7s(sF)=%&5zDIpy4$1=mfP}^nC9BGQQ>X3k=m0^%+m^$3yYr17R|t}P0`FDq9a=|J z-$f~A4ioLCiV6=XfnUD(AxDB$>$)K!+3ni8?4N)~lR%%%Zz_MD^WLt^?0zXsjLYn; zz&De8xE@{!6`T|{c4SP{Mo;?cUbVojqhdXt*x!FuN&GE$2`bs2J&)9nJ#+09%Kuyz z$OzdLk}+GWh0oYNvE$gVG6hfRgorv7D#%40qxd+TZ$XO$(Ri#gE-&${|{ z)QDfEO?@_`ykpzh2|3nnv5eCW8)NDV~#QuJ#&tzda)jQFX81*Wbq>mAM8o zrrp%$xnBIRf8h3H^&+nMEXqpuAx^;5A07rWwY{mD%)`nlr^c1+_(&PD)ozL$90SmYOog#J_`kaX{e0`kD-AKYcTk55H zSDXgG3G1i#54(vr7A`y-rpU<=i>mrr74>*R6?ez1i-urDaBaL5392r?WP%>f{PaiR zkea{f&4Fd}b6!_404I~Fe1G+H8gc&t-D80S!izTIHc@6>MxsDiFX-r=|MsJ+Hf&9<{5~3Vd1(f$Ig6uEF zLEO1buRfIQdh2Nm#(MA6Qa!p{Wa(vlH9My`k|6sQ>k`suhmHSS^~`0jBEZU_N>}#R zN>tm4=eMxeVQ2ID=w2~#n3;Wfae}L+{w&2WeK0*ea$Az6CmZ#^JfTNT#_Vfccsftv zHN8MhJ#DcI%O`F(;)jgmU5%E9U5%F`+np;a$MS_|_>D*HmOtLU-5&dl%r_w_a}~D& zY%rf(ff!1vEQXDwI3^AR7>`veM^7oCtNH6p9U#Z~fdRqGv0M8mBr>eygG-KTD>i*< zZB|7K$jDgVJtwbo)l3+bpne{zO^8-4SeTOf8tAn?v-m*jJke*9JSFhpDhSDV_XL^gU<@Yh(==> z8Pij$KL!gwlNXmhrdFxTM;A%4>|d?N3PuM`{WE;y51P#Xs@42Fgu7|}?i^=XFiWWK zKd&KLUI!}YmVu%R?Ja}A%#K}diP!&2;lO|0uQd3IT2biO;(v70d5Ztf6|5lqR1n9_ z$MG~~KL9nS3A`yD?|JN81ZL(NhJ3N$bv-Bp`yy|qFCKE0SNyBN_P+q9youz+H(ijq zV!;Q`-W&T|>!q_`C6{)DdALW5Q{Nv#LrN8uRIex9seANU_ga7rcy4$_o zU*3dPTbhq1)H2@>tGk_65&pw^`qw&ZkL5KAe%-}aHNP1Cx$IVFil55R6oJS|BKoJY zAGzyBpnG^3{C$4+2VfN&hV#3=iPT$2TJ1pcccp$3eyM_!0^!2v)5w?dh>_EBxVT{P z%{n##MTdejS$62DY%6iC7_jbm?^9u(UQ;;bCH3wG>EKw^{yYnn4t5)L3C?Fu|33~0 z)?569}xBo14`mY1wAL9kmO)8LC zu3nLo+Pk6apGNi$`LjB1&ftSI(mEosKsqnPN)m@3;Iln{Z#sV+K^y$4q1tjhH`?lA zcEehp-!>|+4Ytp@9cJBtgp{2l4NbzwC7|R^&OIJ2veNF)P|jih{QiU?%=K9I>)(co z8S$JJKI}_LQC<4%Tz;)%?kqGBs3Aipl2{*h@D9eYHWK`8aPLHSE>Ya`C|3uJK_3SU zkTDV&dLaUvjpf!{_ZJ%D|I3H(KYk2Gtp*Z*((`AZ&Yv;`{&kCd&bpw+ zxz@t|=ll8}@ANl+`K)kS_=s%MM@e+*e|fV%TNbWT&J1d>?bY7PYIJIn$MSvgS8gko|E`Upm zd>G_j(P~@p2#-L-Mig@moV(y&Ulty70(spCRI*06oC3$L9fZeAMd;o*KY9Nb1a#RT zmCTBY2x}(n+6Un$1t#6Yp!uMiTkcHqMH1wDU6}s$CB@0=D1Dp(aj!9v=OBcxX;^}y zwp)teZv&{5FU+R1HRu+ko>sKtTjR{<8Ss=;>?Kmt&*`5bgFpO*Yu`H#@R6$|-Lf6(dW{UsE9D zq7aXEBW2>2&`0`}o=zt6JTgCyuYh608h~yaApUb}^3MwV*TvyKg*0A$@IgsA)xE6WE(M~$$0n&%>QWVMFVd5%X%-0ov@brsA=rN7b!S1trBuPiy%nqT~DaEp$fb!t7P@3f4a zLFy$HgE>wluc-UE-)Nfyznde{HB|8GMZ+#h7X)Rf7`!a`Yhu&K@NoW_@VusQ4Hhw% zO{S-w&m1^lm&tCRAYj_VaGtbyYmL*aADM6{K&#B5(v2f%Wf@ zv9La6U3luCe;aRtfu2yBSS1zV6J1>ybKBxK5(+Jtz=4hRod zTZR}Awl8sjrW4I^rlm6e$9w*_zc59Lw(Ipi6a4cG3Ueef1M2w}05@0vJLrzYuYzv* z3-GzQ9;G;0D~@Sxo;`%z)4GjSOsQF4?b{Y@PR1QzLuc^Hh+IfIzYJPfW#DxFG*A( z*u^m5qnD6=eb~!=J7u7;>YFZ^h4+Id_Ft6KGxE76Eh;hnZ zw-juffM+|&hQ@uk)TBF=-#ifA@c_RBA+8WIKfoYlW@NjCl>ExTd3_ZuU)tyXd5aME zYwh$EF%U{j?12S_{C(DSo2K`-h&&+-A*N=R8)$+4r{x)jF*dEswa_Ja&;o_pG#DNY zd>dL-$Tdjhmy5Uak)LfSmM;fs_cDl#0+w;8DwOPha2cCS00*oxs(0Bg_$vAwW+3q1 zp%&yEe4JH_OR-Qj5ZH^>?19D(S8vvt>%^2AV!4FuAvhUXP$Ue8e}}KfkR6kBpuJfG zyAnw|aS8_>ZfyddNgzc+mSZ?ae^uTHb(Y8<44JrPntfTXuAuFvLXQw}75&ocqAxrB zX^O{LPp&H!)aDn4;aePeK-5PGtbY90+V1>MPuf2Qp%=~hf?)w%j*n|$tJ!7C0qBmr zA@XsRyoxr+?_K}|?8|U)#kX&VLu1F&kkaw$+b$4dW;@VYUPVKE4jzSjB}f3x6s!4( z_lNr4VOUFM9 zP;igCjGvSZ=K@Su_*HEfb@n0<0IakFX-Q>pkYKwJK(0POHs{9}Vm-FsSET3MdleB3 z96)@%I@u7UMbfmL+3x^VzzhVk6gPa%U|p5_~cHY+3yhYsyyj3=rut2MgLKRB_!3HR%8m4 z3cy%598TW6XM>bi4FPRE41-9k&3CN<(n+YNK3sZs+PRQc@lJmGB>x*-Aj>@J**Mv$-ITT~Fk)N8VHI>k01rjWptA-UgmR(P#H^7P7^xkp9m`cpt* zUJvY*TqlKjP6p@GlQzf72_pW~K2F*0IoDX?0c zyQW#9KBTldK2+^=H-ZBT>apqvTtL^b^;nMZpuR zyvZQXpM-w~en9?CedmTH%?*lQhf6?@5$P*s(29f%+BUN#aizwibqH!I?vweh9VZ5| z2WPhI=@6T(2rG7b;5Q$2Ru|QS$;9tqD|z1jz5C+q1nKf#E-Cx+t*n|Ooa~y$ci{i@D#_XFs08 zyhL(&#!G|w+u@P6%E<8ZgkEq<$OL0Qk=IoS$~$MrJxs4hmqF|Cn8Fx|g^=BUf=)v( zpysSc?XC~AAiImw03C`Qyq*7{8ReKcp zJ>B6l!!PYe@2eFC-%h*gPlWRcqz@8UWnS!_3Fem`t!9cOORuM{jyyDds<;*SQhV;p zBq2-2d_-yaMf1k0*|)#%pTOi3I5(v0OPg5vQiQ=J-0kGY&9rAE@0xnUm$hdDN}rEW zcSV-3ne_4|S)L>ozh2AMazwfW=GQPcx6%WerhabAu$NrxLl^idF~cCPbrGn5FJKbLs3izjHMQSY7`8fdxWD52X0> zPEz}TO^2t`vvmp4k0G7ZY|n+?7@Z&BcN6aCKS_A7SZtGhBuSoE(6P5opZPq_>T>J% z94F1fxCFFJ^vQ0j>7^>zV}&Ptyz+;BKykV@Sv;CpmScd=o9y%G{s zinL0u&ZL#fi4Rl1IBLapP5MQWE!OoZV=rtgV;?(aI(VLYp>xYgKligp+^jNZ$Q(vk zHPQ@k`YgqVjFPKEmJ95r*^~E-{J6S;94L->1Dk&+FUaBfX8)uZGp{OxYskOD622y} zlBZu+;aFBIA2svSSWjw(o$Uxj#95+R2A{sBEykQZxv!MTG0W@9xSFgd_jrf?mQq2t zr?pxqQ49Iv;Zyo|Cw@tZ1egBiD7}6?Y^<{WcutFrC?igHh~`8uJ5sL`<-|iedqp?% z%Bu(kQwNlIvs&{ELuf=@E}p-p_%$g$r7JZ}c8D?}{86fX=1Z?$j-g)Xq|_H%jUCMF z3B31UtI(Owu9A{R<{QEEEz`r7G`J4}A$Gv~qNEtwtC*V@?kV+DQR!@M*95WWZq18@ z`%)Rx`sZ$Mo-1S4OrudE+`y(w$V^SuCFQYldYbpc>?vbzI6bBemW-QH$tH8+MZ!x$ zdMV1ek8D-2cw0$FwhKxFn=%{;Kohg1C-=j&=C9BifU}UrA#W^(kJ}mqFpo(%glID; zEpoqOFY{IH$;mmSY+YxH=G1*q&=sh4>rU3`%@NRl@v2>9k;|rDkN(F_Cu5&L=?TVk z#GXAmX&|EDfkti@H>SO#Ns(bsUbZG+l-i=;Nx{59-*zZC<}CoSX`@~@U?XYN_4&cN zVUlT|rmXWgBbhq;r+CYg7ze8`lqFSTO**D(w~izBq&PuO5q+mZ#f!}(1UGK$ZV;AA zNnYf7@y(iS++Lc&02|euSvuxtG9#sKSr$;5ojlZYUUzZdEAB}FzC}sqhQlsQ?%hv( zU7IcKTcc(i7>iIsH%{^-GgVa-ogharD23q_scH9e@M^4o$e*D&0B$M*73up#pque? z9)%W#o*?bX6sn;2E*;5l!@KB{-}B&;Z7KQkVEL13jAh3NCAo_Xh;>u&pNI|H(FnkAx(MXV2&()x1 z+|ccZRclTY{lu$K;oOM3LCpCA!l5-Qr-p3emD7HpX9WLhzvrG$0Wv7{;p1O;t z%()Ra+7{j#;g|mC~8NaF39yYWbjJtTqw3YQ0&*+@lYLnbwD`Wu2W{c>1<9c z>@eT+f+*Ompb|Y%d1|Mr*t21NQtPrE)?vH?{j%a3L!frBU@ErVwc(lVm9cw~@t1F< zFG0nNH4W^?omRa8F!FcpRnzS3U;K2mXuJ%wkyweU$CR4y4C5?^36VPg(9F$ydyS8~ z0_+X6-fjpTwms0lhbHZ>k{LcTp(@$17m>pf9=Lp)loX}#>S)&<>MYY<2op4~xk=Js z7-DYlC%!b3${W$ zJ1O5w$+YOpD3pyn9aRt026Q+t%O^K3)6*&5Nkzv2Zr6ugNK#Q3nXahlZFtM5Z&4p< zF^bDEfI3;v)QhpTV!imj&>wZ6wMo6V!BH3_Nd#zeVhc0>rJ#y6 zYuS7I)xa!~_gEDyxgyE`W}DfFgD z(m5x?Wm#wTPT3HM7mjR`9=KvCuFnvPpb2}98mfkar(E^Z@r1++D-si}AWVg}D{hBk zIv7WPv3dt$MTiwOeRzl>9r$Kt^ z(n!4~xl#F96rW_tt+H>ADcZc~%7?X6>dNZAHs7_ppHyCo6|rT%~D{t>HVZdByiwzxVDZSc<;=E0%&YzuM+A1(CuO6n3 zJ{EiG%0#MvHQsfvS5v>f|JFuIfVckXKf*Eg7qI#l(fg!9dc>#KK6hIYM}MVsGTDHr zScCB12hKvpY=fsRVT|_^I0&W#Y@LONB@Z58<1?ILc4y^0^^IfYkU3248ihQ!);bF( z_LRd_f(Oxahj@IX^|Q*1au%<6^kiL~>A0(FYxW8z3OLdarFFk=R~KJ&=yvhssdA>!)&FA@YSvO11zR4bM<=8= zn{Y1nl^@~VnkqNK(J5b2{uEG%BXOC5QEG^nVhza=;Vq%r$>6Bp{C&3@BU%2USL4FA zdVA!SAt5LgAEmQ|nmOLi{@EHkGu2r3(fx+OOaHNT@HD-%-*28XIVxuDNfv#A9p%wH zR?CP>dFBRX)(vJ8TMQV!wYVyO)#TqH=kCF$4D=5Pd#gI=E5vZ7<&L+4S@G*omT-;y zoS#xlX*Vkx_)R-^u(xQevJ7?3f@L}i=ZiaM+SUQ-l8jE+WEa633rY(81=JM+v4$}G zBi<{a2Z7fdfBWCWY);fP6qHCkv5-6nh-JA>Ta`TIT94wcMm$aWGq^k1`)4@#vDdzL zig>1Nw>)U#ZC-irtmWs+Lz0YTjknCy=Ay#G4{DpsTXJjW>mje~c6k4T5U`ZnpYlp6_D37FKOT#<;{XECQxgSyll zC)^r0Q{FrgS-NX+H1MFSiZiprf2n4ROm85*-SVCZe!?iM)NGOFMMR;7(YWX`SzCmr zsM}6FHZ%=)(w!TK9I>tD4U!tlkP_p>%vqq{BIX`x)U!h)G;D56ilC-<_J#9-i&Vi- zum6C9sRmWDT}=Wp60r zJHC9$7iI%okAt2JVhA-Z;@HCA_^)TRRYw+~0@bZ*r{Uh^^rRw|pggxK?$4kV+0!!- z_y)Nr0w=n`^0rEntlbaGxw2}s!>OV5mbKZ_jU-SenL6jEbL$gz8>=gT&e88+A48UK zI*6_ZemZN&ii$%HJ0l+ehw1N~tl>uZ-At~{Eo4Uz^tMqO&c84npuQkDtbMHn!H4r$ z&1-^}8sBNWMK-hV?OEf(m+wVe7i;;6oor%uNwQY0z+yX4!9VR*EV;njALOi6#AUWK zu?O)KdU7diswnu zD%a(LAoHCiZ}1Q=)Dm`|At^s`3HlG2!}BK9v~OVWVsHt9HUpUrCVUbdJRBNTNVH0g zxp1`%BNX+pWjziQe8=3#l$Xv8KsOEDvu?aIvQ;T0)ZW{vcydu&I{)`@jVQvG;*95%IS5- ze)ABHL@RID`&PLYL3Ec5#-Fb)Izef1+O*n|LpKhQVB}ckShFf_!(Lt_`izUxwI#2` z>MG}A5Br?jXTxh6OKLjzc%7kzDEURp3dRhjW!IxLOkFE4@BJ2lagkK4oy)t$35u2w z8IhNMG{2tb1a-Zdj&jW*LDIUvzG$-T7?f%-X~+ygi%0mr+^Y z9%8q!OdXr0ctg5z7`fSIb)aF%`vZK$_WbN#&Fp2euig^t(;nEe-%zl=X7D^rGNLbv zXd;K_kgzw&v%R6HzewSuytEmHXGrUy`pczh=d9)1D%VQ}9dh68t1(&>R@H>Do0VTK zm4DsDbDI#;ptASWbM~}1PnCtG;+bceFSY<7tB*Dd<&WHxs~wdQ#ZeMy=RV$JixgvS zHbMF52##I)-ciyqQxG>JZA&oNZWm%&U!S-_xM?$a5se*%K+8}%EJ~NIFL21)wG2V- zj({Pyta6l>s*e@e@z>FT;5pAV4dpS_I>SYCVVrDR`wXM>@t94zYKdU zzWD}m8Sf`hvIRSnhWD}mI9gtwwPoyhen$4-DUpPJh09jcl8%7tMf6ckdKiS%n(c9} zekRRG0?-@iCi}6yHpfIol02$F9(!hT^QTt|1SkeG=`R>t;5GePI93ZefAmFDIXjny zT=mS4YwSwwwRfNME^K?E&M{h0TyYW0c-v>@_j)NggHlIHo$~V1HwhQibzBqIx0UW| zL8bFk;ZxTw=X@|(%g9OU_45L}U(+MRXHRS|S zcVmzU{%3CqG`GcK@EATRWNB`z(RFzhSe6;V!Omj4;(ix@I^RgPOY~0h7MPw(;Q%&3 zYuCc{eN41si74V-=s7XxaHVEp)xVa8YxO@HMKHWV^quOVH60{xUJR;E$haN8cRcCc zDr6ppbs;0fLMfY^Ma$INE^|BZUhX zduffSb(Qa%*B@}kOt*db(Ig4PyA4vl{rmf`sUI-L=`D=?aMBPdRz943$k?yc#J5Xi zR5x#^X+(ZVESznA)<=~v@WDySK~=0NGbl^fFx5j7iVBTb`)n{`)_OE!U>f= zVv)_rRMmOu@Hw;@D&DTgXpH(=T#`%ol5~)>`yH?CUoPJuouC8`CuNosGG(t^x@>;O z4u<+X_=bu-Pg%s1gdD6N)DQcc^bL^EGpHJO7mPXuE@o)`mLPiM$qn7w$_3 z0PU)8xu$_Er6%XhyYyJ76XBkhfwN;az`y%UQ~b_mVl&mz^UKnYUUn))vXMBfWlHdr z%I5z-=cp&;C!<<;hs^UbS+Rqdbeiklr}_07D~A)rbtB#2y=D}J)6r(>gMxxDR1s>R zlUaC+h7=uanW{fz+-1qTV>)v;hl@ah56G7fg0r8!n-oK61^Xba%xG%&`Uj1tM2xv0 z-{4&uq|exm!JVc<6;6t{@4tR%CZ9i{Q8B^6{3hE{mFvcx${F`obbqD%$C<*?_JL4F z)8$Rg=U1BDZd^kGgNx3cGmjC13K$jjTxl-MY-aZ8G42s6C9`8i#7uDh?ZV`qgmAsO z45gq*pR2{UqohdQJ6Fx_J!;UajVcr|KjQ{e^mD%zFymSR$Y!$}Mu_>jpA-ifTDQ>R zPU7R(mlmxg(MN@*f#$An?XJ7h#8Hg_JVYC0YABCXvy^>_cWG+m-M~eh3{y4Ui>u=` z&1;r;10sR?&93qNa^(V3DvLB1+mAW>FZhmC!*+tD^P81&b%Dgx|IO@LHuzyAfUPLW z^pg1Yb%RKwal<~aOHmvNL!SF`f-jwIsL;A!8Av(2Szi6}`2o4HOTeYRW}UZ-IBzlH zV^RIBQo+1{t5<2z?71i7RA>KI`dL+FqaTqYgKV&K5s0RUhmsY&__kaQ;-$!UsHto3 zkG6}dmXNhO%P5k713KLDCNTKr2>lh=mwgdkA>1w-uRrkEbH6(ZYg$oRlaz8}!Vs}h zFI?!itfzJC=}h&_o8N$F@C(#8^PW-@uu(bm=?sTtNbLhbxfGDeI&`db*|hsLfNp{g z@%{5qN1)P?I>KR>|DZ}teHTPec~WguOwV!eFkodowSZ!Pyy(?D3~c2nWirU}FniBZ zWxpyV$A&Hq6y|RT#VJ25em6rczSn?M(! zHX1^yyW|02c^Ons%_V1_=hKhx=gAeA6}8sveN!;FOXBhk!{Abzooq#4Fdw2aJRF|Y2A*RoZLuB~mR zr*f#{>fOW^x^>NTuqQ4AEvRY&`jQnrbKcv3S5$G9 zEepf?+}2KluBuU>Jn-rUtK$PbIXNhPtr-S^3suGj$bg8bBx+xuz9?Aq1~A20h^^KQ$QX3Ul2nAPSdMEe1MQ!!HP4&Eb z-Ic7RJ#V+$gIYZrjdWHlzqhpVE!5Y(2OYn>AhAFZnrHf%H`zy4&{L!P{Dx3-<tLv8DQ7IE(*Oh@ujw+Fpb*U)TD)p4s#x1n_@lA7+~f%N z8*^@a;qgYF6(DIOixySLR@Q`4`4xSuV;Nge$+h^d4gi4>?%1f5zYnUE1l0~B?w39nxJDlC|QHcTl5zS$^#7u88%8F=7@l>f?jM$B`-{Qa1GqS0MM~R0nnc*;In_Bd*FOi`+ zY`I2z^7Y!Gk!N}l?Ew2d>)r^-jbFNi)gXyh>BcL|GIvd?9}7Uw^cqtMZ>u#=)GZ;} zB$n;`Pe-g|W8iF1t5nRnGmGeqYVhwbAd0Hw5W#3_a{)F)CvU#$JjTSRHy1r$(v z&R__;&l-O{9HJhw=**CO8yS|sa#+M;_}lX_T1b^E&)M&XO4}cGyaldxW|IV#*d!6L z=!8)7u|FXcQQ8AR7+EvDh?^7ZXbbN2BhFtPL{(m}X@-Ognq%mpq-U`M@mNY5ACzw` z=PqTVDD-2N)NEh~a`mZevn&(NTbQNMWLv4&$dw_Amaj)on{R05FU4jI3g3#yIb3$E z>P|N!(wBcZCL4ZmFm|H#mX!OI>0iS|kw)hd$$F`gZ*(ba)$797o+R<~6msXCwjh~% z?W}eC3F%McXlI(>9-lbQ#SO~Ye9YIUI3oK#HmNA^;HK1Uef)clSU4k#`<>$!r^+|= z1q*26%pUAZYVhTvQo?-g{mIt7YTI9#oSE94?c%kR`2gFl!<)PVI>$_SBJ$ia&jx%@ zQB^uYEDbaSxdr(dYIEfZ1KE1E&`++YX~UFk{3Q-$yY2HEJTYog zo2yfrYG-t*ntvka0$~C0@kcdN_y03_+jQQ&U`HT?c%M7E|93?S&M{Md?eWty^zmMz)0x zWGm`5toY4zjJI@JEXi@&inm|*njJFu(uA9KU?ur8hTKim<9XES-8+%Va8oHwhWqI! z*pb%NGYq5>bFi2>fG4K;0{gD{;^1*+pJmZdZF;T>WhE&>AKBg8?+n#boY0yA7B2`OL4G)!=+)(h zb4=?cAgLnN^HyP<%SBa3Ss}b^!;5C9ZlcWZ0cti@9Xjvy>(;R7l~BDz8^5y9gUq|G zy|xrFYg`lHF|@b6jNZvb0#IetMkrbObVq|-sBLz$kQj*X#N2DK)yKykM+@4@LRF$i ztuI`k*riD9_NwzDQ`j*m?1oaZto=i0A?uEUc~Hp&nZa)4UOkY#9h%fxilE(iq)yXD zGiL`zaOY4#1Q9t34Sz1UyW)j8?{uamRnQ9e$vRuk?god3^l_aoK@*#a5x}Gr#zGAPnjeXY4Y??jC*)Ab}+ibY`^;<=z7&t z$;PS+%zM50(xZOa4(-D7(sGulvi2kd2ds#O9SjrVdN_ng3K zDWW{VUYy@*Sg{nEz@%pbt${;PZKN)HU%qDCn3GBVu6_@X|9!vtQPUHKJeBCB955s3 zu~w-WAnMd!2nk{JaQ)r|hD6Qfh1s3ERwm1c45{Os5`|>Bu6-l5uXx>e-2Lh?>c^4I zPBqzgw)~wF?1(CWiTZv1fQH5^izxF%Ci0kID&$w4Irf`004$q76RWQ16= z9YSs-^^p;m$9UA?{73(KuQj>J$=z|+q!W^CleGSvWaU!uJIIW_%t$#he@K?!xh36hd?(j$_7hL#niB_v!s zfx8s*TkGsZaOF&m&`*J3$$?5An>wom>N&4+zJ{Rq^RF?~w*vXy8{|H6r#z^7|6Le& zI%~AJ?6vEY;r7?dp5d6;#3AY%oMH^7zbFyu(` z*YzNi@S7gO?RXoex3~W12mmlYRcA_^%An&N8OL&;9sewJO?G2}r`ip)lgxAyZ|0?L z&%R8MNR#a=$i$9PqSrd>LqPDbjY`OnKf%dlL3yjiUWilv>vR{v;^#}l3Ct|toPE;{q}7#k~6z`MwUXu(1MRZvWrHGRlUY1vy?$O2kQob z=~8o6vdh|Op~-+3uK5I4|G=69d|604s-ovN!c_@VFjiO0^aYx=2wk4O~ ziGuQXn*;U~ug7uk-zquwE#MLS3fK6Dw!k`eo90HHu2A@Nbgyw~-Kk5g`E8`( zBIrll)v^M<0<;*F-Bam`>;`_RL&|I#t+1JO*$N2;hU+;iitb$zmJv|7UvbpMj5@KS zUP$+G4R3!k-NELeF%nBGHpX}Vr87hw;7h=n!6mg%II!tLz$s=?VA31(vAgYyMba#K zPRgSHW_nu5(~5S3NtIepIHK9xU8(^AzgWcUAp5nJq_@tRY4KOPyY}C&z8PzBju-ZD z4UPVQbz}Zkdb@oz)(w$;w7%~$aRTS0Zja30@V6Z_;JcHtJ;}^2AySXhgte@bxB56i zM=nA?ron{ZZ~*(kJ8<3Ci-$GQEC zWCnbRFYq183SFe%_GAK@&0nQvV(p6Vc{OH`_}D(FX1lb|QhZLE`)*a2iQL`Xsc28H z$gc!w<}omiWi%z8?0+z6%L!6bhXpPDLY&dXPwn(d)G#LQVB0rIOYc5bIHnrBuLXqSY_^ z^^&?D(qhP?`5`xW1&%jURFqXvgVMnD+O29nOArn?VyYjzfo&Wuz)n+i zPgN@$e(9(w<@;K*(l6yeM~^K@(5>H#>E&4i^tQ#h=8-QKcScQYD|JZ; zg4LV7eJ~mA-pW3C1@Gx#rmOd>=oL_%)6FO+qdd+HL}xrIMbp{TUTmYbKDXtw>}5kM zJ7g)4HXHNsL|1p(^>)DmGzi;83-o6q42raH@oDZ2c%q|cl!>w*jlzMCD!N~hiS=#* zFhS=S{l0RPw%0P7P2ghKh467lCVZj^`GxXxhl+g-KK_kiD~uTHgf3ac8zYpyGh``P zNKvabt=6+{v3PGD?1_6%FTDs>DmY#~*~( zct4>i-m|bD0gRgNQoc>xd40Uu*8T7;STr0wG8l05yYcA@Hfp~?=u>YXHsoBxW5lkA1oo@Rq86~9OARt z8FjTXFpsKJA?J7u70J7^Q=Z{m5l6HJx?q(XQyKd9-k)^!;-(D6?Gxzm3i3F)OP}Cj zI%K?cWi&&XW2T5QWWQ{Tgy$NGjF>Q}5HmK0K9+dGo++CCNd0#2lx1?|pS4b^jWKuBDm=@(t*mnNhx-wZC@Oe!ur((t_@w&}UPh zG2A->V~;X$j;52}$p?tIy!_5Ik5^J)b81~&JO7E~?P=%Yw~IcdXueQa`q1aQk&SQh!x?i(Y^NF|oM4tAY{XCI>RvBIA<~uM%yVwfU#uAev0kv;q!2&=%<|F&2@C>fLVS6 z&u_ki=#fY2DVay^2K@EgLP{*%nXYH}Q?I&h(o=-*D^lJbDf_Lq1@4hDutj0VoN@Pn zx`C!!U(Rk^zqrGV90CLZ2BD6AHab&+Zq~hIcNqOD*!lZ zv)Z7}lJ!RGrF;aewGAPE2y=2*zvIvspTBhD;TwPOJ36G{V+S~$5A3y$gyR*TPW4OF zkBjE`K_fa>yf@~G3>>_1h(omSCQ<|l4g|(2Ug7kKCXVe3ySxb5SSX4NYP+R0s1AC0 zTBYl)^E$ZYa8`_{(`7<|yi?p}c1xY96fh;8`9LUEQ8O6!CpDvTQ1QW@v4>jvHY;yZ z$}>8O=QdA}7Rth*m4eQRRy8`7^9M^6O%vpIz5EZyeeB9A8+3>A9=6EcA2j-490;8r|?XVfqZo-}-_!yG*C(Uv!kriap#5UjHdOvxD0byxM}(t}y1hA`Fb_hIl)jPO?8I z?H~1XVWJ!73xctXHi+YR!bN9D9^I~998S_}hA@ovE1Z!2JRn`l$?F7*IMwmpE1~Eo zIRE*p?gS#C8u^3OF41DA=;eNiJ$6&LN|X_!&m;Ob&gH*gAf{;1g>8C{{f4xE=~Rul zPD7o6BiLZv7Sr;2jRtvLxpXD|jVAwGgR22K*IX0L;6`n>0LK_D>ascee_qi4u-Oy+ zLK4NZv%1ieUx)gqaa1*EMM=H0uu$`Urgw>uO}CtS)v%c>#h1s3NngiXu04Z*CG|?%yGq z)nty)2!%J_!F4wHC!E^hb2fKy3X01ot!Y1T8wQktDQ*~|T`mfC!JN`eNGEhRGV(G) zsf_?r`S$&Y^*$U-`f`bw5j@W8&gltEuuQWhlNI2ggb~K$`?$aMl_m@4;1bhvbS)GD zjw%S{PsenSoCaHKkay?x=^vMF$XWv*rQx$CJYB6i0*7=wT4Qi?K?H}9Fy;HdG1p%4 zBD&rYgZV(~GCg4a7a-`R8eI+P`y-Gs8`hu$K1qipiD2m#W9)yssrFP}&@+8)f0gO$ z2m}zJ)j?18?%T)zE%Tw|(l3!mC5$PML-E(3d%*@b9!aG6s9g2X>|keQMIoE12#l(v zDbX%S`pcE8xfm+5yP4DKuUTx}SQ9Ho672x@VBH+NWBsc-M7$1g)Gr}~9AVXvs|9%U z5s4fnx4|Rb3E8nqcg-BF3Opgb^gkwx{^J^OPT#3E_sy^74HFGMyVz6+p(&YAy#a48 z5ciT6$65$Mm-9@9dNa}$t{ZEW>>2pp``@0*v=5@8;f`BmM*J`| z`YwPe;EgN9uQo>zQ*c(df~9fl?im<&BacsgSo!+wOC+&9gc#VsKIc|F<$uDvUaE1` zAoQC<%2sgCC^3SFt|K!fc_Q=#_$JgRw{56;epT9h|MVie@T;hb@=eT+yb{3ASO=yBb?K(Oeah2Yg(09D=t5RU#Wx?3E9k&G z4M|q74j{k(Sq7buQ?5E>n?Ey*k~)1&fyOIwh8k3ysjgt5d`kRTyUN27dIyno5HBHI zfaY&51DlwcZVHQRwsHGlXK%h-jid*_zJdo_3SyxcJ3C_)pY9RNeW_RZPJD$KHEKHPycBpRc0wsuTrj zQlcWDBE5GN0RaIK>Agz{5PAuqBE5+qNS7`(^xj+OEkKYegpQN|p$F#4`#tBZIcI(| zYt5`#Q-15L#XmyW*>19*eLweoU7u@hJcRMe-{dT1w9JIy7{b!c=xk>Dgs{VZ0dnxD ze_Fd&fOWnO7zNEVp0{Eieyn7Evkx}~8!{(TWQ3B$7T_4nwY-UrxDvwpVWS_+5Z+cK z0I*OEsO>bqp)UU;9TT$C6R`r?JTi#FFd@eN!>tJ*cbo=uP&QQ|MAt`6O zH1KU#j7yQLp}Y;JIt}!3i$Kr88EkQYjD&0h+wxfH8E6Bqf_Eu(O!|1h(rkHU)5$LT zb^OB4A-HnYK&(;iPh&7Ke>OyTpa0?4GidMV7n=Y2!^LO+fIqBSLahD)fBd-qI#p6% zt~Y}eGUi16f#G`@seeJq`1hhKaPHx#iWmmF~%ET#uXRjysmcDbfIZ_BQl;kr}N^U z@2rYHDEu!kNxAUU8dnQAYrC>;tgRC7u=(eL@KTcF!0V%Jr767glfN!D2tU!-+kQgS z2XGA%!E7k1OSXpo#Gl>WgPMS&S8s{;)#VwPzu3KB83y_;M#)v;E&-2CQ{j{lJAV=C zq_4n1d2*9BG{t^@bE;~FtcGLCkE$Pc%PGK0yD^|SS=2R@8vZQOGC$|^bHLKl^fM%Ows zrmKv!%hhr+JK|1s;)+621h#U%Py|tDme86SEKo{QANE$dJT<)H}(GS zH~l}jyy|;(J%2d?$VPZ0!{s}80^a2vhFfvTwBo+_z4kWgGXg-QY!tg^WXbUl;-vCR zAiwJ8YGkz_f&c08GlvY^bz~2lYu*y4l(P!OJ7uvFS-L=Fj6m{miO4!AfT!P_9)v}oqrRgbF5szQj=6crL-_m-z7{pfF z-P}mEx~F*l$JeTfIXS0I+s9rbrK#!S_V1%MEOEm}3>VT+OnDu=+*@wNJXl(m0SSqa zTD{5OD}0_A&Mc}DIP7K}o)K1E-rT(7M)Ybq%C#yoY}_0ouf)To$0{;=Zk!3s9j-i zfK2E5up>Cz`ye%SMkkImG;AzmiSP@o9GtZkob=Rm`EtE$;*0^W!2xXa1p$UVG8W|_ zN)lgQy*gfNt7TTe#F4Y-Ov`Hp8!mMDRotZ|p`*OA#%(sTkgmH?Y7E}6JZS)B+?ClO zQ#Eeh_P`YPUgW<|;Qz`MAX(sV9xbQ+AJ)b1Z(i1-N&v;}57=b_6--N>Q0e{978%L?^$q<`8v~_t^yBYG{xbge3ybNPWz2 z==@B!RU9 zW;yB!*+l@oodZxOUM2)7*MShGCuY)1?4Q3AmM_68`=>nhS|}KOERFq$JAK^#7jk`_ z)UH+jah3C0sfprEdqGa`CyUZ?<7~X5;rK|r${{g*CBDBiOT{0)I&$(-HmBsGsXCUDg)RHh1xiKA1@xGcPJy9m8bEm$iaFi_w@FA|(I(CZM38I&0I&-o z&uIULJrMG{fkvJy=xE4IRWXth`h_##0GlTVn;RfCq^5N$+-DCsMyf$B5t;))h=yra zHapkBW+I~U(Fv=yp^pf^9%g z;pUqw4Xb;gyBO|F&L~=L+W8kZQsFurh9j>I4%BRgUHu#Ie` z#N}cMGyrHWfuEun+R^cTH-{q4e0zW;zqp&f8Q)e1WTv)x|| zopGS9Y%orqN&i8I{-c}(68r{1dCOcIfYAxs=mN2S)csbwN$k!qQafB0fJoJmz&>)8 z8d|MLr;HF$q?ZCs-Cd2i?>2Wz82LI4&gKtm`*?d_qSv27dmo^b(6;eqCSkO|Wx@|E z*amw04bNluc=LOV>b*BB(COz9Jk*DRpyBVuH# zDhoT%1aC zmDAj%aUi;QAddGd8|#zHkSTMzlTQc**~ z5fteNM;ISG=fbxhT%A#QDLdkPG2%fne*9K;_aWKb_+#G6`b9u$H08+Yh*4MwsG2GIX;gj8JFgJP14&V-nzlG<=hT zBQ#EDB4y>@X^USp3mvjTueUNkpscAI?QakVJlbdkLquIm86`#Yp zxf-xd5x)Bj>cjV6VOr@u0OC7X2u3|yhfNpW9W*$qR>@2FbuiH4u*8G2bOn1El~KzG z@!hV81G!r|z}!CrmbKOMoj|FVTtU58`K|#kh~Oc*>0CfG$DJpWae#T?@jwSKa~76; zGNxSw?ckK9ddS&t;;oDG?TZI(8=$o#c_2o4zZ}B;_XpL4Dd0t(VM~QmP_~5nY!-n{ z)aZG{+!z?n<%B*AfEi%l;KB3Ufsk|k#0N2l-*U@5GCjWEzCX-wAIysJ+3A+lH@*Z2^v9w{v*FfE`T6pv+&DX;0iXt_C1r zf_q9Yz=x%ZLG~}Fl=9;n%jQ;ljH(*WslPzCaYju=f=V5rd%4_zD7+eYMTB?-#la|e z=5bEa1Et5Ov}`=Y;L&G*nT~|iP49>D$u(S3)3!iJrcGCri!r6 z@1B#Nct{SfX)|=55{!%Ph|eCtD}`Xv*A@C@7X5VnLE{P2RVQ&;ZGE6XRlO*4l7Rnp zZTWl7m}qMEUPAKPZ%2wxFqW+{Zl-3Ac_~()@Kj9a2KHCYHhiFqFeH%CRf|8Th4{TZ znci-_P&01t0}|Nr-F$^v9=RS-!FhVxCl9cUf#OC zlV(932qs794?Oo7NbVy5beIiKu}3t0(T#PH5iZPG7bhSo=sf`U z5$)^7!kbIwQd=abmVe@^!Ic&et+FylYg;ByR7bJe?17cCr1ti9jL4HBqBM_0?`1zr z&F>rj44s$46mhgWf&1o4{~&xYkRls*pQy3b#os;z1 z<}Q|h(h5N;Kj_QD){M`0c@%kk4q(>r%VK&r1V}@bZZ6J1GISt`nDyeX~RGs*jaZSB6H*~`Fo84V;$fp?d@wyx~rLy5)Eu+=Zs zUF+4KE67D2+w=w{Wd_2dZZlHQXfwtYAKYg%htfqw?|-6hrz%CIhZ&n_Ce;rpkNS=;u@hDuWHeQml6iYKZ~13O#^3gP6bPW4u|^2qZiGHUCqnVR&oj3q+<%_OZsCL?xx}2CGGoEce!qv zTBUi`UjhB@y$ED} zzn&+5{r;{f*7?Fjbu{bbJWHXQK2-zCw|>C&RFQUj-Gz`iUBF}ye~ZZbsh0vh?EJf= zGAmgw$*cI4C`7ySP<)DvRvwzmB4Lx-?L^Y%^1AA__b`2}`8rK1px$?<EeGFo(-taW;W%98kU#$8hkZtp>U8TGzkrDWodki$LU!OGNl%002smiCvkAyZ_ zWZd@X-{T$}Mgl+{c#I%=vgy1#BmBk>O68 zQnf)@{sUDPMp^6djQ3$XOu9y{HJhMLG*{U9B^&tADRhy);;f2X*x3~kdzm;IfCipv% z#QrI*7`6T1)K5(!3sc-Svry9WKmk;-NP34) zeJMOMe_fi9M&DVr1Mg?Z!mY;War0Q6lds}eDHftFFdCzrz%JnYL;VIuJII_qUgU-jZ_Maoh%GR-L;Rj*pv@kU^FmG82++7Pt)d)$~Y!?^kF zgU;{jp{L{(>^;Fu7nhXBcKa!IAb|w@+p4ar#IlvE0T+@8VhX01&h(d>Uf4RnTIj{f z>%rv_%V>7{UU|JUYn+0QfJY)13|p9z>D={8JW+$guvb?*IFwvlm=Qf6UsJJUh19J1Hn=@2J|nuP@jiTX8IEXU@VYX*Tby7ihUW9*e+f>r>D)G2tr5DQ#DOYIQ4KppJtNEY# z7YNyFdfwT$lRaW_vP#42(a}Wgbph)hfZ3igCR40n$}vFCYN3NCW4~JnX7*(H(08E4 zL(Klf7#CJR#x6l9IGroP*tJ?nyjzMCX!0oY13ZW#-)N|zibL*dkYKq2dB;MjVBE6= zsCE2e=$$9En^r5g^UpuXd~Lf?Y*n;cnKP#U&Y;1RR^#a~nK#xD2=SB^NG?G9XBd9A zp63%iFh-=qhv}+|?Eizpr~V%lzJ;LwHHD8ySUE)K!hXv4o{o^axK7T56yQ4AVXWQEJ`zZtoBHC(RiM`P{kElig> zz(8FKV$nZuF+)E(U96q?R}pUZOM^+(hoN~>nI$kU;*X(H^h>&!Udl#@mbGpn{tBzRe^AmwsXH_t*f-X z#i9<>mPpyKd@cDp-K2{yR@X-pN*4b{=JR+?@N{esM*&^L&UQqP653cBD-G|Cu0DG7 z)I+cU^9AkL<%hBoeR|RnCmtM{nk~KZ+`##sep04WP8MDf6A=%@b zsklLLsn{rs$4TXp#XF?_QEbN=Rb6dtzPoXa5Ae@VE4N=YeGc14ywP%2xEK+YF&KHN zu`p?g=R>Hq>cfp6!Mr#>KR&+LK4B~PoV?Fx%mUji`&R?x^h^8kY3Sh9C7}*%ASRMg z8tXM;HKO^Vi4XK`Wr%%!B|fB^aI(Hm#GTr7Q!j!R0r}m~dH?&BE?C1`a#P#Cjj0R* zOi#D%d>#Dbo{t}0(G@dgH>1rqs!IoiY8hR%V|B6g!fX`NzDz^!MVsPV@xRezy5Yt* zjW*ABKcpS}9Om|ht8%ODpv}iTvTK!`E1=>dbtUA5Hf_$>`q#>AJ-}Q^ zhdvp$G#WLkQZ1-R@m#_#OiPXi6#W}RQ2a+{?;YC?TZoZqsGV(`=7wP8P~_b0%3&r! zTdh&Uv-LY792#sUEV!B56wP7N{{UBQM>U5WZTqF}cv zQ~$^G)Wr67)r3i?%+w7N_9wPuxr`@7o#o{mk1OD_^A;71vNZ0w?qI)kg_Mebn|^QG zCUU@zh#{vmos4;`_D^hya`ZD*sJ(1zlxeXKv*`qwmu&)Xm|-=@(}@`~xv5CI@y^LL z)MC|2J@ut7s1D{rB6*DNgg`lYAk6}cz#|z_>F_UpU?k&z;s?H}j2h$hVVQen0odi^ z-TIVvodRNjq+4`7Z7;$m$51{8ZpU5udoq5};T)w02$@C4lk=kfH6+WjK2(jXI-!Ne zmIA~Xa9dP(&89Pi(C5yT(JBbu5tQ86psEv44wyf|E@UM*vUYv94&KP)$ z{lTFSNIJ5MsJRvv3sV81(<>cjB`jQFtR)h5UBE))rP|ovHf=#b>TDhEh<%!Udbp*b z!iT8_L1K#_ITzDx0nkHsfW|)DaC2GKQ`!HNM?9n1n_eG!#X-Mn(B#LZ!0$aCas~G)!EHMz}di3SCXQ)H?H2Rg7C@dmGB*^fa0a@Cg(`2X#W*k6EmSVL` zf*l*le$UXFaHAk2fuXXC`w7#^m&DMGf)?^-}2arh*?zkkF^>Vz~|%mFo(Yf92l zc2B&CIw#dd{w|0^xN~`TfoyZkxE;HzF!Fn&nhfk`x)RuScjn8P+6$Q&(Z>1%m3$n7 zpUTx$u4F0Fx}(E1p( zRabPWpkW-Ph(5Kka5rj~&&lGPJWDZwv-bqkq+)C~7@2v~wEvb>0`tNH1d2r|uHyJX z+li$C*XKxwOS;1Sw_s7yw91PvwV7++IA&is9d!&d&*4Lt=rV(o2CCN5rPrwp<8IRpb9l1o_lAUl*G9$diYl#BK|CCSHXKC_M=TWv zV$AUuiE35@trU&QGy$#Z@cwsZp9^E+oH^KeE1BA540<;Bb2Z_ME%%Fh*WmK0kGuD{ zY(IxCKYcpC;T$yv>Wi*>`itd~pXVQ{^bYpLA4|n>TGc+?SUHnEAwBWmzkMJz$5o&9 zZDmM2a5H!_*8hAlrnti4t!^55Rxa~W!JRtQ! zSzM#I7VH2NCmL(UIUswpoz6fcQBrAYBV_-X##@mZORU=L&$pr9+5my!RYxrBw^n{HhBm~yZj=4sFpNiGfF5p} zSa2FOb51e!Ra^7j6jXv@(64HB#Anv@yATrqde4DwgrTPPZJ&Q=jqZLQZq!(?e6CDu zV`!l-eJFUzl&11gr*QP*3tbH_%ppZ(aM>1!c1BEmZJ6bt+xu=maUd`LpFxd&8v#r- zEMeGTdi(Cjk;fC`!%fo>%ibkn)Utp6g=(~`x<^AjQ9CIbcJttF*lzOgvzsR&P7x(+ z-5!34A+YQCPT$Nos#hX{#|r+P1>kM!Po)vGCTDn~KQya&<`cto%K?y;QACw)Ybr&q z1r%KT$V;*(>IeGZlf95Bj;<{GR=GJ}00aA^ZoIV;u9NPi%l>Au;bXF)>A8CUFA=Q~ z>c#sK1SE>f@feG#H}@t}XKa=3mtK$0149iV$>?4wQ7{(b2JzjC|^Ch{mN4_<7N7fZ=iIKb$oR* zi`j4lW%e@i=q>A=DvvMnD2`nX*^#XJ(JagZW}inYBQLKter8dDC)0fW$dI(CEfvFN zrK8dMl}&O4e7D<=OL?~-@+^}-nbVj((z%<`u=gGbo5wi$l6*q!x8g;hpa9?7{T&)D zzQHW@SSd$wqK8?3w;j#u!o$InE)@mT8b#&qt2l9N z1xc&JS4;exluRq_>xwBygzvGCHwt%`N$y6EIM;qI6epYphadNUpW6QmR}ErSoMM-^ z$4=Y9^lIK%WA&rcPgS3akP(0vxYeVe)Qh?A3mi_|k|^>cBW}%@-o1{OT}JoKo@GT| zz4nYdX&AYo$uRt&rPzCjeF^`B?72ts-+o^J;IUPygXd)Im0F@vI4#N`1z4f5UxYV> zH;GJ|-f9&~aNE6{X{GV0I1lo~mTJdg^Iu-WP0_SJ!f5Ie0HLyVI$W*yi9SBO>QVpw z7NJM(SirH0XvZ?tF2a} zVFi0^WY>iy2)^7*?8P@NSia7F9rcEeqDt{@7YC`rEB{(Y>6&k^bMv1k5G&yF@;|>! zi@B!8B9w)FLO1d<#G&{5^s21F`T0g!#Gzy=E~(;R7EHzt>3jwcaiS~nl7oBrB1n}nZkz~@s@`#wDaGS%UBdS3-~rO%G?1&AdX(mAt>KJD}#uv6+GA%#+MyD0sZ zdT6x~z%@4^ho8A;VCZ%lMvGbyy`+ZTp7H6UiX4W{2_&*A#Iaj^oqb$hm~CNmIs4iK zG~IRjFQreBNIIp3Bs==$8nFY3Fq@#lUqs@ka@u6@TwP6qy>D~CcIc!c<05+Leq%L7!o0?C( zy|I2GscT`BX7<5m>Qx;SqQ$K$yZ!DvD?{z88KGUHVL3X9cdq9{&#^9(?S3>J5d-Ec zGo0Ru{idP=9ws8x$w-&k%?6YC72%cOZ}^oJmBKfaoMPJt1{I%EF-dG1k@v7{jpL+-D8ZqJ_%4duSIQNshv`<0Fl6rg20qWQO4aDl)!DMw1eXL%QvgneFF~Yrry*5B| ztA0(ueyPnt(`9LC4k~7P;puO7JOowfb9|w{N#*3JZV$(sIlpZpfC!Zs4H*siu02Q8 z+1l8E+>#h{=(@ld#%}47w*u3?=bHwFMqL!ofMFTOA3{u2zxiq~5H}Mh!YW_MV2(WM_sAy-cpcxWXB}io(<9Aw?^ZN;OaIjX zMSw-3omGWF0E=~=qk6Fkn26-B>1o*%R)p*Z3KTst2}|Jld+BA=3tuP{gr5D3?}4O_ zntk^785nn67tV8fgXm-zYVPlJBRWym8GLq}QS}0uP)Tjrl#hNORN?qwIA+^x$$Cm@ zNTCYI8mO19%xaw4(#C?Ei^jUKd>34ZzWq|>YntfosE+_);j7T!j>!*vG#4_0OIn?% zX&zkkQZmRG7-0Lky|DDTM`s1l6?Bwb)6RHaZBk8@Zi1DIO#2pGq`Rh)F~6WxL2mpo z0A0T%#19)=<|nvMMw$hpMD-T#bK;W)w$Wk}Gs$?0Q`+8r8B zU!~%O&`dRcU)%aF{PHLskW+M#j=HqgG&=e;%bgT76-Xgi)}`+>pucQ1zcqZbHa|ln zeo)Xfeen)58iNjW-#3shB2p=Qo)ze3xHD09UV8q2?guoUc#bq;bBy&8dvk~*Rj-cQ z5?8Rz?!uGy;H;${VVN3=kt7u)fwN2x)=7OOJIWsP9rSBIdK8x~hQw9e!A$o=jR~Q z#{e8o;Pv!!0`}5#O0kBDaG(PmIR~~ZX!4DPdCT>%HTOiNvQODOo?IvGbGwENQl}A7f_npqj zXZjL^qqhY-!bNQ$y0;OKeP&eUsj%V6NSrm%7(V}qsPFE*zX@rBs*Q9OJ*lkRou`*u zTnbF;+2&1AS~ydy1fSp4fX%87CfG$mwdqTVjMk1f;y)gLzr>Ux5IzIN&fg^;T@2({ zH*-ohvoBpk6xM`GHhb#Xs^5u6omdKtOR$SpReQG<>)*C4KJL74?&Pgaw zu)j)JXbSEAZP-Y@Ku4V9>EM|qe(4XIid4!L(gY`}-fMy;NKrvMC!wL4tz(-TY8e9q;(6k-!&f8@Y!PJ7+^2u0)q47SB-VyudcW>rucGLtu%Cl`KASZ%7KAX9uxd%EF;oOlGNj199V8 z+0LLdry+X@>CAgXu-6P6gN2RGk=BNr!>T&2ckn>4UV#VQ+0<+(0!c@yI6-;NYuTg@ zG@e2UcATL|mv{M-f=X8+Pi?0Uw}HZ=rdq_w^)PGSmpe(~=lCrfX(j!fiX_WhsWKzafl^!HJZ>nxfi~gB~xZ2)c(W>%*9KD#4g&*R+ zPt4FXCib8HMeah+Q+jcBmK#~n)NOj>l(;7NGH{J6+^RmYzFa9O~?N1|fq56CtKSS6y_Od|7#K?I{#>kvq1VpR*mR4~C;@Yy4`% z&uS4Xcj``C-O4;5ztilPJN32uCOadpe{ayZHdejxu%Y_FB~u7X1MsC}e}?dL!Ab{Xnx!?uoc>_T zLQdaLBQcSGE%?pCBD}k-w(0D&klad{``5n{2rbwmw}yOI_^2Na2$G5fvws<=vMC=J z_~LOk82WcXZq&pDtY6QiPYyYaTb7e3|JHGfa7mWAE zKnI~koOGg$9j|JvI0D!lZTfQ{I>M!+U&@K_>nC=MW!ij%+}iiVOx$5VA7V9mcz9P+ zJWi>{HFaj$s!8i<72LW zC!{82pM7~J^*|>`iQRzrzWP+on2$^9!Z!rm+|sGSzVQOTz1?N9@EL!ELERMwrOQ*Z z4}pp$8$a!%arYhzI=}hVK`H%?^afc7=`U|~s*N&QNuEZ+vwBJ zG%2(@6L8zrATBzw`bVyv7(uMHU51LuJh`%CyXJGIAR?yMF~NQ+G5$H^?!{rj6C;$V z!d*t`B+4<@Ge?;tkhB*lfw~HRCys=3|L28E(uPNV zZLHdb-JBBMMslu+?gCZURUkW*Kc{^pqrW4*Lk6vur3Nny$fF{8PZ=s?@gJhaU*Wsw z=<)9GUr|#h=tYGSwg9C0ZkDOpq5A*|!t_xEw!Qs(w7TS9% z8yEcQe4H5AG%7nH$vqY_qXC`E^vCsbD88fHS*iL+XP>oCZ>XZd&gn}@xK|U{5_l=) zMMeuRT|^CaK%;|gzGc5Z?A(N(99681u6uxFkrUCC2eQ)@5Lta;yWPN?y-j@ILBWEo93(_ zH%OW4c4NVAH^T*miZ0WvzF?o$?!~OY92E+qHS8N^-&N~S^UqD zAM6)Td(ZjaNvKYcfS=@sz1^1YN&P4sf_^A}?mQPM<(%%xp8V5xwWYfgLfdWBV#UM0 z(((!+W%8^AD7b4cTO>KhAWY*Q-8_O$bE`|)cR%~ zny9}sydj&I6E>oPX{L`!C>NMXtimhjS*_YF=4oxfMzp8?iq)~sO~_5X9_AS2Q*n>A z-5ti#ojtg(mU{AzXSMw&nc0cb3F06t+k(OG$IYB-9Y;Nw^^kEp zX8H%x5QosZX}N)q^*-1@`RqN`_0loL0-rK-Nr%E59 z@pzo4c24lU#1kLAl3c5%Z8rwL-^+VAS;Xep;yAcZlu8z`C39LOv!>qsxNo&svwJ=P zwe!5GlU}oXDGMNsE|GT;sE%^LV3Xqp{=*x}E8eZ^fs*@a3t&2#ybv974su7FW}Pub zsoC=1v9&djCYXuEZbSB(-Z%75%-Md33AkJH8^um|<`oT3-eT7^n`-X{S*z!pczXTn zHCSHww1BCoG3YL`5uXIIf-@7~9F_hvRDIb36&WD<+l-fpx$7@-iaP)C23m&!p<|=K zPcV_rb#t{aLC7K1HYsF{fvv%GJ_|`)KP6r{HG||?HN9xJO&>;joA3EFAZQf@O^ic% z&nME9Jdc%gd?T->;#FQ-utJnPWZ7;g^AjrcQ^O0S)B)pM45`rMcT94jvexZwA z!3sq-d7SlQxX>mu5mY{}VUmMV7?F!3OJ*iIgTuLDSV3eerPlsT#03LQ(AXW_%F02A z)FW)C=q0}MCz6eyf?GK5+=aY2DANaj5dgl{!LLzC5oDM!FleAQJe@?})yzKXR`Geu z0BAoQ#F9H7eOk$>%AU8e^WhTqkGQRWChHU%uy4{i|0%GZ@nxLb?s@HLUL`d1_jb+< z2!F*lhY*-E0ilSbFm|@<^?;8?Lx^haw};&koOWoNwAgq)QI>)$NU$rqA#zZ2+)c7a zdtiTYU|(_lyW!aaO@8;8=W527;zKV&@}E9~7$Wow(B+o9CXFgUJ%3A~sM*4h7;D`# zP&7e9a#PXg%CLlt5Kv~XY`DzYqWicbuR4{VoiJ&jd}xy|fc#lj{Wc^<QR(EcpmX%9J{NPHwY6r}p}gq4%l zmebFw^fqz*Bm4`j8=aKxkr3|EwbURMyUbmpQ2VeYTK7ndXyiPMkxPQNF@1|&yWgeV z$+xO%zU8GhgPfZWHRxJv@k!G3>TJ3URC7Z;uWi|13v5n|l^?GeRr9 zh-l^9&c4kr*oTShL_woXvmTShmSS7ZDlWRCydhW z@=~9806#MuKun1jH`xDH5P)z;DyoS8davZ}{5!cPvif%r%ett;*7kv*`1jQnY&ybB z0Nx>H;JMH(Ytx!RwEfPf{i@tkRrJUIA6yy{15smm2^F?AsB|*ZVPu{@_YeQCdc)$0 zWL^XC*Dyc+xJSDax=P#e$O_I4u{Q}X-Hz{!V0XfmwfZyJ_GMZvB%YT$4#1F%ntH$v z&;fL(`UKc;MX}EHJ;rT!WVz;-f~$1Tf>Lu{tfsj)A*Psq^hVXLw#cHSyR<=AAaYaEhh zfzH#Kl4il?hmBuKz%9d->1}p*3=yA%mfkB4CgO5vo1`UDa=F)K_C-FOlF1qP)e)`6 zgfBFjqc&FtzLus!3fkopCbMDqqZ|$now3)HQ~0wyh;Q@o?o@_#1~|9lz}R zeB95jxeH%`-W)cI9Q>5P%`}MJ+5Jc}?g2N|Gk!lY&DDA3X88G5Xn6H5%zzgZEnUA? zeOq|GEz-v3_X#pp|bQoQL;(B?a@X3gV5h)7ky3WDD*2`#xysn_1tbq z(p0l0VJ-j}Ri_UZj>~03@GN|AqCXfVUt@0-H%pdU63p{0X;28S3pSfVGjS!Ojf%tg$bM{yl zZu|pM@}PutRbIU>^y$f^Vc{t~VarG-uN)NmXA^z9O~+A2QFaO0-d*1zj6JG)Ih4~U z8;aDQV``W;;Vc)vCw1L^u4@ukQ98aJTUN-G~Kg_X{8drA5p5{bWCn0nb- z8puc&GV7gAMhA%uh0vNklAMT2TWtxIW#pA?6`osUPQF`B%e>AuM0wGYF5M~Txx(Ui zdz+NO)$EbyVX&wf{Id(;Mw@LmmJ3LCOZ^F6qV?Y|`G4xVSdCmCY?qg?{8HdGoZ#G@ zI=h@DHE(t()nWftpIqgl6}9uNFn1nhCcT1rReX9;KAo!nx+8Pr_35shA2z<5|_5a{<4yr#FUJ9+*l3_e0KB1H4XQAnwCtO*#s7p|R9@n64h5ZVE?3&83S0wg$dPeRQ!QTHHXg$RV1uZrXIC-3g`Bbkcbg^(k_yR{Khqe zY-<>O5xC~C)7ARHvS2Ha^W?s19Jx=s4XOsg{ab>X*5m=7o!RgNxgb24D`bGD{j+E% zhEh&c0EzKa9(7qAR(koJR!k7x5?V{H^~jZbRc83Q->l0~?TpL9*mR)qn?FWFq3M*@ z8a8%Z>NeW*Ysg_gCR%>b$gq)kqCxKg4SIKwg=Zyx&$&XBY4?lT(3?e+h-Jz4k0!)^ z26vLVSM>uCQ~GQM{oX-D9c0%U9*G(c)sY!i)hX8}oZcc1VI=WXb#DFP#@J}*mh3KY zc%ST!80~)g>gVU%qVSn5QLOcrG{b+N*#Es(tYctNkyU>de6%}27f`+N{uZLcFIKBm z3$~;lqOPf%;l8?VL!Dn(qET{^K+Zm{WwW_%-yc}0R#0)!78+PsW{0afXoIM(+9$i9 z*_qCRaQRIx=&2vlkdkxeo9E+Gzg0UR(qGw%pSL_QYxxdwWAI@lIqWI_U zOa8S=OO!!%9<#GniEDfE30PVO%GqK%0(A%*``U;l(68HZ4iw?259!y{OG81UG(RE( zOLd+*eW?Vb+RdeHQveO1 zT~Ik`U6kkEkTQ|T3d7y4!>rteKwhu9XK3%Cpq}P7@O#)!p~jLSnAIqU@?TA0*q>9; zx@8;Tom~_E&l+b@yNSY~r7a6}7NFY=hpr`r7L+Aky@6y^WY9wymmp>~41^{PoUTh4 zk6XnW#u3qR%Hr6Uec|u&?bkp4sLGMpwBkJIAjf!S=*q!Hto2}sM1(B{R4{v@T*?Q4 z!ss)`el`5yS3!K|rGCmKz#M!-pIa1eImvJJ2Lwjjl4gL+G=-+iTcD{_c%(}29KOFm z(^Neke(;fqO!!B3V$seYOR2hL$NgbBw}#mvnqfk4&2on6pXw>wq%vefxZi=$`t~&# zZ?yR{hP^!2+O-0q+wzZb5!P)w2iDn4# zxv?A@gRd&FhLo*Ms6XOof`bur2WNrp>`q+7H?8Jb_ZrFI zkkva>F23DHSx7@qozWWK11VK$&}JQL%%!q^vSDxH&w9Y3I_LW^I)D0N_o(eWqxOeP zGFpYnckd`)w0ln_#rGXC1G{j};<3f0RyIXlHN{Jm-FhurIm*ykMpx~8@7iTn8{AuRhF zEPHAp|2odWtyZWMv;NBS=NP}SvMGw_eM6q5s1o}}CJ+STU3i`~Ca^$MQEl=J(TE{6 zZtzTG%#K4$5uSn6*pCYaUYld+hp+K3E}-^ax+P$oHjryrcX~kDvyr9&KPu7`(gz{u z;rF>}SJM|Z?R~xa4{Fg3ML|MiHXrW6aruTEk^nM5y!qK3SOKVDE^iw+%W~JUz2ME+ zP}MMlO>o9P4>&rGz-(;nrX=+#@OT?+$enHhk+2R5$KFomWnVoXut0@yml+&WqB2ay zf^F{Z!kUV&XVZ*}gO2%gN{fayzJ!6#`@iniMS8sPnKlIuB$C>Gzmtx@IG%`zUrt$% z2SpFvQ6lF`_MU2k!LkIGdrrYMd4`$A2uhKP7y45Vall7!-sAVOfz$2_njhR`|BiOazn!FSClmTkvhH>J+#wRdQmq&kntcMzJ|bmT6e zeqm402pO^7#8yP=P-(EY4a%bOB@K^SX~t{E-M*Pdh-7EezjSY-pMB$my7ISvr~v-M zOY~(z`f|?eY%hSUHVozAG@f4h1B0SppVHynh!~LzPr3;p0{Xy02=kiP%IisZqeeov zYaPM>eH!6b-=^-reqjnZ)ly=6&dx8jp*@(8p2{Ip@8$pqa@5d#Yrun;89QY3-lmgH z+(0X|O>|b$o~R;xNS2h4>)GGbT+R&bG)kz$yhqufoxMP(0V zssMOglSAtq@KsVup|xl_M8|&dvlI6)+uc+OZmRf?#JtUT_ea6Oyq>B|-(`}`j*p4> zibp6ZlTYhXO@psf8=f?C_1spOi$DfSJ`@A@+^WCTuCyGS@Q^Mr6DS@*k;7PTMPK;C ze0OS@G}~0}(0l$o&2R#Pg_3Sf?+)6o_9#fbt@yofDJ7q74?ujfWnh$z zamOI9Vi}y01~G(t>x_@*`I}Rj6koQShimRpXov^?8#*;Qnq0&!B#(m(J*Ttzb>j*Y zVK#Opn(IP`Q?&H`@W@zuZ*W0h>P2X$#3+b0YVkMdJxr%*_=&1ueQ5_|X#RF*QhV`( z1saxjlo1)VKs}ZhY*_GU?JD~Ekl*kV-`e9Pa_N0`yM_m{LgaYdGxmbw7bSqpp&a~E zQ^2O<6M>Y^n8>PTwcw}GINa|XjsuJ*&RL*$a^uGHCUF0tx`7*#MFfr^dT>TB$w&4T zR0Jf##@jZl>X$e`hiYCnnl=YjUK+>xXLz(qlDKduC$Xc4NC`3U3veiI+q|P8@f<1` zjCAd0iMs>ZsPY1rECA-25m6e*2gviOoju$`ayW9T9}D-YiN>-`CFQn!i{gW3*HNz%oijHRUXkMvxqZ{Z>xiUPQPnaXFSp>TA+11 z*hA*2A@S-&^#NJoZq&`hy2sAT!92OFSiUszrpieT=x z%<9KjCcQN3D=H8-1@t;b+g`xdf`UMG0{nc}GyCR@w8+VREVJOHd=CRbdZ!15tUULm#y$|R#1{Q8eQ@^0+1^&I4FHPhU#QB2J3Y!NXk zabnB@zwL~@(6w z(EKgl$@|_BmTt>CB5Gp)fnCEn=_&q~@^y02#7m5om7Z3~ye+r#pvfG^uxNUAebv0< z09KPqTi6+O%&^5%LyZc`?Zv%Pw*HDTUGTq7**O>E^%rqMybJa)-7K*haWKh(n6rsn zW?7K(Sw6gQd%*SaeyKRpe;#7Hm*6h&2mp0hZha&17!*8w@~Mk&UFkA8Pu7A(h!=%7 zi#S=4t4zGaEYqyEp*A1OqHxfahGVVJuz~2fY^d-VdADL9Sc$pXN7$3sc;Ku7Ka(Pq zel;s(?n+>xl4%=+epj1NhiEfj^rS+v+m9*In+w~xb+ zaI^?dy)YORE{oAydOiQTy1mk7hB>4voaN_k+vA{}`O(6IRviP@JL8Nhbxw6FPe>M} z?Z|V_#up>muMbxa49>t(^vxoK{Kj(}iW;kcIlVryn7bAKY|KdIj&;bqXEE}5>sCaD@n-)D3>XwPeNE!>pw%XbrJ&%~pd0wb zIu9X%=lI2$)*QR#Rq&huis|;RsEd1PSd$G$Ka|5n5r101M#DSYhGK>gYb!2GsnfyKjnm-WJd^0<$ z+pQL-o&DFivq7(@i~DvC#V?#u$-&($vr? ztfD_Slr)CkEec0eE|!Z@qF(B5J?H2VB|C*$&#+on%vQ8Z1bh6coYw|@eP=+O#?-}+ znkZlM&j@kQikLCqttJK^)1`lN8OEDRs+`<$3$?Duk1q>5*P;7LzVLsz#TEeD1-9CP0{~7MOpQV%Ss>J`GJe4ix|L>>oz2 z8tyI6lD=}W@f7NxFR?ga6CG6@KOaWRfjR=9v$gPSt1ScR53n{{!<6CIRl5>RG%+;b z1H|K1r>pFCehA>NuK2f!o z%UYg8Kq#fN8x*ZA-yCN6%QBETjbKT4d)J*Pe;Tp&OvUM{)A@6S?E`}>yg9oe9*gyv z+!LV=tHZ9*9a$8uG9s5E!t;gmsjLgqnU4IPWOf1rex2%!>}mDX8#3p|<(L@Q=blj3 z%&>vF&m}0QR6GCkJ`k#=de9fbzYV2FB8gFLE=whPG)rCO3@LHm8dG!@M^5-2I=uaT zn8<8AcrYi2CBKj+!H>mgR+T<(cotMEo1L(*UT$hkOQ@uulkm{@#H z`1Aa+ZXF@=0mwoZ+^Q1H^zR<=YTa6iG;nOlQ&JePnwWXFFCUTO!CFr5a_ulFq`k_z z6TD;-ln^dIu~}SF6lv|AvF%`CgC}h2Tvo{TGPj zozn$f=2c@4w~Tkn#QKYmrFzJLXl?m{qMTjl`&(U|RjYPfHfkq&-CAbqJ33l}^XFM( z&88AWzU-DM?}$NHCLGA|TyxU$7QzQ|hP|Z$K3I({*J|{n&QAl9SBJuJGgqaNqVv^j z-VqamyIWq9+_ztA91Nl>8YP7_B~P^i5R1qVN<3U;P;hN=)g{&fT`b8!8z>i7pn zAE}U49W3PiHj%!MBaI|_#4c2Hiu#A@*aZ?r0EjjTq6;Fk;I-Q6y&ncq+@-NRZBU1_B?)&RkCP}viKh(=tN`= z%Yb#^#?Dja@4`CY-haqueeHZtiWq$R=-631>+<`lN9<;<*%jf>9b3t{8%mE-N+{iz zG4Idl*m&|{eXJ35_BiaPTZ2q!LyUKqM~dDJAI%a#EeMsKd=q^LGbEQwWIE++wX5nAS=mF z!y+drp{|;{H4wi${V&fO1@k@28IuHrl?-?MLY#*vHA&|zIUxh-Df6PY{z(;i9|)rf zBSFHeoug|P*l)|@C+(t~zsiA#7F0l^eV;XWESg})%)}|+_G!e9aLlBL98c^e8D-mP zI|AUPC(l9^bClfuoYwyOtk>Zkafr`dW%?vau@3*v^SOS98LJd&3_RiM4EcRO?G+bW z`E&QGsgYA|{UMM!vI1+=&GhOhy%OS^Rd8=*U>yud^LwdKDnsYJ-#WtC#=g9|7v(~*pW8TnP*uwIevBYLEKMARR-lA$A= z4d^ECBH4$FmG@8b+j)dB+~;)+{pb7pmE9T@#H#!@q-LzK6*DK%nIBPh%;Id4ARbg| z8lL9KQS~cY3Ervj-jp@8FBa_&*=tuNO;_kCq}5_-z?x?|E2n@rCQ z6{7AAZP9tT+mqQd9*g+$w8Po{9$R|+#&>~!q}+{Y`tzi#oHIO_Xpp4P1pVpUIV2*E%7In23)+1%l2X5w zzPml7;3nxQxA>q;zW*|OjAaLG6#9ljwuRmDS-ZPRG9}=6-M>_1B zrF*?B2|2qd#1%M-D*6}PO^^tt*NjLChlK{nq`pN09FF#K$+xsw5FS#Sqs zHSrGavA__q)+b^SGbi`+njh|EeMJtoo_LBgwynWA78UDn2FD#`(?6fHIF|^!)#tG7 zhJK}1@{>(A|CQD7Np#m^tO~1MV;g6c;Ok`J1Mi4Mhg?t`XAlxpm(T zNVur+HK((Sk`Gru^}{U7#=z;*6#wA_{P#Z z6d(I@{D57RkJYD-{Fc9xwW}eif=285(vP}zi+X=3ge*vK{GWc`V#zZmwMt{2?5TaID_^{Zzqw)a;sM*R#- z;I@@>7^BPK1O41>CAgzhq-RKzOd%h73lUDE;{o)-G zzPN5d23&mxgF2GZ*_3xQ#^yY}Zt^LATDCl68XU2CfO%#te8>h0RrjFCj+x@eL1L2aK&JcA^SwOP3-e+ygnZNmllBN{CU<+ zu2@sYVNm8@^Y%~Vi!<%6m1vy3vl}ll`$1|ZXy9`+e=KoIdS%<#F;H3aI-vS!K$VNS zzdORw0}~B*``7Q;#cZ|;{5=}7d($0zJw9cYYp+&xD9S0+-!fPw@9q*iD~47p+kIL! z?}c%UsbkbWiROP!-SB;?Xuo_IxUCzU0^48aptjpsAc3K%KshGj+34Oy#6tY<7tL2h znoF~sh3QrMRdyAe8B6s7{fj?hBb+*vYGWdX+U{F2KflT}#&6uw^C5ra*S+V)q2~88 zX11S{N0p)gEvs`IcgWFv{WVvlH+b^G?GN0|$IY2%EtnZD?eIfvn_?6>w8OsapcZV3ybX&gh|Ew(STu?OCy*?S_kA!4|;5aMN z&gJDQ7=~4G4tU1kR3#xj3D!y76F6A(IZ4w=KIyPKc>z6$%3W7t!2P`xdX*~H7be;5 zeh{uX^5y*%`5bz5ldpa7U2dUWm=NE((SSuJ)GGX3RA%IlT`2WR=K6Lb->kXt#ajo{ z3PW!Mbb5X$&kC>Spg*MARoYk?x6GU0uxQ`mLnxPhQn9^d`3%#lpwW?t%s)4nSyM?@ zmsVO<4Db8F`Z!PfyGHaz%f2e@g6bFm?bpuI#mo2YFZIfaQl7dEm@;pTI;x5u(l`dq z&Knrj`}&cxsc1=MpWZ)t%i%vv-bTlp8)~7F!>j#`951dQv}sLqzH;$myn)iJ z!1{{w_dWA{`kq-$Ce*`TOLnT`_mK;_O!G_IooY&67MZWc@ib4LwQ;b(58!QhZ z4_bCoWzs~`$cG`vKMzNx{m4XYUhm|*d&$!HVRDcQI-%|-8&hD;O^d=KPwB33F0|wY zH*+wIrQ>2BOA(V+RjrTrQ++nkaH{x6fA{L<(|4Kpt{E1FS%XVzcta3UT0VG&VRKf? z;k0@ebx1=?X~1Y1<2b#Yv*Oa1mPUX5N6Jc8izV|v7x{(TH;a$IC{mREg+JWF@QGoR z8Z@+p02N?A2&kJ^<%o;{(cMM{l%qP==Zzicn%p1l5%|6TY{Ys4J&0WUMJI2etim2A z!!w9?$LIFMS{-|NT}MUUsXu?;c$bOc)*V=XQYsVGEDL!GiqkTUARp4R0VZ3G^^nb6 zvgoy_7+NFDD-YGCKmJs)mw}{iV859IYT+LTcEOz%!FJO+zV6)zH~U9V(m8^TkAis9 zSG%&WL6J9uL5gEg7Jt}Q@C#bDfuB+y{FK4zEMp@M&(L8V3VaoMY+^e{Ih{914z>3K zu9pSibX@epPDZ~7Gn8y%8W7Mo^?7@dgZ}ZYV<2mufxN&IVRZLnKOASUV7XZENX698 z)6u9;Q+z4gnF=5Qo(k`t5@;vae)GdZ}vNUN6sMt68~VxMEe5dhwr! z!oT(}3GOa(1yF!iqT+=T`K=j!xhmtAonVRp>c0IAQj|W7uP!daN^gx841#IaUwX;7 z75Hy|^M443zec{FZw*ryfV_S(Ya&pYh6|}AHe}GY`R}kDP}sG60&%!qg%vMCgs$n4 z$aMdg%ec#}t-ADj0GD;I8Qcl!JsX^gO z{5kizcP@k)vqsAUjRn=nOXAatch)ENe6pJ3E_;dD+L!tp!@rF2IzF{s zClWJHFizMbnvaR-{m+~|?0@PgL~O=XduLY*~k^jH|lsQ;R?lzRL6I!2{7CO%$2 zRPx_5lf~UNt(eu^w?d9MS_o{X&aUxj^*&Mi=l(8u`FM)tqD=6vGqp5iKH|9Tv1Qh8rZ#8;R&2ca&da0* z3gxKc@e(Oj`26Jjg!6K*c`CGtjIznLCRAZ4+oub7LMXLo_=XKRwA*)ap&i6GuF%zu zAYsIo+=>LDn=>D`#ihKNQo3DX&lZXrI%x3mT)R)d>~S)B5#(hPp3$!w+V(8zTF3gB zsC+}#X)WWLI)A^GQK(8kO!nUSxG36ZZl5l+H&${)p^{P2>i>g!Z~xKeIjel}es=ou z$U8nHqx5Cv?f%W{vd0P0p=k0^%$9B4Y5Rme=t$a9x4G4R`_|^S*Jk`);}R1kmvQmj zy1}gB4}KTjZSGQ_02g$q!hmER;dVSt$pM%Po@HSF^~~(c=TrKhI5Jc(ti)&aczgan$K_)V zjmf&VTO)ht5dU%C+zuVFuGD^m-(C_ixfn@a;2oG#Bjh7ont7z+BgFPiY zlzy#$e2?*w0i0JI5+P;RnZ3G~^Vb`KK1--$M>&{kUbqgq5#*l4q$$`1c^eg0EW#<5 zuBi0!mHhwn$zjjYFch}KM z@o|(HReA}0q#1SJrv8Mu@BkxK>`p|}nzv;F7O#Q@JSV^eTCfx8JR^1F>eX}BncZ%_ zwg`Ga3wX1X=il&5fz zha3MX#Qs+r^Y^n`$DKSTr^QHS4Prd*>gQNvM*U7IiC5n2RuSIPQNo$9IqPpY$Be|V z_?!%cT=TTC5t0F2uU#4{mXo=xB|-+SJso{>?%SF}9FRDfOPG`E=So7AlvTGgBVEo( z3W8HZU33L!o6VWs;-~We9{Im+Hq=Gc_klD7VAAT3GH@qHzk+o6j8Kn6%8QjNnDuB9 zC&_Ecx?gNTIZ0}{&=D39Wtibwy>#85b1NJ%-8*8=F*Dt!=k+_@|36ueVDWZE9fEAE z-aPWHZB@m$UVP_`EG)*!s+*a)!hE#>H!v#%y-BEQtV0jKijWLS$*&wo0k|I3;EU;e$w1RwNfb|fX7W_5q(!y?3O7;UI) zGKceg&-OC-s?ip(Lf;-UWn+Sxr+p1>ErvB(;1%c6nc2#U88?> zZ7D*`Xp zGjR?M@jNY?A7vJ^#nsTn8NE04^L^qvYD4aLixp_xnVsS>vRU(I;S1~_c5{kc&bZs; zhP`it{(o=yf7u)&7Zul(q6xc32#Q_#d=ml3Y1qeF=yP`=__pL;qMRa!;%X>0RE!Y> z{^x_}zyCMr8S~!#59@Hjx2Cdw*9`M7Dj;u3s*C0l3|X|@qjHVA0?yRi8Yc|K)Unm; z6n<95tZgAoC}9wzjqMAp!!^6TEc@Lx8&;W5u2zi@)?tgmkE zMi_AbI+?Swkr%98?xr>OtY)wfl(GHU&kA#4a5+9DsHxaVd-@aE&^GJT)!o%4=`?)`Ca03o&$ zK>6;<k`nE9NNcnO^!j~^o=R^DGS^z-PUUxC*vuc|Kqd~ z+_MxSRlJBv{1Tq@>!5-1Y51F6jC=cCSnxUO6`7_(us}vQq*|1iQm&RH)}R4Zvw9>( zx{?73X>lYo;BqJ^ww6BnILA*J?jk5+?ug9Sn?dO7`my1uy%lMKN@2lYc;ilTuiYlX0U*eaR2ZRIY3^!I&*XCOmNuKh2`8>0*wG zm{0n{7o#j@i-o-=h%~nG2ipI-?(TfJLj=N_DR_Oh*Me{)2$n}tfN{gQN?JmNpRCir zJ4T{AAzeO*B;tWCC|?Vtve&LWyqBB-I-qoLUM#mQ=}5u68NxaWX%`2*6IPbcHq z;#fBYW&%6|JQXEHHwZs{09?xPplx53`fZlVVL^WEZWS>6N##TpYSnmj7F3);=If(3 zF!2g|FkSd$S$Mx!yy1lSXqxWpmMeiqM$TH4aL0}tNLu=SdFX71)Qa#805!h$OGOHi zBe7*|l(jAAl{o-8}UYQcBq^kmFiITr0c=hZsg ztQe)?Z1xG(rmGH=i#Oa&*DstlT5JaLe{wGy0?tYe7Sqj?UMUj;b*ZO!8xfl;gUyQ1 zV+j4G2OH8Rv5TC~&K@^g`|4mYIW{5E@b;~MnAbL-?D(rTT-x3K9^?hlaA_iVZA)!b=6ik_@14B0y2+zCqVpa zvRENGKUIk(#+LiMP3^dxaheUVfrhGB@e0xACB3k-l{b||x`Ub|*0da}%&}}s8^;c- zB0lxM4*)!(#c}_IB<1{(dCsHAuPI;Wi}`ZL&| zSS?5E*0cXgwpA=AL5o(wVKEQK!GOo7ABg}tH!&!yWW0P3%C}&i zHDyNWp1o?ewE5vLhPLGzXAWX00OrZIB2p_ATKe%CQa=eZB>jch9du^I**H%wuqvQK z`ye=P^jn9RXo#xhgf_pK^{#E$Cx7-&)#%SDo1=tff-WxZ27Rg2WnA{srI30#k z+emD9#VcW>GBwXCoWIBzEh!IoS0|L6go6vJlfVkc($8YQHuxlhRuho=1m`}+_@f0L zjP4a7fD7t$p3J-J%h}{+KEIKQYPbwJTO|l4<0QE99i|}R3dZQr(^%wZR5lZ~{c7dS z4nDLb%(-P`3gT=ES&cN;&h{GqsK7pLsP)03fA6%YZRRk**JAO(t1RKybuC9S}xhPYcc1s+IL8L z@*AUTc=;i}cyD$5?y5q}X~yZUZh0XmTt0RxIR5v|#G%4$2l^QjRe+1GG2LA%$|E+tG{paxv&j z17;G~oZWAHeybZkCqPg$nHwM`I@R}{l{r%8LqO2t_F@g4=3&>O@jdh+zV3sOQ*-1& zCT8=tm5=*4yw+e<*Eu~`L32He3S9JjW67Yc&nX9UfqS;rhwW7E4VW1Z!#IU@{!0uM1n z{H!9ZN{NNFbT4#d?+RNjIuYRT>`0~`eRAidCTJbBLT)~2hBi-6yYkp}-vpR^u{D_j zpI@~$7L%%&9gWlhtrZaIw%eRY&hcVY_*CwO8Upl`CyoDw1ou~a(c3Xu9fG|rwP`ux zfRIpn73a;61nA`^n0i+M9a$^f7Q+xNZ*bYcei~qdM3N!Sp8Ej1Z!s#{LTBuJcRzVo zYDe)wAD-m<-JtkIIX>!)H|)n&GaPKI<#)hxDH#Oqx1hb{UY+tYcl?g8zEUxy7_*XD zJ(8J@!N|Hpyi7Oj{BX%egiLU$ksaYre z0D3k3^?*=K)#9IgHO+CB^SKqsawNrLXdb)WJg&MKPfL}lyur}pTyRFuTaZw)o)TD)O#aO&b;?`m9{n_hskuGKPB z?c}BNu?mv7AO$~#rp_6zUL23@c*LtuKT%3M7qtuLfAV`Ni@d`_zY4OIwBUD{#bfF7 z8S!-X2^`n%Cf)Nm-MFM(!QIry;ch65P=!FHktX(YW&5F^uc_FHs=Z*wsa1cnoi4Co zM7wA|%@RfH+)3i7RB2FzE--TgaE!>evV$2qspt~hYytf_64RPN(qFR? z<=3X;0gI8b$4JJPG_8Zw;ws&U)-GwYI?`-V9$+ekV zYJmiibmLOY8b6f*uIy#>(i;H{Y`9)$>5MWAdY~E3~9O=9yo(^sj4v%yZ|wZ^VTS@}Vt-f8W>^Zv8D!%=xjd*fUwUlv9Oom3?2`S3}V#9_Wz z@tcFObv}_fRMLo){+>qhSh21dRW$Hmx9xx(5E*FwH$UTdTLU7DXstuxmEeRBJ87?; zFov;!9-X>2^E(!4~E~hoP$svjZCqnSTcKebh4n z(W?<0^@s|lg@P>xCbE%1zcd}Ph`7#>R{n_9cU}ilo7trRjT}@opqJ4lv@i=q#B(bE zRwm;dK4ccyUe`<(@p+~c2`Nd{ynY3aF>Qx~`FQ%vw7c8DV_T0QFy*`1&k%9b1@39( zp_b+Hjauy!AV}6)1bk-H_<5$!j#+EDfKtn$7i-y_c-Qs4?Y;!S9(#rYVH-E+^Ex3o z7l8R=cP|=b;4cX3Sa(fQlT8DakJV#wf8*}8UuX%x5UUY01Ku`JI7_i=%wP}~`zdHZ zR}9L1*~UO#C)6KP zs6Njgk!-S`IS1>$Ob$=C-npM01neii#dlgbG|r(sKub=Onr)U@J(3CX+S@AroAHd! zU}LLLjsb6tpTqtw;{6k+j15SOCUINxZXJ-BD(;zkTWF_cd``M^r^1$(Q;o5M)B*0P zmP{dHo|yzNONO5K(65oL<;>d4&d|qO7pQ@YCNrKFW4BVmEMrFq-&=vtcwsqg@GJ=c zykim>avFi)JJoA!{AfOYT!=~L{>gE(BwbP-& zd#zTP>s9{am0R1zbPG<1N3TTfMxfkz!Ms(UTQX@26z^94xLLR)p$pb$_J;j145Gxt z&R;CSyu;Q(ydcGn=&q63l^iE35y&I3D!pD37V$anuNAW!LMehC5#?5s3E7-0)r0v5 z0Y_L`Bk6t3&^zl0=WyIL0Qmx27$sHm`5j*Io39L7h%3`&fuqw5*4LucqCkvm0)zAg zE1JS}RnmDUs0iG`SImZ^H@SN91`KuIfgqqNxN&YR*3}Csnh8Z8>^3fe)+o)uu95I; z1X1CT7PNPv_dQqMQ}HP0q$NPkRceU7gD75^~yDE!6=Ehzo(N=t(ADJ25gpMx*z{6lc|( zT%(HAk|qOEoW)i(4siKrK}hFnb&+B65|zm^!q9NBmgMZiw+O^9rfVa`8>wzy4BaLq z-**A;HRVeHEpZ*?C{o2^2iFa&Gp#%N_(;0+wg( zz1E|H7}7DZu!_^St)8*AO#nd!_JjS2149Gg6|Paf%McPU9eK@9o$`muScty4I{7rA zToP1qBvUZ^c+7Q1fS&%G!OZ2X0eS_JVj>K7cpk7dVP}wdGgul#&7gHOQoIp**)cvt zrdKGZGJiIqQ$7BNOc0|~^xXQ)or|s@2U++Uw;n?}Ywy;kpB{i$;C0rtMKFD*SW}s1 z()34w4qXt#wO#Z*1cj0Ub)t%aip>n*p*d)%=jNI1eqoiNs>1-%r7Y$EPx!D5;yam) znJ@a;q8&C|exfeC6-9_%89D{asQ_^^ci5RvO-e@!@c&|9Ny(z73|?NF(J^#^8Gibs zDw@C+UX`?1cieiBY#Jka`TexZMkQhRr^E4i!RG

xP^;oZsq(%jqwbOn*36d)0b1x3|w{rL`oQ@y+Kr^Gw$dQz5mIt0+ zW7*kbpco(EGKcJ<1lIv&KS#3Z_$?0J`VFuLr4aX1!7ksl@}yj40)VTJ#_GpYGcBoX z*{wMkg>KO}{vtG4BR-uBLoU2L^Wk;&Lg75J^Z0tq7{2Mmk?#SPJ8{WG@8O*p>|+&a zYF{8;G`>1xepkU}2R^uAJW(X_}Mr_DUO4?X5cL30ehl9@k3wAH)H5zQfKx7MMIa zH&Z%45VICMDCKsvE`J$K&#ll2Z>rmzp6&!~2Af# zm?Zd0$WDy(FOSpEZxkR$L_rQm=E_xQP)m)FT(_5 zz(YsIi?`P)24u&IsnhbL?*agFITO+uo3VRz^p5L6^FqaZ9u6|1zEEz2+h&L_b!}Z5 zs|i$g;pI#5m-%&#{3A5t8IfzsOb)^S87n%5uc_5tj^Tzk0}+gOeRRn8rXBc`zyPYaL;3-e6E zZe5oVJJ_RG?0$@HN|#WoJ{u~rjY23(E^cd4AZZ7nvp{dwpRJJ*2_J6RiIy;$rbpnQ zp-Ja&4=U`Hk|j}l=Ob_vaC(#ViGKfubayx7HAe^rhR;EZNIEEvDWQK4%F-zpZ@_6VQX%3?TDb`KUo;q8vx$1TNW;>=zt+F(ZR-l;!1 z2cpc_x{;uH`E`V4QID7v{yUjRK@Y9+$rschbjM1Ki#OW^Fj9hDd>IO8Pw@A z`#(t;M*VvgNr?sJ86G=dBgJ3G#We>D6(lC!%D9$vE5P2g!r`q5B`|h<>r>G&_za6g z-e++aD}dZh4hg}KVqK9FOYH(u*LK#Aj8!|IckWYX=cSozsq)f}jRY#upXQ}1K?HR_ zzBG-7r=@D=*vqnc#tFo~OYgToLVMV&DO1*$wokjf(+AoQwnF2#F^oIksb*F*C$d$? zEXEzk2y6e`-OPw#+1|`FJA2$sZSJg?rd0V)_#o<9JbHd87@e4s2#fEFY87C)R;nrO z_K!u)>L^XsebZ)v_|&!9);M=9Jdmip9j^NJG5pB-D=kPP$uk!ssCb-Nn+%SS3@&3IEDR|;a*O}L+f$hOD!{id=#S>IL%$Lw|N zjccWSv<`&syjzWkmDIEla?8dteW`B7TUR=I8(0!5&D_5fve4r5A$5&4%biT!T5$XD zC~0>dK4}qHo%HhD=GU>pag)`VjBi?t9TJMIOmDBDVpUlYlmOK}F|)Is%s+M)hMASv z){K9)=1t#!^!PN!#^-bNsL;%PYWQYfzt4UY|1vBS(zJsv3Aq|qCM**^0YJsz_h^^b znz`R2O;yJMHI`w@-iI8o@w8C&+b67lsT4VC635eUizYSEdBrV=uQq$3_vkGZv5y6o z5&d!ZFLYk4I_{0Oj_msHhp;x=*Buac);$AvK1o)h z1>{N!10h5Y?HhZrz0MsUYNTW(RRmbE!&av-B6M!(hlz&=w+rb0uFJpN*!(}kqBJW< z%*F$@dMouS+`5gLcBEzpu}acz`_xpr8!lFoEWPT?!d@s|MZ2z1Q@Q==QVpG%N68S~ zVxdto>aM@w+QeA{4~I2Kgkv7UiyqQVtuF=icMN`#6gM@Z7R2Jw%9*GJGRuC--c*&* z$AtBQd@l8xOh5ePyg#@ze&jxBR_clKSdKLCe9kZFe>Iv#ls!W=e+CuS&>Bu_BL!=n z+kKolTbnLgbw=nML->D)(e(@}8k`Mc4_`Yn9am{;+;~l!)NC|;q@OMSEqC>#PO{>W zeD^2gw3J6?jd_835Y$tfXM^8OweKXBk}mwmP? z+FNNad^SxO)P5o5R(qxV_~|yJ_+wH$#%spCO@Jea-8`x}^sT>xCr~$OW}Ls9$<@)Y zgt_#L>}%SJc|yJ}8UL6V1Hhvo_OJ>{JIk;{(_$GaUi@mjiSK1?g`m&uTY^9Oe^uG) zzKo<7#P6QSF)NOE*1ZcvMUi=A^WI_zU|tUeAvY3*F(}(>PgnEOUs;JN}XjW zc2O;vp-DV1SR;V&(T=rXWv?{u#E#vd>7`oTcorMyMUD@WXl+e8;6{A7r1ffb2I`^t z%K5Oi<7}L5ak2w;2pEUTOFzf1jU5+ST>CY;!Rx(u1w+YMtn`Jm=2}1Kbpkf#<_te8 z%5vh56v>(056)8Mz=m`B)pfUHijpz670Y zPMc``3ucfmyc_hK`b32~LegpT&%7RFB$@1=-|iuk;ZqKWSxjBd$j?%A*EGr)>s{;N zl^#4-*Fcah@(N-N}JBYV%*^p`G%2@M+>+5M5vgI#M#p z^Vv6SCC$KHZP%;eOVU9AJ$2Q84x^7hg%8QTXeiWu@Fl~|ESd}BCr)p!dCs(lkEqIg z(d0XEfZQz8P`R)KINSg%WYG+@sN(nL84CQ9gMmY;%XxC*BQw;BcD`^2-n@{_lxRD>ZN+Lb zvdKK>%!q`E>)TxN8J|D((e5L8{hYXWc4yj_@~=mn_+l(2Tm0gePRLc1`+fml3^o%v zIrt(eVU~jn=@NF10o_AaB`7%s0=0+rNw4=pY z_1{%1Ku(g+kjlIsb1TVeR{|}Mo19YG$pw4FT~NVAM#KVvtm{QKCXaJfa;8gO$aj86 ze=3H&ZobG1H9K|oiQ3&Qrr?VVI#}NRdAwr@r4=HDzq}u-{O6(DVhLe+k4BpH;?P$n z-ukzU(!Mr{JZIgN!HQgT9_N-?`tot(dT^|B!1}~>1(4C=OiEJNBIFY-t^bLIrWWVg92ClRxrj7e5zQ#wB z&J`%Ln{}EJ(OTP2szys*XRZBe`cgTHbJ`tz{jkR5ZlPL(sheen@R$Wgnpz5-G}Ntr@Z193puOUbuLxWkz0!MZ*a5r6VUQEN zz@VEp6}(w;M8z3fuP}6%i>ye*QXP-n6G!OvL%zp2T^h0p;uINQ*V-qWo*!Qw zs{f-t_YFU5Rkmd1QqAJ!Ae_dmCH1{gW#UM=Tv&|nYQPQd3=OyOnLyRG)u4|3;I+3s zq#5!Yp~R^r-K(|Bd#^UEK><>Z`qQ^$t?QAtHo7iIAQ`v*l>bMT#gD8BqI7INnXR4B zr!v8TdRVYG{W$S)$AfO)BqikId@Cu7xpE9Ua_=6tK=P^ArPv;m1x^*oMjmR!p{D$x z#XmPnb1~edZw%`WBzIpLYOE!c(ueosZ4#}Y6bFJGCtlMix=!wZXFq4}Qd2w^=1%od zE2VB-zRK1$-t7h+Vy7_?yXdd1;ZiIX|In-LdVE|~$*Zcx9iHq?BC=ZNjtKy<+l%^& zIUW!H%!i8_w5qdz_Er2vV3zMXPqMkbuHOa|bo(E!+8VTnmY-62UUTWcO(_;8YYW_| z*>^3u-rOm!1LHllE(g_Nu;=CK`mt=OjvD%9dq!x;^ z5zD1SNz{5v$nY%fdb33kdhJ3P^|HQmpu){~r?mc+l5lyyrN*IajRIeub@=!T?NGeY z4|)nXENbKuhu4=~Ybwl+S&)gN;PtFcPsl14{mVSXJwHyU$ix@Mw)$Mt&{8!7*c;xF zSa$x*6FRuwr4GbV%j<-+G(piN&*Z58RD zz*wl|GHnmyi<6P?3*UU~4c_;0xR3HpdkYsSe_JsPGTn(R|2&*8$?66B(zo)k!!2;21tVFM*>_n50|H0mSy*1TE@1iPIP*D*O6@t>FiJ$_~0ya94-b3$%qJWen z2#6@4LArFMNewk1Er9gid+(hPdVu7te7}A6-haWlIyYP_R-Pwi%{j+-$6Kb-*h^Zx zQ^Zw$Q3JNO#q+Ry5K(OU2 z`cuq{d@^a3ddfr5=tl;-_0Bzyp~*smTYt6Kld^4@{7mWnh$3-%6Z|V6HjmYnu>s!g z9(YPNM)e&%-tF7iKlcA>2*Om@QIIspK$U7nC#K)~F;1K42BQKe&}XkCpDi>Ns2%R~ zRDgTHf40Ks&i|3U9No5-q#WIGbaOK+YlIGp^Tz&w{j1WBUuYDu(AZ{~?TqAhHTUuPM+e8T2c^Ff=qSd-D`}N0DI}dym3XntrfApBm{VZ-JuAuUBV{6|c&{ z813Acg(csD`(Ot6hKn-l*22Q9p|UTNHoM+ z-rY;4_Y-63S+;b=A8d_UwG-FsmfbF2ylX%VIGTp#km0mLTzVhLC3$>HO+vmSr9F_I zL{Exz@mf7sbjSVg`-m(=-Wgo)>5tV}t*3L8LVo-VPlu6_e5K%4iyGlAeus85n z>U`28s7rqfIT@Z$Yhc}yDJ}8%?*ks`|9D;&@m?X8$ zcrokNI`Q!NtUy_Q%G~H>|NBe_d2bBM)g*G$kD1=0r17m`TW#??x}6rUYcgWijYngm zL(Yc1$iuvd9E05jvbSeYGrxA8^pE};fLCU9@(E_6$NW;k;UFYLQ_F0qTe?+pFIQdz zIHbXFP#?eGP<23YEo`X6Y5cxv z-w5GGuJNcg%VXOA*9#zuCSug$2S{&1il3d)qE|MINv~$7NK&P|kzZHLoYW;Y(fPYM zrpIM8B>F8Z=;V`ojGu9@hxIevyH#Xe@orE1xOA@2M5CLit`GoPF`F!A51?Ok>QjL~_5?r9K7p z$I`hBDGPJ5Z9L7-2+5U=?eUW;V^K8K)*E>x-(NF%!ztp`@`gRuv$G7fd!%z?9fRI? zoRwzD2mvt+{{(aNyQ%^n2c5{;l)PZeH7-a%563A_o|5?;YZWUgjV1Cq2>*_dq?=x! z)wl3H$xKhY5BKedbo9DLqs=fGO5ewxu>P+OL6tqce^)kdB&2Ec za|6GBUgC3>n*yNi;*LkrnalEX(b3lg8msGM_;VG<8$IG_W(>4{tejI=GVg$$@JMs} z>@#x0$!6`G{r**=i8}k_+L+Sj`CGMJyV3oFS=HB zT5{iAD97G7syR_)_*&iHd3UjXjn}+`GpWW)h)o6>+#WEmF%{52p%gf5s;oy!%bg+Q zf0nK*$;uyu3dA|4YuAGnH8p!fD^IruwHgc$#b4j0 z`hMX7*zG@!ucHn!^bt?b-oqWhN#hH=d}059(Y4X45J<`zh53%<93h-fm4si`kSFy5 zc32OupjA4`55wF6p67?ZowQ`O8)w(IoWCz{cTE#?%`J)N4e009Ob=Hd>lhhB{ymJP3=1vrumNJ zV952jzd%x}-YQgq{J{b}>1n3`V{w6-*(h$axE)I|fZ^l-=DHZGObn{$O1`SOMQ5xF z-?sr%?~9pBStQ_1_?(KOS2$mgs$bilsMlRl6*ad3%?BMM7R|hzi~Vr1nz9U z^YN#PfJWZ7<=tq*sqTK3*lGsBB>@8bG}XZGm^|yw0KDmn6f%tUTFdzg!l|z+c9bJ> ztKm5hlg#STy{&X8z(@i)!hEA*S&zYLsXOzl4tFIt&y6!H%i2VjV8z;VE2@@s-^h<< zx)~)GRZk9ov5vqaUxizgFY2+zzq-H^iAF{Y(R?0e3tYK-)b6w3bV|0w6$wm{+uf(4 zXVyO6gT)9e{h!4Ee|sgjzGz*QzbGD33$qQ1GR(+sc-+uHZhu2O32lIovNqsuIu2m* z{e9^KRQ(%u29%65$b(;SUxN-&VLVWSuB;=b(-EJU49Qm7-SnV@HTi15p1qq)^e=Fr zeN(yy^nxW#29Z7GYO50H#Ek_MxYqVA8koG(p}@;@Zk2LoS!y1Z{!1DFuY49Pb^;7r zIr``lfpq}7a>Ag%Pra%c2b?Ui%YwsPex}>sM<0{Nq*Hed)oj;6GwOx6#TRddAgU1Muq~Tk2gUaegd{O_I81_KB8c>@xAj zXiEVL=OSywS@I3Mm!bvoEk-^mn)_=Q)Tw8VSFcmp?s|&0&TrsX`zZ5=xMdm)yoavd znwsZwbfdJU+wmA9aC1VVH_RAKTE|m+c|>3LnwexgmmRVh4LbUbK|&(KV0vgm{xtz! zlU|`@>8GeHLDr5Pw+NwIaelg)>MUM8yi5)(1R)5xMc72HY+}B3WDLCSLNoUHykqv! z8TT2w#^=_dUHm*jg+}8IDe~IR7os@9^ng`_*m#`g#?w4=+i!{fT<(AyY7?~}d>*q^ z1)qBVD{M;gh@aiOL#y5j$&_$I7o4k8@*AaA9k$p+GMdK6I01u|Zdzwcfy1#Vebxr& z7S##bcLso$N~q1@-tVY<0<{w5W@qyvV#)=jGqMbTPW&ag{)D!1$>;El3Cc_FD4+gk zv2h6P|3~)*+4KTz4hb*CtZaFxZ>hMin*}6CJ63V?i1~PAB0IX2@&dx?aO4OjPaZe$w> znET`xi`pi-eJ-Zr(rfC-~tVm^cElnA`t4!LU@Y6aN-C(T*&1j0gzYIJ#6DY)} z?W4&RwQ*a0Ajw-oA{GwgfgOyPE62|8NIg?eUu^!$S@<xm z@b?0!W*S_#0memD2PM+nRb6kf@j_J9fAg6H2%!hdjh_3}EQMkN+XCc#fsGA4sad`AejyVmd$re7b6%*tuw_S12S!8U zIK2vZrgu4FQ<&1P3*lbdNSgKs*>6y%5fIZOxs`(2P++}`78G?FNQ)L%rMkMRl;fFm zy5@@xLaD(@($?8$!imB2ETuj{6gk)0jAZ*}IlpEJMw5Wf>MTGP?J75P-@AkN4xDQ@ zDg%#oWe+j!U1z%XN0Q6syG1vOuy$!z4~bM_)26^ z6&tz~~VXaK`;TB%r z2lu!GBE78qI^}?{hYfdHNNcJzGb+)p!lvKb;M8!;Gx6Oj z6M*ZPc<5wEkI-lDT8#pwX-!W;X-{4(Bwc}DXcql1$^`zH!*UmhHWABB<|9*mY{~XV z{9UBOa_rQ@KRg~T%X*Oo50f7i))YZj@t|=p_V$_p#F>6_|3zn6)Y!e5$mD&lIyw8v z9%_nb??i5_5A__Q*b$GzI~RNGBUeNae;%?$eu}(TVk^4+&9amIpo&%2we(`#@kNmN z`b$;9A^^I3j{$J?KuU5bYVt_ZzY+xqrQGo#)0kwNuWTrzuyhPi&)UfvAcs=sizJQ}BbdGw zyUL}kyXNQ>#u^WT4qFr!9q}yf4MQjKUQ|MU$ELnbreid#FxC-MV?R9oNkIFd&n4T) zBTl;*Z~?Z0xDIb5{D7<1a^A6?i(kD=3f<@-sO*E&cKqDGz1v!o96pd@G57hleuM3+ z-}5o67p||=etI~#Wdb5UzKz2S5}95U7CY*s)uy7TtE^Z<$v#qlviE$z=cn`z@3YI3 z8wxXzz0W`C4qT=LyNwJs%N7=I>z{o}OQ{2jw<>D7)co8Ynt_btGiE2g_;BtB)w#F6z14sZ< z7ZhRY%Ee?r|JC9MdA4u?q*t@1=F&du9M8l=mKzV_A@OxNhrsI7%V2e40MJovO+c@RF!J$Uu^E53|a|Y?O#lUCGvz*zTT_GT(jc}jZ9o;LE+@kT2FEF zET~j3O?=J_{-f4xDh^tXizs(rn!7QzT>n+UUB2@{rI$8K@51=IlU>Mw5Nfqm8J+4X zmymk8z%sS2%f9M2Uw#l6*fZjCP^UErj-Hn6+iQR*51}jJcj4z5pASjDiEt|2h;_!H z*bJ$4G~uIDFv5y+EWCJg)gJdTlJpf)Tq}4|=r=k;xIlctN(x7{20!dTNnd4mo%8D> z&C%l-@m!`cq>ts`-4`s7UmPR_1E2r-@0{Opz}YA1w%8@`@KGbhr$@<}FONZo;oquZ zg*PfHi1UPhEQ`F0O0|Ndi!OfiL64GO$P-b;`(K=Y9WV3W+n|dh23a_9YkAz|dGH8G z;@Ko8q2CCzFPF-B7n4D@+#L&If$HZaKmHmUfy^~CTna>LZmG}Fjyn{;{vCZFJRt<@ z_uko%UCk>%0FZ%u&>+{x8yAK3G%V<#DW*!I9_rwuzdhE0)NhI$THs34x=w5#fPg3l zcQ2>AGTpae!uc}JRY#I7|JMJ}a!CMI%L0*!0AqX2JEWArltm2-*jb_8^2-L9>{$;*Ym;O*$>rwzC0Un#*#Ry)+ujZHg0^RWQGjF~IX*P;@Sspj-<3R~|+>YYdULzE=i#d_!xo@aV= z>Vm2rQd(4kn{tthiZ$z59<6(kUHP)^x0V_-quK{Ij^~PfqG&>>U!lH3B%6#LFO$wh zfFoc{LI}MQiQG5*`v;pi8H>o9DvU16cH;FllJbG(DtPbG|K{BU_U#W1q;@xr5jwH^ zO$T~4S%rs1=U>XBS0erDZI^xnb9}|ce=i->FMwVRqS}|494-%okF98^NvyH>fc3(9e}>5dqy_3-UL{{-DE{d zm{8JLh(xO~@JozoD6mB%fO%O=NKyU4O(Ppw@fn_)wGRAGvC=J_s#K7Or?4W+jD?%r7W1}v4YFY!Lgk5W zTJXAx9lZ_y3P7tPsi=lI-?|>3@dfBz-XD;k@F$(MW-*nf3pN=AFNM!Wu*9J>QE=N# z{bOoM0jVt@p)ET8SbyPo0fnCRVS>970q?bbmGsxPQl1GuFd=8};2$X+M|W$!&(NIg z&mZl(f$ts@w3ggxRx`&R$GRO?)u8P0(#t7LJl<#js}gxnu0(#4Q{-54c^LIiN>a`R zPiFvjw8dR~C4&`Ni#UH$vbN2Vb|?(hC37Htp1a1`E&?!I`7uYT{dqQOu>xdQyj}?6 ztnqsa`e@tIP{q3AFJD{g8Pu;gdcvKUf#fOu%fefd|R2PZ5M5Shw2?8o%o>gXh!&;>4Cx6*o5-`zAy^VSk7M}ml3bMIyUyE zV_&iCOV<0c4lQ^G?I^^0QPrs9H2jXS2Mi}akC^6!&^^AUH%)psD0i&2Q7cTfAd`6} z-~~O)1emXV7A*I>eL;PZv;4Lx{*=YFWXua`UBDw?Jn8!H>Jv$>OEdb<$P$K5TGbOk zX&74rs26v7+mz!X<2rX&B0p#FG)di&R=JVa{N}CedQ1DY^K@W1uREHc+IoMM_xi93 z_5y;U+N7>2p3`j)`- zsx-cP%r?a&`(CZbut8Qp!Yh9z+k|*$Ry%7=Z*0ExfRNX@)y#5&OR^@|)~yyaEB9H( z=2UXI9Wf2xV+~-|JQAJN%vJ5;$#TZmhcNVWwYnOENP}bRz(hg_V_J4ZP5BGHr+t7Ze}ivi~i;nV)u+9;VN zKFFHgpe^`x?Am1dbr7L9xESqsz7f6dy^X8YF;~3hMKgygTPvI2**ib|_R8bs>l4dw zZfF?PPkkaP&#UEUrGh!t0697?=GmTn0h7h8hD$FCKPF8UF@pbmj%hGpJ)Z6B>8~3T ztyYE#d!cf3O(oNfJdC^(Sg^sk)RzZdtaJH^>!lKH8D=3MgWVAIpDFGA=#Q`Z>V4V! zJ}NJgpm`2_s!Yn%CTC8p>TCGx@%bQ07*|;TUXCClDoDTz{|@^8|b2(j!@ zjC7i8<9w?Ez;X~qUSEKmPT%w$O?TvNp1~W|i;Z$^lPXVD+k*wapUn@F)<+M*I9m%Y zyqEcQKzqhT)lAkuDLB6bNw1Zc+V_84iZ!imSf+T!4@{w`=JkHGiUkwn3X^U)n1(F*ry;|ar+DhN;8{7f-t(&=DkxT6}B;wJx#jW)l zw1V#bi5|+~8)Z|>fir;XN^nTXASG39|Jc*K)Q7q6BTjhg2eJ=OSb!{zw7rfaN=d2P^0@;~EYxT1ZO+m8 zIAAhAv}$-@={a!0Yhu-W(nTL3wnNbw7q@+Q-O0KQ1xyeJ5y{^@dL2C?WYaJVjKy@8 z>rm=RK=%PI%{jy5XJ4p83hV(W*tFklDd7E*KH41OdsH=(gaH2J51s(6YL#WiF5OGD z`Wd5tZ*WfN#jQ(z4mw3pADb5`R{<1j9IQO10qohnO*}nT|EgO+r6jhDE`|JwlmXN8 zbv>C}tKiVF2p$<528ZA=Q5)3y)D=$yz>vQLaDshO1puuju24kyJ>BwLb6CZJTlFVliF;5i@inal5FY&xe=1S8dE}NjP{YpU0KAe zKMha9&vk{3eJ&i z4zml}^j^Ko!L23uwU-BqDaW5;*@rkQkLyFlUo)oIVXo>9uLtW%!p!y*u#4$d*LSNdOVVUq|ZaO z?r=ADGAAv=aeS6PYZFaqOnWytgZb!0apg3Y#qAgNyNHOgm1WEw9#D{T>EF zHTCw=)agyGPjKWSj$z3@Yvj?+lj48lfX>^tRQVUfb#v<^`SR2~fj9(VAccL*4P{v5 zT&;QFo|bWZ?qHbrYD54R%an9RcM}T9c{CTdx)U?n--+g$EC2gy8m;XL*u6iagRbiy zaoOkQ6)R`>V3pqljb_a98ki5!1)4N|et~EFrgllhsVNeGZCf}_lu8l$vQJufyI(E8 z7WUELewZ8`Muu=Z)va!fQp`9hA{!#MSb}#oK4W{#!m0o}8DDn%itN!}Itc&cUk%|8 zuPh)re_`Zqd|aCt+@Xsh(_#=QE9fDfiwbixEwTR-^e*nOQcGRb1CF|s#n{WBq4_}Wg>nMjuVjW6br zq}1mAH_<7LaWXlUtQe>t1iWcWfz@$Ao7u?Lowh-cqBwH`@k8(FhX38i^ppsYqMRW* zRW~`;M&-^?oJ`(AG7MM`GhOZ_^ee42&ks-UjjEASp9Zj-9^~lhG@9;)=vk35UaApD zz2EWRqT$>>n(aLpzNafjEQCCh0OAPq^gVn5L-QQD0MFoEk(UO8{2VXOby+R0kFQ6(4cW2AMZ5Osg zti8iNem8xZYK54_=g7#Va0#!j^@qxqDG*-m9nydY2wE^5gf18^bb7~VoIpyJaCU#V zHk#{!fl)yTInws0EYg2#qJ9%GLe`A*MX^X2+=$w66uY0*P(J=9XH-p0(5r!Ds0%o& zBZSJrEJT^G_Hz@Wy$giU4Th12gqRpq<8hXw0>(Z%jRf;n+Q)9ymRjG6{L!P0&c|Fi zUiDjnkUIVjo@nE^aYYKCCs2{2Vqgt4O4HnPm1|O_lzwW$7S2SBcgoVu<`5P%t|$zU z1QL}A*BX>BN+ImB`A0B`DVb(yGeBKSibDNF-W_ZfjLLUdw|ZGn+lO!OK)B& zc_7h4N7{#w2HjpEEhe8Nx;3-158bevs5iSV>(v?_BIvI#CId)sdxrHbuZHsDk#{Wv zDtyXnUbYFoI99q%NRZe4tPf<%mYg5WVBcA(iXIqxmp*uGR!{TM6mc+w$S;&?!!UTY z3KjjgQU)Zyh*;D1`U28H{cITEe3~D{AbULf)nzD``g{*edf%KLuSU*Lg%vqYqXI2# zd_6$b?)Wy|(8N!9wQW|JY5hArdLjscF56KHLBt1 zkbc{UtMQzzK&CpnUvvALZ9MIrQ=q|x=6*)$)B+Pe-Bn@4nhG#ZWUf$nu-eE|;4fZ1 zca?eQ!!(-X5LgPu8|Te{GBqm6wc&EK&#Glh5)Xi_oZhC%cNy%VMwV&GR?Z`f9wBx^ zO*d(ca~9O*R@Q4Y*Y&BJ+>!`Pj%5TdWnTFlqGi>s83{L_j}7)PE^+HTJW4;WPFS;M z!5V$V9<6bMog^=!!m7k@KR&4BRiIfi0|(c3s>nEvO<2)X1a?}VukR>mYB5+o)D1ly zlGnL8BUHadah&1L5OcY^bj_5wWGd=(k5BNiGW}>R5HDk8%KDh5YXD~8E z4ag{pq1b!{c~6{C_0X1me-bc!Fsj7o{EO|gpP1i>N?fN_R$%ut;2IK|W}d=@C_L3o z;quQywlTM^`86yJ3q9_?pUgZpX6jLwRUKQ_A}A9xGkm{t#C-SgwszLOfvjs3>|9s( zz%y`Z5H{fguL91Dd7z2Y<%!ly>WwOI$*7L~Mo@7KI`5FxB;Fv7Ks83jUmWhf9l7VV zAXbQz){k55PD|lX(|-VHKGn#UOKbef4=lOz*|- z8??0gct$2+?>3cUs1fRgA5e7sED}}6wz;UaE*7MuZ)OajOY72g`OU7$sLJ`x(VMPj z6u+?L?)^}^m-J1SWZ`iY{A*dSEaxHQ)>#Of6U(zN!kYlc`e(}9N!t{}9V+u;pMSp7 zd&y2)Wh2Qtrt7?&L*gMyO5hVB5dOJjB8@=b3V#BJL;s_mc1BBDfHNg6%6?#}4 ztCO>Au=HO`P0d$*zU6}ca$~ijMt_~+<~9{sSgaRdejPb6F|FGtQqWM*vgyV)qPoF) zP;&7+&XoIv6Lg|jJO&SIe7~aFZ(OSv-{xjy0Hp@#;5#LMu8_#=T7C(-yk2rNMj-{* zzEJ|uNU?25G&^-K{F&}5G~9nwwHc9wI2@DtaNm6LbX5UtC^E&RN3oc}-&5jLlHb^( z4WF$xtH1P%Iv^~INWs58|1VVg!EwY9NQ?~-rsU7w4h4D0HrM#jV*&VeodaLnJJU03 zH0zDE&{CfMkABj435i#f+*iNX+K3VoU_fWkqrWPx;d=+P-Zdy;-Dx2P-sqlKZhFq(QD5U(*FM{B7zt4~fZrSZxggk?i54Z4n zlzr}T6K`cZZVaAt3oj0WEz5A{5VGwO^ zWq{pcDE_fY8^tz<@mjJrRpAwW-Z#e^bpDSR#2M#@=RWx&)PXW9_gY#qjZue^Uv_MI z3?iCG!j)t#I`EvwLQwCM*o?^7#MOQ_GQ-Pnl*=>%HClW|3m^bcqV?J$H*ckTFe!*M z2NG+GUF5_Ff&*seqhtLHB)!|dKAPIACv6t3d+A$+fI#!I5m?5g4tqZJm}^e=Xo>;9 z8XKpMa-hs9&Ee#Dmz$4i|1L{d-J}xsk}s0vggfmax}J^P@;5cq(Ci+%=^Snz4TesR zwS|iV67i;(^#A5%6{Bas^6BXT1hybrooYA_&Oh2k|9&KfEN^f9 z4v;dLAp=(~QsljD?J&XwTR)=<;Qy&;xxsfcvQO0+3uHy){IL$Y8*m$tUOhH5)z=bV z@n<5AKIo~HTgf2UB*0>{dnjocyAr|Nn5rqjS}^oN968RzvZ;V9yr=>M#iF|7R{ba) zJ*V?2Oh?r8U+T*biv4RWAzKzBdrZkut_KY#%&S-O^QE>eyeXEAUl|;1h|7( zhM!eT$f~BWE_&HM2o&A~vZdQTuB}L~JpajXJyFTzUpN9#p6E?7j-u#f0q+2o5nfBS z1&)?iehr?%dQflcH@){6vB(3}3HD|;!gDG4P7jFRYtr#xmh3Z5v&7wXvPN59Bjy66 zxg6lJZ;MwBDH#=^Znh}A<*^iBD46PY0fe<(XD!VCvn{oVEYKjCcnBSSXDxn$+g+R9 zTxNyNLrF>}Vcko{pC%WI)}w2XCl7vAC{y{tv>E62RuetjlJ}-zMbs4RV}}4fs!KZ{o(T;LU4oZBvf4m^<^jXAcN#U z81{K<5yL6;tL-&iunPCtG*2@30o-YKk@d9Y#5r)6<&9q#5 zyd`83R*z(Im}bDKwxjjtsrW};^Sd#0&}e(=*cT)L$mk zGR6DlGZY9vr8qID#5d#${tbA(+tbfYUwWV%yBYpj*Smk*pAsy^GBWm^*q08HOE~_Uvzr<*IBWubb zICb3KJBTqIxl2DT#wSdRTIY8?k@nKLmY~DiB4lzv_d8G;ycF8`R5ltt2<|dl%I?Yh zgJl~OtfIHz#SbHklU(O-$ZncK9gBm@P-VHRbAEGvl`)H;06d#Y>CH4v{Mt6z*YJz%LJNm~R%wts z;8~}4$y~+h033PiFhepjtOgUE@30EBz;BLPqSQod4)R^L^brr*R>M_G$IVz33WRRH zbsf}D80!CdTv+c_7WRx%cTy2XV?E}5Q8p4L(*xidi*)Y*jIJjn7MByM6!WA2d5O2_xh}8T{e-!2SQ8~@DOu*KW(cL1jNCr|ax<&5T2flGDEo25$p3bh$1 za!-1y{a?k*Y9@BAq9Laxk1J03e> zR>Vh2S?X*R_^X%K2^(#e^5P{5 zHcWW3y~B9$sgIA$-MSuSH)Pgjbe55K#L)=Z9)!k6d=?dqdbZiZ17EZaEcKm|N=5k^ zoOX5x3&HJlWAzVG7#=2Yb)#fm8Nr}WgNS<^$r=s7{2~nyu|EG##Cow2E~go*Df<8# zumMN_QMnSHtx}Yy_YXL(n(06Q3~H$UpdE4XqW3vZfkwelWn&ASm|W7zIrIosOVXr$ppo4i^%xvrN#rb|U?x6vYVtAiD`ZWzC`RHD?Dc7%HD{pO# z2Q3YkLA(`}P>oqPNnWMxi(cd(zFKG4qP{jdb-na)hMs$wigoI7kYj`81`9TI|ANf- z;_s$#wT+_|)FbZPm)`VqjM%1J1akvDLtDqK*0U7%^!DEdv?(LjYZ`u17w#FE-;F3Y z@b4tGd1e>eF*mGu82A8l0%5;8z1GO;9`Y-esBAmhjc8H8OUSDpPjjNxZd><55G@>P zb6d-6`j1R(jlLp?0Cqul26_YH8=LILJ=BzDE5B+6}ti-*!X)q4)S zM)9lh+7k(-`7AyE9q(%%PX99BZ)G;?Vs*9)H`ug67g2dYT(yYSmKpsn=zLWH@l8dw z@n+Q1NTTEIqq~xyZ!KB|0|Y(6*A8KK58`CHPo-s>?Iei@qP^+xOuZ_bCrKMIrzhsz zvfauDrciLbI;Ap%|G2;0_LjA7J=f#nl%bRgTT72Z=la+*yWElI+aePq;DnAexR{v{ zj$DU0xF1W?A2Ti9xqK({FC1-k&9d1*cW`AP2U?Hbhf&s_uI&7reBW8I`!~St``AA_ zw7aT9Cwo&BD;r}k&1y(<)gO7;&8Rcuk9h%YHBv{OYK$XnATLk)TBjUG9ys~LLwzW$ zZn1mk7tDO@HFL8*_CV~aGKslY%9cKQBt3kH|IT&EuhqDik>%GrnOX#{*mxb1V$r=jk0WLf6=Ooqn&n9UiNgz%H*jkC;ZYnA{xXNnFp`j0DS?V$O6y zUePe9#~11_!oN7vO4fwwLy21@BbhV4$GKqZ*!ff=?pg&9PSolD}~d*$3mPCQ`!nOdq7|T6YMu&1)DGdo1CwIPk{Z;jBd!{C!hQHF*JZ8|hsm zZOo9Yo^XJtf6$BWlmq%HD+XCtzoMI&G79hSV?VLa^YrQK%3B7-@R;^JsqYZOI%z$z zd+>G_5PAz^gt@~-pDFdj9>g;CvD@z|SGLONUA|w_tZ3H!m_y{3^D#P)51%u0(C!G7xeCoYnRgzl%;tPAqoB zh$+@4)H;_sd-Q2k?|yR;)U{hLyRRdMQyZN@`g$fm81 zif*{MfLg%SbE{t?ke`-jOd33-jezVkkKRU%6WBqEk+lQDj`lZ^FZiAz=bQ-RT@fM{aJBH^`)UhRa)m8vaOv9ZOT zZ^FLFam&b+@=`#Sx~{$yy!K@EsAah$TkJ}}!Wp?UL4RR)t-Gk?hkmS9SVuRc+F7J* zi)P@yT{ZSOk?E5UH>SoiqaF%^q(%-*w{m!~NpR(hE3Nzb$cl7MNpvos3Z%UrMxTPSGeF9Q#4<%A5)#A)$^A+nRhGe&=pmcddH;;7a;fNJIJ25Qdv z%2%aKeMf++c*{+E;_J-m7f?czIHSb2h%XOJt&MORX>KBwh7_BXWP34q2HzUtqpa@Dy1&i(vJgSVYY9M;*cJ-)*z{diB)pRh$02maymi@uP$8aH-T= zxdrjN{SR9<<(rm*!in?eSs$5l@#jaAE4ybc&Vtj}gi*UVX`=MC-xH>hP#O^3 zUS8<8_3ag|e=XLVXT6Jo8Z(DHBV{YQ)@3hUjTfNeV4P*_xR`xwmBRFm1D~S~sB9YrI67>CLV~4Q5{G+9kv10L9%Kk0YG0^yRY;2`9GqD~u68 z(eNw1A=C$Iol7#yuZlr_S}p15PDQn4Ejpd+(s&D4TEp06b zqw}g4U(vi^VFw;B*7)ygZ@p4AbBXqdhFJWT*hHn1?8?Jef5700*UR*Z88L zH+@{G3m4IrOzPIVmtJ!Uv$B<^+R3H-CYF-gVgg2mfC|=kI2ho4=!6t~g})w2O0^qy zZf`kY83DIZC;Vx`zEeIZF$VA=Iix^WB^rD`&wZ7$6FqAl>t!D`aGrR@9*w;ibIu$JJ@;Uk8*&(@sF3t1$YO z5l@#p6Fug>Wfj{cMiwE%C=Hg2A*v1d1|;BMo3biqtp-yryekZOorQ72y zbcry^ehaiQ0;(iub2&2@< zG8Ph5*Gk3&vI&N=x)w``#fEGX{ZH&0+bNGp4MFrJW1dOF?5*LKuUI)Tg_z(zY<^PP zp8#wd?obi0{5AMC_)zY-;}cxua7Nl;kb^dGA3QNSzOPOE#9?gMHx zmC5>;L>>BDi5yb&(*{tRpKi&u$3- z9Q@m53CP<|{|=)vZ3^yhKl37{f)>o9VE@+sRj>^FTeova`8)g zWDE(uz5pG6{};W0U_x-MM9Ka*;-R!3CyEHMjTY8*3f3LJQJxZi$yoax;)Q-$EVtBW zee&am8b0Pxe3Jp2m@srdT)QChz@5#O&!jz6f$$Nd9t!De%oY1{1s#!bnO8BTP0DHa z_)s4a^SQcRZb|E`SFsn4Cu3MqFepJr6(Ih-(i(fw2WP{%r+K9Ln((tI>^QykJ9~YV zt#%e=WL=>&)vn=Zp4y;JU^zrXNuwG2_up;J!j!pAVuQKM)F9FSNOTnKPpPf|>f@3H zVf7m$pd(lP2L#YTiGE;u@&DYDMiRR6aNyQs!VGy(DU?FmPizR1C!GQv6!Qq}UP(1C z72bF8he8PGeK1$SeJgIXbU2dE=f_)zCPGE%XMV+e zfK!?Dw8P1g-or)ijkyIpUFIJSO??i*#~%cHg)Y3`zW2KHso-_y+d)+7z_6yXAYEnl zfq(F1=W9CpPgD(;%>4`HfV;0V$AwV=zNn_wfE>aj7Z1c=2uLl2JuzHr{lD&d45zod z^d|gH$k(WQ<4P=Ds4oy{Txidp9A}1=va-^^V*I{hc{|Q$3a5x(3e@w$b4B~h8pN;n zT1B-tHG~cfyo@pRHVVdL*mo}?ik}YYse0AN#YGmMwR2`Ei8dM@aDYv+mVP99{klvO zRgJ^_I69-Ui05IQ6D+OFc#;8;@D=Rmj33IVc5iUpiwJ_qQmelcbMbDC)V9@#Bl3>% zNJo^2I;6N8#gC7^`oNg{2V45F%xx5l$hTy3Ou%6s!UGF5OcbV}QB{E6bX}-bAwWie@{_w@TflB`JMfM4Pg1k#M^)jM4Fsp26GdUKn7w!OccroUA7;*GDO&b`a9j-x}L8+Pp0EX#cB? zhq4}>?F8)D0Jv8$iN%~M1onOm&xbX(;c{J*8~ zKi~BG=1Y{OK-24&SNb6ZahM&oK{o>Rg<$~R(Z~B^<7~p5aDbw#VF>l{GDz^Mhc#tc)2YTVcvk9eF z^4g4_vbkgeW;3!1kR6;d4cSfymwDrUdmEQ8=$S}jqM&GqbVS+Gtw-zVBk-8Ors>sJ z7+{!J16MmNg_E1;J`#qa%Kh7F<)t?y#&guxlcl?OCY2IE+*I8{Hgj>=$L^s?OO?ZA z1-mbM`l8z2Piu`}xAb~1qTRppB+W*nH!KC&k;uUs09;*~KnbS+jtqz~OK-X5qz{wH z=h$b%>%HZ-IvuK`sIL5<{n5Q5Xa4XijTz_+wa%YfD-fnF2^$& zo6G?U<8E@2k0d^9SA5!QAI`^pILhqmDYH3S-b+=WG14gk}* zXZrtM@C!bM`IFi9V^V-`u2V*|ZabNtNtT;-h>hE&Z32%Syoj5w{wJBGd|2?ICfA~b z-1+Vam_Y&kA?LvdjNSd~Px{Y_Sfp2xaz0eeT?s$ktB-Hw`Kyxk2-m$msoJ?|dJ z4&AH~?ix9;{6n?~1>FPhM6ZmQm^p6$z=E$lyDvD=Ab13eS}|_as$)JoO(mA6>0vJW zkPu?_HKS>Wg2b*0JF8|+VvcDwZo(&sX2s*{aKwG&Z-?Y-th>sw`Sgjat2|5<#%niG zxz6+ky_su^8NA#KCQ9xcO79l)N&YNd9d#-Jk7O`{&s}2*ila-aHT--5i-bCJ?!O3d9Ydi=>IFWuAZ+=b^G_l^*z*PS? z^o4}u=uh4l18#d0vT6I_tA6=vz(X>Aas9a-p!(+(;58y34Xb-Iq?#7oVq&EclDV#U zP8nPs#Te&FNZiqs?*~kOdoHuYxlstU!vA$HnmHTH0xaTg&r$Q>@i$Cp1B%OIHy?mENngAiXI?>AiO$p@k5_ znenW(&%f8R_r>AvgIw^;d~?n*-tm_1Xo-b)M&4Kc+u0mU_SS+}Z&n76S&V=QMV+$+ zqu!mZcKZGQI^uyK$A(z#)0hf_&MW8k#q?v9n_#W;wvGkVyo}{=pWY>3#w394)jgRI zidw$JBm4yhsNQZAB`W;88HUqKjfHD*v3GX!ux`E!@vSnp!lfDmw?dAwqR?4C=mlb!|D=z&LPo4Uz6U$I+CmwPZr>p|cWL=F@qFBxAG< zeTS4KH)8f;6=JF@dS^lF~q zBzO6BCgC83kP4MT1kJSrC4IZBk>N4ry_g#G+Os$z75c8d>%8H88&MGpHa z$37mHi_U1=Q(6V~Ork?&z^bDF#{H9_zTK%0N<|0`?;%uCcEE#v$A$x>jOUk_N6^93 zCpDdJtrU{ASg&m5MZ66Kbrmge#(I`Jp?4GA~ITJuPQtq6*2D{A#zedjZB#QG70ZOdMy!7~47={XPs}FE>9xH5;PrZ?G+J@E zB<(3mHD-+ua+!x|@V%}d@bl+I1C#0cof)5UT?1y9yllvq&uObj5}Gr@wi|Z{B#;xv z!ErnDYK<-QW*q1yoQj++34c6x2<#O?O8Wrb9#rxf*MZ@+y#Uh7Jk?EwS2F)!$@F($ z-qoQp0n+vH^&G?(Q{Wa(7)Q+?=+!b)F$Ve}xP%buQSLN|Q&%QP?QTtRc$CdJ7g-C*6lt}j; z1$hZtsRO5d%4^sp}(#8cssTsZFF%Hl9;U_r8O|R+RMx2n1}Vf;Zpp$ z;@4`CIt(FX3{8o_PAY_swNGYN>W<0%U1tYO!;XXR_+G(Qi8$=e@dBuj!19}l@~(kr zFeKd@O%Y0VCY+HBqp<1w=Vo9IO(xu%gby#jm_6u3jW5NFCJUDQI9WVcj;qm`g*#@S<}51waS|#FIpy|5NPYLbEnPBrRB%pbW1eV7Q0T-J|K4mV@X8gNqB~&NA^k!r;DX;7D zJk?JKISSGUdyp|OPH2}sS4EokuG|m#cZZVplf+%?@iE;#`cp#L6&6b$&H`A2o`$M2 zcd-k}lR7CcCEoPx_?*{%?#u1@ZTmV7Kgv|dMf5!K3m56s%A5Rp$%XRr>*2Ve!EWt$ zZnz3>4r6_P(+AD`D&$rL#;#P2vcQtAK0hLH&pW&GAw~uG`jqvi{>;XEzk-~; znr#gx*|#U3yi{Ygk=!!d=W zKGy%4)K4nR>H!SUHOiP1O&@D_Tx9&`(h(ZAf2`zxJer9aG^?}Nitr5IQM=>A(#;Os zNWL5T&3`w98Yi)&#VzqbV5(4wZZ960d{E(?3)$r2XDLvY5VG#gM=mWJOauy5;}h<5 zPb@MZ972nJtz@?@7B-;UA}0>V>)I@wc&9-FN5UyIw$RHj@O9O+Ie$3nqTG#rqd{#R zo0kG2*Xjz+cKo^D2l1kw!xQx;`K~(~%L6t4Bo`{^&5TA|WSWC*I{yasN$AzQ1BrXBoiZ zN*j=Ot514H#0Qfe>hdtDs0n-4oAlhP&p@*O(_QpGTBmZrV^@&m4omaS8Xp6|U zEpO`$Be(Io*L~Y>a3js(&He=#H@7Sd3E;L@@t&Og(=CvZr1s2P@}9xk%^PVwl@7vFPG)(3e(Z zN?0wutUjOQeu3Zm6@iVPKS+e6Lw?@mt=l*BTEA9eLk~M=eH}rsp$YpTH*7d43jds; z@;fQJ{&q6CTyA8fCkG;Eh*y%jDAM!0ibsgt--WEf(wMRzUPpVGYA0^;6rc6DainzX zC0I>{PiLIv0WxXasn#>GqA_7y$#dm#wdxFkNxdz4ynb1V9mh#_nw?RZ1qRk0U7lj6 zWLRA^CI~(zKK|qoqA*_hymJ>B&TJ(<9$s!|TsHXu7bBI&T1#;6KQab~t#8?-V-RHU zq2#TX!(lA}K6q7BHKH|1`u5+O_dj0G|Kah&F#W)zi?p{mdU^`xzjW?}U1l*frdJo? ziy*hz+*_8C+~u&`K6h1OooiMw8{>PrK>VuLc7DKqQ=dsn&c|e+(43cu&GmL4ji*TR8Z0(TV} zpQvZVTYW28`TRfni~nIo{;|8w^o#?-^l#**HE^XqBA-YLm1>e=LHStR%~QH+T3YPa z9idUqca%T-i<6rNUX7>wi7rs1507S94=Ton(6Zi3IdZjWF@%D~ete@$qTlx5mc?=# zuw;+x*ovf)2ss8S)u!ZVL2ce`+ zJ7)Ob>---D^nX;`|Lw6)gzE0Mbjr*3ec=-1_;nK>2PQ)?kI0p;s$obZPc@_m>_~(@0k=|8 z9cVc((_p|rW8@mI;r!g7Q(Q93dbw{##O#ozV#FI(8P$QgJv3h{d5mQ+Id|ibxs#r{ zr@|ml{KkgRyJI=?|6u?8nCAAA3eP3}bxL(VUP!cQ+tQ4|Y)% zqe(awa8FAQ2^peDTF+X}mRRTgO=z~WY$-2_4fR8fE9SA8saS$>-Z%i)lLhOy%EuRf zp03nV9Mk#?>f7{;A}yY7zbURwFYtAc|mP$;oPJ_5cCYWD51=I)xE3KmQ zBB}`$wM!ex)1PCMH|`t98-L;Qqv9kjS!y;kj9`#^<}IM^IbR4x8S}_04CjY1*jV!%XYEpu%68)=Qg3~K0BSNy4-IJCFUJXmqP%B9CYbtHu7QI+61`O3H z-PO+YL%R3lqwCuI4X(K?J-Vk)aaB%GbsUhFPd!m9_Z(hNch%V}an9bS>y$H%%?4HP z*)9@|EgMxj2!EBlfaUKDT=O4Vl=~8g&Rp}KJi0O>`>$I}vT1BHLuNt8h4B1Fxea41 zhku>|ScrvVexHwjcAg$NaX)QDT_Qh_F*j=5f1w=KoXz!}f{^;*-b_s17yVe7|L;-- zlr;lWjcL){R{)0UmIcVdjl3?xVY^t_oVz0q1#%*5f*^ZT(FkNvi*W6-hmbwCC+)D5*WPhG(ynkzpE)oK>@$jI;-?V*; zz{((mW$8(Zmi}jb{fv`|AQ<8c0k6<D{%bnd2B2 zAL)8Qb*6Zijj5O2Yfz{9ARtq~l-FziT#;-y6}gT~P)1%P3+MbfduA5vmtBgh)(4bA zr$Iy6A_E(=rgb{iI9bF(-dbNK*WTT(hkbh!-i47r3S{TceUGnM?c3A(s*Xtz5;>Ne z4?gk^sln+b@2W+2ZzP!j-KW1T`*_EMp6j5caxba6Ybrk#r^RuX4@-ffh^9XiAj5av z0Wd{#;FbkkwTV52xLtV$ZS<+C$kjlynSRl3J-2dHKk zr>N>l%cEjz8j|P%k7JRVF-%t{h7B3DkDjpUvV&NeOv8rBgs^5$E4(P8@(FWcjsBV z(a-3oHxdL~ISI%}f>K3Ywjwa%NeV4r)620;=MRf1U(OczG%UyrOnb_u6O_O|Ol7L# zn;?)%+%q6uoGCy957;iv0VwT6s(6$ylZmuS(Bw zOgIcs)y+Wbpd%ch_oL|6-)^f9X14&>PV@|MLI>8ToqMs8e1 zxEes0=hM$B8-_Sp5(VkxBrtYCFRZ$A9NnDt^x14_et8WGF$b|w`=qy4@!o%t8&xgU zts0ZfORez>cqzeOmFy0&*X=49LiCL+zv!RpC68uW&_YWG9>Dz)lD$htdkk2X1@{{O z23}@QPwmYiWaBiwLGz<0F#h#?AT9&%PLyL8+*p{(6CcbESw5q?)6PE)%=D;0K*X{J znr2fD%@9HB&wM8&`Sm&#@G21^j7Kd%`LDbf)v9EumL=o4|tt%|qhGnSVD9I~!zUBcouWjwkzfq|k(Xkf$=IwIpc>Q?bo=&!nzIf9HB-*;nwL&=W=by8 zy+laB*b|I?!FVhjGcl{|N2IAh=-OPV+8T!j)UID(V5e$>&){Un0WxA;PO#Dv!^E)@ zFzghWgFKDxZxg4uDy^G_24)!gUE0d(^J*D^Z~E2C-QsEeRg)9n6ssgjF~yADj2yPu z+vTUE{#{0){4uNCQeaDn0n%8t7ygIB~q5B>62Pu5M!D<_;YXQW{O!LgO zl+h}M!y-nb)4@rvV>MfG;8*=RN+jW!g60X@wPZ5sWsM!TVOsPons4VoyZC`0>Vlr@ zQebu*86vsIqU+#(5e)2DuTw8%>@-;`KAY@yp^u0f`QuqthA95$iXNwPOhUh(nBp~n1l*N!{^HsUj42Q`u@~^ug_3dE2R_(o zs94^_;HpNU57xQdiV#In!yc4S06mym1xc7t_1#A>{TU3c=K6c7hH-xx8>B9cGSA8< z8ynF)5@{ZbYkY+;Pb64kT=uv0odDvzP+g@pN`O~tZzKl*SwfR$6Er>$n^8I9@;B zxP0N7j%Zr^M%un=jHfRBzUNY*UHwe;v<`PU2P(ei9=gkzxk-SjI~^jSuui;T{j!Iu zB~vU62Fll6F}Fp1nT1tcs|MfxlHtZ#{mYV3a)jlDiP-}D^0BU7YFzfs1F)^A=lze} zZjQnTzLg!I6mr<~Q#qoJq{hDNlqa{sPF zpq7vRx&>^3#v=g7)UKN|xet?zCPWH_SjWg5b`c^K?dDrTuKE5Q;^76;(!@CIWwTXi z*$28>9nyCJjj=tm?wlYjJ^9JUbu%WLIMVzXl8-zP2G`}H%ggBne#xHAheYz_?M(2#6P0RgTn?Ph79cweSfm)^#f zy)+J66MU*(QT{5l{rhI`Zq+8w8xcG>0&)4@01C6Ahi3$YDbb^8XN(#k_>vVDhz`6y@ zKo=Q)ZfcH?AdJ$re1nF_b)fgs90B#tq`So35W2R&?QmT5T1XqMD;XT$RQ>dKjC~7! zJJEERzntnBaw^`q$xf!PhX;`ndRBFEHl*%!Y92~33)1#a$1C~~|NeWwEVBY^-O*mI z?6;T&X&sDJBITIEA>@~y-pk%VlGE1x$w z9Jt$fT35YzkMda!*L5F!=k-c$nZ#;4@4kd6tdA}g+cWrPmxJXG~%6yH#D|VXhLe88Zb~ z6dcd_!{ToWSK=)4mnyGTV^gVaeSj z*$%|<1N;DRTNG5dxDq%10KbM#TZg8d8#SyY`PVbd)3wfiwxY!07L2vNmqbyMh4A^^(gH9v0 zOsZcCA~?L~X-(ByI{DM90oV~l_}yeZTF0O4^aGJw`QQ0uH6FXE52f&)fi9cZH0r}M zv-(41?Gid2+`i?I01 zMKH%Tol}FZt>Ok=Ray#RR1wtXV(J|^}-jw_a_U$is7E5 zPy|2qso-~Q%mcVUzZgjNL`VJzY$DiGjDwEHXdl*E>;KUy^EzKMSA&n)MQ_Y}XoLrK z!<)HpZeJI#95G2RrXy@a@K%id8|SWrXr^oJV*MIE6ThS;x`j`%qsTjJz+7lN^2^{~ z-jiX9@CE;mkX3hJ{5Q4)#)@}l^qu-!PV(D%Q~mMB%%Lag)bLzV@&)W>Nk3tN=sIwx zb}q;c=$p5j$!~+M%;q)m4a=3i2IEqR5?$9@a#wNm4o*|`VVA$4G@TbJTpfp$X1Kdm zA2-n7CY@IQV<=fbE1S~B{du3hKC^x?gsU#3Co>a{Tkc_Rl7&4^;&{Ts(nC)!>*hN* z9}h)68QHjcnTfM1xqJ=!R^&zeYt(ZUqY`YO7&T0n;e$ILhPT@8+0c95!EAd~yLxy6 zyxv}BX;=@Pt38=T#q-%x36kWJ;ku$coX^V4(VZ(`Ffx1U*=EcmQpdO4aOJ@EKB5$f zgEi6O^|wWfOiM4R)Ml9Vum~B4m+-8H5RNi__-(>&%RlEyHcL4ndAjVe!J@id?z1J6G9*(mKf4KglpSsrv&JM3tVX7QdO>QZh~+;ya%i4=O{Ppy(xIq&H(caNs3Zd zQGn|go2*}!m?OHOyLpD&>z@YZ&hL8(qp#=_dDe-_m+@f!a3YnGQ)2O=2RM=H zfGS56b|qNEK2$Sl?tU7qx9{0*h!bnGW4@A zx?7BIgZzCjjY)>2%StUEKunXCNc#24TF0g1L9)d=2X@r+KU3darmO8IFKF^$1)VM$ z==!gI14-%yc5zyAM{Wlj!+(Bh$hiSz#Bg@cdq{=**eS@T3fvS4E23fVG>22mQdSKs zU;Mb5P$?%Uta8HqD2$wd2W?;N_#RWdD~rHGGf~K6e(_U ze(!3M6`+D#k~<&jMWQ7K*gw;tmzuJP{_^ZsrIuZaOEsT#xEo97Pbjc8>k;uF);4(l zL%RxUZmM@5&tFn~a#2~+Z|{eAQ|-%f zA(-rP;3Yr{dIMVw-Xxv~IPm}};8GohDzroyz|m_oM!5BNh;U@10`2pLRi0mC&@eYF zNF`of9jW*!RiNVD1m9)}xjzF=^qr9s*v<*8c7)VdDWyXFhO3Ndk7WH|d(;yON6r(0 z4$`%`H`MMLa;KF?6)P4c9e8$*KOn(sYJT*dZ-Cz8%3hwM^L+>cHwt?5gtgwGhdnaX zEkNcnL$BT5YQOkZ=AGIR)xz--K$~eoE1vfuk^OD=uwl!pqzr!IE_B)8^^?;<)8N+1dys$UOwnGN>TE4au?qGUI36hx;9-Qv~I%SC!<7E%qMR0|QLoeZMsHYD$NFBPWo<_NSY{%d!PRiyCm_YE%aSTKn#Ujo0?LK#MM|mp?q>Z zHY$`M$)T5B_F{zfv5Z_e?($qoXT<9K-n_wl@qu#7?ICoybwvs!MWGoY=2j8jJ@uBN*%OgahruWh@ zuiY{#^f()>eUgK>MkMd!gw@B&LL4ItBRf*=;j>WUKjhq{d1WPE;1H zXTBF7@{oFV-^eVzEc{W5MU||X+AVk}GPxsN>vq!R_AV-+h5-+p)>A#{gkU}1C$q%4 zq>S8OiFBpD@e~oGqf$yqY5|-g+y1DKg(vNqpZUkk@MpJUb0|1zZ)McUQW714-MpW) zlu+H%KEVk`17y4SYVYDRSAs?xuBYrA*hflnZ8_5hG=qN-<0uoJ!=mR;Q6q31s#6Bj zhAxDWrY>LF$hlM`QYRqOOtx{8&%gpbl>(T4gT|8)?V~8quS8cOh!7O#Zq3~K!?PK! z)yEg%S>5|*5m@A`1-e*;PjfAv@NBB5L{;=hI$tE^Xl3Lfp@_<^<;$+J)O<`TUwQ=2 z0VrQ2Zya-SL=fZLIB0H1YrC}7CEH`Tbt#|y7Ba1?B+?U%&)FfFA)S&Fh<6iu-idYcNpuC zd-$j$N4Bz>7Y$>E6b0YhVeNha)G)>8$oBde#_hE_*(B?QYtsVCn~T*)ow9oW*(q`5m;uV1mg9sQEWlh`~WT;_mS~y6S_3LQA^n z#F&dHLx|;TAsDI^-QIbPcedQo^jLK?FZ5x)K6jxs#p(A0>usX(O?_|vh{%@kP=?IA z(DnD1PIrH=m>{d-URfnp@8CV0a(fh=Yu`_p7JJs_=M0S`A~+rE$@EOR$+hs#52o;E zskS}p&N^?u_F|jPRhlY^ppo{zOx$L322BsUfZlJKW+nl?`(&^<)^M@HjEf@fX^fdd2H8r6(?p+0c0b%R zSGu&Dtouc8n6jB|kuaRn=M+n-t=@#Xu@a{w1PXogB)YHr+kLvA=QaQ9G2uRv(!3k+ zvddkWwnQ9eJG2)pnz8Y>SKJC&E|D~473;#oFb>Gm5vPmURdg4Skv6o2eCE?O`M)Gq zwoIK;#q(rIF-4RZ=lml`am;;HX3SMdBBn^hn?ms?HT*R6jl}4SBxWT0PT;+JAe+V% zT*^0PDRb#Vhmlzcp9SB~aRaCwNmJpgWT)**`5U{|(H6zzT~P9-tSAf*>0L8sw$XDy znrGnhy3RkB--8Zi;BB=t;#!g~a{M7Dx>Q7p$6S!sQIJ*r4^Nr+9a31FxP@&zwV}<8 z6E+jW#x>)<^rLqDQFObs}$Y~%jItn!|b&Q=%Fq}`3*>t$BsJ!v~fc-qZ zqIp-@4AB7iidjn-6_}!{kX)*9v3kyZA5rD^&mqiShOmbdeRaII3<|=9M0SI`IZw3I zE@g5++`Y=fU^kF5RZaI`LIpJy!ABxZOS<#y&WLd7#ycx&d4Ha_+YwfUoN@Gy6KOi` z_c&E=5Gn05$zPfm4u6v*S|}avVwp3m0uX>A5?r`L7O{gg#v#yiGe zO~BSSXqc(JO83ZVpUG5l?N1lu+w4Tp*bfz%){FHgu?wUaOcV2%h52#~bLWxwbnRMP z>~I{REF}M+C~-NCJ;m!w!3w{RsdW5&Sw=v>$CR%4Z%;bACR_~^AD-tA(T?p9wvO>m z?fiVDey1-r;QpgX!M;>0%OaspORiz-4|{^b8f8i5_WK~-2m6h_z{p>WB%xn;x-g_P z^4p6apGe-nL8Vk(P+m|EDt-T=b1q+sNbf=*gByJWv2dsbd(xOetF7;XVe6|JvfAA; za=kcWT`|u3=tW71!!e7~26?=}aAli|2Y`&Q2hq#M{>CoVf)-PL6CW0%1lu&Cx*XGQ>K4v}XafxFd zU+&*_mCqLH(`c|tE%z$?TBfw2oXGhK?v>N?ta3%r#=7^xBA&=H&^TPfEMBPm_R~V` zYLoIpoo7veuH7Lw(SetoJVLWRYIA~HQ++Gz!-qthLhVU7<%yMNQt4ZDf3*aoTUE_- zg75idDzZlUrLXdZCHi#fOSo>EWZ~X_FOdjw@uVmnss_Y!A2_+^~LSegW3_-E%Odn^3FRoh{u`=jNF>qJk73-g7}iJ*IJkm$P{ zhQ`sjp8lTsn&T(*vRSr2vqa=Zp62OuN1w$d7cg3is_-opxyNxNl(}6hQS@>-=fjgD z!eKF8*!)nk`Y8^VfcT-jtlxb!k&�c8+l4g^G&cw2s$oBN8T%zZ_cqEKeXC{-=8} z6OcQN`8^JkzYd#!pJ|?Z}sc;O11sj^pB4Z`io#k!N%yLc4%7R9zR?=IgIg{`IGWFYx0-O1yKtz z?1RtKa_%Bb@81lXf3}ovSKSG7ve&9b$DIIIz9Uur=8slw5srRI4~e)snTd@UlUhzl z9AC7)y#!Bt+FX^;8aq#~6DlIwfLGWI${>9|4T?m=C#p!YW~#ZLEOPo+UhxKK$?8b8 zMHef7Kj+vl%h2$dRmbb66_NKN;jgx2wel&UogTyn3QX^YBpws_YJM>wNpJ;y(yAA& z@+^q`ZI>wUtpjIHquWQR-QpjtWFW7epGuiW+k@yF{ha&_61yx!2%UCXI;N87X>(@l z;StRLblAy0=~LX5t45NGOkd~- z5D)y|d!2v_MUNMRXq2sE51^baDB*`p!hXa=vvg!y~8EaCaFLM4(H6~V_wzBkN zwN4gy#1p0M`^W7I_nxhFcGxG(&<9WwNpg)Y;nm9fb9aPgNgmF(ro1Q8ar~TZ*^0@d zKkwOf{c-R$!I79Lixn-Jq`TZ?&6YoyNHcO@k3<=&o%7XvOmx5)Do{3)hTH*B(vmj{ zdEiY(C)>T4Oh^#dB5uh0XFIK-}B{ zq6|H*_Oo1@dr3=D+NJz8a<;7ThL71qcv*te(>BkJlOV1nZo@M)8_iC1sm(XvV`r;H z(|QdH>W3e1N0(I}sp3BLGU5PfmOfg!^AjJu^{1lrVq`4a8mO0VG>DCQmBrjDyVp;1 zcpH0x2>K^AHJMIsc?%nGLVgL zG;de&vRZ7f=#gJ&Pqy{ale;bFd>bd0iW$-M(o>gSnxpEv)nuvrb(wZF;Ym*A*b-5L zb@xh%_Z664)6j}n_@G-N>-P_lo^kO7o8(y(x``zcLSv^nzVN&CFL>&m@yiF#q%4c1 zeZlYf`H}sVC;eY{=vOUvU3|h(saRKZ`twxuwIpft4dT3~=vbI<3)?ulP}(`1>bOVI z_uDQi)Gb!J7){sz)?QXmY>B@J<2=8pvCME1G(k05?ZH^RZL|1L*6BUQxgD~Nn1I34 z^O0;8i}rHmPHYH?C%)envhm4S1U6_JwwvEl&1yLQUgIW5lL<=e405XR|MBS?O=qX9 Y!8!}KZ=?MdiNKGFlKP|Khh{8 z{8P2NYSrq!_mX$L_B`(nSCA7&M!-XWfPg@jln_yZfIxYJfPi^~g8}z|EJS}oKp<3D z2n#Dn3Ja4cIM|t5SermVNQ5V+!YU{qVfnp#&I&{N2Pymx!iyluf>07d6^%p5M^Avr z>q|pZIUU(XsDl3Vsp3#cq+3dxCO@nej><(hPE=GA8!}ckF&tKF1Gx&`8nNpm-Xhip8YJXEb4&_OU?-)Rcs`!qe9Ngnl!vYL*L z_vgT%v~B88&#u|0uvcEQ>*tY|I8xB)axlTu##j=ZuRC!w%N?S~X?ofWj=PPQf74`? z{O>jW%%g9UC)vkr+)j^=~FcyK;;bd%3%4@CnFMA^*xK&&AS4i4g*S^Mlk zWbz_GC~_MaokIxLAp5a*B}Stq)}e+(0ZpYns5`T)}fr2&Dz38CW$d->r536zMR z#viy#L4+X)^gl=ykSE{ihhSH`=@lSR{CacI31Eu_`8Z+e1FbeG4x#uqKOI7U++@Rn zA@0V3`py}Kq)3V^fz2E+Mv5N>-SVAZ0qrwPzYx3v^Vb05DQa`FBved6@+s011a5dX zq0~I~5=0M(yYGQhJco!;0g{Z!3n9^4T#SgOz5YL;+R@}fQhSzvqO@buhm39-{Ur3l z?Sy~m>bSIWgMwB-pyHN7HSsshYgZsG;Z#AF3eXB15ys3LQD7^fP@y?yFT-XFdX5^% zFExi*fjkSi7Z=ZWKP)_CJES{AcOq{^Sr6!pJ{LwU02mG7&_!_#;P!U+{YYRMWo$|N zBEz*$yH8yN%i{MG)^B*EL9y`ZBsRLg$WYy|>BobCRZZ$2-6fw>IF!)YuJj!pds0q% zdW_V_)j*z*wy=`{P?V#{@$l%@=2rQ(?UuoE#nPJ1f5o%`ufeuK@lNxY=os>j z_fG4M=#Bvo37I&WHJT9b4o{wS`j_di8@5!7^TqZuF4jo)Q4=gXwT%kpIwH$%EmJK6 zEt&=ts|KrR^AqzIi^zrtbNy+enY@wD+&yNjK7-P657E+i{xXRQN(ay5YdKYDx{z>o9 zjL((*voNTvZH*K7?o<6NzexQ}WvW}#Uw2b7JZZ(P9gBkT0<#0qg=o?>V zDt4Z5rSU9xDkoEmtx&D_Sizyep$VvCs@qylT3M?hUwvMwYOwj^ZDnRl`DfM66_{;F zYz-LhTz<<4EC}q&8!(ufo?_~@uioLqipCsS>1jO=vcGoHI&qpfs;dihEV}u2AfQXD zGousJ+MYR@Nt5PjYzrvwq*=U+v#Q4LrRzS+)vj*K=2`3*1Eq)h!vYJ|cA!_2vPSp^ ze0D7MzFqO2a2@ZRHmsZ^aEz=@@=Uh%iuY5_6!#sJR(IOf+BIDK$>{(}0i@q>-UZ(Y z-yS$u2#AU!SO_+8{&44#$9={j(m;Qt9io*$pZkmi3k!9D8g z^xesBEHiDMiNlD^D7XgMzPY)i`MNnCnjg`H4kxTBb}|~!7T5Cgsi#r&SL6(KmVQNj zTHB)&Bn2t=mU)l5EnHI+Pr{JoS_bFX&Gy-T$G+z!;!_}``gi|L(F7}{?=z#ui@RCF zf#1%*iGC9nVlW85v?=pF_Me-skE@TUzq&oVT|x2^6A~+s5KW@6)Xc9leoCOPY2j2~ zYnyXFsw(VF5R`2BoIsz%Zafp$U7~CH<>mWA>RyWKuR9CPx!T#$It59iK9gy1@e7Azb(})yWC`t18*MPIj$?OBd-CrTQ)6M ziFfk-0?~G|D=RhQ2CHvpOK16KuCC1&CA13kL-dD0-1fSvIK?#eM}x&}T^mssQCJrY z*HM=TELcpAQ>L{#@5#l4q=amx$(fZ7El-XM!u3JmVh7O3cl^WI$0yiMg3mnZidi#f-2?RNqJgIJbRlw4w>rnl(blTHyH(M5cFR<^&HH6p|IC+fb!$q|b@WP2xLDat zd2y`@as7Nf)y@;x=@ROAU^>~JUDX!vdI5|CEPCenzV8Lz!rBp=@)3B}pEK>-Z(xih z<`-+pkNU8HDjOH`9=vi~^mLj*2FQmL~bz^N%+1a1XkBNUIbop+Vrh6(8K$Lt>30Dm3K=GR;g1{k@>V)d*!}+}R;fJ<%i`-;q zqT_SWk9dI;JnaGjxex&bCT-X^Qe~D`{o}U-1d99>f8VNi$ge|ibDmOZqu}tB(?mnk zR8|&(8r+71_z-FV0R?V-0RQm7KL`lOT*&|3gYuU9@qf2r9{>4M0z!%z0zwc%Qslde z+lSLEST9V~l>vPT(heaZzql#*jt7b`suDPAL-kXWb=^^))+%S`#SJx4QQeb#Lu?u) zC=02Jj>WHE{ez&;yX>-CGF!|j9yZog5-!_c=^gj$xef&Ovd8!)-B0GK_1{tLHAF;$ za1&Eg42U8Lu;4?iSy+X2|9lNmNx{jm-`Fs%&5#`mPPC5R$ z^FJ>Y>JMxiBO@bab31<=&`Cc0x66M;d^1)cLYAwR`$*=dLBCjz5FQ!1VT4%_^6P(I zo9Tkzzxy8oOCM3@D}Q_IyWg>fNcurZ{L3Xr=N}XVRqAP((NzGR*ME)vKWt=HK^-sb z-4@Q?tL0&DV)J(XPVs@Rq+0S;q6BldJmNEbNTzzc1>4()QO9>iVYS;6YhI zzHZF%zgCmm126b^@=7$1x-H{)e&UWx@wZo%Y(P=HR&E@GR{r~=;t6+sV|F+{A-qa1 zIxtH6%QpV^jg_N>{QQ#|hE{fK(~6n;h{M$yLDPnNC@}U&z!%A_dhqn68eM3Yb9oJ zeAfT)kp3UH`LD=B=-Ku5^nB&z)q(u@QMS7J^7U6v4uhzusNM$=5s{&xc(Te{(MYV} z5M=xcZpa`-zIJl>E|;1im~YS4jHV%zwGQs%}b#^)mmpjGCt z-kwFDvD^R~S?y(`K9fbrCf1ax2m2%Dv&3SB#I#y;R`-M@QOD&rS+~d9HuA{$Vt?6E z6AHmCyY%TAlE3KF|F^{xG{Fdqj!xbm&ycpXEOWb=L)_B#@Mt|sf|`x2Ube&04da`9bGG)6>DY zTV2}tDwbyVu?Ay;cHS1CTmW-DcF6LTwZx&g@?K6dLBRXou@d`T=~VlS-kv?|FY=>K z65Q+jUOH7&%lwyf|9^<-UscclSPJ6H?_WRS{L{!n#f03C`VG0|DMQLDE4 z2=*#R8y#(ekJ<_IrOM*y7#QQIBNh4pJ+(@$y;;PclFrPaxldG*x8+)DvwZ+FSsdDF zr*cZ0D%QrI9!4dadp|Ti`~bhk>H$^|QPFa4g3ADVqR{hyJrOQw+*U@yue*#-#xXs;8&N_;4x@lBsys!O>Cn1AF7s z(^CcO*8vQ5cb#EWsxYC7#k zR{W5I;jwg1k-=t;NNl||8;Xa1{?xH0;zDwXAIE!a-BF> zA;{Cy)B6#KIe&IVAflk8n2!IF3`HS?(#uG`JDe77v|i44X{juNY7h6pX3(SM^SrNb zz*`iO#eQEvET>fG^~n3}Vr_V`8Ukz_YQiX%mU|}E=Dk;4JLWop&h~kUIj83nb4lqU zN!{!)xPfZ9&cPmOdytPWcnWU3UL*ZigYX|cC0zdmOk4*MbpLi30z-Mu|Y+15p`aG#F5j-p84tN%Qx^WSQ?YaUzXwcmK;6mB@sYMu44$@6*u5{-f?@Z=^|6h)@;5>Sl zkc%(qM86R1pHv+-p%Jl$R_y?~1skNQ@M)F~Xb8UL!{I+z{!5Dg^9FT}pqN+)0iVa5 z3rVry_2bn}t>b~5c6LPt?JB=3b&4R^MSuPJRU=vG_T^?$K-$Hn5%a(}%wS#c%>SIc7EcksFNn^ITJ{{q%xTlf`K5Sy3pEh6tA??-Qx%lWA6l zR5{W3h>CtGe%D|8COCN6qkx#c$a3BIX0zHz=c@ar#%Ml8;`qI!X~UyjtX=rJNxy-d zI2h2dCsRudzP%w^&{(4)2r3j;zs#BZk8ND$<4&_N(Hhxc4EFqUXIY|JG^?6q73u$lhrmt{&d{5CK%lOUbPwd(c)sK5ENtUq1N9WQsqAo5bU zRdmdiyo!4;GYQanZOGVi`1FXg@AES zwUJezfMw(k%D)`x|5v{@_Z9Ne7_z3U*7;;%_zmvSPU0m;tBCi{V08Iv?aLHQsy>8*<&Yfs7|qVtxvJuNK`RnPuwW;N+VC25`je z0q?ol^`Sfq>5)Pqc`ZLbA8E@izlE7f?{!8Zw-qA{F8bR--_lT!p?wsI|1U8TQZCgM zrwb!?&(&X;wT`{Nel0*ZHsPU{;GV6eNZoKcxW~C>&*` z(ztuNLd%mno?PHwm@%ZtGnCoc(fr)gIq;BF{+dv5~8nScfISrM0xgj^vTd&uP^|yRr%41>;x#Mpb)p2UTe?`^Nzsj zz-GIq@e{QtgDv_mAuZUzjtJ!r!25dMS1>#Pfi1M&4I@FJup^kMO>r8%Mwg@26%E@o z)Mz+3RD|44jO8z2ts6^*qbWOI(UDhmK!k^nm&@W#=Olg8ZF8wq$kolLu3DLH3X3Z- zBpe>fGq1$?EH=jpSzz}T`L)T`tkHA6T@##9H?wGf@Ca6$)1BH5#loe`mD=s2m3|wn zR?V0WnJ+gu_|v`|6Mm!S)ZqnM5CtYr&1=9@EmZ64m(AzMIeMM)!@H3y6x;f-o_H74 z<2hwRg?!d0q~rc3ioWU;uQtG9xi|M$Ge%@_A&8TWZ2Xn& zqiAPX2ZN~zvQSLyUa`@6kKN)e34 zc+>NY_GA-washTirr(_S7?}tGH@J%Afi#NK-81>_zx&PSN{pX&6Dt$4?fW8(Hg8EF zCVN`D>9~Rc+@C_q$^0*;4h_dgIGc+#2*@NhohZ>#(~L4jZ~i0dHOA#w4HqOLSC) zKo$}4Re&R-+Q`sQNjIP2tmNh#hJ^LH=8Txmmo58na(0->x`_fx9Cr+3P!vP-YbKJy zmwJRTKg>&E;ec_xSR%Rvqd|FzK!&}E{NqXTbN8Q+Z{IgYf6=rEf|gd1_L!0zq|XhJT*OC+_=Zt zF)EczEorgq7S|Ih=jHt5Yak4J{dFOGD`f$h0c<-yb2H&CajK`|=s zeSIrB91>iD$M^n@9uwn>iYi&tHi^xoPdMJAS?5OhfkE&5*BlR>p$aEe9lsZs5468& zzT6L~SM%AOu_&;>bw%!X;h(2A@1_)5{xo;WWIbaK>(Pg0lhNuf>m{J!>iU@qH6jS{ zpqPqimn3%PncV8+RGe;4 zqy}1b0W*p)B4y7yDik*>bEzY{D$CBkSG`ItJ1cog54$h948B@w%b^ts&rbxO;875g z0D8VftXAlDM%gn|avn}nOgk>8!wF^^X{NM)evYLSGrQQf9#ObocEg(N3`9Fji(B7xXZP`hHZ9YtEM^mLn{8{RudT7Uw?;)~}_=K3h zDOtRJp>evLrnNXws&()>9mav<>08z#t~O0&_@K}wbv!lD64+M;VItZ}=H|oAvH5fr z&+|gk!Di}OPBVC<*SI&(f((_$Pkxd&J%U5<1&wbU9O^LyTuQ^@#&=&8JmKq!-QCkg z06eL0)HKDNG`=_+Cl;#GxsF;GCw^`BrrKL02(0o|cB&obdoDC%eiEuVkt4=>U|mno zq;5NZB@1TW9>Lzrk6$;QjyS8emOayuIdSrh`Hg1?1jyh}kluL#4s0yL{BqjuDtPZ! zVrw}-KMM71FKa(q&6g#6y;lTYJu@yyT(>ATlVk?>`oO2 zw)msu7kYOY6_58HHD8zUYc0-E6LK88#yo!lXJLmh<{@tU9LHT~xK5Ck!W2W+V$jAzd+Gk=zdcVzu~^<8>X* zYP+^H_BJEUFpMG3yCtu<|CeOiA5R)WNS}7Cnm_qlSVedo$=iDK^uvo$gpbvBdSyF% zs7TNfwSZn9u+K(NswOcj%f{oapSKs^u3fR!^+Kv1@!|2fp8Vr2eYI+K4%|}FpWtx^!>P=TZTkt*dF5j;raky@OwgX1-QhU4KFR? z?7RIxBpjIOayHWUflRtXlnA+d(5~{|2V-6iN?Uv%u+%`5QK>}b9FI*aJ~Aq4g6$f5 zfv#h%19fP63f{OARzBbJfFOqj)f7jq4M%_WzW$($v#OGl)nx|X2bz2aPS`)f?w#*2 zeO$g4A&Q|JatAJ!aWxhC4TBWS+T(T!ifW+W!=G>nKv z1r$#@Z`#RY{A$JK5={?GZ+XKq z;YWqKl)E@8&SB?!7J7Xdz_%OP?yqu(L&jre+&P&qrv#gu)y8pQA*G| z93$*?eMlAOHUoY8_Du=kFV)uZupe@6bbkL|nD-SK?Br%kV=qxnbc#VXxe z-*+ELDXE0!X3p@K7tvwujSYGVl{DH_y)ub7*7TWY8cC9eDmYkph#Ou z2^BmlYLiJc?y){=O`&Ct;`f7v+_373_ zv&hi=x7}d^(O8WRP@b+p9L6^hIS=H=U-7*?TtP z-0|zQ>veQF$MVx4E9>^eh|YGh;mFP;j{n(c`XUT>dyBl|O%KELdJR8g)%Rq&4B}}V z&Uk-}tejZt`-Ua|nHU#()soeB zmKhe~;0Sx1`eB7%;Jun7VBzqTUl2vvbbq8}^r0VS9O!>U*^vngHNcVf zhaE7*G1}IdlE~$S`h)ZRrH(IFk$pUy`ozp2>>FME6Xam7}Bu0i{7+RWQcS^@~x?uNOY-`ur~&H=HPU!YYsJJig5R`LK?N z#<$4TBZpgAd)tb9W6yCYfg08euXoo&k-$fCf;K}LJKUA(%A+kd=C!*At8)V*+D7-B z*Nai0%!gFXn$UN8qIq50Hixiu=3dTyL^}}ed%IQr?eW^!BRJj0Mg4U3OV)F*bkQft zrtQ?%Y_U>Xyr|xSoP}t+IUR9fw17d5EqFBS zbg8k1_x0fB>o=yA&l7q2np~lK89C}hG#8W1qfgJ(v5oWXU#IK@|$kWWvoX;WZ zyThIgNpcplGSiioH^EKqYKA;2dh)9mz?R-q;1!1N5P4GvY5KCe8v8-r?)-ykdcgEX zmNNOs=Ep#Zw{`i0(bb%>h7nyiIgS>CSBP-7p#8(p<%8S6>+3calYw?;HGaOIrthpz zgE=}z6F_zARL{4&(kI&Pjw=1O&Dawafowh0o;QB+%)MK0oobAMJC5wVb#m@6b6!MW z2tn%&l-e82&nJ}(9(-;wK%YC@eMi^;ZJddxx2VAD+02IPl~BOpGR;@7i8z!-4}OqO z&Dac<4HdV`n%6zx^{^2A$E~uaLxINf9}~bzWfI+ao+r4RN2g-Hth@@ny#RDr5Niwu zaQ7eQ-KW6xG&lhNCk&TNlX&bwWZLwWbbp*L=uVwa z3Qe5MUs<#(@i8?YsO-#M_F#{pM9>37dbpUJZ`+%1a(<-4jl5lVUeql*&=2!vaz#Ug zFqGS@o8-4TR|gXPG5Kqh#}@4;ZJ`yY<$d`huWzu8LRU;Asq<+XB^D5hf|-@DAuO^| zrOPASXN~=(fC>F`HH;2n3CjRqKXQ-3>Tpt$3rj4d}3 z`VlP;X3MSDny1Os>y>dQK8kQoJpc6B+1VLyU8v9`TV7r+gKKIC5)>)166)N@;)88G zZd1jIv09R_b+^nv!d!Hp^79iEUR%+r^4Wyf26zV1WeKEu|(>W>V{4wY2Ia zb(^Q-{HkK>vu#pp2WONO!cNjL+m$zy2mJB08|*v$3)->5x{bYxEjBuA&LwM%zx$+y zGLVy-ys{uUsm3!DbK&De=ho7wnfzkiQV*IQ&8PGD-g{z;iRMQsT!*W@0mr(kN~C8@ zQ#W)O3w%2DR}j;*knu+|P+wK$P1B%8WJzkA&0?K*&CEt73h%>lhL$Q8 z6)Xg{(U%(xJHc3GmZ8bVlVFL}JfpG4*UT{l%(r9UQRe{HW7S|Y2^m@M>&D_}o`FW1 zNHpm}rS^g1X@n;sVt)y=-fhhB4l|rv&7ZJN#;B3VoiZlan9|r}Y7eB+m?N7=Vksti zm2DHg96TN)YdF)i-#eLUfv-Piie&Mvt_V6%q6$AN!_hNt>={yXlZHr3Lu~j23a#(B zsq$OBz$`PK&@@=ttfI6jD0yU(X83^A*e5|75$gVFVx==4L*|YTU5$6tt#jINg6}W4 zY)S(3`5KyQ;2>wib98y8-2!9?sjixvvz4a???{^Y^6(!032rG9<|5Jz*^<&mn>8uY z&U?LlQOXT7>$WesD0f~HHfFX?x$MdPQ~)@lKAXZ*m-d48>l;JIoe|mY&7$3>FdS!L z?&Ign;FDcL;Zs=B{93(VCG!2Hm1Wp3A5av3o|uMTuK?(q+)9{#zz_63HzoUbXboff zx=T0WLF&pc)I>`MMbzJE^D@-mbrBZqdI`@Rv4+KTW9Qsg;tvCJo_o^!*NA6|qx&g) z&{R6_Zs%vZhpO?RW_ppU(@V^vNcTfr$D}9D^30fW3a(&)R!H#{`Sx^tk2+UOUlEcH zGE??+1WU>$X8p1&cZ)_7#u|^KfvuzC`g>>Vh3WEJ3{dOMWQU^w6uyt6< zyk+tGhs7Cy<~PO>J7&aAh<&7J!D*iYw2QZhf^Y}}?AMym_=PJjhUxhLsifS5YEk%A zCTr5VtCXWj>UIfcz%+^+ueKp&%zZWw0I6~Cr7DLTu^jtz0P2c;{1xxz?uSOlHi`vr z#8_aCT>CP5QTg+x_fl${-rh~4EE{iU*#Yr{MalrWN#Q&E6QCd@rY- zA&Bbfp}ZeJ90$xf2&>ccCY}rokJY!O*U23ui+XEhe}35QFxo3#w%YYK16)7yit_+D zG&X-Z;Z=!dzMs$^*)iIZacn$%4|bzfAM6gm93gY@@yVmr)P23M$+TO1obvWQzpbGP zENlA$hETm9*3IY}Sqyrhj+SZ)WU_fR2V#lsv`=A;mgNONDoV=AkTN+LKIATN*0ulj^+i9AC!oQo0Uazl}BEJO%0u^;+RG16pNL>+5An8!O zVelKI|ABV$pyoHI4mmKDD(-s}@h05-!9JLy7g0j@Hu8G&<3;-j2?W^WOV@;#Qg`rb zXX4LAV>>e5e$3t_p_qPw+(PQ>meQys#;9OSmxni1!E2{H>A~$Ya?oFGv{A*X)@D?^ z>t-QLJ9PHPhoYm7U5rRm*ntc3ynJkX_zdSuI?w@Xk?e=cy?piPxiqZQe#kQ$9fGI# zuOg}r&1kf+3-__l**hTmJXeS>QgE>TXhuU#X$06TsF>uU_s?EgY>NKXRNLS@FnDn^ zd|iA1q@{QcUNkKB!`AZ~1m5}8AI^vSWE~K3wKo@-7#cY zJbW&m$@Es<@KSB<42Hmm)HA6o^2!Y;B6*6kSI3(ae^}(5K;^wS_7-jv*L7`kB62EH zT~PjU8Jwy~fQZa6^mv#uS5esQkRW@j{gYEZ23Jqj*=nV+gM4LS2baSC8ZAuTVy}iX zsAJ*)oq2%`iwX__KG83CJF?oXq9ox9lUNrY-00*a!@e^%V%3j$9P(#XBkE#Ty(r?j zFZ3SDO!STsKBUI|sIjfNm_}(}z(&)Er~}2fcaKmw#fc!QX-bUE{rlbnD}P@P7f!D` zGwr}X$*?xMTR`{(CU2YTg)M&hDuR6|)GJBcif7uO4o#=~BA&n@E?zw=76CIB!SM2# zyFu#X9J}c~#sKFR&qdRY5}-jC8NdysCVd+caCwcem7yHOF>$%!xp>#hw}5PyG(u88 zBMP{jfuC$`Wn=5Jx5F1wmWR1$xa;+pBfoI+HSDkq;QASeme-|19u$g;&1t5kb7{SglJ>L1ph@|wKA1G?8_*zK z^p9+?RGH}BT5Ze@u!UKvbF78FyZ6;$JFK0!f&u=1mQiWH1ej zq|v?Sxsl)-Hs5*5q)!nNyN0@|)CcO1KhQlrWu|$ zyNu!nqu3){5tZVdquq_83`r7!ZT;IU_k@8@aK|G&wR_+#>w#gYnSb zo(!m{1HCDxaBB{L-^b8HOd>416S;p08YC4m2|)c#1Iom9rQ`F^J#8(3gaeI=o+8RQsY_5!@H6_3iG} z;hjl$Ex8ZORm9-L%5k?M@`Wu@&@D`R zvs9~-VbpuPw0UGh&*wsbeCqK^W;sINYzXzDo!%X`Zk!6vhyn1RNGAWM1^9A0U3>Xb zz1Ov&TNY+hp3MXBdJ}lsn?*&=E0I=!Ky6ij1KGnfpR;K!vV@GLV&pW8(7!!-;<_BM z?eq8j-mvaEjI8`x&t#OEu^d)zn{@bm?n#)xI;roY)mUi{;{5!HkOmZe4Vr8lDl>Xr zM;!)K;~LQm`8A%eH0vd3xACqy<9Ze45@#b>j5Jnh+45nlW_HfMEHsN+-H1cp5zOBp zt?KNyiasKo6;Z)?KBa$YrEL~L{wEmLhV!+cnosR_CO&val?9Brrtr? zB36sI7ruJJF@^10s=Px1vaoZMzFx6$BDsa>1bp| z(ho-TIOjZUSZnnbiKnXv_mJWC2w2YwAzm69BDfCKcUWObIw>hzOyvh^w);3Py6w1aDO&h8O1GzW+6SNN17uV$91%aQ z{{v$*r|JL)FMmBfht}<#$?t3JksNv-Utmiq9z{;?q@e{It3R(But?_EM2#y)9iuK5~;UO zi`%3Yboe8y^14P1FLoT!an(LrrZ?=GO;w|0rK+W$mO2>3-)^Ujms=Lu#GF02W0-l< z@}oyiF3f-opS*rJ3V<@mrM#Z+a&{w$Q-587KX)5Km>fEO3awe0wR`=Vw9c1APg zgg8j6uU5xiXV1=LBW8*_kC(a7aftX;w{s|`R4pXNc6chGA3AfsF6r>b`L;ksKL4%E}trgULH1HQu!GJce%% z^LE$UtFx6>jFlz{f^mopO@9`~Pa!?~?k=W#T;xcTLR`--Osi^-xm?Y~{V(;dn!%j) z_0H)$l`UT1Jz4-wpaj7K@x(`@*Br+7e#5H|IJ}D+_Tvif1I=bmCo2KWc# zTiq*81D{OQbel_4?>M3k;%a4AXH=)wJUmipwOVw~pASBRBd`pxhCz~fVmg;8)(v3Y?t+O4j>w#UaYXF09T}f4rIeb?& z;iA0W%O$pI-&)EoL5+#a=_YQ#1&r<=&@=~NwC};UX2tK|0TDGOF|CBL?iNj$H`*+h z9>M3XW|U5TekjOnszct}map6pId))@k8#4IvCEMYY7lKsz45!CPsrAtm%@cwqwrQ{ z7J}#FR_J)m`#1-X7F)wkS}nUk}>J+s5}VPqtkhR>vQ!QK}94PWBb-CYDf4_&Y(L z%OkBh==5oGIv<0`pGA$>t2MsZ@%=2mLbCVl;k%i!@@jNE=g1kk9lp@W*EbG%ydPc6 zt{eHzS{76oCW7mX1Sh|Ge`>Zj|FN?5zSbp6&&4y#IXf9f@ubhwwnhXX;ivF8_^=TN z&KESFj&Ua|Z9^!HOdLC3HK57qOKY|;7uj%EB3L28{3v=xnz88k^X*5P({H&C$k`!0 z$OOmVGU`v(ff4##b}5)BjP2>$u=#=MxcdjaltlI6KJoT1t*Y1StJPX2ctz|@J=u^y zKr0DvvbZy0?N(g zA~)&XATv-v?6&5+i;GK5zuqNbb)=6yPSm$cMJ!Ac?3f?ZSaY%V2m|R8S1==68qZ%y zA9sp*)fSkHB?tSY&Yqi*&O&h1i4n6H`&Pq*bCS6_2#vPzOf=@8Wxz@4Oqa_04jSTk ziKw26rmZBnhHbpv?Pa}Yh<-upj8A7KM4#4XvV90Wu91j&C5p$sLPE&{CAnxFHY4Yc zM(Pg+D%Q0K<$Pt|m0RBs3DpOJ=hqB@RS`hR&Z20>?maB!YFXP=t$(BUX;);aZ6Z?M zif*iI4V0clVD9~lfGl&iz3pU^86J^^Gmqy_&kR?IusCAozGQGX-EPHkmdHc&Hbf1x zb^X-Kqx}MRdzfZ<)%&)PmCk&>AD(iEZU4fIGJFTFG|Dw0n>_pxtV%*pu~v+xz85H= z7EVH%FNR<2)wYB#^#w=?q^|{kNE4bW?Iy8++{0mlmYSb6GL@p(%U!0c*V+a?T z+>8f*`P+S&&<>$5WW*Ln|24CJFr?ggcx)u`rpj{}9rVTE_!iTFWEF%YO2Db-GoTFgY40tY&1o)lvNHdTBi7#^Vg7sD||rj9cBm#_O?I3OJeNn8WB2a5j~(r z(RR}#oExP>?`tU4Pxa9A?RmS0?vYwQIer@xW`2HFH`#x^D>}p;6v|0TU9lzng>b!j z6K#)T@1v3vkG&CH{d%$r_bbFo4ZBn55MjEQ+0CqDt~tACLc^jQ_T~Md?|?ev8>{;E zPm$w%d$({x&sh=a+eoKNz{{1q$>2HdDfrobi)QhpEuZG&i6-bTDqywz5tv!u6d#6AA(RtX}nbE^}65&ZY38I`Y^`=7If zqAIZr1u4QZ?R+oE+;0l>Z3cTCpEfAhPf4eoJy!1T2x{;)$uHYU2UL69ZxKOmE;Fp! z_-go**hbwtZy?~q#Y(m+XXxSvD8{|AETBn`O9Yz6 zX|>uDG2I+4etdE#HDj?j@f~R=`}s-z!E+J8#*a7|bd&R*q^{@QKNdbbTxT|!vQViD zghl1MMH2=1FdAe1-!q^RDoD4%2ub7TLFIK1?w&$-j+0XUf#e(rEW5MC>Kq$A6w7{{ zbZ{M&q~RCeM0x>}1%+iW&rbg!n0+S$&y0n@_bzXi{PL%_8u#lbrt=n>j1=ockoG!& zF7*YX;$J@Y{ZD5>9pCkT(e>UzO+VbWw_*WA1eKyxQ4r}MO{7}r9V8H1=p6!t9w5?@ zszPX?2vUU5Tc|-gQlk~c(NwW$;^*&!u*_XiSooe3Uny&o=7GLF&KYjg?pLun!hcB@nk2c_~ z-+FDGVAljfO`-nUn9P2D`#puuv|-J)%41_B?e%<}Sh+jWTDZDIic$P1%%$8vE-&4f zLsqs}v5S=aeYT?cF&Q6dnd>=u%k5uny8&Heaqn(tMXDm-cYUFazyKP9<&BJf+dar;yeWN_GeKucP97w z`$GrJ55Er3>*jUQckZ>{X2Q7zP{!n_NQdrU{F0a%GbEbN^w8AxC^q^5qL$pu^F~WL zack^g%#Xb#ws3v)7VW9YfD}H8lA7^n#fKJLurymkd}kr+GLZIRXT&|r<6LrpKH(dn zXG*PLH#YQWVc`t~?HnmLr>W=tSnldt^6)DaLv6N4*Jzy-Fd`g+!v!$gpj1L|KA6dM`-~EY159F?>c8wArQxbb)9`! z**4O5la@#0-LSb(h#Sp=yPThIq|2ul7B8k?Dm=;@&i!&Nww-4|-l5~FTVQdHHgVTi z278bP3ISz00KKo)9V}PDM-p1=%adlK&-@xPHv&s_ME!bycA7in_MSFUyhGCcG|42` z6^R>T_M-CsQur}sO@%lrnkz__e3+>x~1{qkQd01WbeXX;6S(UYQ~ zIkqQEAK~uK;i_qY#na^KKb4;3cbky${jT$RZ2US+WMs!8zwoaf5JbyR;N_Jx8sf1d z(_pd=fICd1B`u2`vFqNb*m(|}Nz5fNq1~187`N#mW4}EjI(v*(jmm%h;iBGuU#g0W zpvnVHZ_gEJAFq%OwAE?oS%%63XRmg9b=zZzHP@%2p+ydqTpIw*RVw#02=CVt&qS+< zq|l?8<0V?V@kN^P8y|D{qp9VI<+-k{wsoP#yDx6xbAvIZ8lDDH*QWUnZeB}O_Yws@pFcaw9@qaQ&_fB^ z$dy+9eg8QqueoO%<96H_0bLjS@M=?tTmOeNDs|PR^yQiSM4Va(g-(A_9Tme!(l^gy`1JM)reSV{V9rw~FIn5Tux4;>ifvp7#1!0v+zf!x zjeiq`9$o?gjEHL8{*NDg<)7qD9l8kJ#tQEgTzp{}lNvoLfn6%UR86rE`M`5@GGQM3 z2LVQV7a%$o|J57&+gA36Cm!?KZsgUpJPbzk`j z>+|A4kL{^HVymey7CU1T3Hb+*GtXvI$mr75sU6hKt@1vT#Dp_W0MHRl&)ynF!MF0O zMfY?gNn{hYpY!ZEe6(`KD5X1m^DaGvO<6kUv8CL#ckltjvcDYlQ+#-nckPL|%I4?$ z|2|MDBmDd?!D78{lxX*e#;gs>pErLAQc;PbP9rE&KG#*x)$Z;%>54X}@8v!m+1JS{ z^@OVn+gTbLe=8FH5ccxvC4&z>0-G7RbCbOKgczZ*_41BFC?;!{W-W}4aeUX=?Jwe$bIGNq zs$rJ|boAJVyTd2mvamE$`N_CNqP-ujznRX9v{qV}-(v56Z?o_x)%#GQPQy@I+J`CB zo;M);tBt|pFvMf>2x*oFBtDM4CARM55|C#OHfl6{OF?J#(t9ru*}b%Ef&9_wnCVgy zCRfwo-LhEf)Z~BoC93KCogin9BeCS4`xFE*C_))q+qV)@?e2NJWHB?m^J%N+=!x0N z*sP)D0{H;Ct_aj1^Y(z=LC&2~!q5sP1yoPq4H~FC((TJ|4Dq|ui=I9FoSfqlDYD}E z`D*K_S2G)6x6lvj&|<;WEdT89&JWVE5-0cjv7m(^nYBTyC#%D8?<{;5+FX={8ccWJ zt4~^tcT`n-c{z(*z$X`KJ`h>5ISYx(XPdf~EzAoXE`P4M!$@yk|B-~}ES=3o)!-@7 zoND<&530zuf?d)ol%-O96?2_5uY*-j*p9rc2Ny+L+&2-RQojqX?0)7p+Jx1Ss6NyC z#l85EWXJuXKX5~1n`85d7W}wswDIZc%8C#5R@Q?ko$(US42VvNF>!hhdMffj6|uFT zqCS&xT>plJY0#HzK=FW zZnkl7k7cm+0Ps}dzLLqj8ds;|!p0?He&2!*J0LnJ<20=zqj0<3`v;cmz*@roR9z2g z^`*M-KZ|7=vZIc@DX?>q54PH6iuLQz6Z&mibN#9Q>(R(&`~I3G8d0mXldl5d_5Z<4 zwu<{I@xxr6^YG&1$?Uy=t@Fs*3{bF*q zm$c!4wV8)Da>@V~4=Q3dOjWLrpN)^o3A^c{4E? zF&}UN+8xXFODz3e#p`qJ^cMYlG#J5%Mlc;2U@zQhG4t*-B( zT($Aeq=R^$)w&7#&eq_$=fBl96n>;U{QW*kZ9n_zeNs{vtH-c~9e?uEISXX2o{6f> zTDs(^YvO#4=h{=n4yBYo9b_{ywPzcEaz|)7x1PpZiid|Ace*ZNc!w|kiQHn(2Bc6* z<>eCUYe*F-uZN8E^!EPFF7G8GV^hNQk~@z+c`DKt<92oV@CU&FElD3B$aGd4A((;7 zDSGYIOa^KVCFjW$1Q2N;Z_02J3Ghiwdp}-Wd%yPGYc7oYKu0nv@cz4WQNmX5IKg7S zYfJd?V>@m_y2-|1T0LY(l)FV(jEVdUc;q9~>5{ww;(&40j}%{dTH7w`G|5I1P8Q2h z7Tn}>Nz!W0)3A8=?j7aNWqR)sOnx7axu@$4_>f%}U};nfN!tk6WV@9NtXOTo=%ai> zPqlUQF~n6c&)0+$ws>EYKe%6>%&L+MKaLjks4$xLEja@x!MB3y z&OY3-4uPHT+H(~WJ3k=&_$A}ngYO+hQwj=tH7t8%{D4q*zL6iR$JA2s>sU`m&CFH2 z)|Cl9l6SaU`5AV{XZ=sh;&v8^y0@BTD(}wWSj-+q{ABTCv@nZ*`;%MdRBgK1aG|kX zkjGZ4!K;`$+@ZOJ#BCRyrxXq3I~E$Ow@;-|B2i^H?5T*bNl{>PkLCQY?;RH~=1C zGh>Ut=Q&Wj>U$aYS%saijj|$>xb{*PH2x_(k+JS%3DPHKELloIBnj{xQG)d9E9_XS zv+}Je9UQ_Ec#h5#O6Wm!hzPa)T7Xr^! z^Mo#r_QX?-g`7}+K7*!Z8DARX#v4Q23D#7vCuS27)y<6t20A`I9_s^-z^jabmLvsm z)iku$9Y=#y3bqsZ7Kt$V?S#HZg%?+bsKdaS5^%G;D0twZWNhBf4OItnb@a}Vu|B;Y zfEG#8z&wzI>YtL<3Am<9A6twLx&OT7eRc)Q5_pUiv-c_Xq#n$`i}$aVS>fBgNHd_` z?r59g(9TsLL=O8}`%;9JL+?L*PRQtdB_t<$EEA0Y_UvnbJ0PZ@{}uK8arAg+`~~se zsK`8+Ks|8C0$n~80l9JXVXdA|{ZzFh7r~|d_>J4IFV(&s zbcAr)w+gUCtDXPwQS@@cwIN57Z>7vw|1>MHphTqS;&-#`^U1XA&E#!1iI=^cvA@CE ziGMEmX#V4YolbIc=Gd(5-|=rEYciG(CkR1p2TTKy5R)BXM+jQ0m9<`8o#S)aO@!qc zAiaq^1^{mC)?~%<3}m2cA(7W;V^lK_o}Y4OMzFI0*m|&H5-=ca?;1sY_JEF$<1s65 z|8jG#{P9^1&6URnl|8}G5LJT4xF~&W%FoXa93`<2TE|$jZ2bzS?V{F{_nvqk9!XEf z7v_#{{H0x#ker(8P;fC%t#(~@gRk{~)~rrm3hWs8d4hSq1hp4cGJ89aXj8FtcaTSN zx`OiEfcD_LPt2&`!Dd6YxolgT57pJxuKZ~Ox>!`Aw;C__SHc(j&76B4tW}YadxMsA zN2%T|cXnSx?^D$1(hT=N);q4ChZ6*av1*g5-)d`$*INwu=;32)%z5L$Q%CR1ZNWXF zP464u_A_refz1FR#zZ^m(>M#PPxPCCM_2C^7?`&0q)&J*&^0@>?>7+{UO=-)N-unc zB(BDkxN1Q+12D9Pzu*dXz`Ua(1I~QOP^wKGy8%Iq#Z>%~UZzo7DRlJxACWeQJO%X1 zWn`zvmUQ!qUjjGwsWt000USYfNUW-O`KnK_F}sfQwGoK2JwpJVXRiB^F@3|5fz<1{ z^Gwh4CoGySj~Hk;LQaq1lj={>Kd&}k@-5avdVP-84#xz7&jzElR7{;$#;Sb2W9OIT zTmYEu`ijC*)MuQkD=haCIGI}ubtv-~HU{hH?dFHhDNPnPPIA85HV`du$sxCRx?pL! zqfi*>ZOyA!@;$=w+yl}?66mR%N32Hm_l_Hc)|)2ebnhi_>qiWUmyXWeOrDRy-76O> zOyGntiiWd|F_p)jyvDU3)XPIQJ7x9GA&ucio1Jn`uw1xt1;N#N@5H>mGcld$omE3O zp@zc(JYT~Hy-G6#Cl2z@BpHxIH`b7EP)PC6Q7ce+BI*q1H-z^33jA^Z`gEA~6XJ(= z`&bFFdRSZI$x!Q}?D5DJM+Ot>L;dyqQ$5<;;z_-|%fj)TmT&Xzx@wdd)ud+TI#1dJ=guRDxBn#V?T#@ zC{a3JW@7;>rsg=lNU#`WNoZ6!V^NL{mG$IxqE_Hj$#&5(iK@*=Ij?R59Tx=3nnbGf z>AunXrGE_HYgmxEoSPWIL*3T)@syAt%<+aKhT(~seKjyXn>@96^!XA21dvGZy!?@8 z_G3*n_Q_{>YjORcm@`!3e~}M9iQH@$XvU5TJ$l7;6LxKNBnkpfyKr__*^PFuniAj; z;J3n`1%sw6k}`5uK6!7_(g2b9EuaJ2D_v#QQsb}p>kFC=G2+~upZW#bexGd3R)R#h zr|d2g+*(c=IrKK3W_X#Kj*P^p7GAtXoPu~0m|yk{{e1FosdLW)?9^}IV=}x~o<0>Y z3ua|wBj7lc@6WCUnr&lhA$bx6_tKGjQ$X&*!H0K9ILH^(69%-Vsbn z3WJ1FzZ-2c<8SjPn0zgkyWwNO605PFyiT`zpaL6%AdO8-)Hk^ogcN>8vxX(j->G0lVtIqfox*;S6yHJO7(D?x6BImThF%%Qa15-l$zgLY;Ror->2}z;Fwt|FLWM z(ylW1u;wj7s=v(+V_6pQ>nC@oW%6*`XO!%n9np_JA4pnGg9RN-VrUtuz4qD#dk&W^ zGj>AnkmO1pS{oz};baQ)dzs648(wfiBAVT9{*+#5=pdhsEONliKQhb2(WFceltvKj z7>nFM3F;QC{P}H+Q&j7W`omjSI@s;@`Uezsu(bU+i{B`GvyVQT_iM-+c)IvI?Ke$F zU}H0n4Z}=cRRm4AySsWJWhEyUx5P_qd<*?1=k}8wItJ=_e~+v3zdR#4hvtZ}^2{PU zgb|~tgJID}3>FtM94FOf^>f55<7=Oc^z`vh?@%Ji6m<}ij`KzOz@Hxz|I(g&V!aX~ z5;9hcBnKO+{obX-sB^t?yGWj)uqej8(pc?w3vP+>WGZu>WA=!+#uZ zC|;c5?vz-BvDI0mDlIX@TbWsMvfLOz`5>gv{S`^sX8wqU-J21Yd&SXwS-9hYpS%}u z%HF=yf^?W4;^DM$O8ckFF+Qf-+DzG;6dNtTo*E9dw|3oTspD&fa0sz>b(fnJK_Bvi z1|A|mC(7vANOD<59{E;3za&}1lCCG?LdY*(>EpOFJ6O9|x3Bv8|InsBRzJF0C0i=1 zmp4$fq%Jg|ju-gM{9?!aJ%RWJY;C2Gc8KsV+sDJMrw{ZXJv^wS#gka+D?NfQl#iH# zNoarXf4iIlx>>$vWPlBpW`{M^p5Sc`L*@wc6jUvQnvv)0t$Go?Fy5}7@)k7FBvgdH z=}QO#xL3}#>InsPmaGZwbh4sr-W;DZtqMF~c=PN{Q`Mgx@nk7fmjTwy%q+W_6n1$k z`S`MUU1T*bq#UyC^z?G|A(1+|j;%_C%2%nJXz_CAz!L_?HW?UejcI@PpGi8;-%9o9 z%Z9rC@zXk0u5hHe8#NS!~vG^=Xf zo<`BP6fL$Fs46H>df9XR(a7T)mLw4Fb;pEA6x_(j$OI+lH(Z3pqOMGZZ}{#kaCcLZ zia1PY&DX_u{3x2~da;J( zUKjkp;W&G{;JNl!1lPks-hc^A5n`!`7*|;E0V)}Ta}@op=k>!Kg()}v^WJv0DpAKO zm*t21RI>_d=QhSgxqNACyO3KphQO%tzuYtbM;%%beBMtfF;3=AO1Vf^C!zb!OPpXQ zEqZ%FnvI`%NibBYuI#*?v7OTx-UQbhUluJ?G@W$aL&}UdTTgy$YVtkGlzFyo82^lr zG}vmv4#DyY%mFB#28l%Lt2N1Dv_R*3Vxn%LauQ{x z|0_?a7ZH|HvJdqn*j~RLl6V{3Z7JaA5aPlaeVa4x_h3U16YY!N0>k}vANMK**=F@h zWl$ZA=L%upbP2KAye>k#c1@A`QRs;_&{T7`NnD4ndWVQEpH$X;;Jez*#b!fnT<$Xq zl|p7qof5K;7cH}a6(2fS_gR`lx9=zPO&xx9Gbx^>`MK*#?JWgvrq zPOR0lJU_JXtE-jx^qibXdzNz}HA@XPAbT9+6pBFAb{_lGON1mAy7G}chJHU(O{Dnl z+!`cQxHjS9ebAnt9+B|2AB#@SG=i;&?YNX+%t_)${i5+;!ysngvQoWiqFWo?w?CX9 z9jaG!>e5$gpRQ99ZN7KX=@&xzeq@xud||et^|;~80Nr@z1zq2C zUCAoR-q~xv%v+bhZDf=n`FPT6l4j(PkB9Bc#5C;i+a>?jpJyKi{2aG8Z|40qQb!gz z6BrPd1n$Gw^VnF)qa>9Sp+6p8ZS#!yXi={W5*eMas@iAN6zevg>`a~zu zS#?*qA0I$vEmy?=b#2oNwSX_Cqs>F8;;$5V2%qsP7$N0t5!D2=S3!r6(WV$nZ;ZJ& zWoSfq64ek=wc7PnR*~2XXHY)&Mx*=v%M!=j>#@}$a8(X=8i4z*3x=xSH5xLgi(Y&6 zP~hsan$((;%c}TW1}2>+ELwK20C`#Ik4zmb$iHtl_|fdchhBBdYWJ~R#@FtLE8P;e zH~$|^loHzo!D%uHJ(g|Mfv43l;~}E1xnS z2pnc7J_v{I1`z?EA;n`L^IvTDN7W$^tpJ`_g7!BA2a%xW$eBY4%?adVQHW7sqtI0p)r3wqf3!R zFhu{po?S*lwk_>fv^*#*_5CCEVJ&i&iFmC%)s@?A#U!k^A{zh zZ-0Ni5d=@0(srZWm2-AV!8h&8B9z15*oD7=&ylAa`At5)79FE&nwuJL+}t3N8yU=% z{QxX=Lym7;xtuF-ZFdbmKXo~>vzHd+Qjh27ZKq^N7@b0S@RSGc)rlIZAF{F6(v-fN zA__yPx4GlL21eUXd(bfB^DBv3#le3S0}Nu-@(GEg>4Z9d=V(7o=Gkc*4U^A5wtZ5Y zh&QpVJW+QcU@LsRCq;*2G^AMNI3=iMQ`sO-&~-!0&o$apC$w4Vwtr}t zo#nLWG;Q7ba8)fg#4wDL?{?OpCa( z@~UCwIm(NEKul#$du3BBYtL)CrKe_(r1%)C?H}$_#(z7sM=V8m_Lf||LADToq>#g$ z@mjMsBPEEd`7Q2UBXjy*BGoEY0ehRQkHwd=#b2h3j-%91{7RIR)zm~}nXf?P-erDM?%!aof7>eEAhWzYS&SXZQ)jmSW zAZkq*sjB*?`P2mc&jW`8)@<-(h{Z;!29|M={XF#()skwxZ@d0JXV9kZUW!#k0_QM$ z_^XhjLO$5*W=z8GxX8B)hO|pe-)1+D|4g0ITh0cmx}KQ4tCH7ny9k~UJ)}K7t_>nc zQI;Yn=T!zvgUqX6aF#W%V?7Htii?}}GdP(f{sZv-uhmwBNC)Xtbi?Q2L)=T|Zl24J zMM1>dmMyKbhdMI*N`=qgOt8IvCuh{K$^EP0&)daOG_Q$9`qZZsv?BrYh&JFbZBS_= z`^465L%_7mv55!wsRjMbf~@wBEe%)MkEd9sopRbWv6_bEEzU6rJ8q;|3J!o9AYmM8gXF^O7#O0^{r|wpCAIsqDj9xMGhaSJzTvi}#gv29Te0#HQf7*JP zA98gd;j!lo7v*KkONqTG3F!VZQ@fF$e2hRyb3xWJ#Ol`%NAdAF!J}$uZ%uJf*z}P9 z<%an*8a@2Wn`;u~SaEpqcX-8D3V4>``E3$K81A}mv?5E(4 zT;0)(VLiU>D*rxu+UTf9=&9==nb(sAs}p&B}4+H<*A5WN=e^=_Pj<#H`n+5n&%S^=` z$H2RGCB zyydtEnIku=ZeLbN}eeSrb2RoM%UuV~3@|;kln*J#Ag%?G?Y9mDm z7KnfPH(pr(o&LN!UJa|UK=O$bM@l}<*eX70pL`h;@}9R|6Pxbap3C}ju(QA|C6d_E z63Ayaw)Br)mox*b!r8`O4SkH&Ed+R`*Gh0enieasDuDa^70kSRSM<9_MnQRrlt;1~ zKFJLCUTFF{E6>pMr$oaGE)VM?^|*2A)S`&V>eUCEthA}4?NQ=Z@wKN{6h#M^&{cq? znm}0uAD+sFgHhifehd~l=K}g0yKii&6F77NvyXr=*^T5y^ zNjmNAC^T=k@@b0ddG`39{V?d>R`d397zkkCt#cz%tzmzwDy!js)8Ve6_jW7jlWTG{ zJ!+fQ7davZoI3G=%i|;lE@Jc=T*G8OVw&|B%zDFlv!v_4&LX-lEp({s6crT(+Us{t z$eI}tBF#R zpW&Zh4c+;aO}L+Nj>WoK4>UkMuyuGS2GV~#5Aj0v_V@c*dz=Zzek;3Ov_DyyZzfUS zqSN;_MZ&vW?DAmP{6&tio&hSMq-uQPvvp0G*RI)5cRhU=HQVbq0_Gi2zYIptri|4U zJ#f(d3u)Q540F5Tk*(bhJ(MH2FQl;`@WnC~0irXX5=BnPlsz#8)|pmFhw9yL+I>t! z`T54}XE$z=$lUlpFXJO*EGuksd?4v~7oIDp$p&$2kjIvS&P$t_8naz+fBN$7=ey}e zT}lokYEgu$Dmq*5iRyn2o4skzfzoFq9xtP!Efgj__7R970Cmhv%c&GC;4PfG6UT}I zfCw6oJTVSUD*H}ZVDNB%I)Sk$+Q|fUFsbSbWt%ObQj5Q9RuJMH#^|BPwi*%C1Bl=( z)(VgRRQRZr2{&7h0vq)oD)_%jgHsf88_|J*9d+|4k4HA+1##;mIDTzZKl;wP&O6ij ztz@gsT=Hh5dgFnT;9M^x2m*DU5a>j(NS_zk!W49`OZb)#HdTARVeelf4DL68qSYfS1KZVOxk zcUE!DLIZE{OzLGSLn}XmE~Odqn5yC4bRpv~j-eVLWFHw8ilD!8%R7x_mrKF~sj1bL zJO*+bS9xW^jFh^I%W=P~nTnQ-X;)M;7!2`Ks0`cT%=hbZqMzhI*J0ukn|JnT7~e4m zy=px4k1!^T!7tGEZ;fqnEW8M6zYe%LV)e3m+wxYSh<=m*<%KNek^V$DEXZo^s=pCS}4UzkWimvW04HaRDHv zX1~gAi=q5zy?)=k{hCtmwR^*4t+4-ov|FsGuk5fHBgDF zrt7dfNBd=W*2}knD;&!(UpL@owUsv z62J8nWvIbZ=q8(=F??T;Q?h8qp_{w3RyETfm0hj8=|*a4Ron~nao&RNMr0JfuZU;- zS!j>LmYT)!j-S~n{b-0|H}>MIVa@roifR)xQCmVw3fN9QxxFn^RJ3MObnU`Ip~vePUS=m2c)JJ{*f3U11k_9;IY- zC_(1_iaGPVsvlE>osTCn=!P&`J*EX}!DV&0%-P#lEo)u&@uRd9dpu=R)`w6p)REQF z3uy&S56}G!cX8V(U+5Zaz;o7B*17l=oL0L2s#j)Rcih;=zRsU0dF|Cq57B71`F49dARL4;pCWOq(#^kKHEr)lX&R^FJ zHtbGN^zk{p;o51H^qR`2-|+Fvkq2KV*v|aQVu+vCj*;%YI2WcSQ#|xX9w5(SA7p&h zO1Q>#t`gHfTtjDnsHZVT*Kod)ws1TTu*S@KR(!tp+?sIA?bT0R_+V60g51-hm%CU* zB_`vIU9{M8u#V|N=fixuBas|TtiFVFHtjwE26<*4xpzibnTW!!&#@IgJp@;r{r=j| z^RtVo_?2Yqbb(}%FTLI74DbGL+54vg{(4U2!Ce?(JYaAC=4KyTt^F@MS2s&Hla^po z_)3XTzl0~wP|(k3F9* zgST$CcbU3{UvJf$F%%f|)82l(_z{x*X9UZZ;j|nje2%j#A^S0I*-W80 zSO{iZW`l5sAxdX#0(O1rw;WAKyqyFg-+EFT9->R%%VnB6XC!`))R7pgZ+~fbW5Tb4 zNqJW{f(elSF@p8h-TOO5Pq>PfN{VaOmpG+*m~;BrGkhPtid9$#Ds`neYtY%E1_>uX zh$9;hqlSdGVvAo?A%15PGuoovddF2(k0kvl>pk%Ng0v0Rp-qrP(XSbG-`;U3NS>}@ zlfhV5=uW{tdLO^Sg*_9kINO)CI&O{!hX%{as0 zQCPGj&lvali~~laZ1Vld><4hu=*3>MX)YRdt27(hbhRR?j&>L;(Kq$*!kQxUaq^nIYEjTJ2sX(8JGyg~e{tC?&9o!NopxMiJ6arMJ3IeF>0bZQ zWXgf~0t~;i*EXP10ieFem%Jcq-y&YN4qpf2bR`2Cjc3pMudh(+*N60d0b%%xSBa{> z0RFFA8>A0#4e*0-J{Kg2l9-kJ>hW)v}=`z4G?EM)fT7MqQ=$sY2Q9 zPunE;2oDPRXJ07-B4{4|SIU_nwa2%bV1G_EokPMgW?3MZxe7y2XmB73=dV#*z!vfqlu(afCrdb^!FFRnNSSgLXqM0=m* zp#!JGQF#b!SQUR>HSkmlm#i7d38ZYaj{b)Qw8UwKL=S@TMr+gyL=9#!+gS?#Z1 zz^x_=$kBn-#lY(=2(wB_gIG8IN~A^CF!6Q4M}Qx@kG~>^zS1_a4>kbNS;_Ky`}#ce zaOnE7b+#ngJa&s=$(v)RNqmdeYH&!{A4mx((7ABBg4iXS@bLAtmI)}KIQaS&vp<|i zl>IKP+HmN3G;ZfyC*fI{w*!_{x+o5Yhk0&IZCAuCgs*9KOPeR5m`IJYR zu6p*1bzc@UXwn@Vh|qt1#ca3)zrKdxH{moy=#v#8X=Y%%C-61%Hhh&6dl>DBn|PTc zkqDb7XZeJa;&<~c6$og#2+xyg801>iNnm!>u$Pwd8S5?`mn!_^KLM@1!koA1LAJ-$ z`8yd$*^u&w(HDa~6Av1(rp&VjN;c7P)mNe~D&$BtcVQ{+42U|zEgx!C-09JZs z-;6yQLzN%h3i~%5?1&1{{_4Q->QE(1@mP}WmHNIJuH(0`z>0ne+Z|9J-j?YTBq*X{ zEYLQMmgrxr@qhllfD{Fj43AI35tHB9sPE~9F-`RvLW^jwpk&69WE|_+j?;20GZ69Q ziUGAM-x?du5ZHRU`W}X`onPX5q9>grQxIaJB~#j+O&34gAcj$jr}=D~CpTVD7|&#p z2?(kO{P7^HnBg8im3Y;&V*>gLnQf8jte`j++KGlV2i}3lzujtN^>5Fk)I2e~(z^X{ zoHzY-cQY|FLv|d7CFg4h85duc4xQcaS?bdlWQ=sap0o>g&-^>0o)&Azu*?DL?97T! zhSZ62KrH#7l1#C>^FLQ0ooD)QtaH70K``aA4efD+hAp-hu|89wPI!#wf$Q6SaU7{M z2Dvfbt%zPlqXuzX3mZkAj^L+H~v;b?A_fal7c~l|iGAJLNsNBjI|}(KLTGdDd%r zM^P>p%dd?fc+=Dywi(=LE@y-`;c|mkyua|eG+~<%@1ta@d$H76?U--rPcU%#!3=Xi zRVCK_2Zb}xZNb|_rv%=xTfkFKJdf36;W7N?uup{@hFkCmcP*3=&AcwA>d2h!$KQj{ zT4^|wr$~yGHh3t(vdj(4k<2;|;81GPI=bxdi%nUTQzM<(m^=Ade|L2cZy*ir(k{o+ z0)XLLgE?vV4CFz5yLMpX*7WgRl{4t>W6)x;{> zm2q*EOoi$^Mv@FaQr8qn(_?#6n=FQU?>*u7(&5jiZqG&^w;ih7V~)SIP9+z|=Y8@S z++@68tmV~#zyyF%WHKi-wDBy{`{HyY+9YNRD8MTKezzfaXKdJ0;!YRy1C~TJiMhyx5N%Jn?=HT$l+4lKDsESYsy2n><{xqq zTHJDL`OTSLkD=!^N%PMN4Uv^+vccbd?t))q`d{+0GlNW7JXBMJO8M&dziC<>PDSiK zU%mtE(@9abHNwVF$h7U?9d*=jdBtDfb3wto<^++^3^hAgX>4{KX9G& z?`v%1*hQ|0sZA}q1T$YfmroI`O_$Tk902>+H4KYaY|A-jWJG{!)0(A8E7+qax3tO* z#SLt5bKF82BAc209vQ`~nZk1=tbMs4y(Nz0&{nnmlI@@SOd&Imo?4T91vi5U2+mK1nsur~m+Gwez zB9?vot$mzA`r_}w*5t5mxH~Z*+vb_&;BrqQ;%CfTPLcrRoIRhu+?vEaaYEX8YKPSMIVwD4jl~l+uZk=VI=)*E{Nhn1TNC!GCfdNQjOqdR8AJVcrcr|MSynb z-lK_o#cP+iE}7wfmY+veZjSwMK@mVi;$Vat@;%v-%r$PkymVEt{B}hrAq(zy_7yI&aa?BFhe8i_C(Vz_UARxa4gFzv-K3?SG#6_WnkevW_NB{ z4&c!`RBOIDH&i(ZhYtoKFz*lm)xcpFW?wpndg5yz-@=m0^QsaiMAi;X^@9Rys!s6L z(z|_-v=sLK+gwD+udOq-92;Ole3dycfjp8sU*8+7-;hP1c41C7JNx=X(~bV5l&2@c zvAS{tDw<4{S9MAOJ%D0VBG)C;Se2hM4`<<#75ji|9yJgY6Zd{-O9iH z`0l4ouJp^xBWQ8wqS!{NcdLAA(Itnv5%r0%YbnV2^?8a|CBy(KcA~=soz|v9FXLZm zQT5y+#x!rZBl_CY_wXPIveAg1tLTk-l;37?IV;byAF$m+cFeZul`(XGD^5>3%ik#H z@Rj|j6Y#ZP|MypX7xv}lj+SOomNq#d^w*^=?isCb_4$0sR!X8$))Vt!XUlB4-otXu zl8g%94%r4cOSnhm6b;2*J03j}G{>#x;^!GJtKr-Uoh~~5wR^|WHjEU#3Bby&|>+DbQBtY9=sV@fa9w4TFjXwqC66k_j-|Y%bBOT|U2!~T zcGM4}r~A|#Q%YqYA}B&m;_&CK103AtCftz@_tbS>X}r3xwGjUOvDzCJ4Z36@+wTKB z-D$2Aa0|f-^(Yj{Z<_*a1IX+3Temlb;lj_8i%+u zqz4?PwMeNH?^$g+HFll{Hr67=K)A>I^HAwo%Lf}{v&VAX z-JVwmp>D>xGjWex^ID8@|Hd~wSzVJr2-SD!n(~oRG-*WgRd32#+2e8}yQfG#kakkHz z-@D^ID0#9mW2B7x%h6FGCEpP@gK`<4S~6e$G4+P}Bij^veGB@PdZ*f!`)>*&@rL&j z^2lp>N_-L9=S#(UE@B(uL8^HVilVp$UN+BB8-J&`_3Jvi^tW*gg`N5| zggI4&Fg%UwUL<}$8QYG6>WM6dT|b}Do0Gmi%lfuZ0#E3pKL<=qdnF94LT$x*v=ewg z#$)6ClSNEQ@n3VSfF?K(1q0B#b4m3~FW{zgB2_xTbG>7H+4h8Jw z!!QBwyFa3>o~#S<6Q1sL)+HiRO0>&6v9ER8p6Wf=p6+It@Q10hRHUDdH$o&LO`%)c zN=<$eT+MwcW1>g^ShOd>k%uetaS?i^AMZ;?cm*Ms0dA z2)eeL61koED}j&E_8X%`r7425+9!nX1M>|NIc8u7i17tp0`sh{;>4vl+q->Jl z$aojvK$vh&C;im#1nqpd_CY3#`K!G1-{Zf%$D+a5^VfIbk09k|nbU`*%M=k!I*B59 ziT#S-5sMku!b4qwtVDz(v~z2iwBE+_Dnl+9bdG2LWFJ4Ny&s29HSL$E)pbtqX{LZ3 zS0-Ps?-?>RJJJ#5F~E{eN00jz7oT5^JswbhO+kU6#Q$jXeCw5f23=qgfv9wkQ%5-W zGh$J(&ob1MrQ1AIFysxXlHmVVreuWKDFJI$gQOsJ!vFErmA>o6`~MV0haQJ(U66Af zS-nMpN$M-cPecCO+x~eOP{8uH&fOkDxY2|l++Io)y75nQfWrDi;ZH8OZ9gI>d$Laq zN>W0^NN^XYh^VV_c(UNQ$q1n@&`p^5Dh-3MZgd0tAu)K{iLWx&% zD>Cbzoz+FJF7F15{nu9O2i0whkaEq|2vr-o=nR91@x2EmR3V=WUtSXwWMcoG@=AgT zO`k`Bv(-o0JgWJ#Y%>3d+j6CaD{fj)eFN^P?=Vrx6L-wk2;2DG8g%^U-rh=)cp&7# zzpTs%RbKepXR0rTme`$Idh7TYLpp{J|5IB2uTMmfd*Po&9Ih9cul2N+LGk`Q;wT-1 zcI;k<(pooMhLHM+t}-!gt??Bb^WrA+?}_`J>quAuK``6{zaMh`$1*82njYF+>rO-m z@+}*`U%#l{>|IQZy~M+k9?aGu>fE)F>xs-Yg1RNn6#r*ZxcA(7&qXqD)e|@42q>9m zNQK-8*pQh+Bt8K3oSgj^3*fb`p>wJL=*e)MWypIxZWh{i*yK~FMU~rUZ1%Pq3|#lg zC9`h;f4G;X;CfrisAh=aLJ`>@!63Q2*pSXO_M!7|^O09{px5WXTmOBd_#e`G`|Xy9 z-^JgZc{<*Y{Qr;7r=-97RZzBaC&nid{~u}Z9oJO0g$*krDp;v1D2lXDrS~F=H0dR@ zzyQ)qq)QhSm9CJ`Lhl{vohS%M=v_iE^d68J0s-E`%-oqfuXFGH=6nC+cfvV)@3q%n zd(~&nP(1tVoeI39t1OE`A_?8lC*@Y%%9IhnrG+?wpPGd7}}wt4I12 zK1f5OK|#mk#_N0$So0k=lJEpURcB;-In&YCBBUVwXt7#ta;FmDz0lLz_gm?B+cne= zot?hq^v6vu`^wVuKTy0|AjFSz?phU@_TeOkn229FU8hM6VeD0 z75%@|1&w>>9k5Lki&p|qg&=1G4ds6Ua#^!AGamb&t^qm*mOIb18PWtW0r3N7^#SOqb*);P3G+ocjJpwF+U<0j(0Rm}dIq~HC$xlegcv8p8~&W) zkTJ;;_4{W0K+RIRl0aTFd*qa>SXf=mn)jsGxj%^Z z=XZ2KfdC{zytwX75|hh+8R6ds`};qK>`1hpqRXw-i>zd4e`h{tQXPdlWu)^OX2n?< zSxg`C2UGqjaoJ5t*pFhM=&StyzM#J!&8j+{P7pK;_p93F{RdN zx@U4ui3|F!)y-Z1BmDoz%Yn;Er&_Vg@lLOA{`}*AS+uV5ouqWlp~fFVcw#7T(|rk# z)lZvHcs4sPuzA276dW zS~D;4_i>mFWbz`=^`0fibn?Q);vcoi!F9BAbfbTqhJV|4=*hl&?q3!EM>NneBGHm1 z=Nz~4>DKipKhSgxy!!0756E5&6wR8*UC|shZ@9#>u=V7}{l8;z7z_|XEUn$0e>10_ zsr4sqK#W0fuZ&^?t>QARJ+YNHroWHs&NMmV=sXqSLglX7+YX7`Lah7^VPU+dsRKGi z9M9kQtFHOqNDj;fmHdJ_d;m1lHW69p1drh-#9mgevmTUcm->D5C{l-{n8+08-g)nd zCW$pMpOoL{^(UcEJ`)P8c@BR2HQ7I6_~D2b)FA^POxuLIC*@F(2 zv7PrfqNUbd`{@2l_Otfd(E7Fg*l_w$sh<>Y;I7q?0%%K z1%2~Bw(~FV$`-NSIh*YO^PZtjD)Xw+JHxv9>+c$Rq|?jg4kQL&%g6R2>HmgLP;XCI zIGXk~=|5s&p_eao)liT5MChu`M0dx2xcB@{B%vT#9(M?jlRY`(^y!~z8hk?2;5_BT zpZW7I3;OHgHONRa0Yzc6|&K6Nc@S4nBY9 zpD_(@pfN1Kk*kGVot?yp|2OkSR+Z&y@qtUQ_1)h2&D)sYO`d;Wg~rVj!TUx4`hRI@ zKWV9dnW=0M%lpX95(>^}IjWG)Jlwxs<*AtSPxIT!FF^SYd648tRUlHDn{ z)c#(O>VT6DGf^0^I5Pf|&oz@P9j6 z6zeZE@Q}1qiEjEESAOFx4JT3uDMP0zCdt1L;J2M-Rse>X)t{#NM>}=rJ`1`<2-$6J8XF*b9*|{b|YkYmahSPI!;yf~w#@JI@iMg-lfBpXTDkUtjojCHYY= zitZKgUu>ZN`N#lm`4kKG#w%%pGz?%Q~2z&IKVW9lzl>8)R;JnaJ zqzvR>eXqAs9n#Xa@{g8zD)8o$PaOBtP8q+ViqHLZI)H)W;Aikr;rZX}ux#a>kJ!`a z7=Fl$W{wQ-(!!gc{+&MdGe74T2_5bB7Khy8UG_TjsPyeLq|BuluWr4HDuSojx|LH3~?+bN6$C;m>{>>fq z|9Q^rXHG=y1E#B_|1V$pnFUh!RBr$L^nY*if8Ge$8&`9|WM+5H{}TcT#mP3-UFwRB zI7$$!#Ij^NO?X?af0we_u9%wd?odZe_;`#=#!(6VkHx>I4?MgqI{AXPIa1IOJ%p@q zWuxLW6HffY;QenW=65nYRZsPd4V+J>DiLu^@XX!rO9=1mcAZ%hE~jk(FWsj5A6q8t zc(1R_Qbij8wQfURQfPSaitH#$%4hdA)cHS~zn|DroxcFVU(`hg(LOJwhyi%zPpX|Jx*EK;_{rp)>OFAF27`t6BPFIO{ZhX=^r)jho#qyg z<3ti&T}NJUs?NOWCW2Lup2EC5R%KMn+lroy$J}aMQSIiFQWHo*dx%hgyZFXE9C)nW z|M;7`<1gC+6AC=(H0y17OOE7c-Sqceg0Y+iMH_ogxMu^VssA3(hR+I!mB;WEnjS8L zy8+}KXvNYbU{c$d_~3-f0r1AK-l!L%VKRCz=6SuQH}n#M1WLor~~I zJODj3UvE@l^P%?m=%5?Oj}?%93pnTQc#*t1cSZQ&n~Qu2Ls3r>Mfqk_GJp6iWyS8V z2|J>n-u9ZkCg8q2^y>(7k7bqDvBY^1)f8zzVrqAy*kBlg7{A5+%CR8fkMB>4a3zoS zW~=~^+8Ze?C+0*T^98}&(LUd$xX!L6g@Ep%0wXNmdn|!q^-aPv-b=-LZvo#(q@OV) z8QCyPir|B)`lB0!EOW;it-(z2e9xd!vF7qTJvrfjo8TC4H>VXNNaTf@Ak&pW4+ihHg(08Oc#E{iYT z0o-wqO*>fo=_UbN^}W#PVP3;MUQVwveNZP{=mEQRzA%lY)D9TA54Rn0NU3Bsh(hpN zh8UDRRcd>obU~inpiI{D%Qb~P1IiE4m#RjV^b~qcYz62q-{mnFKYpK^Dmy&}7`3BObg#U^hUFz8$%LBE)UX{+%8P*Xp~3)sKts#Uw} zy@5a0@`h0&(R@If6F(K}llxlps%%=6G4lHWNaq2zv@nIoq#=$E?$%cW_8?sbFky~n zWR6+(0x)FrM7m6YJ;ckmy>QrkeCrR}^f} z=v{e&HRS4d5r2*JX}rek$A{~O>repCY#thLVAK;* zujO>G=80V4lrA=^?g6KFRWh7kc=_mBJ^M6vlIhi@Pt!mH5ta&cCGK`N60uGl{Fl_UvvXPS`#?>j>)y;(Vq{ zCOE#ztqR*VKvnDlT;}1+GicW3NE!~MN^RcSSxQ%+<#2N;hoX>;ekurEy(;`rIBYOo9Gr_DaSnz3LUJG&9I+J2QCX_OW4=!xH{pWvv1r-wr*>mJKT5 zGRH($q+cE}^uH(-vO8?4d{ce}9}5DE-#rjwN=@ph{Gpy6+~mOJpp&sEPo^8nSvc^D zl_Hey!F9qkM?)^jV~Gx<{x4Ko4`eA4Egc^drioj5wZ(nq2VI#j+5uxKLOeqNuV&KTg^ zr`OwB4q(F6JZ5iQpj-i4p9K*h(ifO3oGI)-pLbpIK&^6pbxx)`L zXG&`uJV};Y(0$AcsT%?>AK{<@_OSUf5=q;E%$HGMe?>y|)qZ`-5MEl2-zG z4qK92R6J0PM*#Aen$_%AYwIs)H+_IjZv!#wO~1s2vO5~uZ36jaL_7U}09UJH&MuGw zWAAS+eAMlA+=#B9|T0iL-bSN1nS9nX?U1A)-m z0fl>oqE6_kiaU2ep*%{jORoFdSkIlPYtqJ zimBMty5=@+u2(Va=a#u~bi&YaQ$^L^Q3wK1UUS&3XgQ%yul@uf%ne0uPfopMT!WHm zykkoUh(4>HDR}|*&e*OcZn!g`)$O(?R@^9=helC4?&t68 zZ840!qfQc(VK4YpY1yObxFBaa)f{9shic|d+Fc&*>^(=`i>|aEd+|vrE`dK;Q+E#B zShv&N+vFd+H0Yk1S8jT%-2H%ci&&3Oux=x^6k;1tcasjMmcu){_6$nmlIlI>~Qs1`O7Q z4ck+Nm-ylAK^8ts=W|msYO`xy7v`l*qI&|?{&1rFMU(zj;>y~dS5!C~ip(#%>rcGr6aND({(iX^g#uULWg;b%iuAtssPX? z5qpB8w@C4$C}_aAIb?kE4saXyY$^usX?#=Fo`yWjp(f4uA!G-AE&J}$FHc9HcxOq# z6BbfL3=4IK2No~|PhK4&<{84&+nS!zs^5s+a+TEZC8^9)HS|pgYJ5O{cUULQpDP7+ z(p%eC{xrw~xJEhqgO28?I?*&yz_qXV`5{x*M>+0TqqAfNn%r*+O&Za;N$_wRB8gIj ztZul^x9hnP@Zoz(X?jAH1}|Y2CuZPF_@Tod#xy*9*$4GFN<&-?pS=9NM47JoM`Nt1 z{}{lDEnuR?;k!&q_P5gcMNsm?H#Fsd2qn;~GHYUO3MHJ*D1>jJg_~eLbi5{sMid`DV|o+ zTdSN3r7>WUIwo#)pO_@P!{1CDrPGxN?AOk5a^y@4lerG|)h$#%C(S>2{#X}gn#17r z0U8g^+dN7X>7tlf7ci=Va*2L;I)*R0k|G=}3g+4JmF< zmBp!3wicw0L#rXMm%2^0mN9Du5y<%j`z}DyvGZ8NEJ;U=@@*}8nRTwDxg2K;gb&;I z8xmkD1NYR><99ymRhK;AVpbXGB8`qKr{3(n8t?zs$a^R zx4SyCA`P9eAE~*g3*U8mk6%+@n0f{0zlQbLm(*MH>`ZH9c^u?_rqvE=Ytk}tUyd9H zH2igA397N|jEO(FxgTDU8cOur9eYsL>77k&O2?&t)wm$|+!9v|)@@Mr0gO#GL1)H* z^ut{0BB?UO|I+dy{EphhiRbAx=JE9EXfeX#fLA=w@|awJ9j021|XdVO=Q zvzxP|!MstG0Oy|vY}l1!KsWS1k^*hm55BZc@e^)!lxE`?2d=@l#yIcCk8r5n>*g7;)$9uE%5Ttiqmusa~%C z@k-NbKlDmGpXZ^>){+D-Vu@FZnqZvA%Q{x9n11W&7Q#RJz1#}QxcU8~+N32vrA^J} z<%D7iOMP-4O^l8-b$!y!o$p%4omCTAAE^`kHy^HZR$O}jG|9-x)+isUWP4YWSYR0S zm5QS`>T628zK$;Tj&_Y*%b^yYF+GlTtS5L=CeMD@5_2zaZ{%@6ltT;6z9UP&RWIy~ zok*_#6S@3{zMXlI38Y)g({B%pVG8_8l&*406%dEG9i!Z*<7~Md7NtS_T)SIkaXj`f z^)j~)fL<87TKkpw9nQ|ymbW>Ei;^>80>*3xx7hlxsPiLf4P&fnmaZ!(wcVSiIkMbw zjJny`V@1?o=g2HpEsIQ!P}wu7vIOtdnkU7UA@!@(TG6kCyRQg>QwSH(N&WuYtmO%=A^TRl|6ZHC5%^^6GqKP3(UAb4-c#ra!vWe6O zubu$5zBcXK6*1hlxIb}Ezf%;ztr9q?0e+YP$-_RM3IC>V&t{MNg}eW9G1`4FqHUUQ8 z9}iFhnr!GGlOw>3DL7X}y9+cFAM1+ayEo^p#Www;mCkg}dAPV%e1zF>AWEGGG+HW? z?Y9C<`=j)r+@xV4g6|w0Oh&P8-JM{`s+MTebcll<^!L4vpuwT`lh%FPlN0(g6cFs4 zl()p)e#8SlMphPe4u&$;JIC-gO_vGxQ9{UD@)f{vUR|Hhm&_+RvZ377DfmvDX&J;A zwavq}ikZ@hKw+L_?-E!%*_GQ4fWL>~{*XIRog}JrlqBI<%pA>mP&g3oAXqL}4SVPW*!{*Z!i+Rox7VBaTY8UqeLXx5l? ziIR)KriN5{hla@7ew$9fVti(nj-~b89Sa?QJD{Jg*jAT-Dqz;0(Nne<1}oENX|jSc zeH&(@REVA{x2lK|b1-dU8H&S$Q_}9CjYY^a0;bW&(-m!-LwHazm#3y<<+d`?jVwOC z{d_V|IYt!52(00`Oyt;Z2qwSi?%7_z=`hM=(x4wp9woQ;x^s{RQg_|4E3NLUzq+}A zRoC@^v}BTe=p^9s5`N3*U(;`OfwEPJ5CGt6-ta8!jaA|66oG$69Yg^NO#DKMI<#_k zI+SO_CB$Zx8KB;|+rgkbeW1~i zek7q5n!__)5s^^2Vk5r2yq?mNviD}J(yyQq{tY^SBZsdTzRu_GuA-pU_oD#NUi|eO zXPH-6=Xm{G$<+bS3lgU?%ADN+iS-65Veim;pVsWMT}YxNpqu#YP4ROJIl zv7+5~sC)Qvora;~@}2sZdAn~=Q*JTO9o#mjTmbx;o7`cSLxuhN<>Z13c_nv-v;(7` z)fSfR0w`eHooC1AYgUTup8!dqhvJW~yxA<|*H7`z&Hi^ZI~iPU-nM$LjD*D0nUbtr$Nb=gh7Xg`x`DwcZR?$lE8= zG*e-UWSvsb`4&|}+f%|J;JPGJgHtxZ=pkj2zVfS|R73EPM~C5Ur&-qa;sQPs)cqip^g7@g+!ZlRr0k(=<%8+A4RUUk#MHgFgf@{? zb)E&?2?f<@dbQ?A<2cJ1VY^kXak0B?=JxaY4#EUhMv>O9#|iZAb3t?_isM%*orYQa zd_SALy)|#Dg*{Atb(tT{{zZAH`ootR7qMZ8a4~^MOBv~aja`o`B1S694A(B>(N)Ep zne!2uso6~pkK7CAJ1o-%BIFBrZQ6T;7E;tUmon&FB_Ga^+Z7m`U|ee+MN)+;6dd2t ztk<@XP^yqonJ`V<7^}~Ih;W*JL3_)Wq7jQ+*J3;I(ue&)sE22J^fE>s^YbRmUpFkEaQWv$N55`D(4;+4#Lxma7 z%x)@9i;j9grLh&4a!^UW+J&1g;UfcPquPz`t)J4{dgoxZm%Jj`FOxz zpF4_52JK#Q^xpiNWQ5;h__C?lS94cDwM1ct8}+i{PHD>D{B)D;KbO&J*f%#r-j&GP zg}kNKt$40;X43HMEf%e1@r^H3+O$MN&rOAp1id_AyVIo}9YaqOSC!dV&p_so8TvDP6s!lBneo!hEER4__MzQl@N zYDyW<7+Ub!IZ(de{!-4!$|SyFtA_%XzTG5(^&JGG;4fo)aB?mOFN()xRCP*>YX`n> z22{S&2~bAnT4#Mt_2tfTa;6Avq9ByW+a^3}ntVw?JiA$EB_Bef<)(2vI{n?i9c6Mt zTg4qU=RTjTT&xdY8^f@kiR>j{k_afdfY`3iyK8A zxd(U#_^~-94@+b|$qTy85t-4%NY4tNL*Y4kAu?`U0hM33$gHsoo*#BJ%)^B!_I=fO-=0UCd;hI0WD{p zgnHY;AB)D=y0uyqGJjo{bxhK{CCe029$@%m#lJq`7vyq&0dZHZrfKBh%Ofv&_W&J} zevwI@?C3Hx7&WS$TU}Qq$+breM2_>$`IehFP(q!NNu63ZZka9`Tuy7LIK8|rS3_Oy zt1a%f0ZXP~^Ftak(2Vlvq2JZ3`Z!)q3n!1d3X;sj=!kLZp?vZWhNVI9ZP7W&!HVuc zxJk9!ypPq!TMJIex@W)pd@e+s6xhxXO8mVNwA+qEV zgv#J7u3;)mN{7nYX1Hn6i>XBwB6Ny#lSf2ypU3y@ zzH~JsMo!-GphTw{in*DXm1R>~fygNBXBcZHbRUgWzmCIr6hk*y{Hl5$Ma_NTMzT z=48RM)45vn0%QL$GqX)5gm3NI{9R_{Du&|wuQQB3_rqSo&ZPn9g^4h(Us!TML zl20v`$N7ks-y?71&Ybh`+p2CWti@KE|Ag~BADIqeV`*&6rMLdN{<#->to>!ZAh<`Z z+83Kq^qZzL2Fp~rja0=2Zl;dBJHbL$SF!7HYBH{1_97HT;5bJ5HS7LPe( zGTKyJg5S1z!90gOE<@vBp)&E9d`QLyb8wSpIOvPg^VKIikF$ThbJp}7L{oB)MxLk6 z3s+uKxSQ@=-HQ3u zx8m$53Yv!X3&(l-OV{$k^9kiOyT(m^+vXA0iwF(r(dW_EUvGKE)eG;J(?831T#UF9 zG%@dO5^^-1rvP!dDP&{b*8RLgQfS$u+-ux>Fb{HNFxCIwV6iTntK52tH?5BmLY`Ab zSi%#WJYMB&H(Z!hyA4~94^?mI|LXGbX-kaIuW=OXw(n->%I$gEE6Xc{(w4A<{X##k z9Md_8N?zvudCVqT&ppT8^rN5w#dNn}(G0YLp3AM35QKty8KZ$s{0IBQ?QXkdJ^ID` zD+RT8D;teF+QKmlgKOOjh>?17M^npAC5zeGh~WZcnp;KLCxJ&-t?bsvOyRhM^1hUP zqv9IBXu0;eS!mi!rPFhA9DUu!?B8Ux|I0v9y^{*q)5Bs+3Cu&&R-A^SIiG*Iq){(1 zX}1wY>!}b-8)sK`pG%X%t>T+beNn8O;ER$ABw%Vb@X{kHEwq826QuuXDr<^yfAgGu zaV=}yYtQwLD-ueUB`Z>E^==S~GZRU{MdO+NLZ`*i<^G(S=(^~mqgKgdPG zOs>?{Uy2p^WTO@Jo^n4_E=ENfe#?*n`cEb`7W>kg_~v)m+WU3xgOHfuhY)Zbr<7o6 zoZ71SIPrF@Rc`n6uz@-zG*MI%2AyqN=2)RS~k(AZvUv?89ueLR!i+)`Kgs=P6h9CoByfe zM^V`|YHI*BbEeq)F})1+!w_8$R)`FTOwuy<7k3s8M_83}VH6KzOK3O@3zYuS+8fU4 z20@~ib`P9q(tXWJI>Qm_Lzgv8E{u+HjJ8-N(aOz^k0>TYq8K^zOE98Kb%jhIlaLge zxxq1k2S6d z&uxA0ExaN#BIFL@Y8iRJ8Vs;xF#9x6eP z+>ESne6sS`iv#nf!Vi8_ufME2DlZSq&Q3NA#_)tG%1OiojMSGZWO#I_b^nnqtC-~5CR%Vx5VDnXbcMoK|k#D4K{fvj(M8xuA@tceOmtj_twMt zZ?|&@1ha#lqWL-eZT@QMBW?lPo)!4K_O>yIMe@!3Zc_8qSC~li+Qe4o{s*Pl8)ILT z99`>cKcJ1KHjOsA+EklxMBk>ROf*>d(x5ZSy3ju`XK^KDo+-VJ6CyHpJJj{=jEhqE zDEbHO0JzNm$A44cudyG75J@j6i?xN&f`BNIpe2(A#XR8JSe5vomB3mKvAoF5P)b2F zr%2TeMIHhreyUX7T2+I^$LJ43YQoAJ4<#(>s0M^Dw(jXR0N_G1oGEYMubM;7qnDnq zek%icr;<1cnOnMjldul>* z;_R!nZ`FrVx%ydCZukHWovv!+A?}yJSk}}Nqg#d@MOPMMDUT_1zdVRoNn5{C zwwcmo-zkd1`p$5Ym9bjN(=vbg?(ew?4ka&)s%FK(ZVMOg)-wB7ZtYU=Hcaxm^<@^q zEO#Jvp$%nzy@Tp9I0+gR1H(%5t!ycEJffH(s?rVo-472zhLvI}WVIwD##`NrNwWOZ zxN!J1`+X0cweBPdk$0|iy_?x6f%;X^ViZO;?RIwpV+#(Ir375{P z=GyVgIGlZ8=0cOKdsIh}s6%EC_ASuQ2vP`wS%+vRGDAFQ%l&n{!)^+pOurOYjL0z! zb1G|ditC}3ZgeX1p%hl|oxDf~Ot7oLK;N75dKLFS$Bd&{#tk3T>@OF*YA6a4o#G#o z=AC;E4m5SzDY7~J@)3o<&ZwctbXo(fqwdv?DYA7k!$qCq@a+}G+c0->M8QRCq+<|x z#AUU*L>x2m=^?J@2UDwD?TM}~t!v;wmuq7dkjNqd7L#}6>-?meA{VJUnp+H(Vs32( zNZ1D^i)pPeNBNtKp;I-Zzk(f18o6qU8wT9_nszm!M-I4RDslazLr~0+gAo#4c(i(N zaH|u@QA1P|=h|O69%!|~N8qe_*C6v5qsbSEoeQb@IC7(&g7Ea+5){j@m|dvt7UjW2 zK96?eWDH9ypu?x+I+Zz|sZ_^=iw>!4As;7rEa&?2cp2re6$sX81C73SsN__)#Ci-quEiZrns)^b7~`0S<%L&A z^7ivM0$A)um&e06qK#Ym=WOAgLCVrQ7DEy{m*gw!XGa{{L8kWFq@HK!xv9Zown&xA z!=Yq1fYlr(vR3j#bpz@VQnnAu9An?5ElX7+b;HELW=gSDb*6Tp`Rds=dCR~@wk5kC z9FG?fIsyIJu_&)_sxOt*#xkyAYE0_P{V5$RUGW&!36b+ib@v&36J83bnhxc=z^P;B zYWJXlHY`8f56C7W^SVnsauMy#I=<=z&X4doD0A{%)sHN$oztSkG5A^R7Xuh)?g>TF znESaH*Y?LDLPxQ)HE-$t@%kt&k27Me_l%)+PUTX1DY82sgx_h6uVlrVpmzJy>pDGG zwE|IA!vN7;eY-RopNwU0lm-RDYs!)Wm+RZlze69z?Sr!JKT(C0wW8mqixY z`go3hM;!1F~)mtuPFJJUW_BoN2Np!%L4gh%a5+nqtdnm?=pRh-_>YbgF>1 zsDLg9pdMTOW#qzQ0+CP#WmJZiwd;mU5a#UM#bYb zwaQt$hQdypjtdK0s`VBTjX@Ip&^wfpj-~R<9+_My@r9z3(Yh|Fk+PP^PJ&69z}B`yc=T9;G9~(_$b{jfz*#k?k{FMj>b-%9WU#; z+j@nw>~>b`SMRnE*5pjdT*zKgO=yFAw=U`$63AuZ&}S|=NVwleavw}U@d)=Fn!lqh zG?G8d-8^jm#g`>`55#EW@;QW-%=SU-BZ^4eZ1QIKb2_FGQ$m_x?7++VZ`!tkF0)^$ z=Rm4tZ?~%G$yB!`0pAoT)M~DpTB&Ft9-{(khBG(ujUs=PQmixrPeZ zMZg&2H%*&1+-cNzZi9hPtvRboL)pAtCpCzRRweUkJ~0!j9?F=RX~%{Q+38^q7=%A` zDJlE9`JQqBNPW~s6`TOBBKY-@l`kHmJ{8wQzpN{6$aDF`bE;oRRWv`bI-Qs&Kc$x$ zw#ak&14%lqwvo(s!PW&T)^7?#=qN=07UtRI3Q>J*fc_F#t+4g%E&B(_08D{B$E&RO z=|1Mnv}@*?wMtr1ToNri#!)*Nw2xITwEK^uX7+a>LH={@)kNAHb6DgicuMogMV|0& zB3LHT8d4n}u~SHU&%mJJd8yY-xQG_Y6hgsEu6Gz4O8qJlWdZ-}RNMO`Qtn?^0EJLF z3O3_woS>$9M>r6=>gDAvl86l~hKGdu1q?y6H@kI*MqiQ}Ve9>u5+)erN8z!dEXwDG zDav%R%fJ+}6dj1M*X0i^plR^xPdr>c9yq~q;lhHN2Gd)vUv8Lg9Rr^DMbq`Z0%XAV zrMT#@!c&YctDqxOL@^CLo?&R=`LSV61_w2cQ?eVE3kdZfIdWBHqw(8%ge>XD`u+Ea z6SM_RS~rB8r@y2|XkX8Aa~kgzkJazgKj?8ez;eHW<3sut*lAO&lf788WHO-h-6Gg0 zr&EPLqC~)_6)#S#f9IgDyAty<^q}cSDZ2I~V-2g|-r_V->z;>ZK!4#-UY(bzTQH0c zb1_2MFQFk-w;aZk>{4ne{Akp;6LsnPl%HQqE3Vf=4@>JvKRYmT$ylFoq|ZgpRSAS@ zE?6lW1r-cwbwNQ4bUUT6Y`rBgen*wV?@ODqadH)Yi=g_OtY%wXN>(a^{({XoDuF%9 zd~JEqYuA#`jd*P{Re-Xt1Q258Xpu$HItiQ@Ad%ItO~&&TqDFLXFyPq=9b9!y|D9hX z+TCef4QI=#ROyP5ju=m=TJJBh@6f~faNpsHp|;07Bs@m=V}M|uwEg&+I@9fGvvC^q zdrj;s;a8>fBQ%?r2_ICY;fQD0NA8AsZ9JjFZ#oyoDc=Gzdmt-*AL8UAN8kQ>g%eV4 zAv3}Y+Ww|Gxmx)HD%K{#(Dr1ZbveUs>oh3oa63n4XN7cb-DjibK&2&mJ#-@WrjR4oNVmmFR2>FM*paZj9~cHQ2N|mXF(y5$kXP;|nVIL{yLOuNHtZ9r6i2 zgyssqvGr!TZpwohJ&wVmTs8LvcJ~S0{oz`4272h5pBnwg8m%ztx|IOo_N6ufVJFOD z?-hf9=B@4BIy6yl+p)&=VAop<*$VjQ$;Y#cR=Ub9j%|uhIsr&j&&B9QOTCgg9?p(DBU;y-}YZdQB9 zTa1}?%w~VX5uZJevM~)h?D_&)l^(3Uc;|KJ6UXK>KG4oJubMw31IrTbH%WwWy!{Wag;!p*Yo++@4SFv`SySR1XWwe3cC-~NMETmcaS1a?2> zsxAQ7(!0lQ#$1}-VMj9d`i6_|ZKt_77?j%7Ln9_8db57y$VaU?l^gm_ZHAL;XWJK> z!)VtyyVJi^ie?=Y!zVxb7(9GO5o-^++a;Pv=W^KAJas;0{8q6$gu)#_-eL5ZPEj!! z(0$r(KJ&wAbM2K<>nP-#^D)@2N~3!w(3ls@w zu~t+uO@{B#K{HBv_i!zpT-8K@yQkV|@UV`;3uayMiAT9&5fbuR@99}lIuIFSmR}8z zMjWQ@;ezwXIpd(hk0g-18g^gjs61b7gIOM9H~3*uN^#kH*pKu=A^mD4B06XofUP2L zA7Qej^j9F1dV0!_;l7t>=Q!m{e*~NGBuKU$M+cd9Bm}u0ZoyN!?wdaM3K%CVxwU+V z!{}*}L9w&k=7T%oH1wl2>m747fT-lIa1{xE){?pT1RG3Kc}wSwA?Wc0GqQ5aAC`OB zeTB8!_?-)*CwGUi8%Dyd@w)F2nZ^Wt4A7F3191C3t?tcn!K(IZIbV1?AvH>3U0v+9 zzNBwiRd1lABcXs}17FLEqo;k{61yge@Q8KP&V$f^1L|#ys^TFpvOPN~Q|zS_C_-8& z<{hqAUJGC58((ufAX}@3>!fgNqtVac%hhpMEz!#y)y?#&`XcCO5A?W-*rhTGoyQMq zk61sjH9Ic&9thOFk)p>dZC}FRbBTNVqsZG_Ov7yo=r}G=zue&4+umRCYI86cBvT_E zws_FHz2NkbZs)u2!Idcw%k}S#oL=iZ+oRVbnjZct75Pn-vz=1VO`Sy&F+7l)2BwAp z;b|=}56LmsN$z@m3bDYAX3&Qg1RhdhhT9l`%>ZYVghj{y9w_tYe1$v5Js~ zL71>{6IQPVnXvsWOX8@wDug<6`Vpa-rn+R&WYoD95Q#kwJ)!*y@UrH!bjDX5yz@&H zs>5SdYX)jH4{$(s=VnqagzfAFzs@~uhaQsIbZLw)k7-y{Z#9SL_bjJM4J%%^t;bTB! zyjqLAW%|dCYT4r7x;dwWefahl&3Kl21j4Ns4M1qaV0yd^keN^vt&Hd*6QPt;tV6~* z_USq9VI&1N^|q?bWCXWj))4Ilrk*LS>%B4E+a)rq6Q+%3wpAuEm?V@2=aTR#6f0Ce zAl;t=r$C$0^_5jEL1MJc1W3%@5@Gce;i%Z?I+1a{^p_8eYz|QS76Ii`PbaJn3hH)& zY%Y}>oX=8pZ{;7o7nUAm)xW9jyka+6S+4Ujk%%Ct6r-XXK-Bn>H%?3=ZZE@?X;&-(N5ynWq z(UM#X@C7clYkksmN74W~sRLAZzgwhfO@v3Cw|0T5RXs};VT?{qu|j#G9hu*7 z{ux?awYzBh!z6g6n4GQ>rKPo~YBSbU)M>3c1D{jCm^BoohAI1$^qxnLu*jhh)H26Y zG1}-msH;a(WaD}4Hr*yOAy@s8v2~iN`lB$>F*oTNAS>TRYds70sV=rQYO2N7Ryr)~ zuW*<>;(p>f!RlTpj^(he!9`^fJr7SZC&ub?ng`Mwt5fhrB6cIFWN%4)!i{^kH;#q5 zOlM7xeV3mf`+oL;Cfq`Z#8n^fx*kJEIMqpeRi95@IjSu6JZ7zlS$|N9rg5e}GxqGw zAOw}B7osWB3Id@$>p~qTT!y~)&WkLa2&vG|?c53zc)M#+M};-ms>W>@Mb=#8*gDO0DVQwn$#a+Vgp5WflADfot*s$)sP=iQ?G{;oAV;CbOE$ClUF zoTm3MABXxuCo9cDaS=qtrMIPV3#~vt#FXB_SMK^|e2c}krTv#v)&fava5ju@3^agM zTYsxI=?(jc4fTzCRg_UdwocWP`^$K@cFx z__cz@#h6+b)8&0up0Ke9-7iulE9R~G4&rhh-&N`wv-)bWFVKccPQLe!hpXL1UZF&e z>w9Zw4!sqsD3haIL?$T?KCIW25kWb1oD3z#J)zeke;kDJSrtg$x@}**?mnKqR@w*+ zm~eKlR%6#=oM;k3U>({7j9V4v4t_Ay*Nm?}a1RtV;HaX`Afi~hPU<3$eUBFAXIQj} z?U~y??XEIHbtY>}9(ox5ag%c7*zBbh;kD}b{!jT(VGc8ys#-a!2&;-f+r&&)?Ntwd z z-pXK`w7xO^3%KHM3U!B=N%9i>hqsI>lp-3P;=r)K(NoJmnd zL<-*h(XFYVDVJDSCSr0#0uxMdi)LMF9t1MVCaYMv0LM@Eq~zd(fl!GFye*0BQZ6L2 z)$Gf=Yaogo<7yzsB_f5@$n^QtSyvzjBd0;n45m8=n9MJtP0NJe7iDU%zB8)eMhb9m z^UeZ!p&p)m?;whd_%PPJFJo%HIh_H7HgL41mPy ztDXvHIE278e|JN{>g+z!Q|-{pucOi@XzaBQ7kZym+knN5Y#y{F}(58N#hGwZ?RJkC=C zI}V*9mG_FuQU=s5-_T|%x~-N)miw+ss4dEXBy4A{`K@c|BLr==X6swgLi|GZd>U?Fuk* z{xhd*+Zc`NP$}}9{j4ao^_sQJJxTc1=CADlIKZQ33wJ(2FMmF$cpc!Y+hUqy{1Cs1 zm(lM<2T4*957u5K(76~WunT94{1+29{C%Q^L||qjeYhf z#gTpmV&Zyf92eNK!k^@{U!*c6Ww7dtza_u&9~=|Q{viZ;I) z^Y9j)!|zkxEi2B6WkTwiaoBN62v=s-cX`AOuY6ZI@SJ(=LF(_A<^EaYwD0aKB2`(Q zls~q+YeJ826pdv5*cqvC;A(b%bCbUVFkHDtytWs>!@a-zdo-Jlst{AY)Y_hz!P@)3 zTu=HO_V2X4|7K0$gb_)*Kp&M{hl=md3dm2rFMI&+2u|=0yT<(PF8|{~hG8>^^{e{6G=wkfkHFBLjNbHs6~b`Y zt3YF7xTDTP#4p#Gw|4Dzhe&($aB^3%cPvF}VS*fTWQ&m4<|{EO4QV**{Aa*TXr=d8 zmi9`xJ7<6E_e7J_s!*hmZKZ&LQ~*ZlNWe8Ad6fU)eX;iz()~O?N-_A35LPEt8FH)i zcyvsYNNGW`jDp9+pnR9%ya~L_cd)hS)UsaM^~750EYblvf0Z1-^`X3_-efj`m7fgy z`{&3Lz2AjKc%3M`uIVvxV-2vL>Le6)^OhZT8G$Lx(=^A7hy}U9OmcuUay`S~#??BY zXTi{;g;{ug0VfA3C76LK&ju{d?VVPw>hq6xgBenumwL?*PmbNs8~M$n#HM_q#_#k_ zhJLbnK;GHe=?jLcnhBZi<_*6X{dfg(Y{)aV?cw90au>>ZDORYtA*(3#*o+EG>I!Zo zIIc1ORdMls-Jq35h5Da_6`S70x~iI$3CDoItab;c@l8O%bq!!#r>zlo+ zzoBN<;1tSBgE2X+w{(XOCP)M?R!lWmGj0O3`*(H?Np9l#tRWxTLVtclvm#-uQXQZo zW2F{UKqNn|Z44SgdYn(eVy-RB8U@uwW0a_;?gDNP_k+CO;!N0aC0ngABGQn-uTB!% zO7^gsYcS?O(s-f4Y|PwMaz45TK08*sqCfxE7ZZO9H6EB_{Kdbk5K%plKj;9m@AeQM3I?t`b#^5ukbT7stH~2u#OaJt$L0RDx)T~ zoz;)GWNylW?2I<#_CHk2A2(Z^rbf4iyJ2A8gyeBEou|HuK z&;HZT|M}05NVqEbdwJ8J)WIS?M9@!b&o9Gqk9R(tn(Y@uFr=73etR)Q4!46eQh!u@ zkewz`z@+$;UFA}Tp@VuVc(TCAf>@j{I>xP{XO>A(Sd3)l1l3msmp;29v1{E^nKr!- zyAIAG>O@zBTqW(f9cFgq&17u`wRx{50`H;u(K4_yR5Iv>xr&gZWtXtdL2g_j*jOL| z1YhWDt|UM7+5J3S!?n=fyAU|n)SrEL&VwJy`;*97Ffu0pNm8B#Txbq~7hbz<%eEsn zEj_PqNbY~-tKt2=P=!|)TsLs1W9%MHrPw1B3N#Yjzo~`*qhJ+fSmXJ`JbI$Ut5wNc z(aD9BitYD`DSRsVgB)%;^IXEMqty#}L_Uqa2szynmBB+Cj=n!3vkY@uS9|TY zliJy$2Z)3ie)k^#wcy!=bC*n%%|J@yHJnQ8$4RbuThPR?J3Y_DsJ4Kmzba8Cay$0K zm9weFiZ{Fjp>@O(rMwaJQ?{UmT&{^Csvc&r#S=e zWXtReGnW4|Y$cd-(5|a+$p|z5kcwK~xbmB)iw@NWUnz&&BejqD#DZhpQb2sw4XYN> zcJu@L?rpQQPj9zuymcR5mM5;xnOCH%>i*{7Mpz->hfcI_w{auk2{Zk=lHE>k-Hhxo ztwe%b1=UIcU4*yx?zuT%px&;h0>e))tK?FwP$@RZ429vJ3kOdz%o0POb~K9HT0&|5 zT1+JT)ew;wLa{Bq3X&~ms-*79UyuqhP# zWr^r5u6gk^;b94~M0CD!91QL z88`rK@OB*6Jny|V7@Fgrpvlvgs2=!DSUoDZQQ0!+ji0w+HM&|C|AVw=ZkA|0|yQR%nBSfyvb}AdI zTq9S?oc{3U2VWcY>GCm?TMzDEsW3d&IJ!CE+iNMeV4Wn}wn{w{vk*|0AqwDF$?8Bq z!Eog(Ok#Nx+x6!h!}Yl6%oo;nTV*#$@DX0j7+;Yk^UOvtm%W?29gqRjco|DF*tPx< z9Xw?f{>(L8H~iBwhZJ|2(JsC?tGT5LR8}s3Dtj|~apU?}HcOkpKZF1T2Ht_Bec*lF zUd)dLV#wYFoCW>%8A0Vu`e0YuH6wqev}&U;&QeW;W_OKKZ+3I%MYfck{`9*Sdy}Ml z9=&|*u9iQZSG$qm)3@hg8mNTCTzMB3wfyo_zv?h)hfyJF%VjX0^&_M$@#>Yx=XO0NawRd@0Q-!%6{%gCv6U z`fA@gl-IZ@YCJlq8DidOPaBc$XH#@kMn3C#j+K#I=Qal@e=X=GR-R7GXU7=-&D~c; z=XWHys!MU9=GBytXnIyT#>dY4pry^{(Z}IurFD3uf!Bb{@}gCOaya1~@hK{CMRO z`WMhj)T8PaaH%jh&93bYHurwy4dUzC9;dUGa>X?#=J%z^=J91Rg3V96!V?b;nQFD5 zEK5;fTXfc>CT0kGE7VD~95B*>n>sCtF&_C|XK}i2#QU!MR3w^Uo>jzb2=H$WH{IqO zDs&fosY_4sL>SpIe@cEK;YG>u^WcD*ChK{fm#m&^l&#hV{}TKr-2tZ77RMPYw7c{j zL#SV}K(4f)B|8#jp39q`WW~k=2l{3O7-i?vLhf>SVVn?(EnT#GzDXA`ex%zxgHtCA zW-SdBxm6??SYkWTrQT&bs!0ENZSTc)zsZu*Isue>ib~(4e_FTS-uB)Glx0vn&+hOy zV#?0Ct~GUnzm#PuRh)uT)6t*u+WoQIQxMV##_GdDK=J0%GX?D&1(`?XzW>U4$B=3Ga=GFjbl`}*$^6;h zR<+QlE0oTJIUq2oyMZCyquj`939VLh^U%%F)mKdGDQCpP^vpgMv zbHLt|`8j$)Jr_L{pe}UMXbe}YRR`P?DVTQvzm$f^AAshpBi9?V)_=aYdz7oGX&In4 zonl$``*bbo+3qhd$5(NmZo$F{3Oe-n=*)!>w>*madC9C43aVQ2qG-2u);50X7^ErP z>vd06Ul=c)(-u?_3wjyg0vOrZNLG6Vu5s5Ti-{5TL3OurQL3w1x(cj$lV>*_ar<7+ zw4ZSbYc<{^uDE~EA&vK~H9d7`@~(=*Z*hnPI&yTxdKxi!Gxhyon|dEbaC7{f#Tr1u zKAWxr%5FNR$)ZO?i^e{BuF}&=)Rr9<{MJxz8m)eMHG+ChDV<*Gee>^n9EMiQ)I^58 zGbB<=Uki~cS?#7{%QV|dqU)uzzYlW9R%q9sGY z$OH*%lw*T^OXSPpLDe)@7B>{|BeGr}xiHK~1dO+$&`oZXTuK@)P@zO;{&8V?)ABUY zTs{HZi>h*89xH)*z&m1s#~wrLEke1B3T4R|RQBky;FC2b)HWI23SBCls7UUJleqRI z!y4Y+UeQoDWbc`okEei75$vra<*ubTVvGW}93b+0NRQkWwBX_+9` z$2VyMO5i_qm^GusM4>VlKGysPmus^(Z!@{JW(PC%x7YZ#L!D9-<9i#un@;F9x`9us z5;vf2n3Ti*2J*@&4DKeH)Iar~%Vx^2cFCL#w{=P94e#^E%+Qzoq5!0ZyCh@WUxW>!rj~0~g{3BjCSV4C5r! zRlATX&K#A39u3Z-mu>YOK?R6kzmET}RuMi#*eA$!PYrH=MqIDvPKY)-6q)Xn*;zD2 zbBMnwl^F*L9By$4+qD7o@un)*Udg=N|91I|fV%rMAqzxF+qoPGjl}ofTI>4B`RS>z zvvzz8N~S!-v3dZTtggJ8Zzy=0g&zH@OHr0^{5x|bv92XH(BD~X3MaF@r#$QmzK-Up zvc<>V3VG?r5hR5DZ017}9!u3(sj#$T(>z3FADx8^fN9*QYfqqNX78@n6OW;p9>H@p zpn1XpNcbk(Amw@^AW|1F;Z3b{6vqg^n^2w6eE7qpIP?u63od_?706Fjn8RJ`;X3$@ zR!izT<%)gTKB&4C>INIvxR+wU9WyD=-@fBEw(Z6>NLk;72CFF6PQCCOMI9NKOr-S!<~S8IVy118}D`!d?B7my~0bXHZ>8E z;PMaoXrq*Dz1^TYJq<&u%<@C$ORjnw?umxmez5B0@;%(5(NYlrf;xQ~8(-wWo3hc? z^sQShrPr^$z+2*u6G|7xd`)ajRT!1{7)`v85=PL0iWenj(KPG)~X&~wE>LdZ_`??r}1vl1NpZY3D*W7d>7li z;}K1Tp?@M2<|H{!?b5f}T!T?drDj0L{I%R4t{IR?QYd`uAxV|g9U5Y!_)&~2${}n5 zZ(wE+t%Qm?YMa4~I1uff{cv&CsNO3l0VuNo8^yuV2;e?k4>lTW`^ zM9iRvOaTG6`=Z_hdeViBxD}_N#_Kz`o&m!4dWztUHT?4Jayd8lSoMler}mtiuKYXuH{krU-)|sq-177%Xdkb9)_gifNNY_wlwZhcl** z?cRGtYuCT{bGlJ0OJHkQ$65VVxu*KXfT0JvmNxq2Az-X(VB^W}+Yu)~%~eqLKniLv zi1q@0eN&2kI@?2^qZjVdFZ^uy@nbko*VgJVIwN9RCrI5H{^PCgy((V8p>JOcWz3Pa zJ*Q7}Bl=8KcC9BbEp+pcf0~|t_u`k(UUV*0Q%mX6<=(?PPxB>`E#>^fLRT+g^!<6q zS+kZ-tR8jd#80*1h&iCfd2o)og4j{ZEKin(?82=SKC)v<&3k?CRojaCTpbVf`E~(m zqFDlEJTTB^Ypjb1++(hZjET2@=0LOcNi$eQS@K8&9m=KSvc0&hZ*>Q%FTIm z-NqMdVyQ@mX8yQE=zM=vr9~4lIAz@{1Cc*Y$(Bn9i($j=CQ2L`h-h1`0dV72bDf1y z!CQFv9MA|^TDfC-GXGwj{umPJ3X@3*WCcbyE)6w=^wJh3xk07lNwYghC0kC4^QR~% z-)xD|xbCp-H%&~R*r2)kjog(9&p2&56qS1(Hi#AUrz3->iXIz}?vU=~7-HiG3r~#K zIFkWn`uM&W7tN^+-Z5cT_=$ch{}NNO*bX3|Ep_KYz5LxJ!>knjte4Zt84{C zl`ET~a^Ccw=be?G^L~jl>30xXN@?0`Rg7$pLRBL&(c26DWl|eP>7K~_YOm!I^sVmpnMdYic_>R{aj;H|9$#eMU9s)J$LpAp_p{@x%4@ zpnF-p0RY+|pwBAV<&m zLKTw|RS^8m=1RQp7X9#;ZmnB5zUjwGz7H6+Sm*j3ue$*nS~)e`2o(FoGR^SxdsylT z%m_&VOZinU##o_HA`gqxUVSz}Q?}t>0BuugakW2BmX1DHob9$~9P^J)FTpSZPmvze zSFj^^{3K1Z1&~z}wW2^cMgf{yil&1%Q|(YdgoFjS%{HWrjlm?yS0HJwUeT|AelxcC z_3W#)blBk-A%o-_z5OxX>gVupwmZwVoWzhOITGEVrR{VLXowT-ns%0n=GIkC$2S$5 zdMnG7eoLnh`eX2#(%y#AdxAIRF3w>SBrwL_Hbuh~DLAJTh`)_jd2fyuX?I?G@AhVG z{lS|FWv^lPP_sk+0NcF$FsQf@s9zhk_w~P*H?eJRtlL7)s5V6_I4E%IY)h?g2Ayd% zU_*PLyyGomGoluL~gD*?+<)| zu;&5+MZRk21BecH^mivxYu;L5U zTbftyjGuz#bJ@u0!+zMtBW`P7Lf@So_9vq0C=N#%mJ)wi})%c69+8M!xmq-4NG zFtwQpO(}V;Jl*jt z39Z$B7SFE@jgF7YC)jjT5PhbdRVo`sqo;h;rQ&8zsDdG`z(=XJQ}bpF0~n>39DpHT)$}?AR%>;A-KQ9+InbL|EERqGD!|u|YyuKW#xTwwX>9u+zP75Whxq_jYRPl!2SR20C(WPqWfh5XsJg4s zzr=d5hljtlV@KG*^2+3(X(A$y#HJH$FO#oRBkLK^nVBttg%CYb=LGjbRyh@4WM@&v zu~Ow5_BWe>ND$&Z8yQw!9`k|*B*?-)Hpm+Hxv#?%e5fq?goSE<^;zN^QqvWS5h${tUp4->u` z-&iyt);?%eZ?Ee_j%>OlDb6c=`D&E!bS|%bdetDsZ|4%bK?mR9eYlr-s}hMj+3z^S z%Bf#QhQ6?Svq z(eHy&2N4T%q%?kVTKa*1dI=8=t=1Wk#(E44oBA3uU# z42>(3b)NAaT-bNVR!^lH8bmED_&y=9z7Wxy&it*~7L+<_!f$8=6lwyCd#?Hk=GVLU zkd-YhW3z$1HbBx-`+u%-C|^DOg-P@4yb(UX%p~NlvW?DAbr9g zmF>L*>|Ab|KM37+<4U0_+swR%F;dgkYNtnKLGM^~s6}gaj}GY!FNz*8D;aU|qq^wV zQicw_hUZKE?mx#AW#7n9EXG4Bhc%5;9=lWW7$%I%CMf%U>MAus!xTN!vv38ZG25CI z(3w8F(F4=0Nh{ZQs#arhYa!c1qHr8HQV_NC_?n&GV*N42oRZfTu`|(t>ibK}0M7db zPpjQq3F^tJwRK3Qk-g)f-;W?e5ZPhjdR6(=S{%!w#CQ(lNYM2KYtG67 zD+gH$gkT68H*gJTzc0NcKEZD?Np`_H-1=oEg4KMqBv~B;KO4W6X2CE}DMR)Om<`_{ z>AtTf`v@|S9Vwlcxyebp+plMimESo- zRthDb1L;BxeCDnCAJLsB-GMZ?mR`{MEbzlz4qX+sW}NaJ?_aX&qh5|OYWHew@-NYP z4%EiT-h4S@$c4>wLCfW#@jde~tanL|6+H)DNCmmJ+(eC2YD0CZSTLez@IJ7yfI?84ZPf4=pD%&k%A{G8M^kOjKLR&*ytS~pRiFBG^t^Xr zBfRNhQ+?O==0e=YcMfw5FywL@E2zu5N#o}Acx@O5zPqmUcYh6(h=UY-XT~1&<~m^>v<)zP}Rv$sVgVI$o<+Dt3+)a zo@%@H#d{)y?y1VoqG@QIVdC?JNB`QFe3l!Tld>d3za3j9VHj1pTtfquM-B9@}N@2ZRC9xfkexMj30Bfn~zZcJ52e zLJI+NN&P&MZ*l#(*L5%AY=4|8wJ8;76x6eKnD)LEioh}4OJBagw;V0 zm27C!XbU~Ti?s!O#>Q$(*GXbwvZwC?I1xzmv*GK*=yO12Kc^%q$&dbus0VC<;nD81 zEJxjXF5`;j&0(O_%4ytW^mSk7W$En6he&Ya8JAJSX`>9~x@O+cr{GCIMN)eI#A}?- z_ov9&{yTzW%a_2oE&+uFbL~5>aBDpZ)*No7qyZtXlby-L?iS#lmKO^5 zgz01LIyV5_)5DYR&R5D#SgXBk-g`_StZD~mzg=%YhM3trL0Kccz3YS=IKt?f_}MKA9;fHs)Tgs% zZU71TdY^Mb99+Og-=$j)avclRV9T2#i&)Jt(qt_|iu1D>9HBLJA+bGU8^}~MLw|nC zSsLD9#iLVM-bU7nBYeM0u~QizhIw2Il!ZBG!eULq@1bnX?GAlM(EXbpqA*RYcpRqG zqao}ZTY>+;eoF{9MNMW?(eiWvkP+I>U-PJ|3MH=BX`|Q+Iy@i`^&`O>qfSK~?*=dP zz9?oGUceHMTg&=E;^;N+N=~6;#;ouKuy_!oJNbK4*wN6697)^vXob313gF;oHtg2% zUZ(jGcI%XYs(zB@@MYdZb^zeed@+mf3tax%V9-01ghwhO`^Y@DGo+`~m3E>>zKRo@ zZpj=g^rX)H!5!K#=A6wshBO#Upo%tv!V|8wHa4(`XyxCa@<+Q3RB{i$kt++LC~Kh~ z5Nqu`+E3kDG2(RGIQEa+(t`eaSw;5ZeJW6WGzyY&M{Q9fWsWQW@R{H}dSQB#O>*%;XL(8|tLG4vUMJJ(za>)49sWM5bc z8nJZRn!sqRi4f}`y_v#T1CE{l(kKBZXUy@W_aPtes8g#{7D-H~3*aqr)myzNh(og7 z=w-ubVTBl8S^$$t04|xu-ITwdY*;tca{R$U;1gg=vlVBQaQc=*tRqX75%ceg@a-&= z0fs=WjW5668)A+j(Xcy1>gULbJ-G6|ph5>{_1-ryH84Q@@P?FklYsc_rjVJ`;J;#h z{C*DmAXht2DM`IQ8tXw;J@J0&wwE8ikz8H_lFhZy+kLF=)^!nd6^PxRab?x2Gi~`?!tMDAMt0R92?fdnuQ>`w&7)nYle#J(8Y|)_Mh#>Ng`$|W2$ikNkB~ZJDXlEC_;@_Ti!2eF~A%w zwN@PTj^6Md^DmhQc?T^@A5n2E1!LL^#@dFz+`J82`!*+%64S&7tAg7i9bScyN(~vO zfUNps?*j>Ob4Rz?Gv+ogV>_L8QcYNFb<~A}=xeHNgB4C^^caH`85^Ce);6OO7A8tL zcwDa$_K?!e#b`OqWl|7+qi|UV7W6t9lrS9lED7U z;M85;x0Yte7^-ay^q8Xg18j*uwF#=_!!7mvKfcZe6c8zXO}SV7;y?H{dIk52TdHjRNH8XzC8#)sUi**$$qIHfXl=sSW^6!4FI|l*2T(2`i9^o5 z3bs8pzcAJ|7u2XpVM}^{`9m3K6n=D-E3v&%Lzo5MC2nD-LmnjEDrVlVpGx)ob2njj z)^TI*hxB5So?tp?#Zv1dXiqkF^Bjj$rCIsZ2(%Z?kx*L?aU1&R{V`LHs94$F&TXB$ z#Jx`UNjy`f^?OSZSm*Tn3ZyM_X5Y0ZS(9fbZ4ras63{yQJUfk!4N59nJ4$vK-nN>T z8f)(axAT|S19T%ez~~EOcq_GM-E5Hv-Vn5};6d zSo+!4ul9)CGB2(4c(7-q(tgL?C_-QcZR*|F)5Diz2mj`2jU~cOHJ+c27W4 zqM!RZ9lE3HMjz*o=6*8?J4(ExeFU-DB3aq=>RRUW!+Tv{KL>Fve_{+&ne4TkoyDNR zFdDn zA?w!nqd>SE__0{51^|(yC+u7JPB}%ePkB_Ogt)JCKkM&Nr-{0eQ08xR!2|P*Ryg5!xjs1<{;22QPy~lSyBnuN0miPj93a^f z^zg>A)f8m(udLmBe{pM6qKU@MOZwxNfGqXg5KlTN>eacD3({r{Jp2>!Gn@wpQ_k;= zzF=x)^%TJ#%y9?GUj9I%L!^A{ys9R)Ni~%17YtNId|WTwAo+YtvC%^RJS3@c>k!*= z`8UC4?JhiI5zqr#D$?YZKtg`CB1PB>Cp1X~$%)B;2gPso^3cucs5;|&8hektdhiL$ zkC+UcPXp;$(7jmajWq2)?+xB&%`-vtF4j;=!~VOx*zU)I z`+qLGFPCf8EOg=zqwzAtZAy@j0=gW->@_(+z+xdv?=R$bN|>Nj7HP2mDqh$wQAHtrzl) z*LbS%wh@`tfPEPUn7E>s2zGDY8kogwloPh`tyrTT$Lt^4yTXTffJU)upgMhH6A2PC<$ZD;~S{aBiA|b}K=D1U( z;as<(?SC`>{!Q32mi9dBe`^8!V-{;&;@P|1_WAyq|N91p(P@BS!MB|gICpX!4|fX% zTO{-C-b({kVZ!TuT;t3ezkM-m91o;ivN^g}%kpINbI=(tN+@$UI>_|E-qk<8UfAE6 zq}x}XSX|d@5kAV65V~KZc%gCgEJ;{!SpV#S-FsbgK1Cmw^Fh4_AxV-4!rA9@LkBAz zJAFXs<7<2#pFPH-BeKx<;Z9O61)v0v1DZ0X>w%=UlU;VJuesaPboZ_g^P}D^3Lo19 zGEzajVE`VtLHr>du{`$BllFJCgTIDhQQ-HiiBw&?``4s-BzeR%M*pDjrTxi%fa)#h z)6uF|3?nVU`?AlC=_~0eOP3i^+I-5wAMU>W&$}dIw{(lguY#L`oV4aWRm3cfip=*>mz%24JnEaq&UjSN`?T znZ))NgpLn>XP#>r?e~IUq~53T{SE8sNRC#-mpjeDd98m%r4}HNsJPDGQl$QdtMPB< z&i}jXeYw=v6dLSy!Z%GQ>c9Hlzx$`W`;TmbcZnwc-Ru8%ivFh_9jVzBPVkN~llYqf z`hUOBfBd2Ub9?`(VgH+9{h!hMpV9l9sqs$(^Z)ymt2I-5u;A7|LU>xbR(_h&vs=~`=pxl$V45spM_sd-3e{+f`?)C9ZuC%-4v3;;2nCSrq z40QXBt^mfLFL=gqFgHMEU72@VR_12_KzgzP(;-bEbxFy|`vwcxHNNvb77-_bo(H(a zBdU|+crSN`D%~PV4sEg59c1^F&f4+rlAE$Ffzye{ z&uvO(XtlJ(p&@#Drgozk2rh7GEVn+Cgz^9Ss~y~Kr|$l3{iJg6cg}RJ;Wf|f&G>y1 zVYTqZ(U!3Q`qOb0Sf!46(dgEbkme3T$&g!We&ZFXv$*pfehfY1Jk}~`_ zx?*&Qrv;32b80cZIjSGTs0@@uxDU29!h(;Yb)58Nt4Pg!U_wizO}m7;J1g_1vgd#< zE~r1xF!4g1+h9qe_~pm7aOz+?D1hcXuIygTcrA>oN;(%KoKs#kuI!1+0@tKR3TXJp zE~z-bk{k=kBAa{%4ytiali&1?~LQ^?-&oREE#r#a23fg z)xEP%PpanX%fiI&f1gm-7$>QP2RmPJyA z$oM-VZUfbUm)*yaaGY;2o05K&#kw|p!9{BQzc(><@i6Y@YU}CgCCv#yj+DLt>rr{} z7hdQFGnd7mTvSx7(My!F{C4Zf*CTFe`)^sKUv=b{-?sWgUsG#0dgoV6M#LfD_s7)} znCkVb$(lBU!t(E=%woFA$$=?G&$eC{Ok?K19#pJ;FrVXwR`d6ZK!tcf2xkD7jY`z+ zSk15v7q^k(2S+}krl5#zF{`rbqMc3M`o$W;0WiX9T5ewPBVzJrjwL9@|C+{3BptR% zExKSd(*`ry`+YKaP%z@^#K#4v7#wWzbB0G{(;Y!0o58%Ef@t&b_4~X%yGuNkHNQO|@2>T~z_g6m_H%W4# zcBT3E8fjKmp2A7<#c6c(0M4;xdTY^I{my~lqi8RJ4@X>?(Or|5{~~O7W&pY)yT8jg z$sS-9`S%KjIjhyc43t!p?KOiQ89xp!c~?na#fj$FXr2N1MZsI{$3#!$_bTe?+GpEWUl#h=qCu~?Xj_`VV zLt*SpjpU@JT7|L7p?m6_nw`pTo*Kg4!ofS^f`=-zAsPE-x4)MgEMcUr+BF3E|B*TV zr#HNRI^`-40H@TXY+h;Q?2{1vaACV$G~6kk1H+%)*6wOK0N&1J-g(E(&6auMGL$Py zw?hof`p_95j5LIWJ-usKU`coaStV zGWR(a%C-oYzhS0?ZRJ-3H&ryX^gzURN=lEtsODE3Iv>s%*vFOit=V(<{?M!h{muTd za=8-U-rfFB&%Pn?9^)`PCJNF*XQcrc_B&&6vuIm%1I0_;$O?YR?T>HH?>*2t39);6 zZ8G?bj6sz!dMN{uld8O6ou-sP_Xup+7kfj-1;l9JtW!SQLpX=7CZ#BZPFHuftLRO2t!PBnl1iNSb#PWw8 zjmPNi{UUJ!w7ln&zD->D4A%0WvhuSM{xlgP(!A*7A?yNYGSOr-^0-{t9j3%~}z z$Twlb?V*liyK@_XvINhEaX9tp+%GkuL!rM+cE&|j(9T#(w3dlc^^;pOS--4sZYko= zeiVOv>4-LPK&%@MLb}spFU&Y6s}5+dKKJH9dSk5#!tYXae=}+R}`Q1Wp{R zGWPSBVg>gw%DKX3ceAwZYG^QZIVZ}o3|jYfh`*f2Cn;WaMKyRkN0YyuBOaCW3;QwP zcPNxip0y{a8gs_FiTKc2)l#cq%@At#U3KNr=hM<7AKJsNJiIqNGeO^J-~NgHpf^~` zn5ru0h91c*V+8r-DU@q&))(BuIDL_UdS@vkX!Vw~qw%p7`Q9`8h!~?;jMw%+)|F)A z2migv`CKcEC#m00rUx_u%%1BzB*#NVt=|RQ?*YlIM5;QBA zIf2Uks3nN@lxO~3gRXPEs)HKOHYk>>uAhz(SXr=#bpu2N8&_*`kU{Ev31ue%ovKF4 z-fodx%3w~2A6l6x3b&Jon?3X-^S`P9ZLZ08UUjQsp}h{T67c+7q(4^9W2(3n@F z@Xt|K7Y03(p8cw(ZhS)QTtC(5G3sM}`e!XiazCiX=3P^>$T#DQ=(m!ViY{250_f=<LITxxzTZ)o644$`i%acDAKGa`e8SoN$f_Ldo|EPgs*rcqi(`8>=9xhJ~vn+Qu`$(@suzhcgVDVyy@B3XeRZb~T zMW?DLrj%_At(5MwY1(8WMwVBjiBQMjAG{(KGW0^kgs?(z(%aX&eXI>S6-s6&omE+= z@-!Yy(vv_SR!J2Cs_lsRY2C%w6f2ng#>YWpfvU#9-bNXE!HRpE+RC4-d)c8+M<5w$ zfXXz?WM_8V5_Mzy8v&3i@e(r%JK`CmEM8VXdhVQjx3gJ9n&*R@{~pJB|FK0us9uNf zmo)1OJm2LA8PcBIrvuLzT_HO<;F^%I8zDnBmJz9xkWIwrU+A%q=+j}wpFSV zK;OiLOcnv+>*Ch7BcoxP42ca=&IYzd^28GdlX7=;P8x|gzL8ZwlPT_a=D!3m{PV?u z2Q2RT%_@Cs%CbSP|F#0uF8%OsBzgZ(*O1vt$KBlGRd+HT%by7nu-aAeLN*ETG2X=i z$jvaO2TyO_L;n3n#~bRU?JaS>P9tM(dMjK*`FW&4<#JzR23)VU#%QyCsMz}$$whw5 zLO_CeUt}-+D#}>a1pYH|RpyP7=;k=acmDGD+}(ryEsc+c?`k*Ss8Ohmb!FAq=arEi z9X;N_9##NdumnUO#jUTIxO4EFk^FbzbX*zK(^ck1`gIfD&JDw|6@3WMn&zJ{XGs8E zT%M?}`JE@F*SLs3{Y3@^EFL)=AWl9?Z!|bqWO!xtN1`fY@#J>ob#gp~56g?M(+Uwm9e zx`}jG%cFhyIAy$l9_ner^>p+?ug2YA$tlzWxr+jDQ5LiGkg#37JEo+|!eu~?Ir=Sy z8*mwAS>K@rN(mSoo7IEg^k1x5nx;Tz@A2hC#NU!z+}XtPwJg`FZBtaLo6e`Ozs17* z=N(EHDV`qpCA1~~n<%$w3s4A}+l~38&CC5=bx76Ujn4^9zFBM{zlAh#1K1;|*ljL{ z&qh?q^$B2PS;cs*WoTCU{6+9!A*8U-e#$fPu3J}$8IY!qx{$)i`Wxel!wUuWaT!+o zc5}{c?XnWE{^S|)B|unU3(gfdHe+k{6T{;GQQchVM-pt!dc*g?eyvmOi9p!Wd{~wC zH5W?%aY1t@ZE38c#Y*1R`Jfac-FetQ#4P5^^q(%OL*Kpe1*aWEHpg+kDep%QYcfxX z`F^`V%!6gTpW%iZY3wX*wruTMEW9QMw%b^HLYwsbnOo3b1O-fG5cq6cT877%Z4`n{ zoY~l33z$n+cWjauvno8*6iDXxe0KgFW9^D$Bl~&QdXgkx=pNn7#aR{ek6!bW$F<3# zzj_i8dZOh3-!AxN3$ff*$X{2@sw+qIu>SEs%igYNtOcmi=>&n*CC&AbyFXzqcMtX+ z*Io&I)fTne zqE=BOMy#s6_ZBItT51=ywRR$6MG&M)sl9_3F>1ytVkE-z?S0PgxnIw7&VBB4j{CpR z<}3M(>vO%wb$xmkEobE>UlGOiPLB>Z*Zo69=RfYz|2%7$VtBY6u-Gk-&FnW;S#-u( z*A>65aBsf*+=-$THTX4*&?V2BTbC-Av^x|Skhw4#t2_*h@wv!te0xcGx?2;;dkGno zqSK4q_Vs6SWueZ|&( zvbNl73dF#ypk%YUe&{z9i2LC6uxaN{1a-dlE?3<)@?Le7U8Eka;;7WMKd!)(xiX~q z1i+w_TY20GpEXuWV>B@-a56o0PQpLZ`~UO7|NkfHt1RE+NUTKAF9>A^1>D#Dw&wR;w*bY;K!Fc@b~on#cIr@1 zseHMT?!z_nTiuUj*tKdQ7|7-(f0gU9t`XX@Xq7DON_oTIU>_PSA=!D=Cmig(Gaz@g z1zdHP+Q4Lyj1JUKL6}XWSHL3kqjD3kbWEX5(U|QHoW<1ZT-+PLU>3>jjT3jNv_^nO z12mooq(~k^mEV$$J(C5?k88>iB)!uj+=D&G6GrD=hV> z*lD4=A&y;w;RxkZpd(oe|Zp%_;nEEkveMHuG;_~OzKH{CBt}) zb@1i({_xl>ELL(+cI8cE6S#{!l~*bSQJSm0*mdQ6l8@m2v#qYf4JIkyL6*iTEgKW3 zth!(CM1LngT!FryyvB2&^q9y|5lFW;X6Ztt(-8hXX1YJ(kA)MER3mi!ovK&r&cdvB zt*Lj}{sYARA90jB>VPEdu{RmO9m0n31i(l71Dj|kd?oJ+(m9;#Pkfe@yc!4$?(2tquF*AB_An+)U48?up!_o9y_uUmCv}k1V?eiUIo5r7Q-aa#$MP4`W zLPmIb#(EPpDx+om-za9d?pqn2gc_kVu`5ohl3`YDJ(>X2zOvJuxz`|bu$9&ngl%%^ z8|GT8MY~KomWWOZLCDpO5>TNus^KRzfboaC&ojVzIM(H$1sS_pP{yQu!VRXzRr@%! z#ct5_N~1LBy&K$+3KLMN3u|G5P%A0DItE#L*Ol1SxVgwB2@ga>1}>rWeW zh;caeE>-c9qyAD;gCT+~lnA}Qqj)mH*jKGD@;j2h}6AR>ckdi?zjkyuZg=?o^ z*><4lezmw{gGEdxP=UTkj0ewy;NOH~sB%zGAgMghCSG-?D~;!TtlHo1(cUNFN!#$OouN|b@?JsHTI%vheXCzw-}|qZj}xJ-7}a?{Q-c>?XkV&?@?aYJ4 zUth{S#;X@(Pdn4;p1zAr7birOx4d@?!q+&Z5!k%5+=miz*-z$tE=F%i9^hhk*&g2Q zd*$Zi;<(dI;@1Px?Dnr+14yh8MS)@v9X3E!m(s`2o9fBREaaq{jkaMjbw}LJh*x%vKN;_L zM4I5UQuklmcOCi6llhX0y?1{l#=FqejM}vR{7DN%)ql6>h~X-Va3cp$Fk(uf-zv~y z6Mc-dOKU>NgG}tU8EA`9DySH>KF*&$n5F-ym$*0e9U5i@qkWZ(6UeYI64yI4op6;s z?x;glvVS#HmevTt!FN{)Sg7{S&U-yAQZjE>y2LA4}x{2d&Azd`;rK zKk_?K{V|IkCocO=#VO%0Eo9jgnC+fVlUllEBiLV8fUU;F ztuEYI??)piTw7On%x}J~@}!7K{d_Z7F^_xF1o+di;}ErhC6@%_Ts698PLd62)$ zCDsY{D%|71^zem!e>BxBeAN3aE4iL_h7Jm;0WgeUiv-VA)Jyy+{)w`oR56#tjiSIy zjkUm~f0TJrTS|R{i4=P5Cz`XONu&DFHN3-=D`qW8d?i7gv&1R(_oYHJl^)q4SJKqTmUhsKVgPiNy1kMjgzFvZD7Ktb>me>45j% z{w*6e$2AmyZr-iv&3)YL7~BNcM~YG7W|(|eyD`rNzgCf@Z82UqN5~rI{#eO2mj3?-t=du>AMQzH0KX7d{ZeX7%JzWVCdTS~OhBKj9!S8jLW>x$opDIkC&nG300B`+m{;xPq=W6bG4t4qvDp2M;%8w?P z(^sn}57MuVt0Xvnv(VIS`;z2}zJo(NS3%572F;2)eXsLNDW{zsq}lxNYxc?z0!*-~ zkgJe`k|I7LPP+i?;~|O4bt<^A$hzEWLXv`YC{eF`XtXb5U(=t*6SO6T+0EzT24|}i zp8l$}>Tn#V?iL6<734Y!TKWEjp}i>SyLzS5z#YoZM4+rZd7`wQTI0}KmCN^W73Rq& zj9AfV|7g=Q7DGsV`2BZ_i>Bmtb=D-965{Z1?ro0KW?D?1vC_jXa$@8Pju=z!m(`E~ zd&k!_SnCF)RMW1gKZ?mKh)PeZIhVsh3;e+H`Xu@0C*kAGjzMUAd^}%Y5Mat+v@NGa z%p|8h25vtrR*YoM?|FNk4Zo)FwU8zV%>$Mfj5!rGuXnSC{?g(|4u-@bIas^B>HudJ zC{39qh|&hHb>$|#qnu~6=cx5U19{PCs$!%QpfvwhnTv<)apid=DaTJn7~QpDCLyX#nAN^fKx)aUnP-x^yy>j?OA@=a8<- z!^r)yeeKgBu>1OrP=v`BD*~-f{z&=-*~)T(C+kb?{Tum$sXXm$uS_T;2Jl8=$2Wx< zwk=yGj80GH`*q5T-$HldI$y<5Qlli2pJ>%C8p>OF&9BJ zRHmk74Qj3aDEip04+EOjDrzxU=I=Fcifn}~-qtrw3U*mY_)KFGU z_Lw;$)04#j4-u}0JS=27HX_+{kL0_V=(RIJu)NT`Tk!dqz~0kj97^X3|5EP=7-eg_mAo>ZHuP%p zc-ekw3=p<4F_38iAz-P$7@*1NZfMz&+qNZ^6Q1B|<&#}^elwyNO{(AuVT@x|cEpi< z>$t>afZFS?gnI6tKp<@ihA6!3jk5vAoP2vnaCL3-K4#bE>L{>*6W$Jl9`i_A=>QnB zwGM)8M?(+&%1C*h`{?dU(Mmo;@Xa$Tzi=X`O^kJ$%}&3GTt%LTEbq7RyO)oLR4*1{ zXwIvus=^egzb(B6Ux0vIi?JMJKjvfqJ*N(qy!kgzuYuCCs^~FOzP~{pI3hAR z>>oCC`5$HUh5Wytm*^7V{|}oU{EtA@paTH@iKO9!xN`*?xMSPAHnsjH(Fkv0$m3csROoUzI9~EExwLkvJuF$0i zDjw|O28V!~`G}MC7*QwuL%V8!JlcipoKElh%y)qIgn>Yt3Um+c`kNVL_olA03Edj@mV&^M3Fy1FxPOlSt8b&t`2OFGqa_E*?wI*dPhpb7M#D|R6? zXpWuM1Lf65~xelj+eDx=O^sLT9u*9M;^UJ_`5f0AFf;a-Uv7YJ| zfRC;HQD&Uzt&Jt47^8&zF2}K?^P&%$ATNc~*~HH$yU#{P0leEknf`xrRK=PC!SJCN zP;iC@*6}D{Xm;$$lu@bCLz;4&A~OO>{GTK6L12hK24jKl(~O}(pl+aHx6{^qm$@It zdzGH%H7K8po!vV7Bv8Ip{I$|23$>ett?0%<&0u>KPzn-a=jIS-*x{2ryeFM<<5(dG zr8u=Hyp1LV9vu`9Nf4Kztif2jPu88E;;f&4pX%?|)+sHa2}%T`olQh;Zki!ZU@BiW zhU5YsfN==S%UnC}FQe_fY=KMH>j7K=7;V3J{gjWEo0QyHHdo8 zut4>;TD34;mdSh_9;uhjuEhR=7}VNeUzO8{E%Az=t_{Buv!JY*4Vs&#&&PSfo)z#t ziBy?=30t(8wT{mhb%1p~7LtN zRlmz7_Hd)mztn&FsnJH8rICn>sfHq;Dhqrv^|Hs8=Lx3XADR!``|LFFf@0+1)R!MB z>N0xApu3-A%#ql#O?Uzrl#Be5g4t40 zHb>@SKNmd^S_%180C$wO)yJk+YvIto|BTLi2@*?U3CvC0UU31GH}zt8$7Pb4CE(d> zta38F+GUz&w&gfjsFFC%8tcF@-rUdzn0p-?2Y*$$wou+XJtn^#ej8N@Azu1(8tStu zwOf9pHQgnncDI7Nf@gF^1sO(wriM3U9)P)7QRtbyJud4 zHjr{h=lS*U1JHvU>e0%CPaxBGa_cXidU@rid~e<`o_Lxd#PKJ?UA~Z4v}|9pcMt#k zh2Ox}54$@R-hK5wr2fm7Gpd(jCu!c?e$2`nJGr;&IMS7w?h*g`?CGtPVg9w1&XtwS z-OOfegS5WvPN5;y(Bxy4u$F0xU*y0pq`NaMZ@0R_sYJxtxRBP3knWM(5H6xeT^ta2 zER^~{>D5fYqj7nJa34$$y0?*2UVz`#?ow|!l3nUuKR1-v)e+SHE$0OIb#+XTGgZ^t zJwo7~-jMgdH`W(2C=+1Wm*J!0_9QrG$)6>Sq7kwKDLOcLFu}H^ zQ9ZN1p>}jb{?6nVxk$1z)@@x8{D)`#L`6}+_+h)G;5ObkOXtS;f(r+17v$?X@4>^o zt-I@Q>s~wo`4G(6Boyy~gzAouuQru4%~@@JKajE-=;31NaEe|aZ09y#z#4F=?alIx zmM!y3EYyap^H{hU+LhH&*NfuoED$1=J|Aqy|ee()Bk_%>nQI->yP8DQW z#~9?xY^Ut(e(y2Pkt7q)Xs$R=7S{2BDfQ=y-38TkEuEF;QC`a&MKb9!F=ZvPF=bDj z=9acHhtbl$KVOe;w{4ThGwY89As#uMdP`cruGx*~G#J|MwJ7n|GIjueHSVI3P5Q$= zIQ05wFIgRUI*i5`R-}q-06*?)YLb1dzr~TZR*WeKe-53uOY22^{w%GeiP5`|&1!+O zKvuNku8~0wRPd>G^)0h_=caH&Vbl`FZoPw*3`z)|Hg_MIjTsGdX?kU`4Qm!-v*ig2 z4t6Jg8_w&Im|ZCm!I4j$`r*|>?OCd*uC8rA-y>I`UkS>ZFx2V6=Ld+}49xqE_deiw z8#ELWi$hrA*ccQ+54{I#&#@R=Eb5zF$qOU61Q69B!b$!Gh0bs7G}sQmcl{Dhz^^1cNcn$fH|JDpK36I_rR;z$F6q6I`#J zxs}R727T^E&#RX-j9(x^pIC^xB3QH@zSe`1k{;c(eJ~6cN!}9fo$&F72wU@e6#i^FtUm&&G2p zJ3kgslZ1%@wR{I6EIcR*@=P;>e>EV=wYH~uv`2+drvK=nsF3!0p-B(WW|ddsw6CZX z_wMwaW91_U8K?L2Z`1=Tm&|T=KtR>EW7VIkfxGH5y9VRGyFW-2- zhEsoQEU5xzCQ+|J#~eq05na3!-2*a2^%z7?rv(&7G{9vK72LIT@)Q+vnJZUs|H@HP zd1>&eCO7nauLvuq&@|_8a za6!+jiQS$Z3(WcZ*sSgy)zKOa#@h$x52!7Wyi+N68>Ph84eYO*ZzXAw z@!M1>%ck=0+8?vv`Y@-7nsOQxePMLEdw3vb;{+swBzJXuv$EPx_s~Sf`#Jne!?x3C zF^ENIaOX@+RKlVVHII^VH6l3%OS&Hp0Y!}tU|_W+uu9|M{2i{KCAlsic*w9rgTMM^ zG$Q^b;_|Q8TO|pvv)f($6vo#2ZB}#*cPETA(Bgcjug=feQtE_K=q^{ruH8eZZgS7d zJTr4c-*z;xMu%%YW>}KkkoJ(~7u8CFZhU0NqZI?GM#>5p&dcJ9f$tp&1I8XONfAL9 z?7q!Un{?QiJJ+$GtcJsh5G>C=`Dx|L9MO@0y$y3rMqTB-qP{`=;-c+?W~&bv`(Q<; z>(RqBg+TU^l%CFR5n&-3e6Ygqx0CA7b$zAEOi$U_zxG_3e@(;vYLL}lDc-7ltpj;m zm|v|*=qQi;ab;{Hym)`b0|8ql`fm((O_-1~eM*X{2MidL{mZtT7&Q%WD!Ycn^?@u1 z-gv9+%26C}w*DO8IpVKi794Cfs(LTB04i`=H@!Smlq0b-(ScliVq|gMu0zido~ekL zRD+*E@STgnLaKr^EutjB@XI_d6L;3fJ+dS+yf$JBuWxLk34QP}`?J;_CHc|x53$}x zpba-ld!jp#Uy$0HmusU>p0*uQu1A&H#&wBdp}+DR4-V<56-GRa+_!&pgW#6Ku%Y{I z-5F$E+vgule?7wDea1U_G`s7HVPGd*W9a5Gq9SiZThWNN7HYirmh*!iMb~9vT)L_F z&*G=pWq*?Fhy3TdvA*~RnoHPF`xv26x=3>R`BBMj7Qy9${3?%CpUuXE;V}VTp+|g? zTv>N?*8P;Y^goXrE@&hSnF;mES1mk8(wn=Ok@6f3e-(9+tn$A5-^EG#;zTdJi!`zV zYAQ9klpEs&h?PwZ^wo?h228j~v{ham_2t}pTJ2-nKu|U*6$%y5;_zPzC|s`S8Grb7 zI;dr8jU?AT(^?{`VYRi%?cODyr9Ak{)xIFeM&jJz+h;x^$o*d#tv}H{^Jxo);X7?r zX4qI4=J8t@lng2YOnIS2~YK9mM~MZCN1P^|O$B~zd% z*c1II$H7B4SeuCqQl~YF%5RB^U5e{`zUB8}xuT`k?Sb?C+An-m*aB=)cZ9T6kSP)# z1;fn0#%Vnnt$j#(UKFs4vnmSQY)g;hNNYqoASChL(z=2;>cfR6Pp6+C_jd*M|458q#cJf*9=zO&x4v-@N*U5tB8X=zpcShlC0>8gK4psck%wS z2sr3rRrk?o(8A$tr{K=PuLKsd=xNZky~wNU_cXj>t|7=C>Z@a6yJ?@zEG8mivK|~| zE{pUDBtT)48X1x)i8mN3v*({6o)+cI2T6C@ zb|!xO_yeeRR^W(AN=@Z6!FUht>U<{r_@S(#p&^zp!FlyX@C&8s2@7y+ZE^KT@eb?d z39#;*v5k7z0$AaVS|Rheb3VvPEHw=i-p7>n2W6u)_2JXfmZzlW_Hv|ixO`mEbqCUv z%T|(Lmz5HVzOP=;9OQHhqOoe@1lvTytMnBOQzX(8QtwPVjV&)AYQ5ujY_^#|mv$|U zOuefLRU3!WY76K)p4kz6hQ8tT!Y1HI&;snKn;HV^s;+EjihG95b6<_v@p?<+3v7A4Y+^!u~!y!sSD}eY*CZjz$7r}SnQ)$5f6v8s>4U8}xMa}_Wuoj_*e?S0Hzi7E0<0Ex}lxX-Z zbvXp^>5je$8Zrn9YA`+VNI>9uhU$wK7aPq?zU|2IjT4I#?Vs4k%&s@f!&_Dgzwa#b z+7Nt0-&8uU+TyJ{Co1?(IcAieHW;d=Kd7}eUtMlAn;jq0t~U(x0o}vdn!G*7Owvha z9xBVZ?GWsigE%5PEJ@pD2f-Q=bU3TcR8bKFOO#!;nHF_0Xe?2T>3tM2odfjU0$8OV zqNZFbl0GvglhW>)zST&%DceQE-fct|wQI>yak})vN+GPy(L_fF>t(E;wgkkoN(mot z?c@b7Zzq#haq2-_@%}QZR>-H?dAj~;$I8A#^F&hzfK9@(u%6*REps2$&WOTfB3m+B# zrU_%|fKOT;NI#x0`}N5a`g9iOBre$&fbN_>Q+Q5%nTZv3&)V&Lu&#p@!5u;G=v)Fx zRP%y&0_Q_?W@e^!mPX=ZLlwIrmGkw>An&1m59>(*9WJs@##5|)J*;@SkR{mELIXml z`yhI#HOj;5!^)KOwvCB?@?oYIaV{pW>WM5z+MprrP|y)hg7yCTkZcxT;auII@!8Dl3P=RwzqNyeF{WpJGJw?Lw%+ZKY>bFq zhat2u$u)gsC#t4`KF!&*q1n3lhDIHPLmykRYTBB+>C@CF2}12!j_D)E1%U)&)OhVm z?^FEFBb{d^LCKx|Zi$CiIIq}L#BMnUj@N?fcjfS#!OsmIYTT*!2p<1M zaw->xmtXd9jI7$+Fw|7mtMd9B~W-(mA-Qdx7S%pVses-Hw<;zeoiP$j#TM*=$3LW%fCj! zd*!8$x&dNi`&ZnS^#q@3P*AyjTPw~;YEi1B1jY8|fh>+2xx`KBfy^7mw>=Ga zhlb;8ZIC~0dmMF@8#c?7at%9@TEs*-P1sL`I@CQ*t2|vkL@~KXslp5OEktfQ98wVj zcM4v{(SM2gbO06e0esw`Z?9@q!LLBvwrRBIUCTEUu38Rk#w=HQcrPDHBBc5h`79~l zRxbSpJ4-%0qWw4Pq70XCBmCFz8t2Q9!#a-^4BDQ%nZ`{RK))zCe66Z-Kw#x~+)bP) zdRh86HgcWdmV<*em&YLQ3hjU3@@bc%IIlfpv$Nf|6sKe@~%`H-gD zZ%6;ijYzzzc?%P~Ab5?9uI|#=t zzWsd5b9h;_d@tBtJt`mS1LX3_fU^xQ4C(C*~D>11WN2Bhl`==1T%XQS2x06vQKCrfdfp6yVq+<2XV z^CGlDmVH#9T~eLvzi$!v&sf6rGu4tTHha~NeSNDHz#$)jGR}nJ;$q4DKbe?Ph;?;! zok67Nf`WpsSkZfq4;tIfGE{zu7DF2DAJQ?(W9^?ro*8?Y=cgs(r3=EB$HQJ*8#s>n z<7?d0q*tYCX6nCh9&8h>mf#GX^`MJ5;od58frMY(m5atqYY5q^e;P93beJGf`FvY2 z*tchtZMh@SS}`Skgg+`AjqWlaT_H9gW^47bN=VXvMxY@haW5=u(6IePah%{{(0o|G z*OcG94s~PambR%LEDIh>oI8S@!=^GUkGSo+9`63A{T|mu*ENv+&Y*(uNs{j!WtF(w zkubay+l;`b#4wLP?nz6CyNQDqe+Gq{&db1k4o<@POvDvP)62ULy4504?eiUz$>M7m z1=BRCCjpbNh*^M(yO$)oCn6G%w1MI&_VG(8`=Nv@6s7A9(Xz55;Us%XshN5 z2oNgw@87qt{^reR1dp{p)hu24M?MmXTn(AE=@J~WRuh*|Yvy>`b>!Y*cE z#B7|t)6(K}D&)M$4=eD65(Wqh#M|*&2YtjVHw6@vXqI(BzN(^MO^xk%*MrW(rSY?l zqpIE5rL$YNRwgQqgD8#-fd?yyc>~Xdp!)!mIq#>QQ6B%wL-J91#wfDL!?ov*2blI* zec(aYR?Eo#TvI_;tGfr9O2^ds-hc69;-9IQbiZE$z^AW_VYQoSX=8I+pcjZ|p2E(wnNGAtATLs$k#df=|-j1~FXA zR0hCAQ}~6n-!6-kepd~Scz~=K#3bZ zyHz-gnpFec>V3iDM*_|Jku*F6-v#!W__W8iCF^Cymkk4VC|b0RM6sRZpzK!cXL8^g zFeub}kG0a8X9zCnn1IJ~NHWx@ym>sovf2PHZDgH!A?0D)3L6Jg;hM*qL`%`Y>@I_8 z#VE18mD3BH=ex(GGZz9qY;s0=nFU!zldg$s?}KAD~C` z*e?2}WkaC>zH?G=<`p0m-6|Nrag}iRrHhl~_hrX(Pr{yEA^L4GLasw}GXB zF6vK9%M=PziUte&j9eIcy7b^`9Us==1U~*7&62G98})nMln5rgZ(J8DTt{2M1h`w5 zUntr6*4s8N0z{a$M#6uisw4J>wX1>I&!2L93I|O@2GZjS@a2o_0sztX5zH^#o z+pk*gSCrhAlFyR*Sla4b;Ie=fka-q!Sr`GUB2zOqzf$ANA(-36COk{;-(S9VN$3)O z-E%Bc<~vexZoSN{a;%t>?ssx|t|5DezWFyjk$cBkbUm=osV5Q|`GRT;p_@$gNtu7a zRC)Mw)UZEa4GM`O*XgW7^fPNqVm>D7fk>j_Qj?=tlDOR^W<*wzedU8JqZ>s5;*s=u zuzWtCe`||$y~{yCW%Y}sdP?<&h8btbT^K}jzcu81`F?WD+}E}9+F1wgN<0Nls6&1C%=okXq-RKvgAb5Tb1RlvD8fFko?6J0MX zdc6|+9zCMYtCUl89f9IaW8#wIY31YNR}(hb&My3lpqGdD1kO<-e=CD+jc?>`U%&g* zKc?n+;K`6q!Jt5jR)raXgXv8)SI~RYeF>{!|52=0;(WQvk+bI#G`ezmu=QLlmz3TO zwxB>{16Six5EGvIVSd`%{;->MclKEM)MJawcaep$-@d@=qAF~*Ht*~aJ6oK`H5sfj zpLg{1B+CTsCa$gfS zuRF9@DGW*E^M!{ro}c)wan$1-I~Lpj$cG(BZG3sp<7MQdsrg%xIGnXT$@B>Voy2me zkA5g>uXhH|Eq&d%$0D=JnkL~DpOtaTOy($LVsD0y^J5CK9!BQ`vegbtgqxXZ8{Ad& z^Xq>Oe`%~^ME%8+3RQZ~CaG(dpIOlQBaW=8KFs2=%+UbZm2uyfzpy-QCR+0C+wua^ z(Rq#Y3ttHiS4T}tQ}aKEQNDm?J&6t6`=EZ;APWA+0^6>Mz=Oq1;s__ITv}`e;Ar8{Psb( zrw#;mapAuV7s;QO}#zeO9!Wx>ZI;UMk0hM1hUk^ zQVz)SUue+Xsjv`?&4lFsY7@7&nlAS^0A(?5#MiJ03c$)&MwA2~niwfCn$4X=epD+8 zIvI-b?s%YYHd|`%8m-qwj*?m%3~h`S>+WcezgmLTDqh!u2-!FR!bC@!$Gqya)&f&R z1taIjIT!4zD+6eM@4ZR_iM~BrHquS2G49r8YyUcFxua#o3?d-N*UQz|)uhvnnHJe{ z(`A~PU;b`?p?XzMoJa*sKt~^&LdLK z%Qs@jxjgCyCI_Y*=-Ttlkem-083(_wHil;glsm1rm{qRpGz@fruKQD9$e&?`x9p39 zRy;$meA=UqDVD$N_S62fu;-&C(-E^SeaA)CwW!HNt#YHZPh$s=0Zc(+dY~8wa`%E& zL5Gs&gaDvfbyd&tN^tVZzM56x0>C=^dQ{XHk+cPQW4Iy8r zrKJ@vH*#`v`d_Sm0e`nFaM2j+V~x)KapwK|nB?A1*HngK{Obn$@WP9WW}~{?Gb5S5 z`fo}hi_* z4=K6w*azF(Y01>vS<=69tL+GF8YjtWp2q17t!ttVdDYqXW5ENa_8NeS0GxkasP=~U zY2s?%@Pxb-%>ya`tZ_TUJLY9&{T)apHQra2X|A>1YUZ~n zw0JBUtoJ9a?#6I^8~-1FIabf#bX{D0QnOMYY2`bnb(v%2+0#Jz+s(oXs_klQKZ6`2 zj)nA>gdT6~dO|~`|Gg1;ltH#G!@kf2RsB}bQ_l0p!AQX^x2EvEoMAl29R9yxTJ{qC z#RI3>^-RslH?$F(n=n~wnFR>qe=Hs2-yEMC$!DwIym>Q{cX&XhlIZw&dG|XwKd>EZ zCjXkhGuL}{Ptlw_`Mtg<&_MQIV^jZwrU3lXmEgU(Atzi&s=DHA{CESc$Ibjt{HuTe zNdNUK*La#W=aL!XtYHD%gjgA&_%9gZzx~DDY?@P0wvWkO$HEeSH^LXD0n$OOL>c{Y z*6H8h8+@AS`rcS}on!QI_SE0s`*`BinL}LHd(gjV{2mqpU-$H!mB(LO;&^fG)bbr* z**I$y|CjfA{C5cvp!nbk?U_TdyTWPzqJ8s19B^ZJdAwpemJj;xV}G6x__|O0MvrMs z{cAviYtL2>JF&q3{pTs&GrnRMl1m#0z9YRff1R=AU6T#g)&k#UwSM; zZ~v25Q^J2<-=kce@o@OJ$uFikAwta^@LD$v-)?{x#7tZ}`S)-7zj?K>d&Twa*|QRQ zREvEIg(weLZifm|$7=u*>!Abgd0l-yDJvp^o>xF%5L#YQkylqYUi3aID=R2!fR^#j zV334_1f%t}r+);u2;2jBrJ1!QNPkQ<;N*x;s$R`SE_}m=KSqzLeaBcyQJdJ|cN12+ z%v9XG%RkQ9sNj*vBN^G-Sv3EX5&8cYfAF0+4L=jC)~WVJZp= zZ+!jz@rX0$&JDKeDvL`<81@egtl|oT#hmc(E`9N?{@VD`&aTLDq_nZ|oIDV)4QP#x zjjeuKc^nST*3<-CKA`G^6dZjA5)kV}eMsu6@blOZ`7zC-3oSf<4@UosSK03wJ|^lb zn?7+v&y5|#J-H%PZ$i$|uE_FauQ9vM&dd9|-NH{W}?85J@@Obvp2EDz7 z>~lqx6Q9j=LK%;>Kh%|8M_^HPL||@J)YKAyuJXKh@Am4819Sc*Cr6PM3essLjE@^b zqGVkUI4H?|-#V9>Q>xSX?{-|5~YPx)PtwjP*I>4LuA*K>oNwK3Oj zJVD&#wi@#uMfpcb=qF^LccLYCh&)fU;x1p~6bb|1l>*#fqiDCBKkb+@GDN-Pn10t< zBz!rLUJ|jd1VpmyQc#MzHv){HYl5VS|7JLqmEn5jK24`bYY(nU=yhOp1Ag;NuL4LP z0YOIMW9;>SVMOwW+}k!Wuf#b4N@|t7o%8}>UkP=M{qyHf)hfNuwN;RhVLiXr9UJ>{ zw9~VM?FF1iUf4~b;J+y~@8Sbcw52tEVxaHw3(GgnJH-d=%PHjmZfsUhXE*OMA^I^V#*mQr^ zE;L#`qa)$I7wcw($*IksWwE$j>BZ9}0alIJ6rDZke$PB-WvuR-v&=Dr_3Ov-41dd5 zlPZSRY~L7wsuSmpuNyPOJX2C4GPHMeSWVP=bzhbG6=R^Ec&5@ZKuVYSte^X3Sx1$AuqAC^C0uB340`=SJE8Dp+8i+(xmWGucPV zD{+cG zliYx&(()pds|O$|DrQ{V%rm9kywH+_2c=g0Df`A&f1rRk##vJrYV0|-)n9WY;k|A` z8;bn|EpR07-|{$Ou%T+=cUf9vJ^`X9W9Xoct zZpG7(Jdd>^w)Ye#r$9*T$%L&cg{nyL*5Zu8X2j+^H95i^Ry0v#i`hAs2&J1p+7gg? zBRwC1K@oJupdC-CP9xh};hX!BM>c4{>dpCaGADn;#6mzf6D|ui3<}(JvnXtgX}DyP zN9+{dru=EOmLRAZWxo;Ne)5=cOqwP*ICusCbPL-7m$}sbKuz5ac>`X=AN1yd3qSTE z+sudEcDG}fdZeAM)QU0}wb$enn84{?M2Qf~hDR+N0AmX(NRVbOe_vPyJ>68CjNhJ+ zmR?!oy2g1&U*_QCiP{aXC6De$7>5ri*%K$+Cp?Zk$O1wo zfPreOXNk#a$i@e!`?yAZ7cZahCg0-;6fRKSRyuQ6Od8yUeJRVqS^bz|mB%ip7ItUM zRiP&bcik()Me?6cCXdSu+b!xNbf#BNT;X9&9$~kbnVsA5nREw=93q>>Py?A(aeDh= zubOp_8GobJ>W2NE?w7ZEmY$V?+L3F z(5~dU4HzM2`Ofm@`--fD1`DLCZ&X?RrsJ?jwVS_c^jbr3!B5%oQ^(1UfHNBT+R3lE zg_0h%*_LYbEmkR-U1Hki90S7xByjLQpm?s(exNUfv96_R$|ZFEw3I1km9ws731NQ# zNxfZ6oj9DCz4edE0zR06&-DJ^vVZ~A`oGr%{3r|aLjniM{^sa{8)g=n^Sc2@TZuKV38?^6mlphjZZcCA36?}+y!v zpRTz52iB6c#@*@Ch5=diT{ZnPuSPez(DBu72_GF2^>b!twy%2vI-*AuD(72o!a7E2 zTtCH;^S>k&gF36_F89_ab!c#28G^y zl_BfwJpW`A5bIPX(1!g9-l~sZRC{vxW;UOfH4BgfIJM#DLaEfcx&x?<)VMrt^w{?c zq6?~#3|37S)>UV41O-qFXg7vU`bjGK!~J0cDIjNcU*bSUV8WASi?LZuSwD6_W_F-T zwcG&~i@f2&j_vgb*qy*OIWupv01g5=s$=6CM(Xs$l?T+b<0}l0Orn9>sSBd|X6t}c z>1d_JSI_>7z|j=1M5RmQ9vL0`&RgcTbMOA;(T0MupC36O-=xxZ`PxuOS!a#@<1s(M zSOkD~69Q2%FmmBn>}UMU#&i=;WdZ;?d>u|GClcdSjKW%TUHu2I~k}EXR9Ay1w~l+54!mLvx|g2KT&l;FPStU&gxf=;dp@)e$3A`p8aE*cRogS$oSm zv{w$}HS^+W$ciya70BWQuPlrgX@<2lFEYh!dAJv=eOIHHJlZO6n>YAp=KH+=*L;6N z3#F9Y7^(>A9w;h$TundLK=}dEHU+=hT3ii?`Dg*&8^Q-2dB^=e=2X zrc8)Q?ahWgOCF#5GQI;c@y`Wod@*VBd@N9ja=*2laW#R~CqwvqnBTm?x3^ZCvzVBU zDFzp2lqN~c86Rq$H)YYvXW5v(<&an>d#6@^&U)wQ+F9KPbvSjNn;6Fu?_qQuo9d zVE>1?_Y7-t+q#Cg1yN8?6p^k1A|RkBARQG^dQ0dKktT#5IwS~+h%^BK>AfX{PUxVb z^w1$d=tvDc^ibZL{hqV;exGx`=M?<$`77o!ab>M_uQlhGV~klKT7Y;YanOLRjDAa9 z-86Jh$~1N0xFEjLvo9rco;|yyG(%md{{DXCd<>8ase?=y-{&ma^jX$EE8)hZ>w?vF zu_s5{5^dihf+GILe19BTgN>orm{tQ9I9=Hlyqcw&Pf^3bTcH=%St5dz&ZgK$X853G zH6~>n*PokZ?1;;5=ok-|(SwsE!E;&?S{oVPaskp?pokS{SdhFpn4-BaJ=9k=P31Tq$QQU5=7(k=2OsK$YI>&ZDI*(^S&o zt03~lcH}wjfB3Q764t;{N;S7{Xr5>qyk9)4AOKk zu2gp9xgWd*mO8L~{46E=)FV}uduFusuGt9Z_ za=^`U5D`(;5)dpu&(AO1gC3we=51LZZ5o5RB=y4B3D*pfEIL+=}M zPH zMN+P=Hokve!Kw}HI}zF0Ni&!c7 z-rJZ-Sx)f`?wo2bJhuqIMpo>d%R(+8kyWxhfO4l=R;g13J?gT*uZ;w_@x5Qm(&{G> z=#vgMX2XYPGC3CSZV}fv!$UQeKAJ8|%su$ciZ6FY*)ETg!*bzpU_tjYMnM1vzfKPw zjrb6DGFC+Sco15W#o3E{65d-mJ{H{TgvCWP1e{DJ>9RZmKPd*{11Ce+Rx&ml`+TB` zW5_^dI2|5du6u84S#$->p7CO|R76PijO=Mn&}ZF3#!Cs{8!rfN1-~Hc!DF}|SS;T* z^t87@iAZYpN-jk`1G?qo*A&EjSBj|fr=QmN)^tMcfvzYuLslYcx$_hGQj|J+!f_YK zc!6j_v)4IY>FG=2V@_u9YQK)g4P&-#d`>$2Hpl>H`^}YJ)bzvl14=tgkjRq#o=XE$ zhiKn#o8HXeh$uAFa=tW}V0mA{rank$rcHT%t*R||A64&?yEFaPc6d1sI@Ri5`pVmx z)Zw&&6|eS0Qp**MJ%=p-j105d-1u2b@Z0tpXTx~DjaBNL?g|;+ZI7EuU|CHg^VAQk z|BU{PgL~c7OX$(vpe6^|N*Xb9l;LE!9ww2EUB-bDr;mxO#=JgK0=PCU7B{DzI1w=} zOFKB2;d?ItdNxfIFM8)rYg}_{YY(^5Ao-V8GDk=6!mut;IZ$39ici#h8rwA!XYW*D z$Xlq%Sz>5%+CAvrWHo)m{A7K(sI2oVTZw&*eF;Ke3#&pcfPcuwlCq@H6tl?0Bl36H zx5qn6Q(7iJ-y)#o-MCjw<19#?SOS`I~ZA5R8sBGa)*n@-tb4iww|Hxt%2<9`fRto zz3fa=Vn~b0c25gOp)q-^2C_bSP8o+hFN)-~&UJF0n7Dpz!3urP=7I@otMbLB zbv-DkA!YCK;Xc~F?o0v*Y^jnK@3GGYe9utesY07My)cYdtVt$^MFg^CV==dESt1r$ zBRE{w`{-_2#)f5ES;&0UmFX6r$_A7T8eKN_3JvY?iCh0EiZ0?C%<**($DqU1G-l+j zwr;3bSL9Qi++w;Xck+o|iykpUn;*S}cxsXSlhgL&BERAF;lrH(ph|#Sz9eK)v2bW& zQ#~4T;dl^el0CpgMc0um(!mcdT(}^pb&H+75db?|iI?ZJQTs^Cubh`zBtuDp8zn$S zWkU1Q)EuCD7_iZrZk~{@od$!Iu$1!!uvacVSR3y1(a~`)?>nb(0@CN^$BWMdy?8&3 zz!t9gvr5SO++@R|WeuH7(O)5eu~eeOb@u)tg&iF|K+=!xHbCJTC&;IxXZnImQu3UJ zX6aZYxMc;$JA|wQ$3^KY%Jg#xr7g}oJp zG;n5(*_gyFo20k0E|Hhf-1<24{9FyM%j#Z;M=2%EwMaL=@4A_D$E!_AU%q5#eKV1m zCS~^jGOxo2Rlq72&YioLr}TR+%^;g(>R4R9+Po!Y2Otxax-uZmfd_Or*fVfCFAvu} zmkR;b&`m;WcqW`vtEyBxArVo12kzuuo=)*?m+VZ;Ot9#Qui){KdE%o`wds$@S?B|B zv=*3FXfX3|Cl81lD=I3F;I03`w#Ey=f?_KYqoUkKKw^BlriLo4Qp8EG-94$+nvzs* zyt}Iw_TuFE#(FK+bsO&ZY)syh_cgPSIZy&cezXxQbY?;Q* zdg-)?a}M&c3(1g8d7zs%ZRzgv)Fsu85T(y=9FKP+kJ<7ACAoK6Lx6XfKj!qa@USp; zHn!AvJeCO*UC6=;OK-VUQ!_ILgWwD7V-xc)m-HPUv@ht1aa#>4df+Y$JMfOik83Gg z=i|}3YXw*J#m$x=dRaPTZ_pP}yqHsw(3v+dtE|Sho#+prpvjH1k?mw=mlP z!SZz*bT5=U;c|6=o+hEdASx?#YSA+17UH(wa=ky`qg1}o)y?lYowo`cD(jdPNNX*q(u zLKx-||LM7`V;;WscQ1hdS=|XzN#gb$+)h~Jhu@^_3JMAmOdS8>eJTt|cK%RNqxVfv zWNa*tsVUg#p>dq?KE+QnkS~gq;FUW(U4xBn;c#g$VYGek{W}lZ`rqY2pM$adBM+L) z{|_E?GwJh{_P!6!YO?~+*Tidbu^@hc%EtijeJBpT6H)FJ zqQ;iKPY=fu=b1P3wWM~+vOcbkmSj_4rcBeP8yG#k;n#G*%Zv9jHh9Nzmvk!`2dpsE(a~%3RcbPcrtqTTiXlURIjQu|8afj&Q+}+%c zDx)HwA|uT<=N`m;8QCCk0N`frBT%NY170t{1kcaI4wP&xx~pT?SzIt#&6vy-KwSEC z({?0hxU>>cc@&iZ_A7JkFgqOIYF`cOC1%m*fLi*T#jq~K7(E0PH~x3|$qZ4V67TB2 zH@1@HH81PF#-!y-SA;MbT@D^z5FSl1nQ0lOmSGac_ z`PTDSj^_K_S<*J8H!hnTY4;H}8Ak&c8xpNad<=;0pP9BsY|VO*o%U@(^Y7gPl1}|i zTL@Z70+5B(d-UgPc%6MldE+=G-Wl96lsp)eFfd(Yp?@$gD>qPLxM^#^fo#qL@Y}hrLne#f?2xhw z@Il^ce*wk7%A^OUt6w+-k&}XSC_z=?nry#E{5Qq+KlwLyg8-`uJ&7uM=S*<*#}?-2 z-zDn%zJWP7w8BI${B!c}5ZD(AUeP3b!&p&$IQGQ7WB^F=cF~}zQExgW@oapBhr2wm zJJwmBF=l;PAQ2B1Up1R4f|s0NE>Zs*`Pc6mSljRz7Fr4&XGxgY{vvu16*295{H(lq_=@kjLk#0M+&P$RQMvDuG^a#(Swmv>a?i zvK)YMS+CK%JE$0n>nP+mLGV?>irG;BmvU%kDOi71;l}TB_~O_So|xd*(C(cquSL$I zi<|X28(ZB%w>_V#ItXlp0VGsA-x$n5*Vm__OD)0nE+YD1`Wc z4|9AT88;oBwQn23A2uYA?Nd3tZtM1Lur_@z z@%gI9_5k8nxVKo!Y?I8*Ds|7I(D2bfr};fT?uQOC2im*UhVX%F&_-hmx!$eq_MvCK z<|=7ZCTWc+B>rBWJ<$q2elY{XD(g?12#VIZu8GG*km{nJ(Rx1tonhMD_8lqRj}bAq zrMy-gHxxFAr_OmbhU4m60MtfwFPENR%a~Wm%&B?-)qb+fubE6Wse_dp*Nl@}l z;m&M!tSMG2Ph>FVYkf0CA+{R)WAsZ~DzL4O_r!EOIIUkSjWif+A034pu5)l?=5`r% zk413pu)iDkdckWvgp_*_6xFV8l2)c#;i zIp@U~>fjGuBQDhE&QkRuF_Chz4q<6lqsio9(A_&;4I*H4sZ$i9OPpQ(=p;JF7%8Wd zO}yxAeFo54(V!RU7>0E`q)vpnU4Ik?BpySpZ%Pa-+sL1Om$xc?G%PyjA;RfoP^-M8@tEb7c0V-Rlh>EY6r|GCjT!H5;$A0u#WIEvIItrCD46P(I#KD zV&O`_eoIeT_{sAi5pzxa;s1=T{-ZG{sRHTpWzRWJlcVCQcRi0?PL7O#7i7ql^&{u; z47R<`T(+~$j~}>pJQ(xO_`RzPsx$a>>rP39Nl~mBlZjA4{iR1$eSq5Nc|_ zU$Yz_fF~;yA&i|lmKnj{XYb;xo+Fy^24VacnY71z0G1A3P9-ZH4Swv45{KBx`4PSH8#$`yG$hJIu}k6olU%?{kWY={2_yu3m)M+lMA4T~{MzR}T#hrDbJ3 zALRr%kn#!&P&b;4OVVSGGHS|yXxoH3!sLjfSM#kbw>EGAou zr8hmvBzCJ1u9D28$RCfmpm zayGAIXDS$22UWRm?SvJ;(RBw2n0u2$z5*+Ef#vH3Gqdca$Ji2=3&$i21eP;0Tjk2h zom(1I4hwcpxpx}c@(Z7%TJLc2{IOU$*1&&s7rC*3 zON6<&n$E8;;Y-`+&^(FKGJ)_Cj@aW9syU0Q$bix$QG= z8%sj?BERI{j-p#y8s~}{CM8tucYq6Fi=})s1*wx{+${<}J5lu?{4y8m?hUQ4J4_O6 z>u{67QpQ`lol>{;C&C+I>6m+MZ-0eUHVAVMKx}(^`Y!MGG8`+O6je{!F@Ziy$d1hg zYiV)n=;)}ctKT#=HJvs%O->#Qb_cI$3DVN=-MRB%=JP3Muk#EKp4(;02iVW(~ZoweGA^tv0HV;BvVY{<(?cJVHGZh2yN}*b;r+tqMgzm zrh@bGx4CHNjcki9Pd{40o$w91b<+C;#r zZej89)|xXViIL&q#%JKqLRhTNZ1>b;Wo6y^3IYBUG2}Zfw8e`#&1waK!QdvKfuHGu zcIxiW>raRLBZ8C&ctef8*uaMA+?_4J6I7+ z==>-b&R%63_m-hIq9v%g#UfUyC1Hb*{w-^E0hvt%93qcyubB*iXMALkh+^Sz;E34#d4O7UF+KP@iL=nG^OQrrz;W*fJ+cldJl-Lhek zrbAa(j99A?L^V-Tz;5rM|2$6RBBS-Df)6%>TLb0pC7-TdDW2cnRAzwhxlN4E zrBg%J+sP_yo%-$|o|q+Ud7L{tXH1n%@g?X@ZOw@r^~7`cwxZ~JEqGc!JOu{koXgIx z@^QaX=y~&p_Vn9ZuS=`~^0+@SNtwj0OPN)?ZMfCsJBlC(`O?1|;)Y7Bi}^TxDwbwy^GTh9C-%2gcl}yD&3R zr3fH%H=EiO1sh^XY}eVpolRur^nb!B=L9Za7}yS9EdU{TTH;xz7a5aA11ulg$;2hh zjE{2|b@~HOE(rXoyh>P*vrHxDK>YSyZUY>y_d{k>h}!DzNq>1JZo`q9uRFt zaS0}dh$OG*cLG@`bb<2RdT&hLw2qlFr@-<20fcGn0^YxWrH*N%C_virU`wO}FR>^o zTAh8`+t=3|BM4=><#)}flSSw1*Fhx6TM$@?7*0&DA z*G5j$eJ0E-+A^e75htmC3}-dwoXp|ggL)nKwBFfSVLkk)aCneJm6PpMw3*fnqqKRY z&O0bNV?mi4WuKWaVHa4EH*|KQ#u>jj&CsVksZ~36U1SD>XSZ0toe9m_0n7HzZ?U+l zIt#i(kZ|Ji0qT6h12repNtaQ^8{e<9NsEsRVGbu>xWB8)w@WV2^xe;2YOmZ-5qLFm znr-0~WjP_DM9bP@IZtRIT{cZ@SCT3Qp4&EXSU~h(^gwXAqMt`L4bHeMdqP7bmu#cXheBC)AMbt_G0YR)3KoR4h*3j~t7c-UtMqVg zGkTRlPQzGio?&^Z60H~Y3?he!uN_&PR-S}ajc>ikGVcq^bjqPvG4#YS(g@oX3;tY* ziLTHwtR$VxzT>j@<792c9!s=qv+49u)hUm_>&{+&lOyn-4AGLyXZ)G%0$H>mGb0Bi zTC+x7>Op{FxH%zJJAQGZ1kVetMQBKREK!ke6iE?>d}S}fjlx%_&rk&2T@I%Vb`qKD z(<+TIdL=j>Ew$Ht_NhvEI0Bw2grNd$6_5LE{hZ7^d_^^UuV27YV;bw1G&@MbX8S9vN&UcM+O4K5=IOGkNQK$v%|Vf&CZ(< zTAxpVpsfc^3tXJSjJsgisc(;`T-x`Z$+n5M9jN*NHkw-DM8A5O7E|hd19CR>sT2}t zG}s?)O%VLDomROz6=kw#ktrlnA2VrQ#hQzlmy5!sAoC73Au7=T2fez|k~?W=`EzKl zGhy}8ee;JG_L1ipaNB{Za=d??OE71|k zsA=698>U_GK{O!AWytFO8e1G8Co*Y|2iI1)xK^giyL>AIB~w%V62B^RWYE#fwR#lT3X zI;!okCDFhzV86n8k+e-tcp|@6TZ^!VR$*CRvZ6u~cLJvk zN%?6x+uv4@Jw!&An-k;;@vGuMTw~CM$qjpMtcM;SAGr7)G(N79P!66aSV1Nk^6Vet znc-54)mH&BrW$Tyu6Lz{sdXz>E!vH+)*gr)1BZ#Pniv=jv^0#KUy~#?Xv8HbgP$MF zj(UAeyVPycV?Q&SXKsn*H>^^Sr=)7G@>PlcszbW~Zm&!!R?VZ0f1n?nII4P2>q4KV zR@0hFVw419iFvfJ2DthNN8j}Zx)x2pCWg-phQ4{3* zy^}*zkk?RK@W~8GPMR>r8p&*UiL=v^7O~c=9sGBe;`JE)yMpfR>*jR#N`f#O73(%{p)y_8QQWBGxbIujUaWL%x7{3W!0Hj%#mX>k3 zbxF@H5Z>bUJG7!_D@~i!xmw#IC;7_zf6iTIUH)W&%}kV&GfV)yJ>|mpJrFvaJW{*; zS(c+XahVYK#sbW&qmSV^zF0>y8+tEzYjukbY_uIX%KxC<0;`s{ z3HI+6wha|t-bIbXmmae;4Q-8Szh8MzzkIMV#Ryu6C^g&*p2E1BUob&~O z+yz>L12{S0bA%@_%qrucl< zl05iK{}=>4FSe#HP^szp4@5`LY={DNig5FeE0nVLu$y*e1r#fEMM?rWT85MVigW;uRE-+QUZ_G zh(oS<_0fZ00~ZUYQ8?@YkViN@7qa*cI!Zc4at|KPOnVU!7Dl;y9^-c= zVVT+?);gR1ic%iltucq>FsrpV9@7DG6$Kspg!1^r2(#1Wqa8$W#7n)E(q^N?gr0Z7 z$h-RLAKCa1cdWP?o9rH{lZBE8CS*7CkdQ#C|5j#Gu))m0E})9I((7K^8@+;3z+NvN z)EqZ49UkCChD61Q;5S=XFpKtky8Qz)=Eso(dylYO=Y zKnzq%FG@zH7siX)8itENB#AjSTerl5emB-5drTJ)Ug9=c4>|K}OB^OWwvJKV8!_(|ioH@+kXS5M_S zjWR-D1O^q6g~hM?o>Lg;#LpVv)wTN6HzsplegUOXvE?>OO4WNi1?zQ^qv)OR7S!xZL2^T`mc*GQZ0*mLFwwK9WucS z)F`;-*}j;}Tsd@R?$?@ZH}1y4hue%a^x2uTjI=2Y1HRxO-&VM#1Sy02u!0fVI{^0K zYitd>HYt&=ySHL=l-a4#+T-!^Ys9Bu3Y(!G5wJEUZxx}%>n?p*ufc=?lnagDWsWct z&o?JGBt1&M*y;UHgg$PS)>Cy{t`ADF8tmF#Uqnf<_S(~?n+oZPshC0`Pag{0DB#Vs zu+N19Q7$I02ERSFTk%f1L~v=&6m`WaNGA`eYl$#JmSjT+mO(Q`=HcrSpkCpMQM+mt zCm?B?TLjPqAhq*#$Ga!$X3ceIB6bn!ZRhx?Un@6sRgEBH{y^WUj3Hb7r?uHV;& zmQI1e+2C;ps?EdTAHdHJsQ z78Q93I*->*6Q5iVs)_9S_J-!lRqM88Vb2fU*UJoZPKkL4AKvjLH#lS-*ao2judgg9 zEZrUTns71unGNHKMA zxNx~Q^H>$m4tk*YflosEfPjONUW<|>o&nsxvfA`#ZtFw=gNw3`9E3RC< z8q=`LnB0btecpw~FLKl!d8$X2?XKXMF$aIzV zBYkrB_h9s*)=0N3cNIg|_F;8vP*B^*5eQ~`7dd$FQ#G_K9hUW>AvcDCUhnJZSmW)? z?pyJ0?^>%?9Wa!;IV% zn_5RP`_$fVD_7&!ic91WnX^8ONv3<1p`kVEX#V`8U))1pZG@rL&1HT}^-OG=$+0BF z-kV2t!8gOwsR9{-Ti`#3W8)?(KD3n`>q7t?Kx*>2-tfA*r6=MRyb{|~l>3{}hZ@sqc zgHGB*^{VSHu$a`kY400A`|)nR{QZtMexg6h$=6k-v(PDyLtoU~ ztJuT570gZ1S}9`0d^E3sF)tf~EjVPN2$Ab* zz@&F?LpAk+tqDU5#h)-NH%AY*jF|U=6rW$MO}fj)-zJQsm)vly9*M~_#O((!?H$;9 zJcXYob8QSf_sC&XX_e;c1eej*gtb{~|1d<7x~47n;%s*z%dw!93I9ig(_sMRT72m0 zPoRBf?34Gn0q#qeF1bIHk{X@!r2R4o1z9qSyXK2%`TANgbKbSva|K`kito83%L2en zT5e5XQ*I+!{u`(M0VBPnv3o;&S*JWwv>5KO^e#3n1KEXWw5Y{Y$gbUwea8z#8Ht6f z_+^tm4!R>$ovQb3@8b~!!eLiQ_=Ae{>pPJ3n(h+oH#QiX)C7txU2HCt3R}K<#;?QH z$Qg6gGOKB*M2{j6is5F5>~7V{*`@J*vP91;^kU`i_78}Y?vbQ1?lt^(ss<3HEr_St z=nu#iIqM-cQ;^w)7{~%w11zxV$;HPNmJmZT%SkTGV*Lt6f;&C8bm)6u-hE`oVCjr) zJX>!s?dB6@5_ehLsN&gyxkt}lfUHH2g{{-LV8H0d$u`@wtE~4Yt?qA& zO;*LO&s*qe$tgLt)QUf1wfh_&6XU)!O6TU#6n&w#gH7lg>8{pKyJI0&ag+}}<-%%0 z)Sg_wbxU?)!RM35=0Ygo->*4Ph6nSPESEawXL7nNLGXv>RKwh_!rUa+G*)5}reAlqi z3(fveqp1<$1_m3U;M=oOIk|PH%2mV7Ldq{<3*yB_wKm`0kGEw!5CeGi0VB)FZ8MXp zr6G=-{IC$oblS$AQ_k_p;mVzQKzaKmFzqA&YsLbkhsn@R9`hZ2{5j z#a#CSzK*#CQUP_Q5M8n66?(iT^b)lS|Kz?INxVZWSd|mHtO?I}{jm?++ecoUGCA$M zUh{N&C-v|>xU--Cwj#|ts=*8dw*FRmHfO|&M8@*S`&oO&Wt$+5+80k8&>}HSr;dp1lz%NNr)<0_q0mc~%?HonUJl_i*@5bhNsb z9;!j5`apD8sw1{!6H6__|&Ms~`uN8H#CntuvTzFoMJW#P!54VTDX#6QhWrWwCtj4Ryy5JL;g4KxaWjnVdGJL*E z@$05VWea_qD-p!3Os*5#aipAJ3Q$NQET&{`ZG%8(=%`KTs+F28lwZw(KyI4vCtJLC z0uZaYjc4($KIdZ|KC%^F$|CGy*{J;~=v^EYRCG9i+K~GI(Z)^IbC3DSA>Gif&y$G$ zqy#MYqS#%E+;#opu$6V>7R0Dj&1xd}w%;G5LkVtxF__Yb2> zSGb}Pn?CiG6|K(ZBPu|79-dglxBaH9++)_-JYFyWf~#w2jpKY%&yrWl=mJU~Y*~V< z(1aP(ax$`Z4=xseig2(SRhHP#Aq$av1@alO8KQ@MBXj5-m9iFJ$T!f@%;8x?ZVirhSQ zM()1KO;1aEjy9O;Tv)I=;^xpUfq4Ocz8-BLfD}0*cmr;88wf%3Lxf(0a*2|dxc4v= zC+~R34hyY$cZkia<<^V56H%-bn?8Dv&2%U`^F7kagMDx$DAoi>66@VU?y0ye?94PZ z>NG^-io8h9s~66G?Em_P13*appT9c0JfO8yl6%i>9u)1lspBy3R2zO2Z`N4j*`B6c?S%cl8nPA^mslN836`~j>X{j1! z%uL>kDwj+m;01x=2M>>$4XJBtzc^#-r<9ocrf!;@&MWKUsxW``9qx`CU4R?3*M;{z$`|yv;y+zw`Q)7% z62791=f85hvFYO*dNEybW6*?Z`GG&H44E>jS;6FIU=g!VnqCxRJNnyZz?mK&q%LxI zR@k$!{Ggy-Fi3n;5pavs7$}8RuOcWT`%g4HpU9V^>D=nTiB-yX@*4JBO6Z8*A`W}8 zhEXoN_Exdch8;`>FtWpz&9bvCvubM0C)Ia$Qq9+yy*AdW1?J0OPkq(E4>iH5*nUjC zYul)Tv+f6gRuzLmPQav}zjce-K+?@6wN-{3Xy(G#p+xvHIb=2fP%a~@;64i+r`YUKn@9x)AZARC215m{3Q(~*hhb~e0lppt4xA$bDa+FGAJJ#5oI{yA1svfMZ4QHC$L|?iI25b2N z);I~ezFvMR64gzn08UO>D%@&O*lm-Pi;*3Y2%Is_ahv#2ieI#tMLJ1(jpyE)v>Y3L zmK!>Ht=Eigf;^T4&T?uVg2uHiQoV_Hk~(4)Wyg9&rd`rdIt&*uc_GGR zOKfh;ag@hk&nB5ue$=1)Iim*xu@itu7+`8fnIn~W%jU8)+bOJ#Q*DhO5uZ?7)oH;o;EXc(lEHsdP>MM+B8dC-2%6M7`GAjWjT zML%o}#n*$GL4pZDc6d)QRAGsvSjrWI{+!ve8W)4+BH!v+f`V*vvyo-(qpsm5OC!TW z4`7MN*Hs&tiE)}Ihil<};s>!U@tPO-8k@tk4jfVR=bfFy!m7k~wghnu;K$bOYQs?| z%bq_Z(A1<~d!ntTsl2ccd9!-X-L!)--t|<3I)m$VqTJ!eJz)9DzI{8KoY+< z6B+)KfLjtCvF+t+2OH?{Rrc*)m-5=P3K!XM3SM5mb$L)ENlInV&hyz&2&%gpvFy7x z>2dgg`~D0=UvMI!M7ieH0=`_CrTk^F&ZF{yt=LQI1^`M|=t7`?&&P0Awx6r4*)K!Y zxN8Ohihj~hpSiGb8}hmQ@}*JIIFSm=15q*XUls#1w&zyu0i7HZ|dqeG{fT+a!g<0%LY@K4s9< zm;l@PxcCY!0d@7XGT-LTzmae{#T)9EYoY+4Uq-yDiruZ*M2_j+H+|!VX0W=BX5WNU z);U1gG|_m8<|SxTX}CCDJXBoM-TGp z>!k8sKVjZ|X-QXy^uAxp0A4VCvIE{1917bPq!`u z$b}@aSW(K`jpS&Dm^U@Ryw)L?LxUXt2 zX#|=t@N?fm=W@XD4EMi#$na;JQg&V#z_qLr4`1b`eIs~PmL454<%p~j(chKz zAQ%V8TXNLq%dQ1jnvVD^y8jEV^B>Fm|H1cMymVGjzz+ac*&6Phb%dQT|2k@eP>`5k zizoB)=(*r<|7@}P*t9wBx%6{Z7zXLNKOzNqjk1ZE50;IeSZlld<|&|?vPFI&eHkDu z9Jk?s*$LXc4J)D=(;tI%Ec}u~X#-T5oRGGMBvsDDf~hH-4OfI3Ot^8`>oU(1@@;t& zR{nDr);`9>M2482ITi|qJ`yi5a7_QL@FAT^*}6Z>MniLn)BcTYK&kC(Nr>6JSrd@7 z+p=Pnb=>0jM!QMD(;Rj-$H=_BS&r0D+KHW49o=iB;Rf+F zavN@TFScZNMvZX_raA>Ie|0O9CD&Z}yBEN}+FAd2)JUsb{heDFwhORmA1s#xcM|8Q z*w(xM{G0ySC#0h;p1p8^c8kxRL;v)#w!xnxuhs|DG5lVq>_~sUcbr!SPk`^kxl-wq z{gMGn^V0zvwq^9UA<19!eYlIj_X#GP((?XiGyEUF*Ue27r<>=tT|MMYTvbt2&bGaGZXGKR{>uzW|9&`t46i;r*7*MTl}S!Op-yk+ z`<-JPihq0=FeFhh@X%zg6&_C?`{!eez6@+~QBJd8G=Cl0z|R$ni289H9O^Hm!dLM? z;?^f}?>H&IUl!6^`KXadcGaC<)kuVJgy6UN>-;&P$9m<61b(jal&SqM+AX@Az-{WJ z-1@5;iD&>vm@_wj!12tQ{y6?RL{F5yfB$~BUgIdrP6n<(07_fL0R3@KpFTZH;OF8B z9URoH9*zkH+HwKDXa4SBbXApp%>A|1)k`gff&@JnP!>t6scAAUa3&tB;nJUDQabHf zCBgBazxD?Tonueee%0KGc+Sw!kcN(qQ%y}xG#_PSL7c{_>*@|7D`74!!XeA}(mWtH zm^B7E&6*q@?7LUmH=G3rh-RSCfcOuILgC%75r54CQSn*Y6dYv2e8+MX2`J?}Y*w_u zcyO{FZH=|9#*HHp)$d^4fdq{bco&_WEkcty!E~%G`N!pA@I2|6=H7*~XFpzIlVuVj zmf24-Ay1b&eLbp*__|I`PC9WIIR#Q2cKzk~Jw~AB9wi+Dl&R&bH_`d|s=(9^GM#aT z!Ma;OAkcGw*r2m7eD|(uh%kl%GBUGs0|NsU$L%Nmx3MQ}0o{%zgf2 z<2GS_o}Hh6`L@Bi%%^|3VE%el|NU40d+*Is05@kym&SX4|4#EZKnc0K>t3yN%x2jC z&)_NAhZ-850ex21ql*d)9TShIY5n_}NiPGfUOcWOcsM#1OG3fmh))p_bJoX$YyUWN zsx@AZEnh+`0eyvO=;^cD;+THju>o9@EaT>^ zmoKNbYin!Y78Ddbu7vo{=>{SgkJE|OrKP37jW~DT%-o#t%N|c&py}XQ$-}Iy+i(nU z^By%E!XHZ?{O2>^Ui#Wxr5X;_5x#Nb>(t_fYj>qV+kKXRs52}g!qhq@FCig803a;@ zjZwNMfsPgxtjx^30DsB761ed<7Y0&+0@}ixT5@WZPrJK7#LzGMYaYAwlM+JPz`4h> zd1JV~9oOF8Zj_ai(`uw=eFXPWT&%PN?*0_X9JA5V`W)QHj~CS*y+oOso9h`E{+cWO z;zgJ945#D3qfSD7aau4U+s&Kn$+WbzDacdZe@@@AUge)23Y502E-|Xsjc@=C-JBc0 zYV6WU;irK(Bzqe#hq-f1kJ~@CcWl2iH+f;v4bw7p>Q; zqvnPfw|k8L-ogH_?oDsyBcP2d=gzN*Utde(k8%=hz`!q>KgT1J6=fq+wOM=%Hl&#|;Ke_S|#36>Bbqp>Ew6#69~5&(l7S^Q{d>s6Sgi0cYU#6G8fVzM;qOkg+tiqxR3PzeXiq=veB8$hLT^Cj;>z=R$gLS&4KOL zJUPQU095n;>**7(B>sRc{`J?6>3+d=tK`Oe#+OyPHP*Lo6uQnt<#HDN_c2#+1#o<% z9-IX>Cl%xiURe6EF?kGS#I(7b#iPD){$>i`k>e!;jB?VK$L>u`FWsO`e;O8EgVq}% zrwjV+Br}`c_~(GBZSNxN4}>x)+xV&}?dgiL-$of-R>^zF_}ir(>I2lPtG2bj!JYIX z;VC4n)Ak5TBtD_CeN;;N%ms!!*$)_VXT;B|uYC2ZMX(1%2MU!A`>A z@E?Ft5H}A`dP>S;3JQv}oSd9q!uq;@=)UZ8{k1gbQ8TbkftA6oVP(j2FuAfQ$&CK) zk_oZvK4y=7w8qiHr7DOIh7CQ}B(U^-hbH0LOy-A0cno@0?#6QNn0xjYO9W^hzSWGjZ zg#vh~Y@ENJMeEbrUcDr6RFui042(MC#Em)&7Ng$GZ_ihWcz>FZm}ES7f7Z4K1{Y>` zh+1ZV61=>8xY_xB*QnRdsHH{ml7Cr-f+VG-M+#Dmm{1|8xFjUDND*;I$I5cO2021D zBNjfZge&r*b{&B3IN#7#MW_buw@$RK!D%*aQehKaCmeSyk7MJ z3-JHF;s1Zs6izaK2G9aJP-9qDR;AqBTsIT#wTIoY^n&{OdQIR#s(@$vE7-|x@fcbRi*2Zw1!#>S>RKKjZkDkhsW!Bp?4eXvX+acC|#=@%Ff6aHr#>A^3+Zr zJ+gVhU<@a6zOhDDy@S0tV!}XdB%l|Rf2q>_nUkQL#OPYdv1hM~EGd61r~0#e{MFEU zZ<|k>-!DKXMaNK={=uU>!IPpz3gsG9ZfbnO#^=@b*OE#tzffqhQtkk zK5$?nd8X1w6ym$SQ0qDJuAxkyi{L(!`w5G+YHsW{;Cm&cvh|QDl^2-R^W+Qj^c6TPyj zluBruDU6McE&k((!V}uq^n-oP&CF)z3pVUwYzmoeqvQR0RZb12H*(=C!g>+521?>6BcEctEeyZgUWoIAUFS|jL9V@ad4 zW2`_!&4@^4$6`@^;Oy?PW0!FXuZMMLN-Vgz^e;HTvBLNA*rE1fK=Kn=xBpAMPfqY_ zoK4_MqY6U&^_hx5@JR>7mV8XR@5)^~KAxp&vo8z=Pvlb%g$=I*e;YR|$YxkB<7*QR zl}07^$gol^<-B^W^Z}^x+ToTV5h(gSk$~{f&kcJ&{Q19Z#eaR5a9A9W&>nIl$TWka zNz*&z_?JB?#2`u~ZqXC_l#tu5Af)vxsqn$DhSPOdfp0G(r1W$iru&rgr&9#wlJOTM zI3^PV-`#oFT8`Pu$}Z(9*Lz>luX)Z9b6S=|l9H24AO26T$Uo0OKgfw6F+cmi3Fr;O zf!{1uB2f@zn#Q=zkr?70=KALLbgfMrm4H0vRP_$8%&GPrVcG848Sr&97U`GC`I+nD zJN@K#8anTB%n$`3b*SAqWGo&WPy}h@Cn$KO)wIxlx^^3gqXfKlgLH1@8M#8qyz@{} zOuv0zflrd1-dn)2Vmqz!FC9u;oox7M~BF8J4X-n6d&M8Ae5CngT!DGO4`r?7HARhh2; z{ZVVu^_+1#1bs0a%wI1r0Qh1CF4qCf@SnQNjl9UY2FDgo>TKoI=uNGKROdKF)a`=68RAFd% zczR%dZZ6fX^e<3GCXBCg_XfUxhIC+-^!s8LSTs5}SE#n&N28z8xo59e1(1i68GQo)Fli%QmFhizC@M!1udrp>0k77BO5#jsT*}3^I zqer9BzIps>D9QHzsCqTeb7{@>dPec|jDVpKq01Atwr>ka1LCv~ba`m~!$WwlBU6f` z6IwbW-yQgH-B}3VuQ)|mcuVc*hb>%8Us+N z9}V)3op+XYyj5hBpFNJfI)+hOX6}Q-$>ZgSo+<^(R_}k;xBjpF%pbmgpUwuye-%m? zkI5-bRW7l5(wb(fKa9)Nlu)rX4Ze~8LOk#1{9RpLGszQDQi=k>OfMCVNS{6Zk}*uJ zrxj5@j9zaDEo#C@veOC(~JZ*?9DE~ZgAlVG^l7r@`({fpUe@UDqD0xUH z;Etlx>Co7YHS#nVNo+cW6LTqv<=vwy%f{^!D3uK$AaOa3DP^Q&xRe|+US>Ntr_uC* z;~MiF9ve`^6;azAxZAQC^=|f}r%<*#>_AO5o((MuG`!lwFlSmPRr(;fnOmW8gl#y}g%nauWXq zSx!oDKws52hgX@h%f8nfh5+fgbd9x{|7CIeT7qK^Ls5)c@lt9%6kT>n8C4eTOVKGCjDYDWk-x28WOK8$Q<@(=TkD|wTMeTGxDf>Dw7*6@e-Bs4Td**02V)W1e&+JW&jTN*nQ$sUG{ClZ1u%4c(Y-N9Pt+OK~2 zJvx9{x_JM>?R_7gH>4o$Mk1~xgKaapVGyk72wu;U&kh@12ul%^`IfV>6|rU*nmo$1 z>)Xkitwugb+qRTB^V5utIkO08su;IJuJTb|yw6bc?k3+D%4po_8$09bF^llJyR`{; zz+=qY#VEfiQ31Hdm3G9hlq7S z3B^auk3AQ`Ksj_*7|3mZTb*vISoi}r38Oa}{KFX(n2x#8w0HCa;jV)a_M?va-1JFQ zPfLrbK+2+{vHq*y!{GYu8`-FLNunYYd^$Qze6I>>Er7}Smb(ImOoEHXf>Bjtt;D8E z54%S@jBz=Q6KoAtrOUVNA1kV}cPEvj-X~G@yGw+=lGV`pGdnjYZ{(bM%=e37q$yuk z(cx;Y^#!86Z(=|T*4|z#CpQd0c3z_PTN|4Dq2FJfX*xD0ePX-0U? zk}@CkkRTbMv^ZJzcoRYB{<-K|tjm;$Qrn?VObLo1U4=rGPvn<3u;hQXdTbAyH)}(x z48?J&qmL-8NqFJ)y8gX7sps9eqUrB3!yC>znwnpqGrp zLvbi?Iy#G`2{rYddk}%$#Xnmq%NS{&A-71gAijXJkm%Zn6yvC>E6lm~72eUt;(2+| zRd$$XcfMOGd&RqW*pxJu(3fc01=E*-;iB;bdGg_r1K2Lb<1s z6$zJDE+rL}j+*QPAZKAwV82|i+WCY8Xv_az0H91LZpye%o~kUHE^bWh?K2=%5YI!R4sOT8ryy#Y zJQA$*m4bo-HI3PGAXgDy1_nLtHRl->`mT?vkNvieYM7Qi7AOccMDnZr2Q?6)MSkgAHt~?vcJI1k zihBFXJCbK&ng)CX72CFJSpq^*EFX`{ttj+Spp3m@lp!-z528 z?^{Tno3}@0gF2c~_xb5$)Zg9lx$KczPx9FwXYnWs9pNjfx8YosCn|3w&je9lLfUyf z2C_Koryx1At*!W3J7A3b-upgl@>@2EipZDtfCr|#jik0H3VTmqtWpFgTZ?|YRQ8`% zMZNyy?Cq5lM<9oz$mg>dPukBc{iJ&EQ>bDj(p<^j1y~^U`)+2Sid`)46+BennqkzC zvd1dx>~kSc>2RdQMP1WiMtTSEQMtLv*>a}D#>MtJrb^?Kz@!5Y`62LnDSXvcLA%k@ge2pz5 zhDCQxFDW6aieC`+JuKo?c|hBxDchooimIvv4!&eT82&-WLXeV-n2eZ@vdns$Rrl!l z@wg*D?S{|=hAnVqlX&*B2@T$7wk8jK#Oa z>L2iU6c-O(;332-iU?s{U{CieJQy zh17ilgm1@e?}yJRxzmJV^3x12YSMJJMrQG44ZhvK))gdMEe zSJY(7x1o;uNwTD{O#>rSb;aQ{tJ zD-Ge8|9x1OKq`N1PZcYFo}hZlXoi^TN-}^*bu*A&fd+0pnw;PqC!B77>#zPU{O@Ea zG$)1^YULu-i~*W`IEbD~Bn2rL_R*Gi0vp*fX(T?&+dN)F2j_D%{>iKS<$}cbLmZ2` z$KzIxUWt~JzbjvB)~}0`_V*{p>?mj|4Z1U#XjI$}p7LY-J3{Hh%WCLW64d!%MTDq! ziKVx@+Ka`Bv|+Y2q<9eXjs0L-<8@nshNg-|HEhvU#@EKeglIa$?_dXhB6#<#CTlFi z1??i^+X!>JM3e9n8RC3X#>}~{CR1Ln2!uSdVr=2x-P+qwkcaw-&Wuevs9w+eUTu;o zZj{BvQnY0{+CnvkHoc>K%%6Soa=>W$V#_-}h)ccde8!p^l*m%hPHK{K#%%r|Pag8g zo2XO6K+KqJ?dz3xdgTQY*e%-HAsJ$U&x+0@i%x^{bDtDHVeFl?aGH&^-kx{{7b%>irLUNFoxPy& z``9^x(f!f=f#n~g^LsACu1_f-hdz!SzRS~0&#CPtE=hwW->^f6-^%BaV5VPoHin~P zCJqMg>N+c<%PtW#P|G9)YsSZUr*=~eK$RgBu+ly{7Q8JSJ;CCbNjcw3-bvN3tCsQV zFSuR6NPBhomDkCD9X*fHN^t#wtb@;5jv!4w#s$OGrgz%I@Mp;{%tcqa9Xwh^`tJhn z+yZR!aJD!!bwNW87io__nvj%FlW>=K7o{)m-(ybnBww6@ROJNNHbvU`4Te%)xbBWp z-4WNA^}R!xk0xih8&04c^zsg7p!B>=(~4nHXgyEnx^=t8X?$1aTP%#@xofGMR(O#H zu&CgknZgcgWK-_bQwA}oFwK&{SsHg)@00ze&EswOaGJIwCk;&|xt|+u&6mYRj@>!OVNM+)A7d<+X?S%i?{KG{M`>%Kem)W&STS>kOsHOTNh4GTZkSUelHvf0lh9 z7sdQ~C7;os7&<$8C9X%JFJK*rDXbD`@zX)$TJA{2HZeBSux>Ln=th%}8OwX0Y>j6& z9P(_#ZDkt^|5+9P#BzU3zoNd(aYH$ihprcOf}(N;<6hF<=w|$--dS6bTG?sSL9N+W z$zSL1K|=O>BCm5kfQFNV8k4w_herqW>Wy{fv9or*9r1hRlFkY>o!Vg6W-iwC=VL_r z6pllr;$93K8evtguWw6X1vIN&@;gj_Pkjlg?#kFtDf4>w!&kDreDACGa;=*8Q-g-T zNzrGsoN~G;wuPpKn%v4yfh^pb1%iO1ka#qG`CQ}EKRI5ztJ91boqqljEe~}yw$@sx zKV5CLamWRywYL{2E$#N2LWHk7~V z4K3Z|{{zO|p5&OeP#{N7NrVY{%~;Oq?!z^I$TO4@5v z`Gm^zgBaRO0aYT$ueVcH#v=T^gB0~Vi>!L-ImXEg0C)$nty~QcCs^`FZ#vvLfUTG7 zZStQqt5mXDV9uKJMuPts5eYNSEBNFZkMAkE-pBYR2NF7L^+(GgCv(Jy>PRQl3&b#A zkq11=-e1q?qJI7ACtx*?^`yxfju!|tGa-U9+`1k~;&%(nuj;&4Y7%DPv6rhdUt85><<%$sPp)#^PkuKmL3i(gp8JC~s*-IuV|D|X2bQwPa4ZYFEgtxmhu zOQyqFRtXbid5EI`0`d$_#>-vyh>ytwd?usl^|laz4-Fnzcl)-LP}ZwckI3 z*B5#w&ZohxkcKw{*^6Zd{YA3O5dxL4-BLzM>ZHtxgTQp_9%?E*>XU3t;AWz&X#aW zKWa&1&~$pxUCzs|eNp4!=T^pHy5`Yp@Y<#LdswZt@3X_HseR) zoAjjxdR~7J3^6W>E-;*O=CZm|;&)p<$6x~T9uq9h^iA126IzLgl(Gr2U$NC$3@5NV z%P`#Aj0q1jf2`G6T|BC8b;|Zo9O_y6F+rE5UCkX+8>m3b#tzu#%eH9dolk;;BK_ z6u_G>^67DK)MP;n46R#BMK)b!RRG?ca8M-o^-etQa@!_Fgpf~SyF~jK@|V5ge;|}(XT&%rp**2%{;x zc=$$Ww%WIERt0R3S^FnsN4?*J)=-(_N+S-J)4Ite3|4?nq##*!ym50>1;)FoNm>4g zGl9qyXqpMZJSvuWWc6A95gJ7KMQ0fO&6`BQOXS1Zy8;ou_0v;&w4s%@nro2bTxr0; zdY9j9rynisOhoj6hPLxkgu{iqYr7hXB9>86LqczN2bZBU(chd;PV>H83JPA_y*#~}9`w0G1 z27f-93q?(v@7XW(gwY8>+g3$W!))XQ8P^hH)`snYgJ5qW#pM=pz()~g$v64|>=zz= zKNrpQQzkpAo=U^i-rW?oCT#(F_0?+MsW91$me{2f*WYOH*_pUI%e6fd0B zlzV00Y&q5g^gtbrazes3FLYHSx?u3?U1J}`WQk!&N};m-Q+j{-H6i z+m#d6o=2VQhXD{xN%Lo8rfer)BD$YGG$d&(3gZ?JS8K~7s|*S&iHx|$c@KNE;Yp^?AwE76d< zSXw~{{6?Gp1`zoH{`f#6gn+S1e*SE7EMLD~Q9~H&<^tuvhXtY~aiDarIpJrIlFz#H zJ^)aOVU}RUX*rZj0!b zWU&Df@|H?Tk-vpF6XG}J>u>X<_h*r?G?!!cssXYDZkqao-DSbSbSbzUgZI`P;ATPI^Os%T^xo&aSTJ|I&L1W~q;!BGkf|RxmfX<1>teiE zN3Zo$gi@w*LG!l4<&9fmdT!d4`IRG1U0{V-Sj$z^e+F7I+R3j zor*c7SJE_pYSj>9_K=vle_^$M9Lyy*KA1DVN&dl8o)$BVg`mV)-xqOu0{ALYIqmrV z&#Cl#Hi(lI&vqR6WQeaQ|U8CKNZO7aQ?Dp7tMJC*m@Y~0Y%a@Mn{K57?yizp= zR!5`y$I@;&=S9mqtk_f{wqZ$yalx1>3cn1siEQo5TwY*~G#IHCQ8)OdUEYen#x*5= z;+ZrNkqh>b(^6;J;|Gg^{6WU$1#`Etk-X+N zMZKg3?E{}Ow@yJqWM<9!$-|Cmc(kh4bf&s+L71>7qs{K~n>EkuYmrxcB3xXFryVy& zdhK2{8E#{!&>GLVF#n0{*rHI1EK$i#J|+OV*4|h;bN?5qItAu=S03-8FLN3W#1TGXp2^Us^;g>qfGhP&fB zHkp%4{shSeM#kkcNU}$k`Bi=gYBUNt=2d@6H}`tD?VI;@2BW7YV8Tt#dxId#HZ6 zv()UXlR_moeTUb^m1|5V{!%BZ{Wt+_R+gJ^oG6QP4%Iz{8P~@Mv<9bnkbZ<6ZJ*{H zK*y&f!+bDYSDP*YlGn^cf}UP^*gXasf>a|14Y2m@tCH(mD*zX{{9T_f#fD~L>}d~q z&g!Vfa+Ak1hsToy7e$(l>#ulIUp@4w$(A08+&_Glv(3}I$)WFt{-#+8!;){b+qvOd z?@Y<3uHEBw-MRB2iHvMHo)@v28QcRWmDZ#*)Q%2~>3f|yP!YId?;wJ$mc|47F>E>=L0(8CO3nN|zkB?UD&(gI;y;?$Cgm!yw^sGZWr*CyW z<}o}bNnRL)N%Hsecunie;i5at<{Im8%nvG@S91>`dNTUGJkvhg`jTwGoE$J!laXAT5~$(A(> zyYPe?Wwu4|NO94@Kd|VBRUw;qe1$nju!tNI<9R6f<+Fv^6*3inKwbkw(lBspns~zc z_}JR2&C-Y6KDb3rZ>Rb_{6Du4M|`~X_||Kx#Eb>2sEyQ&^tc=x#IS{yFMH%N=000c zu-3F|?S!AXb<6pp-T0z@wcho}4r_mZ1Z-K-1t-^(XF~MC@Eh%;!*<~gtw=(_yHb&q z$jF1i5H(2YHh?*-p~j`7hKJskbXIMn>&JEP2gUaGxO6GO68s(adcA9AtMc1j3)$`A zBS&NuocIF2rg|Y`C!Zm`T+<8T?R!IFyYiq^l2(@DvGvx~!7$d%2&I- zH$)N(U;bOMqRLl9;uBu{`c@L4J?L*DM%5lmX0~S}xysz?RFb1z1eT z1#fu@N`lb?=EMB?XqcH3P&s6MQm$EQe4Rxxw7v~(0YPZT;LekY$_=c z-Wh_ANr&@1dQ+HIUqJVfDNUG=(8jkwa6=bs#%i8GR8;;4x;4m>_*>V%oYfkSLmMM0 z^84H47NlG?b!f;u9zW^y{B-%>H;9GV@>DI#)Z{eV%4Wy=!vJj+N2M5g;7rI9mvhG( zkT!BNJS!dz62lv-B^XjN!s7zNHw$7YAi4`iQBYE+*zL0^&02pKn;LPxu-vcI z%BE9oGM=#tNKkf?ce%mLd98iM+psv_Ki_4b$tc9U^StKI>>_IhUpej4qOM~gI=uag z{Xm83;3YEifxo8tPH(BdFWa!Jl4%Mn@*jW<>=wcpYZ!Z1-DIMBdo+`uv>mN|;*b%1 z_Fk!AlaCP3-WVP|q+!r^rO4BXBm?ridHR-<>6<)Kvu8|rXTaLS?E2M_@I;r}xKb;} z)gl|MKXVje$-~D_64b7%OWZH1u(=nn0G`OESWCHY1WH8)4Jvc0{WR2}V;lt&mz${m;_R`IY=0;X4mire58eKBYZoMCsTE7eNnXD)o zwy0}7YwK{U7Z|~sWG&cHE7|}$GC45$aZrM)lpgwf>dgk&TQv;SP8*r^e!VK5>Bq|N zGE7gH(*y=sG~~cl^tF~mcr=lz`dTZym%5J+Q&s8Kry^|!IV-KxP8;D1tG_8)E6^SI z-9mCF4n)v*gcoV*md$Wy=q5&4D3iyu!+hrYFFfhjJ?VkNn?- zZil;#t&~U7X=pR2fDCNR@&_aLrC;P^v41dcx+W+85+yh57$cmGK^@T!D8M!-b*zk#@$yIqU2uiuc1J6UOpz-+=uPxweoy?$)3lioX!?ns!+ z8u|Hu+JOJ3zCd)1YO?wiqv14q7Nvf~g%8t+c%G8>_4cY%o^xnvXh@(0#cq$c&T=@L zFP6l_f~1u>vyQeozG!EP`n(GM_SNBG(vXdn7QAaXjBhHJH`5Yg%hn=!w}ZE?;a6zU z^efx2@t-A~!Q<)0^X~hCpQLq}_!`p!zn5NDnf4#N031}YWfkhG`^=zi=}iZqLlR!D zTw*WkYtMv1Tr_Sn9KRlWOM1yAE1uj%&gi)jOT>&z zpC-v)yd6GI|L6&AQ8C&#IuUR}GQNa49zkkXQN7K029e=bjsYRw81qLCrB2I>>to-v z8fzMu|E0Xo-AWREN;%uQx4(vQq~ncVQwFYDfxw(?6}wS zzS-IFpS2=K2mR0j6eTUlu@b2d5%hRQMP|x-m&F@<{Z``v$3rM9G@cs}uBFu})DXwm z$5bW{3}*R_aMsWn;a|B!9d%ueJNu+-L#Q zq`0c#;W5xGj}9Jy2i3i%q~4xitkrf@G}Y`KUOsP8Xv5AMo_ejj&6J*37mAv#?G^Jd zOn;)pt%&0J#G!ralP}N)2pU@=oUeJscMrAd?B*1puy6PHrrc@2*Jt_8*bkP3zbk^e zZHqQ~FuPTCN%eGI0LX6dN#;8O9xu{4LM~r>z2LgL!I-ew8Q!rhd;RjmX!buN{~AhgHNtRH!nwX*?X`F0XRF`Ng_;>#7N`_}b<1A>@ z&hl-|0^gFHe!RK+nSnt*?&Rzy(NS5X{Y8P;a;MvSvbEMk)U>iR%vs+9AZCRHWM9Dq z|1}~nNnYkGZ-^#~_S%)-S#oa4|E+Y2h|TpxikFB5ss2i*f)OpYkMR0Bo!kwJKXl+v~MLy`{B8JyyI={xv!%vDVz4NEH8okpmzhJ-511V zu}e64wB<Xi~$_h{i0*A zZ%U~tqo5ae!@G&+!;#s-sSq7m>?$OhymM_`Gj@Q8#02}frbW9g;$-nhT zXt6_pjUFlx@}Mo_W|(v_8Y~bTJbi_1n zo};a(D`y}$_JKR(wUY05J@_GGxc}VN=4a4z|I5&`gS;toTDC53?&RfF*7<(THh!3c z!zlEQZWFY8Sh{Dxd-kXF8EymM&Dqs%`7`3n%0xSuePzLNwvn3sB1_NmJmmQM9m&3K zn@0$yHmgDNA8&tF{l+Mt>;11}0v?H_!k2?I^+2fb!4qcfc~ff#;_``&loZ1*qbC&W z5Oc*$?`Zxt5Nz=_!Ozz>vC+)jJn=J{4!*sG1zo|#lks?V?85d)T=nOk){jhwVHx&t z(ht_yfU~u>0sEF(j_1!Yvh(~NSekka95etn8NzWOT>V^TKnHzXuNpRnKT)3~G4tQ;`N2u}Gop*>FsJq^HoDiOv zif^vQRjde1;BptUePpMzJ=!l1Ix?fAnOc7}Iu98-#?R<@KDs;ChXH2=ZH$^;VmYv3 zLIpmqZgQ>qrK=p?&9qvOaIyF?W^yKs6HDY|qAC9g(e9gNd5PE!rb^7+`qYR@D|K6u zG&`Z3EL~9<6IB~e570GMKj)Xc6&@Q?$dRfvir;TPnw0&wMVs9kmrlZ=%ix#s+1y6A zs{i@cUn#BaEUBLfyIA(C$*U06gWPni%!02I0n#{%em1|b*F7AFC8+#Q>B-$49LlX% z|H#~X+*Qim6lm8(?oTYnbGqzzHWA9@e&ahsNQX?0#hJR)ukMk|+9iW9`d@){I}=V1 z0694N0?SKbXP2+t?rJ;#CJK=Xpl{UG6s<`~LA(=!b@X_IzQXPiMF(>&W&3K*;RXtq z`}VT875L@-f5Q{EX6dTaXU)*hwA^S9oLcmhzj&)LTAkS=9}F4u@jkLLQ3Kl4a9Tpa zBAEi^eo}*)tG*cI@2=`d=AixzWGvSXgv7FBuh+yr`M42v_fKbw!dKAOtCj;Sf?p%e~JGS{|3d{`4fZp(Ql?BMme|f zeYWvwqT-3Jf)c0aZi>8VL+E#)7lXy;A*=TX5&kXzQf~?}j41EQzq-v#4u@o{`Y|#H zsa9E6D9Z}~v0vAO>Ip~_F^zKi$+kI%ZAhM9DjY&o%}X?o-V|7ynm+S;+*s+|yuH*T zy6C?7mE&m}G4X)3ix48plP$B)FQ!y3S+366nXnbrK{I?ti%u~+5p><_DwnRfLJ~w! zGvINA`VG~_brCh1{Kb;bbk_|cLo^)3Z5BL(rnMX`OV257u%9szH?TONilW(*M%n4& z<(oEXTqIBAXM5{v^E=O0n%$NfZF_&h>bs!&!fl-%DYVw4N>wv=A*?Jvq$bt;XZuBL zJlBxjr*p+%OXpjA>WeN*a|cP9hlaeOGxqZxH~6^SP!x9=yfHcZ>#EjDVWES6t5=;A z3V=(y^FBXF)3ew$r<>QJ5b^-{RXe?)E3`-_0~)x5NZr~s{$bi`JpE)d#UEJIt))nU zhh979@pY~!>-P=pOxsQZJg8fTUSq)Uo}Q-G|f30qIYV^U(UBk!VzxuN==VuxmDiQfVG^ zKJ?o}Jl;S__?=9$=`nHsV|)M4k0a&3e-t{9<|UpqDxf=eC#T6bh}nb&oZM$iD{MtX z`1r+jIGy7!zX8F5QS!m}Y}ER?D{2WI1#C{~07plu_;W66>?arrBBCX?L0E|9f{QV0 zBWSPveN%G8t7tUx#nvL{_&yXPGU^YK7fUUsOZ<$I!Wbq$L0BfAD&zynpG{dI`66@V zr&&b+{l()mL~j!vh)G_8YaWxfU53~C-cJS9rt?O7slBZ;Q8Q&!1LzS;SW4c#o`{!w zg=6x=qU_XSLe{XTF{n-r(=0}cHLJlwXO2JSnYodQ1ncT~srQq1#mRz(x&BjH1=q>^ zmoS}ndkb^sf+Pc`+Lmzl#cAwmgTI_9z<{!2*}Zg3l1y9JnLg)2g6`1cS8QNz|qz>HJpTXr$ds)eFv3 zu6gPOKe*J=9JVNtXm@ykY&@wv#EDnFJoV~p|Jhmfb#iuUWuh36Il4f8&51^a+ zsFI7T>HYc@$qwWLYAaE!a#gH|W`02Ak(*k8(Vy;4HEX1}-@Hdt{9WkSXkZGv|D#xC z+Uo9AfwL&6HiY6fR|FlIuh0I#9IhwL6#7^!X+_71_ARG@R6F}7A{zZ0%3!XDTnNL+ zap#)Ts`oYB)!vBeP5`E}vvYoB6@IZ8CDZUZD2$iKcA7T7yP|JkfYJTiM6X=;-1j;! zVW{(fq1QXDu*x)YAP4PG}+>+O_!|E75zCe zg8Gj`k^M8o!Aw!&A&Uom?oM&FK%UnY(vBMVQ&AbcP5(Fdd*&BalU)pI9G1=;(Jdh!jCyJ3)B*7xPW6k{D)U0s00*Hr;<80adW zSgg84aRIP&;Sj(yBs|8ilJ0Mw*v!9ve4y-!1a_W_Y6}F%(e zoA-6Bg}*;BSZ!Nc4u3s#zFCvIm3n95VDHm#w6*+u;Z+fqqXzv*`grleYq^j&Ty_hg zS$CFflGp5SIQas4swkNIjsYzwE-(~<4=ViRXL)sHGIN&A=zeIve*GglF(Ip5!C@O6 zs!FpkefCXh8`J+Z!0$&qkaTc(m|FN7=%64aXnk&0;5=6{@}tmNweG8wr-P#GZQD7I z@sSZaI0ws0S(Q>sU>YaT1HS6YHk}UaERx+D975p_$UFAcj~n4n-AZvE-t8ed3pKdPzEcU@*(( zPEGaQyB|S$c{Fqk4C<)p_v_8l?Ck7o>N0}^YLFi1r2);}hOgh741xNuIQx1le3Qkz zT9bF?D~!8;`CYE;q{iCTR2_euW);+ZEWg68tzm;5E*>-v6zgtNMhLVfP2(#4N>_g4 z9V($B>bjvT6P9)zREL7#erf-LTUbwsqL5==XyL5$APtEQk;>?C%m+qkKxB`HO4uqErM!ZK_(R# zeD*|Uw_=9W(khyjk-RtmWG;iVV%}YR1OZ~&?}S}kfaN9XDb#z)r$i9i$Y2$So=;=# zB0qf5ak%}1GF_kKv_{OC9$gUqYg2EBObX*r#=1tCn^(rnoe*1doJr$skqV_!xYO2p z@@(M(S(=9sB8|yeA0&;3h(v$;y6cVt1Pu|nQ*=#pYh$3yDGcb_tCl2){b)$V9>ww|y2NcV%Gof-V-76JiI(u0cHy=zp%OxW!Fc zGU^)@+WXvuV#6W@OP=QpDwJHCBuM!5{;cBcng2?hYhtE$aiU?z!%KIY9N6u$Zm+iA zmxI>2ov%oDx3`L?TCF%;f6lwyj&n`7URmJs|CodN%AWvp zehu%A%=c9J{Hno*Zk{b}+I3RPzvoJE&4W%bETJP7yX7(FWbHvEAUDYP1)%+i&OQiuNPdzDI|O@jtbk-=1^ zpks0K4C9^8kxP>j&TuPp>YW`g%cNw$bu?UGM^&Q&2;7ssq~2OLFKeoEm|L#=oQ@X7 z8=Vd_yShGyU?p+BB>DJj?%nSNfQrbnP+=Gir@@3(w2>_$rqZ3ca%0rABym zDxbULqgWI@z!eI5{^G?(zQg6|smk7&b@61Ltl8=2mry*$&2+2*0?soz>~Ms=N7_TE zZcBAnoh|0ik~$`{7nq(Y!2W8X-bV5m+rFUW&!RGTiW>gHt^`crX$Ks`d@ z8$CU}NR@dsE%sHnGQWXh&}NmQFzQ&THt$-^oYwa`A51=a8k%&#cej}#TU!i))^;2R zKs*sN(L=Q8TW8GG6u> zJ;xK?Y%mJf;tSYjlqJ_YDCKp)D}A`~hVN_@yq09b6(@0rz#HSQK5$<8sQ?`{aTzR% z{uuXJ1(!Tug@*8ych!4dNe=lhDr$d^VFO`G6(>qNbt)Ji({YK?^m)FJs zY4W4Ev59IwqXhLVd&2;F;IO|GsG)Az!qsD6rYt9@L58XbS!F8ER3Nc={RR0KP8Y)s zR<|A!5Ps7QPq^ncqsZOVR(nleV$$4`kL))C1O7;uq5`*TrOA8HoEUTWOz8u#>b zV8dUź?5vZ*1WV?mG4*fY;0oL^rvAn%d-rDLRd>Z_Tb4wK((5gl_sH*8+3LN`` zs?Uk{8`9^14g|NXs_6u+OyG(p@}AqCE5ttj*&MV7gFwQ1tkgdbYs@IM^7L zcm5uq7UX6#FeT3PUpWA3lL4)3ZaXHkpnd{%CM;rN>4S0Spt53r|Xv;Z&fHAax2n8l)$F{#~^Rnaw>Kd(*?GeByU2@#f*u%)@nIJf*4+ z(Z@HAD{W8v&mtO%d4@>5^!4?3k5@aVk37YeWIa*$SxSeRB$$*BHfJsbS|sw|#qYZV zG7A;)d_^s_KBGLO6lLqwYh?mR8*RD#`TqI0uH}jIh4s^TNhY+&jz@W&9+CCE5LKm^ zu;=f!@HzzM=>~*Ld$;F0lT5meG395v)l7%%bcCD;h#?K%GeOL8F#{Y&*zFaCJdtN6z(2i9BVRSLF8(Ct0ykL}DLh)<-XL zGVkmhEq67*MZOX^bTi-j*Nts008Dw}zJ1nddEZ%8?Hnkhaqvx>QZX8GwdrkkbmrR&$lxD!6JWNW4t zD=4kRXpM(}E*(>b?ks6`FzKCWJaba1$du)og5ezf+0I~V?c{Z=lpf2Tp$tQ((PMQu z|AXagTiu?Xi|zZy_!dq18ny5Hcq*rF%@>(_>Dkf%2?x8~4T88slB&rS)1>*M%c4l| zezGC&c?E|lC8a8WJL6AuhiOUkh+!*K?v&1MPa@fJ)`+ut<>f%C(%#lfjptyyT@G&I zcrvNWOz`3FYT>W@f$LFTgq)eWos$*!qU$vmYuk~ed6A+}v2o3s#E)5< zr<7|tTn)Cb0m|-x_&@^RikI7?iv$m0R`y#IndhUiT2#!6-u~a|^*ptdC3({X#f?Wo zjH9os+bPLi7Mg6L-a9eLdIQI^r*FKkE37WsmV5WP;Z5V zCI(L!bPvkZ6p?RL)Mx#3Ps9DhIuaM!B*jn~H|yiE1${Hv>Xkadl&qYq{!{-ZIa$D) zUpj#`KtWMDt=+Dh&;4?2XFMxF?h?c;?lO8Peh7(oi&Dledb0wh$P!)3*&kN5YRJz1 z4%nATn$PZ)(c?4TBp8jRifhS?va(K?-ki_wOv)PX7%C3NA(J20+p{zns`U*5fV0y| z8$WlxI|c@Z3TNl)3xLw`WB@ow>U35c6JxF?)Y{N%*8(0${1PF~)) z_hU&esn?Z^X>>Ev_ICXJ{LXx3q=FcR$D`-<%!Zw7ve4g?jXrr+itdXHnD$bIyqZ_E zl9wN^e%p;cA=w#--Y?_AzaB4bX=xeESM)nxmtVD4a_Iu;UF%m(&Ee80`s)Bkin8>$ z=)9S^cZ9TT^A%63itFn*F{q$pU+ip7Vn1h^Zp$hFOy7aQX2a<+>Fe-CkMF2d(yx%J zc36@dmhOw$yUt%2v+D$@ALtO42z{b|j%qHe^Yq&W0G+DsBqV_;g8g2Pl7PP##`WAU zl(8sqdgnslE-5{?=e2ZS5})$fxjLFw(2QI7dG-eldY?&s9aNKdm;92aW?xrai*9@U zB|>$A;5$|3=cbUDMbE@9Iu8mXX%u*m* z+~bGy01iLTtF%n|z7h-FxV`xWHTh6MYqM7e(%}b|rqJLshjT531V4RAOC8upT}Kn`@^NT{K6`G%Aw*m%FWKX4f9@aBaNV1*E$-i6YG8~(I`ViUoV zyjklsjDrq{DC@4gybJP0RN=HA+d|cnoA~yKx~ag7Sgclg4eOUP80VAuB3&KOrc5mY zIK+gGDQH%A-PQ#O3BW@S`{p}86?>o3o(!3m3-!0#mFSjqCxWs)c~3m?$Y;0%94=Rc zLPA4w_pmMrA}19VnHi*tSB3kRMk6h{G(J)?>HP2;m1{aqR!^E;t#;KOYAWZfahQEI z9aLR@@^XIN8c<MMD246a zR!OPtY=G08rmccPrkysxjeWg0RS?SVfQL{Sv{G>}Dxhl8^akj*k53ikq{a;vhI;&M z;LTjDZFo4G?5^3VXf5iB zh;AKF3C;ksf9OLwKDR|5*9JB;Sq)=YvV>7NyKC(|HZIwlsGsZ3S~Bd^tv&nARLWJk zptUZlML4^)FQ3$Vxwwe9v9dvhegc~xomiEYG&{3lsWF#oTUzqRW7H5?N?&h0ML&v&)!d2iikDMWH( zk4U;mf3{PPyY}9zsf-bo8S9X+cq~9bFk8?!k&a2w}evMEE-OD0rDx0vq@g6 z-7oo%&xC~&ff}^3GVf@~T_WhDSW-e_=WJAfwsuwr4R7C~=Ge!7mI8fb+mL^7>SfgDY zHv&|ED*J9NX%Y$$hVT6?TyD0MuMgm}8B72csvR$mb=)5BYiW2J@0Qb{E{I9C32mPd z{w8^1N)G`Y7z$JRCUUgDUtD4h|M@pEn-a8VC@8x7Oyjy7ST+t9RMeOP)|GW=CJWq>5_m7By&01=9nzh?NC(ww}Tqm=`7gN!o$mvRJid)Jm z(~xOfSV;8nyw85e$Os-u<&#t`)hgZ0>N)<~&}X5No^sHJn1t*L5iR8u2EM$ zzJI-m+QMa?n6DGwW6(hFTqm;up~NnYE_!T36e z|DO>Yfv?bZLH%SEcF~Ib=IP(u-v9g$w5>BA{VjI%e@RozM}G!v3a1uQ*wepz;Qo`0 zawYK3x}bZ%c=FeM{-3%Qv?TkgO^EEv;^UJjC@vn10~lPU14)773e9tJ8kbelbq{H8I2;NlFTBCvPgwJ*T1P6%kRffPD50F9L90F05pJ zVg0||#3>L0&;o^)(rh9A^X&b3xcra&lcPoxywap*CPYU6A9}~Xek?gCD)8?A|7ZW} zn*8JX|KsbfHrp?+KlXp#f;K6ra|<8}P^(-4eDVDK!0?v_nRi09|L3p$KUd?w`pHFj z8~VGu>YAEd(QpFVS!QbLAPEVHSQl3WbOLrVV`JkrHcc-teqbmIIImEt7l;l-#KbxN zkQJ7`-p#@I!D)=={}LSp9kGuAFOfSfa=zRQU z^d+~en+;sy`>b1STTxR$J_SB%Bm;#y-Jf~p>_dOxS{@MPt2grFEMzbveHV-Ne5XpT zBAa`@!L?9n#@|g0@qDLO0J6V4ImtL#?^TqO!#a5+0+2OY4i2yrY+2fTrZ@wT{=2cM zNI$M2_--GyY07!^UO42Od|HC~i@Ddb!qOPt^>$tYQ zPD@TM6rA*ei;GLn#f57g0x=IcmaMm65ZpS!!ND;(ef9LO!NE6?YV08{SQ+~v4oA0P z^?U1{x!q<6PoRzZvzx^;_5c-t^kG+k+5xQ~D>{W-5DRsZB$0c)04e2Q*SlTEc&nk9 zP1?WNG|ro(#&pi4S2cSyQUbV28Ar8z?}sVPdP8`;nUx&*G5OB1mOSB0iI0vSlH1w@ z&7duOKvTnS*%PikT-}Nn#c4^g6D39x-w+bQBMf+KwcssfMiRyfdNxA$ARbm@5bVjn zqx$isd!1j~q07t5tCvw4AFrB2Ufwr5I}7;0-~H%r1+(DYihlmARy=SID4gRWha#81<99xcM@%yL^l}{7RG*(tT-;31h6=iR^x4C)A*%#cXvCI zCUF07AwNE?RMo@73knDr_eDgBJ^k0nB`E#+$HE=qX14a&VJ=|v13nMkj!d zmc;)uefhuqf-hmTU^C7`1&Vg{$zbWp$q6nVVo~!3a8Ts5w30XOK)}?OtO?am0CB+4k z>9!K8Nc9Qq+upSbP8ylfP8Qn|Yn{Wlo&@}kxzQ1TSOyCVEB&R@a+7P7YvpP}7hwe7 z*$|t=Lp8?L^)Vh5)2GB<@1VZ zq8LB7Sc=hV^6TsGjC_8^N_#yd)L>&qio0pNKT{st=l7*-WoCmAPuwazNzO`?HHR`e z8|Vw*vDB}re&M)k4=`yu^j+YE^Jlpt8?W}7y_FG9XB_)xJ60!iw{D}clT+cnE zeRuLQMWDuif;l;^NbRF0WKL2GLBlC#%SPo#1zU_>HqTI5ZCI?4MpVai^x@3{v+O z+VjVEvng{f8yvX3^?u;{_%Zef=%b;apirj%auKpfH^M@&7gbTookt(NYKeb@b&S5h z_GSquydCp-ibzY7j|To>d<3-HcK`xUMn?xi4zr^VWOu57jl&#I;^ErYQgu+D*X6caDf44$VbGxl}LA-B8!mlyq!#+$RqY*azI% zKi!Se$^rj|AtR$PPsZ;81RwxgS!Uhte5AIwrM)N0%ht*U$g$#+ z5n%^X_qR}nQe$#rZo6Nc7FV+PVvbO2J8Ez}zlW@by1KY@c5W`#BXl(Rgl`!BUQda%uCES|STZ(O8ENHlcF!v^w|4b0zbq^R7^M%IKR##gT0|g05oWzeiH7bf+=lhiR+j!k* z^cOE;3c)|{&*4W)^dQ?$sfME>LkDi|0;P=l1&r$}gxLBl_iBE@v@r_~Wh*x;H#@IC zNOw0QP~|>5S2P=JR?uEY#o)vp>1QK_uOf@&SKPuz={HW`EzT-2)mWMpjQ1`G0OX%3 z)0vtch%PC@YDX%}@;UFaINP$dx$J%QE+|j~{#G1=DODoTHl2(&T*d49nPFZsXoNMm zQm*E)%ekMqsZyMT`nL%{6tP;kTHhD`S)dIfbIbh?FMvn;2Whx$-p@-!E)%^Ic}>$L zOy;EQqSrm%by3g0(3-Xnf+l|(dz0Z?D;_P*+_;uWtjo`;2JvDh371$C6v#w(FnrfJ z8@6|VC_=xStYsqHY)%U$+Lf0hKcz7KV;%d7(e|T&KxE+ZM3Vnz4JkfD#tIdA;^{jW zi7&JFZOb-nDAyuAga(dA!J=hHY>qa#Tk~tBwoW43@HQ zfnEJdvc#2*>hED?CQBWd(x+VHRrk`FM;^41B2#A%Fp|Xc5rqoJ4;DYW6Bb7RF=Q6; zpae|2pkrD9v*ir`I>=Fu8vK^O$rSCL?^b=ujscJ4_6C9ct5sRjXvaZXZe(VMN68a@ z!LVFyD3LWo_@2sn zh^seVlREtCB%woZI8k}c+w6qh>+W-mIXEgxCX$~gSdFN-X0HWWXy=K?pvJ&?at02> zCngqA%#%^UR7N9=ydD+s&YQ24cA;%oHv{sxM=~AhDvf zNbAR^a+58D+Rn+3DGQ;Lfs-f#x2|tNj!A__*~BMo&sjARCh(C zPzr|ZhSV)m0wKW7neEm6=`Xb}gi{rvMlQrCVKp>2n;qd=%{%3?GYXJpXR|#5u{mB? zCG?1m{$}&kqcy;3hyLcArIhJ{&GC{mgosOpph)~_)PK0CIx`%IYvKvoFYy&g1k}16 z#)408lHri{dT^)KnjX?yP96wa0?R%B!eK!3b_kl4Nt;N)GzT?M(B@`E2ky(^u#P{#B z;m;IM(a5XD+{Hvhx&z7b)!H8Pp1R*-LCl}JXVGM$X08>{NXWavu&~Xr6}||QHG^9C z+!N{>Yu|&=v9BUW9f88#*x0)fga)rS9&J{1@I3+2`e>on#ajN+-t#%NpeN7Bo;*br ze1d@G^KV`H<}!Yrt;&Pe8SAR3P*L~keyLWGsy*Q`E*0|q%Nw-ikfkG6(h2#2!MF}v z8{|AO4r*uv7D7Z=2ZVZjCdI|sKch226Z0GI_KE_qr{0XU;5!o7B_&G#szkwTxkr+i zgO_zP)DI_u@}l4^lx&!lo4Z$t4yP+_JVit8m5z0+In9ZD5QoBFnir%Zo- zR1z1$5Gm8nHb@W8T4DM`W7j4<)p4|jyg1OWy)l4}*;<60V^=f1q3=#}(Is@@wJtc^ z_9IorSXDzwP|S($EzLTHLgMLK*fbHtg7vwl*$2xrJSX<8DERK!)~3o4pc2f5ayPU= zx;lAxjxSrm+(cxpHN?~DV-fdan$1uvZzq!a+o~vgDgK6_%ZD?6yOh_o*@^-L9)sRf zC)_(uL!Gb!{rGrr-@}6?Z$FRfS{7)3#!`EAsP3JWw}#_}=bT+{NEt1;5ut0Xl^CLx zi;q_G%LFFPAQ5?35iE15s2GJgB&-&4jdTFJI0}aMPyLqW=_4XQ~H^Tv>czDgb-Z+hxNXoJC z3I@<3!$8B-{kpvEv1H@(_GI%G_n3|bbjsGB5qrrnw+ocSdqL(x8hYj4^K;A$^P{AU z86bJoe3XkgNz&Su@JzvstadrkBM|WVc!Jn_<>hi%J!=9qe4BRt;;zrOMR*Ja+HnWa#I+K7H!Umre6B zu(p;3sA18bb=Ys-WS4GlZH?7fYVPcezXPlbSU6l<#?r~BN;EMOcJIo2b0;qk*Bx#{ z!OqZoAGZruqhMwRhU{i{=gFCpq-lmK?MBgYWmWB>RClvI+VUi=hDP_XgZZ>RePt!3 zu@Kxr)3dGcE=;ky%{YjGppBrQ`KE?Uc8(P;l#W;>aD7!Vq&Cn z738gCv-JwP+gXG-^#A7Z{^z5>MjTZwQndNK3~Vj+Gf-A0`~b^C!#O? zEH^&G54BRSgQziX?l%ullyvm2;5`NJcxevjtO&f|`xT>`TC2B=0=)isO&%`{joSfG$QQ{s>HrcAYmqsgeC!(~?Y>I=dvBFjTeqDP3oq)4Z)7`S?x$E4jYumLp4YA)` zWcAh;(qB08f7~HkJYc3QF}aanm){{XQbG`V;4 z{7}1Sl7o$dQw-_ARC3==0fC=PdOI8@SI1Z0#>L|7FL>V`;sa7*e}aRer8c4X)`uH5 zbYh<52iW7X90))+Od9)mP;kxty%ZIqcYRTgGA0y0{RBBLR-26kYY!Miv(U`S-$v>NE|k6Yq8+aF{eO@H;SR0+a`RhNO_y}$0EGowKtlL^QIco#7aygf_PY525imJZgO;!SuYQ42 zWq%A$V0){FUswjq64$P)N^Yj3XMEQi z-W#qzfQMn^8%)W6o~D1E!~Zlo*Eu{3gVr@Vj1-I~i`$l;yvUc4k?CTd?9ersGU{Cg zRuUQMuaP}I%m@2f{n~oake}D}9oLf?b`y}(x-6c*R{#nMQkppXGjh8m-9{_D7_0df zm`Q!AokI}Qj;fU$9Z^`5$7Qq9Fa4KH6INxTZfou6tUIb6#ld<@ z?fv14_X{D)3um)LZ_nuoxI<3@ezkJx=x9fFvb4Dike?Y9KgCeyV?49sbFRFn0+ zW=tixTV#tBzKD6IH_VNBZg9!x)ZG(02({YzE3AGs7@VABe)af1(>sWe)EYj!bM8iu;#6)OWY%^9wLw#8iBh;E1?(h3})q$1VYZ)Gu}+9>@R&9bFIPH(?>mNo}jCEoa+K6xroonqPIdBGW~p0OF>SS*$L zQN91YTl_o?;2}yH5D<`14Vj-WP&eY9wD^R_9}yE%`LSyxr6=8TUQHyxUszj9%Mi0A z=pWBUHR3oS|i8iB^HZyI#$@e^%bigo89=jU}w?448pwt8JBx}K{Idkc?p1yd~z)w_F z+?>Z1dfw*i4+tN0qtB!zC6$kS`|XxAa%#5qEk9O$`nOZa|9x)@PT~pnK#`lg>g((G z;y-oAoAWyC2m(D_3DHFCi~KuEMJu-Z3Lv`v=(TDa^vfXs=Sg7tEw~WeEb-Octt6rl z+0V6>YIJ6G2Fc-@zat&|2sCh(=dUP^rFvZX@;QZ3EA7vU%F7W;s1Q=75U%AnOd zt!6|=&nAD0O*cbBBw|R5R;fAt$?Zc1Q)l?ohy}~Iy|ZnP+!qsr!yHCgRZ~y}h+kQ& z5(0X7d+s9j*@3#GHnSR}|C1)|_E3QaaU=|c`G|F@%G%OE2T!3%-c^lNDcySNmO8-S zR7NuhwrJ&GJR0Dme{LLh=(_p2yb!tj^f^ke*$d;8O{p#-i-GR`rC;sm$#!K^HFLaG z(T!GD*ZS(SDqQZCrt(j#Eeui5Er{_%(8e{Zv<*@axfqdD&xi&kLk&1}(%LQ?Ubfo# z@F;N&R$eZ|;%td)mQc@f|JJ~<#Huz~r%Zc?VhC>>!Rm7!Zf0|s4M41vW|KCDmzg&k zkEWU#>9ULf+P$5I{Zd6lv1_7b*KJ}B!Vks+xP|~%9p}|Imoz(-l{=4h*AV`T@`LfL zc%s0{dOSS5K1WSD?FNTwbta8-M%&z}1w2(%)y<}Nv|L=D`?0KDyzP=`Ha7#|;cDBP zOU|-XAkaE2_AQ%EsXP`4YCf6EM<1kBb6~99qXA?THph0rgv*n*tjnQS#irrH%?@9(D{M}2y6%%@Iugqa9CMB9B5NS4cU0&B*Y5i)uliv&0)3t20 z#Spnuc~%B<{~-O^l5~GU@9G9!PYaj3litk_f7-6F*2h#JTbH!o9#P(2TU*O~M$#e! zOz>zr=xxu*WLFwvj)XQk>)O6qdorFF2h5Hh)OHzxdfkR=)mBfmcs`R(dq^hODMr7l zsq&VIxbDOV#2{vB?CI?t?~g&VTZ$X_N&ad2U?3Cb^VA;)e|;2XoGC6B)9*F#6ffSt z{!NZz5Zci`Hxp7@8@Z^Yq(rlynK?|*WVO_qsa`v^jL6O10}XAE*;X~PZ{_H^SbbtO za`(}8?fnuvx8_MKt+V5vaAsF1}*TLmgCtvu&8jsU5eU_Zo9{r%4R@ zNOeKtm^XZ@)&O0gnYR+5rOW40lRlqhf_!(LES+gcjdJ*0TNYD zqi3kvNDgw+`&<3cHy>r=C&lGbQJ1cHiqrf!~yYgsd8R6Vq|z&_gKR5@eRTw?Y8n55HDs5M6f2`E1lc-~f~jO6yj{BB)~ z*p7YKG^eH-M4=U%XIKQL(si(fgExtrZ8hdZ{BN`Qug6RE~4f z2fB|6l|D8Ym(|rjd<2hlW9}`8TlsHH5#z6KM!a`LlL8rOi+R3USBV3D6LX7?fw!iR zQ*O?1-6WZ%hPQ}aii(QUD?n&D-5fLph9*x{=8+#?w4;z_0|E>=Jw1xxHfZ3`<=`36 znLzdiOsq7ehPMnMH5nB!fyd%FAhZAvk0_>{_{xh?jSKwlE~3o4yN?Nu7nP%1KLO~N zXQSQ!*74Jyv?^`(hv?*CW^-W<=T&uf_OFmo%NI2@IN!CVZ7t?iNVg~JD_J1cj=t*v zbHh#}I2f&B1lQ@+d^mTKy@W)CRim0Iw8cN4Zk9=7hEe$+j{=|todZl45(SCyt3E82 zQ2{rGV$8`n{$JDRf2){IjC+FM%{+Fo#{4DqqwB=lI2V?h$G3)D-IrBdWd9O;#(q3A z!^V2!xcQ#@jDk{em)Uw*6pXvo&W15UQjwN3FmIqgGaDyU8rQ&{P;*e_!aW-o!Bk7^Qty$+ojDhN95~O)|Qk$v^_ z6qlzDAqqm8G`IYrS1z#>e3$1OPlBgnuu2oWzni%7ZNzG^*!4w`y0>P%+d#P)whg0m z!xOL~HAY{SjZJAm)S{Zd#4I^Tep^U?=(6r~1fS+%g=&Hz(XsH;r?2TJd?T2z*cgHJ zqhr)*`UUvXOpU$)U=F@SPRm5>oxNNqKF^z~U8akg5qL;w=!x;+D`tLH81-gxIPTBrVK5q9h4c%$3KM)y8o21}iOkXMAfd{3L%1GgR{*R;h~X@As; zt=vfd#1dpub57kcGtXq%&!4lC?R9iYi<4A{h=^!EHZ@!DJA8R$EAf8xwbKMznZSSC z-G#Mx@;X_7mKbKu-CL*O7pr8au4j1BSy}v=+@mlc&&~lD5E3Kxg%Xydd4(+H=>PrQ zuK{+Su>As7${ zSdQ7{g!PuI{aBU@m$KYv*`oH&HLi~x2?pz)g{0-*W)dO4?ibD%fK)cKB05t;Hl*w@ zJaQ!ZmK4$)*n|j)0bmO=&fRIs^VLtD)BCi%^K#{z9@yB}8(%CJs-hg_S5bob;EVR> zfR#j{{i+X?+dd4oD-wzqTzb)Ruvj13WIQl1Km!8hiT0vmM#^1UmmYO)N5vW4j_$i3 zB~V0yV`B7K0N+)qM2E72Uij5&XSrPpJ)=cao&&FP`P#vOR`*OGREczZeRGqNT0>2Z zWlRR_F6Y>2WS!6S_+iT0x&Sk zo}1?txtFf@eF}le=(;V{I;CVw9xtpZNVNcfAiLCyWmBc(W{YlgJ(DBfcpuE2;1Ddx z6f5ZHq@LQZ*w;rq|8Hj%?C4KBYw41Dw3z$V7a)+B$jHc#wXv}{>SF&|V56|)aDsTt2=62d9Rvo zS7he{Nvq{8p}2(+Zey8UzrbD-giqD?g@xO6`af9pnk>~RM7$4A(?qNXm4j56B#aga zHyTR7rwaOC55^#=zw0zz;NPYu#^22SB5-cgYrU};;xlKrE2Vl-$z`SDmU*-gmU`MS zr?gIqlDm9%!~EXQA@sDuWcLd; za1IMU@7Xc47L5w{>kOV5A1!Tg)$Jh0h0?fD{P566&2@QT{2Mcz8xSTHLljIWd#=cS zT)7M;RB%5z%T2P1>fGG;)e689zhKdZf^on`EUXQi9d*In*xr8Y4O8FIhWx>Y zFumh|?kF@SC@7DI7emQwH6U*{$$D#-RiyRq)Ev*qdRYl_#zGow0?a>V2NIuC4xr8X zR?f0OVBy~@SpHIyr`tY%)4I9Hwe2iE6w><4w1A6;M?py`b||ECUh(P?dC>aUBU8G zt`QcHuNoUK4}e3ba<34rvS(g-Zt$oE$|j0CF%mmksuk#v!KDfhrT|FAP+KW^v1zAf zS2tvuF1}IKle)I{a4`*e`Rb?EpW64hvr>g#J^!M8-+RPW$H^X!o*nf%4ZNR=>zu~v zupg5)@l!K5(JIrQFzyvfc8J~JdYW8(J19hXDSG?r4lZVpD^q^5((@QhR~{GaxSrq3^G`nNYzvJhZ znXxR0jg9TIO5t&gbCd^~29kgB|ayNcFrn3MNS*;1m5iX(;ag7Bf4N|Hkj`?j<}{J&1>Ms`r|R*GXxlV{$T-$LZkx zY`tEe+b!S8wx$->{^4T%mH=BdW)lP$z`Zbg?#<_R9w*)3uWT$;cKD~qkXL`&_M_gu zl~Px?bJXTR{dmE=Y%G6zSpde@3 z&k^<`urBRtn+6YYZQ5O@yWHnT!h(R5X6et3UXQU0@VC;J+m+FmEf24r?>ll(5-&(4 zDl0XMGxF zer9L6gBpQdg9D7Ul_ee3Wg*4`%>{$XJ;-bULQD>-GyAjtxAX26v8}Zc>W0 zbX1OC>{9))gO3?qI^ z?87E$2q2;kXZoZCNmpvMA0JrINkQS!5eHNwtPoM|S7!2Fls zAZG;`QC6UDSQx}#p--7IXZrIj+ zL&r$VCqk`?xG?2$>KQ%Bf&uO7t9|af(Ux10<2-rjfvmuxdzKi@Q3~+T7 zD)Kd2jH^7&6(d90j21TA=3p(F!aqj(Kd)W%^~rS22VWD_TFhq?E0oyx%tpN{Q;6(^?=058Fj?=pr~*1BlqS4l zXj2h#{Kk8N!0A-*H*%%^X27Y&#|~7zf2O@m<_Uaq+V+OoJ-Lt-V9Wq`I+Fk-VghtH zH#Q9J)H%H$RFxDIij(SrUg=_5*<|Ut$FJ+b z66xm`mIfM0yofkm)?m(azOrEu5hKkm)y|r#0U9|v{T=Qxi&g~+kh5}jy#Ia}TA9H5 z-N-J}dB?y7`N8>RwhG0VavbjgyU^4W7y?6(Zoa@Ya~+y`hb^LsZ>iT00che~g;xE# zO~7~0Kh2pU(&kn9YwWYBM?1JalY9>IMCWdJ<2S?g!a9$BzI)7ACNReOO0lzU@hdrMzj55{?x##DO3^$Rns^1%@m8@uAO4aKEsIj>8L>S)M<- zA5I0|clov}$IK|Wp>1o0m$(qXOhKqYwV!iPs6&hE4Ccdf(`Gkb zTWENm3(c=1i|^s%6GI+wueK7qtH_B3= z!{`+wXA3nR80ZRqne{eLY)tSyIi+voN`?@;8MTwr`&J2LPcfIwbmPyXX={;j7Qh zM8xpL>8Ty%%EWOwCJF+OmJFWX?3X1u6~$kK6V8t7NAigixeQX0rB~lz`=8yK0KJRu z!g+pd@~jsLXWLzL@1_Dg0>#xv8V($bP?uV*xS$14m4`VVu#3#pO2 zTunznc$(2tS2vvrME+|;`D;!0mvrl2FHIH^h6&;4Op6B$hRx+uD$`*M7iIbRaxGn^ zBuYc;Hr~rl$16h5?p2UNE&qZo;ES|PKx?ZLz65~NL6Z8mKFg<=R7JkcaW(Prc$2Nr zkFsxrS?ugZ638d>EXI^ZXzsm|SpsE9)Ox*r%xm5hfpHCEf5S-WhDJVcrj`XWWEv5g zjmZ@xD|*Iu`4jGpV#4wk!#-2)nf0(fzUPG3kDF0xO7eoiI1`aDnG8jVTy^Lb4Ac~koS^6&=YZ*^r7}&xb7F#^p)7HtWb0dS!x^?Iw z%iwk|Q<{j&seZNKvfDqO)+axj1hz`Xz~>imb%WGe}yC(wj0Ic$^5HH@b9%|<9nd-L3O&Mwp;!Xpq=)(C(L;qa68wVcCx!)=^ zi=J=;^;)HZ!E2M=bstAnRS;lLBWlqCmHX>s_Mfe{|Kz9XrfBSd4I<0!Wn*8g`R-t% z^!_=)s0BBDNK8!3P*YS|n(k)2AmQi`^PLoce^2|{QN4LMUGHWHH)IMoB=KPUfPcn| zO|?Z8{txMAIm6dwK>A6wg%GDn08p8A&rs3O$~`i})2FAYe`?giq)DEBi%r23qsA=F z!>0UD!PLFP{2igg{gpBH){~Z@Sp8ThkI0u(MT2wrZo0;p-gG0Qu}?Fj5Uq0`YGqXO zqQC^kagJOpEGNRU<>JJnY-F(uj>Ml^+M{Bl9KK^%KWd^Qlnjcypad4ZHP!xjmtR%q zGqHv#FMN)d1Oowy$#dncja_Km0kOt-LhO1hf%DIi_oPK9Ra~JqLCdPqDb4?jy|<2w zvR&7PRX{`~3{XjnF6ojI5s{K^5b5rY5mB%RN$GAFx?@CCN;(D@hM^mV8U`2`-pjq# z-dopN&%2l3`~LO)-scaW`GL-T-`9P`c^>C+9OoU%1xr<*2NxOXCanjBm7zvgNBmic z9_?xnIH;_lo)(IXx|LoSdRxJ;gYnqf)kewKCHUEq&s!!pOY!BUw$|3wsfN>w&%p-C zXob@VqrVT#Crnppmq-BiytaTTI!B3S30QAb1uxv}>`88TYGx)Uka!OwafyLJjyBpx z;U*(-1!&J)5O#@*3L0=WIx@0|P_V5~8djB}!|4giB$ak!k@fDY>0WNPp^I~7gP>u6 zEp47**D@UE5W0Ri)J76^!}W^z*4M%M^c=kbMt0H*ODLi zO8$1-gThWHS5@YapkGVI01ul>mcJD+Y}p}_{P?K;>Jw>?`VIb<4HrMI9>gzG`RTnz|vqDTZH54q0BmCIbC3$uOFUTfzvZ2M>}C3%c=`CKW?)GLY$9 z3qO=dtq+5bLVx}M%fM?^>+or5Dd^nc@Y`pN=k;*55C;<{SBs+G`rgIZ*WD57d4BE>!h%S63o0 zAK!3(vY56!x*2C-n#8m~_-~HUf8NHaGlJ)DZo(h2xCQ+-RyUn^h?LiiWY=+qa>~$2 z-iDG-D&E#SjBR%5q3U-CWz5kAk>g+HCoKc7CZOCMY~4vT3U`*jVUI-~S7?H+T`{_8*8B7S@I zaj{Z63af5Tf`7H7et!Y~)=2%Fq6t4|djg!aBKZH?7yQF0|NXkPUkNGpecu{BO(Oek zegC_+^{>D6h1B5HpW8;G!zY3Nn_v5xk?EP|+hlTO;@=iiUZB+T=g&!fGTHwRFGkAx z;scB{|9#mX&*k5yz(2nEXPKayV*l!a&>x51e=)p&n*sb;KZ`VK*Gzw(#s7HqKYf*- zADt$|kDq((@PGP6zmJL4WAL?tSzO=$ug>2WFG9h(sJe6>`Nv!H@3;34Bi$GAbGbb> z{6PB0JMI5=*l38>?AAj5)zI=gpYDC}benwnargQ~2I8v=7HSW6W0?Z9K1mRAeK<8K zdF}fRIctM6EiLvx>w=>BuU>gQdHlxq>XnP<&*${@-76P6!Epd3naBEgKg&X}{J)jk z{qop(g`dr@>~|TTarN+sH3Ax44OP`!@M2B9YCCy)diuGgrM%_@AxC8ZU9PZ;i6uT! zP$*uv8JPsW;x5k4KkdVR@&>kOx3{9(Vx|3V*NTKnU*tm0$&xkvK5cDGw>r+yf zOatPBD<=&a`fQzDOY35HDwX2g=+LR(J-xT^`S=9T0yOyS#p_b1PoK7lxC4m=hCXsY z!k7(+_ga#te5BII&iq86-PftJ!%BTHPkaD%cjcZQ(qsPS++vFFTL3hh2|fjlW<%-y zU+aod|LM%)mkm^q*o03`rU3GZDpmvkF_|{febhwuH2)20URon7#SI#>-8FwlmA1`mlt(n`|}P%$YQ7O$Hf^0=4-0$`wR>rS1HKih%Lpt==Du z%-Y=ZC|=+&A1XF{T!~PvF-*g~+2WrY$rnUN#8X402_VeJsLSU+ELrayaeWK(I^mxz ze1{Fk*v`(*%B1>jzde)^wdclvV84Gq2{>+K6N-k7IM}FRKtqW^03QyEa2w;Rt^ zQh|YiUyUP+l(sOKs_VP9qEwdp(;Uq_JUlsxbE3rOUHeL^1~OzXFuFd{o_RJmGxOXQ z*+=%!lURPedB4U=vmy-eoB>wMnrLnqP&UGpjbY2&vkSv^~>~z ztF@!()UgW7M55zZcJky>v6F_!%9U@m9Gbm3ssOf=d<;^T#3fyW!$A*s0f|%2i0a~N z>#tDWmem&z=R;WNB?F?X?Z%4kkMbBN5B6uuag9$nJ^Rzc1jFehe-=Mn5xkgEO3DQ!oS*SGxWF{_dZW`e&fv_aa{h@qyi#CAyi^x8rhPfH*={+GK zA&E{+RiUMzrJ{N?5fTIu5%xkg`&*c%o&N1Wu5Ba|9xM@D!n)0v99s4xqTRgWs2dU0 zu8{L+o|pCPH-HAArm?Y%>&qC!czKduozF_xgzr$Yi}=LG;DcAlI(%fbztodQ zg|v4(PIok_*M%B$Q8q%Tu`%CqZQB?UQc}hMmSh%oZD%C)H25LYZt;&gln%?J3 zD-C`xMgJSq@^d!R&rx-uD6V$ua{wk8p)UiwKz*N+GgM7o{q5>FpfD1X(WW^d>pP~5 zArQ#>K-lEuuZKUhU{Ta*#lbW=F*kfcN%FgOiG603TBT@4-PL<^FMZ&3TgA-pAKL@uO-kVAqcJ27x zv)^XGFXzf%e3X*8U=SGyJHyG&u0Xm!|KX|tC$maQkw+Zpm-+6^o2NMEYRaAoeO=vr zL^#1q*=ecgmv-65?~7w}(*dl`A|YX9_x3pD&L`zF_;zwy~ zXJ`wTa0l4K*E|c_@7+s&8gmL>K(efHo;P zzpFI;>Od8{ISZta0aX_@FneXlzWRu}NL$4Q*(~l&Oq7p2Fz`xh)vr-~-4PT}OTdu2 zXj1HTmM|hH(qCD>r(dK~SphCMtbhct%-R~=oDM8t_Y)xR^k{1J9cEW3CC2PnE7J!A zy9y!l_`MEavn%GsVa`7d_vN*q zVWb<&HZbnO+EgrXwzmpBrK_mD7rv%1s@BWS92u1;v~FAztxSh1ao8bwmzJWf_>_;m z&EYso*w;}e8t{4Ak-4FwZgsqijf$;J=xLgVh9Q#=CW{fO+x{*fVz#$%1MaDU z9CKaAw?QukA$5HB$}+?48t3e+d#S*3!`(iIeKK(R>ZHGL6$v_L;z~y}MN_=;_l=v) zC_B!{Nr`vqTel1Ww4sqk$TyNDEG!xc*m4eW9|kpHi`1*Q-0Vy~kp|zwMK!f7gCK)e zfpd1KpxZvi*%Mv%tdgshKI9CO__&QEC2g+nxRAxqSSFM@Kyoz-6+tS5cDRzJ1$vJJ>1yuHonB7ZXy# zpR@L#UI5eX+I*$e4#;2-;tYjMuOl1YhcO6Q2*G>eQ4KwvXcyIBat79d6-)EeooLO$ z$dAqmon2i@iNo$ar&gy;_7y`JinP_9Z-RO+9|kQMF>BTTK^!t6UO-;F?s-}!rYz)S%SD`R3Zz2fZsK|NP(37E)Kdha~4 z*ER&U?8!+HBPGl4oN4Pd!T;gSJ&@b{x6ZE1mv5Gk#&4qaivmRk_q zzw5NFjH*ifp$|wR<`odLZVSx#a`BdDCdenYy?HD0(06Z**LNz@ z!{GOA?6>3hUq`719Dx=R5)zAws~@P*R7_wlqBCn_ve>XIvtx8rWf@*q4x=BIbGCfM)sTq~Uz(AkIyP6}xXB0%C- z*oUB&XFB)GlqrQ{p5IV>G?&$NSc`Q=tQr3 z2~-j%FROJ)5B=8?59+H|w7iOhpbYAUHPnuaQsamm$SrK5J4A)8vrw1fI`NXyv0D^v zYwY>d-oz{8y6d6`-6yIvjE_Hdji6u|GKrAf21|}?P+2SP&7#fa&NVg{q#~w49dzDi z)G2Kk6Lfg2Ap8*3U7IX?Z$PbX{;f)$fA2>N>8|l+*0#L?&l07yZQkRi&eO42*2T}S z2{=Ta>JlcoBATldV)opqT?!@od~m5d)|fBwI)#||Y{o5@M#*L$==cZNG%}?B>$PhI zrrQ|9O-N0Dv=BsSXKr=7H>2h!-95XGQ_CR9>lU8LT8ZM|N?wR!&&6}MiR?I4tY z1lwDRNXaspP0`5pIh->&Jj_m9YQf@}xEVhqDx;|=`z972sRKrq!{9f+lg)=lN7J>` z6um7N+M_~$^o|Tcz{whG0{^Vsfy9*mzQLk|XEOEGAFCthCnd8atTtxDCAHoP?_)rJ zhNh*{@6yvvc8An^FA>A_*lCLnXWsYrwFCu+Fuw`7Ky@S~E#2~bIAWCu1kKW{GRVPwPw8ZnG;^hHaG`R#Oj#`JFZB(ArT z(jJMKepfJC-%%yI7qFCm^0ai@=_(mVmB#377q?_KAnG9Pb~0ooKf++Qrs5f>@<;=? zv?tZc#rfkUPW-q;goQi(E6RDTCu$SteEhXzIdQFPr!UN0M>k=qiVbuzLFaykpi0R$ z`(v>wDUZO91)H|Mi_PWTua(x{KeFiYi>bCNJF4ke8D1?;uxY!5$;ygyL-~8Y)kL~X z)V}36?g{k+1!g^7GUE`9#&Z-A`RX+q&qY(Ar; z4(Z`MtCN$N7kYAT#h%{a%0wNXc$rh+FyP_B>}yyOnwP}PAu`np4i#GT`*U~R14jXv z%t-+MLI-ov`V%Cy_5sp?b1BYq&Xr_ksDI^ps0jgaw@p_X4Z{dj@Lhd!Bqv<2k6Wd$ zLFv=jeVLfG=D~%HYUCCWklh|ynizD(R?*zLwII7>8KYOTR{vr9Ru5B^p zH5EyWQJ=#iM|O@htg-0?qaH1#GYccC!VPHynF0awWY5L$X7=?&^jP7Bk1DAbmA$*J z-UTfhx4~AMzMSkdV+s0R)4uNTfve^zRje2cdQwY^SN)xcz-ugdulv9WXW8}LE`)H} z2(oSS1&7h%z^6$`z`jX97Sac_xM6J-x+k>*?8Vq_6gdheJtR0jQS&~bl?*TdR7hQo zRL~CS?BxpkQKP2AKEUHB0Qtwq{R-Z}n<@_1PD6pZ1vDYjU#Gq?Chy?t?3}G4anSj^ zkK1!*{q~*G(R_tCmcxU^d99#;I%8M>!4goAUTXj?-jwRYA3PXm!`5NKwZ}}yD=mlY zzT^;i`QqA{!0Q!qsYV>^zy^tqT^e$8;}ViTtzr!K?;98*i^v*)2X!IhYw!j#lw4}g z6@qRe=bR+>3n*#iRrhzw9M$GP)P&~^XaHr1x|&*LVR=vB7%&UW`<7y)tSy&t70@fd}R_Y6_@SBzD z-i!N$;_Q`B;*37UsQO&cA*(g9CL%dfvjmq{m}jpMUEk6F?X^P^{w}A_GG+hp%z)6{ zS8Oq`P|uUPmzT-uZZnwsx32>xX?+;2beH7eClF*NtV1v|q}z z?iSw}SNBSte6r~T8I#lR=mZ}+4OLr3(F6}NdX zsLQlg9j^&gcA^z4#ZL5|+K(vmyggdGcxXGR@Lbc-NNnEyhED4ZGXXkv$nY^9PGzlJMg&7NcRH;7Y`xALQfhG_I0DC$8P!9 z>~qzeoxM5WU)&-yB1MC?58>CDlS>kIFVmqKM%G6ClB;e&e8UqS(%N+}@(H9=pNOc` zglF4z(khD2?B&jvfkH%#x1SOT529Vak5kgdi)&ul ztc?&qncLa!8)NFxes1K+;*_~(f7GZ?N){X3ce4rII*xMjOZ5r=P>-W@Q7yN8{{;`Y zqJhCE{MFYUH}VAKSOa0iLL65NSNy&68zK9PGazlZ9>|g}=m+Yt=rn}#RT>(7v_hvlZ(mof0l7VR)l=v%zF} z;9GQp4Sj7L2p%h(9|j3V2;a^K8vkJ-7f!EbBsav-G(k@}Z0Jp4oHD9p_@AB;#ON(c zCw46kW(j)B)6M_o7y&FWGF&*RR=-ch0O?W{r;tzxuu96H$L?>LKB-Gd_Ee)9<=48qN6bR;f*yt^|uYwG1_=)3Oz zlSC$><*y}y_ll+Ex_einYU->YKptZdMVi7^+E;~yS{HLboSA`Hg-52QN&?8P>2jL= zzF}u7#3ikCxz5bYtWS=ii91-8m#s#V*NA4VC%Lfl6Vc)4)BeHMle&qN32=3Fm42Yz z$pA&tuYqf`-;rGC7GO#d^F6F7up#|lN2q`OQ>&|IzB_&rc(=@-Ebk;}jE_uVIm+e- zqIRmQvNY{o#&#D}&rsDy$Hb_rsYPzj3z-J9PC6ur>wE}e{Iz^R{bcH}Ehn-mGgI_F zaWBWo)SYpdMd*D4HN_9qFILmyJL>U*aLs$WH(kudz9=e!2P;g$va+{ zda(ZJ=(l%lkI59%RyBj!4$1HXyi6OlQ;>iWxUCAHVAO#Q7#?9y$wg~Nlq z79=Hu2QHI!NC0(wZqo@zdWYjN^lZYxYqzYhCmyI)1O{#f?|khhCE~f>eE%FVz3a`* zeq`bD2(yG{+dNMa(m(HJn-{|yg4n;2(+Uc?=mUn(^&K|J1V(X?tx7%A0bGdx`OEal z>YY=3Dm+^LoZcy^N0#@ts%9@YtgFm7MLuY4Q&EREA#{44{qPvSJYo+lDU{xaS6ffQ zl~d&XQk_kLep+47_I1zKZjT>eYj!u+1m-9yI+gf=(?zJ@X51qD>ZIiT-cXpI;%Z#a zLIHFW2V~e+%8SdIAYRX50m3ome38RbF7{MQC;r=6hxnu8isjw?Mg3vdO;TP$>&`1S zFFLa~@mt&589b)nm)s`3W=Ru-oinJ13J`st*|m+u_0FzuFY0(siiEkil+UXIAxGM9 zq4q!nx>@$lBZKsS5k{euk|G1^ql5K=qkw=JlGa{zytpJ#D`{9ypQg_-edDg6`?@zp zJd@Bz`A*9FYLEyPSZoYeHy!Wccy9`ciM`KJtkd_DpncV)`%Labtr{|vAdr&?kKaRZ zS6UCAoq1+#|29lQ>R%XMu(1-k5gap3h|!HG{-jp$=B+gU{L}# zr+7=QUZV-%&ZAk`f*j$z4z^KqZ#*YV&WSDt|4>BGJ7gReMVG99xWS!&diZ%CP`3vMXEu?B|J}UQlpA0Cx>WrW6f= z0`FvojrOtVigKHi8jA3sKdt(vH4|P$Z9_}?xuTr+71lp~{J3qmv%TG}HpNZ6`R>aN zh%9IklYBVuZY1eE^XhQ^(fT#oD%@ND(pSF}Z~+RoTk8{j|KUW6czv2N(36|x<_>Cy zD-RP5Z11H%xfjVoG&Tl)(~na*eK>aO z@g(Gvr%P`3aToNA0Y$nZ%{WEM+Bs17o+&_v+UtsO&at{vT#j>7hGZU;uPe?cQjv`a zkRA^2y&c;Q@$u`YnkXyDTZv7Q){O=(Qx7$}PjP5fu7`02a|A!vm*LRn`g98zGwde@ z9BXvrf22%@CMU7!q><6m*Q%i5rCXLU7!cdPacs9&d0dS2U3zt-v2gp z@B>hdO^D}DfMll}TFjwy55=*h-QYj_Xcl#iQ?IhmL5=r3Hga`5z%NvGn&V4GZEfwF zg6$hwTb{9Yb}!CbDo`;3`GiI>mq=7ea`IM1AM6CLehp+23oPVH{b%7WeXj06&qZJU zo^xla2Xxnoo?vEV)V;RLF1UGAnF{w$ww~&BV;E|b3 zSH`zylXlu0tzbjUXM7J75@+5g{?su1>~A19$#wWX`{0e$uLfySt>*yP*&Z^uc_~1< z{CK3Y7Drt%MyCgBnc1MVN_1lh9{1oQ)ZQl~(p_Vw#ugiK7Sx-kY}ZsKMsj|7Z@GF3 zDQF}TWq0nu6`JqO`}aA04m8zobz3Vy{D7Q6+lg% zdm&GzC&;Y zOjM&O>@TVf?#&+_iKKpvic04$SzMs5c)eZEX&!SqOEZmd-?}T<{lrR}bA$$m3t>LS zEvo1zHCUUP`kiQKX)NV*1b#lEU&LwZ_pqk=I>kBzO9Xq@COG$NY%gfZJin++J5+Dg zf7@s2mdwI#ULH$5Kq9Qi%FPG3qz>rt-9o6mRUoC&;6+gr?3m|@YE-tw2L?*>d#rge z+O7`hg^w0$Gt@Z(8}A~7-ZBzVD`|{gOihJen5q;cL&Xi|+^`4uKzvV9N9kx&UfvtF zXx~K1%)zr2dTT}eE>yE`-aI}}MwY(NO$wW>Rk~{bg0-f~5hZPxK}s{y>0@OjrfXcY zVXR9|?#R8`-~auT@7U-m%5?)W+EMNGONUqn7TjiUAYgl{0JD%X9;K|59SE!VAk1{l@HH$fo8Q@9aDDW1grl>A?BAo6;Qy!05igNX%bKj zx5XKreQux^^Y{Q{mmFak_KV!-x38Ui`Et=%YgP&cynQ>5zs8-ZYuW93QGSK(*DG1w z44mpoo^Pk@MAaO`$Gad$-eoe;82b1%4kLwwO3od*WA>`Y!-cZibm?<9j|kjq!;_nM z8fZ&gr%zSUxf+quzIYF8;ZCOqUkd zAxBS!D{Pf%uuq>MQwti)$NMgz(Jr6FY8cR~Z=eat9#UmD4qe~ZS2MG#5eyqGfhv$~ zRB3fai@g2p=o@m_o3t{W+ndJ8TdkL%5}Mial66l*0TPuCF8N* z5AoBVcYsG$qH-ZmGo-Qw<9GS?=eW3WwS2-et~uLO2_MqN*D;!oE9lh8CSP?>>g{Yv zWmifTjTsmmjJa4Qo)4e^8{9D#r2^vg^jEJ4$5e`0PP%%a-cOrG;o~l|-`)8G8mCW_ zPAmck|4deO`V0^i3;>IRG{Xj)y;CpS+rze>mX(E=AxEC%Du0LR3Ons@PU|Fk(D9n( zB~a?R(cgO(5h*@;{UOKrw@AsZ!h%Xi25F!y$t65`v_x-ZVx5{qd+ffov!mVMJhcr< zg7aJ%$uyNWAc#sH36^iMQ`#cW=-854w4>?7s^1n2XA8b}2KMdW6o1-o-X`uwbLm52 zxw$+I$Dlx3OmA#g3wU_4n%?aXm1D5XmK{`#0s@*EWxt;5zfH%#sAoI%6H)Bz2PsS~ zF3L$Kd@wsA>MCe{nooLErTy~K%b*~0s<&Q@6c1>o3Q3QKH?)J6(|_YP*>LuWez{($ zZ5F9II3lfYb;e0#X+*C>#9t58AxlJE*(~>pp`+F>1uOj_e)ddC2b%YH2Wg|2Q zTrP`bmqo$%ef%`;p}ug$$1ah1NqZhr!V!nUULSSH$%H%HFw%5=yvhbZM~y%V1=?3X z2Nei)hP};=2K2yB1Gj+cuV8cUmoQVV9Cp7!Ln8xx&azZ9p&w>z9OQ%UBTA_Eeh4a!*H@O;I5iChK*}%=)lJ zZNeLUoeztd-;^MBo4i4^| zWPK7_KA7-=s7_kF|Lo@WwcE$Xq+|C%ZELBB=|vy`#Xe)_>-{sS!c>2wfc_o1eRkSj zDs~%govd03K_!sp93Zp_-^63`LxTC_J9a16uPhhfHnPKli1Vdkbn;UN$>tVRS&q4R)fvs zij9q}81m-g3y0l+1b{4r3NU91frAWt1O*oORy=K5Fni~S&EZaBn6q@vU&l^r* z9;Tw@?bWl-_ENuY7T_!eYmW8(Jw0Kd4rjgtpnta2Va+oHp}MXLPu}I%j#h_oSOs|; zT>qOth>(Otm{#%O`{&QeR09H1F8(-Ps}OmTR^1?497K%mTE;A!UJOuDRP3w7#<=&G zaXg9RQr&iK9nx4O*Sd7PYAPbt5zO&KD^^0k%u2}c5JyAM=ec&zf@frJ&_YMTolUo) z`=8QCt|kSwNJDI{ll^&wrZ@} zynSP0!g&o|tbq#5TB~0fcT-o*41S_JmJ0aKB(x64<>_NJ3OO3kRW=k zHW)%CQZGFCrePzi>H^I64XZ&Zk85v^n$3i?&6P<*@f=5|uS8-VN@r?Sl7(+B4u5H8 zOjhbY!98{Wa%Jx{9@p72r0r6hC%UFKBs1#PQs>Mg{sfXN=CAF7J;Ci`p;aw8E}3f9 z^DC^{6)H4ALuRH|3JiW=!{wh(unlkG^CK5C9E-xS;d^`;z()%y;!H6+QRli0{9!Z@ z;Cz!e{r(}nB`CDzqg;&Q9;qg%7Aqdjq>=^^lV|&)lNHm`zZb0nBN-;L#|y-hy6ibO zjBO8Z=!DZZ&GpeX>JOKhwe3)*B(gC0^Xrq2P_9;U0et)BI&Cb6?!%o0f9q;6?jZn_ z4+YY*D1RT!%AKFV7DvVSi)UoFsj`h>_>3oVVYIP8!|Jv=B0~n*&caJX)9_Q;Q<>ru zrNkggLO^R%VIb}&tTj@sS*aUiA5R=UyJmOsBK)jYBK>TS7&=yowlwsQvtgc}ME8Wk z>6w`afZ89?B&_cE;K56Sk^->#*;R|MvdUZFDQG~GhKDhoF`r*0_*olm{9PsR_ta$N zW`tY&^|iLsW%PJ_bh3jlm9~VNb3ow5Bho42#UcZ9=SLDP-!IyV+{oqJvwrgkbL)PC z=OD@a{M6jTaDVYsy}BDOUp#2=EbPCv9=#SES{6-ptv8oMFlii$E&dQF4)foO{)SAbDZS$>$NV1AXQg{n?2hiSP=5O( z>Z|=xk^FGQhPd}3B?jVAc79$j?1nUQBzG>?)m{(UxO{oWYFfyZU%a4XZ(TCtk+EkK zbQZYoWqpkzsjnV~P90~)wc_N^CS7{|jgak~9bj!pp@CBH*7*h$EN&rq4BXhdFHL%= z%2vDT7=%F|$DWCpvO*k&`(E?WIF45u`5QuxL;3B;`L-iIeoVH4L+MTP4v}uo$;xs_P*|zpFScDb8~Y#V4{#kF(KJ;TPTL{n{W_Fxgdah8@;=n8nVZ5)x5{-^OP&~Tt;Vty>(``~xz<;I)Y24~-d}kkb%*4!iJq;+@wlA0-y_OiXYtp<0jEkQFUF6yq>82w_ z#lab1gOVtmc<(nu60S-qat8O*18mZbEcGHOBPjD5@%jd0VA;qYlqR#)R1QXaCSzoUDq<% zG%Px0;{cgPX7ffP@$Abuj;*6Lw~*&oE-xTlcOl)0ZSnXdk(ACBi_(jtp+(#;oX6M3 zQk=^978=~Nd6bnWry9nLN*w&l6s__WdqXqM%=DbTedkUxRD0NrZ)uQ~g{2gx(SO4O zA!1rj%eP>Y?>wbou#2q%HSKEO3S$^(HJ0w{U1tBEoj&~@AZ)nSbrY1CWO$D#GbqP;?$Y{ z_+y^)9u|TA!8$AI8H-;`wj4nwABNI&Rh7Wl+zpMNWg;Lay&)EQkCFAfOJ6=(AeWPb z9EuLas?Qqb1niboMpS;OCiTt=E&>M2U9F&ptWx6Hlk)dCG-Q<48a>&hX7EYq2S%2L zI)}sheQ2ma!`-_-_>O~?i;Q7CiZsGbrIl9wokcj0Lp{px#(rA@Z^QNopSde5hb=1b zg^59f&<>YrXqbUdYyrlTuD8TM$WF&`0T9z~ABxG@>mhZ63dSeWM}e7g$)=5$*DGu!#R4zJzp7krCT1w83$}{3tn0NuQ~AFv*9m4$vsUwyma3) zK1EOR@e=-C8oEQT%7#(zBivfdV~xV|F^Cq83bZhOk4wPMJt#)w8La9|TF=7Br>tY9 z{I$&Q<-U7Guie@Ny7*`xq&Wd;C}Tjk|>w zy&r9~UStiH-WnJ^^sOD#>WycQ7xNS?%&x!q-i{?XgtUr5Oik^sHU7+4rArJQmA#}> zTIJHX?1NR{l#+B%#k^#7)?aj$it93|xb0xyrqUJE$L>OH1rMKK@f^xPh|jE2gE7^~ z`!``R7uuAfi+1VC{b$+6${q5}a_lLKM-bI;r+mYjd)KoTdnT$hWAPaKk8x!ZTaNjt zygG5Y!kWqb?Tf44MjX^LL*V;z8&67+-0LSw-e{9$-Z{T~%?2o4*Z>Z6R8!GnKDwnZ z#8Feio}+1LJ?0%TM8aLPx5$xfJ62{L`cTNxv4pH{%43;-i9>h4?OJTFhuC930~jPB zqOL+km$M=Ho?5V>R~&pAsVS^Nk9h(20DxUe(|6kdS-pdUAh|3=>4hwts+GMRzLl0< zv;Luz&YWSA%Of`*`CNpJvYX)%aw=L`UF2Szjga#wIWjUdgIvaLTnG+-u+_#ezdNWB zH&T3oeU^+yP!Xh@T$0DTQFLn{A*?={WjKidtYUA&#(@5b4(3!2(C2Q8S~4jHSa`Gp z4~?~uVC}^p@#Y~?e7pnM_6QG`y|G1kv#iAng3X6EYGt_!N=Od9OWOLYBU`*CUuYsD zBkhQ6u;Zq-aHb9+l%F-$|0LIBy!0MC70Gw9m#j8-`1P%0SE&i}7({TXcd2I5M&cyBxl;dQ@`waygynr=hh@}MtIna+kj+f`r~$&x!V{dhtRz# zU%!4^pa4NIuYZ$cZk0;Fk;;rdK^+*G25JR(VFQ+hHx*X{&bKOEQtf`opgf3UEu2E*kBPRoGUGbG zVg0Q_Aef}?aZDvc&%t~B0Q|0|OY19Zt(ye}bno8TQFAjJxrDU=BA9JT6)Y;~?b z!j9{_W51+Y#*{|8R4QN#zvM5>$yQxFSRA1MqU_#d)=Y+S`{CNvzDs+p*q2oUj$hEJ zI5O=~_esguDx~Pta^JVH-*J``wa(ih0eRd+VEpvbrAxQ&$c0_>>fhi_Y&cj*H1E%l zb-9<``GR=o#@ZzEikki8edXOtMctoxy6YE&UfK)Jg7YAsl7HRu#I9euIAIl<)L@So zNoz4qUi8aSLaop_Z3Aggi8BJEcWg0+p1xS5Q1KK-visVR zwZL3q$sSa+1e-Q&gHa%?>P}hDe=`XXbk|zYFE$|nJ(;pu?Az#Q+?$F4ozU*>C=_PG zH}Vb1(KF4&<8{tacJg|*n)}^5NV5^_{9OC4ibPdwk45R5Fs)tx zg_jr1zvrfQ7!{s*b}#idnR9z0|Eqk;0D*fnMa!6?BwR(KlM=&NmAOo*wZ(miG4un& zpr(c2K{;I*2F8Gf+=-_naNC>TAi1Zv+xMu@XKkOop|d<5MQNQ+`KBroeQ2IC6-_T< zum8?(bLw%!7soU{>)~0rgP5ud)*`W+y8Xfsu!rd`^;Hg-l;BIL;cnX<-f&6?uJ8wq zamTj_?6AoYmQ`F4TMsc}0lypA$hYA(7Ii~dC%5DqN+RG1ey6WJNHptYbv4anCm~w< zD{jm-qxXp{qnB=a0&88eg|xi%cKJpb_o=T0zouXQReh^Q_JWE4vd+~q zQNe1sp!7=x*^k7<1KvnM`|)^@3si(;LkT1yeQ)2sW!*9Y)*pN0x&FA>AN6OmgN}uW+PGE=|C zDgRSko>oLy@bJ;2L;nOsesp1=rrz>-tL%%IVVmn9_|ck=SW9D=;Xv|fr(_D)j}JBL zkUlKz|7b@!ugBKuzU10cwGX?^vn7=OxP&r=Atm+m8GL4=*1fH3=kBYi8nMs2(|s)K zz6({jMq=A1opKE*~_5{Xps zRwL4#QR}RQcg=_W`cFAJ7hC%Yy%mRszmgOD zhQ5qMTB#owLW8oc6E`BO1$0L^k}M=8=l$tId?h9&1Btv(2t8Pf z`$1T~g#I{FEZJ7?vCdXyGhAMHz;yR+dl((wxLH*XzUG_M*C#qqVafeA)ZW232;c04 zSO4pvK-@JYM!8v?v4oe#wW#IPtGTI;Cw4!bES>Wjw2JcVUiLXGS z-tFp5A50&Ra7;;d+7exX1b)6lIbWrw3cXW$IrEn=Tq7V*)P1F02z9jNen;EDxeUmU zd_&7#{ylyBvZlpz+>~A^WKmQ}CF_N#}zjpu%x&J8h{#+FKJPysw zu;(1MN08(;z-m-e>ok4l0nF%j(O+KWpMD{wdye9W^MYpB+rPNi=yEAwk@@v2zsOo< zwaxHhX}B{7?X$kL*>3v{6wDZS`#4u96aPUX%)$;5VRObV=S% zd@HIg`XMJ->sI7EeE9G&pmH4N=~Wc~ z_EB3vR(7_$gM&kJJF-lWMVn%V_IYr0g#4$UI z=7$jDBD)%=Aw%?V?-7e;fkqj6wf`e0+x)RRdeX2*c=jTQB+E|xQ)6Nn^Yin0O}}4^ z2afw|h?)|$$!pgP_s)1uIM=wX42?{-yv`R94)-d%FlMhM0U0r)s8>2~gql_C0)eJmkVeP<) zLOD!qL%5{tr?`=dQ|~b>;CPLDK0(629`2#VR`McXdEB*EsWc!w)3`a76VTS3b%X{R zykoE57%LCah zIgfR8KGEGCVI=+aAZ5#yS~U{S*28>(Ja|2ne`joYIcDb(nSr|>)o8odh5I;RtBOyqwgPXn4b6|6*JVAiF~jdmK!ErvE4Zk7P?~U zqcKYcgz-iW3@)!y;)f2DsdL=>!$Uo=lif+z!aAo)2x@KNTw~6=>SK9vDLuQZVMi->O6} zUAl}a%>C-IX4Pv9vnspGsdH0gY)p28+QdI!IfhMhO{AfSd$wPz>rl+CZI)PJM>*Ln z5#xy&c3o(Xty*2PC*FZ+iPtMA`Ze;~jr>S~Vl&!w@mR$U>_G-Ya@rz%_1wsckON1R z4Sa9B(RfcmZ-uI)tX$7}*u0eAVNCvZVs*93$7cU1I|W@<_65bVjkc4z{&#Vg`d?$| zml9UwglaZ&p>U>SPsQ;Ovl1RuOuL1BmOolO%OpxGveK%aBk`bVZoO+OS!=EyFIHe; z77b6@tu)LquGNSfDK*K`DAwv;i%d>t)Qyj~IDRHNY&#TL-4vqWW+&EFSU0!P9l5(s zV?Ma@y4+*y!;6r-8)|X@F62k7$O`ft+YH-0K7Q2QT|d}?OytyEMkH&(%$tIF)QWvb zeec^N9*r4CaQoOJm9Mk*cO&#;d}Y=aeLFrl-Zhn*vdJ5^8M-PCNz1`%Y7|mZGo_ng z)>(ad2h9OYh;*bzDT$JbD(sG~UOtH(-htGFz7vgg7=#-ev;_=6u^nn4L)LX@Qg(yb zYZht(e@t8;)D{$k>N^~O8Ie)CvE|WYPE2#~#T!h3{1pcnuwx(zjpb5`2JLna{R2PY zs4-aLkHkhhH*PFP#>AMPNTfTW@Vw7H-)!)4e(=RFUSy}_1J*M~ABPS=X*<(L4d>ufN5NuvWN`L>Ms9R~khz`6V$@A2!|MUW| zR)6RILpSnM?dVvy;|&JXBalVjR!S6%I>f9Zj037Y>?41C;!)Zazftty5*yy3&!6hBo|J({jxCsb+-8H=|PeA;*2IJ=VEb2+Q|CX4EtQm z#Kr#Mu2~}(nL`2FkxEH}<>p`s|HDtiK!A#CeQPmAAzD>Te(1R|F}9Yk`2xxCWQ6oE z(1?^^l{h*%hrw*k>NP{(+cPC8M7T$=S@&K~eu8aI)YOUb0yE6FfWkgX%roYOlp zR`|4^sF4Lf-%H-B^6c~p0D(U3Um&EK?`N{uc?>(cMYS(sAJ0gM=P!zBM0zy=JN3qaBk={f)p+kt&h=_BZ?Caj-(K%I>;1<5dB(_(3<$|2^O^Ix@9Vxw+^`gh z1eb6xKaF1Gq0PLq)dt@%624<}gZ&e#sXB&rr`mc_!pQVj?tB5;{@mqXDiS$F+XE$K$B&K#p$L{go!GFJLUWL8-83q>E;SCSNw1(RAn zQQ}RfDm~t!JvYtTtm|nQ%VLJ8A@@S$LoPrH{W2`N`?;ID!lJ_P-|*7z!$LgHd)sBL zt2gb*EWGv{xKrz@K7#<=-QW2(;52ckd6(q02r))jrs?uAU#6VPc8h(WAYkb`rbrdlr7#$qy!hNs(&2XXoyIvWB3}ZXF%6+=3b3k1vRI zZtZ?^0hp8POSH3CO@Sl)J?4{3RPiwd)k?%uc5g*NoyC!jYRXKcaWfQooH~?-rhtJ6 zI}ztf+MY|W?(o+Ckz9>de^>@0>(bX|V~{)XKl%p9C9tW_{xZqHzpcb5Ms1M7cz$w! zbasXq1`NbysXM$Y35;hXS3c~E(@jqp*uI)PzfD0epWZ^nCLrQ1(2Zoe)lFUF@+7o| z%P>IiX8g`@wpLT93D{lP`el$0TPDx}%`{nAoiY|g>QkP0S9@>t(5wO8$gaz%_vxMg zpdSC@C0Dt9PZHL*G(-AY+SaOeek$Zw*r;p~aDQcxmUx+_Ejws{vH3Ucz+SUR@?>zxci# z!Cnq0H`D9TTUiwAwSDw3QpFfuK=h1UfISkjyLnJGoB3uA%hM1kwGv3ny=(NL2DoZ% zThw~@uh%(UP?^`J^dq!sYyfvzxE}CvkPGaYokG~rYrvGn8ytjD*n9J3)bfLc{RSpS=Ex;(;B%e_H&6z#&Id(4r&s_(-kuj5>=c1jJYoideg!~ zj|xet>FA6@o^)^1F>@Xp?r_Kf@nl+;wrAdezsXq!hQ6rUQx+lQ5p9~^HE$ys{*WbS zlYW2km{jL+W&^W;gbs$((S_j>l-Lg{8zIWl=q$b)soHH*1?I($wR6wvabQv`m=WOe zHkehSr452!$cawXdOP6RpT_tBhgQQB%yvvIQ9cPgZ7L=cN4lsFtLuci4t_H*7%x(9 zy`0y!Tp*11Dj~l}EMJ`)3S|55749Dk@89%_;qr+d9F+s7;F&wu4bnjbqL|?yjGmJ( z6n%L#vs;^Ymy6!Mj_;m%&k^M)ffYA8;EO!^~{D&IrHM>T_I-1fq zbIA{GLhjDZ3)*HV`>b*d8LN+%9kgKg+CI&YhHhe{seM^5B)b@n{VEQO9H{oto0zEe zEowJJP47ll^Qy;t)RSjx5bl;gru7)jadwnoR#N}-W#|^hy27*2Y$p=Z68$doN0+{G zcISBq|K}r{EF|SsJ&QEEF!r%c24x$6efp=?yX0i9oZXgki>=z&S0Xm4|bmzG-tj(%yC|?tfrxu zbc2;9_PR<=txIC*>z&BZ@R|}iAjJnErtW@2X9{}o+tzJ>{0u!n)zwG@) z@k9I8tnEVgj#s?$`W+sfD0z%mHlVq*K_|h7IL@avAP82v}$ERQ?+N5l83xWRGg^)t-j;CB z%WP~Wnq6@(vkai+8(L{=`BpZZ{EDY(z{9R2wqjsax%l+LwF9BH*#mAmNyln#}$k z_tjsPI8<9-Cc0&lsNXTzoy7I=f)=g>n$Ec5g|&4N2kn(A)?vF>DSk@C!RS)XfP&4p z=*l67n&sM+iS*{d0!nm(>Cn*7kN%i`Exx8t6;C$Yd)xqxt_?vIcvfn+zIVENHD1bd zq0XMgwZEzHGq+a%lmiixbwzrQ-Ob<3veP;}&c6CR19k3g5&q{LAy?qjMLvZHN!3hC zSKY@k+)VITlu3QyR|lEQc$WO$PR6qHjwQ3_P}%Y!&&+VwNQkk$Oc%feifaxzgq&t^ ztzzsZLY_VA*^C_=oOPS`2G!r}rAnMN%L-Pp3bch0sAVn7F8KLHsOztf=FVMGl#vHO zHiX0L1N*_z4f#!sZZoTcvrBrNA2we z6|O`Yx6g1v3~gu}Z?Xu5em#H#M<9~GNHHc&&4D(A|1@=ehk~rK>B82O`lI)FEJxk4 zU5k#?4(quQI41`1nHcXQ8k>zr4={w+`@;lta0)D54{cm_CK8at1eW{u7*u3V>A#1&wmo{5a~o&yejqqfm|!=N;SKcConi#M-<1z$0aHwi$* zDUj471+>0K7zV^T@IO7;kHmSr)pRedWy9Qt1Jv{W?k+qR`{JlXz6~e){L*mY&$d#h zpy0f5Bw2jTiGo9y!^oKNO;1YPP3w{8RcX+{N=@ukbz>}JwFUf&^G_mY^E{i(cWTx) zy2Vn>&^nDjelzux&l0p}v1@pkEcOes^m7H;r;2Dn_1znk9=Tp9nCkX z&b*&x%%lZ8aC%mSxImgn(;3s)q@GrKHDN{P95SDh_C-r~qDVDGH`a-B=mP`B7B zNjZM+vo0hr87V~B3xd?NFBQ6^*CYqoYvw|pmrn(wIy@iq(iyuA$vYv2V&1FE>@M+o z29I?Ga>d_B@YzYi`i_*W=Xp>;0EiCbyQUa1V{aja8c@GFy)9>n;LDz+;=-v>JD^w| zzHTw+W$d$EvG3smXnS^CH9w8%w`*1#v)9Pjut!HHNVCVh`cq8m>sotQHeijgJX9w?rB_pn zTJs}&d2xUJ>Tmoo3F*rf|GHsG?(d8?We@qbUQ^%VUT$?vWt?Xr`^5o_K|s6MlVXov zp&smC|Sy3=nrB5eERw6;#UNs$hP-wmz$4xX>t#hAf3J<}2@ zvsZ89JImHm(7jS;^QlwlST%b#kL_f_flFHW&hz?Y)wZ!}%!M7PyBUW~bJ+}{^fEM8 zv4RBi$#*^-gTBEhlC||GX4mXl`eI%$>-r=aR|m(%U|UDo@eqvC^AHE4nvUhG2%nkE z53JAA^FL;IK4;cW6t|vmy|4qDwff+`y~G~ZpV&rwfm4T39_3+&#U6k-dv2B^8+PJa zn5?^ORx!(?p?P?(qI8==EeBYDPn_xg))YL{a^Jv7uPHb#F0b0Q=SMi}8`ueF$DE`!c%`n8bKG;NQ9Z&Zv$eypVJf+GK-o-2DU&ypbhHFi}O8dYqb3eTo` z@{`Y{yd8^=N?4_K&V%<3hQ1LMbN6#2GO@ESyLQ~?Obc9qYFfePu|tXBU*k&Q%SP$? zSxULn`Z&!bLt~&I8N~JGLJAxMFeP;b4*Hd@frgq`kqtt8nXB~=-F}-c(!h_$N<}*@ zT=8FuYqaAw7t-S)>D`bKm*^U7tQ+3@j6$<7S@pzs-{-}qU@Urws|AjbyH zVK?#2Kb-1{Zpg$OA>}<7nQlluk4?RMnt3Qkx7NM$WnGtygduW<#43>zugRyQzyH0_ zXvEdr^CQ>o6vEuTXRMbi{%B}ecxrZd9&vD*RY!tSsy#E+#2*&Bgq!hzoO>2O2i?B2 z{IR*y-%4muAkTaFg(s}hk59y2IpPc+(F9#@4R5O&IAbvrCt~~+FiI?Jp1kL>vO00p zwbXXy1zRqF8db}!a`vbTTW?GX51}HryLTGU9NxQW_hr=bFPPcl?|2sV?h6C;!aF8t zUly^f+Co0#a?EOfTiPUH_l8-Y43KsKMZLw=0vAgAr4E0>I1e3WRCQ4k1nW%xHtb7SOOxh3Qu5)=1`|o1w zYL;bkdX-1hS*-Z;;^1TQ0y7{`ui!{O73m$9ID!A&)>M3EaX+{WCLtgC@`&zgRa=uq zv)@U1DI&U zY>$*V2ze7lDOt-??(4JBcB;QjS>ZIH$v=J&#XLG#Vh7SpD85H&M!fg&^=I%7J2i2@ zCnh@SJ^htv=|69H{{fW86Ljb&{=BpXn5(U3l@{6b^KfTPD$t(ka{Z%_3jQE#3j`EZ z+h9g9+ZhMIX^HDvXS=KcgAi8fqm(;NIEJYINIPw-aLOxo>C#+cD>@TIfH!m{l-@}{tR~g4H%+wfI z9!G?jwJEPNtcYO?JuR~^B@tSgX4;rJqk3OeB|}uhf(Kt2<0?zc`jW}uF!&SK# zVJ+Y=-1IcrC|nD7Avsyfq!-94qE!4&(3kpkbjpH~BgL}Is51*+2$TXorZq=FIQKVh z8F_pAyyb5e; z0`il9TZsh{u&A8I*e$vjt>ksam4=LyAeE0man+M~qF3kR zaV`sgkFuhE?l|C#jq3&m2QyJ<1hBdKT-Me!+K;o2rJL~l0T9gapT%&F#k#0jq%B0I zXml{v_IKOmN7VFRxOJMI^1}DDpfT?*6E;i#@K0G{Q2<-SJ%}Vk=*$bFoad<@4LQpF zG`Y*`$A7MM#W;kj@M>#CE7m4RNj+(l+>`;N>+IoS3MN0$bsialnMu%=;f@)&a|feX zEA&uO^Ns-Ap0>e0gvj?`MP&X#tF;`^dPVK+=!mWFta3W)l<2_%ZCM;-JYrn~Sx+08 zY2K#}L~D=PWoO@Ta!=6jD&vwZ!B6HTKO1$j_;}*B-|=3dLm4CFlBE$qs+JUpkB+tp z@PT!nk=c8xxqsEl-_UaywMQ^MDCGIj8Ag9ac#t5(uy<8_v^K;0F7`mL^iGasj+}rc zb!K=H*WaCmswDNMj`?Qf7~PrMXK_-DQJoP6|P*c&EW8*mTv>?hE8+H#SfrR?pz}(AE5R zalc8aQg1cYNJAKx>fha}FBDGbO^uNx_qiA$FHkmR_uswSw$Q0xP}MK7NyUUqdrNka z!91j+d<4S5G4u(P0bB9#6N0yV?taFPuzou4@*mvs{`nG~XmIcI^LoM}Xmt&E{@g7R z(bH@#tvo_!arDo-C{NNGt!9`WW5Qxw=WB%s-?v^C2<>JyIfQwCDOY;4z)eVK*c0RH zL>h*CIW&pTTcdTP#(ffXpIR5xV5hEybro&G6*ztV&4E^}nr5@c&#^y;6b5P!cGj?G zpI=dd9B_9T_2Vi*7OwBY|CsPk1BI0Ni zh?Vg+@gBJ>$4J6UM*@M|<_vpHh56UlMjapnoq-f?+mdd53n zq8AO525nDwUl!kZggTW|q`-R}aj;)@A3-(f>CQVLUoyN1pmq)^kBeFyZZu+X`=d(q zQQ{q}Ct!_=g|0NJaN;SpNmwv&$l*=r9m!o>c`O9Cf)5p@8flD_Ex#Oygiyw2ZGnY$ z*!DJ9iPF4gu_Rlb{!~=-I$*pUVH+__dW}iDh!g`9kO&YS+xc#YEVe%r$-PFw3oKzv zYfh}Mucrd!(|MolA6^b?XI*iVNvC7>7;7V4Tb}$y*WnHX;dVQLflA88_+?dak<;k6 zz=3e3)Bet1Fev|JCic&<8Q|&wGUR0DsWWFHf$Cg9<0zVCFZGY2(y{oYt=>$g&ZYBO zlrQ$Y5D{&gzAW?Qkwk?Hy6C|RgHG&se>^MJ#f24&Y_$E*cXT*~5sPyF8A&zqZayiZCO#RnNuN(tT{ zSylVP0MCOcN>V`$mjZ+!y*Y-E3*FG30yL0WL1uLQ%kI>#nv=b3Rg6fmdGU#_q2VOK4)84-`Uw31d-;_NZT9F zVe2i_7g1yEe>pM!l7>x$BweIXk1WHv`5Bk!#C4bEay78tIZ3#h@i-_#RU1TYzT64u zbppKy(pZ1#I-om8i|LmhJ0nXWj^ML*awTH3Xsia>*NdEfqg3BXsz5WsgVHlBzZ0$H zk_R|e-d6i!g|61GYB8^A!Xw=~-1k;jIX6(A@b?CA+$Ho~6bVRI((Q&Oy=8LsJ$({{ zJvZ^4f}n87UFeFQx$J-+)3`TEOVrBM>-Ru1`z*X8xsJJ~v%9WfW8eKH6Zzj$XTs&* zj5`219N_rmp2_r({#0(-#K28FbC%hK*7nIC7*_l7&U``2k-6xQOB|a^&K@`x2D8Dl^ zl_3Bak>EYMxE$PW?1(G%%gD)|>>Q)}lO4&=h>x8m)-GTNz~r16fA4TG~h>>z&jg zFekdeKXBF~pNFUt<8h=*wR@l<6{7@yee(2TS=`oET-7n2^h@6UOoE};Fv;c08*oAp+YyId0b5&PTeVk&mo zudJN-@Ql6CO9Wa@#xi4f+peK7?luc|9)$Se@gJRWkuj#iBDRyX%~3xO#TjN2I;>FA z>ECNmn5mQ?<#CJ@TMj!equ{i}su{BBSES)NTaWHljH=8C;Zmf5u=xCFsO?~EvAmnz z&`Y;W=Anj-qcAr+a(k{(kyaviQ-e-p=L?sF{jREk4P4w|%j0ZVF{OytJntzBn5UqJ zn;YvVsYMI6WW8G4?maSxC*i#*alfgT4%8%uix)4x_ScIM388zPanCeQIQ(S^&nn2{ zB?=*-*t(a60-|19GO>BOHs2}lE~wrogmEFvcZP>%cf<&ulE^@sit`ty+@)x;Rjl>%YfHXL3*sFrx@5(kuZuPP(){b$T8^#!48z!^OP&P#xExTga2qi zdK|IRHNd+>+$Ay1*ASk#l^Pkp9zBq&f2ODg)K4ufLr@@XFE3}Z=%+1<_IPc#b5wIfzN)$qz;)Or4--iMB(z5$~favd^Wbx;F|v z%0UNV(vaNV?ADl6iQ9OjaZAl;owWRygU^?ol43m;7iOJ)9%qhHY9G~^sjT19AnCt94s9JBY zL}{R%Oe;3Y+Nt(O)y$vZsJjShLCnLPQz3r*SFH!)I^CxlqtT|&eCXm+b`XsQyWC$@ z5$lbOJ8yqH@@>h0l+@wePj(}IDgslw1I&lTat|uz#Bt8LPlTa2E%6&~-!Y#PhiR*I z3>IV#5?WgaO=dTMSRVt)S|>bJ``%GPcp{$w5)KH%nSfR$_tZmsnH;TtSi6!QCHvk` za3D*In7O%7(++mc^XF!0Jsi|lU!=Kqx$KAy#kWT59WHHBV3vpp&YW>zm$4?50V3J` z>9->tm2Q;@ufGD)@vP9S5g3qEY9_g&rBWv9=MoTO+0HovlmqJWLA#{o5`Ze4DpO1Q zK4z+35nDT-4vmL$v;=2+`aCL3DQLrI;imfwPWL}?K?1v6&kYUBPQC!#9 zY!5zP(P-zS7e>h;D<5QE1=zKcg{sY>1zNEVkd%Z+L>w5XE}}PX)V0TmtwS)7j$l-@ z%kSoOSvo)>Bj>s~{3W$^q)QoOE6^$97Yq>l9g_@~2wOS2@w-mi6-FrGmLZj$jn!jK zIHWbD;Q4dOt^m?J!%5H`vp%S=*pcq#sp*nje=ElRXYK#bX5lZN@x;iITit%rcvhQe z{mL6098AQ3ZiRz%CW|y!AP3^VUd=W&H3j+T{N4pLi~MRkJrZX?W%TH1T}^HQ<0q@} zQ;$Kc6h^t{Op#6PAZ|kxL`spa|4GC6R`Cx9fWo>M|Nc!?76Co+guBXGow3|t7<8U- z#Nd?#8&|H!Mt(g?NUkb7>Q4s%d4_*+063KW|Ly>gv!V{bnL_Iso|di=F3{C{V=_d^ zXJo&fZ%3l}H~0QO^#8*L+1SJaR~FaO{lNlmg-|AyFcm11E+ve&i7cf#DZUxmoquAs zxTuC#daL|@YyYd&2zgCypCMiO@pHdIt5GXrJs)c|#(=Seh6GUgGt<}DoYfs^iIlnK z#JbZm%z;oe8+BOBP0bM!s zWfcP9duNM?dF24HgMKWKA{vK`OyG%Ew3SF>cRcaAExhKWkY#4iSh=Xg!?O?O#-_`% zHR!cPth$GA8x`>Y#4JSDUYK=tkoiXKMc0IDvE!2jydyRGUy03_BLNmZD9klqy z(s2&OEO);_FZWEE$|3&?N81oPHyBuNpIH&T;8CIL)ns7p2W|8F1yvEvG0*0u* zF#c2S){P%EQ9qK5@rg_S5d2eex)wm{2^S_^EnLjSLgC4iO4bN~Yvx)dYSfnvzuosq zvQ$%hJUIEVV)h4vD=@2C6543xbt3F#VrV|~2ln(w zjq_J^5~I%lav|tv*}wKOf7a{Jz)&8$GfV_n5H!i1dB;BL;c$ z@mV1+`K)_fb*slIFJn5k&Mc2XSZU&|d2lwG`fzjoYIgiMk|epXO)zhtIuO_`A$S+g z*W*sDtt;yc{O%W78iMSwZ9d0Poe46pU#wAPPK?+#qTRQ(Dki@|Iy|N#;(%*`627#c z{VkfMitY6#xij+!|4}<*v1QAl!cGY*X2-enr&X(#Z7UXAmT#q~n)G8o%iTpU zlhd7v5H-kdR*l|>`gG~pr4Iuu%d1UiO4vJVNU26o-P}yZN2T(-;mywLv!82Xf()={ zEuGgqG#0e8sWx|qX`d20S&nqHwhEfe0+uqPyRtV!2~W<6?2?6Llj5ubR7W(q%y@;e zn2n5_3SOr^6rxDmxb{4btO&?~_$ZO-sQh~0u7QOwTUzQtuFIY4m3f3TKD5$sA*2~h zYN~@Xc?$-Z%|z{fzO6;%Z2%%w)D7S(C$itWG{0Om+8+z5d>Y9riHxdO{s-#C!e2jv#O3L-C~RyT=K zUBDu*sH5DCQ;qthQ*zy4eWx2A7w6Ksy;%>P^ab&U)3WtGrX>t}-oL7U(nh12=Km(L z8-K)~<4NoKC&mqf9h1j!iEn4NSzDz^F5=#Js8gfvjekzx)Cc~>)!--9DB3~uwsNev z%Kg&i71Y(-H@kbO$!2ZCFrSfF-~aM7Fw{I8XID9jNGweD%t_ggyCTvOky4`dc(f`J zMQUsLx{%;y6ATK8jv8KzwF{yoPLtrQ->T+LGiBcvEZg0e^KLEKv-**BEdeY`k z5U%E?5O~0wq`h9|_Dg*uQoLWBp3VB&=FE4~8U6k@XG$^&@2;F^2BCxv`{K>G zFmvrdAJ5SRE!nF4=#2QA0yvpt?pQ;33z*SDX*`b_2GsaSAMCk^5ps$iWtWQ+BlPVH z{OUS)Ciuzt-QPO@TO9746VhqYO?oiO-g?)!zP=8UiW?qq&swWQMpqzc$9&bk{3W0j zxen~0k@$PDzQ9lOalF^sxt=dh`Dx*1k$n0*poTKb=jN2nyzr53=7e~2ZrRxFY;Dgm zLg!U)h>fg!U&hz8!d!bgE!e=2S|oUb&t3=nW+**qBE>b)6rhadXPngcg`iqAv2bwn z9cHvUYF~T;m_b33pBnR^_cxVlxk(T=7aBcW*zXx$|4Xb1=hau~-kxg5ZRmXngzM_i z(LvMn{&4RRKtOznBXk``NZUNd?UGOVBRVE^H6Q6q&d;xda5{2Y9TNW@ zDGcG57G44ZEn_z` zwdU;%>+0TIzh+#pCQH@Sc<{p+@^*mAccWuI{4Sy z=r9VGai!}djo(txwJ;3oVm`zOi~U&02fUR~9=1SMlADD}Dm2Bgpq^*HR|z^L7ygSJ zFaW(q+})G=5nb|Ca~%;@5+rn&P4bH-6INZXDF-OWisuK7Z{&JfzZ{yKBZh$@D`$mt zqbFa0xN_Vkpg)pl05ODu57T5DB}aVPb@az+FLUu*YfLLd3tHa*lQBjD303nN~ul-8yh0cy!RzxlY;X(5+gqP#^yyp7%XgwZOKGoavWxo=puz9ojoAYJqSkK#$ zbdvAFQuG-Y067qF9wf!#Lp9zpAh#FJI6GT>-|f}pt6e8iW+4zLgv1GbL;kd2`FmH* zQ@uCi%U^v?h|2u;zk8Y_yIYg4NUS^;x-w$vqiGBEf8UZH)EJF23UhP~xN}A5<2{Nv zn8X5MKC=w}o0s&{7vSK| z&CE^z_sjok+z~s^_}hl>V<89SYbFXt_q3nqD)vWNkK6+8kqe^Z%9&cpY2H)Y?z_{w zWh5!_b2+Fijr3s94!%Zugat8iTrHurerAoAjpWCrIGL)+@2LkfF^0o$qgY*b`?8t& zO-xK?Yrt+FSsq$86!ka3Wsi3!E3h> z7YdAa;FxDcV*mzlf#`iMNldH-4j{FBUlJ0QjZ%%@AE9Rv{1ztxAGRDsqh;fLb_(uG zUJ3XEp!p{t{g=-Y&A`Y+Y4(@xAN+&=TJEAJeZyT4UoGrB6@ldXMegiAfhKni#b=)C zwKHwiGFn2u7Odr--tenLkU0UEqV2ezU12QWS?qE1x5BT6<}BmU=v$bOp$ftPN6T^M zSXld*j0gxE`0r=!uL^i@2^Ji$l5y8BK!#`kA7&E1iZ}ATHbZ`#u`8)xR08+RR4wA& zpNUJ)}QFyzaCAZaKlz#O+SzMc`fRPSNB=Lq->YL;%tdh>f1XUoi*$kxV|%x2B@*W-KYw(KwbsjU=8g+D*wAE)l`|Ewtk#pZ(l@0@R*MDTw9 z|MC5g*Ah>nEcw)H6@&ACaTiigI^MbD7~CLYbyI9xY;C7Kk^_P8@vj(rpY+w)Ex;w! z?uBQjF{{oc#sskSLH}p}vO=#V%65DaKYtE0JQh&` z4Kho$qZJK#aIEfTjC^%-nsCDax$Tyv+Uz;Gz>juZ*I|o+OL#~N?<`vZVZ0$+4j4c4 zpTB(B+<2+ZpUw<~X@yVKwQchNdjd|-X%=-w$5uT6ENsnAZO8d^Iy$%u@BRdQY}Twm@g!(jWl@j5UZ~S(w)i0%6i1z zZzc5o?l*zqXrYtl+uxG$VXY|bCsKk6f_vFS1aj?BG94Igm5Jlw*nGK@Ej0w1<%iH+Sme37&i_@DW*?T-8W=&pY~OpTJ1u_b88#Ia=okd zOH*1oB0q_~!um9^!j;lhL+8Zb zh!R67d3=AKfbd4gblfXBwfYH$F@w%BwG77CH~uYu&XX?;e3PZO^pl^^gP6>~M^B%| zoDm~nzJC9Ho28O|Krmw@M^^xupD$2mB$ch$>l+ar%>%4QPhYw*@Ws*AHb;|#>v@)D z_UzJR*(eH*%rQi1xh+etv7g>RiT+^$5p3g|SO1h$P;<%o$RH<4^NnVksU`!b4ho3lUgc7D6?blj>+J$1n2nm zrFEZp7yD-3gmtleCFxy)VIg9UDS^DG|C81}LcGLm>tKftve&UAb=Zicc?S?BWaFao zEwQJK-lRQ3e{agtbp5bd!ls}AyecbUP}fT7TOgq+BfY|Vw*@u`LMQrMbc-xfRj~ob z9+fQTcqozBUIAJ_2XGVDz@ zF|CI^$h4owXull#+mAl>Bk3tq4rXR4Re*b__UzFV197tId|1?n{Drf=TrAOeOSQive84 zaQ%$$H0<2CWs5W5SWw4ag$ z2B_-ErkefRmF@`&Q=BTPR91*QKNjq99Vz>!4@dh!wUdq@1@yjOo2oSa-P4wCj5Bb@w+*3dRIYq;%|^ z*d3d=sM%tykA~&!b7s!a&`EdQOYibdpYe^2JqoO9#we-j-?$&YZ20hu$9kWQ>uEYc z>D6#CWU=9eTC6C)L)B`C_`OJV&Q+CRW&N!nX--PTUdky%2jRAik$wDql|PRBKmRV( z)lSBS)&ZXg2&9V%S9kB$;9!C2({Po-!op&!GN-A=2!i%eF`vD1dm7&rFyh>(&_Ckx z?x{0bY_S~y`h*I#a2ZIROxEuP@>7r zKsDvBZY_Qsr7D)(t$0X}Ups?7Lb=j) z542^kN|!fD3tKaBD;(vLkKsRhOGZM@%|Z8uyJy*ux#m75!$}}U=^^smrjTvfqoL!w z_lXuSy`sqvlP=86_#kP+^-DfRp3pL6{PpYc^A|c9sz=33^NkGpimiVgn0Ft_i*&C@ zs&2jwZF6>~&iPFz!G)FT8yWNbnepVRy(wzZekU!Vub}DWLhrJx^^ml}rbSMqT|}FG zXPzLMIC@II*ao8D{ZxOSzJRjooAY9*#w2N}ZFE}8aLy#e!~ylIr}w;XEnl~lsn~Hi zNubs3;ro+2>YZ#Yc(jHvB#Qf2fJ^q$i6s`{oN}7D@V4NKVnuuLWs38hxD&D5td-=l z*?gt@d`uF;kRlQk|Mq_Vhrs2R6wf8AsH>eFrI>Toi>QjtH3je9L}}VwV3kv{(Dd zr%TqxU=u-^kCeLV7MeXvWsZ*8FNIo4CHr`__(g><|9EiBKvU4BPhPLg-c+0Sj^v$y zGun~~KewvZITeDK?hQ!xnl*kxrW9|;YvP7n#O7kxb0W*g;m!ozO)^&CmJlom$AI?y z`TE1nr;2`+=}S)@Q2h!V=|RnukC^i#8L{9;lW9|MrLoMN$Y}|NDshoXR(QT&P{V%dFQNg(@^x>3+b;%?kqs& zGz<4~X5}tHa*X-AXUTW}XP3UCGwtt7fA8l6s4jD54DRGUtK5=%DFD#gS3$2ks$_e= zr=O<^+bvR`PWo=ti~o6*-%{5;sZ1sA_GT#fU)yM#bNIH|B4^h87_MK(9nyW#g;jFZ zO~Lq{29x)mr4(6uD(~yJ0*w^+AT4n<4vz#M|2WB4wCtADeS5LkB7Mef$%nTksI%!Q z-jt*~*tN#duu6m3{kdmiZhgC!UV@iAiR>KKwYqtBa67%*E@K{pCCcVTn=4OWaSttF zDD3gqm~jUY#a3|{ABj`r3T1RV(Yu>Bef(|ZAeB#_cYdGjFFhC%8GbnLV2qIEFJFeC zmUM>BZI6F-sa_OQliu-4<2X&ud8(jLpe#P;YAJ-CL+tMAhgzMy{mi}9{K8BvwYx#} z>^FOZjnoa9qF2>Z7ebFe90Up64Tw$!l}e(*Wx)wcrrA@Sx0gM4%*2|+BQDOip$_0B zU8NSr)$bD^k)!Kx1?^c(EC{Y9V?NuPI4-lPItVO2s+`jAf1VXP(B8WMIiSADiJ?SE zQ^KwAC1``4HW16=%#7u^fS{(lWJB)n+~MY1eZEa*~Vm}?n1SUy!jZh@pKtjimw<1a_H zY?n!2FTx}AB9yZSQI&T;(VjeN?A24YyHTvzHmD9R?y>#kWAj?M9wp{dS+(+3 z!nlaO;UkcKh2G+T^|;(`bK(PAbp#NGDl@RIG0DB!qm1n~U?=*N3+T0?UzHZl7>D-yAvC_A1#3DV+9 z{4?RBt1fMUTblavp9<6CcVv9;7Nt$j$)M!`bHN5VH=UxuJOmLfKcIT1x>$Be0S{&t zto57aFg5C9z<-<6^cm2dYc_=M_c9$wZw}s!cvIG%JxZKjYfC@58HSWPdUzQO%S>o< z(lu?U0Wy-D^#LI{-$G8GtUp)@z*j_w3511KwjMpRr|Lmbbz)j@sq$K;pb_c=NI2XY zLCB?Suq-~2;ROE^ca#t`O<;svrIz5cDIF9Xyvc*!cwUg8mVlrJf+$6NRcoIDs5QqZ zuOkede*MzIiKM7pS)QYSbXm>>ueGEq>JDC01KrdYo7-DvCxhyIv*|ZIQjFXmu)O}a zYuo=ShqrDxDxN~DKJ^sh+d1An+YtlJyM*CBHsG&$tKH|6pX*@O4=7XEpOtg10#|pI zDde)-YPBBVgIrh27#eV{7E0b-p)-7pwurOn;hPDi!H4;?OLLEC?=ty3SdyTor5B$Z zT9QkhaEB zvOQh#O*Ue9y6Ska7Zr!hz}T>=oO3J@-zxYDd8U`|?L!&U(Ax?s4dlMb69~U)Iyn=O zUeniEXm2VQ@-cjbdS9dF^^A6*$xmi`%_YeXFHrQN^_F6%eoPKGX9W37fMVuiX-wS2 z!6(hfkAfmVlvILEx~VbwUWip&czH34ePhjz>ugBPG{a>?$FhNcN(S9m@_Y+iA(Co3 z(-8o17N&?hn2A{&>@8S_A8W`;C_?U56We2JJo2>ZlKWhMebF(cM|&TL(n~F5 z)rm1S$=4Zt4KO2YcT#;d?-k3l$#vwitV*Ea1GpQPc^%OF%o3}A( zXVIA~V$@{jFgPaqYmNI9G(L=wx9*eVH*`6Vbv@Ij3s9P#bE;N#Yi`k58X13$uI$(T zsx7^Fb~b6VMmx#rtyH3sy`|ZR!V+PAo~hH;o1`S0%e(jel90_OjvI*9Xr-f;U%i9H z9^U?3Q64xKK)?PW(J7?*fXbEU@&A>FMAIym7#3Q0AobVoed#ta|`=fhQyaj~k z+64bcD_qv<7}(}HX=!N>!+|TG-DS5sv>8;;K+w;()~j=aHh}W{#fuco&s*cKOsOV& zfYkNYy0h|MH@-Pq*>;;um+A7E$><`}zH1K}g*%7O? zi^+G=u#S|}8Q-B3G5K(($$*@1mKQa(80x9#cOv`|dbbQ2#!8rLc>rZ_BBFHn=|dZQ zEO#!RIZWCaT9zl-hur0HA3T1(ztFp+ys22FP%MR?ny}QS!&NZgj;6)xO7e{Ip-zkI zGkLFliWT)4%|;lMaqoc0&MzRmBC=}f^g`d9>jL12S`Rkk#QL(6JzSrA-PR6{WG@^+#2@R$`FSS&M{s>PbG zRYMkc9Df*X6L$;8oN4(B22h5P(gQ-DzxbF!!qYmEc?|soreY2x`BkFbM`2BdZv>)oU$Jan*E<2N8g=;Ysug&zU-zI9R zY#a4MizEyy=_NHzd_p}BaoQw@$g9vI<~m|-iiz!#_pU`~zUr^4G60rj2*UkvfbKnS zQGBW)fBIa;`F*B~7n?yu^{tzxF|PApURG2wL<|m!w%K7v=m80i>XvYJAWyI4A<(lx z78Wu=htFpjdr!3+?eXB!sH-{l+1}o&1bptbPC#|o1Op)T)-z*&oqup zLue5wUVNJoxFdO!Xy1hC&1m^#t?XBag3fFC6DM=*+5hX=L zKthr3MvxMaZt3ps1_cG_?(Xg`NvTCQELe0m+?V}*=lr&w-#K?*@4o*nSZl61*PL%W z&v?c&hFJ?%RBNF9V(a=S<-YFio5iv(^$;?+r2=z0wizi&Nn{h-J2G>@Ijc-gzzUXkA$;QNW)NnQ(^j-e`&->NC__{gg!@W$R78LjW zsx;60zD=HCR-?v%(NPY>8KLaA0n+$#-$em5$F%34H-?9`DH;76+UChFd@sa>!rxkV zZGPulE2lY`Qt)^}x&WrRLPtU5tICxjz8+PMtl@|)2^BJx$8Im9cn)%CuY5Htq3b=L z=AaR zJ2kG8H5Tcq@$go<=XZ$Hd?9gBAELYv>Ixj?x3)hK)lRyOwew&tEu}5>F%EuwuT*7L z@F8w(8dX{09nSTIW8IIo{&TS7g}L7x%BOu2I`DgDR?_iZuLUsXXn(ETg8bD{uQI{U z13UE>kaTKQF1mjb3!pslkFr$`V_yRTeoULy$wDI{iNDwF)b@*e)SAscJ>Mz|HHACy zL4|JA>cMMk9$t_+$bFBjl&82R?w|ka(V-K{r5(&5p9aLVCt|x4V55)aVp}x=Ja-$X ztugs0oR+^rCbV_md7a_wL_e(e3<^6=hI_fET}dVDmT4>y;B{f!AI$DMM2wK`*#s5Rth<(o9&|;ehgFg70@{K;k;KP zarm0l)77Wpbio_5cWZLqDI({Qbx{Y%W(CKaN`i~kfz9a5bZ+4^Hr*I3!}e@;tOBCG zVatWZ?S8ra+SzQmGhuav>gl{E=+&4UEQA0_2jWpf4OEmA5{Kqx!H4^&z*KehxUL+? z!}f@fNL1_+p+uCN@>~sFb|7*&J0(^;*#xxCZ}=KVC<}maA_r(~G&1}rk_ntmb%#tW zD^QaCE#K(OH#fQCib|iuMQc)bacA9?B{fe=%$olS&HcukKsuBx*_WCq0q@Q_QI^$p zzPz{C7BM3LUy}|Xi%m>n8dY;?9$MP|3!ULdp6_&te#6tVc@XoHEcNSMoGE_M)7^tt z%rdY)ypmECYJz!@p$$xKU{hCYd|XV-`8oE+aY8WS$81h-yfi7}^eMHFxhXWq#iU2MAB z<6Wm>n6+9IF(DMDW@3%J7I+H(tDZAd6t{`PqBAY@CTaU)kV}9YKr;2!Q#HzNK&#bC z4K$It%q0_8E2j4j73O+`7j3v*9z#YN1e**nDL;q95i0jr?{}&+6t03a4%{sHh8V`I zymVI|0V|32W5|3uQk_HI9KD-m8MsyZ#cq0^^~_kLXdx?yIy zM2R9TNK^j8Ks)9H4bxryf=gTX)dh5twxhuxf2Xb#y6)s||hBaFf2hUa!g|XRhSO^|y?Cy>AD3_<5_EHI$c)$u`gB zpvT|yopk{M{un^#D5!GsZnzMrD-C|}L*_v>S(5x$fr>pSqWBD4uBTzXpoDsG7n#8i zei%`Eyi+OP5rCa$gNGt|djZiuu89c<$X3)@$;irz5qj%*uzEoVKOYu`#$ugdNC9$h z8jEiE61#1q2#n4BFmbw(>lW9V>T1!XymrvfZrW1o)Cic4pYSHuylua8g!0)oQ@j<|m=b`qz4S@i zb?@us9#Hq<{%T99&8@yV$g_!QfWF(KoQyNJfb&TUjrq8 z2In~@0YUKIJWLHrkq}38pAr$H3ncgDx&&GXW^IqL7{{S~xBbR^cm62BQhd0AP~u-y z+`u8DO7OTh_iNq}0Uz`60vcdjF0nWaOs;+O~@`>zg`p$Kdxh@)Aw~e=zMX4T#(19D_y__6_r`QE`baZ?9 zWQ0!rw!2(bVGEB$U%bHlkzYV#Gxpdod~c^b7W)ybC08`PAePp9AQ#J=1>g`I8qu^A z{)eA;Pac%IUc*loF9biuf7w;J&)TS6I~nuLb)a?#C%@`S<_!H;VUb5QM1hc&Bh|O* zD=nY81hQZmEaRR9C6@&$Ys+gwOTeSe&N}}|Ll3h_4g@9%HM@=T-Rr+}%AIqHDzP5u z>2B{)13hKyV>UOE{W<5`U(l2nPNyeViSTB*SW=(xfL6`8{M)y0SI+i-?v!9D@tfpm zAL4H{>JJB03b_{S*~N~6 z(SUHyuVYCb*L>c-0_~OVUvEEmOWP`M80=8!lOZlrH=b$diut(!v&h4@fk2xbadiIb ze7^SwRbmv)j3czc>JCgy6*^qqEYj}|!W(?bA|ML5BtIh}x5KuUCYS>obCn7kGq`*Eyo4n)MX&&~>thz&-HTUOCh>%bOkv`dwe2LK*nnFndHRc+t z&ANpe7bPVFb7sJ3l=HzivP8H2B}SA&d64YNyq~NxPpVdXHYZ00Lu_M#$Y>ouE>+rR;deU`qZZ^M}g zh4jDjtUd1PCsp$UVb%j|QuureoB%1iM1Z^Ki_y4~Do*ar6Dv2L=L=rn&+qBBaDU?m z%W}Vkqo%q%-7TAObG_vrusNQq?4Q<}nt@JN)ip67@F)lhIjVEYM7&ax$QK%UOik6H z8?mdV_N232{~0&7ODwYy^?OUTl@RPxQAp%$y11%>BdlJ3weWWKWgX@=+H$~F(C_qz zf2KnG53iG%QKZkFk*)&AYq5_X!wNwK+iVl_!Rh89FAm_~ew%A>Ha?949+{h=J}jsq z7{3iJR(Vw1wc6mUnL?HnC<^_r-Cx7n?=`puPIU9X3m})KUm5s%SnQ=wXIS6vo2gAW zQer@QMqI{oNsuyCV1|(++fr0dnGAF3PZx+oJ+7(+zFc(f(tS%430<#k#Ob27RGVu| zXbj5WLkJDe8x&(wy!U;3-knL^FWxx;gXdN+&={h$U}hq0(`#q7nbZUls5RA|$yHhd z#!Y#a?KR?!Jo=I2chPo@7kOW=ZmzkO227`iy@{=wJ@{(BZm8xlUcVp>s|P`z?Ny0!n9H1@f&JHN?@605XK>E`FF&vx4|?4z}nGq?8w^NrUw^pg9A{9auY zmE}hPglss`>s&Owmo@Kf))~0&t3UCVVtxMh?Z;b5v}+({@^Zl}$#D%8Xe`x?6E_Mi z2%9tldHimC4VN4n*pFA3+-G?n7e3EQgX%fwpR3DfiANPuQ^{|`$(E!4DkW%ea`ZV= zsdR|SaRLmNu_c#)SadWrx$pBjy(ppHmg?^l=W7?~UUPk-R>3s+j+}Y>ajyD`XPEl= z9I>`lQt#?m2feQ|>xsx;1%c9Si1oK#)qco%MYCP)?V?szrHR~#O;|VgADwxxt2a2k z7ZmiF#c=Pd17-f=>wP^2Yb~|khE=u%d*g-W_ky;)5dQQyJ zkfvbxlXXyzO78N0vJYu$obJ8;gm(f`b&3v&=zw{d?1@s{vb*hQhK-e(R=M2(n=0NM z7!9qnBb%pWoVq;1;T$Y*y>w}Mu>{J^8;y)_z3@#oJKb=A%g)-;u8=vtszu2T@KhvX z|0-xx4!vB<YV&hc&0VA;G&nL_wk)2DT|Q@fF?6z+Z9iirbz^faVs#l%x4pw&zGs0h za=YdIcWaRySc_DUpupE<<5$~Z*E}*N@sGZ~K5AuoI$@G^beVnRlDOBeF_@ z-^L89EoytY#4vu9)_^mhi^&C;t!i|ax?eiYN_qQzrJycMz+KbbtiSltJ)4l3HJuG0 z@~6M}#ey+6I3o9B)ESdCmfk-El)jX&D&><{UR|-6g0a)EvhuhB-Qx-BA5| zp|=NuL)xWcL@EUO8n*!howq5&3WLY-D*W?0k(Z1Pq@*FUO=V8c^St6`mCw*iEY;9a zEcF|XqpxdrLT@9|xzo0&Dvfrr4gEmtBeLD(t-icjBT*e@7>M0e{iVGOamRfwi#L2lwkvtJ0$W%MOChnS)g~Wse7!*n!9=dWM zf|zc*mRPkRI5_x-ZKovwWw171aj}6!z5}SS%^SB=8)ZFdoo90Xl(S=W9UTM3{#a$Q zu&fQ8g#C9MNKRW%Zg2=P_R8c2Ey zcsO6*pkl31g#9y8%WHu+Iyh$_ue`MLWFk}CJ@AX^a@BI`l`A~HBA!m+O@r8YosQcH zb7=CwMN?1np_y%iAK(@Q)NwO%sQFXrVZ_K^uYua1twRJwSy-5$wFs(b` z-b7X&V$=1pS!d=|m@l=-1cA{QRFv@NWZGbtgd=a3x5QTe9?AgwF(I|(c9_?8>Nsrh z_DG29Q=71a4f{+W$Qx^WO91#eqL(@iyjdmwkC&hjKg}ov)@00vvHGDirx1^z> zBq;a3(UTR__IxoDWp#Br=ToO0dJQ$;gd~TrtGhjF$S9*^P}BE1G7M+1BAQ>iY#88) zT8YYDn+r(O>O^O(Z``GH(7yJ=fVs#wN9Fg?t_#g>YTUqwDd8crR*-~5iBs`4>!!eu zyw-jRWq_n_;|cDz*g25BeTAjoz4{4CK^6EY)0-*n|gj1UOq zN;j?RzhKhmS)j|#07GU?_&L7^Pv1kUU(C+dHUKJX)Fp`*L9Xrlf$IvT=j-pT7%ZL>>Xe5n&oiVIx-M6?n%Ur*kzQvSAV^F!^` zgv?~k4Kh~}p#4Rj%yM~g;Kn;%F9WU%qgqzu%UGe#?iFW^ADg%HA{V#X7Lix5q^3NZ z_ahpoD0_f^*?ng0rjir#6VR&)sY=*<(gf1LGdAlO#SUpfy!yJ-dg}%sof5x2(S~0!fPwzSrGaL7Z89DIZ8p} zI!aKaYG@KGm6!`Q8J9~+*>xCSzg0?;VJLg*e0yilQ8nkJ!F1?M$nElj4pXigkmKoR zJEIN@sLFl1OVis`z8M4+k%?{3atNIUwm*{MTwX0k57B#8^ph;{v;OWF7w>4k&k*$? zK*S;e3ayY;$#~-TV9x6l@TF|efne7iSi)`p5-`6gKwUew+;C)E>4jd?ouZ${)l#9D z?YBGrGti<@Sp7*e+cY2lb*gGNxeVTNwL^T1*!{}zz36)OG~1&)RAay^nwdNehQG$= zV;;25Vm_CCxfe0f;2cHg^=-~(NElAF0?;UQ)sQzgY;cI*evYO)r8Eou`gQCW-m*z} zb&*I!v~7f1{q?uVaB6=sZ)f3kxR`%66Z|7FgbU_Pla1iFu_-_HFHdk$SBDg;bzHSg zdn051Y;?V}ajiaTH5CyO=*2_f*K{wjhDv(!DhdTZrp@PBFiDf#PHSRIfxkgvCMR#p zdm!~EaavOfW))~W-`_ZM){a|q@GB>*#;kB_P?5&8?!k{8a=J)A9(J=&9iKa*ibM~F z0*B8;6o$$0XQRXm@5fX7GN$fB9WinSs zip$2Nj_$3&68#Yyj&p%=_gv)^4gF|%Mp6@L!exTtU>TpcpVffrpt$;p9aZ0~aetP- zV0-yP+ko(4;-y~a8)l7I=FqTA>|evlDW~o-i@EH(Y53{o6Nk62nPgBT_B}ZmwEI@- z(s!f9KOcr|lybNhybCrV+paqa2Zd%pS*}Tq8B1aeiHz)y$GmwBo!QG)!<{WnxH{Mk z)*VSTEY&&u$foZ0f&Jvk^I7C1idVgJjV+VDuG}uev=NAH{j_9dLEJiYCw+Rrb`@=GX1qi(Xq#oN9ZU>6KH|9Y~^9+T;qAx(h#@xk%mW7fV7v&(;rqmb!Qv%;!wtGBEh!d2I%<&cLPn z_(pAfci+qoQv*QX@a~GFxVS4S4;Q<(O97iHbY+EbFE>l_{=*~I>YbUGoKggKvxx=E zNMUa<6|-Cp`yr)n*UFy8yMT}MKK$hz-GK9ngHOmBDL|5IuQsIc`hMxbMmG)ss@EM! z8%M#-J@SB%{G&@CP0+RBn(9b-S882}ZXVyx!C>@4Y%dG|^uG z`PvpY;8AOF4DxS%<>eU=1r=^LkqFb8rOLA4%nvo47YTA2FIfFhklihn_YKUYsr8!mM5hhY*?uCy+VJ)mZzx5@BsD zDU+5baGqNk4>~rwgPxbsJTA%NCV$K#2g$tFfrPs3bl3XT$Ry_k^XW>7#@o3|g3}&K zlAqZ!I$KUy0zio8b_Ixxd{0e%Zj6~g0bs8;gbkr8UaLG#$ARHMa2!@YI$FSP`f`u| z9>oQ>-BvUq>%t8u!!)U@dgy!hP4_tNk&W>0tY!@i0z%7vcyz0RWZXp)f(>IvMG}NZE^1t<T(>0f-JB7~Txa#XJ^@-YcD9jn^cOGVd8nLO;Ub(TtzS??)aIiSS^4@Mu7-IF=?O=v}C9{hs;w)r# zo897u$nkrX<}ZDnG|i18778-Q96wiVWE-|NBIc7sykV1y9m;ZYj6;nX$#!}>56SIaE_Z=nz*?}p6bBL z0ZfMqGkM*vkUp_nco2l(?p;>;T*(3MoG%*cV)mP*kg z14$pYXAK7eT`92k_`cfgT%qPu3uq<-H>{gWgmm42hHfTw&`sV{1_U1J!RCU>ZB}Bl zfm5^<_=rBc+)o`ZKOErsOA)@t)@bg?4-Tq(DPP(>c5&(OLgML;GruYO_+}&7BOT%QfpsxdApg@OUUH9T>V^AH;+h;ZS(9V^sEr64HF{;COtIuksAZv7^Q*I$DqTR6C*PZ!5Bt3nk?R zhq48es7siH{T8*A(YlSp1Iz=~8rywWu<|$4jK5Qz7oRU&5!BRPN0QJ!sHQ^X7`br@ zrriQvRQX#0eU6)CY{g~#$pP%EBE2)YQ;uw(8bXQdMD6k~)n7AxGj3R36``>1H=(NZ z$sBmavsP!WuciUbJWMQN_gvXkz4iX!z7MrpZs|q zs5o!c`+!9iuEg-hQ?1msjX&mcvFu=JyX`8-?aj{jRQU5Q1n9)l6Sf}zHZO-y4Z#Ib>4^z-x51Li)2o&{~?h1|-vXr`yt??FTD02s4 z#Je?6JD`ve+dMnEO}w|N8oUqK0gyI2jYc_;$6mn{PDP!Zj51)+$cSmcN+-hZsSt&` zbQrv1-^Z-~1F( z4;W1omjn;%_3i{MIUl^*UdzNNu`??a5rmD)*qx|5Cjg5`>?-YEf~hiORhsJ0X48>7 zVKk9gm&CotXU`ySKetAl0ZYbku-jP|=rodAOujvJW@W4KH`_EOu5Aqs>~ZCUzX^r7 zzFMW6*%jBXi)H7La}u?mP1kxvFmCC?t?%_$fC{M#VkEr=orcT4P;*j-`0TA+zo~Fm zM^~4^#isqSzlBAc);C_$N5JO2*uQUZuxcg*G!!|T_T?4!Wfb-y^sz<#c{$@XH)V{pEV%wx{cWp~Ds)1mWLSI2y`p{tb^+z0M%qZr- zhIB*0^5mq1xJXgHfyCsC9JAGlaiR?1s(xa-5PN|6x#xx`PFDd&O+`zUZ&o#ChK#&a zh|npTs!&3* zcJ1kz)!kc2shn^I#J9>eD~4?u{GF`?4$AjpVk9lG0x0#)r*y`ymD8#7nis*L=B9OP zFDY!XSvlK~96`KPSXkL|^vpmlzxNxN0BsjcP@HvcbV^@0GJvc9se9ha>N);>WOiYO z<6_92yymrAY8o(%o8IYF%<_Vtr#C~%yw!vWzYFJEC*fTcW*eu8ZX@p;4P+_+)HSr^aTkM8bQw#o&|Qx$ouHP9Q?f=UxX_`K8n zAMvTzAC=W#qTBZsG4h@e&yn+7?x7JtY`tD|+C`oPI0S}%i7Guvv(*cUNBIrN_*X0E z9_FA{excWf^Iv`(BcfAC>}zkzSu$M;-^w!6yi}k;**F5F z2DFFL<8|X?$vj(5ryu;?MxHw4am^Q76<$(mU(&#C02&iEmquAB|Gc!{BHBMw>;L$$ zC-pz@Xwu(%4*){QtM+^--SNkZ6Cz{x_(OK5bkRn4DCU4k;vElwH-VhND*d?CizLk& z`l6+awzSmlXId!t%BObD|M=$r?u`Ha|5+(erO%wj=xFHwsPiqzkr$h;vV?KEgb4~( z4evCKOQE*!2H<&0Bz-yjL|YZB6>;kIv@y zWGb7(a>2rWQ$Ufc>ny&aLWc~L>y}r$a_8Tu+(EF-?@5aRi?QZ>ZFB28fHTtt{1FZ3 zIQfBI*2++dmxrFs+1{cDtOVz;2JAmBaFh~^+VQNhCDlJ0$D5x^gBH;ntowIg9*>5I zhK7bn@{d3M@@{yDBJlr91Ma_n{QuqItmlZYuDH&Pn+g8%+WzZ<`|UqO?ls7Nw+Z}j zj!LG(N?tZsQ$!l@{HxIB_Z{cYlPyq6EtH>~ojsC7laZ0J`vh{cvH<7{>19M59GtB; zz`ZLYJ3G6xYx&-9O&0%p|MH)olt!?o{tqpHf7&4|N>ST8JJE>TrB0|VT>hL0|J_6V zKl*<$SfhGP|Gb`mx`zLYw`@J`_AO0pR;2$Ym!7;A<@`TC$G?3Sb`K8CeY5$w1=_#q z`TlV~7wJ!bnPB~PIR+&_o(-`u{7bt zq8=cP-o3xv)j)Ib1yNE4{*L%|{{i(JW*H!auvsp(Q#obS{~d?vzpQH6Du|pxnYBzs z#e?^k3c9;RXU(;=Qb6{%X{{0XQX+O@i9Vot&l4pxJ-z*A1qu}h)3+#-ox~OBxlAvU z&jNi-Hm9R(LN+VGpx|H%diqeWrxJNLFO|y;$Uu|T36iFU$#f;{dT`4PY_crNEGjnk z=@9qW1O5*H{TBwkm$|3ZJJ?&l;^PThR9`t^U^B!)4B;J^F`vE@1#TIyfDo{9M$JGh zllb0jOZJCkpg@8{LZVSa+Dyo4y!S=sSEZ>6=#t5BRhE-`0l*eHp)qzl*ywxUwnpI~ zDIzF1F<)~=#{(LAK7al^(Pd=o62#m(NDb22(xQi6^Et9viKz-dd!PT88}olO@&Er1 zd)A69{J_8A??!^Kqdb)$gLHm@YX(Uz9F%>)zZQP3`$H@RKEU}KwXTmWV}J%Acyw7Nv5 z2nrejv|{!TQGT%tI#5wj0Vvt&y|}pbC)7)}H7`qSnos$xhT7tsj6k3g<8spTSg}}> zZ=xuIXq*WC5l|a<;`3o+449+3U{u_1> zH)=#lrA70RObOG|F&H}*KgP<-3tO`$7!Sv{VFT0AYJCY1yh-F381Ud@3r zw80bl+cf*G8Zs5 za}&uL+pjBHymdx7;R1I0^|=KbflE{gQPCSGLqo%UsZ`=n&CyP%tYd*3^!Ph~qUj_l)%(ScjPLkW}bKir95GEolX&QU8>ii4qwZe^>=v2NehLX%K zz1s@$X56ObIqy0qatnA1N|uh=T#CkLWA+p~`qk5Q9d{)#<{8Ja)8}tbcjt?G;U$h> zW4+=>&MV#6(|kmO3^To!mX`3AG&62*cz!T)A}Uv!$ zCB(&&C5;k5_6``7d}}tufh!^RAwCxRtn>DqDr@l}5fPCoxrc?_>dy$i<>o{QF|pxo z7dFvNG%ZoyA>$yT5-I%GilkVzdCltWl(e)Gq&S5SM2uujoJ%_#GS3QX3)6xqLT#h& zsjnp`u2%aSFW=1%pGj66fT%@@3#$hbdEI@bGuJ6{| zU+TCZL_Id~)~o@%Tc;592)98%lH)wTm4TWN+DRr`8r9*Z<=pt?qdv@HDN_&Wo1FueFY3m2A*Bot@Xvgix^dT2&~mR9?k^SA1t6@ z{31pax2WjkLV~PHF17va zEa*DQ;NbkQBA$b=646Ukm1BZe(SC1%udZ)9=?(%J%Z*q#A1XJLy^QgTy3aeb?()V{ z#aW-Y^S-_+W+6JgNVE9E_(6Jo4%-kr*wZ0m>n?WWVd6`8h=)h93Kw}l+afVyA{`y25cm2r!6M=y}SeEm>U&Xxx`` zZF4Qx-uToD>L>UP!b^^x_b_M3Q8?3z-Al4c3acO6N=@QjU3p*M6Vcn^DDN2LTJXL0 zs>#U?SuQntwvG+))F%va;9i)#$2`&2sD2N7XE#K8TtrR()u6Y9Mrf=oYsi=q$(LY# zDz~|2dy+;3Y^;do4)XO!gNQDtngw}5(h%h3RLmI?BPp$-#hVtcz@(0SYgbb19HYY5 zlz&XDzxdNr8r9(kQOb#&|I~8mDJYq5DtyBa*`NlwBzo&J{Y2_R`*$5ynfHb@o<)v5 zfXAw#)_Uec3pO?sCv7aWnAWx_i)X$n6;xYj$8Mg*`T!5E% zI*Ea7O%cBHj}(o7P62$r|YPrN|%Y|l7rzQdEYM>kHyvy2A+0)bW z)?kPf0Q7#Fjh34nL-l0??0I1UDis~pGd0kw0&CVnWF75YDyRh${wlm1Xo6L#hrRSj zV6{x8)oUZ%mofI%M{8e6itdcqVuyp(H!CBf=i+#irr(?3-;gm#$00r)UDK>!dVG^TpM3h-b`_QkbK&hwL79Fj~NqJo1m$wb%UjWJlntxbP;bGKa)hk)3=r zPrT6SvR_;t{a>hAvHk8nX){{U9YUht1JXClXSF3%wf@+heGPZs($`uHm%SAVbV$20|m7%~u%TG4hX8X%KB zFC5W`PL&KO=?o>&=+RQB5OGZ2$;g!;6*-(F5_M&1DKNr^9c$8IU9kx@<+>A+efAaY zC$KP)-wZsqE+iskDly9qF$!%^Pq>tAJ|S`E=@tHLxjTje7j#=Y^(8mi4=n3=myHfv+#i z#;-L0n2eD{MUwh-AtX2TE=I_CLa^0LS~Rj-q1NB;O8=SmHTS%*5M#d?e=IF4Ek|UD zA&3mR`^Mmj0%#db6bg&4IWC^`!cS@1hqAf##5RK-gPa3fn{ zTmHgW9)Pv9@Zz3t^jmSsV1j)8Q zh%h81Bs-4$m{@c{Zx9)mY4|0>;zVRkG6by@jrW?57oErqI$W+$&HA~$CA=eQm@PKs zQu}BD^L!iOXj}D}b-i>UvbF|_6CTH&KL_*4^XO*RkEmW`7#~V!oGjgQ7=%)@F{>={ zNyf$1FkwrH2pahh3ZLm>8Gsfq6u zv-^oeYllyr@7oq*F0f)i)u7hs)&+shgHkZ1(3=wT#d0(SgDt7*hGjPYO$+Dm=<2na z+=mS2VDUXOgRf%cL#;_hBWg5&-@RUOJ+f|9FL^hWK1k zOj5FPc7W7~&w1oKCO;kuF=?aLC?4th8GP)US5h*7 zukMgy*Ym*&#holj&ePV%fB>$g*og{Ga7~dB(dRqN7q4PpO$TiQ-jzF6Td!}@l!R07iBcdGkp&Tc0jKs2&-pFA4m&yrxk&HRVAPbdRI1x+vRG_{D04s&rJ5?aP2S$Ygl!Qn4+poFuT(ag zntu}`*I!w}r%qxnOuHS%W6 z%bD|hu-LJlVl@s*EVAwh94h6tcb>GLVg4I1r+7qwHhn^17qkQD&nWHUeS&~Je12wG zn>2QhJvcAgfagz+z3&lzj3^@!R9v*UlwYckeW{72Nm^`)CTXeGc#=~iBH_=;YB&(X zc-L)Qr~`cI0Pp>KMiWDaQzq+}MqDhltYqFg&$r8IHcZ(cITvS({v`2ZTh=UOsZ^4- z#)v7b+(A@`Rs$aE$~9E{>*qjbN)AUphq+p~YLk%5sXX_2bU4+_C!}cPDe4q_)i1M% zak;7$viuAzl%Mk5O}F4=lfRxLQeSj1`B-tCaZ5i}J*u!+fdqpvz9Ur2XJ z7m6HX|9nHZsdJO>355Z_&x&=0{s;3^AYrc5Q1|3y<%&B+IA|^5h6$mp7iDL6iysAZ zBKn-2O+H+_s_7nB;rVxjEWvl{$$gV*WNOO??HCql=r2f_`CYS$kzHHVOhLw9@thy+ zb7B5+(!F>mdENz-7Wv{gAenE#A0pN+jD5JpB}8 zkE*y$oX{%}+|L>e9nSm&de4lSLJL`Dfo+-McOBt+-0^zyuONz}ESK`Di=0aYT02rK zGBwiuBTs}UXsgaWrk>aIX`L@J1+C6DKtCv zb|lf+cA52GLw^>((`uoj&}x2EV!12~5pTEm!ns+h$(T`6qw)V{h(@!|h}S-4HZS7& z5W8?U1ePBftMh6QVa%W1Z_`Q6y@j}~ggbNM@hOkss+lKO(MjfcpGBTZ!ZF|cT7wq* zb*xVIF8j(@XE1hONzBW?$aelbgc5+_34*z-{?DSRaK**N(G{NnKG@UQIvjdl7epC& zA0D7T9#LToxj&P%^CeK3;$BHKj_~;-t@AkC@p&7KeA+4vlz|@;7>Cwq%47kILI!J0 z(XE0r$YR;v>{yvGsgz|z!}6$Z@~*PU`XO0AjW-Rfyk6z7!wXi3Fz5%=N|4EuLOi+P zEng`rbYNZ%Q7JQ>;&=MxITZh@vDPno2};_LkQzsA^`atU-?%h1lsq6QGP?1eL%TqJ zWo<3@GjA769dn1T`gz`774sSw99bq>^+v9%CqA+!CaJW>Y8$Qms=!(1&LpgQJ=YR} zi=C(l!O~P{K2y9{w*Kk*L@u#9F@sJgh6)4dnwPp{^Su;9Vg(|bA2X$rc3__hVZKi7 z#BISiebAsH?%DCqs~CiV9wUiR&Zc5ytPPlKUhyzq}0(rB8VY^L^^jNMlJe zt~FC_dGeI^9tQq|=4@mC<%h?W_CgX{kSx&w!h%7In=J|9+VX9y7o>@ikWbs(+{ z5)W#C^TH4c+`}0ivM`S`IBj6=jKM>zWK)V7ZPsKFZfv|iVgxs3QEB<*<0Ay3HrZK;`3^vS}Q_nAfTzZWTq|#BE z8e4MQg6V(>P$fksO3Z8$?dFKEQ{r}g(G!G6BX?X(JP1JOq9|Xvu^QRt(2Gp;(nH+` zxjfdc`D84ts|KmWu1`_34St!Z%cWBSarqro|{Oxi;pd zl|#j|XSdaXQ*tF#xcMQ`%EymF(l$OB1yLhxPuD*#rlF=rE6=&M^8E1wSB>N~DTc2D z{`1c$7sZb)u;jg7LfKPGYJ|sX?yq*{yu|5?twv=|NR@P75@6DkAOU_wvNP&q6JYF9 z{Vasdz1dYdym_Oh+3$GyQ^6StlF@!Gucq^Ab&ctMt$kmOj)}%|i1ZrLC$J!e^@LLz zx1?AX`42Zuj#DZ7tYgieV)60E=Z(8vo$bTJy=YYxAB(C%cBzSo-Q0AU;~h0<3}{YD zR&Z_7GO4;$?57$fPt*bkLB)deeV*HBNI+wY&iYVFAJC2Ped(S`R{|+m2nVBE7QYE)C7->lVC1sB1;s+I5ADog!CLZ zWTUxi!<{7i=;g8#?zo_4fO1ntZXgw_VCKe`DuBj&s1n%fbK_*L53(hOzGR9tWq(qK zx}W=WqW&?9OkvZB1-U$&=K?@H>)WMs`)uZIt!3r-`A1JF>^{2I5J@aD_^1GPSNpuj z7KuHG+WW8>4mixmnnJSie&^9kC%LsKt4@6thh1><$eFLkaJOR5GdVIQt76Q9=J$v` zjcC>Swpp@#V}KycdpdBB3nrU$>WsS1Wy_qoL#JAVf87d*ba{sK4CuDo@>Gz2$G z$GvuTGh4s$UAt13D*EX0@dtjAwX%knK9DE#7#4Rv$bh6=IbF0Ni2*&#^=WzuA_!_p$k0xG-L#9XXA1wz}r;Ttr{~ns@!eq@ac7(^kX1W*2@U4}Q*nX7GRa!s9*Zl@Wf~sVwP(7T!=|uA>NEhX}(Ob3eupl-xiS56-t~ z@daUGBhI5oLa1S+JBkfXwnIb$3u7q)$g_nY4SSO|u}b@sX$Ng<)~l2NZrsOvRJT6Pq%F*hde(Cl`4fmN~t@CwRGLA8Mu7 zF%{dYyc!?mGP1!2y3H|V!zBx!AX+n@>L)Kb%Ep@n-8*h?i)Mi02Mp0qq$Cv1nx$$S zP39@k&oYhoQ4O;o1zMn<*wV)>31<~gyF{in6mj>lK`J+?I>jXp8=CZl6a%`eo^*FLlv~xGa z9<1_*H93@@U+gh*5Vj?h071~nYRfdnIOxA4#HEFgpv}u2>(7})fv2wSr&^Q;^uN1G z@fN;uPy*@MF+~{4W%CxpD|nEXjvSYjmgcT18UbML^%F^`0T&w&YF2UwZUS3e%#vW1 zVkhp;7%u{Sl9qTHGV&=zYFv!WTi#9nqdcENtZpP4ln&O+?%|%D+cJA%O&L{V68DIg zM1oj?xO^RRIxI%7-{=2|7SwU7+sLG3>A4Pza|)j+kJF1a6dnnF3CNt7PYjCRc` zL%TV^_AxZhS2ow-XRalsy&UGSuw`1fyaQ)k9lYs|sC>dU~gQ+wbgbC(%5V_pM58&o)Df| zsn|Tw60_#XV0~4KzS0(JGaUS7kY0X<_*Kb>TI4vWX_v1 zf+ zgIB$*1)>%El+aO|`%&T&1R(a>yez6>{-ZVI4s>E3QU#TcDo=$!6maWf7}zd4oPpDv00XFS?aXoIZpB*u+P! zo$iBxz|sfSP0=hcY_mm{JiI7KMf*dE?)p+7Yvc;|pUC0Vo+MUIFNMn?xS2u}wVY_) z4%LY=O<#WkrQ3c@A&$(-*=pVC%r0PvcOCiDbyH}?PoTC$Om%(J_xG~=$}+wDbvGVe z(#3bFPbGJLZayhp54XNXU&sN@KqZ5<`n(JG01^0n1*(fO=2y49c4^?k5>-#NlZh>8 z+_nY}epPADL6$F{P^K(id}6g)6BlrrP5L{j^-3(4@@ZRotC~*du?v(bqbT0Hr)Ns~ z^75Y_q&Q6oTi)GmZrRdY`$=&}^47omGNdpDxqVQ}r?if(vvmc6i?|)}{ zWyY=T>x+mAM8cC;goKhIC%dKELm1?*SVr50R=*VdxUM|J`mGG>hs9v?iR;(SKBB&y zfa+?QkEMmYZ`tWHcQN+MHP`QhnRa4nd5}O+V{_vjP3=1~+G6mdqYq|#3x~8F?We#T z>=BFuG~O3bgr6{!3u)5`@hF;7A`dJwe+QQlzh3EyDSlG)vIINS4=V*_i$*6E^R+G% zwM$Yt&jNEc*^}M@X(za|Uhv?mPud~f0`x375G|0M}M5eJ=d{bRDZoz2HqDh9CM>kUEA&oY>9Za)~R{2XTiF)Sy?JAV4M7`d?{i*Q0cmP)fBbBzRm($szw_Y9mW$T{ z8Ct<8P!juzGI0@oSAc@D7#w(Z={Q{_XEjj=1h$=sVSe(#GOgS05}L?kZahxo?-G!6u}Q-AYref@i z3=x*QmYMc|6wyo?tqvvoFr!?cTr8t}4O1GVT(#m;rmP^2&R-N+8 z;+xh54FAgv!EyKQ4f(rP?%Zh2m=SnGY|Hq``pBnhdn5y)v$i>H72UJ)Xf}Rh?G88a z>RBL~Nk}4jqR&r&Oy()(Z`gF6#a70`B2=^gcw^5z!xOunfq9O!bo4lcfTmSA$;m)S8;-yF~m6%5( z15R98q~%m9EzCvl&+4x?#ISeiqz!M1?%7VrNJd~9Jh52&#|3Z3ibhc7>WiyNH1Pgv zy9q$cw=KGxi4X*=8I^@g49r-K{Dn)O9WL4jg%koJaj%QpS);eiD~So6Bax4+YnW#$ zi#laQfIak4gnL!N@EbuFvgpn@jW=Cq+u{3f2H=(W5$K26t`d50MZI_J3YlgE*?t}DM?VRy}`kG=Kk-yq-G+nzE)szF`Ba;`d1mjmIspRT`7lSJ!C#8x zZX%EJi_yq=-yh(-Goeo?Zt58R-C{l~kP+<5z9@K_fdmnFYsekDMmDY5=z*SJ3db;_ zPC9`ISS}Um$xbL&oB|?%9CetqQfY1Fy9ewo*Lf22`GW?>BiQ7pJRU;}=$%xQ2zhoS|7{5g2{Z0*k7X+>@@i_v%YKbC z9WB^%2?*$jm{6E#F)bH4@obX=Y664$yuO20{Ygt|?Dms%6e~tPtMN^Gaa~FLEN1*$ zanwCX5vY;H0U?YB^rPKO+8XelY>W*N-}d+_=2!J3My})R>`Z4_rdBzajrj-q(-2_> z9WB>(^0%JvBHeINklt@IUHGR4TI^xpv9QRHyATC~8;$RvkFN`jDA=3xQ=>wlSbLSr zmua^oP?dLFIb9O;j^1|9$~W}OhZt|mSo)X=485o|*P^IIl?fom_!O^omnIjQn{*G_ zymq}WI*`?malNY2OYUhoNBlnVy>`dWuh8B`Y1D39PGNU1I~$<>r}|HMts<`xm>#+S zn-v&Zz`t$01q-y#fXvCnzQhl4};{5ICxYjd1sC#Ge}X|8FaG~0wLX0&<^pqb7U;fDOz zhkO?xGjSdr1sJ)OBnJO}assYEd0+B$i{Z7!%>{|cNN<{udy(%CAafMC(G>i*@VDdr z2w14B&xrtjXteVG?T!EX)Bf2X{@};)FzSn*{l|X7MEUuP7qT(G1_viQ@B?rC2VM>G zx7v-7-t>b1>$L(u2FAq1(8k5aW`>gf+j;))VYoyE*4t0VKK;k=D7k-$MLAEBPT~IB zq5St#V7ElCn?i{GTUh+F-~IpL_kUF1d474!t~!4AKTs_Fh0-Gg8un?tl`~r9-gnuD=X=o ze%NhLK1TXXjYP-o8{hJ)LoOze)F zU;UPtVVm;#?cWUYCgYCpnf&&4XwMTOz|9&NKVS?y$?8pjQ;Jln84w^bj7(HxP;eV{GY_F?de*3?d1%hQzY z8PNx4e1AK`yLvajm!1s2fp=bo{8?^APT#L$@avFzTIp2d#^Av;*4s+|d@lQ_FTd!_ zczKM)Qe;I+(gc{A(x;32=`Yk%?jIlLR#dz$(k+K$b?cpsSXo#`u2s_BNC5=Hh2pDg(VT4QVS20s>|?DLDv8xHigzb&(azT=w|eKbkL6s*I==U$_AVuv5U6?) zhS%#BlRJ``ZoeU`)AaIM^t03XiE8JvaUB(%xS~Pgr7tZMb7J4*+Q<2A_&}qc_|igM zyfmF(jw@r_5uYgKRMpRzsG^{`DWokaRckq5sKVLi0sl5M)N?;q=pKupPnqU(6|0^6 zSsHg1#K7v~uT!Z(WDwi=pmf$qr2qq*-RS!2{5}>yD|`II(fgF1#iWlXV@p2HmySZq zKmO_d<$K+uhIIhkII~QJ$nbB+b_%x;vnUc7?U7YEW$PHXPH@l1 z@>SzO_XGM=;0xB|{mT3jpY04_u8iz$emMh>k=)(fp|cpK%T?(E^BWn|HEJRE5Z*89 z(oQyB<3U{7d!}iecO>>y3?#OBNb<2LvVQw`L38_y!f%o1X=djOGCewea`^<&J_XhV zcmMe(<`1$vcCx3b>zbjEi;3JPBl@43JYL=OgA^&LHu8JWd#KVe?LR9!`7bZd?rQx0?F$8!F4w;p$_!{7m&;f%&o&tGs}Hb`NAERY zmJJeP%VXO7*H0G20breZ;{we%oVi2(?MXoR%G69Wq5h*_M5z3Z42IEdtNL!Hll@`FJyDZ6S{V~BQTgD-;5l{ z7WUY(3!QI}qoh7r|I_yL?z24~hDEYxxrAPQFn1Pbq;w*roi>Q@VM*qqmDn#X(Om@O z%5mC*M6O#~bV$HanNGGqHNP!gpDFVxapENf=0h`O0i?U9-r$+IZ_EdLh!$~ zFaI}But3c_McSvR>H3Fr&$i__LiUj}gFE*gt)`W|Z==k}%zzCJgSM2M_9{*4f$@)1 zq9BC@SIl-)eNK)n=GWHVo+_Z`p9>5=Y(b#YK89>Sqvr`MWfxe!RC95uu%%{@T9jsZ zZQ4!*@ggK7+}No%&IeW{@PF=5+07&Hlv9oh8a!3jeMoM7#K-}A61Z9?X}2VIWPrin z@mZ2sS@k_H-jxHQW*7YZtY@QcZf>u{#EiU)IVQ4B;eYo}msS%fSppjszc+O9J(mcR7g1{!xtA=Pe%DY2EZ(Z$7t+{cb8_CM z1pR4Sk;3@J-CJU3t|5@YjI7YV!r(o}TsU&bdU%wv5 zTsDjum;Ljwithi@0x;<+ryG~$wdr{H@k-iZAi!$Ua{o@|PWk?9Dv+Upr)?LzL1{$C ztX8p#!holI9wf4 z2_5SYTGd*kN47OKHl{2liXAuE0g~J$HNSurfdW8GR9~Eqj&2~;!jksR%F2pIdEEBL zD&RpIU-#)jZK$LXm$Tix&vUu1m+IahG?ldyTCH(&oeZQdW6K#a2N>oBNc%u-g=X$c zEzhc7e9gv^6>C=!Eo&5LIwWRaVaT+dH$jXr#!lM*T1w|PJER&d_0H-K=K&iCje1&Xyp@KQvj4a<; zoe6j5no35i(mwVWo1wtprpoFCR5ZLwbH!2K9<&r zmye%NO9>_4vpva^({J0J=*oJyviyL(p@k$WMvg$qXE$+K<1aW{UWHfY<$bScfBK?+tnT=EM6`oSu4UIZ*AK*w zsI$Z;&`H>J(s5Su8%2naJ;@uBLCBYBFtXFVR3HC!ucH&fP)@J^mUnoYu$3BQa-=Q;V zC{~ELB>~k6JsEs`Q1WWez-PH}PwAz5O#jf?o3#VHy+E)*={A;2xtf6zgR>7iBjSvE1ptnrXCUaZ*~h*#HQk zjW5KTrFvyi7~Qkqv)=xFHoSXGZC~7u_8hNtR6=|4wcbmiGA90c%(k1qn%`Tn=$!`= z5Q|>eI6X@)-Iq<6v;R0|)Z*U|$w$k0NTW^@M^DNvt>s59C*YK66sJJEo5KO~uesQ5 zKMo209D&yDyZV$d<`&b;^ya8oS9Ml_tqga%r^Gxy=3a7ro#Ppz9$^uNy{2QDulEt} z?-N&2=!8BQa^<(Y{S&Yb|GsS0_9|wfi*=qu|F}V;zj@h6$$LN??iz@7G<+L+;wZ4A zqwU}Kx>QY8{=W0{!SWSP9!P|h+)tRPdm20v+FM2pqJ!R2-JZ&ze(CvrHrw_a!@T2| zmvaS_rq>PO;U#V}(JW$_o2#kPWO=Q#g%0K|EKK4L|6ES`{%^^RnTZ3N|%e)P@?;&b$cDYQP{`=G{lc)PDn9OMAE11 zT33IU9y>?41jm}0Zd6QMkHboWQSHira82k#2jiuhdY@~fm#s#0cHM2oVLsxHXzH1I z+sd&M?RZRhNk@v85!_nX$TQtj?Cf+hyW~i0re$UX6O`Zm6eH5=kp~pxE>{m3jVP|= zW%)?<=)s1D)yvBatdC%hKmP@Yt4QU?O8dh5%T1ek|G5o)-aX+D0b!Ia@w)t^II!?K zhv}^F^x2KjYD>L_9BNoyq^q4U48DmhFPEznH1)dk+s+Rk`Rq3KndceDkmi;A{ifHF zb@R51wfbKqgfF#y5rcF`sng{3EpKV=MUH*NI)arJS|Bix0K}nJr<91IyhXINU4+m2 z0eMi^#dZC7%>#w`^FwC=+iu}Vs#C@bDYA@5JD}k66lCdBIFmR$W4<*J>y+fop0{Uh zNt2zYyi$9`R{l&1P*j*4vtxA`i_1_qKgg^|=6Coi8-r*bX0pXpEv)Ag)76Kg!z%7_ zLz2f<^Vb`nqJ~f3-DKB^l~o9xFgjgR0!(7w8ruynh|!h&yi`l*oZ?SYbx7KSqo!pm zj$dXd)eO4w`<9j|EsnVK-L0z|T(WJfoxi$$EpxkSu;sRVXcRK?-HbTwr!#boErS2` zCeNZBhZv*BJwI%_tl2>@qoxp7>KTip(b>JZgMhK%uml4x#mRg%+G`a-r}l&{cDro<*DmTTR>ag6IngIq=C%+7E|_H4}zWyddoT? z%hKmV0j)KA2D3Gb$G#Zu0~~5!iKCp#Td6kKQ&X(4ru$_Qr0834RNM*D|L2QexauZlaogTFUcY8&F4(~Ld73|en02Imd# zgc{5dPMj0MqQ|T?_p)$ppHA4sgo5^=d!@#jh7KZQO@f4b2F5q9e`}Fk^)nLwzDb+v z)bl=FR0z9?#O^X9@l7#z%|FBg%5Kjjy=M0-byU|XTlfNgTco_%C3@N_*VTA5`KR(* zy8CdRvMOB+gr*|!`~Zy_ZHOJxT%Z-4I)cfyY39wnM|p8nY#`4fy-$~V!f&wK({cb| z7_SthNk8mSugZ>XIbR|UQR^@$&q579qHv_~JX5S@(F<+>2LtA`(l{0)W!IEn&7Z>Yi zqT~(eQoK&bDvp~~KmE(AfE}Fy!c`?-&m#Es`GBLx?fLbKg**x)&au%tt{dgBzz%-y zn*M%<{!GCey45gr&QJzzZerX<_fCaK*DT*Uq!_JQW*+uSkAb4{Y;9qMhI70FjZL8R z&ytsZ%vS2x#?AL9FTj@Y>e*D2p}el`)5+HnoXs9MwY#V|grA?y&xSv~+t&hj-Gm!>Zo+xk1F2p>#&O28Bd(S?quq5a0xO*-WlhzpR zsYys(STr?r2QMJwU&na{+SPY_3hVN6Iz{qvL}!?S+Zv-}xc5rAuBC~B*At=^hyx&7 zv>YYZ=-uP&$;?*9!{)wXGJ`Pt3tYPi^Q4KXC7w(1i=H0U8L{pY@yno;G-!RCqoD{^ z(M_)5A_mGdl2lwC*Hyd2Om`KN7jTiQJsVQt-nGM}ktju0vi7cafxQMSh9T2`bLGL` zq~E@hk&#9f5rq{#eCb>AE5_=6CE6au2y->V<<>Xz#J){1)TS&v4m--U*p8Gqt*Ek-d!m z86dxc4)HTv;^HmdoaM6`h0bI_ySsK8IB1z2fTnJAHv~&zKE{)NQLcT$W^;7qyfGwT zM;+=j64uu0^RBrr(iSmvm2_I}9P+j$TidPYHqzz-5jZb6WURZf$I6P1p(BG8+`oPB z z1f6>uNt8I zDddMP`BhQZsdpK4nU^Dmy8JUGS6!IdUwa4H$Tb|!S|vw(6y}fRWc_XP-CR$xaz3#W z_5u@PM3D!%v0KKItl>Q)TlfqIY|IL+E%-C2t+@ECvW%1SrLwJf*2fdXet;iz2U+osaM3-5spfi_ z_>=(hun*Z>i~ykXF1?)q$SGr1G|GYZ0D<@ ze{l>zV##gTc4ftiyHfqAk9^;dl2x=%JG7F-Kwnxq=z*ERd;A(@>Vo?+JK_F~slLv3 zb5#Mg*rb+WakruJaXIh0Dle`-4=V&suu6vMldqb{uP%O*d&;%VdggoTj=INijGeE9 zx4xzan@n+<*Dl@#ri z0nZiTfh6ukCS}NYsZY&C1uD4WgzRbT{S#P*W4FX{NIW22ff6_0%@#4vaAZ8!jw$b3 z+}fD;qDZdN!K4rE(^|$p#WtXSokzDAt6J@)jBe%8`fv{CA@SLOvl!faOzhwA6-Szt zB3NVWP5-vf8MZ-bko`Y;#)dNBX z8D)yWrN#yL^wX_036Bd!`Xi3Xh{J>TuFW8$ehG%UMtF_WU?N2CZqe5Hh6why-CP`H zbp?%xuV1x-rEdRx5Kr0o5}jIQSRk9_px1mQaf>SA2@Y?yby~udZD7kEJJ<=uo*57& z(@d}m`X4jWW+Bmi7<+8XP>zFvN~mXPcI1^oZOm0R*^Fk!$cdWEmCcS#^TXt~ zsg(W-R4gb_$WaJ$l?~QpkwO-;^gEIk59Ab}8KFsdK+F{-76$%ek_%#e6;igAl3;iThvADEu+s z^H=sBywYUXG1)SGrSHu~>$}qdNoSXxYBFQmLDdBTQyq0O`Zp?@qQmmu?1U8sOP_m~ zYX zIX1oL{U?-I{Qi^s6hl?(o&YI04;>=c%+8RYqoX4aP=WK7m(3jMA2_9o5mqC80G6l% zW{twN7m&T_3Q&l;8vwfx6BB95Egf`-_hhouFW!)(38nY7gSFd|oJfmY3scLX z3X!D|3O{VyMCrSYLcYA4)Kk-IDVgdh2KUJZ&VTd_#6 zLscP7De@Ez>NhC$>#SH;SFJU?Z5Sh>Y-QLtZ1cq?3S;%aCGEH;MDoJU8@FA6O&;(QLnGG?3wY->;Gn$Bjt)G2z< z_jII{Qym9Q(i+qKZl=(HbU!3`Xearu-M~0*3ajH+$RSc#c&`A&3rm8bv9XNhS%8D8 zred!@0BF4ji1P1p=T^};;8VGjwaUX7Rep6wXr(zfgG9cT6;W3^J#LRgnY9Q9oI~g4 zjEZKeDH2DTF*twb{&Bq(k!)rm$A14F1bdTkU%xa(3XznB1Kz+lUY$*LQPArxQV`VsQ+#W!5_-EFY>G z0`;_JFVo&ufK3Y4b`E=P<}EexxDXxiN4dFs({EELl(J`)4la>R&HmA+{=$d5g293y z|GH}MQG^&FrtWlw4j+$K3En?9;k=AGmN}FC}9U258b0l+OhWgo~1*)er#EPNI zt4IFQuh%A8g<13t36t$rXXDqCSg~cVsH;@Uz88+r zlz^uwvnyZQc&X{a-q~-7e!&e_{kW)_h2m2$!B%lpgxvV4xDMCr;4=Sp-19#N5!RNu zAdX)_=EwD1UXJHH4-lpVGKlQEE*D%zX{+d0n-=4fHjRRR5nUA`X^gT26YDUZ-ZxQGk zU;Ns$7j5o)4{vij7H)TvDhx3G3v8h8pYf;sOASIkbCv4W6XbHpT|_|an)egC3^lYm z#k^hwEfZsMZ6f4Ui?{6FO!U)`A?C88O3O+>#3Tso4ZD7Dmp8Aw^z)k#R2k|x6mI7#=Au!MLxXnK`W1{wDC z{2*QaBH}LHM5gqqEpIVh`DtTn|FNgr~OTeJf3t;i{nIw zoel>g0HvrehPH=XUgf6jCrSkFaDQMZgD?<;rL0!2i zf<<(#Dw{2t*n7{g15n$TC0r8<`=ja=mL8`NN+}#(Qxt%7Fu7`5^^pzgArreL$VFhJn4+l9ZFsM%&!frP_*uv?rX5neXFkE>8L=ydUh4Rbf3@ z2fkX-`euMf?&wO8TwYP}8=x*ol>W z2Jw|r(=ifOMU_m5!XI3mo;4ZIHCF!d$D4eqnjtQiT0c}3VL@D?aoWu9LmQvgU$0m` zNE5Im$I6!@{dREY5N%h8WDQ8kA6AG4|X#$=BmS)sW1m7DLox_$+-5!Oz)*ZCoFs9Ay$pDq@%S2spY z?_3FQz0|;)kvHATZE>0e$PxS6TVqd)G9{%?n*o zONSrKg`7f5=d(A(X(=KcX0XhDn3WDQ&gy>UfPUzwQ{OaFoUj=yz?G*usfTerFV!g* zSXr}$QM=HcUB@L&rNN=QFCA}(17=0T-&istd}iE?3VYgd3|SOc0Umb-tsMI^^Y^4# zMikYvjG{+}yb*jpF>x1&zi`U2k$=MFe&%g0*3QyV&yvee=h2NBcO%Oi${-Kg(siz} zq~w%ZqQz^p%GHoEOI06=CFf-Al#=SEy6wiqE_;oBfyE|;jZnee8r$eD&#yER_Z;>2 z)0JuYm-kx-j=FetH`JRa`}0h_T1$KmSAQj#ky2nE6hnwqNC3)Biq~jg|HUSr@*8%> zQP0wsSlWw4g<^iyFm^o}kG+76L@&B8pc?cE(CSZ~oDjrxFSPlGwzm15?R}Vw%g}^z zemZ)iaGQb@+pwv)DP(o0GE^!1pxR{yn_hF8O1Hi^8BuA`uQ@G_N$idU0hVoT(Mr*M zmJ&BHz`vZJJPFRemYP<;qB{5VMMA@F2B~1<+L^VHf+)_LV_c(C0|{X;{-E@Rg*se$ zG8(sRWCfeV{zhwJOQC%B#ScThVS%fO)Ns7BqJw2s>v$nmWtl1I@8$u0%Z!$0-1#xI zk7frs#yff02-QKuL*QngpTQ{t;yt4G4%%;D?v_yxv4~=|G2_lu;pyj^B|H+223WSM z>sHH5RwrH%J0JgEalqKry#+>agAzY>z6hc$QQ;Rd;mp+U(Sa!Zu=T!eGfM%BxZD*J zo3K;rDC@t+JAeM=+ILTL)8iO_Q^2=i0s+iD#EF_58Hf-*qPb4fDuj7T*^E#JG-{OI*|<8-5%dMeo?moX6#SCSjCkcz4EfSC}?d&-`!BBos6Xt4wH(WeD@z z$~cOC9zWSptem1HgiP0<^YZ2Ok8N+(Ud~{CIF|Ph!+$qK>$DqiFJRbs{b^UX{`6V* z42PF|DBeb>$plsDWoTzj9sKcLX;Ka6W&;dBrAWKi{*}cn7dXDRd?B<9!%e%7?bF7? zztWPOBOsmdSzfLHU7K*Q{AL(7;f`foDu4XmH5b@jdAKESw)5gkliy1K4-^|93vHn- zOBa(V6s7v5MY%8Wqxa+~xBXi$-!8g!@~HIyd@J98;H~ERmb)m;mn{#UnPdX#8?*R6Mc9 zbXGh%s`V9?)19Hx?XPT3OA6`LEtyTU(pKw>)cIdK=ao1md4ls_7$C zt9YIi)gp`$lPACG#rpJ_8Bx#|ukG!X`%oshLQi)2Ifg9Hz&+h&^NS{Zp*vM2(+L+A zOy{eJZBUXJBXkDXr!NFdZFMGkFX|rS6@))yz8OC)3U(ijQCm77bGo9LZ_H;^MxIw) zUsI@>>09Fk@B%E2L9zG!Uqvab$0$Yk>H5Sa+259NKIK^iw`{I7Zsak{Nub+au6@ze z7pJ&?wC4c>=hfY_;_^12yy|Vudp0Y%p};O3or${}_m02HlDN~@|0FPeT~{E@O^yAP z2JZY9OK6z`sQ+S6K>Hm4(e>vHPQ_ij$U8Pd>HM>YByK(frpb1ie)r^t zyW!_K>$+BdtRhN&0JuP_gUcTDwHr>HOQP0IRo~Wf@`XEMP02?kAj5=7OhKP8vYZ5m(H7A_0wav- z4$4iY6Dw0-_M|Nc6&m*VMbspjyw}kduwS4pymxth%{b%!Njc~dDfvP$6XI0$FXHgw zY_48EeB}-5fH9d5oz1nLyF|8L+>_yDaMb4kkWIn_o8-Dc^R>rs<9>W}>{AASE{}=G znDCZx$ml7Ah2_^oF&_cD5dHH8@xRmw^wO4O?PjaLUYO`{$bEq<vdy~}%R zNs@v4r^Tt>N|j!vm@EVNrBZNN3T}YkRhBIZ@g-0lf3I+X$9sg^)|cjqTpLdm9$KRH zjM!``&+d~mL?C<@K^8BA^AA z%a=Z{*qw~a*YxpK(WPEN31=E9v*-!6<9^i8x_R_o=t5YdIsihR>4t^S_-j*)e6dZx z7nLXl;P|O|e!Xv}nM7~h6rwdVD39L8-8$KTS<9os{Ds(H-+Vqw@fJrP=zuLivcn<; zA3@b&{{lJs4e=d>*tAs#!A`6~k;4l}g89z(ZpLFs*4I<-r8#sOQubQS9%#!wi!D{# zc=krJ6$*1YE71(iY>_~SrHY?w}dKEU+>|(j5lEGR$rY=mF$;iMe9%=0f=>JSoY?@T^(CGs5 zW9y4QKj~-##NBXTUtd1eWI&6gR?*$ddiuyX?8c<-4#0iTlLJd&`IQ4fbKw3GYO(sb zmv>q?01hm4N1x~s9NhefP{V$PfpPhmNw-Y!Zi4pOZ?Je`{`1TaLN0_Nz)ZILHns$yu}a=%^~YJj zj-?f3yYgM<$>)*mo>9PU^p!weB^Z#eKR6oKym^GP#JsVQPluFkPg^$_Vo>2Bcw}ix z(N?n~rm;KYu!6!)uAG8+I15v;J+a;B2iR81XW+^wGMWdz=1dk7Y$7oqJ){kJPe14L ze7`71&~I#=Zm*7Io+g>Tux*)tkT;g`}? z*|yC`yH)q*`j|wed&s&QiT-pCd+Y$`WfSUA)BK#QH?~`;{)Iw^W=dk25?fC5bGZ0bX`x#an8qf<<|V zRX0OfLjwW#E5ahcvT2}-eiw)S2RyY5v0^!JQF?xm0XmtMQF5&P^`=iDj2VX6@r;ve zy>zV>om{taWLZt~LMhPtNOJ)W+YaaFTP!s$OU6fCl$y1d+eAkbx;Mr5H7vTv(4F{* z0Q&o4amc~A(8VKxN`Kd@jB`6NqMD5>^(7g8>ZH{%5hElmNY(F z?m8D(&wkloRzB4sCsbZhVpBz6hq==Hx_EPS2Opo1#qRjlkdP4dmF}pn&?*Z0gqA~g zFh4bPJ6=c2;!IDsTf0shW%<*!SSO(pT~MMwsNR}_m^}Nmm8ZF>o`3KIVOlbYzNjHZ~YR<=_nH$I4Y|w@6&~#zj zivam`FM-eQ`5Bt7M#5hKD2GsddQajf=!T(`q=ealu3lcfXgtU#gIB)KhD zq7@D^ZHlyqZGA%Ywbjy3S~960q>;O8M(op~5M#GWC*X{`HIJ^b&F4}rf_RMzEL+1) zehchs-pfg#8j7BI$J~9vnvZhpee9sw7o{FUrkw$UPmo?VClHR}O-BK)p4RVSEg~qg z>(6oqgav;IOQqw}(`pZ>e?^$*|T|)L3fpVQ* zx?mv7MO!HkQa4}e_E}kE!tZJuEYg#w3}~crBq?0#lA~(fMGh819JZ;F@j`r+tBzYY z!At2EoWh*JN46r!;rS?-&EDrT^bUzTkA@*&=h0@lZ)Uv--MZ#@Z@Bx3_1RkE&@@!R zaP(z7L4X)P-8QHNej3wqfu$8pfkZuhcO1leC(75@adh(1s1VVqzrJq76&&eWhJz`x zCcQ|2p~nd4W|LE!h?}F%qx>YH{)OA8epl>!T|8VvBcl)Z=3abKaZY`Lz&Cb95vs%= z3xZ|`N=%AKuA9ueD_6r0)^_NMymApQbcsdClCF0ETDHu;a8KLZujoK*@)(e-lj{rn zHc5+WhOi!GDfEizCW39raRI}u6v_8GaVaTwFKNFXxTSvi^4-UO(QmMC*?21C-E#ne z`>@yi{#B-o1l!Nxmh4zFLg)sXw^fP}_T)Hczh>oEZ=cHM?@_3pk`iM?blE<(qkU0u z{xl|mS?r3W<>tB>a;=iyG(1&_T)+7FlbjZ+_@2XKGrX4XN6-&n%9i%XrYpRrjBPbYjm zwN3C8hz;3*@nNj?&szs0BCyz=2haq#|2h|BHJNCImycfanZT5Se4wt;n>D(5Oe>VC0W!{0ocakq@WYPH=tsF{EHr@d5k;(Bo-W7EwD>SnVZl<5h#0 zVLd9 z+@v)MVA}<7%|=)2GIew2Ej+DDT9e3fhZ}b7Yt(mUG%m#zmRc~P>A}+ym_OT2Hc3Q= zm}Z$Z=HUZm$L`%t$i;?SA8dO;^GK=o&En>4=ic2DM9Y`Y5nbcnBaf^jyEf!8#8qLS z7#27p>TG*Qfel==vs$Q#5b;~a4(fDxV;&Zi(<%Bag^0}`;r`RBNVo2A;^2^TDv5r0 z4pmLhy?tB+o~EZi=P0~HwH68fktPCEeDY6Ey<0i~lY~MZInTFYs~z2d*Zi`?M2_UU z?n?Z~uAkddr@+<$4>by-6exx=yxI?K3JYqv*`BKi^eju36H<6M{5y+ak2A`^Gk4^q z%?}PW@WJRLChY64lvF0l*8$R=TXNCQgv^emj`rGaqyg=(Y)+#lTc6!VwEs+nDGiNi zlHwtx;2rUIh{D{1{YK9&{SSz5O~ml;lmPuRE9$*}7On_VLq)!bvw})^$<+>tQ54JI zehzX+Y$gvS4b6)~OXIrzk}kLP8UZQvs)iq?O-dH3Ua#$Ou%c}S=&Ef%0gQ}LJGb)9 z@%l)1il9X;Cq-e^JxA+)r6=1;Ldnc*Y<;#vM}wRenY1v6{HD5(A1Ri;Z;m9Q-m9wS z4-cy;TMV3lDGZsJneB~Y+l^HtzO9JVWhaO=HFy;GfP`w+kP>sO(9Fle{>!hgwj{*X zt6IG@kkQ!yONFqwF&ZsKu^@i&ivhBGJfAZd4j1oE#>{```0Z}*yQAAS-NuEaf3NRIsivsnVdOpd#j*%$KsKKf)w3UPbE0bgZS3OrZ`Af0 zus)dgx2)FIHBv^rhK)@9Kh(WtTwCA1CtO1c#qCd#6k0q$@#4h`6n8IfMS?q}I20>Z z+}#}t1d4^C#hsuH?hqiz?B4mz+;i^v+-L4Ncjm>ztFV*oWUuVC)=$1daeJ~UZ*{yD ztgC7b>HUn^rk3c9jvZJ)1u*X{d@hR@U7J~lDxg#4l)QUpCKfiF5Kv%O9=FJzx#O}H zyK=ndQi)?R%gB|MUlm8);Al2m62M!$zc5A%4D+R_Ne=T2zf@&ZD!q@b7Vr+J~@H!H`*Iv)@T_j z(?00W+jyxfPVMyt)=2+sd6;m1!(i@Fi;+-Ou(y$G)-u_}o_>NQOQvef@Wf0^*&&;k zB|$Y!H9*)*Xf)-)`MzpxGYw@Y7xt*dZ=UG1Wdbut7eYUH-q)2BKc~eq@F4qBLfk>o zfe1y*N=)aby7iA2LhD^ioJTcAFf)WXK=nII8Q0MuiKwrs3yUwWT3GBBaCKjA>a~XI z8m7yLh>>($T|JQ*`}q;+KXFPrnpK*?d^V(CHmwtHtc9SzK&KjG6gxCAoHm|6no$?< zatw9rh+jYMLqK0nl~oybzEYl%{OjY_VP?6;?l|)`_r%dGa`QxchoZ@!aE(im)k;sN zHVDXLNKQ~AmM(DiUtrRvTRx&DxnpDGmuPz885bj!yfVEyOmaR+Z(4&NS(RV2k{sMo zsSW%U%oQ|8qG{mYX-1Uwak{jwS*+oC&s_%gDrGi*t(`#5*TZWU@YCM#2uPG56dwuB~>)Vi5%6v^f*-r<6>- zt}JLItHh+)+vMvjI&2CHYV-AB+I<(nA)k1`PW(eB5w|uKyAH$C8k}uuT$*xqdHE-> z+biH@WPG=PJUxA>6@0F5h!v~zKrde0;P!?CZtKz}eR3^|rt=*g(jOcb?C+0t^>sBrzK0fH zXjSSTjID12?G*$6+o(yXFNT7TdAShl{tJbyJDl6|8U3<+(@-~^eT)#^*Ch1Umsbm6 znUkMkT)0-5?EE7#LM)}DNj6Yyj<(e*hm!jSJX-??xWgCvn|=4;SGUUJZj~?3Qw)_} zKY1j<(qj~2WydFZ+^_e|l3>OxU)u;Jr1ZU;_ueCf?c193$5C-waArW1r{>+I;IUD6 zP$Bo$^e$75EyKx4EAKA$ZUzOBwlbZk zCJW0iOV&Tx7DH6|e51cOEJWs}*3-HRyMGUaCAxDc-6lcKRus!BrF-a8@90eue^#rh zev@&sKO^j@YUb)7FRkDE&JU90wwHYD@I6}hVnMe{Jm&r3{RxMMROQq#Ne z6hpK2<{K(HH0qE5prU^QfIc&ll09Ow4OM0Bd{QFM10)Gu%lJy%t=_qi;hH;1Otg+l z9m`DZa-8!+rRb*b(1#loHlFm1a!r&?H3oZu{{?{Jf50?Of*&qa{V4tA2mQ6nCgK?q zayjGLnq+ePWBEq+)s49ri8p#eQhdBbNlA%QlWyaPmuh)ZpGpZ%fW`jx7R0)BdhWK9 z2Pm0kj)ENv7ilF=@p#ET%kao@vh1i+dY?i7_3ilz%TsL3=_fBOmc6ut%DvLe*{wce z;A%_eM?Ke(?5tJ2%RZ}t(T{EX%(4YZ)~&b?B$RNbK<~bLq3L@`&~}1|XY!?b8-Jzg zaju)Hjj>x6!>hxA&x?)w9zUr4_o%B1ETbO5Wy9#+&1l^Ay#(`{%WLhv`aDhx>zgqY z(6^k2f8nnho4^|_I{Nh&tLf)GN7+U*DYbmvz ztn}8{Uc}_%H&50mYb(#+Okfwk1A#199<`oAsOQM{#qG)9 zXis}5ExpERhKNQXtI12Udh4-G&iS@244z0*#l2ZLy<*gdhu`#%=wH{1E9Vtz@sx}B zYc{ZH4OXRcq_B~Q8yy7tJHF{{_#Twnc#xx2cLr-ZtIm7t*evzdbVy6IFon9;@L55P zr5Gv6pyhSQvE3peQLX#?t2@H^7n+(5bvTh<>cY9CDHZtNP28O`PnGB;d+GCh@rou_ z%)wzr2nh*9ge-az;Xv1=1rplQk`z!W7Zq@`^1f9OY)lP$00Zput%LVfQW9~5dzUaV zxfVyvIh8Z0f-p1t@n;rNJqWXhJ&UOWW`7;gjDLyoKGZw`ILf&y)K} zeyq?5dyOS_OYgcmuKcNx?SClM&{x<$YWdoCD0MJjGEQg*-QbUhqa3_9`ECtbJP`r* z24x2qy@^gvY%81^SFC~l>>to?41Z47?!IX4h_oVqe>XVFpNs83WxM>!wn6&pdM0mq zU0NmCIMB7~w@u)@^LC+K{ZXW~iw9DK=cn--|3g)SOA1PO250hnw{LJ26UQ4mFQ>aZ z60g~m&UhtJC9P)^=7|mEu1Qoz9DslR{a;7WvY}cd?lnf22 z_u(Dz?aB&+)@ftIi>|Q(c{1TqK$XDYx>%Dv>}>;KF-zMAITke$$|OkJCf=DIlCn^G zE@&>YtUeYqaz=z4wooZyuk6l(lN^cn#`l(mZ9PmnJRvJy#X1E5Kb{HQ)R-mH%uIxM zs-3?f|I2a7l#@{?E zANAJciEe)A{h-=kPeNvqjlWkd8g_Oj8-~31#`=d+vG7!K2uMEj*11H>%Nj}rj(8@Y zl7Q+i$o&K>E+_PbK4`*@O+(9rg!AmZGyU$iWb4X#s9|f9eNh!?>)_c9DIjd>`)oKh zlFrewEhR0zg9Pz(JZEEOrX7Lx(P~~uA4Y_w4$5Ocdp6l)*4s-~h#2k?kE{+vb4p1` z5%=-erOs?LhaA?J!d!kh7|@uR2)b-3CknAyCo->RT z!z`&6%0h=9p+&^<3JpPzM$5~K)@QwIQ)VnK4#4}`jq4Djv}l=&mck~u&uKdwXS|*5 z+N+uugZ0*M%(25qeh73&)NO0{BhPytbgqjl}I7ky09I4y)i`>xUFX*=%FXihJ7q+f748exq1;| zxAh5Kiuz{3`R~5z3ufw^E6zPF&qCrDc%tNWZN6$(%S01Je>kiHf90;*Y4#hMhcMXp z6ql9API#2%s&(9@;}(HxBb@6e%8&)zj=z-4z}wr_+?x}46>By&3@l4d9cL#Oba1Z# zb+_@8n_WdwPSr-$gE8(>5LFckp7n=2`$NU0Oty8PFW78!qbDJm7lBBGno?&ccC^xe zG(RlicuLacL@JNE!iZxYx;U#@C_6m(>7eTIULwuR&&`O>6u08Wx=@dLNF%^rIlhwj zyp@n(vAif#*#D4Ic<+7Zj095oB8i0+%&drB=DW*!5MMe+@lwLxt8v`j917~=Jw%tuozY&mZ--DXyD>#eUO@=TJV{X>P|j^T>4404wvC8#@Ycf5?1VPWkP zU+3t~q?7r)d{Gg)b8d#v?fK-DANnYey*&*eznL`gk{-$dVH!}es9tKb>56;5;c=e% zzq9}beT(%F9K^&{-ce;&2sSSzI1b603F*LdyTyM0UBGpA@oS>d^E&N)OD6Go`;5x* zEXxYcsb3=`$-?gf9=59}eacw7u;fO6eGDhP>Ra zY_*5zo(&opzS$S`8rA8X0wAhqzPK*b+yT!sh<<9*F$w~qtLnw7uh)a2Oham<3G6e<7m+lxcV=QNK`=?nAelvH(E8$`dy!&J=Y0 z7X5sG3a^#DYe>Z98`S^K)ywnp$@OWw()MNC`*uUzcO2Ck`NpB65EGdE_Sh(|s*8`F zFpp>NGiJ7GKmT7uwmKiyZ?;okd}-BSf1NOYPE~<)TuNs@ujWvunu)2w+0(;(r!-I5 z{pg(Kuo&M~&uKP90H;l}^&;P0&osL87y9)htn@-Cg5osu&=*L6e!z|qu%xSS;abH@ zgx0lBAvFVggxgZQS{TA_>bL(XVFsIMfmDt1-L+-W4)w^C52eLLa`=_Q;!6;Dd}&)1 z6qL>;s(_ld%l+vtD(9fk9GRqW-^)72?!IF-?Z-SUoPRzFs9K@%Y_Dk=wfAxXN)5r< z=X)tm0yV8R*tX46PgTO&Ve;}jygg_7gDy(;o?}n=6`Pkuw3ckuguM@4Eymi=)QoCM zcMB0vBEzC#GLkh!&e)n~pB2SjYN<>^hYPsIYAF-aVehxfU=jy$O#^7b$U3oPh?jd^ z@1ysx|LKGyh+IsoB&{#hXr(C0{^kHE8=yOcP`Sk_adK=_wE z{Y()Nb0`=Y<5DogOgdgd`-JUuuTE*K_0X@_S7?8CS03bh#$Tb^@EP!hl_DpXDK>>E za(|qChlSTfD!Al-FH!HZO=vLt!_{*hcYmSW+k7>q6@-G*$}KfyDwESC099x<<`4Tpf6pQTzLh-p~@T_A0~` zU^1)DXGYaqo)QXpS>Xj^R|(e)&#RcAmWf>s*0nAaG0Mmv0kXQU&^o~R0CB<1t&x6h z6Q%X>W4YS_%Px*l7JxLHtTmTsWl7$jt;uV~aLNvaKT6nE%W5W!zJ+1ez zP$)G(pa1M+PxzZuKjmmqPidXI~PGZh`&{^DNL8}Se% zH5PJA_J}4wR{TY<@}q!X-WUap0I^3(MMWK)^%+etf&?F2OiUt{`Z+A@g#iJ{lWkUf zuTO8il-@ZU4Y$HZ_V*JP>1dvKgurX+CJ-IxC#{y$7C%M?!1@-)b<3_Po-#5rMin_) z9vv`6`<(2zfxk*4@e8N1t;8%x_VdaIM>?dWuFepos36k&gUd|xGoG6l9Y$3QB~lY< z;lWj2JP_eJz#775+y3;d8Ok7*EB;d7jSPy^O0zo zyJ_C7MBOv44JodYe$?iEc`Ghdaks<>6(XaOR^eDx?=ZA2m|I2qO49sT+S&^DPmq!l zXac<-eonC{)6#kHn1xZ0VR#y!xN-+_eDN$heBEuLCO$13W$}YI)UK5@ep+_MBGA0w zrD9ul-Dp`dtzhHGx+tTt(Jn zxo87|TGoQX%*#d&{x=ddJ{&@)b1hB73V|e{s&1doE67Z=COUlXM7=If6$Wk-;B>H| zS#g;At)dD;kD!)G0`2c-R*R{h7nbueTPM9gSM*H~YcBB<^`Zus z;T=s=k}VrjRB(xwuI=i=(2@_nyC>wh4MtjRM4V)#I3ybu;qJFT=uNUs1!o3ZN^t5H zUi&|9j(`n*S0UP)YeT+I~d$wX!UZvT$umUNgnEU+ZU z?pK##^WB>zSHw4Kj-09fuJ!nO!)eKq-fK)t0diNGqfzDkMW3DFfD9HxrZ|p4n$Q<^ zNLAV?e@hKJh&8^y$z`{%^{1-@#p70+iofvLbx;i&Kng;ks%s;Jf;!H#Ef%;LV?KOl z$A+y?BvEUYOyr@`jc}%c-<6<$q`kXptTy=PrNI>~)unfdtbd|)QQKY84`-9H>y|u0 zG|_I9O8kZI*5={Gc-;MTnD;$3#BM4l+kz^*%9ZqhUh+Aa^7=J+>jqJzv^_0@Gs7=f z0~I)YaGZ<9QG}~(EJlsSYb|r0>ZUxuYRjzFJelmia`=S&scgOTrojC9f|nGo&oX!P(0@4i(tQ5r-LV>@{o2UibwD7#75(ze-+-LlmkIwxIkI7gESk-t7Mpj(gt zVcw7!<*)|WQ#fAk`)M~yxNAzal@Y!0dcRihK9DRM|o`?Zs&9m2cGH{B+8HRbKb-8b&x{@In^2|TBs0)3)2(1sr2U8ZoG z0s(%p^9LBUZS)U4{|rSP>u`Dr0Wa?KB=A*$^q1FPvZP#q5MNV-9<3KQ@>m^1h4fL! z{hj3XN+1g|&+iU`Xlyv$`t6NlV)uKoIZ>spciq%bOZ*ZA`#Ksl>-M^3iZjewsBK3T z5Ax+I4_$@xJJ2rJ?AY|o6|R&o2=djtGUn&9XYN_LsbM&}YW#4re%7;qod_y% z%0ORRT*K>{V#toLyVB`~O)o6yU0KQe>7oM`(GefC(kf$$ii%irr?RtO&_!19c`tsR za?@TMjJ_zp5A|<4~qTf_$%z9R8q!StLy(JDpF*vZ|fNSIANBw7Us#0w!^ z!(T+FyP(xmbXejQQ?9StrE&On#x}(^O-l?R5E`IApI!itv@9 zYFZ}AJlU+`D4C1&_Jp(jW)I8ry+A{2=w%*WiS<~$)6y&7+Bp$tQG%K%aS1OLPwIn) zUdVGB)dR_%X%@DdcE%@5d#OXw9Y|cC!F>N^CSuytLw~=YV1q1Wo!@yNEvW-MN)P!K z*7Vwy4AfRh%nTE)YUbnCa~mq}x%TmejyPJOCSF*=w}~@Y7akyw2FMGrl3F!v`4yei zXcpz4X&6Nnz!)lHdvAIl(E-;RqTN$K8`QA~|KXqXGuYoF3$1^rOQ6k2^}{iPvvFn9 zm)D|5owj=8OtG+hhu!3o(O>H(0WaV$y4w>n{43gvc6Uor{_Iyl;z6-LWhiBE{c!YR z;pR0NUtipr%19aN7Yd1c`Ovav-4qNLUf$~6j^wiTANHYo-Scsrs}_-u8#?^(p!Sew zHh%9=&>oQ82kA6Y@&m-YOLW}_b&|VMPp}^XQC#5&tdDxPOIw~Dqy91Ct;=kZ2t%w0 z-G;~EqBbAKN;EIa3Qv8bVyf=`D!XdCJ;hix(X-OlmrFC$S=&5sdgdxJ*x?aPjXEM@ zigiCfQn@S4xo-{8HSAbwxe&y{$JTDx;eYpYt)s%F%{Ay`EV*43#Rc*=WK&jK_I-7D zpSS}*XVV}!6cO1+A8XNYn4kmP9$!sv3y70i8Y8B#in{MKf~t3%zmXA7z(Gm}ODP*=})iZ6{9+&K^4<%e9NT1BcmsUQCH`j**yPblliT&qRz zJQqk;*HF?n1j4b}@2W6qjx4+8kW2Nn&lA-pVqUu3UYF9Qfv#@KrICfCT zknOsU2d6P#ibUq38!Im5uEz4N_|3fxZ7ERagB)Eyk*vL&l4+HFSD^`!3__Ckcbp0e zoO5j2uah%<-4Yz}6*y&Q4)&JY<3n)U)BLWjYu+C$p)7WOtqw#e@v&vd$@koh2RZAj z7(?eErjTmkoP5y!?!wB6Q9FNFF0d-7GWL(=^kxZ5?8%j*yO}qVy4}@;6+&l|3G-f- zljP_ho6ZcgbkuwUu}bcOgr{^MRJ@{mUo@P8%9ieiJ5)Eumiiyxel@1$Hn9+I)klLxK|s;Q}QxvX|XO|zQhOmDJc>otsA zT(<$zz;X%-Q}k&)SF;cbOQ47;+tlF96U`S{8bc*04c==YepZ=cxdmW0dc=)+s%<&% zt8b(+d)Hcc{G1qcYwT&w_20cFV&r!^G*#Kd$Xb#Vya1EXjuY24Vqqy9Hd$}ixaHWrHoKD&Lx%J{4NWbLsiwc#zVXk|i1;Pq? zdnFgzvr$*SQiKQ|toFPw+2-IrKJ_D}vfaV7vU|VD1DaYL(-lqRS&G}O&F8Ovc{s!& zOkz1Fer%r`@_F&20L2|>n998gze1qoX9AsMY0{%eM@tcS+Sgn~?E%g4Oa9m-N5i(V zk$PR};T1GTsITjT-b`GzbjNdNHnv(NeRma1-NEOLRd>_*PyJ@xUr{dAXuf&j@Y)+= zlh?zK>xsV`Nh7g#e-9<#D72<;8vwWTT+N{p_bJ7@xf8Snu%;%`Y=bb*neQ#NsTD{S zonqp+$TeRX&}H+<;(9QJ)n%i`*%HNLdAe(JcP|+UPosN=i;vtyz5qseq0%@JdET9| zQ$^m2p3Bs8h+&R%6Rl^M(-uu;gl8l&k)n8T8-EgvYP`Euzh63X{1VxUj8Qb;7_7wRS+7C z{lByn{l%^X0~@?wByV=q9JQZ}O3|^qb!}3$fMx|M7d3SrwVu)+TpC*EmTF%XC?w_lfk-dJXN~sxq}}C)wdoPOMbm4KM1G87F1&N13=IOY-KKA`x=}{vHAN zZuAy>#@^y_fitzx;o3|GMV`eH#U=u|x<$?L<*ajqgyutf(#5l*Vsq7lOOA;S({E-b z82|jb)k*V6!^hWmI3b`^jZF}T_S0J_BIOMFxn54e1t^G6bMmjbu|k!!Oyb#ms?7)x z4mJE%u*Nh#??*Sx2!c_$N%S@x5i=pX$~Yuy->w^AuryoI?Dp1lb;s%3?2^>siLLF& z%*;&jp#`1hAathQt}a~s)<+A3%=0#fUj1eJaOF2R$QK>g!;CaLuc+p3LmeaPz(>`V zP>nJH72(xr;>B7PjWRp^3fp?HNnf;Q=gku~`&BYkuw%Z=O25d%^<{7CBp|>g9 z)4dCBe9@l^=#}%Nae6f}mn^R`VQU6@qKs@MFG;Iv%Y>VDUj^yyQKqM*?f#1CoZ_fK zv16NG`F>hp9Bh_*j!f*gEFAjWB!p)X>7K?S_T9zqddix1F+idp#u8R4IFp~h@lNht zM0Rr!5s6nNzgCrORM2U4OpK#&1 zrwX=u6El(tXMfTI>*Z=_-WW*CmP{jkyj3FetgFd`MmvS`*3Dd9ETE#;vtJ=0lc1=X zz|w*u7@7ECmhTMT#>+#E&}AnWF~H|gy_ zCa+4N&r^Me8KtZ77O#q9i1jPzXbq|{#^~{;VJsu5Kp07+(46QOJf|j;pooiw)Tji=f*jiZtbiVol z##qsX;2B^2c(jpG6&Rt{zF=7NNo15sAroaML>C?$Nr{8R@%&`yWu7kE00WUrBWU-H zz(e_*ZvTQz->Zl0?ChV9wAS9{*Wwosb-@R^FxUUxBq3nnU1#c16K6DuY3=*$^$NU+ zKbbmb9hYj5ngzokTGjewGGgx~-{}0nv$+=cD>8KBFBMEcCNj?)BlK@I!+_oRw@U{x zs)1r4=J-fmzBs~0c1B1pb(FXAR=gp5_roV?WcP1^3lJL!FfFb-&AN`?-W1% zyEl_ad^jVD>>r*gd!Ioic+Ot2bg7dv-@MF>@|enFknz#`ZEd%BLlR7Nl{d7no`hbB zIIZw(3Q(U|ip0IUtxL(HZH1qEZ{c|Ur3ku_>2pYU2VboM>iDBqhgl-+DuvOW{}V}; z@Hn8yKokqdoI|5THSuI3ch9EgNc>TT(QT$G@A)s?)}3s8%+~?q=?+~XskzgN$`350 z57-j7l3Dm1##F5X?^}V2qC$$Y~yLFX=x0>zfDh)e4?|&!7r^rQ$`22c>Blx%DF9{^EE_xjYU32qq z^Qwz6wf}_)IgkQ4@N7OK9{yVwn*`ASNW6eD4?`f4wY45QGaIAb)NbSQ)wk}m>HO$5 z8C0@=gV8_=De(p)kFyh(8Fn(8!PjG3Rwv;s2L?dWJKG|ozs%mZbjR%4HP*l{K38dc zJSHoD^6Eoc&fgBhfA-j%PPunxW@eA<>fqo&uC>ie^bw{ycK{&1&SX$nRHO#D9!R;z z-2L64t%ST#p6E^kHUZ_RRBB=hNbHGooqd?6>DT}4Q~s;Rm35waczVW_^s1RtG4-MS z!__EPK5^oj2ouHpub%Kf>AV7OPYiuKHNZvu<;maQbAMz1^LN+$Pae0|2MltSn_<*k z82{U-<^SG;VoAVNsX`LtvBbmwdnf(h8%#3eNr}iGA{C_Yu*@S=wh|OcpX#)POWhZ22X55xDssN8`@^fjuOa`fo1!@r6PR|wR0>0XJ26&D ziHd*kDE#OyR81_MViaY?%7vHtNxpu7-z@T!*n&P*%gW!$>G;JVkSnZgu({N{Mqa0b zE&g%o{Lfdye_TuX@B=8MFZC*Pd7PY`<3o8_SRw&c`b}sOR zEp#8zNo8dFrX?vmot4PF9*6*mCo*f4_*q$EZU0K%Y1)#@ga#y}C5n-KHQl;AfHQqO zJ&6Djdx5zEMw((?&FG4_HL1lWO9;*k)wBv>{R!YY&)>b+if$qX0y|clrB|&*+68hX zC+FuH%T!lXC*uY31FiHOO%`Tm375;(?lO#+fCH2PezUs1uce;{SDrHbZ^TjH|b^$bWbk(KruHgWS z^^Ma8X3ei@-J`R!{Os&(LaEl{<72>=%v3{Czr)WL3lpK4xvbc*~Kg*hN-{4?AU zyXU7YY~XCVcu;|}jQe&S^O9f1{6p@If~o{aK~F{wPn}_vi>Zs*Tl19B1$o-y()e3j zNqyo+2|w{d-*5_r4knq4;JUlvXlx;WQA}1#@tOCek@`!HF(8d3@;dH91y+7&F=>M% zI*q&6VwiR&19tt#>4vH`W)@0j4Du3GL)|Njs3@T9IeiUr`>I7x8>mr5oU?5kb;Ng@ ztZq2zWD$VF6P;msA5ic9qiDctt`Sk6BLT`zb2upaVm_RjSZ_ViC&$6|Z0-7$V|#{! zd5ThEsp8~8#Zr&rI%Sv0fnsn<_zWTdR{k$6T>t)-74#RK(v2EbGoI7MDuK`W?B7!f zxV!+28HmQJgq!^l`4e_}m$JHj%pB*pXPN}YJS zY(c3`v8n&G@rQZ9_7oL?*9@T*+u|Ap_inMzXFZoOi>2yg^fi$(PU|JR71!<`_l5UA zTYBuSr2Fio($mw6Jx_mIU?rUQM*wE?PSii)lLcGQ;F2e0V0wuL~ zAK3^-eI*$`Af@fG&u{?APL|?QPgXhn(|GdFN~etbq*S0)bsrbW z#A@(eThe-!V$Ws@Frm@D84SoO0KgHd%jEnc+ihVu>^5pCkJ(f6LWI5DN>x6Jtwi8A zFOM|Ujxc!MSE(O1&X7#Iw#MXt6BT73ee&`@P!RsvfA!OzRLZYbF{dlzJ&m->%gdu8 zd`w14s_Nq-)Z5!j0Bgv}&i;f;B_IhnCMB*Jk(wpEx@mV@eMI-_l~tPf&GQ#4`|vO! zpPS8h{#o~I`wPw52Sp50YS&3t0`;3(rQ53tkEyAYe%26h-g`wao}ZcVw*y4+e@i(g zFq-=7`(Fx%iQa>6zn}}Fn9N_n`h_Gbg&)Z@R^=@1B8ZN}v%=4N4GptRci95j^_Z`dDUj)3;C21`NO$tctb8ZFE0v)E zgzyP&YSpUpRu@~G=`_P5B615A(wH{^k3dC@G5~N%#-5~&hgQk@$j*V979%}5!rH;yl44zdoi=m!a{wBd#xUiARA1xI)%R1Rhv=3W1{MQ*RD`f^SoGoiTQb!(@bnBr z?TZ#jnqfXxyxRK6IMD59+UYT5W&{5s#ezWj@= zNySZ?Geh_WBo*R7HWHXLy8Wro?k8WrDwT+0MUg*`1=6?5Ky{uIxS~~sSolg_hqD)#y1%~ZmE*SI&mUa+<`XO z?RzN{%eIODwOQ5zy7VHh&_>m>a9_=qX+qp_#pGVK9Z!=AJ77Om&ns;GngQ&%K7LNk zUr$v899KGk(`(`V7@6v16MPwrbyAzC!*j?R`y7+Omaj^nXGXo}u7inwExVUo%eAzy z*=ME##9Y}O5+QGS_S2V`sglYNzjLf}AB|`K9gf~P{){H3!MkV@+(DVGo&(VYTXlG5 z5-WmV!#PPx$mbC_vxz)+II>r&HeE!uKu)8#M6g-G;p8c%<~73hwMui^0!970oKl1e zCC1!wtMC1)dXt!Q>A{}3>=*-+&q66-m7O=LUSq^y@i4WqHRU2XN;-^Ci>RjAV`86Zm+;h|ISJC9H&@vhx4!I~*)|wAN%t0GHHd9fs&{LnC>16Y% zcOlL9WP1D}KBI0`=FLi*k*7Q;@lsV*#(XLsGNe5Sk~Q#NDfe{k&Pg(zYg*h6Qprnz z)CSd5Z0^f29V52(#td8x(_5wJgapA2Kb==Eo^$WMNVhIi6F*}Tc$rBBK}4sJxRXSh zHtRzzAr=Zvy0y=W^i00SCn|cbd0Ml4qh1#>7xDRW>Rk6xBi?f!Vs5a43J@z_DBay( zYa>8DKKA*b$bfqzF-Blqn^_R1wBT*#G@s+jX{aiRy8D)#tfhKPc9OI%?M=uD+15o8A@Be*?wf#@syyNkH;DgE3W_$3EYSK-ud_{Mjwvk zxkzeqm@g+0r+z~vkL$O(F<2we`0uZ(8soGwUPO=2&pD{(X$l8FxS}SC!$+87jxDz} zVW^Cl2ap$)tcJ(<<$2NUCmN7qD3Om16=o|}SXvL7bfb*Y6ov)xsuL6dkW2khdrm?n z!IU+2lB)~ASl=`T!Dhz`$oFly0QD(JIw$Xx*4fAV=mA%Dkt z>J-#_z+wr_54$?|y!Itc6*;%U498Z(NQC8WTBXFu&mvwj;2eR~_)Uc3jxrnzW3e3nNhVj$me zOYxJ_=9MU48kCwZtX_Nr!|?K}xZqi0BwDd~!$PqdhV^ofOu2|)y}6!SdsIl&-IsLR zzewYL{e}o}3CHn*Q^i9Ys}gla6|WON_t0WS2Lo0jBnm(%WfjG;u(~77V6&>e$ zjF0c`w?r)>Lc%rcwH_ofq$t(G4qzNTKHG@DSA!~PGk33T1Y;w{ug`74<}6*afO>ga znB>%FAEoI>rG$iF|sE{H3_ z56LOS&~fia&8l0kJe;IAk|lbNLGzYxG40!!o5axd?RsHm~h3M$ygx1+rsl{FG80RFW z>^v9F!hv;n-1NLzsU0xNn6S5J(Mw}wgZ?3%|$=XXF|?CjUAWD1MW zS+b5f#l7D)O!fHD`Hg^dWRc+nF1OnSbpflqoz=v5_$_zCfp1mH<>x_<=@OYddWt7c z<^?E`V`0N1panG>AaCC+aB$ZF%sPw?mR+sS>ivtY8S*Z_POt`#kHA#*3KYDz_CZ^j zV_AB{w@zu`Pa8L_S+|qrky1p|U)L1f4tzJ3=q$`j0ezBt=$F)gN&c|)iVLr2OcwW)f1<}?> z6)nnZFCu(%GNUQgq2JeC#&!-xF-0daX`7C}t|w~0o9Y0bShRK=v_C8Sro;+DRZ+R+ zHv)>AyuOcd*7T!y1NAK46pe5|HyT;id zYSZ`DF^$q`JxXy`k&Sv|kHo5z8KEzf_eg!dpom9SWIz^j-Z)5FV44)@~C z1h3VvPnUV<8emEi5~;m|5M}7vk3uVq^okoQIg$h!B8Y-?}Tu7J9F$0vnRpTfN= zOUaWzWfFSth-D4evW`dV+apB{PFj{<#Klp{Ga&C|k1g@k)~<*)R@bZE5H;=aydy|# zZl21`G3_YiuhN6iw=LE>wByscnT$#cKvC{ee@%NIokq+iam|vyDb|sR5NWx0!s(V~ z5s4Ob?te8Jmmw&v@WP!vPr}G&gJ2#7!viGV#UStO7c9Tg;u>2Zqp#W|VVmPah@)we zgp9aXq5Iob9dL zntT#iBErY4h?WqXt|w0zEtNGZ!$E*y-Y_5pa*YKNeI`UAzGuSP2qh`o43oN6*bN1? zu{{ZmZY}Y*TXF~}j1Y+_0^R$y$NnU@z329Gl?-kM`j>2g?W{3B+4SR)y-1So%7dnPBDC+l4@d27ci%IKuZ-M+vgz0Kf3HyBzi*212=p_$ zsR54?EITkqw`V!x{63EHLSUqxbl8vcPZ!zyen&y_^o~|DcA54>)exg3b#OvhQPRg` zD(|UvXCJsx*PMIg&^jh4D@@`-SnDQey~&H!BFq$G*xbed%hZr8p)s-NS*pOMnCPtw zM8ybGC>|q}zFOM(+brEG+AN&1Z3?Yh!UEZcvr`;&NqK7VzgxGaZOqQa`5eLrw}!?t z)b-UR0rl;|#`Xhxb_i%H6i%j;^Ic5AoD*3lKwm^BJu%JWY?k?)zj3B^@a%Rpjjgg1 zwz72)rC#BMvoq_?h}N`K%Kc-eKh{z-CpaFYl~&(kF4i=_d$7n6Axxw=*LA*ZwAhhW zzbyqesVCJBKGMSBhe$unOtrApQ&xT}D=XVG(m|QZZ7ptWY`nJY_fxZ>EQ!x9)zNzz zY;w95S;dIJ!?T*J&0=I@>-+fe{?^j(UIp7aI2LebQv2$8z@S7;mPHhC%3RcBJrP}7 z%Q@u@!dRc?FbTm4W7MiCz;mF`r^se=UfAID4GM+2OW7&+^%bjEt=I6}Wx7P=wp-EV6d4yc~SJnVi*ABlIpH z;C!nFCM`RL*l&U}og|I7ILFoccuEhLiabVNRCH+LFf=3rEK}+|PmOwD<8aZp5GglT zSB;Qi@h!lcml09pMm_YN;^y`?e8CuF>l87n(&5*nj2JO62mMit;&+CQX%cj;pYX%A z&u)9kxC+YbAds51`JvNQXVaq3Po^a1^^MA668<5Y{w$ zhWf`w!asFn=0SkXOy^%LoA`4rS|pZ74|K{`tv(n(ZAIs^o&GXDKE8FfJ>hb^CMA<5 zcE$4kg~>fUAu;n6njW~B@_59gH!%?{+On(hml)0R5JA@qnMX4QukS>3HZLo2To4l= z6_}n3qxG-=TyF1jz(m~cgUVhGYX>2=Swlc?1o%R*KyP=2*V4s^tTiZMe$86Pu-VI7OHr0cPAWm>()d(iUe_tYzQe+wC-;I zJb7*!u%Jt`fwR!2Kb(ZXjywe6+qd=xUvb8~lxeEsnM3TVlO#!JEm|Ty1sx|P=M>$f zv3zgWhEJf~LfXwYi^={hYep8mCd+gnVdmZ0i0Th1hgsNg^7q@aWAswKL0gSA(ytu8 z>V#xqz(x`p>ViL^29q%uBUy^WL*2^(WZv?1=b)Twm0(u3zt(UeC5^{)NDGlPX4C9F z@&91&EyLpKwye3h!G-_QH6p3SbJYVEn^nli?ipQsI%$kx&&E~)rRLLM^_F+`2;p8Y{7eqCoB z^phUseIh}isaQgsb-BsA(7sOvY7ntkOTHfutK6?NC`g%UxA>zHkL|cf?mgE>V)58X z`&m9@soobDD^USRrJUit168jt=<)K@IE|y?X`mfYA&po{hDPVvt`b{sI(aF-8v6?g zebjQK(V3#Hx*$#rOjlJB0r4Yie>ef-^{|;R#{EI{mJ8@Dg>)*kKI-PM%OLmg20xq{ zi9Hz!rMtShct?)QmxMhH`yHJXjk|d?O4*yCr@K%2DWDOzq!~6;)2qh~zx zi?jzQr7Ig7=cTF^H-I0ig`$F2LbV9KYq|56*8uU8UiEM z^O~wHhaJ*;`{;7yWLUiMP|yTKQE*4{UDx0-_gDLss#9Ui^~Y^jlckh7Ymo#Te+skY zXK{Z5RpviO3kFk%m7QW>_;sNaakwBLfIyVe=eGgmVqy#>z}#?AJMRzDlw&+MgkSRA@7YZuzM8cHeL$56#ptlk41IWw<*tzG~Ey-)#+;sxO z_a=Bwy#&2s_^Y*=uSOt=>}Rg^&5mYM$xMvYgN!D+=?)m~`~iNu zg?3P}oCs_V|5V9uE@9XRb=S)BK_Tq_9mHW>oAm2S!;yBX*o)`{@H{a-K8@$-$OxU% z?XUnQ#Nn@ANNTDy&@!#zmuPEmFZO}oQ(DXy^CBh6yX$iDrG}l%=f|yZ!UTAu^zUps zNh7R)c1J5Rd}*ZG)C7#TN#WAB{VS*D#6Odrw)PzM8W=tY`h@%3vbXCx&2_>wt+#d( zQw~VCzONW595KDoo`0%Aa4>6Iv69dF2|**b=Q5|FEI4BLGlAtT=^K#Fk#IV`t2(7~ z=TggF7)pXEf6Y0wxDC-=R5}`oe-@>HX?1T_&s`q(RSgRrO6v8-I0+?Nu;@H-Xd)oyf=hh>7ReDqJzQf@p zv<%}sYj4oA-Fk*(nX-KJ_I?9vi!b>_$%-vFJ}5FpnpodC!O*J{apJ#m;h}!0-jhfa zK@SXEJT14{RW3l+wd!smp-c(&slTIBWf&Nam3k+_GuVXRED|!G5dh;x=5M&9k%Z;izuEoxMUK4>?;F>57Yc5q7 zurA164V$Dyv+brEthA%r#w*5yXav=!=s{Yyi!IJp)RL;h)8#rE?gFaNdYw!xFpbEc zH#`d)vlC+0+|CD<%wMVhkc4+Sf$Z|L z{c=o*IfY33I>&&mR+3YvRx@cOq<$mAl|TO3?(Hq-Csbmq^VMuX4aRa>b4j$hci4!Z z43O`eDN)ntQzggkciRlbpv*BCla!PDSyXiCunedyFjt5J6UWNMLzh1AxI_Tb`5(aW zdZoxP<{;?Tl^7XTq*L`eE(?cu+ z;*t1+BsaBZ6r`kG2kXqt%pot{?(gr1Ns87r>&%&19)=Pc}v2An}4)63T2yCKaF*}Ib#pk8k{IJ=5BpyB~reK zSk&8yx9I#OrBf{rFL2WuuGU)@E#7bt|jH%C8TyPj{QJT3!z ziTM=0pN}=Jz@0uY)8f{$0$v_rY>Cy>q*IY)O?&&F)>GYGwPauBZ)LeXo$#uc&Szd_ zrkefvlyO`xDBX04U>M|$SV8kOtJDYO}Ikgb;d1QG*FRk|KWp}v`c z)>HYIegHKPU7+x&J6dBk>^G_3Zu7&0O7=@z?EsP-Iq7EJ@|KZ1g|HT++X$cAsflpW z01Uz;U3lAE8CiAPDD=GB55>o);51mbLdgGR&251k7?TJ2P(<+ih8M)C{CQ;u;c3#Y z*A`@Un6dLynohN0vu4DglRXj}3kQeBGDUT4yKqVB7y0cj3Sxq~Tp0X`;aK&IO}Quq~Up~5vP zCoQN=knSZtH7AOhq0T3Yn~2_{kvg{&{p*^owA2_n(U!&aeFD*HjBktNt(%$7e#Xsp zNV!JovTcN+c!uU|RZ}(Pim7+=mgBK)0He{^p5Milk45ZcDQp_;*ih*#`&zinv{uCi%Rc?^W#E7r8y@P~H4jmnbktJdU2{I> zO3nA?wRK3K-O})Z*UVd)aa4s-J_ef2Z0)+PMm9Ev{d0({o<_aD6mG?2$ysA!WAjHP z9rZ}ZjLD!J-P|X0#RbiAt@$o@?Uf$R{-rc1wBwmTeYU80r!Oo&J}lz&DhN<$kc%f>tAYam5&=qJd|6E*JDN1LNZw zx<1Vy)QXA<6AM&l+V4-o8PFcC<1RK%=8tRF{3`*y|L(l`JlKlDRH8u#IqsF#n}z+s z#2*QDBk`OmkX;k(6h~5&&zW#Ttm@XPb|L4F_3Hez-8EY&4ZJ9Ob)VQ~Rp0NZ&AI8B z4<}$l&u-$xm{lS#6GM~8sPRAHvV3(l!j08_lb;fu?;;(yyJ?Bt$f^8@`9Vzg-s9-2 z7x$5Y<>ZNJO1;r2A<%J8gv}}EF^^HvBhp1)X)OyJ%`9AaFc#O)%+DsGOt*;Wa3$66 zRH`m>RE1h|D>SJty%BriuG${7@j*?4lW>XbL5|l}FW#cGa&mX(#!9oL1piZh{>xpT zTl9AL3UP`W`N^?>0$A!q!-->c1&xf6aeT;}hC%Caw#96mA(#jCZ5h>}_2N}<#1hu|&CSn+TD%yb zt;E-xz$_6($WA>BGSAS%V@S99VLL7#jQY~dzTP^HQf{Vb6r|NDp=sI1yF1kY;#qJq zH1w0h(`RJNJ%e8DtJDxnXik^&KSz1LIr122lakYs1P5^TK^OhxHFn@<{;SvFKw5RZH{vc$hIo96cFz{B|vl~Jbo8^g!e+1@_3otU@Dpzk&SQ%* zyh6WSxlbl+x@bfA62i!AAHUM>Nd;QCXxvN(IE=Kn*fbH4Q62KMrRGb44-iS9KDf;v zu5!0!es=by<<`{H^v4acZE3kTtgMY{u|!o^-+hFNbG}JZ(4j`@k4>>vx&Jxf*yX~U zju+)lYQN8Gf32>;cR6ifAZ9$iQ?JyIS>)Y;Kwkg$>R4{X2@T`6Wordup{v_1g_P~N zA|(+{@}jxl; z^gv&kje}fOOVCv>_0js$;jeyPPnRGnAevG|^Wc10cY>rj+`oq?bgcv}bnj`pSgujt z->Inl_LUy%ol%L@uck*CpLR!T+*d2{VOH51+`90xdhJ_UugLRJ)3iF9RDeq5M592m z!cJB#rAo#@dSsvZUGxi3w1Tb>9r@f#yhiP-v!!tJiQw+~!32JNEl4g-cp_5uC7_?Z z_1kce%l2*Fwz*2Mh)u2*ly$j{Ev8L*GoVTbv<%s|@#~SStWRlZ$R0DOpCG5jfqSfw5grlC@S7DLR&QBEt4+|q$F0`Uqxx3}atL=Bu zIa(ZU%#e&1LQn~uS-<**CM74l|@FRfv-f!p=Q&Cp_%*n==ayi*Hk&2f~=rCkMx;%c?B4Ro00C!3Z(Tqs;} zq6h-jc}>-R9ZDJiRnwZLXakWCa}v))76h(s3?Q+lnqTVj_u<^QN>?& zvWhsEFpU7h5b^Y^)(epy%SKvlR47^@oXjLBGsE#td?Qp%&WwZWZFW};F* zQfUcch4NQxoSe6Jl}1fODw@WBQl2Sp(W}SGl^<|m)8&)xv0@exy}h5!CnqLm?5OMU)Q3BR?T|L(-FdETGSSVEL>w=q|`IJ}C* z_T6Z0cPa`qqx!lokl*nwxJ6sNUo4(Bs!@%FHF9iQ;)09tmKQDA)R4wrOtL}EN^ypg zW0SlR8F1h0dX@q#RECb17%lat^`u%ZZ|boD5C!A1)VtFlx-X!qf=H+N89-0uy1lLK zGcYjD=K+3)k1M?GfC>Om66yQ;@U!-rs{Bf9`qw|% zFyrRwX+VydY|&H4B4F)a%u`qQZH`ktJZu$!h4AWYXlxN`ez&3Ly~{i2+rHX=wV|B> zQm*^fE$*u+Ph)sQX*9U58{;-x$f32jfU28hJUprnfXhzCoZ@bnZ zr|x;P05Qpwt;3{_zB5mAL1FG-#53+uQIbz(Z|%8-cT4;^+**yxGV70^uSR|IpGepL z!ZrBkFY0~(NNJ1f2L}hz0QMwC_%-4ibbrdk@od_)-|*?oVB}>@P0f{96*%E_6+t0i zPFpJRsxYewHdZ=MP4~gT0?sT)QL$EsinG~;)wFT}RXPvN){JN-`!+8Y;fq-k<7iL!O534uxo~W*|MHu_linF6rHHwv6-zAKfJn)QDl%itmdM<0~Eyogj zHEX_80`23yGTh0ZS?Ej6Rt`kr4b2u`EQm56HP4Ag-7@=dUc(d*PPCse0DA3}d7?ebQ=J9{FlbVAwIF@T^HzwKaF zBbU9=9v|`zH`j&mtg83IJGhf_N-JP&tTKTqo!=VUpn0Z5?kCZGqDL}arssXP$>c@~ zkx`NtQ|e#QDvkla%TWis=Qhyg`X?X%stYkmD?Y$$cGw?`pd1Pp10 z8@8a02A#y1SWK$Y%kvtJv+LX-cD_^PTuL1uQ+D%Np#q8|e^{;ch&cJ>5ktx$hP6|7 zLTKtM0TDGNMk-_^By)#%N(_#hJ+JTD)H0M7nr9Og8{{*%v9Ynq1>WJaW?Rl2;c2A3 z>yZ|=t5RC_+Kt#c9iZ324_u;>e;)`_Z()&gafQafkWr7~>_Gu5J_M{^G7IVCXM#gs z|EOs%@n_-uX!vMGXI z#CGd1GBVwFxmva9j=jp*PB50`O!Y$MX|`^}iQUeWS}spu+h(^SWP=L}S04;*bw2;= zr`4 z&3omw(*m)$Z6-sEo$gaj*XQN>xs=!7y?6KkT*;ed$P1Ydnj#yGO?uG|e#kzmMC`H+ z$wq2y9 za<1|4?}eqxr+l!xtnCv$jl@Q5sn#RWVfUXI$OE3C`8AgKD4$if$Y%5opzDV{;qT3# zGb;btEr1y-_xO%7>o1VT_CuAGBb2;2tw&TZDhQ07lQZsD6pRYWYLW#W^7mB_nH_Nr z#?m3z@cB>9RJjWg2?##fcRh|OW3-PnX{ z)!n7tZMe9EJiiZ^G3(Qz?x5sFhe^%dB2mylQ@x~is*jG$`y~?>ENF%*Fj6=_r{$mKQ#N% zTd@EfHCS|S*A6c(FZYTI#W5M*CZwgwbUxImCXxVPtc}zoN@%&5G!Kc@@tq4HW$h0r z0bW>aXvjZ*oczN(by<*x*6vGx$Yy{g%W<&wf@hlSjW*^r=;DBINH%>+GiF#|OyhaD zlh!M1+H?VMrsl`8Abd7U#jjtpFE*T90u9YLa1W~qRDsg0-2K-H#z!~8pAMMjf7)mx zGjGuHsl=5Wjx55kPAZZD_IfJ6p;#{NyXAIy*pNn9(yyBfa18AiU>2djsGR83RFxz#5hxp+u%SPMtDbo$=3b&emEM zw)S3p3NwwR4ZeW~({6>}Fyz>qb@ghd#e(e!3^z!Taa%2)qfB-M_=AEGXf%U>03uBU z8lpDh4a&u5%~!N(ub<}PJ20z+Ueb`}QHc-Ruiaf4i#?E;v2_^6@XIHKoZF4^Y+Vh}02p6H7#b+&c)!`9y4zy?eF* zK&IeL#|r{LzyG?a|Ko*m@afzxQC`UN$3L;hR=sz`(nPlIO`^UPi{k*CT6w7hDr088 zyHo)E$_>CG41JkUZ0<7uG_8ydIqS6tm1@sy-T+#jLu>;nbgSN=-=D&`t2Ma#8D9UU z34T=fk<)Hem0$V-CBpwCdO$e8@er7@Wd2w{f+JLwWfy<)vBK&a-|Xp53)fbBO~SQ+ z%Z|7G!D*0LdGa{z6e5SLm1C0YHz^-=(6b&so-a*ofpy3EA-nGK_kZ+XW$3uJicmf_ zJJC>tSn0n5-~qX_E6B>F6^*n~0G>)3BN&mZ8A(>5t-ca;x-3Y?y1Ra`A$B^lMAcUp z&5%bKVivk_Ypr!npKrBnJ=0>cQnOT^#VNp5^|4W}($l=N32JJRr(BEb-J^@Vczv|) zxlAJ9E$+&H-!Q38Pa@y}F9nCXr}H)F&}}Q0H5~ReoYH2)eJ9Q%z5j`U{@8noXt#EfNV#NqiB_8@0D*zT>UvJY&7u#&ym^ z-HCOLvhU*wciYw;u6?qOI zKYg}`gCD$r3c#BT*OTR+jE0T^OiV&_RYvHjz))6U&g!w8dMk}^c0TNh%2_#0(10=t z21X&$u-nBY%d2q`xAjlwV{561`$M$ey9Tjv^`2t@J0;JhFjuZq&Q8@RllUOW*lw(e z{%d7LZ{*IEDN#-MEdj&ob*Z9xk(-9~qOASk&MEfdDN0SOLm1!$HG39wB^XUa>4Nkd zjyUcC2=-?lp0xX$V+DYJ`2z*-T$mb*vdxVB-e#p`xNdtJ8%TTrMJkiYOg`5qld$8+rgE&3SP6Tj1P2*og9;xi>T50zeP&V{UY3k z!j_GS-%tKC?8yJ&o(ha-a{z#d$n!23I{OU8w%%8)c`+LRKXX5ZwB~&sT}V2tekF8x zkY^hX6Y#t#jvV}#O+G2r4+3v=59_xjxb z5?+0GxjI8NRiluV!^HB4lM`4HX7{^MKSawL7X@NsrdYlhMDm!%rX2N}P8)vTn`SY+ zJ+tkya2=~BrBzmnbF_Hiu+@b|4G^&Q4~8p-;3Pg%Wp7wupgtMXeGQs#Ga5!XPb(HX zI?>-;NWA+XoLqp1a9ACyUsDo{YXH<{KIVT8XX9Dr7QQQT27wlyYC5}^2yI5ki7VRw z6nauPE29uraP8PH6TFlCM}FGs?7i4@apHun3=av2=g6>>*bLOdf3kT(9Y=HNwf&JO zq(?kpqS!kvVE$1(AD6@ccli=fV1(bXGIl7+FbqBL<$gXVSbl5rZy zHk{@=g})FojH}qFfU~%pUE@;Dpa9C&u-ebr0dMJfMcGhswP+BGA-1&B?MOa{w|Mq;^!ZAf(%r9gAFh?PB)7mb2SPc>9dHO57>S# zIYSrx+6aem#!<%?pHgnko?07pem@AV%Vp<#3*lYE)BHS2BJmt0w6Q#ciYV^Rjm^dc z(B<`P`x*d@UE3EJe=noZ*(u8K8Dp{l?;I#xFy{RUv+duHtDNT#Z^CkA$obxpo4{}B zN+^A<(^0=jvIbE|=ln^>(Cw#)+VFIrMJ1)Co+vp>8ZJ52r29HHAgNKhP!B&SwYWO(&l;|wo1F>w20pbQ#HJa2 z%`rD;Z17@n;P%{>#!%6jw_K<36GHP%t4m6_${ZlT4qavm@biBsU-OXh6~G=2^(zxh zOeiJ(7^W{TyZmOheRkIUL#SLk^J>|VF*!0iMLvZ&Rz8#0CULF-b zoafJwwFZ>-{{Xlb8P5)Y7CU*dBY@Jli=4oI$GPU^Xs}~68!GvA!$Usm+c^;e!45`{ z-s#2QMR}a}PUJab?6N2K{sn3R`lc1E3$d1pE?8%{b#jwvVy(;m#rXLiC^Xxo;&wVl-j!_X;vZ@KHFuL-G=(@*_unp{mrN- zKHc5ja)cq*J5}K8SE50-g&9`6=qP-kK*J40z4r_q00D$zuJ}ZsXv*}vg3xzl$9ZhB zRvgSC_N4$Ivgu0o`eiU$5G`t_X$qGOD?jA@za&t7B`zsSng;c$;q=hh{H8~sx|C~(B9>`|9hN-pQGMCZ>iYEJq9 z1PeuuKF}ZhC`)&xDgtP3Enx2eIs%p?H#R7YS>U-LuQwzwYJ|-fKN;f?`-t?J`PgKb(q1y5oAd*K$B}6~@IV*Mzz*(?y zaVZInqX!DydetlI!}k`geCd0XC<^%1ZndIx+HQveY^x6%ShoFy3BB#n%RLnIXlbA zcV4IPoVLx3q_VL%5b?O4qz8=Ffzl|-ocRhV>CmO$vzW%aBkl?#+bV-VhqL7!!P>7K z$_K+8NYezs70r7&mm^()6J1{u;*fVMJMO!n=mcuxCP{kc_s~bqi-m?ewf+!{?vW`4 zfp57NJIPUp&F6hqyp{cH6h~Q_dTtxdyRcJa@m-7gDkXFQ`_0>rM=x&{3ia$#!_IgZ zx8!n`C5Z0?av}7wptX(_*)0B1Uc@b#P@)f9|240Q)heQ2z$OBlyYzdT(Br+;E-$V9 zc_haw<}?=0!0>g`bwaV?%u&N5m(TQAIl*WN6G_V;bzrI6W$2-=PN1o5)&ZYEildfv zLd@%D=-;0peSGrtmEe^6mtAW66K0tcj9}% z&6f*GicW|}9aK|#UafZTlr^~?Wn|=IQWs^R{ zpn5H#bcX!{jCehA;ilt>Ltl~YNTm#B__Ff1yk?4AkgH1l?g^r4ZaK#+`(wX!xyOf& z#!c?)G@7?Nh`|J{SPIj4f z^P9}V^^=1ARlUf7R>yWT(~Xhy)m<8%Hzg?c$I}8w_)}*C1n}Fy=O-+*!JQwHsAz-@ zg~~tBdSr6oBr2*N_8Jqs5}mo!2rE_mnFGutZ9QFZ1&Yt6>%UHacxa7AMYjDJBCr=1 zR{67Iol=r_ZL!r5d}f{#;5m9ZiLe&;6hX=R@nb^qR2!c12wY zV&^?DReAhF3%A7e@(9*qyN45MxNi;?rgg5|MkhOXkMqsYor#{m|68{Em&q$uAz99r zS)e0u=^V9Xd{TE+; zc6$c!6EeBzh5y?d-(>s(<|2+N1v_8%KvMJ;8oWJ!LPJsi?gLt{lm{f+47`!-;4j3# zUIsY}>9o2Wzv=qVRd|AgXhD+azvEP?(7oe*I^O`Y${bR;t(5zIemU3isLS_XZ~f=J zvfu=nVhNB_+P~=ms)6@>2~d)^&tAx7f9nqNiL;ukU<1(epZ9hx(Ec?S|DT5U4-N@z zPTy2EtJKLCt2FQa`^x_F-~AsMmpu|XqVLnEXa5JkF7QlWC;-BwzgY^!{^hgoe_V(j z48dE1V1T>)cg^O%ndM)Lht2ymp!3CeI_}@zh5ztKN0$KBfDjXqM*W9>{+m}7&wvMp z%j>8e@Q$p8?nInKWkq9ztI9l>s#|; zjr<>Y+K*3syFMv)c)4G8qY3n|B9?`(+Ap@4xV_OuSM{oBDQ7)w(PIeTRum0+h>&|LO;)J&~JmB|C| zXt{aHdbz3k?BfJ8QrMTLd}M%{Sj7G};CKiNIBT?Cs3|ZT&t&q3?H6W^0Bl7JEIeoB z1_%17t7$6P;z^UyM7D5rxVX^8rsZ6P(amCMez9t?LyXbhpHB;8I{@K<1rV;e9xl^q z?28}~VECMs<*T>Un96;uaF#Y-q9o6!;*6tY+g1O7Uo3}K2y?j4+frzID z`XdMJ{#vN2=l%UY890>j3OMJ=7h0T4%bD|Y4@$M`OCD9g27aV;F){PM zulzZs-7tM)^6qFF4DWoDV=cKb%ZHmD575fNb6oR=-Z}5{InQdD<>#+Dsb1V}MW;FJ z4Be^e+5LWDx-*opUzEs==t3f2p7f9wCWMnaJ;0%Ba0AlcMnI?c;ab<#y?3HL(}{v# zh(#&;dF14e3-K#+tY{Slz8M2rR`Wl3qRtV@WvzsR}8rUS#Y5h=rpFLvPs#R-R0CfL_ zv^YMVf9GwHOJyC5qV%J7G z1xRd68SmIS)AD>?VG}&VG&k%`64bL@O;S`YsE?Wb@&bfechU}B^_^2&@&P(-@N9PX z6egn}#+MBi+$Z&O`X?4q-Hwnkwo;ACG5coY7n9e#<|`%dUSPVTHF(F|LX!-9stYMD z%(eD5Yp@WOBX#Bzr0XB~7hVVYkBHH&BidDZT5ggK#>DXSj8O$1&el^Y$UApat^6*H zpMtpaBbiY-*S|Me-^1#F#VAn7;_t|Q3?}h83y9$8*`bxfa9y?!?yUB2F91@Z-q+x3 z{@cCW=moH&q42fL^Al(>((k2~8mB!0rpNY{-jrsbi$D}k%Y3r0EeUFvtQVoHN z`??7cmmC8e>$wUMMW5BSW+Beb=dCU$Ut~Hwmsz>aKN-xgoE4>w_>G?oothSt{EZXN zSD0MUFtGDteg>F+MfOeF#=3FEB^(v%C=S`zor<+GZ)QpKz zf<_BCaOp4nj=Qo3bZ^OCZ6^wzuC_lPA1)!A;VN?4pDX}BB3|=-Z-r01)Zp{Dvdcx( zY|I&e`Q)!?ZTB^FWA{_8E1wmt{!T(pYO$8={3!b?d6=PW61w<6FR+oBEq>_V`^Fb$BdO6`b2clP67RlUraJ-*CO*RSV6|Mt}a!3O{`nPxp*M z*@6bm0N|#|EoJ=B;0V=b2Q6-c>-371DW>wI;(n#222fnk9KB&*?xUcz<3k?yPxisY z-P^L6p^EMSawC^;jG%vyZ?=d?jeTY;`Lt}iC_L&EKE zwosSrZ$9!pzwXi9?k;vr7ivs8zIK%>kYFkR?yJsfjsg8~h(#yy8YH`k$;cu9i#4V$qRc2(0mO=1WD;#MH09icasgkaJIcpq}F`tgbNN6 zrM#YsOTKSaIF1#7Ao0NAOVvIc#E_1$J(GKR{oxvL!lweP;@d8cC2+akbsTz=*WE=3 znD5JCQz76}aAQyFwbLj<3}_m@b-(;8&vwG(+zcVxEJ^$F%`f&Npi@^|VAKx?d;#tW zP-gngLZY$Gh;9GtDRQz5V>|0^7~7nI&)p8wX<+hOaOR#C_-aBT_eYqC?utNf_QAvA z2mdpq!{y!f7OiK?buAJ{(k*r)v(UBLyz;{eq$5*>v?Ets zP`XUo_-9Kr7&#k#%QJs@`%`faDbQ}Y+gY#WbXe3#&`)JYAwgS5rtfG+;@xRS4x9&j zxpsyVm~e)ZE?XN-4qa+ZmTm?r)GHLnE}6CZ@M7Q{_A;`Wi!(I6Azx?`hf@s?XNwG7 zO10Q1JLP?JIwy`K9me^HQY|L3E5Lf5C;C$(x^0WH>Fv{W+Vu<-6%SEGDuq$|%gwce z0|RGbMvJOKj*IivMv?4nlEyTJT*{R8ne6ICkVuSBojQxI+w-l_fmpIgUitz<&(ros z#@Qbd3hq_ue4Y&{oc1}fw~Rb0o|w?VBQLtAfT$ax;mviXS?F_#Xkwx*BGy*!OBOw1 zISTDM%1=2sjEkH^6af(zUui0TV!|kD0hPlSt0z~P%04soj|f;AP`J=MA&u z(QUjvsU7F<_$&nnc!lOeCMzxEhILTsb4#8=eZ`ggNsPp=%0?A{z^0Euoqcd$d0VNe zSqpB$jKW-jLvg&CzNhU>R68<$BW5v;{APE0ne&nJ9-_#HFRtbE!Z$_- zNNVL*s~dxvp7{%RjGwQ}1fgn1!Ug>k>dJZU$vMtIoKgJ`hhCB_6b@)y zF(DH<#eh!`xsip-_5PVAAXADd?!9Rhh3jaMptnr-CQ#n+V9kN4mRWu6ISYnAly8js zBAB{^-Z`d4zqWc#=ZZzw4y~Jwk^1G;^_uDyYJPjRu?xgCQPgQGq4(zxm*f2=p1Ub# z5j)$I2i!-Vzaw3{QwieEC85`Q`b4|%cT`Vn*)d>e-DuDGZ90`-&)LjT4K$ceCJAvi zK8@_PSwTHx=Q-RPrPpbLeC=p7B{?KfDR#{AUQA)oYe~JoCb+d4+@C6R2eU+6bPo<4 z+6Dlo0Xq#}^BG>A&JBXPnpNsccp6m&t|6dnXjiL7DMs8S6$dj`J=W-xtxzT*cD_gF z1LN}YgqUUwo!zFl%pSf#h~2{%$F8^KHk>$m!@87PQEWD@zxq%Y{aA6gn^rk8lEU)f z;3063LABK89uD=9ZF|~Fg3_0ovDEl)fx-nFLGqh={1kdCT$qWpn%LS_azr(*xPEr&b_UMq>- z5?aLyb3izWFZU|)DTMbHTo6RY>riQ!#=+3%b(iqr_Q1-<34PTut6}#DcFMBT7Hy-) zvp2%xg)veUEx@$ad0vo)9gx;wD>_rH^&eUQW@Cs>82nQ15X@n_>{Z)*TTCVAt`J~a zzOoUVmRs2|^w#6pndLzM4szN)-z%+PCGvzaV;+hxpejf*=RAV9?x&8o<3@i%(uvf1 z;?MbYJ9g_eHYdp`0e-NU{rP^#eBnOvZr>Ct6R6$DLg5vb2|=SZ3;2}dR|JCMzI$&t zYH3aPPid`z)33Ar-3|_9aWx|!w*!aH$c)Ta_K&n#;e(f1uyGDG+FlgC`28^cl?Maa zr>EOL`URM?${+N2PSK<+?*raF)Qu7HZdq}(uX0o8`QW041KpH3CZh< zlzejWM+EKeS&W@_rw{zuL@;lup2HwThk4KL;X-X8$pZp*I=U4tV3TVUg;}`jJg0{+ zMY-vAOB3>Yog%7{<$aUle%^}*QeHm4o-;tJ_z5Hf;@&7I_6%)j!UiE;K$>epD;sY0 zF%kpwN&CaaaK~4vnS=X^=3RUi0LGN8PJZ9K6~$w?c@)~_nF(aWH>?-8+i?o_&puM{ zUr(zbyiWja`Cn4!g&8iXvB_sGhZQn3^D$rcZkBA(dQfOQN0|C=p9RBC$J1M}lfr;X z!^q{BIxS^sfW{ya7gNfVTaK%{xVZSoU+*;N&x3nTLq%QjjY50GF_p%y*tI2{^cKJN zgcSf%a~t99Q2 zQCvtjN*$TV8SxHXwe4w>N5uh8wD3&Bil51D&fBJQ`likOaJUm!8V4_qQqKeG%?TGY;GC1VANwao0Z=fjYr^roj?A zv*vlq2cCNEc`QNX9N&C7#shZ)8UAz)W3!(Wr&MyOZEWaR_e1eJ#~5RAJNxR`{f?t& z6biIbYu2ACBOAiys2-HzCOHlgYkP|S+b?dH3gH`-nI zM?(#x28a~iqgIvexV7H`X7y9a>P;usE*4UDbwiE2Pbom`7n3rKVz_gyWCz4eDFXL< zWVzP{q%x3eUGM9e-ICIZFbnBJ-q1ww!+C%5t+fKLl0`z_vA;E#?mbq3BR=O&{1jjH z-HyFAh)?@+!01H7!24USVH9ZT#ERH$T?yR%ien=$j(M&I4g*^w;HPFQc^}J0->$kt zj2?AQlT;Lrw|2aHk2*Y$YV9`ylTxDv5WiaI;C?kW*#@0S?Q%iPYbG{rUD|kU@S9+! z3H+pXkL!@oslg1_RjU@4V_dw-5Dc;)_x(okfb{UxbO}f7tu}-% zG-|a61WqQC??0&@l;$Tda)J$LEcBT02wid`Y%7;hzf%;wzLvLJ$Bg1fvr$ogM ze-exSTVPK$fH9Q(?58A?inhbV!2^S>Jra}MJ71EVgw9e3M>4-2-}Yvt11?xDX93D6 zyMTd)-&L)SZUrSU#)inO+E5%()5ZN!AtiN3kC%$EJ1lSP3-w9B-LX(RZ)OVpPM+7` z$JvPLuH}8dU$|0~d^Wfm^aM!oT(|jteBE31JRNm3$i2sz3T4eITEpa*`ch!_DR!TK zkj!#kRs31EXpX^7(i5>9k5IiDme4L%(_BvT5lQm&0Vnzc8Rm(~p%Q_?%v#ZFJmWT= z-5qz{*k+5n=H1DMLeFH$t5SrN-7Em>;uUxvS}}u@L3JpRbD?yO->3w9YQkp&!!uDs z!2}t~do?1=%7gZeRfS%O6yC@nj%QVO(+ch(vc0URiwz(G-f>Kr^pzFg8>&*W1;Usz zT~%%Uib5bIjs>J{jKoHjK#9|wkwT$dY{a=oN44WoTR3dNmNpMS?kZ=X5Rac=a|rm} z;L{ZL1uv`10tcsdq+u2JdGgemP+a2S%74kt`M zf19W**IBNYl9w-&_HQUq-LLV9&CuaUEk8_x5W`Pk0nvJbBHJEet*>c3^Vazn*b_{`xG%AQ;y!mmbu^^A4K}0}`N)?dan<%{_y#=L1=q-jSf+8KHcck~;tI}HtHK9jZ z=mZE5Iie>@KBh#QG)_5fG_H8!WYTm{7vbXgtcu2800yp*@jhzM+lFBv zJ1`Ci8rPcRU8ExTgLhucCGFUCO_Rs@v_0Wb zEq2nH5fO$zn)xn$-DU8y#J`ypdHxsC=A@+@3NQ%D4Y3xB0?0e>| z5h;=C2X67`y6x5zN@02l91=+@^9k{j3ZL%7w!-$`l24F`;QO8@i=Hc3J?C)Me#{b; z6Oaesoo_Uqe1~G<d#1sp02d$n45z%`wY;mWu2aB?yRwY$z&41rlT$2rl!L% ziGFM97m?-kTPNcs&n4PHb@C5Q#bOl_7=Ipcv`G>F-5pL1nfJoMe>I@Qq8x<;a-lJ{ zljZL(RX@>lRS=lXSrV1!sixCtw9Gq@8@a0AXL>N#L+iUmyg}dnt>;(fOUApxSVCUL z;yNSgfuhppnEsHG?#j+a5KRNtGq3*2aPlnw1I$|s7A8XUxyt}cIKkkwXNL8T94y{d zpOuS@NGJu%CeIl+nAjR zyHkY{BB?ui$H^UR8-3U@?*N0w^f-hWz;9^VGX1P-?`z%;_V0%%*=W!lDsR4npHQ|@ zIuvlKH`y42zq*xBR=u!XC7Z~@zvUhi`?iJx$8SWhp{SYq`e!WBm?+1o3xglsdCr5| zhq{>ByJFCRICfl_r1waQNf`nokFSt#YEecr?I7H0NS=7cO)a!MA2kP%WNS`F(uwsU zilBWfV8a#_Bwz+C(_r1C5;Um_M=>}nwvE+R4Oa=Y@0IseOA%iXQnjICt8)*4QCncZ zJ;7PSO-&{_u(zl@?aVCKDW$i1Bos-hk7nQ&^OSw!B&AeYZ(X834B>ZsmWRq(HBQc< zuiD~Yza3w)MdVvzXZWZ|rfRP*94H=+e@V=X6nRA20W5{Z`EiBC@ostxRM*o!ks# zY}-{WUL}Ou7#O4yT=eDvLgFg4Ze0pa2QRT4Okmryi+uV}@bZ`xj=pr)xZh*}cbJ#C zVeIMK6Ur4xJ3n@?;~m;V4_P8Fu|}4uHh&K)v0D1ZcBw@v<>2uS$mIWzdb$4#3!ZTd zdUc#U;K}sUPh7Z`k?YlDOixnhjs0rN&rkWmw3(Zx?{oSFG-C3YlH*MmK!V$)BL4Sm zahCj7) zj}7~ueR6A=z){pY6H!XXMWR&5Vm^f7hp4F?@2!`~M`LPLL!_%uJa&XGVbrSkDa^Mc zM7h7tZv>5=8F@5ts8vRV4&xSP$7Byh$OxN#BUOi3f3JhU!Ib>t8?+YOEbmHrTd)rH6NSgIvSby1HeN< z)N|QWw?~~4`{OJlWn@uue>u*%p%PDUt4y|Ff@Bi$V>-F`y!zQYzFI*6()(#vc0WE| z`%O{!(fwuvBSaq^~=TNJJ~8zeUYnXdYY+(H*9a&J+3|3cIpnL;L3cl60g>O zr;GmHJ-mi_iJZ=Y&^#jvBn3{zJG50JH~6IWQ7n;z%3|e6jTy>eBI;fh%6c<+qeyv7 zw;B^JMin2PMQBs23QCc0X7?-NBT5H~uT9Ub@g&tx99-ekoZWGKaP>{Kpr&n?oCYb0 znN|!@Se@po^~|k_BDi&N0U9(Z@5&mTpawxXwoq=`jG2Ew7uKOx7@O8%WNeh!x!5O7 z@$GaU&6f8YHdsXLGh(nTeIxecL)n!-QaFEn=g9QisvYx}Y95<6l z*gWST6*bB4q>SDOFZRbGPR|&r4_9i!i8-1%OYgu3rnAl3E{<>k0jW!)9S` zB=WPvO-q^3#|xesZ3|zhOqx{`>Ae<%n37Z_F2*?k_HZ*1FXvD~O+$Nig7BSXJl_o< zA~jiTJzgY6Jl|m9auOcNrP5Dd6EC76vOQ$Obn^O0oNe*=Mt>}K)Lzn?kD5D7EHS`s z0Srti5;E4@_TWH#TzIK+;3W!_=U@XX7R% zRr*%`s$MdLo(E2`BR1^i2momGtlymVRZ3Um4D5-d@@ub&^_Z}U91Oo%8ntVc>Z#P) zyeU6(`Sr>-h>lD0)uN`(!Py+tIJt+$lbI1e{QXTc*Ku>h31((6L-Hy_eypW!J=ehB zN3q#s9%k9uyyhm7r^2<+he2dF;sULeFUU;=wkO#jJVeZ3b zTw$XXJ<{5eDB)zH_VURwlJqa#kuv48b$=50Qvky9(lnaF{nao+I$579h$^<~4Ac0K z#l#%4|M{hT1x@my-quW7tzrl<#cv&BK|%=&M7(%}uE$ambfpawn3 zjHdOk$sFp<$+8QXtv87rGQKIXQ9in1$@KDWmE6iKHIqvV{FUMReD*TIum_$I)klf~ zmPSSVl0dY%IbHMHv!ss0v6L4T1sH*_70ny|>hoUPA4pY$TB^J667OUpyW#@FDF+r! zdU8bN7)>+96~C@0l}bV!VOnw4bE(Dmphl(VjnE|Af!Cwz6^uvcjK_txubV@=H|m`3 zWc>6 z_Sh`>d8U@>0-L@7a6i-izL|2eOP~EdCK(9`=v`C0u~-(ctLv0iK6w4|yLDcpG~T5B z`9L%sIuFAP@*oaSDgcIL)805sD0a2a&FWXY70g=7i2{3;(AHk%t3bnYHz(?&nSSjW ziU8swUmSVMjFF@_Kn2*j5k-JB6y?}A$MPaz#|wd``@q!C&Xhdo%!V?6$V&^H-Xp3S zz}0(_@LpxVIZhtijG7d(6_|6?;GAEUKMi84>?~bqR$pByw79UV^6qd@*8_E1Z#x0- z;H`CIuf2k(o>}HGL7(G=s}M!ut8?NOC$*sn0D?+x*ll-N#4MqG&L#|KUml1;EbX6+ z0J@cWj|~)J_Af;upwtX|a4|iok*mai>xpBeZ=q*Ws@taftH>2R8s&+zu*pPc45#~* z8dV|73&vf3-XOn)=#FDghBL&c(0=u?n**p%^Uz)B(N-cq%evE9cd@5ot_enj)A}0d zk3>pwfWQm0Si5d&M)c6^^q0@kmK8_Zj_fdhnW&3=_B-X*_hEEZ?YF$y#LW92CJ$D8 zz29qve!157NcAuNon$tL1j*O@e$MkfD@Y$NtT$DtP(P$xbT`QDYXi9E5%79A5-PUX*DDB4_nV+@G4V`1Em-On< z7!#tpt@8p=kC)X#{yrd>-hyg<^Uz8vdq4fVs&+Im;!M_D-ZN!7nn{9HX$*58v?BLT zCo)csbIGHy=9yNVG4f5tqTxbxvh4hs^Rx3#nGk;$dyX&kIc6Ee?1;4hzJ7PzJN44?6$=q(f{csa7i zI>$UFwOSf`Cf-m%n8DkPcnLO5%{12psU;Az4LIf%uUE@Pk?2E3wfq`L=APNvH>*&q zw23O~ReAhLo%vi=Y6Ktu+}Y}U({9ofdzoWqtIbwZJKC|qY;_|-w*hBRdA_bR06(lp z)OKr(Gyb)aC51X+IXBuLu*D&GIOLha4N(jn_3u3aiIvIx1?ceJQS%TJ4{LuNta|Fr z2hzVw0uRP`%;4hJk3^|uOAP1@;~s1G?7G;_44=C!g$bOR3M$mw;-<3ZvDybk^#F47 z)7Wwn|7meHtkAU-iUy*^cZm4#ya40X+6MD0)%#>2f}hITA21Y8kg6UT>gLkH#J;WA-G&WVB&E6M>C`|2)Jx+`#&x76kh34JLo!LgN+j*e+ z&C)Y}Cq_S;XCn@kjVeMbp>(j}3_l_PuBcI^JQh% zs}!^nP|q;!VJkz!60yL*sK>lf3SvxY2`dc-1jZ%X9sFj!B$y!)?A=Tz6(u%95^k7Z zs=*t#*cT;NgpO78fBWL$@fQAdH(j@Te(E8zsZ<~T5xUCoaaSPle1!{s(Q7b20V1+& zCt&bq+X?oWsNQGOE&qWZ&UGOQqYrkx@hrIKPW%s=aC{+O+GF-S?J97b+$-~VroHgf zo+Q59qx5#;Aa~Nl&XyqCWG2e;c4Hk!;HRbJo8H>(22&t5tG9lPsq)OJi1)2cKT=9t zgq={^S%g0^uObgwvga#G+EfuA?ma6BDDNw_O&HO#qs44)D4#cq?**QLPIh() z9gg&QHYT_=FeSJ9b6IyMbc|u(8g4Ojc`xUy3p^E32|Y~(%`PuVu1%kKOnmQPFatyP zo#f8H$c?=!gf{ZC2(Fn5MtA}qxPZ3(Aqw--9xa{wq_F})x zgr%hdi1Jse&t!BGVyr~7H^}raBCSQ&baXNEXJ%k2(nAELqYvOXYp|OZ#IIr8 zmgWv+bOX$B>ood53y_riq0COno&NgCYpY1p0kRs?5Aax9_;R?Sk!&MMyY!X(A*ADz z<{&jy!7@Ug2B7mjx}+CH&s?Ol7At{!4@J|$>&#QqFo6~5*lZ&}u3N=tjFOEst=kKZ z)Yrg3@Rgkpx6uv;NE!y+G;#07s2=l8Wv#TAhqlWYin>D#CLwvV0xMgy3WnBSnBkNK z9h@W_ki~kl47w!E{F1M&;11e!_Dgf7y38e9B5pQYxkC0nR4V4SGtELmHeS8gw@f3% zES6!%U!RBH77hHeDYRWZ7K*gVl3_5eBY7goX*fQZEWmM0r5W@d7;ku!^>^_TwD?44 zD*b_aGHn3P2L~6B)Exf+XV-xXhF_1nfzTNj3OBSDxP?B zneW43!W!51okL)d?voh#hgKsdWpvil)w2%ewJ5M2_IPV!eg5J{Lf9hM_hKc3#6H7$ zWf0zKI}7;!Y&q8}l)5$~PfJtha|Ky~eYC8)4_Gca^8ZZAE*~V3J=D6Z&fV%iT`|5S``O>y|ATxc`15YQI0Zm%r42 zmVV+6(HDP0j&ko!emw8{`r_4*m$v)*qQ43(O}bO1ez=KMn6H|K^IOik)HPh-RN;H5 zD|W+bxiqN#)bQUQ>dV&WYRu^Zl#wG_osz%zPm(B^fx($uo4Ljsp^JktI1fV9^c0UxuMDh_!et1r+lSIcWS349X!JA#+7Ha6 zX@s);K~ZI?rF`8>D)+8p{+C`#^j5^Hiui`otIUv>3ecJ;z&f(zmA6#oEsIL)sEQ@@F`1YDiQ; z&_~aWWa}=Z+`g3ctZeO*#H+?V8ZwwgbUD;iqC2(cA`i}RvQ@o0F~`-ic+WYtlxaO;)W94Zv;^5^ksk!5w1)o=OYiik=~$3 zWn~)ad$DP3!`;0DP&x^?bMe0Q!+HqgOx^Bm@o|n~{Pc26_{?Q5C6#&6xO_n2b%I8NnUzHEXepb^moK+Q8gNqspAb zA1bo>$y83SxW7Bp7o~lnE1&hcP5W?&k#qeFD~4^2hDXI4nkBify?dcGaQanWnt^b~ zQB(D~LzlzV(vhtVYxAKtufCW`YX$=c!eMKkV9>{Cy+VYl zAevNF^ucqvl;3h>IdHX=dgy%&phzC5`N*W#M*K_}OBUovUl^C_u~7hEpbM>m{hzEP z>g=+gy&JHb^Zo3+P?4675(PxB=2K<->Xu5BO=)IWLSB#FlZ*BcIpi=op%gK7PUO*b+;cfTb3+>jKLJvOm{ z$l8VXDAz0tN`EbYZ{ul+ebB>NKC9c1LHBOnq*M8q>5NI+2 zFIAtRd4>d^=O!^DLWtdb_ z?k93I$-z3@HxqeTU}DP27Ir|*T&9<~Fy3^-QBQ!KE#vm;O7kzG^IEflsTO(CwuPiL z%kq@z;08T#h^wz63`|WL-pLv6w2;14r9s8R_#?{_I@> zdXZ1ZQiyjYHnE>XPsnu3O_bH#wryhl9W^r)y4XmJh;@p?`oGoI2az(Jn!M7=54#^O zyumy+M#ZZAD)+e6`|NbymrTWMzc{}4z^RoF8V)3AlwxDYbNdE%0S3WN)jvzhHfYBv zvf%4Y*OquA_r$hqowsPcet8a#)rcPd^8ej4560fl%6RFvGut4ku~8N9OWlMmXft@= zf+(b${;0R$vCL~VkzAt+xxY3MA6c{G>6qK3Bx{X=%!<`yF221}c&)sdqmIw7SiLZ6 z@6EK*=Lm`-ODaIWFN>{3Q-&bhA>35y@mV563^aogfTW@=zj7d+g9Kw2^z@K82#H-Q7xQW+P~{@;a$~1x|P$B+5E|Um%oZa$k|Nk@YLXC)cQpctjk-%Znl2p zZ)#y)^(Z>9%SWm08`k^hp0iFpC&?v~?rw-^v4MWnGNR4YmV&yb)ft}JaZhB6Q=pF| zf?5P==&_!|)xH790lN+uO4Y=r)}~_DbdGwTM;uGkQ3S;Si1(bAZ+fF$E@hg8ua6;; zxol+TRJin&ROgq^OP?kc4qNV;HA5Q&%Kd?$Ecb0;Lis+?!<&iE2o5&|{x;Dm)_oMv z;dg<@((qtaQ-v8A6|-dYe2WZ#geA@MCTl}O>UB`V1 z2ODlm!)*;NmbVtR2(*%2?^W9B#ux@XF{A$jO8DceiswN4kZi#CR1bg~{0&cs1vmWX z==@0?C5CmX#YdqM`R}fm#bGBp7TvFeKw5!Zf8ozzhoiyWw3cEH-mU^ za4#+%eS4(rbj$-W_stzL6VA5auuVvS?ruUU>C0AjauIT|}oK zAYd?`1OOy|uP%1ZDO@W%*Qa?ZfTVDsGl_CkUqmN6v^MmDznyLkIe1tqFw^jF8u2_y zUo-qP-XB}liCui|7d!ppcJwgn&f4-idtSRS^zN@aY8~EnpA5QItHT_Pgv4|_rw64Z zg4&BY(cX_V3dYC=bG}KG!Kzg%P2Vh;#nuH$$26Eo=wwsH3J5sucqq3UJISGrUAyG_ znqx85X#18Itk>M0EtHAycWl>N@964?3n;gvnMqk;7VJu69^j>({n*t}B2va>{l{@= z)Z!3{yM3_D*a~ed_}iidBAmS6$f=8rs~rv4qxcNUS^+aMXX!0l*nBg9#_tEb*w7m& zeGPx^&~g~paB(yfec4g~eP3mv2iC4C(pd*ec>doATBMfU=dK?h8GRSnq+o?xIyCH! z2>FcY4exV6%6jf;jyAS2#v0DG`Cj7EZ_K6I&WyPfSG*S}Q}Y{2t&&Qq{q%Ak4Hl|^ z7p*4#R#1$tuzFG{#qyDD@(U#EbV<-I2rI_+pEj}AVatFk%Ri;t#J?va1@v~X;qw%s zDmdT(`{WYV1E@j?R{;gYy>|NyyP4ve%dIJ%x$IuYJQY1#at`prM5b7|y0jd{D)e8a zuIq!!1)6ndgY|ZN_OqR&Xv+(4VW-6p0z%gHHqpgxVMxR!i}k#t$;HjP@P<|6C!}J# zO=W|}PNpV{f`6b5eU-6GWahoDckIpLEH)fCXg6&J6OV;UZA(LiBW{M2p@O z?vrrg9N$2tD8Cj7jF1>_8n!Aqtgoj^s1~VRtAymOeLsfm&0TqLob8VfQmTql)Ha6^ z*;gA>|G*#b*x4S%gtwKTA1@afGYur$-KThvP_9oJn$-^~tn{Vi_a@w0{J)i-57R})3_*n@kvK1o{hqh~X(m(y}dlL{;wmWK8 zh{jtT6_vH#Ic){n!~~$&;u7QtzJ^l70B%Z}sjjM_;57U*9?z)#k4#vHqdLI(X~8e@A1#k7;&Xbf%}>t*?3dB z0ZMeyHUk&wi3Rb1u87*uG^`^ySzAqZP6TBNi@9H!ar#X`Wapf2B!kr!Iv@)paT~)? zg2kb&6sM9`h8LIkeFJOUQPJk{$!fYOk}i02x~8aN(+}|CBmn_78YA-TY-*@8OaQ5h zoGu0suJVCWzyQ!igp(89O4^xvAp2xNrt5QT9$;Iw0Qg7DXL9iF=k*08P`+gVzd8{@ zdVyOQg|4O+u_&QtczF+TXrG>iG+11m=0h23tRX5+UCQd-D@+baT%9LCUkSEwBIXW1 zpMJl3z6P`@!#P2zvxjr<)eKeDEkXt6@Ts@jYxm|*YCi6UB+ zBLu^w9kLh}c{Ip#b*KG~>ssU?-f!O5pjOHu0GTZ>qh{Y8z{b%dX~sNUsD(t^^H?Ym z=j8e%jd=j(sK=T+VCenz8-U608h(7H{N0B^SZ4HF^Zq1-L;V|lo2!2lw-*rVZ%y<+ zahVO`YI8xf(Z^=~iNyL<#z&$U_FqTA$}XUgEx={;vu6;*2Tw_C(MjCBpuUjw=n zjV8(KxUn(=)l zYz4zo+*aO?R5g^9ppuPh9J)wBiB_fm<0ToN}DsCEg;)ab+8S ze7#bfhJ;cMq+9>2XebNsV0Y@xKf4r@{V|@tV)x)Pt8%g!&k6d&^izxD@y}fC^Ecg! zlB@1v?`s}R^csJ1Y`p%vp2NEBG+|pqiah|#j07WZu3JgpK+YC4rnw5Zj2@0NRm65a zN7BD?l@{Fp0#SaQ2RMOy?AjgsS@IHQzw+3%NN*nl!aGWs@cad0Rc-LMPUsN~r>0)b z(RMzn`@Sqd8pH^9=6@Mk2Vj7j56hm;GF8Ogf+QjdDUH?7`Bvpqis6z-Ph2e@tTnED z_)gJ5X}W+zn(|Quuv`UB^$ak!_3xHO-Nq@Gfr6B;Gy@n_w`d005$@{#98r3^qO?w^ z)7kR+SI2qRbj1`4F)amVRJHZk<7;_4L87V#(ab}0U%R^Vmh!ox_VRA4hVtE8P899u z4X3~Ns7MO`GtOm<;l~6A+oLL&Tg+q?FeUNwNwE;Gf@4vGHZG5kt8b_ys~Z@nS~&dx znm9c&jZ7jVEn-h3Y`1S*+`?r$zE4im2tsZhlgo-R?Nk{~dRK3U)O5F|2_$0ZFT5A$ zA#lBuZNI|^G%`W5ti`fPD_=IO1kfQQ0sfh;gC(r*RTGdjMdj~A8U5I4|HpNb<23iV z>_8fiUO7==KwRLfoM|bEtp!HP+`!&E3wIxwDi>7<+%CvV;|2sU{D4(@H`*0TZ zevVthna|r#3BM)DGT1@@_!%>F9g&v2Z2$Wl&^%n~PYiW!gkUlNI}z%9iS}x@Dfi?A zP-_IQ=ce||_5yY8Ah}VKQzHqs85d3!o3{%Hd?3p~(=|+KAKHPbxjhlz%0&fgJ+@?X zWr{k^GXbBVt#(-drBEuj`P*Sl4CTcOhp>5$uT|IJVSwefjH#B^M*Q;Fn`)aj9uNjy z_{xw<%;pSSihJU(cz{WOD==dpM&>H76K)qvnowoJ}3E;IE${xSI!KET+MVdD>f5_3}k+QuAi-2 zFc+VT?^Zu|^m>O=(16pyUkUaxmtczt!<3$TM^D@JCLglGkdKSJF?gFg3$BoWf> z+&X=)9%(?n(9W7YV7foTqtf&oKXTB6$qboS_*BxR)&+}zbhK0{$(|%$R`A2 z(ZuxY-VBtZ#daDmI+|ZB-rDx7LKfcX=Rf!sQB@$i;Vz7^(wKVi@vg`Ap(B~Kh{G1_ z)#k6mm5*a8d?9(N0>q5U{EA{xU@g^*D!k;aB$+fF&O;5x2Z#^Y>xWymB}~p`hk11< z)3TOs(kq(nkeoXE>1A@Gm7qs5zFc%oHqJn>{e~B=PUGIez(oGr5wEjj228SgTf)z! z)r8Q~8Zkdx&*vld?))93Gxi6~80}KsdBo|^wq=q|8>QW&VqMc|i*X*nP(B}XqOlfZ zWW;}wCyyKaEQ?)D-%&3rJi$~b4wkdv;QckeA6};#`JDH>VLUT2HjwF&MN`?%ANQ>L zi~~$U!qp}E1hah=#-pfR!oyC9>$R{|32(E*;B>u%)#ZEQkRLv z=tWb1<38olks7b5bfg$7^j?^-Oyt3wdLy5?**mQ(Ne~2B2YO;yh?weTokL)U6FL{rz|yl3Sz5kTz}z3Iruw9V05I$o z_i0!G?Co}eZ%hJHRHO)_={*%dmM!KoZJl=mzh-=O8V~rE9K4=}pH4PGv5);e+$(%p zT?_)-7`+qQSJ+}+Xy|U3U!aWe@Krp{!NYX73K}%9o~&xIRx+8CL3J^?6*E6(KK@MV z&)YwrJQorxyrQJCkzJI8S;x|8Z!!>B8)CngqI#sZ>%GZtl{nC6x=MHG8#FAYOS!G^ zf(a-l*g1l@i56T*##@mF!BCX;2}?fm!?3=JiFOS;$(;Mk7(so!A>un>ISAWt7}4b; z)hW>^0D3TUmdTe-SXlZ?e`$cs+a{I8DKlWLzsR%Xthl1EmhUECysqNskkgVAFe1217)DS#BAl~2gqpyuy)C9wZ$QzW$8RmrSo}@ z7;rbGJ=9x&FPR%KT`I8bYM9KAD&MvWg&3}hZzSGEu&i5^3647<#PG-1z1nANrhOL&_)ukM3YI+Z(D7z zh~tY~p~WB9c~FB3=afb10DO3#-O1*7nveYNCxXN2#Ln#k`Mk8(f5!zleIBsc0I+dB zz-Uo_)jE8pZL+bYxmeQxuX}H)r~DX7h1Sa5_Hr%;ICeDW zs-jtR>;$T|@mlf&gK1&|2Agbnr10Un7m&FTCs4L!dh_ln(l-LQyCJD=*$uXy)#A_2 zfVu8H6L=uHIALdwrzdtEM(cf00Ogq97bsdAS#oq(iXZyP$P8q9@B;ZQP(y0FnH|zj zcnU?!cXb@b6XxAJ>-riSy)~ah_Chms?^M)&HX$QS$`6p3OZ1>O|lXmn&q+xSJ<CT5YK z?X^E}j=~E~SD&-Sd`iW6kEEWTGH?^cK|c^=Z*7hBq;ryA;)3Xs35QShq6LK|0HUz} z?6)YA=#~Ze&0#;;;JVoKiNs88xN&&G`|#~J-6t>RMyb%@d^)Maa~#^GwiGVX>AED& zpnaOz(gFj!(cNX(0K9jd7=CHTeS@Z^NQ=A2E#i<;)MUC{Z~^<E_yvCki}W0ebrkmmKf~%hAEFhNh42dg45>QZ3?3gp$Rb(ru zL_$oSU5lR_OcfEZHda@KeOLJNM3Qtl7w|H2)Q^ICtS;IoNYpRR$tm~u&# z&3qr^RK)}LpU$T1Kfo6@pEMo;mamgVO*{JgwY%uPg@blM)TvWrU7|Xb1MV4QWA%B2 zsL9KggSS*#^x;XKfMUlEP%v&pV(8&-ger_gpb4?h=lKsk4OhsE#?~KJdG!)cX*=~$ z*Che+*N*hESQubeJoHt+0n7+|K+Z0?8N(9o&plCu;?x1d>F@dx<6Fcq=JiOX4V*Xjq7pvFsHhI8IJQ|0|slCajQShapRVVkO_bM{X z0zU3w8_PlqK@H9FcCnY6Z(87EIRB(Os?fM`q%E*Bq zW|9vmrp_*=RKJ$Hp9BkXc-PufU+ogIUcrtZ@N86l zK&aS@Q-MXjzrYrPiv~v%t3sR4zoZvXpU_{vJtJv3Yk`fCZug(rP1f4ayieP{s)FH? zDiH^~TDU+BZ?3xL<5=~pEF}{(j`nicYl|oVH?|xrAmWq|pbRkob_(s%FmMQH!MgdkW)M)F zWcIWM6kePjhMZd&o3C6u{_P{AfU1A$kixn8a4Tun&5)xM3zM&asObaI0Q0#e|9ir{ zcxD@1{k(*op-RNdyyo#d&+IdDt-w<3@7$sWU-gsO*1*;K0wo#kAn~F7=I@)U&dxJB z5+#8;0$@PAu6Xnsn;Ny|K`$5mj%AASCvr2Kf+~JPod9k&s8!b-w4tXkj&d{rp%tuh zAYV5OG!5&+XVZ!zK(qZz#+o9HP>@`(ci|%~)feVnT8IL|uYHs2G({5ojH$sa=*}Qg zZ--cQmw*{#C$+Pn?kGFe^+rpR=+wUCvTmtyzCQo5?qI<{Wki1ri-wm&!~$=s;@1LY zr&-JXmPZDRFNSh+oL$ehzhw1qc+hLsF>-Y6+nXvxRN|4?bFki)Vr}b>dR*bLc91!P* zHP12ez|LC$-uq%z&b+dT)?)||BD<<`9={32ALR2NG%F5!0NO(thMulD*D>YG6bhBd z$8R_DE-%gkqrDcezkd2JEs}j-)k%)B^8aKOx7A`gV2<~)=z$}%++-$~yY#5umK*+D2n^NP0Onl%t^V}9lhwS*=^G2_Mmg%*dJox2t6&=p?#XSf6b|{{&c*w-DCON zq}u#)aAE9zvmBr8#3=8cXhhs$v)I+bA+#^lc+k1$jbUZ0&XM?Q2V_B(^>|~A-V#wI zCY(B6Q!S;qbT)ULl6$(2r)j$(uV4jsEm{y7i@(;^+0@qwZ?NNN8_+7zoZlL&PP3lM zFV$;v3ZYnsjTs#Q_L=j6%x_FqWLX1hu+>x>663$w9LzwE<=;gQil6Ux{8%a=eDPd1 z`~X2BcA$oSvzEYR>a}3{qWvDs7>IaH#f~U1Ja{g1Oi*dI9j(1fxE%HyD>y*Afg&Kq zF@(`f!wRu4PQV`z#pCZYl5xeixT_+3Ui~u*pyjMcvtZHl;l!D7TlrcK240p$=y*i= z5UH=adEZF!1>&90A#2%T|4b>etnnt1BC*R|R)?Y_o-Q3cYCjCrhdFG_>Mt@1wi0-X&{&G=s6616XLbMrzw7Y6{TUTymanPqEt|dZ>+RPF z9o!Xd?e{NfR^QY^G7^KlA=@TEQg{X?EU6{wdeKqJ zbvL4UM8a6`mw1))ak8Yo`#*}`?%8?9=UD|;_o8(4!%mnvTGZY8&R{?~vM9++STod_ z&*4q5^zY1!{cd|_5}dkQY<7KrED!oS5LmX)p$LvT!y{(Z6gC5Z8?5Ne894V79{($K z=^yEUM`4h`PFWz8#<}9b;I+@gJmyR`sGUEjI}Dwn68JP) z`)id1-vCk5@H}H5T2k+MJ*LF25Rj*5c;6t=pOg$YWd4z|jHJB#Zz;>cEPjAo4VePy zGhjOx)X>@YaW9RMRz33nKU;zl!M>dLu;i^137AA2)S7z5d)%YNUGKN;V~6Ga?HFbP z(8-WTR$0Mlev7Zs{zF!h3Sbm&{rP?o+%o-80N|fPAP2w(yeHMB;I*16u(&TJU7UOv zJ=N%5FxBAg0>m>H;_~Nvx;4doX04>!xTOAsA9~0RBq4_&FERxFah9qP5>?wyjRL`P z90)NW;!;0tGlSrtDYltJz}>N1vkWXIJQ4z6Yrzyi4o|x)h)xZ3+g6u*YAujV^mjx` z!kCK4*cH1jCmIN;p8!OAsPO^~lAHC&mJ4)ZNMs6PRh@BTYcNmeM?G@6rd6cZwP?>mjV{P3B4x~EbO4wig zTeRB$!;SL4Z!0?NZwY$pQ@(%v*DDYK5DBWX;msjG@+=yd2ZBfh905#-3%w?HyMJEj z6X|znN82Y_e21^;(6|2~e*grLoPcJ6ACOz|0fCo1`xXVtBFHjh2klZrYp~azG>_vu zn>0RLN!AU`Jz#&{$!ACcsKRzaV1}_Ba2I|D1QgiQc^SgZQ8iYr|I$_dw=K7;L#I|{ zq3qv-Zfj4)Q2zUtfja>|8r?QSef}&YzW1)*XakEB#XncopZMDUowZHZ0xXlYU>x`!L#rgrU5PVoQvvVP}uAA8W}849WY@-}~doq-G2`}CUVCFcI)ssD4; z0rdNFH^f1>`3CuA?AY}`UN{-_q(7D%g&D_r;V=^x9sT*61Bf_zRVN1pP0I<%YtqFRh1z3v-ZTJFv&9VU^cJt?kU! z@>Gk`=lvY`AS`)MIf8AF-&gYsB|8aUjY!HG6Fc>B_SC+?&PGt7NSV_LWSqzI$%mkV z(R%;iV5~;%TjeU38AemaD`Rj`uIPX8`<_d9u3j^ij;-B`k5susB!8QT;b30s8cT36 z*;%7I%4oB+rL=Uj5v>o!k0ENdrZ)>Wr-}L12qg)#@$+xwpFVy1nLfZFjmUDRA-X}J zj-f$5ZHZ$jaSU-4lQ@7C#eMsWDDppkyvhP)?AEF8Rqi5H=$_{_buxAiEOa~*(Jr}L z*tFLt|81@2ctFl)u(j_O-<(5U%nn1$8}@w|2L3%y&v-=Ug?V0&6x&K><= z^krs?W?Zb?Ww@JN;T3yH6*W(zymtD6MHRHvfS%!VlYu_@9}8Ku<_EayU2UxR#E(3t0J+F0 zUO~_$I<8XHn_^91`s;EZ3IAIUI;Gpy6blY!X4$T5!#~@7e*L&61ZWrBuzjS|)a-yZ zG-h&A7sv7J+3OcCUJSM^E}9e+7VgJrnV6W+KYjYsv^no9puM1Y{q~K#0{Ic4&sjU^ zm)>?Yy~jHod4~7ZJek0!#6p+*#tNRM;nPMx!&57vIDSvZrCBPI>J%5+s{Z-IISID5 zvNRw{x{s?TlrI`PpUOIx=eq>a&V7CjMCZpZnSt+>cis~#OY&x)F=kc;3lvHpcn;U| zFt9g8Od;7>ePXB~zV5aH0q~wQ?^G$7o}@hq@1swew7hJ#wQA6xsR%`jp?6h>Rr8*2 zEqsqPCy$obG<+HM?egQh?G`uawJk&prve%eazr*4`*l(%{5oxbL~nKvw%Pc|9(GtJvqDQO~*Z0LPcC=2mIGbL!-;Lb7H{|M2 ztgX;$73ItKxvd@{bX8WlxVNOGS!MWMU5vk_P79ypoBDjE38jk%8iWB=+W*&q@*f{J ze-Q;dy@uWR$Z1<%ru?bK=&SwH*1MfKd3hqiKHKKz78Xg`-T=^M7jb8e=2K`=QY{nn zo!i>1y{_lxFIj)yIwI?J=8W*Kt~Fp4G!E>QGn$yCW@clJ?vqp^Y3&dbvpleMS+ zjkW)K-}vn^48Qo?2IPQ6{`9{U80sM@>9>V$GX{<&C3Sm4!xX^N{l>)96fO(`fs~5c z0TR!-$OWK`#e+V)*Q@_65CboNx9YxYs*7ez7T3tk%(`0y%kin>5f@UQrg~Jcz==^c zhDB@AimpM0zW4t1UB=ZpS5Nb#RO@YxFO)ghoPz!p0r21__}oBcemIMO4^vC(o>Y?! z7=Rp~mz%FdeDgH(>FQ)s@Id*D+Wp`f6|dZB$uerX-EeT}I}nYcp+1TWofGb+5+Goa zkK!)&O|3Du+A;osx+3XTx^ilJQd}6Duy%WF1Dmiw#O*tEtO(SHKg-@hh}AH#lpkw*7@;xKk24h!F=L!G-7X1f*?sA}5f*=6vu*j`K!<84q?2njVT6cWO#xpaYY3$BK9&6{I%7Cc}V-D08BJNv}fL9>N zN&U-;_SX*(2!wjfN=GZ(kzoU?z3v@03kw}X5LOmGjb{ ztycJAK>6y|NS;FYd$)==&P*(`Rmw>A6R^9zp*DvE!8DZ{o=Qkw7`ka${k`c4|K;@% zIP0o{x=*Poje{R^nE_BExeV*dBX-!&h@k^JB}L|kh_Rg9#{a?ITZTm$_I<)CARVFz zNC^r^mvjm!A}QTn(lzuj(kLa}pdupO4BcHLARR+U4h=Iy4tsg;^W6LFKJUA`_qy-5 z_c;782jY0mIp_I5|M82~+IIkvJ0|*L-A9G2`;YrBYh1aMA~=yIO)RWE-e_k!?{C$y z9G=#&TZ%VHDAj}1eE=~n*b zG|l|PBceIST}6it@b>h~4%a zi{&T-%eF`SD@I+xuBMjP+WkvT4py`11ApsvDHjhb^ae%Mz)U8A*9A9skIA_InOiWJ zk&jt!FnW`HDywZBn_udSp7ce%h4P$2V@|<`LgQiENGYAe5YZWbkHo&|51@FPooEXe z#g^WdbGKIJE4r!j(cp?{B9izBhoWy*YqV?G?g`YH{99H7H|NF?NkmM4dEeY7w~Lf% zs;Q~zLdoOfgDeE~>YP51$j$-Q-l9G~jr)cCPVI`tfzDz=RTV!%icAf-g8qOB2MIXZ zlarTva&=apy85~A*)Pr;i9M{imzeb=LWy3+ z)vPAxqA0~V=t_Mf72kMHu$5N(OF*#>ZuKWA z!vqHhG@PxTfVmxhyKN3NOiMZ9KSoBAwFX?RGFT6gGHiEzzX?~6jxWgxQIYPhjl1?L zVY{kf4fR2NZ&RraMMV*P8Smp+vSkrJq7)wbK)GN6TSd0kKh~vh^G)b`-UdFC+n)1J zqn5rrNwqp(D0CmeI-m;f5Cd3yeA3>D5}@gKI_kOR_pJt#AqmgrsEVbC%wEzT$uy%e z)!zL@IPjUgokh7V&+}}UqKjPg_V33<;q4dMtS;`B=*{U=!sCmzrK|bcswJ{_Vh#AV zCQk}X{GiMt6BD1M4=`&s`b|FJ^hPk!v4dB`h=|u6nDC*ZF5BM;U?uif9OiMEBZGF z#*RQ2*-e(por??#z$`5KRScY@dbd2jj+L6_GFqg4Hkdfga2BRuZvW%LW2qFDCTrOA zOs5uWdVyH!HyqM1Q~bIjkFlohq7uf;{UtAF@)UM`D!MIYR^z#63RN5NJ5Wr&UeR>k z_9M=GR)D#HJe?$S^)rwrbAVh8msWWNUX#+v5cyA3dn^n(Zr!y!>F<%GOC+Z9Xf$%| z^N4k`z9d{9Km^Qt^yPrEvpi>8ViCC4=gR{$L>=eQSfmWE?*P~(!;K>U&!=LB zbLFp2m-jA?7U$yznqj6Ty0KDfIwRLcQYf=ps?K2qgZG{iY)N9wZQne{2vq=OE=C{v zff#Rn-GJP{Uee>7GG@EP1+uvH_C4AqdFbI!#qee;OQ1hG;~dUvHL3ucNlZs~pcE(` z4F|fy#c4{xmUA?uQ`Kk1JN0{Exy)ZI8+{Gy9jYa~FF&vkHtry9`R`e#B9l!QFlyAi z8_|9U0{^{Vl>2e`?$T7;BZ}TWu?hyC`(>6!qiuWo1Jn|ul|)IJ z+HYAHFl%>bYdjx1(;4%w-T#Qpiz~LoqPqjXMz|2&yF!!jfnMxAnH#ux*G0??LKm3S z>IgZW9C$~vFFboAq|9KR44OhBtR{O2DE3YSPtM?PrZodyzV}5~30-f#%00QrbOnaw zHYtF?!&j53Gwu+ppDLOohl9afRmTH~3*$aRh?Gylf0I`I`L{obu*JM~pCLzJf^u@Q z#>}A{USlpl5Hh}G81@LUYl>^8HuCGQSyxv9+O*|Q&B!A^y6J~Ha6VN88(I9sntv#$ zBWNnAsA}Wy{=SU_|6*5%Nc6ogg2ao zS78M=Iscu1iF_Kf69Ljt`)aC{m9oxFMQep8Vt%eyJ6-5jA>u!<2OFH#mEL;b6o#Z1 zQ{DGBZ&euMA@6)-X(~sRW~KL*Xv(*0IGRstugZV8F>6N#!rgX>BM_t6Tu`C7x%gO) zsJKG4gxAH7_FkmlAcNzXs4ylMc*J!QLC!+VM!ecp5mPZ*U37gAm-8qmhZ?+VqZc(r z*X;Nml<=a>>XG9v@yimYbhw?lw07;^PG0 z><>`Kel`8Z;5~Zqv^Y-b+0JwLMVEc?+t!IJbx@t~22FQ;f$2#kfqhMJ6$za(4%wcp zS#0gj@1MC*fj3p@y=*3=QPHvS4n*d)#-~xw&BFc6*c$lgy7!=MHT}S|fNVF2gt#U; zGwKovdjf{`1-?4Bibe*$-P{r=ONge&$}aLIBzy^3AdqlhI|y9X3fI)z`(n>A^NwCG zKEt;2T$tuzeSt_B$8IgErBKd2W8n(c;Qs6P5beolyU5G(>r35moE49n3?magbn9s3 z!8<*EbY0F^1U*(?J^x(57uwwKM$)R6nM<{au`2xazrudeiqTeVQ8NE}lpDm(>7`F8 zW$O-RY&L5&2y)#~K7ni?&GqA=^?`%djANRM*rPNCH0%TQC(U61lj@N;eVY3GV@Thc8D{aa;) zMJX;hkdcp?Ip8MLGnYK$wd!y^>(q5_=#|QPQ0-!C7puW!^25!6U6@J2!U)GV4>X4V zsKkM}r=lHS*nS+R%4Y+&$|+mvvyr|DJAg$-tQTD(u-g_dVn3~owyFl64O>?p^LNcT z1z2R`VW;4mUY&$}CA3c&#mJNF@>I5OZfxR7w|u3ZzkXpAwBVj<|V zZ)+g6zmxi4pp1(HQHvF9duj}wYXa@Ts{A^hN4fBHWvnmr6+GH2hKI+QoP~6QURMqF z=&^CcJ5Yjc^-$T?JslyaPWOsMB!lRHQ}mEhl=bMZR4W(?Io<+)9mH(L97`*`Zl8WR zNuyC!zS01f;(w!hvF>C8sz61z?#)%bAt(OgF#0|(U(+VGg^jT-Vwu=^q?yNhJxdMS zLRim6MN&gJG>ojaH0z{L4U~I6-Nc~~5>pXll%u}6-m#G_ zK^`uh|92vKNQx-TB1RM$HIHHAS=y^|FP(GGF>j$>D_XGcs@ff7kQTVa8{;XtT`W}e zJg3a8-nWN#)_gc>F*8L;+dAC}^@x2f#+_VKV8k&`wN*J~)JNBg2BFk|)pLG4IRw#y zZXj!l8LFo6I9GMFXE^f^=BT*TSEPPNlh!VLD?(PYm=ACml32>J6F8y<6_G$lgY+z>I^)LNzk!NuI?pZ-5An1FplCx=Qk? z^u~iBSC=}W#U1VB+(ZsOj zD|ucSNG{eWb-e6U_JhBIC9ds|L-NIC8HXp?`(5T<@UprK3I_FBX?_#vief-=pKH)n3=p)AU{C$JNu; z-a|Jt7<~BqJ`V2_nH87!SmgKbKiS^i)^UcEB4xKerKH%b!-j^cuTDdGg3cKrD^vA~ zx+cFqKYMLG)8w1Etky7C<*syQXrjSRSfHx;R>d#ojqAu-1{U{`gXZ%)Q!nC#IqTS= z@79fc_u@GwOWAykd9UdjFdb-|V3YbNXWuuNz%^_RVu?)M>!;F>?$jOGUiA`5pRYDq zEheN_dH4BI^Boy&Lw@1wT#)8owmhKelwaHvke4THy^f>!#cca2^H4Xgn*4mF!!P3f z*&eGiZ+DfzqI>6?BYC;{f~Mr~TSedO${F7Wjy;&zaRXYQ@xJgY!+qa<1w{#_B{Af9 z(_($$>88=iCwYc@=P!)VM}+9XRegp+yC|18esxBH(}Wtvpr0Q@YQV2QCfRa?gw_Kr42uhXI6BqDQ^x&3M`vb+)cfps=*Ku{& z6R%H^#iVIWHri7O)HlhQIhYp-G3P~DiDuxDE1vvcdeR=!;87|_Dvr|cpflH%X_tN{ z7!U8uC_M3_D*yGp2=0(+Pr*rC>#(h7g*JLfl_7+W zW%?0uhv?H{BL@0sz|7#Ld0j-aJG$!eXqYRtP68vQ$M3z~X|_U{OpOBWK5Ri`iQJ$p z9UZm{g9&zLLo+ z=?0#A-7Z4$B8n>N?MaG{ILE{6HVul&)qn0{X60B89*GmHMYfU*qD_N zNZQmF(kSz)sSd&3GwiBB9a#3xRAZjnb+RB7XqIcaz}%E}S6H4*BI837usWm>o=2|s zeeHovb1z%p(rK)l-6w?1_pvB$xV2UPNZvEDIp6;4K5mNa=hhE>DdWdBj;!6J*OzFh z!7Yat3;{$_Q}d<%c?sZC1ilQQyr)kwA$N!IFH`g=nE zps(pb6@xT%KXd#fe@v=rixQa!hqv62Lch!OOPs7hChuSGd{EK^Xq z2m`gbojVEx63FI0ABj5P0_d#m#AIX1TpmnPblDxk!9nmf3eE+14#-_A5q11WR z*o1H@!^2q6mlJOn>78D(yDd1`;N;>)@2hF@-BqjMCnCFFjy@E! zvwxe8XEk|uPRL&BukMCjK_S7{dIJ_Lwa$+s!62j8Nd%BFGuvJ=<8%p=@S_LRZatW zvbyfUmqCqLfy*A5kJf)ZowL)qQ+9uCWG*^I+gDXJw!61CBPRTrCE!#R=>1qgU}8{H zPtWdyQ;Ce<>(3wX!63mrMGa^yviAM?9PKMsC}E2eh{os zXEoAuN)7pJaB0iHY*;8r;iBigm-nwFMHuFwfv^Sd$Qbca^F$5TrQ~C3FcbQ5CY240?yk zuzim0#Y-B5(5!umbC572a~DBGL7q^7F6?rgOLej2(l_IsWE1$?(0KmG6VI2D*)d40 zBT!SM7#|IG?cmFI{+|g5Qyo%Gx=Oykr{iQ7Zvaw5Mg^6!Y6Bx^poR)xv8F*Ybfz?p zi7s?fP&=*q$VLe7t9kn5K=OnAggu9>wN-MBZ|KOi?5cE~VkCIm%(pOFLb3F+QIdhW z@<5KN$jDE3+DO;@LU88X2Fg-0XkxyrYfJqw2}IbyPNJ)~;v9|nA$B!Osznc?11eE$ z$kM`e`IX`u^xjcQ_s2}@OPMf=m1V{KB6EX#qr!c!*dh7|zvtqp_L?{!L3TjCnW8%-l+@gDHqM{wBf=tf=pskQkBX1n zY6O1+E6au;?`D3U=s$US`5-ltc3pedm&F%BIi=T#_UqJ!SU-Zk>$SaP40n<=~k{^v3qsjh(^@Pe~i*5>lQBUqFYa8{EJF*MZQ5HrbkvHY?^8^gS|n3s)73O)&hI(jsZ%Vc z&M+fol2#*OGS$n~0*~y7>Ire@uCX;xwAyz(AA-~7TxHWp=nxX7zd1t`YtNR3A5QD0 zmf%}Qp`6iaPOy|@ohR*Z_(=v1?(x8$*dyXpYiV_QQSva1votX(nU=%pi{UhO$o9|z27lNK?xn5>bDiSr-jzm2pl#b%oQYi1HjcEYH{sj zU*5LDoX<_z@_{ZG-Y3S=5cp6>3!D3?GXsMBa!P9#4K)lbh@hI^Ull_qsy>0G9xqU6 zG)|sB!9hthv;Ji_J;;@5S!{()wUl6@&dSQ_^>i6GM<$@aoxEz18m4KQ2}~VrIo<(d z#xo1*$w3)X{LnNR0Dtg7<-jTB(JZ6jk8$%BgN6ih7?WT!i;&b?-|I&DlnW+O?e^~! z9@bq|v*X@p@)S?23tBl}o;OT^HT?-%BKfoD_z$-d*T=;%@AO}JzFB*?!JqUF2Qihz zDC5MPnlm|6^r+L(h2(43)|07M;xwxr;h}A0mq}-KrQ?Pz9o>68hZ5!NL>yBe3PDqg z=Dy>UsZek!&%p5W4{U&%<96#J{RxGAr$^+bSCR1^vKa{d8zX0891&y1COE!kOATquoGN8_7*&d+$4h<9SYbjsket# z1~Yg{MAur|&(vS+_vTkwzwBbr{y8Loo|A?7N9PC?Lx zX3gUt-7&w45l7!GEaFTAa?EE+wpY_{@+4yTqy)7`pn+O#zXTzs#L}>6?HlvkwRS>KCS$WhDXb zRay@nolAD~x&IbH@tolHH2%RWwpQeWjEoF+QBhHy2zL(;W*#0`BYF}mDBhVbZ7LAV z+~*nd@^fQ1v(Lvjp7{7!g)Wmt6jh$v76OP8eYmh*C^tMCxqVV~8WBe`9D;q>jQ7r5 zv_93GS=ZZ=#grWmIg4&TcJinnXQEsS--!c;f=bT*bL3o|21j!}0#=h(<@si4ouIS_ zW&Uk>zk_KQgs)X^ic2R;kkpr|9-`h#0j*Fh+1ha0ndi_G?dLlVjR30Uw%34wVdPT~ z?odTeR{35{L8kknrSn(#b@j`Xo?(liA(NI?!Cm z(_rngd*oJJLhbCe-n8^CfjpQJWAp8me##WsuWOVY z^x}*cgk^Kc9b|Bg4S*Pywj@>_&7uatG3rmEp8jp5=>_@=<)n^47c(F5rqp?Z7sz-; z+zr~Dc{>O7rW=L9V5HxuHW-6G-4m$*$A2R!zi-NXN=2d706^Lkn)VwfH~Gy#HF6rP z0sv+tKB0|6B+8LY!~~s+juzZ#t?lu8oxpK(n9+Q^Y%K-lO2S|4DPK~e_uru)cl< zW+>?o(@#iksxvbqg^fnl4jY)3^N)uEK$Ma`OP1&r^F2w=uOPYNV<8OTJ2^XQ}6}cSsgr z>75sS^d4A|n*?IF@8h#20fg!JV#O69W#&|MVUf+hfkyt%r!i#wclK>=$>}&E*q$*m zz5vuOZ9zXOD%9(o7ws1>5d*^|)ly*rm*@kuq1A>9SXu23@x5oWXL-r;l#Y5qFa&}oLYENw{0G#g z)CVya28=DV(iRrnry3nFN65eElnTO#WxObq}N8FQm6S(Uop%uX>yn~lo%_|^S3)LE?}ngyUqemX-8 z6!%$|LenH8qM_r?rkB;g3e$uw4Rr^@=VS4nk|Y#UP0;w2S5UOTd0(olDM z%zO>r;QVFs;jR*u8pIet4ESzK74JklUvstX-=0XT$Cm6LVfcutrmtudK1{qPA+>)GVl&Sw{TepFwH46)Xq<5zT_DCwxOOq zPICx%e@G6mB){T19eu7FFTB)x)hDxv1wp80s%OZTe zAmVS6Uju^Mwm3RU@4!z0P?(g-T@qTm$am2br{N*$-V-dTNJ&U>Tx@JgcegwT4JYnI zyo|^FADlCsK$p};fQiZSDNC(?qTo9~v02CX`W5YgwwX2a=`uCn3N5u5iipE&2SGZZ zX4=N~r_Le}Ur&H5Q8LKCe(5V-A`w5P!g?&1e=j^zqoHV!e;w2$>my<{{La}NmAM*h zd?%`7F#D#djl-pV`dA~C>=|>HaFFA^%`|}K@g4phMTf`@SlQDNk)L13{aAY0dng}a zXXH;TK3eGuewFjMQRcb#8h@W>2lj@O2Y#jo@k+Dt>GwgYo!>*rx+J@3XKSfX82LxR z;)`@8u5}N5kIVO=IR$=x>#)TNE#G|fA>co%)+CN9LA0dY8(T^)7?cy|<;JRQ=`@L$ z0IMV`_0O;sLp2j#;m@}W2)a}R#)_S5^!c$Ed!|yvA~nANVrfi75-psnN3m_h|(SZ6Wbx?;RV!7vP3`jv`( zV%(54x_`j4A|Z8gQj-@4)0|YhZuC$~2Kmp)!yZnS%F|0E_B9>r(3T_{`wXm88;F4j(3Z`VyPTgKEiMzN3Om@b}Fz3YK~ z@!M2`%)eP3S#>L76l+|Ev?X-MZtM85!ldMC3KrVmCdOP>t|;JP_lIS)@Bfb4|8y1_ zTSRq|5x=MqPSfeMKE;!r-)s&EOCCssAX%Ya7Tmdk$S$23%#{(_T=irlX|gRQwY>hr zGl=hW6!IgzTW8ofUrRBC6gm;2AIPfq__|O^&%D$!Nffg{vqM2l*qZnJwtEZqt9Gc1 zq(!MXZ}TzFLDNX3XBRu-?8Mn~&^~N$cD2egQ@|?gvvgxuR?8V_`DIPuX+WdkYNf4l zfr4NWq^&X#_0D56H0t2tV#0HFHN>25xT@#gJOFHR{3V2Ac=mN05X%|D%p^MKU(4e0Rf=x%=3H}`m$Vh{+C046NsU*_=yhF0btv6%>Wy_BP5xvebVkle*6%>#(nv+MTgDdXQaq>k<#L-Ls8Lsgtt^u zS1q@Lr!#)%md(M!^i!~>@#REptDe`0kJ#s_p5EU254ucGT3qiZCoa0h zb|)9(H%3pP(&we=EG*nF${KG}e2-w14f&Pu2hnZp%1Y!!ai4=h}7W(3TZH7b`x57&Mltt=g47U4i7v)D^?6c znZmrT$ab@z{nYa58>v%^) zX#WEphO*LmHCymSv&?RB6U+qMP6lc-zuN-Rx;ub>9~J=}Y(IJpA@Fueh~CEp-^r)Uz97ae?LrcH8Ussi9eCUloT;4TgD(gP6Rxxj-W1? z!ONqfAu&g7{j0&qyeMvM>J`sy)I|vY?it}Qc;JBr{4!(rIVwIz$@a|>s+Pqz8U*`t zpOa(C%VFwEn#+&k_L)A$tZ;DvRPwFwb7j>Z-1Vm{mb_>X(F<2O?g!WJe#E9cY;!^e zbeP7yupIurW_e4lH}?sEWqb?G5r3MFXt-=2OR$lMP~JRLT>#2)?8~ut;nrItz^FMJ zK{?bQ8hG*VS^!H<#mr5x*Os|yoY^s(5$gYBd45dDF}AcCQcVqWck$JxJ&vXQ^3>r(?_lV&`3{KFLKGm|M#21!ZPm+(fZKs`z#S!)xpHKzY2Swxt2Dgw#rqM2FWD4tRKnBU*W6@aprP05k(b!#2VZcUiE=~ouYDr z5<-Ma(>Tb8^B7$D+~}-2)2Hj#HHG1j(~_izo5k}LZJidN%hz&_f>zDvwl2K#p=3US zDVeAXQ{|v`u}((<$Iyy@7i)Hb9u4^FOR3mJ@0t1DJM_D2UkqJ z?kEk2+~62ODQOgNLS3&nLT)azjgbAU39}xN)I?u6LhA-!>>3%==xPXfXnmRor81H) zRcsjsF{{@;xBoFt{X9yT-v|cnUqeyW1>eNf#uRei=Oe%0$Npk;`%bL z=tYujdndlWUsmy5Gvm7pt(iRejFR(~OXRuz|;r!jOHbKD% z>nRws`*`Jm&5~hRf6_d|{DzLIoUm?IHp{)e9StYA@jBF1FF9B0f`2`^#lxiTYGkF5 z8?+Y^kDr~9hhLKTx5-*C(=z`%8ZAC9X#sih#$w|3H^oqickkZm93>|wYrK7Hz6i`1 z$x5F?=S8m}r7Tw2o|)_DK21YJYiz*C<&psO&j`<455|c~!-;k$e!HvdB59MqE#MeT zG%jx-9e@g!5kdTZ2)=1$Ov!e7snUArHBpoYw3l~hD&%uo5uVkfKrJmdv+3MGy((c! zS5gk(UC-NStd2Ol3~HQAWvL^GNIZxtPoW3bUF_qT+S}RTWXEF;aq-FF%;p8h!~8L= zoWh)6_jwj9leY&>$}dNgNiiVkgY~_VK5XA2c2W@=FuKt2cVg}BFPB0lDW8}6Ro?Q($|}N8a3YjElW`79Yx$?~MUFBN;QT)|dYPEhfZlhgyr zi3+>RSS?!DJ=_Q)z8jOSH%J6&y`hP;`YyS5VbzlVm0z5MItJ(x4GiB%eMyLd+Ctxi zUNE%z)erN9ZjWZ1)lwm31@~&M;6%P$WOXR`h2)LY;`dGIrL*( z&yp0sd;3zk;(Ab!vr#&5(pB@PQEq-QsNx6F(AfOcus6=5R`n5Ky({p>_ahArJ$NS@ zDis(Hai5D%8G>{fJV#79ejZ}aGqi9n9vlRI-XzYK{?zgi@%vm{Eyd;LI?~7A#Dd{H z*-Zg}o}K=!?IA6UO6v4m@w?SsJtI&d?c?4NtM+UvPILa}zS@m%#DmQ}*T5W|BvI>P zN>r+?N6ZzdLz4xRlxBAmxU}f1Z(BU9kULa+h4CTxkBy(H5p&r1!;X5nbQe+;A>jl- zxwTn1F`s?P#zM((4B>)*4WAFk`F=fD$^Clr&ZT&yo6H%X%cg)mGi^k!4_9uhBDuZ>J zHlz~i^u)t!S5=Mus2|Gd;&DcVHzmWvXF4@NYL?|nueTjP$}{#aHkenc zT?5r>l-ir*+j(kR$3~2IfPQTSHC&H zes+Z%EdXp~`7Z{S4cqvNXW9b4JNm2@^_Ik1C(1-UU4EM66i+8QzLoMTH#CW;0oiaq zUS=#_jf^uIZyLav;_@w-^#T}uQ;LtdS!7cJg|xmh%`2*mm{SL$2nt2?=FMy=!O!J2 z5}u5B78qCSOt};~^2SNNuqe08znOH&?7$&}Czdk69n{93p^5P!mSV_H9nb)-inC$> z{2-Vhdf+7x*=d?hbp3zcFZ>5XY(@4~C%iFnX=R+LE(H7aXMKFF-%g)mT#R|f6tnYD zWL$y52(t=za=Q?0vk|YeBg%fYTuB~W4w7F_T!BKw0BG-@H$1qWdeVIh__%eiZ!y6$ z85Y>@zhcfkgX^Q<26lL2ZqS!!~5blqK#mMkbDnv)E7>%2h)-d5AN274-OBujF@)V1u;rb`y83z(|3UJ7 zE*P{kND$xsy{z_Vhp+$xEDC3n5LY5lhCKyxq|%89(&<5<-Ff~y-Oze|=iJ$?`EOBE z|9qODDOunPo8nK{{fGX*Cz(VtAK=DQ(NNRWCRe>?8=Yq?U-FKfMgB+=*-jfXPS6ln zT8c$#G`gs1GMfK&P4Q3StM2>H|I6S1#QZhz?p?0xGv5vwc>&H_HQ%4HeRFg3;X5kB ze;&YpER|DIJ76g@_R4?M`M(~N|Ahp{|2t#82Io%A+5E#->EOQ|2mbTm{D&8K{&yZ= z!mr6HgZ_Sb{_{IH1pyEmC-bCPg}?h=|HA|Sw}=^3!3xB_8Pa<+um8W;t`G6l|NmwG zZ>#;!uK-wfGHMi;71qB+wa+p4`bS4o0HcZYmL&kXLW5{|t*jjVt)L+Dx~!xmDL6P- zsN=I{fhsvAr7emA{0hGPZ_(>>B_03{eA5?8$IL&DgxvvT3KHh#=6Z|xIR|^h?=A^0 zA0HooD=K2=oa=cNDjfvSO$Yk>d1?Frk+T69%q8I!D>E}bW*Kz==gH5{SJ7~>)E?J? zBd^zIjZQ}3UUey_T<1_d3yZH$Sy?mX-fCztojGt%Pu+0kHPly|{EJ%>NYUCsolp=8 zwnIT8;0-9mG)lWJzo!-R>~BQ>?sy?i8{YfH?&_sHFvofscCKq=v^&jcPW!9doHHrJ z-A(<$SNbF%KiDtCCt|(bhJU&mGa zC=(1A&C*TV%E|_NBBn+->lzykgq#<)94M3(?r??Q%DD%)!wb&)pB+ZUn`%$1NRsuUbOEB)s)+d1EP`}Qrr`|sC)9Ch*hCDeXe z7#{HCtaKq`F%!XsB=@zP~kFT|h+5->n=8={nyjE`K!oAoxL^ zLR_6Z_>8#Oakh#qX)fSp&7?ON@`DT*Rz6eL`P>TfCSGRm?K1R4(Z z_Ew`=qE6orR3^s~RmBRI4m7ldIj`%y#&`lV*U||iNK0yx(L{p1&36@K@Db_+oCgYH)g+nyw#Zs4!*<2#Z|ixMw%^d-9h)(JRApXY5hhz8{Nq< z-@ku1c!#x}nw(Bgj>i|2l|}m&cLo`!jIBYOBRyC<=}XUzn>s1-yhoeCJ96=i@zeLu zqhdg$=#06w^kVWr*o8rd0O|!zLM=aGZhTM11UGK-!skrwTkfonXJyEyl{q zN}Ec6i&ex+qB2i6zI_MoG+&2LVlTTu7)3riJNq>>t|H)LNIziIQAgS3Pk#8}7Rl^( zgdHW9!Ea3||F3zmVuJ+1wV!%xuJXI-bi%?F@Sh=h&p==9loXA}%hZ##_t7K~PPx;T zw5{o5QU2(0o=i#c33C-=XCJip^Po4Xdo+ekZyfmzTTexutN0&9Lj_ZNONCoR-XFCR z9K>{aDg}p*9@?n~2$6==+r8VHfSTe{QPEk>03bF8YLjnarhvd+On>$2z4gAUYY?iS zv=xENZ__ahmDzC^^1YJ{TWKe9Ab@#Zh4<2rWicGtA#PIck(>lM{XbkF|I-t1XN+x- zf2d12XHoxnF3e|;fsdDS?}a1wy|Tp}lmAY7#f@r0@oXNb#T|M-Hv?zR04-ASq3bKz zRZ&;oYqgc~ut<7o{7~77;;0Blby6*fU55#z;MZd_l^MFw<3=iVQzcYQGi%Uymd{b+ zA+?=2m6Djbq7Z8rYe8z*z=lNqLXzcY!{?+r5=%*YHpYLp0oj{73xslt6D^zp&2PZ< z1P5n;WUrUn&sY1WaQdrH>NM1+WL_R88zZ+>^zqX3*N=amFPL?xe7XfYP3F)QdZ9wBJND;tGM80;@h@jIn0tS8Yr<}I zQsV`h7fzev4mA^tMtT7!)`2DD@jZaSb@2vJHp{FvRl|)!@6FrdL$a~sh-*WRp5D46 zLPms`a1}X&0)9dh2M0HvN4zD*smaObhM}h0jItHtk?4D6<;II*l;e3$OSC0-UwZVHgcavGtLP{@~}8PIkR(Uaw%X zu6}oLf^H*Q6aG`RK=6I@>w|-Um$|$!vmmN<3r9W}@94#eq6^KHpZKX?VnTv4Avz7~ zEV38y`z{f+<9VWmZqyb4leX)DfP1%u0nzs5ybOxFcQBqGCAyS$UytXkKfFAEuT{^b z;zw*{PZm2Dmmr$abgI&xaKj(qJm`~PkEB7lAmeN>1;p!qa)R!Dn0=@WPO~kBj@mNq<}DBHOtEMj zG8%ock#=A&322_Buiasp!TPoI`NFJi$3q4V9n;-SHj8N?@JH)(B{cg%DpK?I`4pKaT{i>91)^dS)X!_;wL;p! zg7zTcUMhd0B?jK!*8SNcPDuHe9W@c)U=4L@`Zb3X!RM*sfI)tyKL<*^*`aG?cK1}7 z#HMxo1fJSZxD*AfQ;q_aHw4a{=`StQmPISF9@^o;*Wz^1hA`tiBne0E?im|1xU_Jd z(L7S~_glcdxEkx5H7Ub5+sB=F#(~DiZ@9WN;Z&;s@&OGZx3i_?FE5DHSiNtG!xyBp zq<8MBhll%ok12R8Pr*>T%%GP2GuB(3+u^vl^#F3l9;bt#g8cqtvOSTFG|LhnJ+o&# zJkb4QT-=sFUIR<3?fa`eQQBIW&8wd&X-R7Dy4!Ij{rr^`WX7b&k@LkdRa3tp+baW9 zPvw*?>0hVGUv4fEDsJA1EkI22EfBD3iS?LrU<{OBZC_2d&3U)pp2opp1UT>}#?S~G zxK&h?hN5ONrEab~I8@Oxw|JcwMEd0Bw(bvh8#pO@cjB|A1>gTw`EG(mGxP(<*_({W zBCBFwvH?&npL@WVfAt4)9C(V-V4C_iZ-n9 zHO)sLW#vQ3(HiMS@P7c~V4mj5F_89pYlet

|;qaI54)eo#w^OU@BVaJ)r96BYu6GEt)!+mM1{!e}|er+DqT|Fz19|>a& zW;9&%a6}lMcHr75qnsQjc(@iPE!H|@!HqnC!`-fzC20@Xa+dl+=op%-SFXDmA^_2y zqdxj->ln+$pea zdK2P}brt&}*E51|EEnqI(o0*DI+=9&g7><^|8_4m3Akq|_Ij#ynu+AV>#RKpkf#7p z=50zsy(bS2oM$$(Xmh@JY>t9H@^{HLw5?Eom%pO2yb5gZQ{6p~oYA!z&DyS1>5vbt zl3qD2V<5UO$umWZA}_Gz4TP*b!P*gK$T{$#tZXvdpxNoA>R4Iqm>1_+>Wh^`=@t9! zCac2E&6fVejS4aE?)%PdJ%KN4h_*<@Jce0-_8^Gs8#U2mXtd=WTMllv}5udmRtSW6#~xrxkhc@6_$cKK}Iq zE1*#>EijD+*CU&@+jdYCKje>c$}*5bt`(n$`BMIL_uAa}Ea0a3bkRMJCPo2%I{ zdUnYREJkt^0c!yi%h8Q&R*^UInDLq0>VcN?WAh86o+}2xUSLhnoX*Eknrt!~(CSBa zOBAV4L56YEB9h}tEJUvL%a3<-Bf~r^8|ZPR^|Avmw!h;IzZ?C+@W-_(nb=`wn~vqd z^$TXRqPZY2rBejbk-|o>`|z={q~YnI>yc%7ALcINyXv0qUUxHcD$Z;=u88$hajUJr zL7VEj1&j+o8%cEgO#|UKfIk9;i6w{$meccdOhtp)5M+Am< ziIZTtW zax3}?*t|^%qx8y-=04uCAmEE3hi@GO8*J;ghpJG|FC6=TGc`EpeZE|o2#q0L9t`sy zZ#6CQb8%JR)z58v4Dh!1#gE=ZmcPt1d()NCh8nS7=xz!1`O@v0yG1%pskwidYaU@M z0rBt!Z;r`L;yKo7mL%ylmtB@`3vZYfaA{54c zx9^#kVUL|KQU+O%o+Ebqxw1=-WwjMcczO{gdF)m*VV|vc>Wh}0T(AU73Cs^%xX^&% z8-H1W6`~D_CQ@N`swScvdoehg%dYPnwn$9U{($ai6sKMMxRCH(K=twWt<_{~`BuKk z6B~?CazVPa*X^A6R_63o<(Yg(Aw$F{GkRU!l%UtN$5`#&vB6KmPH+?oC8Y@tF-x{{ zo*xt9(T?ZZyOecu@lu%rsH6ZFg5EacIqP6`+y=Kc+GGII%*Xbx|nZaUI5aW2aVl8Ft#1+YCzX zV4;{!6b$)B(=Ru!i9emfV_^Ax;ueprT6Us5wfzfmZ`c9puAWuNmb;`pRGBo*gPN-A zUI25rl2Ni9CSJY;&Ql*)LkaS3J99v2D>e!8V`j-#Uc4p=Wp10IL|n{0KCy?K+J2tJ zL--vid=KJP%Xo#IG9(U9u%rPQaw7c)qm!zc0Nx?pOH3BJ?>MX+I@NDq3h2F->y@8N zE2g%Eb>*7UrRaKejbixqKPnMk6(BYLMQ&|=-DXhAdra(h`Z&7&>sDJ2u7I9^?NW~i zt%r&m7CGI9&$Ji^4Q1WfwY)zps4YpbHzbWJP!Y14ar#aBSS=X}_b|`mj?^c$qve5G zLh?=QYN1g*uP-$Gx^kVX*95g%Dg3FCcP?=-h)!{KYO|2$oJcK!z{nGm)v=cRJsFeo zn=wfRxW$x)#4(}@37ZukD=v^t;@o_c0^Hv!8oebw>cy`4*F60T4}bE z`9r2(71HMZY-H)H3_RNsxqb@ij|Vq7S1K!}E$dRmM ziEh1uYrNgRjHHf5i_tWzOSQP-`NnL8-3(R>mAkr$I&xX`lY|27i@~SCRN=pY$qkB! z&U}-HZNjPxC~fFHmqnWWH|0Yg&AINQ-L{Q`#hz&=dPTUkPA*S{RFiDS_%7%m7*C{z zWJNJ_P55c&za0nS?2Ayp6xUanm}2cGH|mV&2ODG`^>Xz#jQW~k5}>~y-c45W*tJ5XM+XL-DJT4@pFnTYx!w-NS* z@jz_7QFe#wgOL&9Z79kmgpG}PU0ty-dpK6=_F2Q zVCwlc8(~-D8;^ZFZ~=S7u#4a|Ur&ZM$*pYIMX*E|cUHBpUaJR@Tb68Rt>@;8*WnlY z66YEOQPNpAPSd^SzKVy}3VzqMM44QF9qS$v2OvD+_uM3Vn^6MHmagvNJMWa{#G~Vs zLd1VZD28s<;7eRqMQjDE;xkge%?d6 zS3MRgbV=h8?&3d7I!y{^AVUuhVbet<(krlApwqg-9v;C&WJ&wAjgh1cYE;Yj%A~xv zjag&P;yF{wa96M0EdYjws1a1X`b?cF;juQRP8yQT=d1|U4}5izIURyE zYn$cw-3uhq1A5>z&ZCwWr+tEliA|^7BR)w#9fH;tY&%~ZD&`C5${32s5XX)c><$R& zFpb5Uki^o$vv!lGxZ({5AZd#kAmRU#N2dQg>}6EliRbA>fsv~s<1nKc{aS>q*rx;f zi{XMuI`O4DweG%@=z|W@Eu=BG?;2-u&0?HfBa`Yr$67Ct^FCMo!G!NHD7nq!<&cn= z8Ad@9j^`h0*u#m-lHdYIBPCmjbRPIVDxP~1TeE#dv38fFgc~nGUwDIxuA3(6u$+;J zzc=`sR6*E2(2}CMp7P5jismivW`YHKRA9$n6z+TIn>C12qd+Lrh5a3r&?mHlR3=iS zd*UfDnMi7yI)Ma%O=qaL*TWd(=`XtI7h02V1`3rZEzmAy9FLSQ3&Br5U?yCJkt8Q8 z9jj6K=I*D#doAWINi6rQOhcHJqd@_pkzx9;O8@Nhz!I5Nm|3oj9mgr>)vQ{B`I*Bf z48DdA+0r0m%&V3go@4ejpbqX#Ow`-RGdqC6YnLR7(iW#Se-)AX6#DjKeXH4=7{ zqMkM97fNr{7iG!e_dIyD#AQ-grf=4}B#|$h6?zhFn+E3lAu?aKB(QMYOzJN^kL87T zn)cBbQ4aM_9%Pu$xKiM}%!ga$Bu=gagDi_09AvLx6Wj_7my=P+i_sjDXY}_+XZMqG z1G2beFZU^rwak<*_wOg0!Xw`XjRwu+1YFx>0JDs%3sxkAAlJSg{0dDsaczNxz?&p@ z-oI=+YJ=}@dMwJpubTncbx}{t%{u{r5B-=9c5i@<+ zGwE;znssD<$llcYEX7z4Uz2<19?q< z>Q-aqg~Zv1`HJ|TI;y#mXEpXplqv+|U@h|on*KQ6`hlPb+PZ#SkSD= zVn6I%nj>B&D_FRfW_9@>idu~-hDRUPdWgPbU4*7MnK~mGqkng(6WIEiDs>C>O3Ugj zszUCx0;|5KkrJ78Gh3aS4^P}&vD2dJ^=G?Q{!FdcPh)0M*Dn?b@tr}HBmC|mBl;kB zP61{xUs;F$myg!Y*GA#)zLAqAKmy&qWFqtl@luL)c6-0@ri}UbM9<6wn)qUD-{QO+ zY96J;8-nkfe zLC}Q4Ou3qPeBxFrWPD*&Cb^&>%FGNNBCEA)eY7C7qwK5om%CTF%<{2t4A*`^lHC;n zS~`-6%_#fKcOAJhTF3{l!1}bx5?LhY#hy(`!J163LQUq9xOi?iG3A+YtIkWdNJ&SRM2+x^Dm*0o_ACvp6pr^@fdS2H>}a(5Dc;6*7iPlrW6$;OhzYc}~g z(dgrnJSPo={5?Ig27Gc0Z;Wrx3e0pkc(j%diY1v!J?x@uoiFH}-0x9so%o@)6ERq{!z`mPwA?Y!A;nJjE^A+d z;NL8n*Y}-T^&2UyP`iET9u%t~3Xj@6_P{~9!OQ7f{9^hiOvysC0i!6`&SLHJCDKua zPM3Z9J%4Qz%SYr6l>>x_hs;<`5@Lo7pp(g}Co3jWUWU?QQ`Iym9TA16EN5z|IPk3O zW8;nZ0)+YxnT9xJ^kUp&Dui@{6L=RH3RCWjVatS=4l}mLusQuW7L$Rm1kxcU4XezI zjRaD+Y(M7+>OVkXY<+PA3?YsiLj3L^R7?xxM8jocM253mRs!c0{4V_pOS0HH47HlC zcj_Uk@jgV%q%wG&l5plsh%+e|QN8~u8k(KxYWjk2_|z_;=(L29pZhw}w(FSsrFsg_ z;Q%H=0mz2D%a%-rT{6JrZ#BzL#eO?YI5vfCEKmxb9y0T8AI#)42;-A(8wgRXVO4Pe z{?@K?B2)oP4@*wWR^P_={Af?F(j!7!$FmI*Xh`HOaDyV{1pZyyU&;h~S#j zSmI8@$p`A-PKDbl#Tq->Rm%Z>q%YWtskb_mB08)Df6&=?T=#iXsP@=`^Rk+3EEPXV zN$4DYEPf2^Zoj_CPYV(~p9h~n#_RR;y zzZ^Nv0E?og@yMclHr)wkjF+TrZ5&bcQJV&6LU2aKTh)KQE3UgpIYDPxk~#Q3fZ%9NXr zXP4-E0OT~jP;$@X{U|ELEd2vXif*Il=5jP<>^64;f~B-Yj@n4!ObvkpBHn=9_x6Xi z879K*EZwS@lj*Ue7p-T){FaaU_vzeWYcB04}=Nq8y zNo8JOzA?&m*T9XTTv5Xh`6ehg<_GyK1Xe_?bj9l#Z!QfgP}P9@fLUlab9bcIAwGfA z7ySggSiq<>J#Lf*uZj>^Z{@aOwPA)_qA{O@S)5k=)QSCdefg~7OpPkKX-7I%w2LL0 zpi!nlHs*2|x1ayqJm%*86KzPj>GaNmi8SDP->@S5A@c~S=HNx!Tp>U$`N zh=rv1w~>J0%ZD=zPF*xs>~^NZDB9&E#CDS3yn<=b0S^rlyk%{Ls5Y0I7yR_|I?`P* zd&BSHh86E+GqldleCA`n;P7cq|0{o_R%952y~E#j=qenNfNJ5#PR@Q3)FBnlO9;>3 zIQa$uc6*I<^Xk_SVS;~K>aOF6OKUV=qy$n@T1(|Bu)901);qZ1*%@R@EX;8N@GF-nW&(4?Afu6N~55D ztkwyx?r-}Zl50@RMic0JCgr3GZKI@yG{kYRCf(@+-xrWtPi3C1i-Dml`5TGJbli2Y zu;?Z3+7G6Jt~-XV(dQP`c(n0{QP-Ak;1$_r2Mm#|jb>-mSY8U#@K9?A7HcPgsMAn+ z-M|z$zq!^0ca`RTnV4@+QYrA#xK)XbDF8nl#)6ZID3!N$Hz5oEgZ`QLgT^Xo|kEj^IEB>U|t4Xr+bOI*S$nmEl4i{Lx*9PDj3&vz?L3D zzuk3V2d#1qusFJtcmxuBc4JPOF&K5rS8zV(yG-3s=uZ|AnhF|F1Hrv$onzm)aK%0- zZFl&BeXEChcL5$0e$ZUkbf8c;;%a!n=)$NKaf7Q0`mq!ycX>f=MaYO~XPn0XhFL!J zT|f0G5@MWeV4Gn;#|58A+c6AnXPSCwCkkZwyw~EAR^O_bx)7Z|x$i{a4kp40RA%9H zVnNX!jUa27DUSy`YNXLTG{s$7>7pO3@^%#rP9<<}PB8Wh8(dPyDrI}Mkef9nK&dSt zg^r`#uJmC+6Qet1Z#M;F4s+z#!~I62%)&2tiu(BaeAH$5dM{0$-)4n0_+H?7XIb)@ z%T%H0kBGp?6Pu4amn#FL>z6G(M?27o?{)|_U*~EkWr=woXA@_GQ?ar5gufi!pM?S> zNx>Igs---vz11Wszw?|Jl%yTyE7G^ib%gE0II#nDoAAp8L@)e!g{Iy89%8630%Jz2 zO?xVG_3GA4a4IVHTRo{#I@cbJXdqs&Ubv4hvx+9*|X8`*rvw^Zdb5$J|acZTw?BnVxzAO+U}u zQ)eVezD$F(jOz6oJ^h*Ifz`F8l|+e9z7yEA3q{qgnn3r+sypt{2vz$7xnJ%hifm&v z%OLIwr6BoR7_vsnYwI^PF0ojR4L2~;Ls)amX!-G|0<{uT_QXy}tS6v6ecpu!e& zjIYD5_`+fOa)bAD{XJ#womdSr3Yg1xN=Eufmk?9q=}Wbe=^E~;`G6?5Wu8=-K8dPU zMkIF0%=q?kZQs~zV?hAR#E$^4Qi5@CWSeJsF%W|>uoYFA#p-nV>NBZhV3Jef-Yqy_ z`g&JKPHc011D55ZozOyc`MDQ~(USy88MAsceDZ2S?`l`7h&a}VXleocUKV*l>{i_> zIt~7@kepAj@!pmi$b`Q3Rzj$Wn)Xq{d&QJDxbdVW1#0*F|J!=1G| z@CAzYfRyJE7k7v}W&Z3Dc%s@iccG88rV%7@{X%Z)qz9VN5O2HULIZhDt@@X13=2@s zff(+)N$iORF9$JpQ9*@sqm0qKdvau7G!iuyKzAkwe4psOXy-CwPb?4%`L2=PfJDRW zUFMto2p<2uOZuKVu;F1Rp8~}wEmm`SLAl?YvrUxO1MZ&+rt#ayuqu*xTkssdX?79XxawupTa zv|8W9cE5QzkZoE9$!L3Um-7SM=B~pw%yY$SQk-#n&F@&9cTm$NU*>3pMaxC*3`xG; z;0Tv}Gg{@cFb|H!kE^1_4;=2BXRlfzTUT&%oK;RVoCP_pRLpmlN`&NQabI_4m5&iC zdinD+#iaxN7uMOM@8bxZ=yi%WlhW_`Hg0lS3?CM$q*+v}O&BHm>^Bv!WNJbje`ia2 z{dj2|hZ@Y3l3He&p>kyuSO=?^Tf}7xh}-AhQ+^23jBc=+H){!~Ki-?0F=!Mpn`sHX ziInJ6u%oSs$5 zG~B9@S8rZHacnJQ_a}WyDgsi7tYl8+Y5mJ+EQu`W6M6u1Pv)S;y$A z`LU_}N~G8GDw(3A5=LCSk_cpo|IjoE_o{aQQws!HyV=~Me3cGKt+liYkp8X`OX*DJ zvDWW~p3cusP4Y{5{>`WF6_{#t+iobz?id|C4pliHMuy~E-!lnnx>%Z1L6I0*c{K>k zcRl+7pOSbzLA62`dePA~Lu(#Q7s?9EPx>PU zea_{b))|!_fdrnA`_ph|rb4(makq0)4{nWeSBJud8ez|x-W;Nt7K`~Drq}`Sl^P5b z@V|+9t%MG8Jiv=?E9vOAcac3c6jEzG6q=57jlN&fv1SG*4xi@IZE6Sko9U>EUHU~`<_~Vpyw=R5{Td2+lFc!uMng)H;&W$V z-LAU2y2{crRFUIZq0{%Tp*>H86uo{&`aO?j7;>TFGo}_-^^$qkn^;eeBI?wJ9Xrsx zW#;Ntt!s`%Dff_$ux}shtKHV*$?IEH<{6Apczi5H0Us8N__nksT)oEG;w$NwmwBu7 z$N*wW!&f;yseEP#xI#M@J-h@>?Nh^Vu0iz0>|JpIB?|?Wo*C)(4PeVQk(ZX^H<7NI z%`wf8sU`$z*0kh1ZsgziXg$1eENpFRYHB>dvwcHZTA}X)4DsH){zHzaE-CG4)(Dd9 z$2+XTa~cbj-SA^PGezlFyopg+HpEqt7eYuC9q|-Rv@1`%q)OpG6&6zH-xq8uVCrd|*+M zW6LZ9`Lm*vFYZWtNnIn~bUxbk5&ZP|XQklCg#mrj#oNUu=Q#dgD_`TGE^Js>@>P|XRAPn%brHclDdU>9oziaM8Y zT6*;5e2l-8((8O2!yZ(oG7dt6#d6ta81_}4%aO6Ksp$V29pvU2x5PE!$ovlE%a>Kr z`Y(k^?#KDe7aEbAyzquEn!QBHS~c6h3i&VYn? znH?LZsY=UadEQp~ZkZ-B|2k%dAg| zeDmt09dRM?<8BKyxWmm`ByuGqD`V)5HNVVU>AmC@Uj;K>4q zdj)xZHqTqOVi`4yL|ye>AT0;N)5bQ}(pvKt_JtH-kRt4d9d{L^YBgk|^i`|vht*68uH-HK(# zR!e?%q9YwVUy~e>5x;J9H6JIrbcQW$WGLo<ooL{7+}Mdkt;BYy;l z=Ww8P19C*)li6B;hpt8YqWGMFWv>N&T5#n;)4(1eKA(X#QBW) zzWMU__|NkV8yX#w>P`}Trp!se7t1%A9;JiJlS{%VJ6oL+CkwM1W-)16(W;TTWU$04 zr_`GQ1M-cBicIl0ahG-l>&p65UD@7%qhmbCf~9%BDXz}&V0ATQyKp8)A#7HH(W1dP z!#|VqTUfFQf779*gqHF~X-`58yLDffcr`#gJAEZ!<~#M4Qej1r@Gk80tTU&NFv&0S z*vEz@RQocjkE6f{KiaCcWbp7!evDnE>Cf&j6wRu_{|O8yIin4dM`Ag z4lv5C%u1(vkZh|^rRlyaZ^?yWtk!X5DDMKpiD7E=H-mJos{AZ7i>J@!`Zhh&@X9GK zPM*?g5vqzf_{&V|5Jn5APFLBJQ`5JbAG1jdzokN=hyC6z-36u-u$Qg)p)IO<(ru~N z_05_{Ry5C^8uJ5FpLmT3vz95!K6wQx89jLX_M!ghuJnczBl0VdsWrAi_6aZN@=Mmk zU^8Kn+v`sV^VAX<$QWghWVdI$uns@^%|A`H{Uv~W**EAvX2ogR2FXLEPfXWPI&EKe zv3wst{CEPKM4!^R5SPD%wd@@;8IDgUjcG0XzN$l%GhSw`)nu%y8#(fFS!TN~W*e~(hiox7>g_}^t&Hu* zoGD-?4eGxg2~CK%h1};`wtnHmAO2&x;y*qoFHBi*7|~#bz*tDlH6?oN2ivbUmK6<>teT z0)$ACx|`($)Vsr$QeRKV&wDD$ja?w|U7?9(J|z$*Ub2-}u@hblrwlCpE~x8w6x_xN ztldKZD>maQ&OgR2;@CWX;8z`<>Gz*hPF35Y)Oqk+D3hG)IBhx^f8Ku9?gu;zE2Nh8`0D~K zyC}*vin+7l)NAGCKSjv&>Ta0+Otp$x{{T2)bi(t(x2CFHbT(U^zj^F4=@3+aBZo9J zHgo1g7&^#7B!@J|=h=~t608Ea#kLvdbe2T9a(R5N^L}i=o=qHQB2z4B|M8|ihcPeH zdsb;O_6mbfKWec@29rwQh`e}4Qr}tptgKR0bBJsOXVsuwSk^MwmTe4c1>4U`MuD*c zlh?(J07&R0!RvAX4{;Cyh1^JN@nde@3uayE9UBZ4}bXSv6<# zDG}wn^tY#mX=?qS!6Y$yRr*LYF^>S$N~Y^d>Qed=_ma8$ZkCSgTn!nzi`!L&0c^s# zeZdrWYThzLvKyuE2*{`g8}YLAj+;A#W6tKIPMSV)A(G|~Km7#1^CLy~Zy)=Uuh|bU zBGALKpwx})?{bsNnOC0Z9piX`{eaSyh*d2h`#UaSq$G^vz6yw6Cy@4ELWB0*(@=tH z_UrUvK+d*<66mdVkXh@>S)gw^Q9m^hdJO;++yFpv;7=I7=&GN3nDFl6!8RF$zx_eP z2@wRIsF0gI<-hXA@@CXSy1famm(RZ(sMaWe%oax15}}*Sr!2B+5&5EVe_g-J$&2~n zZP5r<_5I$q$VX5dL6eesrWjY~MyvB|jeS#kwNst!7ICg9U3xvNh#|dk5hl^ssL!)bs^r;U$?d0HdqS9DbDE53v~GNR?oqX>(9mhN(IkgqR2_MP*} zbmw7F{nsc-$FX!7fA8lh+D-OW61A9eoj7`q$6eVJHe1r#RM9o)@Yv|6f#2Tw0^!V{ zmd=&;xRwSpW&+vveNajM=-6w~Vqh!J8Z}=~dpz{DV=v?ueKGC7+k>Yqf59tiT(rMpuGW7?pV&J0lJEL)jES4ax~bCAS9#3sdz1 zLM6dst9g#Qu&J@erTaY1%P;Wn46`?$<}9=}q)#XWOIx&uvn)H0%^>ORuftF96IG<6 ze1D1aI!7ZH9-Hx#eu8`N8mhrCaw+KcYHJY^RGR2@4*af3VBj~LmUwr9$Q1)UHqSb1 zE62PGpo70F`uIG0ghV|Y$f}K6A0=i7^T(Y|x>r46vzxDWiSnVWj6Ef-_uE zL-j|SkmF7g)T02CxvGGy=S`26vdz^%(S{m50g#91Z<7UYsAc|7#+TQTMSI-wk9@()os@IXxZg%Czk|mjTN~s zMNl<(U}hQZRK|+Az%K^6%eUDE^Sde!PsmUdmv>9<8m-r^O*)8!`|yFSDRjUSye=!{ zV`b8TcdtrGrfIoWU^>6=Nq6G9ojj9wF>-8zB^q-67Mp*^4K2B% z-Lk!k2)r5H4z9g9{~5FJAoUqa0SJ-^CGSjmT69T$K2!tX(8u=rQ9V8N<46X;LVc~u zxM;d|wB4Y?BYLZueUsj`55NYT!0S(h403-bzE^$qO+$od_;ll>rX>4>+^JEF9%9rQ zmA%u*x~48;yDX!0ySEfr%M)`GDZ6MQci5;SvQ}gAOIH0m0M&?o8)>A5^t4wNn!pd5 z7>=*v7W~;DwXprHQ^+POQf+@W;*1G;AU1Wf?s(3tlxWa5xi5z0AOBD6ID5?1XAQxl zY(b8bV}sm^LldFb5PKK~1?~Ih^ffPrCs6~wplHAC+?C-VZ}Nk?-slpaZpEMP6v(L1 znuKwdPZ?F|xL+xo&J)8#gP|%I-IDd$ zGhR51)2KBIJV~~S5iES3sh8Id(!U!KJnUksSPv4n@ZjItT=%3;vPXP<`Z1ui*0L-t zVn|C4Jw~CB%P@cCyp7AP0!rGvc`KHs^gLpq45=W#?zJJcxL3PLHIt@6D13ULWxlQ}^U6(uzK#D0Q819UrU_cnA?JmvKq6nLf8PD^VIImb zA3!cKLHijkD#fZbYsDSh>G%G<%k}wT0uEc1+|OJ_3#?Osvi457E#tn3w`;bA*9)T+ zqI-nPH~F{z5uBW$i|5(0GI?@%0};P!dPKDe$?{}APM#~M&Ei21sGLsT&4!I|&?Zz2 zspZX?38)3iUi>CsD36hRC| z`&Pi2M^{4;1Kb<qlMXFIbV8-a`*u z-MlN`KWnkt{+0-Am90}CCuN(Cs22NkT&0g!Soa02Ta8f#;_aU_EHKe&!V{^&@87}~ zJX9;T5mN_7k)~$6*6_s9DF^AKznqOeB^U3BZhXgSwZq<#qp{9rQY8F1$Z;&{@r!5| z*oOz{x3EVbwPu}@=T1Q-yA{ZCn9hI;xkt%GI2ja>8fl7xeqj@kv~zN#NUO#_SUslg zjNp9u1V+OP{nL<3$$=3Z12U+)_f=H-I9@|7jN9_q*9067qU@{zc~y%g0yg6c$Zr~H zg_z%jZV+HfjN#E{3U-$dk2KPV?SOqzVd8gKOdUHT7*WKR?rxU3uo)~j3ek7V^TAlk zsSp-y7c_d%%>_6I-{rY22+A(DUWAd#Mt>38BM|LnB|T0YY2ko4JrgBLSs3EezrnK3I@6@SspH!9ujQtz$uTXAmrf(M3niHdgP?&4<6`|}T592m^+%MC91#wqFJG3wz@ET5DzhQ@O~o1BW_i}u0++!03WB>( z{r7yb_ZQ`vFx!tUfmf2_DviJxaHXEa1?n#%_RA$P=kXYUQ1LdAdyywiE3ZOtKgd72 z_axcYYUYi!mLgG{t(Ca`SdH$)Ap-_sTS2UPwe7Drb-CGJfk?ge@xzBD>7WqddD6qC z;Dsm8w*8ogPdGkbfp~X6pYlbGn_o798P z+{!#J)P$EIQl&({6n?*yOsNUGtm)|4#9cEtN_3O`%foBWw_1RN;G03E4T&m#N^3TN zFy_3$-|)g_YrX4aZ*ax?nNm>i?~)?%K>Wo_(0-&VNTwrHjGo}V{9CeCyj#Bd-}lbW zLI}v&KVA07yokkjQ2NX0%%6rfh#vz#sIMzM`VcVxc$R&qB(hD2;RaarlpiTXU3e|V zv2?TF<8^)@q~bePUGfXXHqXUQFK{Ek+e@ z0bH3G6wIce|Gk1F<>RBvY7yVRTit{taoi!?LMGQFyBhH&K6I@i4`wstZau3Arq~7i z2~kw4MW@*$imw~E^SW7MB>jK7G!zn|wT3fQLN|>JBh4wvkEzzO3m#gl-#l;LA0B?}Vcjll4zH@C#Y#<$5p==Dg zg-irBfL|2J5I+!c6+{;5C>^Y?w*~^rQb_6_><)w(;xQ=E^9zSjEI8WYR}z~$d%y-0 zwn%^I-vRDt5%Tr!s}Fg32Y4L-m3dh<1K{g6!fL+ol>1d7)45&BjcZCNj%<=J(5L+c zOfyyZ>v8(u;<~&sa0Bs#RIGo#VtE}*!1u!g%V&3b^-@bui>rDaK#wqW_)F3amU36` z9xi=gReRGGij$O?=@bTF<@Y!-FsWUt9++X8e`fo;xn$=Pd7~>C$aS5Sg-G|;xIcHx zf}uatjrXGpv|y8+oy}h-Ydc6M0X{AyUiZ1Pkw3{?Aq+@X6Myu@M~7TjEsyIk76VKK}Sa(6av%>PfSg-P*nG$mi|Mm>;He}|NfEpoFVQp>~AFhvK;ci zWGWGI02nyYGN`X9|5Ksv-@nm+^g97L09IRgKL4Nao|4C0A_J~2ozf2krvJyJ?O*Zd zJ$8U`)xMGT{(t1^?X23&O(kjM1mQ|KiV>mC2Gwt0m*2R$Yf7hbz5elJ;LBrj1XK7Y z^;Ew2pMM0{Wb4ur!uW4&ZL?{JEx7-+_q)sv(3ag;tuX&b));;^z}#69wodpbH^4ty zSO51?ATbOeXHf0N{=X0X=P&q6&w^xut9RJ;(*4WK3IF}dWO4?uk?#07f`9GT`S+_a z1^h9sLwu6>%bEXwrBaZe{d3;X(vbgy!1rHy{eS*H^5@uG;n{2+e=?kqF(&PNQ;#Bj z36tNypH4N~+rNGFuKM4io46JJCvGzZFwvE!xxY=&;g<|)H)qwTd zX%d$EhiT}11^E1M12g3I{N5J;BwP0mVzDRN$kK0aE8R&cDeSaj&YxZv>;Bq?!ubG} zG{Lh6WC@OoteJCje8qlt_er5419WOX&gCb_qyq=XOaD@50J;iwH;+S}PswLF`j88@l* zvkFt`i`O)s<8vYLU&J=)CA?Egn?nSAL;e+!j)@)9w&{Q>bWV-IPnoZ75i|dm8+0eM zKY<=-6gz>~q67Eq*BOcc?CS%k#ut$fKxxt&FE-Elr$cgm5G5DK#j-a6&2Bnhj!nvP z=1Jt5$WtM#zdq_)1w`6M11^x4fI~r1*@!x31h%0!?F(P`-U)~{ETWC&gNFQR($k9U zWmY*6BJN1};ytQf7%hY&`G;;|^k>uJkTLra-7h|S{DEb4>ZiNYJkVL6r^*?^hi_WF z8zqj&i0P1=zst7T;zG^+I=?&@ciRSl)Ws> z@ZYN^nA430qm|+F{kTNbOe;N!K0Fs$;%@E!2H?}3M}XlR-@P&{F5ME&{U%hxtlxU3 z5a25j7z6ne+c{ri?p_*mu{z&aJ@+a!ZM1lPIGFMTgcpRGaOoZM$^KNI-9k6H!!<7a z&7#Pio;(%1~moP$l1>dJRLiTE>(s}6DM~>C<9)^$WS^k;{ zjB0bS>ql85*~IQcbF6{V2|dz`f_}`z*??8VRVofqoQY2mNH6qB6(=h$S2@@ZavBHasi-ZW%Xul;O zd3*TS0r{!fpRly$k2&JN3Q&5H<(c_oV67x8{Lw#dbM?r=EdJRbS-3csGJN3 zpzA`i%hZoY6x4kQaFAV28FP)^hAz+5^zS1|UQ4m;-30otZVcy> zSaJ>q z+a{3#+%<_#CZJWUSqwz!1&mz$0L0~orS6ZX>fP$!K+{&~n%$b$Irr&0u$=b?9oN%z z*-WNS=^n*Td#28%>-9x;y?mp0`fS}W?>6x82y3LNvi|Jx-8x$&!oBi`UH6mm2i3Ev zt?CC2kYh90VS|-T0K;tU4DC*q-ctmq3Ttn%g-*izcg~8-I9k!(ar$-FnAQGie1-Gy zo2eG(4<5Yzx7zy;KA&XrB+~W``PEC&1!;6NTJ6WORYE+bDr`bZOwW`3c~g!Y9{)_D zr00K+Yd}AMo(9HA4ZI(4proV`PJTX9objcPgmIQXigYiQ&7VVaeCuLn? z8NFrNpBR^h92WX`qMfDjrygA%gtYfNtCV? z`TdSIfCDQwsSFKG;`;8wpLP1d(FEREWV0K|yE=QL2TV43Cy|{lD-NC9+J?kli29F9 z8`Qq}K_`HU%jS-`3cDyxdPKX|dLy%UjXZ72)r1$@tkufcK#Z)`_DZ)Y8^=S(FW(g) zr^Ec}yAsIggZB4IRn}<4RzT9!6TFhAA0*?A)EkP{6-LXNZJtwzk#OskGAC=v6t|9u z?1{BcpV2YL8+j!=ZKw7=v$ANZ^Xn32u5<<{YsX1M9wk`@h^0EW)d`y{lg0kWqFD=q zfHDmZ{wI`X|2`-HzYk(#u8$SHT>o0jyt#?9oV%=SG4EOAPLgX3oZEB`4Go&2- z{z-?QM8!tsI-CFD!-Z`S)T$%xw?3Km*;u8|AXgsn`U8>2!SEbhBHh zH`zzsF=uqkvkrTZ>8H4Y)3mofu>t#f&@V?an9n^D*_+SwKBF(-`IN&Kp?z;UPvED` z6XqA2aK@Cb(VjX#qNZiOO_?M1^?)ccC-~9Te%-`7)HQ;foNkG3x%uQbeT7?B#&S}p z7ro+7?!9w4`#G=oE)7l1jYQCNER`M~nVSeHNO#kL15Ln5VqgzqFj$wm=$8byz3G|li6@EYHQno9Lc^sl-DaXG?p~h`h6oJVg-yd z4Ve1HfF@AX=N?jBWMRD-5Y9U!_`u4X^u{-dANu02|9Tv(!cfll@-z!+WTj=U~SMPlm$h|vNPYHX&P`~$gvj>hnQ^9 zI2^kc?sErm`p&yyO5ZN6;GA7MeOb~yu!z<&^&9FJygliBc5|PRliF*Bb)>`u5$*rg zLl%6V6L1VQqX{_?q2D=&-VDDSIT}-wNEy8ByjWC-)eMa7?3=1FH4Xe7+1etug_L{N zH;4|Hz)zo|M16>^?GJFhp46ee?*?c`nDP{*|GN_)LWINbh+yC}&LH07PT9~&xPOh_ zm@p+oP3EhSib+L3TN}*W&gvM2S>&oT%r%DbJ}xtZ&ui$FTZX)r6ANaz$EkvecJb}h zJC5aQm2@5d5@D&Ke^xsFH4wHz71RH4^vBt%(D7*jeQZ7cUH3p}kUrS#YFmDof8@0$ zl+B5+PLeZrsJ(c?iG5CO&P4e*7PD9H$w!RHkJXdgydsr4v@|#QL6`3!WVKFk2m0-w zqV#JCz9y?&ua`AmJcJk;hTzPzP`zqpX056zbDL?u7>s0dr-Psv15{#v7H5{5gLj*u z7dA$t`fN@^6~$1{7<+3T(rfbMsPsxr>g-n}9zERa)~F@VtkcCp`AdiMwTbpfT6-d` z!yqzQIHg#zku*p3B ziyNhol>)1Mb>qVVGu839VFF*Vj3VF!$;Q?kg_y?@5|fFRjVQyjP%RC<-*o zy=kGN$Sc<6f~}`4=+cMN_mF6XppiVYv1;`Nm-}RBmZl!qK0ePSm|nR^?h=l`RDnm6 zD(sTpifEb#Hi($uyj)-!=HJpOR%lbBS#i+$mC^P@Lcn#Wgsj6etue?heJ>HMmRB;3*m)xI5?VH#6s( z*>hy?*>nC&xZYg3!ejTd*1FdsTvb){6NUOE7{0m&tc zjd*HBD81Ssov&AQ;$ca+Yp%}o+@n*eH>($;WGcDdw9}y$oEeS-@~4M77WWjB<6EJW zwZyML^Tl(Sc`l@${>=BcXmIlyl0%k4c#+b2v^{DJ5)pw1Vi&PQ<*Q8rN7JRDOJPLb zaeg&3!iX(J@~wN#kif<cBOXbZK(%F=o?RwRhezGz8%o`678Aq9PxBBX_xGEbzb@ ze>Gnt$IJpNm9(dWahoF>l&#WVTJx|=;4yTbMJY~i?n5~#P9cSsi zwu{HT^_BTSSXPFcd&WU%nBTT$KQLjgTWloX_wpe7dyd&qQKL$+vi!E=QEAz4{4=75 zor90$LPjy&;1XC%4#~sicvl&uCyc|%!CWRyEeCbR)8z?F|jfhKHeaCEU8+!;h5&&rE|9-pHL;D?h9SFbAGx3?G`#L?|_!COT-vFe~I5N5-$X+t5?j?|g z#qK;D` zM9WzJLGxPv`>`m_QINT!%WVU}nLGCG0&NEL=z}CZpUyZPvmCjwH^u6;ugM+|VmJ@K zJ(lBP9=`E+bZZYw^Ud+aIl@H+RrDk_-l9kH`=EpOO+^~mA;-;jXB?usXI*cHW%wBR zjS`*5VZRXUqP5#Rv$aIwmA*Y`koW}h`}h=*;hQz{A|b@{rkOMuR~zl^FrP3z46kYd zBJt8>c>LJa@RitKo2aMOr(*-;w+b5?TYEeW?Q-lAK&T~wCse8pao$WN(eNU)t)i*L z4PidOPF~-B8F*$X*hi`G&H~||2Hc-ubQ#n^$GM>lIc5kHtoF--N6h(ap3fNWXkw9CZIky}oecGUrGdE_H~Hdaf~cH%PX7fx z^!h5$R<}WN*^BSm`Ky7zxBnvj_CEn#G0Q&REe= z)HIx~5cij;3~#lI1Vr&Q`iR81IH?tTRNVAf%tzEAemWvo3R*ms1=G_!z>m0Vu39SE zU1(IE@wuyHzB%TmHV(y~-5`E+__GHu55|2Vw-#}i_6}(NUT3;31r;XOke}M}!dp^V zjyIsb%zcrhE?sq{$t?1{Q0BdBh^o~TQ_Utqnr}mk>!d3&nuZkc1zdx|^^1B74=llE{Ubs(bN6ekORI zrF&mwy$JhK|9knob!VTd6Q0UqZFZDfZ`La_)=x=&Jb{g3h!Mzk-|--eJdxo`5IBPt zfmRLxpltmNuFuf8z>9BsQQL1tjo*9^Sm%-&BT7aen=W&P?%n8`Gb8I9*7ldH zde08HC5BpmvHyScXwu$RWZiB#8P{3DVAM98B>jh>1XB6f zhQsiMH&M`sotJM%^{G+nQD$ePQ!)HZ9Ls8}s+yNhbJ)q|C$kVzcJauB(I52>o(W!U z6ByPo*5uV-c3g}o{d#d2#yru8!rg&0r|m9uksd4Gn}YXYpUlLkzJ20IjN0=86H*Oa zF~4c0ExyBB_U**Qoc{~M4dHtgzj(FP7eSx|lK7^+@gM@p2v=DTJ~~ z5Q$g)?E!$qFr?hPOuN9lL~hDi$SqW{7P*aTwB6Nig;`NcJN6@f=^MaCkjDyUBr#~-?V|N1+c58a-OypVmLhhzIzEFp z4-~_!J~RI%GwLscz3;s0E(NutT1&c=_WSVE$WlFInVjs^J$LWdJf>@5Foy+Fdw`1& zr*y~$M88~XbRF!gw-B6ts9Emuc3bF>xbZlDZ0IoMAv0&->(g?X)P&Q4*m`m{s%xnv z9EiA(-h^G}R-fK@Ig9o6Teb$Dr>nxJ)O+7_PoQPByE#A8wej=UT5nDx(?tB)G0rIx z0~c%pTxM#wreL0FYxLAO-v}lcwf3W$k;jCNrT%#aAoMc<&_HdclCJe! zaHYq<{g!Z)$ zkpWr$E(r1U<0}Ljj5z@}`a&hjW1guJtw~?pJG?wKfh}LOdKD1Od_?*$8vI<$BUiA8` zRFjA8>=mw^o`{~IN2TsnzvBVjsXLwG(`i1+LJJGgwQbSW8DqyTkr2yy)$CAG9g(IaOkG(3P4w_4uvbWGH>yLI!7Ic3ux zm+&jXg*rW;SgZa!uU5B*kBQWoAk>E!0EDWHj?}a`OiFkgxY6A4KTme6(C7Cy%&45;9~ADp3#jhP3Bvx6S2UegL6~+UKxjuP zRBcJjbFih`1;M$f6NNN5FHcO_9;1)(nczHn4JHv>xwP*|9n*slr3?JD*G{OmZ6y`J zv3$Lx?;i-Kge|Y7YLup1`ujv86BI9=!yAn2#PD^GrY`}KlEchW?32^1NzIcOzvc{mQ0 zE+#DhXY0UrOL+>OjXBGOmP4j{!0BZGpgIxex4->g49?eDFFEi1xk&~6KSK*NPH;4W29Fj4dYvBE2VV%HTeR$^RvCh1*% zST7eY!7-4&yV0|$OpJ?75(@EEJYo1jDcxJ-GI&fcalycp9#z?0`8oCHs%JU!M4c%C z>pt4?=Heg*X5h2B&Jyx(UI3IU%&vC2toB0g;U-zNCz(i^VtI(kN?j@F(OaOIt>mFr zG>)YhF?bFReLOTc*F<+n-2HhwKOnT$n|ZIZ$?m~=KMMPfH4;AoeLYd5v4}K;>UPPj zgz>tu%cIfGAs~3^dH9Hbn+ReJ5enjqU;(dIp4%8?xUb@1#Zw^4J z5w*LIz1+~GmzuponQnW$cMzlG*S3wnCv@`UYF7_3_TTz?r0xH4Q2Q@EwKJoJ6e)CUF!qZjO`}0|d0Hi>B$$Zc3&}~2F z2}^Smck5QX%=$DOU)u`ImU_GkZ=EJtPbcRfRG#F*L``{pmeRa(NO9{0eJHoaJ|)ny%U;(> z{=*pHljj^^pU0ABwMzEAwr%Zv7iQQvBo_VmJ!aFvy~ezQ zdlMHVb~89rot$jq2K8; zCt~ck9q8o!_P!@1mVl4XRGFSm1Svn&31Tb(2-Fz@7$zp(C6}0#9>6I`S5%lrNgFld z^&=A@yLN?0fVy?&DgW{OL?q^}nP*_-F3>o3#ZCAiWI1%m0P9CcXi5m|Q~EHkElZ+C zEe0O}l2|&;@ag5AjQx)x-&0M?aqy2AvonG49P{U)#g%;aEycd~Dgj$=3r$j0HaqCj zrp+4I^vbl|9eH!WP61*(c(|GYC97FE9y__kYinf@nwHpV^O`KmSDE&Lyok>V0>9ww z*9y30;z36|-kXj^JTD_6BxE-VtXB?Y9X%_F@LBYRv81hB%P*|$mCw8^G!SlC>tw_3 z9OZZ@5%i#f1Jx@Nq(R@%qmj>T^^#*C+_u=Su#hr)Tj#lA3Y!3rt-!&k4Zw1Ht1$24R?Gz+7S)5udi1tl|6oqL`hH4s z_SiCUnxm7Lckm-u{GL%-gVXd5=gkQ$Ta$XnQ=1RnQ2H14%v9}`TgFvp`|ZHNV8m{m z`LM;%!0lK5H678r{Le$P0+DJ*Zo~p&R@|0}N?;x~JxXiDrOvxg^zZ4Y{$}X^(YJm$ zPXW2_<6#oJ2Jt_E0k2~iBrv!CM%4eYY*qKAD*o8-RHYl^kmdfbi1j0e)1;r%_3XeBv;yR;xprV z5yZ$_g3(A4c^^x4Oy;YfFe`jeUPxRKn!X?z8^ET0Dm#1?ufe1_^rH*i$tOi+34_gF zH_wWDN#3i@-r;UL=`7EDiEjTYpc8~JLxsKl%XR|)i;JVcN#^NEmW>7uPJWW~!4k`i4 z(%tNngx2^iM<}kL4pz(bwDGz#IRrM5D}>WbA=C>D{DWEMZY7odg{>n%0;|;3GQd?W>t!EEj|Rjp(aKC zZotkuX`-F{&Ei<^*kjW{u3MW7CdFz`yNQS%Zc@l+n&_gio(bysfv{JkSDA2Jks2(YVf(;mguYOjcOu)dgrIbxg&`1H*=a2FY( zRQ@#%w3{JFe09bkfmK{40&Z^w;zNI932Q zv#t+ zNqs!PtO)pmYKHZNKOIMsgPCny$sB5_8@hVDP3Bz3&S(2#VvL?WbaXm&m3-xAdH)pF zDr-v`KrZMs>&3s?Vwakh`!rNtQt7{|0fCR*?!4w|;t3%S10UbAuNvGVT!O zIQ&>c2!1iKKvTSiX6H&vdGE#*xyoPRmN0y|E`@jzAB=8rhxgX?3e!@hRGJ0A%igks zJ*Ai0t&`4@8)4_kt~%&UeV3PhU~=fKATpdUo{QX|08}U^N%ZM&lnMWZw{nqyT3Z?P zf=oc|{=6RANGK00H(;ZdAq)=ArU^v?S+eneVs;fywsInyd_6x#ZbJB#~PeXIzUPg5Q*wX2@&&H>6RSw=J+}fa2XG;^80#hMwwJA21+pba1;;yrI{FfxQBezm{6<4`~Y%*H2)rKUV4`wV*yBo z>YFy0em34$k5q&2R7?Wv{U>+h^{!t#YIB2U+B>$+q@Dn3%f6A8AFftR_BSWxmPlR?o9&O?{7^rPDS5y?f1R8oZ7`^i8J%*(pP{Fnw!D zd@1FN-8oe{#ni3%sFV~YAiO!82_jABS4B}_{XUDnT4g#pdOWj$V36mP?na1V&a~qZ zg6$7SWEcC0SA;RH$gBY|KWTL6me&_2Iw{VuVQ@Nkg0jM-+vr4K`upNxj0}!ZY*dn1 zhkQ_Q|AYnenj$;)hbqQk*?acm8eOY50ZKH^OTmlA1Z<)#hj$!&sIrgCLR*4xqLD)9 zB=Ut`ZulV_yydBDn+E*CsyjT^2f)d6fy*n$Lj6U6Y-#+x$4@vuMz_&X{YksEVxKvU z9^(6f&^8DzCA|?=JB9SU4a2RL4wm+gszKg`Dn5AvkH}$^4 zL6EUCnUjEN`0e1Y&b3FXFdd-wL|UGtnn7$K$pXci#;`Z9o1(<%4r_SxgvIt2yAE2h$^!rj@jpk&se2&6<7 z(DnE4yCwed*K$c>S#zT*tPQ!L{7z6 zlml1$Vuj*+dzZUIvDBv3;(FZuaa3=N%%UImEQlq(sA15tr z_j)!`&3c!@g-Z>kCCMj+jrmCvW{14A!a3TiyhZpe=8BPv(jcl*WPK6^$;JU*Ya zOYz}mr^~|ha9Y$cd9Fgrq7iv?R5cY0t}oG}=^N1<&-9S7oT>^vLHE1Xmc|>R;{|3|{APrFz%~ zRrZE9meu0kSuwTZ9FhxE)X!QOu{P|jyfD3AcO%8xCi60Q$?;H{D7dUAV`I)QtrX_s za5s!DB9Pelm-AZ39sfipM(Y9?%5EG{v;A*<$N%W%PnoYARB7DpA^i=Crb6~qVwoZV(CGuo)vos~j)s)@R2!NGEckxzYlo?* zD&g(7m17?+>~Cia3A;;xiq!GmMfhS5bO5?zQQU3v>_v~BYe;*y{qC16wzy-pbC3W; z07?N##x1SggXsM-d%JjW4XA<44(e)^CwsgcXBHr_;`Kt5ub*R;P-woB*t#yo>~`(P zl0bCbxXIUQ2Wp6{vE(qX0*$2$7=eedpM6qo>LBPAQ__P}mYF#8L&ZCcNA{E0t!bk6 zsS46K^?<6QrGs-E#7yS8=C8=t-5$`e^y?HBJ)#jb^~wL=M4zT9)VN9 z?D64PFj|nf$Ydb2!J<0cOfJ}K;eu#oQ3ABPC-9pQ!8YU7zBo3LsCUXBQ@9(Z#JwW*kHDV~rnWK(F3f!cV9wHFS-nv~*N@ zo#QnxL+Jv>;kQa9Is!}Enj`aP4y^g=Wjnz|wu_9L{%G2lp@(XXqC|K(569GftFGD` zR*G?d5aVFkvD)d#o5ZcV@6DM+FMqG00FPGI_j^lb1EQsq%9p|SwTA`?kWTNz^*hL| z8v50>vYQawbjjq0CwgGFC_eP_js92mLfSO9cNPax3%(D2xEJxx07HD^HM!>h6d=qJ z06{`%uEqb<3H+B|0Ilcrn#WSH3Qqx1zaxS7>1RIzo|G*hrFMqo)gfju7LGm&L)uT2Le2gxfY zLuRgeg~5*J&5&q7lgm_*OtOx>ZWCn|qyM5QRgI7NFCBD8z3lz&?`wd-U_buMxlgJF z%{HjteL`L|wEx;6{o&S-dLzgIvX=J3cCNbjR#jv48if7I1dJ0eC+c&re|0b^g%-}k z=5>3UXE3y!Hg`THY%HS7zM^pTdthOSeNRi^>~YfRCUr!fIT^O-gq3PG{WKF2xIJv&D?{Y`G;-@|bxxXff;8r+Q z6-{WiuD)Gs8zRNZ^o498&B>1rAkrECu6RU6aG4m`p|b zc72fqdM2F>q6MM)Lk?`ELz>pL`fD}t-lZnH%Gu ze{bgp?@TddfBR#SK;+(2VS$%ev4Cma{umuQ7KjSqo2dmVX!^;Y3Neys9!4;>xMS<( zmPXYyz)Vt3>!Rb2UpjcM&8HdYvX5u@`A0JzD{3t1Cp8@0&dJAMK&h}}3XalN5FnB- zvqWKPYUX8?EusTB5+YWF@zufuHeILYZ)@+f=pxL3s(&t$J2=uuN? zGfpniVOOpzNq<%9t}ht=wEe4f49`-YeoUQ8pIF{LD zuPM4xCEfOV@7qQ-S(aOkjtgwfpkWOmY*Oev(m9}#r>(GU$h>HLE0&8T53LL%*HZ+} z++3~Z^k}2w0z*E8jo#aZuq}s+8HdtLB&X_9hTI)X-2Nx?JM)Rf)40=Q@Q5>#V^U^j zV6zr$;|p$Zx*aRftzoiP_p1|76*nvg+i1pGaaDXXe$x+hX;@8JZ3X+Kd5mC`ojAEk zmJUseddg|LZXa}O2_W%a->lw^R%-(43$o$~of#HR=Wb2u8ZQbfk#plNKrikBRQ5O+ z4KUVps){g085Ekshut)EcLJ$}Zw9#+(Ms=SQL-+u2~n}KjbAD6(#Mano*&;B9S{(B zt*KUGF=`~AQnlit1iaKn3BbNS;Oa}_vZ&7ANEO2v(}fL;DlQ~>E$o`6d;F6P(AeaD z#yugj-@Du{bCCVkGbK?gU0A&;+v8Hvr7Sk6h68NYS0B$pHJ7mYX5RBMro88&_lw2DYXgB%&}ZJHC-!&pvSb*3_bu z@HXTt(qkp<=WD@wd;axo15(oL#XQKJ(GG4g`dtMr7ep2Mc_;+N#W26dDg4ihS$>Fp z{?nPg*#-K8+y#e-U0H#1#ZzL;wsYAw+L!e_j$MHmQO9B5;zPX!o;Qvf@+a?tAJHfU zVCWvTJ1}g32qStrtTwkIzjdofMhz|0^`T8{#||0W0ah_^nz@vjZe46FK7prGvbHSG zb;#|BMXiSsy$2gBC+(q_UH{~r3ivoS8qgH~0?q7=KkA3y1(Zrz+P0QXw^9@94ZhJa zajbLJ2_N=1KQd(epaCbl;(>0b?Rt5~EZOP-*dXwW*jbZh1nWa$qLq`wLtEnUtDfOn z;&%y*-(@*?OFv%8QKcBOenTUbLZ#sQWH%%AGKN?-aPa%j4RliEk*W;D@Vr&X`;EJ@ z5z#+A3hh|{ZE}#6Icx&7ij(@Fk`}kATXCz2miJoRo>kjuwYD>b{Bhl(QOd=*^*I!a zvU)+{ypHpEeg(fUZc!++6Y}7rB;vIq0CdGae9%~&_=-6dL;EIDO6ss#;6 zj22hKfJ%$$Zyyrd$yM7Uw}<5=m2(Uz#P{x$A&GCN^t1A&EY!MhM#$(Hg`X0tjU!vh zt(_KB#rNS>OAG4cTVTUj#xC;We0P4oynZr2lltG4?SGf0$bWjCJ{dKHmX2;SiCaHQ z0&RL8@Kh!k(Wq7rOcwKh@?7l>IE-k6ZisCra=#bJ1Nh?l`Z}qG9ndTPjPJfMKb^Q@ zEUi-}(|uq!KaLFipB6#p7B0O;N#d_n`*Fc? z8(hFmhmz9aS0yV(2b=Fd9%S$z$MHjR!@xT5(nZE(HN9Qoi1NEPy z2>#QE{>wbTkOye(is1j|fB(M?CT2RY6wt;JW&UfE?*H;BzY0{j0EG@z8i(Mgqhy((wK=zDLMgRZ^hR-HQAg-tRK42hWN=v?6M(J?X3vq_n(4uM&$L4OIq5dUxX z%Lxh)i(^y=?1f%DwR-d4)aU&-vqIvJ8P7ZN-v1|lAnlZtz-~&}G3@`}V7&34?{5F$ z$o#*I?f+)F{vSTYNAt)1izd+n=l{(@Q2-XoFK;6G|K>UKFS`jabH2ZK!vFV^Cgd-_ zbUmg4GRBh|wRH=eqBl@=IyW8i;#!Wt=z}yZG3JFP z#E0$19iM$=qZ;h`he?2yKU8x%uIm5)rC+EHZ(E<|%Jr-cLJhC%R2Z^Rcc!f=o|EvX zln(WS7+$~Lma56KAq1Qcq9ilThGwD@L3-*Qqp46DK`*3Hx$pOvv^3ncSwOQbY|3n@ z>7!PY%lA3J9WDgLPbE)ofTNEzC%Fm;Bg+0oQ|E`es`$HM%@bo8%fY1Y{>{bliK-#s z#g?a>^R7^XrNh*q!m!L{zGh%|@;%BGtx~H#9)oIIbie3Be=;rCvChY=0a%%$S7U`b zL_K3%9un4|uRf?2HG0-0_hOr&8a5VvTFOKzeX2C>$(0Di+|m5`@pXsfrvRhqx4wWijTJHu#`G~kvrvVWL8q=H6I;-A z_XiM0z<=U@e>B+1{;$)U&lHuo_JCGFFoSLy`BS#XirefVeW{9CP@bn$i;4?!lVLNe z>)OAgLiEA~xltRo<#yeotCiGP&#n;z4teY+c+euFU1yUgcYOxS*x1e|4}D+A{Qp_r z8B-sw$BY#oe26`6f9y6iRTyK!#Qtq@sfmoKeu)S4^5x5u*edTUmB#yPKabAWVkk14 zemu7G1xFM$M)Nh)@)eFW&K66Nq$oHuBFDkyV__VlT`ad`?7uM^FIVN!)*9`2y)R{s z?{A{CIKhaG`>6MsH*+xg?IC z^#0^r#%KH4J#;R(dZz(ROXJO+(@jB2=cdtD>Wsho6sQD)0Gu)E;kM7s-gc=;>iSIZ zZBH1pV6g$T&1ShpOQT$$1s$98@MH1gN-8jLk$=3S z1V|SNoF(8mmZ$7Ux>0Y%kz*=OlXcdQ*0u^)`&yvl!ZqJw`z;D{p3)}}-J z4wSdK8Q;tSQF@+vIMu}Sgm2^o6QniYnHrT=O6br z;!#7G{oI#Dr3fdC?1%`nI#-qFN0PypC4=At-_&QXk8{i9()Y5ZvZOdYI7xdRfl^C6 z!5IV=%*@~5QM;I`UN7(8JE+QTKU{Dz6JxfUOY> zHRg)EFmh?%l_4&*Y}ae_xybTa8yLu7vZfXjAJIxf=i zkqG{@T{t)Ar8dbsB7d6Rd1`0B1VpFQIhi#b0o%;qx$LFV#G(l9<5~5zqoboyV}wuE z3@Q0u1|0(yQuzVh9VO=y^v}la*)?0-9s7!O<<*}sKb-{RwCfpScXVXAz9#Sh;>8&J z`^^k9<*~VjE?E^|Z<`*z9uXiv>V)6c<;$Hlac(7LtS7Fnz`gPYV-t=E@JvHVeLCSJ ztYr+e^7yK-q1Dr+D)X+kY~N5)$34Nbsbx8wuOTMNaUk8EkTxlOrQTQuDU(hoW}(FT zExcgFo$9G2SvsNX)~^9l_dlf+V4YbFp%=!P5IX&ZbiAE?Mi z)ojmpo~?;ar2~8cda!SGb^YLQ5|`8xrvHp33Ke=W$5bVFECe<$pz_ zpjw#py|dXe&~;yK;dfQbx_A}uCMcGdn@g+@#G&y3%7=d|RR1q8G7Io9%8&U`p0*Eu z3?*bSF1mt49!ih96tnKuN@6b_QqO3x?ctSKB2w$Qu<(2KfjSUJ#$jzcqiQf#+o{ci1l0kgwh#w)x>cg>a^zI_Ao>D8noZZ*jG zg?+A!3j7X!2z#Z|(8|ZF30~F-AGEZg9I=r-#RsDh9dyi&_&x4m`A7(U5>)JyCIIFR z8XX*jkdNU@eDcE~623;~b`9z5izHX2=nKyMb$`dkJuoq;*`Fz{ne5{k@dgFB^VWa7 zThU`sF8Y`*Z8BaHGHq3O=#PFrw97$#oGad5l?3(pw&3U7=R->?9~ZCJD09whGL&3O zla*>eOznfjoNM8_=7`+TiI+X!FIB0v;Wj&~x7+ZHZe%%lkhAd(TpByb{cRDvM%OXd zV6q$dJzp_xHG*~OCU9d3`@_QxTxRq^g@i%hq&EN}^2(~Bg!JzPA0)*yKVU*Avunvp znoZ5krD>mhn|&q9#?)3(R%1Hw(sHUGs*)n+$B*9(w^9v+a#4~0vZHWPOU%xQk{Bg1DN6! z@K*k+EBA1I==24l`jt7nyhN63eTA<8_xY=m#q2j-K@j(b;;uDvX%wjMX#rv!NY4fU zUA^2@>|HpMXzR%ri>41KGHo1u(WZeSBm69*ykOGSQ<=5MnUkTaaVKS@yjop#O2*sw zZ=s~NxPgqq(3r0o*#ELNrwWu+yRZ0h7$S9IRF-P;EW3TJJx=6lT--yIngm zzlufS-&-jG={0hPSk|`V0&E@S&0#>i2FVJWWOK!RHVYcE2C#IR((jN|X1SjB10(^{ z`n9FXIp0cj8#yV$1c7b6<7upOcd*%@2K&>&_;S-*jB<^f^f}lY(CTcpbO5%`>N%)eeTiF1)+q5!oMCik0+UW#)jLbL>Pzdl zf*aG$B@k2j-t6t@Hp7tJ<;D>v`Th#d4Mw>T6OUT)7;KeFD+L+vB-W%MM1NHyp2X&4 z6s>$h+&7jc*{=AdyqYdrlcRT90$wfab_*pj0gLmg&h_?DK3=Ycrz`>&@#{a+a=kZD z=cS8(6Ca!D=(#nbUc+{hH4J@G~exlpFt&=vn#0Fx$>IYWn zlmtZwroUNFx1<4CojsfmM1krP!K&9Jd$HfgP+U`OF&53BO1H5cgvx}s0@%8`9h0+x zku!Lp$nJo)s}sbxLE}|M%`#@dica%p3;sF2j~xC!nb&P!A-@edV>Vc0scP2o)q^f$ zVX{CuxyEJ=C<=BkuO)%B0;g;7?PEm78d<1O$190PP{1u>vC&ym^<4lIkg0Io9A+B4 z8pd?k7*tQKyDUrk@^N(Z`mD|Ei=fbyZ>e_eMmOFk6+lL^Jwc1TkffO5qEKL?cvCE! z#A$}I6XFb6{oa~u(l=V=xF($>0Cws|(64uNO3oCi%WEk~L)EbgI||(nL?$YXsI_Vt z-``)Z)n|U(TLsMfk-EhI0n_Ta)54bzNHSD5M^e_9gYj;YGRHW|9-nS>;7ee$6Y<)G zHEkNkUB#*@Iuov0G8;gII~yZ3XM@g9O(tyf74@d>{7>54kEjp=X)n)j-3c`?P#nvF z!%}8Fh?fY_m@;9qp8!zh+A3a95lz zj9CYbE^i89Z4S*=LXlmbb|%82SFOvZTzkJe{6|~k^Y-}{y&7g@!mkze{N4B8c#GFKJT8xLqkSAFj&tlaS0GxQ>r%~oSZ^D&&xoSx_Ts8%LLc% zfwow^?h&y-xu+#A;_&-RJLYkjUh~vUaT_T287$iMJll-^laA`l(d=rIOC;Cqk-OXP zAkWNQpufF9prP;0u8)uBxG{ryDCr+aD zW}jNudJAvWTV}^W_lA^`oCrTxUQrQz{f%YH3)80+2$Cy}kVihIPHUB6)kYHxy)T|L*9r&2DiUpL<3rPuj=g z)-2y-+A-4GU061(;AhEcyI7vUas?+Wu+TmZEVfwf#)&-X{; z^cH+BtWNg(B#uuvtZY|hQANI;jp&P-4!#hK^Z{bto9 zqR*hklmWrNL#|mh)b4?~sRVP1D=OStOjQ^KX(ZR|&3$qeGzo;<-4{Ch`oPnOkXArb z_wHY zf%1F#inWZ2%lxCN3E@^TaIYiHj(ZPbOAR$k9c3kfy%}{x&g`X%tm&WWg*q~L!=E@G zxz{h4viY2baWQ49YUEY-`|Rt>8?^49cXNP5R>PemI8I zDAi6%<+2!6i*W+~MQ2uL4O2W|w1#?ia-%F=;eH!P2f~}aToiz1Wktr#6crVR5%e0t z*U1C@{Yqa`Ktn_J_nqCj?9*sM<&a&bLgYug(B6^s!&2|7YrS+WitE;sxJt(TOfJfe z2Ucs=J9{4~Z5MtPLn{84VmQ|$IxqSSMooqGA`ZO5T}1B~3qd_^YksYq6B;knlW&&? zRJk@Jh>qim=zBcesL+nP88l4pE;P&kyt@{CEqrU~7CYa!-dRk3sTBQ{UHbro1OA#* zjQtT;Y&HKUqN}>$w0Cl49+!|&N%@S!vC(GBJxmXeLrYhs#oI(8k7KhJa1&17RvQzp9 zPZON#Weu~QHI(_V7hG+m^{P{AAohQFLaQ!)mBEILW zS^qRn_%rF~P!dcuXO;3e?YgUZN2n1EFA?LW<2_bY2vRopS1dRT#IG zvUsy;L9&rl?*j~~H_ZYTTMOt3b_VJHfsF)%(rAq z(~#Hiww_oxnZ4GFos; zu@>%z8gFG2)WFtu`El732^O5aM1R(xdwnk47d)d7urV+=PXQPRSGSO$LA;`U{}_OjAPfk|XJI$t`H$2jwR;3`ZPv zK;-9&xN>egNvrF7b$9>=jeRPCrQCh=r|2haHvW1HhUu}CL+@SNxv=rp*jf&Ezqoc= zqYL@oax{Es`jnwBO+m1m=>BQZWzv?B_+q|#OoSm)_`K$2@Vv*bHp=&J;$>rwLxk9q z?vpI^Yhr@VAUAuO$Me=~9zSmmAQ?(A@TD26SFjST9J+ypZKa^=Gi0$87rQKcXoWxg0K{B`J34pP zDPf932PF2=jGcXTs%W3DGHVM&+x1?F$XaWi&sj5`1NKRt&rm8*BhX?u<{aUoEliks zv9|{VHSR9`1<}?{7GT5ZPJDt&F~5?=W4|mUgR!uPp@I`s$uxyVWzU9Q$uM{(0PC-I z*;b+6zZfjhgv&o0)mDy~#z#s6m1N~sWLQtRq$-}Sexm!8T9_TTKgRa zTzKC;HZ|4e500B2s{ibbcX_Jo{OhLv;5uHocN$`qtMYt|*d(Pg^g*^A0-Rcu>#DN{{HCwPxK{Rxs~A>T7BvOvw|H18zYDoFl^@iZ9Jn@~o`in=`TUjg$B+Tdgz(ta zo{-{Pm@hccX0ee&w@w0&{NNxL1Q)Gr6SS%LAC$dyP?T@{_p1m3qNFaOASEDO(p>^l zDw0cwbi>jO(jeU-(w$3pgLLNtOT*H=EIhZ*oZp;h=FFM%J^$_S$Ik9@-`9Oz?|6M& zpu*Ry)b>kubm(Mq8oNxLm+N7pp#FN<=3bI9S|+U1yR-77o_t4v6Jf92-0f)t1y@ix%>?sk7%F`hIn25P$@CEVAV5K6Cof+FW>#2mtSDsSO z`fRGmt47rn$35nX0z&y6-%fpuEkA*kU&6D3?@lUzRVa3;+V8!>b5}g=Ioaczi8r)6 zyque{)f>*wa}es@(-XRh8zMj5cw!+kE6DYkBID8?;dX&Xe=GG){k&x@5SFuPx7MSo zJ=(0Ad&aL8PZs?!t>kf}65&&^-uE(=Fo|#Ze^>x1*uvwiR9>mCSKL%YACHVU&7%5l zmUn=+(hN3ce@vvR-J(^jY9-G`%bVeTh>_u;{{lX(7L;6LjmHFSy;`BOKj}&2yJ>0i z!RKmzxIfMkSJ(a_E}nhKKrjn{ao$k`b4EvECU99|%0&U&^Jn}71ZH2`CY6qgX>k@@ z*Mb7q@6O`^b@_nhGg-bt&u7<8r}i|y>RO%+5Xc3X(RcRmSO1wygk{=7dh6}BM%E4U zI3pW$i9b&{I9`(ny+JZ;q+SakO!!@%Fk&H##Uuw;T!+y}N>*B31 zXTx05GS$m?z7Kol%>%&4j>hXIz;xIq!Q2!`s^5KjqUi zEdrB?80}mtpjjDuR^aq-=jF=&q)~?Sx*g&^3Dh^z-|W3);?vXGJUK6DflFF%rfzA| zRu@gOZPnNL4JfF(FBCr#wNU#6DTfsVJa#kAnr-qrW=TFKDDsEhhaSRO2tKizpHa0KwJ+yH`Rl-E80V5j#d zBPdGjYT#Q7Ad1KDWz-3(H65SO;9X;Gv48>#d$OP5ag7D>U8;N6&wh}s`B=M%^%&Gj zpkY1KH#E0NQ>Ey8JYA;82wBNxD)+^em>`i0I*aZhxV}9yw3gK-@l_Z(j)Rln1;^;g zBW;%6-*2EoUynfj+$*q62n{Q;ZS*u)$H{}>&$XAA+@7GVdOri|@GcvKMkhlQNfs7mc`q|3wRi?e=RotE#gUZ?8&1kw2hw9fp z(;D)f0!O#`WJ3)iA8^DD{miFrsOYYmmeJui?9S^l8p1Z&MmAc^7i1lFu@Ip%tSG0S zhJaj_xN?yf_d!DwgYqFQ1UBSX_-E6{Faqk@7n=*0MNLbJ2M1v;-TZ8Ji@NG2*Unpk z@Lhb1$3yO`F~>OVo*8dnmVPT1Q#PC1Q?K>$ReU?jj9$6WLHIYITsQhvb)PJ|Nfm!d z_D6f#Hts{0P{kM%fz#opoDyp5=|h)3D#bvC>FL97+ghbbLaNe*2(do#&$nsVkM%Ec znF?}7k;*f?vpu)3957}qE%+{YFAv`47}RPqm<1_6?LQC^j=dOh!Vl@nk#9Eq0@R2`=tgR5U9YA?JW`dauKUr`hRhaH_V-bU_4b1o$4NzqgZ3G7#$Ho+~3|CHSp(Ro-YHyAAL;yVl%XHsguWCJarsN3>l7X!yq& z%ddyZbzyWRpGa>F-g1}B4)|HKhgUH0)itDOAp z|FF_s>jPV;O^(Fa`f9G9uB^zXpkXm1mFabxJi?b&>^u$X6dHcws;}TYUzHn4Q&&53 zgJ8lZ+Oq&9C{P;xbTUR*0z<5IE3y*fYga0B&U_kle?hu~m5c{sr0ijyc=RV!hq-`C zHxz&kcl`SK`&}na`I}1K5xkN``7~ZJgm$L)! z`!pF#cDb#WB$p-X6Df8Aa?KVyLQR0jTilDsbr3VNRuh7ex80X6?^boBc|q*`!^^*8 ziU$0ip>g%Pzk;jI5|An^zyg>wVaI}{m?2H%SV(YT9d5)dC8m%Z51lbQwfaGP)Jt38!FdKKvqlaWzY zzt%X0J1P~2m**zNtA&%CoXj7xu)Z|!r>BKuij#rTWGX4=Qup~8sNYSdn3%FKc0Tka z3K&pXbj1+Bvl?PT!UPkGtF{6wW)wxfy$Uj%pSB?*>?COU^_Z#D`+VHp^|U?Ik!{G&pq?1zaNI+j`3w{U+;0N}#X43i{w?mAhuxkD`A3Vna?bH&sHvVX;^KSO zTPgR;1JwlL@uP81$8(bL?NoNd6ycmbp51hHq*P;?dL7IQSzD!5Fw}55Xfd4q2pB9i z(?MCMQhZD7C5G(S-p-U3ur%S@Zf==;Kp5Y~4h(ojS7`45FrmUjRt?RuWv3AOVw3UoX?^LESG;#!rNTF&XlLIZZdq2UjRhLutU#W#Xs#wPd%Gm ziCPoV7wcMkBwqtFA;Y zF@V1?W@3+*9^B!ru(4$sleyw5YN7&GmzaT#wBdPwyX2d3v#Rs7NN535-0KQEg5>N# zA14pH!w#obg6ryM+Ppn0-q-E0R4f!Huin2ytw>Y>jRaBj$jaE$c%rnPBZlIWSDug5 zzgo|2p|>#p6JsZ?Y>Mm(-;C62)m4`fhdZ^`I)UiYIDZ6`XmE7pIJ&*+;1qTpjf8u2WK^3C~aN6+v@$Za+c537e%D75e#fNS5vk2%L2}M5p6#oq$;{6V zy*f{ej52og6;J`{ec#nDx+7l)ud50(@(7lFGR<4ikO_3rxB#{SpYlhT;JgwoQSh88rc zMKe^o@>@MhN`qnpNm;-kiv>ZJ-j%_P~P~HkIB$cGWBnrTD+=X4knzu1B6U!~RZqho$=A4|?j4Lhf5Pnhs`%i>x8&3tKl|EL zN2^mt(Eozc-G}_lL{d5YT-(u!q=Q7f|1dd)7|X@e)Ae1Ey=1az?HW=k0kL794+|(I z0G49vX;m6@_#W=iQ=3eEe`$|H7x4`1C%y`fH)rBVTyh&OUN9cC+H^0fs;dD?>v{E) zaA#qcf+C&$R-yqhZ1zcO!J@r|<8J&hq$h;fmlgrzRp9_B^?vALkpfvJ=**-+cF-kVkB&z z2&==~Ml&eZc>XU8Ej0aPs87+8JG9A42A%!%e4M+DZO z&a*_NjYGU`0km~{2CP}J4{J8dnwL#WU++Jy0cCdD3hQDrNkiuq*RT~8qFc(nshN&3 zm=A_*@Ec1LC5Xf|(1=H1xr=bfvPGX1mw!qgxWpI6C4bkCK}1oT^~m!d!i-+83a0Bl z{4Ewu|AL@QDoi!cqYiVkiHvpzpr5sTb~Ne}V|r{ChG3&V1KurOD9a0*cNQU}he!|$a+%M(rE%*xKOEApf z3_@egvN(9L)KEQq z@tmL*O7WuO2yD|*b}Dv&`wTd)lQ$w63zJE=qMme5ipsj1ub9Yr^tEz`4#>$Vt)*7#Cw`3JY5x;*sz$}Li&^TaYS|-+kB1rIxR0x>NC-N0 z5ywk)`vqOgVD-k&pHD-S@UKP$y3#^+Gn0&5g2euo!I&!|b&|A!LBa|bz;>meb<^q5 zp{$k!{*ZVa_Mvsqkp~j23mcWGb3W4Hg07ChYona^i&Tn9eK)oQ!+!ow1033d({tXZ z-G8E=d7m5x`n*Pys$&CneqYRXZeD;-_nLMsp_w7y`M9{Ia#|Bb_y^BGcr*2Y7c#_s zIt})@>v=Hg*CJ@(JH2t@*~c0AQ2$_RKE8Q$v6roGwYtH0m!`_0hSM5#ukL}^OtN55 zm&3HmY)Y5GNfcvQ{oFy9KL%wh>XLC9CZRiz03t=a2D`6lUx!Va0`7WRaE1WC5cGE5 zAV_M#re|(R=t|JEN<7Q{YT3Eq$O1iE$zOQEB-0ZSj3_SNf8q%c)jXy)d@<3A^}BSO z7f{9-S5=^LkNX>*-dn+dc7DxnJ?i}}vq`(;f7FD+)5(HjK^1`3PH%l%I> zTDDRcr~L4-y4EE>JVXi{s><3P`JQYId+9S$9phG}YexYxxHxmTL7)2#d_3`rfoGwD zTZn~CgQDIO4%OMx>{7!HNS*ZZP#RPzqIG%$WjCv(6R>bLIjueeAH9^J*fsg3UTCgxm9YxvHl^Ejvne!gxqz}#3E_!qwn z#3?Z9-By|=!mihhJ&Qe9zgKA^?-d-Z+e%r17g<$PtO-rI{5*1K2_G$|GpTz(Y2=2t z!Qx=2xGJqK-gG^u_hPArp3bJ$!1=>0qi$zN5P1;0x10;F?78j++q`h<%{#=|LGFJ% zdCe2j$NQugzoP!t(qj{?+XahqTabdrpUV@nY6p|DCAVVT@Tf{wvU0+nlPH_79J+1z zut#dzPKBCDO5|v>vCBb^+^_u1)OyX*aIFC2Jw~{OzwI?%1z9ib=Zm)t&dW}j)xoRf zkT_r>k98lK55ArSa4R}voSWFP05#gIJ>SaCWKPt>=(y|o%sbX@+3sB-8OU>c{= zct^w=JJ6wjx13NScM0`!q6+q#Wy<{Hoa<}IH;2%xtk;ZiqrDD_dWVOPO2O*$hf7TD zL&)4OIK|o`TYUTm2pc6C40nAwILTFlD6F!mDx}IPu=`+nLO*7o= zhTM{v2X)}dHQ*l~3 zy^PhPEh_9K0=+Lc;zusXK4|%=n9H*ufatA#-(vN~PvVDPKeR`&ROCgMHjaWw#>*qs z?`L0k7#SfH>sM6~TwwX^3qsT$dWF#wu`0+#Dr7=ulzBn|-&#OkU5jH`WZ*@@FY$&( zE>tJX6M6Q`MSL?*>KTH?bp=`hq8V-Rg`G{W~ft@Okl2ir|eBf@>X*>=Apv z&*Q{>ZP)Yh2b`pWa%ze%fnTt2uU<>K=_rD=C++Zm;J)*)c-KL*uJ1Z6L`j}th>-PY zBy9=2s5`KHFwzGbHO0JZE6vmU!0mrxoMp(a=arN>2 zEr`p{i1sgL%F=aB&B0+T+v;Cttq0>|7c7{9sq`lEn22GP40Cq{O`&F6y+y~7xkG6dX%T_ z40i8v*TGi~f-xS^c^$9CRaI5rjhCmBpDZ+FR`Uzaf#5H7X3=kp@VO_YKDGZaWtCrh z71^4IitxV&pRD&x``QX&RGZ^G<}Jgl2O=d;)#+7zgRYfOw=ez@NNCu1A%~WwKawy< zEt3c8@o1W~ZU5p)@!I#tyPsvUuGH^xlV);AB`{dHs6cM*ylo`A{aHcyT>lGOo$VSL zk;-pzDR>Z_4l3J69A2;7=t$Cq-Sdg+4)}L~MPK}U?m8Fj<%G_JzM$xxKc^2B5xEFf z(_JZ(_Cjr@N!5ot)EHe`U)Zb1;lO4vcGpqb*0Zm0++2ZSI#1zP*FRbJto>_0!1DeY z=QU^)-{J6BYF1ALbnTTx=ydP1G_hVFk(UQ?N}2WI(ioN^o~NH3UZ|9)%4xj7mC-|d zrw8{OAm;Yp;;}uxIX;+cTHdIV>Y+WxI+;6)lIeZAG+cE?&60A3H_>-{C`yu_xx%CO zI0KWsnJ#LFcz3lz^sms>(%K^S8P9?p(M#feUWq@S%tkt!?`@(1U?_W3!4*Ibe|}A# zjw&U}ll>}{pU3?XCx()`_x9MzT7bzV2=Ixo6=zUf0X-IJWk8Z*PjDX|PI^;XFV)76 zYlyBSd}G?)>Bc|OGCV54#Z?=WAcL%KE%yF6x7ifPyu>xRZ7|c7q+s}gd{&I3IznPu)J)O*qS_>Y&f2; zJGr%}gj@pzsnrU?Yxt1bsi#LUS%?sX{=5PZW3yO$n@zD7iuF(o<6K-H}EG<6)g5&OSoPhEU_p*)QS@_XbZxj zB{(n7(w&j}r)_<#4twOtoNo1fjo;=kwn=&7i)v$X=h#~ZZd91oAOqiwsfD|XFk+1t zx10#_qog}ukl<|eh>>kJgLPx$RQpn7b0G8BPTw}~7K8Zx=Bqcuwx7;_b-i=ZRV2Al z&9FuPOLi51zT?~!S{(Ofkuw6fn@cPAhi4BoJ06r!RqG$P{slKSv}Ngsg*|f#UXXn} z!}SRL#DTzSW(_d|-a3#PeA7XB35eiQmV(Qzp6+D63FUG#Sz=G5U+yc-G&m4HM8e%q zdQ6^NUf?oWns0-y1aEhgw}4QQv75}emEwph%^NX|ivD$)6^p5YO5wOFO_!q<=MS@d+?cGbZhtNe2Rq0>23D3;L&d2*(?jjJa4TMwOzH7)p<98iT2s63Sm=B`41tP?t>#mAc+2 z<9Cd9{DcNf^72yTOJ36Z*PS)BJq9i#Y2IEUedhbY9%}3}$b1RR2Q*qKLU?)Y89}!Q?jrvy_KCmfNCeKs3#8QmBtEgh;m7Limq~v?> zyX;L#*Lr#=`Q5@=E4nhO%ZoRkdElp9-}N#2vGq6$p~#8^zHz%s!51+Tm6=q^Jtu)Q zHQwOAwHHoI>csLC*c~F0%TSzz8AYN9aw=nlq5$G~Emq)SXL@9mQE}hsFUVkANVE~Q zjG+kJ&Psa027sQ2kOJApyb>Td!QoYBa%0~n%1YV6I_8kyC7hAFbJanmvpLx6^`bNN zqgiN#eJT&;GjcfKwi*+6&m7`pDZLuV#snsDajEzgEbK4mF>6p$u25DyBOP=)*wKB- zFyYo+%t~IQ6WwcEs$&_Gz@V(-rtMJ|esj=Jfkqcw=p$JF!w|(%SA2=uzdxcAxHCOH zvID)I!d=%!utD<4deLeb!Q&4I6@l7#+=S(Z#hl>~;uKGm;utvmDxUrbS!O+TD4G1Q z?Mz#WpjXZgpI>&+t2^1AtzKmKqb2(w&VR#vWV>07yt^SW=|4jD6}Q~DI%lP&S~m{A ztOK&7qb8-Y_md%E_cch+#E3 z%CTuxt79b#`2zXRpE=N00Lp!_cSX~~i6!_mOkKH6kjxJ8ESp4X>f>T9!2UlX#6OrbiQ;95 zC1W0-O7q;TR+e__*&DKj(Quhx6BD;fN+UieFck)1xRIj`=y$D5Hn~D;Es)FCouehO}rH=w5aODl@`qC;S94kY4fY z?Li}ON0sq)`eB@f!!FPFoT{F`ar~2oa64@vvq2&-94UTCwUJl@WsOe$0q9i+~!4`TC{B2H4G%&oH)!T z(EEz^qr^s&2UbtJ-5x$#%q+zvB{zIx`z=UFd~_BI+kfFS?dK?Hlc$tvUR2&ipckgK zKXsz}5H0V>gRwRFr1$n+r)LO~Dy_Qob$&j8F6$Wya>tB4t_9ba`d+$OFJE9?3RiJv zI*i=>aK1e^6N3?7c0TRLmwl_y5j5xT%+!mvdi(+iEy+!@U@@FL?;HgQgN!b0f%(~A zCHAHYsa;?}4h7}R!Y>k5yb_+ubshI(?O?3_;s+K&DL27>o!}=p*>hpp0sQ>vsE!fJ zvSGhgVE|x#818=4>VL8VBx!y}I^9}DKDsu!Iq8ee2pdGV!0WEO1>M{V0_2>0raQ4#lM(4*yC^EiCtBkGLU*)XIPS9_ujy0 zlMpra@^0TD58UImKM62DCYi^k?CyN>0|}3{{Mb>)mkR|s3xjNZYyrR;Xlh}Lm<%*$ zh5vulT)I+8c(gezBB z_oSiKp+7&_$8g5wq)N+rbS|;gEkN) z!^ms-7X#|`Jjo_qY8yQ}hW5O1_OnWzNugjJXX&0IQzX%w2sksP6s>S z{7N%*)5c_gFdD~O`P*HmH<)d!jB!B^{93!7?Tch#AW{F-q>@N|b*d-$qp^~s$j!#e z))FOqNuNr=uOFv@r*k-QJB}6g=3!xMn9I0V`Yvll2G z1ejb-d5Di$>Y3uLJ5Top0{mTu-bCnj-G7a$RI!LCAVYx#8=q;mwj&XgLYka?Zu z{5M4WNP5$ohtO9;5wJ3cJZiz|GQf2Nyu|%k8+_o|f=Q%;Qw^*ezwZD>qWvI!ivkz> zZ{)v5iin5ws%E&6fwSOYCco2N7>4N7tHQ9^n~)2)E=~odU>HzTAlMSaFD^Cdq^i9a z?&3*>c47}jU)Jg7SVeKCdq&s*mCfvf%Z(j95Ql){F;1vym&qP;AmRL`55p{FeA=6pH(U5pQlfs%h_ z)==!v@G#{f1OXT?^EBbln z6GE4RzZpV90lme#M$ecYMOl@)48-(<9#u*icHE9#Qh}nG+$L)Zz1d@A_6W*bJ(_=Y zcJBA{93@m+dyL%l9!C(6!##=(#F*|DG6hAk{kMTa!6&}mXA?chCaqZ~=Q3|!1~SM; zYrJ>IQS5W~PgJiTTQv9FXNo1;3*)qo+asm#j;Nhi(uDZF)!7TZ(kgT`c6OXX#t&W( z_0I!?qwWGJB}!njmCfE`_v$dR4}TUXJ{x>v5t%B6uzA(AxfNmeUK+=GuVLFZi9;wby(tEb<|KTv z3KA&DQxTE&aaGtj8X9A`-0cPF#FK01Y2*Hy(UzA!N4lxU8c z;@KOz&4dp+f0Mtf{Uwmb$oyE0X9IQ#6#bA?44&ob0G;5QTh8H|J|4(;X#;++PgHAy zSP>a1h1b#T>z~9dEosHF#9?--HIb&zfV_T}$dtNKiUfpIK=Q}}$VKjXKLeHLwev7; z#&MDWHo*5ztg$&t%`wN}a}st3Tyvi4CM$5(Sf`}qPG#V$`T4aWb3jp}=S!3MeDye5 zAE<@L;=N1V?TzTjEKiy$Tn2h`wLE2DFq=L&rxFj1u@4xh-dbkm`@&%0Y6Z#L?#CX` z0q;fqmb7hhK7x##c}=r=T`fl`R6^MZh{S8Va=sueA4gg>0B6HCr#c`ay}uDDHPYCN zN4b_E)&gbr0+BFe%A%S z3D95Dp%?eQ#}!(9FauKFF(AG|bm{^z5*$$yEaPz}Z1l8&9PG4}9c<$>+3fGbbc{Nz z!ObY3rN=GBqTBix&>ap2#yc{Ip|ACp8;@~@Yb;5$g>0=%8J7zz3L5isa+0>{r5tFp z@m-J0daLn9A>ohba163i@GSwn#`gqfFl`0C7JeB(S9qMQ8(hiW>r;uoSY!hf)6hU9 zVL2?9yr16hCg-hUx7*jDT3wUL)O>2ld#^`x;Pgo0)2bGF=;09+e8_)| zXwsJG=wx}_)O>%Nngj469>ZjLd9dCJdjwR!mWKu3ssiyUyz8xGfmwi@9%W_&zp$=5 zTKjS}`ulZ$^`f-Me~oJY8$0!SRDkKe-3>bp`Ybo>{I*YomaIg*Qk?E9*qz26-DMM} zznu&?C5p>t_3_Q7x@`i94HFywj^zGSH9@V`Z#yB5U~VIsVYgPRvpj_TDTgKm4 zUSYq1@@|a6esihxPkLHYM<&%Ay~1v&s-HipV}REKZ<`Eh0Q6t$`&Pg6i+L)1x_g#3 z-K|)*;=>;R@;3qRTr@t|9+moL^xcd<0}{xGyLURX>}lliLx(^S9+@wxQl?0X1J?c| zX1N`X`lfdw4c=AwY(f0}8eCKZ%MNT}Ny;ioUo<$b+`gBV#y-qcvp&dUdXwDlEwsr% zQ}6%G(R;o~$bNNI1Z|vED@yUz=GDL&9h0Gb3Iv)YAGC`AWPgit>cM6GyW{ql;Eb11 zs8@`qIu=+#fgJ(p4;u>rs3$~k)3Oo+Jqb_9u{?5c7HS15Z%Y(DDrNnscF9XZ+vito>yn9>z(;C5c?b}h9J&e4yj zEbi}I8{HnO7J^u`^g0pP?Q#j-edY=Dg2DM>Puf0k6I#HMjLJ&evvu`nVZxHD=y%7U zH*Y`6aL-d01_1`kMgIsc%N_4-j@GSK^>U{3!_u$zG5%S1NVJV`Io4? zwYkXyypszbgGEePEjBB*dhOE2HyiC%O=P?4nmMcoeyfv}uD+JB53~OE$4hy>p8wu6 z8V$vQ*XE^~lN7n&*yK5dU=#{7nRx#Uw+I@Pk(RI^~LbpxP3UV$ZYoUkKpf~-3~IMaE5yt*|gYL zF0)@AvI`1~0)cOR$jO656FKp<*U$rRx+lx}{K{SPqJkkA9*Cg%sI`Nk06<+eY^ChS zW0)`3bta9^n`F`fQU2WY;YnDbvKmoFYU)1UPg6qP44LwHYM^;(O^*7Hh#F}+fB|YK zcm$=ue0W($Mr+=<3|!5pC9T@IpI^m3kL`F?d_43$<{crgIF=sa(r-tun2En@y`Ca} zmCwV_r_E=0cAEwFIYF{#io%a2>uYpw)L2i#?n4tl&?hl9dY6xC7OCAzkX$a-@BXMN z52tJK{c*KxZs>DhR(yM${pvQ*-sV|u_Xm&@-cAtJDNQ zHZ78E9||CV#5>4XAQ=s%OM#O+mN=TPv6dCf6De1oe~}Yk(YJCH2KW+eMa`=@{pcLe`LSX^L*MUr1U9X?KX5AN9zZ zl1Rie8S}8+AEOzs@bjGyEcEwhR@eE`g+;)1dIr7WyBR(0>xB@Y4G-Wcgf6Bg{|c8$ zu#U45o+I2NW$T>wL4do(K2B%Q$GHOKFQx0t&a?y{7Ap6(iGE`9(&T+*o8@u%PZyW| zyG=|bc5pib9&hV9b-fmxZ{Hmi=_`bhn55-0{n(dONckA6hi07Va2!%d9zr4q!FM`>7$1m+kvP#YCii>k;BjoLGarT&?I8y+@P*>Y35Mm zzbbqnW5R-|C;k|#H6LL-kC`4DHdA~@A{fjpCLl?PZCZQ}RE)13=30d+lycANiC<5y z1)0A!bH|nPe5R~TWyRXPd3%G!IB{ZI4>@orG49lKtPuVo7#R{s*?PUMeBr)VxINtY zY;y=%4%h3e4D7tjChwSN>Oz=!d_<{U&FKJ$1moGVW*GM&yx|Ja$V5zl`-)3xoHc_8 zYJ3IYw9#KG;{!h8lkR%Mut+^KwiqeVg&H%H$du@{mbplGf-qZ@N7K9dEz9D8Ej<>c z=G#+9WqOliVt%IgFz&Z|IbrK{m#=P+N7sdie}HyH zAFl*Zwy6|Ycx6r*c(@!TO}KebiB1NJvicU|eMdRPJ2pUvB<9v^^RgO~=;Kf{5m|)a zJV+wb-|RLCsXt+dH~=;gKhE2km?)8V`ej2uUwFdgI!?LhpAm)i^Cdh z*VuVYR@`9sA32F%>ao!oRB)WNaRBo`Oi8I*a+8gH5|Xr<8XIfq$Hv|PHO-?w@RqRw zM!jM>0B`yW4{Z@z!qYHFZZMS96M2Gz(hKYw;<7EN`L0-icxBuR9=qlvOEf{jCWuk$mqo%-?DJz%crZ`R z;x_5zkUpAuby>c<)GJeUuLb2i592~YUlp_CfF!jhl^L$0t^=#9YMTn@h_>mIZITD* zurCobR3psfVC14rK;dbha=95@VceHKT>kg>1J$VQMr8|;AU({7#Y#OZrB5ZgZN4TG zzE3c*ZwYN>9)Kz*dQLT65A}MS@?G}lbbQn=ofgHJCJy@zo?g6BKz$i*wc?sU|Fqj7 z$%PQde&+P11u<0^cFC|7km!O&6$aD-7jpdR(kfUeJLm|d763MbL9C5h^$&$u=Y^Uv z)t+B$lPS%*08cP>_OiW*zGTVlstXUcUHRGs$JQ@I6Ig^c2OYJwwCbQ2s#pUQDaZD| zX+>2FzKk1HGApHu_Bk9j5C?lI&CPzGJx{oH*7pT+6Pybm?~RS?F1rWQ$E0QS$kxT0 z0a!ltX5MKa>Y)<{DVHg1lA;T!*KhZWZs=JvT)pmZ`h3=xviE#sOz38inBtxY0H#;c zLSO~#U4T&hm#--KE=e;ai9wiwl~|!C;*)^_8`Wz{!Zoi+qQ(=e1}{`2exc`ApjGzK z%ui!0+}Hdf=TbKVgAQ> zuWcLR*N@#!4#Y)71yC8Y$iq_R`l*DJWwRwD^cQtpLA@f`gTNxNUqx)^3rS08pH6-P z*9QxKu5ka5QdL?1tmJUMP0usQbTHy0!ln&n8S}Fd5?x>qV0?J-L^8%9Z8-YTyr^*L z1=HJ7my!8d``NN_W`;m`2O4jN=Ym2Kn~wVvXq3o(_%4#7^AOovt^3k;jQ4OZOu@+5 zD!9OCG4upTDGHrA9v(bEuxf(?M@ZG9n8--&Ep(MT4*g|rPcOwj$A?DAz*v-#v-zX( z2PM;PY78_#y?RY-&hwcGq*|VxIp6qtx+@@w_O6MoIDDmjO_rZM@UV8n)X`a0>mcrV z2YeOaSIR{$^o1(y=Sju|@LU>h?s4GkltAX*LQKaVqLrbnxJx!RDu6m~eH@nC5JNm? z4G2Xyo)5t0=J)S8*o&Q^z9A_AYr-hIp8%pJX>ajCn$tIOTjZgEYqd#m$&UcCVtNP7 zbwj#Ou{@b&?`5k2H@ie%7L^J;B^=^SZ^2J(QUBcDaau`qtr&5z{O*wL+N-9N&<1vh z@+NZTQ~xX9Bm=Sw0pw?j-rZ+N=aQ|zK#l7Eh+h4_z7}1h2Ie6Ca+m;^J|-LCcI--|$$I;@jZ7baY$1eRbN7_6xzLA&vvWS6nMs2=XEf&S?Ls;C3hD0t@RsM!$#!nX+YBxRX&hAPpP)PpAy15Kj-7V<)xL<V97 zkMmxzdEnHyiV~52QztZj&?JOUt&8k8naB$9e&y+$($$iw&Z98Wa6?l_YG7~C#VsVy zrH?_AHndVP_}*;du@g&93%)fu_V!k=5Cu$!Fv3j4A6oVpc!` zwuT)LBb*P?)!LOu8oXKR;lnb5EK199Dnf4am!^*af@k0(qqz#a9LHUbA}y>B!nZq~4$oac%%{55Nfg-Q25gwV z^WG20fHXIA^3nIakya7iAX=9n6=+s=(*KyPIxV8?A4>>v$!?+FOLmCII^9B<8!JLN zb--U+)Ovpw;zgW)#+WIq{Y z&0Azm^;Zvq((R3;Zf71?G2mlHS+z`Oygy)B$au616*doBcDp>snQ$Vhu=RvT@a${X z)?$zYts@>gX!|_KdoID<(%10EkGuh#sPw}*!zkyH^Sr0sivkr)7pFru=;~y(a2)?O z`^`ZPqyE^KxbHlsPVd}IgG2mX1ca7hiEIQ3z$%sx5R&q0=BrKKc)!p1S70sYK_(~c ztIN%9uBE;hrRS~7A{~8Jug*+fC{A@f*-))(2~zAY4Xb7jXI5v^#l*BkU|-|kG!a)k zlQ}rp$bYxHJM<*<-+uqeW#t(_VGUt^1fVP81GST%kDg5w@m2I+0~a0-ebLbgv3RR@ix#f1S#anJ4?$%&5AEXrFt&=*l305{fBpJ0Kw(3n>{ z09e-4fo)Sx9r2rn%>;ob-IBqxxK~JkXc23Y`Qi?0*BJZw&=2Pp<6RUp( z(45i#qa_G*VE($;fNPFf(W)%xV}e8Lj`|9f^If*g7H34b*AC&X#-`)h@z@Zs0yhCm zl;?}BI@Tiwj=W{45K?wD>?k27cgQV4xz*mFJzG1KGto6~(%0P?VJmso8u;P3W&D0a z&hdM{mHs^otidy^(0#VmKm5V;^zQP+(EhmHYkI>lH1U_*yE{og4Uyj3siB5E;0B1O z2=2{`VmAX$bRX|cg@lw*FrPNo2d;&KKw3|x|E-I!pB#?iBW%RZ>kv|@j&Cf%b=HiT z9voB~&UuQNnRc-NZ-+@^-Mh`_NJUM%xHt#uiOl!|dR_e_AFy7JdWUVoASV&lQPZmw zK$9u~C^J*6x*Q72H23Zv1Qy#4ZPnFrGb`YH=TeFLtYLVx33ZPo2Z7lR zgda)XsT5s5u!c&VP}z-#?!Zs1S>@r5(QF29{-Z9Qt<-Mgl^tCBN|oebVCQfvH!m-g zS$w|AIBbqed!vt)hDHjYot4o_7_NVy)e`St17UPkl?zpVC$|9*o}X*7>B2vnPsxP1 z>$hNR!pV;ofNGzF0@W;X3BZp_D(MZM&JQjy)3)pT9j~hO%Ji<2!~j${PCn~Q2HUlB zUE}#B>~Z3Ew0)-y-k(cv6;z5EBNqCFY~D5cy~C8v zP@|)4rhty#F8X$jMxyXUyZ%=IE314|DAH_k*C7~|cSrFLa+s|@4mn0T{BKf};r`Q` z?IV8%k98gi<3*53hWG!l0Jfa+f~Azb1ZxsZFB3L7$N&7U8UhHH4><*e#t|$>SC*C@$qgHLIg8p>uC4(Jv86h73vr9DW9c&!3B$ zPkNh95p}u@`^NYp3#yFA_ud!NqLq(0fW++qU;};zNNQ%uymo$oTtdWmfBo(;(Kf}c z6HYj-QpU!)A(X^|dRF_2yw5<9l>}%{8S|BTp^RkZhty!OG^6F#?lfk&kHUrZtI@VR~$fz@dtT^9lW=n%z4Qey^FQwywL+lzYPv@ z1iV=WRF#T)U^Y7LkfBtaTw+vi@ppl7d~Arw-pE$~oV2UKfgdo$Gc zp!WdC`UtDLZwF`f>T;31A81>m6ZzOFWidaDu6X)Le=U7M>g_uwfR2XU5~!0y%>e1Z z<^Eox_R<}5U!|ELw8baON82*XUP`J$OSEvp{Rp4p{jUJfYUcGLFWtAm2<@<*- z!J!O309yOk<_AyHQ1jW|P4?qoxAQt-PrbKh4KkJ8bbwq~$3f83g8kMVq;D&1u3UdP z=mg$208#67Ma}u|ncz5QwIX>JJgeLyyH5soZ??RY7MuAv!{RcC{ugUs9uIZDzMr)y zZITCBN>PX>Yj!FrYbndv_kCZplS)O1EMre1jCJhW&_b56Z-YVE4Kp#!V9fZvopYY& ze81=X&a<8GKVHpltN zkiX@Ac9=uNKJSrVKjJWjEq9VtwKqd{0*x+c5NSDaDe#~Hkzs>Yrqz0IPc%~&*OJGHj~Umf(%joJ_CUC)cm`Gg&onp8 zbYYZ8^Fx5C@&J+IWER0B=-R-HUWVJW(ru#4=jRrXAkQp7KbsX62>g{+?AGt~nAZX`eTTL+qn=HSkSKOe`;fs<1*AX7LEq_2JRd z@rJ0W?k^!gQlV;e%AD@7#DV-Il!FTZJ0h4AJwFl4Dg8~UTMf51yk5)OYGsnP8m`RX z17_RSd*VDis;DVi!Q`#v1^7$!UBx2nDd)uxTXiVeM?jG4s9)F{`Ivn;3AYGXBYSp% zTB_gSjf*W7k|VC;_s2JDb?Qw5BAu&48c=1{&+L=Tn%?Tcdzx~SeBMct0_*5Edq^(M z)lO<^V?v2mD=8sOu7Rzz``Gac!{eNHBwQFq+-`b>P`=uw@9i}OeTqk9kR8SryuFy= zYfh|p$D5;xX2>IQ%kR25zHP4>9OoB*ULA-Fq`vL3@6y-e;@7_hm85Vk5-$-O-7%3T zu*uViN06T7Zzvf@lwW$haGsT8!9Z z*6j&Anss2@Wf#V(?Px3J=PO1GD#m;%F48C2ihB|v71l56ej085c{HQ$Gd3S%2Ijux zJH)7uJh_t1+Nw#yU6v*fM9*k6{am3O)!ib%sV6el^{QpsOo7{xZo*X9M$p>$vT3u9 z&vHQPs|5>OjA>Bi7skS&mKj)Qi3?_~JvKAJl*}c?>bF8C^Q!nL$JQye{-et6jqVAP zd$oy7mELWE7Mz$I#o+YS_m0jq{i(t#Xb=h<{rE) zJ4SjPU-_V|$)iSoc?Y(bX=+>;-tQY%*)ZGByDUn1)pFD}KS=VHVa8NDgVN~HbXh_p zN^W(2YYXm!r0$P0!q*=oIY%DjO!4U7)Rix?<=B>W9y8+eDhYm_N>2}_{AQ`riXkNW zW3>`IJP+YoDAq5S8@rI3iW5supX~k+8O$SVE0DU0IWBAO+Gl}Y!y7PwJORlqV2LY; zHMaqwK}o}p+b?du+6CI`j#X$~VgFp`Fi6ioSZX^sq@*Hy-7tBOr*LTK41WqrF$L+g zY8C>$9N_WpEK|MvVYowD$P~V}BnNVDlJ%&gqF?{0%5*b%QggvlZNJ3~8Nc%_^4+}I ze&=@JyDa=Jp=ruaI`D=_*(QSL{^GLATi^BG7>61X{hf1g1rb}@hH}!a?+}r%mFi_- z3`Dv((4MboknII%@H1c|P$*W+nz8c9MEuCt<3XeN2fardY9mx9*=D}a&aMfMJne)+ z15+iDjZ0oV=cc0^B%IcP9@(;W-N_(a^13e?gsF}{+G#?Tv6Wn7rd zmLj}-^@>TRkbbY&q(O2iDDYWGHLA=ag5_k&I!bRpX=mTG%wdo(tHsPjFErGCTzvM~ z6@ng^?8+|eg zoFx`Xv@8wvktV}RHb`H?BE73(&*=5+7pC_N*v0MbCDjp!?aiMlJWi|u;#He)3q2K@ z%F$vYCv>#PY}MPW0_~~_#)ha6+hLw7rQbth6{mWOWu~4mOm|&M-t-+QE#2u7L0sT@ zm)(R#rir=nSk!2y{K&vV^cDGiaUu2oWB9GD3Wveli*EIyeYzJFSy7l{M2OpvJ5ao{ zt*Z@bhAYmZIJXuQvADAtvVK)|(CmwLA4_%MwhN@9sme=5Ig7^ErFdU_w%dVK3r_mi zD^|_Qrl^)(3n7nn?gnh%D?@3Kh`31+DS4?L=*YCf>a=3zHB`NFX6TGt2*s2#xRej$ zcxm$8TBYP+agz2~>tM}!y&1P<&&0W*F08julYl8+zlW^r3o~08mS3%A+YdH#G?b!o z?q9PMdqxrV>69LYs@6uhYE4~q@-2;jrpuu|EZRR%rp60N_-Sunrg6ke&G_(@`$Ds} zk^9b2-arCweI>~Tn2*oXEa0ZI&h{luFiG!ZzQH3DrAZSO6H81v3VT0jFvOR#8VMm> zii_#^?oU`NMT{Nae%e=+6~BZ#dp+3*jwL^YDtGYYlr^4+qC{uE0)%I<&O{Z&a&xV1 z<^0Y*zjx`HM~x42?R2hcEFAfK7u79Ut^YRb>K3l~Z0R)Hg&kQmv-Yvgo#yva$A%*H zJ@(sj@Vr|!O(qS5o)z(;(y1|RZc`PvAwOIb4Ylpos=q~xpUJ*f@UHRvU@mTlf`F@h zcMEhSYbBdCx9{?ZhW}QSIEW$qPnG%;ECuoAyjzMd(KbNHgNk*ue$mN9WMTN25b%E! zXEWVfoEQvf{r>$+l%^z412SY}YlX8mS=c1iMUp3wE%THTk5l+vE3?o#pc8<_27uS$>2#JBv1V4rGCaI zQ{@)Wj)im1XuhSu$%%~}d^1&G>#h^&aD;F?ZaTQnx_(P$Dw1%RK0J7P~tY!TW%+$EP`f9SSAHHs;je}&Utmq_1TBfY1 ztm+$kyl|dwzM35?TdOZJ)`%&Ypne?TbH3?1KH|h}gVrWCwoq#N3U=|R@1SJ*UdPpd zXjZjvV?sXs&h2eZ^e}tKrgpESDV-d&PxdnkR});jy9gOARt^IaTU89~HFn(@n2dsf z%+g+7)#C}*tQ5*bw=V^R#H31z{JexzTxyp$E!$0%n8JOsY7Y^>HIwod>wScfzB%Eb z`>!zMwNzUht;Cg4XRf?Zw}zdpuyL~6coZR+L3i^*ty{|M@e&`A@elWz?FPDTMYs*~ zqPJu!S^IiFWkDd3;&E-l6x69Ay;qX(&2)o0&pI@cal8;)DPmIp*}>25=+=q7VJ+U< zjZSnI6zxQLWsdIX4irau0v#KHn~}%Y)0nRpP+_nwr`O&pC&=7(Wi^RKB=5^?HO&E` z#-0swOOwX+Qtm*1q`Q5xIgX96XWlCG?4~(q@Cr#(CQFbSb)7)mVs$X%*>tt=@+CMWuQYY*7n-7AS_^0P+ z3&~ry7OBe*_De{iuEbrT0+h2p%;40?+_w|&yZA3&wD$L^fK^XB1w*!oS*$&j?buTV z%K(};#I1Kl7mtScSIv8)v9pUM4Wle-4NaW86K^uL+21h3mfRk!lqi3Pun+^_E37?o zP5nxG6CbRE4J%t1xz;dv2v3m@I+(b2prMZE`d+mL3D)agUerUEP{?jc9<$AaJyR>U znyGZVwrIp0Qp&76E!~buXBVIeG^T^&$`L(TL7v$=$DBoG_NAoRV)cN^o$83&pO;Pde7C;Lc|!jc9gl@jvwsZAV`k&M#?MDOyDa5O(py~_xFXr zkw}$+b#LSuHj1~5Mqw}Bp^?g%RO#)e$Q}u)-T@&51>t}0?ulbuF+)Vp(pPHQCn%(3 z{m^|$Cf|_x5lK;(Nmn2WfV+Zq?U+z(M9_fTrsgzCMLlW90{gB!}gasAHCK2rWYF( zC3cAYWCmJgxbEsOK!@QkfkQ`HRK8bWaBEwyHs6ke(PRJlNJ62+iXrq_gPO(~Uxn46 z8blPs+J9)mUA;f&%f+6~rTYkf{uctKIy&*iM;r8!$u8}$r7zao1}BhfgXVwgKPtyu z4NKA#Tr<#b-TWiFa!pjc;CgP*UNOnHZNbB3%)TK8>pK*G;N+ z>1|XKuAjAmLjwKW5^J!lwkyCbH-1}d(Fl@I^K}EN*fE8kxG}!jDY0^woP^FbTziD7 zb9h>{+B<^bzm{v`1%FT~CeR_PJt|gYfSAut_qj=coUVe~!Um50G+d-#L!A}_J-U&n zNfNVHN)pD8S!s6w0#Lp#X5oAktffF!(}ZR~yvXG#Ba6nusKa2Mt-o{kjgrtp{n%@4 z23t2I$wDAo)Dj$=k@2EA-Sk0H0=&?ADt+rx(IwP;63ECdS~08@triFL2pf( z+0v1p845RV>l`2(!S&MtP6#>q9`>Ng=B7ltp3XiPDsqeTb!E7yn-ospk`;X^znveE z;l@9E?dzJ$h!qTqo2YbfYCeja4sBsHG!ghl3n=&d@3ap!H$TJGEfOZDo`$Uh-z7&% z%t~Ohg7{a%P~N`PPp#A?H1sc&A}Gz-p}kvgCvsV*FuwN~^TL7~x5#FpMFZ1$o9SKJ z?Z$4M{e`+5{k^I6P3*bNj>Br0@(W!Y9&?Mld5FV~N@|07$Zk9L;8#v@RrD*aQ|Ufs zRakv*Z;Ae6aR-#uEH=uvm0BOig*m&($BiyK%kZF6n3}AB5x2YjRqX047^xFY4Em3^ zG9DHAL`aiOGm|eNLPUDiBN8l3zNjZ9$slF!YM>W%3N`%kB=wJNET?ijThg$V+?DY*9ZLA-V4+Ip>R zWC4A?Ienb001Iv3lzMyml3FV6BajtScso7#Nj_;8svoL7fZOzCQw+)3;(Xf(4O%Hs z-XKm7u0iSuup}VrA_*ReUjtxBvXAVu-d^#Ok+%cfFIO9d61V28C8qk#+sfFq!g=;* z5@lS;pdoA?64*Zq4+$}Z+rHX4wxpm}SI2}c#}7{XqD%HRx+dls9UK+wLe$S5oGd%hBQ`21swDS zajzvr$yvd56`kPntEfpUslf523yj4l3t}wp(VjeFG6Q&YV&O!>X>4{-!z(-5lV9bj zO2gv7yr^VuOT*-Z!0p?=oEPIWr3^Kn`89RXkie7%o0wyn8xQZu5_VN^cOnFsG^dT4 zm-!n8eV|BN)1@nki@C{jFBFhBC0zQ$ZHy$44=r*r! z%zYf0yl3C4y1ep1?zIL2^YKijdk)F0wWEDzL?JJG_+9B~4(gJG1xY<`z z)h=lr0%^11KOG9EzMLKIt#2|c)gCBm-*;01%Hk!*L&FoM)O@Dz7(!%E!JsgyKp-;q z+;M*ngqe(1=NS>+34#lg;F7+6ZfhDAXajTC@)xjLhARY@#8)}#cQyL&(_TKXd7@_u z7;wl^Actz9OMW!GxY~+;ae5|j^+mj0({JCdBWI3LQHLIF^RO2A$MWJiL96F-oktr{ zC9OZ23*}LJbNL(0>f6U1tqewL*YJ_ziI=8JsR=s8h5=e!48vIuS!x3{zZ z6;OaP90Z;|$TqBU1SO|)j9;^IMD#HSX|4}pC;FO5%RO9zyZG7J)YqQWc{M7xwA0!Qv;qW4zcHCyuY5l&c_|}bIwWiGK?!#)BWgRJOf#4 z>Rmf(;T!hdR%NBQ|I*t)`B24Kx3`G1gZ@`rh+~as?Sg;rNehKv=h zGHZEszfOZUu7TRa!^4*D?%libsi~t^<+ECr_R@2P{sl?peoYRbL{0 zW@DqGjZw|^AbHKLs4D&(brCl%;5I$H_ULSWX;uqRDdjuBZ5>RioeL(tde=haQ*QCx z%m!I}4qJ|wj=0l8raT)}u{2wx&8f>UYGCH)QK9kFDSO)gIG5Z>?02Eamb-%4sBuq2 z@k3_&N%v1G@!ZP>-D{l!o%t5Fc2o|P|K#fT>-|eH2ZeK-6&1P3>TBF+uEnR@Iytu( zveq~8(-bmkK9akw>%)EC;@*fUDdemlGq)t)Z*QJ|`(LdK;cAHj4B-g=ekwtswA3tW zb%s4AIn2i3I>V%l;cpxvJNw9iH<9B=Gz)UC!5@DcI0XeNqa+A4zp-KedOU3^roC4i z={I?QXEB21LQN;$fCE$Q-Ltf=^hLk!yT2al-(v)iHr>mG<#7YH-#z#*yXEgJqeqM< zw=o?ze*a|u*zx=Ym1f+g0^pMWe(JwOmEX9!fB%Ra-I2X5>$j)=$c_K~uMBTwdEPlO zTz+tNJf44hQOa_2FW%MEd^Oq9F0B)SI*xX(zVu_p;ox9NegyXa;wb;TEj(EaC%4mjj~_{k_&u!Ycb@y-qwc-y;Qn4sZ_jA@Ba82!=kcF@ z`)WrGwtYCw$A#aF>VN3m4i?-Qt%Gp3=wVlS>Nm5cKf0zipohW{JF8)3(tr3Ae)B?} zJ^%sbqyHqz>3=W2aB87G+<-mw=L=JEQe`}~cdevcg3eJ@>7dvnr77FfLbU%Ye)YS;S|ZZ8C>$X$A5xOrg%SmfIFr$PSZ zQJ7K#-<}WR&SQPuyE}_n^B@duuAJ4ID6{y~O;j|g1#agSuU>N;W#W{1_>xt`^;z?J z8^@*d=Ucrb;H>XES6&^?y`Q0Tn)Shrl2wRGGv!J@T;$cie8(U9GcJ^tF=(dL^du(- zhajjg{e;K$D8TUbj-#VvAMgD-PaB8H+VaIcMizk-U!*XAkc3e{ZMsiL9ZS{u<_a(P zha`}>$ROFbWdjM$cBzd2*tE|W|1ISMGn9j?Gk^hMvoUv<&d&}7XBNKK*HiPjT9JQ` z)`EudNlX7bRrqAA@=d7@DL1>IQZmt`>c}2aCkpz9F5rJ}*>fktsX4ZbAU?C-zh9J* zkr8r0o;;`4zb=ujPxC_J`DoD_5i?WA;lfM18p?lPs^K36-BC8dxwc3HnxFlIr6`vh z?QTr1`YX#$GmcZ{kdPKb#)cL}^#?XaA1w+XO|@^Xn7n}@o|2!K@BjJtRf{paFULsx zrAf!+*9x01HBiEea(w)Nf+i5KXu%gRUc@IQ@kJiz6m4w+m60gq$y#?4`*u-y6ChMD z8ax0-lbT7>VQk|6cwv>^GJnu3PKEaZKT7wNhbO->g+KOfW~n51yt3*^dCig{=U?&W z^8FhiePcz1;~!O)hD=>0qVIiz`6x~QR6$uNS1kGquk6etI!5amH{ezubS^$2!3Mv8 zY-c$JYi-{B(fK`a`-cUj-16xGPpt4^f#ry9m7{KNiy5(c$w1Z*dj_2e>^4Zwyv+Z2 zy!XoJfKld!`}e;fwN~sNgCR-QRZd%+)(54(KZ5kWgowmQ;3?x&`gBrC(JyGfh_pwDc;^;=5! zKLW;^7j>uv^TYlel`lPKRmUnH;tkSN_K(Jp8bPm)egO>+$y82JVwO z?{42FsO0w-u1-SD6$EQ1Rs(=9%6pynowhn|TAn{Ay#U~jE5MvPn{FdxcUnUkoJ&?QA-vz#WbA4|k zMhq}EQ;l^C(hW8~Av+uM?~Q7(1I@vz(qKyxGHtwL+q2iTs(!gkwO(6`m~YcHGEi>C zZ&f4}cz>|Y%g&}jk$ub%_z`;zLf0m0plINhSi8C8k>tJ9clY$^(?ZFJt65Jo8_q4` zk)|E%T-;>2bIb|;u7D6Y%q1{`Lg29I2AJ1n-k+}35cth`wUi>Je*O?lBIuNw%HvIL z^d^9#8ZCAh|83v63Z8ZP(#atSnIn z*^3BTi<(AbhN3zpl(xUV=Ed5s{IcX)=%xakYKIDSC%i-?TJQ!JKbo<-k1MI&P#rHEIQGaTa z;q-7!Q-FyxT{UN7uL5bzFyzf*MO}Z&AlU&>c=r|+MWn++36iEEbty_spg)lG?bCF1 z8ck+<^iDU!O3?Qgswy@4pc$#<{$9AR2DhbmZ^5#TI7LO(rMeq5nEk^&CYJtk$lf~Z zh%c+e#CE^xJD3;wQ`p+@4q)Rs(`AoJ;Kh&NLBl3V+RGNYd&)zVjpz)Nyv>d-4u{M6q z4K3e5UJkhC=X#jD(xX?B{@OMTdX@ZDxGcLtbfP%wt3)G)hMA$bV;AIEQuhD%j%R{UJ5J^Ta3S?-ofE^EP;v! z%fP-_bX2!MM{6|`cA7L;g(*ntkfl;a z5PVmV7UFTl*2COYX+fD1X?YnPx_01xMgaL4&h!>Fzr_Wl5tv=@t54IAPq9%_)xTMW zzsldP8lee1;Jar!4%qG1GCsv44<*V*kM9oCGd-$_2=S4LC%v1^SjuTPh_C{Y0ON1G zwl)|&nR-pCAqVP%Rz_ecsYntqQ>->^XF(&iK%$4uR7PkWE*bzL6@uFou>`hBG*&ls zF~g7gamZQ-U^XNj=6ckU*^Rejs^*e#d;^xnbeDKGN^nUko0e-w0#O)cONZ81bQ5vL9p zhasW^OMp%UYX$I}IrMIMFrU5>#e`M*+V(0f#kL96(V5s)+|HPwqBCJs<;Z*G3TgFA zw-*?$EarjhyT;oCSwej3?nFt3S&siRw zgW|8AZeIkw&6kbA8caY!9)JO5ln>06N078!Ng%JFHQ9Q8 ziuYDT>6+&!CaJOE*?;KdW{UzNs zJ$iDR<8iHR7Z9XRS}tfky4yEn)^L%ZALIz(t+Iq5Kppv8kj?(Vum_9+dbE;7%%*4+ z9V6&5z)mr+orN|(+@AdoM)-h!MybrEpnLr@`VF9B{T$FFZ=-EUwQW@F-0r3E3=L$|Q;A3HY|kcw ztej*$m?7zsns{}WYk9aR8Bz#h8Q*hV_|FG!NzB$8a~&17NOnKCk64(l-l6?zzMr;1 zR2IX7CLce$QiEMDS5`BYAy~VCOqd96KB1W*GaSJElSRFXiV9@WRTV1jl^0lUTN{?3(>{F2%n!^(NU&LwBSO%@d0ONwu>uG`Im-6!+Azj4 zA0k${dzd^fCIQc*$2dw_`uT5k*kv4A02wu;wUsCff=~!nsV`uQz1B_z#`S_+_w89) z@oL%^q~!a2?rPCTri;v*MPjF!0dpsiBV)~V=)>y=HG-hcP+62S3rwC&v_MR;0-E5y z!z&5cp(cTEnQpJ;6lU8)tq3MH+F~Y(>z@(xAYn{~_sEQ*teNb&6!u)~WDG7%k{KkY zUf9>b73^wUncBb@or^EJd++VdNcv5nc~jfbTqL$B3ubHMkd^KXv#WP-Nv>!yB(BX2>i zwXm@ZweHJ43}>QrJC3akTjc`#=$u|(P{+h}*QZXA^h*#1UrE(sY9 zeku{6n4tovR7*?8T03X}z{t|8I}$=!kmpv-K)vXbD(>Z~cPSlzRSIOz&rYz#dt@$2 z*3~!xKF(wM7!ocmu+H67kusa{d>M3opWEVx2LSIsfl7*>Dm^t^UyP2#%EUO@-2?_L zBtULaiktpoX9$)d(kFs`zrxdIAuuiUtRJw0y*#oDSiJAFsccrq z$_L&@xh4Gw(^6*dmgj$I(+xBJwlAo>Tb~BzjV@+|hn)X3J`_n>>n_W%sHr#~!w*ipIsbd~)ij4kEzFKJO20(A3kpUkWlF{=I?>RUYs zP#3>l`k44j=QPuI@Cv`^T@VIkeP)p8_BwIdS@Q{8 zkz$p;wETjZU#-R!-EF%>eAXIqxC`hBXq+8?dX%*jltCITt{*0rL%Hez<=aa3M-3n= zV}jE!<+3MDX`=Btm2T5hb`mRZMwJouRIM?w zYU;XJU~7+t2NH5(RW`EW7T4822^5H0BgbB3msHbf&kv zPuS#`$WDhff=Cxxk#g~pO$J&rS9woH#WK{e#&tG2HLmPaCxIhKb}jA861CIFHa*_q zUJd7JeirX&sTn33Q!-SP46XBNee92gP;DJNC>ezZ`IKcaO91j*|C#Uxnri8yXYK_4 zqIIp$jdfm&FKyf80qZ?|*h#6FeraX4u&6{7FAjs3Y&pru^)-M`7l#Fq0gV-8+ZrnDYIlHG zc*Nlo0m3davHw!NacmfD(VOv)#XcUnfrkl8-x~_$1S%2DDT4S|<1v*lg^OspmmZ zPJg14EVYcHGv(@lhFQu$FL7Y^Mjz zmqGk;1zwM3?QU^gPn$hn>CJA!;zvIV8UpnT&p`@@f{q;eZmtrMxF+hP_hV+=z4zd? zIjAktTz8Y3Pz!a|9r1d7-|uHt!}va;vtVs<_wlBoWS^b2n(17iOfisqmw8e4Nt1ki zDNyo5yt!(m2e3*zsX&ED_RZyKKwib-8Fq)AYY*~j`;jS^iRu?qb9cG`s3HUmmGH)X zA#Nb?jamwf&e+<1DOeJR*r!Z%R)_3C2k@R|64_Ex>dsrI6+XF*tId?2IPzDvvN>L` zlX*S*d0=257r+FzXZ-GIACI*0_(#fdnTHz4VR#a5DN3DF2pWSPe?L&Yc15cOtca8_ z$^7$aok08iJ1yB!XD4^nwtjzhf6wlYlHS15lB4Ihr^yDbd5YW4 zeq}GfTQX*_^EMcuaXBZhramrQiUV4SBkrOAi(7DO~Au&{1hs5Pq&c3qF?WJPoc@c@pFmf!#7W~^jaF&p8r#^ z=IbgM>U}WM_z0T_?7;i9LH=vk`U?VeKT1zu2o6dWcK{6N z=5Mrt{J`Xlsy8YZK*qKSxY}7)==F8Pc^e9oU1+0mohXkB{@+r8D#m>6AAtl zSi4TdgRTAsKexKI>WOYidviOW-26q+ezYn4AaBv$9h&_B!*PPIaCCByT;=| z^lfWzZ{WXK;^&qH^$DJ@r#UZT=hwLZwmrzzvdnTvXXjgk+bT-#SJKok5&RFd0hDOz zoHVNI?I7M45lfQJs z?4@Lr^G(9_-Tsrl?eYYnUrO*l75I5Rf}T1(mCFbWYR^|}&f4U}CxrYsmzkxjSHe^D z7EpNp)*WW7RodBrw$?ClNGf2P0Bfom-o3Xo)!LwS7|{s=VMY?z)Y=Os62*G1KfpE) zNY` znkRK#-z^Tf`B`OLT?3G(pp)kUlXp5>NTNHj-7SS#0fh(+l?FM(V^>w6q8{9=?+m81 z?acz)tYYOC;L+8JKU!$C(rjZvW$m_x&0(`yn{je!++8Wk@b`TWHgK@XvW_S4lkuSR zzY5@^o{%LEcSOF7*v4Iu(uR6h=YsNWptc-0eGEw`T5C6Q9KL*hxX`*$Si*s%I_-}b zJ%_8^{7b3a`Rb#Gm)CUq>QRP;VV#QsUcc8eh0Ct1S zux!>YRzbaP>nr#Zj3Y2Nndu_?lea+fmJY!xu`-==1zj#NZ9xtxSKt$WChJ#*)XdzO zzA$a%5kcaC5+3D`{xx;d1}1kl^*wri3lR zSoynyNkS^4X<*}%?=o5fLIL75C+C_tGE@H3!DcQ$?HLdx&b;~cHMcYsn*D3gVnz)_ zIT@N&su~+&Cfrn6!}7zZZS2^&?I(Mr>Da)vXM<<4lY0Y6b2p)mh?F5yk$oLdG_{GBg z@wWZ*m7ADR?H)P222|W3-k;MC@CXkONq+Y+Z-GPmz-;K9sN>LOubySU(qz+syFg`F zChJ%ipctGf)u_j&$)UXmH5J%F&pW={s{JL2{-^@y$CT|od~Y!azp;bs#cWInFxs61 zPF6_=vjMpGtj6xj2JMTP7%{OsA_kd!9VAi2;mC5R(BnU_@BiCJ>V)o@(}b!68VCEs z(=gCh9kIs(KUO6}2N&e@TAt{Y)#a zRQVuZSgTAAz`ZKmzNk8}^Y$~P1UOCaac%`?8!gQW)}zZi8Gci7=Wm+&>^f$bhL+)g zjGIPZvG2g4VNhycC!-VjGk>}ax-4;cN zjnf3#kzK@Q3`S7D3C-#<5QDlp*89`uqq)d07?y@z2GTH-fw&CNY7WTKd>D0#cdDvl zK*4gn!3QHO;nda%ShB&pb^IUE+{B*@M^`@*oH{ZWn;GKJNfW&RG(1eyBa!<3E&-tR z)nvO<>98;bc(VN*$ItsMrR8l zFTwo^@rvI3$;`W7Md9X(bdHqj^~?c$^h+(`+joxf9I_K~8llcRhsWAKRK4_4hN>&cBf z3xcinw{qoAlkhVUeqC>_Bs_MFHADyDw>Bo+668srzYKeh1E%-l5IPYw(`6Ih(uOR~ z1sx@BALAf|CqNA&0uM6<^ojLB{BFUOaZ^oQs|oa(3fnX9dMN(7o)wDNb@8L{P=+Lj z3540jynSGLkf1A7RK9up22ecJz7w9CiUhiX4hj&bweo`*XQ`=2@9aj*nI0b`b{gho z=xH(xM^%INP4nj*U)xRH6nWk4iBTl1Yc8e}xC4 zvAgTXOW0Dl16QvJ3huRrsrXES*YM@kk&nWrLO$;Cziof3`P**~hEeA*y3o*}Nr ztt_Tbh-FXvO^2}c-KO~~{Lx#tv+sC&SGs*Jk|@atm*i&^Qnkfv?OjgQybC|-^{U7pAW&Ld&j( zx3eZFF}rk#2=Ca)ZY10d89y5n%k^qf1Z;!xfXR{C-Ap3pcg%GpRCHIQqR%>m%IVK z1U`IF@{N#8uVTEs{oyAD^R?x%$B?EIz8A(fCe~j(3Ab&=_MM;g%81F&nipx_-V=)G z<1IJczji?A0=9?=V`BzjDPC)B*_HMJ;I^L9rt3adVX)T_8n)J(2Wr}eM$lbZkW~XC zyBa4k8}nU2YygUyYW&J2uAnd_q~8?a!+hp|4+d0cuJ6o2#6+_KRtj_~tnc>Ec*yI= z)O2%>>ImpZi$<9Q?+ZYimbMXQO&e|Q4%2Vp@D-ZF1ocw9R)Upktc=UUf1w5bp+9*< zsX^8dA1xThD`pygP6fW3xim9K&CsRwk5W!4lL6qcEsX3WwA_XA0g(Q54i$u^s$QR6 z)_e%4IM!U>gt(V&K%v{w(Qyj?YP0#Nm}!Wt!nf6kebM!GWKgOCdGnLpiQQqQJL>8Q z2T-=Nx)$H2fdjDOJLlGK9vpmcqcm*lqy>OBE!<`j<%_N>Bk)Oi&sa8#1Y_OCC+#>C z*ySH*n{l7|BRubaz3S&M!0~*&Wi9?or{Pez@k!v@cVDO4x$fMnMxaIHKc9GBnmyvF zwn8{~Kv4>-pk{QWdk|u)y^$VCo!aXAW2RNwbQYBUSAYbKS4{hrB^ua-_dNx2NHPj( zVYYh2$q!iYIg3Ikj^@8NEY0dwtmgOs3*gbgsqy@fV!g+9`d7%0r-B;f@bMQ^UM|?* zL&m6G38Ds_uFPJoST1rizw z^T-p-Wl6j(3EtlT9Yt-^qaqn(x^}E!sApkFJFoLG-O)KfgsZCXW9{g-&Cgp9igJn3 zGd;q}H&%0!%iH&tLg`=E%YP<;%sc_)_`n-G5b0lcOQp-y0CYS0o+J3=%Jh2$+87_aR`e2J^RZ0nUHS)nG7Pj&uOw5QPJ*TLjdN5FZ<^UsuWh=c@mC{lER& z$?Ct&{Y4`z@Z~)J7Y77i_nH~pA+VVO4YzPUM`qFTeuHcvRCfsJh7huiD)+} zQL|BBmB|pvH+>WZH4wMT*&`3C`m1>@DLH1A;H-^MFBBB`(^x0K2mk6yN{^=w-nfP*izJwNp4sOW&@FTn_uW;_MUcAj& zl~$SH#65GHn$R!P-`+lT{4W8RzoZ|Y+B}s@Ba=pzMM*S)X_8LhR$R9;)VMThyj&0?v zjsv+bgbd1B!~)CEkzkzpAe=K+D5-4-+YxmV{A7K8L9YMDJM$-=z!~~*YPRhnT`2tgmc+>=F@#Y4j8E@XqOi;72U7n$)6a6u&U>itSy{23PM4oEWZiEmRx3|n5 z0aB*cjN6OTmvX_lrKKI?NOS7EA8?bWMD1u`BpvC^kr!a^!D~xP**$XYlt%UqZ`~_; za;Fi{9S zr{I2Xq{r-{)1vU3PoS|{(tK-KN2glncAL}Mz4Cy{!BT^V*9wfq+Mv~fkuZ-3L|Xcm z2NVI+46K~Cv*TtmX5FRtARn}Oh$w=Ezs#ayt4kj96FQir4~^o17$W+ zS0MH2Ff#>py`KH7T6od8)uZC+%w)9JyrYLs?w$M6K}%t)>f=xoV%eg8lnc+R@pQf_ z_R1uAS*fn^OQBu6Ht=HN3@;=G@;<;tY(M2(f;>Z-W|M1Bpu=!gvaZO5uKgXPCs}sF zV^Z*bX`72ya)73+0jX(PMl!T(MP;xUFTOpU3G5iup`MA|Ka(C1J1Ilf4@!qWysDJm zvV8GU;Jj0E&l?teNb=3Y1CvEj_Dvc)ojRQ|+^ahE&TSZt{3D(flzZY$qDy)P}ELr=g)iF^<_{G!mPOV;%3 zM~avAgw#?iG3T#Ur5Ti_$&AQ$U-NPv6{ZLpiI`Md4yQglFHeq>&iB4Ctv%t5c$nif zB4xEqO2~A3`-XAkm9<(@_qKBZd2n#hM%!{Ei|z(nvcg~8k9p!q)GDCe8oN_^J3_n4 zerBb^;N_Vs7ucT%_KDb+1H7XLdq5tvp73G+_~Brt7|?;{g{1wk#?qb_G1+4I@S@Y) z+-{;|$AtgK+Lwnz+4t?=SyCjWB)gJSwvsK|a91QG*>|!pV>hzRgrc%5WLL89+t>{W zW#0#bA^S3RGtBzC+|Tm9&v87@?|ts&pN@_$rn$b$XFWgXX?xNPAcAyqnJYXt?rC}q zy>9}ph6nZm`WI%vsL7Ls9GW7+&gl%*oj86C!Zw-dF$pfb*obod@EOWhD)A<;^$Tc$ zppRy}e4qLifzfwT;0sEjyqB3zEtjnvDu zKR-;~@YSd3L52!)!xWA7rAK>=iJe|Y*w;vT0)UR{oMhZ>Z3?k&d4v4&*hE<|-v0_C zFVwZAt-{V&`P^tW6Ph2~FFWjIDDR&xL_(uI21zw^FLHQfgfh^)micmf3`DCy1(+W?e>lu@QI7N+Y41q|N6N$2e0F=wRDydG)LglQxcZu}&jyUrVvUvB zveFyO;I1a;y?k+J7`w)-zC7$7Ty}9-PEWIupPKg^)X-E*+#@8F`?#8mve#~iWHkBZ zrcMx^ye&o#IgIVCzE30=x9-EF!JCg8hW)#3YDg;YNU)Y-|CwWE%^4Z=63I0cnB?%B zKO_>`UXP)phHQy7JWT_Bu+^*br7)q{so}t6+_E&A)bp6r&}LkGMk>aCeJ*X1s|nuJHP8$#FMA9P>gXT|dq@x{{#$lcY%9BHFlf zvyu^u7V{4PK!)2_j__%8Hb08YH?C(acNA;B=iuQ0PYz-Ee-Qdjgnfv1sow8HD}Vyg zN8;{Lw-^S&b6DlC5wJfYov&S!-d|Mchx?FrnhmxWV0-)jq|^J4*Y-#`^I7)exLDh} zXy<3vk`Ji)h#^qEyA@kE;sx!jX-4#V_c;J`r%2(6ZxB`0A7`2?Q7@EvWrN1AGcFQO zNYT;cuX(V)(dq13ST}#Njxu)PAwM3-G{>Nuk#!!pl^QwfLtzMMKBR8%_0B|z5&_FY)KwgC?T~)BxQjCX;926wyCQ98BB{8^E_THp zc+c@cdT0}+T6GL!L&}Bw6)SrrvD{eY*)O!RzdmN1f&X@TWCVV}G}tC-tf!s{LCW=# z%XJ;VMGWaBSa}Z@b<`PN^$q}*&^x8n-~J;oYXM(98nJ6RSA6mV2VEq5scC_2zcB5f zc0E9T`Kneh7f)&VJbTp#Gby=M-_2Ep(P}D8wSA5)V`g>tJ$*VD*ghk{)NjI6W6ad< zYH)l7OTouXx8Bec-J9n5^*U7*oOZe%yU>Bgwz|(rsooJ55AX8g0%y7EzR|zyFL_`n zRl;V`6m|q)P(A9S7)m&9XiQ?iyIk%+^3&%0Czj-QM|%sf6X=oPBbfhQ`z6QOhrp=E zNI`sTthSURQ1Gz?8w1gk2IRT_95Bl=shfWOl;Lb#*rxaiC6(fc;grOZ55o8H~zVo&*FUjn`>OL_DYkc!EHM()>uV~`P-j0X zABN2>fcU*NZ=3L`R$ORBPIh`1jn2Oy?MFhd(C;IZ3$)r0CgLPfA3Nfq*3F{W_0tKTVWl z3Q(tQ-RDuaHSATGXl%RpL{G0b-GBOi+ae~2HL0DopQu`oZ5$lI9HhK;COb@F&*XM4 zjWVS9UAt9}W`E;Ehjd67K|t|O$Ar^v>K3LI-JG@>B7!tuZeeKJ8BTfYLNo&(Y$2tyc$KZ zfL);&80JV7eO%v8&e1Zh%uYr}Jxs7nusR7vX9Q1mC-0l)gK)N@X_&Q#~w~@2V4CHq|#IIN8F={h08Q1f4 zjBS$;B#%Ac{S-~Tf4I6MUklO|FEc`GZ{TvC=shK-qMPH2*Ds;MY2{E8Jrc55b5P(l z*_x8_zE8s%p>71?x-Tg+b0VAi$|4-A?y7#>HwmuXdryMIndzwJq}N(wWxKepY$G_+=A)o3=cP}% zjXd?>{1QX+{@41n$IOYfxS4R1k#GuuYmrU9VbZi1qCaMYm-D^3*8@z@%I&2m+1Zhj z(F(CGY5+I*2xqm3kXPK@P3}N^jnBjdA7V+{jA#HVWupcA4Tr(An!#m3Xa%a=;51kK z46?|>&p2iwB77tIwH{5DXooz930vkxmQS{u;>~OL@ z4}Qp067m?;B)jLW4^f-lN{|puBAYxrSIt0__j}=bPJMNZKjq22K(lkwm@eXxzWHgY z%IQYz&eVNG1&q}Cc{X|IR37^xmeTAKE*MwsAlV;HW$7)lF9q3Ui{)LtsU(ZT81R^x z-c;*O$UiNc_@IP3QL^O47<4Bd{?boa`(<9qAQQQh=PL%yeflc7AC|l< zdAd(SvQN{%Qe7E$xU)vW&Wkqop52PxWMZi**;^a>2_p5FQQ*6)R-Q9a;)r74&^O;EU@}-r8m-dx_t2u@*AOd}fj5DY-b>%u(bvw0)1s z$a{hK-Q2;z`jzD$FRt#J1vSq2+fT?=eExh@P*|9e{K4nM>&Z5tTkZ^WL|g5XO{eF9 zp zGf-+=zS7r#8E=KZ6gJ)S6v^1qOA{N`C>4t4*e|4hfn~xy49=dXd)~E|?ix_q<}QMt zmY=JLtN6xuGVFCl%;2d{?6hN=^j)T;XZ{x8_HC?|p6R_vnf0M81VZ@M3Q`!E_nv(k znZ0-Q#5WOLp7F&BNzz7lTO*Ydnj{K3OYUo45T5g}ImyVy)hGB;Iz?6Khe)w8-phYr z%ZY)-&1WkbwD^vOuhem2(Ar_SW6^S;RM2OCz|0ta2$gcG>~E0i5zLY?bt_+jVR^Qq z=<%as*#cWl^2}$(FTENVaX7wIwzz!l)u4a&mTg4*J_>1*d$sK2v5RMVSb}UtEaluce zO8o|VCmU&{Ui&5v?mS7Ik$hI2AnZ3Q;G#R0%YSp`0{yqKYNX-gT+q|B6g>sjsjYG) z1eu&39x=5(wA}@tb(i9CEf{Pv1vZT`!UMakz_)hSSMkWA=H1OdT+rMX3xdD-UfFJ{-8b$y^-!b0We9EEu%a?CC>JCigae#z^3pC?v@i>=7J5!V1*%1CU zYC|?=s9aOV6Jk)3UDw{xo6Jpguta=^i5zsV+ew5)8ypQ>Y5n}xuBU=^({x2IgLxPP zT_-qH@7aH=AiwAwtnn#ET^`dnc*eQZaJO=2)NWo6foAwsh(lbcAVPUfrz~HMJrXupyx%#7$Q|I8^Nv7gsRs#m;J)t4M~fcI;f z_71usBV(Pqv+?y-B2EWpPxE;q4B6^HCI#|lU^~-YJth3bC!jAh? zH^k0%uVA^CX?M%nJeoAuF!yGFuQTlu%}oMwb4n1+64f(3HF7!P!<1p#YDsDI)Lk2v zwvgUsbBdDj-tIgchRpFQ4Cg2+>54m`+kxnDI}GRT41*sns4(yDPU0<*i3I^#TD$&+ zt>f$xa+1|>xPi8nsdOCSP1g^tEbq<)%3?pvT2~j$H`3r8c9z@AFy}w!fB)Bmm^Pq; zmE-1dR+)-_KlejMhAaJKaZyp#yLay_CRPTsLU_}G`32g&G*W3<*??_dD%(l&$k-U< zo?C5YU|F;4X=lTFu|;Zb3E$@ik_cY(rK#OdZVHCBhlg<90c#r%2UG3)AzZRHse->A4v{w>xdDA9mzyeKPtDz$UF_V6_h7J`MK{LbP>O zQEGp6zSp}o$w_I};{6i5WsvdKfhwke??U_%EEb5qXC%INz)jANg` zW*s@jo~N3^h7+B4HyEypfLohgOgF^gh$z$2*_j9Vb>&yi5QT*tDR*AISj>2_aekQR zkGGVc$OkP9p3a@w@$wHhHZm&8$>|s?Hnszh&8Kiuz_k1K8!nh2&AE3UBdEfFF&!IP zTJRlYWMm{9m=$w-F!%9i&()Z?mKkBN(%bxt+$Q&A;-7PMrLL4+t6?4C0`tUH779m7 zO}gr@f7d&*8r=!`m4x5hV;~t0KWa?Msa8urRp^$bd#k1L`3sv`lcdTe^tm3*^gzqn z08+(6O9hUk!3%bwqxK7?kpW3JMme3Bu-u%d$2AhpVl;?WjAR9Izg)HZDo@-dN;LR_ zzP*hDJ$L*pR@WGyKAM{9U7UNO*~ON`{aHzXchI&>U&Y?;Acb*$WfsyGnAcK7QqmbB-A5t}Y? z{wpzW6%Wz_^Ic~q*%PMgY@0|sDQKqU_cqLt!70uu=_dNH#z3#WbY~UK4ZIH^Jf?bMJLDc6hkVKFW7wLQ{3qk#xW>0BLg!;JVImQl&K&NouM`m z91~@<_j+0mb4yxPFsIq7xvS$6lLG0wlS|Q7Rl9Jn2E-nXebVinttgU~ffa1u$R|Lp z)iRo;vhS;2dYSx;*7Sy#G$RFwHKvzLeY6Ky&)nc~wi3v2k(Csw=|QhYIEcogYnlhKn5md5+SPqJ+Sl#a zDC1^UY)tCd1d(i#I$o@+%9Pw)ePyqXi#CuwYq_)a(o>X(Q|9;*Gys~uEAqs%>3hYF44 z;n=7ss~tb`*c)fX=s@4Qv+*)514+r zAr4?5&(@H)f|mX0sna(eE!qoi42H6dL&&;Y)m^HU!lI(+lOLE)kKMF5+y>Ot1{x|5 z4{UJGrYt2xZ;~f7Kv!LB#p1MhKdXh|1YA2~9%Wiw<-oLM%NrwWov(d#4`(b*-Z`)$;CZFYIf&@|79NXSy7l<~1UPD)42VEfT$ zsfI#mPm>d$z}$dWI2{tnvQHpsioD^lkRwe=T^kn+|NZ=H|A5B?MNwheE<;Q@<1W(d zHobfpxsq}NKwWLL3~VMZfu&r;xxGQ_?b{Vce#nMpr{y9L7))vzmxh z`003S)R#KXs6FqzyVOmdA?_ZwnqL^QXyC zP&wq3<%i1OSJ5~XtrE{QH4N?Fzy`nUz7_hKuolTiTbL7f@f8r0oV&!ua=N)k?^#T~ zT7817TAdd(igSuf(r0`{)l$JYNvB^Ej$KCXjhmtw>Fj9kAejyO=`@CA$ zw6(>Jjbd}np+A}fhVQ{07Wd{#!lKeIFI}(!jNbMBX5J!~?&QRuCrJg0HlwL!Q$M;= zVRP+}_1xxjWKy>P$TcMFjJ#ok9q12Vn3y2NpN~e*+`tww&o# zPZHzjWHD%U0wmHTBQL7|nkhgd+1w~J1$JoXP4P1`zHL`~JF;hP+P|%s{@uH;0k@K_ zi~iEQTb0ix$#y$$>SWZ)^oaznvodY8VOX#fExOK&goX{;G>Ds$H!{BN0{5NkB(~{r zC9QQOJMsWb8ef!};Y>g^?!LaA(W|a)w@jsS~_sj3uVT=u`;!K633lbu|^v_T)0i zdN0YAIEx_$f6m+EDBU!X0g=C>hWi@7y(83+4pkZ+4xqj?h70%s}2w7|LMW?T*z zdQYoN>VB#$fi?whV_icR=WW;>9ox}Q%qekPnSCSp;y-w z)}Owlb*H_Ux;~V|ikQer^UY7e+)i_wtiv*y6Vo)LF{ydp)tzTk7&e7B(O5pZUX4h& z)%;X_P~^g@4%X6ZSC$F=N zK#!p>)r@yfSsTv+1Gy>K*o>J=G$UA1!RnN)!=Pd_Vk6kNyrTfOS*i72VB%xGuAVoR zP4B7B<&y{3om7ATNb<%0_ss9!H30*Cby#}YvcO!4W=UpjvoH$NPLMhIx*30XHHA{b z5rR=x=XB*E@4zPF!gy+a4xNDD*OyT-ck*euuR9r=o78Mam5v+kp_wDZCNBkGFKB0O z)@N%@%wX29wie76c?>zH$SwaW2qe$Ex46Wss7IT**1;Pe?tWdAZPM~Ghwh4`c;Fk| z(v&-<>#>V&3Mok-3ce76&6ZNe&jx?@PO+0BpwMsxn+nxBw~`+_qZwZn*fwNQWlvkswQSyudvI=} zXx`Dm<;+>DQFF@k^+eHkGS_Gg*IkDq>RNZzX7;bh&VQzb|2(1#QQV0;L0w$o2-ip@ z%W#<8s{^AhnqIV63zqIr#pPJ=&_P_!60+N2_kG{veDzBkbO4MQ)!DbxwH&?kf% z_T7B5+mFD%GsQKF(jW`5zSwMFDEqlj_AffL{5}cde&xz5>N@>Ey|H)ADcU>FmQtb- z`*K!vf&;ym^qn+(>5Uwru}}k+>le3oTnk=8tcJ9HS~)DRP2=%4U{8|-@O-qJM6611 zY?ewy8uJI_cf?*v!%at&mo4{UJ0c}mj*zHJlfuLqK2hUeQ(CPxpBvVmAn&=WQlr-b`|NMPs4Yub ziG0K*DS7?<6IkY8KZ}w-~`V&>40oNr*N84dz zk;0vFf4s_9q}cg=Bps|7jgf~uIOan#{A^)?d=z=P5g3y+ZVspesy+4XbK)}AkjF9;fpxb>L;QDV zP)*rjLt3`_k*Sdb0uqek(q@}EN`uiWYwDt&m!>^HTATKsC(INh$3uVui?!D*)=3&3 zIcXLY6V83;uu)LE=h%h>c?A_iSGAn-WM|6dBe}L>)%!HHtpdl-Ms}?~tE`#oC)gyj zPu6&&NMr=a1w`5Pzj`8Xr_?y!DbmDKmQU#m6M4zWrSjFVSHET>{e`sd7dG?4#_ViO zn~+aXg=L=4G51~DJd4bp{M2mi ze(lg0bai&cOne+F4oPgM{(7VP>^wKyi+jm z%zO6-j%|k%!{Chwht@YGg6RQ(FWxuXdvD3!5N(+yK$}&Qz{JgVy2rUHP*!Rj>#eq7 za6lgad=FHrrI4Gh(BGjUf0x;$p-ocA_#&sK9V2CzQo{5uPn1HG&879Nqv5MiR&F*U zAra%7#f7qk*Bt}R%$g(flfk-o`zybGf0IG~avEV30yf2Y47GgAd+ax-K9OnJdLU`N zaQH?IhC+B|VJ54tX77E_hytQ%kB`zMZ%MzOX9QQxx!L&r?as+H3w!X~dU~LvMmgj` z)a+>Y(*itC462`AgD_3Vz4pd+Nq10W0}ray0!N} z3N&y_p#LpVy7j#A!Oymw!Ce2V@rg`T1fBpfMd;Fr6`DU`>FlsCur-T_)bw8&`4$* z5wSJ>yi~!*G4ck=m=IFah~dHxMo+Vw1$ui|V><+wUhn?J*`;+w}*^k-gVORh0RgNq42JpV6YQmM0=V z6K6EZ;%D$+=R6JeeKnYyhiF3hviYUzwhYPwHqY1g4_t-6%{B4X016Min7#Y!z()jW zKg+CejACTFBQg)iiE@2#=V~eremlH8IeXsfu1rxv!XO*Czavmn5%&}2+T8n&kZ5Q# z>fGJ!3VRiR?MJB7{|bxwAh0edpk743E(h7jn?4}Ow)u+v>$d)$tt3!kv^eU}dPctu zD7d{lRRtH%xGF4vkUTLt>9Hn}d?{m>ia&c%5};q^in1E+THY8$!*bg^U?)gHrGum+ z4zyP`%f%}BpHfo8tUd^7|NlJC^$#HWzh6w=<2ff=(uT0LeqZ;AKU=$NTi=~wXgpw@_D-y`>it=x>QDt3Ix zleZN{nbp;!>>M1GMgsBw9MJf^i`DYu!itphc-h%Okc|!a#6ud!)W!>~>65g#1O-Eq z*47*g^Yb0d2dV1-2Cb9+(*Vg5z=2pwXVfC{$BRJ!Onov%PwD9B7?_z$KaKjAp}>E? zi2wg3{@c?a6INgz3E6)R^9T6#|IL4}ask*l?AzfUrN3t4XQ3V#P^*K6+VlL5gZ!Us zor)R2h-Zyvs_ohTneqHLZ}DFrTV5nBy+>0}6;n_;b1in#sm+v$M?tP9H`%b(&9dO( z&9FaM!1$M6yUa)SIRC%P8~^h3_dSTAriwUBp%w_bz5rL$SJ^yJq3^@+WqJSJd+=|* zLX6t+N2}R|z<=LY`cJ#HZwMfg2pjp!Eq}q)0XEq~6&P(Zk>RMK{pW@HGh3h84-BND z>@?-+epAf)PjB&GuLZDtv~?qwCxd|*)DQZm7TT1}<*{e5spP25@{TNj%=gJoOiMSS z=7Ml<-K6tmJb%zo*FDLfpAj|Ww(G`96SoCdKm!Fx1%QFUGSNTTVRXxNV!DtB#mbHrqd8?2h8-d6N3*Q^M5EIQnMJd!rBzkBrhT-Iy&9VsEKY!M&uMXG&T152pMF2f^l?;?v zTU}N4YHvr3gg>aPsHm7N1&|6r16jQrNNqz9Yiny3?5@TzVDLp$lnGlJU}^bDLPCNT z1;898=i0*f+_Q4^X7gYHfmh5conB*z-8Ds-UT@+fWl@hi)7Us6Kgv`k_ls)ATlF^; zvM;~8irizNY^T2hLsvDKjIB%qza9kIJcLq|w3HCN)nSdv?S z=Cb^*p%Wd)s>XP zC{HME4LJH%muoUBnspSKE9PL^lE*fOAL}qO#zr!1Jn*!tjX3k?&G5vh@xk&vMpvXSTc! zJ^S&J2qEjz%;|3YSPvaRSzW>)Z??3H@SD2#X zVDWVMvP)5ARn-VU92-B#ZDed5f{EsqcLbP#Dkdk5oSdD{1p7+_mnxs<7Po);R5=I% zs6JH#Uf*XtH#kV*bLpD2$HE&4adDbG`cq@rNf8hTH2$O&0f?TeO8dEmbr}v=QE7BC zy&{MR@tj}M%vPTsw9@Jwz0pE4Yq*r9w?CKE_?0|2NLZFLdGyD7w*RmOK|=KVT`lIU zkJeK!x-|e_RfLvW@Top*M|nq=_gMc946tiRT7QqRkOC&^BRLKm0**YK930#=PUrUa z_Uf6NyV47#-?e*E)(9|BO1jOqSRgEw#O~d6`<#7K0QE4dUh}2rOdxzD;?JJ?f$IZ; z)UfFv@&Si#=eCXY^_MSY%SEzob2RJ#WWH@JXrO%6-Q9gx>RFi}hv*8jcvuGvU<5wK zCnnN`cXxFG^Q%GMeQw=$Hp$jdz^NC?f!}e>G$Db8%m}>HghR@{X}C-5#_gljyUzO~ zx3v8~00<@v0^GSqqQBW*IM(7wN4tbmvjCIL`4^md=9Ty$1pOC4y)g+m3fA2>UF6G^ zn%T>x(iV_efW#eD{;5>=_H6j+~86*_Wi~%j)G(YPnf5xXBR|trFxGp zLKf*LeUG~y&yQvC;)}cWCyvp3QwJ`VC7jVtOxk}qTmNUw^8~Kw^=mbytdw2OxwA2XPO4!*QM!UT=rBD>&s<>&tMW@^oc1SY0mp-n1 z=>r@+U%vkFPgFbqe#UuGR83;rQm9Ae2RCEf7rw_zLN>)xABt4l)(z2eEsm29hJY?@k&xSz%Ni2Kl#+Qt~p<^I>OEcM+5gHU|SJ zMD$)yeUc>B{w_Q`1T5iw0x_wmga9U}E0>m*UZEb#fY>$3Ba5X3lLyaaCM5YZ&c5OyxkX{8Yr%^5^{Lr&) z$@Ew^pHVP6U~;K%kK(pxGC^0mhYS0z-02qlUX#RXe$J<+&P%SGk@L1+C}XOhdu^?4 zXT@#Jzrdbt9+S4vj{Xe~8)@tT%vi%+(ap8%&som`%^P}pnK&d8i2^jDi^|LIKrSqK z8d$88%*#}zpn~>udEu17E`h#kK8{O<)89Y6TYy7-nI_(jB@}VD#`6SZEUHjB#Ivuj zVWcuh9#eQ2VWM;#F+=L+{T?t|c17=*p5sBM)6WDAA4`Y!%sdUkVl`bGLC`40*tz{e zI0=9Y=&WC$sGHa3(#e`D8bJ4!$?O#JVxQwESnX^?!OTz)f}D7}*@}zG-IX zl!lKtcJ8^3HT~V1w=Z>-w6`T>Sj}l7J|IF(Als^VCN#$5Wgp9?_#4 z1}=Pkuo}h;!V^I*AKPu8{puxLH^F0!8rG>^Oz*x1RM_s8HVUO~*@1&|6aSIfFWNk4N%3Vs_bEx zJjA~JYu;kdpLWc=16;?L!A!sHS*78OXHaPK&8IaL6+^df-3qqJQi(oG6HbDUrO&V+3J;Iv6-3l{q;%Wt>S4WL!7R)_$NtlZpzhy=7K8z5Ealry!UUBIS`QV zKD%-Myk=&0b~{iibq3-jIN-_Mdh@ih)LR?#b2>Vd0bv~Tb1Q{1@w>ab!HTmw>zO9~ z^brUwgQO#wPPjBv+WvbXrnh45pCq;`ST^x%h>FhUh-Iuz{Ue3ls9~k z0wp^g7w#_&+mBI)F;yBSn%E;@KijaY1eldn;Fgn~i43pMyq(ADi!l;$8arfH=)9`m zSI&qy%B&vYVMsQ*L-I%=fATLfhkinP?fwP9zv=A48SUf)+hyg~fcjbmKz@;|yspbG z_o56l-B6Ez-92N(s7baizNR1$Axy7ixWKxGovA81#*#l-~e#R`#sIPH0UU7YAk z-TvvrO4;N##wO-In{59y?f>i+a`aa^_*Rwc)S*Jd&m7!%M0j6iP^{J)7UFu`F8k@j z1ary&d9MRUm$h8)oxC);lcxa${l$I<=FW>S#NZQzckCrYAWhQ#WqU53iEfX`^pAY% zpDy-aw)4Mu8uXiyyFUuVn;geMrW(L}V^r-xW0|tKE8=kA}?YV3%)AAjp9 zGP|*HUz#MNqhEhe3%QMf1`)~N)|yG}`B-_#=j=Ly5Bo&hAc?MxbcRb-rpJ!Y^D74w zNz3X}Z8lmym(7n26NRCg+1O6kZmyJe zS*EYVn0;~dsam*LbZkQ&tEsgmAV)`E1JJ3^Gi=P4kdF|(y#fMn#HVg1MbH>=pj4du z@;+aboT-D{H*j2=sw{q?NO4mbRwwOX=Pyg`RjC(NhEB>DS05ggrIV?FDTr>b<(=9< zYcVi5uh-fW{_xL~CVuX1U1HafxAx zAv_#&0HcTyQu--sQwQY?q(L817+SW-T!7DjDdYCo%x-@41Yka&7t$~1rh3|b1l4aT ze)LJ&l;f^p`r}aXf4aQXTU4~UkMB23_Wc9i(OXbZP?Vj`Zvq2+0tz7gmM+B{NI48$ zlLa_U9K_L~p(neeX^gR3XvF=eZU9`XOreN3?&hsq$L8ZCY?2I!TLHNZ&qj?j^M`x( z1H2r!EnXtt0wL60$MmGBi{Ax>He*929+tFrLZP{)N6}l1So3><1=D^=QOsy(dIeV@ z(pdX`mTtP_L`UC8TPwaS>@7FaO3?kA)d%Ik?8Fv%Z8^9iMEPuu=Co%RW}>z|IfXsM z25=fK{p7jkvXY>-(8<(p(X-^U8{;-9W=4*(NN`m`j%|wX&e3tVOVVPXrHr_TBi`(3 zQ1{`EMyXsMzEF(Ga$RPzb@f_QpZo^@)3&uqKNES9?D%0CsG+>Fd(zqfEhsKNuxkr2 zvmO}+>M66LCYRr9-QEIZD4r)M_dCMM2@xWeaQAs-wUMatiXL2%qUF)|vJ=7wonMJR zzRUR_Ns_jc)+vFj4_i0iJ${Etbt*kW7Mq}SJeu81uo1j^qM;JC#x;QM=ubMYHvwWk zwM9n`6}*~cY1K&sBa49$tMN8)a=Sk9p=EPJl)#kI$)p@B!q;L3x~NlsqEGbC%e8Vg zsBtrIU#DmfpcL2YovC)x&sC~rzw-i+iiIC1zF;uW!@bK+dkC=0Xz?-l+_-3%DF%cO zcOzxgy8?rtzDJS)o3d@8W1D6yOPYF1o2Ags&Dw)-Js)xR0e7bb{8Tk0M1FT(_L)n< zTEH3-QIovJcgbHmU!4Uc*ex$!mf18RKy;{jK?Bg@ipV#g#R zBvcg~9L#&U;wJMi`C8D1pV}rS&Vc?^YsQ(2H>S>=ey1b96CA23k?RZx!Y;AACqctN zIc=h-Ud`LoA5*P#1ZcTTz8t&@-nXGRzs|m2OvzhKFn`89Ry|k4Q?aHS{c4X4nfvO} zb5XgZ__U|(WZumS#V=ZZk*#n=V5S>;Aw@>0D=%sqlJEFA#;>}5U(wRL%ocRmf=z?l z%_me%#xQiwr|!}dP)Qj_g^MhVZsA3?ogTxFS~?{W7XBGWhPA1Gfz40)t=XbZ)>eOkcl?_L2--Lnzu;1F{38^Z|K_{$9*dsb{b^%ZpIyNR(9=OU^Z%NT z#VAxlL&ksoSwZl#F| zY32{!l9!G;^KX9cpWfiVjL$ukU!I3~F6j)M`%B(Cs9C7x4I=Pp!*fHG_L7K+eSCbp z(%)Ojsz&L5VzT3ZDzJ*zk9%`(xlw;jSC%)1A2{fhG^!GRI^_7<2UuSP4*GRJ=Rd*6 z_rI$OiV4RDo%!16|Nh7SS&iTQx0tuUK~GvK7yk2=;NRZY@c5vs#pwKLNB*~n7}#9^ zE%CYY&j)~i-woAFUbTa#jQ@Ds7;P$`yudi=`SaUp6d=X^q&l+Wcx9*gV-geXLQXPP z04h&ztUwF^0pcXLbagcIWk3+@U<(bBUIB8}<5~oo>d}tmV{jD*0 zO}_F!_XU%y;;sqm`nbEh8~g;++8Rwb9bMYz%HpVC zJOSIS3SRs9Tm_rm3?j9>LIM5qxL3d7dlavpAmx4CUj-6?vkAG(hyERGcCScY&NeDh zoT~}2=(p2Mdw<)?|MCLV@eiz1!w#rQl{eY$Jb!SmYW)!4$9G_t;L|#;s{kUX5}S@v z^qoMKglP$)hJ#U(K$RuRSaR@JT4LYFJA4Hieo3W;2iFQR76bJy0QLc;fv^jJrd3!s z#G&BjJ)dG8;A4!<#M9(_D}W5NSPk<|xaj4_<`^%t<({MqoCSTIg{94ttY-;dIJ1Jw zroNZaU(?T+L28Sbx~`^YXk{tC&eZ~qEB%@&O8>>5vQRLZ50%58xI&Bd;$NjRd3KsO zisJ&=-+}PpgRU@BCDE_2r-NY7Z7w~uF{`Lqszdy}$|iDCOEysU)83`4^V>UeU%sBU zdT%+^YH@L~HRo8ydR1li(J5;+MGEAj5N4)Hc4EyUZFBko-^s!jAYYa(4*AE0_-7*e z|6SfD&Est9R+(N_{8Z-!~1lcnyK+ zqo)qHvhLXUY}FYW|F&2>ls$7$(Z8+~6!GC*d9yL6JU|2a*-zx7tdEPqlM_k!*cf?# z>?^e9v(s|)g1jM$R3}W^Hf3BK98{mKjhJlEk<$x;J~bT?tvz%#KHk1UtVt{(rf6Iz zSfiTx%AAlQ4TQ~xHfj+djizO|M6*{vv+pXF#vdQfWkbZTmr9XhKE)~YtNyN|7^s=4 z53JftKpV`EElq>=;;mI1|Hv3!V`C>^#<#V552#kO-uMbw9r~^t+xl4#UC_<)AGbDO z^fR7(eO`JA2dBIq0;7X-TF5a#@NO!;7vRRr2!wn@1L{OIk?*Q3+fIhF#^h#NvFc=o z+UuD6XofO|TR$01+$C8(lGuvA_U#QQzaU$$1V$lSDpA2uH#}DT)NsT@kXcL@18(l2 z;>jShYcZRo_k}dM_?;F1*UAaF_s}!n`Dxej{SWcv*vCV-b5hSTgYQuGb3ul#3|;E& zL1NRQw}IJZH-UV!jJcEd(kB3+lJQ?@chlbGOJ!tu^@pX?O-El}C0J`{Xw>VLb5Y$q z9ln*i&H)@FRT z)KztD?e~B-)tLC&IH30uJbmM%RD6qhMu{fsd5A`x&)8vq+F8*ahU)!GqV8~(=8g^ znzXMbbu(i3K$BzqW(hvb>V!DO>o`pjnS;=I2YdT6Kw9EeBR-ZEw5`8RY(bY<2(aO% ze{C195LH5?y)2gjpTJG)v+Tp|uG7w}Z|OV%PU9DUGopn(iNJ6=X!Fvx3KNnE`sKZH z6epWY4h**7DZjw`dmQWj%^)+j!}Y#QGiAM}mZqj@#vgXY&01VHI{eCKnoNv!bS~0F zw{yggpk07FYZ)`K)SCkCh+rc-?w+RCPJS{nz%6_I=1GSQR7?fm`V>P7K`XdfLnD=s1MvEt(_h#k(FcEO7$$D=o&GE9=SAIQuE4K-zA3JMF0D`T0xU8cSl zuhmQiW~?5)m7noiZt$RdLxuH4Zrb5|vv}eL?SF1c&x5mU$jdRZbQRA)+4vFGRpPb! zr3!D#H+aAAmr3*W$!)?jAEELCM+JBhIvRr9`R1geDZEELsP zkjAoInOHWcwS31$xholO$AmD#Z7krF$bO67z3YC7k$4uaXaxrUpN0=H?nv0JjNDsW zx#|k2yBH=S#5yjzDPcsj;fud4q$%C};%xf*O*m`^wGINcH0(7op>MMUc~3x3&~ z;9k#QSQaqu@7R5k3mOQ_#hC083AO9iGI``mN-jZrGH^wJHtZs(5e2L=w z2q39B`^9R&cb5XrtHhRZ|BfU{+K`HLRrHR}i|#Jk*WQ;h-7458MoBBL#hUWi2tzwl zb)IbndL<@oINJU)MS8ZT07<*P)Uq$i{2Kc|Q|MP8)&ZI%bc+X64OCV{-fn#}U;er7 z(77jg#T=lrB>k9{sonoH&YF4QnX!!QCJ-XX1jHJ)+5_^8YtHY_uCv(Rah++js55H` zSosw8b++v6>jw8$Z=@;f$*nar-=!qGXEUg}<#Y}jtONDEB7^d;B8}T$^AwHrlkl}5 z%29u7p#Km4#8+8o)?cq%1Ap=lhKn|j>ss}LC;{6)ooad8dJOH-SR|+{ZjG)kqExtj zueoR)gaHa+`2fzO)3h|vRrc%-FdSwe5>33#w_Kxwk>;hc`r zSD9!L(xNErEyuS4=uwwo=^5(mQ2|kt+S_tKFtjkc7M12QRXdmnk7419sYH@mjavW$aT?7(^Qf95UB{D0`!7_z6P@i6pasFPn_D4lrB2yShKD8SPK0 zm0W!dIhfuF9!2lxNWI2|;)T=vY2Sa#u|_tUjUy|gH~HjU+tvJ%U`M-)TF4}Gm)(UQ z5MXUjhF_G+R zNDqJGt(URA@Lm(2a`MP|8dUPri{O;jxn7D;aIV3p0wqflDS|cIYAwsP z;t!bl(>|&9+2qw$l73YUj8`a?Q7iA~O^Zk3t#MwrPy`zC7X(s(XjRUznsNjT;u)ZY6usS}(IRI`q$@7ij&a@RJ?}Y7v~D{!+v8xXczVsa`Ti4n&ZR1uMav9*Dg%xkZQhj zMt#J72GEUtXDl+^k2R48B`I()+ zYyZXAdyo6NuKROe<@51%7?H|Fy!4L&bIjlZi$v4xM6k8)C$tUfBI!?Y7}>D&lB42m z`#!0NEr{j=#+~U+v)~w+D=)*GoR+0~Afh10clqfINjygDg)$u4bg(P*+lby?TB@H*lCZAabKvy6t-Dk)Eavz$v|< zNqG!PK0*?Q?n8}bK zR^2c>MA(Z=51D{jQD)*K*pXA-qzCMY?B^NfVa*7ugQ@hQ4Yqh2OM?$144Z^I%l`AM z;>u3-5NB?YEs1YxVS^dh@&vu5wAaR44I9EpW6S3FnV7tfE!T~Sz`i)07GcXBu0pU%d-p)qlf7 z7}spo`URpU);t=>@!MLpw5CW=Ah+C&jP7byRV%wHkIDO^S_`pM4=Vt5(?zc;P<3Zo!yU?J_$Ujr)`?#wFenZc zybkE0vTuHwJI=Dyk^LG(o8a!ZuS7Z$Y7hCEAB38X_}fwzA@Q+D$wu>=aY}VF7c!-f z>&=^9lML}MaHZpy=im7)gBaQLS_b2#J!kiC(>9;TRGa1Woy!FiPwV*;f1mI%!HBoG zj)dw$`X-Lok;zWdMjOh=FKUB|^zakwLi;~+-EjI#iJEu{FVth3+Ss2PO~6& zvQRi=99d^Wxdzt!{cH~QYB~l>Ng%WdA3uTTjo;S$vdb4G{Ul|KuwfN1XGBb~NG9-8lNWTM#j!Dp_ zfg*zWV`V9wlxO{-_#BOoZUj=a9xIUiAxEaC%f?p(8>~-wd|G^%mtVsvgz;&4X_(g1+XsFolZb309$rsI3B(~rBMBel^fJzDrWF9Tig1G(JD zE0v}N_RURkWIb3F;j??Lx*?aLUap!^z3q9KYomPXFE`UEEzwZ1dnS~z1K;nj-_Uf- zxlo+hs@FgUW5v-(=reTmmF$HEn{^IU&8B6)rnjpy_uAhGk+mOpJ+*fFWxwxZa&t%h zx1BFHjg!5!O`y9M4W%s#juEwvB8gk|<1HV+IQud4V@tU5IN^4~H*CFvecyMTa^Re-S)NiGXJEZ1z>Xl zSViPa_{_JhpFeH-mM3$%T$N}yR%pcn*>b_qmC$?Dv}ya{7urZe7^QZ&L|Qe;}qj$tI^k`qT@yO%7MNotnq4aej5$BeC}m3;W9z*ArU5+lqY&fV3u-Z<2ADcaO}>_04BybxKvo;& zOK%P90G zHo8bAY4+57fGeP=0VZ6#u=^d0i`YJuvB6>R_fOCeA!QT=!Oq3T8>C<3Dn>93fTEIr zp(x;}zn}*&wJ3q@I4lh`&4?bfEhD&fC^>w3>(r9Hki~#u*G!PJ2;m`B)D6jx&j=ct zvuWwWBIDL8hZ%mQyTAQ+UzJ_mEb`&1kXS**UELIG5na7=+=sat}E>rL3S z$kcI?#$17eApZdfk9SL%#LRn*N|g5Xxbk+r`hpn694(}*L}WxT>$*6ff%M>-?q&B5 z3@I{IH*b+qeYEn_XK<*cpL45Q=Lo~{H)Ho4w(-Mj0UDI>k2>f!Zw5BfPi}D3suAe1 zm%WAdUGUX&sc5v(hM9Vewqf~F^RN|L9A6ZIeP7G6aKdwG*he23D6x#z4JW(vT;v?o z!!;+yp!Fid5eH$@%PqMj0=#8B^J=w*dGA@0+-D)r)f`MX+3cIXmgLH|?mk3|{+hio zE986Xn}To9v|7l(4xNO0L;4aE^lly$*MOsoJ4qXi^H3o6Qk|L=Z9{}9DVBYh<>8t)NAXLmi z#f&oe0W#Rq;u99yCWSQipT12`3;E*Lnn8MlF{Tq9a#qtVLB1Bs4P*5O7q6iBYK}SL zvqUaGkl>9B5+3cht)Ee%M-E>%;f`EsSJ$|JSgRaJ=k2j`-=kYWU{a}*NlUG^0?s0v z$DU9-Q1L&Yh~6moaMMeplQVmZ>HQa84f2%tkx}>7p3-cZ7Ia~C%4{#p}c0z#_AeB zMx@en6HfMC$$VEkHEEQ7mhcQ4Xp=_3o%hzv#@aX|-}S1gSc_Bm;5>xJ^dXf(fh)Gy zLlqgK2B$V&$h9|Y+ucvcU1qYJvM`iJJE;G)S)Qpg2ZRUoD-X+c<))Rf{nSTKn`6KU zGRi$L^J(ssGMPMD2BHELoZ+WZ3jO{FcbS=YF=`NhDKO-+*$}x^nT0r(XIM9 ztb;KKLRP&!-m*}aX;zyt$sm20;b#2kpY+SgYTkLi3?e@8A)g~?|9!iheeo4v*LmAR zNPd%xJz3T;`iVFx^DNWNQ&$D+?43T zGWAiHulCvF&K~IgIH^x)3E!MI!O^BTn8To~>Uy~hB|7KfR2ab6l!_V*VK^%lP)p)f zpJZqdpB)3lb(+R7eO)QonS8gVbMSVhB3~jG;}CRenn0nzp%Fn!uvL$EYQg}_PVE<= zU8UzxCH)ew%x^8!a&54Qd>t9Mtn{ z%)}4|Y}d=@Xxn|7D`gcGXspqaedFlpI6E+I!x^C2OQ$y*1S`=C2rf0*SUY9e$1XUe zW+y-WbJ3;+S%fJ? zcxIf6i$v|_=Wd954isrR=a>|sojyq=9Ny{_#<2M}+Zmw|3;AZxM*RRVHz~6DaP<7I zp_9#&x^Lh%;^SRPe$EV*I*9^0nR|k-GirOWdNP^nNULnb+iOC4iYVgLD1^tgzT48} znLk)BJ*uHdMrBR%>@zP$2Fixj`mB?Yd_4EIdm|2y5f@uEcc3t8j3ymHFHq3g=q1_! z=Pc4vb$5m$^(+5`K2o*w1#?TN7yG#75v)Z4r(6jBsjYEZ+VJ5xhX>35!%C_AVh<5B z@f6Fu4y^?*NLip<54TJ~SCxrZb1d^>N5RqH9mvAY3F4oeuQoY=z60&Add^WKWy2(P zK+O?o`=7O?f2{bDFPq~{ho%oX6i6|*F*ixB6Ov=sdH`0$0EVMqG<&$#Y#r2C^$woE zQMP3^ji7c3->B;}(%TZ-36X$$z&a!7Sc7UR|);p}6v=$e$AY?DDv{ON~t?4lp z_X&YH!6V1nI{x7gbcq)mFNW1{bRq}Tb@qx8BlYv{>3_M5BR_2ts`)g8_H{L+&ux4q z{$Qza?p|8^OX-8lv$;cnZJoW0dA>R~(@bU$DRWKCd3a0FJ;qjNOQDyvYp0Z^ld29g zoqJ;9v-MLB3fs6((C$g?Q0&_&V@mUt2J`(g6FwPWn}8I~ztGo4vUL?H_b(G@TKhmK z&|GP2z<~yP>0SySjPvI`!x`<^R6oHTU)dgAxt!yCY&Im*F7hR?_9hMRXg_ZGLLLhe4g|JqMi zwoDC6PJm?NQkmq-mu0#Z>~UPlgDk8jTDxtVCqC3&V}cDVOt`j=d1}UTCw%(TYSeq~_v7y(?tIUu3uRiZS7EQ3Bq0?U1y2d5(Km zf$D1c;En-Q#;4JFqjsgogvlqMGlZ7>`2bM4WJpju z!jxax$Y$4U8-M*Lg}C&;%mWeI#M{FpP~f;sqE!7@!o%TBu<7R5COPD*8ZfPJwwz%a zhbj%o)ee|60k61&g0dx)w zjoPj__jibQ_MPC&2h7?7 z_y~rH5BpyrzSyI!K?}c@gQ^z1(RJYG}Upb=9wh&jFpdsH1Dn7*;n zq|~_4>jkYUyP2Kgyuwy$lcx7RyEElG*X?Q+9@9{(n;NwVwilw9%5h9wNy7raF*NFk z%y+wj@zWy-k76^eK=b`s&G+W@tS^lS?)tE?yn9E|*M0}VoIt78=(JJO5@2f_VvTEKBy==7~{)Uhkt{bFLtv}G68QB+QRw#Ym3rdVe>m(9=5|}rIU=0jAVYgTNKcy^ zyXDYy2>R5vTjTSiXFcO8}Ej=Gg( z!Z*)h3$ULpNQ;Yk{~!EVR_aP4wJ807Up(!b1UveB1vLKI_zjr| z-J8pFMAD2e4I916@2$t;``r-&&ClNZ^6OdLUYB~Yr0M=%Y|RM?YHA|Hh#fS#$ubXU zelttb+dKLU^HKZdNH)f>rF&)jau8Jn6?fK!#chUt(5g6fH6)|8>$vG?$3{hBQvII7 zQE0kz7tVJ)&+vO2OHU5VXcBE&5K9LMMPP9U%-pdjx7X7oJUzN^gnnm?4j`gfwkHy7 zyMqa)T4#A}WS~G-{GAvgxuJr1yv1DaHEonDuo9-ZdcG+_Hx^w*HqkI-9C2sQp>Z~N zmk_~Cg&`~bQUOeja{|dUG6&9V4Ea7;NwwW*mp3Ujw|+n-S^mtc7feCaLQC`2t%F?H zki|Q?EsVB!EHhVd5A^mJA=Msb{x-b((C?)acOc~e>-?!Q;*dFv7tF9m6=-L!T6gbZ zmDh{Z@1pakY*aYm-Fp+7)xokt)8#kLmzx;;2WHp1eKT8b14DN zB|S{+S5j?zL^83=G%ZvE-}j9I-2bU&5o?u%Ne~f#NF-i&v+_cgYsGXyb<3s`+^D=2)Xamfj2OKfNg~O zKvvX?X4JpFcMfj^Ofji?gf9{;L5T6zB4y^!bpR8ykwau%gCC*7RRnt3r; zX%h9-cDa-R`rdJs8=2oIzQOy6lu?J-IxW3e$UnAKz`S29q1WC-c>Nma18~K;e*RC&o0ZH;sFjAd-08l#%ryhe zinQW$SHzXD6RrK7zs|D>mo!EG(qch!Rz?Sh(j|_z^MoU}s(T0>)k&U!;fzpbbP1qx zxyx)NnE?#7U?+@7mTD);HQ^)jbZAhhs~y-X=Tm7c=p?b7F=Whw5kMs|nw(hsS-tLP zI{B`fW2CwdnTVo1N@)?eMRCX=v8=msF|K8h7G`#eVP{FT<(?JZxnzwMXivb<#&w9;wt^p!`!}%$SXzzOW%r%U@QJnS~~nY zrt#pCR9@v6Be}#)$F!sGv_gE{oW8F2KSSf0f2D_JDlkB#@< zAD2KwlhGoU7gDPvNGA(Bvzq%S-;J=rR>z=|W(u)qmb_u!B{-!{5J>J&wrN;L2$xPD zfBe~^d=};e9S)7M$==t*s^_&eQkx1o##YzEc2x2H@?yrz1K7mHeol5rm zoU!)LF~jPzMi(K+Q_jnSnGzvyI(SXLgtD9NJHI*K|AbOR$x#~w^^HeZ;S}QJ&KsBX z7ac_rEZBKu?Y86ycM^o1hrfy|nQQVc!ayM1^QKF>C(-q%3}d*4yrfjsq;buMhD7sY_Z zwKF(Un0Nk!8U@Z)g`IaD_#NS4oKpxlZ8B+o_@eTE$O1h({3wke$O@AWds$9~0zwsne$IJ$NI zhi*aB0dTso4Tw7g1v9A3t8$u~PKS2`Pa!Z2bfbJam2=@)^~H;TC5)(#qW-C*sHD-Q zu-(XS4&r6{Ke5hyo0>x(O1|Hwz5j_)o#5CcY>Yqua2vuETP`()ldE{aT2!($heXf@ zy^gd|?z6keIPFv?Mz`(Qa=L#X-=EU9{5^Nd_HXeT`wzW7((pg}I5_NnH~-suxWB?H zTHbjGf=QhlAqNV7Q1wU|nEjno%bCLuBet|Na|-N>|95-co>)Es?6shKF;k2Rk~HMV zud)dPu|C3NT}iRd))l}~KFT~?s%5@BM$aJUR+T{kmZ;2)A|jF>3!5O4KUv696Z;5f zZsM7Eg)VKLE7EOP)5`-De*%%J{dpGbE~o`Jp_}}#87gNWcjwEu5mM5`9WP~@CI{>l zNp)fEVnj-R^?08J3P&-@MW=+OucXUX;5Q8X5Oy;FGDVWS`(;M5agv5*+tr~DwE8M59?phW%<%Z8igH47?P~?Z|t8YF7Z(HAPCPV%d`+Sacv!T(QF#}ixneoLMVU5#gtkz-h?XGmMX3d_@e_Ed^V7LgoR zmO!+EEv9B=ktFE8=1MO}7!lgNe)z0pj|M$|lJ9Zrkzao%qQI=B+2~tF8Rdd{4chW@ zzfyOX`m2RzHcn2U+oK=9HWi4tk2c@1NqDNRrpYz5KI5IvVmP*E5Lf5K87e$vy-|fk zE-Sa}Q*Z70TW>VII346CqmGIYszC|F9s9W_@1GrCGEacY0R%h!!rV@i8;K`ZjD;y%VVx1I(oD)EdZ!)&H} zEkt5l%r{q>!&s~!d^Dx*to(4WdT(ZYxidn(FxXpuyzt#z86c!te`Qr8Ds_E-`__&q z11Fi&D7%rI6kE0V681*Q=YPqXLz86Zy#(n|=RmAq4edEvmhwlCale;qh>igV7V*YF zC_)nhsCO*1>X5GQh1O(;KGF!wb1$gP}< z_eXW2`iKf6_pry=ADh@GQ+PKe4bbXFcPo(} zfrNBuh}x%)=_;gMgaR4UX0u#=C*HQUhS*buPd`^mWadvk9I_og#2gMgnj8*;M@dG? z-_JGJnvit2DMU!Pi|twNdjg0S-~S`$lj5A^rt)@ijPQ`nNBauMAsNr65~OV0;^C(y zx>05+qND0xcV50n30czKj&QfNgvT6Eo@_VnOEdTmD8yi~`^_?jWp`X+=sVuX%wl@k zGIn&SwvNH%OVzg@veFOXbiR7EnX&`O_7P6_Qzj7g+zb|RkNGV=u>=H~8O14G(~Q-i zn-(8paGL^)NHn60jzcR7LWr9;GHP*F=F#m1n(A@E{tz-vpme1*1ZQL07ws zSz6^rQMfaZworq!ivcn&n-sybV`T5c85b!OVBikk`}CB_w7|J;2%(0+G0$bB_uINK zA7uUE&EtD1W1e<(zuf%fq1r`-_YQyU3E}?9UyLEOU2c3j2RFtw;?}Wn$M-wK8|;KB z>RaAP=?q&a+ZHELBG6=6R&?|WJ#>DHWC<`zlbrnefl3TMm!uRRi!<{^`YNiq~D- zX%_mX@Ldsg4?!Yt^;d$3+trJt=lgm95blN(etM|C_eC*XU-ou{h>zS8YG1`l#^+@( zBN+qPiN=IqRyRm@0I>|6Azm{sv$8@{=r^RSieWovMZ7-kbXNrv5u^7TJev5=KXRi zEQfPf2GuGf?oYCyJXZeG)Bb@p2|bM$OZfROBw6%*KaDdS)q6SVH%1Y(Z)$6q!N9Dc zoQ&($I3DiDFBLv0DziUK{LW_m#>;|)(q~13yfytI0T}PZ>kU~q3)y(6|*lD9i3=sB(=aT{2t%e}>Bk*LdT#L;^&`>)6?Z0#a zj;pl`kPb%zxEH3|C=<;EuA@%b+Oxu%tJ7i%Jq(3DLl$aSa^=hfffPvEEHWcB^G|K- zL%e;5W2sH)Teu(y(nZGSPfd~>!zYmNkj6uEY&(UW7^{foVmf+K#6E}}5%YKy! z{^5TE`J4bEe}2%+HaT=-g*?65zh?8I{n-517ka2;(`6SiZ4#xj1kLa2O9eRmzAf9d z`3mWuN3DdXc?+t!@)9+E?$SquVbN%Kqm>kc$%kS{V@H@@#LsLQS*ZDj>*Q~OL;s7? z<*T8EvjHmp^+iv{7m>7QU9yIL!Ilolg*PgcP8|jM(=>e}ytPM!iOFdQ)&q1lhR?Kx z-t01+p>NzjDm{48e*2#2kcaQ__L`)npPRWx5iC%0-t$jlPRu50(}EY-?(#+7$*nR6 z6kFo>T4r<2T;@PJc*0;%w2;4{ADKRKg7`T@2`#0_S^S)RSu2FLM8PlLkK+2NLs2#Qyf9ZSC!aA6B zi9VL};IF*~>PYj;6n$S5*UJDAgdoKpA0`3na_k+PGpW8TXodt^e*50zvk8J_sTReC z=CBo_-*`6M%%1}Y@4sZy-`%gA5B74jBeeLfktSY`phg@6EsT8=B4rP0EkF&j^naM| zK$$)%`OG*m#&u?ZA5sQ=Y6+_meO^nQy5~^#^)Yl}ss80B2O9q`lp}wKR-*O$<_YIn zaJ*9jE|ILEF||!w_JFS<4%>V!7O2KpY{_e=>$gL$Yjzi}FEA|<)DDi{YyBskeItKQ z5Uxl5GCMW6-yBI=FxCupS!AZv^zMu~$yh|7mPY@G^w8}Ds zT69;JPq2Jkeg_enLfnA&J+kx#yicK?QD!}1Gh^rbr_(3PJm{g@?E`vWCqQ?DAMU7# z<94?^cJ$bsTQC2FzZ}lrJPALEE*}~kKTg$6vJrbGP=h-7Hvm|UrA+&~KkCEX3uam} zGmZ^yyBdFMz6f6c?}!q-$b^mKc+&a1tR+rA%L?>#jx;w~ujT=-fJ-^OS{BosFs4|L zoc!K5Xt1BUQ~PK;1W3hrNJe`^c1pg2u4Kc;5ah_H)w2EWzlXHr@WaR%vRjncQ?u&l0}S^z0l+fAWc&4_J$R#Y_i?t zy9s+w!wmCEr3z-|`yH$QHJLWmL?H(LiSowz_&dH|QLN&7{g`{B?G*Z7?$l<^q=+VO z{34_tx8Uc%(!vfa@$5%iU0D?7IX^MQVpg%j4DGy0qi;Xx2=VOfs08l2_FHO4vNypJ19lv}%<3JCE8he53THNSV*} z#?dq3;n4ApFdB#R{YDuPkR(p{zymcgK-IH&etpo-*Zk5ZR}pH}{qbmD7eDfaOi~YS z@}O#Q;q%fa)h|??)p_+E*AIc<=|EA~+;4&s=S)5RybFxvv8JPVLL+ zfu9ckL$y;^z*s}5%e}*oJbt7V^kEko?hZ)gXPM!R6&}8cLxqj5I@5}aTi?D!sqMXX z&#=bu{DO7X1z^}g65V20A&0LPEt+picMlz=UM%~vPMrKa-1v8AXs-3b_5M&>#-#um ze9WnEdVcz7cIj|*`FES^^NoyXumR{oPHgxxFW^LU+95S4XW_w=5d3oeQ zgGImMY}`||RUnw1;!ehvP5R^uqKfLhI<1u20AD%z*WD;@MbMuN}dREIz zVKjH;knZdspbo^AuQ&ej#rl#l#vnJ@ajn$E>Y-DX2Q!V-j{}RFPpEg~KYdm-*Khq2 z5~MHtO1i*1ZsOqSZ>J>%y@Gll+k*N6USN{f4S;=K3^DI16ZOpJZr_i1&~mXWu|V)M z>p?V3FfclO;5AX_07k)B7lO4wp5nMb;ZGd;t#rNOo8|3-?@n)K zQPf#Dee%9hw~PzS>;}m}IJX1E7o{c+1sg@r4vpS`PyqyJpns``>&+uz=yjAZldtvc z^TE(Mqe5s+M$wzBpv(+>5{EcfRz;%|>3EmdN4UUNLWkA|I9jaGUYOFalt?UF!`%~P z@3X#xc5+#>5Ow0A+V^+m7s5SzPO6s<@|byJuNbF*P`ry#`8EY`*4S`YBfBO;_&M^s zw0uqc9mame3OUVA-U*r{O)*nI?dXSIw0_{-KRVuzMh{Qy+o~rSVQ*dD#%E&b0{clU zAvFJZSGh*#&vzSMe?EVn&d1CAEkx*GO3> zikbC9_*j9qvLP@HB^j)M-(V=&Xgkb|gnx{dn$1~!>5n~f`F-_^lUqn5^~FB>FX18; zJXTq}sXMY|cgv}sbVY-j&!71+fBp{>l_kC-+XzgU@Oe@a8x!klGu@SlE44wSM=w4B z>(@DFwf3>n{hKYz`r*505Eo6AZL2B&z2QH;$YgF3K}VMngQ>uuiYeaEeOoNt1xz~r zwhp^ZZS=n6F|^DIfWuX(g;!cGbo!z@V+HX*#fJc<8vl%r3T*TA?>5sKbA$Vp5uyEO z_y2hQ*HL`KDqC`9Z0EYXvf+_Yt&@q~5eYpBHFu94cO(7ZSAU|7zvmkdwnvs$oBm5j zy8wI&M%g70-rn~FeAn>S)!ul@<_8L902i=&U8-e4z^eq#JJeS+oH{D6zOj=tzY5r- z!Lt+po3Vajc;_3J-e8H3lG0~X{+It)f7c+{X20`X*R{UgpLbwt`gacX*{U_)dG)K(8e_4Kto(!3m%$C|+70~W`RNKE4XP%&e(v8$~ z1|v!nkCjX`P#nA+S`!);be~R~6;L-#qTM(I4RhI#`E_?^(1fW2H~qLs*nv$Gy}9{82yXCRBpv44JRr(Uy!Uo z*)=eiBH)+@r3*84Y?A!@9sYieXtK#FyZB3BkVwpxrzPV3lcR75lkDf`j%$4h0^n^O z;<3wC{>Z;?XTg{$N}Ek^{IHdu;~z(G;8_ZcU-OOYU8i32>%Xh09;D2=s}wK$_D*ho zzQmffl~qqPokX0WM{&qn9{jhVXCB)>FBJcuYs;b00pk-&N#eo<0Q&?h=wtYYf`9C% z|97rkPL{bRN^SUB?VksN|BDB3Fa!P;-ddsmuatfM&;KIex1k|GvAulA!tj6O?keO! z)kzyavGYI7@1H|~{|L?h+dq`$2HZC)gnIOU=I-G{Z-8<7GVa8G#aI8^oS6j^u&mrw z-~VUs{#GHNec?f%b@~5@$&--)%W9d`S@l11_pi)&53cfvxFeqa{~Z$kdPAT-u&lHs zJbC{!cYi>xqNY{<-`b2TLEy;Kk=2g;k80_S-mA47Gpk{ux{Aff0Kxv=^QM0BEqaJ~ z{iU$4&2P!q{}(~xzb-@=1rU_9g8pdYDKiCb-ftow{(Cpu{pXL7 zvN^kEgO>8A0o%ot}9Py$T`mkE8(7}xw9rp}OB4K9+smpV3 z_R`fk{~r3UcnSrR^DF>{Mn-aNhqHN$fbpDufZ%7=O-3_a(mPkb++xry>t#r;Y#?4x z*<6FC1oY9PM}xzBuzT{-{wB1$p0hxr>-WLs0kCUXJas-n^QrC&B&0e7n>H$bh+=qR zPp+!Akf}~8b{u!%-#=4nf1$;72_Oqtm9%4k4ro%hPq%<2BqHJ4+)QoX#DKk3XR3_# zL8xZTuf=JaGnWUU8`_n2$^{E~4cd`fcP498WlSf)9c)*4?uIf>=YI8=82(Dk3fSu6j`Os68J52Gcc zKmEpi)=vY%D?q2bQ#IZt#b(la&yq2t_qf&>SUewJIDQj+z5Pg9IK};&>lWDhdLEFD zTH!R{_l&zd!KGAy5T%nO*3rhwnda#Bk$QEPd{YSz`fsArW;E~UuD>_SQ*+PofQxA2 zj=~968%?cOTjZl>Z~JJy`w{lv2CD!1foLB*Z=j;#+2cz?*3b@+DkEvZV`&?R46{O= z0%j^s9cP7xliNW1DhJv0?RtP>Tdm3GI4FB=519Dwsj%+10<>|RzMlX+G3uOprNzN` zIG~62D^Nfs=wjd_-`d(5EP1IhhFz!Ie`+a#n{hY6{M%1Y7%%cz^I!kTh1$C{4<&BMyZ|2%K+&~rjR5xLj*abe>z+d%OG^lO+*GmVHpCrg8= zd(4=vd$wB`IfD!@*SfmK+S*%P55ub<*SX4$+{khf^u~SqNj?TCpDQglXs-hZA{o72 zww|BLf^+igioEu|1+qle3>;+G8}(<&6W$tKO$?nKV_*&LE%%V=ecvt+O^PSQ+o<+Y z_~XXx&excXZ)=D7PsT+d#d8QP+;cz9h1@y2kpjd!jXy^V&~FQ${Wjyb&xkqAMP%W7 zCp2j(^JO2)@A@1zuaL;{w#-mibE#d=n7MqccR6N0zdCMk^Nw=M^8vEaa$`R83-ezq zw!rPW9++LagWX#;JzWVT9eEOo%p?yuIrSt@s&#(NKi{kQ3uRZDAzEEmry;FE^&HEW z4GW3Po&Dbj?w|IvUBeaj{C$NQtmYAWr?leBCVO5x)d>ezNK}r}XrYVN`S#kMg)q-u zad!0!jR3!sV?7Y{O0mS;v8?NzVXuXPnNu1o;$8USLEGi-P1VM;5+>)cSLCvJ6S@ z0~Ppr+On++SaWk*8swl<;(M`CpKBvSJm}dn-M9w!s&%j=IAp3Ur$ zL+GYwZ{&XTaUKs!?{VyA$jH`C3LR>%jLdhC4%VlgB-~fu*Xi}NruO}NDZc9#vSCcK zl!SFVDJEI{_UGQb@ra+ghl3+^@(gxk%`u0K!D<$F|I@MMNfUlqRxA~6`LviIUb*i( zUq(`O|GJ8*rAfWd3T2uY|L+8{I(j}{vnxE;f%xF3W`>Z{L>k1|yS%7#!*$$w{5S3- zUa(<0GuuhC`0B;5`fG%i@?tZJvjI$hYU9_^0ugi1nS~fU%}=G}D`dZ>b9Ij>G+{jY zPa*$*i(~)G4_9B|b>{*i>dk&kWlS|Dm?qm^A4Hq+{)YPU)an>e-LP@%%a&h*gokG#ijb?zEpvJ zWqFkp+Ep|LWpjQ_Vq-qxP)7ck3(b9P52kWug(;uWdk_bQe({{Ov zf}r&pPPA`&Lsu0)=FxoHP9W*2827d02(tT^(()hwt^#r%2M{{ZwP8w48XVq?Da*9M zL=U&ei%gb4fp`S0z$}ji4}tIKK`MTn`i%%Ldr=gt2R~o2K5yD_19!$n{*y_Xi}sGV zwL+E3LEKM=gy{;abuY_DhirlGc@6bu^oNRdiVD7|!B(uMD$Em#&G-@D1SLzc3ce;F zcu*I!XBb8DM4jU-7F>R3cb_+jM{oXvXS9)kh=gv7Jf0L=S)3Ieckjnx*u7e1q5#4c zZ6Ck>0{c1yX&(=?Q3`XVk=*Bb@lM-nW9=Exc&Xj7b<5) znQyd2=h97PtT!fJ+skZ$jb1fP%ndXc$k%{OHyY!~lAmoC3fr+0kkBL&Ks8*#Un%*@ z%aPs6eH5YRY!vl^8b>(&2pb%?R@Aq=wPJOZ8yn;s+4XcpG(iB_Z#gehH(;M6rd*Zr zjP649SPA`S`J%q!eIL6Gc{AnKp;>Lj?j7$z%q&t=;i#xmc4x2cIxQ#I4+p%T8#m+~ zXj0<@J%>K3j>wOS=wThcP*sEm(Ej$-t%h(FjPI~=XxHZzn+lmwYtYe7+A#SS5Wh1K zsY$E5NgvaUaZH)$yYlx7i-OBwG#d=y=Xmp6h5FC$65VD#al43-P%E) z2leMRS!L8(9qy*3Ahw&L%R+K?UaG=pGRjbEOk-GqAe>Tb zpN~nX8$77;=N(}xeI4>~o_oC>mUt_De=LQFR%gs^q|H1?tUXSQ(t6&^GEHPvJ;E)Q z&j~A7C%?Y14(58&vH-<4legH-xr!PT?shk|@-K_MMdXK)W2gksZSZ!*%1;_Zr}iL; zflCL^R$~gw8`Ba`<`eD;B7@~6Y^Tm&7ko9N+_W9s?MU7NNeGnPS82LrgNuLtHU z-ItBHO}F9eB>uy4$44mZsaaKl(a2k3OMO2;_2N7lv7F%7GIr}05qA+(>sX*4>Zqyl z$~5#yJ*Zw9%UNeKQ(JfFFO{!keCOD22zlXu{r>K>c~?JU{>BrD8V4cEiTiAJ9hAPR z$DbX4+7=uHVKxZzFsAj3du-?YdlJG`^Ox}=@GU1hw&E;ipv+TA|P|29qA_PDF+S6tKEAZgZt`+ zb^7a`1^$CX_7>~6&nAqkoqtpo4C)GcD6V|1HAQLvEPf=fmdsCvG!^&FK8$+2B|&!R z+9=`dk)F&3k}j~BPrmKwD~`4(_f|TazxT0LB}V;QaR-Rq@W{Rcy?=^XsF-hM!CwAQ zmr&&yMNkPbFRi%^%=Z6*vGA)NK^hO;K?G`gzjm8FMeaL_$w#3?W_=|oaB_va`Q55d z2aLH#vyV%q2(7nM&(_N&Jn6n!7oDiwW5I?rG(x?-cg7P;-OUjI1HX+(WdC%T>xRbY zH7I7+NW!5l@^4b~A6_rkiB>uEN@tlcCRALB^$*=J^OK#y^A*v*z3DA|ZoZtA@)Zbq zR&yUcU0rFKEasNCGZ|ZdHhM2|SbLJF3=oxCU;iOw7iW;k!1?5tZpjaw(o_y=eL&@{ z*nl$Q-JMhB?m#vvDK~R(B_*YH1iO|oP{KMf9c;!~+uW=$5pwJ}c3HdR5ZGg&!SXUH z!Dq~_=c+FS&!T*D55;O}1I?a!nhaj5vaCkr!-nOiE_oW#`Q`{ESwp`4l4Wbp9|E^;C_)`GSyb zZx1@!?ay-UyQV?+U|CaX;b?IqB8pwuP41+HuY?bP@?%qxjH@r#@%=}W5XKt~-_2@` zxNV_p6NB?RS{W-+FQGblZ`FYo1c#+jHeQn1S;pauVaJJDJn29PE>L6QV!C_nlQy4+ z80rPlA-_i}JlTV+a29vvUMmw&y>m+cLYvJ6$97V0=wp0R=39F4$!Zoscgrj(j;g;u zu^P2@3cB6@3G}5WEBMNSwU$C`(Qa8Jr7jKWuDj|8mB66nmkb!;TI=F? zrd!uMqg|x`4`=Tc)N~u|3%?>NiZqobQWO!TDlPOV(v+^!oAlm$jR*+R1p(>OK}zVI zM0zLG&-}pgO)Qr|> z=>PI1KDz}T>8ph6HK+ES4rPDeLbru&p0@V*;Y09yCwBC>I}9M5BGD%Y(F!$5{y_}t z08=#Y=7xM|eYd4|_uBFOnFg;Rm2>=s&dPIY=?NI}8z_ih`}({hEgae##B18_-RL4B z5A|smng8Ck#TS3qmXC3nkSHQ?bn0kvTMUHVs<>qpm6l=PL#TkMgx+tlyq`Vi`zRGg z9NJ;WcgIVzUePX?9{t5Bwq@WKZX5+*_I`c`2JyTF`rRpxLwS!@OzbZ%?Ad+li=pD( zoHJ~_C<8Hwu4P0 zDS(D~qv?18DlNn~ZI=Zg`#(tdHJ<@Y= zP8V!d85}zj^#Ic`Y|0t$=BA6;& z&%?=W|1%4~UmcYS6I6w@(jtg)x&>|#5cLlf_Bri;!c7|@%@`MP*_`DHoy^cc2l>B+ zS!!-=%z#Rx=V)2iZ@hKqy*}dW{u0%g=?{B{-?*23GvAKkNktlO#th$4Gy}TPYUCMf z>_6BTN7x;wjipas^BzUO-Gt{({Wakp`2HG_)f zjahy!N3K&ICKT=XlPhDHr78E2+61 z7Nf^UHKeFCK`*c-_#moK-Peax!r_R1$6n-|u~LzTGus!aqDafrnOEE}i{fX26&a(; zHs*_ie+EYIL;NSZ{SS0gZ3oA6;zB35=a)~(PU_A0Y(}#W^9^tCZG5Azv0eP4B#WUZ z#eB-&{>h`;=qk~_&$ zTOfpA3tfH_`O789tF3M~_??(p7=Lk9^{M~<;Sof0L%NGBzMs*^ZJDx)?GdH8SmQ& z?U!&0Sj)k8$2`-5j#lrpuIq1?0a<`F!Vo$@LjZE3Z8~1rPJMtYfXvKJCae$G7;)ToyG+@HV5J*62>^BJY`@_tDTp4?WEVuoIucGI0wX zl4ojE;y%*rjz&SPYt8RClt8ZzD-BZxY!FX(tV3zRQq{=9%56rsP!nh$J>Gv(F@Vhz zIKBlmm|&%W-P$j*!9`kKMdqqAkjvHhAO+}ia=iMBoY-{pme;S> zqS-E#N1Jw<|Dtb7>vrQt+HVq0p6HfGNt_hYfYSGQsw(}{(zx?;!n&RTfo)!(2G7zv z%DkG-HA%}OMU>2R|6!fX2sWYpq2q-7DW7vg-r0WXM{xEbb z32%R8K07-fjkwVsRKbwZIq0k)Ec?KT+sVO;yn~f4eI|Gs*9uqmg#~8E^4XCHc9-)(DCNb4Y<>eG6w^hp;&pM zABgbOfk6WRXGThP3iEY3O_b);`ZAFfcpUg@FSp=Mt9s0HUp*T9N?$D3^ZtDVWTrW9 zmBb<3pwtAhUwJpU`d8E+n>i|%?(!twNO^A1azjlpCjY2c|Vt`WWLx?XNm>F5218b6%g zBm9W6yNppSmA^T?QF>_J$Y(l2j48oKTbl97eN=YV8z_x}GcGwi7M3sfct-6-9?##B=^_v1mb8+S zA4m7vJTbV4Lk1_#u^YL+S zLM^vkM#aAz{d4g1g!qi|8F3H7!lWV)u%Tje^+sA=2GPc3Z~TfGQ)@fuY3FC4iwPP^ zP0`rRnVrWjw3sDb9WBu^6Q_OLT|qjnuY*49TpFctd4E&r9Y?f1IZ-pEc&2R+5S1JI zSYU?wnE&T1edV5z4z`zorqZwVtQ4`G*5>Gzf3&Qn2MIdr-RFH7DC@ zlDeEa@&WxDfCjAF!I{W;bG)UqgzXC60iSKWXVPF)#c@5o%k3BIdoa<8aJ_t-X%UlS zU#{0FbP{Y4RO6O$FtIg7nT1m@7Hmd&`C*q;RpOOt0H^ERh1txhJZx-@mHykDSj-uB zOUk>UPbJTSz`o+b)mTsqGfffUvOR!Wqvn9SU`$-y*$>V2!cer#G`cWSA*p!qFODsm zOQpN6c@ujVe}VYW5t9ZNbwVuAyStb)%Jl{jQ)1oYYl(N4xBJvArGFu^{g+wQY0DD? z(@r8LVGjVEVr}ukDfUi;yC?f!&mn`uDl>c;++0ICLS$>p6Kxjk#nA3XO1|3x3*{rG z19kdsFnBIrL)giKgjQIcND8Mgzi}p&uh#e3IA!=AcC9sgZ6i1?B0}lc*=2{98FctE zos%LS!CJXKaYXxA!n;>T1Lpn=NqiWJDRuqzHXn>%`OcepqD<5lVQ_N-lA+K;TN*#8 z${19ddFl(CC*!n6xHyfw1li!;s9(Xul6u^%E)al@VCFM=dy${iHjAIh`_iBRbs{XP zs;p;)e7f*u%--TNQ|X|3-iw}_pIBjSZ+bIc4Y!=2gH`S@!WKoS@Q1f(Ff`1dqIed| z^0vyxfvgdC$!xDAk2s|8RjAUEI7;7Ym$AaZW8O+&p}zNtB;>od^OCI?l^tKb8Yt35 z7Z}kZAf)p-HN%^lt;*JDz%gZPXP9M4&C~$XBu}`+dK9a=Fw;t}FP{~O3~i};Zt0~6 zLQWp0$F}bQnguwS5#~dxOH%2V20lA)bNYWXy2Ki8N4f7|$RI)7gp2GwF{j^Fjg;gF zg6l7qF8@Ycl9BOMuh9x6J!f2e1|$+ z=v_UCOb5f0uMToN&-p8xn4B0h%*>X{j0b9V4(xg_H!FcUupM3eBrEI(BO+$j*S0ZD zc-moFEj`D*a`N02XtR7}Bp*F=vvlOE-|S?+!A(qQZ*Ab5^)dut zL6pdE1dcS!`f}CLPu}FM>^LIt&j=Q}LYtU-ge{FBPOfNV690nx!2;)?y%6*Nhc)>h zu@`?|z2&axb&uwKdKSDsB z0YNENGAH01XaXvmnWvxTR&|!{g<*kjTEdNOm&Ix0hIEBpxS5vdV8@dgMQbhM(MmAk zw6u#MLWnV5SLjKep$S%jBz~}Dh#|f>;f_t%fd=y4iV^4TH+v;cDChmy+`xOaWZnIT zbl!I>hRal%zCyf{+8RO*cb=;~wj0;sSd{M5({v=!OZR6c^h}TMfNV$tgG8F>tqM)M zp0;;dGh77;;u?wL%f}fvHsNpT=r{iAw@zqLfcAgAJV2#d4yO{w=U71z!j*uv*zmbd zI!&-KuS5?;aM=|2zEA@PbzTb9kj|isV*ka=q1LEG=PK#DgjDX}LBpxAp(e1Y=k?;4 zD-EnS>{Ex z=?puXu(0n}SL&D0@S4G?{4kHxM6N6Xc27HKaShw<+4pa{0p#mxWo|Y59&qd9-|TN? z6%Lx^0(Su<_(oEW%23w`8K2AE?*t|u=vjr)w+cJ^!|A@wiipQCT{Ll0^MLd+Jxi=fvySfYI$fSV&?D4W$~OzS?`o$i&kPCv zk>uNQ)z|w|GJNwv7Z9YQE`d@k)vJK0?XuyFv5~x*a;<^*4#HQPwWb&O zR$rTm3o$n~YLe~6-^d7D80xJG-g_f`u~%ViWOfyUi15 zi>Z;Wj$f}Hf4UMeyWke`+xwl+5OqrX&s*2KuMTfCwy!)05sQ{pkM?w$V`O>U>NQKg zQlTW!@1LVae&Dx9T>j~AJ&bZ&ML2#yHVrst=c8G4s_PGR`@$_xGgkj2klC7 zmoYE4WO1g%g4h4t)$OBTR!PHNlZXAt%uF9%YM5OjfEu>FBLhq!%?6<-s82{wEcl+MnV>CsxRT)8X_4l{+d;agN~o; zLjx;Cq?)00ue0rw27SOw$xe_uzx|p7bkuv%4CRzV9~b3JL(RKvRpDQl*JCJ-b}-!`wuey?n*Tj0WkyVmaDjBsIe)eLUxuZr0n z#kA8UFL_z^DM~sR*QQQJZt~wc-*;PIdDq*>BxVHkE18lYlpz-T z0~+&d0oTs-fiCC%Mi8;1cJY_Q{cp->2liB*CE*2)pjx^cvvPbDOF3P)(l5)0yj_&9 zm$i-to=zW)&c-&scd%$@Y3q`3Bo9NdmS3L?kj-4J=>wFL4$6(gOnN`_cAo&&HlUhh zmYK$gqM^lz;_K9A{9DLD|FNjloe-Nac9hhc; zof;>`?y`BPfD+1aTFR_0>2%u$jpk~H=vQKDP5HVTh86B_IIotN1t{15t8VDOf5IU^ zMkrESb+~Ye*x;=Bms>9p~!? zs!z)%lLd?oNN(ezP?Ar|l#JHVPXQ|Vn1KRyqhb1C!}R#v6>TnwBvt!zqZs~X>QlQ} z(HRd*5#!JkRVbqvRUGa7un2rR?$#~J)GpZzr3S)3dDAx)A5CMv6>ma9JS_imnl|O_ zesY_0BDbizy6^n>B*BN>ThMfjqTIb!MKK_BcBCcC5Mb!iupYKdo*|_N1fk%9Ls>ugV3hpOUjkstlW83H^bHH^0h}F?CKLrSJ#zSRQ<(wudB-<#Q-exp$IZO`*I6{KJ+&c6{udc4I9}$>h=I;KUtFvpB6-M1b*=n z1BcF@;%3m^p(rM;`W)Qhj}zk#PV&2q%NU5r!R$=6j?H9#rt1^i41wkKkRaSfDh&FA z@#f-lK@;yJRTc?&On|<5S{wHG-M$Y0#=LHJVk^YAj}Bf;uPo2OWHf2cCDb!2rm*}^ zSxD82q{SI&ecRlLiEqyTMw%G4QsmcE!C$*Kr(eP) zx+L0grtRs|&m8Ap4MycR+;Le?@{(SnDCPL|tqXT`V3GPQGWg7^HxSoC8pP}!!Xpoc zzmeXL3Z}WW)*N`U6(siEBKJQ0N0)@2__yZ@Qbz1vVQ)eIyz%8R%5X-u_QYKrhdau> zmzPtO=!%Rj5AB~taqtkgOC6RzN6Ia*xJ@?$fV@2_+OD0iKmjCBJoD9GwO>Qh4yk-e z`x!!Omxhu~IuqzEUq4w}AZ=9FVBO4!=vRM7o!?6|?D(O^ig}Uk#?LadEf0I$!85tB zoe%51fPtsJ4Vby!)l1r*;?A8B3U8+9>RHzg6ah2(_VGz*<$FDp8cN30ww&?b)EehS z3|buD1kiYbToMfEUwU*65uYRD*6iYzgU8)z6nt({lxQ(NopD$k&*l*Zp-=+)&T-~Q zeT4^a;rd$UtgkaV%6dM1w2P$2=dm@pps!fvwoGrf@5w4bFV!CV4xvIzZ>THN>B6iGCSf%Z*r7#W zaE*dEL%~u~7h9xJMHfI@`k-5OrU^~6^$()$C*JV$X!jU8?K}uf8Bpqr=61~0Qe+## zU*kKrZ?rc)KT_#aT1S95JeDKsw0Y?xpHWW!kIK{kOJDPPn7rnb<|`YSV4>G_WsD~% zsedzk9`NaDrU=6BS#102U0;R-wOU$QHd)R3Mt(<4mvPhH@6s;U(}IId1*Lqf`2!p5 z{GMI|l2r}r$+lIAGWE)SN%AwinXwJbGs2zHGGmYK&+)xL)eW4!ou#B4)%%rQ#D~ap z=~@fC>Nw8v(ef2SB`E8Y@DBb<1(`bWWkc}WTQp(hg`2RN2aibS6ZW7U8X$M20Sj7D zw+no)6w$2i_L+E1|9Hle`D~oA#(gx9m3~{pJ0SFV2aGfYnT}tc%yp-C9=Ro|@-KTo zu$}QaYY^rn%$xrG7-qeFeEs%XRq0>G-a*dto{o<6 zmwar7033$h>axjY&u%cD*#SNP&}iQ=tyCs&5=R;f2m=*2b)fI7A>l`>>gERqdkmo}np)Ly3i zoM}Oh`#a`@pXT3eU(2A;A_6DZuovIUXwuy*5X;7uqRV%z zKax4QO*d9CT_0jDtMILa=f>9Wc!zlWL6}}(_J-4MX_pwxSl^adV*{}q=X!1@zc@vC zV7m?iLc>Crn>55&RC=4|g3b@29%^TC#mJKr-LxQQ>BGrPm(-TH@PkeTl_rHp;#IIS zMhw=w)XTSA;Ync5RcU!Z3$w@Hk2Q`u2$s6E>tYY|Bz+R6gieB*+_mi$jBCM&Cctjp zfU;h*w{YVxk}^R#T0mb;djUMld6_I1k)ywKzvbeNZ?!}}tBblP)M}vB$p7zYGlUa|0z-bC=m?s}6N*v725Qc|be`#anB$lHL zUYHp8P^}0TKj6QPT=_WYO17|O#oPMs^UjQ9UA`+diy&6Qk-^ef>n!MV*Pcf=_8`m9 z$yK%QKY&U=rNQ&o1}AS=z0HIMyGr~JoA=i!9+fW1*t5O>pcv>$pG7n9x%QLOVl=A9_k8V_l_PX+GI@=i>&(0!I=X)J3gZ`aI47;U!kC$V48NX$sl2{GJnmQ3R z+PmA&LrR>J=m^QLD1Wb3{l%csYQlLn(`3dY7>?YegSz9}!2=WZoX8MlRTs zvjjtQ4Cwp3+f3yE6u*l&s=`rZ8ZqqkdWe8=cMzO~G{qf1hDNt{jG zDk#+Nrg?1rRQGRWwtLwjVEp`B__of*UFs@x)(ws?aOau0eoD9T(foP_?Ru@CMp&O$ zL%Ffwx-84nq==aQhBslAN(sQUeW!MVr|5Pz@*Ev`M$0+Aw4llPLV`IiYeB48dnlFR zvRvq=!YAodUZa&<76G)kRh4L5v%L_swfX2P2Q{ria4K6=9C_rG6{6<7}Hzs{ovmGTB3 zs;^L~lzYWc++F*OW6K|7?p?byRqE%l`2|r#m3l@+Q-SJZPd{sx<}5`RwvF2ZN2_n;CuHL{)SpZ ztdM;qU3Fu}D^`^h@NN;}QIV;EMfVtd&gDhGflO}zaM^uL0+@me6-CvGrT&v~Y&F@< z!oXWwS641^*b809_Amu2Ig8`O%ED2Ow=i7VR2%UF2M#5_g(e%_XHIQNsEF`vAJ*6usG zkOCZyf84Vw2P}*`a7l3v%Qgm1kn$uvvMgS~ zQ{t;>^QNs8KL?$AY4j7@f!fZ#d%U;rq2>d{50=_L=6t&lp7P!24wG2l1q~+C1TrOW zGu}WBun>g*!scC+!#@OmC@HzO!aMF!ms(*|Tb=R1TsX2WbdkC~_qCnH3yFWX65u({ zQ|XG=$NZ0VOP5489u7$QA=w$jAJii#rXapY=Ls*f<)68>NwYiVeT}8c^ZLcUc(nL( z$7AlT*7snoN>ZxvTo((~QmJ(Vhb>h>wm^udGg#B+W^#?PkYm)U{V_aA{Lb%LXl|E$Eu?Y8;uL^(@3 z1~Y7krN{nL-i6=B#!@x*k%F1FG&X$sFt-BE*+iVAqt*R;%3a#a$7TclYCWMffoh&7 zU9**cr~dm*@n5}a9Em|U9+k?geI}*seIT)#10>&eQnBaGM2+|Ue96f|80|en-6mHv z)aDQJ8oDp^MK#*?t*eG`@XvR^AU=oG(R+GnA=;msuEhr)P`ECIx%t;=7lkUG9(YwT zT|vFeyJ05+G%rPc7%lM1}7scB|0i{8Z*~7AEoF&CWEYG`xKa<4o00) zKcsw399XSUf_hfe<}D`o8mvuenGSxVr<6B*-Llg&PRIC(yVm6U&t%(xg;ty52eOV> z@ys4m@HDqxL)?Zpnxf(0UYyY#5^fKPE;)0s{ z>yhQq_($+89SiN=LZg&9E5}b7oA&Z|#lkiEqX$7F_x}|F%JWIl-+t)r$jxo++wjSb z*1q|{%vVjPxl?_i<93Y?Zg%=Ed_bU^6U&a@k<3Jau?FYmh%7_ry+efQLw*fX7-soD z(|0r6n*I6JQ@odI$uk3niykHQ1#(4`rnAMCrAF3^FP`MJ7LxP*wpC-#KNI zrd6zmtSy+QQhd&cL2Hh`Xg@Wu4L!MiEp$-X+qcO-Y&0nk6>XlT@(gF9xeO-J0+YSL ztlHzNVRco<24!}A3GO6z=TmR++1J0v`#)S407^s_Dlxb?a&%@D!$0T#N2LWmk|QDq@x6Q)@X(#_)6-hDZ{#;Ke^$~ulEh`z6V8<+O?^x7euw#X zj;#MMwkr=l&o8MmREbmxZ7BX;&tX_%ds||&P0H$&F)jML7h!!IxEBg)>NI`%^=!*{ zL5!P9;kJcc&A;vgKOhAEMV0NSG{9M=N^HY8(s4b}Zz{z*v{JXtv#>-UO*tU+h6C>f zKYh`Xt{CM~JtcRr=cGdMj%y+;=jFRY-2zLu9e=FCM4O?_3(cnpr&2M!RU6Gi250`n)pg5mF=Wfkh1N^VD+Fr*fbJpzJ-CYLKw(G7_ z3=;7LqFTn>U{Fuzjx%j{Gi@gKu7T$+_lTq=qi&Y9{2pa7k*6$mRQ>ecixJQu7xMi; z)aH7NV$Zy263^A<$r0$TTI{9=YD@J}UpDyMpR^)kEbZ>Wy?EIUZoQ94D+_y&{`I~L z@cGBmZ?(-|5mxV$hwc@i7a5iw3H+dv|J)&ygY+T4>irF}IV?j~?iKJw1m%052v}6Tb6B zo3gm2c$KfM<$GL}&F(gs9Pax#@S6(QNACCGOan8NC-r&KnHsX*WPxN8TjKjw*5>)~ zmhKf=kxApny)>r}5nKz<9=+d{dig&-@{f^owH}3Kd8!m-=tJqv^FSbs--DVMw&2^t1eYqfTQp^kbT~IzA>t1vG{)C?f+sg zPW@}e?odh*hB0DF~yQwG2Flmop0DVcCjt0+n%6d&nB=7CONF!e6>A>tbr`2gmj$G%O z%+Ve4Xr{+0fMKvBZ^3!=q?wn2x0^=Cq{eA9`7}$t$7Ij$K!)I@O@6pe&(NpS_D^Yp zqCs6chD1y#cNn?F7~hMG>|3Ie(@Fu?dlktq0z^*TA#Dcczdu!?eXH>=BXsJu`LxYRl(IgjHF<3rJ3%kItvY`a)bu^?P(A>t^}y>BmxMt!O?Q^W zCP#x{3B(u@jAuirtsGVHS1Xf(kfis?Z^I)_kRvIm%9d`OE=<$()JT;0&~vvum$m0)FbJMYmt@*? zy@-e(AZdozHeyJf;jonZ#I*hVK>MPQ#S#49<&*3H@R`K=>6FCUjM=0LeLcI&DW;YZ zy=lld@4z+-g=GnT!%@>Tnk6|a84in=8~cgsG83UQBrTyb7*I8VP1?yhLJ_;88ecir zi+)A_Yvi8fI+QM(a@yG-L3N6smwCJlo7`~THU^^J*WLeG^ep}m@De$_)f8ci?hAmf z7dv`{L-|?4**)6)+L5%>h5#40J?Lt-PY2hBS{=A}wbO!*-}*G8_x%GGfx$6J%;0$*%OP)w>50Nn^emMPD1{y3lCzoh_c~eOt68-4`ZhDgK1% zRT+VRetPQNLk>`E?|x7PM8{!POy0K5eR<>elfW)5=-mBpO>PDv+cz(L;k?oBu@f9$ z2L1a26KyDW$Bry_{Ow^0&;ywO8x=-@-y}ufW31M4&-F@*)SmBMayGm-DN>t$)KuR3 zVbI&MN$NZPnUUo0ZZHd0YS#=PF3SYJ%dB!{M6fU+8LL0)b2X3|Ks}eMoHAxw-q8OM zb;Zx;_Y6u(8-PUiofc;VTYJnxd@8KDo00P$3)SIrgc~0fcS?R@k$6IJo7aiV@u`Gv ze;8>hogQwQIz=sDDX`w?Y8LP8$}?}czs23U>7YRZ48QT!m^5c-1j@&^Wr^z;dbM-m-{S}m9ovFY_qs9U_A+b!}>*V*t-3fjq&Sz-9a!(I>fD7t|F1?Ym9vwJrr z9@DOOa~T8Ue0F)Z%zIgsc0Zz}Lm|rQ&X=Ws*kJ>`_BA;Ub67sWEUySG2@ub6E7~cz zQZZEQ!-QTK&|q<}M<4#@@l`m7s7|Ac3w*H+CDC|k4W3!lGuF-P(vB{|6{%SNX46oK zsD2FwHxCTce-4^x5hfA${uZ)w%0Bx*h-ZaC=aZdcV)MIYY@b4%_lL$R!GEAq%!tgP9`AmpnSV=ivlniY4k)zwzwkH5dzMD?y}bf1A?<(*2j z##p=ksz{^!@Yze3s2Nd`_FCj1K@|D$oRELqmw>UF{{>!rQZ1oen69>X!U5az8d@yT z%Z|@@aZSUdzIwr={&BLvz0NMh!SwpL+Tc3+B^ylZjsy!mMhjCv9vs~<|5Cp1$0Nw} znGfc}*{I)%9G^+0J^UM|7#mtz>{qq({)9dp^~fx3zQuS!xE!z%iQstulZw7N;;Hh) zK>1OqRbNW1vmGm}sRIL`1BAreEKQWhdLA0<)LBa8e0oyhZ?yX@pn{{7?%nw|;-5jC zfqTEcwW>Pr(`X`n5BdVYh}gxwn}xb}S#uU6pUbGBY@GiI*~sS(bMC#bMu#*NUm?!5 z(i}ejQy;SK!t?lcg5o`jT#N}l-3^6mqX30!R6XWczjB|a!2wMlz}WgkNAt&WfXnTy zuu~I=ANR21fO8E?VnP_vFWU;1DS;dwcCoPmNaIF%xwAdf@#2`a=%*r{#PfmF{fS%u z^HJarbH1#n`oy{*P@eIm9AK{M>S_~ESUIqAf4RMNh@>NA1wNh3ijIm(Bz4K(Z&C#C zr1LkCV%yd-Ma5-gmOkpv)4r^2v14E>dlWohuQMGCXCI_?yEH3p&x?w>`JD}f?Glg? z2}KU*5@F7he@FJ6Ltb85ASRuC)eU<5h-S{I*YfuyGOxGoDbmpMN)=X4{8Mwk^4ChP zZkMCvae2mOoKMQ&z>M_fS;Wa@7wW!%hp$bs3*!h6s$y@kZNg-FkZEBe;&;Ueul0h3 zNNZU!`z#F*``&F-$DXDnug0g(I>0GDx9{?5eS6qAZck_FW;`9{b%GhU(e7Eq1pKDM zdZ5ay8gB_=|JB}tNvicKf4SN(7;;%+oXa<0*G8kc9E=Jl<6Q9>EJODbN1JBvny4CA z&kyU_In78gk~qn}4yL{P zae+#-nQdG4>Y~^9ys}QHCXmf58(AJb{|>xEV&M||EDn4&m=%9VbB^uIV7Qg%;Za|Z zB+J$iwd?rb+#^horOTvY;j_McfNJ%7yLYAK8LgTot(RhcTW!3XXbp%^WpNzrU74w| zY#+;97YuS>_x;aWZPmgT&OKvS>c6!tOFW$FZStAIW4pV-y;PieYl(Z=P!0FR{?{y7 zNLE=m-Dh*E$d|H|qtG)hhiWZp4ea*qREMF>UJ3dgt`h6vIlz$qj5fqXFq@DSRBn99 z_Uz%+p3$i_Yq9Csucd-F+AO-G)v2gIiI7RUDY!%btMmGTmi-azzC~;F&96S};`1in z;O%Mxu0tc%f^7}*ezbkZ&yJbZr2%#3u-3I+INVR2?PRH%b9%h*4a!>Y{|K&0ZP&K< zmtNjFsSi2=Pi|luftBMHxOpmwb1yQO>g;T8^+6_sRp8CKn0KexU+2a7ILvhoWMZ~O z#3PU3`iybMrB+PPvMsWD-8o6Uo%%?;61kGUnSR^U-^fOkfhjFOl(T|?DvVvsITHMg3yw}{6fOXgP64J?^F>8t0v#h~Q=pc$)TZGq|Z zD}MO0Z;lah!n3)*X)e@5%mn%U3`Z=y4-p$R>{F9(s5IVKEc}3v$uOydc{pqi=mPB; zcW@4HjEh0pFtS``VSh8X&)9ONB8sr&53d00M|%;Z&p!4MeM<1tuq&ONGkDh62`-8| z_$LXv=&{PN*2uO6VW#PA5QJ|-{>DtcQxXCpGr|zJto(^D2KN0U?&P8<1RnD9o4?Fh z5P0CIiTz};usJc+)NP4|nmQp#QK{MI$gbJgyreF!^a5zIeoqh`RJ%~@<|+5j|NL09 zf1+7C^-^^1gG{{LcwYEZZtj33d*oZCf`DI<5$XxT}kK_-1sC?2Ws>I}EuJn<{ zs;aTO6HcT-K83$mVq)%kw9Djb*}==x>YNtfftEHlDkdh`4<0=D1uUuCa;5$}{u?o@ z3e%s@L>2}g-mz62xHy+l`=W(h>_uo9F2I{fbsE~e3Wo@nUB4e z4@)HEk0!_{o|}(+E(dbBI9vLu3e|wPFicy=4@WLnD|j#-sQK_MnkX-mASW>B$Ysu) zyvq7OU9`gMa9092blC%%JK0m$cOpcZf)Xk%1OiSC-@PJx#-M>S5{c9bW#_b;DptVJ-@Ec_TYBN*)=CgPMKgLMkXBvf6c%peCd2hhr9!40+? zRfG~q%LhZ`f*hx<+YJ?Y_S})K zjs6o@Vh4B3kIqHu)TPq>6E$w&RDT{LBDdJ~86W-{VXT^Qp4r3;@4_zoM?;{nvQkZe z<;Y?c>BBDKta{icA&0nLjJWt3BZ*@;3Hl9qZ0nFobdti{cS-992xJNDD7t#6nk#w4 zjjubWp7(kw3%^F;{-9TjTP#H;&okRwuV%Z_y($LIUN;s1u8&2SsMK%Aa-K4s%2do{ zh}PP$biECIyT?MdEjX7IWu4*yc^n48AeqokWtPm$Tu^`zG24Gh*!p7)-LUA|l!Ik& zWAgQ|@>ik~*+T0c93DvLG%L&AZ2X8N&Z8r}7LsGw`)u&bkK$i6BfCwb;yxc{1VzCe zLDUlJk{D*^KnBHy)-%|K&wfked)r#q=FK^TLO*Wp@U0se*4m~I z9eSx0sjNZJxAt486QoS>N+~0k@5CxHd9(c4pS+D{vmy5otyDFCC~|SatugqWaoK{+ zVdxim^LioFa%Y%*WMxrkJ)q5cde1D7IPSHO`L&)ebAVl%Co~qe!EquiqFL#?!l{3O zoauF_o4p$>z47bB$RsBR=uLi2-(#w$79#dGPI4hrvQ6RVqLdrN_Ope~rTThi<%Kl< zWMSrM*9%;eH{qyV$ufcN3%KL#VW9VTmdjv@C}qsas>WPejiN|^>xW{Fm1jMs+4JA5441)kNR&79v}KfT3-c*DrV{Mkcj zvJm%MtGC(r>k!7gHa`_4>wo#Md1ohQgm9@JI2XkJ5V?h@37%73Z?Dmw_u6qW@}Nm- z$huU1=a!qQ|7av2c0GPB)eSer%O(~I5^ZWK;h5R0o4lYFN7*Q?6p2-uO1_^xY1uNhZ+(eiyt_p-tA_gpKOxis`MB089?o zj4W_uFMkG1d4SVfZYQdy${tWM_r`{baOezuCyG^WDjuS;w;2eI$Q#-8Fn*sOb)K*8Uba){c==>+~Fj|Q|~q!DiM)4vJY}>03;-DR95lJ>>{*Z~D1SfRyA9x;N8)SUgNTdpkbd9~29nJJT!A^UyB zn}28>ZDH1ZyOd4Yk#{@hO%cH8SkxTHx>O27P<+WzUTIDSI!nD5(X#@%YMrw$d~uwaI5o@q)XX|H*dnMA@>rYHW=mUJ|Sg^BsxzMA#|wx6*}*qOquS@VHK4POc6 z)vXOApUPunw95F(8mr=pMjqWKQWSm@Vw!(pCEX9IedlWWwIx0mLa$lU(WmsVgME~1 zn!;#;T?O~y92tn~qHrGjr+1lCT?|mz0nIjHrz*z8owPDM+6i=lFs)^|I{uG&Ri_5^X0H=z&L5$?gMhljK8H>ueK3!OVY$ ze`iNP>O$pCJ+{`B1VoT-1f^Pj3|nv>-D~%lx$?AdfB?R)p9$LCoMB9=g4%os&II(U z_6Hum<{G_tG!@ZUGg{?JGwX#e3lZC8eaIl7lzHWXneJ6{c)xMN==^7jaMGvo@LF!M ziu_O%2aG|nYS66D)KRv4G~Lg=jBYzWq$9R)_@(o`AC7xqYiW2M+J?$#IzmtZRy}|Q zKH)ZYhcegYH-swX*vT&TITRtV(}4&#_K%ZRR8>>2t*A7o@^XroZpFE$Id5J8d2SGP zu}7o%sr`kRHiuh@^#EC^vsIPvaW338;#T77qF*xzmj|)$-vWaU6q`}?%v;z31V9jq zzV5g8XVoP1g@eCzve;rj%fnq%K00&JC)Eh-Sq7 ziTS4SF*hV)r_GL2{H4ZmEY#Sbr@_t6$8^?Wk$hW;GvR~F&EI{$kwwc)Z`eg&n6`Ol z7@dtF&ozU92IzNAQ=jL)4`Tl_3&0%n*VKu)7oM?+pb2yY0k`MT|Ni#lcauqx3#kDf zp@!LKT^SR-6zK=G=+^3+IlF4VPghmO@BY;(GQekIZ99Em@K;hiZ|p^lcs@fRp6SY% ziPZ}W{a_Ei^xC2dEtfrjAt0W$%$kn%Clu8hh%f;<-@ZK(`}}`)(EZ1O z_@(vr?|`n3mU3XAhX5(YUs(85vaxwa)S~JpN0t$=uj=Q_`|2vbbm+`Lry{e0R$#|p=?CG0FI z!~+t6MH_##e++haJ%KJkV{PQ zQ>k0`k3n2T~lj^(9pn z3!i=GOLsb!DUc2oZ4;l4m}BXJZqu?ym8y}pG?KM=!Mkj5wQ{2baEE)g322O(5O2|l zK-mGi>M5VSVQ=3_leolgg4-o7KZqV1eDoIc+I_?gO{`f&qd|1NQ15-Kiasxy5AU_Q zmR6nHuC#bPd`rgdPJ}}MvLtBIx5-9mu=mSV*~1E5!_koPrIyPNJs_^(dPY(IowwW? z`4|!Jur^nCpA4h^@T)25&t6BrqIH5TuBwAAz#t9=l@7gDvjJBs zv$aL4r5UmMF6Jxlj+jfA8h18GYyY;WF|iUxov$>(bQsjPurGvl77AKH$g)FVf;z7L zi|6}jq@Q*BtQUXVCJ|_JCNxkme{9E2!8r*caK6?+)^hsw{!!)=KEeM9vy7$pC|*ZWX5=SAi=^jvKePc`xU>l5`y1 zkA6wQXVRCnn~tme9H%}E7>g&E@b3`3Ik8aIPCP^uX9ZNH1zYG$wrdrKh@sr+ZdB7A z=S^;0l?Xxv1xBQY@hxPE*PkWVs7si(q_Iy*~Pn$v(&-%xCwJCT6TxKm*=Ojfg zjU#GYiVqtwC+oLR=A&+x;?Il2(`=!k``I(rbES;s!&g^qwbnEDjv3WSUl?kQ`i{W% z(Y9Z7AnsIk?>7h`Hb_-U-;-1CUyVS;Fa}?OrRHPoRdQ#ar_O0j(`N?fyZ-S|zSS0M zBGo17{*)_=((P-U62T(xDcEt~by)OP_qA@lkzLFiJaid=j>{wcO zYf0N?1<`F@<0Ue6fBST;5PJJr&uJ8zUt%3JbKFp{O15%p;vd$-H41OhWjGrCXjjEF zf_K$|nynowE-p@&A^B{r_d`@dC*5ZBh$vLo}m`$(IRky~aVWRumv_YvK z>km44z~0AmC*VVUeZ4~48H8({mlgLMj~}I~ZU=q(B{L7qkY4Cl6Edfz|jK7#I?J(jy~j8XD39@pkYFXb|5qoVLU% zYeqqG#r3riFElH6c3D1EcVqZ*ZHew%47nfVC%tP=>oO-iyC+ni?q9~h|LDWa&^i0Inu4u=&n=@lHti|RicEVuYTzN ze72t{ZU*gd2t7(!NIynQ)e$H3l$Uo}%4jNKBYkzN)rimr zGrP8r{#Dv$(TET;3po_Si*8P7+2HMmp+2^H2q7unS=<_5j#O5(lhq z>)`WN8ofg?Q1Uq`RzENml~X1f(KK05w=mT!Q!qno8nUBM5c$p?RZAeFcAzi=v3M5? zi=_b&m2s5$yFs3here5Da^sn%! zZHAu6bBlQ(^M8`+mh&dtnQ1nYST%O`UX^t;oF4L5T`A8_orz;F1ReBRt@=J@ZVDZi zSh#(8r86m(0*23x*&mEswM4cw1rcX z8|yoxEb=GY1E44DN2;8y#h$H^VI0Sk+Ek*~P4}Le@9AV5UVAoaz!I(j?t+R z?uPdU(IFqsD!#^bFU5ieV6{abR<<`pMs|`{PN^HUDh4hg#<%!)~1hR{cI20JF-S4jF-HU}`CX%olSblh(_!p<9cN=N{ z77DsCE;Aj}4e@pV#G9yW@8qwEKFrrNBfqwDNt(ZORjAPy!F+n=wSq)iw0&lASsx&? zaj(kBPxm*(B_y$Mbli&i?6O)DKL^!(An`{L(~Ng`JTdJ{!J0S(ou69%`LqC;7fuVN zOA6d{!fRJCp)$lH<;HDb|2z}cf7;TFa43D8i(_Kq6eA*$9*7OB^2-z*J0+$V!nV@h zi;Mo}!l^oFt^Jwex`nppW&_G(r?wU)oIj4{K5%+UeE>83WRCq$w{)OLT`8%02M_PW zHUtbGTcJfU#y$MUr5Er9j6qz``-=LPNsfyUgVCO=n2`~+JA~mC`EOtPhuJM{Ecs0b z7XI-Fy!{o8#Pa^DLoQIne>)#e+0-;O=}p5)0YOFnduSH}!)Xh?9pN9p)olrCKE5fr zyASq`2XJt3AYhb3`uXFtoyU(;|Kr}RlCZjP(6nqx8!zIsJ7i2|wP&x-FNHu-|xFE^YAdv+lpW zrN16f^T6us>x)WA*gVDsQi1EBWk(4E1A|<=z}{XtkZDrrhmR7z`1F9)Ngn9!jhLUG zKVNKyB1y+u>vx~w|4*a;ZSMbz&#BpBY1@@@JibpZFtXpi1k`WW6m|n_A-4A1_xu0i zygxAXKR%)c$HKmv667TN$3*&5e`R>z#PToZ&$|6jtL4vJs~fw-vSaGwsy{xV{%OVh z7k5$wEUY?jI`2Qe3jQTt_5VMX z;SJctu_k>G6DxD{v7_O0>8|xX!~4@ND3y0EOEvOirIHC!UvA4=$$f~4i&ZRt97kT^ z`@ZwvUykh^tbjr2xY!2mD$8W(O4ZZ5+Bj0GZj^~;gUs4X=zK3PAVv_P$IP4LzO81HA=pU&X}4$h~h6~Kh8(D8Y9Q%(`uuhMk}wH5DQ*6eSM~|1;JnCi>hl-8L*sXz zYhw=x*1@z|Ea4k2KSzi+P8z(-k7o0mwrw;9zTdzikTW@x*XjK_UdD@h;oHOLwVpRx z1MxVYDNO{I9`$7rmfF+|?+>M0;a=JFkjc!`)?GOH)|k!f}3X= zi9kS1Ju1O<-o}2*=k(y@^HbCHbDx>oV!1JH#a(yie}9_Xz>38ITE7*AzHy_Bjg4Jz zerw*+cl+uK5Xu3_7K51BB13{R`e;2WIeCZZxsZ@vqub7gvo9dK97F=G2BCm_%MAF( z;zoJT5Qda@vj7AidPGLHQ>p*@^+yt^X0yIW;XBq+?K%NTxZ%bZYyP>0<$J9Tc`BF| zC*#}TE6c?N2UsDsS~6BoSd+5QsnE}qqkKZD_?Q}eThO_8dT}9zsy$X1!u?})*jN7i zi+7VAQE!&P#D}H2g93Hf_^)>~0m)_qV+EtUz@yoWqJl6PN#^~XcS_;2~wT-V=Ry}W-h>3j_aH5vGL z+uq^9@((%*jo8%gfS_(zOd*!&3_PH$47uyrmwL}c=>Fko{BQrd{kFYsbLv)e^p%4c zE$!>`ldaYLm+@ET=H?raJXIA{)%fOS5hiA4u0U|-j~@f9KT7p#xG+Gx)8vk5mazn? z#7;77>cGckRaC;Tad8!nHwFhoehLxd1SH{=T!7=SakR`FQpC~xZTXvAW*tX3ux3P0+^WVzFCFM$^Y)^E@ld#c{#v zPi;_^0gNPPwm1@cafykEQAtVLIxj1TQg)cWJ32d8mKe3@@nrBbGIq}^+1Zu!v>OvV za+rbS*02C9bmEyx)1a1;*pDBve)rEL!QO>@#KHD?@|M>$Y%@ELq16-&-Yiqr-}Uy@ z`52;^ko`q)k%I%+AdCw4FW-Ujs7KClRCYjlz7I5}lxlabwEc92rH2syt%AD~ij( zYu;skaq%UaBlL_$dpTwqXk0cI(3Y8*X|Y@u%QU?W>@oVqHWp|%!t)v(QX*94&`tpW zlRq%Y`F`(??Z&(rOfjVW1QMkVp3z{S6;gPe+FkcGw6+Q7nQlS$9Q`y@kBNuN2yQ;* zi(D|3t&LhXp(DzBbA%5yJ1i2Z+8Y+{pc%}8jhNEYG$c#))Wv6gH0YbIQU=Hhai@xw zo~cD%QY_Y#Zyvg)#7EQMc+GUXux#{LQ9>_0LNW~3b=|aYQ@nxneMRBPZob81a zTzAa+pffDV+C#AfP)m6~hdkKj2vKC|3VpRMs7iHe(NJC8z{nw)Z{BkU@LyA!fON? zhKKHXI5~Z7NnMUmYbx7$zY>iwFOEvAHB?YkERhZ$KKFJbbINhu71Rv=eiRC`$Scu5 z4}bF1`)YS|b!2r^-Rz{VZ+_L;$lh*BM4eVovsqkGAvomNF@K@1EUag--A|MDUNrkH zS$Rxa&@)CHh*uZuj8*f{XS5)Ov)I%s=1_0TO-)gy+o60apc~C6U|k^Uw6U?}zOdB4 zM0Q<$%U{-AAWJ5oZRxsFC#@wv@EJ-V;-EreYff~20Bd)@b%g3q#10u-zh~Xj?yj9~ zvuEWKV&bVS7C2>rEe?$?837O0i`A8t66sNicXzRBXq+}g>*Uhk(21zjSWJna*RFa* z%c@ArJ%7FVrtr0n*f6c>J{diKD+;2hFaM@e#AVEj-QKOzX(f^evDnIn45<60~dv4OHM*17N zmhUdszB0NT-ZBbQ3>QG(C2?NK9iuIR?ElV?s^kZxIf@CWjJey@=6QIvZvWy4G5O_g zF$Z&;r%T0Rl$6Z6ZR&jB#7h-Gt)->Mak-1}VPsG`Pro$Xk|g`(F!<3Z*Od7saGWb1esxvogPHPW-*J8S^ILrH=6E^x z+$rN@M-iv8oD##gh3RQMb!`HJ_atDkTTSX~iOFHLm`UW}^y7V5>05prepXQc^y`{v zKHUm3zV$)e?}V0#*JwW}4z%y1-$>vtaDnWgrfJ%Kn6w%^Uiu)`2`KtG|`wNr>Ak@dUK_;dA{Lp5_0r#r^#Zt68kD z&0EBbdVYSGUQ9*BOY5ltP`7r|VgyvRlcwm;}cwi%UHzkS%IeHu27j+<)lR|ai zqVNmYx`jB34Bu+0pq{?L`$v4*mr3urE{_&A_|g#s796JU?qSoFB_4HP9~= zV~t$E-}7A9U7g=6q+BX1PH|t)W`EVDEk1bWgZ8EJBsi!!N1yMqWgiucmqqSSUbm_P zSJd3u9TJ@!YGR5qy+Rzr&ET!~dd?e-Tu{PU7=#h~MH@dN!+ zJv^WkeLL75=v9Mj!$40j*W^w_A~^ZJCyXLiF6Ea0@$vDX#M0WDne}8*?86UlBLma| zdGPPvHCyctjf#%eu)a_F;DG)BCL3*rNg_ZN1@us{jed*e9+;(=XBHQ`&XZ!OtM% zLkC($qb3^CPlR`k$I5nYG^uJ4v3xJVwH!LzGGyw7#sL$84WLPI1@VSkG2~x@Kl+@U z)EMP64GhP|9{a_XlEo!q9+J-v49pAv==CYmwR9u1G`Rc}Nr953d)qXyBT^dOn6Tqo zwhr=(v>2odwX1|pcXTC@2sF%5hm)ALsBFW7NArzsv0qcY3uk5@i1+gMVJ8dOEzM-xg?m0!k}`nP&tI?zSb=GMHB zP4^0vlF@1=)E>NE=-tKSx2Uj?+BG@!xyJJuT8(GMlY{q4-J2{}t}Kt{Abwlo7SsnL z*~5|SzARiWJvCeOJ)zg)iAR~X#C!bL;Iw&kzxYPONQu{{NWn8hI{a$7;@UJvLri#e z-Qi^MwWXQoq6LR-Zf#hP`Pk)K0mK(L!;9&MN{xTX1r9yoF7RsK1m#HXOAgL-hM;U8VC*QC$X3kI-1wkC_2qk|IF18Wxcn(UO)QUqIM@#ar@n|9oC;PnC;&` z(De@~-cIVeH&OG^NAmS+DXO6ver|4V^PQ>E*n$-9a~r%y7q*&6bT=lb_uZSSWbdd>)*0r%<;kn)s1Cn!Un*iQ+#!bAqEgL0bj9G7f~QA8 zX49NR9f_hrA(0~$PE5>BX8RLEAivAEfN6t{C5q3QmiC|La+^)Xpaw%aNK=YlMFoXX za8&tSwQsK+qIdZBIByx0#x{mx7Im#Gmng)LABFHQetS`}BsU@2@^h8)Mh$RRrU4IZ zi*j8aWk2)@(UsPWqiEt+0CrXjhfSt zVybu#s+OOWtA!BnUz+G;f1TN4;>*iWgUbVY;rb?2MP)3O|AKL}BmqCmfd@1RhYMb( zx{EF<3TZ-1gKH>DY_k#2p^MO!ycjQ_!!mdi}b zezHAjwaAZ6e$yl2M+-uIBCwJnsKq7y_iOZ`UUjE z{mZXTgB|vI2T~*V4?L0<%WY)*zAT6{v(A=bG-hg{&i1y%+w~i0?w%`TXgEQnM!56t z^>!!@MwnsspK=?2)Nua&b2jqS6>%HZW8+pEi(kLu9cQ}1GnSN-`TBqcf}zx%M+&$@ zB>txF-|uEDot(IGw|f9oc^Mgb*|?UR9C{F0EMwNqfIx{1t?$(F*{=7)K)S!)(fsJ$ zwk7iQ_l9O9C&xONxusgTl^&tL$2%5RUj=zkMRC#Lmk)5-QIF!os zLZAzexmMveoxXz>gRp5lU}TY#tNMcb9^ki{JGJgDwJbg1ZO~pdBj<3umLX-IGpzUw zV>sdxJy;BkUMIjW@9HBQuhgy~cAidgV(T{F1TJRf!ICT;%iVvcJ-J#%d7Tr#Ur@a_ z>}Xsy$HM|Lj2ZI1A3gmucz0Up`ezWk)1C90T0z8)4!!L@JLt`DEZ{X(YR?Rl#SQat z;k21@q&syOK1!d^0w~Roxos=UMg+yczbu+mB}>V@HbRkQ>lS$pKse9h=dM?2>36)MEQWKro%3ced$*wqzY5{4%rf&?7pVr%c;7S{)E~Cc z<<0?5rkD{G?b?*nRg!(hNUCuFHs$Qw2*o?jV2_C_t(xI%Jc6)v2b7ZIBBY z=c}XwjUdhSa;crv?nu?R`nH)_2!32C4xFwuk6noJP zF2oHxy*%MCwMTjTFsCH#Ifb{*v+i2NZe{x9vnNkzVPgDRSu4?ljF&ac@<)tmuir;Ww2;IK4X+q941GRSc7Z-MkDJdNsIt3qB@TOT} zCqX`dh?PW#rYbvD7B>)QIvgn$X2a~2+~bs9+gdJX^6`p|51X5;*U3jui-|9O*?Z=? z5BBer=Ikp}-tyNM#1R%k?TvaL8V(~cHUZ3raA)_ zZ4)bd)kid=WGK6Lt)3j#vMbN?_{jP?&4fco%i7-T=u~^r$0=nVy)B*v{|Gub&?#SH zOCo6CjH!^5{j#2#tmD0~UTsgd+rC7s(s7W6TWyoNHdYeQnXEJ5VqNS&Q};rrWT5$B zX5^$>xx25F+^2=-O}!YjoyU>dx9{%F#-VRFgb2?k4G*5^l;}?Ngjg|gKV9#IwdH}Q zHIn|d_xrDp-v1;a{b@2_+J$Z*4|i>2W1}Bv5kdb%``o*p zl;=<94;wE~ov|+GTH(6I#XduvTs7V-LpSRp-;}br39laot&M>fkC`@gZr{e%_9ZD} z#+#X~w~#3u^0cZBPP(N+GFM=Drz2&+UcCS-bFZI;7T}O{W#ur!uuJE}{QMqiL_*gP0+4&Q&@h6V&`0f~9-*&18;u_T~* zBDaS7P`nb?Hv!{qjFMNw{Sx)dL9#5^pJHIm4GfNVSFi`j?6B);V|gpv)fSDI1oLZ z8DGswIal19w!@WilMNf&+duWz&&o1`B0}#;)Id~QYZOgS7=QT7j+Z2EL#0P>`0$zQ zPiwC*>Z=5&YphUFdul$BAqSP=V%_C(qq&l(`2Bj_fJyE6;hBb9F7)s{^m@9I?uDVa z^3L`^AN(yU|+7t|83uBj8R6H&e4rmkO^xBV!kAGgO zr)74-b$DWj@@$9v<%U@HapMh?)oaucE8U0`PVF9RlnR3RR@Ms5D*vntIv(2 zZ}JW8+qeWtn%4Vv!ehq9f(Me2ce5Xjx?JCSkP0t`dix=bD!Isdo_nCc8sJ*{iXI-1 zeo8xjA+6W1DQ1Q|^2(g`#+{0+h52S?Qr!GKgei=bQAa6c>9KK~ci1~meOfMB3D*y8 z??*?yhwUD+Q`maZjPy#B62jH>EX-EY0BsAb)%PhpPTzUd^MFBOxxAe-hKSdxfJwp*&mDf+e1sMVz1U!WqJcxrU$TZAw+ z3|dqHmCUw48uut+R6;Mu9F`(hdR^@KrzCTK*7yC0*BD#>sKJ7jIQLVKix1YhF@ybQ zTofX#vQbejSF>2lfDCF`TqTrA;g27$<6mjZ7{_<};t%cIy?bAYIwJoviy+|qNkZkz zxyAW*qhIbVj6{P^g#2gey^cGM*J{ASF-I=4%kNRIvWrv3MDfNOKqU_+tYSk%^-GJ; zn%@++Z8*$@QuW=l zH2@UuG;_T(XqX=>gGEe(_r>`~jCfo|#CD+8Q%7T~;c3ybAj5Kb27#AvXKR%pLF_Y? z(?HCyHPiQSSmQDGTYpo94QwUm)+Xwx5K(pZueQp3f&nGV2s%=5qEr0O?0=c)L);z@@+k` zTd2?+^T?ZC(C@0P+(~18$Y#p0$Rshk{n!qhv~~+fDm;NxtJ&YfyH^2Qhnvm1!4-li zC371Q!YJ{P(^9hdnI<4nQu&Qy*W8%d#*v6XhQfV7z;<*Uod9yEjOUdT=6K#|R938z zrqMmKd1jW*SLL_m+LWI5T(sy8ZJjWHGQ z*S*@#kIb=k^~`m)g^IUN(eq^KpgxIW3e~o4=O*Pqjr{9_IOy4c?~Htn^Vu}M!PM4k zDd;o7>#2C=8veB}OjLqgBinvPeoL}hX=(ilRgQ60W#E4ESc`iqbCoj=!pM1j29dE- zw@K=qn=%{v#U;8Y`C6sp@RL;iT{M_Lu-nfbAww9eT)fe@R~q&~OLTGb%$?F(n}<@dGqW!Xo>f{pe#_Z=abzj*C%lQ9*!Qt+ z%FZ@0x>vC2RYw5eX1VNS1IUtz&CRSyQBmZxTVh)-B9jc43f%siLnyCglMNgWW-};+qQQBl{-LeNtI9@b- zQKaj7J6vphAf(ZJ@bygn`&wXKE9ptq#kB@eav(xkvtP;7>avkm{6=mjDcxRUC|!0y zZP1h@v8W#x2HY>TxEJ-zXLgy?H6tw9l7^Eic`JQYs}=zuwc&Wu-)yEN-E6$SVXP2E z!*#OhoTVE`rU7^|@#*4T>MG3#l%P5wi`NUl?+l8TS1*8C5s_T0LbI(HYPw^@o2;E$ zdjq4bgH|xcui+#OHGtfZQQNfVP>OD7^M8+vUAHx@&m%B(cpd}gcf80SBX=9kC=Yee zSM>b;qQPUuXQtV^)hu^E<_Hoz930(#W{CCn%PTWNk~MfbMBcVALE&@J$zWDX!T zSNM3Sr!PGRLheC`ef_TX%sX?J&3f%=q@Fv8HpwF6?)+U$cfLRMqePZk3f1SMGekq};phy8X&(Nqnx>dG>DQe?t9A!X%^37Swb9&N0HR-LbfeU7rBR?g^g zZJ9AG>9hH_{UJbc0!U@s<$X+i1C+E^@ZjtCKoCbyh2Pda?i-DOzcK-*Dn;XUmD9^xj@e+qSE-&HTHBXO}t7p6js|IFUi1DKx^gSG35o}_b;z2Gn#w6`kG#_ z@_pDNx=m#0@CBg{Qpk%y+fK<1J2HqDzog^dJ)rx-zfD^xz`sc=iY#ojG@GxrPfm=j zV|E>URzl((&#FsnZoYWyF|Yo?SgvBrP`)Xw+}Kg9XqIy4fm%RRR#BifN~f?s3|{VV zjkJjE6~~7RIwXBMTC|5cDV*48zLq)J|W<5=*5@^yYj)s<0KUHWATCGKL*!NhVO~>%3vY=J7{>K|F?7H@;!d6JL)TKF3xCx>N zvM4mXrFa<&R*9A`pRe4%DD7%WK_kH~i*XA{<#@-!$9J#UC=Ws%PFy$oKE zvTv6?#0zRz|b=bAprojR>yi{8wdm;0M!mCXp;t*G<(dK+@tx)px&~<;^zB? zf7RkO_J|GXhC@@hsD(XLmRjHVT_12ZF>whQbsM>~wd@uib^HK0`Nz0MCNSU96!CV> zjcnne*4gCy(viVBxy;}$BbTeBwW>QN2+BqTr{J{c^5DxpC@Z+UtT;+G0?QeuY$a@ubc-d`=U7Fyg|?DPcl)h!GhF-3d}xa3R#kA;N9Bff98%O9p6 zXY7cn7Dsq5)*$9}givA=z3yb}=!Qgyuv@B~5w|f<2HJ%6H;u-0>ERfVoMmF~k5`tN zfIF+Rr9TGwz%*4m_3Yi5VEHa=%W#>;k#y+fwfn12!B8+;go7{`{$ zuirFDyp%TPj`pf_R^IVHQcvej#59H`onSDli%~IZk)Pl8SgyzPFAhAKN!DVvG}sp{ zXknat|0mqjkrAAdX+2{kXt_P$w?05or)s#&u*t0BBhDleCZG)v;LWoneerp6Oy<5+ zbDUlZk#8bIeKdssQXzpXU0Ef%DP5&--0axPIF7wXfGb+KJR4Bl{JXd+k5<5!M`vX7ngN3B0B3g|i?Fp`OF;q3 z&?|>&atFOy6-)4*#r!4=eD-LqS<=Vs%)!hTsnQWB5v30jl8;92wS}wr%DwM2&8@GV zh8tqsyL28=K4PD%s+)YVsl(4>?)}AXL6_bO$DDw1QwL?+5o|z*Ie64?8pStO1xlz6 zBZw>@2G~q)hKhe?6Bc*?L=%*FZnfWTU`^fysL)V<<5@j>aUlV0y>3PYB_Bw3=9ikE z$OT)0C_oov7cj%beYx0SO?Gtv4#9lj@Kbo|%kvYc*u?nQXkBmafiW5K&cAIE?yCf} z2Od`l+5r1Z#@3yf_*mYSz?HB68W#N@j|K$FeF$m0J^FnxQzs|-?%!$w(0=&f5dd(z zz~&7xbEn;!GZj8@B7Udu9zA$aVccXGkzQrIN)qz#&yc^6|9Q*H~sH&>+ z-6MPO^r;Th4>rJ6O35fF=!JjV{3>C8=eJZw!`#eF&cVUKUKxPw0IAHx=8b2c{^a-n zzKF@YZ!2pi-Ag*}cXV_-dK+}i&HHap`~Re9IC~+nTpq6GD)}eefWPM@fp^Z1gLhG? zXt*Kse=}aYEFie?{gg%ae{{cYOn~6VaGQ(&|7bk1yV#iNa0fhUryDp?QBeb>mVcQ6 zdpGAF^M(E&ym>bUiSDJwD08DfW4Hh5+=~Z*@{W-8AL_(^clZ2{X{4s}TVEB+di;lV zXa56C6?6k&mzj(b{o5PR|7$M^XnX|dp~}n>pZ?#BcT*f2@8a~<_p(3t)c*bqCSoO= z43!6(|7o~0fVGjIZDuw0vI;{6GLB98VP_mP_FpItts<}jGJlQziV2d!3Zw^jD$Q{3 zAKRd~d6?y+x)&XgipEDRW@YEuvz)H~v_Aj)RT+@S04$AhZ&5+gzs;A7(L2?4Q|b-u_qn-~E zrFW~XMqhuqC-^gkn;TTlYEYk{4KLp^J4a8H>U&r(ip;0IKR*%A&B^&`l=l%xh6Ab< zhQc|CJ1;+);k#6sdGv25DUD}z(}yUszVtmsp)b(fOH=d7dHz{W4?Lw<|7gkYq67{uK-0m z%O22pZqU)ub^0KAwC8~2o<-Pc?V>)|+q)6SV1V_Nh5x$m@X+489NmssWsgCM2Fcsa zv5$#BVxO#;$xkg(L^ax^v7RAJ`=Da=fm9qME)66n#T+|78ytDEbm9$9b(Sl8(zrg} zN=oj$I!?cio~g1t7sk2#{rvTaM%r_4Q>B;;75WEJZMH8Ru5!d34>d`Yn8?8cFE_JM z>!}`#t`1pY64}IfgoN>}zL=z*h~#7zXgr7GL{H}so!V2Z>vI^BOBaz&vc~>=gJgHO zcoRF{>UfH`MzFp^gQQHjSpS*$QM-aEd&8O!fKwGts7Q`K{Axw?Tr#Xhf<9xThX)f> zm-AA*X9wF5H#E-Kqt(7_7zl1H%gI-298KRooGl8a4{81}Kl!725aNLz7DKpuS%1s9 zy7=TO;P%m~dznwxkVD_!Yb?L=kCllG$fFrqyX6n?v2yI^Y9CQiIpQMp0A+fDn!n~| zsg$fNnJ#{#m%#$WT(PRf7lVXY4pRbji0?gixIjb`6%(`O99BeH1%c!MwHk`pO8{%g zfz=ZBj6EpT3)0|@PUkj5!oN-$rIYoFe21s~z z6YwdlW#0j6nR+@5nEL}=^fI6K%Ik>Iyn9HrM8O&qSJ~|meP1+pr+t*mdma&0$s%pk z_zTbW^wsHnnHD5uOK3`D!(Lb4-2HAq2Ei6K-o1ML`a?*?%`2O+4PR*fiRD_}@FTt==$HQB?4sDn0f>&q$UJIWAG!kss zb64l)<@K|c$mBQ*VRuchaXwfi0jQ9MLKTpe4BVR`eNlc*)g8J+x*@m=OKKh+HUi`W) z!do%m+>uS>ZlINzq*I`?Izf4Q-y>s@P4hkWqnJ4&SyKF^y&uqq;q|&jp5ilhi8QiL zyr?il6`rEGb-)~{SCU1p>rObDrQ-!b@ zDZLVaFiLY{W7J*!2Gz0xe%2hC%BE)LdDEd}tv|d}n-T zuBhgk|L&pniprJe!FJVYbWduaFLQGmySAm`AQo`656Y2BY$zK(l+Z$s!_T8LM&YK$%9N z9yK$w!u$8{2UGxIOsLpF9q{4+%@{TgPGW6gVPW^6pF*)8=i50GoG|e#sjcyR+Eo`P zr!L!B6AvWyVkH1S&&jrV9?~`$EfEns^0}5dt>W%qC}_o{JYLC zbHWWExO zG&AUt(5De_B=ZYqZ3)(|Uy1O)W?k8*x4eHPE%Bz(BvW2v>toi*BF&u#c=Yr%54@ut zhr}%0-Iw;j9DVrM_3=wkm4@*l;O9PQV@eChVbP9~D+6mLlI6kKVb6YnUJa>?;nf9b zPr6tGRz`V5%ly*sLiMEUX}WQBqf^II!ho|H|Iz*#@dxXDt6JY=D8O%8v2a2U=(aG{ zJHdiRLU9P)}GxynD7Uz(w6wOTbnz6Ocfr~;up*5TP#mW9QPOe-8miYdo810D?g zzI76)Q+sA$%O8mMQ=Oxa$}@ZC8smMrq#@rAuxZ%NK5id$2U4z(~eZ{Ec9<5Hh`{2OBDn8!8ZC?QVM&@yjv>{?f@O< z^B2NvYGGX`J(=aG*VGBa!wi!LiY1U@opRa>_F5i?-Ac-@-XUZtL|57U_+dPQ2iO&@ zwE!NDuTK1QB~$`^M5MV~q{R}GOwoWJ04zhJle@9ZT1g6VCvV^M1jL&5gf(ost=u&r z$G)Gpn9NEYpcJ=J|V|H3w`^g%1lE{U#zfFULvX38OFcBif1^~S^N$x zz`%o@a37Y_Q(J0n4-{f9|7#mioPj>VGdI^nl*8EJ!I$F{aT+Qz%5ZYQ6~)xmX8{I5 zH_jcuxtND|UwR-}DQ44c>c7VZXW;78<&VX(jBQ0fXJYbuTAIk4K9nMas3OQ^mR3Kt z2z>!@Cs0_5S8`^7jqHW$8?wC%BH~b>`LSIa^IH0@V*W!Th>z}ie3&Uo(AL_UV%|(F z8XC=)tP^U2zAMW;-cnyZP4+WMkXz2{L{KqfG#Cx>x9i@%yzZIt6mPjQ=!>P?-mwz zBclG-5|sxoG2;F=W4W%qiYf3U3_KGRm{o-C=OVI!j;V6x>v|Px&xn|a-+f9IagGVI zAb&YeWXqEyq%5RSKTYm=W^$Lo&QP8#eh`u~2>`zQxxL#21)2>n?%rX04aV`}@>_jB z`@Br|VRf#z5?PT!ab-oT(T6A;L2kd!wrWS%#s>(Cdh?S>yXmy7ZJzA${4kCAFI`WX zuBb-$eW@;}xna&?35`0n@tJ#mP&8y z&VRo9G(SnXNlgk}M7yuxdf_C5m~9Sm55~BxY|?x$OU^gR{GnNYhQ4yYz@rdeTB5b( zdE{lR%mCHmEE(8cZ2VZu%FC~WTP(^;>Y=VB+2S@<9xSkbWx8L-_ zL_Nw936Xwa_w)0oPei%i_TFmijciu_KeU4lFZ1giI9IUHNtVe0ZiB{@s$xbWykf&aSi5LTep#HM7xWjC9Vy1EC>zp^?E#Sv@elGZ5q4hb2 zprwx`9_Z#O#Ei|bt%wRmVNT>W2;M3&*{bL$ewpjKD zer7rnv1rfBeMCaN`K`x7gxt1Y7c6}t*y(CXeX3U5o@qT!{Ded|vOkVZ5zt)|`I_El zGi;o$VQYWrDRG}tDgX87*97Fu+9gtL*J6?;jU8WEbjm~w!3ejk{U>~QUj^j)(wDt# z#`97OG(fN0B=qChFXOS~cR2RHKcphk3eC#ic{5owi9MQ2pPQTeFfE|%N-yI)vc(7q zrxP9~Ji6cQNxhS>fC01-$#yyx<j1)8i{7{k;cEu)srBQv*Um)Pn*w!nJRx z_?WXZPpId2NvWtPpW$1F^X|LTpASSN{pV^+KaMnWEu+F&h4~Evq`#ht0ey`l-lPJB z;Ym#C_af)?2=+=1^k31I49hX8W!(5>`Lr3ea3pC2p?td^&`!(dC-=0V*X2!^Qc&Yc zq7rC*axS#h$0yL0nI<$fGCH>%Bh#je^sK|&6#aI`btt$d=zUi( z2?}pI(@_G*ky?JrzBchCXp_K3VGYyl@lHK(P9NRJB8n-lQ=H-)Inf=pohbOm8Q#%^ zi&$tAPki*qee}m?f1#-bvAvAa1WCn?=CLcv&V(10vED~T!%SfmkC#H>@Vn;yF}Xvj z<#`IRMbB(+0itLg(8m4>iMx?$Bsz1~9U=5=-)O@8^1S9fWvk|3d`{Y2jZA3LlgH!j z2~U5ugnFHXQ5*tcw(*Le_j! zcXvo|4-D?^?(Q;!1c$-h-QC??cE5l9yY}h+z9SBRD!S?t08~e*poApD(m%>{0D@x7kaP=ff=2`Mhe{8LKn_Eck#%42cL$`whK9@U*=azlw zx=B{=Vs|};5E|Q=?KNwg=Fc7N=ln8yL9_!J#)<}=Qk6D77DSxA%&S~cF*-*`i-I`e z5%YMcuPoV7{QWsSxn3z|zmBEz9;DW27qQc{Wy#@>WFrz-=b;#m*dARj)LQjuU*JEB z8T53PC={)JR>(o@0Y8PY(!Gv=d$hytuq{|}N^h1FTplPFzd$qHZ$1^F;6#?oJ)pSG z;>i+7=Efm$A5qFSy>_CPr&(iq<$PJqM*8IS0@Hi({|zkve{};&4Ri@3w#}Xm2_RoOz^!`+6H%`vG7sJBZ zc6WCdqqPwyt^X~MGB(bK>FDr7s_}@b4l}VXk+Loc`jkmFn3yB5=4CCMfsL2F)=-IY z1G=Ds?NC{}M?t{!EAn8EogLNC-#_yD=6oW~lj)v(84}Uue35YaD!0Zc-g*10?fGbz zK3{L`X*w6k`$Q?`Srg{!9$(JyO_MXEPpTB4Dq@AX8{_}2bbxBy(pv$ZoKGo zU%Pabwheg%%sUCc*}dsw!*l!4z`LkeeHLQOSajWRrQ`@`b2-+?f;Ue1gMTIph z>1}k}F99!q`IW(4Dqt)wMWx%d@6wfTYMPN@!LRk1b2N+Bfk&lmF0^Uwh0laem7M=c zl_6a^PK=Mj&ll9{+Q3gzmy;p0W<29r{eNcT#RY~Wb{cu~7e}v!L~F-KHEq^0LcQfoth+y6=j1Z8 z%g#JkiH{d==H6atWL}OX+#r{0O#4c(xC^qKswkZ?4IV5WZ{|dEGXEH!TZAHnY}Rzb z2;FT8=h?Mn#yV|n^f;1wp>Nq$9kVowsO?;alPgmRJ!?H2C$ZH=iv z@b)kIN8fiB&sSrZ!PT;t3ub!q8JtcL#eb$e3pD>7QbH@EWDdr-ndgap_cxmG9LCtz z+@l=BB0${zP;kqoFA0{=TpIHpL%F%#gw7YW`@VRj)S!dy*kv$WNz3X(58-n`2j!2z-t}e#r?0yHDiL z(t7S2DO3A)9rn<-*S=D(;S^@6XtCRIp1bS2CN<)1-skgoYWCMd3{dNBxXI)+%jE`v z>zAU|-AUpC=*#U-l7)>fT*M0Cg6vHiV6xQb^hK|V|w{MJd0aaGZXf6 zSG#%HYk9?;3?5>8Je3rsV=TRUe^9qH+;*la`ZIH2N7udw~R=-;8>u)%39+al9_U)_Cl;Ewcm4?+sFRJ-y^9k5kfzVHMQ-a zWD8mtW081Q9e|XnaJKqaa}m7v{#mV3TXu}+E}l@@50OWN2efSY{%UWbmCNVx4mzYD zlcnUXzXEixfzDc^N=!#IbsyU|9`=I1A=S;3EY<#@*nAzU;vtS}d)TF^b-CcXH4Y>S zO5wg+9x_DNTe^AZ)83Ba^UTBGtM%;r;RmR5tL)s!*7&f-d|wUs#|2>Piz48#v*85R z@P207L=u#q&uX11h2d0i2Q0kOYg{t4-sfI%NvmZr?O-tWU6r3e&pVknS7w)zxemt= zukF@{KFM+CQmC8~d46R;52FGWWJr99WXWa7Y8`bN z*=#~u&F|GYt<8_YX7}9AuCo5v?_;*Z#VZ-3!(+r4+A(^Cal&quYqE$2_KV5 z4!(fIgYNNyK1|1%EJQH=C^KB6#1-d-U>=J;iaa74?99t7ULOnGaOv#?n_W~F9Qcf_ z+DU;FI;%=p<#Ep^F(UKz@-eXRu%+Tz?LsKk0;uOc} z3=lPtZcbxT32J-0s{t-AMc?T6g`%m~ka92m;AH2|+%jP9$+3dH~rt2!MzJ?g`pW?F|(lD-Fu0DsmsEfqI{_rP-8T#p3p~aR8 zdA}wDN%7e1J_wyY$PYq$*7JJtQ;J7{`y@zq5g><%CS%Zia!s z&JG!Wds%F0e0VmfVueoq*RHalgc*|bGCPBLtIqal;X+8FS)o^EVl=^9t+^YT$LG;hIN_Mg5CSiPWG z4ORk5({}^Tow)egIjVUY+OK2POHaLJKk0~Bott;B*bPD+f`~lr$X*0dRR!$U1+2f| zo5~l-5{O-9m2>rytSDB0z}UsUY1hOUwEv_&3h#h<1qwe8B$^4)z z+2nlGu2I5uJ|_X~hr?0C`}KQ0fbQpCPD(hJJg7>EuWQ^@YwyeNc}R}YBmdz^q7Ct% z6-UwVdqMnf_E~CAP9E`EC5k3I{kBHDX&NvWb28U=t0ABI4vMnKxq#b-5Ow_4E%0nR zNf(r$>vm!VX4fE}Yp`MvfZIeC$$6mGM|)-QllUUPhb`nH!2sQKJd59mCh%FR*Eb5X5_WMV7 z1~ahxF7ijHam$gv&?*Q#EOh*@;FZgcT!8=m=^AY zlORn3y|_x0b{6;v6{-P?w`~#{P%C#UGff@~-jme^k$={=`!*%g@e<3Wb2(@tEa8ls zQ*pOb&>sxVmJe(|EdKc6;ff76h3(?o|K=uQj$^!GK z<-=cGE8W_7!A`-FmyCMc5u&=Z~h|QWW*TMy`R+{x((Y0}} zspnWHOI1Fdq4D{bGkEf?tUTIu%lI70f?naS9f~OBNK&0wEp|4jLmaa*?YKy>bdSy$ zv?rE2^yLP<;3CqCF7jDQpFd%zFK9H=#NY2+jFTb1nO9~6!!phO7-VQzw~UD|Nx9Wk z;~c0+hdlWiK<8Z_Rm{4H7?B z?ev3q7K@1dqZp0aKH*#qH_iiU6j~Yh>Gq`H2n?Noz=lin|8jYKNNO!NT43wRi}JQa z9cppd9sY%k42OiSm^OVhXG7WlU7<5|SypN#^b5mx+F%cJ?y}%_jn{W;MN@ol&sNcx z){O;4Kj6E}arz6k`reEOgg}n42#07N8Q@iq^ z#XHTP@)I3Ju+?$0&uMOj_);%u)0du1D)o#tS_YIiXUhTHJUn63&-mCTvHmxqwU!62P~sCnqx>-Bx&)M?V_E~3VuRU4W`~eZgz2GH zu3lIj99dbkOsogJ8a>MOnl9w^I91$mLFc_+Cz$B#M4M#!0f>J^n*~Cey$PO}yyVjN z1N%w)MK6ylMUy%XBTj)LCQnx+Q@eo{|IB9&BDti0V9>s8Xy`ya=?q%<-$c?b@Ci5_ z$IAvg+&!aRo%{Usm$R0q*IM3<8Men$#YMPL$E~@Y!66!8zE)_B*nGe}b42T{dEQCN z>;4XJqI?VD(a-tvBJoAtqMj&OzC;n*uA%2Ei}m_TjpKpg1${chs)*VCs@s{`HeU;o zzJbf`@Y=PdLjoSWG!^7B0$-H*>Vk%)up}s zN0G+cvo~*(QQyXm?SW5!`Xbo{R58Asm4N*3=rZpb*gqL*EP&e{J1;-noVaEEm;`Ip z2LcXXrLxN0Oqm*0{YuWK5U1GvOrB$j9ZK z|EY{%sO+!Z=9?onOdS6+l`XtoSGKj~l`?Qo_phImMm$b{>)eaa$m*Q7|4AgmPw||- zCx&$>ZkScdQC@}*p(z3E!l^R*wwDmG5!Sy7YI$iv6o_OrI9LIK%?v)w|Ov>{qw zPXflxPj-AG7waJunTl)GkLjZo>%c)$BloBEW@8%bi5hG#APq2{hCK70j^}*xxaiqS z{B{1W?D=7YQ3c#5$LC?QtjB|O+N{&$+$yTB;wdmgbfXT@&%DU+Kg)%IBUD5pbUgEf z^LTq<>vgaiqiBBZ&9JG*&qfGqlk&n7I_Ugn*}!g0UoC26K3-MC?p~Q|q~HMc3X@bT zE!jK_J=-e=RiN?F4$^0`O7=+fsa}knNcr9X@BiPWbb9tD~%5}G9Uqw(oan>R?)9^oP)L_k6PLfS6ko8vPm>7Cg9`P`g+(;S6 zHkom~-1fW`cb&+UxT)!3dKnC;CoN^+lAs4L_aT%MRAk+iG)GlTNyn0f>JsA66w;s3>foj=)`DuI8_?tFf?5I*{2KO@*@X9ojY3b;zwq-+ zh7UPWr|$9x-rC_=@xh_kpD*sj7hyCRjq1Xieyi!j3LY?kTf~-Fb4A}ZVU6YuS0OKIOreC*ev&bzY^mO;PMiEub-{K!_{>?T!A{-+O*{)U=PY@4Z0 zhbQ9Cbe~n@Ip4$9#Qzeoe|dh;+Rqo2Ua2#M8NtCrH<+onB$I>2JvQ9pK9^h)V&hTq zfvRaT*qzk_VA!I=1b72$TPyiqSe$+laHUr|F5?pq`MPjE?&uG~+gXHCx z(YUUaAG~e3>}}0N3S~YqHrH4FWR(rXMlC{_;n_A%;Ae*n*zKg-fiQKZ-c$x1GRNDT zJK(D}ra@!0gQ;dc$7do>cT*ezUO%3P>+kUhZ?m8rO?*AzpB`RgCqF>7i7JJ&L2(7*` zZQJ?j(>MVyFZy6FrRf&1PBXf0_geiLVPUW+5=LPd+VP#bxX;^bb3a5J^&=g;us+)+ zLw`?`w?32ICc`h#H8Rha0nH@`XmW0}q446%&u~qxJ3oox=wE=1Gdp}=K1SSQlt0Ehh8m8X1i?_RMCbz)d z+S(W~a~Gf4C~e*u8t&zX7SSxY5ONllp7S9-;)h7W7Y>;erin0k$^l~N^CgXluuB`W zW}T(g_t!(!%D!-1vi<^l`SAk0py4HI z{qvm8|2v5Og6SP9050@GhD}enuV5kDr)&Nz^us-#G z)%p>32s;R4AJ(E@k$<(PNru?ho?luA=(cPd*3&m1|iur;2zbG9k~~v`T|vSQ;0eR z%6q?MkiITHeSpk9_0?G|eSobWhI4|=;R03&6K5Dn)9JOfOuXff_B7~vd0?m<+dyUV zqIf}i4|WhlbhLIZe5BNLo~NwPxJZCql`OLJSoaZ&_d1*&=ym5ufL|Zq`z+tL0Z-iT zJ70ntTn~s5Y`eTnEvglq(~S;l2Q0xwkIyb!y*HcDiEH7m4fsSqi!@s9i4qVa`QFkg zkSmnBpa15N;S)~7ogIgKD*EPt@BS%w*=mV9h&x-i3EMC{CmHHH{W{7;F5uE1P0=j? z-`t%}t3ohn_jrv9zVyY;u19bv7Vyhtt?qTGcfBHq_WZJ09nAH6xa`7MD?(4}e*Un= z5ZnDBJRLr0Tl~Mild+)G%}N+?HXh zXPD z5>-UmBiPb)QL<{HSEWuz!M0mHwvtOqd#(|UxcTvt>-qaGYwh(|Q$?MBRst&D?NXzn z{w`6mCA_gjCr}4PO}*a<_^DGbIU=DT1Q^x9i@c!Ui)svRF`g#eK;e_C2+%0kF(*;k zdc+|xK4c>d(+AdtE(t!)Owpz@#rAqV<`W9f_^TuZ+p8$gtASUnzP}6xBS1Z6aSt-# z2>7qf=TAj(cdkM?BS0lZUk<*6DE9RBkkz!^rSQ_k7<6ueKN@HwbYoG#xX!itOiM6u z89;_Ng&z}K39*tpeZ%4bM^>t6jV8EDHeZiao7?Kw_cQ&$4LFHk7RP1g$FZ(K*l0zI zBh3?N7*Me>4`{&S>ly=mt`#xt(KP45mp`^p&pBH9E>4*Ndj;JEgQ?PtYoH+NPKhG2 zG+WXW5@3QS@t6>zFM@=VP!JzlPM;Au7yIpkZOb??FH(s(vn0*BNkzoxK0D6Sq#J`T zJVCZgFzYh??>t+NUvYL^M>gWe66=gQ^O@2_OZ^^{ZIpi8s)@&qAS88hsNw@K;3mil z$j)SPU?18Ei)dU0-Oy1?GSnJ)%*omlaNW`{OoDacS?8o+LOQeBJF7lNOH`9^a&#x% zuxlWehf2V_SE6_sw8flvEc3lNoJmqR)NE_{Q}rIl4*+76eGv?(h@ZCoYt3gCV^1u= zt>xlSCRq3{I>)o`v4VI}%9@;qvOrD1Vn1pI+Es~;8j_cPLwVthX2RUzP&By#)7 z&6T0;zVycsDcMP0jt~-88((k4ldP$Tg2GHZ7aM1OfYmgbuqm6*KRvELQxa^=V{*>D ze)=m}%ad#A=V+qp;^NeTa{LeW+~IBh*U zw4vd|dP0<)Rz4^o<%oJHDeVZA_fuw6cZisbvMRSuF~dV)fq@N5^oK&bxv2jwtF$aCkD?7&oyTuN2eh0X2q_pmz36!(QfV z?*^l|AL#nbD=FYQ>>Lhh629%d?Kjw?MUL<6@8~f*?wHDVcJtw%nzg}4>1VoswQD;5 zwk>G}XTB=_-Fn*9A0*7fWnY&@>7{7IiH)g~;}Ls6#fhcvy;+0-)9}&07}o6e`lFya7NN-Ce`<;VE{c!T2N;Z}gO6p` z0hRQu&jT`9>;ig8#l@6<(y(PeQey0P2B~gpYkws`QH+sDY(suP&YSgMD_sLpcTI1$ zf}-T}tak&c49>dxDdcp=Znh_kLeI5oL_TTqy`6avHO_}pz~h1*YEv{yMW0KZA`cWl za;Gg|YUJlP!ptjhBq7RvyRl5P2m}haX=Vy1ebv>o^@9hIj97aAJYRl6W-Om572hb9 zXVG;1YpE%Ti^QGgrjku0_7Ak%y96M2@;i$%5k#>EXGjeObpO-`m_#FIa=kS-fJn-L*S<#BF*;Y3@+v)-j&BY%=?UNlMSjCR{MU|`jy*4 zjh1L!;D4BJg1c{@aogCZ7%Sx%3E%bYg3w^)u2+mNdomY#=mC$A8=)e+=Ca<(_j?t? zW+E0>@3CC$c@c`g_1F47i64a?^P_pU*z9j{i1s!)L|TcnnmnOWI}HV!wJ+*TI4e_mD(I~MAISf8ocCqAHo$gxLtFToK$h&cf!#w z`?$a!l~}`u{Zr&$O#a#NqK{m%=L~Ekp`0n#NYn4Y!Ko)kj{De8?v=3)F%FsOOdY0( zrh!mv)+Q_7h^2;ymlq??h+iKR5tYS8qp z(Fh?bDymRSmFBvj7IYEJpQHm{UIZ=vBRjs9$~ZEdZuYv5Ot8tooIdB6G)d zB(=;CuA*K5^7{A%)^phDc*CARZuAqWY?G78b*o{|Fh}Tg%$??=0WOXKlN>HR znAmR#;~Letl57gezDJwM%X7@_A>hlaoVq?iaet{#{+!b{7W3SeWE*@SX7K=Lx9@dJ`V==<`kX{kgU(Sl16=6*bVE#?Kha z1EnU`U>=`%$qU<*zw>Aly}?06c`TyAvuAk{p{0DkOXCl-5( z>y1dGPT)VXTe7Mz`vvrZ+*IS!lQ7=J2Z7`1v}6&HZa}tg*3@`A8mOg|v$p2Q)uysU z<~ZVTz88S-!D08yPhaLgB!~YK{ zrOk`%;yj?odomD{=$#x!1fRxRwZXu|q^RLWsYjT$c_p8nmIe8vT#pi$p3bqU5&0{Y z*#zF#zkOFk3U0JS{ZHIG#TIF*L&p0J?@854wY}IMuZ1U!Y)OdI{4!KCWG5TSQ-eaQ zSE_OUj2lRS-?-Or0%FgQ!>;jiB!}| zI_=L#Fj{h++wcoWEbc>9?Jn?=DDML7yDL*|EET&=Ma0w6kQB=ZF(zRI@MY#(;_JYV zadqHyx13TTm81GRi$|zn0c`t+?NfgE7c`(fHL$&U_=^yjO#RVn@`m0h&TfI)30`83 zwAB#Z&S~unrNI!>B3|?Czf`Ku+{(0cOw}r~i#fDrVEMI}+R7t4f?zVeOQ!I#s_tdw zNTfm^dYX|^+jHC5*hXBC3ZV!JV%wja-837e1O1F)S>WCC80hS8pwvj8K%Fw%>{O=K zgucwFp+81=m7U~#QmF`Uyx;LLQI?oLnLb(Q@uPb8j1%wEv60?kq#cX-bpCgtOl<$P z)LwEkv4Sg~SJnqVX=;fq;!1DIRFx7fw#8%`5*}p2TQ`HTdat)96-?UFMy$o`{5Y^9 zYIyL}8PcHBP!T{%%CiAW-)|;yr^~EU96Ed-B3;>RRuuz?IJYe&(7OvgUl7OX>aRa1 zJ`URnlhtz6Su$qL?2gC`Ij6DND5uJ#CU1+CwP|Ge`|C))-7cLeTeD|^4mHB`?)HU+ zxV}rx4WXR^jG+>sR!5Y2liptRk$i{+J}x!;fH{EradXtWEM;Yn0yygaJd?BDw}J7? zMCdUc88(CUf95CsZx~7>{r6p(;_#5O3D1aG{I4Q^gF{?!up;&0{e{tB1|GrJyL=HP zeE)Z-Wnz)|jG02(c9=nU2Tb!PFezV-xB*O4A;_#D!GHp$@!&iDiT(gD?Co91@t0fM zd&c_7J+%fsP7OQ@Hy@PQOWAZ=-gvk>)}k|p;4S+P)H+QcUhcPq7fE&tUBo)fE1``U ztFj);9UCwy*dC*>f|vDco}X-S=5*aM3e$ps$3fmh#b~w32wZmh?(L^Mz;U|Sqr z*%EArdRDvDb7Yk$^$Ed?ECZfMK-hP7exX6WH(+7nP(zy1m59o`D-!xeO!c2B!~@6H z&6jMVI%YsWiEL`R+2-G6yYG$uD9*F^?bIP8vu=STAVLiLi-DiW|r-g zn|oM9>D!CP9M*#UY9c3ISC)P!u?t&VP4bD?W2TL4K9ghY{%xeCwbE;G)U8tEdbnM7 z^<}7RdZq|&SAUztNML?mVVGg=tH^(R4hW6m8K#NJ@_x?Q z?XWV7EP9&Q{S6=?w%?;x|KD8z|6@u7&@|5>?({*4+S#o7LQ4~QVt)XbNjXOlAyybh z{k+GNqbTC{ZD|6XmMVh4+kDk>D~y^-B0;z}5j-S^fn-Lq{4yb5KBluRS7&Q z`Kz72%`V&Ipff&){t6{|*G(Cz<)K02ipO#AoAZGcC5~=l=Cf_&57t9F>(dt3Rte`O zr>SlK3Tp|SE|S4iVF5L=BIFB8_#Xp?TL%G&aeYza*9v3f5pY3Nu|$ub`}6Ku8XxKX zzP6l#2Yw0d@8ml|-(<|G`>T9HNy#3k_&m2aZGz#yJ5OxOMGzfo(U%hHaIHI)st?uH zIbCga9b5?z=%hJNvP`g?HUOhYpc^e|KoZz|0!|jgi#_QFwQ`OB)8)3Ei>KoYfAI7J zi^VcX^MJS5N|{c#f4QA{Yo+o(073ykf)yH1B8w?&S|P@TaRS~UvimQuPgS?ugL>u3 z8ujz)aqcUvPiT@z=zmHEKkl!?z|2Sh3RZ=$0QGxgrB+E|d?NSr_bisbH4&z^(w8CG zyHdcn3v#C>75~$?GqjUZ5Bb2QDm>d#@&Akmpp_zS*F?EPyuhVkV~wp?RK~%o;)0F*YF>1a4dh1 zia~3GF86+>Z1-)7U-n#AcX#KWsnAl>ID{AYlz3S14^)eN7M)%PA1<_*n>PYSL+WWg z#~%VM_JYv0H_aT_V<06q&A%{>QsHl}NT~qegoz(1-bY1o78oQE?)!EAtt21;kp1b4 z*{E7V?nn+1A!dJrk(BlK4(p{lk!bUZZqDYm>!1MaLSQ{SKP-MN);{+Sj)kVm$@;Ta zM}Ukg=`u0KwN@+NIn0e~yLll0nNaOgCGi{)$^@-SWMJEqQe>m3Y(mhkhqJu4zv*&@ zthP85G2<%R3@!dEyP?Hj0r4a<-0`VdkGH35ovvja$HnXB3cpt|CH7FGGV8>uzh%&D z)`w*|o|h`<6woHN+zjd(lg(h4tbuw&%ntu0mn!pLuw8E^nP1zf<~)!f|4+>LqxQs3 zx(0L0V$6m0m0hKHm3ZGagUd}+9gkPY^%C^@MCY{;yFl?8=vrQoS8Wz~|5k|(%3~M$ zAK_vD_es&Pj{Nh24KMm^r8$XzGhtRxGLcr|m37KciL!i7{Gy2A=6(=a8wDA7KwYF@ zc|cEdvnZw(IZ)vwJ@vDky3F`P=yNAGYOll8L8r8j-4o%`D#x#HPXmIFDqAkWJMe?WQ?qP?+kw*J+hc4LEAmS;j7CRT8)Lo9$j7 zOa+=qgb8AD@6${!5~E|mGWJOTIi3RFlWrS)rt4KVBI;b`ej}i2ksMQT-1=Hz8`x#1 z^^N`fJqeNj0cjGoO0M#&R3fda^&cKgn6NKt!WON(Qc0<#7!sX+ytKB5`5^zs_q2z* zrXA|z^=Bv3MPoXSTM_lhQdzqOGR16}8972(Y{8pxMURUoO zS%HlJGWK&oB=C6`C){kI1k*M7>!xbuwO-Wz{?~+&fw;Ccp2r-c_wTt>nwIz5zqWY3 zfVw7agoXVD?i03{4^i1>703JLDzuVFWcYC(@nN>8d*=ZmeM^VBk82o>UvV^?m?1GN z%KMckXt7+UnRWf{>*IdUXZ5m^l_yib?Ij@9BodnB)cFyVv3+OC9)ZkD?} zCCi`5;c-7FW2*bi_P+@5L5zcLsD_2L$zgsjkwkayeu50#%U7+wLhg!6a8GSwP30)) z-zn80*^+J6E8ljU9RMpvQN+jgh#Wv0)^vvwAIKSvhG&kdoGacy`wmiGL9hEr=a#F- z+hr1Jp81t zzrMBI{=Rd)kxmq3tl@6*zfo7hg1iUP8(f?k@}+ta8P$D#_q#FcMLS}BmhUk#;yAfPSv)lWlB%O2f5#tn|I@g<~O#M#h*zx*gGoiS<+dn+hXC6c8@P|Rps<{VE zuY#7mJUI}xvn0O6NH=%q$}>^d35`yBnc?8>e#4PkvD4vRFh!EQL(*ikFD9`zPErg+ ztAGQ<02OaJwZ<>vA}ne>NSexWh5Tg$<0t0N@r&^#SESQComiU-mCkK1VygI9Qr^Ql0S>Y_exAt_J(!!kvTY$iqHFdvioz?1ct!bIfzS{dyF6*`j)|oc} zl<5k{;dawT7vHboy4&lN3$?OcT&-yG=!h4lGvK7Hm?tWepXB-KiXVZ?EcsB7=W_8e z^g8V4%4XU01Xv+eg*oGQ&Jp}!rD6}M0aEOjV01-yteMlMBf=6>%=Co479onMMhyvz z)s_Is-7w;u`0DlXiu%XH8qSGn*-n?E3WLyVw|iSep3DAs47tpuh@0TgPcTB0xv4?x z?((HEq+aV8IiEC)J;v_}5b9c7uQXTx)vq`Uwfj@4=+pmQ$L++x!4`N2EIx_qL{>Rl zs^@zkc{ROz7&vsnEPsmAdeoA2#@1KK7spZ&CZ5FuvTkLtV_c4xxW2Ge`RX;MRtadm zaBKoZvl7n07Fb)Q5ta>?dZP&8$~d5`7pu1t$eNWoeJ*eI{+gbch;t1(I$|L{^bP({ zmf}3IrgY1GyJro5Z0vf?A@Ml8!g4o_js$YQo_OlT!0A70EaC(5kvdq+0@@zOKpRAM zXh-FUPo!+!G{&8+jB!}B0}4EY#$^=U>Vodpdk#R#Y`!P91i11YA@ z)W@yri2ey4ixT0CQBmFi8n(hNF85C-9@xo1a2lIdSGELyrAD^#e@$XaKacFTCZrWa zqp@NI?8``BRZCW;RmSKH*DC3hi~f8e zX%Y`nv^M|3-6Ar?dVPwN<(lC3H!F=&p~iB%VEv=*pM>f9G zgOI-jOUlSp{c&j_u5jERm*{!9U2@zB?2;|isxoW@WK>|iHbcf|yd&voc@z!D{aLNQ zr?nriOcEjFG!-Qqua@%=T~XXQ6l`hOo??Y8j#y8D^zo-#pj}mkkT@2WIatt~*LL5O~wt$=lEy!l6E}&2@D>Z|*CIJU0jsigD?pv=$ zk*3R2f=G26Aa7Mnfa9VHpm6`kajABKdm){zVDg)Pe>C$-3IN@$A6f~WX;z$d4w6(U zHu?mNttY{29*2!cRToiwrVS_FiGYpt_8{IZx7)?Lk`1OsCcxV`G~U0VgrAWgsZ?*q|XPr><%@W#O|G#Z0rS)9?py6BQ$*m(1jdy7b?9r-&PO~RMr{+2a=eETcX=q z_)QB^7_!GKKQT0z1?A5kpalWSO5O06Ob_Satwr-%NMt47)FTYWB+5^w*}d+jo@D^@ zb5#a5c&HF;ZW<uTd|0ZQ_1!ds_$+w9ic`-%T=vdEC%e9WekN_Nf6I1 zd_x^34i0r(9B-7e&mI9BB6q&8cNv&tr)CT)IHzky7MjKB6kB;Ikc8uI@|BOB;X(?rV+{*rE)z2A7SIZB#Ce`2 z?TDtzqZ6lT&vzZ4uKwWpR$-0FG~Ku^(n$tToX%%26Tgba589XoEnwwVLh3 zcA&|Tz6fw6bEXB6Pn&ZJAbVd)&GPuOh;4ap64rIekYasJ#smY|Iqt;`+`g#fL`tU> zNg!cch5WX2^v8E&RMM?;NR3Qg_Ljm)OAoBf|AD<>E#qFZ!bhT4A;cff*s@Uodn2UE zLdDUu%1+};^j=0jK*oilJ(Dj?N>EUAvXZ83_kv7hU<24o8HIImp~ zewC{q9AM^XWg~PbWMvKbLy`+VQ2@a?W#D5Q|Ji}CD6WH65(WeevK8fxxkTRQUyJwQ zTLBWQ;-e3|?UW38$iw*eJu~UV_ebrQws_MN<1(*It)3zav9>7Hw{0G7H@_L!f|-b8 z#7ndnT+<1Et_z4P`n=9p85w`vD%G;*vfG6Bk>4Zr!6Z$eG$EI+Z#Xa=(V$4h=dhm_ zWMa_y_R_^|yLASAv!{I>VOvvrK}G@Yb$Jk-W^z9Ai|hCR(Z$7XOL+miykMyH!8i4z zL@cKt;nQP>H-UK8xu+{O@=$huT5M5P7b)UAX2Upmw*E!`zphpmQ5`0yHrn?9spXovdCz*n6sF^3NpKBIs&Pq ztJ~7>L*x@iGihv z?>aMI4WA5H)Fh4bT_J%Vh6b^X%z(Ve3>Yv66aW5Iy&RVQ_R@~&WfAxI{W~#+nQAJV zO-XEiLCO&W^>`2oqg_;J56E0S*_A&g^n7c42uWc&gf`U19|(EQ#m4b6Ok#N2q3X3R zri&c}{Q^!Zi?KGcuI6)!9=9~K8sIuHIa~wH!9qdPp2ErNW9BjOTB24mA)|l15pa|Pv{dH9Z@)~IjEEyl{ zq+lv}&dJIzCWF-bR;hr5e-smep>s8r)` zmY=%)WIDHO6yk@JXzPYP(B$+P{DB!OI^nkVj3YVFvnCV7%@i&u7{;E6sNKAF*A&X- zu1}P~<01KQg04<<2pW@0)K}j=;9W<BJyEt_FxDb<=RIz|#EyLs!jtQ2a9ux_DI& zfFV@Dz2)JUM36$L&dMzTlBpzfutWgKWp}?955qRpDG~`&9ZZXf$yxScm(BbYa_e*i zii!fpR;(qKPt2&T2dYgOjwZ>gNCrAhvIKGXh#BMK@{f;4M8)zsf}$VG zdE6g%dQyZ2IG>t*leOC1U9*G-fMKlE^7?NUN-c*Y!OQBxG_7vN&x1Nb$DH>W)xH{k zqNMSTEv!qWR2S>q?yM6&Y`f~cz*%@RDH^?IU&4YSk$p?8DFW zgvtEKQtXEb@_aWDifu};5?ZZk$SYG)LKRsG(gG67qZjEP_ix54$hi&%e`c(s<<@z6 zqdDsT16ZJ8n_uo0R?7{#Q(NoEB+pe6b*cQ$(5MX8D{j`>x9Hf9;Qxyj$6h2$lAV(mJNV|0@#9+DS#koi}( zO;Dsne1}{$K>A*i<)EZiNlixC+WCL6S}VMLCxZWV=$|XZHqU0ey1qv9pLxCw&VN-T ziJq|u-zK-z{+X-5!ocD2S2Z$b5mOj`O7ZwaDc|Yz^Qv%wz%}n0^hqkv2i>uqxwXp;O!Gn7U!7T)LClK7-f&?eHy99TK!d(h? zx8T8@!rk3DEBiaA`)&EU_uf}`uKH1sqH3*GbIm#C7|*z$^S%!YwU$_A8caWhkZ^Kd zTUup?uznSat@uWYWO{#6A@gkeHVRdJ;Xrc@g7=>%{da_)*r^6=O{)w6sD* z&|39y*6nlI15Osx2HvEAjASe)e8?DyPUW|tU=tnCK&D)XFU*Qx!&(X+3?I?K+lqmT z;v;Z86t%Q+O}a+VawCq2-(= zs4M8_(-iq~cCa_6KX!qH)CAE=gnwN3gd>vm;T{ zesKggtvk5f3_^wKTb{lObx=vl2WTX_NoBkXQ(szYZF#z_+wMYIX)Z_D4GR@134Npb zZ$0j|)Z`-r{E^S_@Pgh}S&XFAA|#kFJNW}~Ru3%++-I{XwE)Twhf2o+gqrnMY;0q~ z>>qN`JRXi@;f5l>`$!X(57$Jk#})12R~>?hk$m@IfQaJz=9`kxC=$=xnNYdk06Mnf zj{W%OyQtsZwG1zh7wnev238s3OTMoz_JFcD%T%#SnHagar>J87*UxlCj=+9$>7a=w zv^xlOvH;|YDdnI5B1j&UjN&i^f>gv``Q2u%SNtKNc6>b0PpX64BQs8@!34KfolXdw zqueLx*b`>I0pCsJm5pO(ap7{L^=Gq|MGWIc2RO34y-}tCeZ$)3G z-5hwT<! z1;3#x4z%5y)s#%z<=ICQkp@5`J=$dA_c4}st|r4WW9CY=N~_79QQiyUODtvz!jhjT z77PokfKlwXhw56nuodo zVs`c6UbZ3^8i^_nIw**z3Q4U66i<#{1p^O z{2C7N4#wsH`q<$(Hh&xaCLscPlf$>r>=8dFg@YN(aJkFMvyFn^4Ym;UQp-Q=C7X`0 zwApM>>-EA=9ii_**>VfP8uvY*DO3cMYGDqMz{*4g^gtC)ADYpW5HSS#)kKguz7UI! zVANM&n~R%-op@Z1_wzlaV${(U2vfWDEX3~+RXfbngIn#L!C9udV;k~J>4_sA~ zTnzUzBbEO+F$s#?hMIg;|6FU3-lm9~?c?1-6!jb2Pn>LZoNw43^*0ii9=CGs)_dNB zgoitXDCp0CxbnM!} zi$G)!QTYI`ED&o_Bb-YOZLZ~qC$Pd&=>aP3NqW>)%eYscjFc3j_xpA`I0vP3!SkJFcI!*q+EeUDwO6t)q*v zkrK0?tUzuD+@r0mmozE`XKOxDZ2UM+iND^xg09P>oo4d{viZMr;@lpJ?`jTjD&ipn z&_k`e70QMS`25YI5y&sNsR~DH8<1uY@zW(^PKANtC$=KT#se?xT0o;c@iQmLzxMr@ zv4Ye$6xU}=f>y6Zu5{Pw6T`TPMpxC8n$DZoIu>u?2e2)DfGpnpEgta^DngemKd%JR z8HZ-ASy`8WTxY)B61kc}HPZc(3CM#E0Xy|jzAyjfC#F}HPAiXtxQ9Sh@7R~a9vE$L z%FOwJw@n$b4?qWTCZMR!02dKs09ZR>cbiO6RtlqbL5l=}!y^%y(5h4KLntJx7&^pt z!NodN^(g`3SAuehf_{Oxn})n!o&3Jp_7izrkqXvOlmGf?t=7f&@`wrZQw@Vy;5`wL zo(M(ZA>H8t3IgInnt77(@ofajGL#azd3Ti2MQ>Twpnhs0q9Fdj^qQFh5`@{me&6Ps z&X%{H#olFA9IvEjN}N61P!3UTAR2JPdFVvOZla>8+aFlOybW+adh)uzEc#PjEPnQB za~h)O4F|~wAB|=3<{OD>#+`Q=fZX$qNcZi@asi-{7&9)sKEh7KW-O|y-v~^V zHf70J&9kP0UB9rZqz!(+n**Uv-)G+2R} zxNlMg7O^ogaPnhbt(maCV8R`+7+g#-1D8718pp8Z$x3Trfarb!F>3UXP7bOyuV`#2!n3ubVxzhr>C-2^>GR3EtXE$ix=UY8i697!u(g517 z_IbDgc(>dXtX-RFFd0TeFa-6N!#W;UqA5Ug(msC!{L=%ZqC{LpfZEy}CpVz4&qdEA`2-77mS(pLFECRmKY9C60LG(SDgUc_ZHC*b zH+PmwLi)V<&GD?;NaT^rlB1@z6xwmLhXwpk4N3Qw3;fzEv{1WEM~;Z$g71^Y6W_y{ zo2I{Et*v&fNjXRM^-QrF=(pZQixb~W!0p`})$8J1&8=f4VnW{``6Faot8VPX@&9Vs z2;yCRXY{7q=Z93jm!Ksa^E+RMtU}lAG!p$+h=H!?UUmmS=3~*%@wKpxtU#3mW-0Cb zMkO1D#X934i0M$U>8AFlQn7(_4j1@wu{h{zm8RacDWIS{MI^r5>*x9Ai0m4&+wbzC zu}RMH*-zwosgSIxSR9X{rDWS(c*|e*=W>jDJGB2)#*+{3e7lWCI}KldGLB*HaL<~B znl0yKu2NVnP(%EgP4d@BJ{7EpJ{p!9uFnv%kKKzpC`VwCeXlHXcQLEt_gPqX`4_#P z4kt5eDZKZZszi9qCkM8lpKEWZdB3;o_s%}M`w<>~VBvpBQ5j1+!3wzinSEFRav!H< zi1MDKOdGP3a=Wf+gdQ#{xB70!^?0#ko&OVrns@o+Mo15p&b4MSGNDsZUBIg%cerNt z9FO#IBCN7v952Yef&WdH!jZ|?vV<#YkC*`a-BxVp{gCy;po_iS)Z}y8?p{RhNx>Hq z-u=WRn#t8?6oTJT*wW9#q_M6$We{pv8jJg<^ZDZ%cE|AHz8}0E=eSSjD^Lrxr3Vt6 zc3fbSgW=?k%WrMh<|+#pH=DAi0HA^I0e8>`Ym*v;lC8VaI;K;a=(QhANzKdINlSRk z0OCyOYxPW2C4@mi91@1K{%F=;oBaZPbfTs$R&2qBB{yHsa zb(STceG8Moz++%E{p_>zX->I{h+xyh-Hxq2#KVbubnH_446Jdr7IeZHVFEV38D{ZA zM*3!Tg~#g(2NXaK_;wsfOD(W_)@~qP{qzJeDm|G{p`FR-Q3-)4L>86DG?N>RzIi}1 zf2&k=vBT(GFr&j#c_i;O8lWVzhc!7dNopyr@Ns@!qL&;GXgFOcI$N4_+qos`B?@S> zv^)NkAgQUpgNXB%?x6*&M0S88F!fUdhl#Jh!msQcne--_t#WPdcugno#{x}7&Fa3? zRXCXY$2&X1ezQv-AbUS!;KRT+Mk;;LMu1*jU)}TE)g6MxuNdYI}~L#QnY1XQ1)bv?q8ikk!VG z@DXTdousX3kpLQ8+7xRH)qw0F{TeAQFzXLtBq$QMH0xVVuvBzcBeBUFBeY&E{94o_`7VpA=gKX@p%TkI!)sz0+(VhmlRbfZT3|d z@Kq->Wtt*H%k7rqj3%Rx+Jqgpy!si3vU(1Gh5%0PGDV+0qoao|c7knTR+^$7-!@x) z#e-3+O(NzR7U2QvIOQ128MK zisf2enFouI5jH1N*}bFutOS>bW1zG zAM01!%8dlG6v#A)8qp9Q^fl>)`Fj5@8{%Ys7T#2j?AABU$=H_!2m^|0){Z1jl{y&p z#$@!^a5i4&kRrnxuSyeoZtG_>n&n3suP=0GcS0d@dkGn}#GCO|>o`*Gq{QwwdqE?l zBQs^G9&Il$1Bnj*Ao}cY+BVW1^k3u%MLLHBjq=0Rfov8%K@?~fVf|vn7K6QF zj(wCSuHpacec&H(|mnrRXKatzI^na~~5yIlIN zu2Udm<4$>wsR_WcMW??DZWT{`RAZL;5|)#mn)u41k;8h$T`5cBtup2n4H|}6f3Fxo zq^YbiUz9|Oo{(i_aJ45MM^P*CF^WB{iVv5LcyO}D!gidM-_JP0sqv&35`7a|XZaSX zkvbbiGhy^ILKRL8h9F(3sWT^yZW*7bQlarBvxUSm2pn+TTahDNIV9?kFaa49OFd(~GC z#A{G9_8Ja%zPXdgUNy()M`xE zu$sT%B`g4@GlF1A_^J^gx1sgrl+#hMChRO6t_x8j8Z3dJ@Vb=Bm#Nw$(o3rSQ;E~c zU59Dn<%VX7c%*qxeWHnB+uN}L+EP{DOW5_dbkM%HH69OaXN&u>OQ2YXL93PdR{qAa zb|aj~A!c3)ACBKJ*r98$qmkg)!%&l>y8@6x{TPfjV%#rAaPiqkU$UeULUCuX;#0PNITCOZ@E&z#ijX(5fXs$hU)lw2za(4f~u!pR4Tj{Sj4*d)zH?xr8{2 zLa)=EisZYXP$IslcZcil+lj!I*F)tVF^o>D<(=ry+M*bvlHjX0IZ5d-tOJe%mR7L@ zKsmzds!!o_>vr9vuW_NmqJK4;u2w2cG;c{2e{vd(USmFp6j${~$;(CR6iLiJ4(J6m z?cv|PPM8=?H|Eqg#I%@RjN3%3RYd5&q(995?bb!@C+PF}znf*w zKyS=5_I||XV7wh170>=_d~s3XkZ~Z5S9EgAXTQx~Vw9n$Y&}!@YES{s+7TJMI1QCN ziWkoF>B>nzptx{QB<5ThiW``ENX5~2$2W`x5nLqWp+nPnUF{V;|6Mxz8$q__T(*ErLSm#s&d4YIzRSTbu`#ZdB0*kNSmlS-z=l{3Yv^4p8~L_ zfUQfP!7-G7M!kCqv{$2fUAU=+3;(+*(g!IBN}{b|*dy93zS!~|z6NO+3TPO?_0?cJ zZG}WT_(O_%Xs}=fnn{v5Ixc`9q|s`SsN1i1JTk*)J50COvZeU&dQFw`iJ04Q3f$vC zQIo#78vzwu2$Trd%F*T+rV;NFN&}wu3%5#U3fY4i$ zbCe-C?YT;HHQ6Mi0MJkxmw13b@Y$?B%@6uvvcQCOQ~7=I zO?z70Oxa@b;pF7xA2$teBA@+fbKKObqqXES5T6GZ%f4!ucVAX>DSnr0 z!%OMua+h9DmnIXbcp86%#-I{|EA{Jl9DVs9i^Z1`PtCn8{Y#P9WPLEc_xxC4MPZ5~umf*J--2SfuqfM%1>ui7#JA-M$w18dzuW%Jdi0sc zT?ubE!~`g>0>lJHDN1OJ;I}?WN&D9t2MrW_o?G!=qWO9WLjS-Ke~_bslLTN>0FVY7>#vJ-zW1iFfn7z zxzeGsAw4}J9tSSV4YoOQw+BCi(Et9M^Y4FU0iw^vD7S2O_K(CBm2xe00DedCDFN8x zNdY`=J87V!&{}FhOOYA+e{`7q%b*kR!ThD|sI{uR3JZ*s5KNzj1`g$Az`CVRR*R%dh1EwC;|IG2ErNB`=^0Gdpm;Dnr*nc~sm=H>J z+jRhGmXUvhoB3=xJ)oud5o!Ns6WNvQwax&JqR<+JogWGlm;`oEqSLlAus9W;i%n;27m~a{B@Q}nTA5Ov9$6E;8V2K;RB0K%bn(HU}%`9UTs{A zP=j;iXxEH-9L?a+EE(`=e4@|G?a^nc6{34mA9Q!~jBK0wpoA zKtf*EsWzvJI4XG|!04xt4^29bT2TxQsD_hWeUX(_RjqHa(x0P}2OuuvM!>)Mt#|R^ z$W~XzfBjg2Gjc#U^a_~H!;77bjr0Fx{%=`*S^ssG@!`SPE%ZbuZb5LbtY7vKTKZLh{JO^l1Z=^-FEvyacZidC zd;rvgKh2FIh=&r+LRVs&n;^7X*@HtJb$**Uy&Kw-pQ8SOTkBkEH5cbOfk9hif2t^l z4PBt7gvcKiO~APk01ADX%$L^AAzKY7(QR+zI&%Ylj7d*FO2PI4NMeaV&-UG$NOTl* zCM}>9je?$D8t{+)6Gzj8z5L6_{+B23_+dEg5zTox2=QwHhtu_0gq%J~O}DW8akmi6 zLPAX1*%fvT`MLNe`8M~RGXv?(Z|1Tb>CqmWn{^GU+25#(y!LDYb{i;oB%h3wGHfi9 zxrE+$MN>ZyqE|iE>bMN*Dq+@JEvr~HA2BGm#?xYM0yeQU#mYvlGB7Zdi_YBh3w9W9 zD;101^hc5~#vF~5=}gW(fAHg8p^6_=Nhn#+A%|2vt4z>Ib=dy{D=;=RZo)|DVzZO= zuK`(&HEY0K3uye40UGzvKfPrkV`C3mm*Xof5|lWsLx-0Xg46e*p)KJdL?)vDaMb@28T`8^9Yvy0fqF=T0r^(+g#|crjQ|;MMyz5+ zKi>0jjyc{7s0IJAv*ol|^(N$VSNrKU6i-`FiU6SNMe}@4aj?_btXBw6hhHP(-@b8= zjg1AAwM4~ffP|06_Q%me?a>clZZQJjhtOM0|8~tf7g_~|BcOT2j(=sR&h@VmAO{u# zA$JNr-goZ9eBwcbCw~!cMfB^Q42Kf!=JX5x+9#K@!?c&57|-uz57oQBy#(@K#I#D} zTduU^X;&zhs4RH8N@S8Eq*-hn0mD@Al5;4G&WBntUjj&I)7Xz^i$>G8ph-O#Eq~U$ zb+ZkX`qs66_T$ib^o1VVfc2K@Uk~Ij3l3>0l-U1c0sLn#@QID<_(J{2O23y4(SyOu z4r&SZA-nGF9|>U;c?a}}M+5#P0QofHRW#5y(v0W@D7np0(}7!U0LY0Sxdn%kVF%i% zg$74wbm^-+l1rG&eId2DP_Ved?*WRYW&JSy>&AertmT>I!S+OFA}b@C@8IBfUYJiT0CfjFH9%ND}V1uB5_ zjCNR2>^!w`YA~O?x%AxO%;EQu;XfAg6W;y__wSa@ zvQGpB(c6G*hJ2FGaHJByX-Da1jdLR2>wtz(_Ryy13FJYtD%Wb)f&o0LVz3l^a(&k!2)QaW4N~K!M5hWVklo)j1YrovIr+1ta zj&f1qxj7{ZLVHdXc~(bEG)SWsSzS2{_Q9#w+vguj0R1A^&=Qe#ruB?KGwg`lib0(l z$f#F^g`x0z*L7=4 zcCKvh&~~UL=PsgVG?Y;N@-g)Fs#BHw-FY$ntqEXEXn=@^US|!_xpG5kpImDV3m?Ht zgh%;SEc_ulU!`nvbIEQj*7XWs&92o#z1=hYYx;doEd$3UozQYl8i0G3$`K3C0}u+V zjDYESbgen25uiUSckz9dtqowbqZzcD)a`PA%s|HsRJmT!s8@aXe2{coCca{|JSyiP zxB^%~YIre@-Ju{~ANmF()$>+X*5)~#@F~<=@tW_F#P;;CRym(_X)XFSDs2raE5!mF zvZC#z1_1gw`eT&SV~UHBOuzB*dXW(z3|%@;q7KNu=zUF~iLYK+XmwNleTCNdx$lFP zSfGQPcdbkyZQ*rcm+UD&uHkaCQ=;=w4BbMc%Oem~y9ezEt=> z@68~e$gT7#ZG9 zyT*9z)^{^leOeEEJqqV1H~2=YPE?ck1kiu~G7j}74*cBBqZfqB_OS!&TI^oJ0iF%h zusYDrPY`h1IuZv0xbQN!@{VlNtolz>aTKGOz;G^jGQn1$?|1lhlFsDig8>TjQ zFs5dWX_i%`EgpR3XUm1Dh2Mva&b>Tn1pIcXV?gCf&TOW%Xb`9?DoU~8zEWWL?`aS=%EjB(-C14-(A#F)G`NQ zObYy7Sx$BC0luo`D|jZ(V7E(_zR<+(263+g*W|rZEB#WAc1Tnm!2dO)54!}cSI^&3 z>d~>A&kQrnXq8}#xSf(-aKF8|&CqGGr*1*FvkhMuoW2QD>Qbu^x+yq`l1J59rTOHs zHko$f+yZOO&nsX>#5a!d9DhcOD3nvt&qIOa_0Ywr1reBXT^4?cZwR!^RZ@!B)$QM- z9RzV-3E!=CajCelSdRh<`rYw zj@cblli()iPRY9e8Ij8TstfP@>=$>L({qyUQX}kfyj{h8kgl2)`(CrcX04l>+s6a` zOU}Ke9gSukW1(QteqJwOZ#2BFy@Gyvj8lIp_4cpNCgJStvm4o|TiKnm3-Tmw?j;`> z?xdG-MBEPHx5h7~dXTaG2yN#Rb55e;?b>eWvQEOsBxXacb542IPpXrj$+a4b~?J~w}#4ZW$eeL(%{19cTdTuZ?2sXcB*m#YlR_B_HG|@ah zI1$HEu<#*COlBVh{FoNDE;)U2s~gzmZidelgz|rxeS!2V6xh1WItM57SFKzu^_=`# zTAvxqHE>6%4v!^?UJm`(oPZ~(XHmhOYXuQko&a_VRnL>n!UHNFCYGEa!aw%%5_gIi z09siL;0m?EirQ1j*m{`~(w$~?y6SU2NSjm2*>+N|VA2Dz0(Pb72PgGjd!$lPPJv6F z56fnJIgnS}=hmnwr_K*Y>{~%3Z4P3umg>Jx$^@c%b*8wz9u<$mwOa*t+Jk^j4fgy! z)IqG*(*f4rTxF~|PfvSy5I+`EqK!16PlwGS?D+BSxHUC&ou&h+zvp%`WxU!b{qwY{ z_&i;{^ureg#rj`SWbBI&O)gni*OVpOemQfLT1EIG^W1(-j;D*Wevsxtj+*kH@O`lL zX60B_)nlXdLRHs;%(|7eNnjxdxl?XVT_+pm~+Hxw`Ow(uw> zgPA{78}ly^)1Dt-9;|sK>`qsq8+RY8TVhz!{_ZS7CK`gNr6n29;05{|V@5UY7|WNl zunw;`FC%mXpbaM0Ius7VQOmZ=FZj+vYOpYFTAczc|H3-O_SD%z73OxD%sAsj z2cld9%DPl=QtO~^0C8|=tr}PR*rer~1d?Ge^=z4!10RCQ#Y8`su1^W7AFO8@&yqCr?>=ktAO%sc z5q&BXAzQN7Q*3s$oUO}w{&jNgx&MhY`_+x!p}hu}W!8m@aF)wqAFiw*nXTP3j6Dq2 z-P-wz?EaM{+ibKm@eByf&K$l(ZQ(~UN;j6_7ZRQTx8P*i9J7IHUqmO4WSA~ZBf9i@Xp`v8IS{x%=i%99$jZd8jfCc zz(!IiW&XE@m?)H9kb=E#=sL1dZ#tOxVQ07W8P`pL#}fcIziAkIt6 z`sMBWhlrb7{+GK*Bl>&$Sp!lY$5gM>pOrJXEXH9*miL4#bJP5K9Z>P3mfCV9D)bb3 z4kLi61i4t)Ddv+96_RajDiYgGKi5Yk__ap@>lSpP8UYL zw|<|pe0xs7dt}4mU|a23KpJo`*w!FR^N)~Tv;oh-4cUVSGl|&DbLfs*WL#&@TK@X} zn`pmNb@d(KyI2VyVb1cfhxMyJh(u*+G)>>hafvj7V~|P&=9WUGYwulB_}S7@);S4p zs{r9#JnC3qpf0_!zv;Ww8GT*}?%W`69EU)^)ya`hOzU5>==Zm`NtgWMRgOqe{N$}TQLa}$&oOfEr1CIxH|X2 zR_rJbK3j9GZZ|YTZD>h;1o!jQP-n%keXn~Kso)LY-jOzlsoTt%re$Oh+Z0AIpr&Sb z!X!j6U5~@#hR$V{_rK}GSRXmdzc`>h@5lmGzV^9N3lp6ZjdZA49vQ4sqj%$+sQR+Ek^;_XhaDnGzl_ok(>DT$R zole)oG-{Gxqf=LsT5hft(AUj~wuN;t2kLUT=oC^3F$eTg?F&NmA(9%c0xF{~>I!Uh ziIe;6iDG3W;;T6EIJ1jO+<7*1ha_JxX^xT^| z)jG>xyU!;7#Nu^NsiOTHqhTuz=aCH>e;yu+Guk%nk5~|;OTMf9cDQT=Q7uEKG`VTl zUM2x{-2CpREkp&pnlp^EI_(F@kuBuP=C_`P>}A??UQeIouPq?o!fVSXN?wRUa8{;i ztw_jdOY4kD2C9bUzy{^R_xfpR4z>|nEqtmFMsw^Jj*t zrUP?zqwtrU`JgR5r`4 zmJ0?YO9&v8ktyI+E>?;MkiPua)l3CLF(&xw`$Pek zTTjJWU4c&P>xB5t${F|4v|@q<7V8zz`Jy#T>77R1lKmu;`LTv>Zx$*;%c(&!*Hw_W zBfyH8Mk!IRPPk$qjs?3H&rdy!73HJ5dnq%v#6HJT*^_eIT_+;&;lG`I9uMc|?H^}39-VvFpKEOe} zG`upuXQ>|WQ{Ina(;!PPh6hAGX()oTM)4QIIt=;Jmo1}1inAI z9gtVsK1m$3`3PVWhd^}z|xAJwzFW$p~Fn{U`nl}ZK zN0OX&-D1q)Mkd=4q@1{-|E84r*L?MVe4d4#dCCqa118QBZJX-}k8Fg7B6uMSv9X(L zh(P{0ClG;51XKzX*L8!j!2{hjC_&QHbKj)J|MCfF_|U;Sq=x~dm?)_mm4Y}kylYIe zUGQD?ON84_XnSQkty~@V6g~b)W63f|2WWxkmGdgIu=<7Yd>Vvr&sG5v!XsRI60O-9 zqe!Ywm+mBDX<`y4!J2%Vqh2h|8Y5i5LKZL3*Hgnz=105T0?sbo>B} zL`Ze1?dHM1^1;Qp_#SMEII;KK$wIpNRZ6Owq@Z`Pkh~ACPu2?MsyAu6OSa~fIaDmY z|27(TDoWSb=H@r4%gQ0^w`9m7>2tSXB|7y2Jx8o6_Kl;Sea^jhmq{ZdgOv=F?Wzd* zwYxZ4q#3NU!g~I;@NH*jXV4zu;V1bL*mu!7+#@29mVm%Ig;tG!jYy}?A{iq&hmc8- zlZa~*VT2UQ(X&90Flnr}VG89W53itmx!g1o+nSt@nOXj4rh~?*Hx)j_dhRsB3H|Bt z-ElUgGO*VPyKR=#Q9?pO?h#x>bQL7LyyU+eZ5CPXq_1sAe^%tk?{!~1{Ag9$7O$dsJb{ap4-RhKYr$Q&0)3M)} zJnz*+EpdJti=aP<+r3R36aTW!2XXqeu1HU|F)VLj;5A z+2bQiByr4bnP__{iKU(W2PHgKI>B#(P0!sKIP?Oq6Dw9+mJHUaw-Z{7vxY&}Kb1=G zDA{=)BM3PUF&naVM!2u*M5=5ZvD!UOKs2o=YLESiKk_Id0-$iqD~-sovKKD3eX`lo z;j_!wi5n%Z%1~evy;|5rmxZ8~N`)EKTTKHa5_q}UO4`Pu(fm`pbc1_^ZKW5|^ZZx2 zjv`5(rQY;h@%sPrl6jIN_At-KND)_8`3}EySLJ@)_r&$HNhY01D5dUzx?tKoe`Q)T z<5^B@X+`_ze0l2&^3QTD?L0pyk70gz4Z}|+e^kMI^rlmUa)QM3Qq0n^@lVA$8 zQFmFtRkhy$M(LQ7##pF2@3MpomEAd47K3)bY%}8X4 zaNzO?4;jV7Y~Xji%|sc!nWjFcCn6$O?-jXi*6ZYHcZ9eeq+dS)n_%kpm*)}>l8^$c zWkTC@nNUbqqV97d#o&V|d=V`QhK~cJln#;=5q!IyI*{Oeh)QwI$|7KYH?68GF_zJ~ z33_oC6kP*jv%|}u?G-$Tv{O@S(w!}Yn_1;gzFf_^K_B=!3J?-F~ z!Kdi7LcMo6-#nRaf%kd3*Tx`y4A5KTiG%TAx0nl`(c<1=H(sa#DJ7%w-4@c|w4b1P zoh;N&ddlSXY3APV08?NzDt}sG8$0PL-_6p+x4y8wgwr#a#*0z6BUfvH>2}->xoIsS ze?LvEz4Egy!)XQJijX!0^r{Z4)^s;v!^jUuGBcv|>W4dCjIfu~LQODgHOM{RA27Nc zH|{7omZ~;892mbDe`*hH16m4eKfVA4(lEr;&SwU9fFi7{?Ln@!Kuxtn@(f6J;6%;5 z#bq^%qfmMoKkGy2glt=G&`H$OH#J(*Ur_inYbr#}4PK%Y+e(7v;eb zVGh=wgfpA$%l5HPPaJmJU$5%pI{n~F)-O}$=z!0k@q`x>XyCD2_#6-Seht6_jNf|_ zF>XWNpL(DbFS?ml&_9+bluH)QCq?|-X$EgNUkn@eUX0H}ML0i4cIODgBkRg@sXtIq z6d?mxTMVKg+AiBBo{8@T0UfU0tX*VGKAHZ1eS1=Sm?ZvW1I^8zkJ^f+1@xYQ3N-%d zzfSCvCIwB4iP)YDH^7c)W1I&*90;~#`2O9m)rVoFO+qBd?kC?%upnpTl-UXSqlE;| z50iwDq((?XQd#-vdn3Nz?jsyQRJ4I%97smzJWCX`AwQXX$X< z!TDX&_S?aSiWz#Tpjf%<{)7bTu!9JcFIc&K6{i}nPZA(HmU2ovJo)O!Do>=)8#TmwG(RME8 z(sG9MtFpFuHUKArWpL1uo4^s(2u+{7Y^0nw>9Boe@ktK%DCfoJ?oC*Asuc zQ>{>*85hmED*Z3f&I3B6QsAK7aZB-Eb}FU5frQmOMxj6m)OHXn{_%>@myx-G_*c41 z8```(gKqY52UytlWV>w35pfPxPB$vtg~nQ)2-%FSE)7p_)$Rk7O$)klAI^{ZkMx40 zmY39|w94tByBE$@`}-t;;$gy!HX}GTCr$6YDfil&>kkyemFBt8vshMAL1G zktL1yU^-;%CF zw$kcoSP^&^5N`vrzJLH-Ms~aH6UVsOrTqa)Q01h>N}9#bh4P!U9na^xf`nCvm~>*| zV7^pV^YX4LdfIKLCFUvF%M#2;!n>;L`!`F69SAN!W&y4lnc%*yALP7_4qUwQZNTn! zR)={fkPGZ~!&0NF4RSli)4VJp&;NSX>W9FxQ#!UhqjAw%N-!Nm40ZkdBKQDqPP}ZXo`+v7xdCiYc7zcehR; zipS}4vpe6^!~>I4$-e|+|FxLi#tbd97lL+=ms)Zah;D(;q}^iVf|$B5P5aH5=W(u~ zqU{V%lqYeg5Gatfu=KkB3U#wo$4c;!hNc>1qW1>i*;soQ8^cXGGCHZtWEufm1{}fB zWLgLxMMh+`qx#?V3C$sdR#^ESJ|=(?-O+Hmt7r&CV!==c?*g~;cq;hdG+T{-k0Gfr z+zNY#L}CY$^R6I;aX*b8;F_o-h-)qpE)?{Z6-o(SG7qvIScVKP?{8uow=L>ujmvk^N6seJhK82>Q>fDGP`4GjpoL-QlZ#%C9ym_w-yi}w( zT_|V)!=ssdAv|lSruf>!1EI!tZfsQeAc!qs>1TirE8KW z;!3kpMVZk;CHz%$B79b3wJhdAa!>;-em)%vW}ZabNI=dC)}Vtx4q%7 zD9uuc2Lu`$D0L8B*7vHjKVk!6Mvfx@KlNNQsho)b^Pn+qu;X6bQVnsr3O3j*`f)9L zy>vTHlh*my8nPGA-@G4vXLC?wqm1-^2Z)m5 zhy? z$lFty+x~*od{?A+?%gK*t4zpe6%PEJIF)aikj>o;r&wZ4>aci-xguWx^`aZlWhaei zc(QYa_wYZG7ISjPzs>4#XEc1Iz9sv?i1ZK6)sCS4$QAlTb z8NwUtV1GEW52c^8K&Nk1WVIm@T9qi?dITs>vz3P8)5dCVCLC-rZJc=*OIBQYa>mw3 z!yFL9(BVU6)P((MP_8jlxrW#dLYsDP#BOTwNd6CVZy6P5mu-zE1SbIk0fI|Ha1S0V zxVyVUaCg@P3j}uv1b5fM-3f&h7NiIi?#_ME=X`zMzUO`W>%Qq9cZ>`MsiI^*d+%qj zHRoJ&p@5b@M^!7}Rd^zLC34%!RyDH4;G07ozIC_JeCJ%3)oYF!xwOBdp59gFyBDUx zvtfl4o(Rr8A&2ilv~OO<^cKF>w)q6x4Xw9xE^yaJLG zU0ZO7x2DIG5e7s&DSOg%zo?Uo0lhw4SrZ>HTAE^<5#2Gv?@221KVS5eX0 zwJx=rQswE1K2M;|)mtWLSI%r%x^e{<#JXZ0r23$ijN2w=EoEvqNP1D)y7ran^NZi7 z9|xpQ9*E)O_k-_GiI3-h-lPvk?A}3V&^8V`WoV3}%)=LXE{N$*d=E9pc!A_+xA{O$ zmkG10xruc%H-G$@yj0k-I^9vFHUZny@e{1Ev~5&~K1dV~B(CQ^?Bsi)$EiiMhnwXy zVJ=&#;<4hjnaJ_IQfbrMNWbP*;RG+lIfLg)BMrkphA+umi%NZ$ zDt>&PQ^axZGJPZ18-YECM2Fmit?{f1_%qCJUC#i%vAp$Is;*qG-Mfj*ce&MrTpinr zyn;P|hBZ3c70=D6%^g5`wALOxoA{M0np&}J=c{|!r5^NgC|p`}vBj7tEHz)QBn>Ar zM66=JryH{3i(352**4}}ej_tHAt@=DiP62n>4Vl0x(GxxZ1r0Cw+X1gk?~ zbiIFsr-Aa@;K>CFJPm_&cKAkwZDzmzH--#jeKll{`jD(1aamV}u}>>pQ_VH@a!tH{ zT01KfQHKCO(PV?Jj)VGx^n@5CQ6~muV0nyft_6D*k_KTLk=^g?D;u07g4vpecIA`x zOf=05mzC!P|EPSV(ZGs9tO2l()S3~xsdoK*uZ|d6B%TcqeRIX3RmIUz=-mp0ktlcR zYp5@!)+$jQweHXF*W^KE;H_FP{kwX#z!I`Q>^769Hv;_Rzf745fZ)x$r{ z;hF}j9k+#Lv1bRUS_4%#ZyS{q`5*7^+el`L3aXUphDfywGdU-Fgyb(R64BF$FU(lR z8;kNzZQdXLK%2@j_k&O{4*4Bib$V1^;&1b87PPYa-O<~4>E%>+HJ8!c+Dsi0wG4zz z^Vi>fD^QXtU1Z;xZEX|q14Wo|i*}M~KQi8w=wocLRNSP408LRTzj_}?x_+y;wI8D2 zZT%+bJW6mO{5WuCa3m|ak!Sp1X&}~40dy8Pxi$$jx9q%K+wWwU3Z>$X~ z)X_e=>CG{10a@44qPm`k=zjanejxR7&4>YvpY2PH-w5ajJg++^sB2}&)CV-Y9R`Qt z&I}V1_=86Gui3Z%Qr-tk`FE`-NH*n3%gU;z71kxggXcz`i8aoqagx2{SRYv<`v6o` z_VYaEkTFo^=;{3j@q37P#|tFrW)UXXLvzg`F^D^7+K`QxBXj49EV!)s9fPANiPM*= znn;Od*p(HvX)_AovWh1~KveuBLK~C8NUv;bk%uWbuCn&&b7N}4T$lD+9fzM7J)lZQ zc$k1zddYCHN>N;`)vO$#rrmMF{2a|$u}X-_X)f^Ac5zPrG{ON%T7K@*I=Tc2pc#O8zK;&ipagZH&Iu9+=j4{94Lq)w$BSjUY8 zj5RRQk#$oPe2-|8-P)Q&dSxLgjWERI@v2wCry{C{cypwKbHqktxe29!H?(UAE|Z?c zjqur93rstzyUiradVv??Ruxg_*mt(IrDylICocfYzz`FY-G;3YKnl~BDh$;Cgx=mo z`jeO1l^$fD*p`{9`lD!kM~8S`hoPH#LCoV^*s;b4HviV$xC_W`w6yu}FW1df{8#+=u`u`WCz_nh1tyu` zdw@QGHO1;uQlHNBpd)y;O`Eve^ECzL+@joY2kSsPr9Ia*K?s0J4U3aDJ(T0+*C&Tr zUya(mQW;D}WpS0XM7o#*RQ&%~F!0a*OGX6L#f1uw4@F>iki+@2$v<;jM&hL*A#|*~ zlCTqb&;8<_Ht#m5Tg%gk9|J%3KMS!QLEL6b+*xu=e#fk^2%8*l)CbloPcf;LjpbEDZMFP ztpWdPXUGd?zXhs544pkhhWu%6b;+s(D9b0gJeIRyCP-bAct@;|!RXa3e zCCv_No8Iqt%ZeABc3L(i4z+4}@97tfpQz9V4@)TSO;tTPDIhqIE1EKex9)NgKetIT z4#Pke0oiXFYYzo{U!~|Z7>_KU?TqG6&!p{-!Hqmqzad9h6TP&=F?=7|dWu{r@M35j ziTJKpq`Y_IN)-YrCNsau`kW-)-CTHpTde0Dry3owd3}3PA1-pV8`yRmYv0y>Ho zA06Iao$S7ollSe{&bvXPIIc1lsGTKm&MaK{BG3OSM&SN4I;!WWomU{PC)_Is1+X+z zTiyr%GtmmYw)nXQKnl0RiSnH5b&+9rXtl$-*m&yBS%x-T=|ip4*i1zelz=!NIxigh z)B(pR4aUPO%yPKe@#}9V!_~5Q@~ogr_Q3tUka!hqn#hmwK9*?(o0qyT5z{ll5^H1;qxvj0M(&k!~7RXwVkd{-U)kd6jo772Y9X>^6je9G*c2y7UFyM%CELtB5n(d1ub?Li=~84aS2^ zw|8G@VyQNlO5s|49B#1D!lsv=;0iCd^>U3nv)#D$VC=>kE!VtFbKdbu7@BpP_*!jy zMKqsU%WA#^4Q(7?!aQBupRHSWm3*bCamub@RJ@c;??MLng$_UFT&cv<#DDAi=(~pSB&%3 zP$piqW#aIa7!%^!?qk?|gJHRfjYIj6UX@TmWiTjV&1XgQ1{}udKH~y9Xb-zZ50;eC zVOa6Gh>B*6w*olsy#tfm=zU0%lZ1331^`YLB?$Ci^FYagZmMYPC5!IHV_f2hMCj{p zu0nRlef$IwaAy(rq0?9a5NG|H_Da6w^{xd*{$y;R z!{@?%`Om3*X@wt5(Dha8@++4+LeBG1)k-nWj7;-a)>C z17`f>zlupc-I%vtvKR&Hc3-i?grFhCa|3{lz|(**6^sIH`Q zls7etvoKqa=dNe$v(nzeD|1}|NOmChAv*5vKW@ms@612_MUEVfn>S4^2T{DbXb#@U z7VKb)$Z}An2~UW$NHpYN>+dSv&-_P3#}5wr&7KWW&9IJb%Y=u1kxs;U!H_>WYcz)k z)V?EI+ZZ;ZU-Jwz88?ru*DpEAQ&vXO*~1S$&9{^^=up0JF z>1vgPRLwJz7t2I{o<&DqdyKs|M(7SYhr&EZ1;ivbL8AFDrGY?HuibMCMRFzKRe2vT z&u&VLO^!ol*hT}NS&Hd#N9Tz7wYlG2qL21Wwf|E2?4y8Q?Z&U-=)=WL0&_>-`Va1^ zdiwPC7hxnPpN^ldRCz=ZBMo=uG~QW4_Dt$_uHgAxvo~3Khs?NcEg_s&ZM=7({0A~| z6*oRGvxO^K_95<(4)lSq1xmvD_dZrWo1t1Glu4&afL(r-fN+1`NqkmTsHXRyBmE&yaqSBZ1$4`I`z3D_pMl}3fnEY z6|K$}Ezr7jiM$vQuX^hv9|84po%uSg3YnspK9ssl1&{f`k zt##A#Xa(&F5_&bljO{iWn>8RWsdj;>-NZt9An4BSi0DK=kq4XhrVC<-+nu)LAQ&+o zg1Eusw&lObQJ8nb+g|dgutYpP_s(+Kdy?bZlX1v}=;W8woixxHP{mXC2~XEKcI9EZ z>5U_bH6dgST{nG)_iaD=NH5#rLZ{;-WfCOI3h@~Y>w!F@s`=Z0IVBW)jGcWr`@|lA zZt^|Pb}|WbssdU75Z3nylPq~`u`w!&^lWE_?W>JncWC?c;q#w$EIng_fF01^GfjUA z|EmOLYZN+0DB@A8#y%xtn>6Yj?QMgvsFSVX5ag&yCzNSk{7q>2hm?KHv?S;Jg8 z>>|1aYpu_&iGYo=D(}Dxen0Gl(G5TQpu1^CpM`DFuqgsQrDvsa$HxM6XIMq2eVKSZy1>=yc6 z&j_@@YF>IgBki1gt0yt)1rqti?4t%L_gAoUpR1p=Q#YSlfR_b4Qqx}QY2jIq;B;0A z(8bV946m~%9N(YXTKJrKHrgT&*)9f$e>th}8EAL&ECv_8nq35V&rxDeJw`z9Qd1*y z^^+1Zbeim^XVq3RPm7NG!OnN*32#Oc6=?5>mI?F&>3lDi4+2zFCN17q@2xZ%Men(J z#;K3h1ktKQ$Ie}X&)d$OL8lx=07bGA>Mg6eg?%fkUPM01la*z)+{Rl!XPKJ0+>gry z>i~3xxbZk64Cx%5(Y9Xa2~&CN+~;l6$`zt`O-D^kd3v7@ST^Qsc6oWNW^jG-M39m2 z=kTA(tAu>O(ya(W{Z&jnH9Nv=6cNMu=3BF_=H=N%IB{}BfzJ&QqC~yJdZ>=ljd&W; zR;@MurH_7v-V=QG9gwffLM_ca2otv75g;QloGs7C{*LS!95bos&z$~^rY$|xaL%%p zOb;{pk1=*HK8qna!(2m6?@s-cO2C#p)VZ?~wdQ*ZA}w+=#k~>{xD0z&`l#)~HT%clfqR6=gMr-DehaBa?qs@f@S*nA zZp{N#1n#B=p5J!<)@~|LjV3WM-qdtkPu1Xv#@lYU((X7d%h^;OtAJO^G9nzvVY3i# zg~J58J@)rFpEu9iQy&XPX+Lm(VNt%t)U*-jZ@y|@R*-c*N)CthqQ)Nq4R;_CzkMYd zKthIl@ou1lqGj9%Z5Nrkl%+`%{olG*UWPu!H$n{A6=*o}a9z*`%hmuT*ni)%|JPpx z8{u=i7_tkY{eH_{C^m{)fV;yyVWtBJXn(`fi#8C00m!XC1&^N3O@xd>=X5q+AQTi7 zl(@&|69udNToJr)du!k1r{cmD(XYESiuPr z^@aSLebH*j=(^hR_+rE`^bIAYCOEOUILLrG3pSAxRQ)=bn=H668AeV-p=SNPAG&)6 zTPh34q4jJ>Q7pivr64+yVffzNmi7dxpmE|w*xD7e&n-USs<8h4qnEWm&_|r1wRjn@ z^B$H+e)5%gwKycnBEphI-1Pb;i_hzPZoEr};7m|p_0v`5a<(1R;hNm6r_aK^=k}$H z3m>NKC*sM_#Y?W?@nJqF3^T@vNa*b+-}i0I{o)U4;8@}33GXqV)nj_(>aISn*W!w< z^KW7VQUrBO^H3E4P5#taj69E(aKVASXX|CaP168?ML3DksuHfiQ!h?Zi{yjx{4Ei<)ZMO1O_Zn|?~rj#cb3AkKoG$g9!bR#sqYef5`7&R?B_6n zLnMM(C~g~uwo$-$of6_=GqdS!xpW4{T`3@|#*|J@Lx}x)6l=eZ>yF5B@m!{e1Xjb` zYBpKXq=sf}F|fXFa&(|SbR9geRG_H6?RxK$TNd}8`MMj4=`x|l$0?U+ls|Wh>>-0m zCUK)jwEAbmpb~#`buG-{<9C~>WhQxt#;c=lyiMof4|MQ__IMh&>X59Nm9^W5yf zT8Wr7LML)lJy=p-mrRFL53Ru0n@%Pd^(HMCV}zIfJ=$<<>=Ax-?XyzSEo@9*77{14 zT6!o!gZIvUbe=qnQ?s=hG;p1)IuC~9bVmnc@n?>gb`F>43|6N5@}yUMu3sq+`;aIs z8ujiDKA)TG(V{pN3?!Zn=jntDVa*ms^=QAB)84STvrR46Dr4 z9c<@=#BZ*Y?0c$)1RTuY*(C|Id-Th#LkH!(7Kczctp_7NI_|r~lo&}R9^Y*{oG00N z;-3edaDOh9%=kU)YPLF#TEF!FHZGsx4ZPX-@tw{FWY;e9*4 zo>fCnqMyG^jI31QbL%s2RA-sN-sfhmRkouHxwf^OJEzwcNl#1W;&qD2tH>l*)lR3Q zloFGyQ^ULb7%;kpbfSLX9zxvab)@dNYu`DNv={c`vw1h-$|AwZQVf48HIV1T1AV&B zL`GJ~kY_0T%-Pr0eZp9PQtcjm;#1$zR8_E@ty97`0HiqXM9M-f9qTH#n=LmVm^Z&r zTlr{4PNzoCX=n2gi9elZx8l3guK2a@c)Q@sW=TbRB{U+f^h(g!60p_i;9*(dG9RPo z%{uQ`gK=-A7i5MV{BT<#W@0nHX9T1-HBeEnvM1rGQq$i?OV5V3KQIP(r^YhAikr2E zoZK9MesOELzONLRkP8JKymRXkwWyX_EOGmAoW7XKrGX6sU`?AqtoV@@GD~jqj1BT z!bp8}%G;Yk#0OA7PqR406KklUEp&@U*9N4LaX{I8(G?>Y4!FOloanWIyLemyW1S{7 zJgeF&<9@A!Qw(sE&O;n#=+#3%sh@RQ7+aaIqylW$ z_wKsLZEi$)@vfrnJk@!3Zc;C8(dS~R8Yru-d&34nj4kspz+F3iNa@6=AA1~ zRw)wPr?2jz0m5UewxB!L8781Byy97y2BcKEaNI_LUGIa~tkR$xkjc@xy$()I*#6T5 z?av=1Q-^C`a%+0Spodb){iF+nDeT$ww-c;j11EM4N-oYf$sSdfgo$4kiMk+lR^}0} zD=Q~@*{Cj;k+kohDl_oowZ0-eq zH*L{2^HzxPRTFnOVfxkRyPwA2^O=e0_jY8vY{$DjyJ`htiHL?TIW3aZH39K*SgNUk zZosn*d(4~nM8ycXJjB5rm}wO4jg9P9U=5>0=(&3bqL1=ihBj}dZ(ul%F%de2p?5ku zg%wj(Gn>upeR8Ef9tGZ$48fN@gK|HZy2z3HFDIS`mXXFTZv(Y=cNkUgc78Zx9tDQ@ zHXITo2Eb2w0TDreNo(NK3WcK7^kpyq>qb7LuGNZX5oNZPn2A0cl_Hu(0u|NYBy*g)C_2b;yWMt^iX5)JwQ9lbFfIFzI%4UVPmt|ifFH^LG4!4y2uq6D6|B;)75 z*}1tRsp`c#pS5vq)=%~ba@+cXXZsnJnP~vxbzykU$^WBquVz`bOFv$*2Ig{wbr0V4 zY|{rJ2ATT2ajNfJV+b(>q_&&2$L`Id_j6V4Qkt91NWP^f$ zfYn&*U53Deyt(tl&BZd|DNLj1S7iP<}l{X`p_-leQXN#F59gt&=9Gox*yIAdnng9XM zbrk7C=2Jq~mSPH#v>?Q#RW04{GAh~Yw`60r?p7p$Ycd)w^>$@&InK;UD@VAt50M0C ziCA{9W}q*DcB1>0 z$KJ-a_BYzi6enD}C-9n$ysQHfcX6(EP6gciho3;nGOENUm(%d)ui(1+qX?;du1~8T zNKsC%?(c3&V&o#LtL`UZJj8lB6&B;KV%`}Ma~zf%A=Gj&ikaD)qL@3GpgPjk0>Y| zUJ*mRxf_)BNlE-44EN9PIe!Ovvk#Hu>08Bd_NWZM1a4P8Uyy!UI&H~W&-5>H+L9)llSCy7v8GiV2@O91;~pmSvhfehwH*Kc`wg|3@mjBx!bqY$f% zs`^KS;ciPr!MQIFH1xTMhe8AwVaya6%e&aq73=ansxdUor)y!OXPEixJI(_!Zc7n_ zQ^q<$ElFfWWE!h{9Xy!pFI=4YyFDr(A@-;10Gy`_DVa80?51eAVtkKWjsb#`j>Kd7 zwpujXGM5cNL!COl5bV+siT*Nej^XO59h)jFxYl3~<;^psu?CU0WeW4}Xp76f*HYZ+ zI2y~7U*}mJP6akDDjv2Lfxr>#^Fyc(KEKKC7fDng+ahwRy=9@ zoUdg4*s+(lp3fs+Kam~H_qfHaMe`W;I_3IaV6(9Q=809)0l#OgzFGzUv9!sOVBXEj zjpwlIuv8u4!K*L~?wSEF`E&I|kBsO2r3V2B$^xHzLEdYTsEzWP4I+9i`E8}CH$hu& ztgOUyp#Eyx+osnQsEqGK7VZeQ20QmY9!lkhF6DWbt*-o_%{jt2jxULIvWTX&>eqV3 z@z(BOnLE&#?F=Y=uw2IdM0(Q8yZ`dd$=0|_hQ8tb#^y-3(&0W86_p323vd_`#JqC^ z!E}f>8T48eY@4?|wFN^jh;cQSheVl?smRVE%0bba$M zxaQ`|K>^9p{XwslZ{S*$n)^{N-XP zmvT*KVC@7PeRCmqe)?r2^nECE774$1qkbzy3w+CfUXSkLC6?Dc((GQAUm4AY(2V(R z1?X$#t9qn$b4iKn_{4R=V@9|isb%e96~NrZIs>fa3ZN#W-eg=FQoJWkJR_}Y)Ve~~ z>>v#U;vs%&feM!gUyc*5yGby)?bwBRovF{F$-zkXzivt#pd2QMGJO2GX+@<@#}3yO z;%>i_J!nZIchQGPrlH$Kvp)C8fAsuP{-O1F5_emHgkH&T9dW3WeXcKFIjX5X9?9xy z6AC|Ss;pv>v|s8c>PTzP>==MLNGTS)YN0%1T7$LEXMn1MXT*4g1ClO z*CIZtweQTyR@X9eM4f**+U-wmzO3;wUBI?eb^XP=50G7sFn@)IovljL=z-co9&$zy^rqfd;hWC`SkBC1f8t=<^(OQKXn;gO0 z1A3N%nWRsuA0!sWMynY-qO7aoGk>{k8M*(MCORTqo_S~~Pm$98>MCqGyN*>gk~~<9 zFl}PxICda65m-78e<(jIUB1+S4mLWD(>EcFdz~@aZ zti-^w85-OKKF9#sgUiMYrVG#TakI+ds(?qi6UjWQ&X&dW=3wWyfymt&RwhRsjX|pG z830f0A{@9|N#8fMnenJk;z@-0l3B+0miR{dW^28Slbe)_sjhLw8a*e=#hj%0PqYk! zboVM0YqyC6#y$mat*3=))p%t;_PN<;(rJSk<05N`J!n~*^~5bb#G_3++pK&O>PXR_ zar>3DfW81OuqCG`U&oS!d1u4Y)v1VBjPgt~Sj>Hcm~WT$Jhu_ZeUN^#%6)@v7q}$? zKK9fRZ8c_hhQwTJjEB$iM==%aKg?(W?a6cQNusVs05jFnC!)9^wS57}bwWYzs$zhf z*33IvO4A5R>*YcbP|kPqI7^^*0Q?Bh0#~}%s=xx;yrxZmbRl@)eh{yg{SmMF{hBJh z{%32F-h%#q%YmU!NjV^CVm#&V(rE&Gf0RJJK1I4M^`81=4R-n- zs{u$V)FL?m6|8s6c(U1!M0zpo zHvLRp(s2qA#Jv2kqgO8&0k?F9#e!>rXI@2LZ-d;oUO$R`pVw0WRDa6Ca%^?nz#;$O zkiQR4#zBn=C%`b|RAG9A+H1&}qd|E70VmigSv-s_sqdD15l~Dd&DtYJkyl5>KhdAo zvMSsRq@%C>m6?#2JLpfWZjCg$oDPl4lOt+mTEhcV)qRI6?7%?iiHnj zqgL=)5{-OdH&p%~%_E}`ls;!qix$>&il%OfX#BL;AgK10)pYDU-MDxA*H%jHfR70& zh0L^UGV^^r&Rt-4uBcy8%;0O#{SzeC%?c2-MBaC(VzlfQ@TTnyEB}er zvBL9BX0Sy;y@9$}rdDSXO6$_X<`ibS=T;m&G+k$2!SB1B#H1}VSwZ^zU!J{=B3VG8 zrrh!{@A*f%4~xqZxkJkuSmHqH2B7kmv4cX-)oN-(jKoz28Zggn=M>(GP?M{tqDW>Z zKYwYzH9VCqnpFA0huW#)_F|B(i#8|)U?Wj81&=x92itp29()x(ekO4@S#g~|-D9KO z%QRgHi|@YTvATiRFGeNtJH{IX9dkLfTk#nXRlGGJvj0W^2~q zy7oF?jt?_|3|6L<8{wC|PhZvNL#*AR=JRo{!(GwzA-;-c9-7s;CI?+ z;7F}n>-@Ij$RxditEl=Xf6$`-As_xz9XnS(io&Irl$!vd{67@OP+Y=O);R6>c}FT0B!s2o{beDf>UIB#7WJkM@%}$>lM4YpsG- zv7=$r1r_?|7t3C=2br9`F@it`@^Yk-J0u_C@SSTy$59el+w6^;Idk0 zLXJ6aTz}z8sd(f)GUN*J)yg-`izr0z92I21|ijPIb@qWK2incWj{{Dh^ z^p7F<{|$yl4gnFt|G5~%9t)GpH4^UTOE%#=JQnp7JP>M70z9Fj%VLdrlK0)&28FJ^ z8lxNByL3u7F_|B7WB`|N=VQNE?SDN)_uwc$pa3+3cmxL+dM37SIXCnya4U*ed-%V9 z^cwMBz0-8i$o*QY-j6D;{^v_7q$4M%O~n8{PwB;DKzU|B5E8}^&`GG*h9_*yW=+kZvsXvXt_tWq0>IYg)OkpR# z^N3p&c00yw+^bKc`1iwh`1! zx*agTPT`OQyb>R1IkY&D{Gadm&+DlaZjlu(wQsK@|7dZooG55!_H86f;33{dfH0Hy zu`*Gn*G`vY6%Z+Oc_=*QM<85{pn$+xvqtbEpxmywjDGSd0VEhNynprn`1OxW1x`~l z44#w+i%S({B#l%4`V6MNo0b(DtGEm4_?IvG-`30}@`TBk7zCexbx8kw!2hpj?Yn^S zdv#5mbpC&P`-kympAL0JQw$=3ybC#MNosOTslvcOgU2fLR^7`8ke!_cH{BaQUAMjR zmh-xXx{LNtWS^$I>>k4fKibZCeY-W{1ReGA*nS*$*mCm`fCd4ip`GoZ?X!+MoDuvy%6Eyk@5Ys_Xm*w%`g5}!>`rw z?^wabX8o%H|JCdMYIQN-ksUT{hDQFoultMP2u2_v-`cQ{Kl!WA`-|88)o>;pfz_{V z`~Tz1hiq|$`RnT4C>wxzgI<$!2-4D?OBp)USwl2wVpGT}!(cg5cqu;~MyvDBT|DV2?(^g(-e_9%{b<8>p;kPy=}vDPWHJ)!a1b z3w*Fk+#$2TcH&Fw2OoOb`=dpUtML}@8$-l0ukglw-Ta5SZf|t0^du(f_Ou^Pkj}Zw z6UY-v7XC_b5zI$W=y!L7#RD9Y?5drhpnq^!7(~6au~DPAq-4)UKLPLxmJ|^QzQV@B zq7V`i%C*_t+=R;e`nETn)>XKr?c-r%zcMs5gvOM^h)T0kQwa`qHN-m#I?}TC6E|#y zrr609Sg%7q#=?W?Ipz1jj8FWgF$7ei+tw(uwzL$rq*f2?Sd%iB=U@Hg1Qlwjl{0-= z@=!hAjP%a(ef#^DnkfLC^pf!9OX^>~!GK#Vo5gJNI{=bQii^XtsspofaHw6M?`fCl z66WUSj+~S5c@C88wwM6*%1WxLn>7_2p`oFv#+HYbH5O!*xX%Q^R~CXS2mzt+_va&O zEz+Q6^5ZkKyV0}k4!J2l7K!>zl?4byIKR3U=uvm#Kkl$NAmN3sIiKLTfk3zGLi=xS zt^d8!h=sGe5$_R^kffEA;$FW7T$!aTLs$D=5bM`mepuaKZu7F*%k69j;-2!Eee1)E zizI+C)U5lEkn(u0DT)W~45f5lgOM_y9g75N?kX++%+f6YbOO4~D!n!>Cr-{{t;|aI zxhOl!I2URvb91cpS)TS~sD-Kg_Nm4bEx4Ym4Vk|R4GSC2777B?z`$B@dg$tUKR7y? zFg2xAR9gBr$csH$y#`raTs+O^?IGtcb71RvC0H_G1X2%q%j|x4eHNFLWFC$E{JEhS z9JsW{*Vi{LG4Txmm{s2>3uUvwQJT)UuG&e>X7}w*L9gRCHX%;5V|0};l|{JJ$$8p& zUWmGyxz#fL^WQzIckt}b%m@ zkq;kEr%=br?7{$hRcRfa^m)-BS9Yt41R4#(453znx22Ba3tyE~b?DWd>@=Wc28zxI&S8iSb zp{`hTY*2~k;Cr-U+#yz)?!L6ix)yBQE6~9PYpAnwQLVc@zArewleW{6txL4o_WmFn zjrg0B@+bhEVRiQTxLnQIJ}g_`B_b-S?&>XaV{`L@-mFw*?Bf~Q)T4&-wMFQ`0k1(- zxsRoIcClGS)C9NfL*MZQ35SNQ$3?!D5a>KOQfjt#*>M`eBw@{|u4c7W4=&B}=$B>P z*;t1?y`C|)6trI`{NX}U&yW#w@w)px?*^pq!m>L0uTJ>?eH;4I*&_N5cf%=F8Khuk zrawB7mY!~%rReHfuiHQi%^t8h39jJ{XQ2!_H=i6aqiobaAhl*|hUb zEhC6s!$KwRDbJ3*m8xTd>G0|7a_pWJXSl7j)Pb=zDV^lq&4N!W9WY0&Tez4LlDV&z z4#)``_952L<$iPG-;LJ|9*`Sf4W5r5Eo>_0e*L;fw$jldI7#~KzD`O=D8PEDc}A-) z3FvO*%J=$pPq~+RS9dpGs?~_&rapd_e+V!x!ER(pEUvf(HB3 zdHi?cLSjK6))mv~$<8J_LLaMh9Ud8pPfsVZnlaYY)3dDz3kmsn4|D}tu+f@)v<954 zp0$>%6>JuB#;@p*-BA`Fb~#es(a3eZza3efu&hA;d^Id(viHrAhPEj2YFK*1PXNz- zZ{~RBITevH#&I{@!x{2*9fw8V5{|&Vk@-5`Y5e+yhA?941T0F8_8QV4-#e4dp#&vGMZ@x&o0~M7 zW@lUh0f8-A7x*2V!ot$n=LHN2kn&wdDk7X$x@%8NH&*RW#NBRt2hbr40idJ7CBACC zq@?(vaBSUxj*Om+)cP;6-|D*tI;;|cNe0#GRFil)Y^(dxP@lzqRA%~Y$pkV5+3rQT zs4Og8Eqb`b{eW@Li_%GN=3h8%oNQlZ5^DT*BK4CQNL4x3lz_lP`&2vvaXU0PSOSPl zdU|@2ZGhTvwjeT2yJhQg-iI2XqzP#I#hLc@kvm|?Yh(%s_BT8bG}>zf+6`@Cet&ME zu$tWcb@ThjDlEdib;>>7E1Mu=@N7^@} zd%{1>;s1@TAjpe%_?&WXY}|rW9@N~dB_$}$y9q4qrv@47Myf)nxR(B4Q3G!#}uDmC5oN_QTIE*_mOTKHRngNd$ zjI%_H(4fnpB}B+ef3A@a=d3tr6sFkR>z_86`mVZM(82TD!$!gc5>W&^2cQ@SC~m>4 zf^#(nx;+6Mpz6ecva^C0xVWDXk$^2P3AE%^QB{=$l7x-TO-V(?*wfwl>E)P65C=kn z81kaMr8@7=hGNf(NN)3{7YQnyM&nSod2LA!PZ`?JOHw_6>qUJnqe0#GxD_|ez~jHo#`_dP(uY*<&r z2#~E!pMd>=NtJ#66Ed7386i#x3gGZu4yMfDL}2@YBT?#f^&o}dg4fXe}8}OaCe*9UzFlsrlg}|t*S{eK^<_2dBN9ca@Iav z2umMH+$`Bueei!YNd^JaCYYL@E8IU0aBV9};1jF7>$3YcILx_3!}JpWRfVg)?_NaU=Y`T8;X)14qswis zKKknIzED$q&&5eBB3!fO{;h{S*ZFFry3({71y>W>xVduOJTDOcuY}|yGn`$WNRJrj z2QBG>J8IybVR25(dL*&UZj!w_w!r9h(OkVe=6Rs3Dd1Pdrxp|WnALj99p7tgJI-{3 z-08@1k{U^@%e z^+O`9;zb=0I9W@A%jc1&P;Ldq4Vl_ z3&=eejKGF&jhRVzX{)Ev4I0t?;-}4FPIUhJ&{GRsUexX0g2hBujWwiRb_W%){@Su{ zHHwgP2xu&r_pLAC3{Vq7C7B08;n+CvXkxrkYywlTn@#e9j{gV1J0#AX)V-`};p)tF(`aWl*WP<>(c^ zc!q}d1&Au05PN%jmDJS0J@Z6FOJ4wh9D8(p96+<;o_J2#STf@FpaJg9AEYXOftS|t zyq0d3no%aVwjXEq{OQ-fv`8Nq;$z{Hnw!j&#bu;53?$-Mi3HhRh;N&i`~QL%^k9GSaG3--SH!;U7bZAtk0{BA8vKW$)v?7+VA&4JC#O-&*PATj!*@ zkCeZ8J^Tf+5lZJ4-t2>mm)LP@+HSZY`s@iGH3qWOieKaEBK2ds#o& z2hZ=$O6Ey>XJ4@y86-cygzd`ycK(;m2i(;mBozcs{DlY{b`@{g?mm2*T@0kvY_FFg z@v&@4xjM@Z&iyT_%DzJZ=JdWCpH1vHqpbfzO@I0WNs?VN1BF)xSt{zK#Zk6$>!NAUkO%3AY)S6(qmv65d$l-+&z z*_3n?zh}yaHT@ZVy(|0}l+C;iw6GSvz0J4iW~#PYZh1z+(7d9E#ku>oW~KgsBbt%$ z$3BJFR&3m-xf>W{!y_O_7RY6c1gWX3OKWP*-=_%@@+-->N5WqtrLxhNQ76QG!t$!W z?@P*Ar&!xPYh8O+R9sX&%lmqbZh0vgWjM8|R(U zcCMZUvH0&aG60M-F@AoyYVR~ryhA%kH+aG&s3X#Pd2^LwL%B(*q@}r2m4Wl??hp`7 z{`u_@;zv^c`FAO|oBEtPd9=sXuYG?OnXPn$k5xnS(Fp6Z+zOIEzvO;vT1!N^ZaR66 zP)+XE=7tCUmrpq^cR0T%aB#2REuL-4we15TPi`mwC=HORVqs$&A86_6F;Y_QufFsO zQWp)1q@bX9O-n2FURZdP`vne;q@`ui?o!Ka31N){O zeGiowK|Rfsn}VC9r0nOoHPn;#i5uh2aToz_SN4J`d?Txa%tj z092jyqh8jHwF8t6(38@jjO6?9mfu4l@nVbVtXazO_x$?)#{2b+@|yjsSv#LSGtEYa zoHkq4H|YFg6z?fUW;|e9L*T_S@S7OZi@AMP+C7CD8|`I|los3Q{`30kxMeSAReMR<9GU^Xq;m{x~YobwisR!mrzXwlOlisM{CDbw*D4Z$|$QW#1jm*8l%s z)#^mGZ?%fHs)M36Ygb#e6h-ZkwuljX6OpQx)~vnvs+Axj2tw^mjhG3wXRHW`#4qpf zIln)Czu)(F&gXkh{<bOw#>sGn!VOc3HrRf4A9gWE)HRJzWS(QrGBH zV9lJ`*5>L#&k09=Gr*~SdxvMKV-W7;SP=G~QXQW)vs-OX#`*%eH{+6%?QBUS`hcbY zzq~JAklBZd{s%wl0-@v9Ai9-uAf^FD6*uzlKNDZJlf@%w_rVw;Bo334FDpBj|k#B|Hcy58J(%NIP- z&(Uz(Mvz^6yH>@0@e&u1lG)=>N87aBQfd;KXS?IR7TGzGhV$JEH4VZ9s}p1K_`uvw z5E4A-E3i|WREJOJDqTwG#2`9{!m?u6)*~J*&_|AhM;@D%j7tQWriI~7u+87%R-3(o z(CL1i8R`!Umq?9IBs*EcdfrwJPzNBgRFH7!uP?+s6wn)N`#M@_o1{3aEQmzhg8aFr zOS#|z(W!BovLIBbv@p2OHWp2^ObrZhpDV*w9rXw-HF7{>>y%+`&W9#CQQ9#->^oDY zYuKF=Cd~qOC*iP;UQx6j-74?w9JpOqWZfQS^`i^(Odb_0*+^v zm#&^{24uy#s9BlVboL8DI#wmD?ZmL)wcZiS*hpF8srJm(reN=+H0>snPrt1Srn+EM z6p0{_*blbTRX@8JxbfO(f9_dQ@(yR++M-!s+-$W+T*DC+Iz{~9Q@y_%csm0602`b> zMO6K?cTw`ihoPJ}>&-X%{h69js$Ssn`k310m^a$9dVdW%aY>wf&*P1#6HTBK`3(y}R$Fg@-1YI1RqBb1NHl}Ve>#M({ya-}j>$ZGW=x+LUokqFBJ4UW zZHHW}I>xVJxDU*XhOhpndm4aG+|5|em2BLyQ_n6qYikksRl#*1t;MYt>{{Lo=)ask zDr{K;9On&?^Ykp~Jh}q(119k*=3vZE)O|W0L=Rxf?KWD!S_wG)yUt3iSLBghWn&v9h&eOE{JPVO&4X6Vr zG;X3N`KeWbkr-C-sdd-8vrwKZ*a7nS^XL5noCz~^`j; zlc5Fv%`6hQok*(#>`XVS0AVM(+R)YaYt|<^nprT&;(R#&RC$lj|IPw%Vw3;)5v^ApQK@4Cr3T21;W-+c0&PK|fZf7Zbmi0w=5hc&^--&F4k%i}{Zj_nScyKnu* zM`bQW@hQlhi#pw74YqyianAJqkO1}C+OW%4+3&z6XF?E$cPl{ekGe*cTV(YrCXK~< z&IR-GzQ#(tr-!H_)2*pH^f#oyjjiU{l0OQMjHUV&FdZ~?iE|uI=^`4#3P}S#75q*HI*K z)=4G1Dp!L>8ve~xROM(1%z#LyIlc@+&iqdvt4fv<`dkvHsVjZP z0-ae>diD1^Q=R0-o%AhhQ1Ze>0QXw9lZ{kFVE5q|)E{`w`%rO+C{Y--f03MVI%0Z! z*!oQ`+32o72QfjSC`t+;Ksly#OZiZ>os}@&HzoQx13Hxl+53+`34RjTFeYcXMUB?q z>jDJ;wb)x=vg?nHTlQYXK3vzY38|CZ&f6Oi%B3X=M$wEstfmaqjAo&4-@g4D=?6*> zJWDai{#DkcWT|2wWKs0x|9lNqK+j!Q2RQQEt;`fEztZ->$*zb<>=@2HN^EFjzM$HSL__^=ndgKiZOJW)}-QtN*TDvOdTfN_15^2kmM3ky@*;^yafVQROxW!^EXb1(Q;k!fI% zu(-V3vp!b3<>u*V`#H8T=<-=7^XI|V7+pI^QqR)B(#U9v)jjCv&ueDc`T1=y{r~5I8x;IH zJ1*;9R8yDIyv07Qazm?lvHVEwaJ-i0&7PrTdG_~0S`~VhG>rsI6ZJ1>*ZdDORqq&l z$n7kvF-b`eOiWDvMgRUHMw)ZBXDw8Mxhu@{^+$e5_F2@|iho@{SA{@;&R^~9sILk( zy+L;l-Q&sm*0Ps$rlqK6YVO+t~6FDyUU?b8yns8n4PEL?F z1wLXp=~YgDzkdKj>e%K|k#0$iu!PigZaPmK%M4 zYK@9%F&3%5CFA$C%re%7H1f7NZs1v)rBRl>T5|>blLC*5Qoyn8@ewjaqTtpf#g5+2 znZ#bJLVELh_3>`oA-9#Q~uEpBNi8!D?lPty=8v=g`?I$I0s{vWRV2delwtceYSYYFxh`U9h40Z$|GX z>iyy7oMl1} z#)zZ4(Yc6+Z06;xr#t%|%Gi5Ph9Ldy&0q`V!P3%Mxb7_0|MPdH{FnSaZ1h0}cY%DH z&1vNN&71dib#<4e{=EH-!wTKL-5gjBf)Zr?247NEC&)j4)@wWv;Krw>jdi9*BXPQk zZfqTtIweT+Lv)xqp_9G`60aJ3*u5HaCq*`;%6jC}WGWijqJK!*Pf~fr6&w5Wu7y=S z7nRggQeJ9pGp^Asf}5SA;doCX#KJdjsTJ@F9Si!2L#YAXGbwAcPFZmE5H*buH%rFY z3mWa2mrd&Zirp-Q3#v-ov-sriE2y14nK}J>k>z4dGzSOQgG(`&4(koNCDKbkGjNI0 zSyS&=?LTNumsYQed+ma~A-o$lDQ-%Ubxq@(<#n6aXWP>?G22vYFwT3#`{kkk!oV(- z?3o(>KK`|d&Ftyn_lrM%{(O#QyrdzlQBYkqnqJS{rasR5BpWs!I9@l-N#G#Pw$8WA z=fZhJQr+rvdx&$nbicdiX+Fbs9yZ}=cT{(7WTVn};f z*-|WWn(F7$U;MN;zxLk#k^StSSIp+{6+yjs>*QNrQS;Sf^aYDgUqI!10-x;xSn3v1tSr7dAM-9rb-}lMIyUBr};ch%#XBQN0h&5w+2vi~Lj>1$L7;@0~ zRCXKEi5*?-w*w zcbO9Fu3lwHPzvsNofXk4IKlbAW9*g*VpV;gZx0!q8JrnzaCzT*)DPgmzv9QS%ylX) zgA=aaEZu*4!DSwLccES*D@Xm`?brg}oA}t@v#~Db2x2%i-l79EY;;K?FqDPG1CaG| z#}1uV-{HOX5pI_7Cs(2P*9tj5KRSN9W8*#y!%Q9Y6ih_v^^{FX0IN z1GAfo(6Ba_$?|wKf$Tp@OIfk?sBnX>gToWW7cBR1&XHU<*==#tV+P>-6BHJW><6bz z7$COh?kwE_zFMc(~(Kc|LF= zg$B7jcqISNe@){50X$A0)@w0H{L_I>h49?my8?C&ZsoV96VpGLnx@vFnHK3!)Hiy1 z4$wyf-~i_J;pW?=c7*`j;q0e`_XDYSd>1+*2b@RQR(H;70$t+ogc79(_xp+$7E>q~ zy8~IVbfmUuz4MnzK=5BOcT4L)vpy)BEfj6pS`TADO-t8dE^;_ouS9COLc86E#dykQ z6%vIxoSz2o9XvDb;FWo;mI8Wf8(RWhOZ%_3+tq?K-<^uD+6tdgAxEmOTGS zDn8IVgl*O6lp|nk;6k>z^PlIGUxKPjz(fGLMb|`HY^3Xx!i3`+{!Q9-xb!Wr7a{69 zJ6J-$&*mDsL}i@FP9$JuXSb`wi)dmnQ(k&Cmq@hOE7Prdg{^9dK7QM@aYF5ajySl6 z@O%+5AZH}n-olE>0n6D*c6q)pQsm?9Z&@!r5Mr9NO=us^p>_8u-3~NdwbC~3!+!3 zMH!fM#Omu)x?Zv>I$w}5;~7=!rT3}}(L<^$#%6#?bOW*!qdP>a!VKlC_8G+#SRc-` zDQaFjkFqJwrv|-zy!F8nhyq2#P)i*=|ThL8Mf2*?a%24_>Y7AQ-v*QSj>_7Wby)K zzjYnUt;sAMu#+1ad3zbA6bfGG#4aW9TOQVxOK}4l54|LgMzF^E9XjmPT~RFNK;5Lt zCdCI)r({2|>ps#g6V7z($I+g` znK4@y6b_Z!lIHq&?h<8hD9S$|;}i<@@5RBJdbsii%z_9le`m{Lr!CR9pf3lC0Pu2w^6nTU<6qGQ<$aiVpa*XxNeFUz*1W{;U}AV9gSKE9KLFzL;=YX_b3ri0QxjQc0GB&@61pV0rOtE zJaYwixnYF3Tyu3>HqaXTBpPqWKqTfxVO||{q8q5q|CrdGTafQ%XN3qp&9H#-9G}!F_vYFYp2?&U zX`y^#wz!ir6S1ED#0M}wi_&OmPl>ZjI;RUauG==SKoV|F+i&_qX{I zqz9aZaFSSVKIk`V63?ds7kPVowd;*H%3r#UtFzq^`i(o6+=Vp{WUV zom=qPvk6?jhmh#u$#1hPCCKKMVS9@Gkb~8a=jt53go3P1{n2J)<~AqCM`F_gveSE8 z+pTIvQ(m?i5_t=%#S*(ED(RlLSt&rOC)&QUSNNj&T549F72ac0etDc zJ?}0>d)nY@4??UqY4SD8y_;*LTf`dUf58eJ5H)Pedlp?~J)nku!WAD_LaAZcc6H##)Jiv2H ztOCqh!hrHgcPkp){r%h-Ou zVuR?}s+L3Y40W*RRMlDP>`B0R>N<-*gb#g?<$gH7ax{aH;_(tCW%xidRAAiMh0|hb z#*{!bDFa=Q-_VvG1*~kKlz|dmtO2*fe!Z{@~dUmT;I9Z-3y)VI*Oceo5qS z$?iP#+YdSArhsWQ0O(0xPFS=DCXboPzq4UjmjVH<+Ww)U#hle{j z>wcMLwo!XzrDH>Lg@CpMqmL9L&_Wf^`v?+>MNT?Li&rH$R1_SNL{;v5bnnM2-(=n) z8ZbpEjQ2@yf&it^=O2Ei`z*w{_t-QAvy=zczkRD6Hv&6Bs}I4E77{-!y|Ei!Ob<<| zrdGu*by#Jx7X9|}zskJItGISID^z|jUU;brjW1z80C^e01#}vFDyUr!B|d)iQx($> zZVlnP{sfQ>peRGL>H`+O8YWFCaTsl>4gfk&HJ$dFEXO`S-j`6u_S`dfvi=64&I@nB zxSy3Z;Z!9AvRvn#y!ZbAFxA08UjN|pAO?JI4`Iud&qT7 zHd`tXJA9#HlxC)Cjj^R5Nq^sx@Y|am_uq#}%(C)*e@o=8o*8llN2(h; zO>EJ47KfafF*-7mKnvE}AUoxn|Bm1OZ`2`BU^ISODxO3F2bTx2nY;0Ue^W0R!XJCyYonZ4{DQ+Qn0Lymi zNuyCOBs5*f*NmipcI$Wa^hQ$$Z2^GDE0I?l;|4fCI&*t|-yp8f!qrV}(e?w;nfu>8 ztSMvKbe78-K+w=tNx4V6`S2Dm$9ChS`RQTsvG}~t%X@d_Mo;vX>M+V0K&s2P{QUZr zoxcM3qZyQll-jGhs-4wzcOO5c+Gg271-MhH;^gIy?U^y&_(~^_jdQDo9d-Pv6;FNg zJcNkj{DDUdKO!P3DCVBS?*%xe2h6jiHXfwNVssqWoW$e0j1+`W8V z2>|450j4?;iCpmBo^oM9StS#gcvXn0$!i_u15dv-3P(XlXA<7aJ;5MB9CFNB<+v|C zS!)#>PbmIr`J-|1lfX|Q!JJUp)9~o}SAoWd!FEr8F9k980G21T^WA-u4_hM~eTe zjypbfDg~E{5WuIW_Y@|m$1-CVPe!xtL;#{kFP7mxPzKBCl8DW8;hM6c67}xYr^Zpd zxpjl)suEF6(p0HQNAqA$fg5Y_m-M$NyJ1$acoz<+fCEOX=TV+EF*zIv8lyP1MiJ>+ z?7JMCEu-A;el0b)t?-a~B(0{Iz(W2a&JgNN39}OEDCx66sfQL4dS^k;;s5=i>-_$Kg{o>uz*i#^5QSNKQ`kSOD{jQDT zpl|=g-+cWq>9ne{u(jYDokP&tm+4EY+W@AmG?dz*JSD2MvK$(=Stuf}eQI~*k`>5T z{d^3!-a5X^eUsV!K(yQo;}<v6 z4m62L?Uw;3GVA`T50~K;BS>)!9j#2-yk4noM_nbG8_C>1%So-8YS)hR1Q1>&Ziwl56S*k`-b|CgKS6Y^dnx*C`W-^@CQ~y^av=Rhf==AG zPNT2z9dtdUjr64Kjg(|FOI3v~S_D%a841u0Jjl zx_?f8)=RXRQP%Yc4@7JP&+jcf7}Pi{9E(-@)Nspt=G(G#e*<_~inW&!!*6xCPvmFb zHpd*;3h)pDChI>I#{?l>#YXtu^6N3U&b~sP#^$JvQl6XQ<^}CVc2uMg$Aqig+8uw$R3$~puZd6Rg9%q<4<`2e z`&w`d&#+RrO*>QeXU$^k95V0SFX+}SvT(WpX5j^g1)QAlc3?DTphhR;NGNB}C}iuS zxLVf3;$ZWjFh5xn@qNU~mXo2)QUjr^r13!FthrbN(PX$8B(h$4w4&4B*O%JwH`irl zO;+r1 zYlpY0bKxZB4oZKMP>}^mNB+49W5miSLCZvLfpK541Vm8z(|R$VFQ9D=cyqm@?@l!c ziZ<&WFYs=ZP583~0~?ZYW z+}qm=39*$w>!f!3*}Zq7Zq|r$&?hgtN&1vzdGcmE;IFv{Hb(s*!6z&0QK};9sm(yd zzZUx!Ne?9!HZwIyNjPw!pvLph7}@w^)!E5R04(~4&xPP|P7}z6a6$Wa_S`Q{e98}y z!(k8TlxzvB>m{DYzU(OMo{MSR{3w;@I^JP%=x6F=@DBFQ;rBB@`&e#EnI zF-r7_IITwQ$E8SQXtyvZU}yed4L?n>UmDeaFwKy|{fj~`Z18n-=?Np!s2x1;E@60s zF$jwoRML@l!7UEcx*zcOpzwi$^wJ-q9RLADa$QsajSsr7WROy)B`cmuOKb1#DGVAh z>WS5_>VZ$o%@B+0rD8H?Uu$mGOd_B$bX;tpZ+#k#+7;A;=c=?Db`K85X^P6~XlTq( zN~h0rm_ODpH2>%=zu$*g+Ct%fe))11gpx)cuw;%k+n4^s!69Rhqqhi4GkQwBHtMWA z`rRF@K6m7M}7?nnez63Y+FgTOC#5)VnCUvjUGLGUd+;R$NUfcs<+_m%rNv3 zp5sjv+iJc|5Zl*hwp)&V3uIKE7xS3`I_IMqku7U`?6n1tHA@FE0oFMOa)Uy-8;;k# z;3+AxUTI8c@uw=(Ac22jsvl32t_xf<4QILwdbc=Yq+kV8=V=L4=bF4{TbBG0hFXSh zKik&^*KVFT*8NTCRrnIO%*B8T7w71X#Gt!3WxRgd?A5WE+xL&*>b|inMj_I@C)T{@ z2t8#9kxHZuoq8Of+Tco6QQ>RVgbfMr<3t;^ibKzRvfVfU65R;YYgO?-{H*os98Zui zMtR!-%-SfHP6}c=S|^^Q#cUZd`Xgt&mS@G6iZ%P|iCI$9hP_wtRCQ714x(joP*Zs1 zMx}^L8ryAo(5{u_1%kJ``AK+(WGiq~Sv#{2Y3Hk8W0xAuZdGoi zJgJpH#HDX*`DN7T;X6~rVZVip}Q3q~$Bn~#? zRUQRzp82?SL=z))Bk=W>V&e=e+*Xamg*5lAAJ{jRm9|ejK(j96m8SKh&6cGKhm(1G z{kiaRgMCGf6$&{5`zjd7b0fJNlVnLf83R74X2~Z!QZ7GvV~L?L55N8EKYP$}4hJmv zf^2s4By9OjM^ebwk@>YNNHzSc@ZtReH-pIxzR_IfuF*;>|lfhBVG#FZ++u| zVu-^USRX{Uj_0%N^o#(M1<4DgtF13sMhWsw%OlA(6qW+EBS<<0*ezK z7MNg@X-~hsc<^RKJ9inSk2h|X!qWmnFvlq??IGKET5?RI6jutF7@<-}y8u+?Lv#)L z6jr&3g-5tGiFfX>UX%=O%)qLz6e}AJXIlyH7{Mpg2{e!seZbrs1#k7W%S9KtD9^G? zjPYVcX}ZhY46{b~)0|_j@%D@9e4eZKOq5o5qTMio3k)M=ni|Ro{HQ!2?gEV42`96H z+Y!4I9VSC5ouvPG3t_a=e_edj3URy5;zOL7VSmCYtrY@Tv9aZDsghXiB%MC805k9T z?t~*pmJK{!LCdaVMaEc8M8sjyOlaxC%|27mVaD!uo}TIIF^ZA-jOF3T1NV+do$k-W zFesKe&DFWQ8PASTB0U@Jdc!eIN5w$PGXA1`!POrGD?87C3HC0EcIQ--ZQ(22aE1&5 zRtzUdWmU8c^L9a@#te2@-IVPLOY&`4i}qRen6F01g#pjemXnsIM<&%vOea|HNpOFxU zAOA(m=w0+EYZyHyypTyYJ)q@dq|(w>nnyuHA9d-J&fWNJ%KyIDfb6N!s#8nU9z65J zc8-v#m^ocWEh~`Nkx>wDbATburJ->UrFvb&UC?mzUzyC4mNFFa^c+*&mjbU$!Klx+ z1V6Ct>+uMT;id4aH6?#DxQu1Keq{;+o=AvJDlK!R~7o=qOX+^jwaCZcww6iAla*QvApKBFx!~^^ z*x&YxjwqOFsG97V2c+YZ!A&~Eu*3bZ-o8jaxrxqx(}l{TA0EtN2QU#MxB?zmcx(HQv{yohHi{^A&8%HtyWCMAz6Mvtk%f094>1C#u08@h|K$AAX$0 zV-k)^F6DmWaK6NJdb&qk^e#@|IiVO%bGkq^_2?79IWhe(-B4$in<}YU-#ZZyz1Ck} zqRNPtsvR&ord%LRlVX8kubL;zH?Y%=*04oT)^fTsW`-;zTY*ehH+@#ulm#KD9zFJUVIV`Uzt1U*F_yc5o^! zDUO8((rQyOrX4`xy|v$K)wDDbLPngE?L0!<&&yfwx+Z@46L9QXL-9}deZ3VbT0Ks5 z<0JhL<3j}pmU}~VhVf$6tBPBFhfYNM@`C+FeMWOS3Nv7}3U1Yc&%6_6tZhmx&&^_M zI_pTx9J|_UdJv$k>{x{iAGGmMh6b>Vw{>jXVpSi?wxOevQt>z|64W&d>0k>%@dTDu z6G`_8$5lAVpzrvz_sSbjP6AF-bP(>MyO&oHhr5;oC!5ON^y}=@pSuJ1I%H13dQ5%N`4+QE4;rPrp@B_)yv`SON* z0#8ak#(zHQ-}UgZN&Jg-`SqDDKQk(8TU8}|*TADmx+TM0r=?i>=6 zw*>;FkA44jzbhGjfJ-DBOI*5n^JXf<6Fr7Eosy@ANkv}SEG|n-0f?3QB#tp#{~61` z%T&>Dd(B+S&laM19`ZNsA>JF-1}|^OH=4hCa(U@_+Qj+0Lu=Bw_iCW+Q>P+INWS!t8G6C+?6O2cMn6AvNi=QIhvJ-JD zhVvK84m0C`&%6_xpOe5@3HBx^iW~t%kX6;A_;_tQj~78|CK~u1oStyMV4MYvKZd(s z=pe77m8bdqR|)+}=}J2}wu6?rDG-6XGXQRHCCR%=N;%_4_V(1x8hS)h56nV-i`el# zgjv3AyReg6(yrn-FOvJ36}vJ<8(8xZ#6pjwPNLT|4o=N{Od1>8zQ7<^*aTO`NNMiS z!$TDt(#Y?wM`uiT_f!{*1PpkhW8NTbZLt(EHhGF5fRk7KruHT_#;;P-lcVy>r|WqZ zTr1TszOQRZqR4UOERtWjw9`;uJ=Y_yWocdvGF+-As&w+=NPR(yay_p5D9hj^0$a{x zRCurU%lnXnTX*qd)PboPU}EES@TAA^{&2Q5Ko!wyX>I*!JU6J1+jEuIcMF6mthP7Q zDzyt)eYzHER$5bD@9^lM$dj{v7Jv@y;}P!aHH&TEeQ!U?vQK~W+<@+ny#X!46rqSa zzFcMCLhfpv7J&8=!CF4~3f(FA1~uXAon6gRh~ZdU`9?d(IeAaYqY`0PqhH#vGke7l zIV(E$wA*z^+~(xHiS@ao?T4<4wS}?|mUvyAB6o*3S=%pLOG%t^`z%;4K)n){E%`wT zjZwJC1TV8lHqWAz!t%Eb{#2NDt+Qr z7y0e2f!IF_sKIMl8Ic|1Op61CtZU4d)v8@U`Egy58)KpXlODb z`_HMGfnEInhCg^kFf09si`6n)Ql~kEXrTU#M22s zbKWX!_3r)0$adi*NVrGi-m_66+D>o%_VDfX z`kpUq{6{nI=_7sa0y<^-?{)Ce=16SEIRVWIrE@(({?U=?u2FUCC#bw}VGVj2Pi*q0 ze6tyRYl9W=NZ;A#d~gvnpD;vx1`}$}w5F;SGIjWFFEaZ`w2>)QUrSs0)t`{)Brmm^ zbw&%x3YlSF=KGu~hYV5Jv`&IcP>c7O!=Ow!d|?A}{bNIto$SeIsZIY0!J0HqY^s-@ zSSGL^nORKk(Pc)QhR-XZ6_h)^%-S8pIeoi6H!*brmW1BPT!9kK;_oT+ylYa#@(M$QN zNR?;bRkv`h+W2IDdCqh5p;&1=2|zAxmzb##GOKavPH=wY27I@5$u>Gx#}ZDt0v}); zICeww9!*2PQ+nHIYOc;$YoD9-vLidx0wNn=DzcS*V)-;=MG-HaDWyo zJ{{(*u61A9W9r=5{+YN;`|=A|+PGGz?B}yv2UF>}@UoI`DraRXncT#3QvU1LHLC1{ z#`yN*tfF*4tPAP_(>Xf-sT$l3Q#ceFcC6&SY5*9{ZYPH^{c-@l2iS}ZyhY32ttR4= z$ev!1s8tn7`K?CV(=12>SqM^JIEFg@?Bu~zy_7JTVXqk+AoaPw-di!^Em{}_a~$&n zJ*hSD_u3w_o2LCMJf%Av+Q>y%=a>g#KIcVEgPx??94s5Tl*sswq;@tL!)BXmx?7np zoa>cc7)U^Lq;Iih8)2W{3A&?azQuB|EAb^bJtZc|$@_xCn3S5C3wCbpN>uGoI`GB& zFAaXJ(EbmUg0#e*6XyLTtQ3Zu;qNx7Fl3K_~>7j@hy{;WVc4&pXdaG zH-!9k%z`jM7@JO5sf)*S2Eo8a?Mx&P@9gly%i3z7ue;2H)Q^^)p01bL8Ty_WK%2N= zucnIMPgkidijvbhD0-^O|Gn~KXNalA^b~l+=nAGxN}W6P!8@w}?d<{FyuA|tbycN{dt;<3q-vHHl=TS?ZY9EgelnQaV_C;*Qq;E68P*9 zq5kt1+=?u;Ui28I-s z^8-y@W37y{tl2^(o~MnaFxtQ&f77YqLFj)v{0u!kKU2&tw|p$MQATHR+AkNDl$FJA zZgxO|x+ot8=(pr@a%}8fZsP(Qx+IQ|p^1KIB@ky-6-A$dhRQI8DXx3(1kPaGT=aXF zoy8gNdE&pXzWedr-Ddm^f2t!eXXG$8*S&kzgre!`hn{I+VPGKgi#?vbp;$du?t z;hfiePoD1RD2o)niLmU8r1|i6bI#j^{0~JQjAd`D-R!%>+27wX))JZ6NWP$mqg-NS$dv`dY;)jp z$E9}@-RVBTg%T>R@8q}0mG9ATIX7$Drop$oWI2(n`Y(b0fegiiZpd;sB|+i#T8&2> zS1N1MBd7+QyD^acn(W#WAJdxBZ7>gIG2e3LbDogV{YmVI`q<*dx@A2*VC#j&$TITr)6xnprv@1V-v>h~am{zxq!I)=dVb*F$nJqkVT@}nmqykyvZ97P z_-QK3ZT0TTxSQRpZ|+jFwqJ{g?KkKLk)E0swHy;k>E+B@47^uB3_lI>)8=Lc+<#!Z&+j^xwdaNph2Fpp9HI z+EA^DW|?ghE_dw=!~f(HBp?1+`=9pRe!3 zFP1ki^`3o#{EY4B2nm2d3X~=%C*xB~PIt1Dd)|kCGj@zPch*NJXhhvg&r|~lMd7(??-O@O^Bm+4qjt}s2tw#mmK#_7lU z0zJ3LFA68WUzyTFVOKY^@bTo`QbL4Zmw>&?{C=~*TSuU@qwS*L!VSqYgy5)jD zh8!$S4T_|C*yI9D7i+`Rm~u^a`5f)*gE3|;vSoC-Tz@*SZrIFtrxg!YC*QqQ=eY` zj&gqmoHWE)HUb~I{@rMso9GQe4J8h?bSrDeMiIU{=lyaEcCD%rk9an4mY9_Zcx{CV zcst{Ay=O*#4gdLOS;5E0*`-kn`pa$3u6blW+sC)zeeXw4Yoxc~&WJOOZX_N(U{JQ4 z;xTdI{o~w<#H430$mQNHLM~ZD&Rju@y}FXrlqku$VQjJL3d4(o>34n?KCuSiJnqe5 zn`Sgd9(aoCe>M&3tZG>_wv!_-i6ywfF9*%0w5F{sHhIOzUMs&S&&Y!+iW!7D454an zj=r#1pi~HYG96zP2^xP8{9XoCZpe$Z~{R?aOtp(k*ogsCV1*Y8&+=Eb?g>DAjbPe zHvGg_Zk6Nio8I6Z)Z=A4#{c00jXd)evvkYtCau1XEATUL=3CyA9%;JWHT5^3jy1fD zZrxtWtwy4-(D-(Chn9+}hF&wS{2-&KNVK$fA@Ga^B@W_khBNu6{90ZeO_!Bh zn%6-$Oth38a)fw}Bt7%;dqdc47o)1aC-kP+qfk3ZdBl3Z^;gPDfy;#8z(`Mit)2*R zJ>uPo__oKFoyMO#T)s+7)GDb~j0-Sb<6mUEYyCZblWnVUa8&mJ4L#x`%9Oex^x~U*N(C9J6FwSUIj7}i+>$SNxW$&a5jvO=E1Bqy_Yr5z@ zK^LRO=UJVl&TcCOi*^od+2NmTT&$qI>e>eCSzbPprvV>v4%=?UmCGzD1sk&Ub`TU< z4_aD3ZUF2Z%pc55ce>6s_VU%uK+qy|m1;vU@P`?!8MC#Nr#-v>kx0D4znkupj&l}o z2(BIP{}DL(Oi2ot9Sxr|&%8FC{Zd5KQ63q2)Y(1QnnkXrJHF*v1(XKTkN9M4y8iK} zCKc;V&Oo32EvtLoMSTC|6R{3p(b+kZ?yLq`WT#@H71OV(N+u43<^}hD^5QoF$Yo`V zob2k(!i9ytqdY|okl}BBJaug$q%05IU~Cn?j3naTcf=3BS2!JK5PdpW zP41Om2*{m>gDa;Nbu-uSX1bA7ou5=bTb$BUw;MBM62x13l3Pa`>TxxxCBFn{H6X#j z^|mYezc`BCq3oCPbT;qP+}zzsIW-Wz-0{D12k%s)w<%qt+-$V^?+@|YO=Jv|s_4Vb zi>q$4PW6t0$-FuM8z4V?lZ~lFptpHvtYf*^L!}?zrMc~~4_8kgLcW_4Z;8%gYoqXu zA&on-)T55uqN!SSZk=7__R7VxPv1S3^mWTJncm~R#W*E&UzICqE%nIfgN>dC|14&| z7EUHuBFus@kway|zi1j||doki}71{bi?jg5%3HnQJlc9lK^VAEY;!`X>zB z8o7B@u%n3Q$OSJDF-{E}%8t4crR}}=7j}A0?!M4u+p>2_?XA4%>|6i9!i`}_s1y3z z!?ADY+yAy2L#*>!(PHnCnzZu0qxfbTAh$E*93KMT$(beBrL*gt7d*DMb<#2PD(e~? z%la#hj4uBsnh-rNf`o_hirt)_%T|sC_LGfAGLT3qF0rd09lK(_*vz~1CYDF0^@^yg zT4Zm}5@I(;hqrsTjH6n|uyr-pKpRyf_KI(xNuO>l4rG|dUKIZD|m>g>L2E}_U~+RVXNQR9fnhT@(rzfuLqSp;4Hn4 zbn`U#xbm!4u9oYfW@NjoLsmjR;-bk-8X0V8K5C_~y-(7)A9d98BhO{vWFI5xbY!Mi zXN$1(beX2uHGWsJ7;e)ob9wK;HKD;3mPc`*FY?=OU!g^WD<__zZX2;#RSnUy1Z>os zMS8Q`(h646+%W5+oki`#e|f|6@zVnM9Ndd@eUE0oP&B{0d@sx%nQk|`Uhz7r4H_#! zB&3gd1z6*eAHgbue~|2hEUaw*i@mpwYV+&1Mt`LOEyb-xN^ys_Sn;AM?rtsa6!%a{ zDORAk6Wpb^CzRqAB)9~3cL;&+`MpQ(IrrS}j<@6e?tgcTFb49FN3!?YbI&!`T%lZL zUsO+YI=Ha?CH;UthRNwE&G}GcV^V@rN3-P%EqOvv!n!4nn9JKMpGPXbDOo=j2*qqt zQyTbno5Z%gdajtRg#pvv>xT}Px3`nO#+^?%>dWj8pp?AVH`nM|2&{ zVuF^|BA(}@G{?J%uvFPOeFS^W57bpZb8ScU$N7hEnB@;o)9Ew(67(Q{b?w%KUztjn zeTHFEJ*0t?upd<%9%pzwYg3HO%o0Dlaw)KGzkL13ErHZ|G}daPuOiQQ@)vwq#MJE| zkn-`=$auJO=dE7M_ng_39io}Ks8Nk1NDj-jdEh&m;&Qv<61})wVe0LW>7f@h{>sNz z_!=1$gXe6^X*zdfKBEVf9tmnH*z@S_>VR9MSqhc3`NY*;*x{r=Avc2qYADUR@oY#u zojA3$$50MR``otjP(_kVEU*8l!&Gh|MqzSaq{y-Y8pd+x|KwzSDC@LFBMUdhXj_-A%{O^b4HC}yea>B&*v z(@|pIR#f02$>_=EsFRnIiy5qZ7$B6=R@~_mkH)iBGww}{mz5vNPg9r=E?|GtiVENh z^E$nvKN=}h+4E}O`Bp<+T^U!&v~~A zn(l6Y^&Mmd%fv=RC^87oiyDT7hsUQEv10?BYmYB3_%9n98koVhl8iKlcNs)R-TQBBKI z#*I3USXZi_K%_({J#0*@AG7B9I~!GR>F#a9g`jV4V3jRC(@xhJ$|Ek0S#+w}#ms&6 zpb&VKj~mp+-`uHcx$qG;`@0|N;?D^hAx$Xj>49B7MorjM_ZaC^s+((T)|(A|FVT`} z^rWFYiN`sgyWE1o`Y+Dkys6(jsIm~%e`!!vHVQ^Xz3EXL%H7B(0?8+iVc$3YQBCSN zez71<^~mxE7j+}_vg<^GSA zOK6!nBr)goz|Yyx&5>K3h&VBlGeZtqs-UOF?!;p$AoA)~L_oi2?>84%iF5K{7P}VY z;@301EA*YJOqfH~eNqK6^pMH&Nq&n)GWzv-FSg^j#!RzC`K1p+v$Iw3O@&%fpIP2^ z1($pjUU=o2hMESmrD7fWh2QVo^3t#tJ9INNHR{$;%=~PrZr2r!obts;u}UfF>`Qq> zsg)rWZ_ z3KngxfmVx)ANw4Ke_$3VBYg&Ra>yS5PHlhi%4Ecnl93q=xR1$xn=aTl_16c4VKEOvP+e+kQj=voV%4TZ$6psDGRPU16l$MW9e0 z^mVax`Ry+wgyoNqry9!CmgHBbhG8)7?&ZQlmAjFW(N7fS%bfWtGR3z!d$M=W>7_qt z9W0y1qM}o&6`aEM2}@vOpQ}6CtlK6X{N+~kB?uA%2g!eV@6*GY3=89 z^(VSf6IatkdiN6qJ4mszv*VA<7o1!bs2TA@$B*%c?Tti zKgUx%VS@OE0i7-F1M5OUOo@qdU=|InV80VuE7BA2#k}x+YGxgo%%3WEN41HGiRS4J z;w5xscx=`CBd44;)F#)jdBZL5x13T(P=^U;o)(o4Ts=V3KJeh(k+sR9jQT}jad+^` zT4Gff`bt@(0OS)v!w-`Dr9eSo*idAw-nqL`h8^G1_?>bvdR7cDn= zqs67NR+vpmFlJzKUfl&YDR0!<5iluF+qd?M>d@j$ovrFQNZWp<*yQ*|U}~E#%LR7r zfMeyENDvmT*v-#+wLNgtqmB2Ux)kYEjlA;o7u}byHf6?@VieG)UUMsyQz@-03cYFUwNu&OB&o4o}K5f3$zau;QFOs&T+75uKTj}8%xh#P6bckanF_+ zmo&%MDdbos$px~GaW;tXo=k#QO%9-> z(l1gmPl9i(!05?*eg|=p+TTf69=o2?a~vH2kwqgr;}J@CD0w?drU(eYP& zvq=9|zg1LI^e{#)PckdUhHMnT_osLpA>_MG1x`SaFsUxyqc8n}zYZmK!P@J@NcR7ow zJCL+!{px{#&{GWK&t){=vF*pv=1kX`F>FQmc8=Y^M$CW97o7L%I)6IKycW+tur>@< zc**4iFMKbjjJRvflUJOc3IK=maEWYdGLVkPrU7G$2YO*R$=wPb3c8!+9X);o|a+!kJC2yR;+={ z-)HU7^JIlTGa`o2h^U(~Crx;nL{+mmKdwPH2haBfF`0lm4C zQv!5MVP)OtSBNH;AL7J|mzx@LihWww zeaVtST*HeahCP$YObMpt-0M*})dWtiORMHp9yJV+`IPwCFzP(qZrW-8ebRYi!1muFFyn@^b0N#!CdXrYiwt6-UFF^b>bi0wX!kF1-p?GaYF(H) zwKsb@=}50oE=W1=nvG|@?q>C>2$oWAX~R(Bkv7-KsXjlpP1ly&oV%@lv21BBj_8J} zLi;T?*l3ER{|Hbd5tkOPATBE2p_<@Rze%?rfg460&Zz#7P850!_H4dK+w! zzN)eWewF9g-hNXQG0KtOuTUlZTW~ZRgOhWmm1P!FxPgEgGxmiUL51*R(ir#)e*F+H zx9EvC&fFn6=;E;wY~wrzF0N=h9pNF26%Q~vYNmr8W}Mdj@$7fr^=%nSz0k1`|1;#} zIXrX&>RMp*nNCydw?AiraYDy1`*+K%<0zsH*~z1CIXj)Tds2S-=S1vHIy{8o6ZMc8 z#%#fhgk4m4VP9F`%rG)|a&-EVdv$q{_3_4my$i$@`2kg>W)82f^3}?<|9}$jAb?)! zAt@`9FJE*`8e>-Wh)*)k1H5lnSo0v$t>*Fi8^D<5$atip8Jrg)-_0yVX=?Q0ol)H9 zhdHpq2bH@80MKmon*Z(%2LGHgHZlkZTBHo}*+@<&PIpypvOIC~jA|fFN+nJgG8P-- zUiMvn_;A(quy2tCk*`WI;{k@y*KC0IzRa>v@lon4>t0=3R*$OOPY#z=?W?`nmpmBB zDwG@*?NuExRWq^be=PZH`0DFP&C02}G_&y0!p0WV{bH=klp?f($cUXrVJ=lim^1wF zsxeE6*Uhnb;I?oh$oGu!(^09i{l53R>pZNb)u51cVzTGrc_vv|r0EBFKS&LGe@z=c zcb!CH#{mc+;w{W5xi$3M-atXyWJt|3)dy++b770@*IQNr@iPu^D5(H6(H77;d>9a(Ryq2|_y~-GQ z)NP55(RH3ApYJky%PM_P#x_`j+j_o68Yb%U<4w#;XJZbkd9~<1#a7Fdwwqq_p{dQJ z?c2(i+Dz*i@~<~=!%sd^7>0^~_GxKLjX%jhu^&%QGjI#15@_-+HpHUvCod-ys&4bX z5W@yGt~F9D#|J&KP11HcZ|7_`t84tmFTx_6@~cp$y9HHijOmY5$Os6op#`G3g{HGC zO0OE7w}^r4RZbVx0S)pcnwC2GixZSJtb8KrXd~(wC8XDQFEfc7lbKsUNkG){qN3pa z>x8rzQ@Gru2&CX9jZ(~yr1ME#cO5645J=l*WaZv#YBcQkDtOIa`M^-#9wow_JRR=S zYb!=Y2F6pXd#f~A&Sh6=yT)%u`Op`MJc$RhU;C}0?$_KMKnh=prRrc&B1WrVXS@U# zmHCGI1ueTgg8rMva`*(5+)}63=LB=toX3UKxw{zk`Z49ZH_;fuEnLaoZoXfgO-{qL zbw?rg!m}cUN%=2yWwpbPZw{*cS-k#urF{4K@myWIv5=6Ev$OLX zpSZofJ)D{2W7gY%$bi5%PneW5auYc8pNzcp-_#C%+gIVVd<0MDCNXeK%!cJj05Z1zcpQ5SFQy_9O$uJJm1eSGSa1r5}f zA7{Vijr=x%!=hca=|A?g^O21hb!$T$V~ZDzK7ZYt%mZ^9QBrxTKI;U12}_FHjpQlk zV|J+-s9nzKQ7wBBy^RVwFIZzrcs>=U{nqmnjQ%SQ-ejmNB_(B%%SQR5dBA5(ldc^J z)Tl^e+4;wcCaiBreE2|@^6F#Euc@o6tGL)$4$=^2)cvcq{zTPki@_pg>UqqZiDgOT zE&3oH{0MiD*u<1;gdgck6B=ArTAC|xwml9Ci9#i9se)_E%9gx3M9l7exN3D&#s&`+ zd#KG%W$d2YKMNl36~bsZM9xdL*F?!Ua*U&w7fTL(P+Z}&sv1-5z?7x1K ze`O)~cIEqg7Ug7qbNq%22dqmFQ~my`Hb_0B;-Q;dzib}f-K9$ClYz;H;qP_-vgLF- zwG!>}9ddedgcA*}5{c3zYBxT=J35Zq3IvJ9eKQf~2C?u)YIxs_I@#FD5-&DwCzx`Z63z1u8xh9Q@vFmPy_FHM!H`@6R*K$^Yq8!-vAB zH!%Um_4Qqb{daY@7u2Rm{u18^*U6y*W#9Y|f3HfcTiq0$Pj_ePNao3>pbuK0j|pgc z3;NOeosFJOa^#SKKxESJ%=ZTBJ*ruyby_ucxsdH` z+Z6jdv;(|^;z1qjM1qHL#W$J`F_$fg4o;$9<&}H9M+fYru2r7eq{qefZwYs*xQx}b zWv?1~R$SMIEo^48AQ~1&uRyMvAh)$|ClZA{63hAwc_BTewq)S<_q&yd{7r|^icuSm zTcX5d>tjeUe}zDZFX$7Av+u7uKM27nJn0_jTBPO-Z)KaD<)p>EJeldSjn`ib{G_2J zL?Ajo(%a*!qp?#a>$#eTF_(#ZK#npIybWDHZn+~`xKkvLvJZQ5Z1wBA6XQD2@J^N^ zXi8laaxHelDlM~{?@4owkOOu`9LAbO)#a9KU!mwcNCKq97wub2)MH!Q@75ybb9Wuk zgg1tc_#CDD13#%mUF7ICll0bkR!j^k9SBKfNOpqA3^uAP7f*0w5xz zMir^;K^6p$sc|!3TJ~i3P)^U-;}pK_zVQMrwJqNHG?_Zz_fj8gc7JQuMuieVvXi;R zVrXZNK?7aAqtY~C;e!XwmCBqF}Mf>@%YTje75WV>>;X{KRq zGi(Lwr55(p+5v2La%h>u{8|#F$Hhyim~x`7h2DjU5~=be+Q>l7qxa_&#jr+J)jA(y z`$VV*usTyjH(Q{0xuQt517T`gvPndqh9S3{^ zG^81}d4{ykTU{#@@r;r0`)EyFLOXxciF*C;bSRoGV%)&u`ts45wRq9R=3?4V;szC+ zzZnOwoVWA<(7RDqNwH6U<&-g0iL$>pQhPLfGn-A1l zu;jy<1%W_IDRZUo?a9^kKw3dZYrD#gy)f~?i3?IW(~jV3=YTJM zl#P8K^r_&~_k*+B+84T^&*Pg(Fc>N!2wD%k{ z$1%0pBqvu}i>gpL3QA^(3tTsJSrTme09quGl;XMd{n97q$_FXx{8 z_aH5}zqUbOK0Ha7An!Ds<$i9@Pd#vgFJCCGqkg#;`uN7ZJROvp;8*V2>OSuJopAg_ zj_phN=+z^O^YXhOQNKz&hEBs*LN;KB{12tAnQc&jg}2 znyjOD&Ssh`*Tr#O0}R!Wg45i$EP9nkeu;33GGdRVXMQ)XAi>HD>OoVEi=~sb!-+Lw zKO2~VG@kGol<+FKTmKSS&@=beS9HyMC#llvI+TBd1zht6h^y1u){&3k5`zyUy0;1&Dft2%AKt}bHGrqW-&P#1h zOiAjm4Ak|zM!6Yh*TZ8%xX(DhdTyiDJVn^C;@!fa=!P?Ih++!L_6X$P{5 z>Q*V>{L#AqaRX5>ZLT)GVWvV;)ZTkQ$|#?hURd(;~ubwzQ&Vz@#AZ= z=8<+Xl+y3*Fq_J*zDpI!NT+j92nQ!eMm8Z`(a+ThA0w}3PxbybEyQpR4Zv1p$G&Fj zBi7OSmYnBjS8CtkMZtN=M~g{N`HF!p*+kuRYdJogmeHEwg?9q30rp<0G*1H~PAb-m zh@y-TX8*U_pOUk|^6mkhLyAEknxOiAl~%#=_|iskQYU)R_8dnZ+;+lg!g)Ta6;qh} zPLLHJx$pStGKK_`kZ)GTBHfAy4hdm5j%~Npa~x}a27ZOMD-QG~;)I}{Nab*KkJqUc zp)02DKU0U>qT^GqdE>Jej<1|#u>#>;klIZ_M5VRd;QbULY@~8m#*cjt5`qEbS3^#h z_g6C?IqS~sm^pckUNxGz6GXg8&#IikLgafOztPfK{$34R@e8G?3AOsZ&20_mC}YMnCc z9I0qYZxcw(#zwZNq!Gwt>EYe#zj-;y-=r}pBFII-m(`xCZ=-g$x-ecp;Sc$UI(`fO z!Kv%4d_&#%mc^NE|2p!dfm9R@hn`N|`-RN=PyR@E0vw$3z|6kPVg;wTrml_=%ij^- z?y0Fjzzn@}**_-s&l~1;!Uqmd@7WTpdHgEuT(#Sg@RDxiai69$<6K^hNG6a;7C7PF z23kL0EO&%rd0(x`%02&&aQz*-G~EpaV9&4 zsA0F-;*Sf4*r{6T(fE0>cyrELfne7hMrDqKV;0Or)zd!y{=FRYS3ZZ6#LEP%yb*V% z?0M^XR>|?Y{Jsb)@1?w=Fhwx<1U;&pLRY&yqEsw=sOa2Ai@e}N2b25oMq7L^h6hw(S38W_y<#V_nrkS+ z_>%K{DD5ix|9%Y)Oc6Tceeh?+cYsLO6{?}}INrvp#H0S7}CMLJen zlBZFiWXP%zRckfcsjJOwaV8W4XsLKf&qm(px!F7v2!RHMH0ScG%-SNq`vztbj zr+v(y|HAsC*WC4kmp83vQ8eek{V(#p#K+&2zDKj5xj^ItqM*4ct4h`H`xS&Z=@83J zRc`C-j898Hqn@P}@lGNntL@ht;Mij%k;@li#wwJl=3xG7UcoF*)4cbEOzRJZe7dh7esKf8y|@5&hd zT5>D{tazSbeQrya$~@h!1v))eR@AfH!^2aSlb4S@-%q&=ai1uSavT%sbO`t_Pibxo zxMZIK$h|55zxNvrUJqn&soqUYG~L+(+`#I(;sd(C|8n?0^K=o<00EcnQx3|%|MBzM zgWFp-G5f2Xq&2Dmo%IdU6l-x_EQD~t<|ecEW>yxj7(UQf?;m@e0R6bOTH8q}sXoE_ z&E41bz%O|NX4mHV`Q__B;T=#Qa~#G2MeLB7Av|Ahj7z)&$$BJd3CKMtK#KtHuc7gk zd5u5vtqjJW2|+28Gb4eFX|J}Ql9JM>!r@U*gxJex(LHdua{G_yXz|9zMt%}m`(%0h zaLz z{!ib*zr8;@-Cs);=4l@u{+ZtIzs;ckJxt@3`>P#E-if{OPagkghkbYsj9HGA2W)@1 z>HgnfVVq#)*a{7w@|G?>ilZE{MpYs3X zK>GjuQ^voYU^aS-`Ol4tKPxD?*N+7#Tb?uN{MYFH&xGTD>X>&Cgg?tw4?f}km%00r zz!SAszXe6@t6P}?>=EF;8u#YSzt5`=k?%r4%s9595;nJ}U2?%#-@ddWHRM7C-Pz-P zrualkR1je`Q5>Jy|25$MbL9WYH#S^%+1Xa2bY(Z%e{DxU-%d(JwY&3v{`5r zlmo@7mg+Lgohi>Ai8{Uvm}mw4$SFx&53xK)OKxeK@XR9O#W|YQ1Al03vob*Nz0$Ik z_f`9P5HB#eE<7X18!=^xuD6B_!Wk3dT!OrVPvh<8cjvd#Bkn9!#h(3(AJLovhR65A z$(fm%cT)i0FPWE@7oY8DZf^c^4(RBeIX7nz?l(O%6O*2vZsxx?!`s)_SJlAv^xvXO z&128&pwZtIcg(z`06RO-ooY>yJ@L5>$SByVEL53eD`p5!XW~A@FT{DEvpbc4_cmKF z9x_<8*I(GscI;8t7o{QOea*Wkf$oCGF{=NFRq9`$))QiM#~z@~lm#6>w#y#i;a#GY zhD?>kMR32s`NE=uWh1Z#*j#M2+D0fA=lLQV@Orw8U^;;_*4DDG_wIb4O>*2wmkxPE zp%>X8A1PW(&C(5LwNvfwu)Wt&3dcLbBNj zn022-(dp9yBV`WyAjOsZo&6)MB}Wpq(-D7`6I{Yut$X8CNVlF2<&e%6=O#Tp2}q=) zq_o8lb)9A9E2g?4mL*4P>q_A~IY;?0Y_@sr`4M?6Kak>8q~{XON{1VzZo?RQh5p4! zzR0_xqYy^Nf!>%ZO)56;x_|UfEuYyQ< zQOgGNh6V#j(22U7UfWU3-jur*Hb|+A%lSgi_O2V5Pde`wp3fY=W;WM?wr(%=4{3}` zwA-cZ9hr_*d)$sZ*0HYjaC9XTm~DEm*vz#@98PBTH^C&|165!umr{{OYOU^QP^V{gM!A1+|->sQ!TS2?F*`XZi$ck1Q~tEXRKf9>Q2UPpH!={ zoUbYoQIs#%39*I@x zo3^CnWLYOCCr#4(E)PCZP*4Ef8Qk6$fAW$QA-iQ36%a`F6kS?cT62>Y`j1bj&0gxm z#!x!2ZR;cGc^{eM$0j-EyB|6&oi{1hTO3K^c6y*t?(RVA{OMaChVH+H z@&ab07VC&_`#z72jWPUk1cRXlnpx5uB^FI%10o)|)X zljY>(Lg)zT0^0T@KIb$vj$cH(Z`fD^qa^RW7a5nbjh`~tG45%B2~C{x_a-UOq+@g`XEd|>HL=g(Z%PM0rtijvyu#L2buik z3SD?PqR^b%+0`Sb=JJ7H{Q-U_M8I(vGHbW%ij8enkS{y1jVP0kXm-!cpBE%Tg$p{T zalQzB)!*6nk(Wegm1stWa_lqX>h8W|BdxQAj2gRi7;_qn(>K&hysgDun#ibF1A0I? z!Qg0nAhiz-kkcJnH7`*AXjEswGp#pSop*?P@!qAE$mK26G;jJyQLu#7z`(H6Z%(Ob z3FYFg*O?tK6J{A09u9^~={k>+bQWlJO-?3mkB><+4h{}7fMp`cdF8^GVXj+hf-dXd z5oMYsT0C}BuUI)b^9NJ;$8OQ6+BsRb-D-fU?ZDPRR2UoUT94r4VptMii+t0ouHLfWjRC+Ct=7RwekkjUVZ>+yPZz{)Mr@!I%Pt z`_Bag1mdDUGJ~C+oCvzdrMD6i6AND1A)z8TRDy9p_cv>JhDeR=BxmQ)+m-!&qjhfM zy~&0Or|I6_P{6l`$q6XZq*Xh^WrF5~|1D7p`k(l=}&CzP@WooF!=k!+5lB4WQUyx*ZT`&;2LWBrw!AOm+ zP81ujcFV2l-(Ws!|L9aP2^C8L6#c(i#hJ(P>_Hi~iXARI%ECl+c>=5EjEU3ZO&JXp zibpj z(k-sZl z7$5&bv@PjP0z+g~&*Sg!GD(R(ogL+qk%8$3e`;VciIHDoMO?#6Ixw_JAC`=vW4p$- z;m|x&iu&S`Jm1t?KdT-#_+!=RCHtbuq-Y6Bb(=b54s|O-=vPI`uqTkkcjgY;=PRjo zBYnEYMI}~?*vjg&_x$pjurVWtm+M9OtP-&uOLds{$dK5g4IXg@_Enm2+lzw|W|Mv; z@{29Zum+v|HdG=Z5eO-at}>8T_7_N>^K~<^StpsRW2oKrNxTPtfrpnfz}9>EdzHVB z_$8ZC$&V!~zu(5UDPQzl`I7>7t6)9EYa64-a3}WO@@#4-IwpbB=z~fD=grjyB&?7}P%uSDqyLMh5*;Wq7YIJG zU-~hreSs<(_g$T3uw(04f?9X7^;rH0u!Rc=s#_nWaBLAjIy&NUT9yj?{+-9tq7J-1 zkj&$G_#x0;^bX>+{#^F5*Z~U{Hy>zW7#kI}e-l3oINsBk>uz56u~i^+5c;Iqx0fqX z$3I8UTQ3%Jkp6duMSv6i3topg9hU0DCR0#4zFc`4uPy1>ZV{P&Wzu;s6D00jk<`9= zufb_$bGb8|$NSVu_AA>(V!g3Hnzz=z#P7Bm2ir_{(a^~IY+T#==JF_P`aYiUJ70r~ z{du-Z-#uPQRVoOGy(4}shCx2}M1d1?e?Kwo$nyM2);{01;4yD8+k+p@Hgjk9WZ$(M z1+&Dt9yI`i7YE-2xnL^xYI8Oh6}a5Ol{a`|Q~;Qku#=7sb3lLItf-o(VxNRFYILKU zWXINdHi98I>s}IAea1l0kBqM&UBm!z-*6f6cNx)j} zLg+Vn>z0liqV9O!irx&3Wq03ybRaSxtdu*j>iIg6CN9yuA+sy4$dTY~C__LR+y6S? ze19Q}S0QL;hS#d%RKSZtqF0;oHyWs@ZT?2ZN`F(#{^z{SBNX6Ww zx|9H4Vp9~QMA@}du9PGJ?`-q6_ZYYF-K4>!P0@yx2hmp@mIiaYL4lsYpD&A5t2v!3 z<@8-ti9vTr38Ik-;U7Rrx`^PQ$}mH{rdhwLLP^T5=7?GU2?;TAZV1?1Ka#P86y0}5 ziB6>JDJGgtV7QLA7a%+gBVmiPOg1oHNa)O~%2cmg+p*k66ftHayQ%%tv?`43X|Ll^ zM+uNTU}}pDCcTz4G|cgG%hfLncpLW7E0k{e_V72JT&_i}NO-y~mVR=sn;`}23iut4 z6m0vv+^~5R=(&y1RD-toB?PTAQfZRtiO$s8GChva{b0}e8r~brGzR>vIArhQx9S~f zciZ+ex@L1yv*z@I*VW?=#Q;1UFkPLN1fmGI;%@gN+#l7W6P;s_7K++e1ZeVSp(u~) zj2x>&wv!H*Ar;EfI#Yt95bOR92|Uvd^u&!n|Xo5>q9lPy6i+CY3|V%tyE;Q=1R^{eU7rCsO1D=e<>a%7Z_YAmrEhQ|hj%Ct1}xfqV=c2E?vGT= zL=_k_x4yOHcj7TCLzMQTQ?iX~%ZxpRysuDzyG5V8A*Prl#{qfq)xyg59%!YYV#4*; z#cBSa-tc!_qWU4Y#a@5=MZ3{jhpiR=~L^0Tw z!FXChx*XCM836v5_FSI|2wy!d^D0ndHiZdP8Ry7E(Er_|aTyEx9(doG2Y})L!sI%l z9Da<=yxw6g_m)~(>BT;xP?P)k(DuV<<;7I6l&iR()IeH|>rCyga+nx}ER-gquv=1M z%2VXpz8Q5r5`C5mY*L?h!oMAm#VG$U3K`G#@OWY~re>q8tdKq5p6Dc4jr#1Q8Id3) z@(DuwLiYQ2QUzLRv)}B+)Z|jX_VloSC3yuTYG-l^E+)^Tq&s^2%yvE~x4xjFdA%mf zO>ws#!LpBNB%cm;N55dSjJghUjNEK?+>46iloES!MiFhSBV;pgnM=r^{JJG$`n2Em z7#B;sIQ8*IWtDITwd5d4AFb3UjPMt8g;V{>i&`GfvA$G|RSfTIB2};BOVxv0v0|ahtu{yg~x2Oa8Y(x2LKtZA2VPfQF0#H^ELm0TVDFvX8w$3JvwTD~+ zWg;*@rH0iOI6&V+`J7sJE$hc0*OHwzjE#+vHvXW)(^CX-K>x~do%sDRRB=$s0bZehL;R zif<~(V{o-WImUS|z48j{=_|Vy(OMT}rn1$w=nktW3=Vnas0o(|yPf^mX6kD7J6n&h zpMpCbkjIDQAp5o|@7VK6j9cE3(Yg0&k}UMW4*>xupliR<_>rh+-zoH7XI3@ z%AxT!dhD@|Y>Wr2k<3~hmIzB%hn~Ot< z7)lGP@zjLC;&{DS+RU^dTx04g0A;IiIh)h0y3?mH*spbulwN;z|=pgtE&Ud zZERTmuD1$^iHIZtU(n3QM2yd*uGUsWEr%!-#d+X9mpve>RY}vHdT5bnqlPeBB(;zN z_Qu`2?#LH!p4H1>FN6JRYm(~NJ;RsbyS&f(W+pQ9&b<(soGWrX>9f^gk>wE3Ly4EA zN<|WX`5yH!Zi}4zF-SOiZu|mVk6?_3!~w5RA%ZOd?wsiNdrHS{AI=gHE(6VRkaU}2 zMlvAf!n}-xtYv$;yA#3s9{W$r&TWa*c->Nj!3rgJtQWD7EG{^9)BS)M(#Jz7bDBqy ztAO7E5%b>h!(L469Ih}wit{d$K;~X^>9<;sV7l>n!(u0#suj__YvA7Rz^kScd#|bW)8P(w4uv zxedr0Sssag$F_y~2Sz&FDi&EpU+iEjtBB}h7L~8GMp0n-L%f%1j!#dsnYzT}{SIEd zQ&MU|F^FAA{3ahmQTx$moL$wdA#r#Pf*qN8Yj=;l@U?~b&2QS5i?LlJq@kSdNIF37^#7D00zfWN54<-oNF6!$)d>vA z^0aNMR*s3U<&1d_!ZJEd$m)@GuevOY+B#dqrq4eK49Nk& zsbd2#SUo!rF?R7q0Nu+HY1mvB#y~YK#-|dn;7D#sl#*x8zP6#45N7(PJYoMXlhor~ zw$Y(4w8}7*y#9ndZjzA-gI!_L1g~T{C0gGd0g8Na1lti?7oeVtvoqAd`bF-TGWpD zoAy&1U5kT-){bRuCCWkQYCpy5Rz7F2f+&y+%w)C<7PfPZk7>w_g$_ z%&x4MSg#!;I}WsESJ@|#J$nJ;#;GA-uNy)d8?%54L6T7B1|RJkWkd5AWW7lp5Zgww zwYG(K&GS+^o4c}&8!Kyalj=Bcq6|t$IKtg)*9j`U2+sVRn|SKVTDQ1qYkvFnwd7*; zOiII?89h{g zo~8^30>X1c<&c#?J=a(;;N}pk#swOgK;D81F3M}IHpO70#+c5*0L7hG=SQ88RQ;}H z=ZB>g>HyL|IO_ge0xi;&x#S%XH3HbY$z^{me_}Ngs-t1Y31EolA>irAieO;TRO@ec z#m;WVWhQGx45^PNx9rw2{=ccjsJ?r@=_iF#U!+@L%{%wi?DZAEVobktl zI)}tmRQ6qj;{cqs!I%Y4fI#Y#wrdpMf|w$BO69`?sC zrO&E&tW$;A+rxjpziQidi%+pYEUl!VV@#LhyqP?-8I0$Xzvt>4;{aA*XO5!*?K5Y2 z*q}O%i&y5?D^~6Q$lZ0<-O`ZZ)D@hUW+`24(GgPc*btKr+(k-AwBzWFNgkvJBuDJQ6)>XXrJ+B@Y=UL`NSBfxaA-CXg}~#)i~m37R;{P?&R3n zdS^Z2bgboonPK`cP5ZlpNE1 zD#CR*@m4>HII|{3IU2mwMk4HuWMXvE+5t1K= z>jn2GkB%y9tg^B`q2?OLjx{)D5{SvvIwIo{`Ecgm+l=n~d0=HRIy6218mUGmqD=B~HE85rqw|5e)l1*sYoY?33Fui`=V)RiH z{;dVw-YfL;@wC7;GHNO+Ep4tJYH9R+iY1lYPJQ__-0l-%v5FAH3OQb`9>u`?{Y^{? z_)-Ah-jhoN{P|MO&q1d%6pmx56|L_;xYQamtKSVp=Bv~CACBW6C8CKFh*{f>gT24O zpE>X+7Oz~t-k>=9mo{~OVdMi6M_zN0LRx^!D_y%4V(@t$*K?R7)7O&YG|0QALe%= za!*=gK#?^UJ*i@On5V@=i3U}JL2kZwy03wzobaDMJBPF3&nV5ZWvJ0_tmakiEa z+ozxKmi&T+gCjn>k$ke>e8mc8AZFf2yu~z|G;4FlYw1(HGg&qkeqml&=dIL5Yv`tL ze(bAYPSY@V_rKWt%CIQAwQVH?#g-5eFbI*9ltxiPNu*-8h?0jjhX6q~V7;#T~xg!C?69 z3Ind?`ar}JE^XV)zzZS%wU2fNN<4%>rTRo@$H&umHDeJ=u_Y2739;$5$FG}N7Yhse zygvHrbAQ9lxrD{mo3}#2kf*+PVP8WR?tj`^s5G~+vhJz*1nz6n_c?IZwA=%8q9>rr zTRg2xy!O&s9PTsi^j1~h2pzWAZa$2gqgycaLxN{rA_#wKUAKU_LOwD{KmG=&SuZsDOmIcQvbxWeK(3vOl~P%r^@3bfW9m`Op-$q$4(BZ z*^CpXw=nL#|J$Q*`@n0%)2%4QM?J!=V^6B|#VUd+L*GR>62~l# z@)=p~*Tmm@JD1H2?FNCH&Pc#9mcctV4J980wxxC+bQgV!3YdQLDPttVjGqdG{+DHm z>%9yoiNY^JlrnbdmXdBWaaLIoa}WDl)D;yT%WZ#Peru%NfiEu=tsP9}PG@{L@Rj4q zlP4OZXApr$PM$oej?Sr00T_F<=lsl!b-8oNOulXV)Ks?Vb4_bUCwE29hmDL6U0gOY zo+Ax!hF2dc0|TmebemgSEh=Qrh>Ksc;nFkla~OXge+W!WZgX2g3aL9^C`dRdqJ68- z^i(KI7NcC3R}N8Vc1@r0d}BM5&PI*xe`;#z=TBxOT)E`)jzrx-6 zGh@q1ATVAxbZnHE(=+!_J1Y9P&C}=46E@u*^(dRJ?S^YguJ>QNfUz1cWiKm?Yo2q_ zyKx|2MaMqClT;NH;W%oojW2!LN@vG^=6!s4v2Jhf&{VhwexO2^=YI381=$6Lho^^| zZd6)Y&Z<0tC8>H|=$S%_x#jvlGAK0iG|Ns^*WclI_)alk#wE=>KPom>8H{)Ztg4GI z{c3A#%i1sBY3?@N!DF;oB%DO&ZL%MKOH0ifw?T(%>b=8+C+42rFqF;EH}w$Wi+pM1 zQji?U=~IRQC72*3IniL5TK8EFM6KzLW{;qtU~IYL&<**Hon`V+^{JJrg0?bkg=*0+=Whv$pt!stS_wKm== zLSSL*L-*Pg;bADhW@V9xbxzKCk+1#FG3W%F_XBDbb;*Vq=G*1RniHwp*2M6bQARH) znXdceR>R=PM@}gyk$G|hLw=NYxI@cI71LK(we7Lm`nkxWp$I)|3bD15JSk6HJvLR& zjtg+su*8Y8?-1@9igVsN1Z9!Z=^_ZJZTy(ODT1dX@UOXCf4px$1r_aauvI_tg9YC~ zT7qn6ugWzZN~>J8UR?$CfjD{x&K3OCtg3?qqxYYV$6a-t2}AQyKSd8$Eu{^WmX)&M zhx^1zBBe7h`=@vnUCr?y=L2ENQaai3dMvZ1q+##jX*fg4tYF7*4>XxP0u{d;2(K=e zO*T)x-&!PS+QI@geJ2Z5MPwX=1WZR8;10!WT>Ic0fK9Ljv$41Q;S)!kU*PNTwOd;j zm-F-US0lV?F3J(-wU|t&zOa*A2%F9F5iv0_DOTc6qo-v>K9k02W?vj|LIxkbZEn&Kp%nRm7QOURXa%46>G9Se5Q zNV#p>LR|8ZNLk!nRO2_xnOWJcf@k2H~FpO zR*nSO^!!Et-p3;tTWOqRDqJupE4gpS%dh@sv-j-qNFAF&?er6EeL2aI`Ond_c$Q6R z$EL&pjP*9!Qb4w3HJO+fJB?+l-l18Ij;!I7$Cza&`mSTG@#Wn)nQ%wAd5d+xa&ISs z1ig<~bU>C~saxM#oQlB^y$}T{SlQ=Z%5KKGY41^YG+||Y{TNByyDZz4bDEur5Pi9a zHdAlA`@2EA`A>@6U&T_WoQjGRv4XX=#~#a4j{E-T)ZOv=&M}{HOybSV@Xe%{!{-xh zAr+{x?B3j+(YBiOOic?r*gm+E`a6OXxu3gu>YX6OzGh{E4DHu7GCR?0{r$$F7iZK} z8<0Nuu1m;*7 z-U8omylY}Q(_}Mp_F%D(uJ(uujL)!Vr_8&V)r+2*m|>sn)+wo2w+=2aWrJ@v3Qm^5 zhz>Q={LK_u03W)7qyMDWdFfAzfaA%SUK4>p^lTv9utxym-$2ONx zEa>U4-F(UM-q#q7{rx=NRgm(rP=Ttffo*V&s%v3+@)6l5WxSU!hXk7hY)#*smDO4X z#pGlS*8x+n#vK%yWVZCgZtx?iXcJ4`C_p0%0y;2X`wF+l;v~p}kb1jJ{;&!-c5JmA zObN(?SUCDkxWQhE!DY4^DW4dUv(J>QhFLZY3xOf5MLT}&ChJhYf=gIIK%L-)quhU9Kr8ZW-Cf!ykA zuaS$owfOqW*2*_ZzXl~aTiWRL__;#_etuqz*Nnn71W)cG165}K>ejS3Jy~(W`HP}X zo3Zw5zW7_dvN23@@?qBRpu<7lQwc~$L@gmi#r#26iKv7`W26%?zyu6+2{V<3p@+sW zTZNvZ?1;PWs{QaB9QxEDf^0Qz&?cyC1ha^bCwkQE#LGvntyv;gUO#6K!}#qi5|0dM z{#8VO%7i|yKS+C6U}1quK!`1~e_%ja>cHi;82-=#ixksp&qk1R9yn7Fxi3(Ts$6!> zJF)zcVSmZmB;EbB?>w$QR_d9t+jldv?8tAMgETWqQVA~Ij{`Ju4kO8Ub=ZiPQdg*% zr6ma!Pe1deI_aPQ5)!^Q;J?_{9|*DV6#i#g0zKBHb% z!^w>``MJdl?*x}}jxNl$nFV<8nH87XqM1ljB1QQD_Sz!~+=#06Ppbsp5Ob!D4dcn} zMLEf?(o@T7L(`C$0(@Elj$UXxg{d}c(Y-}p9#<6EXm5s%kGnE;H|A?863{Hz$0)C1 zYOtMV_L=)8cnc~o43CUJHuMY(n#Bf8PVo$ivR*XwL=Se`e*(7wpAm|dDyUk>`E2i@ zQ+UO)>_bt}l{W?ks@K{I12%G}5>N!|es{oeIClA!51B+XReK<>JKhfn43@<0)FDH` z%JHBSQZhHqF*d#jNJsudo4$RyW(+_pOkuFt9(zo2s24fU-$}0lt1q)4j+Eg&!?>>(!CyAUg zUwI=hv%Gv10~O9dm?nlx<3l9AQp#`lxXy<4?SFm@efdGKeEf%v#96W?ED$~`L&gV} z5?^mZOr@Oz3gH8x3k$)lo7I?a`P$?;Sr8;jD3^b>3SJOrJLrcNxn}sG5F***p0#6V2JL1c zJ^D_@L05TEpim#|zS?>H!0Hhewn#xnIb*_HzwsLJaQY+EDf|!cEuB!`(M=aj-sBTg z%;;8g9r_27dzlSg>NnbEzGZwff~UoB+_^LL7h{YY)WFbR%50=PembO{A4W1sBu_Hk zuscs@)7rVS4JR*d!ZBNm*Jr-;o3%x0C7(qQYf&MRbXuW>q$Op@hL;#%4vy-Dzr)Tn zt;b8cS_~}LI!GHn~8ztmzn2PIae%~Q&jdV(Ri}cRdq^N>qVTEJ1s3P zcO0uFAD_LvHc-pWR!Iz=V;g@feC(J+@4X7O@PvhUF?-)7kLlKE!kHukZo(# zh)9Wjp=z_;W+;3!bTbyZ6`P_B3LK6yJ41-h5uGL!y+S;NYIW=AC%22#R4Dgejn$Pe z$|B-0kAB0~I8d<3;k$a7+CRd5s21YIXxk@SDPfA~H+Jp_iY}}vzN!LAD@6I%%5SI2 zhh)kw*^MO>Lomo!xUFn0{~U;}zLsHhLPEk+jIq;8`q7bELI;YVflJiAjb5ejte%lw z{d&r<-gCfbduz!VDjk3;fi#k{{*EmLOkBw<#01HI+yqJcG@=FF_Im^pDCN@+8sLCU0sL5 zL^b9LL=2FIJc_0##9XH`kt~pHZ;Tcmp8?;|*M2`&-W*|?S=eY!EU=%dB5%A&86Y~> z5!tZ_=6U=?1i4B8Htd_0ecT;ow0YJ?ly1qYkdRtQOckWQHggI@y)@)3AJ#j0rTr$adca6>k;{@KM=Z82BfvoK+LHz|{jpPr@2SC06aKLF(^ z@Ec(%mR4;jhvGKKEbyw0W^HnpWw&n{Cu8y_8OD66i;PMB){HWbEC!PIW2#6Wlv7h* zS&34g%tRG>`IFv0+n4?PJ}M%~&_yMl(1qy#x?LUeL`yv1{~X;_f!wQSWY%cdcd9EF zn~d+z#%yQtnvh3%la1+XgvYtKZqL3$R0<3D%qL7WI+I2QKjOFzJ-o3_ z^0j`hfXzH*SEF!)wa;dI^}Xe+-p#U`@AO_D?@D?t%;;&=?)RVrf8T$?Xsk_x zOp0C2I2Isne~X!_x2D=@%kQj!31;0*pd%=%DiSugL2o82K($nfS764h6tk*An1c2}Rzk^~?&r0m<0J+4W(4-vXW$JdC^rD>)1w zGu0(BBfOOgB`L*5y{E!gdtw=FzG?=3@i(o8d+0FE#=;5HH<{n}n)RGfG|Yr=R1X7t zI3eM;Xg}mSY)3bh?@WfRqG!$6XpWtoJ0lFTfRUo26?|S9_;007`=j?a7{M4lx}JMI zcm$)=7`1SfSi_rQ?Ye4HLlP(dXxg!C-iBC`*03e#=@2y>W;-O7`&0fEN(%`(veGjG zhNj+vHGHj?FGHwLXR4NH8nda<4WP|35VAPK%Dnrx5}|z~RbI^vrX$ zNkRev)72@(5B0^dc7lGEeAVNvgVp~2=W|`h-cx*d?)~kpIN=-rvF5i4>=DD9%9NLB zhFb*T5dTDc(14Yq&TTX-V7v1!b_~H-_jS@DO<_F!8NPTT3Wi$Au3Trpv>*+7A&X?f z*QFxM-YQ!snQdvetXFoM(l9^7V>Jx2Tn;Dh@UkGUvCszrZ(Qc?XY#+&EFn*7ekK-L z@?21EadI;?l6*-AH)Z;4bz}g=KJRtaip|Vtf?+7RN`TPCisC;sxAYK060s5pm?dwy zjuMH2H`LBUFp>x#z3)jr+HxHE-94jmu*_S-HU?nAYAuc&>Xu9lxeFN?NCAl--*MkQ z5p$z;nfRXbyMcQAQSVOU-$`VqnVLz%zHGQ?cO6?*w<*_o8 zI>I0-m^~jZ7C#dIyz1%dPs0FzHU~1#C{Bs5RDk}HoSdBPbTk`Z^Z`~mze-dQ_wZ}n zl`b=1Ty!k^5gD28#ds|X8Ct^RBI+fz4PT_20Gw~c>E`s0%9V5j>t+`mEa)YaREGIl z0^QLYTBqMvvp)Y!y+}*G+^CgpRAi+B4F6pwE#s%&7}RmVyjFQbD5)3O{W$0pDzbuBJ0Wu3sTCXk}whE?TX6MSJ8se^l7E;8zmu4QA|O-z6VGd z4o~6R^A(e$*N@-6%(ID?G$5;X*Od2Pe2w$TiNe>+%GMUIW{Ct(N7{eTr+jIw%6WH zSrIju<547BMKhc@0>8QaC^|C*G$inoW{4QbWdSj?{pe~qG(ydM2k8)?s%qD6>}lrd zZtjA?9l2tOeDfJIQx9j6Cq=?TnBZ9Rwfeztz1Ck1V{4_Ps|p9qYn?W%T$ky#5f1Sb z!4O<#{d6{fdNsus7jTI>bQIKIz+y~Mi@-Ft!6)C&3~BdfsBThz8H*ENw;GcN*V zb|xegvU}mBE96cBn1)S^&ftM1FC7B^snEx(yJlM%^YW&R$?fl+HE-!@citBI%LtH{ zQX6XL{XH7iEZKc~AXBRp&|Wd8&9Bu{N7y$X;_4ES52dtQF1 zd)`&dnrNwkWT~@FTKz=et%2B}G>?MKT6v6^DD@h0{T+OvkJJYc3Z&1H)**~G=g`ib zVK>Cqw@cLgS}A+xK^ObhKxh<-gIj@C^0so711Pw|vzZtdX44aTX=H@!W zL@*5)N>#SK7$@au)IIxHv|uOJc0)o-`WKL~U6uH9>MA3vXwB9sYyCqJXKtzP7fRI& zu8Qp*e(rJbu-^L;OIx_I=^}JWkv$Ya9HL2?uWu;GFq7A1L~*nE$T)4S&-!j`I8<(I z3pN>$XV@(<5!@wwb+XV*9Tyk#=@~6Ec07{s#mv->RQ|cFklYJL_esPB_s`T74xmPH z{pB^e@Y)$lrBB7nvt+%N_zFmUE_!fNfv~e<#&{%w?W~K5!R#?I_TuUW)E5$SUWl4w z!&i=9!&EUe0J-u~K76E(&@Cr&0Ax&}gh>?1Ois?~tc;nRAQdmn*3MpfRjdlvMf6X% zA1i>FT2{d_9cp+kRlpCg?xJCgSwmu8mGTviBaA?DyB*q0?bF^D(p!ww`pv7Ehs?@i zd|WZLc${y>SabSplJH38zMk$&5@YVVers=G=(6YZ@7>2d25ugTk~Nd;L7-kNV}0wK zs`2T*c$>ZwjQ8x=Ea{6pK`||LcB5x2zXBOgZNctb`<+}hP%A)3T9Wh}C@^*H5F1!` zSjG|noiI{OuvWBgyRVQj6XR|=|b@$`VBG1Ylmmo|nPA#*@zq2~o$?aZ9-|tiWO3(X? zENT%M-`9)kJ;lG2&%brj)Nl|ReE!bSr6D%dW|w`+y)XXH@Dr99`N~I|am~vSKqX`1 zzVjci+UiQ)Z@~T%KA?C+=WP3q%J6!>@^Xl*v^c|(yubB)t_hi`@I@47rH$&fLN6rY zQzgD%a07kj`_>X_`-a~Z21UQ)<-}X#8G?$HlHNwDA)e`Wt#YG0d~jyTb!n+Kc1yUk z60$2;w3NZ1Q`mE;k8UB{!;Z+^Ul>ltcB-Y$ zk0Z@uM=DC>NK=%BZNdcH0-xyF;hhJBMVOg(3%ws&EqS{Nz6_7`-@uo7;>#QA%&HK~ z4#dD<^Trtegp!Hbc4>(PYd$vgcfZb{dAbr`d|7aD3!V8Lg4I>KBo)+&)4Z zkdqiAXwJrD;&SbKf4@@e16VOd=3`VTyn(7ec}`CEzzF>dzkWlT#$Di$XK~3}U|!PP zd*a#Z=&YPXRZ!7x(x&0;tDA;KjI}MAlea5plOa_SRvV>CzDXvYLss3x!)H*NO%mIO z4=jrn!Ge9TGggSJwaYq;(*TIJL2L%nu)Uz)ls?00YR?zbQydZpClKPQ*ArDX@{f`7 zR!FYogN|jzuZ9Sv3`~r|Qv$8U)EFerR#YZH>-^)@9|7WLIyE$srDPAyU!PJrzxeR- zw>i8V;YnU{P&s_1jtpeY|F-EGv#j0 z0`rhfSo3n7ScE9+8G6L$&vFa;rY4(-#qY;`m1P1jk@q<$CTToYwb|TfMoT6y8u;^7 zx0-I)PdY<4N!QF*Ed_UO@FmpBu#h`hkc=BU6-RxY2I?aN2w zn9KN@x1Qbk*_y~-f}utV)1or1RjW_|1ATo)tDF3q-~ldgsC9xznlV)p(whDHN0*0n zTL_TFZ&if28mB{5KHeQ2miL``?8jrC4?Jj&8|+d=-e{#y6fVlJ;^l2{B;oKXS!t!o0GD=U9VK+MmWW{`Ch3_&UbM_h>1tmbf z9NN}klEmhfgcfXkT9oIXt5ErR@Rzha@HNBnP3huf{fmFbP=n8{d^qNRsqKOEQ=Z!3 z40M?wWT?%z%>JCh_zzk>NxYA?cFWq%W;}U0dbKR&kWHIp-^rEBvXG;g2rcrOd2t5JVcQj7aBTpPd>Hif`nEQ|gom&0R&W9eehsI3 zT;D=ROJMcUD+`<;rI|%kGq$fc;JW_~y+U6=p{U3M$RI`jisE(5OEA8-rTu zOM2LND#F=s{fG15QQ9!dK>DvcW6Dlvdo(Lp zvm)ISRX%OLQ47s5$Ish`b|(F5@nnsH0;-Js9`ZjSzNSy$o1V2e_#^>6_Y!al+2qN? z$|<$^={B)$6jV*G>iJPSn93z(6vFF!&!m@l^X>CLhj0I-j3{(#_mv0xi~sz}`c>*W zP~=c<-G-!0-|4`CB-lO0edg3@*TDQ^NH(|Fyoel0x|FoEQd?rwv==Hu!*y|k%o~3c zEwJGB=;1+8iDiUyB}fDcbHil!H`G~T-VL7k6&b7l%DC%CdKb+N4fOP^yq4HEHPO%I z^)XHppPvo&h z6(%xPm&?)TcQlh7Dgdyt>Y0F3`x{2`vp<|tc+Xo7l7m}@hK4Ph5MkJ3`%`~|W8&&5 z0K4gh`=$Rmv7a_b_2X2x4oI|L`uV!KR>f6xE{>OZ)#FP z2mQoz{?{^q)C-d$PUcx1{6!7@N8LJn6KwtM(lE|{{KYRm_aD^ozxk%WnB)s!>n|BK z{l(b*7h?J6cc13m9|%vSvNznTEGV7;E`y%ma<4lb_C{goQvU9GlvKxO%?(+_N?Ipd zUUyz~$&yVT96HHPY{zX*4=bj+-)!5{$7?-%90u2VR&0O#^tC|4UbWObcOCTvqm!9^ zG0o3%GaI2KY>4-wy}k0v<(Lb5Irij-fx28%&cLjwCy4XoW!>j)msV8F&MIa{#l$qV zzZ1dofT;`JgM)D}yxzMjmP(#PFaRk|#^({3+Nq?gt1Iq|s`K~P=vI2K6(|^B`Is#(%TJ^YQT@^e!xO=hEqxqmT2^2}bgKd?wpXo3>j*4Ad(5JatQY|QeOizs!y zc*O*8YQ07+#z<@^(B^EpJo?E84;muxe+fRaH3^@7_!+LqAW}x!C(uJ2`^mGq-Ctq?KuLS^q{L^;ye<_Ovfi@}( zmVeYSlP7l>Alj1zEFuyF*bLOfqmJp5-FkX@H?P4PYa4BN+FYt|3fJIvO05(%pjMMr zP#|Dd&m1^KD^peU%5mF8S#F`-Dtb3s`4uPj4}W~xoZ^)56sFX!_dd9y;v$Jdr)ivl zSO2j67~s3u+S;}hAI>}s=Q-`&nJ8%}K3PDGxH=Vf7x0-%%gQ{&wp7O}DZ(|Dt~f4q zpC(mpF*LI}|HBLZ=8k^q2O)84t_S1Jh{M%@4Hmh*y?yHF0kcY%dw1@fJ(4H$=!Z&L z-sfiC=f~JP3u=LcnJM-rpJ8FK+%1fm597m_Mec)6^xCF}=el4Dke#CBH`iUNelaHd zx_553wUVHee1|a*`Lo1VGs1I$Dp4n#O~q==4gwT_g{s zi;;YEP7a_TQHIQO>_rP{!}97sC_Y#6Y`B*v?l#jN_bLz$%F$t9KBrP^tF(?4sFMxp zfC*$pK!UPzb6K*}OZ+{lNk_RtS6-M7Uf+Y9?z$yQrS}io(GRF3-UPWR3(r-Qmy3hZ z9q~&ppa%rxh*Ck-;c>!Nx9X60U(g~XQiTPmhNYyi{+&s(=PkFeJG#FX?fr41P8nKU zKR}B3LCGs97|E#?^FXbtbnX3F3SUA&Nyd`_|{O zJ1Glyi(MZ5a_IjLV#Xd=yjs$i8IUPr(;4QTR_ujAUiDrXf8lh$KhN+A$Ta*qn%N)@ zUnxVeje1;p^)&JuH)^&eted~LzPZHnHH*CBmOHsjb7rcjqr>%Mk?gYBz-bhDh;$G_ zb_)CByMD?2tJ4EtOO*KrQjxoLem?yP#e`jQ8|?KL`+~f@FkmWvy!Ap4o_KzgwH2X9 zdsu&5MNQdcrPaJ~2U&iuz!%vbCy^;5AmwG`nI;zCiaH+%f6^!#v4<5U-q>ByxF7&U zz*OB5Brp=Tj*d$PZZd-gQo6{q*gbBnI1PC9UVPi1BXU3 z6pzW$^W=WKZgG`@H}+0b8MLhQxJrOKZXzSXn@rA*WGAgDpvO?+iJTpK(HAPspvUzn zxh|WI_~?oZg|TQ}gPB=VV1{xE9=0dTN+0{7aqTnB(X%Z(RR&-V)&0I4J#dxAYq5%o zismQBEz>wIn*!QS%T&H*cVt-?UQepOlZ@lvVic$ZltN+f-XvTnLO|@j! zquzE; z78Jk^MlWCWyZhK0ZXp%S?~+wyIq0UbCx@X~0OG?`G#G-_6DJGt42V`{^WiuOhEV-7 zSMq}icIlH8VJ^YrS zUp+@8zp7`mva&YU;w+lhO&(lz^DUSld_S=nKHL5xJGwa_92$W7pgTJ=##*684?mucQ;)B~c+`3Dwi*#bPjhEY#l7#J| zUQ@?faJ1|6gT=L+ZR-%=vT$hUP>)ElMtM`XY|p2?=sazhIq(rv_@SXKp35sNP_xnH zkiX6XSXtrmopss^9HH(I_~xZQWO*-6Y7H^zDq3|H@U^E1`>SR5 zaw?Da1+Jb43A&#QclDl(5bg1}aRA(LZ&G?f_FzhP)p1G@Kp30enx3lvRyqHpmI*Zg z^hk4s294W`4FIocdJf##>S`kT%^o5caQGHMbWs{BJ8lpvO_e{PN1~_)dpf*&3+e|1 z*1Ra!J?=P_k~Y}#OOrMcJE&D-_|x|;k0_2n)dKfltIVKY&!ks z_7bz>SOJKe%*ra0lDns-!#=OQgnYDNRSNT9a;AJ2_A&zlgP|@20znkGLd-x>tFNz5 z+tBbGD~Ok$-R+p5wg)kD6QKH~TEwz)a&m&Ka=1`qEm6|Vx;;r+LVBhnAvP&<%g!8t zO~g)F2I&kfSn`<2`g&L@I4x^tUHjT~9c3E;Sz~bUW?Q}@A1Np|gNdMN>?aKhz@1*dqoxNm;andZdEE3-kl zCD?^@rsicx-D`aIAKmb;E@J`BeHY&8#r@-E77k* zYRYt!P*c(Li8YU=Tlwf#R+~W0lmfzD!-;D7VHmnrwWkP80b~&1W^dNzR&H11UlFCc zC-gEkAm}}xKQc7L%#(^qmWA90bbHqyEw9ls)KrMLD;GfAtc(qFm>MO#TGpFsO_?dqd&0xVWfw^|Uvr+U({){0S7^y807S z(K{Hp{BA?R5w(U|AaJhZ^?_IMqi!W6`nxiKgUqK=IY4#9^49y3S`YQ5X6wDUlE76# zq4Si`YPL3HEu`czDkCGKAmbi652V!8bc_$Mx;P{lrGJf@gkxAA@jqqfybJpPz%uVs zPR^}yXRmV}doru_JQsFfuX_$m+pxcAHO-n`435YlyR)-%u*Sy?g!tj#dkl}e4%`Py zX{sl`7lanbvF3TO`&RLPK#^+s%ALl}fM&akxRao*JUnW;A~)=Y=VU<{;jC<6C(g1k zu!l!P8FO8KPj*(5Iq=}SRWA;hnU9YTpJ6eFadCP&=b1BSlpMC`)oUDvid7om*=dib z$Ev*|2e%o|$OgtxO0PAx<<8ttZTvoGE16iaSH--14m3C3&x8f|s>h4+u#|y8MSNHB zS9Q0S%!=;cR8N+XG!`VH4{d6k(&@saM#`N5){)pbaK)2qI00u9SjRIi5lt<)`8Er_ zg=y|Qu=I3KuE1;84SGNLBhIuhH4-HTWc(8Eq6Ttw^z1Qtf=gQ1=hn>=gM=h_L@#tP zbtrgNe%4XDc71Y?ys4FHg(|>dIP5p(Gr%P+XD1Y+sG(>W4GPP-ripRA`Qw9<&U3! z0y^i49X^A+c*vs_z)y*8oi71A8_`m>MwcBHU!PVSlJ#kPA?wqe$Cd1_g*{oOQW$o;yLvM;LV-KV%LKx_+wjz!b;|zMqTJSxw?*LMRPXIxSTZ#^gYOH^ac@xY z;4ZHm(t24x8B6j2pvU5Ut|3|1 zfpa0$Yo+J#1NO8A;~fpG`>v7UGcM<2872-lC*+bj4yniAp}0jDbfyFp49-)NGM<6y_1KNxjUHc+ z!}}z(4xWmWantV3I1{isl;Xy{x1IQKDC)3B&?+Te+Tl7yexAV!h-x6bb&&B=lJG^8 zMH`8=dq{45Hd*lfp7Pt{muPokrndKWb#gsdZX1?67=Hi${edDFtHHn`?r_?6^Ra)4 z4We^LHv=_6b!?U{OJ)Kv?hs9@F6@KZENH7*%JciHkB!FUwW}MW- zPMEwr1_g&g%?$R0W6~bK>OsZj(1Zfs4wN(&@v0eNwcsjxAM)~8b?S!?=jGX7-nx17 zW_yB!pmcnE{3Mtz(mgtwXzI20rm$T&u{*uoaYWyJ`GLcss3`& zA@xB}#9{|2zy*j6By)fS&Hw*#&%C3~|& zYth|arS8hmF`hDB%l-u>d{tN7^MKwcu!(<$u>)HMTm1rPb;zW-(wf0uCyG42irc$R5#?Cw{$L`bX@9yH2jLAW=|N31&wN$`| zv&yX5_xK9;N5_%!D;3--K zx!lhgfqyA*f!B6Lfa=ZpfB6?b`2r zIB`gw2X=D6oVaC+afqzdfLP)u##T3%m8U>Q4FgT&+0)C#Gbi?B{hHG1(?FomnJk@~ zlhYb+WMt&)DapMOb+A1zkpTu-iuE-Wq^5vRvp9#zK2xyR6P@Oq&}r{_<_I(l?*DqtlU85`4x zRqVW{w@AW$FVl2$bHgv|)*+dbx<~uZE_%u9x2!;f7(4Gqy^B)6{L)a@x>2y4fR2)& z_-O<6&xA?+a3DRUvG^6IbaM42z_gMYdW*b6~L&PfVT9vw^B>f_=cq) zsB~)oBJ=-`rX}7YZ>0!huj<90tV>2sgYBSvpl)&zS(gN<;S1j~17h7eJnN zc`7BJK-~4kXzEV#cjQnqij-E9vA5*nGUJ8)AMonF27qEk@j5q9( z%??ZOI-5uO0J@W*8>rknAZsK+da!*)++t*XzSk0m9vX^cmG%r%QCNG-^nI_zA}6Yd zjAT}c5!O*9U6*B*1H}IR{w4rumxMZxRf+8?XvJ%%R4$Ep`nFg>gb`5h67{cRReCf$ zUC8d_$h>43*}Vq-P1W^J4-;6wJ=X!)vsw(_w-^UIyO+Vi!T0!K!c>`MIzyGNmhSHE zhwYPe{d-6={*n!o@04L`$UWwjr<(yf6p3BYlqasM4EgFB!UO!%96p0g)_8@mg)OlI zu=g&)@Il}np^#d9dFYjK4T(TLkhf~ou=1GXHYW4tyap!_Paam}?xIrjKl*w-l zWm2}Yv+FlDH)jVBDlrTV{{-?dpcBRWL9YC|Ut7~;eDY@O*HDDFYJ0qJ^}zk4?x9=_ z%AbrE{&@fd8n6M(GsOciIsS+C_9e-ncr#dJsmz`lfhq+^>TYpFT*&IMW&^zStUeX92;DK)!r)6`2ayN%ab!w_mvVDb*;r3Z3z zFkJ9Mm{Uu|f>XpMhy$EFNHq~)4yc8HJ!rdmEu)!FAf5a+*xn+}AJaeHid zIWHO(78G>G>#P*kqmreR5lo1?iC%uwB*8tW>fTJ3G$o~x80*7mcz*uUQ?J()(C9j9 zu2_Q^)&#s`=i=pm=J|j6YXesW&P_S9YkmCZnA4n?A2^TN;VOx!=;%gjCX-hZV{Qo9 zD<=cLYz3XF=@}gsZNPLb?J1PYd;RZ8*&Yv|F(PxcFgP?YFO8oSKnAT>{lwV+Or=MW}&5`Gxd&XXN<1c2Y*YYUy{OSB+ zU3^*jsOHMyHfRRzyOztP!-N2g|KxJbueQehgWZm! z-JKNSbwMUkm&le8qZMi+=9t>>@0Sk;K9s_y<9!m@mOqF=vrJ!{r zWNu!TBhb0?>pSTRPJA#6?KkrDL2RcqrWB=az1$&Uqp3D*fTP||bzEWJp8pB7<~h#J zF6fvr9aE%Dd+zZ*ioO3+D!iWpYCN>x#_PmySmA!E_{@EQ@D6O{N4>qTZTAcF)j=Y! z?^!=&`g^u;h6ls|SQ!BahTpJx=N>EYo;tTu5zXr2$+YL=-F?7&pF_ttM`R-DjGz6E z(>>SKN<~X>w4zBIySaDy0}HfGrl2B;Bc?v5;upBmUknG= zW}jqXvBx;s*=2))4#QIocRqjq%poU-OinK@*4c%NTx~cnUv71*?X*kwFbx(64f;Lm zxlLu{H|~7n#?!Qn43Of40M1U6+-J2|fen^Cd#^R!d1P%h2RHYKE} zD$k__hc#oww{NfWjVrd3I;nn-ZH(dVx=#rm0k;!^%;rs06n#%B6BE-c<2p;vvl5}- z^A3I9t_ze<(7}@qC6ms}XT@K+DlJ{z-Nw(y7X|VsI5svaYBQ&+|KV^Z+WNTA63#Y8C?43|+$=~CVX;nfG6Z*zSZyz9Lq@}5-tB3hi0XWDo2Xw#r zFMvz7H9vp((qV-LlH1*OPwDrFO$_JmK`Q#ZxNzYD$Hj|ZOwtZ4EDsi?c87wijjHD& z^+Xju0ZkQ+tNi$}>!I~;+SWtV!{wj-k3Nirtk0cy94@^wYgp}>Z~M_HD?~s-O3KI= zzsz6jyYZ&nQS$7EVyoY>!SxMX3Tbw-%6xKiX6wpo*RBOdMMZt@ttP30y!y&4qN5|4 zK=2dkEp&@``jkplOUp}KTlx3+_L~$F`L^ayhV?q?MoMh7+}JwSs_%UXem_$o#l*m% z3XCH?BcrbsT|{`emj6+S(&~&*0x9VEH#dju~*&9W=IZ^6|AN z#)Df50MZ-a+mA9aF>$b_>mR>|(9zfD0@$Ay9j&IS>MFYF>Te3?j-Oi@Xuj63UZcNn z8PFZ9z+HB7zRxnULEWN#&7Pm1i>oO|_{Q(tZ%SkzILPWkYvNL0Zmg`69=Mw(FUK8R zMM6NuGYGD?_O6R z9Ee#_Y++lCYwBGTpz`gXgpB9y=7xau1O6`IW1n}xW!mDe-t z-b6=ps;a75$BvGg7*;r$`i~Jcdk@2tq`k^BV`E~5Jud$y0aXS9s^Ognwl3Yc!s+CR z6BBOyVDsK2CGks@-UlhmH0890HZq8O!U7fyT)1KkTHa}pw~^p{FnH< z)W1nhE_dN9#$3u-{>dl*7p5#QX4iVCNyVe-e$V=@@dC*98f0$J<@apn|E=%8IMx4= zjsH8}y+L9Bw}1cN@85Cc8_!_>YkyO-K{$o>ME9e<7xrn62||W7{vZ6xW4!zXN?Dm?OKe;KlLuGp*4!AvsqgqlUn42O^{dg$cHm2b0L`EeWX=+T2e z+|Gp4o^7Xa{PNlA>$ljgv1jjKGQ1G{_dfv^0#_YU&i1+`9$dv{!1nEKW)4v(e-eGcEbzwh);%}!(v_0m&TBjK>?5>%-koIQqpp2 zZuARmk`#1GmX9AwWA#eqI4aj>a(|)+p;-BV(c?W;j+&>6AIy@IFQ=AcUDk|oR9YQ( z$AGF?aQxUzdp&t zWJ8+60S0*sNIKF1Wr;9kPxVUY#(gRGHy^l7ekf_1>YX=5j|2$DfXxl zE*A^B(&KW;J3jAd9*P((`R+u@X`Iw8Ia5oP7Uz2#T>>wig}HpAe;MX!%8fp#lwO`; z6tIQDc4oX9P^^_dk5XV9bfAj3O1yk9GVI|xZqBE079P`*byw195=IcPUydzoS#GUg zb`4(jKf+Zk zODp=R9usV0eSo+SlAJ(ve_QAbEjV{2KQj^EY}28);6Ddr+8Bf7+L&r^93Lvmb!Wpu z+~)OsSkf)#nKVkd7^~%}asB-&olNAYuwJr2eD|ltD+AwR1j!8RT%yeoh{=OQ<1S}a zy`uKP&9^@cetc^RIwFT(?V}b{D_*VTkrcn#^ni`?^}W~DaC>E9V7)o)zUa?~&5sY2 zZq}n-yr5Op(1-@`nY4ngm*0F(`hJ?lhftfpLU|fslHy{HD_6P) z9?Xw^DzV+S3NGmI({y$WuRSWSA0aiX1g|zVt~Ea7HQiE8u2b@KGMcDhKV?*2|5Png z#XXUiR(`N{tnOa6@wl_2qsPZkT08P>jFyT-#4|CLKp-2fMNG&#t&vlVY<4sxwmFBo z4@j7Q(7l=W)B^0D(Xv|p`<0Z>;MbFPj&J7Ti5US~LA4k2D}^0CV;;1uo?@ZTy2KwP zXr6c>6zW~rPzV3C!Tiz=_04-iGrVRS|FXFGbotXqi}_^kv8wch>PKWEz9oiVlK)=C z(FOlOokUA2B;k_sgRs|mnzB|mwl4+QgcEiny zYyOEt-eig~sf;$)p{b6e#-SBwUt!6wPH?xjyj={s8rwk-O~X48+g0p*DCRQ>L&$6m za`i|7jqW@O`rgE~QEY|}T*UM`Guf9fZfJhw2E`{gWK`*tbIeK{)w~q$;m{T~RL8Vf zB&$pe$b&WaK-=tP`^!Jxcm?qG9U<_~=k^t-_ZPN9wUgy%t$IIL-l?&Tu{gq(@hjPI zG6g>vsSgH@yorh70tspIPL0-7eEtCQI!nuE(GeGzod2ls(Vcj$9c_wJw4pCVMQY6g z$Tq^5T!ZP7+2z9yO1|fBN7h3NS(jo~@o%b8u@T?wHrg9FsE!5%=7i|@tl*z;^2vNg zzGF#_v#a5IGJc5VX^2+f(>YDy;++#SqW*XNJv;eeL|X?RitV28-a>zs1L3m9X0_EM zg$Z;+v&zWFDnzAr5o=n_Rrt-vVeHT#|D?S9e8&?z-%ol@j&VA_3xrn*&az9bKBkfr zmuOxdI~u*;zxiE4nE~$P=E&&L+q4z4d8FAvH3(#t#nT_E-?MW#+Q~mSF84b&Jk}Gf zMSS9HdSXeJ;{)p8Oz=PylS+4p^O>?!r??V1h&#uGW{(^@X8&C{j%S@>J1Cn~UXIsp z%2|vFx%C3YZ1@;+%=c!;5;FM&>>lPzP(GIB@OGIr+2|WDBHEGDINg5dPRUJ?{iik; zv%mfV?vteu8YT+ZQ(|n}i|lI`^9&&+B_&VH3OZ9q9_(Uj-LRe>9lMe8{2R*33Cu4o z@88c8I4nyQ;D>>qjO{Xf(^K4`(2i63f0UhjJk$UG_bWvw)Te`-E0xMAXJX`25ke*8 zFjLOPoHB+!rl9uM$)sibq%NV#m)t&TzcT!ymEK)m7>5B&Cxx9p7JtWF0{WP`_uG!4Lz z9p#ojj995btE^6kuN9_y_KIO%+glUR-)H@TUDE;8(hCZ=AL6PUW$_kMW8E%pgPoXU zkP3Z(c0pIA14_b0OUN>Gf|SRh(C@BI7~fD<-|L~kqPl9Ek0)zmnIyE)*h@z44@%*P zG$#9TLHmAlz3GRDQAo*FSK0RWoz;2tgW5ne$`~fX(8^96rW+|6jkwK=zt@7-0tQ@Rn<;~x!`TKPw8Wf z@H?bK62|WE)z#aOyLq;e>U>`22}~%#pyH7GxsiD+``A$dAvgx$soDXNh2dZN(AwGr&|F3LFKRqLZV6lt+$t$kxZbls zTIFufHZ|~5I_thvZFNjbN{xPZH|9!> z5v0LCK-y-KX#>T74OWMW@Xl^gizW1y_UXI{n2(8X7n(aVzo%+m{ny%BD$KA^#ykNH z3mGJT@^8d_9s;80r1gH1cXz^H^!voPJ=hFj(E@-Wr@K@eN3mTUA?$iyvTt!a+xv81 zD_cVLvCjfeNCmMb|E=VkcYSh&%l?1Q^%j;E#ALZBT?y{Vgo8#*h-E?PmO*$R;BLQ; z4ma~&UcF1vM<2(t74y-?<85c&GBq6!rws1?JPXMja9}dj5nkawuqdCUwQA3DeaZiP z-`E; zNW#i09K-gqEUU`tR^cyNgy2~Xu+5`KBo$qo>8_J>Z8KHB*Sq!E7dLfoMR_jBtr%K^ z1i$xtBX~8pX}-?7^5dnPseb3lGxLM$mcUfw&2K$3TTKvbd9=BIEqUtzmEyb0a=M+)KuAUE;09yjxFQQH|ld z08B;@7kTE|>`@u#0Htqa@Hrg~#ne|6JcBb4^N!(>b)wby2~nzLwg0y2FPH=Gz4s%P zn^!yEy&zY@l^GX5Q|`>e_OC!Sm<^@$m>=BD2tGcL&9Od3JC)eGNuZdszTn})8MI6H z4zr--G7()&SV?1N$87%T@^rl&3U}H#Cu6RLxuT(GyNW4IRbRs=C_qndIK0-VQH3n^ z_W5j;W$R3|@QDI)WMWNRsx{C(Y@D8Oisz&dX4XBY-_g}yrsQ#1qX+vlJJV&ei%`%| zuylQ3aQpOky8Vj;k{Wc1H{+_JmrQJ{wd~bG;UtwS?v^&37KEXGuLFC&7Ij zFVa(YF6e~2)UjMojw>67NofpgSwv?xV(B8g7l5D3Lsrj`!-sz3?qTF~DlorpwPa+b z+2qKLn}$;~k&K&{$N#O+&&T7d)%Pu9S=Squg7fTaLV3QF@`u*E)mIc~$$$%l$;hwA zYh&7NAsW;ZqSv;b&V$xN(Ap~3t<_}8-FySdfmv&hST8>=^()pdjX|sDk2vnQMh)wk z;q-^$gPM2E%~O^k`Zv8Ar<#q%Nb1W(QNMx{PjeSK_en@fDy*yojgr>44Xmud&m1Xu zuFJ1C_gjMF)cQn36u|Yj@Y_pJ1UTmusqEa%*QR!Mntw+|0QGBsEl77AF3F{X8)*S0 z{@|Xr1fx5-deL_r9djy5f>t|~&@mz>55P$<3LYon|Lcr%=IeAN4ZBL0iV6kQE@Z{< zlqa>-9^wjqT#!E?t(?8PulNT3wZU|HUh~PJKaR zka-Il05Yg6eV?Ghk0x6JXt!bBh;d2!J@ zl*=OijSZbu1n}5K!0_I6r=SVd)b!B^&i+NL9t3}11WDeWxrp%%|Afz~8VJFII^|P(@%lF6S zy7IW)6x|#~MGMn6%^%laiS@uf6m3*`ev*qYC^FApEZYju!=dbMGaGX_Gk^Y^Uz74= ztw`8$HpQq+C9i_pMAe9${p}qKp7Q!F4YCm&l4b-G6(%jN;_`JA!lWuID^~{5Put?c zl6Tezo)WD1)yOEy9%^9IoxsSawqe3Rkj(4Qp8b`3xDNimjvJX^VDrG?M=V`GG6%?l zxctHP%jXqLdRkgN;w?`ykV&p@w2=y(e$>Y>QQ`5>LD0BO?Z@-|zgdc^k$tUhlPLIt z+T5Vw0iH%Q0)f+Mzx7`T#(9VK|DP@S=43ufKujF^RoK(3Phb-Okv(+7bI6mQ)}Q;* zqEg0dB-8TJ_%+whGV=CbGIbBX5Y>|7ykzjeuEwK$w8tz+xIb)ZcxabrsP^byrzIxK ziQiFDe_lvtq=!qKOgjQgx=m@6k=FMwrk$U*K$Wa|p~ZL+j)hh%F~@ZxW-&S^m9UfB zu+4-vY&{YLqxsuiIY^hdg-v$6G4hv<->7jaMJ6g9+k5m_&Fs((bHV0sz%eX!7mkM< zDc)_fR80NcgX@zZ)%m~DjclF&s{?4hc!PKZ?wWd&q?AND<+|GCBWuzm#1shFmgu*T zirl)02~ClAJWGTizuDX0l-Wh@9GK5Zm>*_nx@TXGJyh`2zAZxPEiCt}J89#q3tRsu zW8+a~e(N0&1-T(+i_P;Fp0)4v@)%LRVpWEm7C>k6CsH&kQnNst%Gxf!j2*|}KbgF% zxw>CyyIA%Uqipz>7_E5~87ZQk?WauXi`B-m$S~r#Z5r?A-9{oQ-WnSLz{M<;@ZP_ylze=jiP) zq|VywT@&`CbHj_1L5TH+-bzK~R^IWrR+dL8EG70t4k>1lk}CUdrK zPQA~gcYFMo4x}0~?8Fk)m1Hm9U@J!gDOb7~a--4c5(FgbMYYUA^<{8~)(!qzNQx}@f!KGH*g=Vfol&QC;p z{gx@kygy>kn_cYKW78EBJ*-ejXQZvWdta#Hc*^Gf%LarPE#QAtPeN`B9<5G6WY&xw?P;=q}EjO~pK93G` zo?(tk>Ha#pqayNWC07v=^?H}N3;U+oYwSL7o7m0!eTYkk^{WwX8b5978LOo2}IK-hq;(Q6^eOB@pC*{Fk8!^V^T0!kZ~qc0EO z6zs*THV`DP!WXmEy^v;EW$VQm&KR{|9XN2M;z}jjyNDQ&QF-oRZmc*uRwSDvJx|>B z$VIc&_W2e~Xf#8|Fu-Y2I(&8;ZL?kLg2*8aoeH2swmY?p#DH)}N(L=H@UhtX_70TT zmUyb{8SD7Xo&;*EqfGnT^qw*pOIK!+ncz-H{a0oKm7jPl_o~g^F!Kl4^_9`;hEI12 zk-IO$L0r$=0U4Q3GyO-TQ}MXgtt@;%x5etBoXwjhDDwCG&XhYxbX(U9R{O{2?faku z7wpzh6g3;Ei0@12??b0M^7-94=I~H?;Z=Nt5(S(^^dKPn35vs&g+98Kh-!=Toc?h{3)tDQ;dVh0$puTZ!W5KyPXz`3M*-}*%F*5FAHt^WTr*wtW zv$@J?+_h568?~uhtdxr(2%R9+K=|NF_zjiO8lU2wmH4FYd{k&@O{;X|Fdn7P9*OJ< zWWSRugCp)|va_{To&Y|}eE$g)+KnZa;_W9%5ds+@%!CW_wI{~;M$NbW8#yTd%O8kjdc-G46ynC@Mb6cNjPaFUH{S2}U5`+$x{*a5Cr zO)FhG^IUZNfPnV+2r@f)t~R7@hewEsDJ#;+6fd#Z>J*RQW2>F5bWUVCnL&;S4Q(=Z zK&#a`v%`h9!l-MDh%=)eTuEt?8>?$hd}LFs11S+W%<2!GZr8(@MNNVT+@{tXrs^EA z&MeH_k=t9vPrxX~`#bZ7t*<-aB6rqfTYLxZnf1*>d###(Tn z2#o0zZ5Bt1kK&OBxOUtVmgo|%8_jbNrpVqP_CPyu>@G4zL*wRqjUzN?BpZpxpi$~? z8gL0Lcx0**$`={CNXSVy24S>IiB8n;Oog|eAdqZbEMz%Ssa;!Be_nIWMyI&*t0l@W zlOQJQGa<5`0dw`hjAb`Bw}LMdb$3cvu#y`_SY(}uRL;U-J=>b*V873S+iWAy2=~wo ztF-lpa=?J<+72K=^XL_Q-rX596KJ&|9B7cJ3B?vicHe`>ZjZ@A?Jh@~RqL~SKD)I; zyVOI6u2Pgf^#ysBmjn3DSZCz!_D7puRA7Db@kiroa!dD(BpI4>#0*sA?%vh8&v-uR zQoW4Z9H0R&wZb|6Td*`@y-kHLwsbSA8QpW;#xZO@NJpzp+l(GY-eqGNlk8!2q`<`S zjq=B3gj>nUrwpyTIN`ukyqf`j&}h0Thj2xeblO8L^afWx?Zd9@dH64DwDyVyl7LE= z;In1VO^I|Q$SAFbHXb_i{u-KeJykVq<5yTzM78geqNP<@W~1f{|9E)Mf|dT0kpru# z_7ThC>&2=b*3=Vmb!4cc&m7F<40k&>Vg>j$a?1r+Ac;2h;ZIP zYp<9R%tzhwuw|bs3;$j1Slj1FdcLvr#1**Pw;kcFe*#{SA=#@nQ4SvAIb+0s-Z4{} z!iNc6T~$#Lr9Ob&aUfPir}jleDO_;c?9QEX!|umGO5NX3V@HF=9`lTJR<|Za&GDUI zHF~t`e2KxQo`C5Dqw7YDt!I1r7VE9m#BuJu%-bU13)0B-gugGpAs0JpX#tv1tsNP) zpi3eoT{V-h@4Lw`)IZhzMBKaY2PE=KFjKFERkFmq3Zz6Emam^sflY+u615n#bhD8D z0@DHn=V&gsG|0>FPkWNDdeqBO4M;PP5Z0rW!W7**Y|GXNWe*T8L`&-p(vbI}Ugt*g zPSs7mFpj_&VRm1MII6!G&3$MaVf-r>-}C2VqEl5> zx?DY%m*OOK_BocV-hJkE3lVDuCfSctu6bwLb4;v9=jh_~svAr}VB`RvJm}hU4%ZO1ZeR z&awEdys!KkZfEv(h^Kb1YMTz{mkBu0BDwW8xof_iHs7>D#L{WhVr~2A^FLyi}+re{ExAtpF)& z)1uQor$Zlb|Kdb*n;*Q`-1biE5x*od?w4#ZH01HQrQ@fi&N)X~rh=h>$m(sUY+r-2 zf5I;T*L*<&se*KDP@?Z_dU*fVl-YZCp&zMjnDF^Wi`z!B!UyuEEKw0Z+N`%K(n$nu z)UZ00*hiy0(WF=VeoIgeAbpyDQ0t6-N>{xVCa7%=NZ!@kT5@6^^JsW}YmdIo)SZpz z9{h~43{t=QNQe$!4KFSm(K)cXUV0+y{j$Au*b9EtAZQWi+^jO{wg?IJ&na+WC&^PM ze4SlQ+FWI0vp2#4c-nLD6I^RdB)r6%Y7^f0~^ z??3^BpN{X^kajlfeXRU~TsMUo@!33q_t`?dC$r|$^ULm(jWo)dSrh|ty^KC&b*e>u zJ7~0g-F=Psr4hk3%3abti%0uQNd@vs+2&CGjr10ESKJEr#DH?27E|dOL@iHpJ$R#* z!ZR+!g~yW`@g~m9SM^<8FQwR@Y-pu5bb-qL5$-6Fp6Qqy5lA1Ht?nJ$HIs`_W;Tuw zD<*!7xfyeG`E$%&x@-n5W~f!$`#S<*38qx?*9iy#xMA-^cK=WC>L@x`E7-#c#=Cp~y@J#(+R9T7^BiPtT#!T=Pg zqL}V9N=ub$C+fq(7dHI_%1pqjWVzH%AXEGTpsPf&rG`W%+5iJk&GDBZKb48;G%UX`B%Iv5+NMg| zc1Urj8n@`px$jdbj$w?}dg4E(&`j-8@hTy`SN?G;!Co=7mL(p!GfYDXds%I7kzB_* zIVJ)1be#|gRW*^kR&`R05*fjpGe$9NJ;TdZ<+qTQkhsUmi7zBosLissAuoq~r;SxS z7PZ;I5ycj!5?(jT-3F^WPFUzZZhYC}wWdDER3UN<6WU8?PKG(|j1ZR9DoU>hy?v$*g`bBDCex?IY9UzD2f4i&KDcf3e>E z_vW8N$cmTzD_(tfJN|AdfohBlPE}KsaO%d!{xvC@gQ1-ri4)e1*9n|Gx~7MB>-JjH zE8B~X;+J&W1K#1HqbW$WR$jsXeIlaL5Cc2u)xtXE)gxg z+n?M+SKDceggw`N0BLXrxLnuRUw(wNw^jtKwil(h-s1#zd_>H&h=Y}~0~O`8wMP}4 zkjsCz zU>(N&lFR6LmQ4zj81-#Bg;|Mp|AocdjK)6v&!zu8dv5|ZKYnvQ%IzB%g@+(Q)IQURr6> z6-%bBC9o~8?f&%KvS-qs_6x$Jg&njRSAWxgT|bMfOBZvg3miB+pVddqQd1kB7f{oUIJZRO|I%(=2C%ExOdA=xPUJ0hn30YApU7UBI^p(gx-agm5p?UV;ba>B zx>w(gSQ<>b(`mzf3_xB5g;kR`qdei%*TJ^lVr zd!IBbYkQWp-JPm27ogiYngrf!2ka46H)4%Ut?J~C-HX&záNdM1tr%Q`~#hp-N zJnd6Mi#S4Q@WAg|!w1YgabGL%2?#Xo$La%We0KOIE{;CnxH;W!?>ZG+mWS<@qqR*a zL6jjI%i`1n{MAENFl#fUuP}>c260fH-gwK_o9n!-cEj=gu=*Uu*1UGwxBpU!;#t^K zu&=n1wa3Q9(;jAt^c#9L|7!ToN;KQeR}UU#jW%; z$Zov_ey5+Cv$;vj?HI7ocXOe0lRS1W#^|trBnNEiE*shLa1uwO3~`-cv9>$TOzFmcv`70 zu1D4P9R}*hwwnn`CZ4uAC67R)Qm~Q6to+B(BYGdOzPX&9F4Y#EcEZp=? zJ)+F~>sR>%0cm|Oe8#7IdtQ%_wU**iD4cR4_J#vNWokq}ZS+|+l8_@-$JCc?>zQD| zF|5qlbUJrH5R%p?4pNOaWtQA`JBuQZ)Ib zUC&zr*TC( zC0UQR;e16-E(y4c^a+JjUk9!C-UOtKBD>G4Ksh<~0MDzJsoW|d1BqnR*W?8DXu~6m z0eS0Tv6oPgeJNpJ_$83ybcXY$s2iz6FG0uT^(T?GcBs<3$09{v2Z?5E4qa7mQ9s|S zf?&&I%2FW_)gazfG_##U!A9nyWw*Y~nQCO+X1--MtQGpBkX@tR!%FpY57L#XMi{oR zez;A<&WZqPyMQb}iQJWJb}9kNStB)R0Kp!RNfdkg_U$QJ#2jcT1F9Ij?T}~C&BSk~ zcu!FqoQe9vGLvsZxFat}yZ_e+^MTY|sL9zEEppQ_~aO83u>U^S=KKa=3n}kY5e0*R}am zvIud2yU-<;HY4Y!oOggYU>wy}(*L=U6ZP@B&!DHxBXCS!+ZV_5Fm-5-mD&IbP&mAZ z&nn|{Ylp;=bE4ua=z>;i9|nM9Wlxbo_?H7Z;&!)+bERDOZyf+^XT72uVr{zlbC#Yi z5Tt9z0d~}SkL$us7O=ga^j0A#Lkt?NWkIqvCALnn@7$DF@)<0-{J>zWE#EMgfh~jZ z$$&a1sSctx`0fKvq`TK{94Yqj^virbr=)8#JxN;sC zywXX7JxA^BKKa7D$&s?I%R0Ih1bfYMoZEby{8XC8t2GWD8J%CpuT`#KX#hntJ2Yj% z)W5_;G!z)1y@D4KJ%bUU9h)$N#^IOJl*or_wTAEcr3JNCk3t{dnp?<6KL7kYkz)VA zYEdI1&+r9F8W+7pXPI$Wz0N(=!J*myf`R73)}50N>@5j$8OXgp;a&Cl6Bbbo{PMfUgE-_r{%c6?QWy28*(>a9}T8|w+)ar z*Ci^{wl3s}uB(}rp*`3J-QVfJvY+h!4J0N)#SaozTc~ev8St!7&092ahm_Z|4_VemOaT%d8J>9m)7!F3+_b>)2Gf)(60?^ak zd!KzS%7x>OH95X9`W*^3d9yUFoZN>ze)%f-oF%1}tT0EkBiF|Ux-`#j4u91KfHwBl z;jQZHp0ks##dx$~xBL%w8!CCpldn4lZ@o=ta{GXXcoFlp$mN-eeggP2S z2flmzfv_>{>0_MKfjQjcKfm4@eqeA6tw(KJkbg9&7f%G1*mmXf1n=^tBa>?qlwsZK zEkSw8w^fN=y(Ly|1o(k`dmlkTK#8pl>O;h!@*s@$ep7<@>{1iUvPh41YMt&dxjs)B z{|qp&aFT5uy{vIm6s|tU`SV_BeY5Tct#1!mK&qCYjXl1c=`A5l45nb2y!ZBiYGfPr zsk9NgK+{Dwy+QriDfv90KDUu#4_iLGHRM?znPFR-|G?P=i7}~7xQJJtxiK-0K7nWl z2*Q~do_lAkGb|z60@+1gzo>J%Gm-IramDE>q=e@HPafhT6;$LO%yjk0y@qW zrPBvk5B`hM^?AM8H?5FE9+y7mfap?sLjo5yy+Lf`N16llzYi-u1efJe&l#j96cs(K%%N~~*5Na)O%)!vy~ zvDeMqCq}7sMK`Se34|eSO6`_3q}tjBX}KRu;$g{Idvil<$tIjQErE<5e^A z`XMf|PtDhCB754t&V_s6YHNETM7MFr$NQ68f6Hc$2fs`h3QzV&c8>o!ET+{fP9C9W z!Z2PmWC>aDqYK$cODd@7nl z!@G&Ya(hP|!VMb}^dLv4>X!cZ_ZjIlkn=nL_xnr?t6z_c#o^~o1+$1n@v+{GO(}&9 z7-lESOf?6x`9p-Y6z7%_!I`2jFiv#5-LBNnAB)QYp&7Ro?5cXp1nfkCH8{ztQG6m| z+w6fQwIjpJ;%MF{nj>Icjb+N?3Y?9Iog!Q7{s%l}W`_?XYl#Gtf;7iI%UR0{Uv_HE zY5KapL^3jr*XxI6sLUv0muzj(ZpozS^t%3x-p1WM80Z*qaJx(&W{h(`e`;ZI&t5v; zVmA~a{(1qu5-~n`)_Q%4wzSvXpvy~&7AJY#)Z~e1PX~>a z3n?#9vpB6-x;y5g&?$E5SCPqhO&N1GIr&R~$L@)U?1`2IH%Ee8u|qChZBpyQ1Bc4a zwii3bXTg~T7FARU)YGi(=OrcD;lch9j{O83o?~9cBF(~OWIrjK5^)rmM}f2KAL> z8^;6ybg=zA>(`rSpaL)w7!AooYX^5qNsM|oL{M4LRC%)lkzX)PK}o5&2*Wf!bf^s4 z^W91g=U6+1P^6TG?S!!wWaj5d3}=RJA%2MyCM>Pd<+?MQ3E+}TiWIr!fiMnfw_HDd z!PGcnr|*>aqPFSd$9R8ksSW{*Xv$}x)RH0`}D*$ zVQNx&C`7p;V4ZY8sh%hwO3n9u4v#xpJhRtr@0inm-V(DCIOGG6nvKfV5NJ?)^&4h}WXd>V>}C8zy$_$1U|F)#Z?$qP>Gn{9kN4FDqV6 zq~(NmiTSKAkE0q-a<$Vs8$3}axl=*U_ltc9y7hmm={~hM?JGKUoY8P8sAmp}Ikh#~|EZ;)DAS&W;Z&9q+Ee z0>qy@cYIPzKghWm*BVKTTf)D1yvom?$YK6G0!gEBAr#5c|67^d2E67$+kD@ z3UK12q|)t?+xdHoGahpXieMt#aCD=ICBx#{c<#rKF2T7VL?KwXsvqO4kA<4|xKY2{ z=wz(ixGGi z#6)_#O%yr&l>3jQ2!XJb-y-2bN4_g){7l~4zm{=o@P*i@_TOcB-PWaSpP`K07mg8z zn42?QNldlM&H8;pT!jng&v!r{c!}6t+a6}fH56(N_LdgYZ%d4Ef@%8wz4Ei`8*ybK zq(RM_J;TUd`A3vh@eJ!fwF0fT`9c^YVdccdb z07Y?Emtcu_ax8h-gLuTm>+0bbX#+znVCH}#!+RtXH6F4TOOuD{id~F6mucD6Mx(~K zE+8tvtus{Dl^8tp9-zm9;h%K|c{L*oGehBJmZ z-lu4&wqX|;r$rST1>0VN;I(f5rP@jEkq_6eTV`PtzFK7i1kGRH2wzTX`euKIu`1i{ zi-&uhm0-xo#ZFMO`43h8kqRfoa#P!0#d@otZHj8}9Yf0TKe}YGYnkeEch+dNZzEOs zA}KpG*Ggn_KiBKTBFl_GEtbl-^!A(WUSIdjn#YdF&r}EDTFqJf0D!9#Rroyp_)`Xn zjmqN%odZX$s#}_u0IHc?cM~hreSTRJSnK{~DGd1|`%8$x-5viwcX$0f=5$<2h?1;c+qqNWxK@U+*Re{w|`&>-m5uKcp$aVTh zG(f}LQEQX!t#o>hD7@|7GIgH%TcOzcfXJO9x}@$1D8w@AE#H-`>{gq;m`3Y9MuncZ zy-%zt{7nEj@`&83IQro1%DKGO!UB0h>&aa+S*hTtyIO4iT}j=-jV<}ni@#Z`=@UDX z`j{_440=UMZ`@Lsz4X`t{<^AvjgEnhTI;0So@6u!r~Z0q)0>IE)(-LPI`VQyp}4Nb zUi3NgK-a<%s_uKdyg_71>hSz}SJzz(%(r3Xwf!W@{BQfN%fjHdfUWr=ENf`7tf%DX zb!9oZWkNITh^k@#zyK(-YX#TxzK1QAD?7fE@m5DyBme&M#-8ogj^rlXotv6}u~asD z9nKT5(mq%TEYi`KV%*a#dBHmKv1{M8$a>_sB@VY zFR56+4iZ0yOWJDt!n~U(Ms*OXxzKW<19?KKywSpQ&x(vb$i-z7EYsu$6NZ!4|MN7I z=TSz_egOFqCaQUlZcFD4c1h;kmM%n_0IEXF*=N^H1piS~RMe35tPyfwIl3QiKG4-T zd~;_%@4Bm4S+r3NT4%-w>`tT?pIn-7piE!NtZ^f20&kUz8K*aHJc+ovs z!=0=jb1}lX%VV!WQt5^{IEIVNiE8Fig`RZI;6u~Dpx)hVWEEhZ3nquvs7f{bXtkK| zk|I{n%u@z)qD>yXltbqznnev+)UD?Jb85iAEn@ZVvYf}XM27M8wEng73g7^bmFtKB zqFP+2m9~i(AKc(#*)@^i#a9^7(IN{r*27(+O~bJ8r_=ku2-0iXl9oc=?T5(%DbK5_ zesD}h_t_oF_TCFJkEevh92MQQ7uB2k$9OLBu_J9!$nXoYNHJhkUoW8uCaP4YU7Vei zQ6&X@FjeW-qaxnJeG=**xbpyWu8Jxe*4Ca^@~w4cmHNt#Z5=#XhH5kqd1 z+nIgsrd%YD5d?=Uy~>!v0OqPXym?=?3v?yrSxxB`odf8hEuk9OTmK<2s6c)b}jXl6kNtx*k zR?YcKCYwe~o&Hw#trH%$Gg1sR>xpcFa{y3qI7Hj1{C8;SkWa|6KgY=^va@)Mp?`2l z+rr=9Z`x;vh*`tDlu_C_zr zX!}5gKq+mH51EBGI}5-`%&m|)Q24|iME zo!znLKqpc0-6a^$b%4eiFg+67E<=p@2h!B6EV&>xQlo=-xQg-lFuktl25ogA^3kM7 zJ8>{Dwk@a7VDKD>8GBK>js6_xtngKZ(`j=nvg&EiqHMI}nz(4lwCz8q#+$qc5EG(A zefh1`7hLNX4S1G#&^w%GG0i+llevonEtTB*JqY^6^bQ>EG(CJlQE$}S#GJ{qGJ(S!m6xfY2s1s8Y_o(BL1pomyG4V;=mX{2o ze&y#m!l&nr)}s~8I^`InczI~0_gGaEa8&MNf_f&g04#WM62NZg<#?m{^>o!J;hdFf zhwcvdL1l;mbL);dIzEA=N#v9pW6xX)fg zYhO`r4h)E*+Se$cw{IC5W*W4@ZyvlVur)TV+p4PLYAjBrI8q_kW^P0Tx05Pc$b)Ub zxHi1l0+Gv(N$sdgseJk^_?VaBYYvZoUzRE8oF*mFSBoGsn=-e8jGiM{q zTYb;bfG^H%?bJTGz04{8__2o_7PJXy23Qa|t>baDV1@fya{frpnOk3cT!5;^#V3UO zDb%e9Urqjdo$h>my9f4I>qBmK<2R|>@frFu7Ih9K zYt~VZoOLc4+ukojjS7X>2iPeg#MO>e|J5Bo^o}Nbw&yh6AH_dTUl)ydG1`9*(&`OY zcb}2KN&$EfkQ?x&{`*gu&WGg3GKTGMWwV!R4q4_#KG5))nEZ>2n_SeNyy3?x?Fz*V*smr?a~ zd0K+|E-Z~5Ez^<9s0N+C+A=zArPM)sBEVaCfAxjJUxya?X1u2Rdq$eX;-cADByYG5 zKIyyL!#4xiZ`J3w{>3fd15fTSYpR#~j6cYq`l9)fyZZ zaT{4A^y4z=;X6C@Xe59ivY#4%L$tqY^ck-wojRI2_B)x>4~ZnOvwX@n0Y3WT`G)KS zpAnWe1-;v(fv*mE@6posb=gBT%Ehh~mS|a3*M~j+9oXU7Uinbjxst8Xzv2C5Z+1rP zAbO5NaWc7#w+Do-h->4eNI+6`!e_OGb^|Lp>P&)>l)wETfHqIG1i5Sm5I13F;Q+@> z+V?-mnfT&|lq{zwif80K^RQ>PB2YG7gvf@E3AykUu8YMhMT+3Y$A@M;JWisOxu zDqnA}(}@%;5vg#wSd`X@T15G^|^IMGmbPi z%sN0{{6R5Serp|guelapmd6r2KyKPHP>2D%O#kVvulEU%N;m=WxU>>U{e2*;59`opG=Yo{UP;^Fgj$gu4KyvZzTMyoa5+BhYpCbd&VEx|Y zk3Hb&G-?Z$>o6D6rryiYnW;jPQk16(1_}aG%bxd0tw!9An^d4FkENdK-kBD~2#kuK zIEYoE3%iju46XHxAAUS-XNAe;gU?!Gp(*>ax*Wh-nj}U5n;!ykB~X4b~~L4Z@M_FX9OIfC<+#mS4@G zan1;v%kSha?Fc+;nC`RWSK|)0eOqFpk-|0q05-$~e+V3Za%vDNbu{Bs9eF&8d|Y33 za1nlhc(Jg)GIMjDT#~7tHgMH6Wq)pI8KiOV@M2|v>!gyevAMZMCAWUxT%pBolVcnj z0JS*dw$H1PWL@HW)sl$unmRqx>#CA=1L9%}9C6zF7{fS;p+^!%S2YCXmMj;EsW}bP}8_%@LD>e1|)Uo%hwR>;IQ>L*g}FPwd`S`^+wLL2CEl1 zcSQSNs~6m*2U)cGmS6BYM?F;6FB(|)FDmK2#fxQN?5|Btc?M#sj%J5WYySNnO#2Y{ z6Q~={{_MsDcIc_)<=0Sf9}mEpxWht4vP5q!X61*J(siCVaL)A@?;Xlks&69@j(AA9 z7ZqHuq->eY{{`(6je;M*anW+9DHy$`ND=X^{L@$nnsj_>X8< zsEK0eBv@z8M0FpM_Y));P7n|Ftv+7ho&48EpcVHT^W?U%0opdaF=WLNnsy6rkys(Z z>vM$Jy^S&b_!grtXOxW$9I%o{T*({NC{5IRQt~v`xcoFoFV}A#;<7PfEJfsqtCJ&e z)t2O*xJ=R)t>7Z0gjgQA>SfUTgg|CE-V@y!P?%7m8H}I`C$bubejtNyBg?|4Po!GC zcQdaZe=VVUf1S1bQ0>fSrGWl1!K#8Pv%Cw9E7kf-JJ?(3$(n~fxWIR6sY7sp`DI)g z%P<(p$&-}JFsm=CQP%S4vem5jHj57&JS2jx()8JYFUXh&g13G=RqYHOh^P-=EYO+h z%G_mCdC@Ztm@~7{F|7M5xa=)0#iP=}cn9vBNSqnNnt1nx?H6pTB;IIutp>AYzAhx%>OJji`{GD z={f)BOw8g)=v?m<0E{3KKMraz6WEUc*Kt&^{0kktNsLBX)FLjwwix3#_t^+sYj5k z3eI1$v4Cx2r-9Y8%i3@Yrz_N5_cHDualUy;j(T^SL>SiRfa~yUQTFN9FY0)KMML3JkX^=~4UVM?$FW85MOfHKfODW# z=-b7yhM%xrW=>Q7adxHkdW%8+@%!dJ0$cwMEaJl&2>QDXx@%pktCLZ}9VNEtuCw+= z(dy9QGkZ(u5}Auz!4#xBvHFQ?XSLX0Yg6&UdWmSHCd_+hu{SyF=3&8u5dgUpTT+vn zCS2MGbkqZ9cL&w4BLlI_l6JX34HGMa!n!%>eyj6|Ms~#wVR3Ig8&W(;Tbid({NmX{ zI*SLf(1Ej1#H(l%D=Vs*8UN8UbN$5t{J%PANzi5t442wFYi){(nOMkyzA& zGDqEWLRc^DR2A%d{X+HrW<#;$F)~}S!R@}qy~-0*+!8_H-0gG zoED=R=0G`Z;6)+Sv3M{F^}8tQuOB*KgP^m=k_IUc8?_y5s%{U;lLSN^7NAl%IMtDJwoF znZ$~vrK>j)r1j)vTGV&W4y=S&bNj=845wJF-IliQE#NN@lnN{?$>F^6rj+0P_b1kv zFnBIeckQxo42hXIe{P}vaJeWxW^LT7?I*(oP*>wmHLo^efeTleULAXc!8bP*5* z0qN3FDGCA#(n~~o?*s@{6qGK#gH&mu*8l-gdM^nfgn*O)N$3!2xZCr)@44^$d(S!d z@wv~3`{D0LNwW7^d+oL69CMB_BruxBCchOe zm&(ua9;214=IF*BF*WA#9C=aELA3Pz(i#l@w+!Q|jD#m(ISH!p<9i#vw4z}C`@Z#4 z=MVU zOV2`YNrP*MKZS*FB^mDF#QI-(#|FYc$EqIodiS*#2l{()UHq9XGs3nf?P@VWmt+-s zR5s0zvmF(xFgGnMmEoT|Rj^-_p1*h!iUA?P^D%X%Ip4X&(heD-CHKAxnWG4#JV09E zq69MBH4^Es-kJUQJGS{)eK?DO*Ly3#AoEZ`yZ`t_ZApfsMd)~V&vE#Rmc{{rr5`C< z$Nol^RAB>xbp>KA^~UanZE1KRZ9kc+Nd4`T2lZ@0rr$u4 zW&W=YwLOC$gBPg~S%A#D%;E%r&|z1BFmr?-=TCVUw3Ar-AMJN@fqDVr;vF6x=tJ`2 z@||BwME2A)3~$NDni@a%CB2oEO+CJu_a^A4T5VNXBr&IYG)a?tYcf$g1Nx}snt?tK z{2HrOMuXVg3QeLHpGXEYN|M!9iKX3TFIshWJ!4JzTyxv zp;U$A$JtFre*(=_rg9wRZo2XMY)U4&x_*9Qg32)UWZ zBeKW$wq9vzEeiJcv1Y`YDuVco*xyEM3ClUac763Kyc0_F#SALL|Ml=N=xM)efvoLP{78A}cAq)ui=#wSek^V3{5d8a*Uyi?|o`0vKQPt31 z3%tLcUb&{b&ZAANa(GX&yTWH@^VsD_J8P=y7o(hh_=&%WL&+ouPhbngFsXQ)=4EuZqKqlzH#Dv&7dR5Pzoc z;=Z@nT!dH;669~+l8?x3Yin~s=vnH8*?SM9Y*lh(lEJQaQ*3n4mJvUU2j@K5FEk5u z8aS#Zir8xZ5+4^2A*Z5M_@y0v#GqhF-1=;U*!o1HNV`3&dIVsGnGi&~;s`~&L5WR! zDz)tW)SPpz8#;TBg}0N*H7z#Y!?3}n0ljPt)cL%YzWAr$w-o~cp4bPVA@s1Lq9g$j zQW$Ri`6`Dt{_9sOXW-sNQ2g+|ct8?i8BscW*zJzQaCEXrsC2TlGC3oPwLN}79 z2KVZ^W;=W^{U#ZL`;iRpA4N*{9TN_W-m0ruMFnx(;~q}SZ?sB`v#7U-cCcn-CRQ~& zfal;Fr_WH;RUbMa&(LRfN0_f2A0z5jZT@@`ST1|^kj7`G%W46YEs|*Y) z)yn?YCs-8xeHvUAl;@PTDf?Ml@RvlGg^nZ~G=rir$8y*Tb<0vnkCU!`68q?ha|3-i zDnm5IsLKeU)M?*nQ1)0>kG_}*mb~+1E@Y5%A7&`nWs~KkvT)1=jqi=H%V&6&s}Qug zOSX1U#9om-{<7M`0BghnVZKHkhhZ$Az)#-8ta*|8V$k11%@UvCCmuhsmO@l@K(&Mb}Sm_!(O!^R(7JQ zCVc94sa!zyY-gxU)BS@WV%^Ew+lD1_p@)-E897Iu^*Z)~)kDSLD>>mF7A=_XuZZbIyA=or5CkM~mq0t{^yl?fe zz;qb@)I52E{cs|fwNeu5S~7U@^TyV(zVJ%8RFJ2Brp$3+>L^hTzM z9-HCYf_|g|l_5xMto`IyB1x-}CD-T+i_7c>RS)bOK*rc9qs;C6bBKs*O{itc{i@?) zos&C39cgUd*KY8>Qlx(7tE(WZw42z91?u1x5 z`e^T3e~3upPKiHj!-a!=LY4Y_xX@h&F)?Kkm`!WE#htMbST?{X3pMTNIDMh%Qt+-Y zwk!83N0)4uVYBC9nek~E?-ab8by=ZEOPSx+*EH!_zpZHDKRmxjYo^nx2RWkI*GVvO z{!bPM5uY492f84cxU-}GLYepV{d5eA3GhOLU)V(tg=$7A7&2?UsG^+L4v_#n-r4v;5mkUrX zy}Wg3dY5Zgy+dV6ve)*3&dULPH?LJ>85~pl_QPS8A?#^v&#yi%u1uezC0u4gZmzLn zv`0HoOB!bkTCz-YAB{YHVbP#CEyI6*!E&EimuK+?3LTokUf@e2jCJZyRC2Z#O%8g~ z9HX(TiNLRPI7sfzP-I_HHz)g$GV4N^M)pY41LV%=_zB2*mBl`IiWASc{#qd zxI`Q(z#A<*F6RXCe{6)l{~IW;oLr4j_TD!GEe4bVJBBYebwsicF(9CX6dPm+^WyZ z4zw6NnWakJL9{C(I0or;$86?CSm){HLXgvO`t0|zN`DAIJPdF{&hEzKF0gv-@MHx; zxb$(RPLiIrh%U0CzIU-{q-$PJdu;FN%TBVkQI&U#&ziME(6>?<;zo(=c?Z>DGC#&O zlopx(p(z%JYbsu=wG|Fk5->(w@tierM^)Bx`Ut&m z5exz!YUxMwYOX$-el*>|YK<2`YVNNu8^}xZC`+F?SXk?cW({YgspmmJxVT(PVdEC5 z8Bb5^8JG`*tYT$XsaKaRP0Z~-__Q2cbG4zVmfX+MoU+gVQHv?vQyZT$D-~w}fw0>L z+hxVUskr(AQk9gEUTf_s*w|LPI6NbKvz?lw;{nzA$Lb!06Vmat_v4Y}8)cvHvUN zm;5I{Y$VJwik4L2Re69IA@&T*URC;yie+!3fx$sBK~6R2x*j{&?j%oN_T?5e5#3q~k>#D-Fr`qs3YfD=KV;XE!6$L5p6X!qB%!dY%T_GFB)$Dz$UaDK+DR4=HP64Tl#|t{Fs~GN&3=KPE-P_ z$`aO0#@CmWJeae%XqiOu4I!100hnCRd5i-h6@*$$#RjnsD=OH{!UMPwZ`AWof5>A-2r|WmkPBw!Z=w;bmZAee~U8c;cb}B0c8^{O6{oy;~<52%pt7unOPEpYT z<7THXV1F@v%5A{d9OejMG&0RCe0r77_~1U3?Uqvx)_nDQ1CkN&8$e&=F6@JYCO~Qx zO~yVh@pbY+w9W$OjD`o%k_QHo}Muct@f@r~Fjfvl0U+d_a^7cavbG-3ousJq@tyofoFVC%_3l7*Ih;bMi=X7 zRat}jm0{_=+nzM{rfdBwtX|$V#{wPVgVSeNZH!~L4_+t5-bWc|_tv_HLODZ2@Nl@#^73(? z912whzd<8sW4k=c^`r0nEmmxMm*6eCz6L#QsNw8&`KhU?6ykbT5UnU~=s^rabwYCT zeFo1d!+h-Gq8+}m?cCFa*=wvKA%kcM9kRgTms+(S^&Xc$hQ5fFX%1G2+H>pfnZAt| zB|o?kZ!Zfz4j*iPzq%YV1xcb}pa|m31I$j4Hr)d|G6CEY+{04^K;4{?0xS|^8jfkP zjfjhU20r)5#IOmylq*#nRdQ}-sx%8w{T#&7=g5xV9C z)C_exowL9Uf@U9?yyib!Af`WDpkolzN#gR3{owm*WMsq)XyN!J)NRo+Uee024g<`U zwT~GSGe0}~?D>YtQ~Kk>ZNH5u(F#TnSR)2s zt~uPAaTo{)_+uHlcANg;o9N_)hQ`K@qY`B6G>}?=pBheXZ~4r$wprZ#IW+XLyT4yR z7Ohh{!YE6?xNH*EN3P84$&GJJ731_WI=*IU7mkh<*Ar;9ubomcNpZxa3cLYKQzDi9V60mDnK6feJe;M z$nu})RiO5T7fb$)hTy%3#rj0LmfM-74&neATn3|Yjig*RpN-bP{89Gj)#ozDYZhgF{46mg4P`YC z-;FaHwaVtEUKu(rb`yX;9|wZSI<80o4LS&zlBv@a|231SRKUaoW_B%`gQo15OD6V! zEXmz@MrFOKLIAsBSJwYnNiVjlCr_5<&nHv?0n}vb*8f(6lQTHoqEBjAx`aHAxabQD zFVVUV4Dk)qf@CLT(2WZEf~)$J3QKb)mOU@bXpCIycN#(dj1mmMag*qFqNv zk6ocL;iv5ZVoMwIPStTiIIGz{6l-QU>A5^y6Y@Ry$MY9f;dVXPC4{5-FCT{$GxC)v>MCT+_tZR;<62Zw#Tw7^?>9 zuKtY~{l9;R`LUc3`M~`>vkB|}X4M2zzRH^J`mXZlt1bVuDQPvJ5F~r^D9HYEb^h~D zS@Ea*{K!`sMoQyz3}HI2Z>sqErsL1+|L^Pn^DF;G*q`aV~5fB)zH{_EZP7Z2}GOy~cZzyC9Tzq4|fwQpy&uO>%llA3v7gZ1w|EwL}aI48deZ{)uJz zCq8lrZ>3<}W4v|i9zaS5!YY2CQ?~+C5znL3NQ0=66xIY9B@%!NDq7kF@VOn$SKY1D z`VK{U1lbu74n<=(VN^vw7qC^&|>7?`f?5 zaVmuN+_}%+zspyJSuB*6l{pHm*EQ^yxK~tEWGBC`0c>xc0r-AR=>HRF{=c2e|7kJ; z)i{1lK|)+ySEYHceAVVbQEov&swQ!|*`U@Abq8?8-R&L&L@dj3-2(%)_}?Jg{fqJb z^O;E`24Dj{>lxDUy;<13JFa@!l~u_p#$`QbCG&{db&Nb@Nc@73~;Sful}6uY!&nmR~=cHnRzauY8L@dR>&JbL48p096DCx zZ@O9;)vv3$aB^{l!Qt=*58&+t{3PeTSmINIf`T}uq^4Ms;^WQ#wz>TE+%Qe63~`J= zDhn-yLK6U2nug`^-Fy~l?};FHGT_?_N&X$=<=@Aja=7bfm(oHoN3WEWl+et=ct^P3 zF~PhTutzod)j6Sf>J$TDXIl@bxfvs?0sTX|Uyewa7qy_&cYn(r3>5;;(tdUU*^2%8 z^{WMBe}5n4d;Y?OR6s$g!A-4retuq8E937uK_n^yKwL7r9^%`Rlam&>UvibmUmnRS z$HalZX+NR00`i+iFRwa#^j%=D{$&skwAZ0H#l&;~W2Z4gu&dF_m(gy-$??_1zw`Zb z04}@w11T#bGd-931k1ceqr`oiAU$sNs8hd(#tqn=b>Nt`rmz zQz#UwWtwV>?ccBN--tX3ou~W`H(CzekOrx~buBF|TIi^-u&P5Hz*hEp`djf2>xIjEc+;2pzvIaFAEqFS7jQSMRfrJyn})lm`-@l@B*^?XrS|q$ zZm-wz+Jyf-=a5`$CotTDTXD<(VM=~yFCP2XN&cC)55tdqH3=z*Iut6zTX6E8uq~cE%JKuJ6VFA8&nB zd!91?bLV3{3!v`ZdX$3#mIp3GT;*L$t+1*Lfpxp*QOjIf?pm8iO_q5MV52b8UG0#G z@<(%?cY7XVE+s4tSuHb+jZY2sVl$iSJOYV-bqzzk!iGSwR>O%aaghVGWHC=F!DDL~GA!P|M`v#znhkxhNLt`4JWVcp#ifU89k% z+uGbToBj4d&~@>}eLg;i<6Ps&XY@X~96-^p5DeIbnL&@WD(gxV={zRIn&aYnwYPhUb4wY{G5|ftp0Dzk64E_uFaT!&%vib@{yAr2aY*}eeAx4UI`0wAl z7abmc5deV%&=OlGkuoHY=jfnTY-5TIK+FDl&TVI0r}z7(Yw6RVMlb2I5E{n2$A_du zKrSU0v-?b_Y?slisdL}9sK@;9Aa9d=4XLc9P}u2L^2q75@Z4s7*eWK6a{JQRN=ko{ zyC?|6I>^%Y&=Y>`))1F5G-Jl6>U~IoAJ0DLjYCWYQ#hsNj{5(09uex$OlAQAHXR zvJaV@juc^4nUY91O0`F!~ z%%3!Rzu!AUH5uZ8j`LDnhh+lg!@x-Hhr%@lOhP4PqpQ-#CJzJQYIhF(X1ipRlIbDt z>WdD^>-;&*x5*7fCI4Q5&u z{u`*)z(mLpwYqKU?d@Hh{|g1t3|LFxHQfAnf3r7!Q6E2ck00oG`Kp9np=<^T@5`BSR6$5rw|nm>7e_olLn%7X04 zepFwwP^T1pbYx_HG1V~vpaa6xAv#4oy=JpW$7gOnj-Q^ti0`WBI2Z9zPz=v{i^Fny zJ6FErZckd&uESz`6Oqvj*k${UyA12}f_`z%)^q(O@VQa-=s~2<E8bps#}9HxM$|TQWUZYmZXzGxHvuM> zURb5`oMOW-*P4aqSB2dCfW)#_pS5O)YQ07W=*V(o%dvin*>|8+kTi0e`VotY8P)6ab|MEO&GL$CeZhO z^jK+P?vGs|@Rz2>7uu`()A^X>3Nnw-y3UzQbE>Ory{({5%CE&`u7l7^Pn!J{Q0;Ew`3xR=+e(C~_n z_DmTyh32GEmVur6#-+2uT>O0~K3GI+Y(VQ9p(TEq{Ws@?D+2+U0xq6KpF2OiR;&1I z*R2jdR$Rrx;PPDC0zznj*7-~@;pD*wakPH(oCK)Mk3DZNYxpXX$0*bld`mA}r)Tms z_9Hc0?dwLjjacI|5pgX~BV&>>?pL~wx(HcGfYApD!72ElC*L@w1Q8|ww6#=b;)#uK@WN6lOSAYA6-e*j2q*+I{un-zu!dq;PBCSDu(oY3FCEj*-eTO|Ma1|v@ zDw3Yn!faceTot17&}%50;+_a(S?=tPtC%8*%Y6OTvgF>gbF_GF1D(M{8Wjr_puGdO z%4ct4WE$>##R8)DD#Oadoc9c?UntNV{Pn$(d*V@gs(Jg*HM7IuyhRD{$pukp9;Q)b zYN=H}GZy3dl&ZM2!LmPrg%ODE?9{$N2HB z7Mor7odto_<(<~a#HIJwpEC<~)cfToq2hL$CMs<*yqF7%t&eSU*P5@-H4)v1?rkw- z#5SmjmhI_PPMP`C?Y3=*O9`rt1hd+v6@( zs3dO{{hnIP!m;#gQNl=QFj9o$o?Il;m{M>7m$KTc)wjB~&CF-}g-N;{O`a7j}O_ww@c;%ivMQWPL7{|s>ZHAriO4v6O@ zN4o1U9eS_ueuL5P>qq; zwh~|7gg<}rw&+Tqwfx?rxLH%KWEF;?-C?1+2AXL1B?oPH*}ItI82WOwTRPv`v=M)5 z!Z8P{lvi`-O!YaW6hQfccUk)jKir`*^--|?(zHXmzyZNCfJf2xN@*SuOs>}ucn3YgLujLHQ?*g|(xVV&JVi`|qsY@(#=)tF90j34r zq;K!2<>~0#raxmC1+Paj$)ZeW9L)@~r?xYL!$;j~L^h+kkLS}Q$+lGWYEG3148ry2 z7Tvbbe&*;atA~UJu$r??)lFfmT`V%P@}^OSqmOqj^TVUrQL)~lhD_LY1w$l!$#^)t zLtpuV>wF=ewniH@2rvN!_xVRT1niSA`SB*5>6U!9S^Eb5k|5!ASc6MjbD47XmCMkD zM0HSfysSTWBAF z-CA`90=%F&X0g`}l9u749;tjyPPp&+s++^=JoBHev9M}cpYd*&`574xh?iDGnj5Ki zb5c5%L%MKQ@#?N}PIe#^C-ZRJVMGoqtIopH9{vZq^$&kovvpp6ty;#3TSk+(sq?6o zTJLAYms@ZLss6M<>mO?ub~?ai=8PU)C#uJ4wH7xT-OiogP7HxQdesr}0<2d+P)$}lb6Le zD&dV($168Q%IoSrw~bY7%WiXgQdM?6cjQLMLFtH0Xj1N^@T8=Z1`=;V028)~6nAZ* z*NXBar)1?So#{<%Lv~xSYEX3P0Ki*y={E(@)7uPIr!;xD%m*&BP+k^k6%vH9IU!OA zA*_DoMS>>Zs6Iuw(;QSv66Si2_(2sUIS^03!-}f7%}-vznU9(necK_=QC9`r#fOWI zwx|k|Wa;hl*mTNn!VS0%HH%jxrg{~b?13q=N*I$g)}Oz+ZCi@Oy^nkBa(LmwcY)FJ zIdAaJAMBE~FhDxmvE<5aY|7P@pcgn^^EZzDWI}0+3Fhtm<{8=by^N||_B#^BjSPB@ zBoCm&{7t}>^;Nzlq%%DBAmZUb-G{}Uv5IEv<8QL?`#AEfSJY$pB*;iH)6ahN%i?BI zm7`!;pthnbI9)Lk{>;H=1+wLhcW8#yBK$n+Q`;+e?|mgA&)c$qn*2)|m@lD0D?EJr|^rCP3!?buUCgOqdKhsh9uW^Z`{V`= z8ud{?i!WiSe(LP0UAq33!a(bc&|Pe`Pox=C&nkRh6-W{|*xWyci*HdcGsM23Wpw{$ zrgwmG8-7rwszN90&px^q=CNpE1b6R0#jdiBT=W4rt_g9Eb0P?p1)dibB~POG87b;N z?T(=lya}Ax7T(jaTIJ1vc6rKa;hb{nOX+^cbBj{|Eu4@sg=NaQMu#I_P8W0RygPhb zjYb>s=4bvwI(Yi?^VqwesEt;3$z&3|7qC*Bsx}DGovwBGJnFZ-BqRp}aw}s9w>H_^ zFC)|43Q#3wJKA&Z*c$5(^iD~3R3T#h;dT*NAb?MnK0X&QBbpj>K$Gal9#y9;b||&B zmDqo=ee%A5Z_<)@6>M4@QV$)K!+iX@sxQ(z$SQ5C)o;mMfK!%xQ{GS_c1KqLXQ~G< zBMOU46UZSMR+iz2@FE;$C%eg$)UD>~ssCs`SB2=x$zvMt1x=*GJ@@I6doD5%&!?Eh zlxH6JOXEQJtWlW7zOk@t$^)@VC7rk%&!1o)cO33J(YtJ;c&SHgoAMAOD?oT}Qu);? z?XcXoQEDQiUMDgI*%6qd9{bo-O>BTs_T0I(ySOPbC<>QKjV_>(>_{2t173JEn8S2| zKO6bRca4U@H9x%#y}Ad<3vp(NY@Ts|=~Yz>9{w~(9ii2)-lVrpBhe{i+f4g*4p?N! zKV`d1>Qdk)K_YqvvXUhmXMR>uFE#dVx#ye6{E9!iM<5?hpGCyazs5i=zi zHN1g-*TBF{n$?I;pRV|`m%A+ueX&?Cvp9u#^StvxE5o*dq2bg>TnQ;KfI2h&=3*C~ zl*tR^9BCF~a^vV@Epyvd0g029JhHu)`ehB)oeA1Dyq@2P{oUm*SEB7BExi%!0@ zFsdR|Pj)9oiEuH&o6nbggsB8rLmsj;@zQqOC() zG;L%(*xS^C=mmYG^E+;wk}%JpfAID32g|9w_da{uydJFTH+UfH>L-U$N9)tEd>F+{ z=k)p2iKQ{WVFkKmT*Y`&Lc(2KIyj^0gnX#28R9j7O`fghXE4KP%#_i-q@#J{gJVsk zFAH&<(L3mJu0)@ex6|iVK5rKJ^fq*NOLQH))5IU%YRGjaAs(WhXhhFL=- zR~~v6eSL0ZAJKI3y{6Kno1}&jj;+k#iAy;BGnTQ++mE!Hv)Nm~KM}MEsJCmm$|jb9 z_QRNbCb~6Z>PC(0#JKGnSdI?*Q#Vtu)Dt{2mRnX-FAHDx1X$dH8@0iIxJzS&Azna+ zG&)Na;vR20(A@8!8KOgWYkaL0HwiFteMtkRi>kD48Tkuok{MO0J)xWP4d|%YqRp!? zRih}0LkocH3G1tES8rBc^ppCf#vUX0yht$f7?8%SFtp)A&x*cY zGp7o|uK)8y*F*Y|x`OR+_knkWM>2xB8+RGCL?XmOoe85U-X`XO7-_*rBha;eWzU!O zX_B5X&D}c%j`?+O_D{_2stfB*jCJsK(peME`g z(;-LAI1fVva-rsM!0lYZn5s=yvJ8_-M`%NK)MC%OGUIq>I*hFcpuhk|yH8AP5q4D- zwRM56Hpqup!*9&MC>?dtcjBel6rGWP6$y;G%U5*4L7X&j-$HZpV+Eqtw|@5&N5AVLgwsOs=XonMWS5IaO7#7#Qy)otM^*zG2f3oQ;z)pWL{ z4J=Cz%MoW&co>`@lkQQW)FHOZ_GYX0-YpUEc^RP@BP9NChj*?ScWb+tsJ*|RbE2f}64AFKNa=ZHvSh_mW?Y@1T%!mhW?PF;q#>Ma^!KW5SjRV$p;a7BvAHyOSkTvLqHOIaf zeq7n-18-bvVaY@qC#iWe;^<*+nP#iK@{{Vh>sRSn?wBg&iq|a57@o|BRGKxnt6pxo zaqhyo7$Cs6rDm6;tzQjiXQET+1g+1YvjZFTMePP-LyH)^W-2#;ZBST-H1Q?dc=~$! zTv6wAqKhd@r^}=j`&`o%4kGmX`;Liz&hZEeyoV_d&yV;B3XF;3AFI>%DoiQ_rJUp5 zQ&FkBtuq#sIi|{Cv2kbw;4T?`lxKTvbA_xOLUAz0t&8?bV_Yk1gg<4P|`ViWH9UfO6 z2p;^#p#Qv~{$x_y=*lR0kiiV`W9o&cS&2^S;p}li(+aLvjUmnoSg=4uBo3Hj!7hVp3L)Sb7J0h3eLbCq5hG4G)9TWfDQj)##m{yN{o9 zL(_V)YqVYDXB24*q^;uP_CC#dUha7){;u@fMrAwX!@0%FG)PPTlVD3**6Juz`Zs3O z4*C`k4A+>p4gO}ZGBGO3W0}6 z8&^^Z#rIfNzfR72y~C9a2sc|G+isCEtJzU$Noh51G_>W?wrh@b??m;6OZUg#bkT|$ zr?9@shfiDdNO{5-u7b!1f3nc@zso8CK#RyM$B>*6FpPi!0JRoB{m}c?&sy>O_n&W@ z#1ja1-GG7~?gFi-;1|xj%4TM{^dG-G{+z=6NLCiRGT1kw)Fj_JHBo<2;iADqHieb(i>&nm1 z$1Bo&7J?$fSn%2pD>`Z6WnJjywEl)XawHyEV$60h5vyVNnxm{~K7|OBYNqH+k^E$B z#c){bRP`iweZKCOPlBXa*=4{d;q3sIF`Ub{`2^T;A2}SBpVR3XzUKIO2s%Ko&wQx6 zll2D4$l>N%-_W+Zqf!DjmbHD^1aK3*R%%YlZ>IY0iY_(tW-=p!;U^x!OQ!0f{L`|K zN?&!;6H*RoZJCO_i!@uT7V`yg?^eZ)u-usSfo|h(;6`wmwZz71FPmp7Zp|C*73~`4 zvs-nZ3~%cSI6Ue04!1%t);)&r%Cm6iX+`MyvA<)N+TLstpJMBE#H==YTmoz>(9N)E z^E0tI2VE1@bLLN{CG?UPj`x2GUilp^*#Cg~-A)B|+ygMN@@ba0K&AM5rI>UuS!|A1`W|{D3z~=OAx~%+MPCd^;2%I50O1ph=Axn=2Xtz@L&d;j3vo1}uHH+! z3=q_uwQJpM zX?X&Dvr-Z*pReK=dJ7k25j*L-d#XQ2T=EEM*B#*m19^^c$|L1hOGO0jlbC zf(X^}wuDt&n%5RwdcXjLO`;f-;Ft37sLF0>5io^9{q{37Bl?Ep9lRyP#*v6;fpjQ) zKz??>05=R(c^V>0eS2-HVe~#^#xm3QZjMq^!WDMKBuYT5SYNNnvtmiy;WT-**bXir zeJH`)2Mq_%!quDGHPbrg14@HE(K&;nVyvl2cL9`EL+cfH_Zil^kJ)GfEmO3dhr{a( zJ)G;>8?uvwKn-gb6J=Hzih3A@R2vN(YvOO#!xQxIUb|{?paPr&D^HGElP;~~{`pU8 zOYA9mhzdY0FuIt$-_YcQ{1k&%C~usbkS>Hkq|0l+B)gkl(=1iE--B|X%2SUANy%n2!RA9qk&LSKp+;U1Vb>50~E{ZTUE+92{WyT=(3atv4rTkSPPI z7904Vm|*1|v`1{%yPl3e7NY}RZV0_w!DGyZ>?;je=uE#c1m#}fX29(}Y7OBjvMDyR zA7I#Tr>pDf#Wk^2n9yL|2N~QVk4T9HzV)2>PkyIG?!Ps1&a_^2ihL+h9@)>OloJSl z_3Bmsz=9=Jf$pzvWnwEfI{Gri5a<*&a?~#@Exkc=5n*pV>`X-#)!HOh)}ff)i$l_U zl9|H`0<-wZ8`tY7JkKz@JgJgwFr5>G_&)Q@H6qml6}Qbi6?gP+wo(CD41s;VMxK&k|1*3YS> z_F`JvtQ&H8muwBR<9KF2JLk`tT!Y4Bl1bI!GF#pd9k8A5-PL!oV7sIK)j8H%^XRSb zNev=vtPrKIp4WAO-2FVn+H~0w1%b z9U2!B^|;tAka(AoFVM1OpqSL-Tjs+qQWGIom$b1reib7!HrK>hi)$!RQ4NpBih3u0 z@jb3JOx)lRsx*t=uqw2hOvY-^x%%4koXTeA>f;}b?U_73oCV@d;RKudp=Haczh9~> z0Hwk@fb=hvn$N%d$f#j;J+-g@u7~XrONAII$o{XQ-{o+ibqznKqa5T3q-Jf})~dle zJdkpc1e`C=5P1C-KM zk9d2+mCzr5W8qVL;Ftp;ApVA{%x56A@0qFs$~CssAAnMZZ7rgi3J zVd19F7DZR7)f_7K)AC2ENM zr#s&)t#|1bLhTF?yARl}?TD2f_xl(gA;BExLsnZ4-=>xC3^)uVXS;< zi&ZD%WqP3&LbMmp*?Kf)PZ0ry?6sgv_O)fOcs&E{F!yW0>s`TryagZcDxke^>IoE- zArq<4qM|r|>0SSyd(Cae%U^zmk<`$enj{zrgudxm@HR`N@~q66Ab_X*TUu zt#xPi6tfyiPaVDiQiWC58`|}m#LwMrxCE_2)FHRB6~YLGIXOAz+e^W%^048rfJFcE zX`d}sSa**_Iw0K;IY*==8q$MjSrvjnrJMcuOSr@EqWr_xtdQgvCQ6y>OE|9nWV=(O0VNmfArLwW7}@rVgKiG6#)B~ zr(UC#oyaSdW&n-_!~BS-NGBUfAgA9Dsx%bSLDZi+VwSw48p)inBKRQRAW6y}CojIR zPTp;FF_q;mW^^3O=J^Fb0flSoa&&q`=<0xV&Y7;x6L8_Ss?|xBR_7lWwsY-F;5;pN zfA}B2Iv1n%?Qt5gmO7priZ@OFI;q8z3uur9tJ$w;0nE&(Q34#Gtkotm^Y|X_x*NvD zTt#Lv70^B)XayRj>P(_lfF?p_Piqm6<)2)1N6YSjg*|V)g3xp&Y@6P*K3rx_0)nal z(rP{E3G&6KkC9-z1b*Wtq;Vu6gTpi;KwF(tknh#qX>tjZ`)+?mV|5|m$fyhCM}PvB z4xoflqHyR17~W~TeEEjocA>P6Aqs1)AjxYrGy_zid6hEUbDBT=Y+|moS;g(TC_&@s za4KZzMF^cbZ1oka#cRP3whFDZ0*dTjT>{rQeZT8M8mtwBij8+?&RArbkGemAaJ`Iy zkFI)7?SnsAwAmM?L2%ct`HG3_6*#nJwMbC8^kYeF;Z!#xds8{wtq@Xbjh^(tE5NgZ z*V~8uPwC%tQQ@xWlZofxo@B8Tv^54Ha)ASUNDU)CFm0yphj6!drt|B_uE+#Tk0u>A z`}XqT@Rclsr{{u`AD3P-@`{miLV0cp08nHmtBqm;zV<}QtHjC)ny`^GvVd^ysIJGv zY;y10ko6P&)Tf+^np{W?E~9!m3y4pqKvxg{iPwjv3i)73%PW2hy&u%(C@GH?F65N4 zoFto4_dH^c-YYs6(!-8Sdr)=an~uu3PPczTz<_<2e(ZN{C^eI&c>yPl)_@DmbdtA5 zPf?xajF#K`z!ClO$=T=6&R#zI{<8O4+iTNsfm-LaN^=A4s?uqQ__2pJVMPthl^$yU zoczMLvwr~i*RsZe%PeErAQ2C+-l-oTPV4pvu|=)XSc}j^rNLG4r^O6}Sp?t*D$;0HX`=$bqN}d1P6G4XzyJB&yHi{B{1V)I z#ZQ`S_=|pYbc6z|H-Jy1Y-*abcX05F&-B%%Rgs6A`)b&aw@jPUm#9YIC*LnFc^^`D z@t;&F?Anv{J#1!&m*zhUnzvnr1wgCp{WpFF37V|l+1RixcB-G*1oiHT(>?F#;8!>u z&VDTfKigaVi3=Yu(Cjn$?PZ5I3f4lmqw&RL{B^6t)F-;7co0ykk5yi@Hnca2^~>lkEdJ6K$Eo~?-XnSUuOpupsju2|8$Yx`hpJ(Qhm}xUTx-zxKE3Pd(KjnK3RWq z49gE0T_cyx6H)gLYfGZPrD3waEv&#|B>W=jOWbajyLnPl+f%jp9S^#o94Ctmi(itB z1|4IM2#y}pkBvNc>aP;uzxwk^di-*i+X+ik6b zDbA!l9~FbHasM#^U2kv=kO*^*KTAd?&56F!O1@ZAIcGt_P!QIL6C&>ZHgK z1TtBu8&ma|6u~U0eYhGm8m@j-tMvHUu}mdeSC;;fu128_Y-h*e#5cP(|4HeJxiA%B`OyZy%i3duX2I2|)!DxGqLq z+gT}U-rJ|v69zZQht%pYX~zd^nS*vD5=ygMo*;0({GOf*Z}r^Y^NkVqCkc*bOSzgQA%ufc{q=dI2**$D^m(9A@n-3=8tj(tK8(f`z2%9aXh)FsJgNosqRPqCBHG0*i8pb zUD0U-L7~%D;m~`khX;2)?WRwEAO99MRZk_3!@Nh?p0^5<$ie==Jz0Gc&m=7eeMg!T z(~CMBf8@&$Su(1zNxqFtw@m%>2kY?pN@M*_^5|2+zVXk{LhV@x+dc}2LHS46yQTa* z1W-qA4isafjb@)(adb5s?B_DLx|t=H8i+7K@kPS6nEN=F-926X1PcQCD3;Di%GMY= zLY$dI@@y=)N0o8crHUA;@?^YA6Gu?Tf!KpO1w+HAyAJVP{pKU>G>e-d>tU-f*KgE! zi}rA(%&MXij*gDbA}jW50BZRKz%oHv2zx6BAWv1|wQlN-FW9jy=S*^b_cBSOcZ7YM zMVK3=Z<6bm0us@tJRutdnQrG!j|%38L;~Wd5O}}gLbf6UQUVbh@FW-%s^1;(0v+1 zj{7+8mvC2u46336;$Yu^H6)iPP~mr<`vN{cZ#9)9xjsPHdMJZk^O!VJ{Jr}vk)Tz{sW&QU+VR7R1`>&$fcrdAj@;c-2k&|*R~xSPFqZI2 z>a@X@vhu2$W(x$jHmr85QMGqj3(60ZEyrq$^W;{%mdq5oc^?OgK}=Abs$C@1QA=9^ zRpWHlms%Lx0p=T|#8m0qxPE+);%vUjp?r!#b)nLGS^ex^aj0Q7s*U#LL7U~k)bS>j zGalFM8u?(FQu1_qu{2l-*Z zR_V1XWACfvwV#0InE1)3Ke39b(_|5hiSaDFgifQoR|A(oGN)uSw=cgU`zL=vm?4au zdqyNFWbRnBRMN6N;E>Z29GQN<|I2yKgR2XRU;ZM+ssqaBR8C+!ckUc%6eysl1<_TO zo_Le$^p3LT+SzcW7%f80)f@DgLCqLXHm6k%_4Jpc#k6W5Sk!anA!s0`+s#|O@S0^# zFic}yO$V|pG}s^xx2;piw0iNvyw-fx@czCKl;G+-(#ul^K`gb7`t-JDHln3p95Kh0 z+7)PBV|9Hz?%2^eE<4@dtkgEFH@f-)dPs93chzqtB{ca=5rN(`O_lQ90mS@`V%Y`N zkI{4V!TBRGJff6c?K zU{}y`rZszmW)NWFZ6a)aby`A?~jj9K5?Iy;0 z2eDq2-Y)=fu8u@#&u;45pR7_6UN!GKl_U9pc7`KfV1wH=JFWUj+mhn!CyYb4O-k0E ztv9T9;l9kkz%f$Gi=17qcd6+FDP;~0^)Z3x%aN;y)kG;~vb z4-l~9EfQs*oqjhxyS|x94_Y6p&a-X2j`A(sz6|-Z%#|>MlXM5$5{{`URR7ZaGmZ7U z1Y+l0d`wxoLy$hmOlNdXmNC2Xn;L^Y!@lx@4q@LJb6antStdTQ{K*$tO}0L1jXS6A zWEW?*#-L6A^x2ILJwXQzPYh3>lKYeR;J<%tp@;%DT?B@XGwuIb!13P)d@|{E_0}#} z0x~Lb|4)1V|C*G0f}*>%i*=G_5DNU?yrF;kMgPTj&JyP?A4sN1Ii%42$;|Y>e=H40 zeffY;!FrMLuc;OnNjZI%%%Ykq)cyG{dEXu<%CqDhY- z7g=BhFy1~vzM=UKmHGa!|2d5FWcSSCYwtn-+Yu2FX-;LewT1w}_e}G*5%#~rAbXTf za+7ziMzsGm0uq-O&YygTf~2=F{P*7fzc0wYZWh2|wlv;OI`N&XV)}P8{l9kUfBmCB z@-ndfu7A$=|4Xd#?GwJ==J@~f^wpQf4Y`Q|rqWYHc~zxGv$o-Cc2%{mtF(8n$!bg| zv!wr5+9JB659_8j`B6#XD>2$i?Y%Xkp2s~ulg?f~aHnW^NOAUpum9u}r^48n!4?&l zK5?`jdMhQZ`?P){BfIG|CCTSv6BQd2gW9)upg-;(_2G6NI}MeTlw`kktNslP$UMi! zrhvS**482b#aOoj63ORxU2HhBJD|e5We1cm%he4OkG@|o(R~ocYnGo%ofQ@m`76D5 zZl$l{m*P~q>t-cfMa%x<%VdFryAxof{;EP%l%K& ztPk;5p-X&?{n9V5c2z2U7Dn=Px)&Z@xC<1MA8XSwo%4Unda%8*@dZ%i`VbUSO3n^o2kiRBlearhB5juYS^W zwElACTv$IlKgaOc^3Jy2#+Iy7r^QvNI`DNwhZNjO`5f$XRKF3g{LP_<&3*p6# ztM;#;q}Q$DYWb?_-F}M~IX#7pq;)iO*^4B%5xEhC?)|Q-u1y7-`9am=(0OUNxi{x) zeC}d!llWs}lM3g~;6APKa!(z{Yu7H{4(78xe{uf$O3V>t{kjgXS=WiH)`+r}rvx|U zsqDQ^q@EY9(_ldk^NHD}fkn(UNTG+O?*eDcPx)~mF%X0#+i zrvTNNGov5;YV?%?An0&br|TpHQU!FGMc6SZ7h!W~a_d&l5XTnWL&DZnBaTt$^$^fr zOd}{A7j_-4Sm~lL#T>Lf6EM^j88FmYeE!fQDIcZ?Z)-%C$UUQK?OqW#DXew)p^keF z?8Q#-9CSZ_#4~$l{`!NN=czE1r5&(#lh^J|Y=!A2Fm43}Cwb&mg7;~8=5sH=xlh7j zjVmiFq)|YE?$LbzVk(8eT-bN)SL&s2p`T+q#`iqtLr&5Shbo*EykxQ3CA%@zZpS8E zstZVhv3XmUg?x>;cfKq2o)pq}P6FT6)9b=-BJNaHGHt6K8)O-#xOW+08`H?T#*ewWXKqmp)-s zhge3rLg|8%l`RfL=&c=WVoMxYl^Ua!wqU48&Fi0Fmz0m|ZH2|Wg)FV;60&Gk;oJ-Q z6+r21YkNE1{f5Zx+kkjt-F7x31H%^V=OA%$m`EhXrKR0+6S;d=cEC79+sKFqTj4YW zzY13?);9=*_z4)7?SJs24d&jqql2 zvMW4$^WD2kkCXVM_yJ~RB(dCdQAqu^5&oM@o9Ds$ozl^rY~dvPGf+$|-vriNa(o%= zRoxzcK4%GiQU7ZdCpb9Xt**+rmo(HV#e7$= z=|=$h;(R@_w`~%UO?}+lFYvidobq2ASZm8hIkxOlcGIJf>=iRT>XH+we!AMwcwWww z33{(f)Z6_s^%_Y|uebJGLD^o)S`vb8^BzoUQ=T zlp~ROdB(Q*wt^sgk{|M^{#O*i^KC-T99-y*LwOdP@|U#w7hJrZks*h0c2ti`lZ7Wi zuTSHf!W;91XCK%i8yf*q7U*hnR#}x;@v*hq5?XrQpx0 zp5s4dX}2WV*+b&Klo*brB8)H1=HNjcHPxe|RmH{HOH22+l}s~(+FM?`ZCT~#bAMqX z+!Wv+dV?@bO)Bb|xEDKj#$`y#YPH8}y*G)mElDS8#Y>ZwfD4?Qyqq|d@slFa?9zXA z>ih?%Q0MmwR{+{1<&NXrFm5Lk#OsE@MJ0r7UK7A{R8Ul0aCGMgNwF8vKCq3UijuG@)|l>xUh+JhAz? ziSp-YZzE>-T7GZXo413Ns!kLA6>|wcOlIk$E_3X8Th!^5wA&rdply&2sL=$w_Gfj~ zwgNd1qUGkLC!G_*D^L<^aE!*sElD6vH5 z(RNiB|6DeB&{^Vwm*1G9Ld9_KoW|#dG9sQ78Xr`8fe}!uP;c(X2M2b-cHP6qO`{@K zhmM5W)p~vJC6rEkx0A2@7sO>3w6>8ZH`H&#FfX@b)eF`gZdZ289XR$N<7w%fiVcCn zMo4t1@Hp>vBiFpn1FKX&Lu2SRW#XgbFX3q>&NjoU64q|@sWIe*Ll}20nM@|p&d<%+ z#)uoiLl$Rd%((MDqq-8dMQLbgtom=PQc;x7h4XtBo5_|N*9mc!wlF2uy($~2Sh;q+ z3?wAjJeMRjxZr`W%PVe5f^O)|bofCDxzw$L1=%B}5U*#X9}Oyxhd>y^ec8>e4HpIy zXkSSo$-1<&w?Q@XcB^JtL{&lRHXGdweR}YY3f1F$el#ylH6o4iBnwaM_oP9EW(kM_(`K@T5`n-F~XhTZBpc z1k%HIw7*BRHPkuyNgsfFvF?>D#|wzUr2U`jtyl0#Kj-7)Q&3Rojng_g4kRJt;wmnk z1^bBQtazy~3kwU^__A`aNcu<8UhPbD&_(F1IvLlQ0Pa`sK5*y7g_}6hTw#b(Dw`~# z&SJ#8>o(xm*A1r1*ajRB*yHz)*J6jCzj)*2^SC?yDHI;Awb#DH1P|Zv|3Wlul z#-hLEflfQ8dll^*4k}N3{c0eUc6jm@n(t$(Q-rr8 zzN^~;TiCt5opHC{TzBb$s7v!z$pbr;lBJG#?*MvgWD64)ck7q#SZPONXmhOryHq*P zW#}lEunl+*XtY>cuVA$har2vk-;{CdFiL-5RQ-yq`Sh>=8=J^rYYar%5bPXOW&IXI zL^J(qaPc1=KNI`Od7FXEGJmpP;=q8GKz9P^c$0=4@MGK(v{ejsyj zC^K-4;29^E0^ZIkkv%WUs2uPK;|49B=Gt4IMrUV_lqXbG#HAW~?Kp)lk{|`EW`@v) znC{kL^-UmAZG7flj#jmx z@8QMc?bOR6+5n^^9!YcYBHgw|L4N*A7z`#B?*N4%krPZ?MB?>rSV4gxT1y`EHZ&Ab zV4wF6HJJW7@w|wLB?ae$8)g&Yc24Pfc@<^3inegZM(G}TX=$VLHGcbhDsF|n-uRIi ze)~5`dc``SU>~24usiw2+!BUB7-a&fl+%9TZkXqRZnoFkTf8K?m%jrmUlNc0%8-ZZ zsx<#RV3R(BFv)HYD$0*(4ouOZ5ZWQM?IS!>czN`1j4JP&IDbXua{u(d?KhX*Hb2XW zvxHfH2 z(Vn_8lCN`7JLV(Amm(`Yy?M$I|05JDRRZ>yIUq9P9#zX9)ak*I_K#`cOD)YeR*&Z~ zzOC;CP-6VEQ6R4abQy-FIygAQ0NtrL1(IogE13cm4lghmAN4%s#%(}EL;qIcQ|XYMQV;aurVa*GgFeP4JL7fOQ)r&h@~8XAT2;?M7~r~fVx?EQ*oE9q9W-n$ zAz!DT)2}Qi5M^~=)QX~qI9rw(lOrZ|B|q9Rp^jQ*pAXFvqZ<|G47V@L$Q$Scdh~bS zi~+;#+So*L3r1b_+ukU2>%KO|=WkA+X+*@`wSYfH0IEC~?dTHZ;1SD;`_rY_8k$B9 z0`9Y)GihBbs<^0*w{8#b0pPUQ-i@fJsLm&jfPl4jOlfOtM^_LHlgO>R@?isY17y0F{2oTk4HNN+}K8=N5YQ&6X}u zURCkS?FO^P_8Q4&g%tHbAY@vF|2)5CTPt*4m)V@a6XBU+Vjg+?1?-eY>4>@KEpKX76MH&~%fQ5kl`N1l`vgdt{OGC-{! zkAOXj5QhYj#rnYJe>(T{H@96x>hyBIDH`qONs0y_fve2p^h{cG;LXiV@nqacD-gM= zPvLIM27djaVq#*FsH7!01r*5vQB5BjBWZJ}^lI>6=duM5X;<3(nCSUOVyWA$RBmInByQUX6df_;6gACPXR^$wijjcUBs7W^@mmI{)moTys{J#Ath{Pn-^@{%JNV28BBrEHKj-_eCl!UPv0_S&bt`lP z&pA7d6!}Z84Ca=g zfPnZ+78VwM-(Ba;;f2#@&M+9AqoEmkm*^19&1R^lXOp6t49K%V9ta6(17K)Vceg71 z?dXHq*;$~^1qTQO`dyJ@EZbxfm4SPs6@jtl{<@DoIv5stvnyps&gFfN8oVwfT+xzH z)MtSXeBiyi#~Msc1OGtJVfh}xbADbNjd;+eaf{k9vfUp+cj=eGT3uBSb#A0;;eXw`ecxUIbC(x{x8^<7+ zg)`{KOT5`tA`Otd>Ad{O*&ay zg9Ts6_m7W{cZza%U?1(m3vH~eBY?nCJ`Vr%RR!xiZ|=)4@g@|2k7fB5gGmmJPg-8m zO7sTNxtD>X=j5ML)%fV8c9!bu&$jL#~>x`f=G48h_I+v@tcRfFs>V@ zuPP|7#F9&Rc8-}gL8qVifs-QlfUk~$V%~;o8;xss_KVCN4xfLS*l)Z((q|gkX(zz! z*fu_{%+bvPOWj=G{*qO8ueI}mt4KxZkLv2@n`J>(2D2t^^-U^9%KHq)`U^X{Wqldk zdt|(1287ESp&YF3rH4PW}oQ_cDwd6{c_c zQ&+xWPIn?b*%F6sSAF+BBfF$+yRBhq`seg1%QazcevF~hcXtZSZ}H(;RjUT2tBRbw zQcnvjm&6kD+L61@gq%iS2{fNPrs+(6uJ2VYt18L#d&tShr#b*H1=1EAk&%(4XrP-* zYsVX=GX(pK?p^Ke?S}HqtP;bXbb=V4vWfE@U&VhKvH{-R!8~7TBAQto3Yq1cW?jgn z={9~i%CXDH%*q`Q)Fy6h>X{^Vr(~zSm>)m#;}n<= z9e|Uo!IkaaN|v7)#J?0EMKm9TBBoaed@CtZ)3hlME@q34S6j$g_>1Du*zRT4(6Ac$ z{i0dY88r0l6A(`FHOV5`F$Y$yTXe%-i^kY%0M2cvT^}XMSADJ@UYiAl+Ycf|0^B%2Y-AE zr;xnQ2`IjI^iu+Av`mTsleTSleP&xND?!b`;J%L`ZvU*hY%x{yZWU;UylIVhef4(SzXG)!bi#rA0C{S$=MFB;12h)fQ znWnDM+)oOYF-C$`fWK^|84l2!Ky~)|b-3DYuKAGbtC?#4mFDeKbCP#CMgsXeX_MbD zludqb>dWs|ql0pWNtQ;9K)~FqufW+8=gd^D)4*?iuZ~JgOf;-oaLRz~dSIlC$TV)B zeFEb(uP2}ff4f#yhk+IB_0k1p&F)&!zuCcQ0&EzkWz&|%Od&PO@1SZf{@KlHL{ua-9ba+OMi|A9oRr$ zzhe_njr+}kXCZ>nSggVGa26hAW#!*j%J%m5^vVjaEfi>IZ@Hi|&L=EfQRLVz24Q<> zsaTS$hDt#)}#RhC!+d-xTHfl zpcwD>z0L2o@&bY^{tmm8glr;CviLVuj-tHH^6Z zoNnS>#$kyK_Q=p6pRv@#B0u7M7YX4PKs`;K8p2!54ANL&ySmvqe7+{R{uI1Q_oy+O zE)KF;mc+l$aE>~pXP&QWw>yKI=!o45*m(eEVS9&av;7C0&pcDiRj@KJUFP`+R_pM z_;o?^HzhnMO6Mzd1`7r$s_86}p{gE^E%e*oFjzjUGeKBU3T%}*e(KpXs!u-3gEAFi z`fhH)5*|)qjJ~|v!9krIWfZ1e4?Is{1onWUg@(sLkGN2-ThB4W?S{e)z1m@0K8P?;HYb8q!t~2o>CsPI zTx*JhcLr=t%x+11eLSw_myV94lP1^j*Q2(mc8mAgph{$6>kZdkr04wYs?|B2?W!;i z-3R0QNKeB|GwY$gzC9n9{`X!j494j5gm|HY@Q)_{T0Sgn0JgY(-fv|ZMCiX{ zL+8S}i|6{1vK~4x5c{dglu^sk(Z)V?Os*)e3jDN3So)ygfx#Xh&ojp(BXy9MG->(D z-bNxc-qXRRcs$Wt2A_LteU&Ai9ajh$newr91TaD0Oprn$jJFs$u#BqMdg{HEcRnkB z`n%|0F`z`8Wl&eK9REEE4jNXOAbqI-R7>l)C*Y<+#b_a+Pu2inW6cyYLp zmd~AYc#Q?x3jy2&7cr-_6lYJ*sNpQS5n8g#bzeeADVq;mbW(cNrj=|uFWnU(#&cRcA_2fMe;PYgq7eC)PzoXdo!@(!pR)>CPV=J<8xA-cp<4mN8U6amsylU0kol!SsUV_;S7tZe?>!Pxj!_sj`ZtouvjLf;=_$2 zi)D6@UWE0QdI9mvFC=D;*mi!UE?MoM{NT}q-NqmJT|qK3GPCcq+Z{NJyhr4|#3efX z6<*t0YO+r?f21g2EcH*WsnPin>s&LvsL&s?1GrmG5d^d_pNeV@OzI|fuHR3IE)d63 zOg5X+>2LpP-jFr5DO^=w&?#^u#n0bpUtCQTF5uj54GQDbuPAJlHYf|7S~bY68@xyILB4tK?I0)Pp#ZFYdGdf`S+!Kul{y&_0@rv zH^={e#r*-(^gqe@WX-c4Vs3xqA2aYTngW0Pf_?Q6V8t?rq;hwEIG)M=eYPG>0>I;? z%J7hj$2Gyf4S3->upIB#HD}}hz$E>LnK_dL#OWuAk;Sk7n&tR$4_JaYsaZ9~>bL~NzsE(+zjxc1d~@JmvwhEG0?YAZH*e$R zU$fgzsnomG6Dorkceb{o-@ZMu2}H=YHa378#O(g_=g-FRI=uZGJ3DxEY^<36Ps@(Z zPGyQyr`UmR8V3gl&j{%Nal+QlPOjkTaal`$n=TPQ$}^C)q4svA>6saJpdE+S+Mu<# z=Sp-!0>ezt)c)F319O--gJFeZa^`Ed2lwv1cpl1NQ5po$YYuCvZ>@4?c{SbBaDB@M|W8rosPwBKePZmp03+1`30?%{sV;L@wd zwa5B2+8bp*Ojuc26<)lEXlZFNBd6z4qqw*5`QBb$EtM`a&jKRxczm+58PiE||JVIF zAA@p&q*madvciJgvc!h^V%o0{cV6BUGp|Pa6KdkF97uYwQhNTgP~^`YTxUMir(GbQ zu|C;SY=+($q3RhOtRn&n+xT&xb1P-azE>ucQ-;o(spV4@>~ zrX~S>_pfe?|L^Cu(7oz0lHJ(nS}7ZL6n2I_f4+UFPJB1^w1==$bs#l8uL|Br-r8X%9on)+g$wSu2h*z+6?rhdsF;Y$&X(h*4&JtSclWOO z&pd#i>zeV{<~8x4!+vCA&(+4!zNAXo`em6%c)7Fh$W-~;x=~!Erb=}5IkT*X_vLpA zv22v1+wwI=&Oe%5+qgEfp-zw@FJ#pDH)Tb*tO92Q!o=S{KW~Yg0UNU!z&iL}61}x5?)*T(o4+>;c zj&1%X*4i;~>o?~tuZj?UN2I#>h9<6JGOZj3r&lV~0#!h811Zg6#RMxOMePQT%>?e|2Pf3SWG5Lfv5KPiEXTljG9je<{fJc z9DU}TuBKeJDjm_go_ar2|KYBQ@S#S?L-?bo0d7S;zlc|*UB5ocLIKR@6mkk`^=<81 zJMI%Ty+K99!o4a&6I7pOWDB~n+aQEqdO`_h6)}q(-&H-@)=~F2z(|p>{Uv*)May#` zDFT{)TQxOX>uu8-d;4D)m*;X%;vop&Tx9Jseh|D;rTIMdaeKapgQ3@8=g<-nOPZxN zd*KLPOr5KhPI8Ms*ov2D=YKRIQ6zT0u+ETw&@n>T@8~1>r4Z+S?+>R{-9jomW{1Tj z&DG1>OT*;#%4KywDRxp zznqIpr|`xJH?85~r|^fPah(kfvNY?kTSYb6CowT|nV>g<38R`o4{DcO6b-Z3z??2~ zE&@|$eM)w62{i`rz6Cv23MhR+_Xex8RT%hCzIgANo}%rf;n#VtXvXeEI^P0xxQ7Yo z_KJeIcdN`zw+(xN4!gR*nw@bK7U5B!mT%A*O(?(tXP|v1;DhrDQxTio3!?v(xO}Pkhcn8v>|Zf z$w$l|@6$`cy4~nWAiSL1g-CBs0ZF)MTmBI^Lt>SD~^bw!&<}b3Cy`83=1R-;uTlq~^Ik zL!!mNr+$mJk(@<4pM6rx^u8avDsI^Lb~$h$@<0ys5(T@-BinN<$OB?~pRSbwyDn%+ zGNH4fUvtiQT>G%BxX{?uBddL?F8=Bb77nf%dGU)1jNlMOg=@h(n`KkbRHbqc2Q9@f zNpD7)G6q2o2M1AGpMLJg znnUc*^THL8ZmN~qNYdcWzD0iePeebbi8&K+Kg9SVHcVV^Sw&f59<+XRyUHrw zmt;1s4mR|iV(m;1Y}Vg<27jCsU-xuh@&?SPM(x{65mo8bi~>Pu*Tqrelt=U8_*}*2 z=W@RiM)^moz*WDPC)l6*NB#zDb8g#M;U69IOh3zH2SiVj2d5$Xc>OTn z!)Zp3M2XkElp0Ck9wzDea=aX+4@ff|XXUgf-HP+9mq0l+SdQ$r@>h{t<+oPfQPYP@ z*~Df+YqV4Q$A;M$r5w+HWw@T~z3Hxhue?BJE0zx#JNj91X5bN6hgZ+Qv*kX@`-Ohl zYK1$alpBm?8NpJzaz8Go@F;*K&5_aMZjE+fY~s=3SHE0}`Ub0)ks%1id_Ft~I#Ii4 zdG=_zv^&asQzb^874l3wf49wXJR(A^>WD1e26(ESZgD1lh?@t58_Sa3I~dC~9ZKJd z<=w{G!Ww2eHEqIp_-b5?opD)}VQ6PkwVGnvM#nn9@!qrFlQwViJi@%IF2@A}2@jvk zUQ^!0MT{#(&JCeh7xoS%H9>am6(uI%=a|NLRS&?$kA)CH9Rj7ownT4ZEfB79VQS7W z(``FD9H<(=?Cj>CyRXra1ruDciB;OXb!)dF3uFDO(HOi*|EcC?Cacvpi_M+vjSVcS zhx|&WRFp8oN4{gj)nE3iWJbEG^`l~pfm!JbdeOp`D&5dys6lH8QQ2jG^+r3$^mZ<9Ap^Rk$_`Qxg zsKa!?DU4@KbsfyJJi=c$t^f)LIJMlzjP4KJ2;!eP5a=X7SsVZjwFG;PTU`gJ#kl>$ z=Od`s!Ts_ICWt}qEv!(%J#kenIg3m=4)z=4Qr;#=-}o_4oaAV?7uG79`)IcOv^jV^K4gme>-0&%ljI)>4ywmHcyOPsL+Vh-FdD|?5{p3gvag8H(u zp}r)H^s)@9*?Swg)sBh}dg_105?AfE#3lSGF6WAFMT-ERF;Jj{NU5rh9fsaHItD#TJ$aFoenyHN(RF;Zt5C+ z^^wXz&*L5WPbPJ#)z&L$A)rqcWo24GeldW{WEFd!8{cE}@E)mTrlph6j!cl{7899bAhjxKkrF&+u zxovfkS7h1vB@`r}XE$I?T5t70oghAd3(oVz&LCS<^z}RMZXR)|n56`b&EXgon6~?n zwQ}dhFE^y0LlL2R5TKz|TnuaMLd)aBfu4bzC9m;8&DknA>4W9hIrCx7pZKHYK_tY(Cj7-{d?Uq#(z^<7J$C)YjYt=r<4ykJ-N zYohMvMvp8}!PvNPdrf_D2&3aJ{suogdp{?|H?t$rtuA-cNv9JacPxpWhGyQ?>})S_ z6^e)Gh@bmShJ(4TA(T>t!o~4yjiEq3(VN!{=V^JQ`^F;&@M<%Ti@VmjGZBwwJ&j-q-{GYi-NQFun(B%1<~Q%8XOG&sD=r^!h0EpC@Coc^kL!AIkL9a z93$3wQS#v}!!L6>Q|P*n2g%sL*{+yMTw@&C$#u`C#A5GZCHazGP>JlDEP$6}ZvE zKM%>{Qy}iFKut^4&M4lZH$w@LYQq=Q-VA7HN|V>4mq(&_p$9XkT-RQuGPygj{@xU{m-`d#}`ENW%zeRus-ULtgXuuA->XyW9r@HQSO{0Ij#`W-Q3jhr{w|-ST8M+z2}YY z36D9K8Y8e?J)McdOFzhq{Z^l;_oNTEXkBMQD?Y*|Bwc@5drt)nnU7Z^Hd^k|C|Fno zxQtu@>tGy=9DooXI7J4N$N)p9eK0vS9{n7R=1gnvaq^Z!K9kE@h--XyDaHt_eIu@B zD+LgV0%!+IZkR*G_HcqHE?ZgP+MI~pyq0uRfb*Lh+WuUFijoNK0a2+y|jvF1_`P>eiAcclrQzIMW zp17s%0za}m|-I9#2Wa-|v4;4OUs8lCTpq zc>Afl4CovWAD{4iu9}md9}+-fel}p=#{~ogG(TK@{~~SK*U*egBg5IA}x0#N8d*AwS|$`~E_b_DwjyLdVsy+5t2Tn>$>_i1%g zJ<8rrZ}9Ulu4&rs%~7y^k>B9mbp~+jzUKUFxXR9B;T&KZ^bblG{xjUqR7!yPn74nL z`0qQ&8p!Q^c4wam>jyHsY@$_?5A$SD+{4&nx@*_I%BJXN4}Jgsa8uXa)YP;Qhr==5 z-L=!WP~8=H1aXw=|DdTFIVJGzD?pfQoq67hfF8YP3uVTvM|Zj?%Vm4}{`|Sw>8F#t z@owks-bX#nrc7DHWW2rww*LE$;($?sa8EbR1Ka5{Nz9HTNhuzAFZ_;zQf5>OfvW!_ya6EWyoB>=vW|;y2JffhSV#_23IkKG<=(DC{ zLGC5QHQ~C~J!gK6=(Gn|9SvF*)XIv_KIwYywu}x=jhMWJl}>n-G9WgCPU2l+d3?+{ zobt%CY3?_Prwo97VANQGnRHFFCkUHg#6@EhC!ESi`O%xi=StCSu7(z)Q^-uYbW zx(d`mG*eeg^k`f86K6NGsN8)Idpn!~cT~4w8V$T>HQ7mu6Nf@+G1%J5QTl6ghOT12$iA`$MIx6_G zI#|c6Cz|*scz9vz%Qa~gfR``t3sj~cFw=biljE34tP4W^PZJ8?P`Ji#D(0CLPA2q8klJA_yZgO z@4XeO**58Mcn}nm$sT$$59LGps+8)b(%hMN*H}u5bT$1^Z-()6P2!tt2Rt2Zk<&>M zpI)jAp1xS``w_<-s=FDE#jsoZ?T?pH_~Ze zVi)e1_Oo2NYWn7(F$;?^zsqtwshu>pUpm+tk=2^fK9=|Ao5 z=9hsItLYNa(f3m`_Q79wZTg8?BD#7KqoXX1@=zh7r?w>}#>lv!Bd1kk86XHaapLIP zqVApIAI23KYITN|r1FGRiMjOTDjLVLcNoN!weotMT{MPO2))|DH$ z_deq}mFF(sdh+(fNkEVGkA3r%(Lc6I@7s=!!c{gU1C5hjZ??4Ly86g{_^bpcRaI5< z(viNE5`5NYC$VH+?Y-oKhk8VS!5Z0W{>{i~Lzj3|RBxS5u@zsAWQBfOsaXl{h{Iij zC8!+CDbADT8(SAfitk@q?Tq$_Gva*2wh7r@*?%-F{ctuZiV8(uBkgYXM7EAc^7#^R zewC8Q{Wn%4rHf+C8!<#Jn`K?32fW5{WJAS%c+K~Xr?e*5fz7@!(#6T%XWxHeUs5x7 zLtJBr>|9vQ)@$gPYrm|;yno4;-l>lG;=;waBhB|&8IGj-E-#zS>XtaIA!g=+17)Yf zUwK}yXP8|w)Cwv!@B}4vm=Ry<&U#86DTXCM9^#`-8Lm&$Uqtt@ln&PPT~mIRdpQU)4^mV~=^?&8MZQoUPH6 z)yAgh=Is1^H<8<=^oxPUy70O(_a&MO7oKS>dU9-PC7`a5YO1S0V_#g&pv`>l7|d&Q zHLjqVWAwVwwalu>7M8`(iH`1G=<=#4c4vCF-E{UM+|)Sz&UQL$pG(9*UVkQkkXf)6}CNF7-@tGq5aAZgRPxV&c1COWXO8YdtxZA=AWQ}VtNfA7(>!qbI@RUFm4RkqrX=AQ?)HJenBNbAVr;$p9r5l-}~ z(I4Bt|1#CDI4G_{tuibx{C=f@&?i!<(wxOobgAg#Ph79fnV) zS33wHY`>RC>~c%!1-Xs>Kfl%R6g&u)wB0{Fz~9&V@%y)pI7<-=@bAa^<0tGtUhZ

Date: Thu, 21 Aug 2025 10:44:16 -0700 Subject: [PATCH 268/505] rlqs: Persist rate_limit_quota filter state & centralize filters to share state (#40497) Commit Message: Persist RLQS client state & bucket assignment+usage caches across filter config updates (e.g. via LDS). This is done by aggregating rate_limit_quota filters to share RLQS global clients & bucket caches based on their configured RLQS server destination & domain, instead of creating a new global client + cache per filter factory. Now, the TlsStores (global client + tls slots) are referenced via weak_ptrs in a static map & owned by filter factories. If all filter factories drop and stop owning a TlsStore, its shared_ptr will trigger destruction of the global resources & index. This persistence has a positive side-effect of centralizing usage reporting + assignment generation from the RLQS server's perspective, while still allowing for separation between filter configs via the domain field if needed, e.g. if 2 filter chains send traffic to different upstreams & want separate rate limit assignments for each. Additional Description: - The design for the global, static map came from the registration model for filter factory cbs (//envoy/registry/registry.h, FactoryRegistry). - Updates to the global map (removals or additions of indices) are not thread-safe, and so are always done from the main thread. - Additions occur during filter factory creation, if needed, which is handled by the main thread (e.g. during startup or when triggered by an LDS update). - A garbage collection timer (every 10s) on the main thread handles removal of any map indices that are no longer referenced by any active filter factories. - Map indexing does not account for differences in gRPC client configurations (excluding RLQS server destination), such as differences in timeouts. The global RLQS client will be created according to the first-seen configuration. Risk Level: Minimal to moderate (thread-safety warrants scrutiny but changes are to a WIP filter) Testing: integration & manual testing (config changes + filter replacements shown to not interrupt rate limiting). Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Brian Surber --- .../filters/http/rate_limit_quota/BUILD | 22 + .../http/rate_limit_quota/client_impl.cc | 5 +- .../http/rate_limit_quota/client_impl.h | 18 +- .../filters/http/rate_limit_quota/config.cc | 53 +- .../rate_limit_quota/filter_persistence.cc | 81 +++ .../rate_limit_quota/filter_persistence.h | 114 ++++ .../rate_limit_quota/global_client_impl.cc | 12 +- .../rate_limit_quota/global_client_impl.h | 29 +- .../filters/http/rate_limit_quota/BUILD | 28 + .../http/rate_limit_quota/client_test.cc | 17 +- .../http/rate_limit_quota/client_test_utils.h | 22 +- .../http/rate_limit_quota/config_test.cc | 89 +++ .../filter_persistence_test.cc | 527 ++++++++++++++++++ .../http/rate_limit_quota/filter_test.cc | 1 + .../http/rate_limit_quota/integration_test.cc | 193 +++---- 15 files changed, 1005 insertions(+), 206 deletions(-) create mode 100644 source/extensions/filters/http/rate_limit_quota/filter_persistence.cc create mode 100644 source/extensions/filters/http/rate_limit_quota/filter_persistence.h create mode 100644 test/extensions/filters/http/rate_limit_quota/filter_persistence_test.cc diff --git a/source/extensions/filters/http/rate_limit_quota/BUILD b/source/extensions/filters/http/rate_limit_quota/BUILD index 09bfd31ef640b..0437fb46f8237 100644 --- a/source/extensions/filters/http/rate_limit_quota/BUILD +++ b/source/extensions/filters/http/rate_limit_quota/BUILD @@ -39,6 +39,7 @@ envoy_cc_extension( srcs = ["config.cc"], hdrs = ["config.h"], deps = [ + ":filter_persistence", ":global_client_lib", ":rate_limit_quota", "//envoy/grpc:async_client_manager_interface", @@ -116,3 +117,24 @@ envoy_cc_library( "@envoy_api//envoy/service/rate_limit_quota/v3:pkg_cc_proto", ], ) + +envoy_cc_library( + name = "filter_persistence", + srcs = ["filter_persistence.cc"], + hdrs = ["filter_persistence.h"], + deps = [ + ":global_client_lib", + ":quota_bucket_cache", + "//envoy/grpc:async_client_manager_interface", + "//envoy/registry", + "//source/common/http:headers_lib", + "//source/common/http:message_lib", + "//source/common/http:utility_lib", + "//source/common/http/matching:data_impl_lib", + "//source/common/matcher:matcher_lib", + "//source/common/protobuf:utility_lib", + "//source/extensions/filters/http/common:factory_base_lib", + "//source/extensions/filters/http/common:pass_through_filter_lib", + "//source/extensions/matching/input_matchers/cel_matcher:config", + ], +) diff --git a/source/extensions/filters/http/rate_limit_quota/client_impl.cc b/source/extensions/filters/http/rate_limit_quota/client_impl.cc index 7d95b03072006..8731678923b93 100644 --- a/source/extensions/filters/http/rate_limit_quota/client_impl.cc +++ b/source/extensions/filters/http/rate_limit_quota/client_impl.cc @@ -21,11 +21,10 @@ void LocalRateLimitClientImpl::createBucket( const BucketId& bucket_id, size_t id, const BucketAction& default_bucket_action, std::unique_ptr fallback_action, std::chrono::milliseconds fallback_ttl, bool initial_request_allowed) { - std::shared_ptr global_client = getGlobalClient(); // Intentionally crash if the local client is initialized with a null global // client or TLS slot due to a bug. - global_client->createBucket(bucket_id, id, default_bucket_action, std::move(fallback_action), - fallback_ttl, initial_request_allowed); + global_client_->createBucket(bucket_id, id, default_bucket_action, std::move(fallback_action), + fallback_ttl, initial_request_allowed); } std::shared_ptr LocalRateLimitClientImpl::getBucket(size_t id) { diff --git a/source/extensions/filters/http/rate_limit_quota/client_impl.h b/source/extensions/filters/http/rate_limit_quota/client_impl.h index 1d17e88a923da..70fc2df48849b 100644 --- a/source/extensions/filters/http/rate_limit_quota/client_impl.h +++ b/source/extensions/filters/http/rate_limit_quota/client_impl.h @@ -31,9 +31,9 @@ class LocalRateLimitClientImpl : public RateLimitClient, public Logger::Loggable { public: explicit LocalRateLimitClientImpl( - Envoy::ThreadLocal::TypedSlot& global_client_tls, + GlobalRateLimitClientImpl* global_client, Envoy::ThreadLocal::TypedSlot& buckets_cache_tls) - : global_client_tls_(global_client_tls), buckets_cache_tls_(buckets_cache_tls) {} + : global_client_(global_client), buckets_cache_tls_(buckets_cache_tls) {} void createBucket(const BucketId& bucket_id, size_t id, const BucketAction& default_bucket_action, std::unique_ptr fallback_action, @@ -44,24 +44,20 @@ class LocalRateLimitClientImpl : public RateLimitClient, std::shared_ptr getBucket(size_t id) override; private: - inline std::shared_ptr getGlobalClient() { - return (global_client_tls_.get().has_value()) ? global_client_tls_.get()->global_client - : nullptr; - } inline std::shared_ptr getBucketsCache() { return (buckets_cache_tls_.get().has_value()) ? buckets_cache_tls_.get()->quota_buckets_ : nullptr; } // Lockless access to global resources via TLS. - ThreadLocal::TypedSlot& global_client_tls_; + GlobalRateLimitClientImpl* global_client_; ThreadLocal::TypedSlot& buckets_cache_tls_; }; -inline std::unique_ptr createLocalRateLimitClient( - ThreadLocal::TypedSlot& global_client_tls, - ThreadLocal::TypedSlot& buckets_cache_tls_) { - return std::make_unique(global_client_tls, buckets_cache_tls_); +inline std::unique_ptr +createLocalRateLimitClient(GlobalRateLimitClientImpl* global_client, + ThreadLocal::TypedSlot& buckets_cache_tls_) { + return std::make_unique(global_client, buckets_cache_tls_); } } // namespace RateLimitQuota diff --git a/source/extensions/filters/http/rate_limit_quota/config.cc b/source/extensions/filters/http/rate_limit_quota/config.cc index eb005e4e5cdeb..3d88cec22b381 100644 --- a/source/extensions/filters/http/rate_limit_quota/config.cc +++ b/source/extensions/filters/http/rate_limit_quota/config.cc @@ -16,6 +16,7 @@ #include "source/extensions/filters/http/rate_limit_quota/client_impl.h" #include "source/extensions/filters/http/rate_limit_quota/filter.h" +#include "source/extensions/filters/http/rate_limit_quota/filter_persistence.h" #include "source/extensions/filters/http/rate_limit_quota/global_client_impl.h" #include "source/extensions/filters/http/rate_limit_quota/quota_bucket_cache.h" @@ -24,15 +25,7 @@ namespace Extensions { namespace HttpFilters { namespace RateLimitQuota { -// Object to hold TLS slots after the factory itself has been cleaned up. -struct TlsStore { - TlsStore(Server::Configuration::FactoryContext& context) - : global_client_tls(context.serverFactoryContext().threadLocal()), - buckets_tls(context.serverFactoryContext().threadLocal()) {} - - ThreadLocal::TypedSlot global_client_tls; - ThreadLocal::TypedSlot buckets_tls; -}; +using TlsStore = GlobalTlsStores::TlsStore; Http::FilterFactoryCb RateLimitQuotaFilterFactory::createFilterFactoryFromProtoTyped( const envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaFilterConfig& @@ -47,32 +40,6 @@ Http::FilterFactoryCb RateLimitQuotaFilterFactory::createFilterFactoryFromProtoT Grpc::GrpcServiceConfigWithHashKey config_with_hash_key = Grpc::GrpcServiceConfigWithHashKey(config->rlqs_server()); - // Quota bucket & global client TLS objects are created with the config and - // kept alive via shared_ptr to a storage struct. The local rate limit client - // in each filter instance assumes that the slot will outlive them. - std::shared_ptr tls_store = std::make_shared(context); - auto tl_buckets_cache = - std::make_shared(std::make_shared()); - tls_store->buckets_tls.set( - [tl_buckets_cache]([[maybe_unused]] Envoy::Event::Dispatcher& dispatcher) { - return tl_buckets_cache; - }); - - // TODO(bsurber): Implement report timing & usage aggregation based on each - // bucket's reporting_interval field. Currently this is not supported and all - // usage is reported on a hardcoded interval. - std::chrono::milliseconds reporting_interval(5000); - - // Create the global client resource to be shared via TLS to all worker - // threads (accessed through a filter-specific LocalRateLimitClient). - auto tl_global_client = std::make_shared( - createGlobalRateLimitClientImpl(context, filter_config.domain(), reporting_interval, - tls_store->buckets_tls, config_with_hash_key)); - tls_store->global_client_tls.set( - [tl_global_client]([[maybe_unused]] Envoy::Event::Dispatcher& dispatcher) { - return tl_global_client; - }); - RateLimitOnMatchActionContext action_context; RateLimitQuotaValidationVisitor visitor; Matcher::MatchTreeFactory matcher_factory( @@ -83,10 +50,24 @@ Http::FilterFactoryCb RateLimitQuotaFilterFactory::createFilterFactoryFromProtoT matcher = matcher_factory.create(config->bucket_matchers())(); } + // Get the rlqs_server destination from the cluster manager. + absl::StatusOr rlqs_stream_client = + context.serverFactoryContext() + .clusterManager() + .grpcAsyncClientManager() + .getOrCreateRawAsyncClientWithHashKey(config_with_hash_key, context.scope(), true); + if (!rlqs_stream_client.ok()) { + throw EnvoyException(std::string(rlqs_stream_client.status().message())); + } + + // Get the TLS store from the global map, or create one if it doesn't exist. + std::shared_ptr tls_store = GlobalTlsStores::getTlsStore( + config_with_hash_key, context, (*rlqs_stream_client)->destination(), filter_config.domain()); + return [&, config = std::move(config), config_with_hash_key, tls_store = std::move(tls_store), matcher = std::move(matcher)](Http::FilterChainFactoryCallbacks& callbacks) -> void { std::unique_ptr local_client = - createLocalRateLimitClient(tls_store->global_client_tls, tls_store->buckets_tls); + createLocalRateLimitClient(tls_store->global_client.get(), tls_store->buckets_tls); callbacks.addStreamFilter(std::make_shared( config, context, std::move(local_client), config_with_hash_key, matcher)); diff --git a/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc b/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc new file mode 100644 index 0000000000000..a0e865f2e969d --- /dev/null +++ b/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc @@ -0,0 +1,81 @@ +#include "source/extensions/filters/http/rate_limit_quota/filter_persistence.h" + +#include +#include +#include +#include + +#include "envoy/grpc/async_client_manager.h" +#include "envoy/server/factory_context.h" + +#include "source/extensions/filters/http/rate_limit_quota/global_client_impl.h" +#include "source/extensions/filters/http/rate_limit_quota/quota_bucket_cache.h" + +#include "absl/base/no_destructor.h" +#include "absl/container/flat_hash_map.h" +#include "absl/strings/string_view.h" + +namespace Envoy { +namespace Extensions { +namespace HttpFilters { +namespace RateLimitQuota { + +using TlsStore = GlobalTlsStores::TlsStore; + +// Helper to initialize a new TLS store based on a rate_limit_quota config's +// settings. +std::shared_ptr initTlsStore(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, + Server::Configuration::FactoryContext& context, + absl::string_view target_address, absl::string_view domain) { + // Quota bucket & global client TLS objects are created with the config and + // kept alive via shared_ptr to a storage struct. The local rate limit client + // in each filter instance assumes that the slot will outlive them. + std::shared_ptr tls_store = std::make_shared(context, target_address, domain); + auto tl_buckets_cache = + std::make_shared(std::make_shared()); + tls_store->buckets_tls.set( + [tl_buckets_cache]([[maybe_unused]] Envoy::Event::Dispatcher& dispatcher) { + return tl_buckets_cache; + }); + + // TODO(bsurber): Implement report timing & usage aggregation based on each + // bucket's reporting_interval field. Currently this is not supported and all + // usage is reported on a hardcoded interval. + std::chrono::milliseconds reporting_interval(5000); + + // Create the global client resource to be shared via TLS to all worker + // threads (accessed through a filter-specific LocalRateLimitClient). + std::unique_ptr tl_global_client = createGlobalRateLimitClientImpl( + context, domain, reporting_interval, tls_store->buckets_tls, config_with_hash_key); + tls_store->global_client = std::move(tl_global_client); + + return tls_store; +} + +// References a statically shared map. This is not thread-safe so it should +// only be called during RLQS filter factory creation on the main thread. +std::shared_ptr +GlobalTlsStores::getTlsStore(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, + Server::Configuration::FactoryContext& context, + absl::string_view target_address, absl::string_view domain) { + TlsStoreIndex index = std::make_pair(std::string(target_address), std::string(domain)); + // Find existing TlsStore or initialize a new one. + auto it = stores().find(index); + if (it != stores().end()) { + ENVOY_LOG(debug, "Found existing cache & RLQS client for target ({}) and domain ({}).", + index.first, index.second); + return it->second.lock(); + } + ENVOY_LOG(debug, "Creating a new cache & RLQS client for target ({}) and domain ({}).", + index.first, index.second); + std::shared_ptr tls_store = + initTlsStore(config_with_hash_key, context, index.first, index.second); + // Save weak_ptr as an unowned reference. + stores()[index] = tls_store; + return tls_store; +} + +} // namespace RateLimitQuota +} // namespace HttpFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/http/rate_limit_quota/filter_persistence.h b/source/extensions/filters/http/rate_limit_quota/filter_persistence.h new file mode 100644 index 0000000000000..0b49973fc476a --- /dev/null +++ b/source/extensions/filters/http/rate_limit_quota/filter_persistence.h @@ -0,0 +1,114 @@ +#pragma once + +#ifndef THIRD_PARTY_ENVOY_SRC_SOURCE_EXTENSIONS_FILTERS_HTTP_RATE_LIMIT_QUOTA_FILTER_PERSISTENCE_H_ +#define THIRD_PARTY_ENVOY_SRC_SOURCE_EXTENSIONS_FILTERS_HTTP_RATE_LIMIT_QUOTA_FILTER_PERSISTENCE_H_ + +#include +#include +#include + +#include "envoy/event/deferred_deletable.h" +#include "envoy/event/timer.h" +#include "envoy/grpc/async_client_manager.h" +#include "envoy/server/factory_context.h" + +#include "source/extensions/filters/http/rate_limit_quota/global_client_impl.h" +#include "source/extensions/filters/http/rate_limit_quota/quota_bucket_cache.h" + +#include "absl/base/no_destructor.h" +#include "absl/strings/string_view.h" + +namespace Envoy { +namespace Extensions { +namespace HttpFilters { +namespace RateLimitQuota { + +// GlobalTlsStores holds a singleton hash map of rate_limit_quota TLS stores, +// indexed by their combined RLQS server targets & domains. +// +// This follows the data sharing model of FactoryRegistry, and similarly does +// not guarantee thread-safety. Additions or removals of indices can only be +// done on the main thread, as part of filter factory creation and garbage +// collection respectively. +// +// Note, multiple RLQS clients with different configs (e.g. timeouts) can hit +// the same index (destination + domain). The global map does not guarantee +// which config will be selected for the client creation. +class GlobalTlsStores : public Logger::Loggable { +public: + // Object to hold TLS slots after the factory itself has been cleaned up. + struct TlsStore { + TlsStore(Server::Configuration::FactoryContext& context, absl::string_view target_address, + absl::string_view domain) + : buckets_tls(context.serverFactoryContext().threadLocal()), + target_address_(target_address), domain_(domain), + main_dispatcher_(context.serverFactoryContext().mainThreadDispatcher()) {} + + ~TlsStore() { + // Clean up the index from the global map. This is not thread-safe, so + // it's only called after asserting that we're on the main thread. + ASSERT_IS_MAIN_OR_TEST_THREAD(); + // The global client must be cleaned up by the server main thread before + // it shuts down. + if (global_client != nullptr) { + main_dispatcher_.deferredDelete(std::move(global_client)); + } + GlobalTlsStores::clearTlsStore(std::make_pair(target_address_, domain_)); + } + + std::unique_ptr global_client = nullptr; + ThreadLocal::TypedSlot buckets_tls; + + private: + std::string target_address_; + std::string domain_; + Envoy::Event::Dispatcher& main_dispatcher_; + }; + + // Get an existing TLS store by index, or create one if not found. + static std::shared_ptr + getTlsStore(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, + Server::Configuration::FactoryContext& context, absl::string_view target_address, + absl::string_view domain); + + // Test-only: only thread-safe if filter factories are stable. + static size_t size() { return stores().size(); } + + // Test-only: unsafely clear the global map, used in testing to reset static + // state. A safer alternative is to delete all rate_limit_quota filters from + // config with LDS & let the garbage collector handle cleanup. + static void clear() { + ASSERT_IS_MAIN_OR_TEST_THREAD(); + stores().clear(); + } + +private: + // The index is a pair of . + using TlsStoreIndex = std::pair; + + // Map of rate_limit_quota TLS stores & looping garbage collection timer. + using TlsStoreMap = absl::flat_hash_map>; + + // Static reference to shared map of rate_limit_quota TLS stores (follows the + // data sharing model of FactoryRegistry::factories()). + static TlsStoreMap& stores() { + static absl::NoDestructor tls_stores{}; + return *tls_stores; + } + + // Find or initialize a TLS store for the given config. + static std::shared_ptr + getTlsStoreImpl(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, + Server::Configuration::FactoryContext& context, TlsStoreIndex& index, + bool* new_store_out); + + // Clear a specified index when it is no longer captured by any filter factories. + static void clearTlsStore(const TlsStoreIndex& index) { stores().erase(index); } +}; + +} // namespace RateLimitQuota +} // namespace HttpFilters +} // namespace Extensions +} // namespace Envoy + +#endif // THIRD_PARTY_ENVOY_SRC_SOURCE_EXTENSIONS_FILTERS_HTTP_RATE_LIMIT_QUOTA_FILTER_PERSISTENCE_H_ diff --git a/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc b/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc index f666533d301bf..bcf38a5dfedce 100644 --- a/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc +++ b/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc @@ -54,7 +54,7 @@ GlobalRateLimitClientImpl::GlobalRateLimitClientImpl( Envoy::ThreadLocal::TypedSlot& buckets_tls, Envoy::Event::Dispatcher& main_dispatcher) : domain_name_(domain_name), - aync_client_(getOrThrow( + async_client_(getOrThrow( context.serverFactoryContext() .clusterManager() .grpcAsyncClientManager() @@ -63,6 +63,8 @@ GlobalRateLimitClientImpl::GlobalRateLimitClientImpl( time_source_(context.serverFactoryContext().mainThreadDispatcher().timeSource()), main_dispatcher_(main_dispatcher) {} +void GlobalRateLimitClientImpl::deleteIsPending() { async_client_.reset(); } + void getUsageFromBucket(const CachedBucket& cached_bucket, TimeSource& time_source, BucketQuotaUsage& usage) { std::shared_ptr cached_usage = cached_bucket.quota_usage; @@ -377,10 +379,10 @@ bool GlobalRateLimitClientImpl::startStreamImpl() { // Starts stream if it has not been opened yet. if (stream_ == nullptr) { ENVOY_LOG(debug, "Trying to start the new gRPC stream"); - stream_ = aync_client_.start(*Protobuf::DescriptorPool::generated_pool()->FindMethodByName( - "envoy.service.rate_limit_quota.v3.RateLimitQuotaService." - "StreamRateLimitQuotas"), - *this, Http::AsyncClient::RequestOptions()); + stream_ = async_client_.start(*Protobuf::DescriptorPool::generated_pool()->FindMethodByName( + "envoy.service.rate_limit_quota.v3.RateLimitQuotaService." + "StreamRateLimitQuotas"), + *this, Http::AsyncClient::RequestOptions()); } // Returns error status if start failed (i.e., stream_ is nullptr). return (stream_ != nullptr); diff --git a/source/extensions/filters/http/rate_limit_quota/global_client_impl.h b/source/extensions/filters/http/rate_limit_quota/global_client_impl.h index f72ffcff31e7e..224217be804a6 100644 --- a/source/extensions/filters/http/rate_limit_quota/global_client_impl.h +++ b/source/extensions/filters/http/rate_limit_quota/global_client_impl.h @@ -57,6 +57,7 @@ class GlobalRateLimitClientCallbacks { // worker threads' local RateLimitClients. class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< envoy::service::rate_limit_quota::v3::RateLimitQuotaResponse>, + public Event::DeferredDeletable, public Logger::Loggable { public: GlobalRateLimitClientImpl(const Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, @@ -65,7 +66,11 @@ class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< std::chrono::milliseconds send_reports_interval, ThreadLocal::TypedSlot& buckets_tls, Envoy::Event::Dispatcher& main_dispatcher); - ~GlobalRateLimitClientImpl() = default; + ~GlobalRateLimitClientImpl() { + if (stream_ != nullptr) { + stream_.resetStream(); + } + } void onReceiveMessage(RateLimitQuotaResponsePtr&& response) override; @@ -75,6 +80,11 @@ class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< void onReceiveTrailingMetadata(Http::ResponseTrailerMapPtr&&) override {} void onRemoteClose(Grpc::Status::GrpcStatus status, const std::string& message) override; + // DeferredDeletable + // Cleanup resources that have to be deleted on the main thread before this deferred deletion. + // Not thread-safe & should only be called by the main thread. + void deleteIsPending() override; + // Functions needed by LocalRateLimitClientImpl to make unsafe modifications // to global resources. All are non-blocking & safely callable by worker // threads and make unsafe changes by ensuring that all such changes are done @@ -155,7 +165,7 @@ class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< std::string domain_name_; // Client is stored as the bare object since there is no ownership transfer // involved. - GrpcAsyncClient aync_client_; + GrpcAsyncClient async_client_; Grpc::AsyncStream stream_{}; // Reference to TLS slot for the global quota bucket cache. It outlives @@ -180,29 +190,18 @@ class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< * Create a shared rate limit client. It should be shared to each worker * thread via TLS. */ -inline std::shared_ptr +inline std::unique_ptr createGlobalRateLimitClientImpl(Server::Configuration::FactoryContext& context, absl::string_view domain_name, std::chrono::milliseconds send_reports_interval, ThreadLocal::TypedSlot& buckets_tls, Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key) { Envoy::Event::Dispatcher& main_dispatcher = context.serverFactoryContext().mainThreadDispatcher(); - return std::make_shared(config_with_hash_key, context, domain_name, + return std::make_unique(config_with_hash_key, context, domain_name, send_reports_interval, buckets_tls, main_dispatcher); } -struct ThreadLocalGlobalRateLimitClientImpl : public Envoy::ThreadLocal::ThreadLocalObject, - Logger::Loggable { -public: - ThreadLocalGlobalRateLimitClientImpl(std::shared_ptr global_client) - : global_client(global_client) {} - - // Thread-unsafe operations like index creation should only be done by the - // global ThreadLocalClient. - std::shared_ptr global_client; -}; - } // namespace RateLimitQuota } // namespace HttpFilters } // namespace Extensions diff --git a/test/extensions/filters/http/rate_limit_quota/BUILD b/test/extensions/filters/http/rate_limit_quota/BUILD index b620048c90af2..65cf6d47e7877 100644 --- a/test/extensions/filters/http/rate_limit_quota/BUILD +++ b/test/extensions/filters/http/rate_limit_quota/BUILD @@ -127,3 +127,31 @@ envoy_extension_cc_test( "@envoy_api//envoy/type/v3:pkg_cc_proto", ], ) + +envoy_extension_cc_test( + name = "filter_persistence_test", + size = "large", + srcs = ["filter_persistence_test.cc"], + extension_names = ["envoy.filters.http.rate_limit_quota"], + shard_count = 4, + tags = [ + "cpu:3", + "skip_on_windows", + ], + deps = [ + ":test_utils", + "//source/common/http:message_lib", + "//source/extensions/filters/http/rate_limit_quota", + "//source/extensions/filters/http/rate_limit_quota:config", + "//test/common/http:common_lib", + "//test/integration:http_integration_lib", + "//test/mocks/server:factory_context_mocks", + "//test/test_common:status_utility_lib", + "//test/test_common:test_runtime_lib", + "//test/test_common:utility_lib", + "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/http/rate_limit_quota/v3:pkg_cc_proto", + "@envoy_api//envoy/service/rate_limit_quota/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/filters/http/rate_limit_quota/client_test.cc b/test/extensions/filters/http/rate_limit_quota/client_test.cc index 8f01704f73733..4a480c6dc0ddf 100644 --- a/test/extensions/filters/http/rate_limit_quota/client_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/client_test.cc @@ -109,7 +109,7 @@ class GlobalClientTest : public ::testing::Test { buckets_tls_->set([initial_tl_buckets_cache](Unused) { return initial_tl_buckets_cache; }); mock_stream_client->expectClientCreation(); - global_client_ = std::make_shared( + global_client_ = std::make_unique( mock_stream_client->config_with_hash_key_, mock_stream_client->context_, mock_domain_, reporting_interval_, *buckets_tls_, *mock_stream_client->dispatcher_); // Set callbacks to handle asynchronous timing. @@ -121,7 +121,7 @@ class GlobalClientTest : public ::testing::Test { } std::unique_ptr mock_stream_client = nullptr; - std::shared_ptr global_client_ = nullptr; + std::unique_ptr global_client_ = nullptr; ThreadLocal::TypedSlotPtr buckets_tls_ = nullptr; GlobalClientCallbacks* cb_ptr_ = nullptr; @@ -1258,22 +1258,11 @@ class LocalClientTest : public GlobalClientTest { void SetUp() override { GlobalClientTest::SetUp(); - // Initialize the TLS slot. - client_tls_ = std::make_unique>( - mock_stream_client->context_.server_factory_context_.thread_local_); - // Create a ThreadLocal wrapper for the global client initialized in the - // GlobalClientTest. - auto tl_global_client = std::make_shared(global_client_); - // Set the TLS slot to return copies of the shared_ptr holding that - // ThreadLocal object. - client_tls_->set([tl_global_client](Unused) { return tl_global_client; }); - // Create the local client for testing. - local_client_ = std::make_unique(*client_tls_, *buckets_tls_); + local_client_ = std::make_unique(global_client_.get(), *buckets_tls_); } std::unique_ptr local_client_ = nullptr; - ThreadLocal::TypedSlotPtr client_tls_ = nullptr; }; TEST_F(LocalClientTest, TestLocalClient) { diff --git a/test/extensions/filters/http/rate_limit_quota/client_test_utils.h b/test/extensions/filters/http/rate_limit_quota/client_test_utils.h index c03c7c340e3aa..0391391a87eee 100644 --- a/test/extensions/filters/http/rate_limit_quota/client_test_utils.h +++ b/test/extensions/filters/http/rate_limit_quota/client_test_utils.h @@ -54,7 +54,15 @@ class RateLimitTestClient { void expectClientCreation() { EXPECT_CALL(context_.server_factory_context_.cluster_manager_.async_client_manager_, getOrCreateRawAsyncClientWithHashKey(_, _, _)) - .WillOnce(Invoke(this, &RateLimitTestClient::mockCreateAsyncClient)); + .Times(testing::AtLeast(1)) + .WillRepeatedly(Invoke(this, &RateLimitTestClient::mockCreateAsyncClient)); + } + + void failClientCreation() { + EXPECT_CALL(context_.server_factory_context_.cluster_manager_.async_client_manager_, + getOrCreateRawAsyncClientWithHashKey(_, _, _)) + .Times(testing::AtLeast(1)) + .WillRepeatedly([]() { return absl::InternalError("Mock client creation failure"); }); } void expectStreamCreation(int times) { @@ -75,6 +83,8 @@ class RateLimitTestClient { .Times(times) .WillRepeatedly(Invoke(this, &RateLimitTestClient::mockStartRaw)); } + // The stream object is only directly reset when undergoing filter shutdown. + EXPECT_CALL(stream_, resetStream()); } // We don't know the eventual intent of each timer at creation time. Expect @@ -127,9 +137,11 @@ class RateLimitTestClient { void expectTimeSource() {} Grpc::RawAsyncClientSharedPtr mockCreateAsyncClient(Unused, Unused, Unused) { - auto client = std::make_shared(); - async_client_ = client.get(); - return client; + if (async_client_ != nullptr) { + return async_client_; + } + async_client_ = std::make_shared(); + return async_client_; } void setStreamStartToFail(int fail_starts) { fail_starts_ = fail_starts; } @@ -150,7 +162,7 @@ class RateLimitTestClient { Grpc::GrpcServiceConfigWithHashKey config_with_hash_key_; envoy::config::core::v3::GrpcService grpc_service_; - Grpc::MockAsyncClient* async_client_ = nullptr; + std::shared_ptr async_client_ = nullptr; Grpc::MockAsyncStream stream_; NiceMock stream_info_; Grpc::RawAsyncStreamCallbacks* stream_callbacks_; diff --git a/test/extensions/filters/http/rate_limit_quota/config_test.cc b/test/extensions/filters/http/rate_limit_quota/config_test.cc index 11c5f878d90fe..9b81005555ca7 100644 --- a/test/extensions/filters/http/rate_limit_quota/config_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/config_test.cc @@ -5,6 +5,7 @@ #include "envoy/http/filter_factory.h" #include "source/extensions/filters/http/rate_limit_quota/config.h" +#include "source/extensions/filters/http/rate_limit_quota/filter_persistence.h" #include "test/extensions/filters/http/rate_limit_quota/client_test_utils.h" #include "test/mocks/http/mocks.h" @@ -63,6 +64,94 @@ TEST(RateLimitQuotaFilterConfigTest, RateLimitQuotaFilterWithCorrectProto) { Http::FilterFactoryCb cb = factory.createFilterFactoryFromProtoTyped( filter_config, stats_prefix, mock_stream_client->context_); cb(filter_callback); + + GlobalTlsStores::clear(); +} + +TEST(RateLimitQuotaFilterConfigTest, RateLimitQuotaFilterWithInvalidMatcher) { + std::string filter_config_yaml = R"EOF( + rlqs_server: + envoy_grpc: + cluster_name: "rate_limit_quota_server" + domain: test + bucket_matchers: + matcher_list: + matchers: + # Assign requests with header['env'] set to 'staging' to the bucket { name: 'staging' } + predicate: + single_predicate: + input: + name: input_not_found + typed_config: + "@type": type.googleapis.com/google.protobuf.StringValue + value_match: + exact: 3.14 + on_match: + action: + name: rate_limit_quota + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings + bucket_id_builder: + bucket_id_builder: + "name": + string_value: "prod" + reporting_interval: 60s + )EOF"; + envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaFilterConfig filter_config; + TestUtility::loadFromYaml(filter_config_yaml, filter_config); + + // Handle the global client's creation by expecting the underlying async grpc + // client creation. getOrThrow fails otherwise. + auto mock_stream_client = std::make_unique(); + + RateLimitQuotaFilterFactory factory; + std::string stats_prefix = "test"; + EXPECT_THROW_WITH_REGEX(factory.createFilterFactoryFromProtoTyped(filter_config, stats_prefix, + mock_stream_client->context_), + EnvoyException, + "Didn't find a registered implementation.*'input_not_found'"); +} + +TEST(RateLimitQuotaFilterConfigTest, RateLimitQuotaFilterWithInvalidGrpcClient) { + std::string filter_config_yaml = R"EOF( + rlqs_server: + envoy_grpc: + cluster_name: "rate_limit_quota_server" + domain: test + bucket_matchers: + matcher_list: + matchers: + # Assign requests with header['env'] set to 'staging' to the bucket { name: 'staging' } + predicate: + single_predicate: + input: + typed_config: + "@type": type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: environment + value_match: + exact: staging + on_match: + action: + name: rate_limit_quota + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings + bucket_id_builder: + bucket_id_builder: + "name": + string_value: "prod" + reporting_interval: 60s + )EOF"; + envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaFilterConfig filter_config; + TestUtility::loadFromYaml(filter_config_yaml, filter_config); + + auto mock_stream_client = std::make_unique(); + mock_stream_client->failClientCreation(); + + RateLimitQuotaFilterFactory factory; + std::string stats_prefix = "test"; + EXPECT_THROW_WITH_REGEX(factory.createFilterFactoryFromProtoTyped(filter_config, stats_prefix, + mock_stream_client->context_), + EnvoyException, "Mock client creation failure"); } } // namespace diff --git a/test/extensions/filters/http/rate_limit_quota/filter_persistence_test.cc b/test/extensions/filters/http/rate_limit_quota/filter_persistence_test.cc new file mode 100644 index 0000000000000..238f0be7b55cc --- /dev/null +++ b/test/extensions/filters/http/rate_limit_quota/filter_persistence_test.cc @@ -0,0 +1,527 @@ +#include "envoy/config/cluster/v3/cluster.pb.h" +#include "envoy/config/core/v3/config_source.pb.h" +#include "envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.pb.h" +#include "envoy/network/connection.h" +#include "envoy/service/rate_limit_quota/v3/rlqs.pb.h" + +#include "source/extensions/filters/http/rate_limit_quota/filter_persistence.h" + +#include "test/common/http/common.h" +#include "test/integration/autonomous_upstream.h" +#include "test/integration/fake_upstream.h" +#include "test/integration/http_integration.h" +#include "test/integration/integration_stream_decoder.h" +#include "test/test_common/simulated_time_system.h" +#include "test/test_common/utility.h" + +#include "absl/strings/str_cat.h" +#include "absl/time/clock.h" +#include "absl/time/time.h" +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace HttpFilters { +namespace RateLimitQuota { +namespace { + +using Envoy::ProtoEq; +using envoy::config::cluster::v3::Cluster; +using envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaBucketSettings; +using envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaFilterConfig; +using envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager; +using envoy::service::rate_limit_quota::v3::BucketId; +using envoy::service::rate_limit_quota::v3::RateLimitQuotaResponse; +using envoy::service::rate_limit_quota::v3::RateLimitQuotaUsageReports; +using Protobuf::util::MessageDifferencer; + +MATCHER_P2(ProtoEqIgnoringFieldAndOrdering, expected, + /* const FieldDescriptor* */ ignored_field, "") { + MessageDifferencer differencer; + ASSERT(ignored_field != nullptr, "Field to ignore not found."); + differencer.IgnoreField(ignored_field); + differencer.set_repeated_field_comparison(MessageDifferencer::AS_SET); + + if (differencer.Compare(arg, expected)) { + return true; + } + *result_listener << "Expected:\n" << expected.DebugString() << "\nActual:\n" << arg.DebugString(); + return false; +} + +static constexpr char kDefaultRateLimitQuotaFilter[] = R"EOF( +name: "envoy.filters.http.rate_limit_quota" +typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaFilterConfig" + rlqs_server: + envoy_grpc: + cluster_name: "rlqs_upstream_0" + domain: "test_domain" + bucket_matchers: + matcher_list: + matchers: + predicate: + single_predicate: + input: + typed_config: + "@type": type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: environment + name: "HttpRequestHeaderMatchInput" + value_match: + exact: staging + on_match: + action: + name: rate_limit_quota + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings + bucket_id_builder: + bucket_id_builder: + "test_key_1": + string_value: "test_value_1" + "test_key_2": + string_value: "test_value_2" + no_assignment_behavior: + fallback_rate_limit: + blanket_rule: ALLOW_ALL + reporting_interval: 5s + on_no_match: + action: + name: rate_limit_quota + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings" + bucket_id_builder: + bucket_id_builder: + "on_no_match_key": + string_value: "on_no_match_value" + no_assignment_behavior: + fallback_rate_limit: + blanket_rule: ALLOW_ALL + reporting_interval: 5s +)EOF"; + +class FilterPersistenceTest : public Event::TestUsingSimulatedTime, + public HttpIntegrationTest, + public Grpc::GrpcClientIntegrationParamTest { +protected: + FilterPersistenceTest() : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion()) { + setUpstreamProtocol(Http::CodecType::HTTP2); + setUpIntegrationTest(); + } + + void setUpIntegrationTest() { + config_helper_.addConfigModifier( + [&]([[maybe_unused]] envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Start the server with a default RLQS filter that will then be + // updated by LDS / xDS in the test cases. + config_helper_.prependFilter(kDefaultRateLimitQuotaFilter); + }); + setUpstreamProtocol(Http::CodecType::HTTP2); + setDownstreamProtocol(Http::CodecType::HTTP2); + HttpIntegrationTest::initialize(); + } + + // The RLQS upstream shouldn't be autonomous as it will handle the long-lived + // RLQS stream. + void createUpstreams() override { + setUpstreamCount(3); + + autonomous_upstream_ = true; + traffic_endpoint_ = upstream_address_fn_(0); + createUpstream(traffic_endpoint_, upstreamConfig()); + traffic_upstream_ = dynamic_cast(fake_upstreams_[0].get()); + + autonomous_upstream_ = false; + // Testing requires multiple RLQS upstream targets. + for (int i = 0; i < 2; ++i) { + FakeRlqsUpstreamRefs rlqs_upstream{}; + rlqs_upstream.rlqs_endpoint_ = upstream_address_fn_(i + 1); + createUpstream(rlqs_upstream.rlqs_endpoint_, upstreamConfig()); + rlqs_upstream.rlqs_upstream_ = fake_upstreams_[i + 1].get(); + + rlqs_upstreams_.push_back(std::move(rlqs_upstream)); + } + + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + traffic_cluster_ = bootstrap.mutable_static_resources()->mutable_clusters(0); + for (size_t i = 0; i < rlqs_upstreams_.size(); ++i) { + FakeRlqsUpstreamRefs& rlqs_upstream_refs = rlqs_upstreams_.at(i); + rlqs_upstream_refs.rlqs_cluster_ = bootstrap.mutable_static_resources()->add_clusters(); + + rlqs_upstream_refs.rlqs_cluster_->MergeFrom(bootstrap.static_resources().clusters(0)); + + rlqs_upstream_refs.rlqs_cluster_->set_name(absl::StrCat("rlqs_upstream_", i)); + } + }); + } + + void updateConfigInPlace(std::function modifier) { + // update_success starts at 1 after the initial server configuration. + test_server_->waitForCounterEq("listener_manager.lds.update_success", config_updates_ + 1); + test_server_->waitForCounterEq("listener_manager.listener_modified", config_updates_); + test_server_->waitForCounterEq("listener_manager.listener_in_place_updated", config_updates_); + + ConfigHelper new_config_helper(version_, config_helper_.bootstrap()); + new_config_helper.addConfigModifier(modifier); + new_config_helper.setLds(absl::StrCat(config_updates_ + 1)); + + test_server_->waitForCounterEq("listener_manager.lds.update_success", config_updates_ + 2); + test_server_->waitForCounterEq("listener_manager.listener_modified", config_updates_ + 1); + test_server_->waitForCounterEq("listener_manager.listener_in_place_updated", + config_updates_ + 1); + test_server_->waitForGaugeEq("listener_manager.total_filter_chains_draining", 0); + config_updates_++; + } + + void wipeFilters() { + updateConfigInPlace([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + auto* hcm_filter = listener->mutable_filter_chains(0)->mutable_filters(0); + HttpConnectionManager hcm_config; + hcm_filter->mutable_typed_config()->UnpackTo(&hcm_config); + hcm_config.clear_http_filters(); + hcm_filter->mutable_typed_config()->PackFrom(hcm_config); + }); + absl::SleepFor(absl::Seconds(1)); + EXPECT_EQ(GlobalTlsStores::size(), 0); + } + + void cleanUp() { + wipeFilters(); + for (auto& rlqs_upstream : rlqs_upstreams_) { + if (rlqs_upstream.rlqs_connection_ != nullptr) { + ASSERT_TRUE(rlqs_upstream.rlqs_connection_->close()); + ASSERT_TRUE(rlqs_upstream.rlqs_connection_->waitForDisconnect()); + } + } + cleanupUpstreamAndDownstream(); + } + + void TearDown() override { cleanUp(); } + + // Send a request through the envoy & possibly to traffic_upstream_. Returns + // the response's status code. + std::string + sendRequest(const absl::flat_hash_map* custom_headers = nullptr) { + auto codec_client = makeHttpConnection(makeClientConnection(lookupPort("http"))); + + Http::TestRequestHeaderMapImpl headers; + HttpTestUtility::addDefaultHeaders(headers); + if (custom_headers != nullptr) { + for (auto const& pair : *custom_headers) { + headers.addCopy(pair.first, pair.second); + } + } + // Trigger responses from the autonomous upstream. + headers.addCopy(AutonomousStream::RESPOND_AFTER_REQUEST_HEADERS, "yes"); + + IntegrationStreamDecoderPtr response = codec_client->makeHeaderOnlyRequest(headers); + bool stream_ended = response->waitForEndStream(); + + codec_client->close(); + if (!stream_ended) { + return ""; + } + EXPECT_TRUE(response->complete()); + return std::string(response->headers().getStatusValue()); + } + + void expectRlqsUsageReports(int upstream_index, + const RateLimitQuotaUsageReports& expected_reports, + bool expect_new_stream = false) { + FakeRlqsUpstreamRefs& rlqs_refs = rlqs_upstreams_.at(upstream_index); + if (expect_new_stream) { + ASSERT_TRUE(rlqs_refs.rlqs_upstream_->waitForHttpConnection(*dispatcher_, + rlqs_refs.rlqs_connection_)); + ASSERT_TRUE( + rlqs_refs.rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_refs.rlqs_stream_)); + rlqs_refs.rlqs_stream_->startGrpcStream(); + } + + RateLimitQuotaUsageReports reports; + ASSERT_TRUE(rlqs_refs.rlqs_stream_->waitForGrpcMessage(*dispatcher_, reports)); + + // Ignore time_elapsed as it is often not deterministic. + const Protobuf::FieldDescriptor* time_elapsed_desc = + RateLimitQuotaUsageReports::BucketQuotaUsage::GetDescriptor()->FindFieldByName( + "time_elapsed"); + ASSERT_THAT(reports, ProtoEqIgnoringFieldAndOrdering(expected_reports, time_elapsed_desc)); + } + + // Can only be called after the RLQS stream has been established with a RLQS + // usage report. + void sendRlqsResponse(int upstream_index, const RateLimitQuotaResponse& rlqs_response) { + rlqs_upstreams_.at(upstream_index).rlqs_stream_->sendGrpcMessage(rlqs_response); + } + + void cleanupRlqsStream(int upstream_index) { + FakeRlqsUpstreamRefs& rlqs_refs = rlqs_upstreams_.at(upstream_index); + if (rlqs_refs.rlqs_connection_ != nullptr) { + ASSERT_TRUE(rlqs_refs.rlqs_connection_->close()); + ASSERT_TRUE(rlqs_refs.rlqs_connection_->waitForDisconnect()); + rlqs_refs.rlqs_connection_ = nullptr; + rlqs_refs.rlqs_stream_ = nullptr; + } + absl::SleepFor(absl::Seconds(1)); + } + + envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaFilterConfig + rlqs_filter_config_{}; + + struct FakeRlqsUpstreamRefs { + Network::Address::InstanceConstSharedPtr rlqs_endpoint_ = nullptr; + FakeUpstream* rlqs_upstream_ = nullptr; + // Each FakeUpstream can only handle 1 active stream at a time, so we just + // keep track of the most recent connection & stream. + FakeHttpConnectionPtr rlqs_connection_ = nullptr; + FakeStreamPtr rlqs_stream_ = nullptr; + Cluster* rlqs_cluster_ = nullptr; + }; + std::vector rlqs_upstreams_{}; + + Network::Address::InstanceConstSharedPtr traffic_endpoint_ = nullptr; + AutonomousUpstream* traffic_upstream_ = nullptr; + Cluster* traffic_cluster_ = nullptr; + + int config_updates_ = 0; +}; +INSTANTIATE_TEST_SUITE_P(IpVersionsClientTypeDeferredProcessing, FilterPersistenceTest, + GRPC_CLIENT_INTEGRATION_PARAMS, + Grpc::GrpcClientIntegrationParamTest::protocolTestParamsToString); + +TEST_P(FilterPersistenceTest, TestPersistenceWithLdsUpdates) { + RateLimitQuotaUsageReports expected_reports; + TestUtility::loadFromYaml(R"EOF( +domain: "test_domain" +bucket_quota_usages: + bucket_id: + bucket: + "test_key_1": + "test_value_1" + "test_key_2": + "test_value_2" + num_requests_allowed: 1 +)EOF", + expected_reports); + // The first request should trigger an immediate usage report. The + // no-assignment behavior is ALLOW_ALL so the first request should be allowed. + absl::flat_hash_map headers = {{"environment", "staging"}}; + ASSERT_EQ(sendRequest(&headers), "200"); + expectRlqsUsageReports(0, expected_reports, true); + + RateLimitQuotaResponse rlqs_response; + TestUtility::loadFromYaml(R"EOF( +bucket_action: + bucket_id: + bucket: + "test_key_1": + "test_value_1" + "test_key_2": + "test_value_2" + quota_assignment_action: + assignment_time_to_live: + seconds: 120 + rate_limit_strategy: + blanket_rule: DENY_ALL +)EOF", + rlqs_response); + // RLQS response explicitly sets the cache to DENY_ALL. + sendRlqsResponse(0, rlqs_response); + absl::SleepFor(absl::Seconds(0.5)); + ASSERT_EQ(sendRequest(&headers), "429"); + + // Send an LDS update and make sure that the cache persisted. The cached + // DENY_ALL assignment should be hit, and the filter's new + // deny_response_settings should set the response code to 403. + updateConfigInPlace([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + + auto* hcm_filter = listener->mutable_filter_chains(0)->mutable_filters(0); + HttpConnectionManager hcm_config; + hcm_filter->mutable_typed_config()->UnpackTo(&hcm_config); + + auto* rlqs_filter = hcm_config.mutable_http_filters(0); + RateLimitQuotaFilterConfig rlqs_filter_config; + rlqs_filter->mutable_typed_config()->UnpackTo(&rlqs_filter_config); + + // Change the deny_response_settings to send 403 status codes. + auto* on_match_action = rlqs_filter_config.mutable_bucket_matchers() + ->mutable_matcher_list() + ->mutable_matchers(0) + ->mutable_on_match() + ->mutable_action(); + RateLimitQuotaBucketSettings on_match_settings; + on_match_action->mutable_typed_config()->UnpackTo(&on_match_settings); + on_match_settings.mutable_deny_response_settings()->mutable_http_status()->set_code( + envoy::type::v3::StatusCode::Forbidden); + + // Re-pack in reverse order. + on_match_action->mutable_typed_config()->PackFrom(on_match_settings); + rlqs_filter->mutable_typed_config()->PackFrom(rlqs_filter_config); + hcm_filter->mutable_typed_config()->PackFrom(hcm_config); + }); + ASSERT_EQ(sendRequest(&headers), "403"); +} + +TEST_P(FilterPersistenceTest, TestPersistenceWithLdsUpdateToNewDomain) { + RateLimitQuotaUsageReports expected_reports; + TestUtility::loadFromYaml(R"EOF( +domain: "test_domain" +bucket_quota_usages: + bucket_id: + bucket: + "test_key_1": + "test_value_1" + "test_key_2": + "test_value_2" + num_requests_allowed: 1 +)EOF", + expected_reports); + // The first request should trigger an immediate usage report. The + // no-assignment behavior is ALLOW_ALL so the first request should be allowed. + absl::flat_hash_map headers = {{"environment", "staging"}}; + ASSERT_EQ(sendRequest(&headers), "200"); + expectRlqsUsageReports(0, expected_reports, true); + + RateLimitQuotaResponse rlqs_response; + TestUtility::loadFromYaml(R"EOF( +bucket_action: + bucket_id: + bucket: + "test_key_1": + "test_value_1" + "test_key_2": + "test_value_2" + quota_assignment_action: + assignment_time_to_live: + seconds: 120 + rate_limit_strategy: + blanket_rule: DENY_ALL +)EOF", + rlqs_response); + // RLQS response explicitly sets the cache to DENY_ALL. + sendRlqsResponse(0, rlqs_response); + absl::SleepFor(absl::Seconds(0.5)); + ASSERT_EQ(sendRequest(&headers), "429"); + + // Send an LDS update with a new filter domain. A different domain or RLQS + // server target should not match to the same persistent cache, so this should + // trigger creation of a new filter factory that will create a new, global + // RLQS client, quota assignment cache, etc. + updateConfigInPlace([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + + auto* hcm_filter = listener->mutable_filter_chains(0)->mutable_filters(0); + HttpConnectionManager hcm_config; + hcm_filter->mutable_typed_config()->UnpackTo(&hcm_config); + + auto* rlqs_filter = hcm_config.mutable_http_filters(0); + RateLimitQuotaFilterConfig rlqs_filter_config; + rlqs_filter->mutable_typed_config()->UnpackTo(&rlqs_filter_config); + + // Change the filter's top-level domain. + rlqs_filter_config.set_domain("new_domain"); + + // Re-pack in reverse order. + rlqs_filter->mutable_typed_config()->PackFrom(rlqs_filter_config); + hcm_filter->mutable_typed_config()->PackFrom(hcm_config); + }); + + // With an entirely fresh quota cache state & RLQS stream again, the next + // request should be allowed & trigger an initial usage report. + // Cleanup of the previous RLQS stream is needed as the same FakeUpstream can + // only handle 1 active stream at a time. + cleanupRlqsStream(0); + ASSERT_EQ(sendRequest(&headers), "200"); + + RateLimitQuotaUsageReports expected_reports_2 = expected_reports; + expected_reports_2.set_domain("new_domain"); + expectRlqsUsageReports(0, expected_reports_2, true); + + // RLQS response explicitly sets the new cache to DENY_ALL. + sendRlqsResponse(0, rlqs_response); + absl::SleepFor(absl::Seconds(0.5)); + ASSERT_EQ(sendRequest(&headers), "429"); +} + +TEST_P(FilterPersistenceTest, TestPersistenceWithLdsUpdateToNewRlqsServer) { + RateLimitQuotaUsageReports expected_reports; + TestUtility::loadFromYaml(R"EOF( +domain: "test_domain" +bucket_quota_usages: + bucket_id: + bucket: + "test_key_1": + "test_value_1" + "test_key_2": + "test_value_2" + num_requests_allowed: 1 +)EOF", + expected_reports); + // The first request should trigger an immediate usage report. The + // no-assignment behavior is ALLOW_ALL so the first request should be allowed. + absl::flat_hash_map headers = {{"environment", "staging"}}; + ASSERT_EQ(sendRequest(&headers), "200"); + expectRlqsUsageReports(0, expected_reports, true); + + RateLimitQuotaResponse rlqs_response; + TestUtility::loadFromYaml(R"EOF( +bucket_action: + bucket_id: + bucket: + "test_key_1": + "test_value_1" + "test_key_2": + "test_value_2" + quota_assignment_action: + assignment_time_to_live: + seconds: 120 + rate_limit_strategy: + blanket_rule: DENY_ALL +)EOF", + rlqs_response); + // RLQS response explicitly sets the cache to DENY_ALL. + sendRlqsResponse(0, rlqs_response); + absl::SleepFor(absl::Seconds(0.5)); + ASSERT_EQ(sendRequest(&headers), "429"); + + // Send an LDS update with a new filter domain. A different domain or RLQS + // server target should not match to the same persistent cache, so this should + // trigger creation of a new filter factory that will create a new, global + // RLQS client, quota assignment cache, etc. + updateConfigInPlace([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + + auto* hcm_filter = listener->mutable_filter_chains(0)->mutable_filters(0); + HttpConnectionManager hcm_config; + hcm_filter->mutable_typed_config()->UnpackTo(&hcm_config); + + auto* rlqs_filter = hcm_config.mutable_http_filters(0); + RateLimitQuotaFilterConfig rlqs_filter_config; + rlqs_filter->mutable_typed_config()->UnpackTo(&rlqs_filter_config); + + // Change the filter's top-level RLQS server target. + rlqs_filter_config.mutable_rlqs_server()->mutable_envoy_grpc()->set_cluster_name( + "rlqs_upstream_1"); + + // Re-pack in reverse order. + rlqs_filter->mutable_typed_config()->PackFrom(rlqs_filter_config); + hcm_filter->mutable_typed_config()->PackFrom(hcm_config); + }); + + ASSERT_EQ(sendRequest(&headers), "200"); + + // Expect a duplicate, initial report on the new stream. + expectRlqsUsageReports(1, expected_reports, true); + + // RLQS response explicitly sets the new cache to DENY_ALL. + sendRlqsResponse(1, rlqs_response); + absl::SleepFor(absl::Seconds(0.5)); + ASSERT_EQ(sendRequest(&headers), "429"); +} + +} // namespace +} // namespace RateLimitQuota +} // namespace HttpFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/filters/http/rate_limit_quota/filter_test.cc b/test/extensions/filters/http/rate_limit_quota/filter_test.cc index 20b860a1a3704..50cbfb708c776 100644 --- a/test/extensions/filters/http/rate_limit_quota/filter_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/filter_test.cc @@ -68,6 +68,7 @@ class FilterTest : public testing::Test { void addMatcherConfig(xds::type::matcher::v3::Matcher& matcher) { config_.mutable_bucket_matchers()->MergeFrom(matcher); match_tree_ = matcher_factory_.create(matcher)(); + EXPECT_TRUE(visitor_.errors().empty()); } void addMatcherConfig(MatcherConfigType config_type) { diff --git a/test/extensions/filters/http/rate_limit_quota/integration_test.cc b/test/extensions/filters/http/rate_limit_quota/integration_test.cc index d5585a693eeca..29bdfeca4b0eb 100644 --- a/test/extensions/filters/http/rate_limit_quota/integration_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/integration_test.cc @@ -18,6 +18,7 @@ #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" #include "source/common/runtime/runtime_features.h" +#include "source/extensions/filters/http/rate_limit_quota/filter_persistence.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/common/http/common.h" @@ -42,6 +43,7 @@ namespace RateLimitQuota { namespace { using Envoy::ProtoEq; +using envoy::config::cluster::v3::Cluster; using envoy::service::rate_limit_quota::v3::BucketId; using envoy::service::rate_limit_quota::v3::RateLimitQuotaResponse; using envoy::service::rate_limit_quota::v3::RateLimitQuotaUsageReports; @@ -88,43 +90,43 @@ class RateLimitQuotaIntegrationTest : public Event::TestUsingSimulatedTime, } void createUpstreams() override { - HttpIntegrationTest::createUpstreams(); - - // Create separate side stream for rate limit quota server - for (int i = 0; i < 2; ++i) { - grpc_upstreams_.push_back(&addFakeUpstream(Http::CodecType::HTTP2)); - } + setUpstreamCount(2); + + autonomous_upstream_ = true; + traffic_endpoint_ = upstream_address_fn_(0); + createUpstream(traffic_endpoint_, upstreamConfig()); + traffic_upstream_ = dynamic_cast(fake_upstreams_[0].get()); + + autonomous_upstream_ = false; + // Testing requires multiple RLQS upstream targets. + rlqs_endpoint_ = upstream_address_fn_(1); + createUpstream(rlqs_endpoint_, upstreamConfig()); + rlqs_upstream_ = fake_upstreams_[1].get(); } void initializeConfig(ConfigOption config_option = {}, const std::string& log_format = "") { config_helper_.addConfigModifier([this, config_option, log_format]( envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - // Ensure "HTTP2 with no prior knowledge." Necessary for gRPC and for - // headers - ConfigHelper::setHttp2( - *(bootstrap.mutable_static_resources()->mutable_clusters()->Mutable(0))); - // Enable access logging for testing dynamic metadata. if (!log_format.empty()) { HttpIntegrationTest::useAccessLog(log_format); } - // Clusters for ExtProc gRPC servers, starting by copying an existing - // cluster - for (size_t i = 0; i < grpc_upstreams_.size(); ++i) { - auto* server_cluster = bootstrap.mutable_static_resources()->add_clusters(); - server_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); - std::string cluster_name = absl::StrCat("rlqs_server_", i); - server_cluster->set_name(cluster_name); - server_cluster->mutable_load_assignment()->set_cluster_name(cluster_name); - } + traffic_cluster_ = bootstrap.mutable_static_resources()->mutable_clusters(0); + // Ensure "HTTP2 with no prior knowledge." Necessary for gRPC and for + // headers + ConfigHelper::setHttp2(*traffic_cluster_); + + rlqs_cluster_ = bootstrap.mutable_static_resources()->add_clusters(); + rlqs_cluster_->MergeFrom(bootstrap.static_resources().clusters(0)); + rlqs_cluster_->set_name("rlqs_server"); if (config_option.valid_rlqs_server) { // Load configuration of the server from YAML and use a helper to // add a grpc_service stanza pointing to the cluster that we just // made - setGrpcService(*proto_config_.mutable_rlqs_server(), "rlqs_server_0", - grpc_upstreams_[0]->localAddress()); + setGrpcService(*proto_config_.mutable_rlqs_server(), "rlqs_server", + rlqs_upstream_->localAddress()); } else { // Set up the gRPC service with wrong cluster name and address. setGrpcService(*proto_config_.mutable_rlqs_server(), "rlqs_wrong_server", @@ -192,8 +194,8 @@ class RateLimitQuotaIntegrationTest : public Event::TestUsingSimulatedTime, // Send downstream client request. void sendClientRequest(const absl::flat_hash_map* custom_headers = nullptr) { - auto conn = makeClientConnection(lookupPort("http")); - codec_client_ = makeHttpConnection(std::move(conn)); + auto codec_client = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); if (custom_headers != nullptr) { @@ -201,7 +203,14 @@ class RateLimitQuotaIntegrationTest : public Event::TestUsingSimulatedTime, headers.addCopy(pair.first, pair.second); } } - response_ = codec_client_->makeHeaderOnlyRequest(headers); + // Trigger responses from the autonomous upstream. + headers.addCopy(AutonomousStream::RESPOND_AFTER_REQUEST_HEADERS, "yes"); + + response_ = codec_client->makeHeaderOnlyRequest(headers); + EXPECT_TRUE(response_->waitForEndStream()); + + codec_client->close(); + EXPECT_TRUE(response_->complete()); } void cleanUp() { @@ -217,9 +226,8 @@ class RateLimitQuotaIntegrationTest : public Event::TestUsingSimulatedTime, bool expectDeniedRequest(int expected_status_code, std::vector> expected_headers = {}, std::string expected_body = "") { - if (!response_->waitForEndStream()) + if (!response_->complete()) return false; - EXPECT_TRUE(response_->complete()); EXPECT_EQ(response_->headers().getStatusValue(), absl::StrCat(expected_status_code)); // Check for expected headers & body if set. @@ -234,37 +242,28 @@ class RateLimitQuotaIntegrationTest : public Event::TestUsingSimulatedTime, if (!expected_body.empty()) { EXPECT_THAT(response_->body(), testing::StrEq(expected_body)); } - - cleanupUpstreamAndDownstream(); return true; } bool expectAllowedRequest() { - // Handle the request received by upstream. - if (!fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)) - return false; - if (!fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)) - return false; - if (!upstream_request_->waitForEndStream(*dispatcher_)) - return false; - upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); - upstream_request_->encodeData(100, true); - // Verify the response to downstream. - if (!response_->waitForEndStream()) + if (!response_->complete()) return false; - EXPECT_TRUE(response_->complete()); EXPECT_EQ(response_->headers().getStatusValue(), "200"); - - cleanupUpstreamAndDownstream(); return true; } envoy::extensions::filters::http::rate_limit_quota::v3::RateLimitQuotaFilterConfig proto_config_{}; - std::vector grpc_upstreams_; + Network::Address::InstanceConstSharedPtr traffic_endpoint_; + AutonomousUpstream* traffic_upstream_; + Cluster* traffic_cluster_; + + Network::Address::InstanceConstSharedPtr rlqs_endpoint_; + FakeUpstream* rlqs_upstream_; FakeHttpConnectionPtr rlqs_connection_; FakeStreamPtr rlqs_stream_; + Cluster* rlqs_cluster_; IntegrationStreamDecoderPtr response_; // TODO(bsurber): Implement report timing & usage aggregation based on each // bucket's reporting_interval field. Currently this is not supported and all @@ -272,6 +271,9 @@ class RateLimitQuotaIntegrationTest : public Event::TestUsingSimulatedTime, int report_interval_sec_ = 5; RateLimitStrategy deny_all_strategy; RateLimitStrategy allow_all_strategy; + + // Access to static state, needed to reset between tests. + GlobalTlsStores global_tls_stores_; }; INSTANTIATE_TEST_SUITE_P(IpVersionsClientTypeDeferredProcessing, RateLimitQuotaIntegrationTest, @@ -287,8 +289,8 @@ TEST_P(RateLimitQuotaIntegrationTest, StartFailed) { absl::flat_hash_map custom_headers = {{"environment", "staging"}, {"group", "envoy"}}; sendClientRequest(&custom_headers); - EXPECT_FALSE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_, - std::chrono::seconds(1))); + EXPECT_FALSE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_, + std::chrono::seconds(1))); } TEST_P(RateLimitQuotaIntegrationTest, BasicFlowEmptyResponse) { @@ -300,7 +302,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowEmptyResponse) { sendClientRequest(&custom_headers); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -308,23 +310,8 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowEmptyResponse) { RateLimitQuotaUsageReports reports; ASSERT_TRUE(rlqs_stream_->waitForGrpcMessage(*dispatcher_, reports)); - // Send the response from RLQS server. - RateLimitQuotaResponse rlqs_response; - // Response with empty bucket action. - rlqs_response.add_bucket_action(); - rlqs_stream_->sendGrpcMessage(rlqs_response); - - // Handle the request received by upstream. - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); - ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); - upstream_request_->encodeData(100, true); - // Verify the response to downstream. - ASSERT_TRUE(response_->waitForEndStream()); - EXPECT_TRUE(response_->complete()); - EXPECT_EQ(response_->headers().getStatusValue(), "200"); + ASSERT_TRUE(expectAllowedRequest()); } TEST_P(RateLimitQuotaIntegrationTest, BasicFlowResponseNotMatched) { @@ -336,7 +323,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowResponseNotMatched) { sendClientRequest(&custom_headers); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -353,16 +340,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowResponseNotMatched) { rlqs_stream_->sendGrpcMessage(rlqs_response); // Handle the request received by upstream. - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); - ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); - upstream_request_->encodeData(100, true); - - // Verify the response to downstream. - ASSERT_TRUE(response_->waitForEndStream()); - EXPECT_TRUE(response_->complete()); - EXPECT_EQ(response_->headers().getStatusValue(), "200"); + expectAllowedRequest(); } TEST_P(RateLimitQuotaIntegrationTest, BasicFlowResponseMatched) { @@ -374,7 +352,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowResponseMatched) { sendClientRequest(&custom_headers); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); // Handle the request received by upstream. @@ -408,7 +386,7 @@ TEST_P(RateLimitQuotaIntegrationTest, TestBasicMetadataLogging) { sendClientRequest(&custom_headers); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Wait for the first usage reports. @@ -428,16 +406,7 @@ TEST_P(RateLimitQuotaIntegrationTest, TestBasicMetadataLogging) { rlqs_stream_->sendGrpcMessage(rlqs_response); // Handle the request received by upstream. - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); - ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); - upstream_request_->encodeData(100, true); - - // Verify the response to downstream. - ASSERT_TRUE(response_->waitForEndStream()); - EXPECT_TRUE(response_->complete()); - EXPECT_EQ(response_->headers().getStatusValue(), "200"); + ASSERT_TRUE(expectAllowedRequest()); std::string log_output0 = HttpIntegrationTest::waitForAccessLog(HttpIntegrationTest::access_log_name_, 0, true); @@ -464,7 +433,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowMultiSameRequest) { // the cache. if (i == 0) { // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -489,17 +458,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowMultiSameRequest) { // Send the response from RLQS server. rlqs_stream_->sendGrpcMessage(rlqs_response); } - // Handle the request received by upstream. - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); - ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); - upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); - upstream_request_->encodeData(100, true); - - // Verify the response to downstream. - ASSERT_TRUE(response_->waitForEndStream()); - EXPECT_TRUE(response_->complete()); - EXPECT_EQ(response_->headers().getStatusValue(), "200"); + ASSERT_TRUE(expectAllowedRequest()); cleanUp(); } @@ -525,7 +484,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowMultiDifferentRequest) { // Expect a stream to open to the RLQS server with the first filter hit. if (i == 0) { // Start the gRPC stream to RLQS server on the first request. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); } @@ -587,7 +546,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestNoAssignmentDenyAll) { if (i == 0) { // Start the gRPC stream to RLQS server on the first request. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -642,7 +601,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestNoAssignmentDenyAllWithSet if (i == 0) { // Start the gRPC stream to RLQS server on the first request. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -697,7 +656,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestNoAssignmentDenyAllWithEmp if (i == 0) { // Start the gRPC stream to RLQS server on the first request. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -767,7 +726,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiDifferentRequestNoAssignementAllowAll if (i == 0) { // Start the gRPC stream to RLQS server on the first reports. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); } @@ -834,7 +793,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiDifferentRequestNoAssignementDenyAll) if (i == 0) { // Start the gRPC stream to RLQS server on the first reports. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); } @@ -873,7 +832,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowPeriodicalReport) { sendClientRequest(&custom_headers); // Expect the RLQS stream to start. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // No-assignment behavior dictates that initial traffic should be allowed. @@ -957,7 +916,7 @@ TEST_P(RateLimitQuotaIntegrationTest, BasicFlowPeriodicalReportWithStreamClosed) WAIT_FOR_LOG_CONTAINS("debug", "RLQS buckets cache written to TLS.", { sendClientRequest(&custom_headers); }); - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when traffic first hits the RLQS bucket. @@ -1067,7 +1026,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiRequestWithTokenBucketThrottling) { // server as the subsequent requests will find the entry in the cache. if (i == 0) { // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); ASSERT_TRUE(expectAllowedRequest()); @@ -1135,7 +1094,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiRequestWithTokenBucketExpiration) { sendClientRequest(&custom_headers); // Start the gRPC stream to RLQS server on the first request. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); rlqs_stream_->startGrpcStream(); @@ -1219,7 +1178,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiRequestWithTokenBucketReplacement) { sendClientRequest(&custom_headers); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1320,7 +1279,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiRequestWithUnsupportedStrategy) { // server as the subsequent requests will find the entry in the cache. if (i == 0) { // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1370,7 +1329,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiRequestWithUnsetStrategy) { // server as the subsequent requests will find the entry in the cache. if (i == 0) { // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1412,7 +1371,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiRequestWithUnsupportedDefaultAction) EXPECT_TRUE(expectAllowedRequest()); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1447,7 +1406,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestWithExpiredAssignmentDeny) { sendClientRequest(&custom_headers); }); // Start the gRPC stream to RLQS server. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1509,7 +1468,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestWithExpiredAssignmentAllow // 1st request will start the gRPC stream. if (i == 0) { // Start the gRPC stream to RLQS server on the first request. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1575,7 +1534,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestWithExpirationToDefaultDen expectAllowedRequest(); if (i == 0) { // Expect a gRPC stream to the RLQS server opened with the first bucket. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1634,7 +1593,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestWithExpirationWithoutFallb if (i == 0) { // Start the gRPC stream to RLQS server & send the initial report. - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. @@ -1681,7 +1640,7 @@ TEST_P(RateLimitQuotaIntegrationTest, MultiSameRequestWithAbandonAction) { // Send first request & expect a new RLQS stream. sendClientRequest(&custom_headers); - ASSERT_TRUE(grpc_upstreams_[0]->waitForHttpConnection(*dispatcher_, rlqs_connection_)); + ASSERT_TRUE(rlqs_upstream_->waitForHttpConnection(*dispatcher_, rlqs_connection_)); ASSERT_TRUE(rlqs_connection_->waitForNewStream(*dispatcher_, rlqs_stream_)); // Expect an initial report when the RLQS bucket is first hit. From 7ebdf6da0a49240778fd6fed42670157fde371db Mon Sep 17 00:00:00 2001 From: botengyao Date: Thu, 21 Aug 2025 14:28:45 -0400 Subject: [PATCH 269/505] tls inspector test: change the test description for ContinueOnListenerTimeout (#40822) The comments on the ContinueOnListenerTimeout doesn't make sense. 1. the max length is changed to 16K. 2. the reason is also not correct. Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Boteng Yao --- .../listener/tls_inspector/tls_inspector_integration_test.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc index 687c3334ea14a..97da6715a8c42 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc @@ -250,9 +250,8 @@ TEST_P(TlsInspectorIntegrationTest, DisabledTlsInspectorFailsFilterChainFind) { TEST_P(TlsInspectorIntegrationTest, ContinueOnListenerTimeout) { setupConnections(/*listener_filter_disabled=*/false, /*expect_connection_open=*/true, /*ssl_client=*/false); - // The length of tls hello message is defined as `TLS_MAX_CLIENT_HELLO = 64 * 1024` - // if tls inspect filter doesn't read the max length of hello message data, it - // will continue wait. Then the listener filter timeout timer will be triggered. + // The listener filter will not process the following data but will only wait for 1 second + // to timeout and then fall over to another listener filter chain. Buffer::OwnedImpl buffer("fake data"); client_->write(buffer, false); // The timeout is set as one seconds, advance 2 seconds to trigger the timeout. From 4e2078dc75dfa0350b62287799d2ef81b9a9ff40 Mon Sep 17 00:00:00 2001 From: Nigel Brittain <108375408+nbaws@users.noreply.github.com> Date: Fri, 22 Aug 2025 09:01:21 +1000 Subject: [PATCH 270/505] aws: preserve plus sign intent inside query parameters (#40619) Commit Message: aws: preserve plus sign inside query parameters Additional Description: Ambiguity in the way query parameters containing literal plus signs could have been encoded leads to a signature verification failure. We now correctly preserve the intent behind plus signs when they arrive in the canonicalizer logic. A raw plus becomes a space, an encoded plus (%2B) stays as a %2B and an encoded space (%20) stays as a %20. Risk Level: Low Testing: Unit Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] https://github.com/envoyproxy/envoy/issues/40523 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain --- .../extensions/common/aws/signer_base_impl.cc | 8 +-- .../common/aws/signers/sigv4a_signer_impl.cc | 6 +- source/extensions/common/aws/utility.cc | 62 ++++++++++++------- source/extensions/common/aws/utility.h | 18 ++++-- test/extensions/common/aws/utility_test.cc | 12 +++- 5 files changed, 69 insertions(+), 37 deletions(-) diff --git a/source/extensions/common/aws/signer_base_impl.cc b/source/extensions/common/aws/signer_base_impl.cc index dd4b81f50c8c5..8aa16384e744f 100644 --- a/source/extensions/common/aws/signer_base_impl.cc +++ b/source/extensions/common/aws/signer_base_impl.cc @@ -193,11 +193,11 @@ void SignerBaseImpl::createQueryParams(Envoy::Http::Utility::QueryParamsMulti& q } // X-Amz-Credential query_params.add(SignatureQueryParameterValues::AmzCredential, - Utility::encodeQueryComponent(credential)); + Utility::encodeQueryComponentPreservingPlus(credential)); // X-Amz-SignedHeaders - query_params.add( - SignatureQueryParameterValues::AmzSignedHeaders, - Utility::encodeQueryComponent(Utility::joinCanonicalHeaderNames(signed_headers))); + query_params.add(SignatureQueryParameterValues::AmzSignedHeaders, + Utility::encodeQueryComponentPreservingPlus( + Utility::joinCanonicalHeaderNames(signed_headers))); } } // namespace Aws diff --git a/source/extensions/common/aws/signers/sigv4a_signer_impl.cc b/source/extensions/common/aws/signers/sigv4a_signer_impl.cc index 105304fd58848..680d8c1aba95f 100644 --- a/source/extensions/common/aws/signers/sigv4a_signer_impl.cc +++ b/source/extensions/common/aws/signers/sigv4a_signer_impl.cc @@ -45,9 +45,9 @@ void SigV4ASignerImpl::addRegionHeader(Http::RequestHeaderMap& headers, void SigV4ASignerImpl::addRegionQueryParam(Envoy::Http::Utility::QueryParamsMulti& query_params, const absl::string_view override_region) const { - query_params.add( - SignatureQueryParameterValues::AmzRegionSet, - Utility::encodeQueryComponent(override_region.empty() ? getRegion() : override_region)); + query_params.add(SignatureQueryParameterValues::AmzRegionSet, + Utility::encodeQueryComponentPreservingPlus( + override_region.empty() ? getRegion() : override_region)); } std::string SigV4ASignerImpl::createSignature( diff --git a/source/extensions/common/aws/utility.cc b/source/extensions/common/aws/utility.cc index 4522f3b2cd4a1..a983714a3b994 100644 --- a/source/extensions/common/aws/utility.cc +++ b/source/extensions/common/aws/utility.cc @@ -186,6 +186,14 @@ bool isReservedChar(const char c) { return std::isalnum(c) || RESERVED_CHARS.find(c) != std::string::npos; } +void Utility::encodeCharacter(unsigned char c, std::string& result) { + if (isReservedChar(c)) { + result.push_back(c); + } else { + absl::StrAppend(&result, fmt::format(URI_ENCODE, c)); + } +} + std::string Utility::uriEncodePath(absl::string_view original_path) { const absl::string_view::size_type query_start = original_path.find_first_of("?#"); @@ -196,10 +204,10 @@ std::string Utility::uriEncodePath(absl::string_view original_path) { for (unsigned char c : path) { // Do not encode slashes or unreserved chars from RFC 3986 - if ((isReservedChar(c)) || c == PATH_SPLITTER[0]) { + if (c == PATH_SPLITTER[0]) { encoded.push_back(c); } else { - absl::StrAppend(&encoded, fmt::format(URI_ENCODE, c)); + encodeCharacter(c, encoded); } } @@ -229,13 +237,9 @@ std::string Utility::canonicalizeQueryString(absl::string_view query_string) { // Encode query params name and value separately for (auto& query : query_list) { - // The token has already been url encoded, so don't do it again - if (query.first == SignatureQueryParameterValues::AmzSecurityToken) { - query = std::make_pair(query.first, query.second); - } else { - query = std::make_pair( - encodeQueryComponent(Envoy::Http::Utility::PercentEncoding::decode(query.first)), - encodeQueryComponent(Envoy::Http::Utility::PercentEncoding::decode(query.second))); + if (query.first != SignatureQueryParameterValues::AmzSecurityToken) { + query.first = Utility::encodeQueryComponentPreservingPlus(query.first); + query.second = Utility::encodeQueryComponentPreservingPlus(query.second); } } @@ -245,22 +249,36 @@ std::string Utility::canonicalizeQueryString(absl::string_view query_string) { return absl::StrJoin(query_list, QUERY_SEPERATOR, absl::PairFormatter(QUERY_PARAM_SEPERATOR)); } -// To avoid modifying the path, we handle spaces as if they have already been encoded to a plus, and -// avoid additional equals signs in the query parameters -std::string Utility::encodeQueryComponent(absl::string_view decoded) { - std::string encoded; - for (unsigned char c : decoded) { - if (isReservedChar(c)) { - // Escape unreserved chars from RFC 3986 - encoded.push_back(c); - } else if (c == '+') { - // Encode '+' as space - absl::StrAppend(&encoded, "%20"); +// Encode query component while preserving original %2B semantics +// %2B stays as %2B, raw + becomes %20 (space) +std::string Utility::encodeQueryComponentPreservingPlus(absl::string_view original) { + std::string result; + + for (size_t i = 0; i < original.size(); ++i) { + if (i + 2 < original.size() && absl::EqualsIgnoreCase(original.substr(i, 3), "%2B")) { + // %2B stays as %2B (preserve original encoding) + absl::StrAppend(&result, "%2B"); + i += 2; // Skip the "2B" part + } else if (original[i] == '+') { + // Raw + becomes %20 (space) + absl::StrAppend(&result, "%20"); + } else if (original[i] == '%' && i + 2 < original.size()) { + std::string decoded_seq = + Envoy::Http::Utility::PercentEncoding::decode(original.substr(i, 3)); + if (decoded_seq.size() == 1) { + // Valid percent encoding - encode the decoded character + encodeCharacter(decoded_seq[0], result); + i += 2; + } else { + // Invalid percent encoding - treat as regular character + encodeCharacter(original[i], result); + } } else { - absl::StrAppend(&encoded, fmt::format(URI_ENCODE, c)); + // Regular character + encodeCharacter(original[i], result); } } - return encoded; + return result; } std::string diff --git a/source/extensions/common/aws/utility.h b/source/extensions/common/aws/utility.h index 3990c3c70daf9..c8d5abf431211 100644 --- a/source/extensions/common/aws/utility.h +++ b/source/extensions/common/aws/utility.h @@ -64,12 +64,12 @@ class Utility : public Logger::Loggable { static std::string canonicalizeQueryString(absl::string_view query_string); /** - * URI encodes the given string based on AWS requirements. - * See step 3 in https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html - * @param decoded the decoded string. - * @return the URI encoded string. + * URI encodes query component while preserving %2B semantics. + * %2B remains as literal +, raw + becomes %20 (space). + * @param original the original string (may contain percent-encoded sequences). + * @return the properly encoded string. */ - static std::string encodeQueryComponent(absl::string_view decoded); + static std::string encodeQueryComponentPreservingPlus(absl::string_view original); /** * Get the semicolon-delimited string of canonical header names. @@ -214,6 +214,14 @@ class Utility : public Logger::Loggable { * @return boolean */ static bool shouldNormalizeUriPath(const std::string service_name); + +private: + /** + * Helper method to encode a character based on reserved character rules. + * @param c the character to encode. + * @param result the string to append the encoded result to. + */ + static void encodeCharacter(unsigned char c, std::string& result); }; } // namespace Aws diff --git a/test/extensions/common/aws/utility_test.cc b/test/extensions/common/aws/utility_test.cc index 88df73339465c..09d8372ee1944 100644 --- a/test/extensions/common/aws/utility_test.cc +++ b/test/extensions/common/aws/utility_test.cc @@ -323,6 +323,12 @@ TEST(UtilityTest, CanonicalizeQueryStringWithPlus) { EXPECT_EQ("a=1%202", canonical_query); } +TEST(UtilityTest, CanonicalizeQueryStringWithPlusEncoded) { + const absl::string_view query = "a=1%2B2"; + const auto canonical_query = Utility::canonicalizeQueryString(query); + EXPECT_EQ("a=1%2B2", canonical_query); +} + TEST(UtilityTest, CanonicalizeQueryStringWithTilde) { const absl::string_view query = "a=1%7E~2"; const auto canonical_query = Utility::canonicalizeQueryString(query); @@ -331,13 +337,13 @@ TEST(UtilityTest, CanonicalizeQueryStringWithTilde) { TEST(UtilityTest, EncodeQuerySegment) { const absl::string_view query = "^!@/-_~."; - const auto encoded_query = Utility::encodeQueryComponent(query); + const auto encoded_query = Utility::encodeQueryComponentPreservingPlus(query); EXPECT_EQ("%5E%21%40%2F-_~.", encoded_query); } TEST(UtilityTest, EncodeQuerySegmentReserved) { const absl::string_view query = "?=&"; - const auto encoded_query = Utility::encodeQueryComponent(query); + const auto encoded_query = Utility::encodeQueryComponentPreservingPlus(query); EXPECT_EQ("%3F%3D%26", encoded_query); } @@ -353,7 +359,7 @@ TEST(UtilityTest, CanonicalizationFuzzTest) { fuzz.push_back(k); Utility::uriEncodePath(fuzz); Utility::normalizePath(fuzz); - Utility::encodeQueryComponent(fuzz); + Utility::encodeQueryComponentPreservingPlus(fuzz); Utility::canonicalizeQueryString(fuzz); fuzz.pop_back(); } From 618e4480c92a2e6d790c4945d71b703c10737beb Mon Sep 17 00:00:00 2001 From: Nigel Brittain <108375408+nbaws@users.noreply.github.com> Date: Fri, 22 Aug 2025 09:03:24 +1000 Subject: [PATCH 271/505] aws: assumerole missing protobuf validations (#40273) Commit Message: aws: assumerole missing protobuf validations Additional Description: Adds missing protobuf validations that were unintentionally skipped, plus test cases to match Risk Level: Low Testing: Unit Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain Signed-off-by: Nigel Brittain <108375408+nbaws@users.noreply.github.com> --- .../common/aws/v3/credential_provider.proto | 3 +- changelogs/current.yaml | 3 + .../common/aws/credential_provider_chains.cc | 7 +- .../assume_role_credentials_provider.cc | 15 ++- .../assume_role_credentials_provider.h | 1 + .../aws/credential_provider_chains_test.cc | 27 +++++ .../assume_role_credentials_provider_test.cc | 107 +++++++++++++++++- 7 files changed, 158 insertions(+), 5 deletions(-) diff --git a/api/envoy/extensions/common/aws/v3/credential_provider.proto b/api/envoy/extensions/common/aws/v3/credential_provider.proto index 395a2e9a9ac87..e51ade1318d54 100644 --- a/api/envoy/extensions/common/aws/v3/credential_provider.proto +++ b/api/envoy/extensions/common/aws/v3/credential_provider.proto @@ -163,7 +163,8 @@ message AssumeRoleCredentialProvider { // The ARN of the role to assume. string role_arn = 1 [(validate.rules).string = {min_len: 1}]; - // Optional string value to use as the role session name + // An optional role session name, used when identifying the role in subsequent AWS API calls. If not provided, the role session name will default + // to the current timestamp. string role_session_name = 2; // Optional string value to use as the externalId diff --git a/changelogs/current.yaml b/changelogs/current.yaml index f99f54ac5f76c..076cf1a618dbf 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -68,6 +68,9 @@ bug_fixes: when used with other listener filters. The bug was triggered when a previous listener filter processed more data than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. +- area: aws + change: | + Adds missing session name, session duration and externalid parameters in assumerole credentials provider. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/common/aws/credential_provider_chains.cc b/source/extensions/common/aws/credential_provider_chains.cc index b053494ea4606..e56e64ec532c8 100644 --- a/source/extensions/common/aws/credential_provider_chains.cc +++ b/source/extensions/common/aws/credential_provider_chains.cc @@ -118,11 +118,16 @@ CommonCredentialsProviderChain::CommonCredentialsProviderChain( } if (chain_to_create.has_assume_role_credential_provider()) { - const auto& assume_role_config = chain_to_create.assume_role_credential_provider(); + auto assume_role_config = chain_to_create.assume_role_credential_provider(); const auto sts_endpoint = Utility::getSTSEndpoint(region) + ":443"; const auto cluster_name = stsClusterName(region); + // Default session name if not provided. + if (assume_role_config.role_session_name().empty()) { + assume_role_config.set_role_session_name(sessionName(context.api())); + } + ENVOY_LOG(debug, "Using assumerole credentials provider with STS endpoint: {} and session name: {}", sts_endpoint, assume_role_config.role_session_name()); diff --git a/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.cc b/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.cc index 5ca89611c5114..8ecccc34b850e 100644 --- a/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.cc +++ b/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.cc @@ -31,6 +31,7 @@ AssumeRoleCredentialsProvider::AssumeRoleCredentialsProvider( initialization_timer), role_arn_(assume_role_config.role_arn()), role_session_name_(assume_role_config.role_session_name()), region_(region), + external_id_(assume_role_config.external_id()), assume_role_signer_(std::move(assume_role_signer)) { if (assume_role_config.has_session_duration()) { @@ -71,10 +72,20 @@ void AssumeRoleCredentialsProvider::continueRefresh() { message.headers().setScheme(Http::Headers::get().SchemeValues.Https); message.headers().setMethod(Http::Headers::get().MethodValues.Get); message.headers().setHost(Http::Utility::parseAuthority(uri.value()).host_); - message.headers().setPath( + std::string path = fmt::format("/?Version=2011-06-15&Action=AssumeRole&RoleArn={}&RoleSessionName={}", Envoy::Http::Utility::PercentEncoding::encode(role_arn_), - Envoy::Http::Utility::PercentEncoding::encode(role_session_name_))); + Envoy::Http::Utility::PercentEncoding::encode(role_session_name_)); + if (session_duration_) { + path += fmt::format("&DurationSeconds={}", session_duration_.value()); + } + + if (!external_id_.empty()) { + path += + fmt::format("&ExternalId={}", Envoy::Http::Utility::PercentEncoding::encode(external_id_)); + } + + message.headers().setPath(path); // Use the Accept header to ensure that AssumeRoleResponse is returned as JSON. message.headers().setReference(Http::CustomHeaders::get().Accept, Http::Headers::get().ContentTypeValues.Json); diff --git a/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.h b/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.h index c1c1a8e2d6001..0902e7bfbd94d 100644 --- a/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.h +++ b/source/extensions/common/aws/credential_providers/assume_role_credentials_provider.h @@ -44,6 +44,7 @@ class AssumeRoleCredentialsProvider : public MetadataCredentialsProviderBase, const std::string role_arn_; const std::string role_session_name_; const std::string region_; + const std::string external_id_; absl::optional session_duration_; std::unique_ptr assume_role_signer_; }; diff --git a/test/extensions/common/aws/credential_provider_chains_test.cc b/test/extensions/common/aws/credential_provider_chains_test.cc index 241ac9713fd72..372eb3bf1c0cd 100644 --- a/test/extensions/common/aws/credential_provider_chains_test.cc +++ b/test/extensions/common/aws/credential_provider_chains_test.cc @@ -427,6 +427,33 @@ TEST_F(CustomCredentialsProviderChainTest, AssumeRoleWithEnvironment) { EXPECT_EQ(2, chain.value()->getNumProviders()); } +TEST_F(CustomCredentialsProviderChainTest, AssumeRoleWithoutSessionName) { + envoy::extensions::common::aws::v3::AwsCredentialProvider credential_provider_config = {}; + credential_provider_config.set_custom_credential_provider_chain(true); + credential_provider_config.mutable_assume_role_credential_provider()->set_role_arn( + "test-role-arn"); + // Intentionally not setting role_session_name to test auto-generation. + + std::string role_session_name; + time_system_.setSystemTime(std::chrono::milliseconds(1234567890)); + + EXPECT_CALL(factories_, createAssumeRoleCredentialsProvider(Ref(context_), _, _, _)) + .WillOnce(Invoke(WithArg<3>( + [&role_session_name]( + const envoy::extensions::common::aws::v3::AssumeRoleCredentialProvider& provider) + -> CredentialsProviderSharedPtr { + role_session_name = provider.role_session_name(); + return std::make_shared(); + }))); + + CommonCredentialsProviderChain chain(context_, "us-east-1", credential_provider_config, + factories_); + + // Verify that a session name was auto-generated based on the timestamp. + EXPECT_FALSE(role_session_name.empty()); + EXPECT_EQ(role_session_name, "1234567890000000"); +} + } // namespace Aws } // namespace Common } // namespace Extensions diff --git a/test/extensions/common/aws/credential_providers/assume_role_credentials_provider_test.cc b/test/extensions/common/aws/credential_providers/assume_role_credentials_provider_test.cc index 5ca452718026c..874a31634c12a 100644 --- a/test/extensions/common/aws/credential_providers/assume_role_credentials_provider_test.cc +++ b/test/extensions/common/aws/credential_providers/assume_role_credentials_provider_test.cc @@ -632,7 +632,27 @@ TEST_F(AssumeRoleCredentialsProviderTest, Coverage) { TEST_F(AssumeRoleCredentialsProviderTest, WithSessionDuration) { timer_ = new NiceMock(&context_.dispatcher_); - expectDocument(200, std::move(R"EOF( + // Custom matcher for request with session duration parameter. + Http::TestRequestHeaderMapImpl headers_with_duration{ + {":path", "/?Version=2011-06-15&Action=AssumeRole&RoleArn=aws:iam::123456789012:role/" + "arn&RoleSessionName=role-session-name&DurationSeconds=3600"}, + {":authority", "sts.region.amazonaws.com"}, + {":scheme", "https"}, + {":method", "GET"}, + {"Accept", "application/json"}, + {"x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}, + {"x-amz-security-token", "token"}, + {"x-amz-date", "20180102T030405Z"}, + {"authorization", + "AWS4-HMAC-SHA256 Credential=akid/20180102/region/sts/aws4_request, " + "SignedHeaders=accept;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, " + "Signature=88533b93b82077848fa88b5d1fe69540a0916960fdd48a1df66b764dc73a6d9a"}}; + + // Use a custom expectation for this test to verify the DurationSeconds parameter. + EXPECT_CALL(*raw_metadata_fetcher_, fetch(messageMatches(headers_with_duration), _, _)) + .WillRepeatedly(Invoke( + [](Http::RequestMessage&, Tracing::Span&, MetadataFetcher::MetadataReceiver& receiver) { + receiver.onMetadataSuccess(std::move(R"EOF( { "AssumeRoleResponse": { "AssumeRoleResult": { @@ -645,6 +665,7 @@ TEST_F(AssumeRoleCredentialsProviderTest, WithSessionDuration) { } } )EOF")); + })); // Setup provider with session duration ON_CALL(context_, clusterManager()).WillByDefault(ReturnRef(cluster_manager_)); @@ -862,6 +883,90 @@ TEST_F(AssumeRoleCredentialsProviderTest, CredentialsPendingReturn) { delete (raw_metadata_fetcher_); } +TEST_F(AssumeRoleCredentialsProviderTest, WithExternalId) { + timer_ = new NiceMock(&context_.dispatcher_); + + // Custom matcher for request with external ID parameter. + Http::TestRequestHeaderMapImpl headers_with_external_id{ + {":path", "/?Version=2011-06-15&Action=AssumeRole&RoleArn=aws:iam::123456789012:role/" + "arn&RoleSessionName=role-session-name&ExternalId=test-external-id"}, + {":authority", "sts.region.amazonaws.com"}, + {":scheme", "https"}, + {":method", "GET"}, + {"Accept", "application/json"}, + {"x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}, + {"x-amz-security-token", "token"}, + {"x-amz-date", "20180102T030405Z"}, + {"authorization", + "AWS4-HMAC-SHA256 Credential=akid/20180102/region/sts/aws4_request, " + "SignedHeaders=accept;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, " + "Signature=cc05851f97c3e6c1d8c28c205a1dcbb6248a944375f3e7b349800c2b3744fc48"}}; + + EXPECT_CALL(*raw_metadata_fetcher_, fetch(messageMatches(headers_with_external_id), _, _)) + .WillRepeatedly(Invoke( + [](Http::RequestMessage&, Tracing::Span&, MetadataFetcher::MetadataReceiver& receiver) { + receiver.onMetadataSuccess(std::move(R"EOF( +{ + "AssumeRoleResponse": { + "AssumeRoleResult": { + "Credentials": { + "AccessKeyId": "test-access-key", + "SecretAccessKey": "test-secret-key", + "SessionToken": "test-session-token" + } + } + } +} +)EOF")); + })); + + // Setup provider with external ID. + ON_CALL(context_, clusterManager()).WillByDefault(ReturnRef(cluster_manager_)); + envoy::extensions::common::aws::v3::AssumeRoleCredentialProvider cred_provider = {}; + cred_provider.set_role_arn("aws:iam::123456789012:role/arn"); + cred_provider.set_role_session_name("role-session-name"); + cred_provider.set_external_id("test-external-id"); + + mock_manager_ = std::make_shared(); + EXPECT_CALL(*mock_manager_, getUriFromClusterName(_)) + .WillRepeatedly(Return("sts.region.amazonaws.com:443")); + + auto cluster_name = "credentials_provider_cluster"; + envoy::extensions::common::aws::v3::AwsCredentialProvider defaults; + envoy::extensions::common::aws::v3::EnvironmentCredentialProvider env_provider; + TestEnvironment::setEnvVar("AWS_ACCESS_KEY_ID", "akid", 1); + TestEnvironment::setEnvVar("AWS_SECRET_ACCESS_KEY", "secret", 1); + TestEnvironment::setEnvVar("AWS_SESSION_TOKEN", "token", 1); + + defaults.mutable_environment_credential_provider()->CopyFrom(env_provider); + auto credentials_provider_chain = + std::make_shared(context_, "region", + defaults); + auto signer = std::make_unique( + STS_SERVICE_NAME, "region", credentials_provider_chain, context_, + Extensions::Common::Aws::AwsSigningHeaderExclusionVector{}); + + provider_ = std::make_shared( + context_, mock_manager_, cluster_name, + [this](Upstream::ClusterManager&, absl::string_view) { + metadata_fetcher_.reset(raw_metadata_fetcher_); + return std::move(metadata_fetcher_); + }, + "region", MetadataFetcher::MetadataReceiver::RefreshState::Ready, std::chrono::seconds(2), + std::move(signer), cred_provider); + + timer_->enableTimer(std::chrono::milliseconds(1), nullptr); + EXPECT_CALL(*timer_, enableTimer(_, nullptr)); + + auto provider_friend = MetadataCredentialsProviderBaseFriend(provider_); + provider_friend.onClusterAddOrUpdate(); + timer_->invokeCallback(); + + const auto credentials = provider_->getCredentials(); + EXPECT_TRUE(credentials.accessKeyId().has_value()); + EXPECT_EQ("test-access-key", credentials.accessKeyId().value()); +} + } // namespace Aws } // namespace Common } // namespace Extensions From 0c7818d537cb0ea8f7c0ccf7a0028e02acdd764d Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Thu, 21 Aug 2025 20:35:31 -0400 Subject: [PATCH 272/505] Use uint64_t for buffer watermark values (#40745) This is needed to support the new `request_body_buffer_limit` route configuration. WatermarkBufferTest.OverflowWatermarkDisabledOnVeryHighValue had to be refactored to not used allocations as it is no longer practical with 64 bit limit and 32 bit multiplier. Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Yan Avlasov --- .../network/test/postgres_decoder_test.cc | 4 +- envoy/buffer/buffer.h | 4 +- envoy/http/filter.h | 4 +- source/common/buffer/buffer_impl.h | 4 +- source/common/buffer/watermark_buffer.cc | 5 +- source/common/buffer/watermark_buffer.h | 12 +++-- source/common/http/async_client_impl.h | 6 +-- source/common/http/filter_manager.cc | 6 +-- source/common/http/filter_manager.h | 10 ++-- source/common/tcp_proxy/tcp_proxy.h | 4 +- test/common/buffer/buffer_fuzz.cc | 4 +- test/common/buffer/watermark_buffer_test.cc | 48 ++++++------------- test/integration/tracked_watermark_buffer.cc | 8 ++-- test/integration/tracked_watermark_buffer.h | 10 ++-- test/mocks/http/mocks.h | 4 +- 15 files changed, 57 insertions(+), 76 deletions(-) diff --git a/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc index f4be5d2973d8b..cb6f420e25165 100644 --- a/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc +++ b/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc @@ -728,8 +728,8 @@ class FakeBuffer : public Buffer::Instance { MOCK_METHOD(ssize_t, search, (const void*, uint64_t, size_t, size_t), (const, override)); MOCK_METHOD(bool, startsWith, (absl::string_view), (const, override)); MOCK_METHOD(std::string, toString, (), (const, override)); - MOCK_METHOD(void, setWatermarks, (uint32_t, uint32_t), (override)); - MOCK_METHOD(uint32_t, highWatermark, (), (const, override)); + MOCK_METHOD(void, setWatermarks, (uint64_t, uint32_t), (override)); + MOCK_METHOD(uint64_t, highWatermark, (), (const, override)); MOCK_METHOD(bool, highWatermarkTriggered, (), (const, override)); MOCK_METHOD(size_t, addFragments, (absl::Span)); }; diff --git a/envoy/buffer/buffer.h b/envoy/buffer/buffer.h index bd53cade2a8d0..0e0a7f7b2ab8f 100644 --- a/envoy/buffer/buffer.h +++ b/envoy/buffer/buffer.h @@ -506,13 +506,13 @@ class Instance { * If set to non-zero, overflow callbacks will be called if the * buffered data exceeds watermark * overflow_multiplier. */ - virtual void setWatermarks(uint32_t watermark, uint32_t overflow_multiplier = 0) PURE; + virtual void setWatermarks(uint64_t watermark, uint32_t overflow_multiplier = 0) PURE; /** * Returns the configured high watermark. A return value of 0 indicates that watermark * functionality is disabled. */ - virtual uint32_t highWatermark() const PURE; + virtual uint64_t highWatermark() const PURE; /** * Determine if the buffer watermark trigger condition is currently set. The watermark trigger is * set when the buffer size exceeds the configured high watermark and is cleared once the buffer diff --git a/envoy/http/filter.h b/envoy/http/filter.h index 91d59de40b3e7..8c79afcaf84d8 100644 --- a/envoy/http/filter.h +++ b/envoy/http/filter.h @@ -766,7 +766,7 @@ class StreamDecoderFilterCallbacks : public virtual StreamFilterCallbacks { * * @param limit supplies the desired buffer limit. */ - virtual void setDecoderBufferLimit(uint32_t limit) PURE; + virtual void setDecoderBufferLimit(uint64_t limit) PURE; /** * This routine returns the current buffer limit for decoder filters. Filters should abide by @@ -775,7 +775,7 @@ class StreamDecoderFilterCallbacks : public virtual StreamFilterCallbacks { * * @return the buffer limit the filter should apply. */ - virtual uint32_t decoderBufferLimit() PURE; + virtual uint64_t decoderBufferLimit() PURE; /** * @return the account, if any, used by this stream. diff --git a/source/common/buffer/buffer_impl.h b/source/common/buffer/buffer_impl.h index f9f7f5632401a..72cca4ba9b1a2 100644 --- a/source/common/buffer/buffer_impl.h +++ b/source/common/buffer/buffer_impl.h @@ -699,8 +699,8 @@ class OwnedImpl : public LibEventInstance { // Does not implement watermarking. // TODO(antoniovicente) Implement watermarks by merging the OwnedImpl and WatermarkBuffer // implementations. Also, make high-watermark config a constructor argument. - void setWatermarks(uint32_t, uint32_t) override { ASSERT(false, "watermarks not implemented."); } - uint32_t highWatermark() const override { return 0; } + void setWatermarks(uint64_t, uint32_t) override { ASSERT(false, "watermarks not implemented."); } + uint64_t highWatermark() const override { return 0; } bool highWatermarkTriggered() const override { return false; } /** diff --git a/source/common/buffer/watermark_buffer.cc b/source/common/buffer/watermark_buffer.cc index bc9d6629c5e69..47bf4d5a706ad 100644 --- a/source/common/buffer/watermark_buffer.cc +++ b/source/common/buffer/watermark_buffer.cc @@ -116,11 +116,10 @@ size_t WatermarkBuffer::addFragments(absl::Span fragmen return total_size_to_write; } -void WatermarkBuffer::setWatermarks(uint32_t high_watermark, +void WatermarkBuffer::setWatermarks(uint64_t high_watermark, uint32_t overflow_watermark_multiplier) { if (overflow_watermark_multiplier > 0 && - (static_cast(overflow_watermark_multiplier) * high_watermark) > - std::numeric_limits::max()) { + (high_watermark > std::numeric_limits::max() / overflow_watermark_multiplier)) { ENVOY_LOG_MISC(debug, "Error setting overflow threshold: overflow_watermark_multiplier * " "high_watermark is overflowing. Disabling overflow watermark."); overflow_watermark_multiplier = 0; diff --git a/source/common/buffer/watermark_buffer.h b/source/common/buffer/watermark_buffer.h index c9de30551a4c0..18c5df1cb0007 100644 --- a/source/common/buffer/watermark_buffer.h +++ b/source/common/buffer/watermark_buffer.h @@ -45,8 +45,8 @@ class WatermarkBuffer : public OwnedImpl { void appendSliceForTest(const void* data, uint64_t size) override; void appendSliceForTest(absl::string_view data) override; - void setWatermarks(uint32_t high_watermark, uint32_t overflow_watermark = 0) override; - uint32_t highWatermark() const override { return high_watermark_; } + void setWatermarks(uint64_t high_watermark, uint32_t overflow_watermark = 0) override; + uint64_t highWatermark() const override { return high_watermark_; } // Returns true if the high watermark callbacks have been called more recently // than the low watermark callbacks. bool highWatermarkTriggered() const override { return above_high_watermark_called_; } @@ -55,6 +55,8 @@ class WatermarkBuffer : public OwnedImpl { virtual void checkHighAndOverflowWatermarks(); virtual void checkLowWatermark(); + uint64_t overflowWatermarkForTestOnly() const { return overflow_watermark_; } + private: void commit(uint64_t length, absl::Span slices, ReservationSlicesOwnerPtr slices_owner) override; @@ -65,9 +67,9 @@ class WatermarkBuffer : public OwnedImpl { // Used for enforcing buffer limits (off by default). If these are set to non-zero by a call to // setWatermarks() the watermark callbacks will be called as described above. - uint32_t high_watermark_{0}; - uint32_t low_watermark_{0}; - uint32_t overflow_watermark_{0}; + uint64_t high_watermark_{0}; + uint64_t low_watermark_{0}; + uint64_t overflow_watermark_{0}; // Tracks the latest state of watermark callbacks. // True between the time above_high_watermark_ has been called until below_low_watermark_ has // been called. diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h index 9e0bc1248dda6..eedb6e17ad4fc 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h @@ -230,10 +230,10 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, void removeDownstreamWatermarkCallbacks(DownstreamWatermarkCallbacks&) override {} void sendGoAwayAndClose() override {} - void setDecoderBufferLimit(uint32_t) override { + void setDecoderBufferLimit(uint64_t) override { IS_ENVOY_BUG("decoder buffer limits should not be overridden on async streams."); } - uint32_t decoderBufferLimit() override { return buffer_limit_.value_or(0); } + uint64_t decoderBufferLimit() override { return buffer_limit_.value_or(0); } bool recreateStream(const ResponseHeaderMap*) override { return false; } const ScopeTrackedObject& scope() override { return *this; } void restoreContextOnContinue(ScopeTrackedObjectStack& tracked_object_stack) override { @@ -285,7 +285,7 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, bool remote_closed_{}; Buffer::InstancePtr buffered_body_; Buffer::BufferMemoryAccountSharedPtr account_{nullptr}; - absl::optional buffer_limit_{absl::nullopt}; + absl::optional buffer_limit_{absl::nullopt}; RequestHeaderMap* request_headers_{}; RequestTrailerMap* request_trailers_{}; bool encoded_response_headers_{}; diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc index 9c34168e1fca8..71301fc84483c 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc @@ -1633,7 +1633,7 @@ void FilterManager::callLowWatermarkCallbacks() { } } -void FilterManager::setBufferLimit(uint32_t new_limit) { +void FilterManager::setBufferLimit(uint64_t new_limit) { ENVOY_STREAM_LOG(debug, "setting buffer limit to {}", *this, new_limit); buffer_limit_ = new_limit; if (buffered_request_data_) { @@ -1748,11 +1748,11 @@ void ActiveStreamDecoderFilter::removeDownstreamWatermarkCallbacks( parent_.watermark_callbacks_.remove(&watermark_callbacks); } -void ActiveStreamDecoderFilter::setDecoderBufferLimit(uint32_t limit) { +void ActiveStreamDecoderFilter::setDecoderBufferLimit(uint64_t limit) { parent_.setBufferLimit(limit); } -uint32_t ActiveStreamDecoderFilter::decoderBufferLimit() { return parent_.buffer_limit_; } +uint64_t ActiveStreamDecoderFilter::decoderBufferLimit() { return parent_.buffer_limit_; } bool ActiveStreamDecoderFilter::recreateStream(const ResponseHeaderMap* headers) { // Because the filter's and the HCM view of if the stream has a body and if diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h index 0ec304f94c06c..5f1b179e91fc8 100644 --- a/source/common/http/filter_manager.h +++ b/source/common/http/filter_manager.h @@ -289,8 +289,8 @@ struct ActiveStreamDecoderFilter : public ActiveStreamFilterBase, void addDownstreamWatermarkCallbacks(DownstreamWatermarkCallbacks& watermark_callbacks) override; void removeDownstreamWatermarkCallbacks(DownstreamWatermarkCallbacks& watermark_callbacks) override; - void setDecoderBufferLimit(uint32_t limit) override; - uint32_t decoderBufferLimit() override; + void setDecoderBufferLimit(uint64_t limit) override; + uint64_t decoderBufferLimit() override; bool recreateStream(const Http::ResponseHeaderMap* original_response_headers) override; void addUpstreamSocketOptions(const Network::Socket::OptionsSharedPtr& options) override; @@ -682,7 +682,7 @@ class FilterManager : public ScopeTrackedObject, FilterManager(FilterManagerCallbacks& filter_manager_callbacks, Event::Dispatcher& dispatcher, OptRef connection, uint64_t stream_id, Buffer::BufferMemoryAccountSharedPtr account, bool proxy_100_continue, - uint32_t buffer_limit) + uint64_t buffer_limit) : filter_manager_callbacks_(filter_manager_callbacks), dispatcher_(dispatcher), connection_(connection), stream_id_(stream_id), account_(std::move(account)), proxy_100_continue_(proxy_100_continue), buffer_limit_(buffer_limit) {} @@ -800,7 +800,7 @@ class FilterManager : public ScopeTrackedObject, virtual void executeLocalReplyIfPrepared() PURE; // Possibly increases buffer_limit_ to the value of limit. - void setBufferLimit(uint32_t limit); + void setBufferLimit(uint64_t limit); /** * @return bool whether any above high watermark triggers are currently active @@ -1114,7 +1114,7 @@ class FilterManager : public ScopeTrackedObject, std::unique_ptr request_metadata_map_vector_; Buffer::InstancePtr buffered_response_data_; Buffer::InstancePtr buffered_request_data_; - uint32_t buffer_limit_{0}; + uint64_t buffer_limit_{0}; uint32_t high_watermark_count_{0}; std::list watermark_callbacks_; Network::Socket::OptionsSharedPtr upstream_options_ = diff --git a/source/common/tcp_proxy/tcp_proxy.h b/source/common/tcp_proxy/tcp_proxy.h index a4cd362afdda8..6a63e8b81d5a9 100644 --- a/source/common/tcp_proxy/tcp_proxy.h +++ b/source/common/tcp_proxy/tcp_proxy.h @@ -548,8 +548,8 @@ class Filter : public Network::ReadFilter, } void addDownstreamWatermarkCallbacks(Http::DownstreamWatermarkCallbacks&) override {} void removeDownstreamWatermarkCallbacks(Http::DownstreamWatermarkCallbacks&) override {} - void setDecoderBufferLimit(uint32_t) override {} - uint32_t decoderBufferLimit() override { return 0; } + void setDecoderBufferLimit(uint64_t) override {} + uint64_t decoderBufferLimit() override { return 0; } bool recreateStream(const Http::ResponseHeaderMap*) override { return false; } void addUpstreamSocketOptions(const Network::Socket::OptionsSharedPtr&) override {} Network::Socket::OptionsSharedPtr getUpstreamSocketOptions() const override { return nullptr; } diff --git a/test/common/buffer/buffer_fuzz.cc b/test/common/buffer/buffer_fuzz.cc index bb6903d9c0894..3377befecc515 100644 --- a/test/common/buffer/buffer_fuzz.cc +++ b/test/common/buffer/buffer_fuzz.cc @@ -216,14 +216,14 @@ class StringBuffer : public Buffer::Instance { return total_size_to_write; } - void setWatermarks(uint32_t, uint32_t) override { + void setWatermarks(uint64_t, uint32_t) override { // Not implemented. // TODO(antoniovicente) Implement and add fuzz coverage as we merge the Buffer::OwnedImpl and // WatermarkBuffer implementations. ASSERT(false); } - uint32_t highWatermark() const override { return 0; } + uint64_t highWatermark() const override { return 0; } bool highWatermarkTriggered() const override { return false; } absl::string_view asStringView() const { return {start(), size_}; } diff --git a/test/common/buffer/watermark_buffer_test.cc b/test/common/buffer/watermark_buffer_test.cc index 46585eefab5d3..3473db20de37d 100644 --- a/test/common/buffer/watermark_buffer_test.cc +++ b/test/common/buffer/watermark_buffer_test.cc @@ -442,47 +442,27 @@ TEST_F(WatermarkBufferTest, OverflowWatermarkDisabled) { EXPECT_EQ(21, buffer1.length()); } +class TestWatermarkBuffer : public Buffer::WatermarkBuffer { +public: + using WatermarkBuffer::overflowWatermarkForTestOnly; + using WatermarkBuffer::WatermarkBuffer; +}; + TEST_F(WatermarkBufferTest, OverflowWatermarkDisabledOnVeryHighValue) { -// Disabling execution with TSAN as it causes the test to use too much memory -// and time, making the test fail in some settings (such as CI) -#if defined(__has_feature) && (__has_feature(thread_sanitizer) || __has_feature(memory_sanitizer)) - ENVOY_LOG_MISC(critical, "WatermarkBufferTest::OverflowWatermarkDisabledOnVeryHighValue not " - "supported by this compiler configuration"); -#else // Verifies that the overflow watermark is disabled when its value is higher - // than uint32_t max value - int high_watermark_buffer1 = 0; - int overflow_watermark_buffer1 = 0; - Buffer::WatermarkBuffer buffer1{[&]() -> void {}, [&]() -> void { ++high_watermark_buffer1; }, - [&]() -> void { ++overflow_watermark_buffer1; }}; + // than uint64_t max value + TestWatermarkBuffer buffer1{[&]() -> void {}, [&]() -> void {}, [&]() -> void {}}; // Make sure the overflow threshold will be above std::numeric_limits::max() const uint64_t overflow_multiplier = 3; - const uint32_t high_watermark_threshold = - (std::numeric_limits::max() / overflow_multiplier) + 1; + uint64_t high_watermark_threshold = + (std::numeric_limits::max() / overflow_multiplier) + 1; buffer1.setWatermarks(high_watermark_threshold, overflow_multiplier); + EXPECT_EQ(buffer1.overflowWatermarkForTestOnly(), 0); - // Add many segments instead of full uint32_t::max to get around std::bad_alloc exception - const uint32_t segment_denominator = 128; - const uint32_t big_segment_len = std::numeric_limits::max() / segment_denominator + 1; - for (uint32_t i = 0; i < segment_denominator; ++i) { - auto reservation = buffer1.reserveSingleSlice(big_segment_len); - reservation.commit(big_segment_len); - } - EXPECT_GT(buffer1.length(), std::numeric_limits::max()); - EXPECT_LT(buffer1.length(), high_watermark_threshold * overflow_multiplier); - EXPECT_EQ(1, high_watermark_buffer1); - EXPECT_EQ(0, overflow_watermark_buffer1); - - // Reserve and commit additional space on the buffer beyond the expected - // high_watermark_threshold * overflow_multiplier threshold. - const uint64_t size = high_watermark_threshold * overflow_multiplier - buffer1.length() + 1; - auto reservation = buffer1.reserveSingleSlice(size); - reservation.commit(size); - EXPECT_EQ(buffer1.length(), high_watermark_threshold * overflow_multiplier + 1); - EXPECT_EQ(1, high_watermark_buffer1); - EXPECT_EQ(0, overflow_watermark_buffer1); -#endif + high_watermark_threshold = (std::numeric_limits::max() / overflow_multiplier) - 1; + buffer1.setWatermarks(high_watermark_threshold, overflow_multiplier); + EXPECT_EQ(buffer1.overflowWatermarkForTestOnly(), high_watermark_threshold * overflow_multiplier); } TEST_F(WatermarkBufferTest, OverflowWatermarkEqualHighWatermark) { diff --git a/test/integration/tracked_watermark_buffer.cc b/test/integration/tracked_watermark_buffer.cc index 664036e279235..175cf83c5a44c 100644 --- a/test/integration/tracked_watermark_buffer.cc +++ b/test/integration/tracked_watermark_buffer.cc @@ -141,14 +141,14 @@ uint64_t TrackedWatermarkBufferFactory::sumMaxBufferSizes() const { return val; } -std::pair TrackedWatermarkBufferFactory::highWatermarkRange() const { +std::pair TrackedWatermarkBufferFactory::highWatermarkRange() const { absl::MutexLock lock(&mutex_); - uint32_t min_watermark = 0; - uint32_t max_watermark = 0; + uint64_t min_watermark = 0; + uint64_t max_watermark = 0; bool watermarks_set = false; for (auto& item : buffer_infos_) { - uint32_t watermark = item.second.watermark_; + uint64_t watermark = item.second.watermark_; if (watermark == 0) { max_watermark = 0; watermarks_set = true; diff --git a/test/integration/tracked_watermark_buffer.h b/test/integration/tracked_watermark_buffer.h index 8ede6a903f476..4af467b3f5fc8 100644 --- a/test/integration/tracked_watermark_buffer.h +++ b/test/integration/tracked_watermark_buffer.h @@ -20,7 +20,7 @@ class TrackedWatermarkBuffer : public Buffer::WatermarkBuffer { public: TrackedWatermarkBuffer( std::function update_size, - std::function update_high_watermark, + std::function update_high_watermark, std::function on_delete, std::function on_bind, std::function below_low_watermark, std::function above_high_watermark, @@ -30,7 +30,7 @@ class TrackedWatermarkBuffer : public Buffer::WatermarkBuffer { on_delete_(on_delete), on_bind_(on_bind) {} ~TrackedWatermarkBuffer() override { on_delete_(this); } - void setWatermarks(uint32_t watermark, uint32_t overload) override { + void setWatermarks(uint64_t watermark, uint32_t overload) override { update_high_watermark_(watermark); WatermarkBuffer::setWatermarks(watermark, overload); } @@ -53,7 +53,7 @@ class TrackedWatermarkBuffer : public Buffer::WatermarkBuffer { private: std::function update_size_; - std::function update_high_watermark_; + std::function update_high_watermark_; std::function on_delete_; std::function on_bind_; }; @@ -85,7 +85,7 @@ class TrackedWatermarkBufferFactory : public WatermarkBufferFactory { uint64_t sumMaxBufferSizes() const; // Get lower and upper bound on buffer high watermarks. A watermark of 0 indicates that watermark // functionality is disabled. - std::pair highWatermarkRange() const; + std::pair highWatermarkRange() const; // Number of accounts created. uint64_t numAccountsCreated() const; @@ -152,7 +152,7 @@ class TrackedWatermarkBufferFactory : public WatermarkBufferFactory { void checkIfExpectedBalancesMet() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_); struct BufferInfo { - uint32_t watermark_ = 0; + uint64_t watermark_ = 0; uint64_t current_size_ = 0; uint64_t max_size_ = 0; }; diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index 5eb005aaace20..88ef777490e26 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -277,8 +277,8 @@ class MockStreamDecoderFilterCallbacks : public StreamDecoderFilterCallbacks, MOCK_METHOD(void, onDecoderFilterBelowWriteBufferLowWatermark, ()); MOCK_METHOD(void, addDownstreamWatermarkCallbacks, (DownstreamWatermarkCallbacks&)); MOCK_METHOD(void, removeDownstreamWatermarkCallbacks, (DownstreamWatermarkCallbacks&)); - MOCK_METHOD(void, setDecoderBufferLimit, (uint32_t)); - MOCK_METHOD(uint32_t, decoderBufferLimit, ()); + MOCK_METHOD(void, setDecoderBufferLimit, (uint64_t)); + MOCK_METHOD(uint64_t, decoderBufferLimit, ()); MOCK_METHOD(bool, recreateStream, (const ResponseHeaderMap* headers)); MOCK_METHOD(void, sendGoAwayAndClose, ()); MOCK_METHOD(void, addUpstreamSocketOptions, (const Network::Socket::OptionsSharedPtr& options)); From 1c1fc145aac2fce7048557e9024396bfb4839f48 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 04:53:18 +0000 Subject: [PATCH 273/505] reverse conn upstream interface: split into different classes Signed-off-by: Basundhara Chakrabarty --- api/BUILD | 2 +- .../upstream_socket_interface}/v3/BUILD | 4 +- ..._reverse_connection_socket_interface.proto | 8 +- api/versioning/BUILD | 2 +- .../bootstrap/reverse_tunnel/common/BUILD | 22 + .../reverse_connection_utility.cc | 2 +- .../{ => common}/reverse_connection_utility.h | 0 .../reverse_tunnel/reverse_tunnel_acceptor.h | 434 ---- .../upstream_socket_interface/BUILD | 74 + .../reverse_tunnel_acceptor.cc | 154 ++ .../reverse_tunnel_acceptor.h | 177 ++ .../reverse_tunnel_acceptor_extension.cc | 282 +++ .../reverse_tunnel_acceptor_extension.h | 179 ++ .../upstream_socket_manager.cc} | 405 +--- .../upstream_socket_manager.h | 140 ++ source/extensions/extensions_build_config.bzl | 3 +- source/extensions/extensions_metadata.yaml | 4 +- .../bootstrap/reverse_tunnel/common/BUILD | 25 + .../reverse_connection_utility_test.cc | 2 +- .../reverse_tunnel_acceptor_test.cc | 1801 ----------------- .../upstream_socket_interface/BUILD | 94 + .../config_validation_test.cc | 56 + .../reverse_tunnel_acceptor_extension_test.cc | 347 ++++ .../reverse_tunnel_acceptor_test.cc | 241 +++ ...tream_reverse_connection_io_handle_test.cc | 109 + .../upstream_socket_manager_test.cc | 763 +++++++ 26 files changed, 2681 insertions(+), 2649 deletions(-) rename api/envoy/extensions/bootstrap/{reverse_connection_socket_interface => reverse_tunnel/upstream_socket_interface}/v3/BUILD (72%) rename api/envoy/extensions/bootstrap/{reverse_connection_socket_interface => reverse_tunnel/upstream_socket_interface}/v3/upstream_reverse_connection_socket_interface.proto (68%) create mode 100644 source/extensions/bootstrap/reverse_tunnel/common/BUILD rename source/extensions/bootstrap/reverse_tunnel/{ => common}/reverse_connection_utility.cc (97%) rename source/extensions/bootstrap/reverse_tunnel/{ => common}/reverse_connection_utility.h (100%) delete mode 100644 source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h rename source/extensions/bootstrap/reverse_tunnel/{reverse_tunnel_acceptor.cc => upstream_socket_interface/upstream_socket_manager.cc} (50%) create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h create mode 100644 test/extensions/bootstrap/reverse_tunnel/common/BUILD rename test/extensions/bootstrap/reverse_tunnel/{ => common}/reverse_connection_utility_test.cc (98%) delete mode 100644 test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc diff --git a/api/BUILD b/api/BUILD index 150f133a9e328..c353fa6e39d80 100644 --- a/api/BUILD +++ b/api/BUILD @@ -137,7 +137,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", - "//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", "//envoy/extensions/clusters/dns/v3:pkg", diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD similarity index 72% rename from api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD rename to api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD index b514f18ab81a3..29ebf0741406e 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/BUILD +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD @@ -5,7 +5,5 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = [ - "@com_github_cncf_xds//udpa/annotations:pkg", - ], + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], ) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto similarity index 68% rename from api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto rename to api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index 80210fe008d9c..8256baccbe88d 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -1,17 +1,17 @@ syntax = "proto3"; -package envoy.extensions.bootstrap.reverse_connection_socket_interface.v3; +package envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3; import "udpa/annotations/status.proto"; -option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_connection_socket_interface.v3"; +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3"; option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto"; option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3;reverse_connection_socket_interfacev3"; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3;upstream_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Bootstrap settings for Upstream Reverse Connection Socket Interface] -// [#extension: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface] +// [#extension: envoy.bootstrap.reverse_tunnel.upstream_socket_interface] // Configuration for the upstream reverse connection socket interface. message UpstreamReverseConnectionSocketInterface { diff --git a/api/versioning/BUILD b/api/versioning/BUILD index de7803639db9d..221ca73b7751d 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -75,7 +75,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", - "//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", "//envoy/extensions/clusters/dns/v3:pkg", diff --git a/source/extensions/bootstrap/reverse_tunnel/common/BUILD b/source/extensions/bootstrap/reverse_tunnel/common/BUILD new file mode 100644 index 0000000000000..5388185785ceb --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/common/BUILD @@ -0,0 +1,22 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "reverse_connection_utility_lib", + srcs = ["reverse_connection_utility.cc"], + hdrs = ["reverse_connection_utility.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/network:connection_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + ], +) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc similarity index 97% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc rename to source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc index b221d9adf33e6..be2bbf3f5d099 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.cc +++ b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc @@ -1,4 +1,4 @@ -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/assert.h" diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h rename to source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h deleted file mode 100644 index f8a7a0e258a74..0000000000000 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h +++ /dev/null @@ -1,434 +0,0 @@ -#pragma once - -#include - -#include -#include - -#include "envoy/event/dispatcher.h" -#include "envoy/event/timer.h" -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" -#include "envoy/network/io_handle.h" -#include "envoy/network/listen_socket.h" -#include "envoy/network/socket.h" -#include "envoy/registry/registry.h" -#include "envoy/server/bootstrap_extension_config.h" -#include "envoy/stats/scope.h" -#include "envoy/stats/stats_macros.h" -#include "envoy/thread_local/thread_local.h" - -#include "source/common/common/random_generator.h" -#include "source/common/network/io_socket_handle_impl.h" -#include "source/common/network/socket_interface.h" - -namespace Envoy { -namespace Extensions { -namespace Bootstrap { -namespace ReverseConnection { - -// Forward declarations -class ReverseTunnelAcceptor; -class ReverseTunnelAcceptorExtension; -class UpstreamSocketManager; - -/** - * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. - * This class implements RAII principles to ensure proper socket cleanup and provides - * reverse connection semantics where the connection is already established. - */ -class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { -public: - /** - * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. - * - * @param socket the reverse connection socket to own and manage. - * @param cluster_name the name of the cluster this connection belongs to. - */ - UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, - const std::string& cluster_name); - - ~UpstreamReverseConnectionIOHandle() override; - - // Network::IoHandle overrides - /** - * Override of connect method for reverse connections. - * For reverse connections, the connection is already established so this method - * is a no-op and always returns success. - * - * @param address the target address (unused for reverse connections). - * @return SysCallIntResult with success status (0, 0). - */ - Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; - - /** - * Override of close method for reverse connections. - * Cleans up the owned socket and calls the parent close method. - * - * @return IoCallUint64Result indicating the result of the close operation. - */ - Api::IoCallUint64Result close() override; - - /** - * Get the owned socket for read-only operations. - * - * @return const reference to the owned socket. - */ - const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } - -private: - // The name of the cluster this reverse connection belongs to. - std::string cluster_name_; - // The socket that this IOHandle owns and manages lifetime for. - Network::ConnectionSocketPtr owned_socket_; -}; - -/** - * Thread local storage for ReverseTunnelAcceptor. - */ -class UpstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { -public: - /** - * Creates a new socket manager instance for the given dispatcher. - * @param dispatcher the thread-local dispatcher. - * @param extension the upstream extension for stats integration. - */ - UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, - ReverseTunnelAcceptorExtension* extension = nullptr) - : dispatcher_(dispatcher), - socket_manager_(std::make_unique(dispatcher, extension)) {} - - /** - * @return reference to the thread-local dispatcher. - */ - Event::Dispatcher& dispatcher() { return dispatcher_; } - - /** - * @return pointer to the thread-local socket manager. - */ - UpstreamSocketManager* socketManager() { return socket_manager_.get(); } - const UpstreamSocketManager* socketManager() const { return socket_manager_.get(); } - -private: - // Thread-local dispatcher. - Event::Dispatcher& dispatcher_; - // Thread-local socket manager. - std::unique_ptr socket_manager_; -}; - -/** - * Socket interface that creates upstream reverse connection sockets. - * Manages cached reverse TCP connections and provides them when requested. - */ -class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, - public Envoy::Logger::Loggable { -public: - /** - * Constructs a ReverseTunnelAcceptor with the given server factory context. - * - * @param context the server factory context for this socket interface. - */ - ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context); - - ReverseTunnelAcceptor() : extension_(nullptr), context_(nullptr) {} - - // SocketInterface overrides - /** - * Create a socket without a specific address (no-op for reverse connections). - * @param socket_type the type of socket to create. - * @param addr_type the address type. - * @param version the IP version. - * @param socket_v6only whether to create IPv6-only socket. - * @param options socket creation options. - * @return nullptr since reverse connections require specific addresses. - */ - Envoy::Network::IoHandlePtr - socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, bool socket_v6only, - const Envoy::Network::SocketCreationOptions& options) const override; - - /** - * Create a socket with a specific address. - * @param socket_type the type of socket to create. - * @param addr the address to bind to. - * @param options socket creation options. - * @return IoHandlePtr for the reverse connection socket. - */ - Envoy::Network::IoHandlePtr - socket(Envoy::Network::Socket::Type socket_type, - const Envoy::Network::Address::InstanceConstSharedPtr addr, - const Envoy::Network::SocketCreationOptions& options) const override; - - /** - * @param domain the IP family domain (AF_INET, AF_INET6). - * @return true if the family is supported. - */ - bool ipFamilySupported(int domain) override; - - /** - * @return pointer to the thread-local registry, or nullptr if not available. - */ - UpstreamSocketThreadLocal* getLocalRegistry() const; - - /** - * Create a bootstrap extension for this socket interface. - * @param config the config. - * @param context the server factory context. - * @return BootstrapExtensionPtr for the socket interface extension. - */ - Server::BootstrapExtensionPtr - createBootstrapExtension(const Protobuf::Message& config, - Server::Configuration::ServerFactoryContext& context) override; - - /** - * @return MessagePtr containing the empty configuration. - */ - ProtobufTypes::MessagePtr createEmptyConfigProto() override; - - /** - * @return the interface name. - */ - std::string name() const override { - return "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"; - } - - /** - * @return pointer to the extension for cross-thread aggregation. - */ - ReverseTunnelAcceptorExtension* getExtension() const { return extension_; } - - ReverseTunnelAcceptorExtension* extension_{nullptr}; - -private: - Server::Configuration::ServerFactoryContext* context_; -}; - -/** - * Socket interface extension for upstream reverse connections. - */ -class ReverseTunnelAcceptorExtension - : public Envoy::Network::SocketInterfaceExtension, - public Envoy::Logger::Loggable { - // Friend class for testing - friend class ReverseTunnelAcceptorExtensionTest; - -public: - /** - * @param sock_interface the socket interface to extend. - * @param context the server factory context. - * @param config the configuration for this extension. - */ - ReverseTunnelAcceptorExtension( - Envoy::Network::SocketInterface& sock_interface, - Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface& config) - : Envoy::Network::SocketInterfaceExtension(sock_interface), context_(context), - socket_interface_(static_cast(&sock_interface)) { - ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension: creating upstream reverse connection " - "socket interface with stat_prefix: {}", - stat_prefix_); - stat_prefix_ = - PROTOBUF_GET_STRING_OR_DEFAULT(config, stat_prefix, "upstream_reverse_connection"); - } - - /** - * Called when the server is initialized. - */ - void onServerInitialized() override; - - /** - * Called when a worker thread is initialized. - */ - void onWorkerThreadInitialized() override {} - - /** - * @return pointer to the thread-local registry, or nullptr if not available. - */ - UpstreamSocketThreadLocal* getLocalRegistry() const; - - /** - * @return reference to the stat prefix string. - */ - const std::string& statPrefix() const { return stat_prefix_; } - - /** - * Synchronous version for admin API endpoints that require immediate response on reverse - * connection stats. - * @param timeout_ms maximum time to wait for aggregation completion - * @return pair of or empty if timeout - */ - std::pair, std::vector> - getConnectionStatsSync(std::chrono::milliseconds timeout_ms = std::chrono::milliseconds(5000)); - - /** - * Get cross-worker aggregated reverse connection stats. - * @return map of node/cluster -> connection count across all worker threads. - */ - absl::flat_hash_map getCrossWorkerStatMap(); - - /** - * Update the cross-thread aggregated stats for the connection. - * @param node_id the node identifier for the connection. - * @param cluster_id the cluster identifier for the connection. - * @param increment whether to increment (true) or decrement (false) the connection count. - */ - void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, - bool increment); - - /** - * Update per-worker connection stats for debugging. - * @param node_id the node identifier for the connection. - * @param cluster_id the cluster identifier for the connection. - * @param increment whether to increment (true) or decrement (false) the connection count. - */ - void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, - bool increment); - - /** - * Get per-worker connection stats for debugging. - * @return map of node/cluster -> connection count for the current worker thread. - */ - absl::flat_hash_map getPerWorkerStatMap(); - - /** - * Get the stats scope for accessing global stats. - * @return reference to the stats scope. - */ - Stats::Scope& getStatsScope() const { return context_.scope(); } - - /** - * Test-only method to set the thread local slot. - * @param slot the thread local slot to set. - */ - void - setTestOnlyTLSRegistry(std::unique_ptr> slot) { - tls_slot_ = std::move(slot); - } - -private: - Server::Configuration::ServerFactoryContext& context_; - // Thread-local slot for storing the socket manager per worker thread. - std::unique_ptr> tls_slot_; - ReverseTunnelAcceptor* socket_interface_; - std::string stat_prefix_; -}; - -/** - * Thread-local socket manager for upstream reverse connections. - */ -class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, - public Logger::Loggable { - // Friend class for testing - friend class TestUpstreamSocketManager; - -public: - UpstreamSocketManager(Event::Dispatcher& dispatcher, - ReverseTunnelAcceptorExtension* extension = nullptr); - - ~UpstreamSocketManager(); - - // RPING message now handled by ReverseConnectionUtility - - /** - * Add accepted connection to socket manager. - * @param node_id node_id of initiating node. - * @param cluster_id cluster_id of receiving cluster. - * @param socket the socket to be added. - * @param ping_interval the interval at which ping keepalives are sent. - * @param rebalanced true if adding socket after rebalancing. - */ - void addConnectionSocket(const std::string& node_id, const std::string& cluster_id, - Network::ConnectionSocketPtr socket, - const std::chrono::seconds& ping_interval, bool rebalanced); - - /** - * Get an available reverse connection socket. - * @param node_id the node ID to get a socket for. - * @return the connection socket, or nullptr if none available. - */ - Network::ConnectionSocketPtr getConnectionSocket(const std::string& node_id); - - /** - * Mark connection socket dead and remove from internal maps. - * @param fd the FD for the socket to be marked dead. - */ - void markSocketDead(const int fd); - - /** - * Ping all active reverse connections for health checks. - */ - void pingConnections(); - - /** - * Ping reverse connections for a specific node. - * @param node_id the node ID whose connections should be pinged. - */ - void pingConnections(const std::string& node_id); - - /** - * Enable the ping timer if not already enabled. - * @param ping_interval the interval at which ping keepalives should be sent. - */ - void tryEnablePingTimer(const std::chrono::seconds& ping_interval); - - /** - * Clean up stale node entries when no active sockets remain. - * @param node_id the node ID to clean up. - */ - void cleanStaleNodeEntry(const std::string& node_id); - - /** - * Handle ping response from a reverse connection. - * @param io_handle the IO handle for the socket that sent the ping response. - */ - void onPingResponse(Network::IoHandle& io_handle); - - /** - * Get the upstream extension for stats integration. - * @return pointer to the upstream extension or nullptr if not available. - */ - ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } - /** - * Automatically discern whether the key is a node ID or cluster ID. - * @param key the key to get the node ID for. - * @return the node ID. - */ - std::string getNodeID(const std::string& key); - -private: - // Thread local dispatcher instance. - Event::Dispatcher& dispatcher_; - Random::RandomGeneratorPtr random_generator_; - - // Map of node IDs to connection sockets. - absl::flat_hash_map> - accepted_reverse_connections_; - - // Map from file descriptor to node ID. - absl::flat_hash_map fd_to_node_map_; - - // Map of node ID to cluster. - absl::flat_hash_map node_to_cluster_map_; - - // Map of cluster IDs to node IDs. - absl::flat_hash_map> cluster_to_node_map_; - - // File events and timers for ping functionality. - absl::flat_hash_map fd_to_event_map_; - absl::flat_hash_map fd_to_timer_map_; - - Event::TimerPtr ping_timer_; - std::chrono::seconds ping_interval_{0}; - - // Upstream extension for stats integration. - ReverseTunnelAcceptorExtension* extension_; -}; - -DECLARE_FACTORY(ReverseTunnelAcceptor); - -} // namespace ReverseConnection -} // namespace Bootstrap -} // namespace Extensions -} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD new file mode 100644 index 0000000000000..b87502f21f14e --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -0,0 +1,74 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "reverse_tunnel_acceptor_includes", + hdrs = [ + "reverse_tunnel_acceptor.h", + "reverse_tunnel_acceptor_extension.h", + ], + visibility = ["//visibility:public"], + deps = [ + "//envoy/event:dispatcher_interface", + "//envoy/event:timer_interface", + "//envoy/network:address_interface", + "//envoy/network:io_handle_interface", + "//envoy/network:socket_interface", + "//envoy/registry", + "//envoy/server:bootstrap_extension_config_interface", + "//envoy/stats:stats_interface", + "//envoy/stats:stats_macros", + "//envoy/thread_local:thread_local_interface", + "//source/common/network:address_lib", + "//source/common/network:socket_interface_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_extension( + name = "reverse_tunnel_acceptor_lib", + srcs = [ + "reverse_tunnel_acceptor.cc", + "reverse_tunnel_acceptor_extension.cc", + ], + visibility = ["//visibility:public"], + deps = [ + ":reverse_tunnel_acceptor_includes", + ":upstream_socket_manager_lib", + "//envoy/common:random_generator_interface", + "//source/common/api:os_sys_calls_lib", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + "//source/common/network:default_socket_interface_lib", + "//source/common/protobuf", + ], + alwayslink = 1, +) + +envoy_cc_extension( + name = "upstream_socket_manager_lib", + srcs = ["upstream_socket_manager.cc"], + hdrs = ["upstream_socket_manager.h"], + visibility = ["//visibility:public"], + deps = [ + "reverse_tunnel_acceptor_includes", + "//envoy/event:dispatcher_interface", + "//envoy/event:timer_interface", + "//envoy/network:io_handle_interface", + "//envoy/network:socket_interface", + "//envoy/thread_local:thread_local_object", + "//source/common/api:os_sys_calls_lib", + "//source/common/common:logger_lib", + "//source/common/common:random_generator_lib", + "//source/common/network:default_socket_interface_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + ], +) diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc new file mode 100644 index 0000000000000..47b632b11dfaf --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -0,0 +1,154 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +#include +#include +#include +#include +#include + +#include "source/common/api/os_sys_calls_impl.h" +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/common/random_generator.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// UpstreamReverseConnectionIOHandle implementation +UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, const std::string& cluster_name) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), + owned_socket_(std::move(socket)) { + + ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); +} + +UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { + ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, + fd_); + // The owned_socket_ will be automatically destroyed via RAII. +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( + Envoy::Network::Address::InstanceConstSharedPtr address) { + ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", + address->asString()); + + // For reverse connections, the connection is already established. + return Api::SysCallIntResult{0, 0}; +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { + ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); + + // Reset the owned socket to properly close the connection + if (owned_socket_) { + ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); + owned_socket_.reset(); + } + + // Call the parent close method + return IoSocketHandleImpl::close(); +} + +// ReverseTunnelAcceptor implementation +ReverseTunnelAcceptor::ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) + : extension_(nullptr), context_(&context) { + ENVOY_LOG(debug, "reverse_tunnel: created acceptor"); +} + +Envoy::Network::IoHandlePtr +ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type, Envoy::Network::Address::Type, + Envoy::Network::Address::IpVersion, bool, + const Envoy::Network::SocketCreationOptions&) const { + + ENVOY_LOG(warn, "reverse_tunnel: socket() called without address - returning nullptr"); + + // Reverse connection sockets should always have an address. + return nullptr; +} + +Envoy::Network::IoHandlePtr +ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const { + ENVOY_LOG(debug, "reverse_tunnel: socket() called for address: {}, node: {}", addr->asString(), + addr->logicalName()); + + // For upstream reverse connections, we need to get the thread-local socket manager + // and check if there are any cached connections available + auto* tls_registry = getLocalRegistry(); + if (tls_registry && tls_registry->socketManager()) { + ENVOY_LOG(trace, "reverse_tunnel: running on dispatcher: {}", + tls_registry->dispatcher().name()); + auto* socket_manager = tls_registry->socketManager(); + + // The address's logical name is the node ID. + std::string node_id = addr->logicalName(); + ENVOY_LOG(debug, "reverse_tunnel: using node_id: {}", node_id); + + // Try to get a cached socket for the node. + auto socket = socket_manager->getConnectionSocket(node_id); + if (socket) { + ENVOY_LOG(info, "reverse_tunnel: reusing cached socket for node: {}", node_id); + // Create IOHandle that owns the socket using RAII. + auto io_handle = + std::make_unique(std::move(socket), node_id); + return io_handle; + } + } + + // No sockets available, fallback to standard socket interface. + ENVOY_LOG(debug, "reverse_tunnel: no available connection, falling back to standard socket"); + return Network::socketInterface( + "envoy.extensions.network.socket_interface.default_socket_interface") + ->socket(socket_type, addr, options); +} + +bool ReverseTunnelAcceptor::ipFamilySupported(int domain) { + return domain == AF_INET || domain == AF_INET6; +} + +// Get thread local registry for the current thread +UpstreamSocketThreadLocal* ReverseTunnelAcceptor::getLocalRegistry() const { + if (extension_) { + return extension_->getLocalRegistry(); + } + return nullptr; +} + +// BootstrapExtensionFactory +Server::BootstrapExtensionPtr ReverseTunnelAcceptor::createBootstrapExtension( + const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { + ENVOY_LOG(debug, "ReverseTunnelAcceptor::createBootstrapExtension()"); + // Cast the config to the proper type. + const auto& message = MessageUtil::downcastAndValidate< + const envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); + + // Set the context for this socket interface instance. + context_ = &context; + + // Return a SocketInterfaceExtension that wraps this socket interface. + return std::make_unique(*this, context, message); +} + +ProtobufTypes::MessagePtr ReverseTunnelAcceptor::createEmptyConfigProto() { + return std::make_unique(); +} + +REGISTER_FACTORY(ReverseTunnelAcceptor, Server::Configuration::BootstrapExtensionFactory); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h new file mode 100644 index 0000000000000..173d57657598a --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h @@ -0,0 +1,177 @@ +#pragma once + +#include + +#include +#include + +#include "envoy/event/dispatcher.h" +#include "envoy/event/timer.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/listen_socket.h" +#include "envoy/network/socket.h" +#include "envoy/registry/registry.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" +#include "envoy/stats/stats_macros.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class ReverseTunnelAcceptor; +class ReverseTunnelAcceptorExtension; +class UpstreamSocketManager; + +/** + * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. + * This class implements RAII principles to ensure proper socket cleanup and provides + * reverse connection semantics where the connection is already established. + */ +class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. + * + * @param socket the reverse connection socket to own and manage. + * @param cluster_name the name of the cluster this connection belongs to. + */ + UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + const std::string& cluster_name); + + ~UpstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + /** + * Override of connect method for reverse connections. + * For reverse connections, the connection is already established so this method + * is a no-op and always returns success. + * + * @param address the target address (unused for reverse connections). + * @return SysCallIntResult with success status (0, 0). + */ + Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; + + /** + * Override of close method for reverse connections. + * Cleans up the owned socket and calls the parent close method. + * + * @return IoCallUint64Result indicating the result of the close operation. + */ + Api::IoCallUint64Result close() override; + + /** + * Get the owned socket for read-only operations. + * + * @return const reference to the owned socket. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The name of the cluster this reverse connection belongs to. + std::string cluster_name_; + // The socket that this IOHandle owns and manages lifetime for. + Network::ConnectionSocketPtr owned_socket_; +}; + +/** + * Socket interface that creates upstream reverse connection sockets. + * Manages cached reverse TCP connections and provides them when requested. + */ +class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, + public Envoy::Logger::Loggable { +public: + /** + * Constructs a ReverseTunnelAcceptor with the given server factory context. + * + * @param context the server factory context for this socket interface. + */ + ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context); + + ReverseTunnelAcceptor() : extension_(nullptr), context_(nullptr) {} + + // SocketInterface overrides + /** + * Create a socket without a specific address (no-op for reverse connections). + * @param socket_type the type of socket to create. + * @param addr_type the address type. + * @param version the IP version. + * @param socket_v6only whether to create IPv6-only socket. + * @param options socket creation options. + * @return nullptr since reverse connections require specific addresses. + */ + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, bool socket_v6only, + const Envoy::Network::SocketCreationOptions& options) const override; + + /** + * Create a socket with a specific address. + * @param socket_type the type of socket to create. + * @param addr the address to bind to. + * @param options socket creation options. + * @return IoHandlePtr for the reverse connection socket. + */ + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const override; + + /** + * @param domain the IP family domain (AF_INET, AF_INET6). + * @return true if the family is supported. + */ + bool ipFamilySupported(int domain) override; + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + class UpstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * Create a bootstrap extension for this socket interface. + * @param config the config. + * @param context the server factory context. + * @return BootstrapExtensionPtr for the socket interface extension. + */ + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override; + + /** + * @return MessagePtr containing the empty configuration. + */ + ProtobufTypes::MessagePtr createEmptyConfigProto() override; + + /** + * @return the interface name. + */ + std::string name() const override { + return "envoy.bootstrap.reverse_tunnel.upstream_socket_interface"; + } + + /** + * @return pointer to the extension for cross-thread aggregation. + */ + ReverseTunnelAcceptorExtension* getExtension() const { return extension_; } + + ReverseTunnelAcceptorExtension* extension_{nullptr}; + +private: + Server::Configuration::ServerFactoryContext* context_; +}; + +DECLARE_FACTORY(ReverseTunnelAcceptor); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc new file mode 100644 index 0000000000000..771d22310d5ce --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc @@ -0,0 +1,282 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" + +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// UpstreamSocketThreadLocal implementation +UpstreamSocketThreadLocal::UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension) + : dispatcher_(dispatcher), + socket_manager_(std::make_unique(dispatcher, extension)) {} + +// ReverseTunnelAcceptorExtension implementation +void ReverseTunnelAcceptorExtension::onServerInitialized() { + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension::onServerInitialized - creating thread local slot"); + + // Set the extension reference in the socket interface. + if (socket_interface_) { + socket_interface_->extension_ = this; + } + + // Create thread local slot for dispatcher and socket manager. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + + // Set up the thread local dispatcher and socket manager. + tls_slot_->set([this](Event::Dispatcher& dispatcher) { + return std::make_shared(dispatcher, this); + }); +} + +// Get thread local registry for the current thread +UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { + if (!tls_slot_) { + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); + return nullptr; + } + + if (auto opt = tls_slot_->get(); opt.has_value()) { + return &opt.value().get(); + } + + return nullptr; +} + +std::pair, std::vector> +ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { + + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: obtaining reverse connection stats"); + + // Get all gauges with the reverse_connections prefix. + auto connection_stats = getCrossWorkerStatMap(); + + std::vector connected_nodes; + std::vector accepted_connections; + + // Process the stats to extract connection information + for (const auto& [stat_name, count] : connection_stats) { + if (count > 0) { + // Parse stat name to extract node/cluster information. + // Format: ".reverse_connections.nodes." or + // ".reverse_connections.clusters.". + if (stat_name.find("reverse_connections.nodes.") != std::string::npos) { + // Find the position after "reverse_connections.nodes.". + size_t pos = stat_name.find("reverse_connections.nodes."); + if (pos != std::string::npos) { + std::string node_id = stat_name.substr(pos + strlen("reverse_connections.nodes.")); + connected_nodes.push_back(node_id); + } + } else if (stat_name.find("reverse_connections.clusters.") != std::string::npos) { + // Find the position after "reverse_connections.clusters.". + size_t pos = stat_name.find("reverse_connections.clusters."); + if (pos != std::string::npos) { + std::string cluster_id = stat_name.substr(pos + strlen("reverse_connections.clusters.")); + accepted_connections.push_back(cluster_id); + } + } + } + } + + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: found {} connected nodes, {} accepted connections", + connected_nodes.size(), accepted_connections.size()); + + return {connected_nodes, accepted_connections}; +} + +absl::flat_hash_map ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Iterate through all gauges and filter for cross-worker stats only. + // Cross-worker stats have the pattern "reverse_connections.nodes." or + // "reverse_connections.clusters." (no dispatcher name in the middle). + Stats::IterateFn gauge_callback = + [&stats_map](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + (gauge_name.find("reverse_connections.nodes.") != std::string::npos || + gauge_name.find("reverse_connections.clusters.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: collected {} stats for reverse connections across all " + "worker threads", + stats_map.size()); + + return stats_map; +} + +void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& node_id, + const std::string& cluster_id, + bool increment) { + + // Register stats with Envoy's system for automatic cross-thread aggregation + auto& stats_store = context_.scope(); + + // Create/update node connection stat + if (!node_id.empty()) { + std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", node_id); + Stats::StatNameManagedStorage node_stat_name_storage(node_stat_name, stats_store.symbolTable()); + auto& node_gauge = stats_store.gaugeFromStatName(node_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + node_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", + node_stat_name, node_gauge.value()); + } else { + if (node_gauge.value() > 0) { + node_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", + node_stat_name, node_gauge.value()); + } + } + } + + // Create/update cluster connection stat. + if (!cluster_id.empty()) { + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", cluster_id); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } else { + if (cluster_gauge.value() > 0) { + cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } + } + } + + // Also update per-worker stats for debugging. + updatePerWorkerConnectionStats(node_id, cluster_id, increment); +} + +void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::string& node_id, + const std::string& cluster_id, + bool increment) { + auto& stats_store = context_.scope(); + + // Get dispatcher name from the thread local dispatcher. + std::string dispatcher_name; + auto* local_registry = getLocalRegistry(); + if (local_registry == nullptr) { + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension: No local registry found"); + return; + } + + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: Updating stats for worker {}", dispatcher_name); + + // Create/update per-worker node connection stat + if (!node_id.empty()) { + std::string worker_node_stat_name = + fmt::format("reverse_connections.{}.node.{}", dispatcher_name, node_id); + Stats::StatNameManagedStorage worker_node_stat_name_storage(worker_node_stat_name, + stats_store.symbolTable()); + auto& worker_node_gauge = stats_store.gaugeFromStatName( + worker_node_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_node_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } else { + // Guardrail: only decrement if the gauge value is greater than 0 + if (worker_node_gauge.value() > 0) { + worker_node_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } else { + ENVOY_LOG(trace, + "ReverseTunnelAcceptorExtension: skipping decrement for worker node stat {} " + "(already at 0)", + worker_node_stat_name); + } + } + } + + // Create/update per-worker cluster connection stat + if (!cluster_id.empty()) { + std::string worker_cluster_stat_name = + fmt::format("reverse_connections.{}.cluster.{}", dispatcher_name, cluster_id); + Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, + stats_store.symbolTable()); + auto& worker_cluster_gauge = stats_store.gaugeFromStatName( + worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + // Guardrail: only decrement if the gauge value is greater than 0 + if (worker_cluster_gauge.value() > 0) { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + ENVOY_LOG(trace, + "ReverseTunnelAcceptorExtension: skipping decrement for worker cluster stat {} " + "(already at 0)", + worker_cluster_stat_name); + } + } + } +} + +absl::flat_hash_map ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Get the current dispatcher name. + std::string dispatcher_name = "main_thread"; // Default for main thread. + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index. + dispatcher_name = local_registry->dispatcher().name(); + } + + // Iterate through all gauges and filter for the current dispatcher. + Stats::IterateFn gauge_callback = + [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + gauge_name.find(dispatcher_name + ".") != std::string::npos && + (gauge_name.find(".node.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: collected {} stats for dispatcher '{}'", + stats_map.size(), dispatcher_name); + + return stats_map; +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h new file mode 100644 index 0000000000000..6e5c3c520539f --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h @@ -0,0 +1,179 @@ +#pragma once + +#include + +#include +#include + +#include "envoy/event/dispatcher.h" +#include "envoy/event/timer.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/listen_socket.h" +#include "envoy/network/socket.h" +#include "envoy/registry/registry.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" +#include "envoy/stats/stats_macros.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class UpstreamSocketManager; +class ReverseTunnelAcceptorExtension; + +/** + * Thread local storage for ReverseTunnelAcceptor. + */ +class UpstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { +public: + /** + * Creates a new socket manager instance for the given dispatcher. + * @param dispatcher the thread-local dispatcher. + * @param extension the upstream extension for stats integration. + */ + UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension = nullptr); + + /** + * @return reference to the thread-local dispatcher. + */ + Event::Dispatcher& dispatcher() { return dispatcher_; } + + /** + * @return pointer to the thread-local socket manager. + */ + UpstreamSocketManager* socketManager() { return socket_manager_.get(); } + const UpstreamSocketManager* socketManager() const { return socket_manager_.get(); } + +private: + // Thread-local dispatcher. + Event::Dispatcher& dispatcher_; + // Thread-local socket manager. + std::unique_ptr socket_manager_; +}; + +/** + * Socket interface extension for upstream reverse connections. + */ +class ReverseTunnelAcceptorExtension + : public Envoy::Network::SocketInterfaceExtension, + public Envoy::Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelAcceptorExtensionTest; + +public: + /** + * @param sock_interface the reverse tunnel acceptor to extend. + * @param context the server factory context. + * @param config the configuration for this extension. + */ + ReverseTunnelAcceptorExtension( + ReverseTunnelAcceptor& sock_interface, Server::Configuration::ServerFactoryContext& context, + const envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface& config) + : Envoy::Network::SocketInterfaceExtension(sock_interface), context_(context), + socket_interface_(&sock_interface) { + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: creating upstream reverse connection " + "socket interface with stat_prefix: {}", + stat_prefix_); + stat_prefix_ = + PROTOBUF_GET_STRING_OR_DEFAULT(config, stat_prefix, "upstream_reverse_connection"); + } + + /** + * Called when the server is initialized. + */ + void onServerInitialized() override; + + /** + * Called when a worker thread is initialized. + */ + void onWorkerThreadInitialized() override {} + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + UpstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * @return reference to the stat prefix string. + */ + const std::string& statPrefix() const { return stat_prefix_; } + + /** + * Synchronous version for admin API endpoints that require immediate response on reverse + * connection stats. + * @param timeout_ms maximum time to wait for aggregation completion + * @return pair of or empty if timeout + */ + std::pair, std::vector> + getConnectionStatsSync(std::chrono::milliseconds timeout_ms = std::chrono::milliseconds(5000)); + + /** + * Get cross-worker aggregated reverse connection stats. + * @return map of node/cluster -> connection count across all worker threads. + */ + absl::flat_hash_map getCrossWorkerStatMap(); + + /** + * Update the cross-thread aggregated stats for the connection. + * @param node_id the node identifier for the connection. + * @param cluster_id the cluster identifier for the connection. + * @param increment whether to increment (true) or decrement (false) the connection count. + */ + void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, + bool increment); + + /** + * Update per-worker connection stats for debugging. + * @param node_id the node identifier for the connection. + * @param cluster_id the cluster identifier for the connection. + * @param increment whether to increment (true) or decrement (false) the connection count. + */ + void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, + bool increment); + + /** + * Get per-worker connection stats for debugging. + * @return map of node/cluster -> connection count for the current worker thread. + */ + absl::flat_hash_map getPerWorkerStatMap(); + + /** + * Get the stats scope for accessing global stats. + * @return reference to the stats scope. + */ + Stats::Scope& getStatsScope() const { return context_.scope(); } + + /** + * Test-only method to set the thread local slot. + * @param slot the thread local slot to set. + */ + void + setTestOnlyTLSRegistry(std::unique_ptr> slot) { + tls_slot_ = std::move(slot); + } + +private: + Server::Configuration::ServerFactoryContext& context_; + // Thread-local slot for storing the socket manager per worker thread. + std::unique_ptr> tls_slot_; + ReverseTunnelAcceptor* socket_interface_; + std::string stat_prefix_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc similarity index 50% rename from source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc rename to source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index c0647927dea4a..16dcf80526d0e 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -1,4 +1,4 @@ -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" #include #include @@ -14,405 +14,16 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/protobuf/utility.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" namespace Envoy { namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// UpstreamReverseConnectionIOHandle implementation -UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( - Network::ConnectionSocketPtr socket, const std::string& cluster_name) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), - owned_socket_(std::move(socket)) { - - ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); -} - -UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { - ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, - fd_); - // The owned_socket_ will be automatically destroyed via RAII. -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( - Envoy::Network::Address::InstanceConstSharedPtr address) { - ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", - address->asString()); - - // For reverse connections, the connection is already established. - return Api::SysCallIntResult{0, 0}; -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { - ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); - - // Reset the owned socket to properly close the connection - if (owned_socket_) { - ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); - owned_socket_.reset(); - } - - // Call the parent close method - return IoSocketHandleImpl::close(); -} - -// ReverseTunnelAcceptor implementation -ReverseTunnelAcceptor::ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) - : extension_(nullptr), context_(&context) { - ENVOY_LOG(debug, "reverse_tunnel: created acceptor"); -} - -Envoy::Network::IoHandlePtr -ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, - Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, bool socket_v6only, - const Envoy::Network::SocketCreationOptions& options) const { - - (void)socket_type; - (void)addr_type; - (void)version; - (void)socket_v6only; - (void)options; - - ENVOY_LOG(warn, "reverse_tunnel: socket() called without address - returning nullptr"); - - // Reverse connection sockets should always have an address. - return nullptr; -} - -Envoy::Network::IoHandlePtr -ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, - const Envoy::Network::Address::InstanceConstSharedPtr addr, - const Envoy::Network::SocketCreationOptions& options) const { - ENVOY_LOG(debug, "reverse_tunnel: socket() called for address: {}, node: {}", addr->asString(), - addr->logicalName()); - - // For upstream reverse connections, we need to get the thread-local socket manager - // and check if there are any cached connections available - auto* tls_registry = getLocalRegistry(); - if (tls_registry && tls_registry->socketManager()) { - ENVOY_LOG(trace, "reverse_tunnel: running on dispatcher: {}", - tls_registry->dispatcher().name()); - auto* socket_manager = tls_registry->socketManager(); - - // The address's logical name is the node ID. - std::string node_id = addr->logicalName(); - ENVOY_LOG(debug, "reverse_tunnel: using node_id: {}", node_id); - - // Try to get a cached socket for the node. - auto socket = socket_manager->getConnectionSocket(node_id); - if (socket) { - ENVOY_LOG(info, "reverse_tunnel: reusing cached socket for node: {}", node_id); - // Create IOHandle that owns the socket using RAII. - auto io_handle = - std::make_unique(std::move(socket), node_id); - return io_handle; - } - } - - // No sockets available, fallback to standard socket interface. - ENVOY_LOG(debug, "reverse_tunnel: no available connection, falling back to standard socket"); - return Network::socketInterface( - "envoy.extensions.network.socket_interface.default_socket_interface") - ->socket(socket_type, addr, options); -} - -bool ReverseTunnelAcceptor::ipFamilySupported(int domain) { - return domain == AF_INET || domain == AF_INET6; -} - -// Get thread local registry for the current thread -UpstreamSocketThreadLocal* ReverseTunnelAcceptor::getLocalRegistry() const { - if (extension_) { - return extension_->getLocalRegistry(); - } - return nullptr; -} - -// BootstrapExtensionFactory -Server::BootstrapExtensionPtr ReverseTunnelAcceptor::createBootstrapExtension( - const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { - ENVOY_LOG(debug, "ReverseTunnelAcceptor::createBootstrapExtension()"); - // Cast the config to the proper type. - const auto& message = MessageUtil::downcastAndValidate< - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); - - // Set the context for this socket interface instance. - context_ = &context; - - // Return a SocketInterfaceExtension that wraps this socket interface. - return std::make_unique(*this, context, message); -} - -ProtobufTypes::MessagePtr ReverseTunnelAcceptor::createEmptyConfigProto() { - return std::make_unique(); -} - -// ReverseTunnelAcceptorExtension implementation -void ReverseTunnelAcceptorExtension::onServerInitialized() { - ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension::onServerInitialized - creating thread local slot"); - - // Set the extension reference in the socket interface. - if (socket_interface_) { - socket_interface_->extension_ = this; - } - - // Create thread local slot for dispatcher and socket manager. - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); - - // Set up the thread local dispatcher and socket manager. - tls_slot_->set([this](Event::Dispatcher& dispatcher) { - return std::make_shared(dispatcher, this); - }); -} - -// Get thread local registry for the current thread -UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { - if (!tls_slot_) { - ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); - return nullptr; - } - - if (auto opt = tls_slot_->get(); opt.has_value()) { - return &opt.value().get(); - } - - return nullptr; -} - -std::pair, std::vector> -ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { - - ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: obtaining reverse connection stats"); - - // Get all gauges with the reverse_connections prefix. - auto connection_stats = getCrossWorkerStatMap(); - - std::vector connected_nodes; - std::vector accepted_connections; - - // Process the stats to extract connection information - for (const auto& [stat_name, count] : connection_stats) { - if (count > 0) { - // Parse stat name to extract node/cluster information. - // Format: ".reverse_connections.nodes." or - // ".reverse_connections.clusters.". - if (stat_name.find("reverse_connections.nodes.") != std::string::npos) { - // Find the position after "reverse_connections.nodes.". - size_t pos = stat_name.find("reverse_connections.nodes."); - if (pos != std::string::npos) { - std::string node_id = stat_name.substr(pos + strlen("reverse_connections.nodes.")); - connected_nodes.push_back(node_id); - } - } else if (stat_name.find("reverse_connections.clusters.") != std::string::npos) { - // Find the position after "reverse_connections.clusters.". - size_t pos = stat_name.find("reverse_connections.clusters."); - if (pos != std::string::npos) { - std::string cluster_id = stat_name.substr(pos + strlen("reverse_connections.clusters.")); - accepted_connections.push_back(cluster_id); - } - } - } - } - - ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension: found {} connected nodes, {} accepted connections", - connected_nodes.size(), accepted_connections.size()); - - return {connected_nodes, accepted_connections}; -} - -absl::flat_hash_map ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { - absl::flat_hash_map stats_map; - auto& stats_store = context_.scope(); - - // Iterate through all gauges and filter for cross-worker stats only. - // Cross-worker stats have the pattern "reverse_connections.nodes." or - // "reverse_connections.clusters." (no dispatcher name in the middle). - Stats::IterateFn gauge_callback = - [&stats_map](const Stats::RefcountPtr& gauge) -> bool { - const std::string& gauge_name = gauge->name(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, - gauge->value()); - if (gauge_name.find("reverse_connections.") != std::string::npos && - (gauge_name.find("reverse_connections.nodes.") != std::string::npos || - gauge_name.find("reverse_connections.clusters.") != std::string::npos) && - gauge->used()) { - stats_map[gauge_name] = gauge->value(); - } - return true; - }; - stats_store.iterate(gauge_callback); - - ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension: collected {} stats for reverse connections across all " - "worker threads", - stats_map.size()); - - return stats_map; -} - -void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& node_id, - const std::string& cluster_id, - bool increment) { - - // Register stats with Envoy's system for automatic cross-thread aggregation - auto& stats_store = context_.scope(); - - // Create/update node connection stat - if (!node_id.empty()) { - std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", node_id); - Stats::StatNameManagedStorage node_stat_name_storage(node_stat_name, stats_store.symbolTable()); - auto& node_gauge = stats_store.gaugeFromStatName(node_stat_name_storage.statName(), - Stats::Gauge::ImportMode::Accumulate); - if (increment) { - node_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", - node_stat_name, node_gauge.value()); - } else { - if (node_gauge.value() > 0) { - node_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", - node_stat_name, node_gauge.value()); - } - } - } - - // Create/update cluster connection stat. - if (!cluster_id.empty()) { - std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", cluster_id); - Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, - stats_store.symbolTable()); - auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), - Stats::Gauge::ImportMode::Accumulate); - if (increment) { - cluster_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); - } else { - if (cluster_gauge.value() > 0) { - cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); - } - } - } - - // Also update per-worker stats for debugging. - updatePerWorkerConnectionStats(node_id, cluster_id, increment); -} - -void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::string& node_id, - const std::string& cluster_id, - bool increment) { - auto& stats_store = context_.scope(); - - // Get dispatcher name from the thread local dispatcher. - std::string dispatcher_name; - auto* local_registry = getLocalRegistry(); - if (local_registry == nullptr) { - ENVOY_LOG(error, "ReverseTunnelAcceptorExtension: No local registry found"); - return; - } - - // Dispatcher name is of the form "worker_x" where x is the worker index - dispatcher_name = local_registry->dispatcher().name(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: Updating stats for worker {}", dispatcher_name); - - // Create/update per-worker node connection stat - if (!node_id.empty()) { - std::string worker_node_stat_name = - fmt::format("reverse_connections.{}.node.{}", dispatcher_name, node_id); - Stats::StatNameManagedStorage worker_node_stat_name_storage(worker_node_stat_name, - stats_store.symbolTable()); - auto& worker_node_gauge = stats_store.gaugeFromStatName( - worker_node_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); - if (increment) { - worker_node_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker node stat {} to {}", - worker_node_stat_name, worker_node_gauge.value()); - } else { - // Guardrail: only decrement if the gauge value is greater than 0 - if (worker_node_gauge.value() > 0) { - worker_node_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker node stat {} to {}", - worker_node_stat_name, worker_node_gauge.value()); - } else { - ENVOY_LOG(trace, - "ReverseTunnelAcceptorExtension: skipping decrement for worker node stat {} " - "(already at 0)", - worker_node_stat_name); - } - } - } - - // Create/update per-worker cluster connection stat - if (!cluster_id.empty()) { - std::string worker_cluster_stat_name = - fmt::format("reverse_connections.{}.cluster.{}", dispatcher_name, cluster_id); - Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, - stats_store.symbolTable()); - auto& worker_cluster_gauge = stats_store.gaugeFromStatName( - worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); - if (increment) { - worker_cluster_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker cluster stat {} to {}", - worker_cluster_stat_name, worker_cluster_gauge.value()); - } else { - // Guardrail: only decrement if the gauge value is greater than 0 - if (worker_cluster_gauge.value() > 0) { - worker_cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker cluster stat {} to {}", - worker_cluster_stat_name, worker_cluster_gauge.value()); - } else { - ENVOY_LOG(trace, - "ReverseTunnelAcceptorExtension: skipping decrement for worker cluster stat {} " - "(already at 0)", - worker_cluster_stat_name); - } - } - } -} - -absl::flat_hash_map ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { - absl::flat_hash_map stats_map; - auto& stats_store = context_.scope(); - - // Get the current dispatcher name. - std::string dispatcher_name = "main_thread"; // Default for main thread. - auto* local_registry = getLocalRegistry(); - if (local_registry) { - // Dispatcher name is of the form "worker_x" where x is the worker index. - dispatcher_name = local_registry->dispatcher().name(); - } - - // Iterate through all gauges and filter for the current dispatcher. - Stats::IterateFn gauge_callback = - [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { - const std::string& gauge_name = gauge->name(); - ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, - gauge->value()); - if (gauge_name.find("reverse_connections.") != std::string::npos && - gauge_name.find(dispatcher_name + ".") != std::string::npos && - (gauge_name.find(".node.") != std::string::npos || - gauge_name.find(".cluster.") != std::string::npos) && - gauge->used()) { - stats_map[gauge_name] = gauge->value(); - } - return true; - }; - stats_store.iterate(gauge_callback); - - ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: collected {} stats for dispatcher '{}'", - stats_map.size(), dispatcher_name); - - return stats_map; -} +// Forward declaration +class ReverseTunnelAcceptorExtension; // UpstreamSocketManager implementation UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, @@ -426,8 +37,7 @@ UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, const std::string& cluster_id, Network::ConnectionSocketPtr socket, - const std::chrono::seconds& ping_interval, - bool rebalanced) { + const std::chrono::seconds& ping_interval, bool) { ENVOY_LOG(debug, "reverse_tunnel: adding connection for node: {}, cluster: {}", node_id, cluster_id); @@ -439,7 +49,6 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, return; } - (void)rebalanced; const int fd = socket->ioHandle().fdDoNotUse(); const std::string& connectionKey = socket->connectionInfoProvider().localAddress()->asString(); @@ -836,8 +445,6 @@ UpstreamSocketManager::~UpstreamSocketManager() { } } -REGISTER_FACTORY(ReverseTunnelAcceptor, Server::Configuration::BootstrapExtensionFactory); - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h new file mode 100644 index 0000000000000..3e6e288fceb58 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h @@ -0,0 +1,140 @@ +#pragma once + +#include + +#include +#include +#include + +#include "envoy/event/dispatcher.h" +#include "envoy/event/timer.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/listen_socket.h" +#include "envoy/network/socket.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/common/logger.h" +#include "source/common/common/random_generator.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class ReverseTunnelAcceptorExtension; + +/** + * Thread-local socket manager for upstream reverse connections. + */ +class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, + public Logger::Loggable { + // Friend class for testing + friend class TestUpstreamSocketManager; + +public: + UpstreamSocketManager(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension = nullptr); + + ~UpstreamSocketManager(); + + /** + * Add accepted connection to socket manager. + * @param node_id node_id of initiating node. + * @param cluster_id cluster_id of receiving cluster. + * @param socket the socket to be added. + * @param ping_interval the interval at which ping keepalives are sent. + * @param rebalanced true if adding socket after rebalancing. + */ + void addConnectionSocket(const std::string& node_id, const std::string& cluster_id, + Network::ConnectionSocketPtr socket, + const std::chrono::seconds& ping_interval, bool rebalanced); + + /** + * Get an available reverse connection socket. + * @param node_id the node ID to get a socket for. + * @return the connection socket, or nullptr if none available. + */ + Network::ConnectionSocketPtr getConnectionSocket(const std::string& node_id); + + /** + * Mark connection socket dead and remove from internal maps. + * @param fd the FD for the socket to be marked dead. + */ + void markSocketDead(const int fd); + + /** + * Ping all active reverse connections for health checks. + */ + void pingConnections(); + + /** + * Ping reverse connections for a specific node. + * @param node_id the node ID whose connections should be pinged. + */ + void pingConnections(const std::string& node_id); + + /** + * Enable the ping timer if not already enabled. + * @param ping_interval the interval at which ping keepalives should be sent. + */ + void tryEnablePingTimer(const std::chrono::seconds& ping_interval); + + /** + * Clean up stale node entries when no active sockets remain. + * @param node_id the node ID to clean up. + */ + void cleanStaleNodeEntry(const std::string& node_id); + + /** + * Handle ping response from a reverse connection. + * @param io_handle the IO handle for the socket that sent the ping response. + */ + void onPingResponse(Network::IoHandle& io_handle); + + /** + * Get the upstream extension for stats integration. + * @return pointer to the upstream extension or nullptr if not available. + */ + ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } + + /** + * Automatically discern whether the key is a node ID or cluster ID. + * @param key the key to get the node ID for. + * @return the node ID. + */ + std::string getNodeID(const std::string& key); + +private: + // Thread local dispatcher instance. + Event::Dispatcher& dispatcher_; + Random::RandomGeneratorPtr random_generator_; + + // Map of node IDs to connection sockets. + absl::flat_hash_map> + accepted_reverse_connections_; + + // Map from file descriptor to node ID. + absl::flat_hash_map fd_to_node_map_; + + // Map of node ID to cluster. + absl::flat_hash_map node_to_cluster_map_; + + // Map of cluster IDs to node IDs. + absl::flat_hash_map> cluster_to_node_map_; + + // File events and timers for ping functionality. + absl::flat_hash_map fd_to_event_map_; + absl::flat_hash_map fd_to_timer_map_; + + Event::TimerPtr ping_timer_; + std::chrono::seconds ping_interval_{0}; + + // Upstream extension for stats integration. + ReverseTunnelAcceptorExtension* extension_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 0bbd06d2c9f05..766dd3449a330 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -62,8 +62,7 @@ EXTENSIONS = { # Reverse Connection # - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface": "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface": "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", + "envoy.bootstrap.reverse_tunnel.upstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", # # Health checkers diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index b81235b1b3d4e..90beb866cf2a5 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -82,13 +82,13 @@ envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interfac status: wip type_urls: - envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface -envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface: +envoy.bootstrap.reverse_tunnel.upstream_socket_interface: categories: - envoy.bootstrap security_posture: unknown status: wip type_urls: - - envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface + - envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface envoy.clusters.reverse_connection: categories: - envoy.cluster diff --git a/test/extensions/bootstrap/reverse_tunnel/common/BUILD b/test/extensions/bootstrap/reverse_tunnel/common/BUILD new file mode 100644 index 0000000000000..718c050ff92f8 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/common/BUILD @@ -0,0 +1,25 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_extension_package", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_package() + +envoy_cc_test( + name = "reverse_connection_utility_test", + size = "medium", + srcs = ["reverse_connection_utility_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/network:connection_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc b/test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc similarity index 98% rename from test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc rename to test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc index 1f961997fc5ec..dc9b849efc318 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_utility_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc @@ -1,6 +1,6 @@ #include "source/common/buffer/buffer_impl.h" #include "source/common/network/connection_impl.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" #include "test/mocks/network/mocks.h" #include "test/test_common/test_runtime.h" diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc deleted file mode 100644 index e536272530287..0000000000000 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor_test.cc +++ /dev/null @@ -1,1801 +0,0 @@ -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" -#include "envoy/server/factory_context.h" -#include "envoy/thread_local/thread_local.h" - -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" -#include "source/common/network/utility.h" -#include "source/common/thread_local/thread_local_impl.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" - -#include "test/mocks/event/mocks.h" -#include "test/mocks/server/factory_context.h" -#include "test/mocks/stats/mocks.h" -#include "test/mocks/thread_local/mocks.h" -#include "test/test_common/test_runtime.h" - -#include "gmock/gmock.h" -#include "gtest/gtest.h" - -using testing::_; -using testing::Invoke; -using testing::NiceMock; -using testing::Return; -using testing::ReturnRef; - -namespace Envoy { -namespace Extensions { -namespace Bootstrap { -namespace ReverseConnection { - -class ReverseTunnelAcceptorExtensionTest : public testing::Test { -protected: - ReverseTunnelAcceptorExtensionTest() { - // Set up the stats scope. - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Set up the mock context. - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - - // Create the config. - config_.set_stat_prefix("test_prefix"); - - // Create the socket interface. - socket_interface_ = std::make_unique(context_); - - // Create the extension. - extension_ = - std::make_unique(*socket_interface_, context_, config_); - } - - // Helper function to set up thread local slot for tests. - void setupThreadLocalSlot() { - // Create a thread local registry. - thread_local_registry_ = - std::make_shared(dispatcher_, extension_.get()); - - // Create the actual TypedSlot - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - - // Set up the slot to return our registry - tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - - // Set the slot directly in the extension - extension_->tls_slot_ = std::move(tls_slot_); - - // Set the extension reference in the socket interface - extension_->socket_interface_->extension_ = extension_.get(); - } - - // Helper function to set up a second thread local slot for multi-dispatcher testing - void setupAnotherThreadLocalSlot() { - // Create another thread local registry with a different dispatcher name - another_thread_local_registry_ = - std::make_shared(another_dispatcher_, extension_.get()); - } - - void TearDown() override { - tls_slot_.reset(); - thread_local_registry_.reset(); - extension_.reset(); - socket_interface_.reset(); - } - - NiceMock context_; - NiceMock thread_local_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - NiceMock dispatcher_{"worker_0"}; - - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface config_; - - std::unique_ptr socket_interface_; - std::unique_ptr extension_; - - // Real thread local slot and registry - std::unique_ptr> tls_slot_; - std::shared_ptr thread_local_registry_; - - // Additional mock dispatcher and registry for multi-thread testing - NiceMock another_dispatcher_{"worker_1"}; - std::shared_ptr another_thread_local_registry_; -}; - -// Basic functionality tests -TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithDefaultStatPrefix) { - // Test with empty config (should use default stat prefix) - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface empty_config; - - auto extension_with_default = - std::make_unique(*socket_interface_, context_, empty_config); - - EXPECT_EQ(extension_with_default->statPrefix(), "upstream_reverse_connection"); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithCustomStatPrefix) { - // Test with custom stat prefix - EXPECT_EQ(extension_->statPrefix(), "test_prefix"); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, GetStatsScope) { - // Test that getStatsScope returns the correct scope - EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, OnWorkerThreadInitialized) { - // This should be a no-op - extension_->onWorkerThreadInitialized(); -} - -// Thread local initialization tests -TEST_F(ReverseTunnelAcceptorExtensionTest, OnServerInitializedSetsExtensionReference) { - // Call onServerInitialized to set the extension reference in the socket interface - extension_->onServerInitialized(); - - // Verify that the socket interface extension reference is set - EXPECT_EQ(socket_interface_->getExtension(), extension_.get()); -} - -// Thread local registry access tests -TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryBeforeInitialization) { - // Before tls_slot_ is set, getLocalRegistry should return nullptr - EXPECT_EQ(extension_->getLocalRegistry(), nullptr); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryAfterInitialization) { - // Initialize the thread local slot - setupThreadLocalSlot(); - - // Now getLocalRegistry should return the actual registry - auto* registry = extension_->getLocalRegistry(); - EXPECT_NE(registry, nullptr); - - // Verify we can access the socket manager from the registry (non-const version) - auto* socket_manager = registry->socketManager(); - EXPECT_NE(socket_manager, nullptr); - - // Verify the socket manager has the correct extension reference - EXPECT_EQ(socket_manager->getUpstreamExtension(), extension_.get()); - - // Test const socketManager() - const auto* const_registry = extension_->getLocalRegistry(); - EXPECT_NE(const_registry, nullptr); - - const auto* const_socket_manager = const_registry->socketManager(); - EXPECT_NE(const_socket_manager, nullptr); - - // Verify the const socket manager has the correct extension reference - EXPECT_EQ(const_socket_manager->getUpstreamExtension(), extension_.get()); -} - -// Test stats aggregation for one thread only (test thread) -TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { - - // Set up thread local slot first - setupThreadLocalSlot(); - - // Update per-worker stats for the current (test) thread - extension_->updatePerWorkerConnectionStats("node1", "cluster1", true); - extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); - extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); - - // Get the per-worker stat map - auto stat_map = extension_->getPerWorkerStatMap(); - - // Verify the stats are collected correctly for worker_0 - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); - - // Verify that only worker_0 stats are included - for (const auto& [stat_name, value] : stat_map) { - EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); - } - - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats - // creates the same gauges and increments them correctly - extension_->updateConnectionStats("node1", "cluster1", true); - extension_->updateConnectionStats("node1", "cluster1", true); - - // Get stats again to verify the same gauges were incremented - stat_map = extension_->getPerWorkerStatMap(); - - // Verify the gauge values were incremented correctly - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); // 1 + 2 - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 3); // 1 + 2 - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); // unchanged - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); // unchanged - - // Test decrement operations to cover the decrement code paths - extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); // Decrement node1 - extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); // Decrement node2 once - extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); // Decrement node2 again - - // Get stats again to verify the decrements worked correctly - stat_map = extension_->getPerWorkerStatMap(); - - // Verify the gauge values were decremented correctly - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 2); // 3 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 2); // 3 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); // 2 - 2 - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); // 2 - 2 -} - -// Test cross-thread stat map functions using multiple dispatchers -TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { - // Set up thread local slot for the test thread (dispatcher name: "worker_0") - setupThreadLocalSlot(); - - // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") - setupAnotherThreadLocalSlot(); - - // Simulate stats updates from worker_0 - extension_->updateConnectionStats("node1", "cluster1", true); - extension_->updateConnectionStats("node1", "cluster1", true); // Increment twice - extension_->updateConnectionStats("node2", "cluster2", true); - - // Simulate stats updates from worker_1 - // Temporarily switch the thread local registry to simulate the other dispatcher - auto original_registry = thread_local_registry_; - thread_local_registry_ = another_thread_local_registry_; - - // Update stats from worker_1 - extension_->updateConnectionStats("node1", "cluster1", true); // Increment from worker_1 - extension_->updateConnectionStats("node3", "cluster3", true); // New node from worker_1 - - // Restore the original registry - thread_local_registry_ = original_registry; - - // Get the cross-worker stat map - auto stat_map = extension_->getCrossWorkerStatMap(); - - // Verify that cross-worker stats are collected correctly across multiple dispatchers - // node1: incremented 3 times total (2 from worker_0 + 1 from worker_1) - EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 3); - // node2: incremented 1 time from worker_0 - EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 1); - // node3: incremented 1 time from worker_1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); - - // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) - EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 3); - // cluster2: incremented 1 time from worker_0 - EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 1); - // cluster3: incremented 1 time from worker_1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); - - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again - // with the same names increments the existing gauges (not creates new ones) - extension_->updateConnectionStats("node1", "cluster1", true); // Increment again - extension_->updateConnectionStats("node2", "cluster2", false); // Decrement - - // Get stats again to verify the same gauges were updated - stat_map = extension_->getCrossWorkerStatMap(); - - // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) - EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 4); // 3 + 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 4); // 3 + 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 0); // 1 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); // 1 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); // unchanged - EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); // unchanged - - // Test per-worker decrement operations to cover the per-worker decrement code paths - // First, test decrements from worker_0 context - extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); // Decrement from worker_0 - - // Get per-worker stats to verify decrements worked correctly for worker_0 - auto per_worker_stat_map = extension_->getPerWorkerStatMap(); - - // Verify worker_0 stats were decremented correctly - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); // 4 - 1 - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], - 3); // 4 - 1 - - // Decrement cluster2 which is already at 0 from cross-worker stats - extension_->updateConnectionStats("node2", "cluster2", false); - - // Get cross-worker stats to verify the guardrail worked - auto cross_worker_stat_map = extension_->getCrossWorkerStatMap(); - - // Verify that cluster2 remains at 0 (guardrail prevented underflow) - EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); - - per_worker_stat_map = extension_->getPerWorkerStatMap(); - - // Verify that node2/cluster2 remain at 0 (not wrapped around to UINT64_MAX) - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); - - // Now test decrements from worker_1 context - thread_local_registry_ = another_thread_local_registry_; - - // Decrement some stats from worker_1 - extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); // Decrement from worker_1 - extension_->updatePerWorkerConnectionStats("node3", "cluster3", false); // Decrement node3 to 0 - - // Get per-worker stats from worker_1 context - auto worker1_stat_map = extension_->getPerWorkerStatMap(); - - // Verify worker_1 stats were decremented correctly - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node1"], 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1"], - 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node3"], 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3"], - 0); // 1 - 1 - - // Restore original registry - thread_local_registry_ = original_registry; -} - -// Test getConnectionStatsSync using multiple dispatchers -TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncMultiThread) { - // Set up thread local slot for the test thread (dispatcher name: "worker_0") - setupThreadLocalSlot(); - - // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") - setupAnotherThreadLocalSlot(); - - // Simulate stats updates from worker_0 - extension_->updateConnectionStats("node1", "cluster1", true); - extension_->updateConnectionStats("node1", "cluster1", true); // Increment twice - extension_->updateConnectionStats("node2", "cluster2", true); - - // Simulate stats updates from worker_1 - // Temporarily switch the thread local registry to simulate the other dispatcher - auto original_registry = thread_local_registry_; - thread_local_registry_ = another_thread_local_registry_; - - // Update stats from worker_1 - extension_->updateConnectionStats("node1", "cluster1", true); // Increment from worker_1 - extension_->updateConnectionStats("node3", "cluster3", true); // New node from worker_1 - - // Restore the original registry - thread_local_registry_ = original_registry; - - // Get connection stats synchronously - auto result = extension_->getConnectionStatsSync(); - auto& [connected_nodes, accepted_connections] = result; - - // Verify the result contains the expected data - EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); - - // Verify that we have the expected node and cluster data - // node1: should be present (incremented 3 times total) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node1") != - connected_nodes.end()); - // node2: should be present (incremented 1 time) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node2") != - connected_nodes.end()); - // node3: should be present (incremented 1 time) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node3") != - connected_nodes.end()); - - // cluster1: should be present (incremented 3 times total) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != - accepted_connections.end()); - // cluster2: should be present (incremented 1 time) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != - accepted_connections.end()); - // cluster3: should be present (incremented 1 time) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != - accepted_connections.end()); - - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again - // with the same names updates the existing gauges and the sync result reflects this - extension_->updateConnectionStats("node1", "cluster1", true); // Increment again - extension_->updateConnectionStats("node2", "cluster2", false); // Decrement to 0 - - // Get connection stats again to verify the updated values - result = extension_->getConnectionStatsSync(); - auto& [updated_connected_nodes, updated_accepted_connections] = result; - - // Verify that node2 is no longer present (gauge value is 0) - EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node2") == - updated_connected_nodes.end()); - EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), - "cluster2") == updated_accepted_connections.end()); - - // Verify that node1 and node3 are still present - EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node1") != - updated_connected_nodes.end()); - EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node3") != - updated_connected_nodes.end()); - EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), - "cluster1") != updated_accepted_connections.end()); - EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), - "cluster3") != updated_accepted_connections.end()); -} - -// Test getConnectionStatsSync with timeouts -TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncTimeout) { - // Test with a very short timeout to verify timeout behavior - auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); - - // With no connections and short timeout, should return empty results - auto& [connected_nodes, accepted_connections] = result; - EXPECT_TRUE(connected_nodes.empty()); - EXPECT_TRUE(accepted_connections.empty()); -} - -// ============================================================================ -// TestUpstreamSocketManager Test Class -// ============================================================================ - -class TestUpstreamSocketManager : public testing::Test { -protected: - TestUpstreamSocketManager() { - // Set up the stats scope - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Set up the mock context - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - - // Create the config - config_.set_stat_prefix("test_prefix"); - - // Create the socket interface - socket_interface_ = std::make_unique(context_); - - // Create the extension - extension_ = - std::make_unique(*socket_interface_, context_, config_); - - // Set up mock dispatcher with default expectations - EXPECT_CALL(dispatcher_, createTimer_(_)) - .WillRepeatedly(testing::ReturnNew>()); - EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) - .WillRepeatedly(testing::ReturnNew>()); - - // Create the socket manager with real extension - socket_manager_ = std::make_unique(dispatcher_, extension_.get()); - } - - void TearDown() override { - socket_manager_.reset(); - - extension_.reset(); - socket_interface_.reset(); - } - - // Helper methods to access private members (friend class works for these methods) - void verifyInitialState() { - EXPECT_EQ(socket_manager_->accepted_reverse_connections_.size(), 0); - EXPECT_EQ(socket_manager_->fd_to_node_map_.size(), 0); - EXPECT_EQ(socket_manager_->node_to_cluster_map_.size(), 0); - EXPECT_EQ(socket_manager_->cluster_to_node_map_.size(), 0); - } - - bool verifyFDToNodeMap(int fd) { - return socket_manager_->fd_to_node_map_.find(fd) != socket_manager_->fd_to_node_map_.end(); - } - - bool verifyFDToEventMap(int fd) { - return socket_manager_->fd_to_event_map_.find(fd) != socket_manager_->fd_to_event_map_.end(); - } - - bool verifyFDToTimerMap(int fd) { - return socket_manager_->fd_to_timer_map_.find(fd) != socket_manager_->fd_to_timer_map_.end(); - } - - size_t getFDToEventMapSize() { return socket_manager_->fd_to_event_map_.size(); } - - size_t getFDToTimerMapSize() { return socket_manager_->fd_to_timer_map_.size(); } - - size_t verifyAcceptedReverseConnectionsMap(const std::string& node_id) { - auto it = socket_manager_->accepted_reverse_connections_.find(node_id); - if (it == socket_manager_->accepted_reverse_connections_.end()) { - return 0; - } - return it->second.size(); - } - - std::string getNodeToClusterMapping(const std::string& node_id) { - auto it = socket_manager_->node_to_cluster_map_.find(node_id); - if (it == socket_manager_->node_to_cluster_map_.end()) { - return ""; - } - return it->second; - } - - std::vector getClusterToNodeMapping(const std::string& cluster_id) { - auto it = socket_manager_->cluster_to_node_map_.find(cluster_id); - if (it == socket_manager_->cluster_to_node_map_.end()) { - return {}; - } - return it->second; - } - - size_t getNodeToClusterMapSize() { return socket_manager_->node_to_cluster_map_.size(); } - - size_t getClusterToNodeMapSize() { return socket_manager_->cluster_to_node_map_.size(); } - - size_t getAcceptedReverseConnectionsSize() { - return socket_manager_->accepted_reverse_connections_.size(); - } - - // Helper methods for the new test cases - void addNodeToClusterMapping(const std::string& node_id, const std::string& cluster_id) { - socket_manager_->node_to_cluster_map_[node_id] = cluster_id; - socket_manager_->cluster_to_node_map_[cluster_id].push_back(node_id); - } - - void addFDToNodeMapping(int fd, const std::string& node_id) { - socket_manager_->fd_to_node_map_[fd] = node_id; - } - - // Helper to create a mock socket with proper address setup - Network::ConnectionSocketPtr createMockSocket(int fd = 123, - const std::string& local_addr = "127.0.0.1:8080", - const std::string& remote_addr = "127.0.0.1:9090") { - auto socket = std::make_unique>(); - - // Parse local address (IP:port format) - auto local_colon_pos = local_addr.find(':'); - std::string local_ip = local_addr.substr(0, local_colon_pos); - uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); - auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); - - // Parse remote address (IP:port format) - auto remote_colon_pos = remote_addr.find(':'); - std::string remote_ip = remote_addr.substr(0, remote_colon_pos); - uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); - auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); - - // Create a mock IO handle and set it up - auto mock_io_handle = std::make_unique>(); - auto* mock_io_handle_ptr = mock_io_handle.get(); - EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); - EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); - - // Store the mock_io_handle in the socket - socket->io_handle_ = std::move(mock_io_handle); - - // Set up connection info provider with the desired addresses - socket->connection_info_provider_->setLocalAddress(local_address); - socket->connection_info_provider_->setRemoteAddress(remote_address); - - return socket; - } - - // Helper to create a mock timer - Event::MockTimer* createMockTimer() { - auto timer = new NiceMock(); - EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(timer)); - return timer; - } - - // Helper to create a mock file event - Event::MockFileEvent* createMockFileEvent() { - auto file_event = new NiceMock(); - EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)).WillOnce(Return(file_event)); - return file_event; - } - - // Helper to get sockets for a node - std::list& getSocketsForNode(const std::string& node_id) { - return socket_manager_->accepted_reverse_connections_[node_id]; - } - - NiceMock context_; - NiceMock thread_local_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - NiceMock dispatcher_; - - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface config_; - - std::unique_ptr socket_interface_; - std::unique_ptr extension_; - std::unique_ptr socket_manager_; -}; - -TEST_F(TestUpstreamSocketManager, CreateUpstreamSocketManager) { - // Test that constructor doesn't crash and creates a valid instance - EXPECT_NE(socket_manager_, nullptr); - - // Test constructor with nullptr extension - auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); - EXPECT_NE(socket_manager_no_extension, nullptr); -} - -TEST_F(TestUpstreamSocketManager, GetUpstreamExtension) { - // Test that getUpstreamExtension returns the correct extension - EXPECT_EQ(socket_manager_->getUpstreamExtension(), extension_.get()); - - // Test with nullptr extension - auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); - EXPECT_EQ(socket_manager_no_extension->getUpstreamExtension(), nullptr); -} - -TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyClusterId) { - // Test adding a socket with empty cluster_id (should log error and return early without adding - // socket) - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = ""; - const std::chrono::seconds ping_interval(30); - - // Verify initial state - verifyInitialState(); - - // Add the socket - should return early and not add anything - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Verify nothing was added - all maps should remain empty - verifyInitialState(); // Should still be in initial state - - // Verify no file events or timers were created - EXPECT_EQ(getFDToEventMapSize(), 0); - EXPECT_EQ(getFDToTimerMapSize(), 0); - - // Verify no socket can be retrieved - auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); - EXPECT_EQ(retrieved_socket, nullptr); // Should return nullptr because nothing was added -} - -TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyNodeId) { - // Test adding a socket with empty node_id (should log error and return early without adding - // socket) - auto socket = createMockSocket(456); - const std::string node_id = ""; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Verify initial state - verifyInitialState(); - - // Add the socket - should return early and not add anything - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Verify nothing was added - all maps should remain empty - verifyInitialState(); // Should still be in initial state - - // Verify no file events or timers were created - EXPECT_EQ(getFDToEventMapSize(), 0); - EXPECT_EQ(getFDToTimerMapSize(), 0); - - // Verify no socket can be retrieved - auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); - EXPECT_EQ(retrieved_socket, nullptr); // Should return nullptr because nothing was added -} - -TEST_F(TestUpstreamSocketManager, AddAndGetMultipleSocketsSameNode) { - // Test adding multiple sockets for the same node - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - auto socket3 = createMockSocket(789); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Verify initial state - verifyInitialState(); - - // Add first socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - - // Verify maps after first socket - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - EXPECT_TRUE(verifyFDToNodeMap(123)); - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - auto cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 1); - EXPECT_EQ(cluster_nodes[0], node_id); - - // Add second socket for same node - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - - // Verify maps after second socket (should have 2 sockets for same node, but cluster maps - // unchanged) - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - EXPECT_TRUE(verifyFDToNodeMap(456)); - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Should still be same cluster - cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 1); // Still 1 node per cluster - - // Add third socket for same node - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, - false); - - // Verify maps after third socket - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); - EXPECT_TRUE(verifyFDToNodeMap(789)); - - // Verify file events and timers were created for all sockets - EXPECT_EQ(getFDToEventMapSize(), 3); - EXPECT_EQ(getFDToTimerMapSize(), 3); - - // Get sockets in FIFO order - auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket1, nullptr); - - // Verify socket count decreased - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - - auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket2, nullptr); - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - - auto retrieved_socket3 = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket3, nullptr); - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - - // No more sockets should be available - auto retrieved_socket4 = socket_manager_->getConnectionSocket(node_id); - EXPECT_EQ(retrieved_socket4, nullptr); -} - -TEST_F(TestUpstreamSocketManager, AddAndGetSocketsMultipleNodes) { - // Test adding sockets for different nodes - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node1 = "node1"; - const std::string node2 = "node2"; - const std::string cluster1 = "cluster1"; - const std::string cluster2 = "cluster2"; - const std::chrono::seconds ping_interval(30); - - // Verify initial state - verifyInitialState(); - - // Add socket for first node - socket_manager_->addConnectionSocket(node1, cluster1, std::move(socket1), ping_interval, false); - - // Verify maps after first node - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); - EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); - auto cluster1_nodes = getClusterToNodeMapping(cluster1); - EXPECT_EQ(cluster1_nodes.size(), 1); - EXPECT_EQ(cluster1_nodes[0], node1); - - // Add socket for second node - socket_manager_->addConnectionSocket(node2, cluster2, std::move(socket2), ping_interval, false); - - // Verify maps after second node - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 1); - EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); - EXPECT_EQ(getNodeToClusterMapping(node2), cluster2); - cluster1_nodes = getClusterToNodeMapping(cluster1); - EXPECT_EQ(cluster1_nodes.size(), 1); - EXPECT_EQ(cluster1_nodes[0], node1); - auto cluster2_nodes = getClusterToNodeMapping(cluster2); - EXPECT_EQ(cluster2_nodes.size(), 1); - EXPECT_EQ(cluster2_nodes[0], node2); - - // Verify file events and timers were created for both sockets - EXPECT_EQ(getFDToEventMapSize(), 2); - EXPECT_EQ(getFDToTimerMapSize(), 2); - - // Verify both nodes have their sockets - auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); - EXPECT_NE(retrieved_socket1, nullptr); - - // Verify first node's socket count decreased - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 0); - - auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); - EXPECT_NE(retrieved_socket2, nullptr); - - // Verify second node's socket count decreased - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 0); -} - -TEST_F(TestUpstreamSocketManager, TestGetNodeID) { - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Call getNodeID with a cluster ID that has active connections - // First add a socket to create the cluster mapping and update stats - auto socket1 = createMockSocket(123); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - - // Verify the socket was added and mappings are correct - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - auto cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 1); - EXPECT_EQ(cluster_nodes[0], node_id); - - // Now call getNodeID with the cluster_id - should return the node_id that was added for this - // cluster - std::string result_for_cluster = socket_manager_->getNodeID(cluster_id); - EXPECT_EQ(result_for_cluster, node_id); - - // Call getNodeID with a node ID - should return the same node ID - std::string result_for_node = socket_manager_->getNodeID(node_id); - EXPECT_EQ(result_for_node, node_id); - - // Call getNodeID with a non-existent cluster ID - should return the key as-is - // assuming it to be the node ID. A subsequent call to getConnectionSocket with - // this node ID should return nullptr. - const std::string non_existent_cluster = "non-existent-cluster"; - std::string result_for_non_existent = socket_manager_->getNodeID(non_existent_cluster); - EXPECT_EQ(result_for_non_existent, non_existent_cluster); -} - -TEST_F(TestUpstreamSocketManager, GetConnectionSocketEmpty) { - // Test getting a socket when none exists - auto socket = socket_manager_->getConnectionSocket("non-existent-node"); - EXPECT_EQ(socket, nullptr); -} - -TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryWithActiveSockets) { - // Test cleanStaleNodeEntry when node still has active sockets (should be no-op) - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add sockets and verify initial state - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); - - // Call cleanStaleNodeEntry while sockets exist - should be no-op - socket_manager_->cleanStaleNodeEntry(node_id); - - // Verify no cleanup happened (all mappings should remain unchanged) - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); -} - -TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryClusterCleanup) { - // Test that cluster entry is removed when last node is cleaned up - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node1 = "node1"; - const std::string node2 = "node2"; - const std::string cluster_id = "shared-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add two nodes to the same cluster - socket_manager_->addConnectionSocket(node1, cluster_id, std::move(socket1), ping_interval, false); - socket_manager_->addConnectionSocket(node2, cluster_id, std::move(socket2), ping_interval, false); - - // Verify both nodes are in the cluster - EXPECT_EQ(getNodeToClusterMapping(node1), cluster_id); - EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); - auto cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 2); - EXPECT_EQ(getClusterToNodeMapSize(), 1); // One cluster - - // Get socket from first node (should trigger cleanup for node1) - auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); - EXPECT_NE(retrieved_socket1, nullptr); - - // Verify node1 is cleaned up but cluster still exists for node2 - EXPECT_EQ(getNodeToClusterMapping(node1), ""); // node1 removed - EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); // node2 still there - cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 1); // Only node2 remains - EXPECT_EQ(cluster_nodes[0], node2); - EXPECT_EQ(getClusterToNodeMapSize(), 1); // Cluster still exists - - // Get socket from second node (should trigger cleanup for node2 and remove cluster) - auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); - EXPECT_NE(retrieved_socket2, nullptr); - - // Verify both nodes and cluster are cleaned up - EXPECT_EQ(getNodeToClusterMapping(node1), ""); - EXPECT_EQ(getNodeToClusterMapping(node2), ""); - cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 0); // No nodes in cluster - EXPECT_EQ(getClusterToNodeMapSize(), 0); // Cluster completely removed -} - -TEST_F(TestUpstreamSocketManager, FileEventAndTimerCleanup) { - // Test that file events and timers are properly cleaned up when getting sockets - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add sockets - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - - // Verify file events and timers are created - EXPECT_EQ(getFDToEventMapSize(), 2); - EXPECT_EQ(getFDToTimerMapSize(), 2); - - // Get first socket - should clean up its file event and timer - auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket1, nullptr); - - // Verify that the entry for the fd is removed from the maps - EXPECT_FALSE(verifyFDToEventMap(123)); - EXPECT_FALSE(verifyFDToTimerMap(123)); - - // Get second socket - should clean up remaining file event and timer - auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket2, nullptr); - - // Verify all file events and timers are cleaned up - EXPECT_EQ(getFDToEventMapSize(), 0); - EXPECT_EQ(getFDToTimerMapSize(), 0); -} - -// ============================================================================ -// MarkSocketDead Tests -// ============================================================================ - -TEST_F(TestUpstreamSocketManager, MarkSocketNotPresentDead) { - // Test MarkSocketDead with an fd which isn't in the fd_to_node_map_ - // Should log debug and return early - socket_manager_->markSocketDead(999); - - // Test with negative fd - socket_manager_->markSocketDead(-1); - - // Test with zero fd - socket_manager_->markSocketDead(0); -} - -TEST_F(TestUpstreamSocketManager, MarkIdleSocketDead) { - // Test MarkSocketDead with an idle socket (in the pool) - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add sockets to the pool - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - - // Verify initial state - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - EXPECT_TRUE(verifyFDToNodeMap(123)); - - // Mark first idle socket as dead - socket_manager_->markSocketDead(123); - - // Verify markSocketDead touched the right maps: - // 1. Socket removed from pool - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - // 2. FD mapping removed - EXPECT_FALSE(verifyFDToNodeMap(123)); - // 3. File event and timer cleaned up for this specific FD - EXPECT_FALSE(verifyFDToEventMap(123)); - EXPECT_FALSE(verifyFDToTimerMap(123)); - - // Verify remaining socket is still accessible - auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket, nullptr); -} - -TEST_F(TestUpstreamSocketManager, MarkUsedSocketDead) { - // Test MarkSocketDead with a used socket - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket to pool - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Verify socket is in pool - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - EXPECT_TRUE(verifyFDToNodeMap(123)); - - // Get the socket (removes it from pool, simulating "used" state) - auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket, nullptr); - - // Verify socket is no longer in pool but FD mapping might still exist until cleanup - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - - // Mark the used socket as dead - should only update stats and return - socket_manager_->markSocketDead(123); - - // Verify FD mapping is removed - EXPECT_FALSE(verifyFDToNodeMap(123)); - - // Verify all mappings are cleaned up since no sockets remain - EXPECT_EQ(getNodeToClusterMapping(node_id), ""); - auto cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 0); -} - -TEST_F(TestUpstreamSocketManager, MarkSocketDeadTriggerCleanup) { - // Test that marking the last socket dead triggers cleanStaleNodeEntry - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Verify mappings exist - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - auto cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 1); - - // Mark the socket as dead - socket_manager_->markSocketDead(123); - - // Verify complete cleanup occurred - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - EXPECT_EQ(getNodeToClusterMapping(node_id), ""); - cluster_nodes = getClusterToNodeMapping(cluster_id); - EXPECT_EQ(cluster_nodes.size(), 0); - EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); -} - -TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { - // Test marking sockets dead when multiple exist for the same node - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - auto socket3 = createMockSocket(789); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add multiple sockets - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, - false); - - // Verify all sockets are added - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); - EXPECT_EQ(getFDToEventMapSize(), 3); - EXPECT_EQ(getFDToTimerMapSize(), 3); - - // Mark first socket as dead - socket_manager_->markSocketDead(123); - - // Verify specific socket removed, others remain - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - EXPECT_EQ(getFDToEventMapSize(), 2); - EXPECT_EQ(getFDToTimerMapSize(), 2); - // FD mapping removed - EXPECT_FALSE(verifyFDToNodeMap(123)); - EXPECT_FALSE(verifyFDToEventMap(123)); - EXPECT_FALSE(verifyFDToTimerMap(123)); - // other socket still mapped - EXPECT_TRUE(verifyFDToNodeMap(456)); - EXPECT_TRUE(verifyFDToNodeMap(789)); - - // Node mappings should still exist - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); - - // Mark second socket as dead - socket_manager_->markSocketDead(456); - - // Verify specific socket removed - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); - // FD mapping removed - EXPECT_FALSE(verifyFDToNodeMap(456)); - EXPECT_FALSE(verifyFDToEventMap(456)); - EXPECT_FALSE(verifyFDToTimerMap(456)); - // other socket still mapped - EXPECT_TRUE(verifyFDToNodeMap(789)); - - // Mark last socket as dead - should trigger cleanup - socket_manager_->markSocketDead(789); - - // Verify complete cleanup - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - EXPECT_EQ(getNodeToClusterMapping(node_id), ""); - EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); - EXPECT_EQ(getFDToEventMapSize(), 0); - EXPECT_EQ(getFDToTimerMapSize(), 0); -} - -TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { - // Test pingConnections when writing RPING succeeds - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add sockets first - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - - // Verify sockets are added - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - - // Now get the IoHandles from the socket manager and set up mock expectations - auto& sockets = getSocketsForNode(node_id); - auto* mock_io_handle1 = - dynamic_cast*>(&sockets.front()->ioHandle()); - auto* mock_io_handle2 = - dynamic_cast*>(&sockets.back()->ioHandle()); - - EXPECT_CALL(*mock_io_handle1, write(_)) - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; - })); - EXPECT_CALL(*mock_io_handle2, write(_)) - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate successful write - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; - })); - - // Manually call pingConnections - socket_manager_->pingConnections(); - - // Verify sockets are still there (no cleanup occurred) - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); -} - -TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { - // Test pingConnections when writing RPING fails - should trigger cleanup - auto socket1 = createMockSocket(123); - auto socket2 = createMockSocket(456); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add sockets first (this will trigger pingConnections via tryEnablePingTimer) - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, - false); - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, - false); - - // Verify sockets are added - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); - - // Now get the IoHandles from the socket manager and set up mock expectations - auto& sockets = getSocketsForNode(node_id); - auto* mock_io_handle1 = - dynamic_cast*>(&sockets.front()->ioHandle()); - auto* mock_io_handle2 = - dynamic_cast*>(&sockets.back()->ioHandle()); - - // First call: Send failed ping on mock_io_handle1 - // When the first socket fails, the loop breaks and doesn't process the second socket - EXPECT_CALL(*mock_io_handle1, write(_)) - .Times(1) // Called once - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate write attempt - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; - })); - // Second socket should NOT be called in the first pingConnections call - - // Manually call pingConnections to test the functionality - socket_manager_->pingConnections(node_id); - - // Verify first socket was cleaned up but second socket remains (node not cleaned up) - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); // Second socket still there - EXPECT_FALSE(verifyFDToNodeMap(123)); // First socket removed - EXPECT_TRUE(verifyFDToNodeMap(456)); // Second socket still there - EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); // Node mapping still exists - EXPECT_EQ(getAcceptedReverseConnectionsSize(), 1); // One node still exists - - // Now send failed ping on mock_io_handle2 to trigger ping failure and node cleanup - EXPECT_CALL(*mock_io_handle2, write(_)) - .Times(1) // Called once during second ping - .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { - // Drain the buffer to simulate write attempt - buffer.drain(buffer.length()); - return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; - })); - - // Manually call pingConnections again. This should ping socket2, fail and trigger node cleanup - socket_manager_->pingConnections(node_id); - - // Verify complete cleanup occurred (both sockets removed due to node cleanup) - EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); - EXPECT_FALSE(verifyFDToNodeMap(123)); - EXPECT_FALSE(verifyFDToNodeMap(456)); - EXPECT_EQ(getNodeToClusterMapping(node_id), ""); - EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); -} - -TEST_F(TestUpstreamSocketManager, OnPingResponseValidResponse) { - // Test onPingResponse with valid ping response - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Create mock IoHandle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful read with valid ping response - const std::string ping_response = "RPING"; - EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { - buffer.add(ping_response); - return Api::IoCallUint64Result{ping_response.size(), Api::IoError::none()}; - }); - - // Call onPingResponse - should succeed and not mark socket dead - socket_manager_->onPingResponse(*mock_io_handle); - - // Socket should still be alive - EXPECT_TRUE(verifyFDToNodeMap(123)); -} - -TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { - // Test onPingResponse with read error - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Create mock IoHandle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock read error - EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce( - Return(Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()})); - - // Call onPingResponse - should mark socket dead due to read error - socket_manager_->onPingResponse(*mock_io_handle); - - // Socket should be marked dead and removed - EXPECT_FALSE(verifyFDToNodeMap(123)); -} - -TEST_F(TestUpstreamSocketManager, OnPingResponseConnectionClosed) { - // Test onPingResponse when connection is closed (0 bytes read) - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Create mock IoHandle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock connection closed (0 bytes read) - EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce(Return(Api::IoCallUint64Result{0, Api::IoError::none()})); - - // Call onPingResponse - should mark socket dead due to connection closed - socket_manager_->onPingResponse(*mock_io_handle); - - // Socket should be marked dead and removed - EXPECT_FALSE(verifyFDToNodeMap(123)); -} - -TEST_F(TestUpstreamSocketManager, OnPingResponseInvalidData) { - // Test onPingResponse with invalid ping response data - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Create mock IoHandle for ping response - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - - // Mock successful read but with invalid ping response - const std::string invalid_response = "INVALID_DATA"; - EXPECT_CALL(*mock_io_handle, read(_, _)) - .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { - buffer.add(invalid_response); - return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; - }); - - // Call onPingResponse - should mark socket dead due to invalid response - socket_manager_->onPingResponse(*mock_io_handle); - - // Socket should be marked dead and removed - EXPECT_FALSE(verifyFDToNodeMap(123)); -} - -class TestReverseTunnelAcceptor : public testing::Test { -protected: - TestReverseTunnelAcceptor() { - // Set up the stats scope - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Set up the mock context - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - - // Create the config - config_.set_stat_prefix("test_prefix"); - - // Create the socket interface - socket_interface_ = std::make_unique(context_); - - // Create the extension - extension_ = - std::make_unique(*socket_interface_, context_, config_); - - // Set up mock dispatcher with default expectations - EXPECT_CALL(dispatcher_, createTimer_(_)) - .WillRepeatedly(testing::ReturnNew>()); - EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) - .WillRepeatedly(testing::ReturnNew>()); - - // Create the socket manager with real extension - socket_manager_ = std::make_unique(dispatcher_, extension_.get()); - } - - void TearDown() override { - // Destroy socket manager first so it can still access thread local slot during cleanup - socket_manager_.reset(); - - // Then destroy thread local components - tls_slot_.reset(); - thread_local_registry_.reset(); - - extension_.reset(); - socket_interface_.reset(); - } - - // Helper to set up thread local slot for tests - void setupThreadLocalSlot() { - // First, call onServerInitialized to set up the extension reference properly - extension_->onServerInitialized(); - - // Create a thread local registry with the properly initialized extension - thread_local_registry_ = - std::make_shared(dispatcher_, extension_.get()); - - // Create the actual TypedSlot - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - - // Set up the slot to return our registry - tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - - // Override the TLS slot with our test version - extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); - } - - // Helper to create a mock socket with proper address setup - Network::ConnectionSocketPtr createMockSocket(int fd = 123, - const std::string& local_addr = "127.0.0.1:8080", - const std::string& remote_addr = "127.0.0.1:9090") { - auto socket = std::make_unique>(); - - // Parse local address (IP:port format) - auto local_colon_pos = local_addr.find(':'); - std::string local_ip = local_addr.substr(0, local_colon_pos); - uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); - auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); - - // Parse remote address (IP:port format) - auto remote_colon_pos = remote_addr.find(':'); - std::string remote_ip = remote_addr.substr(0, remote_colon_pos); - uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); - auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); - - // Create a mock IO handle and set it up - auto mock_io_handle = std::make_unique>(); - auto* mock_io_handle_ptr = mock_io_handle.get(); - EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); - EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); - - // Store the mock_io_handle in the socket - socket->io_handle_ = std::move(mock_io_handle); - - // Set up connection info provider with the desired addresses - socket->connection_info_provider_->setLocalAddress(local_address); - socket->connection_info_provider_->setRemoteAddress(remote_address); - - return socket; - } - - // Helper to create an address with a specific logical name for testing. This allows us to test - // reverse connection address socket creation. - Network::Address::InstanceConstSharedPtr - createAddressWithLogicalName(const std::string& logical_name) { - // Create a simple address that returns the specified logical name - class TestAddress : public Network::Address::Instance { - public: - TestAddress(const std::string& logical_name) : logical_name_(logical_name) { - address_string_ = "127.0.0.1:8080"; // Dummy address string - } - - bool operator==(const Instance& rhs) const override { - return logical_name_ == rhs.logicalName(); - } - Network::Address::Type type() const override { return Network::Address::Type::Ip; } - const std::string& asString() const override { return address_string_; } - absl::string_view asStringView() const override { return address_string_; } - const std::string& logicalName() const override { return logical_name_; } - const Network::Address::Ip* ip() const override { return nullptr; } - const Network::Address::Pipe* pipe() const override { return nullptr; } - const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { - return nullptr; - } - const sockaddr* sockAddr() const override { return nullptr; } - socklen_t sockAddrLen() const override { return 0; } - absl::string_view addressType() const override { return "test"; } - absl::optional networkNamespace() const override { return absl::nullopt; } - const Network::SocketInterface& socketInterface() const override { - return Network::SocketInterfaceSingleton::get(); - } - - private: - std::string logical_name_; - std::string address_string_; - }; - - return std::make_shared(logical_name); - } - - NiceMock context_; - NiceMock thread_local_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - NiceMock dispatcher_; - - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface config_; - - std::unique_ptr socket_interface_; - std::unique_ptr extension_; - std::unique_ptr socket_manager_; - - // Real thread local slot and registry - std::unique_ptr> tls_slot_; - std::shared_ptr thread_local_registry_; -}; - -TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryNoExtension) { - // Test getLocalRegistry when extension is not set - auto* registry = socket_interface_->getLocalRegistry(); - EXPECT_EQ(registry, nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryWithExtension) { - // Test getLocalRegistry when extension is set - setupThreadLocalSlot(); - - auto* registry = socket_interface_->getLocalRegistry(); - EXPECT_NE(registry, nullptr); - EXPECT_EQ(registry, thread_local_registry_.get()); -} - -TEST_F(TestReverseTunnelAcceptor, CreateBootstrapExtension) { - // Test createBootstrapExtension function - auto extension = socket_interface_->createBootstrapExtension(config_, context_); - EXPECT_NE(extension, nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, CreateEmptyConfigProto) { - // Test createEmptyConfigProto function - auto config = socket_interface_->createEmptyConfigProto(); - EXPECT_NE(config, nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, SocketWithoutAddress) { - // Test socket() without address - should return nullptr - Network::SocketCreationOptions options; - auto io_handle = - socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, - Network::Address::IpVersion::v4, false, options); - EXPECT_EQ(io_handle, nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { - // Test socket() with reverse connection address but no thread local slot initialized - should - // fall back to default socket interface Do not setup thread local slot - const std::string node_id = "test-node"; - auto address = createAddressWithLogicalName(node_id); - Network::SocketCreationOptions options; - auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(io_handle, nullptr); // Should return default socket interface - - // Verify that the io_handle is a default IoHandle, not an UpstreamReverseConnectionIOHandle - EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoCachedSockets) { - // Test socket() with reverse connection address and thread local slot but no cached sockets - - // should fall back to default socket interface - setupThreadLocalSlot(); - - const std::string node_id = "test-node"; - auto address = createAddressWithLogicalName(node_id); - - // Call socket() before calling addConnectionSocket() so that no sockets are cached - Network::SocketCreationOptions options; - auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(io_handle, nullptr); // Should fall back to default socket interface - - // Verify that the io_handle is a default IoHandle, not an UpstreamReverseConnectionIOHandle - EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalWithCachedSockets) { - // Test socket() with address and thread local slot with cached sockets - setupThreadLocalSlot(); - - // Get the socket manager from the thread local registry - auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); - EXPECT_NE(tls_socket_manager, nullptr); - - // Add a socket to the thread local socket manager - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Create address with the same logical name as the node_id - auto address = createAddressWithLogicalName(node_id); - - Network::SocketCreationOptions options; - auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(io_handle, nullptr); // Should return cached socket - - // Verify that we got an UpstreamReverseConnectionIOHandle - auto* upstream_io_handle = dynamic_cast(io_handle.get()); - EXPECT_NE(upstream_io_handle, nullptr); - - // Try to get another socket for the same node. This will return a default IoHandle, not an - // UpstreamReverseConnectionIOHandle - auto another_io_handle = - socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(another_io_handle, nullptr); - // This should be a default IoHandle, not an UpstreamReverseConnectionIOHandle - EXPECT_EQ(dynamic_cast(another_io_handle.get()), nullptr); -} - -TEST_F(TestReverseTunnelAcceptor, IpFamilySupported) { - // Reverse connection sockets support standard IP families. (IPv4 and IPv6) - EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); - EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); - EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); -} - -class TestUpstreamReverseConnectionIOHandle : public testing::Test { -protected: - TestUpstreamReverseConnectionIOHandle() { - // Create a mock socket for testing - mock_socket_ = std::make_unique>(); - - // Create a mock IO handle - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - // Store the mock IO handle in the socket - mock_socket_->io_handle_ = std::move(mock_io_handle); - - // Create the IO handle under test - io_handle_ = std::make_unique(std::move(mock_socket_), - "test-cluster"); - } - - void TearDown() override { io_handle_.reset(); } - - std::unique_ptr> mock_socket_; - std::unique_ptr io_handle_; -}; - -TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { - // Test that connect() returns success immediately for reverse connections - auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); - - // For UpstreamReverseConnectionIOHandle, connect() is a no-op. - auto result = io_handle_->connect(address); - - // Should return success (0) with no error - EXPECT_EQ(result.return_value_, 0); - EXPECT_EQ(result.errno_, 0); -} - -TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { - // Test that close() properly cleans up the owned socket - auto result = io_handle_->close(); - - // Should successfully close the socket and return - EXPECT_EQ(result.err_, nullptr); -} - -TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { - // Test that getSocket() returns a const reference to the owned socket - const auto& socket = io_handle_->getSocket(); - - // Should return a valid reference - EXPECT_NE(&socket, nullptr); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv4) { - // Test that IPv4 is supported - EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv6) { - // Test that IPv6 is supported - EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportUnknown) { - // Test that unknown families are not supported - EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); - EXPECT_FALSE(socket_interface_->ipFamilySupported(-1)); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, ExtensionNotInitialized) { - // Test that we handle calls before onServerInitialized - ReverseTunnelAcceptor acceptor(context_); - - auto registry = acceptor.getLocalRegistry(); - EXPECT_EQ(registry, nullptr); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, CreateEmptyConfigProto) { - // Test that createEmptyConfigProto returns valid proto - auto proto = socket_interface_->createEmptyConfigProto(); - EXPECT_NE(proto, nullptr); - - // Should be able to cast to the correct type - auto* typed_proto = - dynamic_cast(proto.get()); - EXPECT_NE(typed_proto, nullptr); -} - -TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { - // Test that factory returns correct name - EXPECT_EQ(socket_interface_->name(), - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); -} - -class UpstreamReverseConnectionIOHandleTest : public testing::Test { -protected: - void SetUp() override { - auto socket = std::make_unique>(); - - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - socket->io_handle_ = std::move(mock_io_handle); - - handle_ = - std::make_unique(std::move(socket), "test-cluster"); - } - - std::unique_ptr handle_; -}; - -TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { - // Test that connect() returns success immediately for reverse connections - auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); - - auto result = handle_->connect(address); - - EXPECT_EQ(result.return_value_, 0); - EXPECT_EQ(result.errno_, 0); -} - -TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsValidReference) { - // Test that getSocket() returns a valid reference - const auto& socket = handle_->getSocket(); - EXPECT_NE(&socket, nullptr); -} - -// Configuration validation tests -class ConfigValidationTest : public testing::Test { -protected: - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface config_; - NiceMock context_; -}; - -TEST_F(ConfigValidationTest, ValidConfiguration) { - // Test that valid configuration gets accepted - config_.set_stat_prefix("reverse_tunnel"); - - ReverseTunnelAcceptor acceptor(context_); - - // Should not throw when creating bootstrap extension - EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); -} - -TEST_F(ConfigValidationTest, EmptyStatPrefix) { - // Test that empty stat_prefix still works with default - ReverseTunnelAcceptor acceptor(context_); - - // Should not throw and should use default prefix - EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); -} - -TEST_F(TestUpstreamSocketManager, GetConnectionSocketNoSocketsButValidMapping) { - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - - // Manually add mapping without adding any actual sockets - addNodeToClusterMapping(node_id, cluster_id); - - // Try to get a socket - should hit the "No available sockets" log and return nullptr - auto socket = socket_manager_->getConnectionSocket(node_id); - EXPECT_EQ(socket, nullptr); -} - -TEST_F(TestUpstreamSocketManager, MarkSocketDeadInvalidSocketNotInPool) { - auto socket = createMockSocket(123); - const std::string node_id = "test-node"; - const std::string cluster_id = "test-cluster"; - const std::chrono::seconds ping_interval(30); - - // Add socket to create mappings - socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, - false); - - // Get the socket (removes it from pool but keeps fd mapping temporarily) - auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); - EXPECT_NE(retrieved_socket, nullptr); - - // Manually add the fd back to fd_to_node_map to simulate the edge case - addFDToNodeMapping(123, node_id); - - // Now mark socket dead - it should find the node but not find the socket in the pool - // This will trigger the "Marking an invalid socket dead" error log - socket_manager_->markSocketDead(123); - - // Verify the fd mapping was cleaned up - EXPECT_FALSE(verifyFDToNodeMap(123)); -} - -} // namespace ReverseConnection -} // namespace Bootstrap -} // namespace Extensions -} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD new file mode 100644 index 0000000000000..38c3c26ee9f17 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -0,0 +1,94 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "reverse_tunnel_acceptor_test", + size = "medium", + srcs = ["reverse_tunnel_acceptor_test.cc"], + extension_names = ["envoy.bootstrap.reverse_tunnel.upstream_socket_interface"], + deps = [ + "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_tunnel_acceptor_extension_test", + size = "medium", + srcs = ["reverse_tunnel_acceptor_extension_test.cc"], + deps = [ + "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "upstream_socket_manager_test", + size = "large", + srcs = ["upstream_socket_manager_test.cc"], + deps = [ + "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "upstream_reverse_connection_io_handle_test", + size = "medium", + srcs = ["upstream_reverse_connection_io_handle_test.cc"], + deps = [ + "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "config_validation_test", + size = "small", + srcs = ["config_validation_test.cc"], + deps = [ + "//source/common/network:socket_interface_lib", + "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc new file mode 100644 index 0000000000000..3ed6375fa9273 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc @@ -0,0 +1,56 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + NiceMock context_; +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + config_.set_stat_prefix("reverse_tunnel"); + + ReverseTunnelAcceptor acceptor(context_); + + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + ReverseTunnelAcceptor acceptor(context_); + + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc new file mode 100644 index 0000000000000..4bf3c5cdfbb6c --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc @@ -0,0 +1,347 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseTunnelAcceptorExtensionTest : public testing::Test { +protected: + ReverseTunnelAcceptorExtensionTest() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + config_.set_stat_prefix("test_prefix"); + socket_interface_ = std::make_unique(context_); + extension_ = + std::make_unique(*socket_interface_, context_, config_); + } + + void setupThreadLocalSlot() { + thread_local_registry_ = + std::make_shared(dispatcher_, extension_.get()); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->tls_slot_ = std::move(tls_slot_); + extension_->socket_interface_->extension_ = extension_.get(); + } + + void setupAnotherThreadLocalSlot() { + another_thread_local_registry_ = + std::make_shared(another_dispatcher_, extension_.get()); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + NiceMock another_dispatcher_{"worker_1"}; + std::shared_ptr another_thread_local_registry_; +}; + +TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithDefaultStatPrefix) { + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface empty_config; + + auto extension_with_default = + std::make_unique(*socket_interface_, context_, empty_config); + + EXPECT_EQ(extension_with_default->statPrefix(), "upstream_reverse_connection"); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithCustomStatPrefix) { + EXPECT_EQ(extension_->statPrefix(), "test_prefix"); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetStatsScope) { + EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, OnWorkerThreadInitialized) { + extension_->onWorkerThreadInitialized(); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, OnServerInitializedSetsExtensionReference) { + extension_->onServerInitialized(); + EXPECT_EQ(socket_interface_->getExtension(), extension_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryBeforeInitialization) { + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryAfterInitialization) { + setupThreadLocalSlot(); + + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + + auto* socket_manager = registry->socketManager(); + EXPECT_NE(socket_manager, nullptr); + EXPECT_EQ(socket_manager->getUpstreamExtension(), extension_.get()); + + const auto* const_registry = extension_->getLocalRegistry(); + EXPECT_NE(const_registry, nullptr); + + const auto* const_socket_manager = const_registry->socketManager(); + EXPECT_NE(const_socket_manager, nullptr); + EXPECT_EQ(const_socket_manager->getUpstreamExtension(), extension_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { + setupThreadLocalSlot(); + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", true); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); + + auto stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); + + for (const auto& [stat_name, value] : stat_map) { + EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); + } + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + + stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); + + stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { + setupThreadLocalSlot(); + setupAnotherThreadLocalSlot(); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", true); + + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node3", "cluster3", true); + + thread_local_registry_ = original_registry; + + auto stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", false); + + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 4); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 4); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); + + auto per_worker_stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 3); + + extension_->updateConnectionStats("node2", "cluster2", false); + + auto cross_worker_stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); + + per_worker_stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); + + thread_local_registry_ = another_thread_local_registry_; + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); + extension_->updatePerWorkerConnectionStats("node3", "cluster3", false); + + auto worker1_stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node1"], 0); + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1"], 0); + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node3"], 0); + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3"], 0); + + thread_local_registry_ = original_registry; +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncMultiThread) { + setupThreadLocalSlot(); + setupAnotherThreadLocalSlot(); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", true); + + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node3", "cluster3", true); + + thread_local_registry_ = original_registry; + + auto result = extension_->getConnectionStatsSync(); + auto& [connected_nodes, accepted_connections] = result; + + EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); + + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node1") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node2") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node3") != + connected_nodes.end()); + + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != + accepted_connections.end()); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", false); + + result = extension_->getConnectionStatsSync(); + auto& [updated_connected_nodes, updated_accepted_connections] = result; + + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node2") == + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster2") == updated_accepted_connections.end()); + + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node1") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node3") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster1") != updated_accepted_connections.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster3") != updated_accepted_connections.end()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncTimeout) { + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); + + auto& [connected_nodes, accepted_connections] = result; + EXPECT_TRUE(connected_nodes.empty()); + EXPECT_TRUE(accepted_connections.empty()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv4) { + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv6) { + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportUnknown) { + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(-1)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, ExtensionNotInitialized) { + ReverseTunnelAcceptor acceptor(context_); + auto registry = acceptor.getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, CreateEmptyConfigProto) { + auto proto = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(proto, nullptr); + + auto* typed_proto = + dynamic_cast(proto.get()); + EXPECT_NE(typed_proto, nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { + EXPECT_EQ(socket_interface_->name(), "envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc new file mode 100644 index 0000000000000..9dadd2bac1c1d --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc @@ -0,0 +1,241 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class TestReverseTunnelAcceptor : public testing::Test { +protected: + TestReverseTunnelAcceptor() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + config_.set_stat_prefix("test_prefix"); + socket_interface_ = std::make_unique(context_); + extension_ = + std::make_unique(*socket_interface_, context_, config_); + + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + void TearDown() override { + socket_manager_.reset(); + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + void setupThreadLocalSlot() { + extension_->onServerInitialized(); + thread_local_registry_ = + std::make_shared(dispatcher_, extension_.get()); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + socket->io_handle_ = std::move(mock_io_handle); + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + Network::Address::InstanceConstSharedPtr + createAddressWithLogicalName(const std::string& logical_name) { + class TestAddress : public Network::Address::Instance { + public: + TestAddress(const std::string& logical_name) : logical_name_(logical_name) { + address_string_ = "127.0.0.1:8080"; + } + + bool operator==(const Instance& rhs) const override { + return logical_name_ == rhs.logicalName(); + } + Network::Address::Type type() const override { return Network::Address::Type::Ip; } + const std::string& asString() const override { return address_string_; } + absl::string_view asStringView() const override { return address_string_; } + const std::string& logicalName() const override { return logical_name_; } + const Network::Address::Ip* ip() const override { return nullptr; } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } + const sockaddr* sockAddr() const override { return nullptr; } + socklen_t sockAddrLen() const override { return 0; } + absl::string_view addressType() const override { return "test"; } + absl::optional networkNamespace() const override { return absl::nullopt; } + const Network::SocketInterface& socketInterface() const override { + return Network::SocketInterfaceSingleton::get(); + } + + private: + std::string logical_name_; + std::string address_string_; + }; + + return std::make_shared(logical_name); + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_; + + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr socket_manager_; + + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; +}; + +TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryNoExtension) { + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryWithExtension) { + setupThreadLocalSlot(); + + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); +} + +TEST_F(TestReverseTunnelAcceptor, CreateBootstrapExtension) { + auto extension = socket_interface_->createBootstrapExtension(config_, context_); + EXPECT_NE(extension, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, CreateEmptyConfigProto) { + auto config = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(config, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithoutAddress) { + Network::SocketCreationOptions options; + auto io_handle = + socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v4, false, options); + EXPECT_EQ(io_handle, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { + const std::string node_id = "test-node"; + auto address = createAddressWithLogicalName(node_id); + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); + EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoCachedSockets) { + setupThreadLocalSlot(); + + const std::string node_id = "test-node"; + auto address = createAddressWithLogicalName(node_id); + + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); + EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalWithCachedSockets) { + setupThreadLocalSlot(); + + auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); + EXPECT_NE(tls_socket_manager, nullptr); + + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto address = createAddressWithLogicalName(node_id); + + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); + + auto* upstream_io_handle = dynamic_cast(io_handle.get()); + EXPECT_NE(upstream_io_handle, nullptr); + + auto another_io_handle = + socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(another_io_handle, nullptr); + EXPECT_EQ(dynamic_cast(another_io_handle.get()), nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, IpFamilySupported) { + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc new file mode 100644 index 0000000000000..c34b64af92f6d --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc @@ -0,0 +1,109 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class TestUpstreamReverseConnectionIOHandle : public testing::Test { +protected: + TestUpstreamReverseConnectionIOHandle() { + mock_socket_ = std::make_unique>(); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + mock_socket_->io_handle_ = std::move(mock_io_handle); + + io_handle_ = std::make_unique(std::move(mock_socket_), + "test-cluster"); + } + + void TearDown() override { io_handle_.reset(); } + + std::unique_ptr> mock_socket_; + std::unique_ptr io_handle_; +}; + +TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + auto result = io_handle_->connect(address); + + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { + auto result = io_handle_->close(); + + EXPECT_EQ(result.err_, nullptr); +} + +TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { + const auto& socket = io_handle_->getSocket(); + + EXPECT_NE(&socket, nullptr); +} + +class UpstreamReverseConnectionIOHandleTest : public testing::Test { +protected: + void SetUp() override { + auto socket = std::make_unique>(); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + socket->io_handle_ = std::move(mock_io_handle); + + handle_ = + std::make_unique(std::move(socket), "test-cluster"); + } + + std::unique_ptr handle_; +}; + +TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + auto result = handle_->connect(address); + + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsValidReference) { + const auto& socket = handle_->getSocket(); + EXPECT_NE(&socket, nullptr); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc new file mode 100644 index 0000000000000..5cecd7a2eaf65 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc @@ -0,0 +1,763 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/network/socket_interface.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/network/utility.h" +#include "source/common/thread_local/thread_local_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class TestUpstreamSocketManager : public testing::Test { +protected: + TestUpstreamSocketManager() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = + std::make_unique(*socket_interface_, context_, config_); + + // Set up mock dispatcher with default expectations + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + + // Create the socket manager with real extension + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + void TearDown() override { + socket_manager_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper methods to access private members (friend class works for these methods) + void verifyInitialState() { + EXPECT_EQ(socket_manager_->accepted_reverse_connections_.size(), 0); + EXPECT_EQ(socket_manager_->fd_to_node_map_.size(), 0); + EXPECT_EQ(socket_manager_->node_to_cluster_map_.size(), 0); + EXPECT_EQ(socket_manager_->cluster_to_node_map_.size(), 0); + } + + bool verifyFDToNodeMap(int fd) { + return socket_manager_->fd_to_node_map_.find(fd) != socket_manager_->fd_to_node_map_.end(); + } + + bool verifyFDToEventMap(int fd) { + return socket_manager_->fd_to_event_map_.find(fd) != socket_manager_->fd_to_event_map_.end(); + } + + bool verifyFDToTimerMap(int fd) { + return socket_manager_->fd_to_timer_map_.find(fd) != socket_manager_->fd_to_timer_map_.end(); + } + + size_t getFDToEventMapSize() { return socket_manager_->fd_to_event_map_.size(); } + size_t getFDToTimerMapSize() { return socket_manager_->fd_to_timer_map_.size(); } + + size_t verifyAcceptedReverseConnectionsMap(const std::string& node_id) { + auto it = socket_manager_->accepted_reverse_connections_.find(node_id); + if (it == socket_manager_->accepted_reverse_connections_.end()) { + return 0; + } + return it->second.size(); + } + + std::string getNodeToClusterMapping(const std::string& node_id) { + auto it = socket_manager_->node_to_cluster_map_.find(node_id); + if (it == socket_manager_->node_to_cluster_map_.end()) { + return ""; + } + return it->second; + } + + std::vector getClusterToNodeMapping(const std::string& cluster_id) { + auto it = socket_manager_->cluster_to_node_map_.find(cluster_id); + if (it == socket_manager_->cluster_to_node_map_.end()) { + return {}; + } + return it->second; + } + + size_t getNodeToClusterMapSize() { return socket_manager_->node_to_cluster_map_.size(); } + size_t getClusterToNodeMapSize() { return socket_manager_->cluster_to_node_map_.size(); } + size_t getAcceptedReverseConnectionsSize() { + return socket_manager_->accepted_reverse_connections_.size(); + } + + // Helper methods for the new test cases + void addNodeToClusterMapping(const std::string& node_id, const std::string& cluster_id) { + socket_manager_->node_to_cluster_map_[node_id] = cluster_id; + socket_manager_->cluster_to_node_map_[cluster_id].push_back(node_id); + } + + void addFDToNodeMapping(int fd, const std::string& node_id) { + socket_manager_->fd_to_node_map_[fd] = node_id; + } + + // Helper to create a mock socket with proper address setup + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + // Parse local address (IP:port format) + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + // Parse remote address (IP:port format) + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + // Create a mock IO handle and set it up + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + // Store the mock_io_handle in the socket + socket->io_handle_ = std::move(mock_io_handle); + + // Set up connection info provider with the desired addresses + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + // Helper to get sockets for a node + std::list& getSocketsForNode(const std::string& node_id) { + return socket_manager_->accepted_reverse_connections_[node_id]; + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_; + + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr socket_manager_; +}; + +TEST_F(TestUpstreamSocketManager, CreateUpstreamSocketManager) { + EXPECT_NE(socket_manager_, nullptr); + auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); + EXPECT_NE(socket_manager_no_extension, nullptr); +} + +TEST_F(TestUpstreamSocketManager, GetUpstreamExtension) { + EXPECT_EQ(socket_manager_->getUpstreamExtension(), extension_.get()); + auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); + EXPECT_EQ(socket_manager_no_extension->getUpstreamExtension(), nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyClusterId) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = ""; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + verifyInitialState(); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyNodeId) { + auto socket = createMockSocket(456); + const std::string node_id = ""; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + verifyInitialState(); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddAndGetMultipleSocketsSameNode) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + auto socket3 = createMockSocket(789); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_TRUE(verifyFDToNodeMap(123)); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_TRUE(verifyFDToNodeMap(456)); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + EXPECT_EQ(getFDToEventMapSize(), 3); + EXPECT_EQ(getFDToTimerMapSize(), 3); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket1, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket2, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + + auto retrieved_socket3 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket3, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + + auto retrieved_socket4 = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket4, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddAndGetSocketsMultipleNodes) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node1 = "node1"; + const std::string node2 = "node2"; + const std::string cluster1 = "cluster1"; + const std::string cluster2 = "cluster2"; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + + socket_manager_->addConnectionSocket(node1, cluster1, std::move(socket1), ping_interval, false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); + EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); + + socket_manager_->addConnectionSocket(node2, cluster2, std::move(socket2), ping_interval, false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 1); + EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster2); + + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); + EXPECT_NE(retrieved_socket1, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 0); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); + EXPECT_NE(retrieved_socket2, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 0); +} + +TEST_F(TestUpstreamSocketManager, TestGetNodeID) { + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + auto socket1 = createMockSocket(123); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + std::string result_for_cluster = socket_manager_->getNodeID(cluster_id); + EXPECT_EQ(result_for_cluster, node_id); + + std::string result_for_node = socket_manager_->getNodeID(node_id); + EXPECT_EQ(result_for_node, node_id); + + const std::string non_existent_cluster = "non-existent-cluster"; + std::string result_for_non_existent = socket_manager_->getNodeID(non_existent_cluster); + EXPECT_EQ(result_for_non_existent, non_existent_cluster); +} + +TEST_F(TestUpstreamSocketManager, GetConnectionSocketEmpty) { + auto socket = socket_manager_->getConnectionSocket("non-existent-node"); + EXPECT_EQ(socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryWithActiveSockets) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); + + socket_manager_->cleanStaleNodeEntry(node_id); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); +} + +TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryClusterCleanup) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node1 = "node1"; + const std::string node2 = "node2"; + const std::string cluster_id = "shared-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node1, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node2, cluster_id, std::move(socket2), ping_interval, false); + + EXPECT_EQ(getNodeToClusterMapping(node1), cluster_id); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 2); + EXPECT_EQ(getClusterToNodeMapSize(), 1); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); + EXPECT_NE(retrieved_socket1, nullptr); + + EXPECT_EQ(getNodeToClusterMapping(node1), ""); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + EXPECT_EQ(cluster_nodes[0], node2); + EXPECT_EQ(getClusterToNodeMapSize(), 1); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); + EXPECT_NE(retrieved_socket2, nullptr); + + EXPECT_EQ(getNodeToClusterMapping(node1), ""); + EXPECT_EQ(getNodeToClusterMapping(node2), ""); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); + EXPECT_EQ(getClusterToNodeMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, FileEventAndTimerCleanup) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket1, nullptr); + + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket2, nullptr); + + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketNotPresentDead) { + socket_manager_->markSocketDead(999); + socket_manager_->markSocketDead(-1); + socket_manager_->markSocketDead(0); +} + +TEST_F(TestUpstreamSocketManager, MarkIdleSocketDead) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_TRUE(verifyFDToNodeMap(123)); + + socket_manager_->markSocketDead(123); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, MarkUsedSocketDead) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_TRUE(verifyFDToNodeMap(123)); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + + socket_manager_->markSocketDead(123); + + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadTriggerCleanup) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + + socket_manager_->markSocketDead(123); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + auto socket3 = createMockSocket(789); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); + EXPECT_EQ(getFDToEventMapSize(), 3); + EXPECT_EQ(getFDToTimerMapSize(), 3); + + socket_manager_->markSocketDead(123); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + EXPECT_TRUE(verifyFDToNodeMap(456)); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + socket_manager_->markSocketDead(456); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_FALSE(verifyFDToNodeMap(456)); + EXPECT_FALSE(verifyFDToEventMap(456)); + EXPECT_FALSE(verifyFDToTimerMap(456)); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + socket_manager_->markSocketDead(789); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto& sockets = getSocketsForNode(node_id); + auto* mock_io_handle1 = + dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = + dynamic_cast*>(&sockets.back()->ioHandle()); + + EXPECT_CALL(*mock_io_handle1, write(_)) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; + })); + EXPECT_CALL(*mock_io_handle2, write(_)) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; + })); + + socket_manager_->pingConnections(); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); +} + +TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto& sockets = getSocketsForNode(node_id); + auto* mock_io_handle1 = + dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = + dynamic_cast*>(&sockets.back()->ioHandle()); + + EXPECT_CALL(*mock_io_handle1, write(_)) + .Times(1) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; + })); + + socket_manager_->pingConnections(node_id); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_TRUE(verifyFDToNodeMap(456)); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 1); + + EXPECT_CALL(*mock_io_handle2, write(_)) + .Times(1) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; + })); + + socket_manager_->pingConnections(node_id); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToNodeMap(456)); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseValidResponse) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + const std::string ping_response = "RPING"; + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(ping_response); + return Api::IoCallUint64Result{ping_response.size(), Api::IoError::none()}; + }); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_TRUE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce( + Return(Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()})); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseConnectionClosed) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce(Return(Api::IoCallUint64Result{0, Api::IoError::none()})); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseInvalidData) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + const std::string invalid_response = "INVALID_DATA"; + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(invalid_response); + return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; + }); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, GetConnectionSocketNoSocketsButValidMapping) { + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + + addNodeToClusterMapping(node_id, cluster_id); + + auto socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadInvalidSocketNotInPool) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); + + addFDToNodeMapping(123, node_id); + + socket_manager_->markSocketDead(123); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy From 87afb50b6953ed5eb604f1a393d8368b00acf315 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 05:04:14 +0000 Subject: [PATCH 274/505] reverse conn downstream interface changes Signed-off-by: Basundhara Chakrabarty --- api/BUILD | 1 + .../downstream_socket_interface/v3/BUILD | 7 ++ ...reverse_connection_socket_interface.proto} | 12 +-- api/versioning/BUILD | 1 + .../extensions/bootstrap/reverse_tunnel/BUILD | 73 ++++++++----------- .../reverse_connection_address.h | 4 +- .../reverse_tunnel_initiator.cc | 27 +++---- .../reverse_tunnel/reverse_tunnel_initiator.h | 10 +-- source/extensions/extensions_build_config.bzl | 2 +- source/extensions/extensions_metadata.yaml | 4 +- .../extensions/bootstrap/reverse_tunnel/BUILD | 33 +-------- .../reverse_connection_address_test.cc | 2 +- .../reverse_tunnel_initiator_test.cc | 20 ++--- 13 files changed, 78 insertions(+), 118 deletions(-) create mode 100644 api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD rename api/envoy/extensions/bootstrap/{reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto => reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto} (78%) diff --git a/api/BUILD b/api/BUILD index c353fa6e39d80..d55a5e9552ea3 100644 --- a/api/BUILD +++ b/api/BUILD @@ -137,6 +137,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg", "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD new file mode 100644 index 0000000000000..75972f7fcc6fb --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD @@ -0,0 +1,7 @@ +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], +) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto similarity index 78% rename from api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto rename to api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto index 6fb9b6553f9f8..f5825958cbb90 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto @@ -1,17 +1,17 @@ syntax = "proto3"; -package envoy.extensions.bootstrap.reverse_connection_socket_interface.v3; +package envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3; import "udpa/annotations/status.proto"; -option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_connection_socket_interface.v3"; -option java_outer_classname = "ReverseConnectionSocketInterfaceProto"; +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3"; +option java_outer_classname = "DownstreamReverseConnectionSocketInterfaceProto"; option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_socket_interface/v3;reverse_connection_socket_interfacev3"; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3;downstream_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Bootstrap settings for Downstream Reverse Connection Socket Interface] -// [#extension: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface] +// [#extension: envoy.bootstrap.reverse_tunnel.downstream_socket_interface] // Configuration for the downstream reverse connection socket interface. // This interface initiates reverse connections to upstream Envoys and provides @@ -41,4 +41,4 @@ message RemoteClusterConnectionCount { // Number of reverse connections to establish to this cluster uint32 reverse_connection_count = 2; -} +} \ No newline at end of file diff --git a/api/versioning/BUILD b/api/versioning/BUILD index 221ca73b7751d..4ece8bdcc208f 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -75,6 +75,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg", "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index 0918800e50091..5cf5c370437aa 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -8,19 +8,6 @@ licenses(["notice"]) # Apache 2 envoy_extension_package() -envoy_cc_extension( - name = "reverse_connection_utility_lib", - srcs = ["reverse_connection_utility.cc"], - hdrs = ["reverse_connection_utility.h"], - visibility = ["//visibility:public"], - deps = [ - "//envoy/buffer:buffer_interface", - "//envoy/network:connection_interface", - "//source/common/buffer:buffer_lib", - "//source/common/common:logger_lib", - ], -) - envoy_cc_extension( name = "reverse_connection_address_lib", srcs = ["reverse_connection_address.cc"], @@ -79,37 +66,37 @@ envoy_cc_extension( "//source/common/protobuf", "//source/common/upstream:load_balancer_context_base_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], alwayslink = 1, ) -envoy_cc_extension( - name = "reverse_tunnel_acceptor_lib", - srcs = ["reverse_tunnel_acceptor.cc"], - hdrs = [ - "factory_base.h", - "reverse_tunnel_acceptor.h", - ], - visibility = ["//visibility:public"], - deps = [ - "//envoy/common:random_generator_interface", - "//envoy/network:address_interface", - "//envoy/network:io_handle_interface", - "//envoy/network:socket_interface", - "//envoy/registry", - "//envoy/server:bootstrap_extension_config_interface", - "//envoy/stats:stats_interface", - "//envoy/stats:stats_macros", - "//envoy/thread_local:thread_local_object", - "//source/common/api:os_sys_calls_lib", - "//source/common/common:logger_lib", - "//source/common/common:random_generator_lib", - "//source/common/network:address_lib", - "//source/common/network:default_socket_interface_lib", - "//source/common/protobuf", - ":reverse_connection_utility_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", - ], - alwayslink = 1, -) +# envoy_cc_extension( +# name = "reverse_tunnel_acceptor_lib", +# srcs = ["reverse_tunnel_acceptor.cc"], +# hdrs = [ +# "factory_base.h", +# "reverse_tunnel_acceptor.h", +# ], +# visibility = ["//visibility:public"], +# deps = [ +# "//envoy/common:random_generator_interface", +# "//envoy/network:address_interface", +# "//envoy/network:io_handle_interface", +# "//envoy/network:socket_interface", +# "//envoy/registry", +# "//envoy/server:bootstrap_extension_config_interface", +# "//envoy/stats:stats_interface", +# "//envoy/stats:stats_macros", +# "//envoy/thread_local:thread_local_object", +# "//source/common/api:os_sys_calls_lib", +# "//source/common/common:logger_lib", +# "//source/common/common:random_generator_lib", +# "//source/common/network:address_lib", +# "//source/common/network:default_socket_interface_lib", +# "//source/common/protobuf", +# ":reverse_connection_utility_lib", +# "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", +# ], +# alwayslink = 1, +# ) diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h index 79cf2b0009ea9..0a2633a99fe0c 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h @@ -55,8 +55,8 @@ class ReverseConnectionAddress : public Network::Address::Instance { absl::string_view addressType() const override { return "reverse_connection"; } const Network::SocketInterface& socketInterface() const override { // Return the appropriate reverse connection socket interface for downstream connections - auto* reverse_socket_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + auto* reverse_socket_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); if (reverse_socket_interface) { ENVOY_LOG_MISC(debug, "Reverse connection address: using reverse socket interface"); return *reverse_socket_interface; diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 3058af32e6fb7..c8ae239eb9801 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -302,10 +302,9 @@ ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, Upstream::ClusterManager& cluster_manager, ReverseTunnelInitiatorExtension* extension, - Stats::Scope& scope) + Stats::Scope&) : IoSocketHandleImpl(fd), config_(config), cluster_manager_(cluster_manager), extension_(extension), original_socket_fd_(fd) { - (void)scope; // Mark as unused ENVOY_LOG( debug, "Created ReverseConnectionIOHandle: fd={}, src_node={}, src_cluster: {}, num_clusters={}", @@ -395,8 +394,7 @@ void ReverseConnectionIOHandle::cleanup() { ENVOY_LOG(debug, "ReverseConnectionIOHandle: Completed cleanup of reverse connection resources."); } -Api::SysCallIntResult ReverseConnectionIOHandle::listen(int backlog) { - (void)backlog; +Api::SysCallIntResult ReverseConnectionIOHandle::listen(int) { // No-op for reverse connections. return Api::SysCallIntResult{0, 0}; } @@ -459,9 +457,6 @@ void ReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatche Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, socklen_t* addrlen) { - // Mark parameters unused - (void)addr; - (void)addrlen; if (isTriggerPipeReady()) { char trigger_byte; @@ -856,8 +851,7 @@ void ReverseConnectionIOHandle::maintainClusterConnections( } bool ReverseConnectionIOHandle::shouldAttemptConnectionToHost(const std::string& host_address, - const std::string& cluster_name) { - (void)cluster_name; // Mark as unused for now + const std::string&) { if (!config_.enable_circuit_breaker) { return true; } @@ -1430,10 +1424,8 @@ DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() Envoy::Network::IoHandlePtr ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, bool socket_v6only, - const Envoy::Network::SocketCreationOptions& options) const { - (void)socket_v6only; - (void)options; + Envoy::Network::Address::IpVersion version, bool, + const Envoy::Network::SocketCreationOptions&) const { ENVOY_LOG(debug, "ReverseTunnelInitiator: type={}, addr_type={}", static_cast(socket_type), static_cast(addr_type)); @@ -1544,7 +1536,7 @@ Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); const auto& message = MessageUtil::downcastAndValidate< - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); context_ = &context; // Create the bootstrap extension and store reference to it. @@ -1554,14 +1546,15 @@ Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( } ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { - return std::make_unique(); + return std::make_unique< + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface>(); } // ReverseTunnelInitiatorExtension constructor implementation. ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface& config) : context_(context), config_(config) { ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 0b110e8b54481..3fa4bd464ca44 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -9,8 +9,8 @@ #include #include "envoy/api/io_error.h" -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.pb.h" -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.pb.validate.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.validate.h" #include "envoy/network/io_handle.h" #include "envoy/network/socket.h" #include "envoy/registry/registry.h" @@ -620,7 +620,7 @@ class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, ProtobufTypes::MessagePtr createEmptyConfigProto() override; std::string name() const override { - return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; + return "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"; } ReverseTunnelInitiatorExtension* extension_; @@ -642,7 +642,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, public: ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface& config); void onServerInitialized() override; @@ -714,7 +714,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, private: Server::Configuration::ServerFactoryContext& context_; - const envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; ThreadLocal::TypedSlotPtr tls_slot_; }; diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 766dd3449a330..f252151e810d1 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -61,7 +61,7 @@ EXTENSIONS = { # # Reverse Connection # - + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", "envoy.bootstrap.reverse_tunnel.upstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", # diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 90beb866cf2a5..0bb4b93d178f5 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -75,13 +75,13 @@ envoy.bootstrap.wasm: status: alpha type_urls: - envoy.extensions.wasm.v3.WasmService -envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface: +envoy.bootstrap.reverse_tunnel.downstream_socket_interface: categories: - envoy.bootstrap security_posture: unknown status: wip type_urls: - - envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface + - envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface envoy.bootstrap.reverse_tunnel.upstream_socket_interface: categories: - envoy.bootstrap diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index e43b22e0129a7..2b09b322fbd67 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -12,40 +12,11 @@ licenses(["notice"]) # Apache 2 envoy_package() -envoy_extension_cc_test( - name = "reverse_tunnel_acceptor_test", - size = "large", - srcs = ["reverse_tunnel_acceptor_test.cc"], - extension_names = ["envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"], - deps = [ - "//source/common/network:socket_interface_lib", - "//source/common/thread_local:thread_local_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", - "//test/mocks/event:event_mocks", - "//test/mocks/server:factory_context_mocks", - "//test/mocks/thread_local:thread_local_mocks", - "//test/test_common:test_runtime_lib", - ], -) - -envoy_cc_test( - name = "reverse_connection_utility_test", - size = "medium", - srcs = ["reverse_connection_utility_test.cc"], - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/network:connection_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_utility_lib", - "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", - ], -) - envoy_extension_cc_test( name = "reverse_tunnel_initiator_test", size = "large", srcs = ["reverse_tunnel_initiator_test.cc"], - extension_names = ["envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"], + extension_names = ["envoy.bootstrap.reverse_tunnel.downstream_socket_interface"], deps = [ "//source/common/network:address_lib", "//source/common/network:socket_interface_lib", @@ -59,7 +30,7 @@ envoy_extension_cc_test( "//test/mocks/upstream:upstream_mocks", "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc index 712e6bd7ed994..fcdedf18464d9 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc @@ -203,7 +203,7 @@ TEST_F(ReverseConnectionAddressTest, SocketInterfaceWithReverseInterface) { ProtobufTypes::MessagePtr createEmptyConfigProto() override { return nullptr; } std::string name() const override { - return "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"; + return "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"; } std::set configTypes() override { return {}; } diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index dc952fdcca527..aab00e2c102c2 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -3,7 +3,7 @@ #include #include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" #include "envoy/network/socket_interface.h" #include "envoy/server/factory_context.h" #include "envoy/thread_local/thread_local.h" @@ -106,7 +106,7 @@ class ReverseTunnelInitiatorExtensionTest : public testing::Test { Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_{"worker_0"}; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; std::unique_ptr socket_interface_; @@ -121,7 +121,7 @@ class ReverseTunnelInitiatorExtensionTest : public testing::Test { // Basic functionality tests. TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { // Test with empty config (should initialize successfully). - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface empty_config; auto extension_with_default = @@ -614,7 +614,7 @@ class ReverseTunnelInitiatorTest : public testing::Test { Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_{"worker_0"}; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; std::unique_ptr socket_interface_; @@ -630,7 +630,7 @@ class ReverseTunnelInitiatorTest : public testing::Test { TEST_F(ReverseTunnelInitiatorTest, CreateBootstrapExtension) { // Test createBootstrapExtension function. - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config; auto extension = socket_interface_->createBootstrapExtension(config, context_); @@ -647,7 +647,7 @@ TEST_F(ReverseTunnelInitiatorTest, CreateEmptyConfigProto) { // Should be able to cast to the correct type. auto* typed_config = - dynamic_cast(config.get()); EXPECT_NE(typed_config, nullptr); } @@ -676,7 +676,7 @@ TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { TEST_F(ReverseTunnelInitiatorTest, FactoryName) { EXPECT_EQ(socket_interface_->name(), - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); } TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv4) { @@ -892,7 +892,7 @@ TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithSocketCreationOptions) { // Configuration validation tests. class ConfigValidationTest : public testing::Test { protected: - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; NiceMock context_; NiceMock thread_local_; @@ -995,7 +995,7 @@ class ReverseConnectionIOHandleTest : public testing::Test { Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_{"worker_0"}; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; std::unique_ptr socket_interface_; @@ -3201,7 +3201,7 @@ class RCConnectionWrapperTest : public testing::Test { Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; NiceMock dispatcher_{"worker_0"}; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; std::unique_ptr extension_; std::unique_ptr io_handle_; From cb7589fced4b10501fd2e75add72c5bae5d55bc9 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 05:05:42 +0000 Subject: [PATCH 275/505] reverse conn cluster changes Signed-off-by: Basundhara Chakrabarty --- .../clusters/reverse_connection/v3/BUILD | 4 +--- .../extensions/clusters/reverse_connection/BUILD | 2 +- .../reverse_connection/reverse_connection.cc | 4 ++-- .../reverse_connection/reverse_connection.h | 7 ++++--- .../reverse_connection_cluster_test.cc | 16 +++++++--------- 5 files changed, 15 insertions(+), 18 deletions(-) diff --git a/api/envoy/extensions/clusters/reverse_connection/v3/BUILD b/api/envoy/extensions/clusters/reverse_connection/v3/BUILD index b514f18ab81a3..29ebf0741406e 100644 --- a/api/envoy/extensions/clusters/reverse_connection/v3/BUILD +++ b/api/envoy/extensions/clusters/reverse_connection/v3/BUILD @@ -5,7 +5,5 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = [ - "@com_github_cncf_xds//udpa/annotations:pkg", - ], + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], ) diff --git a/source/extensions/clusters/reverse_connection/BUILD b/source/extensions/clusters/reverse_connection/BUILD index bbe8ef293e2d3..53f8331064f78 100644 --- a/source/extensions/clusters/reverse_connection/BUILD +++ b/source/extensions/clusters/reverse_connection/BUILD @@ -19,7 +19,7 @@ envoy_cc_extension( "//source/common/network:address_lib", "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:upstream_includes", - "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "//source/extensions/transport_sockets/raw_buffer:config", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.cc b/source/extensions/clusters/reverse_connection/reverse_connection.cc index 7be59049ed27b..557d20033af69 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.cc +++ b/source/extensions/clusters/reverse_connection/reverse_connection.cc @@ -228,8 +228,8 @@ absl::string_view RevConCluster::getHostIdValue(const Http::RequestHeaderMap* re } BootstrapReverseConnection::UpstreamSocketManager* RevConCluster::getUpstreamSocketManager() const { - auto* upstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (upstream_interface == nullptr) { ENVOY_LOG(error, "Upstream reverse socket interface not found"); return nullptr; diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index 3f115f3510676..f49874c3288b0 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -18,7 +18,8 @@ #include "source/common/network/socket_interface.h" #include "source/common/upstream/cluster_factory_impl.h" #include "source/common/upstream/upstream_impl.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" #include "absl/status/statusor.h" @@ -85,8 +86,8 @@ class UpstreamReverseConnectionAddress const Network::SocketInterface& socketInterface() const override { ENVOY_LOG(debug, "UpstreamReverseConnectionAddress: socketInterface() called for node: {}", node_id_); - auto* upstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (upstream_interface) { ENVOY_LOG(debug, "UpstreamReverseConnectionAddress: Using ReverseTunnelAcceptor for node: {}", node_id_); diff --git a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc index e101cfb119709..5bed128c45f7b 100644 --- a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc +++ b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc @@ -100,8 +100,8 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi *socket_interface_, server_context_, config_); // Get the registered socket interface from the global registry and set up its extension. - auto* registered_socket_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* registered_socket_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (registered_socket_interface) { auto* registered_acceptor = dynamic_cast( const_cast(registered_socket_interface)); @@ -724,8 +724,7 @@ TEST_F(ReverseConnectionClusterTest, SocketInterfaceNotRegistered) { // Find and remove the specific socket interface factory. auto& factories = Registry::FactoryRegistry::factories(); - auto it = factories.find( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto it = factories.find("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (it != factories.end()) { factories.erase(it); } @@ -1270,8 +1269,8 @@ class UpstreamReverseConnectionAddressTest : public testing::Test { extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); // Get the registered socket interface from the global registry and set up its extension. - auto* registered_socket_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* registered_socket_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (registered_socket_interface) { auto* registered_acceptor = dynamic_cast( const_cast(registered_socket_interface)); @@ -1298,7 +1297,7 @@ class UpstreamReverseConnectionAddressTest : public testing::Test { std::unique_ptr extension_; // Configuration for the extension. - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: UpstreamReverseConnectionSocketInterface config_; // Stats store and scope. @@ -1420,8 +1419,7 @@ TEST_F(UpstreamReverseConnectionAddressTest, SocketInterfaceWithUnavailableInter // Find and remove the specific socket interface factory. auto& factories = Registry::FactoryRegistry::factories(); - auto it = factories.find( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto it = factories.find("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (it != factories.end()) { factories.erase(it); } From 3503800498c0b15abb0de26eed5c5eba1139476e Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 05:07:00 +0000 Subject: [PATCH 276/505] reverse conn listener filter changes Signed-off-by: Basundhara Chakrabarty --- .../extensions/filters/listener/reverse_connection/v3/BUILD | 4 +--- .../listener/reverse_connection/v3/reverse_connection.proto | 3 +-- source/extensions/filters/listener/reverse_connection/BUILD | 2 +- .../filters/listener/reverse_connection/reverse_connection.cc | 2 +- 4 files changed, 4 insertions(+), 7 deletions(-) diff --git a/api/envoy/extensions/filters/listener/reverse_connection/v3/BUILD b/api/envoy/extensions/filters/listener/reverse_connection/v3/BUILD index b514f18ab81a3..29ebf0741406e 100644 --- a/api/envoy/extensions/filters/listener/reverse_connection/v3/BUILD +++ b/api/envoy/extensions/filters/listener/reverse_connection/v3/BUILD @@ -5,7 +5,5 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = [ - "@com_github_cncf_xds//udpa/annotations:pkg", - ], + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], ) diff --git a/api/envoy/extensions/filters/listener/reverse_connection/v3/reverse_connection.proto b/api/envoy/extensions/filters/listener/reverse_connection/v3/reverse_connection.proto index 41864578ad558..e781ae375c5f3 100644 --- a/api/envoy/extensions/filters/listener/reverse_connection/v3/reverse_connection.proto +++ b/api/envoy/extensions/filters/listener/reverse_connection/v3/reverse_connection.proto @@ -12,7 +12,6 @@ option java_outer_classname = "ReverseConnectionProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/reverse_connection/v3;reverse_connectionv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (udpa.annotations.file_status).work_in_progress = true; // [#protodoc-title: Reverse Connection Filter] // Reverse Connection listener filter. @@ -23,4 +22,4 @@ message ReverseConnection { "envoy.extensions.filters.listener.reverse_connection.v3alpha.ReverseConnection"; google.protobuf.UInt32Value ping_wait_timeout = 1; -} \ No newline at end of file +} diff --git a/source/extensions/filters/listener/reverse_connection/BUILD b/source/extensions/filters/listener/reverse_connection/BUILD index 4aba81cf47e12..5a28db2c9ec5d 100644 --- a/source/extensions/filters/listener/reverse_connection/BUILD +++ b/source/extensions/filters/listener/reverse_connection/BUILD @@ -30,7 +30,7 @@ envoy_cc_extension( "//envoy/network:filter_interface", "//source/common/api:os_sys_calls_lib", "//source/common/common:logger_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", ], ) diff --git a/source/extensions/filters/listener/reverse_connection/reverse_connection.cc b/source/extensions/filters/listener/reverse_connection/reverse_connection.cc index 44dda591a0dcd..6565118b640cf 100644 --- a/source/extensions/filters/listener/reverse_connection/reverse_connection.cc +++ b/source/extensions/filters/listener/reverse_connection/reverse_connection.cc @@ -13,7 +13,7 @@ #include "source/common/api/os_sys_calls_impl.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/assert.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" // #include "source/common/network/io_socket_handle_impl.h" From 933ae17cfeedce994b3c0001ca80070a22971a6e Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 05:08:04 +0000 Subject: [PATCH 277/505] reverse conn http filter changes Signed-off-by: Basundhara Chakrabarty --- .../filters/http/reverse_conn/BUILD | 2 +- .../filters/http/reverse_conn/config.cc | 3 +-- .../http/reverse_conn/reverse_conn_filter.h | 20 ++++++++++--------- .../filters/http/reverse_conn/BUILD | 2 +- .../reverse_conn/reverse_conn_filter_test.cc | 14 ++++++------- 5 files changed, 21 insertions(+), 20 deletions(-) diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index 74f6f219498f6..109f9439f7cd8 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -37,8 +37,8 @@ envoy_cc_extension( "//source/common/network:connection_socket_lib", "//source/common/network:filter_lib", "//source/common/protobuf:utility_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", ], diff --git a/source/extensions/filters/http/reverse_conn/config.cc b/source/extensions/filters/http/reverse_conn/config.cc index 0f52c993d60cc..93a7a9767f3be 100644 --- a/source/extensions/filters/http/reverse_conn/config.cc +++ b/source/extensions/filters/http/reverse_conn/config.cc @@ -13,8 +13,7 @@ namespace ReverseConn { Http::FilterFactoryCb ReverseConnFilterConfigFactory::createFilterFactoryFromProtoTyped( const envoy::extensions::filters::http::reverse_conn::v3::ReverseConn& proto_config, - const std::string&, Server::Configuration::FactoryContext& context) { - (void)context; + const std::string&, Server::Configuration::FactoryContext&) { ReverseConnFilterConfigSharedPtr config = std::make_shared(ReverseConnFilterConfig(proto_config)); diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 85df4e3585590..8c1ecc6b6e5a3 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -14,8 +14,10 @@ #include "source/common/http/utility.h" #include "source/common/network/filter_impl.h" #include "source/common/protobuf/protobuf.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" #include "absl/types/optional.h" @@ -140,8 +142,8 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Get the upstream socket manager from the thread-local registry ReverseConnection::UpstreamSocketManager* getUpstreamSocketManager() { - auto* upstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (!upstream_interface) { ENVOY_LOG(debug, "Upstream reverse socket interface not found"); return nullptr; @@ -165,8 +167,8 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Get the downstream socket interface (for initiator role) const ReverseConnection::ReverseTunnelInitiator* getDownstreamSocketInterface() { - auto* downstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + auto* downstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); if (!downstream_interface) { ENVOY_LOG(debug, "Downstream reverse socket interface not found"); return nullptr; @@ -184,8 +186,8 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Get the upstream socket interface extension for production cross-thread aggregation ReverseConnection::ReverseTunnelAcceptorExtension* getUpstreamSocketInterfaceExtension() { - auto* upstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (!upstream_interface) { ENVOY_LOG(debug, "Upstream reverse socket interface not found"); return nullptr; @@ -204,8 +206,8 @@ class ReverseConnFilter : Logger::Loggable, public Http::Str // Get the downstream socket interface extension for production cross-thread aggregation ReverseConnection::ReverseTunnelInitiatorExtension* getDownstreamSocketInterfaceExtension() { - auto* downstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + auto* downstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); if (!downstream_interface) { ENVOY_LOG(debug, "Downstream reverse socket interface not found"); return nullptr; diff --git a/test/extensions/filters/http/reverse_conn/BUILD b/test/extensions/filters/http/reverse_conn/BUILD index a074544ef3975..cb49e7cda4343 100644 --- a/test/extensions/filters/http/reverse_conn/BUILD +++ b/test/extensions/filters/http/reverse_conn/BUILD @@ -26,6 +26,6 @@ envoy_cc_test( "//test/mocks/server:factory_context_mocks", "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc index 9181cf9f57447..f7451bb8d69f2 100644 --- a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -1,6 +1,6 @@ #include "envoy/common/optref.h" #include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" -#include "envoy/extensions/bootstrap/reverse_connection_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/network/connection.h" #include "source/common/buffer/buffer_impl.h" @@ -76,8 +76,8 @@ class ReverseConnFilterTest : public testing::Test { *upstream_socket_interface_, context_, upstream_config_); // Set up the extension in the global socket interface registry - auto* registered_upstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface"); + auto* registered_upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); if (registered_upstream_interface) { auto* registered_acceptor = dynamic_cast( const_cast(registered_upstream_interface)); @@ -97,8 +97,8 @@ class ReverseConnFilterTest : public testing::Test { context_, downstream_config_); // Set up the extension in the global socket interface registry - auto* registered_downstream_interface = Network::socketInterface( - "envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface"); + auto* registered_downstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); if (registered_downstream_interface) { auto* registered_initiator = dynamic_cast( const_cast(registered_downstream_interface)); @@ -331,9 +331,9 @@ class ReverseConnFilterTest : public testing::Test { std::unique_ptr downstream_extension_; // Config for reverse connection socket interface - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: UpstreamReverseConnectionSocketInterface upstream_config_; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface downstream_config_; // Set debug logging for this test From 4fa5cddbf4a9b5de06295c04d6cc8655c380bf02 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 06:12:53 +0000 Subject: [PATCH 278/505] formatting files and test network filter Signed-off-by: Basundhara Chakrabarty --- .dockerignore | 2 + .../reverse_conn/v3/reverse_conn.proto | 21 + ci/Dockerfile-ntnx | 6 +- ci/docker-entrypoint-ntnx.sh | 16 + ci/run_envoy_docker.sh | 2 +- .../reverse_connection/backend_service.py | 11 +- examples/reverse_connection/cloud-envoy.yaml | 2 +- .../reverse_connection/on-prem-envoy.yaml | 2 +- .../test_reverse_connections.py | 377 ++++++++--------- source/common/network/connection_impl.cc | 21 +- source/common/network/connection_impl.h | 4 +- .../common/network/io_socket_handle_impl.cc | 29 +- source/common/network/socket_impl.h | 4 +- .../filters/network/reverse_conn/BUILD | 43 ++ .../filters/network/reverse_conn/README.md | 230 ++++++++++ .../reverse_conn/reverse_conn_filter.cc | 394 ++++++++++++++++++ .../reverse_conn/reverse_conn_filter.h | 134 ++++++ .../reverse_conn_filter_factory.cc | 31 ++ .../reverse_conn_filter_factory.h | 28 ++ .../listener_manager_impl_test.cc | 38 +- 20 files changed, 1146 insertions(+), 249 deletions(-) create mode 100644 api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto create mode 100755 ci/docker-entrypoint-ntnx.sh create mode 100644 source/extensions/filters/network/reverse_conn/BUILD create mode 100644 source/extensions/filters/network/reverse_conn/README.md create mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc create mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter.h create mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc create mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h diff --git a/.dockerignore b/.dockerignore index 5927e0e01954b..66f2e6b90aa0a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,10 +1,12 @@ /* !/VERSION.txt !/build_envoy +!/build_envoy_debug !/ci !/distribution/docker !/configs/google-vrp !/configs/*yaml +!/linux/amd64/build_envoy_debug !/linux/amd64/release.tar.zst !/linux/amd64/schema_validator_tool !/linux/amd64/router_check_tool diff --git a/api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto b/api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto new file mode 100644 index 0000000000000..e0f60aa44d5e4 --- /dev/null +++ b/api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto @@ -0,0 +1,21 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.reverse_conn.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/reverse_conn/v3;reverse_connv3"; + +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc_title: Reverse Connection Network Filter] +// Reverse Connection Network Filter :ref:`configuration overview +// `. +// [#extension: envoy.filters.network.reverse_conn] + +// Configuration for the reverse connection network filter. +message ReverseConn { + // This filter has no configuration options currently. + // All behavior is hardcoded to handle reverse connection requests. +} \ No newline at end of file diff --git a/ci/Dockerfile-ntnx b/ci/Dockerfile-ntnx index 42b507dc5ee9f..cf57136118ecd 100644 --- a/ci/Dockerfile-ntnx +++ b/ci/Dockerfile-ntnx @@ -8,10 +8,10 @@ FROM scratch AS binary ARG TARGETPLATFORM ENV TARGETPLATFORM=${TARGETPLATFORM:-linux/amd64} ARG ENVOY_BINARY=envoy -ARG ENVOY_BINARY_SUFFIX=_stripped -ADD ${TARGETPLATFORM}/build_${ENVOY_BINARY}_release${ENVOY_BINARY_SUFFIX}/envoy* /usr/local/bin/ +ARG ENVOY_BINARY_SUFFIX= +ADD ${TARGETPLATFORM}/build_${ENVOY_BINARY}_debug${ENVOY_BINARY_SUFFIX}/envoy* /usr/local/bin/ ADD configs/envoyproxy_io_proxy.yaml /etc/envoy/envoy.yaml -COPY ${TARGETPLATFORM}/build_${ENVOY_BINARY}_release/schema_validator_tool /usr/local/bin/schema_validator_tool +COPY ${TARGETPLATFORM}/build_${ENVOY_BINARY}_debug${ENVOY_BINARY_SUFFIX}/schema_validator_tool /usr/local/bin/schema_validator_tool COPY ci/docker-entrypoint.sh / diff --git a/ci/docker-entrypoint-ntnx.sh b/ci/docker-entrypoint-ntnx.sh new file mode 100755 index 0000000000000..5819cc3fa8bcb --- /dev/null +++ b/ci/docker-entrypoint-ntnx.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env sh +set -e + +# if the first argument look like a parameter (i.e. start with '-'), run Envoy +if [ "${1#-}" != "$1" ]; then + set -- envoy "$@" +fi + +if [ "$1" = 'envoy' ]; then + # set the log level if the $loglevel variable is set + if [ -n "$loglevel" ]; then + set -- "$@" --log-level "$loglevel" + fi +fi + +exec "$@" \ No newline at end of file diff --git a/ci/run_envoy_docker.sh b/ci/run_envoy_docker.sh index 1ff8dec096f9a..033f34149da71 100755 --- a/ci/run_envoy_docker.sh +++ b/ci/run_envoy_docker.sh @@ -49,7 +49,7 @@ elif [[ -n "$ENVOY_DOCKER_IN_DOCKER" ]]; then COMPOSE_SERVICE="envoy-build-dind" fi -exec docker compose \ +exec docker-compose \ -f "${SCRIPT_DIR}/docker-compose.yml" \ ${ENVOY_DOCKER_PLATFORM:+-p "$ENVOY_DOCKER_PLATFORM"} \ run \ diff --git a/examples/reverse_connection/backend_service.py b/examples/reverse_connection/backend_service.py index 83d282356d6e0..a5f4bdf214ca0 100755 --- a/examples/reverse_connection/backend_service.py +++ b/examples/reverse_connection/backend_service.py @@ -5,7 +5,9 @@ import json from datetime import datetime + class BackendHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): # Create a response showing that the backend service is working response = { @@ -14,7 +16,7 @@ def do_GET(self): "path": self.path, "method": "GET" } - + self.send_response(200) self.send_header('Content-type', 'application/json') self.end_headers() @@ -24,7 +26,7 @@ def do_POST(self): # Handle POST requests as well content_length = int(self.headers.get('Content-Length', 0)) body = self.rfile.read(content_length).decode('utf-8') if content_length > 0 else "" - + response = { "message": "POST request received by on-premises backend service!", "timestamp": datetime.now().isoformat(), @@ -32,15 +34,16 @@ def do_POST(self): "method": "POST", "body": body } - + self.send_response(200) self.send_header('Content-type', 'application/json') self.end_headers() self.wfile.write(json.dumps(response, indent=2).encode()) + if __name__ == "__main__": PORT = 7070 with socketserver.TCPServer(("", PORT), BackendHandler) as httpd: print(f"Backend service running on port {PORT}") print(f"Visit http://localhost:{PORT}/on_prem_service to test") - httpd.serve_forever() \ No newline at end of file + httpd.serve_forever() diff --git a/examples/reverse_connection/cloud-envoy.yaml b/examples/reverse_connection/cloud-envoy.yaml index 16c01c45ad8dd..b97e699b7f168 100644 --- a/examples/reverse_connection/cloud-envoy.yaml +++ b/examples/reverse_connection/cloud-envoy.yaml @@ -98,4 +98,4 @@ layered_runtime: bootstrap_extensions: - name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface diff --git a/examples/reverse_connection/on-prem-envoy.yaml b/examples/reverse_connection/on-prem-envoy.yaml index 0b74ea2d576fd..08c9c710cfdb6 100644 --- a/examples/reverse_connection/on-prem-envoy.yaml +++ b/examples/reverse_connection/on-prem-envoy.yaml @@ -143,7 +143,7 @@ layered_runtime: bootstrap_extensions: - name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface src_cluster_id: on-prem src_node_id: on-prem-node src_tenant_id: on-prem diff --git a/examples/reverse_connection_socket_interface/test_reverse_connections.py b/examples/reverse_connection_socket_interface/test_reverse_connections.py index 44351d639665b..9358532f112fd 100644 --- a/examples/reverse_connection_socket_interface/test_reverse_connections.py +++ b/examples/reverse_connection_socket_interface/test_reverse_connections.py @@ -29,71 +29,91 @@ # Configuration CONFIG = { # File paths - use absolute paths based on script location - 'script_dir': os.path.dirname(os.path.abspath(__file__)), - 'docker_compose_file': os.path.join(os.path.dirname(os.path.abspath(__file__)), 'docker-compose.yaml'), - 'on_prem_config_file': os.path.join(os.path.dirname(os.path.abspath(__file__)), 'on-prem-envoy-custom-resolver.yaml'), - 'cloud_config_file': os.path.join(os.path.dirname(os.path.abspath(__file__)), 'cloud-envoy.yaml'), - + 'script_dir': + os.path.dirname(os.path.abspath(__file__)), + 'docker_compose_file': + os.path.join(os.path.dirname(os.path.abspath(__file__)), 'docker-compose.yaml'), + 'on_prem_config_file': + os.path.join( + os.path.dirname(os.path.abspath(__file__)), 'on-prem-envoy-custom-resolver.yaml'), + 'cloud_config_file': + os.path.join(os.path.dirname(os.path.abspath(__file__)), 'cloud-envoy.yaml'), + # Ports - 'cloud_admin_port': 8889, - 'cloud_api_port': 9001, - 'cloud_egress_port': 8085, - 'on_prem_admin_port': 8888, - 'xds_server_port': 18000, # Port for our xDS server - + 'cloud_admin_port': + 8889, + 'cloud_api_port': + 9001, + 'cloud_egress_port': + 8085, + 'on_prem_admin_port': + 8888, + 'xds_server_port': + 18000, # Port for our xDS server + # Container names - 'cloud_container': 'cloud-envoy', - 'on_prem_container': 'on-prem-envoy', - + 'cloud_container': + 'cloud-envoy', + 'on_prem_container': + 'on-prem-envoy', + # Timeouts - 'envoy_startup_timeout': 30, - 'docker_startup_delay': 10, + 'envoy_startup_timeout': + 30, + 'docker_startup_delay': + 10, } # Configure logging logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') logger = logging.getLogger(__name__) + class ReverseConnectionTester: + def __init__(self): self.docker_compose_process: Optional[subprocess.Popen] = None self.temp_dir = tempfile.mkdtemp() self.docker_compose_dir = CONFIG['script_dir'] self.current_compose_file = None # Track which compose file is being used - self.current_compose_cwd = None # Track which directory to run from - + self.current_compose_cwd = None # Track which directory to run from + def create_on_prem_config_with_xds(self) -> str: """Create on-prem Envoy config with xDS for dynamic listener management.""" # Load the original config with open(CONFIG['on_prem_config_file'], 'r') as f: config = yaml.safe_load(f) - + # Remove the reverse_conn_listener (will be added via xDS) listeners = config['static_resources']['listeners'] config['static_resources']['listeners'] = [ - listener for listener in listeners - if listener['name'] != 'reverse_conn_listener' + listener for listener in listeners if listener['name'] != 'reverse_conn_listener' ] - + # Update the on-prem-service cluster to point to on-prem-service container for cluster in config['static_resources']['clusters']: if cluster['name'] == 'on-prem-service': - cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint']['address']['socket_address']['address'] = 'on-prem-service' - cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint']['address']['socket_address']['port_value'] = 80 - + cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ + 'address']['socket_address']['address'] = 'on-prem-service' + cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ + 'address']['socket_address']['port_value'] = 80 + # Update the cloud cluster to point to cloud-envoy container for cluster in config['static_resources']['clusters']: if cluster['name'] == 'cloud': - cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint']['address']['socket_address']['address'] = 'cloud-envoy' - cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint']['address']['socket_address']['port_value'] = 9000 - + cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ + 'address']['socket_address']['address'] = 'cloud-envoy' + cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ + 'address']['socket_address']['port_value'] = 9000 + # Add xDS cluster for dynamic configuration config['static_resources']['clusters'].append({ 'name': 'xds_cluster', 'type': 'STRICT_DNS', 'connect_timeout': '30s', 'load_assignment': { - 'cluster_name': 'xds_cluster', + 'cluster_name': + 'xds_cluster', 'endpoints': [{ 'lb_endpoints': [{ 'endpoint': { @@ -109,7 +129,7 @@ def create_on_prem_config_with_xds(self) -> str: }, 'dns_lookup_family': 'V4_ONLY' }) - + # Add dynamic resources configuration config['dynamic_resources'] = { 'lds_config': { @@ -122,28 +142,28 @@ def create_on_prem_config_with_xds(self) -> str: } } } - + config_file = os.path.join(self.temp_dir, "on-prem-envoy-with-xds.yaml") with open(config_file, 'w') as f: yaml.dump(config, f, default_flow_style=False) - + return config_file - + def start_docker_compose(self, on_prem_config: str = None) -> bool: """Start Docker Compose services.""" logger.info("Starting Docker Compose services") - + # Create a temporary docker-compose file with the custom on-prem config if provided if on_prem_config: # Copy the original docker-compose file and modify it with open(CONFIG['docker_compose_file'], 'r') as f: compose_config = yaml.safe_load(f) - + # Update the on-prem-envoy service to use the custom config compose_config['services']['on-prem-envoy']['volumes'] = [ f"{on_prem_config}:/etc/on-prem-envoy.yaml" ] - + # Copy cloud-envoy.yaml to temp directory and update the path import shutil temp_cloud_config = os.path.join(self.temp_dir, "cloud-envoy.yaml") @@ -151,72 +171,58 @@ def start_docker_compose(self, on_prem_config: str = None) -> bool: compose_config['services']['cloud-envoy']['volumes'] = [ f"{temp_cloud_config}:/etc/cloud-envoy.yaml" ] - + # Copy Dockerfile.xds to temp directory dockerfile_xds = os.path.join(CONFIG['script_dir'], "Dockerfile.xds") temp_dockerfile_xds = os.path.join(self.temp_dir, "Dockerfile.xds") shutil.copy(dockerfile_xds, temp_dockerfile_xds) - + temp_compose_file = os.path.join(self.temp_dir, "docker-compose.yaml") with open(temp_compose_file, 'w') as f: yaml.dump(compose_config, f, default_flow_style=False) - + compose_file = temp_compose_file else: compose_file = CONFIG['docker_compose_file'] - + # Start docker-compose in background with logs visible - cmd = [ - "docker-compose", "-f", compose_file, "up" - ] - + cmd = ["docker-compose", "-f", compose_file, "up"] + # If using a temporary compose file, run from temp directory, otherwise from docker_compose_dir if on_prem_config: # Run from temp directory where both files are located self.docker_compose_process = subprocess.Popen( - cmd, - cwd=self.temp_dir, - universal_newlines=True - ) + cmd, cwd=self.temp_dir, universal_newlines=True) self.current_compose_file = compose_file self.current_compose_cwd = self.temp_dir else: # Run from original directory self.docker_compose_process = subprocess.Popen( - cmd, - cwd=self.docker_compose_dir, - universal_newlines=True - ) + cmd, cwd=self.docker_compose_dir, universal_newlines=True) self.current_compose_file = compose_file self.current_compose_cwd = self.docker_compose_dir - + # Wait a moment for containers to be ready time.sleep(CONFIG['docker_startup_delay']) - + # Check if process is still running if self.docker_compose_process.poll() is not None: logger.error("Docker Compose failed to start") return False - + return True - + def stop_docker_compose(self) -> bool: """Stop Docker Compose services.""" logger.info("Stopping Docker Compose services") - - cmd = [ - "docker-compose", "-f", "docker-compose.yaml", "down" - ] - - process = subprocess.Popen( - cmd, - cwd=self.docker_compose_dir, - universal_newlines=True - ) - + + cmd = ["docker-compose", "-f", "docker-compose.yaml", "down"] + + process = subprocess.Popen(cmd, cwd=self.docker_compose_dir, universal_newlines=True) + process.wait() return process.returncode == 0 - + def wait_for_envoy_ready(self, admin_port: int, name: str, timeout: int = 30) -> bool: """Wait for Envoy to be ready by checking admin endpoint.""" start_time = time.time() @@ -228,12 +234,12 @@ def wait_for_envoy_ready(self, admin_port: int, name: str, timeout: int = 30) -> return True except requests.exceptions.RequestException: pass - + time.sleep(1) - + logger.error(f"{name} Envoy failed to start within {timeout} seconds") return False - + def check_reverse_connections(self, api_port: int) -> bool: """Check if reverse connections are established by calling the cloud API.""" try: @@ -242,7 +248,7 @@ def check_reverse_connections(self, api_port: int) -> bool: if response.status_code == 200: data = response.json() logger.info(f"Reverse connections state: {data}") - + # Check if on-prem is connected if "connected" in data and "on-prem-node" in data["connected"]: logger.info("Reverse connections are established") @@ -261,21 +267,15 @@ def check_reverse_connections(self, api_port: int) -> bool: logger.error(f"Error parsing JSON response: {e}") logger.error(f"Response text: {response.text}") return False - + def test_reverse_connection_request(self, port: int) -> bool: """Test sending a request through reverse connection.""" try: - headers = { - "x-remote-node-id": "on-prem-node", - "x-dst-cluster-uuid": "on-prem" - } + headers = {"x-remote-node-id": "on-prem-node", "x-dst-cluster-uuid": "on-prem"} # Use port 8081 (cloud-envoy's egress_listener) as specified in docker-compose response = requests.get( - f"http://localhost:{port}/on_prem_service", - headers=headers, - timeout=10 - ) - + f"http://localhost:{port}/on_prem_service", headers=headers, timeout=10) + if response.status_code == 200: logger.info(f"Reverse connection request successful: {response.text[:100]}...") return True @@ -285,28 +285,28 @@ def test_reverse_connection_request(self, port: int) -> bool: except requests.exceptions.RequestException as e: logger.error(f"Error testing reverse connection request: {e}") return False - + def get_reverse_conn_listener_config(self) -> dict: """Get the reverse_conn_listener configuration.""" # Load the original config to extract the reverse_conn_listener with open(CONFIG['on_prem_config_file'], 'r') as f: config = yaml.safe_load(f) - + # Find the reverse_conn_listener for listener in config['static_resources']['listeners']: if listener['name'] == 'reverse_conn_listener': return listener - + raise Exception("reverse_conn_listener not found in config") - + def add_reverse_conn_listener_via_xds(self) -> bool: """Add reverse_conn_listener via xDS.""" logger.info("Adding reverse_conn_listener via xDS") - + try: # Get the reverse_conn_listener configuration listener_config = self.get_reverse_conn_listener_config() - + # Send request to xDS server running in Docker import requests response = requests.post( @@ -315,46 +315,42 @@ def add_reverse_conn_listener_via_xds(self) -> bool: 'name': 'reverse_conn_listener', 'config': listener_config }, - timeout=10 - ) - + timeout=10) + if response.status_code == 200: logger.info("✓ reverse_conn_listener added via xDS") return True else: logger.error(f"Failed to add listener via xDS: {response.status_code}") return False - + except Exception as e: logger.error(f"Failed to add reverse_conn_listener via xDS: {e}") return False - + def remove_reverse_conn_listener_via_xds(self) -> bool: """Remove reverse_conn_listener via xDS.""" logger.info("Removing reverse_conn_listener via xDS") - + try: # Send request to xDS server running in Docker import requests response = requests.post( f"http://localhost:{CONFIG['xds_server_port']}/remove_listener", - json={ - 'name': 'reverse_conn_listener' - }, - timeout=10 - ) - + json={'name': 'reverse_conn_listener'}, + timeout=10) + if response.status_code == 200: logger.info("✓ reverse_conn_listener removed via xDS") return True else: logger.error(f"Failed to remove listener via xDS: {response.status_code}") return False - + except Exception as e: logger.error(f"Failed to remove reverse_conn_listener via xDS: {e}") return False - + def get_container_name(self, service_name: str) -> str: """Get the actual container name for a service, handling Docker Compose suffixes.""" try: @@ -363,43 +359,42 @@ def get_container_name(self, service_name: str) -> str: stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, - timeout=10 - ) + timeout=10) if result.returncode == 0 and result.stdout.strip(): container_name = result.stdout.strip() logger.info(f"Found container name for service {service_name}: {container_name}") return container_name else: - logger.error(f"Failed to find container for service {service_name}: {result.stderr}") + logger.error( + f"Failed to find container for service {service_name}: {result.stderr}") return service_name # Fallback to service name except Exception as e: logger.error(f"Error finding container name for {service_name}: {e}") return service_name # Fallback to service name - + def check_container_network_status(self) -> bool: """Check the network status of containers to help debug DNS issues.""" logger.info("Checking container network status") try: # Check if containers are running and their network info cmd = [ - 'docker', 'ps', '--filter', 'name=envoy', '--format', + 'docker', 'ps', '--filter', 'name=envoy', '--format', 'table {{.Names}}\t{{.Status}}\t{{.Ports}}' ] - + result = subprocess.run( cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, - timeout=10 - ) - + timeout=10) + if result.returncode == 0: logger.info("Container status:") logger.info(result.stdout) else: logger.error(f"Failed to get container status: {result.stderr}") - + # Check network info for the envoy-network cmd = ['docker', 'network', 'inspect', 'envoy-network'] result = subprocess.run( @@ -407,15 +402,14 @@ def check_container_network_status(self) -> bool: stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, - timeout=10 - ) - + timeout=10) + if result.returncode == 0: logger.info("Network info:") logger.info(result.stdout) else: logger.error(f"Failed to get network info: {result.stderr}") - + return True except Exception as e: logger.error(f"Error checking container network status: {e}") @@ -427,67 +421,55 @@ def check_network_connectivity(self) -> bool: try: # First check container network status self.check_container_network_status() - + # Get the on-prem container name on_prem_container = self.get_container_name(CONFIG['on_prem_container']) - + # Test DNS resolution first logger.info("Testing DNS resolution...") - dns_cmd = [ - 'docker', 'exec', on_prem_container, 'sh', '-c', - 'nslookup cloud-envoy' - ] - + dns_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'nslookup cloud-envoy'] + dns_result = subprocess.run( dns_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, - timeout=15 - ) - + timeout=15) + logger.info(f"DNS resolution result: {dns_result.stdout}") if dns_result.stderr: logger.error(f"DNS resolution error: {dns_result.stderr}") - + # Test ping connectivity logger.info("Testing ping connectivity...") - ping_cmd = [ - 'docker', 'exec', on_prem_container, 'sh', '-c', - 'ping -c 1 cloud-envoy' - ] - + ping_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'ping -c 1 cloud-envoy'] + ping_result = subprocess.run( ping_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, - timeout=15 - ) - + timeout=15) + logger.info(f"Ping result: {ping_result.stdout}") if ping_result.stderr: logger.error(f"Ping error: {ping_result.stderr}") - + # Test TCP connectivity to the specific port logger.info("Testing TCP connectivity to cloud-envoy:9000...") - tcp_cmd = [ - 'docker', 'exec', on_prem_container, 'sh', '-c', - 'nc -z cloud-envoy 9000' - ] - + tcp_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'nc -z cloud-envoy 9000'] + tcp_result = subprocess.run( tcp_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, - timeout=15 - ) - + timeout=15) + logger.info(f"TCP connectivity result: {tcp_result.stdout}") if tcp_result.stderr: logger.error(f"TCP connectivity error: {tcp_result.stderr}") - + # Consider it successful if at least DNS resolution works if dns_result.returncode == 0: logger.info("✓ DNS resolution is working") @@ -495,7 +477,7 @@ def check_network_connectivity(self) -> bool: else: logger.error("✗ DNS resolution failed") return False - + except Exception as e: logger.error(f"Error checking network connectivity: {e}") return False @@ -515,30 +497,31 @@ def start_cloud_envoy(self) -> bool: logger.warn("No stored compose file found, using default") compose_file = CONFIG['docker_compose_file'] compose_cwd = self.docker_compose_dir - - logger.info("Using docker-compose up to start cloud-envoy with consistent network config") + + logger.info( + "Using docker-compose up to start cloud-envoy with consistent network config") result = subprocess.run( ['docker-compose', '-f', compose_file, 'up', '-d', CONFIG['cloud_container']], stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, timeout=60, - cwd=compose_cwd - ) - + cwd=compose_cwd) + if result.returncode == 0: logger.info("✓ Cloud Envoy container started") - + # Add a small delay to ensure network is properly established logger.info("Waiting for network to be established...") time.sleep(3) - + # Check network connectivity if not self.check_network_connectivity(): logger.warn("Network connectivity check failed, but continuing...") - + # Wait for cloud Envoy to be ready - if not self.wait_for_envoy_ready(CONFIG['cloud_admin_port'], "cloud", CONFIG['envoy_startup_timeout']): + if not self.wait_for_envoy_ready(CONFIG['cloud_admin_port'], "cloud", + CONFIG['envoy_startup_timeout']): logger.error("Cloud Envoy failed to become ready after restart") return False logger.info("✓ Cloud Envoy is ready after restart") @@ -549,19 +532,17 @@ def start_cloud_envoy(self) -> bool: except Exception as e: logger.error(f"Error starting cloud Envoy: {e}") return False - + def stop_cloud_envoy(self) -> bool: """Stop the cloud Envoy container.""" logger.info("Stopping cloud Envoy container") try: container_name = self.get_container_name(CONFIG['cloud_container']) - result = subprocess.run( - ['docker', 'stop', container_name], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - universal_newlines=True, - timeout=30 - ) + result = subprocess.run(['docker', 'stop', container_name], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + universal_newlines=True, + timeout=30) if result.returncode == 0: logger.info("✓ Cloud Envoy container stopped") return True @@ -571,60 +552,65 @@ def stop_cloud_envoy(self) -> bool: except Exception as e: logger.error(f"Error stopping cloud Envoy: {e}") return False - + def run_test(self): """Run the complete reverse connection test.""" try: logger.info("Starting reverse connection test") - + # Step 0: Start Docker Compose services with xDS config on_prem_config_with_xds = self.create_on_prem_config_with_xds() if not self.start_docker_compose(on_prem_config_with_xds): raise Exception("Failed to start Docker Compose services") - + # Step 1: Wait for Envoy instances to be ready - if not self.wait_for_envoy_ready(CONFIG['cloud_admin_port'], "cloud", CONFIG['envoy_startup_timeout']): + if not self.wait_for_envoy_ready(CONFIG['cloud_admin_port'], "cloud", + CONFIG['envoy_startup_timeout']): raise Exception("Cloud Envoy failed to start") - - if not self.wait_for_envoy_ready(CONFIG['on_prem_admin_port'], "on-prem", CONFIG['envoy_startup_timeout']): + + if not self.wait_for_envoy_ready(CONFIG['on_prem_admin_port'], "on-prem", + CONFIG['envoy_startup_timeout']): raise Exception("On-prem Envoy failed to start") - + # Step 2: Verify reverse connections are NOT established logger.info("Verifying reverse connections are NOT established") time.sleep(5) # Give some time for any potential connections if self.check_reverse_connections(CONFIG['cloud_api_port']): # cloud-envoy's API port - raise Exception("Reverse connections should not be established without reverse_conn_listener") + raise Exception( + "Reverse connections should not be established without reverse_conn_listener") logger.info("✓ Reverse connections are correctly not established") - + # Step 3: Add reverse_conn_listener to on-prem via xDS logger.info("Adding reverse_conn_listener to on-prem via xDS") if not self.add_reverse_conn_listener_via_xds(): raise Exception("Failed to add reverse_conn_listener via xDS") - + # Step 4: Wait for reverse connections to be established logger.info("Waiting for reverse connections to be established") max_wait = 60 start_time = time.time() while time.time() - start_time < max_wait: - if self.check_reverse_connections(CONFIG['cloud_api_port']): # cloud-envoy's API port + if self.check_reverse_connections( + CONFIG['cloud_api_port']): # cloud-envoy's API port logger.info("✓ Reverse connections are established") break logger.info("Waiting for reverse connections to be established") time.sleep(1) else: raise Exception("Reverse connections failed to establish within timeout") - + # Step 5: Test request through reverse connection logger.info("Testing request through reverse connection") - if not self.test_reverse_connection_request(CONFIG['cloud_egress_port']): # cloud-envoy's egress port + if not self.test_reverse_connection_request( + CONFIG['cloud_egress_port']): # cloud-envoy's egress port raise Exception("Reverse connection request failed") logger.info("✓ Reverse connection request successful") - + # Step 6: Stop cloud Envoy and verify reverse connections are down logger.info("Step 6: Stopping cloud Envoy to test connection recovery") if not self.stop_cloud_envoy(): raise Exception("Failed to stop cloud Envoy") - + # Verify reverse connections are down logger.info("Verifying reverse connections are down after stopping cloud Envoy") time.sleep(2) # Give some time for connections to be detected as down @@ -632,79 +618,82 @@ def run_test(self): logger.warn("Reverse connections still appear active after stopping cloud Envoy") else: logger.info("✓ Reverse connections are correctly down after stopping cloud Envoy") - + # Step 7: Wait for > drain timer (3s) and then start cloud Envoy logger.info("Step 7: Waiting for drain timer (3s) before starting cloud Envoy") time.sleep(15) # Wait more than the reverse conn retry timer for the connections # to be drained. - + logger.info("Starting cloud Envoy to test reverse connection re-establishment") if not self.start_cloud_envoy(): raise Exception("Failed to start cloud Envoy") - + # Step 8: Verify reverse connections are re-established logger.info("Step 8: Verifying reverse connections are re-established") max_wait = 60 start_time = time.time() while time.time() - start_time < max_wait: if self.check_reverse_connections(CONFIG['cloud_api_port']): - logger.info("✓ Reverse connections are re-established after cloud Envoy restart") + logger.info( + "✓ Reverse connections are re-established after cloud Envoy restart") break logger.info("Waiting for reverse connections to be re-established") time.sleep(1) else: raise Exception("Reverse connections failed to re-establish within timeout") - + # # Step 10: Remove reverse_conn_listener from on-prem via xDS logger.info("Removing reverse_conn_listener from on-prem via xDS") if not self.remove_reverse_conn_listener_via_xds(): raise Exception("Failed to remove reverse_conn_listener via xDS") - + # # Step 11: Verify reverse connections are torn down logger.info("Verifying reverse connections are torn down") time.sleep(10) # Wait for connections to be torn down if self.check_reverse_connections(CONFIG['cloud_api_port']): # cloud-envoy's API port raise Exception("Reverse connections should be torn down after removing listener") logger.info("✓ Reverse connections are correctly torn down") - + logger.info("Test completed successfully!") return True - + except Exception as e: logger.error(f"Test failed: {e}") return False finally: self.cleanup() - + def cleanup(self): """Clean up processes and temporary files.""" logger.info("Cleaning up") - + # Stop Docker Compose services if self.docker_compose_process: self.docker_compose_process.terminate() self.docker_compose_process.wait() - + self.stop_docker_compose() - + # Clean up temp directory import shutil shutil.rmtree(self.temp_dir, ignore_errors=True) + def main(): """Main function.""" tester = ReverseConnectionTester() - + # Handle Ctrl+C gracefully def signal_handler(sig, frame): logger.info("Received interrupt signal, cleaning up...") tester.cleanup() sys.exit(0) - + signal.signal(signal.SIGINT, signal_handler) - + success = tester.run_test() sys.exit(0 if success else 1) + if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index ccf8dba0358f4..b2c5198c79e9d 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -120,12 +120,15 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt } ConnectionImpl::~ConnectionImpl() { - ENVOY_CONN_LOG(trace, "ConnectionImpl destructor called, socket_={}, socket_isOpen={}, delayed_close_timer_={}, reuse_socket_={}", - *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, + ENVOY_CONN_LOG(trace, + "ConnectionImpl destructor called, socket_={}, socket_isOpen={}, " + "delayed_close_timer_={}, reuse_socket_={}", + *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, delayed_close_timer_ ? "not_null" : "null", static_cast(reuse_socket_)); if (reuse_socket_) { - ENVOY_CONN_LOG(trace, "ConnectionImpl destructor called, reuse_socket_=true, skipping close", *this); + ENVOY_CONN_LOG(trace, "ConnectionImpl destructor called, reuse_socket_=true, skipping close", + *this); return; } @@ -348,9 +351,10 @@ void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_actio } void ConnectionImpl::closeSocket(ConnectionEvent close_type) { - ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}, reuse_socket_={}", - *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, static_cast(reuse_socket_)); - + ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}, reuse_socket_={}", *this, + socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, + static_cast(reuse_socket_)); + if (socket_ == nullptr || !socket_->isOpen()) { ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); return; @@ -395,7 +399,8 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { } // It is safe to call close() since there is an IO handle check. - ENVOY_CONN_LOG(trace, "closeSocket: about to close socket, reuse_socket_={}", *this, static_cast(reuse_socket_)); + ENVOY_CONN_LOG(trace, "closeSocket: about to close socket, reuse_socket_={}", *this, + static_cast(reuse_socket_)); if (!reuse_socket_) { ENVOY_LOG_MISC(debug, "closeSocket:"); ENVOY_CONN_LOG(trace, "closeSocket: calling socket_->close()", *this); @@ -991,7 +996,7 @@ bool ConnectionImpl::setSocketOption(Network::SocketOptionName name, absl::Span< SocketOptionImpl::setSocketOption(*socket_, name, value.data(), value.size()); if (result.return_value_ != 0) { ENVOY_LOG_MISC(warn, "Setting option on socket failed, errno: {}, message: {}", result.errno_, - errorDetails(result.errno_)); + errorDetails(result.errno_)); return false; } diff --git a/source/common/network/connection_impl.h b/source/common/network/connection_impl.h index befd614e8b9cd..1a69d66c4f9ed 100644 --- a/source/common/network/connection_impl.h +++ b/source/common/network/connection_impl.h @@ -68,9 +68,9 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback RELEASE_ASSERT(socket_ != nullptr, "socket is null."); return socket_; } - void setSocketReused(bool value) override { + void setSocketReused(bool value) override { ENVOY_LOG_MISC(trace, "setSocketReused called with value={}", value); - reuse_socket_ = value; + reuse_socket_ = value; } bool isSocketReused() override { return reuse_socket_; } diff --git a/source/common/network/io_socket_handle_impl.cc b/source/common/network/io_socket_handle_impl.cc index 4bb69ea53b4d6..a2505ca9c06d3 100644 --- a/source/common/network/io_socket_handle_impl.cc +++ b/source/common/network/io_socket_handle_impl.cc @@ -60,9 +60,9 @@ IoSocketHandleImpl::~IoSocketHandleImpl() { } Api::IoCallUint64Result IoSocketHandleImpl::close() { - ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() called, fd_={}, SOCKET_VALID={}", - fd_, SOCKET_VALID(fd_)); - + ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() called, fd_={}, SOCKET_VALID={}", fd_, + SOCKET_VALID(fd_)); + if (file_event_) { ENVOY_LOG_MISC(error, "IoSocketHandleImpl::close() resetting file_event_"); file_event_.reset(); @@ -231,7 +231,7 @@ Api::IoCallUint64Result IoSocketHandleImpl::sendmsg(const Buffer::RawSlice* slic const Api::SysCallSizeResult result = os_syscalls.sendmsg(fd_, &message, flags); if (result.return_value_ < 0 && result.errno_ == SOCKET_ERROR_INVAL) { ENVOY_LOG_MISC(error, fmt::format("EINVAL error. Socket is open: {}, IPv{}.", isOpen(), - self_ip->version() == Address::IpVersion::v6 ? 6 : 4)); + self_ip->version() == Address::IpVersion::v6 ? 6 : 4)); } return sysCallResultToIoCallResult(result); } @@ -607,24 +607,27 @@ void IoSocketHandleImpl::initializeFileEvent(Event::Dispatcher& dispatcher, Even Event::FileTriggerType trigger, uint32_t events) { ASSERT(file_event_ == nullptr, "Attempting to initialize two `file_event_` for the same " "file descriptor. This is not allowed."); - + // Add trace logging to identify thread - ENVOY_LOG_MISC(trace, "IoSocketHandleImpl::initializeFileEvent() called for fd={} on thread: {} (isThreadSafe={})", - fd_, dispatcher.name(), dispatcher.isThreadSafe()); - + ENVOY_LOG_MISC( + trace, + "IoSocketHandleImpl::initializeFileEvent() called for fd={} on thread: {} (isThreadSafe={})", + fd_, dispatcher.name(), dispatcher.isThreadSafe()); + // Log additional thread info if (dispatcher.isThreadSafe()) { ENVOY_LOG_MISC(trace, "initializeFileEvent: Called on MAIN thread for fd={}", fd_); } else { - ENVOY_LOG_MISC(trace, "initializeFileEvent: Called on WORKER thread '{}' for fd={}", + ENVOY_LOG_MISC(trace, "initializeFileEvent: Called on WORKER thread '{}' for fd={}", dispatcher.name(), fd_); } - - ENVOY_LOG_MISC(trace, "initializeFileEvent: Creating file event with trigger={}, events={} for fd={}", + + ENVOY_LOG_MISC(trace, + "initializeFileEvent: Creating file event with trigger={}, events={} for fd={}", static_cast(trigger), events, fd_); - + file_event_ = dispatcher.createFileEvent(fd_, cb, trigger, events); - + ENVOY_LOG_MISC(trace, "initializeFileEvent: File event created successfully for fd={}", fd_); } diff --git a/source/common/network/socket_impl.h b/source/common/network/socket_impl.h index 5166aeb352248..726037014f3f0 100644 --- a/source/common/network/socket_impl.h +++ b/source/common/network/socket_impl.h @@ -133,8 +133,8 @@ class SocketImpl : public virtual Socket { IoHandle& ioHandle() override { return *io_handle_; } const IoHandle& ioHandle() const override { return *io_handle_; } void close() override { - ENVOY_LOG_MISC(trace, "SocketImpl::close() called, io_handle_={}, io_handle_isOpen={}", - io_handle_ ? "not_null" : "null", io_handle_ ? io_handle_->isOpen() : false); + ENVOY_LOG_MISC(trace, "SocketImpl::close() called, io_handle_={}, io_handle_isOpen={}", + io_handle_ ? "not_null" : "null", io_handle_ ? io_handle_->isOpen() : false); if (io_handle_ && io_handle_->isOpen()) { ENVOY_LOG_MISC(trace, "SocketImpl::close() calling io_handle_->close()"); io_handle_->close(); diff --git a/source/extensions/filters/network/reverse_conn/BUILD b/source/extensions/filters/network/reverse_conn/BUILD new file mode 100644 index 0000000000000..b7a58ad6921a7 --- /dev/null +++ b/source/extensions/filters/network/reverse_conn/BUILD @@ -0,0 +1,43 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_cc_library", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "reverse_conn_config_lib", + srcs = ["reverse_conn_filter_factory.cc"], + hdrs = ["reverse_conn_filter_factory.h"], + deps = [ + "//source/extensions/filters/network/generic_proxy/interface:filter_lib", + "//source/extensions/filters/network/reverse_conn:reverse_conn_lib", + "//source/extensions/filters/network/reverse_conn/v3:reverse_conn_proto", + ], +) + +envoy_cc_library( + name = "reverse_conn_lib", + srcs = [ + "reverse_conn_filter.cc", + ], + hdrs = [ + "reverse_conn_filter.h", + ], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/common:minimal_logger_lib", + "//source/common/network:filter_impl_lib", + "//source/common/protobuf:protobuf_lib", + "//source/extensions/bootstrap/reverse_connection_handshake/v3:reverse_connection_handshake_proto", + "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", + "//source/extensions/filters/network/generic_proxy/interface:filter_lib", + "//source/extensions/filters/network/generic_proxy/interface:stream_lib", + "//source/extensions/filters/network/reverse_conn/v3:reverse_conn_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + ], +) diff --git a/source/extensions/filters/network/reverse_conn/README.md b/source/extensions/filters/network/reverse_conn/README.md new file mode 100644 index 0000000000000..8e9b6563601ab --- /dev/null +++ b/source/extensions/filters/network/reverse_conn/README.md @@ -0,0 +1,230 @@ +# Reverse Connection Generic Proxy Filter (Terminal Filter) + +This filter provides a robust, **protocol-agnostic** implementation for handling reverse connection acceptance/rejection using the **Generic Proxy StreamFilter interface**. It's designed as a **terminal filter** that stops processing after handling reverse connection requests. + +## What It Does + +The filter **only** handles: +1. **Reverse Connection Acceptance/Rejection** - Processes POST requests to `/reverse_connections/request` +2. **Protobuf Parsing** - Extracts node, cluster, and tenant UUIDs from the request body +3. **SSL Certificate Processing** - Overrides UUIDs with values from SSL certificate DNS SANs +4. **Socket Management** - Duplicates and saves the connection to the upstream socket manager +5. **Terminal Behavior** - Closes the connection after processing (no further filters run) + +## How It Works + +### **1. Generic Proxy StreamFilter Interface** +```cpp +class ReverseConnFilter : public Network::Filter, + public GenericProxy::StreamFilter, + public Logger::Loggable { +public: + // Terminal filter behavior + bool isTerminalFilter() const { return true; } + + // GenericProxy::DecoderFilter + GenericProxy::HeaderFilterStatus decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) override; + GenericProxy::CommonFilterStatus decodeCommonFrame(GenericProxy::RequestCommonFrame& request) override; +}; +``` + +### **2. Protocol-Agnostic Request Processing** +```cpp +GenericProxy::HeaderFilterStatus ReverseConnFilter::decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) { + // Check if this is a reverse connection request + if (isReverseConnectionRequest(request)) { + ENVOY_LOG(debug, "ReverseConnFilter: Detected reverse connection request"); + is_reverse_connection_request_ = true; + + // Continue to receive body frames + return GenericProxy::HeaderFilterStatus::Continue; + } + + // Not a reverse connection request, continue to next filter + return GenericProxy::HeaderFilterStatus::Continue; +} +``` + +### **3. Terminal Filter Behavior** +```cpp +GenericProxy::CommonFilterStatus ReverseConnFilter::decodeCommonFrame(GenericProxy::RequestCommonFrame& request) { + if (!is_reverse_connection_request_) { + return GenericProxy::CommonFilterStatus::Continue; + } + + // Extract body data from the common frame + extractRequestBody(request); + + // Process when complete + if (!request_body_.empty()) { + processReverseConnectionRequest(); + + // As a terminal filter, stop processing after handling the request + return GenericProxy::CommonFilterStatus::StopIteration; + } + + return GenericProxy::CommonFilterStatus::Continue; +} +``` + +### **4. Connection Closure** +```cpp +void ReverseConnFilter::closeConnection() { + // Mark connection as reused + connection->setSocketReused(true); + + // Reset file events on the connection socket + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + + // Close the connection + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); +} +``` + +## Configuration + +### **Correct Configuration Structure** + +Your filter must be configured as part of a **Generic Proxy filter chain**, not as a standalone network filter: + +```yaml +static_resources: + listeners: + - name: "reverse_conn_listener" + address: + socket_address: + address: "0.0.0.0" + port_value: 8080 + listener_filters: + # Generic Proxy network filter intercepts all TCP data + - name: "envoy.filters.network.generic_proxy" + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.network.generic_proxy.v3.GenericProxy" + stat_prefix: "reverse_conn" + codec_config: + # HTTP/1.1 codec parses raw HTTP data into frames + name: "envoy.generic_proxy.codecs.http1" + typed_config: + "@type": "type.googleapis.com/envoy.extensions/filters.network/generic_proxy.codecs/http1/v3.Http1CodecConfig" + filters: + # Your reverse connection filter (L7 filter, not network filter) + - name: "envoy.filters.generic.reverse_conn" + typed_config: + "@type": "type.googleapis.com/envoy/extensions/filters/generic/reverse_conn/v3.ReverseConn" + + # Router filter for non-reverse-connection requests + - name: "envoy.filters.generic.router" + typed_config: + "@type": "type.googleapis.com/envoy/extensions/filters/network/generic_proxy/router/v3.Router" + bind_upstream_connection: false +``` + +### **Why This Structure?** + +1. **Generic Proxy network filter** intercepts all TCP data first +2. **HTTP/1.1 codec** parses raw HTTP into `RequestHeaderFrame` and `RequestCommonFrame` +3. **Your filter** receives parsed frames (not raw TCP data) +4. **Terminal behavior** stops processing after handling reverse connection requests + +## Data Flow + +### **Complete Flow:** +``` +Raw HTTP Data → Generic Proxy Network Filter → HTTP1 Codec → Your Terminal Filter → Connection Closed +``` + +### **Step-by-Step:** +1. **Raw HTTP arrives**: `POST /reverse_connections/request HTTP/1.1\r\n...` +2. **Generic Proxy intercepts**: Network filter receives the data +3. **HTTP1 codec parses**: Creates `RequestHeaderFrame` and `RequestCommonFrame` +4. **Your filter processes**: `decodeHeaderFrame()` then `decodeCommonFrame()` +5. **Terminal behavior**: Returns `StopIteration`, closes connection +6. **No further processing**: Connection is closed, no more filters run + +## Key Benefits + +### **1. Terminal Filter Behavior** +- ✅ **Stops processing** after handling reverse connection requests +- ✅ **Closes connections** automatically +- ✅ **No downstream filters** run after your filter + +### **2. Protocol-Agnostic Operation** +- ✅ **Works with HTTP, gRPC, or any custom protocol** +- ✅ **Same filter logic** across all protocols +- ✅ **Future-proof architecture** + +### **3. Zero Protocol Parsing** +- ✅ **100% reuse** of Generic Proxy's parsing logic +- ✅ **No manual HTTP state machines** or CRLF searching +- ✅ **Automatic protocol compliance** guaranteed + +### **4. Standard Envoy Patterns** +- ✅ **Follows Envoy's filter architecture** exactly +- ✅ **Built-in observability** and metrics +- ✅ **Production-ready infrastructure** + +## What Generic Proxy Provides + +### **1. Complete Protocol Support** +- **HTTP/1.1, HTTP/2, HTTP/3** parsing and encoding +- **gRPC** support with streaming +- **Custom protocols** via codec interface +- **Protocol evolution** handled automatically + +### **2. Stream Management** +- **Automatic stream multiplexing** for concurrent requests +- **Frame routing** to correct streams +- **Connection lifecycle** management + +### **3. Production-Ready Features** +- **Automatic error handling** and recovery +- **Protocol validation** and sanitization +- **Built-in observability** and metrics + +## Implementation Details + +### **Filter Registration** +```cpp +// Register as Generic Proxy filter, not network filter +REGISTER_FACTORY(ReverseConnFilterConfigFactory, GenericProxy::NamedFilterConfigFactory); +``` + +### **Terminal Filter Implementation** +```cpp +class ReverseConnFilter : public GenericProxy::StreamFilter { +public: + // This makes it a terminal filter + bool isTerminalFilter() const { return true; } + + // Process parsed frames (not raw TCP data) + GenericProxy::HeaderFilterStatus decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) override; + GenericProxy::CommonFilterStatus decodeCommonFrame(GenericProxy::RequestCommonFrame& request) override; +}; +``` + +### **Connection Management** +```cpp +void ReverseConnFilter::processReverseConnectionRequest() { + // Send acceptance response + sendLocalReply(GenericProxy::Status::Ok, response_body); + + // Save the connection + saveDownstreamConnection(node_uuid_, cluster_uuid_); + + // Close the connection after processing (terminal filter behavior) + closeConnection(); +} +``` + +## Summary + +This filter is a **Generic Proxy L7 filter** (not a network filter) that: + +1. **Runs inside Generic Proxy framework** - receives parsed HTTP frames, not raw TCP +2. **Acts as a terminal filter** - stops processing and closes connections after handling requests +3. **Works with HTTP/1.1 codec** - automatically parses HTTP into usable frames +4. **Follows standard patterns** - integrates seamlessly with Generic Proxy infrastructure + +The key insight is that **Generic Proxy handles all the HTTP parsing and stream management**, while your filter just processes the parsed data and acts as a terminal point in the filter chain. \ No newline at end of file diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc new file mode 100644 index 0000000000000..dd3002c2e6409 --- /dev/null +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc @@ -0,0 +1,394 @@ +#include "source/extensions/filters/network/reverse_conn/reverse_conn_filter.h" + +#include "envoy/network/connection.h" +#include "envoy/network/connection_socket_impl.h" +#include "envoy/ssl/connection.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/empty_string.h" +#include "source/common/common/enum_to_int.h" +#include "source/common/common/logger.h" +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_option_impl.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/protobuf/utility.h" + +#include "absl/strings/str_cat.h" +#include "absl/strings/str_split.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseConn { + +// Static constants +const std::string ReverseConnFilter::REVERSE_CONNECTIONS_REQUEST_PATH = + "/reverse_connections/request"; +const std::string ReverseConnFilter::HTTP_POST_METHOD = "POST"; + +// ReverseConnFilter implementation + +ReverseConnFilter::ReverseConnFilter(ReverseConnFilterConfigSharedPtr config) : config_(config) { + // No custom codec needed - Generic Proxy handles all protocol parsing +} + +Network::FilterStatus ReverseConnFilter::onNewConnection() { + ENVOY_LOG(debug, "ReverseConnFilter: New connection established"); + return Network::FilterStatus::Continue; +} + +Network::FilterStatus ReverseConnFilter::onData(Buffer::Instance& data, bool end_stream) { + ENVOY_LOG(debug, "ReverseConnFilter: Received {} bytes, end_stream: {}", data.length(), + end_stream); + + // Note: In a real Generic Proxy setup, this method would typically not be called + // because the Generic Proxy filter would intercept the data and call our + // decodeHeaderFrame/decodeCommonFrame methods directly. + // This is kept for compatibility with the network filter interface. + + // For now, we'll just continue to let Generic Proxy handle the data + return Network::FilterStatus::Continue; +} + +Network::FilterStatus ReverseConnFilter::onWrite(Buffer::Instance&, bool) { + return Network::FilterStatus::Continue; +} + +void ReverseConnFilter::initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) { + read_callbacks_ = &callbacks; +} + +void ReverseConnFilter::initializeWriteFilterCallbacks(Network::WriteFilterCallbacks& callbacks) { + write_callbacks_ = &callbacks; +} + +// GenericProxy::DecoderFilter implementation + +void ReverseConnFilter::onDestroy() { ENVOY_LOG(debug, "ReverseConnFilter: Filter destroyed"); } + +void ReverseConnFilter::setDecoderFilterCallbacks(GenericProxy::DecoderFilterCallback& callbacks) { + decoder_callbacks_ = &callbacks; + ENVOY_LOG(debug, "ReverseConnFilter: Decoder filter callbacks set"); +} + +GenericProxy::HeaderFilterStatus +ReverseConnFilter::decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) { + ENVOY_LOG(debug, "ReverseConnFilter: Processing header frame - protocol: {}, host: {}, path: {}", + request.protocol(), request.host(), request.path()); + + // Check if this is a reverse connection request + if (isReverseConnectionRequest(request)) { + ENVOY_LOG(debug, "ReverseConnFilter: Detected reverse connection request"); + is_reverse_connection_request_ = true; + + // Continue to receive body frames + return GenericProxy::HeaderFilterStatus::Continue; + } + + // Not a reverse connection request, continue to next filter + ENVOY_LOG(debug, "ReverseConnFilter: Not a reverse connection request, continuing"); + return GenericProxy::HeaderFilterStatus::Continue; +} + +GenericProxy::CommonFilterStatus +ReverseConnFilter::decodeCommonFrame(GenericProxy::RequestCommonFrame& request) { + if (!is_reverse_connection_request_) { + // Not a reverse connection request, continue + return GenericProxy::CommonFilterStatus::Continue; + } + + ENVOY_LOG(debug, "ReverseConnFilter: Processing common frame for reverse connection request"); + + // Extract body data from the common frame + extractRequestBody(request); + + // Check if we have enough data to process + if (!request_body_.empty()) { + message_complete_ = true; + processReverseConnectionRequest(); + + // As a terminal filter, stop processing after handling the request + return GenericProxy::CommonFilterStatus::StopIteration; + } + + return GenericProxy::CommonFilterStatus::Continue; +} + +// GenericProxy::EncoderFilter implementation + +void ReverseConnFilter::setEncoderFilterCallbacks(GenericProxy::EncoderFilterCallback& callbacks) { + encoder_callbacks_ = &callbacks; + ENVOY_LOG(debug, "ReverseConnFilter: Encoder filter callbacks set"); +} + +GenericProxy::HeaderFilterStatus +ReverseConnFilter::encodeHeaderFrame(GenericProxy::ResponseHeaderFrame& response) { + // We don't modify response headers for reverse connection requests + // Just continue to the next filter + return GenericProxy::HeaderFilterStatus::Continue; +} + +GenericProxy::CommonFilterStatus +ReverseConnFilter::encodeCommonFrame(GenericProxy::ResponseCommonFrame& response) { + // We don't modify response body for reverse connection requests + // Just continue to the next filter + return GenericProxy::CommonFilterStatus::Continue; +} + +// Private methods + +bool ReverseConnFilter::isReverseConnectionRequest( + const GenericProxy::RequestHeaderFrame& request) const { + // Check method (for HTTP, this would be "POST") + auto method = request.get("method"); + if (!method.has_value() || method.value() != HTTP_POST_METHOD) { + return false; + } + + // Check path (for HTTP, this would be "/reverse_connections/request") + auto path = request.path(); + if (path != REVERSE_CONNECTIONS_REQUEST_PATH) { + return false; + } + + ENVOY_LOG(debug, "ReverseConnFilter: Valid reverse connection request - method: {}, path: {}", + method.value(), path); + + return true; +} + +void ReverseConnFilter::extractRequestBody(GenericProxy::RequestCommonFrame& frame) { + // In a real implementation, you would extract the body data from the common frame + // This depends on how the Generic Proxy codec represents body data + + // For now, we'll use a placeholder approach + // In practice, you might access frame.data() or similar methods + + ENVOY_LOG(debug, "ReverseConnFilter: Extracting request body from common frame"); + + // This is a simplified approach - in reality, you'd get the actual body data + // from the Generic Proxy frame structure + // request_body_ = frame.bodyData(); // or similar method +} + +bool ReverseConnFilter::parseProtobufPayload(const std::string& payload, std::string& node_uuid, + std::string& cluster_uuid, std::string& tenant_uuid) { + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + + if (!arg.ParseFromString(payload)) { + ENVOY_LOG(error, "ReverseConnFilter: Failed to parse protobuf from request body"); + return false; + } + + ENVOY_LOG(debug, "ReverseConnFilter: Successfully parsed protobuf: {}", arg.DebugString()); + + node_uuid = arg.node_uuid(); + cluster_uuid = arg.cluster_uuid(); + tenant_uuid = arg.tenant_uuid(); + + ENVOY_LOG(debug, "ReverseConnFilter: Extracted values - tenant='{}', cluster='{}', node='{}'", + tenant_uuid, cluster_uuid, node_uuid); + + return !node_uuid.empty(); +} + +void ReverseConnFilter::sendLocalReply(GenericProxy::Status status, const std::string& data) { + if (!decoder_callbacks_) { + ENVOY_LOG(error, "ReverseConnFilter: No decoder callbacks available for local reply"); + return; + } + + // Send local reply using Generic Proxy callbacks + // This will create a response frame and send it back to the client + decoder_callbacks_->sendLocalReply(status, data); + + ENVOY_LOG(debug, "ReverseConnFilter: Sent local reply with status: {}, data: {}", + static_cast(status), data); +} + +void ReverseConnFilter::saveDownstreamConnection(const std::string& node_id, + const std::string& cluster_id) { + ENVOY_LOG(debug, "ReverseConnFilter: Adding connection to upstream socket manager"); + + auto* socket_manager = getUpstreamSocketManager(); + if (!socket_manager) { + ENVOY_LOG(error, "ReverseConnFilter: Failed to get upstream socket manager"); + return; + } + + // Get connection from Generic Proxy callbacks if available, otherwise fall back to network + // callbacks + const Network::Connection* connection = nullptr; + if (decoder_callbacks_) { + connection = decoder_callbacks_->connection(); + } else if (read_callbacks_) { + connection = &read_callbacks_->connection(); + } + + if (!connection) { + ENVOY_LOG(error, "ReverseConnFilter: No connection available"); + return; + } + + const Network::ConnectionSocketPtr& original_socket = connection->getSocket(); + + if (!original_socket || !original_socket->isOpen()) { + ENVOY_LOG(error, "ReverseConnFilter: Original socket is not available or not open"); + return; + } + + // Duplicate the file descriptor + Network::IoHandlePtr duplicated_handle = original_socket->ioHandle().duplicate(); + if (!duplicated_handle || !duplicated_handle->isOpen()) { + ENVOY_LOG(error, "ReverseConnFilter: Failed to duplicate file descriptor"); + return; + } + + ENVOY_LOG(debug, + "ReverseConnFilter: Successfully duplicated file descriptor: original_fd={}, " + "duplicated_fd={}", + original_socket->ioHandle().fdDoNotUse(), duplicated_handle->fdDoNotUse()); + + // Create a new socket with the duplicated handle + Network::ConnectionSocketPtr duplicated_socket = std::make_unique( + std::move(duplicated_handle), original_socket->connectionInfoProvider().localAddress(), + original_socket->connectionSocket()->connectionInfoProvider().remoteAddress()); + + // Reset file events on the duplicated socket + duplicated_socket->ioHandle().resetFileEvents(); + + // Add the duplicated socket to the manager + socket_manager->addConnectionSocket(node_id, cluster_id, std::move(duplicated_socket), + config_->pingInterval(), false /* rebalanced */); + + ENVOY_LOG(debug, + "ReverseConnFilter: Successfully added duplicated socket to upstream socket manager"); +} + +void ReverseConnFilter::closeConnection() { + if (connection_closed_) { + return; + } + + // Get connection from Generic Proxy callbacks if available, otherwise fall back to network + // callbacks + Network::Connection* connection = nullptr; + if (decoder_callbacks_) { + connection = const_cast(decoder_callbacks_->connection()); + } else if (read_callbacks_) { + connection = &read_callbacks_->connection(); + } + + if (connection) { + ENVOY_LOG(debug, + "ReverseConnFilter: Closing connection after processing reverse connection request"); + + // Mark connection as reused + connection->setSocketReused(true); + + // Reset file events on the connection socket + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + + // Close the connection + connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); + } + + connection_closed_ = true; +} + +ReverseConnection::UpstreamSocketManager* ReverseConnFilter::getUpstreamSocketManager() { + auto* upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + if (!upstream_interface) { + ENVOY_LOG(debug, "ReverseConnFilter: Upstream reverse socket interface not found"); + return nullptr; + } + + auto* upstream_socket_interface = + dynamic_cast(upstream_interface); + if (!upstream_socket_interface) { + ENVOY_LOG(error, "ReverseConnFilter: Failed to cast to ReverseTunnelAcceptor"); + return nullptr; + } + + auto* tls_registry = upstream_socket_interface->getLocalRegistry(); + if (!tls_registry) { + ENVOY_LOG(error, + "ReverseConnFilter: Thread local registry not found for upstream socket interface"); + return nullptr; + } + + return tls_registry->socketManager(); +} + +void ReverseConnFilter::processReverseConnectionRequest() { + ENVOY_LOG(info, "ReverseConnFilter: Processing reverse connection request"); + + // Parse protobuf payload + if (!parseProtobufPayload(request_body_, node_uuid_, cluster_uuid_, tenant_uuid_)) { + // Send rejection response + sendLocalReply(GenericProxy::Status::InvalidArgument, + "Failed to parse request message or required fields missing"); + + // Close connection after rejection + closeConnection(); + return; + } + + // Check SSL certificate for additional tenant/cluster info + const Network::Connection* connection = nullptr; + if (decoder_callbacks_) { + connection = decoder_callbacks_->connection(); + } else if (read_callbacks_) { + connection = &read_callbacks_->connection(); + } + + if (connection) { + Envoy::Ssl::ConnectionInfoConstSharedPtr ssl = connection->ssl(); + + if (ssl && ssl->peerCertificatePresented()) { + absl::Span dnsSans = ssl->dnsSansPeerCertificate(); + for (const std::string& dns : dnsSans) { + auto parts = absl::StrSplit(dns, "="); + if (parts.size() == 2) { + if (parts[0] == "tenantId") { + tenant_uuid_ = std::string(parts[1]); + } else if (parts[0] == "clusterId") { + cluster_uuid_ = std::string(parts[1]); + } + } + } + } + } + + ENVOY_LOG(info, + "ReverseConnFilter: Accepting reverse connection. tenant '{}', cluster '{}', node '{}'", + tenant_uuid_, cluster_uuid_, node_uuid_); + + // Create acceptance response + envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + ReverseConnHandshakeRet::ACCEPTED); + + std::string response_body = ret.SerializeAsString(); + ENVOY_LOG(info, "ReverseConnFilter: Response body length: {}, content: '{}'", + response_body.length(), response_body); + + // Send acceptance response + sendLocalReply(GenericProxy::Status::Ok, response_body); + + // Save the connection + saveDownstreamConnection(node_uuid_, cluster_uuid_); + + // Close the connection after processing (terminal filter behavior) + closeConnection(); + + ENVOY_LOG(info, "ReverseConnFilter: Reverse connection accepted and connection closed"); +} + +} // namespace ReverseConn +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h new file mode 100644 index 0000000000000..be5a487ed32f5 --- /dev/null +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h @@ -0,0 +1,134 @@ +#pragma once + +#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" +#include "envoy/network/filter.h" +#include "envoy/upstream/cluster_manager.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/network/filter_impl.h" +#include "source/common/protobuf/protobuf.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/filters/network/generic_proxy/interface/filter.h" +#include "source/extensions/filters/network/generic_proxy/interface/stream.h" + +#include "absl/types/optional.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseConn { + +namespace ReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; +namespace GenericProxy = Envoy::Extensions::NetworkFilters::GenericProxy; + +/** + * Configuration for the reverse connection network filter. + */ +class ReverseConnFilterConfig { +public: + ReverseConnFilterConfig() : ping_interval_(std::chrono::seconds(2)) {} + + std::chrono::seconds pingInterval() const { return ping_interval_; } + +private: + const std::chrono::seconds ping_interval_; +}; + +using ReverseConnFilterConfigSharedPtr = std::shared_ptr; + +/** + * Network filter that handles reverse connection acceptance/rejection using the Generic Proxy + * interface. This filter only processes POST requests to /reverse_connections/request and + * accepts/rejects reverse connections based on protobuf payload. + * + * Uses the Generic Proxy StreamFilter interface for protocol-agnostic operation. + * This is a TERMINAL filter that stops processing after handling reverse connection requests. + */ +class ReverseConnFilter : public Network::Filter, + public GenericProxy::StreamFilter, + public Logger::Loggable { +public: + ReverseConnFilter(ReverseConnFilterConfigSharedPtr config); + + // Network::Filter + Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override; + Network::FilterStatus onNewConnection() override; + Network::FilterStatus onWrite(Buffer::Instance& data, bool end_stream) override; + void initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) override; + void initializeWriteFilterCallbacks(Network::WriteFilterCallbacks& callbacks) override; + + // GenericProxy::DecoderFilter + void onDestroy() override; + void setDecoderFilterCallbacks(GenericProxy::DecoderFilterCallback& callbacks) override; + GenericProxy::HeaderFilterStatus + decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) override; + GenericProxy::CommonFilterStatus + decodeCommonFrame(GenericProxy::RequestCommonFrame& request) override; + + // GenericProxy::EncoderFilter + void setEncoderFilterCallbacks(GenericProxy::EncoderFilterCallback& callbacks) override; + GenericProxy::HeaderFilterStatus + encodeHeaderFrame(GenericProxy::ResponseHeaderFrame& response) override; + GenericProxy::CommonFilterStatus + encodeCommonFrame(GenericProxy::ResponseCommonFrame& response) override; + + // Terminal filter behavior + bool isTerminalFilter() const { return true; } + +private: + // Parse protobuf payload and extract cluster details + bool parseProtobufPayload(const std::string& payload, std::string& node_uuid, + std::string& cluster_uuid, std::string& tenant_uuid); + + // Send local reply using Generic Proxy callbacks + void sendLocalReply(GenericProxy::Status status, const std::string& data); + + // Save the connection to upstream socket manager + void saveDownstreamConnection(const std::string& node_id, const std::string& cluster_id); + + // Get the upstream socket manager from the thread-local registry + ReverseConnection::UpstreamSocketManager* getUpstreamSocketManager(); + + // Process the reverse connection request + void processReverseConnectionRequest(); + + // Check if this is a reverse connection request + bool isReverseConnectionRequest(const GenericProxy::RequestHeaderFrame& request) const; + + // Extract body from common frames + void extractRequestBody(GenericProxy::RequestCommonFrame& frame); + + // Close the connection after processing + void closeConnection(); + + ReverseConnFilterConfigSharedPtr config_; + Network::ReadFilterCallbacks* read_callbacks_{nullptr}; + Network::WriteFilterCallbacks* write_callbacks_{nullptr}; + + // Generic Proxy filter callbacks + GenericProxy::DecoderFilterCallback* decoder_callbacks_{nullptr}; + GenericProxy::EncoderFilterCallback* encoder_callbacks_{nullptr}; + + // Request data from Generic Proxy frames + std::string request_body_; + + // Request state + bool is_reverse_connection_request_{false}; + bool message_complete_{false}; + bool connection_closed_{false}; + + // Reverse connection data + std::string node_uuid_; + std::string cluster_uuid_; + std::string tenant_uuid_; + + // Constants + static const std::string REVERSE_CONNECTIONS_REQUEST_PATH; + static const std::string HTTP_POST_METHOD; +}; + +} // namespace ReverseConn +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc b/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc new file mode 100644 index 0000000000000..ad93424476a32 --- /dev/null +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc @@ -0,0 +1,31 @@ +#include "source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h" + +#include "source/extensions/filters/network/reverse_conn/reverse_conn_filter.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseConn { + +GenericProxy::FilterFactoryCb ReverseConnFilterConfigFactory::createFilterFactoryFromProtoTyped( + const envoy::extensions::filters::network::reverse_conn::v3::ReverseConn& proto_config, + Server::Configuration::FactoryContext& context) { + UNREFERENCED_PARAMETER(proto_config); + UNREFERENCED_PARAMETER(context); + + auto config = std::make_shared(); + + return [config](GenericProxy::FilterChainManager& filter_chain_manager) -> void { + filter_chain_manager.addFilter( + [config](GenericProxy::FilterChainFactoryCallbacks& callbacks) -> void { + callbacks.addFilter(std::make_shared(config)); + }); + }; +} + +REGISTER_FACTORY(ReverseConnFilterConfigFactory, GenericProxy::NamedFilterConfigFactory); + +} // namespace ReverseConn +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h b/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h new file mode 100644 index 0000000000000..fcd498b7b8c2d --- /dev/null +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h @@ -0,0 +1,28 @@ +#pragma once + +#include "envoy/server/filter_config.h" + +#include "source/extensions/filters/network/generic_proxy/interface/filter.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseConn { + +/** + * Config registration for the reverse connection filter. + */ +class ReverseConnFilterConfigFactory : public GenericProxy::NamedFilterConfigFactory { +public: + ReverseConnFilterConfigFactory() : FactoryBase("envoy.filters.generic.reverse_conn") {} + +private: + GenericProxy::FilterFactoryCb createFilterFactoryFromProtoTyped( + const envoy::extensions::filters::network::reverse_conn::v3::ReverseConn& proto_config, + Server::Configuration::FactoryContext& context) override; +}; + +} // namespace ReverseConn +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index 109d1abfc496c..9b61d2e5fa5a0 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -8505,23 +8505,24 @@ INSTANTIATE_TEST_SUITE_P(Matcher, ListenerManagerImplWithDispatcherStatsTest, // Test address implementation for reverse connection testing class TestReverseConnectionAddress : public Network::Address::Instance { public: - TestReverseConnectionAddress() - : address_string_("127.0.0.1:0"), // Dummy IP address - logical_name_("rc://test-node:test-cluster:test-tenant@remote-cluster:1"), // Address with the same format as reverse connection addresses + TestReverseConnectionAddress() + : address_string_("127.0.0.1:0"), // Dummy IP address + logical_name_( + "rc://test-node:test-cluster:test-tenant@remote-cluster:1"), // Address with the same + // format as reverse + // connection addresses ipv4_instance_(std::make_shared("127.0.0.1", 0)) {} // Network::Address::Instance - bool operator==(const Instance& rhs) const override { - return address_string_ == rhs.asString(); - } + bool operator==(const Instance& rhs) const override { return address_string_ == rhs.asString(); } Network::Address::Type type() const override { return Network::Address::Type::Ip; } const std::string& asString() const override { return address_string_; } absl::string_view asStringView() const override { return address_string_; } const std::string& logicalName() const override { return logical_name_; } const Network::Address::Ip* ip() const override { return ipv4_instance_->ip(); } const Network::Address::Pipe* pipe() const override { return nullptr; } - const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { - return nullptr; + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; } absl::optional networkNamespace() const override { return absl::nullopt; } const sockaddr* sockAddr() const override { return ipv4_instance_->sockAddr(); } @@ -8539,37 +8540,34 @@ class TestReverseConnectionAddress : public Network::Address::Instance { TEST_P(ListenerManagerImplTest, ReverseConnectionAddressUsesCorrectSocketInterface) { auto reverse_connection_address = std::make_shared(); - + // Verify the address has the expected logical name format EXPECT_TRUE(absl::StartsWith(reverse_connection_address->logicalName(), "rc://")); - EXPECT_EQ(reverse_connection_address->logicalName(), "rc://test-node:test-cluster:test-tenant@remote-cluster:1"); + EXPECT_EQ(reverse_connection_address->logicalName(), + "rc://test-node:test-cluster:test-tenant@remote-cluster:1"); // Verify asString() returns the localhost address EXPECT_EQ(reverse_connection_address->asString(), "127.0.0.1:0"); - + // Create listener factory to test the actual implementation ProdListenerComponentFactory real_listener_factory(server_); - + Network::Socket::OptionsSharedPtr options = nullptr; Network::SocketCreationOptions creation_options; // This should use the default socket interface returned by the address's // socketInterface() method. auto socket_result = real_listener_factory.createListenSocket( - reverse_connection_address, - Network::Socket::Type::Stream, - options, - ListenerComponentFactory::BindType::NoBind, - creation_options, - 0 /* worker_index */ + reverse_connection_address, Network::Socket::Type::Stream, options, + ListenerComponentFactory::BindType::NoBind, creation_options, 0 /* worker_index */ ); - + // The socket creation should succeed and use the address's socket interface EXPECT_TRUE(socket_result.ok()); if (socket_result.ok()) { auto socket = socket_result.value(); EXPECT_NE(socket, nullptr); // Verify the socket was created with the expected address - EXPECT_EQ(socket->connectionInfoProvider().localAddress()->logicalName(), + EXPECT_EQ(socket->connectionInfoProvider().localAddress()->logicalName(), reverse_connection_address->logicalName()); } } From 8c03b2aac400361f89183ab3736864087a3557cf Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 22 Aug 2025 15:23:25 +0200 Subject: [PATCH 279/505] ext_authz: add grpc_service field on the per-route filter (#40169) ## Description This PR adds support for per-route gRPC service override in the `ext_authz` HTTP filter, allowing different routes to use different external authorization backends. Routes would now be able to specify a different authorization service by configuring `grpc_service` in the per-route `check_settings`. --- Commit Message: ext_authz: add grpc_service field on the per-route filter Additional Description: Add a new `grpc_service` field on the per-route ExtAuthZ filter to be able to override the AuthService backend on a per-route basis. Risk Level: Low Testing: Added Unit & Integration Tests Docs Changes: Added Release Notes: Added --------- Signed-off-by: Rohit Agrawal --- .../filters/http/ext_authz/v3/ext_authz.proto | 13 + changelogs/current.yaml | 12 +- .../common/ext_authz/ext_authz_http_impl.cc | 24 + .../common/ext_authz/ext_authz_http_impl.h | 5 + .../filters/http/ext_authz/config.cc | 6 +- .../filters/http/ext_authz/ext_authz.cc | 135 +- .../filters/http/ext_authz/ext_authz.h | 55 +- .../ext_authz/ext_authz_http_impl_test.cc | 21 + .../filters/http/ext_authz/config_test.cc | 411 ++++++ .../ext_authz/ext_authz_integration_test.cc | 27 + .../filters/http/ext_authz/ext_authz_test.cc | 1233 ++++++++++++++--- 11 files changed, 1725 insertions(+), 217 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto index 0a2492b2ff5f5..690a9956454df 100644 --- a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +++ b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto @@ -476,6 +476,7 @@ message ExtAuthzPerRoute { } // Extra settings for the check request. +// [#next-free-field: 6] message CheckSettings { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.ext_authz.v2.CheckSettings"; @@ -513,4 +514,16 @@ message CheckSettings { // :ref:`disable_request_body_buffering ` // may be specified. BufferSettings with_request_body = 3; + + // Override the external authorization service for this route. + // This allows different routes to use different external authorization service backends + // and service types (gRPC or HTTP). If specified, this overrides the filter-level service + // configuration regardless of the original service type. + oneof service_override { + // Override with a gRPC service configuration. + config.core.v3.GrpcService grpc_service = 4; + + // Override with an HTTP service configuration. + HttpService http_service = 5; + } } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 076cf1a618dbf..4495eeb525b54 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -203,9 +203,8 @@ new_features: for more details. - area: socket change: | - Added :ref:``network_namespace_filepath `` to - :ref:`SocketAddress `. This field allows specifying a Linux network namespace filepath - for socket creation, enabling network isolation in containerized environments. + Added ``network_namespace_filepath`` to :ref:`SocketAddress `. This field allows + specifying a Linux network namespace filepath for socket creation, enabling network isolation in containerized environments. - area: ratelimit change: | Add the :ref:`rate_limits @@ -256,6 +255,13 @@ new_features: Added ``virtualHost()`` to the Stream handle API, allowing Lua scripts to retrieve virtual host information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access virtual host metadata scoped to the specific filter name. See :ref:`Virtual host object API ` for more details. +- area: ext_authz + change: | + Added support for per-route gRPC service override in the ``ext_authz`` HTTP filter. This allows different routes + to use different external authorization backends by configuring a + :ref:`grpc_service ` + in the per-route ``check_settings``. Routes without this configuration continue to use the default + authorization service. - area: tracing change: | Added :ref:`trace_context_option ` enum diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc index 070636df941af..170ee16ef84a8 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc @@ -133,6 +133,30 @@ ClientConfig::ClientConfig(const envoy::extensions::filters::http::ext_authz::v3 Router::HeaderParserPtr)), encode_raw_headers_(config.encode_raw_headers()) {} +ClientConfig::ClientConfig( + const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service, + bool encode_raw_headers, uint32_t timeout, Server::Configuration::CommonFactoryContext& context) + : client_header_matchers_(toClientMatchers( + http_service.authorization_response().allowed_client_headers(), context)), + client_header_on_success_matchers_(toClientMatchersOnSuccess( + http_service.authorization_response().allowed_client_headers_on_success(), context)), + to_dynamic_metadata_matchers_(toDynamicMetadataMatchers( + http_service.authorization_response().dynamic_metadata_from_headers(), context)), + upstream_header_matchers_(toUpstreamMatchers( + http_service.authorization_response().allowed_upstream_headers(), context)), + upstream_header_to_append_matchers_(toUpstreamMatchers( + http_service.authorization_response().allowed_upstream_headers_to_append(), context)), + cluster_name_(http_service.server_uri().cluster()), timeout_(timeout), + path_prefix_( + THROW_OR_RETURN_VALUE(validatePathPrefix(http_service.path_prefix()), std::string)), + tracing_name_(fmt::format("async {} egress", http_service.server_uri().cluster())), + request_headers_parser_(THROW_OR_RETURN_VALUE( + Router::HeaderParser::configure( + http_service.authorization_request().headers_to_add(), + envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD), + Router::HeaderParserPtr)), + encode_raw_headers_(encode_raw_headers) {} + MatcherSharedPtr ClientConfig::toClientMatchersOnSuccess(const envoy::type::matcher::v3::ListStringMatcher& list, Server::Configuration::CommonFactoryContext& context) { diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h index d79b34876548d..0847afe6c5a14 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h @@ -28,6 +28,11 @@ class ClientConfig { uint32_t timeout, absl::string_view path_prefix, Server::Configuration::CommonFactoryContext& context); + // Build config directly from HttpService without constructing a temporary ExtAuthz. + ClientConfig(const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service, + bool encode_raw_headers, uint32_t timeout, + Server::Configuration::CommonFactoryContext& context); + /** * Returns the name of the authorization cluster. */ diff --git a/source/extensions/filters/http/ext_authz/config.cc b/source/extensions/filters/http/ext_authz/config.cc index 83a3c60287ae6..8f7febefa8ccc 100644 --- a/source/extensions/filters/http/ext_authz/config.cc +++ b/source/extensions/filters/http/ext_authz/config.cc @@ -39,7 +39,8 @@ Http::FilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProtoWithServ &server_context](Http::FilterChainFactoryCallbacks& callbacks) { auto client = std::make_unique( server_context.clusterManager(), client_config); - callbacks.addStreamFilter(std::make_shared(filter_config, std::move(client))); + callbacks.addStreamFilter( + std::make_shared(filter_config, std::move(client), server_context)); }; } else { // gRPC client. @@ -57,7 +58,8 @@ Http::FilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProtoWithServ THROW_IF_NOT_OK_REF(client_or_error.status()); auto client = std::make_unique( client_or_error.value(), std::chrono::milliseconds(timeout_ms)); - callbacks.addStreamFilter(std::make_shared(filter_config, std::move(client))); + callbacks.addStreamFilter( + std::make_shared(filter_config, std::move(client), server_context)); }; } return callback; diff --git a/source/extensions/filters/http/ext_authz/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc index 9efd5b6fc36f6..7fd7abf65f365 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/ext_authz.cc @@ -1,4 +1,3 @@ -#include "ext_authz.h" #include "source/extensions/filters/http/ext_authz/ext_authz.h" #include @@ -21,6 +20,9 @@ namespace ExtAuthz { namespace { +// Default timeout for per-route gRPC client creation. +constexpr uint32_t kDefaultPerRouteTimeoutMs = 200; + using MetadataProto = ::envoy::config::core::v3::Metadata; using Filters::Common::MutationRules::CheckOperation; using Filters::Common::MutationRules::CheckResult; @@ -172,6 +174,86 @@ void FilterConfigPerRoute::merge(const FilterConfigPerRoute& other) { } } +// Constructor used for merging configurations from different levels (vhost, route, etc.) +FilterConfigPerRoute::FilterConfigPerRoute(const FilterConfigPerRoute& less_specific, + const FilterConfigPerRoute& more_specific) + : context_extensions_(less_specific.context_extensions_), + check_settings_(more_specific.check_settings_), disabled_(more_specific.disabled_), + // Only use the most specific per-route override. Do not inherit overrides from less + // specific configuration. If the more specific configuration has no override, leave both + // unset so that the main filter configuration is used. + grpc_service_(more_specific.grpc_service_.has_value() ? more_specific.grpc_service_ + : absl::nullopt), + http_service_(more_specific.http_service_.has_value() ? more_specific.http_service_ + : absl::nullopt) { + // Merge context extensions from more specific configuration, overriding less specific ones. + for (const auto& extension : more_specific.context_extensions_) { + context_extensions_[extension.first] = extension.second; + } +} + +Filters::Common::ExtAuthz::ClientPtr +Filter::createPerRouteGrpcClient(const envoy::config::core::v3::GrpcService& grpc_service) { + if (server_context_ == nullptr) { + ENVOY_STREAM_LOG( + debug, "ext_authz filter: server context not available for per-route gRPC client creation.", + *decoder_callbacks_); + return nullptr; + } + + // Use the timeout from the gRPC service configuration, use default if not specified. + const uint32_t timeout_ms = + PROTOBUF_GET_MS_OR_DEFAULT(grpc_service, timeout, kDefaultPerRouteTimeoutMs); + + // We can skip transport version check for per-route gRPC service here. + // The transport version is already validated at the main configuration level. + Envoy::Grpc::GrpcServiceConfigWithHashKey config_with_hash_key = + Envoy::Grpc::GrpcServiceConfigWithHashKey(grpc_service); + + auto client_or_error = server_context_->clusterManager() + .grpcAsyncClientManager() + .getOrCreateRawAsyncClientWithHashKey(config_with_hash_key, + server_context_->scope(), true); + if (!client_or_error.ok()) { + ENVOY_STREAM_LOG(warn, + "ext_authz filter: failed to create per-route gRPC client: {}. Falling back " + "to default client.", + *decoder_callbacks_, client_or_error.status().ToString()); + return nullptr; + } + + ENVOY_STREAM_LOG(debug, "ext_authz filter: created per-route gRPC client for cluster: {}.", + *decoder_callbacks_, + grpc_service.has_envoy_grpc() ? grpc_service.envoy_grpc().cluster_name() + : "google_grpc"); + + return std::make_unique( + client_or_error.value(), std::chrono::milliseconds(timeout_ms)); +} + +Filters::Common::ExtAuthz::ClientPtr Filter::createPerRouteHttpClient( + const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service) { + if (server_context_ == nullptr) { + ENVOY_STREAM_LOG( + debug, "ext_authz filter: server context not available for per-route HTTP client creation.", + *decoder_callbacks_); + return nullptr; + } + + // Use the timeout from the HTTP service configuration, use default if not specified. + const uint32_t timeout_ms = + PROTOBUF_GET_MS_OR_DEFAULT(http_service.server_uri(), timeout, kDefaultPerRouteTimeoutMs); + + ENVOY_STREAM_LOG(debug, "ext_authz filter: creating per-route HTTP client for URI: {}.", + *decoder_callbacks_, http_service.server_uri().uri()); + + const auto client_config = std::make_shared( + http_service, config_->headersAsBytes(), timeout_ms, *server_context_); + + return std::make_unique( + server_context_->clusterManager(), client_config); +} + void Filter::initiateCall(const Http::RequestHeaderMap& headers) { if (filter_return_ == FilterReturn::StopDecoding) { return; @@ -205,9 +287,10 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { for (const FilterConfigPerRoute& cfg : Http::Utility::getAllPerFilterConfig(decoder_callbacks_)) { if (maybe_merged_per_route_config.has_value()) { - maybe_merged_per_route_config.value().merge(cfg); + FilterConfigPerRoute current_config = maybe_merged_per_route_config.value(); + maybe_merged_per_route_config.emplace(current_config, cfg); } else { - maybe_merged_per_route_config = cfg; + maybe_merged_per_route_config.emplace(cfg); } } @@ -216,6 +299,46 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { context_extensions = maybe_merged_per_route_config.value().takeContextExtensions(); } + // Check if we need to use a per-route service override (gRPC or HTTP). + Filters::Common::ExtAuthz::Client* client_to_use = client_.get(); + if (maybe_merged_per_route_config) { + if (maybe_merged_per_route_config->grpcService().has_value()) { + const auto& grpc_service = maybe_merged_per_route_config->grpcService().value(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: using per-route gRPC service configuration.", + *decoder_callbacks_); + + // Create a new gRPC client for this route. + per_route_client_ = createPerRouteGrpcClient(grpc_service); + if (per_route_client_ != nullptr) { + client_to_use = per_route_client_.get(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: successfully created per-route gRPC client.", + *decoder_callbacks_); + } else { + ENVOY_STREAM_LOG( + warn, + "ext_authz filter: failed to create per-route gRPC client, falling back to default.", + *decoder_callbacks_); + } + } else if (maybe_merged_per_route_config->httpService().has_value()) { + const auto& http_service = maybe_merged_per_route_config->httpService().value(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: using per-route HTTP service configuration.", + *decoder_callbacks_); + + // Create a new HTTP client for this route. + per_route_client_ = createPerRouteHttpClient(http_service); + if (per_route_client_ != nullptr) { + client_to_use = per_route_client_.get(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: successfully created per-route HTTP client.", + *decoder_callbacks_); + } else { + ENVOY_STREAM_LOG( + warn, + "ext_authz filter: failed to create per-route HTTP client, falling back to default.", + *decoder_callbacks_); + } + } + } + // If metadata_context_namespaces or typed_metadata_context_namespaces is specified, // pass matching filter metadata to the ext_authz service. // If metadata key is set in both the connection and request metadata, @@ -241,7 +364,7 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { config_->destinationLabels(), config_->allowedHeadersMatcher(), config_->disallowedHeadersMatcher()); - ENVOY_STREAM_LOG(trace, "ext_authz filter calling authorization server", *decoder_callbacks_); + ENVOY_STREAM_LOG(trace, "ext_authz filter calling authorization server.", *decoder_callbacks_); // Store start time of ext_authz filter call start_time_ = decoder_callbacks_->dispatcher().timeSource().monotonicTime(); @@ -250,8 +373,8 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { // going to invoke check call. cluster_ = decoder_callbacks_->clusterInfo(); initiating_call_ = true; - client_->check(*this, check_request_, decoder_callbacks_->activeSpan(), - decoder_callbacks_->streamInfo()); + client_to_use->check(*this, check_request_, decoder_callbacks_->activeSpan(), + decoder_callbacks_->streamInfo()); initiating_call_ = false; } diff --git a/source/extensions/filters/http/ext_authz/ext_authz.h b/source/extensions/filters/http/ext_authz/ext_authz.h index 3f309b97c6d2e..123daee1a6154 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.h +++ b/source/extensions/filters/http/ext_authz/ext_authz.h @@ -6,8 +6,10 @@ #include #include "envoy/extensions/filters/http/ext_authz/v3/ext_authz.pb.h" +#include "envoy/grpc/async_client_manager.h" #include "envoy/http/filter.h" #include "envoy/runtime/runtime.h" +#include "envoy/server/factory_context.h" #include "envoy/service/auth/v3/external_auth.pb.h" #include "envoy/stats/scope.h" #include "envoy/stats/stats_macros.h" @@ -17,6 +19,7 @@ #include "source/common/common/logger.h" #include "source/common/common/matchers.h" #include "source/common/common/utility.h" +#include "source/common/grpc/typed_async_client.h" #include "source/common/http/codes.h" #include "source/common/http/header_map_impl.h" #include "source/common/runtime/runtime_protos.h" @@ -305,7 +308,13 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { check_settings_(config.has_check_settings() ? config.check_settings() : envoy::extensions::filters::http::ext_authz::v3::CheckSettings()), - disabled_(config.disabled()) { + disabled_(config.disabled()), + grpc_service_(config.has_check_settings() && config.check_settings().has_grpc_service() + ? absl::make_optional(config.check_settings().grpc_service()) + : absl::nullopt), + http_service_(config.has_check_settings() && config.check_settings().has_http_service() + ? absl::make_optional(config.check_settings().http_service()) + : absl::nullopt) { if (config.has_check_settings() && config.check_settings().disable_request_body_buffering() && config.check_settings().has_with_request_body()) { ExceptionUtil::throwEnvoyException( @@ -314,6 +323,12 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { } } + // This constructor is used as a way to merge more-specific config into less-specific config in a + // clearly defined way (e.g. route config into VH config). All fields on this class must be const + // and thus must be initialized in the constructor initialization list. + FilterConfigPerRoute(const FilterConfigPerRoute& less_specific, + const FilterConfigPerRoute& more_specific); + void merge(const FilterConfigPerRoute& other); /** @@ -329,12 +344,30 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { return check_settings_; } + /** + * @return The gRPC service override for this route, if any. + */ + const absl::optional& grpcService() const { + return grpc_service_; + } + + /** + * @return The HTTP service override for this route, if any. + */ + const absl::optional& + httpService() const { + return http_service_; + } + private: // We save the context extensions as a protobuf map instead of a std::map as this allows us to // move it to the CheckRequest, thus avoiding a copy that would incur by converting it. ContextExtensionsMap context_extensions_; envoy::extensions::filters::http::ext_authz::v3::CheckSettings check_settings_; - bool disabled_; + const bool disabled_; + const absl::optional grpc_service_; + const absl::optional + http_service_; }; /** @@ -348,6 +381,12 @@ class Filter : public Logger::Loggable, Filter(const FilterConfigSharedPtr& config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)), stats_(config->stats()) {} + // Constructor that includes server context for per-route service support. + Filter(const FilterConfigSharedPtr& config, Filters::Common::ExtAuthz::ClientPtr&& client, + Server::Configuration::ServerFactoryContext& server_context) + : config_(config), client_(std::move(client)), server_context_(&server_context), + stats_(config->stats()) {} + // Http::StreamFilterBase void onDestroy() override; @@ -383,6 +422,14 @@ class Filter : public Logger::Loggable, // code. void rejectResponse(); + // Create a new gRPC client for per-route gRPC service configuration. + Filters::Common::ExtAuthz::ClientPtr + createPerRouteGrpcClient(const envoy::config::core::v3::GrpcService& grpc_service); + + // Create a new HTTP client for per-route HTTP service configuration. + Filters::Common::ExtAuthz::ClientPtr createPerRouteHttpClient( + const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service); + absl::optional start_time_; void addResponseHeaders(Http::HeaderMap& header_map, const Http::HeaderVector& headers); void initiateCall(const Http::RequestHeaderMap& headers); @@ -410,6 +457,10 @@ class Filter : public Logger::Loggable, Http::HeaderMapPtr getHeaderMap(const Filters::Common::ExtAuthz::ResponsePtr& response); FilterConfigSharedPtr config_; Filters::Common::ExtAuthz::ClientPtr client_; + // Per-route gRPC client that overrides the default client when specified. + Filters::Common::ExtAuthz::ClientPtr per_route_client_; + // Server context for creating per-route clients. + Server::Configuration::ServerFactoryContext* server_context_{nullptr}; Http::StreamDecoderFilterCallbacks* decoder_callbacks_{}; Http::StreamEncoderFilterCallbacks* encoder_callbacks_{}; Http::RequestHeaderMap* request_headers_; diff --git a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc index 298abb58a10e0..92cc6cddc5e62 100644 --- a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc @@ -209,6 +209,27 @@ class ExtAuthzHttpClientTest : public testing::Test { NiceMock stream_info_; }; +// Verify ClientConfig could be built directly from HttpService and that the +// fields get wired correctly. +TEST_F(ExtAuthzHttpClientTest, ClientConfigFromHttpService) { + envoy::extensions::filters::http::ext_authz::v3::HttpService http_service; + http_service.mutable_server_uri()->set_uri("ext_authz:9000"); + http_service.mutable_server_uri()->set_cluster("ext_authz"); + http_service.mutable_server_uri()->mutable_timeout()->set_seconds(0); + http_service.set_path_prefix("/prefix"); + // Add one header to add to request to exercise header parser creation. + auto* add = http_service.mutable_authorization_request()->add_headers_to_add(); + add->set_key("x-added"); + add->set_value("v"); + + auto cfg = std::make_shared(http_service, /*encode_raw_headers=*/true, + /*timeout_ms=*/123, factory_context_); + EXPECT_EQ(cfg->cluster(), "ext_authz"); + EXPECT_EQ(cfg->pathPrefix(), "/prefix"); + EXPECT_EQ(cfg->timeout(), std::chrono::milliseconds{123}); + EXPECT_TRUE(cfg->encodeRawHeaders()); +} + TEST_F(ExtAuthzHttpClientTest, StreamInfo) { envoy::service::auth::v3::CheckRequest request; client_->check(request_callbacks_, request, parent_span_, stream_info_); diff --git a/test/extensions/filters/http/ext_authz/config_test.cc b/test/extensions/filters/http/ext_authz/config_test.cc index bfb2a593b4114..9a84ee2e73deb 100644 --- a/test/extensions/filters/http/ext_authz/config_test.cc +++ b/test/extensions/filters/http/ext_authz/config_test.cc @@ -8,6 +8,7 @@ #include "source/common/network/address_impl.h" #include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/filters/http/ext_authz/config.h" +#include "source/extensions/filters/http/ext_authz/ext_authz.h" #include "test/mocks/server/factory_context.h" #include "test/test_common/real_threads_test_helper.h" @@ -28,6 +29,10 @@ namespace Extensions { namespace HttpFilters { namespace ExtAuthz { +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + class TestAsyncClientManagerImpl : public Grpc::AsyncClientManagerImpl { public: TestAsyncClientManagerImpl(Upstream::ClusterManager& cm, ThreadLocal::Instance& tls, @@ -217,6 +222,412 @@ TEST_F(ExtAuthzFilterHttpTest, FilterWithServerContext) { cb(filter_callback); } +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfiguration) { + const std::string per_route_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + route_type: "high_qps" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_high_qps" + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_FALSE(typed_config.disabled()); + EXPECT_TRUE(typed_config.grpcService().has_value()); + + const auto& grpc_service = typed_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_high_qps"); + + const auto& context_extensions = typed_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); + EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteHttpServiceConfiguration) { + const std::string per_route_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + route_type: "high_qps" + http_service: + server_uri: + uri: "https://ext-authz-http.example.com" + cluster: "ext_authz_http_cluster" + timeout: 2s + path_prefix: "/api/auth" + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_FALSE(typed_config.disabled()); + EXPECT_TRUE(typed_config.httpService().has_value()); + EXPECT_FALSE(typed_config.grpcService().has_value()); + + const auto& http_service = typed_config.httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-http.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_http_cluster"); + EXPECT_EQ(http_service.server_uri().timeout().seconds(), 2); + EXPECT_EQ(http_service.path_prefix(), "/api/auth"); + + const auto& context_extensions = typed_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); + EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteServiceTypeSwitching) { + // Test that we can switch service types - e.g., have gRPC in less specific and HTTP in more + // specific + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + base_setting: "from_base" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_grpc_cluster" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + override_setting: "from_override" + http_service: + server_uri: + uri: "https://ext-authz-http.example.com" + cluster: "ext_authz_http_cluster" + timeout: 3s + path_prefix: "/auth/check" + )EOF"; + + ExtAuthzFilterConfig factory; + + // Create less specific configuration with gRPC service + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + // Create more specific configuration with HTTP service + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + // Merge configurations - should use HTTP service from more specific config + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Verify that HTTP service from more specific config is used (service type switching) + EXPECT_TRUE(merged_config.httpService().has_value()); + EXPECT_FALSE(merged_config.grpcService().has_value()); + + const auto& http_service = merged_config.httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-http.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_http_cluster"); + EXPECT_EQ(http_service.path_prefix(), "/auth/check"); + + // Verify context extensions are properly merged (less specific preserved, more specific + // overrides) + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.size(), 2); + EXPECT_EQ(context_extensions.at("base_setting"), "from_base"); + EXPECT_EQ(context_extensions.at("override_setting"), "from_override"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteServiceTypeSwitchingHttpToGrpc) { + // Test that we can switch from HTTP service to gRPC service (reverse of the other test) + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + base_setting: "from_base" + http_service: + server_uri: + uri: "https://ext-authz-http.example.com" + cluster: "ext_authz_http_cluster" + timeout: 1s + path_prefix: "/auth" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + override_setting: "from_override" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_grpc_cluster" + authority: "ext-authz.example.com" + timeout: 5s + )EOF"; + + ExtAuthzFilterConfig factory; + + // Create less specific configuration with HTTP service + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + // Create more specific configuration with gRPC service + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + // Merge configurations - should use gRPC service from more specific config + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Verify that gRPC service from more specific config is used (service type switching) + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_FALSE(merged_config.httpService().has_value()); + + const auto& grpc_service = merged_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_grpc_cluster"); + EXPECT_EQ(grpc_service.envoy_grpc().authority(), "ext-authz.example.com"); + EXPECT_EQ(grpc_service.timeout().seconds(), 5); + + // Verify context extensions are properly merged + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.size(), 2); + EXPECT_EQ(context_extensions.at("base_setting"), "from_base"); + EXPECT_EQ(context_extensions.at("override_setting"), "from_override"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteHttpServiceWithTimeout) { + // Test HTTP service configuration with custom timeout + const std::string per_route_config_yaml = R"EOF( + check_settings: + http_service: + server_uri: + uri: "https://ext-authz-custom.example.com" + cluster: "ext_authz_custom_cluster" + timeout: 10s + path_prefix: "/custom/auth" + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_TRUE(typed_config.httpService().has_value()); + EXPECT_FALSE(typed_config.grpcService().has_value()); + + const auto& http_service = typed_config.httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-custom.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_custom_cluster"); + EXPECT_EQ(http_service.server_uri().timeout().seconds(), 10); + EXPECT_EQ(http_service.path_prefix(), "/custom/auth"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceWithTimeout) { + // Test gRPC service configuration with custom timeout + const std::string per_route_config_yaml = R"EOF( + check_settings: + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_custom_grpc" + authority: "custom-ext-authz.example.com" + timeout: 15s + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_TRUE(typed_config.grpcService().has_value()); + EXPECT_FALSE(typed_config.httpService().has_value()); + + const auto& grpc_service = typed_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_custom_grpc"); + EXPECT_EQ(grpc_service.envoy_grpc().authority(), "custom-ext-authz.example.com"); + EXPECT_EQ(grpc_service.timeout().seconds(), 15); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteEmptyContextExtensionsMerging) { + // Test merging when one config has empty context extensions + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + base_key: "base_value" + shared_key: "base_shared" + grpc_service: + envoy_grpc: + cluster_name: "base_cluster" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + grpc_service: + envoy_grpc: + cluster_name: "specific_cluster" + )EOF"; + + ExtAuthzFilterConfig factory; + + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Should use gRPC service from more specific + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "specific_cluster"); + + // Should preserve context extensions from less specific since more specific has none + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.size(), 2); + EXPECT_EQ(context_extensions.at("base_key"), "base_value"); + EXPECT_EQ(context_extensions.at("shared_key"), "base_shared"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationMerging) { + // Test merging of per-route configurations + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + shared_setting: "from_less_specific" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_default" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + route_type: "high_qps" + shared_setting: "from_more_specific" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_high_qps" + )EOF"; + + ExtAuthzFilterConfig factory; + + // Create less specific configuration + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + // Create more specific configuration + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + // Merge configurations + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Check that more specific gRPC service is used + EXPECT_TRUE(merged_config.grpcService().has_value()); + const auto& grpc_service = merged_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_high_qps"); + + // Check that context extensions are properly merged + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); + EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); + EXPECT_EQ(context_extensions.at("shared_setting"), "from_more_specific"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationWithoutGrpcService) { + const std::string per_route_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + disable_request_body_buffering: true + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_FALSE(typed_config.disabled()); + EXPECT_FALSE(typed_config.grpcService().has_value()); + + const auto& context_extensions = typed_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationDisabled) { + const std::string per_route_config_yaml = R"EOF( + disabled: true + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_TRUE(typed_config.disabled()); + EXPECT_FALSE(typed_config.grpcService().has_value()); +} + class ExtAuthzFilterGrpcTest : public ExtAuthzFilterTest { public: void testFilterFactoryAndFilterWithGrpcClient(const std::string& ext_authz_config_yaml) { diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index e072262e484b5..9eb2348bdbafd 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -5,6 +5,7 @@ #include "source/common/common/macros.h" #include "source/extensions/filters/common/ext_authz/ext_authz.h" +#include "source/extensions/filters/http/ext_authz/ext_authz.h" #include "source/server/config_validation/server.h" #include "test/common/grpc/grpc_client_integration.h" @@ -983,6 +984,32 @@ INSTANTIATE_TEST_SUITE_P(IpVersionsCientType, ExtAuthzGrpcIntegrationTest, testing::Bool()), ExtAuthzGrpcIntegrationTest::testParamsToString); +// Test per-route gRPC service configuration parsing +TEST_P(ExtAuthzGrpcIntegrationTest, PerRouteGrpcServiceConfigurationParsing) { + // Create a simple per-route configuration with gRPC service + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_cluster"); + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["route_type"] = + "special"; + + // Test configuration parsing and validation + Envoy::Extensions::HttpFilters::ExtAuthz::FilterConfigPerRoute config_per_route(per_route_config); + + // Verify the configuration was parsed correctly + ASSERT_TRUE(config_per_route.grpcService().has_value()); + EXPECT_TRUE(config_per_route.grpcService().value().has_envoy_grpc()); + EXPECT_EQ(config_per_route.grpcService().value().envoy_grpc().cluster_name(), + "per_route_cluster"); + + // Verify context extensions are present + const auto& check_settings = config_per_route.checkSettings(); + ASSERT_TRUE(check_settings.context_extensions().contains("route_type")); + EXPECT_EQ(check_settings.context_extensions().at("route_type"), "special"); +} + // Verifies that the request body is included in the CheckRequest when the downstream protocol is // HTTP/1.1. TEST_P(ExtAuthzGrpcIntegrationTest, HTTP1DownstreamRequestWithBody) { diff --git a/test/extensions/filters/http/ext_authz/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc index 129798b8cefb5..9d5fa891fb18c 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc @@ -71,7 +71,8 @@ template class HttpFilterTestBase : public T { config_ = std::make_shared(proto_config, *stats_store_.rootScope(), "ext_authz_prefix", factory_context_); client_ = new NiceMock(); - filter_ = std::make_unique(config_, Filters::Common::ExtAuthz::ClientPtr{client_}); + filter_ = std::make_unique(config_, Filters::Common::ExtAuthz::ClientPtr{client_}, + factory_context_); ON_CALL(decoder_filter_callbacks_, filterConfigName()).WillByDefault(Return(FilterConfigName)); filter_->setDecoderFilterCallbacks(decoder_filter_callbacks_); filter_->setEncoderFilterCallbacks(encoder_filter_callbacks_); @@ -439,9 +440,13 @@ class InvalidMutationTest : public HttpFilterTestBase { EXPECT_EQ(1U, config_->stats().invalid_.value()); } - const std::string invalid_key_ = "invalid-\nkey"; - const uint8_t invalid_value_bytes_[3]{0x7f, 0x7f, 0}; + static constexpr const char* invalid_key_ = "invalid-\nkey"; + static constexpr uint8_t invalid_value_bytes_[3]{0x7f, 0x7f, 0}; const std::string invalid_value_; + + static std::string getInvalidValue() { + return std::string(reinterpret_cast(invalid_value_bytes_)); + } }; TEST_F(HttpFilterTest, DisableDynamicMetadataIngestion) { @@ -484,139 +489,149 @@ TEST_F(HttpFilterTest, DisableDynamicMetadataIngestion) { // Tests that the filter rejects authz responses with mutations with an invalid key when // validate_authz_response is set to true in config. -TEST_F(InvalidMutationTest, HeadersToSetKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -// Same as above, setting a different field... -TEST_F(InvalidMutationTest, HeadersToAddKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_add = {{invalid_key_, "bar"}}; - testResponse(response); -} - -// headers_to_set is also used when the authz response has status denied. -TEST_F(InvalidMutationTest, HeadersToSetKeyDenied) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::Denied; - response.headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, HeadersToAppendKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_append = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToAddKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToSetKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToAddIfAbsentKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_add_if_absent = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToOverwriteIfExistsKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_overwrite_if_exists = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, QueryParametersToSetKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.query_parameters_to_set = {{"f o o", "bar"}}; - testResponse(response); -} - -// Test that the filter rejects mutations with an invalid value -TEST_F(InvalidMutationTest, HeadersToSetValueOk) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -// Same as above, setting a different field... -TEST_F(InvalidMutationTest, HeadersToAddValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_add = {{"foo", invalid_value_}}; - testResponse(response); -} - -// headers_to_set is also used when the authz response has status denied. -TEST_F(InvalidMutationTest, HeadersToSetValueDenied) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::Denied; - response.headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, HeadersToAppendValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_append = {{"foo", invalid_value_}}; - testResponse(response); -} +// Parameterized test for invalid mutation scenarios to reduce redundancy. +class InvalidMutationParamTest + : public InvalidMutationTest, + public testing::WithParamInterface< + std::tuple, // setup func + Filters::Common::ExtAuthz::CheckStatus // status + >> {}; + +TEST_P(InvalidMutationParamTest, InvalidMutationFields) { + const auto& [test_name, setup_func, status] = GetParam(); -TEST_F(InvalidMutationTest, ResponseHeadersToAddValue) { Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_set = {{"foo", invalid_value_}}; + response.status = status; + setup_func(response); testResponse(response); } -TEST_F(InvalidMutationTest, ResponseHeadersToSetValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToAddIfAbsentValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_add_if_absent = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToOverwriteIfExistsValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_overwrite_if_exists = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, QueryParametersToSetValue) { +INSTANTIATE_TEST_SUITE_P( + InvalidMutationScenarios, InvalidMutationParamTest, + testing::Values( + // Invalid key tests + std::make_tuple( + "HeadersToSetKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToAddKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_add = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToSetKeyDenied", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::Denied), + std::make_tuple( + "HeadersToAppendKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_append = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToSetKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddIfAbsentKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_add_if_absent = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToOverwriteIfExistsKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_overwrite_if_exists = { + {InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "QueryParametersToSetKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.query_parameters_to_set = {{"f o o", "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + // Invalid value tests + std::make_tuple( + "HeadersToSetValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToAddValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_add = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToSetValueDenied", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::Denied), + std::make_tuple( + "HeadersToAppendValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_append = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToSetValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddIfAbsentValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_add_if_absent = { + {"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToOverwriteIfExistsValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_overwrite_if_exists = { + {"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "QueryParametersToSetValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.query_parameters_to_set = {{"foo", "b a r"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK)), + [](const testing::TestParamInfo& info) { + return std::get<0>(info.param); + }); + +// Keep one simple focused test to ensure backward compatibility. +TEST_F(InvalidMutationTest, BasicInvalidKey) { Filters::Common::ExtAuthz::Response response; response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.query_parameters_to_set = {{"foo", "b a r"}}; + response.headers_to_set = {{invalid_key_, "bar"}}; testResponse(response); } @@ -824,68 +839,55 @@ TEST_F(DecoderHeaderMutationRulesTest, DisallowAll) { runTest(opts); } -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAdd) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_add = {{"cant-add-me", "sad"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAppend) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_append = {{"cant-append-to-me", "fail"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAppendPseudoheader) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_append = {{":fake-pseudo-header", "fail"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseSet) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_set = {{"cant-override-me", "nope"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseRemove) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_remove = {"cant-delete-me"}; - runTest(opts); -} +// Consolidated rejection test that covers all the scenarios previously tested individually. +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseOperations) { + // Test data structure for all rejection scenarios + struct TestCase { + std::string name; + bool use_disallow_all; + std::function setup_func; + }; -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseRemovePseudoHeader) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; + std::vector test_cases = { + {"RejectResponseAdd", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_add = {{"cant-add-me", "sad"}}; + }}, + {"RejectResponseAppend", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_append = {{"cant-append-to-me", "fail"}}; + }}, + {"RejectResponseAppendPseudoheader", false, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_append = {{":fake-pseudo-header", "fail"}}; + }}, + {"RejectResponseSet", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_set = {{"cant-override-me", "nope"}}; + }}, + {"RejectResponseRemove", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_remove = {"cant-delete-me"}; + }}, + {"RejectResponseRemovePseudoHeader", false, [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_remove = {":fake-pseudo-header"}; + }}}; + + // Run all test cases + for (const auto& test_case : test_cases) { + SCOPED_TRACE(test_case.name); + + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + if (test_case.use_disallow_all) { + opts.rules->mutable_disallow_all()->set_value(true); + } + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; - opts.disallowed_headers_to_remove = {":fake-pseudo-header"}; - runTest(opts); + test_case.setup_func(opts); + runTest(opts); + } } TEST_F(DecoderHeaderMutationRulesTest, DisallowExpression) { @@ -2828,19 +2830,20 @@ TEST_P(HttpFilterTestParam, ContextExtensions) { // Test that filter can be disabled with route config. TEST_P(HttpFilterTestParam, DisabledOnRoute) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - FilterConfigPerRoute auth_per_route(settings); + std::unique_ptr auth_per_route = + std::make_unique(settings); prepareCheck(); - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(&auth_per_route)); - auto test_disable = [&](bool disabled) { initialize(""); // Set disabled settings.set_disabled(disabled); // Initialize the route's per filter config. - auth_per_route = FilterConfigPerRoute(settings); + auth_per_route = std::make_unique(settings); + // Update the mock to return the new pointer + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(auth_per_route.get())); }; // baseline: make sure that when not disabled, check is called @@ -2861,10 +2864,8 @@ TEST_P(HttpFilterTestParam, DisabledOnRoute) { // Test that filter can be disabled with route config. TEST_P(HttpFilterTestParam, DisabledOnRouteWithRequestBody) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - FilterConfigPerRoute auth_per_route(settings); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(&auth_per_route)); + std::unique_ptr auth_per_route = + std::make_unique(settings); auto test_disable = [&](bool disabled) { initialize(R"EOF( @@ -2880,7 +2881,10 @@ TEST_P(HttpFilterTestParam, DisabledOnRouteWithRequestBody) { // Set the filter disabled setting. settings.set_disabled(disabled); // Initialize the route's per filter config. - auth_per_route = FilterConfigPerRoute(settings); + auth_per_route = std::make_unique(settings); + // Update the mock to return the new pointer. + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(auth_per_route.get())); }; test_disable(false); @@ -3914,6 +3918,31 @@ TEST_F(HttpFilterTest, PerRouteCheckSettingsWorks) { } // Checks that the per-route filter can override the check_settings set on the main filter. +TEST_F(HttpFilterTest, NullRouteSkipsCheck) { + initialize(R"EOF( + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_server" + failure_mode_allow: false + stat_prefix: "ext_authz" + )EOF"); + + prepareCheck(); + + // Set up a null route return value. + ON_CALL(decoder_filter_callbacks_, route()).WillByDefault(Return(nullptr)); + + // With null route, no authorization check should be performed. + EXPECT_CALL(*client_, check(_, _, _, _)).Times(0); + + // Call the filter directly. + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + // With null route, the filter should continue without an auth check. + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, false)); +} + TEST_F(HttpFilterTest, PerRouteCheckSettingsOverrideWorks) { InSequence s; @@ -3975,10 +4004,8 @@ TEST_F(HttpFilterTest, PerRouteCheckSettingsOverrideWorks) { // Verify that request body buffering can be skipped per route. TEST_P(HttpFilterTestParam, DisableRequestBodyBufferingOnRoute) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - FilterConfigPerRoute auth_per_route(settings); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(&auth_per_route)); + std::unique_ptr auth_per_route = + std::make_unique(settings); auto test_disable_request_body_buffering = [&](bool bypass) { initialize(R"EOF( @@ -3994,7 +4021,10 @@ TEST_P(HttpFilterTestParam, DisableRequestBodyBufferingOnRoute) { // Set bypass request body buffering for this route. settings.mutable_check_settings()->set_disable_request_body_buffering(bypass); // Initialize the route's per filter config. - auth_per_route = FilterConfigPerRoute(settings); + auth_per_route = std::make_unique(settings); + // Update the mock to return the new pointer. + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(auth_per_route.get())); }; test_disable_request_body_buffering(false); @@ -4159,6 +4189,801 @@ TEST_P(EmitFilterStateTest, PreexistingFilterStateSameTypeMutable) { TEST_P(ExtAuthzLoggingInfoTest, FieldTest) { test(); } +// Test per-route gRPC service override with null server context (fallback to default client) +TEST_P(HttpFilterTestParam, PerRouteGrpcServiceOverrideWithNullServerContext) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - per-route gRPC service only applies to gRPC clients + return; + } + + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_ext_authz_cluster"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Set up route to return per-route config + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + prepareCheck(); + + // Mock the default client check call (should fall back to default since server context is null) + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); +} + +// Test per-route configuration merging with context extensions +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithContextExtensions) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - configuration merging applies to gRPC clients + return; + } + + // Create base configuration with context extensions + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"base_key", "base_value"}); + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "base_shared_value"}); + + // Create more specific configuration with context extensions + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"specific_key", "specific_value"}); + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "specific_shared_value"}); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify merged context extensions + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 3); + EXPECT_EQ(merged_extensions.at("base_key"), "base_value"); + EXPECT_EQ(merged_extensions.at("specific_key"), "specific_value"); + EXPECT_EQ(merged_extensions.at("shared_key"), "specific_shared_value"); // More specific wins +} + +// Test per-route configuration merging with gRPC service override +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithGrpcServiceOverride) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - gRPC service override applies to gRPC clients + return; + } + + // Create base configuration without gRPC service + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"base_key", "base_value"}); + + // Create more specific configuration with gRPC service + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("specific_cluster"); + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"specific_key", "specific_value"}); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify gRPC service override is from more specific config + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "specific_cluster"); + + // Verify context extensions are merged + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 2); + EXPECT_EQ(merged_extensions.at("base_key"), "base_value"); + EXPECT_EQ(merged_extensions.at("specific_key"), "specific_value"); +} + +// Test per-route configuration merging with request body settings +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithRequestBodySettings) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - request body settings apply to gRPC clients + return; + } + + // Create base configuration with request body settings + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_with_request_body()->set_max_request_bytes(1000); + base_config.mutable_check_settings()->mutable_with_request_body()->set_allow_partial_message( + true); + + // Create more specific configuration with different request body settings + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->mutable_with_request_body()->set_max_request_bytes( + 2000); + specific_config.mutable_check_settings()->mutable_with_request_body()->set_allow_partial_message( + false); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify request body settings are from more specific config + const auto& merged_check_settings = merged_config.checkSettings(); + EXPECT_TRUE(merged_check_settings.has_with_request_body()); + EXPECT_EQ(merged_check_settings.with_request_body().max_request_bytes(), 2000); + EXPECT_EQ(merged_check_settings.with_request_body().allow_partial_message(), false); +} + +// Test per-route configuration merging with disable_request_body_buffering +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithDisableRequestBodyBuffering) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - disable request body buffering applies to gRPC clients + return; + } + + // Create base configuration without disable_request_body_buffering + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"base_key", "base_value"}); + + // Create more specific configuration with disable_request_body_buffering + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->set_disable_request_body_buffering(true); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify disable_request_body_buffering is from more specific config + const auto& merged_check_settings = merged_config.checkSettings(); + EXPECT_TRUE(merged_check_settings.disable_request_body_buffering()); +} + +// Test per-route configuration merging with multiple levels +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingMultipleLevels) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - configuration merging applies to gRPC clients + return; + } + + // Create virtual host level configuration + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute vh_config; + vh_config.mutable_check_settings()->mutable_context_extensions()->insert({"vh_key", "vh_value"}); + vh_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "vh_shared_value"}); + + // Create route level configuration + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute route_config; + route_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"route_key", "route_value"}); + route_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "route_shared_value"}); + route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("route_cluster"); + + // Create weighted cluster level configuration + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute wc_config; + wc_config.mutable_check_settings()->mutable_context_extensions()->insert({"wc_key", "wc_value"}); + wc_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "wc_shared_value"}); + + // Test merging from least specific to most specific + FilterConfigPerRoute vh_filter_config(vh_config); + FilterConfigPerRoute route_filter_config(route_config); + FilterConfigPerRoute wc_filter_config(wc_config); + + // First merge: vh + route + FilterConfigPerRoute vh_route_merged(vh_filter_config, route_filter_config); + + // Second merge: (vh + route) + weighted cluster + FilterConfigPerRoute final_merged(vh_route_merged, wc_filter_config); + + // Verify final merged context extensions + const auto& merged_extensions = final_merged.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 4); + EXPECT_EQ(merged_extensions.at("vh_key"), "vh_value"); + EXPECT_EQ(merged_extensions.at("route_key"), "route_value"); + EXPECT_EQ(merged_extensions.at("wc_key"), "wc_value"); + EXPECT_EQ(merged_extensions.at("shared_key"), "wc_shared_value"); // Most specific wins + + // Verify gRPC service override is NOT inherited from less specific levels. + EXPECT_FALSE(final_merged.grpcService().has_value()); +} + +// Test per-route context extensions take precedence over check_settings context extensions. +TEST_P(HttpFilterTestParam, PerRouteContextExtensionsPrecedence) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as context extensions apply to gRPC clients. + return; + } + + // Create configuration with context extensions in both places. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"check_key", "check_value"}); + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "check_shared_value"}); + + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"specific_check_key", "specific_check_value"}); + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "specific_check_shared_value"}); + + // Test merging using the merge constructor. + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify context extensions are properly merged. + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 3); + EXPECT_EQ(merged_extensions.at("check_key"), "check_value"); + EXPECT_EQ(merged_extensions.at("specific_check_key"), "specific_check_value"); + EXPECT_EQ(merged_extensions.at("shared_key"), + "specific_check_shared_value"); // More specific wins +} + +// Test per-route Google gRPC service configuration. +TEST_P(HttpFilterTestParam, PerRouteGoogleGrpcServiceConfiguration) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_google_grpc() + ->set_target_uri("https://ext-authz.googleapis.com"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Verify Google gRPC service is properly configured + EXPECT_TRUE(per_route_filter_config->grpcService().has_value()); + EXPECT_TRUE(per_route_filter_config->grpcService().value().has_google_grpc()); + EXPECT_EQ(per_route_filter_config->grpcService().value().google_grpc().target_uri(), + "https://ext-authz.googleapis.com"); +} + +// Test existing functionality still works with new logic. +TEST_P(HttpFilterTestParam, ExistingFunctionalityWithNewLogic) { + // Test that the existing functionality still works with our new per-route merging logic. + prepareCheck(); + + // Mock the default client check call (no per-route config). + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); +} + +// Test per-route configuration merging with empty configurations. +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithEmptyConfigurations) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as configuration merging applies to gRPC clients. + return; + } + + // Create empty base configuration. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + + // Create empty specific configuration. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + + // Test merging using the merge constructor. + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify merged configuration has empty context extensions. + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 0); + + // Verify no gRPC service override + EXPECT_FALSE(merged_config.grpcService().has_value()); +} + +// Test per-route gRPC service configuration merging functionality. +TEST_P(HttpFilterTestParam, PerRouteGrpcServiceMergingWithBaseConfiguration) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + // Create base per-route configuration. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + (*base_config.mutable_check_settings()->mutable_context_extensions())["base"] = "value"; + FilterConfigPerRoute base_filter_config(base_config); + + // Create per-route configuration with gRPC service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_cluster"); + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["route"] = "override"; + + // Test merging constructor. + FilterConfigPerRoute merged_config(base_filter_config, per_route_config); + + // Verify the merged configuration has the gRPC service from the per-route config. + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_TRUE(merged_config.grpcService().value().has_envoy_grpc()); + EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "per_route_cluster"); + + // Verify that context extensions are properly merged. + const auto& merged_settings = merged_config.checkSettings(); + EXPECT_TRUE(merged_settings.context_extensions().contains("route")); + EXPECT_EQ(merged_settings.context_extensions().at("route"), "override"); +} + +// Test focused integration test to verify per-route configuration is processed correctly. +TEST_P(HttpFilterTestParam, PerRouteConfigurationIntegrationTest) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - per-route gRPC service only applies to gRPC clients. + return; + } + + // This test covers the per-route configuration processing in initiateCall + // which exercises the lines where getAllPerFilterConfig is called and processed. + + // Set up per-route configuration with gRPC service override + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_cluster"); + + // Add context extensions to test that path too. + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["test_key"] = + "test_value"; + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Mock decoder callbacks to return per-route config. + ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) + .WillByDefault(Return(per_route_filter_config.get())); + + // Mock perFilterConfigs to return the per-route config vector. + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + // Set up basic request headers. + Http::TestRequestHeaderMapImpl headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "https"}, {"host", "example.com"}}; + + prepareCheck(); + + // Mock client check to capture and verify the check request has proper context extensions. + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest& check_request, + Tracing::Span&, const StreamInfo::StreamInfo&) -> void { + // Verify that per-route context extensions were merged correctly + auto context_extensions = check_request.attributes().context_extensions(); + EXPECT_TRUE(context_extensions.contains("test_key")); + EXPECT_EQ(context_extensions.at("test_key"), "test_value"); + + // Return OK to complete the test + auto response = std::make_unique(); + response->status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::move(response)); + })); + + // This exercises the per-route configuration processing logic which includes + // the getAllPerFilterConfig call and per-route gRPC service detection. + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, true)); +} + +// Test per-route gRPC client creation and usage. +TEST_P(HttpFilterTestParam, PerRouteGrpcClientCreationAndUsage) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + // Create per-route configuration with valid gRPC service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_ext_authz_cluster"); + + // Add context extensions to test merging. + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["test_key"] = + "test_value"; + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Set up route to return per-route config. + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + // Mock perFilterConfigs to return the per-route config vector which exercises + // getAllPerFilterConfig. + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + // Create a filter with server context for per-route gRPC client creation. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Mock successful gRPC async client manager access. + auto mock_grpc_client_manager = std::make_shared(); + ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); + ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); + + // Mock successful raw gRPC client creation which exercises createPerRouteGrpcClient. + auto mock_raw_grpc_client = std::make_shared(); + EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) + .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); + + // Set up expectations for the sendRaw call that will be made by the GrpcClientImpl. + EXPECT_CALL(*mock_raw_grpc_client, sendRaw(_, _, _, _, _, _)) + .WillOnce( + Invoke([](absl::string_view /*service_full_name*/, absl::string_view /*method_name*/, + Buffer::InstancePtr&& /*request*/, Grpc::RawAsyncRequestCallbacks& callbacks, + Tracing::Span& parent_span, + const Http::AsyncClient::RequestOptions& /*options*/) -> Grpc::AsyncRequest* { + envoy::service::auth::v3::CheckResponse check_response; + check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); + check_response.mutable_ok_response(); + + // Serialize the response to a buffer. + std::string serialized_response; + check_response.SerializeToString(&serialized_response); + auto response = std::make_unique(serialized_response); + + callbacks.onSuccessRaw(std::move(response), parent_span); + return nullptr; // No async request handle needed for immediate response. + })); + + // Since per-route gRPC client creation succeeds, the per-route client should be used + // instead of the default client. We won't see a call to new_client_ptr. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + +// Test per-route HTTP service configuration parsing. +TEST_P(HttpFilterTestParam, PerRouteHttpServiceConfigurationParsing) { + if (!std::get<1>(GetParam())) { + // Skip gRPC client test as per-route HTTP service only applies to HTTP clients. + return; + } + + // Create per-route configuration with valid HTTP service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings()->mutable_http_service()->mutable_server_uri()->set_uri( + "https://per-route-ext-authz.example.com"); + per_route_config.mutable_check_settings() + ->mutable_http_service() + ->mutable_server_uri() + ->set_cluster("per_route_http_cluster"); + per_route_config.mutable_check_settings()->mutable_http_service()->set_path_prefix( + "/api/v2/auth"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Verify the per-route HTTP service configuration is correctly parsed + EXPECT_TRUE(per_route_filter_config->httpService().has_value()); + EXPECT_FALSE(per_route_filter_config->grpcService().has_value()); + + const auto& http_service = per_route_filter_config->httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://per-route-ext-authz.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "per_route_http_cluster"); + EXPECT_EQ(http_service.path_prefix(), "/api/v2/auth"); +} + +// Test error handling when server context is not available for per-route gRPC client. +TEST_P(HttpFilterTestParam, PerRouteGrpcClientCreationNoServerContext) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - per-route gRPC service only applies to gRPC clients. + return; + } + + // Create per-route configuration with gRPC service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_grpc_cluster"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + // Create filter without server context. This should cause per-route client creation to fail. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client)); // No server context + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Since per-route client creation fails (no server context), should fall back to default client. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + // Verify this is using the default client. + auto response = std::make_unique(); + response->status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::move(response)); + })); + + Http::TestRequestHeaderMapImpl request_headers_{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + +// Test error handling when server context is not available for per-route HTTP client. +TEST_P(HttpFilterTestParam, PerRouteHttpClientCreationNoServerContext) { + if (!std::get<1>(GetParam())) { + // Skip gRPC client test as per-route HTTP service only applies to HTTP clients. + return; + } + + // Create per-route configuration with HTTP service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings()->mutable_http_service()->mutable_server_uri()->set_uri( + "https://per-route-ext-authz.example.com"); + per_route_config.mutable_check_settings() + ->mutable_http_service() + ->mutable_server_uri() + ->set_cluster("per_route_http_cluster"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + // Create filter without server context. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client)); // No server context + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Since per-route client creation fails, should fall back to default client. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + auto response = std::make_unique(); + response->status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::move(response)); + })); + + Http::TestRequestHeaderMapImpl request_headers_{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + +// Test gRPC client error handling for per-route config. +TEST_F(HttpFilterTest, GrpcClientPerRouteError) { + // Initialize with gRPC client configuration. + initialize(R"EOF( + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_server" + failure_mode_allow: false + stat_prefix: "ext_authz" + )EOF"); + + prepareCheck(); + + // Create per-route configuration with gRPC service override. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + auto* grpc_service = per_route_config.mutable_check_settings()->mutable_grpc_service(); + grpc_service->mutable_envoy_grpc()->set_cluster_name("nonexistent_cluster"); + + FilterConfigPerRoute per_route_filter_config(per_route_config); + + // Set up route config to use the per-route configuration. + ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) + .WillByDefault(Return(&per_route_filter_config)); + + // Since cluster doesn't exist, per-route client creation should fail + // and we'll use the default client instead. + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + // Verify filter processes the request with the default client. + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); +} + +// Test HTTP client with per-route configuration. +TEST_F(HttpFilterTest, HttpClientPerRouteOverride) { + // Initialize with HTTP client configuration. + initialize(R"EOF( + http_service: + server_uri: + uri: "https://ext-authz.example.com" + cluster: "ext_authz_server" + path_prefix: "/api/v1/auth" + failure_mode_allow: false + stat_prefix: "ext_authz" + )EOF"); + + prepareCheck(); + + // Create per-route configuration with HTTP service override. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + auto* http_service = per_route_config.mutable_check_settings()->mutable_http_service(); + http_service->mutable_server_uri()->set_uri("https://per-route-ext-authz.example.com"); + http_service->mutable_server_uri()->set_cluster("per_route_http_cluster"); + http_service->set_path_prefix("/api/v2/auth"); + + FilterConfigPerRoute per_route_filter_config(per_route_config); + + // Set up route config to use the per-route configuration. + ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) + .WillByDefault(Return(&per_route_filter_config)); + + // Set up a check expectation that will be satisfied by the default client. + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + // Verify filter processes the request. + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); +} + +// Test invalid response header validation via response_headers_to_add. +TEST_F(InvalidMutationTest, InvalidResponseHeadersToAddName) { + Filters::Common::ExtAuthz::Response r; + r.status = Filters::Common::ExtAuthz::CheckStatus::OK; + r.response_headers_to_add = {{"invalid header name", "value"}}; + testResponse(r); +} + +// Test invalid response header validation via response_headers_to_add value. +TEST_F(InvalidMutationTest, InvalidResponseHeadersToAddValue) { + Filters::Common::ExtAuthz::Response r; + r.status = Filters::Common::ExtAuthz::CheckStatus::OK; + r.response_headers_to_add = {{"valid-name", getInvalidValue()}}; + testResponse(r); +} + +// Test per-route timeout configuration is correctly used in gRPC client creation. +TEST_P(HttpFilterTestParam, PerRouteGrpcClientTimeoutConfiguration) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + // Create per-route configuration with custom timeout. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + auto* grpc_service = per_route_config.mutable_check_settings()->mutable_grpc_service(); + grpc_service->mutable_envoy_grpc()->set_cluster_name("per_route_grpc_cluster"); + grpc_service->mutable_timeout()->set_seconds(30); // Custom 30s timeout + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Mock gRPC client manager. + auto mock_grpc_client_manager = std::make_shared(); + ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); + ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); + + auto mock_raw_grpc_client = std::make_shared(); + EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) + .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); + + // Mock the sendRaw call and verify the timeout is used correctly. + EXPECT_CALL(*mock_raw_grpc_client, sendRaw(_, _, _, _, _, _)) + .WillOnce(Invoke([](absl::string_view, absl::string_view, Buffer::InstancePtr&&, + Grpc::RawAsyncRequestCallbacks& callbacks, Tracing::Span& parent_span, + const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { + // Verify that the timeout from the per-route config is used (30s = 30000ms) + EXPECT_TRUE(options.timeout.has_value()); + EXPECT_EQ(options.timeout->count(), 30000); + + envoy::service::auth::v3::CheckResponse check_response; + check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); + check_response.mutable_ok_response(); + + std::string serialized_response; + check_response.SerializeToString(&serialized_response); + auto response = std::make_unique(serialized_response); + + callbacks.onSuccessRaw(std::move(response), parent_span); + return nullptr; + })); + + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); + + Http::TestRequestHeaderMapImpl request_headers_{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + } // namespace } // namespace ExtAuthz } // namespace HttpFilters From 6e335cfdca56c593dc7827eb67ad3b1e499984cf Mon Sep 17 00:00:00 2001 From: Joe Kralicky Date: Fri, 22 Aug 2025 09:36:51 -0400 Subject: [PATCH 280/505] generic proxy: add onDownstreamConnected() callback to ServerCodec (#40747) Commit Message: generic proxy: add onDownstreamConnected() callback to ServerCodec Additional Description: This adds a new method ServerCodec::onDownstreamConnected() that is called when the downstream connection is established. This can be used for initialization steps that require the connection returned by ServerCodecCallbacks::connection() to have a value and be in a connected state. Risk Level: Low; the new method has an empty default implementation, as to not break existing ServerCodec implementations. Testing: Updated unit tests and mocks Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Joe Kralicky --- .../filters/network/generic_proxy/interface/codec.h | 10 +++++++++- .../extensions/filters/network/generic_proxy/proxy.h | 1 + .../filters/network/generic_proxy/fake_codec.h | 5 +++++ .../filters/network/generic_proxy/mocks/codec.h | 1 + .../filters/network/generic_proxy/proxy_test.cc | 6 ++++++ 5 files changed, 22 insertions(+), 1 deletion(-) diff --git a/source/extensions/filters/network/generic_proxy/interface/codec.h b/source/extensions/filters/network/generic_proxy/interface/codec.h index 2b1ba02ceefc7..682a2ea5fbf55 100644 --- a/source/extensions/filters/network/generic_proxy/interface/codec.h +++ b/source/extensions/filters/network/generic_proxy/interface/codec.h @@ -22,12 +22,20 @@ class ServerCodec { virtual ~ServerCodec() = default; /** - * Set callbacks of server codec. + * Set callbacks of server codec. Called before onConnected(). * @param callbacks callbacks of server codec. This callback will have same or longer * lifetime as the server codec. */ virtual void setCodecCallbacks(ServerCodecCallbacks& callbacks) PURE; + /** + * Called when the downstream connection is established. + * + * The connection obtained from ServerCodecCallbacks::connection() will be valid when this + * callback is invoked. It should not be relied upon to be valid until this point. + */ + virtual void onConnected() {} + /** * Decode request frame from downstream connection. * @param buffer data to decode. diff --git a/source/extensions/filters/network/generic_proxy/proxy.h b/source/extensions/filters/network/generic_proxy/proxy.h index 8e196116b83ba..f6d220401e775 100644 --- a/source/extensions/filters/network/generic_proxy/proxy.h +++ b/source/extensions/filters/network/generic_proxy/proxy.h @@ -370,6 +370,7 @@ class Filter : public Envoy::Network::ReadFilter, // Envoy::Network::ReadFilter Envoy::Network::FilterStatus onData(Envoy::Buffer::Instance& data, bool end_stream) override; Envoy::Network::FilterStatus onNewConnection() override { + server_codec_->onConnected(); return Envoy::Network::FilterStatus::Continue; } void initializeReadFilterCallbacks(Envoy::Network::ReadFilterCallbacks& callbacks) override { diff --git a/test/extensions/filters/network/generic_proxy/fake_codec.h b/test/extensions/filters/network/generic_proxy/fake_codec.h index 66e63a9bd7d79..fb96daf46c107 100644 --- a/test/extensions/filters/network/generic_proxy/fake_codec.h +++ b/test/extensions/filters/network/generic_proxy/fake_codec.h @@ -163,6 +163,11 @@ class FakeStreamCodecFactory : public CodecFactory { } void setCodecCallbacks(ServerCodecCallbacks& callback) override { callback_ = &callback; } + void onConnected() override { + ASSERT(callback_->connection().has_value()); + ASSERT(callback_->connection()->state() == Network::Connection::State::Open); + ASSERT(!callback_->connection()->connecting()); + } void decode(Buffer::Instance& buffer, bool) override { ENVOY_LOG(debug, "FakeServerCodec::decode: {}", buffer.toString()); diff --git a/test/extensions/filters/network/generic_proxy/mocks/codec.h b/test/extensions/filters/network/generic_proxy/mocks/codec.h index b93f4c8184fcb..8a89e5cc3a079 100644 --- a/test/extensions/filters/network/generic_proxy/mocks/codec.h +++ b/test/extensions/filters/network/generic_proxy/mocks/codec.h @@ -55,6 +55,7 @@ class MockServerCodec : public ServerCodec { } MOCK_METHOD(void, setCodecCallbacks, (ServerCodecCallbacks & callbacks)); + MOCK_METHOD(void, onConnected, ()); MOCK_METHOD(void, decode, (Buffer::Instance & buffer, bool end_stream)); MOCK_METHOD(EncodingResult, encode, (const StreamFrame&, EncodingContext& ctx)); MOCK_METHOD(ResponseHeaderFramePtr, respond, diff --git a/test/extensions/filters/network/generic_proxy/proxy_test.cc b/test/extensions/filters/network/generic_proxy/proxy_test.cc index d905524e5ffd3..73ccb1556bad9 100644 --- a/test/extensions/filters/network/generic_proxy/proxy_test.cc +++ b/test/extensions/filters/network/generic_proxy/proxy_test.cc @@ -232,6 +232,12 @@ class FilterTest : public FilterConfigTest { TEST_F(FilterTest, SimpleOnNewConnection) { initializeFilter(); + + EXPECT_CALL(*server_codec_, onConnected()).WillOnce(Invoke([this] { + ASSERT_NE(server_codec_callbacks_, nullptr); + ASSERT_EQ(&filter_callbacks_.connection_, server_codec_callbacks_->connection().ptr()); + })); + EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); } From b6ac394c8e915febdd6affc6bbbb20e44d2d9128 Mon Sep 17 00:00:00 2001 From: Pradeep Rao <84025829+pradeepcrao@users.noreply.github.com> Date: Fri, 22 Aug 2025 09:48:31 -0400 Subject: [PATCH 281/505] rate-limit: Unconditionally set request headers in decodeHeaders call for ratelimit filter (#40760) Signed-off-by: pcrao --- source/extensions/filters/http/ratelimit/ratelimit.cc | 7 +++++-- test/mocks/grpc/mocks.cc | 3 +++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/source/extensions/filters/http/ratelimit/ratelimit.cc b/source/extensions/filters/http/ratelimit/ratelimit.cc index 45aa5b31b164f..997fba719bc71 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.cc +++ b/source/extensions/filters/http/ratelimit/ratelimit.cc @@ -133,11 +133,11 @@ double Filter::getHitAddend() { } Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, bool) { + request_headers_ = &headers; if (!config_->enabled()) { return Http::FilterHeadersStatus::Continue; } - request_headers_ = &headers; initiateCall(headers); return (state_ == State::Calling || state_ == State::Responded) ? Http::FilterHeadersStatus::StopIteration @@ -190,7 +190,10 @@ void Filter::onDestroy() { if (state_ == State::Calling) { state_ = State::Complete; client_->cancel(); - } else if (client_ != nullptr) { + } else if (client_ != nullptr && + request_headers_ != nullptr) // If decodeHeaders is not called because of a local + // reply, we do not set request_headers_. + { std::vector descriptors; populateRateLimitDescriptors(descriptors, *request_headers_, true); if (!descriptors.empty()) { diff --git a/test/mocks/grpc/mocks.cc b/test/mocks/grpc/mocks.cc index c375a51226c7f..4cd28643d1903 100644 --- a/test/mocks/grpc/mocks.cc +++ b/test/mocks/grpc/mocks.cc @@ -44,6 +44,9 @@ MockAsyncClientManager::MockAsyncClientManager() { .WillByDefault(Invoke([](const envoy::config::core::v3::GrpcService&, Stats::Scope&, bool) { return std::make_unique>(); })); + ON_CALL(*this, getOrCreateRawAsyncClientWithHashKey(_, _, _)).WillByDefault(Invoke([] { + return std::make_shared>(); + })); } MockAsyncClientManager::~MockAsyncClientManager() = default; From 9b71b5a27debfc63194c0817adfc466c9c719c19 Mon Sep 17 00:00:00 2001 From: danzh Date: Fri, 22 Aug 2025 17:14:27 -0400 Subject: [PATCH 282/505] upstream: introduce new drain behavior DrainExistingNonMigratableConnections (#40801) Commit Message: Introduces new enum value `ConnectionPool::DrainBehavior::DrainExistingNonMigratableConnections`. When this behavior is used, HTTP/3 connection pools will only drain existing connections if QUIC connection migration is not enabled. The mobile engine is updated to use this new drain behavior when DNS refreshing is disabled on network changes, allowing migratable QUIC connections to persist across network transitions. Additional Description: also add QUICHE migration code into build target Risk Level: low, the new behavior is disabled Testing: new unit test pass Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- bazel/external/quiche.BUILD | 22 +++++++++++++++++++ envoy/common/conn_pool.h | 3 +++ envoy/upstream/cluster_manager.h | 3 ++- mobile/library/common/internal_engine.cc | 6 +++-- .../common/network/connectivity_manager.cc | 3 ++- .../network/connectivity_manager_test.cc | 2 +- source/common/http/http3/conn_pool.h | 12 ++++++++++ .../quic/client_connection_factory_impl.cc | 1 + .../quic/client_connection_factory_impl.h | 3 +++ .../common/upstream/cluster_manager_impl.cc | 15 +++++++------ source/common/upstream/cluster_manager_impl.h | 3 ++- test/common/http/http3/conn_pool_test.cc | 11 ++++++++++ .../http_conn_pool_integration_test.cc | 6 +++-- test/mocks/upstream/cluster_manager.h | 4 +++- tools/spelling/spelling_dictionary.txt | 1 + 15 files changed, 79 insertions(+), 16 deletions(-) diff --git a/bazel/external/quiche.BUILD b/bazel/external/quiche.BUILD index b60b80b8d156a..aab49a6148420 100644 --- a/bazel/external/quiche.BUILD +++ b/bazel/external/quiche.BUILD @@ -3029,13 +3029,17 @@ envoy_cc_library( envoy_quic_cc_library( name = "quic_core_http_client_lib", srcs = [ + "quiche/quic/core/http/quic_connection_migration_manager.cc", "quiche/quic/core/http/quic_spdy_client_session.cc", "quiche/quic/core/http/quic_spdy_client_session_base.cc", + "quiche/quic/core/http/quic_spdy_client_session_with_migration.cc", "quiche/quic/core/http/quic_spdy_client_stream.cc", ], hdrs = [ + "quiche/quic/core/http/quic_connection_migration_manager.h", "quiche/quic/core/http/quic_spdy_client_session.h", "quiche/quic/core/http/quic_spdy_client_session_base.h", + "quiche/quic/core/http/quic_spdy_client_session_with_migration.h", "quiche/quic/core/http/quic_spdy_client_stream.h", ], deps = [ @@ -3047,10 +3051,12 @@ envoy_quic_cc_library( ":quic_core_http_server_initiated_spdy_stream_lib", ":quic_core_http_spdy_session_lib", ":quic_core_packets_lib", + ":quic_core_path_context_factory_interface_lib", ":quic_core_qpack_qpack_streams_lib", ":quic_core_server_id_lib", ":quic_core_types_lib", ":quic_core_utils_lib", + ":quic_force_blockable_packet_writer_lib", ":quic_platform_base", ], ) @@ -3204,6 +3210,12 @@ envoy_quic_cc_library( ], ) +envoy_quic_cc_library( + name = "quic_force_blockable_packet_writer_lib", + hdrs = ["quiche/quic/core/quic_force_blockable_packet_writer.h"], + deps = [":quic_core_packet_writer_lib"], +) + envoy_quic_cc_library( name = "quic_core_http_spdy_stream_body_manager_lib", srcs = ["quiche/quic/core/http/quic_spdy_stream_body_manager.cc"], @@ -3394,6 +3406,16 @@ envoy_quic_cc_library( ], ) +envoy_quic_cc_library( + name = "quic_core_path_context_factory_interface_lib", + hdrs = ["quiche/quic/core/quic_path_context_factory.h"], + deps = [ + ":quic_core_path_validator_lib", + ":quic_platform_export", + ":quic_platform_socket_address", + ], +) + envoy_cc_library( name = "quic_core_syscall_wrapper_lib", srcs = select({ diff --git a/envoy/common/conn_pool.h b/envoy/common/conn_pool.h index 8fd7f1061bf95..14c5b05c7c1c0 100644 --- a/envoy/common/conn_pool.h +++ b/envoy/common/conn_pool.h @@ -49,6 +49,9 @@ enum class DrainBehavior { // all new streams take place on a new connection. For example, when a health check failure // occurs. DrainExistingConnections, + // Same as DrainExistingConnections, but only drains connections unable to migrate to a different + // network on mobile. + DrainExistingNonMigratableConnections, }; /** diff --git a/envoy/upstream/cluster_manager.h b/envoy/upstream/cluster_manager.h index 8253cfcf81ced..a871334f85d0b 100644 --- a/envoy/upstream/cluster_manager.h +++ b/envoy/upstream/cluster_manager.h @@ -503,7 +503,8 @@ class ClusterManager { * @param predicate supplies the optional drain connections host predicate. If not supplied, all * hosts are drained. */ - virtual void drainConnections(DrainConnectionsHostPredicate predicate) PURE; + virtual void drainConnections(DrainConnectionsHostPredicate predicate, + ConnectionPool::DrainBehavior drain_behavior) PURE; /** * Check if the cluster is active and statically configured, and if not, return an error diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index c4da556ff596a..f0dfa516e9c77 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -458,9 +458,11 @@ void InternalEngine::resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity if (disable_dns_refresh_on_network_change_) { if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.drain_pools_on_network_change")) { - // Since DNS refreshing is disabled, explicitly drain all connections. + // Since DNS refreshing is disabled, explicitly drain all non-migratable connections. ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); - getClusterManager().drainConnections([](const Upstream::Host&) { return true; }); + getClusterManager().drainConnections( + [](const Upstream::Host&) { return true; }, + Envoy::ConnectionPool::DrainBehavior::DrainExistingNonMigratableConnections); } } } diff --git a/mobile/library/common/network/connectivity_manager.cc b/mobile/library/common/network/connectivity_manager.cc index a2015a213c34a..c67676e6f1455 100644 --- a/mobile/library/common/network/connectivity_manager.cc +++ b/mobile/library/common/network/connectivity_manager.cc @@ -248,7 +248,8 @@ void RefreshDnsWithPostDrainHandler::onDnsResolutionComplete( // Pass predicate to only drain connections to the resolved host (for any cluster). cluster_manager_.drainConnections( - [resolved_host](const Upstream::Host& host) { return host.hostname() == resolved_host; }); + [resolved_host](const Upstream::Host& host) { return host.hostname() == resolved_host; }, + ConnectionPool::DrainBehavior::DrainExistingConnections); } void ConnectivityManagerImpl::setDrainPostDnsRefreshEnabled(bool enabled) { diff --git a/mobile/test/common/network/connectivity_manager_test.cc b/mobile/test/common/network/connectivity_manager_test.cc index 42ee049c219a0..6da466b5277f0 100644 --- a/mobile/test/common/network/connectivity_manager_test.cc +++ b/mobile/test/common/network/connectivity_manager_test.cc @@ -111,7 +111,7 @@ TEST_F(ConnectivityManagerTest, WhenDrainPostDnsRefreshEnabledDrainsPostDnsRefre envoy_netconf_t configuration_key = connectivity_manager_->getConfigurationKey(); connectivity_manager_->refreshDns(configuration_key, true); - EXPECT_CALL(cm_, drainConnections(_)); + EXPECT_CALL(cm_, drainConnections(_, ConnectionPool::DrainBehavior::DrainExistingConnections)); dns_completion_callback->onDnsResolutionComplete( "cached.example.com", std::make_shared(), diff --git a/source/common/http/http3/conn_pool.h b/source/common/http/http3/conn_pool.h index 5ded8dbefea24..e27b723106eef 100644 --- a/source/common/http/http3/conn_pool.h +++ b/source/common/http/http3/conn_pool.h @@ -158,6 +158,18 @@ class Http3ConnPoolImpl : public FixedHttpConnPoolImpl { ConnectionPool::Callbacks& callbacks, const Instance::StreamOptions& options) override; + void drainConnections(Envoy::ConnectionPool::DrainBehavior drain_behavior) override { + if (drain_behavior == + Envoy::ConnectionPool::DrainBehavior::DrainExistingNonMigratableConnections && + quic_info_.migration_config_.migrate_session_on_network_change) { + // If connection migration is enabled, don't drain existing connections. + // Each connection will observe network change signals and decide whether + // to migrate or drain. + return; + } + FixedHttpConnPoolImpl::drainConnections(drain_behavior); + } + // For HTTP/3 the base connection pool does not track stream capacity, rather // the HTTP3 active client does. bool trackStreamCapacity() override { return false; } diff --git a/source/common/quic/client_connection_factory_impl.cc b/source/common/quic/client_connection_factory_impl.cc index bca398c9d744f..c0ac52c733d70 100644 --- a/source/common/quic/client_connection_factory_impl.cc +++ b/source/common/quic/client_connection_factory_impl.cc @@ -10,6 +10,7 @@ PersistentQuicInfoImpl::PersistentQuicInfoImpl(Event::Dispatcher& dispatcher, ui : conn_helper_(dispatcher), alarm_factory_(dispatcher, *conn_helper_.GetClock()), buffer_limit_(buffer_limit), max_packet_length_(max_packet_length) { quiche::FlagRegistry::getInstance(); + migration_config_.migrate_session_on_network_change = false; } std::unique_ptr diff --git a/source/common/quic/client_connection_factory_impl.h b/source/common/quic/client_connection_factory_impl.h index 7d955602c43fa..f8edd9888a38c 100644 --- a/source/common/quic/client_connection_factory_impl.h +++ b/source/common/quic/client_connection_factory_impl.h @@ -12,6 +12,7 @@ #include "source/common/tls/client_ssl_socket.h" #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_client_stream.h" +#include "quiche/quic/core/http/quic_connection_migration_manager.h" #include "quiche/quic/core/quic_utils.h" namespace Envoy { @@ -34,6 +35,8 @@ struct PersistentQuicInfoImpl : public Http::PersistentQuicInfo { // Override the maximum packet length of connections for tunneling. Use the default length in // QUICHE if this is set to 0. quic::QuicByteCount max_packet_length_; + // TODO(danzh): Add a config knob to configure connection migration. + quic::QuicConnectionMigrationConfig migration_config_; }; std::unique_ptr diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 1fe95455eaa22..43b0151371cf1 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -1073,15 +1073,16 @@ void ClusterManagerImpl::drainConnections(const std::string& cluster, }); } -void ClusterManagerImpl::drainConnections(DrainConnectionsHostPredicate predicate) { +void ClusterManagerImpl::drainConnections(DrainConnectionsHostPredicate predicate, + ConnectionPool::DrainBehavior drain_behavior) { ENVOY_LOG_EVENT(debug, "drain_connections_call_for_all_clusters", "drainConnections called for all clusters"); - tls_.runOnAllThreads([predicate](OptRef cluster_manager) { - for (const auto& cluster_entry : cluster_manager->thread_local_clusters_) { - cluster_entry.second->drainConnPools(predicate, - ConnectionPool::DrainBehavior::DrainExistingConnections); - } - }); + tls_.runOnAllThreads( + [predicate, drain_behavior](OptRef cluster_manager) { + for (const auto& cluster_entry : cluster_manager->thread_local_clusters_) { + cluster_entry.second->drainConnPools(predicate, drain_behavior); + } + }); } absl::Status ClusterManagerImpl::checkActiveStaticCluster(const std::string& cluster) { diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index 3ef053a5da275..c81e6d97061b2 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h @@ -361,7 +361,8 @@ class ClusterManagerImpl : public ClusterManager, void drainConnections(const std::string& cluster, DrainConnectionsHostPredicate predicate) override; - void drainConnections(DrainConnectionsHostPredicate predicate) override; + void drainConnections(DrainConnectionsHostPredicate predicate, + ConnectionPool::DrainBehavior drain_behavior) override; absl::Status checkActiveStaticCluster(const std::string& cluster) override; diff --git a/test/common/http/http3/conn_pool_test.cc b/test/common/http/http3/conn_pool_test.cc index 77014d7eda84d..67f12a2e500f1 100644 --- a/test/common/http/http3/conn_pool_test.cc +++ b/test/common/http/http3/conn_pool_test.cc @@ -281,6 +281,17 @@ TEST_F(Http3ConnPoolImplTest, NewAndDrainClientBeforeConnect) { cancellable->cancel(Envoy::ConnectionPool::CancelPolicy::CloseExcess); } +TEST_F(Http3ConnPoolImplTest, MigrationEnabledNoDrain) { + quic_info_.migration_config_.migrate_session_on_network_change = true; + createNewStream(); + EXPECT_FALSE(pool_->isIdle()); + // Draining non-migratable connections should not drain the connection which might be able to + // migrate. + pool_->drainConnections( + Envoy::ConnectionPool::DrainBehavior::DrainExistingNonMigratableConnections); + EXPECT_FALSE(pool_->isIdle()); +} + } // namespace Http3 } // namespace Http } // namespace Envoy diff --git a/test/integration/http_conn_pool_integration_test.cc b/test/integration/http_conn_pool_integration_test.cc index ffe975921d72e..a15d46b329889 100644 --- a/test/integration/http_conn_pool_integration_test.cc +++ b/test/integration/http_conn_pool_integration_test.cc @@ -210,8 +210,10 @@ TEST_P(HttpConnPoolIntegrationTest, PoolDrainAfterDrainApiAllClusters) { EXPECT_TRUE(response->complete()); // Drain connection pools via API. Need to post this to the server thread. - test_server_->server().dispatcher().post( - [this] { test_server_->server().clusterManager().drainConnections(nullptr); }); + test_server_->server().dispatcher().post([this] { + test_server_->server().clusterManager().drainConnections( + nullptr, ConnectionPool::DrainBehavior::DrainExistingConnections); + }); ASSERT_TRUE(first_connection->waitForDisconnect()); ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); diff --git a/test/mocks/upstream/cluster_manager.h b/test/mocks/upstream/cluster_manager.h index 92db8e71ad696..6dcb21b32a723 100644 --- a/test/mocks/upstream/cluster_manager.h +++ b/test/mocks/upstream/cluster_manager.h @@ -84,7 +84,9 @@ class MockClusterManager : public ClusterManager { } MOCK_METHOD(void, drainConnections, (const std::string& cluster, DrainConnectionsHostPredicate predicate)); - MOCK_METHOD(void, drainConnections, (DrainConnectionsHostPredicate predicate)); + MOCK_METHOD(void, drainConnections, + (DrainConnectionsHostPredicate predicate, + ConnectionPool::DrainBehavior drain_behavior)); MOCK_METHOD(absl::Status, checkActiveStaticCluster, (const std::string& cluster)); MOCK_METHOD(absl::StatusOr, allocateOdCdsApi, (OdCdsCreationFunction creation_function, diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index e1e479b218197..54d4c26c34c69 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -1007,6 +1007,7 @@ metaprogramming metatable microbenchmarks midp +migratable milli mimics misconfiguration From 960c1c41df955a85a184fc3c028d7b1ad78c9b04 Mon Sep 17 00:00:00 2001 From: phlax Date: Sun, 24 Aug 2025 08:34:55 +0100 Subject: [PATCH 283/505] =?UTF-8?q?Revert=20"ext=5Fauthz:=20add=20grpc=5Fs?= =?UTF-8?q?ervice=20field=20on=20the=20per-route=20filter=20(#4=E2=80=A6?= =?UTF-8?q?=20(#40836)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …0169)" This reverts commit 8c03b2aac400361f89183ab3736864087a3557cf. Signed-off-by: Ryan Northey --- .../filters/http/ext_authz/v3/ext_authz.proto | 13 - changelogs/current.yaml | 12 +- .../common/ext_authz/ext_authz_http_impl.cc | 24 - .../common/ext_authz/ext_authz_http_impl.h | 5 - .../filters/http/ext_authz/config.cc | 6 +- .../filters/http/ext_authz/ext_authz.cc | 135 +- .../filters/http/ext_authz/ext_authz.h | 55 +- .../ext_authz/ext_authz_http_impl_test.cc | 21 - .../filters/http/ext_authz/config_test.cc | 411 ------ .../ext_authz/ext_authz_integration_test.cc | 27 - .../filters/http/ext_authz/ext_authz_test.cc | 1233 +++-------------- 11 files changed, 217 insertions(+), 1725 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto index 690a9956454df..0a2492b2ff5f5 100644 --- a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +++ b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto @@ -476,7 +476,6 @@ message ExtAuthzPerRoute { } // Extra settings for the check request. -// [#next-free-field: 6] message CheckSettings { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.ext_authz.v2.CheckSettings"; @@ -514,16 +513,4 @@ message CheckSettings { // :ref:`disable_request_body_buffering ` // may be specified. BufferSettings with_request_body = 3; - - // Override the external authorization service for this route. - // This allows different routes to use different external authorization service backends - // and service types (gRPC or HTTP). If specified, this overrides the filter-level service - // configuration regardless of the original service type. - oneof service_override { - // Override with a gRPC service configuration. - config.core.v3.GrpcService grpc_service = 4; - - // Override with an HTTP service configuration. - HttpService http_service = 5; - } } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 4495eeb525b54..076cf1a618dbf 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -203,8 +203,9 @@ new_features: for more details. - area: socket change: | - Added ``network_namespace_filepath`` to :ref:`SocketAddress `. This field allows - specifying a Linux network namespace filepath for socket creation, enabling network isolation in containerized environments. + Added :ref:``network_namespace_filepath `` to + :ref:`SocketAddress `. This field allows specifying a Linux network namespace filepath + for socket creation, enabling network isolation in containerized environments. - area: ratelimit change: | Add the :ref:`rate_limits @@ -255,13 +256,6 @@ new_features: Added ``virtualHost()`` to the Stream handle API, allowing Lua scripts to retrieve virtual host information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access virtual host metadata scoped to the specific filter name. See :ref:`Virtual host object API ` for more details. -- area: ext_authz - change: | - Added support for per-route gRPC service override in the ``ext_authz`` HTTP filter. This allows different routes - to use different external authorization backends by configuring a - :ref:`grpc_service ` - in the per-route ``check_settings``. Routes without this configuration continue to use the default - authorization service. - area: tracing change: | Added :ref:`trace_context_option ` enum diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc index 170ee16ef84a8..070636df941af 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc @@ -133,30 +133,6 @@ ClientConfig::ClientConfig(const envoy::extensions::filters::http::ext_authz::v3 Router::HeaderParserPtr)), encode_raw_headers_(config.encode_raw_headers()) {} -ClientConfig::ClientConfig( - const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service, - bool encode_raw_headers, uint32_t timeout, Server::Configuration::CommonFactoryContext& context) - : client_header_matchers_(toClientMatchers( - http_service.authorization_response().allowed_client_headers(), context)), - client_header_on_success_matchers_(toClientMatchersOnSuccess( - http_service.authorization_response().allowed_client_headers_on_success(), context)), - to_dynamic_metadata_matchers_(toDynamicMetadataMatchers( - http_service.authorization_response().dynamic_metadata_from_headers(), context)), - upstream_header_matchers_(toUpstreamMatchers( - http_service.authorization_response().allowed_upstream_headers(), context)), - upstream_header_to_append_matchers_(toUpstreamMatchers( - http_service.authorization_response().allowed_upstream_headers_to_append(), context)), - cluster_name_(http_service.server_uri().cluster()), timeout_(timeout), - path_prefix_( - THROW_OR_RETURN_VALUE(validatePathPrefix(http_service.path_prefix()), std::string)), - tracing_name_(fmt::format("async {} egress", http_service.server_uri().cluster())), - request_headers_parser_(THROW_OR_RETURN_VALUE( - Router::HeaderParser::configure( - http_service.authorization_request().headers_to_add(), - envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD), - Router::HeaderParserPtr)), - encode_raw_headers_(encode_raw_headers) {} - MatcherSharedPtr ClientConfig::toClientMatchersOnSuccess(const envoy::type::matcher::v3::ListStringMatcher& list, Server::Configuration::CommonFactoryContext& context) { diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h index 0847afe6c5a14..d79b34876548d 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h @@ -28,11 +28,6 @@ class ClientConfig { uint32_t timeout, absl::string_view path_prefix, Server::Configuration::CommonFactoryContext& context); - // Build config directly from HttpService without constructing a temporary ExtAuthz. - ClientConfig(const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service, - bool encode_raw_headers, uint32_t timeout, - Server::Configuration::CommonFactoryContext& context); - /** * Returns the name of the authorization cluster. */ diff --git a/source/extensions/filters/http/ext_authz/config.cc b/source/extensions/filters/http/ext_authz/config.cc index 8f7febefa8ccc..83a3c60287ae6 100644 --- a/source/extensions/filters/http/ext_authz/config.cc +++ b/source/extensions/filters/http/ext_authz/config.cc @@ -39,8 +39,7 @@ Http::FilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProtoWithServ &server_context](Http::FilterChainFactoryCallbacks& callbacks) { auto client = std::make_unique( server_context.clusterManager(), client_config); - callbacks.addStreamFilter( - std::make_shared(filter_config, std::move(client), server_context)); + callbacks.addStreamFilter(std::make_shared(filter_config, std::move(client))); }; } else { // gRPC client. @@ -58,8 +57,7 @@ Http::FilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProtoWithServ THROW_IF_NOT_OK_REF(client_or_error.status()); auto client = std::make_unique( client_or_error.value(), std::chrono::milliseconds(timeout_ms)); - callbacks.addStreamFilter( - std::make_shared(filter_config, std::move(client), server_context)); + callbacks.addStreamFilter(std::make_shared(filter_config, std::move(client))); }; } return callback; diff --git a/source/extensions/filters/http/ext_authz/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc index 7fd7abf65f365..9efd5b6fc36f6 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/ext_authz.cc @@ -1,3 +1,4 @@ +#include "ext_authz.h" #include "source/extensions/filters/http/ext_authz/ext_authz.h" #include @@ -20,9 +21,6 @@ namespace ExtAuthz { namespace { -// Default timeout for per-route gRPC client creation. -constexpr uint32_t kDefaultPerRouteTimeoutMs = 200; - using MetadataProto = ::envoy::config::core::v3::Metadata; using Filters::Common::MutationRules::CheckOperation; using Filters::Common::MutationRules::CheckResult; @@ -174,86 +172,6 @@ void FilterConfigPerRoute::merge(const FilterConfigPerRoute& other) { } } -// Constructor used for merging configurations from different levels (vhost, route, etc.) -FilterConfigPerRoute::FilterConfigPerRoute(const FilterConfigPerRoute& less_specific, - const FilterConfigPerRoute& more_specific) - : context_extensions_(less_specific.context_extensions_), - check_settings_(more_specific.check_settings_), disabled_(more_specific.disabled_), - // Only use the most specific per-route override. Do not inherit overrides from less - // specific configuration. If the more specific configuration has no override, leave both - // unset so that the main filter configuration is used. - grpc_service_(more_specific.grpc_service_.has_value() ? more_specific.grpc_service_ - : absl::nullopt), - http_service_(more_specific.http_service_.has_value() ? more_specific.http_service_ - : absl::nullopt) { - // Merge context extensions from more specific configuration, overriding less specific ones. - for (const auto& extension : more_specific.context_extensions_) { - context_extensions_[extension.first] = extension.second; - } -} - -Filters::Common::ExtAuthz::ClientPtr -Filter::createPerRouteGrpcClient(const envoy::config::core::v3::GrpcService& grpc_service) { - if (server_context_ == nullptr) { - ENVOY_STREAM_LOG( - debug, "ext_authz filter: server context not available for per-route gRPC client creation.", - *decoder_callbacks_); - return nullptr; - } - - // Use the timeout from the gRPC service configuration, use default if not specified. - const uint32_t timeout_ms = - PROTOBUF_GET_MS_OR_DEFAULT(grpc_service, timeout, kDefaultPerRouteTimeoutMs); - - // We can skip transport version check for per-route gRPC service here. - // The transport version is already validated at the main configuration level. - Envoy::Grpc::GrpcServiceConfigWithHashKey config_with_hash_key = - Envoy::Grpc::GrpcServiceConfigWithHashKey(grpc_service); - - auto client_or_error = server_context_->clusterManager() - .grpcAsyncClientManager() - .getOrCreateRawAsyncClientWithHashKey(config_with_hash_key, - server_context_->scope(), true); - if (!client_or_error.ok()) { - ENVOY_STREAM_LOG(warn, - "ext_authz filter: failed to create per-route gRPC client: {}. Falling back " - "to default client.", - *decoder_callbacks_, client_or_error.status().ToString()); - return nullptr; - } - - ENVOY_STREAM_LOG(debug, "ext_authz filter: created per-route gRPC client for cluster: {}.", - *decoder_callbacks_, - grpc_service.has_envoy_grpc() ? grpc_service.envoy_grpc().cluster_name() - : "google_grpc"); - - return std::make_unique( - client_or_error.value(), std::chrono::milliseconds(timeout_ms)); -} - -Filters::Common::ExtAuthz::ClientPtr Filter::createPerRouteHttpClient( - const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service) { - if (server_context_ == nullptr) { - ENVOY_STREAM_LOG( - debug, "ext_authz filter: server context not available for per-route HTTP client creation.", - *decoder_callbacks_); - return nullptr; - } - - // Use the timeout from the HTTP service configuration, use default if not specified. - const uint32_t timeout_ms = - PROTOBUF_GET_MS_OR_DEFAULT(http_service.server_uri(), timeout, kDefaultPerRouteTimeoutMs); - - ENVOY_STREAM_LOG(debug, "ext_authz filter: creating per-route HTTP client for URI: {}.", - *decoder_callbacks_, http_service.server_uri().uri()); - - const auto client_config = std::make_shared( - http_service, config_->headersAsBytes(), timeout_ms, *server_context_); - - return std::make_unique( - server_context_->clusterManager(), client_config); -} - void Filter::initiateCall(const Http::RequestHeaderMap& headers) { if (filter_return_ == FilterReturn::StopDecoding) { return; @@ -287,10 +205,9 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { for (const FilterConfigPerRoute& cfg : Http::Utility::getAllPerFilterConfig(decoder_callbacks_)) { if (maybe_merged_per_route_config.has_value()) { - FilterConfigPerRoute current_config = maybe_merged_per_route_config.value(); - maybe_merged_per_route_config.emplace(current_config, cfg); + maybe_merged_per_route_config.value().merge(cfg); } else { - maybe_merged_per_route_config.emplace(cfg); + maybe_merged_per_route_config = cfg; } } @@ -299,46 +216,6 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { context_extensions = maybe_merged_per_route_config.value().takeContextExtensions(); } - // Check if we need to use a per-route service override (gRPC or HTTP). - Filters::Common::ExtAuthz::Client* client_to_use = client_.get(); - if (maybe_merged_per_route_config) { - if (maybe_merged_per_route_config->grpcService().has_value()) { - const auto& grpc_service = maybe_merged_per_route_config->grpcService().value(); - ENVOY_STREAM_LOG(debug, "ext_authz filter: using per-route gRPC service configuration.", - *decoder_callbacks_); - - // Create a new gRPC client for this route. - per_route_client_ = createPerRouteGrpcClient(grpc_service); - if (per_route_client_ != nullptr) { - client_to_use = per_route_client_.get(); - ENVOY_STREAM_LOG(debug, "ext_authz filter: successfully created per-route gRPC client.", - *decoder_callbacks_); - } else { - ENVOY_STREAM_LOG( - warn, - "ext_authz filter: failed to create per-route gRPC client, falling back to default.", - *decoder_callbacks_); - } - } else if (maybe_merged_per_route_config->httpService().has_value()) { - const auto& http_service = maybe_merged_per_route_config->httpService().value(); - ENVOY_STREAM_LOG(debug, "ext_authz filter: using per-route HTTP service configuration.", - *decoder_callbacks_); - - // Create a new HTTP client for this route. - per_route_client_ = createPerRouteHttpClient(http_service); - if (per_route_client_ != nullptr) { - client_to_use = per_route_client_.get(); - ENVOY_STREAM_LOG(debug, "ext_authz filter: successfully created per-route HTTP client.", - *decoder_callbacks_); - } else { - ENVOY_STREAM_LOG( - warn, - "ext_authz filter: failed to create per-route HTTP client, falling back to default.", - *decoder_callbacks_); - } - } - } - // If metadata_context_namespaces or typed_metadata_context_namespaces is specified, // pass matching filter metadata to the ext_authz service. // If metadata key is set in both the connection and request metadata, @@ -364,7 +241,7 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { config_->destinationLabels(), config_->allowedHeadersMatcher(), config_->disallowedHeadersMatcher()); - ENVOY_STREAM_LOG(trace, "ext_authz filter calling authorization server.", *decoder_callbacks_); + ENVOY_STREAM_LOG(trace, "ext_authz filter calling authorization server", *decoder_callbacks_); // Store start time of ext_authz filter call start_time_ = decoder_callbacks_->dispatcher().timeSource().monotonicTime(); @@ -373,8 +250,8 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { // going to invoke check call. cluster_ = decoder_callbacks_->clusterInfo(); initiating_call_ = true; - client_to_use->check(*this, check_request_, decoder_callbacks_->activeSpan(), - decoder_callbacks_->streamInfo()); + client_->check(*this, check_request_, decoder_callbacks_->activeSpan(), + decoder_callbacks_->streamInfo()); initiating_call_ = false; } diff --git a/source/extensions/filters/http/ext_authz/ext_authz.h b/source/extensions/filters/http/ext_authz/ext_authz.h index 123daee1a6154..3f309b97c6d2e 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.h +++ b/source/extensions/filters/http/ext_authz/ext_authz.h @@ -6,10 +6,8 @@ #include #include "envoy/extensions/filters/http/ext_authz/v3/ext_authz.pb.h" -#include "envoy/grpc/async_client_manager.h" #include "envoy/http/filter.h" #include "envoy/runtime/runtime.h" -#include "envoy/server/factory_context.h" #include "envoy/service/auth/v3/external_auth.pb.h" #include "envoy/stats/scope.h" #include "envoy/stats/stats_macros.h" @@ -19,7 +17,6 @@ #include "source/common/common/logger.h" #include "source/common/common/matchers.h" #include "source/common/common/utility.h" -#include "source/common/grpc/typed_async_client.h" #include "source/common/http/codes.h" #include "source/common/http/header_map_impl.h" #include "source/common/runtime/runtime_protos.h" @@ -308,13 +305,7 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { check_settings_(config.has_check_settings() ? config.check_settings() : envoy::extensions::filters::http::ext_authz::v3::CheckSettings()), - disabled_(config.disabled()), - grpc_service_(config.has_check_settings() && config.check_settings().has_grpc_service() - ? absl::make_optional(config.check_settings().grpc_service()) - : absl::nullopt), - http_service_(config.has_check_settings() && config.check_settings().has_http_service() - ? absl::make_optional(config.check_settings().http_service()) - : absl::nullopt) { + disabled_(config.disabled()) { if (config.has_check_settings() && config.check_settings().disable_request_body_buffering() && config.check_settings().has_with_request_body()) { ExceptionUtil::throwEnvoyException( @@ -323,12 +314,6 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { } } - // This constructor is used as a way to merge more-specific config into less-specific config in a - // clearly defined way (e.g. route config into VH config). All fields on this class must be const - // and thus must be initialized in the constructor initialization list. - FilterConfigPerRoute(const FilterConfigPerRoute& less_specific, - const FilterConfigPerRoute& more_specific); - void merge(const FilterConfigPerRoute& other); /** @@ -344,30 +329,12 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { return check_settings_; } - /** - * @return The gRPC service override for this route, if any. - */ - const absl::optional& grpcService() const { - return grpc_service_; - } - - /** - * @return The HTTP service override for this route, if any. - */ - const absl::optional& - httpService() const { - return http_service_; - } - private: // We save the context extensions as a protobuf map instead of a std::map as this allows us to // move it to the CheckRequest, thus avoiding a copy that would incur by converting it. ContextExtensionsMap context_extensions_; envoy::extensions::filters::http::ext_authz::v3::CheckSettings check_settings_; - const bool disabled_; - const absl::optional grpc_service_; - const absl::optional - http_service_; + bool disabled_; }; /** @@ -381,12 +348,6 @@ class Filter : public Logger::Loggable, Filter(const FilterConfigSharedPtr& config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)), stats_(config->stats()) {} - // Constructor that includes server context for per-route service support. - Filter(const FilterConfigSharedPtr& config, Filters::Common::ExtAuthz::ClientPtr&& client, - Server::Configuration::ServerFactoryContext& server_context) - : config_(config), client_(std::move(client)), server_context_(&server_context), - stats_(config->stats()) {} - // Http::StreamFilterBase void onDestroy() override; @@ -422,14 +383,6 @@ class Filter : public Logger::Loggable, // code. void rejectResponse(); - // Create a new gRPC client for per-route gRPC service configuration. - Filters::Common::ExtAuthz::ClientPtr - createPerRouteGrpcClient(const envoy::config::core::v3::GrpcService& grpc_service); - - // Create a new HTTP client for per-route HTTP service configuration. - Filters::Common::ExtAuthz::ClientPtr createPerRouteHttpClient( - const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service); - absl::optional start_time_; void addResponseHeaders(Http::HeaderMap& header_map, const Http::HeaderVector& headers); void initiateCall(const Http::RequestHeaderMap& headers); @@ -457,10 +410,6 @@ class Filter : public Logger::Loggable, Http::HeaderMapPtr getHeaderMap(const Filters::Common::ExtAuthz::ResponsePtr& response); FilterConfigSharedPtr config_; Filters::Common::ExtAuthz::ClientPtr client_; - // Per-route gRPC client that overrides the default client when specified. - Filters::Common::ExtAuthz::ClientPtr per_route_client_; - // Server context for creating per-route clients. - Server::Configuration::ServerFactoryContext* server_context_{nullptr}; Http::StreamDecoderFilterCallbacks* decoder_callbacks_{}; Http::StreamEncoderFilterCallbacks* encoder_callbacks_{}; Http::RequestHeaderMap* request_headers_; diff --git a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc index 92cc6cddc5e62..298abb58a10e0 100644 --- a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc @@ -209,27 +209,6 @@ class ExtAuthzHttpClientTest : public testing::Test { NiceMock stream_info_; }; -// Verify ClientConfig could be built directly from HttpService and that the -// fields get wired correctly. -TEST_F(ExtAuthzHttpClientTest, ClientConfigFromHttpService) { - envoy::extensions::filters::http::ext_authz::v3::HttpService http_service; - http_service.mutable_server_uri()->set_uri("ext_authz:9000"); - http_service.mutable_server_uri()->set_cluster("ext_authz"); - http_service.mutable_server_uri()->mutable_timeout()->set_seconds(0); - http_service.set_path_prefix("/prefix"); - // Add one header to add to request to exercise header parser creation. - auto* add = http_service.mutable_authorization_request()->add_headers_to_add(); - add->set_key("x-added"); - add->set_value("v"); - - auto cfg = std::make_shared(http_service, /*encode_raw_headers=*/true, - /*timeout_ms=*/123, factory_context_); - EXPECT_EQ(cfg->cluster(), "ext_authz"); - EXPECT_EQ(cfg->pathPrefix(), "/prefix"); - EXPECT_EQ(cfg->timeout(), std::chrono::milliseconds{123}); - EXPECT_TRUE(cfg->encodeRawHeaders()); -} - TEST_F(ExtAuthzHttpClientTest, StreamInfo) { envoy::service::auth::v3::CheckRequest request; client_->check(request_callbacks_, request, parent_span_, stream_info_); diff --git a/test/extensions/filters/http/ext_authz/config_test.cc b/test/extensions/filters/http/ext_authz/config_test.cc index 9a84ee2e73deb..bfb2a593b4114 100644 --- a/test/extensions/filters/http/ext_authz/config_test.cc +++ b/test/extensions/filters/http/ext_authz/config_test.cc @@ -8,7 +8,6 @@ #include "source/common/network/address_impl.h" #include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/filters/http/ext_authz/config.h" -#include "source/extensions/filters/http/ext_authz/ext_authz.h" #include "test/mocks/server/factory_context.h" #include "test/test_common/real_threads_test_helper.h" @@ -29,10 +28,6 @@ namespace Extensions { namespace HttpFilters { namespace ExtAuthz { -using testing::NiceMock; -using testing::Return; -using testing::ReturnRef; - class TestAsyncClientManagerImpl : public Grpc::AsyncClientManagerImpl { public: TestAsyncClientManagerImpl(Upstream::ClusterManager& cm, ThreadLocal::Instance& tls, @@ -222,412 +217,6 @@ TEST_F(ExtAuthzFilterHttpTest, FilterWithServerContext) { cb(filter_callback); } -TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfiguration) { - const std::string per_route_config_yaml = R"EOF( - check_settings: - context_extensions: - virtual_host: "my_virtual_host" - route_type: "high_qps" - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_high_qps" - )EOF"; - - ExtAuthzFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); - - testing::NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()); - auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, - context.messageValidationVisitor()); - EXPECT_TRUE(route_config.ok()); - - const auto& typed_config = dynamic_cast(*route_config.value()); - EXPECT_FALSE(typed_config.disabled()); - EXPECT_TRUE(typed_config.grpcService().has_value()); - - const auto& grpc_service = typed_config.grpcService().value(); - EXPECT_TRUE(grpc_service.has_envoy_grpc()); - EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_high_qps"); - - const auto& context_extensions = typed_config.contextExtensions(); - EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); - EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteHttpServiceConfiguration) { - const std::string per_route_config_yaml = R"EOF( - check_settings: - context_extensions: - virtual_host: "my_virtual_host" - route_type: "high_qps" - http_service: - server_uri: - uri: "https://ext-authz-http.example.com" - cluster: "ext_authz_http_cluster" - timeout: 2s - path_prefix: "/api/auth" - )EOF"; - - ExtAuthzFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); - - testing::NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()); - auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, - context.messageValidationVisitor()); - EXPECT_TRUE(route_config.ok()); - - const auto& typed_config = dynamic_cast(*route_config.value()); - EXPECT_FALSE(typed_config.disabled()); - EXPECT_TRUE(typed_config.httpService().has_value()); - EXPECT_FALSE(typed_config.grpcService().has_value()); - - const auto& http_service = typed_config.httpService().value(); - EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-http.example.com"); - EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_http_cluster"); - EXPECT_EQ(http_service.server_uri().timeout().seconds(), 2); - EXPECT_EQ(http_service.path_prefix(), "/api/auth"); - - const auto& context_extensions = typed_config.contextExtensions(); - EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); - EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteServiceTypeSwitching) { - // Test that we can switch service types - e.g., have gRPC in less specific and HTTP in more - // specific - const std::string less_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - base_setting: "from_base" - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_grpc_cluster" - )EOF"; - - const std::string more_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - override_setting: "from_override" - http_service: - server_uri: - uri: "https://ext-authz-http.example.com" - cluster: "ext_authz_http_cluster" - timeout: 3s - path_prefix: "/auth/check" - )EOF"; - - ExtAuthzFilterConfig factory; - - // Create less specific configuration with gRPC service - ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); - FilterConfigPerRoute less_specific_config( - *dynamic_cast( - less_specific_proto.get())); - - // Create more specific configuration with HTTP service - ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); - FilterConfigPerRoute more_specific_config( - *dynamic_cast( - more_specific_proto.get())); - - // Merge configurations - should use HTTP service from more specific config - FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); - - // Verify that HTTP service from more specific config is used (service type switching) - EXPECT_TRUE(merged_config.httpService().has_value()); - EXPECT_FALSE(merged_config.grpcService().has_value()); - - const auto& http_service = merged_config.httpService().value(); - EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-http.example.com"); - EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_http_cluster"); - EXPECT_EQ(http_service.path_prefix(), "/auth/check"); - - // Verify context extensions are properly merged (less specific preserved, more specific - // overrides) - const auto& context_extensions = merged_config.contextExtensions(); - EXPECT_EQ(context_extensions.size(), 2); - EXPECT_EQ(context_extensions.at("base_setting"), "from_base"); - EXPECT_EQ(context_extensions.at("override_setting"), "from_override"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteServiceTypeSwitchingHttpToGrpc) { - // Test that we can switch from HTTP service to gRPC service (reverse of the other test) - const std::string less_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - base_setting: "from_base" - http_service: - server_uri: - uri: "https://ext-authz-http.example.com" - cluster: "ext_authz_http_cluster" - timeout: 1s - path_prefix: "/auth" - )EOF"; - - const std::string more_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - override_setting: "from_override" - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_grpc_cluster" - authority: "ext-authz.example.com" - timeout: 5s - )EOF"; - - ExtAuthzFilterConfig factory; - - // Create less specific configuration with HTTP service - ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); - FilterConfigPerRoute less_specific_config( - *dynamic_cast( - less_specific_proto.get())); - - // Create more specific configuration with gRPC service - ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); - FilterConfigPerRoute more_specific_config( - *dynamic_cast( - more_specific_proto.get())); - - // Merge configurations - should use gRPC service from more specific config - FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); - - // Verify that gRPC service from more specific config is used (service type switching) - EXPECT_TRUE(merged_config.grpcService().has_value()); - EXPECT_FALSE(merged_config.httpService().has_value()); - - const auto& grpc_service = merged_config.grpcService().value(); - EXPECT_TRUE(grpc_service.has_envoy_grpc()); - EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_grpc_cluster"); - EXPECT_EQ(grpc_service.envoy_grpc().authority(), "ext-authz.example.com"); - EXPECT_EQ(grpc_service.timeout().seconds(), 5); - - // Verify context extensions are properly merged - const auto& context_extensions = merged_config.contextExtensions(); - EXPECT_EQ(context_extensions.size(), 2); - EXPECT_EQ(context_extensions.at("base_setting"), "from_base"); - EXPECT_EQ(context_extensions.at("override_setting"), "from_override"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteHttpServiceWithTimeout) { - // Test HTTP service configuration with custom timeout - const std::string per_route_config_yaml = R"EOF( - check_settings: - http_service: - server_uri: - uri: "https://ext-authz-custom.example.com" - cluster: "ext_authz_custom_cluster" - timeout: 10s - path_prefix: "/custom/auth" - )EOF"; - - ExtAuthzFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); - - testing::NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()); - auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, - context.messageValidationVisitor()); - EXPECT_TRUE(route_config.ok()); - - const auto& typed_config = dynamic_cast(*route_config.value()); - EXPECT_TRUE(typed_config.httpService().has_value()); - EXPECT_FALSE(typed_config.grpcService().has_value()); - - const auto& http_service = typed_config.httpService().value(); - EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-custom.example.com"); - EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_custom_cluster"); - EXPECT_EQ(http_service.server_uri().timeout().seconds(), 10); - EXPECT_EQ(http_service.path_prefix(), "/custom/auth"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceWithTimeout) { - // Test gRPC service configuration with custom timeout - const std::string per_route_config_yaml = R"EOF( - check_settings: - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_custom_grpc" - authority: "custom-ext-authz.example.com" - timeout: 15s - )EOF"; - - ExtAuthzFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); - - testing::NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()); - auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, - context.messageValidationVisitor()); - EXPECT_TRUE(route_config.ok()); - - const auto& typed_config = dynamic_cast(*route_config.value()); - EXPECT_TRUE(typed_config.grpcService().has_value()); - EXPECT_FALSE(typed_config.httpService().has_value()); - - const auto& grpc_service = typed_config.grpcService().value(); - EXPECT_TRUE(grpc_service.has_envoy_grpc()); - EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_custom_grpc"); - EXPECT_EQ(grpc_service.envoy_grpc().authority(), "custom-ext-authz.example.com"); - EXPECT_EQ(grpc_service.timeout().seconds(), 15); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteEmptyContextExtensionsMerging) { - // Test merging when one config has empty context extensions - const std::string less_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - base_key: "base_value" - shared_key: "base_shared" - grpc_service: - envoy_grpc: - cluster_name: "base_cluster" - )EOF"; - - const std::string more_specific_config_yaml = R"EOF( - check_settings: - grpc_service: - envoy_grpc: - cluster_name: "specific_cluster" - )EOF"; - - ExtAuthzFilterConfig factory; - - ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); - FilterConfigPerRoute less_specific_config( - *dynamic_cast( - less_specific_proto.get())); - - ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); - FilterConfigPerRoute more_specific_config( - *dynamic_cast( - more_specific_proto.get())); - - FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); - - // Should use gRPC service from more specific - EXPECT_TRUE(merged_config.grpcService().has_value()); - EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "specific_cluster"); - - // Should preserve context extensions from less specific since more specific has none - const auto& context_extensions = merged_config.contextExtensions(); - EXPECT_EQ(context_extensions.size(), 2); - EXPECT_EQ(context_extensions.at("base_key"), "base_value"); - EXPECT_EQ(context_extensions.at("shared_key"), "base_shared"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationMerging) { - // Test merging of per-route configurations - const std::string less_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - virtual_host: "my_virtual_host" - shared_setting: "from_less_specific" - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_default" - )EOF"; - - const std::string more_specific_config_yaml = R"EOF( - check_settings: - context_extensions: - route_type: "high_qps" - shared_setting: "from_more_specific" - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_high_qps" - )EOF"; - - ExtAuthzFilterConfig factory; - - // Create less specific configuration - ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); - FilterConfigPerRoute less_specific_config( - *dynamic_cast( - less_specific_proto.get())); - - // Create more specific configuration - ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); - FilterConfigPerRoute more_specific_config( - *dynamic_cast( - more_specific_proto.get())); - - // Merge configurations - FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); - - // Check that more specific gRPC service is used - EXPECT_TRUE(merged_config.grpcService().has_value()); - const auto& grpc_service = merged_config.grpcService().value(); - EXPECT_TRUE(grpc_service.has_envoy_grpc()); - EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_high_qps"); - - // Check that context extensions are properly merged - const auto& context_extensions = merged_config.contextExtensions(); - EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); - EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); - EXPECT_EQ(context_extensions.at("shared_setting"), "from_more_specific"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationWithoutGrpcService) { - const std::string per_route_config_yaml = R"EOF( - check_settings: - context_extensions: - virtual_host: "my_virtual_host" - disable_request_body_buffering: true - )EOF"; - - ExtAuthzFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); - - testing::NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()); - auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, - context.messageValidationVisitor()); - EXPECT_TRUE(route_config.ok()); - - const auto& typed_config = dynamic_cast(*route_config.value()); - EXPECT_FALSE(typed_config.disabled()); - EXPECT_FALSE(typed_config.grpcService().has_value()); - - const auto& context_extensions = typed_config.contextExtensions(); - EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); -} - -TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationDisabled) { - const std::string per_route_config_yaml = R"EOF( - disabled: true - )EOF"; - - ExtAuthzFilterConfig factory; - ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); - TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); - - testing::NiceMock context; - EXPECT_CALL(context, messageValidationVisitor()); - auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, - context.messageValidationVisitor()); - EXPECT_TRUE(route_config.ok()); - - const auto& typed_config = dynamic_cast(*route_config.value()); - EXPECT_TRUE(typed_config.disabled()); - EXPECT_FALSE(typed_config.grpcService().has_value()); -} - class ExtAuthzFilterGrpcTest : public ExtAuthzFilterTest { public: void testFilterFactoryAndFilterWithGrpcClient(const std::string& ext_authz_config_yaml) { diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index 9eb2348bdbafd..e072262e484b5 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -5,7 +5,6 @@ #include "source/common/common/macros.h" #include "source/extensions/filters/common/ext_authz/ext_authz.h" -#include "source/extensions/filters/http/ext_authz/ext_authz.h" #include "source/server/config_validation/server.h" #include "test/common/grpc/grpc_client_integration.h" @@ -984,32 +983,6 @@ INSTANTIATE_TEST_SUITE_P(IpVersionsCientType, ExtAuthzGrpcIntegrationTest, testing::Bool()), ExtAuthzGrpcIntegrationTest::testParamsToString); -// Test per-route gRPC service configuration parsing -TEST_P(ExtAuthzGrpcIntegrationTest, PerRouteGrpcServiceConfigurationParsing) { - // Create a simple per-route configuration with gRPC service - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("per_route_cluster"); - (*per_route_config.mutable_check_settings()->mutable_context_extensions())["route_type"] = - "special"; - - // Test configuration parsing and validation - Envoy::Extensions::HttpFilters::ExtAuthz::FilterConfigPerRoute config_per_route(per_route_config); - - // Verify the configuration was parsed correctly - ASSERT_TRUE(config_per_route.grpcService().has_value()); - EXPECT_TRUE(config_per_route.grpcService().value().has_envoy_grpc()); - EXPECT_EQ(config_per_route.grpcService().value().envoy_grpc().cluster_name(), - "per_route_cluster"); - - // Verify context extensions are present - const auto& check_settings = config_per_route.checkSettings(); - ASSERT_TRUE(check_settings.context_extensions().contains("route_type")); - EXPECT_EQ(check_settings.context_extensions().at("route_type"), "special"); -} - // Verifies that the request body is included in the CheckRequest when the downstream protocol is // HTTP/1.1. TEST_P(ExtAuthzGrpcIntegrationTest, HTTP1DownstreamRequestWithBody) { diff --git a/test/extensions/filters/http/ext_authz/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc index 9d5fa891fb18c..129798b8cefb5 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc @@ -71,8 +71,7 @@ template class HttpFilterTestBase : public T { config_ = std::make_shared(proto_config, *stats_store_.rootScope(), "ext_authz_prefix", factory_context_); client_ = new NiceMock(); - filter_ = std::make_unique(config_, Filters::Common::ExtAuthz::ClientPtr{client_}, - factory_context_); + filter_ = std::make_unique(config_, Filters::Common::ExtAuthz::ClientPtr{client_}); ON_CALL(decoder_filter_callbacks_, filterConfigName()).WillByDefault(Return(FilterConfigName)); filter_->setDecoderFilterCallbacks(decoder_filter_callbacks_); filter_->setEncoderFilterCallbacks(encoder_filter_callbacks_); @@ -440,13 +439,9 @@ class InvalidMutationTest : public HttpFilterTestBase { EXPECT_EQ(1U, config_->stats().invalid_.value()); } - static constexpr const char* invalid_key_ = "invalid-\nkey"; - static constexpr uint8_t invalid_value_bytes_[3]{0x7f, 0x7f, 0}; + const std::string invalid_key_ = "invalid-\nkey"; + const uint8_t invalid_value_bytes_[3]{0x7f, 0x7f, 0}; const std::string invalid_value_; - - static std::string getInvalidValue() { - return std::string(reinterpret_cast(invalid_value_bytes_)); - } }; TEST_F(HttpFilterTest, DisableDynamicMetadataIngestion) { @@ -489,152 +484,142 @@ TEST_F(HttpFilterTest, DisableDynamicMetadataIngestion) { // Tests that the filter rejects authz responses with mutations with an invalid key when // validate_authz_response is set to true in config. -// Parameterized test for invalid mutation scenarios to reduce redundancy. -class InvalidMutationParamTest - : public InvalidMutationTest, - public testing::WithParamInterface< - std::tuple, // setup func - Filters::Common::ExtAuthz::CheckStatus // status - >> {}; - -TEST_P(InvalidMutationParamTest, InvalidMutationFields) { - const auto& [test_name, setup_func, status] = GetParam(); - +TEST_F(InvalidMutationTest, HeadersToSetKey) { Filters::Common::ExtAuthz::Response response; - response.status = status; - setup_func(response); + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.headers_to_set = {{invalid_key_, "bar"}}; testResponse(response); } -INSTANTIATE_TEST_SUITE_P( - InvalidMutationScenarios, InvalidMutationParamTest, - testing::Values( - // Invalid key tests - std::make_tuple( - "HeadersToSetKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "HeadersToAddKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_add = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "HeadersToSetKeyDenied", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::Denied), - std::make_tuple( - "HeadersToAppendKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_append = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToAddKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToSetKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToAddIfAbsentKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_add_if_absent = {{InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToOverwriteIfExistsKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_overwrite_if_exists = { - {InvalidMutationTest::invalid_key_, "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "QueryParametersToSetKey", - [](Filters::Common::ExtAuthz::Response& r) { - r.query_parameters_to_set = {{"f o o", "bar"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - // Invalid value tests - std::make_tuple( - "HeadersToSetValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "HeadersToAddValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_add = {{"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "HeadersToSetValueDenied", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::Denied), - std::make_tuple( - "HeadersToAppendValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.headers_to_append = {{"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToAddValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToSetValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToAddIfAbsentValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_add_if_absent = { - {"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "ResponseHeadersToOverwriteIfExistsValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.response_headers_to_overwrite_if_exists = { - {"foo", InvalidMutationTest::getInvalidValue()}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK), - std::make_tuple( - "QueryParametersToSetValue", - [](Filters::Common::ExtAuthz::Response& r) { - r.query_parameters_to_set = {{"foo", "b a r"}}; - }, - Filters::Common::ExtAuthz::CheckStatus::OK)), - [](const testing::TestParamInfo& info) { - return std::get<0>(info.param); - }); - -// Keep one simple focused test to ensure backward compatibility. -TEST_F(InvalidMutationTest, BasicInvalidKey) { +// Same as above, setting a different field... +TEST_F(InvalidMutationTest, HeadersToAddKey) { Filters::Common::ExtAuthz::Response response; response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.headers_to_add = {{invalid_key_, "bar"}}; + testResponse(response); +} + +// headers_to_set is also used when the authz response has status denied. +TEST_F(InvalidMutationTest, HeadersToSetKeyDenied) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::Denied; response.headers_to_set = {{invalid_key_, "bar"}}; testResponse(response); } +TEST_F(InvalidMutationTest, HeadersToAppendKey) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.headers_to_append = {{invalid_key_, "bar"}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToAddKey) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.response_headers_to_set = {{invalid_key_, "bar"}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToSetKey) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.response_headers_to_set = {{invalid_key_, "bar"}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToAddIfAbsentKey) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.response_headers_to_add_if_absent = {{invalid_key_, "bar"}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToOverwriteIfExistsKey) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.response_headers_to_overwrite_if_exists = {{invalid_key_, "bar"}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, QueryParametersToSetKey) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.query_parameters_to_set = {{"f o o", "bar"}}; + testResponse(response); +} + +// Test that the filter rejects mutations with an invalid value +TEST_F(InvalidMutationTest, HeadersToSetValueOk) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.headers_to_set = {{"foo", invalid_value_}}; + testResponse(response); +} + +// Same as above, setting a different field... +TEST_F(InvalidMutationTest, HeadersToAddValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.headers_to_add = {{"foo", invalid_value_}}; + testResponse(response); +} + +// headers_to_set is also used when the authz response has status denied. +TEST_F(InvalidMutationTest, HeadersToSetValueDenied) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::Denied; + response.headers_to_set = {{"foo", invalid_value_}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, HeadersToAppendValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.headers_to_append = {{"foo", invalid_value_}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToAddValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + // Add a valid header to see if it gets added to the downstream response. + response.response_headers_to_set = {{"foo", invalid_value_}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToSetValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + // Add a valid header to see if it gets added to the downstream response. + response.response_headers_to_set = {{"foo", invalid_value_}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToAddIfAbsentValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + // Add a valid header to see if it gets added to the downstream response. + response.response_headers_to_add_if_absent = {{"foo", invalid_value_}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, ResponseHeadersToOverwriteIfExistsValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + // Add a valid header to see if it gets added to the downstream response. + response.response_headers_to_overwrite_if_exists = {{"foo", invalid_value_}}; + testResponse(response); +} + +TEST_F(InvalidMutationTest, QueryParametersToSetValue) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + // Add a valid header to see if it gets added to the downstream response. + response.query_parameters_to_set = {{"foo", "b a r"}}; + testResponse(response); +} + struct DecoderHeaderMutationRulesTestOpts { absl::optional rules; bool expect_reject_response = false; @@ -839,55 +824,68 @@ TEST_F(DecoderHeaderMutationRulesTest, DisallowAll) { runTest(opts); } -// Consolidated rejection test that covers all the scenarios previously tested individually. -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseOperations) { - // Test data structure for all rejection scenarios - struct TestCase { - std::string name; - bool use_disallow_all; - std::function setup_func; - }; +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAdd) { + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + opts.rules->mutable_disallow_all()->set_value(true); + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; - std::vector test_cases = { - {"RejectResponseAdd", true, - [](DecoderHeaderMutationRulesTestOpts& opts) { - opts.disallowed_headers_to_add = {{"cant-add-me", "sad"}}; - }}, - {"RejectResponseAppend", true, - [](DecoderHeaderMutationRulesTestOpts& opts) { - opts.disallowed_headers_to_append = {{"cant-append-to-me", "fail"}}; - }}, - {"RejectResponseAppendPseudoheader", false, - [](DecoderHeaderMutationRulesTestOpts& opts) { - opts.disallowed_headers_to_append = {{":fake-pseudo-header", "fail"}}; - }}, - {"RejectResponseSet", true, - [](DecoderHeaderMutationRulesTestOpts& opts) { - opts.disallowed_headers_to_set = {{"cant-override-me", "nope"}}; - }}, - {"RejectResponseRemove", true, - [](DecoderHeaderMutationRulesTestOpts& opts) { - opts.disallowed_headers_to_remove = {"cant-delete-me"}; - }}, - {"RejectResponseRemovePseudoHeader", false, [](DecoderHeaderMutationRulesTestOpts& opts) { - opts.disallowed_headers_to_remove = {":fake-pseudo-header"}; - }}}; - - // Run all test cases - for (const auto& test_case : test_cases) { - SCOPED_TRACE(test_case.name); - - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - if (test_case.use_disallow_all) { - opts.rules->mutable_disallow_all()->set_value(true); - } - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; + opts.disallowed_headers_to_add = {{"cant-add-me", "sad"}}; + runTest(opts); +} - test_case.setup_func(opts); - runTest(opts); - } +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAppend) { + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + opts.rules->mutable_disallow_all()->set_value(true); + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; + + opts.disallowed_headers_to_append = {{"cant-append-to-me", "fail"}}; + runTest(opts); +} + +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAppendPseudoheader) { + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; + + opts.disallowed_headers_to_append = {{":fake-pseudo-header", "fail"}}; + runTest(opts); +} + +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseSet) { + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + opts.rules->mutable_disallow_all()->set_value(true); + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; + + opts.disallowed_headers_to_set = {{"cant-override-me", "nope"}}; + runTest(opts); +} + +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseRemove) { + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + opts.rules->mutable_disallow_all()->set_value(true); + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; + + opts.disallowed_headers_to_remove = {"cant-delete-me"}; + runTest(opts); +} + +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseRemovePseudoHeader) { + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; + + opts.disallowed_headers_to_remove = {":fake-pseudo-header"}; + runTest(opts); } TEST_F(DecoderHeaderMutationRulesTest, DisallowExpression) { @@ -2830,20 +2828,19 @@ TEST_P(HttpFilterTestParam, ContextExtensions) { // Test that filter can be disabled with route config. TEST_P(HttpFilterTestParam, DisabledOnRoute) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - std::unique_ptr auth_per_route = - std::make_unique(settings); + FilterConfigPerRoute auth_per_route(settings); prepareCheck(); + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(&auth_per_route)); + auto test_disable = [&](bool disabled) { initialize(""); // Set disabled settings.set_disabled(disabled); // Initialize the route's per filter config. - auth_per_route = std::make_unique(settings); - // Update the mock to return the new pointer - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(auth_per_route.get())); + auth_per_route = FilterConfigPerRoute(settings); }; // baseline: make sure that when not disabled, check is called @@ -2864,8 +2861,10 @@ TEST_P(HttpFilterTestParam, DisabledOnRoute) { // Test that filter can be disabled with route config. TEST_P(HttpFilterTestParam, DisabledOnRouteWithRequestBody) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - std::unique_ptr auth_per_route = - std::make_unique(settings); + FilterConfigPerRoute auth_per_route(settings); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(&auth_per_route)); auto test_disable = [&](bool disabled) { initialize(R"EOF( @@ -2881,10 +2880,7 @@ TEST_P(HttpFilterTestParam, DisabledOnRouteWithRequestBody) { // Set the filter disabled setting. settings.set_disabled(disabled); // Initialize the route's per filter config. - auth_per_route = std::make_unique(settings); - // Update the mock to return the new pointer. - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(auth_per_route.get())); + auth_per_route = FilterConfigPerRoute(settings); }; test_disable(false); @@ -3918,31 +3914,6 @@ TEST_F(HttpFilterTest, PerRouteCheckSettingsWorks) { } // Checks that the per-route filter can override the check_settings set on the main filter. -TEST_F(HttpFilterTest, NullRouteSkipsCheck) { - initialize(R"EOF( - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_server" - failure_mode_allow: false - stat_prefix: "ext_authz" - )EOF"); - - prepareCheck(); - - // Set up a null route return value. - ON_CALL(decoder_filter_callbacks_, route()).WillByDefault(Return(nullptr)); - - // With null route, no authorization check should be performed. - EXPECT_CALL(*client_, check(_, _, _, _)).Times(0); - - // Call the filter directly. - Http::TestRequestHeaderMapImpl request_headers{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; - - // With null route, the filter should continue without an auth check. - EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, false)); -} - TEST_F(HttpFilterTest, PerRouteCheckSettingsOverrideWorks) { InSequence s; @@ -4004,8 +3975,10 @@ TEST_F(HttpFilterTest, PerRouteCheckSettingsOverrideWorks) { // Verify that request body buffering can be skipped per route. TEST_P(HttpFilterTestParam, DisableRequestBodyBufferingOnRoute) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - std::unique_ptr auth_per_route = - std::make_unique(settings); + FilterConfigPerRoute auth_per_route(settings); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(&auth_per_route)); auto test_disable_request_body_buffering = [&](bool bypass) { initialize(R"EOF( @@ -4021,10 +3994,7 @@ TEST_P(HttpFilterTestParam, DisableRequestBodyBufferingOnRoute) { // Set bypass request body buffering for this route. settings.mutable_check_settings()->set_disable_request_body_buffering(bypass); // Initialize the route's per filter config. - auth_per_route = std::make_unique(settings); - // Update the mock to return the new pointer. - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(auth_per_route.get())); + auth_per_route = FilterConfigPerRoute(settings); }; test_disable_request_body_buffering(false); @@ -4189,801 +4159,6 @@ TEST_P(EmitFilterStateTest, PreexistingFilterStateSameTypeMutable) { TEST_P(ExtAuthzLoggingInfoTest, FieldTest) { test(); } -// Test per-route gRPC service override with null server context (fallback to default client) -TEST_P(HttpFilterTestParam, PerRouteGrpcServiceOverrideWithNullServerContext) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - per-route gRPC service only applies to gRPC clients - return; - } - - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("per_route_ext_authz_cluster"); - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - // Set up route to return per-route config - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(per_route_filter_config.get())); - - prepareCheck(); - - // Mock the default client check call (should fall back to default since server context is null) - EXPECT_CALL(*client_, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, - const StreamInfo::StreamInfo&) -> void { - Filters::Common::ExtAuthz::Response response{}; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::make_unique(response)); - })); - - EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0); - EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); -} - -// Test per-route configuration merging with context extensions -TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithContextExtensions) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - configuration merging applies to gRPC clients - return; - } - - // Create base configuration with context extensions - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - base_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"base_key", "base_value"}); - base_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "base_shared_value"}); - - // Create more specific configuration with context extensions - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; - specific_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"specific_key", "specific_value"}); - specific_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "specific_shared_value"}); - - // Test merging using the merge constructor - FilterConfigPerRoute base_filter_config(base_config); - FilterConfigPerRoute specific_filter_config(specific_config); - FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); - - // Verify merged context extensions - const auto& merged_extensions = merged_config.contextExtensions(); - EXPECT_EQ(merged_extensions.size(), 3); - EXPECT_EQ(merged_extensions.at("base_key"), "base_value"); - EXPECT_EQ(merged_extensions.at("specific_key"), "specific_value"); - EXPECT_EQ(merged_extensions.at("shared_key"), "specific_shared_value"); // More specific wins -} - -// Test per-route configuration merging with gRPC service override -TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithGrpcServiceOverride) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - gRPC service override applies to gRPC clients - return; - } - - // Create base configuration without gRPC service - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - base_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"base_key", "base_value"}); - - // Create more specific configuration with gRPC service - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; - specific_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("specific_cluster"); - specific_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"specific_key", "specific_value"}); - - // Test merging using the merge constructor - FilterConfigPerRoute base_filter_config(base_config); - FilterConfigPerRoute specific_filter_config(specific_config); - FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); - - // Verify gRPC service override is from more specific config - EXPECT_TRUE(merged_config.grpcService().has_value()); - EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "specific_cluster"); - - // Verify context extensions are merged - const auto& merged_extensions = merged_config.contextExtensions(); - EXPECT_EQ(merged_extensions.size(), 2); - EXPECT_EQ(merged_extensions.at("base_key"), "base_value"); - EXPECT_EQ(merged_extensions.at("specific_key"), "specific_value"); -} - -// Test per-route configuration merging with request body settings -TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithRequestBodySettings) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - request body settings apply to gRPC clients - return; - } - - // Create base configuration with request body settings - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - base_config.mutable_check_settings()->mutable_with_request_body()->set_max_request_bytes(1000); - base_config.mutable_check_settings()->mutable_with_request_body()->set_allow_partial_message( - true); - - // Create more specific configuration with different request body settings - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; - specific_config.mutable_check_settings()->mutable_with_request_body()->set_max_request_bytes( - 2000); - specific_config.mutable_check_settings()->mutable_with_request_body()->set_allow_partial_message( - false); - - // Test merging using the merge constructor - FilterConfigPerRoute base_filter_config(base_config); - FilterConfigPerRoute specific_filter_config(specific_config); - FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); - - // Verify request body settings are from more specific config - const auto& merged_check_settings = merged_config.checkSettings(); - EXPECT_TRUE(merged_check_settings.has_with_request_body()); - EXPECT_EQ(merged_check_settings.with_request_body().max_request_bytes(), 2000); - EXPECT_EQ(merged_check_settings.with_request_body().allow_partial_message(), false); -} - -// Test per-route configuration merging with disable_request_body_buffering -TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithDisableRequestBodyBuffering) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - disable request body buffering applies to gRPC clients - return; - } - - // Create base configuration without disable_request_body_buffering - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - base_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"base_key", "base_value"}); - - // Create more specific configuration with disable_request_body_buffering - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; - specific_config.mutable_check_settings()->set_disable_request_body_buffering(true); - - // Test merging using the merge constructor - FilterConfigPerRoute base_filter_config(base_config); - FilterConfigPerRoute specific_filter_config(specific_config); - FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); - - // Verify disable_request_body_buffering is from more specific config - const auto& merged_check_settings = merged_config.checkSettings(); - EXPECT_TRUE(merged_check_settings.disable_request_body_buffering()); -} - -// Test per-route configuration merging with multiple levels -TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingMultipleLevels) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - configuration merging applies to gRPC clients - return; - } - - // Create virtual host level configuration - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute vh_config; - vh_config.mutable_check_settings()->mutable_context_extensions()->insert({"vh_key", "vh_value"}); - vh_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "vh_shared_value"}); - - // Create route level configuration - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute route_config; - route_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"route_key", "route_value"}); - route_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "route_shared_value"}); - route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("route_cluster"); - - // Create weighted cluster level configuration - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute wc_config; - wc_config.mutable_check_settings()->mutable_context_extensions()->insert({"wc_key", "wc_value"}); - wc_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "wc_shared_value"}); - - // Test merging from least specific to most specific - FilterConfigPerRoute vh_filter_config(vh_config); - FilterConfigPerRoute route_filter_config(route_config); - FilterConfigPerRoute wc_filter_config(wc_config); - - // First merge: vh + route - FilterConfigPerRoute vh_route_merged(vh_filter_config, route_filter_config); - - // Second merge: (vh + route) + weighted cluster - FilterConfigPerRoute final_merged(vh_route_merged, wc_filter_config); - - // Verify final merged context extensions - const auto& merged_extensions = final_merged.contextExtensions(); - EXPECT_EQ(merged_extensions.size(), 4); - EXPECT_EQ(merged_extensions.at("vh_key"), "vh_value"); - EXPECT_EQ(merged_extensions.at("route_key"), "route_value"); - EXPECT_EQ(merged_extensions.at("wc_key"), "wc_value"); - EXPECT_EQ(merged_extensions.at("shared_key"), "wc_shared_value"); // Most specific wins - - // Verify gRPC service override is NOT inherited from less specific levels. - EXPECT_FALSE(final_merged.grpcService().has_value()); -} - -// Test per-route context extensions take precedence over check_settings context extensions. -TEST_P(HttpFilterTestParam, PerRouteContextExtensionsPrecedence) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test as context extensions apply to gRPC clients. - return; - } - - // Create configuration with context extensions in both places. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - base_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"check_key", "check_value"}); - base_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "check_shared_value"}); - - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; - specific_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"specific_check_key", "specific_check_value"}); - specific_config.mutable_check_settings()->mutable_context_extensions()->insert( - {"shared_key", "specific_check_shared_value"}); - - // Test merging using the merge constructor. - FilterConfigPerRoute base_filter_config(base_config); - FilterConfigPerRoute specific_filter_config(specific_config); - FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); - - // Verify context extensions are properly merged. - const auto& merged_extensions = merged_config.contextExtensions(); - EXPECT_EQ(merged_extensions.size(), 3); - EXPECT_EQ(merged_extensions.at("check_key"), "check_value"); - EXPECT_EQ(merged_extensions.at("specific_check_key"), "specific_check_value"); - EXPECT_EQ(merged_extensions.at("shared_key"), - "specific_check_shared_value"); // More specific wins -} - -// Test per-route Google gRPC service configuration. -TEST_P(HttpFilterTestParam, PerRouteGoogleGrpcServiceConfiguration) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. - return; - } - - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_google_grpc() - ->set_target_uri("https://ext-authz.googleapis.com"); - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - // Verify Google gRPC service is properly configured - EXPECT_TRUE(per_route_filter_config->grpcService().has_value()); - EXPECT_TRUE(per_route_filter_config->grpcService().value().has_google_grpc()); - EXPECT_EQ(per_route_filter_config->grpcService().value().google_grpc().target_uri(), - "https://ext-authz.googleapis.com"); -} - -// Test existing functionality still works with new logic. -TEST_P(HttpFilterTestParam, ExistingFunctionalityWithNewLogic) { - // Test that the existing functionality still works with our new per-route merging logic. - prepareCheck(); - - // Mock the default client check call (no per-route config). - EXPECT_CALL(*client_, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, - const StreamInfo::StreamInfo&) -> void { - Filters::Common::ExtAuthz::Response response{}; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::make_unique(response)); - })); - - EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0); - EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); -} - -// Test per-route configuration merging with empty configurations. -TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithEmptyConfigurations) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test as configuration merging applies to gRPC clients. - return; - } - - // Create empty base configuration. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - - // Create empty specific configuration. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; - - // Test merging using the merge constructor. - FilterConfigPerRoute base_filter_config(base_config); - FilterConfigPerRoute specific_filter_config(specific_config); - FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); - - // Verify merged configuration has empty context extensions. - const auto& merged_extensions = merged_config.contextExtensions(); - EXPECT_EQ(merged_extensions.size(), 0); - - // Verify no gRPC service override - EXPECT_FALSE(merged_config.grpcService().has_value()); -} - -// Test per-route gRPC service configuration merging functionality. -TEST_P(HttpFilterTestParam, PerRouteGrpcServiceMergingWithBaseConfiguration) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. - return; - } - - // Create base per-route configuration. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; - (*base_config.mutable_check_settings()->mutable_context_extensions())["base"] = "value"; - FilterConfigPerRoute base_filter_config(base_config); - - // Create per-route configuration with gRPC service. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("per_route_cluster"); - (*per_route_config.mutable_check_settings()->mutable_context_extensions())["route"] = "override"; - - // Test merging constructor. - FilterConfigPerRoute merged_config(base_filter_config, per_route_config); - - // Verify the merged configuration has the gRPC service from the per-route config. - EXPECT_TRUE(merged_config.grpcService().has_value()); - EXPECT_TRUE(merged_config.grpcService().value().has_envoy_grpc()); - EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "per_route_cluster"); - - // Verify that context extensions are properly merged. - const auto& merged_settings = merged_config.checkSettings(); - EXPECT_TRUE(merged_settings.context_extensions().contains("route")); - EXPECT_EQ(merged_settings.context_extensions().at("route"), "override"); -} - -// Test focused integration test to verify per-route configuration is processed correctly. -TEST_P(HttpFilterTestParam, PerRouteConfigurationIntegrationTest) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - per-route gRPC service only applies to gRPC clients. - return; - } - - // This test covers the per-route configuration processing in initiateCall - // which exercises the lines where getAllPerFilterConfig is called and processed. - - // Set up per-route configuration with gRPC service override - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("per_route_cluster"); - - // Add context extensions to test that path too. - (*per_route_config.mutable_check_settings()->mutable_context_extensions())["test_key"] = - "test_value"; - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - // Mock decoder callbacks to return per-route config. - ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) - .WillByDefault(Return(per_route_filter_config.get())); - - // Mock perFilterConfigs to return the per-route config vector. - Router::RouteSpecificFilterConfigs per_route_configs; - per_route_configs.push_back(per_route_filter_config.get()); - ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); - - // Set up basic request headers. - Http::TestRequestHeaderMapImpl headers{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "https"}, {"host", "example.com"}}; - - prepareCheck(); - - // Mock client check to capture and verify the check request has proper context extensions. - EXPECT_CALL(*client_, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest& check_request, - Tracing::Span&, const StreamInfo::StreamInfo&) -> void { - // Verify that per-route context extensions were merged correctly - auto context_extensions = check_request.attributes().context_extensions(); - EXPECT_TRUE(context_extensions.contains("test_key")); - EXPECT_EQ(context_extensions.at("test_key"), "test_value"); - - // Return OK to complete the test - auto response = std::make_unique(); - response->status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::move(response)); - })); - - // This exercises the per-route configuration processing logic which includes - // the getAllPerFilterConfig call and per-route gRPC service detection. - EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, true)); -} - -// Test per-route gRPC client creation and usage. -TEST_P(HttpFilterTestParam, PerRouteGrpcClientCreationAndUsage) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. - return; - } - - // Create per-route configuration with valid gRPC service. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("per_route_ext_authz_cluster"); - - // Add context extensions to test merging. - (*per_route_config.mutable_check_settings()->mutable_context_extensions())["test_key"] = - "test_value"; - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - // Set up route to return per-route config. - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(per_route_filter_config.get())); - - // Mock perFilterConfigs to return the per-route config vector which exercises - // getAllPerFilterConfig. - Router::RouteSpecificFilterConfigs per_route_configs; - per_route_configs.push_back(per_route_filter_config.get()); - ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); - - prepareCheck(); - - // Create a filter with server context for per-route gRPC client creation. - auto new_client = std::make_unique(); - auto* new_client_ptr = new_client.get(); - auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); - new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); - - // Mock successful gRPC async client manager access. - auto mock_grpc_client_manager = std::make_shared(); - ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); - ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); - - // Mock successful raw gRPC client creation which exercises createPerRouteGrpcClient. - auto mock_raw_grpc_client = std::make_shared(); - EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) - .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); - - // Set up expectations for the sendRaw call that will be made by the GrpcClientImpl. - EXPECT_CALL(*mock_raw_grpc_client, sendRaw(_, _, _, _, _, _)) - .WillOnce( - Invoke([](absl::string_view /*service_full_name*/, absl::string_view /*method_name*/, - Buffer::InstancePtr&& /*request*/, Grpc::RawAsyncRequestCallbacks& callbacks, - Tracing::Span& parent_span, - const Http::AsyncClient::RequestOptions& /*options*/) -> Grpc::AsyncRequest* { - envoy::service::auth::v3::CheckResponse check_response; - check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); - check_response.mutable_ok_response(); - - // Serialize the response to a buffer. - std::string serialized_response; - check_response.SerializeToString(&serialized_response); - auto response = std::make_unique(serialized_response); - - callbacks.onSuccessRaw(std::move(response), parent_span); - return nullptr; // No async request handle needed for immediate response. - })); - - // Since per-route gRPC client creation succeeds, the per-route client should be used - // instead of the default client. We won't see a call to new_client_ptr. - EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); - - EXPECT_EQ(Http::FilterHeadersStatus::Continue, - new_filter->decodeHeaders(request_headers_, false)); -} - -// Test per-route HTTP service configuration parsing. -TEST_P(HttpFilterTestParam, PerRouteHttpServiceConfigurationParsing) { - if (!std::get<1>(GetParam())) { - // Skip gRPC client test as per-route HTTP service only applies to HTTP clients. - return; - } - - // Create per-route configuration with valid HTTP service. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings()->mutable_http_service()->mutable_server_uri()->set_uri( - "https://per-route-ext-authz.example.com"); - per_route_config.mutable_check_settings() - ->mutable_http_service() - ->mutable_server_uri() - ->set_cluster("per_route_http_cluster"); - per_route_config.mutable_check_settings()->mutable_http_service()->set_path_prefix( - "/api/v2/auth"); - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - // Verify the per-route HTTP service configuration is correctly parsed - EXPECT_TRUE(per_route_filter_config->httpService().has_value()); - EXPECT_FALSE(per_route_filter_config->grpcService().has_value()); - - const auto& http_service = per_route_filter_config->httpService().value(); - EXPECT_EQ(http_service.server_uri().uri(), "https://per-route-ext-authz.example.com"); - EXPECT_EQ(http_service.server_uri().cluster(), "per_route_http_cluster"); - EXPECT_EQ(http_service.path_prefix(), "/api/v2/auth"); -} - -// Test error handling when server context is not available for per-route gRPC client. -TEST_P(HttpFilterTestParam, PerRouteGrpcClientCreationNoServerContext) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test - per-route gRPC service only applies to gRPC clients. - return; - } - - // Create per-route configuration with gRPC service. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings() - ->mutable_grpc_service() - ->mutable_envoy_grpc() - ->set_cluster_name("per_route_grpc_cluster"); - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(per_route_filter_config.get())); - - Router::RouteSpecificFilterConfigs per_route_configs; - per_route_configs.push_back(per_route_filter_config.get()); - ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); - - prepareCheck(); - - // Create filter without server context. This should cause per-route client creation to fail. - auto new_client = std::make_unique(); - auto* new_client_ptr = new_client.get(); - auto new_filter = std::make_unique(config_, std::move(new_client)); // No server context - new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); - - // Since per-route client creation fails (no server context), should fall back to default client. - EXPECT_CALL(*new_client_ptr, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, - const StreamInfo::StreamInfo&) -> void { - // Verify this is using the default client. - auto response = std::make_unique(); - response->status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::move(response)); - })); - - Http::TestRequestHeaderMapImpl request_headers_{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; - - EXPECT_EQ(Http::FilterHeadersStatus::Continue, - new_filter->decodeHeaders(request_headers_, false)); -} - -// Test error handling when server context is not available for per-route HTTP client. -TEST_P(HttpFilterTestParam, PerRouteHttpClientCreationNoServerContext) { - if (!std::get<1>(GetParam())) { - // Skip gRPC client test as per-route HTTP service only applies to HTTP clients. - return; - } - - // Create per-route configuration with HTTP service. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - per_route_config.mutable_check_settings()->mutable_http_service()->mutable_server_uri()->set_uri( - "https://per-route-ext-authz.example.com"); - per_route_config.mutable_check_settings() - ->mutable_http_service() - ->mutable_server_uri() - ->set_cluster("per_route_http_cluster"); - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(per_route_filter_config.get())); - - Router::RouteSpecificFilterConfigs per_route_configs; - per_route_configs.push_back(per_route_filter_config.get()); - ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); - - prepareCheck(); - - // Create filter without server context. - auto new_client = std::make_unique(); - auto* new_client_ptr = new_client.get(); - auto new_filter = std::make_unique(config_, std::move(new_client)); // No server context - new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); - - // Since per-route client creation fails, should fall back to default client. - EXPECT_CALL(*new_client_ptr, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, - const StreamInfo::StreamInfo&) -> void { - auto response = std::make_unique(); - response->status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::move(response)); - })); - - Http::TestRequestHeaderMapImpl request_headers_{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; - - EXPECT_EQ(Http::FilterHeadersStatus::Continue, - new_filter->decodeHeaders(request_headers_, false)); -} - -// Test gRPC client error handling for per-route config. -TEST_F(HttpFilterTest, GrpcClientPerRouteError) { - // Initialize with gRPC client configuration. - initialize(R"EOF( - grpc_service: - envoy_grpc: - cluster_name: "ext_authz_server" - failure_mode_allow: false - stat_prefix: "ext_authz" - )EOF"); - - prepareCheck(); - - // Create per-route configuration with gRPC service override. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - auto* grpc_service = per_route_config.mutable_check_settings()->mutable_grpc_service(); - grpc_service->mutable_envoy_grpc()->set_cluster_name("nonexistent_cluster"); - - FilterConfigPerRoute per_route_filter_config(per_route_config); - - // Set up route config to use the per-route configuration. - ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) - .WillByDefault(Return(&per_route_filter_config)); - - // Since cluster doesn't exist, per-route client creation should fail - // and we'll use the default client instead. - EXPECT_CALL(*client_, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, - const StreamInfo::StreamInfo&) -> void { - Filters::Common::ExtAuthz::Response response{}; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::make_unique(response)); - })); - - // Verify filter processes the request with the default client. - Http::TestRequestHeaderMapImpl request_headers{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; - - EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); -} - -// Test HTTP client with per-route configuration. -TEST_F(HttpFilterTest, HttpClientPerRouteOverride) { - // Initialize with HTTP client configuration. - initialize(R"EOF( - http_service: - server_uri: - uri: "https://ext-authz.example.com" - cluster: "ext_authz_server" - path_prefix: "/api/v1/auth" - failure_mode_allow: false - stat_prefix: "ext_authz" - )EOF"); - - prepareCheck(); - - // Create per-route configuration with HTTP service override. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - auto* http_service = per_route_config.mutable_check_settings()->mutable_http_service(); - http_service->mutable_server_uri()->set_uri("https://per-route-ext-authz.example.com"); - http_service->mutable_server_uri()->set_cluster("per_route_http_cluster"); - http_service->set_path_prefix("/api/v2/auth"); - - FilterConfigPerRoute per_route_filter_config(per_route_config); - - // Set up route config to use the per-route configuration. - ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) - .WillByDefault(Return(&per_route_filter_config)); - - // Set up a check expectation that will be satisfied by the default client. - EXPECT_CALL(*client_, check(_, _, _, _)) - .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, - const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, - const StreamInfo::StreamInfo&) -> void { - Filters::Common::ExtAuthz::Response response{}; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - callbacks.onComplete(std::make_unique(response)); - })); - - // Verify filter processes the request. - Http::TestRequestHeaderMapImpl request_headers{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; - - EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); -} - -// Test invalid response header validation via response_headers_to_add. -TEST_F(InvalidMutationTest, InvalidResponseHeadersToAddName) { - Filters::Common::ExtAuthz::Response r; - r.status = Filters::Common::ExtAuthz::CheckStatus::OK; - r.response_headers_to_add = {{"invalid header name", "value"}}; - testResponse(r); -} - -// Test invalid response header validation via response_headers_to_add value. -TEST_F(InvalidMutationTest, InvalidResponseHeadersToAddValue) { - Filters::Common::ExtAuthz::Response r; - r.status = Filters::Common::ExtAuthz::CheckStatus::OK; - r.response_headers_to_add = {{"valid-name", getInvalidValue()}}; - testResponse(r); -} - -// Test per-route timeout configuration is correctly used in gRPC client creation. -TEST_P(HttpFilterTestParam, PerRouteGrpcClientTimeoutConfiguration) { - if (std::get<1>(GetParam())) { - // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. - return; - } - - // Create per-route configuration with custom timeout. - envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; - auto* grpc_service = per_route_config.mutable_check_settings()->mutable_grpc_service(); - grpc_service->mutable_envoy_grpc()->set_cluster_name("per_route_grpc_cluster"); - grpc_service->mutable_timeout()->set_seconds(30); // Custom 30s timeout - - std::unique_ptr per_route_filter_config = - std::make_unique(per_route_config); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(per_route_filter_config.get())); - - Router::RouteSpecificFilterConfigs per_route_configs; - per_route_configs.push_back(per_route_filter_config.get()); - ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); - - prepareCheck(); - - auto new_client = std::make_unique(); - auto* new_client_ptr = new_client.get(); - auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); - new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); - - // Mock gRPC client manager. - auto mock_grpc_client_manager = std::make_shared(); - ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); - ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); - - auto mock_raw_grpc_client = std::make_shared(); - EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) - .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); - - // Mock the sendRaw call and verify the timeout is used correctly. - EXPECT_CALL(*mock_raw_grpc_client, sendRaw(_, _, _, _, _, _)) - .WillOnce(Invoke([](absl::string_view, absl::string_view, Buffer::InstancePtr&&, - Grpc::RawAsyncRequestCallbacks& callbacks, Tracing::Span& parent_span, - const Http::AsyncClient::RequestOptions& options) -> Grpc::AsyncRequest* { - // Verify that the timeout from the per-route config is used (30s = 30000ms) - EXPECT_TRUE(options.timeout.has_value()); - EXPECT_EQ(options.timeout->count(), 30000); - - envoy::service::auth::v3::CheckResponse check_response; - check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); - check_response.mutable_ok_response(); - - std::string serialized_response; - check_response.SerializeToString(&serialized_response); - auto response = std::make_unique(serialized_response); - - callbacks.onSuccessRaw(std::move(response), parent_span); - return nullptr; - })); - - EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); - - Http::TestRequestHeaderMapImpl request_headers_{ - {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; - - EXPECT_EQ(Http::FilterHeadersStatus::Continue, - new_filter->decodeHeaders(request_headers_, false)); -} - } // namespace } // namespace ExtAuthz } // namespace HttpFilters From bcd41362388b0e3f0f5204e61563737a14d88138 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 02:13:22 +0000 Subject: [PATCH 284/505] revert reverse_conn_force_local_reply to runtime guard Signed-off-by: Basundhara Chakrabarty --- envoy/http/filter.h | 5 ----- source/common/http/async_client_impl.h | 5 ----- source/common/http/filter_manager.cc | 8 +++----- source/common/http/filter_manager.h | 4 ---- source/common/runtime/runtime_features.cc | 2 ++ source/common/tcp_proxy/tcp_proxy.h | 1 - test/mocks/http/mocks.h | 1 - 7 files changed, 5 insertions(+), 21 deletions(-) diff --git a/envoy/http/filter.h b/envoy/http/filter.h index 87ad8d711ef7e..8c79afcaf84d8 100644 --- a/envoy/http/filter.h +++ b/envoy/http/filter.h @@ -833,11 +833,6 @@ class StreamDecoderFilterCallbacks : public virtual StreamFilterCallbacks { * @return true if the filter should shed load based on the system pressure, typically memory. */ virtual bool shouldLoadShed() const PURE; - - /** - * @return set a flag to send a local reply immediately for reverse connections. - */ - virtual void setReverseConnForceLocalReply(bool value) PURE; }; /** diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h index 7110c4db5a190..eedb6e17ad4fc 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h @@ -155,11 +155,6 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, const StreamInfo::StreamInfo& streamInfo() const override { return stream_info_; } StreamInfo::StreamInfoImpl& streamInfo() override { return stream_info_; } - void setReverseConnForceLocalReply(bool value) override { - ENVOY_LOG(error, "Cannot set value {}. AsyncStreamImpl does not support reverse connection.", - value); - } - protected: AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCallbacks& callbacks, const AsyncClient::StreamOptions& options, absl::Status& creation_status); diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc index 590a04c7ae1ee..91f9f27a2e6c0 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc @@ -12,6 +12,7 @@ #include "source/common/http/header_map_impl.h" #include "source/common/http/header_utility.h" #include "source/common/http/utility.h" +#include "source/common/runtime/runtime_features.h" #include "matching/data_impl.h" @@ -469,10 +470,6 @@ void ActiveStreamDecoderFilter::modifyDecodingBuffer( callback(*parent_.buffered_request_data_.get()); } -void ActiveStreamDecoderFilter::setReverseConnForceLocalReply(bool value) { - parent_.setReverseConnForceLocalReply(value); -} - void ActiveStreamDecoderFilter::sendLocalReply( Code code, absl::string_view body, std::function modify_headers, @@ -1032,7 +1029,8 @@ void DownstreamFilterManager::sendLocalReply( // send local replies immediately rather than queuing them. This ensures proper handling of the // reversed connection flow and prevents potential issues with connection state and filter chain // processing. - if (!reverse_conn_force_local_reply_ && + if (!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.reverse_conn_force_local_reply") && (state_.filter_call_state_ & FilterCallState::IsDecodingMask)) { prepareLocalReplyViaFilterChain(is_grpc_request, code, body, modify_headers, is_head_request, grpc_status, details); diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h index 26dc4d6cc69ba..5f1b179e91fc8 100644 --- a/source/common/http/filter_manager.h +++ b/source/common/http/filter_manager.h @@ -319,8 +319,6 @@ struct ActiveStreamDecoderFilter : public ActiveStreamFilterBase, void stopDecodingIfNonTerminalFilterEncodedEndStream(bool encoded_end_stream); StreamDecoderFilters::Iterator entry() const { return entry_; } - void setReverseConnForceLocalReply(bool value) override; - StreamDecoderFilterSharedPtr handle_; StreamDecoderFilters::Iterator entry_; bool is_grpc_request_{}; @@ -907,7 +905,6 @@ class FilterManager : public ScopeTrackedObject, bool sawDownstreamReset() { return state_.saw_downstream_reset_; } virtual bool shouldLoadShed() { return false; }; - void setReverseConnForceLocalReply(bool value) { reverse_conn_force_local_reply_ = value; } void sendGoAwayAndClose() { // Stop filter chain iteration by checking encoder or decoder chain. @@ -1105,7 +1102,6 @@ class FilterManager : public ScopeTrackedObject, const uint64_t stream_id_; Buffer::BufferMemoryAccountSharedPtr account_; const bool proxy_100_continue_; - bool reverse_conn_force_local_reply_{false}; StreamDecoderFilters decoder_filters_; StreamEncoderFilters encoder_filters_; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 9f594e0cc89da..c756a59fc2d59 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -167,6 +167,8 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_no_ai_flags); // take over the split ones, and will be used as a base for the // implementation of on-demand DNS. FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_new_dns_implementation); +// Force a local reply from upstream envoy for reverse connections. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_reverse_conn_force_local_reply); // Block of non-boolean flags. Use of int flags is deprecated. Do not add more. ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT diff --git a/source/common/tcp_proxy/tcp_proxy.h b/source/common/tcp_proxy/tcp_proxy.h index bc91bb2b21106..d475e0de6f057 100644 --- a/source/common/tcp_proxy/tcp_proxy.h +++ b/source/common/tcp_proxy/tcp_proxy.h @@ -583,7 +583,6 @@ class Filter : public Network::ReadFilter, DUMP_DETAILS(parent_->getStreamInfo().upstreamInfo()); } - void setReverseConnForceLocalReply(bool) override {} Filter* parent_{}; Http::RequestTrailerMapPtr request_trailer_map_; std::shared_ptr route_; diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index d8b9a12f258da..88ef777490e26 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -341,7 +341,6 @@ class MockStreamDecoderFilterCallbacks : public StreamDecoderFilterCallbacks, MOCK_METHOD(absl::optional, upstreamOverrideHost, (), (const)); MOCK_METHOD(bool, shouldLoadShed, (), (const)); - MOCK_METHOD(void, setReverseConnForceLocalReply, (bool)); Buffer::InstancePtr buffer_; std::list callbacks_; From 2ddc85381b0b3665caf8df4c9fe680e7c3e7d42e Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 03:07:38 +0000 Subject: [PATCH 285/505] remove moveSocket() API Signed-off-by: Basundhara Chakrabarty --- envoy/network/connection.h | 9 --- source/common/network/connection_impl.cc | 62 +++---------------- source/common/network/connection_impl.h | 7 +-- .../network/multi_connection_base_impl.h | 1 - .../quic_filter_manager_connection_impl.h | 1 - .../default_api_listener/api_listener_impl.h | 1 - test/common/network/connection_impl_test.cc | 17 ----- .../multi_connection_base_impl_test.cc | 23 +++---- ...uic_filter_manager_connection_impl_test.cc | 2 - test/mocks/network/connection.h | 1 - 10 files changed, 17 insertions(+), 107 deletions(-) diff --git a/envoy/network/connection.h b/envoy/network/connection.h index 5928cc7eafa4c..754fbc8c12614 100644 --- a/envoy/network/connection.h +++ b/envoy/network/connection.h @@ -342,15 +342,6 @@ class Connection : public Event::DeferredDeletable, */ virtual bool aboveHighWatermark() const PURE; - /** - * Transfers ownership of the connection socket to the caller. This should only be called when - * the connection is marked as reused. The connection will be cleaned up but the socket will - * not be closed. - * - * @return ConnectionSocketPtr The connection socket. - */ - virtual ConnectionSocketPtr moveSocket() PURE; - /** * @return ConnectionSocketPtr& To get socket from current connection. */ diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index b2c5198c79e9d..4a1dda33b1cd6 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -159,7 +159,7 @@ void ConnectionImpl::removeReadFilter(ReadFilterSharedPtr filter) { bool ConnectionImpl::initializeReadFilters() { return filter_manager_.initializeReadFilters(); } void ConnectionImpl::close(ConnectionCloseType type) { - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { ENVOY_CONN_LOG_EVENT(debug, "connection_closing", "Not closing conn, socket object is null or socket is not open", *this); return; @@ -188,7 +188,7 @@ void ConnectionImpl::close(ConnectionCloseType type) { } void ConnectionImpl::closeInternal(ConnectionCloseType type) { - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { return; } @@ -270,7 +270,7 @@ void ConnectionImpl::closeInternal(ConnectionCloseType type) { } Connection::State ConnectionImpl::state() const { - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { return State::Closed; } else if (inDelayedClose()) { return State::Closing; @@ -304,37 +304,6 @@ void ConnectionImpl::setDetectedCloseType(DetectedCloseType close_type) { detected_close_type_ = close_type; } -ConnectionSocketPtr ConnectionImpl::moveSocket() { - // ASSERT(isSocketReused()); - - // Clean up connection internals but don't close the socket. - // cleanUpConnectionImpl(); - - // Transfer socket ownership to the caller. - return std::move(socket_); -} - -// void ConnectionImpl::cleanUpConnectionImpl() { -// // No need for a delayed close now. -// if (delayed_close_timer_) { -// delayed_close_timer_->disableTimer(); -// delayed_close_timer_ = nullptr; -// } - -// // Drain input and output buffers. -// updateReadBufferStats(0, 0); -// updateWriteBufferStats(0, 0); - -// // Drain any remaining data from write buffer. -// write_buffer_->drain(write_buffer_->length()); - -// // Reset connection stats. -// connection_stats_.reset(); - -// // Notify listeners that the connection is closing but don't close the actual socket. -// ConnectionImpl::raiseEvent(ConnectionEvent::LocalClose); -// } - void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_action) { if (!socket_->isOpen()) { return; @@ -355,7 +324,7 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, static_cast(reuse_socket_)); - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); return; } @@ -402,10 +371,7 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { ENVOY_CONN_LOG(trace, "closeSocket: about to close socket, reuse_socket_={}", *this, static_cast(reuse_socket_)); if (!reuse_socket_) { - ENVOY_LOG_MISC(debug, "closeSocket:"); - ENVOY_CONN_LOG(trace, "closeSocket: calling socket_->close()", *this); socket_->close(); - ENVOY_CONN_LOG(trace, "closeSocket: socket_->close() completed", *this); } else { ENVOY_CONN_LOG(trace, "closeSocket: skipping socket close due to reuse_socket_=true", *this); return; @@ -428,7 +394,7 @@ void ConnectionImpl::noDelay(bool enable) { // invalid. For this call instead of plumbing through logic that will immediately indicate that a // connect failed, we will just ignore the noDelay() call if the socket is invalid since error is // going to be raised shortly anyway and it makes the calling code simpler. - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { return; } @@ -469,7 +435,7 @@ void ConnectionImpl::onRead(uint64_t read_buffer_size) { (enable_close_through_filter_manager_ && filter_manager_.pendingClose())) { return; } - ASSERT(socket_ != nullptr && socket_->isOpen()); + ASSERT(socket_->isOpen()); if (read_buffer_size == 0 && !read_end_stream_) { return; @@ -995,8 +961,6 @@ bool ConnectionImpl::setSocketOption(Network::SocketOptionName name, absl::Span< Api::SysCallIntResult result = SocketOptionImpl::setSocketOption(*socket_, name, value.data(), value.size()); if (result.return_value_ != 0) { - ENVOY_LOG_MISC(warn, "Setting option on socket failed, errno: {}, message: {}", result.errno_, - errorDetails(result.errno_)); return false; } @@ -1117,7 +1081,7 @@ ClientConnectionImpl::ClientConnectionImpl( false), stream_info_(dispatcher_.timeSource(), socket_->connectionInfoProviderSharedPtr(), StreamInfo::FilterState::LifeSpan::Connection) { - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { setFailureReason("socket creation failure"); // Set up the dispatcher to "close" the connection on the next loop after // the owner has a chance to add callbacks. @@ -1174,18 +1138,6 @@ ClientConnectionImpl::ClientConnectionImpl( } } -// Constructor to create "clientConnection" object from an existing socket. -ClientConnectionImpl::ClientConnectionImpl(Event::Dispatcher& dispatcher, - Network::TransportSocketPtr&& transport_socket, - Network::ConnectionSocketPtr&& downstream_socket) - : ConnectionImpl(dispatcher, std::move(downstream_socket), std::move(transport_socket), - stream_info_, false), - stream_info_(dispatcher.timeSource(), socket_->connectionInfoProviderSharedPtr(), - StreamInfo::FilterState::LifeSpan::Connection) { - - stream_info_.setUpstreamInfo(std::make_shared()); -} - void ClientConnectionImpl::connect() { ENVOY_CONN_LOG_EVENT(debug, "client_connection", "connecting to {}", *this, socket_->connectionInfoProvider().remoteAddress()->asString()); diff --git a/source/common/network/connection_impl.h b/source/common/network/connection_impl.h index 1a69d66c4f9ed..2a5dca6055bbc 100644 --- a/source/common/network/connection_impl.h +++ b/source/common/network/connection_impl.h @@ -62,12 +62,7 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback void removeReadFilter(ReadFilterSharedPtr filter) override; bool initializeReadFilters() override; - ConnectionSocketPtr moveSocket() override; - const ConnectionSocketPtr& getSocket() const override { - // socket is null if it has been moved. - RELEASE_ASSERT(socket_ != nullptr, "socket is null."); - return socket_; - } + const ConnectionSocketPtr& getSocket() const override { return socket_; } void setSocketReused(bool value) override { ENVOY_LOG_MISC(trace, "setSocketReused called with value={}", value); reuse_socket_ = value; diff --git a/source/common/network/multi_connection_base_impl.h b/source/common/network/multi_connection_base_impl.h index cc4686965cebc..54273a69398dc 100644 --- a/source/common/network/multi_connection_base_impl.h +++ b/source/common/network/multi_connection_base_impl.h @@ -135,7 +135,6 @@ class MultiConnectionBaseImpl : public ClientConnection, void dumpState(std::ostream& os, int indent_level) const override; const Network::ConnectionSocketPtr& getSocket() const override { PANIC("not implemented"); } - Network::ConnectionSocketPtr moveSocket() override { return nullptr; } void setSocketReused(bool) override {} bool isSocketReused() override { return false; } diff --git a/source/common/quic/quic_filter_manager_connection_impl.h b/source/common/quic/quic_filter_manager_connection_impl.h index 39d67db0be21c..0653d52159f30 100644 --- a/source/common/quic/quic_filter_manager_connection_impl.h +++ b/source/common/quic/quic_filter_manager_connection_impl.h @@ -147,7 +147,6 @@ class QuicFilterManagerConnectionImpl : public Network::ConnectionImplBase, std::chrono::microseconds rtt) override; absl::optional congestionWindowInBytes() const override; const Network::ConnectionSocketPtr& getSocket() const override { PANIC("not implemented"); } - Network::ConnectionSocketPtr moveSocket() override { return nullptr; } void setSocketReused(bool) override {} bool isSocketReused() override { return false; } diff --git a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h index a299e7023ab20..8cfcc6ce9e694 100644 --- a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h +++ b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h @@ -121,7 +121,6 @@ class ApiListenerImplBase : public Server::ApiListener, const Network::ConnectionSocketPtr& getSocket() const override { return parent_.connection_.getSocket(); } - Network::ConnectionSocketPtr moveSocket() override { return nullptr; } void setSocketReused(bool) override {} bool isSocketReused() override { return false; } void addBytesSentCallback(Network::Connection::BytesSentCb) override { diff --git a/test/common/network/connection_impl_test.cc b/test/common/network/connection_impl_test.cc index 77b558bedf577..a3774ac176b54 100644 --- a/test/common/network/connection_impl_test.cc +++ b/test/common/network/connection_impl_test.cc @@ -362,23 +362,6 @@ TEST_P(ConnectionImplTest, GetCongestionWindow) { disconnect(true); } -TEST_P(ConnectionImplTest, TestMoveSocket) { - setUpBasicConnection(); - connect(); - - EXPECT_CALL(client_callbacks_, onEvent(ConnectionEvent::LocalClose)); - // Mark the client connection's socket as reused. - client_connection_->setSocketReused(true); - // Call moveSocket and verify the behavior. - auto moved_socket = client_connection_->moveSocket(); - EXPECT_NE(moved_socket, nullptr); // Ensure the socket is moved. - EXPECT_EQ(client_connection_->state(), Connection::State::Closed); // Connection should be closed. - - // Mark the socket dead to raise a close() event on the server connection. - moved_socket->close(); - disconnect(true /* wait_for_remote_close */, true /* client_socket_closed */); -} - TEST_P(ConnectionImplTest, CloseDuringConnectCallback) { setUpBasicConnection(); diff --git a/test/common/network/multi_connection_base_impl_test.cc b/test/common/network/multi_connection_base_impl_test.cc index 6463f6d26325e..1a3f9cbc4b20b 100644 --- a/test/common/network/multi_connection_base_impl_test.cc +++ b/test/common/network/multi_connection_base_impl_test.cc @@ -1209,22 +1209,17 @@ TEST_F(MultiConnectionBaseImplTest, SetSocketOptionFailedTest) { absl::Span sockopt_val(reinterpret_cast(&val), sizeof(val)); EXPECT_FALSE(impl_->setSocketOption(sockopt_name, sockopt_val)); -======= - TEST_F(MultiConnectionBaseImplTest, MoveSocket) { - setupMultiConnectionImpl(2); - - EXPECT_EQ(impl_->moveSocket(), nullptr); - } +} - TEST_F(MultiConnectionBaseImplTest, setSocketReused) { - setupMultiConnectionImpl(2); - impl_->setSocketReused(true); - } +TEST_F(MultiConnectionBaseImplTest, setSocketReused) { + setupMultiConnectionImpl(2); + impl_->setSocketReused(true); +} - TEST_F(MultiConnectionBaseImplTest, isSocketReused) { - setupMultiConnectionImpl(2); - EXPECT_EQ(impl_->isSocketReused(), false); - } +TEST_F(MultiConnectionBaseImplTest, isSocketReused) { + setupMultiConnectionImpl(2); + EXPECT_EQ(impl_->isSocketReused(), false); +} } // namespace Network } // namespace Envoy diff --git a/test/common/quic/quic_filter_manager_connection_impl_test.cc b/test/common/quic/quic_filter_manager_connection_impl_test.cc index 7c20bd506eb3f..525c7dc6274a4 100644 --- a/test/common/quic/quic_filter_manager_connection_impl_test.cc +++ b/test/common/quic/quic_filter_manager_connection_impl_test.cc @@ -153,8 +153,6 @@ TEST_F(QuicFilterManagerConnectionImplTest, SetSocketOption) { EXPECT_FALSE(impl_.setSocketOption(sockopt_name, sockopt_val)); } -TEST_F(QuicFilterManagerConnectionImplTest, MoveSocket) { EXPECT_EQ(impl_.moveSocket(), nullptr); } - TEST_F(QuicFilterManagerConnectionImplTest, setSocketReused) { impl_.setSocketReused(true); } TEST_F(QuicFilterManagerConnectionImplTest, isSocketReused) { diff --git a/test/mocks/network/connection.h b/test/mocks/network/connection.h index 9664642ba6bce..59bf4be7d5af8 100644 --- a/test/mocks/network/connection.h +++ b/test/mocks/network/connection.h @@ -86,7 +86,6 @@ class MockConnectionBase { MOCK_METHOD(uint32_t, bufferLimit, (), (const)); \ MOCK_METHOD(bool, aboveHighWatermark, (), (const)); \ MOCK_METHOD(Network::ConnectionSocketPtr&, getSocket, (), (const)); \ - MOCK_METHOD(ConnectionSocketPtr, moveSocket, ()); \ MOCK_METHOD(void, setSocketReused, (bool value)); \ MOCK_METHOD(bool, isSocketReused, ()); \ MOCK_METHOD(const Network::ConnectionSocket::OptionsSharedPtr&, socketOptions, (), (const)); \ From 9d828879ffb34900e47b2d158a89e3ac32f893f0 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 03:08:13 +0000 Subject: [PATCH 286/505] reverse conn http filter: remove moveSocket() API Signed-off-by: Basundhara Chakrabarty --- .../filters/http/reverse_conn/reverse_conn_filter.cc | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 9d20f4c8c7384..27a19a95aeb62 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -80,7 +80,6 @@ void ReverseConnFilter::getClusterDetailsUsingProtobuf(std::string* node_uuid, Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { std::string node_uuid, cluster_uuid, tenant_uuid; - decoder_callbacks_->setReverseConnForceLocalReply(true); envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; getClusterDetailsUsingProtobuf(&node_uuid, &cluster_uuid, &tenant_uuid); if (node_uuid.empty()) { @@ -89,7 +88,6 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { ret.set_status_message("Failed to parse request message or required fields missing"); decoder_callbacks_->sendLocalReply(Http::Code::BadGateway, ret.SerializeAsString(), nullptr, absl::nullopt, ""); - decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } @@ -147,7 +145,6 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { } connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); - decoder_callbacks_->setReverseConnForceLocalReply(false); return Http::FilterDataStatus::StopIterationNoBuffer; } From e74cbccdd263952292817c50d39b74db75fdc161 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 03:08:46 +0000 Subject: [PATCH 287/505] nits Signed-off-by: Basundhara Chakrabarty --- .../cloud-envoy.yaml | 5 +++-- .../on-prem-envoy-custom-resolver.yaml | 4 ++-- .../reverse_tunnel/grpc_reverse_tunnel_client.cc | 9 +++++---- .../reverse_tunnel/grpc_reverse_tunnel_service.cc | 10 +++++----- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection_socket_interface/cloud-envoy.yaml index 45d811daba6dc..5d46207ae4497 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy.yaml @@ -94,9 +94,10 @@ layered_runtime: - name: layer static_layer: re2.max_program_size.error_level: 1000 + envoy.reloadable_features.reverse_conn_force_local_reply: true # Enable reverse connection bootstrap extension bootstrap_extensions: -- name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface +- name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.UpstreamReverseConnectionSocketInterface + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface stat_prefix: "upstream_reverse_connection" \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml index 586cb760b013b..e6a86de9932cf 100644 --- a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml @@ -5,9 +5,9 @@ node: # Enable reverse connection bootstrap extension which registers the custom resolver bootstrap_extensions: -- name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface +- name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface stat_prefix: "downstream_reverse_connection" static_resources: diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc index 9f7ab54745986..4fac6d616a82c 100644 --- a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc @@ -18,11 +18,11 @@ namespace Bootstrap { namespace ReverseConnection { GrpcReverseTunnelClient::GrpcReverseTunnelClient( - Upstream::ClusterManager& cluster_manager, - const std::string& cluster_name, + Upstream::ClusterManager& cluster_manager, const std::string& cluster_name, const envoy::service::reverse_tunnel::v3::ReverseTunnelGrpcConfig& config, GrpcReverseTunnelCallbacks& callbacks) - : cluster_manager_(cluster_manager), cluster_name_(cluster_name), config_(config), callbacks_(callbacks), + : cluster_manager_(cluster_manager), cluster_name_(cluster_name), config_(config), + callbacks_(callbacks), service_method_(Protobuf::DescriptorPool::generated_pool()->FindMethodByName( "envoy.service.reverse_tunnel.v3.ReverseTunnelHandshakeService.EstablishTunnel")) { @@ -52,7 +52,8 @@ absl::Status GrpcReverseTunnelClient::createGrpcClient() { try { // Verify cluster name is provided if (cluster_name_.empty()) { - return absl::InvalidArgumentError("Cluster name cannot be empty for gRPC reverse tunnel handshake"); + return absl::InvalidArgumentError( + "Cluster name cannot be empty for gRPC reverse tunnel handshake"); } auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name_); diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc index 9244d42d93840..520b6a88c9228 100644 --- a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc +++ b/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc @@ -376,13 +376,13 @@ bool GrpcReverseTunnelService::registerTunnelConnection( auto* socket_manager = local_registry->socketManager(); - // Create a connection socket from the TCP connection - // This is a simplified approach - in full implementation we'd need proper socket management - Network::ConnectionSocketPtr socket = connection->moveSocket(); + // Get the socket from the connection without moving it + // Since we're not duplicating sockets, we use the existing socket + const Network::ConnectionSocketPtr& socket = connection->getSocket(); // Register the connection with the socket manager - socket_manager->addConnectionSocket(initiator.node_id(), initiator.cluster_id(), - std::move(socket), ping_interval, + socket_manager->addConnectionSocket(initiator.node_id(), initiator.cluster_id(), socket, + ping_interval, false // not rebalanced ); From c14c2bbebd92e9ff89fb36bc204c2caa43ba7c13 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 25 Aug 2025 07:49:17 +0200 Subject: [PATCH 288/505] Reapply "ext_authz: add grpc_service field on the per-route filter" (#40843) --- .../filters/http/ext_authz/v3/ext_authz.proto | 13 + changelogs/current.yaml | 12 +- .../common/ext_authz/ext_authz_http_impl.cc | 24 + .../common/ext_authz/ext_authz_http_impl.h | 5 + .../filters/http/ext_authz/config.cc | 6 +- .../filters/http/ext_authz/ext_authz.cc | 135 +- .../filters/http/ext_authz/ext_authz.h | 55 +- .../ext_authz/ext_authz_http_impl_test.cc | 21 + .../filters/http/ext_authz/config_test.cc | 411 ++++++ .../ext_authz/ext_authz_integration_test.cc | 27 + .../filters/http/ext_authz/ext_authz_test.cc | 1300 ++++++++++++++--- 11 files changed, 1792 insertions(+), 217 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto index 0a2492b2ff5f5..690a9956454df 100644 --- a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +++ b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto @@ -476,6 +476,7 @@ message ExtAuthzPerRoute { } // Extra settings for the check request. +// [#next-free-field: 6] message CheckSettings { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.ext_authz.v2.CheckSettings"; @@ -513,4 +514,16 @@ message CheckSettings { // :ref:`disable_request_body_buffering ` // may be specified. BufferSettings with_request_body = 3; + + // Override the external authorization service for this route. + // This allows different routes to use different external authorization service backends + // and service types (gRPC or HTTP). If specified, this overrides the filter-level service + // configuration regardless of the original service type. + oneof service_override { + // Override with a gRPC service configuration. + config.core.v3.GrpcService grpc_service = 4; + + // Override with an HTTP service configuration. + HttpService http_service = 5; + } } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 076cf1a618dbf..4495eeb525b54 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -203,9 +203,8 @@ new_features: for more details. - area: socket change: | - Added :ref:``network_namespace_filepath `` to - :ref:`SocketAddress `. This field allows specifying a Linux network namespace filepath - for socket creation, enabling network isolation in containerized environments. + Added ``network_namespace_filepath`` to :ref:`SocketAddress `. This field allows + specifying a Linux network namespace filepath for socket creation, enabling network isolation in containerized environments. - area: ratelimit change: | Add the :ref:`rate_limits @@ -256,6 +255,13 @@ new_features: Added ``virtualHost()`` to the Stream handle API, allowing Lua scripts to retrieve virtual host information. So far, the only method implemented is ``metadata()``, allowing Lua scripts to access virtual host metadata scoped to the specific filter name. See :ref:`Virtual host object API ` for more details. +- area: ext_authz + change: | + Added support for per-route gRPC service override in the ``ext_authz`` HTTP filter. This allows different routes + to use different external authorization backends by configuring a + :ref:`grpc_service ` + in the per-route ``check_settings``. Routes without this configuration continue to use the default + authorization service. - area: tracing change: | Added :ref:`trace_context_option ` enum diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc index 070636df941af..170ee16ef84a8 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc @@ -133,6 +133,30 @@ ClientConfig::ClientConfig(const envoy::extensions::filters::http::ext_authz::v3 Router::HeaderParserPtr)), encode_raw_headers_(config.encode_raw_headers()) {} +ClientConfig::ClientConfig( + const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service, + bool encode_raw_headers, uint32_t timeout, Server::Configuration::CommonFactoryContext& context) + : client_header_matchers_(toClientMatchers( + http_service.authorization_response().allowed_client_headers(), context)), + client_header_on_success_matchers_(toClientMatchersOnSuccess( + http_service.authorization_response().allowed_client_headers_on_success(), context)), + to_dynamic_metadata_matchers_(toDynamicMetadataMatchers( + http_service.authorization_response().dynamic_metadata_from_headers(), context)), + upstream_header_matchers_(toUpstreamMatchers( + http_service.authorization_response().allowed_upstream_headers(), context)), + upstream_header_to_append_matchers_(toUpstreamMatchers( + http_service.authorization_response().allowed_upstream_headers_to_append(), context)), + cluster_name_(http_service.server_uri().cluster()), timeout_(timeout), + path_prefix_( + THROW_OR_RETURN_VALUE(validatePathPrefix(http_service.path_prefix()), std::string)), + tracing_name_(fmt::format("async {} egress", http_service.server_uri().cluster())), + request_headers_parser_(THROW_OR_RETURN_VALUE( + Router::HeaderParser::configure( + http_service.authorization_request().headers_to_add(), + envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD), + Router::HeaderParserPtr)), + encode_raw_headers_(encode_raw_headers) {} + MatcherSharedPtr ClientConfig::toClientMatchersOnSuccess(const envoy::type::matcher::v3::ListStringMatcher& list, Server::Configuration::CommonFactoryContext& context) { diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h index d79b34876548d..0847afe6c5a14 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.h @@ -28,6 +28,11 @@ class ClientConfig { uint32_t timeout, absl::string_view path_prefix, Server::Configuration::CommonFactoryContext& context); + // Build config directly from HttpService without constructing a temporary ExtAuthz. + ClientConfig(const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service, + bool encode_raw_headers, uint32_t timeout, + Server::Configuration::CommonFactoryContext& context); + /** * Returns the name of the authorization cluster. */ diff --git a/source/extensions/filters/http/ext_authz/config.cc b/source/extensions/filters/http/ext_authz/config.cc index 83a3c60287ae6..8f7febefa8ccc 100644 --- a/source/extensions/filters/http/ext_authz/config.cc +++ b/source/extensions/filters/http/ext_authz/config.cc @@ -39,7 +39,8 @@ Http::FilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProtoWithServ &server_context](Http::FilterChainFactoryCallbacks& callbacks) { auto client = std::make_unique( server_context.clusterManager(), client_config); - callbacks.addStreamFilter(std::make_shared(filter_config, std::move(client))); + callbacks.addStreamFilter( + std::make_shared(filter_config, std::move(client), server_context)); }; } else { // gRPC client. @@ -57,7 +58,8 @@ Http::FilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProtoWithServ THROW_IF_NOT_OK_REF(client_or_error.status()); auto client = std::make_unique( client_or_error.value(), std::chrono::milliseconds(timeout_ms)); - callbacks.addStreamFilter(std::make_shared(filter_config, std::move(client))); + callbacks.addStreamFilter( + std::make_shared(filter_config, std::move(client), server_context)); }; } return callback; diff --git a/source/extensions/filters/http/ext_authz/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc index 9efd5b6fc36f6..7fd7abf65f365 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/ext_authz.cc @@ -1,4 +1,3 @@ -#include "ext_authz.h" #include "source/extensions/filters/http/ext_authz/ext_authz.h" #include @@ -21,6 +20,9 @@ namespace ExtAuthz { namespace { +// Default timeout for per-route gRPC client creation. +constexpr uint32_t kDefaultPerRouteTimeoutMs = 200; + using MetadataProto = ::envoy::config::core::v3::Metadata; using Filters::Common::MutationRules::CheckOperation; using Filters::Common::MutationRules::CheckResult; @@ -172,6 +174,86 @@ void FilterConfigPerRoute::merge(const FilterConfigPerRoute& other) { } } +// Constructor used for merging configurations from different levels (vhost, route, etc.) +FilterConfigPerRoute::FilterConfigPerRoute(const FilterConfigPerRoute& less_specific, + const FilterConfigPerRoute& more_specific) + : context_extensions_(less_specific.context_extensions_), + check_settings_(more_specific.check_settings_), disabled_(more_specific.disabled_), + // Only use the most specific per-route override. Do not inherit overrides from less + // specific configuration. If the more specific configuration has no override, leave both + // unset so that the main filter configuration is used. + grpc_service_(more_specific.grpc_service_.has_value() ? more_specific.grpc_service_ + : absl::nullopt), + http_service_(more_specific.http_service_.has_value() ? more_specific.http_service_ + : absl::nullopt) { + // Merge context extensions from more specific configuration, overriding less specific ones. + for (const auto& extension : more_specific.context_extensions_) { + context_extensions_[extension.first] = extension.second; + } +} + +Filters::Common::ExtAuthz::ClientPtr +Filter::createPerRouteGrpcClient(const envoy::config::core::v3::GrpcService& grpc_service) { + if (server_context_ == nullptr) { + ENVOY_STREAM_LOG( + debug, "ext_authz filter: server context not available for per-route gRPC client creation.", + *decoder_callbacks_); + return nullptr; + } + + // Use the timeout from the gRPC service configuration, use default if not specified. + const uint32_t timeout_ms = + PROTOBUF_GET_MS_OR_DEFAULT(grpc_service, timeout, kDefaultPerRouteTimeoutMs); + + // We can skip transport version check for per-route gRPC service here. + // The transport version is already validated at the main configuration level. + Envoy::Grpc::GrpcServiceConfigWithHashKey config_with_hash_key = + Envoy::Grpc::GrpcServiceConfigWithHashKey(grpc_service); + + auto client_or_error = server_context_->clusterManager() + .grpcAsyncClientManager() + .getOrCreateRawAsyncClientWithHashKey(config_with_hash_key, + server_context_->scope(), true); + if (!client_or_error.ok()) { + ENVOY_STREAM_LOG(warn, + "ext_authz filter: failed to create per-route gRPC client: {}. Falling back " + "to default client.", + *decoder_callbacks_, client_or_error.status().ToString()); + return nullptr; + } + + ENVOY_STREAM_LOG(debug, "ext_authz filter: created per-route gRPC client for cluster: {}.", + *decoder_callbacks_, + grpc_service.has_envoy_grpc() ? grpc_service.envoy_grpc().cluster_name() + : "google_grpc"); + + return std::make_unique( + client_or_error.value(), std::chrono::milliseconds(timeout_ms)); +} + +Filters::Common::ExtAuthz::ClientPtr Filter::createPerRouteHttpClient( + const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service) { + if (server_context_ == nullptr) { + ENVOY_STREAM_LOG( + debug, "ext_authz filter: server context not available for per-route HTTP client creation.", + *decoder_callbacks_); + return nullptr; + } + + // Use the timeout from the HTTP service configuration, use default if not specified. + const uint32_t timeout_ms = + PROTOBUF_GET_MS_OR_DEFAULT(http_service.server_uri(), timeout, kDefaultPerRouteTimeoutMs); + + ENVOY_STREAM_LOG(debug, "ext_authz filter: creating per-route HTTP client for URI: {}.", + *decoder_callbacks_, http_service.server_uri().uri()); + + const auto client_config = std::make_shared( + http_service, config_->headersAsBytes(), timeout_ms, *server_context_); + + return std::make_unique( + server_context_->clusterManager(), client_config); +} + void Filter::initiateCall(const Http::RequestHeaderMap& headers) { if (filter_return_ == FilterReturn::StopDecoding) { return; @@ -205,9 +287,10 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { for (const FilterConfigPerRoute& cfg : Http::Utility::getAllPerFilterConfig(decoder_callbacks_)) { if (maybe_merged_per_route_config.has_value()) { - maybe_merged_per_route_config.value().merge(cfg); + FilterConfigPerRoute current_config = maybe_merged_per_route_config.value(); + maybe_merged_per_route_config.emplace(current_config, cfg); } else { - maybe_merged_per_route_config = cfg; + maybe_merged_per_route_config.emplace(cfg); } } @@ -216,6 +299,46 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { context_extensions = maybe_merged_per_route_config.value().takeContextExtensions(); } + // Check if we need to use a per-route service override (gRPC or HTTP). + Filters::Common::ExtAuthz::Client* client_to_use = client_.get(); + if (maybe_merged_per_route_config) { + if (maybe_merged_per_route_config->grpcService().has_value()) { + const auto& grpc_service = maybe_merged_per_route_config->grpcService().value(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: using per-route gRPC service configuration.", + *decoder_callbacks_); + + // Create a new gRPC client for this route. + per_route_client_ = createPerRouteGrpcClient(grpc_service); + if (per_route_client_ != nullptr) { + client_to_use = per_route_client_.get(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: successfully created per-route gRPC client.", + *decoder_callbacks_); + } else { + ENVOY_STREAM_LOG( + warn, + "ext_authz filter: failed to create per-route gRPC client, falling back to default.", + *decoder_callbacks_); + } + } else if (maybe_merged_per_route_config->httpService().has_value()) { + const auto& http_service = maybe_merged_per_route_config->httpService().value(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: using per-route HTTP service configuration.", + *decoder_callbacks_); + + // Create a new HTTP client for this route. + per_route_client_ = createPerRouteHttpClient(http_service); + if (per_route_client_ != nullptr) { + client_to_use = per_route_client_.get(); + ENVOY_STREAM_LOG(debug, "ext_authz filter: successfully created per-route HTTP client.", + *decoder_callbacks_); + } else { + ENVOY_STREAM_LOG( + warn, + "ext_authz filter: failed to create per-route HTTP client, falling back to default.", + *decoder_callbacks_); + } + } + } + // If metadata_context_namespaces or typed_metadata_context_namespaces is specified, // pass matching filter metadata to the ext_authz service. // If metadata key is set in both the connection and request metadata, @@ -241,7 +364,7 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { config_->destinationLabels(), config_->allowedHeadersMatcher(), config_->disallowedHeadersMatcher()); - ENVOY_STREAM_LOG(trace, "ext_authz filter calling authorization server", *decoder_callbacks_); + ENVOY_STREAM_LOG(trace, "ext_authz filter calling authorization server.", *decoder_callbacks_); // Store start time of ext_authz filter call start_time_ = decoder_callbacks_->dispatcher().timeSource().monotonicTime(); @@ -250,8 +373,8 @@ void Filter::initiateCall(const Http::RequestHeaderMap& headers) { // going to invoke check call. cluster_ = decoder_callbacks_->clusterInfo(); initiating_call_ = true; - client_->check(*this, check_request_, decoder_callbacks_->activeSpan(), - decoder_callbacks_->streamInfo()); + client_to_use->check(*this, check_request_, decoder_callbacks_->activeSpan(), + decoder_callbacks_->streamInfo()); initiating_call_ = false; } diff --git a/source/extensions/filters/http/ext_authz/ext_authz.h b/source/extensions/filters/http/ext_authz/ext_authz.h index 3f309b97c6d2e..123daee1a6154 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.h +++ b/source/extensions/filters/http/ext_authz/ext_authz.h @@ -6,8 +6,10 @@ #include #include "envoy/extensions/filters/http/ext_authz/v3/ext_authz.pb.h" +#include "envoy/grpc/async_client_manager.h" #include "envoy/http/filter.h" #include "envoy/runtime/runtime.h" +#include "envoy/server/factory_context.h" #include "envoy/service/auth/v3/external_auth.pb.h" #include "envoy/stats/scope.h" #include "envoy/stats/stats_macros.h" @@ -17,6 +19,7 @@ #include "source/common/common/logger.h" #include "source/common/common/matchers.h" #include "source/common/common/utility.h" +#include "source/common/grpc/typed_async_client.h" #include "source/common/http/codes.h" #include "source/common/http/header_map_impl.h" #include "source/common/runtime/runtime_protos.h" @@ -305,7 +308,13 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { check_settings_(config.has_check_settings() ? config.check_settings() : envoy::extensions::filters::http::ext_authz::v3::CheckSettings()), - disabled_(config.disabled()) { + disabled_(config.disabled()), + grpc_service_(config.has_check_settings() && config.check_settings().has_grpc_service() + ? absl::make_optional(config.check_settings().grpc_service()) + : absl::nullopt), + http_service_(config.has_check_settings() && config.check_settings().has_http_service() + ? absl::make_optional(config.check_settings().http_service()) + : absl::nullopt) { if (config.has_check_settings() && config.check_settings().disable_request_body_buffering() && config.check_settings().has_with_request_body()) { ExceptionUtil::throwEnvoyException( @@ -314,6 +323,12 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { } } + // This constructor is used as a way to merge more-specific config into less-specific config in a + // clearly defined way (e.g. route config into VH config). All fields on this class must be const + // and thus must be initialized in the constructor initialization list. + FilterConfigPerRoute(const FilterConfigPerRoute& less_specific, + const FilterConfigPerRoute& more_specific); + void merge(const FilterConfigPerRoute& other); /** @@ -329,12 +344,30 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { return check_settings_; } + /** + * @return The gRPC service override for this route, if any. + */ + const absl::optional& grpcService() const { + return grpc_service_; + } + + /** + * @return The HTTP service override for this route, if any. + */ + const absl::optional& + httpService() const { + return http_service_; + } + private: // We save the context extensions as a protobuf map instead of a std::map as this allows us to // move it to the CheckRequest, thus avoiding a copy that would incur by converting it. ContextExtensionsMap context_extensions_; envoy::extensions::filters::http::ext_authz::v3::CheckSettings check_settings_; - bool disabled_; + const bool disabled_; + const absl::optional grpc_service_; + const absl::optional + http_service_; }; /** @@ -348,6 +381,12 @@ class Filter : public Logger::Loggable, Filter(const FilterConfigSharedPtr& config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)), stats_(config->stats()) {} + // Constructor that includes server context for per-route service support. + Filter(const FilterConfigSharedPtr& config, Filters::Common::ExtAuthz::ClientPtr&& client, + Server::Configuration::ServerFactoryContext& server_context) + : config_(config), client_(std::move(client)), server_context_(&server_context), + stats_(config->stats()) {} + // Http::StreamFilterBase void onDestroy() override; @@ -383,6 +422,14 @@ class Filter : public Logger::Loggable, // code. void rejectResponse(); + // Create a new gRPC client for per-route gRPC service configuration. + Filters::Common::ExtAuthz::ClientPtr + createPerRouteGrpcClient(const envoy::config::core::v3::GrpcService& grpc_service); + + // Create a new HTTP client for per-route HTTP service configuration. + Filters::Common::ExtAuthz::ClientPtr createPerRouteHttpClient( + const envoy::extensions::filters::http::ext_authz::v3::HttpService& http_service); + absl::optional start_time_; void addResponseHeaders(Http::HeaderMap& header_map, const Http::HeaderVector& headers); void initiateCall(const Http::RequestHeaderMap& headers); @@ -410,6 +457,10 @@ class Filter : public Logger::Loggable, Http::HeaderMapPtr getHeaderMap(const Filters::Common::ExtAuthz::ResponsePtr& response); FilterConfigSharedPtr config_; Filters::Common::ExtAuthz::ClientPtr client_; + // Per-route gRPC client that overrides the default client when specified. + Filters::Common::ExtAuthz::ClientPtr per_route_client_; + // Server context for creating per-route clients. + Server::Configuration::ServerFactoryContext* server_context_{nullptr}; Http::StreamDecoderFilterCallbacks* decoder_callbacks_{}; Http::StreamEncoderFilterCallbacks* encoder_callbacks_{}; Http::RequestHeaderMap* request_headers_; diff --git a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc index 298abb58a10e0..92cc6cddc5e62 100644 --- a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc @@ -209,6 +209,27 @@ class ExtAuthzHttpClientTest : public testing::Test { NiceMock stream_info_; }; +// Verify ClientConfig could be built directly from HttpService and that the +// fields get wired correctly. +TEST_F(ExtAuthzHttpClientTest, ClientConfigFromHttpService) { + envoy::extensions::filters::http::ext_authz::v3::HttpService http_service; + http_service.mutable_server_uri()->set_uri("ext_authz:9000"); + http_service.mutable_server_uri()->set_cluster("ext_authz"); + http_service.mutable_server_uri()->mutable_timeout()->set_seconds(0); + http_service.set_path_prefix("/prefix"); + // Add one header to add to request to exercise header parser creation. + auto* add = http_service.mutable_authorization_request()->add_headers_to_add(); + add->set_key("x-added"); + add->set_value("v"); + + auto cfg = std::make_shared(http_service, /*encode_raw_headers=*/true, + /*timeout_ms=*/123, factory_context_); + EXPECT_EQ(cfg->cluster(), "ext_authz"); + EXPECT_EQ(cfg->pathPrefix(), "/prefix"); + EXPECT_EQ(cfg->timeout(), std::chrono::milliseconds{123}); + EXPECT_TRUE(cfg->encodeRawHeaders()); +} + TEST_F(ExtAuthzHttpClientTest, StreamInfo) { envoy::service::auth::v3::CheckRequest request; client_->check(request_callbacks_, request, parent_span_, stream_info_); diff --git a/test/extensions/filters/http/ext_authz/config_test.cc b/test/extensions/filters/http/ext_authz/config_test.cc index bfb2a593b4114..9a84ee2e73deb 100644 --- a/test/extensions/filters/http/ext_authz/config_test.cc +++ b/test/extensions/filters/http/ext_authz/config_test.cc @@ -8,6 +8,7 @@ #include "source/common/network/address_impl.h" #include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/filters/http/ext_authz/config.h" +#include "source/extensions/filters/http/ext_authz/ext_authz.h" #include "test/mocks/server/factory_context.h" #include "test/test_common/real_threads_test_helper.h" @@ -28,6 +29,10 @@ namespace Extensions { namespace HttpFilters { namespace ExtAuthz { +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + class TestAsyncClientManagerImpl : public Grpc::AsyncClientManagerImpl { public: TestAsyncClientManagerImpl(Upstream::ClusterManager& cm, ThreadLocal::Instance& tls, @@ -217,6 +222,412 @@ TEST_F(ExtAuthzFilterHttpTest, FilterWithServerContext) { cb(filter_callback); } +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfiguration) { + const std::string per_route_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + route_type: "high_qps" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_high_qps" + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_FALSE(typed_config.disabled()); + EXPECT_TRUE(typed_config.grpcService().has_value()); + + const auto& grpc_service = typed_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_high_qps"); + + const auto& context_extensions = typed_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); + EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteHttpServiceConfiguration) { + const std::string per_route_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + route_type: "high_qps" + http_service: + server_uri: + uri: "https://ext-authz-http.example.com" + cluster: "ext_authz_http_cluster" + timeout: 2s + path_prefix: "/api/auth" + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_FALSE(typed_config.disabled()); + EXPECT_TRUE(typed_config.httpService().has_value()); + EXPECT_FALSE(typed_config.grpcService().has_value()); + + const auto& http_service = typed_config.httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-http.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_http_cluster"); + EXPECT_EQ(http_service.server_uri().timeout().seconds(), 2); + EXPECT_EQ(http_service.path_prefix(), "/api/auth"); + + const auto& context_extensions = typed_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); + EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteServiceTypeSwitching) { + // Test that we can switch service types - e.g., have gRPC in less specific and HTTP in more + // specific + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + base_setting: "from_base" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_grpc_cluster" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + override_setting: "from_override" + http_service: + server_uri: + uri: "https://ext-authz-http.example.com" + cluster: "ext_authz_http_cluster" + timeout: 3s + path_prefix: "/auth/check" + )EOF"; + + ExtAuthzFilterConfig factory; + + // Create less specific configuration with gRPC service + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + // Create more specific configuration with HTTP service + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + // Merge configurations - should use HTTP service from more specific config + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Verify that HTTP service from more specific config is used (service type switching) + EXPECT_TRUE(merged_config.httpService().has_value()); + EXPECT_FALSE(merged_config.grpcService().has_value()); + + const auto& http_service = merged_config.httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-http.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_http_cluster"); + EXPECT_EQ(http_service.path_prefix(), "/auth/check"); + + // Verify context extensions are properly merged (less specific preserved, more specific + // overrides) + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.size(), 2); + EXPECT_EQ(context_extensions.at("base_setting"), "from_base"); + EXPECT_EQ(context_extensions.at("override_setting"), "from_override"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteServiceTypeSwitchingHttpToGrpc) { + // Test that we can switch from HTTP service to gRPC service (reverse of the other test) + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + base_setting: "from_base" + http_service: + server_uri: + uri: "https://ext-authz-http.example.com" + cluster: "ext_authz_http_cluster" + timeout: 1s + path_prefix: "/auth" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + override_setting: "from_override" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_grpc_cluster" + authority: "ext-authz.example.com" + timeout: 5s + )EOF"; + + ExtAuthzFilterConfig factory; + + // Create less specific configuration with HTTP service + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + // Create more specific configuration with gRPC service + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + // Merge configurations - should use gRPC service from more specific config + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Verify that gRPC service from more specific config is used (service type switching) + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_FALSE(merged_config.httpService().has_value()); + + const auto& grpc_service = merged_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_grpc_cluster"); + EXPECT_EQ(grpc_service.envoy_grpc().authority(), "ext-authz.example.com"); + EXPECT_EQ(grpc_service.timeout().seconds(), 5); + + // Verify context extensions are properly merged + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.size(), 2); + EXPECT_EQ(context_extensions.at("base_setting"), "from_base"); + EXPECT_EQ(context_extensions.at("override_setting"), "from_override"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteHttpServiceWithTimeout) { + // Test HTTP service configuration with custom timeout + const std::string per_route_config_yaml = R"EOF( + check_settings: + http_service: + server_uri: + uri: "https://ext-authz-custom.example.com" + cluster: "ext_authz_custom_cluster" + timeout: 10s + path_prefix: "/custom/auth" + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_TRUE(typed_config.httpService().has_value()); + EXPECT_FALSE(typed_config.grpcService().has_value()); + + const auto& http_service = typed_config.httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://ext-authz-custom.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "ext_authz_custom_cluster"); + EXPECT_EQ(http_service.server_uri().timeout().seconds(), 10); + EXPECT_EQ(http_service.path_prefix(), "/custom/auth"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceWithTimeout) { + // Test gRPC service configuration with custom timeout + const std::string per_route_config_yaml = R"EOF( + check_settings: + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_custom_grpc" + authority: "custom-ext-authz.example.com" + timeout: 15s + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_TRUE(typed_config.grpcService().has_value()); + EXPECT_FALSE(typed_config.httpService().has_value()); + + const auto& grpc_service = typed_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_custom_grpc"); + EXPECT_EQ(grpc_service.envoy_grpc().authority(), "custom-ext-authz.example.com"); + EXPECT_EQ(grpc_service.timeout().seconds(), 15); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteEmptyContextExtensionsMerging) { + // Test merging when one config has empty context extensions + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + base_key: "base_value" + shared_key: "base_shared" + grpc_service: + envoy_grpc: + cluster_name: "base_cluster" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + grpc_service: + envoy_grpc: + cluster_name: "specific_cluster" + )EOF"; + + ExtAuthzFilterConfig factory; + + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Should use gRPC service from more specific + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "specific_cluster"); + + // Should preserve context extensions from less specific since more specific has none + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.size(), 2); + EXPECT_EQ(context_extensions.at("base_key"), "base_value"); + EXPECT_EQ(context_extensions.at("shared_key"), "base_shared"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationMerging) { + // Test merging of per-route configurations + const std::string less_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + shared_setting: "from_less_specific" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_default" + )EOF"; + + const std::string more_specific_config_yaml = R"EOF( + check_settings: + context_extensions: + route_type: "high_qps" + shared_setting: "from_more_specific" + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_high_qps" + )EOF"; + + ExtAuthzFilterConfig factory; + + // Create less specific configuration + ProtobufTypes::MessagePtr less_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(less_specific_config_yaml, *less_specific_proto); + FilterConfigPerRoute less_specific_config( + *dynamic_cast( + less_specific_proto.get())); + + // Create more specific configuration + ProtobufTypes::MessagePtr more_specific_proto = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(more_specific_config_yaml, *more_specific_proto); + FilterConfigPerRoute more_specific_config( + *dynamic_cast( + more_specific_proto.get())); + + // Merge configurations + FilterConfigPerRoute merged_config(less_specific_config, more_specific_config); + + // Check that more specific gRPC service is used + EXPECT_TRUE(merged_config.grpcService().has_value()); + const auto& grpc_service = merged_config.grpcService().value(); + EXPECT_TRUE(grpc_service.has_envoy_grpc()); + EXPECT_EQ(grpc_service.envoy_grpc().cluster_name(), "ext_authz_high_qps"); + + // Check that context extensions are properly merged + const auto& context_extensions = merged_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); + EXPECT_EQ(context_extensions.at("route_type"), "high_qps"); + EXPECT_EQ(context_extensions.at("shared_setting"), "from_more_specific"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationWithoutGrpcService) { + const std::string per_route_config_yaml = R"EOF( + check_settings: + context_extensions: + virtual_host: "my_virtual_host" + disable_request_body_buffering: true + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_FALSE(typed_config.disabled()); + EXPECT_FALSE(typed_config.grpcService().has_value()); + + const auto& context_extensions = typed_config.contextExtensions(); + EXPECT_EQ(context_extensions.at("virtual_host"), "my_virtual_host"); +} + +TEST_F(ExtAuthzFilterHttpTest, PerRouteGrpcServiceConfigurationDisabled) { + const std::string per_route_config_yaml = R"EOF( + disabled: true + )EOF"; + + ExtAuthzFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyRouteConfigProto(); + TestUtility::loadFromYaml(per_route_config_yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + auto route_config = factory.createRouteSpecificFilterConfig(*proto_config, context, + context.messageValidationVisitor()); + EXPECT_TRUE(route_config.ok()); + + const auto& typed_config = dynamic_cast(*route_config.value()); + EXPECT_TRUE(typed_config.disabled()); + EXPECT_FALSE(typed_config.grpcService().has_value()); +} + class ExtAuthzFilterGrpcTest : public ExtAuthzFilterTest { public: void testFilterFactoryAndFilterWithGrpcClient(const std::string& ext_authz_config_yaml) { diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index e072262e484b5..9eb2348bdbafd 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -5,6 +5,7 @@ #include "source/common/common/macros.h" #include "source/extensions/filters/common/ext_authz/ext_authz.h" +#include "source/extensions/filters/http/ext_authz/ext_authz.h" #include "source/server/config_validation/server.h" #include "test/common/grpc/grpc_client_integration.h" @@ -983,6 +984,32 @@ INSTANTIATE_TEST_SUITE_P(IpVersionsCientType, ExtAuthzGrpcIntegrationTest, testing::Bool()), ExtAuthzGrpcIntegrationTest::testParamsToString); +// Test per-route gRPC service configuration parsing +TEST_P(ExtAuthzGrpcIntegrationTest, PerRouteGrpcServiceConfigurationParsing) { + // Create a simple per-route configuration with gRPC service + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_cluster"); + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["route_type"] = + "special"; + + // Test configuration parsing and validation + Envoy::Extensions::HttpFilters::ExtAuthz::FilterConfigPerRoute config_per_route(per_route_config); + + // Verify the configuration was parsed correctly + ASSERT_TRUE(config_per_route.grpcService().has_value()); + EXPECT_TRUE(config_per_route.grpcService().value().has_envoy_grpc()); + EXPECT_EQ(config_per_route.grpcService().value().envoy_grpc().cluster_name(), + "per_route_cluster"); + + // Verify context extensions are present + const auto& check_settings = config_per_route.checkSettings(); + ASSERT_TRUE(check_settings.context_extensions().contains("route_type")); + EXPECT_EQ(check_settings.context_extensions().at("route_type"), "special"); +} + // Verifies that the request body is included in the CheckRequest when the downstream protocol is // HTTP/1.1. TEST_P(ExtAuthzGrpcIntegrationTest, HTTP1DownstreamRequestWithBody) { diff --git a/test/extensions/filters/http/ext_authz/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc index 129798b8cefb5..c6b342ba95016 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc @@ -53,6 +53,50 @@ namespace HttpFilters { namespace ExtAuthz { namespace { +// Matcher to convert a Buffer::Instance to its string representation for composition. +MATCHER_P(BufferString, m, "") { + return testing::ExplainMatchResult(m, arg->toString(), result_listener); +} + +// Matcher to parse a buffer string into a CheckRequest proto. +MATCHER_P(AsCheckRequest, m, "") { + envoy::service::auth::v3::CheckRequest check_request; + if (!check_request.ParseFromString(arg)) { + *result_listener << "failed to parse CheckRequest from buffer"; + return false; + } + return testing::ExplainMatchResult(m, check_request, result_listener); +} + +// Matcher to verify CheckRequest has specific context extension. +MATCHER_P2(HasContextExtension, key, value, "") { + const auto& context_extensions = arg.attributes().context_extensions(); + if (context_extensions.find(key) == context_extensions.end()) { + *result_listener << "context extension '" << key << "' not found"; + return false; + } + if (context_extensions.at(key) != value) { + *result_listener << "context extension '" << key << "' has value '" + << context_extensions.at(key) << "', expected '" << value << "'"; + return false; + } + return true; +} + +// Matcher to verify RequestOptions has specific timeout value. +MATCHER_P(HasTimeout, expected_timeout_ms, "") { + if (!arg.timeout.has_value()) { + *result_listener << "timeout not set"; + return false; + } + if (arg.timeout->count() != expected_timeout_ms) { + *result_listener << "timeout is " << arg.timeout->count() << "ms, expected " + << expected_timeout_ms << "ms"; + return false; + } + return true; +} + constexpr char FilterConfigName[] = "ext_authz_filter"; template class HttpFilterTestBase : public T { @@ -71,7 +115,8 @@ template class HttpFilterTestBase : public T { config_ = std::make_shared(proto_config, *stats_store_.rootScope(), "ext_authz_prefix", factory_context_); client_ = new NiceMock(); - filter_ = std::make_unique(config_, Filters::Common::ExtAuthz::ClientPtr{client_}); + filter_ = std::make_unique(config_, Filters::Common::ExtAuthz::ClientPtr{client_}, + factory_context_); ON_CALL(decoder_filter_callbacks_, filterConfigName()).WillByDefault(Return(FilterConfigName)); filter_->setDecoderFilterCallbacks(decoder_filter_callbacks_); filter_->setEncoderFilterCallbacks(encoder_filter_callbacks_); @@ -439,9 +484,13 @@ class InvalidMutationTest : public HttpFilterTestBase { EXPECT_EQ(1U, config_->stats().invalid_.value()); } - const std::string invalid_key_ = "invalid-\nkey"; - const uint8_t invalid_value_bytes_[3]{0x7f, 0x7f, 0}; + static constexpr const char* invalid_key_ = "invalid-\nkey"; + static constexpr uint8_t invalid_value_bytes_[3]{0x7f, 0x7f, 0}; const std::string invalid_value_; + + static std::string getInvalidValue() { + return std::string(reinterpret_cast(invalid_value_bytes_)); + } }; TEST_F(HttpFilterTest, DisableDynamicMetadataIngestion) { @@ -484,139 +533,149 @@ TEST_F(HttpFilterTest, DisableDynamicMetadataIngestion) { // Tests that the filter rejects authz responses with mutations with an invalid key when // validate_authz_response is set to true in config. -TEST_F(InvalidMutationTest, HeadersToSetKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -// Same as above, setting a different field... -TEST_F(InvalidMutationTest, HeadersToAddKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_add = {{invalid_key_, "bar"}}; - testResponse(response); -} - -// headers_to_set is also used when the authz response has status denied. -TEST_F(InvalidMutationTest, HeadersToSetKeyDenied) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::Denied; - response.headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, HeadersToAppendKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_append = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToAddKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToSetKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_set = {{invalid_key_, "bar"}}; - testResponse(response); -} +// Parameterized test for invalid mutation scenarios to reduce redundancy. +class InvalidMutationParamTest + : public InvalidMutationTest, + public testing::WithParamInterface< + std::tuple, // setup func + Filters::Common::ExtAuthz::CheckStatus // status + >> {}; + +TEST_P(InvalidMutationParamTest, InvalidMutationFields) { + const auto& [test_name, setup_func, status] = GetParam(); -TEST_F(InvalidMutationTest, ResponseHeadersToAddIfAbsentKey) { Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_add_if_absent = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToOverwriteIfExistsKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.response_headers_to_overwrite_if_exists = {{invalid_key_, "bar"}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, QueryParametersToSetKey) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.query_parameters_to_set = {{"f o o", "bar"}}; - testResponse(response); -} - -// Test that the filter rejects mutations with an invalid value -TEST_F(InvalidMutationTest, HeadersToSetValueOk) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -// Same as above, setting a different field... -TEST_F(InvalidMutationTest, HeadersToAddValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_add = {{"foo", invalid_value_}}; - testResponse(response); -} - -// headers_to_set is also used when the authz response has status denied. -TEST_F(InvalidMutationTest, HeadersToSetValueDenied) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::Denied; - response.headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, HeadersToAppendValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - response.headers_to_append = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToAddValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToSetValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_set = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, ResponseHeadersToAddIfAbsentValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_add_if_absent = {{"foo", invalid_value_}}; + response.status = status; + setup_func(response); testResponse(response); } -TEST_F(InvalidMutationTest, ResponseHeadersToOverwriteIfExistsValue) { - Filters::Common::ExtAuthz::Response response; - response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.response_headers_to_overwrite_if_exists = {{"foo", invalid_value_}}; - testResponse(response); -} - -TEST_F(InvalidMutationTest, QueryParametersToSetValue) { +INSTANTIATE_TEST_SUITE_P( + InvalidMutationScenarios, InvalidMutationParamTest, + testing::Values( + // Invalid key tests + std::make_tuple( + "HeadersToSetKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToAddKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_add = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToSetKeyDenied", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::Denied), + std::make_tuple( + "HeadersToAppendKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_append = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToSetKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddIfAbsentKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_add_if_absent = {{InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToOverwriteIfExistsKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_overwrite_if_exists = { + {InvalidMutationTest::invalid_key_, "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "QueryParametersToSetKey", + [](Filters::Common::ExtAuthz::Response& r) { + r.query_parameters_to_set = {{"f o o", "bar"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + // Invalid value tests + std::make_tuple( + "HeadersToSetValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToAddValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_add = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "HeadersToSetValueDenied", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::Denied), + std::make_tuple( + "HeadersToAppendValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.headers_to_append = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToSetValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_set = {{"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToAddIfAbsentValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_add_if_absent = { + {"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "ResponseHeadersToOverwriteIfExistsValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.response_headers_to_overwrite_if_exists = { + {"foo", InvalidMutationTest::getInvalidValue()}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK), + std::make_tuple( + "QueryParametersToSetValue", + [](Filters::Common::ExtAuthz::Response& r) { + r.query_parameters_to_set = {{"foo", "b a r"}}; + }, + Filters::Common::ExtAuthz::CheckStatus::OK)), + [](const testing::TestParamInfo& info) { + return std::get<0>(info.param); + }); + +// Keep one simple focused test to ensure backward compatibility. +TEST_F(InvalidMutationTest, BasicInvalidKey) { Filters::Common::ExtAuthz::Response response; response.status = Filters::Common::ExtAuthz::CheckStatus::OK; - // Add a valid header to see if it gets added to the downstream response. - response.query_parameters_to_set = {{"foo", "b a r"}}; + response.headers_to_set = {{invalid_key_, "bar"}}; testResponse(response); } @@ -824,68 +883,55 @@ TEST_F(DecoderHeaderMutationRulesTest, DisallowAll) { runTest(opts); } -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAdd) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_add = {{"cant-add-me", "sad"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAppend) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_append = {{"cant-append-to-me", "fail"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseAppendPseudoheader) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_append = {{":fake-pseudo-header", "fail"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseSet) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_set = {{"cant-override-me", "nope"}}; - runTest(opts); -} - -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseRemove) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_all()->set_value(true); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; - - opts.disallowed_headers_to_remove = {"cant-delete-me"}; - runTest(opts); -} +// Consolidated rejection test that covers all the scenarios previously tested individually. +TEST_F(DecoderHeaderMutationRulesTest, RejectResponseOperations) { + // Test data structure for all rejection scenarios + struct TestCase { + std::string name; + bool use_disallow_all; + std::function setup_func; + }; -TEST_F(DecoderHeaderMutationRulesTest, RejectResponseRemovePseudoHeader) { - DecoderHeaderMutationRulesTestOpts opts; - opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); - opts.rules->mutable_disallow_is_error()->set_value(true); - opts.expect_reject_response = true; + std::vector test_cases = { + {"RejectResponseAdd", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_add = {{"cant-add-me", "sad"}}; + }}, + {"RejectResponseAppend", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_append = {{"cant-append-to-me", "fail"}}; + }}, + {"RejectResponseAppendPseudoheader", false, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_append = {{":fake-pseudo-header", "fail"}}; + }}, + {"RejectResponseSet", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_set = {{"cant-override-me", "nope"}}; + }}, + {"RejectResponseRemove", true, + [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_remove = {"cant-delete-me"}; + }}, + {"RejectResponseRemovePseudoHeader", false, [](DecoderHeaderMutationRulesTestOpts& opts) { + opts.disallowed_headers_to_remove = {":fake-pseudo-header"}; + }}}; + + // Run all test cases + for (const auto& test_case : test_cases) { + SCOPED_TRACE(test_case.name); + + DecoderHeaderMutationRulesTestOpts opts; + opts.rules = envoy::config::common::mutation_rules::v3::HeaderMutationRules(); + if (test_case.use_disallow_all) { + opts.rules->mutable_disallow_all()->set_value(true); + } + opts.rules->mutable_disallow_is_error()->set_value(true); + opts.expect_reject_response = true; - opts.disallowed_headers_to_remove = {":fake-pseudo-header"}; - runTest(opts); + test_case.setup_func(opts); + runTest(opts); + } } TEST_F(DecoderHeaderMutationRulesTest, DisallowExpression) { @@ -2828,19 +2874,20 @@ TEST_P(HttpFilterTestParam, ContextExtensions) { // Test that filter can be disabled with route config. TEST_P(HttpFilterTestParam, DisabledOnRoute) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - FilterConfigPerRoute auth_per_route(settings); + std::unique_ptr auth_per_route = + std::make_unique(settings); prepareCheck(); - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(&auth_per_route)); - auto test_disable = [&](bool disabled) { initialize(""); // Set disabled settings.set_disabled(disabled); // Initialize the route's per filter config. - auth_per_route = FilterConfigPerRoute(settings); + auth_per_route = std::make_unique(settings); + // Update the mock to return the new pointer + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(auth_per_route.get())); }; // baseline: make sure that when not disabled, check is called @@ -2861,10 +2908,8 @@ TEST_P(HttpFilterTestParam, DisabledOnRoute) { // Test that filter can be disabled with route config. TEST_P(HttpFilterTestParam, DisabledOnRouteWithRequestBody) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - FilterConfigPerRoute auth_per_route(settings); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(&auth_per_route)); + std::unique_ptr auth_per_route = + std::make_unique(settings); auto test_disable = [&](bool disabled) { initialize(R"EOF( @@ -2880,7 +2925,10 @@ TEST_P(HttpFilterTestParam, DisabledOnRouteWithRequestBody) { // Set the filter disabled setting. settings.set_disabled(disabled); // Initialize the route's per filter config. - auth_per_route = FilterConfigPerRoute(settings); + auth_per_route = std::make_unique(settings); + // Update the mock to return the new pointer. + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(auth_per_route.get())); }; test_disable(false); @@ -3914,6 +3962,31 @@ TEST_F(HttpFilterTest, PerRouteCheckSettingsWorks) { } // Checks that the per-route filter can override the check_settings set on the main filter. +TEST_F(HttpFilterTest, NullRouteSkipsCheck) { + initialize(R"EOF( + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_server" + failure_mode_allow: false + stat_prefix: "ext_authz" + )EOF"); + + prepareCheck(); + + // Set up a null route return value. + ON_CALL(decoder_filter_callbacks_, route()).WillByDefault(Return(nullptr)); + + // With null route, no authorization check should be performed. + EXPECT_CALL(*client_, check(_, _, _, _)).Times(0); + + // Call the filter directly. + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + // With null route, the filter should continue without an auth check. + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, false)); +} + TEST_F(HttpFilterTest, PerRouteCheckSettingsOverrideWorks) { InSequence s; @@ -3975,10 +4048,8 @@ TEST_F(HttpFilterTest, PerRouteCheckSettingsOverrideWorks) { // Verify that request body buffering can be skipped per route. TEST_P(HttpFilterTestParam, DisableRequestBodyBufferingOnRoute) { envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute settings; - FilterConfigPerRoute auth_per_route(settings); - - ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) - .WillByDefault(Return(&auth_per_route)); + std::unique_ptr auth_per_route = + std::make_unique(settings); auto test_disable_request_body_buffering = [&](bool bypass) { initialize(R"EOF( @@ -3994,7 +4065,10 @@ TEST_P(HttpFilterTestParam, DisableRequestBodyBufferingOnRoute) { // Set bypass request body buffering for this route. settings.mutable_check_settings()->set_disable_request_body_buffering(bypass); // Initialize the route's per filter config. - auth_per_route = FilterConfigPerRoute(settings); + auth_per_route = std::make_unique(settings); + // Update the mock to return the new pointer. + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(auth_per_route.get())); }; test_disable_request_body_buffering(false); @@ -4159,6 +4233,824 @@ TEST_P(EmitFilterStateTest, PreexistingFilterStateSameTypeMutable) { TEST_P(ExtAuthzLoggingInfoTest, FieldTest) { test(); } +// Test per-route gRPC service override with null server context (fallback to default client) +TEST_P(HttpFilterTestParam, PerRouteGrpcServiceOverrideWithNullServerContext) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - per-route gRPC service only applies to gRPC clients + return; + } + + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_ext_authz_cluster"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Set up route to return per-route config + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + prepareCheck(); + + // Mock the default client check call (should fall back to default since server context is null) + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); +} + +// Test per-route configuration merging with context extensions +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithContextExtensions) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - configuration merging applies to gRPC clients + return; + } + + // Create base configuration with context extensions + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"base_key", "base_value"}); + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "base_shared_value"}); + + // Create more specific configuration with context extensions + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"specific_key", "specific_value"}); + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "specific_shared_value"}); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify merged context extensions + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 3); + EXPECT_EQ(merged_extensions.at("base_key"), "base_value"); + EXPECT_EQ(merged_extensions.at("specific_key"), "specific_value"); + EXPECT_EQ(merged_extensions.at("shared_key"), "specific_shared_value"); // More specific wins +} + +// Test per-route configuration merging with gRPC service override +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithGrpcServiceOverride) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - gRPC service override applies to gRPC clients + return; + } + + // Create base configuration without gRPC service + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"base_key", "base_value"}); + + // Create more specific configuration with gRPC service + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("specific_cluster"); + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"specific_key", "specific_value"}); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify gRPC service override is from more specific config + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "specific_cluster"); + + // Verify context extensions are merged + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 2); + EXPECT_EQ(merged_extensions.at("base_key"), "base_value"); + EXPECT_EQ(merged_extensions.at("specific_key"), "specific_value"); +} + +// Test per-route configuration merging with request body settings +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithRequestBodySettings) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - request body settings apply to gRPC clients + return; + } + + // Create base configuration with request body settings + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_with_request_body()->set_max_request_bytes(1000); + base_config.mutable_check_settings()->mutable_with_request_body()->set_allow_partial_message( + true); + + // Create more specific configuration with different request body settings + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->mutable_with_request_body()->set_max_request_bytes( + 2000); + specific_config.mutable_check_settings()->mutable_with_request_body()->set_allow_partial_message( + false); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify request body settings are from more specific config + const auto& merged_check_settings = merged_config.checkSettings(); + EXPECT_TRUE(merged_check_settings.has_with_request_body()); + EXPECT_EQ(merged_check_settings.with_request_body().max_request_bytes(), 2000); + EXPECT_EQ(merged_check_settings.with_request_body().allow_partial_message(), false); +} + +// Test per-route configuration merging with disable_request_body_buffering +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithDisableRequestBodyBuffering) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - disable request body buffering applies to gRPC clients + return; + } + + // Create base configuration without disable_request_body_buffering + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"base_key", "base_value"}); + + // Create more specific configuration with disable_request_body_buffering + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->set_disable_request_body_buffering(true); + + // Test merging using the merge constructor + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify disable_request_body_buffering is from more specific config + const auto& merged_check_settings = merged_config.checkSettings(); + EXPECT_TRUE(merged_check_settings.disable_request_body_buffering()); +} + +// Test per-route configuration merging with multiple levels +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingMultipleLevels) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - configuration merging applies to gRPC clients + return; + } + + // Create virtual host level configuration + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute vh_config; + vh_config.mutable_check_settings()->mutable_context_extensions()->insert({"vh_key", "vh_value"}); + vh_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "vh_shared_value"}); + + // Create route level configuration + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute route_config; + route_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"route_key", "route_value"}); + route_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "route_shared_value"}); + route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("route_cluster"); + + // Create weighted cluster level configuration + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute wc_config; + wc_config.mutable_check_settings()->mutable_context_extensions()->insert({"wc_key", "wc_value"}); + wc_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "wc_shared_value"}); + + // Test merging from least specific to most specific + FilterConfigPerRoute vh_filter_config(vh_config); + FilterConfigPerRoute route_filter_config(route_config); + FilterConfigPerRoute wc_filter_config(wc_config); + + // First merge: vh + route + FilterConfigPerRoute vh_route_merged(vh_filter_config, route_filter_config); + + // Second merge: (vh + route) + weighted cluster + FilterConfigPerRoute final_merged(vh_route_merged, wc_filter_config); + + // Verify final merged context extensions + const auto& merged_extensions = final_merged.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 4); + EXPECT_EQ(merged_extensions.at("vh_key"), "vh_value"); + EXPECT_EQ(merged_extensions.at("route_key"), "route_value"); + EXPECT_EQ(merged_extensions.at("wc_key"), "wc_value"); + EXPECT_EQ(merged_extensions.at("shared_key"), "wc_shared_value"); // Most specific wins + + // Verify gRPC service override is NOT inherited from less specific levels. + EXPECT_FALSE(final_merged.grpcService().has_value()); +} + +// Test per-route context extensions take precedence over check_settings context extensions. +TEST_P(HttpFilterTestParam, PerRouteContextExtensionsPrecedence) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as context extensions apply to gRPC clients. + return; + } + + // Create configuration with context extensions in both places. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"check_key", "check_value"}); + base_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "check_shared_value"}); + + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"specific_check_key", "specific_check_value"}); + specific_config.mutable_check_settings()->mutable_context_extensions()->insert( + {"shared_key", "specific_check_shared_value"}); + + // Test merging using the merge constructor. + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify context extensions are properly merged. + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 3); + EXPECT_EQ(merged_extensions.at("check_key"), "check_value"); + EXPECT_EQ(merged_extensions.at("specific_check_key"), "specific_check_value"); + EXPECT_EQ(merged_extensions.at("shared_key"), + "specific_check_shared_value"); // More specific wins +} + +// Test per-route Google gRPC service configuration. +TEST_P(HttpFilterTestParam, PerRouteGoogleGrpcServiceConfiguration) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_google_grpc() + ->set_target_uri("https://ext-authz.googleapis.com"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Verify Google gRPC service is properly configured + EXPECT_TRUE(per_route_filter_config->grpcService().has_value()); + EXPECT_TRUE(per_route_filter_config->grpcService().value().has_google_grpc()); + EXPECT_EQ(per_route_filter_config->grpcService().value().google_grpc().target_uri(), + "https://ext-authz.googleapis.com"); +} + +// Test existing functionality still works with new logic. +TEST_P(HttpFilterTestParam, ExistingFunctionalityWithNewLogic) { + // Test that the existing functionality still works with our new per-route merging logic. + prepareCheck(); + + // Mock the default client check call (no per-route config). + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); +} + +// Test per-route configuration merging with empty configurations. +TEST_P(HttpFilterTestParam, PerRouteConfigurationMergingWithEmptyConfigurations) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as configuration merging applies to gRPC clients. + return; + } + + // Create empty base configuration. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + + // Create empty specific configuration. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute specific_config; + + // Test merging using the merge constructor. + FilterConfigPerRoute base_filter_config(base_config); + FilterConfigPerRoute specific_filter_config(specific_config); + FilterConfigPerRoute merged_config(base_filter_config, specific_filter_config); + + // Verify merged configuration has empty context extensions. + const auto& merged_extensions = merged_config.contextExtensions(); + EXPECT_EQ(merged_extensions.size(), 0); + + // Verify no gRPC service override + EXPECT_FALSE(merged_config.grpcService().has_value()); +} + +// Test per-route gRPC service configuration merging functionality. +TEST_P(HttpFilterTestParam, PerRouteGrpcServiceMergingWithBaseConfiguration) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + // Create base per-route configuration. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute base_config; + (*base_config.mutable_check_settings()->mutable_context_extensions())["base"] = "value"; + FilterConfigPerRoute base_filter_config(base_config); + + // Create per-route configuration with gRPC service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_cluster"); + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["route"] = "override"; + + // Test merging constructor. + FilterConfigPerRoute merged_config(base_filter_config, per_route_config); + + // Verify the merged configuration has the gRPC service from the per-route config. + EXPECT_TRUE(merged_config.grpcService().has_value()); + EXPECT_TRUE(merged_config.grpcService().value().has_envoy_grpc()); + EXPECT_EQ(merged_config.grpcService().value().envoy_grpc().cluster_name(), "per_route_cluster"); + + // Verify that context extensions are properly merged. + const auto& merged_settings = merged_config.checkSettings(); + EXPECT_TRUE(merged_settings.context_extensions().contains("route")); + EXPECT_EQ(merged_settings.context_extensions().at("route"), "override"); +} + +// Test focused integration test to verify per-route configuration is processed correctly. +TEST_P(HttpFilterTestParam, PerRouteConfigurationIntegrationTest) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - per-route gRPC service only applies to gRPC clients. + return; + } + + // This test covers the per-route configuration processing in initiateCall + // which exercises the lines where getAllPerFilterConfig is called and processed. + + // Set up per-route configuration with gRPC service override + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_cluster"); + + // Add context extensions to test that path too. + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["test_key"] = + "test_value"; + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Mock decoder callbacks to return per-route config. + ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) + .WillByDefault(Return(per_route_filter_config.get())); + + // Mock perFilterConfigs to return the per-route config vector. + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + // Set up basic request headers. + Http::TestRequestHeaderMapImpl headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "https"}, {"host", "example.com"}}; + + prepareCheck(); + + // Create a new filter with server context to enable per-route client creation. + // We'll mock the gRPC client manager to return a controlled mock client. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Mock the cluster manager to successfully create a per-route gRPC client + // but use a mock raw gRPC client that we can control. + ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); + auto mock_grpc_client_manager = std::make_shared(); + ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); + + // Return a mock raw gRPC client for per-route client creation. + auto mock_raw_grpc_client = std::make_shared(); + EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) + .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); + + // Mock the sendRaw call with matcher-based validation for the gRPC authorization check. + EXPECT_CALL(*mock_raw_grpc_client, + sendRaw(_, _, + BufferString(AsCheckRequest(HasContextExtension("test_key", "test_value"))), + _, _, _)) + .WillOnce([&](absl::string_view /*service_full_name*/, absl::string_view /*method_name*/, + Buffer::InstancePtr&& /*request*/, Grpc::RawAsyncRequestCallbacks& callbacks, + Tracing::Span& parent_span, + const Http::AsyncClient::RequestOptions& /*options*/) -> Grpc::AsyncRequest* { + // Create and send successful response. + envoy::service::auth::v3::CheckResponse check_response; + check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); + check_response.mutable_ok_response(); + + std::string serialized_response; + check_response.SerializeToString(&serialized_response); + auto response = std::make_unique(serialized_response); + + callbacks.onSuccessRaw(std::move(response), parent_span); + return nullptr; // No async request handle needed for immediate response. + }); + + // Since we're using the per-route client, the default client should not be called. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); + + // This exercises the per-route configuration processing logic which includes + // the getAllPerFilterConfig call and per-route gRPC service detection. + EXPECT_EQ(Http::FilterHeadersStatus::Continue, new_filter->decodeHeaders(headers, true)); +} + +// Test per-route gRPC client creation and usage. +TEST_P(HttpFilterTestParam, PerRouteGrpcClientCreationAndUsage) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + // Create per-route configuration with valid gRPC service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_ext_authz_cluster"); + + // Add context extensions to test merging. + (*per_route_config.mutable_check_settings()->mutable_context_extensions())["test_key"] = + "test_value"; + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Set up route to return per-route config. + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + // Mock perFilterConfigs to return the per-route config vector which exercises + // getAllPerFilterConfig. + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + // Create a filter with server context for per-route gRPC client creation. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Mock successful gRPC async client manager access. + auto mock_grpc_client_manager = std::make_shared(); + ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); + ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); + + // Mock successful raw gRPC client creation which exercises createPerRouteGrpcClient. + auto mock_raw_grpc_client = std::make_shared(); + EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) + .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); + + // Set up expectations for the sendRaw call that will be made by the GrpcClientImpl. + EXPECT_CALL(*mock_raw_grpc_client, sendRaw(_, _, _, _, _, _)) + .WillOnce([](absl::string_view /*service_full_name*/, absl::string_view /*method_name*/, + Buffer::InstancePtr&& /*request*/, Grpc::RawAsyncRequestCallbacks& callbacks, + Tracing::Span& parent_span, + const Http::AsyncClient::RequestOptions& /*options*/) -> Grpc::AsyncRequest* { + envoy::service::auth::v3::CheckResponse check_response; + check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); + check_response.mutable_ok_response(); + + // Serialize the response to a buffer. + std::string serialized_response; + check_response.SerializeToString(&serialized_response); + auto response = std::make_unique(serialized_response); + + callbacks.onSuccessRaw(std::move(response), parent_span); + return nullptr; // No async request handle needed for immediate response. + }); + + // Since per-route gRPC client creation succeeds, the per-route client should be used + // instead of the default client. We won't see a call to new_client_ptr. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + +// Test per-route HTTP service configuration parsing. +TEST_P(HttpFilterTestParam, PerRouteHttpServiceConfigurationParsing) { + if (!std::get<1>(GetParam())) { + // Skip gRPC client test as per-route HTTP service only applies to HTTP clients. + return; + } + + // Create per-route configuration with valid HTTP service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings()->mutable_http_service()->mutable_server_uri()->set_uri( + "https://per-route-ext-authz.example.com"); + per_route_config.mutable_check_settings() + ->mutable_http_service() + ->mutable_server_uri() + ->set_cluster("per_route_http_cluster"); + per_route_config.mutable_check_settings()->mutable_http_service()->set_path_prefix( + "/api/v2/auth"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + // Verify the per-route HTTP service configuration is correctly parsed + EXPECT_TRUE(per_route_filter_config->httpService().has_value()); + EXPECT_FALSE(per_route_filter_config->grpcService().has_value()); + + const auto& http_service = per_route_filter_config->httpService().value(); + EXPECT_EQ(http_service.server_uri().uri(), "https://per-route-ext-authz.example.com"); + EXPECT_EQ(http_service.server_uri().cluster(), "per_route_http_cluster"); + EXPECT_EQ(http_service.path_prefix(), "/api/v2/auth"); +} + +// Test error handling when server context is not available for per-route gRPC client. +TEST_P(HttpFilterTestParam, PerRouteGrpcClientCreationNoServerContext) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test - per-route gRPC service only applies to gRPC clients. + return; + } + + // Create per-route configuration with gRPC service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings() + ->mutable_grpc_service() + ->mutable_envoy_grpc() + ->set_cluster_name("per_route_grpc_cluster"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + // Create filter without server context. This should cause per-route client creation to fail. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client)); // No server context + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Since per-route client creation fails (no server context), should fall back to default client. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + // Verify this is using the default client. + auto response = std::make_unique(); + response->status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::move(response)); + })); + + Http::TestRequestHeaderMapImpl request_headers_{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + +// Test error handling when server context is not available for per-route HTTP client. +TEST_P(HttpFilterTestParam, PerRouteHttpClientCreationNoServerContext) { + if (!std::get<1>(GetParam())) { + // Skip gRPC client test as per-route HTTP service only applies to HTTP clients. + return; + } + + // Create per-route configuration with HTTP service. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + per_route_config.mutable_check_settings()->mutable_http_service()->mutable_server_uri()->set_uri( + "https://per-route-ext-authz.example.com"); + per_route_config.mutable_check_settings() + ->mutable_http_service() + ->mutable_server_uri() + ->set_cluster("per_route_http_cluster"); + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + // Create filter without server context. + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client)); // No server context + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Since per-route client creation fails, should fall back to default client. + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + auto response = std::make_unique(); + response->status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::move(response)); + })); + + Http::TestRequestHeaderMapImpl request_headers_{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + +// Test gRPC client error handling for per-route config. +TEST_F(HttpFilterTest, GrpcClientPerRouteError) { + // Initialize with gRPC client configuration. + initialize(R"EOF( + grpc_service: + envoy_grpc: + cluster_name: "ext_authz_server" + failure_mode_allow: false + stat_prefix: "ext_authz" + )EOF"); + + prepareCheck(); + + // Create per-route configuration with gRPC service override. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + auto* grpc_service = per_route_config.mutable_check_settings()->mutable_grpc_service(); + grpc_service->mutable_envoy_grpc()->set_cluster_name("nonexistent_cluster"); + + FilterConfigPerRoute per_route_filter_config(per_route_config); + + // Set up route config to use the per-route configuration. + ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) + .WillByDefault(Return(&per_route_filter_config)); + + // Since cluster doesn't exist, per-route client creation should fail + // and we'll use the default client instead. + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + // Verify filter processes the request with the default client. + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); +} + +// Test HTTP client with per-route configuration. +TEST_F(HttpFilterTest, HttpClientPerRouteOverride) { + // Initialize with HTTP client configuration. + initialize(R"EOF( + http_service: + server_uri: + uri: "https://ext-authz.example.com" + cluster: "ext_authz_server" + path_prefix: "/api/v1/auth" + failure_mode_allow: false + stat_prefix: "ext_authz" + )EOF"); + + prepareCheck(); + + // Create per-route configuration with HTTP service override. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + auto* http_service = per_route_config.mutable_check_settings()->mutable_http_service(); + http_service->mutable_server_uri()->set_uri("https://per-route-ext-authz.example.com"); + http_service->mutable_server_uri()->set_cluster("per_route_http_cluster"); + http_service->set_path_prefix("/api/v2/auth"); + + FilterConfigPerRoute per_route_filter_config(per_route_config); + + // Set up route config to use the per-route configuration. + ON_CALL(decoder_filter_callbacks_, mostSpecificPerFilterConfig()) + .WillByDefault(Return(&per_route_filter_config)); + + // Set up a check expectation that will be satisfied by the default client. + EXPECT_CALL(*client_, check(_, _, _, _)) + .WillOnce(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, + const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, + const StreamInfo::StreamInfo&) -> void { + Filters::Common::ExtAuthz::Response response{}; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + callbacks.onComplete(std::make_unique(response)); + })); + + // Verify filter processes the request. + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); +} + +// Test invalid response header validation via response_headers_to_add. +TEST_F(InvalidMutationTest, InvalidResponseHeadersToAddName) { + Filters::Common::ExtAuthz::Response r; + r.status = Filters::Common::ExtAuthz::CheckStatus::OK; + r.response_headers_to_add = {{"invalid header name", "value"}}; + testResponse(r); +} + +// Test invalid response header validation via response_headers_to_add value. +TEST_F(InvalidMutationTest, InvalidResponseHeadersToAddValue) { + Filters::Common::ExtAuthz::Response r; + r.status = Filters::Common::ExtAuthz::CheckStatus::OK; + r.response_headers_to_add = {{"valid-name", getInvalidValue()}}; + testResponse(r); +} + +// Test per-route timeout configuration is correctly used in gRPC client creation. +TEST_P(HttpFilterTestParam, PerRouteGrpcClientTimeoutConfiguration) { + if (std::get<1>(GetParam())) { + // Skip HTTP client test as per-route gRPC service only applies to gRPC clients. + return; + } + + // Create per-route configuration with custom timeout. + envoy::extensions::filters::http::ext_authz::v3::ExtAuthzPerRoute per_route_config; + auto* grpc_service = per_route_config.mutable_check_settings()->mutable_grpc_service(); + grpc_service->mutable_envoy_grpc()->set_cluster_name("per_route_grpc_cluster"); + grpc_service->mutable_timeout()->set_seconds(30); // Custom 30s timeout + + std::unique_ptr per_route_filter_config = + std::make_unique(per_route_config); + + ON_CALL(*decoder_filter_callbacks_.route_, mostSpecificPerFilterConfig(_)) + .WillByDefault(Return(per_route_filter_config.get())); + + Router::RouteSpecificFilterConfigs per_route_configs; + per_route_configs.push_back(per_route_filter_config.get()); + ON_CALL(decoder_filter_callbacks_, perFilterConfigs()).WillByDefault(Return(per_route_configs)); + + prepareCheck(); + + auto new_client = std::make_unique(); + auto* new_client_ptr = new_client.get(); + auto new_filter = std::make_unique(config_, std::move(new_client), factory_context_); + new_filter->setDecoderFilterCallbacks(decoder_filter_callbacks_); + + // Mock gRPC client manager. + auto mock_grpc_client_manager = std::make_shared(); + ON_CALL(factory_context_, clusterManager()).WillByDefault(ReturnRef(cm_)); + ON_CALL(cm_, grpcAsyncClientManager()).WillByDefault(ReturnRef(*mock_grpc_client_manager)); + + auto mock_raw_grpc_client = std::make_shared(); + EXPECT_CALL(*mock_grpc_client_manager, getOrCreateRawAsyncClientWithHashKey(_, _, true)) + .WillOnce(Return(absl::StatusOr(mock_raw_grpc_client))); + + // Mock the sendRaw call with matcher-based validation for timeout verification. + EXPECT_CALL(*mock_raw_grpc_client, sendRaw(_, _, _, _, _, HasTimeout(30000))) + .WillOnce([](absl::string_view /*service_full_name*/, absl::string_view /*method_name*/, + Buffer::InstancePtr&& /*request*/, Grpc::RawAsyncRequestCallbacks& callbacks, + Tracing::Span& parent_span, + const Http::AsyncClient::RequestOptions& /*options*/) -> Grpc::AsyncRequest* { + envoy::service::auth::v3::CheckResponse check_response; + check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); + check_response.mutable_ok_response(); + + std::string serialized_response; + check_response.SerializeToString(&serialized_response); + auto response = std::make_unique(serialized_response); + + callbacks.onSuccessRaw(std::move(response), parent_span); + return nullptr; + }); + + EXPECT_CALL(*new_client_ptr, check(_, _, _, _)).Times(0); + + Http::TestRequestHeaderMapImpl request_headers_{ + {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {"host", "example.com"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + new_filter->decodeHeaders(request_headers_, false)); +} + } // namespace } // namespace ExtAuthz } // namespace HttpFilters From 6f603950d32d8e03916f6aa9654f73cf8191666d Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 03:09:33 +0000 Subject: [PATCH 289/505] reverse conn downstream int: changes and fixing comments Signed-off-by: Basundhara Chakrabarty --- .../downstream_socket_interface/v3/BUILD | 2 + ..._reverse_connection_socket_interface.proto | 27 +-- configs/reverse_connection/README.md | 63 ++++++ configs/reverse_connection/cloud-envoy.yaml | 103 +++++++++ .../reverse_connection/docker-compose.yaml | 55 +++++ configs/reverse_connection/onprem-envoy.yaml | 149 +++++++++++++ .../_static/reverse_connection_concept.png | Bin 0 -> 69081 bytes .../_static/reverse_connection_workflow.png | Bin 0 -> 262707 bytes .../other_features/reverse_connection.rst | 208 ++++++++++++++++++ .../reverse_connection_address.cc | 6 +- .../reverse_connection_resolver.cc | 8 + .../reverse_tunnel_initiator.cc | 58 ++--- .../reverse_tunnel/reverse_tunnel_initiator.h | 1 + .../reverse_connection_resolver_test.cc | 20 ++ .../reverse_tunnel_initiator_test.cc | 77 ++++++- 15 files changed, 718 insertions(+), 59 deletions(-) create mode 100644 configs/reverse_connection/README.md create mode 100644 configs/reverse_connection/cloud-envoy.yaml create mode 100644 configs/reverse_connection/docker-compose.yaml create mode 100644 configs/reverse_connection/onprem-envoy.yaml create mode 100644 docs/root/_static/reverse_connection_concept.png create mode 100644 docs/root/_static/reverse_connection_workflow.png create mode 100644 docs/root/configuration/other_features/reverse_connection.rst diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD index 75972f7fcc6fb..29ebf0741406e 100644 --- a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD @@ -1,3 +1,5 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto index f5825958cbb90..d906de2ad827a 100644 --- a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto @@ -10,35 +10,14 @@ option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3;downstream_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -// [#protodoc-title: Bootstrap settings for Downstream Reverse Connection Socket Interface] +// [#protodoc-title: Bootstrap settings for Downstream Reverse Connection Socket Interface]. // [#extension: envoy.bootstrap.reverse_tunnel.downstream_socket_interface] // Configuration for the downstream reverse connection socket interface. -// This interface initiates reverse connections to upstream Envoys and provides +// This interface initiates reverse connections to upstream Envoys and provides. // them as socket connections for downstream requests. -// [#next-free-field: 6] +// . message DownstreamReverseConnectionSocketInterface { // Stat prefix to be used for downstream reverse connection socket interface stats. string stat_prefix = 1; - - // Source cluster ID for this reverse connection initiator - string src_cluster_id = 2; - - // Source node ID for this reverse connection initiator - string src_node_id = 3; - - // Source tenant ID for this reverse connection initiator - string src_tenant_id = 4; - - // Map of remote clusters to connection counts - repeated RemoteClusterConnectionCount remote_cluster_to_conn_count = 5; } - -// Configuration for remote cluster connection count -message RemoteClusterConnectionCount { - // Name of the remote cluster - string cluster_name = 1; - - // Number of reverse connections to establish to this cluster - uint32 reverse_connection_count = 2; -} \ No newline at end of file diff --git a/configs/reverse_connection/README.md b/configs/reverse_connection/README.md new file mode 100644 index 0000000000000..641ec9d7f2a9f --- /dev/null +++ b/configs/reverse_connection/README.md @@ -0,0 +1,63 @@ +# Running the Sandbox for reverse connections + +## Steps to run sandbox + +1. Build envoy with reverse connections feature: + - ```./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release.server_only'``` +2. Build envoy docker image: + - ```docker build -f ci/Dockerfile-envoy-image -t envoy:latest .``` +3. Launch test containers. + - ```docker-compose -f configs/reverse_connection/docker-compose.yaml up``` + + **Note**: The docker-compose maps the following ports: + - **on-prem-envoy**: Host port 9000 → Container port 9000 (reverse connection API) + - **cloud-envoy**: Host port 9001 → Container port 9000 (reverse connection API) + +4. The reverse example configuration in onprem-envoy.yaml initiates reverse connections to cloud envoy using a custom address resolver. The configuration includes: + + ```yaml + # Bootstrap extension for reverse tunnel functionality + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + + # Reverse connection listener with custom address format + - name: reverse_conn_listener + address: + socket_address: + # Format: rc://src_node_id:src_cluster_id:src_tenant_id@remote_cluster:connection_count + address: "rc://on-prem-node:on-prem:on-prem@cloud:1" + port_value: 0 + resolver_name: "envoy.resolvers.reverse_connection" + ``` + +5. Verify that the reverse connections are established by sending requests to the reverse conn API: + On on-prem envoy, the expected output is a list of envoy clusters to which reverse connections have been + established, in this instance, just "cloud". + + ```bash + [basundhara.c@basundhara-c ~]$ curl localhost:9000/reverse_connections + {"accepted":[],"connected":["cloud"]} + ``` + On cloud-envoy, the expected output is a list on nodes that have initiated reverse connections to it, + in this case, "on-prem-node". + + ```bash + [basundhara.c@basundhara-c ~]$ curl localhost:9001/reverse_connections + {"accepted":["on-prem-node"],"connected":[]} + ``` + +6. Test reverse connection: + - Perform http request for the service behind on-prem envoy, to cloud-envoy. This request will be sent + over a reverse connection. + + ```bash + [basundhara.c@basundhara-c ~]$ curl -H "x-remote-node-id: on-prem-node" -H "x-dst-cluster-uuid: on-prem" http://localhost:8081/on_prem_service + Server address: 172.21.0.3:80 + Server name: 281282e5b496 + Date: 26/Nov/2024:04:04:03 +0000 + URI: /on_prem_service + Request ID: 726030e25e52db44a6c06061c4206a53 + ``` \ No newline at end of file diff --git a/configs/reverse_connection/cloud-envoy.yaml b/configs/reverse_connection/cloud-envoy.yaml new file mode 100644 index 0000000000000..5d46207ae4497 --- /dev/null +++ b/configs/reverse_connection/cloud-envoy.yaml @@ -0,0 +1,103 @@ +--- +node: + id: cloud-node + cluster: cloud +static_resources: + listeners: + # Services reverse conn APIs + - name: rev_conn_api_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: rev_conn_api + # Any dummy route config works + route_config: + virtual_hosts: + - name: rev_conn_api_route + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: reverse_connection_cluster + http_filters: + # Filter that services reverse conn APIs + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 2 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Listener that will route the downstream request to the reverse connection cluster + - name: egress_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 8085 + filter_chains: + - filters: + - name: envoy.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: egress_http + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: "/on_prem_service" + route: + cluster: reverse_connection_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + # Cluster used to write requests to cached sockets + clusters: + - name: reverse_connection_cluster + connect_timeout: 200s + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + # The following headers are expected in downstream requests + # to be sent over reverse connections + http_header_names: + - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node + - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + # Right the moment, reverse connections are supported over HTTP/2 only + http2_protocol_options: {} +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + address: 0.0.0.0 + port_value: 8888 +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 + envoy.reloadable_features.reverse_conn_force_local_reply: true +# Enable reverse connection bootstrap extension +bootstrap_extensions: +- name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" \ No newline at end of file diff --git a/configs/reverse_connection/docker-compose.yaml b/configs/reverse_connection/docker-compose.yaml new file mode 100644 index 0000000000000..cc0d7fdc7318c --- /dev/null +++ b/configs/reverse_connection/docker-compose.yaml @@ -0,0 +1,55 @@ +version: '2' +services: + + xds-server: + build: + context: . + dockerfile: Dockerfile.xds + ports: + - "18000:18000" + networks: + - envoy-network + + on-prem-envoy: + image: debug/envoy:latest + volumes: + - ./onprem-envoy.yaml:/etc/on-prem-envoy.yaml + command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 + ports: + # Admin interface + - "8888:8888" + # Reverse connection API listener + - "9000:9000" + # Ingress HTTP listener + - "6060:6060" + extra_hosts: + - "host.docker.internal:host-gateway" + networks: + - envoy-network + depends_on: + - xds-server + - on-prem-service + + on-prem-service: + image: nginxdemos/hello:plain-text + networks: + - envoy-network + + cloud-envoy: + image: debug/envoy:latest + volumes: + - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml + command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 + ports: + # Admin interface + - "8889:8888" + # Reverse connection API listener + - "9001:9000" + # Egress listener + - "8085:8085" + networks: + - envoy-network + +networks: + envoy-network: + driver: bridge \ No newline at end of file diff --git a/configs/reverse_connection/onprem-envoy.yaml b/configs/reverse_connection/onprem-envoy.yaml new file mode 100644 index 0000000000000..8c970f2c8136e --- /dev/null +++ b/configs/reverse_connection/onprem-envoy.yaml @@ -0,0 +1,149 @@ +--- +node: + id: on-prem-node + cluster: on-prem + +# Enable reverse connection bootstrap extension which registers the custom resolver +bootstrap_extensions: +- name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + +static_resources: + listeners: + # Services reverse conn APIs + - name: rev_conn_api_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: rev_conn_api + codec_type: AUTO + route_config: + name: rev_conn_api_route + virtual_hosts: [] + http_filters: + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 30 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Forwards incoming http requests to backend + - name: ingress_http_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 6060 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + route_config: + name: ingress_http_route + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: on-prem-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Initiates reverse connections to cloud using custom resolver + - name: reverse_conn_listener + listener_filters_timeout: 0s + listener_filters: + # Filter that responds to keepalives on reverse connection sockets + - name: envoy.filters.listener.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + ping_wait_timeout: 10 + # Use custom address with reverse connection metadata encoded in URL format + address: + socket_address: + # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem + # and remote clusters: cloud with 1 connection + address: "rc://on-prem-node:on-prem:on-prem@cloud:1" + port_value: 0 + # Use custom resolver that can parse reverse connection metadata + resolver_name: "envoy.resolvers.reverse_connection" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_conn_listener + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/on_prem_service' + route: + cluster: on-prem-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Cluster designating cloud-envoy + clusters: + - name: cloud + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: cloud + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: cloud-envoy # Container name of cloud-envoy in docker-compose + port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens + + # Backend HTTP service behind onprem which + # we will access via reverse connections + - name: on-prem-service + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: on-prem-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: on-prem-service + port_value: 80 + +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 8888 + +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 \ No newline at end of file diff --git a/docs/root/_static/reverse_connection_concept.png b/docs/root/_static/reverse_connection_concept.png new file mode 100644 index 0000000000000000000000000000000000000000..e967fec213fa23bb31b8633b8e4d1ac2abdd13e0 GIT binary patch literal 69081 zcmeFY2T;@9(=dt^6%`@^Dgp`$N>z~>iVBEy=^ZpQX+cU7IwB&02#820peP`O7FvMN z)X)Ti^iTpyhcpor1PpxP`IqQxS^q9L-7_&@V+$5#V|((9jct?l=*bcr8{`@r z+sXqrHsy3SHonK%4aO?04_5B$n`!Or>?|xUQE5LIjPU{_YFRSBJ75vIpoGXt6IHJa|wUI30(yW{HqZ zNAtE>;5eCibmHCJ{blZP_D5b`!8R69{BoC2!ombNGi*rH#-DUpWnGpxOOIPLJ8xeiVu_w7L=;mN{ z7UYBJr%o*EPbn;X6np5j-@f@}Fx;qI*(Z7wli*3qOJoCtc-C_HU@BNkQs5_8_C-JB z-3&H2@(Hnh9lWs7lo2vOpe7I91VRl=2w*IeUr3U zK*-_-X*uV-m6I$sS{VA;#d@{#Jf3pA_Ub4QRR{hy?kRf}#3w-}AgZvu?$34|r9KyY z&X&)3Fw9Jpl+{O>{^@qE!^XRBH5k|IBiJ(2Z z)C@g{HX7k!!XTryIXKc=0aR$4 zKv?v4Y1aXSL<{hHdBXOwv3+~TC%-C2Zoa5NHI-&~Viy`RW+^${4JiLWMbPL!wjHG0 zC5LtcfD;z3*{9KN5we5G+8Qit(;xj3!QL3tFk~p%zUi9 zVG%J-B2cobSGGcvRxjOujQ#*UUFM_dMZ<6-VXCRhEcQl5=2FIk#9ocoXDsKHFh8#j zG&d8NZ!dqm=mor~*T>w@HqW#HOqqF~JeZ#a2nqBpw)|D8+~M&BTCBk@*w!%~jk3N} zZ(k_L=fSZiS!=Ph`8E#>=6MaNntym%teAM(GE!w)j! zG=yMTC9PdOVB&nT|7-6_~o_*+j^A+fz!l|ne(*^b&T`j9?~f_^1k`a@rVS^W|?aH zns329n8AtZuhx`T0~=FAqshF%hZii}Iwq#B`-b>3Zue7Xy8Csrn&W>`*+K;J7JSUN ze41K@*Ms~!rnc@xX*^WbdSxFf!Dm6V|2l0S84Mh18Jt`>CBxNW>)^<_`GCx1$&u|r zTps__YcMWBdLbTHuXu88YAY&-3$2Rqe=dNjAP44PdQrr4F-ezudauAMvk#D1Da~SlE$?$1w7co0iVKP z(lJj#J~7j@@)?}(nWylKZ9!k! z%oN|b>^9)c88|t&Y9m@vL+JfxGL%@Akdo7YGf zUFp>qrV3cJsV?`lj0>T2c)@N+NDnsNfPJ*Vlj1i# zJ~>Iv>^7FRl#$lo94u}!gVq|hNh@)rJoBu<_)YUoClaEw{lP*$NaQ>)@YvP|>=J{A z2q#)=`ww0?ifevNGA&kM>Qt!iADC3b8BsAwQ@`)b7su+ZF&-J$REk3u{iZgj^nFOr zg=>{X6Br3+?6S4Wo3r0E*BB!OUM@@3YS~sE^JfR{M8;dP!9#4@=gkneRZsK|AHXD@a zXwiGBr_k)YmZUj81T4fnyLWo+Qr}z^A=>a^|4vXbPF7CDBxU6O89o5f@L{>FWH zB7^-xvbh_GyRGR7V@8cfHc3abPo-9RdqU<;XvNLjjQ5Kpp`AB7%2XrGE+xCF&fbwU z?6EfM{!;KwOyZB#pu?|fkifhk+;h$Tuq#XeVwghv@>#Sb44YTAlNI(z@D?0QDWTfE z8l*?{7nwPxh=I07(e`B}&OEeSAAw-uLPToUqApDWolt3GCn$BB#-W<^?sBqE?k~04 zOs`Irvl&7rS?7SZZae$+8|i}F9=f4*pwqaUau8PN(AoLk?vM0mA~QVrQjfUA_M0MoirT$ht;sc({oOcPl=r=P5cP z>`?Yx;50|_HA-gn7l&pTTV>BUyYSIYqqw0rneMqmJxKOqEsxmYN)69&P<}!zkxYQe ziqte;Y|_^ClyP2|=94Y8qU!h*ZEoud+%pZyC2g@~)GPRM8KhtxLw$BoHRS=-Xqbg_ zjwS|Y;T9D6r85UkwC$*}E(s!Ofs z;=rWAOT;P|sQ?0YJag~=CP^i4EO(9-1NnkEk9(Q0q6 zqH0l8bC2wCpZG%lG1T&XfzmktISXb&Sx61Rcb!uM*gbO-ZrSlb9mHAk?$6Y491{7t z)BlV^iGWazTr+wi_|~+=YQ)>0Y{OL}7@zEW67nlI>mXBb%GBq_RR2KU(GA`b_D?RB zs~Y?+LP5$|D2SrXmZBd6CJW@=@Y!i@%92clEH_J-d(3A(pU!uaj{?~4$kRuZkwWkP zp-64PZ?4y$F9kRB4x`FIaxxG|y89HrRT|czsOU2Pt3VrU0|47nr?RSII29ilTvn5H zfXubhEK%O#FM&VIaH*FuI;cZSawm@0lKUp9)%u4TTT9=LtOHCWc7}2wW!cwKT&-Io zmd(Oq@zqJ0BZl!HIggr*6l{7$7_dcd(-^jsWxL_ZFh7Qs<_ z_!qHs)97$ZeXaSk@Dy|FLFeYRt;~&O zi%S`6;VWa2Q>m8^@XredrA+Sg5D4~`@Q{sq7uG?6;uzs?3l8r*m@ena!;PA2dYweR zg(HDm^Px-7ZbvROD{iVdBU_gIp?Ab`Zed04@!;2sXhB4iqK}w@Z~#OsrKW0W1cW`& z21Iyn+lu9oet>a61?#Q6>>RwI892%l3Q`V1#9Z(K38@<>d=O3J^&8?V+^T?RY z&?@4!%o?r>NR^yvaQk|bcK7m>JJQF9)@<0aSjfl^+6=k{+hNE19j>jmm7_fq4iUow zu-wwJ^nu8p;eLlBCXhZTA8;y!Qx*_Wmv0n}P5!r{a|uJG&l(RHk+A(JLIkuvMVWl? zm8Xd*W9HUVte_pX^?q1BT=3Da@3DlANT*LNiZSHh%)nY&=n1c(eylA{xlU>o+u|SQ zKL^G!d@7T}`j9{YzIE=0gE1PZ#6*It>JSRgDc^*tWO3eV_t3a&)z4#N+^%WdyNib& zUf55+zu*!4w!t<=RT#9zTlm~d996Yw%JO9Wc-b=YzMxXLce(wF?USav0{K-1!Q%Cu zCT@L*P0RH!jx;XrX_=hD)G(kST!mjQozlZtDqSN>uQm&wZcq#2mkwBuh%gw8RKl*E z;YP;_wgds|qR4qv?pV&x#;D6!YU<0Mmm zx(%n@dO{+>K>f=+^BL0$rW4m&*O*EU^hGmf$jk|xaL6Dsp;zrGtKoYd_46A zJ@rfK;}E9unH8NsiG{(R5$8^zSlhcNgK^-Wj^r_6rQxyjr&AX7T7=LsPctI~@5+EU z%bX(Wb9C|Bn1P_dsXCzJ2lX}H96HDITJRMRA5!P(=MV5OxOmvX_ierLKUKR+pNr{{ zx5p3rU|+-$mMJiaz8;qy67fza7W<3OOa6YTxf^9AM1q5LPAXafI^>fX^I18^I&=WQ z+V-I)12NstD%L?xzHa{R(uL{g(epfiF85ZFPusnU5r!&NK@?U`7>Yy}_@yH93G4h7W8{JhQERXa69~2?j6ocOa0MFTU zu+C=)6e2QuA6NG3C}6_!I#3A&W6>K=@W>9RkAT3Ia^gLpPg)XHiu}~RO-#QNX0&aA zhaGdOs>Ut2gKX?M=c~;5r^f7OMW7HL7nX;4vUqK_GZQuX_FQff0C@VdY@!aKSv!t& z9k7*o3Ev^V8e0-93*z)lhn&lZzr5LZXe zD^DA}D!vSSCmRG~-qKhN&$ZJH)Fl##xgWnRpMOu>4fo7BZ1UEm?Pc z5Fxqtr{q_#nFV(WOSlyL%fAw81uhcDBY*k|#e3r`R!|U5h_+>inohO+Xj+P%w$J|X zG_9sw1K{&U$nAO+!fixB1iFwBOREgK2EwSOS$nrsIbQ(@&HetIgsC*1gfCG-V2ZNL zw#}Bp@9?k?FOjhcI|a!^1OavA1%U~Vi;3gmcb4B;18jFnqR z3MI|8P$>?ai&H%pPB91wYgp^|=XKd?@pg80#RpZ-tRDV(duHyW{db@gh*M5Y-~|EQ z820$aS$g)b=apYd>)AmzMk%GX@7x!_ezEninJnlPkmD;Xq*ptI*x)!pfve`_m-(P`I5kI7*drCPxd~p09n*78u9Lb->w8*A20&TD>NdnIJ z7g^_RZK`^SO2t~wXS&6iQu`+#ITX5|gErUd`n}El$%|j9Ci(DtV(x2u)<3`k+LT2^@%5|BEx>g#Jgf< za7eNc-2iwR4TM=%zDw5#C?2R#N6&}jNQF)ELGW?4BIfQL-Ex2ZM}3`^0dO)bHQ@Psj7Y6{eYgk+(ez>c zuI^uH=P6uD0C=<_c3dFnqv!m}0@1|YtRp`xzWjhM+1u3a($rM_Nn@^q&ERTH)GT5f z5&9Kl;J@8wPsY73-`0?5tq1hg+rL4X=y^(4!u&EOSVxy}(2T$VdF`7U4#|vnEG$Zd zHp-B#Pa7JP2g;ezv#c>U%w`XgQZ<1K{qB#)BU#a>urbM0@$JaQ;RZ+CM{cwX2AW!0 zD}U<*eln3&v?15xpsZ-+fiGa^3xTZ9tgFhYayR+*ye?!++K<|3hDYbu8b+9pzzPzZ zBAsTyI4BLYl&)N1oK$m~_yBi)M|(|ApOSUJtqCYgdK6!Yno?thZMSKigD@rt0{p0! z{Rv@yB|U1BI{MPuvEux__`h6HVKSiBVsyukjIwj+9AZ1>b&hDW z;H#|e@1_rAt;5U`kvMW-EV}JJ!2xcExW}~4fbWv>dn6fS&UM{O20-HjPMhF zWw;6+HKP2Uh$l3$n`n7G^5J^s`nxJpbL4}wS1t9m5h4MLk9o@nqN;yq?AYp zdw;soeCl8SuT}70G|3sb6mAKAj*2lj?0Y3908pn|iu+DRmnzhVb(& zStB0S`41;Tp-uw5(tbjbqn?1kQA@%7AV^*^RZJQWWY>F4;t=@KXt9P+lwJLbfy|I( zdP98#xM3o-iVZ^o)z|8)j2D7D>klMQmErGnwyABagC_x8OFHvqG9^A`Es0@Sy#g)Z(#j&2Bd0Z{_WZ7YTS0h76(PmFK-- zjlx9x;*wW`o!wAl;6$im_sXP@-77&Fo88?H1>M8y0e?>CF3T8Nc-SWtI(d|akK;v_ z=x?MnLXj>-HENZs%UWQ^iw-G}^{TEW8!{tRE7;4jqRHA<1cb@*jD~E)-<$~at=)c8 zJj&kwRk;=+ZE#W@Q+0};r_;BqxK*8UAD4RI`C`$y{f*@=N)O6ZlrwX?m5>JA5jrfw zXvO<=+Nwc-3$G_sHrthhq183KD@!YaK|jx^JCsn&NP$dwUH=OGctRy#b0vN}NT`%E zvlM7+Tasw2^mbFY>Wi8vRokmxM<>jKvw$I;5%I1O*cwMj3Oc{_!S!WaVm0J5n$97# za+kOk4Haf3=I*ws@I$GUI(LI#jAQwbxf@@@lh!&-lgelqkKMAgpvlq|)Tz?q>iF@N z&J{dDF1GkgcYvQ>$zxBBS2;j{?Z_+J?iD-9b-vNsNNQttf0tS2>yD2Re=yUYGycjL3br*#!F?w%5&F@~R=k+;`$%@w|Mn?af!g3nDi z=;%8>nWmn*T4B+dkRF8qW^lg0?bd%=OcZfw>5A`lS>FW-!Tn*EK(_AUqonXzYp=6f zo^HGgq8d{{wM+(=ja!X%evW8&DQs>%QCtMrua>v_)9cwxjf@z|C zRRTNpUBCVnn~BxY4lBu;F8xabl(yT#IYPEYrP#Ys|(4rT~%JIXiRSo)5l}_e? z6EfPjjXvyL`#NJSS=YI;(x8UNy84>Kd>^Lf_Z}wD94r+iaOS@u)=h`9i^YM_)DY{i z9qQ6I)y2nG|F$y0h%>~&==Mhm-hz-u?lGJx)fgUSc32SZ#BxUFc zmnzP7VBb~lHdcJ7@z~=(6{4B&_d|`}&F6IFB1HRmtZU|jDx2smfL3jvXgKpaY=8FU z=E%|~CzM0j@7gAx>9Kbq7Zg5;FBM|pxP=QhEu3@mxssR$NXzn!ky5^#cGfoFN_vO? z;%+*uau%@FE3ewE$%j{ojZfp6qJ9GN%m|u?Gp`ExQ!Q9Q{DWjT!6#p!;zPmAiNM#Y z$`@fM*1C$@nqQdK;!_mLqq&{=c6fECSb=cuAYq}vb_YodO>|Um; zx3PZ4v;NvLuuN23{%v`~wt`iNi$iA=U~98zZZnq~@@@Cy3Jq@@9!?O+4!Ds}DH-x0 zBL4%@njQ(T9(T=^qpplVPF{xvZEa(~qVF4ju6PE-jtneOUM} z+hc3Y%X80`G;2=%R-_+)n;$(dJ7x{O@ojY={EzTwS8h(E{5-@KFr{x>JD9nzwd8Ev zDEhaXEVk!Zxi7IfYc$GOEm^{3{GB~=_{+RDy(84w=`l(g@i9&OejMUZYLPo&NdtKdhl`4NHCH)JEg1pnyNJ}z4m>n!_Pw6*ipr;;}g z`VXWg8%aHlkKDc`5;AIdgNc6-BD;w_>%5D{8@}7LPlty}&3!ZNy-!11;hW4aGje>WyUNW*>9f4MpxHSoQtiNa=H2&m13HU%kMSz-nunz6dcLlUcNO`T z{)=BkeTM?S6kH>$1^jlLwa8b16BYaW`N3E}ZKG+BkZjL6{W zpN#5jT=>kdhnEFB#_N~K18g+|#%|e}ZKScY8aY*pyL7aolx<>b*12ko7R=@kTSz?) zHM?4?Tar41*8QRd8z0YnXj>Cfd*GK=Z$TyRSxDwvj4n4=M6TvYhlha%^H<=5(L@C2 zm$5Oq@jP^h>qwtNU68HnEo5;B_Y~aTri#aWS}Vdg?U`@IuGW7W7Vwvt$QM~Lk;R^< z`K<}5aFhcuy)0vLhc4yASQ7t|i4A817FXsKi6)Tm%RKcTvzKs-HRqp}6__0khSPZg zwte3}q%934@_BfO6(Zt0SwR$P^A<7dhZgyhL#9>#&-R&Jw%BA06tMWaL;0>2$SN;a z@HX#nN6qnVHLTJ;ivdEG_&Y_uvrnbL42;*S@&O+uXesDs(Owa)C z{mQ$nz(94-)nmV04bcYTdTnWkPjo5RhRz+Ek{(WO;%z~)!BMGTy}j%L&&DY z5?np#;&hqG>E%o@5Ny1IRbTxlKGHGeeNcVeNJ@XspQ}+bI+wrRTO51q4(x6HY_n4% zFLG}>mOwm@n$`z;=Fq2F_|V=(aYjlE*4ftA=NNwCL9JKU8 zB~oS8G6J$s=mV`F((RpP9i zbV@E3X`)tj0Jbj>JRyZBP5SRPvrC+;lvlaQ1NFA*)V@vBUv*5C7@{QAvyE%Fs?Fdp`oz^%**NRMVc-!v(*atz4kvb4dK1e3zx zx-KN2SmnfS57V$FaE*~~(B?)2tLp0KobaQWegzSvlkB5x+(-glmWHWg}lB@rf~ zWAcw~6$Jy8=T~Yq-j05XBaCFB$H+;53E+&v?&&^=(hS%CGP^4L6cw1ni&5*3B~(t+ zy04>jS7ipD+dgwxygo;*t~4BrCHTE+l&);3_N!U?t)f$!ZQO|??Ua>4+C9teLa7Kk#pT%Z?0k!zVk^exhYQw(mUGkdNIFTqW^g$rJ~F2 zIo);D(+F2f;~Ltoc?`TlBZL1LbHrUh73)I|2_lVd2Y9Y19tq}twkX+K=|7oUsa{^O zq|Z+;5U&(BAeAij$S4YsBsorg&hv*dt-glH_Tm|D#(IO5JkK(wsg249qha4a7Ad>p zSJ(?lBU(+&A;+35gg zJ<7&UA0DNRNMB}&^hr|lMaKh#TAv+*&fS3yiNJN@_$Z$3@u;QqZj;?>8e2X@C&4_` z{f@G!PKRl???Ry-aWf*+@-;59P>rqUWp9Eh^j)H;T$W{yp_Qz-zx70JY*wUWdDA)8 z<5mM&bNphu!q~TWZ0nt?AtfxXEFa z;h)TZ1oo3Z%8K|rl$E#0BpPe^y`1>X87!@(AVq(<1TBXhtfuWK^ZNMA=)kQzR~ToQB$idjTMPYcE>!WlJkxQM@3>6x zU<=M+Q@yn5oSvtMJo{(WTzQ@`$I>R=R_)!Q-&*KL7Vt}>EXPrp*@Nj-Lo?@{+);=4 z=q|Vc`nlNTqt%Yb!Mj~ zNHT(w5_lq4Zt?Oa`@Rtk7Sl><-&st5fvH4aw~!6^w&Oxcu^Ne(f8PDbv0vjzh4?P2 z)uX!<6owSpKz{JCyBTXAqzK{3$> z_J0oVdvH?M_`&t9#Q46doiHt&U?Mkng>-ln+coz5D;4R?j`qc|on~QBVn^&zE54T7 zZ0S)Zr>%Onoo3g_5smPSV3>?uNO#U&H|LAKuAd?fWcMszvw;&}E;_HAk?RAb5TJ_d9)ER~ zk3S0MtEA;wzJ87cCkFsh8rNA}WqH9KrT^~Ng06rRlvWI8``o#G5%924ZV_lxEG_iR z9-qtV{7c)$Ihu8r&0uW1J^l?@|9=5lYiM}eBJPEKvweHBmoONBrUg6T5^A>(D(peY zsYyopOAB^|SG{P8uhYUcqhbk=#inrF$pb#QL2rq)-}O64_S+8<>J+a$-PWJ^rtBG^ zy>Dcq*UgP4vFD-?L=a-`JCnyVuBfnoJP;*&$jx!;7-juw_~bES9fZ+Q3c3Q0#=B`x ziC+LsL$KPuL8p<uz)H&x zikgKD84YT&8HJUA_MS-G9vKI*h5*jmie=P+bNlfV+SSP7?(u}#x1kpo&kT8s{=}6w zz=tYrGnRgraAWY^le!*2*)}l&%>EFGN)5ZAAQ^Cc@z5pEw45-=t-vXmp3j%Rk&x_a zZNctnZovr=WI$Vu(n|<%@2?PU~ zX>kRii5IUk>(1HazKqmyS+W@kM_~MrVXqK>NL}%^8LVoeC|Cezo=CXDuDN4kb|GkpRjDInwIO?pX>>!EH+SQu3CL)PB zmirT@4*@{Ndnb~97kWJe!21>qw$^?Kw`}UIMS{p-DYy4r&nklGKIJLR8;Y?29x#HLoAdTWU<9^r}4IBF7E5@qI#8t~P#@UMNV6Z&gX zp9^t|cPv-c-my&_EJt~v4f?nCn{9r>H5fPje}i%Gwt z@vdHxBS~Q|QZ}a}hc$&)ERZnHWu3jsqXH5NkS;6vcB#^HqTTY&4bX{=K~%FfXgGFITF9^354$A3@09) zR;HAEt~LDW_0%-kGa$!(pl{=AyVP*tpOPD|x%)Hgcs{@=@X~i?^EfHw3MJThHBUa* zJlU~CzFnB2>dB%*0Zyn1SNASdy*%>nH{Ov2+#rXTv|vW2yfIi`T?jm(FLF3YOk11o zJH2sjj{>>gC5s9RAio7X%Gzw-B>E?N>ZTNuw^Ka97o5`XdqELkD^#Bm_C8?? zAG0T_Tzh8YrJ%SR{@$?o%kP2epHkz_0>#dhaNU+uiQNlg3eK$QNcVCJZv)ubI9pK= z&{r?!ws39rpEveM`KcMweUXwBb3lmNJVW30`LO)BdUVIoIaIGExo6w!n{}(kUd8%U zMF4wxt9lbG&bA9%YIz^}sbi20%pG8r=rPKGkl@K10PN46WO!-gZJazUOMcQ#)gs6t zy2&UuV`RmY{uL%DL{x|+v^M`cM(=?WT(XRn4IuRD{NvSbXWx&K1+F5ytz2Q0Vyn=A8$4f3j`iUg7DVt?YufmU!GN2g0Bfs=)T&!J{ z)5JgrLjE0guLa@~%qVo$jGFV);yKyAl(L_xMz=V%$fOsE`CknAtow+ugqqFQ<#($x z%Ho%AfL%1n{W+)5z|XmD3s{P_7wOHh1WGTDKSu#mHx7&|+n*M!Ui6My!s5f>-+ZvV z0sR(E1F$725_px}?iHsKyYlF9ZE}wQBrZ)l_>!Ja*dp@~!e?VBmrkLD;tTx#dk(So7?+?&clH;{%^9jj z-_tX2flXKjO5ZV@D1@nlU<)#{srL+6h7H``cWN4La09$-$HRrz&JsWquMa=_5{jY5 zzXnf#JJJ8ECB#f=dZKFwiFl`_-V`AUI)Lr?SEj<+#Sr4KGB>C%R#>g`Ioe|*OM%m= zu;JKG2OQYcwA6JugctjxL(1)e3;@%v>DAsAerI=Xa!P7d<+jK6qr)DkSK*_N@+d8j z_^+Qvw{?2@`qYExp{y|-XyU)pq=kOCea76}i)&Ka_*Y6RL+?vL zhpYt@s|EmDWZUF{q9gILN=e-4C|oQ7|HQH3ZVFtgH<4gWy~&g4i8{6Qk`MvJ#Pp68 zrIwkSmGv%8(i+_x?iVl5cGEvELZw&0dY6Re5{KM8>BhqH6(ax6Fj-o6DZ`Nn*p zbi#~CrLL_!!*I}v2IS)z3CcW_VfSfFvbHC#*ee0PU~cWU*0T0+&wctLkzjA(_BBmj z1nImv($~uy%dC{Acg3(g0JUA}dXVB7%u~b3FFmh*IvLCL!av)zm!`9#N?BoO_B`I# zB!`}>388E4Xc76ZW-kw8DRu+fPRAmvo-n2iUr+eIge=Fh9BK_~__sX%zo{T{+}@@w zg(*h*{s@(dE=Aynr~d%9?klb?vw}Q5qscgA-DRgO$U{wXNDcs9?mnt~{%10seU;g< z!Y=_4b9?AbtT#5e@TvPNY)b7rQR$?Hxu^7D&2m=n7v|O~_+S3vG`f4XUN%yvT~twE ze8rny60kHB#;NHQF&XEBlS*DRX|hNHmrhFNT>vHi%7zmIY++vpZkATHF4LNrsZk|{ zs844vNhzDV+Y}6U1uIBb{t9dmG-UO;-(sIAc9scs-f$CLB!!Y{V^%fHoC|M-%ilop zr1Kmrms#)<*%Kenf}FU`j?*sP_HA6qs^X6pcKg|y0DLO|JIM&}<;UDmU`1;)7FT9c zJv1kAr35DV04sb~HN8NrqQUfk0dfmyXij8F!|Ea5xaeRA}0qi`NO07DP;|Z%d5%-YaZZER^4m~kJ8Bz zM7Z@N!cTL-n?l;Q<*^w?K z(oe6P#MgwPJygOE@1dACEi^p%A#Ta?|taxdXJ2VZVp4-99`7HD7KaWo+ z^X)N&Ze062{=EJDkN(V)q+$t)fD{7M?T0mYy`_LJ>F6F+w-%L`Pa)LMl|95Ot7#_CBFZ$;vCW9#K$q<7s#1|?|gcG-wi-yZAe#_|Ifuxl$2J4Wj*t5zzOv!{hMm1 zw5IMub6$RtN0-++XTXsRYI%0w2ux^*617FQZn>;>vEkxQ3zYwsS!Lw2!FPe#U1Hn` zjAvp>x>m0&5yuPhdxRy7M(f;*T{8@={P{S$Mnf@0o9QaPi=tfFXyxt==X%vR_L@$k zBH}(9Gsp4m;@f1uovOod963HH``lJNtUO zX2}>Q_x_LFt~ZZG2L_@K`&_{YKu)7h|BW8(>gq%NcUvOE>r&(F;DRF?H{;XNDe z-?@MXT*YesOljg$Bf8=iuKBu+%t0hTmOpR3bc_h`7Y%5CVVhU3y5~GoLwG|zOjSPq zWHcpzk~dbT8S-fSL@qIdht<+tOMbCZj9U335Ev9WGQ(1g*z&GiKUt>Bq5Ps~a5JgF z{WsF(b~aF|4OLq?p-C2vTGR@FBgT6!4lCFg&O8VTSC#)Cns678ZQ}EVCst=jyuEV3 zX2iDOhFQLKYOGOK>WuLOvpSZ5UNWGZ%lzcT-R+0YzJ)oGpxLO)X{3z{f9d7_GG{9S zp#3@D+wbM_0!O5MzP(b-SMkRrxPaBs1{41yCC9w`=iY{I-rWp__E@UURX>}!-0=!$VW`KcfcLih3N4~*KU|3j7h+Y8+1pn7pD2@lX{A{o zwQW8X^Sse;og1gj5X`H9gJnwDm^ zybOu4H!3wD*am`Bn~ZlV>r1?qGigVx(ir9ShQqfDJE{$6s1w##Kv^${=TFhQaQ5pN zPZl0?JyfnpJbXQA^IqvmAs%#_|IQ|&Z@@Fo$7eOYjlFBXM*ChC&AcS_3v>r&$AYF; z8pTZk5;gw*4=>N%R~;!8Vf2I7`SX|2Iz}~Fc_yCVtZB;$v>6T@`~(&(XS!~G3KOp6 zos1^_whjO8t+#5WZu3T%(X~#9_$KHQb6N2G-eeO^IOCR|QuL)Kcxt5BafFU2LOund z@_!rCALNVFnsS!C2lKg)ol>;}pcmnIZPfbXpyQgz&=S8Y;EL^|{Z;iFd7{0cs~dAH zsmnk5F&C|N4Lq@mj1wDMkPtG95t4pj9bE?Q!l3 zvGI#0+RK%>VUs8G^6hHKsw*}=tZ|Msu2bmT?*_sQdSK_o$WHUPs}U|?C@l4ks@!8S zPzZRA3mu94{;!TiP!{0~!lSL=+(dF%C;)4cGVYRh7vFpq9VV3!OGs`q#_=i`X7)^) z89DB^T=Rwr*9t;V@+Zy=?Q_Zp!#0a|`8=?PPoLBLT1HzPW3j|v?-JPdSxhtU z(U@=?xS-r+z#?pZ`GBZz$Kt6*;tTb&dkALT4L<^?js9L5Myg+*Vp;Qe%Nj}5!*2|g zp)RqqYH6=8al9Cyi*9-7@x~Hd2Kb#RC3*DL(UEvUo{cgud*U(D=97AYf+gNPljn2I zY#(k9*{9Ixdz1YM{AuzwoWn9u5$Gk4CJoYUTLCQIP~w|%Y2~9jXeepR!MD}CN!E(`6Oc~)vhd`3&Dwd5V9Y%ciJU@daY?c;4j|DbKTk znJaDbx^!Wvq-=`LiYPS0=I0et)s*hgk;636di97N)~y{iqnnTiEvk}4>B|10n_oH^ z&q`c8R%JGK(lSnd#-#KWdWC=6zASAZ^$YkP+T8v{5I7 zHbQQRGWKzk(sNdp!r`8()5NS5y^T)*HIh+h%)%6Ks+D#}bvX#k>8I$jWq zy4<62Bw>_Sr0Yix8Yi9 z*s9t4y^5jS82699tKF27(qB^nsJPOtZQ0$Ecr$3za|hqK~;{~ zN=D9lsIbaJ{Iu}jt4t$x1+~VV`B9;%(k3;bqkp%6yQOKTes*0w+$tnr?eO2w{D3cf zi|Llj8S$r{kx3D>44d_Zwrl>&iXH+5qoq_fm-*UFS<7NX!)bsNnJc)}AX~9q%gIPAQhPv!=Ss zX+Gj;OPu+1U^eo4|3A;yn2@0T5OMjjUA#8#u)}oj=c8N9aZ+u>-xB^jw{3eOhur5l z)e^BIqWVIeHPiFI7e=I^-m3c44i$ylerquEB86%8cgQ)z{Y4mbWXtwOk!h^AfktPz z@ZX&t2e>^oESt&P<_vk|NWK~#iea3i9sWCV*u|V8ehizmz)XI}u;z1So4);x%z)pW zy&Sb?)FD9r9Z!n+6#L)N!q+l&_9QFFiP+v4t+5Q^t6SkutdbQS|L0`Nv5D0yUg(1f zs8u+j75wKR<^WCIlW7@ouRM3#CIkt4@;4SiZpTiS{`%vzLu+BkGWt}KRQdmoN6x~W z@xj?KqnsDaoU%5zztajJXw-CPW@Af;1-s?wSx!gH{*63BcA+U7Tk8Ldwf78bI@|g{ zopBT!U_?MfKtYOBkzS)Ch$uxwdWnYKLJu8AQ3-t%ks45u-V8_$O$Z>;q=W=QKzd0+ zCzKF!|LC0izULf$@0a_9hvy;e?7jBtd#&Hfh@p_qGf(|r9I1v%i(*WqeN%w6?b|Fu zA5Q!q>!R1DD7h%6Yx1nNy-mO3(5grT4>EqiDDlYZ{pe#)E?Nf3JXTm)YN`L?ONPDG?b~wQliw867tg&&?B7ez2Lvi@TylUg( zmR^1j6H4Lql?iE)()A9A7*v0FZH}CM{60UmZ5WFW+Y#PbKg>l7_~lB*ad;F@ej1M7 zs}uhDlVS6e*@K5#QtYT)*Bx(a|Jmc9AW{+h8<<6Bt)Ns6_wGd+&XMcnsp{PLHe91wvHG_Mxl##gKW@vhwCK`FJ z=vyQ^L57$8p0}x27k6->U3mX5*6rVl=<<=4EH5Fmk5X7A*ushfmsMnxqZmE{@EoyD z6{s3|@F}@jyzUh8S>_-uK*jf>z2$tBZr;aTy{fVLp1KFi_6-uaFum#SCuuGlSO@@q2n{N5^w=p;a15}bkqDmgMzfM(A1+acSNln3U6yC z1~PvB$PG5clR_cgNbwYh-0MQMmTkkc#GGdya2CCVd-4glZn?hrAZ6xJ;+251E1k>z zb{b(n?B)oY^fBzmH}V#1jY>&s=U05~rr}dn zH(a!5`gGMy=WjIoCeDe?MQX=nFk}A~rr~mcZ!OF}U%_%vf3Ds8EIZWCatkJIvUHgf zzw~7KWt1q4k@S8@RQ0ojluZyg8<*cY7l-3A()8d!uLaLvnOPEh(#$(u7qF$wAVo2i zRW_R0CnQMCCU91$L7&)wG#w0-q^L8)YR=A#W=MQwFW=GJ9RdKyK&qGirEPMjAgpS9 zYb%9vD;P2B8aS)yw$Ej3Yh8numEPxz+LmsS`E>_EDK*Cu6U~Ch_5{i}_zTPpgC?$B z%^1YEsksw$YOj(Wqu=k*$54@T|6=8F92Tn0M9Q3Gx%G&W`-LpD**9YG!ZJDEhLrZ&tihvEwW`AJJske1 z;kO$8$viQN1qii&9zu-wi=Zf4voPWuyfPyUu_(14*{ZNzKb@?h+w(WIx zP^s|%&Y0+-f2}~v6TMY&{YcFh>)S;FX7)xoU;Me|;}Z+YY98bdyMe;)KQar}b2D|W z@{t#Ni=*vM_7kp)LAOjkqV?V7&f?f2MBiqdak*YWik3ALbI@`%GE>_SL{gf9e4J^U zwXfj2n{A{0)=A}|FGkQ6_q>b9L7+gfJ2c{TthEC*CfXw6>s?ga^sbx7yYZv^RHjfo?V9BN42UR6%ccsxm*?d=`*ij} z{jqfO03t6vS#c^X$*oDnm;Yn%#4WN{UW8l4BY13;S>G3{cj%`*VpT8b*~CV(Nz$J^ zQFsRj3#NwmA|C>!6{1g(mrKeBO%@8w=`~iPz6dOMBdUEd!69hzE;_wu!k`jjYTJku zLeG=Qi$wYh6sw*bRUh6K+DKh&JoigQh!v)%=R*$eV>C*>aOLh z(H7T|0$*cgw$LXnM)(n*k;Ex+8_4|YB?8p}jgeV;-HSJ}Rmx{PU!K}{1#?U0X;%|- zu3<;%Qi^MNPWyAhG+nLw!bo=)i%XpDmHK5GCb~*AnF$sK*4zt{@g2i$&eTMHc`?F_ zOuG;mSFvON&OocfWjjR2x>A{)vB0Wg!>9$e&hg8wZwgS249w{EBA==Pp!`G>3k=^nN`f$0!Z|2^PmR)sH@To&G#bYsF zi}0F8j(+woi+kR59?L+hO7|hi7H`r%7Bj=0V2;|&^n+V?-fGWy@=LB416d$WDq&Cy z66Ou=%nb7MN4>n@JD3u*yD@UQfL965S#r1v4AshzxCgZ8@frh_7jLs%mL2cgvmh^J zgvd=-@mH!~HQmt<7Lz<`!8>#c6 z%l0En1EjQ#r6g9|**zK!63VUDJA|-QP(D_rtV)|%nPWc04MDVTK4)N)hKt&! zeV@2d`iIwffDH9iL^e{v=y$S~D{ADiVNLO$jw>D*b&N3bUNIAv!dy;$>8>eJbv_Dh zm@hea&1%OoBe2}p`CSO)<-(Sl6RCP!1WFPbFVGB?f@%fo`kZiAmsMOOJjY|Z!Swaq zuy>vy!Xi5*e1LhU7t9D~GW}(6W)Y1ymVyeY%O&PJ%>p&6<<6*RTaBBm6XveOd!uy} z4RR019}xy1ny6~QD=V6O5t6D{!9fFfmgvW{dt=AOPfCTLydfBwx}uuECmr%mHy)p; z;!Y%{xJL^Bu#Ud)E$tAJ`jbViy~z#p1}nXGTQFlU0(>gI@b60VD8@`oj&A8B+b>fC zZj#XG(?W}9h|ec097gn*AV8t6q7YO#UW5EKGn?sFSYmb_p7B z*ih~yxI=XDO?gs~^zgc1k;OZbt#4=voW7b~ZG zGtqUIf-Eun?Z~ds3$%y|g$>_dZmO6Ul?5X>sKq66qe6bGSq}}&dbn?+Z4>UIo$8b;t&)cb9zphRg&9WVQf!3^LT=VQC+T z;CFAES94j5OiiGCu-00yu>nI1vE7=z4(%A+<|uV<*E>^KlOZb#W!QmZD0O=~TmSbK zxl!e^%SIQJvDs_IJwUzY)DrEmT02IyMT9H~VERd0& zIxwJgY_jD5IK@9ep4{h&5)+1|^%c}+g~?6cCx*^zkh9d>dy}R^wXmNNMC4tHnV?*8 zWb4p=7YcQX=IMSN6dw<`&GUoHc|?C<0@)+W^B!f2~QqdJ@pU|)xQ!idH0wOsZ7zg!#pcf7V_``=&Ai2b=)OY@3} z#=np=D=L5^?^qe66>_SpL$xA#;#*X;^#cWr#D}CuZAV>P>oL@>qQCPLy2kF>YkEU$ z#fw|*BH2)zBdu=zepS=9rIvQapK(j0`!7!fWyeRtI*HsXcgIIoG+j}0fl;I+52ZF| z^DqnyhCQnll&ivge3T}Q8=l6-a?7Tz<$|G%y@WJ`)-Bh<5%UdI*rrBLla** z%J~)&RPAW6bVy*f(2>Ze+2*Spkw`D!HPQ6b1Z*r`Gc`vutZYPF*wE=~oZlqN^#TU$ zJcomG1z;yW_Xaq2XZN#xbdLxeFtn<&8u6{qURJ;1JQnk^Cu)co*-FI@?UxC_(`Gim zL{f}j5bI7`HM9rL6hEr0hrIOPH5Vdm*ZNptfybI%__L~%y4#BmE>Y3@Nnogg@2;;C z*aBiYetlj8F1Nk?jXBjV0Q@&9jL`|kb|c(kV_I@b2U|W0^S><>5 zPR-7XQED`owz=z$c3nW7r1UGRsIA(%%B}n8cPR5d$A`2hBF>`zLB-ivo=+`2>M#nPqI+|c)tlD#&`}}U{pQE7ar7!s)i!LFhqumN_A;*Ct z&?4z7uaA}q_F6}B>(=kx$k^V(3DM@qejZgIZJ!mG$rHulrDY8AbK^Qcr-6 zFCaHNh`F^yja?hw7oakNiOoO~Jd$&j2!L<`>EVZdijnbE@c2p8`PJb(!t1^pP^<(m zQhVga8;n3*VgRjw`Lr^rTfJ|YCMt2#L3hNrh^(-lkm5}dp94SzNnmdW$%0$*Wq#K! zI-K1CW=et@!ID8zzQ%)wccp@knyh>A!ySt=_iQcEC*9|A8^VDOhI+{ThxNYq$8D}E zK_fWFYXPYCx9L}TQ#GCZ)WbeDEOiHMtzRsRC<8i@&yN;TIJ%vc^>QbtP6K^sKrXqV zmiOBD_tbd;U5m`fAI9_onSR{L5fJyur&I;)Q)cKC*i}%3 zpj>`{4K%wf!`82MJje@EnUt`wWA=%5#(X(8jDz+~$XIN=RcJGZYB)?0KB^@Wb?vr*DFz5u_r3Em)mX0FVvzeKYgPt#Otz^;N@6w5_3F^l<)ZLKq6yKC)Krn6)Fg9zQ}R3-(6AFSJ@0r9A^Oc*C;J zseW^t9lI>k4Q_C)N4}Dw#HhN3l5XPAW2pt@ar?xV_m{qIKS=6sa8obDp*}1_c(8th zU_Ix)q6T@DFZHX5%9&>&AzzW2>&&m5hGGY5a)oQUciWx0)ss=}RCB7K0+fKoSBW+C zo##Ro3tjGxe;=3OQO>EQF8wiIW9y zeDLz6b%$vp=CRQ41l!Fk`!vWh(={p{L3Fys?Iu@g*24xhDl>rfm4MjKPI2%7zQ$E{(RsWT{X#!8|`Dza*4OboPU|YzI2nWA< z+G18De*6s2veWsn;GNbHm&ZIK_c4-@_|8jEa7R1PhS4F^-|h%jMusvr(P=2n#>p^W zYu4Q?K2)*!8Y@r3SlQE`4Csa`-JDHLi``bEtLe zk!U=QEw*B1rFME>wIsKuoT18QMhZYWPy2HN#HKD;fX+40HrQ^ttOag$Z;b=sJ|GP; zgDTjz9ZHcpiT>yjKUo$SAAKr*^(vrpenIH5G|}95}<0ke+5-@Rm4L zv^Z^gs?_!9U+QK8a&zk=TxU=>FjSWO20P=wU}=vTv$kY#QRNtzn31RewOG&1-VR~a za!o-I!h6*PK5B-+=vVc75(r+eYIN%C)N}g-ZDS8fvBDIf(I?zirMXatU9Qt);W#~{ z#eV9Pptd2oz&AN;L+#X|O99w4l+uHD!%QC5$HtEf4+~iy#LdUh-5s;TRr~Y1{QPHJ-`x>p+$4yfLY1w6u2h1t#;%89Zt$N%= zX-s`j%psQ|U9!z((^M27VUjr&EKluo?7WpS?F?v1@10A`^#Y(dwFqU(Eamo|VI_na zLXQ3_$kUX$_6msfv=XGF9!wOs4HOTL|E;1%IBTb^R5W~gK$-OPKxrUBOD z=&8IEDh1r;?)3P0NEO_FxS+HlsrX4+SSejif|PRP_6EvW!d1uq$}Ot_uryTRBqfFf zvK$X=5rgtq2KGkb3$)XZ)pdhUkbb}UfFChU0HAs*A7hL3EpdaBna0`A&#e^FtCE#j zyD!7BJ4MU0*#hz_FRroPO@n_6+ZLcwSX!CPUs*`BGF~q433BcXKwR8+k9H&QwSUBu z3E7LTXHud_B&Bcn7b8$r~EDTfscGSyguqVIShOi ztmpyjWzO4O%YlRf&(`Posb{%BL2PGCtchyzs?t!4?nd%(-6I~LWvSjl)77_1-8e}u zB{7!uQQ%o4Y&{~x!0>$}v0Hcjj!xJ$-(zdf>h7H&-}29Hc=!yi{QOVYNdN`41y=`OdWj03`e;#|E_b3v@>P8;H@LsE0{v` zw;Ww&PdcF&vWDu>^Q4skfR7pR1-}J?FKkO4cCX#8ssZw zI47Mt7wz5|JwkI32z`6N$ChTjB$R=T z!!KHE+qV1EMEm0GU(jI%jO-F;3^pllF~@6S6@U>qYJIoy_0A$uKjSH#hE$?Y$KoSk zcYRzQgG=gH(`00z3WC)QCSvTA`k}1Qt<=okXUgkODP{odx7p&l@xo}65m3|i5p1t( zmEx`I`g}%tvE0NtlR?f4rAk&rBbddXBh-$7g1Bvy_)Iw2%G{ZzgFr!(%_>9$fHgbk z@ccXbXpox&8h7B$m?RV$WMPH+gDTkbsb*Jt6cK_-%EK+KHC@6IO*CA;RhSY}%$Pqh z_P)mBw`#@KRk1|>@s4>up{}(o83Aa78)hjT1SL@t0tMn8AgLYBDt6}5`Q8S8;vbBK zp(a#kv)*@hW1ZaIL!Ls*8G}m@5um29^)xCMcs~m_G{mz+c%mWkxmx7QS?_OCGMjCjS??Ecz8ubERz2zO57_6&xV5?K*YT?fLbThK0)VDDph7Efq_%ieJ?ez>=2iHZUa*(Cou0Jwb&_m(nK!UK z>6)8JSG~>bt&%0h_cHo`Sjhuor9pO^S6dFO+xnwOJzVof)$Yz?M2M`_-IIFX&NTNl z$?Rb6T^K+AF#wymeZSC3b%q#4!ep3M%TqUT;Jg6)&`Q8M@w1 z?|8qIuGHcatncOmxU(fH%LmPVfzKsnIpry^WewN*hyh?Tuh$B17m9ZtpoQ?scvKAB z9iFh7^CSmtb{mJUG^T^AiElQK5_2G)oiPZjip{S#fkMP{<$p6?g!|`WrMjpTl%|a1$yFV2eXeF zP+3OUQ>uM8q*PUsA182A1LP_fZ%Vze_78d|%X+#BX-Z0&XZbU{Um11F{%wAd6Gg+d z@BD6P>046Z9ZW;Dd+V;)mWC^-mS3^bZ+~X4IJ)2+H>$8HdrW^ZPvxNIDmqM&bhET! zCqiW%=;zrlTofafymS2$`thb1It|=W2VswKR!i zYl&MJ07X|Hr{f9l)qJGl&eOXIpvXI6;H3L-lE82mj{sEv24?JeD5fEAU?>)0WvV|| z$wlBq9j48C&RF@w5o?(97YNFw&$H>PqZnDP6pE>E?e)I;_}7%ED%K-OHFAe*E~V5W z-H=K)49APyGBgF#jmFicSUfD@_pPF{$S%8BUjuA(hi}-Y$&#*oFo^&PS~@5albWU9 zlZ6kgL%k6;ME>MNUvo^XV0+#SR*Ld|99anGp6o@zNnO6tiS` z?Mvm@+D8Cmt~S8prN8@t{M(U@#oAtT^1bl~2$+6ymuhdEbxKbVg%Ve_#*r2&_~Y(c zY%1^pFCA_e7CQl93pCn!V)sIOnN^bC)lQv^$h$!vG1SkekE3fjx+pSrFEXwd-L^$; z*!uceSZldq*o+8CIdgrtN6(0C{wZb0R$kt$?%kFYy18_;d!PB}Y)|9;6!(#O{wu2E zsXJdHfU@*3Iey9N4WsT91as3|{3ir`$xrOqI3>x|<9?z1p1WU{WUVSGP!Y-$DLRGT zd63zC*z=AE!GfGSTgNlcwnIcnEJtls}%km)T#PW74B?fE=v z_3E2c8DRU&UX#4(!doUptigRes_1Wf?VoR)3*R!Rqj(bTu=E{CJYkyjog=!*!vAuxdOt;y1RIHB+pqF7(Q)+_)F)Ch^Q|bI(fs?Nry~2Wcd{5Hp@%e5N)OtmN}_(=R@=ao$`fS+d$D4xyWO(J}< zkr{01w!c{KT{s!?r6%;UPIt)Wdlg3$@6=;a zSw?A=W+2+6MMASKd@iA`ciFP#Jq%OHwAas?Nx1}t^j7P;CR@b}UqU8&5`F^=_KwU= zV9EvdAH|b9dc5eU8n6ZR_2h4Z@pw*JU239}@>vuG;Ie#i500$D92M5pFJ|%*T~M`v zD-Om=6*)|3?G)`7&al##2Zue|+mI$DWUSV>Q2(Bh1G}4!>^w_UvvO0PtNg>YL5#T8 z==4`+CZQ(Jg7*bkL05sJ2&)D3G`BAqWA+UdNDV5Lud!ow+{s{55KRk$v7eTld5e&^ zMZW3~+oWC}wL+|PL}%1URWzst(QzI1?k;+wi)GEQHKAU+-Tca?Dxsb?Z+35?iT5mJ zlU(#~)Js=j8zHjL%;^^VoOl8cVY(OHrlfuvMTE2X3BWf7@9AJdeSg^FhlwhWJYFA} z$ll5g_q~e?iP6qv3IeHYR5CA1T3$GUQes^+G@IaPdTU`^E2qcm5;yey9BeWOOGf@_ zygg$U0{%+-mO)akm&32jpLV`?F*2PJNx_42WiD5r-*R4vioPoLfrlq!=U+47ix zQ(}q59b;wQo$YE<3VG&#C)Qp`(W~gjg*oj$QR(cw9Kgk|^04tjZ);y*&K-FwM@u%~ zfK?ZD42XZ8KGS25vNM(y$ez;;Z+c%OqmO~#Vx*!0P^+fs8l&itZv49wyIYM*-7``$ zNs!vGa(=3c%&Z)Li_d~1>aQ&bu0r~mmCyXY zG}#X@*op)o@-u16K?3kVzX^)L8w);?p&4?+gz~MYGC$6ZsisTwBZqh1$Z-|H0$vjt zRIe%&CiUtAP_^x9vFen)qpaz>neF%Dfxi@Tq~<++S=oc*tGsHwR}f2?q}r;6>l{~2 z4FD0wT$fA$(N^YI!TZwC>BX?4K`P};j6ioa6n#ns?d@5BdZr}+&lq;M%Za z?`~AIS>O8jL5&?LTR7h0Of|hvC^zFVB ze|B4F4Exlp1(xo2MS4<68~*npPOs%ChwjU?UQ%^%N@1Z|jA^)f>W>v{dPtprGKuf{ zmKPU$T^{CcTw-QLSMpPvsg3qMRaTI4!=6RbPX>9ixjFcBDUk0zhz~{wpk|rSIsJ(J zLcI=pI)bM#qF^Jx%iF|Kygk)zFe6?DRFWlco;38g)livFi}#!{Oh!QoM%`ICld;Yn zBTBmeIaI@X^fLnc*L05GtFN_F2KnVyd8ImmE;W2$lM9P)wgI8leKXKyFHuC(9dexk;gah`r~IJ8<<(=iNPsICp3%DN*>v}ZNFDVw zcdoIs5zZQm!gn*xX}YQ@QePp6?-%aq1->l(vt~qhm)P8t2 zJv9yO%b_UIK7wSk^)+Yj(Yy}~LHVd7M(e-wy%~F{y4r8Ua{NmP--ji2g&y3_(C(1` z3*_%R!=HGPV56>U4$& z%Z;jSoMuDN{Ydh{6LEI-*YMjX%59KHn;IeH?AM7+jYMOZpqu4|fsMQ#{Tr{5Ej?02}sHVh)_mi#lt*OQzz4;b>(YiVK5D%DkBk3D-vk&aB+%g~-BD7w|Xv>|e@V86#@Jh0e0CZ03nh5pLYQlDG%fu!S0dj8a1Ay@n7Mp!z zKvVl0d$lI|da28Dgzh;ml&60&0x5_j2i!@&WIFiQRenwdp29y;ZWq3*fd~bf88ElD zUe-o-%ubE1i1Nc7T+et53a4GXAfseqMg-YHnKi?gMlD}|7L&)WmB31=7%!>e8j4e? z)${7-WZ3N6;?PTv8ZZ1f#5r!1&B1Kc{M~T4U{9XK;k#e8Zm1|$vY|pE5Im^fcYmo> zb-rM=!7cWcsB(pJ5K=7eKSu%3@HqgyA5elW^;v^F&X*Y}XNz;M2L}pN`a=oM3hFi! zDt}^l-KPMY+~a2Qpa=0D6~ZBXt_E`u`W*~JDcg}{%z9urwo1mZo=4VqBHPcd|E7cD zd2d0J)UKd1$<__*Z9CDD(oWIt;=e4dDbMVW6v3wK($<#jl?}fo{s^91@CYE6LJ0O- z^}sZY#=7*R+a4VPq0fU*tnVJGR|=K@5kOU^N#UxO3@yvA`~htvsk&4f05JrV*F~9; zAzHfwbklN(Z-)d7o!u|o=^P*81{c)}RQ`of8>e&l4I``Z@=5 zn=~;QPZ0IYHUiWR08u5BQS_xF6jO4hkPVf$w()KLxv#WhWgLFj;0=o~6sKzzV9@Hm zeifbo>#1ii<^k_^FQ( zYOOf}@P}pMxl7|QRNeuZ+M4I>*@3(EN>TsJ0tPAvmodC)b1AiEQ`a0theA020GFcu42VM$o~_3^Mh7Yh9YP}sdHe*txJSW)$B*frMG{De?f zt6|N3>R1X(i!o+NRoUMsjdjtf%hxz3DQ%Jc!|qFTUZRYNz;3a(w}DB1V%`h^xpr&b^qc?B9A-9bQ<`)rw?Cb-v%a zZT-!RD*$Q799LXY-;AMDXt54CmE5{kfv_nze`ZdD%P6z5A6=yWrE)tt-GWj``gHf= zzpkR-s#`AMhHz`6ofC1aqAt6`*bjh-J*2I1WO@Pi;cF7RT8|7+7EM!Uh3HlbLmBd($LB;DA|;OwE>9VnWai4~U_+(32$&%+4C|I6 zZxqr%DmuGB;i`;cWi3@X!2W9_zB^S8=Z>mtaN%p~8KE5_=JrGgz&Foqimd#TO|VE2 zl@YYIGhdcv0CR(Lvr?+rPMJ%v zG_E^i)9|$;t`hNOSllS!T~UNF(sySnYsFd zmQ9z1G^H(`(q*eT|F14to$DfoVsFQl9B{2BxlQ7YAF33~z>-O0LC|1BdEYbR)e!=f ziKRejm{vBqI@m_|Li|+Bm^XsPyT0UQhi8wqdobSwjG&>z98d)_|CahtlTsOFrXZ~k z`1^>&KA;#a4#40W+`8n_hAQg5VkZ$KVk~oy`5bcM5n(BCFh&KW67mA(HgV%XESPnw z@)Ne()Xt)&-t9w1C1HIl(v~ei4Fq9ucn2s% z1HMc9IX0`K=pBj2Ap^L|wwv|!*Mu~y!fgs|DJ-SVsNRO8oPFi{iKGCw5*h4YeIc{v zEXrA9ehTHz%g44y9zaRovki|IzMpvkq#{|%3Sj;`uG*NQG&Hq;5JSSI!BfrbWce= z;3!Q?ykq3+GhwX53E%V&lhLeKjkjsMcyN!d4{LRi7zG#<6Q`FEtcy81_7%+6U>6;Ff;UG~dCE8cgV4H>_y%Plk-E}Gj{D5(DhxA$vic+s zY2zEmi!i*OaT=~Zz;^}%C2|o-lmtt|!@=t25{(pd*Wt}!gWh-DSpKV|&*x|Ce3vBp zV)0%ct~@9i;0aWz=EBW-Xzh_*-{J20M_xmKiF|D4?Ch>z1fJ#Mv~a&wPsN3I{BMHy zfmAN^0AKg5d#{vH#Xui#SmsObprNnOtpL4sRkhsPh=r4xuSM=azv&{8Kr(o|8hKYsqN7&aeT)%@2kM^{(&GQQsDzp`G=S+w; zah7Nuz`d>b9oyY~_GbMxWhzih02u$HIfOy&;3>cz7tuZB`iaqUqJfnvtp4r{&0XOU ztHaKl^hRw9d8pr+A8ZHAez|Ox;K@q4o`>~S|0J#NwR-1NFTb)<;bH05N&d;TuD8Zm zW?GD2xZ9=cwe+rS-|gPL>?Bio(dCR6?P7H@PU-KKPY9jTn-#%1cinHU%XCNQafQ!9 zjURf*v_33RjiWpNFA6C-qaG)%F+N(jgB9a5myDr&p&m44lI|vMe1t&)@Wyu-EV~Rk zan+G?p8M7hfo$i8r-gK9eOVh6fyvE05@(q6*%laOzFJkdLa1G6MqhKovoGy+0QYf{IPQ!wO8U=_?CHc)8u#$*ilcO5tx`SENS&ZyNb?aQk0bo-=_m;EiVp z0pHM#Z^mnpZ*^BX$6c129R$AXxpf7L{gHzhNs|#I`2I<7vuMu0l|-!KgYbk-e7Hid9F>PMW@z zqk4^JlskjFH0Ho4aVNue5~{0&6p-NYDg`wtpT?Jc2#|asloR~Hcx1I&5!FMjnmr4= zhutA8XO(aK#fKY!3qxLI!9oH4GqHtGl2ZZulRlNBZQU+*9d4aY=4W!ysjeC?OM z@2Lwh#K((#hSl5a>jCDtskyVEw!GT_SitD-F~`vy3pHqF`teq95z}aD)brXMEsBn4 zNtgy&t&n$uOw}mwI=DlEgWOu^wzP90avQ>0dhBOs!wSH^>4@yVNQq9nqqZ}|6()O6 z=D3d4%|ykieDU&wL@Jf;c4iUG+A|s9@R1Dw=>aP4A>x}IfIDmmwg3W9VMg1FpFRDeMOQ+?!HLWmb zYu&lFMs8cKyqbjQZplpMhFMpWxPUtn)lm=KHXx7B5sb<;3_|a2))_g{dS>93l)}z;{WmQ)J%ffzinOy znmLoG=hk+=kEi}l%6apdiv`?X(r!CP4|2P%<9jTvx`ykS+G(BKYWz+zlXtAD>5Y<=-`Sv>C2y!{MCLh}AG%d^9tBzXHy#MY zu++0X@2=2ugG{}LXMgHYJ?Hl~`>Fi=P*b1pR7~T!#|Y@j!XNN}05uxMu4Eb?{K+J#e5TMu94Fo)6B3(KMxhy8$_CSidb4BuI&O@n!1<34{r*cRy`v? z{dbLuR*ZDWfusUY&5v;p0W3gDT`@xKs~)Yl;`hp9!!FC??Gk*b@h0vJPwP;~Z$LxZ zkH{t>!QXPkrdS+M^mRwqfnlR5nS6`)f-96=Cw#f1moGsZXSn9DTkIbU{?Xh)ijfLg zuXx8FDgktsGi@;k59aN{r0kZ}b$VO%H#$dDwjTun(>4Rz0yaaAxSsvTva#q*>Sooe zW`Hx%fSz&ra6SQ_rr)sORJb6d< z`vZL%&<*@L=R)!t%hA1FjNR+vp*cxB9i$2YDk0O;+7I$u+N~dl+8PmFeZzA6<}kB0&j`X3;NJPSzOeWBh8WP%o) zw&?XWtlI!KqQM0D)W6(|xPx)aXt?cJ${vP!26GK;^HwZkh&k?;RQRHA+_vxZWeU(%+20!&{*%nv zrYSxnQ$X}dJNqj#Nq|SVXzi<+GMD@x-gW~py?%Nh=3{i219|*bSRA7MEZ_vEBmb#J zJ3QcdhVLLbel9nEdpm|6y&%*L{_R&^CfBIUMax{stX28#fF*ynPC6t#hTdKs+FJYv zeQE5E@1pw?2JsrBPXp!7w_@W%6uQiTQntq2Ye3cQ`(FA@%zmE7e=$@bVBKuVtTw!# zEBPzKysGFs1OaH+AOFoZH;^&(bt!@K(P{Z~x0*;i>%pX=VJ=f3P(JW;d4QfDfQiI* zixc$0dmdW?#uvBtkqA1FclZfW-ox7Vcj)!PWxDaU-~fgmCiL`A+1XIaCTx2X?y?H* zdOz04hT_uzeDZRc@8zI?XP~S%2_POl=EQaaKtZA971iu-8EbTUgfAO4!qX<+?dOXc zRrQus>D60*0K3vZEumNi}Lfd_zJ(7sh{%Am;EIL4!+>a1fMJW>rJDf{$O=B@IVCE zx{4(Y&|(e_{~?u96rxnd=iM=aN)>i|_~9}!jP6Ej51s_BH+j1ziL#&rAUgl|0itQ2 z3}4X8OU?0%*Y7Rb^WY~URJigH{2X(Z8L%@cy z(^9$&u4|MwKDNqtM(fVKVtu;f` zSGHuVlE%ZvGVm&&ak3h&rvIfZwm;X=C^!g%Hz_z0Z}T$^eCQ_P|Gz)%r}Lp0>5Uu~ zT0hYazn$8(gEjBlQ6&5i|BRoS-V95$hM5MP96R(g6?BzMuX{=lrEG?s{Gb1RA-FJ- zcDU}sclGnz=n9UHkGC7g7rJ+h7X#E9<$n8N*IQE%vGFGNIahD;O@Ft&hi3nWU!pE* z4~<=TDA9qvc_r<;@drTP{^xop0l4fj-iLyb4>`ddS|fWLI%2X02mi=Fo>!I-@Rwm~s=4D*i+2*E;@Q^KW1XyeE#G zV*qjUKiGd+N>c!W*_}fwz$8(uu#eainPGp9XNNL& zcMGK&F9ZA35k0^t%;{D9n9KC~Pt4J)Us`r*S9g-mO@-~fTsv`y7iYOiud0Y%;{;|n zLO4D^y7gTtzNQ?2V;0rE?mIP5Ath-2scQV5^>0lV-kqI^k!h~_c!ufqz~1K}>j*o~ zjuWb_F~P)bGOa>NxN<4FciaH@q<9(dNpF4cw%ZI6L_% zzA7YUli?l<#csZD5toO9CMvaTUdUMjCqK;*2(`mr~;jHaDm3}TtYU5 zeH+>K%FmPcU^`w~pf8u7;~~T+MC@gFFP+zqORQM zfP`QV1Gmg-N2RjMUA=?5Uu{gttTXQ=&d@ji%ERX#FzbAn_hpg*_LHTx-Au@psW$-Y z+a$Z)XSGCjBOttmpn#=CQ`^H**Pc-6M+s)(u2!12R5=JO>qP zUr<{{hQUAw{)nR&0p)h&gwp%re>IVE2bM+#o0y)@=P@^0jhTJpn9rr~zDf zZ}4vm&z}2GPI&q%toh)_$)v0|Ya*XInSY1Umwb?gym&%kOkVr@XY^!2Xv}H{hA~=Y zLf9_>J^i+Kad|~Dg9_j=s+Q}6*QL)I`tP8$b3ii;W1L!}-T7UNMiomH;A9*=1u(>> zYK-)iEBPdy-1$xLzk1RnLs=_q{wUE_;s$z@`CgOfHQZ0qFN{&DE~pmLCJ@*S2Jzl* z(hO$}BIhgq)1VF-vk^6Zn}R8Z4ikB|0NO3=PVCDYnS!ThviNVSOksmjKP%jJvuIhw z53OG<^-;$%7ZkT+b;Q}jh0jW){{FU!oaNmxVpdX`AfX|uLt{Y=Xqud6lbKb6fFNGo_}5F|GxOY z!XZZkXOzAFYdQZrI{pcM{(s~;aPq*QfXSwfQH!e-cVb>FWzbc9?v% z^9=HgjQult;Xr4E{FJu|*<-VmpN1cojiH0c4CEB=k{^`GnUN{o|JaZ}YmSX%q?H-@ zQLQ6?@-*c=O78fIx;2IIEpoVe+5aM=M~~7Pa^np0`{&a2nrMpm(&TTD$ja-mV+teQ=7QnPu$R!lFzg31b^G6fZqSg-2luzTgzsFXY_ts^ z5|CQY2!a7(WaRa~(i$v7by^n(^-)$AGpYn-sJW8*B9g>!b?TT zu^-b_77AN?4$0u5FU7mIr5gbh6qWw&f*K8`e%uuP^K#Wm ziqoZav@VsorzWITCW_Dif z7aGOd3L+iw%3i(t$El9ANODoSx_im%fPAlh4(^G8f2m9q2j# zp%VpG$+OqzD>p{#n=WtmANEOs7(b9NHM-Z44oMsJ#-!&gjctp?8y%zMtN&m9m5b@# zy4X)PL!&zvx5n2fp!zF;&e)w`ZP zP{jju(fQ3L4}wzqXWo(#JGj))L_TmwMHa884WFgPaOGNs4I%kuri<2CNq9z+6-Zynqm@mGgj?of z@jynwo9(P4E5BMXDE>0}ba14cY&Q(;!%jBZ(Bp+uJ(o7%}gFZQK+3jK~)X#w2$2>Mock@))On^>E%j@2DN zLQquS=-zQKhh6XBP@>PUzc^9LX|`JezodnAJq|5fFocwueAnOWl)tGxIxLNKY1gfq z`{on$_<>^2G?Z>XtpbVl&1jvtcqNrp&m*5&2XEnU;t({F5s$*GH|O+3OQnI2RfQU; zP8ITg6)qoh%i666h7So*S3VDbOhL8%w})2Dzz?>CoohpE{*PS7d?ng!hLV!>jzfoO*z-69+DQ0i(`l3@Hy=1?Ga}@s}qp{8;mU8 z5E3eZ5)Q|9{_sd)z2uapOt6&ZD6wE$i^+3y3mZt1$F^q-Au!+q%Ye|+iHQokDU$ky zN`_36@M#Ofi96Cy7|gI(raG&Bnfh8YmYDJJV9fZ(4-@AoC^j7nv9u(<&jfbU?PJvj z_p5lFG@%aR%<>o3#B#F_DH%vp0Zp7@K*o<~Tt_e8_pWf(B8dvW`|^b+{X02zL%3T; zcuT!gPtO-?&V6-Okr1aS{mRf8rGQ2@djZ4B!a4BX^6~sS9K4<5RanDFJiLvX4$Xfq zQABcov?BrUO2H)CRkN#aiN8NwEzvowUs^jFO7I!R0!)BV^C0;ZwuP?s51f17?sRDd zq%fW$^_StIW)G1n?3e0QLMXwtvin2Yh&?QxRrrJx!Hd_-yjx0$j;@J6QDyOT0YpJXdyjjA&Vge0PY9||GqdRN7 zcGjf26fmpwd);6ju zzcYicS@nF%f3X4AB=9D4jW{uo{3JWDOqf!Zt50aK<2oajJwUYLp->~?I>c>F$c+Lj&ucrMEhnIyT|V` zO$C=hFxx*h(iG~jZ~l;XV~#MEwB39s^#dt68UAE9u?YV20L%BJp%f!s?}1|#a-V00 z1ma4^SQmcHIF=Hk7>FLepcTKnSk3(b+X8UiX#X$)}qCx$mTH z7=VdnEfjc6gLOtum6&1#j8%A98`D5Xd2;0?#o|aeO#$Ho=vw;Pmmv!`quJAe0X2b) z<1YyYhSXa3S4j(oMG|nZs^5W-n6iZ(!ShnlhwzMLqYuVCw!B@0Xu@HHXY7V#KzW)= zj!}nk2lohA)?w)d(rhr#ux>QkP3jYGwa(Dc~?-@{%>?%GKE#Fw^_tKs2?I;;8JoqMa?XZ;kGPrhMXva2eq&ksq zW8K^H9vt;_Jt}g-pVb(Px?~UbAUY1P$-^h+YapvOeou+)R?uN*_j=0HXQSQ1pwZ5H z70)lh6Cv8m36@%XX`)rdcS%xcT;PFU&561A<7NL`l{y9=TcXw}k_<#^tUY-ec-%Jn zE+r=#8cE7UvbZ>v9w`gskrUeEW2S5(lw_OK?u0Jb0->p!YPAfBCb_0W?)ROZVCIS361h1#`A1tY&(6cOaqu0p;|%v(AVe({Xx>0M{8m zJE+H?E3{+`W?4oACHL5^#X{Q0*$$rd-~HAQL_S17P;*V=WJk`mrpUg0HLLN8R$hXNV+r;A$+P6nY6x6LX751+xU^gHqAxf4j_>xO z#>m*MK3Ci0S1$g!4uY?e(bZjp4Ro|7ZAN)Z-Z|a6ZALR(#PVZ~o{1~dQabQG2Nhg`3T_S(c0bb`3kIZ#1nnlFOFz-t|Q-U=!2f@GQPkV#D1T8LbRY`DM@l-X2j4u7;zOW4|dse zwLF&Q2c{M3`#J3N51H1;o>!=J@zuJ24KR}SumU}-&C&6` zPa5gxiN?PW=EnEt9y`8?W~)1za93Hfo-P|W#+i9(}x5EstN<6aNQ`+z6#fdoay7FDOLgqMDu7lBr zJ6FWE3?#*n9BPJ8rduBNc)y7LS|B>xg1!sEH z(-Sf8dkJ?<-?i^)fKy^VaFpqypo8D+%_GW;31+w=Ky3A55%QSZxi#Aqt7$6!5;ZjCu4sBz4m0-KyZVLp)5^23%C;PE z`mppQ8$kWelrcM`rd*2-m9b#I=_c`_vTxntU0YbtQ)4@9K46#i^_;z3uKavUJ)rpu{!H}?D5x;j}VVj)m2m0m)039E=yy)nxDhZ`+_nqGr9umE%T$) z6DOQ~FOUU7hQrlX=>${#AbhT*_dib%^_-%n6t2LAn`f?rr&(6s8=6sh=Jetww<0#-6Kfs@Zvs8^l9{r*vvy@Z7`_~Wn@vGgccEY}hNiJ& zHXxk2*TNm~^b(=l{N3BI6Eq;fWRHItm#^(RxTAwlyH8xNKgEB2cscsxdh(*rLP?Iv z2NYncdiX^R9AP55d$ECx^(LW{?+ZuGR;cP!(=SG+ED&-YT4`6m-9ZtS;HmcKGVgmBYjni4oX9!B_L<1YekGLM(N72nmxry!v(>|iNVZtMaMJgdS&?&~fK=eEGdL6b9KQz-j z2GZtuxhClFpj1N7J^9#dwB@y@B`?r!QVH2h{6J?+H|eZ8vEEy`?^c8+Q?Izt-#Crl zkQ?~s{Ok4}xHkSp3!+*jEs-|(c}Z!Ofaea0_(OtCeeTmoWLa)+myEtvwerTUuA34l&KJ&Ya z5q;Y}E0Rd#u_op_Mk~CzywzzZ*AELpc z5$nHyb#_d)Pfe4@!ZE=5ZO~7#mukW+#+GYa-Y%5^ez{>Bhz#bJ-R@I+%8q?|0wXVD zh~|bT_oHQKu-bj#ONE24$ELLGT_V=cq4(hjRoI>MU-Ho+6ySCH*0?xfljld+ z%OXA$lhGa5E$3Ax`46XV*DWuP-M86JATJB7JWXNetQL)58Fk>n&549J0xWq-uYzRlP*lBj@mARJ?=hd#f>+Ua5X+AKly_k7SN|&)=Sb zA$crSi%Evdj=^M_)O$cLxd1Xw>xU8NV}yU(XuGJ&sCn8U?m+5nCii~nD&eQTA>xjg ztNg3TQgr>f2$^w29V2V2!a+)2EUf4tjRoch$GH8OtnJixA}xDz5|PU5>An=AAbn>3MuvUmwPpKmaVWcNk%Hf-lb#u$`BK$N=X1*Vdh!mT0_V zOWcnu$$2*NGKhY(8q#XY!eb~;8P^=n%Z}wOpc@?16_Rt;)V$C?6FQq~7kwN)dEK?= z@?sHchYXlosW5R&Lq!fmx;^(&R-zw)=v+j8jyLxKNz4(HYP=Zf=F-B`sb%RS|5{^+ z%j?))xd-vQ;7j@f+Z7`Z+&C|sjdPf zZyZw_4qT&~wxBl*J@MR2;{>e*GA3bEhQ6Egh86anEi6%NMi!2gX(f%MV%A)>-bOCi z{$znB+tnEfIsqcjk1Xb*%c2T!pT5a`GBNMy-kB|OPQ{sSj?((+d1*tri7or&JplAO zx)HK(E9c*pmWVBCf>aTaR-x`;;JPGCz|Quc+=>p90B+dAP_T;ITce+;>NufzpY)91 zK^(B9k~zZnKVwD;K5hA;()r%QSZ3EnFL#3lMp`U5=Xk4r85b3PqphS%W>?ELHE6I_ zj#(xt*70%KO?+n^#c!3xQYOo+c$XN`^j(u^z$3r#0InefNHi_I0cLpVtaE=<3R8FP z?OxGf8s@2L!OZ8sMyfkUF&$4Vf7s@ic75HXSNi*2SYq*4qVL19MIJxr-yle7zGEM` zXG#>NOO^a;jO$dLC|?C^f(6YhRh;>?%tEH|lURp5waZN#+(eK5-ZF6A@gZ`b>*&mC46Cp zaJGO*(I~udg}#Sx6O`8;daj6Njt85db@FN65K{dl=UvoS$fZ|;9uTR1_Ja+NY0;J@I5+O3{45$_Nhb^Y8JG%Y&fIuP{B$G;*BQD{&Bsg zo_Q*Xb)+}YbUti7y+959+By3tqZ08&^dA1XMk&oqU8T^BEuUL(EzhutN zFIuLS;)PESp;g!v?hZarCl|E%M&$I}#9ylx9r&g3P9F((PKJjU`}Ud60%8h^hAV!0 zz3Ymm61^g-Z!hPHetwd6-`VNr&kC!T{P!7HezB%b+|cA4GxPfm=2s*UL~5wL6rF3! zC7&1FUG6B-&GFFPHVU}i$%n*c4!5=|K!^GS5V-EKZs!?83ga;2j5pTl(io(#uVg_H zAI9@-ob=a9#jpgG6Wiw>XuLA0It;eBw(>fJtfbUIR8GiCW*LfUvw&zbh~W6dr2Uix zZmRoNh^EmbEeEm$T?V8qZ22786<_B@i)}BS0(f5ih!cS6u&M*(s=`)S>JKERdvfR2 zO6EL~>548a!3JT9=}{v=#K<>BPPEPe_hCKyV$hja-UkC+UNxAqe3gz*NeiHC%o6`b zm#;&xaxy)QK9)QC#@G+6QoQZ9WqJ3RC{Gd=%Ij3w94OJme3`+uli=WW|cNy@8voVzJF3z4_8(FWy=; z|90gH;)gj^KfjE9I0}5=pM)`_A&Egq0bjC@a>?jz#S(C==G*m^TXmW;?ra-k{j+yx zo1DPScw3OxC$Y;y=Fy~B?+9QQ5Bqo-E0D^Zd$GmbQ=4FCn4gE@L(Nr{^nfiF-*`zs zo|_5>qL55|U}vSk++u@`GUxmi%4Aw>@mL`2a&(F!lnYUOSdV%7qvI`hIs$0 z1x0JsMeSNVEqx9oNoPh47%NMDp4t8axRF1Bj#BudC`Id+$m!Lb6yCLF@H3+X5(6qs ztE5FmE6b^D7Z-Tlllb{15ZgSz`n8{*Jrx=_Yk1vHsQ|N1mDuNPz}c=T(c zhp%uisopX&Lvqy6rlLz?2aYy8?i$_Xf(-*FV{`SQVIeEz4moASj>6ZiMEF=p#z?u0u z<}DtbdVA2#N9M1OJ`l7%9(ltGD3WE< z*zw1A@1{Mk&+w?hLs6u_Xsy-q4-9kN=R3ZztKKiBnrz&dDzbM>b~$P$NReh&@b%m< zB|x85JCrThY)Po{(}^-rzVk&&ZqlVt>Yhk^Z#I!tb8LiWLk(9u=d@t7lr0H{Ge*lF zSPlt}NY9&n+Llkk^xb6IU656ZS&})^J+`Ff(AllvjRthT6eIsfpxlVx_yLEM2T#ALeK8Xyt5Ya zy{`p`q&+-qKl2qj(*G!*85=1-`*bbhhv@=_fLEfj&@IcrsmMRIsby?RbAfBC`n%Nz zHN0RWXkI&P-zsyq(yPu<$}f*G-wHMeGDYH+c&aki^J@5;J*W&RJYccyp_N0T{aMP5;yrXx=r+~TH(q~gnM1*|D-{0nUogmfu!e`Kj(`8( z54{I-c?Jy9|AP7Z|0dNl;PglIN!~r!+2o7j56ee%{Uyk;*0ZzVnLH$ zB0CV^d8}z(A8-(1w>s-7J#2(poId9jbfFW=3-dqd_LpiB)*xhinIHSso}~P(c|XuY zYp_=Si(qCU7Ab7Gr8!wEluvRPJp%k$cX{eZ;z9^#rEDng+pJjZmK9sZjLOsfeQ!Eu zgCCX*1@|;upe3=qM{7U*E0D&l_Ps<5yY;^QP*!)sX7^+1qKO2CIe>QH$aTHpotj5254=g``8pGuLBH&WB$>|e)8L(5cJ8H4Q}$W zMFSvmS`o;oiW@!hp#}V>w4ke8#7(F=ZZS<2cN22V%=K5-jqJbVg<-`pcQ+Yz0~sN8 zoG{Dae^j*3`HmKqSyN^N@dwH8+>w>Lf#U+8M>e z^vR!V)_}6xJ6(0dMZn7bmEh*ZiK4v86Q` zoyx07JL)00ZcN5D=9$Kq3)^`o3V9?;ltrrf@}x;38~5y;8Tr?_!4jEA3mFY^70XA> zGd(A6u`32`u5BVHyUuERNjoHI!z5pgQ9d{Ekx`<1z;Kqibgk&aww%N=mOn!^f#+Z= ze?UxvNeiRf=*0m!&J)tB@gI9X`Bi9g$_4F5Z@!|9PJm*c&Q-8d zjYg8PjgqNx>?gg_H>cNnCM$=GXi=Y)A3)5#0seug8?x*N>jU-N#v-Vr+48#Wq`t1z zLBO>JO1J4xxHY*10akt7QkP*aLnO=-1Da_N**E|atE-+l&)=|&X+Q@Mwh}!RnJV6S zrpHya3GDOafA?r9-Lk=^Q?Ui_kTfMbxWd0(z%SU#0s1UKro~C)uT|F8TpSimgQz54 zeL5;Rd_7DnKDyIPbQHn%jpz6TgdmQDfG|%hB+~rbgu!>S*?2i{^_LK&i}o=uD*x^L z<_&!P`Od^*zgOeW{nr}AsUw~YmTjJ34{Kj$9=Y?H{xTStPIWT&%$Jz`y3wx+VL7H9 zyd1m(h+wQA?_*EgG;BiD^a1xq7y15)ACc;>|Vy~372Zh z#{@`BD`@vcI2mjm-cw)K9Ir(i#`L~usecgk(qA3~OyupKRVd3m69>g~h}Cjn`^Pty zwuQ#HEB;9JcWV$2rNYvzEqH+69stVs0KVE|o@7k|WJE;h?c5Qw{Lg5Rv!h(4eE z;7ZB(TU0$2u$0#A*OXzz_z?J=P-%I@(8CW1uh`y`aQDNfq}&`vVUW**-;!t*wacv<1Fe z3u$#l+R{VH_TL=MB=~q;1{5w;*{+q!Qr;5gBF=Phev_{%GcqA*Y}5p7G8el@jrRGP zoq{25?*_@>iju?JwR$`CSVngr`M91)g4H6o3XRN9$H`tF;AZC6S3w}O$9`+w5NzY& z;w0gsm1QXw6;UVr+P7!MA5;K+>XBRer`GX#g)+pv&4(qe^drCg;6Pna0XV*C#cHr` zP@PBMu(xB+|9+dod$~MTw6Ll&5KCmwycsWlb8*y4Olw-bgFT4H_q6;ICF7aM|Da|s z!)+5Rdmwiua{O32Ja+Vy?slL*ExnUg#eMl133Q6M;KSJ7$t*eqb4;G$v&PLXblnvz z&v9Wl13iCKwWaUX_QHcHY)Mj_&6W><2jB6pJ^wCJH3w1d?vQayM7zjpM(N$J*GdJR zpZTXh>Gh>Oq1UZQEyO64H*C3I{y38xXaB63zR>Qb0?aAWrV)nb% z9Cj15A?m|Liv~H*2jAFLq5N-k^etjPH;C5_eyVjAVY-{h&#I0|)1i3YFBcwy9rF z0O65awrf}D`n2J-cz)u-hkyuvlMd0B+jm>bfbu2H@%9!8Eu)la{ukb`d}q*cRR(Ts zg*4p>Shs!o8O96!rPF^0RF-l1*T=t6!G3*}ZtLUkuT`d=H#`~n6_bX4i=h;=lMmPC zLX6(_+cztFkx@a5a!^e0i1Br10Ds-u+xi~Uw0;o4{&HkB!u|&#l957xs1-5w40Q#< z3LoN<|NQJ%!nRv`i*KuzYFXL?nStL~Kl_bFRcjyCY*_CL_&aZd0vLGvWKG{>Y_)Cw zyqAcPW4=3AuB;c5vT3G`oltYMlpieqtmVe+XAI0#b-X`sHzt96F)+2Pc4M1>zB5VF znU&U^xwU;M#HZ{2;#64ZRz`rs{6~i@%ljzDl?A)+RnEQk`O0in`~Y42CbNd1`*e0V z!8YY8J=ck*^`luF z(QqHk{~H_Crz2t&c5ZzeyfD^5U7Gkvq_BD60ZgI&9U(bVdA&(ui3@SbdYiR+oX^wN zqk~~0SxR=lRpsUN6!FzrHN$84>&YOWhp=GKbA#NG>t-G1w%e-Qh;fTz&*8|e`9gP8 zem*UhWTV$&^lP~7?%s>VyRws4ocNdI(9WsMY@oq|uy66u@TTXhroET1#9uQ_5tozE z>rd9=*_|$sW3>QWH0qS%d$!;=D%A9_^B{M;7i&;F3FNlg+j!~jQmsAE1qi+{JaE!) zWSkqtcO(GoTFRjtZ@A_|zY2@od2|%4-=Y0xLhMyf_u1H_*mpC{rD(oW(?7R9Rv7U- z3fwGUEC>t6UFodR_s#2rXtRF0?x)Tx!r##U@{8GEtn-efQ?Dk0o!>wR&F}{X?j=v4M`M*4_*%OuKC(+CY93BTpa#9fAwT&&VzG9OEly8#y$CJ{h@SFZj)p+wTnx+`Ne5)(RK%qEu)udu#M$Z z>Vz%9)z%-ZvW2GVcklnW8Sz{W31n;E9k4j-{d?gb2I@UwuLge?k7|e1u%Tmg8s|!L16;u;;399m+=rzJbhSHf1}mSw zynZ61#l=d0G+Ip?bxIn`RM%!3K)&JoLCxp);0Sjdk5TorWqe&nE{8@`ZudzG>!q3miTt4KM5@aKv+p*9PF2af}k3&^B$jd z)ZZ-b#dnqw<{ksZ+SWl++;gCjy)(qPQw^tQ8LuB{Q_yY6e!MW2-hfl=T!m{`ETc*% zlhj(CLlg37Y@03x-*jNic((G%Fjd;-+Lf<#Ay!i}w<{`V;K&xp=SO>fzsEwimD>GW z*1@6beD(aiDj*IGcMH59GG|{p5i3!zzfK+kaUI1%a>SvUubLOo_G6_uz6x%G!N((- zlt!$=FFBogURzRqs-Curb9$$A!zbB9qJTx(cxhuJEuBN6Z1@@$KPbPuc3ivSCXpF| z+Fcu|j>Y5y=1QUlcS(*9r6Cys9&vW^9`YM~a+1U2^Tf%&bD@16vSTm305?^g^YV^p z#$Jc8y6_d(MT8iG9nyig#M-AZ^bj)eQdGJn zKmxH;9I~5p?dKvFm}g_5ck^D_oTX{ORc!Fkjmj*jnZ-+4@Ok-5b?wGu=62hvT;OCi z`rc}1UU(~j7q+%GTWp^3*?hUlT-mAYJ!+&>J5=QttDS#XL(SrIU>hUDn{$nYTR9Kp z)Nu2Vgleg%%n%ywlc~dEqlX!?HD=+K<{h8WWu)#5AW2f%PBu-FA2u4P!W)aJ+lz<# zo~J$AcSun$=#=wO*Eu~)|DODP7@c$h-AakTeZ533st(&?pfbr7p>B&pG$mOOo~1es z`t&`pL1(&t==srOeyj>KN~y&Hn!TXI&ualoOr&TIO>X%U)tp|nE=zSBaVrx&0^3cd zC5c=Tl-wV^TZm4Q=w!?y_OgG$bSY6b#9`V{>64@0SC+!nywJQ43;LvyDgFa)-)DZH z<=9_3A->74r`xpGgcIJnFJ&>NmCcf9QD5D?TDhtE?;F{R(W123i(ZjFjh&PG^*jAP zGd3hQ)9;4+u({iVNN%ubp|oz83}v(Z*9@LDr$=7MU@z1i)J^6kN2ON{%*qGOt@y-& zZgj6E&K3ULZbezjo=|t&TB6qlqV@7~38jhu+@pUy+Haq=_t~nljIXu_>e5gl-O5Y6? z)A=a)zD+JNuUJ8D|NcF^70sUUATw>;&;BRiXZ1j;FhF<0xPH8<`kFOPMgzC*np&Hs zWcEE8T>k~5Vns?J!}Gc@K{6f=INq2x%r9}_2Cs%6WdfyE-96$&*AJ4)u0|&fX@?0N z3aZw}>d>|9=-SM|-Y|<=jtl}X)Y+paN`^D*+GB|1h5bbuDz8q<3k~)1&hy|zq5w>* zy>5?9H%5CKw;}orJJH*EW`z{{hSmrGf9dBArKdsfviH~Uy>TpnLVzeXBV{+t^Jw}LdX*>d>ndR@GZP1jH9S}S+t z*jO4Z%4Z^{^hzZ?xg>5-T=K2YwQ-o4f(^~sw8Py{w6?_jFyMyCu!1ZfDG<^ub#_mg*JGMrSUB{qOxU zg(osz*o+0n{C~8hW6B+R^u~N4q~`D$q|}Q&vy2P;c^|LmWqlJbYAMk6c7g%KVAc1A z;#3caJ)QttKG(KijP~_?Jf_#BxS@&@Po5X3Xnbe$Gm?zsNDP#5Gl?)I!;SjEtO>d3 z`p@tsG1ofY0zTdSci?Ar2NO^(a82z~Uz={OLsc^E^B=m_MfCtgYaysME>lLR)@F$S zmDWGZ>@gn!;};6xsC;MIV| z&7JJNQ6b*MWS&@z#y_hK@8!b`dj@WFDzrFo+Cl2px_n%*4~NT_#5Z{8bNU@h8}t>= zFTEb|E(jZmsf%gB7>FOh(UMHX=6P%#>N}#sk30<)*%L4t@zn1S$)SBJ0sO9Ml4!OI zizkw?twkL|7e{O+HE`9{03$%p{Qc)8G8HK$=gYr_R1eN61Cd(bJd^_?&G4DyVT4i( z$6UN*Wp;H4q{5FqbGea|i%qu) z(CctpZ6dU~F}T*3A*1eg2Ix+K(Q2<~=w`J1+C6A=3r4@&6C|n*UmlmfIp4h14{VS! z2b6AhBCfOe6joM3dt2%gF(HQD$FoGKh9vSigCgB|vxoG>Tyx*^5L?5~9Ymh}d2YP= z;BDRBQnHYGR*xx=(k`aV31x%b)eIqg*WomJVl{9MYh%(3aV+L@lOe4qqP1;Z_DAYs zG4Sd)s_49=&dAy=45KjVW43O9??ypY2Ns$Bn+z7 zU6+>REt#*^?m$Qvs7Z(?6IdeBR*j~X`gi%NYBp{xE zPtX><;_|nT+Fa#P@c_M2P%oWf(_L!IOmE(I>B*y!H64s1qE3N=h#d?2y=PgqeK}@U zI)=nhFEQU5=`&Ml^lDzmJ5rV>e*MHZ0#4GnQ*=tk4X=(;VHoCUJ&d#Je)9GEiGFpf zTB)sK-Pfk5rkklvi*r#--G#qI%fW_4w%WB(pG*Z`$LWahrIOjk2C%UW(kz|JR{(Ux zFN}mrJ+rS_$KTOHA*1=PyQ0u?M>)5laI}wY>@&w?zuO#I@n*MWTf2;!+#=2+Rx1Zu z9{{WrC$Yh4IcR5us5tg+#hMeFvR7X{-hU+}U<LWEcX&z`?dX)Lmx@SE+wLcpnO6lUeVhb_bNqeD&-t{P@(U# z4VHX|YxgR~aMR5LaLERPs*Gx}F`j^aZ8zYw?Enjwr?@YAp_5%5r;c~U0d7n1q>_PF3g;u3i+FAn7#uj&ziUeP7?cIB)`haAneym3oywp zefj-pez^U&Wu&&z6zpM&K)z!ztJ}ND&I)y?Op}pkYlQC&1%l7DV&mq7otHp)?o1u| zww7*qvUh9huoGVym@}w)a_kxXt_iBMDqm^-rbwmqkc{!~&n9(YY^Sw2g`vnfRNm+Cca-!-;e zW2KWMGJK!@wEbk#>Vdk)2fLmy4G616%2xyuI(cnWZpKq-GZlB@S+Femz5L7<|IzuD zUQ<@!ZZtZ}7-iojV)W^UP>plb*|-(KEfJ~)Y^^;_E7FGg?dH%%ABs0gEo@$7*_p+p_`{r*m|K=&fg3q#XepjD#C2<;PK(9iu3i-pomrR`yAQ4 zyl38k>`al1#*2J*;>cvTjUW#BgMIdFd9Br$|H?0&+-uSWCe0$(CWFj@?0}zCMwT4^ zm#E<GuC89YfK`{%qJ2zdd}O zwDolyaXkC{M}@-(Y;MDV)#gJ%ed{VhTi%i(| z;cl?B3b2yf+)M^n=WMRVv#87b{bDyFbDdHbr5hc?hTcrPIFCJAr|XF@=cjm4%aopwpvMqp;I2nB;pf`9B*87!`+qgm83OM(V}! zlk+PZGi@)^M!E2(fAB%dKo|DuPw12P4f?>eJH*fbq{vP)`l(*paS>S@f2qkMYWKce z>Y4+n;_%5Vn^-O)Dp%3#sG1hF|5kJt`cSk4x^CfvryKr=0%~zXV^8#sinKUD?_RU%l0SERNe~%>Z3D_ws z{OmbsUsPEoM2;+FC4TZHcn*4RM^jHRkJaH&IUZ5;SkHlDXXdu!9M6Ap_oi`yQ_%@h9!@N!y#L1+%u>OqQ71f$oV5Hi6k?mJhizeN4-LiZ*Qj@jesOzSINqXJpcQxFEJBN|YzE3u1R_-kOy_@>UgGHQp+uxi3wKD;C~4Y8W-5B^?vxDj*}yBA)n~;otlab01`1 zS8CFD5ufQ`>p?>0@>6%BXKrCOGAwi@w(V=i_=|RTe z_zkJz*ytmT?*Z8yx0nejGAt7DYLfDc7L=}8$+F6_30rATEY?@?=^X|$9PXTk!rb7O z<{ZJCga?uOQ*2_v$Ja-3v)Q+hg`TFsw50N6PzpZN$K+eo7dEHb6M%S>{nC7mo1Gyr zXke=KWM8YGq}(2&Zm=)|x4y>-%XjaMd2T3$oY{S&kE`qS?77Q!-e%@Ed9Iy{d$g7N zxyojThQy`&z%?EcMM=VpQU$v_NE`ul%5slzH)sO0u-a03r;jyoe0CEGV1%8s=i;`< zeVAD0Kl>6IH_%!jg8mz73DHYVv$K|FSZ7^M!6?&<)qb88)&t`=0P?k^Q9tjDJHz;z z9VGIH#u0GKC0qAYuAO?NbK40i#O49Kaz;0CRTopk3Tw<|&HnU=mh^LiNUW&bD0;W{ z3CwgfT^>;7=3|qH>RqQ zYje`(bP%0MLg|oX)Y@$r!_e6|7!2MqMF*icRA;GR8#~- zigfAHkt!f?6oPc5_aLE337yd4C^b}(5;_9X2@oKmgn(4(QF;wX6_QY-H@P_n&+p!s z|J!}I4>u!Y?2)~*_S$>xwdb1ao8LFr7V*GnMq<_o_*M^D%{tS%@HXiFe(`){t%-^d1)CI% zH-8veVL3+sGbiwn-6u7lxa-fQF_KH1>A3~Ma&DwRS~(cnx&4r>}CBcV3mHAwx(w%D=Is}4ebn|=VtI0 zm;JY2{i<%!M|=+Ro|GbYUFTOkIpLxyDNm zDb}q&a?)&O$ScC)#b#|b+ao@GPCrRG_aFXItmgpBdY=6Tblr>olBOsH(GKP*L4J+L zZMnE7A7~wuRwSXMtr5Scy*H#av~G{WOs2U7Wn-(}U)d-ri@cgV9zr(w6^j;QXJsC&5 zOO~lYmg^x#X~(!_q{Gw}#otD&m68@?pb-$SEUvVu#2K!-_dV4ltC+lHI;yQ#X}lT z>OksoRN?6phQN2-m?_7N8Aby815L*EXXjTHI#XxyX5SF&$NY#V@XXedRcR+GDg5qYB|;%g4raT`;{%DOCh zLUH0f$j>@Oi~`QnfR6FoP|NI7i`AHfH-4eWcRq@^5an%vS&XhRQ8r28TvmMT9D7e z*W9>MwG=dl%hhaygGxI=qpw~>p99(@{OGNu2szfru?`03pG#)-XXUh-7kd*4_C z`sPNj=zW9kO6P(&@>((HoJlzqlei@fOviYL7ds;Hq`5u%(LE*x9$@gd)PCCmyA$0& zX+23D;BI*{V-{nc+TFYZ|K*LkF3Lc&D2jvY)^OGPuWh$;x&}DRFAjS;DxgcvW8Hkt zm|8z?re-Tu!r|CDox_(!kw_yaLn`uhCEt^WJIlOWkVk<(VDyd-8%%26F}If|Q1R6# zAa9$7OPBW;er5ORxKLNq-G8TA#|mwoM{dU&qu(^4g-ZK)}KiAX%< zZ+fa4UiP*FhY+4KaaaBlYX*%hmo)DqxFd@qe z7~DU3XwE1kWWV4}PklBf3{YiBeP_`0oOZ4Dyc9EDk<{VKg!!RZ>1~8qBth#6vw7Yh z2r>g4Z*RD+kR%DZ*$v27OPNSi+I|_Kd$auA_kx|`z9GV}D#0+zNaI4L!o`YEpW+iA zfLufon`?(RS;X0-8;j`Z&L~DQElBuVO5IQ3yj+Y$8XK}<#D-nY%3)wrgh?%+1ffp~ zNEIL9#$LxmXlaQnHy+csw|O+z?5Kd&)#p7K_n^ljRejMOoCFoAGSt(I-rrU~2 zy_aY*UoEByj$BV#70hYQK2_UqyH$0#X@s_G?&nON z!WH5&k;6tW`CJ5KlnuS(2=xXH!|OIn1QJ>`Fv37c|s`ypK339{$h zhgGmH79DNCQ>D*7b3ugaqLY`htTV2oKZ^tfM z0`QjMlaX~0@S3HV#m6D?cVX~7n~fhqHv9s$>V@E8YP15k5w*F%_F?f(A{VM2Gz<(? z0SAfPg_u+_se-{ z*RXel`>W%L7gT_}1mpQpVoJ4q%F{c>)N=TLJ0NYfLkV9xS<*>c-Q!!}=(?(2zistbmL!D-?3kD9ke3J- zz}JmV$7F09vH`EV=m!foex;Uk3stX5K9OxblI3C5fmfeBI^0KIq?DD9?7&ILXHsWspFXV4ldtuap`ljKs z0(ljn+?T+9@K`6PO($!%qcn5Qdu16H8;#&nUgz3yKke<&p}}e*Ng#6ub<`R!Z%kgS zIqUWZi~A+t@cp*%x?Ap61!+x5hbK-5}&Q?J?0jN60mG3_xYR~%8Jsc|hz^ZvVZ8*t(<{|54` zK?oxJ?8#rkZH0cdd`(jYfk`hyFIAxOrGg_Wwdmi&ZO&b}A!Rdrn>m23H4W?)kg-_t zGT@u+5^Cnz4&93hV@DDRejdE}KvlXrs!gWI#_o~~2oy}Qa;%x5aV{K!4^TvKUa~+=iS>vAI za}K!c=D}6i+-695C#T6ZbC7EIzedvV5x`<&*S|qWUCf~HxOt>-7FUwWpdBptnQ-2r zCZE-WgB^VQb8OAJF7_)}UE#EX0Sb;$%!{3uuezORE{5*1?-d!-EuE+`a8D1av>}l6 zT1b+tgFNt&13Z?NW&lBNh%YBv>aY0Zy0`{DnqcIw(2t;_${1v5+BYSQ4JdW6_jpn% zDR{Ky1FIYfKEA#)IlKEX2GC}yfN6+b=>U^lj83AQD;LC>$}vh--?s>^l5h{d2I%Gj?B_crzzZBwQK^pb{$z#(F*$LT35stH47%o?>@`aH$6AG9 z4EjzM6ebuEMD;EDc74u7%_VmG`Tn5JkO_VAI3TTWcf51UVA(R=f(#x6^|43*)8zGk z!b#cQp>8cDDtrkp*8f8Wd9%-kDnr{~(1Dl(n;J1_SZ>0Hc+h(Yak7ajj2SEYAZGmqQ@seP%NCWdrySBDbWG8_uEM-x=NteEFroYz@z`W>ryj<<8AHT8(Ha%G8EMtSo}1>7FOF|-Pg|~)0!h7j1^Ns z;MeQ1qK8e`lf=4AsWxS$fvGnO@1~YAnq^{07IF5*nB%I#qg7$=aDin_9qIOq5}0&# zi(MeClDMt2`?voNynQ2%fu6*ceIq#+-PCv^O@r!@TsmL2TTQdzOm4c#Y=hmBqhIcMJZ1OAC<}!-~mTb?&jGb18S@D+A zo~Xh2FNA`8@4WlGY10fFo*Bp?|JRmg^sFIDAmb_mzLN-4BlOvQ5vo18I9al+gnZAf zAk42t*;dIphpskovqARWbF{h5Mf~eg8Gd|T_8?PLz+00Wpu$50u8UY-K+F~>|*4)P?hu?#WAD+fQ5i;CZ z3jG+X##{XX?F=<@>%b9OA$j$_z+(ULmG_ZDLmJc5Vz*{D5av*Lmg@lFR+^C$qv!ZN z)ILX`hyQ#0w7^$bSQU)rDexd3HdCZ0Qv2gj=&wq3%s^bM#brvDNVZpq1qg2y{zWzG zwJ$h3PnT1+9?e{j_!fVuqDu`r$MjoawTw~7#Z=e?qs;iuO;o_Ocy&kaP^*<~m= zn9o{_I`Za0z6bYgtGe(`hN^<(ZkNBZuj^i3G@CvuCfd%8KC7BcXEpDE?+0m7CIZJF zuK(M`dCLp%%>_YnL=yvFwOqcmBJ)v+)fpds58rIvixw{-Px^&AVq|Q`03Tcv0co0H zG1627cc(hXbjH;=3{O}Zxyc%DXE<)Ht*?H^Hv45l8;k0Gz{7V9e(oKi?eJ~ z6mM!QYb^z3I-OVEFm$epWxAcHm@*@%$zAP~0$JPK7?5(@EPwDh=o(dLiLXzg<3u80 zZO`$LTTldhw~c>VqAlb}E?7i9_wjJOy1S<#&2DVx*%2UQh2d{7f`p->EFz;WT~KYc zMprv_a!xe3519m5u6~k*@P(FiZJ7-G17466msxFkAmdIe6TYkC$7|=Q)adWcc?*M7 zS9=yYf2#iy{E+RO{n7@Jk)2b|poncVf2V5uzx+AAU)Efe)jAWMSNJGqv!Y*N&NvA9 zAE3DW(771fKM*|Gxd4sUXuTD<3oAN=Wt5nwPYr3TzI38*DGts&xzTd->WYr*PDZ&Q zlM+@!h)c2~_J0FF(wm|Ur&M2~VYCdCZ!qi#uapSb_|+Vq?61rC$6djBAoQcQne4oB zRq>#Fzw-&|Kv%}2Nqrak1LLfJkXN!D-`b%0u}v$D%WmiVwz{sWtbgNDi=j4W=3Ixy z*uQ>~CR0~DG*W9_Z*>o=u_CFdGAVyGru#D_r0@yZ3_L%#3o+sISQwkQQ7~J8&xI|= z;0vA@iHaOP*{GpILq2Ov;>8crdncSW3B=C@xJnoa@7Lt@xL`BmmVS(03tosX_yab7>aEEhFJfo!bN;TZcY1tvUvTxVpB&rW9vRg*^=T ze(sf~6=jIS+aWvr$bO&krW0pOX#!Q@rMF-Uup169@6(N%4oxusa8r@x(qJi|-e$ks zV8Fdfb#rs1h@sdS3jSkjw@9=x=6aMY%eaUV=^;M!nBp+=rl332vpq{=YBob7{lC8o z#qa{rBLC?6$QIoSX`DO}u(%W{rvcTL=0v_snJ)H$XBMtJq3aP{I5u5=DuqN(x+69# z+d=&z+qWN7I-mwwmj!gR&QgU0v!rfY;GN^HD9Y3&k<_V?YtIx=QF(E1!LY^O&F5eD zY;`qMMF(ZETgcyxB28M@Z3<742ZO5ja;LjjW!FWM>b%l1?8TBozI+H{M}PplRIK|~ z_w_Nki8{#oG6fWug*vn{&P;?mDcx;=z|h0JU)%q%2WOsSK-9TVeKo{GQ&oTS!>{!o(|CdbI_i0jRNfpJ2OKEAUW!{6FOj(N|m$g02EAM*FVpvdhh-2 zpzit7Q~mIP;2!G(0*h3|(ZfPGI=-FFxMafMTSiT=DwJ4hl}(F!k-pTd>G7*au&5w1 z`p`x9VpaZPd^0wfY|hIZmdTSVGb=Y_CucbQN1<-qK8*xL#RqL@)Fay|BRy?w@ zAWqHY<6%p(8GUC(qEl>!;Ip?gkIr`;_)_*?x$xWA^>EqT%M}XGwk)`K5i@;SMz?D! z&^a%-HR8Cf;4}w%y%PRLrnxzO$-HIhi79d#ITQvv;Nc>64C@;pa=<-e61rKwQ-aKn zo+NPwn_8r^1Qt+(%u3*x;~?|W_ci}JbsZ@nXca|~iURUD`AEk)cB*ii?l#6s08%VS zu!D+-Lte)tCAR1DKVtMsb?t-wRTkOt2KXEVkAI(NcR`_ zF8BR2>NOe(mZOoM4)RfFcSl)sI=lKIoPXx98dp`>?)YJ4ZK>nGo`?qV3TM*P?Zly5 zBY8G$5$egt{-p5Zyb~{T=`I*6$ zd3ZOnR==v$&0-EWM7uoraR71mg!jO!YCtURZwE^{}-J_~}fk7s*e^Dw;kR-@1)!dLq-k@9husfq9((f&O zRcR|V0w7p6MzI5*9zppOabmNXGi1$gn z!B$3LE{Q%$6Z;J0d;syF*e`sY<;C~5<(;6I{h3L{{SdU}yWly=w%j2h4pP0VnDO9r z%`X!oJ+8|ZL{F@NvOOFY6v~5GRWs28>8zV$De)rA6Gd(>v;pM2`$MK6`b3TVE3aZ_ z(nAPw5x#nR<6x)cF-gIS_vJn`9h}}PRDew_ld$R>f{WJqOi!)W+|js;>n;EYn$()o zg*O~E+7T}-0k#u;8j*9)zD*YmI&!K*S*jOE*u94UX)SRV(sP$(@6d7iHS~UJ>p*rL zhFYn+c=a3A`OZIvABPkiFGq1hd^F2kBa4`PNOu^H7qicb-eRWNdHiBNH%?yi$h>i0 zji6ra2L27-3GbCs(_%%Isd|<7#&-?p=%z)+)Wshox>}*2teZ#cA<0QoWv55U-;#a_ ztE<0A2P7a?xe(&M+A6OC-}tx9Pn&|M93RtP6Hu8g+lw{isgxC5>vXi`Q2uV6ZI0a)3R#u!W5e6Xoel}C8F3VAcv?-Y= z&0y)Eh+`0`)Hpo-6NtYZPn`H*m-mpj)_5@Rjj}S z3j~rToIL0~8b9;CR?6mGlQ{Xc5>e&bH760hGKHO zk4Xe)89X)!wJY%%eKe6PuRr(1#nm&gHRE0I>yIU_xwBm^+u`cY`*$~A{L;oNc5-xd z6~Ts_JZtW`>&glZ*eaAB|6mTQw@k5B2T}1WdHKI*H!U0?g)9VRMH#nPpz^1Rpq2*L zKsSP4%M0>D=2*nhT#}{UpUwv+*Q2_xrrB7c5Q{< zl{%>$zVML!6a+8Y<~rPcF(=o8gCP&oq6T7(w>#L|Z=MorcACk4d6t(HQC!(MCT5v_ z>2>MMbL!tF1G|yk6-fD=>5$EWY!bZheCVDAgDtPVOP=zS4RCA_RlH^<5^f9cnCh4* z>Z^jX~WA`90=#Ey8DNuy+UJd(S~p^;Iz&`eHYguyTXM?bh=|# zS#hs<%`zhNT21&Y31_Mno>i{XY>oPaDGj7$`~Yu7Y6g4wq2619$r`EBZfJA&P1JR!IAybSd-DES7v41*yZ{vJ5R!=P!27&L z@rYZUH9lcm9UuKdp?h>wIQ-*m=j^$uuo$C)Mp=l95N;)bpa&G48F6)S{i8N^v!uih z$s=Cf4VQ>aG9h^FtS9ort3we zBDO4jB-(Ws@_$Gw%CuVuf`A@oogpX=OY~L#gB|);g+)qo(W?9Y@w@DIVZn5c{DD>r zjF0V>s)wYm+4+~2kkXrUdqpj`frr$pI%vW54vxIZ4HfF1+z87x^S0S?t!7z;Ij8%p zPdPEK5~p!3w~M`E{KW{MQAKo8ei7VAu82C&r&YYna~%}rgq*lbj|OVd zt_M#m-?sF(msNAQmnfCWteieS8SJ_$@SjkEAA8PX^9ZhCq|5<2&pm(Tq%BsrYkhJB zRi1LOl(6&M?01fV@s#k!`t`+HbX&fPsw{Sn}5P<;0bqje;7@u z<+nVv6s2#Xp{g#th$8|^Elrb3u2(Ao>bugkh00s5!_BRsiLEfNmM6WZ4qPZ40Latq zKIPqNc838YQYU*=7�vIrFHNvqOp<2xaT=mi}~)h-V2?x#;T~AwOQ;9`(?KMtiRF` zknM=m#6R`_CqEYHi70$XZ@x=T%-YMaym~%lJJ*p<)5;&1Wd5CVp7hxX>ng0kw_4}^ zBfTRzs)>487bOj-ZF`?jzfMUO)Wc6ThYJ~MUAQVkcFEzh4mh0i7`e)2LH0@KrOrGK zB{%R7U-Z|X{{QCxx4{2nEf8|^^0%L}qT)dTp|+$;9RsBAbdL+ZkddNs{a>(>xW~O@wUMl#qmx z{k|rf5NqtSFJdKoVqsx@$JIRV^LvK(kN5lI`~DiwGry_jUiap@&g(pn^Ei&{9-oui zYHL<)UPYl$)~Fv>Jx!skKS`mi)cyJ^e4>!^@;3gp&EoiJEegd|ghKK97lks5kGwum zD31Fml#f4BDDw9y6y7UQd8ZWdi?7U2sHsvo}6a=Rl!|ZzumObBtMUbCF9BH51c^m$b@gyS2>>NF&Ml& ze0iD6v$pFSJ7o3u7zS_re*Mwp(=L8O4|o!DW%eJQiOu`{j{UXOd9>fp2;`mfDLj05 zAdTl#+Hv6z>-CKrWOshyx!2-{d?zjejW^K;_D0_NRwt&USmmnHKo6fnP0y9LlR*z_ zSc;wu*4BIDD@Q^T@q?RO^mF{~(dw8*pW(01!`GkuV#&v+)ee2L76%sEVT)%$@MRxfY8vper{L%e;cX>HJLC;U>Tb0gQPw7#9)UFD%GVc%4 z++!&G=u1k%_TRqz+c%ywTYb1iW9Jq|dU|w}ZOJ!Y6uCFny)yPZmyz-Hu4T`S7xyyL z?eYun)W+Iafz@uBMn*Qq*R73=J^SNoo0>NJ^6tHJ)VE|eMYcFTKK`L=_jy%SP3^Ni z^%WI(hzghGG+W!`+Ob}V((Y2<2qh27wC3Vg>#YM7L)pphsJ$QcRJy$jXVte758R<| zEFSvhA>C+2xsBy2b32tEyElxEB$xW~9A!6Fbw9({PU$UsE4jEy^J0Vqs?11f^wR8d zBphZe(=PRIv{yGWN>BKP;ut`iJ~hX#?XmBEUy9jt6rRE9+k&NbT`Hk(vdEdUda4$*mwR!jr_x3LHbE2$^W*!9#GQpK&yJ~$`VxUt zNnzh;QGS&_k&>e*-&%a{&2`-TG|NIz%IzX$H2nKT6MX37{BT!bsZX#dcN-4hpl|GH zou2R&g*t>G^GOOd3x6~9Vl1#5GeqK1nS1d=9M9Ad6^%ta``99s{u<~8%G)TD@La{# zRzvPKPhI8B7>nwd%@nC4zx;|2vER1R>7YRC8?7&2PwzwnA*9CzD7 zv}2;~RH_MzX6-G$s!mSMt9s(Z339HItd{S8piDnp+`(@PQC@goUy_rYe2_fyQ*;_7~4 zf*y5)yD-jQFCJ(4Ms88=9;BA{ds4ro^w;IdhTp-`E2{{`obphlZZ4VAZ0Eb2OFUi@ zw~)m0uDnHTF~%=ae!aY)_1)j5(5oRl>ZwSXFHg3Vn+D}d?d!EGV`S|gw&-H`zgu$S z+S<{YeiDU`lF9FV`^Kvz)cul>;M{*$92(>ziHkEC`S4M|;(Nu1zsfJplKAk@$Hn77 zzW>ij|6U!)nEW%Qi&7fKco-KrH;Xuj-%rex9K4!qJi)VpLMhs| zIMu#&FmHTv#&Q2|{0i5l+zfFc-hV9)X!o^#fq`ldPCjlcavJF*DVy^4#s%A{MHA=c z!1`3LBhzlWJH*`GT`?~|KT@ewPD@i$xUAX4$s|1i$3J@ha0!l)m1(?qaB8^2Xp7Ue zYr<2U`7Vw}dV*|fO-)S+y{QSn2N?7CGEN@}jsN=DS`IwX%VCUYm z#lBuk<|viQJZIu?>C&D~PxesW!KZq=Pl<>1bU1bS+oTp|4bNgMJZGxR#4m`ip82XT zvYuQ}NlA%Wz*B0ze=Wbf-j>vJ=_2w93bBUCWp}r$^|?1)&E2|k?bgR0kv2_FeT**W z?kE}$N!{}yTHB2C=Yu0-eUWx$Bc7~$gF;uwr}%D4{;>Qz35u7-KDoS>i)(&<-e;_&q=ZlH4$oB%lTP!jIn;1T z;rih5r&_8dZ{PlS?b@}H6B32jnjXZuE1R(jBqt{)OSyFv?aTJZ2y&*&GpYXGZ?f&o z_84XDX-Y9MYLiw}jJnU7o_2m}l$~<9I(~9$s?33*6n4LAFjr8~`S*7U{@!`4G`p^% zl7)FTtK6xW-65GrQ!ROL|?!Zs}x(Q)ATq1l>npw2oZNY~5!nrJJaCC)1|+Seik>Hk;pn zWmD5zR&;RGRAx_^C|dV9=H=zpe3ZMI+g>pC$XoXmz0Iyz=}F^9x#S8XyTXlK3sc$5 z_F^g{=9N|YL`utt4;PGS^OKo&LctZPc6N5%_gltNtb2NT9Ghciw1!*KMTc{G0_rYJ2wbLR@clh z)*&g}TAUOfz44VOy1&V;J!ikrM++H@mE-pj!^6WLK72TS$!(@LY+(3QqMrG+Yf@=L z3SBeWL#!;@w)OVmot>RKH>@I4lQ+=i!i;8mtPya2`*X=Wdv^BW$(<#mqoe0KX!6G! z+uF9|JB?g+ejVufDONI~2eWNbLS+qi?BBniYvnot&DRcyo0@&Khv!Fct3*joV@S;h znv#8Nj~qFIV@|DJrX?1lk%pAj>U`bX#;U+3K7sBjzh7X}CT~pH zeTWULVLwHfI(9KLUfy0OI^}rnnkq(w)#)Z7A|mp!a|9WIn-is%)HprtR2(TApPHH~ z-5k#G3(<(n87X4d^cOCpT(Mf5UAL85-F7cx6^=A|cF{QVJ{}Ck3C)g~NEy2rmMhof z-FS?~1v|SyZ*TK71KwJf!L;&+$X89NW`Z{lf1j3ma;Ivhp^_a#MOoR@i4(2hbj-=g z>HXDQ=l-~`kHa*1#GU=<+ZVD|-X6Nt@@z+dpo+lq<;#66t`D`I;e8arKw633wC>w) zOG5V=JxouRbai#@j&|x)SG~8u z%WGR&_&Pc|#*n{6{y0RIKh*>|4gT6MfZWQ49?YkrNqZT}mu$D=I4bFfibYdZe)M?zW)zzaBqpxuiH&!kw8b zAbVxo?Ck7Cw%V~{>zT_bSAJTI!47GJRP}D+=TG)mkeA0eswmRwW;tMM)beByPavf2E|}tSY;wcl6fH6U{8%( zwf`2GV>&uIwow)5Kbq^+4-|jbcrjDF{Zlh-zS+m##>PhIfZomx+6s(%myd}F>$_fN zw7f_xo{22>L2)WE9?oUPlOP|%6VfE*qB_3 zfk)#rH^E@Ap9U(=Ug#EZ;M=;@5BW(nYp6X}5-3`T&QMdP>$pp*uv-}G%azApZTHE% z^El9gA5)w$fx0_)L5X!@Q68!u4dhG*`iu>3IxQ0HgOD;jpNPoGHP-&}R%=_^_Q-0H zFH~-?6HF<+uscLUsBQyS+U1VCJofnm;oh5gO|@)Z5xe>5b*q)(Jg)P(dxUpxu;1+^rK}wDW(s9Rq>PlgAr=cEuKKTjQI#3> zOI<~U(wKMW5CY_Tgy6Tc&6JC)6;6iaQWwwy9lVh^U@t?K2;n4(akwk(!F zk0+K3xb4|*itB9fEiK97jGHZ-5c(n=t6z0cM5w#dZA44eij+4)cV;QCndVl7efv)G zMkbz38XJANt{hcJx9I^&YP?pY`T6tj3ykfmBMz>~W~|lP+mJs}WR#s;T+F$VqHbnp z_Hrn_IMCbRPd9~YA5M~WCnSWRLI&Kf5qDa(;dZVSElhH`M*8+ss|z^*08GF2$S1G) z4qddf(@`ynN2H2mt--3CXLZrPK6@sqF+D;IIhOIiU?T^T#rM+}78X8y{HQS(&hOrm z?_}4J`8n#QD@5r}=NE3%rf-)Njd+Z>`Pkez`??{SvNuk1d3L#4hYg74@ZZ<0AwqhNME&K$$tD+u2d-g` zd^;hKZquBC%imFQn`+3KXBTtW=c*@f@|wyrnJXwi{$$9QUxZhmmrel+(i>gkPVXu! zFOS7q&D#4{Z30FU3CJBQ+rs_R!+?N*5*Mz78=5#Q&Gy2Dozk|g8wgg+$jUl);zZR7 zquZh}&gPwLHPwvF%;?&KD${R&xz(1?%+yRimmYta6fLpTf~%bq2f|;wn57Ns{>#z&(a|d}S>I3&IV|qp4ppKYyg`jRN9V9;99EhGv!*1AJyNW~ z^|k9*DR0l4Gz%XK0Tlf_oB8*mD(Zf2Zf-q4uN3fZYSQKGa!50Hs=)M@>GTHBop{FM zKV0m=o@#Y=cc1f1l~dTakqgjaARzzUtt~v)3XhG^@ucGg$v>!;=oim6uHbLpxoQI! zRWS_T1`0TZV%@E0`~)D^B2Xz*cDP1iL~+OiPk7z5*<3taQv|vHVM2mvmR*-X?^U_A zTV=m%%d$->y@#0Hs_ZU{U*iN)m#$yvH-Ej6;&t;}!{B0Wm)bY_?xo|Yu!@R``wXK+C2gBiOim?(F+qh4+oUq}#$xP!u#QNU2UDRdF|umVM&;9=M>3sHf5u)PYvf!% zeQ-H<8y9urkQ}P+XXZXunr_(DVwLKoS|Z396O{Pi>i_Vle^Z>XxLTTlpLyDweQ%`b zA!7RC({C^PK|s+GHtLGarofMYAAYoj2|B%Tp7)_)G5{9I zu+60zBol^Jl}<2J=x-K!1UWfV>?R{StwA>=D`vD!?2ntU1eY}Pk6sV{Uiy}$yR^`s|%(Ka7x6>Krz&ammTsZSA zMwL9$Y#v)>{!=}Q>&0}7@&E#xJ6t4tj{0{i;`?{ddZ_|QdV2%>^4_nsN?+4#Ar27Z zGltWkBs7Lh-A~Xah7OqWq|eqVxWjy`F;D0B&B#J;DjJ|^2`qOWB7!EJ#j z3RXn}?Z7!mn*n2kt(jtHlMOc_33+^CvD5%~QTprs2oHok`+oNSYklG*?~e zKAbm@QsR8=T86klhU?@<)%VnR$APAU?VeS8vm0#1Hmu6LuZ=>3-u+FXo0Bc)+CC;a zIc9-C*G!Gm=1yAcpMU-t#gYiCT9Z1{psUju5b2U^jjKDPlp7xi*Cbu7||=xS0leo0^cd8&%>A$^4_m>L%QQ zw>Q{>DZk<{tJICE({A5U;unMGU*-ScqPX9k!SA&Hm(&hO8MSNi)ZxQ_d=UR9A4JaA z02vt>84U|qv!4m8(^~&0>z>!d+amU`FIeph*493#b%Xsd12X?#1yRv+-l#3j$wy>GB+OTkI;dCbXHA4#KnOieaSEqA-2i4jPQ0Li0A{IUY1`2};?3 z#S*lcs!f7|fihk0lAe=EW~C7aZMwzGW;6)eBG()(K%kQL*4F*y8W~m6P<2Uoj`=!| zSBQRQz(^uT3&a<$89yvg)n?aRCK)Kk<2yE(&L{&lWB&5i8Xvc)iit~ae*Yec zqK91IrJPh=8BjF$L>{1!`Q*pO+SZ6Uos5YYcU4uzh3OujAsxjr)u+a}2ZV$$3oofA z=~mTI0}2yzYXz0J_Fm1MGF_NsaNKL0-11oC-M$iKoP{n<{*rhij6Q-$M# z1-w&8Ncz&7?+A-FkdlA7(_tCq?O~g6bjKH`g#X@iz17^x8I7GDVwYd+kub}Y3N^NO zNl$RBMT3fxv|nDn^$HDCS#52toP`1)JZZQQyMCXT(gCl$uf=(V)Wnj=oYsr4{XZ@JtepOsHDH2UrA+%SS;za+fjlByNZi{Qrso z%dP1>mxkV?Z3ipp*2;Q@K819eFP#+X(FF<2xEKATXzi-icSm;bc>$DY2TuzM<;sJ_ zx$#gXdPal%>$V+Js1&5+o=v9QEG%?n%B)&J2uaj{^-LWzi|@x`33d_^0($y1 zIoUWQ$j|Su5qDtZVAkahL*H%a>{L;XI`-?R%wOxsLi4Dwe|Tuf-^a)2{{8#j81|AP zLX8D<=*Bx2g$FKL+Pb_B z;3H*rtf!nH7}5v*=<43oGC^0T>_rd?@I858&KL4{W^et8Wa<@?T0(->l zPq&$V9h&?|CgG6tSXT#QZ8DuH<~L*@9(97V@@8 zS!(gZY(X>nOrK49stx|s)R%)UV2F066Mv+Oa%4I~zP! z;Oe+qx5EDT$jt%@?83Q^`o$5fR>F~YWI;-4P-1BU{RJTBwdUyUK8kb+Caw(p6KP}| z?cqttd9$?j_?#Y0oH`s=E7PoGKWH-Od_&gnA-m`dWK{=9Zd`TKC3P&>&LipF6xt2d zQR-h()Rr0>L`tXZpZzhGs4}Y!11Az|-Ape0_5nP`eJ2k3aD!}H*P*^=*7fnKhjw-A zsam76&9ui#Rs`!{4?HO4XS|H^{ASkwq6BCGI^PIXLUVhAVOHcm!&lwou6pfkim{7n zvq-YMygZNlr9{05Ct57atv5u!#!Z__r4}Ij)iyWFjCf>U?$~@HbdQflT;2PP%PDVt zk1qxfryqesxonhcY&tq4(|+YhM^R&5MJH)nQXx zvx_E^OJ;7b<$sc|mT8!r%!DjMDgvLZ{1%yxYq}j-+tmW36sJH+bAmS^eCQMN;DP(v zn>#xN(7%wR0mBCY-zb1S7Dy^?rp?PK6rRINM+)sZQnPv6XMsXLsnH<&vI*%xX*3%0 zIv5)}RaK#_Qq42<$JErgdk)$(NwLSa%#!%r#8~^SR%!*x4JyJ;9$(<=i|nE?e>>p- zem=fL-(^ZO?}IZZ3kY4Alw{K>SI8dDr+)g@U+B2Q&8Ss351Y5$TC=6bxw_N2$KQp; z>sz`B1=n4fZjj`y+x2Hnv;qoUc2=_9?rJ{wFDPECk1o0WzPoAy>V705fCwJ@(?MAR zIrvzRp0RbLBi~6zktTmn5=A%ZZ1R)*5%ekbgKBmcz~=bagAg+o=S9C@|GG8PCKfF` zl%(#la>3Lg@T?|)7Q!iGlc}`A>z-f=QAA4?P&qEZA>~h{bN)QCF1l6{y~w7`n>8*C zjEtnZNsu18`#zfSoQWC*hI4g*fRa432uz?Vp(0H3rDxgfp2)5_tB(C(DZs}RmSh1v z4f`>HESXDZ#|kO#ZnYJ68ybEKNYAx(b*FjR{iu%+k6NeMT^vu7Q7UMS&^_nY;|V{j zWDiar9~6XYrzt`n_3uagGe;xJ>@P3^ zLk%dChr=0$CO>+4T1w4$WPLcU2GBHAsJ`s)0FG3W@*M+tfNlJyLf1u{6(a{hABOkas2 zYV-a3gm1Zf_b%a@2osYg4JZShMJFoEh3qz3TK_;!f9{TfHa^}^;7U0B!^@X1$J!kj zjion)govWjsBh-~IsQ;2Hc`#Zg}^0tj&7#!z>pJ6N+en!MrlPWwANS)2&7x=Z19aY z5C2p%0e!C@c(y*HAn=pzbd z`XVQ4daiYWpfkR(7ij<{p+(+fsf-BFp^!l!_I{4Y zU!)lezEJBww|#O+&`J?9NCUb*b;y?-`#{hxYeV3B`p(~GHfI9&c;Z0oaLYQFJJ zK&*q^1vf8yeb7Kvb*qvqY$>4kIt=>9Zg8w&w zUx5b#oj!f|k)u2r+|E~${U?^Z3*D>+EM zeyu-*i_5-rW4J+qv%RWnl&rmw^4#z1xwy&$Jig;hrE)gY-Dj=cuN15&{zWnIV#S5` zIt#)Cg<7d>hQ%&JQ%g(hpxYuj>Wau`*X`82Mdnyos^Mn%SPNR}XJ1dxkI)1;Fz&1` zR=K`ML^KIBC=bc?#vYT6xD9=nF{^H*NFF@6QP6Yxr#VRfzChSC-;0h1;6t@&sf!z< zFVxfSSXPA|WS?4A^y}v)IYW9e>GFJLKh6Q!CY5x(qIB)DhKj`L;M4_m_nE4p)d3>a z4Rv+v(JY|#AWn|4wyw|~I&G4HKNJcA^K*^@hq{AzQAz^2OoE8e`qSOk7RULHO&1(YE0{~_3-o2>%>(QUL=*lNcRYPxbUF?|r z)jT*jcnp@z@|9?6Q8{_c*saaxEzc}@=Ze5l`=)vf+1SGfQA&PaB~iQ;$5)#MF#L$@ z`LNSYzP;hKb3JW=!I3+5>{!Ir5s4dcN@aIkHyTn}PFYg36CJxte4GK!yMuL9{Nql9 zmD1;1=tqr=+K%SajEs!tTIloV_L$`DA(s2k$CdbSSDS`1{&o1ll~coTpLA!nUG@d0 zidVM7W1{2Z;`$4c*Jk`$PX*RVs*!ikpm7!q(#(%S2bE^;r%;r27cazZH{k^6o@_P? z>9OKxHR_jiwZ(Fx>?@Qsh5dequmilQ;DBaYJjZe-dL89mmP#6Zajt0p}WfkQ)bxB!!^k*tPengHmOIxr4Jg?$*y}SkHU@IgY;+7BwX(7@LTbmI zmWy?$>>cN;PBu)AnaoY6ry=yAq!j>1+D}x=nB6Zm_5zr4dSN3yPkq2JP1IXI!qkKs zzM{BZ@{D*G@28Hr@vvgWqya&>tHPK<(!s-x(+%TD(Kg01%CBda#LNN20BI87^Wl@} zaCZPJdeBV++XQ&X-`r>W6LYn+wN3A_`zB@x;cAnTD+2PAfI1S8EtjOxIXpGY+>IvZ zWsVm7QAC^rf+Qr=zY#S7rbrUiQE4%tEK20SeR-4f;KBQ%Z2&jgF6ZyXa$3*K%E%}| zLamu@2}2qNw*q;B4`7LDsbusQ`W&B`C zmio~sBIYA65ut3%Grl>=Fj-nL6|^kTqTE7}+Ch8u@~y}edN^fEXz0SW{*lX2{S)Rd z#}}8k*cAM^so~nTr1bO&zrJ;p(W6VEf7b-D37(%+g~C#PM&G1yu)o3BvGEKHa00=N z+=R<9ZEy?IhyxF!O8_N$+Kb=Qp@2e(8=LM4Y>swd4`mY{g>5?=L2$oh4mdhGHXe0C z$8G^)@3VIh5r<|b4gRECEFam8%MJfp3CBtj|2zr7YwuG@S=mikqHTOi6SI>8Fb=RE zrcAVuCW^S_(B8n8hYk=z(FRNwFyy6tj+#JZCx*9u8-K-{4uxV8Oe%aPn2Q^sU>sV-pe*vf$(zCM(!`I*_F@U#LZsk^JR^ zWY@%}9MHD#7+5nwTe+AnKS!a^WtIe=5QJ!ZK=Q}feR8X&#!4rlW=(W7St`Kdfhr5r z4?Edl8;Ba^3>u42u7oQ4@yBgKLWC18NkgvWl8gY4M>HpekpgZ&@XTN9h>c5j1bv~8 zx9$&g^7Y9^eIhdhCldxTMXqi6I>nQ04|u^|F(>Xan4hsa4)pehUrOs=P7yzW%)(O= zY6ad1Vp3ohiPGH<2x*tzGDWp}lj}f*cSp$-6@w6U0qW zRejQkd29d+)aF!tKSv34Q^8cL4Pg@CCNiDPFJ|Yv&@JI`C8k5%z~;?&jK%fa^!M;s zfKh=6UL!TX0QR2n51Fs(Y4fR^%>_x{RWHdr59QiUfeY2Ad&F z*tb}Q9dwg-6we=gMoe@S6&E!%HH{nGh$oTAF))#+65hOcHmMk}1+faM>-r!O)w}f? zMB%k!a(qu^;xO?rUt(6h-g)g&g0XlxIx$EKvmau8+#Ii8Z#o(gU#*D8^B}!Tn~XChzVi?fh-jC;30=i%PXNZUgOoRo353o$m}SyadKp;!E|cqfO~Jy!+Nrjn@8`XA^Z4OE1L2%XcK z75;NvI2d85>cVNZv!JNKc4WVEArezQGP2)_Lbcj6=BNkpM;WpQdPCxbs(8Kx0TrT zs?&%#@~ZBd^8m5f5h7K7=%7Px`%xG0yJmX*)3oZp6TF9rh-cq@-q^`REj{6?AqEq2 zTj|cQD&D=nUCaCMCx~C34BI|QWGmT!o7h0?7`Dks{w}2(`<8L-ji}JaZVmsfa#zpS z4A7c1%Y*UYeST}PTFPM6-asU`!H#?x5Ds5>YI6;; zE}e^d9OF$`Lbu%$u08%TeeL?l_7ClUO)%Iat(b61irP1W5{vxMH}3$G$3eGqJWrvm z32EPafGn@Vv`3?#28$KRy~Jq@)gE*pa+bubAg71c5Iyn7YKhk_h2i^?`X?h|s$T!t z7!C`;NEjf>lTwQeeFcbOh5=PoC6cL-_KK(R+0|2!Q$}vpjzs2OnqvLHm!lc|*(S38RFjC&r zEey}5D;#|96x)NSys8I`4-#v#cCPVd=VU_QjX;1&d$%79B$us5FcLYj`+9rFss)Nn zo!K1%N_EXk4L~5&D4U*s=h{!MYN`d3O-5@*DJAMMMRcdbp3Jhu%s0az`t@g=YsIJDbBWSJIkw42?PKssUm2HL(03-uPy!k{c%se z#^N&6H>)XcCk`#4oZqHz`d(wAT?Tr%@8&gY*Oq|@wP3_3kzpsY=!R7{IrPHfz?3BA zLDi9wv>j~*U;M%^*PR^twf*tO?}gW>rzx$g){9?}EeweMtK;+Ik77Et zH3jmgGBUz<1^e2+eEqxYxiHbtR!ytTF{`bRO8~46D{B`IHY0<6wq<`o; zs@61dTP;EP_*aqHJr*=&8|yTd-AGqw*Sv!GRi{7o)q_%DKsYn8FvwWgqYi~M9i#)< z83I=h96pSX6yv@c`n^bs|Hj#Xnn|nedyE_p3DJV?b@*F zj2ZWeAK>gc(^G!BGQ+&|4%lKL2#hq{0aUHPvqRaLnZ5Cmmo6ipP(GngFu_kHJZ(z2|5q%8hncum`m7M@AdWdk)^3#*VuSwS9ZjGC|Aupdv~<5(G41 z30NP(w6?KHGPWD*E)5xiFZ2MOU6)6r@GLIcNNwrtG?klbWpGB#BV(oD@)ifHpEbrnVdVL0@*07|MyxpbdX{Xm7 z{0YVL9Af_-OMawa;u$7d__jts&=EQlTy!)8K2Nof+y@W7@0uTWs>guhMj7sXl28-0 zg1|)g-4RQ9?C!~ZQ=6NW3;jeSAiSolaQJfxkVJtD(%h{Ou@768gyon~4)J?-Zsy~w!1kuQ(7yK={JsqcV2UgC zU}F@%=sx<3pyrVyFHbRBfWnE%?jXwm!GIDv@VLhI;zjw7>!W=#FIrox>+05@V&YM& z?`#yS>*z4qwK+l~QLhr6z^|xsalk|<`)VQm=o=~^20sH26k92src6S+gI!QN5vmb~ zL?RqM$7GJWMS0Hl=YDwT+j%8gbl54w#(jFe>(#p%wB65;doCdicdyXa6zyUCK)HYC zi$(7X`dCw8u$AnzQH0so@!W5p?gqLGqe><_ZteVmdxeJjhN-QhHHZw1iwcqElVeBM z%JLPj`{KD?e53r|N1QTRX2pn!KKzs6G3;t{yca8d_3fcmH?6~!+^&=FVJFEsOE*X+ zP4?QZAXp&W&p>@N8rVspjO<*o==B6AMOWQ?|NPbQWQ(nt%eQaewc%p)4W}dM=z+0= zg|SepQ53^56NcsT*3qsX6I-B|5KYNYZ5hQ`ZP%hb!(Q_H;1AlcK-~hKdsN4&kV?>Ch6_AZ2fe&uO=GLRB!^F_Bh=1XiTU?kq%f+d9MDW;nEW!wrbR0e!7Je zXQ<|K1XRqL`Yl&$xGkJt1K z9hJK;R&eI{=LqbTwZ@LSZ`ZBUae0dMfMR?uh?R6tC40#sae;@)YR9ivcw)L6AhF?;*vpE%Z6Ja1?6NHqQMS}3XeVAc5% zX}B}X4cYoVoI|hw{PV|Ea`&59HH@RYCil=C8>%d*rxq8}D#w70Nv>8WKB+zsr8QvD zurrqRp6q!-fZi!JPl1<5-GRn*@)T7cPoT{vWO^dt?w?+oo9qI?X~Hvb9$1k0k0QWL z>{zEX{UeCzI#fXG%a?1gyaW3quohgfK&S$GpZD;3zd}Q1c?pn)RLQzO{~XO@fpOKhEKW?^ z1;L;^$_1XrXB|yVXC1L?x;L#{AW4yNW5w!cSKj@h&O)%)Y!6gC&>w+gk#H;X90!7g z(Q@TNi%9B|K6tRV)h4wX?u>DOI_*lQg&C%(I@JHRPrIPux1CtL+@er(4%aBN2f-s* zA@R0=xQOXuxyN`6xA+NeW%N^{V$y5m71F5;?V#6Da_OgUkd1NrrY<|wufiKX*pjZm zj_C^fBja$q4n0O!J3Jii5OTC!xpB!S?T;wjc)Wx?v;BjEuUW;MdG(veVMC}IneQCo zx7Vi8IQQa?gQ!IP=!X+yvl+Ht656GCuc>@HHa9)Po(7h4BBH_Agf+iS2v#LQZ&~q zp~pHE%;fm6HUOE!NexUq)V`{ zQoGdxVAdpYB-`VM@?zCl;1V*_(}?u>4Al$WVlTEJB+5$zNg{U$R{%7l++(3kh!u~E zVT3f{vbmhw8;aU}h78jCCrK$9X$G(19!d9{pA}XI`}p(-k{mfmBexDIE+R5gtQ=0q zU||wE0|QB$w`|(UixbEhQ?Y_RrGEO%Ft+m= z?Yb);Dk!L;$bxwBr0HGe0JFUA-E=p58)a+V$$`JY7gVbJ*tE3$WRB)$CX&jaQ;L-j zXrUwo&0$~mYur$r-cEHq)d6^7c73lAL|l{P$%5R;HZ8r)8Q8$%J|0Zhga82l^~qf) zXU76*#&S$ZT~G6LK%jt7iy)R;s87n~O)sm0iF5l*%spYEcLoas)12v5S4YbDl{T5W za3=0hKX!IiV-H;y)f#51{bBI zr1Z|jNS%6pEyw4;V;#@&VBOG-2c@K7;Zsn525g?4aT#^70!4#h#Vwa}eyT)TU`AC= zH5W}~W?xgGP@F|~E<&D^k7uDm#_2sqF~izMiyKY+Ca~Hq!OvuwY11tx||MzWN>ET+|CX0a}l!4YUB=bB62e=E#X)p zyQ(6Bj@;BDw!EP8Xg2ZNaJ`c&&><};n~!aXoH`7Pv&P-iS0DfDLVsPH9IM?y5_@a; z0LN&vx0)5;hYfUo8W-1le*)Y>yuqHcS%|={aY@bxH5K_jIpnx7lk4X|8=^-JA=`cI zrWK)OKE1aSt(ql!YRFDbfkG)TS&Yaij>+i#;G0wj`oP+A=<;A$qGSAAd$E1hA;dvt z%tuEr3r@oLf=<01KX4yC0?}b4vN8ud*Pfad%Bw#^zfa(Vd;*lh&uI!;X7ju&jPZf} z3m^!Poi$+`M7Q98ovCpT9=uz_1O!1Ec@kuUVr4gc1U^0|uf;9V+kfpp6`z46s^L>d zTH&w03KGWa2V8sGPbW(C9u&Zy#meiL&>-3#Q`nGpg;fRjp}wDoPJ^ok2VhB4VU^3p zo(D27!nxDkzM|2r3LVb_>gdT?St(@hL4FgS15bl?SKy2bS^qmmh?NR>qtX?tb8HEY zJP8%=G$J(}PS;&0{E5uave1-W6e3Lezugw-59#B1WT#osqtgQSgt6*UE@928#7I%m zO=Gt@KuV+>6Ls6XSm0IoL<3ee6mGAKp!`ub<`dEfucVf$HBtwzPLVT#UvZpP)wBAA_eq5~9L+P@KV)zu<<&+CEb*&^P~D zNtn7ztr@$vZ{M!IHiQRwOiv?#y!u414~$J5ypI(R%;U&7%;QE$zEyXKM}iN6uqH{y zFl?_;mR>+IBn4y;^&qm7`1GkdQd$Y4WRjQhq$Cm2!n66zRFCA3o`1EP*3b`R;0WCw zs!(_r70GGP;Y*5_%o6x;GK{b&9V4DH>g3WS`Ge{qG!)NX!+Suh!s?&1808wNe|PR6 z^Zg30h+t-{ZlvuKLDvuhsAgwa`FPF2?g{uE?*hunkP-_!Uhvl4XI+P)5(yC#vOWO> zjpc<4kH;0wIJ3>c!q6Gc!H7dBuTKD~CwHEQ>sdVr&X3e5QvJ~2lP;yAFr#%vkx&mR zo^LDG3PR^7B_oq?a_82ufzdy9Q7DgBE`|nPd5uj?p~w=rIkIG+{wbVM+{64iRI)Yii5K#fj{~}%TzwOZ zcFgeh-z$?Byc0i%jSqJ6?q-jKyBS7M>8A$_wys3<15T61_z_k!e`K&Q7M%58go?tH zBL0GKk|}H>O9UY%>?3&Mc8~7}+<&iXIYaz^zsOrzB>y17A-QXh58vC|_)ymRkDfr4 z7=k>WoWuL?ot5e@F8UJ1s|Rc25P>hkF1o#^DU{L67aluOytrFB3mH_l(+K0`5tY{y zZuC^r#Qyd3_R9&Iu(@F23N_{Sa8{9%=jP3G2@fcghQO=2Q7;|{_T3fa2&+uL_z^vG z)TaU}MFdD3TqjAmWdKtW4e~q`ie?3ewQ5uvYIC^*BYU{IW4@~r8^%pZZ~xcN^KS-g z@{7*3crprHW;%3CLTnc3^qRqzga&yytTg+dV@#j3is&5dO@FeWy!z0P3xlG$3GV3K zI<4SNh%ta48zJNM{>`U(aliO^xrF7sAjgNZ40!XepU1faMWeT8t}zlW@}u8=;?AbE zhe@PxvR$TfnHTw2cv)OgET%e-JwM@cePngWJnOa6-s)BKw|m9Hs#?$%KqJ9X&iqB- zkiJKhc7C-^`O_~?XXXTF1nvLlB3?aZ3Ho!F7e1JAitEu{5Q-@3JqqSRb>14!pY|W( zS1|38+!;W5d%lmL8)Txlds_?Lbn-kWXmZ_SI;qngdran%ek8ZAJFjP3vT{Yz@Q)1Q^ zBTNP!Q$&+pJs7{qe&H1yP6EsOiydCsKaO-V9eP#R9qJNaN-Q)6QhS*TN97efXL4-L z{Abv-712;GZ{sMN8FTDJ=UJK@_?v|F_i(BW)xM;>6`l-}=?dCwHlq_m#W;xSKiH>%Nd=+Ro`lj#^5_%J>i%pnRl5I)8rwPXYa0SCQItCpF=^&Cg0Od z$MVluv@Ni~f~^3F^Zwlf!Lvi07ZD+u0bf3kd=KLpg;Fj_9`6sNIlWAdPay4S)7}3$ z3+0LN)E1L7?9b~MH+p5g%fi9poas4Mv_5#Hf)$;TIP^-v>EFH_6;WJB7kx6txbJrC zzn)1i_w91Q$F0Q^DRxcr7=O{bY|cBkGwg(@s~R|Ll;_{W0vhjmyuu4GEnE?p9eLEIYR99|byJQu% zs*o3;5VhN4cVGc#-zYuD}q7E0+}0BO~gh+^%olyu|^xbhg^%-A%Jcit-V6m#@6~ z<9T5nUf*3IG1VFU^>wqItaxnRA#C$xEUvM*NATjV28~L*L>r)u_!Y@Vq^12LH}6+3 z=`>tGa8p{^n74zGVV`~$`ZV3$A=Yq?g-rB1mgRXY6J6U;g>S}dw-rNT%B1Tvr(hZj|JVU{=n&h+IlTEgr zoCOvW>U7HFb}R(ZT}uZ13)BooY@l+4l8#EWz8Sw(m7C$S-;(#@iCv9Sx^VV&##ese z$;h;1j$YAVgpPmE@eJZMb^e|g9}}7>43Q^Wp_$}}fB*N-+hjg)iYNi_(*^6B@l~%> z9{t%JY-?xM_@kF_MTrUKyuIO$weu<|)ekYE#J72KC87Ak-sSAux9?YQC@_h{iI83Q zBh!=F5aaMsgfcVj{wwk-p@E%hws_k@6Bqt-Ha8YG1CPOvS-4=Q$LYBlNj^r#wQJYo z<17~xJi9_eXZk-3zIKj}o1UPKKVQD?{H04zo2pJZU~eR8h%du***%iWc7b9jN814q!bJLqnnKt9$i6D8@mnSYa zR}RPz|BsZmJ^lDg%9Ssd%7O)Q*ta}Gn#a4S-mMw^GicW$!0R{-Er4FHz`N>d$<8=F zxzW>jLz^HGoCx=PLe~MHaAaBuAgivuU9q>2&1O5m@X3S?0^NLl+k!D@xtUm%*;r#x zts~P8O~DvSbfuPf_l;I{WF;Z#qDS0C(MjqM!uD;BWOCDgvi4uo>LtS@uY3fUtBmb+ zDpa&Sj3HK@tqqJ(ef>mMsATll0eUw+xxz3fHgP$xKYkEfj4>L7vBLhu;H`!u;8_h-1Srq# z)fV%H4G#d&MHJwzgF!=EjY`$33>E?WkB?24#3wa1qV(5z52fxvZv~n)3{rq~4c;*X ztL%P;izNPKw7Z0mnGi^Wg$bB@l?j8DgymQzJ4VV-p3_AUDA4!C%8CYtK2e1P`c6dqlkcTu8 zO19mmB6Cc1vWi}ZOC~hkJpf@S3h(&pZPZtrc(pwcAv$Q1i=NvK!H8}~uf+_K9B8Nd z_Vy^EXW5#O3pyb#*WHd6x>UID0WO)(D@T7%wry5U zt}ABTjY)+tfCU}gbiVfCQRt%{9c){?q>GSY{r!or<(j^T$DTKh8kk_t@NdCxYh$;C zxf#M`cqV& zi*Tj2)%t(+z|sc~m0W;+-l8Oi0>P^mFNWW_1VHO-T0% z=2Ju+ABvSr+jU0aokg_M-|K)=!>&>IJ;W@~u#y%Le;qF7EbN*9BN2tI%PlaQfZ?|^ z1=Ek?h%-Wcg>q^FmL|+-3~X|h?H$7_wYqK1df*HYQHLER-o5BAkHUjzq1;TuxPXV{ z+qCKaRV`fGI8%h1&cw~e?{SIPX<~@C^?<0kiuXsJ?Soag_$TYycdX)%Pm*>sGN2Pz z602Jr<{POfBn=OTma>vM-^z56#A_6uLHq|#5g!|CK|X9Q3Kc$A=sIb{`ED6Sd*9+h z^IHInIF{)D`1toS@p3aW$b;jkPZF`Qy<|aRy^nk>ltJGNc8`kVAYUbr_bX}mFov?b zOdW^OW5sPHk_)TD$&Bp7E&z$rl4EZ{h`qBRAB8LEa}{*GN>AcJAUnr(lqU5E+4%nC zSe;(e({sAv*$6%8Hq8D6dJSpoKu>EdfYr{n+`BMk$H^MMl-dYx8y|x|p4KwSkBhUc zd($;n-6briciU+(O_~=Ju=hIR1SN8^2MJo*QrFIWfxW_ zQ%#sJJ{?prBvDWmO>zY}gwWLloeN?F%RZP;jSdK0jdS(?X0t2PK&T)<&fbY3S#EG| z>XBUI8dQTIP4NJYAW%8@rB!cbh+SK&PCGN0K6f6M+TBAkBX+lvnIm4`h^ty8X_FHv zXXA$6LkCNFT2Vp`A)P*MS|^Ao3pfuMMwC$T;<<4RzQ$^JP)nYIc~IM8(ZXMAb31|AuvT8RSgyWV8A078@+d^K-bDt%2TLal0 z0sDp+pi&LUQNwb%hYmGLGWaVpLI{58G*nbPwxxK#H4(o;hRC}iLWX>v#hS4*{~z|= zJ1WX-`xeDEN9@Lg2xyB01E`230b6Yqkt85N0TmG>OU_^$P)Uji2A~v>90Umx%LtMc zBqx<5vB(7!;muuk+ebaWzwUVN-EqgQbB4B16yLY^+H1`<*Iet#=kmfY{@dA2*=i2hc?$EWZZ5i z3RMD|P^)u!-7yy5JQ2S!fNxU)0cbp(eSIN=!lc9sFXY!Mgg&a~fRW%Q;J5$AB6mU~ z&^>V$Eaq*?Us!IAaePY$zlQJ+*9me1rjEFf=XK=Ql7T2hId9=}XL~-r$nJl+7;w5Y z%d%NcFym}_&8NBhzy!-3)4n{6#XeJL91OsHI}ZUsyH+~;RHp@su6I5^sBRLKC74N| zqqi}OzD;HZF%|^A>lR=VQVT*=uxU`_HbN9XB-!U5TYrI323eO9JrOz#K$e^XQ3mca z_cmElQla$!^N@$+v4IbtC?$x~2&jW4=B~oBo97-(9C4hnBeIv1wzc}iuHbe_v-nZX zBi8VcyyC+h;pn(G)qE9}3Z(-mvktJ&@}Rx^;5#Ex4iJT~_}A)1;2$3Um_l`tp;J3| z+ir(EsPqK2MzRO6p%`L>GlMs&nNC z`&qq;zmb%x;j8utWLy2k^`oTWnm|je1lo zSp8D&$rs!xo>K?!kRl6_P+69URI5sdy{c|KOsPlvAD{PBWAl`@Un{h;d)hn5G&lV$ zR85{=oUPL26#DE-zkz)^XYc%GOfsRGw#gPe`X!u)z&MQFbbCDnuFCT7;&?F@q5_`0RcXU})Ix~p zNdPxVrtHb;nMa6qrk3p-*aIU2Q-5erIvP`!%Ea1bzB45CMw> z;3SD3yCTvG?QSu1L*yU@_JcTp1{eWXbs=V*j?yq%vyVF9SRW?yvHiNrDQA+z+Oh%P zW%Y=Vs?OZl*r_p5Pe7(FSzj(dQ2Ra)i4LR&nC_Aj0`V3TGLUZo+*C`EqB%i4s4^po z`AQeFKzDX8g;(W{!lp_}$!mk%1MEjrOU=W@6v6u9h5KW&nSP?dfnlN%22;7IaYp>k;wYAENMw0 z1rGoqAC1sq20|%-94S+AB~1oRxj*I<4AUKfV}fN!TkO zON#eAWPU7aK`}lMJ*Xb}3#_;mS{Qj{;Z|a9xFc4^wxh?vtkB8jGaKbF)3eIyPLzia z27~1-63p5PAPq5Sg|f`6K0PXY3g$gN8x{BWvC9ZPfXu%k4JUPr~HQB%g%Kyl|* zuB8yi^g3|!D`l6h_YhaNkw7-Cn zRxjqR&hC3k>Ig6uS%ObvQpYAcWOQqDA>HO%c>*yp5;-NQOsL(e`t;`sm6ay)`p{C{ z>4j5O7&mBHtUI<3x=kyDe>I=4fjrmriUJGE$bYe){c{CcQhf$^y|@G01fe;xd3?

jx||9gAUg1(M}p>W61fT78MET34LC4F)2#4-S@zdzqjhB2{9|{ zBtrr2zz+Z#v;%F)p|D4G0NpKIY8cVukJc}q0;otxYQNDHS;J!^Gt??KF_JW%oOYB2;nK|JG_ zBYO`r(ZUhw;YX}$X)_;Lr`JQ?4Dl~#0;X9Ipi97Q1a<=;MGiR{VC-$!0dWt}g0@He z&^tip0i(b0&5pp+vsi-o*EUW3pyzbAD~gT`KHj|`-`}P=x5JoI?+7p!DcYmR4U0gR z-dzl2R1YR49oU7ccRa?gffgeA8b2N~)Nx%sf=j8)%p~+5XUeD0G)an2LS*5Pp&*CY zyh)y|5B+warPirUQ!xuR+C*`MKu!n-4&}Cqkg~BZeS%2dNhSlaOX0*(3@RxBxX~4< z!af3(nlYaN=Gywe-eooDNaG0yp!JV zG&R6Ib3tu<1q+ME&#Claxtvg?#LFG}+g3EyIuUURj% ze@Wc!CRuveG4J5xoat;PQs;0spQ?Ms)c%p9I1Dl(jscBoYfNE(!3)zPj( znfTyOAIIZ5rV1sf$3Z9(ApqDWVcDHKclrU!LkQ6dcvZX_NqnJ{Un`lYK7@{mv1@L- z$v7L*SR5NigC5h@NFFoY2eEsRkaqp8SSJ7MfM`qVbKN$qA4a#{zVQr{B=0}vz9><< zhVkYhkC}GQJ5z2m9d3SG0%p#|>wTk&RL4){=f{k??HSI|I)s#+=MycIg)gLKpt<+I zs=Dhi8;Gb7i|<(-l(u*=7gAPLSLnrRsWaowtsA)u8ZxYmIX%)1!A)r9Iy?Bi_KoJ| z2A2^41B7&uE6L;rTSdW`3kGoR{4bQ%Zl}?naHY3~4k;u!7&`0{Sg}k$vQOLk{hxPw z38j=T-ig4#)GMkd9>Dc1a@CDk3I6&;eK>3iOC;+D zl^KpC5N=del7bf06)?OKvIRuZ9K|l;_n*8ds;BcI?!5PMX6r`qibYJdZl?{R%qCgH zZG20!TP$1N6%(#ykkiW^8#jPYiPsDEC$0)wyzVtDEFwRH*S(LF-eR$yc66R0`bpSJ zl|*@W9o5ZkQN=R-5PsLt>1{xTNODOrk1&;xu6$q?EOz`9Rr$b$1sa41001`TyId>} zk;Peo`KtPT`15KTnwS(r6iUR+D9{;kc3d0na}m69{z_0?Ll7LRRzA#4LFs4qVzOLl z>KN8^@HLwx6tyU^-X=`Kbv|3r@EfSZa#Yo?it3|3A*fp@C>M+OruY|yk!KDVaT+kI z>1~6C?LoH4(Y1`2it39$gUw_7D+Y<|Qg|)LP-|&0vbT7f@Ef2W_MpM{+^*g2=<9I9 z#xg5L|3z4BKt#C}3X&ofk%~o-E*a+K=Noeh5GuGpk&B4AN!bKuA&!F9f0apdY9a6; z)F!*lOz#=JP5B_9z{My~B>#lCKp&jk*QK8G(^7L9VX4VDHY9%G!zKbaEYX?)NCn70 zkPE&g-yaSO8U6dY3yax>2TADx9nOQ=W&P;>YQIjI+A3^N{Pqg> zgc4IqtS@f%RT&YE&hIMah+SyVz!8MARQ1LbIRX`dB#6i+Uhfx{=fD2E*1KU-*)*39 z{i-;2hrxp2aU{m)Kw)!IX++fxzd^nVb@M?`sY65*ttFH%OVs^v<56YJ0JhNYkiHf2 z5SE=ykT!rZ1Bx*~-b2(IC{+KCdSxPfHGCghd|yPktk-2XtJJU(k+IwLxC&7xEr}D` zlTNQC-}YR!tq|`v%2~pf3U(H3>{L`K!Sh6ED(?Vg)+REkQU^I9q^`WOkf0@2{!jAc z?I?9QPlkG08d+KCIJC7n(=N^*e2TRN8)sfGh23HPs~Oxx_F!QVk%V$nzl0VCOQu)( zx|Mf#cT09zk*8ZA)6VS^N9$Aun#VzOPm~85P1&Og_xLKx$lt%3xXAk;PGSZKWS93S ztA~c6Nq#(cu_d^#2$Z$twej?*UF1eW8q^A@u_#Nj$R7AZHA9$Ka-60xk=lVsosria z3Pv-|$y7Y%ar7$TqJc+3(D>o}Wk2^3hKDg5=@% zBldoN3mA*^f1fu!&J#njp?WIy1 zL0n#t1{B~DZIdNMA{;-MRctPi!Q**P=L*Hadi^7lhsu;Z;0j4G2yY@;M8Uy-2!;mc z0KNnNCw59yKp-ye?xcf5vuuJaM~#fM4?qI~q6=w*BaJiAdxF8=iQ<<{-)nIX8YbIy zVBP}7x(radnUT{h=huLTT&b+uDgPLgCpf3)z&n?mhtTEw*T-H_oHXYiJ#J>L6?0=J zkz6QdOd4U$@1PqbPQotqFo1!Yw<26Px=q^rRnE2N&|J(*CA#C7MG9Z0`svtu!eJ2J ztO$eTrpa#yEmMX-!PKG?QQ>_ndjTcnpb5DXT}-7s5rU!1R+OZ`Yu8Q>97>jhJkHUP zu=7k%5854h0#RQP4Jw&m2@BB?9fD^dU*uu3C=k(!lU{$K3mn`7UhA}9>sPL)7|Pp! zVDipM)X+$0oW6|gs;wH^J9CkZf`|bNZi9GgH1!@*^b=G z0vDJdVd%}lAMzBSMD53e+R9-+v|Zr;K`x`UguFc;8H_zs>OOR@oM1_0_kRr|08o$F zr+|t#sZZNh6ev^%y2BE~j#Q6al7=u^y}iNW)zXZKu2?8$ZeonCG?_O^naFeOnic6SV<*RpLo%GP$2h#r)GDyUz?%?YSTV5Gur z0wvf1U=Y>)&Q1(>qG`zy!Pl6R9z`BSA?r7ZIZuP(dSGH42-(d8QV8z;$cA@#!kUu6 z;UfgF;?V)pSRA5e#bAnqjzwF)j)RvV8I4~- zn=G3H?>e23UAKDCTPlYv-%s@p6oSX1RRuIMk@>_XFdRuYL7^>JjV{dK>o>c1{6{VI zUQ?nIM8<{&h9gLoNjs4`q|Jl*n35pt2arjaMleun`Sl+1SW$2Dg2P+XZsq#zrZ9O=a-kNOt^qkb~qa zC%!-Mz8sW7#ryXcJ`BOrZLSAVHlthyF}$7U4aM&d?n5(z;ZSKLnIX;y)|;pR32}%WBQU9fjJhI2^r0D-bB$a1&L1o2Bb#&b{i zd*oZwpv@#O7#~hbmpvj++ zIAyw%f`Ai&4}?{bYQXrsVt6P-$~?@2U(To;{1N0^T8kaJTt>1H4*e^QAftQCMSS5gDC zHBF{JB1HGhDnxu_yQC69D!!a{4YvpqI2LY=F;t{(gf?3+Hg_y>;P&W8zXLO2`PvDz zoQ$Iidloir-DVX`5g@Hc_OEwFTrZDIH~OdCT{!xQWPm&cfw{wvk0hz$d{q*uHJP)~ zMjjkyF24G|imLg%0HlxHJ4Q17i3yVO;+T;3gWxQb8f5ik2jO@VlU<;n*UDp<(914k&lTK0~mo?spbNpF2sfU?%W^JO!!MI*c?oR~X^(A5kJpS2+e# zTY}>|hf*CBz(wILWDe6J#x;iVZ`>3<*QjCWpl%eco7gKOW+9+iJi$d=-CV z2qn?fiywz%hfpCw*UKMAlg=!r+#M=uRc!-&$emsQyrY|q)_!gHAW08tgv(vnH4ue{eLZ+5sX4?T_B#8iCGNyS z{)9*r5+`hTxVQ>ojB$?e1H`~#@`!^xL}fuF%rQ=+?1i@zh4|kE&6sWx5fNrf!m>O2 z{%K}#Fy%&3!H#x`=*Ayma2ry?95jzXj4zGzf~XL6GkH=)lv&ghlvw2&#v#4uN+j!j4uu`W@f1ZapXU%_Vw?*ewh7Dx}ivSC=B8@4`q5d(wM1I z{;8+Moktdk4*^`?4Tp<#4}N{)ho2;dEbF+jg2_-E6i%aiM}=&Q#epB)Jj-D}Fp!V& ze8s9A=yr(u*{|Uu-SvK=Q1I3NPbHN9ziT-E?*;rXtblu_x}a~R#4jw_#>=?YCECnk z5fl88lz!M(9JC|M$jw?6gcF~yx(<7M9p!zE66{uq?MJhXauT8r8pUs9*;}$=QP)Nm zG4b(b3%)y6dmGQ2+|@~yvF$&Vm$$46Qt0e0Iw#hN#VbYG@UTQJ{E^1{@Hj%{oLaAM zKoOyiXwNRq&lk3RlDW%b!g}OamY^W#`QIPghl0VDg&m+i1?ZoHCrg>SgMTGIX#eFdrN*=4Z#valj7m?l`?{i z!q_n8kK83v4X4xLMkWD}aQ>`)jXGhaU>sBDW*QA<_OQ;06=E)RDaD4W59d5D_^AWP zCKj_o)EHzL4;Eomz+4vdEPTFyNWHGeXx;DdkhMQulbQU3<8R~c3CHAxIGE`&xwoY( zO~*G1<&cis*gTyRJPTO(IDT5%)Qm_`^@CF;xgL--jrqYj%OlY~fXH)hZ?>1!V5Aa6wYFQa2cI^XcQ?2%(I#qmC z$?9htvFZrA-&qmkW<7eZV-)huY>4_l%5y-(TSjRNWL|Pd@C7YGIJRI9endwP`@pne zV1tUtZV9c@GKyO0oV_k}uO>xyyIY-&~v}yn<(1$;0B;46vVy()p z3*%yvU?n11A+F@MjX7CadDUkKwOvgq`C^#SRfBi#?D!CYHVOBZt3L{K71odr zAv`unS!6ftIm9v3e>H2iKemg!f8*bm^wh3dh?nz$h}FR+Mo0y?4?U!QI}zC%ks05{t!2B6i-A=yR@l@y6S^cJhW2 z`p27u>ARY@ucIM?_{5SzbQFoa(S>@ke8+o=a1(wCKxADj1@44)0d`rPNB)Hp6 z3y$-Rzx9x`!qdMhN#U=58QQGuMVb9cWJ%E|C4)fMFOfSX(^oVzKGQqG-87qagLG@z zHI0<;6sXU1)C?B6ZlvfAF{Up$KQxmXt!Wt-n(5^j@2a9E*sS=-vtxiBeces)q`m8I z=Yi%{43fd@DP$$)x9CfrXMJsIV*W0%X#^*Cfu2T&^YjR}cBI(Cs0>Nk#JRrg?gyIV z8E*HQsiRMkUs!wqS)Mz*dM1n8aE?(QrjV4~D4R^oU^f3bqtSPl{ia2bwd6U?`)L1( z+3&^t{B>^3Lclt6F6S@vH7yHvw#h!fpkJgutuj3_W2;R{Jz*@_k8+$SWqeryj7JAQ zJ{xSL&Uj3gMoI_ctBDvO#qx0tR%e|rnmhk~xwm-eUYf_^QJX~{j~gqVk!VZ$)^5lr zG|ndu6@?M!O0ikJxGx=y&LBNwgWP5feq;x`#)9o!gk=X;&-5u8bFTb&4Ofvc-jhoD zzIZvE{%HW!r%o3H+37rJE?t)0yKEh%p~=iRyG~=wTQ5WC4pl~;JYI|0x!6$e7U?#B z7Rz2vY-Q9Y8v8%j`B0jf_K4}M6YD>gFlj)QJnuZNPrY@~y!m$hOt)@Fg%ssj$ee6F zQqX|l@wni)+t!lanUO>*1_n208#HCdSdpz5ADwxYSfxD6=Zo&iEXQNB8eU%M=om$p z#CU15i!jx#*Wf7{_go(?us>9csT^Qj#a+m5(X33PGpRwQ#bz&gK3PW5noI8c4 z=~{=-xY3QchN$DF`h3)cXkk5%vZ#XG3 z+GADLc9G^n1?u9h9piJ;Np%}Yblv0TI+X|Q1sZlOej^GfiZ1m+IjhD@;LNDE)**CW z>3G2U2i`JU`k41DHVr81&ND;LX-;4^V~$T5W1^Y{3tFN1wdq%6;?^>#ea~X6l2~H! zoK=HzbIln~p{ZzYqd7i{Aq^U*yN&Xx>5+RPK$m6RMe+-Z|Kk_rGJk;^y_criJM*5~ zH5ZUR=H&E)z~jBm4%MP6f@ncp{P6Q5?j^^2g{VEE=&57JM=2#?I~`z&YI=!N7fo;k z#y(2Tw#XhL9hqNWKHR{i>pgB9UPf1xagYVrS0y#It=OW(b-57M8bgJo_V>9M2S;{%FDoC`l*Ym#(x zC0|eOsg}`9otc`?9Ya3mBmYlF^AgD+9MKOOU8hSrNe}&Ux19635r<)ECfo*kk2+S1xppetkAte!;KF zzuos-F?+-BD`l_e8C^6#`-f|w(xR@HQS!>yem}mkXuja0(Rr%|*}C?dY`u}XYu?SP zTdu?{_uCtj@OqBGcaAbt8xz$K zcB61{o7b?cW6!5Mb1;SMKVO25>IX8v`_eP}50#=(7Sm^XV(5O7{#|nYai=h^ zt94Dcd`Y4ItM{=v+>^?QxuaJzdu-_p)_}O$5^mF;heaXa`Og+uY{BKFi+Kepi)2F0T z%I}W7-;myGC1Eo?x!TCc?0u)O!G{Z7DVbSLD>yj9YVNLakrCFuZ63lOD^f=rU3MsO zS>=b!B6aPNZMcOVbq2=+#h9l<=6!>&KeW1=a+^3^>a{!GWKEZjp>rRT@BNkTq#w(@ zFe~JK-Nq?1PpYewRhmk?X|Kfl!K6A#1%chW5Blwz&b&}~m=f;a`e22A(r}j9cb9x^ z*Dv1<^ZU4an`F@fCDhT~t~NxZ#%q&h3vA@F2)+R=WVp!VO?~bg%=NpAye%u6(itn) z4tt7pd++XP$UOh9cbhJC_t~2j^|b8Bn668GgK^oN$#(Q8!vaf+%h+NiBNOT94&8?E zs4Gi%AkY7PtxmjAXjf?+ z`bOKe-+*2;nphw*FE(jByvemA=X5kNpfz4we%y;ax#%1_I6iz&_>bzuC};IQ-xOWC z`m4j{6S@h#l6J9Wox1`~#J}IX^{r?Cr)1L#+pH7yb>6#qHu3Tc>^O~k5zy{V&v`K{ z9;}tsmvNKv1UC|8pAithb>W(jRu?ZJlZH?=U+G^{q+ApttKysl&)WOR1vVzU9QU+& zHfmUt|BZIs-Y^lQ5Zt?`W7>e$cisB-UzTEy-lHMCd#V$6L_B(D9r~wQ<^0AO=m@z0}YDsM4{2A*S{*JPHoVHHtTes{ExKiJ= zm)MfF%l>yZxK62li|Aj2Rv0`Lu$$N=e>hi`P388;NcA!-QTTq5)PpWC?Ygnpct^uG zQ?A`Q&ND|Sdn4cs?h7-H+l_PUx<;?wZMLIIKtMazv!(=QsH_^|!6kEg`q9fud{ zdGQE|9)jIow|@G|M9B&22)pN*9>6b_HLi2M8(+G&{E8AqFQ3C(A6GGz&}}h1v22bE9OybZvV!nsuQp+WhS1dR5Mi!8_NQA`mE3bN z)^PbYse1d#Q8ms5;-}xd2`}p$X7}_9SJ!oFNnWZnF=3p4^FxcpaF>#NeE4F$+tYbf zxPA9i3D>O2sEuzgiwpJ!Wen+0l1V#uxK>YLtwahhzP!dGPP_r=e8!}hn5EK$^67i`srdXA&V&iqw)T;{j_c{CUqdmFZA zsiUyHmeGxXty-tHN?N5=806r1p7o!7g-_OR+wOzJhN}Dn))Z-rMt!@i1ApaY4G~F-%jk5mt&X-%CGzov1w`k+wE?(D^Uw=_mb5R=YkR#Y7pC2=B9?0Xj}C~P2EHg_sLvCAF%`))Ki>yDLi?vW$aF$uXZqBfSEQ|a?M z@7gVc1?4vgS6sw?uyyd2rm***2Sa9OA);8Gd>c&mkNuuFZ)&Q2I|3f_G_Od>amWy# zZAN=^zwT!J>sk}oq{J5qOm$n^2CsOYQQG)N`t@WDER6N@y*xB4F@w?g4X&$B!c}H%cpVMk;XV(`vmh4J@-ps9ebY3vmg|*LMG&Mk&}-pJ1ZK zaT9-`z#S_{3!)L;(l@ccesGXPjF7()@-_2 zTj||Z+xI||G|(1!Fr)K;CkYa>>pBd2Ii-uvl|Fm3K*=%ebFllYBiwy5XZ@{Qw^tej zR~VEo(R9kna@v<5ykR`zX14}2Zm7d4=#3}e*>vQ{(RafqlJ8)#M0qyB9d4_wYl9b=Ty$(1#BVp$PIZGF4H-1?T<3>j%#n9y#auE-6O|8?T~b<*AV3 z90y-%}YlC1HNTNDEqQ}{QSrFPuEZdI(zrPS4t$brhe zRA8%zk&(A0Y}qfI-}BG8GMSB1Iu-iq1Q7s#O{lq1DxwjZKM9AluI;v*vKuODn;qlS zl9)DebnKG^>!oN(|Gh6Xnp*6QkH}5>oStWtl@4%o<7w@%wPxo{Zn9f~TtDL2HCiH- zPM4-7$MP48F5;-4q~Ds=XKLS|B38!FE!ouiw6q|=*E_lUsZ?98l|HNe`IS1dk5ttQ7 z{BiP(UZK0$K}DGL$ifzn6mI}jL;vO|`$H;EcY5nHPllBFVLBkJp1*K8-}qLJBkDTm zd#fkTM++R0lYd|SnPJ^yf4eElp6{b~KaP1h3_QiEn|EUrBG-VXsF0|^^Ze}>_6

Y$#AD?)0e{^_ z#tUvW_2!5ATjYS%&%d28lRtl*hd3yvC+TQw=a)3Tk+o+><+`VUYHDI`Nl9CYS06q< ztG+MUG+$7*9Kmm0>T%k9`YdTbT zq_`Y6PFb{guu(X_3RzKEr}g}~2!?ra$xWi+^M&Ek_t!NIRC{wI>xJCE6CJI2ugglJ z^8G-@vgytz%bZnPtgI$4ZHgUfH$HKRYY59Mc(3-}KeqE+w4zkod`-)Gp@768$qTRF z7?w53tYP}%xTh)hw-BK+i=1S}!WJ!VzZ%Cd=@6$3JSq_i+_FvNjYa^jngFV<_k1|P z4+XQN&Nd<)*-^@?y)TfOKWwq5I&`NW z6bE!KHGOb)=>DEJS-pZ}-xd3Eg?ldiiS;?T_D68DoE6c{Iw!Qpo^5LUDJw4mEz)qiK?li$dT*x^*$Pv=oIQsH0 zXT5uN3kaqabol|;?AMHcuay*6qj5Yf_vC0_$isU1{>*X4W%ax7m1Jde3l=P!u$b9E zP1Nq5=NByUhMyvBbxxyB@?_}NRlN;q1qS03-zvmFj_NYE0s3K4&cAPp<#{3r8v${) zfh{JxZU0W)xd|x0x_s7mkJ)IpFjkj2PL2~wfF^BH^PjzAN1eX#hLzkitj-M^cm#7`Q@XjWC(dNMLetNsjR&1OraXD!qTU+x>;1sj(<;k-g!Y@+bS81y>;r@m?O9-4OI})*+k# zM5=~1B-nrCzrBC|gx4TJWp(;PYb6IGV~dt34ss1G<|#b0(5dm$G4 zbUvj64pwTUc%B}wo@`<9-5wP?qy>3P@&NreYbBpVXv#a92hW0xvg?X>;gh?0>+U{i>LOVM_Rn;d)g2e?ebEd)a|y)+eQ!ymFCcF!c}}YRkR_^ zxvJ??NLzZ5nW)bWA<=yM=KA))B7INq0ZlIbq%Us$VvQCm1yKLvaDo*&#>VQFv$%~7kquClJGPx!@k9)M5w zq!xBjTa%h@g`k@zLDa*8A#vf<`wA&hPfnSIvl0Zizx78>Z?y-~LEtcsq7VT$*<~Ix z?Am}6B$Wr5ag0LG>=|`GeL!y2Hl^CGLoY+*YgTcDf!UBQ`U*alF~$zY4Ylp619zRs@E3w=9ytby`3o^r`zk1+Kze`+hVE$wrHUbmbX z?J_oBqN(jPI{kt+c%98}qsv`a@3T*Cr++cDI{IWn@zu>MLh|$B( zFFg0WUSb?%@ucJQzCrn0(x_CiEZOiw8h!y35_@uH=+=N)m4SdS*j+m(B#L-Og&HQ5 zlr1fpeJkL8Xvzow4U(mgOlYU-cjK6^T3u2N^wwwVJe9hCW^%&VJF{JKtw`7XSsomq z$abAGm#%kED8Hg&i6W)<`cpg8zVv%w4_|&q`wLp{JdaS!| z73{sdXw_Pq61%H8l&f+Qfy z4x%q#wo&+FMFruyQ?$N?PG|fHVOJ~i9)*1tLDuix-`^XBzt-%oNPbH4I%@isAZpE& z#6}lCE+_lPS?f3(sr{iZq8gr7o2dWcN_}-ZeDMn@7&|;%AP;aBN!}I=4@f5<7CBCK z#DZR)6VEVgOuEUShnR$=#!JPm4+S5<>OdK-9_!9yZ)2sqg@ZTPkZvXB=<+i0^JkN< zjQ)~GKhn4VUSFV4tcaH0=RD5g2b31&5FD;zo6zfi2p z_k6A9!HiH#-*rAZz=?0m0oV1h8yX$piI8}XcaRiV_0ef4&&pZBIuaAD! zwd0~{YTVW{#uD#$evwG;tL}(?b!qxzub*{PL>0f2$5xx#UZ9j?oC#80%Z>rv zRMt2j6Ebmr)0ijrU|Z{S#W5AmkA;>cZ#$t|i4?QX zEhPIDi4`PmK+a`0N1!&#iNw!E9YVWbCL+@j;dLFp$xT{gf8X*$6#Dm)-91b2X}|#6 z1K_Hcm`L#6_(bZ#6F`8f zs@W&YuiT8>Yg&Am(#rN6Ih}jatChFDua^9K$tO)*skHrJL4gl8#)>$;8;N)v!C!jL zDv%TrmT!>7HERR%vc~3u3Nti19zl4f(=?fe%ppswlxK#ypIZ_+hc7UO`Y#nRQl~$} z9aZaTG8?AIJ?sw$FttZJSOw5=~cM83_rC zQ%c~2n;5-jYJIh_E#7?2FFlBd?{CVwBdLe!X<04P>B@AaxtlZUl588T4sv`p*$s~~ zlvRRCSB&$Jni@?e{41yQD$*QQybIN*iBEC&NUT3x2T$bg$@V=8|MzwTCE(FJ|6viX z*Gx0?uyT@P{C9Dg*h0e#@0|&C>^8kvc93Jyhvt^_H+kfXcH=lo?lvIMuExutHb6+1 zO|rmN)73LmRN|HzdBK*<_#lXrWWm1Sd#><5F31v5wb>%<(asNo*{Xg9z`SwS@{olue?|=H)|9G;Q?-LaNpIj69 zw!7T2|2KcN@(<_1ecBj>m-J?bvagl7RUB-c=e}ii`3zImI7zDAccs-T%pjy$rUp}XtVbxnKhK8Q54r_JX8@or=7 zoB#(~`GISP*^R((SeSgSxICMm`7w}@u=%UmfXt`9pl%l#(Z0&g;fzso-fLeU>!;+d zkRW%XsM~6olV;NRh}1K?&xI?NOI;b-HQs(bSu1Q~qc!t=-~JGkAlv3%bkI)G7xnC{ zBC!4YS3PXiPUoYsY&1tEPDqbqe&%acA07h{)-~lp3VLwTv#O1eQGnpzyjjQ}b*aDM zmavKloI?_>t%c@|Z0c{TuwVzFn2L<5E=^Cprk>Q^!OE6jx!{|BJf7!pC&x=+6DJVQ zhee4`{`V!Q#r%LJPm$E4#=o(1-`(=i8LLE`rm2`$O^spmxdfMrv!%+wmuyCH59^gP zJUQV?L-qA!U1(U?oxlezf^bE9LK)5KHhY0jcx0J1K0D?wS^n##@sQ@nF%u8Fd_}sd zAM9S9Il1(Ses^r2?4G~o@}n}N@cg?$i|*!ME7SAVgL<22-9>2|$zKbKV17gC%7|fP z52zex0sGx#fFhfcR{hoBY4pcK>05wa4r&i^(g(3J!KjyV*0q*{4Gi5>lxkJayAQ?g zv3W^v@(%2JW=NawrmF37=^uk?KKggLuWaz|g65li-B_9rqq&dP$LXVELm&P^XGk+~ zM;<3M1uIK+mtQ(!VTs<&pAZS`E!iqKdUvsy6U*{%NVQR{l^i+F%vk~gKeMn7gbH;QNm+Rnj z4<4XYbT0e)t3Ez>+tk=1y5~F?OjK9sS>Bavw*fAJyNWe@Ayt>ry|g9ERhA@Qo12|Q z;;yf?=mfMpkoj$FKJ!8?3ZDJW%n+Zgt39Jf2+TKs4ylc|$JR|+X28Si1w)5HO1JR7 zv$_XXODN^K#uFCNng8X8#Tz6%-fbub*rW}e49^0Jb)Fq0GxKNo1LlYCeT^DAK^l6R z$R=(y*3Z7m=ir&FL84$`bs|$<5!2+xU+!`3^x$|W_25qzckKqVDk^9PZw!Jz1^c*i zn`Qz~*OU(S&$iETKW>=OSS4uV#3o`>vj1Zm1x)q+Je9xvgI9gG5u# zcLt@1m(tB6AW76Rgd^ro#dS`coX}(l1dG>4N3dzDzTgi7S` zu&I_rj>rpo`B!@`?PZ`=`yVQg48~cc{r;e)PLIg02P5XW|t{VVt)ml`$$j;f&4gxLJ0a7+BFRTB7FL1|n9vDRlrxG#uk z%-)$2jsu)c1u3(!I<~j9e@V+`KQi6q?KXEnbrzq)Y@JjQIVT{mYwa zbeAX}l}K-o{n}VTLSePHHFFLAAz8NDftHS94~Xc;L?G0Q+EZtehx%x@IbZeuOSo56 zx48FXS&EsUk5KrmEV=A7BlP+r7>ok#n*@up&IegUyec<|~(v0-q zjf#k*N13=}WSvZM$^zyjd4fSoblRIho94CAs~5WR{IASg0p<$a~d?~ z#7M-_({8RrqXJRMZ`Q$ot6)H-|B@!IM4@6W$D9K{X(GkIv|>SZEu$mvrbk+H8Y<~8 zO6Arg?r}Ly3Q(J`*r$traJW6su208lY8%r%kB}-J^A#A%)X;oxX8V0kmfLSE^ETGF zRNy;-!pwMjQ0d|F$AwZ(sW_Eo6GVU%cG4|Q*+s#CYS6;TCUgHCa`4&xW30T$4S75hSFlatI@GvP5lVavR>EbVq zyw$Ghw1(cH?Xi*AI(X1^wqnW%Zd_Y6d+8UI0|m3R|E?FQ!pB6M)1P;;n$e(dAg_F6 zP<{iqC9~FYpy^iFh;)&wB|Z33Oofs6aru#^CsmE=HtSEV@s)umQp2UA3ZioC%s!2J zXK2YVN@~`t+j}Yz4xvU;%N;kW(OZXwE3>~Lqivf7RB{}0rum%fTD57McBR#DX)Z5) zCKq-vmUOT zB!d4-M|W-(mWMKbNwtF8_$aCxjoRU#aseJowl4y`Na~yK6D=N2OBeHN+dqHWPW7F$ zRB=!hb%%TGw=Z$&J!6%1M4Yatd2F)lbG+0~7!;OgbF!5Oe3W&P4PRWF`+97#BB{=z zj+!}em50zE6LC}i(}M+(68*~F3}H812?#=nOr+vu*{7XTnmF^=z6yhgYAr00^YK3b zs<^joO+FMD$9$!x{gvsLTOaJ&A)+Z?vW*DQkZ`T3pF}L1H|f;~9youor^_!c$PN5a z1JRatY4<9l&&3K~Uh+qiy3O+rr&;QaU>WM3(pjZ@ZF=)7+u;hqR{k#Q*gKN$MLTn{ zNc)W5#EjHY(9?JP6GQ??ZZNT}cB08!^vlHMZtH1JYAm!E9hn+w$vizY9a8NlDy|KZ zU%?3TK;Vz%i|5^Sp;)2&I&nmmL=`qiVw5dE3jQRn)8rV>>2}zvCDItet2f zMKg~{FO<;PfT6oIZt$Ymu?zYNg3?n z*Hp<7HI$sZG8;9Nay`~We;&INlTr&ZP4s1JSnYGMD^4;^`L$RbsA?$l7j2>UEFD{~ ziyNd&d!jIXW?Vws;jtQIKmeEEK@-5L=gq!Jj!HTn&v0d~)&8`4#)}G)Z8p>-`3deh z%k*c@?Csrhr?4(wZ(SKd3Z@O&l^OxiDR6|il;3@Q`skz~I4{-re>pk7^h!5zshkp* zS);zdhdKeExoeAgW}dES=>nd*XAZ_1vyLQ`)k1BiXfcFbk0eq6%R6(qYtr-r$w_p* z6ayjI;6lYkD~u-LaYu?ebazj*g0@fvl8|OQeRy^5>V6Xs>Ta2o&#tIqC6TwEw<=|g z*bHhP3{MudIx1S~jI-PJ6>P?PWf=DB4rUQt77K1n<+9#Vz6!BNQIX za`9@ulcK*f29_-vTIbmB@tz1=H36&W=`4sEviKn(B8~c=a$(lZYli$?KU>BEg zJS&~=Fn@0RWakXu7X#1R2LvSlLYC#Tpeznj3Pv?)-|ZIzsP)BGwX3(1Cu zi4(l%!P+6=%pydjgHftFW(v>yc@&#IDK^b2EWbjVn>{;rU&+2n&^*ivD{HLGyjNMh zSWD|q4Pai*ZmmxqseCeO*Zk7yYU{r%>a{DRh%B$5JTomjaM~v9Y2?wapp|I?n0rNt{G+Uo7NAIQjC-jDaM+N zY$Qh)r;RmcDcr}-LZa`w$y$ep2!CdH4K}e(uc?~u%W=|qYs1?dbk1MKSf=f%54~rf zjF7|nQ}%w5PzmglzT8;`!+9Bl7)9(dCnvYL$oI8D2F{Y#b_#0xeCxz+GF5x?rDGNv zX9?Wv+)#b*rt@v(zMjbw8a6YneUkeVhI(U5XuA}~7V=N;uXGIy3KrQEH+4vJYo_@p zsXj}DQ$?`=I{g>$)BCC(fXYYm0C{-Uvgr%HO)iYoCw0O~fNP3k?;%*ani@}c#0h;> zXNIcr{sgwt3{nPSzSf+d?psN?e2W1ltX;n^n|lph&2QFIB+@>z7}0lBxPpH0%9 z{6fi|(P2P3JrSn@1j?^VvC!7&^-0$7mmY7PC6Cnk^juv>nRm?7?Cwb~X$YZ6?jKmD z1xB59JZJC0iSQ>cedliuqRnF#*!x04T+P|M?B14jM9vub=ghv6JhL&|B4Wot7~xf) zj8clmhjiBvG5%>c+L_dYjFTKq8;)H}Tl^-g$>Lu`|J;I6#7Fr%v6{F3D-Zj8E>eos zmcjV2k#{#3B;h0?U#jz9w2x?r5)lOV5`;}w1lR|%3z>2cT)E&*h}Sez%hNTj z%&{w5yv4+Dd+v1IX@5Lkth;*j?-GIarx$OMD}Co^Q)O6hUM<&8=V+TARzteb@<$Qw z>?Z3P9{|gN7<^%OFK zU#6Ysejc~#&YainE0RgmUN&OI;nm$yVB`JFb@f>T`5mrl*=Y0F9LIQ2W*brg=|lo_ z$&g{ay_pJ9=~OtA)?2=zNwkqj-g`{rs|Z;6fG9%WS-o0~;#?Pl^3C>KXWLpp5T0K{ zksB<*YD2P2^01`ruVnvWKOF9nsbcF*ZnV4&oc{i;Lw24Wt{$&Waj&;YnlXO(LB+N& zXjb*=QWpIv_f5oM>}?%qG_2d~Whmy1)67WCHQ0MWjF+c**F)P3vlZM6VHagPX*8Lu z<%cOP7q5A<*U`RBhaBTYEoG#pMREM-)n0M-v*0{d7gaCiw|ET_4T6Uu$=b9IX&wRa zR8IuKio0}^abEMDdeE=vL z1rF-;+@pj;CBif+uQwBU~ywKq+)!#3K#I>BZ|Jv*UUm@zc_j*1FUp1>N+U2^3-z74&-xxF9N#xr0mYhAmG+Wh~Axi^oe zGX4L@wQ8lNX(C~aCM_x@k>vy3ZRt<$*F$%meV4VeK?5U2v zK5Ic8DPUXVGGB&HMig6UHc!5Wwqr+Y1~3_5W&)!U(9A_+b^tVsXe{jADq9rXZhH{? zB6hvN@OBzLI26tK6FtY```0p3FYn)V zz;+qdIOkyqp7LeE##N)QQlTiB7ldN0%`SG~USS53i?I}VRu?ni^>Z6}C%3c#}Z zRmE9$`=CZa&@~xH+B57HdonQhbN4>M(*@cS3-*{Z)=izaw_yMIPttbiBDW#oCroR$ce{UO%)P3zG ztT`+BR!oSyNOdnkxmN0t>K8zB_*5%#G;7XZJ{jCE5})juz{y@;UpyzE);5(51G-EM zF{JNB4IVk9KdJX^{ju`lsJYPW=eA>K*zm%NZ?2}l8*0kPfoZOgnsob{SP&k%4%K>9ozL~5b%R1XzrRe5xWQb4K&UC@BipxhE04|b+A^vqhLR5PH} z!cdi&bhDs9c$LjtN3_XaG=nM&Iq49MP8r-on z_~=W7IB6783y_K~_Tg!aIIFNYyaUmKe8U04G6Y3WKG(Ob4WHJ{d0U@aZdv5uXYt>Nt(`~&jq1WV1#Y-%GO-JaE7 zJA12-Wuosd<@BtMA!Ux;$!G9yS#OPwqUL5IU2@ZdXx{d8p70MQdqwx*E zP{iP6sqdDIVJg^95jnhX=lrZ72xtUL@9%1wKuBPeK__2X-fmT*`S7*Dtq#>=zVhf6 zEcH>E89u_@tb3gWCY_LJnH>pxAO{f_N=BcolIGIgGFljti_#Atd{?RTVk)}RGE;Xpt$0ydW#-?VF{ zd;ktdaQ#9}e}2pDZvh|85oknvaao|65T;T>HRpz+-UUJjDS^KL+d>Pd|`VeOX*$FinL*O&3aClNrg%I-4-B7wqL#(e= z#k!PAmEjJ5PE~ufxNMV?z9od8dF}Te<1rDY8Ou|?+o?y36;v2GY;CQ=?yhKT5q#Ae zxXm^u2g^URG$*{~&6A$So_3%3K&;zotZ=YP0+TgtCCbzn(^MKo?Z6>*XznQTI>ay1 zI8@$lX9~PksO)jKw&I;dyf8Mt(2Y7&W$AXu zDeS-up+9bGQI1vJ&w(}>J*@(F)bRCCtX3X*-`JC}by8Bk@$tgbmiP`B`C>`sS3MYrqB&PNJXo(0RcN8t72Y zN(;uN!RAGuW^m6Xv{pv_xm&YKhhU19iFwz@!4O4dPGI;(x9+QWb)vb_ktfj zC<%W2IX2IGGHon#0~`Jk@0bS=-nuo^)yZT*F6}87P|rq42gFv7xc~N9co?*>MfVX! z1ll}6U;v4>H?bPHss$tz?I*9i^NOP34iCh<0shk`wpJBB!{3^w4t7MqwCink2H^x+ z%soNvMaTcD55z>i!)twm!pTc7acVr^m!MFpHjEm+ZIvwUalOXIq5YToRQz6O4d2XU z4Da%u8a{we?5>m!5j7g>)o85;P_CzEou98gWu zx=%3V&w4E)zKob^dtaGU^X;*((d!g7_w$?3iKxrQK*9a}?l^Ra`RxpTKw2ib&cC}xw2@5W5iHcDd%u7OMNPaeO#-K$Z%4I=-~zK zFWcM%x&y9I^{}*4#4G%?-%&4>)Lz$RC>uBq*`M zn}xp<)T8X4xu^^KIaWD%Ao{AYz0bJ?x_O;2iA{$=oJdEZO(S& zl#5+|?RBI8)le+d;F$GJoj0n#<5pyk*Ph5`*42|qfP!}ExYq+fir@=Y**yT&MNv4J zH``GclTh;I3qoShx&i%v0B}RfIY7pWDTStfqYF1La#Rc?ls!DHV^iqlgqz0FutCPLG@f&VQ^UbVqf{R@`!!rjZe6@x zoC|ej1z(cCOS?t3%@Ta~1Q;F8RBwZTNv|gLO7M3EIUV8RVCauMPZeamZ7avYS|S^=JmOv!Rv;G zC(MT95C0ZO*>&iIS^uvh43@dlyzz_L7a8?^)wn?EI;T>T2f(Q$&~c!djRI6fOps@@ zS7gN|TZt?k;9?AZiQAeLr)e1xJMOO@3joJq+6$|Oe5+Gnt8GBMBQ;EZ`pSSUpGhKb zi%s6e=~Ge-7hkS-nLd0qvF4?8Q1euS6sQgL(y4&{f-Z1$EpXTJ?!uGWH{*9W?S;Ly z0`)JYSkT=ny>WyF)mA}}-ffx-HCJKwR8G?Y{Y6OJd z@MPh$a-r14$C+3l3w||34L9U*DqfnqT7Z9)bLpIc&{B*DoJDdw3iGA z5*=86Z6Eafm#e;`B9f{Q+xXg~bE6t8;rpQySS*AG^P&bIGv$&3zTw1TOC>;es;Z^jrMzHHcQ^oxx-3q6=SGR?iYHc z(fp_@rq>R@<>L5ajb(#jScJ0P3WvHvFca&!9YkToIsNpTRX#}OD|xPwl0$FLhU^o4 z;#mC_$ATSX>a%~h1EU4v>|rvInXU3hPb8=HqE_n{lf)~x??7y~g}U-K17ds~dfST4 zg53{SGJWV4?R}DdHd3BB*nSA5Lu1J4oiOz}L;)jVPHk(uKBtY3np`QTLv%xc9)``t zoZ<-|QqZ$u#*Nk_7NPuAR5$+Vw|3(D@`=*Zsb3 zu3qC~092Sb${E*`P-rHf{V+R1pD@E%g^I!(Wn|I9JJM32+ij^hPYWxC3fzY{-ipnt zcxX(@4s_(q+U=%nOGKV{6#DhwfYKN<~%GFzZghTdIJhsN+e{JTL)(*-JL z{Hbe{%cLs~E3%>Nv&_gs_PeVncu0FP5DpPC#ZY!Lb^H~(R($R{xC7+4KBD0%W8ZTb zb#HR--MXeoreDNiLB1{gS?bshwsBR%*yS(NPQ*MB#wW?T%&5blSv8 z7aw(sLsk)EkHFND*40UfW{55(YOb${R?e(r$gQuwt*PykMOA)jl`Kp@{bVJPoJ4x*yu>Q@`{yu>@V0PtD+bq8O9Uz(U4)ntq)@KpH6RrB3sM51C0> zIClhXDA5v~IhlY@HgBl{)JOI&+6>ueN}O938>qrasW+p6(OvuHT~6hgO9W6TKu16C zco&I%W8idnD^+aU&Vn@^?jSQ~6IlDqk|sP9Gl0u;-R@fJSI%ltpk!vN5GYRe3&x?( zl1+mMtJ4lMni6;^3hM|dl^LEfAFt3>%H{usRhni$Gkv!ZcOkHtk@46Zu*Ht_UHZ72 zA4MWJd`0At&wm1CNC!!20CLvvV%P%^fA;)U0|j7MkqjteeQ0L@Oyg$M&Acw zn9tc7_$Vw$R_qM-Dl$*V%WB)|gXgX~=Blr6K4{w63FnJKci5c=ZCpnNL$vbS%2c}R z<7i>`ERymijIH5AwT^q5|G}(hDD|@JFcljslILl)Xb8$5VJx>w4Ve zuGFP29%@pT6dT%$Tn;{wzdUavfl~7VD=BW`w`SLi@Vz09*yo$s9~zq?cY8}8f1aAE z8904C;o)S>0N01E7j=HtucpAGAE(8EaPVl}P5R8V3y@D#5uFOp3WDgc-IHJuf z8?ACv5R%SBtA?+!qnfK!G8cXZunbN~g@gwl#Q zP{priojGZ(#mzktEGM!CPA~D=?$7LH##mYreS)qgj$!ho8z9f{KdB)UNkLrc*z=hu zXypV-cj3h$hoJg~xB)W2gp@8_`-L6>xv_6qSS*7Fu-)&cxnw(IW&-@h{=;$Rm&;pO8|+DQEX=Yxiu+x7@8z6^`+58g%56rHLh&f6 zb%R_yOLNY^s;)}XbjGEuHdN#h@LZ^I^KwAhQg7zmvKorWD;h{jzv^o3$8=xa%({{`1{D|~@u4U5yB?OzE-Ee|9`Bd;)5XC- z6XOuHMQ)U1q{TD2=QpEQ$SB?}Tl9M6**5mL-l8=mQKqx=#mDP;g|Wdyf-aNK;xFIS zW%GBq`U_6$p$X&e^y|eUE1+#nBV9${$7BkF#b>#QIrjHXGqz5enL1<;@El&V^K+A9o zBniNln^{Ovj+oW|Nm)*2H3FzlC)fxWQ z*W(*lc5Hh&=kPo;Om-L@qTK;6u-K>ff+K)~Ha3jzX0qp}K^&&^dMoZL(2~`tqtOOE zk2l$+{o>rEMT6~gCs_q(iZS@jYTov9Izp#03^({l@zSk65>M|!x`_#;V5!JMK&e3p zalEs*|8}{d*fm)C8$5)BUoE(BkgTO1#lhV}OxU!KVK{ekYp^`sM@#VdgUi=F{gqnk zVIj3u^lo&Kq*?{m@v4D>6_h;6*G+|}8%v65a;;-~;kH6=MsGtXg;%9NoCtosS(dG% zn#@-Vo9oYZXV;T(mW~OOqY$N)6SE=pX>A>_>-S$`b-5lv!Go2c7ASnwvGcE1x`V+zdsz9KmCo%1|2bmGBu?l6~ zX9)l6zjwtdh8UNw1=Z95BrLT1>|?ReK|<0t*WnIVe^3ASx&zx z2@cCzO}hqCkeHUus8-zQAZ0Qc)w1XuTpmCZz@4O%za8_=;JL{)Kk}3a5{4ZS@YzQg zxT7a>g$!}_^m9EmxkLrxQTyn?)#~){oo|uSFBFaJ>FZ@<74VZ@H#~+0W%ky5tKM0LXc*PL}<$lq0w8>>1O+>+H=fMJxsn zm3u?RySKryXt;=;2=qe?5nFOD1o42}uysA09cwp0M9W}1r21F!+fMiX#J3`1VUgqp zln9OHXr69Aci#g6=nQkGMlshY|Kk@tx8oD7NsHMMLMMSY{vJb1&SL#azjrvRO!a9m z`hOzBc*mRitz3in{sZ72G!Yw-R7R*zl#E1V83W8KZAPELaieY5Vhb2DzvZCN83Cvm zu9rA;%N-_)Y8YKTMh&j{@xDLQ`Zaxm_f7_9#)If-JuKzGH)Xu?4k|AN)~xWfY%~|D3aBzRjetTOXMmAjZS9Fs}I9VL2kfTn&st#6`{4cb{f z-RM)hd&-};Ynd{9$pihTsjRhlj*y6{Byr0!<*&CSzb=@`IHM|^5~X_1NSwU`x?QGk zSP8u{IcJfZ6S72e8rf)`i_Y5c_L+Hg&-@DRg~$6Wk$Bk;gVtKiv6@UJ&M@EA_I^N| zvW0sbfNoQYC;c{&2Jx1jfqbmhT2-R(C2mTJ)6*v>@Bv217Fr5woBv3d|1E4w1l2k9 zDebjZ!-s+Kt7_VzLBWQ@xv9kdj}Lw&t@Ryl=N#T^%Gp6`OiPDhMArzxPKQFnOpmuQV;9c~nlH z$bA@}!m^rH5voSO5=jpuhAD%2TU9?I)kt|4nt;X;0v2SK)v9$u0qBUJ3s&``#it5; zm-msh475&Yf%}XgO+YHxOVe($-o=c(#NO{+uZ9bUIl@pBHV(m$qh5wsHzOty+O_m# zeM6zG+e>?))MpLUeR>WokJ0M-6{i|AtGS1C^)_aCmO&vtIsg863)@A=aUv<)9({t3 z1``-gel3m3_yet#@JAC|O#UBaX#5YaUp>g!xE?|BJUG-qxuWi05IqG?FXTv}*#_oJ z<<~OGPQVyuRX;!p?apqG7>OEZ2=~2k^dL?58L#JdaLUXPtV}CLPro3OJNR&tSGI*1 ztb%)qgeyb`YtLDyPeS_}z;Rv9(VtNbw_i`HF~U0RXQMHa7hl^5VdEtq>ce!$%@sh` zfnINK9e^%(Q4d>yDF{ordV5C)v}~yKcii#gUm<803=#>T!P4_}P%e;>o^SzS z1By`7Pgb5F{S>%Xl8b{tnK1iUH6F`b+4;$`KyH)9rf!o?qWkb7`MDjz1wcGcjsor8 z@fI*q{zUr7Brh6-4_LA&-SrX-uCNSGJrSstM$-%Cz~Z;<@(1D8N) zvo)xeGhXp1rM?kk|JP08*u4x{c4uxO&rJ^4BRJ~L@2=2j0k@a@7T8CYz32li0Q`cl z7(ChsFx!-e8whudbTW#NG`D=3YzGAdhJ#NVqDYj-j>iA`2&ID^E%qtB#r?spyT9sO zc(>0k+hAs7Kq2!>BkiN5J}!AiPJWAaRx}{7W^(>#bPGIfe!;0-m~Bkj5rsp|cj5L~ zu1zKzx^HY)7ISUVV;`^DnR8}1bFJKH|Nby%%i>^znJ^E4UnFkv6!Dt@pS5Rfg)0PR z$o?9Or~V^0CTJ)y;0s<%P0_a??834hs+e&v9pWj;Pgbe7msyiNy-3{owO*Ww7(mzR zBLF@LyB20^iKZ0#Z^|Vr)Ih|I&@7HS*>CxyFYf#8wb}-uH<6AjbL>Y0wR}&jIeM8H znyBfsdX*gmS8KiI*MjUB$eG4oSpG?t48sNH3%)w|$DpGATr%{%nd|H%)d|!lwpTO&!=$O zOqms5<;m8{IZPaX8K~HD3;(P4)+#}VP>=f$ywqkQ zx8yd2fgm9ao(m#r0+1ai;=|VOM@bES;k@;S$@tN2wgo%FjMB>^=Mfty5tW9uA<|0f zZtNPe3Bh?Ai%z0F8;j)Wi{z3WEb4w16Eg+qJt@$AghU^~_oIPpZye=Zq()3pL~I)4 z*xRLoS<#e8*T+2q2%LnVFQGJ0^pjfx00~2H2@LUoTSNDYI`$MDAl=h5Ob3)eOEb!l zN)TUm2yaR92sAX^HuV@1T_(W?vW#b65t(_0gbBLw^ACAl-^Uh5&}9^Fw^8!TxlD&6 z`pxa-c`U)h(3;|&{H98@01Mv!;qT9NavC~|%1P#OBxejPoCCSfEuiqkb#!W~m+V*; ztfi`dP#(%nDc;ViKPIJ?aO$Db!`a7S>+^Fv1bgubzHHVeKv1-9Qf|DJ)UU)IG=e>B z-jYLsk5IIc?t~RG_Y4YRNRlfc4AdC8q@?U|5I4Jp?j)%8bf~KYMhz5lb~+79*yHE2 zkxx5sN!>~9tbJ&TltRr=tfbHeU!Vi{2x(KBq!dvdP88KUzBOe#y1pah>?be~ zMnT#_-kFEfCTnW;UzZ1RjAuV!P4RR%buk>U-x7tM^jKs*QO319lfDhG&Fu#gdtukQ z!nW;Rw3x-t;kM5j@G6rC#0@0*Ty!dXjR+)S?jy~l7&Lo=KrpbC{Vw$crHOTN^qS;F zA$0ZDbT@UXojN7*(GU22i3<`0iVUOc+XnSx%lU1MRWeTUgwv)*d~3=8Zgtlu?d>Z0DGN@kXHCqN9tY;p;_#hi8zwg| z;s_FSPi0kO?*xInR&RkYFBc%|ke)HjUcS|j=Q~rpp486T#$Z>TwG)`&9e~g&@KDKfnuYY@nH>GK9 z(BfGX;Z>h)pV^F*A9)b4{+iJqat#|u<{#Y53mD^Rs5Ln_5JO> zelctRKej6R+bR6RKl}Q>x;FpLE&Ab?g4Xps(!>QKS0DosK|a-#jg46S^DejJ{SUlzuf2}NvZ$5(nObs&rtr~ zz6IkjqyiDLw`T1}ZA#)*fp&*6f&T3eBpFaUkM}ejCQ##lyq2u^_bu6?NWeZ69%;qk z!=sSH!HzNn+${V~1SRe%=c!Kj%4Vx!LS+`bV7h1Oq{Z2CgNp)(O!~qHi=I z+6Qd#TfOY}w;*4PDgXJ^@A>_^O`Fhis>eoKUeEuq3AX*1URYTOqI%LD$U8V5uX=xO zrr`Fsh=P>+s3-mz94IO3v{JBQpefsvasK;zkuUoF9KK2l|M{*yu!+|-7Ybge>D0Y! z$cbpNr4=I;VxrQ&YmTu8Qc54~b1b>q-PgH|1h{&M{0&OYyhH9@kAICWk81#oEF|Bu z7s``G$UR7K?CH85X%bC?s?G@2#@-B_-z>nAtNh?~<@ongxBBpQJnwjfE~wW0hAQ#( z8vsYJGk`2`saR^+uX!$Gd<#~3y5ADW?`ni&=wS_k%lEPc z(x{2^E;9?tZ_>Dv&`~0RLJ*Wv9}TOYdd_A`<@Y17J`-arp;sVIL%;;2lZ}x-A-%87vQ0|qQby@Rsy{)*Ygjcogk|e#_C#Cf@Rlk4ejN7 ziUn%;AKz>Nsaedvkv;7BS}50{uQp49m-qKp3X`~3As#!Mtn70kGFty-J=UE6czG|L z!B4+`XVo**s_4jOEWlNRL28QLg2|I@DjzAE5lpU^=F#ZS=Dj? zr$|~8*ZD;!8VO2sNy(Bn6q+!N$&4Hqb;201cn*3%PMA3p)A=p*&@QR(E`0r*vRsTD z-g6#-NS`khpzcRoD8$-~=|!}@A|72-cH?yMIWtrzj*ae{JKUjs9@>=yG|y+rsoEDK z8ZDoqM|0%DTR6-0%F%CgsP0iX{?BE4djh#62D83Fy`jDZW`oOdwYnKUF1yPN&Fw7OYNek)T z&HY+j7VdZjF#lJFSAKso%lsk9XL_xNTLUX&>OM(gRm&IsAs%M;>6zHkXoy^)1W-tQ zHq%334-d3M293)}umKo8GkM6;Gs-pO9J2Hn&rEjmJe2-;<^2;Bh444N2Mt*HH9WU~ z_(MiO9ulqf3HhwVcD4|=8mXhTQc$^JrPvn;--X$s&MQo{uw4;Q1C6g~Jk8WUno%_q zkO}aw+eNY=oTQ8ry*iY0{9{iG_|HM)066w1bN6)m-3?55o0X?iFw}@VC2g7zpv9n0 zA^_9Pv9Lu`qRwS^=={BA8>1HLGFgOFZc&(BfOJpI7jn^s+ zq4VvMvPFsf#BIkS33bA|2{|~Uah&=c*?T2TPf^bOoo~ML5rozdachrstRV3`Da<8d z1k_P>gHBRVZ1*#y=y#!xVCeIfn6?zzI8u_wc!T)fctIKr&Vcv;a~gnKCEciR7kvt!W9v8mcwDin!Lr6S13y(aaWYz69u8# zcYWJODb8=w6Fo?Rco>NC<*}M3fUiEufraGPalE`L#iOpW;(ql5n%Un-7$Ty$u+c$i zpo^Zovc7zURW_c2#bwq^W^2wYav=NYT-_Y2J3Yk{TB?}eGM2359kXi341N08In z)3C1*t|FC-vFrgP3t{$IN*-v2$k=fb#ag_Q08$8U%9F)o#^ zMO1Shsvo$vYTgnx8vs}&A0*)d(P_Rg*?j`H1GkN4@8o@fD5;p@<@H94CQ&uag!(wP z9&p8PuUxBv&>lkfSp7H@;Xgj@#Win{JPH9njx}Yc*QlQ*I@I--cgo01JiP8hig~SD2{D@Xi*|nesF31I;fv$62%pN#Z zCjNfk_Bk)sHvTFa1bE7d7JB!741|syTd;2yKvyKB*--txJW3nxf$9;D@`lCyWp^N_ zx?w>c%9f-5hJSQt+e8KnDU0Y(Mo$*Xh!u+Ss05-hg%r;wh#R(+MmG)kt|MGYoR#z; zk$3Nf8U3NBv#OVxq}CY`Sl~^18+2)cRuAToV?1U6!I-L!_>^R5_;GJU z6CIgp`YxPjoj46tS1G2*&Iv)6dk6A8{`WvCwh)D>4C8vVl~UOEoBbLwcUOU-sKbl_ z(N~k>Z0@ErO;*FJS3D-a6Z+%HB3=kx+<~lk>mXDmx1bq_8ET$V>Z?ZQkAxP=$id=L z8_w=ExL+cB5D8*PcU`l-DY8x&>w9e0$JL_=!zOw`e3tuGTQ$PT;eG8lS=GU%zx_F4 z>wh_&Vvx1mgFw-pibUr?W)ISp1MNt6G#VmeZSTw`)LC|iZ>;$4}xSfv*H!xDz%FB%&3sJWycM(5r)8!wd z1-*VTN?4DQER&AO2_!kw6xi#@G%c#Z_9&@ghskAn?a_3-icf^rB^ zM{M0ElXhd~4v_R30;EDf3MJtz)Vsn}u~>JAD;;7APb}@L6itxJj%fR{??*7tMqn^< z&%Zg@3Hv&7$%*wRvtC4-asoRDHg5Jj|Ym1_f#OL+8hc5bD%+3=$z;@kh=LYu1<~VlQY(^#|0Jc4GpF z#^qAF^EO<_NQF4x*Eq1fm|eUTqvX&FBfvq{7O3lN%5;0ME=qR0gl;YC#VvpZA4e=W zR5wHIptrsKZz(f}7fL2GguxM9QpLZ@4AP8(i@)UHF&$loNkYm^bL=I5D92t zC+rzSk=O|Vr0Z-;@*qf(k@eOftWC%Rq!VEv$&~tD^L^709$?*x*nmr`UdO$ z*eDcHNA&Gf`*vauni_W7O*OZdUMUycBx1Hj_w@<%(nq{A&9R!kExrF2A}yrhBOfV> zd`@P+VK52vJ(n5gZ0xBPejL~q(FbHs!lYIK^M!%$VhhYvz^xtd>~m>3Vq3@O9eC!V z?Qn;v=7<)htbyCt>^Y1++y zen!owR>cmbrJZxvVv&P=*wT&=9IDEsT68hDVg9%t`=KZOsI>;Rvb$SY653mk*IRHl6NzoAsp+ zDlpuRpQ=jwl%Rp`ow2(#J~hi}NsPgr&$O(C_$C@qMc}(%A3;MA){D-~R{laim_*hr zPn6aL(todOO@k|p5=hn}z}YBNqi~dUivL2QtD(arp;kVEy0PSZAftpO=Vd?)NGN)v z&>~3d-CjD;-Uo8~nWQR<_bk#+{Y=1_l{H>TH}%ZJPgCKc^B zhW7JX$D*mL6=`Sghm(s=gNL zvy>iBUJ*%uc}*5-3O%AFUGSWEx-bvj^OMj`k@T*FcQSO6k^yWJ(>rAO8L~U!v&P}p zKO5684E z2!N^y&_<93y-FS4bWjTo&|h`k&qaX^o=5S;1R;hHXI4}vlHq+4*;8D zJ`{39ad7D(+-jmyQkZiMMkQPnQnkk1bF#EY9qMOKq9h@j@&| z;tGGZO9hB9jy&7ltQwo+4u1}T_Y)>ZQX2+znEum@?!ILrs_^Z6^e`7#A+HS^lh~c! z8kWK*_O>GseJuB0J5Sy+kYO)0?kzTNMHk(PnJ*HS!sQ~5VX3?2pX(!|G|lUxw=gIf zX>j5w<6G9Xq61i}O`INS_vrS=MjzhSHq8DxU^l-d=BdQnhUNo#U`gMu=QiTGDOq;% zJPBpBkexy*E94MdbyL|+WnSI9t}Fj^ynAD0q|x zX1%i-;G!&Q&r+QUBUF!_tY;bcNg!)+kyBq*;YD!KOUwkxoj&~IogSl0)zSaDLvuYN z%7<=6sJjT3P<95&ZZ#=2#B{t5e$>(uC-IhjZ{eulpU_G%EwT(=O~j$wEhu3F#|U*c z&cE8LAGrJ!u`rM@k`bP zfYo3?0W15{37xFMx|d5w2DnZQwnJKp8uGd@RlwcK>8{+kWvGJcme?WfRyhg2c+Hrpa&UxjZbTe*lr;$2Vi(u%!tkN@Nr_)4fFRNzQ^bn1lo11B*90 zAHajP;DWK4+w6n^nx6%xn3yC{;nf6@wIS19@($43<3P}atL8KAT}MA=rB&yaHho?F z6x<+CBH%DNW;bGFmEYW<`K+GIW@5RwzR3c7u)JHC+*9(hvL^9WV3dw0GkfC|4JPtk zKK_CAUD1N<16Yh`H&wQ?Z59YqWA>$dH?c99H^ z%h!HDs+Z*eb0lun8XNR!XBmACG(n3uB_P+7oluV`?}Dh*JI3(*z;DQ{vJaZJ9p8xU zXG4=;J0b;$RNt`XPovku4#G*~%nZaEuQsQmIv^o}%NI%L622IFPram^<=46$o#0Pa z!DxmHmK33&wDElB6%3q+UF%}pd|EQk#N?25+%y`+f|8cz(l_6a>f}t~CL*Got<$b~<$oAI+n|_|d}$|Z((=G{ z=v90d)J$lin;NPT{U5#Zinj<23%qAR{~2~A*oJHfB}~X~w+L&9S1?51Zw;f?ENET0 za`ui8?DMM?jt34y*+G0|pi%NO7+(bn#NzH!11AqraYA{g+*k)FsCg=27$!Ppev)O= z;YTO_82UwTlBmv=_MqLR;nE=`_HO95zrJ`@6Ref8V&mA&px_8>O-oGmQRUU9vr6Je zs|ArwvMt691RHxzH^LUv^$YJ&cA4+)UHvCVR31{Xs^cs9FX(PO`f?#(H#g(R2E3`S z?2mUNPcg6{VA|r-$U)lgbqfyL6orY)#Pq^+N6sN6)_CKqM+aw9Hbdb@Z&p4f=ib0llgl@_ct-au-bz{I zZkO4}*Wg)V#n+Jy%_*hF?R$H&rTjor)Y4iQS<`kYO-$NJZ3BSI1A5Hi*-K z44y?2JxKW547uKrhR6!&i;ogAC^-NKCZ%06gfADkx9cblu{*EDno%;7=c?<9nkovR z_6&qz8T9-`3VadA#$6rOVUYfAdmCFMGrt9CmcrF1J;i=DQ1?tga}31rvO38MqZHln>>N-_dEH02<8 z1?6_0nS+kF7aus1Y+GI&^tHF_> z*cN_6i{#Q6I^x{8pl<`ndBgf6z2wv=Y$7A%5C`J&$y3EmC&4Z_Kdd&+hZ_OIgPj3Z zvCFC5kJdI;#JPVT?85DNVfAs3Uo)@hZlw?0!J0x;DwF;?`&JdWVXH~UKkce+70820 z1M9i>TB&EWLcV>6dT$7s9S{Q+gTwJ|2@x>C_YZXlAd?$gJTDzYJGAol^cG2pRFZco zWX3vTTW4{y=7r#5ctXX?n5wnBM_4|O3rXW-RGFvh@ce^46h-VHBI?)DYWs@KL_w#4Ox6i zY@26PJ`UYOu?1V0#ObRa07?#{MDf|YOvKIR{&Mm+xi*Fu$*hlznrI3yC?LTj%DZ+N zTe&p|D)EZ0>=xO5?&<7X-cg~=JMYHFl2aaNRm>&Pm`b_*Kb$ zR)WXu+p8IZ^~1!L4trG_lMUw-Il}2cYGky)NL zYjEOaKuh8%SA;8cgUU{6EW@;mOk3)lOPBw+mdHz7Yi0;Dyq^qxUrY0;2znu88 znZF9`)xbjfqE;L^s-AOPkwDa2O#Tg;{{7)NI2y&EC*$G?xrK!f2Sz=FTxGdg8BAxq zZBPoY*&gx*+yOkMJ>*ClXJ&6Ty$$MV^jd{_FlNnAh$*k}98eV**0gPRy6PxT&fP+0 zvy0Zly+{>(KLXrR`J4ukR*jvvev`q_Pk7tG029XDoh%7;^^E878Pa3l^a23{Yt2)f zr4-@4A5^S?j5~%-amjyG2zlHf=bxziC)N;POQY9Khsdx$^h1$~+GO_4jZ|jNL`Z3P z-38L!!Mk3vzR`s#8!-tnq(O2U%$B_5*fcNtm&8&3<-Kvlr!yux)YlI76o@icbPkeh zqI&4N(7JDeoV|iEeiFW=^@6*!1(OJ}>H0DX(`8Y{p%SVf?{V5BF=-BlW(#^{RXtif zOE(nQ8ZrrakL%3-ga3&$md!0H|Mf{6!JF|~#@?|6+p$f489S_ts+B8>XMl*680A{_f5h7L10KGYe zp*}bcEh)e@me=VSL7}t=IphqFoYCW?k5&rO-}LZVhc3+=ko7GNj+`p7;HZt>D&THt z6EcIg0^Y#7)GVitTe0B452yG1Gr>-u1;OKMx55?6DLH(R0Bpr(P;JsIA<#?(_AR>{c5!e99L%`Zse;L7Wj z^^L^PfP~IClGjFDj%aX+*dUcbW+&XCBb%hi=@j6caJ;rBLiPF={(V;L2;{s=PFmvW z?xg9GW6yX;;HI9jwZN98&`tLG+m<<9IaNf0wlIL`eQ|DcMNnI4`B(utYaD zo=4N=|92H>!XL39BR?Id#Xiv&qL3rf$&nlcen1}oKEcm>4W%Y(+pt0GRZ;O-d1R$8 zx(!Wzx61es$!hy;YYJh$^LV)GzseeSi$O1N-KPdKgZTeH`Z#>x_0MtOjhYg;z;R4W zm$(Rn?)-@A|MQf|R~}RUE-e22Q;z>1i^={!)Uo}SKb<=rmOUL19d&ScYMLo$)i>wC z`P0YNN#CC9D6xLopn~DqC40AvT>I+pTRDmu;B+wMOOn-vxk5|Leggr{DaW)&5~TEcxFLRT27M)q`TKd%QC-5C5mv z7XHyuuI%BhaoTMa+ln@dris%_W@l+9Ow8++umu!%y8pj@u3V4Ko*rb+Qw(_@?%;{J z8;!U3tV?}a|3CeiZ{PC>{d0-q_eSU6zj!)6+EVIaRn^wDs>g=bUCD%52yTFX^=kj| z59TI)dAt;-aNpSD@$vDaC(e#(!Q`j%IV=1Akt6-b?_=FPT~%3ceq}}($0Pf1H10os zQU36Qi34BXEO+t0o8fncc5mqyYuY0Vz(F_yZ|MaqYW+Nq?OnY(yv`AETME=FC zGGR7XTT}O{+zDoD=WslzZ z+WqdEapKrIwTg~bzLmVoo0I($pSRn^G`}1$cj;Z)lFc18y1MO|(@kf4-O>T3{Xr9* zvS(icIAiQB_VY#HpX-I)>ag!AO$jYGv&=H`bHeuKn{YmRwWUd&sVVn99BIx}B{~;7 zy_f6#GDb~}j304IG{m}XC^}bMQ)N5R%PH7Z(OLG~O{)DIdTSh&Q_#*cuS>}%;@I?P zfu(PTxcEnjZ88T8E%#TxSw1j}^~yd5Xy>4F)>IXa!1xebPZKZA$JU1?X+3qqoRGZE z2X$E=cg2a+2lm<@9_zNnB6@A%zX|N`Pa&7Xc7EoC+86ch(xtgUpwqZ1R$+amw0g_y zz6ge_icL%z(TE#je+;~R|GLDM4u@*VkoWh4c4`^y>D#!`k!ZrW=~T-&r7LuMdq=ZQ zLp5HZBlmba-#(E2&^>`E^IVsGIUy%n$zH|oY2Q`yPsD}wHU-IdNj&P(Qi?cn`twwD;jxJkGiP% zsMHI8_F?rZnaIy87wKzh*}S``PP*aC^X>uFRi#0@5{;wIeQ}#rX71wR^XC`Qy@q`?$5G*7I%flrRl^L@jJQ zY3>nsD5JOV(cNM-8?6-O-A~6h_OEq(U3{YJ^+?>rbIpupQHf_p7Hh|+eKNTiNREQX z?J>0-_opy#$Mru-E|c$-u=;|x&1ebbrR3kFV>0~p*RI8L1ddVR4j9xjwq(3tv1$Ko z3s&*Rpf)SJ{ee4!7z-}GGk3_u)eOs2l}?SW3~fDx#b{;e-OVm8Dgpl4In8^Hw0qe4 zUVc73ByK`X*b=funqk99y_Y8P^)Ciy9@0sPc4Zx=b&oAl8?4d{kRSKOMN~Ez2;59f z$0B02?dpG9tUL}}K^P~laCI>;G~}|Gg!>X!c@>=&7)^pPv8G(7(%#?!^&=W92g+@ar?K1tMp9WRRi z8mZ%^?C__RSZIErU)i{|j+{DaHvXzdRHNsUsOrX$ZFNt}(`74a>tu%C3l~=yr$WW2 zFkT+HfyHY1U9}y_aiLo3XRdT4;q*O=UTGr}zf}K7nt+9>g z)|icivhUxQEb7J~W>N2ihYOQS4f10v5cvFU2CVKTv!pD+I+ew4)L~f*w0{adYF}gY zVIrn2$z3zK@UCTPc!XmE{g?Q@Y{AN>gT2g{488VFlg*JMk)HO-yKg1-Rj1y*B6{|X zeM9LziDQkK&CX^ADQ3H#>)*+_;3Y(6hkQCyAdclIB`x>zW=Ok(>HZhqOEZr~9%k?L z2@oi+GG8^CIh+uwXhY6BRhso*my2B&JK|^h@$pJ~<&J}PcDIyYaaUJlsb*}pe6f7d z@$pfYjrX0xRQ8n=ym(HesR~=;HrxO&_S8|aO6t&?)sa{=g{_M8Jr3+`lTmIuf)!H} zhX++{7EL>LWu9XfhPSedq|o)_+a=33aTojj=?L35qg<$G1Ip`~S^x42!Q&XEeN_!}FO6ddV8hkiwC zP1$trORJ@P*3~A)tn8saCrn*A6JN>n7x~|88pW=LQ#fyR~XV;L=k0D$Z ztNmr$I;=R+gCo!H%ULFDn|7d0yR7_$-l<;Q$D}frhaS&4?`drT_Y?`8sA&|8d&!$9 zrx=fiu*JA>5vc)qF6dJCA)Bz3zDnOKb0NpFq}bS4vZu-d$Q7o~=uh7-o-E}!E%w>* z?>&9DK4_uyx5D(2-uG1daJBw17a)&Z;{opWRfrm&)Nn!T1Q3p;WD zY(s8Vu)dzjFswq9nmQS0dexDkRX;x%H+c4xPb?0%WL!MqLUopKfSI}~nO6-#_hX$ppPPY>SS7S!`QDrkM=7u$;f2Llx za1qP8BC>0*@}6^3^pgcI;FZdb%_LKPyqd3SLN-+egK<;$eiWKk8%RNBRm4Y`+!!%g zSUYD@h~lBp`R?9{2-yuLXVQY_a@=9yVZJSq8w)taA$Fw4;!=7!^`Z{>396vQ?j{^! zKljW0U4?~jt(AG_5sHm$wnbuxi7gbOIuezc$)@8GxB>Kw)5($zFfKUO_etI=(%wqV zP;W>w$|M8Jh?A>|7iZDC(((=l4!_A?><0iOjQKPG3lq=7L#6#|sVw`YI)RU{$x`yo zLbiB)l07FHO;65LG4JIj8*<|S-%Zzu!tKliyP$15OV($WDXC^qHmJ85@g*U@=!EE| zDqOVNe4|}tN<`=$bNRKSB`dDK&tqtK%7wA>ZNrzRl32Uu#kibtxT8)v?)b_q{CGe6&6e{0&*RDOc5o=ZrG+Cwru6Kbc^}`2swABf3`xFi~i@DW4cW-nQOnm1%?7^Je#2*JpwMSq5xn81<-)YXSjx7GfAlkIxcu0; zA^ed}g;C!}l)Ss*gL#A;!})mMZBx_$VZonoAmt(@g{a*NwR!*pqNU zL-iRYR_;^u1O|?r;tBd3he=+So8zu86TFopdQLGVG^vtLo#)J(xM*m}5JRwLC&vB! znCR%ty7d5XvukNL^FP#dn=9qXX%*HR1?}Z)`}C{-NY@Qvzrn_-(J-O&W)}`JCU%Jn z%Qaa`r_a}&x9QVB*xd(4x9Z!emQFHdN_lQ;+=`~A#==RGTpG{Uj%dmJo3`t^YV_}D zx0%=Jmm3Di#=O}_**I$nmxN$-S21m>a-+V}>y@i1lTlVM$cakQ`{jKHgQ)Ci%6Kc) zNtDyW>bzN^8Pk$#A}V~HxSM!F#vaVdJzdE7o6GdbA?pZgxTvTG6Va`wQjP{5M+Q-F zq0xG9t#en-ww;;`ax*Qv+sdb*&O15bws75GVMD`1)IWYkaWR`Jv215|d9IAsU*Oz` z;p}JQqN4J?newpeX8)$ho|vhH#k=a950i~sTZeY!Q12|aDx0^$N1{_NFLWDh>yG1h zZ)B(ny0;G&E7`~j6jm3X-he95+8@~#Vh!9o?>;Y`o#u#j$chcQo7YX<*Vr=k+9o^Qmalpf zhe35^IIr<^wifLlqb0eUzv1SJS**$8xGudthc2t?_Z}nJ(S1!vVI3gzZFByk*`gSGOq9J zTC>RB-u?>i#})%UJw5XO><_*AjVBW(2dpGPuyJ?@{JCQ%l3rqH+qB@C{i zdIXZpq^L*7oyw_?R#nrY(3;Jzs;}<9i-4);)m$p=9>Xdql9z`9NL6s2EHbI6tmn64 zp*5cW=t0nB^ln}LF2-}0%$$w|TolvWB{>Z3yF#4Iy77WpGVaym)CAtALs*_phYzTU z&*tdY@0%V77%m9DJ<)n|+Gw-OXwYM@H{9$pPQmw>PCl7`aBLC6MMaILohS}-E)bUO z{6qg|+e5R(*4JC*Prsid&Zti5jXPQFFg@ysr;+?+++^h{lWwJ6j`y}~(jB3Jl{j5LR`qZ%?Bg%1*J z-%)R@(Z7W3J0=f$d->f=Z<=Wxva_r3V5)|c81qj*%n;t#m~$-gn(^>cu<>){tfsTG zEtD=CeCHv^JROgcYNvUPg(wcBN;;RP`}oOPvrqAx(El1_QBfEyGI`fGkTca19e4Q@ z6FtHF81DJoV~T>GKAn%AOWLT0cf@526+_*7OnK7;6R6gj}Ha!@vIkJ`J ztRX*LBU>+R^kS+rY)g56v*w2FfdT3q4@ZzC#vX4~Wsf>)6euag3fy&~2_P#kEqDzVkG@k+0d38Y36p6QU!*_DMZopw?H}9~~Q5Vl2FbYxf%rt!L@!duh{F0jKIt zHZR|^LGR)MR&`v=V#i}-ZJm1w+l|)>8uqTQuld?%_jr9gs=Ntx;~mlakr+nDhYIJ^ zCbQg#zomQ1uKB1&PEO^b7uMXz(2J~nWM2GkAGgzk1|Yf44wc)NW)3bAzHU-}r}yo< zeVW)9!|L2wb<<~W#U0>z3~*o~yF}@v>!gNqO>@Wa0=12zZ>s+aD;ZgEXwj8pk@Ad@ zjAt8)+^ZR8SGA;S&M2*DKxgL7I)V>3e@PLhecD)`ql&4E(>($0!MlZmxze7uIDXa5 z36nS#AU9~07Cei?eXp`|S8rq1lj(8l*8Z`ePmUN|wd}gaD`YqtkacK^Iz6%IQX1Yg zciGHX6912}l!~#Wp=A~ML@iT;w4EqlyR&y@>XGUnq*T=lNO`p)MF4CMv!)K6H}vIr zjGH8@7(B7@Ys-D&;ycJ$v^9>JW>3HR^QRU!$Lim8&2B|UG0#^HswmYKTq}v+6esr9 zq%_4jM!Y+W!3gSqG*uOpyOk*xYsF{ZTd6#rc&A+90kxN3NpcS)H{p?A5h$@wXMGP< z*U_8~;VSkvZkpq7vp>M0!=Wpr8~fBOOHQzzhPz2*benE!2eMJ^MW${@1y#^Wn@F*>1zk zJkNUWb>F|XQg=<#lD>+#bE)h#2tI5>Z+wbYjnDZwSHWPxJ9cW6MLJHLZ?h)S9dDsl zbiF={r`_*k*vdU~PbCx&0uWl+0YFBzu35<4rKAl4of|h6d?v3EX@~RScuysGa zlv}J*+;C>itWDf=gEl8+>?IFOO&>d#eqUj0<9lvzp+9_mt2@0ochc_N>$$pWLMeOD1|_rTO|FlyJ0hGYqSNU;&ey6q@&Q;eNwk!_WfyO{nIm4ugn;uf}6;a@~V z9E*p~WtooctPxargsSKG`9LlfE2na+wgA^&voSuK;}pt6>#$vSyi)lK_OCTPpVjO+ zB*kIphgG(TFzd4!ue>fdPCXdde2%r03nWc$HjTFq+3|oU4#mOy1~1kL|5@xl-(TH) zXhdsbZyk#>IQje-rnlLRW%4gJ0)RX^@iv#mue|GyO@7p)2dqsyetBh+D@-4Kv#}ie z6MD{~9nfun0FDoTaJ|IvA+wxSx|}9^wliJW{cIqFIy2K=8)79Ii5Vt5%3P3OhKrJEb?}?(wxr zlKkl56jyeXq_nRG7tcdCVX6?XSTLTV*58x~fUNw6KPb^Rxrbs>bEq$092EcR3g{;XYqUk02LIEmgeSD zvu>(?;EOskuh(T!jbLTxprC?EcwfIDCBr2%xep(|vdi;=1*3bey7w_WKX%rKK4`2E z*Tw{Gr1B0oJldtMBtQ^rzd&;!!B+amqWtHd8B2j^&=(&Vs=9KB`Dsj78&_$OS`_pL zQh=j-0GLqDk5(0pp=DCN`8z8*dkuz9%y|0_3A-I+F5GY$lR|Gow7c4Z?R+rP3v^*M3F+-8CsQGzXm!!0Wn{fS{|H20Rdn1?Bzd*HhgnH zQ5X=Oj-XvG3uVA7ci(Y*Liug~AIo?hP%*I>=ILR&%tQA^jdUWaDQ)$01tSWqcek(m z{@#5&EWuzRda)DG)bX+LZ*I_} zPbTSZ*}O=sF-p-lYou3!x_IT{h}@hiH+*4|h()f7Wz1(WK?Fapht)NUcVK4DN*b_UwoQNKg(iHZVb{*opWm4jCsI&dkNa{|KbUetMqAnTC z^4dVW(24uRN}{(o_x2!g*=;5n*HfBa)`sBddC9&QX^)YYN$5xY&iE$jp z>p13shbE=D99`tAXiKT}qpE(Ts~aL)?~`BVF>x;BtXvEN7?D=zr%F!F%@RKq=y`!9 z=-IGp*)p?P2cFzihjIfS7Pg8!SgKy!x{d`-4=_WIsVyOjcN$1Ms1 zl1z$tlPe9QNhMe&Tlc%&@wr} z%D$E3_x85Lk+Yj3OlS$o`-z@Ix97H0V9Bpd7cc!b$F%9*Z?Zf=n!^n|+HR?_ zkE_L!;9kVl+WS186qMbjY1(B_b;Ne~Qw*ui&6SZA&my+SI%hGnKnEOJ{(gb;Z4~se z{iicl{j;$D_+LuMvFuIv4x8XzBp?>CPvuF7&wC}7z89TwY@SAMFMU@D_N=+ze#^rD zg3P0f+KXCWT|agO#A7$w1~{|8m1p}6f>J2-;Ky5XuKpwApjM@PRfgAet90Xl3x>qJ_7(Z*C-m{QvDMl+3JTq)5YW z0XHgn7pMd3rv|pWgQ<1>wS$N)EcBR*|Cl4TIB-50cNz=0k^wx`sJ3H`x%2s5ze|1T=u;~IGYtMh$`KNycA1&5)au#)_;A|E|^ z<&nWDTKRaVl+7*78E~K96Y@aqUQ9m&sVVQq|Ni^d%gEr&bIy|UOHt`jk_$b4pGiL^ zPndM)Z~VaY&;O5~DcAq&jmE!|_&k-A|BwG-+W)xvUo<4&{z*Z=f0G7I{r~?TR(Sj$ zed#6B_k*`+D(_8nXvd95W-~Og+vd|A-&98!ZAhE7j5oIq8V#E~W}>#|*RCOGM0@Ue zAous|uY-QK9-}eFVk%1|Pr&q7LHJY~KJ`}xK82MrBR3aecHDUvR`@5CZ>7a{{PIiV zVcrtVtG7PettLA}-}AFm>vH``8Ch9v?c8!Pb8|n|TupmpwVxx_6|9R+WiDtxDd9!; zxwUsm_-9@<`-FU$uqR0k!*a@8P9T%%FaDi>KUI2UCV78o6(NNkLcVdb+ITd4b{xRC zTMY&)DWSm$T^}pk8a&>mY-`;zKEhHF8B^!^6#RomF! zIv#}cJk~wIIaJ4{3TD+-!=@%m=RHferQ?-n(k-#S)Pqd{HNl}2o}Bu^D%{@Bb~jMU z+65ls;qIxjz9R}83;3MMF^|G|scD{T)yZ6iQF{8f!_VSke<^ee)|KHVUb}HG4vp(w z^g|{5LF?5mz@h^{D`GFZlYQZRjR=qv^9(*^vMEI^xJOy-6NlCe!AtTt3(-RBw)xhH zZ9Ne)??n46j{{s1twwI`TO$qh0u-Y!4PK1}d9EKO|JOVI^;shJ|E1V5c(wZGk!9~s zoSnso+2t(AF8skyb8>Vhv^%)lrjsL|#{3>C^y@%}ccq{I`=sdKfu1bO)!=I4p$whE ztA;V?BHHzi>OZ8B2khuF*;!@-Sen*a|S`2r@xe1 zJf;=(%jIp6#lBElQye)b{qZOI)(Q-r4<#+1stLCJX2Tc|2qpb0Zdes4LIOt4)vy;j zgeT$7J*x^3Qu1kDb{y3`t3yu7igWSvLMPs4{VKpYjcM>rH#Ggt4XXcIcHW0RVr=yt zM1#IeP_V-}2-EkqUw5xa zT_44=`qE4Ao;#W+!!44I(rJ6l@Gt?7V2(bJB>gY#;Ub8|Zrjf2Q2=aW7UIst8Js{KpDI$_vm6j#uAxR~oF4Vy}!IsnSD}F9`{r6^< zu@8?)j0GzQ3qC*;WQB;yPgjng7v3wkHv-f)@EmiJTE{s4ObxZHo&Ycx4yD2A^3uG* z-vJU_?WdSLj9Q!*iq)a$U{+y%6}h3ZymQGxNLKt>qpu4FG5IDr!de6EJn}PQJIfKW z()E!jqaePKtG)La(5iL~J3c%Rr0>?TIs^Y_{*VqOcs+R+Edq}{V|Rvwjf!jC)qvqj z^px`Touq+=bgKd&t8yxV;)txlUt-mUu5qMgJwfHoZ+=$GXgr5UxX2b20woYU`SNA& z4ZBk&FyPf^Sw)2svVXU)TNAkaYCNfc0i(~B?e$l%yP2M1eDIKt#opQs1!g{N0uv>3 z@S!;;(d%pXcGFdxGFro=wpl$Z5-mG3B#^c9C)0blmqe_jb|55aXd6HHC;!Z6rz_n- z(zp!YNy>9hOOmE012MQ`(-MOchsoYG#03vK5!n!MB!1{^)L{z#B5w7&aeG1Co>z|R zDpK2^q~I^kJ6$<0G<##Fu`Y*s?)A<0Mv876L)~=_iA2WJF{s8~`s^<=)A!rVt3AEf zX9_K0!Bs$p9+%m}Mp)n_rMu2LRr-3jsRITnfu2el zQjTcbqVwoQ=j0?&Orcd9xg^8V=ChZWi;Ka9j^ld`P5@IZCbj&{53`ETb zS_Ow2l~;EMC8#;nQ@`M%M`N?%_Ag(l132Log8~3U8{2@wOqWKqo6rvF<8S(pHUO*u z66C7M+y-P7v%;lV7RI4%!#C~?h}vAgm%#gR!^A!{wUzBIzzonAa;%4-=MgHsDYbK~ z309DuMWW6h_W3&^;$US!^5&MjDiOJuZNaB>6EXYtNQFl$1_QXM8(Pj@sA12-9zh{u zxx@!kls-{RT7$)BBXilWoogljq==*AvJkqq+ z>SvD4CW9^34X;bs>^KOteB0qQOg2*6|G>i_&m&50D&cqkg3g1tmbs_Ubtf&VU2!oy z#|sPyC)0i7(s+-m2f<+L_Df!}NO$}A!H2Jr8s%v_$1JmqiJiDZBkatTj6QZ@ajZLA zUgYy>Xa{qjCu(7ql<$qV+1<8%!*}f&V^zEMRvV9BHPvP`F_Po4PY`KKrk|ThS>RiQQKC=rZwIAB z9X^*nN6P8T7hTtoC3FBZMf^cfNxd#Inj7PwIC-hf_5$UyAz0C>-AQD&Fj7oE6JnQ` zmA8Q@CqdLYiiR20B8`17dFWLOsT+D8#^rBTA1m#eOaz#)W9%z#vHb9x9j5dQe|EFK z#ki4(f|bQcW@C#>Us8-zy)1c*ZW3ikjq?@BGpiVxtRCQW0v*@~CTBdN+@EG%!{|JYv&xTv2YQ zG*va=SK#hyUrA!znHBGm0xqjMPv|U3P)PZNrO^(R%Q-bY!LkrkpQ}#QUFDIJ zeEyIo_rbEELVZq|lQ{|#R+S||+U3WGT!l=#%IY@c6=gkZJ#zSg`weMUZc3tQtBf#E$S-?@(K7k<+iy6mrGag6^!)971*VfBleO~p z_ZnZ>Y*JY9k4K;IB(J9l)C($}C!ddF%D^~N&b=z)Cty)v5h%U+*KWll#qHxgPQ)5y6Sc=pqptZSDtpLA`sSg*;LW(k@dI~FdIKM$BEZ&Y zy4u{M@Q?7Dc+(+$FM@jh^eEqbf}za%Gd~$wfYHy^wCL5|b7eG_aS-50m9MQhn;VK9 zztW4|W|J7pqNf|-2Cr(9#gB2)kcBdIex({XWMvk95o>D$$;8P>y>Jq`EFw~?J z((M$Tqkg5kdLOgF<_Cs|bMpjts#=A~7j~SO*k)vPIuz9Z;PHOklFO_9ex|}}q=O|c znO#3KzPs`8Em08D*SYJ;v7(586`%?^%?_}Q#jFIEp~9HszV?UvFFs=)f982~JfOvv z{~J>$eHSIU$J=8uc2N}GlV&y%JC>xR_&&Gfy1tFR_7H1Xb5m6NB&6vA9pgP!<0ESL zkah;QhOwoqx?&vk9URY08L#ab#^5`k@4pSL@j|_PH$ClVYt_(u@b0b!dnH*?oO{`y zdD(K!ZOe@TveY303f7%yPk3&baceV_HH!;66nL6cyc>)E6NJg-eVA;iUZ>Ek&!uRB zxY^PHz{MrUh+14@;1cpx zF+3D$m#$*8bic}*NpGuE1Ke{>KIW{%7lNe;eM{ zY{V~?Pk!_tF~ap>&OUYSS~f(xs{=gL)YORTom2{oW>LJ`qKv~@S}m6}U!5Ay;LT^G zJKr}AzzGXl`~jjJM?%jADmJFHY$X2`C=@Y>abU*yq95h<=2-X$yM60_PM3Vvza*3B z?3JPdIUzwm(LV_|W(oVa&Gp?zZ`*ot?A2Qgko+&Nx^;}3>@9E<&)!nMF+EtOseL3P ztIq1z^0d&QtWe8>2CRdFht(IkxI-}gpN-~TlR*{hpthXLed{r4nrqImwmVq`DJELc z{m}Ek<6A05DqBCCc^)^fmVgIdX~rrL_cEB7BHGg$QCMr)<@mAZEXOX%G2^Bs{qY|~ zlZQS;9e!_=-oQTUSLy7rFlBx%WXuAD5GP5*^|hSf3-UiSs6Vc6>u-MpZfn+jQ`Wz@ zw2vI&mVH(=BS=bg)++Dqdb5^Xy)aRlFVK-J{baUbzFSlCB}cS5=K}eJVwx;~>YdFZWWRMMTX_1*7U*IkGYdo1YD-K8~%QwGz3opg`=(KF$ z(vOQ9GVJ+8WNItAlW$sPXrZEjfb<<<&zG=YIQ9oJO@8sr&{l9rtI?Cj5vkpy7(3B( zzt`*B%2gIZn{bPLG$<&-wZ#CU!wX*#C`VV9sOC=(h%HBkU_m47GkFHt{e{tH zo&1V8j_ZQ$EBlv+K8HRQhNUXn2+C~o(Xud4{R8Ym`TLKh(K$Co^_#l!zrwjTu&X-r zHREc$`niZS*tn;(@z@yoa6sL@js`wy!EKUY70|Dwch&)c5~5!3&1EN0A$hgVp;CwT zn4W*QxUm{4vbQXk5wkv^6y2|xs}kT=UY<4}8e`+J0%XHc1x$gFeL~TWXpQ8`w5fK7 zCz=O=GqmlAW8r68lLl4S>#GW@2rhx zlJJ0Ag9t#;`X7@4CiNzFQyBaQn|1SBrN+&p4+-90Z5smdn4djTO%M1)0$(N?Lri-* zoV-^`VlAHK6hWLJD?0E-TjJuei{t$^lPf>$3Yi>CIyH~?w)m_WR}M`KpVLv&{6@J) zf0>wgc#`Ib?t)1{|Kyk`1hj4ppwg);g_$;8@1re~7Bzff4-v0HV$Fvu$@6tFh{!)k zDNM|H#bDFBMhVDb259L-yMTGh3F;!M<$-UTI5z7Or3Oho2z2odHK$W+^5!qC{r6mC zuw}ZBYmP7;t~2HO=V#dm-i=?qvyF_}s(S+4 zH|>Smin>%8GLKEpe?ot?C)=R zSBM6tJvc{UQzgv_oRF`Kz~uNJM}@%3wd^vGw?7?rvu*sISO2{{J3b907ys&^nVN1q zBF(>a`Dgtk!@?9CwR7SKXdnSbrqOM3&zng}VN$}AHhAPFE=n!OY3%=at^vr=oXx0d2U>D4M=_ zDw-PLX9EpaC%^W_DF_xqE!9m`u$MO%JqO7zK7-sC{Wn|m4Mg54>aQeA4UdQPm7hU; zC5dk_y6S~l0dHDdbnn5R3gN}=6PdNgSFpSO-7K_D%T8B6hKdC3&dwQ^rUR#)E2r+_ z<`z$l{gR9Y{GLDaV%Y%a5-KI$n*ox}C!cpAS?%nHC+lS`-ScP7Afs?i7uH45N9ZBq zi2uY9=~+29^))i7N1ZeB${md`9vro1bax;3AZoW3{G|Uz!wctJ?meafB7E6HGTQ2R z-?F@4i(2Ssg=a7D!JpPw`Y^(p8&(B7s(-*3MCmKfP4XAC8J;^Ru!SHmjglG`EOtJX zaNniE;zo%ux-9(aSdv=4u7#>&Q|2{F^`>QbEy}nVXL(-}dT@za2f-@1WH9{ms*~NS zhyp5db;ZP3S;sxTZgT$n^w&Q-U8S$zU2LwGH{7wQm*|GV`W$YjuRTUX&}eJ}1^^q! zVtL6IFlxzQCApOAcfSXg=d6Bp!;_oaRm?zI_TA$w{j4EfLc~H8k4Ik~L&6j%=S7bX z=$A$lK)xscWuRIRLEr^qy;6xWu`ei(ipfii7 z0(V;Xwtcnmy*;}=7YknJN;JWPL^kftpoa+F@~*8o%>9f~eVZ7JG%+bDlHFGN`uP&H zLHk80BxqP(in*<#Vowu!@s=r>fKg>p@fD}ctMb5Hu89UDZ7}fPe+!Dwyx9>8i^~7) z(+pSqn>ML{TxZ8C5i(MbrS0%<{o~~?Ku)LZBN+KpFG)~9qgIdUmWZn35g_a+HUd3{ zY~daQ_Qv}Yqi8FyW@qoEU!~plwJ(jS;yf3IjB2qM*`;b}d`&Y_usj8xbJqK2)oyI? z;g$F<+=!ptlX(rt?=p_-Iy-AR0v%t~^;C4>DkrlyHyxwZv5C~ufV-h@1A2oVEBUT5 zyqU=%wDIT|`899lqH<^V9|&E$Q-0n)xJ~6}WQ=XD?j+`j8D2W#URs#vwTWg1=Y|iL z=6Trhon*(a`%3#ymw6d~2ha_Q;Wn?aowQU31Ir1Qf|GY;&po2{6Y&={Y?sub9V!{n zRyr!N58j&U&a#adGwebpZ<+HinZDTYv+Z^f*iyc|#O(kRNzFKkr!zO_>3>9q&7N&~ z6Gl%yZ(3Iy?sLw7V7p&7gl&Iy1Wy9=4E0^Rfb1;LO9C?l(Cu1w+}<+z@J`L9Kf_h7 ziZVBL_hOhzHGV-7~r(y&I|lRATrgFcrpqT5^ZR zDn>TX!{D=W$T4Z8La!ll$$l@XaXbcHAd)%H877(6EI1uQUg zUz04!n{m;=Cpox1EB|TjNhg%Pqy|##jAWCH6Fnrw9s0bPx2quPSM9ztL|NhM;q~=n zg7FM5g?|H8EBd5L&2z4r0dWq_?HZkulbjs;cwBz|P){$t zmMr7Fk41aFs4ZXB0WE~DJ%D{~+C;jvXM6Iym4n*@@!*^*i+@n`yu>iur{2k7bWz9Q z$v>}miW4~zcd-Sr(oEQvs|iKyrC(I@AgVf%H>ct2nmNZI0cJIHTF9eO930piIo_$y zm{YTy#cZU_dxEZpH=|5x&cN3l@GjDrglo#AjfKWxG7%|&a&u3+!SD*}&&^%gPLtx% zPFXy2GQ%V}TQOr6E1(26M{=d)*(&;9T6oeDj-6M1coyB~Y|Pwdga6g3f*LrGWe9>` zYUs2WAKIXUqb+FEawV^>3SejEfj;wWXt)AsxO~l6EpE>FsU&%E`iuYkbT%eG_sc4g z=-*yH{}eDsjdT)qnNln*XGV9m&XGG8T;*oykEbySJXNZQ!;WV|xkFB<;>4!@UAAHlyB)^$Jf` zGIoJBQO$Ut*u^?Rg3ejU;S>fcUwhyH zrinV*j4EjIJR6eH3@jeJjj?RdRPZ{1`YE}rNC6SKBIBPvK=2$-h2Kbk;ddmjvdf8X zs(UnZb9AypZsKLjK4=-tht*O3QDE1btkK(;5vB%Rk$FVRPwTL63W*z8Z_!6)5W^D# zO#-z;)+pVGyZXTXP{!_YWkA*&XzA1f=Kr*Wf(vVuIj-oAwi0@U`SQ(cRm4*<@ zo5fvIM`};I2e#X9Omo$?!SCv(nh6LI>W<-zQ1m)z=^Y9hgoyx*8c2YCk-1=Eb-z5n zb4z^IJ>T3-hfQzURHx^2G{zcQCJ<=OGkl_SQxf+9)aqf%7Qk;Hnj}Y3fP`X%IXCt~ zpNu_Zx`>ZB+F;~X7|SM_wxI-Pzcs;rX8Ka#kOg-29h|~)^RMiMw3Uo!m-nIU*L*3u zT@vO=^oP3mdnh2M;76k@9J)KUX3g*_4IWu8^{veD*a+;y%h=Tx9!Z2tbcgH>?xG z?uVwREZC|BMtGb9Bkte7mc*AZ>p83Q(42NTp$yfoz927*A#q0NHF(vN;Hf@o*7XtK z@yp##7-&vrjvsBZE9bSWo93E`=xqIbBs3Zj&k5>#Y%35q_O5u%w+U7xy{@;!xlgRQ zC&r%J`MocF|7Gr52WM2UxO~H6DIoUw4ILewdbI4&!il{Z6cLDtD-%J|5Y~%f;F&23 z8CKnVxj`pGLnv3lpHji|Ng>M;En)!X6)P*J1a?h6#lQ<7sKn#`e~&(MWdG8OwEkR! zu!dRM2hM!mr*TC@N&OZYIii)FVs8R24TS@5psf-7KMV{oZOwh+^`nv1VAVVh+YGX^37CXBf! zt?{Dduhz%i2Gi2r_Nk-R^^=Ts-sv-s<6xmTYB_XhWdc#>4z2q*LF8&JnXa4u@cmul zl}#|})%YCy(fPXY4BHoY9Dz@tw8ch#O@Mw*3Cf}$0GM_%0;lV8MZ?GEX`@RB9ce3x zy>x?_^l_q0Ma#9qHW!h`t&XGb+jopxcL|;U{Fy(p*7&JacBqAg-wD1Kqzt-?!#w?<3#bu*uZ63dXUB8z|3Fs1&skc;Cl=R zcz-&Kra08CQ$4?!I5Th!XEhn42?4$@6yW`wTo2C{wP=?G@`Rjhu>xR`bMr|Omyk2s zy^*ttfQh4Fl>#lilurLZEV^BUeT3Gxo8=*^LPu+Isrd}{J&No56y=Z>L|Ga6#id)3 zzt0n&O&Dzg)lodU98+JMHmhhLHx4j6P4eHXEhBJRDvI~O?#T{gx20#>GLPUEF%0~N#r5qKTNT^M7r>KmgjgG%QC;k(Zb7h7ppfl+CK7dq_LH>BO zA}DVRoN-VtFCHhFR%9I{px;J503pTiz_y&cy(NChvSrJjB{fpN)G*{1U*C>>AOYjR zIj_SBL@J18l86xX5LmAUpb@bdacZ3Y3zNCdak+)OZlje=&cmZ$XC|W`7>c7^_@T-? z>D9P94WE%DfnYaGC%k%W8PJb>4p5QEqg0~=?AThMin(VRQe?L^rVl-lrv5Q;AC{zi zXCJj}Y$t15ok(dxZPx4fc>li872DYlX)~pq=v`J?TCENimF3{K?1Tj6E_|Hp(%auS z?}Z^&w9Zy9EyXPMqHpBA4atb1kpMx%dlCon1@1h&wR$-7^Jj&`TQhFbqK{Ht-bGAg zJ$)zsFoMx!n@fTLWa!|lAjWi`^MY8sK}tjW>I2|kZGTps^{J;nRb z;xI3Kg1IZ``?*^`6@EL{`ccMiFVl{WHA zuq@tmS6t)zAEZ;=G_K;uH=OpTcj*5bA@zS48T9vLH0>>a{P_Q?=zd&@zyADxS33B| z^qz^NtW1~St$fC5fDrXVevZYR(F_ z^skTn{fAS3hb$>2Bp62%$xkShKZflx|9%hr?_sTJLSZEh!tk3eglO=Ox)Z>!<~!dWClm4X{3nTx=*4w!Ed{(f1%*u| zLQVh8SEmV9i6}0j;wQIWzDQCw}_xB|qDq`>OM|uvtl?S}>8%dC8?88B#g24rx;VQ;H?A@9&6R{vGHS zVU;ax@(l-uc8_FR%*lmy?+U^N{`I;#O)9HWWUMgBvXzd2Ur!&_W-k6=XySRD|2=YZ z@gDslWmuC#Q0e#S&8a1%@PfVBRhtaA+!HU?8itJ0?sz@UrK3im`4wuq6sX_Vh^_E? zF5cg#8soMgt{dO)1BLkB*p?P#i~6pzLT^BFo``U(X*7K^3}amrAq}#xi;c~iY%=n6 z5q9&D4tH2I_LJfI^{kPnFy4X!&*xNtPQ-SXz=2QhwkS=HsJJlmbD9@q(w!SDZTK0u z!_qU|#NHscw-Lg_D0gt3DigpAQZn0a}*YYx5fn8*xGBKk^Vo$C{U z1IU7nmL@l`0XPPxZ^z!@u3FbH$m%|R0}3!%nhj<`Vn z*`Sg~e?3oPI~jJuy8ID59c{S^6w*^kbA3nTY}X_udi>N~FLX26fnLfcS z@+Nfy-`G_Z47g=slgEC<48Rpk^dTyb`nyS%m<7OIZ6i#J?cCK^Py`)oarCx*Qx;+! zXc_Cwicw%?hTaRR>e5_4EXdL=D6q}n5dAT^u3e~tDudY=I;G^6F|eFO1{=n@Gm-d` z&KPa4r<>3ng8wE#gsMHi^{L6!fnQjhv36QY9P(O7V9{*%ug5`o>{kq0_2DO+`m5Ka z=OQa^9CinS+mn-VI{+EY&qzX7vF%RcNc}xH1hp_x>L4(}a9fh=uI_f*upscE;G0`h zbIZr=6Bd8^l$1Ns`8;2t(IBtT^yX;RWHWS_(IZF~At5cwvr|5P%TS6RSnc&4(jD0y zzDcjFwM40S_jit~b)1fVK|i~>3X}hw)JcrA0H#Jr<61^I`TRc|KN6 zX_Bplb;KcsC?M4hE&Ly@r2wXq*a`7=H6%ncaQ@RVKnTQK8xZjFF@zlurHPrWxgPgj z#3yw&Hp!|-J>a$|Zon}DiwZa)qsO3vTlBl`c+Rp3QN#PI_B*VgEc{tOQM_=YaI7rC zbR@gm$8F0!Bd74?7wHhV-MJgjEB4||3<>sXAA@1gXMU(X5YeN!kz@pi1ZE&J)Qw+z z4GA|Y=6knLY)fnu<-=VJ*EF!bM6easq5|>S$;`1ULLr4^6kQ;sm>|N_8w~P9qB*-~ zI$c`WexA`?G4ZfIyz>nP=ZEQMW2h1my19ZwfZk?|sB2t$fbct_i~T-(DyK&!p?#E3 zcQVvmdpOZ5LDrxp($x!Ah}hBgivhldcyvHst=7uVsy(sOxy_rk?OzY3gxCZfyk&>Ex`hd;1HkasWAxonl060a+)L8IkW&Clm#jbglb2h&w5N(u4y=L) zr?SB)*6(FRavr}p{RG16TD|nB=6YtR+M0uaah|6XZT^=G4x-Pw^{y~z){pnfwCA}H znN>3uf*&QM)Z@$YP>@gODlcW~C?5KdWz31IJYznf-a*q>@$_#-@dNJSHv)(JZBgth zyJ{VQT;DvA^;3}y3{f7)Ab3psIk5(6JAb98kR*=zC*>W30ipIephP&{Rt_(N6&R_6xkITYeQ^`95Wr+6ir9HEOIIRD+m&7R`s00m926XjEtt$! z+j#)jC1STo;ub><%9+!%<$IJGcD5%-ABdnfyOe&+m)s&2sC=rqp6CHVWOQd;wq%|t zJ=Y)aQflhC4YJCxwFjFoxdSwc!7np(U^*{j`cFn{1U#S}0n`m$W8-EL-Pc z(S;IdfeTOI0iiMnyH1F&Oqf74RvbQ13Pd~>2u&I%yG(aRV5`_i*GwGo{76okdrf0- z#47Y@l))8;!0<;F8G?CoQ#z;t1M|0Fhs5;o^EM1Plz5F~=kVOEJ;#3|cq6Ymc_*iL| zFIf&0<3p0@$F8rOsVK2ssP6t1#At$Pyi}z1G%YPeNI3z4n>%M1IqBpq)AIg67;t-l zA;lTPsku;L4mAiL`6h(d=iZf9M7lL8!X^kgYzJsT_8ug~ZAhri0(J z$aJS%^I7NBSLC&1@swpyH>qP3AlA|2>sv^)qTdh@;y*WcjrJr=kZ<8>aFrlyc4axp zfds5&RN=^e=!KoJ)-;ENzCoZ!OI5HjrT3rwwAz8yvSU2ejf7%)(EA@gfH@MNn(M4z z6`?GeAD>lmm*0O3H)G7*kdV?Ma&H?l_LOg6xvt&RO^b2p!yRO7S9Ftcf&;pHmqMtc zOqV_G<4(8c-%Pi_c`z9ASFYCg^>r`!yDPWgbvQN|kXg}Z>93T9Ltg*@$0Zm!YmO_8 zyf7Wtx;feivHUJM(#~$t!ru^yX(X}554ZDlmLSlAb!wpio$p*E1GxdpUPh+|WSd=f zpqux;K~4ezeo<}i{SKWP&XMpnL$Dn3f%MUg%h9EXe6wo|B1IBCQ}i54nR)8^jfL*+ zvqPs+0D;@AvILBOYlb#u{_ozzQ4^@%ajIUpiMRcywuJQ zoz1*n**8=EkifS~W~QYByz*~w`{j2wZ`W$}{x2$?g@=0=QCD@`;of^=Ip=&L8X?iQ zy^&zUOa)oqYrAp=m+_M`Gk_Qj8Dev8=W<^j5ay)qfYo36whZd$yR$v%=SS zIUZb5)@E#@M@wJig^xON!VB0P90H}-pgmP8YoqS%-eMToLiZLjXP2DioE-55OFDW?aEW%20eQsPR# zbkktAq!XPJf{zK=BkP1Y-q6VC_;2y$ETMl@5`*jCD#_RzY<46`VTvdRqlhkGr;x&G zUQjaKU%YLBfDS%ih!q=3?2X?PQ1PtD$VhT6Af(hvWgiBTxvBvQHRM@l*$UT(+x5Aa zW(3(*j=qT5(|EXGe>jB!?+`ba_(^}c9Enz$+0GBRe?oO$6NZ};NL#M-*%}nTbO{1-JORdOuJ;dg8MHZF!gT#$RZDB zP0Ng08t+S|i8Odg|M4=g_@hTxcMM89elxS1ycdVfRLZ1)RYLOPQ6``k5)_kbH*yq@q{%2r)B(!CRu9N=%%6L%HevX(VKIOX8#4gyCmMJ-NRkCyk1nSW_04)pPZ0ulSzq5*YbS(>UEX95`L#nn z^OUa{UU`@jc1eDDPmrAx=_g4TL2WW2{L4M%0Vfm-h|761CMptB@?rjRz}Sd00}dfe z?<6stgvf9*A!d&s#Q`Cw{c<-+Me`i-cyHe2xoCBK6$GX+$o)md_yD92UDjA^O*C~mWB@|A=JOe=5VnvL?jt~vS)Mnx{eI?W zPhNN?PMi{)sBd*=AgIjOkwUS~N}sZ**p-zD*u0p>CB81PO-#Pc(`uT!G&g}QuZsyaGQIp*E)_~tx! zYc~g6TuLw%QoC48N7~j%q(l54h5lf}yo3J+(%rwEcr^Fof>Zm}%^XuQ(by@K?jrZ~ zE5eH042@A+iIyEG!Xr3+Su6X7plT4{yG-~y+{R(V(-7MvZEU{g7#1CP)-kJcwB>-O zdQgLvd3Z?-0MOT7R)kKM8_2HZTkpp;zFm^5;L;oCLCW$N(oIIjDjYE1k)g`SAiuI* zo@(bHWR9kDrUDg<+_!z$aZ6cy4BYvoS>!jTn*J#+XG=`_{;dyylq#@mJTjB61*5DF z+kUYRvkJ&t*>3Wxys>L2<6Sa|YQYpQW|a1UHW5PW>geo#YrJJ)?@Kd0O2lnJOcM=s zn0a_(jabQ>zd3tJc!5iwDaM3#vlY`p^YDB8{OeDZP|>JnehYaR%6^YVR_^A@w=M47 zw9K9o3~%TkrWW$o`C1ggaXtE^3(Zv6CJcO33S2}>iPE3DgRDT=f zhb!STvH%%3hv{QEB~B*ijJh01iUN*J3z1G|o?SIHbKH{t?g!`0S)B>QQ+ua##Ii;0 z{z+?=dO0S2(;smA7*WVoM+DH^v9+x4q6qMAPQ*9(>*otCLU0Dg0cs3Q;>{ycoM}(tmAlpbHLW9msOLsmCkD||_ znkiKUI_%4$dTkId6z!qJM^rLqGEuHvx5PDPE4I2$rE|Mt?DnvBdj?F`v4ZN0_a?qk z?a{GXWzGXo4#+ksvXx$Y`a3pK!3v9TLOnk^viy?3k>u?Y45`(N%ELo7Ssl}UR!(jo zJ2SFP_GZqQHsRjtN=usx=}r+~I$ z^!Ay5L*M{$uU?abUX?_}doZrj91UNk%7Dgpgwb%sQ_Iwsfhq;lwl&iVvZDv$!oVYH+6IkEhB7$Zb%Yt#`M(n{wz=0KX6khaHP6202wg*r3h?zpcA z_5>tNo8;G6%=h~p+_0LX^`F(3U_6Me=zp6@-B@LV$zQ5X@F< zz+Uc&fEtT$9b#%jOqx*3 zTTJ9;fw@<<8O^=2GWffYgyabX+2qn36897y2w`m`jxT>ZviKz%uSteemUy=Byg#FK zP8=AiS521>?Zuqd&*q2=?$(P6S!OfJo1Xv&GbHxJ-#nAmLJB?)#|EYFA1@`ZZ<|lX zn-ImxC&kYJD=og8cD^a?_=hXk%7l%xK6a^mBQJrpzV=_S~WMw72#aXt`0%TiI$qzEoFh!u@@f2F47XY z6+#H&mlmQ;d=He5G$zs>HT_rTN+;P5f5hDv-6z-xR5T=5i2x9DLy13pnGvy%NUf)H zADkG&s4^@N`gyCtn})BbG@qnDzqylQh&Rwe1M1uUD+WV+B9d(3x2KKbo7d|=GPeBF ze#IWzFt~ozT0Y!+G3Wjf8RtgrJWgoMHYg~US0|7ChLm&^dZ}%+MO3yS5FhVKwX%Mq zx-XZIKrd$(3d8C03v7y;b(a0r7Z~MendYH86E_o^B~e>EkgJ@_r$2dcCEvE08E1jq zA+-8(Bh<{fo{NadNikSvKL{No#%2}4@XuxP12!AyFLm$nPx3Bg&u8p=YVzl5Ci6e4ltv_9T3~ zUvM#mlbo;(8^2u=|Hk_%Nn`E&WBMD5<*J9=qf5#JS{Py6B)2L+>Il-gNWKam%l$D- zdqzpzc%l$L8jDVexNvQq{~cZ-(fVz45?7|5Ql9w)Z5O)v0-iAd{VzAN=fi|BD8 zsg6;aGD(i>KbO+rvxvQNZoiL?l;PvK^x;gn1wWSL)iZlX^sj6KrQ{MGL$&e{+) zIA%e(f|l&UDKAN8-awSK07oA8b}BB+>Rn#sO@k2fE+n-bP$S z5|Yo&E+6&IOmBVGd>>+QXi{&DHFzhaLV`PpSvlw+=?Cp zv3Hl$fm_%~;k;`SxPc9kAT()~Te*g#G-ul_x@)q=hIRVlD}{AENSXAs(bt$UIVW!7 z>?Gy}9NGw*x7$+^pvusAAh$iff8iCtGMf)P0j@+OK4iNlhMBp1*pHb|@QrcuP*|g% z33g3IbdMe;iLV}c#>iAT(`f4C_6UgumwKa60Y(J&ndS0;-e#jti{%bNr z+Q<)?%QSm|nxs*AK4|4$pTB0L{QEgHI%m35`npbGFaG5u%m^bV0Og5J~NX z+R>Bd2O$^`89y_+vU2XxT=V=d&l~`tm9G)fg?B=-s6wi7QzKkdW`UDKv?NXM(S$_HxPSf%$A1>+@461zr~PP{O& zF0ia19YP0s;F--wxRlCCCAHI7ufAW>bM;;C!0PR10*bItoazq>9dxp(6jm0+(}uL- z^b#c9z|m@T2a`Oa6jJKkn~%FLxb(#-Y}ZFT8RTdRL`ipJtqU=9k>om7$Z3wD+j@Mg zr#Iit=kzPG4WisMk7x{wY8ChFRjO*W#}2Ey2b@A=qtGi?L7>j=!j6-RcI&|#^!TU~ zUtIqmw(gSy8?XlfZ%sX2DTm;QmUfOw{*r$WB`cOpi5u5fcWS#%>;o2SfPb{BWXRoWozbfEr`5W3mn zw)SS{+^AC#`&kSuifSvW6cDj0YV&1+Gy^jcMVOUs^hquUbn@j4tuFf&>3}5GQC<@O*{dMs!TdS2CVF zy-!WY{3Se)HiL^orkBXozkWPRIK}*9%Lmg8!UE3*x(NjC;h$)&lh;ha*)p6D6WHah zr+6$W8fpt&z!Iik+)ZEm;9@<_9$}0<$(2XU&0I>~w#$VNxy2G$mlGrI9N}@FWi-OF ztN+c^*Dfx)ahX;{sfz!W{wT~ecW5sY9EEPLS(mM{* zscDpUp{1SWBzt^!ae3IJeL=$ye;9uw;zqQZhlP8ARDjH*vv$BqXHMCwZ6tum1J@I7mLBYkZEV>w>J_IP^ww#BQ>{lx}-LV67&`!J=Sc zsa}D&tzftAiE?^OLSVv^>~&P!K>0a(x!B8D=eP=<^g)tBB(k-;g5lxJUBq)C{~A1k zQ5(FHs~Ncm(JL2mZr)~hg>B1Ihyxf-rb1fE(Oc-iYS9sL)1YZkA@mtqufZsds=&AD zF0=M6x*XQ%=3hy2cPQ>XpS(E;!_xeA_=5H~?$f1lMaE{*n;WCDl0ebaflWSw!oXQT*QAkSP-fLM!`FaA z!Sv8Lk<1amM(E%LzXwvqxfhhmhr6w6%;zK19wh|i6-csLV&mjyTzj&hE5b4te}NXQ zDav$c!+lE?P~dAVecTk2U{WE%<3{oO+o#R|k-lqHiOpXjDX4jG7kzV1gN-ckE*vhB zO>J3amAoCNtZdJV#9$%OnuC+1{1{vDk&1X0f5PaST)s9HcZHmCB()6#9HhWfCc@)k zlZ?qX*3w>TBxzS6^@jl4_6w2fj%}4|oU~f}y?pHbV=5Z1^%v>BlFh#M&ra>*w1JAB znbGFXl ze-H%(Zp#;RjV2$FCdJ8MXkGl+;b8E|89_!3?Lyrth}Ja34%iY9i(6W|3%7`5BpnWO zvW(7_kM`bZvsQCx`PLf54ZBZNI^q}VBznH=EyeV7YpF!{=WEBK_}Q)?oQvce5y3D6 z2e6GOOnjDvg`rX?ReF8rV8E=6n1!Y3#y2{*@bZTbB7E83O_w#W)MhOiS+s9>?xLDE zeG50(hr;=Q_{cRhg4&$Zp$(Yzg{++Tejn?3^#sRgz3k!# zx=WBg`QD8CWN1N%`zha1m~6yw>Q~El=aI<#?aqoeAOW>t$S!}Dj?@OZJmD;!$gJ`@ zw4lh?U~LMw0g~o7)PooocE}0>?cneZUo)&|!GHl{GP;xS#Vz%G@t<{9qd%gFDyuC8EHU2V1zJ-6aN=;Umi$h`o7&{OOZ)Q8zrPH$xKp2A!V0JoGgXN zv9(cA8Z9bYi^#6Ba|jbjDB{?cRF=a*mSa17uLm{LO!NEu=MTy9p7%WO^W4jIUH5%g zqtVmzB>!d)#`Iz`7wB^ZG7HaRnV7h4CE#arD==#XOj{YL79}zs`xG}1l@bW_y@wYf zTLUTg^oft$v6&ty)Yd|?H`6q5**XL|s-ctC*=ul5sAt)3Sk2&EeF|M?waC-MenAJh zJ9dq(8NjnJ+fV$wsjxXj{zAVjx6AaK+b_^B!m4Z9Bu~m!;EHpf1wlPZbZ7nPuX1Th zAOQz$1v!(0!OdNJhO)d}O)f0=JI2*iAR%Rjbm~I44*S^0N&1~gcv#9Wnl~K8J>(8J z*gNQToZ_ytY3!5x%Fxn7tTmX%6QJPF22?}PIPcvFgD$i!5r0FVJ%Z}SSDuZr+F0MXfNxn$=lC!+ z>@N3*g}kA5DD%|<(1`9^-2>ad5wARNzZIgh3lP5}%W~WiPkX#lm|L6sBBJ?M{a=j| zQ0aqVPGr%Ql1nblUbz%N_lH|^8QlD5o^-!^mNfgOQej_KQP5SN%m}0Ea?O8dy#{IZ ztQLpXY^5jyZa}3Gfe~_sg8fVa=Yj-STT}bq6xLUHg_64CTs3}uax3QPO~^h}4VNhpNGQba|dacO0}$ZL)%Hj1Q7@X!}dDc=ypjHHv=yFR(hAyELv zmbU|0BFuBL`v@)qa-U#5r5rI&Np1Z)w4bWF0jMlqeRGa$O|{;Z9(j8^XM*pPlYZU1 zD*e#&t~St(`m*nQqbs*SyWFn7l?XZ9KfCIC-(%*{RGh0dDJTplLy};gIWH$CKXPLjg*)5n@bTsh9G}bMoH&pQ$8J08tabW@;eYt7{YQ&n(F^Gz3fmMkf z43zJOSnkF0qpv>-$W7@~CpxV8!FVpW(W9x}bZedC^ZM(>=Gq*By9HE%%Mk?(z)~nQ zNU2;e3hT*eAjg&$g%i^hAkE>b%n(c-GaRoE+Su|8Gf zp|AB=k!+=d7%hX~QMyx@4#&o%q42>^yEb&8jw-$E*q z>QjU+%W3svE-%G>2_gBEhK)R~F;ERUF{5?Hb9DN1$A;KAdZ}=JQ64mr8FV)9BGF9y-DGPvbVVW)JG48T`~= z@&W4zbcqXuyXDEE>aC7lIFInVAMDX}Bx3}<&h6qy9W|z^XF+UVLNreBZHh)0hE0oD zzhRT4HVz2~)7{(}Rp3gc*IRyTcB7xpp*gt?#I+{a4gG2Q)AtCQqqXA@I*hK_wk<-v zPaf^aBDU+tq9?^HPN6vmk<0WdeU$4XOd8r`^*)$(1{~MUs_Vc*ddWQ3u2>$HAq1DIwAf%a*5fy>*U*aEt%NckC&0=DpuCq9nSn~m|45gHj|861ze(6 zfIvhpW+4f6oD6^{LslcA0`<7@hT_02n@;ADVBVx!dJ1Pe%AiR@t=o?u$tv7L*J^Kj zXv$d;R;=R8pmI43qayNM+^X(5X_y|gEZ_}J$ZFT|MdYnn#*{{o8#zxfn#I9~sy8~D zRcAS42-Tt|(5GOM+$McfAP&dC`P^hNQe}rAoAhO1pu=ZohdmKqp+$cwM4QX4Wy9}i zhRL1(9bn9@KuJSn(L>JGof|8j^{s+`iM*o_Az16;iK<1Fyz9~tOdHy%*kEM9FnFRE zge*Ut6$~pvMu~;(bF*4680c&o+eT)DLO*^OtK$(ui?NLrA*Ttwv!HeBnCu{!`B0Q; zTS{DH!eAK=)(ayr3XhR5vN*1hW_>6Z)roLmxVVuwb{q{nZwKDydO@yDot z<^Le5VM<1MBCsg~4n71`aPULpiKIbJIJ0xo3Qd`RIZ6BpmZ`rjvu84v+VOOv97BKF z_%MOh5Z{!|S=)LI%ffhA0A(rZk_rK9s=VhKFf$SYUq&!I=^gj<*&hW|ZH*dh6)jnZ z3&L--*JDi1PMqW13s1n2d&%#}Cr$TI%^5+&D}!jqp(q#ERyc_eqMmt&#?-^pI}qky z`-<6y^fhU-S8^_f6(Iv1i|PSClHL_tgHUuKP>mK-Q4BO`w7PU9#c+10>O3QNU+M~_ zIFCIKmQG1Vg0sBKwgNsG?c0_wvfs|=O;QsdwkJ(rm_8SNN%qEmgUpN+z!+E0oy*k1 zahBVbi(L}wN``{%Jma=Zl{)-JW>!%uU~WdmP7^c`y&=GY4=nFyCD3RxI{Gq7t^s)` zknfo_U+V8YHg9WlG-W%a(y1d~tv!VoC5e!6xI{%n#U;i|<>V7`ssk97fiyYp^OZ3o z^stP?eEMC_kK3OnF|@2NoC*{=bguVH&FLWZqBH1fp*P$fevXH9DWfP9$&)U4C6^kW z>}_Rz^CB-Bnm9FmGkzH<1}2z&Yx1dHoEQuM-+~7~I#~88&-EpN8d|Y2$^$m82JjXp&v49N|R>1jho0^5%= zW5czv(xf>jgN<$HRJ#%GZ@kaVI7DOHGZgZtji9d2HIWsF|-Q31#a~)$Vxg8 zd}o%|e{USV{dC;eV$bMmtE;+yx~E5aJQp8n%Wa9aA+)CcjG##|AnyIpL1C zaB&bCyl7JZZHEATrn5%egnoZdVQ}C9KyUrEvhaE*v|LR1@`OvEV2sSr z+ja-6h5T?onvEn*L%cre5N0^Pi^qj#D!6J$>3L(6mfVTaiV$=fBcnw6@{$*Cmzv#Y zW2Wp`=|?)1&a8o)y|+powgMKEXR1DQKNs%TgONCa3zC_0D1+Y8ANpacON#>p0zfIaiodK$;?O<~vbB|r;V&rs=yMzu|2ZPwfk9Qd~*{6~IGtD{B>9j&6rp`d= zZto4B-{YFazuAr{;&;DwoK6NBULOnt5`fhch;vEt5JlKSdRJZ=?wYhK`oB)FGP5=z z5H}q1)46sGhPx^<6)Ah~fmRE&(mheGGfwLe)iMd^ZHGzY66lUE^2^Y)QmZ->PZ8gs<L6=oWEMdf zeGp-i(|RAD%r_*XD#chcDwi8C#-fqf7OZddF{1e(9T@8~^wAsyTn02OKsIUQ1O#xp}S9eH|p3O$qF2mOn9rw0Tw~tz0jf zr+@=CxuyiPhZJ?dLC%gJOP}d!iEN{1>yx>*y`*Y>2t^oAQAJ1%$M5U`Z<%>vlEQ;i2F0Q+9EJNf|mno6JB%b7#`gO1dZ?s8XB?Y45^F@uKqOYX$(S`XrZ(nw6t#3yGuR$Rwc z);`=kT<_*mUBg;Bbjn!bUWK`@vG(+}LUWg0zy9#`p@k|3wn$Ye`q^CHcKvw4)7*d$ zn?tkjJjr{XA)V^27Z|?g>htccmwj95kJoS6(VBPuUH6RRIUW*)Cz%Nq^(kXr?Q+9a z^wF6op_Iwfec@4@5X(S)b|<6iI@O0hxg$AePYgV`@UFJhbk4c%y!wpW)HC{b-rYGr zayYfA|F;c?4UafQCqx@WTXsZ5&5>1)DvQu5DCf>saJn3KsMn&>DaX2?{duL

!=@ z{boClct=c;J%awXHzg!)1>LdW5UR?sO-k&niT?AVW2y7AgOO_!t-JZ64v0H6y0IkG zeZ=%IvEb^}ErptgwJkZuWDca!`)sweLK3akmP%0eTr=5k#fYzTN}r{p;+Gw{(czts z*n%Zq_^CvV4sI%jS~uvwPi}gaEVbjBS=Vjq*pt1T%UKNC$E98$YHLlCi!9na(lT&8HImO&Vi(`C_y!;s4Vl31`9_7nt5-1 z*7r+dopw9xZ`$<5GNvmkpgl_QQt3BPYswVAg6mi1V#ewdRw$?!xEh`uctsqX(uPe! zhG$b)7Pt(D+P6$&z5YVx_}BWbqD?pZ8q=t^ZU#y|XabT}s+ac0vsX|-c=ex*XoJs& z6uVh+XJ6QB-kbB)Y%su~qfLZX-eH-6RZq*lnP~M@z_knyi$~$v5%bLQdzq=JlgfZI@f2rXU}tu%2B>P$a&&Q zg6?gpO}}ey7BO$TrTY8tzt6J2{!5eZw3zq7PoM6N)?+n^^(rXogU$2( z22%dGV>ODM2S>EQ*z@p%M)VTi0o&e+U)a<_MVB(ya*9E#dH7mgarJx^2ajICtlU?% zN1txk$Xs12AH;f;4I4S>l`fTpV=Mh!SXBT1({=E8RDt)2JvzFU_L7K0a z(%OBa${rfw*pb03ZN<^`YJ*`aL+sJ%+o;TR`joIkk=ldYHDM#^HSSY?%j(VdAI;zn zXf&a+*otaldipH?vo2@f6wpK(6n^`fekQ2zqVC04j~>nJvFoonOHX{3RQJEGAhn^a z<)N(I&k3L|}>6iNkh+wwS#oD^aYyL?p zzStIy73}Qg@H?MXR4?loGHLfWv6&`41>gEQzVsjKM!%vC>&A`KrtG@U&0=cimqr>i zJzq*^jMh+d43@Z?{A#{4)ug6GOOWa7?)t2nicQyzTfcdxwa_xPd>?50ndfu-fOk6(`sD$Le0TSMpFS7fh0(yyM%tfJU=B<#PC8XG`A zxx%(0mHMH&I`Z}F*9-c5oIHl)X?&HbRJ$B5dTGIe^O;8DyUbmqkveP2%d*R3?6l48 zu`(g{Pmb-u`}uwFj*TCJ^j$YZD^nCZ`P<$Jk8YeZMMq%tcH7Q`pe+3td+Da1W{6xmQrKlBJoCg~2f{z; z&R*XoOT{=GL@~5;&O*EfxgtK2YbGMCiT_P}_7K%`@JT%>rBV{&9Y20=F;gzCp1fMJ z@4tH!aB9+MG~bOgm;ZKXed9*lwYLU#=6y|ZJr#xI3*TQ$XVLfmL*HJ`-GqR^zIJ*e z6*hi&`nw)HFG;xXNS}dY<&m~%^4EC&_wPYCIW-k}*1tHQ(%*Q-{eXK5m^kC(AI7^4 zCXL(VH^%=Na40C0_Dq|MV92+4&iwnG|LreU&YR$%|MsoFeQErs(D!zHfBW{gFTJ<^ z`-Z>$3@Gse&+o&G#=omCrTN@8;ZzTUoK<kKB7qJ7H~P z#444UgJVM3VAOCVC$B*xVga3QxH~EXx{~9PX{vD5*|NIU1U&Ey) zeq;GRf8*SbTf*I>P(roUlh^$FgWU4NUG3octBC{of%}3SIaN`)4cfMIjxP-T+atoy zbVPsLGvdFZ7#9-|L{%<|{euJ#*LHBAXYB=p3RXL zg*oZ__6#qom9{P^`%s>eJ7Y~&?X7lwl>_Zh-?ybYD*Dy@QGg*pE2ogZ~(ts^)?vdy@-(c<)m<7fi0w zj@Jm0J`PnHxtFAtsaw>xiR2h;^bj@MaiHX)U2OHlU)3zQ|Bpo${PyR&VYjjkCe3in z|GuC4iQ9fzcJ135AJ`D=^8L)&%v`zU$Ceun-+G>KgcoNFY_3@~ae;<8N+-UZ)5%Nn zkH55g%th--uoQ!nw#ai4~C+ri_$jTkY4B zs^TC`Rn>T5^Y-ZRfTJ^K-SWVtWaJoM-mBV>Tiy9=-Gb5kN*>)GMDHP_TjuNJ5=f_6 zrO|XUU4{(;&|v6jqiR5+t6@aeAK>m zkA3Ay4;Pn9W6R{u>|7ODJ|tJ%ADFh7lF(N6yw7ktb#zE4t^D?#lw3s6@{VRY?-+6R zES~FrA*l*l)LI9(LZQ+Ob~HV3SYM{{@E+dasN63Sy3f=9jE^;XpXQql)g4{BijK{ z|FOMSZ_Bw@XmD>&NKByoo^KH>XKQ5i{`}ds0n&M$>2-CpeaEP;Qrr|>gYK}?E1E~J zYdmDuvf4Ee%=7sdx7?F_Vn}arwKQ}d)seq&MRs^(B-UtCR8Dm|zci+W>qZ!!ZB22N zJ5*j(9s^H}?ZDEFv}+wT(wD7YwC_{pbcdkoS|wj+gQZ5!?8?v4v(Lr&C#8C}RZX0+ z6X2jT2aK6m}X7P5E zZshXC)M-I(jgLON=G>HR-mqRb;(F0swys$m?e$ozb8Mpu6E7IOZbRvtupsT=oJQMB zc~2#N>CBkyk53f)R8tr2Ncb9Vc8tONC6$T4gi~7hfp*}qc675Fdr#(2307oP!QN>x zD2}-0I&|V$eb81$A+DU+s1nrkWz5c1L+(_D^&Bt1SZV~k=qsY}gKc%N?U!D8s~ zj#UJWy>uZ7AjKJH7pHl)_TIia7mrhhOgW**q@!iJc(G^UhSoS{}j{YL`j%I3Sb6or|M;uP&)*_~Z5J zg_3Q#ovo4mwnOb+Vn{pc$Gj;pv$(W&VV%RG#fy2nWQ`JnOJfTR=MGijU`Jwm7gHwn zW}S1s_G~d7(pn`_t8(Z^FJk<1B9@EUS+wF&K>PaWfmgpCHhn~6(kq;E7wtmk-zGV5 zJhwNkuPu{i#c{YY`K1(Y_xqKVEwzNW1&6gY#F zo{w<&i7Z)md*f`Hzzc_ZLCz*5MB5GPk3K!7T65xww|aSYc1qR$XL;}ZEkAFk&053m z?{HA7COK^OPSd9)Zv)Jc9VxHdbC7@9b(qZXN6vd+2F*T_#JZn-QGafB&GwZCM?K8_ zsg8e?;?A5-^s}9gtA#hFYPFv&Fst3Zwx7o-=R;`RREyqfxEjW^){S&jci!)3g&r-da;Fzb zd@86O_|&?7Z>@HvqrBt&iDhjTajngDS45(yY9l#0GL|szHU zkEEFRQyUJhz}a)M%$Y0SJX)E<&6kM%>mQS3C#vwubNAf0uu znY{@9G=b}hA?5njs~>PqLpyL1xl=`^f9B=;l5UmZm?lP`Dr5vtdp;jE8>F2Hayem1 z;dYvAw0^lu_}gNR|GVS$B!m3q;K-3b>goLc#ZMEWYbE!oUS{#``eb#yXp7R068^Nh zEi=7jhhFD+JTu$si}6J)-du^$dO6{~S^OCbDGB$d*-T3r9b$}R2mmE`)$I1pdylN#K%tC7#ut6JCtCJ4V| zKE3YIjXtdXQ9?F9UvB`2v0bv z7g@GiB|))#=w16TJ40acV)Nu?;nt6@tUcquDT{wtu9p)tWgFHK`yeg+yYIH`nVYfAN!fi{sy#1a~lXl+gpYqFVO*xdm9voY0lsGThkhLRhqko~z zMx*CpYLb`u&+<_j8$7ywKd+j4!R67TUnOx`is=fLvK`NgsONPbn;lX|-X>ZRp@0zN zDYol105a3-5Yl@Ahur@;XgNWrwgGgEE5B2mA>JMwbcZi4Z(k5gOZ=fc_LnQQ1G(~{ zoC>|ye*l@0G=BYu@T=eWspY8ltqSYEacaZDT#=b&H#ePn%q64{B=noF%#3vm<(t!s z^k6MW_=DGo7*5W8VORdGoM z0=<@IF1J};H!bnJ$+auxcaz^6PPdUC{)KbTcx?M^ZtWprkR3T^VNcLOsWo2yKFQlx84eAA_~#W z%yt|Z^yIhV>0M@494PJG^wEm1OFu}C_2tW^Q`7IKz3AbGhw4xBF*{VYV1 zC!*lEL>a@-7AIZczDs7kaS$G_q@|vYu2jR&`Cq1e{fs>*)cS`)R!vxpi*jv6=b*J$ zru}OR?%yBWk~Wa4eh`zQfP-O!KK7I{NO}#LLxLeSbLHlsu zx%U1#8?jTrbuWpqUxlHyDJPq+UipO?G%xATivxuXCTo;LmL7G8EOSTKRJdvoHR zr_VcdPkduOqaQD zB`_C98O-*+WtLV*&X6L3X>4uW5F@tE?YJn;;j;=5(+y^Kk;^dc-HBJC## zX`WY8`;Jlk=Pi?ss#5agqTr@`dt-y>K=!+~*8`pKIJO+Q?%ctEAVnFr$=qK@ngy+r zg@oDF->2T3aME)_sdev22id*f2mr1s7Hyx@qiIu(uD}5WR1!#hhv4qcy zOBsD!VVvyC-rk%J`5Tj7)m!k4(SyfiTV(Q9)td95H~$Qmlh)R;CbG9!ISKS#T$MHF zE^hk-#zXQX<(Kl$^R~3LkF2iQ`%T~V?S{txRh(!j?5+dr#Mv}@v9ebgQIm;tLqlFn zaAe)s>pojV`&dFn`Y?=dL3yMG4}!pBPbg~Ddh)~BeJ_&w(q^wWU^>+k<`0ukC zSq#j%U;8vDec;XN#cvIso==%8xoW%4FlAnf;a-ph9xk=hV384qrRKtFwY8+r|M1L5uG{;#T<_B}TJ8Hyd+xcLi1^5Vjcb&J z_YfU8dSKW6dYR{8>XIMy$Qy71fTT&wYGHN@Ue$u7K+W}*H95oO;m{bGKn(8wg!LE5goo^9jqT-uUoaJ#(CU($NUH0*t z2=4S*XU}F7N3xi69ThCsx#fr#xiw_CC(Ph?{Dg^vA)<%c2d;QLxZcOv=!8gYdd$ij z)gP^wKTr9Y1#@?pumD|avyZ$V4~f;IU5h9jUTFXsFvNHdl3Nm@a>ZKhzxe7Si>Elw z|7Nfh?|F43YtxDvqwAJRpPX~Z8Z?typGWrcBoV%Bw}ZE$?$p*XSa*@>kZjzf`eL_= zM>p)toBX2F*V0Z(5hSSI{XSp`3O%!Zj&K$7HP_6smk;Q71MI?toXrf(@6}I zm;~INF9x2@#NSM#=&Em-Yph9d&coa4a+Lck*RI`c%&vD~`6;qie2Ae*y@}s&%=x*{ zp>TvINOfkUfANufM&1HEH-VS7?RP7QHv)Y%=u@=mEp1TxvwU+$OSbk4Qp4-~$`$xO zq)hAPT-pXFaH4Wg2bd(RqlZgJzacKl2rnzsPAB;qn77Ay`&yof1a0aYy0Un$nyr(^ zOaOvwfg}OP3!Osnq|gMFl41c@n|Bm`D_LrSOS2VS(xKV4uy%SnSYN!?HhX3b)$JsY z&OvQT(-(SKRXH;?c;ifKS_}?5*Klaq6TTQfboKHRwye{Q!4+f12Ijhb&6U`y>dVOJ z;yi%+eSlr2%JOd>{;4_jcK*(cEk>dOWKwtk^Qy%sNTv}taNw?&#MW1GPhS}zy)ewt zcJ5&CUR-G~$Mu&p*EK$DUu|Xg+KH8&s!j6W$UE?2K*VgL*I6F9%C}F7FZ)pqJ9b0t zn(QN+ERm|{QV!lu{^Gmw((f`kmL;VJ%KFO=$M)pvMmw3*u8r-P_Zw1h0!jnEG+>{J zE$~BrervOQC4&-cxu(oiJ?gXp5(TxrcZ}wI{OZ6JNb$OQl{3G}<0fEgqEN7`NiR%@ zR-o6=X~G6`#H&-o-XOdf<~~cyB51|c4m}vm`-Tk2EHw3+CAy9?LN{lg6C>d9 z>Ed~@jR)XCos0CIxp);fJUT~o83WIM2Td*3VhU8Gr<#J(dL}(1+=wm?ulb2G*E6=N zc+fd|h1(q@C|ynpgQ;Jx{L&p!k+I6yQ3JS?%K%d#)|T4To)oJQ8m_q+Hj%HS?vUxD zzBhY|&(i1!MgVG(KdE`4gxk0jzr-2<_3(}0pC&Kgqjn|h>}27bt(!MLH_B5!v|cx9 zNJVbTujNU8{5XgRwa>iCTr<;@oF@MWc#sRJ(gCc1 zObSsHRDaBC3kql@%%@FJa%!pNlNw|qhINnvuN{vX7T3pjWt0ASY4lOFk_1M7C~lhm~WU) zTJABi7&35$xc>c&M0<2Qj%Isf}tvhh;96l}=& zeZVZt`{6#;|HyKat8lJ#ndeEuA7Svh`FsnZKKXWW=ok+Dd)^4oYJ>=c6M*}@nxLD| z-u&u2p-ukMBl;i80P@WpL`DF2o|=8raD!efhu5l_V}Ch!_@Ec#M&J!F0#0Wwe z^5+vD#vBzLG!T{VUs;cZh-I8C18k_}SGZaQx1kN&jx42dDsbnmGp9m+9}%3jO_H{dL(XQxvaoIE=4| zhvDDY^)EvyFr|Pswcuk2ORbh407`9l}_u+_{aI9-2!))t_$2zhzy}k)q%xaZwr`wYo6Y4t^9_U$RR7%d% zGQ!KdbRUbnzb}a=aXVca6cKzN(_zfAR?cFueXdLYD?cJPqYQ&-e?w#Cv6=V65E7y* z)}}tO)!THNe3@GMHELjzWgk&F{{9}nf9*JNdXnd)_tbfghe>8%R5g(c6lRL*ki^M| z#Rlqm2vP$5CWNsh?jw;yGxU6Yhyz`7oNBZWx;%jBY_QgBxTqH5EPxezj$OMVMXReV zeGC>@-bXUPn#4E?$W+aH%1;L~PU`^YbM5cCpy(;k@wCD;B8NsN3^IaFgi$&Kj+G44 zr05a49C=4AB&KW!ELC~b+HSsG_9@gupgQ5)XD?qi?r*-opUE%WBdaI9$PP!xx$0jD z@T0TU2T3GInE|fXtw;kvz18m!Y}QBWs`|1^I1CSF@sbVN$X;)-Oq5>u`dVkfsoR5v~b4V)f^z)@2SU3r5 z>ARAQJ^Lo`Cp+~byK5Qdw~+QGfF?t3_$Hwf`53~u-!J{Xca;iIBY@;(-mRK_5D2`d zFAoe|5pq?|+8hiIEhr7yEz%;*ihV#p2sKA>hK7QxQK`r#lt{t??lo2kELt2!y|I9N?$B zyu|dlSSsS*Ovpc;*2sjSD0vQ6{HCyFtyU=F`)h3 zQ#y!VaB7@AL~;qt_njmmY_A%v_XU|@$E>>Gsn$sJq2?xy`lT5P_hghv_C3F)hw+@= zix5-434&8ZFcT-vq(1m^HV zgvop6Y)MLzT)p~F3YZ~m-p3u=9cC|o)H}?cJx+6iTsBGFNbY`j@Y4i_(V0s};D@Tf zAmSjkJZISe%8!3^G=VWR%ni3A;V38xbq7)|I3a#&oL!5}H0DiOw} zJGJv3cy`;cuqQ+MkA)FGQ`&+R2y@3HrgxydFLgIrO)ZDvO4|#}`W@7}Kmrx}er}05 zE{^BwV1y82=ilR%HwuRAhp3F1J-j6=RU|^yCA~9;nPQj!ceU&#BP_bogbttO9rJ>A(i>;#<0To2e{ zz3Hyn0l9Hv2h?$4d|@rOM9KLGX`nes>`nmlz`aj_=3o4$~ zOM7QpC@}05irpVoFI+gSC=hFccQ{}CGl7vJ>x>z9LgKH8j+@%q)tTq|-$@wf>u~?& zg8#N7+;_zMGU19gW+Gr~VQsp=RsBZ@lPQq1wRN_`43~C=8k-9yHD$-<4pnGe!I@}+ z5i6CK@*&%k$`$f;wdIjF$Mp7ETX!DY?x#@qAC_sx%I^ySyeGnFSY-8|o}bbQrrWfz zPvnApKj;OIQxrYw>$dTe54K1pFtGk^(bDzB#*dIy%_6K5NwXO&8F;6*w&w&b3e%I< zaZvX$5B9iuO{n9x*u$3p*zcT^a<+HKyx3Kl3PL+F5J!btLZFjfJBMs=s5-O{YI~+F zV&`y4_fp2#lAix@u^8QnxHow{@|tXe^D6Kn2p$jm6)t%$Bj!3BCKOu@ArKDcL2MEs z1)UX2@4v+)e_MNexq@dB$oEIpz*Is0r4FSJif9vA(7nW^pPCWt3K&o=Z~eM*CH&nP z+VLdTS`n5|X3zE1ZmLq%3;1GUpW@{J|9g2YZAl!^Tcu+9aTmX#(TmYz5RW0}c9RQ$ z5Ec84Hub-b*Q|+HD*HHWe$MGS;CoPl@h3tB*48R=$N#)%jXkTE)7)UJuUTPsjhWsc zzsD(vO_r8N9{>)JnRjWMta)<(&(E%o4`o8b?;e@+biefd#LCp1g`u|HACrKTaaP|M z8!;N0H8x}2=FO*H=1B!w{gUisHopX?U?tt8%|APNP%sbO0Y!n zmY{o-<*7f9?xti-HnW_AWx&?hktLsX-%;nPi9Rd;eO%O7TIc8y9y4`+zOK6yOE+86 z4X?`+EH|9zo<~&Z0NES_t?7jlaruy=SaYVD1$m@;{hsWNU-`ruSdsg!Pif#G|lfaEc@>#~4N(iqWrhxIs>SJ!E>~Kf<>eJIAv|_k!b) z)gU|KO_XCtHkUQq49Ho1)+`2ZNP;LStGZCc3}QR1sz-o>$ZT#!CcI{;lv~zb_>&>}lXbL=FY7*t zRtS*2&Teaj43FLRAIE!APQ5X59MDJJr<;5t1tAZY;+`|qPPf@}X(So+Fby(HsbSOr z$R)NWt)IT^0Fn?;H8&8q`EIfJa1B`$*Ko|b4Vs9Ib+`askhlqQz!;my1UdvBx0T5n z=1%@%4-w2dvfC`7Lt8F)COgg=mm=>IL5py{)=lZ4san?UPUz=84`it1+qB0=d_Y5x z1w$wWM_pl4)3`D(eb&;M)j4oN)BEF!8*TdD@dhnA`CrC*Qk@K$IV?R?7ed3%IN|(Zw8jd+Wxj{7vJ?O zUTOKAqp&$dHn`38k>Z%4tp%xUG%;%s7EZSp#X>?S z7BvNzEGa5eKVJ0Ci(d+}zit)Vrg=(1JV&HaM36Sm#raQd!q@~&xk1sj2VXd#d7WCxySAD4p1eKX-e0TT#8&*6? zTgp7sgpL0sl5ALd-;ld4Cw~8(OI|e$m?A0RdD^uKiVr6$bullmC`GmRMik`JJ9pDX zR3_j;VbPX^{-iIBAC#u(2#&f=q+mNQb@HP0VC5)_=!P1ze~t{gYhs_{Kq+lAbNiCE zXh0(Vp~6GMU|~|avfkS~PSWW5Kg|66IYmZ%En6y#j~dZyyoAS8~J`$8{>MB zjUV|E9|Pa7KJov_&z$EaR|6j5ya(d&(zgnomtj8vw#XmoT$sQGPF)l6Rxd%6;JhQ;6vkb;hSOwI$E+jI3P)jLOP)Ly~w@DHB?Nmlo zU0QKh6>PpoHw2L}!9+6$*-R+~`@?m(KP`q&m}ICfCop6MAZvov%wJ_QVSD{j%_^pSXdN%5&&zWl~oJ$<^52TQNB(EFi%muGw~Dz z^vJDq@&cvQ$JQHtPiZ&^#G*-rueVcjHW%Fu1ch2Ufa# z-~r0F5ZmfEAu%V~(CY%*AHwdd4bvg~MhxUjvhjq-U{0PtKXR@kY;Up4c-<1RN+-}O zY9^b5>{EMcn6B;HJ6&2L=!3d&Z)BSXEk}^uaqoZnK6716b zq|tRF$}A!IoJGq;e+z;U@m^<@%{5}}hNn8?qlFsAK9mQD#+?-J3mS>ff0qL*KIvGU(HNiHg_KOT2>#UtY zdk#k1FJHJ;*(dNFMAv=jIIae6d4qm@O{ZK-E5ghF_40vS#PY96qtWB!pd93CieM?U z(YHZQ(6c?5Dt4Zx9FV|_l{xCvAtGVM8Bqt-GrMR)qV4^?s_FZCoY+0r_9Z#T6zUbM zA}rngGpt4IhU?Y#kP8Cfdtc|`CO#t-un6Iox$7#A-H(Lv7IlWEMq4xNXd86n=WG8EE)6K^$f|&>-Q!&VvTl{HeBy*6*Sw)V z2`UM1r@)F`s-NXmwvAb7PCIRD)0`0xV{0;TsmGoY>)ngD6@i$Or&N zdSCI-`=cbeLUY4-?5l@NESUlQL|pnz2ZR{9i6Iq4p{s+sUrxD6c>v*_PaqI3O)p}6 z`jnoBhcXF|lZu%S*Xm0NEDsHAn$wrw>ZJNIh|oQ@!Auyil>G`rv2jRsgT5Jp&&G_? zMW0iA%*621+kVv8)pe4J&z>E$w>Q`p)=VuK9JR?*M&2(~R*m==)!@_1DGcVOGDdXq z__J&1{OQTJDf9C7PH%6vo0S)W?2VKXL;vAqiF*bh6^f*mQ)pL4_93V?+)b8&Fa8og z9>*F2evLt3W7TLt? zh=8uGQ#Odkp%qEMIr2jEWI!s&$vB5q-|Uv~UKbgGJa0x6-PRzeXToww{4}Upp(^0= z$t2TcgKs=E-ccw{lOJ1G*6yN=vPp>Q#Rj-!_?|A#JoJgxcWy?- zZoi!_HA*MRu1gT{k(Jehp5p}YIReZft(aae3;m);H~hPq2IX3UF6>H9GXusd)DrGx z(13!{b^ctSK->{a++?Rmf>#q1-?1Jr8kCXJC$~F)I;7D&_lp3l{Ve*Gn4AP>Fk>qq zOSwDu%|@nMJKDe6t|9-;7tVO(%`TU=Dd-naU*!C z)`khw+40lk=PsVVJDA5t5J?mAkDNpzqV>*0AYqaYG5}|0AW(Yk+S9vt-V8{eS?&l; zVy<}58P=@_N~Uv~M?Z-7FVT>|Nx_~ZWgvv8z|oi;z=8rZ%lcZzCj}d$OzJ1z8=qQH zbHv%i6c~G`m}SG=`bP-SB7ZnVpdV%qh6`Ir>dMs=7wP_#3uK_&3!@evrLl zlaRde%Nv?ie=f?5C5xFjbK#>cx0ri)m)ZoQBx<(4r&v(qP9pb;i`MqFN*Vm(KI}Nl zWG27iqP1W;Ih&x?eK0*zxXGo3_s>siZp{uP`ZD)7OWqG9t84R9h;VZpiNMbgCT-U8 zHA_sM-DPSQYrG&3I*uM6I*j^8S369(GwcLo%9S?}g4h42*R%2x<#}x>CQS_n-QY>We)O{I6_296P(MoQ7T|Bpfad$<|Tj!3>=p+DrPf-&` zADGmzQ)tX{S`b6pydE0YW4*k6eX<;Q{KnkEE!GS* z$QTlh_#m9}s=;{z_kCqVL;8yE%9kyEAUrrvIAZwIQFL!Q~ld?@91UZQ+ zyyhOK@O%}^w%hMHzMC>G32NALW>Nz6{iY|raJNZw?5>_F2p9N^!=P^nkRokbp9dfi zO=Q5uY$6l{4)b};E(7{d6cq6@OFUH(vS0Hz(lO~SF~R5#l}(%8UkLuR_9mo?IGprk zB8wl^rj7lL4TO%02I!Cs#eY6N^pR?j! z*d%Q>eVY_%6_R+#>yH043idN;48mvM#9Fj)x#gV5N+a9d@bH>$_C(ZLQ=WWzgZ)}jq%76oWh?E4S;dY^) zZAlw|vSC5qX?lpUNP`r#kjcJ5U;Y}e$zyZlb{J7Ac7-44X2?Fa8Zq3>_}Ui)fsroGXAJcjSw9re zFa+#kr4b~ep-ll@b^OW1O!=lX|Hp$$u0h_%)r6igT#hkF8jN}BmncYm>JyMTQ`598 zsh=@0@z@do%AojX6U`7=0CH=*hs$Oa9}wRydY)2`((KX{a?3nHpDGy-4`}K+94>0w zxRDuJ;97LYoB`Fu_F(#=>269tE65p{mVp9f#M?^0 zrqG?56}E|lNRB@S8_5aC`5!m`Qo9*ksK+T{g6s@iSh6snWJARj8Vz`*0gyl{s@PGz zJllrgb~qjqmezyqUN-_)9$MJBXOnm4z;pZ8MF=;oHHOiurvEvs@iZ^?7H8ALd8dYA z6~@l)$Rqs6fJ-e~H!(3GEjtsK8gHuZin{Ex3fou?&Ae~ESfS5O4y;g) zZwQ{MhZ7zXbq9Og`ZieX`j^@W@5McGUkNu;+_L)M=&sD>?lW&uB($ivo0QijtD}x) zj`_Gg))h(qy4|a90OBJDF|GqCP)TPW_Z_nv+QeoE@~>&nmEb_FV+n#|m?S?Mw_gE3 z2f(*#lz9i;rg;d5x7rolh{};TK}vmAsgzO2YU5md^Vpx!(V|Rz-WT?od^?{%b)!*i z)0^T3JQWO|e$$%>3n1+=D^{6pDCemcn%GM(xBoQk(YJ@#24URhlaUB~iA68o53RX{ z1%tC1_ybA1>1?3un=Ng*HM(C(e0YNTL@4GTUO&t&7ZFh7X*YJk_QJd=#NC-VqugVr zY%T=)sR~(lZ~bwcqZc^`_u6-1Pz0bLybSFxEFm>UB5yK>m4X9f;{3@?kb7&hhfdPn z#Nhq~5fc67dONGUj4yr+D7dqTKNk`3ytZUKnKwhHf(Z1C?n~G;$?XgWfYI^L{M$RT$ZRrBnAH-mg59&XR;jW zu0%;kf(9hOm0nj>ZZ*e^F#jksWDlZ-bzXX-A)46?9m_ZMuq=)eIwj!*l;t3M zQ!|lSn7fKM7r1+=b+C?nUlhG7yh^D~DTag{H~N3&dAQXKl3)*pE)F%M<^yuMZ26O@ zbz0y^nu7%H{gFD)2EJhvxM<6!Z?T+rC-qoN0 zY)B&l4;eU1PMviVM)dv9ji@%@UeXP%ltAq3#=?3CwGa_Cv;#r69Xd!61YQ!fA*v@- z8G++cuumz|`ZVN3F9XEVOb7V;rH|-S6u3Z10 zYssaMZYuF;AuItuu@jZf{uaEb?$k2v-(o8M7Ks7Te&0t;$nsu$z~?3$cOY6JdolqG zq|k1ZR6d5@{6yi9AJe{#l4aBlIMzWmS>3Ucv3$Ggc?p2eX=$!M{)OR z3bw65pR}4uEN@j-G-aeajWUfLB3Jy;+S&QupR(}fdZuQ9@IDEB^P~1 zpi8G^IFL#YBDZJzZ4i~Z z3!$&%M*mPb8#cMsnTX9#knHdO$olR;s@wN}O%2kH6zxc%gk)8;L_|fIB}ryxwiZ35 zlt@uDjBMHah)R(WaqN*5$L2WMzt@ePr{Cw>A3Z(NanAj|@9TP9uj_TaZp>OOvCEia z1woC>o+99V5`ZhsJdzoowJD{g$_X&1%PyZ20=GR_97RZIuB1` z#?aZWa%;cG7I2u*gd@c+(B3?~0~@1e8vFl~L6)9GEqOYQu^xlVtPK?sq%^}<=3927 z4{+vDfPO`*fCMCvT~_|s^Q5f+9y2-`SFV|JwHej{wn??IY{dtGRGesFY#nP=6_IEL zsz*aq`Pot@Q1PaX^kV1AWVYVeXW#AcrIk#c-Rs{)f^+onA{O%5`2-}}2AooAxG-!; z?IKgoff;vE%;KB+-a{KO!$J516qZ&9ovKicBL|)(b&n&K+e$TW-}t3g z_eT!=+Cu{u3&6Z0f{M&tPZ%D5ku%cYj+KH<=0S6>oCGLL_*Z z%-5pH%$7plvBm6KE6}2%ilo0HGavPaOMF}JBj#Z9kB}+$5kH_xkXffeXRIIjeHU5U z8_h{IU8wO~iz9W)X_apeKsCVH_N%Aw2Fy3eI03QlA&ei8sBgEezDNIn`JDONS>v^e zwBS*<^2aqq5Z{|cAincmX8XUmaB+KwVh4m7!3<}dCsa-0glPj@&tkk4K*&CWO2sfe z`T7T!*6H);Gv-13-kcZPEMpQZaY(iakn`8-TI-X6iR?CD@>nL86~|YUur@sn9x?NQ zFjMe~VL2t@*{@%(CO4kt>0?Yksiiv{ik7ZLO#D$fJVjAL?nsPqxRi+JkWGz0d++PC zd_7FXE`s|UJo-ZGE(IFGD*c#!^@f({D${I@&BmjXj?xf4iHC4)5^Q&f-a zZyVk2RZp>XqNp<5I`T)H*1Gd`6+thHR*m<@8Ho!N!1Cx9$h_&Pb|V_;P|?z06;eh+V)D>+A!4 z)@=!gVRPrU6?sm_=5C*NE35m&q45b==CL*sv$4(FB&NoLT^jHGDgFkDaS8Car|h%o zeo$7K4pfII5X66tqc5KTN@B_nBRi#$UpnIFPZMQq(hHp@F!zMvgH6ZD_VSuawRu^QWfF&46W4dv}wzOBmcI&1bMnI$dT}upP`ELU0`Z3 zRpK!vAA+&g?mMK5OUf0Z6eP-W(g-2_8&-;#rYHEINQ52CNH1aR$=-(kLNU!*m+FV+ z=$2u&Ei;p>7c^A?8IuM6&9!6I+7@4W*I&hEMcwpAHockak34+Ab0ixtRRu6x4voe%jB|*Wj^545$ zBmK8=@`;%+bYw3200Nn@UsoQOEE&HIflL4X~ti%$AxobkS`2HNtLloFy-~Q8t)2Sesfefx^ zx7NZMXLtScsn=V&X=e8@>3kuP32YuB*jeN>2<85KV4bTlPOOy8_`5R&_6*3KPi}|8yl? z^3mKZ1rlMsAcx@juZ!CBPI2*j_UsDy@-(i&VZ^-o659~K@sLPhHy(vm4cNfVHTiw8 zuW%<`S=8&F1Xd$;!I(oPS8?wZ_2HAzY~pwU8srNjtZ(~XjJ~d9@R0dy*8-M!Ek)9np-|WTQ0>xp91;d~42M|LV-z9aMpb&9 zGZ8Tt-4JpI_u|5IT=w8;$D1jiGwl)@%XVo|eb8ouK3ljYVB4L&ck>4_&9vqqs^GC7 zn!NVrL(ExctKZ?2X=~VZg9+^ry%K#k5YuSazzV*nsdbza$@PXnwJBU8@fh7kQ-N;l z5AZbJ;lrn3Wn-yToY*g_(S!y&cETx&9R)0Yp}%;~S^<84>7O!9WFKlskr8Cb(UaxT z(M%X?o6HvAn$pE@`1t4a9H>Zk<2~-fmHvFUAFpS&7Fwi@CS2KH`!hky z6qug0lKB00>2SZOFC(5#d|sdH&)jVstq;hN|h8J_0llCgQv{m>{0y>TAmwO7^)ve)ky2d;A3zcqD-uF35lwKZX zu4-0}E}c`(L%=+gyDz3(#c~o~%r0oDYlBdSC^4uaUL##@qiZ=&iiB-&KC8sAg%1p7 z4Sh!>(b2iOuky;ip~r6e%F7)?bMkEYuZ66{9J67O&y$x{=L%tG+%>}bt59(3)b}yD zOOQUA`_Z4bTu`1on{AEH7d>kitlq*d_lW0o&*E`@y$AXZSO+{KmqkG-N(`7)i%XTL zKTjauLttJOu15ne%I&#-_MPp3d2n`$3ufA)f5n5M^d5wmjU%OWHpUwN=I|my2BuBu z0SVn{D8CX%bWXMEi1}JF5hz14MognQqjZ6D5PpPyjG$FB7FAIDRnd>7314YiGqnSI zq2N{~(}8I$OfsD%Hj=N$GpE~@*N^_85L{nEs`UN4=r7EkvCb?h(=Q^FUU_l=J;>cP zdh~pi@BoWD(GgJgx)1*2YUW396ICx7Ow{ZHE@d952%LH4n7zc}0D1J)R%j z`vMxE66nBPV~D+Ad6aXdS*`!Hu$*&wN6bdEB0#yYyrD45}Tkv z6mqG#>32qMXJaM@!I}>b1aO*Hto@{Fj3Sz6#8X>M9VUhw8z!**IHMF$>9USjpk^Us z4O-DBP@?ime6=`*a4axrj_XYL-dRZznVw!8szb6LtOlO#Q&oV#L4-Jk z8H1xB`mNUw$I>-qGQdu)92^}cP12?@38z_qkBRxLn9822E=prf2H2y{2%5HEiXP+O zUwLwbYXGmL7UYjgG&k(r3m-4PcMwsuTc(YRkH~BN~V)%JwBdiV&SI`{F4uf<)TITigy~ zsi@xI54|jDu*G3;{D=cvhZ_H~OmY!I^ z*T4neYe)QKw}SQt;=BsmxM78w z>F?V7!Z_m$25w=Hax3gD)_5b!cBKOzX^`oadA9i6yn}cK0x&7jGzLW1Jv*Iuc zQzR$_>W?~3{JR1vZujPOSls?}(M}p1&w`F|s5V!bNf$|7pKownnMef_&f`2E_e3hg z%yMSEPH;!YC`%J6@>#UMN0eS${o6yy@)jUH0s-|1C^_Gv1P5|HJR=UvS``M^A#7id zQx&m{(|^irYwst6?0vcoxD7|Nk-v5eJ{RdfCiuUG>6BQ`KI4mW#ko$CPo4L=XWXe{ zk;QI84~}`AHSwCSdJ2!EFe@SohPBD@f)CF;#l8v_=4XgD?Dqd~NM*vnvwnQ@<_C;Z zIbV-ZM%jXkGC{vOQP=NOPwLx$WV(BilZc}~ELkVHE&{U7Wuy9k?&%}XdGopdwt+XU z8T_*i7M_@f)5-TvpFI-}`^sq~-ybuN!E$7*Lj6`%53#VR30k6tO0YDMSW#g>q&tnm z{&{?1THlyfAI`f>)e6KT!+pv&aIw=hRg@Prws7UyH91VV0@o|;A+wh{-9?y0SbNCj z;+t`2ADXQ~s!^g7Rrs0I37{1<*Bu);AYht@Y` zxitxnVOH66!92Zt=l|z=Hi=V2JNCb9SMgzX(ylGa5j<1xlL?kkHlrho}B3UV-@aFEGdT1k9Y!+^Wr0M%V zBTvXcAUrh<7kuNmiYB_KI~CK{ng*3Ft$;o3v8gi?hd9m3#K&rGKa1?N@VJx|OkLo_ zrfzf~S~7S_L?G|_w2YSCn7f$ua6={3ZHLPBO=sVcqPrn%0N+PR=L0Q*S8Sr&ffQ*Q z5!=1dzh})~OR-@3c5r+cK^~vc*W4Q(q5gQq{V^y7TZ2LjX4H*OqIdna^Sona1_;kGd37ntyj=_Mw{wU`ECs;`Qrf_T&3Au z551%0@}V`MG(ZfXV3A;8+|4L@3kgG@;S{WyezHuNe};`+oHk#YuezhitwQVkX|Bo$s zb;{czH{^_}_9iS7K_oOo?0nBanESsW6P^i<)SkK}`;82cc}a``NpvQIQ4hYe%Zh?h z7^bv*$4SIgIZ$-0O(2S7$P8<*2z;jE=~=;Kah1NK{flj2LjjSFA z3HwTJ^pc>dA_Xn9;@%ixfM`hJ;2E$RrI7jLV~+i49m@~nK3#=s;t4qg13=pvR5&Jy zptOGfZ=Z@@K-u<39tH3`;=2}W*;+eK>~ulF!1z_yrg$; z9PVR7=Fm__kZKSVnwif%ruhR0Hj`z_`U1KQPl>qU0HvbG@sHE`o?UA5e2(VpYd=dQ zOy~6)?a8Zbw!5Im*jm$N*2hxluOc`a>&!5KtswMsgg?({?Mi(ho8Y#DlaNjG%i2)C z`y`xn7Di6*S|slo2r;C&qo^7_36+d6#&DCLKJzPi>`#r$#3YL9B&@<@$thAo!Z$h3 zr8OQ)j`9_?3>i7arfAf<`~{IgFk+Y2z>rO*l7BrSR@lahh6oS~WH!ITA-FzwzEJdN z4e1LarU-#B3LFrt@j`9vFd7ced3e3-vsXji3Y3Nn$+s3T%?V zSGS`&q0@RMFccu{4hk|SBQX54P5t;MK_d9rkrjNgNPS~;3$sm)342d1!!2g;V|80C zQS4mTzzp%m&^A?yhQXpbVqJcrUEv*OKwbOr;F%?eb4Po!nYu=LR!p$at^nvcf}4pI z+#hRzhOpu`vv=T4L`<9{Yl5a0%JubM((arG2-z5#co%aewDChEI?L1Ey<^h7mH3wz z8GdBc0O!iKcKftC^E^27Xf{D&hXjP8*#xvP%h@lZZ8t&^sUs=57`P(}TH0>hs-Rho za89psU9&~g?o}5iYDlQlYLmyPFs@jYgRI~nJ&nA-^wh(6GE$?&2(#AzS%cL{#{OC{ z?p`Yt-LfbfQ_7VDZCx7Gyx(2yJ{J-9wsv2+Q|luoM9ZG!2v=K>m(l|?rQL74aRh_k)EVZjyun* z(a#CLAzeCc7jX*mHv$VFL|k~i3%-w%faOpsUo)n4bNFU8o88CN?y&r<&Z`$R9wnn; z1*Wv_b}EDa156w)vvb3I2iGr0HVWBvXGkv@ww+D`X8(**46jX!o_9i@65DrI}d0?M#CI&&lY36{p}|$YD;B!_RkY+i$)d&T^pJb z0X0hnqV}JwQF;J!NvM6TlpOKUiMo|E!4X~c)gEj?1DZC$+=e!)e6dwC-T^e&bWZ;* znyH^bWL-tOk~zK=c4gs6(J+NHR>OV(I}(pplVO^W&KFg36ARqoS?wY>e*(ueD>@g2 zd^EL@K(NoIXEUkM7F1M@#0hy_^e6&gbE?QhcP?pvMiNTPF3G#6Q#E4>61KI}RYw!6 zO2PE&i?>u_)|ytoRWbu6d<1jfqmBcJp(qd>)8FDJC!#wb z)#DD(?ND-0pLJ}Y$2F*SwXqO&46%nNX7pfZ>9F8m7#2(n#RdI6#SF4A(Is)qd&(Ja z5=(u3JZj^!o}4YANl7-x%F*^^@2P82bA;-I`3a7j4{wsT zcjE|=J93qK^Us@uou<)vuG>MA_>*2rVk^kG??Xg>!G>LiwFpYVz3<>6%i07;evlCi zQw5@tN+e{4K|rqm^&{9?^10}NBiRu)fqH(xd4K(2?={qYuA{FKA~Uqvcqs4{oif*D zP}&hQ*v}&9to=Nbc#Des5LQTAo|i@MlR*09kzQ1%XF!^|PHIF-NV_pai+|L<H z{b*;LP`uh6hL}=sNlWjO=Rz#H48vBALo8Ft$K}Sx>8nZv)&A1gxyHf0$69jdc1=5_ zL3AdFiu{5!VU2V=QFDX@sF_sQUJ@i_M@5Jmx|&G>j?@)sI#Y&UZDF^gXYaYp7WkO zipJL&kQn%avFM>&6JG`^|C!5~sAI&&2q^5r1Jn#V)oqdxqwpiH4i`;+qAP_A>>sC< zc)M2N;I6iubPI?2t)W8($ULto-wN|1JuMJ1=v{whlM}9f`c&p8;fFD55EFlLPh6!n|(Y?(n`nGW=vLs?OQu5rPp?U#rce$sHV9}t0Tv>NSg&TW)K@y z@D8hD>Ja;6G6+#Znqz`{a5aMx&Q#;TQNmlpZ4_q`6H|s5ky;P?HBb2)f+ayk>u<4U zrmU5RiRmwGKvXXKpB$gYYkaJS(OI))_R0XTB>>O zogOX=1;{Verw|bgFb)L1rSN)yTX4Sr znh3&@)#jg*E+ob^aJ#&u`MdQEjO}i{E<$8)$EXkcp&x)@XarEnFq>YWB1?Y2W}*Yn zd}~1z7q7og9WbT^{xGuuxzY|Tf!(;&)UdwG#D6Nov6#=Yeq5d-$o;|NWWo;l_rQ9F zm^MaZRgOK-Z;&Tb6urR!$Wl4i$XlT4Gnj|)=DUSHLboOyVOUkGGB)%EN}zfxOcd}P zcWv+{Ib+aF9|a-rmS50+Wz3Is|A#XYY^pMhKb-7^)e4>Op202xFzHK`(l4r^ZXeDp zCnz2Mc(_62apQgyC|Xevf7ok-cJD}+Ey}gDoA+v^ny!S}E-hT+G>vg1G~(XIAjl7Ovm74rIl3d?Ld2Q^m8`8XnEm6Wr#mxTxLX z1M;BgJh|ij)oswOU^;|-WQ;LE7vK^9fotppGfXjeEYLi2Z)k&D8;gP+n$4vG_oouQ zj^JOSB*B{6)zamHLt_sH>JC{E`rL{84bjK_9H8tms!mVPKrl0uK!d@RijeJ4*fw#X z>ZY^PM>BMT=YvI2_d=p#vO?;vG!bNgl>%v}u9=EMX}5+3Ye3 z-3~ZXU+Pz7qILSyB2qWksa|l%A>g*0jg1GOD@%uTcTd~_h(5=pIx$*q&`~x8qwvEZ zbBH2xUG#mNifFr($ehy!4G3`>UzY&UkXwJCA|=CSF_B?*(FOqsg4ASU;b3=mMw*_W z&1Ma{K<7G~$BAbrhTne*HH`X8CYhp0MIi?N*(a35&nK#mTYDQ8mj-5Prs zb^CJ8zWfjd%9|xX*O9aZkSoT+2qT2uv{3Dd3T|Q|e`;^LuRU(Amqo`LCjCr02lxYG zMLAo`50843F7=q-QHpI)vg8@+KO@O&V7eu8Ji!8ehbxfeUGy zb069}_WqD`-wv(iDyN@gxkr$AiMqBu8IyLLpZ#a;BZdU&g-wM6R;FwZwQRZ)T>F4q zy#st`c1oqH(YU~5kB%a96HIgGNJaeO@Jg_zKRGDb@EaY1z3WENn3O*#3jW9{a7g*l z1L6fSyRd7RDKsf-hqgpcl*EG*sVd%QoVnpzGwR5+H~V7Bpi8{^72;XnW3~P+Kpk9I z%#!-v7pVD0PBIFMyWowu$ugdMx!_ zunrVayVFi^iM?#AX;NYxjFBW_Li~aprFZ8^ri>-}Ef6gzeuyjEcN8O zBvYY*dC-ynDH*bdvC*DO!p!0fV%_X`i?y4zHF@IOONhlxyLM19a%~B<;gq=?-01ys zKXTlB%8g8l>(KTLe)l8M5;ZxoNF`nVn>O3sPn5tM+KzQQnME45O(8$u5rZRJzS8t> z0uc~vS6pC3Ja%D*qd|YT*6Jw+j6leJ2fIKpi>x zBfzq3mu9M)Gkgz7g*n1<8B=U!>ZZQ{BvLbb?%q!$RuSw&7R~|dFp1}TQhU)ylYNyu z$H^2qJ}JgK3uw0Ua|W~qthAE{(tU0=Iz5Ers>2XD)x@f-(aE};M} z?c_v9w+HxD1XG%YsonXjUno7(=`q<8g)$N1)kQdX#B3p7%+mYshQ+ypaG2S+^7E5X z87Jl5joUoEFtQ0@bL(3B`O$Ej3Psn!llblm%M$93J`kT4GUaS&IX)*4C?fj8?gY09 zu2-a~(|aRhLQ1}^nWLe3*Sk;-jZR+QdP+$(!sbR&>z#qt-(wbUkg$S@uB#yrPDAC*-&iQl zA*^RX_fumUloncdV{eR(i}6-8jfmR_N+Oc1`_Z~}#f3@zOBAH@tZt8P()H}~bhl-XW^ zCpJp?H}3DAMXv9fav&8K$R3Lom0O5f`jt05r{L%UC6y2K~qKit}=lW zTq+n$NbWo+_u=+N%|&xY(lD_#zCRb_sU{vk2HTP8b{}h{okeWih~qbmP_2s{@L2gl zVkzHoOrNeb<1Q+GgGhk;72w8bPz63oFujL3dF=9M$biQYoLitapeEx|LQ(@;J|wC2{MEuk=SBR!~?Nbn!@0YnV633Mr@*Bwzl zDGVeNbN^X}4{*IgvSQ4H^H8_+&bblCDaXYTv&TL>$gw?Jf_sB2#p1M_By~+<$y;mNoOyqz4x#WWP;#EsWt{uF> zbt6Gf$B=VEr*L@U!}H4F8iu40BP;8b6gRcZsxPH2Q<~8>kRr{H6tO6x)ums{Xl{-= z`#Fkw`N>UIzr&Y!Shh(TXV$#e$&|mJRuHZ8tWj`<>)_!w+aL{13k?o?XDcfP51y2f z<9L7LcaOkfBfq`=SJ!@DC$xN7w{x<>=^qbf8RwYk1%`CA4qQnQv%7kLX5SpbCU@b~ z`*4R2`M7R})f|gFz80nu#{&iKFu~$J5eB%cTr@et9)HkErdaw{`xO?bUI03G)|=g;{~zN00m==*9qht&GNF%mUwwN$P4Q?K&s zeeJ88AUFO&=fMJ>><6@#uU3YEiBVcZ8BR(IZ=0(o>QlVBDh1x}{@$N=;_xh1i?srs zL$hpgd!p5Vg6tOF-3K>q%GT>pP`Q-X{58+;?fOJZ;l+a~T&q`y&Gi%B>;Lqio6I4k zsr|Q>xbf|i|7ej_Sx*_amjA4yS7**!5mR|4Dl**X4u=6(wO^V;XvuW9fu9-Qu8}(E zeV66VY9H?FDr+Rt4P{@yE&1x$rC+Yx zU2H)YalJ$XcbcP4g>-PLm|d7jW#_rRD2lzY$a^|HZT6X~v<}Vaty{P8RO7c}mHy+K zHYuw*XRormNTaEmD49n~vu9@?(!-p>&Tq$7sB2SR8138YCjI;Eg-1&EM?;M2`rjBi zHa>sl77yp;FHbz8IfjN-Y^!T${CF7WJAQqS&B-^)b&QdNTMrzst|Qy8L3er_ z^-7v$JKtBW*z6`+<+%9_tul1c`L76-V7J_NNwu9z?_57rC*1JiiN??LO`A%FzUphy z*tQwUCiBS~6gNJyXv_3^kzSU!ADcO-^@?$^bNp)D|FgT|i?;Qs3twlRL8pJkalUrc>4o%AnQtFz5J7g`HVeSwKzeCAf<&w0WhrXvUb!digz(XHK8}`YLDRCYjg9h#67T*tk8CuJ7-_1gla~-gsa7 zyikK^d+#%Dtkr3IOl`Arr!Mt$dB1e++8rG2q00>t?%h2WShgc2-zU%BlzYRp`kZM4 z(~E<0J(&rLc_(a+Au2`{U7T71_W$mS&dTcUpQDT;8oP6|-Ap>au`$O z_NyzZOjPvlA55-hp^i4bkfqk=N`;knZSNXdnbTF{BbpTd&)s7P4LNp>?^%Tek8uwE zjD9W@d>lV2FZQ#F!salGecKf8Dd$Z`t_8vIb^ z5X1K}+DV^(o5ykoImxM-%MeQstG_`s1X4{Tg zC%k*o1vYKkUXxuRD|@-<9$N#?)G-#c#%@$jzLr7aUTC=3PO<=a{>uzMmJL@<9RjAT zE9Pt}Vf$j#%Uh!dM;f+It%}2+o35Fd_PS?3k(E8$x=Tny+Udv(Woy^_zp=rO9oF-X zHFA=RZA|U{u%&DL%Zo{D$v3@Z2M_Kzl27YUJcg|>SY_l&AK4=)*dOx>fh#rDzWEq^ zcjeiB-}Wq@7eQ=%dJHLdZ{(P-#}v;zEh{hc>t;Oe&L$g5 zS59IR<*BTcme{}Y>QMP>hDQFT$g|JIbbYCI@zlj}jmA~4f-9a~3CO*QI7qF}5b=w* zvCQLK<))F3?Gs(q#5%p-r+#n8s^*j-cTXlqq)&A`OK!n@#h@Z2g8ADb&roIQq|ej3|bcOK`ba%zu7n#`H2Jl-N- zzI6%dcI7kFx0Hlc?mpZwNb3w+K2lQ-uYA#uBS;&rA_;K8ndRe{o+F< z^953RN;5LwUqprs{5V%N1wg7mU2Aad>Ps}5kMY(tFTK9fCQI7k!?o|cIM*tkfRE~d zYSWcZ>BXCEwPXzO>Pk1S;qhxWl-*t^`YUm?_CpdYjn>iqIKu7eajeci@#n2X?{=M(X9UGn&{Djka=bqnpC||aEHHi(WdDtXCazp#Lnb$8l$M{$(*LzC&;>~X_ zb{Di|BFE}!cUvJVTI6i{Yk3y1XM0Wk@5F+Ig!-8JrL*@8b)9Oq;g~m4Zp4>!KP@En zV;+uXo{i*vgirWf*dmqWGtv4nO@3>u6ULeu%cXwSc!Vt75>grWQ`0%g#xix{WSZnB znzcbv2oH_3O!R5_*iY@P+f5U~Yl^R*-?LhB0}g;^$}j%sl6+bd6J1IDm2F)m4v7kD z6@_`LkDiY-&%Ie~MZYTZkF2bJ#c%hTb&_XfT@U#<%)9XX{T|cj<}Y5p7XBwrUrw%H z1Ay-7(8H6V;nElOG5S?o+8id zv*BJoU61m@a`O6W&!iqDfDfo`+klFvV_|rH!LcF(8$XeiU$WifUk&Qwd{H%)eP><{ zB&bj}5Xao(lV?-sqvfX{>)P5R$q;z#K6v{0aeux(p`U>%K?;S5jypmM_qIpPQB&X;2i*RECMbbYw*IqS8)!IcSkECG(+yQNF6vR0{7B7+5`Te?Y{ zjrqQ6WYeCNi&~_tkGyz&@JQnxq%}{kXRqddM?BeaWA}{(O1=mKb@rn!1g#iqV-tny z1pItcut&i5VWZ(N<;xQQz`SP&eO$R8#g>Fh`-ZI3)(_y@ad^j)&di^)y`r`}zu&z_ zB9m|6sbAFQojXt0)u`@JL~mpd!?7UuSoj&IG~IA*>OSLNPfFjUb+c5lPlfX76>tf6 zt7KN5g6&cK)VXO>f5Kl0YGJFMK(0~NN|hn?0OjW47qM}x^9#E^AtU-$)gu)OuJRxB z7!k6{M~Lc6EntL3W!dAU_Yae|j+~pB8#Tz?w3KtjF7c!_9(Dn4y2XtPtXJIpX{zmP zd{t8MgG`+Mr_lroB0YI2PaKm_dR*L|p#Fl4oYc<-IWPB=s4Q&%>vK+j+PMXj1C+^8 z$|Ps!5mYa&89Cg?K0M*nZ28%i^hNT1_af^!CifNB`i{$`M5b)4P{0c$NA&gZ{l>M3 zk52ex_S>g5&i&^%(5H`pz*v&QkZs!D0OKcjd(ED6+4zwayA)`prYIX%%^Vm_sqaa& zL8;b)zYci4Ju%aXgPq;Xd%Jw{K|})zqb1xCC^{ZH6&bvxW_a$!8ec zlYcI8t~F$f-x323%YDrNMnM^GRmi@s57=`KiQhAsyQX8UMVG`vR@U`HD>`0SIexd* zk{a%`P~}$kY`b^&cbPTgy>z9S9KS|758#kl!OM5=IQ3fH4WvdLYpv=Z`@Jv zs47l9Vo~_J^x=V$A%ogejFu5!Oc6)_h)B$yBUg;rPh%kcOkfvX~nwUJNUu@9V{ag(`OIh z(~`RHyqh*5002Z}>WJc{vIHCovD9n(CNK}-qSILahRLj@v1$oO=yf z8$l4U-5KIjkBEHNf4?+Z{$&U7TB=xL9K%!RP~GzUso(zlW+si6LpN*x`+s)=lqH6L z#FZGvr99Qs*SjaYNuokwDlkWj7~7r-Gklnqw~E<1Kk(f@A58wbt%Qkb_P;_oyk2re z*PIe+JusBjq}8EB?@nbckNERjC)e11FxmFs&zt$vzp4O`Qrswdf@0oP^d{iwYVp@? z+PL~ej2{;1e}4TNr(klqtK_P8f9!f>KsIX?@_iaDJ9gB2x5gQxU;z5*AbmsLKfEj>!M}^{xkom!BR>|mM`y|hL?Z7>>>?pvU~*kpXIApuZ`KCmTK?SkEb%rc;Hpe>)Vra zQ=tS@d}em*w%X3kQKcr_k1{7FT&T2l9w11M0LD5QQ)^0Azgi}AR9s-T*!;q4W&vw% zaOo~vc*WkWG^Ds#iQ*B*k(fDgDs-9*nEt^UT7PXX@+HA;M-6A?2_?tV*c*KLn*(G1^DQkucP-~!(e=JNs+)_HlxOPVUmsX~IS^HW%877N^doGrChg*{ z+Bx9a_KfQZ0C66JvJoe}_(7ZskViAW_6{L^c_Gbcdu=D@W*M=eQ!h;<(jO#PJJbdR z3Ml6lzF)JfGQQ<-5O;U9tzlDCNrqP2Vf@30;ZGDhNt43V&p#{h#FQ=K&jLltMHgJI zs5@*^%WL6z+2ee}qsVCO9pOt(w21d`CLX+WC9^F$@5$i2f$>FF=3Fb@ig6eu$dzZ< zoWKi$$TI$x^XAW^!+#I-{t?v9d{L*S1AuG0h*Z<=Z^1xtz-^a6yqxo+C}We^N17r6 zd#auYdJ~)1mPtxrz~QaGKXYdel^Vt!KUsHGrK`M3)9FCoP$whxiD zh1C)C=nz$1d>u2)3R}!_3sucL?d@M4R6v#0KNhDryh>#C-HE#_1q{H`N-zSpEkT6e(!gSZxIjUw?YO3c)8q#k=C8&pW`*M^fP0{LUM z@$UX$RtrFFaMgf*UK`w<=aZx=DACelB}esYS169ITao5?fXi-6k)TfQl?Z~1Pj+7| z)m^^;5ir93r$G)3J_j!15e&C9QC6opW({V}w(TsJ?2BKydKD*^sG_k6R+3H9vrW}6 zqi?mpm)A3$iX_B_fZX4xXFM}5-MMhxGsNz&EMRM|Sp6Slfu+du-nymY?*a;6iwu5x z_FO{nfpdu9}=!#O7U%F6j1CGUSqtQ$%Tk4?zQgn&0uHnb4QfVkI`_(=i3EGt= z$B+Y+B1MxL`@l`G>D{}R^!4%-xziOE<(*91OS93A4LSci{m0C zG4lBI`iU&z%Yb=gkqLUi-vQQ_>Jh9%)h)vtF@N3G8BJsI1|s_{60RxF^r{B(?rYN;9^r4tUBp7F%nR6A5L!wP+T zd9lE@w*7s=av9ijFT@!^_yo7iS%1@mH-$P_M8`V+wYkk&Qn&r@leNKy;+HUJ8@h;( z*t*DV;d?dAg&4$&OrENYKd5PgErti}rKeddDcAcjuF&?Yg%{x9GSFJ6eKz6q?Z~(B zh9Rhv{?cN=PgI9$3*(n9BV|W@cSYFFa6E7PjH1++uf+@pRP(CFj(Rh3=~vg+sD>FT z;-Ot|#Dm_^f_$2nZ+*;2K7J2BU^q#PE7ur5#g`3|BBSeLy7AGy9|hp!5;_(~DlOX> zd4l{rExuE^Z%OTf8QH7pN3%`1i|;UrwcQy?zH{eJUV5__A*5m*dNM^V2MX?5>=ZHP zd9+IGgk`P?DwopSsHlnC%7uk_dyV3RH)*tPEqaU{#FNigZ(D!bFJrj(*U?lx#VGa7 z$O9eO_b(Sd+XjfimtP~}QKJc#mH$`guzo;E8Ry0KQ*uA$#{YHIIrNOt6B{*s7RSLEE$!lGE> z+MDd>BXM-i#A%$sB>!5eS96qGMY~(lfRx1kO`49{c_V7r(Jt;d(KkBMl{hkvv z#WlNsd-?r^=pwh0AsgcfxoEnp+Rj+pCOa@c-Z*%bNS52`_Fecm{->xW>*3?}=zq~h zO;;_$Rr%y_TZ$Hy?Y&yF>O6{<^l9!@%O3x3zqY5*wI@X@shZjA)rMt{hk3sSSM{3> zIZja>PPAfssX5lulx6@eu-1PQ;!2dc#R)$YjK3_zjf)>WZoigv{BVnO-kP*jE7}-1 zIXT-(So^Rlnv<#zMT(~Gd6dVVaf26dEHr3WWMWE6Tlu0nhbwO}@>2%Z$jWZnB%wjt z8F9NdpFs#zJ~{qfLWS_*Jk?J-chc9oH?MrB8$w4CBYe9S6^HC{*n`X7KHW=~EdwRa z!ouyj3=%qp51z~L{em(z~ z4MW>f*ZhQ$yK;9z<(BO>37{GTSM~li?7{T^RlDSa0eT<*+4+2P)LYb9yhXlZwS$RA z4xX?c&3czqxgu_swCK_LW{Z~s`-^z>jLjZMlkM+SD-$CtyRD`-;}qwU#*zMPXFfgW zhw9Ufth`uKF{VDK)LkRJxv*_N@1%rkQiM^F6X7dC2fCNseJ%>#69KB5vUrWaNR0@J zchR$jOM{RL1KR$-!H(41|JCL*@AgMciAcxjvpu%`cN2SPJ)$gU&F=+ti!@f|)i(qx0*FPWn~ZTe7d`~-i$@`cV2t7X_szQ9fE6f8dY1so{@2ZUF|d) zqd?#HzZ9=4L_;F@Q|;AnOlzJ&f!hJ5kMAlmU!Fm`4Dit;pqi z9uhn6cc+#b#^A<u zYxR~@{Jphj-}<-NHvM^;j-UY>V_#8y z_0~&5+MrB1!)3Yev*tU}NtPQnst$=2+-zJyuU+S;QaplcZZF}9Qb$%P?-1+(|qNRi)ENG%xm-?nE`I z)aqkj>xfo1{O=!pcsCQReJF@BK@z-IFUI)I)mcXvkdmNi4OFm7?;pNp_Sj$sw3jzW zZJT`Zg&N1CTs0=9^#3{xQ=d93`8Dg$g>#LS9#Y~r?)|X0xaJZu2v11Db^JOy*@Z3T)jpEQuQ`d=`4@J~Mr zvlbL{hj=}jEpXq5KO%&3)CvGGfDy+SzdNUT`ze%Qhk(=9bQsB_CLZsZn6CfN^{_72 z2*(GyTJ_3zl$A#`LPU5%q9#7xJ#_b`?Jc8Mhn(DRnv9H$&RPA+%Tq!%<^6ARVuTJj z6}wu|>BFLlRZ4G)m3nkVOKe5gk-}4ja(+7=0Fv5y+sN=V{R)d=kWq4C;(Qk00@69b zZUabv31*##ay24-sO`yvKNY^l)++J+Ex!Y#o`Q^3&F%#Q_lGjjov8G_OBx=y&4oL; zhl^~PdPhF#-r(?c(vl~!`A2J?Di99cW4!t;h>Nit$m5fjgZYw+@dN8K|KHxp^t!q8 zfo)FBHo#9LosNOrb-;_U;g->VxH6CzmgDS)IlW4+hkdnF$M<=g8_8S7xNX-#Ec0Ia z3Xz+6=Q=s@lev?F??c~POuXYkfV+DaO~WN>@18tOtV0As)9G1NK*0thgLo&imC}+X zvej-gzyhIe%q1cv$haa`-F`_e^ch9QXkuvoI=uni=O>8Za$vio^n}qf0)U=XKSLXQ zX2YKF#|^rgX2~jOav=`c@X| zbboi`XZ(mRf6$KYZ6@}7kFELC(zqJ_O<9rUF=I5j&yyRzl*1cP-MOQduS_^M2#JPw z=Z>>Zdsm>>f13gRI8|qh;={>y-JloN_Hr?9`f4w3$ksjW+EJ^Unu!>NO40kETTU-M zRD~jda~tl^`F4MRm9-UvwB}Az*ZH8x#Y+xxTy8d)ybOKGjut2u6pR^Ap?H~FpKZNc z)mUH?P0`}59vLBQ<-^n5PikA3<;yOhH8Xa`_HFs+9u51*A}c4f-vekY``49})o$jd z26*AS0>jgCe?X7ZFpjn?&&=h^s{V)rw!a=rcr+eAkEr*2V&^U;W#_$$ylHN{&(8ol z$)RQu8h`#=rPleS66t=ToN~v4v2#)!#;Bg2na7k%*36421PKdFm_@Ij!>C=+X>!p^ z!mM60?|r${tNBbWegA7C-IP}&_K)1}lbBHf0i||0r%H6e|3S@e6C_7R0ZY1Sb!0!8ZK{%Oq3=|z8 z)oiNX#BFZWkgT_|AyFB->NXS?2VO|*vM!U3(Q{UBIQFZ(!#X-N``@P2n7Ax)Ayy*K9TZ zmT0D&UJ>TMu^=1JEYQoZXoNB6sZPoK6RV6WI_XDc!MG2jNYy)s9#xK2!UYvP0Cra% zFk1cB#*b?*C||$0l~!IR)s=WjKQz>3{Z!4LZH>s0QFtG08u?-9(xg7cR?h>om}7E_ zLi7tk8o=R2W??dCdT35Y!nVpkVyc%Ss8Q#GB_X7X4H|7%{0T&lE?cKECx&ndg{4}4 z1+>1U9KKJ0!L_QVjelJDa-U%G&Y|4f>)D1h?P`87R^BLpw}@;zk5c`yO?_3!VuSiK zsruilI4-{bbu*JTLA%}FRV_9A&1@Jw-YcmO@lMyg+q2zZ=-Go=F7KNZ55P|(%bVx_ zGAyWH(7H)=T2P9WRPOmkxL(pTa~>Tr4BbC=WBH|~!Rqzuth5>&lvT|?BP>3>HQWL{ z0(1h87K%D3`l?qo0}d!#M4TO7b~3OmZ1LRG<>c9*8ujA-zS5{-Cl25q>8c;M@i(036f#zbV) zsN(LtZ~Lip^&BxPmhD~{F_`7Z_&q+@1Rai7Z!m(iC%t&jaYa7?=@(CU@aVS`>@qfQ z{CRka-z-G!C=#4&1l&}+TOEWFGG$N!q!B*%HET(ObIr*XUY2hWAcLaTsV;l$ewgi; z_1WM{P)7`owRjS#36M$i+GuFsTJ+iK1OTATj0waI-X-v-+X-br&cI%Jp*%JHI4Z~f zt|V)MD4|CwxgK`h;3(80Han9YN1H6kqVVy3~78f16`{`oxL|(dHUfVyY z8PN|3UEILE3!K#}2N6|uRe{QL_Z5ss-8$YzQFL|RXa>YhE46ZT18Nfz9mBlv#ZPOO zbz6ut`2@5+&2MWY-XU*Ex8?6&O($^-Nt2cIs-2dq03@%O-xQU6C6077f1k%e_wwm} zl)FeIHT&@k>1Sw=*6Y5+6GR<7vTRi^&@gxyUsWr`++U9=IN!q{B=$*wrnDl z$ixtxn)iDoOdMTO^QTfqzt7jOnUw9ah~`69t)C?aXd(CMMs5E<8BJs04TvR>kvV4D zL$G!Lv~OOGHC(|`e2Jq}hP_yPxvFzrJuv-|cxRNMMpa51a7gmZ6-RCALqx{D+Md)8 z3?WP%7;(}P%tyH)x4zK!Evt$78qmzPl}nuFPPYfl?o^?h%xhYgTt{nrLTDb1_;cuz z=SL=e%tME=^qG_OUi-7@$|9Ujdm*a|7{`X;pT{YZme*G3Xs~0h+^ColBw1Qi)Fj2b z;^_4JtSlD?wAMf;97Nx3(HH#|Ko9fwa7rHOz?(eGJbp+^r}Fkm~kcGJL- z2C}Jjwkd)s-8(L877{9|uyCljeXNTXEt$C*93{{&L3b@wzk3=R5BU>%hjjHbzojYE z%BOGA{|ANNui4k!I|{VDx3@2DwU3~#T^68G=H9cEZTQw9~wDdQ`ai{ap zHs<@#3}t}dBBlLkhfJ|4(X^w<5A>0w)4}w51W1mIRt|&2g=Fm!Vwa?o2>Wy=!*8V1 zs`Tj^@1iBNt4mO8O4yD!Z1gxdP{_Q^y}a!%N;#tSq83TN3@GFOc5LylOpnvtDu;Ub zmUKSF60|_7#0yVHhlezWf@5Ih5seCH`f)kK5{V>Xv!%Dc*J2da8qzvgM=u6ba@KD* zg~ACUK`r#-n)?QN2{Sox-&xqoWPjyM-@@U`Q5<7JK0z3;T_wax+eYik=uiHwj*peC z{WnjLrb_2lJ`KILoTUh*m`Z zQ8pdq3(67+^M#Lc^RK{!_M{qNVNEX_m zKg!GU@7!NQI`PYq&2iL~{eMkVP$YLiS;4FO^MR1pFQ{)N3KJfGyWhwqZaQEvEj)b! zLP5+bxY8;e90aKYiC6{=*RKdUOK8c%gda;!i9U_G@a)4-i%b+8s6s`zsD##&T*)SgJ7->A7B0=OO?$hs;<_@|q@w=++Hk7DX8ZHdo3w(Z5! zAJ_!Eb8Hi5G|1`$PXQ)f^r|Yfu)DPGgozJl+sj5!9$_-P{0)5DCF+vzj5XF3p6-@j zlm7wSnig;Y@`2Gup;E!I?q$W~m}QWA;BaYw-IvH+A$NN6i^gQ7WI&%lh$BEc0@f(0 zS{$Jzy@MBl#jD{iUv`LeBx9`QF;J_82SV1KQW^?B&H1PuTE{oRg_rIwTy3g6?7>*_@}xU8?`8Z)|E6k%x^94e`_!$?7-c18 z6O{^|BC~JaxG^e!eyJuRJj|bm$7~w&4}C&~ROvh?D5CzkETjVW(o5N|?*^ zo76p3x-IB0)?K({=Ld1OR_7I}FXy z*B50$Qg5Q5wuw%sg0TC(Bz-ku`kyDp5Hjro3e^S=3@fA`$;mumW+(Z&4% z*~*^p*|0U(ixD=$ux@)m@w9-%+4C0DzU@1WH)Vrb@Kp;>uh*Xpv z+Kfz{7uVV4h}^qib(=NQ#=Xa3)Qg56kXPjM_KV%p0INsTh(uyS^I;T}h{mWF0I8|Z)4~+f0PFj;#Pj|U9I8^yQeoAZe;(WptwI(dOPO)cBqaQ9d;&yZ+S zgd6Kjg>_B(AFd9^&ktB#-2MPhXgS_GmZ^Th$Jpv*4V!)nwA+tE?#J#dt=ScgBKR^q zG;T`8yOh5}yiLo2kV?S#!`{9jiyXh6o}B&4soeT~@A8eUa|O`Cb-vA3q$vsI2)XP# zm2xKUyhCsI9QUV+_|&5ELMY&5EOg^fH_FKnNkLvzz78%!QI0M6gVmmhcpxyU2tx+7 zeBZdm8u##Z(TWj^HH4u&ptNlgCeqQ%J$3$SM-Bs;gpOKo0Jk4y-Xo$h=!}h#lRs~W zUO1X3hOkiOdUl;Oh!m(owFcwtEo&@X2b8`e7+|qUKz`oXYA#j|O3wKm@tU~G8f`M6 zIVbqiiBdltRo@{XWQ*5CWf)eiuK|!ZBGVs*@gUcCW9zL`ieh?PKk&2jFEmt|Gzmru zH-Y;GT^v=uU0aVoi_8jeHUtY%pv6$lAef=$01DG{HJu}rST|?ql!AKb z%VFcFBA`C6P$`M7+4$~HpQI6QaLu|Jju2$38H^q@O+(4 zsayicNl-h)B|_j^z1k-_IyP4nRdNMN2Xk;SJ-)-w?{_@^tOBu49JQU#!F400_+aox zQfZq6I99CCVh|EMFWGcX7O3`c%VtL$2U~#=nL6O8cBcp9&L@DO7O2hg-!$czZNUkn zv`EKm2X?xm@!144yh)lgw!yB0LPoIwN1ZZD+3EI=Cb7)bwj4#%)MB)g`~|rNLjB=6 z^>Bv=T??z%x0pdoj2@>9Nk#&sYGY~=GTyC7D}-Ryq_})33~;e&;&iRz@wX3gE_%~L zN!o~Kf)sXzeM53bCc7@raIZgFJR-$I<;bCQee<$f@ zs7+h~nQyo3diMaecG%*lR{pq@gk*y+O6sM^))@YL`!F(#rUYAwsQmdv@STq9D4gSK zoLEJzSQjs@ns>p0b$~SJNA*$t4LEw@^odxkvM5pLfgn>?mFH+P!g1?C#P#Vm%{MxA zclXCr1_n7t^`SE|J&k+H7iv-hl%TB=-@HL-^4{(tA|vQzIy$wK?NjIK zB(&woJnv3>%jTY|a9GLdhf8=J4k4KmXD)N6`fDx3-*j?=E>WQRHb!m#PT?_IsE-BQ zGj4(!HD`1Mngmdgg%VNIguJ<4H}hlBU#ByJ3xN6)Rg{Z28_WN2)W6>Zi~o)6Y!@P& zrhR>k>Xb0K>O8EQV4YYL$;k=MaTD~*q9;va>z46^`DWeVOIxs~MB~5-{X39HsD&iv zavuf~pmyrCx2*TruiYUG0_k^7lqPpnM-#N`{MAFs?pGzCP);jE+a2L`nn;tt)!M8x zvpf)AA`{EO83)8g5HNo@G#JO$e(rv~4wdSr(%|T={nlGmJ72mwRWcZ8|I#fbEOG^U zE76S|6zAvOZCgOt_jq`gO#yE>dEK=C_gGe>{l9*bXS;@4N#>v;#yql|KZ5P6 z6nA7`c#3n;>%FxWscGXu#Hx8Y$C{!vNaDpbfdCvdmicH-~P#hdTzngDly$aso zp%+24B2<^E-#|4D>8jI@U3?Usx9pZ~w#AG6@cM`jUuwy`Poe=3=m?$O_|{J`=+bth z)Ep>RG=-SU=X0X8@12kizSx&`Sgr3zZ7ADyNm8?_SH%S__ZOwM*tur?Tp9fRmeYQ< zP;{H=AGgF=8x)rAqkV-9@kbm}Q%qyCVM+uLa z{e$GJ^F}DGg+g{zbXnEobXYXc6DEM}c7}FdGY+#u3$9;?Paz(o{q;n&(I~Rbkey{s z$bYnfznAtKqm5u1>1xTuQMSY&1Y`(snIjJ&^Y@Q1?#aP13}+DycT-g z1DG=>Pv%Tq?-{^%$EOf!{;m<_{n&52^Nv)rRe#Og_0steyDk4LVZ&)CqK^qdRdntlqYP zpH#P<8rUafJvxj-EbaHo>Fa&5^Lsr!Yr@0X+TMRSt1d2)NRgg(K+AxmnAs+_J=5HxNWKA zoDqKvEf4nL$Ga4KXYCMxasrfcJxQk%V;*k{^3|XMn1QMa`>=ax4xH%A;K$g1^v}1C zbgzlEjr4vvrM_NMyvB6exk4XA`2`cIxU2o>$j+p4?bzHsg)l-Jwd9r+8?zzBGzK`s`zh7QIKR2Uc*b1f7YmOmhoH zx#q|5(2%c6h@o*O45o~eb4I(mAftm91aT2LHVGvGwbv`C zZrrKptcb+*%ZXP9!BDnD8^k@}xFhhnggpwR;I;benov*5jLmjI%eh#SNYRNeu<3Kj()KaBd&J$L!BIkc!+WPk z&&F;7PrIeJijOz$cruzIc^Y#rORA*q|94viqo@)#3gDY1(!4?bfbzM{%3hHcy!*5X z#R}_cLxUs`7Ix#^OK2RNKypr<>TT*`Uah9@kFhy41dYzz@DQ=A*!c`Rp#2UVOA%$m z&yVwUv6_?EYL(qPuMksm{6K+lyD-XnT;Vfbz~`esPLsmRJPUGwYch>DiI0i=8Io-S zkMX%2B&SE57C=KBEps!XXRTD)DEe7_&2cE8pe<^21)?l)Qgow2l_AHUAhE)ole;V2 zk~E#xEj?Ec*7DYW0RP{c!t?aciYoEjSFT(+Th%P``TREGb=`gx7Xj*0;w8Q!0j}X| z60aFYMO*he_)b9T7xocDi8ga|Y+?9i<82Y3+l5Cf5C4E;j6xD6U{^+knFSnZ776D8XfLC^9s(t6T+ zx3pwWG-a`Kr4803oTb;>zYq#-o(F#Sw+i9+r=I!!OkKKRZnxUVkgDRgq#*U>tk#rY zm7#-sdAxo(INcOo@|X4xBn>>f{$hKcKai>PhuE8UaFUNT@qYWx9wxD_H<7;7I=E1i@$KciN(=3bbV@$A*y&)CEW(-hsUqh9Iy%g)#vxL7^4&s^-ET42Yx&6-=9~^Bw?FD9m`G z5UH{kw+1m^lH(d$k}aQq#O>`(dk90GWJyt)BjuO6TH4QJ6;bm@?I4?^k9P`YKTO7! z#jX55LXp3pOa33YOqZoUt~rFQEZ=!B@Wjr_}2+Jqg=w*2|5%xtOa4^=H2C7fuutk-*r zt@P_v1MYCvzzk|25VX-z&f3X-nddvX!9MJtcp+cGMM4r58Fzzx6S&6&`-Hq@u4X68~(|WQgNQkzwPiF`wms+#kOm@|)B_a)qTi zPx9!~Qw9de-Bb9=*EQHQ)f^WD3bNMGvP&NBIXIgA5# zjCEg%!pF#)OgH17diFyttD)df}gpib`*4h_HPWQ{4!Q(w?f zR&p%_W)Rag#prNy0<$uZOGf3UuD9I%s*f#E_uYTlKI;qo6=sH2XNdwGm&biDdO{9K zmBv9+2+J`#CCA;Kr|9KJY21~D8k~Cg5d8AP21BGh7+$2nHa-T9m z%3P}IamQpRV)vJrIuRf7EYtWLqB>5CVw<~ya|AVzb9Mi)VT@lN-e<&UqC?RgwGdBQ zToJFsNg<`lPqy&`qm&?I4E&R=`un9!|9(c7bRdghYkh41udnzL9TTjeKwW9y4L~f= zA8(7zfMpbApWbAaO?#FmL$&o;hOR4$Y_fcgPr#h7Wn+Tv5+t!aL9zx+NJWy>=?|v7 z*CYT7)=LyY#{u0do2|CITA+fKP%jiUYlaDKCdN0JB=S)NIGRHiZ9@6uXeis_i>R;} z!S*$VmQ|=g@&9xj&1C4WaBJjI4)S~_8egoI^CvB^7oZwBlTI28;r>iOg9Lpm6`K}6 zJj9Aw?P&CFOVs(QC$r<9DiawE-ng$(&5uX1#rxFKfV^X`_H(b&>bn>%So>=cUsxUCfS8$1W`egF^naYz`~*EB0Yq>3M= z=MnsHsA`w}7~Cwd+1^>~mp_wv3euoVO{@29sV1b`mGcK;M;t3SK!!d?5<$J(3Y5Ks zm`dqcx7b{p#1+`&omrhz~eRmkDbjA_h_{0c7bM^3G5v-Zs(U%g z{AVqel^`G<_>ldF82_jjTpz7O5q6o>i2IHc%t#Ow60Je)qOljY4$f>t0= zBwK0;k_dE|zIHn#Iz(`=V*&^h1fVp}7(s$wpzyZ!D;n(bN0o8_e6%EjBhqkgeriQ; zeaf01R45btT*ah&peVk~r~2{L#Et#A8m)4@RU!&4z%;M2r4mcN zBx9lB0aV_-qXm(_`_n&(fZEC&HLHQ*gy}7hg{wJz3MRTWUrsbOUIC)hUP|eRIHU+Mn?=!y4$MYGwUhPV$lm8Y!ydpC%RU2>=qx8Ae{ z#|jj`RX5~uXQ9^&}x1H8QIOgs0 z{0XG5M*RK7DA!TL*TkiS1y2ruwFK`X2OR{-O08!l(O(?3I+HTyJg}o>yIk$}13)%& z>R(pjd_z@0Y(FhyzqTy^M(Hr|C6f4u)RStre2*fS#mDBZW*DV?o`fYubS{NcX2`TQ z{Cm~WmXkZ;rO`q;)yde697SpT?ne?F=_J|5y4ESf{c*HxOGsPiY=b%m59__f$o_o) z(P5&V5l^3|^|*t$0Z9;!<^}&#*xEt8r*fQ~uStq!-Bq7PUFG#Bi7Tb=(>fTV^4(JC z20-le_CKk>hRgBFh1dJz-3N~ed$t=7QGwPES>geJjI_JKwA}$<@gJ~7&X!SOaeGNo zPk{dD-@j5v2`7YG=<@jLg*^lFUX=d)hQlV@0-Yk8>5Luq>*cm3&ws3X^feKix68$h z`DnqX;rrm7Q?`N#%jxt0#OGdQj3g40_OOx?_V zFe;(8GJI38h(&yKB4l#B5&t_QJDWvRws+mcF4o|>cHz}ZIs1A}S!*W*%sUh4aYy55 zp;-xAt~rLFy)nA$YB1&daNE^HnSaKa*g{*PUjhkLg}`{55QmM|YP>HY4GY`Jmv@yI zUpw>uZTmKs*RO>EmqafRfB?0PdPKvveG!L(x8jk(!cu4LcCB7w}-=5$oA<^VRRgIiW^CbAOL;UV7t;Zb95l&I%hkRkgMBz^~7WxGoc^eUCjn>ef;# z5?Ze?Kkr~m;pOxJtOlR48f+Y5IP3i=McS^;Nk5^S0Rb&+h)XMO?z0OyN>SSrYTI7+ z+5TbKSp7v-@HM5tA=c5!j5c_O$OvE)k~{GFrcFr#9RJC*1{=jxKBcgi5?Ub?Uj0=2 za_RXKzbb-kGm8Uz!L^Y}`^nB4#SsdPS<(Abak8FaZhqmxYqOBs9;x}?AAWvxHc9SC z_qraN<2zMVc1#>b;mON{T4^kypc9~$4SjugVCA3?$M`H3&+PxPGX36kKj;uE(ky+u zV*kpc32xnLeJGD}c2bVdd=@r4W|Mha*Ux*k>t0ivw1j@l$731|sLh~j|lIdSknvms!UP(T*n;rE|`^nU@yj^Qb?ZLaJ zw_1m`dOfCk4UNRdA+$|_e2f9BO>MriVOC2(-)PZ8%R85|oU#6ouY$!t8Zz(|Q+6vu z+vPj*;}KFI09;SVJKRhlJ}vl%E|JFH{I`uuciw++R=1*iSX?-Q^^9iwa=edJV-j5~ z%2Vyf|EEP3U-f^o1g0L?M8@Z;bzPfTMA77~#P9$7a*N^k43j9k~tU~h&-A>RvcwdUx}pk1uv3jpk(CjJhs7fkI$>i8nh^&Xm-bVs0`EyP&1 zSn89qG68TSmQj> zacyX1WdxLX@1MRHB2jyJbWqtX1zd}XB!)Y=JWGtc*CHMbX`;XsX6$IY#wk@WM!qLR zW=v{v5qoBIVo6ph3k;7)u8(Aa_3)38TZGF6E81XXhYxtI+gH zu=n}+-NCdw*wIsPG{8JwW;(owIeWYV>Dw*nw_=@oAEE|VWK{9)Y_oYW?IAf{Dip@p z_|NiU(H8l?C5&6qG1%h-j)j3=B`$7gbS_pd;KczoIepN^_M9c36F(8 z>(lezu)B1};ybrnkmg1{A`$G3_w+(t%KvR=*Sp4UGyz&~13du~%%mm~uPXf>H)rE+ z>BHpNnyKR&ixZO%o0|{mSOahO<*+y0u3iqvmLi{TmO?A!kt7So+!a71$9w+ zq?yPcfI!w_2TL?QAj&1(md}scH5Y3v6Z!5ZA}alw8A{!$ z>HXXILK@TS4cDOsSZ}aFwTAK?$meoSAJu+3*L;(-A!!I!9T4#Oz;2#jh7_|66#h7Y7g#k@tY4ggsU5bDrOkYC7#$7sO)J zr`PJayfIAJkINP05{)42uQJBmkms^^@CWh#!)4ztC4aya?G+l|H>O!4ym}iUK1fe^ zLewpr52N;-Qon@eao!`TBwiyDvYjFQk4#5u3M>hMQe(8Oy42PTc=D-Lz@14X;48qb z70k(TA9laK!pxRgz0H>PPrUiRQ50*s=ghirt)Kh5i2Q+C_rSU;{cHCUOM{q4iAwVo z>a>fW3s9E2WJSMc$N`g_YA(xuY%IV<-q(XOes|hSq?Eq7$owuPFgFI`v&yw`HdUvI zXWLv?X&Z0H9bE==`RNaNh&k-#)w_9$tx5)2hl!ZRzPOw8<)m+Dne5XFcg0Q}>-kzs ze$Wm>#iMv&sb0-b48~$e#gD>}Uvitafs*}xvWOYl$4(q*ea1(Ge5R-He?%BvPUE3X zRx$+PS3@f_EYXo7i(+U*n$J~h?6zqG;YSIp2^GK{58~yg<7QOl^nvV9zqYA^`xg?! zQfVuLTMfaHL@SOxWSn$tme)p9$jI?rF`IGuqtru-)EP-%d?|-xfFPxFNQN<#(Q=PD zYWaLB0Pu6`cDg3f9KEh5su_ARD%8IB8hqASt2lXkC{F)6RA{UIN7gbskE>G?Drh2p zxe;J;Z5NS$%$mwGB)0Da$kCD3btnAW8*`EfSRF5?WBS>>k#FRPkRW<)RITL->$U@Z zCoKZX-M?aqX*23BLNhlA>^!KDT(7Ww3q%koX!W2TK33g`B#gZDfU;zvDdRZ~Wuw@A z%BWChq$x7TxPI?-EGs#ySLF#k#9Sw9j@YY;0Wo|_!jyweSFPi7 z-R^COSF$Ws3g}pDiR&@hl$fQHyM=H!i5L>G6t2w>CRWz5e0ju49{XBm5)-5J)E7#e ztkQxuR@p5@Lp@H0@63MKvR%$OvAwOCbT#WDu_3jXm)!;ZU=i+W!^lf>fvY{1ou&=u!Ed0%{ia-e8-zE7J@jM|djC&x?|(h|HDdoMOGLGB)2ADezmKX) zKgFq|WnH=%KGIK|?oqdhJATuri#C7suMnSJTSy;Ki}I*OF=m~+CD`Pe$Ls?<;@_9- z`&nsgoN&kKhZ^8sa>l*i!&Y4;kzHPSNhDE|GaXLFa`jezuwVYPyjgi=hwN3snB zi3ry{W%Ic$+k476meyWi_{rFSq{OwL(Ra{uCC(n_VgoBIE?8R-bk>bTzZerMHW8JNW#jXgi%=$`b^;ju6_Ny2Z6yT-OgaBgDp7G~M*`_)kJCGS_Ah@b#O`w{u}ftLJx_><#lwjbF~QT;cpv&FqtL zopN&3{V!pqJV{4v032h;QY2!CtrfQub&PrfmE#%LZ`|l?b<=#WiEBsgi}tR-2ZQNj zQ1(9QjCUdip1*&I|DDiu<|?68XA0EebDJ|&c-$VqZ{0E4Z2V4$$j|&P!}#ugdB?`+*;2R8RTNh=-|5R7w0iwSu?*lvHFu!wIM2BpWt6 zMZh$J5*-;bD+-pI?fOJ44nk135~W&99r(>r+Pc+4a?&TRXr4E@e*5_(Lbg~ADDOVz zU4F8x03dX@yi@g|irT|d&@#^LGBYF^1hC58{=qqT{ukHF$8Otwo{lv0h8nGSvl488 z`4Hqj}$iAd8dqPKO@@w_!Lv%h) zn)?mh-Tmnk5R$7`F+_e{c%Il@4F|ah$`TW;D^CBa=g^psj;O6&6u#!>w>yVKZ^I)FXJ)1s9@&dKPb=1>3|Z^_i|N}l6|ZOvj#zW zYadKJ@fi(sNH;Q+<4Xb)dfrjbEa3}68)oa|$Wq5U9lCj=jPgs$wTKe1R{2-ck&RhP z|5dYCCjFE7==O8Q;l2OGQrA%V-3{Xfe@s7-X1~WjxXs!%ah=Yp&5?;}OJ`&+@7loW z^OVK!wpv*{`;sMFTA)BbaKK<&*En0%khfdtOit|7#jO9^a!PDYW0r@X6$h{6`>{*N z?ERtj-f1$&HVb#=yCqYf7kjlN(cOhw5E@48J*Q;A-UC9>Ym!B1?)}L-@_O$}5WKL1 zhFV}}*t%t{-gvAb{Ss)^5I0vyB)}#u zs;wVC4VB$gSc*5GHm>8m`CmCeZgRi-l&>%7IMGo>F!nr{ehf6_^Rrdm5Asw}z=1`i z*sw<|O2jpkM5ia^ZVB4}D3_l<{Uf)anSBWyo*R*SwfKEDRJpR9)0Ptz{c`Bz|js%hI%V;S2t z+8U6vAS2^ntMm=a@9r>F7}Z}PbQE1b7wnn-8~$NvW2rR5&6e+CUoL6ox`oH8Z@_ow zj4!q#xzu2SIcN$m9kyYCVbhX$Jn9xG?=~)_ZP+GnNy1i_h5kZnir!Q#vz{vmx@JlH z{mQ;0!z8Zu$^jkxeEvl?8$ZKoFfZfZ`Ea_ces7;Q$FF^y8t}kk86JR#;7of!vL}Z~ z>xfrje$0uwOza#NP?dOs|ym)b+P3hfMn?1@T;(@Pg!}KFfy_n|O zYL|puR?R{zsQDQOn)6YC5T%&#O?UUHq`s2bmNzcv@KUm7vF!5x-TLd6&rDcgIkL~h zJYt-@$*u+LprZ70CHeP;lz46$7CeH)>#S@SI-*Zfne6=G5_!g<;chX_J9kri}Y7?~OW1TW2w1C&fcbN^zO=a+McAyxL< znSC^&p*%e7#2sC)DE?x=bk3PX_}4zf52%trLlS8Qu=>T;-lQ)o+f-@{CrV^p*-r-K zIE@eF)tD!Gr#&c9wSQPKCGV;Xh_KhSBe%cA3usdry(vqxU|SH9XnN%`+B;L;SZ^@F zP1|85{mtxBfmHYQVb=50K+c;MVuvD~#A=mB!~o&qx>_$!UbNfaV8z$lyG(#hl7IIe zku{x^ARv1}EmM%kBmh3+lQz)jUBU^?@iC>bhH7rOx!nkD&RH{AZmdEg{WTwfz9Em+ ze_640LY&ozbQ4;&F37r7b3h)xKHUJKR9X%=E0Xho#oAJE9M#(VOmD+K!0l-33xB%d z_;{W6My1q&RpHKvQktJwf_0;6w3XO{2$!WQy|4?mZ-t9C(;sY?G}y8arJrUJ55*7t zeWbkt$N?UWF?nP29|F@O09kgutJF$pi`*pA0+Cfj9zgmj>f8J21}ml1dH$$g>1pPCrH^u>Ei;F70}T3{~Ij zX}N?f&)Bjq!yfN!m+>`^>dRhwcl!1PKL3Kx4iaffCQ*4~k9tKh{pXp~ehEfHhM!S( zYnUu?%C&$n<1OP08*~cr4iiE(PIy_PB%6VV&lE627kb`5e zg%13{-2K$Z=VGk3LsPfrn}y1UA8pCGnsNm~r65KRJE=JZzz zlOyTav6T#4bbaWCZO1)`LR;Sv>e zyb93-cr%b;;OFA_8Ubm`CWu7moRR3!QDYLzM_0t&{9xc0nRo%74ZjI0Qt7gizsOZ1 zG(CQ6hTQ1p_}cAzO~5QyW}UYtuaW&QE)W|#z4<@9YV45XE4k zxPZ>i+b2g-r$hS7-(z#K)k>^Ib~1R$i`r@Mwu2|^?LX8Vs?^L0AX2rjhh7-d$I1jd^_2-&TTWwSK;1rslv1s>C zMcbJMS} z>h8jmJ8L6X;udNl&*5ZbxkRI$%lh>N&PZ<8;|tKyQSf@KR3OihxlR=id@2lfaM-Z5 zmDCB%q%hao^AxszFNy9jpdBu;zA1iPefF_|Fg{n66p+Z6xJb6`wa3%xhCvhh*OZkB zAoFRdsq*z`zIZCsnR8@Z(2o}~Rp8?QM$|m8!-|X{(WwHrNy?(6nalZ#tkVhSgaGju z&QujP-CMAEt)6+xH~tQHa#JErHu|}DNYFt^-*Wf%Uc{puH$j=V|?^=Ck=t3+VVy{7ULw|)!8Y;E}kni~5Rwt7y2r+~5c8ymBa6xyQvY-cB zz#A>IMku5XF{LARpFklY7%4^Kxkq&c0p}>cYipASIzn_K%XE$}R61Vmxwft1%_PM9mVeU5&ib zmkQ9~q$|>Nv_jYR!|@51YW&)M504+33Ja#K@f!#)4IJ@#WC?v;0f1_?44^IWy9Pv$ z-t~&3>C&32%{A9D8JZW-dIG!|FR>`vBrsya$pU| zatNY8fRgmBxi^76$t>AVI?EY9{lypc#JoWck?8jViY9&B4&Oa< zXmA$E+6a#e?zHpA8%EaRpTjyW0Zs(d6tNiuT#QqX{&MhmFI+F3itH42TQ1f#Ry)7f zhyf=tFGMj@G$z+t`hzFTs=w_KkQk;-@l6I)#C_n0KipQO@5fJG)=d1<_;K?r*K0gf z=t~d{G&O4I)9j}2H-j-IZ)E#6#ResV0U175OU57RxP6)}<9Ca#wpgUIzY28(;nL+_ z{^X*wn@>o%G^FUk{s7(Wyzu&|?ZC1|4-^R*Mng>c%E~i-d<7R;rxH6DL6T8%q-wDwX+V4DS! z0N<5)^qZcRYW_K$5Mf=Vz)gul(9N%;f-j9&|3xJj;#!#2TsFMDK!JmPF3dFR{riGC z?0sTn?)N_!(LjRcWMhA}cPFI{a(dW$%M4K(#>cpNyXUja{X3j5wJYtWPz!P)b!rv; zFy?4k#PliuH4inc`<30nWasv|jzpIQ+=0E?{mKrVyhX8A?gPUYDcA*2MD6t@V*!_ zTWWLJ2ZCg`8RC!_iRs%!&2{!>kZ~tgDB0_ z#{oW!j@=P^-D{^oe*u^#ZWrFuNX$58p4@}(8giV$VYz;iLy6%O)=XT$LXDH|0Xm_s~Ma`m=r;M-gaVMV_M^xDdg``@!L8Pe8 z?HXOtZkknr#*5@5Bb;bWGI8KS$t=EBN~-av93wt1hP~6K%HT?HGv+D$vqYca^^?^^ zqQI6#9HVq?>_{4zH=Qfa!ZJ%5u`x3i|8e$}5Qh`Ne4FDF3R;8bC{-8(B#;x@@g|JZ z=%fzCQAv0dKm~vFrPd1ToFIjP1}fLI{a$=J5!xWDbqmQo49`NvE`UihmtV))2122n zYdVfaNs{?U(19cWj~UlL%_^8cj7r&^y0BLQ4Mb$O775JKrs9@GIDrnPGznvt2r;6n zdzYY0gg;x5=oON?wK^ERB+G&bTnk)u$iOmd)sNmI0E&Ex40JSgSn}*!wnD3=Y;4DC zNH!GVNWk~iTP=C_Ab6jO67Tl!XzF_X{$pSWSdOFh?IFw!?AP1mD&H8`m3nf!z6obmpV?nvaQdD*ur@VnyS(tAvh3OC2I9*6-GQe?J%U(zJGJiGT&&X?qX z$6<#{(=Kk_S`@`jLX`_lyIpWY)}g9CR1#n`QiMv;N%ixFLuFW94wYbWMIM6FYT>E;^FY- zA}Hw?7@vsjlhYUUnqD-Ob5>P@s7EG1Dw*r@<3LTGG;np82&0@>yZ1w9PuoFFvP*6L zUMKodL-a0+{@_(RKLt1j8FuwrEgqC$|30>o>&fy4FF(v^a(Iy-hHgqtj#BPD=S0fG z$3MACAL(D{w@U55*seNjVp9Cg_zsEtw#+9vGgqAw5k#-?BH;+o8S+14k0oThQ;)$n zZH{~p=mmQAMCQNj{LVWwCOn#=q?=UFJRTc#$FM1V1N5qS8cpM1(^lmnfSu zZ`h)g$CxV+{&WVR(Oi!II9M^@#A@?X#(0MElQsV4Vj1&FA1a&p5Ou`DwLe5^D-n8f zKO_bMLXFwy4WJ!GK%W>ulFGZMArUiQiseU=H(SW~_t;*vsyIw#oJ$KgUKV9#a<7ueE-l8BMRO`jjbED$$*97bw27a;&N36(q~{##%v`80dQh|;)qtq& z^XRDcxG+3QxOeoZmc52}Dur^*4fJN$Sl0J@|41a{cd3*`w+WbExV^HxicItvWIoT& zcJ4ffZ}Ja&=#|(3=h|$WDQ`Ut-5u@|Byq?Bg z$~PN&uRV{Z(FqnePLiyGMk^+kjemxE6?dtsT5CI=1%*^jh% zS_^_BU2eSCxfe5mCCMba@G_#r?seU}NSpxOB$jE-Ll{2R%&#z+Baa&@T23eCdMBg+ zB>x;5IE!6ZPa;!JWavJ+cK2E8Xql&`Utp6WE>7k+iIo2*Az9Sa z{nkS5IZ-4H$olDalGGG1Nme^>xgJw}#Zl7|R=(ovZBrw-n559!dvpy}PuZ-ewWFDq? z{3BO#J7YOtC<{~9NGt#p&H_s2v-5>ezY=jJBL{k(YxSGnSQHzcafZD8c+D@$IL%!~ST5)D;)->I*EhQ>%@(*wI0s|>3wPpAc zg^py3l@UH`!8jiTDKqH`lV6HHBj3c&PzrHCrhGvZ8}vVG=08Fs^Q`N%^7nyjH?0{1 z12N;6ra=a;xEqqAnuMp@ZB^MJNcse!oqMfNx!i;9m3$~bL4>_;S&QsV%{_ONJ@XzY zyZ4->K`V+QDtfCcBEQ|uUco?V2>~Ijs*?DEqM?F-3ZbO3X+|Gv@nW*{$Me2dPqWkM ze0UxpSi^bvEDDGt4sh)SVJX4^BbagJYDF z_fdVcIluxW^T9a)gKCmjO zR_o+icqacI=}dD3DmY_FTd2kQjMfv(IgY(JH@qGfefT<1#R&}ZsnRp+D=np=J-dg4 zk2d+FtWQ8tREaF9b_jYdi`v>v3LqVqZum6IRC-B~o*5;@sE^it>NcSNU# z2V&b%2L}+f-&Ye~yie&wVNhEsqq=;4DB-aq@`XWlk=24Yg=It6PE(Vs3`&1UTFB4q zu{U*slTl!8Btm$as9{7;dKn!IC}$@#ZyD=0NV6iC8DO8-_Qoi??|J7r`yJ8B6c|eX z(IXQc%XW>`mjE@$2x?~FbC~OT?y*a3i~C}lHJEJ>t0+s;pZ`Dk0sa ziIazyCi;wJfOc>t6McA6V6YMe>sMIP&A(S;qu{UUB9tZd6*X#6&4+ZlF6h-miFj#n z$YOvEN)+5-!(-VZ2pO)U3O>vcE^9M>O4sL!@Fm#G={68_bbF5_^&)M5e9sfYd&F*| zF}rZeVBAhfJ}QkrV4>f_cwy=)Bq4kt&fifvo6aG> zfk|gf(%#-mjNvY6^jiE782BK*rGR<}YfXz%rTx)=a1Gaub_k7;=mSv??D;>|v^KAe zDbFrD%5yaW3#L7rZxX5e0WX*&7Lr^`g}~!&&MFYOxHjc;QalC=<+sUya$gm6VTWmY z4oMYnWAqe=0o-M*g#^@hWUJ(_H|4u-=3U71@gxJjgm~s1%yRj0@95I+@bane$IL$C zti5MXKQ6qc;JN08)Z;YTZ4dd0&lgW6oi_p}u!{Gy6avX)}U)GW0dfKDwM|h?z0TFw3N%$4AI)Dzy>B2~y3Qebd@S zy~mNTg{Y6J<21PwrY8%crAlZyAV%(ZaDOIqZWRlZciP=0^mT`eL)bbdss1l(--(M? zT0g+dl8H>YhIK*6;rYu@A>pFSPkVy?>sl6MRJ1UyT^!jqcS^A~bSEI+ZW zIT9;^!f+`SzCU>dGNuy0*f~ch(B#y(#^{T0|yVotLg#5;@+(0~5tNiLt89aOQ zgUK~7(ba&NqX!VVPz)OVWre$_Ls*t5k*NAzZWfXb{BX!gc`U5(6u1$oW4#oq5q}a&z|n z8F_d-8y9 zpQoXLzY<6K^5kw|uJoU8TAvG^pM4{7wfHSi9`DM> zt!I!S_4hB`;_KS>Qh_YtKl4K@HyGqIuH8>$cjM{>;bK)UMS;bT=-CFIII%z$bI!Y# zU?Bi8n;lCO68C4+pR`i^{PmwX?jM`8b`ym&lwhO?jrY4Gy>7o@HTd;m-8O_#&Z=*N zYe4AA5fp2f#l^FvU_A;EWo42uNnm(~yX(0p@BY%63^I*h=VyzRHmqAvO_vpB@{(9P z($Bf)sux?axSjgVMYAkSCrT}6fx4}d)lh@Bye_K^AL;sd(gjH<1muElQBt8t2Jn_~ z=OWBNaf9YOqp+qMe|Ktx>rU6*&`SvL^XvY$`4BDsz$Vg=Oabcnf_hBr>eZftdu%ZI z7+6FLtTlj`D0iQ}|ESI}lUCYj$VW0#3(<^?r*q{2HxT4GEK~$|-@&XGoWC$emH2@0 zS95B{rzQT;;3ciMQVhX-Z;a=Y-$WhXtFhUUa6-o;Ngezf^P|7Qe+1}W6iEtV2s&B9 zP(iA$BsUq=IRa1$L&ID?%YML-7>?fc`-3t?e@dHJYW6+Qw7k{JTZ%uH#-Qc)6Z~t0 zdrq5!u;ex|z^y|y)g-r9`pfu*%PM9+WeVyUoSbqnJ|f)rAo3X=KiIZ&egFQ95NbT% zuNr-eHUg7EpCT}0X=>pX)c^Tphgrodi}+64W&bW z7_|90DJ4+`5MppF*u70rJBddvnF4q41kq}?WS3;sk^}3N`tlM~lj~P{()Bw7#kQgy(-S~;h2gYpyOT22p za*(aFcwWVQk0aK@vX>$Zg#uR22efeXaU0aXzV`$pQ8zpEMH>@tY?#{XF55E{YES&R z7b>Q){OxDV>_-|6DoRpjpqbu*i9d!dp3@y&;}>6Bs`{ptLBvVp{{B6wmwNPuF&lb% zbXp%QB>KI*Bs}!%KjQTs ztpsd>S&F&uqwyC>T%MNfE695bVYlZs5X04sSQzz2PswFu8zT+BAV9dTme{GmtDGAa z7{LH}G7s_i;Lv6dobj}Pqss2)mTSzNAoDCj(h7-1>UZbRC~$^bUCnhWB5}EoPyPBI z5MPklZoC$uRy|UndWqhQ?zRMX-`=Iiv&0bR3vmN(M<~j`hZO3s+G6iC3;YKdcNOc3TT0yn+x%xB9DR$<%gLzcwfbCrR(}kLt(*5J&0$Am zQvZQ-?X7==IReIV7?eFd$2Q2y4m>+Oa`x>A!EU``fDnjo-%F3QAQ8~0<$O70`PbXHtqUQ;Vk)W$>F|Vy~~CSn;T>;40}tv zYan<4`jm#%*Xa}=>Prw;%`)ngEIs8)`Sap%~N!A%O?4#pAs zVTLJ)267o0j<;bhe8*(kS3&SVkn`<)?v%jd%*NYGN^D$d(-Q#5{z#RdE4)qRTzl?X z{{WDJ^I~Zz%~~>wki#myWtLjlIF-cg^##2~)ACC(i9KSQB+M0b#$Si|EO|L;Ub>|KJcl ziBnN@yoGh447y&$zaJ4jeHW|2ip#QTIb~2)AksoY3I+krb^-x zNQj%fAEc;Ks^|;rD3i;G`Kc#q=c;1uLXut_^9K>u_-eUsE3=%ONKApKIM&|!Zezh1 zu;h?jmZ^|y%oRQgg+jC(rgiFonI`cdMjxAgqy|G)LKGVqM(Kn4f+T4mw==VvaSRzH zW|A{qug!zlwc9rvG9{y|}azrc_L!tCzKz z3QBXnwBpN=oQ)2K$v&g1gi;}jjdz2t>BS3G_2<6DO<;!nh)ocQl#G@jpa_08b)^e& zIP}nAasCpNkx5A;-Kg=$hZK4AG|bHGW5==?{aFd*b7E`=4rDSKtO>_gk3!eOl`(LN9)-FuUi$<)M`LoD+p8sg~N> zjjej$o6Wy%=#4djg6b&}%yoTW&&Fv^XWonjmfwaJ z)DyKInr%+5bnk+ZaSB)j`VQzo6u!M&`v))&Vy3@+M~0!#?EjGO)^pIQha09BtIE-u z+L*~wr>P(wDl?8+S+inc?!rS-2c6=E+9sBCJHueab5BNZv@>3j&Sf#Q{BadMp05$J zE)-LEdMRsJ#0US;ma(`^qVB7>ah9Nr$fpy)(MPf!2(?dYAipz@u|!A|G8uWU#T==n z8x#RW#^~G4I18aBA?D%((6?Ne_U(4MC{N5x-g6(|x?xYgE=oQ!lN3GAq39GMVX3gT zJ(iyU40*NwOa$C}cJr)#q{)(YCnK=TS%jgCf*0l?6f$WKNsxv^-w|wv4ncRwKZKQf zP?l6Hj1+L~dhQ3Q#^t@o@%RLWNzs56Qv`%t+NL5G_j`@?8lO|BgGly(9-nd9la41E zjV`ACV4$bcEbK^B0Y;4dxjhoc=!XwgHyfc05FSW|ei@3@sLIpe34aZ_b~`#g@xcvd zZRi80nDD27o(L66L?uR(r6b)PYsL3Exi~G>K>PDOm^r|_>~-bApsvmQU`!r7(yD`J z^d<3Zd*)|&fs7h<`tRI#eKJe|oH2b~PpY?He_eHH8J;zM{DaV(*vMXd+|8h7?rXO(euPUY@=JJfah>E>mN@-J=sNKKQ6|P}jGs+;jakDAi zN$$O};MqSR0B0;9SIHlq7#HNNGU*Ou)34DLM>Tp= zN==iPE=j#9pi^ynQ~utusq%2E%Oi%q+3t`|&CQonL4fssZ`w0nftD_`3q?UB?^32% zLooPWhq55%r^+Fxngy*~()au@WIk}}X(8#-bcK07Sp0U> zoG-v)(5F88RQ>$jbr!F__D7J>W2nRNZ1#A$6O4giaaU=$FdT}rm0Ci4$qYz`PHo2Q z%N9N|sl*}(3YBWE?eewcY`4Ys+%wwTW*nM8WZ9TH@mUW|8dZz+m)DhD&~SkgNX-G< z%r#rRfvGsjS6}2@#x(d4rpMxD<^EgR&9b{~qLSao)p@rG;&yN!rbiyc2j}^JbiD~U zl>7TXu9Oy})sj$3wouk&OQen^LfJ|7W$Zgc8>vVON%mwbOWAitwy}&Yld&bnWSN=l z%NTz5(>bTp=X?GCuCD9k#52$Hyx;fsdcE%Zjnhu%U_?fvL_;$%f{@zugOUgdmdNZD zbw4ejq>w0+E#{TDg+*O4wt)^E00X|ct)t!PE7 zUEoDkHW-9}%&rVh_;5ZLFvjVZ2r~) zE`)TE-2pYX4G_Rc`0?HIX2X8?{hj?0OVc7p#$Xy$pGYgrpkRAj2)8EAMl*y#>sb*- z5KhFS_+iL>qy_jI0>cqkPi0PqLYU6sLYBjl5R`>))g5l%}VUPUAhRsQ3{!aNY zNU)NdBXR(F-5_B&wHcc{Raa59eS9SiB%B;dY11T_&w=nUaIAPArFepkN(JBYsB8&L6c05P4R&)3CTfY;?*NJ z+P_(Q)xTCEn%R7@)JsKoaQeb0AdQ_`BVT>XJvz>~Zua$VaQYZbaz~AQr%+MwYCX)l zYexP-PvGFuIWL%Mk6BJc)ZU9j@sP2sZXoAO18up}$G5Q!DiH71qEuv2qHI<}^RLlH%T797}wSp2zK~vg?or{Q8 zxqWU!gUiMF)C%}xR48WQo9r@_FrThze4x9rGT6mY@g!}}{a%XFkNL7>t;^n##9A(g z7o#|4y1SAa{g*4`aaqbv)=&=CsZA(CsWQjYAfvsgy-(=mm&rJUS-DIcK__ zz1*8WNVLVV_LIdT}4HAQS4$N#E(Nq(&)zHwo z+Sq%3V(n^L@avg0^y9NC*s4k2vtD8&60fUqCIk5Nw8GZjb8jDah&rrb>z~ceKe$_? zNS%5Yk~P`Ho!rEpduS`&w;iJ{|GHlL#f2qI_aQM2pANLRt8(@!v3#A4RtuP_@zKReIrBiavAa~K2GE=uz@RgKa zzwN>BqaK1Ybwd?Whk}RbZ&wXv5k3pXm8SGA5MMEG@le+ckHyPK3!|q^Pn_9{A4~is zmShMcA{q!bm=c}s>He>)$-`^y{S#9{-kSP(1AC+GIwdq(W9Ebp2{YyU-)j(0`LOhT zPCV{~Lc^FmTZDf`-o~v_d8?vu;)5n)Ajy@)E*m_zaElsnGy%Iyn^DSce3vLC!9?`m7)pvVV7)fZJ0UVf8a9vz>TR%(lt!Je$LN|m-*veHwg*OCFXiq ze%GSqqRgKso@&ruCCivOmZ0=YsD)XG#E$hv+ZlQ6&PNxyH**ggX3;9!1)osKks_SY z)I7(Y>v}Ze5#JEw%BhDe+P|LKz@X-bySyV&UmN@Rd{QZ=g-KfAaKPa|s=S~R{E=5{ ztUPLR8rVpW9MmTc?ch7X$1ab?@i<<+`n1AZUQH~xyI^qv18>B}-#>H^?Rs0YmNL4f z)S`02Y5oQ2=Je!ZSx9aDv097rM*X4V-@`OOK={tNXre8=3(uJX(J|)~ z`-x}N#N-YOkc?l7_$@OD{pqJKy&2;!y0WT&71MM#np?zPlIBS= zL(=hJUr(xbaGzOh7{5`Xa9o%_W%EU>!OOLXni@qThbI~%I96#x6O9)^sUd1M9pFwL{fLA=dajYg^EF2s|%ywaiY{7~KQGA2)AwsKsm~dI?ayCD!z<^Kf=I!i_ z7Hli?l*zp-NgJOjR_fd$FJ7TI2_JXJrKbj$ik?@k?Bo}bYUt%81fw^r)%ykfE^vB0 zdAXNTSX<0^qbSv|<}90U`8@0EW3MgNpC`voOKrP6-d)zokmo>Yzg^Jyd1a6v96_)1 zfPi=9$g{AuA;keMO*Lh9yt`$Pd6&BVU#0CQ??*|pWQpKUCl>V{OtzH09Z?Kz6v!vh~O4x7o#n@b`vZmZ5fd?Bvow zB_(BKF@Q1t@a~SHTOsSbn_Z`jwHbwwH7u zhe+xe3fbiw`>#u-JG!%IM5WzCXUdy~Z=6D5H16L7QNXKnvd*Na2Yn&2Fz(~(dk36T zZ!bAIUD$kyeaW(Pxy4F5TF^)(o02?!&!xNz_Geu;2szKHu$s{1|Aj+sTrof6 zvG!6Kc_K!s>g4M7LYPT8cOS&KEKIR-dkr|xwRL;wZR%{OpW$^Wn`W$c=-1QaN+WTG+!1Ko z_GtYF^is{W^d$elFI{c@D_wr0&s}jk^1a~+Frw9)vg}1;_8w{#*<(d0Y2%&G!GLn| zOesQ?q2<(ZqSmq@@pdh@E(R~w1R1Wt#Kw}CtJ-JgSlE9Cax$*{%YWI6DH#KSBI&p0!6C=ZKEv0HmI@~esF>6$>HG%Fu|ebGLGShef^<`v-G!B zRl}Go`|@Sp_Xh-|zqhX`*!ju8?^*apQoxVkdGr%Fz2dOJwfK@f0w3+azITf8(3?Ml ztaQOtIF`oh^4z)b(>;lm?8w_eXoGWXsR*MDB&sm7M)cs0>3Pjt}-mVTKuL9EN7mpn3+GHN+UkxRf6$1Q^vE97V zt?26H=&Rn6rb5)J`)w#YH9fl7hw#t+8P)kjq%OK>aU(ve8-6oEp7!7fE$iYkZ^bkJ zQCf$9kdW^F1K(qOP{Rdg{>Mh<_#W-Z6=Bqv5OT_$nqs*;-^JSUO5CXNam~f=-}9bl zOjs3c)-#w{G#ckBTHLbg1Lv4uMfU;n4RKd&46H8>Uogh6Ej%(WDk3bk*!>wXe#)MU zqLFc*@A<{ewKCyeuCA~9uVxY6xM<<)o|P-sT4`%&xuZ8pHH~$+in1KR=VneEgHaNd zE+@XecoCy+IqUmL3e4t&98obnzXsm&>PiomiHgy)kL(JlPfpdJ5Z#?7=dU{T7Je* zMvj5|c`AbHwF0~^Nxq-at6t1x^*PLu9H7qe>u=Y>F8tWt6=~j|{3z5%% zVbM%K~M@vbi!FLP=2K+?^FH9cMZ>Dze62mLGOLT5gOspUTsb{z577IeBR9x?oS zOxy5f;4Kx1A>h!k)Xy`;XIkyIV5+vKXI!`=zf02V!gzPx(PgKvK!R;UL*||}lMJbG z#uW33y;&opI|X2_dWg2e-H0j<@A^e`Be}=4eU=}7kQob)sgM4gw98fRPnMY&Vh_2i ztJo9la~{?8*otI2^`I6v#gE%8#KCm*r1Av6K+ZH7HOo83wrjF=H@igM98n)+vplC@ zUSZu?CsOSCxKheLXVR*e)WbkvpUn*R#oyp2#nW5mUaw_EIZ)&z>JFK*?Ewo=ey0&g zi9E8;ZtZKt!UN1Ko2co!x!Lb*?3VDCx3NjFQ@H~$bvhmv4BW=ha^@9CC98Bl)J?bA zGdx<_?hbEyuDb8Wc7X@s;Okdnmu6hB{Ny{|2&YoRk&h=yOw;xs*^V&DJE| z&6O$PbPLs*$~@!gKK&Kbs8N^IXAR;mGxq5leI-5)D5vFfwn?Jsw%*oi`Rarg+$$l{ zquGRH&b(NolP5p7LRyV@YeJ=)1)AXO>;1*JUW&W#rTv3qW9DhE-Dn_ezNQoQz1|!xL~rW9b^v z{$Frsy?EsAqSVM{1)j^)isDi5xKnHR>O{P32Th)1jP57xw>^Y2T&z2Xev7W`b_1qQC zlUdAdvvyZ=q!*k8I3(6shl)LFIIycHJ7!BCKZj~mTmZWP&VJcxy+UI5V(;z+ihOR3 zqBnP`aoP^Ak=5OGjJ7GAgrl9*lGNGvb27KDejEfVuATDq9sM5ro7x9~-WJ|dtZ`k|-QUWgbu2joU}F?Om3)n3N_Xz=r2 z9y}C5W-^30l$~cRTrB4s&z*L$&=!+Vsl`nzT&FhLA^};k>FaqTz@f&RoV-5CC5;ma z7?ox0&owiTdkws<&izMgEs7hb5BEU6>c3vVr~4*8Q9fn>$V%b`SZ$92epZwa-%u>M7rO+P?de=xQByzdnHjcdHD&1 zi}vc%ov~2NnZGmTo0f6z3$1X#Iyo3krbM~J80!B{PPQacINu?!?}fs}lB$i2{pMH8 zT~xl(M+ZxhO199_>_fIjLoS)UKE{x5!Mf)VKnz=WIA==pxRmx)-4e7zx;g zGvUdU`_t!F{W{Ovt6V86N|jY!ZA&t*-&k3sEi(*G+>UtER|2!moLc^}vbJn79pZdn z6L|bvx<95oT!h#$aKG*K`H&8|-chm9-7mWt>_Z)s0NSu_>R4tPiI$FzT>SY$EyRJ| zb3M+rI8_0h)jK!eM;fpI5Q&iF%0)SLNh<*c)p?9WRMHz?o_Zji(%5Fgsc`1NS1D1! zvy8P+3g}@{gKMaq?EdA9edu@0FAs2hoi8bzf0Xh#^+yUy}#k zKn3(QAb>zg-i)2*yO8EmW}e3*tJ}yI`NFb3PpW!2#de@kS&rBry8T&f{P9es4gC&Z zuZQ8y&HLOvtg6-uo}C{U4^D_`?_!1*lVSdtY{j&p-U&scMJvn52ijX|^gedtO znAVFYc_Wvv96k;e3V=BpaL>;XcqwVv9QnbBBm4NrT)8rH{AZWtpFeMG&MPem&&@Qb zs6=%`aO0FX)77;l_uVRu5j)j)aCJ)9NwbK2xJi||5o{EQeQ9Q4<0FskWFO1h2Rnjv zt|V@J{<+-@iUa~+L_fR}<4VM?S1(j0C{TUD-^XIHP|IC<{3|a(BAtimhPgo+_7xat zAtR%yRm-YJ+shyJ9CB-{`s*&v?@46YUgsEu7o#VfvmJkO?W7+5By)ly`^! zbBXSl*-=-Xb4_i9+F~BnZ?4I?tS1^IqM8Az;$4e1+M}wk|K`-GxZ{Nzgw&MBU>D23 zoA>BMP0D3`g^n@VZgf#&Uc)Bl7Bhp9iJm!M90Nw)vWLn|AZfw61y7aqTYD1%jLgav zPbdrB-nn?>fD3F~#btMv<4iFC-uZj9%-@|eqCb>#D?#U6@LUl@a28()Q-DZx!6(TE zy)i1m&HOyuBwHUDcJn3v26b)PweHWMuA9@{j8R)d1RqG9G)ADt1WDWTVsuBEA5piW zO1oZV+$a+490O;;u}>zblUkQW1GM0NPDp~)$uq|k?ZqM^9zJCHA-8hA<5*{4;|TU4 zlvJ_~ZMP^Q%WLwvJ)R@{FUPQG`5jid_vdRCrKH=Fe2)@2n+-XC$a6;cu#BH2%5JmD zlX;74lVUDn86sW_X^hO2{z}>$7qWn2^ll%^#?t+zBj}+4I1GsA-(f_sRHa(9^!+I( zcyE?2o6T(Gs0;OP=N-JWjVu7n&ZdtB;DCs)t(05$ zDOVb))o$C?!qhr6t*ssRCk`9J7j z{OR9_XnJ}^v!3>;pKI3>9(Uy3QWQJ4_9~@l;D>RX&B3bEd+YOP?mE-+3oN6q@#lX3Z z#B{exGaR;ESj3I^(a`W40M&gHvM6&qW9?dOVkmAP9;|qES8O)C?`~Z^*jN#h0Trl{ zV=|%%mPSz3T?U*$a-C=?`?WKRvF$DVn0Uw;htA;*Nk~QsYe^1DY$c_vw!r?PJ}fTm zv9Do@UedbpDao$S^=nQvB-E=t_-mFSCe~Sz6{BlzGRK?|696-uo6mRzSRP=Cq9JnK zrxvL!LR-8Mpk;A}5i()6yG#8nN?sv4BXcr_dC^2F!DaAkm*Vp1xjz(?wm~UJ5J>4F);ndtgohirGqcO^C2e<~^ z_G{nP1V?zH&(S-k6gT5W8>F~hhVm-U!`Sg*(>F0xmgaod3uW?$&PTtjE&`H+CpaMk zLE1?V!5d?RebP22@RPb^-?Ljcf>6y5;(p${VOW}R0iLcEQtX1F9R1ZHz+oHudgKI1 z>`VyO8a(Xf?@f60EIIZawVL|+p$@f6%JFnU{&^AK+hJY)uek!zX!Mpo$~U8ic z_3IximfoFwW_JwdLx4;B+IQULV9H38pv74gdA_GgG2Zi;3B8#UXDJ!A-6^TuZS=Lv zz=}!Js(fB?u7W_aQZyh)6)0QEfH0rD*qLMILYUael1YQaO z&!;zy1T7v|ZK&Uf?7~KU+SBvzW<%`1?1*XEO8O}g;TXV2=YU{hMs(6TdsF@ylyfvk z`nv1$h@2xWRSE`kjJBXvR)A)Ib^{hjEOmLUXIh>i;OGF4SwBFkktC!am` z#fl5U|9+=phTh@SM(3}{ZmhT!`3nUaYkYhi1CFFwe@M;BaY5VlItH)vh$JPa`NhOg z(gL|T1PD>P{&-|mT3f_8#dI1LNw*rLgS2ALVe+yPjH|fQ?n03`RB^!aLvsP&qZm(8 zN&g*IhH(w&oB*XSy<|x));HC@#bce&puG%8h+@xrn{KBDcv!BQ2W9CfchNZj{q~By(n}5L3E`4S;s1t{zpmX~Q)Fk92k+wnW5xaYxW&Dbirvi&y)j8wA8e#q=;x z3W<9syT9=r#}fnLu`(Vz zp`3h&e4$FePgqs#MF(#LbxsBR*x*p_pBXuVC!(B80?R7@^m2e>3-AA(*VG9?jQeby zizyk&HyvAK2j?PRKJIU00@+BY1drrkEijQr72j=eAyUPab!hw+P9IWKj7Mqv#3GLs zC3`@uwN;oY#CK_CWJfW{N-|X)kj5%=M!3#;-uEw0iumCA`$o61(^aQ6aYH?=9Sgj!4e@)r#%e}@?wu`T~g^z z9!4_r?%trbYobtrOWZ(C!NGWQMxziEJUZ<)Zwy^3I6(yX$DOA~o~5wJv|qY(WnVp- zk&#;m6Qyu<;sY6S4xBma@n^67DB(xaMc&wO}RJ zV&#P21?jK996kH*WK6ofK78{Jf3XFEr;@}(_^*`TxjwU`2+8I%*xnw?)!QpNQw)Tz zU%uCH(=f!2$OdOTeq0=xeVz$9$QI6hGNx<-@2jdV?2+PjryX~J9bi0wx0!qxYc~29 zfFDAeKcNK~iht%QrHH8ahS4A42q?gx5i8!G1xPI4{lih0ExUpyOZvTtoToe=*$EQf zYMI!06PzmCcwj$(_3+NKMhgvSOdJY4;z=$VJxNxUgSfHZ@O%4#C@ikn7d}m)WI5Z; zLZ{9gkbN8DrRXOM=`sjsS?7*yNO(KlLrs4t1e17CUIe|Gp4tE`L5P6h`#)NUZxBF2 z%5C^S#~DI&VvGYj`TL9*>Sfz&{^aK`4rH2+9__dl2W;!rsmNkubQs?6Ii!F%yQHlN zMXARiwApk$$NmLQqoCH)^i;r{EMF(aWW`i%O*P#VUYL}aua{5x+NU4pc*AO~Nnw7X zd>->Xj>{pkHd|11CovRJLKNdo-W{yxG=>xXU*Q-p;UVgQhTH;`M z@6hB3sZ9Nca|c0$;Ef#v{5(&#%Y|~FvKpp8qs=`-m67Pv6oI6;a0*MfX79ZL?*V7= zOzWp`@%+l`9p#3cGwe>qhdUbRt22or0x=5S)RLqG0LW7AycLc z%Gvd{)0zF;9~K(}GDEOcJb3~@!kl|-@E$S#z+b2Xvt(xftOu~|urUc>q55*ObtZP( z(Zv^P<2w?ha%3O~a&MB3W<1WzeSm_ZJ)i2oj&guwuwAUn!mhk<0Mc0%d@LclyrnxCW>xpg&G4 za;UGDKnBz%T6NI)%<*N>zcjSY$miwfyXxRwfK-qvasK&rk1yQkDU$-jU6*!d0H$Nh z#@dW5Z>`L3ZP*9tuY=;?T4M(GEq7NXm`X<=5Cj*?0<7Fb{cIwj>iq?;ysLTcGejpu z_vAMOnV}!kkt_j=lTg&j_a!Dsstuz9<1N2xBjy|M$hJK?GCy~=pT7p5d&sF+9iBm% zqY$!4e|P`50k7Q;cjEKNjxqqiZd4ZJRh(h`NPS=F>N<~iz5Ub9GjHqeQPliY+3KqyvEq37_b(ZVYAnf#=YkrKx1!CRm?S{ggsq#^08Dtk6niMymJ~B*%qED zD#Wv>q&V;hG1c$4>g?|&y+u*ISNU(&{4E+-kjh~^FH{*G-}3LjSxQ{?+T1G(n7IeJ z$_&s}X)fLUfEt2PR$!o**kc@D?0r#9jlncliPVOT7v)e&7RawHS8;UoJ-kGKC}Xhk zp+w?+YQVHl|EA?#xCxEFcd8lbaYO`D7W976#@^-2lQ|C^5`1SKVD2*$r2RNq9>uPY zJkmH}qU^$!3*I!<8pdEa`A?;O=`7VA-~f+-UJHhU`lsD5y!F__%L{n0VoC*AY5G!R zd)|hVBL3zI%hLS32cHaaPkqQZMYPk2oc|AYh@%b&_BqBp^KWq05;FCosB^Bmq2U=+2uC5CS7KTta2rkw^L zY_xzgtiS@MXF7RTf@H@`e+w#BLJfy+{B937hU2vHwWkICtv>16fNb&s-fXi8#L6=e z+UfJxDxDT2TiZN=Qy5`VI89z~SG@4oZPn*sg9b?8*S`Mb60kehRS7H@STD3 z<8NkLLtp<}h{3kBYJAO4uPd;n`xpCI9U$+5I@I1TGBE)c(DuWm>hailvcpr#hT7VE zQnd#NDY@zQ&6CSDR!yvq(yTv^)b4|~Kmb*o^)i*`9%+@kt=5T_N;54)%XiLu2ft9l z;Z|juMvu26q&jzUDKN7TXik3m>tCPr_kWr0Y!X8@;1B;`By`ueS5}V1c4xjQ!yKx$ zIOa z3NkXl?e1#^1_1*yUKjd^msi~RYw@_Y?hjo&_Fiv~J`zog2Z@CEa+u7Q$5i4yG;+y%pRQbvzzbEY?hWifbhp#uCo>m0kJY6}iXuyYPa4IK2~cV<2V)!LuM7 za`yl=1_^l}mBWqskb_4SJ%Jz{Rs26G4aoM6{ySC;xje&Pma{?WN4U_D0LPskEQNvt zqvY}g@*7+UsDPQ51^@RZ=;%}$S?d0o^ZDzaRusb@K8yz5HwFb1GzO$$6=+cA@lkGH zLil(m6NqA(C;t4*U%%$|;J@4o{>L}!YqyEJh!g_>V@j@}@Ir7kn12Q=;=;m$Is~1e z5BYhgz`OGeX8zxMV&eD>5W_!xJo@0h;W*@D1yBt@rs7?j|4!+KpXtR_aiE{?SFZl? z>!xRbJ4A4-cSkrlT72hS;M;xs%$FoT138wSpO3x9y-!AdQ0qdtx0jEgO`4O7ZL$t% zpxA+i=oEXU5tqH`a`gKdhbUf}USdRc~%8jxlX`TUp3a(96)P^UKkANOYY1cEx; zn|C$G&y@!~c_R%CX8cxaBXuT6{*7PA+e`s#Jprp3{p|$5wpci#k*|yV-R=S3?K}?t zK3sJNDc1?U`~7u03v>mi<#)mVV8{Hf@_zsG-+ytt_#UtmfNH|SoBzJk2De(^-as`v zCDhbl#zxM#e+^I*C_@DX=H@+YTxO5&hsXvj@2Jc7Ln6n8FR7|RG_V0p2jH$@dzbwk zv(}mnEJEP`hFcWb-ze<=`CQX|S3=gavuObKD})K7d5{+m*?@s8#IaC5Pg4S9we>@v zg;_`Se@=M3%!CNaMTV1JYKXyme{1^w&o$4V4qBhI8+EBWbPSZ_bwl?kkrE{0FaGLQ z>)}6*_s?I<+sRX$z~p-%ZzrO?AfF6!-Ma>m%jwg9IGR6yo{nzssgfk~$?53>`<}vG z?l850_XA>@X!tNy)$zs^&O6sjp93GDP+jc-?$Q*PDI0{R0iZhu%*UQo>o%*g?`g^x z6ku6omw3n_S|L4-o!a9Oe^K@3uf5#8@Bsh{hV@lj*!OVGuZ21k+zB% zRO05Lf)6fX^J@>nk0`kt11`wfy?n2v8lV)9FW0WB z9D?3yZEjQ`VySmnBx$J%BtNT*V_9RWZ*Io8(-L4LY-{W()_qUG1!fN~g(1+Jyy!m~ z2lKn!FY^41WNUytf2VC8;&~q`vjxLtKy7KeKYZ0IwE*p8pmTmWqS|j;i@m?Tr|F09 z**E_sYtz9NkcF+UZ3Hq?>#9SBL_j$WC2$ye1a2F|rOYA32e5R=1Eld3v%_JFEJ%L> zoU25`HyGy@Oy`Q^m29WtIr`zlCV5=Z{BuKJ=OibPrUnGe3T#}J6S2SzRExDo@VhQ6 z*N1SwNUR(&P~-;UIjjmZ*4=kYX$UCw{DOF_1f5*FOa?yNzW*~+K7I}`S5E!F)<~wRwDh==sMC{E( z<%RX=oo$(0aV2h3&}5%uKg4is!%N`j2IYzn(t|0TBTkL6(jn zt4w$IBlr)1b8*2V^@vX2hzM}7E}-&|O9wES@7)JT&l_kQh*Pk;ogGjNJsZ#JzOS0s zhl5>0q;;2ck0sRG^^3qnhlAl-_V<|0=Hs&^eMv5?gnP!Ohz{ zDzg4m;1RN&c!p>y0RoD1EQPyA&`d-eEVV6bz}7QzQD@=OKMJb}5rIYgo~M+FRd{I3 zq8Fz1no2lAvz^%w1Dx@C zpbu5J%H(JWP<8YRk)BXd0GEN=6NYG5VFeFP0MbKqN0lTGY9HWnZ6-Qzov|I5g|B3T zji0Y9Xvo^i-Us1Ml((2z{!b$d(0uwa+x?{(j{719Z9oV(RanjWu9SnJ?@fBf<(w~X z2SU6FYsxHDS=mE;@I1^-7a`$*Vr&YJM-?KukskWnc$E)6c;^D1`2~`NqGWshR3S!l zGVt2~k^+WqY0&|)c$~K@EK`$4Y#FA*$wq&fVvxJhA%-I(IO$VaqzNg&yl{Cl(ZG_FQZ$&}pMl`f- zK>GA3Jp3Q3dBDl1?1D(bF?B>L2I;SQBG@$$F?#*i|8a3K=vXl$Bv=`he7E5{H5Qjn zKy)6EomG_#^)mpXbyi#9!+DTA8g%4>kK`MF4KAonBv`c{d%&(15j#RoV8-4E+e-bT zD!d0or2>weX*!U=l0SLpE^=Q`YGI`9ZbVXRAl0`v?Y561^@aJv&O!Ja4yh^rykKWo z8Tt@~H!}vs4)1=ck^uM!50~tv_?Xp$W#!R8>x?Oy5mcnMaYC5_NVh==0y=mSkI$v>aknz29a@;-B}3Bi>!U20v{71ujym|%phJbmhNYhTa12m(NLI36{U8Sv~b z>Y6*tsz3En+>K-|O^*)Q8o%kGp%Zi; zHxZs8F757Y##vP2@bHX(I^)I7Jr{vJ3NrU>{DX-K(cf^tyZ`!Acs&qnqW6Y_o*aUN zGV;-|^m!zZKglYf>L>QY2M1~AlAA)6Ao^6Kxfk3haq+Bk_;l3{j#rfv+Za7>Q91J4; zo}LP(wR3S#`>@Q11L9WUm zG(3FNPXc6a+~EITCM@47F&y}ZSU)LbYLW_L_0it&9NYqt)PL}UYLOQ9hUg=qME9xj{#Mw z&D(0QKA^#G$a$|F7%BmgkzYcqbWMp`e;TCjR*ocV$xM*mBUlQwAr<{ z`vj-9bpc+xt-7P8hC-=(uCqYV@me2uNX8|&|5vemM1Teex8p^D4r)W{sZ^0r4h48ItZiJa<^l|eAjb+SSzh`oMK6Mwxn@E@tAV3}& zM)ltvGuOwD|C#v;pBR>U5PviwQ-eo>Y0ho!7jpx&A=}b^XOPK22K3fhV)uCG(kF_A z-}U|yz@?ym(nQ<7&odLSd86HnLX<*m3=?@ssg2N&tuIb31?2Ja0%NL=NosulbforY zPSYCyn@AiAT4T>JF?s}m5LI^rXzV+k@${M1GDSsJjXj68P;`;dDamiQH!|?60m5r@ zPbY!v>Gqk(DL_G?WF7_mSw_%JFp@y}5;hzcr&5GvM1?SPo1>AD6nt&rhIt*uoZlfYWF0-=DBF0}MC#{U%49{r1qsFb0BLvR4{L577@ zx?4a0oYeMb{D@^neN=|%h~4`lC;K@c_(!CC1EN44@j{ehOT}LsN(8I}!0!sA*AQtw zoIh*v=@2ik4Btrso5C%ekpG$AbyihnbL>JDPF~Q47R3te!XY8T8)lZSu$%0mHzI-g z!JPy87P&UqF2aEzTA{oOA&h?D)Di8rUbgTZ;^hdh5IE^BrJ27;(&pubx>Fy6Mo%pd+2UtlO=N?0Nzc=GxNu)k6G53a+D{>pAu25- zTH0N1Ilo=JFX5MCndeGWjB2@@%&sHXe$OXV7u+oN{jdHXLE^-qLq#yEHh!1r?l)qW zHWwyzeDp4_cv_s}2z5zxP|A#M8hPbhQIl-CiB(^9rDxLV-o2nmnIwII<3-kbYvz-1 z=a$G+9YL%}l2jInIR;{b-WC<|=!K2boYFFmz1q>xllI}3qBiI546f(HWl@Vz?0r~d z8uq56+xBNZ^pW5Q@vVK)Cf7MWd!Xxc0rjy5VpS$%wDT&o?yD!{@DnJ8ojd!K5! zrbtp5F8*f&qwX2B99?dZJnS&FgXBfGFYKJ3C!oUWtMl_jH1~lB>A;)PKY6`_3ZTmT zxe|y^zk4$Rm>TYa5)1EZ`Z`lx3~!-e5d&IuhkmT|;0591=$p-JR!4)12jb7) zLEZ5tF~m!&p6Vq!+V1&Tx?%WE>IY4neQTlylz)WK8z7;3y&ep$+S4}r8*ibP8g}*` z%qmi~SrG$0AX+#m;>A+}y9I&BFu3(Bycw)goJj|oyoIbpp#7Gp(R-n5SjYZv;9Y=Z zhYdxGI76wh@Z86F4O~?Ez>B9b2iyW5C!gi&wv(hgD*0b^bCgcaqHHVOQ4fb>y*Ezv zUHloeX5>^B|NE)wZqPyRq|f=Lfq;M=UR76rs%5Qko;tG^Sdty2Dp9u7Jzv;=7;#LwG zeIsgG#!f!@Q5zbB>;IHspC)Xs*KRfu6;t=DD&Gju+~y6wbJWH5eA~Tnquj17J6cWi zXm>s$DR3R-I!D+#QfX;w7DaH%86!P<7z)D3OvWY=hCE{-Tnh2>LaqiF)O6!4?7Yh0 z$AB@&I%s~yb25Plqy-e8-piJMb6k8U&lw|KbgM(q91A<|O0AO9>ATyv(CtNr{{8(G zmH>#w9v+7mU_*_?xzL#NS@lvYN{_!)>%p!q)kYv66%K(%cmpCq2YdNb3JTTx4;&ET z75`R|xR|`LqK7m%j)St*%wp-W#$m2!+hrl!1u84c8K9))we)wTitNy{V7(sn8dm}u zv=(rVX1LEoNRi?X{!?!;+;sPTqz9t>c;MTJjmh?#v=Ql0T@WwLLDL;m(W*8k_Tb{P$?@)`P20D1(8NsFyT=yGQBz_n-7@&;GqT5r zym`)2n*QmXFo?0U0cw@AnXQ-sUCopxe3H9=wJf}{tPJBn`J*P4UB-2 z+@GY!Pg?O(YC6AWgWx5TlcX3BpjI~41oBuzrzSMpDwsQ=DyvA-lk9~wpRCz%aW*;1 zG@#eW`x^2gu5!_Sl)1FQ4@=U@)qX*VIE88Lkkz-#&?$zzJL}E+%pO+j0{iy;dj48( z)5{~@k%=GX1B-zAm{9@G$BajKm9J)~uC^?0&diz?kI6etS=X{+p`(~^x#y}u|Hw47 z_c|u;3mGmn0BXMbnslHNN4xTDn#&W=kR8D^5a$XC#H`(?Vhwj z9-cq_dVL?8ui4j*dLGDWFpI?l)UD=v`y_Tw*VPf;zIz=+_Ox2hxay9a(X+S!ae}(m%(f zI2V};X-G{9g6nPTOPR`-jlj4e7v%FVmsMtA!t0feOtX91O)#!QcMxGP7AkW@{tfVA zLD~6n-Ofi{?C+tp{3Wsyj##sWmJ_6ggV`bndqZ#Fr;VWnP4(i%fS`eAg$f;t;se|g zL_uC%sQkebAr-whP6;G0GJTMx1?J`hf#}-?N(n_u6K-TMbx?v*Q;qs~``qxF{y-@x z!7&kom0svTfTS_22r3HMT6Hivd3okbr0NJFncc9M+{UW%_e0r>E`gt`eA;Af0f0h?-*G zrwOfsDFc_NYSJO}PhiBr^|d!pDOsR!9rwvaXi|b*)vQ-7bS8L;sLv5Ac1#)M76uD9S1e>oyoA2Jx=yDv_5X~1dCv5nd`oD zWU(YpXN1=wz<$=7W|q%wm%ItbGfmK-=+x^w@rA69gZAo)ZPnFxSKE;0pwcVjz-wPv zd!|r$XNbkNuW2h?p8Ow;3UskG>#c#`_Cafn<)AFhBZJyRqW3b znNYC7xD{#+E*m6c$WRxoSRxerEznyH8_h&#%?U71IJpVw_PwYCoAuf9$K&So$BR(y zaD8C78PaokV_8p#n9UZ9v$aVtZbw7<1dJtM!Rsj{R`A|9_TnS)I`pi2q zNH|c2wPMiTQ4xGaGn_}~r2$~M$kKhuyaL9?X+9kfljP<=hLG${+I;`xn72C!cIp07 zRn}K7ZO55R{u;a>>pM(dTnClp87W*J4C`PEF2xXoA=Dxt*khFe;4;!33b2*`P(Bo? zO-X)@y$a_5KOJRfia{i!?N8xJ4=ZX~dU1BgA>&OQI2h8yB|2t}_4UiDjRIFvSK0d|Dwu3ps6)XOR{% zy$~l7Q1`%x&|XEs7$4gyR~27SRg)hYnL<0z-(R;KpmbAut`v_hwiQ(H-;T$wTq3_FpY6l zz4~v{o_V`G;7S76NVIZf^P^Yw6~M^6ERP{=9Uvz`#zj<9_e^bksErFi13sL-?c~|| z=MgmtWRTOs0#uMdg(dE@Ad=^yGG=Kri%c2t9Wgly<1*BNuy>*YA&6Abs;a;y3wWO^ zf#xW?|5hX_}P=}bz z4HOIt)S16S-f5m60{gYMyV%3D++?K4=o|`fd+AWuzMJze+8M|8)!@6z4iT< zkbY^7;Gxs?RH#3YsanrKW*xRz4B6sV>A~shGaC#BBa}f}jnk+;JOQY4G2qJ8hY(5k zpb65n3V_8=KSl6F-UCY^U%xFX7D1x#*%WPI%ao;Uu`(nyr0@jN0x*iaL3$`2coFkb z9PrO|8u>bNI0Q;`L}yvSfGE>zq`LZgoY=p)L!WCtqe#)Gi!eGZaIh4hYaERbZ1Eu6 z%P063RZTMj%{oHd&CVxoF*n8ss>rb-{sma2K(vJ6Vjro()3f7}8a5P6-;B6l9m#Vh z>t{<(wqj4d!F(~;>>Qh?Kx6!I1RNMRdFApKGZh%_)O#UWFH`Ai-c=~sMqCXZJ$US+ zz=-72;^ZQn=t=zip!eJYf1ZD@{T}gG2ddkZKLxXf#a}fvf;g<%aXB{LRXy4gw_*5C z|LygO15Y(lZ@};(53>QP?Vt$KG7Gh7jGZ-Xf`ap+Af_^tLp*=H$=|v%FO-?N`7vas zg3U|?uz@ksl}fdVL|MSEyB8a_BZ8FpQfGsueCTdNhAMG4Q6Mj_sI~k@^FV-S8pCIB z)dLNdPMi6E?0tDu&g=Vi#+;O7Xw)F0L{cizBngpHsA!NhXjYmuD#8(o29yS=go@^Q zkfSuJ=+P|Ar9#8g+`I4i8os}E-v8dU-amfUS?4%Z&u6&q`@XJy?Y%F_8h6Gir%K(L zdDj0~)@bBe`sD2v7;JKQ+eVEZ!1ir>ndTql@URxqZb>*>Xu&=+^t@`kI7iq{4QCkVMJiXyv3ZuXHa2E*R_i}UV?RM2? z`V0?`PUINvR*+A;S;CD1Xq;ZU%564xa+;CgAnGIBV|{CZ7)}=CH$i)^)(il##`csj zTh13Vp9Xdom0sv&Gkj~2%SL58v|J%lJYX;ZBdql-Ss9{q4NH$X)5>#rP|?5)D?*wH zlG><;Oy%dXs!=_j%1U5Eq!XJW1e)rKYU2eor@DWYF)yFFwd`(cFxJ)4ir;L)$|TV^ zvNv>;JC_1@gJ_)7`1hVnhzXA%q-Fp%cuMLo7i3Q_m_n-VFGmxZ33zz_oCU>Tcy%)x zl6*rfcjiyrt|{xvJejATWEm{(qo_dcQ(&{B9Lt$wIsFV!K)$fy47o0q+`1r?*#?+x zCQmHbyO~6X69kW<_OC4!M?4cilt?IGHL`G;R*pi$JT@dai2=Cq`nIl>9S{)+tQCjp zl`})nxq3V?G+Chu{0}*>Xp#Dib{Ob&C4-xEk4;2Dv^DSYIj2wbyGp+2aF3E@(Wy?1 zJ{$-hl4^WkiAF8qmU@qzEmA@d3wgY(qoOf=o5&(A9X9FXa_`#_m7C|3A&x3-#nn&R z>(OW(uq&wR@s&MR0>a@cYj+fBJumN|SM*M2SC_PKpB`6r(*lC3Q_IM^^Q{P-&MK1p zXIi_F<-qpsT%(yZW~gBZE$es!Y>;hZs+{;X-tYsAX-63W1Vo6d-Xn1?du0QqnmFo> z<+1h5e(h}Vrg}Fu$1GJ7HBB1L5N2J=pF5$dfb-0(#5D~#u%VwakTxPk=yH4>QT0wf zE9d^A1CalYxh}JKd+BK2%@@i=S)59P6yJKe+` zhG751n65h1edJ4ox{If0h`t`L;Sn-gHVLp8zwNZdj#&*4Z480pB@$$ky!$&@lZ-iI z$i7f=2cW0KgrS+*nf{L8c9Y=eC0Ezig`R8&)u@m=d8-59 zcf)s&!!BiApZ{>WLcO69SwYVr17swiVO}APFfNK6vBXIfYK4l$HU7v6D5Zy~oOS9s z1G8|;U{?(@(aSsrs#tXG=ChRktKEes;@1;2tI`!cEY*^k>@}t1(#h(tD>r&i`tMcX z&Ss{UUOZ3UOCS76e->Fu%DsD9eRW848D^a{A=*8cZ?=$kwkPa-!_43;)t!&G#MwI7 z{>CG=`k-;iE?0|FLH6aL)y?~77gYMxTGNY*QlC{#bizeI;+Q*dJut;wy|Xw$Xc3^D zNGu|0LE7>Z8Z0jqj&(ws8+o&DY7P``*B-gr4~`h-Xh@H(>uPeU7A zq`D%@!J5mdj!W5BFcISrghEN`tmBYHp(~_8@&0^B%P!-M!sc^%wIxO53#NWNvM6&Q{RKk;u7p9d*Q_CEZG}RT9CNy=%B|(wCg)KnJd*isXD`^9O4y_umf+_-;BEw@VsdI~MSW{#n zx){;JL&0{J>6)^Z199R#k7K|t0aai}C~;rF2BqBrNVbDIGAW&Rtry;wS#F2XlVfHf zTE(yF@SjsJS)lbUhQVqZUGX_%P~3Yri7ipgO5dBsvv*f+({%s-q`oeYdIl%7cFi=x zCPwK23doKjDG-#ULpAVNmU2yN7zW4m8LcY&)Zcs;>!;T~FUsc{>1VC+C8l?2TJ6=g z1=CI|O>^tj5u`Su6&{ifpa=)6i6;p^X=zpUyoc?%aAw0>)F)b+B1LW5gnW;3SjW(q z|9-8i6Z7Ib_Elfu1?AW%0sBu4jVJC&$k=T1E#7*EIH5C`u{~ysUZQ4TV61x~=|&eY`P#rqRM(o`6dMY_ z!VymB<^(%hj%D}SN#Clqtz`SEz#3Do$i%zScM6 zYU~OWczJO?FKV>PB`_lLe2w?@wU(^k+GkG7>m^t2i_CqSx+iO<^cnW(05KsXYlox@ z;m!62${MmJpvp8hb)%)BSN_Qxle>F%*3TJMHZs0Wqdj|xam|{sQ!(HK)NWb)R%lak zW$DN`Glp_$&3?P37LR;}+TnmDR>DFk(=uKglCPU2TX}s0p7?aB%89h-mwmif34-9y z5?D4e-kF5sJ@kS+!|BIO84U@k6DV!JW`y&gfAgDPWOVbHE@hCVe`uWv*9GUpgti=E zuPcoMg@hL^7%7$8B6MyYKayM4HF6EMjXK;GJcpjIVwU=tv}Iu4I^Ks%MOIePDwk~u z?XbPr808VIRgyaArPt(ji)b8{9&Tj0iTqEa{`1VJ%ob|?>i*Na-LY@kwQfP%ao8zD z3e}pg5Y(w8Rq8_34TM#oXVo%c}QR?)`N;ve6xN7z1`AwiI zq@B_<`*i7Ol=-UV#>1WRdad_)g9Zes|M;P>j%GQVo1Xpo?-Q$js}T2b1gZk~A;PhS zO6WaNXxg3|w;Z1W=Lw}X|3bxolPzhpNy2ck78ktZo&#~gp z5Ey{CLDY@*O%7szjbByo_T_yLDYbza83rfV?F{0GOmRW-PZ|EIXr?&daFu)#Z~>|K zbN_+3YW?9pDW0PHo}>R@3xv?Z+7g6N0x_U%lU2Q#YjbUYQ#rT7gEuEYG9On_)4S;`86jiof5REsEDVoeel|LslUAsk$ z@1ynhNE%_i$}d>$q!u?k89whY`n=bF@wGor3axW}n7G3jd=o7MzFGcm2(w2H%3FLW zx7fhav18A{#=KkEU{!z9s^?*`czct{nCI42QU*_q`1au9)HELn9s2fOmey5TUD<-O_%3(!x^Rd@I0=$G| ztg!~Jml-AdY`glDtp~b3xw#VCM%Tkes8fSam@`LewWALgV$%d3bzX~O*I8MMS>u`0 zw-bwdiT6?K!Ctt{h0}^HR4YO-XK5Q(QXM2=dU~3wuss>57b|3_Y#7 z3vx=qQTMZ5ugJPIPimMvZ#TJfE0f>0NULol;|n06x__UlI6G_+_h)0x5CoBL(NXJu7h!CMn4#sFje=Kwl4xyK+R=Xi}MS?w&@x*tk8 zfF{A;fpw`|X*OVx1Pvw}AqIw=hKN*XLp9yn$Hn(zkl|7RwvY)8uV_9O_SiwZXhvvHg zicq5B86QqM4yzQC4=wm2>CsYb5*mb`IP$;9eK8n1yIFVOnb+cWi=mgCYa(WagFu5$dhajF8WYe~bvF?0g#opsS*g6Lz|KJvi`)>64=A39UB*|`}hRnp(t5mNC|Ipvfmr*Ynk&X zY;s8gn``RJlc)X}C0a%4FCzI+PccjizdU_pz>2yP#fW-e42qbeH*Kv32}&@I=@_Gb zUlmCppc(+ygnov1L@6~=045_J-U63fw;NN&svRB8gG5j8{LD?ldoGK$RbqZKcJfXK z=!4SnjOUuWDl%-Q;@%KAXzqg1U8;TG^SS6^G3X-%U9hfO|^YLZ$1l3#xJWHj%V{)R3<26@a&GW59n z?Us218VRnq0^lszfySPq0Bm=T2m~|KF=cGGOuqgVt`pjAnj9{X3@j@$R=sX>n|gdi z){mGG$(4<7;I{|{cpBHkXd9uT2s3B}0pAe=p^~w21w)|;n4x}~gx2L4vu`@p_l~ni z4Zxx9iWqbb^=T*w6>V8#W5WsU53JAfIU~2VF;X)WIW|SP)`Z*}T9J_~w?9ixa1}9W zdFNK2@xf%-+uYUhXvs=dq@f}ex#`n;> zmbssR&aU>qFi;%&gd;LSH=&JmF4c1M$cCn%B0YFef$%hoA zD*7wzqR`wBk}Izp;MTFdQIsNzF1PuP(YdF7!JlA)X3wN<^ju7pSdOKbo%~4>gylGM z06-d^OCDgKXs?T5xmFy-;=xw#3S9(Om@^SpO0@X%lgBqo9oA;f*sif`*iZ-GPxyX> zUsyd@(RD2?BNJ^dL3`z`G%k8SEof-;jW7UcQPkDPRzjsy|E$*-yS5dt+cH@8;(Xc6 zPWHTdZZ@|2;nx80!m&YX{Inz3NwHh^-^RDH(uEf=%<%bOZMX_cI2WSTyigq^>0 zH$!wc&{;^-&gUp^)GWKSR;RaeP&2N|O(zVpN4u^SWtZn0?QtXh(7r*y-f99xV@|F) z@Zn4$TF`;gNp;KCy~s}Eop{Vj9Ii_P@2_c6A81>R`bEH^_!eRH#%vzWLdUu?6*?f6FHRXXH`z|ARC;vAqkCf4lw!vymOHR9 zsY~FYyI_c@aGA*zr%d%T|H0sM4(VC)uWyL49O^Drb!J{%N<4Hl-_GC2fTGA+rpF8Ilh75!12XV`2MaGPqCZ7xO}3wfnuRH z`W8HXJv-M&5YY?b-4L4*@yda+o=`bG?@5vVUkvk>FBz}pIpUcHSf<9z6dJ7yPeJ

k2t>(Y6vD=ty;L`4vamZ8DOc9OeZlsyitM zN1jgK-T4+);b2Eg&==Nh!mI~6W0~#~cLD%264{_zWh{z7;yKCZazOAFjl30%?@*`i zvxLc6sMZNf(|Do#VxlHtj5JHQf9jx4EzyMFgZNCGpSQMN;;3ZaV-7f<`bO*rm5biA z!DYH_Ms@R-?w%g8&%R(hN8h9@9!7qlo9DkQh4@CIJ=qjgRG(%<&Re7tN)->%uAI3@ zoVA>H={}EwS9(SzhzLq`H5@)d4n_;a$}*uhGGw|nd9n!m&_9-g>aTB1PPe%YPMOO; zF)JfpcCKFsb3Z~_ToE2xh~C1zW(wtHC^9P~SPom-O@NC9KW(h+h<>$@2|Mmf>Ey#4 z`6F6p!D>a_Vb~z!E-nrs`Xd3eqB6O`8%tS)GAk^2+Rl;wq>DMf35$PbSd6-51!u|W z@&{S7ylCro_txts6^_6zap!vGmt!1fy5G#jE@?I69B$<`q)Kq^Wa*j)XL~n;dbJSU znqtvo93ovkE?%vVPCgDzO^{!!*#-}!AHRf2$PvjdF=xVr6r#*VYlT=Z6D6>S(Ai{q z4*NL0tq%_Zr-KhBA)+)jiAPn0HM`t_rqxT&j`&iGz;Gt7GR~+$F|UsZ3~wdBVLS8! zXE&N9Z+;Ox`g{AHCd@<-dr}R(U46PpgryKYM9LTfau>Jz#J%BBH$IYGfcNo6C4Sbp zrtdv*1;Fa;G>!aWM&(9z`BF))Z7Pey``CC^aZehOTod|APoM(s`LP3&&zN zj6YYc>zp**HkiTQbf;p{6>9Tuk!JCJum#VKH|Bf{REeZ<1pK+6^~g5<+V!jo>o{Lq zZ6ZBGmx-8o^5cB`XzO!aBkp}%+E?Qy#Y_LJNF2SNVQ-W$h*w5VkiH>uvO{6ahvMX_ zcBZe->vz~9#=+3dtk{Bs?zBN%e2ZC8)Ewecine|`Nb=)g)js+`5+X?z2%mR*+vGZf zai|d5M2Tpls~Z#3y<6g;w|3E_d;U5B_Q(NeA_{xhjVd(Pe~mA4f7|@dVv!{2{E)QvOPn~0>mSrN zGDM_NqHQ4jvJ>Jc_`*=#sj=@~m*~L^mSne z6P2 z0K#pw`C0bk0|ndq$vK@^S^dpeN>|qAOmTxPGFf_4SL|&{`NzQu5pYV@)Ou!^Mir&0CJK75&Njd}b*a}wYzew*5^_S6? zv&%@UYA{~Jt7))h4Mm7`nrZcFw&b9NJNwvS|0(Cnwm*0(XJ!GLs1d*|*PD~76@1MV zlB=j$Y^19P?JEwKF)B)0`S7$gR!6EhL8LrAq^l= zP(cS(ZvB|Ddks3bs0)^j+2)OpHiRd;W5XcWE)W=hU|oJ_*ec=47P`WFV?QZwHANiq zmoEE35U^`_uvQsPmM;)0|5`Jh5)kc@6|k<|mP3FN{GHu_x$_rc&#tz}8a~d4USdkR97npyTj5wR0=X8ndKO53jBPMl z36781nyj!=B*BhSuo`=wDE!cEcDHZQqK5SKVz0XA+`5Uy!0WLi^C*M;&0mbA+}vc+ z4JiBhJ>Qd(1N4j5P29*0HVf|p)Mq%G-B@sMXmP2kEAwKQ96TZ?EwVwSVHLZ9S@67udCf|QUzxpSNm%n@!)W872i8_M-BgSzS z#D_+hH5`H}(2=xoC^9kWEUA!#Y37BwcGbd%=~ogKHh{B5>UXH$;w^{?4}1)r80<69 zQjRiDQKXd?*5_#~OhoERq@V<|{O;Q+Vw;;w{O8mFS^LF=YJMEKvB%!IC46LG?^yd< zJ6F%WyOud$aHc&PCT_m3T`k{Nl)ndq4+PEol4`{%G9)`2FA#u;Qp1sgi;e#n1$ueB zE6DMM_3mJrfb`wWg8lQ|>RUd3F zC_fI8D}bsyA6v-}k4SMoA#bqx$xmDU?@v5_$?r6q=DmCODj{tl!3&#ezFN~`ZY>!3 zP?zMck;<^%d|%&$-@1TAan-Zo5yFZn;{X!L1Ge!4)PSJY7@vlR{S@8Uxy5Dl$FQT2 z#wqb2MgyeREzg#!H$Og$(6VL-iXW!W7?B=-nAqSNCh7Bg5o&~&n#!3oCZ7K^X3$O% zhgKx0BT09}6);81c%@oEn}Pzs9zOF|u3>VJTpTSS*s*qy{eZ0vG^CIa6J>;iN||bvp}#SpB5@B(T8YO7gsg=xJ+CUspz!Ptp8tz1cuTE|imLoCjq?1wN4BL!+PrCz4N9hBZEQBdg zo<(g}z|Bf4XWK0Lj%1HIG{>iByyj7;{b}}1;-V441$0az-{$N#8BngcA;uk{8W4hbUkqs0z4~ zUXbtmn+4c0yeBhgr8zOo#6bveaK-8<#v~iYz@6|lx$44_zurdRuE5LFY}VXk22kWh zttqqK)<5>uSZX54Dm=N8OU0+tCbF;3KiKw)S~E@xXue@wP$vV?!&=#*0((gWD<3p^ zD<1OM^jIx%muF2$w)L}}VKq&rULGAxBYwyZD}U7qa}V0n^QS8TD=z?nL;XP@qac$G zuqaY_GVAC*haNx&c;*RFHP1~9Gos`M!4}Xw zjMHo_MCryR?w+${nPiXp%=NjwRJU9@*iWX)T9z8VG18VycqweN z1fDPgH(PzCBZVc6UiTJX7ym-6B!`mxeDvjXR;bEe0)j(8u3oNPV%2 zuHgQHWcNI@7g<$rt@<>>}IuPE^Z=R)r;u!h^cmke-oT(b*!XqMZ|vlL}$ zqB2Y1>h5JT1ML*;Dqh1?ot?4D$TmuhO)CFU&#%Cq6CZ}-z1uT}ycy#2Pxt^0#7ZF6 z;3TF74lqPINn*^C0QcFQy-B)B2I8#Al|1W^NBG;I(wda&Y`rqzFx`mOLvR}zfp9CV z0URsuDbe`ci7S~FUelZDQ@|w+BqpWz(z;4OISO_Y0qE@t6=quWTR*?QY8t#@PA%Rf#iU9onE~+(cdQVWlAq z9>|y&Em&+q@blJM&w{@c%m}+l5<<(p$&?lKtkN#0T*7-u6#tUX{o=*(C`>1EV(2Aw zHKo!(wwVDmplKVI#gWz_&EJGHibp{)06TuXd}?p}bPxz|a9OUpTb0J&rKO%#)5S`} zA%8J~$-oENy6>bfIR105wYcTx_N`EJu!4DMItCqH&hG@ebA9Uel zB2S?t6`Z#m@A!_+#-53BC`vbVed6+OKg^Mx+|#1xFpcpkgBryrg$vK2>PLx=7vU`Z z+I7ahnFHxQ+i(r1k`wTF%EuruGSBZm9?^bQ#(}73SyDUuo2{#xX$NezfmaY|&9LpY zYsU*|HF6WhSLsBjWA|uERh3;zd-BlvWWnxd*oRghN(a9q^P{-Mjz{9EvDhuzl0?wT zzg#a3L)S3(Jd0<|8%QpTP6D_@w1$UF&d$c4)X8Wzb|liKzQGERKGaU69-5e$%%jce z|8ozZ3H?2Jr#vlZq%yg!^6dgQkdAp+JNVqmw1ud~PBH3UHNCww{Lc?mix-;M&r z6W+eS=KF(me9JRd)wc;8mFFn__$&)TYE;|`?OC_H|6_`2`03I+kI82+6jE|Lf`hX3 zc(ys~;s^#ylpyb)Ga`+$fv{oD8}rOsKuT;G4s5A=IEs&ev`4aSd?K;9A1NdQwmzq! zgN}VadN@EGoo-<5w-Hw*qdvp=g~WheiS>GM6pt^uW!kQ9VR??Hfz?vJ`nD<{CZY5m z5YEQwuL_s)dpsn}T38!ceuf3-8+cKWHX^?P=HTdpPq9SFS^l4HDdJa4x|Cf#YpwvA zoHHB6Hu34JC_bxXx|_>Ulu%@RLCdcHau@2S#}`HF#~1y92NZquGc`2*M(?UZ->hRmj62vkkQ-s&h*~->hyek8Ijtlg z2Svd<5A7?#^<6`v<+d;fZ?bF2l3llW4}aKYFJ+GTWWpYCQo){5H4=;6fIRm10eu1e ziUtKWN!3m{$<$Esg>T0l{9|66RL?rdGLw@0?A^ODhG?`2?J7q>njVvNQlYo~zqy6ngv@ zHy*}>-dAngLgjBKMvu)%x#wgiYI8Y1EPMYNrc-u#I|>7Q>M=5+gh+$Ec`_*a@3uCB zQ`9Z5tdLEsa_#CX1=@{Lj}j786o&2CZm>}&D;w^jyrS-O&r8ofbnhuP{|?EBW4L&2 zS(`^9MtfR`L06~mEZJ7HhXN8_vHwota^E?gS$k20PW=4fo-R?|yHE{Src3)* zzAOktK1a?=ss+kp$}~oG61To@j_$Y;LU#1dE5*D#wslCD;$>DaoqgQWPllHH!8N#; zjLphxDf7|sJ4g+PaT0t-)ZvgKZK~9uzUb+%3r5X}N}T@SPxHnfK_fN(n_*{*10g9u zIInT*=5bs^LhAt>O;WYefPe|F121~O0e3{-r-OG-+z2YI*XZ@v;;e|eP*^|j%D@iU zNz5PcCuV6%pp#^}4h=<5HjxN{%jgKJ@H(W2I$pzkhbj*{VPtJv=Ti zt|`K>27q~C%Ee)zbqN?f&e^#^o_dQd5p_qcH2c0zu##vcZj~jP?DVK`NSg*j@#x*H zRt+;jCIlliL}t-Z>jRxzH?WP~Niewa`isSe`N30$;99}fbK6ulHrv8me&FpPzWeNM z+6ILMnQ2~;fG(TWlDgWQVA*c{gIlTF49;6QF1=C*&QbzZk;FU*0nc?KCva@>1N)~P zneu_zo)DMJvajqv*UY$DMPE9oLTr2GOY6I+ zEcxea&K-WyJ23l#d|Mh)w0h z7+awuO`!fOhwd`}XW@VUuZQ|?W+%(Rr16KifS;jPF_1CAuXL4@LSl8X21%3zhMF=nX=&9?XtY?9V&RJNJZanbM!*%X>o5Uu{ z5H60z&_y~kWb&g0Kr+5?@8bkQ@d;D$2j7TTKHKGCx*Bo0N(gcO0ZKkevkb!ElJt7w zXyxbUH&1U@WThJdmjH7_2J1`Nh%^(^W0qXdR0a*IMA9VTL0wyj>nGBZBOIJF7=+jX z`vvc{+z34~F^>olr|GVW&<$sjMo}BlDOv`{s7740X%=-jqY^-LiSVuJ9`M3_WNdTu zZ}gKsMkx4CXCO5v?fjB;jI#WM_=}hA5Eh)XZ>pczj6T&t-O%+_>)4K=0uOm@+>Sqvk){#{ z`Z1|&f=_^^CO||+U4#afsTYbl%6pq#z!Y?F~ zvoJD25L2NBwv}y#1Kj$p5=C920&maJ{~3kCsvlVe_ve~rT1Xu9)s|?(K}a*N&5gZbylq8>=)Hss~OUE zP{EV^-Kxz4(<`5ylU*g5PX9hibtt-s-Ok1suieuQU$xOaht)eTZ-&03z)RK7 zZ4npxX>GU)c7|Q_$tz7!ar$GH1%y$hRg8Z)SuP16-CAV(4NyW#<0X*m`|a2Ag+GfO z{Av2>V^&Q<$H5ZW3}+SaPh^M-#jjuat9kNHrK(vzZh@1c z&NfK19uHgL(QVdC+|gLheiWo!GGhH{He^S@)-q1ZIy@&!&_8JSy?Mj_CF~fZ_>*md zA8WnW5!2Ytz~=;$A;}!iAhatr+E2dy^^xCyr!D`-6?y`@Q+T*nVLiFR^53tJeEIUz zzd!pwepGH69tm-D`{_8zMb$ZRoPD5E_XS)N17>bq&k|}>Wke z+O?Ymc?l~5(p6p4APAOQAR2dPAn+7-HQ#Y5Gw0&4K2Ooz*rcom;vYd=f6$BIEA-Y8 zWMV$J#F;`JUlhskJ-&_*-4UVhV6%k9B2sy;TBEKVplBT?=*4&I-`Nm5J&gZxnI4fK zo7L`&fr#wR3K^EK?mo2un7(uc!+?bkBa{R{a=Ub<@k(z!8ig5d%P6jqu)wd;?XoQo0nWy}5_a1BcFol4y7mff#yzz zxN1nEyaWGCtT7Gc(v!5D)}$PyumnC&2y4JkgUHctdQNkzm!XJyWBl_T<5?%VK$62D zpl@TMuiNGML=FiNTh8KIVsV2>jw`=?WVA9s49~H=;PX>=ehli9Ip@fUXnaYFfV_#&rjI+k1(L2 zKa0=7SZ6A`Qrlq;xmE%-orSX@ULTq2&@>3@OWKOtFVJSuo2P`~iAPJ&U}YcBK)nj} zJh!!T4wS+r7##Pl?n>@Ur(_EPR1wl5h*{1IF>nTLCu|h0gkpzz;$%26{dKxaqTR*n zZ+!qM_ya#9{^1xSP-eUfm9ig*`=+KoM6-)G+yRxxy=B{Bl0_^|0_VVy&_TNv09Zg) zS`sEO_M1tMss%iv5d!B}vz5JOmeG|@G2jCT&Vo#1&mTr2pD5|VqRq*kPW>*6HcCo% z(J-+M&y1`NX@3VN=GSt-5YXe3ukxB^9n$W#Dn z;TxC<;m|lQzc+QMLQ*+Eyvwt&R`S^vABZ39^J6_?}PP(PvTCu zHQ6I$1GP z0w*T}o!ZhNLl9fTLg<&u{X#WiE6dC%=$qpI*}XS9ncD7{Ak$`q=~a|a0ARiQQWc=$ zCIa;wX>`2~==-sU`a{5)!r9!pDv3ONASZSP;Qcj!k$H^RA+xFyjIYF0iqWZv&|U5Y z4oAx+G|C?OsDERZ>vQ-9QtXj`h|sIp++09)&L0mU?#c|$Df4Ld9QoJt!?C)irjJga zSVy4PC7#6XP%9IU-;!Ji?|S9ge=Gw6ZPmj>;SKCEkG#|&cncVdu*=I&*@D6ycf@Dj z1sRwj>Zq`O8Mw~r?1E?W0#jn6r8{0|CezS&0KE>%3v{8rp(j9`j%!C+@urm}3E5FL zPKOU*ykJ8=?9$Q1@_d-ps%A14A-m^aV8RjX+v6^kCUNkPgK9C(!aIf4WF z`mc$u-}uAcV;~dHQ|)CsHdSfem2r65fuQ3PeQea}%PVq;_aCts&1eQ4gzRzvidbt| zO3W-*HUDz7{EYWRstr>8nC?UCVvbRR)?ob5319|9SPk4t!ETMvC#V!d{Wl@usc-7?6b-6Oa?xpOrwUSvVNgIn zCW_uh^<`R|jdws%vAx03Wmk`xpnWnhuH66&+hh3#jor4hgkst^(|)^4xpI+jkkFA) zqBcf4)z`TblcyYp0{ctEBQq#YzO$GyjlH;2tQej};}gFjG=J{lj!>2sgB^$>z7%Dx z2(V{j${0b1MGY={_!_fSitBlaqd3__;lxS2=u$Os&-j8wD*{J3IhQX}?{5Y@Mh$#A zb%DtmT@;@B&Sv0DrIro2-*k%l;unIWWek1aIA3dv>=SOEm~kaQ#N3)He79+h2oqICBNOhPhGu_m1W5Dm!B%16|AxH^`D`jUnYIZPx z$Sk6gQS=GW%v_YC6Z-n0ZLW5jBEvgk7n~Z}>>*Q%!@_ClyUBAXS%{nGJ?9Wg&p#c8 zCAl!Kn&0b1K&eWx`@RZ7<%Zf63@i6+4?&&DW9h&YEzgWhh*g%_#~LPe@aq!wBO@5-tgWS}?>WRRvHV=bK>z z8bI(OL9DN-y>!hHfuht}Mk`&LAWbxug~H4Z1kxqg6Q;ruK^Mp&;SELnr;7Qd3egO& zS~L$0(j_}gUZFUDyGUxhcaR`9{v?hBI2J8hUE%W9Y!~5h0_{qSgEdc0gbdkH5-esQ z3HG;vhf(yTNkQbSDXYwlR*trrA_F3-R^bT)~o?O2i z(7ffd@k~qJpx2REIP{gTG)j$JqK)_LrUsNpvaC}v&8c<7cEP=+AS99z4`#tJ`A-qs0v(tv z`;_9Gk2yp{(Mge9KqJKcZ|`qEtTZWR&#zzIj}u_dAh9xk1(WOZSAmq4cm0tJI$u^x zMKG9bGcAQwMYSaNCAUM@DQ*_wq*;T$M`uzq0-Uf=2&V&8Nk9wKlWw&1 zlG8xoKxElbq*osvixWI-x}P3G*H?Jl$33OkXVf`u0oO;zN1&$6@J475SKP277(-8F zGbU5=)r#rYhmdt>Q#r zm=K&4H&C!m(T)u;Iz`7}OJpU*yIMi<$s{pNgNAI}e29>Wp#nIh6!uZnT7dQR!}pbr zpc%R>zD4xvxF_xg=;bAr7}CI(LMZ@RXD9)ZNAX0@XO2!7kA zov`nt$(C?wW}Hq1o_M{T^Q~a}nH-^6-xWprH1IdDFq&vNB#R-zD*yUovf%9%HfiF; z?q)MB8yr6iu2_5+@EN-TUYsR!TWZ2cf0Ki%0LNu<6E6$Jn^%{n=j6WJqo4pic2(ct zjh81eicW0x!}d31=5V5H0bhN7knf4ZiyN0Q`OPVWQFaO2HR2J(d)x(u)Zd;{*6Bo@ z1Z@3k`rphA$1Ifd0sbf!ZcFiAbMLJ0#`NcR5_Srq1xH}S2I8I0_Hg@${=I_VN7#so*!+1@~;E$?y0zRrSx)jQ%X}_puar%y{3V`H#Rl9R?N=I_7hXx;RCn zmulJcV%7i}Ku^&;PFQO3cCjn0kTbuqS`qI6|C9(Z#j;DUSr-lO*yCTeSS(`_6L-|O z+|3g8ip(aZ?!t9LKi|$|PgXpfQ-@y=6+=`bK<_kP@m1^Jiko>I@)=wCv7=lrA;Y=Y zcl18DY=rmYblPhSeD&jnVSUj}8YhDYr}xl%PJ`2j%g~5PBcm}<7x01Bwzg-h`wjHT zGc78XN1$jO31 zH*kNIl;}F#BvYRs3E_w)IjKS0(GgZfIz{ZlVB;5dH^fhfI44xz+GJ6@7smjfwyE&Q z@Yu44Y>zQdLo6pj{Aj7qU6Y}RQ!{jm;r_*MGdo)!GB~qcg<`{XKoo15wtonmnZVJc zuJf(O2+7>~Tvso*)2eLYHLOnA-zj^)KOq{A zi^6nL>`N?`_*^X}bipZ1g7Pl1OsI?Sx5ZSlv`P?4mYL21X}I4^g>dEo-Ui~HeI^&F zGhrwbryw$Bm!#3ilUj4b!enJ1clF#5U%p}0)L*+ZdY|y;^)c?#ypgwf=)UnI6?$q9 zd$o6tg5qMgCZEoSssMG*U}zt)(=Kwwus*renr|rV#w-p- zrCooRL;mp?X!hKV;o){@ahbFzZUA>!fN(Qy0L|)H-$Jsy@G!cHtlrJ=^kI6J3VVm0 zCdBHJSb4+oXfFoI-693ooV_`UDl+hhe$P=d^z?BT%q3QTc`>svgvWYM&wa+#WEOC% zrKcV?5c2)YT%N1r`&B!ovoPwDp?RZ%P2IN4}CXUT>t30!%L zw+%#b&&SjAu1AHWtxsKG8D262WP`m{6iS6Taw~dctiz+r$e=Ue$LnmbbNgZN<0HfX z@z@p8j0EWbH{O9B^fj^0EbChkJd&BL$8^89w=Z>QTl#SG;qB>ewx08l{(=HyX{y&RwH?F8+*|`k zomfl>ghP~l{RAz5#G3~V)v;qLJG$Jlw+#MnQUCjcr1^NwdHFT12)dGcJJuc}4n?X0 zR%F!_k$HnTio3b@8~|&Sw6AdX67>LSqmkivX)OeLFp~y^S7^Ts0#`3xV=P@Yl#2Id z?1c+MrWj2AiU!6{8yA1KyZfSs&An|ac_dg->XOPA9mIVk=71x^iO!&VAwXEEIAO*evbsaszxikDEjP#aK#SU3l~P^V&%p@;hJxL- zPd0aAlSw}bs>LqmzT89GX+D1Y#n}7f_R)p%TKx?Cd*T@UR2zCjY}iapC?oxO9-#=5 zUTmN}uv-`%a+1Od$?fH^Ukyjh^x)nXTL=YrT6AJ!KBFOxUG*G=qHOw3-ePb&p)WS1Xumi+=CMG|^(M=_)aXm6$n)}%R9UW>wRC)4gIgv@F zBSS=A)8T+B#gm!m(^iXzkQ7$ffXXgnW82yFyBL@Z14Y ze(j;Ez*{$N5DxHYR%0j{IYUcSCuZw1sE^a1NDa=m6nz?>mb>G9+UKGV`=u!R_!Z1A z?mb%f*Xeq3Z{~kegU3!W3tLpPJ=F3uG4MadtGoaB_U#)+<(Ty^je4GrJQuS4^y$Ui z^=JI{3pr}>9NDck!b01YzWp<|cs9nG9;bRXn<)S`KrW~(*uJWK%X7Y0qmCN}7 znYi~qfAPZiv?a=4&vjb4rf9&@VL`FEDlYl{f1@NGk;gIjk`TC zK$8n~2^03*vS**<8jXyOl;);RC+18zg%z+5P-7Y1SsUND{yt?-)*E5AEZ3v3TRmW< z=e}QFBH3=+%3%>6`*eCNXc%)=#puaDux671)s(k3~6Q4zU#DfK` z-?B6S#C*ZCP5+6S@7mz!x^kJyucf=JDDNqUXf7q?KBWXIjVA6obcJ(V z?T8lN>VRXo=}iq!9p2#1T)1i)C<#kf-xujni_+FT{={F;@$2fa0u=+Gs>8)bu}`i1 zJwJ)vc2d7NJUT+_>dV-erzjw?J-6L%mPOA=M<6C9O6gEp%O2wuE2B5fQ_FFkj-F^7 z)N@i6V2RU?2$8sL5|&mxCNp$TH2zp~@Wv;hBkbCuc!iXGR@ydRl+5H5?j@T-HgDK) z;_u_}s;T3>X1o*Ou}Jg|9Jxg?l>Ej{kb#PC3GF0j7CfLlzd)a z)|aq&s#9G2x+WQF#w3fwrjF`FW!*j3U$0pf`}mn!YE(>A?@M*H+jq{d-6NZq^}*mn z(cQwe3^%q4Ts->q_|rpSZkH>azZedDzNa*HSjRO||5RX;%%(vHuIfcM8v`7IEnANL zL*+NrbFES-buB(0e7nyy*RBwQU84>yPPQHoRkZu4JlZ%+tadJ#rz@O z=i_TXpwRwz>Fl<4J2T6(BV#@f=IIZN2=`u}dF#D$^{TjSF1iS&Z|&kE(pS??1kh}7 zU%%nd`^%340xd+cQ^mVu(-QRP26g)EHh;i-HXJx`;IPOuGs_B*D3|oU$3>%Qcq_PG z9ogkfa-W5KEjz_@c$(+=q2#Ygc8J6-%Z#lM@Ht+UIY3@=# z#w@#tqaB7((US+)vsD`Bn&^AKIvE$AyA!XvQ(5wMXyB&n%tpo7&=gP1dS68zyj}7acGgoT>}D}AH!=Q9fO$f5NBwb)7XB^njt3K& zx8CM1SGi-AH~rMbX(HL>gR4Acu~E@O)rp>JjsSaGnIy-j?~fTX`T5F>A3f|k6J<${ zcW&4*JMm9??KZ4{Z#K66)=B;Ev(7k=2vLUeI(t{Kt(j8Vxl{I5<%CL4bH>8}K~Fj% z5w&ES%VwMFW_7QWWm(3T-9Hz1=>GX@Q$4Cd$*|Vw^EGpyuH3C-+v#J52l4*BLr7(* zs+%err|TgUnA=;tB4y|Yv1BFNeQo?Ph;)&Z|k1r694tR_Of|O$?7?8Xl7yt7^!)t%*HIzc0hGEcJX z5p{+6>m7DE9DUPRCn{arRZh8orY0~Zz&2RgO3CJSkN5~#;)%BV0;IHcV;5d`e0mVk z>pzwGp-oay-0~K}ihnu+tLMVxL_qj52W$;f(Ze!@s?qy#w!RkbHkJx=LiFnEjf^x) z=^p9awqxI<3}cfp>YL41@iL#M6>D4Q3s8(u&<&uDj-4N;#|T4*%!D zuP((_t7@!UwAakvq43aywz%VGA3y!eN!ZWNj*qHj{`pK(mKaxCwiem!rcQl3Q>U9# zIx--U=GZK|s_lgTKfDd07Y>QbzEJLYTG8j6WzYXIBeZeq>eST0X+CSSp_L7fT+aHP zU-N6#%RN@WnI7M+TbB{3^eOIm*d#g9_E_9#iC{0a%za}$S;j_Le6;0BiE?yr@Phz0 zRoC)b!v=NV1Gw=XYhN5yXD#ddw@JNu!_Fc|uDv$knTTC8BC;K?#wAo@xvg=fzjr2k zSU;y#iW0s{Dr@8%pULa}c$jA&kGLN8vvnQlU@=`MBlRZet4n7^?){+PHe0;?HD?

3RNS$sx8k0aN3Q#~uXh?siT>*^Ot+GB9yMzcH`9KWoSnT7XQ=QoV?WzU zi-#}ogwQSh78Q}ISY4y0+#iMqhL|}}@ORehxWh&hx01Lb*eMS;Gsk{NFF0zgXMfyi zf6=?UV9!RIUQdj}R{hxwu3QqxQa-!6U5TY0Yaetip-8o_p~aq(GZ2KI$6zN$W;5K` zptIukBrQ#d-b_);%xGHP<*XGn%g;79PNw?HBv&1azhHB{G4pe$wZ_tXr_--P&PO%c zezs133Wn73DowpPijRkCYaR$SxxRO2@oJU}J=;6)<4e&hgUS4lY*8V1g~dMF)_Lzc zV^X{Uhl0(+E(2)3M_ShI8>;DAw0a^U&iMTK^KaMkMm$MyZkiuQ!FNg8XYb3Eay>z| z6SK(>Ezx$`I~z+MUS`83b6Ph%n4YK<*)bMy{=6GcO+vP|P?)IWkJP92GjABQGN zEx7|~7I;-7IeKSM@tIA;up~;x>yFEVA%)7K6&$;?+#Ji_+Z?M7aC=ZAF2x%e85y5g zXHcFkdogs^+qRGq_5@=YWH~Z@v)VEf?doi7Bm>B5V|8MG`lZvBGxX<>F#H zXQ6lZ+;n>OQ>17sKA$oAoY=6hqxecu`*42vnq5_G^#h;va1cc=Xf4~+@+}z&mUTdI zuzl7<0kQ$^HNCgVHvBXUQC{+1;7xRWNu5f_R1Zf5HNTE|sc5{!G}polIu>~=zD^(B zQRJy2(;r~4@q)IklKe|U5!=@(^KN8SV+FZuibr{8?|UlR-j`Cpr`8~=TS$Z&{%?@{_aph=Ao=en^8ay=9BGaJd9{9L%35zF z8Ryvt;AH-XorPn-R7d#x!Fn#B?X&^kh7CI#-^*W`$Q|C;?|S&2O)QeYmeN$YkBb*q zrq38z4we5n)oo6{d}poE#L5y{#=uNhk7 zYZtYh+81;5=<$pa6j_PeozJB|y}V?^wMV6X(%iB>ZmI2fZt|k}MU98n{FIhp${c-BWTheX@K= zkuqJ8r5R2H1d-fd`@!wasLNX8#sBLk;(wP{{UmJ*uT|W)54f6KafO4-LVi1LS%H&b zvD@emRogT>qsqK`byb}9+Pv%`drzF%|NYB@<`-Yrjie+I`@~Cu%FPRljL$tn5WDPW zM+1$vE~9Q~b^e%3%Vj@OcXKqSHGbK0|0V|Ic)85Z=%(Aq^cs)t94x;ly{81u0N)f& z+)X(&N9eA+zFeU@gX(+fQt3+_PVI2krGH+5+~c30e@b3q-#&Qs808nGA^Vv|+U?yh zV_vvU4RxKjxpp$8o=;`-7{+WB^SRD)^T+jP{d{L0imzzp3)5g&&gorfnz{&M#U4%t~!q zJ8nA)tV#Tf6iot~iy2E@TVF~DJ8oz^Mk8;80B_EnvDR4NHukA>md;@{O$eyVZu2qneJ+@tF0R7I{F3aqYivIFI2~pPL zI0+F+xx=`<4M{;bq@qmpnLDVpo+f3%oWQ_c=zI-*9Cdb8B_|JtiQUo;d$q;1*Zd}` z?0|qXDC4C_m+~%syf!vvb}Hv~N$hXU7rG)MtW)2=fA82S(>E@nsCX>N@#!Kb-B>HW z1)H16V^UC&UVf0uuUlowKc~-(mCcwq)bTcE!S$y?i`l)Snp{!%7Cqz8h$OL2g0P)-&fs zQi~=M^n$ia?>rlhNaLGByPg0dbWL7rrF-4 z)slajBih?8DWb4DrumqHWUmDtIze!8W_kTWvf-ltDxB;1S~yoxq`}4Ge5$uo3^yj9 zeI2m$SFZmsF5~r{%GB;@Pa$c0Hg3a1-67q=R$fOi0$bip+3VM%PUZMbCc? z_5YS}@F=(2Z`dQ49EAy{ooW4+_@?(o^6NMX9S*y=`LllDSZ5gMtdAb@(Je0t15#mL z<~(`YWAB6QV^Wz+DGf*LS6&@u|~eiw^CQ^ zkBCO784J}uFp2HPY~GvsS;MfE$r?=y|J{zfZPbc!pcuhzTw=H z4(M^bxKOlmQ*uDrD5rUifB~btl`u2Jo25w!!@+eK#o% z4D8qZ_Zcs;|0jJo7_W5R)_(c1r4bXM?DerU(T%Q8c|*Ra)<_=hReJdRR+7jS7s1rx zv9U;1f7vLm_uR#fUEoKK+gEc|*0)KSJYU;4bjHp)9Dw@)({)vRAF~bE14l2diQJoI zz`pLkIy&GS&(5pU%&*dIhUhidX6hnCJ({aa&%IyK@42l+-6u0SupAjjU$0;%FqrE= z&vwvcjvyO?HehB_qD^Pxk)#12I`4a_G_iW5wyYazDWz!h-DlBXPvXcD$XZtDWg+i) zr!%6HHuj4Ck!yl|jXWRGJ9BO(ap(qr0klAiDppW;A!x}nJr7_=b= z%fU1L(L`On@AkZ4mp5%o%-76S;&&1;Mm7&{Z+`M9!`_*HLtXRH$-4UNz zmA`Gs%|4gTH>*aiY!6Pz;>D?7k8*&eMjR_6KnnoH!kMreltoxR&bn}B?|&*E^|pHs z27m8_t2hX8K21i(hgZ6M)V@nl4Y9K0$!lgiBaOtJa($Xssq^W4Ib*th6O?z_*k7#^ zu{=jTzJyi=>{x>(A*ikC>L}B7II=v|ojgmW=e+ppW^5_spDnaF)LF2J#axC#C%gAu zN9-sWpZjNhU@yeY)0jM`oLFLk&w$mu@TPh3nr=Sr{}Uq~+|uFj+acNsl4fSSveC(A zV_&3AJlFDnJcyON$VuV#q&fz4dvvuC@ib@asdUdC8ImGCFXi+_FjVaom96pk#+q4( zf=pB^^K7Vd>j)BFuQu{<;Cr;$gZ)CKU77JGvqQX;P43#}6nfnXv-cb;uqgpUgf(7X z^+y$_qE^XBFQe4v_~?C{;@5AazI_Y{Qg@0P)WNbPq?#>`Y471fF@lkRZzKv;Ww4LP z*$r{_EckHxqc50;ioSsLwL=qqO8G!@S6t7USBg8qUfti33(UOD>r}bLjal-K&+PzR zh4L)+j5n*9qeE+b=2w&&=6tg`sqsNBlNa&hAdQNk|N2d3C~(D+i3~5>M<8PsxF{)< z&E{Mau-|bW@oCSFuPckkiX(>J;q34J!#upNfN&aa(p{X`)0a+QXS7e$1f`^To7C3l zV-v=V_6{0XvkbfOI*lz}CO8{nqQ-0SL6`Cs{@xxxe?1%d@P9idgCua%#WCkMt*@ZY za}{GIy}F{lv?DC@RH$T=)rtPApn8V9qGbBlAjk`Nok&jeLq(mIYFq5o0vHUXNR4z( znINIAC|1TOQc|eYgpA$zH-sIIY0A@R@Iz=sq~77)GVIRRRdt+z>`6Iq`U{GWrME1Z zA`OZIx3{&fetG>-?(@R*s=<`VwJ4H>og@ps08Kk(U|T5R^K3<6?Z80H*_iD2t|}Kd zTn_v`5l(Y?K5OUHxtz&2g=yArYPG#(vok7^R?sSHdS0d2?nz&kUokiRrWmW&iqXv( z_o$(KkCR-d-ME3&6CdA;NfnIz*)0&gM!VXMqI|bItJqtQX52D%FRQx8qtAplb^Lj( zWV2^bOe6NGWwq}nK06I~*zu6$qlK&Ug@!gNPb>*#lDjb86Y#FUP=cQ%{aS_Q}z=xN3QPL`hq-rT9H zZkdx`=T2rJojWXO#5wTP(Z75A%^N9~)xgNDxAEmr8%0-@e^F_oWtlv7uNQYU#ulUx z7j>;<6gpPL6MX(aCamK0ueR91SR-+>WTpH4X@JdL#>*a3KY-an>+;AmFSgU1=8A46 zUTBi#^!3$dVc{QOYzSZc`Fpa$PI%E8J!eOfqo1H9!P7c!%7@)0SZTB3hQYGAVXh`b zA5gdqSux{#>n8KYv`BmX3KZUwR#Mnpgjq-l0qr~RZf#^Z#|8A#QMbXp31c@lfH;kq zr;AR8S3^o=$d5xIksndCHSd+2@;#eN1mFirn$pymcikI*B)lovJKQpjb@5hvR@Cun z$M|L_F15-{r3A$=K(xnYoVk(MgvWV!38T%?S9;D3oEIdD@TXOtJy8uZI@K!wJ}@VI zj28FJ`RmWl*55epF3P-ApUP`P8PlbtgjrVR$em)zjm;lN<3}x1P!nPd*O>(f+Dla$ zZv-hR+GtD}ue{rx$a|v#XMV1}?lvSHoZP#tR!!+SiiBOEZ9w^M4u(xk>VW@E?9V0WqPEjy zyJUXs|5bg8r$1Uw-0wAt@9E6_A+6x8NbNA_rU1d+ zy6ZS&fq`INckilB9oJ(dT@pCbEi1Z4-ZDbJPqAjTi_s;my6yf@8+bG`uvbD1!d`aj(%Z4ZIU|qsOLWKn_aqlhL&%QQ%TJ?%Jg>OLMbF6SPtG|rSB^C;zf&+x!WhA z-TB5o?8Mr(J`uT!rS_L+Ta z8SQeOyQM>d-8?$~;exZdM{$e4zZSF}egGJ-#2Fx_oJZq5cDr@^(x-7C$X zmfwgJ+>aND$*&BaT0|JUxw@wxCVusx*ixdo+?A;Uqm^DFXHR#_$mWeh2cTa8Jx{5n z5{U}n4zCTQ>63$+vTyfrKCgNuE$;xg=(L8ON@i%P<9dizUYz$4NfLkO`yX4rddUCU z(j~pKDvMt1dC^J|l~>U=DZx^2^4bt2pu)cU(m?en=Pp${Q zkPSyOjQ-4V&7^b$H`>X%HWhSth??J5z0b54)YZ9tx~n1R0iN|6%hkq^MGdL$9nQtY zitmu!xnng8qJ={#@?ZDal$qOlLM&L+(@3m;z&mCQh|R{iN=&PmlZE znA+)_RL5~!IlU^;y1j2iU%r=18oq=phpbDqan9i;5xkg4VX}z5`as#}oa+&y7Uv}& z=oYJs*)(cvwwH>?i!$pA?Y&i4C=1X|RAdoBRmChN#c(G?!$*2mpl*!<>7jffqaP%( z>$OqcB%WE%v->zB!_&F2kG&X@jpt_wG$jC`n)P0OBHiW{?*nqS zIAn8oPeZEz<3u@~FAlW*M<+ks-!VhRTFs6Y(ByG)vBO~Nv%oRQyey^`N}umX=ZEkD-!MT#1@VSTwpUaYOm8oz!oNt`}A zIoCdHyLe^A$1_u{S%>dG*{++>9W~B&y{%Z)qrAB#!|d?_8C%n!D~Dbr0kSBZ`8}#G zDIDkOoza8)gVW>BtZ%QjZm5(OV?yUr_w6YOn`j|Y(jxlT!8PME7^FXJnJjOa#o26A z%9pyo0(!y4i<7^uxaXoe+A3=>%Oz@9pqN{g5|+u%mZx*}HJ1H*VYYkxLxg@R*l)mi z80P26>TOM_x$ti0`pPXU)Xf6a1TRLKF1Bmux$Rjzc#R?WnU5#tz3t$JtrFH_;o1$N z?JuKK`_G@~v9r=YuLr1t60qU&7k~M;7xsIYWrxgkEjUV_vS5MpnibEtbjeH@%I~Y4 z<#SOd@FB(L9^F85-I~_4v%!N)+V4|z$7g$QKKV_j%7A`iovyF6XBv%>X?r{7rq_;) z*!Lp`3>cz~iPT$tZ5zr8C;gxb(l3Ilr?zaTR-*Hzh!Z!gFV9}{C|mBDd5f#_xME9T zbLEBW7rpHG0_1YUmnZ&dAkNgd6ynjuK?V?KLb3O*ckt-sqqE(QdDkfpjowNK1`1P- zU0#vJ_;5xhb7GsDdUQyJYyYKTqneoqFMn6jv^Hs+7_{IS=s={JuDCDX_YM&tZ(q8Fp+x1T(qdF$i}0>!{ySk)o*=A{p8b(o z=5v0a5EUqhC1oME5M?!!7_sN|MeeT4cG+gx~nGeI3~o8cSMP-LZX zI)iQcaK_5=d-1%d9PLx*8r|)VJ@;HD&n$CIkT+xEJ`_GlN^Wmk_2}}bVV+3cnSFnb z2)b2l&roPsGm{IF>RkA(OFRY!=1xz!vj02fA;a&r&nGW{hec=-{Vl&qRc3Bwb}0Bh8coPzInb& zY6jg`cMfxJ>rpfX0!adaVh5EHCRU)c16h$|d|dnuJLmYF<1O>^DRp(ZsoHl0(!63+ zxI-5*w2)DZK9-|C*x;=y=c+8o(A_9ARgvg)9#`xYC^5z9o!-|5C8AA)>H2pa=@Zo& z#x!;$G#M|9E;=4Ka!m^9LzU}?cKPpyH)(R#7Qq<4jB^{G4=kCIBi%OUz!=C0#Ar|T zuSDt9bDTaZ3vq5jmEc?YZhpH{n*96LIZ6IjaprEDN9rt85JWYFdQ5<04G;{{P9nO+ zIlPW_XgjvS?}GTd*P@1hcLaYOd`-Fkh2mvR)2&e2A6O%_=nwv`MO}A)>n$6$=uV_Ge|%(bup^)Bi(18ZGzs2 z)MFhsdkI4GNVO5f!{RR_O#U;KKG>bRRvnCcw2U&vH!F`s*)=Q2j<4#^{C9b@Y{bhT^F=} zVI1h!t~F7c7xsyZEwwO|f^683iCDeMbcgS*Diz=a*|uZfBwkS7Bphu!DI(>bi<;{e zo^{RFVzp~P8=W8{wPOH`yc`srlwsuJl95*J@cZ;j=wbZTE(;s3r2w=T35)nzKFTXO zb1?8zc5Ci9$gv$0(I0CX?NPTa0mlIVQfh`o-}M6zimt5{6u5yZfIqO8*LU1D~*JR z)q7k;Ny1sZuh5D)hg^pKK=(-~ft_sGKb7}|0!r33BH9Z2=L4a2yPS=e!}?K;?q--S zG}6i&SDg5GIp%IkZ(@jjYKw^3Jgr@QA9Ow*5NcgX-(1O%yLyU2vE+O02?pmt1$Brz zhm#zX2ni>O)OENzw4l2hTMT&1XaMj0^Md8#NT9&`A*Rl@h#D=rl6EBQ=@6gOtU(vwY;1EpW_=(jE*b1_1fo0&0>_6; zO5D2u*MD#HvvdE~e!Z{*GpX$fO>2pf$RE%mi-_XQ;i&L;P~8EgfmYVb+LS-K{y^Ex zu>}*Fh?nM1aR`c#!M^x%GqQD2V%AgpBU%?^uFi;EPsDIyAzB_gusMJS?13N?{fKfV zb3c=V!$7KrvbI$1Jbf|UgY)-`T9xcmU$UwlMutrf+nT4ResAq*+j-9Z!9L1@>)!mS z^OyE+n}3FX=XG$E*P<*d;wPmgSwV{dv<;No*LROiUaMSMw~c>U;>;EwZm&rRB{9K@ zCGgu1=w<-LZ0>|FtJ%N8zNP-Ev&AD*$BEw_u2xD3E~Xb*w?i^%^!ys)j>H->R7z*) z0~s_=eSYnPfdmC>$ z80>if*jk^sH&CDWE3#7PD%uJVKZC;1S*@g~xbmHBreJ7D_H~nG-P7bU1V7nmc#Z4;;$EIC~&dm3-_AZKOYco$;BAMH&!C=9yjF_50RR*v|;z7alfZqkS0vU;CYNBYtA zFI3D<);Z*9`KBA^hLjj-#gFA43n{Z<)h$|2gS{W2g&fj`1YYH6t5~lG85EC#j${9> zPNg0H;fm%T2DF(RMsjkW_=<{SX}gv!d!;<76!3&N5gQKi z2;mRm&)I}$Ty2KqoGZbWGmn&ecfzz3-5mSEgM2z$+{Af+lt<%4E}9(NwP(qX=0 zj&Tuao;GT^nt4>EQ9V>HWvKxKxO3XfR`169+_!;gN7~(G8^df-_zBR0=?a;-@gKe| zZ|#}f$-eT_1ackU5(j)Zf$^v*%G{TcuJ*RdAZ1+Zdn4mUXKkup{WqMkPNAJFF1?W^ zxPbj1;{;>bKkAg<6HzB&p8N7wf`9}8La@gyhs~^Huwq19Z08M&PVEi}VU}uvF&aaC z^eJa_Q5DBGT+ukp_}UL>hG6r=+kiTa^p2__D}GXo;kM}4?}cTy9>k5PQk%i!+my`e zGr8X=1((2V1%)QpI?FGIhN_OmN2T|4oTYb%GLj7X5_ZjLdHS4~p$7|c7?q&xAt}_^ zeT8|S2mB6JK&_zNa9s4d+uNlI%XFAF!7v|@E+-B26F9uki$~v-%0^X)j_g&6Imk|u zm6fzbShQJHT_Cn0&gRzT6A9I`KL0=yNG)Mt;#YeJk^xt<7&Lq&oG{4k_97+@H`2j1-h2UJ*u#(6T^AkNTE1S137qo#-#7CFYaHc()D+22{1$gnAHk_utWdWhYbatRwe2m?3=o`gSdlq@(ssdg zV){t!-%;b;+U@+MHuB}ieH}~{gOI5pgs+sQ0Lecp!UL{ zD^Qs^n+HMwvZtXak^Hm{!Fz+e+QOQ=;7jK6jJPm9up^Ki8LPdpxANHyQ4j)&;o4t( zStO;4m9l3a;7m#HDiv*y z#aGhgKEkPoqBE=)9-8HSYyl@!`=UYz`*L~@#}^>hncm$_>L;jT(l+7hfamZ&w9TX> z;6ImfsvlMZZ|*uDq}E^dot#Og&#ifYTVy$5MuzKj%jqvRD4vId*Bh1KlLF-oYqzxqB- zU15NKFCO5<^E0@?@HgB7m~Gxj;R{~N*;2PpK9n-O1@|LIF;x{FKCf6YLpT0@Ki`W|cyIRwp7F*Zx^ zP-z6dq*?LbMZlB`TK{VqK5={NSSI4k#Oopx;-B$B3H~K?-uZ*}M_KO4#4uWVaS;R*h@i@nsti zppTL?)X-dK^IF)m^_4-`yW6k;l7Eh4qDMRknlIZtVLB?T&qqZoGT#)z303P43C`yM z>zX`{ZOOAcs10|h5Ti|=Tp|L6Lb~M_)x1e&boL$?vYeV5(b)cCS~FC&z4IN0=5}O5 z$qR29X2x{o5u{EEqL?=nKIM%RYV>vR5#R-9t(qncpa2-fp{_898Ba4letca)$@NCu zUWk#Fwp66Jc5Iw*)xlf#MWJv8@Nlon#i_R&p3njgxzHgUfe7X=5u&t!pX`yU-M3Ys zyzVReqi7J}usFNwKmW1CrZjVa*;zYa%9(ATlmI6J-DENy@oV-&%3D!LRQejM7)tgO zJEPa)B^=KJBWKq??HY5XubFnDBm+ndz|up#>mJ2^x^>B*`FDA*TYKKf!KO8l1Jfix zs4b)IwZ;l=_sSf68*@vxiAq4i#4L0Y=>A^ZXQl`6JuFG`a7P`vq``z$#B6tQ1?@^; z`Q@09c*^9CW~Jr!nJbGJv0FPFmIoUp{>k27I)jzdzDkWWY{bIWX3E%OSYrG;yCy z`$NoxyXrflC_5XCpASd;QzlaZm;f8v z`n|Ul5+>F+IW0+$tYGPWFyIQ%nD%=aVgOScnda%w ze7?nLjg53~URBbIlj3_Zd&$!FH_X}uu~R_-& z2=`i}cYG}|kl{W%+i)|a+y|d8esRX=f+aESVYl)PSDv;ZL)Bf5lM8`>b~w)j=^ooU z97py5YZLwlfk?j1>H#xi4vr1Gmr|dN%PJF!+D`m>%skS_`JRk4qaEBdd24JOis0?r9ym-KSO@Wh0!GXd#^>dlsaS=~UX?v183lu?EvK(|7|Do*XK z)iaRkn=0LBn*)>IqsL9B9{b@i059Bo#NQ8KPJC?2`iE0e^yYjkRAIn1$NAjDXTiz> ziUR<*V#yQBQ-9eh9}OzRgCl+;Rd>gW54Ogm25H&=YL9%>*o$;YXjDp3_da3>27_MK z|7g(2<=aTmA@sTd)srBzzN^w85lLV@M;aoQ$fF+D51?>KF$ueAOF+In%Cb{$Z^0;d zfNhFD2RJasqi_fOAr@*E&P)P*4eA6uO3xy%e1;m?yzcIKTNn44)T zX!-92J=^8?z1QB4dpt*C>Xguq%0l}+of`Z`%*PwD%ah;O&2!J361BnN?QVk#m9lx4 z^0o257X%G`xTwp0KLR1`%ueg?$mhQ({RcODW6o)Qi9>C9t320gqB9S#} zx0R2QU_}&#XS>ayr+fc?e{th(Z$oJ4ueD^O&(Km;UJswF0hH>`GAWR!lRdv%+e!b~ znhj94tyq~x;uZ1a!HISYQtwkh4Ca5M0QYh7I-#e)A(rVwyA8&a-S3XSh3>00bb)zf zs!eY8bA)c@pKl(#=3B3O6aTTjE9_LUhFcT+xTYaz)mv}YqZSjNQImn!4+;lf-FjeN z4+}8zL@ui8Zw-g(Zhu}0lBH1F-didUIkNIqEQfiDt9#E-pFd9xV=1apVro?BMIDbe zWwcpIvoCoID!d@CtZJo&kLA8yiWr+&vlM;Ns-7>47i{jCq^sH_#88KaUqgj1ESykg1S#Nm;7H7$ zcD}WE5X%;PwTYSi!LUo$?_Kbos;oV`a&(CFwa)Wx@Qmk9f_s!JZO^4hOk4fnYDd)x z)<(|L5`~$%dvyA}Re9nzWmN0G-8r3~?gjet{@BUD2+RdS7L z(_5`KI@nKcXXKygc!|B}G~BKB23M5gdZ9em(E>oJ@RpIqr6cSgFAC@&HTs3QHv6aK z^h;;`kiA!Fq5s=H1s(n;-bsJ_^>(YLMboATIoYQA8s9m7jMO-Y50LKT?^9Lv;P1PxV~}~#6nC^2OQ`1%g6lv1#Lp&zgQBVU3`Vz zmhb2IATSU@5mchUmH&?~klg-H6AWWv+)uU3XK3{Q{?NaFbvXA+nEm??fBp6URm0=| zJ*(ya&o^uS>i;f6Z@9k#9j%6M5GeSf(T?MQV7h$MA*uE__3}{gm7wt3x4$^Z!((!L zI|)pySG$InnW_AzcliE`t#TWi$y_GRgr#MT$`7?WM7cZ-X98$M^hY|?-oMfDNQnA% z?*3!>(I^!7&qkW~r{$e8#V56y^Q;71gjG)BfBqTv%XgPwfOXiW!6+|``AVC9?%q*hVIqtGu8M4Mdpop@D6HKdooowm zFqkz(hwxo!t%QYZ-WSo@eBGPe5>ch9HhuVyRl)9;v&J}H_2jn)P_N;sS}j;Wo4n`; zmGHWzL)&j-C1%6B^2{C~(N5(PnQ1`A7qq5q`Sm#9brR0M-l>Bsv_T?U#eRdiy4Jy9 zs_DSdNmgshv?(LK-=3X-8|B|W=ePgQ{(3g><*Qc#`E!AF@0rM4cfjl8sp|k`ObY$;^b3g}(=Zk#vkK!Jo9)C&fVvK!9y7+hT&*O=K z;A41s`p`Cb(Me`Z(azg)iWL(mx4G8BvUnn$luJ6iiwV*y=J^)Y$EK$5Jx`fz>i!&ce7Y@L@1iB_5wr6opA$s&%a?~foM33Ju0Q9{(l)_S>tG5nFGSv7Q@2-ybja{w?AW6dEu zjAwZHQZv#^?k@vZEz8c1z6pWFh_+mr9_9(EJIxX!RO5O%7QtT+>pu9iLY!I9(y<*5=U}hJ`~P{M93s?oQv$RrT~9MjeQ@wcFX~dZtGx>@OZoG2?h*pww@o z5~8wgUw54(Hjp^iuX2+GEn_!(JX=LV26cZ93^_A)tV&jk7HSv5BJdhXt!0Cf#cg)X zkJJ6m3^fSQ&ED1>&+p)QWhn8PLg_SoGn!u?5ja}&Q)ye0R!=hb*FU!ucU*$p*BUd$ zy2s?OVMzDaT~H-w@5i~@L!_DPGiU=Bw@)@b*_2`Xsj9K5yA#^^`w_AZKdWpnirvm3 zH&rDWn-hLiQl9+s6Z-joMu+YFz>tSloc&Y>{2l|Aj-ae5^nI!Hm*Bv!{|5kHT%B(h ztgi|n+CfbhoKR92oIJd0>)caQAMkyT9%{z86Eh0M6Yd994JC-e$waS)H+}u|ma44d zKvkXmd_%yq`WX9RloYWHj5+3}t7yNGdkv*0aPaR%x+Y+&K&mrbLt@5uffhX_m9GJz zL%-)fBFSjUKMZ7cfc|600t+PnGS!POZcFqd#lF6AhO|a@HGp5S0{3KE(I?+Z;@io${X-L9d<`2d z)wVkXxm3>9^O%CkPwwzi`*(|!Vvsh#c1L`CtDbhlNFlc>A6;5_TIyF#uHheVhhh;= z!UiyjVo}ZEeS{TB&Sr5}UHYRcNR42*MEszCiv)zeYW7z}3yAHtjeTPYI+*%&WV}iv zftv?RlIZ`)%%Q;*m`bCKxlgsWM0gL5@Xj$MP@vcF91gTmgs`J`;e$43N)nL;TqAex z7>qMlu?$i-$quz(I8;PT+jLhA>Af=d&e8x$LJw@ z=uwu;Tb`0hOhA8GJPxqV*m=S>LK`t;2tY1G^ZcV~s2bNtbbMv*Spd}uyw4Tz@Gz{e zEXoOKD;oO)S3@u}t0a6`JM6aHo@EnRn}6B8_-*JvZ`~Gp0l$>BxPy9o)2u<5Vw8Os zM?>F>*1jSOKo}EPRJZyH)U2-01<q7y8 z>!HKd2I5E5$-YG9LtyK(7qJ8Syg!+Oz8LUmMxTo_8gAS2BKbUFKTM6Tb_od+s)EM% z6nH8VKq9Z&%4)!GMD|~;_p(^%_XVNsqVzYwYd_5BK%c&{J|B_RrE#@V%i0gsAH*py zJ?-x2$!BNGT+*|JGPVR`hlAtHvqM&9rKSqa?d9fSNSZ+foFRmnXwGd*uD_;A>;RZD zB=Kpu#%bnuD=H1@>A4NEK1Pfc_hOl=Br?n%lrzdCdyjm*(IcXr3xPv{F~e%r@P|v9 znzOS}X^>)YwzbrPP#h5cU?n`Vl;N79GL%7Ze2b#!3doSG++>e2x$Bz?Zp7R?{gKf~ z=Oai~gd(RQb#f!TkUG7M2pcp0h?$-P^rSgT24MpmxmxcgC}zSzl`x{%S?_%;)=zn9 zQYEy(ufx-_@xnj@e-MA4tLU-Z7Y=U)fxQ;ZswkDcZH|G2`l(1@2&dr4sJaSmP% zAtH>0Yuk-1>d3KK0*XE_pHvl**;h@)`#&Y9MV*s77E{jyK--gd?HrdPmzgK;xO$y< zC%sB~vCV4B{N>56SF4N=4_uSm3>jXLjG&Geh~)=NwQ!T#P&*k#qApnxY(jKtSfl87 z^F>%IKUx_ALj5)}skBXFNu^WDIgO#7fA7LT&Hewhb!R{2Tyi0j=s7zs2OlnxLI`Z0 zHTV;c5*54$bIE{L_wkBZ)qsKskwko|VQp;CCd?Aftve>SU_qeNH`ob&ph)|Tf8UA; z(IF}0kJ$eFf;R%_E2*y5HflmpYdA$0gT#kCNrM*f!zmPJ^wTM{9(o3SD$&y*Y|$q0 zH6%Hb5m3!TYTN4KxliaThCllngZ+zX%F?jTCZ_|H#Ckwos_fdUppCSb8~k)_?^hio zN|Wi6qeV4rK)y^286rcnniYaD2Jv*(Zs;*+SpY{7xZ^POj#+@Js2y749~!_U?sz=E zdAWs5QhItz6(#CzmJz5+n&ZyuCSfkDz2~7*O9Y!@QcX#8nu6UZtC$Tl~V+7eN)uFmK|g zF{~!@sC0@4oTzP=xk^O6O-hj*d&EY`gH`|%n>|K+S!+D+bsaTlKsiSwYXTY;(6Sw@ z07~ct&v{}a0~IGRx@U0k(9x@%4lg;Xm) zKyp+&v{!eKnGnPu=3Y_jbJTz#N+zZ~8m*xndjK<`XHLPEyP3gU!&7y%jKT0gPUb#X zr}rk?v(eNsVPQ-?&XB{L&ZjL{JeM^Nz*0{^N^3a&5zm2;zmUYIa7tF(`v&0h56x4s z<sj{M$@}L;PSh6qv8b;dBS|CLr+4PZYKWffH5G95G1y8@Lp7*bVeso$&&4wWH^H`(kuCmv5f`?*)xQ@^c@-?Yt zxDW5~i)qGTPw4w_Gz7ME$o|+~lW#BVwgOG6ufANlP`Aw-GatI5Gb^&9l^*kOgUWNI z9{??8M%&q_-TiGPRE*)O%|(-UJ^wQF}|X9xO5eRZP} zi6{hf5FD4ly1Oc7yxG?IONoY*WZ$AIeTl8B5ZKX*ZDhS{}z4E^0-0r&oV2k({1 zuEgWlx7sDeHDi2lqpxrbYtMam@sFcU$GbM-GlVu*-n+ljlN|a^{R5XTICx zU2t2K?BfTnbwodjv6yMi4~thgPE4N1=sW>xv&^C6VYWpr{{c3IdH=RnJ)7|f4NghO z_h=-^5{FgyL-L~u)c_tV%$EKv0$N1Qf*iS3ugfujLE?u(IRg z5Ix`+iI!ve&`lB_8Z@49n3n)Bw%redbq_RXaUC-wo-Df`(pETwc{|=V5yMFevN%%g z0wXbuebheT|GsPxk=(diOc>iT^};kb^&Ve%?J*cx!!3yM!_rlhjS8PsY=4LymU>Q= zQ2v_gn&;=Ni1=D!6E=Vur(R7o6}=5GfYrF|Y@IGVCcT=I$FGu4%um!cnmBI8{$~q7 zsEFUiY)i=CdHgr87gye`DHs=eE7ENF%(g1PR6m3x!(_@b6A{y8Jefjk%AGYErgHJ> z4=P7?ClZrI^Lffr3+uA&mR6VLu``m!htwn*-v;P-q;q=J#F@Bzp6S}e9aIyv!J?xW z39%rC_QhBE;+))UxX`@A2fgM9Dhz%&8sCD{VN4~#gwsU1l~#HDW6;r<7o`QwmLQPH zhy?9%3`-8b+YKztugf|9`@88jg?(y7ZmUu%b1fbZgW7wKcMPmX=kVN9m7&+8;^tPq zFOoox6gAgvE8-4g|BL+on!-~vRvRlBuZ((jYIeNaYAzXNX`|MAOqYM3d0mLSZIg7$ zAQJ|nuX*+F10v@&oDrZ+JBINdl$6ZOwp;rPRW53K+K|F1e5es<=bYETymIJJaV|k*S-98%4(5O|>k^kHYW8r$3W^IG9VQyO)sx)m z2g;gnI$wD-uKdGk?ovtB%g}olklU1VD)dnsCPZq9p#c$ZyW$o#j@dg~ltZ}AMzs0!&)hA*^JU6Cq% zohn)Qo~1fhrq1$I-FmugnUQC9#4%@LrByfbDU^umP~{NelIV_IblE^9&b4PfNpH_; zd?hBV+-h3WO^~qwTJ-7_-%qk9yT^?9J8odk%jrV#g&%#aEtDZRbUC*JB2U}L`{>de z*BXfIHK-mRqPlXeSn4ust_qJ0^`_9hP`l6HC^OiD(Z}n^YmQEPRelglps&@VI~u;^ zPko{10tx#gfoisvEpi4_BydS+KP&j<@g2=$A$DNxW%RHfo<_ zj}S+H*Z>hqrWdIdbeygo`p}n{oVq|p@ap6`@5=iHt}n4uxTBttrD%ktDX zP&OUZ3)?_<5J;ao0}1R6LIkle6U*G}sCT~G`gBFF$mt|Z*0EGWc1Oy~-_@HTvqp=Y zuJaxc^i;CDz0*emE~XTtrjhNj=^IzF`I;L7QS;UecH|B3+xt+Z*SOIwE#>NVYN{Ep zQfkeoWYRbWs7TVF5=-pi(cQv-a)CJ1>Cev1Mv}=B;^RD<%elK?0cFa~8(imT8Sj7} zV-bk_v&>2(tI1!#v@w+L!{&DeR-sD0w+D_EvmIaDAPn;}d6`%**jM);lLeUFT_9t2 zc~~`yow=g#+)-g+zb(J()y!FUss|#dG0N3?GVe&NIzqPO+f!$YL~elacCn9gvzPQ1 zM)Y1eMt2PhEVmqg5SAA4OzHtNb?sx`FPUir{gqt#N zo^O1k7I)viJv!1xe4J}kwDRV7cbMst_aWXpN#}w)Nzpry9_wdRzmH+*UMH?%+h(Ld~ja8!hJTd8bI~1+^ zTZ?K*W;O4<^x}EFL4K-S-19)WCuQYV1&!}FcJS=?f*Rgb`m$7C>=fb82A|$++$;U& z%fm?;=OtBWu5Lyv@5F_<)@m7?#Y@|&RJMxNaXKb8Pioe{`si<`S$B3Z>&Pd8XR*9x z3l)}a|0H1dN#N?5dwj(s&)Z)obSJHrf@=B8@O#ziGE*&LK$Iv*y||%S_iSybv#G+w zZyMIz2=6HxNKeR97|Ee`{l;*vqJ}|JNxf=sZ|&*_ybW9U#}?0_U*q*Ve=@`D&-YD> zA7*$K`Oltiy1rje$+B{w&C{wxH^cdn6j}ts$>Gdi_i-+~Ru>Aub6<_{{CH!Las8_2 z80%wbOD5rFT!Am|#0>hfpcslYJF?!L(SX-lJPDCorQdF-lvmBH(%Z)Q$`F00$A8{B zW9i&5HTKO7^ml9h&Y#a1jNhMs@o|;K3*pRG#h8&}i>zoR78;@|A4({8vR$-R9_2wz zCBf0bri|`oGE*Hbs74R{RsX$c+o->gc<0U58}8!ncQf`ieMVDqyN6ozmPDf+-YGy} zK=ERP-3TO{z9UFaqi0ny?OXbbCV$>S9SYQm*N}sV89A^y@Mlq^|Kb>YecWwqvA?8v z$XvW^MlDYC&KLC<-n z&Ng_|_W)H+OGeu$PC1Qy=D9<{h`WCDu5HP(CVzt8@D^~xdkD;<;Cl&R`s2U{^2 z9=DdFPJ_BiMv9p8JJc;>vABH31RGt z{7oBsLt}0}4!eK9a>g)u!N_BAdC%`>3-Oo$zYrXa$dQR!*3|0xXa{UpGJUlE4F^B@ zDEkRvUi|M}BdD5Zzjz;0t#U!4<@BNRB26LAd@1u6h`iMCHhi*P+(%23fSGn@8oxFb z@B28ES;VapsQX%UJ}+wO(S3BGB=;5-D-TId+i)>0c9jfzt#MPBdiNgjj>behy)y2i ziVh;3Smeeiy0C?(d=Yjap~HwG^Eme$7TDTjcUj|Ho~Qs*6|AB?o7SnR z2~jF9r}xhFYYs>C%J?sW3H{g4pUfiVN0-kSAPULPfNbjBFPIfZ^7qDE!2FJ0z7$x(t zYK7Y%WI7eg8;d5{Q?>hSPs61SzyTs{$Uh18wWKMQmv)D$YX73I?2JS7hFBiGIn3ND zcYu@?#MsW+0HG9Y?_>aGx4Ji>ULzP%n(#Rqyzq*`*%pz6{PQo#lJyOMiU!lli>iSQ z{CF*ZfS+QW2(o0puNoM!F>eB!_-P&8SmB5`NgO-f_U?UUGlV7OTujd`5?S0Gc-c*L zMoqMoWbO#m9{-M7XXgt1)6Q}9fMC#Ob;aHre=<&t%dG-nl^1Tkh7uQ**(2v-*fUMm zXe}ZWR0swE?;pN0uFcO+2v&c*1obb7(VN$muwOw2CcnQagdF_$QH9JMGjRBw%ehUX z`}oxt27-pzi8qk$0oe43KCyQ1@(Ay>%|Ur>$k1HcaHv}A_bLX z(>UB^w1t>wtm-s#Mn2!Z8>|McQ#Azw<#$8ho2ZFkTV}s}Uu1Li%Cg)Srbso;L6zim zW-v8_)1MnlgsoYPN>;&?)0_IZVz2i6z0&BEjed-|M8_fm<#UL08u#{Q<5DxDlZR2} zv)EAN#@Mcm~dAg-XwvVk@2n5K(x#VZ{q0Y zkOAqoeF6(bg?EH>{`66=v3n^5shBEf_A5p8Qztb(|8VXhJ!+4bNhj#!9u$LVIOYj= zpbS!2!!lRjeb42pw$J7iEw<16Q+A)AKwHbKXf7!!nC|wmV*8%|mSe?W>Yc_6pzfkU)EzXS z#)N>={h}0ayN7dESSG`C<4#jSGCVRYx_U_WQl4RB#?&Lir=QhBWPqug9&N^DUwsb8 z#8pNnhS~c5R%2Bbc66rci3tb6xoALiJ&td)o_^*x?CJExWLn)mCzndi#!QMMQ`}CuCp6&A8uC2<5 z3>{-i6(`@1`)>J7aB!CT@ms*g_Rgp#FFit9>>YzWZVk=;faLfra|X=Kktw=mlM~y; zK%=Krn*nZz;Ngl?@a#Vp1xs-BW>`MC;%!oKtf0Jq8%Jn0YoeDsDRB22N+tC2YTp^~ zIqsz$;`U^)okXptUm?)n!mSQ)a$`o}Ry&&fJ>F;1jZ&Fraeg%I!>D6Y0njcjE!dPqj?v~6dyL&4tT_K`x8_WUCSEA22VO6%luSGt+ ziM5t>yMxDe(Pq0wh@#AYOs?ZhM0l<*dinCm^kBT3ty0V&Q*+B4 z^SLfT7Me}_<1ebB)s;s(+$oj6VUiPZ#^n|5D;g$dv%h?p zS@1zVmLvchybrEaBH!p!t)xTC0IqGz_$tc#`d2!)YtiGQy7@FF4;OX{gS3XGa;SU~ zsF&rWG1UfcTK8BdzAU&(UZM&{jx%b6c(W3VyZuji@NsQF#!J{@9Li>8GS03c0ioJpgDrmrh;wXZm z2uM{FL?(0y5CTCIP!wpikuhI@0*z31-J_SyTlfBVTF0Z%hbnyN>^%Huj<^jGP#ClK|b4i}5ok34=Kyt226kX7Z`S&O$?gJmaP`Bf0=WEZb#wh*Wu>5&n^neY@GkeS=z$ z>uD~kwe~2>UUepP$4FM)KueE*H=q*+_H}d^IBsn=O4|));sDvd{K}1;#Ap@nwV50J zug(@1gbsdiKFGt(b>a~G9sxJ-`L3U2Ba6^R2i)B#P7#10fu9KV?K}5vK#Y6c#Sy*% zCj-Da4bFr?JxD|!=uFK3j}=N%)@oMx^FX)k8=NkQi1^TZI=jd0C#bM9<#ev+M7$4$$}weC*htgG~(rj0(we9)AzNf za4u6q!Bqo_t;pc0q&6Dl^H<0_D}md}E&w-URi=;z+LC$Bk+2HL&Gm#X%zj@34qydV zEXf{%F&2)tAr`9VvmumXaM7d1BJF$W-JTiF`ouEG3m=@YDX*w$lugM7m*fJOdnkah^p&n>t+@gqo*GfU7_2NyX{T``Lysmq`znjqKK1~}*q*QN^a8BN&ztoaM*e&Cj z*n##0gC18aJwL#l?Jyhv2m+M)D|3mD$zENa{Rn~s42}CD`Tf z4j>J*m23J>{@mY$lxJ3NDkTYph`uQ({_-C8wV?KKss{3g4~aj0uX3Gm{ot6V!MYuY zEydj(VCW)vR*7iK=A$o{Es3A*fN}|p>IZ$4D=5M>UjW*N5?S1J%NdPax&d(2yn|`T zcgU=v3xW!9KWV}|fp8&!bh5((>jbFY_x!5qB$w{KHsr=GPTcE{M~2F&C(Alz?43ev zz|g=o)=$&s5_16IrEgC;O!x@p0x$_KW5n*C4kU7N2R?QRjijL$8KF!?qB2dePGPcVJ>aP-B#X;$|HV2S3HbrX69_ znzqBzp_;-rRg!|Kbczf_P&h~aovO9+7;=9hK=d@%1Kaf!#n z%vRvZLA$;lSK{Q!)8ZpU%L5q)dn8YxAiu!a{ve2Al=Z(1P&)cxA0QuO>NV^1p~04U z9ET~4MQwssIv;5rsd-pQbBXKH8Pkt6E)%4GA|IWS>sO z;X%KHGt3_XQ5N2@S*5^so62U+*0@}R+;_;Q8P5i5(J_duP9hFB0{!dqJ-|q=-fc$G z(t!SkTxtL<%uJV~1cwK-wAx6Jx?@p(KEynNdkNE*M>Au1JFMOdT}~K$j-l9$v@T|hba2Jj2Wn({7i`7(pw zUtArw${z&=*583+vpK5|TvZv2hz=)T6jsR%Q3dnU%O@{X{0bYFFJ9(x`0_OC`b@>S z{YIbyLx9_i7fbIoxfs;!H4E6D5KT&EWk3ZHP3${QnD*>$yCK{DKwn+{F^ISYVD?5j zi39GH$mcG`dWwoCV!eCb%YnBJMil#fV!)_w$!0Yp6UdDUzK7Gu98k4jVRN*aLe2H_ zH^P?xaeMF-pm+3i0%7$5^8-6`Xxji-X0tNaLHitY(c3Z-qoC^+qmX@cNqNe#oKJM>a&?+6g|2U13ZJ9@Cq7dL@dBt+xRbUwq;c zV_l0q6)0{FDZ+sIJk#pZFl}xr_^^uA0vV#|+utsa?oR|{2qGd3CeU>UDu-ogL&m9} z-&B-T&nUm_7(&QNa*3s zR_!%4duuu+`=5+-n^rZ0rEE3mUv_v&NmS<|`|Zn00go6aT&bySY5DK5Dw;9zY+9x}>&QkV19NJ;;3BV>L>p{iX-cKMs1p(-8=JeK|Lu zz9>=mQx-+$ z0qUapWB0MOB5%r4N=x;``}&-6?x~=ThmVi92=m*26{bB?*c2jl=ACL@;Z4{FzfZMt zkCl#wzvxA2R2YQ; zZ~VzY=p1_AZev@oH&_00eI@)WKb}WBKN}g=hHbe^yN?pt6Wfmj{uwD3? zkrCRsJf0B|z7*D?DYu(o8zSmqC%B8jC=;@ysU#p0Vnm??R()n3lmg#yD?#**>^7=& zHLzQZy3SOb-zyvccqM9Y<2JhE)Y~W63Is(k?MEGv>I!M|N*-yZ1 zgW8Ys!4EVEL>b&G!cAY92%PDknz}`%0WV|P$E2%XVZsk8Ljc>5BX0DI)*W!VX5pC# z*`H!&UQ1$JJAe$+2poe49r7mL;bMLA3LsqqR}~ssu_H9dPJma#8OvWYd3YdFrl$gN z6lH7$?fIY!XAFB}(5?a2KWP16@o75xjD_zy*YsxvkxHClK>zPl8$p`r~aVu#E^dUvPSvNH?H1`cXBoJ_s@cfqPNYFsMP_X4U4B?*G<-zS(m zFTT5f{37g7XPI8U#&xB&ZGJojM;iaTheG%qv9)8w0DjC{CS`j z2>89FILA>6U%<^@1mYtw`3I|HewCOizJ97B0G8&LiCy@dM}#B{c_V$v5K-CzP}#9u zmQt|%{JD8sR{EO9$3n&O0?6BWP#OOtY{sCK{F81ve1OHKVtQ3mB1l@6!WMRiWV&szf!7?oi zPE#nPFi55ID4WtXXR~#_V*kKy2)#`{pk0xt0Gh=PumsL@3bX6pwJuZmVe;*wkVDxO zJ8UEt;uJEo-%{m`shM}rDGv}8*+$t!0|=TAiz-y^e^M)FK79uzi*~BH!zhrr{7M}y zvS<12?2qTBc{+tJGyNZjs-kXp_k}BjPdiI&=fM24Qdi4+YQc5SCtQ?_rNYD{N`ifq zdo&rc`J+(&S5s^LH}Rf)BHSMd;s?b~oZ-kPmYNW! zt@0R_L~w73BFFWOr&`|wxdnt<;7I1d$HD?PZHiY?TH{i3W~n^!h?3H_tS^%9wYrp^ z#Y52G3q-r-V#UONPxto2QV)^k^LZXKFHufEXVie!001z^6bI3`DW3ac5@FQEcj_Yi(}F;YSf;@+Ut|AOp!?E6tw5gxo_^@XT5mdd;Hc#^UkX*DY^Mt-Riex zyYxP3zJ9*o;9`!J?yKj9Mn9j8e{n5M@5b;vkyT1j@c{>d+aEe#QJaD>3X^W!$m$(p zwcZPef5l^H$FMysd6E>lX2cXft)bzI8@G+1KyP`W4$Rkt2RuzJFLT*86NyTsC{;PS65=X$}7K zuz`^jg>&AEeKa&`0y%?bY4{-@>K_5wk2dk2c@&;GIK<*ST)b5* zUT@(-yUG#`yQ*@tYl|>L?8Zj^1hkU>UXHkXUt>R&f)J939j>brEXUfR@n=lhaDr^- zoCv3mSt_F%4W2~Mke8>4k?Q<1}Q?k_l~0Q`nIT653@WmxxoQ{f=$;!g8&UGJ6djk zM#KzE?5Rs-ZC`zyFgm4Y^Xd;O`I-=ZPqVzdaIB|+j^%NAyq%NB&wq$oH(sDX zhc|vO>_gP*2|w(e_`~DNAGNmXbqm>b-V^Ev>GG+VFryeqM{Qhago zug3O^jaP<$cBKz*{^6ejI+OqT>@uM=);M10@zYl04Z=T3-ZNQEzA)eq{#-rr4iHSuwlPjo7UXss~OXDN*Ifh*k^#|oRLNnpO1t5 z+**qTC*9w8vZr8!r9F$_g11r(6Zrc65fz&p^*mXi@5xa=Q5x9fiXmKpOvM;S{_M_6d_JvVchbQxnqHnm3)66h~Up4cKq(P2bz~9$#D?8Zs(tAm7SR{$9cus9yVm_B}czkRA{iUKP3RY}69J7w& zNCIPk82NVSuKqAzoV__5Vc1CxL1krsWO&Y(LpWwpq{Gv`Hpd6OTd=;D&CM4R2P*J5 z!g`kv->4~2EGkZLyF*q8l{GWA%Z|no`iDD5;hMkZ`i|5s>@5w{Z_ONfV;YkRyJ-yL zn;X7Y4pVUxKD(tu&R{5GclEb#R8&q#4VU|1o1Wbz3Vn%G{(bpyRhH?$sA$12&pN9% zUje<2$Uzv7g7M!!JOw2POkkFB& zyxTkuWZcae376v3)TCKH*J8!O{oWqpZ{rY0RTXJ<3k z4J^lfdD768@NC;(SxAxXT<4i4KA}b!CX&9BvL~0FO*{m311s0#xvIEJR=D(*qDIv8 zVyW_pe1izLpnG!Nio_u{<0NVVDyMXAtDBI-72GUxhGpwUZ`QEdw)iU55zF!jTs2tH zFf3=Q;Evm{c8jj`S>YwOYHqs{@a^>j2Q@Tsxu1feS?4&?n~tzXIwDV}7?=OXH6k)( z1xrWWkhAe&4{)<^J(ikdh7))h?t!7fEWWv5{MY}~faTU;Qo9{*2>5GqF%b~Qq;@MP zj!ErSKpvAOO965GgDk7k!^)YkGv7wB#$M06b2tf^yHh@);sYn>-&9|7z}qr z^u)$&F~`jsyMFN4{#k~KWw_5l5k1r9Dm3S(@lDr40R|i=HHu^3+ml=c43&7R2};<| z`M$Qht@g@9c7$VJCRfY)em6#Elk%>lQ~D=^!P43^vwK{vid*o*ymb4KaJ$l0Ssa0;OVVIzkKOPsA-}8EEIF6z zG<|hG^;0B2r_Q^c4c#^> zqpNuC8h3Eke85hqs#0GEl48YO8;dhWa^Ws?r%hvzz@+!vpHRtZV*W{`cja=$aAxeM zpasxEr0#MHQU;Q2uL!RQ8CuM&clYSs&t-C1e7|PU4s`j~>MEVq%?7zig+&?Z5&Sxe zT}49p-CNOMiHp-=JNaqai#`B<}^#ccU29Y2xwszYFqy z*mH1CPg)%WBsJ+u5)jAVo9hKGgM&#$QBWe2n-~FkOe%^3;+Rwv1;p_WQWSahnzRG( zB*FcjoZbb*F=+=76vzLA>3!H@FJV7Y`d5D8uP8PY4Qp; z{sxnO^6_dx7XbGM`{`pyPX1*WR^TIOL+1YU*ZhBBIo&&T3_3WW^#A2b9$srpgjbFD zRp|h4XZMejYB+W6ZamP0_Hg3`@D>+MjUE5Kz#n2dg-~Dv{|UCH_)9jn=kb<*U*^>;CoX2@ N*TbqxNe2zD{uk+7Ae{gJ literal 0 HcmV?d00001 diff --git a/docs/root/configuration/other_features/reverse_connection.rst b/docs/root/configuration/other_features/reverse_connection.rst new file mode 100644 index 0000000000000..7366f2ba851e6 --- /dev/null +++ b/docs/root/configuration/other_features/reverse_connection.rst @@ -0,0 +1,208 @@ +.. _config_reverse_connection: + +Reverse Connection +------------------ + +Envoy supports reverse connections that enable re-using existing connectionns to access services behind a private network from behind a public network. This feature is designed to solve the challenge of accessing downstream services in private networks from applications behind a firewall or NAT. + +Background +---------- + +The following is an environment where reverse connections are used: + +* There are services behind downstream Envoy instances in a private network. +* There are services behind upstream Envoy instances in a public network. These services cannot access the services behind the downstream Envoy instances using forward connections but need to send requests to them using reverse connections. +* Downstream envoys initiate HTTPS connections to upstream envoy instances, following which upstream envoy caches the connection socket -> these are "reverse connections". +* When a request for a downstream service is received, the upstream Envoy picks an available "reverse connection" or cached connection socket for the downstream cluster and uses it to send the request. + +.. image:: /_static/reverse_connection_concept.png + :alt: Reverse Connection Architecture + :align: center + +Reverse Connection Workflow +--------------------------- + +The following sequence diagram illustrates the workflow for establishing and managing reverse connections: + +.. image:: /_static/reverse_connection_workflow.png + :alt: Reverse Connection Workflow + :align: center + +**Workflow Steps:** + +1. **Create Reverse Connection Listener**: On downstream envoy, reverse connections are initiated by the addition of a reverse connection listener via a LDS update. This makes it easy to pass metadata identifying source Envoy and the remote clusters and reverse tunnel count to each cluster. The upstream clusters are dynamically configurable via CDS. +2. **Initiate Reverse Connections**: The listener calls the reverse connection workflow and initiates raw TCP connections to upstream clusters. This triggers the reverse connection handshake where downstream Envoy should passes metadata identifying itself (node ID, cluster ID) in the reverse connection request. Upstream Envoy will use this to index and store sockets for each downstream node ID by node ID. +3. **Map Connections**: Upstream Envoy accepts the reverse connection handshake and stores the TCP socket mapped to the downstream node ID. +4. **Keepalive**: Reverse connections are long lived connections between downstream and upstream Envoy. Once established, there is a keepalive mechanism to detect connection closure. +6. **Request Routing**: When upstream envoy receives a request that needs to be sent to a downstream service, specific headers indicate which downstream node the request needs to be sent to. Upstream envoy picks a cached socket for the downstream node and sends the request over it. +7. **Connection Closure and Re-initiation**: If a cached reverse connection socket closes on either downstream or upstream envoy, envoy detects it and downstream envoy re-initiates the reverse connection. + +Configuration +------------- + +Reverse connections require different configurations on downstream (on-prem) and upstream (cloud) Envoy instances. The following sections describe the required components for each side. + +Configuration Required on Downstream (On-Prem Envoy) +------------------------------------------------------- + +The downstream Envoy instance initiates reverse connections to upstream clusters. A complete example configuration can be found :repo:`here `. + +**Downstream Socket Interface** + +The downstream socket interface is a bootstrap extension that instantiates necessary components for reverse connection initiation on downstream envoy. + +.. validated-code-block:: yaml + :type-name: envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + +**Reverse Connection Listener** + +Reverse Connections are initiated by the addition of a listener on downstream envoy. The reverse connection listener uses a special address format to encode reverse connection metadata, indicating the local identifiers, and the upstream cluster to which reverse connections need to be initiated, and how many need to be initiated. The local identifiers are crucial as upstream envoy uses them to index and store sockets for each downstream node ID by node ID. + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + - name: reverse_conn_listener + listener_filters_timeout: 0s + listener_filters: + - name: envoy.filters.listener.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + ping_wait_timeout: 10 + address: + socket_address: + address: "rc://node-id:cluster-id:tenant-id@remote-cluster:connection-count" + port_value: 0 + resolver_name: "envoy.resolvers.reverse_connection" + +The address format `rc://` encodes: +- `node-id`: Source node identifier +- `cluster-id`: Source cluster identifier +- `tenant-id`: Source tenant identifier +- `remote-cluster`: Target upstream cluster name +- `connection-count`: Number of reverse connections to establish + +**Reverse Connection Handshake** + +The addition of the reverse connection listener triggers a handshake process between downstream and upstream Envoy instances. The downstream Envoy initiates TCP connections to each host of the upstream cluster, and writes the handshake request on it over HTTP/1.1 POST. + +The handshake request contains a protobuf message with node identification metadata: + +.. validated-code-block:: yaml + :type-name: envoy.extensions.bootstrap.reverse_connection_handshake.v3.ReverseConnHandshakeArg + + POST /reverse_connections/request HTTP/1.1 + Host: {upstream_host} + Accept: */* + Content-length: {protobuf_size} + + {protobuf_body} + +The protobuf message contains: +- `tenant_uuid`: Source tenant identifier +- `cluster_uuid`: Source cluster identifier +- `node_uuid`: Source node identifier + +Upstream Envoy validates whether the request contains the node identifier, and then sends an HTTP response indicating where the reverse connection is accepted or rejected. + +.. validated-code-block:: yaml + :type-name: envoy.extensions.bootstrap.reverse_connection_handshake.v3.ReverseConnHandshakeRet + + HTTP/1.1 200 OK + Content-Type: application/octet-stream + Content-Length: {protobuf_size} + Connection: close + + {protobuf_body} + +The response protobuf contains: +- `status`: ACCEPTED or REJECTED +- `status_message`: Optional error message if rejected + +**Reverse Connection Listener Filter** + +The reverse connection listener filter on downstream envoy owns the socket after the handshake is complete and before data is received on it. It is responsible for replying to TCP keepalives on the socket, and mark the socket dead if replies are not received within a timeout. + +.. validated-code-block:: yaml + :type-name: envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + + listener_filters: + - name: envoy.filters.listener.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + ping_wait_timeout: 10 + +Configuration Required on Upstream (Cloud Envoy) +----------------------------------------------- + +The upstream Envoy instance instantiates components that accept and manage reverse connections from downstream instances. A complete example configuration can be found :repo:`here `. + +**Upstream Socket Interface** + +The upstream socket interface is configured via bootstrap extensions and enables the Envoy instance to accept and manage reverse connections from downstream instances. + +.. validated-code-block:: yaml + :type-name: envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" + +**Reverse Connection HTTP Filter** + +The reverse connection HTTP filter on upstream envoy is responsible for accepting reverse connection handshake from downstream envoy and passing the socket to the upstream socket inteface. +It also exposes the reverse connection API endpoint exposing details like the list of connected clusters via reverse connections. + +.. validated-code-block:: yaml + :type-name: envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + + - name: envoy.filters.http.reverse_conn + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn + ping_interval: 2 + +**Reverse Connection Cluster** + +On upstream envoy, any downstream node that needs to be reached via reverse connection needs to be added as a REVERSE_CONNECTION cluster. Requests to such a node need to be made with: +- Special headers set as indicated in the REVERSE_CONNECTION cluster configuration. By default, the headers are: + - x-remote-node-id: Downstream node ID + - x-dst-cluster-uuid: Downstream cluster ID +- Host Header set to the downstream node/cluster ID +- SNI set to the downstream node ID + +The REVERSE_CONNECTION cluster checks for the uuid in the above sequence, and if found, interfaces with the upstream socket interface and ensures that a cached socket is used to service the request. + +.. validated-code-block:: yaml + :type-name: envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + + - name: reverse_connection_cluster + connect_timeout: 200s + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + http_header_names: + - x-remote-node-id # Downstream node ID + - x-dst-cluster-uuid # Downstream cluster ID + +**Runtime Configuration** + +Enable the following reverse connection on upstream envoy to ensure that it sends a response immediately to the reverse connection handshake request. + +.. code-block:: yaml + + layered_runtime: + layers: + - name: layer + static_layer: + envoy.reloadable_features.reverse_conn_force_local_reply: true + + diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc index 359d04dd47dc8..7343877767ce5 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc @@ -14,6 +14,8 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { +static const std::string reverse_connection_address = "127.0.0.1:0"; + ReverseConnectionAddress::ReverseConnectionAddress(const ReverseConnectionConfig& config) : config_(config) { @@ -21,9 +23,9 @@ ReverseConnectionAddress::ReverseConnectionAddress(const ReverseConnectionConfig logical_name_ = fmt::format("rc://{}:{}:{}@{}:{}", config.src_node_id, config.src_cluster_id, config.src_tenant_id, config.remote_cluster, config.connection_count); - // Use localhost with a random port for the actual address string to pass IP validation + // Use localhost with a static port for the actual address string to pass IP validation // This will be used by the filter chain manager for matching. - address_string_ = "127.0.0.1:0"; + address_string_ = reverse_connection_address; ENVOY_LOG_MISC(info, "Reverse connection address: logical_name={}, address_string={}", logical_name_, address_string_); diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc index 3cbb3f66ca049..4b5942fde7358 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc @@ -61,6 +61,14 @@ ReverseConnectionResolver::extractReverseConnectionConfig( "Invalid source info format. Expected: src_node_id:src_cluster_id:src_tenant_id"); } + // Validate that node_id and cluster_id are not empty. + if (source_parts[0].empty()) { + return absl::InvalidArgumentError("Source node ID cannot be empty"); + } + if (source_parts[1].empty()) { + return absl::InvalidArgumentError("Source cluster ID cannot be empty"); + } + // Parse cluster configuration (cluster_name:count) std::vector cluster_parts = absl::StrSplit(parts[1], ':'); if (cluster_parts.size() != 2) { diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index c8ae239eb9801..ee26b3fd24db3 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -1556,9 +1556,12 @@ ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( Server::Configuration::ServerFactoryContext& context, const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface& config) - : context_(context), config_(config) { - ENVOY_LOG(debug, "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " - "onWorkerThreadInitialized"); + : context_(context), config_(config), + stat_prefix_(config.stat_prefix().empty() ? "reverse_connections" : config.stat_prefix()) { + ENVOY_LOG(debug, + "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " + "onWorkerThreadInitialized with stat_prefix: {}", + stat_prefix_); } void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& host_address, @@ -1571,7 +1574,7 @@ void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& h // Create/update host connection stat with state suffix if (!host_address.empty() && !state_suffix.empty()) { std::string host_stat_name = - fmt::format("reverse_connections.host.{}.{}", host_address, state_suffix); + fmt::format("{}.host.{}.{}", stat_prefix_, host_address, state_suffix); Stats::StatNameManagedStorage host_stat_name_storage(host_stat_name, stats_store.symbolTable()); auto& host_gauge = stats_store.gaugeFromStatName(host_stat_name_storage.statName(), Stats::Gauge::ImportMode::Accumulate); @@ -1589,7 +1592,7 @@ void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& h // Create/update cluster connection stat with state suffix. if (!cluster_id.empty() && !state_suffix.empty()) { std::string cluster_stat_name = - fmt::format("reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + fmt::format("{}.cluster.{}.{}", stat_prefix_, cluster_id, state_suffix); Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, stats_store.symbolTable()); auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), @@ -1628,8 +1631,8 @@ void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats( // Create/update per-worker host connection stat. if (!host_address.empty() && !state_suffix.empty()) { - std::string worker_host_stat_name = fmt::format("reverse_connections.{}.host.{}.{}", - dispatcher_name, host_address, state_suffix); + std::string worker_host_stat_name = + fmt::format("{}.{}.host.{}.{}", stat_prefix_, dispatcher_name, host_address, state_suffix); Stats::StatNameManagedStorage worker_host_stat_name_storage(worker_host_stat_name, stats_store.symbolTable()); auto& worker_host_gauge = stats_store.gaugeFromStatName( @@ -1647,8 +1650,8 @@ void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats( // Create/update per-worker cluster connection stat. if (!cluster_id.empty() && !state_suffix.empty()) { - std::string worker_cluster_stat_name = fmt::format("reverse_connections.{}.cluster.{}.{}", - dispatcher_name, cluster_id, state_suffix); + std::string worker_cluster_stat_name = + fmt::format("{}.{}.cluster.{}.{}", stat_prefix_, dispatcher_name, cluster_id, state_suffix); Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, stats_store.symbolTable()); auto& worker_cluster_gauge = stats_store.gaugeFromStatName( @@ -1671,16 +1674,16 @@ ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { auto& stats_store = context_.scope(); // Iterate through all gauges and filter for cross-worker stats only. - // Cross-worker stats have the pattern "reverse_connections.host.." or - // "reverse_connections.cluster.." (no dispatcher name in the middle). + // Cross-worker stats have the pattern ".host.." or + // ".cluster.." (no dispatcher name in the middle). Stats::IterateFn gauge_callback = - [&stats_map](const Stats::RefcountPtr& gauge) -> bool { + [&stats_map, this](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, gauge->value()); - if (gauge_name.find("reverse_connections.") != std::string::npos && - (gauge_name.find("reverse_connections.host.") != std::string::npos || - gauge_name.find("reverse_connections.cluster.") != std::string::npos) && + if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && + (gauge_name.find(stat_prefix_ + ".host.") != std::string::npos || + gauge_name.find(stat_prefix_ + ".cluster.") != std::string::npos) && gauge->used()) { stats_map[gauge_name] = gauge->value(); } @@ -1709,27 +1712,28 @@ ReverseTunnelInitiatorExtension::getConnectionStatsSync( std::vector accepted_connections; // Process the stats to extract connection information - // For initiator, stats format is: reverse_connections.host.. or - // reverse_connections.cluster.. We only want hosts/clusters with + // For initiator, stats format is: .host.. or + // .cluster.. We only want hosts/clusters with // "connected" state for (const auto& [stat_name, count] : connection_stats) { if (count > 0) { // Parse stat name to extract host/cluster information with state suffix. - if (stat_name.find("reverse_connections.host.") != std::string::npos && + std::string host_pattern = stat_prefix_ + ".host."; + std::string cluster_pattern = stat_prefix_ + ".cluster."; + + if (stat_name.find(host_pattern) != std::string::npos && stat_name.find(".connected") != std::string::npos) { - // Find the position after "reverse_connections.host." and before ".connected". - size_t start_pos = - stat_name.find("reverse_connections.host.") + strlen("reverse_connections.host."); + // Find the position after ".host." and before ".connected". + size_t start_pos = stat_name.find(host_pattern) + host_pattern.length(); size_t end_pos = stat_name.find(".connected"); if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { std::string host_address = stat_name.substr(start_pos, end_pos - start_pos); connected_hosts.push_back(host_address); } - } else if (stat_name.find("reverse_connections.cluster.") != std::string::npos && + } else if (stat_name.find(cluster_pattern) != std::string::npos && stat_name.find(".connected") != std::string::npos) { - // Find the position after "reverse_connections.cluster." and before ".connected". - size_t start_pos = - stat_name.find("reverse_connections.cluster.") + strlen("reverse_connections.cluster."); + // Find the position after ".cluster." and before ".connected". + size_t start_pos = stat_name.find(cluster_pattern) + cluster_pattern.length(); size_t end_pos = stat_name.find(".connected"); if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { std::string cluster_id = stat_name.substr(start_pos, end_pos - start_pos); @@ -1762,11 +1766,11 @@ absl::flat_hash_map ReverseTunnelInitiatorExtension::getP // Iterate through all gauges and filter for the current dispatcher. Stats::IterateFn gauge_callback = - [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { + [&stats_map, &dispatcher_name, this](const Stats::RefcountPtr& gauge) -> bool { const std::string& gauge_name = gauge->name(); ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, gauge->value()); - if (gauge_name.find("reverse_connections.") != std::string::npos && + if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && gauge_name.find(dispatcher_name + ".") != std::string::npos && (gauge_name.find(".host.") != std::string::npos || gauge_name.find(".cluster.") != std::string::npos) && diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h index 3fa4bd464ca44..7d8dde569e1e9 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h @@ -717,6 +717,7 @@ class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: DownstreamReverseConnectionSocketInterface config_; ThreadLocal::TypedSlotPtr tls_slot_; + std::string stat_prefix_; // Reverse connection stats prefix }; /** diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc index 3fb9f3dc7d237..c876bfae5994a 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc @@ -140,6 +140,26 @@ TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidSourc EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid source info format")); } +// Test extraction failure for empty node ID. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigEmptyNodeId) { + auto socket_address = createSocketAddress("rc://:cluster:tenant@remote:5"); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Source node ID cannot be empty")); +} + +// Test extraction failure for empty cluster ID. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigEmptyClusterId) { + auto socket_address = createSocketAddress("rc://node::tenant@remote:5"); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Source cluster ID cannot be empty")); +} + // Test extraction failure for invalid cluster config format. TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidClusterConfig) { auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote"); // Missing count diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index aab00e2c102c2..76e74182d3f41 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -559,9 +559,6 @@ class ReverseTunnelInitiatorTest : public testing::Test { EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - // Create the config. - config_.set_stat_prefix("test_prefix"); - // Create the socket interface. socket_interface_ = std::make_unique(context_); @@ -945,9 +942,6 @@ class ReverseConnectionIOHandleTest : public testing::Test { EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - // Create the config. - config_.set_stat_prefix("test_prefix"); - // Create the socket interface. socket_interface_ = std::make_unique(context_); @@ -1442,6 +1436,9 @@ TEST_F(ReverseConnectionIOHandleTest, NoThreadLocalClusterCannotConnect) { // Verify that CannotConnect gauge was updated for the cluster. auto stat_map = extension_->getCrossWorkerStatMap(); + for (const auto& stat : stat_map) { + std::cout << stat.first << " " << stat.second << std::endl; + } EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], 1); } @@ -2060,6 +2057,74 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionSuccess) { EXPECT_EQ(connection_wrappers.size(), 1); } +// Test that reverse connection initiation works with custom stat scope. +TEST_F(ReverseConnectionIOHandleTest, InitiateReverseConnectionWithCustomScope) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Create config with custom stat prefix. + ReverseConnectionSocketConfig custom_prefix_config; + custom_prefix_config.src_cluster_id = "test-cluster"; + custom_prefix_config.src_node_id = "test-node"; + custom_prefix_config.remote_clusters.push_back(RemoteClusterConnectionConfig("test-cluster", 1)); + + // Create a new extension with custom stat prefix. + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface custom_config; + custom_config.set_stat_prefix("custom_stats"); + + auto custom_extension = + std::make_unique(context_, custom_config); + custom_extension->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Replace the class member io_handle_ with our custom one for this test + auto original_io_handle = std::move(io_handle_); + io_handle_ = std::make_unique(8, // dummy fd + custom_prefix_config, cluster_manager_, + custom_extension.get(), *stats_scope_); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry using helper method. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Set up mock for successful connection. + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection using the helper method - should succeed. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify that Connecting stats are set with custom stat prefix. + auto stat_map = custom_extension->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.custom_stats.host.192.168.1.1.connecting"], 1); + + // Restore the original io_handle_ + io_handle_ = std::move(original_io_handle); +} + // Test maintainClusterConnections skips hosts that already have enough connections. TEST_F(ReverseConnectionIOHandleTest, MaintainClusterConnectionsSkipsHostsWithEnoughConnections) { // Set up thread local slot first so stats can be properly tracked. From 1eeffef30d0f22b48f509231f68d189c1ff03af4 Mon Sep 17 00:00:00 2001 From: Cliff Chen Date: Mon, 25 Aug 2025 22:43:03 +0800 Subject: [PATCH 290/505] Transport Tap/Buffered trace - Submit captured transport streamed trace data as smoothly as possible with the configured chunk size (#40471) Commit Message:Submit captured transport streamed trace data as smoothly as possible with the configured chunk size Additional Description: After PR [35940](https://github.com/envoyproxy/envoy/pull/39540), found: 1) Tapped data isn't even, tapped packet like, 5K, 4K, 40K, 5K, in fact, the configured size is 4K 2) Configured size is 4K, the sent out packet is far bigger than 4K 3) if traffic is low, before closing TCP connection, the less thank 4K data isn't sent in time Therefore, in this PR, enhance all above and let traced data submitted as smoothly as possible with the configured chunk size Notes(8/20/2025): Based on comments, 1) and 2) will **not** covered. Risk Level: low Testing: done load and UT test Docs Changes: done Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: fchen7 --- changelogs/current.yaml | 6 + .../transport_sockets/tap/tap_config_impl.cc | 36 ++++- .../transport_sockets/tap/tap_config_impl.h | 6 + .../tap/tap_config_impl_test.cc | 146 +++++++++++++++--- 4 files changed, 163 insertions(+), 31 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 4495eeb525b54..3b380f3efb75c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -17,6 +17,12 @@ behavior_changes: minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* +- area: tap + change: | + Previously, streamed trace buffered data was only flushed when it reached the configured size. + If the threshold was never met, the data remained buffered until the connection was closed. + With this change, buffered data will be flushed proactively. Specifically, if the buffer does not + reach the configured size but has been held for more than 15 seconds, it will be sent immediately. - area: websocket change: | Allow 4xx and 5xx to go through the filter chain for websocket handshake response check, and the behaviour can be disabled diff --git a/source/extensions/transport_sockets/tap/tap_config_impl.cc b/source/extensions/transport_sockets/tap/tap_config_impl.cc index e7421e51c33a0..1e9f1bc019a08 100644 --- a/source/extensions/transport_sockets/tap/tap_config_impl.cc +++ b/source/extensions/transport_sockets/tap/tap_config_impl.cc @@ -55,9 +55,7 @@ void PerSocketTapperImpl::closeSocket(Network::ConnectionEvent) { initStreamingEvent(event); event.mutable_closed(); // submit directly and don't check current_streamed_rx_tx_bytes_ any more - sink_handle_->submitTrace(std::move(streamed_trace_)); - buffered_trace_.reset(); - current_streamed_rx_tx_bytes_ = 0; + submitStreamedDataPerConfiguredSize(); } else { TapCommon::TraceWrapperPtr trace = makeTraceSegment(); auto& event = *trace->mutable_socket_streamed_trace_segment()->mutable_event(); @@ -106,6 +104,31 @@ bool PerSocketTapperImpl::shouldSendStreamedMsgByConfiguredSize() const { return config_->minStreamedSentBytes() > 0; } +void PerSocketTapperImpl::submitStreamedDataPerConfiguredSize() { + sink_handle_->submitTrace(std::move(streamed_trace_)); + streamed_trace_.reset(); + current_streamed_rx_tx_bytes_ = 0; +} + +bool PerSocketTapperImpl::shouldSubmitStreamedDataPerConfiguredSizeByAgedDuration() const { + if (streamed_trace_ == nullptr) { + return false; + } + const envoy::data::tap::v3::SocketEvents& streamed_events = + streamed_trace_->socket_streamed_trace_segment().events(); + auto& repeated_streamed_events = streamed_events.events(); + if (repeated_streamed_events.size() < 2) { + // Only one event. + return false; + } + + const Protobuf::Timestamp& first_event_ts = repeated_streamed_events[0].timestamp(); + const Protobuf::Timestamp& last_event_ts = + repeated_streamed_events[repeated_streamed_events.size() - 1].timestamp(); + return (last_event_ts.seconds() - first_event_ts.seconds()) >= + static_cast(DefaultBufferedAgedDuration); +} + void PerSocketTapperImpl::handleSendingStreamTappedMsgPerConfigSize(const Buffer::Instance& data, const uint32_t total_bytes, const bool is_read, @@ -127,10 +150,9 @@ void PerSocketTapperImpl::handleSendingStreamTappedMsgPerConfigSize(const Buffer current_streamed_rx_tx_bytes_ += event.write().data().as_bytes().size(); } - if (current_streamed_rx_tx_bytes_ >= config_->minStreamedSentBytes()) { - sink_handle_->submitTrace(std::move(streamed_trace_)); - streamed_trace_.reset(); - current_streamed_rx_tx_bytes_ = 0; + if (current_streamed_rx_tx_bytes_ >= config_->minStreamedSentBytes() || + shouldSubmitStreamedDataPerConfiguredSizeByAgedDuration()) { + submitStreamedDataPerConfiguredSize(); pegSubmitCounter(true); } } diff --git a/source/extensions/transport_sockets/tap/tap_config_impl.h b/source/extensions/transport_sockets/tap/tap_config_impl.h index 2c47b432a5565..19c2798cfc2c7 100644 --- a/source/extensions/transport_sockets/tap/tap_config_impl.h +++ b/source/extensions/transport_sockets/tap/tap_config_impl.h @@ -48,6 +48,8 @@ class PerSocketTapperImpl : public PerSocketTapper { } void pegSubmitCounter(const bool is_streaming); bool shouldSendStreamedMsgByConfiguredSize() const; + bool shouldSubmitStreamedDataPerConfiguredSizeByAgedDuration() const; + void submitStreamedDataPerConfiguredSize(); void handleSendingStreamTappedMsgPerConfigSize(const Buffer::Instance& data, const uint32_t total_bytes, const bool is_read, const bool is_end_stream); @@ -55,6 +57,10 @@ class PerSocketTapperImpl : public PerSocketTapper { // (This means that per transport socket buffer trace, the minimum amount // which triggering to send the tapped messages size is 9 bytes). static constexpr uint32_t DefaultMinBufferedBytes = 9; + // It isn't easy to meet data submit threshold when the configured byte size is too large + // and the tapped data volume is low, therefore, set below buffer aged duration (seconds) + // to make sure that the tapped data is submitted in time. + static constexpr uint32_t DefaultBufferedAgedDuration = 15; SocketTapConfigSharedPtr config_; Extensions::Common::Tap::PerTapSinkHandleManagerPtr sink_handle_; const Network::Connection& connection_; diff --git a/test/extensions/transport_sockets/tap/tap_config_impl_test.cc b/test/extensions/transport_sockets/tap/tap_config_impl_test.cc index 5dd98221543fa..397e04eca2190 100644 --- a/test/extensions/transport_sockets/tap/tap_config_impl_test.cc +++ b/test/extensions/transport_sockets/tap/tap_config_impl_test.cc @@ -371,8 +371,8 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsFalse) { pegging_counter_ = local_pegging_counter; } -// Verify the full streaming flow for submiting tapped message on all cases -// When send_streamed_msg_on_configured_size_ is True. +// Verify the full streaming flow for submiting tapped message on all cases. +// When the send_streamed_msg_on_configured_size_ is True. TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrue) { // Keep the original value. bool local_output_conn_info_per_event = output_conn_info_per_event_; @@ -382,7 +382,6 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrue) { bool local_send_streamed_msg_on_configured_size_ = send_streamed_msg_on_configured_size_; send_streamed_msg_on_configured_size_ = true; bool local_default_min_buffered_bytes = default_min_buffered_bytes_; - default_min_buffered_bytes_ = 15; // Submit when the transport socket is created. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( @@ -403,7 +402,10 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrue) { InSequence s; - // Submit when the transport socket is gotten read event + // Submit the single read event. + default_min_buffered_bytes_ = 50; + EXPECT_CALL(*config_, minStreamedSentBytes()).WillRepeatedly(Return(default_min_buffered_bytes_)); + EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -426,7 +428,8 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrue) { )EOF"))); tapper_->onRead(Buffer::OwnedImpl("Test transport socket tap buffered data onRead submit"), 53); - // Submit when the transport socket is gotten write event + // Submit the single write event. + EXPECT_CALL(*config_, minStreamedSentBytes()).WillRepeatedly(Return(default_min_buffered_bytes_)); EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -452,7 +455,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrue) { tapper_->onWrite(Buffer::OwnedImpl("Test transport socket tap buffered data onWrite submit"), 54, true); - // Submit when the transport socket is gotten close event + // Submit when the transport socket is gotten close event. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -474,15 +477,16 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrue) { time_system_.setSystemTime(std::chrono::seconds(2)); tapper_->closeSocket(Network::ConnectionEvent::RemoteClose); - // Restore the value + // Restore the value. output_conn_info_per_event_ = local_output_conn_info_per_event; pegging_counter_ = local_pegging_counter; send_streamed_msg_on_configured_size_ = local_send_streamed_msg_on_configured_size_; default_min_buffered_bytes_ = local_default_min_buffered_bytes; } -// Verify the full streaming flow for submiting tapped message on all cases -// When send_streamed_msg_on_configured_size_ is True and two read events +// Verify the full streaming flow for submiting tapped message on all cases. +// When the send_streamed_msg_on_configured_size_ is True and two read events. +// and submitted because aged duration is reached threshold. TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEvents) { // Keep the original value. bool local_output_conn_info_per_event = output_conn_info_per_event_; @@ -492,9 +496,9 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEve bool local_send_streamed_msg_on_configured_size_ = send_streamed_msg_on_configured_size_; send_streamed_msg_on_configured_size_ = true; bool local_default_min_buffered_bytes = default_min_buffered_bytes_; - default_min_buffered_bytes_ = 100; + default_min_buffered_bytes_ = 120; - // Submit when the transport socket is created + // Submit when the transport socket is created. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -513,7 +517,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEve InSequence s; - // Submit when the transport socket is gotten read event + // Store the read event. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -533,7 +537,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEve socket_address: address: 10.0.0.3 port_value: 50000 - - timestamp: 1970-01-01T00:00:01Z + - timestamp: 1970-01-01T00:00:15Z read: data: as_bytes: VGVzdCB0cmFuc3BvcnQgc29ja2V0IHRhcCBidWZmZXJlZCBkYXRhIG9uUmVhZCBzdWJtaXQ= @@ -548,10 +552,10 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEve port_value: 50000 )EOF"))); tapper_->onRead(Buffer::OwnedImpl("Test transport socket tap buffered data onRead submit"), 53); - time_system_.setSystemTime(std::chrono::seconds(1)); + time_system_.setSystemTime(std::chrono::seconds(15)); tapper_->onRead(Buffer::OwnedImpl("Test transport socket tap buffered data onRead submit"), 53); - // Submit when the transport socket is gotten close event + // Submit when the transport socket is gotten close event. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -573,7 +577,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEve time_system_.setSystemTime(std::chrono::seconds(2)); tapper_->closeSocket(Network::ConnectionEvent::RemoteClose); - // Restore the value + // Restore the value. output_conn_info_per_event_ = local_output_conn_info_per_event; pegging_counter_ = local_pegging_counter; send_streamed_msg_on_configured_size_ = local_send_streamed_msg_on_configured_size_; @@ -581,7 +585,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueTwoReadEve } // Verify the full streaming flow for submiting tapped message on all cases -// When send_streamed_msg_on_configured_size_ is True and two write events +// When the send_streamed_msg_on_configured_size_ is True and two write events TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTruetwoWriteEvents) { // Keep the original value. bool local_output_conn_info_per_event = output_conn_info_per_event_; @@ -591,9 +595,9 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTruetwoWriteEv bool local_send_streamed_msg_on_configured_size_ = send_streamed_msg_on_configured_size_; send_streamed_msg_on_configured_size_ = true; bool local_default_min_buffered_bytes = default_min_buffered_bytes_; - default_min_buffered_bytes_ = 100; + default_min_buffered_bytes_ = 120; - // Submit when the transport socket is created + // Submit when the transport socket is created. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -612,7 +616,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTruetwoWriteEv InSequence s; - // Submit when the transport socket is gotten write event + // Submit when the aged duration is equal 12. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -633,7 +637,7 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTruetwoWriteEv socket_address: address: 10.0.0.3 port_value: 50000 - - timestamp: 1970-01-01T00:00:01Z + - timestamp: 1970-01-01T00:00:15Z write: data: as_bytes: VGVzdCB0cmFuc3BvcnQgc29ja2V0IHRhcCBidWZmZXJlZCBkYXRhIG9uV3JpdGUgc3VibWl0 @@ -650,11 +654,11 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTruetwoWriteEv )EOF"))); tapper_->onWrite(Buffer::OwnedImpl("Test transport socket tap buffered data onWrite submit"), 54, true); - time_system_.setSystemTime(std::chrono::seconds(1)); + time_system_.setSystemTime(std::chrono::seconds(15)); tapper_->onWrite(Buffer::OwnedImpl("Test transport socket tap buffered data onWrite submit"), 54, true); - // Submit when the transport socket is gotten close event + // Submit when the transport socket is gotten close event. EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( R"EOF( socket_streamed_trace_segment: @@ -676,7 +680,101 @@ TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTruetwoWriteEv time_system_.setSystemTime(std::chrono::seconds(2)); tapper_->closeSocket(Network::ConnectionEvent::RemoteClose); - // Restore the value + // Restore the value. + output_conn_info_per_event_ = local_output_conn_info_per_event; + pegging_counter_ = local_pegging_counter; + send_streamed_msg_on_configured_size_ = local_send_streamed_msg_on_configured_size_; + default_min_buffered_bytes_ = local_default_min_buffered_bytes; +} + +// All data are submitted in close event +TEST_F(PerSocketTapperImplTest, StreamingFlowWhenSendStreamedMsgIsTrueInCloseEvents) { + // Keep the original value. + bool local_output_conn_info_per_event = output_conn_info_per_event_; + output_conn_info_per_event_ = true; + bool local_pegging_counter = pegging_counter_; + pegging_counter_ = true; + bool local_send_streamed_msg_on_configured_size_ = send_streamed_msg_on_configured_size_; + send_streamed_msg_on_configured_size_ = true; + bool local_default_min_buffered_bytes = default_min_buffered_bytes_; + default_min_buffered_bytes_ = 128; + + // Submit when the transport socket is created. + EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( + R"EOF( +socket_streamed_trace_segment: + trace_id: 1 + connection: + local_address: + socket_address: + address: 127.0.0.1 + port_value: 1000 + remote_address: + socket_address: + address: 10.0.0.3 + port_value: 50000 +)EOF"))); + setup(true); + + InSequence s; + + time_system_.setSystemTime(std::chrono::seconds(1)); + EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( + R"EOF( +socket_streamed_trace_segment: + trace_id: 1 + events: + events: + - timestamp: 1970-01-01T00:00:01Z + read: + data: + as_bytes: VGVzdCB0cmFuc3BvcnQgc29ja2V0IHRhcCBidWZmZXJlZCBkYXRhIG9uUmVhZCBzdWJtaXQ= + + connection: + local_address: + socket_address: + address: 127.0.0.1 + port_value: 1000 + remote_address: + socket_address: + address: 10.0.0.3 + port_value: 50000 + - timestamp: 1970-01-01T00:00:02Z + write: + data: + as_bytes: VGVzdCB0cmFuc3BvcnQgc29ja2V0IHRhcCBidWZmZXJlZCBkYXRhIG9uV3JpdGUgc3VibWl0 + + end_stream: true + connection: + local_address: + socket_address: + address: 127.0.0.1 + port_value: 1000 + remote_address: + socket_address: + address: 10.0.0.3 + port_value: 50000 + - timestamp: 1970-01-01T00:00:03Z + closed: {} + connection: + local_address: + socket_address: + address: 127.0.0.1 + port_value: 1000 + remote_address: + socket_address: + address: 10.0.0.3 + port_value: 50000 +)EOF"))); + tapper_->onRead(Buffer::OwnedImpl("Test transport socket tap buffered data onRead submit"), 53); + time_system_.setSystemTime(std::chrono::seconds(2)); + tapper_->onWrite(Buffer::OwnedImpl("Test transport socket tap buffered data onWrite submit"), 54, + true); + + time_system_.setSystemTime(std::chrono::seconds(3)); + tapper_->closeSocket(Network::ConnectionEvent::RemoteClose); + + // Restore the value. output_conn_info_per_event_ = local_output_conn_info_per_event; pegging_counter_ = local_pegging_counter; send_streamed_msg_on_configured_size_ = local_send_streamed_msg_on_configured_size_; From 6fde43c99cdc7b2f518f570d754eaae262960ef9 Mon Sep 17 00:00:00 2001 From: Greg Greenway Date: Mon, 25 Aug 2025 13:04:13 -0700 Subject: [PATCH 291/505] upstream: clarify docs for PrioritySet update callbacks (#40850) Signed-off-by: Greg Greenway --- envoy/upstream/upstream.h | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/envoy/upstream/upstream.h b/envoy/upstream/upstream.h index 380a70e900871..bc25159891814 100644 --- a/envoy/upstream/upstream.h +++ b/envoy/upstream/upstream.h @@ -519,24 +519,28 @@ class PrioritySet { virtual ~PrioritySet() = default; /** - * Install a callback that will be invoked when any of the HostSets in the PrioritySet changes. - * hosts_added and hosts_removed will only be populated when a host is added or completely removed - * from the PrioritySet. - * This includes when a new HostSet is created. + * Install a callback that will be invoked when anything on any host in the PrioritySet is + * changed. + * + * hosts_added and hosts_removed will only be populated when a host is added or + * completely removed from the PrioritySet. This includes when a new HostSet is created. * * @param callback supplies the callback to invoke. - * @return Common::CallbackHandlePtr a handle which can be used to unregister the callback. + * @return Common::CallbackHandlePtr a handle which unregisters the callback upon its destruction. */ ABSL_MUST_USE_RESULT virtual Common::CallbackHandlePtr addMemberUpdateCb(MemberUpdateCb callback) const PURE; /** - * Install a callback that will be invoked when a host set changes. Triggers when any change - * happens to the hosts within the host set. If hosts are added/removed from the host set, the - * added/removed hosts will be passed to the callback. + * Install a callback that will be invoked when a host changes. Triggers when any change + * happens to the hosts within that priority, and is invoked once for each priority that has a + * change. + * + * If hosts are added/removed from the host set, the added/removed hosts will be passed to + * the callback. * * @param callback supplies the callback to invoke. - * @return Common::CallbackHandlePtr a handle which can be used to unregister the callback. + * @return Common::CallbackHandlePtr a handle which unregisters the callback upon its destruction. */ ABSL_MUST_USE_RESULT virtual Common::CallbackHandlePtr addPriorityUpdateCb(PriorityUpdateCb callback) const PURE; From 9e15fa972d987b9e7d3cab99dec1b5c84782d170 Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Tue, 26 Aug 2025 03:44:03 +0530 Subject: [PATCH 292/505] fix ConnectedStateValue enum to have proper enum case (#40845) Commit Message: fix ConnectedStateValue enum to have proper enum case Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Signed-off-by: Rama Chavali --- source/extensions/config_subscription/grpc/grpc_mux_impl.cc | 6 +++--- source/extensions/config_subscription/grpc/grpc_stream.h | 4 ++-- .../config_subscription/grpc/new_grpc_mux_impl.cc | 6 +++--- .../config_subscription/grpc/xds_mux/grpc_mux_impl.cc | 6 +++--- .../extensions/config_subscription/grpc/grpc_stream_test.cc | 4 ++-- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/source/extensions/config_subscription/grpc/grpc_mux_impl.cc b/source/extensions/config_subscription/grpc/grpc_mux_impl.cc index 907ec17b2b0db..3832b2778fade 100644 --- a/source/extensions/config_subscription/grpc/grpc_mux_impl.cc +++ b/source/extensions/config_subscription/grpc/grpc_mux_impl.cc @@ -104,7 +104,7 @@ GrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client std::move(backoff_strategy), rate_limit_settings, GrpcStream::ConnectedStateValue:: - FIRST_ENTRY); + FirstEntry); }, /*failover_stream_creator=*/ failover_async_client @@ -129,7 +129,7 @@ GrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client rate_limit_settings, GrpcStream:: - ConnectedStateValue::SECOND_ENTRY); + ConnectedStateValue::SecondEntry); }) : absl::nullopt, /*grpc_mux_callbacks=*/*this, @@ -141,7 +141,7 @@ GrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_client std::move(backoff_strategy), rate_limit_settings, GrpcStream< envoy::service::discovery::v3::DiscoveryRequest, - envoy::service::discovery::v3::DiscoveryResponse>::ConnectedStateValue::FIRST_ENTRY); + envoy::service::discovery::v3::DiscoveryResponse>::ConnectedStateValue::FirstEntry); } GrpcMuxImpl::~GrpcMuxImpl() { AllMuxes::get().erase(this); } diff --git a/source/extensions/config_subscription/grpc/grpc_stream.h b/source/extensions/config_subscription/grpc/grpc_stream.h index 60d7a7c789ac6..4eeaa6f08f227 100644 --- a/source/extensions/config_subscription/grpc/grpc_stream.h +++ b/source/extensions/config_subscription/grpc/grpc_stream.h @@ -29,9 +29,9 @@ class GrpcStream : public GrpcStreamInterface, // The entry value corresponding to the grpc stream's configuration entry index. enum class ConnectedStateValue { // The first entry in the config corresponds to the primary xDS source. - FIRST_ENTRY = 1, + FirstEntry = 1, // The second entry in the config corresponds to the failover xDS source. - SECOND_ENTRY + SecondEntry }; GrpcStream(GrpcStreamCallbacks* callbacks, diff --git a/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc b/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc index 80406edb4c604..6d2202d660265 100644 --- a/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc +++ b/source/extensions/config_subscription/grpc/new_grpc_mux_impl.cc @@ -78,7 +78,7 @@ NewGrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_cli std::move(backoff_strategy), rate_limit_settings, GrpcStream:: - ConnectedStateValue::FIRST_ENTRY); + ConnectedStateValue::FirstEntry); }, /*failover_stream_creator=*/ failover_async_client @@ -104,7 +104,7 @@ NewGrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_cli rate_limit_settings, GrpcStream:: - ConnectedStateValue::SECOND_ENTRY); + ConnectedStateValue::SecondEntry); }) : absl::nullopt, /*grpc_mux_callbacks=*/*this, @@ -116,7 +116,7 @@ NewGrpcMuxImpl::createGrpcStreamObject(Grpc::RawAsyncClientSharedPtr&& async_cli std::move(backoff_strategy), rate_limit_settings, GrpcStream< envoy::service::discovery::v3::DeltaDiscoveryRequest, - envoy::service::discovery::v3::DeltaDiscoveryResponse>::ConnectedStateValue::FIRST_ENTRY); + envoy::service::discovery::v3::DeltaDiscoveryResponse>::ConnectedStateValue::FirstEntry); } NewGrpcMuxImpl::~NewGrpcMuxImpl() { AllMuxes::get().erase(this); } diff --git a/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc b/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc index e261c81aa045a..526a67cd826f5 100644 --- a/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc +++ b/source/extensions/config_subscription/grpc/xds_mux/grpc_mux_impl.cc @@ -78,7 +78,7 @@ std::unique_ptr> GrpcMuxImpl::createGr return std::make_unique>( callbacks, std::move(async_client), service_method, dispatcher, scope, std::move(backoff_strategy), rate_limit_settings, - GrpcStream::ConnectedStateValue::FIRST_ENTRY); + GrpcStream::ConnectedStateValue::FirstEntry); }, /*failover_stream_creator=*/ failover_async_client @@ -93,7 +93,7 @@ std::unique_ptr> GrpcMuxImpl::createGr // be the same as the primary source. std::make_unique( GrpcMuxFailover::DefaultFailoverBackoffMilliseconds), - rate_limit_settings, GrpcStream::ConnectedStateValue::SECOND_ENTRY); + rate_limit_settings, GrpcStream::ConnectedStateValue::SecondEntry); }) : absl::nullopt, /*grpc_mux_callbacks=*/*this, @@ -102,7 +102,7 @@ std::unique_ptr> GrpcMuxImpl::createGr return std::make_unique>(this, std::move(async_client), service_method, dispatcher_, scope, std::move(backoff_strategy), rate_limit_settings, - GrpcStream::ConnectedStateValue::FIRST_ENTRY); + GrpcStream::ConnectedStateValue::FirstEntry); } template GrpcMuxImpl::~GrpcMuxImpl() { diff --git a/test/extensions/config_subscription/grpc/grpc_stream_test.cc b/test/extensions/config_subscription/grpc/grpc_stream_test.cc index 2ef55b4b367bf..ebe23e6e82c39 100644 --- a/test/extensions/config_subscription/grpc/grpc_stream_test.cc +++ b/test/extensions/config_subscription/grpc/grpc_stream_test.cc @@ -39,7 +39,7 @@ class GrpcStreamTest : public testing::Test { dispatcher_, *stats_.rootScope(), std::move(backoff_strategy_), rate_limit_settings_, GrpcStream::ConnectedStateValue:: - FIRST_ENTRY)) {} + FirstEntry)) {} void setUpCustomBackoffRetryTimer(uint32_t retry_initial_delay_ms, absl::optional retry_max_delay_ms, @@ -59,7 +59,7 @@ class GrpcStreamTest : public testing::Test { dispatcher_, *stats_.rootScope(), std::move(backoff_strategy_), rate_limit_settings_, GrpcStream< envoy::service::discovery::v3::DiscoveryRequest, - envoy::service::discovery::v3::DiscoveryResponse>::ConnectedStateValue::FIRST_ENTRY); + envoy::service::discovery::v3::DiscoveryResponse>::ConnectedStateValue::FirstEntry); } NiceMock dispatcher_; From 676c27603547e20598c191f5abfeacfffcdf1c23 Mon Sep 17 00:00:00 2001 From: Kevin Baichoo Date: Mon, 25 Aug 2025 18:57:18 -0400 Subject: [PATCH 293/505] Docs: Overload Manager clarify docs (#40852) Commit Message: Docs: Overload Manager clarify docs Additional Description: Risk Level: n/a Testing: n/a Docs Changes: yes Release Notes: n/a Platform Specific Features: Fixes #40831 Signed-off-by: Kevin Baichoo --- api/envoy/config/overload/v3/overload.proto | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/api/envoy/config/overload/v3/overload.proto b/api/envoy/config/overload/v3/overload.proto index 1f267c1863da3..245010221fa8e 100644 --- a/api/envoy/config/overload/v3/overload.proto +++ b/api/envoy/config/overload/v3/overload.proto @@ -134,9 +134,16 @@ message OverloadAction { option (udpa.annotations.versioning).previous_message_type = "envoy.config.overload.v2alpha.OverloadAction"; - // The name of the overload action. This is just a well-known string that listeners can - // use for registering callbacks. Custom overload actions should be named using reverse - // DNS to ensure uniqueness. + // The name of the overload action. This is just a well-known string that + // listeners can use for registering callbacks. + // Valid known overload actions include: + // - envoy.overload_actions.stop_accepting_requests + // - envoy.overload_actions.disable_http_keepalive + // - envoy.overload_actions.stop_accepting_connections + // - envoy.overload_actions.reject_incoming_connections + // - envoy.overload_actions.shrink_heap + // - envoy.overload_actions.reduce_timeouts + // - envoy.overload_actions.reset_high_memory_stream string name = 1 [(validate.rules).string = {min_len: 1}]; // A set of triggers for this action. The state of the action is the maximum @@ -148,7 +155,7 @@ message OverloadAction { // in this list. repeated Trigger triggers = 2 [(validate.rules).repeated = {min_items: 1}]; - // Configuration for the action being instantiated. + // Configuration for the action being instantiated if applicable. google.protobuf.Any typed_config = 3; } From 2259b4aa10b2889d69bc00df200a15c1a8e77deb Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Mon, 25 Aug 2025 21:55:52 -0400 Subject: [PATCH 294/505] Set larger request buffer size if configured (#40849) Add plumbing for the larger request buffer size into the filter manager buffer. Risk Level: low Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/router/router.cc | 10 ++++ test/integration/protocol_integration_test.cc | 56 +++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/source/common/router/router.cc b/source/common/router/router.cc index b3d24c1d23a4f..52ac0037bcbaf 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -585,6 +585,16 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, return Http::FilterHeadersStatus::StopIteration; } + // If large request buffering is enabled and its size is more than current buffer limit, update + // the buffer limit to a new larger value. + uint64_t effective_buffer_limit = calculateEffectiveBufferLimit(); + if (effective_buffer_limit != std::numeric_limits::max() && + effective_buffer_limit > callbacks_->decoderBufferLimit()) { + ENVOY_STREAM_LOG(debug, "Setting new filter manager buffer limit: {}", *callbacks_, + effective_buffer_limit); + callbacks_->setDecoderBufferLimit(effective_buffer_limit); + } + // Increment the attempt count from 0 to 1 at the first upstream request. attempt_count_++; callbacks_->streamInfo().setAttemptCount(attempt_count_); diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 2d36148c6496b..45f0881af079e 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -1066,6 +1066,62 @@ TEST_P(ProtocolIntegrationTest, Retry) { BytesCountExpectation(2204, 520, 150, 6)); } +TEST_P(ProtocolIntegrationTest, RetryWithBodyLargerThanNetworkBuffer) { + // Set the network buffer to be 16KB. + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + RELEASE_ASSERT(bootstrap.mutable_static_resources()->listeners_size() >= 1, ""); + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + + listener->mutable_per_connection_buffer_limit_bytes()->set_value(16 * 1024); + }); + // Set the request body buffer limit to be 1MB so it can retry requests up to 1MB. + config_helper_.addConfigModifier( + [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) { + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_request_body_buffer_limit() + ->set_value(1024 * 1024); + }); + + initialize(); + codec_client_ = makeHttpConnection(lookupPort("http")); + // Send a request with 64Kb body so it is larger than the network 16Kb buffer. + constexpr uint32_t kRequestBodySize = 64 * 1024; + auto response = codec_client_->makeRequestWithBody( + Http::TestRequestHeaderMapImpl{{":method", "POST"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", "sni.lyft.com"}, + {"x-forwarded-for", "10.0.0.1"}, + {"x-envoy-retry-on", "5xx"}}, + kRequestBodySize); + waitForNextUpstreamRequest(); + // Note that 503 is sent with end_stream=false (response with body). This will cause Envoy to + // reset the response because it knows it is going to retry the request and it does not need the + // response body. + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "503"}}, false); + if (fake_upstreams_[0]->httpType() == Http::CodecType::HTTP1) { + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_, + std::chrono::milliseconds(500))); + } else { + ASSERT_TRUE(upstream_request_->waitForReset()); + } + + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, false); + upstream_request_->encodeData(512, true); + + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_TRUE(upstream_request_->complete()); + EXPECT_EQ(kRequestBodySize, upstream_request_->bodyLength()); + + EXPECT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); + EXPECT_EQ(512U, response->body().size()); +} + // Regression test to guarantee that buffering for retries and shadows doesn't double the body size. // This test is actually irrelevant for QUIC, as this issue only shows up with header-only requests. // QUIC will always send an empty data frame with FIN. From d9e0412bd471a80e0938102c0c8cbff1caedd4cf Mon Sep 17 00:00:00 2001 From: Gustavo Moyano Date: Mon, 25 Aug 2025 23:48:55 -0300 Subject: [PATCH 295/505] oauth2: fix passthrough logic to avoid modifying request when skipping filter (#40718) ### Description This PR fixes a bug introduced in PR #40228, where OAuth2 cookies were removed for requests matching the `pass_through_matcher` configuration. This broke setups with multiple OAuth2 filter instances using different `pass_through_matcher` configurations, because the first matching instance removed the OAuth2 cookies--even when a passthrough was intended--impacting subsequent filters that still needed those cookies. The changes in this PR realign the filter behavior with the documentation, which states that `pass_through_matcher` provides an interface for users to specify header matching criteria such that, when applicable, the OAuth flow is entirely skipped. When this occurs, only the `oauth_passthrough` metric is incremented; no cookies or request headers are modified, and no OAuth success is recorded. In summary, when the `pass_through_matcher` configuration matches, the filter should simply skip processing and leave the request untouched. --- **Commit Message:** oauth2: fix passthrough logic to avoid modifying request when skipping filter **Risk Level:** Low **Testing:** Unit test added and single page app test fixed by [envoyproxy/examples PR #819](https://github.com/envoyproxy/examples/pull/819) **Docs Changes:** N/A **Release Notes:** Added **Platform Specific Features:** N/A --------- Signed-off-by: Gustavo Moyano --- changelogs/current.yaml | 6 ++++ .../extensions/filters/http/oauth2/filter.cc | 20 ++++++------ .../filters/http/oauth2/filter_test.cc | 32 +++++++++++++++++++ 3 files changed, 47 insertions(+), 11 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 3b380f3efb75c..923f3e4165568 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -77,6 +77,12 @@ bug_fixes: - area: aws change: | Adds missing session name, session duration and externalid parameters in assumerole credentials provider. +- area: oauth2 + change: | + Fixed a bug introduced in PR [#40228](https://github.com/envoyproxy/envoy/pull/40228), where OAuth2 cookies were + removed for requests matching the ``pass_through_matcher`` configuration. This broke setups with multiple OAuth2 + filter instances using different ``pass_through_matcher`` configurations, because the first matching instance removed + the OAuth2 cookies--even when a passthrough was intended--impacting subsequent filters that still needed those cookies. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index db290adc838ae..a0aab5445da15 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -574,24 +574,22 @@ OAuth2Filter::OAuth2Filter(FilterConfigSharedPtr config, * 5) user is unauthorized */ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& headers, bool) { - // Decrypt the OAuth tokens and update the corresponding cookies in the request headers - // before forwarding the request upstream. This step must occur early to ensure that - // other parts of the filter can access the decrypted tokens—for example, to calculate - // the HMAC for the cookies. - decryptAndUpdateOAuthTokenCookies(headers); - - // Skip Filter and continue chain if a Passthrough header is matching - // Must be done before the sanitation of the authorization header, - // otherwise the authorization header might be altered or removed + // Skip Filter and continue chain if a Passthrough header is matching. + // Only increment counters here; do not modify request headers, as there may be + // other instances of this filter configured that still need to process the request. for (const auto& matcher : config_->passThroughMatchers()) { if (matcher->matchesHeaders(headers)) { config_->stats().oauth_passthrough_.inc(); - // Remove OAuth flow cookies to prevent them from being sent upstream. - removeOAuthFlowCookies(headers); return Http::FilterHeadersStatus::Continue; } } + // Decrypt the OAuth tokens and update the corresponding cookies in the request headers + // before forwarding the request upstream. This step must occur early to ensure that + // other parts of the filter can access the decrypted tokens—for example, to calculate + // the HMAC for the cookies. + decryptAndUpdateOAuthTokenCookies(headers); + // Only sanitize the Authorization header if preserveAuthorizationHeader is false if (!config_->preserveAuthorizationHeader()) { // Sanitize the Authorization header, since we have no way to validate its content. Also, diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 9fa62e44a06b6..235a62e157648 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -3737,6 +3737,38 @@ TEST_F(OAuth2Test, CookiesDecryptedBeforeForwardingWithCleanupOAuthCookiesDisabl EXPECT_EQ(cookies.at("RefreshToken"), "some-refresh-token"); } +// Verifies that requests matching the pass_through_matcher configuration are not modified by the +// filter. The request headers and cookies remain unchanged, and only the oauth_passthrough metric +// is incremented. This ensures correct behavior when the filter is configured to skip processing +// for specific requests. +TEST_F(OAuth2Test, RequestIsUnchangedWhenPassThroughMatcherMatches) { + Http::TestRequestHeaderMapImpl request_headers{ + {Http::Headers::get().Host.get(), "traffic.example.com"}, + {Http::Headers::get().Path.get(), "/anypath"}, + {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Options}, + {Http::Headers::get().Cookie.get(), "OauthHMAC=some_oauth_hmac_value"}, + {Http::Headers::get().Cookie.get(), "OauthExpires=some_oauth_expires_value"}, + {Http::Headers::get().Cookie.get(), "RefreshToken=some_refresh_token_value"}, + {Http::Headers::get().Cookie.get(), "OauthNonce=some_oauth_nonce_value"}, + {Http::Headers::get().Cookie.get(), "CodeVerifier=some_code_verifier_value"}}; + + Http::TestRequestHeaderMapImpl expected_headers{ + {Http::Headers::get().Host.get(), "traffic.example.com"}, + {Http::Headers::get().Path.get(), "/anypath"}, + {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Options}, + {Http::Headers::get().Cookie.get(), "OauthHMAC=some_oauth_hmac_value"}, + {Http::Headers::get().Cookie.get(), "OauthExpires=some_oauth_expires_value"}, + {Http::Headers::get().Cookie.get(), "RefreshToken=some_refresh_token_value"}, + {Http::Headers::get().Cookie.get(), "OauthNonce=some_oauth_nonce_value"}, + {Http::Headers::get().Cookie.get(), "CodeVerifier=some_code_verifier_value"}}; + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, false)); + EXPECT_EQ(request_headers, expected_headers); + EXPECT_EQ(scope_.counterFromString("test.my_prefix.oauth_failure").value(), 0); + EXPECT_EQ(scope_.counterFromString("test.my_prefix.oauth_passthrough").value(), 1); + EXPECT_EQ(scope_.counterFromString("test.my_prefix.oauth_success").value(), 0); +} + } // namespace Oauth2 } // namespace HttpFilters } // namespace Extensions From 853488bdfe127c4249e7261005b54449c83feeba Mon Sep 17 00:00:00 2001 From: Raven Black Date: Tue, 26 Aug 2025 09:22:39 -0700 Subject: [PATCH 296/505] Use gmock mock functions for testing callbacks (#40813) Commit Message: Use gmock mock functions for testing callbacks Additional Description: This is a testing-the-waters PR, is this change desirable? If so I'll do the same to the rest of the file. The main hope is that a good example existing would propagate next time someone cargo-cults "how do I test this kind of thing". (This change also slightly improves the test behavior in that now it only passes if the initialize callback is called during `initialize`, where before the test would also have passed if the initialize callback was called during `dns_callback_`. This distinction seems like it might be important based on the name of the test case and the comment `Initialized without completing DNS resolution.`.) Risk Level: test-only Testing: test-only Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Raven Black --- test/common/upstream/BUILD | 1 - test/common/upstream/upstream_impl_test.cc | 183 +++++++++------------ 2 files changed, 76 insertions(+), 108 deletions(-) diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 521b701838df2..9f6d72e9f8c84 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -542,7 +542,6 @@ envoy_cc_test( "//source/extensions/upstreams/tcp:config", "//source/server:transport_socket_config_lib", "//test/common/stats:stat_test_utility_lib", - "//test/mocks:common_lib", "//test/mocks/local_info:local_info_mocks", "//test/mocks/network:network_mocks", "//test/mocks/protobuf:protobuf_mocks", diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 3fda2e6869e3a..9fc1cef3f9656 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -36,7 +36,6 @@ #include "test/common/stats/stat_test_utility.h" #include "test/common/upstream/test_local_address_selector.h" #include "test/common/upstream/utility.h" -#include "test/mocks/common.h" #include "test/mocks/http/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/protobuf/mocks.h" @@ -63,6 +62,7 @@ using testing::_; using testing::AnyNumber; using testing::ContainerEq; using testing::Invoke; +using testing::MockFunction; using testing::NiceMock; using testing::Return; using testing::ReturnRef; @@ -70,6 +70,10 @@ using testing::ReturnRef; namespace Envoy { namespace Upstream { +using MockInitializeCallback = MockFunction; +using MockPriorityUpdateCallback = + MockFunction; + class UpstreamImplTestBase { protected: UpstreamImplTestBase() { ON_CALL(server_context_, api()).WillByDefault(ReturnRef(*api_)); } @@ -198,7 +202,6 @@ class StrictDnsParamTest : public testing::TestWithParam, scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -240,7 +243,6 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -257,7 +259,6 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { address: foo.bar.com port_value: 443 )EOF"; - EXPECT_CALL(initialized, ready()); EXPECT_CALL(*dns_resolver, resolve("foo.bar.com", std::get<1>(GetParam()), _)) .WillOnce(Invoke([&](const std::string&, Network::DnsLookupFamily, Network::DnsResolver::ResolveCb cb) -> Network::ActiveDnsQuery* { @@ -271,10 +272,12 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { false); auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver); - cluster->initialize([&]() -> absl::Status { - initialized.ready(); - return absl::OkStatus(); - }); + { + MockInitializeCallback initialize_cb; + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); + cluster->initialize(initialize_cb.AsStdFunction()); + // initialize_cb going out of scope ensures it was called here. + } EXPECT_EQ(2UL, cluster->prioritySet().hostSetsPerPriority()[0]->hosts().size()); EXPECT_EQ(2UL, cluster->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); } @@ -284,7 +287,6 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBasicMillion) { scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -313,7 +315,6 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBasicTenThousand) { scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -342,7 +343,6 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBadDenominator) { scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -372,7 +372,6 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestBadNumerator) { scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -403,7 +402,6 @@ TEST_P(StrictDnsParamTest, DropOverLoadConfigTestMultipleCategory) { scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", std::get<3>(GetParam())}}); auto dns_resolver = std::make_shared>(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name connect_timeout: 0.25s @@ -463,7 +461,6 @@ INSTANTIATE_TEST_SUITE_P(DnsImplementations, StrictDnsClusterImplParamTest, testing::ValuesIn({"true", "false"})); TEST_P(StrictDnsClusterImplParamTest, ZeroHostsIsInializedImmediately) { - ReadyWatcher initialized; scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); @@ -482,18 +479,19 @@ TEST_P(StrictDnsClusterImplParamTest, ZeroHostsIsInializedImmediately) { false); auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_); - EXPECT_CALL(initialized, ready()); - cluster->initialize([&]() -> absl::Status { - initialized.ready(); - return absl::OkStatus(); - }); + + { + MockInitializeCallback initialize_cb; + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); + cluster->initialize(initialize_cb.AsStdFunction()); + // initialize_cb going out of scope ensures it was called here. + } EXPECT_EQ(0UL, cluster->prioritySet().hostSetsPerPriority()[0]->hosts().size()); EXPECT_EQ(0UL, cluster->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); } // Resolve zero hosts, while using health checking. TEST_P(StrictDnsClusterImplParamTest, ZeroHostsHealthChecker) { - ReadyWatcher initialized; scoped_runtime.mergeValues( {{"envoy.reloadable_features.enable_new_dns_implementation", GetParam()}}); @@ -523,13 +521,13 @@ TEST_P(StrictDnsClusterImplParamTest, ZeroHostsHealthChecker) { EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); cluster->setHealthChecker(health_checker); - cluster->initialize([&]() -> absl::Status { - initialized.ready(); - return absl::OkStatus(); - }); + + MockInitializeCallback initialize_cb; + cluster->initialize(initialize_cb.AsStdFunction()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); - EXPECT_CALL(initialized, ready()); + // We expect initialize_cb to only be called on resolve, not during initialize. + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); EXPECT_CALL(*resolver.timer_, enableTimer(_, _)); resolver.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", {}); EXPECT_EQ(0UL, cluster->prioritySet().hostSetsPerPriority()[0]->hosts().size()); @@ -567,25 +565,19 @@ TEST_P(StrictDnsClusterImplParamTest, DontWaitForDNSOnInit) { false); auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_); + { + MockInitializeCallback initialize_cb; + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); + cluster->initialize(initialize_cb.AsStdFunction()); + // initialize_cb going out of scope validates that it was called here. + } - ReadyWatcher initialized; - - // Initialized without completing DNS resolution. - EXPECT_CALL(initialized, ready()); - cluster->initialize([&]() -> absl::Status { - initialized.ready(); - return absl::OkStatus(); - }); - - ReadyWatcher membership_updated; - auto priority_update_cb = cluster->prioritySet().addPriorityUpdateCb( - [&](uint32_t, const HostVector&, const HostVector&) { - membership_updated.ready(); - return absl::OkStatus(); - }); + MockPriorityUpdateCallback priority_update_cb; + auto priority_update_handle = + cluster->prioritySet().addPriorityUpdateCb(priority_update_cb.AsStdFunction()); EXPECT_CALL(*resolver.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.2", "127.0.0.1"})); } @@ -686,18 +678,15 @@ TEST_P(StrictDnsClusterImplParamTest, Basic) { EXPECT_CALL(runtime_.snapshot_, featureEnabled("upstream.maintenance_mode.name", 0)); EXPECT_FALSE(cluster->info()->maintenanceMode()); - ReadyWatcher membership_updated; - auto priority_update_cb = cluster->prioritySet().addPriorityUpdateCb( - [&](uint32_t, const HostVector&, const HostVector&) { - membership_updated.ready(); - return absl::OkStatus(); - }); + MockPriorityUpdateCallback priority_update_cb; + auto priority_update_handle = + cluster->prioritySet().addPriorityUpdateCb(priority_update_cb.AsStdFunction()); cluster->initialize([] { return absl::OkStatus(); }); resolver1.expectResolve(*dns_resolver_); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"})); EXPECT_THAT( @@ -726,7 +715,7 @@ TEST_P(StrictDnsClusterImplParamTest, Basic) { resolver1.timer_->invokeCallback(); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.3"})); EXPECT_THAT( @@ -735,7 +724,7 @@ TEST_P(StrictDnsClusterImplParamTest, Basic) { // Make sure we de-dup the same address. EXPECT_CALL(*resolver2.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver2.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"10.0.0.1", "10.0.0.1"})); EXPECT_THAT( @@ -757,7 +746,7 @@ TEST_P(StrictDnsClusterImplParamTest, Basic) { resolver1.expectResolve(*dns_resolver_); resolver1.timer_->invokeCallback(); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({})); EXPECT_THAT( @@ -890,11 +879,9 @@ TEST_P(StrictDnsClusterImplParamTest, HostRemovalAfterHcFail) { EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); cluster->setHealthChecker(health_checker); - ReadyWatcher initialized; - cluster->initialize([&]() -> absl::Status { - initialized.ready(); - return absl::OkStatus(); - }); + + MockInitializeCallback initialize_cb; + cluster->initialize(initialize_cb.AsStdFunction()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(*resolver.timer_, enableTimer(_, _)).Times(2); @@ -913,7 +900,8 @@ TEST_P(StrictDnsClusterImplParamTest, HostRemovalAfterHcFail) { hosts[i]->healthFlagClear(Host::HealthFlag::FAILED_ACTIVE_HC); hosts[i]->healthFlagClear(Host::HealthFlag::PENDING_ACTIVE_HC); if (i == 1) { - EXPECT_CALL(initialized, ready()); + // We only expect initialize_cb to be called on the second time around this loop. + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); } health_checker->runCallbacks(hosts[i], HealthTransition::Changed, HealthState::Healthy); } @@ -974,12 +962,10 @@ TEST_P(StrictDnsClusterImplParamTest, HostUpdateWithDisabledACEndpoint) { EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); cluster->setHealthChecker(health_checker); - ReadyWatcher initialized; - cluster->initialize([&]() -> absl::Status { - initialized.ready(); - return absl::OkStatus(); - }); - EXPECT_CALL(initialized, ready()); + MockInitializeCallback initialize_cb; + cluster->initialize(initialize_cb.AsStdFunction()); + // initialize_cb should only be called during dns_callback_; + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(*resolver.timer_, enableTimer(_, _)).Times(2); @@ -1116,18 +1102,15 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasic) { EXPECT_CALL(runtime_.snapshot_, featureEnabled("upstream.maintenance_mode.name", 0)); EXPECT_FALSE(cluster->info()->maintenanceMode()); - ReadyWatcher membership_updated; - auto priority_update_cb = cluster->prioritySet().addPriorityUpdateCb( - [&](uint32_t, const HostVector&, const HostVector&) { - membership_updated.ready(); - return absl::OkStatus(); - }); + MockPriorityUpdateCallback priority_update_cb; + auto priority_update_handle = + cluster->prioritySet().addPriorityUpdateCb(priority_update_cb.AsStdFunction()); cluster->initialize([] { return absl::OkStatus(); }); resolver1.expectResolve(*dns_resolver_); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"})); EXPECT_THAT( @@ -1174,7 +1157,7 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasic) { EXPECT_EQ(2UL, stats_.counter("cluster.name.update_no_rebuild").value()); EXPECT_CALL(*resolver2.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver2.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"10.0.0.1", "10.0.0.1"})); @@ -1192,7 +1175,7 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasic) { resolver1.timer_->invokeCallback(); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.3"})); EXPECT_THAT( @@ -1215,7 +1198,7 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasic) { // Make sure that we *don't* de-dup between resolve targets. EXPECT_CALL(*resolver3.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver3.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"10.0.0.1"})); @@ -1252,12 +1235,12 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasic) { }); EXPECT_CALL(*resolver2.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver2.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({})); EXPECT_CALL(*resolver3.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver3.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({})); @@ -1335,18 +1318,15 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasicMultiplePriorities) { auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_); - ReadyWatcher membership_updated; - auto priority_update_cb = cluster->prioritySet().addPriorityUpdateCb( - [&](uint32_t, const HostVector&, const HostVector&) { - membership_updated.ready(); - return absl::OkStatus(); - }); + MockPriorityUpdateCallback priority_update_cb; + auto priority_update_handle = + cluster->prioritySet().addPriorityUpdateCb(priority_update_cb.AsStdFunction()); cluster->initialize([] { return absl::OkStatus(); }); resolver1.expectResolve(*dns_resolver_); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"})); EXPECT_THAT( @@ -1375,7 +1355,7 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasicMultiplePriorities) { resolver1.timer_->invokeCallback(); EXPECT_CALL(*resolver1.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver1.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"127.0.0.3"})); EXPECT_THAT( @@ -1384,7 +1364,7 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasicMultiplePriorities) { // Make sure we de-dup the same address. EXPECT_CALL(*resolver2.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver2.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"10.0.0.1", "10.0.0.1"})); EXPECT_THAT( @@ -1401,7 +1381,7 @@ TEST_P(StrictDnsClusterImplParamTest, LoadAssignmentBasicMultiplePriorities) { } EXPECT_CALL(*resolver3.timer_, enableTimer(std::chrono::milliseconds(4000), _)); - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); resolver3.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"})); @@ -1675,24 +1655,21 @@ TEST_P(StrictDnsClusterImplParamTest, TtlAsDnsRefreshRateNoJitter) { auto cluster = *createStrictDnsCluster(cluster_config, factory_context, dns_resolver_); - ReadyWatcher membership_updated; - auto priority_update_cb = cluster->prioritySet().addPriorityUpdateCb( - [&](uint32_t, const HostVector&, const HostVector&) { - membership_updated.ready(); - return absl::OkStatus(); - }); + MockPriorityUpdateCallback priority_update_cb; + auto priority_update_handle = + cluster->prioritySet().addPriorityUpdateCb(priority_update_cb.AsStdFunction()); cluster->initialize([] { return absl::OkStatus(); }); // TTL is recorded when the DNS response is successful and not empty - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); EXPECT_CALL(*resolver.timer_, enableTimer(std::chrono::milliseconds(5000), _)); resolver.dns_callback_( Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"}, std::chrono::seconds(5))); // If the response is successful but empty, the cluster uses the cluster configured refresh rate. - EXPECT_CALL(membership_updated, ready()); + EXPECT_CALL(priority_update_cb, Call).WillOnce(Return(absl::OkStatus())); EXPECT_CALL(*resolver.timer_, enableTimer(std::chrono::milliseconds(4000), _)); resolver.dns_callback_(Network::DnsResolver::ResolutionStatus::Completed, "", TestUtility::makeDnsResponse({}, std::chrono::seconds(5))); @@ -2885,11 +2862,8 @@ TEST_F(StaticClusterImplTest, HealthyStat) { std::shared_ptr health_checker(new NiceMock()); cluster->setHealthChecker(health_checker); - ReadyWatcher initialized; - cluster->initialize([&initialized] { - initialized.ready(); - return absl::OkStatus(); - }); + MockInitializeCallback initialize_cb; + cluster->initialize(initialize_cb.AsStdFunction()); EXPECT_EQ(2UL, cluster->prioritySet().hostSetsPerPriority()[0]->hosts().size()); EXPECT_EQ(0UL, cluster->prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); @@ -2902,7 +2876,7 @@ TEST_F(StaticClusterImplTest, HealthyStat) { HealthTransition::Changed, HealthState::Healthy); cluster->prioritySet().hostSetsPerPriority()[0]->hosts()[1]->healthFlagClear( Host::HealthFlag::FAILED_ACTIVE_HC); - EXPECT_CALL(initialized, ready()); + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); health_checker->runCallbacks(cluster->prioritySet().hostSetsPerPriority()[0]->hosts()[1], HealthTransition::Changed, HealthState::Healthy); @@ -3028,11 +3002,8 @@ TEST_F(StaticClusterImplTest, InitialHostsDisableHC) { std::shared_ptr health_checker(new NiceMock()); cluster->setHealthChecker(health_checker); - ReadyWatcher initialized; - cluster->initialize([&initialized] { - initialized.ready(); - return absl::OkStatus(); - }); + MockInitializeCallback initialize_cb; + cluster->initialize(initialize_cb.AsStdFunction()); // The endpoint with disabled active health check should not be set FAILED_ACTIVE_HC // at beginning. @@ -3048,7 +3019,7 @@ TEST_F(StaticClusterImplTest, InitialHostsDisableHC) { EXPECT_EQ(0UL, cluster->info()->endpointStats().membership_degraded_.value()); // Perform a health check for the second host, and then the initialization is finished. - EXPECT_CALL(initialized, ready()); + EXPECT_CALL(initialize_cb, Call).WillOnce(Return(absl::OkStatus())); cluster->prioritySet().hostSetsPerPriority()[0]->hosts()[1]->healthFlagClear( Host::HealthFlag::FAILED_ACTIVE_HC); health_checker->runCallbacks(cluster->prioritySet().hostSetsPerPriority()[0]->hosts()[0], @@ -4062,7 +4033,6 @@ class ClusterImplTest : public testing::Test, public UpstreamImplTestBase {}; // configured. TEST_F(ClusterImplTest, CloseConnectionsOnHostHealthFailure) { auto dns_resolver = std::make_shared(); - ReadyWatcher initialized; const std::string yaml = R"EOF( name: name @@ -4313,7 +4283,6 @@ class ClusterInfoImplTest : public testing::Test, public UpstreamImplTestBase { std::shared_ptr dns_resolver_{new NiceMock()}; - ReadyWatcher initialized_; envoy::config::cluster::v3::Cluster cluster_config_; }; From 9bd5745f63900e23ece62ff00c74b5d2e1e1b41f Mon Sep 17 00:00:00 2001 From: Joe Kralicky Date: Tue, 26 Aug 2025 14:33:13 -0400 Subject: [PATCH 297/505] userspace socket: allow providing an existing PassthroughState when creating IoHandle pair (#40748) Commit Message: userspace socket: allow providing an existing PassthroughState when creating IoHandle pair Additional Description: This change is to allow extensions to provide their own implementation of PassthroughState and/or derive from the default PassthroughStateImpl when creating userspace IoHandle pairs with the IoHandleFactory. Risk Level: Low; changes are backwards compatible Testing: Unit tests added Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Joe Kralicky --- .../io_socket/user_space/io_handle.h | 1 + .../io_socket/user_space/io_handle_impl.cc | 35 ++++++++++++++++++ .../io_socket/user_space/io_handle_impl.h | 37 ++++++++----------- .../user_space/io_handle_impl_test.cc | 22 +++++++++++ 4 files changed, 74 insertions(+), 21 deletions(-) diff --git a/source/extensions/io_socket/user_space/io_handle.h b/source/extensions/io_socket/user_space/io_handle.h index 8266c9e0b465d..20c9e24f1eb21 100644 --- a/source/extensions/io_socket/user_space/io_handle.h +++ b/source/extensions/io_socket/user_space/io_handle.h @@ -32,6 +32,7 @@ class PassthroughState { }; using PassthroughStateSharedPtr = std::shared_ptr; +using PassthroughStatePtr = std::unique_ptr; /** * The interface for the peer as a writer and supplied read status query. diff --git a/source/extensions/io_socket/user_space/io_handle_impl.cc b/source/extensions/io_socket/user_space/io_handle_impl.cc index 8ca2088cb4d31..c08347967fc1f 100644 --- a/source/extensions/io_socket/user_space/io_handle_impl.cc +++ b/source/extensions/io_socket/user_space/io_handle_impl.cc @@ -392,6 +392,41 @@ void PassthroughStateImpl::mergeInto(envoy::config::core::v3::Metadata& metadata filter_state_objects_.clear(); state_ = State::Done; } + +std::pair +IoHandleFactory::createIoHandlePair(PassthroughStatePtr state) { + PassthroughStateSharedPtr shared_state; + if (state != nullptr) { + shared_state = std::move(state); + } else { + shared_state = std::make_shared(); + } + auto p = std::pair{new IoHandleImpl(shared_state), + new IoHandleImpl(shared_state)}; + p.first->setPeerHandle(p.second.get()); + p.second->setPeerHandle(p.first.get()); + return p; +} + +std::pair +IoHandleFactory::createBufferLimitedIoHandlePair(uint32_t buffer_size, PassthroughStatePtr state) { + PassthroughStateSharedPtr shared_state; + if (state != nullptr) { + shared_state = std::move(state); + } else { + shared_state = std::make_shared(); + } + auto p = std::pair{new IoHandleImpl(shared_state), + new IoHandleImpl(shared_state)}; + // This buffer watermark setting emulates the OS socket buffer parameter + // `/proc/sys/net/ipv4/tcp_{r,w}mem`. + p.first->setWatermarks(buffer_size); + p.second->setWatermarks(buffer_size); + p.first->setPeerHandle(p.second.get()); + p.second->setPeerHandle(p.first.get()); + return p; +} + } // namespace UserSpace } // namespace IoSocket } // namespace Extensions diff --git a/source/extensions/io_socket/user_space/io_handle_impl.h b/source/extensions/io_socket/user_space/io_handle_impl.h index 0c75dfda4d8f1..0b2e67553d0f8 100644 --- a/source/extensions/io_socket/user_space/io_handle_impl.h +++ b/source/extensions/io_socket/user_space/io_handle_impl.h @@ -193,7 +193,7 @@ class PassthroughStateImpl : public PassthroughState, public Logger::Loggable metadata_; @@ -203,27 +203,22 @@ class PassthroughStateImpl : public PassthroughState, public Logger::Loggable; class IoHandleFactory { public: - static std::pair createIoHandlePair() { - auto state = std::make_shared(); - auto p = std::pair{new IoHandleImpl(state), - new IoHandleImpl(state)}; - p.first->setPeerHandle(p.second.get()); - p.second->setPeerHandle(p.first.get()); - return p; - } + /** + * @return a pair of connected IoHandleImpl instances. + * @param state optional existing value to use as the shared PassthroughState. If omitted, a + * newly constructed PassthroughStateImpl will be used. + */ static std::pair - createBufferLimitedIoHandlePair(uint32_t buffer_size) { - auto state = std::make_shared(); - auto p = std::pair{new IoHandleImpl(state), - new IoHandleImpl(state)}; - // This buffer watermark setting emulates the OS socket buffer parameter - // `/proc/sys/net/ipv4/tcp_{r,w}mem`. - p.first->setWatermarks(buffer_size); - p.second->setWatermarks(buffer_size); - p.first->setPeerHandle(p.second.get()); - p.second->setPeerHandle(p.first.get()); - return p; - } + createIoHandlePair(PassthroughStatePtr state = nullptr); + + /** + * @return a pair of connected IoHandleImpl instances with pre-configured watermarks. + * @param buffer_size buffer watermark size in bytes + * @param state optional existing value to use as the shared PassthroughState. If omitted, a + * newly constructed PassthroughStateImpl will be used. + */ + static std::pair + createBufferLimitedIoHandlePair(uint32_t buffer_size, PassthroughStatePtr state = nullptr); }; } // namespace UserSpace } // namespace IoSocket diff --git a/test/extensions/io_socket/user_space/io_handle_impl_test.cc b/test/extensions/io_socket/user_space/io_handle_impl_test.cc index f19d50bccbfdb..615c512115f6d 100644 --- a/test/extensions/io_socket/user_space/io_handle_impl_test.cc +++ b/test/extensions/io_socket/user_space/io_handle_impl_test.cc @@ -1293,6 +1293,28 @@ TEST_F(IoHandleImplNotImplementedTest, ErrorOnGetOption) { TEST_F(IoHandleImplNotImplementedTest, ErrorOnIoctl) { EXPECT_THAT(io_handle_->ioctl(0, nullptr, 0, nullptr, 0, nullptr), IsNotSupportedResult()); } + +class TestPassthroughState : public PassthroughStateImpl {}; + +TEST(IoHandleFactoryTest, UseExistingPassthroughState) { + { + auto [io_handle, io_handle_peer] = + IoHandleFactory::createIoHandlePair(std::make_unique()); + EXPECT_NE(std::dynamic_pointer_cast(io_handle->passthroughState()), + nullptr); + EXPECT_NE(std::dynamic_pointer_cast(io_handle_peer->passthroughState()), + nullptr); + } + { + auto [io_handle, io_handle_peer] = IoHandleFactory::createBufferLimitedIoHandlePair( + 1024, std::make_unique()); + EXPECT_NE(std::dynamic_pointer_cast(io_handle->passthroughState()), + nullptr); + EXPECT_NE(std::dynamic_pointer_cast(io_handle_peer->passthroughState()), + nullptr); + } +} + } // namespace } // namespace UserSpace } // namespace IoSocket From 0b431b31c5da67ddde0ce775fe79f72245cd171c Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 26 Aug 2025 14:53:06 -0400 Subject: [PATCH 298/505] json-fuzz: prevent large size inputs (#40855) Commit Message: json-fuzz: prevent large size inputs Additional Description: The original [fuzzer test-case](https://oss-fuzz.com/testcase-detail/4819251528007680) created a large input file with ~1MiB of base64 contents that was truncated in the middle and caused the fuzzer to OOM due to a test-function allocation: ``` #9 0x5ca72f569401 in testing::internal::edit_distance::CreateUnifiedDiff(std::__1::vector, std::__1::allocator>, std::__1::allocator, std::__1::allocator>>> const&, std::__1::vector, std::__1::allocator>, std::__1::allocator, std::__1::allocator>>> const&, unsigned long) /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:1352:39 ``` This PR limits the input sizes for the json input to 32KiB, as most errors should be detected with this limit. Risk Level: low - tests only Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Fixes fuzz issue [421951268](https://issues.oss-fuzz.com/issues/421951268). --------- Signed-off-by: Adi Suissa-Peleg --- .../json_sanitizer_corpus/very_large_file | 500 ++++++++++++++++++ test/common/json/json_sanitizer_fuzz_test.cc | 6 + 2 files changed, 506 insertions(+) create mode 100644 test/common/json/json_sanitizer_corpus/very_large_file diff --git a/test/common/json/json_sanitizer_corpus/very_large_file b/test/common/json/json_sanitizer_corpus/very_large_file new file mode 100644 index 0000000000000..f3421134ee8df --- /dev/null +++ b/test/common/json/json_sanitizer_corpus/very_large_file @@ -0,0 +1,500 @@ + + + + + Some ASCII string + Test ASCII String + Some UTF8 strings + + àéèçù + 日本語 + 汉语/漢語 + 한국어/조선말 + русский язык + الْعَرَبيّة + עִבְרִית + język polski + हिन्दी + + Keys & "entities" + hellow world & others <nodes> are "fun!?' + Boolean + + Another Boolean + + Some Int + 32434543632 + Some Real + 58654.347656 + Some Date + 2009-02-12T22:23:00Z + Some Data + + MDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1 + w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qm + w6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAow + MTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXD + uSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbD + qSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAx + MjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5 + JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOp + IicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEy + MzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7kl + IcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6ki + Jygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIz + NDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUh + wqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSIn + KC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0 + NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHC + pzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIico + LcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1 + Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKn + Oi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygt + w6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2 + Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6 + LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3D + qF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3 + ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzov + Oy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOo + X8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4 + OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87 + Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hf + w6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5 + VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6Lzsu + LD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/D + p8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlU + RVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4s + Pz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8On + w6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRF + U1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/ + Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fD + oCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVT + VDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+ + PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8Og + KT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNU + MDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48 + fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6Ap + PSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1Qw + MTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+ + I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9 + K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAx + MjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4j + e1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0r + wrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEy + MzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7 + W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvC + sCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIz + NDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tb + fGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8Kw + JMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0 + NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8 + YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAk + wqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1 + Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xg + XF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTC + oyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2 + Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBc + XkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKj + JF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3 + ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxe + QF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMk + XsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4 + OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5A + XX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRe + wqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5 + dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBd + fcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7C + qCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0 + ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19 + wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKo + KsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRl + c3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3C + pAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgq + wrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVz + dCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKk + CjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrC + tcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0 + JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQK + MDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1 + w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qm + w6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAow + MTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXD + uSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbD + qSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAx + MjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5 + JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOp + IicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEy + MzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7kl + IcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6ki + Jygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIz + NDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUh + wqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSIn + KC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0 + NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHC + pzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIico + LcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1 + Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKn + Oi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygt + w6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2 + Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6 + LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3D + qF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3 + ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzov + Oy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOo + X8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4 + OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87 + Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hf + w6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5 + VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6Lzsu + LD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/D + p8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlU + RVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4s + Pz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLc󠁴OoX8On + w6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRF + U1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/ + Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fD + oCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVT + VDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+ + PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8Og + KT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNU + MDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48 + fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6Ap + PSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1Qw + MTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+ + I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9 + K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAx + MjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4j + e1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0r + wrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEy + MzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7 + W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvC + sCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIz + NDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tb + fGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8Kw + JMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0 + NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8 + YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAk + wqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1 + Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xg + XF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTC + oyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2 + Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBc + XkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKj + JF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3 + ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxe + QF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMk + XsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4 + OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5A + XX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRe + wqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5 + dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBd + fcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7C + qCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0 + ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19 + wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKo + KsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRl + c3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3C + pAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgq + wrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVz + dCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKk + CjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrC + tcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0 + JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQK + MDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1 + w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qm + w6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAow + MTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXD + uSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbD + qSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAx + MjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5 + JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOp + IicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEy + MzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7kl + IcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6ki + Jygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIz + NDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUh + wqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSIn + KC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0 + NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHC + pzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIico + LcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1 + Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKn + Oi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygt + w6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2 + Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6 + LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3D + qF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3 + ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzov + Oy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOo + X8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4 + OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87 + Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hf + w6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5 + VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6Lzsu + LD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/D + p8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlU + RVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4s + Pz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8On + w6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRF + U1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/ + Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fD + oCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVT + VDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+ + PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8Og + KT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNU + MDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48 + fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6Ap + PSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1Qw + MTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+ + I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9 + K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAx + MjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4j + e1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0r + wrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEy + MzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7 + W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvC + sCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIz + NDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tb + fGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8Kw + JMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0 + NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8 + YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAk + wqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1 + Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xg + XF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTC + oyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2 + Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBc + XkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKj + JF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3 + ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxe + QF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMk + XsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4 + OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5A + XX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRe + wqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5 + dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBd + fcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7C + qCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0 + ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19 + wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKo + KsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRl + c3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3C + pAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgq + wrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVz + dCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKk + CjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrC + tcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0 + JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQK + MDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1 + w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qm + w6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAow + MTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXD + uSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbD + qSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAx + MjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5 + JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOp + IicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEy + MzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7kl + IcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6ki + Jygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIz + NDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUh + wqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSIn + KC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0 + NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHC + pzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIico + LcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1 + Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKn + Oi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygt + w6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2 + Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6 + LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3D + qF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3 + ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzov + Oy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOo + X8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4 + OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87 + Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hf + w6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5 + VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6Lzsu + LD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/D + p8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlU + RVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4s + Pz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8On + w6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRF + U1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/ + Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fD + oCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVT + VDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+ + PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8Og + KT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNU + MDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48 + fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6Ap + PSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1Qw + MTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+ + I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9 + K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAx + MjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4j + e1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0r + wrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEy + MzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7 + W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvC + sCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIz + NDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tb + fGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8Kw + JMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0 + NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8 + YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAk + wqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1 + Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xg + XF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTC + oyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2 + Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBc + XkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKj + JF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3 + ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxe + QF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMk + XsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4 + OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5A + XX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRe + wqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5 + dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBd + fcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7C + qCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0 + ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19 + wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKo + KsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRl + c3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3C + pAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgq + wrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVz + dCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKk + CjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrC + tcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0 + JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQK + MDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1 + w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qm + w6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAow + MTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXD + uSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbD + qSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAx + MjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5 + JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOp + IicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEy + MzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7kl + IcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6ki + Jygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIz + NDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUh + wqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSIn + KC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0 + NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHC + pzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIico + LcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1 + Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKn + Oi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygt + w6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2 + Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6 + LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3D + qF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3 + ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzov + Oy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOo + X8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4 + OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87 + Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hf + w6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5 + VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6Lzsu + LD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/D + p8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlU + RVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4s + Pz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8On + w6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRF + U1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/ + Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fD + oCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVT + VDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+ + PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8Og + KT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNU + MDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48 + fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6Ap + PSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1Qw + MTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+ + I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9 + K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAx + MjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4j + e1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0r + wrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEy + MzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7 + W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvC + sCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIz + NDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tb + fGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8Kw + JMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0 + NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8 + YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAk + wqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1 + Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xg + XF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTC + oyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2 + Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBc + XkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKj + JF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3 + ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxe + QF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMk + XsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4 + OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5A + XX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRe + wqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5 + dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBd + fcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7C + qCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0 + ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19 + wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKo + KsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRl + c3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3C + pAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgq + wrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVz + dCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKk + CjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrC + tcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0 + JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQK + MDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1 + w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qm + w6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAow + MTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXD + uSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbD + qSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAx + MjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5 + JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOp + IicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEy + MzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7kl + IcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6ki + Jygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIz + NDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUh + wqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSIn + KC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0 + NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHC + pzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIico + LcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1 + Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKn + Oi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygt + w6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2 + Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6 + LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3D + qF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3 + ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzov + Oy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOo + X8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4 + OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87 + Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hf + w6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5 + VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6Lzsu + LD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/D + p8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlU + RVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fDoCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4s + Pz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVTVDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8On + w6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRF + U1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8OgKT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/ + Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNUMDEyMzQ1Njc4OXRlc3Qmw6kiJygtw6hfw6fD + oCk9K8KwJMKjJF7CqCrCtcO5JSHCpzovOy4sPz48fiN7W3xgXF5AXX3CpAowMTIzNDU2Nzg5VEVT + VDAxMjM0NTY3ODl0ZXN0JsOpIicoLcOoX8Onw6ApPSvCsCTCoyRewqgqwrXDuSUhwqc6LzsuLD8+ + PH4je1t8YFxeQF19wqQKMDEyMzQ1Njc4OVRFU1QwMTIzNDU2Nzg5dGVzdCbDqSInKC3DqF/Dp8Og + KT0rwrAkwqMkXsKoKsK1w7klIcKnOi87Liw/Pjx+I3tbfGBcXkBdfcKkCjAxMjM0NTY3ODlURVNU + MDEyMzQ1Njc4OXRlc3Qmw diff --git a/test/common/json/json_sanitizer_fuzz_test.cc b/test/common/json/json_sanitizer_fuzz_test.cc index ed6d33758ea18..026b82386031e 100644 --- a/test/common/json/json_sanitizer_fuzz_test.cc +++ b/test/common/json/json_sanitizer_fuzz_test.cc @@ -12,6 +12,12 @@ namespace Envoy { namespace Fuzz { DEFINE_FUZZER(const uint8_t* buf, size_t len) { + // Cap the input string by 32KiB. The fuzzer should be able to detect issues + // for smaller inputs. + if (len > 32 * 1024) { + ENVOY_LOG_MISC(warn, "The input buffer is longer than 32KiB, skipping"); + return; + } FuzzedDataProvider provider(buf, len); std::string buffer1, buffer2, errmsg; while (provider.remaining_bytes() != 0) { From 2e7cdb126570839f50ffadbdc8834ddd7ad1aa56 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 26 Aug 2025 17:51:03 -0400 Subject: [PATCH 299/505] deps: upgrading GO to v1.24.6 in dependency_imports.bzl (#40860) Commit Message: deps: upgrading GO to v1.24.6 in dependency_imports.bzl Additional Description: Attempt to solve the issue that has been seen today in some PRs: ``` compilepkg: missing strict dependencies: /mnt/engflow/worker/work/3/exec/external/org_golang_google_grpc/internal/status/status.go: import of "google.golang.org/genproto/googleapis/rpc/status" ``` ([example](https://github.com/envoyproxy/envoy/actions/runs/17246350777/job/48936907349#step:17:601)) Signed-off-by: Adi Suissa-Peleg --- bazel/dependency_imports.bzl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bazel/dependency_imports.bzl b/bazel/dependency_imports.bzl index 8fe4b68252065..78aa56773eb64 100644 --- a/bazel/dependency_imports.bzl +++ b/bazel/dependency_imports.bzl @@ -24,7 +24,7 @@ load("@rules_rust//rust:defs.bzl", "rust_common") load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains", "rust_repository_set") # go version for rules_go -GO_VERSION = "1.23.1" +GO_VERSION = "1.24.6" JQ_VERSION = "1.7" YQ_VERSION = "4.24.4" From 55f965713e99769c729f87680c7349fd2307f6b7 Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 26 Aug 2025 23:39:21 +0100 Subject: [PATCH 300/505] ci: Temporarily disable CVE test (broken cache) (#40862) Signed-off-by: Ryan Northey --- ci/do_ci.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/do_ci.sh b/ci/do_ci.sh index 4502baeaf6052..9a9eeeb833dac 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -477,11 +477,12 @@ case $CI_TARGET in # Using todays date as an action_env expires the NIST cache daily, which is the update frequency TODAY_DATE=$(date -u -I"date") export TODAY_DATE + # TODO(phlax): Re-enable cve tests bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:check \ --//tools/dependency:preload_cve_data \ --action_env=TODAY_DATE \ -- -v warn \ - -c cves release_dates releases + -c release_dates releases # Run dependabot tests echo "Check dependabot ..." bazel run "${BAZEL_BUILD_OPTIONS[@]}" \ From 37521e14e366aed89da54c5d51cc098f4ad6a3c1 Mon Sep 17 00:00:00 2001 From: William T Zhang Date: Tue, 26 Aug 2025 20:28:39 -0700 Subject: [PATCH 301/505] dynamic_modules: make sure rust's new_http_filter entrypoint matches the c abi (#40864) Commit Message: dynamic_modules: make sure rust's new_http_filter entrypoint matches the c abi Additional Description: Currently, for the second argument `filter_envoy_ptr` of the `envoy_dynamic_module_on_http_filter_new` entrypoint, the Rust `new_http_filter` function expects to take a pointer to `DynamicModuleHttpFilterConfig` but should take in `DynamicModuleHttpFilter` as declared in the [C abi](https://github.com/envoyproxy/envoy/blob/55f965713e99769c729f87680c7349fd2307f6b7/source/extensions/dynamic_modules/abi.h#L571-L573). Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: William Zhang --- .../dynamic_modules/sdk/rust/src/lib.rs | 31 +++++------- .../dynamic_modules/sdk/rust/src/lib_test.rs | 26 +++------- .../dynamic_modules/test_data/rust/http.rs | 32 ++++-------- .../test_data/rust/http_integration_test.rs | 50 +++++++------------ .../dynamic_modules/test_data/rust/no_op.rs | 8 ++- 5 files changed, 52 insertions(+), 95 deletions(-) diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs index ea0a54f83d8fd..aa89fc6ad9205 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs @@ -45,16 +45,13 @@ pub mod abi { /// _envoy_filter_config: &mut EC, /// _name: &str, /// _config: &[u8], -/// ) -> Option>> { +/// ) -> Option>> { /// Some(Box::new(MyHttpFilterConfig {})) /// } /// /// struct MyHttpFilterConfig {} /// -/// impl HttpFilterConfig -/// for MyHttpFilterConfig -/// { -/// } +/// impl HttpFilterConfig for MyHttpFilterConfig {} /// ``` #[macro_export] macro_rules! declare_init_functions { @@ -210,7 +207,7 @@ pub type NewHttpFilterConfigFunction = fn( envoy_filter_config: &mut EC, name: &str, config: &[u8], -) -> Option>>; +) -> Option>>; /// The global init function for HTTP filter configurations. This is set via the /// `declare_init_functions` macro, and is not intended to be set directly. @@ -239,10 +236,10 @@ pub static NEW_HTTP_FILTER_PER_ROUTE_CONFIG_FUNCTION: OnceLock< /// /// The object is created when the corresponding Envoy Http filter config is created, and it is /// dropped when the corresponding Envoy Http filter config is destroyed. Therefore, the -/// imlementation is recommended to implement the [`Drop`] trait to handle the necessary cleanup. -pub trait HttpFilterConfig { +/// implementation is recommended to implement the [`Drop`] trait to handle the necessary cleanup. +pub trait HttpFilterConfig { /// This is called when a HTTP filter chain is created for a new stream. - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { panic!("not implemented"); } } @@ -1599,8 +1596,7 @@ fn envoy_dynamic_module_on_http_filter_config_new_impl( unsafe extern "C" fn envoy_dynamic_module_on_http_filter_config_destroy( config_ptr: abi::envoy_dynamic_module_type_http_filter_config_module_ptr, ) { - drop_wrapped_c_void_ptr!(config_ptr, - HttpFilterConfig); + drop_wrapped_c_void_ptr!(config_ptr, HttpFilterConfig); } #[no_mangle] @@ -1659,22 +1655,21 @@ unsafe extern "C" fn envoy_dynamic_module_on_http_filter_new( filter_config_ptr: abi::envoy_dynamic_module_type_http_filter_config_module_ptr, filter_envoy_ptr: abi::envoy_dynamic_module_type_http_filter_envoy_ptr, ) -> abi::envoy_dynamic_module_type_http_filter_module_ptr { - let mut envoy_filter_config = EnvoyHttpFilterConfigImpl { + let mut envoy_filter = EnvoyHttpFilterImpl { raw_ptr: filter_envoy_ptr, }; let filter_config = { - let raw = filter_config_ptr - as *mut *mut dyn HttpFilterConfig; + let raw = filter_config_ptr as *mut *mut dyn HttpFilterConfig; &mut **raw }; - envoy_dynamic_module_on_http_filter_new_impl(&mut envoy_filter_config, filter_config) + envoy_dynamic_module_on_http_filter_new_impl(&mut envoy_filter, filter_config) } fn envoy_dynamic_module_on_http_filter_new_impl( - envoy_filter_config: &mut EnvoyHttpFilterConfigImpl, - filter_config: &mut dyn HttpFilterConfig, + envoy_filter: &mut EnvoyHttpFilterImpl, + filter_config: &mut dyn HttpFilterConfig, ) -> abi::envoy_dynamic_module_type_http_filter_module_ptr { - let filter = filter_config.new_http_filter(envoy_filter_config); + let filter = filter_config.new_http_filter(envoy_filter); wrap_into_c_void_ptr!(filter) } diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs index 9b8de43cbb160..d2b32e426002f 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib_test.rs @@ -16,10 +16,7 @@ fn test_loggers() { #[test] fn test_envoy_dynamic_module_on_http_filter_config_new_impl() { struct TestHttpFilterConfig; - impl HttpFilterConfig - for TestHttpFilterConfig - { - } + impl HttpFilterConfig for TestHttpFilterConfig {} let mut envoy_filter_config = EnvoyHttpFilterConfigImpl { raw_ptr: std::ptr::null_mut(), @@ -55,10 +52,7 @@ fn test_envoy_dynamic_module_on_http_filter_config_destroy() { // Box. static DROPPED: AtomicBool = AtomicBool::new(false); struct TestHttpFilterConfig; - impl HttpFilterConfig - for TestHttpFilterConfig - { - } + impl HttpFilterConfig for TestHttpFilterConfig {} impl Drop for TestHttpFilterConfig { fn drop(&mut self) { DROPPED.store(true, std::sync::atomic::Ordering::SeqCst); @@ -90,10 +84,8 @@ fn test_envoy_dynamic_module_on_http_filter_config_destroy() { fn test_envoy_dynamic_module_on_http_filter_new_destroy() { static DROPPED: AtomicBool = AtomicBool::new(false); struct TestHttpFilterConfig; - impl HttpFilterConfig - for TestHttpFilterConfig - { - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { + impl HttpFilterConfig for TestHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(TestHttpFilter) } } @@ -108,7 +100,7 @@ fn test_envoy_dynamic_module_on_http_filter_new_destroy() { let mut filter_config = TestHttpFilterConfig; let result = envoy_dynamic_module_on_http_filter_new_impl( - &mut EnvoyHttpFilterConfigImpl { + &mut EnvoyHttpFilterImpl { raw_ptr: std::ptr::null_mut(), }, &mut filter_config, @@ -126,10 +118,8 @@ fn test_envoy_dynamic_module_on_http_filter_new_destroy() { // This tests all the on_* methods on the HttpFilter trait through the actual entry points. fn test_envoy_dynamic_module_on_http_filter_callbacks() { struct TestHttpFilterConfig; - impl HttpFilterConfig - for TestHttpFilterConfig - { - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { + impl HttpFilterConfig for TestHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(TestHttpFilter) } } @@ -203,7 +193,7 @@ fn test_envoy_dynamic_module_on_http_filter_callbacks() { let mut filter_config = TestHttpFilterConfig; let filter = envoy_dynamic_module_on_http_filter_new_impl( - &mut EnvoyHttpFilterConfigImpl { + &mut EnvoyHttpFilterImpl { raw_ptr: std::ptr::null_mut(), }, &mut filter_config, diff --git a/test/extensions/dynamic_modules/test_data/rust/http.rs b/test/extensions/dynamic_modules/test_data/rust/http.rs index b2317fcb766b1..9d456da4a23a5 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http.rs @@ -17,7 +17,7 @@ fn new_http_filter_config_fn( _envoy_filter_config: &mut EC, name: &str, _config: &[u8], -) -> Option>> { +) -> Option>> { match name { "header_callbacks" => Some(Box::new(HeaderCallbacksFilterConfig {})), "send_response" => Some(Box::new(SendResponseFilterConfig {})), @@ -34,10 +34,8 @@ fn new_http_filter_config_fn( /// related callbacks. struct HeaderCallbacksFilterConfig {} -impl HttpFilterConfig - for HeaderCallbacksFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for HeaderCallbacksFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(HeaderCallbacksFilter {}) } } @@ -255,10 +253,8 @@ impl HttpFilter for HeaderCallbacksFilter { /// callback struct SendResponseFilterConfig {} -impl HttpFilterConfig - for SendResponseFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for SendResponseFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(SendResponseFilter {}) } } @@ -290,10 +286,8 @@ impl HttpFilter for SendResponseFilter { /// callbacks. struct DynamicMetadataCallbacksFilterConfig {} -impl HttpFilterConfig - for DynamicMetadataCallbacksFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for DynamicMetadataCallbacksFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(DynamicMetadataCallbacksFilter {}) } } @@ -450,10 +444,8 @@ impl HttpFilter for DynamicMetadataCallbacksFilter { /// callbacks. struct FilterStateCallbacksFilterConfig {} -impl HttpFilterConfig - for FilterStateCallbacksFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for FilterStateCallbacksFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(FilterStateCallbacksFilter {}) } } @@ -559,10 +551,8 @@ impl HttpFilter for FilterStateCallbacksFilter { /// to test the body related callbacks. struct BodyCallbacksFilterConfig {} -impl HttpFilterConfig - for BodyCallbacksFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for BodyCallbacksFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(BodyCallbacksFilter::default()) } } diff --git a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs index 47bad3b9cc252..c35e74aeb2bab 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs @@ -16,7 +16,7 @@ fn new_http_filter_config_fn( _envoy_filter_config: &mut EC, name: &str, config: &[u8], -) -> Option>> { +) -> Option>> { match name { "passthrough" => Some(Box::new(PassthroughHttpFilterConfig {})), "header_callbacks" => Some(Box::new(HeadersHttpFilterConfig { @@ -49,10 +49,8 @@ fn new_http_filter_per_route_config_fn(name: &str, config: &[u8]) -> Option HttpFilterConfig - for PassthroughHttpFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for PassthroughHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { // Just to test that loggers can be accessible in a filter config callback. envoy_log_trace!("new_http_filter called"); envoy_log_debug!("new_http_filter called"); @@ -87,10 +85,8 @@ struct HeadersHttpFilterConfig { headers_to_add: String, } -impl HttpFilterConfig - for HeadersHttpFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for HeadersHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { let headers_to_add: Vec<(String, String)> = self .headers_to_add .split(',') @@ -204,10 +200,8 @@ struct PerRouteFilterConfig { value: String, } -impl HttpFilterConfig - for PerRouteFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for PerRouteFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(PerRouteFilter { value: self.value.clone(), per_route_config: None, @@ -264,10 +258,8 @@ struct BodyCallbacksFilterConfig { immediate_end_of_stream: bool, } -impl HttpFilterConfig - for BodyCallbacksFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for BodyCallbacksFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(BodyCallbacksFilter { immediate_end_of_stream: self.immediate_end_of_stream, seen_request_body: false, @@ -369,10 +361,8 @@ impl SendResponseHttpFilterConfig { } } -impl HttpFilterConfig - for SendResponseHttpFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for SendResponseHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(self.f.clone()) } } @@ -440,10 +430,8 @@ struct HttpCalloutsFilterConfig { cluster_name: String, } -impl HttpFilterConfig - for HttpCalloutsFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for HttpCalloutsFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(HttpCalloutsFilter { cluster_name: self.cluster_name.clone(), }) @@ -539,10 +527,8 @@ impl HttpFilter for HttpCalloutsFilter { struct HttpFilterSchedulerConfig {} -impl HttpFilterConfig - for HttpFilterSchedulerConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for HttpFilterSchedulerConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(HttpFilterScheduler { event_ids: vec![], thread_handles: vec![], @@ -610,10 +596,8 @@ impl Drop for HttpFilterScheduler { /// This implements a fake external caching filter that simulates an asynchronous cache lookup. struct FakeExternalCachingFilterConfig {} -impl HttpFilterConfig - for FakeExternalCachingFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for FakeExternalCachingFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(FakeExternalCachingFilter { rx: None }) } } diff --git a/test/extensions/dynamic_modules/test_data/rust/no_op.rs b/test/extensions/dynamic_modules/test_data/rust/no_op.rs index 60ee27a30afce..eee9443417dce 100644 --- a/test/extensions/dynamic_modules/test_data/rust/no_op.rs +++ b/test/extensions/dynamic_modules/test_data/rust/no_op.rs @@ -21,7 +21,7 @@ fn new_nop_http_filter_config_fn Option>> { +) -> Option>> { let name = name.to_string(); let config = String::from_utf8(config.to_owned()).unwrap_or_default(); Some(Box::new(NopHttpFilterConfig { name, config })) @@ -35,10 +35,8 @@ struct NopHttpFilterConfig { config: String, } -impl HttpFilterConfig - for NopHttpFilterConfig -{ - fn new_http_filter(&mut self, _envoy: &mut EC) -> Box> { +impl HttpFilterConfig for NopHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { Box::new(NopHttpFilter { on_request_headers_called: false, on_request_body_called: false, From 2eebe6d18142c79a06d2f1c3373b84c1cf481750 Mon Sep 17 00:00:00 2001 From: Vanessa Reimer Date: Tue, 26 Aug 2025 23:39:10 -0600 Subject: [PATCH 302/505] Update QUICHE from 2013a0735 to 1c35d6308 (#40848) https://github.com/google/quiche/compare/2013a0735..1c35d6308 ``` $ git log 2013a0735..1c35d6308 --date=short --no-merges --format="%ad %al %s" 2025-08-22 wub In QuicSentPacketManager::OnConnectionMigration, call old_send_algorithm->OnPacketNeutered on all inflight packets. 2025-08-22 quiche-dev [Chunked OHTTP] Implementing chunked OHTTP Gateway 2025-08-21 danzh Fix QuicheClientSparseHistogram API. 2025-08-21 quiche-dev Add an optional `ProofVerifier` parameter to `QuicServer` constructors. 2025-08-21 davidben Remove stale BORINGSSL_API_VERSION ifdefs 2025-08-20 quiche-dev Add BoringSSL API_VERSION guard around SSL_CREDENTIAL call 2025-08-20 quiche-dev Update types in `HpackEntryCollector::ValidateIndexedHeader` to `uint64_t`. 2025-08-19 ricea QUICHE: Type check client histogram macro arguments 2025-08-19 danzh Keep track of the platform-picked default network and migrate the connection back to the default network after a period of time if previously the connection started on non-default network or migrated off the default network. 2025-08-18 quiche-dev No public description 2025-08-18 ricea QUICHE: Remove Net. prefix from client histograms ``` Commit Message: Weekly merge. Additional Description: N/A Risk Level: Low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Vanessa Reimer --- bazel/repository_locations.bzl | 6 +++--- test/common/quic/platform/quic_platform_test.cc | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 9dcc696362a84..72ce130e027a3 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1277,12 +1277,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "2013a0735d16e1d1f131d57417850025d750513d", - sha256 = "b2ff7620a7a50a220e29f77bce623436e47524de9cbf7148d9bc2386ce78d893", + version = "1c35d630893fc2adacfffeb91bcb0561240cf5f1", + sha256 = "3ed465a20769e2ad899831b31b005b0410c4e00446434464cc38f791ab2aad4f", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-08-18", + release_date = "2025-08-22", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", diff --git a/test/common/quic/platform/quic_platform_test.cc b/test/common/quic/platform/quic_platform_test.cc index c7c71a6772c5e..15e37b581f68c 100644 --- a/test/common/quic/platform/quic_platform_test.cc +++ b/test/common/quic/platform/quic_platform_test.cc @@ -98,12 +98,12 @@ TEST_F(QuicPlatformTest, QuicClientStats) { QUIC_CLIENT_HISTOGRAM_ENUM("my.enum.histogram", TestEnum::ONE, TestEnum::COUNT, "doc"); QUIC_CLIENT_HISTOGRAM_BOOL("my.bool.histogram", false, "doc"); QUIC_CLIENT_HISTOGRAM_TIMES("my.timing.histogram", QuicTime::Delta::FromSeconds(5), - QuicTime::Delta::FromSeconds(1), QuicTime::Delta::FromSecond(3600), + QuicTime::Delta::FromSeconds(1), QuicTime::Delta::FromSeconds(3600), 100, "doc"); QUIC_CLIENT_HISTOGRAM_COUNTS("my.count.histogram", 123, 0, 1000, 100, "doc"); QuicClientSparseHistogram("my.sparse.histogram", 345); // Make sure compiler doesn't report unused-parameter error. - bool should_be_used; + bool should_be_used = false; QUIC_CLIENT_HISTOGRAM_BOOL("my.bool.histogram", should_be_used, "doc"); } @@ -121,7 +121,7 @@ TEST_F(QuicPlatformTest, QuicExportedStats) { QUIC_HISTOGRAM_ENUM("my.enum.histogram", TestEnum::ONE, TestEnum::COUNT, "doc"); QUIC_HISTOGRAM_BOOL("my.bool.histogram", false, "doc"); QUIC_HISTOGRAM_TIMES("my.timing.histogram", QuicTime::Delta::FromSeconds(5), - QuicTime::Delta::FromSeconds(1), QuicTime::Delta::FromSecond(3600), 100, + QuicTime::Delta::FromSeconds(1), QuicTime::Delta::FromSeconds(3600), 100, "doc"); QUIC_HISTOGRAM_COUNTS("my.count.histogram", 123, 0, 1000, 100, "doc"); } @@ -141,7 +141,7 @@ TEST_F(QuicPlatformTest, QuicServerStats) { QUIC_SERVER_HISTOGRAM_ENUM("my.enum.histogram", TestEnum::ONE, TestEnum::COUNT, "doc"); QUIC_SERVER_HISTOGRAM_BOOL("my.bool.histogram", false, "doc"); QUIC_SERVER_HISTOGRAM_TIMES("my.timing.histogram", QuicTime::Delta::FromSeconds(5), - QuicTime::Delta::FromSeconds(1), QuicTime::Delta::FromSecond(3600), + QuicTime::Delta::FromSeconds(1), QuicTime::Delta::FromSeconds(3600), 100, "doc"); QUIC_SERVER_HISTOGRAM_COUNTS("my.count.histogram", 123, 0, 1000, 100, "doc"); } From ab5d2499526f8e89c2f07bf6ec2bc134eeaf5e84 Mon Sep 17 00:00:00 2001 From: danzh Date: Wed, 27 Aug 2025 11:14:34 -0400 Subject: [PATCH 303/505] quic: more logging for encodeHeader() called on write closed stream (#40829) Commit Message: we are seeing these 2 ENVOY_BUG hit in production, log more stream states for debugging. Risk Level: low, logging only Testing: existing tests pass Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- source/common/quic/envoy_quic_server_stream.cc | 3 ++- source/common/quic/envoy_quic_stream.cc | 15 ++++++++++++++- source/common/quic/envoy_quic_stream.h | 2 ++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/source/common/quic/envoy_quic_server_stream.cc b/source/common/quic/envoy_quic_server_stream.cc index abd2d709ac4f4..cff38f731a6e1 100644 --- a/source/common/quic/envoy_quic_server_stream.cc +++ b/source/common/quic/envoy_quic_server_stream.cc @@ -60,7 +60,8 @@ void EnvoyQuicServerStream::encode1xxHeaders(const Http::ResponseHeaderMap& head void EnvoyQuicServerStream::encodeHeaders(const Http::ResponseHeaderMap& headers, bool end_stream) { ENVOY_STREAM_LOG(debug, "encodeHeaders (end_stream={}) {}.", *this, end_stream, headers); if (write_side_closed()) { - IS_ENVOY_BUG("encodeHeaders is called on write-closed stream."); + IS_ENVOY_BUG( + fmt::format("encodeHeaders is called on write-closed stream. {}", quicStreamState())); return; } diff --git a/source/common/quic/envoy_quic_stream.cc b/source/common/quic/envoy_quic_stream.cc index 021ccde92a899..ba8df49f225c3 100644 --- a/source/common/quic/envoy_quic_stream.cc +++ b/source/common/quic/envoy_quic_stream.cc @@ -17,7 +17,7 @@ void EnvoyQuicStream::encodeData(Buffer::Instance& data, bool end_stream) { return; } if (quic_stream_.write_side_closed()) { - IS_ENVOY_BUG("encodeData is called on write-closed stream."); + IS_ENVOY_BUG(fmt::format("encodeData is called on write-closed stream. {}", quicStreamState())); return; } ASSERT(!local_end_stream_); @@ -185,5 +185,18 @@ void EnvoyQuicStream::encodeMetadata(const Http::MetadataMapVector& metadata_map } } +std::string EnvoyQuicStream::quicStreamState() { + return fmt::format( + "QUIC stream state: local_end_stream_ {}, rst_received " + "{}, rst_sent {}, fin_received {}, fin_sent {}, fin_buffered {}, fin_outstanding {}, " + "stream_error {}, connection_error {}, connection connected: {}.", + local_end_stream_, quic_stream_.rst_received(), quic_stream_.rst_sent(), + quic_stream_.fin_received(), quic_stream_.fin_sent(), quic_stream_.fin_buffered(), + quic_stream_.fin_outstanding(), + quic::QuicRstStreamErrorCodeToString(quic_stream_.stream_error()), + quic::QuicErrorCodeToString(quic_stream_.connection_error()), + quic_session_.connection()->connected()); +} + } // namespace Quic } // namespace Envoy diff --git a/source/common/quic/envoy_quic_stream.h b/source/common/quic/envoy_quic_stream.h index 0111a1bcfa40c..a9e48b495bc88 100644 --- a/source/common/quic/envoy_quic_stream.h +++ b/source/common/quic/envoy_quic_stream.h @@ -239,6 +239,8 @@ class EnvoyQuicStream : public virtual Http::StreamEncoder, return received_metadata_bytes_ > 1 << 20; } + std::string quicStreamState(); + http2::adapter::HeaderValidator& header_validator() { return header_validator_; } #ifdef ENVOY_ENABLE_HTTP_DATAGRAMS From d552b66f5d70ddd9e13c68c40f70729a45fb24e0 Mon Sep 17 00:00:00 2001 From: "Antonio V. Leonti" <53806445+antoniovleonti@users.noreply.github.com> Date: Wed, 27 Aug 2025 11:49:39 -0400 Subject: [PATCH 304/505] add override knob for stream flush timeout (#40811) Commit Message: add override knob for stream flush timeout Additional Description: Today it is not possible to configure the stream idle timeout and the stream flush timeout (i.e. the time envoy will wait for the downstream client to open enough window for its response) independently. This PR makes it possible to configure an explicit flush timeout. It also maintains the current behavior of allowing you to configure it just through the stream idle timeout knob for backwards compatibility. Risk Level: low --------- Signed-off-by: antoniovleonti --- .../config/route/v3/route_components.proto | 22 +++- .../v3/http_connection_manager.proto | 32 +++-- changelogs/current.yaml | 7 +- envoy/router/router.h | 6 + source/common/http/codec_helper.h | 30 ++--- source/common/http/conn_manager_config.h | 6 + source/common/http/conn_manager_impl.cc | 60 ++++++---- source/common/http/conn_manager_impl.h | 7 +- source/common/http/http2/codec_impl.cc | 2 +- source/common/http/null_route_impl.h | 1 + source/common/router/config_impl.cc | 5 + source/common/router/config_impl.h | 8 +- source/common/router/delegating_route_impl.cc | 4 + source/common/router/delegating_route_impl.h | 1 + .../network/http_connection_manager/config.cc | 2 + .../network/http_connection_manager/config.h | 4 + source/server/admin/admin.h | 3 + .../http/conn_manager_impl_fuzz_test.cc | 4 + test/common/http/conn_manager_impl_test.cc | 98 +++++++++++++++ .../http/conn_manager_impl_test_base.cc | 3 + .../common/http/conn_manager_impl_test_base.h | 4 + .../http_connection_manager/config_test.cc | 113 ++++++++++++++++++ .../multiplexed_integration_test.cc | 45 +++++++ test/mocks/http/mocks.h | 1 + test/mocks/router/mocks.h | 2 + 25 files changed, 418 insertions(+), 52 deletions(-) diff --git a/api/envoy/config/route/v3/route_components.proto b/api/envoy/config/route/v3/route_components.proto index b9607c9c3b39d..1b286f911ff78 100644 --- a/api/envoy/config/route/v3/route_components.proto +++ b/api/envoy/config/route/v3/route_components.proto @@ -793,7 +793,7 @@ message CorsPolicy { google.protobuf.BoolValue forward_not_matching_preflights = 13; } -// [#next-free-field: 42] +// [#next-free-field: 43] message RouteAction { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; @@ -1318,8 +1318,28 @@ message RouteAction { // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" // is configured, this timeout is scaled according to the value for // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + // + // This timeout may also be used in place of ``flush_timeout`` in very specific cases. See the + // documentation for ``flush_timeout`` for more details. google.protobuf.Duration idle_timeout = 24; + // Specifies the codec stream flush timeout for the route. + // + // If not specified, the first preference is the global :ref:`stream_flush_timeout + // `, + // but only if explicitly configured. + // + // If neither the explicit HCM-wide flush timeout nor this route-specific flush timeout is configured, + // the route's stream idle timeout is reused for this timeout. This is for + // backwards compatibility since both behaviors were historically controlled by the one timeout. + // + // If the route also does not have an idle timeout configured, the global :ref:`stream_idle_timeout + // `. used, again + // for backwards compatibility. That timeout defaults to 5 minutes. + // + // A value of 0 via any of the above paths will completely disable the timeout for a given route. + google.protobuf.Duration flush_timeout = 42; + // Specifies how to send request over TLS early data. // If absent, allows `safe HTTP requests `_ to be sent on early data. // [#extension-category: envoy.route.early_data_policy] diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index 32389d90bf30f..730e065e6c417 100644 --- a/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // HTTP connection manager :ref:`configuration overview `. // [#extension: envoy.filters.network.http_connection_manager] -// [#next-free-field: 59] +// [#next-free-field: 60] message HttpConnectionManager { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; @@ -527,16 +527,6 @@ message HttpConnectionManager { // is terminated with a 408 Request Timeout error code if no upstream response // header has been received, otherwise a stream reset occurs. // - // This timeout also specifies the amount of time that Envoy will wait for the peer to open enough - // window to write any remaining stream data once the entirety of stream data (local end stream is - // true) has been buffered pending available window. In other words, this timeout defends against - // a peer that does not release enough window to completely write the stream, even though all - // data has been proxied within available flow control windows. If the timeout is hit in this - // case, the :ref:`tx_flush_timeout ` counter will be - // incremented. Note that :ref:`max_stream_duration - // ` does not apply to - // this corner case. - // // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" // is configured, this timeout is scaled according to the value for // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. @@ -549,9 +539,29 @@ message HttpConnectionManager { // // A value of 0 will completely disable the connection manager stream idle // timeout, although per-route idle timeout overrides will continue to apply. + // + // This timeout is also used as the default value for :ref:`stream_flush_timeout + // `. google.protobuf.Duration stream_idle_timeout = 24 [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + // The stream flush timeout for connections managed by the connection manager. + // + // If not specified, the value of stream_idle_timeout is used. This is for backwards compatibility + // since this was the original behavior. In essence this timeout is an override for the + // stream_idle_timeout that applies specifically to the end of stream flush case. + // + // This timeout specifies the amount of time that Envoy will wait for the peer to open enough + // window to write any remaining stream data once the entirety of stream data (local end stream is + // true) has been buffered pending available window. In other words, this timeout defends against + // a peer that does not release enough window to completely write the stream, even though all + // data has been proxied within available flow control windows. If the timeout is hit in this + // case, the :ref:`tx_flush_timeout ` counter will be + // incremented. Note that :ref:`max_stream_duration + // ` does not apply to + // this corner case. + google.protobuf.Duration stream_flush_timeout = 59; + // The amount of time that Envoy will wait for the entire request to be received. // The timer is activated when the request is initiated, and is disarmed when the last byte of the // request is sent upstream (i.e. all decoding filters have processed the request), OR when the diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 923f3e4165568..ef8923f9241f3 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -302,6 +302,11 @@ new_features: - area: http change: | Added ``upstream_rq_per_cx`` histogram to track requests per connection for monitoring connection reuse efficiency. - +- area: http + change: | + Added + :ref:`stream_flush_timeout + ` + to allow for configuring a stream flush timeout independently from the stream idle timeout. deprecated: diff --git a/envoy/router/router.h b/envoy/router/router.h index 2fe9d575342d4..0569f793f42cd 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -1033,6 +1033,12 @@ class RouteEntry : public ResponseEntry { */ virtual absl::optional idleTimeout() const PURE; + /** + * @return optional the route's flush timeout. Zero indicates a + * disabled idle timeout, while nullopt indicates deference to the global timeout. + */ + virtual absl::optional flushTimeout() const PURE; + /** * @return true if new style max_stream_duration config should be used over the old style. */ diff --git a/source/common/http/codec_helper.h b/source/common/http/codec_helper.h index a6ee26e1db765..aec7224bfac5f 100644 --- a/source/common/http/codec_helper.h +++ b/source/common/http/codec_helper.h @@ -89,11 +89,11 @@ class StreamCallbackHelper { class MultiplexedStreamImplBase : public Stream, public StreamCallbackHelper { public: MultiplexedStreamImplBase(Event::Dispatcher& dispatcher) : dispatcher_(dispatcher) {} - ~MultiplexedStreamImplBase() override { ASSERT(stream_idle_timer_ == nullptr); } + ~MultiplexedStreamImplBase() override { ASSERT(stream_flush_timer_ == nullptr); } // TODO(mattklein123): Optimally this would be done in the destructor but there are currently // deferred delete lifetime issues that need sorting out if the destructor of the stream is // going to be able to refer to the parent connection. - virtual void destroy() { disarmStreamIdleTimer(); } + virtual void destroy() { disarmStreamFlushTimer(); } void onLocalEndStream() { ASSERT(local_end_stream_); @@ -102,11 +102,11 @@ class MultiplexedStreamImplBase : public Stream, public StreamCallbackHelper { } } - void disarmStreamIdleTimer() { - if (stream_idle_timer_ != nullptr) { + void disarmStreamFlushTimer() { + if (stream_flush_timer_ != nullptr) { // To ease testing and the destructor assertion. - stream_idle_timer_->disableTimer(); - stream_idle_timer_.reset(); + stream_flush_timer_->disableTimer(); + stream_flush_timer_.reset(); } } @@ -117,18 +117,18 @@ class MultiplexedStreamImplBase : public Stream, public StreamCallbackHelper { protected: void setFlushTimeout(std::chrono::milliseconds timeout) override { - stream_idle_timeout_ = timeout; + stream_flush_timeout_ = timeout; } void createPendingFlushTimer() { - ASSERT(stream_idle_timer_ == nullptr); - if (stream_idle_timeout_.count() > 0) { - stream_idle_timer_ = dispatcher_.createTimer([this] { onPendingFlushTimer(); }); - stream_idle_timer_->enableTimer(stream_idle_timeout_); + ASSERT(stream_flush_timer_ == nullptr); + if (stream_flush_timeout_.count() > 0) { + stream_flush_timer_ = dispatcher_.createTimer([this] { onPendingFlushTimer(); }); + stream_flush_timer_->enableTimer(stream_flush_timeout_); } } - virtual void onPendingFlushTimer() { stream_idle_timer_.reset(); } + virtual void onPendingFlushTimer() { stream_flush_timer_.reset(); } virtual bool hasPendingData() PURE; @@ -136,9 +136,9 @@ class MultiplexedStreamImplBase : public Stream, public StreamCallbackHelper { private: Event::Dispatcher& dispatcher_; - // See HttpConnectionManager.stream_idle_timeout. - std::chrono::milliseconds stream_idle_timeout_{}; - Event::TimerPtr stream_idle_timer_; + // See HttpConnectionManager.stream_flush_timeout. + std::chrono::milliseconds stream_flush_timeout_{}; + Event::TimerPtr stream_flush_timer_; }; } // namespace Http diff --git a/source/common/http/conn_manager_config.h b/source/common/http/conn_manager_config.h index c80f6bf90deda..071b6464af3fb 100644 --- a/source/common/http/conn_manager_config.h +++ b/source/common/http/conn_manager_config.h @@ -311,6 +311,12 @@ class ConnectionManagerConfig { */ virtual std::chrono::milliseconds streamIdleTimeout() const PURE; + /** + * @return per-stream flush timeout for incoming connection manager connections. Zero indicates a + * disabled idle timeout. + */ + virtual absl::optional streamFlushTimeout() const PURE; + /** * @return request timeout for incoming connection manager connections. Zero indicates * a disabled request timeout. diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index 81df610026576..4e12fff583b7e 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -431,7 +431,12 @@ RequestDecoder& ConnectionManagerImpl::newStream(ResponseEncoder& response_encod new_stream->response_encoder_ = &response_encoder; new_stream->response_encoder_->getStream().addCallbacks(*new_stream); new_stream->response_encoder_->getStream().registerCodecEventCallbacks(new_stream.get()); - new_stream->response_encoder_->getStream().setFlushTimeout(new_stream->idle_timeout_ms_); + if (config_->streamFlushTimeout().has_value()) { + new_stream->response_encoder_->getStream().setFlushTimeout( + config_->streamFlushTimeout().value()); + } else { + new_stream->response_encoder_->getStream().setFlushTimeout(config_->streamIdleTimeout()); + } new_stream->streamInfo().setDownstreamBytesMeter(response_encoder.getStream().bytesMeter()); // If the network connection is backed up, the stream should be made aware of it on creation. // Both HTTP/1.x and HTTP/2 codecs handle this in StreamCallbackHelper::addCallbacksHelper. @@ -846,6 +851,8 @@ ConnectionManagerImpl::ActiveStream::ActiveStream(ConnectionManagerImpl& connect connection_manager_.overload_manager_), request_response_timespan_(new Stats::HistogramCompletableTimespanImpl( connection_manager_.stats_.named_.downstream_rq_time_, connection_manager_.timeSource())), + has_explicit_global_flush_timeout_( + connection_manager.config_->streamFlushTimeout().has_value()), header_validator_( connection_manager.config_->makeHeaderValidator(connection_manager.codec_->protocol())), trace_refresh_after_route_refresh_(Runtime::runtimeFeatureEnabled( @@ -2216,30 +2223,43 @@ void ConnectionManagerImpl::ActiveStream::setVirtualHostRoute( refreshTracing(); refreshDurationTimeout(); - refreshIdleTimeout(); + refreshIdleAndFlushTimeouts(); } -void ConnectionManagerImpl::ActiveStream::refreshIdleTimeout() { - if (hasCachedRoute()) { - const Router::RouteEntry* route_entry = cached_route_.value()->routeEntry(); - if (route_entry != nullptr && route_entry->idleTimeout()) { - idle_timeout_ms_ = route_entry->idleTimeout().value(); - response_encoder_->getStream().setFlushTimeout(idle_timeout_ms_); - if (idle_timeout_ms_.count()) { - // If we have a route-level idle timeout but no global stream idle timeout, create a timer. - if (stream_idle_timer_ == nullptr) { - stream_idle_timer_ = connection_manager_.dispatcher_->createScaledTimer( - Event::ScaledTimerType::HttpDownstreamIdleStreamTimeout, - [this]() -> void { onIdleTimeout(); }); - } - } else if (stream_idle_timer_ != nullptr) { - // If we had a global stream idle timeout but the route-level idle timeout is set to zero - // (to override), we disable the idle timer. - stream_idle_timer_->disableTimer(); - stream_idle_timer_ = nullptr; +void ConnectionManagerImpl::ActiveStream::refreshIdleAndFlushTimeouts() { + if (!hasCachedRoute()) { + return; + } + const Router::RouteEntry* route_entry = cached_route_.value()->routeEntry(); + if (route_entry == nullptr) { + return; + } + + if (route_entry->idleTimeout().has_value()) { + idle_timeout_ms_ = route_entry->idleTimeout().value(); + if (idle_timeout_ms_.count()) { + // If we have a route-level idle timeout but no global stream idle timeout, create a timer. + if (stream_idle_timer_ == nullptr) { + stream_idle_timer_ = connection_manager_.dispatcher_->createScaledTimer( + Event::ScaledTimerType::HttpDownstreamIdleStreamTimeout, + [this]() -> void { onIdleTimeout(); }); } + } else if (stream_idle_timer_ != nullptr) { + // If we had a global stream idle timeout but the route-level idle timeout is set to zero + // (to override), we disable the idle timer. + stream_idle_timer_->disableTimer(); + stream_idle_timer_ = nullptr; } } + + if (route_entry->flushTimeout().has_value()) { + response_encoder_->getStream().setFlushTimeout(route_entry->flushTimeout().value()); + } else if (!has_explicit_global_flush_timeout_ && route_entry->idleTimeout().has_value()) { + // If there is no route-level flush timeout, and the global flush timeout was also inherited + // from the idle timeout, also inherit the route-level idle timeout. This is for backwards + // compatibility. + response_encoder_->getStream().setFlushTimeout(idle_timeout_ms_); + } } void ConnectionManagerImpl::ActiveStream::refreshAccessLogFlushTimer() { diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h index db0aad3e6ed6c..4a6743e0e27fa 100644 --- a/source/common/http/conn_manager_impl.h +++ b/source/common/http/conn_manager_impl.h @@ -333,7 +333,7 @@ class ConnectionManagerImpl : Logger::Loggable, void refreshCachedRoute(const Router::RouteCallback& cb); void refreshDurationTimeout(); - void refreshIdleTimeout(); + void refreshIdleAndFlushTimeouts(); void refreshAccessLogFlushTimer(); void refreshTracing(); @@ -473,6 +473,11 @@ class ConnectionManagerImpl : Logger::Loggable, Event::TimerPtr access_log_flush_timer_; std::chrono::milliseconds idle_timeout_ms_{}; + // If an explicit global flush timeout is set, never override it with the route entry idle + // timeout. If there is no explicit global flush timeout, then override with the route entry + // idle timeout if it exists. This is to prevent breaking existing user expectations that the + // flush timeout is the same as the idle timeout. + const bool has_explicit_global_flush_timeout_{false}; State state_; // Snapshot of the route configuration at the time of request is started. This is used to ensure diff --git a/source/common/http/http2/codec_impl.cc b/source/common/http/http2/codec_impl.cc index 713eb309af3e8..40b20b20dd590 100644 --- a/source/common/http/http2/codec_impl.cc +++ b/source/common/http/http2/codec_impl.cc @@ -1234,7 +1234,7 @@ int ConnectionImpl::onFrameSend(int32_t stream_id, size_t length, uint8_t type, // teardown. As part of the work to remove exceptions we should aim to clean up all of this // error handling logic and only handle this type of case at the end of dispatch. for (auto& stream : active_streams_) { - stream->disarmStreamIdleTimer(); + stream->disarmStreamFlushTimer(); } return ERR_CALLBACK_FAILURE; } diff --git a/source/common/http/null_route_impl.h b/source/common/http/null_route_impl.h index 2043bf37267b0..7e9c16fe203c0 100644 --- a/source/common/http/null_route_impl.h +++ b/source/common/http/null_route_impl.h @@ -174,6 +174,7 @@ struct RouteEntryImpl : public Router::RouteEntry { } bool usingNewTimeouts() const override { return false; } absl::optional idleTimeout() const override { return absl::nullopt; } + absl::optional flushTimeout() const override { return absl::nullopt; } absl::optional maxStreamDuration() const override { return absl::nullopt; } diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index df46ccc0c604b..ae6df86f80d08 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -1188,6 +1188,7 @@ RouteEntryImplBase::OptionalTimeouts RouteEntryImplBase::buildOptionalTimeouts( // Calculate how many values are actually set, to initialize `OptionalTimeouts` packed_struct, // avoiding memory re-allocation on each set() call. int num_timeouts_set = route.has_idle_timeout() ? 1 : 0; + num_timeouts_set += route.has_flush_timeout() ? 1 : 0; num_timeouts_set += route.has_max_grpc_timeout() ? 1 : 0; num_timeouts_set += route.has_grpc_timeout_offset() ? 1 : 0; if (route.has_max_stream_duration()) { @@ -1200,6 +1201,10 @@ RouteEntryImplBase::OptionalTimeouts RouteEntryImplBase::buildOptionalTimeouts( timeouts.set( std::chrono::milliseconds(PROTOBUF_GET_MS_REQUIRED(route, idle_timeout))); } + if (route.has_flush_timeout()) { + timeouts.set( + std::chrono::milliseconds(PROTOBUF_GET_MS_REQUIRED(route, flush_timeout))); + } if (route.has_max_grpc_timeout()) { timeouts.set( std::chrono::milliseconds(PROTOBUF_GET_MS_REQUIRED(route, max_grpc_timeout))); diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 39c48c059c159..0ccf576b8d76e 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -747,13 +747,17 @@ class RouteEntryImplBase : public RouteEntryAndRoute, GrpcTimeoutHeaderMax, GrpcTimeoutHeaderOffset, MaxGrpcTimeout, - GrpcTimeoutOffset + GrpcTimeoutOffset, + FlushTimeout, }; - using OptionalTimeouts = PackedStruct; + using OptionalTimeouts = PackedStruct; absl::optional idleTimeout() const override { return getOptionalTimeout(); } + absl::optional flushTimeout() const override { + return getOptionalTimeout(); + } absl::optional maxStreamDuration() const override { return getOptionalTimeout(); } diff --git a/source/common/router/delegating_route_impl.cc b/source/common/router/delegating_route_impl.cc index c43d527dae4f0..fe1fb3f64c47e 100644 --- a/source/common/router/delegating_route_impl.cc +++ b/source/common/router/delegating_route_impl.cc @@ -93,6 +93,10 @@ absl::optional DelegatingRouteEntry::idleTimeout() co return base_route_entry_->idleTimeout(); } +absl::optional DelegatingRouteEntry::flushTimeout() const { + return base_route_entry_->flushTimeout(); +} + bool DelegatingRouteEntry::usingNewTimeouts() const { return base_route_entry_->usingNewTimeouts(); } diff --git a/source/common/router/delegating_route_impl.h b/source/common/router/delegating_route_impl.h index e720b6940d29e..bb3ef724189d1 100644 --- a/source/common/router/delegating_route_impl.h +++ b/source/common/router/delegating_route_impl.h @@ -108,6 +108,7 @@ class DelegatingRouteEntry : public DelegatingRouteBase { const std::vector& shadowPolicies() const override; std::chrono::milliseconds timeout() const override; absl::optional idleTimeout() const override; + absl::optional flushTimeout() const override; bool usingNewTimeouts() const override; absl::optional maxStreamDuration() const override; absl::optional grpcTimeoutHeaderMax() const override; diff --git a/source/extensions/filters/network/http_connection_manager/config.cc b/source/extensions/filters/network/http_connection_manager/config.cc index cf1c3bae5d74c..7f59880891068 100644 --- a/source/extensions/filters/network/http_connection_manager/config.cc +++ b/source/extensions/filters/network/http_connection_manager/config.cc @@ -395,6 +395,8 @@ HttpConnectionManagerConfig::HttpConnectionManagerConfig( PROTOBUF_GET_OPTIONAL_MS(config.common_http_protocol_options(), max_stream_duration)), stream_idle_timeout_( PROTOBUF_GET_MS_OR_DEFAULT(config, stream_idle_timeout, StreamIdleTimeoutMs)), + stream_flush_timeout_( + PROTOBUF_GET_MS_OR_DEFAULT(config, stream_flush_timeout, stream_idle_timeout_.count())), request_timeout_(PROTOBUF_GET_MS_OR_DEFAULT(config, request_timeout, RequestTimeoutMs)), request_headers_timeout_( PROTOBUF_GET_MS_OR_DEFAULT(config, request_headers_timeout, RequestHeaderTimeoutMs)), diff --git a/source/extensions/filters/network/http_connection_manager/config.h b/source/extensions/filters/network/http_connection_manager/config.h index 51e4e651f404d..60c8c8daf7087 100644 --- a/source/extensions/filters/network/http_connection_manager/config.h +++ b/source/extensions/filters/network/http_connection_manager/config.h @@ -184,6 +184,9 @@ class HttpConnectionManagerConfig : Logger::Loggable, return http1_safe_max_connection_duration_; } std::chrono::milliseconds streamIdleTimeout() const override { return stream_idle_timeout_; } + absl::optional streamFlushTimeout() const override { + return stream_flush_timeout_; + } std::chrono::milliseconds requestTimeout() const override { return request_timeout_; } std::chrono::milliseconds requestHeadersTimeout() const override { return request_headers_timeout_; @@ -330,6 +333,7 @@ class HttpConnectionManagerConfig : Logger::Loggable, const bool http1_safe_max_connection_duration_; absl::optional max_stream_duration_; std::chrono::milliseconds stream_idle_timeout_; + absl::optional stream_flush_timeout_; std::chrono::milliseconds request_timeout_; std::chrono::milliseconds request_headers_timeout_; Router::RouteConfigProviderSharedPtr route_config_provider_; diff --git a/source/server/admin/admin.h b/source/server/admin/admin.h index 2bf3706e07100..25af385aff56c 100644 --- a/source/server/admin/admin.h +++ b/source/server/admin/admin.h @@ -152,6 +152,9 @@ class AdminImpl : public Admin, uint32_t maxRequestHeadersKb() const override { return max_request_headers_kb_; } uint32_t maxRequestHeadersCount() const override { return max_request_headers_count_; } std::chrono::milliseconds streamIdleTimeout() const override { return {}; } + absl::optional streamFlushTimeout() const override { + return std::nullopt; + } std::chrono::milliseconds requestTimeout() const override { return {}; } std::chrono::milliseconds requestHeadersTimeout() const override { return {}; } std::chrono::milliseconds delayedCloseTimeout() const override { return {}; } diff --git a/test/common/http/conn_manager_impl_fuzz_test.cc b/test/common/http/conn_manager_impl_fuzz_test.cc index 53bc9d6ba4f5b..d7f367977e27c 100644 --- a/test/common/http/conn_manager_impl_fuzz_test.cc +++ b/test/common/http/conn_manager_impl_fuzz_test.cc @@ -160,6 +160,9 @@ class FuzzConfig : public ConnectionManagerConfig { return max_stream_duration_; } std::chrono::milliseconds streamIdleTimeout() const override { return stream_idle_timeout_; } + absl::optional streamFlushTimeout() const override { + return stream_flush_timeout_; + } std::chrono::milliseconds requestTimeout() const override { return request_timeout_; } std::chrono::milliseconds requestHeadersTimeout() const override { return request_headers_timeout_; @@ -282,6 +285,7 @@ class FuzzConfig : public ConnectionManagerConfig { bool http1_safe_max_connection_duration_{false}; absl::optional max_stream_duration_; std::chrono::milliseconds stream_idle_timeout_{}; + std::chrono::milliseconds stream_flush_timeout_{}; std::chrono::milliseconds request_timeout_{}; std::chrono::milliseconds request_headers_timeout_{}; std::chrono::milliseconds delayed_close_timeout_{}; diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index a951ab5f7dfaa..c30e487cb005c 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -3472,6 +3472,104 @@ TEST_F(HttpConnectionManagerImplTest, PerStreamIdleTimeoutRouteOverride) { filter_callbacks_.connection_.raiseEvent(Network::ConnectionEvent::RemoteClose); } +// Per-stream flush and idle timeouts have a somewhat complex precedence order, so here we test +// every combination of global and per-route flush and idle timeouts. Note that global idle timeout +// not being set or unset doesn't affect the behavior of the flush timeout since it's the same as +// the idle timeout being set explicitly to the default value. For this reason it's a constant in +// the below tests. +class IdleAndFlushTimeoutTestFixture : public HttpConnectionManagerImplMixin, + public testing::TestWithParam> { +public: + IdleAndFlushTimeoutTestFixture() + : global_flush_timeout_set_(std::get<0>(GetParam())), + route_flush_timeout_set_(std::get<1>(GetParam())), + route_idle_timeout_set_(std::get<2>(GetParam())) { + if (route_flush_timeout_set_) { + route_flush_timeout_ = std::chrono::milliseconds(30); + } + if (route_idle_timeout_set_) { + route_idle_timeout_ = std::chrono::milliseconds(40); + } + } + +protected: + const bool global_flush_timeout_set_; + const bool route_flush_timeout_set_; + const bool route_idle_timeout_set_; + absl::optional global_flush_timeout_{absl::nullopt}; + absl::optional route_flush_timeout_{absl::nullopt}; + absl::optional route_idle_timeout_{absl::nullopt}; +}; + +INSTANTIATE_TEST_SUITE_P(IdleAndFlushTimeoutTestFixture, IdleAndFlushTimeoutTestFixture, + testing::Combine(testing::Bool(), testing::Bool(), testing::Bool()), + [](const testing::TestParamInfo>& info) { + return absl::StrCat(std::get<0>(info.param) ? "GlobalFlushTimeoutSet" + : "NoGlobalFlushTimeout", + std::get<1>(info.param) ? "RouteFlushTimeoutSet" + : "NoRouteFlushTimeout", + std::get<2>(info.param) ? "RouteIdleTimeoutSet" + : "NoRouteIdleTimeout"); + }); + +TEST_P(IdleAndFlushTimeoutTestFixture, TestAllCases) { + stream_idle_timeout_ = std::chrono::milliseconds(10); // Constant across all cases. + if (global_flush_timeout_set_) { + stream_flush_timeout_ = std::chrono::milliseconds(20); + } + setup(); + ON_CALL(route_config_provider_.route_config_->route_->route_entry_, flushTimeout()) + .WillByDefault(Return(route_flush_timeout_)); + ON_CALL(route_config_provider_.route_config_->route_->route_entry_, idleTimeout()) + .WillByDefault(Return(route_idle_timeout_)); + + EXPECT_CALL(*codec_, dispatch(_)) + .WillRepeatedly(Invoke([&](Buffer::Instance& data) -> Http::Status { + // Both timers will get initialized in all cases here. The value of the flush timeout + // just depends on whether it was set explicitly or inherited from the idle timeout. + EXPECT_CALL(response_encoder_.stream_, + setFlushTimeout(global_flush_timeout_set_ ? stream_flush_timeout_.value() + : stream_idle_timeout_)); + Event::MockTimer* idle_timer = setUpTimer(); + EXPECT_CALL(*idle_timer, enableTimer(stream_idle_timeout_, _)); + decoder_ = &conn_manager_->newStream(response_encoder_); + + RequestHeaderMapPtr headers{new TestRequestHeaderMapImpl{ + {":authority", "host"}, {":path", "/"}, {":method", "GET"}}}; + + if (route_flush_timeout_set_) { + // If a route flush timeout is set it will ALWAYS be used. + EXPECT_CALL(response_encoder_.stream_, setFlushTimeout(route_flush_timeout_.value())); + } else if (!global_flush_timeout_set_ && route_idle_timeout_set_) { + // If no route flush timeout is set and the global flush timeout was inherited from the + // idle timeout, adopt the route idle timeout. This is for backwards compatibility with + // existing Envoy behavior. + EXPECT_CALL(response_encoder_.stream_, setFlushTimeout(route_idle_timeout_.value())); + } else { + // One of the following is true: + // 1. No route flush or idle timeout is set, so there's nothing to do here. + // 2. The global flush timeout is set explicitly, so the route idle timeout is ignored. + EXPECT_CALL(response_encoder_.stream_, setFlushTimeout(_)).Times(0); + } + + EXPECT_CALL(*idle_timer, disableTimer()); + EXPECT_CALL(*idle_timer, enableTimer(route_idle_timeout_set_ ? route_idle_timeout_.value() + : stream_idle_timeout_, + _)); + + decoder_->decodeHeaders(std::move(headers), false); + + data.drain(4); + return Http::okStatus(); + })); + + Buffer::OwnedImpl fake_input("1234"); + conn_manager_->onData(fake_input, false); + + EXPECT_EQ(0U, stats_.named_.downstream_rq_idle_timeout_.value()); + filter_callbacks_.connection_.raiseEvent(Network::ConnectionEvent::RemoteClose); +} + // Per-route zero timeout overrides the global stream idle timeout. TEST_F(HttpConnectionManagerImplTest, PerStreamIdleTimeoutRouteZeroOverride) { stream_idle_timeout_ = std::chrono::milliseconds(10); diff --git a/test/common/http/conn_manager_impl_test_base.cc b/test/common/http/conn_manager_impl_test_base.cc index 36fb2509d7f5e..e40871cbe3c1f 100644 --- a/test/common/http/conn_manager_impl_test_base.cc +++ b/test/common/http/conn_manager_impl_test_base.cc @@ -61,6 +61,9 @@ class ConnectionManagerConfigProxyObject : public ConnectionManagerConfig { std::chrono::milliseconds streamIdleTimeout() const override { return parent_.streamIdleTimeout(); } + absl::optional streamFlushTimeout() const override { + return parent_.streamFlushTimeout(); + } std::chrono::milliseconds requestTimeout() const override { return parent_.requestTimeout(); } std::chrono::milliseconds requestHeadersTimeout() const override { return parent_.requestHeadersTimeout(); diff --git a/test/common/http/conn_manager_impl_test_base.h b/test/common/http/conn_manager_impl_test_base.h index 3e830da57b1e9..dd5d0ebad5b57 100644 --- a/test/common/http/conn_manager_impl_test_base.h +++ b/test/common/http/conn_manager_impl_test_base.h @@ -122,6 +122,9 @@ class HttpConnectionManagerImplMixin : public ConnectionManagerConfig { return http1_safe_max_connection_duration_; } std::chrono::milliseconds streamIdleTimeout() const override { return stream_idle_timeout_; } + absl::optional streamFlushTimeout() const override { + return stream_flush_timeout_; + } std::chrono::milliseconds requestTimeout() const override { return request_timeout_; } std::chrono::milliseconds requestHeadersTimeout() const override { return request_headers_timeout_; @@ -285,6 +288,7 @@ class HttpConnectionManagerImplMixin : public ConnectionManagerConfig { absl::optional max_connection_duration_; bool http1_safe_max_connection_duration_{false}; std::chrono::milliseconds stream_idle_timeout_{}; + absl::optional stream_flush_timeout_{}; std::chrono::milliseconds request_timeout_{}; std::chrono::milliseconds request_headers_timeout_{}; std::chrono::milliseconds delayed_close_timeout_{}; diff --git a/test/extensions/filters/network/http_connection_manager/config_test.cc b/test/extensions/filters/network/http_connection_manager/config_test.cc index f7fe6b9eb9aa1..56120bd3d5bcc 100644 --- a/test/extensions/filters/network/http_connection_manager/config_test.cc +++ b/test/extensions/filters/network/http_connection_manager/config_test.cc @@ -906,6 +906,119 @@ TEST_F(HttpConnectionManagerConfigTest, DisabledStreamIdleTimeout) { EXPECT_EQ(0, config.streamIdleTimeout().count()); } +TEST_F(HttpConnectionManagerConfigTest, StreamIdleTimeoutDefault) { + const std::string yaml_string = R"EOF( + stat_prefix: ingress_http + route_config: + name: local_route + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + )EOF"; + + HttpConnectionManagerConfig config(parseHttpConnectionManagerFromYaml(yaml_string), context_, + date_provider_, route_config_provider_manager_, + &scoped_routes_config_provider_manager_, tracer_manager_, + filter_config_provider_manager_, creation_status_); + ASSERT_TRUE(creation_status_.ok()); + // 5 minutes -> ms. + EXPECT_EQ(5 * 60 * 1000, config.streamIdleTimeout().count()); +} + +// Tracks stream_idle_timeout. If neither stream_idle_timeout nor stream_flush_timeout are set, +// stream_flush_timeout should default to stream_idle_timeout's default. +TEST_F(HttpConnectionManagerConfigTest, StreamFlushTimeoutDefault) { + const std::string yaml_string = R"EOF( + stat_prefix: ingress_http + route_config: + name: local_route + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + )EOF"; + + HttpConnectionManagerConfig config(parseHttpConnectionManagerFromYaml(yaml_string), context_, + date_provider_, route_config_provider_manager_, + &scoped_routes_config_provider_manager_, tracer_manager_, + filter_config_provider_manager_, creation_status_); + ASSERT_TRUE(creation_status_.ok()); + ASSERT_TRUE(config.streamFlushTimeout().has_value()); + // 5 minutes. + EXPECT_EQ(5 * 60 * 1000, config.streamFlushTimeout().value().count()); +} + +// If stream_idle_timeout is set and stream_flush_timeout is not set, stream_flush_timeout should +// default to stream_idle_timeout. +TEST_F(HttpConnectionManagerConfigTest, StreamFlushTimeoutDefaultStreamIdleTimeoutSet) { + const std::string yaml_string = R"EOF( + stat_prefix: ingress_http + stream_idle_timeout: 10s + route_config: + name: local_route + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + )EOF"; + + HttpConnectionManagerConfig config(parseHttpConnectionManagerFromYaml(yaml_string), context_, + date_provider_, route_config_provider_manager_, + &scoped_routes_config_provider_manager_, tracer_manager_, + filter_config_provider_manager_, creation_status_); + ASSERT_TRUE(creation_status_.ok()); + ASSERT_TRUE(config.streamFlushTimeout().has_value()); + // 10 seconds. + EXPECT_EQ(10 * 1000, config.streamFlushTimeout().value().count()); +} + +// Validate that an explicit zero stream flush timeout disables it. +TEST_F(HttpConnectionManagerConfigTest, DisabledStreamFlushTimeout) { + const std::string yaml_string = R"EOF( + stat_prefix: ingress_http + stream_flush_timeout: 0s + route_config: + name: local_route + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + )EOF"; + + HttpConnectionManagerConfig config(parseHttpConnectionManagerFromYaml(yaml_string), context_, + date_provider_, route_config_provider_manager_, + &scoped_routes_config_provider_manager_, tracer_manager_, + filter_config_provider_manager_, creation_status_); + ASSERT_TRUE(creation_status_.ok()); + ASSERT_TRUE(config.streamFlushTimeout().has_value()); + EXPECT_EQ(0, config.streamFlushTimeout().value().count()); +} + +// Validate that the flush timeout and idle timeout can be set independently. +TEST_F(HttpConnectionManagerConfigTest, StreamFlushTimeoutAndStreamIdleTimeoutSet) { + const std::string yaml_string = R"EOF( + stat_prefix: ingress_http + stream_idle_timeout: 10s + stream_flush_timeout: 20s + route_config: + name: local_route + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + )EOF"; + + HttpConnectionManagerConfig config(parseHttpConnectionManagerFromYaml(yaml_string), context_, + date_provider_, route_config_provider_manager_, + &scoped_routes_config_provider_manager_, tracer_manager_, + filter_config_provider_manager_, creation_status_); + ASSERT_TRUE(creation_status_.ok()); + EXPECT_EQ(10 * 1000, config.streamIdleTimeout().count()); + ASSERT_TRUE(config.streamFlushTimeout().has_value()); + EXPECT_EQ(20 * 1000, config.streamFlushTimeout().value().count()); +} + // Validate that idle_timeout set in common_http_protocol_options is used. TEST_F(HttpConnectionManagerConfigTest, CommonHttpProtocolIdleTimeout) { const std::string yaml_string = R"EOF( diff --git a/test/integration/multiplexed_integration_test.cc b/test/integration/multiplexed_integration_test.cc index 558974d6380cc..8173e20caf91a 100644 --- a/test/integration/multiplexed_integration_test.cc +++ b/test/integration/multiplexed_integration_test.cc @@ -254,6 +254,51 @@ TEST_P(MultiplexedIntegrationTest, CodecStreamIdleTimeout) { ASSERT_TRUE(response->waitForReset()); } +// Test that the codec stream flush timeout can be overridden independently from +// the connection manager stream idle timeout. +TEST_P(MultiplexedIntegrationTest, CodecStreamIdleTimeoutOverride) { + config_helper_.setBufferLimits(1024, 1024); + config_helper_.addConfigModifier( + [&](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) -> void { + // Disable the generic stream idle timeout. This will be overridden by the + // stream_flush_timeout and the test should work exactly the same as the + // CodecStreamIdleTimeout test. + hcm.mutable_stream_idle_timeout()->set_seconds(0); + hcm.mutable_stream_idle_timeout()->set_nanos(0); + + hcm.mutable_stream_flush_timeout()->set_seconds(0); + constexpr uint64_t FlushTimeoutMs = 400; + hcm.mutable_stream_flush_timeout()->set_nanos(FlushTimeoutMs * 1000 * 1000); + }); + initialize(); + const size_t stream_flow_control_window = + downstream_protocol_ == Http::CodecType::HTTP3 ? 32 * 1024 : 65535; + envoy::config::core::v3::Http2ProtocolOptions http2_options = + ::Envoy::Http2::Utility::initializeAndValidateOptions( + envoy::config::core::v3::Http2ProtocolOptions()) + .value(); + http2_options.mutable_initial_stream_window_size()->set_value(stream_flow_control_window); +#ifdef ENVOY_ENABLE_QUIC + if (downstream_protocol_ == Http::CodecType::HTTP3) { + dynamic_cast(*quic_connection_persistent_info_) + .quic_config_.SetInitialStreamFlowControlWindowToSend(stream_flow_control_window); + dynamic_cast(*quic_connection_persistent_info_) + .quic_config_.SetInitialSessionFlowControlWindowToSend(stream_flow_control_window); + } +#endif + codec_client_ = makeRawHttpConnection(makeClientConnection(lookupPort("http")), http2_options); + auto response = codec_client_->makeHeaderOnlyRequest(default_request_headers_); + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, false); + upstream_request_->encodeData(stream_flow_control_window + 2000, true); + std::string flush_timeout_counter(downstreamProtocol() == Http::CodecType::HTTP3 + ? "http3.tx_flush_timeout" + : "http2.tx_flush_timeout"); + test_server_->waitForCounterEq(flush_timeout_counter, 1); + ASSERT_TRUE(response->waitForReset()); +} + TEST_P(MultiplexedIntegrationTest, Http2DownstreamKeepalive) { EXCLUDE_DOWNSTREAM_HTTP3; // Http3 keepalive doesn't timeout and close connection. constexpr uint64_t interval_ms = 1; diff --git a/test/mocks/http/mocks.h b/test/mocks/http/mocks.h index 88ef777490e26..51ab250d9e6a6 100644 --- a/test/mocks/http/mocks.h +++ b/test/mocks/http/mocks.h @@ -652,6 +652,7 @@ class MockConnectionManagerConfig : public ConnectionManagerConfig { MOCK_METHOD(bool, http1SafeMaxConnectionDuration, (), (const)); MOCK_METHOD(absl::optional, maxStreamDuration, (), (const)); MOCK_METHOD(std::chrono::milliseconds, streamIdleTimeout, (), (const)); + MOCK_METHOD(absl::optional, streamFlushTimeout, (), (const)); MOCK_METHOD(std::chrono::milliseconds, requestTimeout, (), (const)); MOCK_METHOD(std::chrono::milliseconds, requestHeadersTimeout, (), (const)); MOCK_METHOD(std::chrono::milliseconds, delayedCloseTimeout, (), (const)); diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index f715a0cb79ebe..cf3be8346367d 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -436,6 +436,7 @@ class MockRouteEntry : public RouteEntry { MOCK_METHOD(const std::vector&, shadowPolicies, (), (const)); MOCK_METHOD(std::chrono::milliseconds, timeout, (), (const)); MOCK_METHOD(absl::optional, idleTimeout, (), (const)); + MOCK_METHOD(absl::optional, flushTimeout, (), (const)); MOCK_METHOD(bool, usingNewTimeouts, (), (const)); MOCK_METHOD(absl::optional, maxStreamDuration, (), (const)); MOCK_METHOD(absl::optional, grpcTimeoutHeaderMax, (), (const)); @@ -556,6 +557,7 @@ class MockRoute : public RouteEntryAndRoute { MOCK_METHOD(const std::vector&, shadowPolicies, (), (const)); MOCK_METHOD(std::chrono::milliseconds, timeout, (), (const)); MOCK_METHOD(absl::optional, idleTimeout, (), (const)); + MOCK_METHOD(absl::optional, flushTimeout, (), (const)); MOCK_METHOD(bool, usingNewTimeouts, (), (const)); MOCK_METHOD(absl::optional, maxStreamDuration, (), (const)); MOCK_METHOD(absl::optional, grpcTimeoutHeaderMax, (), (const)); From 5591191bc3819be34ca87ead7c6f682e192db4e8 Mon Sep 17 00:00:00 2001 From: Kuat Date: Wed, 27 Aug 2025 15:12:53 -0700 Subject: [PATCH 305/505] cel: ensure proper lifetimes (#40749) Change-Id: I1a9af6c83f51f78236d72f86ea3da8c7d42d86dc Commit Message: Ensure that no CEL expression outlives the builder or the proto. Additional Description: none Risk Level: low Testing: same tests should pass Docs Changes: none Release Notes: none --------- Signed-off-by: Kuat Yessenov --- .../access_loggers/filters/cel/cel.cc | 21 +++-- .../access_loggers/filters/cel/cel.h | 6 +- source/extensions/common/wasm/foreign.cc | 7 +- .../filters/common/expr/evaluator.cc | 91 +++++++++++++------ .../filters/common/expr/evaluator.h | 73 +++++++++------ .../filters/common/rbac/engine_impl.cc | 4 +- .../filters/common/rbac/engine_impl.h | 2 +- .../filters/common/rbac/matchers.cc | 2 +- .../extensions/filters/common/rbac/matchers.h | 30 +++--- .../filters/http/ext_proc/ext_proc.cc | 2 +- .../filters/http/ext_proc/ext_proc.h | 2 +- .../filters/http/ext_proc/matching_utils.cc | 15 +-- .../filters/http/ext_proc/matching_utils.h | 9 +- source/extensions/formatter/cel/cel.cc | 42 ++++----- source/extensions/formatter/cel/cel.h | 6 +- .../input_matchers/cel_matcher/matcher.cc | 74 +++------------ .../input_matchers/cel_matcher/matcher.h | 10 +- .../rate_limit_descriptors/expr/config.cc | 40 ++++---- .../opentelemetry/samplers/cel/cel_sampler.cc | 18 ++-- .../opentelemetry/samplers/cel/cel_sampler.h | 6 +- .../opentelemetry/samplers/cel/config.cc | 8 +- .../common/access_log/access_log_impl_test.cc | 18 ++++ test/coverage.yaml | 6 +- .../common/expr/evaluator_fuzz_test.cc | 10 +- .../filters/common/rbac/matchers_test.cc | 4 +- .../filters/http/ext_proc/filter_test.cc | 4 +- .../filters/http/ext_proc/ordering_test.cc | 4 +- .../unit_test_fuzz/ext_proc_unit_test_fuzz.cc | 4 +- test/extensions/formatter/cel/cel_test.cc | 12 +++ .../cel_matcher/cel_matcher_test.cc | 5 +- 30 files changed, 273 insertions(+), 262 deletions(-) diff --git a/source/extensions/access_loggers/filters/cel/cel.cc b/source/extensions/access_loggers/filters/cel/cel.cc index a039806b302cc..009bcd3aa7924 100644 --- a/source/extensions/access_loggers/filters/cel/cel.cc +++ b/source/extensions/access_loggers/filters/cel/cel.cc @@ -10,19 +10,24 @@ namespace Expr = Envoy::Extensions::Filters::Common::Expr; CELAccessLogExtensionFilter::CELAccessLogExtensionFilter( const ::Envoy::LocalInfo::LocalInfo& local_info, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder, + Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr builder, const cel::expr::Expr& input_expr) - : local_info_(local_info), builder_(builder), parsed_expr_(input_expr) { - compiled_expr_ = - Extensions::Filters::Common::Expr::createExpression(builder_->builder(), parsed_expr_); -} + : local_info_(local_info), expr_([&]() { + auto compiled_expr = + Extensions::Filters::Common::Expr::CompiledExpression::Create(builder, input_expr); + if (!compiled_expr.ok()) { + throw EnvoyException( + absl::StrCat("failed to create an expression: ", compiled_expr.status().message())); + } + return std::move(compiled_expr.value()); + }()) {} bool CELAccessLogExtensionFilter::evaluate(const Formatter::HttpFormatterContext& log_context, const StreamInfo::StreamInfo& stream_info) const { Protobuf::Arena arena; - const auto result = Extensions::Filters::Common::Expr::evaluate( - *compiled_expr_.get(), arena, &local_info_, stream_info, &log_context.requestHeaders(), - &log_context.responseHeaders(), &log_context.responseTrailers()); + const auto result = + expr_.evaluate(arena, &local_info_, stream_info, &log_context.requestHeaders(), + &log_context.responseHeaders(), &log_context.responseTrailers()); if (!result.has_value() || result.value().IsError()) { return false; } diff --git a/source/extensions/access_loggers/filters/cel/cel.h b/source/extensions/access_loggers/filters/cel/cel.h index 0b496f4a4cfc9..681515db90aec 100644 --- a/source/extensions/access_loggers/filters/cel/cel.h +++ b/source/extensions/access_loggers/filters/cel/cel.h @@ -20,7 +20,7 @@ namespace CEL { class CELAccessLogExtensionFilter : public AccessLog::Filter { public: CELAccessLogExtensionFilter(const ::Envoy::LocalInfo::LocalInfo& local_info, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr, + Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr, const cel::expr::Expr&); bool evaluate(const Formatter::HttpFormatterContext& log_context, @@ -28,9 +28,7 @@ class CELAccessLogExtensionFilter : public AccessLog::Filter { private: const ::Envoy::LocalInfo::LocalInfo& local_info_; - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; - const cel::expr::Expr parsed_expr_; - Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; + const Extensions::Filters::Common::Expr::CompiledExpression expr_; }; } // namespace CEL diff --git a/source/extensions/common/wasm/foreign.cc b/source/extensions/common/wasm/foreign.cc index eae08f81aaf81..208a2fb96abdd 100644 --- a/source/extensions/common/wasm/foreign.cc +++ b/source/extensions/common/wasm/foreign.cc @@ -145,7 +145,8 @@ class ExpressionFactory : public Logger::Loggable { class ExpressionContext : public StorageObject { public: friend class ExpressionFactory; - ExpressionContext(Filters::Common::Expr::BuilderPtr builder) : builder_(std::move(builder)) {} + ExpressionContext(Filters::Common::Expr::BuilderConstPtr builder) + : builder_(std::move(builder)) {} uint32_t createToken() { uint32_t token = next_expr_token_++; for (;;) { @@ -159,10 +160,10 @@ class ExpressionFactory : public Logger::Loggable { bool hasExpression(uint32_t token) { return expr_.contains(token); } ExpressionData& getExpression(uint32_t token) { return expr_[token]; } void deleteExpression(uint32_t token) { expr_.erase(token); } - Filters::Common::Expr::Builder* builder() { return builder_.get(); } + const Filters::Common::Expr::Builder* builder() const { return builder_.get(); } private: - Filters::Common::Expr::BuilderPtr builder_{}; + const Filters::Common::Expr::BuilderConstPtr builder_{}; uint32_t next_expr_token_ = 0; absl::flat_hash_map expr_; }; diff --git a/source/extensions/filters/common/expr/evaluator.cc b/source/extensions/filters/common/expr/evaluator.cc index eef3dba98d579..a5f943762972a 100644 --- a/source/extensions/filters/common/expr/evaluator.cc +++ b/source/extensions/filters/common/expr/evaluator.cc @@ -101,7 +101,7 @@ ActivationPtr createActivation(const LocalInfo::LocalInfo* local_info, response_trailers); } -BuilderPtr createBuilder(Protobuf::Arena* arena) { +BuilderInstanceSharedPtr createBuilder(Protobuf::Arena* arena) { ASSERT_IS_MAIN_OR_TEST_THREAD(); google::api::expr::runtime::InterpreterOptions options; @@ -138,48 +138,74 @@ BuilderPtr createBuilder(Protobuf::Arena* arena) { throw CelException(absl::StrCat("failed to register extension regex functions: ", ext_register_status.message())); } - return builder; + return std::make_shared(std::move(builder)); } SINGLETON_MANAGER_REGISTRATION(expression_builder); -BuilderInstanceSharedPtr getBuilder(Server::Configuration::CommonFactoryContext& context) { +BuilderInstanceSharedConstPtr getBuilder(Server::Configuration::CommonFactoryContext& context) { return context.singletonManager().getTyped( - SINGLETON_MANAGER_REGISTERED_NAME(expression_builder), - [] { return std::make_shared(createBuilder(nullptr)); }); + SINGLETON_MANAGER_REGISTERED_NAME(expression_builder), [] { return createBuilder(nullptr); }); } -absl::optional getExpr(const ::xds::type::v3::CelExpression& expression) { - if (expression.has_cel_expr_checked()) { - return expression.cel_expr_checked().expr(); - } else if (expression.has_cel_expr_parsed()) { - return expression.cel_expr_parsed().expr(); - } else { - return {}; +absl::StatusOr +CompiledExpression::Create(const BuilderInstanceSharedConstPtr& builder, + const cel::expr::Expr& expr) { + std::vector warnings; + CompiledExpression out = CompiledExpression(builder, expr); + auto cel_expression_status = out.builder_->builder().CreateExpression( + &out.source_expr_, &cel::expr::SourceInfo::default_instance(), &warnings); + if (!cel_expression_status.ok()) { + return cel_expression_status.status(); } + out.expr_ = std::move(cel_expression_status.value()); + return out; } -ExpressionPtr createExpression(Builder& builder, const cel::expr::Expr& expr) { - cel::expr::SourceInfo source_info; - std::vector warnings; +absl::StatusOr +CompiledExpression::Create(const BuilderInstanceSharedConstPtr& builder, + const xds::type::v3::CelExpression& xds_expr) { + // First try to get expression from the new CEL canonical format + if (xds_expr.has_cel_expr_checked()) { + return Create(builder, xds_expr.cel_expr_checked().expr()); + } else if (xds_expr.has_cel_expr_parsed()) { + return Create(builder, xds_expr.cel_expr_parsed().expr()); + } + // Fallback to handling legacy formats for backward compatibility + switch (xds_expr.expr_specifier_case()) { + case xds::type::v3::CelExpression::ExprSpecifierCase::kParsedExpr: + return Create(builder, xds_expr.parsed_expr().expr()); + case xds::type::v3::CelExpression::ExprSpecifierCase::kCheckedExpr: + return Create(builder, xds_expr.checked_expr().expr()); + default: + return absl::InvalidArgumentError("CEL expression not set."); + } + PANIC_DUE_TO_CORRUPT_ENUM; +} - auto cel_expression_status = builder.CreateExpression(&expr, &source_info, &warnings); - if (!cel_expression_status.ok()) { - throw CelException( - absl::StrCat("failed to create an expression: ", cel_expression_status.status().message())); +absl::StatusOr +CompiledExpression::Create(const BuilderInstanceSharedConstPtr& builder, + const google::api::expr::v1alpha1::Expr& expr) { + std::string serialized; + if (!expr.SerializeToString(&serialized)) { + return absl::InvalidArgumentError( + "Failed to serialize google::api::expr::v1alpha1 expression."); } - return std::move(cel_expression_status.value()); + cel::expr::Expr new_expr; + if (!new_expr.ParseFromString(serialized)) { + return absl::InvalidArgumentError("Failed to convert to cel::expr expression."); + } + return Create(builder, new_expr); } -absl::optional evaluate(const Expression& expr, Protobuf::Arena& arena, - const ::Envoy::LocalInfo::LocalInfo* local_info, - const StreamInfo::StreamInfo& info, - const ::Envoy::Http::RequestHeaderMap* request_headers, - const ::Envoy::Http::ResponseHeaderMap* response_headers, - const ::Envoy::Http::ResponseTrailerMap* response_trailers) { +absl::optional CompiledExpression::evaluate( + Protobuf::Arena& arena, const ::Envoy::LocalInfo::LocalInfo* local_info, + const StreamInfo::StreamInfo& info, const ::Envoy::Http::RequestHeaderMap* request_headers, + const ::Envoy::Http::ResponseHeaderMap* response_headers, + const ::Envoy::Http::ResponseTrailerMap* response_trailers) const { auto activation = createActivation(local_info, info, request_headers, response_headers, response_trailers); - auto eval_status = expr.Evaluate(*activation, &arena); + auto eval_status = expr_->Evaluate(*activation, &arena); if (!eval_status.ok()) { return {}; } @@ -187,10 +213,15 @@ absl::optional evaluate(const Expression& expr, Protobuf::Arena& arena return eval_status.value(); } -bool matches(const Expression& expr, const StreamInfo::StreamInfo& info, - const Http::RequestHeaderMap& headers) { +absl::StatusOr CompiledExpression::evaluate(const Activation& activation, + Protobuf::Arena* arena) const { + return expr_->Evaluate(activation, arena); +} + +bool CompiledExpression::matches(const StreamInfo::StreamInfo& info, + const Http::RequestHeaderMap& headers) const { Protobuf::Arena arena; - auto eval_status = Expr::evaluate(expr, arena, nullptr, info, &headers, nullptr, nullptr); + auto eval_status = evaluate(arena, nullptr, info, &headers, nullptr, nullptr); if (!eval_status.has_value()) { return false; } diff --git a/source/extensions/filters/common/expr/evaluator.h b/source/extensions/filters/common/expr/evaluator.h index fd20363c459c9..bb1fb6135c4de 100644 --- a/source/extensions/filters/common/expr/evaluator.h +++ b/source/extensions/filters/common/expr/evaluator.h @@ -33,7 +33,7 @@ namespace Expr { using Activation = google::api::expr::runtime::BaseActivation; using ActivationPtr = std::unique_ptr; using Builder = google::api::expr::runtime::CelExpressionBuilder; -using BuilderPtr = std::unique_ptr; +using BuilderConstPtr = std::unique_ptr; using Expression = google::api::expr::runtime::CelExpression; using ExpressionPtr = std::unique_ptr; @@ -78,42 +78,63 @@ ActivationPtr createActivation(const ::Envoy::LocalInfo::LocalInfo* local_info, // Shared expression builder instance. class BuilderInstance : public Singleton::Instance { public: - explicit BuilderInstance(BuilderPtr builder) : builder_(std::move(builder)) {} - Builder& builder() { return *builder_; } + explicit BuilderInstance(BuilderConstPtr builder) : builder_(std::move(builder)) {} + const Builder& builder() const { return *builder_; } private: - BuilderPtr builder_; + const BuilderConstPtr builder_; }; using BuilderInstanceSharedPtr = std::shared_ptr; +using BuilderInstanceSharedConstPtr = std::shared_ptr; // Creates an expression builder. The optional arena is used to enable constant folding // for intermediate evaluation results. // Throws an exception if fails to construct an expression builder. -BuilderPtr createBuilder(Protobuf::Arena* arena); +BuilderInstanceSharedPtr createBuilder(Protobuf::Arena* arena); // Gets the singleton expression builder. Must be called on the main thread. -BuilderInstanceSharedPtr getBuilder(Server::Configuration::CommonFactoryContext& context); - -absl::optional getExpr(const ::xds::type::v3::CelExpression& expression); - -// Creates an interpretable expression from the new CEL expr format. -// Throws an exception if fails to construct a runtime expression. -ExpressionPtr createExpression(Builder& builder, const cel::expr::Expr& expr); - -// Evaluates an expression for a request. The arena is used to hold intermediate computational -// results and potentially the final value. -absl::optional evaluate(const Expression& expr, Protobuf::Arena& arena, - const ::Envoy::LocalInfo::LocalInfo* local_info, - const StreamInfo::StreamInfo& info, - const ::Envoy::Http::RequestHeaderMap* request_headers, - const ::Envoy::Http::ResponseHeaderMap* response_headers, - const ::Envoy::Http::ResponseTrailerMap* response_trailers); - -// Evaluates an expression and returns true if the expression evaluates to "true". -// Returns false if the expression fails to evaluate. -bool matches(const Expression& expr, const StreamInfo::StreamInfo& info, - const ::Envoy::Http::RequestHeaderMap& headers); +BuilderInstanceSharedConstPtr getBuilder(Server::Configuration::CommonFactoryContext& context); + +// Compiled CEL expression. This class ensures both the builder and the source expression outlive +// the compiled expression. +class CompiledExpression { +public: + // Creates an interpretable expression from the new CEL expr format, making a copy of it. + static absl::StatusOr Create(const BuilderInstanceSharedConstPtr& builder, + const cel::expr::Expr& expr); + + // Creates an interpretable expression from xDS CEL expr format, making a copy of it. + static absl::StatusOr Create(const BuilderInstanceSharedConstPtr& builder, + const xds::type::v3::CelExpression& expr); + + // DEPRECATED. Use the above. + static absl::StatusOr Create(const BuilderInstanceSharedConstPtr& builder, + const google::api::expr::v1alpha1::Expr& expr); + + // Evaluates an expression for a request. The arena is used to hold intermediate computational + // results and potentially the final value. + absl::optional + evaluate(Protobuf::Arena& arena, const ::Envoy::LocalInfo::LocalInfo* local_info, + const StreamInfo::StreamInfo& info, + const ::Envoy::Http::RequestHeaderMap* request_headers, + const ::Envoy::Http::ResponseHeaderMap* response_headers, + const ::Envoy::Http::ResponseTrailerMap* response_trailers) const; + + absl::StatusOr evaluate(const Activation& activation, Protobuf::Arena* arena) const; + + // Evaluates an expression and returns true if the expression evaluates to "true". + // Returns false if the expression fails to evaluate. + bool matches(const StreamInfo::StreamInfo& info, const Http::RequestHeaderMap& headers) const; + +private: + explicit CompiledExpression(const BuilderInstanceSharedConstPtr& builder, + const cel::expr::Expr& expr) + : builder_(builder), source_expr_(expr) {} + const BuilderInstanceSharedConstPtr builder_; + const cel::expr::Expr source_expr_; + ExpressionPtr expr_; +}; // Returns a string for a CelValue. std::string print(CelValue value); diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc index 05f03c4a96fca..de30fce305d63 100644 --- a/source/extensions/filters/common/rbac/engine_impl.cc +++ b/source/extensions/filters/common/rbac/engine_impl.cc @@ -46,13 +46,13 @@ RoleBasedAccessControlEngineImpl::RoleBasedAccessControlEngineImpl( Server::Configuration::CommonFactoryContext& context, const EnforcementMode mode) : action_(rules.action()), mode_(mode) { // A pointer to the builder, if one will be created. - Expr::Builder* builder = nullptr; + Expr::BuilderInstanceSharedPtr builder = nullptr; // guard expression builder by presence of a condition in policies for (const auto& policy : rules.policies()) { if (policy.second.has_condition()) { builder_with_arena_ = std::make_unique(); builder_with_arena_->builder_ = Expr::createBuilder(&builder_with_arena_->constant_arena_); - builder = builder_with_arena_->builder_.get(); + builder = builder_with_arena_->builder_; break; } } diff --git a/source/extensions/filters/common/rbac/engine_impl.h b/source/extensions/filters/common/rbac/engine_impl.h index bc659958fdad7..62e7ae873df91 100644 --- a/source/extensions/filters/common/rbac/engine_impl.h +++ b/source/extensions/filters/common/rbac/engine_impl.h @@ -92,7 +92,7 @@ class RoleBasedAccessControlEngineImpl : public RoleBasedAccessControlEngine, No // allocated if CEL is configured. struct ExprBuilderWithArena { Protobuf::Arena constant_arena_; - Expr::BuilderPtr builder_; + Expr::BuilderInstanceSharedPtr builder_; }; std::unique_ptr builder_with_arena_; }; diff --git a/source/extensions/filters/common/rbac/matchers.cc b/source/extensions/filters/common/rbac/matchers.cc index 8167977b88e35..e849a32f6d0e9 100644 --- a/source/extensions/filters/common/rbac/matchers.cc +++ b/source/extensions/filters/common/rbac/matchers.cc @@ -366,7 +366,7 @@ bool PolicyMatcher::matches(const Network::Connection& connection, const StreamInfo::StreamInfo& info) const { return permissions_.matches(connection, headers, info) && principals_.matches(connection, headers, info) && - (expr_ == nullptr ? true : Expr::matches(*expr_, info, headers)); + (expr_ ? expr_->matches(info, headers) : true); } bool RequestedServerNameMatcher::matches(const Network::Connection& connection, diff --git a/source/extensions/filters/common/rbac/matchers.h b/source/extensions/filters/common/rbac/matchers.h index 5916d54eb71ce..18c68ebf04a01 100644 --- a/source/extensions/filters/common/rbac/matchers.h +++ b/source/extensions/filters/common/rbac/matchers.h @@ -198,28 +198,23 @@ class AuthenticatedMatcher : public Matcher { */ class PolicyMatcher : public Matcher, NonCopyable { public: - PolicyMatcher(const envoy::config::rbac::v3::Policy& policy, Expr::Builder* builder, + PolicyMatcher(const envoy::config::rbac::v3::Policy& policy, + Expr::BuilderInstanceSharedPtr& builder, ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::CommonFactoryContext& context) : permissions_(policy.permissions(), validation_visitor, context), - principals_(policy.principals(), context), condition_([&policy]() { + principals_(policy.principals(), context), + expr_([&]() -> absl::optional { if (policy.has_condition()) { - std::string serialized; - if (!policy.condition().SerializeToString(&serialized)) { - throw EnvoyException("Failed to serialize RBAC policy condition"); + auto compiled = Expr::CompiledExpression::Create(builder, policy.condition()); + if (!compiled.ok()) { + throw Expr::CelException( + absl::StrCat("failed to create an expression: ", compiled.status().message())); } - cel::expr::Expr new_expr; - if (!new_expr.ParseFromString(serialized)) { - throw EnvoyException("Failed to convert RBAC policy condition to new format"); - } - return new_expr; + return std::move(compiled.value()); } - return cel::expr::Expr{}; - }()) { - if (policy.has_condition()) { - expr_ = Expr::createExpression(*builder, condition_); - } - } + return {}; + }()) {} bool matches(const Network::Connection& connection, const Envoy::Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo&) const override; @@ -227,8 +222,7 @@ class PolicyMatcher : public Matcher, NonCopyable { private: const OrMatcher permissions_; const OrMatcher principals_; - const cel::expr::Expr condition_; - Expr::ExpressionPtr expr_; + const absl::optional expr_; }; class MetadataMatcher : public Matcher { diff --git a/source/extensions/filters/http/ext_proc/ext_proc.cc b/source/extensions/filters/http/ext_proc/ext_proc.cc index 0af5ec63b1573..f5c55c6cb1aa9 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.cc +++ b/source/extensions/filters/http/ext_proc/ext_proc.cc @@ -219,7 +219,7 @@ FilterConfig::FilterConfig(const ExternalProcessor& config, const std::chrono::milliseconds message_timeout, const uint32_t max_message_timeout_ms, Stats::Scope& scope, const std::string& stats_prefix, bool is_upstream, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder, + Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr builder, Server::Configuration::CommonFactoryContext& context) : failure_mode_allow_(config.failure_mode_allow()), observability_mode_(config.observability_mode()), diff --git a/source/extensions/filters/http/ext_proc/ext_proc.h b/source/extensions/filters/http/ext_proc/ext_proc.h index a739993186816..06d906b6d2518 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.h +++ b/source/extensions/filters/http/ext_proc/ext_proc.h @@ -225,7 +225,7 @@ class FilterConfig { const std::chrono::milliseconds message_timeout, const uint32_t max_message_timeout_ms, Stats::Scope& scope, const std::string& stats_prefix, bool is_upstream, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder, + Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr builder, Server::Configuration::CommonFactoryContext& context); bool failureModeAllow() const { return failure_mode_allow_; } diff --git a/source/extensions/filters/http/ext_proc/matching_utils.cc b/source/extensions/filters/http/ext_proc/matching_utils.cc index a4dfe31e92fdb..29e36000985ca 100644 --- a/source/extensions/filters/http/ext_proc/matching_utils.cc +++ b/source/extensions/filters/http/ext_proc/matching_utils.cc @@ -27,12 +27,13 @@ ExpressionManager::initExpressions(const Protobuf::RepeatedPtrField const auto& parsed_expr = parse_status.value(); const cel::expr::Expr& cel_expr = parsed_expr.expr(); - - Filters::Common::Expr::ExpressionPtr compiled_expression = - Extensions::Filters::Common::Expr::createExpression(builder_->builder(), cel_expr); - - expressions.emplace( - matcher, ExpressionManager::CelExpression{parsed_expr, std::move(compiled_expression)}); + auto compiled_expression = + Extensions::Filters::Common::Expr::CompiledExpression::Create(builder_, cel_expr); + if (!compiled_expression.ok()) { + throw EnvoyException( + absl::StrCat("failed to create an expression: ", compiled_expression.status().message())); + } + expressions.emplace(matcher, std::move(compiled_expression.value())); } #else ENVOY_LOG(warn, "CEL expression parsing is not available for use in this environment." @@ -54,7 +55,7 @@ ExpressionManager::evaluateAttributes(const Filters::Common::Expr::Activation& a for (const auto& hash_entry : expr) { Protobuf::Arena arena; - const auto result = hash_entry.second.compiled_expr_->Evaluate(activation, &arena); + const auto result = hash_entry.second.evaluate(activation, &arena); if (!result.ok()) { // TODO: Stats? continue; diff --git a/source/extensions/filters/http/ext_proc/matching_utils.h b/source/extensions/filters/http/ext_proc/matching_utils.h index 87e20360771aa..112ea9bc04392 100644 --- a/source/extensions/filters/http/ext_proc/matching_utils.h +++ b/source/extensions/filters/http/ext_proc/matching_utils.h @@ -14,12 +14,9 @@ namespace ExternalProcessing { class ExpressionManager : public Logger::Loggable { public: - struct CelExpression { - cel::expr::ParsedExpr parsed_expr_; - Filters::Common::Expr::ExpressionPtr compiled_expr_; - }; + using CelExpression = Filters::Common::Expr::CompiledExpression; - ExpressionManager(Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder, + ExpressionManager(Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr builder, const LocalInfo::LocalInfo& local_info, const Protobuf::RepeatedPtrField& request_matchers, const Protobuf::RepeatedPtrField& response_matchers) @@ -51,7 +48,7 @@ class ExpressionManager : public Logger::Loggable { absl::flat_hash_map initExpressions(const Protobuf::RepeatedPtrField& matchers); - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; + const Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr builder_; const LocalInfo::LocalInfo& local_info_; const absl::flat_hash_map request_expr_; diff --git a/source/extensions/formatter/cel/cel.cc b/source/extensions/formatter/cel/cel.cc index 47163f87f4f2a..7cdc10fcd866a 100644 --- a/source/extensions/formatter/cel/cel.cc +++ b/source/extensions/formatter/cel/cel.cc @@ -17,21 +17,26 @@ namespace Formatter { namespace Expr = Filters::Common::Expr; CELFormatter::CELFormatter(const ::Envoy::LocalInfo::LocalInfo& local_info, - Expr::BuilderInstanceSharedPtr expr_builder, + Expr::BuilderInstanceSharedConstPtr expr_builder, const cel::expr::Expr& input_expr, absl::optional& max_length, bool typed) - : local_info_(local_info), expr_builder_(expr_builder), parsed_expr_(input_expr), - max_length_(max_length), typed_(typed) { - compiled_expr_ = Expr::createExpression(expr_builder_->builder(), parsed_expr_); -} + : local_info_(local_info), max_length_(max_length), compiled_expr_([&]() { + auto compiled_expr = Expr::CompiledExpression::Create(expr_builder, input_expr); + if (!compiled_expr.ok()) { + throw EnvoyException( + absl::StrCat("failed to create an expression: ", compiled_expr.status().message())); + } + return std::move(compiled_expr.value()); + }()), + typed_(typed) {} absl::optional CELFormatter::formatWithContext(const Envoy::Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { Protobuf::Arena arena; auto eval_status = - Expr::evaluate(*compiled_expr_, arena, &local_info_, stream_info, &context.requestHeaders(), - &context.responseHeaders(), &context.responseTrailers()); + compiled_expr_.evaluate(arena, &local_info_, stream_info, &context.requestHeaders(), + &context.responseHeaders(), &context.responseTrailers()); if (!eval_status.has_value() || eval_status.value().IsError()) { return absl::nullopt; } @@ -49,8 +54,8 @@ CELFormatter::formatValueWithContext(const Envoy::Formatter::HttpFormatterContex if (typed_) { Protobuf::Arena arena; auto eval_status = - Expr::evaluate(*compiled_expr_, arena, &local_info_, stream_info, &context.requestHeaders(), - &context.responseHeaders(), &context.responseTrailers()); + compiled_expr_.evaluate(arena, &local_info_, stream_info, &context.requestHeaders(), + &context.responseHeaders(), &context.responseTrailers()); if (!eval_status.has_value() || eval_status.value().IsError()) { return ValueUtil::nullValue(); } @@ -82,24 +87,11 @@ CELFormatterCommandParser::parse(absl::string_view command, absl::string_view su if (!parse_status.ok()) { throw EnvoyException("Not able to parse expression: " + parse_status.status().ToString()); } - Server::Configuration::ServerFactoryContext& context = Server::Configuration::ServerFactoryContextInstance::get(); - - const auto& parsed_expr = parse_status.value(); - std::string serialized_expr; - if (!parsed_expr.expr().SerializeToString(&serialized_expr)) { - throw EnvoyException("Failed to serialize expression"); - } - - cel::expr::Expr cel_expr; - if (!cel_expr.ParseFromString(serialized_expr)) { - throw EnvoyException("Failed to parse expression into cel::expr::Expr format"); - } - - return std::make_unique(context.localInfo(), - Extensions::Filters::Common::Expr::getBuilder(context), - cel_expr, max_length, command == "TYPED_CEL"); + return std::make_unique( + context.localInfo(), Extensions::Filters::Common::Expr::getBuilder(context), + parse_status.value().expr(), max_length, command == "TYPED_CEL"); } return nullptr; diff --git a/source/extensions/formatter/cel/cel.h b/source/extensions/formatter/cel/cel.h index 8b1d9cd912772..6a5fb8398f2ef 100644 --- a/source/extensions/formatter/cel/cel.h +++ b/source/extensions/formatter/cel/cel.h @@ -15,7 +15,7 @@ namespace Formatter { class CELFormatter : public ::Envoy::Formatter::FormatterProvider { public: CELFormatter(const ::Envoy::LocalInfo::LocalInfo& local_info, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr expr_builder, + Extensions::Filters::Common::Expr::BuilderInstanceSharedConstPtr expr_builder, const cel::expr::Expr& input_expr, absl::optional& max_length, bool typed); absl::optional @@ -26,10 +26,8 @@ class CELFormatter : public ::Envoy::Formatter::FormatterProvider { private: const ::Envoy::LocalInfo::LocalInfo& local_info_; - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr expr_builder_; - const cel::expr::Expr parsed_expr_; const absl::optional max_length_; - Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; + const Extensions::Filters::Common::Expr::CompiledExpression compiled_expr_; const bool typed_; }; diff --git a/source/extensions/matching/input_matchers/cel_matcher/matcher.cc b/source/extensions/matching/input_matchers/cel_matcher/matcher.cc index cf06122592542..fdcf42a9608bc 100644 --- a/source/extensions/matching/input_matchers/cel_matcher/matcher.cc +++ b/source/extensions/matching/input_matchers/cel_matcher/matcher.cc @@ -10,73 +10,27 @@ using ::Envoy::Extensions::Matching::Http::CelInput::CelMatchData; using ::xds::type::v3::CelExpression; CelInputMatcher::CelInputMatcher(CelMatcherSharedPtr cel_matcher, - Filters::Common::Expr::BuilderInstanceSharedPtr builder) - : builder_(builder), cel_matcher_(std::move(cel_matcher)) { - const CelExpression& input_expr = cel_matcher_->expr_match(); - - // First try to get expression from the new CEL canonical format - auto expr = Filters::Common::Expr::getExpr(input_expr); - if (expr.has_value()) { - compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), expr.value()); - return; - } - - // Fallback to handling legacy formats for backward compatibility - switch (input_expr.expr_specifier_case()) { - case CelExpression::ExprSpecifierCase::kParsedExpr: { - // For legacy parsed_expr, we need to convert to the new format - const auto& legacy_parsed = input_expr.parsed_expr(); - - // Convert legacy expr to cel::expr::Expr format - std::string serialized_expr; - if (!legacy_parsed.expr().SerializeToString(&serialized_expr)) { - throw EnvoyException("Failed to serialize legacy expression"); - } - - converted_expr_ = cel::expr::Expr(); - if (!converted_expr_->ParseFromString(serialized_expr)) { - throw EnvoyException("Failed to convert legacy expression to new format"); - } - - compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), *converted_expr_); - return; - } - case CelExpression::ExprSpecifierCase::kCheckedExpr: { - // For legacy checked_expr, we need to convert to the new format - const auto& legacy_checked = input_expr.checked_expr(); - - // Convert legacy expr to cel::expr::Expr format - std::string serialized_expr; - if (!legacy_checked.expr().SerializeToString(&serialized_expr)) { - throw EnvoyException("Failed to serialize legacy expression"); - } - - converted_expr_ = cel::expr::Expr(); - if (!converted_expr_->ParseFromString(serialized_expr)) { - throw EnvoyException("Failed to convert legacy expression to new format"); - } - - compiled_expr_ = Filters::Common::Expr::createExpression(builder_->builder(), *converted_expr_); - return; - } - case CelExpression::ExprSpecifierCase::EXPR_SPECIFIER_NOT_SET: - PANIC_DUE_TO_PROTO_UNSET; - } - PANIC_DUE_TO_CORRUPT_ENUM; -} + Filters::Common::Expr::BuilderInstanceSharedConstPtr builder) + : compiled_expr_([&]() { + auto compiled_expr = + Filters::Common::Expr::CompiledExpression::Create(builder, cel_matcher->expr_match()); + if (!compiled_expr.ok()) { + throw EnvoyException( + absl::StrCat("failed to create an expression: ", compiled_expr.status().message())); + } + return std::move(compiled_expr.value()); + }()) {} bool CelInputMatcher::match(const MatchingDataType& input) { Protobuf::Arena arena; if (auto* ptr = absl::get_if>(&input); ptr != nullptr) { CelMatchData* cel_data = dynamic_cast((*ptr).get()); - // Compiled expression should not be nullptr at this point because the program should have - // encountered a panic in the constructor earlier if any such error cases occurred. CEL matching - // data should also not be nullptr since any errors should have been thrown by the CEL library - // already. - ASSERT(compiled_expr_ != nullptr && cel_data != nullptr); + // CEL matching data should also not be nullptr since any errors should + // have been thrown by the CEL library already. + ASSERT(cel_data != nullptr); - auto eval_result = compiled_expr_->Evaluate(*cel_data->activation_, &arena); + auto eval_result = compiled_expr_.evaluate(*cel_data->activation_, &arena); if (eval_result.ok() && eval_result.value().IsBool()) { return eval_result.value().BoolOrDie(); } diff --git a/source/extensions/matching/input_matchers/cel_matcher/matcher.h b/source/extensions/matching/input_matchers/cel_matcher/matcher.h index d72e477b23a43..0404526341361 100644 --- a/source/extensions/matching/input_matchers/cel_matcher/matcher.h +++ b/source/extensions/matching/input_matchers/cel_matcher/matcher.h @@ -24,14 +24,13 @@ using ::Envoy::Matcher::InputMatcherFactoryCb; using ::Envoy::Matcher::MatchingDataType; using CelMatcher = ::xds::type::matcher::v3::CelMatcher; -using CompiledExpressionPtr = std::unique_ptr; using BaseActivationPtr = std::unique_ptr; using CelMatcherSharedPtr = std::shared_ptr<::xds::type::matcher::v3::CelMatcher>; class CelInputMatcher : public InputMatcher, public Logger::Loggable { public: CelInputMatcher(CelMatcherSharedPtr cel_matcher, - Filters::Common::Expr::BuilderInstanceSharedPtr builder); + Filters::Common::Expr::BuilderInstanceSharedConstPtr builder); bool match(const MatchingDataType& input) override; @@ -41,12 +40,7 @@ class CelInputMatcher : public InputMatcher, public Logger::Loggable converted_expr_; - CompiledExpressionPtr compiled_expr_; + const Filters::Common::Expr::CompiledExpression compiled_expr_; }; } // namespace CelMatcher diff --git a/source/extensions/rate_limit_descriptors/expr/config.cc b/source/extensions/rate_limit_descriptors/expr/config.cc index 457470ad24980..87b3b3ca758cd 100644 --- a/source/extensions/rate_limit_descriptors/expr/config.cc +++ b/source/extensions/rate_limit_descriptors/expr/config.cc @@ -23,21 +23,16 @@ class ExpressionDescriptor : public RateLimit::DescriptorProducer { public: ExpressionDescriptor( const envoy::extensions::rate_limit_descriptors::expr::v3::Descriptor& config, - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr& builder, - const cel::expr::Expr& input_expr) - : builder_(builder), input_expr_(input_expr), descriptor_key_(config.descriptor_key()), - skip_if_error_(config.skip_if_error()) { - compiled_expr_ = - Extensions::Filters::Common::Expr::createExpression(builder_->builder(), input_expr_); - } + Extensions::Filters::Common::Expr::CompiledExpression&& compiled_expr) + : descriptor_key_(config.descriptor_key()), skip_if_error_(config.skip_if_error()), + compiled_expr_(std::move(compiled_expr)) {} // Ratelimit::DescriptorProducer bool populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry, const std::string&, const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& info) const override { Protobuf::Arena arena; - const auto result = Filters::Common::Expr::evaluate(*compiled_expr_.get(), arena, nullptr, info, - &headers, nullptr, nullptr); + const auto result = compiled_expr_.evaluate(arena, nullptr, info, &headers, nullptr, nullptr); if (!result.has_value() || result.value().IsError()) { // If result is an error and if skip_if_error is true skip this descriptor, // while calling rate limiting service. If skip_if_error is false, do not call rate limiting @@ -49,11 +44,9 @@ class ExpressionDescriptor : public RateLimit::DescriptorProducer { } private: - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; - const cel::expr::Expr input_expr_; const std::string descriptor_key_; const bool skip_if_error_; - Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; + const Extensions::Filters::Common::Expr::CompiledExpression compiled_expr_; }; } // namespace @@ -79,20 +72,23 @@ ExprDescriptorFactory::createDescriptorProducerFromProto( return absl::InvalidArgumentError(absl::StrCat("Unable to parse descriptor expression: ", parse_status.status().ToString())); } - - return std::make_unique(config, builder, parse_status.value().expr()); + auto compiled_expr = Extensions::Filters::Common::Expr::CompiledExpression::Create( + builder, parse_status.value().expr()); + if (!compiled_expr.ok()) { + return absl::InvalidArgumentError( + absl::StrCat("failed to create an expression: ", compiled_expr.status().message())); + } + return std::make_unique(config, std::move(compiled_expr.value())); } #endif case envoy::extensions::rate_limit_descriptors::expr::v3::Descriptor::kParsed: { - std::string serialized; - if (!config.parsed().SerializeToString(&serialized)) { - return absl::InvalidArgumentError("Failed to serialize parsed expression"); - } - cel::expr::Expr new_expr; - if (!new_expr.ParseFromString(serialized)) { - return absl::InvalidArgumentError("Failed to convert parsed expression to new format"); + auto compiled_expr = + Extensions::Filters::Common::Expr::CompiledExpression::Create(builder, config.parsed()); + if (!compiled_expr.ok()) { + return absl::InvalidArgumentError( + absl::StrCat("failed to create an expression: ", compiled_expr.status().message())); } - return std::make_unique(config, builder, new_expr); + return std::make_unique(config, std::move(compiled_expr.value())); } default: return absl::InvalidArgumentError( diff --git a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc index 26ed41a4312a3..d493e7b50a38a 100644 --- a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc +++ b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.cc @@ -13,10 +13,16 @@ namespace Tracers { namespace OpenTelemetry { CELSampler::CELSampler(const ::Envoy::LocalInfo::LocalInfo& local_info, - Expr::BuilderInstanceSharedPtr builder, const cel::expr::Expr& expr) - : local_info_(local_info), builder_(builder), parsed_expr_(expr) { - compiled_expr_ = Expr::createExpression(builder_->builder(), parsed_expr_); -} + Expr::BuilderInstanceSharedConstPtr builder, + const xds::type::v3::CelExpression& expr) + : local_info_(local_info), compiled_expr_([&]() { + auto compiled_expr = Expr::CompiledExpression::Create(builder, expr); + if (!compiled_expr.ok()) { + throw EnvoyException( + absl::StrCat("failed to create an expression: ", compiled_expr.status().message())); + } + return std::move(compiled_expr.value()); + }()) {} SamplingResult CELSampler::shouldSample(const StreamInfo::StreamInfo& stream_info, const absl::optional parent_context, @@ -31,8 +37,8 @@ SamplingResult CELSampler::shouldSample(const StreamInfo::StreamInfo& stream_inf request_headers = trace_context->requestHeaders().ptr(); } - auto eval_status = Expr::evaluate( - *compiled_expr_, arena, &local_info_, stream_info, request_headers /* request_headers */, + auto eval_status = compiled_expr_.evaluate( + arena, &local_info_, stream_info, request_headers /* request_headers */, nullptr /* response_headers */, nullptr /* response_trailers */); SamplingResult result; if (!eval_status.has_value() || eval_status.value().IsError()) { diff --git a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h index 86eae6e839bb6..ac9611fcfb4b0 100644 --- a/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h +++ b/source/extensions/tracers/opentelemetry/samplers/cel/cel_sampler.h @@ -25,7 +25,7 @@ namespace Expr = Envoy::Extensions::Filters::Common::Expr; class CELSampler : public Sampler, Logger::Loggable { public: CELSampler(const ::Envoy::LocalInfo::LocalInfo& local_info, - Expr::BuilderInstanceSharedPtr builder, const cel::expr::Expr& expr); + Expr::BuilderInstanceSharedConstPtr builder, const xds::type::v3::CelExpression& expr); SamplingResult shouldSample(const StreamInfo::StreamInfo& stream_info, const absl::optional parent_context, @@ -38,9 +38,7 @@ class CELSampler : public Sampler, Logger::Loggable { private: const ::Envoy::LocalInfo::LocalInfo& local_info_; - Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_; - const cel::expr::Expr parsed_expr_; - Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_; + const Extensions::Filters::Common::Expr::CompiledExpression compiled_expr_; }; } // namespace OpenTelemetry diff --git a/source/extensions/tracers/opentelemetry/samplers/cel/config.cc b/source/extensions/tracers/opentelemetry/samplers/cel/config.cc index 4ad951dc7cee8..f14741a889265 100644 --- a/source/extensions/tracers/opentelemetry/samplers/cel/config.cc +++ b/source/extensions/tracers/opentelemetry/samplers/cel/config.cc @@ -23,14 +23,10 @@ CELSamplerFactory::createSampler(const Protobuf::Message& config, const envoy::extensions::tracers::opentelemetry::samplers::v3::CELSamplerConfig&>( *mptr, context.messageValidationVisitor()); - auto expr = Expr::getExpr(proto_config.expression()); - if (!expr.has_value()) { - throw EnvoyException("CEL expression not set"); - } - return std::make_unique( context.serverFactoryContext().localInfo(), - Extensions::Filters::Common::Expr::getBuilder(context.serverFactoryContext()), expr.value()); + Extensions::Filters::Common::Expr::getBuilder(context.serverFactoryContext()), + proto_config.expression()); } /** diff --git a/test/common/access_log/access_log_impl_test.cc b/test/common/access_log/access_log_impl_test.cc index c397271572e57..cfbd6190fc613 100644 --- a/test/common/access_log/access_log_impl_test.cc +++ b/test/common/access_log/access_log_impl_test.cc @@ -1845,6 +1845,24 @@ name: accesslog EXPECT_THROW_WITH_REGEX(AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_), EnvoyException, "Not able to parse filter expression: .*"); } + +TEST_F(AccessLogImplTest, CelExtensionFilterExpressionUncompilable) { + const std::string yaml = R"EOF( +name: accesslog +filter: + extension_filter: + name: cel_extension_filter + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.filters.cel.v3.ExpressionFilter + expression: "f()" +typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + )EOF"; + + EXPECT_THROW_WITH_REGEX(AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_), + EnvoyException, "failed to create an expression: .*"); +} #endif // USE_CEL_PARSER } // namespace diff --git a/test/coverage.yaml b/test/coverage.yaml index d0b2b2be3e2b6..e4d14fa48ee4a 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -36,7 +36,7 @@ directories: source/extensions/common/wasm/ext: 100.0 source/extensions/filters/common: 97.1 source/extensions/filters/common/fault: 94.5 - source/extensions/filters/common/rbac: 92.6 + source/extensions/filters/common/rbac: 95.4 source/extensions/filters/common/lua: 95.6 source/extensions/filters/http/cache: 95.9 source/extensions/filters/http/dynamic_forward_proxy: 94.8 @@ -53,7 +53,7 @@ directories: source/extensions/filters/network/dubbo_proxy: 96.2 source/extensions/filters/network/mongo_proxy: 96.1 source/extensions/filters/network/sni_cluster: 88.9 - source/extensions/formatter/cel: 93.9 + source/extensions/formatter/cel: 100.0 source/extensions/internal_redirect: 86.2 source/extensions/internal_redirect/safe_cross_scheme: 81.3 source/extensions/internal_redirect/allow_listed_routes: 85.7 @@ -79,4 +79,4 @@ directories: source/extensions/health_checkers/http: 94.6 source/extensions/health_checkers/grpc: 92.3 source/extensions/config_subscription/rest: 94.9 - source/extensions/matching/input_matchers/cel_matcher: 82.6 # Death tests don't report LCOV + source/extensions/matching/input_matchers/cel_matcher: 100.0 diff --git a/test/extensions/filters/common/expr/evaluator_fuzz_test.cc b/test/extensions/filters/common/expr/evaluator_fuzz_test.cc index 75ec3eaee1e9f..8ae0147154077 100644 --- a/test/extensions/filters/common/expr/evaluator_fuzz_test.cc +++ b/test/extensions/filters/common/expr/evaluator_fuzz_test.cc @@ -20,7 +20,7 @@ namespace { DEFINE_PROTO_FUZZER(const test::extensions::filters::common::expr::EvaluatorTestCase& input) { // Create builder without constant folding. - static Expr::BuilderPtr builder = Expr::createBuilder(nullptr); + static auto builder = Expr::createBuilder(nullptr); MockTimeSystem time_source; std::unique_ptr stream_info; @@ -51,11 +51,15 @@ DEFINE_PROTO_FUZZER(const test::extensions::filters::common::expr::EvaluatorTest ENVOY_LOG_MISC(debug, "Failed to convert expression to new format"); return; } - Expr::ExpressionPtr expr = Expr::createExpression(*builder, new_expr); + auto expr = Expr::CompiledExpression::Create(builder, new_expr); + if (!expr.ok()) { + ENVOY_LOG_MISC(debug, "Failed to compile"); + return; + } // Evaluate the CEL expression. Protobuf::Arena arena; - Expr::evaluate(*expr, arena, nullptr, *stream_info, &request_headers, &response_headers, + expr->evaluate(arena, nullptr, *stream_info, &request_headers, &response_headers, &response_trailers); } catch (const CelException& e) { ENVOY_LOG_MISC(debug, "CelException: {}", e.what()); diff --git a/test/extensions/filters/common/rbac/matchers_test.cc b/test/extensions/filters/common/rbac/matchers_test.cc index 07e749febcb8a..fa6fa08fd1003 100644 --- a/test/extensions/filters/common/rbac/matchers_test.cc +++ b/test/extensions/filters/common/rbac/matchers_test.cc @@ -663,9 +663,9 @@ TEST(PolicyMatcher, PolicyMatcher) { policy.add_permissions()->set_destination_port(456); policy.add_principals()->mutable_authenticated()->mutable_principal_name()->set_exact("foo"); policy.add_principals()->mutable_authenticated()->mutable_principal_name()->set_exact("bar"); - Expr::BuilderPtr builder = Expr::createBuilder(nullptr); + auto builder = Expr::createBuilder(nullptr); - RBAC::PolicyMatcher matcher(policy, builder.get(), ProtobufMessage::getStrictValidationVisitor(), + RBAC::PolicyMatcher matcher(policy, builder, ProtobufMessage::getStrictValidationVisitor(), factory_context); Envoy::Network::MockConnection conn; diff --git a/test/extensions/filters/http/ext_proc/filter_test.cc b/test/extensions/filters/http/ext_proc/filter_test.cc index c3396e2b52e30..102fd241f94e9 100644 --- a/test/extensions/filters/http/ext_proc/filter_test.cc +++ b/test/extensions/filters/http/ext_proc/filter_test.cc @@ -140,9 +140,7 @@ class HttpFilterTest : public testing::Test { } config_ = std::make_shared( proto_config, 200ms, 10000, *stats_store_.rootScope(), "", is_upstream_filter, - std::make_shared( - Envoy::Extensions::Filters::Common::Expr::createBuilder(nullptr)), - factory_context_); + Envoy::Extensions::Filters::Common::Expr::createBuilder(nullptr), factory_context_); filter_ = std::make_unique(config_, std::move(client_)); filter_->setEncoderFilterCallbacks(encoder_callbacks_); EXPECT_CALL(encoder_callbacks_, encoderBufferLimit()).WillRepeatedly(Return(BufferSize)); diff --git a/test/extensions/filters/http/ext_proc/ordering_test.cc b/test/extensions/filters/http/ext_proc/ordering_test.cc index 57302cb103700..51375b583c881 100644 --- a/test/extensions/filters/http/ext_proc/ordering_test.cc +++ b/test/extensions/filters/http/ext_proc/ordering_test.cc @@ -73,9 +73,7 @@ class OrderingTest : public testing::Test { } config_ = std::make_shared( proto_config, kMessageTimeout, kMaxMessageTimeoutMs, *stats_store_.rootScope(), "", false, - std::make_shared( - Envoy::Extensions::Filters::Common::Expr::createBuilder(nullptr)), - factory_context_); + Envoy::Extensions::Filters::Common::Expr::createBuilder(nullptr), factory_context_); filter_ = std::make_unique(config_, std::move(client_)); filter_->setEncoderFilterCallbacks(encoder_callbacks_); filter_->setDecoderFilterCallbacks(decoder_callbacks_); diff --git a/test/extensions/filters/http/ext_proc/unit_test_fuzz/ext_proc_unit_test_fuzz.cc b/test/extensions/filters/http/ext_proc/unit_test_fuzz/ext_proc_unit_test_fuzz.cc index f8635e18598d0..08eb648ab65f5 100644 --- a/test/extensions/filters/http/ext_proc/unit_test_fuzz/ext_proc_unit_test_fuzz.cc +++ b/test/extensions/filters/http/ext_proc/unit_test_fuzz/ext_proc_unit_test_fuzz.cc @@ -88,9 +88,7 @@ DEFINE_PROTO_FUZZER( try { config = std::make_shared( proto_config, std::chrono::milliseconds(200), 200, *stats_store.rootScope(), "", false, - std::make_shared( - Envoy::Extensions::Filters::Common::Expr::createBuilder(nullptr)), - mocks.factory_context_); + Envoy::Extensions::Filters::Common::Expr::createBuilder(nullptr), mocks.factory_context_); } catch (const EnvoyException& e) { ENVOY_LOG_MISC(debug, "EnvoyException during ext_proc filter config validation: {}", e.what()); return; diff --git a/test/extensions/formatter/cel/cel_test.cc b/test/extensions/formatter/cel/cel_test.cc index e3491d8b44747..abf83f4d85a6e 100644 --- a/test/extensions/formatter/cel/cel_test.cc +++ b/test/extensions/formatter/cel/cel_test.cc @@ -339,6 +339,18 @@ TEST_F(CELFormatterTest, TestTypedInvalidExpression) { EnvoyException, "Not able to parse expression: .*"); } +TEST_F(CELFormatterTest, TestInvalidSemanticExpression) { + const std::string yaml = R"EOF( + text_format_source: + inline_string: "%CEL(f())%" +)EOF"; + TestUtility::loadFromYaml(yaml, config_); + + EXPECT_THROW_WITH_REGEX( + *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_), + EnvoyException, "failed to create an expression: .*"); +} + TEST_F(CELFormatterTest, TestRegexExtFunctions) { const std::string yaml = R"EOF( text_format_source: diff --git a/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc b/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc index 887dfc3917039..14d61060a626e 100644 --- a/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc +++ b/test/extensions/matching/input_matchers/cel_matcher/cel_matcher_test.cc @@ -473,8 +473,9 @@ TEST_F(CelMatcherTest, CelMatcherRequestResponseNotMatchedWithParsedExprUseCel) } TEST_F(CelMatcherTest, NoCelExpression) { - EXPECT_DEATH(buildMatcherTree(RequestHeaderCelExprString, ExpressionType::NoExpression), - ".*panic: unset oneof.*"); + EXPECT_THROW_WITH_REGEX( + buildMatcherTree(RequestHeaderCelExprString, ExpressionType::NoExpression), EnvoyException, + ".*CEL expression not set.*"); } // Add a test case specifically for testing format conversion From a0c83403f675741f817512f4f3410370444809e7 Mon Sep 17 00:00:00 2001 From: kishor7007 <148222973+kishor7007@users.noreply.github.com> Date: Thu, 28 Aug 2025 04:02:33 +0530 Subject: [PATCH 306/505] dns: adding support for edns0 size customisation via envoy filters (#40776) Implementation for https://github.com/envoyproxy/envoy/issues/40696 Currently dns response size is 1232 on UDP support as per c-ares lib(https://github.com/c-ares/c-ares/blob/main/src/lib/ares_private.h#L133) on EDNS0. we can provide the option via envoy filters to customise the size as per end user needs like 4096, etc. [optional Relevant Links:] Any extra documentation required to understand the issue. https://datatracker.ietf.org/doc/html/rfc6891 --------- Signed-off-by: kishor7007 --- .../cares/v3/cares_dns_resolver.proto | 14 +++++++- .../network/dns_resolver/cares/dns_impl.cc | 11 +++++- .../network/dns_resolver/cares/dns_impl.h | 1 + .../dns_resolver/cares/dns_impl_test.cc | 35 +++++++++++++++++++ 4 files changed, 59 insertions(+), 2 deletions(-) diff --git a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto index b36a3a0d095e0..20b6a8a7f0642 100644 --- a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +++ b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto @@ -20,7 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#extension: envoy.network.dns_resolver.cares] // Configuration for c-ares DNS resolver. -// [#next-free-field: 9] +// [#next-free-field: 10] message CaresDnsResolverConfig { // A list of DNS resolver addresses. // :ref:`use_resolvers_as_fallback ` @@ -77,4 +77,16 @@ message CaresDnsResolverConfig { // This setting overrides any system configuration for name server rotation. // bool rotate_nameservers = 8; + + // Maximum EDNS0 UDP payload size in bytes. + // If set, c-ares will include EDNS0 in DNS queries and use this value as the maximum UDP response size. + + // Recommended values: + // + // - 1232: Safe default (avoids fragmentation) + // - 4096: Maximum allowed + // + // If unset, c-ares uses its internal default (usually 1232). + google.protobuf.UInt32Value edns0_max_payload_size = 9 + [(validate.rules).uint32 = {lte: 4096 gte: 512}]; } diff --git a/source/extensions/network/dns_resolver/cares/dns_impl.cc b/source/extensions/network/dns_resolver/cares/dns_impl.cc index 69588e9897067..1feb74e5bfc27 100644 --- a/source/extensions/network/dns_resolver/cares/dns_impl.cc +++ b/source/extensions/network/dns_resolver/cares/dns_impl.cc @@ -51,7 +51,10 @@ DnsResolverImpl::DnsResolverImpl( config, query_timeout_seconds, DEFAULT_QUERY_TIMEOUT_SECONDS))), query_tries_(static_cast( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, query_tries, DEFAULT_QUERY_TRIES))), - rotate_nameservers_(config.rotate_nameservers()), resolvers_csv_(resolvers_csv), + rotate_nameservers_(config.rotate_nameservers()), + edns0_max_payload_size_(static_cast(PROTOBUF_GET_WRAPPED_OR_DEFAULT( + config, edns0_max_payload_size, 0))), // 0 means use c-ares default EDNS0 + resolvers_csv_(resolvers_csv), filter_unroutable_families_(config.filter_unroutable_families()), scope_(root_scope.createScope("dns.cares.")), stats_(generateCaresDnsResolverStats(*scope_)) { AresOptions options = defaultAresOptions(); @@ -126,6 +129,12 @@ DnsResolverImpl::AresOptions DnsResolverImpl::defaultAresOptions() { options.optmask_ |= ARES_OPT_NOROTATE; } + // Configure EDNS0 payload size if specified + if (edns0_max_payload_size_ > 0) { + options.optmask_ |= ARES_OPT_EDNSPSZ; + options.options_.ednspsz = edns0_max_payload_size_; + } + // Disable query cache by default. options.optmask_ |= ARES_OPT_QUERY_CACHE; options.options_.qcache_max_ttl = 0; diff --git a/source/extensions/network/dns_resolver/cares/dns_impl.h b/source/extensions/network/dns_resolver/cares/dns_impl.h index 20b772853e399..7fc7aa8d8795c 100644 --- a/source/extensions/network/dns_resolver/cares/dns_impl.h +++ b/source/extensions/network/dns_resolver/cares/dns_impl.h @@ -201,6 +201,7 @@ class DnsResolverImpl : public DnsResolver, protected Logger::Loggable resolvers_csv_; const bool filter_unroutable_families_; Stats::ScopeSharedPtr scope_; diff --git a/test/extensions/network/dns_resolver/cares/dns_impl_test.cc b/test/extensions/network/dns_resolver/cares/dns_impl_test.cc index 772b90d464cff..0ef68b6c77bc9 100644 --- a/test/extensions/network/dns_resolver/cares/dns_impl_test.cc +++ b/test/extensions/network/dns_resolver/cares/dns_impl_test.cc @@ -727,6 +727,11 @@ class DnsImplTest : public testing::TestWithParam { cares.set_allocated_udp_max_queries(udpMaxQueries()); cares.set_rotate_nameservers(setRotateNameservers()); + // Set EDNS0 configuration if specified + if (getEdns0MaxPayloadSize() > 0) { + cares.mutable_edns0_max_payload_size()->set_value(getEdns0MaxPayloadSize()); + } + // Copy over the dns_resolver_options_. cares.mutable_dns_resolver_options()->MergeFrom(dns_resolver_options); // setup the typed config @@ -976,6 +981,7 @@ class DnsImplTest : public testing::TestWithParam { virtual bool filterUnroutableFamilies() const { return false; } virtual bool setRotateNameservers() const { return false; } virtual Protobuf::UInt32Value* udpMaxQueries() const { return nullptr; } + virtual uint32_t getEdns0MaxPayloadSize() const { return 0; } Stats::TestUtil::TestStore stats_store_; NiceMock runtime_; std::unique_ptr server_; @@ -2314,5 +2320,34 @@ TEST_P(DnsImplAresFlagsForNoNameserverRotationTest, NameserverRotationDisabled) ares_destroy_options(&opts); } +// EDNS0 configuration test + +class DnsImplEdns0Test : public DnsImplTest { +protected: + bool tcpOnly() const override { return false; } + uint32_t getEdns0MaxPayloadSize() const override { return 4096; } +}; + +INSTANTIATE_TEST_SUITE_P(IpVersions, DnsImplEdns0Test, + testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + TestUtility::ipTestParamsToString); + +// Test: Verify EDNS0 configuration is applied to c-ares options +// Note: EDNS0 is only relevant for UDP DNS queries. +// The DNS tests in this file use TCP-only mode to avoid instability and flakiness from UDP. +// Therefore, this test only verifies that the EDNS0 configuration flag is set in c-ares, +// not its functional behavior. +TEST_P(DnsImplEdns0Test, Edns0ConfigurationApplied) { + ares_options opts{}; + int optmask = 0; + EXPECT_EQ(ARES_SUCCESS, ares_save_options(peer_->channel(), &opts, &optmask)); + + // Verify EDNS0 payload size flag is set and value is correct + EXPECT_TRUE((optmask & ARES_OPT_EDNSPSZ) == ARES_OPT_EDNSPSZ); + EXPECT_EQ(opts.ednspsz, 4096); + + ares_destroy_options(&opts); +} + } // namespace Network } // namespace Envoy From 35e4745f3b0a50569e4f065d9be02c8af7e72726 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 28 Aug 2025 00:34:34 +0200 Subject: [PATCH 307/505] network: centralize IP parsing and unify on getaddrinfo() to avoid circular deps (#40737) ## Description This PR ntroduces a new `ip_address_parsing_lib` which provides helper methods to parse IPv4 and IPv6 addresses that use `getaddrinfo()` with `AI_NUMERICHOST|AI_NUMERICSERV` for numeric-only parsing. We have refactored `parseInternetAddressNoThrow()` and `parseInternetAddressAndPortNoThrow()` to use these newly added helpers. **Note:** For IPv4, we enforce strict dotted-quad by round-tripping via `inet_ntop` to avoid platform quirks and keep the behavior consistent. Fix https://github.com/envoyproxy/envoy/issues/23952 --- **Commit Message:** network: centralize IP parsing and unify on getaddrinfo() to avoid circular deps **Additional Description:** Refactor IP parsing logic and consolidate the scattered logic with a single low-level implementation. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- source/common/network/BUILD | 11 ++ source/common/network/ip_address_parsing.cc | 67 +++++++++ source/common/network/ip_address_parsing.h | 34 +++++ source/common/network/utility.cc | 66 +-------- test/common/network/BUILD | 9 ++ .../common/network/ip_address_parsing_test.cc | 138 ++++++++++++++++++ 6 files changed, 264 insertions(+), 61 deletions(-) create mode 100644 source/common/network/ip_address_parsing.cc create mode 100644 source/common/network/ip_address_parsing.h create mode 100644 test/common/network/ip_address_parsing_test.cc diff --git a/source/common/network/BUILD b/source/common/network/BUILD index 62772ee0a6edc..789b768c72e5b 100644 --- a/source/common/network/BUILD +++ b/source/common/network/BUILD @@ -500,6 +500,7 @@ envoy_cc_library( deps = [ ":address_lib", ":default_socket_interface_lib", + ":ip_address_parsing_lib", ":socket_lib", ":socket_option_lib", "//envoy/api:os_sys_calls_interface", @@ -517,6 +518,16 @@ envoy_cc_library( ], ) +envoy_cc_library( + name = "ip_address_parsing_lib", + srcs = ["ip_address_parsing.cc"], + hdrs = ["ip_address_parsing.h"], + deps = [ + "//source/common/api:os_sys_calls_lib", + "//source/common/common:statusor_lib", + ], +) + envoy_cc_library( name = "transport_socket_options_lib", srcs = ["transport_socket_options_impl.cc"], diff --git a/source/common/network/ip_address_parsing.cc b/source/common/network/ip_address_parsing.cc new file mode 100644 index 0000000000000..9ea583662b555 --- /dev/null +++ b/source/common/network/ip_address_parsing.cc @@ -0,0 +1,67 @@ +#include "source/common/network/ip_address_parsing.h" + +#include + +#include "source/common/api/os_sys_calls_impl.h" + +namespace Envoy { +namespace Network { +namespace IpAddressParsing { + +StatusOr parseIPv4(const std::string& ip_address, uint16_t port) { + // Use inet_pton() for IPv4 as it's simpler, faster, and already enforces + // strict dotted-quad format while rejecting non-standard notations. + sockaddr_in sa4; + memset(&sa4, 0, sizeof(sa4)); + if (inet_pton(AF_INET, ip_address.c_str(), &sa4.sin_addr) != 1) { + return absl::FailedPreconditionError("failed parsing ipv4"); + } + sa4.sin_family = AF_INET; + sa4.sin_port = htons(port); + return sa4; +} + +StatusOr parseIPv6(const std::string& ip_address, uint16_t port) { + // Parse IPv6 with optional scope using getaddrinfo(). + // While inet_pton() would be faster and simpler, it does not support IPv6 + // addresses that specify a scope, e.g. `::%eth0` to listen on only one interface. + struct addrinfo hints; + memset(&hints, 0, sizeof(hints)); + struct addrinfo* res = nullptr; + // Suppresses any potentially lengthy network host address lookups and inhibit the + // invocation of a name resolution service. + hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; + hints.ai_family = AF_INET6; + // Given that we do not specify a service but we use getaddrinfo() to only parse the node + // address, specifying the socket type allows to hint the getaddrinfo() to return only an + // element with the below socket type. The behavior though remains platform dependent and + // anyway we consume only the first element if the call succeeds. + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + + // We want to use the interface of OsSysCalls for this for the platform-independence, but + // we do not want to use the common OsSysCallsSingleton. + // + // The problem with using OsSysCallsSingleton is that we likely want to override getaddrinfo() + // for DNS lookups in tests, but typically that override would resolve a name to e.g. the + // address from resolveUrl("tcp://[::1]:80"). But resolveUrl calls ``parseIPv6``, which calls + // getaddrinfo(), so if we use the mock here then mocking DNS causes infinite recursion. + // + // We do not ever need to mock this getaddrinfo() call, because it is only used to parse + // numeric IP addresses, per ``ai_flags``, so it should be deterministic resolution. There + // is no need to mock it to test failure cases. + static Api::OsSysCallsImpl os_sys_calls; + const Api::SysCallIntResult rc = + os_sys_calls.getaddrinfo(ip_address.c_str(), /*service=*/nullptr, &hints, &res); + if (rc.return_value_ != 0) { + return absl::FailedPreconditionError(absl::StrCat("getaddrinfo error: ", rc.return_value_)); + } + sockaddr_in6 sa6 = *reinterpret_cast(res->ai_addr); + os_sys_calls.freeaddrinfo(res); + sa6.sin6_port = htons(port); + return sa6; +} + +} // namespace IpAddressParsing +} // namespace Network +} // namespace Envoy diff --git a/source/common/network/ip_address_parsing.h b/source/common/network/ip_address_parsing.h new file mode 100644 index 0000000000000..dbf5090d5ba0d --- /dev/null +++ b/source/common/network/ip_address_parsing.h @@ -0,0 +1,34 @@ +#pragma once + +#include +#include + +#include "envoy/common/platform.h" + +#include "source/common/common/statusor.h" + +namespace Envoy { +namespace Network { + +// Utilities for parsing numeric IP addresses into sockaddr structures. +// These helper methods avoid higher-level dependencies and are suitable for +// use by multiple components that need low-level parsing without constructing +// `Address::Instance` objects. +namespace IpAddressParsing { + +// Parse an IPv4 address string into a sockaddr_in with the provided port. +// Returns a failure status if the address is not a valid numeric IPv4 string. +StatusOr parseIPv4(const std::string& ip_address, uint16_t port); + +// Parse an IPv6 address string (optionally with a scope id, e.g. ``fe80::1%2`` +// or ``fe80::1%eth0``) into a sockaddr_in6 with the provided port. +// +// Uses getaddrinfo() with ``AI_NUMERICHOST|AI_NUMERICSERV`` to avoid DNS lookups +// and to support scoped addresses consistently across all platforms. +// +// Returns a failure status if the address is not a valid numeric IPv6 string. +StatusOr parseIPv6(const std::string& ip_address, uint16_t port); + +} // namespace IpAddressParsing +} // namespace Network +} // namespace Envoy diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc index f7913adba3d58..c3271f301d717 100644 --- a/source/common/network/utility.cc +++ b/source/common/network/utility.cc @@ -22,6 +22,7 @@ #include "source/common/common/utility.h" #include "source/common/network/address_impl.h" #include "source/common/network/io_socket_error_impl.h" +#include "source/common/network/ip_address_parsing.h" #include "source/common/network/socket_option_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" @@ -106,75 +107,18 @@ Api::IoCallUint64Result receiveMessage(uint64_t max_rx_datagram_size, Buffer::In return result; } -StatusOr parseV4Address(const std::string& ip_address, uint16_t port) { - sockaddr_in sa4; - memset(&sa4, 0, sizeof(sa4)); - if (inet_pton(AF_INET, ip_address.c_str(), &sa4.sin_addr) != 1) { - return absl::FailedPreconditionError("failed parsing ipv4"); - } - sa4.sin_family = AF_INET; - sa4.sin_port = htons(port); - return sa4; -} - -StatusOr parseV6Address(const std::string& ip_address, uint16_t port) { - // Parse IPv6 with optional scope using getaddrinfo(). - // While inet_pton() would be faster and simpler, it does not support IPv6 - // addresses that specify a scope, e.g. `::%eth0` to listen on only one interface. - struct addrinfo hints; - memset(&hints, 0, sizeof(hints)); - struct addrinfo* res = nullptr; - // Suppresses any potentially lengthy network host address lookups and inhibit the invocation of - // a name resolution service. - hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; - hints.ai_family = AF_INET6; - // Given that we don't specify a service but we use getaddrinfo() to only parse the node - // address, specifying the socket type allows to hint the getaddrinfo() to return only an - // element with the below socket type. The behavior though remains platform dependent and anyway - // we consume only the first element (if the call succeeds). - hints.ai_socktype = SOCK_DGRAM; - hints.ai_protocol = IPPROTO_UDP; - - // We want to use the interface of OsSysCalls for this for the - // platform-independence, but we don't want to use the common - // OsSysCallsSingleton. - // - // The problem with using OsSysCallsSingleton is that we likely - // want to override getaddrinfo() for DNS lookups in tests, but - // typically that override would resolve a name to e.g. - // the address from resolveUrl("tcp://[::1]:80") - but resolveUrl - // calls parseV6Address, which calls getaddrinfo(), so if we use - // the mock *here* then mocking DNS causes infinite recursion. - // - // We don't ever need to mock *this* getaddrinfo() call, because - // it's only used to parse numeric IP addresses, per `ai_flags`, - // so it should be deterministic resolution; there's no need to - // mock it to test failure cases. - static Api::OsSysCallsImpl os_sys_calls; - - const Api::SysCallIntResult rc = - os_sys_calls.getaddrinfo(ip_address.c_str(), /*service=*/nullptr, &hints, &res); - if (rc.return_value_ != 0) { - return absl::FailedPreconditionError(fmt::format("getaddrinfo error: {}", rc.return_value_)); - } - sockaddr_in6 sa6 = *reinterpret_cast(res->ai_addr); - os_sys_calls.freeaddrinfo(res); - sa6.sin6_port = htons(port); - return sa6; -} - } // namespace Address::InstanceConstSharedPtr Utility::parseInternetAddressNoThrow(const std::string& ip_address, uint16_t port, bool v6only, absl::optional network_namespace) { - StatusOr sa4 = parseV4Address(ip_address, port); + StatusOr sa4 = IpAddressParsing::parseIPv4(ip_address, port); if (sa4.ok()) { return instanceOrNull(Address::InstanceFactory::createInstancePtr( &sa4.value(), nullptr, network_namespace)); } - StatusOr sa6 = parseV6Address(ip_address, port); + StatusOr sa6 = IpAddressParsing::parseIPv6(ip_address, port); if (sa6.ok()) { return instanceOrNull(Address::InstanceFactory::createInstancePtr( *sa6, v6only, nullptr, network_namespace)); @@ -200,7 +144,7 @@ Utility::parseInternetAddressAndPortNoThrow(const std::string& ip_address, bool if (port_str.empty() || !absl::SimpleAtoi(port_str, &port64) || port64 > 65535) { return nullptr; } - StatusOr sa6 = parseV6Address(ip_str, port64); + StatusOr sa6 = IpAddressParsing::parseIPv6(ip_str, static_cast(port64)); if (sa6.ok()) { return instanceOrNull(Address::InstanceFactory::createInstancePtr( *sa6, v6only, nullptr, network_namespace)); @@ -218,7 +162,7 @@ Utility::parseInternetAddressAndPortNoThrow(const std::string& ip_address, bool if (port_str.empty() || !absl::SimpleAtoi(port_str, &port64) || port64 > 65535) { return nullptr; } - StatusOr sa4 = parseV4Address(ip_str, port64); + StatusOr sa4 = IpAddressParsing::parseIPv4(ip_str, static_cast(port64)); if (sa4.ok()) { return instanceOrNull(Address::InstanceFactory::createInstancePtr( &sa4.value(), nullptr, network_namespace)); diff --git a/test/common/network/BUILD b/test/common/network/BUILD index c607c3acfb236..a78fe172f9357 100644 --- a/test/common/network/BUILD +++ b/test/common/network/BUILD @@ -405,6 +405,15 @@ envoy_cc_test( ], ) +envoy_cc_test( + name = "ip_address_parsing_test", + srcs = ["ip_address_parsing_test.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/network:ip_address_parsing_lib", + ], +) + envoy_cc_fuzz_test( name = "udp_fuzz_test", srcs = ["udp_fuzz.cc"], diff --git a/test/common/network/ip_address_parsing_test.cc b/test/common/network/ip_address_parsing_test.cc new file mode 100644 index 0000000000000..d07a40f40b0f6 --- /dev/null +++ b/test/common/network/ip_address_parsing_test.cc @@ -0,0 +1,138 @@ +#include + +#include "source/common/network/ip_address_parsing.h" + +#include "gtest/gtest.h" + +namespace Envoy { +namespace Network { + +TEST(IpAddressParsingTest, ParseIPv4Valid) { + // Test standard dotted-quad notation. + auto sa4_or = IpAddressParsing::parseIPv4("127.0.0.1", /*port=*/8080); + ASSERT_TRUE(sa4_or.ok()); + const sockaddr_in sa4 = sa4_or.value(); + EXPECT_EQ(AF_INET, sa4.sin_family); + EXPECT_EQ(htons(8080), sa4.sin_port); + EXPECT_EQ(htonl(INADDR_LOOPBACK), sa4.sin_addr.s_addr); + + // Test another valid IPv4. + auto sa4_or2 = IpAddressParsing::parseIPv4("192.168.1.1", /*port=*/443); + ASSERT_TRUE(sa4_or2.ok()); + const sockaddr_in sa4_2 = sa4_or2.value(); + EXPECT_EQ(AF_INET, sa4_2.sin_family); + EXPECT_EQ(htons(443), sa4_2.sin_port); + char buf[INET_ADDRSTRLEN]; + inet_ntop(AF_INET, &sa4_2.sin_addr, buf, INET_ADDRSTRLEN); + EXPECT_EQ("192.168.1.1", std::string(buf)); + + // Test edge case IPs. + EXPECT_TRUE(IpAddressParsing::parseIPv4("0.0.0.0", 0).ok()); + EXPECT_TRUE(IpAddressParsing::parseIPv4("255.255.255.255", 65535).ok()); +} + +TEST(IpAddressParsingTest, ParseIPv4Invalid) { + // Test incomplete addresses. + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2.3", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("1", 0).ok()); + + // Test out-of-range octets. + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2.3.256", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("256.0.0.1", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2.3.999", 0).ok()); + + // Test non-numeric input. + EXPECT_FALSE(IpAddressParsing::parseIPv4("not_an_ip", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("abc.def.ghi.jkl", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("", 0).ok()); + + // Test IPv6 addresses (should fail for IPv4 parser). + EXPECT_FALSE(IpAddressParsing::parseIPv4("::1", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("fe80::1", 0).ok()); + + // Test that inet_pton() correctly rejects non-standard formats. + // These formats might be accepted by some liberal parsers but should be rejected + // by inet_pton() which enforces strict dotted-quad notation. + EXPECT_FALSE(IpAddressParsing::parseIPv4("127.1", 0).ok()); // Short form + EXPECT_FALSE(IpAddressParsing::parseIPv4("0x7f.0.0.1", 0).ok()); // Hex notation + // Note: Some platforms (e.g., macOS) may accept octal notation in inet_pton(), + // so we skip this test to maintain platform compatibility. + + // Test extra dots. + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2.3.4.", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4(".1.2.3.4", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("1..2.3.4", 0).ok()); + + // Test with spaces. + EXPECT_FALSE(IpAddressParsing::parseIPv4(" 1.2.3.4", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2.3.4 ", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv4("1.2. 3.4", 0).ok()); +} + +TEST(IpAddressParsingTest, ParseIPv6Valid) { + // Test loopback. + auto sa6_or = IpAddressParsing::parseIPv6("::1", /*port=*/443); + ASSERT_TRUE(sa6_or.ok()); + const sockaddr_in6 sa6 = sa6_or.value(); + EXPECT_EQ(AF_INET6, sa6.sin6_family); + EXPECT_EQ(htons(443), sa6.sin6_port); + in6_addr loopback = IN6ADDR_LOOPBACK_INIT; + EXPECT_EQ(0, memcmp(&loopback, &sa6.sin6_addr, sizeof(in6_addr))); + + // Test other valid IPv6 addresses. + EXPECT_TRUE(IpAddressParsing::parseIPv6("::", 0).ok()); + EXPECT_TRUE(IpAddressParsing::parseIPv6("::ffff:127.0.0.1", 0).ok()); // IPv4-mapped + EXPECT_TRUE(IpAddressParsing::parseIPv6("2001:db8::1", 0).ok()); + EXPECT_TRUE(IpAddressParsing::parseIPv6("fe80::1", 0).ok()); + EXPECT_TRUE(IpAddressParsing::parseIPv6("2001:0db8:0000:0000:0000:0000:0000:0001", 0).ok()); + + // Test IPv6 with scope (this is why we need getaddrinfo() for IPv6). + // Note: Actual scope parsing depends on platform support. +#ifdef __linux__ + // Numeric scope ID. + auto sa6_scope = IpAddressParsing::parseIPv6("fe80::1%2", 80); + ASSERT_TRUE(sa6_scope.ok()); + EXPECT_EQ(2, sa6_scope.value().sin6_scope_id); +#endif +} + +TEST(IpAddressParsingTest, ParseIPv6Invalid) { + // Test invalid characters. + EXPECT_FALSE(IpAddressParsing::parseIPv6("::g", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6("gggg::1", 0).ok()); + + // Test invalid format. + EXPECT_FALSE(IpAddressParsing::parseIPv6("1:::1", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6(":::1", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6("1::2::3", 0).ok()); // Multiple :: + + // Test non-IP strings. + EXPECT_FALSE(IpAddressParsing::parseIPv6("not_an_ip", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6("", 0).ok()); + + // Test IPv4 addresses (should fail for IPv6 parser). + EXPECT_FALSE(IpAddressParsing::parseIPv6("127.0.0.1", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6("192.168.1.1", 0).ok()); + + // Test too many groups. + EXPECT_FALSE(IpAddressParsing::parseIPv6("1:2:3:4:5:6:7:8:9", 0).ok()); + + // Test with spaces. + EXPECT_FALSE(IpAddressParsing::parseIPv6(" ::1", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6("::1 ", 0).ok()); + EXPECT_FALSE(IpAddressParsing::parseIPv6(":: 1", 0).ok()); +} + +TEST(IpAddressParsingTest, PortBoundaries) { + // Test port boundaries for IPv4. + EXPECT_TRUE(IpAddressParsing::parseIPv4("127.0.0.1", 0).ok()); + EXPECT_TRUE(IpAddressParsing::parseIPv4("127.0.0.1", 65535).ok()); + + // Test port boundaries for IPv6. + EXPECT_TRUE(IpAddressParsing::parseIPv6("::1", 0).ok()); + EXPECT_TRUE(IpAddressParsing::parseIPv6("::1", 65535).ok()); +} + +} // namespace Network +} // namespace Envoy From 946855810f700ad28798aa3d5a562e859763d87b Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 17:01:01 +0000 Subject: [PATCH 308/505] downstream interface changes and fixes Signed-off-by: Basundhara Chakrabarty --- source/extensions/bootstrap/reverse_tunnel/BUILD | 16 ++++++++++++---- .../reverse_tunnel/reverse_tunnel_initiator.cc | 8 ++++---- .../reverse_tunnel_initiator_test.cc | 2 +- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index 5cf5c370437aa..c631ce8786964 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -1,14 +1,16 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_extension", + "envoy_cc_library", "envoy_extension_package", + "envoy_proto_library", ) licenses(["notice"]) # Apache 2 envoy_extension_package() -envoy_cc_extension( +envoy_cc_library( name = "reverse_connection_address_lib", srcs = ["reverse_connection_address.cc"], hdrs = ["reverse_connection_address.h"], @@ -20,7 +22,7 @@ envoy_cc_extension( ], ) -envoy_cc_extension( +envoy_cc_library( name = "reverse_connection_resolver_lib", srcs = ["reverse_connection_resolver.cc"], hdrs = ["reverse_connection_resolver.h"], @@ -65,10 +67,16 @@ envoy_cc_extension( "//source/common/network:filter_lib", "//source/common/protobuf", "//source/common/upstream:load_balancer_context_base_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + ":reverse_connection_handshake_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], - alwayslink = 1, + alwayslink = 1, + ) + +# Proto library for internal handshake messages +envoy_proto_library( + name = "reverse_connection_handshake_proto", + srcs = ["reverse_connection_handshake.proto"], ) # envoy_cc_extension( diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index ee26b3fd24db3..450c812215fc3 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -5,7 +5,7 @@ #include #include "envoy/event/deferred_deletable.h" -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" #include "envoy/network/address.h" #include "envoy/network/connection.h" #include "envoy/registry/registry.h" @@ -146,12 +146,12 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: if (!response_body.empty()) { // Try to parse the protobuf response - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + envoy::source::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; if (ret.ParseFromString(response_body)) { ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); // Check if the status is ACCEPTED - if (ret.status() == envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + if (ret.status() == envoy::source::extensions::bootstrap::reverse_tunnel:: ReverseConnHandshakeRet::ACCEPTED) { ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); parent_->onHandshakeSuccess(); @@ -207,7 +207,7 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); // Use HTTP handshake logic - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + envoy::source::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(src_tenant_id); arg.set_cluster_uuid(src_cluster_id); arg.set_node_uuid(src_node_id); diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index 76e74182d3f41..7d34beb6d7e50 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -2,7 +2,7 @@ #include #include -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" #include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" #include "envoy/network/socket_interface.h" #include "envoy/server/factory_context.h" From 81aa21ab0f6d0eee6a552320d969c9def2c45fe5 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 21:11:52 +0000 Subject: [PATCH 309/505] cherry-pick move handshake proto out of API Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection_handshake/v3/BUILD | 9 -------- .../extensions/bootstrap/reverse_tunnel/BUILD | 16 +++++++------- .../reverse_connection_handshake.proto | 22 ++++--------------- .../reverse_tunnel_initiator.cc | 10 ++++----- .../extensions/bootstrap/reverse_tunnel/BUILD | 2 +- .../reverse_tunnel_initiator_test.cc | 16 ++++++-------- 6 files changed, 25 insertions(+), 50 deletions(-) delete mode 100644 api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD rename {api/envoy/extensions/bootstrap/reverse_connection_handshake/v3 => source/extensions/bootstrap/reverse_tunnel}/reverse_connection_handshake.proto (56%) diff --git a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD deleted file mode 100644 index 29ebf0741406e..0000000000000 --- a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/BUILD +++ /dev/null @@ -1,9 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], -) diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/BUILD index c631ce8786964..398be042622a0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/BUILD @@ -10,6 +10,12 @@ licenses(["notice"]) # Apache 2 envoy_extension_package() +# Proto library for internal handshake messages +envoy_proto_library( + name = "reverse_connection_handshake", + srcs = ["reverse_connection_handshake.proto"], +) + envoy_cc_library( name = "reverse_connection_address_lib", srcs = ["reverse_connection_address.cc"], @@ -45,6 +51,7 @@ envoy_cc_extension( visibility = ["//visibility:public"], deps = [ ":reverse_connection_address_lib", + ":reverse_connection_handshake_cc_proto", ":reverse_connection_resolver_lib", "//envoy/api:io_error_interface", "//envoy/grpc:async_client_interface", @@ -67,16 +74,9 @@ envoy_cc_extension( "//source/common/network:filter_lib", "//source/common/protobuf", "//source/common/upstream:load_balancer_context_base_lib", - ":reverse_connection_handshake_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], - alwayslink = 1, - ) - -# Proto library for internal handshake messages -envoy_proto_library( - name = "reverse_connection_handshake_proto", - srcs = ["reverse_connection_handshake.proto"], + alwayslink = 1, ) # envoy_cc_extension( diff --git a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.proto similarity index 56% rename from api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto rename to source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.proto index ac5b20d4a9130..5ef91a8619c0c 100644 --- a/api/envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.proto +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.proto @@ -1,19 +1,10 @@ syntax = "proto3"; -package envoy.extensions.bootstrap.reverse_connection_handshake.v3; +package envoy.extensions.bootstrap.reverse_tunnel; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_connection_handshake.v3"; -option java_outer_classname = "ReverseConnectionHandshakeProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_connection_handshake/v3;reverse_connection_handshakev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Reverse Connection Handshake] -// Reverse Connection Handshake protocol for establishing reverse connections between Envoy instances. -// [#extension: envoy.bootstrap.reverse_connection_handshake] +// Internal proto definitions for reverse connection handshake protocol. +// These messages are used internally by the reverse tunnel extension +// and are not exposed to users. // Configuration for the reverse connection handshake extension. // This extension provides message definitions for establishing reverse connections @@ -30,9 +21,6 @@ message ReverseConnectionHandshakeConfig { // sent as a response can be used to transfer/negotiate parameter between the // two envoys. message ReverseConnHandshakeArg { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.reverse_conn.v3.ReverseConnHandshakeArg"; - // Tenant UUID of the local cluster. string tenant_uuid = 1; @@ -45,8 +33,6 @@ message ReverseConnHandshakeArg { // Config used by the remote cluster in response to the above 'ReverseConnHandshakeArg'. message ReverseConnHandshakeRet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.reverse_conn.v3.ReverseConnHandshakeRet"; enum ConnectionStatus { REJECTED = 0; diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc index 450c812215fc3..c6a9c04a7d3d4 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc @@ -5,7 +5,6 @@ #include #include "envoy/event/deferred_deletable.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" #include "envoy/network/address.h" #include "envoy/network/connection.h" #include "envoy/registry/registry.h" @@ -23,6 +22,7 @@ #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" namespace Envoy { namespace Extensions { @@ -146,13 +146,13 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: if (!response_body.empty()) { // Try to parse the protobuf response - envoy::source::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; if (ret.ParseFromString(response_body)) { ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); // Check if the status is ACCEPTED - if (ret.status() == envoy::source::extensions::bootstrap::reverse_tunnel:: - ReverseConnHandshakeRet::ACCEPTED) { + if (ret.status() == + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::ACCEPTED) { ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); parent_->onHandshakeSuccess(); return Network::FilterStatus::StopIteration; @@ -207,7 +207,7 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); // Use HTTP handshake logic - envoy::source::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(src_tenant_id); arg.set_cluster_uuid(src_cluster_id); arg.set_node_uuid(src_node_id); diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD index 2b09b322fbd67..010af79579520 100644 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/BUILD @@ -22,6 +22,7 @@ envoy_extension_cc_test( "//source/common/network:socket_interface_lib", "//source/common/network:utility_lib", "//source/common/thread_local:thread_local_lib", + "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_handshake_cc_proto", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", "//test/mocks/event:event_mocks", "//test/mocks/server:factory_context_mocks", @@ -29,7 +30,6 @@ envoy_extension_cc_test( "//test/mocks/thread_local:thread_local_mocks", "//test/mocks/upstream:upstream_mocks", "//test/test_common:test_runtime_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc index 7d34beb6d7e50..0eef58229e08a 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc @@ -2,7 +2,6 @@ #include #include -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" #include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" #include "envoy/network/socket_interface.h" #include "envoy/server/factory_context.h" @@ -14,6 +13,7 @@ #include "source/common/protobuf/utility.h" #include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" #include "test/mocks/event/mocks.h" @@ -3340,7 +3340,7 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { EXPECT_FALSE(body.empty()); // Verify the protobuf content by deserializing it. - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; bool parse_success = arg.ParseFromString(body); EXPECT_TRUE(parse_success); EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); @@ -3412,7 +3412,7 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWithHttpProxy) { EXPECT_FALSE(body.empty()); // Verify the protobuf content by deserializing it. - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; bool parse_success = arg.ParseFromString(body); EXPECT_TRUE(parse_success); EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); @@ -4112,9 +4112,8 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { auto filter = createFilter(wrapper.get()); // Create a proper ReverseConnHandshakeRet protobuf response. - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: - ReverseConnHandshakeRet::ACCEPTED); + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::ACCEPTED); ret.set_status_message("Connection accepted"); std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) @@ -4132,9 +4131,8 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithRejectedProtobufResponse) { auto filter = createFilter(wrapper.get()); // Create a ReverseConnHandshakeRet protobuf response with REJECTED status. - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: - ReverseConnHandshakeRet::REJECTED); + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::REJECTED); ret.set_status_message("Connection rejected by server"); std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) From 015a9575a5db8965049cbeee7d8af7c83a7269d2 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 25 Aug 2025 03:07:38 +0000 Subject: [PATCH 310/505] envoy core: remove moveSocket() API Signed-off-by: Basundhara Chakrabarty --- .../default_api_listener/api_listener_impl.h | 4 +- test/common/network/connection_impl_test.cc | 43 ++++++++++++++++ .../multi_connection_base_impl_test.cc | 2 +- ...uic_filter_manager_connection_impl_test.cc | 4 +- test/server/api_listener_test.cc | 50 +++++++++++++++++++ 5 files changed, 97 insertions(+), 6 deletions(-) diff --git a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h index 8cfcc6ce9e694..51b72124f4802 100644 --- a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h +++ b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h @@ -118,9 +118,7 @@ class ApiListenerImplBase : public Server::ApiListener, void removeConnectionCallbacks(Network::ConnectionCallbacks& cb) override { callbacks_.remove(&cb); } - const Network::ConnectionSocketPtr& getSocket() const override { - return parent_.connection_.getSocket(); - } + const Network::ConnectionSocketPtr& getSocket() const override { PANIC("not implemented"); } void setSocketReused(bool) override {} bool isSocketReused() override { return false; } void addBytesSentCallback(Network::Connection::BytesSentCb) override { diff --git a/test/common/network/connection_impl_test.cc b/test/common/network/connection_impl_test.cc index a3774ac176b54..e127c083d3a28 100644 --- a/test/common/network/connection_impl_test.cc +++ b/test/common/network/connection_impl_test.cc @@ -4588,6 +4588,49 @@ TEST_P(ClientConnectionWithCustomRawBufferSocketTest, TransportSocketCallbacks) disconnect(false); } +TEST_P(ConnectionImplTest, TestSocketReuse) { + setUpBasicConnection(); + connect(); + + // Test socket reuse flag functionality. + EXPECT_FALSE(client_connection_->isSocketReused()); + client_connection_->setSocketReused(true); + EXPECT_TRUE(client_connection_->isSocketReused()); + + // Test getSocket functionality. + const auto& socket_ref = client_connection_->getSocket(); + EXPECT_NE(socket_ref, nullptr); +} + +TEST_P(ConnectionImplTest, TestSocketReuseFlagDefaultState) { + setUpBasicConnection(); + connect(); + + // Test that socket reuse flag defaults to false. + EXPECT_FALSE(client_connection_->isSocketReused()); + + // Test that setting to false works when already false. + client_connection_->setSocketReused(false); + EXPECT_FALSE(client_connection_->isSocketReused()); + + disconnect(true); +} + +TEST_P(ConnectionImplTest, TestConstSocketAccess) { + setUpBasicConnection(); + connect(); + + // Test const access to socket. + const Network::Connection& const_connection = *client_connection_; + const auto& socket_ref = const_connection.getSocket(); + EXPECT_NE(socket_ref, nullptr); + + // Verify that const and non-const getSocket return the same socket. + EXPECT_EQ(&socket_ref, &client_connection_->getSocket()); + + disconnect(true); +} + } // namespace } // namespace Network } // namespace Envoy diff --git a/test/common/network/multi_connection_base_impl_test.cc b/test/common/network/multi_connection_base_impl_test.cc index 1a3f9cbc4b20b..eef12c97e68e1 100644 --- a/test/common/network/multi_connection_base_impl_test.cc +++ b/test/common/network/multi_connection_base_impl_test.cc @@ -1211,7 +1211,7 @@ TEST_F(MultiConnectionBaseImplTest, SetSocketOptionFailedTest) { EXPECT_FALSE(impl_->setSocketOption(sockopt_name, sockopt_val)); } -TEST_F(MultiConnectionBaseImplTest, setSocketReused) { +TEST_F(MultiConnectionBaseImplTest, SetSocketReused) { setupMultiConnectionImpl(2); impl_->setSocketReused(true); } diff --git a/test/common/quic/quic_filter_manager_connection_impl_test.cc b/test/common/quic/quic_filter_manager_connection_impl_test.cc index 525c7dc6274a4..b13278038a069 100644 --- a/test/common/quic/quic_filter_manager_connection_impl_test.cc +++ b/test/common/quic/quic_filter_manager_connection_impl_test.cc @@ -153,9 +153,9 @@ TEST_F(QuicFilterManagerConnectionImplTest, SetSocketOption) { EXPECT_FALSE(impl_.setSocketOption(sockopt_name, sockopt_val)); } -TEST_F(QuicFilterManagerConnectionImplTest, setSocketReused) { impl_.setSocketReused(true); } +TEST_F(QuicFilterManagerConnectionImplTest, SetSocketReused) { impl_.setSocketReused(true); } -TEST_F(QuicFilterManagerConnectionImplTest, isSocketReused) { +TEST_F(QuicFilterManagerConnectionImplTest, IsSocketReused) { EXPECT_EQ(impl_.isSocketReused(), false); } diff --git a/test/server/api_listener_test.cc b/test/server/api_listener_test.cc index 697cb166e2de4..a48df21b8f276 100644 --- a/test/server/api_listener_test.cc +++ b/test/server/api_listener_test.cc @@ -240,5 +240,55 @@ name: test_api_listener EXPECT_ENVOY_BUG(connection.isHalfCloseEnabled(), "Unexpected function call"); } +// Test the new socket management methods added to Network::Connection interface +TEST_F(ApiListenerTest, SyntheticConnectionSocketMethods) { + const std::string yaml = R"EOF( +name: test_api_listener +address: + socket_address: + address: 127.0.0.1 + port_value: 1234 +api_listener: + api_listener: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: hcm + route_config: + name: api_router + virtual_hosts: + - name: api + domains: + - "*" + routes: + - match: + prefix: "/" + route: + cluster: dynamic_forward_proxy_cluster + )EOF"; + + const envoy::config::listener::v3::Listener config = parseListenerFromV3Yaml(yaml); + server_.server_factory_context_->cluster_manager_.initializeClusters( + {"dynamic_forward_proxy_cluster"}, {}); + HttpApiListenerFactory factory; + auto http_api_listener = factory.create(config, server_, config.name()).value(); + + auto api_listener = http_api_listener->createHttpApiListener(server_.dispatcher()); + ASSERT_NE(api_listener, nullptr); + auto& connection = dynamic_cast(api_listener.get()) + ->readCallbacks() + .connection(); + + // Test getSocket() - should PANIC for SyntheticConnection + EXPECT_DEATH(connection.getSocket(), "not implemented"); + + // Test setSocketReused() - should be a no-op for SyntheticConnection + EXPECT_NO_THROW(connection.setSocketReused(true)); + EXPECT_NO_THROW(connection.setSocketReused(false)); + + // Test isSocketReused() - should always return false for SyntheticConnection + EXPECT_FALSE(connection.isSocketReused()); + connection.setSocketReused(true); + EXPECT_FALSE(connection.isSocketReused()); // Should still return false +} + } // namespace Server } // namespace Envoy From 57ed0f1c31624b8e5404dbd23a8f68b23b079507 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 26 Aug 2025 02:37:18 +0000 Subject: [PATCH 311/505] Nit in bootstrap.rst and connection_impl_test Signed-off-by: Basundhara Chakrabarty --- docs/root/api-v3/bootstrap/bootstrap.rst | 2 ++ test/common/network/connection_impl_test.cc | 14 -------------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/docs/root/api-v3/bootstrap/bootstrap.rst b/docs/root/api-v3/bootstrap/bootstrap.rst index 4c454d0180976..389543f3d6945 100644 --- a/docs/root/api-v3/bootstrap/bootstrap.rst +++ b/docs/root/api-v3/bootstrap/bootstrap.rst @@ -7,6 +7,8 @@ Bootstrap ../config/bootstrap/v3/bootstrap.proto ../extensions/bootstrap/internal_listener/v3/internal_listener.proto + ../extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto + ../extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto ../config/metrics/v3/metrics_service.proto ../config/overload/v3/overload.proto ../config/ratelimit/v3/rls.proto diff --git a/test/common/network/connection_impl_test.cc b/test/common/network/connection_impl_test.cc index e127c083d3a28..95dc3a2ecb076 100644 --- a/test/common/network/connection_impl_test.cc +++ b/test/common/network/connection_impl_test.cc @@ -4588,20 +4588,6 @@ TEST_P(ClientConnectionWithCustomRawBufferSocketTest, TransportSocketCallbacks) disconnect(false); } -TEST_P(ConnectionImplTest, TestSocketReuse) { - setUpBasicConnection(); - connect(); - - // Test socket reuse flag functionality. - EXPECT_FALSE(client_connection_->isSocketReused()); - client_connection_->setSocketReused(true); - EXPECT_TRUE(client_connection_->isSocketReused()); - - // Test getSocket functionality. - const auto& socket_ref = client_connection_->getSocket(); - EXPECT_NE(socket_ref, nullptr); -} - TEST_P(ConnectionImplTest, TestSocketReuseFlagDefaultState) { setUpBasicConnection(); connect(); From 2d37141dd621bf6a24d5013d3f7587c07edae94a Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 26 Aug 2025 06:37:13 +0000 Subject: [PATCH 312/505] Move classes and tests into separate files Signed-off-by: Basundhara Chakrabarty --- .../{ => downstream_socket_interface}/BUILD | 53 +- .../reverse_connection_address.cc | 2 +- .../reverse_connection_address.h | 0 .../reverse_connection_handshake.proto | 0 .../reverse_connection_io_handle.cc} | 434 +-------- .../reverse_connection_io_handle.h} | 326 ++----- .../reverse_connection_resolver.cc | 2 +- .../reverse_connection_resolver.h | 2 +- .../reverse_tunnel_initiator.cc | 183 ++++ .../reverse_tunnel_initiator.h | 109 +++ .../reverse_tunnel_initiator_extension.cc | 277 ++++++ .../reverse_tunnel_initiator_extension.h | 138 +++ source/extensions/extensions_build_config.bzl | 2 +- .../extensions/bootstrap/reverse_tunnel/BUILD | 63 -- .../downstream_socket_interface/BUILD | 98 ++ .../reverse_connection_address_test.cc | 2 +- .../reverse_connection_io_handle_test.cc} | 909 +----------------- .../reverse_connection_resolver_test.cc | 2 +- ...reverse_tunnel_initiator_extension_test.cc | 583 +++++++++++ .../reverse_tunnel_initiator_test.cc | 378 ++++++++ tools/code_format/config.yaml | 2 + 21 files changed, 1881 insertions(+), 1684 deletions(-) rename source/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/BUILD (74%) rename source/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_address.cc (95%) rename source/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_address.h (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_handshake.proto (100%) rename source/extensions/bootstrap/reverse_tunnel/{reverse_tunnel_initiator.cc => downstream_socket_interface/reverse_connection_io_handle.cc} (75%) rename source/extensions/bootstrap/reverse_tunnel/{reverse_tunnel_initiator.h => downstream_socket_interface/reverse_connection_io_handle.h} (73%) rename source/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_resolver.cc (97%) rename source/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_resolver.h (92%) create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h delete mode 100644 test/extensions/bootstrap/reverse_tunnel/BUILD create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD rename test/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_address_test.cc (99%) rename test/extensions/bootstrap/reverse_tunnel/{reverse_tunnel_initiator_test.cc => downstream_socket_interface/reverse_connection_io_handle_test.cc} (79%) rename test/extensions/bootstrap/reverse_tunnel/{ => downstream_socket_interface}/reverse_connection_resolver_test.cc (98%) create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc diff --git a/source/extensions/bootstrap/reverse_tunnel/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD similarity index 74% rename from source/extensions/bootstrap/reverse_tunnel/BUILD rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index 398be042622a0..4f3c77f0d37a2 100644 --- a/source/extensions/bootstrap/reverse_tunnel/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -40,43 +40,66 @@ envoy_cc_library( ], ) -envoy_cc_extension( - name = "reverse_tunnel_initiator_lib", - srcs = [ - "reverse_tunnel_initiator.cc", - ], - hdrs = [ - "reverse_tunnel_initiator.h", +envoy_cc_library( + name = "reverse_tunnel_extension_lib", + srcs = ["reverse_tunnel_initiator_extension.cc"], + hdrs = ["reverse_tunnel_initiator_extension.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/server:bootstrap_extension_config_interface", + "//envoy/stats:stats_interface", + "//envoy/thread_local:thread_local_interface", + "//source/common/common:logger_lib", + "//source/common/stats:symbol_table_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], +) + +envoy_cc_library( + name = "reverse_connection_io_handle_lib", + srcs = ["reverse_connection_io_handle.cc"], + hdrs = ["reverse_connection_io_handle.h"], visibility = ["//visibility:public"], deps = [ ":reverse_connection_address_lib", ":reverse_connection_handshake_cc_proto", - ":reverse_connection_resolver_lib", + ":reverse_tunnel_extension_lib", "//envoy/api:io_error_interface", "//envoy/grpc:async_client_interface", "//envoy/network:address_interface", "//envoy/network:io_handle_interface", "//envoy/network:socket_interface", - "//envoy/registry", - "//envoy/server:bootstrap_extension_config_interface", "//envoy/stats:stats_interface", "//envoy/stats:stats_macros", - "//envoy/tracing:trace_driver_interface", "//envoy/upstream:cluster_manager_interface", "//source/common/buffer:buffer_lib", "//source/common/common:logger_lib", "//source/common/grpc:typed_async_client_lib", - "//source/common/http:headers_lib", "//source/common/network:address_lib", "//source/common/network:connection_socket_lib", "//source/common/network:default_socket_interface_lib", "//source/common/network:filter_lib", - "//source/common/protobuf", "//source/common/upstream:load_balancer_context_base_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], - alwayslink = 1, +) + +envoy_cc_extension( + name = "reverse_tunnel_initiator_lib", + srcs = ["reverse_tunnel_initiator.cc"], + hdrs = ["reverse_tunnel_initiator.h"], + visibility = ["//visibility:public"], + deps = [ + ":reverse_connection_address_lib", + ":reverse_connection_io_handle_lib", + ":reverse_tunnel_extension_lib", + "//envoy/network:socket_interface", + "//envoy/registry", + "//envoy/server:bootstrap_extension_config_interface", + "//source/common/common:logger_lib", + "//source/common/network:address_lib", + "//source/common/network:socket_interface_lib", + "//source/common/protobuf:utility_lib", + ], ) # envoy_cc_extension( diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc similarity index 95% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc index 7343877767ce5..35bd266c91104 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc @@ -1,4 +1,4 @@ -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" #include #include diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.proto b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.proto rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc similarity index 75% rename from source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc index c6a9c04a7d3d4..287f7eed7a352 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -1,4 +1,4 @@ -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" #include #include @@ -7,22 +7,17 @@ #include "envoy/event/deferred_deletable.h" #include "envoy/network/address.h" #include "envoy/network/connection.h" -#include "envoy/registry/registry.h" -#include "envoy/tracing/tracer.h" #include "envoy/upstream/cluster_manager.h" #include "source/common/buffer/buffer_impl.h" -#include "source/common/common/assert.h" #include "source/common/common/logger.h" -#include "source/common/http/headers.h" #include "source/common/network/address_impl.h" #include "source/common/network/connection_socket_impl.h" #include "source/common/network/socket_interface_impl.h" -#include "source/common/protobuf/message_validator_impl.h" -#include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" namespace Envoy { namespace Extensions { @@ -81,10 +76,6 @@ Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { return IoSocketHandleImpl::close(); } -// Forward declaration. -class ReverseConnectionIOHandle; -class ReverseTunnelInitiator; - // RCConnectionWrapper constructor implementation RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, @@ -298,6 +289,7 @@ void RCConnectionWrapper::shutdown() { ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown completed"); } +// ReverseConnectionIOHandle implementation ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, Upstream::ClusterManager& cluster_manager, @@ -1373,422 +1365,6 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, } } -// ReverseTunnelInitiator implementation -ReverseTunnelInitiator::ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context) - : extension_(nullptr), context_(&context) { - ENVOY_LOG(debug, "Created ReverseTunnelInitiator."); -} - -DownstreamSocketThreadLocal* ReverseTunnelInitiator::getLocalRegistry() const { - if (!extension_ || !extension_->getLocalRegistry()) { - return nullptr; - } - return extension_->getLocalRegistry(); -} - -// ReverseTunnelInitiatorExtension implementation -void ReverseTunnelInitiatorExtension::onServerInitialized() { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onServerInitialized"); -} - -void ReverseTunnelInitiatorExtension::onWorkerThreadInitialized() { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: creating thread local slot"); - - // Create thread local slot on worker thread initialization. - tls_slot_ = - ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); - - // Set up the thread local dispatcher for each worker thread. - tls_slot_->set([this](Event::Dispatcher& dispatcher) { - return std::make_shared(dispatcher, context_.scope()); - }); - - ENVOY_LOG( - debug, - "ReverseTunnelInitiatorExtension: thread local slot created successfully in worker thread"); -} - -DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { - if (!tls_slot_) { - ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: no thread local slot"); - return nullptr; - } - - if (auto opt = tls_slot_->get(); opt.has_value()) { - return &opt.value().get(); - } - - return nullptr; -} - -Envoy::Network::IoHandlePtr -ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, - Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, bool, - const Envoy::Network::SocketCreationOptions&) const { - ENVOY_LOG(debug, "ReverseTunnelInitiator: type={}, addr_type={}", static_cast(socket_type), - static_cast(addr_type)); - - // This method is called without reverse connection config, so create a regular socket. - int domain; - if (addr_type == Envoy::Network::Address::Type::Ip) { - domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; - } else { - // For pipe addresses. - domain = AF_UNIX; - } - int sock_type = (socket_type == Envoy::Network::Socket::Type::Stream) ? SOCK_STREAM : SOCK_DGRAM; - int sock_fd = ::socket(domain, sock_type, 0); - if (sock_fd == -1) { - ENVOY_LOG(error, "Failed to create fallback socket: {}", errorDetails(errno)); - return nullptr; - } - return std::make_unique(sock_fd); -} - -/** - * Thread-safe helper method to create reverse connection socket with config. - */ -Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocket( - Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const { - - // Return early if no remote clusters are configured - if (config.remote_clusters.empty()) { - ENVOY_LOG(debug, "ReverseTunnelInitiator: No remote clusters configured, returning nullptr"); - return nullptr; - } - - ENVOY_LOG(debug, "ReverseTunnelInitiator: Creating reverse connection socket for cluster: {}", - config.remote_clusters[0].cluster_name); - - // For stream sockets on IP addresses, create our reverse connection IOHandle. - if (socket_type == Envoy::Network::Socket::Type::Stream && - addr_type == Envoy::Network::Address::Type::Ip) { - // Create socket file descriptor using system calls. - int domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; - int sock_fd = ::socket(domain, SOCK_STREAM, 0); - if (sock_fd == -1) { - ENVOY_LOG(error, "Failed to create socket: {}", errorDetails(errno)); - return nullptr; - } - - ENVOY_LOG( - debug, - "ReverseTunnelInitiator: Created socket fd={}, wrapping with ReverseConnectionIOHandle", - sock_fd); - - // Get the scope from thread local registry, fallback to context scope - Stats::Scope* scope_ptr = &context_->scope(); - auto* tls_registry = getLocalRegistry(); - if (tls_registry) { - scope_ptr = &tls_registry->scope(); - } - - // Create ReverseConnectionIOHandle with cluster manager from context and scope. - return std::make_unique(sock_fd, config, context_->clusterManager(), - extension_, *scope_ptr); - } - - // Fall back to regular socket for non-stream or non-IP sockets. - return socket(socket_type, addr_type, version, false, Envoy::Network::SocketCreationOptions{}); -} - -Envoy::Network::IoHandlePtr -ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, - const Envoy::Network::Address::InstanceConstSharedPtr addr, - const Envoy::Network::SocketCreationOptions& options) const { - - // Extract reverse connection configuration from address. - const auto* reverse_addr = dynamic_cast(addr.get()); - if (reverse_addr) { - // Get the reverse connection config from the address. - ENVOY_LOG(debug, "ReverseTunnelInitiator: reverse_addr: {}", reverse_addr->asString()); - const auto& config = reverse_addr->reverseConnectionConfig(); - - // Convert ReverseConnectionAddress::ReverseConnectionConfig to ReverseConnectionSocketConfig. - ReverseConnectionSocketConfig socket_config; - socket_config.src_node_id = config.src_node_id; - socket_config.src_cluster_id = config.src_cluster_id; - socket_config.src_tenant_id = config.src_tenant_id; - - // Add the remote cluster configuration. - RemoteClusterConnectionConfig cluster_config(config.remote_cluster, config.connection_count); - socket_config.remote_clusters.push_back(cluster_config); - - // Pass config directly to helper method. - return createReverseConnectionSocket( - socket_type, addr->type(), - addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, socket_config); - } - - // Delegate to the other socket() method for non-reverse-connection addresses. - return socket(socket_type, addr->type(), - addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, false, - options); -} - -bool ReverseTunnelInitiator::ipFamilySupported(int domain) { - return domain == AF_INET || domain == AF_INET6; -} - -Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( - const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { - ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); - const auto& message = MessageUtil::downcastAndValidate< - const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); - context_ = &context; - // Create the bootstrap extension and store reference to it. - auto extension = std::make_unique(context, message); - extension_ = extension.get(); - return extension; -} - -ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { - return std::make_unique< - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface>(); -} - -// ReverseTunnelInitiatorExtension constructor implementation. -ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( - Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface& config) - : context_(context), config_(config), - stat_prefix_(config.stat_prefix().empty() ? "reverse_connections" : config.stat_prefix()) { - ENVOY_LOG(debug, - "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " - "onWorkerThreadInitialized with stat_prefix: {}", - stat_prefix_); -} - -void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& host_address, - const std::string& cluster_id, - const std::string& state_suffix, - bool increment) { - // Register stats with Envoy's system for automatic cross-thread aggregation. - auto& stats_store = context_.scope(); - - // Create/update host connection stat with state suffix - if (!host_address.empty() && !state_suffix.empty()) { - std::string host_stat_name = - fmt::format("{}.host.{}.{}", stat_prefix_, host_address, state_suffix); - Stats::StatNameManagedStorage host_stat_name_storage(host_stat_name, stats_store.symbolTable()); - auto& host_gauge = stats_store.gaugeFromStatName(host_stat_name_storage.statName(), - Stats::Gauge::ImportMode::Accumulate); - if (increment) { - host_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented host stat {} to {}", - host_stat_name, host_gauge.value()); - } else { - host_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented host stat {} to {}", - host_stat_name, host_gauge.value()); - } - } - - // Create/update cluster connection stat with state suffix. - if (!cluster_id.empty() && !state_suffix.empty()) { - std::string cluster_stat_name = - fmt::format("{}.cluster.{}.{}", stat_prefix_, cluster_id, state_suffix); - Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, - stats_store.symbolTable()); - auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), - Stats::Gauge::ImportMode::Accumulate); - if (increment) { - cluster_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); - } else { - cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented cluster stat {} to {}", - cluster_stat_name, cluster_gauge.value()); - } - } - - // Also update per-worker stats for debugging. - updatePerWorkerConnectionStats(host_address, cluster_id, state_suffix, increment); -} - -void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats( - const std::string& host_address, const std::string& cluster_id, const std::string& state_suffix, - bool increment) { - auto& stats_store = context_.scope(); - - // Get dispatcher name from the thread local dispatcher. - std::string dispatcher_name; - auto* local_registry = getLocalRegistry(); - if (local_registry == nullptr) { - ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: No local registry found"); - return; - } - // Dispatcher name is of the form "worker_x" where x is the worker index - dispatcher_name = local_registry->dispatcher().name(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Updating stats for worker {}", - dispatcher_name); - - // Create/update per-worker host connection stat. - if (!host_address.empty() && !state_suffix.empty()) { - std::string worker_host_stat_name = - fmt::format("{}.{}.host.{}.{}", stat_prefix_, dispatcher_name, host_address, state_suffix); - Stats::StatNameManagedStorage worker_host_stat_name_storage(worker_host_stat_name, - stats_store.symbolTable()); - auto& worker_host_gauge = stats_store.gaugeFromStatName( - worker_host_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); - if (increment) { - worker_host_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker host stat {} to {}", - worker_host_stat_name, worker_host_gauge.value()); - } else { - worker_host_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker host stat {} to {}", - worker_host_stat_name, worker_host_gauge.value()); - } - } - - // Create/update per-worker cluster connection stat. - if (!cluster_id.empty() && !state_suffix.empty()) { - std::string worker_cluster_stat_name = - fmt::format("{}.{}.cluster.{}.{}", stat_prefix_, dispatcher_name, cluster_id, state_suffix); - Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, - stats_store.symbolTable()); - auto& worker_cluster_gauge = stats_store.gaugeFromStatName( - worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); - if (increment) { - worker_cluster_gauge.inc(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker cluster stat {} to {}", - worker_cluster_stat_name, worker_cluster_gauge.value()); - } else { - worker_cluster_gauge.dec(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker cluster stat {} to {}", - worker_cluster_stat_name, worker_cluster_gauge.value()); - } - } -} - -absl::flat_hash_map -ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { - absl::flat_hash_map stats_map; - auto& stats_store = context_.scope(); - - // Iterate through all gauges and filter for cross-worker stats only. - // Cross-worker stats have the pattern ".host.." or - // ".cluster.." (no dispatcher name in the middle). - Stats::IterateFn gauge_callback = - [&stats_map, this](const Stats::RefcountPtr& gauge) -> bool { - const std::string& gauge_name = gauge->name(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, - gauge->value()); - if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && - (gauge_name.find(stat_prefix_ + ".host.") != std::string::npos || - gauge_name.find(stat_prefix_ + ".cluster.") != std::string::npos) && - gauge->used()) { - stats_map[gauge_name] = gauge->value(); - } - return true; - }; - stats_store.iterate(gauge_callback); - - ENVOY_LOG( - debug, - "ReverseTunnelInitiatorExtension: collected {} stats for reverse connections across all " - "worker threads", - stats_map.size()); - - return stats_map; -} - -std::pair, std::vector> -ReverseTunnelInitiatorExtension::getConnectionStatsSync( - std::chrono::milliseconds /* timeout_ms */) { - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: obtaining reverse connection stats"); - - // Get all gauges with the reverse_connections prefix. - auto connection_stats = getCrossWorkerStatMap(); - - std::vector connected_hosts; - std::vector accepted_connections; - - // Process the stats to extract connection information - // For initiator, stats format is: .host.. or - // .cluster.. We only want hosts/clusters with - // "connected" state - for (const auto& [stat_name, count] : connection_stats) { - if (count > 0) { - // Parse stat name to extract host/cluster information with state suffix. - std::string host_pattern = stat_prefix_ + ".host."; - std::string cluster_pattern = stat_prefix_ + ".cluster."; - - if (stat_name.find(host_pattern) != std::string::npos && - stat_name.find(".connected") != std::string::npos) { - // Find the position after ".host." and before ".connected". - size_t start_pos = stat_name.find(host_pattern) + host_pattern.length(); - size_t end_pos = stat_name.find(".connected"); - if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { - std::string host_address = stat_name.substr(start_pos, end_pos - start_pos); - connected_hosts.push_back(host_address); - } - } else if (stat_name.find(cluster_pattern) != std::string::npos && - stat_name.find(".connected") != std::string::npos) { - // Find the position after ".cluster." and before ".connected". - size_t start_pos = stat_name.find(cluster_pattern) + cluster_pattern.length(); - size_t end_pos = stat_name.find(".connected"); - if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { - std::string cluster_id = stat_name.substr(start_pos, end_pos - start_pos); - accepted_connections.push_back(cluster_id); - } - } - } - } - - ENVOY_LOG(debug, - "ReverseTunnelInitiatorExtension: found {} connected hosts, {} accepted connections", - connected_hosts.size(), accepted_connections.size()); - - return {connected_hosts, accepted_connections}; -} - -absl::flat_hash_map ReverseTunnelInitiatorExtension::getPerWorkerStatMap() { - absl::flat_hash_map stats_map; - auto& stats_store = context_.scope(); - - // Get the current dispatcher name - std::string dispatcher_name = "main_thread"; // Default for main thread - auto* local_registry = getLocalRegistry(); - if (local_registry) { - // Dispatcher name is of the form "worker_x" where x is the worker index. - dispatcher_name = local_registry->dispatcher().name(); - } - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Getting per worker stats map for {}", - dispatcher_name); - - // Iterate through all gauges and filter for the current dispatcher. - Stats::IterateFn gauge_callback = - [&stats_map, &dispatcher_name, this](const Stats::RefcountPtr& gauge) -> bool { - const std::string& gauge_name = gauge->name(); - ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, - gauge->value()); - if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && - gauge_name.find(dispatcher_name + ".") != std::string::npos && - (gauge_name.find(".host.") != std::string::npos || - gauge_name.find(".cluster.") != std::string::npos) && - gauge->used()) { - stats_map[gauge_name] = gauge->value(); - } - return true; - }; - stats_store.iterate(gauge_callback); - - ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: collected {} stats for dispatcher '{}'", - stats_map.size(), dispatcher_name); - - return stats_map; -} - -REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h similarity index 73% rename from source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h index 7d8dde569e1e9..b19949505cac2 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h @@ -1,22 +1,13 @@ #pragma once -#include -#include -#include #include #include #include #include -#include "envoy/api/io_error.h" -#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" -#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.validate.h" #include "envoy/network/io_handle.h" #include "envoy/network/socket.h" -#include "envoy/registry/registry.h" -#include "envoy/server/bootstrap_extension_config.h" #include "envoy/stats/scope.h" -#include "envoy/stats/stats_macros.h" #include "envoy/thread_local/thread_local.h" #include "envoy/upstream/cluster_manager.h" @@ -36,10 +27,68 @@ namespace Bootstrap { namespace ReverseConnection { // Forward declarations. -class ReverseTunnelInitiator; class ReverseTunnelInitiatorExtension; class ReverseConnectionIOHandle; +namespace { +// HTTP protocol constants. +static constexpr absl::string_view kCrlf = "\r\n"; +static constexpr absl::string_view kDoubleCrlf = "\r\n\r\n"; + +// Connection timing constants. +static constexpr uint32_t kDefaultMaxReconnectAttempts = 10; +} // namespace + +/** + * Connection state tracking for reverse connections. + */ +enum class ReverseConnectionState { + Connecting, // Connection is being established (handshake initiated). + Connected, // Connection has been successfully established. + Recovered, // Connection has recovered from a previous failure. + Failed, // Connection establishment failed during handshake. + CannotConnect, // Connection cannot be initiated (early failure). + Backoff // Connection is in backoff state due to failures. +}; + +/** + * Configuration for remote cluster connections. + * Defines connection parameters for each remote cluster that reverse connections should be + * established to. + */ +struct RemoteClusterConnectionConfig { + std::string cluster_name; // Name of the remote cluster. + uint32_t reverse_connection_count; // Number of reverse connections to maintain per host. + // TODO(basundhara-c): Implement retry logic using max_reconnect_attempts for connections to this + // cluster. This is the max reconnection attempts made for a cluster when the initial reverse + // connection attempt fails. + uint32_t max_reconnect_attempts; // Maximum number of reconnection attempts. + + RemoteClusterConnectionConfig(const std::string& name, uint32_t count, + uint32_t max_attempts = kDefaultMaxReconnectAttempts) + : cluster_name(name), reverse_connection_count(count), max_reconnect_attempts(max_attempts) {} +}; + +/** + * Configuration for reverse connection socket interface. + */ +struct ReverseConnectionSocketConfig { + std::string src_cluster_id; // Cluster identifier of local envoy instance. + std::string src_node_id; // Node identifier of local envoy instance. + std::string src_tenant_id; // Tenant identifier of local envoy instance. + // TODO(basundhara-c): Add support for multiple remote clusters using the same + // ReverseConnectionIOHandle. Currently, each ReverseConnectionIOHandle handles + // reverse connections for a single upstream cluster since a different ReverseConnectionAddress + // is created for different upstream clusters. Eventually, we should embed metadata for + // multiple remote clusters in the same ReverseConnectionAddress and therefore should be able + // to use a single ReverseConnectionIOHandle for multiple remote clusters. + std::vector + remote_clusters; // List of remote cluster configurations. + bool enable_circuit_breaker; // Whether to place a cluster in backoff when reverse connection + // attempts fail. + ReverseConnectionSocketConfig() : enable_circuit_breaker(true) {} +}; + /** * RCConnectionWrapper manages the lifecycle of a ClientConnectionPtr for reverse connections. * It handles the handshake process (both gRPC and HTTP fallback) and manages connection @@ -137,65 +186,6 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, const std::string cluster_name_; }; -namespace { -// HTTP protocol constants. -static constexpr absl::string_view kCrlf = "\r\n"; -static constexpr absl::string_view kDoubleCrlf = "\r\n\r\n"; - -// Connection timing constants. -static constexpr uint32_t kDefaultMaxReconnectAttempts = 10; -} // namespace - -/** - * Connection state tracking for reverse connections. - */ -enum class ReverseConnectionState { - Connecting, // Connection is being established (handshake initiated). - Connected, // Connection has been successfully established. - Recovered, // Connection has recovered from a previous failure. - Failed, // Connection establishment failed during handshake. - CannotConnect, // Connection cannot be initiated (early failure). - Backoff // Connection is in backoff state due to failures. -}; - -/** - * Configuration for remote cluster connections. - * Defines connection parameters for each remote cluster that reverse connections should be - * established to. - */ -struct RemoteClusterConnectionConfig { - std::string cluster_name; // Name of the remote cluster. - uint32_t reverse_connection_count; // Number of reverse connections to maintain per host. - // TODO(basundhara-c): Implement retry logic using max_reconnect_attempts for connections to this - // cluster. This is the max reconnection attempts made for a cluster when the initial reverse - // connection attempt fails. - uint32_t max_reconnect_attempts; // Maximum number of reconnection attempts. - - RemoteClusterConnectionConfig(const std::string& name, uint32_t count, - uint32_t max_attempts = kDefaultMaxReconnectAttempts) - : cluster_name(name), reverse_connection_count(count), max_reconnect_attempts(max_attempts) {} -}; - -/** - * Configuration for reverse connection socket interface. - */ -struct ReverseConnectionSocketConfig { - std::string src_cluster_id; // Cluster identifier of local envoy instance. - std::string src_node_id; // Node identifier of local envoy instance. - std::string src_tenant_id; // Tenant identifier of local envoy instance. - // TODO(basundhara-c): Add support for multiple remote clusters using the same - // ReverseConnectionIOHandle. Currently, each ReverseConnectionIOHandle handles - // reverse connections for a single upstream cluster since a different ReverseConnectionAddress - // is created for different upstream clusters. Eventually, we should embed metadata for - // multiple remote clusters in the same ReverseConnectionAddress and therefore should be able - // to use a single ReverseConnectionIOHandle for multiple remote clusters. - std::vector - remote_clusters; // List of remote cluster configurations. - bool enable_circuit_breaker; // Whether to place a cluster in backoff when reverse connection - // attempts fail. - ReverseConnectionSocketConfig() : enable_circuit_breaker(true) {} -}; - /** * This class handles the lifecycle of reverse connections, including establishment, * maintenance, and cleanup of connections to remote clusters. @@ -522,204 +512,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, os_fd_t original_socket_fd_{-1}; }; -/** - * Thread local storage for ReverseTunnelInitiator. - * Stores the thread-local dispatcher and stats scope for each worker thread. - */ -class DownstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { -public: - DownstreamSocketThreadLocal(Event::Dispatcher& dispatcher, Stats::Scope& scope) - : dispatcher_(dispatcher), scope_(scope) {} - - /** - * @return reference to the thread-local dispatcher - */ - Event::Dispatcher& dispatcher() { return dispatcher_; } - - /** - * @return reference to the stats scope - */ - Stats::Scope& scope() { return scope_; } - -private: - Event::Dispatcher& dispatcher_; - Stats::Scope& scope_; -}; - -/** - * Socket interface that creates reverse connection sockets. - * This class implements the SocketInterface interface to provide reverse connection - * functionality for downstream connections. - */ -class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, - public Envoy::Logger::Loggable { - // Friend class for testing - friend class ReverseTunnelInitiatorTest; - -public: - ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context); - - // Default constructor for registry - ReverseTunnelInitiator() : extension_(nullptr), context_(nullptr) {} - - /** - * Create a ReverseConnectionIOHandle and kick off the reverse connection establishment. - * @param socket_type the type of socket to create - * @param addr_type the address type - * @param version the IP version - * @param socket_v6only whether to create IPv6-only socket - * @param options socket creation options - * @return IoHandlePtr for the created socket, or nullptr for unsupported types - */ - Envoy::Network::IoHandlePtr - socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, bool socket_v6only, - const Envoy::Network::SocketCreationOptions& options) const override; - - // No-op for reverse connections. - Envoy::Network::IoHandlePtr - socket(Envoy::Network::Socket::Type socket_type, - const Envoy::Network::Address::InstanceConstSharedPtr addr, - const Envoy::Network::SocketCreationOptions& options) const override; - - /** - * @return true if the IP family is supported - */ - bool ipFamilySupported(int domain) override; - - /** - * @return pointer to the thread-local registry, or nullptr if not available. - */ - DownstreamSocketThreadLocal* getLocalRegistry() const; - - /** - * Thread-safe helper method to create reverse connection socket with config. - * @param socket_type the type of socket to create - * @param addr_type the address type - * @param version the IP version - * @param config the reverse connection configuration - * @return IoHandlePtr for the reverse connection socket - */ - Envoy::Network::IoHandlePtr - createReverseConnectionSocket(Envoy::Network::Socket::Type socket_type, - Envoy::Network::Address::Type addr_type, - Envoy::Network::Address::IpVersion version, - const ReverseConnectionSocketConfig& config) const; - - /** - * Get the extension instance for accessing cross-thread aggregation capabilities. - * @return pointer to the extension, or nullptr if not available - */ - ReverseTunnelInitiatorExtension* getExtension() const { return extension_; } - - // BootstrapExtensionFactory implementation - Server::BootstrapExtensionPtr - createBootstrapExtension(const Protobuf::Message& config, - Server::Configuration::ServerFactoryContext& context) override; - - ProtobufTypes::MessagePtr createEmptyConfigProto() override; - - std::string name() const override { - return "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"; - } - - ReverseTunnelInitiatorExtension* extension_; - -private: - Server::Configuration::ServerFactoryContext* context_; -}; - -DECLARE_FACTORY(ReverseTunnelInitiator); - -/** - * Bootstrap extension for ReverseTunnelInitiator. - */ -class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, - public Logger::Loggable { - // Friend class for testing - friend class ReverseTunnelInitiatorExtensionTest; - -public: - ReverseTunnelInitiatorExtension( - Server::Configuration::ServerFactoryContext& context, - const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface& config); - - void onServerInitialized() override; - void onWorkerThreadInitialized() override; - - /** - * @return pointer to the thread-local registry, or nullptr if not available. - */ - DownstreamSocketThreadLocal* getLocalRegistry() const; - - /** - * Update all connection stats for reverse connections. This updates the cross-worker stats - * as well as the per-worker stats. - * @param node_id the node identifier for the connection - * @param cluster_id the cluster identifier for the connection - * @param state_suffix the state suffix (e.g., "connecting", "connected", "failed") - * @param increment whether to increment (true) or decrement (false) the connection count - */ - void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, - const std::string& state_suffix, bool increment); - - /** - * Update per-worker connection stats for debugging purposes. - * Creates worker-specific stats - * @param node_id the node identifier for the connection - * @param cluster_id the cluster identifier for the connection - * @param state_suffix the state suffix for the connection - * @param increment whether to increment (true) or decrement (false) the connection count - */ - void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, - const std::string& state_suffix, bool increment); - - /** - * Get per-worker stat map for the current dispatcher. - * @return map of stat names to values for the current worker thread - */ - absl::flat_hash_map getPerWorkerStatMap(); - - /** - * Get cross-worker stat map across all workers. - * @return map of stat names to values across all worker threads - */ - absl::flat_hash_map getCrossWorkerStatMap(); - - /** - * Get connection stats synchronously with timeout. - * @param timeout_ms timeout for the operation - * @return pair of vectors containing connected nodes and accepted connections - */ - std::pair, std::vector> - getConnectionStatsSync(std::chrono::milliseconds timeout_ms); - - /** - * Get the stats scope for accessing stats. - * @return reference to the stats scope. - */ - Stats::Scope& getStatsScope() const { return context_.scope(); } - - /** - * Test-only method to set the thread local slot for testing purposes. - * This allows tests to inject a custom thread local registry and is used - * in unit tests to simulate different worker threads. - * @param slot the thread local slot to set - */ - void setTestOnlyTLSRegistry( - std::unique_ptr> slot) { - tls_slot_ = std::move(slot); - } - -private: - Server::Configuration::ServerFactoryContext& context_; - const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface config_; - ThreadLocal::TypedSlotPtr tls_slot_; - std::string stat_prefix_; // Reverse connection stats prefix -}; - /** * Custom load balancer context for reverse connections. This class enables the * ReverseConnectionIOHandle to propagate upstream host details to the cluster_manager, ensuring diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc similarity index 97% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc index 4b5942fde7358..179ef92f8232b 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc @@ -1,4 +1,4 @@ -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h similarity index 92% rename from source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h rename to source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h index eeb6cf1a57c4b..e628910b46334 100644 --- a/source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h @@ -3,7 +3,7 @@ #include "envoy/network/resolver.h" #include "envoy/registry/registry.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc new file mode 100644 index 0000000000000..f3d4d26c4871a --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc @@ -0,0 +1,183 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" + +#include +#include +#include + +#include "envoy/network/address.h" +#include "envoy/registry/registry.h" + +#include "source/common/common/logger.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface_impl.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseTunnelInitiator implementation +ReverseTunnelInitiator::ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context) + : extension_(nullptr), context_(&context) { + ENVOY_LOG(debug, "Created ReverseTunnelInitiator."); +} + +DownstreamSocketThreadLocal* ReverseTunnelInitiator::getLocalRegistry() const { + if (!extension_ || !extension_->getLocalRegistry()) { + return nullptr; + } + return extension_->getLocalRegistry(); +} + +Envoy::Network::IoHandlePtr +ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, + Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, bool, + const Envoy::Network::SocketCreationOptions&) const { + ENVOY_LOG(debug, "ReverseTunnelInitiator: type={}, addr_type={}", static_cast(socket_type), + static_cast(addr_type)); + + // This method is called without reverse connection config, so create a regular socket. + int domain; + if (addr_type == Envoy::Network::Address::Type::Ip) { + domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + } else { + // For pipe addresses. + domain = AF_UNIX; + } + int sock_type = (socket_type == Envoy::Network::Socket::Type::Stream) ? SOCK_STREAM : SOCK_DGRAM; + int sock_fd = ::socket(domain, sock_type, 0); + if (sock_fd == -1) { + ENVOY_LOG(error, "Failed to create fallback socket: {}", errorDetails(errno)); + return nullptr; + } + return std::make_unique(sock_fd); +} + +/** + * Thread-safe helper method to create reverse connection socket with config. + */ +Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocket( + Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const { + + // Return early if no remote clusters are configured + if (config.remote_clusters.empty()) { + ENVOY_LOG(debug, "ReverseTunnelInitiator: No remote clusters configured, returning nullptr"); + return nullptr; + } + + ENVOY_LOG(debug, "ReverseTunnelInitiator: Creating reverse connection socket for cluster: {}", + config.remote_clusters[0].cluster_name); + + // For stream sockets on IP addresses, create our reverse connection IOHandle. + if (socket_type == Envoy::Network::Socket::Type::Stream && + addr_type == Envoy::Network::Address::Type::Ip) { + // Create socket file descriptor using system calls. + int domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + int sock_fd = ::socket(domain, SOCK_STREAM, 0); + if (sock_fd == -1) { + ENVOY_LOG(error, "Failed to create socket: {}", errorDetails(errno)); + return nullptr; + } + + ENVOY_LOG( + debug, + "ReverseTunnelInitiator: Created socket fd={}, wrapping with ReverseConnectionIOHandle", + sock_fd); + + // Get the scope from thread local registry, fallback to context scope + Stats::Scope* scope_ptr = &context_->scope(); + auto* tls_registry = getLocalRegistry(); + if (tls_registry) { + scope_ptr = &tls_registry->scope(); + } + + // Create ReverseConnectionIOHandle with cluster manager from context and scope. + return std::make_unique(sock_fd, config, context_->clusterManager(), + extension_, *scope_ptr); + } + + // Fall back to regular socket for non-stream or non-IP sockets. + return socket(socket_type, addr_type, version, false, Envoy::Network::SocketCreationOptions{}); +} + +Envoy::Network::IoHandlePtr +ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const { + + // Extract reverse connection configuration from address. + const auto* reverse_addr = dynamic_cast(addr.get()); + if (reverse_addr) { + // Get the reverse connection config from the address. + ENVOY_LOG(debug, "ReverseTunnelInitiator: reverse_addr: {}", reverse_addr->asString()); + const auto& config = reverse_addr->reverseConnectionConfig(); + + // Convert ReverseConnectionAddress::ReverseConnectionConfig to ReverseConnectionSocketConfig. + ReverseConnectionSocketConfig socket_config; + socket_config.src_node_id = config.src_node_id; + socket_config.src_cluster_id = config.src_cluster_id; + socket_config.src_tenant_id = config.src_tenant_id; + + // Add the remote cluster configuration. + RemoteClusterConnectionConfig cluster_config(config.remote_cluster, config.connection_count); + socket_config.remote_clusters.push_back(cluster_config); + + // Pass config directly to helper method. + return createReverseConnectionSocket( + socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, socket_config); + } + + // Delegate to the other socket() method for non-reverse-connection addresses. + return socket(socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, false, + options); +} + +bool ReverseTunnelInitiator::ipFamilySupported(int domain) { + return domain == AF_INET || domain == AF_INET6; +} + +Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( + const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { + ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); + const auto& message = MessageUtil::downcastAndValidate< + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); + context_ = &context; + // Create the bootstrap extension and store reference to it. + auto extension = std::make_unique(context, message); + extension_ = extension.get(); + return extension; +} + +ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { + return std::make_unique< + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface>(); +} + +// ReverseTunnelInitiatorExtension constructor implementation. +ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( + Server::Configuration::ServerFactoryContext& context, + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& config) + : context_(context), config_(config), + stat_prefix_(config.stat_prefix().empty() ? "reverse_connections" : config.stat_prefix()) { + ENVOY_LOG(debug, + "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " + "onWorkerThreadInitialized with stat_prefix: {}", + stat_prefix_); +} + +REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h new file mode 100644 index 0000000000000..5506e3659e49e --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h @@ -0,0 +1,109 @@ +#pragma once + +#include +#include + +#include "envoy/network/socket.h" +#include "envoy/registry/registry.h" +#include "envoy/server/bootstrap_extension_config.h" + +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +struct ReverseConnectionSocketConfig; + +/** + * Socket interface that creates reverse connection sockets. + * This class implements the SocketInterface interface to provide reverse connection + * functionality for downstream connections. + */ +class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, + public Envoy::Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelInitiatorTest; + +public: + ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context); + + // Default constructor for registry + ReverseTunnelInitiator() : extension_(nullptr), context_(nullptr) {} + + /** + * Create a ReverseConnectionIOHandle and kick off the reverse connection establishment. + * @param socket_type the type of socket to create + * @param addr_type the address type + * @param version the IP version + * @param socket_v6only whether to create IPv6-only socket + * @param options socket creation options + * @return IoHandlePtr for the created socket, or nullptr for unsupported types + */ + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, bool socket_v6only, + const Envoy::Network::SocketCreationOptions& options) const override; + + // No-op for reverse connections. + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const override; + + /** + * @return true if the IP family is supported + */ + bool ipFamilySupported(int domain) override; + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + DownstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * Thread-safe helper method to create reverse connection socket with config. + * @param socket_type the type of socket to create + * @param addr_type the address type + * @param version the IP version + * @param config the reverse connection configuration + * @return IoHandlePtr for the reverse connection socket + */ + Envoy::Network::IoHandlePtr + createReverseConnectionSocket(Envoy::Network::Socket::Type socket_type, + Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, + const ReverseConnectionSocketConfig& config) const; + + /** + * Get the extension instance for accessing cross-thread aggregation capabilities. + * @return pointer to the extension, or nullptr if not available + */ + ReverseTunnelInitiatorExtension* getExtension() const { return extension_; } + + // BootstrapExtensionFactory implementation + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override; + + ProtobufTypes::MessagePtr createEmptyConfigProto() override; + + std::string name() const override { + return "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"; + } + + ReverseTunnelInitiatorExtension* extension_; + +private: + Server::Configuration::ServerFactoryContext* context_; +}; + +DECLARE_FACTORY(ReverseTunnelInitiator); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc new file mode 100644 index 0000000000000..05288d9d19d54 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc @@ -0,0 +1,277 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "envoy/event/dispatcher.h" +#include "envoy/stats/scope.h" +#include "envoy/stats/stats_macros.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/common/logger.h" +#include "source/common/stats/symbol_table.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseTunnelInitiatorExtension implementation +void ReverseTunnelInitiatorExtension::onServerInitialized() { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onServerInitialized"); +} + +void ReverseTunnelInitiatorExtension::onWorkerThreadInitialized() { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: creating thread local slot"); + + // Create thread local slot on worker thread initialization. + tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + + // Set up the thread local dispatcher for each worker thread. + tls_slot_->set([this](Event::Dispatcher& dispatcher) { + return std::make_shared(dispatcher, context_.scope()); + }); + + ENVOY_LOG( + debug, + "ReverseTunnelInitiatorExtension: thread local slot created successfully in worker thread"); +} + +DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { + if (!tls_slot_) { + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: no thread local slot"); + return nullptr; + } + + if (auto opt = tls_slot_->get(); opt.has_value()) { + return &opt.value().get(); + } + + return nullptr; +} + +void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& host_address, + const std::string& cluster_id, + const std::string& state_suffix, + bool increment) { + // Register stats with Envoy's system for automatic cross-thread aggregation. + auto& stats_store = context_.scope(); + + // Create/update host connection stat with state suffix + if (!host_address.empty() && !state_suffix.empty()) { + std::string host_stat_name = + fmt::format("{}.host.{}.{}", stat_prefix_, host_address, state_suffix); + Stats::StatNameManagedStorage host_stat_name_storage(host_stat_name, stats_store.symbolTable()); + auto& host_gauge = stats_store.gaugeFromStatName(host_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + host_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented host stat {} to {}", + host_stat_name, host_gauge.value()); + } else { + host_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented host stat {} to {}", + host_stat_name, host_gauge.value()); + } + } + + // Create/update cluster connection stat with state suffix. + if (!cluster_id.empty() && !state_suffix.empty()) { + std::string cluster_stat_name = + fmt::format("{}.cluster.{}.{}", stat_prefix_, cluster_id, state_suffix); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } else { + cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } + } + + // Also update per-worker stats for debugging. + updatePerWorkerConnectionStats(host_address, cluster_id, state_suffix, increment); +} + +void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats( + const std::string& host_address, const std::string& cluster_id, const std::string& state_suffix, + bool increment) { + auto& stats_store = context_.scope(); + + // Get dispatcher name from the thread local dispatcher. + std::string dispatcher_name; + auto* local_registry = getLocalRegistry(); + if (local_registry == nullptr) { + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: No local registry found"); + return; + } + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Updating stats for worker {}", + dispatcher_name); + + // Create/update per-worker host connection stat. + if (!host_address.empty() && !state_suffix.empty()) { + std::string worker_host_stat_name = + fmt::format("{}.{}.host.{}.{}", stat_prefix_, dispatcher_name, host_address, state_suffix); + Stats::StatNameManagedStorage worker_host_stat_name_storage(worker_host_stat_name, + stats_store.symbolTable()); + auto& worker_host_gauge = stats_store.gaugeFromStatName( + worker_host_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_host_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker host stat {} to {}", + worker_host_stat_name, worker_host_gauge.value()); + } else { + worker_host_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker host stat {} to {}", + worker_host_stat_name, worker_host_gauge.value()); + } + } + + // Create/update per-worker cluster connection stat. + if (!cluster_id.empty() && !state_suffix.empty()) { + std::string worker_cluster_stat_name = + fmt::format("{}.{}.cluster.{}.{}", stat_prefix_, dispatcher_name, cluster_id, state_suffix); + Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, + stats_store.symbolTable()); + auto& worker_cluster_gauge = stats_store.gaugeFromStatName( + worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } + } +} + +absl::flat_hash_map +ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Iterate through all gauges and filter for cross-worker stats only. + // Cross-worker stats have the pattern ".host.." or + // ".cluster.." (no dispatcher name in the middle). + Stats::IterateFn gauge_callback = + [&stats_map, this](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && + (gauge_name.find(stat_prefix_ + ".host.") != std::string::npos || + gauge_name.find(stat_prefix_ + ".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG( + debug, + "ReverseTunnelInitiatorExtension: collected {} stats for reverse connections across all " + "worker threads", + stats_map.size()); + + return stats_map; +} + +std::pair, std::vector> +ReverseTunnelInitiatorExtension::getConnectionStatsSync( + std::chrono::milliseconds /* timeout_ms */) { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: obtaining reverse connection stats"); + + // Get all gauges with the reverse_connections prefix. + auto connection_stats = getCrossWorkerStatMap(); + + std::vector connected_hosts; + std::vector accepted_connections; + + // Process the stats to extract connection information + // For initiator, stats format is: .host.. or + // .cluster.. We only want hosts/clusters with + // "connected" state + for (const auto& [stat_name, count] : connection_stats) { + if (count > 0) { + // Parse stat name to extract host/cluster information with state suffix. + std::string host_pattern = stat_prefix_ + ".host."; + std::string cluster_pattern = stat_prefix_ + ".cluster."; + + if (stat_name.find(host_pattern) != std::string::npos && + stat_name.find(".connected") != std::string::npos) { + // Find the position after ".host." and before ".connected". + size_t start_pos = stat_name.find(host_pattern) + host_pattern.length(); + size_t end_pos = stat_name.find(".connected"); + if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { + std::string host_address = stat_name.substr(start_pos, end_pos - start_pos); + connected_hosts.push_back(host_address); + } + } else if (stat_name.find(cluster_pattern) != std::string::npos && + stat_name.find(".connected") != std::string::npos) { + // Find the position after ".cluster." and before ".connected". + size_t start_pos = stat_name.find(cluster_pattern) + cluster_pattern.length(); + size_t end_pos = stat_name.find(".connected"); + if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { + std::string cluster_id = stat_name.substr(start_pos, end_pos - start_pos); + accepted_connections.push_back(cluster_id); + } + } + } + } + + ENVOY_LOG(debug, + "ReverseTunnelInitiatorExtension: found {} connected hosts, {} accepted connections", + connected_hosts.size(), accepted_connections.size()); + + return {connected_hosts, accepted_connections}; +} + +absl::flat_hash_map ReverseTunnelInitiatorExtension::getPerWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Get the current dispatcher name + std::string dispatcher_name = "main_thread"; // Default for main thread + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index. + dispatcher_name = local_registry->dispatcher().name(); + } + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Getting per worker stats map for {}", + dispatcher_name); + + // Iterate through all gauges and filter for the current dispatcher. + Stats::IterateFn gauge_callback = + [&stats_map, &dispatcher_name, this](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && + gauge_name.find(dispatcher_name + ".") != std::string::npos && + (gauge_name.find(".host.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: collected {} stats for dispatcher '{}'", + stats_map.size(), dispatcher_name); + + return stats_map; +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h new file mode 100644 index 0000000000000..51f7ec0dcb7f0 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h @@ -0,0 +1,138 @@ +#pragma once + +#include +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.validate.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" +#include "envoy/thread_local/thread_local.h" + +#include "absl/container/flat_hash_map.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class DownstreamSocketThreadLocal; + +/** + * Bootstrap extension for ReverseTunnelInitiator. + */ +class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, + public Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelInitiatorExtensionTest; + +public: + ReverseTunnelInitiatorExtension( + Server::Configuration::ServerFactoryContext& context, + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& config); + + void onServerInitialized() override; + void onWorkerThreadInitialized() override; + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + DownstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * Update all connection stats for reverse connections. This updates the cross-worker stats + * as well as the per-worker stats. + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param state_suffix the state suffix (e.g., "connecting", "connected", "failed") + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, + const std::string& state_suffix, bool increment); + + /** + * Update per-worker connection stats for debugging purposes. + * Creates worker-specific stats + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param state_suffix the state suffix for the connection + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, + const std::string& state_suffix, bool increment); + + /** + * Get per-worker stat map for the current dispatcher. + * @return map of stat names to values for the current worker thread + */ + absl::flat_hash_map getPerWorkerStatMap(); + + /** + * Get cross-worker stat map across all workers. + * @return map of stat names to values across all worker threads + */ + absl::flat_hash_map getCrossWorkerStatMap(); + + /** + * Get connection stats synchronously with timeout. + * @param timeout_ms timeout for the operation + * @return pair of vectors containing connected nodes and accepted connections + */ + std::pair, std::vector> + getConnectionStatsSync(std::chrono::milliseconds timeout_ms); + + /** + * Get the stats scope for accessing stats. + * @return reference to the stats scope. + */ + Stats::Scope& getStatsScope() const { return context_.scope(); } + + /** + * Test-only method to set the thread local slot for testing purposes. + * This allows tests to inject a custom thread local registry and is used + * in unit tests to simulate different worker threads. + * @param slot the thread local slot to set + */ + void setTestOnlyTLSRegistry( + std::unique_ptr> slot) { + tls_slot_ = std::move(slot); + } + +private: + Server::Configuration::ServerFactoryContext& context_; + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + ThreadLocal::TypedSlotPtr tls_slot_; + std::string stat_prefix_; // Reverse connection stats prefix +}; + +/** + * Thread local storage for ReverseTunnelInitiator. + * Stores the thread-local dispatcher and stats scope for each worker thread. + */ +class DownstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { +public: + DownstreamSocketThreadLocal(Event::Dispatcher& dispatcher, Stats::Scope& scope) + : dispatcher_(dispatcher), scope_(scope) {} + + /** + * @return reference to the thread-local dispatcher + */ + Event::Dispatcher& dispatcher() { return dispatcher_; } + + /** + * @return reference to the stats scope + */ + Stats::Scope& scope() { return scope_; } + +private: + Event::Dispatcher& dispatcher_; + Stats::Scope& scope_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 66586d7b4efc0..30f2ed147d735 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -61,7 +61,7 @@ EXTENSIONS = { # # Reverse Connection # - "envoy.bootstrap.reverse_tunnel.downstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", "envoy.bootstrap.reverse_tunnel.upstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", # diff --git a/test/extensions/bootstrap/reverse_tunnel/BUILD b/test/extensions/bootstrap/reverse_tunnel/BUILD deleted file mode 100644 index 010af79579520..0000000000000 --- a/test/extensions/bootstrap/reverse_tunnel/BUILD +++ /dev/null @@ -1,63 +0,0 @@ -load( - "//bazel:envoy_build_system.bzl", - "envoy_cc_test", - "envoy_package", -) -load( - "//test/extensions:extensions_build_system.bzl", - "envoy_extension_cc_test", -) - -licenses(["notice"]) # Apache 2 - -envoy_package() - -envoy_extension_cc_test( - name = "reverse_tunnel_initiator_test", - size = "large", - srcs = ["reverse_tunnel_initiator_test.cc"], - extension_names = ["envoy.bootstrap.reverse_tunnel.downstream_socket_interface"], - deps = [ - "//source/common/network:address_lib", - "//source/common/network:socket_interface_lib", - "//source/common/network:utility_lib", - "//source/common/thread_local:thread_local_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_handshake_cc_proto", - "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", - "//test/mocks/event:event_mocks", - "//test/mocks/server:factory_context_mocks", - "//test/mocks/stats:stats_mocks", - "//test/mocks/thread_local:thread_local_mocks", - "//test/mocks/upstream:upstream_mocks", - "//test/test_common:test_runtime_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", - ], -) - -envoy_cc_test( - name = "reverse_connection_address_test", - size = "medium", - srcs = ["reverse_connection_address_test.cc"], - deps = [ - "//source/common/network:address_lib", - "//source/common/network:default_socket_interface_lib", - "//source/common/singleton:threadsafe_singleton", - "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_address_lib", - "//test/mocks/network:network_mocks", - "//test/test_common:registry_lib", - "//test/test_common:test_runtime_lib", - ], -) - -envoy_cc_test( - name = "reverse_connection_resolver_test", - size = "medium", - srcs = ["reverse_connection_resolver_test.cc"], - deps = [ - "//source/common/network:address_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_resolver_lib", - "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", - "@envoy_api//envoy/config/core/v3:pkg_cc_proto", - ], -) diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD new file mode 100644 index 0000000000000..1b9ecdeda6930 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -0,0 +1,98 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "reverse_tunnel_initiator_test", + size = "large", + srcs = ["reverse_tunnel_initiator_test.cc"], + extension_names = ["envoy.bootstrap.reverse_tunnel.downstream_socket_interface"], + deps = [ + "//source/common/network:address_lib", + "//source/common/network:utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_address_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "//test/test_common:logging_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_tunnel_initiator_extension_test", + size = "medium", + srcs = ["reverse_tunnel_initiator_extension_test.cc"], + deps = [ + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_connection_io_handle_test", + size = "large", + srcs = ["reverse_connection_io_handle_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_connection_address_test", + size = "medium", + srcs = ["reverse_connection_address_test.cc"], + deps = [ + "//source/common/network:address_lib", + "//source/common/network:default_socket_interface_lib", + "//source/common/singleton:threadsafe_singleton", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_address_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:registry_lib", + "//test/test_common:test_runtime_lib", + ], +) + +envoy_cc_test( + name = "reverse_connection_resolver_test", + size = "medium", + srcs = ["reverse_connection_resolver_test.cc"], + deps = [ + "//source/common/network:address_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc similarity index 99% rename from test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc rename to test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc index fcdedf18464d9..a48204e9cba83 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_address_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc @@ -1,7 +1,7 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/singleton/threadsafe_singleton.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" #include "test/mocks/network/mocks.h" #include "test/test_common/registry.h" diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc similarity index 79% rename from test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc rename to test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc index 0eef58229e08a..3b30b78fea78e 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -1,30 +1,21 @@ -#include -#include #include #include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" #include "envoy/server/factory_context.h" #include "envoy/thread_local/thread_local.h" -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" -#include "source/common/network/utility.h" -#include "source/common/protobuf/utility.h" -#include "source/common/thread_local/thread_local_impl.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_address.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_handshake.pb.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" +#include "source/common/buffer/buffer_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" #include "test/mocks/event/mocks.h" #include "test/mocks/server/factory_context.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" #include "test/mocks/upstream/mocks.h" -#include "test/test_common/logging.h" -#include "test/test_common/test_runtime.h" -#include "absl/container/flat_hash_map.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -39,896 +30,6 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -class ReverseTunnelInitiatorExtensionTest : public testing::Test { -protected: - ReverseTunnelInitiatorExtensionTest() { - // Set up the stats scope. - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Set up the mock context. - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - - // Create the socket interface. - socket_interface_ = std::make_unique(context_); - - // Create the extension. - extension_ = std::make_unique(context_, config_); - } - - // Helper function to set up thread local slot for tests. - void setupThreadLocalSlot() { - // Create a thread local registry. - thread_local_registry_ = - std::make_shared(dispatcher_, *stats_scope_); - - // Create the actual TypedSlot. - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - - // Set up the slot to return our registry. - tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - - // Set the slot in the extension using the test-only method. - extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); - } - - void setupAnotherThreadLocalSlot() { - // Create a thread local registry for the other dispatcher. - another_thread_local_registry_ = - std::make_shared(dispatcher_, *stats_scope_); - - // Create the actual TypedSlot. - another_tls_slot_ = - ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - - // Set up the slot to return our registry. - another_tls_slot_->set( - [registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); - - // Set the slot in the extension using the test-only method. - extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); - } - - void TearDown() override { - tls_slot_.reset(); - thread_local_registry_.reset(); - extension_.reset(); - socket_interface_.reset(); - } - - NiceMock context_; - NiceMock thread_local_; - NiceMock cluster_manager_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - NiceMock dispatcher_{"worker_0"}; - - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface config_; - - std::unique_ptr socket_interface_; - std::unique_ptr extension_; - - std::unique_ptr> tls_slot_; - std::shared_ptr thread_local_registry_; - std::unique_ptr> another_tls_slot_; - std::shared_ptr another_thread_local_registry_; -}; - -// Basic functionality tests. -TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { - // Test with empty config (should initialize successfully). - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface empty_config; - - auto extension_with_default = - std::make_unique(context_, empty_config); - - EXPECT_NE(extension_with_default, nullptr); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, OnServerInitialized) { - // This should be a no-op. - extension_->onServerInitialized(); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, OnWorkerThreadInitialized) { - // Test that onWorkerThreadInitialized creates thread local slot. - extension_->onWorkerThreadInitialized(); - - // Verify that the thread local slot was created by checking getLocalRegistry. - EXPECT_NE(extension_->getLocalRegistry(), nullptr); -} - -// Thread local registry access tests. -TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryBeforeInitialization) { - // Before tls_slot_ is set, getLocalRegistry should return nullptr. - EXPECT_EQ(extension_->getLocalRegistry(), nullptr); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryAfterInitialization) { - - // First test with uninitialized TLS. - EXPECT_EQ(extension_->getLocalRegistry(), nullptr); - - // Initialize the thread local slot. - setupThreadLocalSlot(); - - // Now getLocalRegistry should return the actual registry. - auto* registry = extension_->getLocalRegistry(); - EXPECT_NE(registry, nullptr); - EXPECT_EQ(registry, thread_local_registry_.get()); - - // Test multiple calls return same registry. - auto* registry2 = extension_->getLocalRegistry(); - EXPECT_EQ(registry, registry2); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, GetStatsScope) { - // Test that getStatsScope returns the correct scope. - EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, DownstreamSocketThreadLocalScope) { - // Set up thread local slot first. - setupThreadLocalSlot(); - - // Get the thread local registry. - auto* registry = extension_->getLocalRegistry(); - EXPECT_NE(registry, nullptr); - - // Test that the scope() method returns the correct scope. - EXPECT_EQ(®istry->scope(), stats_scope_.get()); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsIncrement) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Test updateConnectionStats with increment=true. - std::string node_id = "test-node-123"; - std::string cluster_id = "test-cluster-456"; - std::string state_suffix = "connecting"; - - // Call updateConnectionStats to increment. - extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); - - // Verify that the correct stats were created and incremented using cross-worker stat map. - auto stat_map = extension_->getCrossWorkerStatMap(); - - std::string expected_node_stat = - fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); - std::string expected_cluster_stat = - fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); - - EXPECT_EQ(stat_map[expected_node_stat], 1); - EXPECT_EQ(stat_map[expected_cluster_stat], 1); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsDecrement) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Test updateConnectionStats with increment=false. - std::string node_id = "test-node-789"; - std::string cluster_id = "test-cluster-012"; - std::string state_suffix = "connected"; - - // First increment to have something to decrement. - extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); - extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); - - // Verify incremented values using cross-worker stat map. - auto stat_map = extension_->getCrossWorkerStatMap(); - std::string expected_node_stat = - fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); - std::string expected_cluster_stat = - fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); - - EXPECT_EQ(stat_map[expected_node_stat], 2); - EXPECT_EQ(stat_map[expected_cluster_stat], 2); - - // Now decrement. - extension_->updateConnectionStats(node_id, cluster_id, state_suffix, false); - - // Get updated stats after decrement. - stat_map = extension_->getCrossWorkerStatMap(); - - EXPECT_EQ(stat_map[expected_node_stat], 1); - EXPECT_EQ(stat_map[expected_cluster_stat], 1); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsMultipleStates) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Test updateConnectionStats with multiple different states. - std::string node_id = "test-node-multi"; - std::string cluster_id = "test-cluster-multi"; - - // Create stats for different states. - extension_->updateConnectionStats(node_id, cluster_id, "connecting", true); - extension_->updateConnectionStats(node_id, cluster_id, "connected", true); - extension_->updateConnectionStats(node_id, cluster_id, "failed", true); - - // Verify all states have separate gauges using cross-worker stat map. - auto stat_map = extension_->getCrossWorkerStatMap(); - - EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connecting", node_id)], 1); - EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connected", node_id)], 1); - EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.failed", node_id)], 1); -} - -TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsEmptyValues) { - // Test updateConnectionStats with empty values - should not update stats. - auto& stats_store = extension_->getStatsScope(); - - // Empty host_id - should not create/update stats. - extension_->updateConnectionStats("", "test-cluster", "connecting", true); - auto& empty_host_gauge = stats_store.gaugeFromString("reverse_connections.host..connecting", - Stats::Gauge::ImportMode::Accumulate); - EXPECT_EQ(empty_host_gauge.value(), 0); - - // Empty cluster_id - should not create/update stats. - extension_->updateConnectionStats("test-host", "", "connecting", true); - auto& empty_cluster_gauge = stats_store.gaugeFromString("reverse_connections.cluster..connecting", - Stats::Gauge::ImportMode::Accumulate); - EXPECT_EQ(empty_cluster_gauge.value(), 0); - - // Empty state_suffix - should not create/update stats. - extension_->updateConnectionStats("test-host", "test-cluster", "", true); - auto& empty_state_gauge = stats_store.gaugeFromString("reverse_connections.host.test-host.", - Stats::Gauge::ImportMode::Accumulate); - EXPECT_EQ(empty_state_gauge.value(), 0); -} - -// Test per-worker stats aggregation for one thread only (test thread) -TEST_F(ReverseTunnelInitiatorExtensionTest, GetPerWorkerStatMapSingleThread) { - // Set up thread local slot first. - setupThreadLocalSlot(); - - // Update per-worker stats for the current (test) thread. - extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", true); - extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); - extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); - - // Get the per-worker stat map. - auto stat_map = extension_->getPerWorkerStatMap(); - - // Verify the stats are collected correctly for worker_0. - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host2.connected"], 2); - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 1); - EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2.connected"], 2); - - // Verify that only worker_0 stats are included. - for (const auto& [stat_name, value] : stat_map) { - EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); - } -} - -// Test cross-thread stat map functions using multiple dispatchers. -TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { - // Set up thread local slot for the test thread (dispatcher name: "worker_0") - setupThreadLocalSlot(); - - // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") - setupAnotherThreadLocalSlot(); - - // Simulate stats updates from worker_0. - extension_->updateConnectionStats("host1", "cluster1", "connecting", true); - extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment twice - extension_->updateConnectionStats("host2", "cluster2", "connected", true); - - // Temporarily switch the thread local registry to simulate updates from worker_1. - auto original_registry = thread_local_registry_; - thread_local_registry_ = another_thread_local_registry_; - - // Update stats from worker_1. - extension_->updateConnectionStats("host1", "cluster1", "connecting", - true); // Increment from worker_1 - extension_->updateConnectionStats("host3", "cluster3", "failed", true); // New host from worker_1 - - // Restore the original registry. - thread_local_registry_ = original_registry; - - // Get the cross-worker stat map. - auto stat_map = extension_->getCrossWorkerStatMap(); - - // Verify that cross-worker stats are collected correctly across multiple dispatchers. - // host1: incremented 3 times total (2 from worker_0 + 1 from worker_1) - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 3); - // host2: incremented 1 time from worker_0 - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 1); - // host3: incremented 1 time from worker_1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); - - // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 3); - // cluster2: incremented 1 time from worker_0 - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 1); - // cluster3: incremented 1 time from worker_1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); - - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. - // with the same names increments the existing gauges (not creates new ones) - extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment again - extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 - - // Get stats again to verify the same gauges were updated. - stat_map = extension_->getCrossWorkerStatMap(); - - // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 4); // 3 + 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 4); // 3 + 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 0); // 1 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 0); // 1 - 1 - EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); // unchanged - EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); // unchanged - - // Test per-worker decrement operations to cover the per-worker decrement code paths. - // First, test decrements from worker_0 context. - extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", - false); // Decrement from worker_0 - - // Get per-worker stats to verify decrements worked correctly for worker_0. - auto per_worker_stat_map = extension_->getPerWorkerStatMap(); - - // Verify worker_0 stats were decremented correctly. - EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], - 3); // 4 - 1 - EXPECT_EQ( - per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], - 3); // 4 - 1 - - // Now test decrements from worker_1 context. - thread_local_registry_ = another_thread_local_registry_; - - // Decrement some stats from worker_1. - extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", - false); // Decrement from worker_1 - extension_->updatePerWorkerConnectionStats("host3", "cluster3", "failed", - false); // Decrement host3 to 0 - - // Get per-worker stats from worker_1 context. - auto worker1_stat_map = extension_->getPerWorkerStatMap(); - - // Verify worker_1 stats were decremented correctly. - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host1.connecting"], - 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1.connecting"], - 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host3.failed"], - 0); // 1 - 1 - EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3.failed"], - 0); // 1 - 1 - - // Restore original registry. - thread_local_registry_ = original_registry; -} - -// Test getConnectionStatsSync using multiple dispatchers. -TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { - // Set up thread local slot for the test thread (dispatcher name: "worker_0") - setupThreadLocalSlot(); - - // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") - setupAnotherThreadLocalSlot(); - - // Simulate stats updates from worker_0. - extension_->updateConnectionStats("host1", "cluster1", "connected", true); - extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment twice - extension_->updateConnectionStats("host2", "cluster2", "connected", true); - - // Simulate stats updates from worker_1. - // Temporarily switch the thread local registry to simulate the other dispatcher. - auto original_registry = thread_local_registry_; - thread_local_registry_ = another_thread_local_registry_; - - // Update stats from worker_1. - extension_->updateConnectionStats("host1", "cluster1", "connected", - true); // Increment from worker_1 - extension_->updateConnectionStats("host3", "cluster3", "connected", - true); // New host from worker_1 - - // Restore the original registry. - thread_local_registry_ = original_registry; - - // Get connection stats synchronously. - auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); - auto& [connected_nodes, accepted_connections] = result; - - // Verify the result contains the expected data. - EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); - - // Verify that we have the expected host and cluster data. - // host1: should be present (incremented 3 times total) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") != - connected_nodes.end()); - // host2: should be present (incremented 1 time) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != - connected_nodes.end()); - // host3: should be present (incremented 1 time) - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") != - connected_nodes.end()); - - // cluster1: should be present (incremented 3 times total) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != - accepted_connections.end()); - // cluster2: should be present (incremented 1 time) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != - accepted_connections.end()); - // cluster3: should be present (incremented 1 time) - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != - accepted_connections.end()); - - // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. - // with the same names updates the existing gauges and the sync result reflects this - extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment again - extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 - - // Get connection stats again to verify the updated values. - result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); - auto& [updated_connected_nodes, updated_accepted_connections] = result; - - // Verify that host2 is no longer present (gauge value is 0) - EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host2") == - updated_connected_nodes.end()); - EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), - "cluster2") == updated_accepted_connections.end()); - - // Verify that host1 and host3 are still present. - EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host1") != - updated_connected_nodes.end()); - EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host3") != - updated_connected_nodes.end()); - EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), - "cluster1") != updated_accepted_connections.end()); - EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), - "cluster3") != updated_accepted_connections.end()); -} - -// Test getConnectionStatsSync with timeouts. -TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncTimeout) { - // Test with a very short timeout to verify timeout behavior. - auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); - - // With no connections and short timeout, should return empty results. - auto& [connected_nodes, accepted_connections] = result; - EXPECT_TRUE(connected_nodes.empty()); - EXPECT_TRUE(accepted_connections.empty()); -} - -// Test getConnectionStatsSync filters only "connected" state. -TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncFiltersConnectedState) { - // Set up thread local slot. - setupThreadLocalSlot(); - - // Add connections with different states. - extension_->updateConnectionStats("host1", "cluster1", "connecting", true); - extension_->updateConnectionStats("host2", "cluster2", "connected", true); - extension_->updateConnectionStats("host3", "cluster3", "failed", true); - extension_->updateConnectionStats("host4", "cluster4", "connected", true); - - // Get connection stats synchronously. - auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); - auto& [connected_nodes, accepted_connections] = result; - - // Should only include hosts/clusters with "connected" state. - EXPECT_EQ(connected_nodes.size(), 2); - EXPECT_EQ(accepted_connections.size(), 2); - - // Verify only connected hosts are included. - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != - connected_nodes.end()); - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host4") != - connected_nodes.end()); - - // Verify connecting and failed hosts are NOT included. - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") == - connected_nodes.end()); - EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") == - connected_nodes.end()); - - // Verify only connected clusters are included. - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != - accepted_connections.end()); - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster4") != - accepted_connections.end()); - - // Verify connecting and failed clusters are NOT included. - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") == - accepted_connections.end()); - EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") == - accepted_connections.end()); -} - -// ReverseTunnelInitiator Test Class. - -class ReverseTunnelInitiatorTest : public testing::Test { -protected: - ReverseTunnelInitiatorTest() { - // Set up the stats scope. - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Set up the mock context. - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - - // Create the socket interface. - socket_interface_ = std::make_unique(context_); - - // Create the extension. - extension_ = std::make_unique(context_, config_); - } - - // Thread Local Setup Helpers. - - // Helper function to set up thread local slot for tests. - void setupThreadLocalSlot() { - // First, call onServerInitialized to set up the extension reference properly. - extension_->onServerInitialized(); - - // Create a thread local registry with the properly initialized extension. - thread_local_registry_ = - std::make_shared(dispatcher_, *stats_scope_); - - // Create the actual TypedSlot. - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - - // Set up the slot to return our registry. - tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - - // Override the TLS slot with our test version. - extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); - - // Set the extension reference in the socket interface. - socket_interface_->extension_ = extension_.get(); - } - - // Helper to create a test address. - Network::Address::InstanceConstSharedPtr createTestAddress(const std::string& ip = "127.0.0.1", - uint32_t port = 8080) { - return Network::Utility::parseInternetAddressNoThrow(ip, port); - } - - void TearDown() override { - tls_slot_.reset(); - thread_local_registry_.reset(); - extension_.reset(); - socket_interface_.reset(); - } - - NiceMock context_; - NiceMock thread_local_; - NiceMock cluster_manager_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - NiceMock dispatcher_{"worker_0"}; - - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface config_; - - std::unique_ptr socket_interface_; - std::unique_ptr extension_; - - // Real thread local slot and registry. - std::unique_ptr> tls_slot_; - std::shared_ptr thread_local_registry_; - - // Set log level to debug for this test class. - LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); -}; - -TEST_F(ReverseTunnelInitiatorTest, CreateBootstrapExtension) { - // Test createBootstrapExtension function. - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface config; - - auto extension = socket_interface_->createBootstrapExtension(config, context_); - EXPECT_NE(extension, nullptr); - - // Verify extension is stored in socket interface. - EXPECT_NE(socket_interface_->getExtension(), nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, CreateEmptyConfigProto) { - // Test createEmptyConfigProto function. - auto config = socket_interface_->createEmptyConfigProto(); - EXPECT_NE(config, nullptr); - - // Should be able to cast to the correct type. - auto* typed_config = - dynamic_cast(config.get()); - EXPECT_NE(typed_config, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, IpFamilySupported) { - // Test IP family support. - EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); - EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); - EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); -} - -TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryNoExtension) { - // Test getLocalRegistry when extension is not set. - auto* registry = socket_interface_->getLocalRegistry(); - EXPECT_EQ(registry, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { - // Test getLocalRegistry when extension is set. - setupThreadLocalSlot(); - - auto* registry = socket_interface_->getLocalRegistry(); - EXPECT_NE(registry, nullptr); - EXPECT_EQ(registry, thread_local_registry_.get()); -} - -TEST_F(ReverseTunnelInitiatorTest, FactoryName) { - EXPECT_EQ(socket_interface_->name(), - "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv4) { - // Test basic socket creation for IPv4. - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, - Network::Address::IpVersion::v4, false, - Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); - - // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) - auto* reverse_handle = dynamic_cast(socket.get()); - EXPECT_EQ(reverse_handle, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv6) { - // Test basic socket creation for IPv6. - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, - Network::Address::IpVersion::v6, false, - Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodDatagram) { - // Test datagram socket creation. - auto socket = socket_interface_->socket( - Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, - false, Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodUnixDomain) { - // Test Unix domain socket creation. - auto socket = socket_interface_->socket( - Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, - false, Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv4) { - // Test socket creation with IPv4 address. - auto address = std::make_shared("127.0.0.1", 8080); - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, - Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv6) { - // Test socket creation with IPv6 address. - auto address = std::make_shared("::1", 8080); - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, - Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithReverseConnectionAddress) { - // Test socket creation with ReverseConnectionAddress. - ReverseConnectionAddress::ReverseConnectionConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.src_tenant_id = "test-tenant"; - config.remote_cluster = "remote-cluster"; - config.connection_count = 2; - - auto reverse_address = std::make_shared(config); - - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, - Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); - - // Verify it's a ReverseConnectionIOHandle (not a regular socket) - auto* reverse_handle = dynamic_cast(socket.get()); - EXPECT_NE(reverse_handle, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv4) { - // Test createReverseConnectionSocket for stream IPv4 with TLS registry setup. - setupThreadLocalSlot(); - - ReverseConnectionSocketConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.src_tenant_id = "test-tenant"; - config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); - - auto socket = socket_interface_->createReverseConnectionSocket( - Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, - config); - - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); - - // Verify it's a ReverseConnectionIOHandle. - auto* reverse_handle = dynamic_cast(socket.get()); - EXPECT_NE(reverse_handle, nullptr); - - // Verify that the TLS registry scope is being used. - // The socket should be created with the scope from TLS registry, not context scope. - EXPECT_EQ(&reverse_handle->getDownstreamExtension()->getStatsScope(), stats_scope_.get()); -} - -TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv6) { - // Test createReverseConnectionSocket for stream IPv6. - ReverseConnectionSocketConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.src_tenant_id = "test-tenant"; - config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); - - auto socket = socket_interface_->createReverseConnectionSocket( - Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v6, - config); - - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); - - // Verify it's a ReverseConnectionIOHandle. - auto* reverse_handle = dynamic_cast(socket.get()); - EXPECT_NE(reverse_handle, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketDatagram) { - // Test createReverseConnectionSocket for datagram (should fallback to regular socket) - ReverseConnectionSocketConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.src_tenant_id = "test-tenant"; - config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); - - auto socket = socket_interface_->createReverseConnectionSocket( - Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, - config); - - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); - - // Verify it's NOT a ReverseConnectionIOHandle. - auto* reverse_handle = dynamic_cast(socket.get()); - EXPECT_EQ(reverse_handle, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketNonIP) { - // Test createReverseConnectionSocket for non-IP address (should fallback to regular socket) - ReverseConnectionSocketConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.src_tenant_id = "test-tenant"; - config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); - - auto socket = socket_interface_->createReverseConnectionSocket( - Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, - config); - - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); - - // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) - auto* reverse_handle = dynamic_cast(socket.get()); - EXPECT_EQ(reverse_handle, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketEmptyRemoteClusters) { - // Test createReverseConnectionSocket with empty remote_clusters (should return early) - ReverseConnectionSocketConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.src_tenant_id = "test-tenant"; - // No remote_clusters added - should return early. - - auto socket = socket_interface_->createReverseConnectionSocket( - Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, - config); - - // Should return nullptr due to empty remote_clusters. - EXPECT_EQ(socket, nullptr); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithEmptyReverseConnectionAddress) { - // Test socket creation with empty ReverseConnectionAddress. - ReverseConnectionAddress::ReverseConnectionConfig config; - config.src_cluster_id = ""; - config.src_node_id = ""; - config.src_tenant_id = ""; - config.remote_cluster = ""; - config.connection_count = 0; - - auto reverse_address = std::make_shared(config); - - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, - Network::SocketCreationOptions{}); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithSocketCreationOptions) { - // Test socket creation with socket creation options. - Network::SocketCreationOptions options; - options.mptcp_enabled_ = true; - options.max_addresses_cache_size_ = 100; - - auto address = std::make_shared("127.0.0.1", 0); - auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, options); - EXPECT_NE(socket, nullptr); - EXPECT_TRUE(socket->isOpen()); -} - -// Configuration validation tests. -class ConfigValidationTest : public testing::Test { -protected: - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface config_; - NiceMock context_; - NiceMock thread_local_; - NiceMock cluster_manager_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - - ConfigValidationTest() { - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - } -}; - -TEST_F(ConfigValidationTest, ValidConfiguration) { - // Test that valid configuration gets accepted. - ReverseTunnelInitiator initiator(context_); - - // Should not throw when creating bootstrap extension. - EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); -} - -TEST_F(ConfigValidationTest, EmptyConfiguration) { - // Test that empty configuration still works. - ReverseTunnelInitiator initiator(context_); - - // Should not throw with empty config. - EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); -} - -TEST_F(ConfigValidationTest, EmptyStatPrefix) { - // Test that empty stat_prefix still works with default. - ReverseTunnelInitiator initiator(context_); - - // Should not throw and should use default prefix. - EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); -} - // ReverseConnectionIOHandle Test Class. class ReverseConnectionIOHandleTest : public testing::Test { diff --git a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc similarity index 98% rename from test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc rename to test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc index c876bfae5994a..ab7ebfc075e32 100644 --- a/test/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc @@ -1,6 +1,6 @@ #include "envoy/config/core/v3/address.pb.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_connection_resolver.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h" #include "test/test_common/logging.h" diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc new file mode 100644 index 0000000000000..a65d65e09413a --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc @@ -0,0 +1,583 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseTunnelInitiatorExtensionTest : public testing::Test { +protected: + ReverseTunnelInitiatorExtensionTest() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface. + socket_interface_ = std::make_unique(context_); + + // Create the extension. + extension_ = std::make_unique(context_, config_); + } + + // Helper function to set up thread local slot for tests. + void setupThreadLocalSlot() { + // Create a thread local registry. + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method. + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + void setupAnotherThreadLocalSlot() { + // Create a thread local registry for the other dispatcher. + another_thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + another_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + another_tls_slot_->set( + [registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method. + extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + std::unique_ptr> another_tls_slot_; + std::shared_ptr another_thread_local_registry_; +}; + +// Basic functionality tests. +TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { + // Test with empty config (should initialize successfully). + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface empty_config; + + auto extension_with_default = + std::make_unique(context_, empty_config); + + EXPECT_NE(extension_with_default, nullptr); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, OnServerInitialized) { + // This should be a no-op. + extension_->onServerInitialized(); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, OnWorkerThreadInitialized) { + // Test that onWorkerThreadInitialized creates thread local slot. + extension_->onWorkerThreadInitialized(); + + // Verify that the thread local slot was created by checking getLocalRegistry. + EXPECT_NE(extension_->getLocalRegistry(), nullptr); +} + +// Thread local registry access tests. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryBeforeInitialization) { + // Before tls_slot_ is set, getLocalRegistry should return nullptr. + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryAfterInitialization) { + + // First test with uninitialized TLS. + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); + + // Initialize the thread local slot. + setupThreadLocalSlot(); + + // Now getLocalRegistry should return the actual registry. + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); + + // Test multiple calls return same registry. + auto* registry2 = extension_->getLocalRegistry(); + EXPECT_EQ(registry, registry2); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, GetStatsScope) { + // Test that getStatsScope returns the correct scope. + EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, DownstreamSocketThreadLocalScope) { + // Set up thread local slot first. + setupThreadLocalSlot(); + + // Get the thread local registry. + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + + // Test that the scope() method returns the correct scope. + EXPECT_EQ(®istry->scope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsIncrement) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Test updateConnectionStats with increment=true. + std::string node_id = "test-node-123"; + std::string cluster_id = "test-cluster-456"; + std::string state_suffix = "connecting"; + + // Call updateConnectionStats to increment. + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + + // Verify that the correct stats were created and incremented using cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + + std::string expected_node_stat = + fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = + fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + + EXPECT_EQ(stat_map[expected_node_stat], 1); + EXPECT_EQ(stat_map[expected_cluster_stat], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsDecrement) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Test updateConnectionStats with increment=false. + std::string node_id = "test-node-789"; + std::string cluster_id = "test-cluster-012"; + std::string state_suffix = "connected"; + + // First increment to have something to decrement. + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + + // Verify incremented values using cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + std::string expected_node_stat = + fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = + fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + + EXPECT_EQ(stat_map[expected_node_stat], 2); + EXPECT_EQ(stat_map[expected_cluster_stat], 2); + + // Now decrement. + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, false); + + // Get updated stats after decrement. + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map[expected_node_stat], 1); + EXPECT_EQ(stat_map[expected_cluster_stat], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsMultipleStates) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Test updateConnectionStats with multiple different states. + std::string node_id = "test-node-multi"; + std::string cluster_id = "test-cluster-multi"; + + // Create stats for different states. + extension_->updateConnectionStats(node_id, cluster_id, "connecting", true); + extension_->updateConnectionStats(node_id, cluster_id, "connected", true); + extension_->updateConnectionStats(node_id, cluster_id, "failed", true); + + // Verify all states have separate gauges using cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connecting", node_id)], 1); + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connected", node_id)], 1); + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.failed", node_id)], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsEmptyValues) { + // Test updateConnectionStats with empty values - should not update stats. + auto& stats_store = extension_->getStatsScope(); + + // Empty host_id - should not create/update stats. + extension_->updateConnectionStats("", "test-cluster", "connecting", true); + auto& empty_host_gauge = stats_store.gaugeFromString("reverse_connections.host..connecting", + Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_host_gauge.value(), 0); + + // Empty cluster_id - should not create/update stats. + extension_->updateConnectionStats("test-host", "", "connecting", true); + auto& empty_cluster_gauge = stats_store.gaugeFromString("reverse_connections.cluster..connecting", + Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_cluster_gauge.value(), 0); + + // Empty state_suffix - should not create/update stats. + extension_->updateConnectionStats("test-host", "test-cluster", "", true); + auto& empty_state_gauge = stats_store.gaugeFromString("reverse_connections.host.test-host.", + Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_state_gauge.value(), 0); +} + +// Test per-worker stats aggregation for one thread only (test thread) +TEST_F(ReverseTunnelInitiatorExtensionTest, GetPerWorkerStatMapSingleThread) { + // Set up thread local slot first. + setupThreadLocalSlot(); + + // Update per-worker stats for the current (test) thread. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", true); + extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); + extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); + + // Get the per-worker stat map. + auto stat_map = extension_->getPerWorkerStatMap(); + + // Verify the stats are collected correctly for worker_0. + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host2.connected"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2.connected"], 2); + + // Verify that only worker_0 stats are included. + for (const auto& [stat_name, value] : stat_map) { + EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); + } +} + +// Test cross-thread stat map functions using multiple dispatchers. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0. + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment twice + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + + // Temporarily switch the thread local registry to simulate updates from worker_1. + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1. + extension_->updateConnectionStats("host1", "cluster1", "connecting", + true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "failed", true); // New host from worker_1 + + // Restore the original registry. + thread_local_registry_ = original_registry; + + // Get the cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Verify that cross-worker stats are collected correctly across multiple dispatchers. + // host1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 3); + // host2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 1); + // host3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); + + // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 3); + // cluster2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 1); + // cluster3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. + // with the same names increments the existing gauges (not creates new ones) + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment again + extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 + + // Get stats again to verify the same gauges were updated. + stat_map = extension_->getCrossWorkerStatMap(); + + // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); // unchanged + + // Test per-worker decrement operations to cover the per-worker decrement code paths. + // First, test decrements from worker_0 context. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", + false); // Decrement from worker_0 + + // Get per-worker stats to verify decrements worked correctly for worker_0. + auto per_worker_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_0 stats were decremented correctly. + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], + 3); // 4 - 1 + EXPECT_EQ( + per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], + 3); // 4 - 1 + + // Now test decrements from worker_1 context. + thread_local_registry_ = another_thread_local_registry_; + + // Decrement some stats from worker_1. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", + false); // Decrement from worker_1 + extension_->updatePerWorkerConnectionStats("host3", "cluster3", "failed", + false); // Decrement host3 to 0 + + // Get per-worker stats from worker_1 context. + auto worker1_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_1 stats were decremented correctly. + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host1.connecting"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1.connecting"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host3.failed"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3.failed"], + 0); // 1 - 1 + + // Restore original registry. + thread_local_registry_ = original_registry; +} + +// Test getConnectionStatsSync using multiple dispatchers. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0. + extension_->updateConnectionStats("host1", "cluster1", "connected", true); + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment twice + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + + // Simulate stats updates from worker_1. + // Temporarily switch the thread local registry to simulate the other dispatcher. + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1. + extension_->updateConnectionStats("host1", "cluster1", "connected", + true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "connected", + true); // New host from worker_1 + + // Restore the original registry. + thread_local_registry_ = original_registry; + + // Get connection stats synchronously. + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [connected_nodes, accepted_connections] = result; + + // Verify the result contains the expected data. + EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); + + // Verify that we have the expected host and cluster data. + // host1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") != + connected_nodes.end()); + // host2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != + connected_nodes.end()); + // host3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") != + connected_nodes.end()); + + // cluster1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != + accepted_connections.end()); + // cluster2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + // cluster3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != + accepted_connections.end()); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. + // with the same names updates the existing gauges and the sync result reflects this + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment again + extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 + + // Get connection stats again to verify the updated values. + result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [updated_connected_nodes, updated_accepted_connections] = result; + + // Verify that host2 is no longer present (gauge value is 0) + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host2") == + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster2") == updated_accepted_connections.end()); + + // Verify that host1 and host3 are still present. + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host1") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host3") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster1") != updated_accepted_connections.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster3") != updated_accepted_connections.end()); +} + +// Test getConnectionStatsSync with timeouts. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncTimeout) { + // Test with a very short timeout to verify timeout behavior. + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); + + // With no connections and short timeout, should return empty results. + auto& [connected_nodes, accepted_connections] = result; + EXPECT_TRUE(connected_nodes.empty()); + EXPECT_TRUE(accepted_connections.empty()); +} + +// Test getConnectionStatsSync filters only "connected" state. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncFiltersConnectedState) { + // Set up thread local slot. + setupThreadLocalSlot(); + + // Add connections with different states. + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + extension_->updateConnectionStats("host3", "cluster3", "failed", true); + extension_->updateConnectionStats("host4", "cluster4", "connected", true); + + // Get connection stats synchronously. + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [connected_nodes, accepted_connections] = result; + + // Should only include hosts/clusters with "connected" state. + EXPECT_EQ(connected_nodes.size(), 2); + EXPECT_EQ(accepted_connections.size(), 2); + + // Verify only connected hosts are included. + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host4") != + connected_nodes.end()); + + // Verify connecting and failed hosts are NOT included. + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") == + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") == + connected_nodes.end()); + + // Verify only connected clusters are included. + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster4") != + accepted_connections.end()); + + // Verify connecting and failed clusters are NOT included. + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") == + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") == + accepted_connections.end()); +} + +// Configuration validation tests. +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + + ConfigValidationTest() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + } +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + // Test that valid configuration gets accepted. + ReverseTunnelInitiator initiator(context_); + + // Should not throw when creating bootstrap extension. + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyConfiguration) { + // Test that empty configuration still works. + ReverseTunnelInitiator initiator(context_); + + // Should not throw with empty config. + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + // Test that empty stat_prefix still works with default. + ReverseTunnelInitiator initiator(context_); + + // Should not throw and should use default prefix. + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc new file mode 100644 index 0000000000000..dc05a016fbe9b --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc @@ -0,0 +1,378 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" +#include "test/test_common/logging.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseTunnelInitiator Test Class. + +class ReverseTunnelInitiatorTest : public testing::Test { +protected: + ReverseTunnelInitiatorTest() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface. + socket_interface_ = std::make_unique(context_); + + // Create the extension. + extension_ = std::make_unique(context_, config_); + } + + // Thread Local Setup Helpers. + + // Helper function to set up thread local slot for tests. + void setupThreadLocalSlot() { + // First, call onServerInitialized to set up the extension reference properly. + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension. + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version. + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Set the extension reference in the socket interface. + socket_interface_->extension_ = extension_.get(); + } + + // Helper to create a test address. + Network::Address::InstanceConstSharedPtr createTestAddress(const std::string& ip = "127.0.0.1", + uint32_t port = 8080) { + return Network::Utility::parseInternetAddressNoThrow(ip, port); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Real thread local slot and registry. + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); +}; + +TEST_F(ReverseTunnelInitiatorTest, CreateBootstrapExtension) { + // Test createBootstrapExtension function. + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config; + + auto extension = socket_interface_->createBootstrapExtension(config, context_); + EXPECT_NE(extension, nullptr); + + // Verify extension is stored in socket interface. + EXPECT_NE(socket_interface_->getExtension(), nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateEmptyConfigProto) { + // Test createEmptyConfigProto function. + auto config = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(config, nullptr); + + // Should be able to cast to the correct type. + auto* typed_config = + dynamic_cast(config.get()); + EXPECT_NE(typed_config, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, IpFamilySupported) { + // Test IP family support. + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); +} + +TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryNoExtension) { + // Test getLocalRegistry when extension is not set. + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { + // Test getLocalRegistry when extension is set. + setupThreadLocalSlot(); + + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); +} + +TEST_F(ReverseTunnelInitiatorTest, FactoryName) { + EXPECT_EQ(socket_interface_->name(), + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv4) { + // Test basic socket creation for IPv4. + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v4, false, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv6) { + // Test basic socket creation for IPv6. + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v6, false, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodDatagram) { + // Test datagram socket creation. + auto socket = socket_interface_->socket( + Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + false, Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodUnixDomain) { + // Test Unix domain socket creation. + auto socket = socket_interface_->socket( + Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, + false, Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv4) { + // Test socket creation with IPv4 address. + auto address = std::make_shared("127.0.0.1", 8080); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv6) { + // Test socket creation with IPv6 address. + auto address = std::make_shared("::1", 8080); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithReverseConnectionAddress) { + // Test socket creation with ReverseConnectionAddress. + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_cluster = "remote-cluster"; + config.connection_count = 2; + + auto reverse_address = std::make_shared(config); + + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle (not a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv4) { + // Test createReverseConnectionSocket for stream IPv4 with TLS registry setup. + setupThreadLocalSlot(); + + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); + + // Verify that the TLS registry scope is being used. + // The socket should be created with the scope from TLS registry, not context scope. + EXPECT_EQ(&reverse_handle->getDownstreamExtension()->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv6) { + // Test createReverseConnectionSocket for stream IPv6. + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v6, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketDatagram) { + // Test createReverseConnectionSocket for datagram (should fallback to regular socket) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketNonIP) { + // Test createReverseConnectionSocket for non-IP address (should fallback to regular socket) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketEmptyRemoteClusters) { + // Test createReverseConnectionSocket with empty remote_clusters (should return early) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + // No remote_clusters added - should return early. + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + // Should return nullptr due to empty remote_clusters. + EXPECT_EQ(socket, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithEmptyReverseConnectionAddress) { + // Test socket creation with empty ReverseConnectionAddress. + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_cluster_id = ""; + config.src_node_id = ""; + config.src_tenant_id = ""; + config.remote_cluster = ""; + config.connection_count = 0; + + auto reverse_address = std::make_shared(config); + + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithSocketCreationOptions) { + // Test socket creation with socket creation options. + Network::SocketCreationOptions options; + options.mptcp_enabled_ = true; + options.max_addresses_cache_size_ = 100; + + auto address = std::make_shared("127.0.0.1", 0); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 245920af2d934..a8d320bff3fb3 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -324,6 +324,8 @@ paths: - test/extensions/filters/http/common/fuzz/uber_filter.h - test/extensions/http/cache/file_system_http_cache/cache_file_header_proto_util_test.cc - test/tools/router_check/router_check.cc + - source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc + - test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc # Files in these paths can use std::regex std_regex: From 318af79fc6a577bdada12d6ff4258796fb1d61cf Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 22 Aug 2025 04:53:18 +0000 Subject: [PATCH 313/505] split classes into separate files, separate upstream files into its own directory, etc Signed-off-by: Basundhara Chakrabarty --- CODEOWNERS | 1 + .../reverse_tunnel_acceptor.cc | 16 +++++++++++++--- .../reverse_tunnel_acceptor.h | 1 - .../reverse_tunnel_acceptor_extension.h | 5 +++++ .../upstream_socket_manager.cc | 3 --- .../bootstrap/reverse_tunnel/common/BUILD | 3 --- .../reverse_tunnel_acceptor_test.cc | 7 +++++++ 7 files changed, 26 insertions(+), 10 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index f0b9d936918b5..0233f2483b062 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -206,6 +206,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123 # user space socket pair, event, connection and listener /*/extensions/io_socket/user_space @kyessenov @lambdai /*/extensions/bootstrap/internal_listener @kyessenov @adisuissa +/*/extensions/bootstrap/reverse_tunnel/ @agrawroh @basundhara-c @botengyao @yanavlasov # Default UUID4 request ID extension /*/extensions/request_id/uuid @mattklein123 @botengyao # HTTP header formatters diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc index 47b632b11dfaf..5e2a9f1d9aa6f 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -49,13 +49,16 @@ Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); - // Reset the owned socket to properly close the connection + // Prefer letting the owned ConnectionSocket perform the actual close to avoid + // double-close. if (owned_socket_) { ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); owned_socket_.reset(); + // Invalidate our fd so base destructor won't close again. + SET_SOCKET_INVALID(fd_); + return Api::ioCallUint64ResultNoError(); } - - // Call the parent close method + // If we no longer own the socket, fall back to base close. return IoSocketHandleImpl::close(); } @@ -108,6 +111,13 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, // No sockets available, fallback to standard socket interface. ENVOY_LOG(debug, "reverse_tunnel: no available connection, falling back to standard socket"); + // Emit a counter to aid diagnostics in NAT scenarios where direct connect will fail. + if (extension_) { + auto& scope = extension_->getStatsScope(); + auto& counter = scope.counterFromString( + fmt::format("{}.fallback_no_reverse_socket", extension_->statPrefix())); + counter.inc(); + } return Network::socketInterface( "envoy.extensions.network.socket_interface.default_socket_interface") ->socket(socket_type, addr, options); diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h index 173d57657598a..89a66e5d5eb4d 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h @@ -27,7 +27,6 @@ namespace Bootstrap { namespace ReverseConnection { // Forward declarations -class ReverseTunnelAcceptor; class ReverseTunnelAcceptorExtension; class UpstreamSocketManager; diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h index 6e5c3c520539f..9e2c573fe608e 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h @@ -89,6 +89,11 @@ class ReverseTunnelAcceptorExtension stat_prefix_); stat_prefix_ = PROTOBUF_GET_STRING_OR_DEFAULT(config, stat_prefix, "upstream_reverse_connection"); + // Ensure the socket interface has a reference to this extension early, so stats can be + // recorded even before onServerInitialized(). + if (socket_interface_ != nullptr) { + socket_interface_->extension_ = this; + } } /** diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index 16dcf80526d0e..44bac00d563e0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -22,9 +22,6 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// Forward declaration -class ReverseTunnelAcceptorExtension; - // UpstreamSocketManager implementation UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, ReverseTunnelAcceptorExtension* extension) diff --git a/test/extensions/bootstrap/reverse_tunnel/common/BUILD b/test/extensions/bootstrap/reverse_tunnel/common/BUILD index 718c050ff92f8..01739aedda6ce 100644 --- a/test/extensions/bootstrap/reverse_tunnel/common/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/common/BUILD @@ -1,7 +1,6 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_test", - "envoy_extension_package", "envoy_package", ) @@ -9,8 +8,6 @@ licenses(["notice"]) # Apache 2 envoy_package() -envoy_extension_package() - envoy_cc_test( name = "reverse_connection_utility_test", size = "medium", diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc index 9dadd2bac1c1d..b45eab892925f 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc @@ -186,6 +186,13 @@ TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); EXPECT_NE(io_handle, nullptr); EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); + + // Verify fallback counter increments for diagnostics. + // Counter name is "..fallback_no_reverse_socket". + auto& scope = extension_->getStatsScope(); + auto& counter = scope.counterFromString( + absl::StrCat(extension_->statPrefix(), ".fallback_no_reverse_socket")); + EXPECT_EQ(counter.value(), 1); } TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoCachedSockets) { From d28e5f3af24c499cf590d21204f92c547e687693 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Sat, 23 Aug 2025 00:33:33 +0000 Subject: [PATCH 314/505] Fix format and cleanup imports Signed-off-by: Basundhara Chakrabarty --- .../upstream_socket_interface/BUILD | 12 ++------- .../reverse_tunnel_acceptor.cc | 14 +++------- .../reverse_tunnel_acceptor.h | 2 -- .../reverse_tunnel_acceptor_extension.cc | 1 - .../reverse_tunnel_acceptor_extension.h | 2 -- .../upstream_socket_manager.cc | 9 ------- .../upstream_socket_manager.h | 1 - .../upstream_socket_interface/BUILD | 27 +++++-------------- .../config_validation_test.cc | 16 +---------- .../reverse_tunnel_acceptor_extension_test.cc | 11 +------- .../reverse_tunnel_acceptor_test.cc | 13 +++------ ...tream_reverse_connection_io_handle_test.cc | 15 +---------- .../upstream_socket_manager_test.cc | 8 ------ 13 files changed, 18 insertions(+), 113 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index b87502f21f14e..e883312ac22c5 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -18,16 +18,13 @@ envoy_cc_extension( deps = [ "//envoy/event:dispatcher_interface", "//envoy/event:timer_interface", - "//envoy/network:address_interface", "//envoy/network:io_handle_interface", "//envoy/network:socket_interface", "//envoy/registry", "//envoy/server:bootstrap_extension_config_interface", "//envoy/stats:stats_interface", - "//envoy/stats:stats_macros", "//envoy/thread_local:thread_local_interface", - "//source/common/network:address_lib", - "//source/common/network:socket_interface_lib", + "//source/common/network:default_socket_interface_lib", "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], @@ -43,9 +40,6 @@ envoy_cc_extension( deps = [ ":reverse_tunnel_acceptor_includes", ":upstream_socket_manager_lib", - "//envoy/common:random_generator_interface", - "//source/common/api:os_sys_calls_lib", - "//source/common/buffer:buffer_lib", "//source/common/common:logger_lib", "//source/common/network:default_socket_interface_lib", "//source/common/protobuf", @@ -63,12 +57,10 @@ envoy_cc_extension( "//envoy/event:dispatcher_interface", "//envoy/event:timer_interface", "//envoy/network:io_handle_interface", - "//envoy/network:socket_interface", "//envoy/thread_local:thread_local_object", - "//source/common/api:os_sys_calls_lib", + "//source/common/buffer:buffer_lib", "//source/common/common:logger_lib", "//source/common/common:random_generator_lib", - "//source/common/network:default_socket_interface_lib", "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", ], ) diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc index 5e2a9f1d9aa6f..9ca3201c5357e 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -1,16 +1,8 @@ #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" -#include -#include -#include #include -#include -#include "source/common/api/os_sys_calls_impl.h" -#include "source/common/buffer/buffer_impl.h" #include "source/common/common/logger.h" -#include "source/common/common/random_generator.h" -#include "source/common/network/address_impl.h" #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/protobuf/utility.h" @@ -114,8 +106,10 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, // Emit a counter to aid diagnostics in NAT scenarios where direct connect will fail. if (extension_) { auto& scope = extension_->getStatsScope(); - auto& counter = scope.counterFromString( - fmt::format("{}.fallback_no_reverse_socket", extension_->statPrefix())); + std::string counter_name = + fmt::format("{}.fallback_no_reverse_socket", extension_->statPrefix()); + Stats::StatNameManagedStorage counter_name_storage(counter_name, scope.symbolTable()); + auto& counter = scope.counterFromStatName(counter_name_storage.statName()); counter.inc(); } return Network::socketInterface( diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h index 89a66e5d5eb4d..43484ea906161 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h @@ -10,12 +10,10 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" #include "envoy/network/io_handle.h" -#include "envoy/network/listen_socket.h" #include "envoy/network/socket.h" #include "envoy/registry/registry.h" #include "envoy/server/bootstrap_extension_config.h" #include "envoy/stats/scope.h" -#include "envoy/stats/stats_macros.h" #include "envoy/thread_local/thread_local.h" #include "source/common/network/io_socket_handle_impl.h" diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc index 771d22310d5ce..e253439cd5083 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc @@ -1,6 +1,5 @@ #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" -#include "source/common/protobuf/utility.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" namespace Envoy { diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h index 9e2c573fe608e..0b3bb4632873a 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h @@ -10,12 +10,10 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" #include "envoy/network/io_handle.h" -#include "envoy/network/listen_socket.h" #include "envoy/network/socket.h" #include "envoy/registry/registry.h" #include "envoy/server/bootstrap_extension_config.h" #include "envoy/stats/scope.h" -#include "envoy/stats/stats_macros.h" #include "envoy/thread_local/thread_local.h" #include "source/common/network/io_socket_handle_impl.h" diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index 44bac00d563e0..71ae06dbaa93f 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -1,19 +1,10 @@ #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" -#include -#include -#include #include -#include -#include "source/common/api/os_sys_calls_impl.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/logger.h" #include "source/common/common/random_generator.h" -#include "source/common/network/address_impl.h" -#include "source/common/network/io_socket_handle_impl.h" -#include "source/common/network/socket_interface.h" -#include "source/common/protobuf/utility.h" #include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h index 3e6e288fceb58..43d435f8abb96 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h @@ -9,7 +9,6 @@ #include "envoy/event/dispatcher.h" #include "envoy/event/timer.h" #include "envoy/network/io_handle.h" -#include "envoy/network/listen_socket.h" #include "envoy/network/socket.h" #include "envoy/thread_local/thread_local.h" diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index 38c3c26ee9f17..607f4e8222b0f 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -18,13 +18,12 @@ envoy_extension_cc_test( srcs = ["reverse_tunnel_acceptor_test.cc"], extension_names = ["envoy.bootstrap.reverse_tunnel.upstream_socket_interface"], deps = [ - "//source/common/network:socket_interface_lib", - "//source/common/thread_local:thread_local_lib", + "//source/common/network:utility_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "//test/mocks/event:event_mocks", "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", "//test/mocks/thread_local:thread_local_mocks", - "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) @@ -34,13 +33,11 @@ envoy_cc_test( size = "medium", srcs = ["reverse_tunnel_acceptor_extension_test.cc"], deps = [ - "//source/common/network:socket_interface_lib", - "//source/common/thread_local:thread_local_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "//test/mocks/event:event_mocks", "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", "//test/mocks/thread_local:thread_local_mocks", - "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) @@ -50,13 +47,12 @@ envoy_cc_test( size = "large", srcs = ["upstream_socket_manager_test.cc"], deps = [ - "//source/common/network:socket_interface_lib", - "//source/common/thread_local:thread_local_lib", + "//source/common/network:utility_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "//test/mocks/event:event_mocks", "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", "//test/mocks/thread_local:thread_local_mocks", - "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) @@ -66,14 +62,8 @@ envoy_cc_test( size = "medium", srcs = ["upstream_reverse_connection_io_handle_test.cc"], deps = [ - "//source/common/network:socket_interface_lib", - "//source/common/thread_local:thread_local_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", - "//test/mocks/event:event_mocks", - "//test/mocks/server:factory_context_mocks", - "//test/mocks/thread_local:thread_local_mocks", - "//test/test_common:test_runtime_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + "//test/mocks/network:network_mocks", ], ) @@ -82,13 +72,8 @@ envoy_cc_test( size = "small", srcs = ["config_validation_test.cc"], deps = [ - "//source/common/network:socket_interface_lib", - "//source/common/thread_local:thread_local_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", - "//test/mocks/event:event_mocks", "//test/mocks/server:factory_context_mocks", - "//test/mocks/thread_local:thread_local_mocks", - "//test/test_common:test_runtime_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc index 3ed6375fa9273..7c9d808dd3cd4 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc @@ -1,28 +1,14 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" -#include "envoy/server/factory_context.h" -#include "envoy/thread_local/thread_local.h" - -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" -#include "source/common/network/utility.h" -#include "source/common/thread_local/thread_local_impl.h" + #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" -#include "test/mocks/event/mocks.h" #include "test/mocks/server/factory_context.h" -#include "test/mocks/stats/mocks.h" -#include "test/mocks/thread_local/mocks.h" -#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" using testing::_; -using testing::Invoke; using testing::NiceMock; -using testing::Return; -using testing::ReturnRef; namespace Envoy { namespace Extensions { diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc index 4bf3c5cdfbb6c..ee8ade1e45a77 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc @@ -1,12 +1,5 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" -#include "envoy/server/factory_context.h" -#include "envoy/thread_local/thread_local.h" - -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" -#include "source/common/network/utility.h" -#include "source/common/thread_local/thread_local_impl.h" + #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" @@ -15,13 +8,11 @@ #include "test/mocks/server/factory_context.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" -#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" using testing::_; -using testing::Invoke; using testing::NiceMock; using testing::Return; using testing::ReturnRef; diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc index b45eab892925f..73b2a395f9837 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc @@ -1,12 +1,6 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" -#include "envoy/server/factory_context.h" -#include "envoy/thread_local/thread_local.h" -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" #include "source/common/network/utility.h" -#include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" @@ -15,13 +9,11 @@ #include "test/mocks/server/factory_context.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" -#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" using testing::_; -using testing::Invoke; using testing::NiceMock; using testing::Return; using testing::ReturnRef; @@ -190,8 +182,9 @@ TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { // Verify fallback counter increments for diagnostics. // Counter name is "..fallback_no_reverse_socket". auto& scope = extension_->getStatsScope(); - auto& counter = scope.counterFromString( - absl::StrCat(extension_->statPrefix(), ".fallback_no_reverse_socket")); + std::string counter_name = absl::StrCat(extension_->statPrefix(), ".fallback_no_reverse_socket"); + Stats::StatNameManagedStorage counter_name_storage(counter_name, scope.symbolTable()); + auto& counter = scope.counterFromStatName(counter_name_storage.statName()); EXPECT_EQ(counter.value(), 1); } diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc index c34b64af92f6d..ea1f5231176d8 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc @@ -1,25 +1,12 @@ -#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" -#include "envoy/server/factory_context.h" -#include "envoy/thread_local/thread_local.h" - -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" #include "source/common/network/utility.h" -#include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" -#include "test/mocks/event/mocks.h" -#include "test/mocks/server/factory_context.h" -#include "test/mocks/stats/mocks.h" -#include "test/mocks/thread_local/mocks.h" -#include "test/test_common/test_runtime.h" +#include "test/mocks/network/mocks.h" #include "gmock/gmock.h" #include "gtest/gtest.h" using testing::_; -using testing::Invoke; using testing::NiceMock; using testing::Return; using testing::ReturnRef; diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc index 5cecd7a2eaf65..83dd07f61012a 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc @@ -1,12 +1,6 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" -#include "envoy/network/socket_interface.h" -#include "envoy/server/factory_context.h" -#include "envoy/thread_local/thread_local.h" -#include "source/common/network/address_impl.h" -#include "source/common/network/socket_interface.h" #include "source/common/network/utility.h" -#include "source/common/thread_local/thread_local_impl.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" @@ -15,12 +9,10 @@ #include "test/mocks/server/factory_context.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" -#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" -using testing::_; using testing::Invoke; using testing::NiceMock; using testing::Return; From 0d70745f1a276d9ada1fe5ae674cd283d075cba9 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Wed, 27 Aug 2025 23:51:37 +0000 Subject: [PATCH 315/505] Move extra files to backup_files dir Signed-off-by: Basundhara Chakrabarty --- .../bootstrap/reverse_tunnel/{ => backup_files}/factory_base.h | 0 .../{ => backup_files}/grpc_reverse_tunnel_client.cc | 0 .../{ => backup_files}/grpc_reverse_tunnel_client.h | 0 .../{ => backup_files}/grpc_reverse_tunnel_service.cc | 0 .../{ => backup_files}/grpc_reverse_tunnel_service.h | 0 .../{ => backup_files}/reverse_tunnel_initiator.cc.backup | 0 .../reverse_tunnel/{ => backup_files}/trigger_mechanism.cc | 0 .../reverse_tunnel/{ => backup_files}/trigger_mechanism.h | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/factory_base.h (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/grpc_reverse_tunnel_client.cc (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/grpc_reverse_tunnel_client.h (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/grpc_reverse_tunnel_service.cc (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/grpc_reverse_tunnel_service.h (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/reverse_tunnel_initiator.cc.backup (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/trigger_mechanism.cc (100%) rename source/extensions/bootstrap/reverse_tunnel/{ => backup_files}/trigger_mechanism.h (100%) diff --git a/source/extensions/bootstrap/reverse_tunnel/factory_base.h b/source/extensions/bootstrap/reverse_tunnel/backup_files/factory_base.h similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/factory_base.h rename to source/extensions/bootstrap/reverse_tunnel/backup_files/factory_base.h diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.cc similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.cc rename to source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.cc diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.h similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h rename to source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.h diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.cc similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.cc rename to source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.cc diff --git a/source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.h similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h rename to source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.h diff --git a/source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc.backup b/source/extensions/bootstrap/reverse_tunnel/backup_files/reverse_tunnel_initiator.cc.backup similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.cc.backup rename to source/extensions/bootstrap/reverse_tunnel/backup_files/reverse_tunnel_initiator.cc.backup diff --git a/source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.cc b/source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.cc similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.cc rename to source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.cc diff --git a/source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.h b/source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.h similarity index 100% rename from source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.h rename to source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.h From db2a366fa9a2cc32852c703aab02d041cd7ff338 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 28 Aug 2025 08:42:24 +0800 Subject: [PATCH 316/505] chore: rename tasks_example.json (#40844) In most cases, we should not submit `tasks.json` to the code base because in actual development we need to customize a lot (e.g more tasks or environment variables). Rename `tasks.json` to `tasks_example.json` instead of deleting it, in case someone want to use it as an example. Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: zirain --- .vscode/{tasks.json => tasks_example.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .vscode/{tasks.json => tasks_example.json} (100%) diff --git a/.vscode/tasks.json b/.vscode/tasks_example.json similarity index 100% rename from .vscode/tasks.json rename to .vscode/tasks_example.json From 69a019355be432e3a82d1009eb3de74e237ee967 Mon Sep 17 00:00:00 2001 From: danzh Date: Thu, 28 Aug 2025 09:30:30 -0400 Subject: [PATCH 317/505] mobile: decouple DNS refresh and explicit pool drain upon network change (#40847) Commit Message: Explicitly drain connection pools regardless of whether we disable DNS refresh or not upon network change events. Draining connection pools itself is already behind a runtime guard `envoy.reloadable_features.drain_pools_on_network_change`. Enabling it without disable DNS refresh should allow us both drain pools and refresh DNS. This is the original behavior but accidentally removed in https://github.com/envoyproxy/envoy/pull/38531 and added back with `disable_dns_refresh_on_network_change_` dependency in https://github.com/envoyproxy/envoy/pull/39418. Also disable request rehashing upon network change achieved via `NetworkTypeSocketOptionImpl` in ConnectivityManagerImpl. Rehashing new requests has the equivalent effect as explicitly draining any existing connections. And explicitly draining connections is more robust to network changes between same type. If `envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh` and `envoy.reloadable_features.drain_pools_on_network_change` both true, we know connections have been drained by the engine and ConnectivityManagerImpl shouldn't need to create a NetworkTypeSocketOptionImpl using current network type to rehash new requests. Additional Message: Also fix JniLibrary.isRuntimeFeatureEnabled() by renaming it to runTimeFeatureEnabled() to match its native implementation `Java_io_envoyproxy_envoymobile_engine_JniLibrary_runtimeFeatureEnabled()`. Risk Level: medium Testing: modified existing unit and integration tests Docs Changes: N/A Release Notes: Y Platform Specific Features: N/A Runtime guard: envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- changelogs/current.yaml | 5 +++ mobile/library/common/internal_engine.cc | 4 ++- .../common/network/connectivity_manager.cc | 13 ++++--- .../envoymobile/engine/JniLibrary.java | 2 +- .../network/connectivity_manager_test.cc | 8 ++++- .../org/chromium/net/CronetHttp3Test.java | 35 +++++++++++++------ source/common/runtime/runtime_features.cc | 1 + 7 files changed, 51 insertions(+), 17 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index ef8923f9241f3..10fee72688779 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -41,6 +41,11 @@ minor_behavior_changes: change: | turn off HTTP/3 happy eyeball in upstream via runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. It is found to favor TCP over QUIC when UDP does not work on v6 network but works on v4. +- area: mobile + change: | + Explicitly drain connections upon network change events regardless of whether the DNS cache is refreshed or not. This behavior + can be reverted by setting the runtime guard ``envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh`` + to false. - area: http change: | Adds accounting for decompressed HTTP header bytes sent and received. Existing stats only count wire-encoded header bytes. diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index f0dfa516e9c77..0299f5de802b9 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -456,7 +456,9 @@ void InternalEngine::resetHttpPropertiesAndDrainHosts(bool has_ipv6_connectivity cache_manager.forEachThreadLocalCache(clear_brokenness); } - if (disable_dns_refresh_on_network_change_) { + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh") || + disable_dns_refresh_on_network_change_) { if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.drain_pools_on_network_change")) { // Since DNS refreshing is disabled, explicitly drain all non-migratable connections. ENVOY_LOG_EVENT(debug, "netconf_immediate_drain", "DrainAllHosts"); diff --git a/mobile/library/common/network/connectivity_manager.cc b/mobile/library/common/network/connectivity_manager.cc index c67676e6f1455..085f55046ce76 100644 --- a/mobile/library/common/network/connectivity_manager.cc +++ b/mobile/library/common/network/connectivity_manager.cc @@ -332,11 +332,16 @@ Socket::OptionsSharedPtr ConnectivityManagerImpl::getUpstreamSocketOptions(int n return getAlternateInterfaceSocketOptions(network); } - // Envoy uses the hash signature of overridden socket options to choose a connection pool. - // Setting a dummy socket option is a hack that allows us to select a different - // connection pool without materially changing the socket configuration. auto options = std::make_shared(); - options->push_back(std::make_shared(network)); + if (!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh") || + !Runtime::runtimeFeatureEnabled("envoy.reloadable_features.drain_pools_on_network_change")) { + // Envoy uses the hash signature of overridden socket options to choose a connection pool. + // Setting a dummy socket option is a hack that allows us to select a different + // connection pool without materially changing the socket configuration when + // pools are not explicitly drained during network change. + options->push_back(std::make_shared(network)); + } return options; } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java index b45c7142b9c24..828410c815b46 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java @@ -353,5 +353,5 @@ public static native long createBootstrap( /** * Returns true if the runtime feature is enabled. */ - public static native boolean isRuntimeFeatureEnabled(String featureName); + public static native boolean runtimeFeatureEnabled(String featureName); } diff --git a/mobile/test/common/network/connectivity_manager_test.cc b/mobile/test/common/network/connectivity_manager_test.cc index 6da466b5277f0..2b47ea5ac01e3 100644 --- a/mobile/test/common/network/connectivity_manager_test.cc +++ b/mobile/test/common/network/connectivity_manager_test.cc @@ -287,7 +287,13 @@ TEST_F(ConnectivityManagerTest, NetworkChangeResultsInDifferentSocketOptionsHash for (const auto& option : *options2) { option->hashKey(hash2); } - EXPECT_NE(hash1, hash2); + if (!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh") || + !Runtime::runtimeFeatureEnabled("envoy.reloadable_features.drain_pools_on_network_change")) { + EXPECT_NE(hash1, hash2); + } else { + EXPECT_EQ(hash1, hash2); + } } // Verifies that when the platform notifies about the same default network diff --git a/mobile/test/java/org/chromium/net/CronetHttp3Test.java b/mobile/test/java/org/chromium/net/CronetHttp3Test.java index acf5e7006f66f..27d655ae5a697 100644 --- a/mobile/test/java/org/chromium/net/CronetHttp3Test.java +++ b/mobile/test/java/org/chromium/net/CronetHttp3Test.java @@ -328,8 +328,11 @@ public void testRetryPostHandshake() throws Exception { @SmallTest @Feature({"Cronet"}) public void networkChangeNoDrains() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; + if (!JniLibrary.runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh")) { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + } drainOnNetworkChange = false; setUp(printEnvoyLogs); @@ -367,8 +370,11 @@ public void networkChangeNoDrains() throws Exception { @SmallTest @Feature({"Cronet"}) public void networkChangeWithDrains() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; + if (!JniLibrary.runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh")) { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + } drainOnNetworkChange = true; setUp(printEnvoyLogs); @@ -407,8 +413,11 @@ public void networkChangeWithDrains() throws Exception { @SmallTest @Feature({"Cronet"}) public void networkChangeMonitorV2FromCellToWifi() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; + if (!JniLibrary.runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh")) { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + } drainOnNetworkChange = true; useAndroidNetworkMonitorV2 = true; setUp(printEnvoyLogs); @@ -494,8 +503,11 @@ public void networkChangeMonitorV2FromCellToWifi() throws Exception { @SmallTest @Feature({"Cronet"}) public void networkChangeMonitorV2FromDisconnectedCellToWifi() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; + if (!JniLibrary.runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh")) { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + } drainOnNetworkChange = true; useAndroidNetworkMonitorV2 = true; setUp(printEnvoyLogs); @@ -572,8 +584,11 @@ public void networkChangeMonitorV2FromDisconnectedCellToWifi() throws Exception @SmallTest @Feature({"Cronet"}) public void networkChangeMonitorV2VpnOnAndOff() throws Exception { - // Disable dns refreshment so that the engine will attempt immediate draining. - disableDnsRefreshOnNetworkChange = true; + if (!JniLibrary.runtimeFeatureEnabled( + "envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh")) { + // Disable dns refreshment so that the engine will attempt immediate draining. + disableDnsRefreshOnNetworkChange = true; + } drainOnNetworkChange = true; useAndroidNetworkMonitorV2 = true; setUp(printEnvoyLogs); diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 9f594e0cc89da..7a469b2eb2e33 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -35,6 +35,7 @@ // ASAP by filing a bug on github. Overriding non-buggy code is strongly discouraged to avoid the // problem of the bugs being found after the old code path has been removed. RUNTIME_GUARD(envoy_reloadable_features_async_host_selection); +RUNTIME_GUARD(envoy_reloadable_features_decouple_explicit_drain_pools_and_dns_refresh); RUNTIME_GUARD(envoy_reloadable_features_dfp_cluster_resolves_hosts); RUNTIME_GUARD(envoy_reloadable_features_disallow_quic_client_udp_mmsg); RUNTIME_GUARD(envoy_reloadable_features_enable_cel_regex_precompilation); From 0685d7bf568485eb112df2a9c73248cb8bfc1c37 Mon Sep 17 00:00:00 2001 From: Melissa Ginaldi <93894818+melginaldi@users.noreply.github.com> Date: Thu, 28 Aug 2025 14:40:17 -0400 Subject: [PATCH 318/505] ext_proc: propagate detailed GRPC status for fail open (#40808) ext_proc: propagate detailed GRPC status for fail open Commit Message: Propagate detailed GRPC status for fail open rather than always ABORT. In order to have a better understanding of what is causing a request to fail we should log the GRPC status even if fail open is being used. Additional Description: For backwards compatibility this CL uses optional parameters for call_status with a default value of Grpc::Status::Aborted. Risk Level: Low Testing: Added a unit test within ext_proc_integration_test.cc to validate the logged call_status changed accordingly. I did some additional unit testing within the Google codebase for products that use ext_proc. Docs Changes: N/A Release Notes: If failure_mode_allowed is true, save the grpc failure status code returned from the ext_proc server in the filter state. Previously all fail-open cases would return call_status Grpc::Status::Aborted. Platform Specific Features: N/A Signed-off-by: Melissa Ginaldi --------- Signed-off-by: Melissa Ginaldi --- changelogs/current.yaml | 5 +++ .../filters/http/ext_proc/ext_proc.cc | 19 +++++---- .../filters/http/ext_proc/ext_proc.h | 3 +- .../filters/http/ext_proc/processor_state.cc | 4 +- .../filters/http/ext_proc/processor_state.h | 2 +- .../ext_proc/ext_proc_integration_test.cc | 41 +++++++++++++++++++ 6 files changed, 61 insertions(+), 13 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 10fee72688779..bd550853fe7ae 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -52,6 +52,11 @@ minor_behavior_changes: This can be accessed through the ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and the ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access_log command operators. +- area: ext_proc + change: | + If :ref:`failure_mode_allow ` is true, + save the grpc failure status code returned from the ext_proc server in the filter state. + Previously all fail-open cases would return call_status Grpc::Status::Aborted. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/source/extensions/filters/http/ext_proc/ext_proc.cc b/source/extensions/filters/http/ext_proc/ext_proc.cc index f5c55c6cb1aa9..1fdb6a859ae6e 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.cc +++ b/source/extensions/filters/http/ext_proc/ext_proc.cc @@ -1631,7 +1631,7 @@ void Filter::onReceiveMessage(std::unique_ptr&& r) { // instance's lifetime to protect us from a malformed server. stats_.failure_mode_allowed_.inc(); closeStream(); - clearAsyncState(); + clearAsyncState(processing_status.raw_code()); processing_complete_ = true; } else { // Send an immediate response if fail close is configured. @@ -1655,8 +1655,7 @@ void Filter::onGrpcError(Grpc::Status::GrpcStatus status, const std::string& mes } if (failure_mode_allow_) { - // Ignore this and treat as a successful close - onGrpcClose(); + onGrpcCloseWithStatus(status); stats_.failure_mode_allowed_.inc(); } else { @@ -1673,7 +1672,9 @@ void Filter::onGrpcError(Grpc::Status::GrpcStatus status, const std::string& mes } } -void Filter::onGrpcClose() { +void Filter::onGrpcClose() { onGrpcCloseWithStatus(Grpc::Status::Aborted); } + +void Filter::onGrpcCloseWithStatus(Grpc::Status::GrpcStatus status) { ENVOY_STREAM_LOG(debug, "Received gRPC stream close", *decoder_callbacks_); processing_complete_ = true; @@ -1681,7 +1682,7 @@ void Filter::onGrpcClose() { // Successful close. We can ignore the stream for the rest of our request // and response processing. closeStream(); - clearAsyncState(); + clearAsyncState(status); } void Filter::onMessageTimeout() { @@ -1696,7 +1697,7 @@ void Filter::onMessageTimeout() { processing_complete_ = true; closeStream(); stats_.failure_mode_allowed_.inc(); - clearAsyncState(); + clearAsyncState(Grpc::Status::DeadlineExceeded); } else { // Return an error and stop processing the current stream. @@ -1714,9 +1715,9 @@ void Filter::onMessageTimeout() { // Regardless of the current filter state, reset it to "IDLE", continue // the current callback, and reset timers. This is used in a few error-handling situations. -void Filter::clearAsyncState() { - decoding_state_.clearAsyncState(); - encoding_state_.clearAsyncState(); +void Filter::clearAsyncState(Grpc::Status::GrpcStatus call_status) { + decoding_state_.clearAsyncState(call_status); + encoding_state_.clearAsyncState(call_status); } // Regardless of the current state, ensure that the timers won't fire diff --git a/source/extensions/filters/http/ext_proc/ext_proc.h b/source/extensions/filters/http/ext_proc/ext_proc.h index 06d906b6d2518..44411ad74b945 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.h +++ b/source/extensions/filters/http/ext_proc/ext_proc.h @@ -471,6 +471,7 @@ class Filter : public Logger::Loggable, std::unique_ptr&& response) override; void onGrpcError(Grpc::Status::GrpcStatus error, const std::string& message) override; void onGrpcClose() override; + void onGrpcCloseWithStatus(Grpc::Status::GrpcStatus status); void logStreamInfoBase(const Envoy::StreamInfo::StreamInfo* stream_info); void logStreamInfo() override; @@ -523,7 +524,7 @@ class Filter : public Logger::Loggable, void halfCloseAndWaitForRemoteClose(); void onFinishProcessorCalls(Grpc::Status::GrpcStatus call_status); - void clearAsyncState(); + void clearAsyncState(Grpc::Status::GrpcStatus call_status = Grpc::Status::Aborted); void sendImmediateResponse(const envoy::service::ext_proc::v3::ImmediateResponse& response); Http::FilterHeadersStatus onHeaders(ProcessorState& state, diff --git a/source/extensions/filters/http/ext_proc/processor_state.cc b/source/extensions/filters/http/ext_proc/processor_state.cc index 62830935b5534..1ff3c2a7ba1f3 100644 --- a/source/extensions/filters/http/ext_proc/processor_state.cc +++ b/source/extensions/filters/http/ext_proc/processor_state.cc @@ -535,8 +535,8 @@ QueuedChunkPtr ProcessorState::dequeueStreamingChunk(Buffer::OwnedImpl& out_data return chunk_queue_.pop(out_data); } -void ProcessorState::clearAsyncState() { - onFinishProcessorCall(Grpc::Status::Aborted); +void ProcessorState::clearAsyncState(Grpc::Status::GrpcStatus call_status) { + onFinishProcessorCall(call_status); if (chunkQueue().receivedData().length() > 0) { const auto& all_data = consolidateStreamedChunks(); ENVOY_STREAM_LOG(trace, "Injecting leftover buffer of {} bytes", *filter_callbacks_, diff --git a/source/extensions/filters/http/ext_proc/processor_state.h b/source/extensions/filters/http/ext_proc/processor_state.h index fde56c016a7ce..1c53b1b72262a 100644 --- a/source/extensions/filters/http/ext_proc/processor_state.h +++ b/source/extensions/filters/http/ext_proc/processor_state.h @@ -210,7 +210,7 @@ class ProcessorState : public Logger::Loggable { virtual void continueProcessing() const PURE; void continueIfNecessary(); - void clearAsyncState(); + void clearAsyncState(Grpc::Status::GrpcStatus call_status = Grpc::Status::Aborted); virtual envoy::service::ext_proc::v3::HttpHeaders* mutableHeaders(envoy::service::ext_proc::v3::ProcessingRequest& request) const PURE; diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 37d4bbee7d1b4..a5605bf242998 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -6181,4 +6181,45 @@ TEST_P(ExtProcIntegrationTest, FilterStateAccessLogSerialization) { ENVOY_LOG_MISC(info, "Sample FIELD: bytes_sent={}", *bytes_sent); } +TEST_P(ExtProcIntegrationTest, ExtProcLoggingInfoGRPCTimeout) { + auto access_log_path = TestEnvironment::temporaryPath("ext_proc_filter_state_access.log"); + + config_helper_.addConfigModifier([&](HttpConnectionManager& cm) { + auto* access_log = cm.add_access_log(); + access_log->set_name("accesslog"); + envoy::extensions::access_loggers::file::v3::FileAccessLog access_log_config; + access_log_config.set_path(access_log_path); + auto* json_format = access_log_config.mutable_log_format()->mutable_json_format(); + + (*json_format->mutable_fields())["field_request_header_call_status"].set_string_value( + "%FILTER_STATE(envoy.filters.http.ext_proc:FIELD:request_header_call_status)%"); + + access_log->mutable_typed_config()->PackFrom(access_log_config); + }); + proto_config_.set_failure_mode_allow(true); + proto_config_.mutable_message_timeout()->set_nanos(200000000); + initializeConfig(); + HttpIntegrationTest::initialize(); + auto response = sendDownstreamRequest(absl::nullopt); + processRequestHeadersMessage(*grpc_upstreams_[0], true, + [this](const HttpHeaders&, HeadersResponse&) { + // Travel forward 400 ms + timeSystem().advanceTimeWaitImpl(400ms); + return false; + }); + + // We should be able to continue from here since the error was ignored + handleUpstreamRequest(); + // Since we are ignoring errors, the late response to the request headers + // message meant that subsequent messages are spurious and the response + // headers message was never sent. + // Despite the timeout the request should succeed. + verifyDownstreamResponse(*response, 200); + std::string log_result = waitForAccessLog(access_log_path, 0, true); + auto json_log = Json::Factory::loadFromString(log_result).value(); + auto field_request_header_status = json_log->getString("field_request_header_call_status"); + // Should be 4:DEADLINE_EXCEEDED instead of 10:ABORTED + EXPECT_EQ(*field_request_header_status, "4"); +} + } // namespace Envoy From d44ec3bb1986f811db80fde19121a45811d878ba Mon Sep 17 00:00:00 2001 From: basundhara-c Date: Thu, 28 Aug 2025 17:40:33 -0700 Subject: [PATCH 319/505] bootstrap: add reverse tunnel socket interface extension for upstream connections (#40315) ## Description Commit Message: Implement reverse tunnel acceptor socket interface for socket caching and reuse on upstream envoy Additional Description: This PR implements a ReverseTunnelAcceptor that runs on upstream envoy and enables caching and reuse of previously established connections, eliminating the need for new TCP connections on each request. [Github Issue](https://github.com/envoyproxy/envoy/issues/33320) ### Architecture Overview ### 1. Bootstrap Extension Registration - `ReverseTunnelAcceptorExtension` is registered as a bootstrap extension on the acceptor Envoy instance and manages thread local data - A thread local slot is set up in ReverseTunnelAcceptorExtension::onServerInitialized(), initializing components that can be retrieved thread locally later - Provides APIs for stats collection and cross-worker aggregation ### 2. Thread-Local Data Management - thread local data management is via a `UpstreamSocketThreadLocal` containing the per-worker thread dispatcher and socket manager ### 3. Socket Caching Service ('UpstreamSocketManager') - Maintains maps of accepted reverse connection sockets per node/cluster - Implements socket lifecycle management with RPINGs - Exposes `getConnectionSocket()` API to retrieve cached sockets - Detects socket closures and performs cleanup ### 4. Custom socket interface (ReverseTunnelAcceptor) - Custom socket interface that returns cached sockets instead of creating new ones - When a request arrives, the 'REVERSE_CONNECTION' cluster (incoming PR) selects/creates a host This Host uses a special address which returns the 'ReverseTunnelAcceptor' in its 'socketInterface()' method, allowing the 'ReverseTunnelAcceptor''s socket() to be called when creating a socket. - In the socket() method, the ReverseTunnelAcceptor retrieves a cached socket from the `UpstreamSocketManager`. Therefore, the connection re-uses an existing 'reverse connection' instead of establishing a new TCP connection. This is described in the diagram below: Reverse Conn Socket Interface_ Life of a Request [Link to diagram](https://lucid.app/lucidchart/c369b0df-436b-4dbb-b32b-03d2412c1db2/edit?page=IjcZ1O4Q5TdRF&invitationId=inv_1aa0e150-484c-4b43-9799-afb3d61289e1#) Risk Level: Low Testing: Unit Tests Docs Changes: Release Notes: Platform Specific Features: Signed-off-by: Basundhara Chakrabarty Co-authored-by: Rohit Agrawal [rohit.agrawal@databricks.com](mailto:rohit.agrawal@databricks.com) Co-authored-by: Arun Vasudevan [Arun.Vasudev@nutanix.com](mailto:Arun.Vasudev@nutanix.com) Co-authored-by: Tejas Sangol [tejas.sangol@nutanix.com](mailto:tejas.sangol@nutanix.com) Co-authored-by: Aditya Jaltade [aditya.jaltade@nutanix.com](mailto:aditya.jaltade@nutanix.com) --------- Signed-off-by: Basundhara Chakrabarty Signed-off-by: Rohit Agrawal Co-authored-by: Rohit Agrawal --- CODEOWNERS | 1 + api/BUILD | 1 + .../upstream_socket_interface/v3/BUILD | 9 + ..._reverse_connection_socket_interface.proto | 20 + api/versioning/BUILD | 1 + docs/root/api-v3/bootstrap/bootstrap.rst | 1 + .../bootstrap/reverse_tunnel/common/BUILD | 22 + .../common/reverse_connection_utility.cc | 81 ++ .../common/reverse_connection_utility.h | 61 ++ .../upstream_socket_interface/BUILD | 66 ++ .../reverse_tunnel_acceptor.cc | 158 ++++ .../reverse_tunnel_acceptor.h | 174 ++++ .../reverse_tunnel_acceptor_extension.cc | 281 +++++++ .../reverse_tunnel_acceptor_extension.h | 182 +++++ .../upstream_socket_manager.cc | 439 ++++++++++ .../upstream_socket_manager.h | 139 ++++ source/extensions/extensions_build_config.bzl | 6 + source/extensions/extensions_metadata.yaml | 7 + .../bootstrap/reverse_tunnel/common/BUILD | 22 + .../common/reverse_connection_utility_test.cc | 236 ++++++ .../upstream_socket_interface/BUILD | 79 ++ .../config_validation_test.cc | 42 + .../reverse_tunnel_acceptor_extension_test.cc | 338 ++++++++ .../reverse_tunnel_acceptor_test.cc | 241 ++++++ ...tream_reverse_connection_io_handle_test.cc | 96 +++ .../upstream_socket_manager_test.cc | 755 ++++++++++++++++++ tools/spelling/spelling_dictionary.txt | 1 + 27 files changed, 3459 insertions(+) create mode 100644 api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD create mode 100644 api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto create mode 100644 source/extensions/bootstrap/reverse_tunnel/common/BUILD create mode 100644 source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h create mode 100644 test/extensions/bootstrap/reverse_tunnel/common/BUILD create mode 100644 test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc diff --git a/CODEOWNERS b/CODEOWNERS index 04b46ae4222a7..b382e8c149fbc 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -206,6 +206,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123 # user space socket pair, event, connection and listener /*/extensions/io_socket/user_space @kyessenov @lambdai /*/extensions/bootstrap/internal_listener @kyessenov @adisuissa +/*/extensions/bootstrap/reverse_tunnel/ @agrawroh @basundhara-c @botengyao @yanavlasov # Default UUID4 request ID extension /*/extensions/request_id/uuid @mattklein123 @botengyao # HTTP header formatters diff --git a/api/BUILD b/api/BUILD index 47dfa333a2ec2..6ae90f01d3592 100644 --- a/api/BUILD +++ b/api/BUILD @@ -137,6 +137,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", "//envoy/extensions/clusters/dns/v3:pkg", diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD new file mode 100644 index 0000000000000..29ebf0741406e --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], +) diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto new file mode 100644 index 0000000000000..8256baccbe88d --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; + +package envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3"; +option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3;upstream_socket_interfacev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Bootstrap settings for Upstream Reverse Connection Socket Interface] +// [#extension: envoy.bootstrap.reverse_tunnel.upstream_socket_interface] + +// Configuration for the upstream reverse connection socket interface. +message UpstreamReverseConnectionSocketInterface { + // Stat prefix to be used for upstream reverse connection socket interface stats. + string stat_prefix = 1; +} diff --git a/api/versioning/BUILD b/api/versioning/BUILD index cdcf5f206f24c..0c7c9456d6e45 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -75,6 +75,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", "//envoy/extensions/clusters/dns/v3:pkg", diff --git a/docs/root/api-v3/bootstrap/bootstrap.rst b/docs/root/api-v3/bootstrap/bootstrap.rst index 4c454d0180976..f2b6f6c6b1c97 100644 --- a/docs/root/api-v3/bootstrap/bootstrap.rst +++ b/docs/root/api-v3/bootstrap/bootstrap.rst @@ -7,6 +7,7 @@ Bootstrap ../config/bootstrap/v3/bootstrap.proto ../extensions/bootstrap/internal_listener/v3/internal_listener.proto + ../extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto ../config/metrics/v3/metrics_service.proto ../config/overload/v3/overload.proto ../config/ratelimit/v3/rls.proto diff --git a/source/extensions/bootstrap/reverse_tunnel/common/BUILD b/source/extensions/bootstrap/reverse_tunnel/common/BUILD new file mode 100644 index 0000000000000..5388185785ceb --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/common/BUILD @@ -0,0 +1,22 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "reverse_connection_utility_lib", + srcs = ["reverse_connection_utility.cc"], + hdrs = ["reverse_connection_utility.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/network:connection_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + ], +) diff --git a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc new file mode 100644 index 0000000000000..2f186c0e1eb20 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc @@ -0,0 +1,81 @@ +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/assert.h" +#include "source/common/common/logger.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +bool ReverseConnectionUtility::isPingMessage(absl::string_view data) { + if (data.empty()) { + return false; + } + return (data.length() == PING_MESSAGE.length() && + !memcmp(data.data(), PING_MESSAGE.data(), PING_MESSAGE.length())); +} + +Buffer::InstancePtr ReverseConnectionUtility::createPingResponse() { + return std::make_unique(PING_MESSAGE); +} + +bool ReverseConnectionUtility::sendPingResponse(Network::Connection& connection) { + auto ping_buffer = createPingResponse(); + connection.write(*ping_buffer, false); + ENVOY_LOG(debug, "Reverse connection utility: sent RPING response on connection {}", + connection.id()); + return true; +} + +Api::IoCallUint64Result ReverseConnectionUtility::sendPingResponse(Network::IoHandle& io_handle) { + auto ping_buffer = createPingResponse(); + Api::IoCallUint64Result result = io_handle.write(*ping_buffer); + if (result.ok()) { + ENVOY_LOG(trace, "Reverse connection utility: sent RPING response, bytes: {}", + result.return_value_); + } else { + ENVOY_LOG(trace, "Reverse connection utility: failed to send RPING response, error: {}", + result.err_->getErrorDetails()); + } + return result; +} + +bool ReverseConnectionUtility::handlePingMessage(absl::string_view data, + Network::Connection& connection) { + if (!isPingMessage(data)) { + return false; + } + ENVOY_LOG(debug, "Reverse connection utility: received RPING on connection {}, echoing back", + connection.id()); + return sendPingResponse(connection); +} + +bool ReverseConnectionUtility::extractPingFromHttpData(absl::string_view http_data) { + if (http_data.find(PING_MESSAGE) != absl::string_view::npos) { + ENVOY_LOG(debug, "Reverse connection utility: found RPING in HTTP data"); + return true; + } + return false; +} + +std::shared_ptr ReverseConnectionMessageHandlerFactory::createPingHandler() { + return std::make_shared(); +} + +bool PingMessageHandler::processPingMessage(absl::string_view data, + Network::Connection& connection) { + if (ReverseConnectionUtility::isPingMessage(data)) { + ++ping_count_; + ENVOY_LOG(debug, "Ping handler: processing ping #{} on connection {}", ping_count_, + connection.id()); + return ReverseConnectionUtility::sendPingResponse(connection); + } + return false; +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h new file mode 100644 index 0000000000000..d11800a5304a0 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h @@ -0,0 +1,61 @@ +#pragma once + +#include + +#include "envoy/buffer/buffer.h" +#include "envoy/network/connection.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" + +#include "absl/strings/string_view.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionUtility : public Logger::Loggable { +public: + static constexpr absl::string_view PING_MESSAGE = "RPING"; + static constexpr absl::string_view PROXY_MESSAGE = "PROXY"; + + static bool isPingMessage(absl::string_view data); + + static Buffer::InstancePtr createPingResponse(); + + static bool sendPingResponse(Network::Connection& connection); + + static Api::IoCallUint64Result sendPingResponse(Network::IoHandle& io_handle); + + static bool handlePingMessage(absl::string_view data, Network::Connection& connection); + + static bool extractPingFromHttpData(absl::string_view http_data); + +private: + ReverseConnectionUtility() = delete; +}; + +class ReverseConnectionMessageHandlerFactory { +public: + static std::shared_ptr createPingHandler(); +}; + +class PingMessageHandler : public std::enable_shared_from_this, + public Logger::Loggable { +public: + PingMessageHandler() = default; + ~PingMessageHandler() = default; + + bool processPingMessage(absl::string_view data, Network::Connection& connection); + + uint64_t getPingCount() const { return ping_count_; } + +private: + uint64_t ping_count_{0}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD new file mode 100644 index 0000000000000..e883312ac22c5 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -0,0 +1,66 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "reverse_tunnel_acceptor_includes", + hdrs = [ + "reverse_tunnel_acceptor.h", + "reverse_tunnel_acceptor_extension.h", + ], + visibility = ["//visibility:public"], + deps = [ + "//envoy/event:dispatcher_interface", + "//envoy/event:timer_interface", + "//envoy/network:io_handle_interface", + "//envoy/network:socket_interface", + "//envoy/registry", + "//envoy/server:bootstrap_extension_config_interface", + "//envoy/stats:stats_interface", + "//envoy/thread_local:thread_local_interface", + "//source/common/network:default_socket_interface_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_extension( + name = "reverse_tunnel_acceptor_lib", + srcs = [ + "reverse_tunnel_acceptor.cc", + "reverse_tunnel_acceptor_extension.cc", + ], + visibility = ["//visibility:public"], + deps = [ + ":reverse_tunnel_acceptor_includes", + ":upstream_socket_manager_lib", + "//source/common/common:logger_lib", + "//source/common/network:default_socket_interface_lib", + "//source/common/protobuf", + ], + alwayslink = 1, +) + +envoy_cc_extension( + name = "upstream_socket_manager_lib", + srcs = ["upstream_socket_manager.cc"], + hdrs = ["upstream_socket_manager.h"], + visibility = ["//visibility:public"], + deps = [ + "reverse_tunnel_acceptor_includes", + "//envoy/event:dispatcher_interface", + "//envoy/event:timer_interface", + "//envoy/network:io_handle_interface", + "//envoy/thread_local:thread_local_object", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + "//source/common/common:random_generator_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + ], +) diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc new file mode 100644 index 0000000000000..9ca3201c5357e --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -0,0 +1,158 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +#include + +#include "source/common/common/logger.h" +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// UpstreamReverseConnectionIOHandle implementation +UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, const std::string& cluster_name) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), + owned_socket_(std::move(socket)) { + + ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); +} + +UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { + ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, + fd_); + // The owned_socket_ will be automatically destroyed via RAII. +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( + Envoy::Network::Address::InstanceConstSharedPtr address) { + ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", + address->asString()); + + // For reverse connections, the connection is already established. + return Api::SysCallIntResult{0, 0}; +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { + ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); + + // Prefer letting the owned ConnectionSocket perform the actual close to avoid + // double-close. + if (owned_socket_) { + ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); + owned_socket_.reset(); + // Invalidate our fd so base destructor won't close again. + SET_SOCKET_INVALID(fd_); + return Api::ioCallUint64ResultNoError(); + } + // If we no longer own the socket, fall back to base close. + return IoSocketHandleImpl::close(); +} + +// ReverseTunnelAcceptor implementation +ReverseTunnelAcceptor::ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) + : extension_(nullptr), context_(&context) { + ENVOY_LOG(debug, "reverse_tunnel: created acceptor"); +} + +Envoy::Network::IoHandlePtr +ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type, Envoy::Network::Address::Type, + Envoy::Network::Address::IpVersion, bool, + const Envoy::Network::SocketCreationOptions&) const { + + ENVOY_LOG(warn, "reverse_tunnel: socket() called without address - returning nullptr"); + + // Reverse connection sockets should always have an address. + return nullptr; +} + +Envoy::Network::IoHandlePtr +ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const { + ENVOY_LOG(debug, "reverse_tunnel: socket() called for address: {}, node: {}", addr->asString(), + addr->logicalName()); + + // For upstream reverse connections, we need to get the thread-local socket manager + // and check if there are any cached connections available + auto* tls_registry = getLocalRegistry(); + if (tls_registry && tls_registry->socketManager()) { + ENVOY_LOG(trace, "reverse_tunnel: running on dispatcher: {}", + tls_registry->dispatcher().name()); + auto* socket_manager = tls_registry->socketManager(); + + // The address's logical name is the node ID. + std::string node_id = addr->logicalName(); + ENVOY_LOG(debug, "reverse_tunnel: using node_id: {}", node_id); + + // Try to get a cached socket for the node. + auto socket = socket_manager->getConnectionSocket(node_id); + if (socket) { + ENVOY_LOG(info, "reverse_tunnel: reusing cached socket for node: {}", node_id); + // Create IOHandle that owns the socket using RAII. + auto io_handle = + std::make_unique(std::move(socket), node_id); + return io_handle; + } + } + + // No sockets available, fallback to standard socket interface. + ENVOY_LOG(debug, "reverse_tunnel: no available connection, falling back to standard socket"); + // Emit a counter to aid diagnostics in NAT scenarios where direct connect will fail. + if (extension_) { + auto& scope = extension_->getStatsScope(); + std::string counter_name = + fmt::format("{}.fallback_no_reverse_socket", extension_->statPrefix()); + Stats::StatNameManagedStorage counter_name_storage(counter_name, scope.symbolTable()); + auto& counter = scope.counterFromStatName(counter_name_storage.statName()); + counter.inc(); + } + return Network::socketInterface( + "envoy.extensions.network.socket_interface.default_socket_interface") + ->socket(socket_type, addr, options); +} + +bool ReverseTunnelAcceptor::ipFamilySupported(int domain) { + return domain == AF_INET || domain == AF_INET6; +} + +// Get thread local registry for the current thread +UpstreamSocketThreadLocal* ReverseTunnelAcceptor::getLocalRegistry() const { + if (extension_) { + return extension_->getLocalRegistry(); + } + return nullptr; +} + +// BootstrapExtensionFactory +Server::BootstrapExtensionPtr ReverseTunnelAcceptor::createBootstrapExtension( + const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { + ENVOY_LOG(debug, "ReverseTunnelAcceptor::createBootstrapExtension()"); + // Cast the config to the proper type. + const auto& message = MessageUtil::downcastAndValidate< + const envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); + + // Set the context for this socket interface instance. + context_ = &context; + + // Return a SocketInterfaceExtension that wraps this socket interface. + return std::make_unique(*this, context, message); +} + +ProtobufTypes::MessagePtr ReverseTunnelAcceptor::createEmptyConfigProto() { + return std::make_unique(); +} + +REGISTER_FACTORY(ReverseTunnelAcceptor, Server::Configuration::BootstrapExtensionFactory); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h new file mode 100644 index 0000000000000..43484ea906161 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h @@ -0,0 +1,174 @@ +#pragma once + +#include + +#include +#include + +#include "envoy/event/dispatcher.h" +#include "envoy/event/timer.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" +#include "envoy/registry/registry.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class ReverseTunnelAcceptorExtension; +class UpstreamSocketManager; + +/** + * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. + * This class implements RAII principles to ensure proper socket cleanup and provides + * reverse connection semantics where the connection is already established. + */ +class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. + * + * @param socket the reverse connection socket to own and manage. + * @param cluster_name the name of the cluster this connection belongs to. + */ + UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + const std::string& cluster_name); + + ~UpstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + /** + * Override of connect method for reverse connections. + * For reverse connections, the connection is already established so this method + * is a no-op and always returns success. + * + * @param address the target address (unused for reverse connections). + * @return SysCallIntResult with success status (0, 0). + */ + Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; + + /** + * Override of close method for reverse connections. + * Cleans up the owned socket and calls the parent close method. + * + * @return IoCallUint64Result indicating the result of the close operation. + */ + Api::IoCallUint64Result close() override; + + /** + * Get the owned socket for read-only operations. + * + * @return const reference to the owned socket. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The name of the cluster this reverse connection belongs to. + std::string cluster_name_; + // The socket that this IOHandle owns and manages lifetime for. + Network::ConnectionSocketPtr owned_socket_; +}; + +/** + * Socket interface that creates upstream reverse connection sockets. + * Manages cached reverse TCP connections and provides them when requested. + */ +class ReverseTunnelAcceptor : public Envoy::Network::SocketInterfaceBase, + public Envoy::Logger::Loggable { +public: + /** + * Constructs a ReverseTunnelAcceptor with the given server factory context. + * + * @param context the server factory context for this socket interface. + */ + ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context); + + ReverseTunnelAcceptor() : extension_(nullptr), context_(nullptr) {} + + // SocketInterface overrides + /** + * Create a socket without a specific address (no-op for reverse connections). + * @param socket_type the type of socket to create. + * @param addr_type the address type. + * @param version the IP version. + * @param socket_v6only whether to create IPv6-only socket. + * @param options socket creation options. + * @return nullptr since reverse connections require specific addresses. + */ + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, bool socket_v6only, + const Envoy::Network::SocketCreationOptions& options) const override; + + /** + * Create a socket with a specific address. + * @param socket_type the type of socket to create. + * @param addr the address to bind to. + * @param options socket creation options. + * @return IoHandlePtr for the reverse connection socket. + */ + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const override; + + /** + * @param domain the IP family domain (AF_INET, AF_INET6). + * @return true if the family is supported. + */ + bool ipFamilySupported(int domain) override; + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + class UpstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * Create a bootstrap extension for this socket interface. + * @param config the config. + * @param context the server factory context. + * @return BootstrapExtensionPtr for the socket interface extension. + */ + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override; + + /** + * @return MessagePtr containing the empty configuration. + */ + ProtobufTypes::MessagePtr createEmptyConfigProto() override; + + /** + * @return the interface name. + */ + std::string name() const override { + return "envoy.bootstrap.reverse_tunnel.upstream_socket_interface"; + } + + /** + * @return pointer to the extension for cross-thread aggregation. + */ + ReverseTunnelAcceptorExtension* getExtension() const { return extension_; } + + ReverseTunnelAcceptorExtension* extension_{nullptr}; + +private: + Server::Configuration::ServerFactoryContext* context_; +}; + +DECLARE_FACTORY(ReverseTunnelAcceptor); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc new file mode 100644 index 0000000000000..e253439cd5083 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc @@ -0,0 +1,281 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" + +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// UpstreamSocketThreadLocal implementation +UpstreamSocketThreadLocal::UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension) + : dispatcher_(dispatcher), + socket_manager_(std::make_unique(dispatcher, extension)) {} + +// ReverseTunnelAcceptorExtension implementation +void ReverseTunnelAcceptorExtension::onServerInitialized() { + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension::onServerInitialized - creating thread local slot"); + + // Set the extension reference in the socket interface. + if (socket_interface_) { + socket_interface_->extension_ = this; + } + + // Create thread local slot for dispatcher and socket manager. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + + // Set up the thread local dispatcher and socket manager. + tls_slot_->set([this](Event::Dispatcher& dispatcher) { + return std::make_shared(dispatcher, this); + }); +} + +// Get thread local registry for the current thread +UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { + if (!tls_slot_) { + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); + return nullptr; + } + + if (auto opt = tls_slot_->get(); opt.has_value()) { + return &opt.value().get(); + } + + return nullptr; +} + +std::pair, std::vector> +ReverseTunnelAcceptorExtension::getConnectionStatsSync(std::chrono::milliseconds /* timeout_ms */) { + + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: obtaining reverse connection stats"); + + // Get all gauges with the reverse_connections prefix. + auto connection_stats = getCrossWorkerStatMap(); + + std::vector connected_nodes; + std::vector accepted_connections; + + // Process the stats to extract connection information + for (const auto& [stat_name, count] : connection_stats) { + if (count > 0) { + // Parse stat name to extract node/cluster information. + // Format: ".reverse_connections.nodes." or + // ".reverse_connections.clusters.". + if (stat_name.find("reverse_connections.nodes.") != std::string::npos) { + // Find the position after "reverse_connections.nodes.". + size_t pos = stat_name.find("reverse_connections.nodes."); + if (pos != std::string::npos) { + std::string node_id = stat_name.substr(pos + strlen("reverse_connections.nodes.")); + connected_nodes.push_back(node_id); + } + } else if (stat_name.find("reverse_connections.clusters.") != std::string::npos) { + // Find the position after "reverse_connections.clusters.". + size_t pos = stat_name.find("reverse_connections.clusters."); + if (pos != std::string::npos) { + std::string cluster_id = stat_name.substr(pos + strlen("reverse_connections.clusters.")); + accepted_connections.push_back(cluster_id); + } + } + } + } + + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: found {} connected nodes, {} accepted connections", + connected_nodes.size(), accepted_connections.size()); + + return {connected_nodes, accepted_connections}; +} + +absl::flat_hash_map ReverseTunnelAcceptorExtension::getCrossWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Iterate through all gauges and filter for cross-worker stats only. + // Cross-worker stats have the pattern "reverse_connections.nodes." or + // "reverse_connections.clusters." (no dispatcher name in the middle). + Stats::IterateFn gauge_callback = + [&stats_map](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + (gauge_name.find("reverse_connections.nodes.") != std::string::npos || + gauge_name.find("reverse_connections.clusters.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: collected {} stats for reverse connections across all " + "worker threads", + stats_map.size()); + + return stats_map; +} + +void ReverseTunnelAcceptorExtension::updateConnectionStats(const std::string& node_id, + const std::string& cluster_id, + bool increment) { + + // Register stats with Envoy's system for automatic cross-thread aggregation + auto& stats_store = context_.scope(); + + // Create/update node connection stat + if (!node_id.empty()) { + std::string node_stat_name = fmt::format("reverse_connections.nodes.{}", node_id); + Stats::StatNameManagedStorage node_stat_name_storage(node_stat_name, stats_store.symbolTable()); + auto& node_gauge = stats_store.gaugeFromStatName(node_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + node_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented node stat {} to {}", + node_stat_name, node_gauge.value()); + } else { + if (node_gauge.value() > 0) { + node_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented node stat {} to {}", + node_stat_name, node_gauge.value()); + } + } + } + + // Create/update cluster connection stat. + if (!cluster_id.empty()) { + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", cluster_id); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } else { + if (cluster_gauge.value() > 0) { + cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } + } + } + + // Also update per-worker stats for debugging. + updatePerWorkerConnectionStats(node_id, cluster_id, increment); +} + +void ReverseTunnelAcceptorExtension::updatePerWorkerConnectionStats(const std::string& node_id, + const std::string& cluster_id, + bool increment) { + auto& stats_store = context_.scope(); + + // Get dispatcher name from the thread local dispatcher. + std::string dispatcher_name; + auto* local_registry = getLocalRegistry(); + if (local_registry == nullptr) { + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension: No local registry found"); + return; + } + + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: Updating stats for worker {}", dispatcher_name); + + // Create/update per-worker node connection stat + if (!node_id.empty()) { + std::string worker_node_stat_name = + fmt::format("reverse_connections.{}.node.{}", dispatcher_name, node_id); + Stats::StatNameManagedStorage worker_node_stat_name_storage(worker_node_stat_name, + stats_store.symbolTable()); + auto& worker_node_gauge = stats_store.gaugeFromStatName( + worker_node_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_node_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } else { + // Guardrail: only decrement if the gauge value is greater than 0 + if (worker_node_gauge.value() > 0) { + worker_node_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker node stat {} to {}", + worker_node_stat_name, worker_node_gauge.value()); + } else { + ENVOY_LOG(trace, + "ReverseTunnelAcceptorExtension: skipping decrement for worker node stat {} " + "(already at 0)", + worker_node_stat_name); + } + } + } + + // Create/update per-worker cluster connection stat + if (!cluster_id.empty()) { + std::string worker_cluster_stat_name = + fmt::format("reverse_connections.{}.cluster.{}", dispatcher_name, cluster_id); + Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, + stats_store.symbolTable()); + auto& worker_cluster_gauge = stats_store.gaugeFromStatName( + worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: incremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + // Guardrail: only decrement if the gauge value is greater than 0 + if (worker_cluster_gauge.value() > 0) { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + ENVOY_LOG(trace, + "ReverseTunnelAcceptorExtension: skipping decrement for worker cluster stat {} " + "(already at 0)", + worker_cluster_stat_name); + } + } + } +} + +absl::flat_hash_map ReverseTunnelAcceptorExtension::getPerWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Get the current dispatcher name. + std::string dispatcher_name = "main_thread"; // Default for main thread. + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index. + dispatcher_name = local_registry->dispatcher().name(); + } + + // Iterate through all gauges and filter for the current dispatcher. + Stats::IterateFn gauge_callback = + [&stats_map, &dispatcher_name](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelAcceptorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find("reverse_connections.") != std::string::npos && + gauge_name.find(dispatcher_name + ".") != std::string::npos && + (gauge_name.find(".node.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, "ReverseTunnelAcceptorExtension: collected {} stats for dispatcher '{}'", + stats_map.size(), dispatcher_name); + + return stats_map; +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h new file mode 100644 index 0000000000000..0b3bb4632873a --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h @@ -0,0 +1,182 @@ +#pragma once + +#include + +#include +#include + +#include "envoy/event/dispatcher.h" +#include "envoy/event/timer.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.validate.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" +#include "envoy/registry/registry.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class UpstreamSocketManager; +class ReverseTunnelAcceptorExtension; + +/** + * Thread local storage for ReverseTunnelAcceptor. + */ +class UpstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { +public: + /** + * Creates a new socket manager instance for the given dispatcher. + * @param dispatcher the thread-local dispatcher. + * @param extension the upstream extension for stats integration. + */ + UpstreamSocketThreadLocal(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension = nullptr); + + /** + * @return reference to the thread-local dispatcher. + */ + Event::Dispatcher& dispatcher() { return dispatcher_; } + + /** + * @return pointer to the thread-local socket manager. + */ + UpstreamSocketManager* socketManager() { return socket_manager_.get(); } + const UpstreamSocketManager* socketManager() const { return socket_manager_.get(); } + +private: + // Thread-local dispatcher. + Event::Dispatcher& dispatcher_; + // Thread-local socket manager. + std::unique_ptr socket_manager_; +}; + +/** + * Socket interface extension for upstream reverse connections. + */ +class ReverseTunnelAcceptorExtension + : public Envoy::Network::SocketInterfaceExtension, + public Envoy::Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelAcceptorExtensionTest; + +public: + /** + * @param sock_interface the reverse tunnel acceptor to extend. + * @param context the server factory context. + * @param config the configuration for this extension. + */ + ReverseTunnelAcceptorExtension( + ReverseTunnelAcceptor& sock_interface, Server::Configuration::ServerFactoryContext& context, + const envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface& config) + : Envoy::Network::SocketInterfaceExtension(sock_interface), context_(context), + socket_interface_(&sock_interface) { + ENVOY_LOG(debug, + "ReverseTunnelAcceptorExtension: creating upstream reverse connection " + "socket interface with stat_prefix: {}", + stat_prefix_); + stat_prefix_ = + PROTOBUF_GET_STRING_OR_DEFAULT(config, stat_prefix, "upstream_reverse_connection"); + // Ensure the socket interface has a reference to this extension early, so stats can be + // recorded even before onServerInitialized(). + if (socket_interface_ != nullptr) { + socket_interface_->extension_ = this; + } + } + + /** + * Called when the server is initialized. + */ + void onServerInitialized() override; + + /** + * Called when a worker thread is initialized. + */ + void onWorkerThreadInitialized() override {} + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + UpstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * @return reference to the stat prefix string. + */ + const std::string& statPrefix() const { return stat_prefix_; } + + /** + * Synchronous version for admin API endpoints that require immediate response on reverse + * connection stats. + * @param timeout_ms maximum time to wait for aggregation completion + * @return pair of or empty if timeout + */ + std::pair, std::vector> + getConnectionStatsSync(std::chrono::milliseconds timeout_ms = std::chrono::milliseconds(5000)); + + /** + * Get cross-worker aggregated reverse connection stats. + * @return map of node/cluster -> connection count across all worker threads. + */ + absl::flat_hash_map getCrossWorkerStatMap(); + + /** + * Update the cross-thread aggregated stats for the connection. + * @param node_id the node identifier for the connection. + * @param cluster_id the cluster identifier for the connection. + * @param increment whether to increment (true) or decrement (false) the connection count. + */ + void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, + bool increment); + + /** + * Update per-worker connection stats for debugging. + * @param node_id the node identifier for the connection. + * @param cluster_id the cluster identifier for the connection. + * @param increment whether to increment (true) or decrement (false) the connection count. + */ + void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, + bool increment); + + /** + * Get per-worker connection stats for debugging. + * @return map of node/cluster -> connection count for the current worker thread. + */ + absl::flat_hash_map getPerWorkerStatMap(); + + /** + * Get the stats scope for accessing global stats. + * @return reference to the stats scope. + */ + Stats::Scope& getStatsScope() const { return context_.scope(); } + + /** + * Test-only method to set the thread local slot. + * @param slot the thread local slot to set. + */ + void + setTestOnlyTLSRegistry(std::unique_ptr> slot) { + tls_slot_ = std::move(slot); + } + +private: + Server::Configuration::ServerFactoryContext& context_; + // Thread-local slot for storing the socket manager per worker thread. + std::unique_ptr> tls_slot_; + ReverseTunnelAcceptor* socket_interface_; + std::string stat_prefix_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc new file mode 100644 index 0000000000000..71ae06dbaa93f --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -0,0 +1,439 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/common/random_generator.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// UpstreamSocketManager implementation +UpstreamSocketManager::UpstreamSocketManager(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension) + : dispatcher_(dispatcher), random_generator_(std::make_unique()), + extension_(extension) { + ENVOY_LOG(debug, "reverse_tunnel: creating socket manager with stats integration"); + ping_timer_ = dispatcher_.createTimer([this]() { pingConnections(); }); +} + +void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, + const std::string& cluster_id, + Network::ConnectionSocketPtr socket, + const std::chrono::seconds& ping_interval, bool) { + ENVOY_LOG(debug, "reverse_tunnel: adding connection for node: {}, cluster: {}", node_id, + cluster_id); + + // Both node_id and cluster_id are mandatory for consistent state management and stats tracking. + if (node_id.empty() || cluster_id.empty()) { + ENVOY_LOG(error, + "reverse_tunnel: node_id or cluster_id cannot be empty. node: '{}', cluster: '{}'", + node_id, cluster_id); + return; + } + + const int fd = socket->ioHandle().fdDoNotUse(); + const std::string& connectionKey = socket->connectionInfoProvider().localAddress()->asString(); + + ENVOY_LOG(debug, "reverse_tunnel: adding socket for node: {}, cluster: {}", node_id, cluster_id); + + // Store node -> cluster mapping. + ENVOY_LOG(trace, "reverse_tunnel: adding mapping node: {} -> cluster: {}", node_id, cluster_id); + if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { + node_to_cluster_map_[node_id] = cluster_id; + cluster_to_node_map_[cluster_id].push_back(node_id); + } + ENVOY_LOG(trace, + "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has " + "{} entries", + node_to_cluster_map_.size(), cluster_to_node_map_.size()); + + ENVOY_LOG(trace, + "UpstreamSocketManager: added socket to accepted_reverse_connections_ for node: {} " + "cluster: {}", + node_id, cluster_id); + + // If local envoy is responding to reverse connections, add the socket to + // accepted_reverse_connections_. Thereafter, initiate ping keepalives on the socket. + accepted_reverse_connections_[node_id].push_back(std::move(socket)); + Network::ConnectionSocketPtr& socket_ref = accepted_reverse_connections_[node_id].back(); + + ENVOY_LOG(debug, "reverse_tunnel: mapping fd {} to node: {}", fd, node_id); + fd_to_node_map_[fd] = node_id; + + // Update stats registry + if (auto extension = getUpstreamExtension()) { + extension->updateConnectionStats(node_id, cluster_id, true /* increment */); + ENVOY_LOG(debug, "UpstreamSocketManager: updated stats registry for node '{}' cluster '{}'", + node_id, cluster_id); + } + + // onPingResponse() expects a ping reply on the socket. + fd_to_event_map_[fd] = dispatcher_.createFileEvent( + fd, + [this, &socket_ref](uint32_t events) { + ASSERT(events == Event::FileReadyType::Read); + onPingResponse(socket_ref->ioHandle()); + return absl::OkStatus(); + }, + Event::FileTriggerType::Edge, Event::FileReadyType::Read); + + fd_to_timer_map_[fd] = dispatcher_.createTimer([this, fd]() { markSocketDead(fd); }); + + // Initiate ping keepalives on the socket. + tryEnablePingTimer(std::chrono::seconds(ping_interval.count())); + + ENVOY_LOG( + info, + "UpstreamSocketManager: done adding socket to maps with node: {} connection key: {} fd: {}", + node_id, connectionKey, fd); +} + +Network::ConnectionSocketPtr +UpstreamSocketManager::getConnectionSocket(const std::string& node_id) { + + ENVOY_LOG(debug, "UpstreamSocketManager: getConnectionSocket() called with node_id: {}", node_id); + + if (node_to_cluster_map_.find(node_id) == node_to_cluster_map_.end()) { + ENVOY_LOG(error, "UpstreamSocketManager: cluster -> node mapping changed for node: {}", + node_id); + return nullptr; + } + + const std::string& cluster_id = node_to_cluster_map_[node_id]; + + ENVOY_LOG(debug, "UpstreamSocketManager: Looking for socket with node: {} cluster: {}", node_id, + cluster_id); + + // Find first available socket for the node. + auto node_sockets_it = accepted_reverse_connections_.find(node_id); + if (node_sockets_it == accepted_reverse_connections_.end() || node_sockets_it->second.empty()) { + ENVOY_LOG(debug, "UpstreamSocketManager: No available sockets for node: {}", node_id); + return nullptr; + } + + // Debugging: Print the number of free sockets on this worker thread + ENVOY_LOG(debug, "UpstreamSocketManager: Found {} sockets for node: {}", + node_sockets_it->second.size(), node_id); + + // Fetch the socket from the accepted_reverse_connections_ and remove it from the list + Network::ConnectionSocketPtr socket(std::move(node_sockets_it->second.front())); + node_sockets_it->second.pop_front(); + + const int fd = socket->ioHandle().fdDoNotUse(); + const std::string& remoteConnectionKey = + socket->connectionInfoProvider().remoteAddress()->asString(); + + ENVOY_LOG(debug, + "UpstreamSocketManager: Reverse conn socket with FD:{} connection key:{} found for " + "node: {} cluster: {}", + fd, remoteConnectionKey, node_id, cluster_id); + + fd_to_event_map_.erase(fd); + fd_to_timer_map_.erase(fd); + + cleanStaleNodeEntry(node_id); + + return socket; +} + +std::string UpstreamSocketManager::getNodeID(const std::string& key) { + ENVOY_LOG(debug, "UpstreamSocketManager: getNodeID() called with key: {}", key); + + // First check if the key exists as a cluster ID by checking global stats + // This ensures we check across all threads, not just the current thread + if (auto extension = getUpstreamExtension()) { + // Check if any thread has sockets for this cluster by looking at global stats. + std::string cluster_stat_name = fmt::format("reverse_connections.clusters.{}", key); + auto& stats_store = extension->getStatsScope(); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + + if (cluster_gauge.value() > 0) { + // Key is a cluster ID with active connections, find a node from this cluster + auto cluster_nodes_it = cluster_to_node_map_.find(key); + if (cluster_nodes_it != cluster_to_node_map_.end() && !cluster_nodes_it->second.empty()) { + // Return a random existing node from this cluster + auto node_idx = random_generator_->random() % cluster_nodes_it->second.size(); + std::string node_id = cluster_nodes_it->second[node_idx]; + ENVOY_LOG(debug, + "UpstreamSocketManager: key '{}' is cluster ID with {} connections, returning " + "random node: {}", + key, cluster_gauge.value(), node_id); + return node_id; + } + // If cluster has connections but no local mapping, assume key is a node ID + } + } + + // Key is not a cluster ID, has no connections, or has no local mapping + // Treat it as a node ID and return it directly + ENVOY_LOG(debug, "UpstreamSocketManager: key '{}' is node ID, returning as-is", key); + return key; +} + +void UpstreamSocketManager::markSocketDead(const int fd) { + ENVOY_LOG(trace, "UpstreamSocketManager: markSocketDead called for fd {}", fd); + + auto node_it = fd_to_node_map_.find(fd); + if (node_it == fd_to_node_map_.end()) { + ENVOY_LOG(debug, "UpstreamSocketManager: FD {} not found in fd_to_node_map_", fd); + return; + } + + const std::string node_id = node_it->second; // Make a COPY, not a reference + ENVOY_LOG(debug, "UpstreamSocketManager: found node '{}' for fd {}", node_id, fd); + + std::string cluster_id = (node_to_cluster_map_.find(node_id) != node_to_cluster_map_.end()) + ? node_to_cluster_map_[node_id] + : ""; + fd_to_node_map_.erase(fd); // Now it's safe to erase since node_id is a copy + + // Check if this is a used connection by looking for node_id in accepted_reverse_connections_ + auto& sockets = accepted_reverse_connections_[node_id]; + if (sockets.empty()) { + // This is a used connection. Mark the stats and return. The socket will be closed by the + // owning UpstreamReverseConnectionIOHandle. + ENVOY_LOG(debug, "UpstreamSocketManager: Marking used socket dead. node: {} cluster: {} FD: {}", + node_id, cluster_id, fd); + // Update Envoy's stats system for production multi-tenant tracking + // This ensures stats are decremented when connections are removed + if (auto extension = getUpstreamExtension()) { + extension->updateConnectionStats(node_id, cluster_id, false /* decrement */); + ENVOY_LOG(debug, + "UpstreamSocketManager: decremented stats registry for node '{}' cluster '{}'", + node_id, cluster_id); + } + + return; + } + + // This is an idle connection, find and remove it from the pool + bool socket_found = false; + for (auto itr = sockets.begin(); itr != sockets.end(); itr++) { + if (fd == itr->get()->ioHandle().fdDoNotUse()) { + ENVOY_LOG(debug, "UpstreamSocketManager: Marking socket dead; node: {}, cluster: {} FD: {}", + node_id, cluster_id, fd); + ::shutdown(fd, SHUT_RDWR); + itr = sockets.erase(itr); + socket_found = true; + + fd_to_event_map_.erase(fd); + fd_to_timer_map_.erase(fd); + + // Update Envoy's stats system for production multi-tenant tracking + // This ensures stats are decremented when connections are removed + if (auto extension = getUpstreamExtension()) { + extension->updateConnectionStats(node_id, cluster_id, false /* decrement */); + ENVOY_LOG(debug, + "UpstreamSocketManager: decremented stats registry for node '{}' cluster '{}'", + node_id, cluster_id); + } + break; + } + } + + if (!socket_found) { + ENVOY_LOG(error, "UpstreamSocketManager: Marking an invalid socket dead. node: {} FD: {}", + node_id, fd); + } + + if (sockets.size() == 0) { + cleanStaleNodeEntry(node_id); + } +} + +void UpstreamSocketManager::tryEnablePingTimer(const std::chrono::seconds& ping_interval) { + ENVOY_LOG(debug, "UpstreamSocketManager: trying to enable ping timer, ping interval: {}", + ping_interval.count()); + if (ping_interval_ != std::chrono::seconds::zero()) { + return; + } + ENVOY_LOG(debug, "UpstreamSocketManager: enabling ping timer, ping interval: {}", + ping_interval.count()); + ping_interval_ = ping_interval; + ping_timer_->enableTimer(ping_interval_); +} + +void UpstreamSocketManager::cleanStaleNodeEntry(const std::string& node_id) { + // Clean the given node-id, if there are no active sockets. + if (accepted_reverse_connections_.find(node_id) != accepted_reverse_connections_.end() && + accepted_reverse_connections_[node_id].size() > 0) { + ENVOY_LOG(debug, "Found {} active sockets for node: {}", + accepted_reverse_connections_[node_id].size(), node_id); + return; + } + ENVOY_LOG(debug, "UpstreamSocketManager: Cleaning stale node entry for node: {}", node_id); + + // Check if given node-id, is present in node_to_cluster_map_. If present, + // fetch the corresponding cluster-id. Use cluster-id and node-id to delete entry + // from cluster_to_node_map_ and node_to_cluster_map_ respectively. + const auto& node_itr = node_to_cluster_map_.find(node_id); + if (node_itr != node_to_cluster_map_.end()) { + const auto& cluster_itr = cluster_to_node_map_.find(node_itr->second); + if (cluster_itr != cluster_to_node_map_.end()) { + const auto& node_entry_itr = + find(cluster_itr->second.begin(), cluster_itr->second.end(), node_id); + + if (node_entry_itr != cluster_itr->second.end()) { + ENVOY_LOG(debug, "UpstreamSocketManager:Removing stale node {} from cluster {}", node_id, + cluster_itr->first); + cluster_itr->second.erase(node_entry_itr); + + // If the cluster to node-list map has an empty vector, remove + // the entry from map. + if (cluster_itr->second.size() == 0) { + cluster_to_node_map_.erase(cluster_itr); + } + } + } + node_to_cluster_map_.erase(node_itr); + } + + // Remove empty node entry from accepted_reverse_connections_ + accepted_reverse_connections_.erase(node_id); +} + +void UpstreamSocketManager::onPingResponse(Network::IoHandle& io_handle) { + const int fd = io_handle.fdDoNotUse(); + + Buffer::OwnedImpl buffer; + const auto ping_size = + ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE + .size(); + Api::IoCallUint64Result result = io_handle.read(buffer, absl::make_optional(ping_size)); + if (!result.ok()) { + ENVOY_LOG(debug, "UpstreamSocketManager: Read error on FD: {}: error - {}", fd, + result.err_->getErrorDetails()); + markSocketDead(fd); + return; + } + + // In this case, there is no read error, but the socket has been closed by the remote + // peer in a graceful manner, unlike a connection refused, or a reset. + if (result.return_value_ == 0) { + ENVOY_LOG(debug, "UpstreamSocketManager: FD: {}: reverse connection closed", fd); + markSocketDead(fd); + return; + } + + if (result.return_value_ < ping_size) { + ENVOY_LOG(debug, "UpstreamSocketManager: FD: {}: no complete ping data yet", fd); + return; + } + + if (!::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage( + buffer.toString())) { + ENVOY_LOG(debug, "UpstreamSocketManager: FD: {}: response is not RPING", fd); + markSocketDead(fd); + return; + } + ENVOY_LOG(trace, "UpstreamSocketManager: FD: {}: received ping response", fd); + fd_to_timer_map_[fd]->disableTimer(); +} + +void UpstreamSocketManager::pingConnections(const std::string& node_id) { + ENVOY_LOG(debug, "UpstreamSocketManager: Pinging connections for node: {}", node_id); + auto& sockets = accepted_reverse_connections_[node_id]; + ENVOY_LOG(debug, "UpstreamSocketManager: node:{} Number of sockets:{}", node_id, sockets.size()); + + auto itr = sockets.begin(); + while (itr != sockets.end()) { + int fd = itr->get()->ioHandle().fdDoNotUse(); + auto buffer = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility:: + createPingResponse(); + + auto ping_response_timeout = ping_interval_ / 2; + fd_to_timer_map_[fd]->enableTimer(ping_response_timeout); + + // Use a flag to signal whether the socket needs to be marked dead. If the socket is marked dead + // in markSocketDead(), it is erased from the list, and the iterator becomes invalid. We need to + // break out of the loop to avoid a use after free error. + bool socket_dead = false; + while (buffer->length() > 0) { + Api::IoCallUint64Result result = itr->get()->ioHandle().write(*buffer); + ENVOY_LOG(trace, + "UpstreamSocketManager: node:{} FD:{}: sending ping request. return_value: {}", + node_id, fd, result.return_value_); + if (result.return_value_ == 0) { + ENVOY_LOG(trace, "UpstreamSocketManager: node:{} FD:{}: sending ping rc {}, error - ", + node_id, fd, result.return_value_, result.err_->getErrorDetails()); + if (result.err_->getErrorCode() != Api::IoError::IoErrorCode::Again) { + ENVOY_LOG(error, "UpstreamSocketManager: node:{} FD:{}: failed to send ping", node_id, + fd); + markSocketDead(fd); + socket_dead = true; + break; + } + } + } + + if (buffer->length() > 0) { + // Move to next socket if current one couldn't be fully written + ++itr; + continue; + } + + if (socket_dead) { + // Socket was marked dead, iterator is now invalid, break out of the loop + break; + } + + // Move to next socket + ++itr; + } +} + +void UpstreamSocketManager::pingConnections() { + ENVOY_LOG(error, "UpstreamSocketManager: Pinging connections"); + for (auto& itr : accepted_reverse_connections_) { + pingConnections(itr.first); + } + ping_timer_->enableTimer(ping_interval_); +} + +UpstreamSocketManager::~UpstreamSocketManager() { + ENVOY_LOG(debug, "UpstreamSocketManager destructor called"); + + // Clean up all active file events and timers first + for (auto& [fd, event] : fd_to_event_map_) { + ENVOY_LOG(debug, "UpstreamSocketManager: cleaning up file event for FD: {}", fd); + event.reset(); // This will cancel the file event. + } + fd_to_event_map_.clear(); + + for (auto& [fd, timer] : fd_to_timer_map_) { + ENVOY_LOG(debug, "UpstreamSocketManager: cleaning up timer for FD: {}", fd); + timer.reset(); // This will cancel the timer. + } + fd_to_timer_map_.clear(); + + // Now mark all sockets as dead + std::vector fds_to_cleanup; + for (const auto& [fd, node_id] : fd_to_node_map_) { + fds_to_cleanup.push_back(fd); + } + + for (int fd : fds_to_cleanup) { + ENVOY_LOG(trace, "UpstreamSocketManager: marking socket dead in destructor for FD: {}", fd); + markSocketDead(fd); // false = not used, just cleanup + } + + // Clear the ping timer + if (ping_timer_) { + ping_timer_->disableTimer(); + ping_timer_.reset(); + } +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h new file mode 100644 index 0000000000000..43d435f8abb96 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h @@ -0,0 +1,139 @@ +#pragma once + +#include + +#include +#include +#include + +#include "envoy/event/dispatcher.h" +#include "envoy/event/timer.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/common/logger.h" +#include "source/common/common/random_generator.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class ReverseTunnelAcceptorExtension; + +/** + * Thread-local socket manager for upstream reverse connections. + */ +class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, + public Logger::Loggable { + // Friend class for testing + friend class TestUpstreamSocketManager; + +public: + UpstreamSocketManager(Event::Dispatcher& dispatcher, + ReverseTunnelAcceptorExtension* extension = nullptr); + + ~UpstreamSocketManager(); + + /** + * Add accepted connection to socket manager. + * @param node_id node_id of initiating node. + * @param cluster_id cluster_id of receiving cluster. + * @param socket the socket to be added. + * @param ping_interval the interval at which ping keepalives are sent. + * @param rebalanced true if adding socket after rebalancing. + */ + void addConnectionSocket(const std::string& node_id, const std::string& cluster_id, + Network::ConnectionSocketPtr socket, + const std::chrono::seconds& ping_interval, bool rebalanced); + + /** + * Get an available reverse connection socket. + * @param node_id the node ID to get a socket for. + * @return the connection socket, or nullptr if none available. + */ + Network::ConnectionSocketPtr getConnectionSocket(const std::string& node_id); + + /** + * Mark connection socket dead and remove from internal maps. + * @param fd the FD for the socket to be marked dead. + */ + void markSocketDead(const int fd); + + /** + * Ping all active reverse connections for health checks. + */ + void pingConnections(); + + /** + * Ping reverse connections for a specific node. + * @param node_id the node ID whose connections should be pinged. + */ + void pingConnections(const std::string& node_id); + + /** + * Enable the ping timer if not already enabled. + * @param ping_interval the interval at which ping keepalives should be sent. + */ + void tryEnablePingTimer(const std::chrono::seconds& ping_interval); + + /** + * Clean up stale node entries when no active sockets remain. + * @param node_id the node ID to clean up. + */ + void cleanStaleNodeEntry(const std::string& node_id); + + /** + * Handle ping response from a reverse connection. + * @param io_handle the IO handle for the socket that sent the ping response. + */ + void onPingResponse(Network::IoHandle& io_handle); + + /** + * Get the upstream extension for stats integration. + * @return pointer to the upstream extension or nullptr if not available. + */ + ReverseTunnelAcceptorExtension* getUpstreamExtension() const { return extension_; } + + /** + * Automatically discern whether the key is a node ID or cluster ID. + * @param key the key to get the node ID for. + * @return the node ID. + */ + std::string getNodeID(const std::string& key); + +private: + // Thread local dispatcher instance. + Event::Dispatcher& dispatcher_; + Random::RandomGeneratorPtr random_generator_; + + // Map of node IDs to connection sockets. + absl::flat_hash_map> + accepted_reverse_connections_; + + // Map from file descriptor to node ID. + absl::flat_hash_map fd_to_node_map_; + + // Map of node ID to cluster. + absl::flat_hash_map node_to_cluster_map_; + + // Map of cluster IDs to node IDs. + absl::flat_hash_map> cluster_to_node_map_; + + // File events and timers for ping functionality. + absl::flat_hash_map fd_to_event_map_; + absl::flat_hash_map fd_to_timer_map_; + + Event::TimerPtr ping_timer_; + std::chrono::seconds ping_interval_{0}; + + // Upstream extension for stats integration. + ReverseTunnelAcceptorExtension* extension_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 06512d6bd5279..c8120e840da1e 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -57,6 +57,12 @@ EXTENSIONS = { "envoy.bootstrap.wasm": "//source/extensions/bootstrap/wasm:config", + # + # Reverse Connection + # + + "envoy.bootstrap.reverse_tunnel.upstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + # # Health checkers # diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index b6a83474b7423..0642ed52854f4 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -75,6 +75,13 @@ envoy.bootstrap.wasm: status: alpha type_urls: - envoy.extensions.wasm.v3.WasmService +envoy.bootstrap.reverse_tunnel.upstream_socket_interface: + categories: + - envoy.bootstrap + security_posture: unknown + status: wip + type_urls: + - envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface envoy.extensions.http.cache.file_system_http_cache: categories: - envoy.http.cache diff --git a/test/extensions/bootstrap/reverse_tunnel/common/BUILD b/test/extensions/bootstrap/reverse_tunnel/common/BUILD new file mode 100644 index 0000000000000..01739aedda6ce --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/common/BUILD @@ -0,0 +1,22 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_test( + name = "reverse_connection_utility_test", + size = "medium", + srcs = ["reverse_connection_utility_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/network:connection_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc b/test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc new file mode 100644 index 0000000000000..dc9b849efc318 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility_test.cc @@ -0,0 +1,236 @@ +#include "source/common/buffer/buffer_impl.h" +#include "source/common/network/connection_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" + +#include "test/mocks/network/mocks.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionUtilityTest : public testing::Test { +protected: + ReverseConnectionUtilityTest() = default; +}; + +// Test isPingMessage functionality +TEST_F(ReverseConnectionUtilityTest, IsPingMessageEmptyData) { + // Test with empty data + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage(absl::string_view())); +} + +TEST_F(ReverseConnectionUtilityTest, IsPingMessageExactMatch) { + // Test with exact RPING match + EXPECT_TRUE(ReverseConnectionUtility::isPingMessage("RPING")); + EXPECT_TRUE(ReverseConnectionUtility::isPingMessage(absl::string_view("RPING"))); +} + +TEST_F(ReverseConnectionUtilityTest, IsPingMessageInvalidData) { + // Test with non-RPING data. isPingMessage should return false for these cases. + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("PING")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("RPIN")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("RPINGG")); + EXPECT_FALSE(ReverseConnectionUtility::isPingMessage("Hello World")); +} + +// Test createPingResponse functionality +TEST_F(ReverseConnectionUtilityTest, CreatePingResponse) { + auto ping_buffer = ReverseConnectionUtility::createPingResponse(); + + EXPECT_NE(ping_buffer, nullptr); + EXPECT_EQ(ping_buffer->toString(), "RPING"); + EXPECT_EQ(ping_buffer->length(), 5); +} + +// Test sendPingResponse with Connection +TEST_F(ReverseConnectionUtilityTest, SendPingResponseConnection) { + auto connection = std::make_unique>(); + + // Set up mock expectations + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::sendPingResponse(*connection); + + EXPECT_TRUE(result); +} + +// Test sendPingResponse with IoHandle +TEST_F(ReverseConnectionUtilityTest, SendPingResponseIoHandleSuccess) { + auto io_handle = std::make_unique>(); + + EXPECT_CALL(*io_handle, write(_)) + .WillOnce(Return(Api::IoCallUint64Result{5, Api::IoError::none()})); + + Api::IoCallUint64Result result = ReverseConnectionUtility::sendPingResponse(*io_handle); + + EXPECT_TRUE(result.ok()); + EXPECT_EQ(result.return_value_, 5); + EXPECT_EQ(result.err_, nullptr); +} + +TEST_F(ReverseConnectionUtilityTest, SendPingResponseIoHandleFailure) { + auto io_handle = std::make_unique>(); + + // Set up mock expectations for failed write + EXPECT_CALL(*io_handle, write(_)) + .WillOnce(Return(Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)})); + + Api::IoCallUint64Result result = ReverseConnectionUtility::sendPingResponse(*io_handle); + + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.return_value_, 0); + EXPECT_NE(result.err_, nullptr); +} + +// Test handlePingMessage functionality +TEST_F(ReverseConnectionUtilityTest, HandlePingMessageValidPing) { + auto connection = std::make_unique>(); + + // should call sendPingResponse and return true since it is a valid RPING message + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::handlePingMessage("RPING", *connection); + + EXPECT_TRUE(result); +} + +TEST_F(ReverseConnectionUtilityTest, HandlePingMessageInvalidData) { + auto connection = std::make_unique>(); + + // Should not call sendPingResponse for invalid data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::handlePingMessage("INVALID", *connection); + + EXPECT_FALSE(result); +} + +TEST_F(ReverseConnectionUtilityTest, HandlePingMessageEmptyData) { + auto connection = std::make_unique>(); + + // Should not call sendPingResponse for empty data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = ReverseConnectionUtility::handlePingMessage("", *connection); + + EXPECT_FALSE(result); +} + +// Test extractPingFromHttpData functionality +TEST_F(ReverseConnectionUtilityTest, ExtractPingFromHttpDataValid) { + // Test with RPING in HTTP response body + EXPECT_TRUE(ReverseConnectionUtility::extractPingFromHttpData("HTTP/1.1 200 OK\r\n\r\nRPING")); + EXPECT_TRUE(ReverseConnectionUtility::extractPingFromHttpData( + "GET /ping HTTP/1.1\r\nHost: example.com\r\n\r\nRPING")); + EXPECT_TRUE(ReverseConnectionUtility::extractPingFromHttpData( + "POST /data HTTP/1.1\r\nContent-Length: 5\r\n\r\nRPING")); +} + +TEST_F(ReverseConnectionUtilityTest, ExtractPingFromHttpDataInvalid) { + // Test with no RPING in HTTP data + EXPECT_FALSE(ReverseConnectionUtility::extractPingFromHttpData("HTTP/1.1 200 OK\r\n\r\nHello")); + EXPECT_FALSE(ReverseConnectionUtility::extractPingFromHttpData( + "GET /ping HTTP/1.1\r\nHost: example.com\r\n\r\nPING")); + EXPECT_FALSE(ReverseConnectionUtility::extractPingFromHttpData("")); +} + +// Test ReverseConnectionMessageHandlerFactory functionality +TEST_F(ReverseConnectionUtilityTest, CreatePingHandler) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + + EXPECT_NE(handler, nullptr); + EXPECT_EQ(handler->getPingCount(), 0); +} + +// Test PingMessageHandler functionality +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessValidPing) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = handler->processPingMessage("RPING", *connection); + + EXPECT_TRUE(result); + EXPECT_EQ(handler->getPingCount(), 1); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessInvalidPing) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations - should not call write for invalid data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = handler->processPingMessage("INVALID", *connection); + + EXPECT_FALSE(result); + EXPECT_EQ(handler->getPingCount(), 0); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessMultiplePings) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations for multiple writes + EXPECT_CALL(*connection, write(_, false)).Times(3); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + // Process multiple valid pings + EXPECT_TRUE(handler->processPingMessage("RPING", *connection)); + EXPECT_TRUE(handler->processPingMessage("RPING", *connection)); + EXPECT_TRUE(handler->processPingMessage("RPING", *connection)); + + EXPECT_EQ(handler->getPingCount(), 3); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerProcessEmptyPing) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + auto connection = std::make_unique>(); + + // Set up mock expectations - should not call write for empty data + EXPECT_CALL(*connection, write(_, _)).Times(0); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + bool result = handler->processPingMessage("", *connection); + + EXPECT_FALSE(result); + EXPECT_EQ(handler->getPingCount(), 0); +} + +TEST_F(ReverseConnectionUtilityTest, PingMessageHandlerGetPingCount) { + auto handler = ReverseConnectionMessageHandlerFactory::createPingHandler(); + + // Initially should be 0 + EXPECT_EQ(handler->getPingCount(), 0); + + // After processing a ping, should be 1 + auto connection = std::make_unique>(); + EXPECT_CALL(*connection, write(_, false)); + EXPECT_CALL(*connection, id()).WillRepeatedly(Return(12345)); + + handler->processPingMessage("RPING", *connection); + EXPECT_EQ(handler->getPingCount(), 1); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD new file mode 100644 index 0000000000000..607f4e8222b0f --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -0,0 +1,79 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "reverse_tunnel_acceptor_test", + size = "medium", + srcs = ["reverse_tunnel_acceptor_test.cc"], + extension_names = ["envoy.bootstrap.reverse_tunnel.upstream_socket_interface"], + deps = [ + "//source/common/network:utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_tunnel_acceptor_extension_test", + size = "medium", + srcs = ["reverse_tunnel_acceptor_extension_test.cc"], + deps = [ + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "upstream_socket_manager_test", + size = "large", + srcs = ["upstream_socket_manager_test.cc"], + deps = [ + "//source/common/network:utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "upstream_reverse_connection_io_handle_test", + size = "medium", + srcs = ["upstream_reverse_connection_io_handle_test.cc"], + deps = [ + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/network:network_mocks", + ], +) + +envoy_cc_test( + name = "config_validation_test", + size = "small", + srcs = ["config_validation_test.cc"], + deps = [ + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//test/mocks/server:factory_context_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc new file mode 100644 index 0000000000000..7c9d808dd3cd4 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/config_validation_test.cc @@ -0,0 +1,42 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" + +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +#include "test/mocks/server/factory_context.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + NiceMock context_; +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + config_.set_stat_prefix("reverse_tunnel"); + + ReverseTunnelAcceptor acceptor(context_); + + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + ReverseTunnelAcceptor acceptor(context_); + + EXPECT_NO_THROW(acceptor.createBootstrapExtension(config_, context_)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc new file mode 100644 index 0000000000000..ee8ade1e45a77 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc @@ -0,0 +1,338 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" + +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseTunnelAcceptorExtensionTest : public testing::Test { +protected: + ReverseTunnelAcceptorExtensionTest() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + config_.set_stat_prefix("test_prefix"); + socket_interface_ = std::make_unique(context_); + extension_ = + std::make_unique(*socket_interface_, context_, config_); + } + + void setupThreadLocalSlot() { + thread_local_registry_ = + std::make_shared(dispatcher_, extension_.get()); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->tls_slot_ = std::move(tls_slot_); + extension_->socket_interface_->extension_ = extension_.get(); + } + + void setupAnotherThreadLocalSlot() { + another_thread_local_registry_ = + std::make_shared(another_dispatcher_, extension_.get()); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + NiceMock another_dispatcher_{"worker_1"}; + std::shared_ptr another_thread_local_registry_; +}; + +TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithDefaultStatPrefix) { + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface empty_config; + + auto extension_with_default = + std::make_unique(*socket_interface_, context_, empty_config); + + EXPECT_EQ(extension_with_default->statPrefix(), "upstream_reverse_connection"); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithCustomStatPrefix) { + EXPECT_EQ(extension_->statPrefix(), "test_prefix"); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetStatsScope) { + EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, OnWorkerThreadInitialized) { + extension_->onWorkerThreadInitialized(); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, OnServerInitializedSetsExtensionReference) { + extension_->onServerInitialized(); + EXPECT_EQ(socket_interface_->getExtension(), extension_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryBeforeInitialization) { + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetLocalRegistryAfterInitialization) { + setupThreadLocalSlot(); + + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + + auto* socket_manager = registry->socketManager(); + EXPECT_NE(socket_manager, nullptr); + EXPECT_EQ(socket_manager->getUpstreamExtension(), extension_.get()); + + const auto* const_registry = extension_->getLocalRegistry(); + EXPECT_NE(const_registry, nullptr); + + const auto* const_socket_manager = const_registry->socketManager(); + EXPECT_NE(const_socket_manager, nullptr); + EXPECT_EQ(const_socket_manager->getUpstreamExtension(), extension_.get()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetPerWorkerStatMapSingleThread) { + setupThreadLocalSlot(); + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", true); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", true); + + auto stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); + + for (const auto& [stat_name, value] : stat_map) { + EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); + } + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + + stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 2); + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); + extension_->updatePerWorkerConnectionStats("node2", "cluster2", false); + + stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node1"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetCrossWorkerStatMapMultiThread) { + setupThreadLocalSlot(); + setupAnotherThreadLocalSlot(); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", true); + + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node3", "cluster3", true); + + thread_local_registry_ = original_registry; + + auto stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 3); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", false); + + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node1"], 4); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster1"], 4); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node2"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.nodes.node3"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.clusters.cluster3"], 1); + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); + + auto per_worker_stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node1"], 3); + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1"], 3); + + extension_->updateConnectionStats("node2", "cluster2", false); + + auto cross_worker_stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(cross_worker_stat_map["test_scope.reverse_connections.clusters.cluster2"], 0); + + per_worker_stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.node.node2"], 0); + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2"], 0); + + thread_local_registry_ = another_thread_local_registry_; + + extension_->updatePerWorkerConnectionStats("node1", "cluster1", false); + extension_->updatePerWorkerConnectionStats("node3", "cluster3", false); + + auto worker1_stat_map = extension_->getPerWorkerStatMap(); + + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node1"], 0); + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1"], 0); + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.node.node3"], 0); + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3"], 0); + + thread_local_registry_ = original_registry; +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncMultiThread) { + setupThreadLocalSlot(); + setupAnotherThreadLocalSlot(); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", true); + + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node3", "cluster3", true); + + thread_local_registry_ = original_registry; + + auto result = extension_->getConnectionStatsSync(); + auto& [connected_nodes, accepted_connections] = result; + + EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); + + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node1") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node2") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "node3") != + connected_nodes.end()); + + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != + accepted_connections.end()); + + extension_->updateConnectionStats("node1", "cluster1", true); + extension_->updateConnectionStats("node2", "cluster2", false); + + result = extension_->getConnectionStatsSync(); + auto& [updated_connected_nodes, updated_accepted_connections] = result; + + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node2") == + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster2") == updated_accepted_connections.end()); + + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node1") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "node3") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster1") != updated_accepted_connections.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster3") != updated_accepted_connections.end()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, GetConnectionStatsSyncTimeout) { + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); + + auto& [connected_nodes, accepted_connections] = result; + EXPECT_TRUE(connected_nodes.empty()); + EXPECT_TRUE(accepted_connections.empty()); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv4) { + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportIPv6) { + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, IpFamilySupportUnknown) { + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(-1)); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, ExtensionNotInitialized) { + ReverseTunnelAcceptor acceptor(context_); + auto registry = acceptor.getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, CreateEmptyConfigProto) { + auto proto = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(proto, nullptr); + + auto* typed_proto = + dynamic_cast(proto.get()); + EXPECT_NE(typed_proto, nullptr); +} + +TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { + EXPECT_EQ(socket_interface_->name(), "envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc new file mode 100644 index 0000000000000..73b2a395f9837 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_test.cc @@ -0,0 +1,241 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" + +#include "source/common/network/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class TestReverseTunnelAcceptor : public testing::Test { +protected: + TestReverseTunnelAcceptor() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + config_.set_stat_prefix("test_prefix"); + socket_interface_ = std::make_unique(context_); + extension_ = + std::make_unique(*socket_interface_, context_, config_); + + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + void TearDown() override { + socket_manager_.reset(); + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + void setupThreadLocalSlot() { + extension_->onServerInitialized(); + thread_local_registry_ = + std::make_shared(dispatcher_, extension_.get()); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + socket->io_handle_ = std::move(mock_io_handle); + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + Network::Address::InstanceConstSharedPtr + createAddressWithLogicalName(const std::string& logical_name) { + class TestAddress : public Network::Address::Instance { + public: + TestAddress(const std::string& logical_name) : logical_name_(logical_name) { + address_string_ = "127.0.0.1:8080"; + } + + bool operator==(const Instance& rhs) const override { + return logical_name_ == rhs.logicalName(); + } + Network::Address::Type type() const override { return Network::Address::Type::Ip; } + const std::string& asString() const override { return address_string_; } + absl::string_view asStringView() const override { return address_string_; } + const std::string& logicalName() const override { return logical_name_; } + const Network::Address::Ip* ip() const override { return nullptr; } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } + const sockaddr* sockAddr() const override { return nullptr; } + socklen_t sockAddrLen() const override { return 0; } + absl::string_view addressType() const override { return "test"; } + absl::optional networkNamespace() const override { return absl::nullopt; } + const Network::SocketInterface& socketInterface() const override { + return Network::SocketInterfaceSingleton::get(); + } + + private: + std::string logical_name_; + std::string address_string_; + }; + + return std::make_shared(logical_name); + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_; + + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr socket_manager_; + + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; +}; + +TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryNoExtension) { + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, GetLocalRegistryWithExtension) { + setupThreadLocalSlot(); + + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); +} + +TEST_F(TestReverseTunnelAcceptor, CreateBootstrapExtension) { + auto extension = socket_interface_->createBootstrapExtension(config_, context_); + EXPECT_NE(extension, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, CreateEmptyConfigProto) { + auto config = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(config, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithoutAddress) { + Network::SocketCreationOptions options; + auto io_handle = + socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v4, false, options); + EXPECT_EQ(io_handle, nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressNoThreadLocal) { + const std::string node_id = "test-node"; + auto address = createAddressWithLogicalName(node_id); + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); + EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); + + // Verify fallback counter increments for diagnostics. + // Counter name is "..fallback_no_reverse_socket". + auto& scope = extension_->getStatsScope(); + std::string counter_name = absl::StrCat(extension_->statPrefix(), ".fallback_no_reverse_socket"); + Stats::StatNameManagedStorage counter_name_storage(counter_name, scope.symbolTable()); + auto& counter = scope.counterFromStatName(counter_name_storage.statName()); + EXPECT_EQ(counter.value(), 1); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalNoCachedSockets) { + setupThreadLocalSlot(); + + const std::string node_id = "test-node"; + auto address = createAddressWithLogicalName(node_id); + + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); + EXPECT_EQ(dynamic_cast(io_handle.get()), nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, SocketWithAddressAndThreadLocalWithCachedSockets) { + setupThreadLocalSlot(); + + auto* tls_socket_manager = socket_interface_->getLocalRegistry()->socketManager(); + EXPECT_NE(tls_socket_manager, nullptr); + + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + tls_socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto address = createAddressWithLogicalName(node_id); + + Network::SocketCreationOptions options; + auto io_handle = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(io_handle, nullptr); + + auto* upstream_io_handle = dynamic_cast(io_handle.get()); + EXPECT_NE(upstream_io_handle, nullptr); + + auto another_io_handle = + socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(another_io_handle, nullptr); + EXPECT_EQ(dynamic_cast(another_io_handle.get()), nullptr); +} + +TEST_F(TestReverseTunnelAcceptor, IpFamilySupported) { + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc new file mode 100644 index 0000000000000..ea1f5231176d8 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc @@ -0,0 +1,96 @@ +#include "source/common/network/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" + +#include "test/mocks/network/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class TestUpstreamReverseConnectionIOHandle : public testing::Test { +protected: + TestUpstreamReverseConnectionIOHandle() { + mock_socket_ = std::make_unique>(); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + mock_socket_->io_handle_ = std::move(mock_io_handle); + + io_handle_ = std::make_unique(std::move(mock_socket_), + "test-cluster"); + } + + void TearDown() override { io_handle_.reset(); } + + std::unique_ptr> mock_socket_; + std::unique_ptr io_handle_; +}; + +TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + auto result = io_handle_->connect(address); + + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { + auto result = io_handle_->close(); + + EXPECT_EQ(result.err_, nullptr); +} + +TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { + const auto& socket = io_handle_->getSocket(); + + EXPECT_NE(&socket, nullptr); +} + +class UpstreamReverseConnectionIOHandleTest : public testing::Test { +protected: + void SetUp() override { + auto socket = std::make_unique>(); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + socket->io_handle_ = std::move(mock_io_handle); + + handle_ = + std::make_unique(std::move(socket), "test-cluster"); + } + + std::unique_ptr handle_; +}; + +TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { + auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); + + auto result = handle_->connect(address); + + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsValidReference) { + const auto& socket = handle_->getSocket(); + EXPECT_NE(&socket, nullptr); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc new file mode 100644 index 0000000000000..83dd07f61012a --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc @@ -0,0 +1,755 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" + +#include "source/common/network/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class TestUpstreamSocketManager : public testing::Test { +protected: + TestUpstreamSocketManager() { + // Set up the stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + + // Create the config + config_.set_stat_prefix("test_prefix"); + + // Create the socket interface + socket_interface_ = std::make_unique(context_); + + // Create the extension + extension_ = + std::make_unique(*socket_interface_, context_, config_); + + // Set up mock dispatcher with default expectations + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + + // Create the socket manager with real extension + socket_manager_ = std::make_unique(dispatcher_, extension_.get()); + } + + void TearDown() override { + socket_manager_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper methods to access private members (friend class works for these methods) + void verifyInitialState() { + EXPECT_EQ(socket_manager_->accepted_reverse_connections_.size(), 0); + EXPECT_EQ(socket_manager_->fd_to_node_map_.size(), 0); + EXPECT_EQ(socket_manager_->node_to_cluster_map_.size(), 0); + EXPECT_EQ(socket_manager_->cluster_to_node_map_.size(), 0); + } + + bool verifyFDToNodeMap(int fd) { + return socket_manager_->fd_to_node_map_.find(fd) != socket_manager_->fd_to_node_map_.end(); + } + + bool verifyFDToEventMap(int fd) { + return socket_manager_->fd_to_event_map_.find(fd) != socket_manager_->fd_to_event_map_.end(); + } + + bool verifyFDToTimerMap(int fd) { + return socket_manager_->fd_to_timer_map_.find(fd) != socket_manager_->fd_to_timer_map_.end(); + } + + size_t getFDToEventMapSize() { return socket_manager_->fd_to_event_map_.size(); } + size_t getFDToTimerMapSize() { return socket_manager_->fd_to_timer_map_.size(); } + + size_t verifyAcceptedReverseConnectionsMap(const std::string& node_id) { + auto it = socket_manager_->accepted_reverse_connections_.find(node_id); + if (it == socket_manager_->accepted_reverse_connections_.end()) { + return 0; + } + return it->second.size(); + } + + std::string getNodeToClusterMapping(const std::string& node_id) { + auto it = socket_manager_->node_to_cluster_map_.find(node_id); + if (it == socket_manager_->node_to_cluster_map_.end()) { + return ""; + } + return it->second; + } + + std::vector getClusterToNodeMapping(const std::string& cluster_id) { + auto it = socket_manager_->cluster_to_node_map_.find(cluster_id); + if (it == socket_manager_->cluster_to_node_map_.end()) { + return {}; + } + return it->second; + } + + size_t getNodeToClusterMapSize() { return socket_manager_->node_to_cluster_map_.size(); } + size_t getClusterToNodeMapSize() { return socket_manager_->cluster_to_node_map_.size(); } + size_t getAcceptedReverseConnectionsSize() { + return socket_manager_->accepted_reverse_connections_.size(); + } + + // Helper methods for the new test cases + void addNodeToClusterMapping(const std::string& node_id, const std::string& cluster_id) { + socket_manager_->node_to_cluster_map_[node_id] = cluster_id; + socket_manager_->cluster_to_node_map_[cluster_id].push_back(node_id); + } + + void addFDToNodeMapping(int fd, const std::string& node_id) { + socket_manager_->fd_to_node_map_[fd] = node_id; + } + + // Helper to create a mock socket with proper address setup + Network::ConnectionSocketPtr createMockSocket(int fd = 123, + const std::string& local_addr = "127.0.0.1:8080", + const std::string& remote_addr = "127.0.0.1:9090") { + auto socket = std::make_unique>(); + + // Parse local address (IP:port format) + auto local_colon_pos = local_addr.find(':'); + std::string local_ip = local_addr.substr(0, local_colon_pos); + uint32_t local_port = std::stoi(local_addr.substr(local_colon_pos + 1)); + auto local_address = Network::Utility::parseInternetAddressNoThrow(local_ip, local_port); + + // Parse remote address (IP:port format) + auto remote_colon_pos = remote_addr.find(':'); + std::string remote_ip = remote_addr.substr(0, remote_colon_pos); + uint32_t remote_port = std::stoi(remote_addr.substr(remote_colon_pos + 1)); + auto remote_address = Network::Utility::parseInternetAddressNoThrow(remote_ip, remote_port); + + // Create a mock IO handle and set it up + auto mock_io_handle = std::make_unique>(); + auto* mock_io_handle_ptr = mock_io_handle.get(); + EXPECT_CALL(*mock_io_handle_ptr, fdDoNotUse()).WillRepeatedly(Return(fd)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_ptr)); + + // Store the mock_io_handle in the socket + socket->io_handle_ = std::move(mock_io_handle); + + // Set up connection info provider with the desired addresses + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + return socket; + } + + // Helper to get sockets for a node + std::list& getSocketsForNode(const std::string& node_id) { + return socket_manager_->accepted_reverse_connections_[node_id]; + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_; + + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr socket_manager_; +}; + +TEST_F(TestUpstreamSocketManager, CreateUpstreamSocketManager) { + EXPECT_NE(socket_manager_, nullptr); + auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); + EXPECT_NE(socket_manager_no_extension, nullptr); +} + +TEST_F(TestUpstreamSocketManager, GetUpstreamExtension) { + EXPECT_EQ(socket_manager_->getUpstreamExtension(), extension_.get()); + auto socket_manager_no_extension = std::make_unique(dispatcher_, nullptr); + EXPECT_EQ(socket_manager_no_extension->getUpstreamExtension(), nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyClusterId) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = ""; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + verifyInitialState(); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddConnectionSocketEmptyNodeId) { + auto socket = createMockSocket(456); + const std::string node_id = ""; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + verifyInitialState(); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddAndGetMultipleSocketsSameNode) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + auto socket3 = createMockSocket(789); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_TRUE(verifyFDToNodeMap(123)); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_TRUE(verifyFDToNodeMap(456)); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, + false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + EXPECT_EQ(getFDToEventMapSize(), 3); + EXPECT_EQ(getFDToTimerMapSize(), 3); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket1, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket2, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + + auto retrieved_socket3 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket3, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + + auto retrieved_socket4 = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(retrieved_socket4, nullptr); +} + +TEST_F(TestUpstreamSocketManager, AddAndGetSocketsMultipleNodes) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node1 = "node1"; + const std::string node2 = "node2"; + const std::string cluster1 = "cluster1"; + const std::string cluster2 = "cluster2"; + const std::chrono::seconds ping_interval(30); + + verifyInitialState(); + + socket_manager_->addConnectionSocket(node1, cluster1, std::move(socket1), ping_interval, false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); + EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); + + socket_manager_->addConnectionSocket(node2, cluster2, std::move(socket2), ping_interval, false); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 1); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 1); + EXPECT_EQ(getNodeToClusterMapping(node1), cluster1); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster2); + + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); + EXPECT_NE(retrieved_socket1, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node1), 0); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); + EXPECT_NE(retrieved_socket2, nullptr); + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node2), 0); +} + +TEST_F(TestUpstreamSocketManager, TestGetNodeID) { + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + auto socket1 = createMockSocket(123); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + std::string result_for_cluster = socket_manager_->getNodeID(cluster_id); + EXPECT_EQ(result_for_cluster, node_id); + + std::string result_for_node = socket_manager_->getNodeID(node_id); + EXPECT_EQ(result_for_node, node_id); + + const std::string non_existent_cluster = "non-existent-cluster"; + std::string result_for_non_existent = socket_manager_->getNodeID(non_existent_cluster); + EXPECT_EQ(result_for_non_existent, non_existent_cluster); +} + +TEST_F(TestUpstreamSocketManager, GetConnectionSocketEmpty) { + auto socket = socket_manager_->getConnectionSocket("non-existent-node"); + EXPECT_EQ(socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryWithActiveSockets) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); + + socket_manager_->cleanStaleNodeEntry(node_id); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getClusterToNodeMapping(cluster_id).size(), 1); +} + +TEST_F(TestUpstreamSocketManager, CleanStaleNodeEntryClusterCleanup) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node1 = "node1"; + const std::string node2 = "node2"; + const std::string cluster_id = "shared-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node1, cluster_id, std::move(socket1), ping_interval, false); + socket_manager_->addConnectionSocket(node2, cluster_id, std::move(socket2), ping_interval, false); + + EXPECT_EQ(getNodeToClusterMapping(node1), cluster_id); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 2); + EXPECT_EQ(getClusterToNodeMapSize(), 1); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node1); + EXPECT_NE(retrieved_socket1, nullptr); + + EXPECT_EQ(getNodeToClusterMapping(node1), ""); + EXPECT_EQ(getNodeToClusterMapping(node2), cluster_id); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + EXPECT_EQ(cluster_nodes[0], node2); + EXPECT_EQ(getClusterToNodeMapSize(), 1); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node2); + EXPECT_NE(retrieved_socket2, nullptr); + + EXPECT_EQ(getNodeToClusterMapping(node1), ""); + EXPECT_EQ(getNodeToClusterMapping(node2), ""); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); + EXPECT_EQ(getClusterToNodeMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, FileEventAndTimerCleanup) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + + auto retrieved_socket1 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket1, nullptr); + + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + + auto retrieved_socket2 = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket2, nullptr); + + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketNotPresentDead) { + socket_manager_->markSocketDead(999); + socket_manager_->markSocketDead(-1); + socket_manager_->markSocketDead(0); +} + +TEST_F(TestUpstreamSocketManager, MarkIdleSocketDead) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_TRUE(verifyFDToNodeMap(123)); + + socket_manager_->markSocketDead(123); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, MarkUsedSocketDead) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_TRUE(verifyFDToNodeMap(123)); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + + socket_manager_->markSocketDead(123); + + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadTriggerCleanup) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + auto cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 1); + + socket_manager_->markSocketDead(123); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + cluster_nodes = getClusterToNodeMapping(cluster_id); + EXPECT_EQ(cluster_nodes.size(), 0); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadMultipleSockets) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + auto socket3 = createMockSocket(789); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket3), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 3); + EXPECT_EQ(getFDToEventMapSize(), 3); + EXPECT_EQ(getFDToTimerMapSize(), 3); + + socket_manager_->markSocketDead(123); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + EXPECT_EQ(getFDToEventMapSize(), 2); + EXPECT_EQ(getFDToTimerMapSize(), 2); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToEventMap(123)); + EXPECT_FALSE(verifyFDToTimerMap(123)); + EXPECT_TRUE(verifyFDToNodeMap(456)); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + + socket_manager_->markSocketDead(456); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_FALSE(verifyFDToNodeMap(456)); + EXPECT_FALSE(verifyFDToEventMap(456)); + EXPECT_FALSE(verifyFDToTimerMap(456)); + EXPECT_TRUE(verifyFDToNodeMap(789)); + + socket_manager_->markSocketDead(789); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); + EXPECT_EQ(getFDToEventMapSize(), 0); + EXPECT_EQ(getFDToTimerMapSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, PingConnectionsWriteSuccess) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto& sockets = getSocketsForNode(node_id); + auto* mock_io_handle1 = + dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = + dynamic_cast*>(&sockets.back()->ioHandle()); + + EXPECT_CALL(*mock_io_handle1, write(_)) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; + })); + EXPECT_CALL(*mock_io_handle2, write(_)) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()}; + })); + + socket_manager_->pingConnections(); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); +} + +TEST_F(TestUpstreamSocketManager, PingConnectionsWriteFailure) { + auto socket1 = createMockSocket(123); + auto socket2 = createMockSocket(456); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket1), ping_interval, + false); + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket2), ping_interval, + false); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 2); + + auto& sockets = getSocketsForNode(node_id); + auto* mock_io_handle1 = + dynamic_cast*>(&sockets.front()->ioHandle()); + auto* mock_io_handle2 = + dynamic_cast*>(&sockets.back()->ioHandle()); + + EXPECT_CALL(*mock_io_handle1, write(_)) + .Times(1) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(ECONNRESET)}; + })); + + socket_manager_->pingConnections(node_id); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 1); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_TRUE(verifyFDToNodeMap(456)); + EXPECT_EQ(getNodeToClusterMapping(node_id), cluster_id); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 1); + + EXPECT_CALL(*mock_io_handle2, write(_)) + .Times(1) + .WillRepeatedly(Invoke([](Buffer::Instance& buffer) -> Api::IoCallUint64Result { + buffer.drain(buffer.length()); + return Api::IoCallUint64Result{0, Network::IoSocketError::create(EPIPE)}; + })); + + socket_manager_->pingConnections(node_id); + + EXPECT_EQ(verifyAcceptedReverseConnectionsMap(node_id), 0); + EXPECT_FALSE(verifyFDToNodeMap(123)); + EXPECT_FALSE(verifyFDToNodeMap(456)); + EXPECT_EQ(getNodeToClusterMapping(node_id), ""); + EXPECT_EQ(getAcceptedReverseConnectionsSize(), 0); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseValidResponse) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + const std::string ping_response = "RPING"; + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(ping_response); + return Api::IoCallUint64Result{ping_response.size(), Api::IoError::none()}; + }); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_TRUE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseReadError) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce( + Return(Api::IoCallUint64Result{0, Network::IoSocketError::getIoSocketEagainError()})); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseConnectionClosed) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce(Return(Api::IoCallUint64Result{0, Api::IoError::none()})); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, OnPingResponseInvalidData) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto mock_io_handle = std::make_unique>(); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); + + const std::string invalid_response = "INVALID_DATA"; + EXPECT_CALL(*mock_io_handle, read(_, _)) + .WillOnce([&](Buffer::Instance& buffer, absl::optional) -> Api::IoCallUint64Result { + buffer.add(invalid_response); + return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; + }); + + socket_manager_->onPingResponse(*mock_io_handle); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +TEST_F(TestUpstreamSocketManager, GetConnectionSocketNoSocketsButValidMapping) { + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + + addNodeToClusterMapping(node_id, cluster_id); + + auto socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_EQ(socket, nullptr); +} + +TEST_F(TestUpstreamSocketManager, MarkSocketDeadInvalidSocketNotInPool) { + auto socket = createMockSocket(123); + const std::string node_id = "test-node"; + const std::string cluster_id = "test-cluster"; + const std::chrono::seconds ping_interval(30); + + socket_manager_->addConnectionSocket(node_id, cluster_id, std::move(socket), ping_interval, + false); + + auto retrieved_socket = socket_manager_->getConnectionSocket(node_id); + EXPECT_NE(retrieved_socket, nullptr); + + addFDToNodeMapping(123, node_id); + + socket_manager_->markSocketDead(123); + + EXPECT_FALSE(verifyFDToNodeMap(123)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 54d4c26c34c69..d00f0c2cdbdcb 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -5,6 +5,7 @@ ABI ACK ACL +ACCEPTOR AES AJAX AllMuxes From ee9d3b13f0e73930236b9371554e3f3ac3fcf7c4 Mon Sep 17 00:00:00 2001 From: Matt Leon Date: Thu, 28 Aug 2025 20:42:37 -0400 Subject: [PATCH 320/505] composite: allow filters to be added on encode path (#40800) * Commit Message: composite: allow filters to be added on encode path * Additional Description: Removes assertion preventing matchers from inserting a filter on the response path. It appears like this behavior used to cause a crash or be validated against, but it doesn't appear to still be the case. This is very useful for end-users who would like to, for example, mutate the response body for a filter when a request header is specified and the content-type matches, which could be especially expensive if the executed filter is ext_proc. * Risk Level: medium (new feature in existing filter) * Testing: integration. Also tested locally with an end-to-end test with ext_proc. * Docs Changes: Removed stipulation that matching can only rely on request headers. * Release Notes: Added note that composite filter can be configured to match outside of request headers. * Platform Specific Features: None. Signed-off-by: Matt Leon --- changelogs/current.yaml | 3 + .../http/http_filters/composite_filter.rst | 8 +- .../filters/http/composite/factory_wrapper.cc | 3 - .../filters/http/composite/filter.cc | 2 - .../filters/http/composite/filter.h | 6 -- test/extensions/filters/http/composite/BUILD | 2 + .../composite_filter_integration_test.cc | 73 +++++++++++++++++++ 7 files changed, 82 insertions(+), 15 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index bd550853fe7ae..da41eb3fb180e 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -291,6 +291,9 @@ new_features: extract trace information from W3C trace headers when B3 headers are not present (downstream), and inject both B3 and W3C trace headers for upstream requests to maximize compatibility. The default value ``USE_B3`` maintains backward compatibility with B3-only behavior. +- area: composite + change: | + Allow composite filter to be configured to insert a filter into filter chain outside of the decode headers lifecycle phase. - area: rbac change: | Switch the IP matcher to use LC-Trie for performance improvements. diff --git a/docs/root/configuration/http/http_filters/composite_filter.rst b/docs/root/configuration/http/http_filters/composite_filter.rst index 2f2851e8864de..5c07663308fb4 100644 --- a/docs/root/configuration/http/http_filters/composite_filter.rst +++ b/docs/root/configuration/http/http_filters/composite_filter.rst @@ -9,10 +9,10 @@ or filter configurations to be selected based on the incoming request, allowing configuration that could become prohibitive when making use of per route configurations (e.g. because the cardinality would cause a route table explosion). -The filter does not do any kind of buffering, and as a result it must be able to instantiate the -filter it will delegate to before it receives any callbacks that it needs to delegate. Because of -this, in order to delegate all the data to the specified filter, the decision must be made based -on just the request headers. +The filter does not do any kind of buffering, and as a result it will only +delegate callbacks received during or after the phase which instantiates the +delegated filter. In order to delegate all the data to the specified filter, +the decision must be made based on just the request headers. Delegation can fail if the filter factory attempted to use a callback not supported by the composite filter. In either case, the ``.composite.delegation_error`` stat will be diff --git a/source/extensions/filters/http/composite/factory_wrapper.cc b/source/extensions/filters/http/composite/factory_wrapper.cc index c53399f08f6e4..36ba47fcbb506 100644 --- a/source/extensions/filters/http/composite/factory_wrapper.cc +++ b/source/extensions/filters/http/composite/factory_wrapper.cc @@ -7,7 +7,6 @@ namespace Extensions { namespace HttpFilters { namespace Composite { void FactoryCallbacksWrapper::addStreamDecoderFilter(Http::StreamDecoderFilterSharedPtr filter) { - ASSERT(!filter_.decoded_headers_); if (filter_to_inject_) { errors_.push_back(absl::InvalidArgumentError( "cannot delegate to decoder filter that instantiates multiple filters")); @@ -18,7 +17,6 @@ void FactoryCallbacksWrapper::addStreamDecoderFilter(Http::StreamDecoderFilterSh } void FactoryCallbacksWrapper::addStreamEncoderFilter(Http::StreamEncoderFilterSharedPtr filter) { - ASSERT(!filter_.decoded_headers_); if (filter_to_inject_) { errors_.push_back(absl::InvalidArgumentError( "cannot delegate to encoder filter that instantiates multiple filters")); @@ -29,7 +27,6 @@ void FactoryCallbacksWrapper::addStreamEncoderFilter(Http::StreamEncoderFilterSh } void FactoryCallbacksWrapper::addStreamFilter(Http::StreamFilterSharedPtr filter) { - ASSERT(!filter_.decoded_headers_); if (filter_to_inject_) { errors_.push_back(absl::InvalidArgumentError( "cannot delegate to stream filter that instantiates multiple filters")); diff --git a/source/extensions/filters/http/composite/filter.cc b/source/extensions/filters/http/composite/filter.cc index 072beefa78da0..f53850ee4b327 100644 --- a/source/extensions/filters/http/composite/filter.cc +++ b/source/extensions/filters/http/composite/filter.cc @@ -40,8 +40,6 @@ std::unique_ptr MatchedActionInfo::buildProtoStruct() const { } Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, bool end_stream) { - decoded_headers_ = true; - return delegateFilterActionOr(delegated_filter_, &StreamDecoderFilter::decodeHeaders, Http::FilterHeadersStatus::Continue, headers, end_stream); } diff --git a/source/extensions/filters/http/composite/filter.h b/source/extensions/filters/http/composite/filter.h index 3f64e619e8abb..b1ddf8f07ef36 100644 --- a/source/extensions/filters/http/composite/filter.h +++ b/source/extensions/filters/http/composite/filter.h @@ -118,12 +118,6 @@ class Filter : public Http::StreamFilter, const std::string& action_name); Event::Dispatcher& dispatcher_; - // Use these to track whether we are allowed to insert a specific kind of filter. These mainly - // serve to surface an easier to understand error, as attempting to insert a filter at a later - // time will result in various FM assertions firing. - // We should be protected against this by the match tree validation that only allows request - // headers, this just provides some additional sanity checking. - bool decoded_headers_{false}; // Wraps a stream encoder OR a stream decoder filter into a stream filter, making it easier to // delegate calls. diff --git a/test/extensions/filters/http/composite/BUILD b/test/extensions/filters/http/composite/BUILD index 98b3de4f8eea3..6fa15687520a9 100644 --- a/test/extensions/filters/http/composite/BUILD +++ b/test/extensions/filters/http/composite/BUILD @@ -36,6 +36,7 @@ envoy_extension_cc_test( srcs = ["composite_filter_integration_test.cc"], extension_names = ["envoy.filters.http.composite"], rbe_pool = "6gig", + shard_count = 6, deps = [ "//source/common/http:header_map_lib", "//source/extensions/filters/http/composite:config", @@ -44,6 +45,7 @@ envoy_extension_cc_test( "//test/common/grpc:grpc_client_integration_lib", "//test/common/http:common_lib", "//test/integration:http_integration_lib", + "//test/integration/filters:local_reply_during_encoding_filter_lib", "//test/integration/filters:server_factory_context_filter_config_proto_cc_proto", "//test/integration/filters:server_factory_context_filter_lib", "//test/integration/filters:set_response_code_filter_config_proto_cc_proto", diff --git a/test/extensions/filters/http/composite/composite_filter_integration_test.cc b/test/extensions/filters/http/composite/composite_filter_integration_test.cc index 3aedb41e314b3..952046adbbf1b 100644 --- a/test/extensions/filters/http/composite/composite_filter_integration_test.cc +++ b/test/extensions/filters/http/composite/composite_filter_integration_test.cc @@ -177,6 +177,51 @@ class CompositeFilterIntegrationTest : public testing::TestWithParammakeRequestWithBody(match_request_headers_, 1024); + waitForNextUpstreamRequest(); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_THAT(response->headers(), Http::HttpStatusIs("200")); + } + + { + auto response = codec_client_->makeRequestWithBody(match_request_headers_, 1024); + waitForNextUpstreamRequest(); + + upstream_request_->encodeHeaders(match_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_THAT(response->headers(), + Http::HttpStatusIs("500")); // local-reply-during-encode sets 500. + } +} + // Verifies that if we don't match the match action the request is proxied as normal, while if the // match action is hit we apply the specified dynamic filter to the stream. TEST_P(CompositeFilterIntegrationTest, TestBasicDynamicFilter) { From 01a229fbb6b353833659049d1789be7114fa52b9 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 29 Aug 2025 06:09:18 +0000 Subject: [PATCH 321/505] reverse conn http filter: fix imports Signed-off-by: Basundhara Chakrabarty --- .../filters/http/reverse_conn/BUILD | 4 +-- .../http/reverse_conn/reverse_conn_filter.cc | 13 ++++----- .../http/reverse_conn/reverse_conn_filter.h | 5 ++-- .../filters/http/reverse_conn/BUILD | 1 - .../reverse_conn/reverse_conn_filter_test.cc | 27 +++++++++++-------- 5 files changed, 27 insertions(+), 23 deletions(-) diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index 109f9439f7cd8..546d9b9bc2462 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -37,9 +37,9 @@ envoy_cc_extension( "//source/common/network:connection_socket_lib", "//source/common/network:filter_lib", "//source/common/protobuf:utility_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_initiator_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 27a19a95aeb62..fbc8f65e22146 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -20,6 +20,9 @@ namespace Extensions { namespace HttpFilters { namespace ReverseConn { +// Using statement for the new proto namespace +namespace ReverseConnectionHandshake = envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface; + const std::string ReverseConnFilter::reverse_connections_path = "/reverse_connections"; const std::string ReverseConnFilter::reverse_connections_request_path = "/reverse_connections/request"; @@ -53,7 +56,7 @@ void ReverseConnFilter::getClusterDetailsUsingProtobuf(std::string* node_uuid, std::string* cluster_uuid, std::string* tenant_uuid) { - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + ReverseConnectionHandshake::ReverseConnHandshakeArg arg; const std::string request_body = accept_rev_conn_proto_.toString(); ENVOY_STREAM_LOG(debug, "Received protobuf request body length: {}", *decoder_callbacks_, request_body.length()); @@ -80,11 +83,10 @@ void ReverseConnFilter::getClusterDetailsUsingProtobuf(std::string* node_uuid, Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { std::string node_uuid, cluster_uuid, tenant_uuid; - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + ReverseConnectionHandshake::ReverseConnHandshakeRet ret; getClusterDetailsUsingProtobuf(&node_uuid, &cluster_uuid, &tenant_uuid); if (node_uuid.empty()) { - ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: - ReverseConnHandshakeRet::REJECTED); + ret.set_status(ReverseConnectionHandshake::ReverseConnHandshakeRet::REJECTED); ret.set_status_message("Failed to parse request message or required fields missing"); decoder_callbacks_->sendLocalReply(Http::Code::BadGateway, ret.SerializeAsString(), nullptr, absl::nullopt, ""); @@ -115,8 +117,7 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { } ENVOY_STREAM_LOG(info, "Accepting reverse connection", *decoder_callbacks_); - ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: - ReverseConnHandshakeRet::ACCEPTED); + ret.set_status(ReverseConnectionHandshake::ReverseConnHandshakeRet::ACCEPTED); ENVOY_STREAM_LOG(info, "return value", *decoder_callbacks_); // Create response with explicit Content-Length diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 8c1ecc6b6e5a3..823b032d24704 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -1,7 +1,6 @@ #pragma once -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.validate.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.validate.h" #include "envoy/http/async_client.h" @@ -14,7 +13,7 @@ #include "source/common/http/utility.h" #include "source/common/network/filter_impl.h" #include "source/common/protobuf/protobuf.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" diff --git a/test/extensions/filters/http/reverse_conn/BUILD b/test/extensions/filters/http/reverse_conn/BUILD index cb49e7cda4343..ee9722bd61f81 100644 --- a/test/extensions/filters/http/reverse_conn/BUILD +++ b/test/extensions/filters/http/reverse_conn/BUILD @@ -25,7 +25,6 @@ envoy_cc_test( "//test/mocks/network:network_mocks", "//test/mocks/server:factory_context_mocks", "//test/test_common:test_runtime_lib", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc index f7451bb8d69f2..02e6d72f747f5 100644 --- a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -1,6 +1,8 @@ #include "envoy/common/optref.h" -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "envoy/network/connection.h" #include "source/common/buffer/buffer_impl.h" @@ -24,7 +26,10 @@ #include "test/test_common/test_runtime.h" // Include reverse connection components for testing -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" #include "source/common/thread_local/thread_local_impl.h" // Add namespace alias for convenience @@ -62,9 +67,9 @@ class ReverseConnFilterTest : public testing::Test { EXPECT_CALL(callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); EXPECT_CALL(stream_info_, dynamicMetadata()).WillRepeatedly(ReturnRef(metadata_)); - // Create the configs - upstream_config_.set_stat_prefix("test_prefix"); - downstream_config_.set_stat_prefix("test_prefix"); + // // Create the configs + // upstream_config_.set_stat_prefix("test_prefix"); + // downstream_config_.set_stat_prefix("test_prefix"); } // Helper method to set up upstream extension only @@ -207,7 +212,7 @@ class ReverseConnFilterTest : public testing::Test { // Helper function to create a protobuf handshake argument std::string createHandshakeArg(const std::string& tenant_uuid, const std::string& cluster_uuid, const std::string& node_uuid) { - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(tenant_uuid); arg.set_cluster_uuid(cluster_uuid); arg.set_node_uuid(node_uuid); @@ -684,9 +689,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobufParseFailure EXPECT_EQ(code, Http::Code::BadGateway); // Deserialize the protobuf response to check the actual message - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; EXPECT_TRUE(ret.ParseFromString(std::string(body))); - EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: ReverseConnHandshakeRet::REJECTED); EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); @@ -722,7 +727,7 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { auto filter = createFilter(); // Create protobuf with empty node_uuid - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; arg.set_tenant_uuid("tenant-123"); arg.set_cluster_uuid("cluster-456"); arg.set_node_uuid(""); // Empty node_uuid @@ -744,9 +749,9 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { EXPECT_EQ(code, Http::Code::BadGateway); // Deserialize the protobuf response to check the actual message - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; EXPECT_TRUE(ret.ParseFromString(std::string(body))); - EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_connection_handshake::v3:: + EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: ReverseConnHandshakeRet::REJECTED); EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); From 531f26444dd6fe67de4b2fcf771340fe088cbcd4 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 29 Aug 2025 06:09:41 +0000 Subject: [PATCH 322/505] test commit: network filter Signed-off-by: Basundhara Chakrabarty --- source/extensions/filters/network/reverse_conn/BUILD | 4 ++-- .../network/reverse_conn/reverse_conn_filter.cc | 10 ++++++---- .../filters/network/reverse_conn/reverse_conn_filter.h | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/source/extensions/filters/network/reverse_conn/BUILD b/source/extensions/filters/network/reverse_conn/BUILD index b7a58ad6921a7..003c93d846c65 100644 --- a/source/extensions/filters/network/reverse_conn/BUILD +++ b/source/extensions/filters/network/reverse_conn/BUILD @@ -33,11 +33,11 @@ envoy_cc_library( "//source/common/common:minimal_logger_lib", "//source/common/network:filter_impl_lib", "//source/common/protobuf:protobuf_lib", - "//source/extensions/bootstrap/reverse_connection_handshake/v3:reverse_connection_handshake_proto", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", "//source/extensions/filters/network/generic_proxy/interface:filter_lib", "//source/extensions/filters/network/generic_proxy/interface:stream_lib", "//source/extensions/filters/network/reverse_conn/v3:reverse_conn_proto", - "@envoy_api//envoy/extensions/bootstrap/reverse_connection_handshake/v3:pkg_cc_proto", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", ], ) diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc index dd3002c2e6409..fd7e59c418260 100644 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc @@ -21,6 +21,9 @@ namespace Extensions { namespace NetworkFilters { namespace ReverseConn { +// Using statement for the new proto namespace +using ReverseConnectionHandshake = envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface; + // Static constants const std::string ReverseConnFilter::REVERSE_CONNECTIONS_REQUEST_PATH = "/reverse_connections/request"; @@ -173,7 +176,7 @@ void ReverseConnFilter::extractRequestBody(GenericProxy::RequestCommonFrame& fra bool ReverseConnFilter::parseProtobufPayload(const std::string& payload, std::string& node_uuid, std::string& cluster_uuid, std::string& tenant_uuid) { - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeArg arg; + ReverseConnectionHandshake::ReverseConnHandshakeArg arg; if (!arg.ParseFromString(payload)) { ENVOY_LOG(error, "ReverseConnFilter: Failed to parse protobuf from request body"); @@ -368,9 +371,8 @@ void ReverseConnFilter::processReverseConnectionRequest() { tenant_uuid_, cluster_uuid_, node_uuid_); // Create acceptance response - envoy::extensions::bootstrap::reverse_connection_handshake::v3::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_connection_handshake::v3:: - ReverseConnHandshakeRet::ACCEPTED); + ReverseConnectionHandshake::ReverseConnHandshakeRet ret; + ret.set_status(ReverseConnectionHandshake::ReverseConnHandshakeRet::ACCEPTED); std::string response_body = ret.SerializeAsString(); ENVOY_LOG(info, "ReverseConnFilter: Response body length: {}, content: '{}'", diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h index be5a487ed32f5..71df9fd0d8a71 100644 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h @@ -1,6 +1,6 @@ #pragma once -#include "envoy/extensions/bootstrap/reverse_connection_handshake/v3/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "envoy/network/filter.h" #include "envoy/upstream/cluster_manager.h" From a352bd7a13b055b888a61897a766eff8e9122c00 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 29 Aug 2025 06:10:54 +0000 Subject: [PATCH 323/505] reverse conn cluster: fix imports Signed-off-by: Basundhara Chakrabarty --- .../reverse_connection/reverse_connection_cluster_test.cc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc index 5bed128c45f7b..bd50523289e40 100644 --- a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc +++ b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc @@ -16,7 +16,8 @@ #include "source/common/singleton/manager_impl.h" #include "source/common/singleton/threadsafe_singleton.h" #include "source/common/upstream/upstream_impl.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/clusters/reverse_connection/reverse_connection.h" #include "source/extensions/transport_sockets/raw_buffer/config.h" #include "source/server/transport_socket_config_impl.h" @@ -36,6 +37,9 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" +// Add namespace alias for convenience +namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; + using testing::_; using testing::NiceMock; using testing::Return; @@ -276,7 +280,7 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi // Stats and config. Stats::IsolatedStoreImpl stats_store_; Stats::ScopeSharedPtr stats_scope_; - envoy::extensions::bootstrap::reverse_connection_socket_interface::v3:: + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: UpstreamReverseConnectionSocketInterface config_; }; From dbd3b30f34e5b181427866494745a8a872307e65 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 29 Aug 2025 06:11:24 +0000 Subject: [PATCH 324/505] fix imports Signed-off-by: Basundhara Chakrabarty --- .../downstream_socket_interface/BUILD | 35 ++----------------- .../reverse_connection_handshake.proto | 2 +- .../reverse_connection_io_handle.cc | 6 ++-- .../upstream_socket_interface/BUILD | 2 +- source/extensions/extensions_build_config.bzl | 2 +- source/extensions/extensions_metadata.yaml | 5 +++ .../reverse_connection_io_handle_test.cc | 12 +++---- tools/extensions/extensions_schema.yaml | 1 + 8 files changed, 21 insertions(+), 44 deletions(-) diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index 4f3c77f0d37a2..c10e237184187 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -28,7 +28,7 @@ envoy_cc_library( ], ) -envoy_cc_library( +envoy_cc_extension( name = "reverse_connection_resolver_lib", srcs = ["reverse_connection_resolver.cc"], hdrs = ["reverse_connection_resolver.h"], @@ -51,6 +51,7 @@ envoy_cc_library( "//envoy/thread_local:thread_local_interface", "//source/common/common:logger_lib", "//source/common/stats:symbol_table_lib", + ":reverse_connection_handshake_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], ) @@ -100,34 +101,4 @@ envoy_cc_extension( "//source/common/network:socket_interface_lib", "//source/common/protobuf:utility_lib", ], -) - -# envoy_cc_extension( -# name = "reverse_tunnel_acceptor_lib", -# srcs = ["reverse_tunnel_acceptor.cc"], -# hdrs = [ -# "factory_base.h", -# "reverse_tunnel_acceptor.h", -# ], -# visibility = ["//visibility:public"], -# deps = [ -# "//envoy/common:random_generator_interface", -# "//envoy/network:address_interface", -# "//envoy/network:io_handle_interface", -# "//envoy/network:socket_interface", -# "//envoy/registry", -# "//envoy/server:bootstrap_extension_config_interface", -# "//envoy/stats:stats_interface", -# "//envoy/stats:stats_macros", -# "//envoy/thread_local:thread_local_object", -# "//source/common/api:os_sys_calls_lib", -# "//source/common/common:logger_lib", -# "//source/common/common:random_generator_lib", -# "//source/common/network:address_lib", -# "//source/common/network:default_socket_interface_lib", -# "//source/common/protobuf", -# ":reverse_connection_utility_lib", -# "@envoy_api//envoy/extensions/bootstrap/reverse_connection_socket_interface/v3:pkg_cc_proto", -# ], -# alwayslink = 1, -# ) +) \ No newline at end of file diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto index 5ef91a8619c0c..2ee19de84499b 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package envoy.extensions.bootstrap.reverse_tunnel; +package envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface; // Internal proto definitions for reverse connection handshake protocol. // These messages are used internally by the reverse tunnel extension diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc index 287f7eed7a352..473da5c5d9cbb 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -137,13 +137,13 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: if (!response_body.empty()) { // Try to parse the protobuf response - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; if (ret.ParseFromString(response_body)) { ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); // Check if the status is ACCEPTED if (ret.status() == - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::ACCEPTED) { + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::ACCEPTED) { ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); parent_->onHandshakeSuccess(); return Network::FilterStatus::StopIteration; @@ -198,7 +198,7 @@ std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); // Use HTTP handshake logic - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; arg.set_tenant_uuid(src_tenant_id); arg.set_cluster_uuid(src_cluster_id); arg.set_node_uuid(src_node_id); diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index e883312ac22c5..bcb77ffa6980c 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -63,4 +63,4 @@ envoy_cc_extension( "//source/common/common:random_generator_lib", "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", ], -) +) \ No newline at end of file diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 30f2ed147d735..e467976513dab 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -497,7 +497,7 @@ EXTENSIONS = { # Address Resolvers # - "envoy.resolvers.reverse_connection": "//source/extensions/bootstrap/reverse_tunnel:reverse_connection_resolver_lib", + "envoy.resolvers.reverse_connection": "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", # # Custom matchers diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 23f7119a793e1..6a84c7e012531 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -1549,6 +1549,11 @@ envoy.network.dns_resolver.getaddrinfo: status: stable type_urls: - envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig +envoy.resolvers.reverse_connection: + categories: + - envoy.resolvers + security_posture: unknown + status: wip envoy.rbac.matchers.upstream_ip_port: categories: - envoy.rbac.matchers diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc index 3b30b78fea78e..c150005737228 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -2441,7 +2441,7 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { EXPECT_FALSE(body.empty()); // Verify the protobuf content by deserializing it. - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; bool parse_success = arg.ParseFromString(body); EXPECT_TRUE(parse_success); EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); @@ -2513,7 +2513,7 @@ TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWithHttpProxy) { EXPECT_FALSE(body.empty()); // Verify the protobuf content by deserializing it. - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; bool parse_success = arg.ParseFromString(body); EXPECT_TRUE(parse_success); EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); @@ -3213,8 +3213,8 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { auto filter = createFilter(wrapper.get()); // Create a proper ReverseConnHandshakeRet protobuf response. - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::ACCEPTED); + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::ACCEPTED); ret.set_status_message("Connection accepted"); std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) @@ -3232,8 +3232,8 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithRejectedProtobufResponse) { auto filter = createFilter(wrapper.get()); // Create a ReverseConnHandshakeRet protobuf response with REJECTED status. - envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::REJECTED); + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::REJECTED); ret.set_status_message("Connection rejected by server"); std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) diff --git a/tools/extensions/extensions_schema.yaml b/tools/extensions/extensions_schema.yaml index 03e48628f01c8..c96efd33cfd89 100644 --- a/tools/extensions/extensions_schema.yaml +++ b/tools/extensions/extensions_schema.yaml @@ -120,6 +120,7 @@ categories: - envoy.common.key_value - envoy.network.dns_resolver - envoy.network.connection_balance +- envoy.resolvers - envoy.rbac.matchers - envoy.rbac.principals - envoy.rbac.audit_loggers From d7b2be80f72abea5b4fb824fa48eead9172f92bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alex=20Sundstr=C3=B6m?= Date: Fri, 29 Aug 2025 10:47:31 +0200 Subject: [PATCH 325/505] maxmind geoip provider: add gauge to track database creation timestamp (#40809) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change adds a gauge metric to track the build epoch of a Maxmind database file, see https://maxmind.github.io/MaxMind-DB/#build_epoch. This value is part of the MMDB file formats metadata field and according to docs should always be present https://maxmind.github.io/libmaxminddb. The main usage of this metric would be to track the freshness of the database files that the Envoy process has loaded into memory. Commit Message: maxmind geoip provider: add gauge to track database creation timestamp Additional Description: Adds a new gauge metric to track maxmind database freshness Risk Level: low Testing: unit and integration tests Docs Changes: added Release Notes: added Platform Specific Features: n/a Signed-off-by: Alex Sundström Signed-off-by: Alex Sundström Co-authored-by: Alex Sundström --- changelogs/current.yaml | 5 +++ .../http/http_filters/geoip_filter.rst | 1 + .../geoip_providers/maxmind/geoip_provider.cc | 7 +++ .../geoip_providers/maxmind/geoip_provider.h | 7 +++ .../geoip/geoip_filter_integration_test.cc | 7 +++ .../maxmind/geoip_provider_test.cc | 44 ++++++++++++++++++- 6 files changed, 70 insertions(+), 1 deletion(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index da41eb3fb180e..bdbc4dd44b1ee 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -321,5 +321,10 @@ new_features: :ref:`stream_flush_timeout ` to allow for configuring a stream flush timeout independently from the stream idle timeout. +- area: geoip + change: | + Added a new metric ``db_build_epoch`` to track the build timestamp of the Maxmind geolocation database files. + This can be used to monitor the freshness of the databases currently in use by the filter. + See https://maxmind.github.io/MaxMind-DB/#build_epoch for more details. deprecated: diff --git a/docs/root/configuration/http/http_filters/geoip_filter.rst b/docs/root/configuration/http/http_filters/geoip_filter.rst index 14340f611c7e1..3732f42518fad 100644 --- a/docs/root/configuration/http/http_filters/geoip_filter.rst +++ b/docs/root/configuration/http/http_filters/geoip_filter.rst @@ -78,5 +78,6 @@ per geolocation database type (rooted at ``.maxmind.``). Database t ``.lookup_error``, Counter, Total number of errors that occured during lookups for a given geolocation database file. ``.db_reload_success``, Counter, Total number of times when the geolocation database file was reloaded successfully. ``.db_reload_error``, Counter, Total number of times when the geolocation database file failed to reload. + ``.db_build_epoch``, Gauge, The build timestamp of the geolocation database file represented as a Unix epoch value. diff --git a/source/extensions/geoip_providers/maxmind/geoip_provider.cc b/source/extensions/geoip_providers/maxmind/geoip_provider.cc index efeea7485a31c..1e5fea39bda30 100644 --- a/source/extensions/geoip_providers/maxmind/geoip_provider.cc +++ b/source/extensions/geoip_providers/maxmind/geoip_provider.cc @@ -99,6 +99,7 @@ void GeoipProviderConfig::registerGeoDbStats(const absl::string_view& db_type) { stat_name_set_->rememberBuiltin(absl::StrCat(db_type, ".lookup_error")); stat_name_set_->rememberBuiltin(absl::StrCat(db_type, ".db_reload_error")); stat_name_set_->rememberBuiltin(absl::StrCat(db_type, ".db_reload_success")); + stat_name_set_->rememberBuiltin(absl::StrCat(db_type, ".db_build_epoch")); } bool GeoipProviderConfig::isLookupEnabledForHeader(const absl::optional& header) { @@ -109,6 +110,10 @@ void GeoipProviderConfig::incCounter(Stats::StatName name) { stats_scope_->counterFromStatName(name).inc(); } +void GeoipProviderConfig::setGuage(Stats::StatName name, const uint64_t value) { + stats_scope_->gaugeFromStatName(name, Stats::Gauge::ImportMode::Accumulate).set(value); +} + GeoipProvider::GeoipProvider(Event::Dispatcher& dispatcher, Api::Api& api, Singleton::InstanceSharedPtr owner, GeoipProviderConfigSharedPtr config) @@ -396,6 +401,8 @@ MaxmindDbSharedPtr GeoipProvider::initMaxmindDb(const std::string& db_path, return nullptr; } + config_->setDbBuildEpoch(db_type, maxmind_db.metadata.build_epoch); + ENVOY_LOG(info, "Succeeded to reload Maxmind database {} from file {}.", db_type, db_path); return std::make_shared(std::move(maxmind_db)); } diff --git a/source/extensions/geoip_providers/maxmind/geoip_provider.h b/source/extensions/geoip_providers/maxmind/geoip_provider.h index 77e7e4523e8fa..91731fdf4407a 100644 --- a/source/extensions/geoip_providers/maxmind/geoip_provider.h +++ b/source/extensions/geoip_providers/maxmind/geoip_provider.h @@ -67,6 +67,12 @@ class GeoipProviderConfig { unknown_hit_)); } + void setDbBuildEpoch(absl::string_view maxmind_db_type, const uint64_t value) { + setGuage( + stat_name_set_->getBuiltin(absl::StrCat(maxmind_db_type, ".db_build_epoch"), unknown_hit_), + value); + } + void registerGeoDbStats(const absl::string_view& db_type); Stats::Scope& getStatsScopeForTest() const { return *stats_scope_; } @@ -95,6 +101,7 @@ class GeoipProviderConfig { Stats::StatNameSetPtr stat_name_set_; const Stats::StatName unknown_hit_; void incCounter(Stats::StatName name); + void setGuage(Stats::StatName name, const uint64_t value); }; using GeoipProviderConfigSharedPtr = std::shared_ptr; diff --git a/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc b/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc index e6148bf5c9bf6..9fa8eb429863c 100644 --- a/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc +++ b/test/extensions/filters/http/geoip/geoip_filter_integration_test.cc @@ -349,6 +349,13 @@ TEST_P(GeoipFilterIntegrationTest, OnlyApplePrivateRelayHeaderIsPopulated) { EXPECT_EQ(1, test_server_->counter("http.config_test.maxmind.isp_db.hit")->value()); } +TEST_P(GeoipFilterIntegrationTest, MetricForDbBuildEpochIsEmitted) { + config_helper_.prependFilter(TestEnvironment::substitute(ConfigWithXff)); + initialize(); + EXPECT_EQ(1671567063, + test_server_->gauge("http.config_test.maxmind.city_db.db_build_epoch")->value()); +} + } // namespace } // namespace Geoip } // namespace HttpFilters diff --git a/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc b/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc index a1cb1aba998b6..f05691e0c269c 100644 --- a/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc +++ b/test/extensions/geoip_providers/maxmind/geoip_provider_test.cc @@ -148,13 +148,22 @@ class GeoipProviderTestBase { } void expectStats(const absl::string_view& db_type, const uint32_t total_count = 1, - const uint32_t hit_count = 1, const uint32_t error_count = 0) { + const uint32_t hit_count = 1, const uint32_t error_count = 0, + const uint64_t build_epoch = 0) { auto& provider_scope = GeoipProviderPeer::providerScope(provider_); EXPECT_EQ(provider_scope.counterFromString(absl::StrCat(db_type, ".total")).value(), total_count); EXPECT_EQ(provider_scope.counterFromString(absl::StrCat(db_type, ".hit")).value(), hit_count); EXPECT_EQ(provider_scope.counterFromString(absl::StrCat(db_type, ".lookup_error")).value(), error_count); + + if (build_epoch > 0) { + EXPECT_EQ(provider_scope + .gaugeFromString(absl::StrCat(db_type, ".db_build_epoch"), + Stats::Gauge::ImportMode::Accumulate) + .value(), + build_epoch); + } } void expectReloadStats(const absl::string_view& db_type, const uint32_t reload_success_count = 0, @@ -621,6 +630,39 @@ TEST_F(GeoipProviderTest, DbReloadedOnMmdbFileUpdate) { TestEnvironment::renameFile(city_db_path + "1", city_db_path); } +TEST_F(GeoipProviderTest, DbEpochGaugeUpdatesWhenReloadedOnMmdbFileUpdate) { + constexpr absl::string_view config_yaml = R"EOF( + common_provider_config: + geo_headers_to_add: + city: "x-geo-city" + city_db_path: {} + )EOF"; + std::string city_db_path = TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-City-Test.mmdb"); + std::string reloaded_city_db_path = TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/geoip_providers/maxmind/test_data/GeoLite2-City-Test-Updated.mmdb"); + const std::string formatted_config = + fmt::format(config_yaml, TestEnvironment::substitute(city_db_path)); + auto cb_added_opt = absl::make_optional(); + initializeProvider(formatted_config, cb_added_opt); + expectStats("city_db", 0, 0, 0, 1671567063); + TestEnvironment::renameFile(city_db_path, city_db_path + "1"); + TestEnvironment::renameFile(reloaded_city_db_path, city_db_path); + cb_added_opt.value().waitReady(); + { + absl::ReaderMutexLock guard(&mutex_); + EXPECT_TRUE(on_changed_cbs_[0](Filesystem::Watcher::Events::MovedTo).ok()); + } + expectReloadStats("city_db", 1, 0); + expectStats("city_db", 0, 0, 0, 1753263760); + + // Clean up modifications to mmdb file names. + TestEnvironment::renameFile(city_db_path, reloaded_city_db_path); + TestEnvironment::renameFile(city_db_path + "1", city_db_path); +} + TEST_F(GeoipProviderTest, DbReloadError) { constexpr absl::string_view config_yaml = R"EOF( common_provider_config: From 3c50075376e9f9400e5499347a097caae94b8a40 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Fri, 29 Aug 2025 07:41:10 -0700 Subject: [PATCH 326/505] Replace more ReadyWatchers with MockFunction (#40858) Commit Message: Replace more ReadyWatchers with MockFunction Additional Description: Test cleanup towards standard gmock tools. Risk Level: Test-only Testing: Yes it is. Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Raven Black --- test/common/tcp/conn_pool_test.cc | 41 +++++++++++++++---------------- test/server/BUILD | 1 - test/server/server_test.cc | 11 ++++----- 3 files changed, 25 insertions(+), 28 deletions(-) diff --git a/test/common/tcp/conn_pool_test.cc b/test/common/tcp/conn_pool_test.cc index 3ab7803a86050..509bd29a8b909 100644 --- a/test/common/tcp/conn_pool_test.cc +++ b/test/common/tcp/conn_pool_test.cc @@ -8,7 +8,6 @@ #include "source/common/upstream/upstream_impl.h" #include "test/common/upstream/utility.h" -#include "test/mocks/common.h" #include "test/mocks/event/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/runtime/mocks.h" @@ -59,7 +58,7 @@ struct ConnPoolCallbacks : public Tcp::ConnectionPool::Callbacks { conn_data_->addUpstreamCallbacks(callbacks_); host_ = host; ssl_ = conn_data_->connection().streamInfo().downstreamAddressProvider().sslConnection(); - pool_ready_.ready(); + mock_pool_ready_cb_.Call(); } void onPoolFailure(ConnectionPool::PoolFailureReason reason, absl::string_view failure_reason, @@ -67,12 +66,12 @@ struct ConnPoolCallbacks : public Tcp::ConnectionPool::Callbacks { reason_ = reason; host_ = host; failure_reason_string_ = std::string(failure_reason); - pool_failure_.ready(); + mock_pool_failure_cb_.Call(); } StrictMock callbacks_; - ReadyWatcher pool_failure_; - ReadyWatcher pool_ready_; + testing::MockFunction mock_pool_failure_cb_; + testing::MockFunction mock_pool_ready_cb_; ConnectionPool::ConnectionDataPtr conn_data_{}; absl::optional reason_; std::string failure_reason_string_; @@ -301,7 +300,7 @@ class TcpConnPoolImplDestructorTest : public Event::TestUsingSimulatedTime, publ EXPECT_NE(nullptr, handle); EXPECT_CALL(*connect_timer_, disableTimer()); - EXPECT_CALL(callbacks_->pool_ready_, ready()); + EXPECT_CALL(callbacks_->mock_pool_ready_cb_, Call); connection_->raiseEvent(Network::ConnectionEvent::Connected); connection_->stream_info_.downstream_connection_info_provider_->setSslConnection(ssl_); } @@ -364,7 +363,7 @@ struct ActiveTestConn { completed_ = true; } - void expectNewConn() { EXPECT_CALL(callbacks_.pool_ready_, ready()); } + void expectNewConn() { EXPECT_CALL(callbacks_.mock_pool_ready_cb_, Call); } void releaseConn() { callbacks_.conn_data_.reset(); } @@ -564,7 +563,7 @@ TEST_F(TcpConnPoolImplTest, VerifyBufferLimitsAndOptions) { EXPECT_CALL(*cluster_, perConnectionBufferLimitBytes()).WillOnce(Return(8192)); EXPECT_CALL(*conn_pool_->test_conns_.back().connection_, setBufferLimits(8192)); - EXPECT_CALL(callbacks.pool_failure_, ready()); + EXPECT_CALL(callbacks.mock_pool_failure_cb_, Call); Tcp::ConnectionPool::Cancellable* handle = conn_pool_->newConnection(callbacks); EXPECT_NE(nullptr, handle); @@ -684,7 +683,7 @@ TEST_F(TcpConnPoolImplTest, MaxPendingRequests) { EXPECT_NE(nullptr, handle); ConnPoolCallbacks callbacks2; - EXPECT_CALL(callbacks2.pool_failure_, ready()); + EXPECT_CALL(callbacks2.mock_pool_failure_cb_, Call); Tcp::ConnectionPool::Cancellable* handle2 = conn_pool_->newConnection(callbacks2); EXPECT_EQ(nullptr, handle2); @@ -712,7 +711,7 @@ TEST_F(TcpConnPoolImplTest, RemoteConnectFailure) { Tcp::ConnectionPool::Cancellable* handle = conn_pool_->newConnection(callbacks); EXPECT_NE(nullptr, handle); - EXPECT_CALL(callbacks.pool_failure_, ready()); + EXPECT_CALL(callbacks.mock_pool_failure_cb_, Call); EXPECT_CALL(*conn_pool_->test_conns_[0].connect_timer_, disableTimer()); EXPECT_CALL(*conn_pool_, onConnDestroyedForTest()); @@ -741,7 +740,7 @@ TEST_F(TcpConnPoolImplTest, LocalConnectFailure) { Tcp::ConnectionPool::Cancellable* handle = conn_pool_->newConnection(callbacks); EXPECT_NE(nullptr, handle); - EXPECT_CALL(callbacks.pool_failure_, ready()); + EXPECT_CALL(callbacks.mock_pool_failure_cb_, Call); EXPECT_CALL(*conn_pool_->test_conns_[0].connect_timer_, disableTimer()); EXPECT_CALL(*conn_pool_, onConnDestroyedForTest()); @@ -766,14 +765,14 @@ TEST_F(TcpConnPoolImplTest, ConnectTimeout) { EXPECT_NE(nullptr, conn_pool_->newConnection(callbacks1)); ConnPoolCallbacks callbacks2; - EXPECT_CALL(callbacks1.pool_failure_, ready()).WillOnce(Invoke([&]() -> void { + EXPECT_CALL(callbacks1.mock_pool_failure_cb_, Call).WillOnce([&]() -> void { conn_pool_->expectConnCreate(); EXPECT_NE(nullptr, conn_pool_->newConnection(callbacks2)); - })); + }); conn_pool_->test_conns_[0].connect_timer_->invokeCallback(); - EXPECT_CALL(callbacks2.pool_failure_, ready()); + EXPECT_CALL(callbacks2.mock_pool_failure_cb_, Call); conn_pool_->test_conns_[1].connect_timer_->invokeCallback(); EXPECT_CALL(*conn_pool_, onConnDestroyedForTest()).Times(2); @@ -838,7 +837,7 @@ TEST_F(TcpConnPoolImplTest, DisconnectWhileBound) { Tcp::ConnectionPool::Cancellable* handle = conn_pool_->newConnection(callbacks); EXPECT_NE(nullptr, handle); - EXPECT_CALL(callbacks.pool_ready_, ready()); + EXPECT_CALL(callbacks.mock_pool_ready_cb_, Call); EXPECT_CALL(callbacks.callbacks_, onEvent(_)); conn_pool_->test_conns_[0].connection_->raiseEvent(Network::ConnectionEvent::Connected); @@ -863,7 +862,7 @@ TEST_F(TcpConnPoolImplTest, DisconnectWhilePending) { EXPECT_NE(nullptr, handle); EXPECT_CALL(*conn_pool_->test_conns_[0].connect_timer_, disableTimer()); - EXPECT_CALL(callbacks.pool_ready_, ready()); + EXPECT_CALL(callbacks.mock_pool_ready_cb_, Call); EXPECT_CALL(callbacks.callbacks_, onEvent(_)); conn_pool_->test_conns_[0].connection_->raiseEvent(Network::ConnectionEvent::Connected); @@ -881,7 +880,7 @@ TEST_F(TcpConnPoolImplTest, DisconnectWhilePending) { // test_conns_[1] is the new connection EXPECT_CALL(*conn_pool_->test_conns_[1].connect_timer_, disableTimer()); - EXPECT_CALL(callbacks2.pool_ready_, ready()); + EXPECT_CALL(callbacks2.mock_pool_ready_cb_, Call); conn_pool_->test_conns_[1].connection_->raiseEvent(Network::ConnectionEvent::Connected); EXPECT_CALL(*conn_pool_, onConnReleasedForTest()); @@ -913,13 +912,13 @@ TEST_F(TcpConnPoolImplTest, MaxConnections) { EXPECT_NE(nullptr, handle); // Connect event will bind to request 1. - EXPECT_CALL(callbacks.pool_ready_, ready()); + EXPECT_CALL(callbacks.mock_pool_ready_cb_, Call); conn_pool_->test_conns_[0].connection_->raiseEvent(Network::ConnectionEvent::Connected); // Finishing request 1 will immediately bind to request 2. EXPECT_CALL(*conn_pool_, onConnReleasedForTest()); conn_pool_->expectEnableUpstreamReady(false); - EXPECT_CALL(callbacks2.pool_ready_, ready()); + EXPECT_CALL(callbacks2.mock_pool_ready_cb_, Call); callbacks.conn_data_.reset(); conn_pool_->expectEnableUpstreamReady(true); @@ -947,7 +946,7 @@ TEST_F(TcpConnPoolImplTest, MaxRequestsPerConnection) { EXPECT_NE(nullptr, handle); - EXPECT_CALL(callbacks.pool_ready_, ready()); + EXPECT_CALL(callbacks.mock_pool_ready_cb_, Call); conn_pool_->test_conns_[0].connection_->raiseEvent(Network::ConnectionEvent::Connected); EXPECT_CALL(*conn_pool_, onConnReleasedForTest()); @@ -1214,7 +1213,7 @@ TEST_F(TcpConnPoolImplDestructorTest, TestPendingConnectionsAreClosed) { ConnectionPool::Cancellable* handle = conn_pool_->newConnection(*callbacks_); EXPECT_NE(nullptr, handle); - EXPECT_CALL(callbacks_->pool_failure_, ready()); + EXPECT_CALL(callbacks_->mock_pool_failure_cb_, Call); EXPECT_CALL(*connection_, close(Network::ConnectionCloseType::NoFlush)); EXPECT_CALL(dispatcher_, clearDeferredDeleteList()); conn_pool_.reset(); diff --git a/test/server/BUILD b/test/server/BUILD index 2e8665af462a9..b26802f61a59d 100644 --- a/test/server/BUILD +++ b/test/server/BUILD @@ -69,7 +69,6 @@ envoy_cc_test( "//source/extensions/transport_sockets/raw_buffer:config", "//source/server:configuration_lib", "//test/common/upstream:utility_lib", - "//test/mocks:common_lib", "//test/mocks/network:network_mocks", "//test/mocks/server:factory_context_mocks", "//test/mocks/server:instance_mocks", diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 25bb1121a89a4..c942b8e899b0f 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -24,7 +24,6 @@ #include "test/config/v2_link_hacks.h" #include "test/integration/server.h" #include "test/mocks/api/mocks.h" -#include "test/mocks/common.h" #include "test/mocks/config/xds_manager.h" #include "test/mocks/server/bootstrap_extension_factory.h" #include "test/mocks/server/fatal_action_factory.h" @@ -234,7 +233,7 @@ class RunHelperTest : public testing::Test { helper_ = std::make_unique( server_, options_, dispatcher_, xds_manager_, cm_, access_log_manager_, init_manager_, - overload_manager_, null_overload_manager_, [this] { start_workers_.ready(); }); + overload_manager_, null_overload_manager_, mock_workers_start_cb_.AsStdFunction()); } NiceMock server_; @@ -246,7 +245,7 @@ class RunHelperTest : public testing::Test { NiceMock overload_manager_; NiceMock null_overload_manager_; Init::ManagerImpl init_manager_{""}; - ReadyWatcher start_workers_; + testing::MockFunction mock_workers_start_cb_; std::unique_ptr helper_; std::function cm_init_callback_; #ifndef WIN32 @@ -259,14 +258,14 @@ class RunHelperTest : public testing::Test { }; TEST_F(RunHelperTest, Normal) { - EXPECT_CALL(start_workers_, ready()); + EXPECT_CALL(mock_workers_start_cb_, Call); cm_init_callback_(); } // no signals on Windows #ifndef WIN32 TEST_F(RunHelperTest, ShutdownBeforeCmInitialize) { - EXPECT_CALL(start_workers_, ready()).Times(0); + EXPECT_CALL(mock_workers_start_cb_, Call).Times(0); sigterm_->callback_(); EXPECT_CALL(server_, isShutdown()).WillOnce(Return(shutdown_)); cm_init_callback_(); @@ -276,7 +275,7 @@ TEST_F(RunHelperTest, ShutdownBeforeCmInitialize) { // no signals on Windows #ifndef WIN32 TEST_F(RunHelperTest, ShutdownBeforeInitManagerInit) { - EXPECT_CALL(start_workers_, ready()).Times(0); + EXPECT_CALL(mock_workers_start_cb_, Call).Times(0); Init::ExpectableTargetImpl target; init_manager_.add(target); EXPECT_CALL(target, initialize()); From 25f893b44c9ac785d57f21399fb5aff540f0bef7 Mon Sep 17 00:00:00 2001 From: code Date: Fri, 29 Aug 2025 22:56:52 +0800 Subject: [PATCH 327/505] router: fix a bug where header mutations may not be processed properly (#40856) Commit Message: router: fix a bug where header mutations may not be processed properly Additional Description: The https://github.com/envoyproxy/envoy/pull/39534 introduced a bug where the `response_headers_to_add`` may be processed multiple times for local responses from the router filter. The sendLocalReply method will call the `finalizeResponseHeaders()` and the https://github.com/envoyproxy/envoy/pull/39534 updated the code and make the `finalizeResponseHeaders()` be called in the modify_headers_ callback. This finally resulted in this problem. Risk Level: low. Testing: integration. Docs Changes: n/a. Release Notes: added. Platform Specific Features: n/a. Signed-off-by: WangBaiping --- changelogs/current.yaml | 4 +++ source/common/router/router.cc | 3 +- test/common/router/router_test.cc | 5 --- test/integration/header_integration_test.cc | 39 +++++++++++++++++++++ 4 files changed, 44 insertions(+), 7 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index bdbc4dd44b1ee..abe0329c79a67 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -78,6 +78,10 @@ bug_fixes: Fixed a bug where the premature resets of streams may result in the recursive draining and potential stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate the risk of the stack overflow before this fix. +- area: http + change: | + Fixed a bug where the ``response_headers_to_add`` may be processed multiple times for the local responses from + the router filter. - area: listeners change: | Fixed issue where :ref:`TLS inspector listener filter ` timed out diff --git a/source/common/router/router.cc b/source/common/router/router.cc index 52ac0037bcbaf..1fc451ede41c8 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -450,8 +450,6 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, modify_headers_from_upstream_lb_(headers); } - route_entry_->finalizeResponseHeaders(headers, callbacks_->streamInfo()); - if (attempt_count_ == 0 || !route_entry_->includeAttemptCountInResponse()) { return; } @@ -1791,6 +1789,7 @@ void Filter::onUpstreamHeaders(uint64_t response_code, Http::ResponseHeaderMapPt // Modify response headers after we have set the final upstream info because we may need to // modify the headers based on the upstream host. + route_entry_->finalizeResponseHeaders(*headers, callbacks_->streamInfo()); modify_headers_(*headers); if (end_stream) { diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index 3a1e2d07805e2..45901dc081d12 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -814,7 +814,6 @@ TEST_F(RouterTest, NoHost) { EXPECT_CALL(callbacks_, encodeData(_, true)); EXPECT_CALL(callbacks_.stream_info_, setResponseFlag(StreamInfo::CoreResponseFlag::NoHealthyUpstream)); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeResponseHeaders(_, _)); Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); @@ -849,7 +848,6 @@ TEST_F(RouterTest, MaintenanceMode) { EXPECT_CALL(callbacks_, encodeData(_, true)); EXPECT_CALL(callbacks_.stream_info_, setResponseFlag(StreamInfo::CoreResponseFlag::UpstreamOverflow)); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeResponseHeaders(_, _)); Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); @@ -897,7 +895,6 @@ TEST_F(RouterTest, DropOverloadDropped) { EXPECT_CALL(callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), false)); EXPECT_CALL(callbacks_, encodeData(_, true)); EXPECT_CALL(callbacks_.stream_info_, setResponseFlag(StreamInfo::CoreResponseFlag::DropOverLoad)); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeResponseHeaders(_, _)); Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); @@ -1229,7 +1226,6 @@ TEST_F(RouterTest, AllDebugConfig) { Http::TestResponseHeaderMapImpl response_headers{{":status", "204"}, {"x-envoy-not-forwarded", "true"}}; EXPECT_CALL(callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true)); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeResponseHeaders(_, _)); Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); @@ -3673,7 +3669,6 @@ TEST_F(RouterTest, RetryNoneHealthy) { EXPECT_CALL(callbacks_, encodeData(_, true)); EXPECT_CALL(callbacks_.stream_info_, setResponseFlag(StreamInfo::CoreResponseFlag::NoHealthyUpstream)); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeResponseHeaders(_, _)); router_->retry_state_->callback_(); EXPECT_TRUE(verifyHostUpstreamStats(0, 1)); // Pool failure for the first try, so only 1 upstream request was made. diff --git a/test/integration/header_integration_test.cc b/test/integration/header_integration_test.cc index bb4cd7b191a66..8c1f0c007a662 100644 --- a/test/integration/header_integration_test.cc +++ b/test/integration/header_integration_test.cc @@ -1053,6 +1053,45 @@ TEST_P(HeaderIntegrationTest, TestDynamicHeaders) { }); } +TEST_P(HeaderIntegrationTest, TestResponseHeadersOnlyBeHandledOnce) { + initializeFilter(HeaderMode::Append, false); + registerTestServerPorts({"http"}); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + + auto encoder_decoder = codec_client_->startRequest(Http::TestRequestHeaderMapImpl{ + {":method", "POST"}, + {":path", "/vhost-and-route"}, + {":scheme", "http"}, + {":authority", "vhost-headers.com"}, + }); + auto response = std::move(encoder_decoder.second); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + ASSERT_TRUE(fake_upstream_connection_->close()); + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + ASSERT_TRUE(response->waitForEndStream()); + + if (downstream_protocol_ == Http::CodecType::HTTP1) { + ASSERT_TRUE(codec_client_->waitForDisconnect()); + } else { + codec_client_->close(); + } + + EXPECT_FALSE(upstream_request_->complete()); + EXPECT_EQ(0U, upstream_request_->bodyLength()); + + EXPECT_TRUE(response->complete()); + + Http::TestResponseHeaderMapImpl response_headers{response->headers()}; + EXPECT_EQ(1, response_headers.get(Http::LowerCaseString("x-route-response")).size()); + EXPECT_EQ("route", response_headers.get_("x-route-response")); + EXPECT_EQ(1, response_headers.get(Http::LowerCaseString("x-vhost-response")).size()); + EXPECT_EQ("vhost", response_headers.get_("x-vhost-response")); +} + // Validates that XFF gets properly parsed. TEST_P(HeaderIntegrationTest, TestXFFParsing) { initializeFilter(HeaderMode::Replace, false); From 1dd0f7281206f16a761e9988046f6fde60900ce9 Mon Sep 17 00:00:00 2001 From: Nigel Brittain <108375408+nbaws@users.noreply.github.com> Date: Sat, 30 Aug 2025 00:57:27 +1000 Subject: [PATCH 328/505] aws: weak_ptr implementations for race condition crash (#40817) Commit Message: aws: weak_ptr implementations for race condition crash Additional Description: Addresses two customer reported issues in high load situations, where race conditions occur during async credential handling. These implementations use the weak_ptr pattern to ensure safety when making callbacks after an async credential retrieval has completed. Risk Level: Low Testing: Unit Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain --- .../common/aws/credential_provider_chains.cc | 33 +++-- .../common/aws/credential_provider_chains.h | 4 + .../common/aws/credentials_provider.h | 25 +++- .../aws/metadata_credentials_provider_base.cc | 28 ++-- .../aws/metadata_credentials_provider_base.h | 13 +- .../common/aws/credentials_provider_test.cc | 138 +++++++++++++++++- test/extensions/common/aws/mocks.h | 5 + 7 files changed, 209 insertions(+), 37 deletions(-) diff --git a/source/extensions/common/aws/credential_provider_chains.cc b/source/extensions/common/aws/credential_provider_chains.cc index e56e64ec532c8..a79478da98f87 100644 --- a/source/extensions/common/aws/credential_provider_chains.cc +++ b/source/extensions/common/aws/credential_provider_chains.cc @@ -39,12 +39,27 @@ CommonCredentialsProviderChain::customCredentialsProviderChain( "Custom credential provider chain must have at least one credential provider"); } - return std::make_shared(context, region, - credential_provider_config); + auto chain = + std::make_shared(context, region, credential_provider_config); + chain->setupSubscriptions(); + return chain; } CredentialsProviderChainSharedPtr CommonCredentialsProviderChain::defaultCredentialsProviderChain( Server::Configuration::ServerFactoryContext& context, absl::string_view region) { - return std::make_shared(context, region, absl::nullopt); + auto chain = std::make_shared(context, region, absl::nullopt); + chain->setupSubscriptions(); + return chain; +} + +void CommonCredentialsProviderChain::setupSubscriptions() { + for (auto& provider : providers_) { + // Set up subscription for each provider that supports it + auto metadata_provider = std::dynamic_pointer_cast(provider); + if (metadata_provider) { + storeSubscription(metadata_provider->subscribeToCredentialUpdates( + std::static_pointer_cast(shared_from_this()))); + } + } } CommonCredentialsProviderChain::CommonCredentialsProviderChain( @@ -272,8 +287,7 @@ CredentialsProviderSharedPtr CommonCredentialsProviderChain::createAssumeRoleCre credential_provider->setClusterReadyCallbackHandle(std::move(handleOr.value())); } - storeSubscription(credential_provider->subscribeToCredentialUpdates(*this)); - + // Note: Subscription will be set up after construction return credential_provider; }; @@ -308,8 +322,7 @@ CredentialsProviderSharedPtr CommonCredentialsProviderChain::createContainerCred credential_provider->setClusterReadyCallbackHandle(std::move(handleOr.value())); } - storeSubscription(credential_provider->subscribeToCredentialUpdates(*this)); - + // Note: Subscription will be set up after construction return credential_provider; } @@ -342,8 +355,7 @@ CommonCredentialsProviderChain::createInstanceProfileCredentialsProvider( credential_provider->setClusterReadyCallbackHandle(std::move(handleOr.value())); } - storeSubscription(credential_provider->subscribeToCredentialUpdates(*this)); - + // Note: Subscription will be set up after construction return credential_provider; } @@ -374,8 +386,7 @@ CredentialsProviderSharedPtr CommonCredentialsProviderChain::createWebIdentityCr credential_provider->setClusterReadyCallbackHandle(std::move(handleOr.value())); } - storeSubscription(credential_provider->subscribeToCredentialUpdates(*this)); - + // Note: Subscription will be set up after construction return credential_provider; }; diff --git a/source/extensions/common/aws/credential_provider_chains.h b/source/extensions/common/aws/credential_provider_chains.h index 070714f7cd145..d2e4eb908e1a5 100644 --- a/source/extensions/common/aws/credential_provider_chains.h +++ b/source/extensions/common/aws/credential_provider_chains.h @@ -118,6 +118,10 @@ class CommonCredentialsProviderChain : public CredentialsProviderChain, defaultCredentialsProviderChain(Server::Configuration::ServerFactoryContext& context, absl::string_view region); + // Where credential providers use async functionality, subscribe to credential notifications for + // these providers + void setupSubscriptions(); + private: CredentialsProviderSharedPtr createEnvironmentCredentialsProvider() const override { return std::make_shared(); diff --git a/source/extensions/common/aws/credentials_provider.h b/source/extensions/common/aws/credentials_provider.h index fafe0ba470bba..45033fefd9d2e 100644 --- a/source/extensions/common/aws/credentials_provider.h +++ b/source/extensions/common/aws/credentials_provider.h @@ -165,20 +165,28 @@ class CredentialSubscriberCallbacks { virtual void onCredentialUpdate() PURE; }; +using CredentialSubscriberCallbacksSharedPtr = std::shared_ptr; + // Subscription model allowing CredentialsProviderChains to be notified of credential provider // updates. A credential provider chain will call credential_provider->subscribeToCredentialUpdates // to register itself for updates via onCredentialUpdate callback. When a credential provider has // successfully updated all threads with new credentials, via the setCredentialsToAllThreads method // it will notify all subscribers that credentials have been retrieved. +// +// Subscription is only relevant for metadata credentials providers, as these are the only +// credential providers that implement async credential retrieval functionality. +// // RAII is used, as credential providers may be instantiated as singletons, as such they may outlive -// the credential provider chain. Subscription is only relevant for metadata credentials providers, -// as these are the only credential providers that implement async credential retrieval -// functionality. -class CredentialSubscriberCallbacksHandle : public RaiiListElement { +// the credential provider chain. +// +// Uses weak_ptr to safely handle subscriber lifetime without dangling pointers. +class CredentialSubscriberCallbacksHandle + : public RaiiListElement> { public: - CredentialSubscriberCallbacksHandle(CredentialSubscriberCallbacks& cb, - std::list& parent) - : RaiiListElement(parent, &cb) {} + CredentialSubscriberCallbacksHandle( + CredentialSubscriberCallbacksSharedPtr cb, + std::list>& parent) + : RaiiListElement>(parent, cb) {} }; using CredentialSubscriberCallbacksHandlePtr = std::unique_ptr; @@ -187,7 +195,8 @@ using CredentialSubscriberCallbacksHandlePtr = std::unique_ptr { + public Logger::Loggable, + public std::enable_shared_from_this { public: ~CredentialsProviderChain() override { for (auto& subscriber_handle : subscriber_handles_) { diff --git a/source/extensions/common/aws/metadata_credentials_provider_base.cc b/source/extensions/common/aws/metadata_credentials_provider_base.cc index ef1af1a4aa8ff..90f42bd7b8883 100644 --- a/source/extensions/common/aws/metadata_credentials_provider_base.cc +++ b/source/extensions/common/aws/metadata_credentials_provider_base.cc @@ -34,10 +34,17 @@ MetadataCredentialsProviderBase::MetadataCredentialsProviderBase( void MetadataCredentialsProviderBase::onClusterAddOrUpdate() { ENVOY_LOG(debug, "Received callback from aws cluster manager for cluster {}", cluster_name_); if (!cache_duration_timer_) { - cache_duration_timer_ = context_.mainThreadDispatcher().createTimer([this]() -> void { - stats_->credential_refreshes_performed_.inc(); - refresh(); - }); + std::weak_ptr weak_stats = stats_; + std::weak_ptr weak_self = shared_from_this(); + cache_duration_timer_ = + context_.mainThreadDispatcher().createTimer([weak_stats, weak_self]() -> void { + if (auto stats = weak_stats.lock()) { + stats->credential_refreshes_performed_.inc(); + } + if (auto self = weak_self.lock()) { + self->refresh(); + } + }); } if (!cache_duration_timer_->enabled()) { cache_duration_timer_->enableTimer(std::chrono::milliseconds(1)); @@ -116,21 +123,24 @@ void MetadataCredentialsProviderBase::setCredentialsToAllThreads( /* Notify waiting signers on completion of credential setting above */ [this]() { credentials_pending_.store(false); - std::list subscribers_copy; + std::list> subscribers_copy; { Thread::LockGuard guard(mu_); subscribers_copy = credentials_subscribers_; } - for (auto& cb : subscribers_copy) { - ENVOY_LOG(debug, "Notifying subscriber of credential update"); - cb->onCredentialUpdate(); + for (auto& weak_cb : subscribers_copy) { + if (auto cb = weak_cb.lock()) { + ENVOY_LOG(debug, "Notifying subscriber of credential update"); + cb->onCredentialUpdate(); + } } }); } } CredentialSubscriberCallbacksHandlePtr -MetadataCredentialsProviderBase::subscribeToCredentialUpdates(CredentialSubscriberCallbacks& cs) { +MetadataCredentialsProviderBase::subscribeToCredentialUpdates( + CredentialSubscriberCallbacksSharedPtr cs) { Thread::LockGuard guard(mu_); return std::make_unique(cs, credentials_subscribers_); } diff --git a/source/extensions/common/aws/metadata_credentials_provider_base.h b/source/extensions/common/aws/metadata_credentials_provider_base.h index 472d9936fca63..7cdefefae4939 100644 --- a/source/extensions/common/aws/metadata_credentials_provider_base.h +++ b/source/extensions/common/aws/metadata_credentials_provider_base.h @@ -27,9 +27,11 @@ struct MetadataCredentialsProviderStats { using CreateMetadataFetcherCb = std::function; -class MetadataCredentialsProviderBase : public CredentialsProvider, - public Logger::Loggable, - public AwsManagedClusterUpdateCallbacks { +class MetadataCredentialsProviderBase + : public CredentialsProvider, + public Logger::Loggable, + public AwsManagedClusterUpdateCallbacks, + public std::enable_shared_from_this { public: friend class MetadataCredentialsProviderBaseFriend; using OnAsyncFetchCb = std::function; @@ -53,7 +55,7 @@ class MetadataCredentialsProviderBase : public CredentialsProvider, } CredentialSubscriberCallbacksHandlePtr - subscribeToCredentialUpdates(CredentialSubscriberCallbacks& cs); + subscribeToCredentialUpdates(CredentialSubscriberCallbacksSharedPtr cs); protected: struct ThreadLocalCredentialsCache : public ThreadLocal::ThreadLocalObject { @@ -120,7 +122,8 @@ class MetadataCredentialsProviderBase : public CredentialsProvider, // Are credentials pending? std::atomic credentials_pending_ = true; Thread::MutexBasicLockable mu_; - std::list credentials_subscribers_ ABSL_GUARDED_BY(mu_); + std::list> + credentials_subscribers_ ABSL_GUARDED_BY(mu_); }; } // namespace Aws diff --git a/test/extensions/common/aws/credentials_provider_test.cc b/test/extensions/common/aws/credentials_provider_test.cc index 5c7238419ec48..d09c17c0ff1d7 100644 --- a/test/extensions/common/aws/credentials_provider_test.cc +++ b/test/extensions/common/aws/credentials_provider_test.cc @@ -3,6 +3,7 @@ #include "source/extensions/common/aws/signers/sigv4_signer_impl.h" #include "test/extensions/common/aws/mocks.h" +#include "test/mocks/event/mocks.h" #include "test/mocks/server/server_factory_context.h" #include "gtest/gtest.h" @@ -81,7 +82,7 @@ class AsyncCredentialHandlingTest : public testing::Test { MetadataFetcherPtr metadata_fetcher_; NiceMock context_; WebIdentityCredentialsProviderPtr provider_; - Event::MockTimer* timer_{}; + Event::MockTimer* timer_; NiceMock cm_; std::shared_ptr mock_manager_; Http::RequestMessagePtr message_; @@ -180,7 +181,7 @@ TEST_F(AsyncCredentialHandlingTest, ChainCallbackCalledWhenCredentialsReturned) } )EOF"; - auto handle = provider_->subscribeToCredentialUpdates(*chain); + auto handle = provider_->subscribeToCredentialUpdates(chain); auto signer = std::make_unique( "vpc-lattice-svcs", "ap-southeast-2", chain, context_, @@ -249,8 +250,8 @@ TEST_F(AsyncCredentialHandlingTest, SubscriptionsCleanedUp) { } )EOF"; - auto handle = provider_->subscribeToCredentialUpdates(*chain); - auto handle2 = provider_->subscribeToCredentialUpdates(*chain); + auto handle = provider_->subscribeToCredentialUpdates(chain); + auto handle2 = provider_->subscribeToCredentialUpdates(chain); auto signer = std::make_unique( "vpc-lattice-svcs", "ap-southeast-2", chain, context_, @@ -275,6 +276,135 @@ TEST_F(AsyncCredentialHandlingTest, SubscriptionsCleanedUp) { ASSERT_TRUE(result.ok()); } +// Mock WebIdentityCredentialsProvider to track refresh calls +class MockWebIdentityProvider : public WebIdentityCredentialsProvider { +public: + MockWebIdentityProvider( + Server::Configuration::ServerFactoryContext& context, + AwsClusterManagerPtr aws_cluster_manager, absl::string_view cluster_name, + CreateMetadataFetcherCb create_metadata_fetcher_cb, + MetadataFetcher::MetadataReceiver::RefreshState refresh_state, + std::chrono::seconds initialization_timer, + const envoy::extensions::common::aws::v3::AssumeRoleWithWebIdentityCredentialProvider& config) + : WebIdentityCredentialsProvider(context, aws_cluster_manager, cluster_name, + create_metadata_fetcher_cb, refresh_state, + initialization_timer, config) {} + MOCK_METHOD(void, refresh, (), (override)); +}; + +TEST_F(AsyncCredentialHandlingTest, WeakPtrProtectionInTimerCallback) { + + MetadataFetcher::MetadataReceiver::RefreshState refresh_state = + MetadataFetcher::MetadataReceiver::RefreshState::Ready; + std::chrono::seconds initialization_timer = std::chrono::seconds(2); + + envoy::extensions::common::aws::v3::AssumeRoleWithWebIdentityCredentialProvider cred_provider = + {}; + cred_provider.mutable_web_identity_token_data_source()->set_inline_string("token"); + cred_provider.set_role_arn("aws:iam::123456789012:role/arn"); + cred_provider.set_role_session_name("session"); + + mock_manager_ = std::make_shared(); + EXPECT_CALL(*mock_manager_, getUriFromClusterName(_)).WillRepeatedly(Return("uri")); + + auto mock_provider = std::make_shared( + context_, mock_manager_, "cluster", + [this](Upstream::ClusterManager&, absl::string_view) { + metadata_fetcher_.reset(raw_metadata_fetcher_); + return std::move(metadata_fetcher_); + }, + refresh_state, initialization_timer, cred_provider); + + timer_ = new NiceMock(&context_.dispatcher_); + Event::MockTimer* timer_ptr = timer_; // Keep raw pointer to test after provider destruction + auto provider_friend = MetadataCredentialsProviderBaseFriend(mock_provider); + + // When provider is alive, refresh should be called + EXPECT_CALL(*mock_provider, refresh()); + provider_friend.onClusterAddOrUpdate(); + timer_ptr->enabled_ = true; + timer_ptr->invokeCallback(); + delete (raw_metadata_fetcher_); +} + +TEST_F(AsyncCredentialHandlingTest, WeakPtrProtectionForStatsInTimerCallback) { + MetadataFetcher::MetadataReceiver::RefreshState refresh_state = + MetadataFetcher::MetadataReceiver::RefreshState::Ready; + std::chrono::seconds initialization_timer = std::chrono::seconds(2); + + envoy::extensions::common::aws::v3::AssumeRoleWithWebIdentityCredentialProvider cred_provider = + {}; + cred_provider.mutable_web_identity_token_data_source()->set_inline_string("token"); + cred_provider.set_role_arn("aws:iam::123456789012:role/arn"); + cred_provider.set_role_session_name("session"); + + mock_manager_ = std::make_shared(); + EXPECT_CALL(*mock_manager_, getUriFromClusterName(_)).WillRepeatedly(Return("uri")); + + auto mock_provider = std::make_shared( + context_, mock_manager_, "cluster", + [this](Upstream::ClusterManager&, absl::string_view) { + metadata_fetcher_.reset(raw_metadata_fetcher_); + return std::move(metadata_fetcher_); + }, + refresh_state, initialization_timer, cred_provider); + + timer_ = new NiceMock(&context_.dispatcher_); + Event::MockTimer* timer_ptr = timer_; + auto provider_friend = MetadataCredentialsProviderBaseFriend(mock_provider); + provider_friend.onClusterAddOrUpdate(); + + // Invalidate stats pointer + provider_friend.invalidateStats(); + + // Timer callback will skip the stats call due to weak_ptr lock failing + EXPECT_CALL(*mock_provider, refresh()); + timer_ptr->enabled_ = true; + timer_ptr->invokeCallback(); + delete (raw_metadata_fetcher_); +} + +TEST_F(AsyncCredentialHandlingTest, WeakPtrProtectionInSubscriberCallback) { + MetadataFetcher::MetadataReceiver::RefreshState refresh_state = + MetadataFetcher::MetadataReceiver::RefreshState::Ready; + std::chrono::seconds initialization_timer = std::chrono::seconds(2); + + envoy::extensions::common::aws::v3::AssumeRoleWithWebIdentityCredentialProvider cred_provider = + {}; + cred_provider.mutable_web_identity_token_data_source()->set_inline_string("token"); + cred_provider.set_role_arn("aws:iam::123456789012:role/arn"); + cred_provider.set_role_session_name("session"); + + mock_manager_ = std::make_shared(); + EXPECT_CALL(*mock_manager_, getUriFromClusterName(_)).WillRepeatedly(Return("uri")); + + provider_ = std::make_shared( + context_, mock_manager_, "cluster", + [this](Upstream::ClusterManager&, absl::string_view) { + metadata_fetcher_.reset(raw_metadata_fetcher_); + return std::move(metadata_fetcher_); + }, + refresh_state, initialization_timer, cred_provider); + + auto provider_friend = MetadataCredentialsProviderBaseFriend(provider_); + + // Test 1: When subscriber is alive, onCredentialUpdate should be called + auto chain = std::make_shared(); + EXPECT_CALL(*chain, onCredentialUpdate()); + auto handle = provider_->subscribeToCredentialUpdates(chain); + + // Trigger credential update + provider_friend.setCredentialsToAllThreads(std::make_unique("key", "secret")); + + // Test 2: When subscriber is destroyed, onCredentialUpdate should not be called + EXPECT_CALL(*chain, onCredentialUpdate()).Times(0); + chain.reset(); // Destroy the subscriber + + // Trigger credential update - should not crash due to weak_ptr protection + provider_friend.setCredentialsToAllThreads(std::make_unique("key2", "secret2")); + delete (raw_metadata_fetcher_); +} + class ControlledCredentialsProvider : public CredentialsProvider { public: ControlledCredentialsProvider(CredentialSubscriberCallbacks* cb) : cb_(cb) {} diff --git a/test/extensions/common/aws/mocks.h b/test/extensions/common/aws/mocks.h index d8cec3e088d1f..5ffe21c265980 100644 --- a/test/extensions/common/aws/mocks.h +++ b/test/extensions/common/aws/mocks.h @@ -157,6 +157,11 @@ class MetadataCredentialsProviderBaseFriend { provider_->metadata_fetcher_ = std::move(fetcher); } void setCacheDurationTimer(Event::Timer* timer) { provider_->cache_duration_timer_.reset(timer); } + void setCredentialsToAllThreads(CredentialsConstUniquePtr&& creds) { + provider_->setCredentialsToAllThreads(std::move(creds)); + } + void invalidateStats() { provider_->stats_.reset(); } + std::shared_ptr provider_; }; From 30cccff5c8a1431f6540e8b861f16c6abe84d5b0 Mon Sep 17 00:00:00 2001 From: Kuo-Chung Hsu Date: Fri, 29 Aug 2025 12:11:44 -0700 Subject: [PATCH 329/505] thrift_proxy: simply propagate exception while downstream connection is closing (#40886) After we merged https://github.com/envoyproxy/envoy/pull/26386, we've seen internal error from time to time. For those observed internal error, downstream connection is always in closing state so try to avoid logging this known case. Moreover, while downstream connection is in closing state, we shouldn't expect we could successfully proxy this request. Risk Level: low Testing: unit Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: kuochunghsu --- .../network/thrift_proxy/conn_manager.cc | 24 +++++++++----- .../network/thrift_proxy/conn_manager_test.cc | 31 +++++++++++++++++++ 2 files changed, 47 insertions(+), 8 deletions(-) diff --git a/source/extensions/filters/network/thrift_proxy/conn_manager.cc b/source/extensions/filters/network/thrift_proxy/conn_manager.cc index 89f45d5f3ea04..d342ec5679b46 100644 --- a/source/extensions/filters/network/thrift_proxy/conn_manager.cc +++ b/source/extensions/filters/network/thrift_proxy/conn_manager.cc @@ -880,14 +880,22 @@ FilterStatus ConnectionManager::ActiveRpc::messageBegin(MessageMetadataSharedPtr metadata->hasFrameSize() ? static_cast(metadata->frameSize()) : -1; if (error.has_value()) { - parent_.stats_.request_internal_error_.inc(); - std::ostringstream oss; - parent_.read_callbacks_->connection().dumpState(oss, 0); - ENVOY_STREAM_LOG(error, - "Catch exception: {}. Request seq_id: {}, method: {}, frame size: {}, cluster " - "name: {}, downstream connection state {}, headers:\n{}", - *this, error.value(), metadata_->sequenceId(), method, frame_size, - cluster_name, oss.str(), metadata->requestHeaders()); + // If downstream connection is closing, we won't be able to proxy and expect this exception. + // In this case, just propagate the error and do *not* increase the internal error counter. + if (parent_.read_callbacks_->connection().state() == Network::Connection::State::Closing) { + ENVOY_CONN_LOG(debug, "thrift: downstream connection closing, not proxying", + parent_.read_callbacks_->connection()); + } else { + parent_.stats_.request_internal_error_.inc(); + std::ostringstream oss; + parent_.read_callbacks_->connection().dumpState(oss, 0); + ENVOY_STREAM_LOG( + error, + "Catch exception: {}. Request seq_id: {}, method: {}, frame size: {}, cluster " + "name: {}, downstream connection state {}, headers:\n{}", + *this, error.value(), metadata_->sequenceId(), method, frame_size, cluster_name, + oss.str(), metadata->requestHeaders()); + } throw EnvoyException(error.value()); } diff --git a/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc b/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc index 70b4693c552d0..a53b2a0afbc87 100644 --- a/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc +++ b/test/extensions/filters/network/thrift_proxy/conn_manager_test.cc @@ -1433,6 +1433,37 @@ TEST_F(ThriftConnectionManagerTest, BadFunctionCallExceptionHandling) { EXPECT_EQ(access_log_data_, ""); } +TEST_F(ThriftConnectionManagerTest, + BadFunctionCallExceptionHandlingWithClosingDownstreamConnection) { + initializeFilter(); + + writeFramedBinaryMessage(buffer_, MessageType::Oneway, 0x0F); + + ThriftFilters::DecoderFilterCallbacks* callbacks{}; + EXPECT_CALL(*decoder_filter_, setDecoderFilterCallbacks(_)) + .WillOnce( + Invoke([&](ThriftFilters::DecoderFilterCallbacks& cb) -> void { callbacks = &cb; })); + EXPECT_CALL(*decoder_filter_, messageBegin(_)) + .WillOnce(Invoke([&](MessageMetadataSharedPtr) -> FilterStatus { + // mock that downstream connection is closing + filter_callbacks_.connection_.state_ = Network::Connection::State::Closing; + + std::function func; + func(); // throw bad_function_call + return FilterStatus::Continue; + })); + + // A local exception is sent by error handling. + EXPECT_CALL(*decoder_filter_, onLocalReply(_, _)); + EXPECT_EQ(filter_->onData(buffer_, false), Network::FilterStatus::StopIteration); + + EXPECT_EQ(1U, store_.counter("test.request_decoding_error").value()); + // Won't increase this counter as it's expected. + EXPECT_EQ(0U, store_.counter("test.request_internal_error").value()); + + EXPECT_EQ(access_log_data_, ""); +} + // Tests that a request is routed and a non-thrift response is handled. TEST_F(ThriftConnectionManagerTest, RequestAndGarbageResponse) { initializeFilter(); From 5deb153358364b9b7350085c34919429b6cfb741 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Fri, 29 Aug 2025 15:36:25 -0400 Subject: [PATCH 330/505] Replace c-ares with getaddrinfo DNS resolver in RBAC filter integration test (#40896) This is a follow up of https://github.com/envoyproxy/envoy/pull/40895 It's the 4th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- test/extensions/filters/http/rbac/BUILD | 1 + .../filters/http/rbac/rbac_filter_integration_test.cc | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/test/extensions/filters/http/rbac/BUILD b/test/extensions/filters/http/rbac/BUILD index 84236e4bd44d3..b83daa7ba2a3a 100644 --- a/test/extensions/filters/http/rbac/BUILD +++ b/test/extensions/filters/http/rbac/BUILD @@ -78,6 +78,7 @@ envoy_extension_cc_test( "//source/extensions/matching/input_matchers/cel_matcher:config", "//source/extensions/matching/input_matchers/ip:config", "//source/extensions/matching/network/common:inputs_lib", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/config:utility_lib", "//test/integration:http_protocol_integration_lib", "@envoy_api//envoy/extensions/filters/http/rbac/v3:pkg_cc_proto", diff --git a/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc b/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc index dbfb437482d22..9cf8df7c3dfc4 100644 --- a/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc +++ b/test/extensions/filters/http/rbac/rbac_filter_integration_test.cc @@ -2,6 +2,7 @@ #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h" #include "source/common/protobuf/utility.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/integration/http_protocol_integration.h" @@ -1594,6 +1595,10 @@ name: dynamic_forward_proxy dns_cache_config: name: foo dns_lookup_family: {} + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig )EOF", save_upstream_config, Network::Test::ipVersionToDnsFamily(GetParam())); @@ -1636,6 +1641,10 @@ name: envoy.clusters.dynamic_forward_proxy dns_cache_config: name: foo dns_lookup_family: {} + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig )EOF", Network::Test::ipVersionToDnsFamily(GetParam())); From d01f42d380908409a28f22da01108f3e4d9d709a Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Fri, 29 Aug 2025 15:37:05 -0400 Subject: [PATCH 331/505] Replace c-ares with getaddrinfo DNS resolver in ext_authz filter integration test (#40895) This is a follow up of https://github.com/envoyproxy/envoy/pull/40894 It's the 3rd step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- test/extensions/filters/http/ext_authz/BUILD | 1 + test/extensions/filters/http/ext_authz/ext_authz.yaml | 8 ++++++++ .../filters/http/ext_authz/ext_authz_integration_test.cc | 1 + 3 files changed, 10 insertions(+) diff --git a/test/extensions/filters/http/ext_authz/BUILD b/test/extensions/filters/http/ext_authz/BUILD index 33e055d352187..cf6a0897dfcb1 100644 --- a/test/extensions/filters/http/ext_authz/BUILD +++ b/test/extensions/filters/http/ext_authz/BUILD @@ -82,6 +82,7 @@ envoy_extension_cc_test( "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/ext_authz:config", "//source/extensions/listener_managers/validation_listener_manager:validation_listener_manager_lib", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//source/server/config_validation:server_lib", "//test/integration:http_integration_lib", "//test/mocks/server:options_mocks", diff --git a/test/extensions/filters/http/ext_authz/ext_authz.yaml b/test/extensions/filters/http/ext_authz/ext_authz.yaml index 148b47e42ed75..2dce2f248dd18 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz.yaml +++ b/test/extensions/filters/http/ext_authz/ext_authz.yaml @@ -43,6 +43,10 @@ static_resources: - name: local_service connect_timeout: 30s type: STRICT_DNS + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig lb_policy: ROUND_ROBIN load_assignment: cluster_name: local_service @@ -55,6 +59,10 @@ static_resources: port_value: 8080 - name: ext_authz-service type: STRICT_DNS + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig lb_policy: ROUND_ROBIN typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index 9eb2348bdbafd..9585af931ebe5 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -6,6 +6,7 @@ #include "source/common/common/macros.h" #include "source/extensions/filters/common/ext_authz/ext_authz.h" #include "source/extensions/filters/http/ext_authz/ext_authz.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "source/server/config_validation/server.h" #include "test/common/grpc/grpc_client_integration.h" From ea478821c253f5b2c901bc46e29f1d3afab2059b Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Fri, 29 Aug 2025 15:37:36 -0400 Subject: [PATCH 332/505] Replace c-ares with getaddrinfo DNS resolver in sni_dynamic_forward_proxy filter integration test (#40894) This is a follow up of https://github.com/envoyproxy/envoy/pull/39901 It's the 2nd step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- .../filters/network/sni_dynamic_forward_proxy/BUILD | 1 + .../proxy_filter_integration_test.cc | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/BUILD b/test/extensions/filters/network/sni_dynamic_forward_proxy/BUILD index 7955f5267b4da..b2f243cf4829f 100644 --- a/test/extensions/filters/network/sni_dynamic_forward_proxy/BUILD +++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/BUILD @@ -46,6 +46,7 @@ envoy_extension_cc_test( "//source/extensions/filters/listener/tls_inspector:config", "//source/extensions/filters/network/sni_dynamic_forward_proxy:config", "//source/extensions/filters/network/tcp_proxy:config", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/integration:http_integration_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc index ec041d14c7e79..295df517c842a 100644 --- a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -5,6 +5,7 @@ #include "source/common/tls/client_ssl_socket.h" #include "source/common/tls/context_config_impl.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/integration/http_integration.h" #include "test/integration/ssl_utility.h" @@ -49,6 +50,10 @@ name: envoy.filters.network.sni_dynamic_forward_proxy max_hosts: {} dns_cache_circuit_breaker: max_pending_requests: {} + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig port_value: {} )EOF", Network::Test::ipVersionToDnsFamily(GetParam()), max_hosts, @@ -73,6 +78,10 @@ name: envoy.clusters.dynamic_forward_proxy max_hosts: {} dns_cache_circuit_breaker: max_pending_requests: {} + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig )EOF", Network::Test::ipVersionToDnsFamily(GetParam()), max_hosts, max_pending_requests); From f384ab2b3e3aa0564ef25f57dc2ed8ad61eaf0cb Mon Sep 17 00:00:00 2001 From: Raven Black Date: Fri, 29 Aug 2025 14:45:14 -0700 Subject: [PATCH 333/505] More ReadyWatchers to MockFunction in test (#40897) Commit Message: More ReadyWatchers to MockFunction in test Additional Description: Cleaning up more awkward ReadyWatcher constructs in favor of idiomatic MockFunction. Test-only. Signed-off-by: Raven Black --- test/common/event/BUILD | 1 - test/common/event/dispatcher_impl_test.cc | 652 ++++++++++------------ 2 files changed, 280 insertions(+), 373 deletions(-) diff --git a/test/common/event/BUILD b/test/common/event/BUILD index 8675587e14e7d..c49b038eaa78d 100644 --- a/test/common/event/BUILD +++ b/test/common/event/BUILD @@ -19,7 +19,6 @@ envoy_cc_test( "//source/common/event:dispatcher_lib", "//source/common/network:address_lib", "//source/common/stats:isolated_store_lib", - "//test/mocks:common_lib", "//test/mocks/server:watch_dog_mocks", "//test/mocks/stats:stats_mocks", "//test/test_common:simulated_time_system_lib", diff --git a/test/common/event/dispatcher_impl_test.cc b/test/common/event/dispatcher_impl_test.cc index 84e2b06bef0d6..a5fc026c631d1 100644 --- a/test/common/event/dispatcher_impl_test.cc +++ b/test/common/event/dispatcher_impl_test.cc @@ -14,7 +14,6 @@ #include "source/common/network/address_impl.h" #include "source/common/stats/isolated_store_impl.h" -#include "test/mocks/common.h" #include "test/mocks/event/mocks.h" #include "test/mocks/server/watch_dog.h" #include "test/mocks/stats/mocks.h" @@ -47,10 +46,10 @@ class RunOnDelete { std::function on_destroy_; }; -void onWatcherReady(evwatch*, const evwatch_prepare_cb_info*, void* arg) { - // `arg` contains the ReadyWatcher passed in from evwatch_prepare_new. - auto watcher = static_cast(arg); - watcher->ready(); +void callPrepareCallback(evwatch*, const evwatch_prepare_cb_info*, void* arg) { + // `arg` contains the MockFunction passed in from evwatch_prepare_new. + auto callback = static_cast*>(arg); + callback->Call(); } class SchedulableCallbackImplTest : public testing::Test { @@ -68,9 +67,9 @@ class SchedulableCallbackImplTest : public testing::Test { }; TEST_F(SchedulableCallbackImplTest, ScheduleCurrentAndCancel) { - ReadyWatcher watcher; + MockFunction callback; - auto cb = dispatcher_->createSchedulableCallback([&]() { watcher.ready(); }); + auto cb = dispatcher_->createSchedulableCallback(callback.AsStdFunction()); // Cancel is a no-op if not scheduled. cb->cancel(); @@ -85,7 +84,7 @@ TEST_F(SchedulableCallbackImplTest, ScheduleCurrentAndCancel) { // Scheduled callback executes. cb->scheduleCallbackCurrentIteration(); - EXPECT_CALL(watcher, ready()); + EXPECT_CALL(callback, Call); dispatcher_->run(Dispatcher::RunType::Block); // Callbacks implicitly cancelled if runner is deleted. @@ -95,9 +94,9 @@ TEST_F(SchedulableCallbackImplTest, ScheduleCurrentAndCancel) { } TEST_F(SchedulableCallbackImplTest, ScheduleNextAndCancel) { - ReadyWatcher watcher; + MockFunction callback; - auto cb = dispatcher_->createSchedulableCallback([&]() { watcher.ready(); }); + auto cb = dispatcher_->createSchedulableCallback(callback.AsStdFunction()); // Cancel is a no-op if not scheduled. cb->cancel(); @@ -112,7 +111,7 @@ TEST_F(SchedulableCallbackImplTest, ScheduleNextAndCancel) { // Scheduled callback executes. cb->scheduleCallbackNextIteration(); - EXPECT_CALL(watcher, ready()); + EXPECT_CALL(callback, Call); dispatcher_->run(Dispatcher::RunType::Block); // Callbacks implicitly cancelled if runner is deleted. @@ -122,12 +121,12 @@ TEST_F(SchedulableCallbackImplTest, ScheduleNextAndCancel) { } TEST_F(SchedulableCallbackImplTest, ScheduleOrder) { - ReadyWatcher watcher0; - createCallback([&]() { watcher0.ready(); }); - ReadyWatcher watcher1; - createCallback([&]() { watcher1.ready(); }); - ReadyWatcher watcher2; - createCallback([&]() { watcher2.ready(); }); + MockFunction callback0; + createCallback(callback0.AsStdFunction()); + MockFunction callback1; + createCallback(callback1.AsStdFunction()); + MockFunction callback2; + createCallback(callback2.AsStdFunction()); // Current iteration callbacks run in the order they are scheduled. Next iteration callbacks run // after current iteration callbacks. @@ -135,73 +134,71 @@ TEST_F(SchedulableCallbackImplTest, ScheduleOrder) { callbacks_[1]->scheduleCallbackCurrentIteration(); callbacks_[2]->scheduleCallbackCurrentIteration(); InSequence s; - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher0, ready()); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback0, Call); dispatcher_->run(Dispatcher::RunType::Block); } TEST_F(SchedulableCallbackImplTest, ScheduleChainingAndCancellation) { DispatcherImpl* dispatcher_impl = static_cast(dispatcher_.get()); - ReadyWatcher prepare_watcher; - evwatch_prepare_new(&dispatcher_impl->base(), onWatcherReady, &prepare_watcher); + MockFunction prepare_callback; + evwatch_prepare_new(&dispatcher_impl->base(), callPrepareCallback, &prepare_callback); - ReadyWatcher watcher0; - createCallback([&]() { - watcher0.ready(); + MockFunction callback0, callback1, callback2, callback3, callback4, callback5; + createCallback(callback0.AsStdFunction()); + createCallback(callback1.AsStdFunction()); + createCallback(callback2.AsStdFunction()); + createCallback(callback3.AsStdFunction()); + createCallback(callback4.AsStdFunction()); + createCallback(callback5.AsStdFunction()); + + // Chained callbacks run in the same event loop iteration, as signaled by a single call to + // prepare_callback. callback3 and callback4 are not invoked because cb2 cancels + // cb3 and deletes cb4 as part of its execution. cb5 runs after a second call to the + // prepare callback since it's scheduled for the next iteration. + callbacks_[0]->scheduleCallbackCurrentIteration(); + InSequence s; + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(callback0, Call).WillOnce([this]() { callbacks_[1]->scheduleCallbackCurrentIteration(); }); - - ReadyWatcher watcher1; - createCallback([&]() { - watcher1.ready(); + EXPECT_CALL(callback1, Call).WillOnce([this]() { callbacks_[2]->scheduleCallbackCurrentIteration(); callbacks_[3]->scheduleCallbackCurrentIteration(); callbacks_[4]->scheduleCallbackCurrentIteration(); callbacks_[5]->scheduleCallbackNextIteration(); }); - - ReadyWatcher watcher2; - createCallback([&]() { - watcher2.ready(); + EXPECT_CALL(callback2, Call).WillOnce([this]() { EXPECT_TRUE(callbacks_[3]->enabled()); callbacks_[3]->cancel(); EXPECT_TRUE(callbacks_[4]->enabled()); callbacks_[4].reset(); }); - - ReadyWatcher watcher3; - createCallback([&]() { watcher3.ready(); }); - - ReadyWatcher watcher4; - createCallback([&]() { watcher4.ready(); }); - - ReadyWatcher watcher5; - createCallback([&]() { watcher5.ready(); }); - - // Chained callbacks run in the same event loop iteration, as signaled by a single call to - // prepare_watcher.ready(). watcher3 and watcher4 are not invoked because cb2 cancels - // cb3 and deletes cb4 as part of its execution. cb5 runs after a second call to the - // prepare callback since it's scheduled for the next iteration. - callbacks_[0]->scheduleCallbackCurrentIteration(); - InSequence s; - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(watcher0, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(watcher5, ready()); + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(callback5, Call); dispatcher_->run(Dispatcher::RunType::Block); } TEST_F(SchedulableCallbackImplTest, RescheduleNext) { DispatcherImpl* dispatcher_impl = static_cast(dispatcher_.get()); - ReadyWatcher prepare_watcher; - evwatch_prepare_new(&dispatcher_impl->base(), onWatcherReady, &prepare_watcher); + MockFunction prepare_callback; + evwatch_prepare_new(&dispatcher_impl->base(), callPrepareCallback, &prepare_callback); - ReadyWatcher watcher0; - createCallback([&]() { - watcher0.ready(); + MockFunction callback0, callback1, callback2, callback3; + createCallback(callback0.AsStdFunction()); + createCallback(callback1.AsStdFunction()); + createCallback(callback2.AsStdFunction()); + createCallback(callback3.AsStdFunction()); + + // Schedule callbacks 0 and 1 outside the loop, both will run in the same iteration of the event + // loop. + callbacks_[0]->scheduleCallbackCurrentIteration(); + callbacks_[1]->scheduleCallbackNextIteration(); + + InSequence s; + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(callback0, Call).WillOnce([this]() { // Callback 1 was scheduled from the previous iteration, expect it to fire in the current // iteration despite the attempt to reschedule. callbacks_[1]->scheduleCallbackNextIteration(); @@ -212,26 +209,10 @@ TEST_F(SchedulableCallbackImplTest, RescheduleNext) { callbacks_[3]->scheduleCallbackNextIteration(); callbacks_[3]->scheduleCallbackCurrentIteration(); }); - - ReadyWatcher watcher1; - createCallback([&]() { watcher1.ready(); }); - ReadyWatcher watcher2; - createCallback([&]() { watcher2.ready(); }); - ReadyWatcher watcher3; - createCallback([&]() { watcher3.ready(); }); - - // Schedule callbacks 0 and 1 outside the loop, both will run in the same iteration of the event - // loop. - callbacks_[0]->scheduleCallbackCurrentIteration(); - callbacks_[1]->scheduleCallbackNextIteration(); - - InSequence s; - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(watcher0, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(watcher3, ready()); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(callback3, Call); dispatcher_->run(Dispatcher::RunType::Block); } @@ -257,30 +238,29 @@ TEST(DeferredDeleteTest, DeferredDelete) { InSequence s; Api::ApiPtr api = Api::createApiForTest(); DispatcherPtr dispatcher(api->allocateDispatcher("test_thread")); - ReadyWatcher watcher1; + MockFunction callback1; dispatcher->deferredDelete( - DeferredDeletablePtr{new TestDeferredDeletable([&]() -> void { watcher1.ready(); })}); + DeferredDeletablePtr{new TestDeferredDeletable(callback1.AsStdFunction())}); // The first one will get deleted inline. - EXPECT_CALL(watcher1, ready()); + EXPECT_CALL(callback1, Call); dispatcher->clearDeferredDeleteList(); // This one does a nested deferred delete. We should need two clear calls to actually get // rid of it with the vector swapping. We also test that inline clear() call does nothing. - ReadyWatcher watcher2; - ReadyWatcher watcher3; - dispatcher->deferredDelete(DeferredDeletablePtr{new TestDeferredDeletable([&]() -> void { - watcher2.ready(); + MockFunction callback2, callback3; + dispatcher->deferredDelete( + DeferredDeletablePtr{new TestDeferredDeletable(callback2.AsStdFunction())}); + + EXPECT_CALL(callback2, Call).WillOnce([&]() { dispatcher->deferredDelete( - DeferredDeletablePtr{new TestDeferredDeletable([&]() -> void { watcher3.ready(); })}); + DeferredDeletablePtr{new TestDeferredDeletable(callback3.AsStdFunction())}); dispatcher->clearDeferredDeleteList(); - })}); - - EXPECT_CALL(watcher2, ready()); + }); dispatcher->clearDeferredDeleteList(); - EXPECT_CALL(watcher3, ready()); + EXPECT_CALL(callback3, Call); dispatcher->clearDeferredDeleteList(); } @@ -288,20 +268,19 @@ TEST(DeferredTaskTest, DeferredTask) { InSequence s; Api::ApiPtr api = Api::createApiForTest(); DispatcherPtr dispatcher(api->allocateDispatcher("test_thread")); - ReadyWatcher watcher1; + MockFunction callback1; - DeferredTaskUtil::deferredRun(*dispatcher, [&watcher1]() -> void { watcher1.ready(); }); + DeferredTaskUtil::deferredRun(*dispatcher, callback1.AsStdFunction()); // The first one will get deleted inline. - EXPECT_CALL(watcher1, ready()); + EXPECT_CALL(callback1, Call); dispatcher->clearDeferredDeleteList(); // Deferred task is scheduled FIFO. - ReadyWatcher watcher2; - ReadyWatcher watcher3; - DeferredTaskUtil::deferredRun(*dispatcher, [&watcher2]() -> void { watcher2.ready(); }); - DeferredTaskUtil::deferredRun(*dispatcher, [&watcher3]() -> void { watcher3.ready(); }); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher3, ready()); + MockFunction callback2, callback3; + DeferredTaskUtil::deferredRun(*dispatcher, callback2.AsStdFunction()); + DeferredTaskUtil::deferredRun(*dispatcher, callback3.AsStdFunction()); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback3, Call); dispatcher->clearDeferredDeleteList(); } @@ -310,16 +289,15 @@ TEST(DeferredDeleteTest, DeferredDeleteAndPostOrdering) { Api::ApiPtr api = Api::createApiForTest(); DispatcherPtr dispatcher(api->allocateDispatcher("test_thread")); - ReadyWatcher post_watcher; - ReadyWatcher delete_watcher; + MockFunction post_callback, delete_callback; // DeferredDelete should always run before post callbacks. - EXPECT_CALL(delete_watcher, ready()); - EXPECT_CALL(post_watcher, ready()); + EXPECT_CALL(delete_callback, Call); + EXPECT_CALL(post_callback, Call); - dispatcher->post([&]() { post_watcher.ready(); }); + dispatcher->post(post_callback.AsStdFunction()); dispatcher->deferredDelete( - std::make_unique([&]() -> void { delete_watcher.ready(); })); + std::make_unique(delete_callback.AsStdFunction())); dispatcher->run(Dispatcher::RunType::NonBlock); } @@ -411,33 +389,27 @@ TEST_F(DispatcherImplTest, Post) { } TEST_F(DispatcherImplTest, PostExecuteAndDestructOrder) { - ReadyWatcher parent_watcher; - ReadyWatcher deferred_delete_watcher; - ReadyWatcher run_watcher1; - ReadyWatcher delete_watcher1; - ReadyWatcher run_watcher2; - ReadyWatcher delete_watcher2; + MockFunction parent_callback, deferred_delete_callback, run_callback1, delete_callback1, + run_callback2, delete_callback2; // Expect the following events to happen in order. The destructor of the post callback should run // before execution of the next post callback starts. The post callback runner should yield after // running each group of callbacks in a chain, so the deferred deletion should run before the // post callbacks that are also scheduled by the parent post callback. InSequence s; - EXPECT_CALL(parent_watcher, ready()); - EXPECT_CALL(deferred_delete_watcher, ready()); - EXPECT_CALL(run_watcher1, ready()); - EXPECT_CALL(delete_watcher1, ready()); - EXPECT_CALL(run_watcher2, ready()); - EXPECT_CALL(delete_watcher2, ready()); + EXPECT_CALL(parent_callback, Call); + EXPECT_CALL(deferred_delete_callback, Call); + EXPECT_CALL(run_callback1, Call); + EXPECT_CALL(delete_callback1, Call); + EXPECT_CALL(run_callback2, Call); + EXPECT_CALL(delete_callback2, Call); dispatcher_->post([&]() { - parent_watcher.ready(); - auto on_delete_task1 = - std::make_shared([&delete_watcher1]() { delete_watcher1.ready(); }); - dispatcher_->post([&run_watcher1, on_delete_task1]() { run_watcher1.ready(); }); - auto on_delete_task2 = - std::make_shared([&delete_watcher2]() { delete_watcher2.ready(); }); - dispatcher_->post([&run_watcher2, on_delete_task2]() { run_watcher2.ready(); }); + parent_callback.Call(); + auto on_delete_task1 = std::make_shared(delete_callback1.AsStdFunction()); + dispatcher_->post([&run_callback1, on_delete_task1]() { run_callback1.Call(); }); + auto on_delete_task2 = std::make_shared(delete_callback2.AsStdFunction()); + dispatcher_->post([&run_callback2, on_delete_task2]() { run_callback2.Call(); }); dispatcher_->post([this]() { { Thread::LockGuard lock(mu_); @@ -446,8 +418,8 @@ TEST_F(DispatcherImplTest, PostExecuteAndDestructOrder) { } cv_.notifyOne(); }); - dispatcher_->deferredDelete(std::make_unique( - [&deferred_delete_watcher]() -> void { deferred_delete_watcher.ready(); })); + dispatcher_->deferredDelete( + std::make_unique(deferred_delete_callback.AsStdFunction())); }); Thread::LockGuard lock(mu_); @@ -517,21 +489,17 @@ TEST_F(DispatcherImplTest, DispatcherThreadDeleted) { TEST(DispatcherThreadDeletedImplTest, DispatcherThreadDeletedAtNextCycle) { Api::ApiPtr api_(Api::createApiForTest()); DispatcherPtr dispatcher(api_->allocateDispatcher("test_thread")); - std::vector> watchers; - watchers.reserve(3); - for (int i = 0; i < 3; ++i) { - watchers.push_back(std::make_unique()); - } + std::vector> callbacks(3); dispatcher->deleteInDispatcherThread( - std::make_unique([&watchers]() { watchers[0]->ready(); })); - EXPECT_CALL(*watchers[0], ready()); + std::make_unique(callbacks[0].AsStdFunction())); + EXPECT_CALL(callbacks[0], Call); dispatcher->run(Event::Dispatcher::RunType::NonBlock); dispatcher->deleteInDispatcherThread( - std::make_unique([&watchers]() { watchers[1]->ready(); })); + std::make_unique(callbacks[1].AsStdFunction())); dispatcher->deleteInDispatcherThread( - std::make_unique([&watchers]() { watchers[2]->ready(); })); - EXPECT_CALL(*watchers[1], ready()); - EXPECT_CALL(*watchers[2], ready()); + std::make_unique(callbacks[2].AsStdFunction())); + EXPECT_CALL(callbacks[1], Call); + EXPECT_CALL(callbacks[2], Call); dispatcher->run(Event::Dispatcher::RunType::NonBlock); } @@ -545,47 +513,44 @@ class DispatcherShutdownTest : public testing::Test { }; TEST_F(DispatcherShutdownTest, ShutdownClearThreadLocalDeletables) { - ReadyWatcher watcher; + MockFunction callback; dispatcher_->deleteInDispatcherThread( - std::make_unique([&watcher]() { watcher.ready(); })); - EXPECT_CALL(watcher, ready()); + std::make_unique(callback.AsStdFunction())); + EXPECT_CALL(callback, Call); dispatcher_->shutdown(); } TEST_F(DispatcherShutdownTest, ShutdownDoesnotClearDeferredListOrPostCallback) { - ReadyWatcher watcher; - ReadyWatcher deferred_watcher; - ReadyWatcher post_watcher; + MockFunction callback, deferred_callback, post_callback; { InSequence s; - dispatcher_->deferredDelete(std::make_unique( - [&deferred_watcher]() { deferred_watcher.ready(); })); - dispatcher_->post([&post_watcher]() { post_watcher.ready(); }); + dispatcher_->deferredDelete( + std::make_unique(deferred_callback.AsStdFunction())); + dispatcher_->post(post_callback.AsStdFunction()); dispatcher_->deleteInDispatcherThread( - std::make_unique([&watcher]() { watcher.ready(); })); - EXPECT_CALL(watcher, ready()); + std::make_unique(callback.AsStdFunction())); + EXPECT_CALL(callback, Call); dispatcher_->shutdown(); - ::testing::Mock::VerifyAndClearExpectations(&watcher); - EXPECT_CALL(deferred_watcher, ready()); + ::testing::Mock::VerifyAndClearExpectations(&callback); + EXPECT_CALL(deferred_callback, Call); dispatcher_.reset(); } } TEST_F(DispatcherShutdownTest, DestroyClearAllList) { - ReadyWatcher watcher; - ReadyWatcher deferred_watcher; + MockFunction callback, deferred_callback; dispatcher_->deferredDelete( - std::make_unique([&deferred_watcher]() { deferred_watcher.ready(); })); + std::make_unique(deferred_callback.AsStdFunction())); dispatcher_->deleteInDispatcherThread( - std::make_unique([&watcher]() { watcher.ready(); })); + std::make_unique(callback.AsStdFunction())); { InSequence s; - EXPECT_CALL(deferred_watcher, ready()); - EXPECT_CALL(watcher, ready()); + EXPECT_CALL(deferred_callback, Call); + EXPECT_CALL(callback, Call); dispatcher_.reset(); } } @@ -862,7 +827,7 @@ class TimerImplTest : public testing::Test { protected: TimerImplTest() { // Hook into event loop prepare and check events. - evwatch_prepare_new(&libevent_base_, onWatcherReady, &prepare_watcher_); + evwatch_prepare_new(&libevent_base_, callPrepareCallback, &prepare_callback_); evwatch_check_new(&libevent_base_, onCheck, this); } ~TimerImplTest() override { ASSERT(check_callbacks_.empty()); } @@ -903,7 +868,7 @@ class TimerImplTest : public testing::Test { Api::ApiPtr api_{Api::createApiForTest()}; DispatcherPtr dispatcher_{api_->allocateDispatcher("test_thread")}; event_base& libevent_base_{static_cast(*dispatcher_).base()}; - ReadyWatcher prepare_watcher_; + MockFunction prepare_callback_; std::vector callbacks_; private: @@ -949,32 +914,28 @@ TEST_F(TimerImplTest, TimerEnabledDisabled) { EXPECT_FALSE(timer->enabled()); timer->enableTimer(std::chrono::milliseconds(0)); EXPECT_TRUE(timer->enabled()); - EXPECT_CALL(prepare_watcher_, ready()); + EXPECT_CALL(prepare_callback_, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); EXPECT_FALSE(timer->enabled()); timer->enableHRTimer(std::chrono::milliseconds(0)); EXPECT_TRUE(timer->enabled()); - EXPECT_CALL(prepare_watcher_, ready()); + EXPECT_CALL(prepare_callback_, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); EXPECT_FALSE(timer->enabled()); } TEST_F(TimerImplTest, ChangeTimerBackwardsBeforeRun) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); - - ReadyWatcher watcher3; - Event::TimerPtr timer3 = dispatcher_->createTimer([&] { watcher3.ready(); }); + MockFunction callback1, callback2, callback3; + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); + Event::TimerPtr timer3 = dispatcher_->createTimer(callback3.AsStdFunction()); - // Expect watcher3 to trigger first because the deadlines for timers 1 and 2 was moved backwards. + // Expect callback3 to trigger first because the deadlines for timers 1 and 2 was moved backwards. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher3, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher1, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback3, Call); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback1, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(0)); timer2->enableTimer(std::chrono::milliseconds(1)); @@ -988,17 +949,15 @@ TEST_F(TimerImplTest, ChangeTimerBackwardsBeforeRun) { } TEST_F(TimerImplTest, ChangeTimerForwardsToZeroBeforeRun) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); + MockFunction callback1, callback2; + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); - - // Expect watcher1 to trigger first because timer1's deadline was moved forward. + // Expect callback1 to trigger first because timer1's deadline was moved forward. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(callback2, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(2)); timer2->enableTimer(std::chrono::milliseconds(1)); @@ -1010,17 +969,15 @@ TEST_F(TimerImplTest, ChangeTimerForwardsToZeroBeforeRun) { } TEST_F(TimerImplTest, ChangeTimerForwardsToNonZeroBeforeRun) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); + MockFunction callback1, callback2; + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); - // Expect watcher1 to trigger first because timer1's deadline was moved forward. + // Expect callback1 to trigger first because timer1's deadline was moved forward. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(callback2, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(3)); timer2->enableTimer(std::chrono::milliseconds(2)); @@ -1032,17 +989,15 @@ TEST_F(TimerImplTest, ChangeTimerForwardsToNonZeroBeforeRun) { } TEST_F(TimerImplTest, ChangeLargeTimerForwardToZeroBeforeRun) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); + MockFunction callback1, callback2; + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); - // Expect watcher1 to trigger because timer1's deadline was moved forward. + // Expect callback1 to trigger because timer1's deadline was moved forward. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(prepare_watcher_, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(prepare_callback_, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::seconds(2000)); timer2->enableTimer(std::chrono::seconds(1000)); @@ -1051,17 +1006,15 @@ TEST_F(TimerImplTest, ChangeLargeTimerForwardToZeroBeforeRun) { } TEST_F(TimerImplTest, ChangeLargeTimerForwardToNonZeroBeforeRun) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); + MockFunction callback1, callback2; + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); - - // Expect watcher1 to trigger because timer1's deadline was moved forward. + // Expect callback1 to trigger because timer1's deadline was moved forward. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(prepare_watcher_, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(prepare_callback_, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::seconds(2000)); timer2->enableTimer(std::chrono::seconds(1000)); @@ -1074,21 +1027,17 @@ TEST_F(TimerImplTest, ChangeLargeTimerForwardToNonZeroBeforeRun) { // Timers scheduled at different times execute in order. TEST_F(TimerImplTest, TimerOrdering) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); - - ReadyWatcher watcher3; - Event::TimerPtr timer3 = dispatcher_->createTimer([&] { watcher3.ready(); }); + MockFunction callback1, callback2, callback3; + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); + Event::TimerPtr timer3 = dispatcher_->createTimer(callback3.AsStdFunction()); - // Expect watcher calls to happen in order since timers have different times. + // Expect callback calls to happen in order since timers have different times. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher3, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback3, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(0)); @@ -1106,23 +1055,16 @@ TEST_F(TimerImplTest, TimerOrdering) { // Alarms that are scheduled to execute and are cancelled do not trigger. TEST_F(TimerImplTest, TimerOrderAndDisableAlarm) { - ReadyWatcher watcher3; - Event::TimerPtr timer3 = dispatcher_->createTimer([&] { watcher3.ready(); }); + MockFunction callback1, callback2, callback3; + Event::TimerPtr timer3 = dispatcher_->createTimer(callback3.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); - - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { - timer2->disableTimer(); - watcher1.ready(); - }); - - // Expect watcher calls to happen in order since timers have different times. + // Expect callback calls to happen in order since timers have different times. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher3, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call).WillOnce([&]() { timer2->disableTimer(); }); + EXPECT_CALL(callback3, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(0)); timer2->enableTimer(std::chrono::milliseconds(1)); @@ -1140,38 +1082,31 @@ TEST_F(TimerImplTest, TimerOrderAndDisableAlarm) { // Change the registration time for a timer that is already activated by disabling and re-enabling // the timer. Verify that execution is delayed. TEST_F(TimerImplTest, TimerOrderDisableAndReschedule) { - ReadyWatcher watcher4; - Event::TimerPtr timer4 = dispatcher_->createTimer([&] { watcher4.ready(); }); - - ReadyWatcher watcher3; - Event::TimerPtr timer3 = dispatcher_->createTimer([&] { watcher3.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); + MockFunction callback1, callback2, callback3, callback4; + Event::TimerPtr timer4 = dispatcher_->createTimer(callback4.AsStdFunction()); + Event::TimerPtr timer3 = dispatcher_->createTimer(callback3.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { + // timer1 is expected to run first and reschedule timers 2 and 3. timer4 should fire before + // timer2 and timer3 since timer4's registration is unaffected. + InSequence s; + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call).WillOnce([&]() { timer2->disableTimer(); timer2->enableTimer(std::chrono::milliseconds(0)); timer3->disableTimer(); timer3->enableTimer(std::chrono::milliseconds(1)); - watcher1.ready(); }); - - // timer1 is expected to run first and reschedule timers 2 and 3. timer4 should fire before - // timer2 and timer3 since timer4's registration is unaffected. - InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher4, ready()); + EXPECT_CALL(callback4, Call); // Sleep during prepare to ensure that enough time has elapsed before timer evaluation to ensure // that timers 2 and 3 are picked up by the same loop iteration. Without the sleep the two // timers could execute in different loop iterations. - EXPECT_CALL(prepare_watcher_, ready()).WillOnce(testing::InvokeWithoutArgs([&]() { + EXPECT_CALL(prepare_callback_, Call).WillOnce([this]() { advanceLibeventTimeNextIteration(absl::Milliseconds(10)); - })); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher3, ready()); + }); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback3, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(0)); timer2->enableTimer(std::chrono::milliseconds(1)); @@ -1191,37 +1126,30 @@ TEST_F(TimerImplTest, TimerOrderDisableAndReschedule) { // Change the registration time for a timer that is already activated by re-enabling the timer // without calling disableTimer first. TEST_F(TimerImplTest, TimerOrderAndReschedule) { - ReadyWatcher watcher4; - Event::TimerPtr timer4 = dispatcher_->createTimer([&] { watcher4.ready(); }); - - ReadyWatcher watcher3; - Event::TimerPtr timer3 = dispatcher_->createTimer([&] { watcher3.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { watcher2.ready(); }); - - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { - timer2->enableTimer(std::chrono::milliseconds(0)); - timer3->enableTimer(std::chrono::milliseconds(1)); - watcher1.ready(); - }); + MockFunction callback1, callback2, callback3, callback4; + Event::TimerPtr timer4 = dispatcher_->createTimer(callback4.AsStdFunction()); + Event::TimerPtr timer3 = dispatcher_->createTimer(callback3.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); // Rescheduling timers that are already scheduled to run in the current event loop iteration has // no effect if the time delta is 0. Expect timers 1, 2 and 4 to execute in the original order. // Timer 3 is delayed since it is rescheduled with a non-zero delta. InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher4, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call).WillOnce([&]() { + timer2->enableTimer(std::chrono::milliseconds(0)); + timer3->enableTimer(std::chrono::milliseconds(1)); + }); + EXPECT_CALL(callback4, Call); // Sleep during prepare to ensure that enough time has elapsed before timer evaluation to ensure // that timers 2 and 3 are picked up by the same loop iteration. Without the sleep the two // timers could execute in different loop iterations. - EXPECT_CALL(prepare_watcher_, ready()).WillOnce(testing::InvokeWithoutArgs([&]() { + EXPECT_CALL(prepare_callback_, Call).WillOnce([this]() { advanceLibeventTimeNextIteration(absl::Milliseconds(10)); - })); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher3, ready()); + }); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback3, Call); runInEventLoop([&]() { timer1->enableTimer(std::chrono::milliseconds(0)); timer2->enableTimer(std::chrono::milliseconds(1)); @@ -1239,26 +1167,11 @@ TEST_F(TimerImplTest, TimerOrderAndReschedule) { } TEST_F(TimerImplTest, TimerChaining) { - ReadyWatcher watcher1; - Event::TimerPtr timer1 = dispatcher_->createTimer([&] { watcher1.ready(); }); - - ReadyWatcher watcher2; - Event::TimerPtr timer2 = dispatcher_->createTimer([&] { - watcher2.ready(); - timer1->enableTimer(std::chrono::milliseconds(0)); - }); - - ReadyWatcher watcher3; - Event::TimerPtr timer3 = dispatcher_->createTimer([&] { - watcher3.ready(); - timer2->enableTimer(std::chrono::milliseconds(0)); - }); - - ReadyWatcher watcher4; - Event::TimerPtr timer4 = dispatcher_->createTimer([&] { - watcher4.ready(); - timer3->enableTimer(std::chrono::milliseconds(0)); - }); + MockFunction callback1, callback2, callback3, callback4; + Event::TimerPtr timer4 = dispatcher_->createTimer(callback4.AsStdFunction()); + Event::TimerPtr timer3 = dispatcher_->createTimer(callback3.AsStdFunction()); + Event::TimerPtr timer2 = dispatcher_->createTimer(callback2.AsStdFunction()); + Event::TimerPtr timer1 = dispatcher_->createTimer(callback1.AsStdFunction()); timer4->enableTimer(std::chrono::milliseconds(0)); @@ -1267,14 +1180,20 @@ TEST_F(TimerImplTest, TimerChaining) { EXPECT_FALSE(timer3->enabled()); EXPECT_TRUE(timer4->enabled()); InSequence s; - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher4, ready()); - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher3, ready()); - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher1, ready()); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback4, Call).WillOnce([&]() { + timer3->enableTimer(std::chrono::milliseconds(0)); + }); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback3, Call).WillOnce([&]() { + timer2->enableTimer(std::chrono::milliseconds(0)); + }); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback2, Call).WillOnce([&]() { + timer1->enableTimer(std::chrono::milliseconds(0)); + }); + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback1, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); EXPECT_FALSE(timer1->enabled()); @@ -1284,21 +1203,14 @@ TEST_F(TimerImplTest, TimerChaining) { } TEST_F(TimerImplTest, TimerChainDisable) { - ReadyWatcher watcher; + MockFunction callback; Event::TimerPtr timer1; Event::TimerPtr timer2; Event::TimerPtr timer3; - auto timer_cb = [&] { - watcher.ready(); - timer1->disableTimer(); - timer2->disableTimer(); - timer3->disableTimer(); - }; - - timer1 = dispatcher_->createTimer(timer_cb); - timer2 = dispatcher_->createTimer(timer_cb); - timer3 = dispatcher_->createTimer(timer_cb); + timer1 = dispatcher_->createTimer(callback.AsStdFunction()); + timer2 = dispatcher_->createTimer(callback.AsStdFunction()); + timer3 = dispatcher_->createTimer(callback.AsStdFunction()); timer3->enableTimer(std::chrono::milliseconds(0)); timer2->enableTimer(std::chrono::milliseconds(0)); @@ -1308,28 +1220,25 @@ TEST_F(TimerImplTest, TimerChainDisable) { EXPECT_TRUE(timer2->enabled()); EXPECT_TRUE(timer3->enabled()); InSequence s; - // Only 1 call to watcher ready since the other 2 timers were disabled by the first timer. - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher, ready()); + // Only 1 call to callback since the other 2 timers were disabled by the first timer. + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback, Call).WillOnce([&]() { + timer1->disableTimer(); + timer2->disableTimer(); + timer3->disableTimer(); + }); dispatcher_->run(Dispatcher::RunType::NonBlock); } TEST_F(TimerImplTest, TimerChainDelete) { - ReadyWatcher watcher; + MockFunction callback; Event::TimerPtr timer1; Event::TimerPtr timer2; Event::TimerPtr timer3; - auto timer_cb = [&] { - watcher.ready(); - timer1.reset(); - timer2.reset(); - timer3.reset(); - }; - - timer1 = dispatcher_->createTimer(timer_cb); - timer2 = dispatcher_->createTimer(timer_cb); - timer3 = dispatcher_->createTimer(timer_cb); + timer1 = dispatcher_->createTimer(callback.AsStdFunction()); + timer2 = dispatcher_->createTimer(callback.AsStdFunction()); + timer3 = dispatcher_->createTimer(callback.AsStdFunction()); timer3->enableTimer(std::chrono::milliseconds(0)); timer2->enableTimer(std::chrono::milliseconds(0)); @@ -1339,9 +1248,13 @@ TEST_F(TimerImplTest, TimerChainDelete) { EXPECT_TRUE(timer2->enabled()); EXPECT_TRUE(timer3->enabled()); InSequence s; - // Only 1 call to watcher ready since the other 2 timers were deleted by the first timer. - EXPECT_CALL(prepare_watcher_, ready()); - EXPECT_CALL(watcher, ready()); + // Only 1 call to callback since the other 2 timers were deleted by the first timer. + EXPECT_CALL(prepare_callback_, Call); + EXPECT_CALL(callback, Call).WillOnce([&]() { + timer1.reset(); + timer2.reset(); + timer3.reset(); + }); dispatcher_->run(Dispatcher::RunType::NonBlock); } @@ -1504,61 +1417,61 @@ TEST_F(DispatcherWithWatchdogTest, PeriodicTouchTimer) { } TEST_F(DispatcherWithWatchdogTest, TouchBeforeEachPostCallback) { - ReadyWatcher watcher1; - ReadyWatcher watcher2; - ReadyWatcher watcher3; - dispatcher_->post([&]() { watcher1.ready(); }); - dispatcher_->post([&]() { watcher2.ready(); }); - dispatcher_->post([&]() { watcher3.ready(); }); + MockFunction callback1; + MockFunction callback2; + MockFunction callback3; + dispatcher_->post(callback1.AsStdFunction()); + dispatcher_->post(callback2.AsStdFunction()); + dispatcher_->post(callback3.AsStdFunction()); InSequence s; EXPECT_CALL(*watchdog_, touch()); - EXPECT_CALL(watcher1, ready()); + EXPECT_CALL(callback1, Call); EXPECT_CALL(*watchdog_, touch()); - EXPECT_CALL(watcher2, ready()); + EXPECT_CALL(callback2, Call); EXPECT_CALL(*watchdog_, touch()); - EXPECT_CALL(watcher3, ready()); + EXPECT_CALL(callback3, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); } TEST_F(DispatcherWithWatchdogTest, TouchBeforeDeferredDelete) { - ReadyWatcher watcher1; - ReadyWatcher watcher2; - ReadyWatcher watcher3; + MockFunction callback1; + MockFunction callback2; + MockFunction callback3; - DeferredTaskUtil::deferredRun(*dispatcher_, [&watcher1]() -> void { watcher1.ready(); }); - DeferredTaskUtil::deferredRun(*dispatcher_, [&watcher2]() -> void { watcher2.ready(); }); - DeferredTaskUtil::deferredRun(*dispatcher_, [&watcher3]() -> void { watcher3.ready(); }); + DeferredTaskUtil::deferredRun(*dispatcher_, callback1.AsStdFunction()); + DeferredTaskUtil::deferredRun(*dispatcher_, callback2.AsStdFunction()); + DeferredTaskUtil::deferredRun(*dispatcher_, callback3.AsStdFunction()); InSequence s; EXPECT_CALL(*watchdog_, touch()); - EXPECT_CALL(watcher1, ready()); - EXPECT_CALL(watcher2, ready()); - EXPECT_CALL(watcher3, ready()); + EXPECT_CALL(callback1, Call); + EXPECT_CALL(callback2, Call); + EXPECT_CALL(callback3, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); } TEST_F(DispatcherWithWatchdogTest, TouchBeforeSchedulableCallback) { - ReadyWatcher watcher; + MockFunction callback; - auto cb = dispatcher_->createSchedulableCallback([&]() { watcher.ready(); }); + auto cb = dispatcher_->createSchedulableCallback(callback.AsStdFunction()); cb->scheduleCallbackCurrentIteration(); InSequence s; EXPECT_CALL(*watchdog_, touch()); - EXPECT_CALL(watcher, ready()); + EXPECT_CALL(callback, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); } TEST_F(DispatcherWithWatchdogTest, TouchBeforeTimer) { - ReadyWatcher watcher; + MockFunction callback; - auto timer = dispatcher_->createTimer([&]() { watcher.ready(); }); + auto timer = dispatcher_->createTimer(callback.AsStdFunction()); timer->enableTimer(std::chrono::milliseconds(0)); InSequence s; EXPECT_CALL(*watchdog_, touch()); - EXPECT_CALL(watcher, ready()); + EXPECT_CALL(callback, Call); dispatcher_->run(Dispatcher::RunType::NonBlock); } @@ -1566,21 +1479,16 @@ TEST_F(DispatcherWithWatchdogTest, TouchBeforeFdEvent) { os_fd_t fd = os_sys_calls_.socket(AF_INET6, SOCK_DGRAM, 0).return_value_; ASSERT_TRUE(SOCKET_VALID(fd)); - ReadyWatcher watcher; + MockFunction callback; const FileTriggerType trigger = Event::PlatformDefaultTriggerType; - Event::FileEventPtr file_event = dispatcher_->createFileEvent( - fd, - [&](uint32_t) { - watcher.ready(); - return absl::OkStatus(); - }, - trigger, FileReadyType::Read); + Event::FileEventPtr file_event = + dispatcher_->createFileEvent(fd, callback.AsStdFunction(), trigger, FileReadyType::Read); file_event->activate(FileReadyType::Read); InSequence s; EXPECT_CALL(*watchdog_, touch()).Times(2); - EXPECT_CALL(watcher, ready()); + EXPECT_CALL(callback, Call).WillOnce(Return(absl::OkStatus())); dispatcher_->run(Dispatcher::RunType::NonBlock); } From 9dec4de927480f8523b6e886dd0d067f688bd219 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 2 Sep 2025 06:06:58 +0200 Subject: [PATCH 334/505] api_listener: improve test coverage (#40898) --- test/server/api_listener_test.cc | 142 +++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) diff --git a/test/server/api_listener_test.cc b/test/server/api_listener_test.cc index 697cb166e2de4..4611a37fe3e36 100644 --- a/test/server/api_listener_test.cc +++ b/test/server/api_listener_test.cc @@ -240,5 +240,147 @@ name: test_api_listener EXPECT_ENVOY_BUG(connection.isHalfCloseEnabled(), "Unexpected function call"); } +// Exercise SyntheticReadCallbacks unimplemented methods and PANIC behavior for socket(). +TEST_F(ApiListenerTest, SyntheticReadCallbacksUnimplementedMethods) { + const std::string yaml = R"EOF( +name: test_api_listener +address: + socket_address: + address: 127.0.0.1 + port_value: 1234 +api_listener: + api_listener: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: hcm + route_config: + name: api_router + virtual_hosts: + - name: api + domains: + - "*" + routes: + - match: + prefix: "/" + route: + cluster: dynamic_forward_proxy_cluster + )EOF"; + + const envoy::config::listener::v3::Listener config = parseListenerFromV3Yaml(yaml); + server_.server_factory_context_->cluster_manager_.initializeClusters( + {"dynamic_forward_proxy_cluster"}, {}); + HttpApiListenerFactory factory; + auto http_api_listener = factory.create(config, server_, config.name()).value(); + auto api_listener = http_api_listener->createHttpApiListener(server_.dispatcher()); + ASSERT_NE(api_listener, nullptr); + + // Access SyntheticReadCallbacks through the wrapper. + auto* wrapper = dynamic_cast(api_listener.get()); + ASSERT_NE(wrapper, nullptr); + auto& read_callbacks = wrapper->readCallbacks(); + + Buffer::OwnedImpl dummy_buffer("x"); + EXPECT_ENVOY_BUG(read_callbacks.continueReading(), "Unexpected call to continueReading"); + EXPECT_ENVOY_BUG(read_callbacks.injectReadDataToFilterChain(dummy_buffer, false), + "Unexpected call to injectReadDataToFilterChain"); + EXPECT_ENVOY_BUG(read_callbacks.disableClose(true), "Unexpected call to disableClose"); + EXPECT_ENVOY_BUG(read_callbacks.startUpstreamSecureTransport(), + "Unexpected call to startUpstreamSecureTransport"); + EXPECT_EQ(read_callbacks.upstreamHost(), nullptr); + EXPECT_ENVOY_BUG(read_callbacks.upstreamHost(nullptr), "Unexpected call to upstreamHost"); + EXPECT_DEATH(read_callbacks.socket(), "not implemented"); +} + +// Verify base address access and drain decision behavior. +TEST_F(ApiListenerTest, NewStreamHandleReturnsDecoderHandle) { + const std::string yaml = R"EOF( +name: test_api_listener +address: + socket_address: + address: 127.0.0.1 + port_value: 1234 +api_listener: + api_listener: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: hcm + route_config: + name: api_router + virtual_hosts: + - name: api + domains: + - "*" + routes: + - match: + prefix: "/" + route: + cluster: dynamic_forward_proxy_cluster + )EOF"; + + const envoy::config::listener::v3::Listener config = parseListenerFromV3Yaml(yaml); + server_.server_factory_context_->cluster_manager_.initializeClusters( + {"dynamic_forward_proxy_cluster"}, {}); + + HttpApiListenerFactory factory; + auto http_api_listener = factory.create(config, server_, config.name()).value(); + auto api_listener = http_api_listener->createHttpApiListener(server_.dispatcher()); + ASSERT_NE(api_listener, nullptr); + + testing::NiceMock response_encoder; + ON_CALL(response_encoder, getStream()) + .WillByDefault(testing::ReturnRef(response_encoder.stream_)); + ON_CALL(response_encoder, setRequestDecoder(testing::_)).WillByDefault(testing::Return()); + + auto decoder_handle = api_listener->newStreamHandle(response_encoder); + ASSERT_NE(decoder_handle, nullptr); + + // Tear down in safe order. + decoder_handle.reset(); + api_listener.reset(); +} + +// Removing callbacks prevents receiving RemoteClose on ApiListenerWrapper destruction. +TEST_F(ApiListenerTest, NoEventAfterCallbackRemovalOnShutdown) { + const std::string yaml = R"EOF( +name: test_api_listener +address: + socket_address: + address: 127.0.0.1 + port_value: 1234 +api_listener: + api_listener: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: hcm + route_config: + name: api_router + virtual_hosts: + - name: api + domains: + - "*" + routes: + - match: + prefix: "/" + route: + cluster: dynamic_forward_proxy_cluster + )EOF"; + + const envoy::config::listener::v3::Listener config = parseListenerFromV3Yaml(yaml); + server_.server_factory_context_->cluster_manager_.initializeClusters( + {"dynamic_forward_proxy_cluster"}, {}); + + HttpApiListenerFactory factory; + auto http_api_listener = factory.create(config, server_, config.name()).value(); + auto api_listener = http_api_listener->createHttpApiListener(server_.dispatcher()); + ASSERT_NE(api_listener, nullptr); + + Network::MockConnectionCallbacks network_connection_callbacks; + auto& connection = dynamic_cast(api_listener.get()) + ->readCallbacks() + .connection(); + connection.addConnectionCallbacks(network_connection_callbacks); + connection.removeConnectionCallbacks(network_connection_callbacks); + + EXPECT_CALL(network_connection_callbacks, onEvent(testing::_)).Times(0); + api_listener.reset(); +} + } // namespace Server } // namespace Envoy From 48ea1f1751e1cd887c35f9919a98ac0d88c784f7 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Tue, 2 Sep 2025 17:42:42 +0800 Subject: [PATCH 335/505] chore: set response code details to oauth2 filter 401 local response (#40736) Commit Message: add error details to the OAuth2 filter 401 local response. Additional Description: Risk Level: low Testing: unit test Docs Changes: no Release Notes: yes Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #37933] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] The following example shows the `response_code_details` added by this PR: `response_code_details":"Failed_to_get_access_token,_response_code:_400,_response_body:_{"error":"invalid_client"}` ``` {"start_time":"2025-08-15T10:17:29.682Z","method":"GET","x-envoy-origin-path":"/myapp/oauth2/callback?code=22ef226d-ff19-417e-ab6b-cf4bce2824e0&state=eyJ1cmwiOiJodHRwczovL3d3dy5leGFtcGxlLmNvbS9teWFwcCIsImNzcmZfdG9rZW4iOiJiNmY2MWZkZWUwNjliZmI1LjdiRVdwY3JsWld3M1RIYjVMOGEyM3JyMndBRHBSRTIyZWEzeDU1RDJHWTg9In0","protocol":"HTTP/2","response_code":"401","response_flags":"-","response_code_details":"Failed_to_get_access_token,_response_code:_400,_response_body:_{"error":"invalid_client"}","connection_termination_details":"-","upstream_transport_failure_reason":"-","bytes_received":"0","bytes_sent":"18","duration":"452","x-envoy-upstream-service-time":"-","x-forwarded-for":"10.244.0.13","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36","x-request-id":"c080a8b9-3fd2-4a9e-b187-87a749fb1f65",":authority":"www.example.com","upstream_host":"-","upstream_cluster":"httproute/default/myapp/rule/0","upstream_local_address":"-","downstream_local_address":"127.0.0.1:10443","downstream_remote_address":"127.0.0.1:42518","requested_server_name":"-","route_name":"httproute/default/myapp/rule/0/match/0/www_example_com"} ``` --------- Signed-off-by: Huabing (Robin) Zhao --- changelogs/current.yaml | 3 + .../extensions/filters/http/oauth2/filter.cc | 55 +++++++++---------- .../extensions/filters/http/oauth2/filter.h | 3 +- source/extensions/filters/http/oauth2/oauth.h | 2 +- .../filters/http/oauth2/oauth_client.cc | 22 ++++---- .../filters/http/oauth2/oauth_test.cc | 16 +++--- 6 files changed, 53 insertions(+), 48 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index abe0329c79a67..31f005dc56b32 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -52,6 +52,9 @@ minor_behavior_changes: This can be accessed through the ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and the ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access_log command operators. +- area: oauth2 + change: | + Added response code details to 401 local responses generated by the OAuth2 filter. - area: ext_proc change: | If :ref:`failure_mode_allow ` is true, diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index a0aab5445da15..ac753f9086434 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -631,7 +631,7 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he // https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2 const CallbackValidationResult result = validateOAuthCallback(headers, path_str); if (!result.is_valid_) { - sendUnauthorizedResponse(); + sendUnauthorizedResponse(result.error_details_); return Http::FilterHeadersStatus::StopIteration; } @@ -640,9 +640,9 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he Http::Utility::Url original_request_url; original_request_url.initialize(result.original_request_url_, false); if (config_->redirectPathMatcher().match(original_request_url.pathAndQueryParams())) { - ENVOY_LOG(debug, "state url query params {} matches the redirect path matcher", - original_request_url.pathAndQueryParams()); - sendUnauthorizedResponse(); + sendUnauthorizedResponse( + fmt::format("State url query params matches the redirect path matcher: {}", + original_request_url.pathAndQueryParams())); return Http::FilterHeadersStatus::StopIteration; } @@ -685,8 +685,8 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he redirectToOAuthServer(headers); return Http::FilterHeadersStatus::StopIteration; } else { - ENVOY_LOG(debug, "unauthorized, redirecting to OAuth server is not allowed", path_str); - sendUnauthorizedResponse(); + sendUnauthorizedResponse(fmt::format( + "Unauthorized, and redirecting to OAuth server is not allowed: {}", path_str)); return Http::FilterHeadersStatus::StopIteration; } } @@ -696,7 +696,7 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he // token. const CallbackValidationResult result = validateOAuthCallback(headers, path_str); if (!result.is_valid_) { - sendUnauthorizedResponse(); + sendUnauthorizedResponse(result.error_details_); return Http::FilterHeadersStatus::StopIteration; } @@ -710,16 +710,14 @@ Http::FilterHeadersStatus OAuth2Filter::decodeHeaders(Http::RequestHeaderMap& he std::string encrypted_code_verifier = Http::Utility::parseCookieValue(headers, config_->cookieNames().code_verifier_); if (encrypted_code_verifier.empty()) { - ENVOY_LOG(error, "code verifier cookie is missing in the request"); - sendUnauthorizedResponse(); + sendUnauthorizedResponse("Code verifier cookie is missing in the request"); return Http::FilterHeadersStatus::StopIteration; } DecryptResult decrypt_result = decrypt(encrypted_code_verifier, config_->hmacSecret()); if (decrypt_result.error.has_value()) { - ENVOY_LOG(error, "failed to decrypt code verifier: {}, error: {}", encrypted_code_verifier, - decrypt_result.error.value()); - sendUnauthorizedResponse(); + sendUnauthorizedResponse(fmt::format("Failed to decrypt code verifier: {}, error: {}", + encrypted_code_verifier, decrypt_result.error.value())); return Http::FilterHeadersStatus::StopIteration; } @@ -1213,7 +1211,8 @@ void OAuth2Filter::onRefreshAccessTokenFailure() { if (canRedirectToOAuthServer(*request_headers_)) { redirectToOAuthServer(*request_headers_); } else { - sendUnauthorizedResponse(); + sendUnauthorizedResponse( + "Failed to refresh the access token, and redirecting to OAuth server is not allowed"); } } @@ -1274,10 +1273,11 @@ void OAuth2Filter::addResponseCookies(Http::ResponseHeaderMap& headers, } } -void OAuth2Filter::sendUnauthorizedResponse() { +void OAuth2Filter::sendUnauthorizedResponse(const std::string& details) { + ENVOY_LOG(warn, "Responding with 401 Unauthorized. Cause: {}", details); config_->stats().oauth_failure_.inc(); decoder_callbacks_->sendLocalReply(Http::Code::Unauthorized, UnauthorizedBodyMessage, nullptr, - absl::nullopt, EMPTY_STRING); + absl::nullopt, details); } // Validates the OAuth callback request. @@ -1291,16 +1291,17 @@ OAuth2Filter::validateOAuthCallback(const Http::RequestHeaderMap& headers, // Return 401 unauthorized if the query parameters contain an error response. const auto query_parameters = Http::Utility::QueryParamsMulti::parseQueryString(path_str); if (query_parameters.getFirstValue(queryParamsError).has_value()) { - ENVOY_LOG(debug, "OAuth server returned an error: \n{}", query_parameters.data()); - return {false, "", ""}; + return {false, "", "", + fmt::format("OAuth server returned an error: {}", query_parameters.toString())}; } // Return 401 unauthorized if the query parameters do not contain the code and state. auto codeVal = query_parameters.getFirstValue(queryParamsCode); auto stateVal = query_parameters.getFirstValue(queryParamsState); if (!codeVal.has_value() || !stateVal.has_value()) { - ENVOY_LOG(error, "code or state query param does not exist: \n{}", query_parameters.data()); - return {false, "", ""}; + return { + false, "", "", + fmt::format("Code or state query param does not exist: {}", query_parameters.toString())}; } // Return 401 unauthorized if the state query parameter does not contain the original request URL @@ -1312,15 +1313,14 @@ OAuth2Filter::validateOAuthCallback(const Http::RequestHeaderMap& headers, auto status = MessageUtil::loadFromJsonNoThrow(state, message, has_unknown_field); if (!status.ok()) { - ENVOY_LOG(error, "state query param is not a valid JSON: \n{}", state); - return {false, "", ""}; + return {false, "", "", fmt::format("State query param is not a valid JSON: {}", state)}; } const auto& filed_value_pair = message.fields(); if (!filed_value_pair.contains(stateParamsUrl) || !filed_value_pair.contains(stateParamsCsrfToken)) { - ENVOY_LOG(error, "state query param does not contain url or CSRF token: \n{}", state); - return {false, "", ""}; + return {false, "", "", + fmt::format("State query param does not contain url or CSRF token: {}", state)}; } // Return 401 unauthorized if the CSRF token cookie does not match the CSRF token in the state. @@ -1331,19 +1331,18 @@ OAuth2Filter::validateOAuthCallback(const Http::RequestHeaderMap& headers, // More information can be found at https://datatracker.ietf.org/doc/html/rfc6819#section-5.3.5 std::string csrf_token = filed_value_pair.at(stateParamsCsrfToken).string_value(); if (!validateCsrfToken(headers, csrf_token)) { - ENVOY_LOG(error, "csrf token validation failed"); - return {false, "", ""}; + return {false, "", "", "CSRF token validation failed"}; } const std::string original_request_url = filed_value_pair.at(stateParamsUrl).string_value(); // Return 401 unauthorized if the URL in the state is not valid. Http::Utility::Url url; if (!url.initialize(original_request_url, false)) { - ENVOY_LOG(error, "state url {} can not be initialized", original_request_url); - return {false, "", ""}; + return {false, "", "", + fmt::format("State url can not be initialized: {}", original_request_url)}; } - return {true, codeVal.value(), original_request_url}; + return {true, codeVal.value(), original_request_url, ""}; } // Validates the csrf_token in the state parameter against the one in the cookie. diff --git a/source/extensions/filters/http/oauth2/filter.h b/source/extensions/filters/http/oauth2/filter.h index 37c7921250005..76329bea6d707 100644 --- a/source/extensions/filters/http/oauth2/filter.h +++ b/source/extensions/filters/http/oauth2/filter.h @@ -300,6 +300,7 @@ struct CallbackValidationResult { bool is_valid_; std::string auth_code_; std::string original_request_url_; + std::string error_details_; }; /** @@ -331,7 +332,7 @@ class OAuth2Filter : public Http::PassThroughFilter, // a catch-all function used for request failures. we don't retry, as a user can simply refresh // the page in the case of a network blip. - void sendUnauthorizedResponse() override; + void sendUnauthorizedResponse(const std::string& details) override; void finishGetAccessTokenFlow(); void finishRefreshAccessTokenFlow(); diff --git a/source/extensions/filters/http/oauth2/oauth.h b/source/extensions/filters/http/oauth2/oauth.h index f7850d35fd99f..ea851a4c7d923 100644 --- a/source/extensions/filters/http/oauth2/oauth.h +++ b/source/extensions/filters/http/oauth2/oauth.h @@ -30,7 +30,7 @@ class FilterCallbacks { virtual void onRefreshAccessTokenFailure() PURE; - virtual void sendUnauthorizedResponse() PURE; + virtual void sendUnauthorizedResponse(const std::string& details) PURE; }; /** diff --git a/source/extensions/filters/http/oauth2/oauth_client.cc b/source/extensions/filters/http/oauth2/oauth_client.cc index 562ccd48c0a8c..13f6d40f83adf 100644 --- a/source/extensions/filters/http/oauth2/oauth_client.cc +++ b/source/extensions/filters/http/oauth2/oauth_client.cc @@ -121,7 +121,7 @@ void OAuth2ClientImpl::dispatchRequest(Http::RequestMessagePtr&& msg) { in_flight_request_ = thread_local_cluster->httpAsyncClient().send(std::move(msg), *this, options); } else { - parent_->sendUnauthorizedResponse(); + parent_->sendUnauthorizedResponse("Token endpoint cluster not found"); } } @@ -142,7 +142,9 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&, ENVOY_LOG(debug, "Oauth response body: {}", message->bodyAsString()); switch (oldState) { case OAuthState::PendingAccessToken: - parent_->sendUnauthorizedResponse(); + parent_->sendUnauthorizedResponse( + fmt::format("Failed to get access token, response code: {}, response body: {}", + response_code, message->bodyAsString())); break; case OAuthState::PendingAccessTokenByRefreshToken: parent_->onRefreshAccessTokenFailure(); @@ -160,17 +162,16 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&, MessageUtil::loadFromJson(response_body, response, ProtobufMessage::getNullValidationVisitor()); } END_TRY catch (EnvoyException& e) { - ENVOY_LOG(debug, "Error parsing response body, received exception: {}", e.what()); - ENVOY_LOG(debug, "Response body: {}", response_body); - parent_->sendUnauthorizedResponse(); + parent_->sendUnauthorizedResponse(fmt::format( + "Failed to parse oauth response body: {}, exception: {}", response_body, e.what())); return; } // TODO(snowp): Should this be a pgv validation instead? A more readable log // message might be good enough reason to do this manually? if (!response.has_access_token()) { - ENVOY_LOG(debug, "No access token after asyncGetAccessToken"); - parent_->sendUnauthorizedResponse(); + parent_->sendUnauthorizedResponse( + fmt::format("No access token found in the token exchange response: {}", response_body)); return; } @@ -183,8 +184,9 @@ void OAuth2ClientImpl::onSuccess(const Http::AsyncClient::Request&, expires_in = std::chrono::seconds{response.expires_in().value()}; } if (expires_in <= 0s) { - ENVOY_LOG(debug, "No default or explicit access token expiration after asyncGetAccessToken"); - parent_->sendUnauthorizedResponse(); + parent_->sendUnauthorizedResponse(fmt::format( + "No default or explicit access token expiration found in the token exchange response: {}", + response_body)); return; } @@ -209,7 +211,7 @@ void OAuth2ClientImpl::onFailure(const Http::AsyncClient::Request&, switch (oldState) { case OAuthState::PendingAccessToken: - parent_->sendUnauthorizedResponse(); + parent_->sendUnauthorizedResponse("Failed to get access token due to HTTP request failure"); break; case OAuthState::PendingAccessTokenByRefreshToken: parent_->onRefreshAccessTokenFailure(); diff --git a/test/extensions/filters/http/oauth2/oauth_test.cc b/test/extensions/filters/http/oauth2/oauth_test.cc index 2de33bb063088..c8751d1aaeae9 100644 --- a/test/extensions/filters/http/oauth2/oauth_test.cc +++ b/test/extensions/filters/http/oauth2/oauth_test.cc @@ -29,7 +29,7 @@ using testing::Return; class MockCallbacks : public FilterCallbacks { public: - MOCK_METHOD(void, sendUnauthorizedResponse, ()); + MOCK_METHOD(void, sendUnauthorizedResponse, (const std::string& details)); MOCK_METHOD(void, onGetAccessTokenSuccess, (const std::string&, const std::string&, const std::string&, std::chrono::seconds)); MOCK_METHOD(void, onRefreshAccessTokenSuccess, @@ -135,7 +135,7 @@ TEST_F(OAuth2ClientTest, RequestAccessTokenMissingExpiresIn) { client_->setCallbacks(*mock_callbacks_); client_->asyncGetAccessToken("a", "b", "c", "d", "e"); EXPECT_EQ(1, callbacks_.size()); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); Http::MockAsyncClientRequest request(&cm_.thread_local_cluster_.async_client_); ASSERT_TRUE(popPendingCallback( [&](auto* callback) { callback->onSuccess(request, std::move(mock_response)); })); @@ -202,7 +202,7 @@ TEST_F(OAuth2ClientTest, RequestAccessTokenIncompleteResponse) { client_->setCallbacks(*mock_callbacks_); client_->asyncGetAccessToken("a", "b", "c", "d", "e"); EXPECT_EQ(1, callbacks_.size()); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); Http::MockAsyncClientRequest request(&cm_.thread_local_cluster_.async_client_); ASSERT_TRUE(popPendingCallback( [&](auto* callback) { callback->onSuccess(request, std::move(mock_response)); })); @@ -227,7 +227,7 @@ TEST_F(OAuth2ClientTest, RequestAccessTokenErrorResponse) { client_->setCallbacks(*mock_callbacks_); client_->asyncGetAccessToken("a", "b", "c", "d", "e"); EXPECT_EQ(1, callbacks_.size()); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); Http::MockAsyncClientRequest request(&cm_.thread_local_cluster_.async_client_); ASSERT_TRUE(popPendingCallback( [&](auto* callback) { callback->onSuccess(request, std::move(mock_response)); })); @@ -258,7 +258,7 @@ TEST_F(OAuth2ClientTest, RequestAccessTokenInvalidResponse) { client_->setCallbacks(*mock_callbacks_); client_->asyncGetAccessToken("a", "b", "c", "d", "e"); EXPECT_EQ(1, callbacks_.size()); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); Http::MockAsyncClientRequest request(&cm_.thread_local_cluster_.async_client_); ASSERT_TRUE(popPendingCallback( [&](auto* callback) { callback->onSuccess(request, std::move(mock_response)); })); @@ -277,7 +277,7 @@ TEST_F(OAuth2ClientTest, RequestAccessTokenNetworkError) { client_->asyncGetAccessToken("a", "b", "c", "d", "e"); EXPECT_EQ(1, callbacks_.size()); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); Http::MockAsyncClientRequest request(&cm_.thread_local_cluster_.async_client_); ASSERT_TRUE(popPendingCallback([&](auto* callback) { callback->onFailure(request, Http::AsyncClient::FailureReason::Reset); @@ -301,7 +301,7 @@ TEST_F(OAuth2ClientTest, RequestAccessTokenUnhealthyUpstream) { })); client_->setCallbacks(*mock_callbacks_); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); client_->asyncGetAccessToken("a", "b", "c", "d", "e"); } @@ -478,7 +478,7 @@ TEST_F(OAuth2ClientTest, RequestRefreshAccessTokenNetworkErrorDoubleCallStateInv TEST_F(OAuth2ClientTest, NoCluster) { ON_CALL(cm_, getThreadLocalCluster("auth")).WillByDefault(Return(nullptr)); client_->setCallbacks(*mock_callbacks_); - EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse()); + EXPECT_CALL(*mock_callbacks_, sendUnauthorizedResponse(_)); client_->asyncGetAccessToken("a", "b", "c", "d", "e"); EXPECT_EQ(0, callbacks_.size()); } From 8119b989d8891011b9add9c41406fecb8932683e Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Tue, 2 Sep 2025 17:43:11 +0800 Subject: [PATCH 336/505] OAuth2: relax the token endpoint cluster validation in the OAuth2 filter (#40785) Commit Message: When the Cluster referenced by an OAuth2 filter comes after the Listener, Envoy rejects the Listener because the OAuth2 filter checks the Cluster existence. This PR relaxes the cluster check during the initialization of the OAuth filter, and only checks it when sending out the authorization request. Additional Description: Risk Level: low Testing: unit test Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #40735] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Huabing (Robin) Zhao --- source/extensions/filters/http/oauth2/filter.cc | 7 ++++--- source/extensions/filters/http/oauth2/filter.h | 2 +- test/extensions/filters/http/oauth2/filter_test.cc | 9 --------- 3 files changed, 5 insertions(+), 13 deletions(-) diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index ac753f9086434..b7044b3fefde1 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -469,9 +469,10 @@ FilterConfig::FilterConfig( ? CookieSettings(proto_config.cookie_configs().code_verifier_cookie_config()) : CookieSettings()) { if (!context.clusterManager().clusters().hasCluster(oauth_token_endpoint_.cluster())) { - throw EnvoyException(fmt::format("OAuth2 filter: unknown cluster '{}' in config. Please " - "specify which cluster to direct OAuth requests to.", - oauth_token_endpoint_.cluster())); + // This is not necessarily a configuration error — sometimes cluster is sent later than the + // listener in the xDS stream. + ENVOY_LOG(warn, "OAuth2 filter: unknown cluster '{}' in config. ", + oauth_token_endpoint_.cluster()); } if (!authorization_endpoint_url_.initialize(authorization_endpoint_, /*is_connect_request=*/false)) { diff --git a/source/extensions/filters/http/oauth2/filter.h b/source/extensions/filters/http/oauth2/filter.h index 76329bea6d707..3c0906cd9f516 100644 --- a/source/extensions/filters/http/oauth2/filter.h +++ b/source/extensions/filters/http/oauth2/filter.h @@ -126,7 +126,7 @@ struct CookieNames { * This class encapsulates all data needed for the filter to operate so that we don't pass around * raw protobufs and other arbitrary data. */ -class FilterConfig { +class FilterConfig : public Logger::Loggable { public: FilterConfig(const envoy::extensions::filters::http::oauth2::v3::OAuth2Config& proto_config, Server::Configuration::CommonFactoryContext& context, diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index 235a62e157648..a6a4cf43dcc20 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -387,15 +387,6 @@ name: client EXPECT_EQ(secret_reader.clientSecret(), "client_test_recheck"); EXPECT_EQ(secret_reader.hmacSecret(), "token_test"); } -// Verifies that we fail constructing the filter if the configured cluster doesn't exist. -TEST_F(OAuth2Test, InvalidCluster) { - ON_CALL(factory_context_.server_factory_context_.cluster_manager_, clusters()) - .WillByDefault(Return(Upstream::ClusterManager::ClusterInfoMaps())); - - EXPECT_THROW_WITH_MESSAGE(init(), EnvoyException, - "OAuth2 filter: unknown cluster 'auth.example.com' in config. Please " - "specify which cluster to direct OAuth requests to."); -} // Verifies that we fail constructing the filter if the authorization endpoint isn't a valid URL. TEST_F(OAuth2Test, InvalidAuthorizationEndpoint) { From 9f3eca3ada37d934b77d6f13c27859af9bc3541e Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 2 Sep 2025 15:01:50 +0100 Subject: [PATCH 337/505] docker/ci: Fix debug publishing (#40923) fix #40851 Signed-off-by: Ryan Northey --- .../workflows/_publish_release_container.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml index e5452e5f8426b..94029364d18c3 100644 --- a/.github/workflows/_publish_release_container.yml +++ b/.github/workflows/_publish_release_container.yml @@ -89,6 +89,15 @@ jobs: artifact-pattern: envoy-contrib-debug.{arch}.tar additional-tags: - contrib-debug-dev-${{ github.sha }} + - name: ${{ inputs.dockerhub-repo }} + tag: debug-dev + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-dev.{arch}.tar + additional-tags: + - debug-dev-${{ github.sha }} - name: ${{ inputs.dockerhub-repo }} tag: distroless-dev registry: docker.io/envoyproxy @@ -152,6 +161,15 @@ jobs: artifact-pattern: envoy-contrib-debug.{arch}.tar additional-tags: - contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest + - name: ${{ inputs.dockerhub-repo }} + tag: debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} + registry: docker.io/envoyproxy + architectures: + - amd64 + - arm64 + artifact-pattern: envoy-debug.{arch}.tar + additional-tags: + - debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - name: ${{ inputs.dockerhub-repo }} tag: distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} registry: docker.io/envoyproxy From 5c49d9e7a90267c0f19c13e95021be333528ca52 Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 2 Sep 2025 15:49:43 +0100 Subject: [PATCH 338/505] docker/publishing: Minor fix (#40926) Signed-off-by: Ryan Northey --- .github/workflows/_publish_release_container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml index 94029364d18c3..5edcd53baab44 100644 --- a/.github/workflows/_publish_release_container.yml +++ b/.github/workflows/_publish_release_container.yml @@ -95,7 +95,7 @@ jobs: architectures: - amd64 - arm64 - artifact-pattern: envoy-dev.{arch}.tar + artifact-pattern: envoy-debug.{arch}.tar additional-tags: - debug-dev-${{ github.sha }} - name: ${{ inputs.dockerhub-repo }} From 46313ac4e6bc2250d0948cc1cceb543ad16ccc88 Mon Sep 17 00:00:00 2001 From: code Date: Wed, 3 Sep 2025 03:59:37 +0800 Subject: [PATCH 339/505] stats: fix a bug where the prometheus name of ssl certificate stats are wrong (#40891) Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: WangBaiping --- changelogs/current.yaml | 6 ++++++ source/common/config/well_known_names.cc | 2 +- test/common/stats/tag_extractor_impl_test.cc | 5 +++-- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 31f005dc56b32..68427112e4d86 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -100,6 +100,12 @@ bug_fixes: removed for requests matching the ``pass_through_matcher`` configuration. This broke setups with multiple OAuth2 filter instances using different ``pass_through_matcher`` configurations, because the first matching instance removed the OAuth2 cookies--even when a passthrough was intended--impacting subsequent filters that still needed those cookies. +- area: stats + change: | + Fixed a bug where the metric name ``expiration_unix_time_seconds`` of + ``cluster..ssl.certificate..`` + and ``listener.

.ssl.certificate..`` + was not being properly extracted in the final prometheus stat name. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/common/config/well_known_names.cc b/source/common/config/well_known_names.cc index 5481186c989d4..62cc028565916 100644 --- a/source/common/config/well_known_names.cc +++ b/source/common/config/well_known_names.cc @@ -242,7 +242,7 @@ TagNameValues::TagNameValues() { // listener.[
.]ssl.certificate.(). or // cluster.[.]ssl.certificate.(). addRe2(TLS_CERTIFICATE, - R"(^\.ssl\.certificate(\.()\..*)$)", + R"(^\.ssl\.certificate\.(()\.).*$)", ".ssl.certificate"); } diff --git a/test/common/stats/tag_extractor_impl_test.cc b/test/common/stats/tag_extractor_impl_test.cc index 0d2605c6d1666..e5de22ffe61af 100644 --- a/test/common/stats/tag_extractor_impl_test.cc +++ b/test/common/stats/tag_extractor_impl_test.cc @@ -526,7 +526,8 @@ TEST(TagExtractorTest, DefaultTagExtractors) { listener_address.value_ = "0.0.0.0_0"; regex_tester.testRegex( "listener.0.0.0.0_0.ssl.certificate.server_cert.expiration_unix_time_seconds", - "listener.ssl.certificate", {listener_address, certificate_name}); + "listener.ssl.certificate.expiration_unix_time_seconds", + {listener_address, certificate_name}); // Cluster test Tag test_cluster; @@ -534,7 +535,7 @@ TEST(TagExtractorTest, DefaultTagExtractors) { test_cluster.value_ = "test_cluster"; regex_tester.testRegex( "cluster.test_cluster.ssl.certificate.server_cert.expiration_unix_time_seconds", - "cluster.ssl.certificate", {test_cluster, certificate_name}); + "cluster.ssl.certificate.expiration_unix_time_seconds", {test_cluster, certificate_name}); } TEST(TagExtractorTest, ExtAuthzTagExtractors) { From 88b397ff240e98aaead095080d0cac415d8e5bf7 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Sat, 30 Aug 2025 01:21:25 -0700 Subject: [PATCH 340/505] addressed comments from @yanavlasov Signed-off-by: Rohit Agrawal --- source/common/network/connection_impl.cc | 14 +- source/common/network/connection_impl.h | 5 +- .../downstream_socket_interface/BUILD | 7 +- .../downstream_reverse_connection_io_handle.h | 65 +++++++ .../rc_connection_wrapper.h | 139 +++++++++++++++ .../reverse_connection_io_handle.cc | 62 +++++-- .../reverse_connection_io_handle.h | 158 +----------------- ...reverse_connection_load_balancer_context.h | 44 +++++ .../upstream_socket_interface/BUILD | 2 + .../reverse_connection_io_handle.cc | 55 ++++++ .../reverse_connection_io_handle.h | 78 +++++++++ .../reverse_tunnel_acceptor.cc | 41 +---- .../reverse_tunnel_acceptor.h | 52 +----- .../upstream_socket_manager.cc | 2 +- .../reverse_connection_io_handle_test.cc | 41 ++++- .../upstream_socket_interface/BUILD | 4 +- ...c => reverse_connection_io_handle_test.cc} | 10 +- 17 files changed, 493 insertions(+), 286 deletions(-) create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h rename test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/{upstream_reverse_connection_io_handle_test.cc => reverse_connection_io_handle_test.cc} (92%) diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index 4a1dda33b1cd6..127d24bdee621 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -320,9 +320,8 @@ void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_actio } void ConnectionImpl::closeSocket(ConnectionEvent close_type) { - ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}, reuse_socket_={}", *this, - socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, - static_cast(reuse_socket_)); + ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}", *this, + socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false); if (!socket_->isOpen()) { ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); @@ -368,14 +367,7 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { } // It is safe to call close() since there is an IO handle check. - ENVOY_CONN_LOG(trace, "closeSocket: about to close socket, reuse_socket_={}", *this, - static_cast(reuse_socket_)); - if (!reuse_socket_) { - socket_->close(); - } else { - ENVOY_CONN_LOG(trace, "closeSocket: skipping socket close due to reuse_socket_=true", *this); - return; - } + socket_->close(); // Call the base class directly as close() is called in the destructor. ConnectionImpl::raiseEvent(close_type); diff --git a/source/common/network/connection_impl.h b/source/common/network/connection_impl.h index 2a5dca6055bbc..f58b4f204fb59 100644 --- a/source/common/network/connection_impl.h +++ b/source/common/network/connection_impl.h @@ -63,10 +63,7 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback bool initializeReadFilters() override; const ConnectionSocketPtr& getSocket() const override { return socket_; } - void setSocketReused(bool value) override { - ENVOY_LOG_MISC(trace, "setSocketReused called with value={}", value); - reuse_socket_ = value; - } + void setSocketReused(bool value) override { reuse_socket_ = value; } bool isSocketReused() override { return reuse_socket_; } // Network::Connection diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index c10e237184187..27f957b13d8bd 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -59,7 +59,12 @@ envoy_cc_library( envoy_cc_library( name = "reverse_connection_io_handle_lib", srcs = ["reverse_connection_io_handle.cc"], - hdrs = ["reverse_connection_io_handle.h"], + hdrs = [ + "downstream_reverse_connection_io_handle.h", + "rc_connection_wrapper.h", + "reverse_connection_io_handle.h", + "reverse_connection_load_balancer_context.h", + ], visibility = ["//visibility:public"], deps = [ ":reverse_connection_address_lib", diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h new file mode 100644 index 0000000000000..27d04f1d2a5cd --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h @@ -0,0 +1,65 @@ +#pragma once + +#include + +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" + +#include "source/common/common/logger.h" +#include "source/common/network/io_socket_handle_impl.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declaration. +class ReverseConnectionIOHandle; + +/** + * Custom IoHandle for downstream reverse connections that owns a ConnectionSocket. + * This class is used internally by ReverseConnectionIOHandle to manage the lifecycle + * of accepted downstream connections. + */ +class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructor that takes ownership of the socket and stores parent pointer and connection key. + */ + DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + ReverseConnectionIOHandle* parent, + const std::string& connection_key); + + ~DownstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + Api::IoCallUint64Result close() override; + Api::SysCallIntResult shutdown(int how) override; + + /** + * Tell this IO handle to ignore close() and shutdown() calls. + * This is called by the HTTP filter during socket hand-off to prevent + * the handed-off socket from being affected by connection cleanup. + */ + void ignoreCloseAndShutdown() { ignore_close_and_shutdown_ = true; } + + /** + * Get the owned socket for read-only access. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The socket that this IOHandle owns and manages lifetime for. + Network::ConnectionSocketPtr owned_socket_; + // Pointer to parent ReverseConnectionIOHandle for connection lifecycle management. + ReverseConnectionIOHandle* parent_; + // Connection key for tracking this specific connection. + std::string connection_key_; + // Flag to ignore close and shutdown calls during socket hand-off. + bool ignore_close_and_shutdown_{false}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h new file mode 100644 index 0000000000000..c2b3873ad510b --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h @@ -0,0 +1,139 @@ +#pragma once + +#include +#include + +#include "envoy/buffer/buffer.h" +#include "envoy/event/deferred_deletable.h" +#include "envoy/network/connection.h" +#include "envoy/network/filter.h" +#include "envoy/upstream/upstream.h" + +#include "source/common/common/logger.h" +#include "source/common/network/filter_impl.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declaration. +class ReverseConnectionIOHandle; + +/** + * Simple read filter for handling reverse connection handshake responses. + * This filter processes the HTTP response from the upstream server during handshake. + */ +class SimpleConnReadFilter : public Network::ReadFilterBaseImpl, + public Logger::Loggable { +public: + /** + * Constructor that stores pointer to parent wrapper. + */ + explicit SimpleConnReadFilter(void* parent) : parent_(parent) {} + + // Network::ReadFilter overrides + Network::FilterStatus onData(Buffer::Instance& buffer, bool end_stream) override; + +private: + void* parent_; // Pointer to RCConnectionWrapper to avoid circular dependency. +}; + +/** + * Wrapper for reverse connections that manages the connection lifecycle and handshake. + * It handles the handshake process (both gRPC and HTTP fallback) and manages connection + * callbacks and cleanup. + */ +class RCConnectionWrapper : public Network::ConnectionCallbacks, + public Event::DeferredDeletable, + public Logger::Loggable { + friend class SimpleConnReadFilterTest; + +public: + /** + * Constructor for RCConnectionWrapper. + * @param parent reference to the parent ReverseConnectionIOHandle + * @param connection the client connection to wrap + * @param host the upstream host description + * @param cluster_name the name of the cluster + */ + RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name); + + /** + * Destructor for RCConnectionWrapper. + * Performs defensive cleanup to prevent crashes during shutdown. + */ + ~RCConnectionWrapper() override; + + // Network::ConnectionCallbacks overrides + void onEvent(Network::ConnectionEvent event) override; + void onAboveWriteBufferHighWatermark() override {} + void onBelowWriteBufferLowWatermark() override {} + + /** + * Initiate the reverse connection handshake (HTTP only). + * @param src_tenant_id the tenant identifier + * @param src_cluster_id the cluster identifier + * @param src_node_id the node identifier + * @return the local address as string + */ + std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, + const std::string& src_node_id); + + /** + * Release ownership of the connection. + * @return the connection pointer (ownership transferred to caller) + */ + Network::ClientConnectionPtr releaseConnection() { return std::move(connection_); } + + /** + * Process HTTP response from upstream. + * @param buffer the response data + * @param end_stream whether this is the end of the stream + */ + void processHttpResponse(Buffer::Instance& buffer, bool end_stream); + + /** + * Handle successful handshake completion. + */ + void onHandshakeSuccess(); + + /** + * Handle handshake failure. + * @param message error message + */ + void onHandshakeFailure(const std::string& message); + + /** + * Perform graceful shutdown of the connection. + */ + void shutdown(); + + /** + * Get the underlying connection. + * @return pointer to the client connection + */ + Network::ClientConnection* getConnection() { return connection_.get(); } + + /** + * Get the host description. + * @return shared pointer to the host description + */ + Upstream::HostDescriptionConstSharedPtr getHost() { return host_; } + +private: + ReverseConnectionIOHandle& parent_; + Network::ClientConnectionPtr connection_; + Upstream::HostDescriptionConstSharedPtr host_; + std::string cluster_name_; + std::string connection_key_; + bool http_handshake_sent_{false}; + bool handshake_completed_{false}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc index 473da5c5d9cbb..0d6e1a4aadc03 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -44,13 +44,23 @@ DownstreamReverseConnectionIOHandle::~DownstreamReverseConnectionIOHandle() { fd_, connection_key_); } -// DownstreamReverseConnectionIOHandle close() implementation +// DownstreamReverseConnectionIOHandle close() implementation. Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { ENVOY_LOG( debug, "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", fd_, connection_key_); + // If we're ignoring close calls during socket hand-off, just return success. + if (ignore_close_and_shutdown_) { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: ignoring close() call during socket hand-off for " + "connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); + } + // Prevent double-closing by checking if already closed if (fd_ < 0) { ENVOY_LOG(debug, @@ -76,6 +86,26 @@ Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { return IoSocketHandleImpl::close(); } +// DownstreamReverseConnectionIOHandle shutdown() implementation. +Api::SysCallIntResult DownstreamReverseConnectionIOHandle::shutdown(int how) { + ENVOY_LOG(trace, + "DownstreamReverseConnectionIOHandle: shutdown({}) called for FD: {} with connection " + "key: {}", + how, fd_, connection_key_); + + // If we're ignoring shutdown calls during socket hand-off, just return success. + if (ignore_close_and_shutdown_) { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: ignoring shutdown() call during socket hand-off " + "for connection key: {}", + connection_key_); + return Api::SysCallIntResult{0, 0}; + } + + return IoSocketHandleImpl::shutdown(how); +} + // RCConnectionWrapper constructor implementation RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, @@ -89,7 +119,7 @@ RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, // RCConnectionWrapper destructor implementation RCConnectionWrapper::~RCConnectionWrapper() { ENVOY_LOG(debug, "RCConnectionWrapper destructor called"); - shutdown(); + this->shutdown(); } void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { @@ -114,15 +144,15 @@ void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { } // SimpleConnReadFilter::onData implementation -Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer::Instance& buffer, - bool) { +Network::FilterStatus SimpleConnReadFilter::onData(Buffer::Instance& buffer, bool) { if (parent_ == nullptr) { - ENVOY_LOG(error, "SimpleConnReadFilter: RCConnectionWrapper is null. Aborting read."); return Network::FilterStatus::StopIteration; } + // Cast parent_ back to RCConnectionWrapper + RCConnectionWrapper* wrapper = static_cast(parent_); + const std::string data = buffer.toString(); - ENVOY_LOG(debug, "SimpleConnReadFilter: Received data: {}", data); // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) if (data.find("HTTP/1.1 200 OK") != std::string::npos || @@ -145,17 +175,17 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: if (ret.status() == envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::ACCEPTED) { ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); - parent_->onHandshakeSuccess(); + wrapper->onHandshakeSuccess(); return Network::FilterStatus::StopIteration; } else { ENVOY_LOG(error, "SimpleConnReadFilter: Reverse connection rejected: {}", ret.status_message()); - parent_->onHandshakeFailure(ret.status_message()); + wrapper->onHandshakeFailure(ret.status_message()); return Network::FilterStatus::StopIteration; } } else { ENVOY_LOG(error, "Could not parse protobuf response - invalid response format"); - parent_->onHandshakeFailure( + wrapper->onHandshakeFailure( "Invalid response format - expected ReverseConnHandshakeRet protobuf"); return Network::FilterStatus::StopIteration; } @@ -171,7 +201,7 @@ Network::FilterStatus RCConnectionWrapper::SimpleConnReadFilter::onData(Buffer:: data.find("HTTP/2 ") != std::string::npos) { // Found HTTP response but not 200 OK - this is an error ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); - parent_->onHandshakeFailure("HTTP handshake failed with non-200 response"); + wrapper->onHandshakeFailure("HTTP handshake failed with non-200 response"); return Network::FilterStatus::StopIteration; } else { ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); @@ -543,8 +573,16 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a std::move(duplicated_socket), this, connection_key); ENVOY_LOG(debug, "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket."); - connection->setSocketReused(true); - // Close the original connection + + // Reset file events on the original socket to prevent any pending operations. The socket + // fd has been duplicated, so we have an independent fd. Closing the original connection + // will only close its fd, not affect our duplicated fd. + // + // Note: For raw TCP connections, no shutdown() is called during close, only close() on + // the fd, which doesn't affect the duplicated fd. + original_socket->ioHandle().resetFileEvents(); + + // Close the original connection. connection->close(Network::ConnectionCloseType::NoFlush); ENVOY_LOG(debug, "ReverseConnectionIOHandle: returning io_handle."); diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h index b19949505cac2..b148ef14fb95d 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h @@ -15,6 +15,9 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/upstream/load_balancer_context_base.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h" #include "absl/container/flat_hash_map.h" #include "absl/container/flat_hash_set.h" @@ -89,103 +92,6 @@ struct ReverseConnectionSocketConfig { ReverseConnectionSocketConfig() : enable_circuit_breaker(true) {} }; -/** - * RCConnectionWrapper manages the lifecycle of a ClientConnectionPtr for reverse connections. - * It handles the handshake process (both gRPC and HTTP fallback) and manages connection - * callbacks and cleanup. - */ -class RCConnectionWrapper : public Network::ConnectionCallbacks, - public Event::DeferredDeletable, - public Logger::Loggable { - friend class SimpleConnReadFilterTest; - -public: - /** - * Constructor for RCConnectionWrapper. - * @param parent reference to the parent ReverseConnectionIOHandle - * @param connection the client connection to wrap - * @param host the upstream host description - * @param cluster_name the name of the cluster - */ - RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, - Upstream::HostDescriptionConstSharedPtr host, - const std::string& cluster_name); - - /** - * Destructor for RCConnectionWrapper. - * Performs defensive cleanup to prevent crashes during shutdown. - */ - ~RCConnectionWrapper() override; - - // Network::ConnectionCallbacks overrides - void onEvent(Network::ConnectionEvent event) override; - void onAboveWriteBufferHighWatermark() override {} - void onBelowWriteBufferLowWatermark() override {} - - /** - * Initiate the reverse connection handshake (HTTP only). - * @param src_tenant_id the tenant identifier - * @param src_cluster_id the cluster identifier - * @param src_node_id the node identifier - * @return the local address as string - */ - std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, - const std::string& src_node_id); - - /** - * Handle successful handshake completion. - */ - void onHandshakeSuccess(); - - /** - * Handle handshake failure. - * @param message error message - */ - void onHandshakeFailure(const std::string& message); - - /** - * Perform graceful shutdown of the connection. - */ - void shutdown(); - - /** - * Get the underlying connection. - * @return pointer to the client connection - */ - Network::ClientConnection* getConnection() { return connection_.get(); } - - /** - * Get the host description. - * @return shared pointer to the host description - */ - Upstream::HostDescriptionConstSharedPtr getHost() { return host_; } - - /** - * Release the connection when handshake succeeds. - * @return the released connection - */ - Network::ClientConnectionPtr releaseConnection() { return std::move(connection_); } - -private: - /** - * Simplified read filter for reading HTTP replies sent by upstream envoy - * during reverse connection handshake. - */ - struct SimpleConnReadFilter : public Network::ReadFilterBaseImpl { - SimpleConnReadFilter(RCConnectionWrapper* parent) : parent_(parent) {} - - Network::FilterStatus onData(Buffer::Instance& buffer, bool) override; - - RCConnectionWrapper* parent_; - }; - - ReverseConnectionIOHandle& parent_; - // The connection to the upstream envoy instance. - Network::ClientConnectionPtr connection_; - Upstream::HostDescriptionConstSharedPtr host_; - const std::string cluster_name_; -}; - /** * This class handles the lifecycle of reverse connections, including establishment, * maintenance, and cleanup of connections to remote clusters. @@ -512,64 +418,6 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, os_fd_t original_socket_fd_{-1}; }; -/** - * Custom load balancer context for reverse connections. This class enables the - * ReverseConnectionIOHandle to propagate upstream host details to the cluster_manager, ensuring - * that connections are initiated to specified hosts rather than random ones. It inherits - * from the LoadBalancerContextBase class and overrides the `overrideHostToSelect` method. - */ -class ReverseConnectionLoadBalancerContext : public Upstream::LoadBalancerContextBase { -public: - explicit ReverseConnectionLoadBalancerContext(const std::string& host_to_select) - : host_string_(host_to_select), host_to_select_(host_string_, false) {} - - /** - * @return optional OverrideHost specifying the host to initiate reverse connection to. - */ - absl::optional overrideHostToSelect() const override { - return absl::make_optional(host_to_select_); - } - -private: - // Own the string data. This is to prevent use after free when the host_to_select - // is destroyed. - std::string host_string_; - OverrideHost host_to_select_; -}; - -/** - * Custom IoHandle for downstream reverse connections that owns a ConnectionSocket. - * This class is used internally by ReverseConnectionIOHandle to manage the lifecycle - * of accepted downstream connections. - */ -class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { -public: - /** - * Constructor that takes ownership of the socket and stores parent pointer and connection key. - */ - DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, - ReverseConnectionIOHandle* parent, - const std::string& connection_key); - - ~DownstreamReverseConnectionIOHandle() override; - - // Network::IoHandle overrides - Api::IoCallUint64Result close() override; - - /** - * Get the owned socket for read-only access. - */ - const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } - -private: - // The socket that this IOHandle owns and manages lifetime for - Network::ConnectionSocketPtr owned_socket_; - // Pointer to parent ReverseConnectionIOHandle for connection lifecycle management - ReverseConnectionIOHandle* parent_; - // Connection key for tracking this specific connection - std::string connection_key_; -}; - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h new file mode 100644 index 0000000000000..13dde91c11cc0 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h @@ -0,0 +1,44 @@ +#pragma once + +#include + +#include "envoy/upstream/load_balancer.h" + +#include "source/common/upstream/load_balancer_context_base.h" + +#include "absl/types/optional.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Load balancer context for reverse connections. + * This context is used to select specific upstream hosts by address. + */ +class ReverseConnectionLoadBalancerContext : public Upstream::LoadBalancerContextBase { +public: + /** + * Constructor that sets the host to select. + * @param host_address the address of the host to select + */ + explicit ReverseConnectionLoadBalancerContext(const std::string& host_address) + : host_string_(host_address), host_to_select_(host_string_, false) {} + + // Upstream::LoadBalancerContext overrides + absl::optional overrideHostToSelect() const override { + return absl::make_optional(host_to_select_); + } + +private: + // Own the string data. This is to prevent use after free when the host_to_select + // is destroyed. + std::string host_string_; + OverrideHost host_to_select_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index bcb77ffa6980c..f633cf08fd8f4 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -11,6 +11,7 @@ envoy_extension_package() envoy_cc_extension( name = "reverse_tunnel_acceptor_includes", hdrs = [ + "reverse_connection_io_handle.h", "reverse_tunnel_acceptor.h", "reverse_tunnel_acceptor_extension.h", ], @@ -33,6 +34,7 @@ envoy_cc_extension( envoy_cc_extension( name = "reverse_tunnel_acceptor_lib", srcs = [ + "reverse_connection_io_handle.cc", "reverse_tunnel_acceptor.cc", "reverse_tunnel_acceptor_extension.cc", ], diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc new file mode 100644 index 0000000000000..6669f327c832a --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc @@ -0,0 +1,55 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" + +#include "source/common/common/logger.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, const std::string& cluster_name) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), + owned_socket_(std::move(socket)) { + ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); +} + +UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { + ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, + fd_); +} + +Api::SysCallIntResult +UpstreamReverseConnectionIOHandle::connect(Network::Address::InstanceConstSharedPtr address) { + ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", + address->asString()); + return Api::SysCallIntResult{0, 0}; +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { + ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); + + if (owned_socket_) { + ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); + owned_socket_.reset(); + SET_SOCKET_INVALID(fd_); + return Api::ioCallUint64ResultNoError(); + } + return IoSocketHandleImpl::close(); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::shutdown(int how) { + ENVOY_LOG(trace, "reverse_tunnel: shutdown({}) called for fd: {}", how, fd_); + // If we still own the socket, ignore shutdown to avoid affecting a socket that will be + // handed over to the upstream connection. + if (owned_socket_) { + ENVOY_LOG(debug, "reverse_tunnel: ignoring shutdown() call for owned socket fd: {}", fd_); + return Api::SysCallIntResult{0, 0}; + } + return IoSocketHandleImpl::shutdown(how); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h new file mode 100644 index 0000000000000..03c928fab3936 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h @@ -0,0 +1,78 @@ +#pragma once + +#include + +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" + +#include "source/common/network/io_socket_handle_impl.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. + * This class implements RAII principles to ensure proper socket cleanup and provides + * reverse connection semantics where the connection is already established. + */ +class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. + * + * @param socket the reverse connection socket to own and manage. + * @param cluster_name the name of the cluster this connection belongs to. + */ + UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + const std::string& cluster_name); + + ~UpstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + /** + * Override of connect method for reverse connections. + * For reverse connections, the connection is already established so this method + * is a no-op and always returns success. + * + * @param address the target address (unused for reverse connections). + * @return SysCallIntResult with success status (0, 0). + */ + Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; + + /** + * Override of close method for reverse connections. + * Cleans up the owned socket and calls the parent close method. + * + * @return IoCallUint64Result indicating the result of the close operation. + */ + Api::IoCallUint64Result close() override; + + /** + * Override of shutdown for reverse connections. + * When the IO handle owns the socket, ignore shutdown to avoid affecting the handed-off socket. + * + * @param how the type of shutdown (`SHUT_RD`, `SHUT_WR`, `SHUT_RDWR`). + * @return SysCallIntResult with success status if ignored, or result of base call. + */ + Api::SysCallIntResult shutdown(int how) override; + + /** + * Get the owned socket for read-only operations. + * + * @return const reference to the owned socket. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The name of the cluster this reverse connection belongs to. + std::string cluster_name_; + // The socket that this IOHandle owns and manages lifetime for. + Network::ConnectionSocketPtr owned_socket_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc index 9ca3201c5357e..8a571ed48ca74 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -6,6 +6,7 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" @@ -14,46 +15,6 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// UpstreamReverseConnectionIOHandle implementation -UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( - Network::ConnectionSocketPtr socket, const std::string& cluster_name) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), - owned_socket_(std::move(socket)) { - - ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); -} - -UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { - ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, - fd_); - // The owned_socket_ will be automatically destroyed via RAII. -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( - Envoy::Network::Address::InstanceConstSharedPtr address) { - ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", - address->asString()); - - // For reverse connections, the connection is already established. - return Api::SysCallIntResult{0, 0}; -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { - ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); - - // Prefer letting the owned ConnectionSocket perform the actual close to avoid - // double-close. - if (owned_socket_) { - ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); - owned_socket_.reset(); - // Invalidate our fd so base destructor won't close again. - SET_SOCKET_INVALID(fd_); - return Api::ioCallUint64ResultNoError(); - } - // If we no longer own the socket, fall back to base close. - return IoSocketHandleImpl::close(); -} - // ReverseTunnelAcceptor implementation ReverseTunnelAcceptor::ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) : extension_(nullptr), context_(&context) { diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h index 43484ea906161..b5437525439c2 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h @@ -18,6 +18,7 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" namespace Envoy { namespace Extensions { @@ -28,57 +29,6 @@ namespace ReverseConnection { class ReverseTunnelAcceptorExtension; class UpstreamSocketManager; -/** - * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. - * This class implements RAII principles to ensure proper socket cleanup and provides - * reverse connection semantics where the connection is already established. - */ -class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { -public: - /** - * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. - * - * @param socket the reverse connection socket to own and manage. - * @param cluster_name the name of the cluster this connection belongs to. - */ - UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, - const std::string& cluster_name); - - ~UpstreamReverseConnectionIOHandle() override; - - // Network::IoHandle overrides - /** - * Override of connect method for reverse connections. - * For reverse connections, the connection is already established so this method - * is a no-op and always returns success. - * - * @param address the target address (unused for reverse connections). - * @return SysCallIntResult with success status (0, 0). - */ - Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; - - /** - * Override of close method for reverse connections. - * Cleans up the owned socket and calls the parent close method. - * - * @return IoCallUint64Result indicating the result of the close operation. - */ - Api::IoCallUint64Result close() override; - - /** - * Get the owned socket for read-only operations. - * - * @return const reference to the owned socket. - */ - const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } - -private: - // The name of the cluster this reverse connection belongs to. - std::string cluster_name_; - // The socket that this IOHandle owns and manages lifetime for. - Network::ConnectionSocketPtr owned_socket_; -}; - /** * Socket interface that creates upstream reverse connection sockets. * Manages cached reverse TCP connections and provides them when requested. diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index 71ae06dbaa93f..66393355bdaf0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -400,7 +400,7 @@ void UpstreamSocketManager::pingConnections() { } UpstreamSocketManager::~UpstreamSocketManager() { - ENVOY_LOG(debug, "UpstreamSocketManager destructor called"); + ENVOY_LOG(debug, "UpstreamSocketManager: destructor called"); // Clean up all active file events and timers first for (auto& [fd, event] : fd_to_event_map_) { diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc index c150005737228..28aa54a19e1b6 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -3093,9 +3093,8 @@ class SimpleConnReadFilterTest : public testing::Test { } // Helper to create SimpleConnReadFilter. - std::unique_ptr - createFilter(RCConnectionWrapper* parent) { - return std::make_unique(parent); + std::unique_ptr createFilter(void* parent) { + return std::make_unique(parent); } NiceMock cluster_manager_; @@ -3316,7 +3315,6 @@ TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSuccessfulWithAddress) { })); // Set up socket expectations. - EXPECT_CALL(*mock_connection, setSocketReused(true)); EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); // Add connection to the established queue. @@ -3364,7 +3362,6 @@ TEST_F(ReverseConnectionIOHandleTest, AcceptMethodAddressHandlingEdgeCases) { return *mock_provider; })); - EXPECT_CALL(*mock_connection, setSocketReused(true)); EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); addConnectionToEstablishedQueue(std::move(mock_connection)); @@ -3394,7 +3391,6 @@ TEST_F(ReverseConnectionIOHandleTest, AcceptMethodAddressHandlingEdgeCases) { return *mock_provider; })); - EXPECT_CALL(*mock_connection, setSocketReused(true)); EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); addConnectionToEstablishedQueue(std::move(mock_connection)); @@ -3426,7 +3422,6 @@ TEST_F(ReverseConnectionIOHandleTest, AcceptMethodAddressHandlingEdgeCases) { return *mock_provider; })); - EXPECT_CALL(*mock_connection, setSocketReused(true)); EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); addConnectionToEstablishedQueue(std::move(mock_connection)); @@ -3471,7 +3466,6 @@ TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSuccessfulScenarios) { return *mock_provider; })); - EXPECT_CALL(*mock_connection, setSocketReused(true)); EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); addConnectionToEstablishedQueue(std::move(mock_connection)); @@ -3705,6 +3699,37 @@ TEST_F(DownstreamReverseConnectionIOHandleTest, GetSocket) { EXPECT_EQ(handle->fdDoNotUse(), 42); } +// Test ignoreCloseAndShutdown() functionality. +TEST_F(DownstreamReverseConnectionIOHandleTest, IgnoreCloseAndShutdown) { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Initially, close and shutdown should work normally + // Test shutdown before ignoring - we don't check the result since it depends on base + // implementation + handle->shutdown(SHUT_RDWR); + + // Now enable ignore mode + handle->ignoreCloseAndShutdown(); + + // Test that close() is ignored when flag is set + auto close_result = handle->close(); + EXPECT_EQ(close_result.err_, nullptr); // Should return success but do nothing + + // Test that shutdown() is ignored when flag is set + auto shutdown_result2 = handle->shutdown(SHUT_RDWR); + EXPECT_EQ(shutdown_result2.return_value_, 0); + EXPECT_EQ(shutdown_result2.errno_, 0); + + // Test different shutdown modes are all ignored + auto shutdown_rd = handle->shutdown(SHUT_RD); + EXPECT_EQ(shutdown_rd.return_value_, 0); + EXPECT_EQ(shutdown_rd.errno_, 0); + + auto shutdown_wr = handle->shutdown(SHUT_WR); + EXPECT_EQ(shutdown_wr.return_value_, 0); + EXPECT_EQ(shutdown_wr.errno_, 0); +} + } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index 607f4e8222b0f..25105c3b83c2d 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -58,9 +58,9 @@ envoy_cc_test( ) envoy_cc_test( - name = "upstream_reverse_connection_io_handle_test", + name = "reverse_connection_io_handle_test", size = "medium", - srcs = ["upstream_reverse_connection_io_handle_test.cc"], + srcs = ["reverse_connection_io_handle_test.cc"], deps = [ "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "//test/mocks/network:network_mocks", diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle_test.cc similarity index 92% rename from test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc rename to test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle_test.cc index ea1f5231176d8..fc0aed483f087 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle_test.cc @@ -1,5 +1,7 @@ +#include + #include "source/common/network/utility.h" -#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" #include "test/mocks/network/mocks.h" @@ -58,6 +60,12 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { EXPECT_NE(&socket, nullptr); } +TEST_F(TestUpstreamReverseConnectionIOHandle, ShutdownIgnoredWhenOwned) { + auto result = io_handle_->shutdown(SHUT_RDWR); + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + class UpstreamReverseConnectionIOHandleTest : public testing::Test { protected: void SetUp() override { From a9c654ec393700900b3348d0176d6d53bf6afcf7 Mon Sep 17 00:00:00 2001 From: cai <142059836+cqi1217@users.noreply.github.com> Date: Tue, 2 Sep 2025 15:05:55 -0700 Subject: [PATCH 341/505] lb: add a new field to use host weight in zone aware lb (#39803) Additional Description: Currently, zone-aware load balancing calculates the percentage based on the number of local and upstream hosts. However, in some scenarios, we also want to account for the weight assigned to each host. To support this, I am introducing a new field in ZoneAwareLbConfig. When this field is enabled, the percentage calculation will consider each host's weight in addition to the host count. Testing: 1. unit test 2. I also test the functionality on my private hosts. --------- Signed-off-by: cqi1217 --- .../common/v3/common.proto | 17 +++- .../common/load_balancer_impl.cc | 66 +++++++++++++--- .../common/load_balancer_impl.h | 1 + .../round_robin/round_robin_lb_test.cc | 77 +++++++++++++++++++ 4 files changed, 150 insertions(+), 11 deletions(-) diff --git a/api/envoy/extensions/load_balancing_policies/common/v3/common.proto b/api/envoy/extensions/load_balancing_policies/common/v3/common.proto index 3efea24772cb9..22faf11b9c5b8 100644 --- a/api/envoy/extensions/load_balancing_policies/common/v3/common.proto +++ b/api/envoy/extensions/load_balancing_policies/common/v3/common.proto @@ -24,8 +24,17 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; message LocalityLbConfig { // Configuration for :ref:`zone aware routing // `. - // [#next-free-field: 6] + // [#next-free-field: 7] message ZoneAwareLbConfig { + // Basis for computing per-locality percentages in zone-aware routing. + enum LocalityBasis { + // Use the number of healthy hosts in each locality. + HEALTHY_HOSTS_NUM = 0; + + // Use the weights of healthy hosts in each locality. + HEALTHY_HOSTS_WEIGHT = 1; + } + // Configures Envoy to always route requests to the local zone regardless of the // upstream zone structure. In Envoy's default configuration, traffic is distributed proportionally // across all upstream hosts while trying to maximize local routing when possible. The approach @@ -67,6 +76,12 @@ message LocalityLbConfig { [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; ForceLocalZone force_local_zone = 5; + + // Determines how locality percentages are computed: + // - HEALTHY_HOSTS_NUM: proportional to the count of healthy hosts. + // - HEALTHY_HOSTS_WEIGHT: proportional to the weights of healthy hosts. + // Default value is HEALTHY_HOSTS_NUM if unset. + LocalityBasis locality_basis = 6; } // Configuration for :ref:`locality weighted load balancing diff --git a/source/extensions/load_balancing_policies/common/load_balancer_impl.cc b/source/extensions/load_balancing_policies/common/load_balancer_impl.cc index c7463e08cab18..0c736f110c04d 100644 --- a/source/extensions/load_balancing_policies/common/load_balancer_impl.cc +++ b/source/extensions/load_balancing_policies/common/load_balancer_impl.cc @@ -417,6 +417,9 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( ? PROTOBUF_PERCENT_TO_ROUNDED_INTEGER_OR_DEFAULT( locality_config->zone_aware_lb_config(), routing_enabled, 100, 100) : 100), + locality_basis_(locality_config.has_value() + ? locality_config->zone_aware_lb_config().locality_basis() + : LocalityLbConfig::ZoneAwareLbConfig::HEALTHY_HOSTS_NUM), fail_traffic_on_panic_(locality_config.has_value() ? locality_config->zone_aware_lb_config().fail_traffic_on_panic() : false), @@ -637,18 +640,57 @@ absl::FixedArray ZoneAwareLoadBalancerBase::calculateLocalityPercentages( const HostsPerLocality& local_hosts_per_locality, const HostsPerLocality& upstream_hosts_per_locality) { - uint64_t total_local_hosts = 0; - std::map local_counts; + absl::flat_hash_map + local_weights; + absl::flat_hash_map + upstream_weights; + uint64_t total_local_weight = 0; for (const auto& locality_hosts : local_hosts_per_locality.get()) { - total_local_hosts += locality_hosts.size(); + uint64_t locality_weight = 0; + switch (locality_basis_) { + // If locality_basis_ is set to HEALTHY_HOSTS_WEIGHT, it uses the host's weight to calculate the + // locality percentage. + case LocalityLbConfig::ZoneAwareLbConfig::HEALTHY_HOSTS_WEIGHT: + for (const auto& host : locality_hosts) { + locality_weight += host->weight(); + } + break; + // By default it uses the number of healthy hosts in the locality. + case LocalityLbConfig::ZoneAwareLbConfig::HEALTHY_HOSTS_NUM: + locality_weight = locality_hosts.size(); + break; + default: + PANIC_DUE_TO_CORRUPT_ENUM; + } + total_local_weight += locality_weight; // If there is no entry in the map for a given locality, it is assumed to have 0 hosts. if (!locality_hosts.empty()) { - local_counts.insert(std::make_pair(locality_hosts[0]->locality(), locality_hosts.size())); + local_weights.emplace(locality_hosts[0]->locality(), locality_weight); } } - uint64_t total_upstream_hosts = 0; + uint64_t total_upstream_weight = 0; for (const auto& locality_hosts : upstream_hosts_per_locality.get()) { - total_upstream_hosts += locality_hosts.size(); + uint64_t locality_weight = 0; + switch (locality_basis_) { + // If locality_basis_ is set to HEALTHY_HOSTS_WEIGHT, it uses the host's weight to calculate the + // locality percentage. + case LocalityLbConfig::ZoneAwareLbConfig::HEALTHY_HOSTS_WEIGHT: + for (const auto& host : locality_hosts) { + locality_weight += host->weight(); + } + break; + // By default it uses the number of healthy hosts in the locality. + case LocalityLbConfig::ZoneAwareLbConfig::HEALTHY_HOSTS_NUM: + locality_weight = locality_hosts.size(); + break; + default: + PANIC_DUE_TO_CORRUPT_ENUM; + } + total_upstream_weight += locality_weight; + // If there is no entry in the map for a given locality, it is assumed to have 0 hosts. + if (!locality_hosts.empty()) { + upstream_weights.emplace(locality_hosts[0]->locality(), locality_weight); + } } absl::FixedArray percentages(upstream_hosts_per_locality.get().size()); @@ -664,13 +706,17 @@ ZoneAwareLoadBalancerBase::calculateLocalityPercentages( } const auto& locality = upstream_hosts[0]->locality(); - const auto& local_count_it = local_counts.find(locality); - const uint64_t local_count = local_count_it == local_counts.end() ? 0 : local_count_it->second; + const auto local_weight_it = local_weights.find(locality); + const uint64_t local_weight = + local_weight_it == local_weights.end() ? 0 : local_weight_it->second; + const auto upstream_weight_it = upstream_weights.find(locality); + const uint64_t upstream_weight = + upstream_weight_it == upstream_weights.end() ? 0 : upstream_weight_it->second; const uint64_t local_percentage = - total_local_hosts > 0 ? 10000ULL * local_count / total_local_hosts : 0; + total_local_weight > 0 ? 10000ULL * local_weight / total_local_weight : 0; const uint64_t upstream_percentage = - total_upstream_hosts > 0 ? 10000ULL * upstream_hosts.size() / total_upstream_hosts : 0; + total_upstream_weight > 0 ? 10000ULL * upstream_weight / total_upstream_weight : 0; percentages[i] = LocalityPercentages{local_percentage, upstream_percentage}; } diff --git a/source/extensions/load_balancing_policies/common/load_balancer_impl.h b/source/extensions/load_balancing_policies/common/load_balancer_impl.h index 1f2fd332481d1..308f9aafbaa8b 100644 --- a/source/extensions/load_balancing_policies/common/load_balancer_impl.h +++ b/source/extensions/load_balancing_policies/common/load_balancer_impl.h @@ -459,6 +459,7 @@ class ZoneAwareLoadBalancerBase : public LoadBalancerBase { const absl::optional force_local_zone_min_size_; // Keep small members (bools and enums) at the end of class, to reduce alignment overhead. const uint32_t routing_enabled_; + const LocalityLbConfig::ZoneAwareLbConfig::LocalityBasis locality_basis_; const bool fail_traffic_on_panic_ : 1; // If locality weight aware routing is enabled. diff --git a/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc b/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc index 6ad3b1d3a9b0e..985d69aed0669 100644 --- a/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc +++ b/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc @@ -966,6 +966,83 @@ TEST_P(RoundRobinLoadBalancerTest, ZoneAwareDifferentZoneSize) { EXPECT_EQ(2U, stats_.lb_zone_routing_cross_zone_.value()); } +TEST_P(RoundRobinLoadBalancerTest, ZoneAwareUseHostWeight) { + if (&hostSet() == &failover_host_set_) { // P = 1 does not support zone-aware routing. + return; + } + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + + // Setup is: + // L = local envoy + // U = upstream host + // + // Zone A: 2L with 100 weight each, 1U with 100 weight + // Zone B: 1L with 200 weight, 1U with 100 weight + + HostVectorSharedPtr upstream_hosts( + new HostVector({makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b)})); + HostVectorSharedPtr local_hosts( + new HostVector({makeTestHost(info_, "tcp://127.0.0.1:0", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:1", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:2", zone_b)})); + HostsPerLocalitySharedPtr upstream_hosts_per_locality = + makeHostsPerLocality({{// zone A + makeTestHost(info_, "tcp://127.0.0.1:80", zone_a)}, + {// zone B + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b)}}); + HostsPerLocalitySharedPtr local_hosts_per_locality = + makeHostsPerLocality({{// zone A + makeTestHost(info_, "tcp://127.0.0.1:0", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:1", zone_a)}, + {// zone B + makeTestHost(info_, "tcp://127.0.0.1:2", zone_b)}}); + + local_hosts_per_locality->get()[0][0]->weight(100); + local_hosts_per_locality->get()[0][1]->weight(100); + local_hosts_per_locality->get()[1][0]->weight(200); + upstream_hosts_per_locality->get()[0][0]->weight(100); + upstream_hosts_per_locality->get()[1][0]->weight(100); + + hostSet().healthy_hosts_ = *upstream_hosts; + hostSet().hosts_ = *upstream_hosts; + hostSet().healthy_hosts_per_locality_ = upstream_hosts_per_locality; + common_config_.mutable_healthy_panic_threshold()->set_value(100); + round_robin_lb_config_.mutable_locality_lb_config() + ->mutable_zone_aware_lb_config() + ->mutable_routing_enabled() + ->set_value(100); + round_robin_lb_config_.mutable_locality_lb_config() + ->mutable_zone_aware_lb_config() + ->mutable_min_cluster_size() + ->set_value(2); + round_robin_lb_config_.mutable_locality_lb_config() + ->mutable_zone_aware_lb_config() + ->set_locality_basis(envoy::extensions::load_balancing_policies::common::v3:: + LocalityLbConfig::ZoneAwareLbConfig::HEALTHY_HOSTS_WEIGHT); + init(true); + updateHosts(local_hosts, local_hosts_per_locality); + + EXPECT_CALL(runtime_.snapshot_, getInteger("upstream.healthy_panic_threshold", 100)) + .WillRepeatedly(Return(50)); + EXPECT_CALL(runtime_.snapshot_, featureEnabled("upstream.zone_routing.enabled", 100)) + .WillRepeatedly(Return(true)); + EXPECT_CALL(runtime_.snapshot_, getInteger("upstream.zone_routing.force_local_zone.min_size", 0)) + .WillRepeatedly(Return(0)); + EXPECT_CALL(runtime_.snapshot_, getInteger("upstream.zone_routing.min_cluster_size", 2)) + .WillRepeatedly(Return(2)); + + // Although there are two local hosts in zone A, the zone A and zone B has the same total weight + // in total. So all traffic should go directly to the same zone. + EXPECT_EQ(hostSet().healthy_hosts_per_locality_->get()[0][0], lb_->chooseHost(nullptr).host); + EXPECT_EQ(1U, stats_.lb_zone_routing_all_directly_.value()); + EXPECT_EQ(hostSet().healthy_hosts_per_locality_->get()[0][0], lb_->chooseHost(nullptr).host); + EXPECT_EQ(2U, stats_.lb_zone_routing_all_directly_.value()); +} + TEST_P(RoundRobinLoadBalancerTest, ZoneAwareRoutingLargeZoneSwitchOnOff) { if (&hostSet() == &failover_host_set_) { // P = 1 does not support zone-aware routing. return; From 77e7493cb132c316aacd7728ff003024b133b7a8 Mon Sep 17 00:00:00 2001 From: "Antonio V. Leonti" <53806445+antoniovleonti@users.noreply.github.com> Date: Tue, 2 Sep 2025 19:05:51 -0400 Subject: [PATCH 342/505] ext_authz: validate OkResponse header append actions (#40650) Commit Message: Validate ext_authz OkResponse header append actions Additional Description: This PR adds validation (and removes sentinel value check) to the ext authz grpc client. If an invalid header append action is found and validate_mutations is true, the response and thus downstream request will be rejected. If validation_mutations is false, invalid actions are ignored. Risk Level: low Testing: unit / integration tests added --------- Signed-off-by: antoniovleonti --- .../filters/common/ext_authz/ext_authz.h | 2 + .../common/ext_authz/ext_authz_grpc_impl.cc | 4 +- .../common/ext_authz/ext_authz_http_impl.cc | 3 + .../filters/http/ext_authz/ext_authz.cc | 11 ++++ .../ext_authz/ext_authz_grpc_impl_test.cc | 5 ++ .../filters/common/ext_authz/test_common.h | 4 ++ test/extensions/filters/http/ext_authz/BUILD | 1 + .../ext_authz/ext_authz_integration_test.cc | 61 ++++++++++++++++++- .../filters/http/ext_authz/ext_authz_test.cc | 7 +++ 9 files changed, 96 insertions(+), 2 deletions(-) diff --git a/source/extensions/filters/common/ext_authz/ext_authz.h b/source/extensions/filters/common/ext_authz/ext_authz.h index 4a09ad5dd3a9e..80831badf9fe7 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz.h +++ b/source/extensions/filters/common/ext_authz/ext_authz.h @@ -110,6 +110,8 @@ struct Response { // "setCopy") to the response sent back to the downstream client on OK auth responses // only if the headers were returned from the authz server. UnsafeHeaderVector response_headers_to_overwrite_if_exists{}; + // Whether the authorization server returned any headers with an invalid append action type. + bool saw_invalid_append_actions{false}; // A set of HTTP headers consumed by the authorization server, will be removed // from the request to the upstream server. std::vector headers_to_remove{}; diff --git a/source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc index 2190493375bb3..cc2858b0454f7 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc @@ -43,7 +43,6 @@ void copyOkResponseMutations(ResponsePtr& response, } } else { switch (header.append_action()) { - PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; case Router::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD: response->response_headers_to_add.emplace_back(header.header().key(), header.header().value()); @@ -60,6 +59,9 @@ void copyOkResponseMutations(ResponsePtr& response, response->response_headers_to_set.emplace_back(header.header().key(), header.header().value()); break; + default: + response->saw_invalid_append_actions = true; + break; } } } diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc index 170ee16ef84a8..0c9587fe119eb 100644 --- a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc @@ -41,6 +41,7 @@ const Response& errorResponse() { UnsafeHeaderVector{}, UnsafeHeaderVector{}, UnsafeHeaderVector{}, + false, {{}}, Http::Utility::QueryParamsVector{}, {}, @@ -385,6 +386,7 @@ ResponsePtr RawHttpClientImpl::toResponse(Http::ResponseMessagePtr message) { UnsafeHeaderVector{}, UnsafeHeaderVector{}, UnsafeHeaderVector{}, + false, std::move(headers_to_remove), Http::Utility::QueryParamsVector{}, {}, @@ -408,6 +410,7 @@ ResponsePtr RawHttpClientImpl::toResponse(Http::ResponseMessagePtr message) { UnsafeHeaderVector{}, UnsafeHeaderVector{}, UnsafeHeaderVector{}, + false, {{}}, Http::Utility::QueryParamsVector{}, {}, diff --git a/source/extensions/filters/http/ext_authz/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc index 7fd7abf65f365..8984cb37f0ebc 100644 --- a/source/extensions/filters/http/ext_authz/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/ext_authz.cc @@ -601,6 +601,17 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) { updateLoggingInfo(response->grpc_status); + if (response->saw_invalid_append_actions) { + if (config_->validateMutations()) { + ENVOY_STREAM_LOG(trace, "Rejecting response with invalid header append action.", + *decoder_callbacks_); + rejectResponse(); + return; + } + ENVOY_STREAM_LOG(trace, "Ignoring response headers with invalid header append action.", + *decoder_callbacks_); + } + if (!response->dynamic_metadata.fields().empty()) { if (!config_->enableDynamicMetadataIngestion()) { ENVOY_STREAM_LOG(trace, diff --git a/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc index 59c629a50b7a1..75d89e50439cb 100644 --- a/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_grpc_impl_test.cc @@ -445,6 +445,10 @@ TEST_F(ExtAuthzGrpcClientTest, AuthorizationOkWithAppendActions) { key: overwrite-if-exists-or-add value: overwrite-if-exists-or-add-value append_action: OVERWRITE_IF_EXISTS_OR_ADD + - header: + key: invalid-append-action + value: invalid-append-action-value + append_action: 404 )EOF", check_response); @@ -458,6 +462,7 @@ TEST_F(ExtAuthzGrpcClientTest, AuthorizationOkWithAppendActions) { UnsafeHeaderVector{{"add-if-absent", "add-if-absent-value"}}, .response_headers_to_overwrite_if_exists = UnsafeHeaderVector{{"overwrite-if-exists", "overwrite-if-exists-value"}}, + .saw_invalid_append_actions = true, .status_code = Http::Code::OK, .grpc_status = Grpc::Status::WellKnownGrpcStatus::Ok, }; diff --git a/test/extensions/filters/common/ext_authz/test_common.h b/test/extensions/filters/common/ext_authz/test_common.h index 762d37d614344..19532ddbad6e0 100644 --- a/test/extensions/filters/common/ext_authz/test_common.h +++ b/test/extensions/filters/common/ext_authz/test_common.h @@ -133,6 +133,10 @@ MATCHER_P(AuthzOkResponse, response, "") { return false; } + if (response.saw_invalid_append_actions != arg->saw_invalid_append_actions) { + return false; + } + if (!TestCommon::compareQueryParamsVector(response.query_parameters_to_set, arg->query_parameters_to_set)) { return false; diff --git a/test/extensions/filters/http/ext_authz/BUILD b/test/extensions/filters/http/ext_authz/BUILD index cf6a0897dfcb1..b622affef674d 100644 --- a/test/extensions/filters/http/ext_authz/BUILD +++ b/test/extensions/filters/http/ext_authz/BUILD @@ -89,6 +89,7 @@ envoy_extension_cc_test( "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/config/listener/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg_cc_proto", "@envoy_api//envoy/service/auth/v3:pkg_cc_proto", diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index 9585af931ebe5..0d0368ce57149 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -1,4 +1,5 @@ #include "envoy/config/bootstrap/v3/bootstrap.pb.h" +#include "envoy/config/core/v3/base.pb.h" #include "envoy/config/listener/v3/listener_components.pb.h" #include "envoy/extensions/filters/http/ext_authz/v3/ext_authz.pb.h" #include "envoy/service/auth/v3/external_auth.pb.h" @@ -458,7 +459,8 @@ class ExtAuthzGrpcIntegrationTest const Headers& response_headers_to_append, const Headers& response_headers_to_set, const Headers& response_headers_to_append_if_absent, - const Headers& response_headers_to_set_if_exists = {}) { + const Headers& response_headers_to_set_if_exists = {}, + bool add_sentinel_header_append_action = false) { ext_authz_request_->startGrpcStream(); envoy::service::auth::v3::CheckResponse check_response; check_response.mutable_status()->set_code(Grpc::Status::WellKnownGrpcStatus::Ok); @@ -519,6 +521,20 @@ class ExtAuthzGrpcIntegrationTest ENVOY_LOG_MISC(trace, "sendExtAuthzResponse: set response_header_to_add {}={}", key, value); } + if (add_sentinel_header_append_action) { + auto* entry = check_response.mutable_ok_response()->mutable_response_headers_to_add()->Add(); + entry->set_append_action( + static_cast( + std::numeric_limits::max())); + const auto key = std::string("invalid-append-action"); + const auto value = std::string("invalid-append-action-value"); + entry->mutable_header()->set_key(key); + entry->mutable_header()->set_value(value); + ENVOY_LOG_MISC(trace, + "sendExtAuthzResponse: set response header with invalid append action {}={}", + key, value); + } + for (const auto& response_header_to_set : response_headers_to_set) { auto* entry = check_response.mutable_ok_response()->mutable_response_headers_to_add()->Add(); const auto key = std::string(response_header_to_set.first); @@ -1295,6 +1311,49 @@ TEST_P(ExtAuthzGrpcIntegrationTest, ValidateMutations) { cleanup(); } +TEST_P(ExtAuthzGrpcIntegrationTest, ValidateMutationsSentinelAppendAction) { + GrpcInitializeConfigOpts opts; + opts.validate_mutations = true; + initializeConfig(opts); + + // Use h1, set up the test. + setDownstreamProtocol(Http::CodecType::HTTP1); + HttpIntegrationTest::initialize(); + + // Start a client connection and request. + initiateClientConnection(0); + waitForExtAuthzRequest(expectedCheckRequest(Http::CodecType::HTTP1)); + sendExtAuthzResponse({}, {}, {}, {}, {}, {}, {}, {}, {}, + /*add_sentinel_header_append_action=*/true); + + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("500", response_->headers().getStatusValue()); + test_server_->waitForCounterEq("cluster.cluster_0.ext_authz.invalid", 1); + + cleanup(); +} + +// Ignore invalid header append actions when validate_mutations is false. +TEST_P(ExtAuthzGrpcIntegrationTest, NoValidateMutationsSentinelAppendAction) { + GrpcInitializeConfigOpts opts; + opts.validate_mutations = false; + initializeConfig(opts); + + // Use h1, set up the test. + setDownstreamProtocol(Http::CodecType::HTTP1); + HttpIntegrationTest::initialize(); + + // Start a client connection and request. + initiateClientConnection(0); + + waitForExtAuthzRequest(expectedCheckRequest(Http::CodecType::HTTP1)); + sendExtAuthzResponse({}, {}, {}, {}, {}, {}, {}, {}, {}, + /*add_sentinel_header_append_action=*/true); + waitForSuccessfulUpstreamResponse("200"); + cleanup(); +} + TEST_P(ExtAuthzGrpcIntegrationTest, TimeoutFailOpen) { GrpcInitializeConfigOpts init_opts; init_opts.stats_expect_response_bytes = false; diff --git a/test/extensions/filters/http/ext_authz/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc index c6b342ba95016..871f6eeb7be99 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc @@ -679,6 +679,13 @@ TEST_F(InvalidMutationTest, BasicInvalidKey) { testResponse(response); } +TEST_F(InvalidMutationTest, InvalidHeaderAppendAction) { + Filters::Common::ExtAuthz::Response response; + response.status = Filters::Common::ExtAuthz::CheckStatus::OK; + response.saw_invalid_append_actions = true; + testResponse(response); +} + struct DecoderHeaderMutationRulesTestOpts { absl::optional rules; bool expect_reject_response = false; From f9a24c0b1b0224fa4b3816c903ebd0f6e09379de Mon Sep 17 00:00:00 2001 From: Tony Allen Date: Fri, 25 Jul 2025 21:26:14 +0000 Subject: [PATCH 343/505] oauth2: add Secure attribute for prefixed cookies on signout When using cookie names prefixed with `__Secure-` or `__Host-`, browsers require the `Secure` attribute to be present on the `Set-Cookie` header for any modification, including deletion. The OAuth2 filter did not add this attribute when generating the `Set-Cookie` headers to clear the OAuth cookies. This caused the browser to ignore the deletion request for prefixed cookies, effectively preventing the user from being signed out correctly. This patch fixes the behavior to set the `Secure` attribute when either prefix is found. Signed-off-by: Tony Allen Signed-off-by: Ryan Northey --- changelogs/current.yaml | 4 ++ .../extensions/filters/http/oauth2/filter.cc | 42 ++++++------- .../filters/http/oauth2/filter_test.cc | 63 +++++++++++++++++++ 3 files changed, 85 insertions(+), 24 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 68427112e4d86..bcd66e74822d0 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -106,6 +106,10 @@ bug_fixes: ``cluster..ssl.certificate..`` and ``listener.
.ssl.certificate..`` was not being properly extracted in the final prometheus stat name. +- area: oauth2 + change: | + Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a + Secure attribute. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc index b7044b3fefde1..e03857ce71a2e 100644 --- a/source/extensions/filters/http/oauth2/filter.cc +++ b/source/extensions/filters/http/oauth2/filter.cc @@ -940,30 +940,24 @@ Http::FilterHeadersStatus OAuth2Filter::signOutUser(const Http::RequestHeaderMap cookie_domain = fmt::format(CookieDomainFormatString, config_->cookieDomain()); } - response_headers->addReferenceKey( - Http::Headers::get().SetCookie, - absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().oauth_hmac_), - cookie_domain)); - response_headers->addReferenceKey( - Http::Headers::get().SetCookie, - absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().bearer_token_), - cookie_domain)); - response_headers->addReferenceKey( - Http::Headers::get().SetCookie, - absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().id_token_), - cookie_domain)); - response_headers->addReferenceKey( - Http::Headers::get().SetCookie, - absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().refresh_token_), - cookie_domain)); - response_headers->addReferenceKey( - Http::Headers::get().SetCookie, - absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().oauth_nonce_), - cookie_domain)); - response_headers->addReferenceKey( - Http::Headers::get().SetCookie, - absl::StrCat(fmt::format(CookieDeleteFormatString, config_->cookieNames().code_verifier_), - cookie_domain)); + const std::vector cookie_names{ + config_->cookieNames().oauth_hmac_, config_->cookieNames().bearer_token_, + config_->cookieNames().id_token_, config_->cookieNames().refresh_token_, + config_->cookieNames().oauth_nonce_, config_->cookieNames().code_verifier_, + }; + + for (const auto& cookie_name : cookie_names) { + // Cookie names prefixed with "__Secure-" or "__Host-" are special. They MUST be set with the + // Secure attribute so that the browser handles their deletion properly. + const bool add_secure_attr = + cookie_name.starts_with("__Secure-") || cookie_name.starts_with("__Host-"); + const absl::string_view maybe_secure_attr = add_secure_attr ? "; Secure" : ""; + + response_headers->addReferenceKey( + Http::Headers::get().SetCookie, + absl::StrCat(fmt::format(CookieDeleteFormatString, cookie_name), cookie_domain, + maybe_secure_attr)); + } const std::string post_logout_redirect_url = absl::StrCat(headers.getSchemeValue(), "://", host_, "/"); diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc index a6a4cf43dcc20..1f63ff9be24b6 100644 --- a/test/extensions/filters/http/oauth2/filter_test.cc +++ b/test/extensions/filters/http/oauth2/filter_test.cc @@ -157,6 +157,7 @@ class OAuth2Test : public testing::TestWithParam { ::envoy::extensions::filters::http::oauth2::v3::CookieConfig_SameSite:: CookieConfig_SameSite_DISABLED, int csrf_token_expires_in = 0, int code_verifier_token_expires_in = 0) { + envoy::extensions::filters::http::oauth2::v3::OAuth2Config p; auto* endpoint = p.mutable_token_endpoint(); endpoint->set_cluster("auth.example.com"); @@ -3760,6 +3761,68 @@ TEST_F(OAuth2Test, RequestIsUnchangedWhenPassThroughMatcherMatches) { EXPECT_EQ(scope_.counterFromString("test.my_prefix.oauth_success").value(), 0); } +// Verify cookie prefixes "__Secure-" and "__Host-" cause addition of the "Secure" attribute at +// signout. +TEST_F(OAuth2Test, SecureAttributeAddedForSecureCookiePrefixesOnSignout) { + auto make_config = + [&](absl::string_view prefix) -> envoy::extensions::filters::http::oauth2::v3::OAuth2Config { + envoy::extensions::filters::http::oauth2::v3::OAuth2Config p; + auto* endpoint = p.mutable_token_endpoint(); + endpoint->set_cluster("auth.example.com"); + endpoint->set_uri("auth.example.com/_oauth"); + p.set_authorization_endpoint("https://auth2.example.com/oauth/authorize/"); + p.mutable_signout_path()->mutable_path()->set_exact("/_signout"); + p.mutable_redirect_path_matcher()->mutable_path()->set_exact(TEST_CALLBACK); + auto* credentials = p.mutable_credentials(); + credentials->set_client_id(TEST_CLIENT_ID); + credentials->mutable_token_secret()->set_name("secret"); + credentials->mutable_hmac_secret()->set_name("hmac"); + auto* cookie_names = credentials->mutable_cookie_names(); + cookie_names->set_oauth_hmac(absl::StrCat(prefix, "OauthHMAC")); + cookie_names->set_bearer_token(absl::StrCat(prefix, "BearerToken")); + cookie_names->set_id_token(absl::StrCat(prefix, "IdToken")); + cookie_names->set_refresh_token(absl::StrCat(prefix, "RefreshToken")); + cookie_names->set_oauth_nonce(absl::StrCat(prefix, "OauthNonce")); + cookie_names->set_code_verifier(absl::StrCat(prefix, "CodeVerifier")); + + auto* matcher = p.add_pass_through_matcher(); + matcher->set_name(":method"); + matcher->mutable_string_match()->set_exact("OPTIONS"); + + return p; + }; + + auto run_test_with_prefix = [&](absl::string_view prefix, bool expect_secure) { + auto p = make_config(prefix); + auto secret_reader = std::make_shared(); + init(std::make_shared(p, factory_context_.server_factory_context_, secret_reader, + scope_, "test.")); + + EXPECT_CALL(decoder_callbacks_, encodeHeaders_(_, true)) + .WillOnce(Invoke([&](Http::ResponseHeaderMap& passed_headers, bool) { + EXPECT_EQ(passed_headers.get(Http::Headers::get().SetCookie).size(), 6); + const auto& cookie_str = + passed_headers.get(Http::Headers::get().SetCookie)[0]->value().getStringView(); + if (expect_secure) { + EXPECT_THAT(cookie_str, testing::HasSubstr("; Secure")); + } else { + EXPECT_THAT(cookie_str, testing::Not(testing::HasSubstr("; Secure"))); + } + })); + auto request_headers = Http::TestRequestHeaderMapImpl{ + {Http::Headers::get().Host.get(), "traffic.example.com"}, + {Http::Headers::get().Path.get(), "/_signout"}, + {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, + }; + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers, false)); + }; + + run_test_with_prefix("__Secure-", true); + run_test_with_prefix("__Host-", true); + run_test_with_prefix("", false); +} + } // namespace Oauth2 } // namespace HttpFilters } // namespace Extensions From a3f6c1c6d58978a0075c5365adab6e0d15673f48 Mon Sep 17 00:00:00 2001 From: Yan Avlasov Date: Mon, 11 Aug 2025 13:02:10 -0400 Subject: [PATCH 344/505] Fixed an UAF in DNS cache (#1709) Fix for https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw Signed-off-by: Yan Avlasov --- changelogs/current.yaml | 4 ++ .../dynamic_forward_proxy/dns_cache_impl.cc | 8 +++- .../filters/http/dynamic_forward_proxy/BUILD | 16 ++++++++ .../modify_host_filter.cc | 37 +++++++++++++++++++ .../proxy_filter_integration_test.cc | 35 ++++++++++++++++-- 5 files changed, 95 insertions(+), 5 deletions(-) create mode 100644 test/extensions/filters/http/dynamic_forward_proxy/modify_host_filter.cc diff --git a/changelogs/current.yaml b/changelogs/current.yaml index bcd66e74822d0..027b4838feb63 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -110,6 +110,10 @@ bug_fixes: change: | Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a Secure attribute. +- area: dns + change: | + Fixed an UAF in DNS cache that can occur when the Host header is modified between the Dynamic Forwarding and Router + filters. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc b/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc index 8037e43178c9a..0daf32908e8fa 100644 --- a/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc +++ b/source/extensions/common/dynamic_forward_proxy/dns_cache_impl.cc @@ -642,12 +642,16 @@ void DnsCacheImpl::ThreadLocalHostInfo::onHostMapUpdate( const HostMapUpdateInfoSharedPtr& resolved_host) { auto host_it = pending_resolutions_.find(resolved_host->host_); if (host_it != pending_resolutions_.end()) { - for (auto* resolution : host_it->second) { + // Calling the onLoadDnsCacheComplete may trigger more host resolutions adding more elements + // to the `pending_resolutions_` map, potentially invalidating the host_it iterator. So we + // copy the list of handles to a local variable before cleaning up the map. + std::list completed_resolutions(std::move(host_it->second)); + pending_resolutions_.erase(host_it); + for (auto* resolution : completed_resolutions) { auto& callbacks = resolution->callbacks_; resolution->cancel(); callbacks.onLoadDnsCacheComplete(resolved_host->info_); } - pending_resolutions_.erase(host_it); } } diff --git a/test/extensions/filters/http/dynamic_forward_proxy/BUILD b/test/extensions/filters/http/dynamic_forward_proxy/BUILD index 2ee9530fc5533..2a0946b675689 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/BUILD +++ b/test/extensions/filters/http/dynamic_forward_proxy/BUILD @@ -66,6 +66,20 @@ envoy_cc_test_library( alwayslink = 1, ) +envoy_cc_test_library( + name = "modify_host_filter_lib", + srcs = ["modify_host_filter.cc"], + deps = [ + "//envoy/http:filter_interface", + "//envoy/registry", + "//envoy/server:filter_config_interface", + "//source/extensions/filters/http/common:factory_base_lib", + "//source/extensions/filters/http/common:pass_through_filter_lib", + "//test/extensions/filters/http/common:empty_http_filter_config_lib", + "//test/integration/filters:common_lib", + ], +) + envoy_extension_cc_test( name = "proxy_filter_integration_test", size = "large", @@ -79,6 +93,7 @@ envoy_extension_cc_test( # https://gist.github.com/wrowe/a152cb1d12c2f751916122aed39d8517 tags = ["fails_on_clang_cl"], deps = [ + ":modify_host_filter_lib", ":test_resolver_lib", "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/dynamic_forward_proxy:cluster", @@ -114,6 +129,7 @@ envoy_extension_cc_test( # https://gist.github.com/wrowe/a152cb1d12c2f751916122aed39d8517 tags = ["fails_on_clang_cl"], deps = [ + ":modify_host_filter_lib", ":test_resolver_lib", "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/clusters/dynamic_forward_proxy:cluster", diff --git a/test/extensions/filters/http/dynamic_forward_proxy/modify_host_filter.cc b/test/extensions/filters/http/dynamic_forward_proxy/modify_host_filter.cc new file mode 100644 index 0000000000000..c20815cfb7ae4 --- /dev/null +++ b/test/extensions/filters/http/dynamic_forward_proxy/modify_host_filter.cc @@ -0,0 +1,37 @@ +#include "envoy/http/filter.h" +#include "envoy/registry/registry.h" +#include "envoy/server/filter_config.h" + +#include "source/extensions/filters/http/common/factory_base.h" +#include "source/extensions/filters/http/common/pass_through_filter.h" + +#include "test/integration/filters/common.h" + +namespace Envoy { + +class ModifyHostFilter : public Http::PassThroughFilter { +public: + ModifyHostFilter() = default; + Http::FilterHeadersStatus decodeHeaders(Http::RequestHeaderMap& headers, bool) override { + headers.setHost("non-existing.foo.bar.bats.com"); + return Http::FilterHeadersStatus::Continue; + } +}; + +class ModifyHostFilterFactory : public Extensions::HttpFilters::Common::EmptyHttpDualFilterConfig { +public: + ModifyHostFilterFactory() : EmptyHttpDualFilterConfig("modify-host-filter") {} + absl::StatusOr + createDualFilter(const std::string&, Server::Configuration::ServerFactoryContext&) override { + return [](Http::FilterChainFactoryCallbacks& callbacks) -> void { + callbacks.addStreamFilter(std::make_shared<::Envoy::ModifyHostFilter>()); + }; + } +}; + +// perform static registration +static Registry::RegisterFactory + register_; + +} // namespace Envoy diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc index e67ba891b371d..ad7ae5dcf4d9a 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -112,7 +112,8 @@ class ProxyFilterIntegrationTest : public testing::TestWithParam& prepend_custom_filter_config_yaml = absl::nullopt) { + const absl::optional& prepend_custom_filter_config_yaml = absl::nullopt, + bool use_dfp_even_when_cluster_resolves_hosts = false) { const std::string filter_use_sub_cluster = R"EOF( name: dynamic_forward_proxy typed_config: @@ -147,7 +148,8 @@ name: stream-info-to-headers-filter if (prepend_custom_filter_config_yaml.has_value()) { // Prepend DFP filter. - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dfp_cluster_resolves_hosts")) { + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dfp_cluster_resolves_hosts") || + use_dfp_even_when_cluster_resolves_hosts) { config_helper_.prependFilter(use_sub_cluster ? filter_use_sub_cluster : filter_use_dns_cache); } else if (use_sub_cluster) { @@ -162,7 +164,8 @@ name: stream-info-to-headers-filter // Prepend stream_info_filter. config_helper_.prependFilter(stream_info_filter_config_str); } else { - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dfp_cluster_resolves_hosts")) { + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dfp_cluster_resolves_hosts") || + use_dfp_even_when_cluster_resolves_hosts) { config_helper_.prependFilter(use_sub_cluster ? filter_use_sub_cluster : filter_use_dns_cache); } else if (use_sub_cluster) { @@ -1677,5 +1680,31 @@ TEST_P(ProxyFilterIntegrationTest, ResetStreamDuringDnsLookup) { EXPECT_EQ("504", response->headers().getStatusValue()); } +// This test validates that processing of DNS resolutions on worker threads is handled correctly. +// The test uses specific scenario where DFP filter AND async resolution in DFP cluster are enabled. +// Normally DFP filter is not needed, however this configuration can occur as the +// envoy.reloadable_features.dfp_cluster_resolves_hosts flag is now enabled by default. The test +// also requires the Host header to be modified between DFP and Router filters to trigger abnormal +// behavior in the DNS resolution processing loop. +TEST_P(ProxyFilterIntegrationTest, DoubleResolution) { + config_helper_.addRuntimeOverride("envoy.reloadable_features.dfp_cluster_resolves_hosts", "true"); + config_helper_.addRuntimeOverride( + "envoy.reloadable_features.skip_dns_lookup_for_proxied_requests", "true"); + upstream_tls_ = false; + autonomous_upstream_ = true; + // Add DFP filter even if async DNS resolution is enabled. + config_helper_.prependFilter("{ name: modify-host-filter }"); + initializeWithArgs(1024, 1024, "", typed_dns_resolver_config_, false, 5, false, false, + absl::nullopt, true); + + codec_client_ = makeHttpConnection(lookupPort("http")); + + auto response = codec_client_->makeHeaderOnlyRequest(default_request_headers_); + + ASSERT_TRUE(response->waitForEndStream()); + // The host modification filter sets a non-existing host which should result in a 503. + EXPECT_EQ("503", response->headers().getStatusValue()); +} + } // namespace } // namespace Envoy From d5bfb77b22f148d658410eea3dfde986f3f965b5 Mon Sep 17 00:00:00 2001 From: Renin John <224198430+reninjohn@users.noreply.github.com> Date: Wed, 3 Sep 2025 09:42:30 -0700 Subject: [PATCH 345/505] docs: clarify http cache filter architecture and document filesystem storage backend configuration (#40842) Commit Message: docs: clarify http cache filter architecture; document filesystem storage backend config Additional Description: - Clarify the architecture and extension points (HTTP Cache filter vs. storage backends) and how a storage backend is selected - Add a filesystem storage backend configuration example - Add links to related API/docs in the "See also" section Partially addresses #16246. Risk Level: None (docs-only) Testing: - CI passed for this PR - Verified in the preview artifact: * the "Architecture and extension points" section appears in the page (anchor link visible) * both example blocks appear under "Example configuration" * the File System backend YAML snippet renders via `literalinclude` (slice) with line numbers matching the source * the download link for `http-cache-configuration-fs.yaml` works * the "See also" links resolve Docs Changes: - docs/root/configuration/http/http_filters/cache_filter.rst - docs/root/configuration/http/http_filters/_include/http-cache-configuration-fs.yaml (new) - docs/BUILD (added FS include path to `configs` exclude list) --------- Signed-off-by: Renin John <224198430+reninjohn@users.noreply.github.com> --- docs/BUILD | 1 + .../_include/http-cache-configuration-fs.yaml | 68 +++++++++++++++++++ .../http/http_filters/cache_filter.rst | 29 +++++++- 3 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 docs/root/configuration/http/http_filters/_include/http-cache-configuration-fs.yaml diff --git a/docs/BUILD b/docs/BUILD index c47696b7d0dc7..2e317b672a110 100644 --- a/docs/BUILD +++ b/docs/BUILD @@ -22,6 +22,7 @@ filegroup( "root/operations/_include/traffic_tapping_*.yaml", "root/configuration/http/http_filters/_include/checksum_filter.yaml", "root/configuration/http/http_filters/_include/dns-cache-circuit-breaker.yaml", + "root/configuration/http/http_filters/_include/http-cache-configuration-fs.yaml", "root/configuration/other_features/_include/dlb.yaml", "root/configuration/other_features/_include/hyperscan_matcher.yaml", "root/configuration/other_features/_include/hyperscan_matcher_multiple.yaml", diff --git a/docs/root/configuration/http/http_filters/_include/http-cache-configuration-fs.yaml b/docs/root/configuration/http/http_filters/_include/http-cache-configuration-fs.yaml new file mode 100644 index 0000000000000..78977ee5f58fb --- /dev/null +++ b/docs/root/configuration/http/http_filters/_include/http-cache-configuration-fs.yaml @@ -0,0 +1,68 @@ +static_resources: + listeners: + - address: + socket_address: + address: 0.0.0.0 + port_value: 8000 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + codec_type: AUTO + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: "/service/1" + route: + cluster: service1 + - match: + prefix: "/service/2" + route: + cluster: service2 + http_filters: + - name: envoy.filters.http.cache + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.cache.v3.CacheConfig + typed_config: + "@type": type.googleapis.com/envoy.extensions.http.cache.file_system_http_cache.v3.FileSystemHttpCacheConfig + manager_config: + thread_pool: + thread_count: 2 + cache_path: /var/cache/envoy + max_cache_size_bytes: 1073741824 + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: service1 + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: service1 + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: service1 + port_value: 8000 + - name: service2 + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: service2 + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: service2 + port_value: 8000 diff --git a/docs/root/configuration/http/http_filters/cache_filter.rst b/docs/root/configuration/http/http_filters/cache_filter.rst index 68deed12bb0a3..1527e0e1693f1 100644 --- a/docs/root/configuration/http/http_filters/cache_filter.rst +++ b/docs/root/configuration/http/http_filters/cache_filter.rst @@ -36,7 +36,15 @@ For HTTP Responses: HTTP Cache delegates the actual storage of HTTP responses to implementations of the ``HttpCache`` interface. These implementations can cover all points on the spectrum of persistence, performance, and distribution, from local RAM caches to globally distributed persistent caches. They can be fully custom caches, or wrappers/adapters around local or remote open-source or proprietary caches. -Currently the only available cache storage implementation is :ref:`SimpleHTTPCache `. +Built-in cache storage backends include :ref:`SimpleHttpCacheConfig ` (in-memory) and :ref:`FileSystemHttpCacheConfig ` (persistent; LRU). + +Architecture and extension points +--------------------------------- + +Envoy’s HTTP caching is split into: + +* **HTTP Cache filter** (extension name ``envoy.filters.http.cache``, category ``envoy.filters.http``) — configured via ``CacheConfig`` to apply HTTP caching semantics. +* **Cache storage backends** (extension category ``envoy.http.cache``) — the filter delegates object storage/retrieval to a backend, selected via a nested ``typed_config`` in ``CacheConfig``. Example configuration --------------------- @@ -50,7 +58,26 @@ Example filter configuration with a ``SimpleHttpCache`` cache implementation: :lineno-start: 29 :caption: :download:`http-cache-configuration.yaml <_include/http-cache-configuration.yaml>` +Example filter configuration with a ``FileSystemHttpCache`` cache implementation: + +.. literalinclude:: _include/http-cache-configuration-fs.yaml + :language: yaml + :start-at: http_filters: + :end-before: envoy.filters.http.router + :linenos: + :lineno-match: + :caption: :download:`http-cache-configuration-fs.yaml <_include/http-cache-configuration-fs.yaml>` + .. seealso:: :ref:`Envoy Cache Sandbox ` Learn more about the Envoy Cache filter in the step by step sandbox. + + :ref:`HTTP Cache filter (proto file) ` + ``CacheConfig`` API reference. + + :ref:`In-memory storage backend ` + ``SimpleHttpCacheConfig`` API reference. + + :ref:`Persistent on-disk storage backend ` + Docs page for File System Http Cache; links to ``FileSystemHttpCacheConfig`` API reference. From b553edc68281085c11c96fec67e7747eee31bc78 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Wed, 3 Sep 2025 09:46:40 -0700 Subject: [PATCH 346/505] More ReadyWatcher to MockFunction cleanup (#40900) Commit Message: More ReadyWatcher to MockFunction cleanup Signed-off-by: Raven Black --- test/common/event/BUILD | 1 - test/common/event/file_event_impl_test.cc | 191 ++++++++++------------ 2 files changed, 90 insertions(+), 102 deletions(-) diff --git a/test/common/event/BUILD b/test/common/event/BUILD index c49b038eaa78d..077b821a9db16 100644 --- a/test/common/event/BUILD +++ b/test/common/event/BUILD @@ -36,7 +36,6 @@ envoy_cc_test( "//source/common/event:dispatcher_includes", "//source/common/event:dispatcher_lib", "//source/common/stats:isolated_store_lib", - "//test/mocks:common_lib", "//test/test_common:environment_lib", "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", diff --git a/test/common/event/file_event_impl_test.cc b/test/common/event/file_event_impl_test.cc index 3157cedc0b42c..2476fc5c40a4d 100644 --- a/test/common/event/file_event_impl_test.cc +++ b/test/common/event/file_event_impl_test.cc @@ -6,7 +6,6 @@ #include "source/common/event/dispatcher_impl.h" #include "source/common/stats/isolated_store_impl.h" -#include "test/mocks/common.h" #include "test/test_common/environment.h" #include "test/test_common/utility.h" @@ -16,6 +15,8 @@ namespace Envoy { namespace Event { namespace { +using ::testing::MockFunction; + class FileEventImplTest : public testing::Test { public: FileEventImplTest() @@ -61,10 +62,10 @@ class FileEventImplActivateTest : public testing::TestWithParam(arg); - watcher->ready(); + static void callPrepareCallback(evwatch*, const evwatch_prepare_cb_info*, void* arg) { + // `arg` contains the MockFunction passed in from evwatch_prepare_new. + auto callback = static_cast*>(arg); + callback->Call(); } int domain() { return GetParam() == Network::Address::IpVersion::v4 ? AF_INET : AF_INET6; } @@ -82,10 +83,9 @@ TEST_P(FileEventImplActivateTest, Activate) { Api::ApiPtr api = Api::createApiForTest(); DispatcherPtr dispatcher(api->allocateDispatcher("test_thread")); - ReadyWatcher read_event; - EXPECT_CALL(read_event, ready()); - ReadyWatcher write_event; - EXPECT_CALL(write_event, ready()); + MockFunction read_callback, write_callback; + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); const FileTriggerType trigger = Event::PlatformDefaultTriggerType; @@ -93,11 +93,11 @@ TEST_P(FileEventImplActivateTest, Activate) { fd, [&](uint32_t events) { if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, @@ -115,27 +115,24 @@ TEST_P(FileEventImplActivateTest, ActivateChaining) { Api::ApiPtr api = Api::createApiForTest(); DispatcherPtr dispatcher(api->allocateDispatcher("test_thread")); - ReadyWatcher fd_event; - ReadyWatcher read_event; - ReadyWatcher write_event; + MockFunction fd_callback, read_callback, write_callback, prepare_callback; - ReadyWatcher prepare_watcher; - evwatch_prepare_new(&static_cast(dispatcher.get())->base(), onWatcherReady, - &prepare_watcher); + evwatch_prepare_new(&static_cast(dispatcher.get())->base(), callPrepareCallback, + &prepare_callback); const FileTriggerType trigger = Event::PlatformDefaultTriggerType; Event::FileEventPtr file_event = dispatcher->createFileEvent( fd, [&](uint32_t events) { - fd_event.ready(); + fd_callback.Call(); if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); file_event->activate(FileReadyType::Write); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, @@ -145,17 +142,17 @@ TEST_P(FileEventImplActivateTest, ActivateChaining) { // First loop iteration: handle scheduled read event and the real write event produced by poll. // Note that the real and injected events are combined and delivered in a single call to the fd // callback. - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(fd_event, ready()); - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(fd_callback, Call); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); // Second loop iteration: handle write and close events scheduled while handling read. - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(fd_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(fd_callback, Call); + EXPECT_CALL(write_callback, Call); if constexpr (Event::PlatformDefaultTriggerType != Event::FileTriggerType::EmulatedEdge) { // Third loop iteration: poll returned no new real events. - EXPECT_CALL(prepare_watcher, ready()); + EXPECT_CALL(prepare_callback, Call); } file_event->activate(FileReadyType::Read); @@ -170,28 +167,25 @@ TEST_P(FileEventImplActivateTest, SetEnableCancelsActivate) { Api::ApiPtr api = Api::createApiForTest(); DispatcherPtr dispatcher(api->allocateDispatcher("test_thread")); - ReadyWatcher fd_event; - ReadyWatcher read_event; - ReadyWatcher write_event; + MockFunction fd_callback, read_callback, write_callback, prepare_callback; - ReadyWatcher prepare_watcher; - evwatch_prepare_new(&static_cast(dispatcher.get())->base(), onWatcherReady, - &prepare_watcher); + evwatch_prepare_new(&static_cast(dispatcher.get())->base(), callPrepareCallback, + &prepare_callback); const FileTriggerType trigger = Event::PlatformDefaultTriggerType; Event::FileEventPtr file_event = dispatcher->createFileEvent( fd, [&](uint32_t events) { - fd_event.ready(); + fd_callback.Call(); if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); file_event->activate(FileReadyType::Closed); file_event->setEnabled(FileReadyType::Write | FileReadyType::Closed); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, @@ -201,17 +195,17 @@ TEST_P(FileEventImplActivateTest, SetEnableCancelsActivate) { // First loop iteration: handle scheduled read event and the real write event produced by poll. // Note that the real and injected events are combined and delivered in a single call to the fd // callback. - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(fd_event, ready()); - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(fd_callback, Call); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); // Second loop iteration: handle real write event after resetting event mask via setEnabled. Close // injected event is discarded by the setEnable call. - EXPECT_CALL(prepare_watcher, ready()); - EXPECT_CALL(fd_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(prepare_callback, Call); + EXPECT_CALL(fd_callback, Call); + EXPECT_CALL(write_callback, Call); // Third loop iteration: poll returned no new real events. - EXPECT_CALL(prepare_watcher, ready()); + EXPECT_CALL(prepare_callback, Call); file_event->activate(FileReadyType::Read); dispatcher->run(Event::Dispatcher::RunType::NonBlock); @@ -221,20 +215,19 @@ TEST_P(FileEventImplActivateTest, SetEnableCancelsActivate) { #ifndef WIN32 // Libevent on Windows doesn't support edge trigger. TEST_F(FileEventImplTest, EdgeTrigger) { - ReadyWatcher read_event; - EXPECT_CALL(read_event, ready()); - ReadyWatcher write_event; - EXPECT_CALL(write_event, ready()); + MockFunction read_callback, write_callback; + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); Event::FileEventPtr file_event = dispatcher_->createFileEvent( fds_[0], [&](uint32_t events) { if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, @@ -246,8 +239,7 @@ TEST_F(FileEventImplTest, EdgeTrigger) { TEST_F(FileEventImplTest, LevelTrigger) { testing::InSequence s; - ReadyWatcher read_event; - ReadyWatcher write_event; + MockFunction read_callback, write_callback; int count = 0; Event::FileEventPtr file_event = dispatcher_->createFileEvent( @@ -258,11 +250,11 @@ TEST_F(FileEventImplTest, LevelTrigger) { dispatcher_->exit(); } if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, @@ -270,31 +262,31 @@ TEST_F(FileEventImplTest, LevelTrigger) { // Expect events to be delivered twice since count=2 and level events are delivered on each // iteration until the fd state changes. - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); count = 2; dispatcher_->run(Event::Dispatcher::RunType::Block); // Change the event mask to just Write and verify that only that event is delivered. - EXPECT_CALL(read_event, ready()).Times(0); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(read_callback, Call).Times(0); + EXPECT_CALL(write_callback, Call); file_event->setEnabled(FileReadyType::Write); count = 1; dispatcher_->run(Event::Dispatcher::RunType::Block); // Activate read, and verify it is delivered despite not being part of the enabled event mask. - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); file_event->activate(FileReadyType::Read); count = 1; dispatcher_->run(Event::Dispatcher::RunType::Block); // Activate read and then call setEnabled. Verify that the read event is not delivered; setEnabled // clears events from explicit calls to activate. - EXPECT_CALL(read_event, ready()).Times(0); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(read_callback, Call).Times(0); + EXPECT_CALL(write_callback, Call); file_event->activate(FileReadyType::Read); file_event->setEnabled(FileReadyType::Write); count = 1; @@ -303,8 +295,7 @@ TEST_F(FileEventImplTest, LevelTrigger) { TEST_F(FileEventImplTest, SetEnabled) { testing::InSequence s; - ReadyWatcher read_event; - ReadyWatcher write_event; + MockFunction read_callback, write_callback; const FileTriggerType trigger = Event::PlatformDefaultTriggerType; @@ -312,73 +303,72 @@ TEST_F(FileEventImplTest, SetEnabled) { fds_[0], [&](uint32_t events) { if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, trigger, FileReadyType::Read | FileReadyType::Write); - EXPECT_CALL(read_event, ready()); + EXPECT_CALL(read_callback, Call); file_event->setEnabled(FileReadyType::Read); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->setEnabled(FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); file_event->setEnabled(0); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); file_event->setEnabled(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - // Run a manual event to ensure that previous expectations are satisfied before moving on. - ReadyWatcher manual_event; - EXPECT_CALL(manual_event, ready()); - manual_event.ready(); + // Ensure that previous expectations are satisfied before moving on. + testing::Mock::VerifyAndClearExpectations(&read_callback); + testing::Mock::VerifyAndClearExpectations(&write_callback); clearReadable(); file_event->setEnabled(FileReadyType::Read); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->setEnabled(FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->setEnabled(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); // Repeat the previous registration, verify that write event is delivered again. - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->setEnabled(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); // Synthetic read events are delivered even if the active registration doesn't contain them. - EXPECT_CALL(read_event, ready()); + EXPECT_CALL(read_callback, Call); file_event->activate(FileReadyType::Read); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - // Run a manual event to ensure that previous expectations are satisfied before moving on. - EXPECT_CALL(manual_event, ready()); - manual_event.ready(); + // Ensure that previous expectations are satisfied before moving on. + testing::Mock::VerifyAndClearExpectations(&read_callback); + testing::Mock::VerifyAndClearExpectations(&write_callback); // Do a read activation followed setEnabled to verify that the activation is cleared. - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->activate(FileReadyType::Read); file_event->setEnabled(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); // Repeat the previous steps but with the same input to setEnabled to verify that the activation // is cleared even in cases where the setEnable mask hasn't changed. - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->activate(FileReadyType::Read); file_event->setEnabled(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); @@ -391,8 +381,7 @@ TEST_F(FileEventImplTest, RegisterIfEmulatedEdge) { } testing::InSequence s; - ReadyWatcher read_event; - ReadyWatcher write_event; + MockFunction read_callback, write_callback; const FileTriggerType trigger = Event::PlatformDefaultTriggerType; @@ -400,47 +389,47 @@ TEST_F(FileEventImplTest, RegisterIfEmulatedEdge) { fds_[0], [&](uint32_t events) { if (events & FileReadyType::Read) { - read_event.ready(); + read_callback.Call(); } if (events & FileReadyType::Write) { - write_event.ready(); + write_callback.Call(); } return absl::OkStatus(); }, trigger, FileReadyType::Read | FileReadyType::Write); - EXPECT_CALL(read_event, ready()).Times(0); - EXPECT_CALL(write_event, ready()).Times(0); + EXPECT_CALL(read_callback, Call).Times(0); + EXPECT_CALL(write_callback, Call).Times(0); file_event->unregisterEventIfEmulatedEdge(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(read_event, ready()); + EXPECT_CALL(read_callback, Call); file_event->registerEventIfEmulatedEdge(FileReadyType::Read); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(write_callback, Call); file_event->registerEventIfEmulatedEdge(FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(read_event, ready()); + EXPECT_CALL(read_callback, Call); file_event->registerEventIfEmulatedEdge(FileReadyType::Read | FileReadyType::Write); file_event->unregisterEventIfEmulatedEdge(FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(read_event, ready()).Times(0); - EXPECT_CALL(write_event, ready()).Times(0); + EXPECT_CALL(read_callback, Call).Times(0); + EXPECT_CALL(write_callback, Call).Times(0); file_event->unregisterEventIfEmulatedEdge(FileReadyType::Read); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); - EXPECT_CALL(read_event, ready()); - EXPECT_CALL(write_event, ready()); + EXPECT_CALL(read_callback, Call); + EXPECT_CALL(write_callback, Call); file_event->registerEventIfEmulatedEdge(FileReadyType::Read | FileReadyType::Write); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); // Events are delivered once due to auto unregistration after they are delivered. - EXPECT_CALL(read_event, ready()).Times(0); - EXPECT_CALL(write_event, ready()).Times(0); + EXPECT_CALL(read_callback, Call).Times(0); + EXPECT_CALL(write_callback, Call).Times(0); dispatcher_->run(Event::Dispatcher::RunType::NonBlock); } From baca79165ad5276b7e8657624a74b79d0f31e71d Mon Sep 17 00:00:00 2001 From: Elisha Ziskind Date: Wed, 3 Sep 2025 13:19:26 -0400 Subject: [PATCH 347/505] Add dynamic metadata for TLS inspector filter errors (#40529) Export dynamic metadata from the TLS inspector to provide more detailed reason for subsequent extensions in case SNI could not be detected. Signed-off-by: Elisha Ziskind --- changelogs/current.yaml | 3 ++ .../advanced/well_known_dynamic_metadata.rst | 1 + .../listener_filters/tls_inspector.rst | 8 +++++ .../listener/tls_inspector/tls_inspector.cc | 26 ++++++++++++++++ .../listener/tls_inspector/tls_inspector.h | 7 +++++ .../tls_inspector_integration_test.cc | 30 +++++++++++++++++++ .../tls_inspector/tls_inspector_test.cc | 15 +++++++++- 7 files changed, 89 insertions(+), 1 deletion(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 027b4838feb63..d4aa4fdc553b8 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -318,6 +318,9 @@ new_features: - area: rbac change: | Switch the IP matcher to use LC-Trie for performance improvements. +- area: tls_inspector + change: | + Added dynamic metadata when failing to parse the ``ClientHello``. - area: lua change: | Added ``route()`` to the Stream handle API, allowing Lua scripts to retrieve route information. So far, the only method diff --git a/docs/root/configuration/advanced/well_known_dynamic_metadata.rst b/docs/root/configuration/advanced/well_known_dynamic_metadata.rst index 8b21caa3941a4..88c1a3f9440a5 100644 --- a/docs/root/configuration/advanced/well_known_dynamic_metadata.rst +++ b/docs/root/configuration/advanced/well_known_dynamic_metadata.rst @@ -32,6 +32,7 @@ The following Envoy filters can be configured to consume dynamic metadata emitte ` * :ref:`RateLimit Filter limit override ` * :ref:`Original destination listener filter ` +* :ref:`TLS Inspector listener filter ` .. _shared_dynamic_metadata: diff --git a/docs/root/configuration/listeners/listener_filters/tls_inspector.rst b/docs/root/configuration/listeners/listener_filters/tls_inspector.rst index c933678c144cd..4bd8988af986c 100644 --- a/docs/root/configuration/listeners/listener_filters/tls_inspector.rst +++ b/docs/root/configuration/listeners/listener_filters/tls_inspector.rst @@ -81,4 +81,12 @@ This filter has a statistics tree rooted at *tls_inspector* with the following s If the connection terminates early nothing is recorded if we didn't have sufficient bytes for either of the cases above. +.. _config_listener_filters_tls_inspector_dynamic_metadata: + +Dynamic Metadata +---------------- + +If the filter fails to detect TLS it will populate dynamic metadata under the key +`envoy.filters.listener.tls_inspector` indicating the reason (eg. ``ClientHello`` too +large or not detected at all). diff --git a/source/extensions/filters/listener/tls_inspector/tls_inspector.cc b/source/extensions/filters/listener/tls_inspector/tls_inspector.cc index 31e2fbf71b3a0..0d785cde20455 100644 --- a/source/extensions/filters/listener/tls_inspector/tls_inspector.cc +++ b/source/extensions/filters/listener/tls_inspector/tls_inspector.cc @@ -175,6 +175,13 @@ Network::FilterStatus Filter::onData(Network::ListenerFilterBuffer& buffer) { return Network::FilterStatus::StopIteration; } +void Filter::setDynamicMetadata(absl::string_view failure_reason) { + Protobuf::Struct metadata; + auto& fields = *metadata.mutable_fields(); + fields[failureReasonKey()].set_string_value(failure_reason); + cb_->setDynamicMetadata(dynamicMetadataKey(), metadata); +} + ParseState Filter::parseClientHello(const void* data, size_t len, uint64_t bytes_already_processed) { // Ownership remains here though we pass a reference to it in `SSL_set0_rbio()`. @@ -198,6 +205,7 @@ ParseState Filter::parseClientHello(const void* data, size_t len, // We've hit the specified size limit. This is an unreasonably large ClientHello; // indicate failure. config_->stats().client_hello_too_large_.inc(); + setDynamicMetadata(failureReasonClientHelloTooLarge()); return ParseState::Error; } if (read_ >= requested_read_bytes_) { @@ -219,9 +227,11 @@ ParseState Filter::parseClientHello(const void* data, size_t len, // We've hit the specified size limit. This is an unreasonably large ClientHello; // indicate failure. config_->stats().client_hello_too_large_.inc(); + setDynamicMetadata(failureReasonClientHelloTooLarge()); return ParseState::Error; } config_->stats().tls_not_found_.inc(); + setDynamicMetadata(failureReasonClientHelloNotDetected()); ENVOY_LOG( debug, "tls inspector: parseClientHello failed: {}", Extensions::TransportSockets::Tls::Utility::getLastCryptoError().value_or("unknown")); @@ -369,6 +379,22 @@ void Filter::createJA4Hash(const SSL_CLIENT_HELLO* ssl_client_hello) { cb_->socket().setJA4Hash(fingerprint); } +const std::string& Filter::dynamicMetadataKey() { + CONSTRUCT_ON_FIRST_USE(std::string, "envoy.filters.listener.tls_inspector"); +} + +const std::string& Filter::failureReasonKey() { + CONSTRUCT_ON_FIRST_USE(std::string, "failure_reason"); +} + +const std::string& Filter::failureReasonClientHelloTooLarge() { + CONSTRUCT_ON_FIRST_USE(std::string, "ClientHelloTooLarge"); +} + +const std::string& Filter::failureReasonClientHelloNotDetected() { + CONSTRUCT_ON_FIRST_USE(std::string, "ClientHelloNotDetected"); +} + } // namespace TlsInspector } // namespace ListenerFilters } // namespace Extensions diff --git a/source/extensions/filters/listener/tls_inspector/tls_inspector.h b/source/extensions/filters/listener/tls_inspector/tls_inspector.h index 47a347acc5d86..9fd1087166deb 100644 --- a/source/extensions/filters/listener/tls_inspector/tls_inspector.h +++ b/source/extensions/filters/listener/tls_inspector/tls_inspector.h @@ -47,6 +47,7 @@ enum class ParseState { // Parser reports unrecoverable error. Error }; + /** * Global configuration for TLS inspector. */ @@ -93,6 +94,11 @@ class Filter : public Network::ListenerFilter, Logger::LoggablemaxClientHelloSize(); } + void setDynamicMetadata(absl::string_view failure_reason); ConfigSharedPtr config_; Network::ListenerFilterCallbacks* cb_{}; diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc index 97da6715a8c42..f846b5378ce74 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc @@ -260,6 +260,36 @@ TEST_P(TlsInspectorIntegrationTest, ContinueOnListenerTimeout) { EXPECT_THAT(waitForAccessLog(listener_access_log_name_), testing::Eq("-")); } +TEST_P(TlsInspectorIntegrationTest, TlsInspectorMetadataPopulatedInAccessLog) { + initializeWithTlsInspector( + /*ssl_client=*/false, + /*log_format=*/"%DYNAMIC_METADATA(envoy.filters.listener.tls_inspector:failure_reason)%", + false, false, false); + Network::Address::InstanceConstSharedPtr address = + Ssl::getSslAddress(version_, lookupPort("echo")); + context_ = + Ssl::createClientSslTransportSocketFactory(/*ssl_options=*/{}, *context_manager_, *api_); + auto transport_socket_factory = std::make_unique(); + Network::TransportSocketPtr transport_socket = + transport_socket_factory->createTransportSocket(nullptr, nullptr); + client_ = dispatcher_->createClientConnection(address, Network::Address::InstanceConstSharedPtr(), + std::move(transport_socket), nullptr, nullptr); + std::shared_ptr payload_reader = + std::make_shared(*dispatcher_); + client_->addReadFilter(payload_reader); + client_->addConnectionCallbacks(connect_callbacks_); + client_->connect(); + Buffer::OwnedImpl buffer("fake data"); + client_->write(buffer, false); + while (!connect_callbacks_.connected() && !connect_callbacks_.closed()) { + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + } + // The timeout is set as one seconds, advance 2 seconds to trigger the timeout. + timeSystem().advanceTimeWaitImpl(std::chrono::milliseconds(2000)); + client_->close(Network::ConnectionCloseType::NoFlush); + EXPECT_THAT(waitForAccessLog(listener_access_log_name_), testing::Eq("ClientHelloNotDetected")); +} + // The `JA3` fingerprint is correct in the access log. TEST_P(TlsInspectorIntegrationTest, JA3FingerprintIsSet) { // These TLS options will create a client hello message with diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc index 6580927c1f456..70be65038c9e9 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc @@ -103,7 +103,7 @@ class TlsInspectorTest : public testing::TestWithParam filter_; - Network::MockListenerFilterCallbacks cb_; + NiceMock cb_; Network::MockConnectionSocket socket_; NiceMock dispatcher_; Event::FileReadyCb file_event_callback_; @@ -281,6 +281,12 @@ TEST_P(TlsInspectorTest, ClientHelloTooBig) { mockSysCallForPeek(client_hello, true); EXPECT_CALL(socket_, detectedTransportProtocol()).Times(::testing::AnyNumber()); EXPECT_TRUE(file_event_callback_(Event::FileReadyType::Read).ok()); + + Protobuf::Struct expected_metadata; + auto& fields = *expected_metadata.mutable_fields(); + fields[Filter::failureReasonKey()].set_string_value(Filter::failureReasonClientHelloTooLarge()); + EXPECT_CALL(cb_, setDynamicMetadata(Filter::dynamicMetadataKey(), ProtoEq(expected_metadata))); + auto state = filter_->onData(*buffer_); EXPECT_EQ(Network::FilterStatus::StopIteration, state); EXPECT_EQ(1, cfg_->stats().client_hello_too_large_.value()); @@ -409,6 +415,13 @@ TEST_P(TlsInspectorTest, NotSsl) { mockSysCallForPeek(data); // trigger the event to copy the client hello message into buffer:q EXPECT_TRUE(file_event_callback_(Event::FileReadyType::Read).ok()); + + Protobuf::Struct expected_metadata; + auto& fields = *expected_metadata.mutable_fields(); + fields[Filter::failureReasonKey()].set_string_value( + Filter::failureReasonClientHelloNotDetected()); + EXPECT_CALL(cb_, setDynamicMetadata(Filter::dynamicMetadataKey(), ProtoEq(expected_metadata))); + auto state = filter_->onData(*buffer_); EXPECT_EQ(Network::FilterStatus::Continue, state); EXPECT_EQ(1, cfg_->stats().tls_not_found_.value()); From 55a2ea53f1b485beac47622ac5200f11ed572e3d Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Wed, 3 Sep 2025 19:43:31 +0200 Subject: [PATCH 348/505] deps: update gperftools from 2.10 to 2.17.2 (#40909) Commit Message: Update gperftools from 2.10 to 2.17.2 Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #40750] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Matthieu MOREL --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 72ce130e027a3..3199a47552307 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -407,11 +407,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "gperftools", project_desc = "tcmalloc and profiling libraries", project_url = "https://github.com/gperftools/gperftools", - version = "2.10", - sha256 = "83e3bfdd28b8bcf53222c3798d4d395d52dadbbae59e8730c4a6d31a9c3732d8", + version = "2.17.2", + sha256 = "bb172a54312f623b53d8b94cab040248c559decdb87574ed873e80b516e6e8eb", strip_prefix = "gperftools-{version}", urls = ["https://github.com/gperftools/gperftools/releases/download/gperftools-{version}/gperftools-{version}.tar.gz"], - release_date = "2022-05-31", + release_date = "2025-08-15", use_category = ["dataplane_core", "controlplane"], cpe = "cpe:2.3:a:gperftools_project:gperftools:*", license = "BSD-3-Clause", From 8e917c56806675210276bd0b90c53261ddd4a8bf Mon Sep 17 00:00:00 2001 From: botengyao Date: Wed, 3 Sep 2025 14:03:36 -0400 Subject: [PATCH 349/505] weighted cluster: add header mutation integrations tests for weighted clusters (#40857) Commit Message: Additional Description: Risk Level: low Testing: added integration tests Docs Changes: Release Notes: --------- Signed-off-by: Boteng Yao --- .../filters/http/header_mutation/BUILD | 3 ++ test/integration/BUILD | 2 + .../weighted_cluster_integration_test.cc | 54 +++++++++++++++++-- 3 files changed, 56 insertions(+), 3 deletions(-) diff --git a/source/extensions/filters/http/header_mutation/BUILD b/source/extensions/filters/http/header_mutation/BUILD index 48f12a0525023..0d999deb96ae1 100644 --- a/source/extensions/filters/http/header_mutation/BUILD +++ b/source/extensions/filters/http/header_mutation/BUILD @@ -28,6 +28,9 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], + extra_visibility = [ + "//test/integration:__subpackages__", + ], deps = [ ":header_mutation_lib", "//envoy/registry", diff --git a/test/integration/BUILD b/test/integration/BUILD index 7e4d98558cfdf..96296d191d78f 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -2736,9 +2736,11 @@ envoy_cc_test( deps = [ ":http_integration_lib", ":integration_lib", + "//source/extensions/filters/http/header_mutation:config", "//test/integration/filters:repick_cluster_filter_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/config/route/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/http/header_mutation/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto", ], ) diff --git a/test/integration/weighted_cluster_integration_test.cc b/test/integration/weighted_cluster_integration_test.cc index df4676f4c1089..fb405b30119df 100644 --- a/test/integration/weighted_cluster_integration_test.cc +++ b/test/integration/weighted_cluster_integration_test.cc @@ -4,6 +4,7 @@ #include "envoy/config/bootstrap/v3/bootstrap.pb.h" #include "envoy/config/route/v3/route_components.pb.h" +#include "envoy/extensions/filters/http/header_mutation/v3/header_mutation.pb.h" #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h" #include "test/integration/filters/repick_cluster_filter.h" @@ -28,7 +29,7 @@ class WeightedClusterIntegrationTest : public testing::TestWithParam& weights) { + void initializeConfig(const std::vector& weights, bool test_header_mutation = false) { // Set the cluster configuration for `cluster_1` config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); @@ -39,10 +40,13 @@ class WeightedClusterIntegrationTest : public testing::TestWithParamset_name("cluster_0"); cluster->mutable_weight()->set_value(weights[0]); + if (test_header_mutation) { + envoy::config::core::v3::HeaderValueOption* header_value_option = + cluster->mutable_request_headers_to_add()->Add(); + auto* mutable_header = header_value_option->mutable_header(); + mutable_header->set_key("x-cluster-name-test"); + mutable_header->set_value("cluster_0"); + + envoy::extensions::filters::http::header_mutation::v3::HeaderMutationPerRoute + header_mutation; + std::string header_mutation_config = R"EOF( + mutations: + response_mutations: + - append: + header: + key: "x-cluster-header-mutation-test" + value: "cluster-0" + )EOF"; + TestUtility::loadFromYaml(header_mutation_config, header_mutation); + (*cluster->mutable_typed_per_filter_config())["envoy.filters.http.header_mutation"] + .PackFrom(header_mutation); + } + // Add a cluster with `cluster_header` specified. cluster = weighted_clusters->add_clusters(); cluster->set_cluster_header(std::string(Envoy::RepickClusterFilter::ClusterHeaderName)); @@ -67,7 +93,8 @@ class WeightedClusterIntegrationTest : public testing::TestWithParam& getDefaultWeights() { return default_weights_; } - void sendRequestAndValidateResponse(const std::vector& upstream_indices) { + void sendRequestAndValidateResponse(const std::vector& upstream_indices, + bool check_header_mutation = false) { // Create a client aimed at Envoy’s default HTTP port. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); @@ -86,6 +113,14 @@ class WeightedClusterIntegrationTest : public testing::TestWithParamcomplete()); EXPECT_EQ(0U, upstream_request_->bodyLength()); + if (check_header_mutation) { + EXPECT_EQ( + upstream_request_->headers().get(Http::LowerCaseString("x-cluster-name-test")).size(), 1); + EXPECT_EQ(result.response->headers() + .get(Http::LowerCaseString("x-cluster-header-mutation-test")) + .size(), + 1); + } // Verify the proxied response was received downstream, as expected. EXPECT_TRUE(result.response->complete()); EXPECT_EQ("200", result.response->headers().getStatusValue()); @@ -121,6 +156,19 @@ TEST_P(WeightedClusterIntegrationTest, SteerTrafficToOneClusterWithName) { EXPECT_EQ(test_server_->counter("cluster.cluster_0.upstream_cx_total")->value(), 1); } +// Test the header mutations in weighted clusters. +TEST_P(WeightedClusterIntegrationTest, SteerTrafficToOneClusterWithHeaderMutation) { + setDeterministicValue(); + initializeConfig(getDefaultWeights(), true); + + // The expected destination cluster upstream is index 0 since the selected + // value is set to 0 indirectly via `setDeterministicValue()` above to set the weight to 0. + sendRequestAndValidateResponse({0}, true); + + // Check that the expected upstream cluster has incoming request. + EXPECT_EQ(test_server_->counter("cluster.cluster_0.upstream_cx_total")->value(), 1); +} + // Steer the traffic (i.e. send the request) to the weighted cluster with `cluster_header` // specified. TEST_P(WeightedClusterIntegrationTest, SteerTrafficToOneClusterWithHeader) { From 269a7227c86f8d1125b52579d60d45aee8b0ff27 Mon Sep 17 00:00:00 2001 From: James Roper Date: Thu, 4 Sep 2025 04:06:17 +1000 Subject: [PATCH 350/505] grpc_web: fixes response content length handling (#40804) Fixes #40097 This fixes a bug in the grpc web filter where if an upstream grpc server sends a response with the content length, the grpc web filter modifies the body without updating or removing the content length. The result is that some clients truncate the body, other clients throw a protocol error, and if the downstream protocol is HTTP/1.1, there's a potential for HTTP response splitting. I have attempted to run the tests, but multiple attempts to run the tests in docker have caused my machine to go to 100% CPU for multiple hours before the machine crashes. Running the tests outside of docker seem to have dependency issues. Signed-off-by: James Roper --- .../filters/http/grpc_web/grpc_web_filter.cc | 4 ++++ .../filters/http/grpc_web/grpc_web_filter_test.cc | 11 +++++++++++ 2 files changed, 15 insertions(+) diff --git a/source/extensions/filters/http/grpc_web/grpc_web_filter.cc b/source/extensions/filters/http/grpc_web/grpc_web_filter.cc index 1d4dfca44184a..754e84a4d5d7f 100644 --- a/source/extensions/filters/http/grpc_web/grpc_web_filter.cc +++ b/source/extensions/filters/http/grpc_web/grpc_web_filter.cc @@ -251,6 +251,10 @@ Http::FilterHeadersStatus GrpcWebFilter::encodeHeaders(Http::ResponseHeaderMap& needs_transformation_for_non_proto_encoded_response_ = needsTransformationForNonProtoEncodedResponse(headers, end_stream); + // If upstream sets a content length, we must remove it because we're going to change the + // length of the body + headers.removeContentLength(); + if (is_text_response_) { headers.setReferenceContentType(Http::Headers::get().ContentTypeValues.GrpcWebTextProto); } else { diff --git a/test/extensions/filters/http/grpc_web/grpc_web_filter_test.cc b/test/extensions/filters/http/grpc_web/grpc_web_filter_test.cc index 8476cfebb8d1d..deaecf95dd4cd 100644 --- a/test/extensions/filters/http/grpc_web/grpc_web_filter_test.cc +++ b/test/extensions/filters/http/grpc_web/grpc_web_filter_test.cc @@ -502,6 +502,17 @@ TEST_P(GrpcWebFilterTest, MediaTypeWithParameter) { EXPECT_EQ(Http::FilterDataStatus::Continue, filter_.encodeData(data, false)); } +TEST_P(GrpcWebFilterTest, RemoveResponseContentLength) { + Http::TestRequestHeaderMapImpl request_headers{ + {"content-type", Http::Headers::get().ContentTypeValues.GrpcWeb}, {":path", "/"}}; + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_.decodeHeaders(request_headers, false)); + + Http::TestResponseHeaderMapImpl response_headers{ + {":status", "200"}, {"content-type", "application/grpc"}, {"content-length", "123"}}; + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_.encodeHeaders(response_headers, false)); + EXPECT_EQ(nullptr, response_headers.ContentLength()); +} + TEST_P(GrpcWebFilterTest, Unary) { // Tests request headers. request_headers_.addCopy(Http::Headers::get().ContentType, requestContentType()); From be135e0aa1b8bf6d301b8c15d959aa9522962bb8 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Wed, 3 Sep 2025 20:49:56 -0400 Subject: [PATCH 351/505] Replace c-ares with getaddrinfo DNS resolver in connect_integration_test (#40936) This is a follow up of https://github.com/envoyproxy/envoy/pull/40896 It's the 5th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- test/extensions/transport_sockets/http_11_proxy/BUILD | 1 + .../http_11_proxy/connect_integration_test.cc | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/test/extensions/transport_sockets/http_11_proxy/BUILD b/test/extensions/transport_sockets/http_11_proxy/BUILD index 66c830693601c..ebd0658b51f53 100644 --- a/test/extensions/transport_sockets/http_11_proxy/BUILD +++ b/test/extensions/transport_sockets/http_11_proxy/BUILD @@ -38,6 +38,7 @@ envoy_extension_cc_test( "//source/extensions/filters/http/dynamic_forward_proxy:config", "//source/extensions/filters/network/tcp_proxy:config", "//source/extensions/key_value/file_based:config_lib", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//source/extensions/transport_sockets/http_11_proxy:upstream_config", "//test/integration:http_integration_lib", "//test/integration:integration_lib", diff --git a/test/extensions/transport_sockets/http_11_proxy/connect_integration_test.cc b/test/extensions/transport_sockets/http_11_proxy/connect_integration_test.cc index d09f2a0354982..d58c516d52651 100644 --- a/test/extensions/transport_sockets/http_11_proxy/connect_integration_test.cc +++ b/test/extensions/transport_sockets/http_11_proxy/connect_integration_test.cc @@ -30,6 +30,10 @@ class Http11ConnectHttpIntegrationTest : public testing::TestWithParammutable_cluster_type()); cluster->clear_load_assignment(); From 82c1a44f25671cfdb0d9093f22fdc445e46327c5 Mon Sep 17 00:00:00 2001 From: basundhara-c Date: Wed, 3 Sep 2025 17:58:33 -0700 Subject: [PATCH 352/505] filter: add runtime flag to force an immediate local reply (#40259) ## Description This PR adds a new runtime flag which is used to force an immediate local reply from the filter(s). This change is required for the incoming reverse connection feature. --- **Commit Message:** filter: add setForceImmediateLocalReply() method to force an immediate local reply **Additional Description:** This is crucial for the handshake between initiator and responder envoy during reverse connection establishment. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Basundhara Chakrabarty Co-authored-by: Rohit Agrawal --------- Signed-off-by: Basundhara Chakrabarty --- source/common/http/filter_manager.cc | 15 +++++++++++---- source/common/runtime/runtime_features.cc | 2 ++ 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc index 71301fc84483c..91f9f27a2e6c0 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc @@ -12,6 +12,7 @@ #include "source/common/http/header_map_impl.h" #include "source/common/http/header_utility.h" #include "source/common/http/utility.h" +#include "source/common/runtime/runtime_features.h" #include "matching/data_impl.h" @@ -1021,10 +1022,16 @@ void DownstreamFilterManager::sendLocalReply( // route refreshment in the response filter chain. cb->route(nullptr); } - - // We only prepare a local reply to execute later if we're actively - // invoking filters to avoid re-entrant in filters. - if (state_.filter_call_state_ & FilterCallState::IsDecodingMask) { + // We only prepare a local reply to execute later if we're actively invoking filters to avoid + // re-entrant in filters. + // + // For reverse connections (where upstream initiates the connection to downstream), we need to + // send local replies immediately rather than queuing them. This ensures proper handling of the + // reversed connection flow and prevents potential issues with connection state and filter chain + // processing. + if (!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.reverse_conn_force_local_reply") && + (state_.filter_call_state_ & FilterCallState::IsDecodingMask)) { prepareLocalReplyViaFilterChain(is_grpc_request, code, body, modify_headers, is_head_request, grpc_status, details); } else { diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 7a469b2eb2e33..5b4a9c8774a9c 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -168,6 +168,8 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_no_ai_flags); // take over the split ones, and will be used as a base for the // implementation of on-demand DNS. FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_new_dns_implementation); +// Force a local reply from upstream envoy for reverse connections. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_reverse_conn_force_local_reply); // Block of non-boolean flags. Use of int flags is deprecated. Do not add more. ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT From b019a7e89933fb1f2e8a587d38a4a216e5a16190 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 4 Sep 2025 01:09:54 -0400 Subject: [PATCH 353/505] tls: future-proof UnsupportedCurveEcdsaCert's test expectation (#40962) Commit Message: Envoy has logic to reject P-224, but newer versions of BoringSSL reject it in `SSL_CTX` before Envoy's logic runs. Fix the test expectation to accept both paths. (It was already not possible to use a P-224 TLS key in BoringSSL because we didn't recognize the P-224 NamedCurve codepoint in TLS 1.2, and there is no P-224 SignatureScheme codepoint in TLS 1.3. BoringSSL just didn't notice in SSL_CTX_use_certificate before.) Additional Description: Risk Level: none, this is a test-only change Testing: run the test changed in this test-only change Docs Changes: no, this is a test only change Release Notes: no, this is a test only change Platform Specific Features: no, this is a test only change [Optional Runtime guard:] no, this is a test only change [Optional Fixes #Issue] no, this is a test only change [Optional Fixes commit #PR or SHA] no, this is a test only change [Optional Deprecated:] no, this is a test only change [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] no, this is a test only change Signed-off-by: David Benjamin --- test/common/tls/context_impl_test.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/common/tls/context_impl_test.cc b/test/common/tls/context_impl_test.cc index 2a29334c0890a..0a8d2661f807d 100644 --- a/test/common/tls/context_impl_test.cc +++ b/test/common/tls/context_impl_test.cc @@ -1618,12 +1618,13 @@ TEST_F(ClientContextConfigImplTest, UnsupportedCurveEcdsaCert) { *tls_context.mutable_common_tls_context()->add_tls_certificates()); auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; + // Envoy has logic to reject P-224, but newer versions of BoringSSL reject it in `SSL_CTX` + // before Envoy's logic runs. This test expectation is written to accept both paths. EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) .status() .message(), testing::ContainsRegex( - "Failed to load certificate chain from .*selfsigned_secp224r1_cert.pem, " - "only P-256, P-384 or P-521 ECDSA certificates are supported")); + "Failed to load certificate chain from .*selfsigned_secp224r1_cert.pem")); } // Multiple TLS certificates are not yet supported. From cbb0cf66fe35c1ce041c46af16a54e190e9425ba Mon Sep 17 00:00:00 2001 From: phlax Date: Thu, 4 Sep 2025 06:16:59 +0100 Subject: [PATCH 354/505] docker/release: Fix distroless hash to use nonroot (#40956) Fix #40954 Signed-off-by: Ryan Northey --- distribution/docker/Dockerfile-envoy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy index fc5dd5cfd6902..3f3375f8ab870 100644 --- a/distribution/docker/Dockerfile-envoy +++ b/distribution/docker/Dockerfile-envoy @@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \ # STAGE: envoy-distroless -FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:6fe9fd551fab9d442b7ee7096b8fcf286047ff91bac31bc577270bb77afa0184 AS envoy-distroless +FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:8981b63f968e829d21351ea9d28cc21127e5f034707f1d8483d2993d9577be0b AS envoy-distroless EXPOSE 10000 ENTRYPOINT ["/usr/local/bin/envoy"] CMD ["-c", "/etc/envoy/envoy.yaml"] From 3f791c82084300f92caed5bf439362d8cb5f8b5d Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 4 Sep 2025 13:17:11 -0400 Subject: [PATCH 355/505] test: replace c-ares with getaddrinfo DNS resolver in protocol integration test (#40938) This is a follow up of https://github.com/envoyproxy/envoy/pull/40936. It's the 6th step to address: https://github.com/envoyproxy/envoy/issues/39900 --------- Signed-off-by: Yanjun Xiang --- .../extensions/network/dns_resolver/getaddrinfo/BUILD | 1 + test/integration/BUILD | 1 + test/integration/protocol_integration_test.cc | 11 +++++++++++ 3 files changed, 13 insertions(+) diff --git a/source/extensions/network/dns_resolver/getaddrinfo/BUILD b/source/extensions/network/dns_resolver/getaddrinfo/BUILD index 05b119daa59cd..d66bbe96dc81a 100644 --- a/source/extensions/network/dns_resolver/getaddrinfo/BUILD +++ b/source/extensions/network/dns_resolver/getaddrinfo/BUILD @@ -12,6 +12,7 @@ envoy_cc_extension( name = "config", srcs = ["getaddrinfo.cc"], hdrs = ["getaddrinfo.h"], + extra_visibility = ["//test:__subpackages__"], deps = [ "//envoy/network:dns_resolver_interface", "//envoy/registry", diff --git a/test/integration/BUILD b/test/integration/BUILD index 96296d191d78f..d1edcbb265429 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -905,6 +905,7 @@ envoy_cc_test_library( "//source/common/http:header_map_lib", "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/buffer:config", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/common/http/http2:http2_frame", "//test/integration/filters:add_invalid_data_filter_lib", "//test/integration/filters:buffer_continue_filter_lib", diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 45f0881af079e..8f7fedbe5cdf7 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc @@ -26,6 +26,7 @@ #include "source/common/protobuf/utility.h" #include "source/common/runtime/runtime_impl.h" #include "source/common/upstream/upstream_impl.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/common/http/http2/http2_frame.h" #include "test/common/upstream/utility.h" @@ -163,6 +164,11 @@ TEST_P(ProtocolIntegrationTest, LogicalDns) { auto& cluster = *bootstrap.mutable_static_resources()->mutable_clusters(0); cluster.set_type(envoy::config::cluster::v3::Cluster::LOGICAL_DNS); cluster.set_dns_lookup_family(envoy::config::cluster::v3::Cluster::ALL); + auto* typed_dns_resolver_config = cluster.mutable_typed_dns_resolver_config(); + typed_dns_resolver_config->set_name("envoy.network.dns_resolver.getaddrinfo"); + envoy::extensions::network::dns_resolver::getaddrinfo::v3::GetAddrInfoDnsResolverConfig + getaddrinfo_config; + typed_dns_resolver_config->mutable_typed_config()->PackFrom(getaddrinfo_config); }); config_helper_.addConfigModifier( [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& @@ -185,6 +191,11 @@ TEST_P(ProtocolIntegrationTest, StrictDns) { auto& cluster = *bootstrap.mutable_static_resources()->mutable_clusters(0); cluster.set_type(envoy::config::cluster::v3::Cluster::STRICT_DNS); cluster.set_dns_lookup_family(envoy::config::cluster::v3::Cluster::ALL); + auto* typed_dns_resolver_config = cluster.mutable_typed_dns_resolver_config(); + typed_dns_resolver_config->set_name("envoy.network.dns_resolver.getaddrinfo"); + envoy::extensions::network::dns_resolver::getaddrinfo::v3::GetAddrInfoDnsResolverConfig + getaddrinfo_config; + typed_dns_resolver_config->mutable_typed_config()->PackFrom(getaddrinfo_config); }); initialize(); codec_client_ = makeHttpConnection(lookupPort("http")); From c32d7b1262f3e894e4dcafd7f4534b8b7f72c7df Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 4 Sep 2025 18:23:37 -0400 Subject: [PATCH 356/505] tls: fix no_extension_cert.pem (#40990) Commit Message: no_extension_cert.pem was generated by an OpenSSL impacted by https://github.com/openssl/openssl/issues/28397. This input is not actually a valid certificate and future versions of BoringSSL may reject it as invalid. Refresh it with an OpenSSL with the fix applied. As of writing the fix has been approved but not yet merged. Because of this, I've made the generation script double-check the output and error if it was wrong and, to not interfere with other runs of the script, disabled regeneration of it for now. An actual no-extension certificate also makes for a better test because the extension list will be null. In the certificate Envoy was previously testing against, the extension list was non-null but empty. Additional Description: Risk Level: none, this is a test-only change Testing: run unit tests, this test-only change Docs Changes: no, this is a test only change Release Notes: no, this is a test only change Platform Specific Features: no, this is a test only change [Optional Runtime guard:] no, this is a test only change [Optional Fixes #Issue] no, this is a test only change [Optional Fixes commit #PR or SHA] no, this is a test only change [Optional Deprecated:] no, this is a test only change [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] no, this is a test only change --------- Signed-off-by: David Benjamin --- test/common/tls/test_data/README.md | 4 ++ test/common/tls/test_data/certs.sh | 12 ++++- .../tls/test_data/no_extension_cert.pem | 32 ++++++------ .../tls/test_data/no_extension_cert_info.h | 12 ++--- .../common/tls/test_data/no_extension_key.pem | 52 +++++++++---------- 5 files changed, 62 insertions(+), 50 deletions(-) diff --git a/test/common/tls/test_data/README.md b/test/common/tls/test_data/README.md index 01f782e586a23..5c062426bede7 100644 --- a/test/common/tls/test_data/README.md +++ b/test/common/tls/test_data/README.md @@ -76,3 +76,7 @@ Note that macOS is unable to generate the expired unit test cert starting with its switch from OpenSSL to LibreSSL in High Sierra (10.13). Specifically, that version of the openssl command will not accept a non-positive "-days" parameter. + +`no_extension_cert.pem` can only be generated by a new enough OpenSSL to have +https://github.com/openssl/openssl/issues/28397 fixed. As of writing, the fix +has been approved but not yet merged. diff --git a/test/common/tls/test_data/certs.sh b/test/common/tls/test_data/certs.sh index 6fc0cb3e38b65..0a767f8918b17 100755 --- a/test/common/tls/test_data/certs.sh +++ b/test/common/tls/test_data/certs.sh @@ -154,6 +154,12 @@ generate_x509_cert_no_extension() { openssl x509 -req -days "$days" -in "${1}_cert.csr" -sha256 -CA "${2}_cert.pem" -CAkey \ "${2}_key.pem" -out "${1}_cert.pem" -extensions v3_req -extfile "${1}_cert.cfg" generate_info_header "$1" + # Older OpenSSLs do not correctly generate this certificate. See + # https://github.com/openssl/openssl/issues/28397 + if openssl asn1parse -in "${1}_cert.pem" | grep -F 'cont [ 3 ]' > /dev/null; then + echo "ERROR: ${1}_cert.pem was not generated correctly. Use a newer OpenSSL." + exit 1 + fi } # $1= $2= $3=[days] @@ -446,8 +452,10 @@ generate_rsa_key no_subject generate_x509_cert_nosubject no_subject ca # Generate a certificate with no extensions -generate_rsa_key no_extension -generate_x509_cert_no_extension no_extension ca +# This is skipped for now because OpenSSL cannot generate it correctly. +# See https://github.com/openssl/openssl/issues/28397. +# generate_rsa_key no_extension +# generate_x509_cert_no_extension no_extension ca # Generate unit test certificate generate_rsa_key unittest diff --git a/test/common/tls/test_data/no_extension_cert.pem b/test/common/tls/test_data/no_extension_cert.pem index d5916937b5b5a..33f47d7ed0796 100644 --- a/test/common/tls/test_data/no_extension_cert.pem +++ b/test/common/tls/test_data/no_extension_cert.pem @@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDaDCCAlCgAwIBAgIURV1cFLzZAOimcNK931D2PYfy5TowDQYJKoZIhvcNAQEL +MIIDZDCCAkygAwIBAgIUbFB1OMClcQjf5PYkiOrDdV3ev9UwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwOTA3MDU0MzE4WhcNMjYw -OTA3MDU0MzE4WjBiMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEM +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjUwOTA0MjAxNjU1WhcNMjcw +OTA0MjAxNjU1WjBiMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEM MAoGA1UECgwDT3JnMRgwFgYDVQQLDA9PcmcgRW5naW5lZXJpbmcxFjAUBgNVBAMM -DUxlZ2FjeSBTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDp -DcgNmR0dVWDPmmpxuJoNlILfPTL7Z5CHuUMzbhhPYI83+9kRIDE7QAYPP4cqSaQL -qQoc+Svb4OV4fTRmmhyaeXbUAxIrJE6qB0XdtAzlSr8UpJsYmB0kHlIryXd3PLSg -hh3g75poufc8swomDiIE+tZzo8ngZHKiOVsqGsHBnbs+83k452nvM0XbGLXRjLCI -WrUyGOM6x6WYNJEs0skP5F0HQn0Q8aQBkMWqYDCu44nafsaxUji2PTj9wo+yGmUR -EDSXqqWm+9aPihq+XHNDWIdpe7Gb07QsmGaEK/+J/VtRbCnyBZTxbYHXyIbV4xkk -Kd6e2j6i7/Cqs4DPK8stAgMBAAGjAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBoDP+n -8Vqo4up5BHuXTqZsul3IjpGP8O2AMLC0DXfo59HJkAg3tiSWmxY7UN0YfWotOboV -Jy5TsxoviIOw8eGQbXgyEvtseAPy6Rkl7DBD4PD73buXbHE5oN31cVf9R+E0YBLc -oihpp/wvYpGEl9/PlDBwLQ2W0mGNyQ45M8uCaff8HnloiEUCyfdWaxrpiuN6AXZJ -UCdgfsCdDom9N8eszCIblwrprnG1hgvK+6JQLmqs/6E8zwMXLF56TkHhLK13N+v7 -YkCqnGuMRGuTJVnT3mV9u+lhtPAHh/Pb6g6fwUw9VirrKEOSgaNCxAwKqnkq6+Y5 -B3x8ME8Jm8YxhP4J +DUxlZ2FjeSBTZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr +42lU62lb1lijMevEO6rSIhlKORHqBXUrZBvXvaJx8tWGZEzxgPXL/+dum0WyKAdz +jxJIkLHHv2tAqcpajcvRtBMONgt6W4DWfRLpVSkyjG7JDkynDc5jyPtO6Bnw3Twl +mapkVnYIW4T6xSNAJBXz/VhD/fiXvO7X9q0JDlD57PMSQ2chVVBkF+Nhac62TwsK +DW3HW1xWviUDErN4hs90IjI+M0Z7NEZK5qJrUPviTdq0LxhJEhTsDetPOlSqHdpz +t83KP+CTKagQZPB3CWNCSNn/z+CdFfvVvvIrwlzZBKSPWH+WRiKLBd/XqGN3eUEA +hqsbDd0LqQL4Ed4cVkiHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEJ6ex48+lmX +PS1TKB59kuMY0QYpYOMqK1XVR43qKfmJUaNm0WHxNovfnxl+3X7SFXmu7VFFynbS +jWhDewzLV0kj8XAZjHYb6WMMx1mnhjDWZ/p5oymkJOnQNVVUfY9w0zQOsygpA+WP +r8bjV3ZnYHEcQ6p/MpeEUhxjXZRT5/+r4yXoFvPtEcJE9TgRQXcIGfSrJyInDGHB +y6KWRyGpDj/f5ljWWs/5lbLQ1E18yEVbtaWdcFpw6Z1NOo3plE3UhvT7kfH9m5vs +yl55kLMnZZhZgrcrh4iIp2+rx4lJNzDLgW0ZzHjaYPJCpH7ihWATlMbJzDl8N0gt +3lgGFeO4t30= -----END CERTIFICATE----- diff --git a/test/common/tls/test_data/no_extension_cert_info.h b/test/common/tls/test_data/no_extension_cert_info.h index 35abdd7556e3b..83b2411db0119 100644 --- a/test/common/tls/test_data/no_extension_cert_info.h +++ b/test/common/tls/test_data/no_extension_cert_info.h @@ -3,9 +3,9 @@ // NOLINT(namespace-envoy) // This file is auto-generated by certs.sh. constexpr char TEST_NO_EXTENSION_CERT_256_HASH[] = - "464d1eb8e3217b515bfb540df3e5f8d136f2e9ea897533c2e296e96c0dcc2585"; -constexpr char TEST_NO_EXTENSION_CERT_1_HASH[] = "a7a954b8a78d7c001cbf56a57db48823e6991a8c"; -constexpr char TEST_NO_EXTENSION_CERT_SPKI[] = "3Fc0C/VBNBl71wdP4oM0/E777sOgEyltsTVeCUPkvBE="; -constexpr char TEST_NO_EXTENSION_CERT_SERIAL[] = "455d5c14bcd900e8a670d2bddf50f63d87f2e53a"; -constexpr char TEST_NO_EXTENSION_CERT_NOT_BEFORE[] = "Sep 7 05:43:18 2024 GMT"; -constexpr char TEST_NO_EXTENSION_CERT_NOT_AFTER[] = "Sep 7 05:43:18 2026 GMT"; + "ed644eb3210685dbf492adc8e1527e2aaf2283b250eccd5d89cda24524aaa39e"; +constexpr char TEST_NO_EXTENSION_CERT_1_HASH[] = "97d501aba5923cdedbcdfda76be0d5f21fc92881"; +constexpr char TEST_NO_EXTENSION_CERT_SPKI[] = "vcaIfQKpeH1I2HoVx2IClqbELHuAJma3cCez596W9KY="; +constexpr char TEST_NO_EXTENSION_CERT_SERIAL[] = "6c507538c0a57108dfe4f62488eac3755ddebfd5"; +constexpr char TEST_NO_EXTENSION_CERT_NOT_BEFORE[] = "Sep 4 20:16:55 2025 GMT"; +constexpr char TEST_NO_EXTENSION_CERT_NOT_AFTER[] = "Sep 4 20:16:55 2027 GMT"; diff --git a/test/common/tls/test_data/no_extension_key.pem b/test/common/tls/test_data/no_extension_key.pem index 1657de4d8b61c..4c7bb9bed2220 100644 --- a/test/common/tls/test_data/no_extension_key.pem +++ b/test/common/tls/test_data/no_extension_key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDpDcgNmR0dVWDP -mmpxuJoNlILfPTL7Z5CHuUMzbhhPYI83+9kRIDE7QAYPP4cqSaQLqQoc+Svb4OV4 -fTRmmhyaeXbUAxIrJE6qB0XdtAzlSr8UpJsYmB0kHlIryXd3PLSghh3g75poufc8 -swomDiIE+tZzo8ngZHKiOVsqGsHBnbs+83k452nvM0XbGLXRjLCIWrUyGOM6x6WY -NJEs0skP5F0HQn0Q8aQBkMWqYDCu44nafsaxUji2PTj9wo+yGmUREDSXqqWm+9aP -ihq+XHNDWIdpe7Gb07QsmGaEK/+J/VtRbCnyBZTxbYHXyIbV4xkkKd6e2j6i7/Cq -s4DPK8stAgMBAAECggEACqCDVY68kOHxMkOX5HvMNzUlMEGgZu3enY3BW8xCpVtM -FJEHoXwJZVVX9rnec5DG6fWJPZp6w+yR/NKgFn34XW6PUFTGhJCZL1rPC7Bs4RzC -21Gz38/POQkn6pFl1kT+oI4/uQomopgORyaL3oHeTmyouukGU3+JFE7PZ9CvXUvP -cwfGs6xEfDw27BhHmwznVgzTYm0kH1LcQjfJ1wLiO4D6BB3MqMAHpepTF/b3r/Lu -JkwtF+M8x/Gk9uGdoh5EMNrYxNw1HQgTsIFWHdKjrFhOj6BuRsmpLMVUndRcajME -BoMpy6Cal1lsxQtUVjNPEUi3EoqPAfmUYlMrGSEcMQKBgQD6TxGNG66VdZ5yxO4i -jTfwEIx8WzFVi/nYQx1MJiotjP8Xg12MllTQePSfmKIBZDBAl84i5b081x2dH3tb -mTWRWsna9DaQRWeXAJ82exx53G59Pw2NeqZje5aKfYItn2zigqYLPfoJu/PzApF9 -1Sp3zPe9uOVq7n+8O7xZvCIgsQKBgQDuWkeHUgeGHQwIuLQpxZjtwnvPx4hiNEUh -2s76fKJ2K+DvyToEEgPLzqDfrbmPZISa5nknMtCHAp2//N4dJADKkGpKNys+JNku -ii6xBZ00pa+waOTzhJaioLsKCQyywDPHRDetUPY3U4qjQl8AIk97sL9odK7T/M19 -phQillJRPQKBgQDnYkwRKvO6CZ5M7apMmkqJSmLzWcFDGT/+IBxnFiiLLvloHPFP -UnBYvlczaP7pVloce7f8Hm9OXHRtmHqJ9BjGoyxRkMsXlnDp75M945QxOgmREcZP -cH97GvXQU7EQx3z57lfbsJEAipQ5obgon/LAB+NDqDW7IXlG4dl9AiJyIQKBgDms -mrZBwRRQnwLVPrME3zZY4wCp9XRd1YSVn5O46M7TW0BqXqFxgn2kaAT30njCB9w7 -fIFhqFei6Gz2UQCYH6DkRPPkWZBV9j9urFGlXB7LILH9D7llEdYUMm4BNpNiMqU6 -+oXzm0BT9K4Ad2Be7QCvCgHKiis9drO6phCgcxa5AoGAH00R39pxMG5R4yoOcYuL -kxOpyeOyILQXNlGKTT9eQ78wNK0dtbd/fQeTezqNDSpoY6DsZXn67sfc6gHXl8nv -RaG4fyXBraPWRWozgtLs1Fpn092eR9ufdNyd5IzEhzVDNV8Z20d7N24fcCwiEURl -jOciCXiAcdgLKRhYtDv0Drc= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCr42lU62lb1lij +MevEO6rSIhlKORHqBXUrZBvXvaJx8tWGZEzxgPXL/+dum0WyKAdzjxJIkLHHv2tA +qcpajcvRtBMONgt6W4DWfRLpVSkyjG7JDkynDc5jyPtO6Bnw3TwlmapkVnYIW4T6 +xSNAJBXz/VhD/fiXvO7X9q0JDlD57PMSQ2chVVBkF+Nhac62TwsKDW3HW1xWviUD +ErN4hs90IjI+M0Z7NEZK5qJrUPviTdq0LxhJEhTsDetPOlSqHdpzt83KP+CTKagQ +ZPB3CWNCSNn/z+CdFfvVvvIrwlzZBKSPWH+WRiKLBd/XqGN3eUEAhqsbDd0LqQL4 +Ed4cVkiHAgMBAAECggEAGrbV1IJf1guarAZir5VcZ5swFgaHn7jobG17HE0XNaF5 +iREGmlQiH2nuxJRyQQ2SluWqAEgosTQxTZP15Jv8DOPxQDirEQGupOc8bLI1HGuR +/kJwLFhrdruyPyG4gmRH6EoZHs4HOyZKJRVFdL8HAGwj7zFGFQMilcL7QpiMgkMN +kJX73IMsrbH8L7Dl3jf0RCRIBxvUuaxzq7E/NAwt5QpOioWu+/Gg1iWyBQbEVVdt +q6dQHctv6hcCXU1yxDG26sxkIPt+HfWa9C/2hrO/I6OCeqAW9ACNGT0WCCezPpUf ++CXal3WwHA8NqE3wtJ4pMK+eJdsgeruwJ0f2nTLweQKBgQDUSns3/fr1rJ3vvRLD +WQpZOSlch3H180RrxOKHb6yjoPlUczNSOv61rkXuekD6xDW69BzXXzjwlPxpusjK +4us/Vy4AKMQNwhDH/b0FSIv2RDWsqjUvwmv5VzVeYVlzXOYd5BC7fH2f3gkYLuUl +ckzPdqew9nFOaKJpccIuBoeT2QKBgQDPR19Ql1thSt6HCNXUiDa+6IPzm21k5Ju7 +xx53x8VzKVnP9gxeuhFG+bwoR8EWfbi9tsWwd40RwMU2uUGxv/Jy/C7yTdxPPiJq +bUpXHUqlnyqCxfNStpwO1xqq8gPJ8opPmBhbkvVsOZ6MSMY7oYv052+wYEWvupwP +faMfPDXjXwKBgCZ+yxFAMP3Tq2AJvRlHUCUVxHZO6U9cKZARR7KfgYK6cfvqV+gV +YpK3Y173NElEwyl/kqtLTRvzKEJT6I1B0L7PpDvLKKIGCtz5GgmXOioR/FmvE63x +Z3rzYW4X4QyWT/QjoxUcYftXW/bSqiK8M0l7jrT8O1eoiartQfTuoi8hAoGBAMxx +GRHkN70+mz2U+VMnBthFfeBI7R0WXoRXYTXDVHzBzFPR22GTJHdc2rjgDRKh7hUw +sMvdHsbj26CeGK25JOlE0wkqwqFmJ4vRQAGsYnP5CXTyyYxLkKESiLsS+am2D7Vx +zpSD3o1gR4EWRm+KZwCnRQIx8onhBQxCXyHvwTcBAoGBALzqNRq4r7Q8jMw0tmdw +mWWtuni+8Wf9BQTplDMEUfrrKcrh19QmldtJnKPd/fEZr6NP5jstnA8dtukTg1Dh +Zb62cpVubaZPaCjX8g2I0j42f8SbP7Th1IBeSuAMQr4CBIYN8U2LMTUGgDfUxi0d +E9q7vanEsRQMkqtiVUY5/SK7 -----END PRIVATE KEY----- From 0e8c5f02584cb486e3313c0927bb62eb663a7299 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 4 Sep 2025 20:08:36 -0400 Subject: [PATCH 357/505] ext_proc: increasing tracing integration test timeout to be 1s to avoid flaky (#40929) Fix https://github.com/envoyproxy/envoy/issues/36041 Signed-off-by: Yanjun Xiang --- .../filters/http/ext_proc/ext_proc_integration_test.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index a5605bf242998..41fa4f45661be 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -950,6 +950,7 @@ TEST_P(ExtProcIntegrationTest, GetAndCloseStream) { } TEST_P(ExtProcIntegrationTest, GetAndCloseStreamWithTracing) { + proto_config_.mutable_message_timeout()->set_seconds(1); // Turn on debug to troubleshoot possible flaky test. // TODO(cainelli): Remove this and the debug logs in the tracer test filter after a test failure // occurs. From 9be163f985a38ea868130fc9f8f4440c5e648787 Mon Sep 17 00:00:00 2001 From: Ian Kerins Date: Thu, 4 Sep 2025 20:19:42 -0400 Subject: [PATCH 358/505] dynamic_modules: add support for user-defined metrics (#40661) Commit Message: dynamic_modules: add support for user-defined metrics Additional Description: Similar to how it is done in wasm: - DynamicModuleHttpFilterConfig now holds a Stats::Scope. All metrics declared in this scope are placed in a custom stat namespace so as to not collide with envoy-defined metrics. Using Stats::CustomStatNamespaces, this namespace prefix is stripped from all stat names before they are emitted, e.g. to Prometheus format. - Add new ABI "method"s on envoy_dynamic_module_http_filter_envoy_config_ptr that allow metrics to be declared in the scope of the filter config. These methods return opaque pointers to Stats::{Counter,Gauge,Histogram} that allow said declared metrics to be manipulated. Right now, only the basics of each metric type are exposed in the ABI. For example, you can't read metric values, or reset metrics to 0, or... - Add corresponding wrappers to the Rust SDK. - Add tests, both against the C++ ABI implementation, and against the Rust SDK. Risk Level: Low, in that this is a new feature in the experimental dynamic modules system. Testing: Tests for both the C++ implementation in isolation, and in the rust "integration" tests. Docs Changes: There are not any docs covering specific dynamic modules features (yet?), so I've added nothing beyond doc comments. Release Notes: Platform Specific Features: N/A --------- Signed-off-by: Ian Kerins --- source/extensions/dynamic_modules/abi.h | 113 ++++++++++++++++- .../extensions/dynamic_modules/abi_version.h | 2 +- .../dynamic_modules/sdk/rust/src/lib.rs | 120 +++++++++++++++++- .../filters/http/dynamic_modules/abi_impl.cc | 77 +++++++++++ .../filters/http/dynamic_modules/factory.cc | 9 +- .../filters/http/dynamic_modules/filter.h | 2 + .../http/dynamic_modules/filter_config.cc | 25 ++-- .../http/dynamic_modules/filter_config.h | 70 ++++++++-- test/extensions/dynamic_modules/http/BUILD | 3 + .../dynamic_modules/http/abi_impl_test.cc | 52 ++++++++ .../dynamic_modules/http/factory_test.cc | 6 + .../dynamic_modules/http/filter_test.cc | 116 +++++++++++++++-- .../test_data/c/no_http_filter_new.c | 1 + .../dynamic_modules/test_data/rust/http.rs | 58 ++++++++- 14 files changed, 609 insertions(+), 45 deletions(-) diff --git a/source/extensions/dynamic_modules/abi.h b/source/extensions/dynamic_modules/abi.h index 65d48378c0396..68076fea64ace 100644 --- a/source/extensions/dynamic_modules/abi.h +++ b/source/extensions/dynamic_modules/abi.h @@ -74,7 +74,7 @@ typedef const char* envoy_dynamic_module_type_abi_version_envoy_ptr; * * OWNERSHIP: Envoy owns the pointer. */ -typedef const void* envoy_dynamic_module_type_http_filter_config_envoy_ptr; +typedef void* envoy_dynamic_module_type_http_filter_config_envoy_ptr; /** * envoy_dynamic_module_type_http_filter_config_module_ptr is a pointer to an in-module HTTP @@ -767,6 +767,117 @@ void envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level level */ bool envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_level level); +// ----------------------------- Metrics callbacks ----------------------------- + +/** + * envoy_dynamic_module_callback_http_filter_config_define_counter is called by the module during + * initialization to create a new Stats::Counter with the given name. + * + * @param filter_config_envoy_ptr is the pointer to the DynamicModuleHttpFilterConfig in which the + * counter will be defined. + * @param name is the name of the counter to be defined. + * @param name_length is the length of the name. + * @return an opaque ID that represents a unique metric. This can be passed to + * envoy_dynamic_module_callback_http_filter_increment_counter together with filter_envoy_ptr + * created from filter_config_envoy_ptr. + */ +size_t envoy_dynamic_module_callback_http_filter_config_define_counter( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length); + +/** + * envoy_dynamic_module_callback_http_filter_increment_counter is called by the module to increment + * a previously defined counter. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the counter previously defined using the config that created + * filter_envoy_ptr + * @param value is the value to increment the counter by. + */ +void envoy_dynamic_module_callback_http_filter_increment_counter( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); + +/** + * envoy_dynamic_module_callback_http_filter_config_define_gauge is called by the module during + * initialization to create a new Stats::Gauge with the given name. + * + * @param filter_config_envoy_ptr is the pointer to the DynamicModuleHttpFilterConfig in which the + * gauge will be defined. + * @param name is the name of the gauge to be defined. + * @param name_length is the length of the name. + * @return an opaque ID that represents a unique metric. This can be passed to + * envoy_dynamic_module_callback_http_filter_increment_gauge together with filter_envoy_ptr created + * from filter_config_envoy_ptr. + */ +size_t envoy_dynamic_module_callback_http_filter_config_define_gauge( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length); + +/** + * envoy_dynamic_module_callback_http_filter_increase_gauge is called by the module to increase the + * value of a previously defined gauge. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the gauge previously defined using the config that created + * filter_envoy_ptr + * @param value is the value to increase the gauge by. + */ +void envoy_dynamic_module_callback_http_filter_increase_gauge( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); + +/** + * envoy_dynamic_module_callback_http_filter_decrease_gauge is called by the module to decrease the + * value of a previously defined gauge. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the gauge previously defined using the config that created + * filter_envoy_ptr + * @param value is the value to decrease the gauge by. + */ +void envoy_dynamic_module_callback_http_filter_decrease_gauge( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); + +/** + * envoy_dynamic_module_callback_http_filter_set_gauge is called by the module to set the value + * of a previously defined gauge. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the gauge previously defined using the config that created + * filter_envoy_ptr + * @param value is the value to set the gauge to. + */ +void envoy_dynamic_module_callback_http_filter_set_gauge( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); + +/** + * envoy_dynamic_module_callback_http_filter_config_define_histogram is called by the module during + * initialization to create a new Stats::Histogram with the given name. + * + * @param filter_config_envoy_ptr is the pointer to the DynamicModuleHttpFilterConfig in which the + * histogram will be defined. + * @param name is the name of the histogram to be defined. + * @param name_length is the length of the name. + * @return an opaque ID that represents a unique metric. This can be passed to + * envoy_dynamic_module_callback_http_filter_increment_gauge together with filter_envoy_ptr created + * from filter_config_envoy_ptr. + */ +size_t envoy_dynamic_module_callback_http_filter_config_define_histogram( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length); + +/** + * envoy_dynamic_module_callback_http_filter_record_histogram_value is called by the module to + * record a value in a previously defined histogram. + * + * @param histogram_envoy_ptr is a pointer to a histogram previously defined using + * envoy_dynamic_module_callback_http_define_histogram. + * @param id is the ID of the histogram previously defined using the config that created + * filter_envoy_ptr + * @param value is the value to record in the histogram. + */ +void envoy_dynamic_module_callback_http_filter_record_histogram_value( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); + // ---------------------- HTTP Header/Trailer callbacks ------------------------ /** diff --git a/source/extensions/dynamic_modules/abi_version.h b/source/extensions/dynamic_modules/abi_version.h index 178e7299fb846..3a9a55b833b84 100644 --- a/source/extensions/dynamic_modules/abi_version.h +++ b/source/extensions/dynamic_modules/abi_version.h @@ -6,7 +6,7 @@ namespace DynamicModules { #endif // This is the ABI version calculated as a sha256 hash of the ABI header files. When the ABI // changes, this value must change, and the correctness of this value is checked by the test. -const char* kAbiVersion = "c07c1d909f0fa183d9c454377242978585ca4569d2e7e9aa27002ccebf34a00d"; +const char* kAbiVersion = "56b4589b9f99ce76622a82bf3972f007679c197ed5b21be1f6c723a2dd0c8237"; #ifdef __cplusplus } // namespace DynamicModules diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs index aa89fc6ad9205..7a46e96df123f 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs @@ -369,20 +369,78 @@ pub trait HttpFilter { /// An opaque object that represents the underlying Envoy Http filter config. This has one to one /// mapping with the Envoy Http filter config object as well as [`HttpFilterConfig`] object. pub trait EnvoyHttpFilterConfig { - // TODO: add methods like defining metrics, filter metadata, etc. + /// Define a new counter scoped to this filter config with the given name. + fn define_counter(&mut self, name: &str) -> EnvoyCounterId; + + /// Define a new gauge scoped to this filter config with the given name. + fn define_gauge(&mut self, name: &str) -> EnvoyGaugeId; + + /// Define a new histogram scoped to this filter config with the given name. + fn define_histogram(&mut self, name: &str) -> EnvoyHistogramId; } pub struct EnvoyHttpFilterConfigImpl { raw_ptr: abi::envoy_dynamic_module_type_http_filter_config_envoy_ptr, } -impl EnvoyHttpFilterConfig for EnvoyHttpFilterConfigImpl {} +impl EnvoyHttpFilterConfig for EnvoyHttpFilterConfigImpl { + fn define_counter(&mut self, name: &str) -> EnvoyCounterId { + let name_ptr = name.as_ptr(); + let name_size = name.len(); + let id = unsafe { + abi::envoy_dynamic_module_callback_http_filter_config_define_counter( + self.raw_ptr, + name_ptr as *const _ as *mut _, + name_size, + ) + }; + EnvoyCounterId(id) + } + + fn define_gauge(&mut self, name: &str) -> EnvoyGaugeId { + let name_ptr = name.as_ptr(); + let name_size = name.len(); + let id = unsafe { + abi::envoy_dynamic_module_callback_http_filter_config_define_gauge( + self.raw_ptr, + name_ptr as *const _ as *mut _, + name_size, + ) + }; + EnvoyGaugeId(id) + } + + fn define_histogram(&mut self, name: &str) -> EnvoyHistogramId { + let name_ptr = name.as_ptr(); + let name_size = name.len(); + let id = unsafe { + abi::envoy_dynamic_module_callback_http_filter_config_define_histogram( + self.raw_ptr, + name_ptr as *const _ as *mut _, + name_size, + ) + }; + EnvoyHistogramId(id) + } +} + +/// The identifier for an EnvoyCounter. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] +pub struct EnvoyCounterId(usize); + +/// The identifier for an EnvoyGauge. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] +pub struct EnvoyGaugeId(usize); + +/// The identifier for an EnvoyHistogram. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] +pub struct EnvoyHistogramId(usize); /// An opaque object that represents the underlying Envoy Http filter. This has one to one /// mapping with the Envoy Http filter object as well as [`HttpFilter`] object per HTTP stream. /// /// The Envoy filter object is inherently not thread-safe, and it is always recommended to -/// access it from the same thread as the one that [`HttpFilter`] even hooks are called. +/// access it from the same thread as the one that [`HttpFilter`] event hooks are called. #[automock] #[allow(clippy::needless_lifetimes)] // Explicit lifetime specifiers are needed for mockall. pub trait EnvoyHttpFilter { @@ -779,6 +837,21 @@ pub trait EnvoyHttpFilter { /// } /// ``` fn new_scheduler(&self) -> Box; + + /// Increment the counter with the given id. + fn increment_counter(&self, id: EnvoyCounterId, value: u64); + + /// Increase the gauge with the given id. + fn increase_gauge(&self, id: EnvoyGaugeId, value: u64); + + /// Decrease the gauge with the given id. + fn decrease_gauge(&self, id: EnvoyGaugeId, value: u64); + + /// Set the value of the gauge with the given id. + fn set_gauge(&self, id: EnvoyGaugeId, value: u64); + + /// Record a value in the histogram with the given id. + fn record_histogram_value(&self, id: EnvoyHistogramId, value: u64); } /// This implements the [`EnvoyHttpFilter`] trait with the given raw pointer to the Envoy HTTP @@ -1332,6 +1405,45 @@ impl EnvoyHttpFilter for EnvoyHttpFilterImpl { }) } } + + fn increment_counter(&self, id: EnvoyCounterId, value: u64) { + let EnvoyCounterId(id) = id; + unsafe { + abi::envoy_dynamic_module_callback_http_filter_increment_counter(self.raw_ptr, id, value); + } + } + + fn increase_gauge(&self, id: EnvoyGaugeId, value: u64) { + let EnvoyGaugeId(id) = id; + unsafe { + abi::envoy_dynamic_module_callback_http_filter_increase_gauge(self.raw_ptr, id, value); + } + } + + fn decrease_gauge(&self, id: EnvoyGaugeId, value: u64) { + let EnvoyGaugeId(id) = id; + unsafe { + abi::envoy_dynamic_module_callback_http_filter_decrease_gauge(self.raw_ptr, id, value); + } + } + + fn set_gauge(&self, id: EnvoyGaugeId, value: u64) { + let EnvoyGaugeId(id) = id; + unsafe { + abi::envoy_dynamic_module_callback_http_filter_set_gauge(self.raw_ptr, id, value); + } + } + + fn record_histogram_value(&self, id: EnvoyHistogramId, value: u64) { + let EnvoyHistogramId(id) = id; + unsafe { + abi::envoy_dynamic_module_callback_http_filter_record_histogram_value( + self.raw_ptr, + id, + value, + ); + } + } } impl EnvoyHttpFilterImpl { @@ -1468,7 +1580,7 @@ impl EnvoyHttpFilterImpl { /// This represents a thin thread-safe object that can be used to schedule a generic event to the /// Envoy HTTP filter on the work thread. /// -/// For eaxmple, this can be used to offload some blocking work from the HTTP filter processing +/// For example, this can be used to offload some blocking work from the HTTP filter processing /// thread to a module-managed thread, and then schedule an event to continue /// processing the request. /// diff --git a/source/extensions/filters/http/dynamic_modules/abi_impl.cc b/source/extensions/filters/http/dynamic_modules/abi_impl.cc index 9aaecb4db7871..a1ea31531b59a 100644 --- a/source/extensions/filters/http/dynamic_modules/abi_impl.cc +++ b/source/extensions/filters/http/dynamic_modules/abi_impl.cc @@ -71,6 +71,83 @@ bool getSslInfo( return true; } +size_t envoy_dynamic_module_callback_http_filter_config_define_counter( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length) { + auto filter_config = static_cast(filter_config_envoy_ptr); + ASSERT(!filter_config->stat_creation_frozen_); + absl::string_view name_view(name, name_length); + Stats::StatNameManagedStorage storage(name_view, filter_config->stats_scope_->symbolTable()); + Stats::StatName stat_name = storage.statName(); + Stats::Counter& c = Stats::Utility::counterFromStatNames( + *filter_config->stats_scope_, {filter_config->custom_stat_namespace_, stat_name}); + return filter_config->addCounter(c); +} + +void envoy_dynamic_module_callback_http_filter_increment_counter( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto& counter = filter->getFilterConfig().getCounterById(id); + return counter.add(value); +} + +size_t envoy_dynamic_module_callback_http_filter_config_define_gauge( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length) { + auto filter_config = static_cast(filter_config_envoy_ptr); + ASSERT(!filter_config->stat_creation_frozen_); + absl::string_view name_view(name, name_length); + Stats::StatNameManagedStorage storage(name_view, filter_config->stats_scope_->symbolTable()); + Stats::StatName stat_name = storage.statName(); + Stats::Gauge& g = Stats::Utility::gaugeFromStatNames( + *filter_config->stats_scope_, {filter_config->custom_stat_namespace_, stat_name}, + Stats::Gauge::ImportMode::Accumulate); + return filter_config->addGauge(g); +} + +void envoy_dynamic_module_callback_http_filter_increase_gauge( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto& gauge = filter->getFilterConfig().getGaugeById(id); + return gauge.add(value); +} + +void envoy_dynamic_module_callback_http_filter_decrease_gauge( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto& gauge = filter->getFilterConfig().getGaugeById(id); + return gauge.sub(value); +} + +void envoy_dynamic_module_callback_http_filter_set_gauge( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto& gauge = filter->getFilterConfig().getGaugeById(id); + return gauge.set(value); +} + +size_t envoy_dynamic_module_callback_http_filter_config_define_histogram( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length) { + auto filter_config = static_cast(filter_config_envoy_ptr); + ASSERT(!filter_config->stat_creation_frozen_); + absl::string_view name_view(name, name_length); + Stats::StatNameManagedStorage storage(name_view, filter_config->stats_scope_->symbolTable()); + Stats::StatName stat_name = storage.statName(); + Stats::Histogram& h = Stats::Utility::histogramFromStatNames( + *filter_config->stats_scope_, {filter_config->custom_stat_namespace_, stat_name}, + // TODO should we allow callers to specify this? + Stats::Histogram::Unit::Unspecified); + return filter_config->addHistogram(h); +} + +void envoy_dynamic_module_callback_http_filter_record_histogram_value( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto& hist = filter->getFilterConfig().getHistogramById(id); + hist.recordValue(value); +} + size_t envoy_dynamic_module_callback_http_get_request_header( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, envoy_dynamic_module_type_buffer_module_ptr key, size_t key_length, diff --git a/source/extensions/filters/http/dynamic_modules/factory.cc b/source/extensions/filters/http/dynamic_modules/factory.cc index e91f3c6170b74..c2cc1e85b652b 100644 --- a/source/extensions/filters/http/dynamic_modules/factory.cc +++ b/source/extensions/filters/http/dynamic_modules/factory.cc @@ -8,7 +8,7 @@ namespace Server { namespace Configuration { absl::StatusOr DynamicModuleConfigFactory::createFilterFactoryFromProtoTyped( - const FilterConfig& proto_config, const std::string&, DualInfo, + const FilterConfig& proto_config, const std::string&, DualInfo dual_info, Server::Configuration::ServerFactoryContext& context) { const auto& module_config = proto_config.dynamic_module_config(); @@ -29,12 +29,17 @@ absl::StatusOr DynamicModuleConfigFactory::createFilterFa Envoy::Extensions::DynamicModules::HttpFilters::DynamicModuleHttpFilterConfigSharedPtr> filter_config = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - proto_config.filter_name(), config, std::move(dynamic_module.value()), context); + proto_config.filter_name(), config, std::move(dynamic_module.value()), + dual_info.scope, context); if (!filter_config.ok()) { return absl::InvalidArgumentError("Failed to create filter config: " + std::string(filter_config.status().message())); } + + context.api().customStatNamespaces().registerStatNamespace( + Extensions::DynamicModules::HttpFilters::CustomStatNamespace); + return [config = filter_config.value()](Http::FilterChainFactoryCallbacks& callbacks) -> void { auto filter = std::make_shared( diff --git a/source/extensions/filters/http/dynamic_modules/filter.h b/source/extensions/filters/http/dynamic_modules/filter.h index a1ad0bc36902a..e2babeaa265e2 100644 --- a/source/extensions/filters/http/dynamic_modules/filter.h +++ b/source/extensions/filters/http/dynamic_modules/filter.h @@ -164,6 +164,8 @@ class DynamicModuleHttpFilter : public Http::StreamFilter, sendHttpCallout(uint32_t callout_id, absl::string_view cluster_name, Http::RequestMessagePtr&& message, uint64_t timeout_milliseconds); + const DynamicModuleHttpFilterConfig& getFilterConfig() const { return *config_; } + private: /** * This is a helper function to get the `this` pointer as a void pointer which is passed to the diff --git a/source/extensions/filters/http/dynamic_modules/filter_config.cc b/source/extensions/filters/http/dynamic_modules/filter_config.cc index 81a8c4d410ae2..fd4923f2434bb 100644 --- a/source/extensions/filters/http/dynamic_modules/filter_config.cc +++ b/source/extensions/filters/http/dynamic_modules/filter_config.cc @@ -7,9 +7,11 @@ namespace HttpFilters { DynamicModuleHttpFilterConfig::DynamicModuleHttpFilterConfig( const absl::string_view filter_name, const absl::string_view filter_config, - Extensions::DynamicModules::DynamicModulePtr dynamic_module, + Extensions::DynamicModules::DynamicModulePtr dynamic_module, Stats::Scope& stats_scope, Server::Configuration::ServerFactoryContext& context) - : cluster_manager_(context.clusterManager()), filter_name_(filter_name), + : cluster_manager_(context.clusterManager()), stats_scope_(stats_scope.createScope("")), + stat_name_pool_(stats_scope_->symbolTable()), + custom_stat_namespace_(stat_name_pool_.add(CustomStatNamespace)), filter_name_(filter_name), filter_config_(filter_config), dynamic_module_(std::move(dynamic_module)) {}; DynamicModuleHttpFilterConfig::~DynamicModuleHttpFilterConfig() { @@ -34,7 +36,7 @@ newDynamicModuleHttpPerRouteConfig(const absl::string_view per_route_config_name "envoy_dynamic_module_on_http_filter_per_route_config_new"); RETURN_IF_NOT_OK_REF(constructor.status()); - auto destroy = dynamic_module->getFunctionPointer( + auto destroy = dynamic_module->getFunctionPointer( "envoy_dynamic_module_on_http_filter_per_route_config_destroy"); RETURN_IF_NOT_OK_REF(destroy.status()); @@ -49,17 +51,16 @@ newDynamicModuleHttpPerRouteConfig(const absl::string_view per_route_config_name destroy.value()); } -absl::StatusOr -newDynamicModuleHttpFilterConfig(const absl::string_view filter_name, - const absl::string_view filter_config, - Extensions::DynamicModules::DynamicModulePtr dynamic_module, - Server::Configuration::ServerFactoryContext& context) { +absl::StatusOr newDynamicModuleHttpFilterConfig( + const absl::string_view filter_name, const absl::string_view filter_config, + Extensions::DynamicModules::DynamicModulePtr dynamic_module, Stats::Scope& stats_scope, + Server::Configuration::ServerFactoryContext& context) { auto constructor = dynamic_module->getFunctionPointer( "envoy_dynamic_module_on_http_filter_config_new"); RETURN_IF_NOT_OK_REF(constructor.status()); - auto on_config_destroy = dynamic_module->getFunctionPointer( + auto on_config_destroy = dynamic_module->getFunctionPointer( "envoy_dynamic_module_on_http_filter_config_destroy"); RETURN_IF_NOT_OK_REF(on_config_destroy.status()); @@ -108,8 +109,8 @@ newDynamicModuleHttpFilterConfig(const absl::string_view filter_name, "envoy_dynamic_module_on_http_filter_scheduled"); RETURN_IF_NOT_OK_REF(on_scheduled.status()); - auto config = std::make_shared(filter_name, filter_config, - std::move(dynamic_module), context); + auto config = std::make_shared( + filter_name, filter_config, std::move(dynamic_module), stats_scope, context); const void* filter_config_envoy_ptr = (*constructor.value())(static_cast(config.get()), filter_name.data(), @@ -118,6 +119,8 @@ newDynamicModuleHttpFilterConfig(const absl::string_view filter_name, return absl::InvalidArgumentError("Failed to initialize dynamic module"); } + config->stat_creation_frozen_ = true; + config->in_module_config_ = filter_config_envoy_ptr; config->on_http_filter_config_destroy_ = on_config_destroy.value(); config->on_http_filter_new_ = on_new_filter.value(); diff --git a/source/extensions/filters/http/dynamic_modules/filter_config.h b/source/extensions/filters/http/dynamic_modules/filter_config.h index 30101ea335966..cf1686d9ab61e 100644 --- a/source/extensions/filters/http/dynamic_modules/filter_config.h +++ b/source/extensions/filters/http/dynamic_modules/filter_config.h @@ -11,10 +11,14 @@ namespace Extensions { namespace DynamicModules { namespace HttpFilters { -using OnHttpConfigDestoryType = decltype(&envoy_dynamic_module_on_http_filter_config_destroy); +// The custom stat namespace which prepends all the user-defined metrics. +// Note that the prefix is removed from the final output of /stats endpoints. +constexpr absl::string_view CustomStatNamespace = "dynamicmodulescustom"; + +using OnHttpConfigDestroyType = decltype(&envoy_dynamic_module_on_http_filter_config_destroy); using OnHttpFilterNewType = decltype(&envoy_dynamic_module_on_http_filter_new); -using OnHttpPerRouteConfigDestoryType = +using OnHttpPerRouteConfigDestroyType = decltype(&envoy_dynamic_module_on_http_filter_per_route_config_destroy); using OnHttpFilterRequestHeadersType = decltype(&envoy_dynamic_module_on_http_filter_request_headers); @@ -49,7 +53,7 @@ class DynamicModuleHttpFilterConfig { */ DynamicModuleHttpFilterConfig(const absl::string_view filter_name, const absl::string_view filter_config, - DynamicModulePtr dynamic_module, + DynamicModulePtr dynamic_module, Stats::Scope& stats_scope, Server::Configuration::ServerFactoryContext& context); ~DynamicModuleHttpFilterConfig(); @@ -60,7 +64,7 @@ class DynamicModuleHttpFilterConfig { // The function pointers for the module related to the HTTP filter. All of them are resolved // during the construction of the config and made sure they are not nullptr after that. - OnHttpConfigDestoryType on_http_filter_config_destroy_ = nullptr; + OnHttpConfigDestroyType on_http_filter_config_destroy_ = nullptr; OnHttpFilterNewType on_http_filter_new_ = nullptr; OnHttpFilterRequestHeadersType on_http_filter_request_headers_ = nullptr; OnHttpFilterRequestBodyType on_http_filter_request_body_ = nullptr; @@ -74,6 +78,46 @@ class DynamicModuleHttpFilterConfig { OnHttpFilterScheduled on_http_filter_scheduled_ = nullptr; Envoy::Upstream::ClusterManager& cluster_manager_; + const Stats::ScopeSharedPtr stats_scope_; + Stats::StatNamePool stat_name_pool_; + const Stats::StatName custom_stat_namespace_; + // We only allow the module to create stats during envoy_dynamic_module_on_http_filter_config_new, + // and not later during request handling, so that we don't have to wrap the stat storage in a + // lock. + bool stat_creation_frozen_ = false; + + size_t addCounter(Stats::Counter& counter) { + size_t id = counters_.size(); + counters_.push_back(counter); + return id; + } + + Stats::Counter& getCounterById(size_t id) const { + ASSERT(id < counters_.size()); + return counters_[id]; + } + + size_t addGauge(Stats::Gauge& gauge) { + size_t id = gauges_.size(); + gauges_.push_back(gauge); + return id; + } + + Stats::Gauge& getGaugeById(size_t id) const { + ASSERT(id < gauges_.size()); + return gauges_[id]; + } + + size_t addHistogram(Stats::Histogram& hist) { + size_t id = hists_.size(); + hists_.push_back(hist); + return id; + } + + Stats::Histogram& getHistogramById(size_t id) const { + ASSERT(id < hists_.size()); + return hists_[id]; + } private: // The name of the filter passed in the constructor. @@ -82,6 +126,11 @@ class DynamicModuleHttpFilterConfig { // The configuration for the module. const std::string filter_config_; + // The cached references to stats and their metadata. + std::vector> counters_; + std::vector> gauges_; + std::vector> hists_; + // The handle for the module. Extensions::DynamicModules::DynamicModulePtr dynamic_module_; }; @@ -90,14 +139,14 @@ class DynamicModuleHttpPerRouteFilterConfig : public Router::RouteSpecificFilter public: DynamicModuleHttpPerRouteFilterConfig( envoy_dynamic_module_type_http_filter_config_module_ptr config, - OnHttpPerRouteConfigDestoryType destroy) + OnHttpPerRouteConfigDestroyType destroy) : config_(config), destroy_(destroy) {} ~DynamicModuleHttpPerRouteFilterConfig() override; envoy_dynamic_module_type_http_filter_config_module_ptr config_; private: - OnHttpPerRouteConfigDestoryType destroy_; + OnHttpPerRouteConfigDestroyType destroy_; }; using DynamicModuleHttpFilterConfigSharedPtr = std::shared_ptr; @@ -117,11 +166,10 @@ newDynamicModuleHttpPerRouteConfig(const absl::string_view per_route_config_name * @param context the server factory context. * @return a shared pointer to the new config object or an error if the module could not be loaded. */ -absl::StatusOr -newDynamicModuleHttpFilterConfig(const absl::string_view filter_name, - const absl::string_view filter_config, - Extensions::DynamicModules::DynamicModulePtr dynamic_module, - Server::Configuration::ServerFactoryContext& context); +absl::StatusOr newDynamicModuleHttpFilterConfig( + const absl::string_view filter_name, const absl::string_view filter_config, + Extensions::DynamicModules::DynamicModulePtr dynamic_module, Stats::Scope& stats_scope, + Server::Configuration::ServerFactoryContext& context); } // namespace HttpFilters } // namespace DynamicModules diff --git a/test/extensions/dynamic_modules/http/BUILD b/test/extensions/dynamic_modules/http/BUILD index 9ede15afb784b..06f288dc26bf8 100644 --- a/test/extensions/dynamic_modules/http/BUILD +++ b/test/extensions/dynamic_modules/http/BUILD @@ -55,6 +55,7 @@ envoy_cc_test( "//test/extensions/dynamic_modules:util", "//test/mocks/http:http_mocks", "//test/mocks/server:server_factory_context_mocks", + "//test/mocks/stats:stats_mocks", "//test/mocks/upstream:cluster_manager_mocks", "//test/mocks/upstream:thread_local_cluster_mocks", ], @@ -67,8 +68,10 @@ envoy_cc_test( rbe_pool = "6gig", deps = [ "//source/extensions/filters/http/dynamic_modules:abi_impl", + "//test/common/stats:stat_test_utility_lib", "//test/mocks/http:http_mocks", "//test/mocks/network:network_mocks", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", ], ) diff --git a/test/extensions/dynamic_modules/http/abi_impl_test.cc b/test/extensions/dynamic_modules/http/abi_impl_test.cc index b0b5c999d6668..2b15bf61b5e31 100644 --- a/test/extensions/dynamic_modules/http/abi_impl_test.cc +++ b/test/extensions/dynamic_modules/http/abi_impl_test.cc @@ -1,7 +1,9 @@ #include "source/extensions/filters/http/dynamic_modules/filter.h" +#include "test/common/stats/stat_test_utility.h" #include "test/mocks/http/mocks.h" #include "test/mocks/network/mocks.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/ssl/mocks.h" #include "test/mocks/stream_info/mocks.h" #include "test/test_common/utility.h" @@ -1085,6 +1087,56 @@ TEST(ABIImpl, Log) { envoy_dynamic_module_callback_log(envoy_dynamic_module_type_log_level_Off, ptr, len); } +TEST(ABIImpl, Stats) { + Stats::TestUtil::TestStore stats_store; + Stats::TestUtil::TestScope stats_scope{"", stats_store}; + NiceMock context; + auto filter_config = std::make_shared( + "some_name", "some_config", nullptr, stats_scope, context); + DynamicModuleHttpFilter filter{filter_config}; + + const std::string counter_name{"some_counter"}; + size_t counter_id = envoy_dynamic_module_callback_http_filter_config_define_counter( + filter_config.get(), const_cast(counter_name.data()), counter_name.size()); + Stats::CounterOptConstRef counter = + stats_store.findCounterByString("dynamicmodulescustom.some_counter"); + EXPECT_TRUE(counter.has_value()); + EXPECT_EQ(counter->get().value(), 0); + envoy_dynamic_module_callback_http_filter_increment_counter(&filter, counter_id, 10); + EXPECT_EQ(counter->get().value(), 10); + envoy_dynamic_module_callback_http_filter_increment_counter(&filter, counter_id, 42); + EXPECT_EQ(counter->get().value(), 52); + + const std::string gauge_name{"some_gauge"}; + size_t gauge_id = envoy_dynamic_module_callback_http_filter_config_define_gauge( + filter_config.get(), const_cast(gauge_name.data()), gauge_name.size()); + Stats::GaugeOptConstRef gauge = stats_store.findGaugeByString("dynamicmodulescustom.some_gauge"); + EXPECT_TRUE(gauge.has_value()); + EXPECT_EQ(gauge->get().value(), 0); + envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, gauge_id, 10); + EXPECT_EQ(gauge->get().value(), 10); + envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, gauge_id, 42); + EXPECT_EQ(gauge->get().value(), 52); + envoy_dynamic_module_callback_http_filter_decrease_gauge(&filter, gauge_id, 50); + EXPECT_EQ(gauge->get().value(), 2); + envoy_dynamic_module_callback_http_filter_set_gauge(&filter, gauge_id, 9001); + EXPECT_EQ(gauge->get().value(), 9001); + + const std::string histogram_name{"some_histogram"}; + size_t histogram_id = envoy_dynamic_module_callback_http_filter_config_define_histogram( + filter_config.get(), const_cast(histogram_name.data()), histogram_name.size()); + Stats::HistogramOptConstRef histogram = + stats_store.findHistogramByString("dynamicmodulescustom.some_histogram"); + EXPECT_TRUE(histogram.has_value()); + EXPECT_FALSE(stats_store.histogramRecordedValues("dynamicmodulescustom.some_histogram")); + envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, histogram_id, 10); + EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.some_histogram", false), + (std::vector{10})); + envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, histogram_id, 42); + EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.some_histogram", false), + (std::vector{10, 42})); +} + } // namespace HttpFilters } // namespace DynamicModules } // namespace Extensions diff --git a/test/extensions/dynamic_modules/http/factory_test.cc b/test/extensions/dynamic_modules/http/factory_test.cc index 9cee6638ea49f..46bd4be287e63 100644 --- a/test/extensions/dynamic_modules/http/factory_test.cc +++ b/test/extensions/dynamic_modules/http/factory_test.cc @@ -37,6 +37,8 @@ filter_name: foo TestUtility::loadFromYamlAndValidate(yaml, proto_config); NiceMock context; + Api::ApiPtr api = Api::createApiForTest(); + EXPECT_CALL(context.server_factory_context_, api()).WillRepeatedly(testing::ReturnRef(*api)); Envoy::Server::Configuration::DynamicModuleConfigFactory factory; auto result = factory.createFilterFactoryFromProto(proto_config, "", context); @@ -66,6 +68,8 @@ filter_name: foo TestUtility::loadFromYamlAndValidate(yaml, proto_config); NiceMock context; + Api::ApiPtr api = Api::createApiForTest(); + EXPECT_CALL(context.server_factory_context_, api()).WillRepeatedly(testing::ReturnRef(*api)); Envoy::Server::Configuration::DynamicModuleConfigFactory factory; auto result = factory.createFilterFactoryFromProto(proto_config, "", context); @@ -98,6 +102,8 @@ filter_name: foo TestUtility::loadFromYamlAndValidate(yaml, proto_config); NiceMock context; + Api::ApiPtr api = Api::createApiForTest(); + EXPECT_CALL(context.server_factory_context_, api()).WillRepeatedly(testing::ReturnRef(*api)); Envoy::Server::Configuration::DynamicModuleConfigFactory factory; auto result = factory.createFilterFactoryFromProto(proto_config, "", context); diff --git a/test/extensions/dynamic_modules/http/filter_test.cc b/test/extensions/dynamic_modules/http/filter_test.cc index 63b86a3892b4f..6e49cc01a3234 100644 --- a/test/extensions/dynamic_modules/http/filter_test.cc +++ b/test/extensions/dynamic_modules/http/filter_test.cc @@ -5,6 +5,7 @@ #include "test/extensions/dynamic_modules/util.h" #include "test/mocks/http/mocks.h" #include "test/mocks/server/server_factory_context.h" +#include "test/mocks/stats/mocks.h" #include "test/mocks/upstream/cluster_manager.h" #include "test/mocks/upstream/thread_local_cluster.h" #include "test/test_common/utility.h" @@ -26,9 +27,11 @@ TEST_P(DynamicModuleTestLanguages, Nop) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); auto filter = std::make_shared(filter_config_or_status.value()); @@ -64,13 +67,84 @@ TEST(DynamicModulesTest, ConfigInitializationFailure) { auto dynamic_module = newDynamicModule(testSharedObjectPath("http", "rust"), false); EXPECT_TRUE(dynamic_module.ok()) << dynamic_module.status().message(); NiceMock context; - auto filter_config_or_status = newDynamicModuleHttpFilterConfig( - "config_init_failure", "", std::move(dynamic_module.value()), context); + Stats::IsolatedStoreImpl stats_store; + auto filter_config_or_status = + newDynamicModuleHttpFilterConfig("config_init_failure", "", std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_FALSE(filter_config_or_status.ok()); EXPECT_THAT(filter_config_or_status.status().message(), testing::HasSubstr("Failed to initialize dynamic module")); } +TEST(DynamicModulesTest, StatsCallbacks) { + const std::string filter_name = "stats_callbacks"; + const std::string filter_config = ""; + // TODO: Add non-Rust test program once we have non-Rust SDK. + auto dynamic_module = newDynamicModule(testSharedObjectPath("http", "rust"), false); + if (!dynamic_module.ok()) { + ENVOY_LOG_MISC(debug, "Failed to load dynamic module: {}", dynamic_module.status().message()); + } + EXPECT_TRUE(dynamic_module.ok()); + + NiceMock context; + Stats::TestUtil::TestStore stats_store; + Stats::TestUtil::TestScope stats_scope{"", stats_store}; + auto filter_config_or_status = + Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( + filter_name, filter_config, std::move(dynamic_module.value()), stats_scope, context); + EXPECT_TRUE(filter_config_or_status.ok()); + + auto filter = std::make_shared(filter_config_or_status.value()); + filter->initializeInModuleFilter(); + + Stats::CounterOptConstRef counter = + stats_store.findCounterByString("dynamicmodulescustom.streams_total"); + EXPECT_TRUE(counter.has_value()); + EXPECT_EQ(counter->get().value(), 1); + Stats::GaugeOptConstRef gauge = + stats_store.findGaugeByString("dynamicmodulescustom.concurrent_streams"); + EXPECT_TRUE(gauge.has_value()); + EXPECT_EQ(gauge->get().value(), 1); + Stats::GaugeOptConstRef magicNumberGauge = + stats_store.findGaugeByString("dynamicmodulescustom.magic_number"); + EXPECT_TRUE(gauge.has_value()); + EXPECT_EQ(magicNumberGauge->get().value(), 42); + Stats::HistogramOptConstRef histogram = + stats_store.findHistogramByString("dynamicmodulescustom.ones"); + EXPECT_TRUE(histogram.has_value()); + EXPECT_FALSE(stats_store.histogramRecordedValues("dynamicmodulescustom.ones")); + + Http::MockStreamDecoderFilterCallbacks decoder_callbacks; + StreamInfo::MockStreamInfo stream_info; + EXPECT_CALL(decoder_callbacks, streamInfo()).WillRepeatedly(testing::ReturnRef(stream_info)); + Http::MockDownstreamStreamFilterCallbacks downstream_callbacks; + filter->setDecoderFilterCallbacks(decoder_callbacks); + Http::MockStreamEncoderFilterCallbacks encoder_callbacks; + filter->setEncoderFilterCallbacks(encoder_callbacks); + + std::initializer_list> headers = {}; + Http::TestRequestHeaderMapImpl request_headers{headers}; + Http::TestRequestTrailerMapImpl request_trailers{headers}; + Http::TestResponseHeaderMapImpl response_headers{headers}; + Http::TestResponseTrailerMapImpl response_trailers{headers}; + EXPECT_EQ(FilterHeadersStatus::Continue, filter->decodeHeaders(request_headers, false)); + EXPECT_EQ(FilterTrailersStatus::Continue, filter->decodeTrailers(request_trailers)); + EXPECT_EQ(FilterHeadersStatus::Continue, filter->encodeHeaders(response_headers, false)); + EXPECT_EQ(FilterTrailersStatus::Continue, filter->encodeTrailers(response_trailers)); + EXPECT_EQ(counter->get().value(), 1); + EXPECT_EQ(gauge->get().value(), 1); + EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.ones", false), + (std::vector{1})); + + filter->onStreamComplete(); + EXPECT_EQ(counter->get().value(), 1); + EXPECT_EQ(gauge->get().value(), 0); + EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.ones", false), + (std::vector{1})); + + filter->onDestroy(); +} + TEST(DynamicModulesTest, HeaderCallbacks) { const std::string filter_name = "header_callbacks"; const std::string filter_config = ""; @@ -82,9 +156,11 @@ TEST(DynamicModulesTest, HeaderCallbacks) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); auto filter = std::make_shared(filter_config_or_status.value()); @@ -141,9 +217,11 @@ TEST(DynamicModulesTest, DynamicMetadataCallbacks) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); auto filter = std::make_shared(filter_config_or_status.value()); @@ -221,9 +299,11 @@ TEST(DynamicModulesTest, FilterStateCallbacks) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); auto filter = std::make_shared(filter_config_or_status.value()); @@ -295,9 +375,11 @@ TEST(DynamicModulesTest, BodyCallbacks) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); auto filter = std::make_shared(filter_config_or_status.value()); @@ -360,6 +442,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_non_existing_cluster) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -371,7 +454,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_non_existing_cluster) { .WillOnce(testing::Return(nullptr)); auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); Http::MockStreamDecoderFilterCallbacks callbacks; @@ -396,6 +480,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_immediate_failing_cluster) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -405,7 +490,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_immediate_failing_cluster) { const std::string filter_config = "immediate_failing_cluster"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); std::shared_ptr cluster = @@ -446,6 +532,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_success) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -455,7 +542,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_success) { const std::string filter_config = "success_cluster"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); std::shared_ptr cluster = @@ -512,6 +600,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_resetting) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -521,7 +610,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_resetting) { const std::string filter_config = "resetting_cluster"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); std::shared_ptr cluster = @@ -562,6 +652,7 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { EXPECT_TRUE(dynamic_module.ok()); NiceMock context; + Stats::IsolatedStoreImpl stats_store; Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -571,7 +662,8 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { const std::string filter_config = "listener config"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), context); + filter_name, filter_config, std::move(dynamic_module.value()), + *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); auto dynamic_module_for_route = diff --git a/test/extensions/dynamic_modules/test_data/c/no_http_filter_new.c b/test/extensions/dynamic_modules/test_data/c/no_http_filter_new.c index 7a0cea56a2a03..c1d1490565b34 100644 --- a/test/extensions/dynamic_modules/test_data/c/no_http_filter_new.c +++ b/test/extensions/dynamic_modules/test_data/c/no_http_filter_new.c @@ -16,3 +16,4 @@ envoy_dynamic_module_on_http_filter_config_new( void envoy_dynamic_module_on_http_filter_config_destroy( envoy_dynamic_module_type_http_filter_config_module_ptr filter_config_ptr) {} + diff --git a/test/extensions/dynamic_modules/test_data/rust/http.rs b/test/extensions/dynamic_modules/test_data/rust/http.rs index 9d456da4a23a5..9ab325f3383a2 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http.rs @@ -14,11 +14,17 @@ fn init() -> bool { /// This implements the [`envoy_proxy_dynamic_modules_rust_sdk::NewHttpFilterConfigFunction`] /// signature. fn new_http_filter_config_fn( - _envoy_filter_config: &mut EC, + envoy_filter_config: &mut EC, name: &str, _config: &[u8], ) -> Option>> { match name { + "stats_callbacks" => Some(Box::new(StatsCallbacksFilterConfig { + streams_total: envoy_filter_config.define_counter("streams_total"), + concurrent_streams: envoy_filter_config.define_gauge("concurrent_streams"), + ones: envoy_filter_config.define_histogram("ones"), + magic_number: envoy_filter_config.define_gauge("magic_number"), + })), "header_callbacks" => Some(Box::new(HeaderCallbacksFilterConfig {})), "send_response" => Some(Box::new(SendResponseFilterConfig {})), "dynamic_metadata_callbacks" => Some(Box::new(DynamicMetadataCallbacksFilterConfig {})), @@ -29,6 +35,52 @@ fn new_http_filter_config_fn( } } +/// An HTTP filter configuration that implements +/// [`envoy_proxy_dynamic_modules_rust_sdk::HttpFilterConfig`] to test the stats +/// related callbacks. +struct StatsCallbacksFilterConfig { + streams_total: EnvoyCounterId, + concurrent_streams: EnvoyGaugeId, + magic_number: EnvoyGaugeId, + // It's full of 1s. + ones: EnvoyHistogramId, +} + +impl HttpFilterConfig for StatsCallbacksFilterConfig { + fn new_http_filter(&mut self, envoy_filter: &mut EHF) -> Box> { + envoy_filter.increment_counter(self.streams_total, 1); + envoy_filter.increase_gauge(self.concurrent_streams, 1); + envoy_filter.set_gauge(self.magic_number, 42); + // Copy the stats handles onto the filter so that we can observe stats while + // handling requests. + Box::new(StatsCallbacksFilter { + concurrent_streams: self.concurrent_streams, + ones: self.ones, + }) + } +} + +/// An HTTP filter that implements [`envoy_proxy_dynamic_modules_rust_sdk::HttpFilter`]. +struct StatsCallbacksFilter { + concurrent_streams: EnvoyGaugeId, + ones: EnvoyHistogramId, +} + +impl HttpFilter for StatsCallbacksFilter { + fn on_request_headers( + &mut self, + envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> abi::envoy_dynamic_module_type_on_http_filter_request_headers_status { + envoy_filter.record_histogram_value(self.ones, 1); + abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::Continue + } + + fn on_stream_complete(&mut self, envoy_filter: &mut EHF) { + envoy_filter.decrease_gauge(self.concurrent_streams, 1); + } +} + /// A HTTP filter configuration that implements /// [`envoy_proxy_dynamic_modules_rust_sdk::HttpFilterConfig`] to test the header/trailer /// related callbacks. @@ -87,9 +139,9 @@ impl HttpFilter for HeaderCallbacksFilter { assert_eq!(all_headers[3].0.as_slice(), b"new"); assert_eq!(all_headers[3].1.as_slice(), b"value"); - let downstrean_port = + let downstream_port = envoy_filter.get_attribute_int(abi::envoy_dynamic_module_type_attribute_id::SourcePort); - assert_eq!(downstrean_port, Some(1234)); + assert_eq!(downstream_port, Some(1234)); let downstream_addr = envoy_filter.get_attribute_string(abi::envoy_dynamic_module_type_attribute_id::SourceAddress); assert!(downstream_addr.is_some()); From b8583e6f9494d65be3f8793b4d5fa6bea672a0de Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 4 Sep 2025 18:24:16 -0700 Subject: [PATCH 359/505] chore: add docs for SNI DFP and some tests for testing stats emission (#40966) ## Description There are stats docs that are missing for the SNI DFP today. We have these on [HTTP DFP](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/dynamic_forward_proxy_filter#statistics). This PR add the missing docs and some tests to validate that cache stats are indeed being recorded for SNI DFP as well. --- Commit Message: chore: add docs for SNI DFP and some tests for testing stats emission Additional Description: Risk Level: Low Testing: Added Unit Tests Docs Changes: Added Release Notes: N/A Signed-off-by: Rohit Agrawal --- .../dynamic_forward_proxy_filter.rst | 4 +- .../sni_dynamic_forward_proxy_filter.rst | 30 ++ .../proxy_filter_integration_test.cc | 268 ++++++++++++++++++ 3 files changed, 300 insertions(+), 2 deletions(-) diff --git a/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst b/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst index cd61aaf6885b1..34090f4d0069e 100644 --- a/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst @@ -155,5 +155,5 @@ namespace. :header: Name, Type, Description :widths: 1, 1, 2 - rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1) - rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens + rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1). + rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens. diff --git a/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst b/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst index 4d64134b3c8ea..b81a83733aab3 100644 --- a/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst @@ -39,3 +39,33 @@ by setting a per-connection state object under the key ``envoy.upstream.dynamic_ objects are set, they take precedence over the SNI value and default port. In case that the overridden port is out of the valid port range, the overriding value will be ignored and the default port configured will be used. See the implementation for the details. + +Statistics +---------- + +The SNI dynamic forward proxy DNS cache outputs statistics in the ``dns_cache..`` +namespace. + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + dns_query_attempt, Counter, Number of DNS query attempts. + dns_query_success, Counter, Number of DNS query successes. + dns_query_failure, Counter, Number of DNS query failures. + dns_query_timeout, Counter, Number of DNS query :ref:`timeouts `. + host_address_changed, Counter, Number of DNS queries that resulted in a host address change. + host_added, Counter, Number of hosts that have been added to the cache. + host_removed, Counter, Number of hosts that have been removed from the cache. + num_hosts, Gauge, Number of hosts that are currently in the cache. + dns_rq_pending_overflow, Counter, Number of DNS pending request overflow. + +The dynamic forward proxy DNS cache circuit breakers output statistics in the ``dns_cache..circuit_breakers`` +namespace. + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1). + rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens. diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc index 295df517c842a..eb594cf62f29a 100644 --- a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -154,5 +154,273 @@ TEST_P(SniDynamicProxyFilterIntegrationTest, CircuitBreakerInvokedUpstreamTls) { EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_rq_pending_overflow")->value()); } +// Test that verifies DNS cache statistics are properly recorded for successful resolution. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheStatisticsSuccess) { + setup(); + fake_upstreams_[0]->setReadDisableOnNewConnection(false); + + // Initial state where we have no DNS queries yet. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_success")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); + + // First connection. It should trigger DNS resolution. + codec_client_ = makeHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + + // Verify DNS resolution statistics. + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_success")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); + + // Send a request to complete the flow. + const Http::TestRequestHeaderMapImpl request_headers{ + {":method", "POST"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", + fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; + + auto response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + checkSimpleRequestSuccess(0, 0, response.get()); + + // Close the connection. + codec_client_->close(); + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + + // Second connection to the same host. It should use cached entry. + codec_client_ = makeHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + + // Verify no new DNS query was made. + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_success")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); +} + +// Test that verifies DNS query failure statistics with invalid hostname. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheQueryFailureStatistics) { + setup(); + + // Initial state. It should have no DNS queries yet. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_failure")->value()); + + // Attempt connection with invalid hostname that will fail DNS resolution. + codec_client_ = + makeRawHttpConnection(makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni( + "invalid.doesnotexist.example.com")), + absl::nullopt); + ASSERT_FALSE(codec_client_->connected()); + + // Verify DNS failure statistics. + test_server_->waitForCounterGe("dns_cache.foo.dns_query_attempt", 1); + test_server_->waitForCounterGe("dns_cache.foo.dns_query_failure", 1); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_failure")->value()); +} + +// Test that verifies DNS query timeout statistics. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheQueryTimeoutStatistics) { + // Configure with very short DNS timeout to trigger timeout scenario. + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Switch predefined cluster_0 to CDS filesystem sourcing. + bootstrap.mutable_dynamic_resources()->mutable_cds_config()->set_resource_api_version( + envoy::config::core::v3::ApiVersion::V3); + bootstrap.mutable_dynamic_resources() + ->mutable_cds_config() + ->mutable_path_config_source() + ->set_path(cds_helper_.cdsPath()); + bootstrap.mutable_static_resources()->clear_clusters(); + + const std::string filter = fmt::format( + R"EOF( +name: envoy.filters.network.sni_dynamic_forward_proxy +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig + dns_cache_config: + name: foo + dns_lookup_family: {} + max_hosts: 1024 + dns_query_timeout: 0.001s + dns_cache_circuit_breaker: + max_pending_requests: 1024 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig + port_value: {} +)EOF", + Network::Test::ipVersionToDnsFamily(GetParam()), + fake_upstreams_[0]->localAddress()->ip()->port()); + config_helper_.addNetworkFilter(filter); + }); + + // Setup cluster with matching DNS config. + cluster_.mutable_connect_timeout()->CopyFrom( + Protobuf::util::TimeUtil::MillisecondsToDuration(100)); + cluster_.set_name("cluster_0"); + cluster_.set_lb_policy(envoy::config::cluster::v3::Cluster::CLUSTER_PROVIDED); + + const std::string cluster_type_config = fmt::format( + R"EOF( +name: envoy.clusters.dynamic_forward_proxy +typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig + dns_cache_config: + name: foo + dns_lookup_family: {} + max_hosts: 1024 + dns_query_timeout: 0.001s + dns_cache_circuit_breaker: + max_pending_requests: 1024 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig +)EOF", + Network::Test::ipVersionToDnsFamily(GetParam())); + + TestUtility::loadFromYaml(cluster_type_config, *cluster_.mutable_cluster_type()); + + config_helper_.addListenerFilter(ConfigHelper::tlsInspectorFilter()); + cds_helper_.setCds({cluster_}); + HttpIntegrationTest::initialize(); + test_server_->waitForCounterEq("cluster_manager.cluster_added", 1); + test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); + + // Initial state. It should have no timeouts yet. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_timeout")->value()); + + // Attempt connection with hostname that should trigger DNS timeout. + codec_client_ = makeRawHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("slowresolve.example.com")), + absl::nullopt); + ASSERT_FALSE(codec_client_->connected()); + + // Verify DNS timeout statistics. + test_server_->waitForCounterGe("dns_cache.foo.dns_query_attempt", 1); + // Note: timeout detection can be flaky in test environment, so we check attempts were made. + EXPECT_GE(test_server_->counter("dns_cache.foo.dns_query_attempt")->value(), 1); +} + +// Test that verifies host removal statistics due to TTL expiration. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheHostRemovedStatistics) { + // Configure with very short host TTL to trigger removal scenario. + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Switch predefined cluster_0 to CDS filesystem sourcing. + bootstrap.mutable_dynamic_resources()->mutable_cds_config()->set_resource_api_version( + envoy::config::core::v3::ApiVersion::V3); + bootstrap.mutable_dynamic_resources() + ->mutable_cds_config() + ->mutable_path_config_source() + ->set_path(cds_helper_.cdsPath()); + bootstrap.mutable_static_resources()->clear_clusters(); + + const std::string filter = fmt::format( + R"EOF( +name: envoy.filters.network.sni_dynamic_forward_proxy +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig + dns_cache_config: + name: foo + dns_lookup_family: {} + max_hosts: 1024 + host_ttl: 2s + dns_cache_circuit_breaker: + max_pending_requests: 1024 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig + port_value: {} +)EOF", + Network::Test::ipVersionToDnsFamily(GetParam()), + fake_upstreams_[0]->localAddress()->ip()->port()); + config_helper_.addNetworkFilter(filter); + }); + + // Setup cluster with matching DNS config. + cluster_.mutable_connect_timeout()->CopyFrom( + Protobuf::util::TimeUtil::MillisecondsToDuration(100)); + cluster_.set_name("cluster_0"); + cluster_.set_lb_policy(envoy::config::cluster::v3::Cluster::CLUSTER_PROVIDED); + + const std::string cluster_type_config = fmt::format( + R"EOF( +name: envoy.clusters.dynamic_forward_proxy +typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig + dns_cache_config: + name: foo + dns_lookup_family: {} + max_hosts: 1024 + host_ttl: 2s + dns_cache_circuit_breaker: + max_pending_requests: 1024 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig +)EOF", + Network::Test::ipVersionToDnsFamily(GetParam())); + + TestUtility::loadFromYaml(cluster_type_config, *cluster_.mutable_cluster_type()); + + config_helper_.addListenerFilter(ConfigHelper::tlsInspectorFilter()); + cds_helper_.setCds({cluster_}); + HttpIntegrationTest::initialize(); + test_server_->waitForCounterEq("cluster_manager.cluster_added", 1); + test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); + + fake_upstreams_[0]->setReadDisableOnNewConnection(false); + + // Initial state. It should have no hosts in cache. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_removed")->value()); + EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); + + // First connection. It should add host to cache. + codec_client_ = makeHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + + // Verify host was added. + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); + + const Http::TestRequestHeaderMapImpl request_headers{ + {":method", "POST"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", + fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; + + auto response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + checkSimpleRequestSuccess(0, 0, response.get()); + + codec_client_->close(); + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + + // Wait for host TTL to expire and host to be removed. + simTime().advanceTimeWait(std::chrono::milliseconds(3000)); // Wait 3 seconds (TTL is 2 seconds) + test_server_->waitForCounterGe("dns_cache.foo.host_removed", 1); + + // Verify host removal statistics. + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_removed")->value()); + EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); +} + } // namespace } // namespace Envoy From f86b0918d97478db28c509c730dfc615fd68a994 Mon Sep 17 00:00:00 2001 From: code Date: Fri, 5 Sep 2025 09:54:01 +0800 Subject: [PATCH 360/505] ratelimits: to support apply on stream done at filter config (#40986) Commit Message: ratelimits: to support apply on stream done at filter config Additional Description: At #40118, we added the `rate_limits` in the filter config of rate limit filter. But the apply on stream done is disabled. This PR removed related restrictions and make the `rate_limits` at the filter config has similar ability with the one in the route level filter config. **Change log is not added because this should could be treat as supplement to the #40118 and could reuse its change log.** Risk Level: low. Testing: unit. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. Signed-off-by: WangBaiping --- .../http/ratelimit/v3/rate_limit.proto | 2 - .../filters/http/ratelimit/ratelimit.cc | 4 +- .../filters/http/ratelimit/ratelimit.h | 12 ++-- .../filters/http/ratelimit/ratelimit_test.cc | 59 +++++++++++++++++++ 4 files changed, 69 insertions(+), 8 deletions(-) diff --git a/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto b/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto index 495bc84f838a1..5c5a9f3e0b57e 100644 --- a/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto +++ b/api/envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto @@ -185,8 +185,6 @@ message RateLimit { // 2. :ref:`dynamic metadata `. // 3. :ref:`disable_key `. // 4. :ref:`override limit `. - // 5. :ref:`hits_addend `. - // 6. :ref:`apply_on_stream_done `. repeated config.route.v3.RateLimit rate_limits = 17; } diff --git a/source/extensions/filters/http/ratelimit/ratelimit.cc b/source/extensions/filters/http/ratelimit/ratelimit.cc index 997fba719bc71..23c9ba9202f41 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.cc +++ b/source/extensions/filters/http/ratelimit/ratelimit.cc @@ -97,8 +97,8 @@ void Filter::populateRateLimitDescriptors(std::vectorhasRateLimitConfigs()) { - config_.get()->populateDescriptors(headers, callbacks_->streamInfo(), descriptors); + if (config_->hasRateLimitConfigs()) { + config_->populateDescriptors(headers, callbacks_->streamInfo(), descriptors, on_stream_done); return; } diff --git a/source/extensions/filters/http/ratelimit/ratelimit.h b/source/extensions/filters/http/ratelimit/ratelimit.h index ec35b7aa83da6..59dc7478b728d 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.h +++ b/source/extensions/filters/http/ratelimit/ratelimit.h @@ -37,6 +37,8 @@ enum class FilterRequestType { Internal, External, Both }; */ enum class VhRateLimitOptions { Override, Include, Ignore }; +using RateLimitConfig = Extensions::Filters::Common::RateLimit::RateLimitConfig; + /** * Global configuration for the HTTP rate limit filter. */ @@ -116,9 +118,11 @@ class FilterConfig { } void populateDescriptors(const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& info, - Filters::Common::RateLimit::RateLimitDescriptors& descriptors) const { + Filters::Common::RateLimit::RateLimitDescriptors& descriptors, + bool on_stream_done) const { ASSERT(rate_limit_config_ != nullptr); - rate_limit_config_->populateDescriptors(headers, info, local_info_.clusterName(), descriptors); + rate_limit_config_->populateDescriptors(headers, info, local_info_.clusterName(), descriptors, + on_stream_done); } private: @@ -167,7 +171,7 @@ class FilterConfig { const absl::optional filter_enabled_; const absl::optional filter_enforced_; const absl::optional failure_mode_deny_percent_; - std::unique_ptr rate_limit_config_; + std::unique_ptr rate_limit_config_; }; using FilterConfigSharedPtr = std::shared_ptr; @@ -210,7 +214,7 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig { const envoy::extensions::filters::http::ratelimit::v3::RateLimitPerRoute::VhRateLimitsOptions vh_rate_limits_; const std::string domain_; - std::unique_ptr rate_limit_config_; + std::unique_ptr rate_limit_config_; }; using FilterConfigPerRouteSharedPtr = std::shared_ptr; diff --git a/test/extensions/filters/http/ratelimit/ratelimit_test.cc b/test/extensions/filters/http/ratelimit/ratelimit_test.cc index b84a335092bf6..419de7935a95e 100644 --- a/test/extensions/filters/http/ratelimit/ratelimit_test.cc +++ b/test/extensions/filters/http/ratelimit/ratelimit_test.cc @@ -184,6 +184,10 @@ class HttpRateLimitFilterTest : public testing::Test { - request_headers: header_name: "x-header-name" descriptor_key: "header-name" + - actions: + - generic_key: + descriptor_value: "generic-key" + apply_on_stream_done: true )EOF"; Filters::Common::RateLimit::MockClient* client_; @@ -2219,6 +2223,61 @@ TEST_F(HttpRateLimitFilterTest, PerRouteOverridesInlinedRateLimit) { EXPECT_EQ("request_rate_limited", filter_callbacks_.details()); } +TEST_F(HttpRateLimitFilterTest, InlinedRateLimitActionOnStreamDone) { + setUpTest(inlined_rate_limit_actions_config_); + request_headers_.addCopy("x-header-name", "header-value"); + + EXPECT_CALL(*client_, limit(_, _, _, _, _, 0)) + .WillOnce(Invoke( + [this](Filters::Common::RateLimit::RequestCallbacks& callbacks, const std::string& domain, + const std::vector& descriptors, Tracing::Span&, + OptRef, uint32_t) -> void { + request_callbacks_ = &callbacks; + EXPECT_EQ("bar", domain); + EXPECT_EQ(1, descriptors.size()); + EXPECT_EQ("header-name", descriptors[0].entries_[0].key_); + EXPECT_EQ("header-value", descriptors[0].entries_[0].value_); + })); + + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); + + EXPECT_CALL(filter_callbacks_, continueDecoding()); + + request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OK, nullptr, + std::make_unique(), nullptr, "", + nullptr); + + EXPECT_CALL(*client_, limit(_, _, _, _, _, 0)) + .WillOnce(Invoke( + [this](Filters::Common::RateLimit::RequestCallbacks& callbacks, const std::string& domain, + const std::vector& descriptors, Tracing::Span&, + OptRef, uint32_t) -> void { + request_callbacks_ = &callbacks; + EXPECT_EQ("bar", domain); + EXPECT_EQ(1, descriptors.size()); + EXPECT_EQ("generic_key", descriptors[0].entries_[0].key_); + EXPECT_EQ("generic-key", descriptors[0].entries_[0].value_); + })); + filter_->onDestroy(); + + request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OK, nullptr, + std::make_unique(), nullptr, "", + nullptr); + + EXPECT_EQ(0U, filter_callbacks_.clusterInfo() + ->statsScope() + .counterFromStatName(ratelimit_over_limit_) + .value()); + + EXPECT_EQ( + 0U, + filter_callbacks_.clusterInfo()->statsScope().counterFromStatName(upstream_rq_4xx_).value()); + EXPECT_EQ( + 0U, + filter_callbacks_.clusterInfo()->statsScope().counterFromStatName(upstream_rq_429_).value()); +} + } // namespace } // namespace RateLimitFilter } // namespace HttpFilters From efa7b430abb408207577a4c65c4ff79e89c43663 Mon Sep 17 00:00:00 2001 From: Cliff Chen Date: Fri, 5 Sep 2025 09:56:33 +0800 Subject: [PATCH 361/505] Ext/Filter/http/Tap: Record the upstream connection information in the HTTP buffer trace output (#40875) Signed-off-by: fchen7 --- api/envoy/data/tap/v3/http.proto | 3 + .../extensions/filters/http/tap/v3/tap.proto | 3 + changelogs/current.yaml | 4 ++ .../extensions/filters/http/tap/tap_config.h | 6 +- .../filters/http/tap/tap_config_impl.cc | 30 ++++++-- .../filters/http/tap/tap_config_impl.h | 15 ++-- .../extensions/filters/http/tap/tap_filter.h | 4 +- test/extensions/filters/http/tap/BUILD | 1 + test/extensions/filters/http/tap/common.h | 9 ++- .../filters/http/tap/tap_config_impl_test.cc | 28 ++++++-- .../http/tap/tap_filter_integration_test.cc | 70 +++++++++++++++++++ .../filters/http/tap/tap_filter_test.cc | 4 +- 12 files changed, 148 insertions(+), 29 deletions(-) diff --git a/api/envoy/data/tap/v3/http.proto b/api/envoy/data/tap/v3/http.proto index 2e5c566e59ed5..42ba44c1d0bab 100644 --- a/api/envoy/data/tap/v3/http.proto +++ b/api/envoy/data/tap/v3/http.proto @@ -49,6 +49,9 @@ message HttpBufferedTrace { // downstream connection Connection downstream_connection = 3; + + // upstream connection + Connection upstream_connection = 4; } // A streamed HTTP trace segment. Multiple segments make up a full trace. diff --git a/api/envoy/extensions/filters/http/tap/v3/tap.proto b/api/envoy/extensions/filters/http/tap/v3/tap.proto index 0ed35de97095b..0c12c3f60d247 100644 --- a/api/envoy/extensions/filters/http/tap/v3/tap.proto +++ b/api/envoy/extensions/filters/http/tap/v3/tap.proto @@ -34,4 +34,7 @@ message Tap { // Indicates whether report downstream connection info bool record_downstream_connection = 3; + + // If enabled, upstream connection information will be reported. + bool record_upstream_connection = 4; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index d4aa4fdc553b8..379f75d9a6585 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -218,6 +218,10 @@ new_features: support evictable metrics. This is done :ref:`periodically ` during the metric flush. +- area: tap + change: | + Add :ref:`record_upstream_connection ` + to determine whether upstream connection information is recorded in the HTTP buffer trace output. - area: quic change: | Added new option to support :ref:`base64 encoded server ID diff --git a/source/extensions/filters/http/tap/tap_config.h b/source/extensions/filters/http/tap/tap_config.h index d318686b608e8..04219d76110d5 100644 --- a/source/extensions/filters/http/tap/tap_config.h +++ b/source/extensions/filters/http/tap/tap_config.h @@ -66,12 +66,12 @@ class HttpTapConfig : public virtual Extensions::Common::Tap::TapConfig { public: /** * @return a new per-request HTTP tapper which is used to handle tapping of a discrete request. - * @param tap_config provides http tap config - * @param stream_id supplies the owning HTTP stream ID. + * @param tap_config provides http tap config. + * @param decoder_callbacks supplies all needed information for HTTP tap. */ virtual HttpPerRequestTapperPtr createPerRequestTapper(const envoy::extensions::filters::http::tap::v3::Tap& tap_config, - uint64_t stream_id, OptRef connection) PURE; + Http::StreamDecoderFilterCallbacks& decoder_callbacks) PURE; /** * @return time source to use for timestamp diff --git a/source/extensions/filters/http/tap/tap_config_impl.cc b/source/extensions/filters/http/tap/tap_config_impl.cc index d26d5ebe1485f..249cee77515e2 100644 --- a/source/extensions/filters/http/tap/tap_config_impl.cc +++ b/source/extensions/filters/http/tap/tap_config_impl.cc @@ -36,10 +36,10 @@ HttpTapConfigImpl::HttpTapConfigImpl(const envoy::config::tap::v3::TapConfig& pr time_source_(context.serverFactoryContext().mainThreadDispatcher().timeSource()) {} HttpPerRequestTapperPtr HttpTapConfigImpl::createPerRequestTapper( - const envoy::extensions::filters::http::tap::v3::Tap& tap_config, uint64_t stream_id, - OptRef connection) { - return std::make_unique(shared_from_this(), tap_config, stream_id, - connection); + const envoy::extensions::filters::http::tap::v3::Tap& tap_config, + Http::StreamDecoderFilterCallbacks& decoder_callbacks) { + return std::make_unique(shared_from_this(), tap_config, + decoder_callbacks); } void HttpPerRequestTapperImpl::streamRequestHeaders() { @@ -163,6 +163,24 @@ void HttpPerRequestTapperImpl::onResponseTrailers(const Http::ResponseTrailerMap } } +void HttpPerRequestTapperImpl::setUpstreamConnection( + envoy::data::tap::v3::Connection& up_stream_conn) { + envoy::config::core::v3::Address local_address; + envoy::config::core::v3::Address remote_address; + auto& stream_info = decoder_callbacks_.streamInfo(); + if (stream_info.upstreamInfo() && stream_info.upstreamInfo()->upstreamLocalAddress()) { + Envoy::Network::Utility::addressToProtobufAddress( + *stream_info.upstreamInfo()->upstreamLocalAddress(), local_address); + up_stream_conn.mutable_local_address()->MergeFrom(local_address); + } + + if (stream_info.upstreamInfo() && stream_info.upstreamInfo()->upstreamRemoteAddress()) { + Envoy::Network::Utility::addressToProtobufAddress( + *stream_info.upstreamInfo()->upstreamRemoteAddress(), remote_address); + up_stream_conn.mutable_remote_address()->MergeFrom(remote_address); + } +} + bool HttpPerRequestTapperImpl::onDestroyLog() { if (config_->streaming() || !config_->rootMatcher().matchStatus(statuses_).matches_) { return config_->rootMatcher().matchStatus(statuses_).matches_; @@ -207,6 +225,10 @@ bool HttpPerRequestTapperImpl::onDestroyLog() { downstream_remote_address); } + if (should_record_upstream_connection_) { + setUpstreamConnection(*http_trace.mutable_upstream_connection()); + } + ENVOY_LOG(debug, "submitting buffered trace sink"); // move is safe as onDestroyLog is the last method called. sink_handle_->submitTrace(std::move(buffered_full_trace_)); diff --git a/source/extensions/filters/http/tap/tap_config_impl.h b/source/extensions/filters/http/tap/tap_config_impl.h index 042b6bbe91de9..e02f0da17b048 100644 --- a/source/extensions/filters/http/tap/tap_config_impl.h +++ b/source/extensions/filters/http/tap/tap_config_impl.h @@ -26,7 +26,7 @@ class HttpTapConfigImpl : public Extensions::Common::Tap::TapConfigBaseImpl, // TapFilter::HttpTapConfig HttpPerRequestTapperPtr createPerRequestTapper(const envoy::extensions::filters::http::tap::v3::Tap& tap_config, - uint64_t stream_id, OptRef connection) override; + Http::StreamDecoderFilterCallbacks& decoder_callbacks) override; TimeSource& timeSource() const override { return time_source_; } @@ -38,12 +38,14 @@ class HttpPerRequestTapperImpl : public HttpPerRequestTapper, Logger::Loggable connection) - : config_(std::move(config)), + Http::StreamDecoderFilterCallbacks& callbacks) + : config_(std::move(config)), decoder_callbacks_(callbacks), should_record_headers_received_time_(tap_config.record_headers_received_time()), should_record_downstream_connection_(tap_config.record_downstream_connection()), - stream_id_(stream_id), sink_handle_(config_->createPerTapSinkHandleManager(stream_id)), - statuses_(config_->createMatchStatusVector()), connection_(connection) { + should_record_upstream_connection_(tap_config.record_upstream_connection()), + stream_id_(callbacks.streamId()), + sink_handle_(config_->createPerTapSinkHandleManager(callbacks.streamId())), + statuses_(config_->createMatchStatusVector()), connection_(callbacks.connection()) { config_->rootMatcher().onNewStream(statuses_); } @@ -91,10 +93,13 @@ class HttpPerRequestTapperImpl : public HttpPerRequestTapper, Logger::LoggabletimeSource().systemTime().time_since_epoch()) .count(); } + void setUpstreamConnection(envoy::data::tap::v3::Connection& up_stream_conn); HttpTapConfigSharedPtr config_; + Http::StreamDecoderFilterCallbacks& decoder_callbacks_; const bool should_record_headers_received_time_; const bool should_record_downstream_connection_; + const bool should_record_upstream_connection_; const uint64_t stream_id_; Extensions::Common::Tap::PerTapSinkHandleManagerPtr sink_handle_; Extensions::Common::Tap::Matcher::MatchStatusVector statuses_; diff --git a/source/extensions/filters/http/tap/tap_filter.h b/source/extensions/filters/http/tap/tap_filter.h index b779e6f8426b8..232e5f5c35856 100644 --- a/source/extensions/filters/http/tap/tap_filter.h +++ b/source/extensions/filters/http/tap/tap_filter.h @@ -100,9 +100,7 @@ class Filter : public Http::StreamFilter, public AccessLog::Instance { void setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callbacks) override { HttpTapConfigSharedPtr config = config_->currentConfig(); if (config != nullptr) { - auto streamId = callbacks.streamId(); - auto connection = callbacks.connection(); - tapper_ = config->createPerRequestTapper(config_->getTapConfig(), streamId, connection); + tapper_ = config->createPerRequestTapper(config_->getTapConfig(), callbacks); } else { tapper_ = nullptr; } diff --git a/test/extensions/filters/http/tap/BUILD b/test/extensions/filters/http/tap/BUILD index e692767264af1..ba500cd660673 100644 --- a/test/extensions/filters/http/tap/BUILD +++ b/test/extensions/filters/http/tap/BUILD @@ -47,6 +47,7 @@ envoy_extension_cc_test( "//source/extensions/filters/http/tap:tap_config_impl", "//test/extensions/common/tap:common", "//test/mocks:common_lib", + "//test/mocks/http:http_mocks", "//test/mocks/network:network_mocks", "//test/test_common:simulated_time_system_lib", "//test/test_common:utility_lib", diff --git a/test/extensions/filters/http/tap/common.h b/test/extensions/filters/http/tap/common.h index dc8876c148137..70f10c0b35c2e 100644 --- a/test/extensions/filters/http/tap/common.h +++ b/test/extensions/filters/http/tap/common.h @@ -13,9 +13,8 @@ class MockHttpTapConfig : public HttpTapConfig { public: HttpPerRequestTapperPtr createPerRequestTapper(const envoy::extensions::filters::http::tap::v3::Tap& tap_config, - uint64_t stream_id, - OptRef connection) override { - return HttpPerRequestTapperPtr{createPerRequestTapper_(tap_config, stream_id, connection)}; + Http::StreamDecoderFilterCallbacks& decoder_callbacks) override { + return HttpPerRequestTapperPtr{createPerRequestTapper_(tap_config, decoder_callbacks)}; } Extensions::Common::Tap::PerTapSinkHandleManagerPtr @@ -25,8 +24,8 @@ class MockHttpTapConfig : public HttpTapConfig { } MOCK_METHOD(HttpPerRequestTapper*, createPerRequestTapper_, - (const envoy::extensions::filters::http::tap::v3::Tap& tap_config, uint64_t stream_id, - OptRef)); + (const envoy::extensions::filters::http::tap::v3::Tap& tap_config, + Http::StreamDecoderFilterCallbacks& decoder_callbacks)); MOCK_METHOD(Extensions::Common::Tap::PerTapSinkHandleManager*, createPerTapSinkHandleManager_, (uint64_t trace_id)); MOCK_METHOD(uint32_t, maxBufferedRxBytes, (), (const)); diff --git a/test/extensions/filters/http/tap/tap_config_impl_test.cc b/test/extensions/filters/http/tap/tap_config_impl_test.cc index f413af5ca371b..63d0be2921496 100644 --- a/test/extensions/filters/http/tap/tap_config_impl_test.cc +++ b/test/extensions/filters/http/tap/tap_config_impl_test.cc @@ -6,6 +6,7 @@ #include "test/extensions/common/tap/common.h" #include "test/extensions/filters/http/tap/common.h" #include "test/mocks/common.h" +#include "test/mocks/http/mocks.h" #include "test/mocks/network/mocks.h" #include "test/test_common/simulated_time_system.h" #include "test/test_common/utility.h" @@ -28,6 +29,7 @@ namespace TapCommon = Extensions::Common::Tap; class HttpPerRequestTapperImplTest : public testing::Test { public: HttpPerRequestTapperImplTest() { + EXPECT_CALL(callbacks_, streamId()).WillRepeatedly(Return(1)); EXPECT_CALL(*config_, createPerTapSinkHandleManager_(1)).WillOnce(Return(sink_manager_)); EXPECT_CALL(*config_, createMatchStatusVector()) .WillOnce(Return(ByMove(TapCommon::Matcher::MatchStatusVector(1)))); @@ -35,8 +37,7 @@ class HttpPerRequestTapperImplTest : public testing::Test { EXPECT_CALL(*config_, timeSource()).WillRepeatedly(ReturnRef(time_system_)); time_system_.setSystemTime(std::chrono::seconds(0)); EXPECT_CALL(matcher_, onNewStream(_)).WillOnce(SaveArgAddress(&statuses_)); - tapper_ = std::make_unique(config_, tap_config_, 1, - OptRef{}); + tapper_ = std::make_unique(config_, tap_config_, callbacks_); } std::shared_ptr config_{std::make_shared()}; @@ -52,6 +53,7 @@ class HttpPerRequestTapperImplTest : public testing::Test { const Http::TestRequestTrailerMapImpl request_trailers_{{"c", "d"}}; const Http::TestResponseHeaderMapImpl response_headers_{{"e", "f"}}; const Http::TestResponseTrailerMapImpl response_trailers_{{"g", "h"}}; + NiceMock callbacks_; Event::SimulatedTimeSystem time_system_; }; @@ -324,23 +326,27 @@ TEST_F(HttpPerRequestTapperImplTest, StreamedMatchResponseTrailers) { class HttpPerRequestTapperImplForSpecificConfigTest : public testing::Test { public: HttpPerRequestTapperImplForSpecificConfigTest() { + EXPECT_CALL(callbacks_, streamId()).WillRepeatedly(Return(1)); EXPECT_CALL(*config_, createPerTapSinkHandleManager_(1)).WillOnce(Return(sink_manager_)); EXPECT_CALL(*config_, createMatchStatusVector()) .WillOnce(Return(ByMove(TapCommon::Matcher::MatchStatusVector(1)))); EXPECT_CALL(*config_, rootMatcher()).WillRepeatedly(ReturnRef(matcher_)); EXPECT_CALL(*config_, timeSource()).WillRepeatedly(ReturnRef(time_system_)); - time_system_.setSystemTime(std::chrono::seconds(0)); + time_system_.setSystemTime(std::chrono::seconds(9)); EXPECT_CALL(matcher_, onNewStream(_)).WillOnce(SaveArgAddress(&statuses_)); tap_config_.set_record_headers_received_time(true); tap_config_.set_record_downstream_connection(true); + tap_config_.set_record_upstream_connection(true); connection_.stream_info_.downstream_connection_info_provider_->setLocalAddress( std::make_shared("127.0.0.1", 1234)); connection_.stream_info_.downstream_connection_info_provider_->setRemoteAddress( std::make_shared("127.0.0.1", 4321)); - tapper_ = std::make_unique(config_, tap_config_, 1, connection_); + EXPECT_CALL(callbacks_, connection()) + .WillRepeatedly(Return(OptRef(connection_))); + tapper_ = std::make_unique(config_, tap_config_, callbacks_); Network::ConnectionInfoProviderSharedPtr local_connection_info_provider = std::make_shared( @@ -363,6 +369,7 @@ class HttpPerRequestTapperImplForSpecificConfigTest : public testing::Test { const Http::TestResponseTrailerMapImpl response_trailers_{{"g", "h"}}; Event::SimulatedTimeSystem time_system_; NiceMock connection_; + NiceMock callbacks_; }; // Buffered tap with a match and with record_headers_received_time is true. @@ -399,7 +406,7 @@ TEST_F(HttpPerRequestTapperImplForSpecificConfigTest, BufferedFlowTapWithSpecifi trailers: - key: c value: d - headers_received_time: 1970-01-01T00:00:00Z + headers_received_time: 1970-01-01T00:00:09Z response: headers: - key: e @@ -409,7 +416,7 @@ TEST_F(HttpPerRequestTapperImplForSpecificConfigTest, BufferedFlowTapWithSpecifi trailers: - key: g value: h - headers_received_time: 1970-01-01T00:00:00Z + headers_received_time: 1970-01-01T00:00:09Z downstream_connection: local_address: socket_address: @@ -419,6 +426,15 @@ TEST_F(HttpPerRequestTapperImplForSpecificConfigTest, BufferedFlowTapWithSpecifi socket_address: address: 127.0.0.1 port_value: 4321 + upstream_connection: + local_address: + socket_address: + address: 127.1.2.3 + port_value: 58443 + remote_address: + socket_address: + address: 10.0.0.1 + port_value: 443 )EOF"))); EXPECT_TRUE(tapper_->onDestroyLog()); } diff --git a/test/extensions/filters/http/tap/tap_filter_integration_test.cc b/test/extensions/filters/http/tap/tap_filter_integration_test.cc index 4dbb77b196892..d809ba2a05d62 100644 --- a/test/extensions/filters/http/tap/tap_filter_integration_test.cc +++ b/test/extensions/filters/http/tap/tap_filter_integration_test.cc @@ -1206,6 +1206,76 @@ name: tap EXPECT_EQ(1UL, test_server_->counter("http.config_test.tap.rq_tapped")->value()); } +// Verify option record_upstream_connection +// when a request header is matched in a static configuration. +TEST_P(TapIntegrationTest, StaticFilePerHttpBufferTraceTapUpstreamConnection) { + constexpr absl::string_view filter_config = + R"EOF( +name: tap +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.tap.v3.Tap + common_config: + static_config: + match: + http_request_headers_match: + headers: + - name: foo + string_match: + exact: bar + output_config: + sinks: + - format: PROTO_BINARY_LENGTH_DELIMITED + file_per_tap: + path_prefix: {} + record_upstream_connection: true +)EOF"; + + const std::string path_prefix = getTempPathPrefix(); + initializeFilter(fmt::format(filter_config, path_prefix)); + + // Initial request/response with tap. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + makeRequest(request_headers_tap_, {"hello"}, &request_trailers_, response_headers_no_tap_, + {"world"}, &response_trailers_); + codec_client_->close(); + test_server_->waitForCounterGe("http.config_test.downstream_cx_destroy", 1); + + std::vector traces = + Extensions::Common::Tap::readTracesFromPath(path_prefix); + ASSERT_EQ(1, traces.size()); + EXPECT_TRUE(traces[0].has_http_buffered_trace()); + EXPECT_TRUE(traces[0].http_buffered_trace().has_upstream_connection()); + using ::testing::AnyOf; + using ::testing::StrEq; + std::string upstream_local_address = traces[0] + .http_buffered_trace() + .upstream_connection() + .local_address() + .socket_address() + .address(); + EXPECT_THAT(upstream_local_address, AnyOf(StrEq("127.0.0.1"), StrEq("::1"))); + EXPECT_TRUE(traces[0] + .http_buffered_trace() + .upstream_connection() + .local_address() + .socket_address() + .has_port_value()); + std::string upstream_remote_address = traces[0] + .http_buffered_trace() + .upstream_connection() + .remote_address() + .socket_address() + .address(); + EXPECT_THAT(upstream_remote_address, AnyOf(StrEq("127.0.0.1"), StrEq("::1"))); + EXPECT_TRUE(traces[0] + .http_buffered_trace() + .upstream_connection() + .remote_address() + .socket_address() + .has_port_value()); + EXPECT_EQ(1UL, test_server_->counter("http.config_test.tap.rq_tapped")->value()); +} + // Verify that body matching works. TEST_P(TapIntegrationTest, AdminBodyMatching) { initializeFilter(admin_filter_config_); diff --git a/test/extensions/filters/http/tap/tap_filter_test.cc b/test/extensions/filters/http/tap/tap_filter_test.cc index 893d26281de7d..0d14b6f59852f 100644 --- a/test/extensions/filters/http/tap/tap_filter_test.cc +++ b/test/extensions/filters/http/tap/tap_filter_test.cc @@ -54,10 +54,8 @@ class TapFilterTest : public testing::Test { filter_ = std::make_unique(filter_config_); if (has_config) { - EXPECT_CALL(callbacks_, streamId()); - EXPECT_CALL(callbacks_, connection()); http_per_request_tapper_ = new MockHttpPerRequestTapper(); - EXPECT_CALL(*http_tap_config_, createPerRequestTapper_(_, _, _)) + EXPECT_CALL(*http_tap_config_, createPerRequestTapper_(_, _)) .WillOnce(Return(http_per_request_tapper_)); } From 831ba5bb95f94faf256bbd81822b6f2007c5d603 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20R=2E=20Sede=C3=B1o?= Date: Thu, 4 Sep 2025 22:14:44 -0400 Subject: [PATCH 362/505] Update QUICHE from 1c35d6308 to 4f1f0fcea (#40959) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/google/quiche/compare/1c35d6308..4f1f0fcea ``` $ git log 1c35d6308..4f1f0fcea --date=short --no-merges --format="%ad %al %s" 2025-08-30 davidben Const-correct some pointers in `quic_test_client.cc` 2025-08-29 danzh Support various migrations upon detecting path degrading: Perform early migration to a different network if allowed. Otherwise migrate to a different port if allowed. Otherwise do nothing. 2025-08-29 rch Add a new HttpValidationPolicy option: sanitize_firstline_spaces Which will allow, reject, or sanitize HTTP/1 firstlines which contain multiple spaces. 2025-08-28 martinduke Rename QUIC MESSAGE_FRAME to DATAGRAM_FRAME. 2025-08-28 martinduke Close Connection when outgoing ACK frame is empty. 2025-08-28 quiche-dev Have tracing hooks be owned by GetAuthTokens 2025-08-27 jprat No public description 2025-08-26 quiche-dev Remove unused `has_encoded_response_nonce_` member. 2025-08-25 vreimer [oncall] Fix `FromSecond(` typo and add `s` at the end. 2025-08-25 jprat Add code count for disabling blackhole detection. 2025-08-25 quiche-dev Enabling rolled out flags. 2025-08-25 quiche-dev Change Binary HTTP message section handler methods to return Status. ``` Risk Level: low Testing: CI --------- Signed-off-by: Alejandro R. Sedeño --- bazel/external/quiche.BUILD | 4 ++-- bazel/repository_locations.bzl | 6 +++--- source/common/quic/http_datagram_handler.cc | 19 ++++++++++--------- .../quic/envoy_quic_client_stream_test.cc | 10 +++++----- test/common/quic/envoy_quic_h3_fuzz.proto | 6 +++--- test/common/quic/envoy_quic_h3_fuzz_helper.cc | 8 ++++---- test/common/quic/envoy_quic_h3_fuzz_helper.h | 2 +- .../quic/envoy_quic_server_stream_test.cc | 8 ++++---- .../common/quic/http_datagram_handler_test.cc | 10 +++++----- test/common/quic/test_utils.h | 8 ++++---- 10 files changed, 41 insertions(+), 40 deletions(-) diff --git a/bazel/external/quiche.BUILD b/bazel/external/quiche.BUILD index aab49a6148420..d73c10e236dde 100644 --- a/bazel/external/quiche.BUILD +++ b/bazel/external/quiche.BUILD @@ -2884,12 +2884,12 @@ envoy_cc_library( "quiche/quic/core/frames/quic_blocked_frame.cc", "quiche/quic/core/frames/quic_connection_close_frame.cc", "quiche/quic/core/frames/quic_crypto_frame.cc", + "quiche/quic/core/frames/quic_datagram_frame.cc", "quiche/quic/core/frames/quic_frame.cc", "quiche/quic/core/frames/quic_goaway_frame.cc", "quiche/quic/core/frames/quic_handshake_done_frame.cc", "quiche/quic/core/frames/quic_immediate_ack_frame.cc", "quiche/quic/core/frames/quic_max_streams_frame.cc", - "quiche/quic/core/frames/quic_message_frame.cc", "quiche/quic/core/frames/quic_new_connection_id_frame.cc", "quiche/quic/core/frames/quic_new_token_frame.cc", "quiche/quic/core/frames/quic_padding_frame.cc", @@ -2911,13 +2911,13 @@ envoy_cc_library( "quiche/quic/core/frames/quic_blocked_frame.h", "quiche/quic/core/frames/quic_connection_close_frame.h", "quiche/quic/core/frames/quic_crypto_frame.h", + "quiche/quic/core/frames/quic_datagram_frame.h", "quiche/quic/core/frames/quic_frame.h", "quiche/quic/core/frames/quic_goaway_frame.h", "quiche/quic/core/frames/quic_handshake_done_frame.h", "quiche/quic/core/frames/quic_immediate_ack_frame.h", "quiche/quic/core/frames/quic_inlined_frame.h", "quiche/quic/core/frames/quic_max_streams_frame.h", - "quiche/quic/core/frames/quic_message_frame.h", "quiche/quic/core/frames/quic_mtu_discovery_frame.h", "quiche/quic/core/frames/quic_new_connection_id_frame.h", "quiche/quic/core/frames/quic_new_token_frame.h", diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 3199a47552307..8b016a6321efe 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1277,12 +1277,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "1c35d630893fc2adacfffeb91bcb0561240cf5f1", - sha256 = "3ed465a20769e2ad899831b31b005b0410c4e00446434464cc38f791ab2aad4f", + version = "4f1f0fcea045cd71410c2c318773fc24c3523ed7", + sha256 = "f3276f1de23d383092ffa189b38c8127252c3550c8750e20db76dbe8fc135c07", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-08-22", + release_date = "2025-08-30", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", diff --git a/source/common/quic/http_datagram_handler.cc b/source/common/quic/http_datagram_handler.cc index 9de2e09d93469..19c4c0e82678b 100644 --- a/source/common/quic/http_datagram_handler.cc +++ b/source/common/quic/http_datagram_handler.cc @@ -8,6 +8,7 @@ #include "quiche/common/capsule.h" #include "quiche/common/quiche_buffer_allocator.h" #include "quiche/quic/core/http/quic_spdy_stream.h" +#include "quiche/quic/core/quic_types.h" namespace Envoy { namespace Quic { @@ -45,27 +46,27 @@ bool HttpDatagramHandler::OnCapsule(const quiche::Capsule& capsule) { stream_.WriteCapsule(capsule, fin_set_); return true; } - quic::MessageStatus status = + quic::DatagramStatus status = stream_.SendHttp3Datagram(capsule.datagram_capsule().http_datagram_payload); - if (status == quic::MessageStatus::MESSAGE_STATUS_SUCCESS) { + if (status == quic::DatagramStatus::DATAGRAM_STATUS_SUCCESS) { return true; } // When SendHttp3Datagram cannot send a datagram immediately, it puts it into the queue and - // returns MESSAGE_STATUS_BLOCKED. - if (status == quic::MessageStatus::MESSAGE_STATUS_BLOCKED) { + // returns DATAGRAM_STATUS_BLOCKED. + if (status == quic::DatagramStatus::DATAGRAM_STATUS_BLOCKED) { ENVOY_LOG(trace, fmt::format("SendHttpH3Datagram failed: status = {}, buffers the Datagram.", - quic::MessageStatusToString(status))); + quic::DatagramStatusToString(status))); return true; } - if (status == quic::MessageStatus::MESSAGE_STATUS_TOO_LARGE || - status == quic::MessageStatus::MESSAGE_STATUS_SETTINGS_NOT_RECEIVED) { + if (status == quic::DatagramStatus::DATAGRAM_STATUS_TOO_LARGE || + status == quic::DatagramStatus::DATAGRAM_STATUS_SETTINGS_NOT_RECEIVED) { ENVOY_LOG(warn, fmt::format("SendHttpH3Datagram failed: status = {}, drops the Datagram.", - quic::MessageStatusToString(status))); + quic::DatagramStatusToString(status))); return true; } // Otherwise, returns false and thus resets the corresponding stream. ENVOY_LOG(error, fmt::format("SendHttpH3Datagram failed: status = {}, resets the stream.", - quic::MessageStatusToString(status))); + quic::DatagramStatusToString(status))); return false; } diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index e36e0161d0e27..473dd22af5e05 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc @@ -745,10 +745,10 @@ TEST_F(EnvoyQuicClientStreamTest, EncodeTrailersOnClosedStream) { TEST_F(EnvoyQuicClientStreamTest, EncodeCapsule) { setUpCapsuleProtocol(false, true); Buffer::OwnedImpl buffer(capsule_fragment_); - EXPECT_CALL(*quic_connection_, SendMessage(_, _, _)) - .WillOnce([this](quic::QuicMessageId, absl::Span message, bool) { - EXPECT_EQ(message.data()->AsStringView(), datagram_fragment_); - return quic::MESSAGE_STATUS_SUCCESS; + EXPECT_CALL(*quic_connection_, SendDatagram(_, _, _)) + .WillOnce([this](quic::QuicDatagramId, absl::Span datagram, bool) { + EXPECT_EQ(datagram.data()->AsStringView(), datagram_fragment_); + return quic::DATAGRAM_STATUS_SUCCESS; }); quic_stream_->encodeData(buffer, /*end_stream=*/true); EXPECT_CALL(stream_callbacks_, onResetStream(_, _)); @@ -757,7 +757,7 @@ TEST_F(EnvoyQuicClientStreamTest, EncodeCapsule) { TEST_F(EnvoyQuicClientStreamTest, DecodeHttp3Datagram) { setUpCapsuleProtocol(true, false); EXPECT_CALL(stream_decoder_, decodeData(BufferStringEqual(capsule_fragment_), _)); - quic_session_.OnMessageReceived(datagram_fragment_); + quic_session_.OnDatagramReceived(datagram_fragment_); EXPECT_CALL(stream_callbacks_, onResetStream(_, _)); } diff --git a/test/common/quic/envoy_quic_h3_fuzz.proto b/test/common/quic/envoy_quic_h3_fuzz.proto index 8f768a867c131..0e6e84ef78e50 100644 --- a/test/common/quic/envoy_quic_h3_fuzz.proto +++ b/test/common/quic/envoy_quic_h3_fuzz.proto @@ -174,8 +174,8 @@ message QuicStopSendingFrame { uint32 error_code = 3; } -message QuicMessageFrame { - uint32 message_id = 1; +message QuicDatagramFrame { + uint32 datagram_id = 1; bytes data = 2; } @@ -213,7 +213,7 @@ message QuicFrame { QuicPathResponseFrame path_response = 18; QuicPathChallengeFrame path_challenge = 19; QuicStopSendingFrame stop_sending = 20; - QuicMessageFrame message_frame = 21; + QuicDatagramFrame datagram_frame = 21; QuicNewTokenFrame new_token = 22; QuickAckFrequencyFrame ack_frequency = 23; } diff --git a/test/common/quic/envoy_quic_h3_fuzz_helper.cc b/test/common/quic/envoy_quic_h3_fuzz_helper.cc index 6897306effaca..bb53108da6e8e 100644 --- a/test/common/quic/envoy_quic_h3_fuzz_helper.cc +++ b/test/common/quic/envoy_quic_h3_fuzz_helper.cc @@ -312,8 +312,8 @@ QuicPacketizer::QuicPacketPtr QuicPacketizer::serializePacket(const QuicFrame& f auto quic_stop = quic::QuicStopSendingFrame(f.control_frame_id(), f.stream_id(), error_code); return serialize(quic::QuicFrame(quic_stop)); } - case QuicFrame::kMessageFrame: - return serializeMessageFrame(frame.message_frame()); + case QuicFrame::kDatagramFrame: + return serializeDatagramFrame(frame.datagram_frame()); case QuicFrame::kNewToken: return serializeNewTokenFrame(frame.new_token()); case QuicFrame::kAckFrequency: { @@ -404,12 +404,12 @@ QuicPacketizer::serializeNewTokenFrame(const test::common::quic::QuicNewTokenFra } QuicPacketizer::QuicPacketPtr -QuicPacketizer::serializeMessageFrame(const test::common::quic::QuicMessageFrame& frame) { +QuicPacketizer::serializeDatagramFrame(const test::common::quic::QuicDatagramFrame& frame) { char buffer[1024]; auto message = frame.data(); size_t len = std::min(message.size(), sizeof(buffer)); memcpy(buffer, message.data(), len); - auto message_frame = quic::QuicMessageFrame(buffer, len); + auto message_frame = quic::QuicDatagramFrame(buffer, len); return serialize(quic::QuicFrame(&message_frame)); } diff --git a/test/common/quic/envoy_quic_h3_fuzz_helper.h b/test/common/quic/envoy_quic_h3_fuzz_helper.h index 3bbd2205748b9..7f3231551c3e0 100644 --- a/test/common/quic/envoy_quic_h3_fuzz_helper.h +++ b/test/common/quic/envoy_quic_h3_fuzz_helper.h @@ -48,7 +48,7 @@ class QuicPacketizer { QuicPacketPtr serialize(quic::QuicFrame frame); QuicPacketPtr serializeStreamFrame(const test::common::quic::QuicStreamFrame& frame); QuicPacketPtr serializeNewTokenFrame(const test::common::quic::QuicNewTokenFrame& frame); - QuicPacketPtr serializeMessageFrame(const test::common::quic::QuicMessageFrame& frame); + QuicPacketPtr serializeDatagramFrame(const test::common::quic::QuicDatagramFrame& frame); QuicPacketPtr serializeCryptoFrame(const test::common::quic::QuicCryptoFrame& frame); QuicPacketPtr serializeAckFrame(const test::common::quic::QuicAckFrame& frame); QuicPacketPtr diff --git a/test/common/quic/envoy_quic_server_stream_test.cc b/test/common/quic/envoy_quic_server_stream_test.cc index 197ccc5d27d1e..b1163035d0457 100644 --- a/test/common/quic/envoy_quic_server_stream_test.cc +++ b/test/common/quic/envoy_quic_server_stream_test.cc @@ -898,10 +898,10 @@ TEST_F(EnvoyQuicServerStreamTest, MetadataNotSupported) { TEST_F(EnvoyQuicServerStreamTest, EncodeCapsule) { setUpCapsuleProtocol(false, true); Buffer::OwnedImpl buffer(capsule_fragment_); - EXPECT_CALL(quic_connection_, SendMessage(_, _, _)) - .WillOnce([this](quic::QuicMessageId, absl::Span message, bool) { + EXPECT_CALL(quic_connection_, SendDatagram(_, _, _)) + .WillOnce([this](quic::QuicDatagramId, absl::Span message, bool) { EXPECT_EQ(message.data()->AsStringView(), datagram_fragment_); - return quic::MESSAGE_STATUS_SUCCESS; + return quic::DATAGRAM_STATUS_SUCCESS; }); quic_stream_->encodeData(buffer, /*end_stream=*/true); } @@ -909,7 +909,7 @@ TEST_F(EnvoyQuicServerStreamTest, EncodeCapsule) { TEST_F(EnvoyQuicServerStreamTest, DecodeHttp3Datagram) { setUpCapsuleProtocol(true, false); EXPECT_CALL(stream_decoder_, decodeData(BufferStringEqual(capsule_fragment_), _)); - quic_session_.OnMessageReceived(datagram_fragment_); + quic_session_.OnDatagramReceived(datagram_fragment_); } #endif diff --git a/test/common/quic/http_datagram_handler_test.cc b/test/common/quic/http_datagram_handler_test.cc index 440bd9aa13b5d..2cc35df0fe493 100644 --- a/test/common/quic/http_datagram_handler_test.cc +++ b/test/common/quic/http_datagram_handler_test.cc @@ -40,7 +40,7 @@ class MockStream : public quic::QuicSpdyStream { : quic::QuicSpdyStream(kStreamId, spdy_session, quic::BIDIRECTIONAL) {} MOCK_METHOD(void, OnBodyAvailable, (), (override)); - MOCK_METHOD(quic::MessageStatus, SendHttp3Datagram, (absl::string_view data), (override)); + MOCK_METHOD(quic::DatagramStatus, SendHttp3Datagram, (absl::string_view data), (override)); MOCK_METHOD(void, WriteOrBufferBody, (absl::string_view data, bool fin), (override)); }; @@ -77,8 +77,8 @@ TEST_F(HttpDatagramHandlerTest, Http3DatagramToCapsule) { TEST_F(HttpDatagramHandlerTest, CapsuleToHttp3Datagram) { EXPECT_CALL(stream_, SendHttp3Datagram(testing::Eq(datagram_payload_))) - .WillOnce(testing::Return(quic::MessageStatus::MESSAGE_STATUS_SUCCESS)) - .WillOnce(testing::Return(quic::MessageStatus::MESSAGE_STATUS_BLOCKED)); + .WillOnce(testing::Return(quic::DatagramStatus::DATAGRAM_STATUS_SUCCESS)) + .WillOnce(testing::Return(quic::DatagramStatus::DATAGRAM_STATUS_BLOCKED)); EXPECT_TRUE( http_datagram_handler_.encodeCapsuleFragment(capsule_fragment_, /*end_stream=*/false)); EXPECT_TRUE( @@ -102,7 +102,7 @@ TEST_F(HttpDatagramHandlerTest, SendCapsulesWithUnknownType) { TEST_F(HttpDatagramHandlerTest, SendHttp3DatagramInternalError) { EXPECT_CALL(stream_, SendHttp3Datagram(_)) - .WillOnce(testing::Return(quic::MessageStatus::MESSAGE_STATUS_INTERNAL_ERROR)); + .WillOnce(testing::Return(quic::DatagramStatus::DATAGRAM_STATUS_INTERNAL_ERROR)); EXPECT_FALSE( http_datagram_handler_.encodeCapsuleFragment(capsule_fragment_, /*end_stream*/ false)); } @@ -111,7 +111,7 @@ TEST_F(HttpDatagramHandlerTest, SendHttp3DatagramTooEarly) { // If SendHttp3Datagram is called before receiving SETTINGS from a peer, HttpDatagramHandler // drops the datagram without resetting the stream. EXPECT_CALL(stream_, SendHttp3Datagram(_)) - .WillOnce(testing::Return(quic::MessageStatus::MESSAGE_STATUS_SETTINGS_NOT_RECEIVED)); + .WillOnce(testing::Return(quic::DatagramStatus::DATAGRAM_STATUS_SETTINGS_NOT_RECEIVED)); EXPECT_TRUE( http_datagram_handler_.encodeCapsuleFragment(capsule_fragment_, /*end_stream*/ false)); } diff --git a/test/common/quic/test_utils.h b/test/common/quic/test_utils.h index 230d39f719307..69a2d7bca49b2 100644 --- a/test/common/quic/test_utils.h +++ b/test/common/quic/test_utils.h @@ -62,8 +62,8 @@ class MockEnvoyQuicServerConnection : public EnvoyQuicServerConnection { MOCK_METHOD(void, SendConnectionClosePacket, (quic::QuicErrorCode, quic::QuicIetfTransportErrorCodes, const std::string&)); MOCK_METHOD(bool, SendControlFrame, (const quic::QuicFrame& frame)); - MOCK_METHOD(quic::MessageStatus, SendMessage, - (quic::QuicMessageId, absl::Span, bool)); + MOCK_METHOD(quic::DatagramStatus, SendDatagram, + (quic::QuicDatagramId, absl::Span, bool)); MOCK_METHOD(void, dumpState, (std::ostream&, int), (const)); }; @@ -81,8 +81,8 @@ class MockEnvoyQuicClientConnection : public EnvoyQuicClientConnection { supported_versions, dispatcher, std::move(connection_socket), generator) {} - MOCK_METHOD(quic::MessageStatus, SendMessage, - (quic::QuicMessageId, absl::Span, bool)); + MOCK_METHOD(quic::DatagramStatus, SendDatagram, + (quic::QuicDatagramId, absl::Span, bool)); }; class TestQuicCryptoStream : public quic::test::MockQuicCryptoStream { From fbf85ab3d3e6e017c3f2c36e598d750c2b12cd93 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 5 Sep 2025 06:42:45 +0000 Subject: [PATCH 363/505] Move RCConnectionWrapper out and small changes Signed-off-by: Basundhara Chakrabarty --- .../downstream_socket_interface/BUILD | 10 +- ...downstream_reverse_connection_io_handle.cc | 96 ++ .../rc_connection_wrapper.cc | 235 ++++ .../reverse_connection_handshake.proto | 12 +- .../reverse_connection_io_handle.cc | 299 +---- .../upstream_socket_interface/BUILD | 2 +- .../downstream_socket_interface/BUILD | 19 + .../rc_connection_wrapper_test.cc | 1044 +++++++++++++++++ .../reverse_connection_io_handle_test.cc | 1007 ---------------- .../upstream_socket_interface/BUILD | 4 +- ...ream_reverse_connection_io_handle_test.cc} | 12 +- 11 files changed, 1414 insertions(+), 1326 deletions(-) create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc rename test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/{reverse_connection_io_handle_test.cc => upstream_reverse_connection_io_handle_test.cc} (88%) diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index 27f957b13d8bd..e13eca6dc2101 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -46,19 +46,23 @@ envoy_cc_library( hdrs = ["reverse_tunnel_initiator_extension.h"], visibility = ["//visibility:public"], deps = [ + ":reverse_connection_handshake_cc_proto", "//envoy/server:bootstrap_extension_config_interface", "//envoy/stats:stats_interface", "//envoy/thread_local:thread_local_interface", "//source/common/common:logger_lib", "//source/common/stats:symbol_table_lib", - ":reverse_connection_handshake_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", ], ) envoy_cc_library( name = "reverse_connection_io_handle_lib", - srcs = ["reverse_connection_io_handle.cc"], + srcs = [ + "downstream_reverse_connection_io_handle.cc", + "rc_connection_wrapper.cc", + "reverse_connection_io_handle.cc", + ], hdrs = [ "downstream_reverse_connection_io_handle.h", "rc_connection_wrapper.h", @@ -106,4 +110,4 @@ envoy_cc_extension( "//source/common/network:socket_interface_lib", "//source/common/protobuf:utility_lib", ], -) \ No newline at end of file +) diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc new file mode 100644 index 0000000000000..f778bae8789ee --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc @@ -0,0 +1,96 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" + +#include "source/common/common/logger.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// DownstreamReverseConnectionIOHandle constructor implementation +DownstreamReverseConnectionIOHandle::DownstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, ReverseConnectionIOHandle* parent, + const std::string& connection_key) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)), + parent_(parent), connection_key_(connection_key) { + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {} for " + "connection key: {}", + fd_, connection_key_); +} + +// DownstreamReverseConnectionIOHandle destructor implementation +DownstreamReverseConnectionIOHandle::~DownstreamReverseConnectionIOHandle() { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: destroying handle for FD: {} with connection key: {}", + fd_, connection_key_); +} + +// DownstreamReverseConnectionIOHandle close() implementation. +Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", fd_, + connection_key_); + + // If we're ignoring close calls during socket hand-off, just return success. + if (ignore_close_and_shutdown_) { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: ignoring close() call during socket hand-off for " + "connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); + } + + // Prevent double-closing by checking if already closed + if (fd_ < 0) { + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: handle already closed for connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); + } + + // Notify parent that this downstream connection has been closed + // This will trigger re-initiation of the reverse connection if needed. + if (parent_) { + parent_->onDownstreamConnectionClosed(connection_key_); + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: notified parent of connection closure for key: {}", + connection_key_); + } + + // Reset the owned socket to properly close the connection. + if (owned_socket_) { + owned_socket_.reset(); + } + return IoSocketHandleImpl::close(); +} + +// DownstreamReverseConnectionIOHandle shutdown() implementation. +Api::SysCallIntResult DownstreamReverseConnectionIOHandle::shutdown(int how) { + ENVOY_LOG(trace, + "DownstreamReverseConnectionIOHandle: shutdown({}) called for FD: {} with connection " + "key: {}", + how, fd_, connection_key_); + + // If we're ignoring shutdown calls during socket hand-off, just return success. + if (ignore_close_and_shutdown_) { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: ignoring shutdown() call during socket hand-off " + "for connection key: {}", + connection_key_); + return Api::SysCallIntResult{0, 0}; + } + + return IoSocketHandleImpl::shutdown(how); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc new file mode 100644 index 0000000000000..9e7998c669189 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc @@ -0,0 +1,235 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" + +#include "envoy/network/address.h" +#include "envoy/network/connection.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/connection_socket_impl.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// RCConnectionWrapper constructor implementation +RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, + Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name) + : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), + cluster_name_(cluster_name) { + ENVOY_LOG(debug, "RCConnectionWrapper: Using HTTP handshake for reverse connections"); +} + +// RCConnectionWrapper destructor implementation +RCConnectionWrapper::~RCConnectionWrapper() { + ENVOY_LOG(debug, "RCConnectionWrapper destructor called"); + this->shutdown(); +} + +void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { + if (event == Network::ConnectionEvent::RemoteClose) { + if (!connection_) { + ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling"); + return; + } + + // Store connection info before it gets invalidated. + const std::string connectionKey = + connection_->connectionInfoProvider().localAddress()->asString(); + const uint64_t connectionId = connection_->id(); + + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed", + connectionId, connectionKey); + + // Don't call shutdown() here as it may cause cleanup during event processing + // Instead, just notify parent of closure. + parent_.onConnectionDone("Connection closed", this, true); + } +} + +// SimpleConnReadFilter::onData implementation +Network::FilterStatus SimpleConnReadFilter::onData(Buffer::Instance& buffer, bool) { + if (parent_ == nullptr) { + return Network::FilterStatus::StopIteration; + } + + // Cast parent_ back to RCConnectionWrapper + RCConnectionWrapper* wrapper = static_cast(parent_); + + const std::string data = buffer.toString(); + + // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) + if (data.find("HTTP/1.1 200 OK") != std::string::npos || + data.find("HTTP/2 200") != std::string::npos) { + ENVOY_LOG(debug, "Received HTTP 200 OK response"); + + // Find the end of headers (double CRLF) + size_t headers_end = data.find("\r\n\r\n"); + if (headers_end != std::string::npos) { + // Extract the response body (after headers) + std::string response_body = data.substr(headers_end + 4); + + if (!response_body.empty()) { + // Try to parse the protobuf response + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + if (ret.ParseFromString(response_body)) { + ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); + + // Check if the status is ACCEPTED + if (ret.status() == + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::ACCEPTED) { + ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); + wrapper->onHandshakeSuccess(); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(error, "SimpleConnReadFilter: Reverse connection rejected: {}", + ret.status_message()); + wrapper->onHandshakeFailure(ret.status_message()); + return Network::FilterStatus::StopIteration; + } + } else { + ENVOY_LOG(error, "Could not parse protobuf response - invalid response format"); + wrapper->onHandshakeFailure( + "Invalid response format - expected ReverseConnHandshakeRet protobuf"); + return Network::FilterStatus::StopIteration; + } + } else { + ENVOY_LOG(debug, "Response body is empty, waiting for more data"); + return Network::FilterStatus::Continue; + } + } else { + ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); + return Network::FilterStatus::Continue; + } + } else if (data.find("HTTP/1.1 ") != std::string::npos || + data.find("HTTP/2 ") != std::string::npos) { + // Found HTTP response but not 200 OK - this is an error + ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); + wrapper->onHandshakeFailure("HTTP handshake failed with non-200 response"); + return Network::FilterStatus::StopIteration; + } else { + ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); + return Network::FilterStatus::Continue; + } +} + +std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, + const std::string& src_cluster_id, + const std::string& src_node_id) { + // Register connection callbacks. + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, adding connection callbacks", + connection_->id()); + connection_->addConnectionCallbacks(*this); + connection_->connect(); + + // Use HTTP handshake + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, sending reverse connection creation " + "request through HTTP", + connection_->id()); + + // Add read filter to handle HTTP response + connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); + + // Use HTTP handshake logic + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + arg.set_tenant_uuid(src_tenant_id); + arg.set_cluster_uuid(src_cluster_id); + arg.set_node_uuid(src_node_id); + ENVOY_LOG(debug, + "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", + src_tenant_id, src_cluster_id, src_node_id); + std::string body = arg.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) + ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", + body.length(), arg.DebugString()); + std::string host_value; + const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); + // This is used when reverse connections need to be established through a HTTP proxy. + // The reverse connection listener connects to an internal cluster, to which an + // internal listener listens. This internal listener has tunneling configuration + // to tcp proxy the reverse connection requests over HTTP/1 CONNECT to the remote + // proxy. + if (remote_address->type() == Network::Address::Type::EnvoyInternal) { + const auto& internal_address = + std::dynamic_pointer_cast(remote_address); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is internal " + "listener {}, using endpoint ID in host header", + connection_->id(), internal_address->envoyInternalAddress()->addressId()); + host_value = internal_address->envoyInternalAddress()->endpointId(); + } else { + host_value = remote_address->asString(); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is external, " + "using address as host header", + connection_->id()); + } + // Build HTTP request with protobuf body. + Buffer::OwnedImpl reverse_connection_request( + fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" + "Host: {}\r\n" + "Accept: */*\r\n" + "Content-length: {}\r\n" + "\r\n{}", + host_value, body.length(), body)); + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, writing request to connection: {}", + connection_->id(), reverse_connection_request.toString()); + // Send reverse connection request over TCP connection. + connection_->write(reverse_connection_request, false); + + return connection_->connectionInfoProvider().localAddress()->asString(); +} + +void RCConnectionWrapper::onHandshakeSuccess() { + std::string message = "reverse connection accepted"; + ENVOY_LOG(debug, "handshake succeeded: {}", message); + parent_.onConnectionDone(message, this, false); +} + +void RCConnectionWrapper::onHandshakeFailure(const std::string& message) { + ENVOY_LOG(debug, "handshake failed: {}", message); + parent_.onConnectionDone(message, this, false); +} + +void RCConnectionWrapper::shutdown() { + if (!connection_) { + ENVOY_LOG(error, "RCConnectionWrapper: Connection already null, nothing to shutdown"); + return; + } + + ENVOY_LOG(debug, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", + connection_->id(), static_cast(connection_->state())); + + // Remove connection callbacks first to prevent recursive calls during shutdown. + auto state = connection_->state(); + if (state != Network::Connection::State::Closed) { + connection_->removeConnectionCallbacks(*this); + ENVOY_LOG(debug, "Connection callbacks removed"); + } + + // Close the connection if it's still open. + state = connection_->state(); + if (state == Network::Connection::State::Open) { + ENVOY_LOG(debug, "Closing open connection gracefully"); + connection_->close(Network::ConnectionCloseType::FlushWrite); + } else if (state == Network::Connection::State::Closing) { + ENVOY_LOG(debug, "Connection already closing"); + } else { + ENVOY_LOG(debug, "Connection already closed"); + } + + // Clear the connection pointer to prevent further access. + connection_.reset(); + ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown completed"); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto index 2ee19de84499b..df42f0691f71a 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.proto @@ -1,21 +1,11 @@ syntax = "proto3"; -package envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface; +package envoy.extensions.bootstrap.reverse_tunnel; // Internal proto definitions for reverse connection handshake protocol. // These messages are used internally by the reverse tunnel extension // and are not exposed to users. -// Configuration for the reverse connection handshake extension. -// This extension provides message definitions for establishing reverse connections -// between Envoy instances. -message ReverseConnectionHandshakeConfig { - // This is a placeholder config message for the reverse connection handshake extension. - // The extension primarily provides message definitions for the handshake protocol - // rather than configuration. - bool enabled = 1; -} - // Config sent by the local cluster as part of the Initiation workflow. // This message combined with message 'ReverseConnHandshakeRet' which is // sent as a response can be used to transfer/negotiate parameter between the diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc index 0d6e1a4aadc03..1c1bb5bb11047 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -15,6 +15,8 @@ #include "source/common/network/connection_socket_impl.h" #include "source/common/network/socket_interface_impl.h" #include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" @@ -24,301 +26,6 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// DownstreamReverseConnectionIOHandle constructor implementation -DownstreamReverseConnectionIOHandle::DownstreamReverseConnectionIOHandle( - Network::ConnectionSocketPtr socket, ReverseConnectionIOHandle* parent, - const std::string& connection_key) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)), - parent_(parent), connection_key_(connection_key) { - ENVOY_LOG(debug, - "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {} for " - "connection key: {}", - fd_, connection_key_); -} - -// DownstreamReverseConnectionIOHandle destructor implementation -DownstreamReverseConnectionIOHandle::~DownstreamReverseConnectionIOHandle() { - ENVOY_LOG( - debug, - "DownstreamReverseConnectionIOHandle: destroying handle for FD: {} with connection key: {}", - fd_, connection_key_); -} - -// DownstreamReverseConnectionIOHandle close() implementation. -Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { - ENVOY_LOG( - debug, - "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", fd_, - connection_key_); - - // If we're ignoring close calls during socket hand-off, just return success. - if (ignore_close_and_shutdown_) { - ENVOY_LOG( - debug, - "DownstreamReverseConnectionIOHandle: ignoring close() call during socket hand-off for " - "connection key: {}", - connection_key_); - return Api::ioCallUint64ResultNoError(); - } - - // Prevent double-closing by checking if already closed - if (fd_ < 0) { - ENVOY_LOG(debug, - "DownstreamReverseConnectionIOHandle: handle already closed for connection key: {}", - connection_key_); - return Api::ioCallUint64ResultNoError(); - } - - // Notify parent that this downstream connection has been closed - // This will trigger re-initiation of the reverse connection if needed. - if (parent_) { - parent_->onDownstreamConnectionClosed(connection_key_); - ENVOY_LOG( - debug, - "DownstreamReverseConnectionIOHandle: notified parent of connection closure for key: {}", - connection_key_); - } - - // Reset the owned socket to properly close the connection. - if (owned_socket_) { - owned_socket_.reset(); - } - return IoSocketHandleImpl::close(); -} - -// DownstreamReverseConnectionIOHandle shutdown() implementation. -Api::SysCallIntResult DownstreamReverseConnectionIOHandle::shutdown(int how) { - ENVOY_LOG(trace, - "DownstreamReverseConnectionIOHandle: shutdown({}) called for FD: {} with connection " - "key: {}", - how, fd_, connection_key_); - - // If we're ignoring shutdown calls during socket hand-off, just return success. - if (ignore_close_and_shutdown_) { - ENVOY_LOG( - debug, - "DownstreamReverseConnectionIOHandle: ignoring shutdown() call during socket hand-off " - "for connection key: {}", - connection_key_); - return Api::SysCallIntResult{0, 0}; - } - - return IoSocketHandleImpl::shutdown(how); -} - -// RCConnectionWrapper constructor implementation -RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, - Network::ClientConnectionPtr connection, - Upstream::HostDescriptionConstSharedPtr host, - const std::string& cluster_name) - : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), - cluster_name_(cluster_name) { - ENVOY_LOG(debug, "RCConnectionWrapper: Using HTTP handshake for reverse connections"); -} - -// RCConnectionWrapper destructor implementation -RCConnectionWrapper::~RCConnectionWrapper() { - ENVOY_LOG(debug, "RCConnectionWrapper destructor called"); - this->shutdown(); -} - -void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { - if (event == Network::ConnectionEvent::RemoteClose) { - if (!connection_) { - ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling"); - return; - } - - // Store connection info before it gets invalidated. - const std::string connectionKey = - connection_->connectionInfoProvider().localAddress()->asString(); - const uint64_t connectionId = connection_->id(); - - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed", - connectionId, connectionKey); - - // Don't call shutdown() here as it may cause cleanup during event processing - // Instead, just notify parent of closure. - parent_.onConnectionDone("Connection closed", this, true); - } -} - -// SimpleConnReadFilter::onData implementation -Network::FilterStatus SimpleConnReadFilter::onData(Buffer::Instance& buffer, bool) { - if (parent_ == nullptr) { - return Network::FilterStatus::StopIteration; - } - - // Cast parent_ back to RCConnectionWrapper - RCConnectionWrapper* wrapper = static_cast(parent_); - - const std::string data = buffer.toString(); - - // Look for HTTP response status line first (supports both HTTP/1.1 and HTTP/2) - if (data.find("HTTP/1.1 200 OK") != std::string::npos || - data.find("HTTP/2 200") != std::string::npos) { - ENVOY_LOG(debug, "Received HTTP 200 OK response"); - - // Find the end of headers (double CRLF) - size_t headers_end = data.find("\r\n\r\n"); - if (headers_end != std::string::npos) { - // Extract the response body (after headers) - std::string response_body = data.substr(headers_end + 4); - - if (!response_body.empty()) { - // Try to parse the protobuf response - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; - if (ret.ParseFromString(response_body)) { - ENVOY_LOG(debug, "Successfully parsed protobuf response: {}", ret.DebugString()); - - // Check if the status is ACCEPTED - if (ret.status() == - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::ACCEPTED) { - ENVOY_LOG(debug, "SimpleConnReadFilter: Reverse connection accepted by cloud side"); - wrapper->onHandshakeSuccess(); - return Network::FilterStatus::StopIteration; - } else { - ENVOY_LOG(error, "SimpleConnReadFilter: Reverse connection rejected: {}", - ret.status_message()); - wrapper->onHandshakeFailure(ret.status_message()); - return Network::FilterStatus::StopIteration; - } - } else { - ENVOY_LOG(error, "Could not parse protobuf response - invalid response format"); - wrapper->onHandshakeFailure( - "Invalid response format - expected ReverseConnHandshakeRet protobuf"); - return Network::FilterStatus::StopIteration; - } - } else { - ENVOY_LOG(debug, "Response body is empty, waiting for more data"); - return Network::FilterStatus::Continue; - } - } else { - ENVOY_LOG(debug, "HTTP headers not complete yet, waiting for more data"); - return Network::FilterStatus::Continue; - } - } else if (data.find("HTTP/1.1 ") != std::string::npos || - data.find("HTTP/2 ") != std::string::npos) { - // Found HTTP response but not 200 OK - this is an error - ENVOY_LOG(error, "Received non-200 HTTP response: {}", data.substr(0, 100)); - wrapper->onHandshakeFailure("HTTP handshake failed with non-200 response"); - return Network::FilterStatus::StopIteration; - } else { - ENVOY_LOG(debug, "Waiting for HTTP response, received {} bytes", data.length()); - return Network::FilterStatus::Continue; - } -} - -std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, - const std::string& src_cluster_id, - const std::string& src_node_id) { - // Register connection callbacks. - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, adding connection callbacks", - connection_->id()); - connection_->addConnectionCallbacks(*this); - connection_->connect(); - - // Use HTTP handshake - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, sending reverse connection creation " - "request through HTTP", - connection_->id()); - - // Add read filter to handle HTTP response - connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); - - // Use HTTP handshake logic - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; - arg.set_tenant_uuid(src_tenant_id); - arg.set_cluster_uuid(src_cluster_id); - arg.set_node_uuid(src_node_id); - ENVOY_LOG(debug, - "RCConnectionWrapper: Creating protobuf with tenant='{}', cluster='{}', node='{}'", - src_tenant_id, src_cluster_id, src_node_id); - std::string body = arg.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) - ENVOY_LOG(debug, "RCConnectionWrapper: Serialized protobuf body length: {}, debug: '{}'", - body.length(), arg.DebugString()); - std::string host_value; - const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); - // This is used when reverse connections need to be established through a HTTP proxy. - // The reverse connection listener connects to an internal cluster, to which an - // internal listener listens. This internal listener has tunneling configuration - // to tcp proxy the reverse connection requests over HTTP/1 CONNECT to the remote - // proxy. - if (remote_address->type() == Network::Address::Type::EnvoyInternal) { - const auto& internal_address = - std::dynamic_pointer_cast(remote_address); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, remote address is internal " - "listener {}, using endpoint ID in host header", - connection_->id(), internal_address->envoyInternalAddress()->addressId()); - host_value = internal_address->envoyInternalAddress()->endpointId(); - } else { - host_value = remote_address->asString(); - ENVOY_LOG(debug, - "RCConnectionWrapper: connection: {}, remote address is external, " - "using address as host header", - connection_->id()); - } - // Build HTTP request with protobuf body. - Buffer::OwnedImpl reverse_connection_request( - fmt::format("POST /reverse_connections/request HTTP/1.1\r\n" - "Host: {}\r\n" - "Accept: */*\r\n" - "Content-length: {}\r\n" - "\r\n{}", - host_value, body.length(), body)); - ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, writing request to connection: {}", - connection_->id(), reverse_connection_request.toString()); - // Send reverse connection request over TCP connection. - connection_->write(reverse_connection_request, false); - - return connection_->connectionInfoProvider().localAddress()->asString(); -} - -void RCConnectionWrapper::onHandshakeSuccess() { - std::string message = "reverse connection accepted"; - ENVOY_LOG(debug, "handshake succeeded: {}", message); - parent_.onConnectionDone(message, this, false); -} - -void RCConnectionWrapper::onHandshakeFailure(const std::string& message) { - ENVOY_LOG(debug, "handshake failed: {}", message); - parent_.onConnectionDone(message, this, false); -} - -void RCConnectionWrapper::shutdown() { - if (!connection_) { - ENVOY_LOG(error, "RCConnectionWrapper: Connection already null, nothing to shutdown"); - return; - } - - ENVOY_LOG(debug, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", - connection_->id(), static_cast(connection_->state())); - - // Remove connection callbacks first to prevent recursive calls during shutdown. - auto state = connection_->state(); - if (state != Network::Connection::State::Closed) { - connection_->removeConnectionCallbacks(*this); - ENVOY_LOG(debug, "Connection callbacks removed"); - } - - // Close the connection if it's still open. - state = connection_->state(); - if (state == Network::Connection::State::Open) { - ENVOY_LOG(debug, "Closing open connection gracefully"); - connection_->close(Network::ConnectionCloseType::FlushWrite); - } else if (state == Network::Connection::State::Closing) { - ENVOY_LOG(debug, "Connection already closing"); - } else { - ENVOY_LOG(debug, "Connection already closed"); - } - - // Clear the connection pointer to prevent further access. - connection_.reset(); - ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown completed"); -} - // ReverseConnectionIOHandle implementation ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, @@ -479,7 +186,7 @@ void ReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatche Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, socklen_t* addrlen) { - + ENVOY_LOG(debug, "ReverseConnectionIOHandle: accept() called"); if (isTriggerPipeReady()) { char trigger_byte; ssize_t bytes_read = ::read(trigger_pipe_read_fd_, &trigger_byte, 1); diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index f633cf08fd8f4..a73203716b3dd 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -65,4 +65,4 @@ envoy_cc_extension( "//source/common/common:random_generator_lib", "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", ], -) \ No newline at end of file +) diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index 1b9ecdeda6930..d539a8c643013 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -96,3 +96,22 @@ envoy_cc_test( "@envoy_api//envoy/config/core/v3:pkg_cc_proto", ], ) + +envoy_cc_test( + name = "rc_connection_wrapper_test", + size = "large", + srcs = ["rc_connection_wrapper_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc new file mode 100644 index 0000000000000..2f23efc529248 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc @@ -0,0 +1,1044 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// RCConnectionWrapper Tests. + +class RCConnectionWrapperTest : public testing::Test { +protected: + void SetUp() override { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + extension_ = std::make_unique(context_, config_); + setupThreadLocalSlot(); + io_handle_ = createTestIOHandle(createDefaultTestConfig()); + } + + void TearDown() override { + io_handle_.reset(); + extension_.reset(); + } + + void setupThreadLocalSlot() { + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + ReverseConnectionSocketConfig createDefaultTestConfig() { + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.enable_circuit_breaker = true; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + return config; + } + + std::unique_ptr + createTestIOHandle(const ReverseConnectionSocketConfig& config) { + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + return std::make_unique(test_fd, config, cluster_manager_, + extension_.get(), *stats_scope_); + } + + // Connection Management Helpers. + + bool initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host) { + return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); + } + + // Data Access Helpers. + + const std::vector>& getConnectionWrappers() const { + return io_handle_->connection_wrappers_; + } + + const absl::flat_hash_map& getConnWrapperToHostMap() const { + return io_handle_->conn_wrapper_to_host_map_; + } + + // Test Data Setup Helpers. + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, + uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = + ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states + }; + } + + // Helper to create a mock host. + Upstream::HostConstSharedPtr createMockHost(const std::string& address) { + auto mock_host = std::make_shared>(); + auto mock_address = std::make_shared(address, 8080); + EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); + return mock_host; + } + + // Helper method to set up mock connection with proper socket expectations. + std::unique_ptr> setupMockConnection() { + auto mock_connection = std::make_unique>(); + + // Create a mock socket for the connection. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Cast the mock to the base ConnectionSocket type and store it in member variable. + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection expectations for getSocket() + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + return mock_connection; + } + + // Test fixtures. + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + std::unique_ptr extension_; + std::unique_ptr io_handle_; + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + // Mock socket for testing. + std::unique_ptr mock_socket_; +}; + +// Test RCConnectionWrapper::connect() method with HTTP/1.1 handshake success +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { + // Create a mock connection. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + + // Set up socket expectations for address info. + auto mock_address = std::make_shared("192.168.1.1", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations directly on the mock connection. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_address, + mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Capture the written buffer to verify HTTP POST content. + Buffer::OwnedImpl captured_buffer; + EXPECT_CALL(*mock_connection, write(_, _)) + .WillOnce(Invoke( + [&captured_buffer](Buffer::Instance& buffer, bool) { captured_buffer.add(buffer); })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method. + std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + + // Verify connect() returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); + + // Verify the HTTP POST request content. + std::string written_data = captured_buffer.toString(); + + // Check HTTP headers. + EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); + EXPECT_THAT(written_data, testing::HasSubstr("Host: 192.168.1.1:8080")); + EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); + EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); + + // Check that the body contains the protobuf serialized data. + // The protobuf should contain tenant_uuid, cluster_uuid, and node_uuid. + EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers + + // Extract the body (everything after the double CRLF) + size_t body_start = written_data.find("\r\n\r\n"); + EXPECT_NE(body_start, std::string::npos); + std::string body = written_data.substr(body_start + 4); + EXPECT_FALSE(body.empty()); + + // Verify the protobuf content by deserializing it. + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + bool parse_success = arg.ParseFromString(body); + EXPECT_TRUE(parse_success); + EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); + EXPECT_EQ(arg.cluster_uuid(), "test-cluster"); + EXPECT_EQ(arg.node_uuid(), "test-node"); +} + +// Test RCConnectionWrapper::connect() method with HTTP proxy (internal address) scenario. +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWithHttpProxy) { + // Create a mock connection. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + + // Set up socket expectations for internal address (HTTP proxy scenario). + auto mock_internal_address = std::make_shared( + "internal_listener_name", "endpoint_id_123"); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations with internal address. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_internal_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_internal_address); + return *mock_provider; + })); + + // Capture the written buffer to verify HTTP POST content. + Buffer::OwnedImpl captured_buffer; + EXPECT_CALL(*mock_connection, write(_, _)) + .WillOnce(Invoke( + [&captured_buffer](Buffer::Instance& buffer, bool) { captured_buffer.add(buffer); })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method. + std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + + // Verify connect() returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); + + // Verify the HTTP POST request content. + std::string written_data = captured_buffer.toString(); + + // Check HTTP headers. + EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); + // For HTTP proxy scenario, the Host header should use the endpoint ID from the internal address. + EXPECT_THAT(written_data, testing::HasSubstr("Host: endpoint_id_123")); + EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); + EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); + + // Check that the body contains the protobuf serialized data. + EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers + + // Extract the body (everything after the double CRLF) + size_t body_start = written_data.find("\r\n\r\n"); + EXPECT_NE(body_start, std::string::npos); + std::string body = written_data.substr(body_start + 4); + EXPECT_FALSE(body.empty()); + + // Verify the protobuf content by deserializing it. + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeArg arg; + bool parse_success = arg.ParseFromString(body); + EXPECT_TRUE(parse_success); + EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); + EXPECT_EQ(arg.cluster_uuid(), "test-cluster"); + EXPECT_EQ(arg.node_uuid(), "test-node"); +} + +// Test RCConnectionWrapper::connect() method with connection write failure. +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { + // Create a mock connection that fails to write. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, write(_, _)).WillOnce(Invoke([](Buffer::Instance&, bool) -> void { + throw EnvoyException("Write failed"); + })); + + // Set up socket expectations. + auto mock_address = std::make_shared("192.168.1.1", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations directly on the mock connection. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_address, + mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method - should handle the write failure gracefully. + // The method should not throw but should handle the exception internally. + std::string result; + try { + result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + } catch (const EnvoyException& e) { + // The connect() method doesn't handle exceptions, so we expect it to throw. + // This is the current behavior - the method should be updated to handle exceptions. + EXPECT_STREQ(e.what(), "Write failed"); + return; // Exit test early since exception was thrown + } + + // If no exception was thrown, verify connect() still returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); +} + +// Test RCConnectionWrapper::onHandshakeSuccess method. +TEST_F(RCConnectionWrapperTest, OnHandshakeSuccess) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onHandshakeSuccess. + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onHandshakeSuccess. + wrapper_ptr->onHandshakeSuccess(); + + // Get stats after onHandshakeSuccess. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that connected stats were incremented. + EXPECT_EQ(final_stats[host_stat_name], initial_stats[host_stat_name] + 1); + EXPECT_EQ(final_stats[cluster_stat_name], initial_stats[cluster_stat_name] + 1); +} + +// Test RCConnectionWrapper::onHandshakeFailure method. +TEST_F(RCConnectionWrapperTest, OnHandshakeFailure) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onHandshakeFailure. + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_failed_stat_name = "test_scope.reverse_connections.host.192.168.1.1.failed"; + std::string cluster_failed_stat_name = + "test_scope.reverse_connections.cluster.test-cluster.failed"; + + // Call onHandshakeFailure with an error message. + std::string error_message = "Handshake failed due to authentication error"; + wrapper_ptr->onHandshakeFailure(error_message); + + // Get stats after onHandshakeFailure. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that failed stats were incremented. + EXPECT_EQ(final_stats[host_failed_stat_name], initial_stats[host_failed_stat_name] + 1); + EXPECT_EQ(final_stats[cluster_failed_stat_name], initial_stats[cluster_failed_stat_name] + 1); +} + +// Test RCConnectionWrapper::onEvent method with RemoteClose event. +TEST_F(RCConnectionWrapperTest, OnEventRemoteClose) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent. + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_connected_stat_name = + "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_connected_stat_name = + "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onEvent with RemoteClose event. + wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); + + // Get stats after onEvent. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that the connection closure was handled gracefully. +} + +// Test RCConnectionWrapper::onEvent method with Connected event (should be ignored) +TEST_F(RCConnectionWrapperTest, OnEventConnected) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent. + auto initial_stats = extension_->getCrossWorkerStatMap(); + + // Call onEvent with Connected event (should be ignored) + wrapper_ptr->onEvent(Network::ConnectionEvent::Connected); + + // Get stats after onEvent. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that Connected event doesn't change stats (it should be ignored) + // The stats should remain the same. + EXPECT_EQ(final_stats, initial_stats); +} + +// Test RCConnectionWrapper::onEvent method with null connection. +TEST_F(RCConnectionWrapperTest, OnEventWithNullConnection) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent. + auto initial_stats = extension_->getCrossWorkerStatMap(); + + // Call onEvent with RemoteClose event. + wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); + + // Get stats after onEvent. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that the event was handled gracefully even with connection closure. + // The exact behavior depends on the implementation, but it should not crash. +} + +// Test RCConnectionWrapper::releaseConnection method. +TEST_F(RCConnectionWrapperTest, ReleaseConnection) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Verify connection exists before release. + EXPECT_NE(wrapper.getConnection(), nullptr); + + // Release the connection. + auto released_connection = wrapper.releaseConnection(); + + // Verify connection was released. + EXPECT_NE(released_connection, nullptr); + EXPECT_EQ(wrapper.getConnection(), nullptr); +} + +// Test RCConnectionWrapper::getConnection method. +TEST_F(RCConnectionWrapperTest, GetConnection) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Get the connection. + auto* connection = wrapper.getConnection(); + + // Verify connection is returned. + EXPECT_NE(connection, nullptr); + + // Test after release. + wrapper.releaseConnection(); + EXPECT_EQ(wrapper.getConnection(), nullptr); +} + +// Test RCConnectionWrapper::getHost method. +TEST_F(RCConnectionWrapperTest, GetHost) { + // Create a mock connection and host with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Get the host. + auto host = wrapper.getHost(); + + // Verify host is returned. + EXPECT_EQ(host, mock_host); +} + +// Test RCConnectionWrapper::onAboveWriteBufferHighWatermark method (no-op) +TEST_F(RCConnectionWrapperTest, OnAboveWriteBufferHighWatermark) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call onAboveWriteBufferHighWatermark - should be a no-op. + wrapper.onAboveWriteBufferHighWatermark(); +} + +// Test RCConnectionWrapper::onBelowWriteBufferLowWatermark method (no-op) +TEST_F(RCConnectionWrapperTest, OnBelowWriteBufferLowWatermark) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call onBelowWriteBufferLowWatermark - should be a no-op. + wrapper.onBelowWriteBufferLowWatermark(); +} + +// Test RCConnectionWrapper::shutdown method. +TEST_F(RCConnectionWrapperTest, Shutdown) { + // Test 1: Shutdown with open connection. + { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for open connection. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + // Test 2: Shutdown with already closed connection. + { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for closed connection. + EXPECT_CALL(*mock_connection, state()) + .WillRepeatedly(Return(Network::Connection::State::Closed)); + EXPECT_CALL(*mock_connection, close(_)) + .Times(0); // Should not call close on already closed connection + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12346)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + + // Test 3: Shutdown with closing connection. + { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for closing connection. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()) + .WillRepeatedly(Return(Network::Connection::State::Closing)); + EXPECT_CALL(*mock_connection, close(_)) + .Times(0); // Should not call close on already closing connection + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12347)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + // Test 4: Shutdown with null connection (should be safe) + { + auto mock_host = std::make_shared>(); + + // Create wrapper with null connection. + RCConnectionWrapper wrapper(*io_handle_, nullptr, mock_host, "test-cluster"); + + EXPECT_EQ(wrapper.getConnection(), nullptr); + wrapper.shutdown(); // Should not crash + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + // Test 5: Multiple shutdown calls (should be safe) + { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12348)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + + // First shutdown. + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + + // Second shutdown (should be safe) + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } +} + +// Test SimpleConnReadFilter::onData method. +class SimpleConnReadFilterTest : public testing::Test { +protected: + void SetUp() override { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Create a mock IO handle. + auto mock_io_handle = std::make_unique>(); + io_handle_ = std::make_unique( + 7, // dummy fd + ReverseConnectionSocketConfig{}, cluster_manager_, + nullptr, // extension + *stats_scope_); // Use the created scope + } + + void TearDown() override { io_handle_.reset(); } + + // Helper to create a mock RCConnectionWrapper. + std::unique_ptr createMockWrapper() { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + return std::make_unique(*io_handle_, std::move(mock_connection), mock_host, + "test-cluster"); + } + + // Helper to create SimpleConnReadFilter. + std::unique_ptr createFilter(void* parent) { + return std::make_unique(parent); + } + + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + std::unique_ptr io_handle_; +}; + +TEST_F(SimpleConnReadFilterTest, OnDataWithNullParent) { + // Create filter with null parent. + auto filter = createFilter(nullptr); + + // Create a buffer with some data. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - should return StopIteration when parent is null. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp200Response) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 200 response but invalid protobuf. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\nreverse connection accepted"); + + // Call onData - should return StopIteration for invalid response format. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2Response) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP/2 response but invalid protobuf. + Buffer::OwnedImpl buffer("HTTP/2 200\r\n\r\nACCEPTED"); + + // Call onData - should return StopIteration for invalid response format. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithIncompleteHeaders) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with incomplete HTTP headers. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"); + + // Call onData - should return Continue for incomplete headers. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::Continue); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithEmptyResponseBody) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 200 but empty body. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - should return Continue for empty body. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::Continue); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithNon200Response) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 404 response. + Buffer::OwnedImpl buffer("HTTP/1.1 404 Not Found\r\n\r\n"); + + // Call onData - should return StopIteration for error response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2ErrorResponse) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP/2 error response. + Buffer::OwnedImpl buffer("HTTP/2 500\r\n\r\n"); + + // Call onData - should return StopIteration for error response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with partial data (no HTTP response yet) + Buffer::OwnedImpl buffer("partial data"); + + // Call onData - should return Continue for partial data. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::Continue); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a proper ReverseConnHandshakeRet protobuf response. + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::ACCEPTED); + ret.set_status_message("Connection accepted"); + + std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) + std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; + Buffer::OwnedImpl buffer(http_response); + + // Call onData - should return StopIteration for successful protobuf response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithRejectedProtobufResponse) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a ReverseConnHandshakeRet protobuf response with REJECTED status. + envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet ret; + ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::ReverseConnHandshakeRet::REJECTED); + ret.set_status_message("Connection rejected by server"); + + std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) + std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; + Buffer::OwnedImpl buffer(http_response); + + // Call onData - should return StopIteration for rejected protobuf response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc index 28aa54a19e1b6..40407fa140ace 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -2237,1013 +2237,6 @@ TEST_F(ReverseConnectionIOHandleTest, UpdateStateGaugeWithUnknownState) { EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.unknown"], 1); } -// RCConnectionWrapper Tests. - -class RCConnectionWrapperTest : public testing::Test { -protected: - void SetUp() override { - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); - EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); - EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); - extension_ = std::make_unique(context_, config_); - setupThreadLocalSlot(); - io_handle_ = createTestIOHandle(createDefaultTestConfig()); - } - - void TearDown() override { - io_handle_.reset(); - extension_.reset(); - } - - void setupThreadLocalSlot() { - thread_local_registry_ = - std::make_shared(dispatcher_, *stats_scope_); - tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); - thread_local_.setDispatcher(&dispatcher_); - tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); - extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); - } - - ReverseConnectionSocketConfig createDefaultTestConfig() { - ReverseConnectionSocketConfig config; - config.src_cluster_id = "test-cluster"; - config.src_node_id = "test-node"; - config.enable_circuit_breaker = true; - config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); - return config; - } - - std::unique_ptr - createTestIOHandle(const ReverseConnectionSocketConfig& config) { - int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); - EXPECT_GE(test_fd, 0); - return std::make_unique(test_fd, config, cluster_manager_, - extension_.get(), *stats_scope_); - } - - // Connection Management Helpers. - - bool initiateOneReverseConnection(const std::string& cluster_name, - const std::string& host_address, - Upstream::HostConstSharedPtr host) { - return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); - } - - // Data Access Helpers. - - const std::vector>& getConnectionWrappers() const { - return io_handle_->connection_wrappers_; - } - - const absl::flat_hash_map& getConnWrapperToHostMap() const { - return io_handle_->conn_wrapper_to_host_map_; - } - - // Test Data Setup Helpers. - - void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, - uint32_t target_count) { - io_handle_->host_to_conn_info_map_[host_address] = - ReverseConnectionIOHandle::HostConnectionInfo{ - host_address, - cluster_name, - {}, // connection_keys - empty set initially - target_count, // target_connection_count - 0, // failure_count - // last_failure_time - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) - // backoff_until - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) - {} // connection_states - }; - } - - // Helper to create a mock host. - Upstream::HostConstSharedPtr createMockHost(const std::string& address) { - auto mock_host = std::make_shared>(); - auto mock_address = std::make_shared(address, 8080); - EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); - return mock_host; - } - - // Helper method to set up mock connection with proper socket expectations. - std::unique_ptr> setupMockConnection() { - auto mock_connection = std::make_unique>(); - - // Create a mock socket for the connection. - auto mock_socket_ptr = std::make_unique>(); - auto mock_io_handle = std::make_unique>(); - - // Set up IO handle expectations. - EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); - EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); - EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { - auto duplicated_handle = std::make_unique>(); - EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); - return duplicated_handle; - })); - - // Set up socket expectations. - EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); - - // Store the mock_io_handle in the socket before casting. - mock_socket_ptr->io_handle_ = std::move(mock_io_handle); - - // Cast the mock to the base ConnectionSocket type and store it in member variable. - mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); - - // Set up connection expectations for getSocket() - EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); - - return mock_connection; - } - - // Test fixtures. - NiceMock context_; - NiceMock thread_local_; - NiceMock cluster_manager_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - NiceMock dispatcher_{"worker_0"}; - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: - DownstreamReverseConnectionSocketInterface config_; - std::unique_ptr extension_; - std::unique_ptr io_handle_; - std::unique_ptr> tls_slot_; - std::shared_ptr thread_local_registry_; - - // Mock socket for testing. - std::unique_ptr mock_socket_; -}; - -// Test RCConnectionWrapper::connect() method with HTTP/1.1 handshake success -TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { - // Create a mock connection. - auto mock_connection = std::make_unique>(); - - // Set up connection expectations. - EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); - EXPECT_CALL(*mock_connection, addReadFilter(_)); - EXPECT_CALL(*mock_connection, connect()); - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - - // Set up socket expectations for address info. - auto mock_address = std::make_shared("192.168.1.1", 8080); - auto mock_local_address = std::make_shared("127.0.0.1", 12345); - - // Set up connection info provider expectations directly on the mock connection. - EXPECT_CALL(*mock_connection, connectionInfoProvider()) - .WillRepeatedly(Invoke([mock_address, - mock_local_address]() -> const Network::ConnectionInfoProvider& { - static auto mock_provider = - std::make_unique(mock_local_address, mock_address); - return *mock_provider; - })); - - // Capture the written buffer to verify HTTP POST content. - Buffer::OwnedImpl captured_buffer; - EXPECT_CALL(*mock_connection, write(_, _)) - .WillOnce(Invoke( - [&captured_buffer](Buffer::Instance& buffer, bool) { captured_buffer.add(buffer); })); - - // Create a mock host. - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call connect() method. - std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); - - // Verify connect() returns the local address. - EXPECT_EQ(result, "127.0.0.1:12345"); - - // Verify the HTTP POST request content. - std::string written_data = captured_buffer.toString(); - - // Check HTTP headers. - EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); - EXPECT_THAT(written_data, testing::HasSubstr("Host: 192.168.1.1:8080")); - EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); - EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); - - // Check that the body contains the protobuf serialized data. - // The protobuf should contain tenant_uuid, cluster_uuid, and node_uuid. - EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers - - // Extract the body (everything after the double CRLF) - size_t body_start = written_data.find("\r\n\r\n"); - EXPECT_NE(body_start, std::string::npos); - std::string body = written_data.substr(body_start + 4); - EXPECT_FALSE(body.empty()); - - // Verify the protobuf content by deserializing it. - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; - bool parse_success = arg.ParseFromString(body); - EXPECT_TRUE(parse_success); - EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); - EXPECT_EQ(arg.cluster_uuid(), "test-cluster"); - EXPECT_EQ(arg.node_uuid(), "test-node"); -} - -// Test RCConnectionWrapper::connect() method with HTTP proxy (internal address) scenario. -TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWithHttpProxy) { - // Create a mock connection. - auto mock_connection = std::make_unique>(); - - // Set up connection expectations. - EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); - EXPECT_CALL(*mock_connection, addReadFilter(_)); - EXPECT_CALL(*mock_connection, connect()); - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - - // Set up socket expectations for internal address (HTTP proxy scenario). - auto mock_internal_address = std::make_shared( - "internal_listener_name", "endpoint_id_123"); - auto mock_local_address = std::make_shared("127.0.0.1", 12345); - - // Set up connection info provider expectations with internal address. - EXPECT_CALL(*mock_connection, connectionInfoProvider()) - .WillRepeatedly(Invoke( - [mock_internal_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { - static auto mock_provider = std::make_unique( - mock_local_address, mock_internal_address); - return *mock_provider; - })); - - // Capture the written buffer to verify HTTP POST content. - Buffer::OwnedImpl captured_buffer; - EXPECT_CALL(*mock_connection, write(_, _)) - .WillOnce(Invoke( - [&captured_buffer](Buffer::Instance& buffer, bool) { captured_buffer.add(buffer); })); - - // Create a mock host. - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call connect() method. - std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); - - // Verify connect() returns the local address. - EXPECT_EQ(result, "127.0.0.1:12345"); - - // Verify the HTTP POST request content. - std::string written_data = captured_buffer.toString(); - - // Check HTTP headers. - EXPECT_THAT(written_data, testing::HasSubstr("POST /reverse_connections/request HTTP/1.1")); - // For HTTP proxy scenario, the Host header should use the endpoint ID from the internal address. - EXPECT_THAT(written_data, testing::HasSubstr("Host: endpoint_id_123")); - EXPECT_THAT(written_data, testing::HasSubstr("Accept: */*")); - EXPECT_THAT(written_data, testing::HasSubstr("Content-length:")); - - // Check that the body contains the protobuf serialized data. - EXPECT_THAT(written_data, testing::HasSubstr("\r\n\r\n")); // Empty line after headers - - // Extract the body (everything after the double CRLF) - size_t body_start = written_data.find("\r\n\r\n"); - EXPECT_NE(body_start, std::string::npos); - std::string body = written_data.substr(body_start + 4); - EXPECT_FALSE(body.empty()); - - // Verify the protobuf content by deserializing it. - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; - bool parse_success = arg.ParseFromString(body); - EXPECT_TRUE(parse_success); - EXPECT_EQ(arg.tenant_uuid(), "test-tenant"); - EXPECT_EQ(arg.cluster_uuid(), "test-cluster"); - EXPECT_EQ(arg.node_uuid(), "test-node"); -} - -// Test RCConnectionWrapper::connect() method with connection write failure. -TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { - // Create a mock connection that fails to write. - auto mock_connection = std::make_unique>(); - - // Set up connection expectations. - EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); - EXPECT_CALL(*mock_connection, addReadFilter(_)); - EXPECT_CALL(*mock_connection, connect()); - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - EXPECT_CALL(*mock_connection, write(_, _)).WillOnce(Invoke([](Buffer::Instance&, bool) -> void { - throw EnvoyException("Write failed"); - })); - - // Set up socket expectations. - auto mock_address = std::make_shared("192.168.1.1", 8080); - auto mock_local_address = std::make_shared("127.0.0.1", 12345); - - // Set up connection info provider expectations directly on the mock connection. - EXPECT_CALL(*mock_connection, connectionInfoProvider()) - .WillRepeatedly(Invoke([mock_address, - mock_local_address]() -> const Network::ConnectionInfoProvider& { - static auto mock_provider = - std::make_unique(mock_local_address, mock_address); - return *mock_provider; - })); - - // Create a mock host. - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call connect() method - should handle the write failure gracefully. - // The method should not throw but should handle the exception internally. - std::string result; - try { - result = wrapper.connect("test-tenant", "test-cluster", "test-node"); - } catch (const EnvoyException& e) { - // The connect() method doesn't handle exceptions, so we expect it to throw. - // This is the current behavior - the method should be updated to handle exceptions. - EXPECT_STREQ(e.what(), "Write failed"); - return; // Exit test early since exception was thrown - } - - // If no exception was thrown, verify connect() still returns the local address. - EXPECT_EQ(result, "127.0.0.1:12345"); -} - -// Test RCConnectionWrapper::onHandshakeSuccess method. -TEST_F(RCConnectionWrapperTest, OnHandshakeSuccess) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Set up mock thread local cluster. - auto mock_thread_local_cluster = std::make_shared>(); - EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) - .WillRepeatedly(Return(mock_thread_local_cluster.get())); - - // Set up priority set with hosts. - auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) - .WillRepeatedly(ReturnRef(*mock_priority_set)); - - // Create host map with a host. - auto host_map = std::make_shared(); - auto mock_host = createMockHost("192.168.1.1"); - (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); - - EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - - // Create HostConnectionInfo entry. - addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - Upstream::MockHost::MockCreateConnectionData success_conn_data; - success_conn_data.connection_ = mock_connection.get(); - success_conn_data.host_description_ = mock_host; - - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); - - mock_connection.release(); - - // Call initiateOneReverseConnection to create the wrapper and add it to the map. - bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); - EXPECT_TRUE(result); - - // Verify wrapper was created and mapped. - const auto& connection_wrappers = getConnectionWrappers(); - EXPECT_EQ(connection_wrappers.size(), 1); - - const auto& wrapper_to_host_map = getConnWrapperToHostMap(); - EXPECT_EQ(wrapper_to_host_map.size(), 1); - - RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); - EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - - // Get initial stats before onHandshakeSuccess. - auto initial_stats = extension_->getCrossWorkerStatMap(); - std::string host_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; - std::string cluster_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; - - // Call onHandshakeSuccess. - wrapper_ptr->onHandshakeSuccess(); - - // Get stats after onHandshakeSuccess. - auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that connected stats were incremented. - EXPECT_EQ(final_stats[host_stat_name], initial_stats[host_stat_name] + 1); - EXPECT_EQ(final_stats[cluster_stat_name], initial_stats[cluster_stat_name] + 1); -} - -// Test RCConnectionWrapper::onHandshakeFailure method. -TEST_F(RCConnectionWrapperTest, OnHandshakeFailure) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Set up mock thread local cluster. - auto mock_thread_local_cluster = std::make_shared>(); - EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) - .WillRepeatedly(Return(mock_thread_local_cluster.get())); - - // Set up priority set with hosts. - auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) - .WillRepeatedly(ReturnRef(*mock_priority_set)); - - // Create host map with a host. - auto host_map = std::make_shared(); - auto mock_host = createMockHost("192.168.1.1"); - (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); - - EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - - // Create HostConnectionInfo entry. - addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - - auto mock_connection = setupMockConnection(); - Upstream::MockHost::MockCreateConnectionData success_conn_data; - success_conn_data.connection_ = mock_connection.get(); - success_conn_data.host_description_ = mock_host; - - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); - - mock_connection.release(); - - // Call initiateOneReverseConnection to create the wrapper and add it to the map. - bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); - EXPECT_TRUE(result); - - // Verify wrapper was created and mapped. - const auto& connection_wrappers = getConnectionWrappers(); - EXPECT_EQ(connection_wrappers.size(), 1); - - const auto& wrapper_to_host_map = getConnWrapperToHostMap(); - EXPECT_EQ(wrapper_to_host_map.size(), 1); - - RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); - EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - - // Get initial stats before onHandshakeFailure. - auto initial_stats = extension_->getCrossWorkerStatMap(); - std::string host_failed_stat_name = "test_scope.reverse_connections.host.192.168.1.1.failed"; - std::string cluster_failed_stat_name = - "test_scope.reverse_connections.cluster.test-cluster.failed"; - - // Call onHandshakeFailure with an error message. - std::string error_message = "Handshake failed due to authentication error"; - wrapper_ptr->onHandshakeFailure(error_message); - - // Get stats after onHandshakeFailure. - auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that failed stats were incremented. - EXPECT_EQ(final_stats[host_failed_stat_name], initial_stats[host_failed_stat_name] + 1); - EXPECT_EQ(final_stats[cluster_failed_stat_name], initial_stats[cluster_failed_stat_name] + 1); -} - -// Test RCConnectionWrapper::onEvent method with RemoteClose event. -TEST_F(RCConnectionWrapperTest, OnEventRemoteClose) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Set up mock thread local cluster. - auto mock_thread_local_cluster = std::make_shared>(); - EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) - .WillRepeatedly(Return(mock_thread_local_cluster.get())); - - // Set up priority set with hosts. - auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) - .WillRepeatedly(ReturnRef(*mock_priority_set)); - - // Create host map with a host. - auto host_map = std::make_shared(); - auto mock_host = createMockHost("192.168.1.1"); - (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); - - EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - - // Create HostConnectionInfo entry. - addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - Upstream::MockHost::MockCreateConnectionData success_conn_data; - success_conn_data.connection_ = mock_connection.get(); - success_conn_data.host_description_ = mock_host; - - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); - - mock_connection.release(); - - // Call initiateOneReverseConnection to create the wrapper and add it to the map. - bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); - EXPECT_TRUE(result); - - // Verify wrapper was created and mapped. - const auto& connection_wrappers = getConnectionWrappers(); - EXPECT_EQ(connection_wrappers.size(), 1); - - const auto& wrapper_to_host_map = getConnWrapperToHostMap(); - EXPECT_EQ(wrapper_to_host_map.size(), 1); - - RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); - EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - - // Get initial stats before onEvent. - auto initial_stats = extension_->getCrossWorkerStatMap(); - std::string host_connected_stat_name = - "test_scope.reverse_connections.host.192.168.1.1.connected"; - std::string cluster_connected_stat_name = - "test_scope.reverse_connections.cluster.test-cluster.connected"; - - // Call onEvent with RemoteClose event. - wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); - - // Get stats after onEvent. - auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that the connection closure was handled gracefully. -} - -// Test RCConnectionWrapper::onEvent method with Connected event (should be ignored) -TEST_F(RCConnectionWrapperTest, OnEventConnected) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Set up mock thread local cluster. - auto mock_thread_local_cluster = std::make_shared>(); - EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) - .WillRepeatedly(Return(mock_thread_local_cluster.get())); - - // Set up priority set with hosts. - auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) - .WillRepeatedly(ReturnRef(*mock_priority_set)); - - // Create host map with a host. - auto host_map = std::make_shared(); - auto mock_host = createMockHost("192.168.1.1"); - (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); - - EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - - // Create HostConnectionInfo entry. - addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - Upstream::MockHost::MockCreateConnectionData success_conn_data; - success_conn_data.connection_ = mock_connection.get(); - success_conn_data.host_description_ = mock_host; - - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); - - mock_connection.release(); - - // Call initiateOneReverseConnection to create the wrapper and add it to the map. - bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); - EXPECT_TRUE(result); - - // Verify wrapper was created and mapped. - const auto& connection_wrappers = getConnectionWrappers(); - EXPECT_EQ(connection_wrappers.size(), 1); - - const auto& wrapper_to_host_map = getConnWrapperToHostMap(); - EXPECT_EQ(wrapper_to_host_map.size(), 1); - - RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); - EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - - // Get initial stats before onEvent. - auto initial_stats = extension_->getCrossWorkerStatMap(); - - // Call onEvent with Connected event (should be ignored) - wrapper_ptr->onEvent(Network::ConnectionEvent::Connected); - - // Get stats after onEvent. - auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that Connected event doesn't change stats (it should be ignored) - // The stats should remain the same. - EXPECT_EQ(final_stats, initial_stats); -} - -// Test RCConnectionWrapper::onEvent method with null connection. -TEST_F(RCConnectionWrapperTest, OnEventWithNullConnection) { - // Set up thread local slot first so stats can be properly tracked. - setupThreadLocalSlot(); - - // Set up mock thread local cluster. - auto mock_thread_local_cluster = std::make_shared>(); - EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) - .WillRepeatedly(Return(mock_thread_local_cluster.get())); - - // Set up priority set with hosts. - auto mock_priority_set = std::make_shared>(); - EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) - .WillRepeatedly(ReturnRef(*mock_priority_set)); - - // Create host map with a host. - auto host_map = std::make_shared(); - auto mock_host = createMockHost("192.168.1.1"); - (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); - - EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); - - // Create HostConnectionInfo entry. - addHostConnectionInfo("192.168.1.1", "test-cluster", 1); - - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - Upstream::MockHost::MockCreateConnectionData success_conn_data; - success_conn_data.connection_ = mock_connection.get(); - success_conn_data.host_description_ = mock_host; - - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); - - mock_connection.release(); - - // Call initiateOneReverseConnection to create the wrapper and add it to the map. - bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); - EXPECT_TRUE(result); - - // Verify wrapper was created and mapped. - const auto& connection_wrappers = getConnectionWrappers(); - EXPECT_EQ(connection_wrappers.size(), 1); - - const auto& wrapper_to_host_map = getConnWrapperToHostMap(); - EXPECT_EQ(wrapper_to_host_map.size(), 1); - - RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); - EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); - - // Get initial stats before onEvent. - auto initial_stats = extension_->getCrossWorkerStatMap(); - - // Call onEvent with RemoteClose event. - wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); - - // Get stats after onEvent. - auto final_stats = extension_->getCrossWorkerStatMap(); - - // Verify that the event was handled gracefully even with connection closure. - // The exact behavior depends on the implementation, but it should not crash. -} - -// Test RCConnectionWrapper::releaseConnection method. -TEST_F(RCConnectionWrapperTest, ReleaseConnection) { - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Verify connection exists before release. - EXPECT_NE(wrapper.getConnection(), nullptr); - - // Release the connection. - auto released_connection = wrapper.releaseConnection(); - - // Verify connection was released. - EXPECT_NE(released_connection, nullptr); - EXPECT_EQ(wrapper.getConnection(), nullptr); -} - -// Test RCConnectionWrapper::getConnection method. -TEST_F(RCConnectionWrapperTest, GetConnection) { - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Get the connection. - auto* connection = wrapper.getConnection(); - - // Verify connection is returned. - EXPECT_NE(connection, nullptr); - - // Test after release. - wrapper.releaseConnection(); - EXPECT_EQ(wrapper.getConnection(), nullptr); -} - -// Test RCConnectionWrapper::getHost method. -TEST_F(RCConnectionWrapperTest, GetHost) { - // Create a mock connection and host with proper socket setup. - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Get the host. - auto host = wrapper.getHost(); - - // Verify host is returned. - EXPECT_EQ(host, mock_host); -} - -// Test RCConnectionWrapper::onAboveWriteBufferHighWatermark method (no-op) -TEST_F(RCConnectionWrapperTest, OnAboveWriteBufferHighWatermark) { - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call onAboveWriteBufferHighWatermark - should be a no-op. - wrapper.onAboveWriteBufferHighWatermark(); -} - -// Test RCConnectionWrapper::onBelowWriteBufferLowWatermark method (no-op) -TEST_F(RCConnectionWrapperTest, OnBelowWriteBufferLowWatermark) { - // Create a mock connection with proper socket setup. - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Create RCConnectionWrapper with the mock connection. - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - // Call onBelowWriteBufferLowWatermark - should be a no-op. - wrapper.onBelowWriteBufferLowWatermark(); -} - -// Test RCConnectionWrapper::shutdown method. -TEST_F(RCConnectionWrapperTest, Shutdown) { - // Test 1: Shutdown with open connection. - { - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Set up connection expectations for open connection. - EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); - - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - EXPECT_NE(wrapper.getConnection(), nullptr); - wrapper.shutdown(); - EXPECT_EQ(wrapper.getConnection(), nullptr); - } - // Test 2: Shutdown with already closed connection. - { - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Set up connection expectations for closed connection. - EXPECT_CALL(*mock_connection, state()) - .WillRepeatedly(Return(Network::Connection::State::Closed)); - EXPECT_CALL(*mock_connection, close(_)) - .Times(0); // Should not call close on already closed connection - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12346)); - - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - EXPECT_NE(wrapper.getConnection(), nullptr); - wrapper.shutdown(); - EXPECT_EQ(wrapper.getConnection(), nullptr); - } - - // Test 3: Shutdown with closing connection. - { - auto mock_connection = setupMockConnection(); - auto mock_host = std::make_shared>(); - - // Set up connection expectations for closing connection. - EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); - EXPECT_CALL(*mock_connection, state()) - .WillRepeatedly(Return(Network::Connection::State::Closing)); - EXPECT_CALL(*mock_connection, close(_)) - .Times(0); // Should not call close on already closing connection - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12347)); - - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - EXPECT_NE(wrapper.getConnection(), nullptr); - wrapper.shutdown(); - EXPECT_EQ(wrapper.getConnection(), nullptr); - } - // Test 4: Shutdown with null connection (should be safe) - { - auto mock_host = std::make_shared>(); - - // Create wrapper with null connection. - RCConnectionWrapper wrapper(*io_handle_, nullptr, mock_host, "test-cluster"); - - EXPECT_EQ(wrapper.getConnection(), nullptr); - wrapper.shutdown(); // Should not crash - EXPECT_EQ(wrapper.getConnection(), nullptr); - } - // Test 5: Multiple shutdown calls (should be safe) - { - auto mock_connection = std::make_unique>(); - auto mock_host = std::make_shared>(); - - // Set up connection expectations. - EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); - EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); - EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); - EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12348)); - - RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); - - EXPECT_NE(wrapper.getConnection(), nullptr); - - // First shutdown. - wrapper.shutdown(); - EXPECT_EQ(wrapper.getConnection(), nullptr); - - // Second shutdown (should be safe) - wrapper.shutdown(); - EXPECT_EQ(wrapper.getConnection(), nullptr); - } -} - -// Test SimpleConnReadFilter::onData method. -class SimpleConnReadFilterTest : public testing::Test { -protected: - void SetUp() override { - stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); - - // Create a mock IO handle. - auto mock_io_handle = std::make_unique>(); - io_handle_ = std::make_unique( - 7, // dummy fd - ReverseConnectionSocketConfig{}, cluster_manager_, - nullptr, // extension - *stats_scope_); // Use the created scope - } - - void TearDown() override { io_handle_.reset(); } - - // Helper to create a mock RCConnectionWrapper. - std::unique_ptr createMockWrapper() { - auto mock_connection = std::make_unique>(); - auto mock_host = std::make_shared>(); - return std::make_unique(*io_handle_, std::move(mock_connection), mock_host, - "test-cluster"); - } - - // Helper to create SimpleConnReadFilter. - std::unique_ptr createFilter(void* parent) { - return std::make_unique(parent); - } - - NiceMock cluster_manager_; - Stats::IsolatedStoreImpl stats_store_; - Stats::ScopeSharedPtr stats_scope_; - std::unique_ptr io_handle_; -}; - -TEST_F(SimpleConnReadFilterTest, OnDataWithNullParent) { - // Create filter with null parent. - auto filter = createFilter(nullptr); - - // Create a buffer with some data. - Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); - - // Call onData - should return StopIteration when parent is null. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithHttp200Response) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP 200 response but invalid protobuf. - Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\nreverse connection accepted"); - - // Call onData - should return StopIteration for invalid response format. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2Response) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP/2 response but invalid protobuf. - Buffer::OwnedImpl buffer("HTTP/2 200\r\n\r\nACCEPTED"); - - // Call onData - should return StopIteration for invalid response format. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithIncompleteHeaders) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with incomplete HTTP headers. - Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"); - - // Call onData - should return Continue for incomplete headers. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::Continue); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithEmptyResponseBody) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP 200 but empty body. - Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); - - // Call onData - should return Continue for empty body. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::Continue); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithNon200Response) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP 404 response. - Buffer::OwnedImpl buffer("HTTP/1.1 404 Not Found\r\n\r\n"); - - // Call onData - should return StopIteration for error response. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2ErrorResponse) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with HTTP/2 error response. - Buffer::OwnedImpl buffer("HTTP/2 500\r\n\r\n"); - - // Call onData - should return StopIteration for error response. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a buffer with partial data (no HTTP response yet) - Buffer::OwnedImpl buffer("partial data"); - - // Call onData - should return Continue for partial data. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::Continue); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithProtobufResponse) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a proper ReverseConnHandshakeRet protobuf response. - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::ACCEPTED); - ret.set_status_message("Connection accepted"); - - std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) - std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; - Buffer::OwnedImpl buffer(http_response); - - // Call onData - should return StopIteration for successful protobuf response. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - -TEST_F(SimpleConnReadFilterTest, OnDataWithRejectedProtobufResponse) { - // Create wrapper and filter. - auto wrapper = createMockWrapper(); - auto filter = createFilter(wrapper.get()); - - // Create a ReverseConnHandshakeRet protobuf response with REJECTED status. - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; - ret.set_status(envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet::REJECTED); - ret.set_status_message("Connection rejected by server"); - - std::string protobuf_data = ret.SerializeAsString(); // NOLINT(protobuf-use-MessageUtil-hash) - std::string http_response = "HTTP/1.1 200 OK\r\n\r\n" + protobuf_data; - Buffer::OwnedImpl buffer(http_response); - - // Call onData - should return StopIteration for rejected protobuf response. - auto result = filter->onData(buffer, false); - EXPECT_EQ(result, Network::FilterStatus::StopIteration); -} - // Test ReverseConnectionIOHandle::accept() method - trigger pipe edge cases. TEST_F(ReverseConnectionIOHandleTest, AcceptMethodTriggerPipeEdgeCases) { setupThreadLocalSlot(); diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index 25105c3b83c2d..607f4e8222b0f 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -58,9 +58,9 @@ envoy_cc_test( ) envoy_cc_test( - name = "reverse_connection_io_handle_test", + name = "upstream_reverse_connection_io_handle_test", size = "medium", - srcs = ["reverse_connection_io_handle_test.cc"], + srcs = ["upstream_reverse_connection_io_handle_test.cc"], deps = [ "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", "//test/mocks/network:network_mocks", diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc similarity index 88% rename from test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle_test.cc rename to test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc index fc0aed483f087..bac0d7fdb1bf8 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc @@ -18,9 +18,9 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -class TestUpstreamReverseConnectionIOHandle : public testing::Test { +class UpstreamReverseConnectionIOHandleTest : public testing::Test { protected: - TestUpstreamReverseConnectionIOHandle() { + UpstreamReverseConnectionIOHandleTest() { mock_socket_ = std::make_unique>(); auto mock_io_handle = std::make_unique>(); @@ -39,7 +39,7 @@ class TestUpstreamReverseConnectionIOHandle : public testing::Test { std::unique_ptr io_handle_; }; -TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { +TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); auto result = io_handle_->connect(address); @@ -48,19 +48,19 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { EXPECT_EQ(result.errno_, 0); } -TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { +TEST_F(UpstreamReverseConnectionIOHandleTest, CloseCleansUpSocket) { auto result = io_handle_->close(); EXPECT_EQ(result.err_, nullptr); } -TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { +TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsConstReference) { const auto& socket = io_handle_->getSocket(); EXPECT_NE(&socket, nullptr); } -TEST_F(TestUpstreamReverseConnectionIOHandle, ShutdownIgnoredWhenOwned) { +TEST_F(UpstreamReverseConnectionIOHandleTest, ShutdownIgnoredWhenOwned) { auto result = io_handle_->shutdown(SHUT_RDWR); EXPECT_EQ(result.return_value_, 0); EXPECT_EQ(result.errno_, 0); From a8f2974f57c1e46cfd7579246f1d57286a655e6a Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 5 Sep 2025 06:44:00 +0000 Subject: [PATCH 364/505] http filter changes Signed-off-by: Basundhara Chakrabarty --- .../filters/http/reverse_conn/BUILD | 2 +- .../http/reverse_conn/reverse_conn_filter.cc | 2 +- .../http/reverse_conn/reverse_conn_filter.h | 2 +- .../filters/http/reverse_conn/BUILD | 2 ++ .../reverse_conn/reverse_conn_filter_test.cc | 22 +++++++++++-------- 5 files changed, 18 insertions(+), 12 deletions(-) diff --git a/source/extensions/filters/http/reverse_conn/BUILD b/source/extensions/filters/http/reverse_conn/BUILD index 546d9b9bc2462..cc94afbd25467 100644 --- a/source/extensions/filters/http/reverse_conn/BUILD +++ b/source/extensions/filters/http/reverse_conn/BUILD @@ -37,9 +37,9 @@ envoy_cc_extension( "//source/common/network:connection_socket_lib", "//source/common/network:filter_lib", "//source/common/protobuf:utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", - "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index fbc8f65e22146..22ec30fcc5098 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -21,7 +21,7 @@ namespace HttpFilters { namespace ReverseConn { // Using statement for the new proto namespace -namespace ReverseConnectionHandshake = envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface; +namespace ReverseConnectionHandshake = envoy::extensions::bootstrap::reverse_tunnel; const std::string ReverseConnFilter::reverse_connections_path = "/reverse_connections"; const std::string ReverseConnFilter::reverse_connections_request_path = diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h index 823b032d24704..74b20715f6f54 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.h @@ -1,6 +1,5 @@ #pragma once -#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.validate.h" #include "envoy/http/async_client.h" @@ -13,6 +12,7 @@ #include "source/common/http/utility.h" #include "source/common/network/filter_impl.h" #include "source/common/protobuf/protobuf.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" diff --git a/test/extensions/filters/http/reverse_conn/BUILD b/test/extensions/filters/http/reverse_conn/BUILD index ee9722bd61f81..47fdc349e5408 100644 --- a/test/extensions/filters/http/reverse_conn/BUILD +++ b/test/extensions/filters/http/reverse_conn/BUILD @@ -25,6 +25,8 @@ envoy_cc_test( "//test/mocks/network:network_mocks", "//test/mocks/server:factory_context_mocks", "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/http/reverse_conn/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc index 02e6d72f747f5..2313c1290d7b6 100644 --- a/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc +++ b/test/extensions/filters/http/reverse_conn/reverse_conn_filter_test.cc @@ -2,7 +2,6 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/filters/http/reverse_conn/v3/reverse_conn.pb.h" -#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "envoy/network/connection.h" #include "source/common/buffer/buffer_impl.h" @@ -13,6 +12,7 @@ #include "source/common/network/socket_interface.h" #include "source/common/network/socket_interface_impl.h" #include "source/common/protobuf/protobuf.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "source/extensions/filters/http/reverse_conn/reverse_conn_filter.h" #include "test/mocks/event/mocks.h" @@ -212,7 +212,8 @@ class ReverseConnFilterTest : public testing::Test { // Helper function to create a protobuf handshake argument std::string createHandshakeArg(const std::string& tenant_uuid, const std::string& cluster_uuid, const std::string& node_uuid) { - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: + ReverseConnHandshakeArg arg; arg.set_tenant_uuid(tenant_uuid); arg.set_cluster_uuid(cluster_uuid); arg.set_node_uuid(node_uuid); @@ -689,10 +690,11 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionInvalidProtobufParseFailure EXPECT_EQ(code, Http::Code::BadGateway); // Deserialize the protobuf response to check the actual message - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: + ReverseConnHandshakeRet ret; EXPECT_TRUE(ret.ParseFromString(std::string(body))); - EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: - ReverseConnHandshakeRet::REJECTED); + EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_tunnel:: + downstream_socket_interface::ReverseConnHandshakeRet::REJECTED); EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); })); @@ -727,7 +729,8 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { auto filter = createFilter(); // Create protobuf with empty node_uuid - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg arg; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeArg + arg; arg.set_tenant_uuid("tenant-123"); arg.set_cluster_uuid("cluster-456"); arg.set_node_uuid(""); // Empty node_uuid @@ -749,10 +752,11 @@ TEST_F(ReverseConnFilterTest, AcceptReverseConnectionEmptyNodeUuid) { EXPECT_EQ(code, Http::Code::BadGateway); // Deserialize the protobuf response to check the actual message - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::ReverseConnHandshakeRet ret; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: + ReverseConnHandshakeRet ret; EXPECT_TRUE(ret.ParseFromString(std::string(body))); - EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface:: - ReverseConnHandshakeRet::REJECTED); + EXPECT_EQ(ret.status(), envoy::extensions::bootstrap::reverse_tunnel:: + downstream_socket_interface::ReverseConnHandshakeRet::REJECTED); EXPECT_EQ(ret.status_message(), "Failed to parse request message or required fields missing"); })); From c1dce9809ac94c13d13ce2176efc99ca3becee5e Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Fri, 5 Sep 2025 06:44:41 +0000 Subject: [PATCH 365/505] format files Signed-off-by: Basundhara Chakrabarty --- source/common/network/connection_impl.cc | 70 ++++++++++++++----- source/common/network/connection_impl_base.cc | 1 + source/common/network/io_socket_handle_impl.h | 7 +- .../grpc_reverse_tunnel_client.cc | 3 +- .../grpc_reverse_tunnel_service.cc | 3 +- .../backup_files/trigger_mechanism.cc | 3 +- .../filters/network/reverse_conn/BUILD | 3 +- .../reverse_conn/reverse_conn_filter.cc | 3 +- .../reverse_conn/reverse_conn_filter.h | 2 +- 9 files changed, 68 insertions(+), 27 deletions(-) diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index 127d24bdee621..d36c243f656ea 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -91,7 +91,8 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt enable_close_through_filter_manager_(Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.connection_close_through_filter_manager")) { - if (socket_ == nullptr || !socket_->isOpen()) { + ENVOY_CONN_LOG(debug, "ConnectionImpl constructor called", *this); + if (!socket_->isOpen()) { IS_ENVOY_BUG("Client socket failure"); return; } @@ -103,9 +104,15 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt // We never ask for both early close and read at the same time. If we are reading, we want to // consume all available data. + ENVOY_CONN_LOG( + debug, "Initializing file event with callback that captures this={}, connection_id={}, fd={}", + *this, static_cast(this), id(), socket_->ioHandle().fdDoNotUse()); + socket_->ioHandle().initializeFileEvent( dispatcher_, [this](uint32_t events) { + ENVOY_CONN_LOG(debug, "File event callback ENTRY - this={}, connection_id={}, events={}", + *this, static_cast(this), id(), events); onFileEvent(events); return absl::OkStatus(); }, @@ -120,11 +127,13 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt } ConnectionImpl::~ConnectionImpl() { - ENVOY_CONN_LOG(trace, - "ConnectionImpl destructor called, socket_={}, socket_isOpen={}, " - "delayed_close_timer_={}, reuse_socket_={}", - *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, - delayed_close_timer_ ? "not_null" : "null", static_cast(reuse_socket_)); + ENVOY_CONN_LOG(debug, + "ConnectionImpl destructor ENTRY - this={}, socket_={}, socket_isOpen={}, " + "delayed_close_timer_={}, reuse_socket_={}, connection_id={}, fd={}", + *this, static_cast(this), socket_ ? "not_null" : "null", + socket_ ? socket_->isOpen() : false, delayed_close_timer_ ? "not_null" : "null", + static_cast(reuse_socket_), id(), + socket_ ? socket_->ioHandle().fdDoNotUse() : -1); if (reuse_socket_) { ENVOY_CONN_LOG(trace, "ConnectionImpl destructor called, reuse_socket_=true, skipping close", @@ -132,9 +141,6 @@ ConnectionImpl::~ConnectionImpl() { return; } - ASSERT((socket_ == nullptr || !socket_->isOpen()) && delayed_close_timer_ == nullptr, - "ConnectionImpl destroyed with open socket and/or active timer"); - // In general we assume that owning code has called close() previously to the destructor being // run. This generally must be done so that callbacks run in the correct context (vs. deferred // deletion). Hence the assert above. However, call close() here just to be completely sure that @@ -159,6 +165,12 @@ void ConnectionImpl::removeReadFilter(ReadFilterSharedPtr filter) { bool ConnectionImpl::initializeReadFilters() { return filter_manager_.initializeReadFilters(); } void ConnectionImpl::close(ConnectionCloseType type) { + ENVOY_CONN_LOG( + debug, + "ConnectionImpl::close() ENTRY - this={}, type={}, connection_id={}, fd={}, socket_isOpen={}", + *this, static_cast(this), static_cast(type), id(), + socket_ ? socket_->ioHandle().fdDoNotUse() : -1, socket_ ? socket_->isOpen() : false); + if (!socket_->isOpen()) { ENVOY_CONN_LOG_EVENT(debug, "connection_closing", "Not closing conn, socket object is null or socket is not open", *this); @@ -305,10 +317,12 @@ void ConnectionImpl::setDetectedCloseType(DetectedCloseType close_type) { } void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_action) { + ENVOY_LOG_MISC(debug, "ConnectionImpl: closeThroughFilterManager() called."); if (!socket_->isOpen()) { + ENVOY_LOG_MISC(debug, "socket is not open"); return; } - + ENVOY_LOG_MISC(debug, "socket is open"); if (!enable_close_through_filter_manager_) { ENVOY_CONN_LOG(trace, "connection is closing not through the filter manager", *this); closeConnection(close_action); @@ -324,7 +338,6 @@ void ConnectionImpl::closeSocket(ConnectionEvent close_type) { socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false); if (!socket_->isOpen()) { - ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); return; } @@ -449,7 +462,8 @@ void ConnectionImpl::onRead(uint64_t read_buffer_size) { } read_end_stream_raised_ = true; } - + ENVOY_CONN_LOG(debug, "calling filter_manager_.onRead() - connection_id={}, fd={}", *this, id(), + socket_->ioHandle().fdDoNotUse()); filter_manager_.onRead(); } @@ -680,7 +694,7 @@ void ConnectionImpl::setFailureReason(absl::string_view failure_reason) { void ConnectionImpl::onFileEvent(uint32_t events) { ScopeTrackerScopeState scope(this, this->dispatcher_); - ENVOY_CONN_LOG(trace, "socket event: {}", *this, events); + ENVOY_CONN_LOG(debug, "onFileEvent() ENTRY", *this); if (immediate_error_event_ == ConnectionEvent::LocalClose || immediate_error_event_ == ConnectionEvent::RemoteClose) { @@ -719,12 +733,27 @@ void ConnectionImpl::onFileEvent(uint32_t events) { // It's possible for a write event callback to close the socket (which will cause fd_ to be -1). // In this case ignore read event processing. + ENVOY_CONN_LOG(debug, "onFileEvent() read check - socket_isOpen={}, readEvent={}, fd={}", *this, + socket_ ? socket_->isOpen() : false, + (events & Event::FileReadyType::Read) ? "true" : "false", + socket_ ? socket_->ioHandle().fdDoNotUse() : -1); + if (socket_->isOpen() && (events & Event::FileReadyType::Read)) { + ENVOY_CONN_LOG(debug, "onFileEvent() calling onReadReady() - connection_id={}, fd={}", *this, + id(), socket_->ioHandle().fdDoNotUse()); onReadReady(); + } else { + ENVOY_CONN_LOG(debug, + "onFileEvent() NOT calling onReadReady() - socket_={}, isOpen={}, readEvent={}", + *this, socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false, + (events & Event::FileReadyType::Read) ? "true" : "false"); } } void ConnectionImpl::onReadReady() { + ENVOY_CONN_LOG(debug, "onReadReady() ENTRY - socket_={}, state={}, id={}", *this, + socket_ ? "not_null" : "null", static_cast(state()), id()); + ENVOY_CONN_LOG(trace, "read ready. dispatch_buffered_data={}", *this, static_cast(dispatch_buffered_data_)); const bool latched_dispatch_buffered_data = dispatch_buffered_data_; @@ -753,7 +782,9 @@ void ConnectionImpl::onReadReady() { } return; } - + ENVOY_CONN_LOG(debug, + "onReadReady() calling transport_socket_->doRead() - connection_id={}, fd={}", + *this, id(), socket_->ioHandle().fdDoNotUse()); // Clear transport_wants_read_ just before the call to doRead. This is the only way to ensure that // the transport socket read resumption happens as requested; onReadReady() returns early without // reading from the transport if the read buffer is above high watermark at the start of the @@ -762,7 +793,9 @@ void ConnectionImpl::onReadReady() { IoResult result = transport_socket_->doRead(*read_buffer_); uint64_t new_buffer_size = read_buffer_->length(); updateReadBufferStats(result.bytes_processed_, new_buffer_size); - + ENVOY_CONN_LOG(debug, + "onReadReady() transport_socket_->doRead() returned - connection_id={}, fd={}", + *this, id(), socket_->ioHandle().fdDoNotUse()); // The socket is closed immediately when receiving RST. if (result.err_code_.has_value() && result.err_code_ == Api::IoError::IoErrorCode::ConnectionReset) { @@ -789,6 +822,8 @@ void ConnectionImpl::onReadReady() { } read_end_stream_ |= result.end_stream_read_; + ENVOY_CONN_LOG(debug, "calling onRead() - connection_id={}, fd={}", *this, id(), + socket_->ioHandle().fdDoNotUse()); if (result.bytes_processed_ != 0 || result.end_stream_read_ || (latched_dispatch_buffered_data && read_buffer_->length() > 0)) { // Skip onRead if no bytes were processed unless we explicitly want to force onRead for @@ -796,7 +831,8 @@ void ConnectionImpl::onReadReady() { // more data. onRead(new_buffer_size); } - + ENVOY_CONN_LOG(debug, "onRead() returned - connection_id={}, fd={}", *this, id(), + socket_->ioHandle().fdDoNotUse()); // The read callback may have already closed the connection. if (result.action_ == PostIoAction::Close || bothSidesHalfClosed()) { ENVOY_CONN_LOG(debug, "remote close", *this); @@ -953,6 +989,8 @@ bool ConnectionImpl::setSocketOption(Network::SocketOptionName name, absl::Span< Api::SysCallIntResult result = SocketOptionImpl::setSocketOption(*socket_, name, value.data(), value.size()); if (result.return_value_ != 0) { + ENVOY_LOG(warn, "Setting option on socket failed, errno: {}, message: {}", result.errno_, + errorDetails(result.errno_)); return false; } diff --git a/source/common/network/connection_impl_base.cc b/source/common/network/connection_impl_base.cc index e047afd0382ef..487e4d1a70923 100644 --- a/source/common/network/connection_impl_base.cc +++ b/source/common/network/connection_impl_base.cc @@ -63,6 +63,7 @@ void ConnectionImplBase::raiseConnectionEvent(ConnectionEvent event) { } if (callback != nullptr) { + ENVOY_LOG_MISC(debug, "ConnectionImplBase: calling onEvent()"); callback->onEvent(event); } } diff --git a/source/common/network/io_socket_handle_impl.h b/source/common/network/io_socket_handle_impl.h index 28430cc9eac4e..80fa3f451974b 100644 --- a/source/common/network/io_socket_handle_impl.h +++ b/source/common/network/io_socket_handle_impl.h @@ -75,7 +75,12 @@ class IoSocketHandleImpl : public IoSocketHandleBaseImpl { void activateFileEvents(uint32_t events) override; void enableFileEvents(uint32_t events) override; - void resetFileEvents() override { file_event_.reset(); } + void resetFileEvents() override { + ENVOY_LOG_MISC(debug, "IoSocketHandleImpl::resetFileEvents() called for fd={}, file_event_={}", + fd_, file_event_ ? "not_null" : "null"); + file_event_.reset(); + ENVOY_LOG_MISC(debug, "IoSocketHandleImpl::resetFileEvents() completed for fd={}", fd_); + } Api::SysCallIntResult shutdown(int how) override; diff --git a/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.cc b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.cc index 4fac6d616a82c..453c700101c71 100644 --- a/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.cc +++ b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_client.cc @@ -1,5 +1,3 @@ -#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" - #include #include @@ -9,6 +7,7 @@ #include "source/common/common/logger.h" #include "source/common/grpc/typed_async_client.h" #include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_client.h" #include "absl/strings/str_cat.h" diff --git a/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.cc b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.cc index 520b6a88c9228..e10b551b1d099 100644 --- a/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.cc +++ b/source/extensions/bootstrap/reverse_tunnel/backup_files/grpc_reverse_tunnel_service.cc @@ -1,5 +1,3 @@ -#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h" - #include #include @@ -9,6 +7,7 @@ #include "source/common/common/logger.h" #include "source/common/network/address_impl.h" #include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/grpc_reverse_tunnel_service.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "absl/strings/str_cat.h" diff --git a/source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.cc b/source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.cc index 11a307c651e6d..d5b086eec76fb 100644 --- a/source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.cc +++ b/source/extensions/bootstrap/reverse_tunnel/backup_files/trigger_mechanism.cc @@ -1,11 +1,10 @@ -#include "source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.h" - #include #include #include #include "source/common/common/assert.h" +#include "source/extensions/bootstrap/reverse_tunnel/trigger_mechanism.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/filters/network/reverse_conn/BUILD b/source/extensions/filters/network/reverse_conn/BUILD index 003c93d846c65..de441b2795ca6 100644 --- a/source/extensions/filters/network/reverse_conn/BUILD +++ b/source/extensions/filters/network/reverse_conn/BUILD @@ -33,11 +33,10 @@ envoy_cc_library( "//source/common/common:minimal_logger_lib", "//source/common/network:filter_impl_lib", "//source/common/protobuf:protobuf_lib", - "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", "//source/extensions/filters/network/generic_proxy/interface:filter_lib", "//source/extensions/filters/network/generic_proxy/interface:stream_lib", "//source/extensions/filters/network/reverse_conn/v3:reverse_conn_proto", - "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", ], ) diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc index fd7e59c418260..28a18b29bd4d4 100644 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc @@ -22,7 +22,8 @@ namespace NetworkFilters { namespace ReverseConn { // Using statement for the new proto namespace -using ReverseConnectionHandshake = envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface; +using ReverseConnectionHandshake = + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface; // Static constants const std::string ReverseConnFilter::REVERSE_CONNECTIONS_REQUEST_PATH = diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h index 71df9fd0d8a71..8ee722348be5f 100644 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h +++ b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h @@ -1,6 +1,5 @@ #pragma once -#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "envoy/network/filter.h" #include "envoy/upstream/cluster_manager.h" @@ -8,6 +7,7 @@ #include "source/common/common/logger.h" #include "source/common/network/filter_impl.h" #include "source/common/protobuf/protobuf.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" #include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" #include "source/extensions/filters/network/generic_proxy/interface/filter.h" #include "source/extensions/filters/network/generic_proxy/interface/stream.h" From 7bbfd62be49228767f90b38512b547263a296441 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 5 Sep 2025 02:48:34 -0700 Subject: [PATCH 366/505] changelog: fix typos in the current changelogs and clean them up (#40993) ## Description This PR fixes the changelog style and clean it up. There are a few issues with the styling and rendering. --- **Commit Message:** changelog: fix typos in the current changelogs and clean them up **Additional Description:** This PR fixes the changelog style and clean it up. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 80 +++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 39 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 379f75d9a6585..27aa9e760a1d0 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -3,17 +3,18 @@ date: Pending behavior_changes: - area: http change: | - The route refresh will now results in a tracing refresh. The trace sampling decision and decoration - of new route will be applied to the active span. + A route refresh will now result in a tracing refresh. The trace sampling decision and decoration + of the new route will be applied to the active span. This change can be reverted by setting the runtime guard ``envoy.reloadable_features.trace_refresh_after_route_refresh`` to ``false``. Note, if :ref:`pack_trace_reason ` is set - to ``true`` (it is ``true`` by default), then a request have been marked as traced may cannot be - unmarked as traced after the tracing refresh. + to ``true`` (it is ``true`` by default), a request marked as traced cannot be unmarked as traced + after the tracing refresh. - area: ext_proc change: | - Reverted https://github.com/envoyproxy/envoy/pull/39740 to re-enable fail_open+FULL_DUPLEX_STREAMED configuration combination. + Reverted `#39740 `_ to re-enable ``fail_open`` + + ``FULL_DUPLEX_STREAMED`` configuration combination. minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* @@ -25,52 +26,53 @@ minor_behavior_changes: reach the configured size but has been held for more than 15 seconds, it will be sent immediately. - area: websocket change: | - Allow 4xx and 5xx to go through the filter chain for websocket handshake response check, and the behaviour can be disabled - by a runtime ``envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain``. + Allow 4xx and 5xx to go through the filter chain for websocket handshake response check, and the behavior can be + disabled by the runtime guard ``envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain``. - area: testing change: | - In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader`` and ``HeaderHasValueRef`` + In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader``, and ``HeaderHasValueRef`` must be replaced with ``ContainsHeader``. Any uses of matcher ``HeaderHasValue(...)`` should be replaced with ``::testing::Pointee(ContainsHeader(...))``. - area: generic_proxy change: | - Generic proxy codec add the same buffer limit as connection buffer limit, if the buffer limit is + Generic proxy codec adds the same buffer limit as the connection buffer limit. If the buffer limit is exceeded, the connection is disconnected. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.generic_proxy_codec_buffer_limit`` to ``false``. - area: http3 change: | - turn off HTTP/3 happy eyeball in upstream via runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. - It is found to favor TCP over QUIC when UDP does not work on v6 network but works on v4. + Turn off HTTP/3 happy eyeballs in upstream via runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. + It was found to favor TCP over QUIC when UDP does not work on IPv6 but works on IPv4. - area: mobile change: | - Explicitly drain connections upon network change events regardless of whether the DNS cache is refreshed or not. This behavior - can be reverted by setting the runtime guard ``envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh`` - to false. + Explicitly drain connections upon network change events regardless of whether the DNS cache is refreshed or not. + This behavior can be reverted by setting the runtime guard + ``envoy.reloadable_features.decouple_explicit_drain_pools_and_dns_refresh`` to ``false``. - area: http change: | - Adds accounting for decompressed HTTP header bytes sent and received. Existing stats only count wire-encoded header bytes. + Added accounting for decompressed HTTP header bytes sent and received. Existing stats only count wire-encoded header bytes. This can be accessed through the ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and the - ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access_log command operators. + ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access log command operators. - area: oauth2 change: | - Added response code details to 401 local responses generated by the OAuth2 filter. + Added response code details to ``401`` local responses generated by the OAuth2 filter. - area: ext_proc change: | If :ref:`failure_mode_allow ` is true, - save the grpc failure status code returned from the ext_proc server in the filter state. - Previously all fail-open cases would return call_status Grpc::Status::Aborted. + save the gRPC failure status code returned from the ext_proc server in the filter state. + Previously, all fail-open cases would return ``call_status`` ``Grpc::Status::Aborted``. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* - area: udp_proxy change: | - Fixed a crash in the UDP proxy that occurred during ENVOY_SIGTERM when active tunneling sessions were present. + Fixed a crash in the UDP proxy that occurred during ``ENVOY_SIGTERM`` when active tunneling sessions were present. - area: geoip change: | - Fixed a bug in the maxmind provider where the found_entry field in the lookup result was not checked before trying to populate - headers with data. If this field is not checked the provider could try to populate headers with wrong data, as per the - documentation for the Maxmind library https://github.com/maxmind/libmaxminddb/blob/main/doc/libmaxminddb.md#mmdb_lookup_result_s. + Fixed a bug in the MaxMind provider where the ``found_entry`` field in the lookup result was not checked before + trying to populate headers with data. If this field is not checked the provider could try to populate headers + with wrong data, as per the documentation for the MaxMind library + `libmaxminddb.md `_. - area: http3 change: | Fixed a bug where access log gets skipped for HTTP/3 requests when the stream is half closed. This behavior can be @@ -93,7 +95,7 @@ bug_fixes: The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. - area: aws change: | - Adds missing session name, session duration and externalid parameters in assumerole credentials provider. + Added missing session name, session duration, and ``external_id`` parameters in AssumeRole credentials provider. - area: oauth2 change: | Fixed a bug introduced in PR [#40228](https://github.com/envoyproxy/envoy/pull/40228), where OAuth2 cookies were @@ -105,15 +107,15 @@ bug_fixes: Fixed a bug where the metric name ``expiration_unix_time_seconds`` of ``cluster..ssl.certificate..`` and ``listener.
.ssl.certificate..`` - was not being properly extracted in the final prometheus stat name. + was not being properly extracted in the final Prometheus stat name. - area: oauth2 change: | Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a - Secure attribute. + ``Secure`` attribute. - area: dns change: | - Fixed an UAF in DNS cache that can occur when the Host header is modified between the Dynamic Forwarding and Router - filters. + Fixed a use-after-free (UAF) in DNS cache that can occur when the ``Host`` header is modified between the Dynamic + Forwarding Proxy and Router filters. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` @@ -254,7 +256,7 @@ new_features: specifying a Linux network namespace filepath for socket creation, enabling network isolation in containerized environments. - area: ratelimit change: | - Add the :ref:`rate_limits + Added the :ref:`rate_limits ` field to generate rate limit descriptors. If this field is set, the :ref:`VirtualHost.rate_limits` or @@ -263,10 +265,10 @@ new_features: will take precedence over this field. - area: redis change: | - Added support for ``GEOSEARCH``and ``GETEX``. + Added support for ``GEOSEARCH`` and ``GETEX``. - area: observability change: | - Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in produiction environments. + Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in production environments. - area: dns_filter, redis_proxy and prefix_matcher_map change: | Switch to using Radix Tree instead of Trie for performance improvements. @@ -282,10 +284,10 @@ new_features: endpoint statistics and metrics, but only for endpoints with updated stats, optimizing report size and efficiency. - area: overload management change: | - Added load shed point ``envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch`` - that sends ``GOAWAY`` AND closes connections for HTTP2 server processing of requests. When - a ``GOAWAY`` frame is submitted by this the counter ``http2.goaway_sent`` will be - incremented. + Added load shed point ``envoy.load_shed_points.http2_server_go_away_and_close_on_dispatch`` + that sends ``GOAWAY`` and closes connections for HTTP/2 server processing of requests. When + a ``GOAWAY`` frame is submitted by this load shed point, the counter ``http2.goaway_sent`` will be + incremented. - area: router change: | Added :ref:`request_body_buffer_limit @@ -318,7 +320,7 @@ new_features: The default value ``USE_B3`` maintains backward compatibility with B3-only behavior. - area: composite change: | - Allow composite filter to be configured to insert a filter into filter chain outside of the decode headers lifecycle phase. + Allow composite filter to be configured to insert a filter into the filter chain outside of the decode headers lifecycle phase. - area: rbac change: | Switch the IP matcher to use LC-Trie for performance improvements. @@ -332,7 +334,7 @@ new_features: :ref:`Route object API ` for more details. - area: cel change: | - Add a new %TYPED_CEL% formatter command that, unlike %CEL%, can output non-string values (number, boolean, null, etc) + Added a new ``%TYPED_CEL%`` formatter command that, unlike ``%CEL%``, can output non-string values (number, boolean, null, etc.) when used in formatting contexts that accept non-string values, such as :ref:`json_format `. The new command is introduced so as to not break compatibility with the existing command's behavior. @@ -351,8 +353,8 @@ new_features: to allow for configuring a stream flush timeout independently from the stream idle timeout. - area: geoip change: | - Added a new metric ``db_build_epoch`` to track the build timestamp of the Maxmind geolocation database files. + Added a new metric ``db_build_epoch`` to track the build timestamp of the MaxMind geolocation database files. This can be used to monitor the freshness of the databases currently in use by the filter. - See https://maxmind.github.io/MaxMind-DB/#build_epoch for more details. + See `MaxMind DB build_epoch `_ for more details. deprecated: From 1d15ff7caf85aa938d1fc3de920f80dffee8c57d Mon Sep 17 00:00:00 2001 From: Ted Poole Date: Fri, 5 Sep 2025 14:05:10 +0100 Subject: [PATCH 367/505] ci: Don't run toolchain-test in non-envoy repos (#40996) Signed-off-by: Ted Poole --- .github/workflows/toolchain-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/toolchain-test.yml b/.github/workflows/toolchain-test.yml index fe85d7edc1e56..04c2c9ae3a64a 100644 --- a/.github/workflows/toolchain-test.yml +++ b/.github/workflows/toolchain-test.yml @@ -16,6 +16,7 @@ concurrency: jobs: toolchain-test: runs-on: ubuntu-22.04 + if: github.repository == 'envoyproxy/envoy' strategy: fail-fast: false matrix: From 7ced9f43c09576b7f6dc9fbd7c76333f57686d48 Mon Sep 17 00:00:00 2001 From: code Date: Sat, 6 Sep 2025 00:52:17 +0800 Subject: [PATCH 368/505] fix: fix substitution formatter for header mutation (#40905) In previous implementation, part of substitution commands could be used at header mutation and only could be used in the logging, like %TRACE_ID%. This PR try to make the header mutation could support as more as possible commands. This will close https://github.com/envoyproxy/envoy/issues/40698 Risk Level: low. Testing: unit. Docs Changes: n/a. Release Notes: added. Platform Specific Features: n/a. --------- Signed-off-by: WangBaiping Signed-off-by: code Co-authored-by: yanavlasov --- changelogs/current.yaml | 3 + envoy/formatter/http_formatter_context.h | 11 +- envoy/router/router.h | 2 + source/common/http/filter_manager.cc | 22 +- source/common/http/null_route_impl.h | 6 +- source/common/router/config_impl.cc | 7 +- source/common/router/config_impl.h | 4 +- source/common/router/delegating_route_impl.cc | 8 +- source/common/router/delegating_route_impl.h | 2 + source/common/router/router.cc | 21 +- .../router/weighted_cluster_specifier.cc | 15 +- .../http/header_mutation/header_mutation.cc | 23 +- .../http/header_mutation/header_mutation.h | 4 +- test/common/http/conn_manager_impl_test.cc | 11 +- test/common/router/config_impl_test.cc | 281 ++++++++++++------ .../router/delegating_route_impl_test.cc | 5 +- test/common/router/route_fuzz_test.cc | 3 +- test/common/router/router_2_test.cc | 10 +- test/common/router/router_test.cc | 13 +- .../header_mutation/header_mutation_test.cc | 52 +++- test/mocks/router/mocks.h | 17 +- test/tools/router_check/router.cc | 12 +- 22 files changed, 369 insertions(+), 163 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 27aa9e760a1d0..316b2373f7e1c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -87,6 +87,9 @@ bug_fixes: change: | Fixed a bug where the ``response_headers_to_add`` may be processed multiple times for the local responses from the router filter. +- area: formatter + change: | + Fixed a bug where the ``%TRACE_ID%`` command cannot work properly at the header mutations. - area: listeners change: | Fixed issue where :ref:`TLS inspector listener filter ` timed out diff --git a/envoy/formatter/http_formatter_context.h b/envoy/formatter/http_formatter_context.h index cdee09339cb84..8422a52db81ae 100644 --- a/envoy/formatter/http_formatter_context.h +++ b/envoy/formatter/http_formatter_context.h @@ -132,6 +132,15 @@ class HttpFormatterContext { */ AccessLogType accessLogType() const; + /** + * Set or overwrite the active span. + * @param active_span supplies the active span. + */ + HttpFormatterContext& setActiveSpan(const Tracing::Span& active_span) { + active_span_ = &active_span; + return *this; + } + /** * @return const Tracing::Span& the active span. */ @@ -163,7 +172,7 @@ class HttpFormatterContext { const Http::RequestHeaderMap* request_headers_{}; const Http::ResponseHeaderMap* response_headers_{}; const Http::ResponseTrailerMap* response_trailers_{}; - absl::string_view local_reply_body_{}; + absl::string_view local_reply_body_; AccessLogType log_type_{AccessLogType::NotSet}; const Tracing::Span* active_span_ = nullptr; OptRef extension_; diff --git a/envoy/router/router.h b/envoy/router/router.h index 0569f793f42cd..d37a0bd61968d 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -57,6 +57,7 @@ class ResponseEntry { * @param stream_info holds additional information about the request. */ virtual void finalizeResponseHeaders(Http::ResponseHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const PURE; /** @@ -941,6 +942,7 @@ class RouteEntry : public ResponseEntry { * or x-envoy-original-host header if host rewritten. */ virtual void finalizeRequestHeaders(Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info, bool keep_original_host_or_path) const PURE; diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc index 91f9f27a2e6c0..9e124fe23e8ca 100644 --- a/source/common/http/filter_manager.cc +++ b/source/common/http/filter_manager.cc @@ -46,6 +46,16 @@ void recordLatestDataFilter(typename Filters::Iterator current_filter, } } +void finalizeHeaders(FilterManagerCallbacks& callbacks, StreamInfo::StreamInfo& stream_info, + ResponseHeaderMap& headers) { + const Router::RouteConstSharedPtr& route = stream_info.route(); + if (route != nullptr && route->routeEntry() != nullptr) { + const Formatter::HttpFormatterContext formatter_context{ + callbacks.requestHeaders().ptr(), &headers, {}, {}, {}, &callbacks.activeSpan()}; + route->routeEntry()->finalizeResponseHeaders(headers, formatter_context, stream_info); + } +} + } // namespace void ActiveStreamFilterBase::commonContinue() { @@ -1077,9 +1087,7 @@ void DownstreamFilterManager::prepareLocalReplyViaFilterChain( prepared_local_reply_ = Utility::prepareLocalReply( Utility::EncodeFunctions{ [this, modify_headers](ResponseHeaderMap& headers) -> void { - if (streamInfo().route() && streamInfo().route()->routeEntry()) { - streamInfo().route()->routeEntry()->finalizeResponseHeaders(headers, streamInfo()); - } + finalizeHeaders(filter_manager_callbacks_, streamInfo(), headers); if (modify_headers) { modify_headers(headers); } @@ -1128,9 +1136,7 @@ void DownstreamFilterManager::sendLocalReplyViaFilterChain( state_.destroyed_, Utility::EncodeFunctions{ [this, modify_headers](ResponseHeaderMap& headers) -> void { - if (streamInfo().route() && streamInfo().route()->routeEntry()) { - streamInfo().route()->routeEntry()->finalizeResponseHeaders(headers, streamInfo()); - } + finalizeHeaders(filter_manager_callbacks_, streamInfo(), headers); if (modify_headers) { modify_headers(headers); } @@ -1161,9 +1167,7 @@ void DownstreamFilterManager::sendDirectLocalReply( state_.destroyed_, Utility::EncodeFunctions{ [this, modify_headers](ResponseHeaderMap& headers) -> void { - if (streamInfo().route() && streamInfo().route()->routeEntry()) { - streamInfo().route()->routeEntry()->finalizeResponseHeaders(headers, streamInfo()); - } + finalizeHeaders(filter_manager_callbacks_, streamInfo(), headers); if (modify_headers) { modify_headers(headers); } diff --git a/source/common/http/null_route_impl.h b/source/common/http/null_route_impl.h index 7e9c16fe203c0..ce2228fa9fbf5 100644 --- a/source/common/http/null_route_impl.h +++ b/source/common/http/null_route_impl.h @@ -134,13 +134,13 @@ struct RouteEntryImpl : public Router::RouteEntry { currentUrlPathAfterRewrite(const Http::RequestHeaderMap&) const override { return {}; } - void finalizeRequestHeaders(Http::RequestHeaderMap&, const StreamInfo::StreamInfo&, - bool) const override {} + void finalizeRequestHeaders(Http::RequestHeaderMap&, const Formatter::HttpFormatterContext&, + const StreamInfo::StreamInfo&, bool) const override {} Http::HeaderTransforms requestHeaderTransforms(const StreamInfo::StreamInfo&, bool) const override { return {}; } - void finalizeResponseHeaders(Http::ResponseHeaderMap&, + void finalizeResponseHeaders(Http::ResponseHeaderMap&, const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo&) const override {} Http::HeaderTransforms responseHeaderTransforms(const StreamInfo::StreamInfo&, bool) const override { diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index ae6df86f80d08..7059d996bea7e 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -910,12 +910,13 @@ void RouteEntryImplBase::finalizeHostHeader(Http::RequestHeaderMap& headers, } void RouteEntryImplBase::finalizeRequestHeaders(Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info, bool keep_original_host_or_path) const { for (const HeaderParser* header_parser : getRequestHeaderParsers( /*specificity_ascend=*/vhost_->globalRouteConfig().mostSpecificHeaderMutationsWins())) { // Later evaluated header parser wins. - header_parser->evaluateHeaders(headers, stream_info); + header_parser->evaluateHeaders(headers, context, stream_info); } // Restore the port if this was a CONNECT request. @@ -940,12 +941,12 @@ void RouteEntryImplBase::finalizeRequestHeaders(Http::RequestHeaderMap& headers, } void RouteEntryImplBase::finalizeResponseHeaders(Http::ResponseHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const { for (const HeaderParser* header_parser : getResponseHeaderParsers( /*specificity_ascend=*/vhost_->globalRouteConfig().mostSpecificHeaderMutationsWins())) { // Later evaluated header parser wins. - header_parser->evaluateHeaders(headers, {stream_info.getRequestHeaders(), &headers}, - stream_info); + header_parser->evaluateHeaders(headers, context, stream_info); } } diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 0ccf576b8d76e..5122a0fe1e3c6 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -90,7 +90,7 @@ using RouteEntryImplBaseConstSharedPtr = std::shared_ptrfinalizeResponseHeaders(headers, stream_info); + Http::ResponseHeaderMap& headers, const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info) const { + return base_route_entry_->finalizeResponseHeaders(headers, context, stream_info); } Http::HeaderTransforms @@ -33,9 +34,10 @@ DelegatingRouteEntry::currentUrlPathAfterRewrite(const Http::RequestHeaderMap& h } void DelegatingRouteEntry::finalizeRequestHeaders(Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info, bool insert_envoy_original_path) const { - return base_route_entry_->finalizeRequestHeaders(headers, stream_info, + return base_route_entry_->finalizeRequestHeaders(headers, context, stream_info, insert_envoy_original_path); } diff --git a/source/common/router/delegating_route_impl.h b/source/common/router/delegating_route_impl.h index bb3ef724189d1..80871603ee6fb 100644 --- a/source/common/router/delegating_route_impl.h +++ b/source/common/router/delegating_route_impl.h @@ -80,6 +80,7 @@ class DelegatingRouteEntry : public DelegatingRouteBase { // Router::ResponseEntry void finalizeResponseHeaders(Http::ResponseHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; Http::HeaderTransforms responseHeaderTransforms(const StreamInfo::StreamInfo& stream_info, bool do_formatting = true) const override; @@ -91,6 +92,7 @@ class DelegatingRouteEntry : public DelegatingRouteBase { absl::optional currentUrlPathAfterRewrite(const Http::RequestHeaderMap& headers) const override; void finalizeRequestHeaders(Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info, bool insert_envoy_original_path) const override; Http::HeaderTransforms requestHeaderTransforms(const StreamInfo::StreamInfo& stream_info, diff --git a/source/common/router/router.cc b/source/common/router/router.cc index 1fc451ede41c8..8e5e0c2aac79b 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -485,11 +485,11 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, direct_response->rewritePathHeader(headers, !config_->suppress_envoy_headers_); callbacks_->sendLocalReply( direct_response->responseCode(), direct_response->responseBody(), - [this, direct_response, - &request_headers = headers](Http::ResponseHeaderMap& response_headers) -> void { + [this, direct_response](Http::ResponseHeaderMap& response_headers) -> void { std::string new_uri; - if (request_headers.Path()) { - new_uri = direct_response->newUri(request_headers); + ASSERT(downstream_headers_ != nullptr); + if (downstream_headers_->Path()) { + new_uri = direct_response->newUri(*downstream_headers_); } // See https://tools.ietf.org/html/rfc7231#section-7.1.2. const auto add_location = @@ -498,7 +498,10 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, if (!new_uri.empty() && add_location) { response_headers.addReferenceKey(Http::Headers::get().Location, new_uri); } - direct_response->finalizeResponseHeaders(response_headers, callbacks_->streamInfo()); + const Formatter::HttpFormatterContext formatter_context( + downstream_headers_, &response_headers, {}, {}, {}, &callbacks_->activeSpan()); + direct_response->finalizeResponseHeaders(response_headers, formatter_context, + callbacks_->streamInfo()); }, absl::nullopt, StreamInfo::ResponseCodeDetails::get().DirectResponse); return Http::FilterHeadersStatus::StopIteration; @@ -598,7 +601,9 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers, callbacks_->streamInfo().setAttemptCount(attempt_count_); // Finalize the request headers before the host selection. - route_entry_->finalizeRequestHeaders(headers, callbacks_->streamInfo(), + const Formatter::HttpFormatterContext formatter_context(&headers, {}, {}, {}, {}, + &callbacks_->activeSpan()); + route_entry_->finalizeRequestHeaders(headers, formatter_context, callbacks_->streamInfo(), !config_->suppress_envoy_headers_); // Fetch a connection pool for the upstream cluster. @@ -1789,7 +1794,9 @@ void Filter::onUpstreamHeaders(uint64_t response_code, Http::ResponseHeaderMapPt // Modify response headers after we have set the final upstream info because we may need to // modify the headers based on the upstream host. - route_entry_->finalizeResponseHeaders(*headers, callbacks_->streamInfo()); + const Formatter::HttpFormatterContext formatter_context(downstream_headers_, headers.get(), {}, + {}, {}, &callbacks_->activeSpan()); + route_entry_->finalizeResponseHeaders(*headers, formatter_context, callbacks_->streamInfo()); modify_headers_(*headers); if (end_stream) { diff --git a/source/common/router/weighted_cluster_specifier.cc b/source/common/router/weighted_cluster_specifier.cc index f37ba65854a6a..adedaaf6e15e4 100644 --- a/source/common/router/weighted_cluster_specifier.cc +++ b/source/common/router/weighted_cluster_specifier.cc @@ -130,13 +130,15 @@ class WeightedClusterEntry : public DynamicRouteEntry { } void finalizeRequestHeaders(Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info, bool insert_envoy_original_path) const override { - requestHeaderParser().evaluateHeaders(headers, stream_info); + requestHeaderParser().evaluateHeaders(headers, context, stream_info); if (!config_->host_rewrite_.empty()) { headers.setHost(config_->host_rewrite_); } - DynamicRouteEntry::finalizeRequestHeaders(headers, stream_info, insert_envoy_original_path); + DynamicRouteEntry::finalizeRequestHeaders(headers, context, stream_info, + insert_envoy_original_path); } Http::HeaderTransforms requestHeaderTransforms(const StreamInfo::StreamInfo& stream_info, bool do_formatting) const override { @@ -146,13 +148,10 @@ class WeightedClusterEntry : public DynamicRouteEntry { return transforms; } void finalizeResponseHeaders(Http::ResponseHeaderMap& headers, + const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override { - const Http::RequestHeaderMap& request_headers = - stream_info.getRequestHeaders() == nullptr - ? *Http::StaticEmptyHeaders::get().request_headers - : *stream_info.getRequestHeaders(); - responseHeaderParser().evaluateHeaders(headers, {&request_headers, &headers}, stream_info); - DynamicRouteEntry::finalizeResponseHeaders(headers, stream_info); + responseHeaderParser().evaluateHeaders(headers, context, stream_info); + DynamicRouteEntry::finalizeResponseHeaders(headers, context, stream_info); } Http::HeaderTransforms responseHeaderTransforms(const StreamInfo::StreamInfo& stream_info, bool do_formatting) const override { diff --git a/source/extensions/filters/http/header_mutation/header_mutation.cc b/source/extensions/filters/http/header_mutation/header_mutation.cc index b4a76c97fc623..7b7ee37d00566 100644 --- a/source/extensions/filters/http/header_mutation/header_mutation.cc +++ b/source/extensions/filters/http/header_mutation/header_mutation.cc @@ -167,7 +167,8 @@ void HeaderMutation::maybeInitializeRouteConfigs(Http::StreamFilterCallbacks* ca } Http::FilterHeadersStatus HeaderMutation::decodeHeaders(Http::RequestHeaderMap& headers, bool) { - Formatter::HttpFormatterContext context{&headers}; + const Formatter::HttpFormatterContext context{&headers, {}, {}, + {}, {}, &decoder_callbacks_->activeSpan()}; config_->mutations().mutateRequestHeaders(headers, context, decoder_callbacks_->streamInfo()); maybeInitializeRouteConfigs(decoder_callbacks_); @@ -181,7 +182,9 @@ Http::FilterHeadersStatus HeaderMutation::decodeHeaders(Http::RequestHeaderMap& } Http::FilterHeadersStatus HeaderMutation::encodeHeaders(Http::ResponseHeaderMap& headers, bool) { - Formatter::HttpFormatterContext context{encoder_callbacks_->requestHeaders().ptr(), &headers}; + Formatter::HttpFormatterContext context{ + encoder_callbacks_->requestHeaders().ptr(), &headers, {}, {}, {}, + &encoder_callbacks_->activeSpan()}; config_->mutations().mutateResponseHeaders(headers, context, encoder_callbacks_->streamInfo()); // Note if the filter before this one has send local reply then the decodeHeaders() will not be @@ -199,7 +202,11 @@ Http::FilterHeadersStatus HeaderMutation::encodeHeaders(Http::ResponseHeaderMap& Http::FilterTrailersStatus HeaderMutation::encodeTrailers(Http::ResponseTrailerMap& trailers) { Formatter::HttpFormatterContext context{encoder_callbacks_->requestHeaders().ptr(), - encoder_callbacks_->responseHeaders().ptr(), &trailers}; + encoder_callbacks_->responseHeaders().ptr(), + &trailers, + {}, + {}, + &encoder_callbacks_->activeSpan()}; config_->mutations().mutateResponseTrailers(trailers, context, encoder_callbacks_->streamInfo()); maybeInitializeRouteConfigs(encoder_callbacks_); @@ -214,14 +221,16 @@ Http::FilterTrailersStatus HeaderMutation::encodeTrailers(Http::ResponseTrailerM Http::FilterTrailersStatus HeaderMutation::decodeTrailers(Http::RequestTrailerMap& trailers) { // TODO(davinci26): if `HttpFormatterContext` supports request trailers we can also pass the // trailers to the context so we can support substitutions from other trailers. - Formatter::HttpFormatterContext context{encoder_callbacks_->requestHeaders().ptr()}; - config_->mutations().mutateRequestTrailers(trailers, context, encoder_callbacks_->streamInfo()); + Formatter::HttpFormatterContext context{ + decoder_callbacks_->requestHeaders().ptr(), {}, {}, {}, {}, + &decoder_callbacks_->activeSpan()}; + config_->mutations().mutateRequestTrailers(trailers, context, decoder_callbacks_->streamInfo()); - maybeInitializeRouteConfigs(encoder_callbacks_); + maybeInitializeRouteConfigs(decoder_callbacks_); for (const PerRouteHeaderMutation& route_config : route_configs_) { route_config.mutations().mutateRequestTrailers(trailers, context, - encoder_callbacks_->streamInfo()); + decoder_callbacks_->streamInfo()); } return Http::FilterTrailersStatus::Continue; } diff --git a/source/extensions/filters/http/header_mutation/header_mutation.h b/source/extensions/filters/http/header_mutation/header_mutation.h index 4a6c44a06b667..0dbd56cd72911 100644 --- a/source/extensions/filters/http/header_mutation/header_mutation.h +++ b/source/extensions/filters/http/header_mutation/header_mutation.h @@ -151,10 +151,10 @@ class HeaderMutation : public Http::PassThroughFilter, public Logger::Loggable, 4> route_configs_{}; + absl::InlinedVector, 4> route_configs_; }; } // namespace HeaderMutation diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index c30e487cb005c..78a7a42a1919d 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -1322,15 +1322,20 @@ TEST_F(HttpConnectionManagerImplTest, DelegatingRouteEntryAllCalls) { EXPECT_EQ(default_route->routeName(), delegating_route_foo->routeName()); + Formatter::HttpFormatterContext formatter_context; + // Coverage for finalizeRequestHeaders NiceMock stream_info; - delegating_route_foo->routeEntry()->finalizeRequestHeaders(test_req_headers, stream_info, - true); + formatter_context.setRequestHeaders(test_req_headers); + delegating_route_foo->routeEntry()->finalizeRequestHeaders( + test_req_headers, formatter_context, stream_info, true); EXPECT_EQ("/new_endpoint/foo", test_req_headers.get_(Http::Headers::get().Path)); // Coverage for finalizeResponseHeaders Http::TestResponseHeaderMapImpl test_resp_headers; - delegating_route_foo->routeEntry()->finalizeResponseHeaders(test_resp_headers, stream_info); + formatter_context.setResponseHeaders(test_resp_headers); + delegating_route_foo->routeEntry()->finalizeResponseHeaders(test_resp_headers, + formatter_context, stream_info); EXPECT_EQ(test_resp_headers, Http::TestResponseHeaderMapImpl{}); return FilterHeadersStatus::StopIteration; diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index 1273817260a37..438646cbf22be 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -447,7 +447,8 @@ TEST_F(RouteMatcherTest, TestConnectRoutes) { genHeaders("bat3.com", "/api/locations?works=true", "CONNECT"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rewrote?works=true", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rewrote?works=true", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("bat3.com", headers.get_(Http::Headers::get().Host)); } @@ -468,7 +469,8 @@ TEST_F(RouteMatcherTest, TestConnectRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("bat3.com", "/api/locations?works=true", "CONNECT"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("bat3.com:10", headers.get_(Http::Headers::get().Host)); } // No port addition for CONNECT with port @@ -476,7 +478,8 @@ TEST_F(RouteMatcherTest, TestConnectRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("bat3.com:20", "/api/locations?works=true", "CONNECT"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("bat3.com:20", headers.get_(Http::Headers::get().Host)); } @@ -884,7 +887,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("www2", route_entry->clusterName()); EXPECT_EQ("www2", virtualHostName(route.get())); EXPECT_EQ("/api/new_endpoint/foo", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/api/new_endpoint/foo", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/new_endpoint/foo", headers.get_(Http::Headers::get().EnvoyOriginalPath)); } @@ -897,7 +901,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("www2", route_entry->clusterName()); EXPECT_EQ("www2", virtualHostName(route.get())); EXPECT_EQ("/api/new_endpoint/foo", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, false); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, false); EXPECT_EQ("/api/new_endpoint/foo", headers.get_(Http::Headers::get().Path)); EXPECT_FALSE(headers.has(Http::Headers::get().EnvoyOriginalPath)); } @@ -908,7 +913,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { genHeaders("api.lyft.com", "/api/locations?works=true", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rewrote?works=true", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rewrote?works=true", headers.get_(Http::Headers::get().Path)); } @@ -916,7 +922,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/foo", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/bar", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/bar", headers.get_(Http::Headers::get().Path)); } @@ -929,7 +936,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("www2", route_entry->clusterName()); EXPECT_EQ("www2", virtualHostName(route.get())); EXPECT_EQ("/forreg1_rewritten_endpoint/foo", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/forreg1_rewritten_endpoint/foo", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/newforreg1_endpoint/foo", headers.get_(Http::Headers::get().EnvoyOriginalPath)); } @@ -944,7 +952,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("www2", route_entry->clusterName()); EXPECT_EQ("www2", virtualHostName(route.get())); EXPECT_EQ("/nXwforrXg2_Xndpoint/tXX?test=me", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/nXwforrXg2_Xndpoint/tXX?test=me", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/newforreg2_endpoint/tee?test=me", headers.get_(Http::Headers::get().EnvoyOriginalPath)); @@ -959,7 +968,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("www2", route_entry->clusterName()); EXPECT_EQ("www2", virtualHostName(route.get())); EXPECT_EQ("/VxVct/pVth/fVr/rVgVx1", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/VxVct/pVth/fVr/rVgVx1", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/exact/path/for/regex1", headers.get_(Http::Headers::get().EnvoyOriginalPath)); } @@ -975,7 +985,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("www2", virtualHostName(route.get())); EXPECT_EQ("/VxVct/pVth/fVr/rVgVx1?test=aeiou", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/VxVct/pVth/fVr/rVgVx1?test=aeiou", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/exact/path/for/regex1?test=aeiou", headers.get_(Http::Headers::get().EnvoyOriginalPath)); @@ -988,7 +999,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ(absl::optional(), route_entry->currentUrlPathAfterRewrite(headers)); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("new_host", headers.get_(Http::Headers::get().Host)); EXPECT_EQ("api.lyft.com", headers.getEnvoyOriginalHostValue()); // Config setting append_x_forwarded_host is false (by default). Expect empty x-forwarded-host @@ -996,8 +1008,9 @@ TEST_F(RouteMatcherTest, TestRoutes) { EXPECT_EQ("", headers.get_(Http::Headers::get().ForwardedHost)); Http::TestRequestHeaderMapImpl headers2 = genHeaders("api.lyft.com", "/host/rewrite/me", "GET"); + const Formatter::HttpFormatterContext formatter_context2(&headers2); // Host rewrite testing with x-envoy-* headers suppressed. - route_entry->finalizeRequestHeaders(headers2, stream_info, false); + route_entry->finalizeRequestHeaders(headers2, formatter_context2, stream_info, false); EXPECT_EQ("new_host", headers2.get_(Http::Headers::get().Host)); EXPECT_EQ("", headers2.getEnvoyOriginalHostValue()); } @@ -1008,7 +1021,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { genHeaders("api.lyft.com", "/rewrite-host-with-header-value", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("rewrote", headers.get_(Http::Headers::get().Host)); EXPECT_EQ("api.lyft.com", headers.getEnvoyOriginalHostValue()); EXPECT_EQ("api.lyft.com", headers.get_(Http::Headers::get().ForwardedHost)); @@ -1020,7 +1034,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { genHeaders("api.lyft.com", "/do-not-rewrite-host-with-header-value", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("api.lyft.com", headers.get_(Http::Headers::get().Host)); EXPECT_EQ("", headers.getEnvoyOriginalHostValue()); EXPECT_EQ("", headers.get_(Http::Headers::get().ForwardedHost)); @@ -1032,7 +1047,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { genHeaders("api.lyft.com", "/rewrite-host-with-path-regex/envoyproxy.io", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("envoyproxy.io", headers.get_(Http::Headers::get().Host)); EXPECT_EQ("api.lyft.com", headers.getEnvoyOriginalHostValue()); EXPECT_EQ("api.lyft.com", headers.get_(Http::Headers::get().ForwardedHost)); @@ -1044,7 +1060,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { "api.lyft.com", "/rewrite-host-with-path-regex/envoyproxy.io?query=query", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("envoyproxy.io", headers.get_(Http::Headers::get().Host)); EXPECT_EQ("api.lyft.com", headers.getEnvoyOriginalHostValue()); EXPECT_EQ("api.lyft.com", headers.get_(Http::Headers::get().ForwardedHost)); @@ -1056,7 +1073,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { genHeaders("api.lyft.com", "/API/locations?works=true", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rewrote?works=true", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rewrote?works=true", headers.get_(Http::Headers::get().Path)); } @@ -1064,7 +1082,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/fooD", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/cAndy", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/cAndy", headers.get_(Http::Headers::get().Path)); } @@ -1073,7 +1092,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/FOO", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/FOO", headers.get_(Http::Headers::get().Path)); } @@ -1081,7 +1101,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/ApPles", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/ApPles", headers.get_(Http::Headers::get().Path)); } @@ -1090,7 +1111,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/oLDhost/rewrite/me", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("api.lyft.com", headers.get_(Http::Headers::get().Host)); } @@ -1099,7 +1121,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/Tart", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_FALSE(route_entry->currentUrlPathAfterRewrite(headers).has_value()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/Tart", headers.get_(Http::Headers::get().Path)); } @@ -1108,7 +1131,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/newhost/rewrite/me", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("new_host", headers.get_(Http::Headers::get().Host)); } @@ -1117,7 +1141,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("bat.com", "/647", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rewrote", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rewrote", headers.get_(Http::Headers::get().Path)); } @@ -1126,14 +1151,16 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("bat.com", "/970?foo=true", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rewrote?foo=true", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rewrote?foo=true", headers.get_(Http::Headers::get().Path)); } { Http::TestRequestHeaderMapImpl headers = genHeaders("bat.com", "/foo/bar/238?bar=true", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rewrote?bar=true", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rewrote?bar=true", headers.get_(Http::Headers::get().Path)); } @@ -1142,7 +1169,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { Http::TestRequestHeaderMapImpl headers = genHeaders("bat.com", "/xx/yy/6472", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/four/6472/endpoint/xx/yy", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/four/6472/endpoint/xx/yy", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/xx/yy/6472", headers.get_(Http::Headers::get().EnvoyOriginalPath)); } @@ -1153,7 +1181,8 @@ TEST_F(RouteMatcherTest, TestRoutes) { const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/four/6472/endpoint/xx/yy?test=foo", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/four/6472/endpoint/xx/yy?test=foo", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("/xx/yy/6472?test=foo", headers.get_(Http::Headers::get().EnvoyOriginalPath)); } @@ -1366,14 +1395,16 @@ TEST_F(RouteMatcherTest, TestMatchTree) { { Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("match_tree", headers.get_("x-route-header")); } { Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/bar", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("match_tree_2", headers.get_("x-route-header")); } Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/baz", "GET"); @@ -1584,7 +1615,8 @@ TEST_F(RouteMatcherTest, TestRouteList) { { Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/foo/1", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("match_tree_1_1", headers.get_("x-route-header")); } @@ -1592,7 +1624,8 @@ TEST_F(RouteMatcherTest, TestRouteList) { Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/foo/2/bar", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("match_tree_1_2", headers.get_("x-route-header")); } @@ -1601,7 +1634,8 @@ TEST_F(RouteMatcherTest, TestRouteList) { genHeaders("lyft.com", "/new_endpoint/foo/match_header", "GET"); headers.setCopy(Http::LowerCaseString("x-match-header"), "matched"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("match_tree_1_3", headers.get_("x-route-header")); } @@ -1613,7 +1647,8 @@ TEST_F(RouteMatcherTest, TestRouteList) { { Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/bar", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("match_tree_2", headers.get_("x-route-header")); } Http::TestRequestHeaderMapImpl headers = genHeaders("lyft.com", "/new_endpoint/baz", "GET"); @@ -1768,7 +1803,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveRequestHeaders) { Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("route-override", headers.get_("x-global-header1")); EXPECT_EQ("route-override", headers.get_("x-vhost-header1")); EXPECT_EQ("route-new_endpoint", headers.get_("x-route-header")); @@ -1791,7 +1827,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveRequestHeaders) { { Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("vhost-override", headers.get_("x-global-header1")); EXPECT_EQ("vhost1-www2", headers.get_("x-vhost-header1")); EXPECT_EQ("route-allpath", headers.get_("x-route-header")); @@ -1812,7 +1849,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveRequestHeaders) { { Http::TestRequestHeaderMapImpl headers = genHeaders("www-staging.lyft.net", "/foo", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("global1", headers.get_("x-global-header1")); EXPECT_EQ("vhost1-www2_staging", headers.get_("x-vhost-header1")); EXPECT_EQ("route-allprefix", headers.get_("x-route-header")); @@ -1832,7 +1870,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveRequestHeaders) { { Http::TestRequestHeaderMapImpl headers = genHeaders("api.lyft.com", "/", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("global1", headers.get_("x-global-header1")); auto transforms = route_entry->requestHeaderTransforms(stream_info); EXPECT_THAT(transforms.headers_to_append_or_add, @@ -1860,8 +1899,9 @@ TEST_F(RouteMatcherTest, TestRequestHeadersToAddWithAppendFalse) { { Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/endpoint", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); - // Added headers. + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, + true); // Added headers. EXPECT_EQ("global", headers.get_("x-global-header")); EXPECT_EQ("vhost-www2", headers.get_("x-vhost-header")); EXPECT_EQ("route-endpoint", headers.get_("x-route-header")); @@ -1888,8 +1928,9 @@ TEST_F(RouteMatcherTest, TestRequestHeadersToAddWithAppendFalse) { { Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); - // Added headers. + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, + true); // Added headers. EXPECT_EQ("global", headers.get_("x-global-header")); EXPECT_EQ("vhost-www2", headers.get_("x-vhost-header")); EXPECT_FALSE(headers.has("x-route-header")); @@ -1912,8 +1953,9 @@ TEST_F(RouteMatcherTest, TestRequestHeadersToAddWithAppendFalse) { { Http::TestRequestHeaderMapImpl headers = genHeaders("www.example.com", "/", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); - // Added headers. + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, + true); // Added headers. EXPECT_EQ("global", headers.get_("x-global-header")); EXPECT_FALSE(headers.has("x-vhost-header")); EXPECT_FALSE(headers.has("x-route-header")); @@ -1942,8 +1984,9 @@ TEST_F(RouteMatcherTest, TestRequestHeadersToAddWithAppendFalseMostSpecificWins) { Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/endpoint", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); - // Added headers. + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, + true); // Added headers. EXPECT_EQ("route-endpoint", headers.get_("x-global-header")); EXPECT_EQ("route-endpoint", headers.get_("x-vhost-header")); EXPECT_EQ("route-endpoint", headers.get_("x-route-header")); @@ -1969,8 +2012,9 @@ TEST_F(RouteMatcherTest, TestRequestHeadersToAddWithAppendFalseMostSpecificWins) { Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); - // Added headers. + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, + true); // Added headers. EXPECT_EQ("vhost-www2", headers.get_("x-global-header")); EXPECT_EQ("vhost-www2", headers.get_("x-vhost-header")); EXPECT_FALSE(headers.has("x-route-header")); @@ -2006,7 +2050,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeaders) { genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("route-override", headers.get_("x-global-header1")); EXPECT_EQ("route-override", headers.get_("x-vhost-header1")); EXPECT_EQ("route-override", headers.get_("x-route-header")); @@ -2029,7 +2074,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeaders) { Http::TestRequestHeaderMapImpl req_headers = genHeaders("www.lyft.com", "/", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("vhost-override", headers.get_("x-global-header1")); EXPECT_EQ("vhost1-www2", headers.get_("x-vhost-header1")); EXPECT_EQ("route-allpath", headers.get_("x-route-header")); @@ -2052,7 +2098,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeaders) { genHeaders("www-staging.lyft.net", "/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("global1", headers.get_("x-global-header1")); EXPECT_EQ("vhost1-www2_staging", headers.get_("x-vhost-header1")); EXPECT_EQ("route-allprefix", headers.get_("x-route-header")); @@ -2071,7 +2118,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeaders) { Http::TestRequestHeaderMapImpl req_headers = genHeaders("api.lyft.com", "/", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("global1", headers.get_("x-global-header1")); auto transforms = route_entry->responseHeaderTransforms(stream_info); EXPECT_THAT(transforms.headers_to_append_or_add, @@ -2098,7 +2146,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeadersOverwriteIfExistOrAdd) { genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("global1", headers.get_("x-global-header1")); EXPECT_EQ("vhost1-www2", headers.get_("x-vhost-header1")); EXPECT_EQ("route-override", headers.get_("x-route-header")); @@ -2128,7 +2177,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeadersAddIfAbsent) { genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers{{":status", "200"}, {"x-route-header", "exist-value"}}; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("route-override", headers.get_("x-global-header1")); EXPECT_EQ("route-override", headers.get_("x-vhost-header1")); // If related header is exist in the headers then do nothing. @@ -2160,7 +2210,8 @@ TEST_F(RouteMatcherTest, TestAddRemoveResponseHeadersAppendMostSpecificWins) { genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("route-override", headers.get_("x-global-header1")); EXPECT_EQ("route-override", headers.get_("x-vhost-header1")); EXPECT_EQ("route-override", headers.get_("x-route-header")); @@ -2218,8 +2269,8 @@ class HeaderTransformsDoFormattingTest : public RouteMatcherTest { genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); - + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); auto transforms = run_request_header_test ? route_entry->requestHeaderTransforms(stream_info, /*do_formatting=*/true) @@ -2274,7 +2325,8 @@ most_specific_header_mutations_wins: true Http::TestRequestHeaderMapImpl req_headers = genHeaders("www.lyft.com", "/cacheable", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_FALSE(headers.has("cache-control")); } @@ -2282,7 +2334,8 @@ most_specific_header_mutations_wins: true Http::TestRequestHeaderMapImpl req_headers = genHeaders("www.lyft.com", "/foo", "GET"); const RouteEntry* route_entry = config.route(req_headers, 0)->routeEntry(); Http::TestResponseHeaderMapImpl headers; - route_entry->finalizeResponseHeaders(headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&req_headers, &headers); + route_entry->finalizeResponseHeaders(headers, formatter_context, stream_info); EXPECT_EQ("private", headers.get_("cache-control")); } } @@ -3583,7 +3636,8 @@ TEST_F(RouteMatcherTest, ClusterHeader) { // Make sure things forward and don't crash. // TODO(mattklein123): Make this a real test of behavior. EXPECT_EQ(std::chrono::milliseconds(0), route->routeEntry()->timeout()); - route->routeEntry()->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route->routeEntry()->finalizeRequestHeaders(headers, formatter_context, stream_info, true); route->routeEntry()->priority(); route->routeEntry()->rateLimitPolicy(); route->routeEntry()->retryPolicy(); @@ -6377,8 +6431,8 @@ TEST_F(RouteMatcherTest, WeightedClusters) { Http::TestRequestHeaderMapImpl request_headers; Http::TestResponseHeaderMapImpl response_headers; StreamInfo::MockStreamInfo stream_info; - EXPECT_CALL(stream_info, getRequestHeaders).WillRepeatedly(Return(&request_headers)); - route_entry->finalizeResponseHeaders(response_headers, stream_info); + const Formatter::HttpFormatterContext formatter_context(&request_headers, &response_headers); + route_entry->finalizeResponseHeaders(response_headers, formatter_context, stream_info); EXPECT_EQ(response_headers, Http::TestResponseHeaderMapImpl{}); } @@ -6805,11 +6859,13 @@ TEST_F(RouteMatcherTest, TestWeightedClusterHeaderManipulation) { const RouteEntry* route_entry = cached_route->routeEntry(); EXPECT_EQ("cluster1", route_entry->clusterName()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers, &resp_headers); + + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("cluster1", headers.get_("x-req-cluster")); EXPECT_EQ("new_host1", headers.getHostValue()); - route_entry->finalizeResponseHeaders(resp_headers, stream_info); + route_entry->finalizeResponseHeaders(resp_headers, formatter_context, stream_info); EXPECT_EQ("cluster1", resp_headers.get_("x-resp-cluster")); EXPECT_FALSE(resp_headers.has("x-remove-cluster1")); } @@ -6821,10 +6877,12 @@ TEST_F(RouteMatcherTest, TestWeightedClusterHeaderManipulation) { const RouteEntry* route_entry = cached_route->routeEntry(); EXPECT_EQ("cluster2", route_entry->clusterName()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers, &resp_headers); + + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("cluster2", headers.get_("x-req-cluster")); - route_entry->finalizeResponseHeaders(resp_headers, stream_info); + route_entry->finalizeResponseHeaders(resp_headers, formatter_context, stream_info); EXPECT_EQ("cluster2", resp_headers.get_("x-resp-cluster")); EXPECT_FALSE(resp_headers.has("x-remove-cluster2")); } @@ -6867,11 +6925,13 @@ TEST_F(RouteMatcherTest, TestWeightedClusterClusterHeaderHeaderManipulation) { const RouteEntry* route_entry = dynamic_route->routeEntry(); EXPECT_EQ("cluster1", route_entry->clusterName()); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers, &resp_headers); + + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("cluster-adding-this-value", headers.get_("x-req-cluster")); EXPECT_EQ("new_host1", headers.getHostValue()); - route_entry->finalizeResponseHeaders(resp_headers, stream_info); + route_entry->finalizeResponseHeaders(resp_headers, formatter_context, stream_info); EXPECT_EQ("cluster-adding-this-value", resp_headers.get_("x-resp-cluster")); EXPECT_FALSE(resp_headers.has("x-remove-cluster1")); } @@ -7487,6 +7547,9 @@ TEST_F(CustomRequestHeadersTest, AddNewHeader) { - header: key: x-client-ip value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" + - header: + key: trace-id-from-formatter + value: "%TRACE_ID%" request_headers_to_add: - header: key: x-client-ip @@ -7498,8 +7561,15 @@ TEST_F(CustomRequestHeadersTest, AddNewHeader) { creation_status_); Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/new_endpoint/foo", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + + NiceMock active_span; + EXPECT_CALL(active_span, getTraceId()).WillRepeatedly(Return("trace-id")); + + auto formatter_context = + Formatter::HttpFormatterContext().setRequestHeaders(headers).setActiveSpan(active_span); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("127.0.0.1", headers.get_("x-client-ip")); + EXPECT_EQ("trace-id", headers.get_("trace-id-from-formatter")); } TEST_F(CustomRequestHeadersTest, CustomHeaderWrongFormat) { @@ -8975,7 +9045,8 @@ TEST_F(RouteMatcherTest, PathSeparatedPrefixMatchRewrite) { genHeaders("path.prefix.com", "/rewrite?param=true#fragment", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/new/api?param=true#fragment", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("rewrite-cluster", route_entry->clusterName()); EXPECT_EQ("/new/api?param=true#fragment", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); @@ -8988,7 +9059,8 @@ TEST_F(RouteMatcherTest, PathSeparatedPrefixMatchRewrite) { const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/new/api/this?param=true#fragment", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("rewrite-cluster", route_entry->clusterName()); EXPECT_EQ("/new/api/this?param=true#fragment", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); @@ -9179,7 +9251,9 @@ TEST_F(RouteConfigurationV2, RegexPrefixWithNoRewriteWorksWhenPathChanged) { // no re-write was specified; so this should not throw NiceMock stream_info; - EXPECT_NO_THROW(route_entry->finalizeRequestHeaders(headers, stream_info, false)); + const Formatter::HttpFormatterContext formatter_context(&headers); + EXPECT_NO_THROW( + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, false)); } } @@ -9736,7 +9810,8 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteSimple) { Http::TestRequestHeaderMapImpl headers = genHeaders("path.prefix.com", "/rest/one/two", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rest/two/one", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rest/two/one", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -9772,7 +9847,9 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteDoubleEqual) { const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/en/gb/ilp==/dGasdA/?key1=test1&key2=test2", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/en/gb/ilp==/dGasdA/?key1=test1&key2=test2", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -9807,7 +9884,8 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteTripleEqualVariable) { genHeaders("path.prefix.com", "/one/two/==na/three", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/==na/three/two", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/==na/three/two", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -9842,7 +9920,8 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteDoubleEqualVariable) { genHeaders("path.prefix.com", "/one/two/=na/three", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/=na/three/two", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/=na/three/two", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -9879,7 +9958,8 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteDoubleEqualInWildcard) { const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/en/gb/ilp/dGasdA==/?key1=test1&key2=test2", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/en/gb/ilp/dGasdA==/?key1=test1&key2=test2", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -9915,7 +9995,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardFilenameUnnamed) { genHeaders("path.prefix.com", "/rest/one/two/song.m3u8", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rest/one/two", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rest/one/two", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); @@ -9923,7 +10004,9 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardFilenameUnnamed) { genHeaders("path.prefix.com", "/rest/one/two/item/another/song.m3u8", "GET"); const RouteEntry* route_entry_multi = config.route(headers_multi, 0)->routeEntry(); EXPECT_EQ("/rest/one/two", route_entry_multi->currentUrlPathAfterRewrite(headers_multi)); - route_entry->finalizeRequestHeaders(headers_multi, stream_info, true); + const Formatter::HttpFormatterContext formatter_context_multi(&headers_multi); + route_entry_multi->finalizeRequestHeaders(headers_multi, formatter_context_multi, stream_info, + true); EXPECT_EQ("/rest/one/two", headers_multi.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers_multi.get_(Http::Headers::get().Host)); } @@ -9960,7 +10043,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardFilenameQueryParameters) { const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/one?one=0&two=1&three=2&four=3&go=ls", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/one?one=0&two=1&three=2&four=3&go=ls", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -9996,7 +10080,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardFilename) { genHeaders("path.prefix.com", "/rest/one/two/song.m3u8", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/rest/one/two", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/rest/one/two", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10036,7 +10121,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardComplexWildcardWithQueryParameter) const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/abc@xyz.com-FL0001090004/entries?fields=FULL&client_type=WEB", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/abc@xyz.com-FL0001090004/entries?fields=FULL&client_type=WEB", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); @@ -10073,7 +10159,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardFilenameDir) { genHeaders("path.prefix.com", "/rest/one/two/root/sub/song.mp4", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/root/sub", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/root/sub", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10108,7 +10195,8 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteSimpleTwo) { Http::TestRequestHeaderMapImpl headers = genHeaders("path.prefix.com", "/rest/one/two", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/two/one", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/two/one", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10157,14 +10245,15 @@ TEST_F(RouteMatcherTest, PatternMatchRewriteCaseSensitive) { Http::TestRequestHeaderMapImpl headers = genHeaders("path.prefix.com", "/rest/one/two", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/two/one", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/two/one", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); headers = genHeaders("path.prefix.com", "/REST/one/two", "GET"); route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/TEST/one", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/TEST/one", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10264,7 +10353,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardMiddleThreePartVariableNamed) { genHeaders("path.prefix.com", "/rest/one/previous/videos/three/end", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/previous/videos/three", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/previous/videos/three", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10331,7 +10421,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardUnnamedVariable) { Http::TestRequestHeaderMapImpl headers = genHeaders("path.prefix.com", "/rest/one/two", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/two", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/two", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10367,7 +10458,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardAtEndVariable) { genHeaders("path.prefix.com", "/rest/one/two/three/four", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/one", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/one", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10403,7 +10495,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardAtEndVariableNamed) { genHeaders("path.prefix.com", "/rest/one/two/three/four", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/two/three/four", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/two/three/four", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10439,7 +10532,8 @@ TEST_F(RouteMatcherTest, PatternMatchWildcardMiddleVariableNamed) { genHeaders("path.prefix.com", "/rest/one/videos/three/end", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/videos/three", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/videos/three", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } @@ -10475,7 +10569,8 @@ TEST_F(RouteMatcherTest, PatternMatchCaseSensitiveVariableNames) { genHeaders("path.prefix.com", "/rest/lower/upper/end", "GET"); const RouteEntry* route_entry = config.route(headers, 0)->routeEntry(); EXPECT_EQ("/upper/lower", route_entry->currentUrlPathAfterRewrite(headers)); - route_entry->finalizeRequestHeaders(headers, stream_info, true); + const Formatter::HttpFormatterContext formatter_context(&headers); + route_entry->finalizeRequestHeaders(headers, formatter_context, stream_info, true); EXPECT_EQ("/upper/lower", headers.get_(Http::Headers::get().Path)); EXPECT_EQ("path.prefix.com", headers.get_(Http::Headers::get().Host)); } diff --git a/test/common/router/delegating_route_impl_test.cc b/test/common/router/delegating_route_impl_test.cc index 215b2e90c516f..23561ae19d74d 100644 --- a/test/common/router/delegating_route_impl_test.cc +++ b/test/common/router/delegating_route_impl_test.cc @@ -50,14 +50,15 @@ TEST(DelegatingRouteEntry, DelegatingRouteEntryTest) { Http::TestRequestHeaderMapImpl request_headers; Http::TestResponseHeaderMapImpl response_headers; StreamInfo::MockStreamInfo stream_info; + const Formatter::HttpFormatterContext formatter_context(&request_headers, &response_headers); - TEST_METHOD(finalizeResponseHeaders, response_headers, stream_info); + TEST_METHOD(finalizeResponseHeaders, response_headers, formatter_context, stream_info); TEST_METHOD(responseHeaderTransforms, stream_info); TEST_METHOD(clusterName); TEST_METHOD(clusterNotFoundResponseCode); TEST_METHOD(corsPolicy); TEST_METHOD(currentUrlPathAfterRewrite, request_headers); - TEST_METHOD(finalizeRequestHeaders, request_headers, stream_info, true); + TEST_METHOD(finalizeRequestHeaders, request_headers, formatter_context, stream_info, true); TEST_METHOD(requestHeaderTransforms, stream_info); TEST_METHOD(hashPolicy); TEST_METHOD(hedgePolicy); diff --git a/test/common/router/route_fuzz_test.cc b/test/common/router/route_fuzz_test.cc index ecf9bfb0e08ef..b6f271bfdacd4 100644 --- a/test/common/router/route_fuzz_test.cc +++ b/test/common/router/route_fuzz_test.cc @@ -154,9 +154,10 @@ DEFINE_PROTO_FUZZER(const test::common::router::RouteTestCase& input) { ProtobufMessage::getNullValidationVisitor(), true), std::shared_ptr); auto headers = Fuzz::fromHeaders(input.headers()); + const Formatter::HttpFormatterContext formatter_context{&headers}; auto route = config->route(headers, stream_info, input.random_value()).route; if (route != nullptr && route->routeEntry() != nullptr) { - route->routeEntry()->finalizeRequestHeaders(headers, stream_info, true); + route->routeEntry()->finalizeRequestHeaders(headers, formatter_context, stream_info, true); } ENVOY_LOG_MISC(trace, "Success"); } catch (const EnvoyException& e) { diff --git a/test/common/router/router_2_test.cc b/test/common/router/router_2_test.cc index d34e66b22d4ae..1b2837ecf8f52 100644 --- a/test/common/router/router_2_test.cc +++ b/test/common/router/router_2_test.cc @@ -29,7 +29,15 @@ TEST_F(RouterTestSuppressEnvoyHeaders, Http1Upstream) { Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeRequestHeaders(_, _, false)); + + EXPECT_CALL(callbacks_.route_->route_entry_, finalizeRequestHeaders(_, _, _, false)) + .WillOnce(Invoke([this](Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo&, bool) { + EXPECT_EQ(&context.requestHeaders(), &headers); + EXPECT_EQ(&context.activeSpan(), &callbacks_.active_span_); + })); + router_->decodeHeaders(headers, true); EXPECT_FALSE(headers.has("x-envoy-expected-rq-timeout-ms")); diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index 45901dc081d12..bff66a57342db 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -54,7 +54,6 @@ #include "gtest/gtest.h" using testing::_; -using testing::AtLeast; using testing::InSequence; using testing::Invoke; using testing::InvokeWithoutArgs; @@ -478,7 +477,13 @@ TEST_F(RouterTest, Http1Upstream) { Http::TestRequestHeaderMapImpl headers; HttpTestUtility::addDefaultHeaders(headers); - EXPECT_CALL(callbacks_.route_->route_entry_, finalizeRequestHeaders(_, _, true)); + EXPECT_CALL(callbacks_.route_->route_entry_, finalizeRequestHeaders(_, _, _, true)) + .WillOnce(Invoke([this](Http::RequestHeaderMap& headers, + const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo&, bool) { + EXPECT_EQ(&context.requestHeaders(), &headers); + EXPECT_EQ(&context.activeSpan(), &span_); + })); router_->decodeHeaders(headers, true); EXPECT_EQ("10", headers.get_("x-envoy-expected-rq-timeout-ms")); @@ -5325,7 +5330,7 @@ TEST_F(RouterTest, Redirect) { EXPECT_CALL(direct_response, rewritePathHeader(_, _)); EXPECT_CALL(direct_response, responseCode()).WillRepeatedly(Return(Http::Code::MovedPermanently)); EXPECT_CALL(direct_response, responseBody()).WillOnce(ReturnRef(EMPTY_STRING)); - EXPECT_CALL(direct_response, finalizeResponseHeaders(_, _)); + EXPECT_CALL(direct_response, finalizeResponseHeaders(_, _, _)); EXPECT_CALL(*callbacks_.route_, directResponseEntry()).WillRepeatedly(Return(&direct_response)); Http::TestResponseHeaderMapImpl response_headers{{":status", "301"}, {"location", "hello"}}; @@ -5345,7 +5350,7 @@ TEST_F(RouterTest, RedirectFound) { EXPECT_CALL(direct_response, rewritePathHeader(_, _)); EXPECT_CALL(direct_response, responseCode()).WillRepeatedly(Return(Http::Code::Found)); EXPECT_CALL(direct_response, responseBody()).WillOnce(ReturnRef(EMPTY_STRING)); - EXPECT_CALL(direct_response, finalizeResponseHeaders(_, _)); + EXPECT_CALL(direct_response, finalizeResponseHeaders(_, _, _)); EXPECT_CALL(*callbacks_.route_, directResponseEntry()).WillRepeatedly(Return(&direct_response)); Http::TestResponseHeaderMapImpl response_headers{{":status", "302"}, {"location", "hello"}}; diff --git a/test/extensions/filters/http/header_mutation/header_mutation_test.cc b/test/extensions/filters/http/header_mutation/header_mutation_test.cc index a37d1fa58db51..d8b84d51613af 100644 --- a/test/extensions/filters/http/header_mutation/header_mutation_test.cc +++ b/test/extensions/filters/http/header_mutation/header_mutation_test.cc @@ -48,6 +48,11 @@ TEST(HeaderMutationFilterTest, RequestMutationTest) { key: "flag-header-6" value: "flag-header-6-value" append_action: "OVERWRITE_IF_EXISTS" + - append: + header: + key: "flag-header-7" + value: "%TRACE_ID%" + append_action: "OVERWRITE_IF_EXISTS_OR_ADD" )EOF"; const std::string config_yaml = R"EOF( @@ -80,6 +85,10 @@ TEST(HeaderMutationFilterTest, RequestMutationTest) { filter.setDecoderFilterCallbacks(decoder_callbacks); filter.setEncoderFilterCallbacks(encoder_callbacks); + EXPECT_CALL(decoder_callbacks, activeSpan()); + EXPECT_CALL(decoder_callbacks.active_span_, getTraceId()) + .WillOnce(testing::Return("trace-id-value")); + EXPECT_CALL(*decoder_callbacks.route_, perFilterConfigs(_)) .WillOnce(Invoke([&](absl::string_view) -> Router::RouteSpecificFilterConfigs { return {config.get()}; @@ -113,6 +122,8 @@ TEST(HeaderMutationFilterTest, RequestMutationTest) { EXPECT_FALSE(headers.has("flag-header-5")); // 'flag-header-6' was present and should be overwritten. EXPECT_EQ("flag-header-6-value", headers.get_("flag-header-6")); + // 'flag-header-7' should the value extracted from the trace ID. + EXPECT_EQ("trace-id-value", headers.get_("flag-header-7")); // global header is added. EXPECT_EQ("global-flag-header-value", headers.get_("global-flag-header")); } @@ -153,6 +164,11 @@ TEST(HeaderMutationFilterTest, ResponseMutationTest) { key: "flag-header-6" value: "flag-header-6-value" append_action: "OVERWRITE_IF_EXISTS" + - append: + header: + key: "flag-header-7" + value: "%TRACE_ID%" + append_action: "OVERWRITE_IF_EXISTS_OR_ADD" )EOF"; const std::string config_yaml = R"EOF( @@ -182,6 +198,10 @@ TEST(HeaderMutationFilterTest, ResponseMutationTest) { filter.setDecoderFilterCallbacks(decoder_callbacks); filter.setEncoderFilterCallbacks(encoder_callbacks); + EXPECT_CALL(encoder_callbacks, activeSpan()); + EXPECT_CALL(encoder_callbacks.active_span_, getTraceId()) + .WillOnce(testing::Return("trace-id-value")); + EXPECT_CALL(*encoder_callbacks.route_, perFilterConfigs(_)) .WillOnce(Invoke([&](absl::string_view) -> Router::RouteSpecificFilterConfigs { return {config.get()}; @@ -219,6 +239,8 @@ TEST(HeaderMutationFilterTest, ResponseMutationTest) { EXPECT_FALSE(headers.has("flag-header-5")); // 'flag-header-6' was present and should be overwritten. EXPECT_EQ("flag-header-6-value", headers.get_("flag-header-6")); + // 'flag-header-7' should the value extracted from the trace ID. + EXPECT_EQ("trace-id-value", headers.get_("flag-header-7")); // global header is removed. EXPECT_FALSE(headers.has("global-flag-header")); } @@ -318,6 +340,11 @@ TEST(HeaderMutationFilterTest, ResponseTrailerMutationTest) { key: "flag-header-6" value: "flag-header-6-value" append_action: "OVERWRITE_IF_EXISTS" + - append: + header: + key: "flag-header-7" + value: "%TRACE_ID%" + append_action: "OVERWRITE_IF_EXISTS_OR_ADD" )EOF"; const std::string config_yaml = R"EOF( @@ -347,6 +374,10 @@ TEST(HeaderMutationFilterTest, ResponseTrailerMutationTest) { filter.setDecoderFilterCallbacks(decoder_callbacks); filter.setEncoderFilterCallbacks(encoder_callbacks); + EXPECT_CALL(encoder_callbacks, activeSpan()); + EXPECT_CALL(encoder_callbacks.active_span_, getTraceId()) + .WillOnce(testing::Return("trace-id-value")); + EXPECT_CALL(*encoder_callbacks.route_, perFilterConfigs(_)) .WillOnce(Invoke([&](absl::string_view) -> Router::RouteSpecificFilterConfigs { return {config.get()}; @@ -393,6 +424,8 @@ TEST(HeaderMutationFilterTest, ResponseTrailerMutationTest) { EXPECT_FALSE(trailers.has("flag-header-5")); // 'flag-header-6' was present and should be overwritten. EXPECT_EQ("flag-header-6-value", trailers.get_("flag-header-6")); + // 'flag-header-7' should the value extracted from the trace ID. + EXPECT_EQ("trace-id-value", trailers.get_("flag-header-7")); // global header is removed. EXPECT_FALSE(trailers.has("global-flag-header")); } @@ -727,6 +760,11 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { key: "flag-header-6" value: "flag-header-6-value" append_action: "OVERWRITE_IF_EXISTS" + - append: + header: + key: "flag-header-7" + value: "%TRACE_ID%" + append_action: "OVERWRITE_IF_EXISTS_OR_ADD" )EOF"; const std::string config_yaml = R"EOF( @@ -756,7 +794,11 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { filter.setDecoderFilterCallbacks(decoder_callbacks); filter.setEncoderFilterCallbacks(encoder_callbacks); - EXPECT_CALL(*encoder_callbacks.route_, perFilterConfigs(_)) + EXPECT_CALL(decoder_callbacks, activeSpan()); + EXPECT_CALL(decoder_callbacks.active_span_, getTraceId()) + .WillOnce(testing::Return("trace-id-value")); + + EXPECT_CALL(*decoder_callbacks.route_, perFilterConfigs(_)) .WillOnce(Invoke([&](absl::string_view) -> Router::RouteSpecificFilterConfigs { return {config.get()}; })); @@ -774,7 +816,7 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { Http::RequestHeaderMapPtr request_headers_pointer{ new Envoy::Http::TestRequestHeaderMapImpl{{"req-flag-header", "req-header-value"}}}; - EXPECT_CALL(encoder_callbacks, requestHeaders()) + EXPECT_CALL(decoder_callbacks, requestHeaders()) .WillOnce(testing::Return(makeOptRefFromPtr(request_headers_pointer.get()))); EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter.decodeTrailers(trailers)); @@ -795,6 +837,8 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { EXPECT_FALSE(trailers.has("flag-header-5")); // 'flag-header-6' was present and should be overwritten. EXPECT_EQ("flag-header-6-value", trailers.get_("flag-header-6")); + // 'flag-header-7' should the value extracted from the trace ID. + EXPECT_EQ("trace-id-value", trailers.get_("flag-header-7")); // global header is removed. EXPECT_FALSE(trailers.has("global-flag-header")); } @@ -809,7 +853,7 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { filter.setDecoderFilterCallbacks(decoder_callbacks); filter.setEncoderFilterCallbacks(encoder_callbacks); - EXPECT_CALL(*encoder_callbacks.route_, perFilterConfigs(_)) + EXPECT_CALL(*decoder_callbacks.route_, perFilterConfigs(_)) .WillOnce(Invoke([&](absl::string_view) -> Router::RouteSpecificFilterConfigs { return {config.get()}; })); @@ -825,7 +869,7 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { {":status", "200"}, }; - EXPECT_CALL(encoder_callbacks, requestHeaders()) + EXPECT_CALL(decoder_callbacks, requestHeaders()) .WillOnce(testing::Return(Http::RequestHeaderMapOptRef{})); EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter.decodeTrailers(trailers)); diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index cf3be8346367d..77c5fe90eb7d3 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -60,7 +60,8 @@ class MockDirectResponseEntry : public DirectResponseEntry { // DirectResponseEntry MOCK_METHOD(void, finalizeResponseHeaders, - (Http::ResponseHeaderMap & headers, const StreamInfo::StreamInfo& stream_info), + (Http::ResponseHeaderMap & headers, const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info), (const)); MOCK_METHOD(Http::HeaderTransforms, responseHeaderTransforms, (const StreamInfo::StreamInfo& stream_info, bool do_formatting), (const)); @@ -412,13 +413,14 @@ class MockRouteEntry : public RouteEntry { MOCK_METHOD(const std::string&, clusterName, (), (const)); MOCK_METHOD(Http::Code, clusterNotFoundResponseCode, (), (const)); MOCK_METHOD(void, finalizeRequestHeaders, - (Http::RequestHeaderMap & headers, const StreamInfo::StreamInfo& stream_info, - bool insert_envoy_original_path), + (Http::RequestHeaderMap & headers, const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info, bool insert_envoy_original_path), (const)); MOCK_METHOD(Http::HeaderTransforms, requestHeaderTransforms, (const StreamInfo::StreamInfo& stream_info, bool do_formatting), (const)); MOCK_METHOD(void, finalizeResponseHeaders, - (Http::ResponseHeaderMap & headers, const StreamInfo::StreamInfo& stream_info), + (Http::ResponseHeaderMap & headers, const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info), (const)); MOCK_METHOD(Http::HeaderTransforms, responseHeaderTransforms, (const StreamInfo::StreamInfo& stream_info, bool do_formatting), (const)); @@ -533,13 +535,14 @@ class MockRoute : public RouteEntryAndRoute { MOCK_METHOD(const std::string&, clusterName, (), (const)); MOCK_METHOD(Http::Code, clusterNotFoundResponseCode, (), (const)); MOCK_METHOD(void, finalizeRequestHeaders, - (Http::RequestHeaderMap & headers, const StreamInfo::StreamInfo& stream_info, - bool insert_envoy_original_path), + (Http::RequestHeaderMap & headers, const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info, bool insert_envoy_original_path), (const)); MOCK_METHOD(Http::HeaderTransforms, requestHeaderTransforms, (const StreamInfo::StreamInfo& stream_info, bool do_formatting), (const)); MOCK_METHOD(void, finalizeResponseHeaders, - (Http::ResponseHeaderMap & headers, const StreamInfo::StreamInfo& stream_info), + (Http::ResponseHeaderMap & headers, const Formatter::HttpFormatterContext& context, + const StreamInfo::StreamInfo& stream_info), (const)); MOCK_METHOD(Http::HeaderTransforms, responseHeaderTransforms, (const StreamInfo::StreamInfo& stream_info, bool do_formatting), (const)); diff --git a/test/tools/router_check/router.cc b/test/tools/router_check/router.cc index 41d80b2e40e44..869617ea87b5d 100644 --- a/test/tools/router_check/router.cc +++ b/test/tools/router_check/router.cc @@ -177,17 +177,21 @@ void RouterCheckTool::assignRuntimeFraction( void RouterCheckTool::finalizeHeaders(ToolConfig& tool_config, Envoy::StreamInfo::StreamInfoImpl stream_info) { if (!headers_finalized_ && tool_config.route_ != nullptr) { + const Formatter::HttpFormatterContext formatter_context(tool_config.request_headers_.get(), + tool_config.response_headers_.get(), + nullptr, {}, {}, nullptr); + if (tool_config.route_->directResponseEntry() != nullptr) { tool_config.route_->directResponseEntry()->rewritePathHeader(*tool_config.request_headers_, true); sendLocalReply(tool_config, *tool_config.route_->directResponseEntry()); tool_config.route_->directResponseEntry()->finalizeResponseHeaders( - *tool_config.response_headers_, stream_info); + *tool_config.response_headers_, formatter_context, stream_info); } else if (tool_config.route_->routeEntry() != nullptr) { - tool_config.route_->routeEntry()->finalizeRequestHeaders(*tool_config.request_headers_, - stream_info, true); + tool_config.route_->routeEntry()->finalizeRequestHeaders( + *tool_config.request_headers_, formatter_context, stream_info, true); tool_config.route_->routeEntry()->finalizeResponseHeaders(*tool_config.response_headers_, - stream_info); + formatter_context, stream_info); } } From 0043eb07da0264dc34cf653eb3633e02ca2833d4 Mon Sep 17 00:00:00 2001 From: Kuat Date: Fri, 5 Sep 2025 13:52:50 -0700 Subject: [PATCH 369/505] =?UTF-8?q?Revert=20"chore:=20add=20docs=20for=20S?= =?UTF-8?q?NI=20DFP=20and=20some=20tests=20for=20testing=20stats=20?= =?UTF-8?q?=E2=80=A6=20(#41005)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …emission (#40966)" This reverts commit b8583e6f9494d65be3f8793b4d5fa6bea672a0de. Change-Id: I1f0a94c1d200eff9f47129e589657656edaed7cf Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Kuat Yessenov --- .../dynamic_forward_proxy_filter.rst | 4 +- .../sni_dynamic_forward_proxy_filter.rst | 30 -- .../proxy_filter_integration_test.cc | 268 ------------------ 3 files changed, 2 insertions(+), 300 deletions(-) diff --git a/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst b/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst index 34090f4d0069e..cd61aaf6885b1 100644 --- a/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst @@ -155,5 +155,5 @@ namespace. :header: Name, Type, Description :widths: 1, 1, 2 - rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1). - rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens. + rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1) + rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens diff --git a/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst b/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst index b81a83733aab3..4d64134b3c8ea 100644 --- a/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst @@ -39,33 +39,3 @@ by setting a per-connection state object under the key ``envoy.upstream.dynamic_ objects are set, they take precedence over the SNI value and default port. In case that the overridden port is out of the valid port range, the overriding value will be ignored and the default port configured will be used. See the implementation for the details. - -Statistics ----------- - -The SNI dynamic forward proxy DNS cache outputs statistics in the ``dns_cache..`` -namespace. - -.. csv-table:: - :header: Name, Type, Description - :widths: 1, 1, 2 - - dns_query_attempt, Counter, Number of DNS query attempts. - dns_query_success, Counter, Number of DNS query successes. - dns_query_failure, Counter, Number of DNS query failures. - dns_query_timeout, Counter, Number of DNS query :ref:`timeouts `. - host_address_changed, Counter, Number of DNS queries that resulted in a host address change. - host_added, Counter, Number of hosts that have been added to the cache. - host_removed, Counter, Number of hosts that have been removed from the cache. - num_hosts, Gauge, Number of hosts that are currently in the cache. - dns_rq_pending_overflow, Counter, Number of DNS pending request overflow. - -The dynamic forward proxy DNS cache circuit breakers output statistics in the ``dns_cache..circuit_breakers`` -namespace. - -.. csv-table:: - :header: Name, Type, Description - :widths: 1, 1, 2 - - rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1). - rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens. diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc index eb594cf62f29a..295df517c842a 100644 --- a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -154,273 +154,5 @@ TEST_P(SniDynamicProxyFilterIntegrationTest, CircuitBreakerInvokedUpstreamTls) { EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_rq_pending_overflow")->value()); } -// Test that verifies DNS cache statistics are properly recorded for successful resolution. -TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheStatisticsSuccess) { - setup(); - fake_upstreams_[0]->setReadDisableOnNewConnection(false); - - // Initial state where we have no DNS queries yet. - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_success")->value()); - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_added")->value()); - EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); - - // First connection. It should trigger DNS resolution. - codec_client_ = makeHttpConnection( - makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - - // Verify DNS resolution statistics. - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_success")->value()); - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); - EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); - - // Send a request to complete the flow. - const Http::TestRequestHeaderMapImpl request_headers{ - {":method", "POST"}, - {":path", "/test/long/url"}, - {":scheme", "http"}, - {":authority", - fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; - - auto response = codec_client_->makeHeaderOnlyRequest(request_headers); - waitForNextUpstreamRequest(); - upstream_request_->encodeHeaders(default_response_headers_, true); - ASSERT_TRUE(response->waitForEndStream()); - checkSimpleRequestSuccess(0, 0, response.get()); - - // Close the connection. - codec_client_->close(); - ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); - - // Second connection to the same host. It should use cached entry. - codec_client_ = makeHttpConnection( - makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - - // Verify no new DNS query was made. - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_success")->value()); - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); - EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); -} - -// Test that verifies DNS query failure statistics with invalid hostname. -TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheQueryFailureStatistics) { - setup(); - - // Initial state. It should have no DNS queries yet. - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_failure")->value()); - - // Attempt connection with invalid hostname that will fail DNS resolution. - codec_client_ = - makeRawHttpConnection(makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni( - "invalid.doesnotexist.example.com")), - absl::nullopt); - ASSERT_FALSE(codec_client_->connected()); - - // Verify DNS failure statistics. - test_server_->waitForCounterGe("dns_cache.foo.dns_query_attempt", 1); - test_server_->waitForCounterGe("dns_cache.foo.dns_query_failure", 1); - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_failure")->value()); -} - -// Test that verifies DNS query timeout statistics. -TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheQueryTimeoutStatistics) { - // Configure with very short DNS timeout to trigger timeout scenario. - config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - // Switch predefined cluster_0 to CDS filesystem sourcing. - bootstrap.mutable_dynamic_resources()->mutable_cds_config()->set_resource_api_version( - envoy::config::core::v3::ApiVersion::V3); - bootstrap.mutable_dynamic_resources() - ->mutable_cds_config() - ->mutable_path_config_source() - ->set_path(cds_helper_.cdsPath()); - bootstrap.mutable_static_resources()->clear_clusters(); - - const std::string filter = fmt::format( - R"EOF( -name: envoy.filters.network.sni_dynamic_forward_proxy -typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig - dns_cache_config: - name: foo - dns_lookup_family: {} - max_hosts: 1024 - dns_query_timeout: 0.001s - dns_cache_circuit_breaker: - max_pending_requests: 1024 - typed_dns_resolver_config: - name: envoy.network.dns_resolver.getaddrinfo - typed_config: - "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig - port_value: {} -)EOF", - Network::Test::ipVersionToDnsFamily(GetParam()), - fake_upstreams_[0]->localAddress()->ip()->port()); - config_helper_.addNetworkFilter(filter); - }); - - // Setup cluster with matching DNS config. - cluster_.mutable_connect_timeout()->CopyFrom( - Protobuf::util::TimeUtil::MillisecondsToDuration(100)); - cluster_.set_name("cluster_0"); - cluster_.set_lb_policy(envoy::config::cluster::v3::Cluster::CLUSTER_PROVIDED); - - const std::string cluster_type_config = fmt::format( - R"EOF( -name: envoy.clusters.dynamic_forward_proxy -typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig - dns_cache_config: - name: foo - dns_lookup_family: {} - max_hosts: 1024 - dns_query_timeout: 0.001s - dns_cache_circuit_breaker: - max_pending_requests: 1024 - typed_dns_resolver_config: - name: envoy.network.dns_resolver.getaddrinfo - typed_config: - "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig -)EOF", - Network::Test::ipVersionToDnsFamily(GetParam())); - - TestUtility::loadFromYaml(cluster_type_config, *cluster_.mutable_cluster_type()); - - config_helper_.addListenerFilter(ConfigHelper::tlsInspectorFilter()); - cds_helper_.setCds({cluster_}); - HttpIntegrationTest::initialize(); - test_server_->waitForCounterEq("cluster_manager.cluster_added", 1); - test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); - - // Initial state. It should have no timeouts yet. - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_timeout")->value()); - - // Attempt connection with hostname that should trigger DNS timeout. - codec_client_ = makeRawHttpConnection( - makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("slowresolve.example.com")), - absl::nullopt); - ASSERT_FALSE(codec_client_->connected()); - - // Verify DNS timeout statistics. - test_server_->waitForCounterGe("dns_cache.foo.dns_query_attempt", 1); - // Note: timeout detection can be flaky in test environment, so we check attempts were made. - EXPECT_GE(test_server_->counter("dns_cache.foo.dns_query_attempt")->value(), 1); -} - -// Test that verifies host removal statistics due to TTL expiration. -TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheHostRemovedStatistics) { - // Configure with very short host TTL to trigger removal scenario. - config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - // Switch predefined cluster_0 to CDS filesystem sourcing. - bootstrap.mutable_dynamic_resources()->mutable_cds_config()->set_resource_api_version( - envoy::config::core::v3::ApiVersion::V3); - bootstrap.mutable_dynamic_resources() - ->mutable_cds_config() - ->mutable_path_config_source() - ->set_path(cds_helper_.cdsPath()); - bootstrap.mutable_static_resources()->clear_clusters(); - - const std::string filter = fmt::format( - R"EOF( -name: envoy.filters.network.sni_dynamic_forward_proxy -typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig - dns_cache_config: - name: foo - dns_lookup_family: {} - max_hosts: 1024 - host_ttl: 2s - dns_cache_circuit_breaker: - max_pending_requests: 1024 - typed_dns_resolver_config: - name: envoy.network.dns_resolver.getaddrinfo - typed_config: - "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig - port_value: {} -)EOF", - Network::Test::ipVersionToDnsFamily(GetParam()), - fake_upstreams_[0]->localAddress()->ip()->port()); - config_helper_.addNetworkFilter(filter); - }); - - // Setup cluster with matching DNS config. - cluster_.mutable_connect_timeout()->CopyFrom( - Protobuf::util::TimeUtil::MillisecondsToDuration(100)); - cluster_.set_name("cluster_0"); - cluster_.set_lb_policy(envoy::config::cluster::v3::Cluster::CLUSTER_PROVIDED); - - const std::string cluster_type_config = fmt::format( - R"EOF( -name: envoy.clusters.dynamic_forward_proxy -typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig - dns_cache_config: - name: foo - dns_lookup_family: {} - max_hosts: 1024 - host_ttl: 2s - dns_cache_circuit_breaker: - max_pending_requests: 1024 - typed_dns_resolver_config: - name: envoy.network.dns_resolver.getaddrinfo - typed_config: - "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig -)EOF", - Network::Test::ipVersionToDnsFamily(GetParam())); - - TestUtility::loadFromYaml(cluster_type_config, *cluster_.mutable_cluster_type()); - - config_helper_.addListenerFilter(ConfigHelper::tlsInspectorFilter()); - cds_helper_.setCds({cluster_}); - HttpIntegrationTest::initialize(); - test_server_->waitForCounterEq("cluster_manager.cluster_added", 1); - test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); - - fake_upstreams_[0]->setReadDisableOnNewConnection(false); - - // Initial state. It should have no hosts in cache. - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_added")->value()); - EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_removed")->value()); - EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); - - // First connection. It should add host to cache. - codec_client_ = makeHttpConnection( - makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); - ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); - - // Verify host was added. - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); - EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); - - const Http::TestRequestHeaderMapImpl request_headers{ - {":method", "POST"}, - {":path", "/test/long/url"}, - {":scheme", "http"}, - {":authority", - fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; - - auto response = codec_client_->makeHeaderOnlyRequest(request_headers); - waitForNextUpstreamRequest(); - upstream_request_->encodeHeaders(default_response_headers_, true); - ASSERT_TRUE(response->waitForEndStream()); - checkSimpleRequestSuccess(0, 0, response.get()); - - codec_client_->close(); - ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); - - // Wait for host TTL to expire and host to be removed. - simTime().advanceTimeWait(std::chrono::milliseconds(3000)); // Wait 3 seconds (TTL is 2 seconds) - test_server_->waitForCounterGe("dns_cache.foo.host_removed", 1); - - // Verify host removal statistics. - EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_removed")->value()); - EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); -} - } // namespace } // namespace Envoy From d8126983e624cf3583a4a1d80daf6d36ac56660d Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 5 Sep 2025 15:05:08 -0700 Subject: [PATCH 370/505] docs: add docs for SNI DFP mentioning the stats emission (#41007) ## Description This PR adds docs for the SNI DFP mentioning the stats emission from DNS Cache. --- **Commit Message:** docs: add docs for SNI DFP mentioning the stats emission **Additional Description:** Added docs for the SNI DFP mentioning the stats emission for DNS Cache. **Risk Level:** Low **Testing:** CI **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- .../dynamic_forward_proxy_filter.rst | 4 +-- .../sni_dynamic_forward_proxy_filter.rst | 30 +++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst b/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst index cd61aaf6885b1..34090f4d0069e 100644 --- a/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/http/http_filters/dynamic_forward_proxy_filter.rst @@ -155,5 +155,5 @@ namespace. :header: Name, Type, Description :widths: 1, 1, 2 - rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1) - rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens + rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1). + rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens. diff --git a/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst b/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst index 4d64134b3c8ea..b81a83733aab3 100644 --- a/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst +++ b/docs/root/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter.rst @@ -39,3 +39,33 @@ by setting a per-connection state object under the key ``envoy.upstream.dynamic_ objects are set, they take precedence over the SNI value and default port. In case that the overridden port is out of the valid port range, the overriding value will be ignored and the default port configured will be used. See the implementation for the details. + +Statistics +---------- + +The SNI dynamic forward proxy DNS cache outputs statistics in the ``dns_cache..`` +namespace. + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + dns_query_attempt, Counter, Number of DNS query attempts. + dns_query_success, Counter, Number of DNS query successes. + dns_query_failure, Counter, Number of DNS query failures. + dns_query_timeout, Counter, Number of DNS query :ref:`timeouts `. + host_address_changed, Counter, Number of DNS queries that resulted in a host address change. + host_added, Counter, Number of hosts that have been added to the cache. + host_removed, Counter, Number of hosts that have been removed from the cache. + num_hosts, Gauge, Number of hosts that are currently in the cache. + dns_rq_pending_overflow, Counter, Number of DNS pending request overflow. + +The dynamic forward proxy DNS cache circuit breakers output statistics in the ``dns_cache..circuit_breakers`` +namespace. + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + rq_pending_open, Gauge, Whether the requests circuit breaker is closed (0) or open (1). + rq_pending_remaining, Gauge, Number of remaining requests until the circuit breaker opens. From db557abb8afd8a4e91d3895979569ade35372de3 Mon Sep 17 00:00:00 2001 From: "publish-envoy[bot]" <140627008+publish-envoy[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:35:50 +0000 Subject: [PATCH 371/505] repo: Sync version histories Signed-off-by: publish-envoy[bot] --- changelogs/1.32.11.yaml | 7 +++++++ changelogs/1.32.12.yaml | 6 ++++++ changelogs/1.33.8.yaml | 7 +++++++ changelogs/1.33.9.yaml | 6 ++++++ changelogs/1.34.6.yaml | 11 +++++++++++ changelogs/1.34.7.yaml | 6 ++++++ changelogs/1.35.2.yaml | 17 +++++++++++++++++ changelogs/1.35.3.yaml | 10 ++++++++++ docs/inventories/v1.32/objects.inv | Bin 179103 -> 179159 bytes docs/inventories/v1.33/objects.inv | Bin 181750 -> 181826 bytes docs/inventories/v1.34/objects.inv | Bin 186737 -> 186856 bytes docs/inventories/v1.35/objects.inv | Bin 189503 -> 189675 bytes docs/versions.yaml | 8 ++++---- 13 files changed, 74 insertions(+), 4 deletions(-) create mode 100644 changelogs/1.32.11.yaml create mode 100644 changelogs/1.32.12.yaml create mode 100644 changelogs/1.33.8.yaml create mode 100644 changelogs/1.33.9.yaml create mode 100644 changelogs/1.34.6.yaml create mode 100644 changelogs/1.34.7.yaml create mode 100644 changelogs/1.35.2.yaml create mode 100644 changelogs/1.35.3.yaml diff --git a/changelogs/1.32.11.yaml b/changelogs/1.32.11.yaml new file mode 100644 index 0000000000000..935f1c45a820e --- /dev/null +++ b/changelogs/1.32.11.yaml @@ -0,0 +1,7 @@ +date: September 2, 2025 + +bug_fixes: +- area: oauth2 + change: | + Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a + Secure attribute (`CVE-2025-55162 `_). diff --git a/changelogs/1.32.12.yaml b/changelogs/1.32.12.yaml new file mode 100644 index 0000000000000..169bf1af2d390 --- /dev/null +++ b/changelogs/1.32.12.yaml @@ -0,0 +1,6 @@ +date: September 4, 2025 + +bug_fixes: +- area: release + change: | + Fix distroless image to ensure nonroot. diff --git a/changelogs/1.33.8.yaml b/changelogs/1.33.8.yaml new file mode 100644 index 0000000000000..ec53a9b62b5cd --- /dev/null +++ b/changelogs/1.33.8.yaml @@ -0,0 +1,7 @@ +date: September 2, 2025 + +bug_fixes: +- area: oauth2 + change: | + Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a + Secure attribute. diff --git a/changelogs/1.33.9.yaml b/changelogs/1.33.9.yaml new file mode 100644 index 0000000000000..ffaacf445b462 --- /dev/null +++ b/changelogs/1.33.9.yaml @@ -0,0 +1,6 @@ +date: September 5, 2025 + +bug_fixes: +- area: release + change: | + Fix distroless image to ensure nonroot. diff --git a/changelogs/1.34.6.yaml b/changelogs/1.34.6.yaml new file mode 100644 index 0000000000000..58aba7edbc15c --- /dev/null +++ b/changelogs/1.34.6.yaml @@ -0,0 +1,11 @@ +date: September 2, 2025 + +bug_fixes: +- area: oauth2 + change: | + Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a + Secure attribute. +- area: dns + change: | + Fixed an UAF in DNS cache that can occur when the Host header is modified between the Dynamic Forwarding and Router + filters. diff --git a/changelogs/1.34.7.yaml b/changelogs/1.34.7.yaml new file mode 100644 index 0000000000000..ffaacf445b462 --- /dev/null +++ b/changelogs/1.34.7.yaml @@ -0,0 +1,6 @@ +date: September 5, 2025 + +bug_fixes: +- area: release + change: | + Fix distroless image to ensure nonroot. diff --git a/changelogs/1.35.2.yaml b/changelogs/1.35.2.yaml new file mode 100644 index 0000000000000..176322ce426c1 --- /dev/null +++ b/changelogs/1.35.2.yaml @@ -0,0 +1,17 @@ +date: September 3, 2025 + +bug_fixes: +- area: oauth2 + change: | + Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a + Secure attribute. +- area: dns + change: | + Fixed an UAF in DNS cache that can occur when the Host header is modified between the Dynamic Forwarding and Router + filters. +- area: stats + change: | + Fixed a bug where the metric name ``expiration_unix_time_seconds`` of + ``cluster..ssl.certificate..`` + and ``listener.
.ssl.certificate..`` + was not being properly extracted in the final prometheus stat name. diff --git a/changelogs/1.35.3.yaml b/changelogs/1.35.3.yaml new file mode 100644 index 0000000000000..4d41014e50317 --- /dev/null +++ b/changelogs/1.35.3.yaml @@ -0,0 +1,10 @@ +date: September 8, 2025 + +bug_fixes: +- area: http + change: | + Fixed a bug where the ``response_headers_to_add`` may be processed multiple times for the local responses from + the router filter. +- area: release + change: | + Fix distroless image to ensure nonroot. diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv index 767ecc6c090aa0bd8f36d5307f44c26bd4c5c17a..51e7493391e9d8f3b743d8c5c2854b8c94a068cc 100644 GIT binary patch delta 4927 zcmYLLc{r3`8|Gz7Gg(5Eto6%QO!h2k(4vIN#4uxxBv6Q8g*vfgE1EzQf=3Wx_giE(#q(r=Ilr=#l9r|PxunBFIiuU1I$$u8S! z?9Y;MB&Y{6JvI5xN_gq7wYr;xpX7eSwHOv?^2mkHJ2&9#uxNb|*IurR3Nc$vFV25} z?v&q;z=sHx1aAYeU5p|N9Ym9(bXPOuu|UXSijl4Y9yn)|3gakT*+2|Vvw-9MR3jyR$`k*BBDfi zrP$$+t7Q~>R64Wow(OY$kt#~>ZMqrr-yR>{e^%H_IZ`B@74N*q(JBUZ@3;lUf#SH2 zhb!JHJnE5B>^=4aDks`cDLWk42TJk>!$hK}CuLwJp9@f1zaNY`)qQG;Bs&n=%)BWh zBad27mD$U|&~Rp9LlSdP(@F*9pq+ z)pq7aO?_i-NC_QE98}pDjvqZeblU&R#NNh}$M;-rnLE5SbobRis7r}+hnK+E9zL!Y zPgy!M(atB2aa?E!J;XHdNqod{%!~K6@*Z>{1h8$r%GN*D%N#7I$N|+qGfT9nik?j1@DJdHmYp+A4<3$buKc& zv9FsZF=H9S5tE6{3G)S8u3xYF(C^yKYixM|c;ICJa{sX#hviP0U8heq-Z&}Afhw`5 zlk5o5D9Mp72ZOV3><_>sqjGk>4|MeFsFfpJjc$?|fnwe7|w|tCwBME3%H| zO`mEv&sCSmD6QhjbH#p4htL!TeRzYjuO(5Fwf;RiuCGx7clvm!&w=Zn!k&>)SgAA< zRhInnpK}ApD=p>TuJ?F)O8vp>$Ns?+|KQV!r5xFK3ym%UrwV_=9Uo~%A^WjaL8+l% zsY_nXvMs4hFr?PZxz<0Vpk>P6uM+iAA#)uU89X=5)}@N>yr&>pV3A%^qjlFqrr9zN z#@Qv`g+)hG7*6|C=+I+Qgb2*l1xtrslIn3Vw_A7UkPGhP25pkBrv#~VlOlvR#aL$& zxaVIAC0xZ==MZKABRZ5y0<>W>hF)~2kQC7X!d1tv^Z;srJ~ z!zDVj_$Tb2sMfszzx&^)PWQ#|s957i7-F*G!VSc|H*(%t2`U2=1xj018CYK58bmFD zwsE5yzzm;;CpI<+SpxBquZs|G8DdJHqvTzNfD%ZRyvsl?fi94D88*KI*FFAaxQ$2A zcNrFWJlWUPKeh^bHsH!(oZscUu`bcsmnuu8y9P+7?&Ki5c~n~Yzm-5v&VeUa1rO;FIPc7oKCB78OB4;$f)y6g%z)#OzN!5c9O{M0!1%o^e#r_6k zx&45aXN;R*zSYpA5T7pww9kPQ+~$PP{+Mf2wAlEfP(mQ4#nPeSEd!7Gkas=wU;r1n z6ffwwd!=icXzuA5p#(q7wH&m9+k#Mgz`w8+A->>$VUu{&g0TYzMph(%2$u@;LgW-r zc&z^k>D?>AT?Mn#;|2hEFZi@zE`DeY6iT>*8M0(=%w55wR*kO;5J?1a!r_k$kxop& zUTF3Pm;Qvp(11mFO{n%=cjT?xW}fUvG>B^Oo|Emqh_!OLLi0NR@G^W|uW@(^;Gg>$ zUpH)g)sZOTIptJr|4NPZHP}Q6wC&wmy3dFQu33qAt5TI2#C8hSq6C|M@Yj})73_R?b~p&e6Mf#3+p;VlW-MS z@&e79{i5c_)`OlkC|gB)1!^4;P_#@bhk~qMZOkq3(W@UtUVV%xYm&>pN{LE*iunFX zGhZF=V-(yBBaVtz7$`Rmod=n9HX3WuADdTFkOO*{3E5^`i%mLEI#QHxjt z?^~SnW1rOe=m-C%P*{X;>6IhoLXJIO6eXRh+4uF04IL{XT1rF~T=j<79I)sgLz3%y zK(9bd^vk*CqkY) zxhGYSe(K*=uq>^DuBB$+h_0GHsvzgo-BGer1%ZL7e`kqw+%g~^yh|0(g=m_T^P~|l z12`llhgz0Y-x~O^8mdeEIR@8|X=MWZ!3U?@CJfq{CB_XVNXjcJM>gn15Vs4OqMbpAyV=%v%GrLSjTtbiG&_ zL2xa~IcJ;_=uAdZTBwxQfbsLPW!OI(f|{77KK{xYh|BIcOMa8Dyqfog>IfoxVYeCq zV~Ed-yVU?IQJKhzFaMUKxQ1eu=7^8;c;3W>on#5(4e(~Q$RWnR7HLA-|J=2R)%jY8 zoR%RCR~vr01(bxvB+0it?OH>uvE*E`P%36KNc&|fr5tE|p1lnd-4QHDH+|$^uYFJw z#yzvX!O_cXNDPXtg$Q<|>z~0bzM|@sH01?^?3x_yYIc<065{f@X6|3hOmD!>Y>8T> z6s2=-15;se_k;PP$=iT37&9rDbxdIg2nOLIC)!^uZzH&N}zd}=@l^@}YAFWY}z?;<<tP4ZaLDGH7y4gPVGmaXcAtt;VZMnIsN0UjBTL+SIkmXa z{pW_I5jZ}sWpPT~Yrv#0ixXgQ$+~8tRZ5J*Q6LaQI?oyB9F#kGB3|}) zDqnRBm@)}P>Cm2K9GnxH{fMD;Ko3&bRWrUFkwm#8SqWksPBRBlr&?9N63%dr^nt%) zb|h!Yb=~sPcwVXJHi7c=*BG+>6s%_Z(~R+`wDksHwC%KAvPsxN=*&J@_joe6X9;;q z$8;>fI83;u7S*AZbk=jR@!clkZv2z=C(`qSpECuh0Gz636OciPVVlm=TG zuM%`q1_wsIM6M%j6I7FGT^5DYH^IbbQpU%LBfn*_v;bG-kUZJ(i2?=BR7 z)ia`QxN}`j$u%A;9lnsh*b?$%|JJ)EZ z-T;%-q=BpHmJ9k%Uh zOiBJ+xp-|(<5gN!u(Yx!YROlV`z1%d?Ibdr-OIa zr=zxFys)s6@#~e&r}Z~APeG&D`XVp5YnnCve)#v>dU$vuS-rHke-^b3h zna!o~BE1z?e=xRf#TB1t<_%DMf;3sL7*bwI?n2bg@BHk>Lc^RmjhU?msu;0t=i(uanL)c+6yCVzWOfb zk#KJH!`P@YtUy_+8*{ueQ_uh>9cUU4tQ&O3Hy-V=V7Yl{2>UcL2-Pq^~=3=|OLCw|{ z8BsAPsyGUfUDEqSSTo;rnz|&q?cvTP-gHPGt2bJ+{h=LvT~I#&*p2TiqA?Z-XFM*8 zjb5xiUi~>Ed}N`}3M&yQ+Ws(gPwi)#5IPii^p%K)ajz%f!77HR3E5A~dZ(0jyE;#( z``57VzNPz8j$&8Ba>p0FPkNmc@LkOWfKTo_vi{9t_pBC_sH3TpnN9 z-ma)YX4ZlsJ9Fc;7Z~lumj}gDdn(Uh*&0gJLS#+5ad5Yxm-eA5pLHf?>)dU7oAox)h@)|@BSGZXa7ogdhFxoFZ|Y3;4b zDzpsgpJYDv`4MO_|V7gX(Y9`#z7U=euS*(UA2g|dp_o_uibI_ zIoS;i-G6Q8wmi}imf)iHPw;BcmTySz8ZY(DCZ1ENgU<&mW)QYLY~Z^y&6;=XtvPdO zeUD7V1pUySZYwZ!b=YwUr#i`^R*n4W#agaH+TO4L&~DbZ`$0(uZ{^Y$y1ES6inA6I zV!iNKU)yMT45J%>-?7Mbj9)^D=a^8FA~-%RG2VJ>_2T-$-FDCO{*e4O zb#MrcHz)s+h&Jt(w!J`Zv@yTptD8vP@EH*e4Yst4s{Uj{b}*!umG*FkLo&3 z*4>A(VGX=nPi7ZK&P)pXmxuHnEu+cr4clBRPMfXR`Ah@^Hq|$6Oh@K?14%g9eA^Lh S#I&I9#zl!Our2VS#(w}Rm#Jj{ delta 4870 zcmX|CdpuMB|Icb&wnDY0MCgK5qjH^+6(!ebWHxe(OvY7FczK`EO=kY%8^M1dcuk(66pRZ>Z3zEo!M5u6G@w*dnhpXTYD4Yfu z#h#YSlr3XrRb4YQO_{HiiTluS#=yuq9?_h#Ij7xv{`}R*dx3mSlY>CL6byADI`utLkk-Q91%-XRekxid<+2F4nw}W)L--o} zEmt*r3I}{w`0~wAn_FPvK=R%GqVMyA07_lRP0%$p(%!e@wVwqu)qOSLs7&*l(yP4U zE40(6+eufuPnUTX3A|c((%_KPx>IL(`(X+dl>t2@5^M-nva&% zXOE%J_oc{7YZ=~!gnfvC1qGhcs3%^D7r@$}$1k5fprYNxP;T(Q10#x;tw(G$P64NK z_Gzm%Gv-Lt65}E$|Adho$=a=2usYD(m}R}70U+g;9%nJ;wn!QSLB^NLnYrc3%f=1h z-cV1wlX3i!W<)dERWEyW_phe+8~^CJZnF!X?f=56nQ5fmovcib`HYP;=Q0mIWo^5EiE^mpioXOzela?jIuv~#K9g` zQnC_;>W4nOQ_OItu-&=af{dxk$(C`6+;vqs)=p~wseE3Te0N0naAk9N(^SRD*~aJ1 zl>i$`oS^s`PurD{M5@A!0M&X9ybE_aTda+*XEzg zOE($b32O<+??-+#F_!bFQsXY%zT6@D4Su=LXe=r^=J%Jswi2U=*wONQ9<{MQ{r+0x$i7_FcjhPfbpU1O8+502w|nbi zYHy|K_YC}s@6BS6bK2|_TJ2JmyLFzf%`;DAApBhmS%Kq$s(jKwXUu)E*bKtK)6=sH z$+CR!tqL1|TD0=IHTiOM{V{DtCf&_Ph9#`M`9h{t@)oLjWjm(&2h=~@?sY647xkC0 zzMLPgEsdY#m4)Fv_oDmrHYkDTqAv|^2sEUq%9v&)oZZ*QBxKr@d{3p4y0cc=vV6L8 zf*nVC!EH}Va7i)%Z6cT(tp&X>*9uB{a$=gEpxm9A7siD{cc$O=F(w@BagWTFhfc;J zXu9OUH3jHF5+YqcJ5p8=dM`#lJy5MIre-fCD+0IM{^y2Oo?`N`mpW?08Xod(oL@Z%O(J3>X}hAG}}Osry=o(QM+I~4t-JUEg>L&x$r4hlXMLd=J1(K1?#n5?25V*RIDb4 zZ@dnqfJa+l?c$osxK!}7wp|1d3V2`pE! z9h}01$>|m!0&Mf(Em%y4-bYIOAP#*eIhDh!+9TJfJPNF(fmVrG%my3$KLfI{+SodVmBqd zWSt{3MR4Ao({vrAZ5dq0_}{%Mc!UXN_u2_OI!Mb*3LJ-Ad<+%O(9f1E;Pz{9kQCib z31S1IeVpq8_1HpYVCndwFK}Kn%#aF~Sh@%v{aQ;G6AQ3^zy#k z#8qK3Kt34PgFpM*e(mc7joUzMVd;kCe7Mu@56pqS6%hMlLD#{v*tr7Y!oL!zbc6QW z?Uq2#0xF+_u%@7;9z-Hdzfs5~pe8k+LgExIU?X#eH=iM-c`+N@*Y%fFdFT)%VETnp z^^gny@I7*G;O3r2Uly}`>&9w9OqAgNM9K10X?*b#3EYk{2cIAVHy5D za&8Cvge*>377{PTCGiK?$Ojja72{sm_{bEc8{l}nJ435_j7Wp?5T8VVKQu>k>txooq7 zLH`OzZabN5ORXUg#3_VshFsXs7vYaFqB;pWLit*NmzX}4VbL-rBea0FGbSKT;z|gV z_7&koAxd>#l@R8m(n@YOsm&A<9pe4rkbG0cQ4q)_1b4CHoy>day|4OdSx0$v83$bN zF^Y)~)gW zL_q=Z282@*@pz}Dgz!}=?bB^7HAV@sGv0q^E?D?XfRYFyv6njHWynxkGs5Ph4)jN` zgs?I-I<@+;nno$H#VBAyeVI4kOE^@T1Qq{*$kZ(kbWen;H>0vUEeH&Bki_JziEf*$ zCXjL|k)L#XM~7-pN{N?A{tDn}Y-lM!yh-}2B9ZcG&}~;p?8TN3G8s_uPJ|6bN2;@2 zLfCk>0I1UpVj#&J4#^Yd%!16_Ah?Sy@1zT%^-O(QmI2Q##sMf|rj+PF`bz~Y4}(Y~ zCE)^WP*M!yJCeCVz|=hh1~G-?FA9+snVSRkxa}gbN}#~2K7<3sNortGg6u{uE~#$v zm|zfRNx$HbB4OkrsM_ts^rc?qmiZj5+EEFz6P0||kAGlJLfDmByhE#jH3_l@wOD&t zVPIQA*q2%yT&;EQTp1CP@Rzohf=eKm=OM9(jwQyMk%E zCP|K>l4C$kk z$}1!W(HN#T04<(JSZAUM5Bw!fE2-oF5Hiww3GDp`R-#uwc1*XzsA-MAo6vh8yZ;4p zxz>vdRsMZ>bw$LSC9h`u2FJ{ZtVz-APUM?UO@D$JpBdn}ZD=fTn}SocMv zhV=#TSJti%@GpV&{_Og|R6SqB2&P5PkD`&j4l4Ej=QOG&X!8ACr?K+kO1-)3G>kRy zc{Z#_uXqf^t{{q=fZ1uAyv6MP{T3~JIujV3WOUOpY6U>nOjNcN+>wfvNmbT;=M4V> zjjwD_txw1-EO$hI6U6Ns5+~mGGHMx$T}L>iIkkgJeYx%{fq%f9Y9X88Mh;BIfQF*4 z@HwqxI&Oc2e;75Xn!hii0XB5$0l1Vazpn^#M66g0fd~DPL$lQ4yTkmC#wD$nCaQ36 znve?si;tI$dA#Ecj+=ZsoWFCS-(P0WzR_)%yl&MY#zkV4%O04FJ`KUpCRTyCU@{om zsR9>b)jKZOHG>FLQ6#bIEC`mT6AdmYC06BvVEKCF3nc?YBff(z(F4c0xXf9Xr3;*h zMq1natpv`2SN#OvKFA&y{WaTr_j`l@v>Q+Em5V@0DNBa@WRPbM1OMygdy`CAU;if* zkHGwu27P)Kmtv0Zp6>qJDbLt0t0T55%@IPvZgNWZ94m}oukUNulsfXHE$Yda(D@hH z6XQJ@KLyn7u_TV3O?!&$=MHH4>ieI)-?fTYz?px(Z5po+Z}4@07hCR?tvoVr0t}%N z8W(ytC87a8+Oumw+xUI|bw2AOV#`$fE$L{bkpRN`^*mVs-k7+&k@IcSBTk8DT=Kb0 z$K$P}CX;>3QDvgm*MOhnlFI8y`o388fqC|4<3Wk+ZA~jj>i*O5{Ij4Z^^dpQY_dOp z`YiG1^Y-Jd`ME=tN>JZMR7@p_AFy+>$%gvErT@O{uFuFNHV$eZk(HO}2ETFA9{*n$ zf3a-QDDKRZ~X?|(XeX?WV;Du|ob zpnTgDExVav6cv#o(J8vzyV&;bccb?N1fW+1yc7GJIy@S)jyut54^7p65nA$1YPkk+ zIUlZ00vnjTe=^>yi#?6}pui&$E!x~@K+Yb*in|^)3eZf5$x<*2&eoaE#mmhuPnY?2 z&n{THc7M+)rH3;ejMu--Xf5S23>Vzpd)aXxYyPMPo!pXiNXiQKT`<|2C#?Pv2Y~st zME6{epBV{-wjOCe=uOjQzn=<@yBLvXLL48)P3V)J5R&s3ptQZeWQFJV{yMtoRgT4kIXgMk74_Cn1}UF`{G2@VG<^ug#9U7bIsd{wC+OI4`1YnxLC&{x-2`X_?; zekP>!C@z?c>dnda_Ltv?Z$5wr05o;l`?m%I&sng-aGXmjvql`OPO}OW%f9wv`T}cw zusaXM5mr!?wO7c1+)-Vjqnwd;DvzA(^zE%Pna>z>Mm}Cqw(N_qds<`{TQ=aqDzAWv z$LF4)V(Tz3reDJ+Goa*peZ`hQ7Y`GYsz0#rX5vN_+Q+`MI6Q>43WyD+E<<{S(yV|q zjoyW%?NFdcNGU5k&gM8EKi|wQ9cVAX*(Y&~SBfguw@xZLcIo#Wo?v1*?V$p!D8dB> z$8dfvsz31gmqFRzrHd=aisD8*34LR;wt#1F4^p@Mf=$sThankXv+hN)M+~+Xc4l?GB!)KY6?B7BdrNKG|Vl=IEET{1UtB)MpYtqprHH z>!_BMYc1^2mu0YO7O{7uwSCCIkO`VT$NSUxpngjPPe~InJZA+MWyKDSSGvBYYbky@ zvsOolzAs(U`FXU?^M_>6^!O)~2rYbW9;+Bgk3Kxxtu&jMFpXH|L@9H)^XcAOxjp?R z4_W#vQ9=XTzq@FTo)4ztIPEr!5lB^cX5brUPC`KPI7!IqVg{X;eL?URGp}NMG4K2J&P11*R^faL zPG=cdwQs+baI#%d4>TvCvmkIm3w6&X)PYoGzYy9Th7O|z7)bd+x z6=yViHr+9a_k<*8@)FqgqpmIwa=G*#&M3`H5jem^@1=xT_tK}gdnPxE`$@vgtgo)# zeX<){LBPN!Zu@w~^zjrkg>e4IUK^c8=MP6&A?=L?n^$j|2#Kd{tjzR1(z52`r`q^D z{oxm@6wX}7ah(sTQ(34?PvCwdvptN}2SSBK`7P$B3H6dnzG3qKdr^6BudCR(K{Hjp zaz4N!S#-v6LCM!v2S7;oaJNepJY=xxwt3o4t>+gkCG0e#%EMCnZD7bgYpFE?*kg~f&CBrc6) z=fowHz4kSmSnksD-zir+)nwBys$WhU7CodiGN`3GAI_$J3jX!$j_3_aFu+fx2!uH zef{}jTSHq|k5$_$E8R_Ufz7D^U!%SLaf-^gcbzuU%ju!VhX&=Bs(1J8Kt6$686V{| zhQFP9m3}$c`-O>g1|J{o;ir5W#((K$-8aERM%py<&{qWpdhC)hFwT(eQ!(7Ae?#ih z2G2FTP)h@~t4@l=LF)m$#%CD_WU|Rz(@fqGx|JJyzZSvkJo?-oP-?SWw%hOQr^LNUO8?1vdIP4ybuEU|FWs;nxu5G4?9tEggUto}W~Yze z@ARmi?VVH9aVl*qu+L^d9`<0lshgNIUg!Y5R)Aw_lGfx}amH z?+2Exu@wNbmiwo9pBfTYdRU+Ls3xrq>|{-o+#}(BK8&ZQz_K=c>oCo~NvS+a=Ol1! z_tQMeEt}8u*XFWiAW--#$o&Dn__VJ0vf!y7lTFRP5aLZjb;3OAt3{|;NBNHLj-7OC zjnOzhep&l8fu8|uS996CY{>hwP;01iH9=Eq_9tdbYv3~o|M}qT`oOzjdbFYNp z5BK@gz^cGefKBu2af03mRkO_4+;oisFu~T25~DAsDo!*x{jAJ0`qjV%KGu*44;`sm zDnMSZTS~XNTm6(EtfV=YG;!Dq7ov%0DRr>w8*2k+j2ur6{HtkMZ7mVgD&JT|$^*O` zI93JU)R9?|wS7_h&(vic?+a*lm}=03x$$mmU&nU<0j2{`O(9baP#AdcYQ=Z? zLg1c0P3hyW3fIm3zG}C;D__YS_c$$b-5uHu=}@SfOXEW`$leLfa$rHi(VPuh1rtva!J?QY8JjEgk&7D1>XmzdUcX>82Gppf$1&~&>COt2rh zOv&3fS3uK40hieCbl{3?jcNCi=I0u}jtn4^=;IBjGGJRSrmpnS`M^Dvvo{ntn3rvv zM}OX`q;amZ7~XZR)342yMtUNBxmMB9M>LJtGBqM#>WftKj~d z0iLpAEmSS}cBb(*!8SvZT%DecL_xIYwpbIj%{)YxCrd{YH&^wsHtKM&+b)+P3uW(W zdv5OB`+ZA>qwQlJu-RPNS8-=UMy#2t`8B87z9MplYG%;mcw37Qj(gGmOp~N1Ar&7B z`pe>7K0?Fix^$BtA#|11OX}#n*@U%b)BGnp@aQVblWZp$5dQCVAJ%%uirHx2`7*e80pZhT;k4n7Sbxv1b6FN8Gss3J zY0u$0O!(-K`c!Fbbmg)f&D)=Z8_!g7GyO~@l}>DzwZ@8&|{&>ZQfkchLL6cXgzaN7-mJfmS5% zv=jiOE0@=CMS0>pZDbJ)&F8Xjpo=YzWPs0VbJe}3olL^dQGLa5D+owHqlBpp8!2hl znGe1i=n~_qOwy3Lt+pbKM$>Eo!@$;c35)-dgWdZq8`z`6CGBn|d*m8R_;Mg^s6bhX zF(G7XN%@Ojl5xz~zDrL%%d{fjCnskK#b=s+9A45>QcvaUz|pqcZ3?))?fn$h#Hk#g z>Ki{3JTt;^F-bc94M?DcL&N3?@-4OCE7`CFTWF^cP9NRQ&{S&AA^`Ay^KC>Gv=bbR z8ncr>Fo{b9{D-D`=L}8t%QG~uhLofIjM$PG??|E~i9Uuh zksF0lmx#5Wxj_5s9~Vefib&Ypd9=3Ed>Y4Jtu832K^aZI~Ck0z=1{pV>H}j)xt3CyRifZI4v#a@84%GVe4uW zdFR@D{##p^R~4NZoIT6cS_TsS{8^MtQ;}E;_%Dl^bXbglJa3q&Pn$HXhhLd@=AYUm zb$c;>YOS_)!4PScJ6^;&@$R)taUmH9RFkOBNp@b8J-3p&$`Qt;^n6(Y?|FW)K42{A>xY~MO;_i#SxBGfj9sp+XP21< zQ<$f>bq=dpQ6v}+HTDg4{K~J3ihCP!D{#^Kc0SIq7hhSs6PHj^r!Q9Hp@1%#p(%Zx zzml>R$f37@#ecGr27L>HoZRU8!*JfGBq zp?e|oh(_U#^u(VQ=fx)A?{uk76ln;`w0-58w1hEy-Q<=Zp%WEf7;#1eAr{^=p_ zZ#3}ml(OCr+)+(H)0bLG%R-Mg!GRCS7LVa*8ZYLeVTp{#yDw)-Z;cH3LV+yhJcL3h+tF|yRkFmY+*R7ExXu~ zGYiEM!X+nfPs*lq^FtiZ+lHZbCQVv}Ei`>8If@71euJ$C&2+ezX?2%fqt#ApSl^7R z_o05{cuNMR5MS`1X`~oIi}>3lZ)(jfnl^ed*VvO}szVbkCiNsdwltcHO+mjP1k(hj zqe6)08rMvnRbE`bjpjzasTMTS_Y`A!<>cV$lR+k|9qH*A8q!&!Oy8bWX_-qZtUlXb zfZ4AZHf-?@rq-q&ED#gF6(wtVTNa2~4_KK>xfB*+cP>WzetuZ;pX~T#23fLYVFc;F zJ{p{QSn~QJuRxt0;{mHgA+IaP28y?2tJfANgj2Wb0H8}Gc=__xcOJsruu00p#EpEXj7gi)*g?D%a& zxmIaD=b!JKt;$hnJD>8|&gbQu`?0PB`^H&tkEO{iT9u;JDLh>}_HRzc56;#C^bJ~F z54<(9hNd5V$b&zH7o15b$dX-#5R&F>*`ilsCrEi7HP*ix1st^y(|eVxDy ziN3FD1J#(e2S=TBpq_*^H51z5gtgXPTW$IvcK-!e^6jBx_Ut91y?9`7#h!@w=zb8> z7<2qmggCjz3a^(q)T18JbWvpunlNIBPDe40&s!1eRPg0=gWm&xLCyQ~hMnIYD&()- zlpLzHB08(I%F+#OjITmRfnh_7JkK=(Wf%N%O}NOgF=o|QoV=VI;s;%>=H3UBehFhU zC8SG4>rqMpbP1y5q?NbgWZo28BweX#p8|&XwN5v=qB`ZT+MwPi#hxebv<0Bm+8;ysMhEn z@*chHRD3^{9&fQxw+BsFH~e8R9UpKrD7fuF#Aj3yh*>#uiCxbYC+nuza^RgixR1c3 z9pP+aV*E;tIN2k`RuR9{p?VBv+!xL^AttYMiId-?*kb9VANJ*8h_}_WyIG%f`~14> zG`XJ%c&rvyJtkrQWV^J z@7ouqG@$+h2(E}iv)*Y8v0M#WK{s5Yatcj2F*M3TU&#XVk|`;+e)uJ4OR8WbMdaD& z7l7&Et~6n3O`P1HlE#5|8TL2@yPw@;oE^V*Do)-{NmIlx%WG4CgsBKiteIJ|U;y$3 zB;;0Ty~UafIs;|AQPz6ORkiFW*?WK?&Z|LX>H5j$RA7E8#GtTgrN$K$3W)>zLs!k} zs6eSye_n40e_cG^5S}D+k^Ptjbea-a87WZ3 zBSY&v+!`VN6kJC+(;Ltj!wQ1`q})|W%ZgqFL&`ux=VNANgrn(+*?OspdO9eS z8t!~Rw{1WmZ4h08FgZGo15Rcm605-^lSpRRPY94bm1EGzf-dATHTU5Chz5-#cKj>hyg8^$(14-Z8&6rS-xnX zF@8WB4%Z@9aSZ;}y#T&=0Wl_+H zX01?A4wPUn)F0As4Toch#0>Ctz|5Eiq(DP37w#tvIKy8Xp>quN@d_@dM5df_Ufz;F zTJHg?OMDhc^hgRk4sKVfLX+QWW4};00tv}&Z z@>Y3ymr(lB_=H$; z6Ij5%nMAxrHY8}*cslr>@<1RwLWTNO;U*#QINVg@Xe6nX?lDZ=7#33yGn!A1g2M@a zFc_$7pcF$w6rsze_bz}WFA$blbFUc-Lgoa7oH9|;4}3IGo*`)qbh3{B2tlq23Av=A z>Gcvd090IvZ9HA+)d3NRy@-%g21?YRK?CKYf!AvlTp*r=;^S!WxP6GWEZsm+E&}`n zffx`m>Rd8{!Hm%7p_XI8$7`mpUI*U!7>~zALZKvtQ(N9cScf_KhsE^5=LtNH3~jxR z@MsdXhTX!T&lByVU^p%SPxpb&vA{O~Kc0~tUz41a`d+y#IAjhJ1nK~i931Z^@9%!Il^j0WKFMs%v- zg=ht*QzNmQXg=N->gNXe{2&~6i>9@lZs^T2JGg`$(Jzc{Uv`GU0B5w(C$vgd5g%`X zx}-GzeQW|J*p~C0tOE{KCeQ&R!9r-x_T`NTTv)hnGQp`U_Gl4z+x@J98PBt6dO!~1 zASYiWXX{n0fzw1k54Fonmvfa-fV9fXR}D-(dwDkkr%Ky8NRCIW!_limqF%6~!8c7* zOXzvUm;sNOLB`B~a^&q1oP0ohSKZuo8w3Z~5#_cg#;UQMsD)_gWPfB2TuCp*qW z&lfP*3-nnRlQ{4!>dq`o1&qTMMQMM5UH(E0iI~>vglnOIFn&M@zv^pq5u|;Qu)mHFD*sW}I|J_tTUep@{fnffdx~_zjZl%+Y7rvbg<){D92`ura(?sbcWfyh9kFFIdxFgwHjb!Gu z^c-kL)NDH<^EJ|!z#ocxjSrS=&F`X?{1nJn?cTGbjNCb zB409#o^bG3FvO(J6tgwl2UJg46)#3@x?i5`Zo~8j2T9hi%+!wTi<;jOZ`-pBPy;vt z?Us?&eY4AIi7!*O3Q(747cGwipp_5~)(9!Um`w2C{t@gKuGyya zQR}{?b5UtVQ{jHog6(mk%<#x}YZKrY?)3kka~EQwC;y>QddRU#aJ0KT>yy#c9Z&P{ zH}mi7ZNGFwKU`;g)=JG6wfWyoc05O>bQ2`fNY2s&<((q7I#EWC3YjWaABI2wB*oKI z&Ty>S1}KT+Zlq_6Kh>yWnPSJ_ki8wUx&?(g+{7^tcax}-eAqr!juXw3Xoa1i?hW!W&$U$kM3 zIc4|BPTAx*FmCb9GH}9jt-DsZpk0~EXHjtWW^G=(<)y{tmosWt$!u;)p=;JfFL9WJ z9y!2OZ7g62s5offU>Dq-Uf8wZnfIRfuu^_I^;cBbA#-J*^{s`Y^%GL<`UyZe{B`&{ z;BdLG{aUrc?K(hN`D@MuW_W5Ju9?O7y}^HxRqFat8Np&mHx^`x!aYi z$V>+C03L6Kr|Ufy4d0I1G#oUn?M2LHjc?}Gk5asqlbG+-XL;4tj&iBGQIxBAViMaE zJN?FPELwI^)^Eo|M0j04YB5vg;@&m+LIW(xus4tQRUG+_1$9;udlq-prVV*&YNv90?nJTmifXF#wU$AJ5u{*MzXHw=Z4>K}Hvu*8l-%J&{}|+|Uk9_Az8wc;4t8mld+XB) zDI)REW$RV&4(YyH_Gi1T>qA_Ocl`%@);RmKV|JdNy#E-TNu3cGnwHevj(yZ+Lw@!y za9pXAI5%@h9p%FG=1^y${sj+D4X4ETQK|YE@F{_MX|`qF?A6KlCt`ZKGPrN+zbk>v z04vJw@93=Q4-;jAAD)&@t~0+*@TqutQsH&DFxF6aQ2cykHG%pgI_Bo}5~Tpw`xl#Y z%>J&;f3=A1zNtj0Q8-rgalAD8qAjOB!0A=+s9Ma<^DZi|yB)DI#m8r_lJRu5xbXBd zDDhs|0hvoPh_XJuaJZOK?{0HMv7QqJxPIokvwRrMR%-~{s~r}llO8uQkYjP}s0dwR^IulieS9}>0>7G#ccPLFcefh-cw zk9xihB=}JZG)QUKtr06-{vONuN?%oO5d%mR!|le}_gAJ3rCV1>^K19sb}e{gFcn9! zeG7f<;|hh%hP4+GWw$(kh}-ukAM~e;sapivSgqYQi0n@uuEb1<^Q@d;hXP(SsP&K2 zPOtn3@Ns%`RIK3dH&!EdbaxUXS-5@AvEVT(5U)EahGdo*7|FrYRHXcfcx~xnL-l$Jzk~OY%^y*& zL)*U|IY=2(`G&**Zi2@5`fiTJQf5A!G$Br+&P#&IDMLmkz3>d`!}>ZLeCT&rV+Tu; zkuYiAbPw>K%+mp=D3(sL>z4NRHhpIuW4cHBAG(+}*2nT`{Kb-cSDfkS#B(|=oQ?On zot_-gTdk6vod(`In0~TP*f|&^(qFeq{?h^9K%1`0?9#U$a!tz$XD-e>p=CXt&w2Ub ztj12`Z#++v#3si3d7XKNVsd#vr||QT9OeUq4W%x5_lzK7qvd?KsOI5$o{J-s>lqJ*9Oi5Xc_0RDz--CuR{ zeVSjJqR0quAT#-I%o<_dGNWM8_fL#?`sfwFm9^rGC5Vn~#=+5nZEh8SPNw2MA2AN0 zj{*YYl;x@F0@+ZvjA_13EVcfm;Gi?Hn*e-X@0>37PlP&*(Fb+*c!(}{{=xH2`gM*p zZ1EkR4Ud{@tavERRM6b6syiKO`b5nb;-!CfR%*rt2$qVkQ_ke4QLS!FiUB>htuVx| zb#$dOkM`fKZjAcrF&xeE5CjiKG0?$AE)r98(Qx-|)e)vvg<_2uec2JkBHm%=N*(d( z$I<V zPy`bAD{A@?6qaA}wM`@Nv|cDK*nrLoWTjtv>gy>f7W!d`quO7C^RUcv(3scQZ?L1; zzH%~IJS9<#W)Uk~9p;z_| z>6kybKRsc2ed($ZFU!N=P(!U{x+=tVyUUUQ$99k&Jv__e5`-2u6+c$|#qE5Qfk-M$ zufzBNhL8M9fhl2PotlQ=2RMu0?^)rdCk?jB(`GU zq^-i)A|l-e3glr9Bhv0&3UDj4 zi*-Ad+NkyYW?*={wWe`JXc)@uX_;9lV)`-cdnA=&RsY8ik&f`#oAf^J@1G?0j{#)}(l>rZLFOlZ ztG&TO1Zf2JyjV62p$NJCKzqC)mo{)rAX@cY2Z;7_9Y~r44~YlZ zI~qiQA`HKjq1wQ0d{~KuIh;IIW`BPL8BJI?DKapXi4^pD{*4R&s`1_D<6foQ581_H z2a6MUWi-!~=m*?2@$s7Qy2MKrBY+e5^@YZnmC}vGO-($=kE30#`7@Rf)T1dNl<*34 z!z6L)PS~E2g`|TxjR%u zmp`<+#^0=r+Z5n(-7y3k?%4m(S}(7{3Q`MfF$@8V@U{v#4ZJUQuU`OriIKK7KuGtt zJKZbN>*irdgZrSU_vU%U-)VFGH9+SsXkI2v5uMi$kOUTo#3x4h{hY)>2SPQL`%PUIpkq&_v|!M z%bCC9ItzzMA{8X`&p+w&D_EnhlYVx+{J^|ZaWXah7s*$1Hp!a;kQi^=Mr4zDz z5`G5%92eyh=`~O#e*+(-g~eASvIzK^DCTkMmBoS?AfDZ{MnD4UJ=uLm8iu@sS{p`V z3#W`U>OO&h{p9PrmTm59=el1IBmWXDW40r(s%>fSWDpIC4mMmu!loHR8w8mh)1sXZ zdSm^t7TL}WFKr~xtzddz0o$R&f>wT~q(-jz!kC7kkN0|(!xteT3+rsVI?R6@d{W{P z;WbbO0kKx!ufH~fV>tv=7yG$Hrap%8(pC?-sf;w_k_3*GU9ml9N0osT+cLiFsH-xR zYIX_Bfrj7B$71V*$^EfnznQM3?3^%qLh0L5L52xf5Vq~mk|7LxnVNPh$@3%tB|=2C zk+xyfbnR98V&JrlHTT1FCA&IlZM2pdK^hPeS&C0A4nh|}bg zaJsw?-5lt0>C^)JI`%Rnhme=}Wv0Pw5en7QpHuhbxeZi7hlj)zFt1^vxfk~TC-tz54B_bX-l-v-g7(bxyt_P-6I zDWc7Vq6aW{$-!0>%3W2Ks@qj|fVH+Vg?_fpRDXwBx)O`sYVkDTar%LJ2QHbK_b{S1&kY zIC)wuYpvl5OTduW?S^V+#}zy8C%-?}NztU^_&~+KT~U)=v7eeJDYIt9fnGMGXC6!w z9AlRDuVIPW?8{TkHox!6r52BRt=uHd&v=DOA&wQ0@k~^ZpqnF^%X=jF-v;q0w6aew zkA*WZR@{k*kW}jorj4UUiQb^3(2=btvRt&=^ z!tC@i$Am8U^@BwBcqGJ=-d@tr?61GrbKA?e#P|$VFTHs!Q~9j824zc`$m?%1ufCrg za*mas{rM+=C_w(@y}X8_8Ui>@<{Kwz{SzuChCi|@6W%HTnhu21tPGAIR_v1Cv;Mcrqj4O|L$icUkyrQxkT7+O0h^ZL?5ne;(OR*pC=H6jw zPJlRpXkC<@MMKujFb79vmajgZd+GYM^EGy3S~Q#Odf1nU4*)|ZgV&e#FHh~@d%1yp zjljd?19G#$*m@qV;G=O zA(J#!G{g^$QGCc=A=wP1WV?bvUS*(|FBheNM_PX1#w}u?mwb7@(>?8v{j_v2XLiZ^0hl7Ck)*m=gy2(IOkk?k{n|ROaeM=0skTTknZs*x+&xkU#-C4JS z$MhGjF7=WEPN&X$$0VKHE0ZbM{4^VSM2&)E2J+Lj^H)8d@{IF@SJTI12vdAWy1F#2 zHz<*?aD|%eOPO&+jrns>TaNSX*5gR0g>3J;eCz2?Ox+(L=%>E5KG}G804R}Z5?kx> ztC0I)O0MKZB{g83flH=Sy;DUQRZ!SpUUZ14UPEP9^KrzMD0B=gWBMB_!mR3Wx>68P z*ib*yD){FLV&sm2T44btG_!E5oa_)W;+2w!QKo-+A786H$7IH1D#w-f(xMQhy6vDRr{yS4S z1=E`^l!ow~B`KAu)pfW$sdiD==u5{nu+SP}=nlGTrIZp{ic!Z4u;zF2akT%tn3$?e zz)9TwcW?FmDpR?VwChVSN%Qyfd>lVCUr~me{Q0&4e!T%8YIJLFmJ<0mx=P$TT7P3q zW{c?@8oWSRUeOMST+VA#keo^GyhoV{gHP#cJ@AQ|mQp$krgAfBA%2im$!Tv;i+6Mq zcem5CEA==sX{Fw4?!AxOD5F|2Qwno*MMm|wGJ-0r8bM3D!ll}F$f+lBT#C*=!#4RQ z(;x89O$0E0$C_~enwcDR`t`fvzkSktK*2uIYu8Hb-p)g~=D8hn(ZZT)W^#L`HgVyz z_(Wgv*W5BbAWk3HV?>c*CM`b)l~!;uxVql99%mrk?g<+$zq1YA-a-uX==QCAqlA9L zbgNt1Ru0tTkoD25U9DP{F)kb)j$2@%EyO6&1gMacHItJ_2OC4243&IA+`iGPh=O^M zMabs`?p*!EbiFis+9>^U?6bezPUFv!%93VsLh0|B!W|8GeLSv>lZsV_+07v_k_%X+&A zK)4pUi!fy_!F%<%WogJBY^=g@7c8`k5XIy%;R~K} zty-J}W201qdYr0sxF~D{_3{OM|8sn^9%vF0vJF<92lU@n!f)95PBKnz<-0J+94*@NCN{G=*9U{13`_9uM9$Cox21UI44p?gEA3POu zI5Rol|IktK1M&J@pmTo}GPH7m&YNQT{z80a61e9fr#}ed4@>6h4+ySoz`+_|Y-{~m z!AF6p8(RFCYFgUQ6+}}l8ZvccD25Lm#fl;tGJRwy^Z>$RdqaPaj6cljTFK4u4G3a` zI}ei?_ok7)zaF1y7VM`3HPq(<8N-TCDAqQa914J#l8N#2%pP8oR zrWS6@M>|Z99>g~rL+Wj8_8^F@N2>-`f#?aD&X$J@l=i2n*VX4bPZM;m958dEtL4hMoh1x6QI@|L#ob2MwYrL}t23pL@mWZQ|b(H)}` z@bwdfIHq??^THK)ABF=U2LNVtr~mcvF+J@OKF>J3&c>94 zjO^&VnUDXP$y2;@K>6@5#w6R7s&pOTN3Qk-SFxo~@$B>G?eql?^QAzjNx%bVh>1Ja zUH)KbA_#4Qcbx{mBLVr7z7(4o3l&!>YSVYPFi?SR{2u=wM z=|R|k@xKjCyoH`JnOm$+3Bf%FxAP)gT8?<23_R#5owD^bA#JaMjlQ0NgLC1C zA#QX>ohWon1pUu>OS2pnQ*sy1i=zhXQU7z^!Ic*jAPz067+P#{EUz_}51XajjH3zBqhXnHbR~QyQ)oU3 zwt8%@HlYChE00Fwgcn^-R9G=$+w$soK4 zdwC{JsDuW(AJ7R-P(vZf>Te^r^*EorOVsK7aXl;e!M!V2$2PtuR1(5)m&3j>8_TO- zCM+FrM?yi5q0x?r0!x`2WIfje*-kUi&-s2s7Zu;k?> zt4E#lTjurbYdDSoQSyR~Z&lNSgXj^XJSKh2mQV=`^pyIXEoG4)nY19%wFKuef>H#U zZ-&07gH>6q3zG#1BOUY6YTwX`%_^Y^F4uk~RE*KOwxN@-va#H@`&}#pw-lS%Lw_=b zKlYi2%Xh%3i-==RKKxXmt5nfW*UA>AMai5*ktLW~m*Ck5+;{SeG^b_(k1$`P`Px@b zi!bup9^uItK34D^3*saCB>-8P^0H{F_ z`rl_Fhdv5-33|agA+*zCDNFl71l!f_jdzr9dVolHBMXz;uWmv4-|62Lj-{*x#`<60 zh1BJ{8%ZaDY4spTfwE`pi2ypOai)M{CXB=s}E{0 z2fRE#MBml39>pup^7XGK_ssB7dAU230hEX!+npM<&@>aK-(cUk@#E>mq?vn^L4GnR zO{Pr0e+^jBA4feA0|+8xUq7_){dMbfI`wiWi&qOZ{nJeR|GNIXmH*Cp4+vzo?yT^7$( z)2MqFy$2KWw>zf*kXC2@ub=^>4qK8j>c>xsw^AvUUT+>O-hz$sX@2Ov-N3N$>JtX6 z`3#dEqjGfL*V-i#ck)Ab)qNly&6YIDX2Brw)^G9?G-$%Kk_dh?Yho7D6h$|FygRHIo=xu4oAt~nKK%|v zga?kznia&S@)OjmDv?e{?=v^rJb`x%(Fcuz0I?+SETid^P*<1Qbhx{vvS*i1{i5Tx zq<-Yu$(-^%Grs-m(~#cb1!=zZwvB!9(cw}WadFS76zloM>K9sTC%)4W#YbhH%+(u= zO#uN$>wSea8lMYZ7@QDKjxuJ(9?@^VTT$JQtW%4ec5Wlcvh@yc`>CRPzzco$LV{{x{iOiu{ot#_s+AGXp+f^;$Fxq{vg4?LQOnbz zqiywUWR_hk!wbK*>UT1@;v+diOy?io@bf$_JM@@6_A!##C@t_5PV+85B;1x{W#@a# z5=VdF8X#eEmHF5vTbq6(9T-{fSUa5ed{g{6 zHxGqbWk6}YQl@e;R5g1jfD(=dPEm1F)qi^VKU7eABu0WLRI& z;0skBJkK_Joo@48&fUL$VwfOLEfJSaA=_0zhu#eC+)&61i3sR)_ImOp4qs?`b?Vr7 zw3bjpKYTR5BGhv`8SW`?P@dj37)V?!k>tqJTz4&U!51b{{T`cT+uT^axwF1>(6L(qpCaU?J?qtmlX?Q7srZ0h>k)D3+UFvx?#M%i?H%t;J#pEy zU1!p}PbqGgTRxz7jv34Qdbl&`y*cUpJ(q_4`RlHY!{bPjwcI&zadBc!q5so{Ll>Y? zYJ_<|-!x{e?Wf>kU0q<1?bndHTv?V?jUavYob`!D4eNKnPFv|x;o#}$Dy764=U2jM zsjcH^+wM}3bXv#qYI(^@);-CBrUs9|d*&IovYvps{&d+v=%hH8nc`1k#pfqSiRXQO z5uA6N7yQ<7c)UhKN9SHdU;$);3L<@~>guLP+lzYlhaXk2OP1aXoHG51k`_-XOBbfW zx2Y@jBxwP}Pb;5^^drNmT;b|H&jNQKr`zRHMP9^re~%Q0gJ>IjhrK)MYT4H+@HHCo zNk7>(O3h8e3{3Pha(F)&Dy<36`FWMp)z~!?C6`SxXYXDqCXB6|J{PPsds}F_Q$3Zs zQQG>n?kq%*MYtp-cFpaJ_gtHcFH@id-*5K=Y|IbdI)}ffC$k;nY}DqpXp0b_y(uLw dK!SC1kuEw?`xkvk3Ie;kkKH{ZP0#$&`ahD;+d=>U diff --git a/docs/inventories/v1.34/objects.inv b/docs/inventories/v1.34/objects.inv index e754781f866ce1c6504271d3d599a0d049a0e232..10fedeb95fbe5faf14585e37fd0a59bb7c050519 100644 GIT binary patch delta 4826 zcmYLLc{tQ-8_sOD!OSoiIbr;)$r_? zp)AP~Axk=_lqK0oinJ*{IoEf6|Gn4sKF@tW&->ob^6{?tLX9}fO30LkPr(b-;X#lt zYAg2)mlM$#AAtkD&WCb8JDhiif;`>U$LBn7^W%R9EhX&$U=q|g?&9u zDeIV|m%bs*Y|6yjjZ}w)qygb7xo?c=x>N^(JV-NSK-XGGOQ?(xNJ+(<=%$LOB%R>a zBvVI=lq2}HX1yS58Hi)z-~FSxnq>eBr5iHPXla0MBL@TyJ-*}F0j#MVP>PW`;HO)V zF>=+Q(f$dcrRlFU`ArXdtWto%drbwt?Hp*tsp4nVLAi>*&Z2u2)!A9KiZL>mht(+T z-0Jvii$41@ou1k*mP#Zf9t9$LT({YMN12Z1VcG>j}_|Hp2^n9yGZ5D?WsAwVnAc@pqiDHY& zzRD>O@$T=$E=hAltZxqr$as+;Jy{Zqg*OM$#bDZA_M*fNK>5NGFQ-4wTcRvPWMAhb zi+DRxG7SC}Ap%%sfmc1~#T6F*An0v5-1HhxU4@wmfegrp!Io?ZSREk?3as#4x-^Gi zkL#m*%kp3;RN$>NqSlwER(?W-sR-@3Deq@&eZvw(6wMt&=ZLV4oB|APi4yVZyV&Gn z7Cst8FNYuO{G#eYtzrrdLqvu_~2$ZDtYxTsQ?y( zxbIVsuKY`dIS92~IpLAaPtm#sCA*22)kb&fwc8n3OIx7~;EW=}naK1LsQ`6N9$|K_ z8zbPVFuhWz;+`P} zi6@JAU!)>SfmMne3{6j)5QLWwW6YWBt*CdFE7w#(*Ud@;*fu< zS>=EVQ%4woKt71J7}f3Km1GqSn1FCba3PV4gi>}Js7V{6Qil1by~7A_>`%N+Z%Y@A zP~a>C;NDynx*-iQ0UVzvwqn2oq#g-kt%-8b0EuFkY=zp8_@xZc)mauk3rx?2*FsXv zset1`A`cC|g9|jzk6Z6d;^;uw~h@TEC2ejeDNiVHX)>0yFhJz9G;WVI9QK!DD7YTapuY-M| z!aOOAN5h@HK>Ik_FnWO@>zR19Px4s&abP~j{j<6d&wa-|`7z)_OciUte9h)7~BUip2|)PM#f zlTfM)qRGMkq&>MpC`GiNYEn>9sVwNG5z+{y7?1@NjJ}=EDAUGL<@1`{!X=k72--UI z@KJGD{tTncO;!HTY^zqKC6@U^q+|BBmcSOvR2J>%mk&+dpF_Ypg2E}O-04?p97Zl~ zj6NkRJ!}WC4QQ=uU|q)qX=1Xya!@B}Kj|YLRUs{6?$4u;!Pcmc(u_tgzBn0ejS`a1 zeU+mx>e!E`{ze+bqlnUs{qlm=x|0CftgUqnok1aQ;ZKcA!~4$O&F3+&Oc}A{lbDF~ z;4%XC3Mkwtm1|G3XXACDpn3SA-=oL?l0@S}tq$PMqltjCazGExmKP7PAU z++A%@78nNCa7@Ovkd60&z4e2eKC1Hvkk@GSW{>(Uj1`E!0sp2|Y=iPv*iFmnCL3P~ z^KpUKfQ&ByZ0-(pTLEIYFC7}S!^ET2)2GDT3v5tCgw)W| z-Akky zYYyxgHa~~j)5F9+o2$);9N;l&WW^v>; z611{Jwc=07)LDT`(WATOoTWuC-_PmLo3*OU4oS#KOlW%GDgoO_1sfQp7SMu@aJoP2 z#>G391+*VQ)OztcWjgl}%i@$HdRV<$3dcB%FSwa>71#R8EFj_-B4!|LUOMtW0P-uX zRUGyppZ7zRNstnM|KwA0tKTfFbV8MRK?;I~lkJ|Zv&r4URunm%0Y|11u{J?D^oiGy zR_SpL|0j+*ld0lg4`%`2k0VU|>&1wf*JB>_tMg@uSO*A= z0xP=SXw4CkwHT(C$nrUC0A+)y^X03Rg#b)GGWn*wZ%V~)L@WhjFb}6lE-4YQmmn5$ z@JJzTED?LQ!?J13T7|!Iyp4PrU>og5M4l(0XsWwa<$R1o#jlB!?)3AdS{8t`ptH=9 z`V67~qA&YjRq7E@CBQFLqR1o;-dvRK0TmdbJ$$n?$6@ZA(-kp`FoH%$JQOk0;VdtkER~P#3*3zj)EX!4<{#si|Nkr5~ zH4!)cL6FON4*rU0doKK55pM`!;-n!0`7mRP2I9R_wu<*v@5%5A?}`!idt8i|s?p?Z z5WdC-G<1q{>nk$tUAGdH<#$3Kn+}{ot4h9nW+1kwf5s9wPPo@-v&SKG9m0d4Yl_5^65cFDcGuxj zXph~+XWbwk4ujj64S}lM)Sw3cedc%5skG^0-lpNw@sX_|-nM8u^7@w1%5m}U#kXfS z`P=TBPm{JZE+CFBwG3`$@U~HtjWNU2il2EF+vtbvWj=NL#AY>pYyPV`_xjfStL-BT zRNBS*Lrc_>pL&*CPLY&OgL(5+;hO)Ldn zX>y2x&ClgZ6$uxK#boI7>swJHELc@)WP5w_|E&%B_*4($vbIW$1gdU8mCB3Sp+5B8Jx)4Ck@!r4mprovrO)gQao(5lo6?fE^wAbocr zxr1P{rOC0a4?l|sE0s2i)6{Ba!G@nteoC|&SmzOLU&5unVA3ykMY8(V zH|xemTsH(0?$15u`zuDRKF>uoHMn`Ugv)LzC527;X-6$D#KeDncjsYqPO-`BuFLL6 zLvmx5ZDU=Pa;s*&NB_q3h2KAN5ZOXKE!dZPxp-vn;|bUxkiQ5q;(E;qwV2LxS}G|$ z_vhT#vXA}_ZgQL4w{&exDK{-Hh%_9HV40a2T_NgEE>HKQ9NX&cq7LV!{T!X{&vsuu z-yHk$SWiOp>072R*5<IqKb*RVB zWYkWBd;0OJsY6d(@ueH502AxAc`2od7NT_a%;Y1sz_ed2B=>%LOw0JY<;9PZ9{P?= z9W}Xfnd5)kUTU0xDt<}-`EBWJD0lMXTKU7OhHmHfv}SvGhC>tAxWe!CT%PHBb6Uu1 za87aI;63ilasSDSFNP4b4pS5Fy`|mf+cqg2GN)A8!ePQ*l znb7zn!x1${yQ@~hYe1o22l*7y7zd+-xaUQGVTw&YH{HM&6AO))$JSTLx0r$LKnY|ke_h}7X3J-g_e=lww0@BL^&JT7d%~p23=B~Vts6bV< z*k|@SJ5@|vj7ig1(hr=*{TTXFlIrkfgL`cY$4vEu?_ypzHI+a4@qRsl zB3wJMnbq6B5gzNIQ9Y6HW%>ovc)aG*$mh_82`{0+TJ_Y7xEI6i%*J)eu78GW>S6`s zN>cG~GyMhkrZ|Mg@r4?l=!C3i?&jccQ%581KYL~l5-;etggkd$j?4MsdwP=kV4F6( zQs~+6H~^^d{#hxBbFHhYUVf_lw|$V-(jNS%Qgr{2{G-8IlP`;^)4YHw^Ab{u@*Pj$ zlkJa7!{8&|{~WCN-V}7UET*d$yc(Z>_g0boMTmA@UUA{l`r6R#&Y=&VFOpH$8e>Db za%FSfH;KoGY$hLUE^~{yS-ztWsLBmXha3q%zn3eB3IfXm^ETcO&U~A*a5Sy<6do^p zqoA<)eT_ds8$RCjeb5G{*#F@A>M_05_ZRnW^$P@(>VW;*A$Q|dR&h%+K|oE|KG|k6 zcYY@G>_S=m)a9!$JX@N+@>Wx#S5HP2_09%SQC{WnmWGF+VjdLhs+rdtThxfxV`CZ~ za;DXt9(|P$SMKXLvJ8HD4~?xg&8dY{R3CWb@jgrGOJ37P*LO_O>E)UBtsCjl+4j`B zZ-JB6FQn}4y2`_cf5dH;ADui{Q{1;*^~#qky;@BC?VE|Y{aIh1p1b8xUu^U(`ZeSWWhn0Z$%0Hs%mYsea~1Wj z^Vb$g>Jr?ao-05@qdsuAJw3WdLgP(c92F016^pv) QHZH6-Eo@71C4Dpg3+XJNx&QzG delta 4706 zcmYM0c|6o#7stoUU}g-)SQ=8s^d)#+HdRGwMf{EQyIy z5m~a7eHp1NAtd`+$x`~sgXi_Up8xLab?!aqo^wCvyzg|0z>i`9rZJBe9gG2aNR znf7dS1TS}2OtrsL*H}?9`&>Y4Xs_O_R-}CMi84)9>M=uHjMrVnLr_xA?JlV`G*leL zL1d*;i^uLIS&|V!(;{;!yA<3FG2u^+Okwg=rMRWqryUJE(qCQP7#CfSIGomv1SYrF z*b{>oQN%tINkzBZQ?dbh--q5I_Q7Z$}OvS9Qpxz@) zgR(#-6R-4L?{3;V+*|nzrVgD~;*$?%cHK-D?rr)Z(%gREl8l44WOk~V@F?=+lK%$B zN}gyz$VM&YmqgS0)A4}{v_tJs6EV1z>u;O1rlL2%(iKgaFfne5+Wq+MaoUMWzechF z=fN(CDp7fs@Jn2nm|(YD5PkOX)4w6N<83X&7R$zTX?=iL0bJfmS{}2~fzWB|1bOK9ZZu*M~S9dvS z?DFy|Fz$pG@E>-67A?=B2?rAw6{I+(lThbi6eO+W$>Taij@-*2spD(iLJE=zBG5y8 z#35)uN-$w=-*PVB`T#RA+o?YkjN z6o@??kqTkQ@sPUM^nX%LL;y<=Oo@9+kJu1|QufQMb;$g$@py-rgYUPk$Qw7yBS%qG zK@wIHf=JcqqKSRvXM#A0yC+%`CJqBwsE8~*7?&u>Lur8FJ>RIuD;7Z6ElAQhTQ=Dy zm=6%aMYM<;7X?i4Pyl}XV)|(3B~>Wp9PHFZdtH13*W6E}Pm~FgA?~PHMN$k8C6^cP z-A1x83nF1(@WkCGcA#x#nP501auR*8IT%R;M1Y7C-g=ch1#vRL3c@mtb^1EM%Z`&E zeZDn%l9NgY-ojK$m5*X_B=TNLP|vF}KMaWPLufXN-G)*ckodqh=10W>UUrK(X*@yJ zt2~hoK>08_UgdfPzIaA152%Xsp`YJFCYaV~RK11EdY%u|$hF5as65f)=#yqNsyY*_ zgh2Drx{X?bfQV*9xnw<;dJje!7sUH?QiIIaNZ2>9xYOz#(33_?@MT0}sE2^jr?zwF z%(z=cgvBZ2ic+%t@r>s@a0|(RTS|M$gb;|8W^AgP6oMTmL+VI(n|!Vmxpga*GG#Z+ z+fMUDqq~9t>tF;YG8;v+og-mcu((u>ZZSIpCb$a8@kDFYFJk}^qlgr}`VO}kI3-sE z@7wCyj!Z?eTXsMHQdDP%c&%Q6>pIE=ze6HXd`hlza0-CI`!>0jAP2Uh5=dXtd8RlH zk$?sgQ|ij$&CA3)zJUq#vyLDjTy;1;8qe_L5tuKKphYu1$pWI9Ot2C17R9G5-?E#W za{)rP;Y+u`9ASbp5U3Yg*H{h%yw{K5=oxc~R&Yu;W?LBoRCz<}4LHItD~;j&O=d{?gaj*Km>alPjY$_&9bOrBpldw5ySGUTq~1n-*z=W-F+Zx)SJ~SqGzlR5a$G zSC*baFP?D%23N&-^R(-bX*q)sH&Z@G3rsK*Y~_L4qs!mQ?FHV4MwAD|9?rzC;~4`m zxQqH1UL}|;!yRV2;G-SQ@g(pQCh&|{7+f4}TlZCnU2w?NY0;-qkF$n<+y!g$IB+Tp zi(&g1xPG|{%jYOX1A!P!a(!O8MKk~v!RVYVmn@Q&Wt@XI(72Kp6E9H61Om?`fmlZ~ zYBCc%356!3%fS_SKqNJSBX0bZ#EYWj?#EB3(>txqQIrM+{A^^l8ucEE0+&1GV{c6W zwM0WmkB}5V9$(~I4()ruv<-&Bg6vf~t@Kco5CwJhYpw2)Mlrw#G0Y*47R92|vW!!_ z4P4wsnzmu15%xC*g2q@$ zblf2?PLP?5G1d(oSK*o>KqVSuF9}Et+O9heOjrewl|HjJVJ2}#BP+$Bok!A+&d*FrMqXDU@k0D4L1$7{l)~nqhdlIX&X^B zUtp}iFu|*^98|0l)m(_upo{luquQ7~GR9sJ+8IOL3rz4ijJ7?8`0pJ7Sl@R72KWh6 zz@zw!tpTP^3&z;{!f}qomlCin~XwNr9Y+7`|NUvEX3IJ_0bPtZVp>DA7hcS<%c4LF^1B z?liFj)h)&X|8BYFC2hG@mgweXff)EU3<4fuD1gz9YwBST`yTV(f{C)gWAN>QH7}b0 zA`Ud=5ztH zW{IFXoL}f>;tdFo7ZFXK&m7FG0G917cvQahkqm-0fpG}gFxjQ3;7DM&AmLn`Hy`Rg zImZ>c&7p@MFw}k6lRhMwr`gzt>t8M?!OaOOd%7Tp;o-c;+#B2 zuDd+$pDKq-Lhb3~0{=)>zp}*hB?iFWkJ0rgSImncFc7GQ4xA@n!9y}3e&6GwBMpX(l%vj^Tg(95?do*(y|oKpj3 zX~w3H7OSwQUywehk4~0T;{lW^=9O!CBYZ}Ja?lYU&>CTC+hKwg-?gLRdtofFk2ic#YI>Tgac6b)u*R>_eOFoF zI4@zFSv_X})(!eLv*f4WkO^=YJ%}&;A&ST**Y7+D$1?$NCt^y^apZCd`xw{J(NA#a zVrJUN1O*sz3LQifQsR;cM3~_&bTE(4J2FAE-l)omD9c$esark^h$QZ)#MbHX zQavdw(1~vwQc<>E04t5o)QjpM?vbLvz5fe^`^T^psU0YE7qGxwzHKN(_FUMSWo|E= zAK%CHK5>Z<^9EQC=sWx)Cmq8Qr4aWuTEuJ~v%m*@J3o<-t^H5v+dmOQx!n}N7w`Rs zByei*Seg4l>C%12MO{-LCt(=n>5zbBj}s+hz2;*^8-NGz0WaY zm(VAxt4IiUS(&tHQr30=Vwvz0&Oz*RL~dC`E^S$8!Q$irlQIVt=@$>1u=rGZDD|O9 z*{ll0CP9-oZ-5{JS1Z6qALY0hg&Z1p$oimowkRf0HL_^GLT{2P{^jKaEU*&DkIH|1(7W;mPH ze-1>^{wiNDY`5CHw|a(mf6hezn?Jo8bha~OSlDwT z_^n0I!{Lw~CSPG}@Y}z(5C8seJ*n~VFLwbsl8M~SpRnF%XDszZ>I2f0dVFK9KvwXi z;7s%*^Z)M-q+4xP`jDgSXvT-!%D!=E&RV%|3S=|JY()QmKvC^~2hbTU8k0^_T-V+X z`HnH%N>O2~$|{l7m6xqQb0l z&UF%>07KWSW#tIxlcEgM(2$TX8Cb0@m3F7SeuC?BO*MJ#LPg=TS?B7CCsmzkHYGRb zxf7v5r8VJWD*qbrjn;5&XM5j&Tm9aD_Qo}31HZC6yDP2^sC?^9UMkX8v2U+0Hl=B% zj9t9qO$aY>I;yhUpin2FS}=>E{t@Y^{iXvJ?%yd#vzuc3b1TO8UrXc*Ev-4)eYnCv zMR=t6#PD@KQa1t1?ag6T18XhXr#1K%RGs}2mbFDSDt|k*xsF*l7wpcuAHDqgS{Z4?N{c5n? z<0q~mVyJuU%L9Auh)E>eMUB#y#V}~IyYotCaA?9>?j$V@mt2@~T%j@*~ z`rd~X!F)^g*QQhFYjN30pIpNSpU|H5t|Wa z(^`DRFtF!R4s(6QTnp>;(d?tz+)#GwPi|DsMVDHkO073q2Uk}ntg2y;X`w6Gwnu z?_RcO+&ohJ^Xq|uz0*c%4izp1=JiWg!)P5~VrC$g%1<9xe)lfQk}eMMUJoR|`5rVr4r z`;NG>dF1SQW754KM(&LA(D7}G;OMQ{SDo9R!cJ~(7ioSXKkbG0)~?D`UUyRv6wY^W&$AYD*na4@AuitqDvc}&SO(&!H@L{A~Lx!Y2i>Y!;*nYJhY7I}W&T}R#8<<;Gahi#k%92qC z>1XZvaHHW)kE2|438X2vnY+gCl(69)bw>t=RwpBQsmaW8d4r7`|=glAItJ@sjjo2oQbb`%1j||eAg)~P=B^}sW@}LpLzsD@pieS|EwQ;(;0<=|UND&Ks`1@p)Ml8(4K=Z@2 zRf3F6?>hosKDTn$g?OS5wlq-Eu~o+Hvv+emG<;EI{>|PwnCRVV#_Bk!dhU5qui@F? zVcKsg;4&Aw;i-4ol3Z0)YQoZU-h=5v^6BDUw>{~E0mxx|NItb%hmihMg%`)GC<}~^ zM_}iFin9FGc~*+%O-6=o(0mP}UhZ4md~M_Iak40_@}5r#A(jpE+9NgK)|+c>(e$!M zXwTMLstrm6z%*&wI)66w`O0KuZy*BlSuTKdbz)^PrkiCX-K&Vwu%AQwG-NG9|LyYq zzFi=GdSlf+v+5&k%+Kd2sPG-o)H-urx-08$ z?0u755<0p0{6I541ghuCcmUf@b$u zIi)P@!sVl!+U*-oVZ6>onh}ARm-*n>far;**~0rd+pXLxeOkx9gWKPZnw*Bhyt@J zr)s3SadldLlA^dn-iLKw!!L)epn8W2o9J-O-%+xjj~_>!4vIk5NWI(&YED@#$M;P{ z3THxMbte*S8>7h`VovykKl1s^=Zq6L@xc@GgTMU>E8o37eO$ZjXLSgVSr)s=jL;W_ zERCSVA2=cwGqA&ZwC{Mo_*d+`<&|-gVG=#;M@#L;DXrU^iy}ewz$1}~#}P!^+$EYa z6-Qs8z?yv@=xUxGT!Tm^_Q?628y#?Ei1R_LA%6RniKj`Xn2vaN`oWlt52#}n#Zz;W zlPr9LqGirCD`<}?-gI5HMtr!rNKtp#+?Qm31i&= z;dxXzXN+kqI2*8BKkW|PB?-R?-r z;A}mRgWT7Jse-DOH!BtLqW$-QHS5DNWNT!LwQG#0okL!M zzn|bpE`eyBKG$_;&tKr1?WgcQA<>o&7YxC&8cmnw>~HDmV(-!}eKx9m5~)V@u!Tlj z*Y>X!0u#@w&Mv$uV7}Su!=;#T8^)yppS#{yW*xd)3#}_x@vfkGVloK*(Y6+3aC8I%A)HU|7r{_$>S0DIu$kK|SM0aB$Sh0<5kw|*AS zZ3omR*ClIP!Ej8G=2jjJPn3>9=` zMwCD6jyQj5Cf+Mw5F1bUc-YH!;;`EKSpyN7WSCFeuB|3n?6gjC@zKr=Zr2~uG6tL} zd5(EXQTe0NpRbg#_|t)RwnTrrKNsrpMYE>+^qb;Qh7%~Z-s@7kd*mwO(IJ<}Ma(dO zBG#kA$6Qm1kDFnizCkd z0>-~iWlx9nFdMqlZw|1pzb>{e`xT&!-o{-3zg(1Fec0)Z7)_6%$6mbGz)sRU!8TaU zcvOBz@$6k;e4D|Z>&V>m_xC2Wt*%#@;ZBVlwp;~AIKi@;=x17xTc)@x=;83upHb^D z_;s^Rtp2Oa_AScTpfon=Ley;$3o&C2W#kTMrfNDYi==BsigIxHLs4uhY+Cg#Mbn-H zRAs@(S7YHvyO8}CvfcnzgEEs5B)mrBm5OwqUYSt5eZ%fO1@=8ExmyYF7Eamk6wwM``%KrA7B%vdoz|;r(@ZzrH^|EEj%bZKz{}E=0)~&uPPH zf^N{c@I6Eh>ypt$n1=@)+{YE**>62pDSZ(d5j8KK&eMMg9MD|qaE)X$MES8+Uv~dV z7AU@M*WHtFJ~t=W)A+g!-SV1Ut=f|*zEG<=_?92^blu`t)>D^YTXJ{&`##KmBb)4j z#kaf8t0YQ~Fq?SOp@p^6kI~YIUSYL83_k-d8*T( z*srZW!|a^u^a&klg?Up~CeaMXteM?hMwEW9V?weXVvPHHmU832vpJud$QX<{Ha%4{ z&>ve&oKN4Ao_E;?~$d+W}9FyK9si2LzD)oTv&E+n+NswF!RZx1*E^A}xks zg89F1D2#8HHgAP_HpP!@ml1~2s*2*@OQb*USUST5FhyGbg^Vyy^ zMXjEHVsWr~9NzQmZCBXpRFXA*xH||uicmW>DOAqoGQ_%OgJ;^8KC<-xnmnw_lwnE8=| zILkP?v7l41_=1yJ5=`pRh{O~1M@ak-0RrvOPBfgzF*VCImIPlpXJ1-8eEMm1gCH$#)6MN6b-;-`D!A67ykh&JS z{o8)f9_onN;|2dKkQ1ZK;oZ98z-#ccz#I3&=|S!Vryl|W9cedJxE>K*b%3yT8CK|CjnAw@eT?6FT8T{-f2d3?wpZhk=Y5gUFdYu3y%E}B4 zyoa9-0_f=KhfnB1y0v`v^SmCIAVu!oK5@sI5-91uy>D5*dEYH+HF*Rsuv&x*L+ET_ z=L>0P@N~wjjY3fHdsmC6&Y6S1pH|7a5eL`T&)`VmAT*343y+Vx8>3sPdC9C))Nr;@ zd&b81J{)r>Gs8;Valy2oyaV^g5AJ$C$+!xOXV4kICS+zcxkB5!H6^`cCR+SbpXR%0 zRiPn;%i?mo^J@_wee-P-5D=Ps;&$75NFLt(0g5jR|6;v39}w{TG~Ign;PZ-f#UDx8 zGA8j?0CF<#W89)KA2U#0EXs*@%|%VsfwIs)fe%J1?;@eB|yxva`#1$iG&K-`VHfyx~7f zdCUL_$vH7ymplFaX@Rg(vo7trsq9XA)6amyu3w{j6;otl%+6PJ4?p=}vGfcIV?F4D z{K*y0Yu}X>u-B?uL)NaF)i*i!_YV|ViZDvs$VpZq@P89EF^j%x+T6zD$XpY1qWzbXJU(k6%yu0F{;C6zCdu81hP3;T%5e zQ}Cmh`KX`mp?7#)CDS(z3)4PXz7J3^Q~VO34+o*S6!66tO02G8MmFKVFqEn10#05} zFVtHW|31ah+#l+lnq_eRo6YDRh}rL`-9pne-Url26Q&+5hFjBDDc-*K{Y!TY=VTX~pOLTtlXNL-`ST{%=>f4eN4 z89PKxegX&FdS|K9UKl9m*dBN#GxBhhz3#zHvy;Ss`+>W*@sw^KNrR9UCOGb#Z_M}9 z{xQIvkI5wr#ruQidlUwYyuj|w%2lcS8)4!Nx`s3FN0HmpW9_M|W?E4ydlB-7px#9f z0^kw*MVnksC%w4_dfUS&;b8_|HWUv z@hjPdrZkty8Er({P>K`b?c}^cSG+{>Y#!Vush$G z_07-UkYkVacMsu}d6jnW46~l=`#(VhuJ0L;8jLsU>o87)8{harV}(0&*56hH1!%JI zTk>R?)W+ep-oxSgKIT{n@yU1f7ID{+Yl&w}&ymYWM(OjWZQp~8QJRhNcFKI2moA?| z2<6Brwu8DW!`5)_nYVozl^jnJx9t2qA*1+Bx_1om{rvrs>=~P*`9Fr^X{th^#01!D zAN^u@5G;oZ%Y9Xoq%JrUwx_gyeDoWWdr$Rn%}kVg zra@eHsl8Pz!;@IkU8C!`qZL@4et{B#sdq-vrD=1)wV`kfz4P$Cf%;?|7C-(rMwGl? zq;Ja&MUs}Z*~et~IlJ!vt^=eEKli>bU>Jzr9Z+_HED6qz$b4$Qt`p8WDh}y8-*U$x z=5%?^8mU=-K1>+XYFb{Rg5T{EtXexWC7%zQ1b_zpnBpxNp>CuTz}0#wfM>LcI91d?ZSuXw?4Ur&1S5*Mv`;MVG=jM3^lTWn7l;Y*+E zMI-?nQY%-dpZ6lFLh*KCWN5(0q>sQFF+%aA%bz6|2$;Bk_M9aboNe;B?CxBt@@WRU z*Q84sTejJ({l`qKYGgmB}1@i778((CkT$z)iXrI z+=9MzD{;LiCgE@HDCG?}s@(mHdfIp9tyNzogjE&tS93!8FZ7x?QRU25Ho2q3zilMX zlOqX>VXNQdBw{dd?%Zi#AF8);_Jzd>)VEYQJ#=&Zy!&{q<$iJS^^DcOd@*Kl`rPL( z!#|;9rdP+FfRCm4kHdl^_Q7WSn3H93M4`c?)8+3}%*?;}0?&9m-_N6Ozi?`hc{((4 zb7eg#&i(1Lv4;wC@nWwzAsvK&N$US|e|N2Y)G^-uC#^EqKbY~?g9O#hdThr9ylMN< z=5aEy?&*g~|M3~;>7t&&PG~&fb;({=Y)#uV|QCqZujx`1vjPL z73XTJ5RRX9iACjdpG@@LP2{4bZ5yQ# zs*GjZl#*6Vx>{W{#He7o6pH%jQ&}zm$`~yNHGYiOHCMpmr1KgT@=%YIzN+{4`;oN5 zSwHjI=XdO~#2$3xwI*I?Q6#uqa@vMAa)nTIkPbs|CiaNB&Wcz~Y&SEousM&Iw49ZA zA43*rSf?7W_n@0WKvcp7OQbO!JpLH^<0Fr$Dm;Ofr}3lHt(f*)g2zhw6ItRlS@O@_ z9F&{iW<}R`zDQ49ew1%N5vBB4;N&`eM3($)?v>M9`*K=Q-)N*_A*B$(+0zp2K+S5f z7~*BG*2vtMhRrVWkvu8Yj0E8|DFo9+mm~ahic^jw{kJqLb^f z494j-bLpy~!e4J`#_5a@k`voePsgJYh*NR6NQq<@-+q6CHHXIady(Wjt)z*`F|GCo zVqz3LWjl)%e}%ijcArWTz9b6zro>O-q?#y~$DYic`0xhNSU^&!QwAxg%QQ)|;8n5X z_{KX*A)F1iwDp1XB+u+}nI}Eb&7h9IE-|wM6azG-&}~kT0uAGRvBW}?Z8#ap^WLM) zOs_BII40!UH}=DkK=mh-MH8ClKFt_L&{Qb8NLjt!)e{SKdA}>7OAIAJ9iC8L`uBT^XYxLEQG<1@D#?tI3@wd+Cz!?$XzUjMy_gY=~418J44{Z!TJ zw&$vbEpKypQ%SvPentcp!6oh0Z?I!Z+QBcXvf*-UhOChYuF4hK!i;5w=c<+@urgC4 zg(S$ZxABU326VPpXP>I@jnF9EniGC|a+YSB?mL7ii)45dl|DFxNQ)4bel&zg1!Qd>$M>P$)9PaG=pkA1q640Eoo8J#g|Q9)&L%!)0;irm)AR(7C?{ zq-lJKWi60`50u|7>&e*P-)e1>n=Z*6a*7{puB1X03=klqa zcp=SXq%6X0qg@Qyb@{X`IR(Wh9cqZ}_H=#2XkHT1`xw}FyIHom8CRor z8peE&Y%$~O*n1g_TaWWY{H*6lXeWxaM<`@hC*Zpi|EVsI(e75T^V^{QwwtGZHU%FU z&A0Y%GL0gugg{S$$SI3G)mX;mvW4&fo?njh=|-c7)KG>vevcnt1ECjiJzFTp%xMnB zIl*A=S%Ty{o<4XXNf&JuRB&-Xb}- zY;le$A=FEHeA*WhO!EfDq#2ypT}C3oq$VMU z`k6jMo-Mpw6(R*pWn0t;<&Z+tkjR*4l;b-Tc!@==T2EuoecGUF)K`+qtJa}&=%6`q z=JY3dq@eL$7jPSrK<&D^ zd?mkD411I^*~klMs831wIEAZQhjKZ{%T=y(>XDY>A8-%XTPuyR3%Fb)pJ4`0hPjN? z`wY=5s!7PBRyeFp0U_ZuT(FPwEeaXMp*g^M^)vOay^dhuP=-m-f78S=EwcNDxwCw& zn4LesRZ$yHQ7vURS#9L&W1526#F|cJHEO>AZ#6}B7pYKP-4V(xFN;P!1T{;4FDXc} zZMiEbI6j8PDC3c=U|5g>Q;k+umiI-@Ntgf1q_sZmMHGRWdK-J&X02pg^RmRQ6U@La zf-}p8mP&=}qQn$&TdEiroi7U{(PO9#k{(G4ImIbCs_t)zI!a!TGeJ>{iIZY>ZWqXK zC5}-j8et)dQ#Kf8Q(4tQ`&~m#mHdCGRqPH!dpX(NqSe(Ul6>J2ckV8C;`FdFRYhqI zlC&7Zd2*}0&?MT9QTn&45@6KV88Oxe+~F^Xv1hq$?R1Qi-6h&gq0&Kjjpp&KN&gmmY=e;=~;B%Lab2yreGb{=cocHBGd!xK=5l+sF)u7~q80 z!*7~7FIO4Kyz!@mrzgWIBBrK}vYZh=e{;<^Jm5aqgl6#;=6P)O1V8d#&0jP509)Dz~n;A0)rZCSmO1eN9iAKb3t9%Xpt6!}K?-xwhnZtppYM zDT*7>ZQ$WR%J*l`J`)XNZGmJ?U0tP~dm>^L!@-SOux4+RFpKDZQr9fJ}`}qBe zYLh9ZrF*`dQjJR(pC?hRr1Rxf!I{Mwg8h?5WE-Nl$i)BC6b;OSoVE|VN0@7)YsuqRpdE)TxK9_i*hE}L5N^zvtNfx~2lOoahnjztY zobDb@V-5K4c)$GpwAyeE$3gD-?^nef`J6Cbhst%>6=9uocVR+%fdwV=I*VtNMoKcS zyu7>-mfDXPx#Pu>LsgOeZ#zWLZ(p)fHkv&EDTO()rd-XqZc!d7$$0V(x}M>tKLQMZ ziosem>~>LHFJv?D_+kE;o{SV@CBOLhOKPHmK_WHiMX6?C zAGuOq>h0hp0Ux~gk|tC!o7`Us|7eO@{IQZL9haSm9-N{}u%E2WR7?|Fncgss2!gU) zks#?dl@eCJkY9h6?Cv8g*BimtH1W&9TZtU=)2#ETw2~wwX6=Q-k%|B5)5fTgJ}44V z3Lmg7bIt-#D~e18$^YTp#vSNrrb($>Zc9)tWwMfI^4y#LWA!GFOOlyeBD1Bl5-GCc zHWuMUcuUG&5}tG&F8ZT_N^O__MN%@0B2z%NWFRRf68SMydPxIPcDHzScZsn%!#!Lg zrq7@hb4B)OA}1GFppv9%I0s9L8curT3?dU$SxsJ^i8)KbXb0o7WoRKJ~<1D8}X#tHCZu*=h*j&n#fyWg|@e2kEQ-UrR z>W7$t3s>5|x)IIe(}i4QnOrNbqPG7_`s|i}c<}F2J0n#GDS-62sk$^&t|s-6I}{MY z#ON?36ie-npM(d&T8w75`sYaX`g8PbYSMDV^y;i%LJ8!{QTto4xXK~QYJ(}DQq`eT z^=Z|?Sdewi8=SkTZ5B6W0gv{b#kxFmy=CHCd44Ky{2I61Omsee4}U608)s8{mmp_R zi|HCYyyO2FF%*w|^*k(4;BN`@xGWlN*tp{-{GP-VW4V(ut@YQAR)7!_g;Vo~EmZGB zh8M+^mj;ojBHe}x%8#N^%h-eR8^v*6gYjiC_cYR&is&M7Yl8zW-|TCKYHaf+Du_x6 zYJAOv)sW?X_~&Sn*?gjK@}WsI>-biO%NKFqzO)z>4 zjiHRVcJCMim(^={^torKzW6BNbkeZ8l=8E|Hb$4hoDRuE^zbN(K9+Da^2wxOfe`xL zIWAE}o&-_VtJtK3W>RnbxP{CP*(w*IcZ&0R9Lgd$OxhvDv{Z+lD{4H-HU~S+SAP~d zqj^ZJn`MQYhW$12JchgTpg>#)auQl7k@Y})kxzeShk(JivNsH>kBGcWU0l+lv$yrd zwguCZuZ3I)Uh&zimM}}pl1Xr@__^jkeH0o8QWwPGev`n7`!H62ATQHXQq{&K$9VYZ z3a5ynNR4{CfQ=&g70;roYAyswjYGJWhKpu4HAM4<78V&?Kif(!3q`emN2rR11EB=K zN-=oCyd(iQ7{T=&20J=<}R&nFS16wMB&SSTyT?6sJ zC9=BC2C;O5Y>G}e%S#yqT?hMrScJdBr zsY|%bHBP~wIJhZ_{b?e9ph2dI-T9=^q=0DnkvZIZW4~TZkEkS|YxYvwcwR z9t}!n2DX@%zb^eu6B+sDAIw!%FYEehzOK$h{d2+6QjuB;XovqFo}QuB(I9hXpnydm zN#)BXE#M7gio`ztxDu779FY?}9IDqR&kBnys$Xe+D~~G7E%-)F0SChHx~LR`R|>8H zz)=n^Cy|^|l_CI_XoBpgRXr3fq=0S&k$N1Hh}uRt5a-ulwJ};r3kPT-E#II!$CQTl zd3=gNU?TuSG(ooG;u^X}Qb0Wd)NJmRfY7aIkOV8R-L&s@WgkuCpEnRTD2aWPU1Ov) zBuui^QWH`9iWCv3g9AYcd)=C{6!hHej=P!6K?45jaIh*VVwE9?&|Y3rUs&vJpmRaV_BE+2LsBz7BC;&dMwP z!UlWOYHE7zuAw_F1;ivm&Eed@!1uv{EWU=q4lsC7_Kg8^zQF~rk=Vo$h`}i)Alor< z1zlWeAR95N0q2T+sBA3ggai0t{9{?WV=Tyz6X-MSYC{`p2~bN6?(;x?FZ0<7pcZUa z;Y5)ETvXf>-!lWug#{NdBPp5n6N6LDIoN$#js?r9Y0E!g3|qYukg~D@EPm?mBY~n! zt9~W{(^-SqBc@!>NWc&qkn^;whhdyFkc2eSfMWx3xeN!AfxMH3(MDdVOB<<)38*D@ z4YOZCr7=cQE5q=5Q@MspV}k^?!SD<}*+8XnMN&J&@QP>oj!L6GpuWzO_VyY3wc}0hb1LkfG*s?qMwV<3L`a>>Ob5 zQx(S2M$%yc*oj?(?e|e>l9ALD!u4S%g0Rs8@!9BL?ee^Mkc1G>Yh1Og{A)aD{^fR9 z)h6R09%L>I^qA&2EO?Uuf(gEDX3NBbWufU6B*%krg@F84?aZ|`wB^upEaZb)0TC+d zHrn!OtYPaqA&SC2+Q>gxp)d4Bw!cKB8AbwoAZHb`h`>g##1~+NgaytoZxjJGTNcn) z?$JhuVnb?(?ZfQvQE5*80TNyDh)Q#X#A$=!fqe3eO7nmOKE&|EVnIZs*&2{ozZ9V^ z&(uY&xI?8mM1rbmgl82AiNR1G#1~=^8V&QH#Cnm$O9TYy_LyiiT!4QmJ&}ZsVu3eex2+2(lRy#> zAdgLfV5KTuBo7XRjo3ceju4GT8^Ea$t_Ne0hK&+||4W^PXB+^E!vh=D2!Bse>`52N zgrnd*fg3hzP03NNO&6(%GpI!39DPcJ#$p&6+`+0mBO^;u6}= zjg=RNBZ>>TKsEO`!bp+8g&?8*@1x0Z=;67cX9_Qqn z6ir-+0vZ&iOmc*euZIgULW4~cA34VUOa}QW0DY$u4=qA7AjLU@!3Jw`2-TUZxH>N* z9wPT!_7fx^-1$`MQn(N-w0}bBl?)(|{aU}VSbA9RnOu-1N1WNcgRiZD3z0@cw87vX z_>&62(T4rAvLSkKN!mXvQw@;=LNDl1^|@xhZrA3B{t=N)C`0hY36T&r(RB{3*~@z45(RLv!1cmp9;*Ch_gC>{2@*k#wB!wr7ysKCmhqTr3>?KIlG0>E4_td9Vx zRyCLjoKgrnNhwrT8)E`D7lBS<3#UOZU$hIwpuHUMG^ZXj7{B1fv5;5>d00Kf?U=wk zg&^l~R}I6r@~Wv!7?VbBe(|R=Xe{Jmg{v{jBeL>nmGoi%GNqP@3o(B4U#6CGaUrg6 zcA)<_4xx_(5d4qh8fY}~um9tCk-ZjdR1>@qU8tQHlnVN)1#}+=m1PvAg4DHv9>W|q z1;eSJ9c`fJwD@7cNh%0Y>!s+`2w-a$c#0kJz%iD8+lj?ST*%;?B5Mp@$;BE#QVXnH zP;!d8n-v^d3$pA7p+glB6oAL9|LrGm7Y1=580auc~!k*Ph=VLE~M@1dm?cF(diJ?Rh#$eJJz`r74KdJbe=U>x=y;OiPl_+@%}* z{QvGPs=?0(*P*{=B9&B-A5SZ((X}yGBloXDp1c+lp|7jL9S0jH|9|(2Zv{{zUd#SU zYO)4(v)SHS(niz8#HrtQi~k1v>;I?g|Mibo{z~Rvdu7exa6o%dfa$laB}rLLdWmzz z|8FX6ZOq$9e)E4LQL4fN2LE0bKt1jUZlHr1Qw7g7Z=rtgNCjQWC54ZAF(v|HW=1D5 zix?=}jREwfLpGM~$a7Gv4)&0u*&S}KM;Iz!grN?Yz~+J^(*n$sCRtks-nM#qkOhav zNY>hbc`aTZIKU<0lC_7@(7!=$hFjIG%jOLRF@b?vzfPwborTlO81k>uC(aJ+10Ux< z|As<|L+|<2mg0)P|J-i+?~ic6n&U5ib9lYpMos!otth*8%x;kqcgD9Mw-lUS!)noY zCHadA4BeRGq>9b`gQSY@fAIUV-^K`~cX1vj=bs6Zt}NbN>;4+rZWmax2r07jN67qy zx0?aD3K7jSJlgFwe5x^~#J0KN$2JcH!VjQV*I@FKDf{jYLjI9m_D^E7g`$*eg+^>o zPwrYKd9`()Hz#b($=0U^ECVxao1%ELUoKV;-dBm$*kd>2G!2Af`JzDq&s++zW6*F~ zBbPmTC&ISqwsmJL_}>rr>>1^`7bV-TEquJA+D;Aojtf>yYQ4=_p(FcBfjS;Ztk8iO z6bIr+mCkJ0sxj@S%V8td`m4 zRHdFx#{A_8zoO`?uQJdZ(DnMa2Eyz!HA5$rYy#JT`zZZ%*Bg$xGRDh4gMXVFzKhV^ zDbmc)-AzLC0`({?&+6+;#`VqJgrHlFH>bM;{KA1GkXJdJ+&kZM@`>(x>kO**{aOw= zc$?p|JP=)siXw6$HS zYxD7G9DjJ4P~JjF?M!ZqnS$H788N;yhCW}P4l;<;|5?0tZrCzKP&L3Ckm^ovaVJI6!r}iAHL|B)SPNv zHdzJUKQX4YrT4nW%|%w21*)PHRIM#9!-*2-GxVc{Ua4V?bO(@H5ZgO=E7Ooj^TqE57e0bqy$3 z71iu}tn(!9B}FyoA3?tNJWWjaT+-@|A}3eH zZW!9*hYOAKG|6Ni8|o620E2Ub!go&-JI+3=xBT~Cf>MFmgX@N4e0%BqL}T!Xn>qqV z3sPE}KN2#V==rj~kI>(bLo$Kyn*Dt$_YL1_N5~*Buxz(2FE`GPvFg*iEJf^VZ*8C$ z5lvXTku_Dibc!h8TP8m>C$&8&^UV|9ts!m=ZF~Cao-e1v@dQ2%kA*!d5IAKjiLE?% z+7_SAaFu@gNj_%s3v_?gnEhz_WW30*{{HewXasNP!@S!=cMDW5Qfa=`PUdu-iNEm~ zKH8U)5Or};cGf+) zR>3PdhjFn%N9>0SKb%2tljn9Zd%YluIizsmP2I;8$w@2V}(;8A-u9z}Ge zl$DBZ+Vmhf delta 14853 zcmYkjXEj%i+5%R6@=dxBe2C zRm{y_G)--z%Ou;p4(qIcWsWk^#9R3CR(#JlSV=+EqgH-~SZ%+kOI-Mp?3mO33V{b# z{9x2p!%RN!l8FEQ3Ghdq$v!PXE5`lzpF6l7Y252o0hcu`ZEZfVZW^y8iz-WQ7C$1 zU+10}&AGdy);GTaNisc1mq@AHIU6_z-cvlh=Om=QS~jG4#ev;7##%2=_uc8PqK9<& zmSgJF`V%ShlCZiYcHL}mz}GLa1may5-z$nhdMYH^$JEV^dW~?u*E*^~(O=j14$4|~ z`>iL6O8S0~ns(jsv?l>s)O~?Os771=DC2_0XOeh~LA?EZnxfu+7J z-Acg)MJso4h+Q$pKT{ehAb_@~-LqiN67@WDINq>cbmj1T3}^jA`|`^(z2hNXdb_7- z)$S?!g$sImd>3%gtZ&uxq{<%)*qbsbyCqqwR@n>AnA7na z6@q&;H|4SxbhQuLNcsp}8Ympc<>$=`#Z&kYK3&WV32cAb07qQoW($ypn5I;`JYE|IR4c zuc~i16EHV@X0?xMekuE;D$IGTj5O*-H#IF}k>1N(Hd=)z zk$a}I*ODK^x}AVQL8hivNBM3wEhka3tMy0X14mlfa|6Y&IRb6rhL{Sw8|LPK>WtW> z!+-zoo0HVq3(UoKlr+pU#1Als(In)zPlQv8~6w*NrV{ zgN80x@VXXtjrfI^OfBn`gSB|`ZIK$(mjWXXSUjg}oVTzq*`0&;3`6^6kZ!5D?`>N9 zG-BPiD2-LixwtbN6rp@!yQz!L@@>eCsZou0!wsLrj57%475=xwu4>Hjq^jOCcWLXE zcFp+Qu2Qg->_X9KuEBw7gy@9iXldcg^K`3RIF~0EO0$oJe&zy$zBMx%k%9krl3lLZ zZoc$*%7nf7;BQwY-ijN8($0O8y54*E5>n1zVn_|Zq4c!BDy*`Hr25L?3wB*KC8x<9 z%7(`N8mv!CE1cDc6O+}3x;6N@uy<6F)QF;LrY`uS1z^#_Qpo5@QqbfB?=bVmQMnV_ zbqsT5^}Q$iC`Og%%Nw53Mv&M%9I4hz5 z9b``3kJhu-!~39tc43mmLi;^O9DxX`Qk~A-;DdtoT{9a6+W^nP1nWq{5 zs+|4qZ`%i30f^zW&QlG|t{NxRn*r;hHXhD#`FEoZ3j%XTGDT72fxy_8_Q<>impgIi zYV}VTay1mRJX*yeY4eh%r9(>+of@jorAisY!^3`XjrhY}-@U7OUHRQ@Q`yo+pnm1M zB=W2C+|yK`)BLY5kq=+yBRJ_BTn#G4%jVCn(x+?D+2D+GY(djUDSEFwNi&x zd-@Q;0x!qj9D&|!C)?z_aZ54Zzs05!m7fDj!)wS^?9lxn8(|Vw$lheBw)=gt1kMWE z?#|7CML1W5>ThS$gO-z-@JoZ{s>{(EXIEp|F8JLiL(|Vkxpyybdz}M?j{GD(#;H0T zJ%>%&y`0Ow*g3x*RE;kAOMSIZz2)yVA41SjJ5-ygNVLgeVLaxP6`CJVb@3 zjH2P*EVnEI;Pp8(tx#QTZkeCn5Sfc7!r~(l2ga=8-`b~dY44K>zhvWwG2m-#?siUH z21ea^@Pmq;A~um$>e@mZTatxo>%8vJf7i z!@@jzweONVgQ3MIq;YPu>s2wt-Ry1^qGb+G`uldrC@Jm-_xGc8f|HdG#{s~}qS()Y z)C88jhGPm-9Sa!8a&-8b7Qz%V7D-0E@T(U*@QCsUqhaTcCW@_cl+;N4``uoyeTQ!? zC7S41ltY3#cC9r@Qu}qvb9b(;7p{FF&76xH+izC4xqxnB+f)5QjpeYx)N z4y~H*gRjLNi@3(Tv%x!!vp?2#;o+Y*YBu}n`}=w588RG=c`NGjd-lWPJiLQn`!a#*`OJfn>-rM z`@hzI$hfmZJj@Q~7BHq;dh@nh3GbKRUDPkr#4X&4&ic9Pz#NaabFV|X-!&gL)9j(S z1zCuPI(PjP|M2IS?sVIH6n1fsf-$Dv-028f_s%H|_v%;bN|q|I7)DL4!fz+wRdvZ) zQcQho5gb& z>Qr04bM0z;A>^GSA&V4cV|r|Rput%lCC>9J*}!xmIsCY)qSDTjGoc308&7d=x`VJ> zKi?}u*^C#v`%I>8bPum8(??a|`yAO>*VX5*3dC&CyV4dsIzTV?2~7ToW7+ozMwmAjbBy3~3{Wzr85 z$ssSLNsnEEaN;aD3w_w!yX=z6TR*>8Q{sx`vyYFK--XP^G^9Xv4%ZIw#`?!*IZw(Z(GOX$&XS#Jd8>+lz=CvDA@S_iN z56NkNCTdPn`TkHuPWJT+eyUZqB^|BZ@X=(AQ8w$`)eWc z#@RZzB4I|_$|k_G!QNvBJ_~Qmc&=ryF8bH^s#M4;GVz7)cr)n2vFC4zZBkFtH>I!J z1-c)F%SU_nNPju3{QNVq(Q@zE^fc3HJ`YvQ80gq;JhxvmyYmb_eLs{cQqgZk8dT6* z0V2f|od1S9a-(m+R|0 zQ*a7-6j5N0vx)9vDrdz5<5xllK2$;WP+|0KSUs1= zH`Ub_uMcU3{9wKkS$-#%!*vlSq88Ss^hlJ?zWBQ2JYnacpUaNTnDu#VmAme;*o92X zYPHw0=btcQe4Yn$INeT9-;=b2)umHTqi3LC?Ilyon(DO-qhoUKQL$E>(MD5~Uc5VQ z`@5H@3eE5@eLW>6nhq;}D=%q+E~Fm#awv}vzDy4^(9CAyYjo$C9w_kzvwJAPZV{gP zUa*g72^YVG&eq;BolW)goCc_og^;A)xSaO;OFFl<{tnf}VRe{mu>T{|;v__JJ=>vJS}L7TUu}6*Kxp6exkd`+$^>O>{A)_w*^FfB{MW_gH%1#% z&HWNbtpybfH}J;HfOqE{1$;X7-|uEVV4yK_yEFFGuhAzIW$8m)9?*vWFp_Qcp0RSw zy0+=>)l6_5Yz7*;eE&;BF)6~cZj_N6nHEt`)}j%EX=^&UI=Z&&HGu!KxbY>zH!i`;+r{k zbMmL>LdP-jGk8GA%-$XMIPsHf-9?@|GEe2+ZwMB`nz^(gd#rLXQpW4MEOQc<#qskE zYO;^Rg|63yPx?z~j+LgboJx?*Z23EL0b;J_4+e0EHeFUBNoj_EXO$RS^1sASz z#SzPBpBcXq8%ZKcljsHxOP)0t8r9BKos;iS2R{SByRj6XrO!(O#&2c)LBRYAC#v3y zi68LNh$kJZzNV4hv_l2i9xbW6y%^J0UC=TNpT*xLour3JZg2w3n1CTyegTPq}gcDQ0%w1O*y# z<%~JPL0|uhpwIucQ&QU8dT4TSBjJkw+0$!R_G=h0^V%L(ui(^gLyPyxc|{O$;Fa{X z?MhJO-HiQUmMO{IhFiV)|L+r z>Lq_QZ0)23R4!`1GSYd|Hj_pRFOuPObkWG0fhSwauT)=5a@rg3#R|y}eSPhOcPMuI z<`b1{p=~KZ;&KuozKGqMC(gg$)6^RWD!rQ{v+m9e6AKT0o7NxOODdTg2SyYje*KVon4SQ!_d90VAXrX5B#vR(e>|Cp0n)1eSm-Z+2 z4BWMe`AHlwUw~LN=qF%Ucx%>T70LS}}H0a35yc#fMrJSZ#i zu|U0_h^R8yCRd(=-QP0CiPka2>8rvZ8=O!|K-rffM#CTu*f7W9{~7=A)~x?9TS|0C zVeR{eY$BrguF>Ia*HmK`Hrk8^3Zij!uiNv6lVQxQ=^q1YAM=teSydF$Kbh<}S_c2?n1Uh^r3ohANLn?p+LL9b|u( zudTn7k$9Wl-ktIW)q+!|vbMGtZP5+qNgpV^MJGRP$^&`dEh)gx&Y?|DuhKH>?ixus+9Bh<`eidStzCF zdUvria;EpJW%wGblO3|!@bfaX%Yx#SwSvp4$;eKG*pS6UT;u0MVLW%SpT7=5FE5+L z+dBtyRzZT2_%G8|SJ8K4-$V`O&gEHs@RQ-@?5+~2X&uId^`IX+@Nl)*U)<&-VGhHN zbk!)@@!FYOaa`@;%zZZP?x>+L0BvrbdfI!~6J-+QbTgktly z@#Xm6;!fjzB&I#t@V#yi%RHr*x7mWS(#<)J*BlZDW{8d!stn4h>+^^|c+U=$68y|< zQBVj~=7}zG*`Nq`D!zsI7W)^+`4?-0XvUwA&5fnH)>lut(^lm-x_(N)DTe2Cu$$wV z&sW8d`g98I<5f1*1%407xp(}smlmh@t!vSG=`&uTKErRo6pvqi^49#uP<7T)S^9I0 zA>2|}QlcF?5fa5774HjjsYS;|DZSb7J#JNP-*e3S?33Dh>LpPa?0D!jX#TWr-=aH4 zio$Wk{`g0UXmt9ziQ+;Yys`74vtOL{Fye}sVu_2h{g9E0`6HNfjCE&3DE_jWfcOA#}fiK{pR`WfZ%P{;C%~!kM=(5rrKklwiwEzi)z6f2ZIs*#yODrX zV{9IB?Yuq3cAviK=+zI^7D6vuHb8Se!?a^YVAeJE0AKo<+HE$8q(6)3CZ_DEp|<`r z6jVY`MQuy&%(wXoUUS6Myrf>`*KT|<&l=zVbLH?9)miyLY>=%v%|Em4X)pw(sO7ul z%ynH1L1}1hRQlACAKy6rdD4dDcN~v zpOYxk=zZZ@u*TLD(9mU_t0G)uwVZ4>e4={kvs?j^y`$=e<7asjR*0?djFf9@c~$L9 zYK>2S?wuU?QWvC9W>T32ukSE)*_!zHl<2iaV0hZXkw|M-oG5pPnQpX|it*^>k!xVd zs$Fwl1_rZNK&?p9UlhAyft~XLZ1q=9r#;Pj?rOdT$8x)lWoAd4D6(pK@Ip=NsA-N= zBU?UO1@<%${)b)MvvuY7^M;=)zg1Qxs9d%8x70em>8H1SB=cEX15unM8!d z$4N-LGasJ%TKhja#F2~og6-NW9Prm|?_5K2BXyXEjy2Wg8q$6wNdDm&@-+Kduf=Cq zbVgG_ievZ%Pr;thZ`1qqQ;nCicO!XD-807-vfZKqeHqmYTE14WnJ-lzfP#{GF}?@3 z`));%*NpV8>Gs~-0kF2%ZYVZozzE}YA z{*^Rxo)$0vm9L;vfOH5zqJ0_MyqsC4oF(~vxD4o8*OK@%@-W7xWOb(Ql29>5Th+rT z7~QDjUJX{<1Q?_aT|9vcgvQS8T&&LU18Y{2K^DWqH*yb z3BEh)Vs=(;eiTK&9z~j-bQE}mnnMxhr{=Z&hS9m1&VZ$qFiLc~3TT>nGd|g`) zDw~3z7*>gruYG%nzgkWo9X!Bmt@~A=!$mCCx%SiINFqt{;Z241VtLGLoqD50hPN1V zYho--xHC`dXuqzY<%X2!z2?T+QPg!MkLGg^hekf$toyLSpTScoFSw;WP17>gIKC%C z$j_^b!)Ht}W zMtzBr8_RjeK9fg(=tc;@{1t zv_Qr)@8gob_c*Cs{B{&sL^VN4Eg$%1{%9O%&8`xUD2M=KPJ7PNm-^5-;f%IH0U zii#>ucK$!81-*t23>$x`1rZ9T5`JvDGRWdNbK$}|>-F6awU0|6HI|xT)0+5Du{MQE>A4V_GFZVub@y%wi2;3WOZlIRcT>H52C5(^<2R6ya;5XtxDUX`+u{LF`VF}0D$CVes&4(9{n9jx9T!R$HvD)nrB|?aTrInt%bTF2B z|8ue!Gdm~!%mg=O>4T6npL2HupFj$oQzrC1+kV+5Q>+0+b5NNLv99;el2y+5+pNH9 zy=2>n;mABto9iq~*T`$V_Ruq>CKbPZrjSC$>i#r09Bmey19;rK9whH;-S>=)oS!?~ zHW=isLSu$7H3Yu2B48c}P=M#q)yVXM?hTTZ25YD%|Z{r4j0F=e7$7}*FyS{O}t~+%@~H_;EC4axf$`B_)bg6EzWy+vbO7v zb;N6?QiM6Hz=oOCglL-@C7L}VLZf}|*FQcd(J z3tcRw3!y@wE$_ts?`(x2+aSu<4$dA+>~*2$-FJ0Ee#?<_Q%Ro@f#x(pS|jn}{n+*D z23fsOw3tG9E1MOCN#LPXwf9L6UK_nvoacQntJtb9;e z8JGJCdyn4eFyzNK{Q*qjdQE<2qtbsf)q5Xkd)G7CJzijHqc?t;N{upqeBsw=X`v}a%yG8gyUFIi57ttPZSoQM!zJkGb zN&FAQ3TyoE7Oy4(1<1?fvW8~73!e9I3YvB*w4X7SE%IFb(h^sm{^h+uVb4jUCxSHo zK9GdIp><%-$;rOXVbmP|?`+`h-d&*;eGp*2%!?wck{>Gg}cUm<5{0X`RR z>cn^&pFA70yI^AL?J7-C4f8j6YW8p@#^>R@XWsfoic}EZwMTgsPjOoId5Vqyf#|`D zFlGlBIaK$jXW4na-nL_?8)HT9FT&;cuG=u}D6U)&MZ((&*7cPBdkbQ%3N)eaQcILM zxVBx@UrM(cL8pVy4rPnHTkny&y_J4U0Ni{0v-aThf2o+Kf)KznX{ zlAq}7UVZ<}E3~6wQaQ?o{NhM&&3H^Bal2Rb^vv8p>rZg&U_LMOCwnC*Fk1^Q`omZFt$Y1Ur^7_nd%j6S z@wYB}81vrO@ny>qj9=cr&+DhN0VIz4yLF`9?J~XuzlxJ_Lmy4Hk>ZLsOx3rhVid~b z2^DZ~4xIFjUh{L=gXu&DjL2aPQ1#xfCaCdh#3YEFQS}Ik6pSoCbeJspZBzA;u$DqH z=zTAfO`6N$d>TQM42mS`#IhB*p}!<1z%pUPFJ#Ku`?TzN1^{x(Ky!1Y3lchI_0K8b z((~6zQzCE7BrQlB=1JNSXJlM%tJ4a`drQvsA{<+1qEguAapWQ{uUIKll#Iuyr`2clGF)bA#BLm5w2FT;R|eNUuO70+lXV zVq#a5fdcg^yx7)FTNsgU<6PB7+{nj8Cbyw?dQScS%^wAUWt0uQ^>KH56so#6;LO zDc_k?0*f@9o-Y_v(JPPJjQ0vSobHF7kxf;tP7jL}>A)FO2rInlgCHrAsNRASQ;p!8L};YAZA`-hza+2o3?UV*Kw$GfS+f zR?Tj@U}f9H`H&l5nxXLt8<6=#R)FYk*Wg)&&^dG}J9rn-$;D|EPS1-N`ILP;OU7CZ zNihF45pToj@`}61$>!h}utUu1}yLo$sUFq?u^>RL$(H}`aG1@tm~T*aPDDhtdo?%%38Pm#}egt*2muBxPoFrg&1{K`bK zk@Sji1giqwe^`9Te%&q3LqM1^&~nyAM2=gNgpVnM&DTUZv0C6iM$D8EYpLz9TEF3T zU%+Zr?Lm`&Wa6W$XoX-tri1SXqjjC}5c*~?T{5mFD-SO2)RzYTk>T}Y`qo|}nP5nW z3W;S3vphWVjY;ZH$zFU2E$McV%Uj%CKP{{*YQU8 zQZ0iFnvFl{$Z`K^ZsHs|j(v-5N1yRnB0v&`K!U1XekcNrTa0!3|EGzPmb40^e}O3f z@oa=8FFyxoUHSL35vIJt9JY1kzWG>H@&8C%pz=J=FV1`iz^AY*AZIOU0fsxwqar9D z+e!P#7XEK4_5^^xR0JXnNYGT1q(}e)Y}1A7 z#ObUhj44T5`ix(OsyH5vcWyC>sIIw-u211HL!*9i>w?<zY@@ORJ>9w+GOlT>u=-&Nj05X`Q=;>|qUZ(%50b3 ztwH~^!=BCG57dX*TKf?k@zYFuQ_urY)aLdCg^8vVIXgC=FH&A1 zIHV}@X@K-zPlEBV zjNZQhB1UMXr{PJ#X&Iad2m%OhG|wO{Pk|t1(E+*K(>SHM5Tq^oKo0NtPYMA{Xegnc zo8b*amQ%T4kc0@3DD%FJvVTH4762U}g4j+~fP#52)0WdT zfv!rLh6CDUfJEK*8I=9w(kqxy0QvuLBB5X$tpDLygJo0xhl6?sNVNMO&YlpE{`-G8 zh?k;3`t2vKWgzb;dvPHB@F$IB1c=VwO3?u`bsm?k#wijW&dv9{=sN^yi6J{l=_V=v z1qvp@MjCN%q3e2sW#`d0(m<`U7c>AOzxU;&uo`YmAavlFp0!~u-9S!84yZyHNWb>P zj1Mb2cG?pxJB^0E3lbhqr2!=Ryl=zo=TJMuhRV`H>_^pD{ z7}`t^Nc4Pcv{?k$%i4{k@Ct&Q#*m$$un&JB4Wz$&qV67^Rg?urAfeJIL;+cbVkqPk z3~sc{V5)vjhkOeN&E;Nvloy=GwDjH?!Y}CnAF_==|$C_=hOqQ-e z#y|*Ui2y8U@$nmQ1{;d{?@`W(c)^H0Dd`^wH1cxpP)HOQ+-zCS#7s&DN6G^Rswu27 zqZELJ&(NSOAP@Ah*T6ysG-w&f0~c2rScustvuqEhEBB=ZMacpS3D8{m!n0!&V!^Up z=>Mv%5XJ~lPk3LB3FF|l!-4WML99o)mDC(%z^OPu1Dv&KS zF33^L`lS3TGhksbTJSE&CoakYSZL9wu?$xvqpQpu2?iPg3myMg|0HsRz42S4Bl|{o zHB6Y=HD1gYlXu~`7QjkmaIiZ;PLTm60%<92M3B9?Pl*_@mi~@dCu{o<4v~2VZnbP< zs{KfZY{D9-p>P(EafgBH@qyxIpPp)k!NAw}NKvbDO|^6w7)k&XwaDkwf>*%6kpxIl zn{s!pP8c{7KW&L@38+3HORWZnf!Fbo**xDtx?5naC=3jD-JIMadTKdm%6gu}BkjMlNF4qhf9XwYA5WNV_;0qVQAXNq= zat7zSV~Ju5r~nda%?g~*lE5fs_E3-403ycVa!S~QS_v_fQ4wN4sphWSDGQz<{!fmy z_=seO0RLnUaG?Sq5)95K#i)5V_!L_F267a-{^lJ%33Naea+I?E##NgHx~29w74Y>* z>0A;hqspV$qZk1KUj>P3o^M8h}Lk z;5Mdy4(P;VKn;lPp!7>EIXUn(2~yOo{He0892iQ96tT+CRI`%YB>%N^L6t~W7;|F>4ids9)dnPL1m|O7aHz$SLINuo zKmNq1jkTS$moI_Lw^12BT!!?P`Lc@VGqrN?1CBpZ%}K1KOEAXG9IqQT4F z#=-m)Jv;R|awrC}!3*ZM$cKNUn4^SlTXXY!_k9z2AKj*z_tTmrY5+Jw7*6kxCAV;#0X{q`5+X(0}Gun)XPAgQBkYFLN5$;8;~c~ z=nr5a9D{BbU+@oG;Rg#*i#UJ^wh z_oYYJLUPRQ#SkOEq{k`ybAoTg5Wr*UX%URvkSK8ka`)qOOTZhTy#f)pHZ^q11L8dN zj!(-*0S*qPMrQG$sI*rfIf`9K25NraU~uJUsIDUll{Oko7l&Em97AW(jc>VP#}$cBH2Q0nH>=CaFaiP z=rA|~v!7jBfEH>Q0I?mFR#ID20GrVQ;r|Rm=P!|LPQ+l#wy%sH-e`8Tn)TlT_ll|C{*;n#GBP(Gj8n|wErcB=dyZp%#i z-jBafy$~(q8#iA+iTywsh&%!3vt$L4x~J%tD9p+{+{k9klgvXx2H$$RGfo^YLQ*Eg zYPuIkis}JKngD%hzs$qFi=QT>I5)L@kehx$;(x-vOJ9Oho=cf`{(wHDUYcUwss4^N z!oE{&dU!qkK(aRPKK-C|n}>A=pZd)~j(s=P^q@ceK(!X+GW}q5n-}qScTdM3HtD%a zXnhwjQ0o`6>N%HyT@@ZMU}6+<|9{rn+0tcP4%-=qAyO^cL$Yp zggW@wNUQ(n>RBZ8p~HS8L>ne)Zhe*yHx}6HtAx|#t$*eIzc>68|3Bf;bDQ|KjCLp9 z&a=yp>r!7W}5+ zlw{^)v2Qt1xzy*TVPPJFEL$pE>UsDgTp>wK8&6Mp)At6$jdX>eMEWNkKu-aYuy7TnoHFPrgtm?>RS3SSf$pRAj=7KKq1v~aMbiITPR)F(oo^lX<02RytfzTSqOy!P zlA|1JK|FqSC5G2uo_p7PYUwoCW}#g2O8zTw7u4Bn`b+oXMPTb1O)Kwef4xa{ z(xLY0Ec4n?vg(0VZskVT@0m3TL2i`tb9i$GJZ3 zVD7^(KUpC9Yif_4?(WoW^|{K6owj%*)kV=K`2P6V5cglZMT;Dl(VZ~RS}T4Z1`W*C zPRj-LG^EUH{N___9$1NN_|UGm+E;72Qgz>FU3$Z-(`aNEf(3UpBn%NV`SxV%DX`1P zd@MgwYD_!6m3;ZmtsrLZfp=(7QKz!=@Sb7^<8_uW_<{e!W`AvvYuPivg^A7ZjUd%v zet}u<((20Si?hxtF<jwaGShJ^p8&=E*dAH}?LmdM+QIl-ESA7p{IW z5LWkIUDwOr=r+)GOL4?^9rswlHAQ$U36}D}-Q>AEP~E>HQx>k)j02{xWIDae3?>K7J$*=X`` zS%n%NE=E4(#H0TF>Ay6wJ`vSlt+nDFHPhvqbKgq%zQ!KcLqdb%NU_>!S_8=z`$=Bd zcoJ2y43&t!o=o0ftfKwBknNYuz7_u`Ub9BEEsxK)JGHMnwY%(CD=GNLn@(*Pu(^lP zd?bO~oPA*f3%inyIRW8&E86ongAe=-XB%8gG`29S8Y3>0nQQkNhq3FD1RbG&e8p)- zi-bvAa;cwvt|PXWxMVG{vi4^}+SR7+TtU@p*76Y3ziaz4wU^7C1yLKQh5&lKcH5#} Nm!bzL&98nY{~zW#MVSBq diff --git a/docs/versions.yaml b/docs/versions.yaml index 1397646b8b5f3..44adf4d0f9317 100644 --- a/docs/versions.yaml +++ b/docs/versions.yaml @@ -25,7 +25,7 @@ "1.29": 1.29.12 "1.30": 1.30.11 "1.31": 1.31.10 -"1.32": 1.32.10 -"1.33": 1.33.7 -"1.34": 1.34.5 -"1.35": 1.35.1 +"1.32": 1.32.12 +"1.33": 1.33.9 +"1.34": 1.34.7 +"1.35": 1.35.3 From 4c10f3855ce5917e7dd6f61e58b11916785ea274 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 8 Sep 2025 12:37:25 -0700 Subject: [PATCH 372/505] test: add tests for SNI DFP DNS Cache stats emission (#41008) ## Description This PR add some more tests for validating the SNI DFP DNS cache stats emission. ### Testing ``` $ bazel test //test/extensions/filters/network/sni_dynamic_forward_proxy:proxy_filter_integration_test --define=wasm=disabled --copt=-Wno-nullability-completeness --test_output=errors --test_timeout=600 --runs_per_test 50 INFO: Analyzed target //test/extensions/filters/network/sni_dynamic_forward_proxy:proxy_filter_integration_test (0 packages loaded, 15 targets configured). INFO: Found 1 test target... Target //test/extensions/filters/network/sni_dynamic_forward_proxy:proxy_filter_integration_test up-to-date: bazel-bin/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test INFO: Elapsed time: 74.781s, Critical Path: 25.42s INFO: 51 processes: 1 internal, 50 darwin-sandbox. INFO: Build completed successfully, 51 total actions Executed 1 out of 1 test: 1 test passes. ``` ... ``` $ bazel test //test/extensions/filters/network/sni_dynamic_forward_proxy:proxy_filter_integration_test --define=wasm=disabled --copt=-Wno-nullability-completeness --test_output=errors --test_timeout=600 --runs_per_test 100 INFO: Analyzed target //test/extensions/filters/network/sni_dynamic_forward_proxy:proxy_filter_integration_test (0 packages loaded, 15 targets configured). INFO: From Linking test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test: ld: warning: ignoring duplicate libraries: '-lm', '-lpthread' INFO: Found 1 test target... Target //test/extensions/filters/network/sni_dynamic_forward_proxy:proxy_filter_integration_test up-to-date: bazel-bin/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test INFO: Elapsed time: 192.825s, Critical Path: 56.44s INFO: 103 processes: 1 internal, 102 darwin-sandbox. INFO: Build completed successfully, 103 total actions Executed 1 out of 1 test: 1 test passes. ``` --- **Commit Message**: test: add tests for SNI DFP DNS Cache stats emission **Additional Description:** This PR add some more tests for validating the SNI DFP DNS cache stats emission. **Risk Level**: Low **Testing**: CI **Docs Changes**: N/A **Release Notes**: N/A Signed-off-by: Rohit Agrawal --- .../proxy_filter_integration_test.cc | 158 ++++++++++++++++++ 1 file changed, 158 insertions(+) diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc index 295df517c842a..45ca8b15e3bc0 100644 --- a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -154,5 +154,163 @@ TEST_P(SniDynamicProxyFilterIntegrationTest, CircuitBreakerInvokedUpstreamTls) { EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_rq_pending_overflow")->value()); } +// Test that verifies DNS cache statistics are properly recorded for successful resolution. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheStatisticsSuccess) { + setup(); + fake_upstreams_[0]->setReadDisableOnNewConnection(false); + + // Initial state where we have no DNS queries yet. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_success")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(0, test_server_->gauge("dns_cache.foo.num_hosts")->value()); + + // First connection. It should trigger DNS resolution. + codec_client_ = makeHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + + // Verify DNS resolution statistics. + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_success")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); + + // Send a request to complete the flow. + const Http::TestRequestHeaderMapImpl request_headers{ + {":method", "POST"}, + {":path", "/test/long/url"}, + {":scheme", "http"}, + {":authority", + fmt::format("localhost:{}", fake_upstreams_[0]->localAddress()->ip()->port())}}; + + auto response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + checkSimpleRequestSuccess(0, 0, response.get()); + + // Close the connection. + codec_client_->close(); + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + + // Second connection to the same host. It should use cached entry. + codec_client_ = makeHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("localhost"))); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + + // Verify no new DNS query was made. + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_success")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.host_added")->value()); + EXPECT_EQ(1, test_server_->gauge("dns_cache.foo.num_hosts")->value()); +} + +// Test that verifies DNS query failure statistics with invalid hostname. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheQueryFailureStatistics) { + setup(); + + // Initial state. It should have no DNS queries yet. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_failure")->value()); + + // Attempt connection with invalid hostname that will fail DNS resolution. + codec_client_ = + makeRawHttpConnection(makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni( + "invalid.doesnotexist.example.com")), + absl::nullopt); + ASSERT_FALSE(codec_client_->connected()); + + // Verify DNS failure statistics. + test_server_->waitForCounterGe("dns_cache.foo.dns_query_attempt", 1); + test_server_->waitForCounterGe("dns_cache.foo.dns_query_failure", 1); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_attempt")->value()); + EXPECT_EQ(1, test_server_->counter("dns_cache.foo.dns_query_failure")->value()); +} + +// Test that verifies DNS query timeout statistics. +TEST_P(SniDynamicProxyFilterIntegrationTest, DnsCacheQueryTimeoutStatistics) { + // Configure with very short DNS timeout to trigger timeout scenario. + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Switch predefined cluster_0 to CDS filesystem sourcing. + bootstrap.mutable_dynamic_resources()->mutable_cds_config()->set_resource_api_version( + envoy::config::core::v3::ApiVersion::V3); + bootstrap.mutable_dynamic_resources() + ->mutable_cds_config() + ->mutable_path_config_source() + ->set_path(cds_helper_.cdsPath()); + bootstrap.mutable_static_resources()->clear_clusters(); + + const std::string filter = fmt::format( + R"EOF( +name: envoy.filters.network.sni_dynamic_forward_proxy +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig + dns_cache_config: + name: foo + dns_lookup_family: {} + max_hosts: 1024 + dns_query_timeout: 0.001s + dns_cache_circuit_breaker: + max_pending_requests: 1024 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig + port_value: {} +)EOF", + Network::Test::ipVersionToDnsFamily(GetParam()), + fake_upstreams_[0]->localAddress()->ip()->port()); + config_helper_.addNetworkFilter(filter); + }); + + // Setup cluster with matching DNS config. + cluster_.mutable_connect_timeout()->CopyFrom( + Protobuf::util::TimeUtil::MillisecondsToDuration(100)); + cluster_.set_name("cluster_0"); + cluster_.set_lb_policy(envoy::config::cluster::v3::Cluster::CLUSTER_PROVIDED); + + const std::string cluster_type_config = fmt::format( + R"EOF( +name: envoy.clusters.dynamic_forward_proxy +typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig + dns_cache_config: + name: foo + dns_lookup_family: {} + max_hosts: 1024 + dns_query_timeout: 0.001s + dns_cache_circuit_breaker: + max_pending_requests: 1024 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig +)EOF", + Network::Test::ipVersionToDnsFamily(GetParam())); + + TestUtility::loadFromYaml(cluster_type_config, *cluster_.mutable_cluster_type()); + + config_helper_.addListenerFilter(ConfigHelper::tlsInspectorFilter()); + cds_helper_.setCds({cluster_}); + HttpIntegrationTest::initialize(); + test_server_->waitForCounterEq("cluster_manager.cluster_added", 1); + test_server_->waitForGaugeEq("cluster_manager.warming_clusters", 0); + + // Initial state. It should have no timeouts yet. + EXPECT_EQ(0, test_server_->counter("dns_cache.foo.dns_query_timeout")->value()); + + // Attempt connection with hostname that should trigger DNS timeout. + codec_client_ = makeRawHttpConnection( + makeSslClientConnection(Ssl::ClientSslTransportOptions().setSni("slowresolve.example.com")), + absl::nullopt); + ASSERT_FALSE(codec_client_->connected()); + + // Verify DNS timeout statistics. + test_server_->waitForCounterGe("dns_cache.foo.dns_query_attempt", 1); + // Note: timeout detection can be flaky in test environment, so we check attempts were made. + EXPECT_GE(test_server_->counter("dns_cache.foo.dns_query_attempt")->value(), 1); +} + } // namespace } // namespace Envoy From f2c994b5d5eb4cdfcc573b120653e19528ee8f12 Mon Sep 17 00:00:00 2001 From: Prashanth Josyula Date: Mon, 8 Sep 2025 21:39:03 -0700 Subject: [PATCH 373/505] zipkin: add custom headers support for collector requests (#40863) Commit Message: Add support for custom HTTP headers in Zipkin collector requests This change introduces the collector_request_headers field to ZipkinConfig, allowing users to add custom headers to HTTP requests sent to the Zipkin collector. This enables authentication, authorization, and collector-specific routing capabilities. The feature includes: - New collector_request_headers field in ZipkinConfig proto - CollectorInfo struct updated to store header key-value pairs - ReporterImpl modified to include headers in HTTP requests - Comprehensive test coverage for all components - Documentation updates in tracing overview and FAQ This is different from custom tags which add metadata to spans; this feature adds HTTP headers to collector API requests. Additional Description: Risk Level: Medium Testing: Unit tests, integration tests, configuration tests Docs Changes: Updated tracing architecture docs and FAQ Release Notes: Yes - added to current.yaml --------- Signed-off-by: Prashanth Josyula Signed-off-by: Prashanth Josyula Co-authored-by: Prashanth Josyula --- api/envoy/config/trace/v3/zipkin.proto | 67 +++++- changelogs/current.yaml | 17 ++ .../tracers/zipkin/zipkin_tracer_impl.cc | 112 +++++++++- .../tracers/zipkin/zipkin_tracer_impl.h | 18 +- test/coverage.yaml | 2 +- test/extensions/tracers/zipkin/config_test.cc | 74 ++++++- .../tracers/zipkin/zipkin_tracer_impl_test.cc | 202 ++++++++++++++++++ 7 files changed, 472 insertions(+), 20 deletions(-) diff --git a/api/envoy/config/trace/v3/zipkin.proto b/api/envoy/config/trace/v3/zipkin.proto index 4f62a00eed545..7405c596ed563 100644 --- a/api/envoy/config/trace/v3/zipkin.proto +++ b/api/envoy/config/trace/v3/zipkin.proto @@ -2,13 +2,14 @@ syntax = "proto3"; package envoy.config.trace.v3; +import "envoy/config/core/v3/http_service.proto"; + import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.trace.v3"; option java_outer_classname = "ZipkinProto"; @@ -21,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Configuration for the Zipkin tracer. // [#extension: envoy.tracers.zipkin] -// [#next-free-field: 9] +// [#next-free-field: 10] message ZipkinConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig"; @@ -60,11 +61,17 @@ message ZipkinConfig { } // The cluster manager cluster that hosts the Zipkin collectors. - string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; + // Note: This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // Either this field or collector_service must be specified. + string collector_cluster = 1; // The API endpoint of the Zipkin service where the spans will be sent. When // using a standard Zipkin installation. - string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}]; + // Note: This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // Required when using collector_cluster. + string collector_endpoint = 2; // Determines whether a 128bit trace id will be used when creating a new // trace instance. The default value is false, which will result in a 64 bit trace id being used. @@ -79,6 +86,8 @@ message ZipkinConfig { // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. + // Note: This field will be deprecated in future releases in favor of + // :ref:`collector_service `. string collector_hostname = 6; // If this is set to true, then Envoy will be treated as an independent hop in trace chain. A complete span pair will be created for a single @@ -106,4 +115,54 @@ message ZipkinConfig { // Here is the spec for W3C trace headers: https://www.w3.org/TR/trace-context/ // The default value is USE_B3 to maintain backward compatibility. TraceContextOption trace_context_option = 8; + + // HTTP service configuration for the Zipkin collector. + // When specified, this configuration takes precedence over the legacy fields: + // collector_cluster, collector_endpoint, and collector_hostname. + // This provides a complete HTTP service configuration including cluster, URI, timeout, and headers. + // If not specified, the legacy fields above will be used for backward compatibility. + // + // Required fields when using collector_service: + // + // * ``http_uri.cluster`` - Must be specified and non-empty + // * ``http_uri.uri`` - Must be specified and non-empty + // * ``http_uri.timeout`` - Optional + // + // Full URI Support with Automatic Parsing: + // + // The ``uri`` field supports both path-only and full URI formats: + // + // .. code-block:: yaml + // + // tracing: + // provider: + // name: envoy.tracers.zipkin + // typed_config: + // "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + // collector_service: + // http_uri: + // # Full URI format - hostname and path are extracted automatically + // uri: "https://zipkin-collector.example.com/api/v2/spans" + // cluster: zipkin + // timeout: 5s + // request_headers_to_add: + // - header: + // key: "X-Custom-Token" + // value: "your-custom-token" + // - header: + // key: "X-Service-ID" + // value: "your-service-id" + // + // URI Parsing Behavior: + // + // * Full URI: ``"https://zipkin-collector.example.com/api/v2/spans"`` + // + // * Hostname: ``zipkin-collector.example.com`` (sets HTTP ``Host`` header) + // * Path: ``/api/v2/spans`` (sets HTTP request path) + // + // * Path only: ``"/api/v2/spans"`` + // + // * Hostname: Uses cluster name as fallback + // * Path: ``/api/v2/spans`` + core.v3.HttpService collector_service = 9; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 316b2373f7e1c..2149f0bd9c4f1 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -321,6 +321,23 @@ new_features: extract trace information from W3C trace headers when B3 headers are not present (downstream), and inject both B3 and W3C trace headers for upstream requests to maximize compatibility. The default value ``USE_B3`` maintains backward compatibility with B3-only behavior. +- area: tracing + change: | + Enhanced Zipkin tracer with advanced collector configuration via + :ref:`collector_service ` + using HttpService. New features include: + + 1. **Custom HTTP Headers**: Add headers to collector requests for custom metadata, service identification, + and collector-specific routing. + + 2. **Full URI Parsing**: The ``uri`` field now supports both path-only (``/api/v2/spans``) and + full URI formats (``https://zipkin-collector.example.com/api/v2/spans``). When using full URIs, + Envoy automatically extracts hostname and path components - hostname sets the HTTP ``Host`` header, + and path sets the request path. Path-only URIs fallback to using cluster name as hostname. + + When configured, collector_service takes precedence over legacy configuration fields (collector_cluster, + collector_endpoint, collector_hostname), which will be deprecated in a future release. Legacy configuration + does not support custom headers or URI parsing. - area: composite change: | Allow composite filter to be configured to insert a filter into the filter chain outside of the decode headers lifecycle phase. diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc index cdd2b6fc96b89..478d52fe84b97 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc @@ -10,11 +10,40 @@ #include "source/extensions/tracers/zipkin/span_context_extractor.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" +#include "absl/strings/string_view.h" + namespace Envoy { namespace Extensions { namespace Tracers { namespace Zipkin { +namespace { +// Helper function to parse URI and extract hostname and path +std::pair parseUri(absl::string_view uri) { + // Find the scheme separator + size_t scheme_pos = uri.find("://"); + if (scheme_pos == std::string::npos) { + // No scheme, treat as path only + return {"", std::string(uri)}; + } + + // Skip past the scheme + size_t host_start = scheme_pos + 3; + + // Find the path separator + size_t path_pos = uri.find('/', host_start); + if (path_pos == std::string::npos) { + // No path, hostname only + return {std::string(uri.substr(host_start)), "/"}; + } + + std::string hostname = std::string(uri.substr(host_start, path_pos - host_start)); + std::string path = std::string(uri.substr(path_pos)); + + return {hostname, path}; +} +} // namespace + Driver::TlsTracer::TlsTracer(TracerPtr&& tracer, Driver& driver) : tracer_(std::move(tracer)), driver_(driver) {} @@ -27,18 +56,73 @@ Driver::Driver(const envoy::config::trace::v3::ZipkinConfig& zipkin_config, tracer_stats_{ZIPKIN_TRACER_STATS(POOL_COUNTER_PREFIX(scope, "tracing.zipkin."))}, tls_(tls.allocateSlot()), runtime_(runtime), local_info_(local_info), time_source_(time_source), trace_context_option_(zipkin_config.trace_context_option()) { - THROW_IF_NOT_OK_REF(Config::Utility::checkCluster("envoy.tracers.zipkin", - zipkin_config.collector_cluster(), cm_, + CollectorInfo collector; + + // Validate that either collector_cluster or collector_service is specified + if (!zipkin_config.has_collector_service() && zipkin_config.collector_cluster().empty()) { + throw EnvoyException("Either collector_cluster or collector_service must be specified"); + } + + // Check if HttpService is configured (preferred over legacy fields) + if (zipkin_config.has_collector_service()) { + const auto& http_service = zipkin_config.collector_service(); + collector.http_service_ = http_service; + + // Extract cluster and endpoint from HttpService + const auto& http_uri = http_service.http_uri(); + + cluster_ = http_uri.cluster(); + + // Parse the URI to extract hostname and path + auto [parsed_hostname, parsed_path] = parseUri(http_uri.uri()); + + if (!parsed_hostname.empty()) { + // Use the hostname from the URI + hostname_ = parsed_hostname; + collector.hostname_ = parsed_hostname; + } else { + // Fallback to cluster name if no hostname in URI + hostname_ = cluster_; + collector.hostname_ = cluster_; + } + + // Use the parsed path as the endpoint + collector.endpoint_ = parsed_path; + + // Parse headers from HttpService + for (const auto& header_option : http_service.request_headers_to_add()) { + const auto& header_value = header_option.header(); + collector.request_headers_.emplace_back(Http::LowerCaseString(header_value.key()), + header_value.value()); + } + } else { + + // Validate required legacy fields + if (zipkin_config.collector_cluster().empty()) { + throw EnvoyException("collector_cluster must be specified when not using collector_service"); + } + if (zipkin_config.collector_endpoint().empty()) { + throw EnvoyException("collector_endpoint must be specified when using collector_cluster"); + } + + cluster_ = zipkin_config.collector_cluster(); + hostname_ = !zipkin_config.collector_hostname().empty() ? zipkin_config.collector_hostname() + : zipkin_config.collector_cluster(); + collector.hostname_ = hostname_; // Store hostname in collector as well + + if (!zipkin_config.collector_endpoint().empty()) { + collector.endpoint_ = zipkin_config.collector_endpoint(); + } + + // Legacy configuration has no custom headers support + // Custom headers are only available through HttpService + } + + // Validate cluster exists + THROW_IF_NOT_OK_REF(Config::Utility::checkCluster("envoy.tracers.zipkin", cluster_, cm_, /* allow_added_via_api */ true) .status()); - cluster_ = zipkin_config.collector_cluster(); - hostname_ = !zipkin_config.collector_hostname().empty() ? zipkin_config.collector_hostname() - : zipkin_config.collector_cluster(); - CollectorInfo collector; - if (!zipkin_config.collector_endpoint().empty()) { - collector.endpoint_ = zipkin_config.collector_endpoint(); - } // The current default version of collector_endpoint_version is HTTP_JSON. collector.version_ = zipkin_config.collector_endpoint_version(); const bool trace_id_128bit = zipkin_config.trace_id_128bit(); @@ -140,13 +224,21 @@ void ReporterImpl::flushSpans() { const std::string request_body = span_buffer_->serialize(); Http::RequestMessagePtr message = std::make_unique(); message->headers().setReferenceMethod(Http::Headers::get().MethodValues.Post); + // Set path and hostname - both are stored in collector_ message->headers().setPath(collector_.endpoint_); - message->headers().setHost(driver_.hostname()); + message->headers().setHost(collector_.hostname_); + message->headers().setReferenceContentType( collector_.version_ == envoy::config::trace::v3::ZipkinConfig::HTTP_PROTO ? Http::Headers::get().ContentTypeValues.Protobuf : Http::Headers::get().ContentTypeValues.Json); + // Add custom headers from collector configuration + for (const auto& header : collector_.request_headers_) { + // Replace any existing header with the configured value + message->headers().setCopy(header.first, header.second); + } + message->body().add(request_body); const uint64_t timeout = diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h index 57bd21876b5f0..4b99b814b8770 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h @@ -100,13 +100,29 @@ class Driver : public Tracing::Driver { */ struct CollectorInfo { // The Zipkin collector endpoint/path to receive the collected trace data. + // For legacy configuration: from collector_endpoint field. + // For HttpService configuration: from http_service_.http_uri().uri(). std::string endpoint_; + // The hostname to use when sending spans to the collector. + // For legacy configuration: from collector_hostname field or cluster name. + // For HttpService configuration: cluster name. + std::string hostname_; + // The version of the collector. This is related to endpoint's supported payload specification and // transport. - envoy::config::trace::v3::ZipkinConfig::CollectorEndpointVersion version_; + envoy::config::trace::v3::ZipkinConfig::CollectorEndpointVersion version_{ + envoy::config::trace::v3::ZipkinConfig::HTTP_JSON}; bool shared_span_context_{DEFAULT_SHARED_SPAN_CONTEXT}; + + // New HttpService configuration (preferred) + absl::optional http_service_; + + // Additional custom headers to include in requests to the Zipkin collector. + // Only available when using HttpService configuration via request_headers_to_add. + // Legacy configuration does not support custom headers. + std::vector> request_headers_; }; /** diff --git a/test/coverage.yaml b/test/coverage.yaml index e4d14fa48ee4a..d6eb83a29ea94 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -65,7 +65,7 @@ directories: source/extensions/rate_limit_descriptors/expr: 88.2 source/extensions/stat_sinks/graphite_statsd: 82.8 # Death tests don't report LCOV source/extensions/stat_sinks/statsd: 85.2 # Death tests don't report LCOV - source/extensions/tracers/zipkin: 95.4 + source/extensions/tracers/zipkin: 95.3 source/extensions/transport_sockets/proxy_protocol: 96.2 source/extensions/wasm_runtime/wamr: 0.0 # Not enabled in coverage build source/extensions/wasm_runtime/wasmtime: 0.0 # Not enabled in coverage build diff --git a/test/extensions/tracers/zipkin/config_test.cc b/test/extensions/tracers/zipkin/config_test.cc index 073d9af2246cc..fe99f404c17e5 100644 --- a/test/extensions/tracers/zipkin/config_test.cc +++ b/test/extensions/tracers/zipkin/config_test.cc @@ -1,12 +1,9 @@ #include "envoy/config/trace/v3/http_tracer.pb.h" -#include "envoy/config/trace/v3/zipkin.pb.h" -#include "envoy/config/trace/v3/zipkin.pb.validate.h" -#include "envoy/registry/registry.h" #include "source/extensions/tracers/zipkin/config.h" -#include "test/mocks/server/tracer_factory.h" #include "test/mocks/server/tracer_factory_context.h" +#include "test/test_common/utility.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -65,6 +62,75 @@ TEST(ZipkinTracerConfigTest, ZipkinHttpTracerWithTypedConfig) { EXPECT_NE(nullptr, zipkin_tracer); } +TEST(ZipkinTracerConfigTest, ZipkinHttpTracerWithHttpService) { + NiceMock context; + context.server_factory_context_.cluster_manager_.initializeClusters({"fake_cluster"}, {}); + + const std::string yaml_string = R"EOF( + http: + name: zipkin + typed_config: + "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_endpoint_version: HTTP_JSON + collector_service: + http_uri: + uri: "https://zipkin-collector.example.com/api/v2/spans" + cluster: fake_cluster + timeout: 5s + request_headers_to_add: + - header: + key: "Authorization" + value: "Bearer token123" + - header: + key: "X-Custom-Header" + value: "custom-value" + - header: + key: "X-API-Key" + value: "api-key-123" + )EOF"; + + envoy::config::trace::v3::Tracing configuration; + TestUtility::loadFromYaml(yaml_string, configuration); + + ZipkinTracerFactory factory; + auto message = Config::Utility::translateToFactoryConfig( + configuration.http(), ProtobufMessage::getStrictValidationVisitor(), factory); + auto zipkin_tracer = factory.createTracerDriver(*message, context); + EXPECT_NE(nullptr, zipkin_tracer); +} + +TEST(ZipkinTracerConfigTest, ZipkinHttpTracerWithHttpServiceEmptyHeaders) { + NiceMock context; + context.server_factory_context_.cluster_manager_.initializeClusters({"fake_cluster"}, {}); + + const std::string yaml_string = R"EOF( + http: + name: zipkin + typed_config: + "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_endpoint_version: HTTP_JSON + collector_service: + http_uri: + uri: "https://zipkin-collector.example.com/api/v2/spans" + cluster: fake_cluster + timeout: 5s + request_headers_to_add: [] + )EOF"; + + envoy::config::trace::v3::Tracing configuration; + TestUtility::loadFromYaml(yaml_string, configuration); + + ZipkinTracerFactory factory; + auto message = Config::Utility::translateToFactoryConfig( + configuration.http(), ProtobufMessage::getStrictValidationVisitor(), factory); + auto zipkin_tracer = factory.createTracerDriver(*message, context); + EXPECT_NE(nullptr, zipkin_tracer); +} + } // namespace } // namespace Zipkin } // namespace Tracers diff --git a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc index d72677cd37073..800b92959e734 100644 --- a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc @@ -1068,6 +1068,208 @@ TEST_F(ZipkinDriverTest, DuplicatedHeader) { }); } +TEST_F(ZipkinDriverTest, DriverWithHttpServiceCustomHeaders) { + cm_.initializeClusters({"fake_cluster"}, {}); + + const std::string yaml_string = R"EOF( + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_service: + http_uri: + uri: "https://zipkin-collector.example.com/api/v2/spans" + cluster: fake_cluster + timeout: 5s + request_headers_to_add: + - header: + key: "Authorization" + value: "Bearer token123" + - header: + key: "X-Custom-Header" + value: "custom-value" + - header: + key: "X-API-Key" + value: "api-key-123" + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + + setup(zipkin_config, true); + EXPECT_NE(nullptr, driver_); +} + +TEST_F(ZipkinDriverTest, DriverWithHttpServiceEmptyHeaders) { + cm_.initializeClusters({"fake_cluster"}, {}); + + const std::string yaml_string = R"EOF( + collector_cluster: fake_cluster + collector_endpoint: /api/v2/spans + collector_service: + http_uri: + uri: "https://zipkin-collector.example.com/api/v2/spans" + cluster: fake_cluster + timeout: 5s + request_headers_to_add: [] + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + + setup(zipkin_config, true); + EXPECT_NE(nullptr, driver_); +} + +TEST_F(ZipkinDriverTest, ReporterFlushWithHttpServiceHeadersVerifyHeaders) { + cm_.initializeClusters({"fake_cluster", "legacy_cluster"}, {}); + + const std::string yaml_string = R"EOF( + collector_cluster: legacy_cluster + collector_endpoint: /legacy/api/v1/spans + collector_service: + http_uri: + uri: "https://zipkin-collector.example.com/api/v2/spans" + cluster: fake_cluster + timeout: 5s + request_headers_to_add: + - header: + key: "Authorization" + value: "Bearer token123" + - header: + key: "X-Custom-Header" + value: "custom-value" + - header: + key: "X-API-Key" + value: "api-key-123" + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config; + TestUtility::loadFromYaml(yaml_string, zipkin_config); + setup(zipkin_config, true); + + Http::MockAsyncClientRequest request(&cm_.thread_local_cluster_.async_client_); + Http::AsyncClient::Callbacks* callback; + const absl::optional timeout(std::chrono::seconds(5)); + + // Set up expectations for the HTTP request with custom headers + EXPECT_CALL(cm_.thread_local_cluster_.async_client_, + send_(_, _, Http::AsyncClient::RequestOptions().setTimeout(timeout))) + .WillOnce( + Invoke([&](Http::RequestMessagePtr& message, Http::AsyncClient::Callbacks& callbacks, + const Http::AsyncClient::RequestOptions&) -> Http::AsyncClient::Request* { + callback = &callbacks; + + // Verify standard headers are present + EXPECT_EQ("/api/v2/spans", message->headers().getPathValue()); + EXPECT_EQ("zipkin-collector.example.com", message->headers().getHostValue()); + EXPECT_EQ("application/json", message->headers().getContentTypeValue()); + + // Verify custom headers are present + auto auth_header = message->headers().get(Http::LowerCaseString("authorization")); + EXPECT_FALSE(auth_header.empty()); + EXPECT_EQ("Bearer token123", auth_header[0]->value().getStringView()); + + auto custom_header = message->headers().get(Http::LowerCaseString("x-custom-header")); + EXPECT_FALSE(custom_header.empty()); + EXPECT_EQ("custom-value", custom_header[0]->value().getStringView()); + + auto api_key_header = message->headers().get(Http::LowerCaseString("x-api-key")); + EXPECT_FALSE(api_key_header.empty()); + EXPECT_EQ("api-key-123", api_key_header[0]->value().getStringView()); + + return &request; + })); + + EXPECT_CALL(runtime_.snapshot_, getInteger("tracing.zipkin.min_flush_spans", 5)) + .WillOnce(Return(1)); + EXPECT_CALL(runtime_.snapshot_, getInteger("tracing.zipkin.request_timeout", 5000U)) + .WillOnce(Return(5000U)); + + Tracing::SpanPtr span = driver_->startSpan(config_, request_headers_, stream_info_, + operation_name_, {Tracing::Reason::Sampling, true}); + span->finishSpan(); + + Http::ResponseHeaderMapPtr response_headers{ + new Http::TestResponseHeaderMapImpl{{":status", "202"}}}; + callback->onSuccess(request, + std::make_unique(std::move(response_headers))); +} + +// Test URI parsing edge cases to improve coverage +TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsing) { + cm_.initializeClusters({"fake_cluster"}, {}); + + // Test 1: URI without hostname (should fallback to cluster name) + const std::string yaml_string_no_host = R"EOF( + collector_service: + http_uri: + uri: "/api/v2/spans" + cluster: fake_cluster + timeout: 5s + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config_no_host; + TestUtility::loadFromYaml(yaml_string_no_host, zipkin_config_no_host); + setup(zipkin_config_no_host, false); + EXPECT_EQ("fake_cluster", driver_->hostname()); // Should fallback to cluster name +} + +TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsingNoPath) { + cm_.initializeClusters({"fake_cluster"}, {}); + + // Test 2: URI with hostname but no path (should use "/" as default) + const std::string yaml_string_no_path = R"EOF( + collector_service: + http_uri: + uri: "https://zipkin-collector.example.com" + cluster: fake_cluster + timeout: 5s + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config_no_path; + TestUtility::loadFromYaml(yaml_string_no_path, zipkin_config_no_path); + setup(zipkin_config_no_path, false); + EXPECT_EQ("zipkin-collector.example.com", driver_->hostname()); +} + +TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsingWithPort) { + cm_.initializeClusters({"fake_cluster"}, {}); + + // Test 3: URI with hostname and port + const std::string yaml_string_with_port = R"EOF( + collector_service: + http_uri: + uri: "http://zipkin-collector.example.com:9411/api/v2/spans" + cluster: fake_cluster + timeout: 5s + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config_with_port; + TestUtility::loadFromYaml(yaml_string_with_port, zipkin_config_with_port); + setup(zipkin_config_with_port, false); + EXPECT_EQ("zipkin-collector.example.com:9411", driver_->hostname()); +} + +TEST_F(ZipkinDriverTest, DriverMissingCollectorConfiguration) { + cm_.initializeClusters({"fake_cluster"}, {}); + + // Test missing both collector_cluster and collector_service + const std::string yaml_string_missing = R"EOF( + collector_endpoint_version: HTTP_JSON + )EOF"; + + envoy::config::trace::v3::ZipkinConfig zipkin_config_missing; + TestUtility::loadFromYaml(yaml_string_missing, zipkin_config_missing); + + EXPECT_THROW_WITH_MESSAGE(setup(zipkin_config_missing, false), EnvoyException, + "Either collector_cluster or collector_service must be specified"); +} + } // namespace } // namespace Zipkin } // namespace Tracers From cf26a926cdc55eba3ad8d556eb1d6b01cb2e2049 Mon Sep 17 00:00:00 2001 From: Vadym S Date: Tue, 9 Sep 2025 22:28:34 +0800 Subject: [PATCH 374/505] http-tap: gracefully handle request termination (#40907) Commit Message: http-tap: gracefully handle request termination Additional Description: Steps to reproduce the issue and backstrace are awailable in the ticket. Additionally I've recorded sequence of method calls in TapFilter with short header and large header for comparison. Issue is caused because request headers were accessed without `HttpPerRequestTapperImpl::onRequestHeaders` being called.
Short header (successfull) call sequence ``` #0 0x000055555c422214 in Envoy::Extensions::HttpFilters::TapFilter::TapFilterFactory::createFilterFactoryFromProtoTyped(envoy::extensions::filters::http::tap::v3::Tap const&, std::__1::basic_string, std::__1::allocator > const&, Envoy::Server::Configuration::FactoryContext&)::$_0::operator()(Envoy::Http::FilterChainFactoryCallbacks&) const () #0 0x000055555c425174 in Envoy::Extensions::HttpFilters::TapFilter::Filter* std::__1::__construct_at[abi:ne180100] const&, Envoy::Extensions::HttpFilters::TapFilter::Filter*>(Envoy::Extensions::HttpFilters::TapFilter::Filter*, std::__1::shared_ptr const&) () #0 0x000055555c4251a4 in Envoy::Extensions::HttpFilters::TapFilter::Filter* std::__1::construct_at[abi:ne180100] const&, Envoy::Extensions::HttpFilters::TapFilter::Filter*>(Envoy::Extensions::HttpFilters::TapFilter::Filter*, std::__1::shared_ptr const&) () #0 0x000055555c425224 in Envoy::Extensions::HttpFilters::TapFilter::Filter::Filter(std::__1::shared_ptr) () #0 0x000055555c42ee44 in Envoy::Extensions::HttpFilters::TapFilter::Filter::setDecoderFilterCallbacks(Envoy::Http::StreamDecoderFilterCallbacks&) () #0 0x000055555c42e4c4 in Envoy::Extensions::HttpFilters::TapFilter::FilterConfigImpl::currentConfig() () #0 0x000055555c42f184 in Envoy::Extensions::HttpFilters::TapFilter::FilterConfigImpl::getTapConfig() const () #0 0x000055555c426134 in Envoy::Extensions::HttpFilters::TapFilter::HttpTapConfigImpl::createPerRequestTapper(envoy::extensions::filters::http::tap::v3::Tap const&, unsigned long, Envoy::OptRef) () #0 0x000055555c42d7a4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::HttpPerRequestTapperImpl(std::__1::shared_ptr, envoy::extensions::filters::http::tap::v3::Tap const&, unsigned long, Envoy::OptRef) () #0 0x000055555c42da44 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapper::HttpPerRequestTapper() () #0 0x000055555c42dbe4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl*& std::__1::__compressed_pair >::__compressed_pair[abi:ne180100](std::__1::__value_init_tag&&) () #0 0x000055555c42ddc4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl*&& std::__1::__compressed_pair >::__compressed_pair[abi:ne180100] >(std::__1::default_delete&&) () #0 0x000055555c42efd4 in Envoy::Extensions::HttpFilters::TapFilter::Filter::setEncoderFilterCallbacks(Envoy::Http::StreamEncoderFilterCallbacks&) () #0 0x000055555c42e724 in Envoy::Extensions::HttpFilters::TapFilter::Filter::decodeHeaders(Envoy::Http::RequestHeaderMap&, bool) () #0 0x000055555c4263e4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onRequestHeaders(Envoy::Http::RequestHeaderMap const&) () #0 0x000055555c426234 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::streamRequestHeaders() () #0 0x000055555c42a334 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::makeTraceSegment() () #0 0x000055555c4263a4 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*) () #0 0x000055555c428db4 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0&& std::__1::__function::__value_func::__value_func[abi:ne180100]*)::$_0, std::__1::allocator*)::$_0> >(std::__1::allocator*)::$_0> const&) () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c42e914 in Envoy::Extensions::HttpFilters::TapFilter::Filter::encodeHeaders(Envoy::Http::ResponseHeaderMap&, bool) () #0 0x000055555c427c74 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onResponseHeaders(Envoy::Http::ResponseHeaderMap const&) () #0 0x000055555c427b04 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::streamResponseHeaders() () #0 0x000055555c42a334 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::makeTraceSegment() () #0 0x000055555c4263a4 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*) () #0 0x000055555c428db4 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0&& std::__1::__function::__value_func::__value_func[abi:ne180100]*)::$_0, std::__1::allocator*)::$_0> >(std::__1::allocator*)::$_0> const&) () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c429e24 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0::operator()(Envoy::Http::HeaderEntry const&) const () #0 0x000055555c42e9b4 in Envoy::Extensions::HttpFilters::TapFilter::Filter::encodeData(Envoy::Buffer::Instance&, bool) () #0 0x000055555c427df4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onResponseBody(Envoy::Buffer::Instance const&) () #0 0x000055555c4269b4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onBody(Envoy::Buffer::Instance const&, std::__1::unique_ptr >&, unsigned int, envoy::data::tap::v3::Body* (envoy::data::tap::v3::HttpStreamedTraceSegment::*)(), envoy::data::tap::v3::HttpBufferedTrace_Message* (envoy::data::tap::v3::HttpBufferedTrace::*)(), bool) () #0 0x000055555c42a334 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::makeTraceSegment() () #0 0x000055555c42e9b4 in Envoy::Extensions::HttpFilters::TapFilter::Filter::encodeData(Envoy::Buffer::Instance&, bool) () #0 0x000055555c427df4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onResponseBody(Envoy::Buffer::Instance const&) () #0 0x000055555c4269b4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onBody(Envoy::Buffer::Instance const&, std::__1::unique_ptr >&, unsigned int, envoy::data::tap::v3::Body* (envoy::data::tap::v3::HttpStreamedTraceSegment::*)(), envoy::data::tap::v3::HttpBufferedTrace_Message* (envoy::data::tap::v3::HttpBufferedTrace::*)(), bool) () #0 0x000055555c42a334 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::makeTraceSegment() () #0 0x000055555c42e9b4 in Envoy::Extensions::HttpFilters::TapFilter::Filter::encodeData(Envoy::Buffer::Instance&, bool) () #0 0x000055555c42eb04 in Envoy::Extensions::HttpFilters::TapFilter::Filter::log(Envoy::Formatter::HttpFormatterContext const&, Envoy::StreamInfo::StreamInfo const&) () #0 0x000055555c428114 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onDestroyLog() () #0 0x000055555c42f1a4 in Envoy::Extensions::HttpFilters::TapFilter::FilterConfigImpl::stats() () [New Thread 0x7fffe8ad16c0 (LWP 336946)] [2025-08-31T11:23:18.073Z] "GET / HTTP/1.1" 200 - 0 15986 427 243 "-" "curl/8.5.0" "266b6d40-7784-4a7c-919d-d8ae6401442a" "www.envoyproxy.io" "54.253.94.210:443" #0 0x000055555c42ee34 in Envoy::Extensions::HttpFilters::TapFilter::Filter::onDestroy() () #0 0x000055555c42eda4 in Envoy::Extensions::HttpFilters::TapFilter::Filter::~Filter() () #0 0x000055555c42f274 in Envoy::Extensions::HttpFilters::TapFilter::Filter::~Filter() () #0 0x000055555c42aca4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::~HttpPerRequestTapperImpl() () #0 0x000055555c42ac14 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::~HttpPerRequestTapperImpl() () #0 0x000055555c42db14 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapper::~HttpPerRequestTapper() () ```
Large header (segfault) call sequence ``` #0 0x000055555c422214 in Envoy::Extensions::HttpFilters::TapFilter::TapFilterFactory::createFilterFactoryFromProtoTyped(envoy::extensions::filters::http::tap::v3::Tap const&, std::__1::basic_string, std::__1::allocator > const&, Envoy::Server::Configuration::FactoryContext&)::$_0::operator()(Envoy::Http::FilterChainFactoryCallbacks&) const () #0 0x000055555c425174 in Envoy::Extensions::HttpFilters::TapFilter::Filter* std::__1::__construct_at[abi:ne180100] const&, Envoy::Extensions::HttpFilters::TapFilter::Filter*>(Envoy::Extensions::HttpFilters::TapFilter::Filter*, std::__1::shared_ptr const&) () #0 0x000055555c4251a4 in Envoy::Extensions::HttpFilters::TapFilter::Filter* std::__1::construct_at[abi:ne180100] const&, Envoy::Extensions::HttpFilters::TapFilter::Filter*>(Envoy::Extensions::HttpFilters::TapFilter::Filter*, std::__1::shared_ptr const&) () #0 0x000055555c425224 in Envoy::Extensions::HttpFilters::TapFilter::Filter::Filter(std::__1::shared_ptr) () #0 0x000055555c42ee44 in Envoy::Extensions::HttpFilters::TapFilter::Filter::setDecoderFilterCallbacks(Envoy::Http::StreamDecoderFilterCallbacks&) () #0 0x000055555c42e4c4 in Envoy::Extensions::HttpFilters::TapFilter::FilterConfigImpl::currentConfig() () #0 0x000055555c42f184 in Envoy::Extensions::HttpFilters::TapFilter::FilterConfigImpl::getTapConfig() const () #0 0x000055555c426134 in Envoy::Extensions::HttpFilters::TapFilter::HttpTapConfigImpl::createPerRequestTapper(envoy::extensions::filters::http::tap::v3::Tap const&, unsigned long, Envoy::OptRef) () #0 0x000055555c42d7a4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::HttpPerRequestTapperImpl(std::__1::shared_ptr, envoy::extensions::filters::http::tap::v3::Tap const&, unsigned long, Envoy::OptRef) () #0 0x000055555c42da44 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapper::HttpPerRequestTapper() () #0 0x000055555c42dbe4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl*& std::__1::__compressed_pair >::__compressed_pair[abi:ne180100](std::__1::__value_init_tag&&) () #0 0x000055555c42ddc4 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl*&& std::__1::__compressed_pair >::__compressed_pair[abi:ne180100] >(std::__1::default_delete&&) () #0 0x000055555c42efd4 in Envoy::Extensions::HttpFilters::TapFilter::Filter::setEncoderFilterCallbacks(Envoy::Http::StreamEncoderFilterCallbacks&) () #0 0x000055555c42e914 in Envoy::Extensions::HttpFilters::TapFilter::Filter::encodeHeaders(Envoy::Http::ResponseHeaderMap&, bool) () #0 0x000055555c427c74 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::onResponseHeaders(Envoy::Http::ResponseHeaderMap const&) () #0 0x000055555c426234 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::streamRequestHeaders() () #0 0x000055555c42a334 in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::makeTraceSegment() () #0 0x000055555c4263a4 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*) () #0 0x000055555c428db4 in Envoy::Extensions::HttpFilters::TapFilter::(anonymous namespace)::fillHeaderList(google::protobuf::RepeatedPtrField*)::$_0&& std::__1::__function::__value_func::__value_func[abi:ne180100]*)::$_0, std::__1::allocator*)::$_0> >(std::__1::allocator*)::$_0> const&) () Thread 16 "wrk:worker_4" received signal SIGSEGV, Segmentation fault. 0x000055555c4262cd in Envoy::Extensions::HttpFilters::TapFilter::HttpPerRequestTapperImpl::streamRequestHeaders() () ```
Risk Level: Low Testing: Unit test added. Also I manually tested locally - after fix Response code 431 returned for large header instead of segmentation fault. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Fixes #39063 --------- Signed-off-by: Vadym Sukolen Signed-off-by: Vadym S --- .../filters/http/tap/tap_config_impl.cc | 7 +++-- .../filters/http/tap/tap_config_impl_test.cc | 31 +++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/source/extensions/filters/http/tap/tap_config_impl.cc b/source/extensions/filters/http/tap/tap_config_impl.cc index 249cee77515e2..b021642327a68 100644 --- a/source/extensions/filters/http/tap/tap_config_impl.cc +++ b/source/extensions/filters/http/tap/tap_config_impl.cc @@ -44,8 +44,11 @@ HttpPerRequestTapperPtr HttpTapConfigImpl::createPerRequestTapper( void HttpPerRequestTapperImpl::streamRequestHeaders() { TapCommon::TraceWrapperPtr trace = makeTraceSegment(); - request_headers_->iterate(fillHeaderList( - trace->mutable_http_streamed_trace_segment()->mutable_request_headers()->mutable_headers())); + if (request_headers_ != nullptr) { + request_headers_->iterate(fillHeaderList(trace->mutable_http_streamed_trace_segment() + ->mutable_request_headers() + ->mutable_headers())); + } sink_handle_->submitTrace(std::move(trace)); } diff --git a/test/extensions/filters/http/tap/tap_config_impl_test.cc b/test/extensions/filters/http/tap/tap_config_impl_test.cc index 63d0be2921496..1fbe3f252ed6f 100644 --- a/test/extensions/filters/http/tap/tap_config_impl_test.cc +++ b/test/extensions/filters/http/tap/tap_config_impl_test.cc @@ -323,6 +323,37 @@ TEST_F(HttpPerRequestTapperImplTest, StreamedMatchResponseTrailers) { EXPECT_TRUE(tapper_->onDestroyLog()); } +// Request headers are not guaranteed to be present during +// response reply. +// One known scenario is - request headers are too large. In this +// case processing of the request will be terminated with 431 +// status before request headers are parsed. +TEST_F(HttpPerRequestTapperImplTest, StreamNoRequestHeader) { + EXPECT_CALL(*config_, streaming()).WillRepeatedly(Return(true)); + EXPECT_CALL(*config_, maxBufferedRxBytes()).WillRepeatedly(Return(1024)); + EXPECT_CALL(*config_, maxBufferedTxBytes()).WillRepeatedly(Return(1024)); + + InSequence s; + EXPECT_CALL(matcher_, onHttpResponseHeaders(_, _)) + .WillOnce(Assign(&(*statuses_)[0].matches_, true)); + EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( + R"EOF( +http_streamed_trace_segment: + trace_id: 1 +)EOF"))); + EXPECT_CALL(*sink_manager_, submitTrace_(TraceEqual( + R"EOF( +http_streamed_trace_segment: + trace_id: 1 + response_headers: + headers: + - key: e + value: f +)EOF"))); + // onResponseHeaders called without onRequestHeaders prior + tapper_->onResponseHeaders(response_headers_); +} + class HttpPerRequestTapperImplForSpecificConfigTest : public testing::Test { public: HttpPerRequestTapperImplForSpecificConfigTest() { From e98d22fc265d94841d6cc43fcc32dac84c441a7b Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 9 Sep 2025 14:18:13 -0400 Subject: [PATCH 375/505] xds-federation: introduce OD-CDS xds-federation support (#40988) Commit Message: xds-federation: introduce OD-CDS xds-federation support Additional Description: This PR introduces OD-CDS xds-Federation support. The implementation uses a new OD-CDS subscription management on the main thread, that is simpler than the former (issues subscriptions directly using the xDS-manager subscription function), and doesn't need to maintain the state of whether the first request was sent or not. It does so by allowing each subscription be a singleton subscription on the component side (the gRPC-mux to the xds-Federation server will ensure that a single subscription message is sent to the server). This approach handles some bugs that were detected for the non-xDS-TP based OD-CDS implementation. The plan is first to use this implementation for xDS-TP based resources, and when it is validated in production, move the ADS and the specific-config-source paths to use the new implementation/model. Apologies for the large PR, but the number of tests that was needed here is quite large. Risk Level: low - only for xDS-TP based config sources and it is guarded by the `envoy.reloadable_features.xdstp_based_config_singleton_subscriptions` runtime guard which is currently disabled. Testing: Added both unit-tests and integration tests Docs Changes: N/A (until the entire xDS-TP based config sources support is done). Release Notes: N/A (until the entire xDS-TP based config sources support is done). Platform Specific Features: N/A --------- Signed-off-by: Adi Suissa-Peleg --- .../filters/http/on_demand/v3/on_demand.proto | 3 +- envoy/upstream/cluster_manager.h | 7 +- .../common/upstream/cluster_manager_impl.cc | 5 +- source/common/upstream/od_cds_api_impl.cc | 212 ++++++++++- source/common/upstream/od_cds_api_impl.h | 42 ++- .../http/on_demand/on_demand_update.cc | 46 ++- test/common/upstream/BUILD | 20 ++ test/common/upstream/od_cds_api_impl_test.cc | 7 +- .../upstream/xdstp_od_cds_api_impl_test.cc | 329 ++++++++++++++++++ test/extensions/filters/http/on_demand/BUILD | 1 + .../http/on_demand/odcds_integration_test.cc | 238 ++++++++++++- test/integration/BUILD | 27 +- .../xdstp_config_sources_integration.h | 174 +++++++++ .../xdstp_config_sources_integration_test.cc | 142 +------- 14 files changed, 1081 insertions(+), 172 deletions(-) create mode 100644 test/common/upstream/xdstp_od_cds_api_impl_test.cc create mode 100644 test/integration/xdstp_config_sources_integration.h diff --git a/api/envoy/extensions/filters/http/on_demand/v3/on_demand.proto b/api/envoy/extensions/filters/http/on_demand/v3/on_demand.proto index 93c9f76f8317c..3e23afe081d5c 100644 --- a/api/envoy/extensions/filters/http/on_demand/v3/on_demand.proto +++ b/api/envoy/extensions/filters/http/on_demand/v3/on_demand.proto @@ -8,7 +8,6 @@ import "google/protobuf/duration.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.filters.http.on_demand.v3"; option java_outer_classname = "OnDemandProto"; @@ -29,7 +28,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; message OnDemandCds { // A configuration source for the service that will be used for // on-demand cluster discovery. - config.core.v3.ConfigSource source = 1 [(validate.rules).message = {required: true}]; + config.core.v3.ConfigSource source = 1; // xdstp:// resource locator for on-demand cluster collection. string resources_locator = 2; diff --git a/envoy/upstream/cluster_manager.h b/envoy/upstream/cluster_manager.h index a871334f85d0b..236e5b71bba03 100644 --- a/envoy/upstream/cluster_manager.h +++ b/envoy/upstream/cluster_manager.h @@ -520,12 +520,15 @@ class ClusterManager { * @param validation_visitor * @return OdCdsApiHandlePtr the ODCDS handle. */ - + // TODO(adisuissa): once the xDS-TP config-sources are fully supported, the + // `odcds_config` parameter should become optional, and the comment above + // should be updated. using OdCdsCreationFunction = std::function>( const envoy::config::core::v3::ConfigSource& odcds_config, OptRef odcds_resources_locator, Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, - Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor)>; + Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::ServerFactoryContext& server_factory_context)>; virtual absl::StatusOr allocateOdCdsApi(OdCdsCreationFunction creation_function, diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 43b0151371cf1..d633bea191ab9 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -1536,8 +1536,9 @@ ClusterManagerImpl::allocateOdCdsApi(OdCdsCreationFunction creation_function, // TODO(krnowak): Instead of creating a new handle every time, store the handles internally and // return an already existing one if the config or locator matches. Note that this may need a // way to clean up the unused handles, so we can close the unnecessary connections. - auto odcds_or_error = creation_function(odcds_config, odcds_resources_locator, xds_manager_, - *this, *this, *stats_.rootScope(), validation_visitor); + auto odcds_or_error = + creation_function(odcds_config, odcds_resources_locator, xds_manager_, *this, *this, + *stats_.rootScope(), validation_visitor, context_); RETURN_IF_NOT_OK_REF(odcds_or_error.status()); return OdCdsApiHandleImpl::create(*this, std::move(*odcds_or_error)); } diff --git a/source/common/upstream/od_cds_api_impl.cc b/source/common/upstream/od_cds_api_impl.cc index bb4662ed7e255..81da2c83f4038 100644 --- a/source/common/upstream/od_cds_api_impl.cc +++ b/source/common/upstream/od_cds_api_impl.cc @@ -13,7 +13,8 @@ OdCdsApiImpl::create(const envoy::config::core::v3::ConfigSource& odcds_config, OptRef odcds_resources_locator, Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, - ProtobufMessage::ValidationVisitor& validation_visitor) { + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::ServerFactoryContext&) { absl::Status creation_status = absl::OkStatus(); auto ret = OdCdsApiSharedPtr(new OdCdsApiImpl(odcds_config, odcds_resources_locator, xds_manager, cm, @@ -118,5 +119,214 @@ void OdCdsApiImpl::updateOnDemand(std::string cluster_name) { } } +// A class that maintains all the od-cds xDS-TP based singleton subscriptions, +// and update the cluster-manager when the resources are updated. +// The object will only be accessed by the main thread. It should also be a +// singleton object that is used by all the filters that need to access od-cds +// over xdstp-based config sources, and will only be allocated for the first +// occurrence of the filter. +class XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManager : public Singleton::Instance, + Logger::Loggable { +public: + XdstpOdcdsSubscriptionsManager(Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, + ProtobufMessage::ValidationVisitor& validation_visitor) + : xds_manager_(xds_manager), helper_(cm, xds_manager, "odcds-xdstp"), notifier_(notifier), + scope_(scope.createScope("cluster_manager.odcds.")), + validation_visitor_(validation_visitor) {} + + absl::Status onResourceUpdate(absl::string_view resource_name, + const Config::DecodedResourceRef& resource, + const std::string& system_version_info) { + auto [_, exception_msgs] = helper_.onConfigUpdate({resource}, {}, system_version_info); + if (!exception_msgs.empty()) { + return absl::InvalidArgumentError(fmt::format("Error adding/updating cluster {} - {}", + resource_name, + absl::StrJoin(exception_msgs, ", "))); + } + return absl::OkStatus(); + } + + absl::Status onResourceRemoved(absl::string_view resource_name, + const std::string& system_version_info) { + // TODO(adisuissa): add direct `onResourceRemove(resource_name)` to `helper_`. + Protobuf::RepeatedPtrField removed_resource_list; + removed_resource_list.Add(std::string(resource_name)); + auto [_, exception_msgs] = + helper_.onConfigUpdate({}, removed_resource_list, system_version_info); + // Removal of a cluster should not result in an error. + ASSERT(exception_msgs.empty()); + notifier_.notifyMissingCluster(resource_name); + return absl::OkStatus(); + } + + void onFailure(absl::string_view resource_name) { + ENVOY_LOG(trace, "ODCDS-manager: failure for resource: {}", resource_name); + // This function will only be invoked if the resource wasn't previously updated or removed. + // Remove the resource, so if there are other resources waiting for it, + // their initialization can proceed. + notifier_.notifyMissingCluster(resource_name); + } + + void addSubscription(absl::string_view resource_name) { + if (subscriptions_.contains(resource_name)) { + ENVOY_LOG(debug, "ODCDS-manager: resource {} is already subscribed to, skipping", + resource_name); + return; + } + ENVOY_LOG(trace, "ODCDS-manager: adding a subscription for resource {}", resource_name); + // Subscribe using the xds-manager. + auto subscription = + std::make_unique(*this, resource_name, validation_visitor_); + absl::Status status = subscription->initializeSubscription(); + if (status.ok()) { + subscriptions_.emplace(std::string(resource_name), std::move(subscription)); + } else { + // There was an error while subscribing. This could be, for example, when + // the cluster_name isn't a valid xdstp resource, or its config-source was + // not added to the bootstrap's config_sources. + ENVOY_LOG(info, + "ODCDS-manager: xDS-TP resource {} could not be registered: {}. Treating as " + "missing cluster", + resource_name, status.message()); + onFailure(resource_name); + } + } + +private: + // A singleton subscription handler. + class PerSubscriptionData : Envoy::Config::SubscriptionBase { + public: + PerSubscriptionData(XdstpOdcdsSubscriptionsManager& parent, absl::string_view resource_name, + ProtobufMessage::ValidationVisitor& validation_visitor) + : Envoy::Config::SubscriptionBase(validation_visitor, + "name"), + parent_(parent), resource_name_(resource_name) {} + + absl::Status initializeSubscription() { + const auto resource_type = getResourceName(); + absl::StatusOr subscription_or_error = + parent_.xds_manager_.subscribeToSingletonResource( + resource_name_, absl::nullopt, Grpc::Common::typeUrl(resource_type), *parent_.scope_, + *this, resource_decoder_, {}); + RETURN_IF_NOT_OK_REF(subscription_or_error.status()); + subscription_ = std::move(subscription_or_error.value()); + subscription_->start({resource_name_}); + return absl::OkStatus(); + } + + private: + // Config::SubscriptionCallbacks + absl::Status onConfigUpdate(const std::vector& resources, + const std::string& version_info) override { + // As this is a singleton subscription, the response can either contain 1 + // resource that should be updated or 0 (implying the resource should be + // removed). + ASSERT(resources.empty() || (resources.size() == 1)); + resource_was_updated_ = true; + if (resources.empty()) { + ENVOY_LOG(trace, "ODCDS-manager: removing a single resource: {}", resource_name_); + return parent_.onResourceRemoved(resource_name_, version_info); + } + // A single cluster update. + ENVOY_LOG(trace, "ODCDS-manager: updating a single resource: {}", resource_name_); + return parent_.onResourceUpdate(resource_name_, resources[0], version_info); + } + absl::Status onConfigUpdate(const std::vector& added_resources, + const Protobuf::RepeatedPtrField& removed_resources, + const std::string& system_version_info) override { + // As this is a singleton subscription, the update can either contain 1 + // added resource, or remove the resource. + ASSERT(added_resources.size() + removed_resources.size() == 1); + resource_was_updated_ = true; + if (!removed_resources.empty()) { + ENVOY_LOG(trace, "ODCDS-manager: removing a single resource: {}", resource_name_); + return parent_.onResourceRemoved(resource_name_, system_version_info); + } + // A single cluster update. + ENVOY_LOG(trace, "ODCDS-manager: updating a single resource: {}", resource_name_); + return parent_.onResourceUpdate(resource_name_, added_resources[0], system_version_info); + } + void onConfigUpdateFailed(Envoy::Config::ConfigUpdateFailureReason reason, + const EnvoyException* e) override { + ASSERT(reason != Envoy::Config::ConfigUpdateFailureReason::ConnectionFailure); + ENVOY_LOG(trace, "ODCDS-manager: error while fetching a single resource {}: {}", + resource_name_, e->what()); + // If the resource wasn't previously updated, this sends a notification that it was removed, + // so if there are any resources waiting for this one, they can proceed. + if (!resource_was_updated_) { + resource_was_updated_ = true; + parent_.onFailure(resource_name_); + } + } + + XdstpOdcdsSubscriptionsManager& parent_; + // TODO(adisuissa): this can be converted to an absl::string_view and point to the + // subscriptions_ map key. + const std::string resource_name_; + Config::SubscriptionPtr subscription_; + bool resource_was_updated_{false}; + }; + using PerSubscriptionDataPtr = std::unique_ptr; + + Config::XdsManager& xds_manager_; + CdsApiHelper helper_; + MissingClusterNotifier& notifier_; + Stats::ScopeSharedPtr scope_; + ProtobufMessage::ValidationVisitor& validation_visitor_; + // Maps a resource name to its subscription data. + absl::flat_hash_map subscriptions_; +}; + +// Register the XdstpOdcdsSubscriptionsManager singleton. +SINGLETON_MANAGER_REGISTRATION(xdstp_odcds_subscriptions_manager); + +absl::StatusOr +XdstpOdCdsApiImpl::create(const envoy::config::core::v3::ConfigSource&, + OptRef, Config::XdsManager& xds_manager, + ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::ServerFactoryContext& server_factory_context) { + absl::Status creation_status = absl::OkStatus(); + auto ret = OdCdsApiSharedPtr(new XdstpOdCdsApiImpl(xds_manager, cm, notifier, scope, + server_factory_context, validation_visitor, + creation_status)); + RETURN_IF_NOT_OK(creation_status); + return ret; +} + +XdstpOdCdsApiImpl::XdstpOdCdsApiImpl(Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, + Server::Configuration::ServerFactoryContext& server_context, + ProtobufMessage::ValidationVisitor& validation_visitor, + absl::Status& creation_status) { + // Create a singleton xdstp-based od-cds handler. This will be accessed by + // the main thread and used by all the filters that need to access od-cds + // over xdstp-based config sources. + // The singleton object will handle all the subscriptions to OD-CDS + // resources, and will apply the updates to the cluster-manager. + subscriptions_manager_ = + subscriptionsManager(server_context, xds_manager, cm, notifier, scope, validation_visitor); + // This will always succeed as the xDS-TP config-source matching the resource name + // will only be known when that resource is subscribed to. + creation_status = absl::OkStatus(); +} + +XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManagerSharedPtr +XdstpOdCdsApiImpl::subscriptionsManager(Server::Configuration::ServerFactoryContext& server_context, + Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, + ProtobufMessage::ValidationVisitor& validation_visitor) { + return server_context.singletonManager().getTyped( + SINGLETON_MANAGER_REGISTERED_NAME(xdstp_odcds_subscriptions_manager), + [&xds_manager, &cm, ¬ifier, &scope, &validation_visitor] { + return std::make_shared(xds_manager, cm, notifier, scope, + validation_visitor); + }); +} + +void XdstpOdCdsApiImpl::updateOnDemand(std::string cluster_name) { + subscriptions_manager_->addSubscription(cluster_name); +} } // namespace Upstream } // namespace Envoy diff --git a/source/common/upstream/od_cds_api_impl.h b/source/common/upstream/od_cds_api_impl.h index 239e58b674a61..aad55ca9b0ad9 100644 --- a/source/common/upstream/od_cds_api_impl.h +++ b/source/common/upstream/od_cds_api_impl.h @@ -8,6 +8,7 @@ #include "envoy/config/core/v3/config_source.pb.h" #include "envoy/config/subscription.h" #include "envoy/protobuf/message_validator.h" +#include "envoy/server/factory_context.h" #include "envoy/stats/scope.h" #include "envoy/upstream/cluster_manager.h" @@ -38,7 +39,8 @@ class OdCdsApiImpl : public OdCdsApi, create(const envoy::config::core::v3::ConfigSource& odcds_config, OptRef odcds_resources_locator, Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, - Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor); + Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::ServerFactoryContext& server_factory_context); // Upstream::OdCdsApi void updateOnDemand(std::string cluster_name) override; @@ -69,5 +71,43 @@ class OdCdsApiImpl : public OdCdsApi, Config::SubscriptionPtr subscription_; }; +/** + * ODCDS API implementation that fetches via Subscription for xDS-TP based + * configs and resources. + */ +class XdstpOdCdsApiImpl : public OdCdsApi { +public: + static absl::StatusOr + create(const envoy::config::core::v3::ConfigSource&, OptRef, + Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, + Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::ServerFactoryContext& server_factory_context); + + // Upstream::OdCdsApi + void updateOnDemand(std::string cluster_name) override; + +private: + class XdstpOdcdsSubscriptionsManager; + using XdstpOdcdsSubscriptionsManagerSharedPtr = std::shared_ptr; + + XdstpOdCdsApiImpl(Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, + Server::Configuration::ServerFactoryContext& server_context, + ProtobufMessage::ValidationVisitor& validation_visitor, + absl::Status& creation_status); + + // Fetches, and potentially creates, the singleton subscriptions manager. + // The arguments will be passed to the subscriptions manager's constructor, if + // it is the first time it is initialized. + static XdstpOdcdsSubscriptionsManagerSharedPtr + subscriptionsManager(Server::Configuration::ServerFactoryContext& context, + Config::XdsManager& xds_manager, ClusterManager& cm, + MissingClusterNotifier& notifier, Stats::Scope& scope, + ProtobufMessage::ValidationVisitor& validation_visitor); + + // A singleton through which all subscriptions will be processed. + XdstpOdcdsSubscriptionsManagerSharedPtr subscriptions_manager_; +}; + } // namespace Upstream } // namespace Envoy diff --git a/source/extensions/filters/http/on_demand/on_demand_update.cc b/source/extensions/filters/http/on_demand/on_demand_update.cc index 2dcb7a9cd2aa3..cf8c8eda9e946 100644 --- a/source/extensions/filters/http/on_demand/on_demand_update.cc +++ b/source/extensions/filters/http/on_demand/on_demand_update.cc @@ -6,6 +6,7 @@ #include "source/common/config/xds_resource.h" #include "source/common/http/codes.h" #include "source/common/http/utility.h" +#include "source/common/runtime/runtime_features.h" #include "source/common/upstream/od_cds_api_impl.h" #include "source/extensions/filters/http/well_known_names.h" @@ -58,20 +59,37 @@ DecodeHeadersBehaviorPtr createDecodeHeadersBehavior( if (!odcds_config.has_value()) { return DecodeHeadersBehavior::rds(); } - Upstream::OdCdsApiHandlePtr odcds; - if (odcds_config->resources_locator().empty()) { - odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::OdCdsApiImpl::create, - odcds_config->source(), absl::nullopt, - validation_visitor), - Upstream::OdCdsApiHandlePtr); - } else { - auto locator = THROW_OR_RETURN_VALUE( - Config::XdsResourceIdentifier::decodeUrl(odcds_config->resources_locator()), - xds::core::v3::ResourceLocator); - odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::OdCdsApiImpl::create, - odcds_config->source(), locator, - validation_visitor), - Upstream::OdCdsApiHandlePtr); + Upstream::OdCdsApiHandlePtr odcds = nullptr; + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions")) { + // For xDS-TP based configs, both the odcds_config->source and + // odcds_config->resources_locator must be empty. + if (!odcds_config->has_source() && odcds_config->resources_locator().empty()) { + odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::XdstpOdCdsApiImpl::create, + odcds_config->source(), absl::nullopt, + validation_visitor), + Upstream::OdCdsApiHandlePtr); + } + } + // TODO(adisuissa): change "if (odcds == nullptr)" to "else" (and further + // merge the else with the "if (odcds_config->resources_locator().empty())") + // once the "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions" + // runtime flag is deprecated. + if (odcds == nullptr) { + if (odcds_config->resources_locator().empty()) { + odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::OdCdsApiImpl::create, + odcds_config->source(), absl::nullopt, + validation_visitor), + Upstream::OdCdsApiHandlePtr); + } else { + auto locator = THROW_OR_RETURN_VALUE( + Config::XdsResourceIdentifier::decodeUrl(odcds_config->resources_locator()), + xds::core::v3::ResourceLocator); + odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::OdCdsApiImpl::create, + odcds_config->source(), locator, + validation_visitor), + Upstream::OdCdsApiHandlePtr); + } } // If changing the default timeout, please update the documentation in on_demand.proto too. auto timeout = diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 9f6d72e9f8c84..1f3548d4d2616 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -23,8 +23,28 @@ envoy_cc_test( "//source/common/upstream:od_cds_api_lib", "//test/mocks/config:xds_manager_mocks", "//test/mocks/protobuf:protobuf_mocks", + "//test/mocks/server:server_mocks", + "//test/mocks/upstream:cluster_manager_mocks", + "//test/mocks/upstream:missing_cluster_notifier_mocks", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "xdstp_od_cds_api_impl_test", + srcs = ["xdstp_od_cds_api_impl_test.cc"], + rbe_pool = "6gig", + deps = [ + "//envoy/config:subscription_interface", + "//source/common/stats:isolated_store_lib", + "//source/common/upstream:od_cds_api_lib", + "//test/mocks/config:xds_manager_mocks", + "//test/mocks/protobuf:protobuf_mocks", + "//test/mocks/server:server_mocks", "//test/mocks/upstream:cluster_manager_mocks", "//test/mocks/upstream:missing_cluster_notifier_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", ], ) diff --git a/test/common/upstream/od_cds_api_impl_test.cc b/test/common/upstream/od_cds_api_impl_test.cc index 98a3bf534ab00..82b1d915fc6f9 100644 --- a/test/common/upstream/od_cds_api_impl_test.cc +++ b/test/common/upstream/od_cds_api_impl_test.cc @@ -6,6 +6,7 @@ #include "test/mocks/config/xds_manager.h" #include "test/mocks/protobuf/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/mocks/upstream/cluster_manager.h" #include "test/mocks/upstream/missing_cluster_notifier.h" @@ -25,8 +26,9 @@ class OdCdsApiImplTest : public testing::Test { void SetUp() override { envoy::config::core::v3::ConfigSource odcds_config; OptRef null_locator; - odcds_ = *OdCdsApiImpl::create(odcds_config, null_locator, xds_manager_, cm_, notifier_, - *store_.rootScope(), validation_visitor_); + odcds_ = + *OdCdsApiImpl::create(odcds_config, null_locator, xds_manager_, cm_, notifier_, + *store_.rootScope(), validation_visitor_, server_factory_context_); odcds_callbacks_ = cm_.subscription_factory_.callbacks_; } @@ -34,6 +36,7 @@ class OdCdsApiImplTest : public testing::Test { NiceMock cm_; Stats::IsolatedStoreImpl store_; MockMissingClusterNotifier notifier_; + NiceMock server_factory_context_; OdCdsApiSharedPtr odcds_; Config::SubscriptionCallbacks* odcds_callbacks_ = nullptr; NiceMock validation_visitor_; diff --git a/test/common/upstream/xdstp_od_cds_api_impl_test.cc b/test/common/upstream/xdstp_od_cds_api_impl_test.cc new file mode 100644 index 0000000000000..7a449d341b12b --- /dev/null +++ b/test/common/upstream/xdstp_od_cds_api_impl_test.cc @@ -0,0 +1,329 @@ +#include "envoy/config/cluster/v3/cluster.pb.h" +#include "envoy/config/core/v3/config_source.pb.h" +#include "envoy/config/subscription.h" + +#include "source/common/config/decoded_resource_impl.h" +#include "source/common/stats/isolated_store_impl.h" +#include "source/common/upstream/od_cds_api_impl.h" + +#include "test/mocks/config/xds_manager.h" +#include "test/mocks/protobuf/mocks.h" +#include "test/mocks/server/mocks.h" +#include "test/mocks/upstream/cluster_manager.h" +#include "test/mocks/upstream/missing_cluster_notifier.h" +#include "test/test_common/test_runtime.h" +#include "test/test_common/utility.h" + +#include "fmt/core.h" +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Upstream { +namespace { + +using ::testing::ElementsAre; +using ::testing::InSequence; +using ::testing::UnorderedElementsAre; + +class XdstpOdCdsApiImplTest : public testing::Test { +public: + void SetUp() override { + scoped_runtime_.mergeValues( + {{"envoy.reloadable_features.xdstp_based_config_singleton_subscriptions", "true"}}); + envoy::config::core::v3::ConfigSource odcds_config; + OptRef null_locator; + odcds_ = *XdstpOdCdsApiImpl::create(odcds_config, null_locator, xds_manager_, cm_, notifier_, + *store_.rootScope(), validation_visitor_, + server_factory_context_); + + ON_CALL(xds_manager_, subscriptionFactory()) + .WillByDefault(ReturnRef(cm_.subscription_factory_)); + } + + void expectSingletonSubscription(absl::string_view resource_name) { + EXPECT_CALL(xds_manager_, subscribeToSingletonResource(resource_name, _, _, _, _, _, _)) + .WillOnce(Invoke( + [this](absl::string_view, OptRef, + absl::string_view, Stats::Scope&, Config::SubscriptionCallbacks& callbacks, + Config::OpaqueResourceDecoderSharedPtr, + const Config::SubscriptionOptions&) -> absl::StatusOr { + auto ret = std::make_unique>(); + subscription_ = ret.get(); + odcds_callbacks_ = &callbacks; + return ret; + })); + } + + TestScopedRuntime scoped_runtime_; + NiceMock xds_manager_; + NiceMock cm_; + Stats::IsolatedStoreImpl store_; + MockMissingClusterNotifier notifier_; + NiceMock server_factory_context_; + OdCdsApiSharedPtr odcds_; + Config::SubscriptionCallbacks* odcds_callbacks_ = nullptr; + NiceMock validation_visitor_; + Config::MockSubscription* subscription_; +}; + +// Check that a subscription is created when the odcds is updated. +TEST_F(XdstpOdCdsApiImplTest, SuccesfulSubscriptionToCluster) { + InSequence s; + + expectSingletonSubscription("fake_cluster"); + odcds_->updateOnDemand("fake_cluster"); +} + +// Check that a subscription is created when the odcds is updated, +// and if the same cluster is requested again, another subscription will not be created. +TEST_F(XdstpOdCdsApiImplTest, SingleSubscriptionToSomeCluster) { + InSequence s; + + expectSingletonSubscription("fake_cluster"); + odcds_->updateOnDemand("fake_cluster"); + + EXPECT_CALL(xds_manager_, subscribeToSingletonResource(_, _, _, _, _, _, _)).Times(0); + odcds_->updateOnDemand("fake_cluster"); +} + +// Check that a subscription is created when the odcds is updated, +// and if a different cluster is requested, a new subscription will be created. +TEST_F(XdstpOdCdsApiImplTest, TwoSubscriptionsToDifferectClusters) { + InSequence s; + + expectSingletonSubscription("fake_cluster"); + odcds_->updateOnDemand("fake_cluster"); + + expectSingletonSubscription("fake_cluster2"); + odcds_->updateOnDemand("fake_cluster2"); +} + +// Tests a successful subscription and cluster addition. +TEST_F(XdstpOdCdsApiImplTest, SuccessfulClusterAddition) { + InSequence s; + + const std::string cluster_name = "fake_cluster"; + expectSingletonSubscription(cluster_name); + odcds_->updateOnDemand(cluster_name); + + ASSERT_NE(odcds_callbacks_, nullptr); + + const auto cluster = + TestUtility::parseYaml(fmt::format(R"EOF( + name: {} + connect_timeout: 1.250s + lb_policy: ROUND_ROBIN + type: STATIC + )EOF", + cluster_name)); + + const std::string version = "v1"; + EXPECT_CALL(cm_, addOrUpdateCluster(ProtoEq(cluster), version, false)); + + Config::DecodedResourceImpl decoded_resource( + std::make_unique(cluster), "fake_cluster", {}, version); + std::vector resources; + resources.emplace_back(decoded_resource); + + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate(resources, version).ok()); +} + +// Tests cluster removal. +TEST_F(XdstpOdCdsApiImplTest, ClusterRemoval) { + InSequence s; + + const std::string cluster_name = "fake_cluster"; + expectSingletonSubscription(cluster_name); + odcds_->updateOnDemand(cluster_name); + + ASSERT_NE(odcds_callbacks_, nullptr); + + const auto cluster = + TestUtility::parseYaml(fmt::format(R"EOF( + name: {} + connect_timeout: 1.250s + lb_policy: ROUND_ROBIN + type: STATIC + )EOF", + cluster_name)); + + const std::string version = "v1"; + EXPECT_CALL(cm_, addOrUpdateCluster(ProtoEq(cluster), version, false)); + + Config::DecodedResourceImpl decoded_resource( + std::make_unique(cluster), "fake_cluster", {}, version); + std::vector resources; + resources.emplace_back(decoded_resource); + + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate(resources, version).ok()); + + // Now remove the cluster. + const std::string version2 = "v2"; + EXPECT_CALL(notifier_, notifyMissingCluster(cluster_name)); + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate({}, version2).ok()); +} + +// Tests that a config update failure is handled correctly. +TEST_F(XdstpOdCdsApiImplTest, SubscriptionFailure) { + InSequence s; + + const std::string cluster_name = "fake_cluster"; + expectSingletonSubscription(cluster_name); + odcds_->updateOnDemand(cluster_name); + + ASSERT_NE(odcds_callbacks_, nullptr); + + EXPECT_CALL(cm_, addOrUpdateCluster(_, _, _)).Times(0); + EXPECT_CALL(notifier_, notifyMissingCluster(cluster_name)); + + EnvoyException e("rejecting update"); + odcds_callbacks_->onConfigUpdateFailed(Envoy::Config::ConfigUpdateFailureReason::UpdateRejected, + &e); +} + +// Tests that an existing cluster is updated. +TEST_F(XdstpOdCdsApiImplTest, ClusterUpdate) { + InSequence s; + + const std::string cluster_name = "fake_cluster"; + expectSingletonSubscription(cluster_name); + odcds_->updateOnDemand(cluster_name); + + ASSERT_NE(odcds_callbacks_, nullptr); + + const auto cluster = + TestUtility::parseYaml(fmt::format(R"EOF( + name: {} + connect_timeout: 1.250s + lb_policy: ROUND_ROBIN + type: STATIC + )EOF", + cluster_name)); + + const std::string version = "v1"; + EXPECT_CALL(cm_, addOrUpdateCluster(ProtoEq(cluster), version, false)); + + Config::DecodedResourceImpl decoded_resource( + std::make_unique(cluster), "fake_cluster", {}, version); + std::vector resources; + resources.emplace_back(decoded_resource); + + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate(resources, version).ok()); + + // Now update the cluster. + const auto updated_cluster = + TestUtility::parseYaml(fmt::format(R"EOF( + name: {} + connect_timeout: 2.250s + lb_policy: ROUND_ROBIN + type: STATIC + )EOF", + cluster_name)); + const std::string version2 = "v2"; + EXPECT_CALL(cm_, addOrUpdateCluster(ProtoEq(updated_cluster), version2, false)); + + Config::DecodedResourceImpl decoded_resource2( + std::make_unique(updated_cluster), "fake_cluster", {}, + version2); + std::vector resources2; + resources2.emplace_back(decoded_resource2); + + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate(resources2, version2).ok()); +} + +// Tests that multiple subscriptions are handled independently. +TEST_F(XdstpOdCdsApiImplTest, MultipleSubscriptions) { + InSequence s; + + // Subscription for fake_cluster1 succeeds. + const std::string cluster_name1 = "fake_cluster1"; + Config::SubscriptionCallbacks* callbacks1 = nullptr; + EXPECT_CALL(xds_manager_, subscribeToSingletonResource(cluster_name1, _, _, _, _, _, _)) + .WillOnce(Invoke( + [&callbacks1](absl::string_view, OptRef, + absl::string_view, Stats::Scope&, Config::SubscriptionCallbacks& callbacks, + Config::OpaqueResourceDecoderSharedPtr, const Config::SubscriptionOptions&) + -> absl::StatusOr { + callbacks1 = &callbacks; + return std::make_unique>(); + })); + odcds_->updateOnDemand(cluster_name1); + ASSERT_NE(callbacks1, nullptr); + + // Subscription for fake_cluster2 fails. + const std::string cluster_name2 = "fake_cluster2"; + Config::SubscriptionCallbacks* callbacks2 = nullptr; + EXPECT_CALL(xds_manager_, subscribeToSingletonResource(cluster_name2, _, _, _, _, _, _)) + .WillOnce(Invoke( + [&callbacks2](absl::string_view, OptRef, + absl::string_view, Stats::Scope&, Config::SubscriptionCallbacks& callbacks, + Config::OpaqueResourceDecoderSharedPtr, const Config::SubscriptionOptions&) + -> absl::StatusOr { + callbacks2 = &callbacks; + return std::make_unique>(); + })); + odcds_->updateOnDemand(cluster_name2); + ASSERT_NE(callbacks2, nullptr); + + // Verify that the successful subscription works as expected. + const auto cluster = + TestUtility::parseYaml(fmt::format(R"EOF( + name: {} + connect_timeout: 1.250s + lb_policy: ROUND_ROBIN + type: STATIC + )EOF", + cluster_name1)); + const std::string version = "v1"; + EXPECT_CALL(cm_, addOrUpdateCluster(ProtoEq(cluster), version, false)); + Config::DecodedResourceImpl decoded_resource( + std::make_unique(cluster), cluster_name1, {}, version); + std::vector resources; + resources.emplace_back(decoded_resource); + EXPECT_TRUE(callbacks1->onConfigUpdate(resources, version).ok()); + + // Verify that the failed subscription works as expected. + EXPECT_CALL(cm_, addOrUpdateCluster(_, _, _)).Times(0); + EXPECT_CALL(notifier_, notifyMissingCluster(cluster_name2)); + EnvoyException e("rejecting update"); + callbacks2->onConfigUpdateFailed(Envoy::Config::ConfigUpdateFailureReason::UpdateRejected, &e); +} + +// Tests cluster removal via a delta update. +TEST_F(XdstpOdCdsApiImplTest, ClusterRemovalViaDeltaUpdate) { + InSequence s; + + const std::string cluster_name = "fake_cluster"; + expectSingletonSubscription(cluster_name); + odcds_->updateOnDemand(cluster_name); + + ASSERT_NE(odcds_callbacks_, nullptr); + + // First, add the cluster. + const auto cluster = + TestUtility::parseYaml(fmt::format(R"EOF( + name: {} + connect_timeout: 1.250s + lb_policy: ROUND_ROBIN + type: STATIC + )EOF", + cluster_name)); + const std::string version = "v1"; + EXPECT_CALL(cm_, addOrUpdateCluster(ProtoEq(cluster), version, false)); + Config::DecodedResourceImpl decoded_resource( + std::make_unique(cluster), cluster_name, {}, version); + std::vector resources; + resources.emplace_back(decoded_resource); + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate(resources, version).ok()); + + // Now, remove the cluster using a delta update. + const std::string version2 = "v2"; + Protobuf::RepeatedPtrField removed_resources; + removed_resources.Add(std::string(cluster_name)); + EXPECT_CALL(notifier_, notifyMissingCluster(cluster_name)); + EXPECT_TRUE(odcds_callbacks_->onConfigUpdate({}, removed_resources, version2).ok()); +} +} // namespace +} // namespace Upstream +} // namespace Envoy diff --git a/test/extensions/filters/http/on_demand/BUILD b/test/extensions/filters/http/on_demand/BUILD index 9c6d25f2934cc..b3caf61820a8e 100644 --- a/test/extensions/filters/http/on_demand/BUILD +++ b/test/extensions/filters/http/on_demand/BUILD @@ -67,6 +67,7 @@ envoy_extension_cc_test( "//test/integration:fake_upstream_lib", "//test/integration:http_integration_lib", "//test/integration:scoped_rds_lib", + "//test/integration:xdstp_config_sources_integration_lib", "//test/test_common:resources_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", diff --git a/test/extensions/filters/http/on_demand/odcds_integration_test.cc b/test/extensions/filters/http/on_demand/odcds_integration_test.cc index b66bbcb7c715c..75c432a5af91e 100644 --- a/test/extensions/filters/http/on_demand/odcds_integration_test.cc +++ b/test/extensions/filters/http/on_demand/odcds_integration_test.cc @@ -14,6 +14,7 @@ #include "test/integration/fake_upstream.h" #include "test/integration/http_integration.h" #include "test/integration/scoped_rds.h" +#include "test/integration/xdstp_config_sources_integration.h" #include "test/test_common/resources.h" #include "test/test_common/utility.h" @@ -107,28 +108,34 @@ class OdCdsIntegrationHelper { } static OnDemandCdsConfig - createOnDemandCdsConfig(envoy::config::core::v3::ConfigSource config_source, int timeout_millis) { + createOnDemandCdsConfig(absl::optional config_source, + int timeout_millis) { OnDemandCdsConfig config; - *config.mutable_source() = std::move(config_source); + if (config_source.has_value()) { + *config.mutable_source() = std::move(config_source.value()); + } *config.mutable_timeout() = ProtobufUtil::TimeUtil::MillisecondsToDuration(timeout_millis); return config; } template - static OnDemandConfigType createConfig(envoy::config::core::v3::ConfigSource config_source, - int timeout_millis) { + static OnDemandConfigType + createConfig(absl::optional config_source, + int timeout_millis) { OnDemandConfigType on_demand; *on_demand.mutable_odcds() = createOnDemandCdsConfig(std::move(config_source), timeout_millis); return on_demand; } - static OnDemandConfig createOnDemandConfig(envoy::config::core::v3::ConfigSource config_source, - int timeout_millis) { + static OnDemandConfig + createOnDemandConfig(absl::optional config_source, + int timeout_millis) { return createConfig(std::move(config_source), timeout_millis); } - static PerRouteConfig createPerRouteConfig(envoy::config::core::v3::ConfigSource config_source, - int timeout_millis) { + static PerRouteConfig + createPerRouteConfig(absl::optional config_source, + int timeout_millis) { return createConfig(std::move(config_source), timeout_millis); } @@ -697,6 +704,221 @@ TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryAsksForNonexistentCluste cleanupUpstreamAndDownstream(); } +class OdCdsXdstpIntegrationTest : public XdsTpConfigsIntegration { +public: + void initialize() override { + // Skipping port usage validation because this tests will create new clusters + // that will be sent to the OD-CDS subscriptions. + config_helper_.skipPortUsageValidation(); + + // Set up the listener and add the PerRouteConfig in it that will have the + // ODCDS filter. + config_helper_.addConfigModifier( + [&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + auto* static_resources = bootstrap.mutable_static_resources(); + // Replace the listener. + *static_resources->mutable_listeners(0) = buildListener(); + }); + + // Envoy will only connect to the xDS-TP servers that are defined in the + // bootstrap, but won't issue a subscription yet. + on_server_init_function_ = [this]() { + connectAuthority1(); + connectDefaultAuthority(); + }; + XdsTpConfigsIntegration::initialize(); + + test_server_->waitUntilListenersReady(); + // Add a fake cluster server that will be returned for the OD-CDS request. + new_cluster_upstream_idx_ = fake_upstreams_.size(); + addFakeUpstream(Http::CodecType::HTTP2); + new_cluster_ = ConfigHelper::buildStaticCluster( + "xdstp://authority1.com/envoy.config.cluster.v3.Cluster/on_demand_clusters/new_cluster", + fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + registerTestServerPorts({"http"}); + } + + envoy::config::listener::v3::Listener buildListener() { + OdCdsListenerBuilder builder(Network::Test::getLoopbackAddressString(ipVersion())); + auto per_route_config = OdCdsIntegrationHelper::createPerRouteConfig(absl::nullopt, 2500); + OdCdsIntegrationHelper::addPerRouteConfig(builder.hcm(), std::move(per_route_config), + "integration", {}); + return builder.listener(); + } + + bool compareRequest(const std::string& type_url, + const std::vector& expected_resource_subscriptions, + const std::vector& expected_resource_unsubscriptions, + bool expect_node = false) { + return compareDeltaDiscoveryRequest(type_url, expected_resource_subscriptions, + expected_resource_unsubscriptions, + Grpc::Status::WellKnownGrpcStatus::Ok, "", expect_node); + }; + + std::size_t new_cluster_upstream_idx_; + envoy::config::cluster::v3::Cluster new_cluster_; +}; + +INSTANTIATE_TEST_SUITE_P( + IpVersionsClientTypeDeltaWildcard, OdCdsXdstpIntegrationTest, + testing::Combine(testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + testing::ValuesIn(TestEnvironment::getsGrpcVersionsForTest()), + // TODO(adisuissa): add SotW validation - this should work + // as long as there isn't both empty wildcard and on-demand + // on the same xds-tp gRPC-mux (which is not supported at + // the moment). + // Only delta xDS is supported for on-demand CDS. + testing::Values(Grpc::SotwOrDelta::Delta, Grpc::SotwOrDelta::UnifiedDelta))); + +// tests a scenario when: +// - making a request to an unknown cluster +// - odcds initiates a connection with a request for the cluster +// - a response contains the cluster +// - request is resumed +TEST_P(OdCdsXdstpIntegrationTest, OnDemandClusterDiscoveryWorksWithClusterHeader) { + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + const std::string& cluster_name = new_cluster_.name(); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", cluster_name}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Authority1 should receive the ODCDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().Cluster, "", {cluster_name}, {cluster_name}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {new_cluster_}, {new_cluster_}, {}, + "1", {}, authority1_xds_stream_.get()); + // Expect a CDS ACK from authority1. + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {cluster_name}, {}, + {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", + authority1_xds_stream_.get())); + + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + // Send response headers, and end_stream if there is no response body. + upstream_request_->encodeHeaders(default_response_headers_, true); + + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + cleanupUpstreamAndDownstream(); +} + +// tests a scenario when: +// - making a request to an unknown cluster +// - odcds initiates a connection with a request for the cluster +// - a response contains the cluster +// - request is resumed +// - another request is sent to the same cluster +// - no odcds happens, because the cluster is known +TEST_P(OdCdsXdstpIntegrationTest, OnDemandClusterDiscoveryRemembersDiscoveredCluster) { + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + const std::string& cluster_name = new_cluster_.name(); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", cluster_name}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Authority1 should receive the ODCDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().Cluster, "", {cluster_name}, {cluster_name}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {new_cluster_}, {new_cluster_}, {}, + "1", {}, authority1_xds_stream_.get()); + // Expect a CDS ACK from authority1. + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {cluster_name}, {}, + {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", + authority1_xds_stream_.get())); + + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + // Send response headers, and end_stream if there is no response body. + upstream_request_->encodeHeaders(default_response_headers_, true); + + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + // Next request should be handled right away (no xDS subscription). + response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + cleanupUpstreamAndDownstream(); +} + +// tests a scenario when: +// - making a request to an unknown cluster +// - odcds initiates a connection with a request for the cluster +// - waiting for response times out +// - request is resumed +TEST_P(OdCdsXdstpIntegrationTest, OnDemandClusterDiscoveryTimesOut) { + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + const std::string& cluster_name = new_cluster_.name(); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", cluster_name}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Authority1 should receive the ODCDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().Cluster, "", {cluster_name}, {cluster_name}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + // not sending a response + + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "503", {}, {}); + + cleanupUpstreamAndDownstream(); +} + +// tests a scenario when: +// - making a request to an unknown cluster +// - odcds initiates a connection with a request for the cluster +// - a response says that there is no such cluster +// - request is resumed +TEST_P(OdCdsXdstpIntegrationTest, OnDemandClusterDiscoveryAsksForNonexistentCluster) { + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + const std::string& cluster_name = new_cluster_.name(); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", cluster_name}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Authority1 should receive the ODCDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().Cluster, "", {cluster_name}, {cluster_name}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + // Send a response to remove the requested cluster (not found). + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, {}, + {}, {cluster_name}, "1", {}, + authority1_xds_stream_.get()); + // Expect a CDS ACK from authority1. + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {cluster_name}, {}, + {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", + authority1_xds_stream_.get())); + + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "503", {}, {}); + + cleanupUpstreamAndDownstream(); +} + class OdCdsScopedRdsIntegrationTestBase : public ScopedRdsIntegrationTest { public: void addOnDemandConfig(OdCdsIntegrationHelper::OnDemandConfig config) { diff --git a/test/integration/BUILD b/test/integration/BUILD index d1edcbb265429..eb536c353c0a2 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -81,6 +81,31 @@ envoy_cc_test( ], ) +envoy_cc_test_library( + name = "xdstp_config_sources_integration_lib", + hdrs = [ + "xdstp_config_sources_integration.h", + ], + rbe_pool = "2core", + deps = [ + ":ads_integration_lib", + ":http_integration_lib", + "//source/common/config:protobuf_link_hacks", + "//source/common/protobuf:utility_lib", + "//source/common/version:version_lib", + "//test/common/grpc:grpc_client_integration_lib", + "//test/test_common:network_utility_lib", + "//test/test_common:resources_lib", + "//test/test_common:utility_lib", + "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", + "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + "@envoy_api//envoy/config/endpoint/v3:pkg_cc_proto", + "@envoy_api//envoy/config/listener/v3:pkg_cc_proto", + "@envoy_api//envoy/config/route/v3:pkg_cc_proto", + ], +) + envoy_cc_test( name = "xdstp_config_sources_integration_test", srcs = ["xdstp_config_sources_integration_test.cc"], @@ -89,8 +114,8 @@ envoy_cc_test( "cpu:3", ], deps = [ - ":ads_integration_lib", ":http_integration_lib", + ":xdstp_config_sources_integration_lib", "//source/common/config:protobuf_link_hacks", "//source/common/protobuf:utility_lib", "//test/common/grpc:grpc_client_integration_lib", diff --git a/test/integration/xdstp_config_sources_integration.h b/test/integration/xdstp_config_sources_integration.h new file mode 100644 index 0000000000000..88ac3ee53b885 --- /dev/null +++ b/test/integration/xdstp_config_sources_integration.h @@ -0,0 +1,174 @@ +#pragma once + +#include "envoy/config/bootstrap/v3/bootstrap.pb.h" +#include "envoy/config/cluster/v3/cluster.pb.h" +#include "envoy/config/core/v3/base.pb.h" +#include "envoy/config/endpoint/v3/endpoint.pb.h" +#include "envoy/config/listener/v3/listener.pb.h" +#include "envoy/config/route/v3/route.pb.h" +#include "envoy/grpc/status.h" + +#include "source/common/config/protobuf_link_hacks.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/protobuf/utility.h" +#include "source/common/tls/server_context_config_impl.h" +#include "source/common/tls/server_ssl_socket.h" +#include "source/common/version/version.h" + +#include "test/common/grpc/grpc_client_integration.h" +#include "test/integration/ads_integration.h" +#include "test/integration/http_integration.h" +#include "test/integration/utility.h" +#include "test/test_common/network_utility.h" +#include "test/test_common/resources.h" +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" + +using testing::AssertionResult; + +namespace Envoy { + +// A base class for the xDS-TP based config sources (defined in the bootstrap) tests, without the +// ads_config definition. +class XdsTpConfigsIntegration : public AdsDeltaSotwIntegrationSubStateParamTest, + public HttpIntegrationTest { +public: + XdsTpConfigsIntegration() + : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion(), + ConfigHelper::httpProxyConfig(false)) { + config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", + (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw || + sotwOrDelta() == Grpc::SotwOrDelta::UnifiedDelta) + ? "true" + : "false"); + config_helper_.addRuntimeOverride( + "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions", "true"); + // Not using the normal xds upstream, but the + // authority1_upstream_/default_upstream. + create_xds_upstream_ = false; + // Not testing TLS in this case. + tls_xds_upstream_ = false; + sotw_or_delta_ = sotwOrDelta(); + setUpstreamProtocol(Http::CodecType::HTTP2); + } + + FakeUpstream* createAdsUpstream() { + ASSERT(!tls_xds_upstream_); + addFakeUpstream(Http::CodecType::HTTP2); + return fake_upstreams_.back().get(); + } + + void TearDown() override { + cleanupXdsConnection(authority1_xds_connection_); + cleanupXdsConnection(default_authority_xds_connection_); + } + + void createUpstreams() override { + HttpIntegrationTest::createUpstreams(); + // An upstream for authority1 (H/2), an upstream for the default_authority (H/2), and an + // upstream for a backend (H/1). + authority1_upstream_ = createAdsUpstream(); + default_authority_upstream_ = createAdsUpstream(); + if (test_requires_additional_upstream_) { + addFakeUpstream(Http::CodecType::HTTP1); + } + } + + bool isSotw() const { + return sotwOrDelta() == Grpc::SotwOrDelta::Sotw || + sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw; + } + + // Adds config_source for authority1.com and a default_config_source for + // default_authority.com. + void initialize() override { + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Add the first config_source. + { + auto* config_source1 = bootstrap.mutable_config_sources()->Add(); + config_source1->mutable_authorities()->Add()->set_name("authority1.com"); + auto* api_config_source = config_source1->mutable_api_config_source(); + api_config_source->set_api_type( + isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC + : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); + api_config_source->set_transport_api_version(envoy::config::core::v3::V3); + api_config_source->set_set_node_on_first_message_only(true); + auto* grpc_service = api_config_source->add_grpc_services(); + setGrpcService(*grpc_service, "authority1_cluster", authority1_upstream_->localAddress()); + auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); + xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + xds_cluster->set_name("authority1_cluster"); + } + // Add the default config source. + { + auto* default_config_source = bootstrap.mutable_default_config_source(); + default_config_source->mutable_authorities()->Add()->set_name("default_authority.com"); + auto* api_config_source = default_config_source->mutable_api_config_source(); + api_config_source->set_api_type( + isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC + : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); + api_config_source->set_transport_api_version(envoy::config::core::v3::V3); + api_config_source->set_set_node_on_first_message_only(true); + auto* grpc_service = api_config_source->add_grpc_services(); + setGrpcService(*grpc_service, "default_authority_cluster", + default_authority_upstream_->localAddress()); + auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); + xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + xds_cluster->set_name("default_authority_cluster"); + } + }); + HttpIntegrationTest::initialize(); + } + + void connectAuthority1() { + AssertionResult result = + authority1_upstream_->waitForHttpConnection(*dispatcher_, authority1_xds_connection_); + RELEASE_ASSERT(result, result.message()); + result = authority1_xds_connection_->waitForNewStream(*dispatcher_, authority1_xds_stream_); + RELEASE_ASSERT(result, result.message()); + authority1_xds_stream_->startGrpcStream(); + } + + void connectDefaultAuthority() { + AssertionResult result = default_authority_upstream_->waitForHttpConnection( + *dispatcher_, default_authority_xds_connection_); + RELEASE_ASSERT(result, result.message()); + result = default_authority_xds_connection_->waitForNewStream(*dispatcher_, + default_authority_xds_stream_); + RELEASE_ASSERT(result, result.message()); + default_authority_xds_stream_->startGrpcStream(); + } + + void cleanupXdsConnection(FakeHttpConnectionPtr& connection) { + if (connection != nullptr) { + AssertionResult result = connection->close(); + RELEASE_ASSERT(result, result.message()); + result = connection->waitForDisconnect(); + RELEASE_ASSERT(result, result.message()); + connection.reset(); + } + } + + envoy::config::endpoint::v3::ClusterLoadAssignment + buildClusterLoadAssignment(const std::string& name) { + // The last fake upstream is the emulated server. + return ConfigHelper::buildClusterLoadAssignment( + name, Network::Test::getLoopbackAddressString(ipVersion()), + fake_upstreams_.back().get()->localAddress()->ip()->port()); + } + + bool test_requires_additional_upstream_{true}; + + // Data members that emulate the authority1 server. + FakeUpstream* authority1_upstream_; + FakeHttpConnectionPtr authority1_xds_connection_; + FakeStreamPtr authority1_xds_stream_; + + // Data members that emulate the default_authority server. + FakeUpstream* default_authority_upstream_; + FakeHttpConnectionPtr default_authority_xds_connection_; + FakeStreamPtr default_authority_xds_stream_; +}; + +} // namespace Envoy diff --git a/test/integration/xdstp_config_sources_integration_test.cc b/test/integration/xdstp_config_sources_integration_test.cc index 605ba1c12be41..b17eb0713287b 100644 --- a/test/integration/xdstp_config_sources_integration_test.cc +++ b/test/integration/xdstp_config_sources_integration_test.cc @@ -14,10 +14,9 @@ #include "source/common/version/version.h" #include "test/common/grpc/grpc_client_integration.h" -#include "test/config/v2_link_hacks.h" -#include "test/integration/ads_integration.h" #include "test/integration/http_integration.h" #include "test/integration/utility.h" +#include "test/integration/xdstp_config_sources_integration.h" #include "test/test_common/network_utility.h" #include "test/test_common/resources.h" #include "test/test_common/utility.h" @@ -30,144 +29,9 @@ namespace Envoy { // Tests for xDS-TP based config sources (defined in the bootstrap), without the // ads_config definition. -class XdsTpConfigsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamTest, - public HttpIntegrationTest { +class XdsTpConfigsIntegrationTest : public XdsTpConfigsIntegration { public: - XdsTpConfigsIntegrationTest() - : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion(), - ConfigHelper::httpProxyConfig(false)) { - config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", - (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw || - sotwOrDelta() == Grpc::SotwOrDelta::UnifiedDelta) - ? "true" - : "false"); - // Not using the normal xds upstream, but the - // authority1_upstream_/default_upstream. - create_xds_upstream_ = false; - // Not testing TLS in this case. - tls_xds_upstream_ = false; - sotw_or_delta_ = sotwOrDelta(); - setUpstreamProtocol(Http::CodecType::HTTP2); - } - - FakeUpstream* createAdsUpstream() { - ASSERT(!tls_xds_upstream_); - addFakeUpstream(Http::CodecType::HTTP2); - return fake_upstreams_.back().get(); - } - - void TearDown() override { - cleanupXdsConnection(authority1_xds_connection_); - cleanupXdsConnection(default_authority_xds_connection_); - } - - void createUpstreams() override { - HttpIntegrationTest::createUpstreams(); - // An upstream for authority1 (H/2), an upstream for the default_authority (H/2), and an - // upstream for a backend (H/1). - authority1_upstream_ = createAdsUpstream(); - default_authority_upstream_ = createAdsUpstream(); - if (test_requires_additional_upstream_) { - addFakeUpstream(Http::CodecType::HTTP1); - } - } - - bool isSotw() const { - return sotwOrDelta() == Grpc::SotwOrDelta::Sotw || - sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw; - } - - // Adds config_source for authority1.com and a default_config_source for - // default_authority.com. - void initialize() override { - config_helper_.addRuntimeOverride( - "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions", "true"); - config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - // Add the first config_source. - { - auto* config_source1 = bootstrap.mutable_config_sources()->Add(); - config_source1->mutable_authorities()->Add()->set_name("authority1.com"); - auto* api_config_source = config_source1->mutable_api_config_source(); - api_config_source->set_api_type( - isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC - : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); - api_config_source->set_transport_api_version(envoy::config::core::v3::V3); - api_config_source->set_set_node_on_first_message_only(true); - auto* grpc_service = api_config_source->add_grpc_services(); - setGrpcService(*grpc_service, "authority1_cluster", authority1_upstream_->localAddress()); - auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); - xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); - xds_cluster->set_name("authority1_cluster"); - } - // Add the default config source. - { - auto* default_config_source = bootstrap.mutable_default_config_source(); - default_config_source->mutable_authorities()->Add()->set_name("default_authority.com"); - auto* api_config_source = default_config_source->mutable_api_config_source(); - api_config_source->set_api_type( - isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC - : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); - api_config_source->set_transport_api_version(envoy::config::core::v3::V3); - api_config_source->set_set_node_on_first_message_only(true); - auto* grpc_service = api_config_source->add_grpc_services(); - setGrpcService(*grpc_service, "default_authority_cluster", - default_authority_upstream_->localAddress()); - auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); - xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); - xds_cluster->set_name("default_authority_cluster"); - } - }); - HttpIntegrationTest::initialize(); - } - - void connectAuthority1() { - AssertionResult result = - authority1_upstream_->waitForHttpConnection(*dispatcher_, authority1_xds_connection_); - RELEASE_ASSERT(result, result.message()); - result = authority1_xds_connection_->waitForNewStream(*dispatcher_, authority1_xds_stream_); - RELEASE_ASSERT(result, result.message()); - authority1_xds_stream_->startGrpcStream(); - } - - void connectDefaultAuthority() { - AssertionResult result = default_authority_upstream_->waitForHttpConnection( - *dispatcher_, default_authority_xds_connection_); - RELEASE_ASSERT(result, result.message()); - result = default_authority_xds_connection_->waitForNewStream(*dispatcher_, - default_authority_xds_stream_); - RELEASE_ASSERT(result, result.message()); - default_authority_xds_stream_->startGrpcStream(); - } - - void cleanupXdsConnection(FakeHttpConnectionPtr& connection) { - if (connection != nullptr) { - AssertionResult result = connection->close(); - RELEASE_ASSERT(result, result.message()); - result = connection->waitForDisconnect(); - RELEASE_ASSERT(result, result.message()); - connection.reset(); - } - } - - envoy::config::endpoint::v3::ClusterLoadAssignment - buildClusterLoadAssignment(const std::string& name) { - // The last fake upstream is the emulated server. - return ConfigHelper::buildClusterLoadAssignment( - name, Network::Test::getLoopbackAddressString(ipVersion()), - fake_upstreams_.back().get()->localAddress()->ip()->port()); - } - - bool test_requires_additional_upstream_{true}; - - // Data members that emulate the authority1 server. - FakeUpstream* authority1_upstream_; - FakeHttpConnectionPtr authority1_xds_connection_; - FakeStreamPtr authority1_xds_stream_; - - // Data members that emulate the default_authority server. - FakeUpstream* default_authority_upstream_; - FakeHttpConnectionPtr default_authority_xds_connection_; - FakeStreamPtr default_authority_xds_stream_; + XdsTpConfigsIntegrationTest() = default; }; INSTANTIATE_TEST_SUITE_P(IpVersionsClientTypeDeltaWildcard, XdsTpConfigsIntegrationTest, From 73535ee33370577943440a056a57048461e90e35 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Tue, 9 Sep 2025 15:15:11 -0400 Subject: [PATCH 376/505] Dns filter: Support bootstrap default DNS resolver config if filter client_config is missing (#41006) This is to address: https://github.com/envoyproxy/envoy/issues/41000 This PR enables customized DNS resolver if dns filter client_config is missing. --------- Signed-off-by: Yanjun Xiang --- .../udp/dns_filter/v3/dns_filter.proto | 9 ++++- changelogs/current.yaml | 5 +++ .../filters/udp/dns_filter/dns_filter.cc | 18 ++++++++- test/extensions/filters/udp/dns_filter/BUILD | 1 + .../filters/udp/dns_filter/dns_filter_test.cc | 38 +++++++++++++++++++ 5 files changed, 68 insertions(+), 3 deletions(-) diff --git a/api/envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto b/api/envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto index 70c41643ae777..322dabd24d6ec 100644 --- a/api/envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto +++ b/api/envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto @@ -102,6 +102,13 @@ message DnsFilterConfig { // Client context configuration controls Envoy's behavior when it must use external // resolvers to answer a query. This object is optional and if omitted instructs - // the filter to resolve queries from the data in the server_config + // the filter to resolve queries from the data in the server_config. + // Also, if ``client_config`` is omitted, here is the Envoy's behavior to create DNS resolver: + // + // 1. If :ref:`typed_dns_resolver_config ` + // is not empty, uses it. + // + // 2. Otherwise, uses the default c-ares DNS resolver. + // ClientContextConfig client_config = 3; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 2149f0bd9c4f1..2d08d8fa32674 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -61,6 +61,11 @@ minor_behavior_changes: If :ref:`failure_mode_allow ` is true, save the gRPC failure status code returned from the ext_proc server in the filter state. Previously, all fail-open cases would return ``call_status`` ``Grpc::Status::Aborted``. +- area: dns_filter + change: | + Honor the default DNS resolver configuration in the bootstrap config + :ref:`typed_dns_resolver_config ` if the + :ref:`client_config ` is empty. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/source/extensions/filters/udp/dns_filter/dns_filter.cc b/source/extensions/filters/udp/dns_filter/dns_filter.cc index c4c1fefa3c09d..9d6e92c67fd6f 100644 --- a/source/extensions/filters/udp/dns_filter/dns_filter.cc +++ b/source/extensions/filters/udp/dns_filter/dns_filter.cc @@ -175,8 +175,22 @@ DnsFilterEnvoyConfig::DnsFilterEnvoyConfig( client_config, resolver_timeout, DEFAULT_RESOLVER_TIMEOUT.count())); max_pending_lookups_ = client_config.max_pending_lookups(); } else { - // In case client_config doesn't exist, create default DNS resolver factory and save it. - dns_resolver_factory_ = &Network::createDefaultDnsResolverFactory(typed_dns_resolver_config_); + // In case client_config doesn't exist, use the bootstrap DNS resolver if it is configured. + if (context.serverFactoryContext().bootstrap().has_typed_dns_resolver_config() && + !context.serverFactoryContext() + .bootstrap() + .typed_dns_resolver_config() + .typed_config() + .type_url() + .empty()) { + typed_dns_resolver_config_.MergeFrom( + context.serverFactoryContext().bootstrap().typed_dns_resolver_config()); + dns_resolver_factory_ = + &Network::createDnsResolverFactoryFromTypedConfig(typed_dns_resolver_config_); + } else { + // Otherwise create default DNS resolver factory and save it. + dns_resolver_factory_ = &Network::createDefaultDnsResolverFactory(typed_dns_resolver_config_); + } max_pending_lookups_ = 0; } } diff --git a/test/extensions/filters/udp/dns_filter/BUILD b/test/extensions/filters/udp/dns_filter/BUILD index 1c2e6b73bc8b6..6ae175dcbd69e 100644 --- a/test/extensions/filters/udp/dns_filter/BUILD +++ b/test/extensions/filters/udp/dns_filter/BUILD @@ -36,6 +36,7 @@ envoy_extension_cc_test( deps = [ ":dns_filter_test_lib", "//source/extensions/filters/udp/dns_filter:dns_filter_lib", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/mocks/server:instance_mocks", "//test/mocks/server:listener_factory_context_mocks", "//test/mocks/upstream:upstream_mocks", diff --git a/test/extensions/filters/udp/dns_filter/dns_filter_test.cc b/test/extensions/filters/udp/dns_filter/dns_filter_test.cc index 07fda53f33520..a707e7f9fcc79 100644 --- a/test/extensions/filters/udp/dns_filter/dns_filter_test.cc +++ b/test/extensions/filters/udp/dns_filter/dns_filter_test.cc @@ -4,6 +4,7 @@ #include "source/common/common/logger.h" #include "source/extensions/filters/udp/dns_filter/dns_filter_constants.h" #include "source/extensions/filters/udp/dns_filter/dns_filter_utils.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/mocks/event/mocks.h" #include "test/mocks/server/instance.h" @@ -2563,6 +2564,43 @@ stat_prefix: "my_prefix" EXPECT_EQ(1, config_->stats().known_domain_queries_.value()); } +// Test that the bootstrap typed_dns_resolver_config is used when client_config is not set. +TEST_F(DnsFilterTest, BootstrapTypedDnsResolverTest) { + // Create bootstrap config with typed DNS resolver configuration. + const std::string dns_config_yaml = R"EOF( +name: envoy.network.dns_resolver.getaddrinfo +typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig +)EOF"; + envoy::config::core::v3::TypedExtensionConfig typed_config; + TestUtility::loadFromYaml(dns_config_yaml, typed_config); + auto& bootstrap = listener_factory_.server_factory_context_.bootstrap(); + bootstrap.mutable_typed_dns_resolver_config()->MergeFrom(typed_config); + + // Create DNS filter configuration. + const std::string filter_config_yaml = R"EOF( +stat_prefix: bar +server_config: + inline_dns_table: + virtual_domains: + - name: www.foo.com + endpoint: + address_list: + address: + - 10.0.0.1 +)EOF"; + envoy::extensions::filters::udp::dns_filter::v3::DnsFilterConfig filter_config; + TestUtility::loadFromYaml(filter_config_yaml, filter_config); + DnsFilterEnvoyConfig envoy_config(listener_factory_, filter_config); + + // Verify the filter is configured with bootstrap DNS resolver configuration. + const auto& resolver_config = envoy_config.typedDnsResolverConfig(); + EXPECT_EQ(resolver_config.name(), "envoy.network.dns_resolver.getaddrinfo"); + EXPECT_EQ(resolver_config.typed_config().type_url(), + "type.googleapis.com/" + "envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig"); +} + } // namespace } // namespace DnsFilter } // namespace UdpFilters From 398d23e7374137e97b172b144ba01f80feea2c72 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 9 Sep 2025 17:16:22 -0400 Subject: [PATCH 377/505] tls: Const-correct some uses of X509 API (#41022) Many of these APIs should be returning const pointers, but return non-const because legacy callers store them in the wrong variables. Fix some of these callers. Also in some cases exposed structs mean the compiler doesn't check const-ness, but it's still good to tag variables as const. In doing so, this fixes a deeper bug in one of the tests: there is no guarantee that ASN1_STRINGs are NUL-terminated, yet this code was assuming they were. See CVE-2021-3712. Fortunately, this was just in test code, or Envoy would have its own instance of that CVE. (ASN1_STRING_get0_data is the same as ASN1_STRING_data except it acts on a const pointer.) Signed-off-by: David Benjamin --- source/common/tls/utility.cc | 69 +++++++++---------- .../spiffe/spiffe_validator_test.cc | 9 +-- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/source/common/tls/utility.cc b/source/common/tls/utility.cc index f412baeeb1b8c..24b2ba40e575d 100644 --- a/source/common/tls/utility.cc +++ b/source/common/tls/utility.cc @@ -112,7 +112,7 @@ std::string getRFC2253NameFromCertificate(X509& cert, CertName desired_name) { bssl::UniquePtr buf(BIO_new(BIO_s_mem())); RELEASE_ASSERT(buf != nullptr, ""); - X509_NAME* name = nullptr; + const X509_NAME* name = nullptr; switch (desired_name) { case CertName::Issuer: name = X509_get_issuer_name(&cert); @@ -143,7 +143,7 @@ std::string getRFC2253NameFromCertificate(X509& cert, CertName desired_name) { * @return Envoy::Ssl::ParsedX509NamePtr returns the struct contains the parsed values. */ Envoy::Ssl::ParsedX509NamePtr parseX509NameFromCertificate(X509& cert, CertName desired_name) { - X509_NAME* name = nullptr; + const X509_NAME* name = nullptr; switch (desired_name) { case CertName::Issuer: name = X509_get_issuer_name(&cert); @@ -156,8 +156,7 @@ Envoy::Ssl::ParsedX509NamePtr parseX509NameFromCertificate(X509& cert, CertName auto parsed = std::make_unique(); int cnt = X509_NAME_entry_count(name); for (int i = 0; i < cnt; i++) { - const X509_NAME_ENTRY* ent; - ent = X509_NAME_get_entry(name, i); + const X509_NAME_ENTRY* ent = X509_NAME_get_entry(name, i); const ASN1_OBJECT* fn = X509_NAME_ENTRY_get_object(ent); int fn_nid = OBJ_obj2nid(fn); @@ -237,19 +236,19 @@ std::vector Utility::getSubjectAltNames(X509& cert, int type) { std::string Utility::generalNameAsString(const GENERAL_NAME* general_name) { std::string san; - ASN1_STRING* str = nullptr; + const ASN1_STRING* str = nullptr; switch (general_name->type) { case GEN_DNS: str = general_name->d.dNSName; - san.assign(reinterpret_cast(ASN1_STRING_data(str)), ASN1_STRING_length(str)); + san.assign(reinterpret_cast(ASN1_STRING_get0_data(str)), ASN1_STRING_length(str)); break; case GEN_URI: str = general_name->d.uniformResourceIdentifier; - san.assign(reinterpret_cast(ASN1_STRING_data(str)), ASN1_STRING_length(str)); + san.assign(reinterpret_cast(ASN1_STRING_get0_data(str)), ASN1_STRING_length(str)); break; case GEN_EMAIL: str = general_name->d.rfc822Name; - san.assign(reinterpret_cast(ASN1_STRING_data(str)), ASN1_STRING_length(str)); + san.assign(reinterpret_cast(ASN1_STRING_get0_data(str)), ASN1_STRING_length(str)); break; case GEN_IPADD: { if (general_name->d.ip->length == 4) { @@ -270,7 +269,7 @@ std::string Utility::generalNameAsString(const GENERAL_NAME* general_name) { break; } case GEN_OTHERNAME: { - ASN1_TYPE* value = general_name->d.otherName->value; + const ASN1_TYPE* value = general_name->d.otherName->value; if (value == nullptr) { break; } @@ -304,38 +303,38 @@ std::string Utility::generalNameAsString(const GENERAL_NAME* general_name) { break; } case V_ASN1_BIT_STRING: { - ASN1_BIT_STRING* tmp_str = value->value.bit_string; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_BIT_STRING* tmp_str = value->value.bit_string; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_OCTET_STRING: { - ASN1_OCTET_STRING* tmp_str = value->value.octet_string; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_OCTET_STRING* tmp_str = value->value.octet_string; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_PRINTABLESTRING: { - ASN1_PRINTABLESTRING* tmp_str = value->value.printablestring; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_PRINTABLESTRING* tmp_str = value->value.printablestring; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_T61STRING: { - ASN1_T61STRING* tmp_str = value->value.t61string; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_T61STRING* tmp_str = value->value.t61string; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_IA5STRING: { - ASN1_IA5STRING* tmp_str = value->value.ia5string; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_IA5STRING* tmp_str = value->value.ia5string; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_GENERALSTRING: { - ASN1_GENERALSTRING* tmp_str = value->value.generalstring; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_GENERALSTRING* tmp_str = value->value.generalstring; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } @@ -360,38 +359,38 @@ std::string Utility::generalNameAsString(const GENERAL_NAME* general_name) { break; } case V_ASN1_UTCTIME: { - ASN1_UTCTIME* tmp_str = value->value.utctime; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_UTCTIME* tmp_str = value->value.utctime; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_GENERALIZEDTIME: { - ASN1_GENERALIZEDTIME* tmp_str = value->value.generalizedtime; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_GENERALIZEDTIME* tmp_str = value->value.generalizedtime; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_VISIBLESTRING: { - ASN1_VISIBLESTRING* tmp_str = value->value.visiblestring; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_VISIBLESTRING* tmp_str = value->value.visiblestring; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_UTF8STRING: { - ASN1_UTF8STRING* tmp_str = value->value.utf8string; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_UTF8STRING* tmp_str = value->value.utf8string; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_SET: { - ASN1_STRING* tmp_str = value->value.set; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_STRING* tmp_str = value->value.set; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } case V_ASN1_SEQUENCE: { - ASN1_STRING* tmp_str = value->value.sequence; - san.assign(reinterpret_cast(ASN1_STRING_data(tmp_str)), + const ASN1_STRING* tmp_str = value->value.sequence; + san.assign(reinterpret_cast(ASN1_STRING_get0_data(tmp_str)), ASN1_STRING_length(tmp_str)); break; } @@ -450,7 +449,7 @@ std::vector Utility::getCertificateExtensionOids(X509& cert) { int count = X509_get_ext_count(&cert); for (int pos = 0; pos < count; pos++) { - X509_EXTENSION* extension = X509_get_ext(&cert, pos); + const X509_EXTENSION* extension = X509_get_ext(&cert, pos); RELEASE_ASSERT(extension != nullptr, ""); char oid[MAX_OID_LENGTH]; @@ -476,7 +475,7 @@ absl::string_view Utility::getCertificateExtensionValue(X509& cert, return {}; } - X509_EXTENSION* extension = X509_get_ext(&cert, pos); + const X509_EXTENSION* extension = X509_get_ext(&cert, pos); if (extension == nullptr) { return {}; } diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc index dfe9be63297fe..c874aa7a1f5ba 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc @@ -751,15 +751,16 @@ name: envoy.tls.cert_validator.spiffe bool foundTestCA = false; SSLContextPtr ctx = SSL_CTX_new(TLS_method()); ASSERT_TRUE(validator().addClientValidationContext(ctx.get(), false).ok()); - for (X509_NAME* name : SSL_CTX_get_client_CA_list(ctx.get())) { + for (const X509_NAME* name : SSL_CTX_get_client_CA_list(ctx.get())) { const int cn_index = X509_NAME_get_index_by_NID(name, NID_commonName, -1); EXPECT_TRUE(cn_index >= 0); - X509_NAME_ENTRY* cn_entry = X509_NAME_get_entry(name, cn_index); + const X509_NAME_ENTRY* cn_entry = X509_NAME_get_entry(name, cn_index); EXPECT_TRUE(cn_entry); - ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry); + const ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry); EXPECT_TRUE(cn_asn1); - auto cn_str = std::string(reinterpret_cast(ASN1_STRING_data(cn_asn1))); + auto cn_str = std::string(reinterpret_cast(ASN1_STRING_get0_data(cn_asn1)), + ASN1_STRING_length(cn_asn1)); if (cn_str == "Test Server") { foundTestServer = true; } else if (cn_str == "Test CA") { From 6b7fe64dcf3a4ff9e9b6fd2992cb2a870e88b716 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Tue, 9 Sep 2025 21:08:15 -0400 Subject: [PATCH 378/505] Replace c-ares with getaddrinfo DNS resolver in DNS filter integration test (#41031) This is a follow up of https://github.com/envoyproxy/envoy/pull/40987 It's the 8th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- test/extensions/filters/udp/dns_filter/BUILD | 2 + .../dns_filter/dns_filter_integration_test.cc | 156 +++++++++++++----- 2 files changed, 120 insertions(+), 38 deletions(-) diff --git a/test/extensions/filters/udp/dns_filter/BUILD b/test/extensions/filters/udp/dns_filter/BUILD index 6ae175dcbd69e..b04b9ae9f8892 100644 --- a/test/extensions/filters/udp/dns_filter/BUILD +++ b/test/extensions/filters/udp/dns_filter/BUILD @@ -56,7 +56,9 @@ envoy_extension_cc_test( ":dns_filter_test_lib", "//source/extensions/filters/udp/dns_filter:config", "//source/extensions/filters/udp/dns_filter:dns_filter_lib", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/integration:integration_lib", + "//test/test_common:threadsafe_singleton_injector_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/filters/udp/dns_filter/dns_filter_integration_test.cc b/test/extensions/filters/udp/dns_filter/dns_filter_integration_test.cc index 9ed168b4b3729..fde6bf587350f 100644 --- a/test/extensions/filters/udp/dns_filter/dns_filter_integration_test.cc +++ b/test/extensions/filters/udp/dns_filter/dns_filter_integration_test.cc @@ -1,9 +1,11 @@ #include "envoy/config/bootstrap/v3/bootstrap.pb.h" #include "source/extensions/filters/udp/dns_filter/dns_filter.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/integration/integration.h" #include "test/test_common/network_utility.h" +#include "test/test_common/threadsafe_singleton_injector.h" #include "dns_filter_test_utils.h" @@ -15,6 +17,65 @@ namespace { using ResponseValidator = Utils::DnsResponseValidator; +// Mock OS getaddrinfo. +class OsSysCallsWithMockedDns : public Api::OsSysCallsImpl { +public: + static addrinfo* makeAddrInfo(const Network::Address::InstanceConstSharedPtr& addr) { + addrinfo* ai = reinterpret_cast(malloc(sizeof(addrinfo))); + memset(ai, 0, sizeof(addrinfo)); + ai->ai_protocol = IPPROTO_UDP; + ai->ai_socktype = SOCK_DGRAM; + if (addr->ip()->ipv4() != nullptr) { + ai->ai_family = AF_INET; + } else { + ai->ai_family = AF_INET6; + } + sockaddr_storage* storage = + reinterpret_cast(malloc(sizeof(sockaddr_storage))); + ai->ai_addr = reinterpret_cast(storage); + memcpy(ai->ai_addr, addr->sockAddr(), addr->sockAddrLen()); + ai->ai_addrlen = addr->sockAddrLen(); + return ai; + } + + Api::SysCallIntResult getaddrinfo(const char* node, const char* /*service*/, + const addrinfo* /*hints*/, addrinfo** res) override { + *res = nullptr; + if (absl::string_view{"www.google.com"} == node) { + if (ip_version_ == Network::Address::IpVersion::v6) { + static const Network::Address::InstanceConstSharedPtr* objectptr = + new Network::Address::InstanceConstSharedPtr{ + new Network::Address::Ipv6Instance("2607:42:42::42:42", 0, nullptr)}; + *res = makeAddrInfo(*objectptr); + } else { + static const Network::Address::InstanceConstSharedPtr* objectptr = + new Network::Address::InstanceConstSharedPtr{ + new Network::Address::Ipv4Instance("42.42.42.42", 0, nullptr)}; + *res = makeAddrInfo(*objectptr); + } + return {0, 0}; + } + if (nonexisting_addresses_.find(node) != nonexisting_addresses_.end()) { + return {EAI_NONAME, 0}; + } + std::cerr << "Mock DNS does not have entry for: " << node << std::endl; + return {-1, 128}; + } + void freeaddrinfo(addrinfo* ai) override { + while (ai != nullptr) { + addrinfo* p = ai; + ai = ai->ai_next; + free(p->ai_addr); + free(p); + } + } + + void setIpVersion(Network::Address::IpVersion version) { ip_version_ = version; } + Network::Address::IpVersion ip_version_ = Network::Address::IpVersion::v4; + absl::flat_hash_set nonexisting_addresses_ = {"doesnotexist.example.com", + "itdoesnotexist"}; +}; + class DnsFilterIntegrationTest : public testing::TestWithParam, public BaseIntegrationTest { public: @@ -86,16 +147,11 @@ name: listener_0 client_config: resolver_timeout: 1s typed_dns_resolver_config: - name: envoy.network.dns_resolver.cares + name: envoy.network.dns_resolver.getaddrinfo typed_config: - "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig - resolvers: - - socket_address: - address: {} - port_value: {} - dns_resolver_options: - use_tcp_for_dns_lookups: false - no_default_search_domain: false + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig + num_retries: + value: 1 max_pending_lookups: 256 server_config: inline_dns_table: @@ -178,6 +234,15 @@ name: listener_1 void setup(uint32_t upstream_count) { setUdpFakeUpstream(FakeUpstreamConfig::UdpConfig()); + // Adding bootstrap default DNS resolver config. + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* typed_dns_resolver_config = bootstrap.mutable_typed_dns_resolver_config(); + typed_dns_resolver_config->set_name("envoy.network.dns_resolver.getaddrinfo"); + envoy::extensions::network::dns_resolver::getaddrinfo::v3::GetAddrInfoDnsResolverConfig + config; + config.mutable_num_retries()->set_value(1); + typed_dns_resolver_config->mutable_typed_config()->PackFrom(config); + }); if (upstream_count > 1) { setDeterministicValue(); setUpstreamCount(upstream_count); @@ -199,8 +264,18 @@ name: listener_1 config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto addr_port = getListenerBindAddressAndPortNoThrow(); auto listener_0 = getListener0(addr_port); + auto* listener0 = bootstrap.mutable_static_resources()->add_listeners(); + listener0->MergeFrom(listener_0); + // Remove client_config for cluster lookup test cases. + if (cluster_lookup_test_) { + auto* listener_filter = listener0->mutable_listener_filters(0); + envoy::extensions::filters::udp::dns_filter::v3::DnsFilterConfig dns_filter_config; + listener_filter->typed_config().UnpackTo(&dns_filter_config); + + dns_filter_config.clear_client_config(); + listener_filter->mutable_typed_config()->PackFrom(dns_filter_config); + } auto listener_1 = getListener1(addr_port); - bootstrap.mutable_static_resources()->add_listeners()->MergeFrom(listener_0); bootstrap.mutable_static_resources()->add_listeners()->MergeFrom(listener_1); }); @@ -215,6 +290,25 @@ name: listener_1 client.recv(response_datagram); } + void dnsLookupTest(Network::Address::IpVersion ip_version, const std::string listener, + uint16_t rec_type) { + mock_os_sys_calls_.setIpVersion(ip_version); + setup(0); + const uint32_t port = lookupPort(listener); + const auto listener_address = *Network::Utility::resolveUrl( + fmt::format("tcp://{}:{}", Network::Test::getLoopbackAddressUrlString(version_), port)); + + Network::UdpRecvData response; + std::string query = Utils::buildQueryForDomain("www.google.com", rec_type, DNS_RECORD_CLASS_IN); + requestResponseWithListenerAddress(*listener_address, query, response); + + response_ctx_ = ResponseValidator::createResponseContext(response, counters_); + EXPECT_TRUE(response_ctx_->parse_status_); + + EXPECT_EQ(1, response_ctx_->answers_.size()); + EXPECT_EQ(DNS_RESPONSE_CODE_NO_ERROR, response_ctx_->getQueryResponseCode()); + } + Api::ApiPtr api_; NiceMock histogram_; NiceMock random_; @@ -225,6 +319,9 @@ name: listener_1 NiceMock queries_with_ans_or_authority_rrs_; DnsParserCounters counters_; DnsQueryContextPtr response_ctx_; + OsSysCallsWithMockedDns mock_os_sys_calls_; + TestThreadsafeSingletonInjector os_calls_{&mock_os_sys_calls_}; + bool cluster_lookup_test_ = false; }; INSTANTIATE_TEST_SUITE_P(IpVersions, DnsFilterIntegrationTest, @@ -232,39 +329,21 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, DnsFilterIntegrationTest, TestUtility::ipTestParamsToString); TEST_P(DnsFilterIntegrationTest, ExternalLookupTest) { - setup(0); - const uint32_t port = lookupPort("listener_0"); - const auto listener_address = *Network::Utility::resolveUrl( - fmt::format("tcp://{}:{}", Network::Test::getLoopbackAddressUrlString(version_), port)); - - Network::UdpRecvData response; - std::string query = - Utils::buildQueryForDomain("www.google.com", DNS_RECORD_TYPE_A, DNS_RECORD_CLASS_IN); - requestResponseWithListenerAddress(*listener_address, query, response); - - response_ctx_ = ResponseValidator::createResponseContext(response, counters_); - EXPECT_TRUE(response_ctx_->parse_status_); + // Sending request to listener_0 triggers external DNS lookup. + dnsLookupTest(Network::Address::IpVersion::v4, "listener_0", DNS_RECORD_TYPE_A); +} - EXPECT_EQ(1, response_ctx_->answers_.size()); - EXPECT_EQ(DNS_RESPONSE_CODE_NO_ERROR, response_ctx_->getQueryResponseCode()); +TEST_P(DnsFilterIntegrationTest, InternalLookupTest) { + // Sending request to listener_1 triggers internal DNS lookup. + dnsLookupTest(Network::Address::IpVersion::v4, "listener_1", DNS_RECORD_TYPE_A); } TEST_P(DnsFilterIntegrationTest, ExternalLookupTestIPv6) { - setup(0); - const uint32_t port = lookupPort("listener_0"); - const auto listener_address = *Network::Utility::resolveUrl( - fmt::format("tcp://{}:{}", Network::Test::getLoopbackAddressUrlString(version_), port)); - - Network::UdpRecvData response; - std::string query = - Utils::buildQueryForDomain("www.google.com", DNS_RECORD_TYPE_AAAA, DNS_RECORD_CLASS_IN); - requestResponseWithListenerAddress(*listener_address, query, response); - - response_ctx_ = ResponseValidator::createResponseContext(response, counters_); - EXPECT_TRUE(response_ctx_->parse_status_); + dnsLookupTest(Network::Address::IpVersion::v6, "listener_0", DNS_RECORD_TYPE_AAAA); +} - EXPECT_EQ(1, response_ctx_->answers_.size()); - EXPECT_EQ(DNS_RESPONSE_CODE_NO_ERROR, response_ctx_->getQueryResponseCode()); +TEST_P(DnsFilterIntegrationTest, InternalLookupTestIPv6) { + dnsLookupTest(Network::Address::IpVersion::v6, "listener_1", DNS_RECORD_TYPE_AAAA); } TEST_P(DnsFilterIntegrationTest, LocalLookupTest) { @@ -286,6 +365,7 @@ TEST_P(DnsFilterIntegrationTest, LocalLookupTest) { } TEST_P(DnsFilterIntegrationTest, ClusterLookupTest) { + cluster_lookup_test_ = true; setup(2); const uint32_t port = lookupPort("listener_0"); const auto listener_address = *Network::Utility::resolveUrl( From a2a75199ae924b80272fdbec7e913046be84769d Mon Sep 17 00:00:00 2001 From: Ryan Hamilton Date: Tue, 9 Sep 2025 21:00:46 -0700 Subject: [PATCH 379/505] Update QUICHE from 4f1f0fcea to 6caf568e7 (#41035) https://github.com/google/quiche/compare/4f1f0fcea..6caf568e7 ``` $ git log 4f1f0fcea..6caf568e7 --date=short --no-merges --format="%ad %al %s" 2025-09-09 rch Automated g4 rollback of changelist 802848539. 2025-09-08 martinduke Fix asan failure in MoqtTestMessage. 2025-09-08 quiche-dev Enabling rolled out flags. 2025-09-08 danzh Enforce `QuicConnectionMigrationManager` and `QuicSpdyClientSessionWithMigration` to use QuicForceBlockablePacketWriter during construction. 2025-09-05 quiche-dev Fix 3 ClangInliner findings: * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::WriterMutexLock::WriterMutexLock. (3 times) 2025-09-05 martinduke Add support for MOQT Authority and Implementation parameters. 2025-09-05 martinduke Roll to MoQT draft-14, with core wire image changes. 2025-09-05 martinduke Update MoQT Session/Application APIs to support relays. 2025-09-04 jprat Remove DCHECK in QuicPingManager. 2025-09-04 quiche-dev [quic] Clean up single-arg `testing::Invoke()`s in `{moqt,qbone,tools}/` 2025-09-04 quiche-dev [quiche] Clean up single-arg `testing::Invoke()`s 2025-09-04 quiche-dev [quic] Clean up single-arg `testing::Invoke()`s in rest of `core/` 2025-09-04 quiche-dev [quic] Clean up single-arg `testing::Invoke()`s in `core/quic_[d-z]*` 2025-09-04 quiche-dev [quic] Clean up single-arg `testing::Invoke()`s in `core/quic_[a-c]*` 2025-09-03 quiche-dev Fix 14 ClangInliner findings: * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::WriterMutexLock::WriterMutexLock. (8 times) * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::ReaderMutexLock::ReaderMutexLock. (6 times) 2025-09-03 martinduke Catch up on MoQT session error codes to draft-14. ``` Signed-off-by: Ryan Hamilton --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 8b016a6321efe..5210b04d70ee7 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1277,12 +1277,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "4f1f0fcea045cd71410c2c318773fc24c3523ed7", - sha256 = "f3276f1de23d383092ffa189b38c8127252c3550c8750e20db76dbe8fc135c07", + version = "6caf568e75725d0db8c94aa03f01f17edef49982", + sha256 = "3a053e5c56392a50b7ce868b2593c19db464aebfb7af8120defbd12924bb16da", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-08-30", + release_date = "2025-09-09", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", From 9b0083a12fc845bb805f2114da2fa29502d2981b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Sep 2025 23:54:11 -0700 Subject: [PATCH 380/505] build(deps): bump github/codeql-action from 3.29.2 to 3.30.2 (#41037) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.2 to 3.30.2.
Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.30.2 - 09 Sep 2025

  • Fixed a bug which could cause language autodetection to fail. #3084
  • Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

3.30.1 - 05 Sep 2025

  • Update default CodeQL bundle version to 2.23.0. #3077

3.30.0 - 01 Sep 2025

  • Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054

3.29.11 - 21 Aug 2025

  • Update default CodeQL bundle version to 2.22.4. #3044

3.29.10 - 18 Aug 2025

No user facing changes.

3.29.9 - 12 Aug 2025

No user facing changes.

3.29.8 - 08 Aug 2025

  • Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

3.29.7 - 07 Aug 2025

This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.

3.29.6 - 07 Aug 2025

  • The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999
  • Update default CodeQL bundle version to 2.22.3. #3000

3.29.5 - 29 Jul 2025

  • Update default CodeQL bundle version to 2.22.2. #2986

... (truncated)

Commits
  • d3678e2 Merge pull request #3090 from github/update-v3.30.2-d7a501da0
  • 14bbb6a Add changelog entries
  • a879d03 Update changelog for v3.30.2
  • d7a501d Merge pull request #3085 from github/mbg/multi-language-repo/gitignore
  • c90f074 Merge pull request #3087 from github/dependabot/npm_and_yarn/npm-1cf7fedfcf
  • d8df826 Merge pull request #3086 from github/mbg/docs/required-checks
  • 23419de Rebuild
  • 7d8e1e9 Bump the npm group with 5 updates
  • 76a3ccc Clarify instructions for updating PR checks for PRs
  • 01fd48d Remove comment about main from update-required-checks.sh
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.29.2&new-version=3.30.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-daily.yml | 4 ++-- .github/workflows/codeql-push.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index afd64203b8136..af248d50aa4db 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -34,7 +34,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 + uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 # Override language selection by uncommenting this and choosing your languages with: languages: cpp @@ -75,6 +75,6 @@ jobs: git clean -xdf - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 + uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 with: trap-caching: false diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index 03948292c3a88..632bea81b786a 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -67,7 +67,7 @@ jobs: - name: Initialize CodeQL if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 + uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 with: languages: cpp trap-caching: false @@ -112,6 +112,6 @@ jobs: - name: Perform CodeQL Analysis if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 + uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 with: trap-caching: false diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 40676cd78d81a..76cf16fc8197b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 + uses: github/codeql-action/upload-sarif@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2 with: sarif_file: results.sarif From cb8ea8937516331a5bef106fde143b40e738dacf Mon Sep 17 00:00:00 2001 From: code Date: Wed, 10 Sep 2025 23:34:51 +0800 Subject: [PATCH 381/505] tracing: resolve potential lifetime problem of zipkin tracer (#41036) The lifetime problem is horrible. Note, basically, when we use the ThreadLocalObject, we cannot refer anything in the man thread that may be destroyed before the ThreadLocalObject. Or there maybe dangling reference. This PR fix this potential problem in the zipkin tracer to make sure all the data referred by the ThreadLocalObject and InitializeCb will have lifetime no shorter than the ThreadLocalObject and InitializeCb selves. Risk Level: low. no logic update be use shard pointer to extend lifetime of some objects. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: WangBaiping --- source/extensions/tracers/zipkin/config.cc | 7 +- .../tracers/zipkin/zipkin_tracer_impl.cc | 142 ++++++++---------- .../tracers/zipkin/zipkin_tracer_impl.h | 135 ++++++++--------- test/extensions/tracers/zipkin/BUILD | 5 +- .../tracers/zipkin/zipkin_tracer_impl_test.cc | 85 ++--------- 5 files changed, 136 insertions(+), 238 deletions(-) diff --git a/source/extensions/tracers/zipkin/config.cc b/source/extensions/tracers/zipkin/config.cc index fda262d91f1bb..26493c3670234 100644 --- a/source/extensions/tracers/zipkin/config.cc +++ b/source/extensions/tracers/zipkin/config.cc @@ -17,12 +17,7 @@ ZipkinTracerFactory::ZipkinTracerFactory() : FactoryBase("envoy.tracers.zipkin") Tracing::DriverSharedPtr ZipkinTracerFactory::createTracerDriverTyped( const envoy::config::trace::v3::ZipkinConfig& proto_config, Server::Configuration::TracerFactoryContext& context) { - return std::make_shared( - proto_config, context.serverFactoryContext().clusterManager(), - context.serverFactoryContext().scope(), context.serverFactoryContext().threadLocal(), - context.serverFactoryContext().runtime(), context.serverFactoryContext().localInfo(), - context.serverFactoryContext().api().randomGenerator(), - context.serverFactoryContext().timeSource()); + return std::make_shared(proto_config, context.serverFactoryContext()); } /** diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc index 478d52fe84b97..98ee263007f8b 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.cc @@ -1,5 +1,7 @@ #include "source/extensions/tracers/zipkin/zipkin_tracer_impl.h" +#include + #include "envoy/config/trace/v3/zipkin.pb.h" #include "source/common/common/enum_to_int.h" @@ -44,105 +46,83 @@ std::pair parseUri(absl::string_view uri) { } } // namespace -Driver::TlsTracer::TlsTracer(TracerPtr&& tracer, Driver& driver) - : tracer_(std::move(tracer)), driver_(driver) {} - Driver::Driver(const envoy::config::trace::v3::ZipkinConfig& zipkin_config, - Upstream::ClusterManager& cluster_manager, Stats::Scope& scope, - ThreadLocal::SlotAllocator& tls, Runtime::Loader& runtime, - const LocalInfo::LocalInfo& local_info, Random::RandomGenerator& random_generator, - TimeSource& time_source) - : cm_(cluster_manager), - tracer_stats_{ZIPKIN_TRACER_STATS(POOL_COUNTER_PREFIX(scope, "tracing.zipkin."))}, - tls_(tls.allocateSlot()), runtime_(runtime), local_info_(local_info), - time_source_(time_source), trace_context_option_(zipkin_config.trace_context_option()) { - CollectorInfo collector; - - // Validate that either collector_cluster or collector_service is specified - if (!zipkin_config.has_collector_service() && zipkin_config.collector_cluster().empty()) { - throw EnvoyException("Either collector_cluster or collector_service must be specified"); - } + Server::Configuration::ServerFactoryContext& context) + : collector_(std::make_shared()), tls_(context.threadLocal().allocateSlot()), + trace_context_option_(zipkin_config.trace_context_option()) { // Check if HttpService is configured (preferred over legacy fields) if (zipkin_config.has_collector_service()) { const auto& http_service = zipkin_config.collector_service(); - collector.http_service_ = http_service; - // Extract cluster and endpoint from HttpService const auto& http_uri = http_service.http_uri(); - cluster_ = http_uri.cluster(); + collector_->cluster_ = http_uri.cluster(); // Parse the URI to extract hostname and path - auto [parsed_hostname, parsed_path] = parseUri(http_uri.uri()); - - if (!parsed_hostname.empty()) { + if (auto [hostname, path] = parseUri(http_uri.uri()); !hostname.empty()) { // Use the hostname from the URI - hostname_ = parsed_hostname; - collector.hostname_ = parsed_hostname; + collector_->hostname_ = hostname; + collector_->endpoint_ = path; } else { // Fallback to cluster name if no hostname in URI - hostname_ = cluster_; - collector.hostname_ = cluster_; + collector_->hostname_ = collector_->cluster_; + collector_->endpoint_ = path; } - // Use the parsed path as the endpoint - collector.endpoint_ = parsed_path; - // Parse headers from HttpService for (const auto& header_option : http_service.request_headers_to_add()) { const auto& header_value = header_option.header(); - collector.request_headers_.emplace_back(Http::LowerCaseString(header_value.key()), - header_value.value()); + collector_->request_headers_.emplace_back(header_value.key(), header_value.value()); } } else { - - // Validate required legacy fields - if (zipkin_config.collector_cluster().empty()) { - throw EnvoyException("collector_cluster must be specified when not using collector_service"); + if (zipkin_config.collector_cluster().empty() || zipkin_config.collector_endpoint().empty()) { + throw EnvoyException( + "collector_cluster and collector_endpoint must be specified when not using " + "collector_service"); } - if (zipkin_config.collector_endpoint().empty()) { - throw EnvoyException("collector_endpoint must be specified when using collector_cluster"); - } - - cluster_ = zipkin_config.collector_cluster(); - hostname_ = !zipkin_config.collector_hostname().empty() ? zipkin_config.collector_hostname() - : zipkin_config.collector_cluster(); - collector.hostname_ = hostname_; // Store hostname in collector as well - if (!zipkin_config.collector_endpoint().empty()) { - collector.endpoint_ = zipkin_config.collector_endpoint(); - } + collector_->cluster_ = zipkin_config.collector_cluster(); + collector_->hostname_ = !zipkin_config.collector_hostname().empty() + ? zipkin_config.collector_hostname() + : zipkin_config.collector_cluster(); + collector_->endpoint_ = zipkin_config.collector_endpoint(); // Legacy configuration has no custom headers support - // Custom headers are only available through HttpService + // Custom headers are only available through HttpService. } // Validate cluster exists - THROW_IF_NOT_OK_REF(Config::Utility::checkCluster("envoy.tracers.zipkin", cluster_, cm_, + THROW_IF_NOT_OK_REF(Config::Utility::checkCluster("envoy.tracers.zipkin", collector_->cluster_, + context.clusterManager(), /* allow_added_via_api */ true) .status()); // The current default version of collector_endpoint_version is HTTP_JSON. - collector.version_ = zipkin_config.collector_endpoint_version(); + collector_->version_ = zipkin_config.collector_endpoint_version(); const bool trace_id_128bit = zipkin_config.trace_id_128bit(); const bool shared_span_context = PROTOBUF_GET_WRAPPED_OR_DEFAULT( zipkin_config, shared_span_context, DEFAULT_SHARED_SPAN_CONTEXT); - collector.shared_span_context_ = shared_span_context; + collector_->shared_span_context_ = shared_span_context; const bool split_spans_for_request = zipkin_config.split_spans_for_request(); - tls_->set([this, collector, &random_generator, trace_id_128bit, shared_span_context, + auto stats = std::make_shared(ZipkinTracerStats{ + ZIPKIN_TRACER_STATS(POOL_COUNTER_PREFIX(context.scope(), "tracing.zipkin."))}); + + tls_->set([&context, c = collector_, t = trace_context_option_, stats, trace_id_128bit, split_spans_for_request]( Event::Dispatcher& dispatcher) -> ThreadLocal::ThreadLocalObjectSharedPtr { TracerPtr tracer = std::make_unique( - local_info_.clusterName(), local_info_.address(), random_generator, trace_id_128bit, - shared_span_context, time_source_, split_spans_for_request); - tracer->setTraceContextOption(trace_context_option_); - tracer->setReporter( - ReporterImpl::newInstance(std::ref(*this), std::ref(dispatcher), collector)); - return std::make_shared(std::move(tracer), *this); + context.localInfo().clusterName(), context.localInfo().address(), + context.api().randomGenerator(), trace_id_128bit, c->shared_span_context_, + context.timeSource(), split_spans_for_request); + tracer->setTraceContextOption(t); + auto reporter = std::make_unique(dispatcher, context.clusterManager(), + context.runtime(), stats, c); + tracer->setReporter(std::move(reporter)); + return std::make_shared(std::move(tracer)); }); } @@ -177,35 +157,31 @@ Tracing::SpanPtr Driver::startSpan(const Tracing::Config& config, return new_zipkin_span; } -ReporterImpl::ReporterImpl(Driver& driver, Event::Dispatcher& dispatcher, - const CollectorInfo& collector) - : driver_(driver), collector_(collector), +ReporterImpl::ReporterImpl(Event::Dispatcher& dispatcher, Upstream::ClusterManager& cm, + Runtime::Loader& runtime, ZipkinTracerStatsSharedPtr tracer_stats, + CollectorInfoConstSharedPtr collector) + : runtime_(runtime), tracer_stats_(std::move(tracer_stats)), collector_(std::move(collector)), span_buffer_{ - std::make_unique(collector.version_, collector.shared_span_context_)}, - collector_cluster_(driver_.clusterManager(), driver_.cluster()) { + std::make_unique(collector_->version_, collector_->shared_span_context_)}, + collector_cluster_(cm, collector_->cluster_) { flush_timer_ = dispatcher.createTimer([this]() -> void { - driver_.tracerStats().timer_flushed_.inc(); + tracer_stats_->timer_flushed_.inc(); flushSpans(); enableTimer(); }); const uint64_t min_flush_spans = - driver_.runtime().snapshot().getInteger("tracing.zipkin.min_flush_spans", 5U); + runtime_.snapshot().getInteger("tracing.zipkin.min_flush_spans", 5U); span_buffer_->allocateBuffer(min_flush_spans); enableTimer(); } -ReporterPtr ReporterImpl::newInstance(Driver& driver, Event::Dispatcher& dispatcher, - const CollectorInfo& collector) { - return std::make_unique(driver, dispatcher, collector); -} - void ReporterImpl::reportSpan(Span&& span) { span_buffer_->addSpan(std::move(span)); const uint64_t min_flush_spans = - driver_.runtime().snapshot().getInteger("tracing.zipkin.min_flush_spans", 5U); + runtime_.snapshot().getInteger("tracing.zipkin.min_flush_spans", 5U); if (span_buffer_->pendingSpans() == min_flush_spans) { flushSpans(); @@ -214,27 +190,27 @@ void ReporterImpl::reportSpan(Span&& span) { void ReporterImpl::enableTimer() { const uint64_t flush_interval = - driver_.runtime().snapshot().getInteger("tracing.zipkin.flush_interval_ms", 5000U); + runtime_.snapshot().getInteger("tracing.zipkin.flush_interval_ms", 5000U); flush_timer_->enableTimer(std::chrono::milliseconds(flush_interval)); } void ReporterImpl::flushSpans() { if (span_buffer_->pendingSpans()) { - driver_.tracerStats().spans_sent_.add(span_buffer_->pendingSpans()); + tracer_stats_->spans_sent_.add(span_buffer_->pendingSpans()); const std::string request_body = span_buffer_->serialize(); Http::RequestMessagePtr message = std::make_unique(); message->headers().setReferenceMethod(Http::Headers::get().MethodValues.Post); // Set path and hostname - both are stored in collector_ - message->headers().setPath(collector_.endpoint_); - message->headers().setHost(collector_.hostname_); + message->headers().setPath(collector_->endpoint_); + message->headers().setHost(collector_->hostname_); message->headers().setReferenceContentType( - collector_.version_ == envoy::config::trace::v3::ZipkinConfig::HTTP_PROTO + collector_->version_ == envoy::config::trace::v3::ZipkinConfig::HTTP_PROTO ? Http::Headers::get().ContentTypeValues.Protobuf : Http::Headers::get().ContentTypeValues.Json); // Add custom headers from collector configuration - for (const auto& header : collector_.request_headers_) { + for (const auto& header : collector_->request_headers_) { // Replace any existing header with the configured value message->headers().setCopy(header.first, header.second); } @@ -242,7 +218,7 @@ void ReporterImpl::flushSpans() { message->body().add(request_body); const uint64_t timeout = - driver_.runtime().snapshot().getInteger("tracing.zipkin.request_timeout", 5000U); + runtime_.snapshot().getInteger("tracing.zipkin.request_timeout", 5000U); if (collector_cluster_.threadLocalCluster().has_value()) { Http::AsyncClient::Request* request = @@ -253,8 +229,8 @@ void ReporterImpl::flushSpans() { active_requests_.add(*request); } } else { - ENVOY_LOG(debug, "collector cluster '{}' does not exist", driver_.cluster()); - driver_.tracerStats().reports_skipped_no_cluster_.inc(); + ENVOY_LOG(debug, "collector cluster '{}' does not exist", collector_->cluster_); + tracer_stats_->reports_skipped_no_cluster_.inc(); } span_buffer_->clear(); @@ -264,7 +240,7 @@ void ReporterImpl::flushSpans() { void ReporterImpl::onFailure(const Http::AsyncClient::Request& request, Http::AsyncClient::FailureReason) { active_requests_.remove(request); - driver_.tracerStats().reports_failed_.inc(); + tracer_stats_->reports_failed_.inc(); } void ReporterImpl::onSuccess(const Http::AsyncClient::Request& request, @@ -272,9 +248,9 @@ void ReporterImpl::onSuccess(const Http::AsyncClient::Request& request, active_requests_.remove(request); if (Http::Utility::getResponseStatus(http_response->headers()) != enumToInt(Http::Code::Accepted)) { - driver_.tracerStats().reports_dropped_.inc(); + tracer_stats_->reports_dropped_.inc(); } else { - driver_.tracerStats().reports_sent_.inc(); + tracer_stats_->reports_sent_.inc(); } } diff --git a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h index 4b99b814b8770..90435368fcd2e 100644 --- a/source/extensions/tracers/zipkin/zipkin_tracer_impl.h +++ b/source/extensions/tracers/zipkin/zipkin_tracer_impl.h @@ -1,5 +1,7 @@ #pragma once +#include + #include "envoy/common/random_generator.h" #include "envoy/config/trace/v3/zipkin.pb.h" #include "envoy/local_info/local_info.h" @@ -12,6 +14,7 @@ #include "source/common/upstream/cluster_update_tracker.h" #include "source/extensions/tracers/zipkin/span_buffer.h" #include "source/extensions/tracers/zipkin/tracer.h" +#include "source/extensions/tracers/zipkin/tracer_interface.h" #include "source/extensions/tracers/zipkin/zipkin_core_constants.h" namespace Envoy { @@ -31,20 +34,58 @@ struct ZipkinTracerStats { ZIPKIN_TRACER_STATS(GENERATE_COUNTER_STRUCT) }; +using ZipkinTracerStatsSharedPtr = std::shared_ptr; + +/** + * Information about the Zipkin collector. + */ +struct CollectorInfo { + std::string cluster_; // The cluster to use to reach the collector. + + // The Zipkin collector endpoint/path to receive the collected trace data. + // For legacy configuration: from collector_endpoint field. + // For HttpService configuration: from http_service_.http_uri().uri(). + std::string endpoint_; + + // The hostname to use when sending spans to the collector. + // For legacy configuration: from collector_hostname field or cluster name. + // For HttpService configuration: cluster name. + std::string hostname_; + + // The version of the collector. This is related to endpoint's supported payload specification and + // transport. + envoy::config::trace::v3::ZipkinConfig::CollectorEndpointVersion version_{ + envoy::config::trace::v3::ZipkinConfig::HTTP_JSON}; + + bool shared_span_context_{DEFAULT_SHARED_SPAN_CONTEXT}; + + // Additional custom headers to include in requests to the Zipkin collector. + // Only available when using HttpService configuration via request_headers_to_add. + // Legacy configuration does not support custom headers. + std::vector> request_headers_; +}; + +using CollectorInfoConstSharedPtr = std::shared_ptr; + /** * Class for a Zipkin-specific Driver. */ class Driver : public Tracing::Driver { public: + /** + * Thread-local store containing ZipkinDriver and Zipkin::Tracer objects. + */ + struct TlsTracer : ThreadLocal::ThreadLocalObject { + TlsTracer(TracerPtr tracer) : tracer_(std::move(tracer)) {} + TracerPtr tracer_; + }; + /** * Constructor. It adds itself and a newly-created Zipkin::Tracer object to a thread-local store. * Also, it associates the given random-number generator to the Zipkin::Tracer object it creates. */ Driver(const envoy::config::trace::v3::ZipkinConfig& zipkin_config, - Upstream::ClusterManager& cluster_manager, Stats::Scope& scope, - ThreadLocal::SlotAllocator& tls, Runtime::Loader& runtime, - const LocalInfo::LocalInfo& localinfo, Random::RandomGenerator& random_generator, - TimeSource& time_source); + Server::Configuration::ServerFactoryContext& context); /** * This function is inherited from the abstract Driver class. @@ -61,70 +102,20 @@ class Driver : public Tracing::Driver { const std::string& operation_name, Tracing::Decision tracing_decision) override; - // Getters to return the ZipkinDriver's key members. - Upstream::ClusterManager& clusterManager() { return cm_; } - const std::string& cluster() { return cluster_; } - const std::string& hostname() { return hostname_; } - Runtime::Loader& runtime() { return runtime_; } - ZipkinTracerStats& tracerStats() { return tracer_stats_; } bool w3cFallbackEnabled() const { return trace_context_option_ == envoy::config::trace::v3::ZipkinConfig::USE_B3_WITH_W3C_PROPAGATION; } TraceContextOption traceContextOption() const { return trace_context_option_; } -private: - /** - * Thread-local store containing ZipkinDriver and Zipkin::Tracer objects. - */ - struct TlsTracer : ThreadLocal::ThreadLocalObject { - TlsTracer(TracerPtr&& tracer, Driver& driver); - - TracerPtr tracer_; - Driver& driver_; - }; + const std::string& hostnameForTest() { return collector_->hostname_; } - Upstream::ClusterManager& cm_; - std::string cluster_; - std::string hostname_; - ZipkinTracerStats tracer_stats_; +private: + std::shared_ptr collector_; ThreadLocal::SlotPtr tls_; - Runtime::Loader& runtime_; - const LocalInfo::LocalInfo& local_info_; - TimeSource& time_source_; TraceContextOption trace_context_option_; }; -/** - * Information about the Zipkin collector. - */ -struct CollectorInfo { - // The Zipkin collector endpoint/path to receive the collected trace data. - // For legacy configuration: from collector_endpoint field. - // For HttpService configuration: from http_service_.http_uri().uri(). - std::string endpoint_; - - // The hostname to use when sending spans to the collector. - // For legacy configuration: from collector_hostname field or cluster name. - // For HttpService configuration: cluster name. - std::string hostname_; - - // The version of the collector. This is related to endpoint's supported payload specification and - // transport. - envoy::config::trace::v3::ZipkinConfig::CollectorEndpointVersion version_{ - envoy::config::trace::v3::ZipkinConfig::HTTP_JSON}; - - bool shared_span_context_{DEFAULT_SHARED_SPAN_CONTEXT}; - - // New HttpService configuration (preferred) - absl::optional http_service_; - - // Additional custom headers to include in requests to the Zipkin collector. - // Only available when using HttpService configuration via request_headers_to_add. - // Legacy configuration does not support custom headers. - std::vector> request_headers_; -}; - /** * This class derives from the abstract Zipkin::Reporter. * It buffers spans and relies on Http::AsyncClient to send spans to @@ -146,13 +137,19 @@ class ReporterImpl : Logger::Loggable, /** * Constructor. * - * @param driver ZipkinDriver to be associated with the reporter. * @param dispatcher Controls the timer used to flush buffered spans. + * @param cm Reference to the cluster manager. This is used to get a handle + * to the cluster that contains the Zipkin collector. + * @param runtime Reference to the runtime. This is used to get the values + * of the runtime parameters that control the span-buffering/flushing behavior. + * @param tracer_stats Reference to the structure used to record Zipkin-related stats. * @param collector holds the endpoint version and path information. * when making HTTP POST requests carrying spans. This value comes from the * Zipkin-related tracing configuration. */ - ReporterImpl(Driver& driver, Event::Dispatcher& dispatcher, const CollectorInfo& collector); + ReporterImpl(Event::Dispatcher& dispatcher, Upstream::ClusterManager& cm, + Runtime::Loader& runtime, ZipkinTracerStatsSharedPtr tracer_stats, + CollectorInfoConstSharedPtr collector); /** * Implementation of Zipkin::Reporter::reportSpan(). @@ -169,20 +166,6 @@ class ReporterImpl : Logger::Loggable, void onFailure(const Http::AsyncClient::Request&, Http::AsyncClient::FailureReason) override; void onBeforeFinalizeUpstreamSpan(Tracing::Span&, const Http::ResponseHeaderMap*) override {} - /** - * Creates a heap-allocated ZipkinReporter. - * - * @param driver ZipkinDriver to be associated with the reporter. - * @param dispatcher Controls the timer used to flush buffered spans. - * @param collector holds the endpoint version and path information. - * when making HTTP POST requests carrying spans. This value comes from the - * Zipkin-related tracing configuration. - * - * @return Pointer to the newly-created ZipkinReporter. - */ - static ReporterPtr newInstance(Driver& driver, Event::Dispatcher& dispatcher, - const CollectorInfo& collector); - private: /** * Enables the span-flushing timer. @@ -194,9 +177,11 @@ class ReporterImpl : Logger::Loggable, */ void flushSpans(); - Driver& driver_; + Runtime::Loader& runtime_; + ZipkinTracerStatsSharedPtr tracer_stats_; + CollectorInfoConstSharedPtr collector_; + Event::TimerPtr flush_timer_; - const CollectorInfo collector_; SpanBufferPtr span_buffer_; Upstream::ClusterUpdateTracker collector_cluster_; // Track active HTTP requests to be able to cancel them on destruction. diff --git a/test/extensions/tracers/zipkin/BUILD b/test/extensions/tracers/zipkin/BUILD index b1d325d570a6b..eb34d6390cf32 100644 --- a/test/extensions/tracers/zipkin/BUILD +++ b/test/extensions/tracers/zipkin/BUILD @@ -34,13 +34,10 @@ envoy_extension_cc_test( "//source/extensions/tracers/zipkin:zipkin_lib", "//test/mocks:common_lib", "//test/mocks/http:http_mocks", - "//test/mocks/local_info:local_info_mocks", - "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/stats:stats_mocks", "//test/mocks/stream_info:stream_info_mocks", - "//test/mocks/thread_local:thread_local_mocks", "//test/mocks/tracing:tracing_mocks", - "//test/mocks/upstream:cluster_manager_mocks", "//test/mocks/upstream:thread_local_cluster_mocks", "//test/test_common:simulated_time_system_lib", "//test/test_common:utility_lib", diff --git a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc index 800b92959e734..f492eaff21f5b 100644 --- a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc @@ -11,14 +11,10 @@ #include "source/extensions/tracers/zipkin/zipkin_tracer_impl.h" #include "test/mocks/http/mocks.h" -#include "test/mocks/local_info/mocks.h" -#include "test/mocks/runtime/mocks.h" -#include "test/mocks/stats/mocks.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/stream_info/mocks.h" #include "test/mocks/thread_local/mocks.h" #include "test/mocks/tracing/mocks.h" -#include "test/mocks/upstream/cluster_manager.h" -#include "test/mocks/upstream/thread_local_cluster.h" #include "test/test_common/utility.h" #include "gmock/gmock.h" @@ -54,8 +50,7 @@ class ZipkinDriverTest : public testing::Test { EXPECT_CALL(*timer_, enableTimer(std::chrono::milliseconds(5000), _)); } - driver_ = std::make_unique(zipkin_config, cm_, *stats_.rootScope(), tls_, runtime_, - local_info_, random_, time_source_); + driver_ = std::make_unique(zipkin_config, context_); } void setupValidDriverWithHostname(const std::string& version, const std::string& hostname) { @@ -153,14 +148,16 @@ class ZipkinDriverTest : public testing::Test { {":authority", "api.lyft.com"}, {":path", "/"}, {":method", "GET"}, {"x-request-id", "foo"}}; NiceMock stream_info_; - NiceMock tls_; std::unique_ptr driver_; NiceMock* timer_; - NiceMock stats_; - NiceMock cm_; - NiceMock runtime_; - NiceMock local_info_; - NiceMock random_; + + NiceMock context_; + NiceMock& tls_{context_.thread_local_}; + NiceMock& stats_{context_.store_}; + NiceMock& cm_{context_.cluster_manager_}; + NiceMock& runtime_{context_.runtime_loader_}; + NiceMock& local_info_{context_.local_info_}; + NiceMock& random_{context_.api_.random_}; NiceMock config_; Event::SimulatedTimeSystem test_time_; @@ -1068,59 +1065,6 @@ TEST_F(ZipkinDriverTest, DuplicatedHeader) { }); } -TEST_F(ZipkinDriverTest, DriverWithHttpServiceCustomHeaders) { - cm_.initializeClusters({"fake_cluster"}, {}); - - const std::string yaml_string = R"EOF( - collector_cluster: fake_cluster - collector_endpoint: /api/v2/spans - collector_service: - http_uri: - uri: "https://zipkin-collector.example.com/api/v2/spans" - cluster: fake_cluster - timeout: 5s - request_headers_to_add: - - header: - key: "Authorization" - value: "Bearer token123" - - header: - key: "X-Custom-Header" - value: "custom-value" - - header: - key: "X-API-Key" - value: "api-key-123" - collector_endpoint_version: HTTP_JSON - )EOF"; - - envoy::config::trace::v3::ZipkinConfig zipkin_config; - TestUtility::loadFromYaml(yaml_string, zipkin_config); - - setup(zipkin_config, true); - EXPECT_NE(nullptr, driver_); -} - -TEST_F(ZipkinDriverTest, DriverWithHttpServiceEmptyHeaders) { - cm_.initializeClusters({"fake_cluster"}, {}); - - const std::string yaml_string = R"EOF( - collector_cluster: fake_cluster - collector_endpoint: /api/v2/spans - collector_service: - http_uri: - uri: "https://zipkin-collector.example.com/api/v2/spans" - cluster: fake_cluster - timeout: 5s - request_headers_to_add: [] - collector_endpoint_version: HTTP_JSON - )EOF"; - - envoy::config::trace::v3::ZipkinConfig zipkin_config; - TestUtility::loadFromYaml(yaml_string, zipkin_config); - - setup(zipkin_config, true); - EXPECT_NE(nullptr, driver_); -} - TEST_F(ZipkinDriverTest, ReporterFlushWithHttpServiceHeadersVerifyHeaders) { cm_.initializeClusters({"fake_cluster", "legacy_cluster"}, {}); @@ -1214,7 +1158,7 @@ TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsing) { envoy::config::trace::v3::ZipkinConfig zipkin_config_no_host; TestUtility::loadFromYaml(yaml_string_no_host, zipkin_config_no_host); setup(zipkin_config_no_host, false); - EXPECT_EQ("fake_cluster", driver_->hostname()); // Should fallback to cluster name + EXPECT_EQ("fake_cluster", driver_->hostnameForTest()); // Should fallback to cluster name } TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsingNoPath) { @@ -1233,7 +1177,7 @@ TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsingNoPath) { envoy::config::trace::v3::ZipkinConfig zipkin_config_no_path; TestUtility::loadFromYaml(yaml_string_no_path, zipkin_config_no_path); setup(zipkin_config_no_path, false); - EXPECT_EQ("zipkin-collector.example.com", driver_->hostname()); + EXPECT_EQ("zipkin-collector.example.com", driver_->hostnameForTest()); } TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsingWithPort) { @@ -1252,7 +1196,7 @@ TEST_F(ZipkinDriverTest, DriverWithHttpServiceUriParsingWithPort) { envoy::config::trace::v3::ZipkinConfig zipkin_config_with_port; TestUtility::loadFromYaml(yaml_string_with_port, zipkin_config_with_port); setup(zipkin_config_with_port, false); - EXPECT_EQ("zipkin-collector.example.com:9411", driver_->hostname()); + EXPECT_EQ("zipkin-collector.example.com:9411", driver_->hostnameForTest()); } TEST_F(ZipkinDriverTest, DriverMissingCollectorConfiguration) { @@ -1267,7 +1211,8 @@ TEST_F(ZipkinDriverTest, DriverMissingCollectorConfiguration) { TestUtility::loadFromYaml(yaml_string_missing, zipkin_config_missing); EXPECT_THROW_WITH_MESSAGE(setup(zipkin_config_missing, false), EnvoyException, - "Either collector_cluster or collector_service must be specified"); + "collector_cluster and collector_endpoint must be specified when not " + "using collector_service"); } } // namespace From 2e64f202c8fa8bae61cbe07ec0450faf2f5c9373 Mon Sep 17 00:00:00 2001 From: code Date: Wed, 10 Sep 2025 23:48:23 +0800 Subject: [PATCH 382/505] async stream options: use shared pointer for pased retry policy (#41012) Commit Message: async stream options: use shared pointer for pased retry policy Additional Description: This PR updated the StreamOptions. The shared pointer of RetryPolicy is used rather than a reference to avoid potential lifetime problem. This also fixed a potential bug at the `Http::AsyncStreamImpl`. At there, if the parsing of proto retry policy is field, will result in core dump. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. Signed-off-by: WangBaiping --- envoy/http/async_client.h | 6 +- envoy/router/router.h | 2 + source/common/http/async_client_impl.cc | 34 +++--- source/common/http/async_client_impl.h | 2 +- source/common/router/BUILD | 18 ++- source/common/router/config_impl.cc | 134 +-------------------- source/common/router/config_impl.h | 77 +----------- source/common/router/retry_policy_impl.cc | 134 +++++++++++++++++++++ source/common/router/retry_policy_impl.h | 91 ++++++++++++++ test/common/http/async_client_impl_test.cc | 18 +-- 10 files changed, 277 insertions(+), 239 deletions(-) create mode 100644 source/common/router/retry_policy_impl.cc create mode 100644 source/common/router/retry_policy_impl.h diff --git a/envoy/http/async_client.h b/envoy/http/async_client.h index 9afbc3f394336..3155e5af60323 100644 --- a/envoy/http/async_client.h +++ b/envoy/http/async_client.h @@ -343,8 +343,8 @@ class AsyncClient { // The retry policy can be set as either a proto or Router::RetryPolicy but // not both. If both formats of the options are set, the more recent call // will overwrite the older one. - StreamOptions& setRetryPolicy(const Router::RetryPolicy& p) { - parsed_retry_policy = &p; + StreamOptions& setRetryPolicy(Router::RetryPolicyConstSharedPtr p) { + parsed_retry_policy = std::move(p); retry_policy = absl::nullopt; return *this; } @@ -432,7 +432,7 @@ class AsyncClient { absl::optional buffer_limit_; absl::optional retry_policy; - const Router::RetryPolicy* parsed_retry_policy{nullptr}; + Router::RetryPolicyConstSharedPtr parsed_retry_policy; Router::FilterConfigSharedPtr filter_config_; diff --git a/envoy/router/router.h b/envoy/router/router.h index d37a0bd61968d..fa4de89acf09a 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -311,6 +311,8 @@ class RetryPolicy { virtual std::chrono::milliseconds resetMaxInterval() const PURE; }; +using RetryPolicyConstSharedPtr = std::shared_ptr; + /** * RetryStatus whether request should be retried or not. */ diff --git a/source/common/http/async_client_impl.cc b/source/common/http/async_client_impl.cc index 6fb949da25300..80d3cea522d54 100644 --- a/source/common/http/async_client_impl.cc +++ b/source/common/http/async_client_impl.cc @@ -18,6 +18,14 @@ namespace Envoy { namespace Http { +namespace { +Router::RetryPolicyConstSharedPtr sharedEmptyRetryPolicy() { + static Router::RetryPolicyConstSharedPtr empty_policy = + std::make_shared(); + return empty_policy; +} +} // namespace + const absl::string_view AsyncClientImpl::ResponseBufferLimit = "http.async_response_buffer_limit"; AsyncClientImpl::AsyncClientImpl(Upstream::ClusterInfoConstSharedPtr cluster, @@ -90,23 +98,19 @@ AsyncClient::Stream* AsyncClientImpl::start(AsyncClient::StreamCallbacks& callba return active_streams_.front().get(); } -std::unique_ptr -createRetryPolicy(AsyncClientImpl& parent, const AsyncClient::StreamOptions& options, +Router::RetryPolicyConstSharedPtr +createRetryPolicy(const AsyncClient::StreamOptions& options, Server::Configuration::CommonFactoryContext& context, absl::Status& creation_status) { if (options.retry_policy.has_value()) { - Upstream::RetryExtensionFactoryContextImpl factory_context( - parent.factory_context_.singletonManager()); auto policy_or_error = Router::RetryPolicyImpl::create( - options.retry_policy.value(), ProtobufMessage::getNullValidationVisitor(), factory_context, - context); + options.retry_policy.value(), ProtobufMessage::getNullValidationVisitor(), context); creation_status = policy_or_error.status(); - return policy_or_error.status().ok() ? std::move(policy_or_error.value()) : nullptr; - } - if (options.parsed_retry_policy == nullptr) { - return std::make_unique(); + return policy_or_error.status().ok() ? std::move(policy_or_error.value()) + : sharedEmptyRetryPolicy(); } - return nullptr; + return options.parsed_retry_policy != nullptr ? options.parsed_retry_policy + : sharedEmptyRetryPolicy(); } AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCallbacks& callbacks, @@ -122,7 +126,7 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal : std::make_shared( StreamInfo::FilterState::LifeSpan::FilterChain)), tracing_config_(Tracing::EgressConfig::get()), local_reply_(*parent.local_reply_), - retry_policy_(createRetryPolicy(parent, options, parent_.factory_context_, creation_status)), + retry_policy_(createRetryPolicy(options, parent.factory_context_, creation_status)), account_(options.account_), buffer_limit_(options.buffer_limit_), send_xff_(options.send_xff), send_internal_(options.send_internal) { // A field initialization may set the creation-status as unsuccessful. @@ -144,10 +148,8 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal } auto route_or_error = NullRouteImpl::create( - parent_.cluster_->name(), - retry_policy_ != nullptr ? *retry_policy_ : *options.parsed_retry_policy, - parent_.factory_context_.regexEngine(), options.timeout, options.hash_policy, - metadata_matching_criteria); + parent_.cluster_->name(), *retry_policy_, parent_.factory_context_.regexEngine(), + options.timeout, options.hash_policy, metadata_matching_criteria); SET_AND_RETURN_IF_NOT_OK(route_or_error.status(), creation_status); route_ = std::move(*route_or_error); stream_info_.dynamicMetadata().MergeFrom(options.metadata); diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h index eedb6e17ad4fc..ce52b83ed52ca 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h @@ -278,7 +278,7 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, Tracing::NullSpan active_span_; const Tracing::Config& tracing_config_; const LocalReply::LocalReply& local_reply_; - const std::unique_ptr retry_policy_; + Router::RetryPolicyConstSharedPtr retry_policy_; std::shared_ptr route_; uint32_t high_watermark_calls_{}; bool local_closed_{}; diff --git a/source/common/router/BUILD b/source/common/router/BUILD index 1a1f91f67c810..fb5d8979aa5f3 100644 --- a/source/common/router/BUILD +++ b/source/common/router/BUILD @@ -43,7 +43,7 @@ envoy_cc_library( ":matcher_visitor_lib", ":metadatamatchcriteria_lib", ":per_filter_config_lib", - ":reset_header_parser_lib", + ":retry_policy_lib", ":retry_state_lib", ":router_ratelimit_lib", ":tls_context_match_criteria_lib", @@ -541,3 +541,19 @@ envoy_cc_library( "//envoy/router:cluster_specifier_plugin_interface", ], ) + +envoy_cc_library( + name = "retry_policy_lib", + srcs = ["retry_policy_impl.cc"], + hdrs = ["retry_policy_impl.h"], + deps = [ + ":reset_header_parser_lib", + ":retry_state_lib", + "//envoy/router:router_interface", + "//envoy/server:factory_context_interface", + "//source/common/config:utility_lib", + "//source/common/upstream:retry_factory_lib", + "@com_google_absl//absl/types:optional", + "@envoy_api//envoy/config/route/v3:pkg_cc_proto", + ], +) diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 7059d996bea7e..06c5d08fe47b4 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -44,13 +44,10 @@ #include "source/common/router/context_impl.h" #include "source/common/router/header_cluster_specifier.h" #include "source/common/router/matcher_visitor.h" -#include "source/common/router/reset_header_parser.h" -#include "source/common/router/retry_state_impl.h" #include "source/common/router/weighted_cluster_specifier.h" #include "source/common/runtime/runtime_features.h" #include "source/common/tracing/custom_tag_impl.h" #include "source/common/tracing/http_tracer_impl.h" -#include "source/common/upstream/retry_factory.h" #include "source/extensions/early_data/default_early_data_policy.h" #include "source/extensions/matching/network/common/inputs.h" #include "source/extensions/path/match/uri_template/uri_template_match.h" @@ -217,128 +214,6 @@ HedgePolicyImpl::HedgePolicyImpl(const envoy::config::route::v3::HedgePolicy& he HedgePolicyImpl::HedgePolicyImpl() : initial_requests_(1), hedge_on_per_try_timeout_(false) {} -absl::StatusOr> -RetryPolicyImpl::create(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context) { - absl::Status creation_status = absl::OkStatus(); - auto ret = std::unique_ptr(new RetryPolicyImpl( - retry_policy, validation_visitor, factory_context, common_context, creation_status)); - RETURN_IF_NOT_OK(creation_status); - return ret; -} -RetryPolicyImpl::RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context, - absl::Status& creation_status) - : retriable_headers_(Http::HeaderUtility::buildHeaderMatcherVector( - retry_policy.retriable_headers(), common_context)), - retriable_request_headers_(Http::HeaderUtility::buildHeaderMatcherVector( - retry_policy.retriable_request_headers(), common_context)), - validation_visitor_(&validation_visitor) { - per_try_timeout_ = - std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_timeout, 0)); - per_try_idle_timeout_ = - std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_idle_timeout, 0)); - num_retries_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT(retry_policy, num_retries, 1); - retry_on_ = RetryStateImpl::parseRetryOn(retry_policy.retry_on()).first; - retry_on_ |= RetryStateImpl::parseRetryGrpcOn(retry_policy.retry_on()).first; - - for (const auto& host_predicate : retry_policy.retry_host_predicate()) { - auto& factory = Envoy::Config::Utility::getAndCheckFactory( - host_predicate); - auto config = Envoy::Config::Utility::translateToFactoryConfig(host_predicate, - validation_visitor, factory); - retry_host_predicate_configs_.emplace_back(factory, std::move(config)); - } - - const auto& retry_priority = retry_policy.retry_priority(); - if (!retry_priority.name().empty()) { - auto& factory = - Envoy::Config::Utility::getAndCheckFactory(retry_priority); - retry_priority_config_ = - std::make_pair(&factory, Envoy::Config::Utility::translateToFactoryConfig( - retry_priority, validation_visitor, factory)); - } - - for (const auto& options_predicate : retry_policy.retry_options_predicates()) { - auto& factory = - Envoy::Config::Utility::getAndCheckFactory( - options_predicate); - retry_options_predicates_.emplace_back( - factory.createOptionsPredicate(*Envoy::Config::Utility::translateToFactoryConfig( - options_predicate, validation_visitor, factory), - factory_context)); - } - - auto host_selection_attempts = retry_policy.host_selection_retry_max_attempts(); - if (host_selection_attempts) { - host_selection_attempts_ = host_selection_attempts; - } - - for (auto code : retry_policy.retriable_status_codes()) { - retriable_status_codes_.emplace_back(code); - } - - if (retry_policy.has_retry_back_off()) { - base_interval_ = std::chrono::milliseconds( - PROTOBUF_GET_MS_REQUIRED(retry_policy.retry_back_off(), base_interval)); - if ((*base_interval_).count() < 1) { - base_interval_ = std::chrono::milliseconds(1); - } - - max_interval_ = PROTOBUF_GET_OPTIONAL_MS(retry_policy.retry_back_off(), max_interval); - if (max_interval_) { - // Apply the same rounding to max interval in case both are set to sub-millisecond values. - if ((*max_interval_).count() < 1) { - max_interval_ = std::chrono::milliseconds(1); - } - - if ((*max_interval_).count() < (*base_interval_).count()) { - creation_status = absl::InvalidArgumentError( - "retry_policy.max_interval must greater than or equal to the base_interval"); - return; - } - } - } - - if (retry_policy.has_rate_limited_retry_back_off()) { - reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector( - retry_policy.rate_limited_retry_back_off().reset_headers()); - - absl::optional reset_max_interval = - PROTOBUF_GET_OPTIONAL_MS(retry_policy.rate_limited_retry_back_off(), max_interval); - if (reset_max_interval.has_value()) { - std::chrono::milliseconds max_interval = reset_max_interval.value(); - if (max_interval.count() < 1) { - max_interval = std::chrono::milliseconds(1); - } - reset_max_interval_ = max_interval; - } - } -} - -std::vector RetryPolicyImpl::retryHostPredicates() const { - std::vector predicates; - predicates.reserve(retry_host_predicate_configs_.size()); - for (const auto& config : retry_host_predicate_configs_) { - predicates.emplace_back(config.first.createHostPredicate(*config.second, num_retries_)); - } - - return predicates; -} - -Upstream::RetryPrioritySharedPtr RetryPolicyImpl::retryPriority() const { - if (retry_priority_config_.first == nullptr) { - return nullptr; - } - - return retry_priority_config_.first->createRetryPriority(*retry_priority_config_.second, - *validation_visitor_, num_retries_); -} - absl::StatusOr> InternalRedirectPolicyImpl::create( const envoy::config::route::v3::InternalRedirectPolicy& policy_config, ProtobufMessage::ValidationVisitor& validator, absl::string_view current_route_name) { @@ -1142,19 +1017,16 @@ absl::StatusOr> RouteEntryImplBase::buildRetryP RetryPolicyConstOptRef vhost_retry_policy, const envoy::config::route::v3::RouteAction& route_config, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::ServerFactoryContext& factory_context) const { - Upstream::RetryExtensionFactoryContextImpl retry_factory_context( - factory_context.singletonManager()); + Server::Configuration::CommonFactoryContext& factory_context) const { // Route specific policy wins, if available. if (route_config.has_retry_policy()) { return RetryPolicyImpl::create(route_config.retry_policy(), validation_visitor, - retry_factory_context, factory_context); + factory_context); } // If not, we fallback to the virtual host policy if there is one. if (vhost_retry_policy.has_value()) { - return RetryPolicyImpl::create(*vhost_retry_policy, validation_visitor, retry_factory_context, - factory_context); + return RetryPolicyImpl::create(*vhost_retry_policy, validation_visitor, factory_context); } // Otherwise, an empty policy will do. diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 5122a0fe1e3c6..052a04cf83c32 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -32,6 +32,7 @@ #include "source/common/router/header_parser.h" #include "source/common/router/metadatamatchcriteria_impl.h" #include "source/common/router/per_filter_config.h" +#include "source/common/router/retry_policy_impl.h" #include "source/common/router/router_ratelimit.h" #include "source/common/router/tls_context_match_criteria_impl.h" #include "source/common/stats/symbol_table.h" @@ -401,80 +402,6 @@ class VirtualHostImpl : Logger::Loggable { using VirtualHostImplSharedPtr = std::shared_ptr; -/** - * Implementation of RetryPolicy that reads from the proto route or virtual host config. - */ -class RetryPolicyImpl : public RetryPolicy { - -public: - static absl::StatusOr> - create(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context); - RetryPolicyImpl() = default; - - // Router::RetryPolicy - std::chrono::milliseconds perTryTimeout() const override { return per_try_timeout_; } - std::chrono::milliseconds perTryIdleTimeout() const override { return per_try_idle_timeout_; } - uint32_t numRetries() const override { return num_retries_; } - uint32_t retryOn() const override { return retry_on_; } - std::vector retryHostPredicates() const override; - Upstream::RetryPrioritySharedPtr retryPriority() const override; - absl::Span - retryOptionsPredicates() const override { - return retry_options_predicates_; - } - uint32_t hostSelectionMaxAttempts() const override { return host_selection_attempts_; } - const std::vector& retriableStatusCodes() const override { - return retriable_status_codes_; - } - const std::vector& retriableHeaders() const override { - return retriable_headers_; - } - const std::vector& retriableRequestHeaders() const override { - return retriable_request_headers_; - } - absl::optional baseInterval() const override { return base_interval_; } - absl::optional maxInterval() const override { return max_interval_; } - const std::vector& resetHeaders() const override { - return reset_headers_; - } - std::chrono::milliseconds resetMaxInterval() const override { return reset_max_interval_; } - -private: - RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context, - absl::Status& creation_status); - std::chrono::milliseconds per_try_timeout_{0}; - std::chrono::milliseconds per_try_idle_timeout_{0}; - // We set the number of retries to 1 by default (i.e. when no route or vhost level retry policy is - // set) so that when retries get enabled through the x-envoy-retry-on header we default to 1 - // retry. - uint32_t num_retries_{1}; - uint32_t retry_on_{}; - // Each pair contains the name and config proto to be used to create the RetryHostPredicates - // that should be used when with this policy. - std::vector> - retry_host_predicate_configs_; - // Name and config proto to use to create the RetryPriority to use with this policy. Default - // initialized when no RetryPriority should be used. - std::pair retry_priority_config_; - uint32_t host_selection_attempts_{1}; - std::vector retriable_status_codes_; - std::vector retriable_headers_; - std::vector retriable_request_headers_; - absl::optional base_interval_; - absl::optional max_interval_; - std::vector reset_headers_; - std::chrono::milliseconds reset_max_interval_{300000}; - ProtobufMessage::ValidationVisitor* validation_visitor_{}; - std::vector retry_options_predicates_; -}; -using DefaultRetryPolicy = ConstSingleton; - /** * Implementation of ShadowPolicy that reads from the proto route config. */ @@ -913,7 +840,7 @@ class RouteEntryImplBase : public RouteEntryAndRoute, buildRetryPolicy(RetryPolicyConstOptRef vhost_retry_policy, const envoy::config::route::v3::RouteAction& route_config, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::ServerFactoryContext& factory_context) const; + Server::Configuration::CommonFactoryContext& factory_context) const; absl::StatusOr> buildInternalRedirectPolicy(const envoy::config::route::v3::RouteAction& route_config, diff --git a/source/common/router/retry_policy_impl.cc b/source/common/router/retry_policy_impl.cc new file mode 100644 index 0000000000000..a2fd50f906b1b --- /dev/null +++ b/source/common/router/retry_policy_impl.cc @@ -0,0 +1,134 @@ +#include "source/common/router/retry_policy_impl.h" + +#include "source/common/config/utility.h" +#include "source/common/router/reset_header_parser.h" +#include "source/common/router/retry_state_impl.h" +#include "source/common/upstream/retry_factory.h" + +namespace Envoy { +namespace Router { + +absl::StatusOr> +RetryPolicyImpl::create(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context) { + absl::Status creation_status = absl::OkStatus(); + auto ret = std::unique_ptr( + new RetryPolicyImpl(retry_policy, validation_visitor, common_context, creation_status)); + RETURN_IF_NOT_OK(creation_status); + return ret; +} + +RetryPolicyImpl::RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context, + absl::Status& creation_status) + : retriable_headers_(Http::HeaderUtility::buildHeaderMatcherVector( + retry_policy.retriable_headers(), common_context)), + retriable_request_headers_(Http::HeaderUtility::buildHeaderMatcherVector( + retry_policy.retriable_request_headers(), common_context)), + validation_visitor_(&validation_visitor) { + per_try_timeout_ = + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_timeout, 0)); + per_try_idle_timeout_ = + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_idle_timeout, 0)); + num_retries_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT(retry_policy, num_retries, 1); + retry_on_ = RetryStateImpl::parseRetryOn(retry_policy.retry_on()).first; + retry_on_ |= RetryStateImpl::parseRetryGrpcOn(retry_policy.retry_on()).first; + + for (const auto& host_predicate : retry_policy.retry_host_predicate()) { + auto& factory = Envoy::Config::Utility::getAndCheckFactory( + host_predicate); + auto config = Envoy::Config::Utility::translateToFactoryConfig(host_predicate, + validation_visitor, factory); + retry_host_predicate_configs_.emplace_back(factory, std::move(config)); + } + + const auto& retry_priority = retry_policy.retry_priority(); + if (!retry_priority.name().empty()) { + auto& factory = + Envoy::Config::Utility::getAndCheckFactory(retry_priority); + retry_priority_config_ = + std::make_pair(&factory, Envoy::Config::Utility::translateToFactoryConfig( + retry_priority, validation_visitor, factory)); + } + + Upstream::RetryExtensionFactoryContextImpl factory_context(common_context.singletonManager()); + for (const auto& options_predicate : retry_policy.retry_options_predicates()) { + auto& factory = + Envoy::Config::Utility::getAndCheckFactory( + options_predicate); + retry_options_predicates_.emplace_back( + factory.createOptionsPredicate(*Envoy::Config::Utility::translateToFactoryConfig( + options_predicate, validation_visitor, factory), + factory_context)); + } + + auto host_selection_attempts = retry_policy.host_selection_retry_max_attempts(); + if (host_selection_attempts) { + host_selection_attempts_ = host_selection_attempts; + } + + for (auto code : retry_policy.retriable_status_codes()) { + retriable_status_codes_.emplace_back(code); + } + + if (retry_policy.has_retry_back_off()) { + base_interval_ = std::chrono::milliseconds( + PROTOBUF_GET_MS_REQUIRED(retry_policy.retry_back_off(), base_interval)); + if ((*base_interval_).count() < 1) { + base_interval_ = std::chrono::milliseconds(1); + } + + max_interval_ = PROTOBUF_GET_OPTIONAL_MS(retry_policy.retry_back_off(), max_interval); + if (max_interval_) { + // Apply the same rounding to max interval in case both are set to sub-millisecond values. + if ((*max_interval_).count() < 1) { + max_interval_ = std::chrono::milliseconds(1); + } + + if ((*max_interval_).count() < (*base_interval_).count()) { + creation_status = absl::InvalidArgumentError( + "retry_policy.max_interval must greater than or equal to the base_interval"); + return; + } + } + } + + if (retry_policy.has_rate_limited_retry_back_off()) { + reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector( + retry_policy.rate_limited_retry_back_off().reset_headers()); + + absl::optional reset_max_interval = + PROTOBUF_GET_OPTIONAL_MS(retry_policy.rate_limited_retry_back_off(), max_interval); + if (reset_max_interval.has_value()) { + std::chrono::milliseconds max_interval = reset_max_interval.value(); + if (max_interval.count() < 1) { + max_interval = std::chrono::milliseconds(1); + } + reset_max_interval_ = max_interval; + } + } +} + +std::vector RetryPolicyImpl::retryHostPredicates() const { + std::vector predicates; + predicates.reserve(retry_host_predicate_configs_.size()); + for (const auto& config : retry_host_predicate_configs_) { + predicates.emplace_back(config.first.createHostPredicate(*config.second, num_retries_)); + } + + return predicates; +} + +Upstream::RetryPrioritySharedPtr RetryPolicyImpl::retryPriority() const { + if (retry_priority_config_.first == nullptr) { + return nullptr; + } + + return retry_priority_config_.first->createRetryPriority(*retry_priority_config_.second, + *validation_visitor_, num_retries_); +} + +} // namespace Router +} // namespace Envoy diff --git a/source/common/router/retry_policy_impl.h b/source/common/router/retry_policy_impl.h new file mode 100644 index 0000000000000..5b612cd099820 --- /dev/null +++ b/source/common/router/retry_policy_impl.h @@ -0,0 +1,91 @@ +#pragma once + +#include +#include +#include +#include + +#include "envoy/config/route/v3/route_components.pb.h" +#include "envoy/config/route/v3/route_components.pb.validate.h" +#include "envoy/router/router.h" +#include "envoy/server/factory_context.h" + +#include "absl/types/optional.h" + +namespace Envoy { +namespace Router { + +/** + * Implementation of RetryPolicy that reads from the proto route or virtual host config. + */ +class RetryPolicyImpl : public RetryPolicy { + +public: + static absl::StatusOr> + create(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context); + RetryPolicyImpl() = default; + + // Router::RetryPolicy + std::chrono::milliseconds perTryTimeout() const override { return per_try_timeout_; } + std::chrono::milliseconds perTryIdleTimeout() const override { return per_try_idle_timeout_; } + uint32_t numRetries() const override { return num_retries_; } + uint32_t retryOn() const override { return retry_on_; } + std::vector retryHostPredicates() const override; + Upstream::RetryPrioritySharedPtr retryPriority() const override; + absl::Span + retryOptionsPredicates() const override { + return retry_options_predicates_; + } + uint32_t hostSelectionMaxAttempts() const override { return host_selection_attempts_; } + const std::vector& retriableStatusCodes() const override { + return retriable_status_codes_; + } + const std::vector& retriableHeaders() const override { + return retriable_headers_; + } + const std::vector& retriableRequestHeaders() const override { + return retriable_request_headers_; + } + absl::optional baseInterval() const override { return base_interval_; } + absl::optional maxInterval() const override { return max_interval_; } + const std::vector& resetHeaders() const override { + return reset_headers_; + } + std::chrono::milliseconds resetMaxInterval() const override { return reset_max_interval_; } + +private: + RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context, + absl::Status& creation_status); + std::chrono::milliseconds per_try_timeout_{0}; + std::chrono::milliseconds per_try_idle_timeout_{0}; + // We set the number of retries to 1 by default (i.e. when no route or vhost level retry policy is + // set) so that when retries get enabled through the x-envoy-retry-on header we default to 1 + // retry. + uint32_t num_retries_{1}; + uint32_t retry_on_{}; + // Each pair contains the name and config proto to be used to create the RetryHostPredicates + // that should be used when with this policy. + std::vector> + retry_host_predicate_configs_; + // Name and config proto to use to create the RetryPriority to use with this policy. Default + // initialized when no RetryPriority should be used. + std::pair retry_priority_config_; + uint32_t host_selection_attempts_{1}; + std::vector retriable_status_codes_; + std::vector retriable_headers_; + std::vector retriable_request_headers_; + absl::optional base_interval_; + absl::optional max_interval_; + std::vector reset_headers_; + std::chrono::milliseconds reset_max_interval_{300000}; + ProtobufMessage::ValidationVisitor* validation_visitor_{}; + std::vector retry_options_predicates_; +}; +using DefaultRetryPolicy = ConstSingleton; + +} // namespace Router +} // namespace Envoy diff --git a/test/common/http/async_client_impl_test.cc b/test/common/http/async_client_impl_test.cc index 8b64e6ca686b8..739e1af3b0d28 100644 --- a/test/common/http/async_client_impl_test.cc +++ b/test/common/http/async_client_impl_test.cc @@ -2312,11 +2312,8 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { public: AsyncClientImplUnitTest() { envoy::config::route::v3::RetryPolicy proto_policy; - Upstream::RetryExtensionFactoryContextImpl factory_context( - client_.factory_context_.singletonManager()); - auto policy_or_error = - Router::RetryPolicyImpl::create(proto_policy, ProtobufMessage::getNullValidationVisitor(), - factory_context, client_.factory_context_); + auto policy_or_error = Router::RetryPolicyImpl::create( + proto_policy, ProtobufMessage::getNullValidationVisitor(), client_.factory_context_); THROW_IF_NOT_OK_REF(policy_or_error.status()); retry_policy_ = std::move(policy_or_error.value()); EXPECT_TRUE(retry_policy_.get()); @@ -2326,7 +2323,7 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { Protobuf::RepeatedPtrField()); } - std::unique_ptr retry_policy_; + std::shared_ptr retry_policy_; Regex::GoogleReEngine regex_engine_; std::unique_ptr route_impl_; std::unique_ptr stream_ = std::move( @@ -2350,18 +2347,15 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { envoy::config::route::v3::RetryPolicy proto_policy; TestUtility::loadFromYaml(yaml_config, proto_policy); - Upstream::RetryExtensionFactoryContextImpl factory_context( - client_.factory_context_.singletonManager()); - auto policy_or_error = - Router::RetryPolicyImpl::create(proto_policy, ProtobufMessage::getNullValidationVisitor(), - factory_context, client_.factory_context_); + auto policy_or_error = Router::RetryPolicyImpl::create( + proto_policy, ProtobufMessage::getNullValidationVisitor(), client_.factory_context_); THROW_IF_NOT_OK_REF(policy_or_error.status()); retry_policy_ = std::move(policy_or_error.value()); EXPECT_TRUE(retry_policy_.get()); stream_ = std::move( Http::AsyncStreamImpl::create(client_, stream_callbacks_, - AsyncClient::StreamOptions().setRetryPolicy(*retry_policy_)) + AsyncClient::StreamOptions().setRetryPolicy(retry_policy_)) .value()); } From 357f4b1c24f56888e13288bdac1b88b8427ad5b6 Mon Sep 17 00:00:00 2001 From: basundhara-c Date: Wed, 10 Sep 2025 11:32:07 -0700 Subject: [PATCH 383/505] bootstrap: add reverse tunnel socket interface extension for downstream connections (#40474) ## Description **Commit Message:** bootstrap: add reverse tunnel socket interface extension for downstream connections **Additional Description:** This PR implements the downstream socket interface components required on initiator envoy to create reverse connections to upstream envoy. [Github Issue](https://github.com/envoyproxy/envoy/issues/33320) ### Architecture Overview Here are the major components: ### 1. Bootstrap Extension Registration - `ReverseTunnelInitiatorExtension` is registered as a bootstrap extension on the initiator Envoy instance - Thread local slot is set up in `ReverseTunnelInitiatorExtension::onWorkerThreadInitialized()`, initializing components that can be retrieved thread locally later - Collects, maintains and provides APIs for stats collection and cross-worker aggregation ### 2. Thread-Local Data Management - Thread local data management is via a `DownstreamSocketThreadLocal` containing the per-worker thread dispatcher [Reverse Connection Listener: Diagram](https://lucid.app/lucidchart/b15fca72-908f-49a8-ba1e-9d8c95ce66cf/edit?viewport_loc=-308%2C-164%2C3205%2C1826%2C0_0&invitationId=inv_74e8ae30-55bd-4ac5-a3e2-27576dbe5956) ### 3. Custom Socket Interface (`ReverseTunnelInitiator`) - Custom socket interface that creates `ReverseConnectionIOHandle` instances instead of regular sockets - When a reverse connection listener is configured, the `ReverseConnectionResolver` extracts reverse connection metadata from the listener's address config and creates a `ReverseConnectionAddress` - The `ReverseConnectionResolver` parses the `rc://` address format and creates a `ReverseConnectionAddress` with the appropriate reverse connection configuration, enabling the custom socket interface to be used for establishing reverse tunnels to upstream clusters. - The `ReverseConnectionAddress` returns the `ReverseTunnelInitiator` in its `socketInterface()` method, allowing the custom interface to be used when creating sockets. [Ref](https://docs.google.com/document/d/1rH91TgPX7JbTcWYacCpavY4hiA1ce1yQE4mN3XZSewo/edit?tab=t.0) ### 4. Reverse Connection Workflow (`ReverseConnectionIOHandle`) - Triggers reverse connection establishment when `initializeFileEvent()` is called on a worker thread - Sets up pipe-based trigger mechanism to wake up `accept()` when connections are established - Initiates TCP connections to upstream clusters and wraps each connection in a `RCConnectionWrapper` ### 5. Connection Wrapper (`RCConnectionWrapper`) - Abstracts connection lifecycle and handshake process - Writes HTTP POST messages with reverse connection requests on existing TCP connections to upstream clusters [Reverse Connection Handshake](https://lucid.app/lucidchart/48be1dfd-2a26-44c4-9652-46f9d90e0ffb/edit?viewport_loc=-228%2C-73%2C1795%2C1022%2C0_0&invitationId=inv_77224f3c-8f2a-468e-b80f-3a8415930c8f) - Adds `SimpleConnReadFilter` to read responses from upstream - When connection is accepted, wakes up `accept()` by writing to trigger pipe and pushes socket to `established_connections_` queue ### 6. Connection Acceptance (`DownstreamReverseConnectionIOHandle`) - In `accept()`, pops sockets from `established_connections_` queue and duplicates them - Creates `DownstreamReverseConnectionIOHandle` over the socket and returns it to be passed through the filter chain - Provides RAII-based lifecycle management - when the downstream connection is closed, it notifies the parent `ReverseConnectionIOHandle` to mark it closed so that the next iteration of connection maintenance can re-initiate it --- **Risk Level:** Low **Testing:** Unit Tests **Docs Changes:** Added **Release Notes:** Added Signed-off-by: Basundhara Chakrabarty [basundhara.c@nutanix.com](mailto:basundhara.c@nutanix.com) Co-authored-by: Rohit Agrawal [rohit.agrawal@databricks.com](mailto:rohit.agrawal@databricks.com) Co-authored-by: Arun Vasudevan [Arun.Vasudev@nutanix.com](mailto:Arun.Vasudev@nutanix.com) Co-authored-by: Tejas Sangol [tejas.sangol@nutanix.com](mailto:tejas.sangol@nutanix.com) Co-authored-by: Aditya Jaltade [aditya.jaltade@nutanix.com](mailto:aditya.jaltade@nutanix.com) --------- Signed-off-by: Basundhara Chakrabarty Signed-off-by: Rohit Agrawal Co-authored-by: Rohit Agrawal --- api/BUILD | 1 + .../downstream_socket_interface/v3/BUILD | 9 + ..._reverse_connection_socket_interface.proto | 22 + ..._reverse_connection_socket_interface.proto | 2 +- api/versioning/BUILD | 1 + docs/root/api-v3/bootstrap/bootstrap.rst | 1 + .../other_features/other_features.rst | 1 + .../other_features/reverse_connection.rst | 333 ++ envoy/network/connection.h | 5 + source/common/network/connection_impl.cc | 16 +- source/common/network/connection_impl.h | 4 +- .../network/multi_connection_base_impl.h | 2 + .../quic_filter_manager_connection_impl.h | 1 + .../default_api_listener/api_listener_impl.h | 1 + .../bootstrap/reverse_tunnel/common/BUILD | 2 + .../common/reverse_connection_utility.h | 22 + .../downstream_socket_interface/BUILD | 108 + ...downstream_reverse_connection_io_handle.cc | 96 + .../downstream_reverse_connection_io_handle.h | 65 + .../rc_connection_wrapper.cc | 216 ++ .../rc_connection_wrapper.h | 166 + .../reverse_connection_address.cc | 66 + .../reverse_connection_address.h | 85 + .../reverse_connection_io_handle.cc | 1116 +++++++ .../reverse_connection_io_handle.h | 425 +++ ...reverse_connection_load_balancer_context.h | 44 + .../reverse_connection_resolver.cc | 109 + .../reverse_connection_resolver.h | 46 + .../reverse_tunnel_initiator.cc | 183 ++ .../reverse_tunnel_initiator.h | 109 + .../reverse_tunnel_initiator_extension.cc | 277 ++ .../reverse_tunnel_initiator_extension.h | 138 + .../upstream_socket_interface/BUILD | 2 + .../reverse_connection_io_handle.cc | 55 + .../reverse_connection_io_handle.h | 78 + .../reverse_tunnel_acceptor.cc | 43 +- .../reverse_tunnel_acceptor.h | 52 +- .../upstream_socket_manager.cc | 2 +- source/extensions/extensions_build_config.bzl | 7 + source/extensions/extensions_metadata.yaml | 12 + test/common/network/connection_impl_test.cc | 15 + .../multi_connection_base_impl_test.cc | 7 + ...uic_filter_manager_connection_impl_test.cc | 5 + test/coverage.yaml | 1 + .../downstream_socket_interface/BUILD | 114 + .../rc_connection_wrapper_test.cc | 949 ++++++ .../reverse_connection_address_test.cc | 306 ++ .../reverse_connection_io_handle_test.cc | 2728 +++++++++++++++++ .../reverse_connection_resolver_test.cc | 199 ++ ...reverse_tunnel_initiator_extension_test.cc | 583 ++++ .../reverse_tunnel_initiator_test.cc | 377 +++ ...tream_reverse_connection_io_handle_test.cc | 44 +- test/mocks/network/connection.h | 3 + test/server/api_listener_test.cc | 41 + tools/code_format/config.yaml | 2 + tools/extensions/extensions_schema.yaml | 1 + tools/spelling/spelling_dictionary.txt | 5 + 57 files changed, 9168 insertions(+), 135 deletions(-) create mode 100644 api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD create mode 100644 api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto create mode 100644 docs/root/configuration/other_features/reverse_connection.rst create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc create mode 100644 source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc diff --git a/api/BUILD b/api/BUILD index 6ae90f01d3592..18014a1fe8043 100644 --- a/api/BUILD +++ b/api/BUILD @@ -137,6 +137,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg", "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD new file mode 100644 index 0000000000000..29ebf0741406e --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], +) diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto new file mode 100644 index 0000000000000..25613fae8ac5e --- /dev/null +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto @@ -0,0 +1,22 @@ +syntax = "proto3"; + +package envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3"; +option java_outer_classname = "DownstreamReverseConnectionSocketInterfaceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3;downstream_socket_interfacev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Bootstrap settings for downstream reverse connection socket interface] +// [#extension: envoy.bootstrap.reverse_tunnel.downstream_socket_interface] + +// Configuration for the downstream reverse connection socket interface. +// This interface initiates reverse connections to upstream Envoys and provides +// them as socket connections for downstream requests. +message DownstreamReverseConnectionSocketInterface { + // Stat prefix to be used for downstream reverse connection socket interface stats. + string stat_prefix = 1; +} diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index 8256baccbe88d..92bbdbb84ab57 100644 --- a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -10,7 +10,7 @@ option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3;upstream_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -// [#protodoc-title: Bootstrap settings for Upstream Reverse Connection Socket Interface] +// [#protodoc-title: Bootstrap settings for upstream reverse connection socket interface] // [#extension: envoy.bootstrap.reverse_tunnel.upstream_socket_interface] // Configuration for the upstream reverse connection socket interface. diff --git a/api/versioning/BUILD b/api/versioning/BUILD index 0c7c9456d6e45..8b48f43270988 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -75,6 +75,7 @@ proto_library( "//envoy/extensions/access_loggers/stream/v3:pkg", "//envoy/extensions/access_loggers/wasm/v3:pkg", "//envoy/extensions/bootstrap/internal_listener/v3:pkg", + "//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg", "//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg", "//envoy/extensions/clusters/aggregate/v3:pkg", "//envoy/extensions/clusters/common/dns/v3:pkg", diff --git a/docs/root/api-v3/bootstrap/bootstrap.rst b/docs/root/api-v3/bootstrap/bootstrap.rst index f2b6f6c6b1c97..37670bc877d06 100644 --- a/docs/root/api-v3/bootstrap/bootstrap.rst +++ b/docs/root/api-v3/bootstrap/bootstrap.rst @@ -7,6 +7,7 @@ Bootstrap ../config/bootstrap/v3/bootstrap.proto ../extensions/bootstrap/internal_listener/v3/internal_listener.proto + ../extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto ../extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto ../config/metrics/v3/metrics_service.proto ../config/overload/v3/overload.proto diff --git a/docs/root/configuration/other_features/other_features.rst b/docs/root/configuration/other_features/other_features.rst index ada8a284812d7..672bcf3069a19 100644 --- a/docs/root/configuration/other_features/other_features.rst +++ b/docs/root/configuration/other_features/other_features.rst @@ -8,6 +8,7 @@ Other features hyperscan internal_listener rate_limit + reverse_connection io_uring vcl wasm diff --git a/docs/root/configuration/other_features/reverse_connection.rst b/docs/root/configuration/other_features/reverse_connection.rst new file mode 100644 index 0000000000000..076b8108f119c --- /dev/null +++ b/docs/root/configuration/other_features/reverse_connection.rst @@ -0,0 +1,333 @@ +.. _config_reverse_connection: + +Reverse Connection +================== + +Envoy supports reverse connections that enable establishing persistent connections from downstream Envoy instances +to upstream Envoy instances without requiring the upstream to be directly reachable from the downstream. +This feature is particularly useful in scenarios where downstream instances are behind NATs, firewalls, +or in private networks, and need to initiate connections to upstream instances in public networks or cloud environments. + +Reverse connections work by having the downstream Envoy initiate TCP connections to upstream Envoy instances +and keep them alive for reuse. These connections are established using a handshake protocol and can be +used for forwarding traffic from services behind upstream Envoy to downstream services behind the downstream Envoy. + +.. _config_reverse_connection_bootstrap: + +Bootstrap Configuration +----------------------- + +To enable reverse connections, two bootstrap extensions need to be configured: + +1. **Downstream Reverse Connection Socket Interface**: Configures the downstream Envoy to initiate + reverse connections to upstream instances. + +2. **Upstream Reverse Connection Socket Interface**: Configures the upstream Envoy to accept + and manage reverse connections from downstream instances. + +.. _config_reverse_connection_downstream: + +Downstream Configuration +~~~~~~~~~~~~~~~~~~~~~~~~ + +The downstream reverse connection socket interface is configured in the bootstrap as follows: + +.. validated-code-block:: yaml + :type-name: envoy.config.bootstrap.v3.Bootstrap + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + +.. _config_reverse_connection_upstream: + +Upstream Configuration +~~~~~~~~~~~~~~~~~~~~~~ + +The upstream reverse connection socket interface is configured in the bootstrap as follows: + +.. validated-code-block:: yaml + :type-name: envoy.config.bootstrap.v3.Bootstrap + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" + +.. _config_reverse_connection_listener: + +Listener Configuration +---------------------- + +Reverse connections are initiated through special reverse connection listeners that use the following +reverse connection address format: + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: reverse_connection_listener + address: + socket_address: + address: "rc://downstream-node-id:downstream-cluster-id:downstream-tenant-id@upstream-cluster:connection-count" + port_value: 0 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: upstream-cluster + +The reverse connection address format ``rc://src_node:src_cluster:src_tenant@target_cluster:count`` +encodes the following information: + +* ``src_node``: Unique identifier for the downstream node +* ``src_cluster``: Cluster name of the downstream Envoy +* ``src_tenant``: Tenant identifier for multi-tenant deployments +* ``target_cluster``: Name of the upstream cluster to connect to +* ``count``: Number of reverse connections to establish to upstream-cluster + +The upstream-cluster can be dynamically configurable via CDS. The listener calls the reverse connection +workflow and initiates raw TCP connections to upstream clusters, thereby This triggering the reverse +connection handshake. + +.. _config_reverse_connection_handshake: + +Handshake Protocol +------------------ + +Reverse connections use a handshake protocol to establish authenticated connections between +downstream and upstream Envoy instances. The handshake has the following steps: + +1. **Connection Initiation**: Downstream Envoy initiates TCP connections to each host of the upstream cluster, +and writes the handshake request on it over a HTTP/1.1 POST call. +2. **Identity Exchange**: The downstream Envoy's reverse connection handshake contains identity information (node ID, cluster ID, tenant ID). +3. **Authentication**: Optional authentication and authorization checks are performed by the upstream Envoy on receiving the handshake request. +4. **Connection Establishment**: Post a successful handshake, the upstream Envoy stores the TCP socket mapped to the downstream node ID. + +.. _config_reverse_connection_stats: + +Statistics +---------- + +The reverse connection extensions emit the following statistics: + +**Downstream Extension:** + +The downstream reverse connection extension emits both host-level and cluster-level statistics for connection states. The stat names follow the pattern: + +- Host-level: ``.host..`` +- Cluster-level: ``.cluster..`` + +Where ```` can be one of: + +.. csv-table:: + :header: State, Type, Description + :widths: 1, 1, 2 + + connecting, Gauge, Number of connections currently being established + connected, Gauge, Number of successfully established connections + failed, Gauge, Number of failed connection attempts + recovered, Gauge, Number of connections that recovered from failure + backoff, Gauge, Number of hosts currently in backoff state + cannot_connect, Gauge, Number of connection attempts that could not be initiated + unknown, Gauge, Number of connections in unknown state (fallback) + +For example, with ``stat_prefix: "downstream_rc"``: +- ``downstream_rc.host.192.168.1.1.connecting`` - connections being established to host 192.168.1.1 +- ``downstream_rc.cluster.upstream-cluster.connected`` - established connections to upstream-cluster + +**Upstream Extension:** + +The upstream reverse connection extension emits node-level and cluster-level statistics for accepted connections. The stat names follow the pattern: + +- Node-level: ``reverse_connections.nodes.`` +- Cluster-level: ``reverse_connections.clusters.`` + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + reverse_connections.nodes., Gauge, Number of active connections from downstream node + reverse_connections.clusters., Gauge, Number of active connections from downstream cluster + +For example: +- ``reverse_connections.nodes.node-1`` - active connections from downstream node "node-1" +- ``reverse_connections.clusters.downstream-cluster`` - active connections from downstream cluster "downstream-cluster" + +.. _config_reverse_connection_security: + +Security Considerations +----------------------- + +Reverse connections should be used with appropriate security measures: + +* **Authentication**: Implement proper authentication mechanisms for handshake validation +* **Authorization**: Validate that downstream nodes are authorized to connect to upstream clusters +* **TLS**: Use TLS transport sockets for encrypted communication +* **Network Policies**: Restrict network access to only allow expected downstream-to-upstream communication +* **Monitoring**: Monitor connection statistics and handshake failures for security anomalies + +.. _config_reverse_connection_examples: + +Examples +-------- + +.. _config_reverse_connection_simple: + +Simple Reverse Connection +~~~~~~~~~~~~~~~~~~~~~~~~~ + +A basic configuration example for using the downstream and upstream reverse connection socket interfaces +are shown below. + +**Downstream Configuration:** + +.. validated-code-block:: yaml + :type-name: envoy.config.bootstrap.v3.Bootstrap + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_rc" + + static_resources: + listeners: + - name: reverse_listener + address: + socket_address: + address: "rc://node-1:downstream-cluster:tenant-a@upstream-cluster:3" + port_value: 0 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: upstream-cluster + + clusters: + - name: upstream-cluster + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + load_assignment: + cluster_name: upstream-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: "upstream.example.com" + port_value: 8080 + +**Upstream Configuration:** + +.. validated-code-block:: yaml + :type-name: envoy.config.bootstrap.v3.Bootstrap + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_rc" + + static_resources: + listeners: + - name: upstream_listener + address: + socket_address: + address: "0.0.0.0" + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: backend + + clusters: + - name: backend + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + load_assignment: + cluster_name: backend + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: "backend.example.com" + port_value: 9000 + +.. _config_reverse_connection_multi_cluster: + +Multiple Clusters +~~~~~~~~~~~~~~~~~ + +Configure reverse connections to multiple upstream clusters: + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: multi_cluster_listener + address: + socket_address: + address: "rc://node-1:downstream-cluster:tenant-a@cluster-a:2" + port_value: 0 + additional_addresses: + - address: + socket_address: + address: "rc://node-1:downstream-cluster:tenant-a@cluster-b:3" + port_value: 0 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: dynamic_cluster + +This configuration establishes: +* 2 connections to ``cluster-a`` +* 3 connections to ``cluster-b`` + +.. _config_reverse_connection_tls: + +TLS-Enabled Reverse Connections +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add TLS encryption to reverse connections: + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: tls_reverse_listener + address: + socket_address: + address: "rc://node-1:downstream-cluster:tenant-a@upstream-cluster:2" + port_value: 0 + filter_chains: + - transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + common_tls_context: + tls_certificates: + - certificate_chain: + filename: "/etc/ssl/certs/downstream.crt" + private_key: + filename: "/etc/ssl/private/downstream.key" + validation_context: + trusted_ca: + filename: "/etc/ssl/certs/ca.crt" + filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: upstream-cluster diff --git a/envoy/network/connection.h b/envoy/network/connection.h index 0ae30475b9dc5..4ddac0f5be5a5 100644 --- a/envoy/network/connection.h +++ b/envoy/network/connection.h @@ -342,6 +342,11 @@ class Connection : public Event::DeferredDeletable, */ virtual bool aboveHighWatermark() const PURE; + /** + * @return ConnectionSocketPtr& To get socket from current connection. + */ + virtual const ConnectionSocketPtr& getSocket() const PURE; + /** * Get the socket options set on this connection. */ diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index 5ee1c51d7a9c5..870305c4674cc 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -120,8 +120,8 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt } ConnectionImpl::~ConnectionImpl() { - ASSERT(!socket_->isOpen() && delayed_close_timer_ == nullptr, - "ConnectionImpl was unexpectedly torn down without being closed."); + ASSERT((socket_ == nullptr || !socket_->isOpen()) && delayed_close_timer_ == nullptr, + "ConnectionImpl destroyed with open socket and/or active timer"); // In general we assume that owning code has called close() previously to the destructor being // run. This generally must be done so that callbacks run in the correct context (vs. deferred @@ -148,6 +148,8 @@ bool ConnectionImpl::initializeReadFilters() { return filter_manager_.initialize void ConnectionImpl::close(ConnectionCloseType type) { if (!socket_->isOpen()) { + ENVOY_CONN_LOG_EVENT(debug, "connection_closing", + "Not closing conn, socket object is null or socket is not open", *this); return; } @@ -286,7 +288,7 @@ void ConnectionImpl::setDetectedCloseType(DetectedCloseType close_type) { } void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_action) { - if (!socket_->isOpen()) { + if (socket_ == nullptr || !socket_->isOpen()) { return; } @@ -301,7 +303,11 @@ void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_actio } void ConnectionImpl::closeSocket(ConnectionEvent close_type) { + ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}", *this, + socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false); + if (!socket_->isOpen()) { + ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); return; } @@ -887,7 +893,7 @@ void ConnectionImpl::onWriteReady() { } // If a callback closes the socket, stop iterating. - if (!socket_->isOpen()) { + if (socket_ == nullptr || !socket_->isOpen()) { return; } } @@ -925,8 +931,6 @@ bool ConnectionImpl::setSocketOption(Network::SocketOptionName name, absl::Span< Api::SysCallIntResult result = SocketOptionImpl::setSocketOption(*socket_, name, value.data(), value.size()); if (result.return_value_ != 0) { - ENVOY_LOG(warn, "Setting option on socket failed, errno: {}, message: {}", result.errno_, - errorDetails(result.errno_)); return false; } diff --git a/source/common/network/connection_impl.h b/source/common/network/connection_impl.h index 8bfa88878c5cd..10b5cbdfafcd8 100644 --- a/source/common/network/connection_impl.h +++ b/source/common/network/connection_impl.h @@ -62,6 +62,8 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback void removeReadFilter(ReadFilterSharedPtr filter) override; bool initializeReadFilters() override; + const ConnectionSocketPtr& getSocket() const override { return socket_; } + // Network::Connection void addBytesSentCallback(BytesSentCb cb) override; void enableHalfClose(bool enabled) override; @@ -91,7 +93,7 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback absl::optional unixSocketPeerCredentials() const override; Ssl::ConnectionInfoConstSharedPtr ssl() const override { // SSL info may be overwritten by a filter in the provider. - return socket_->connectionInfoProvider().sslConnection(); + return (socket_ != nullptr) ? socket_->connectionInfoProvider().sslConnection() : nullptr; } State state() const override; bool connecting() const override { diff --git a/source/common/network/multi_connection_base_impl.h b/source/common/network/multi_connection_base_impl.h index 13e0c0a636a17..c725ad75dca62 100644 --- a/source/common/network/multi_connection_base_impl.h +++ b/source/common/network/multi_connection_base_impl.h @@ -134,6 +134,8 @@ class MultiConnectionBaseImpl : public ClientConnection, void hashKey(std::vector& hash_key) const override; void dumpState(std::ostream& os, int indent_level) const override; + const Network::ConnectionSocketPtr& getSocket() const override { PANIC("not implemented"); } + private: // ConnectionCallbacks which will be set on an ClientConnection which // sends connection events back to the MultiConnectionBaseImpl. diff --git a/source/common/quic/quic_filter_manager_connection_impl.h b/source/common/quic/quic_filter_manager_connection_impl.h index 90a20b6e6ea70..d3cd1019d2482 100644 --- a/source/common/quic/quic_filter_manager_connection_impl.h +++ b/source/common/quic/quic_filter_manager_connection_impl.h @@ -146,6 +146,7 @@ class QuicFilterManagerConnectionImpl : public Network::ConnectionImplBase, void configureInitialCongestionWindow(uint64_t bandwidth_bits_per_sec, std::chrono::microseconds rtt) override; absl::optional congestionWindowInBytes() const override; + const Network::ConnectionSocketPtr& getSocket() const override { PANIC("not implemented"); } // Network::FilterManagerConnection void rawWrite(Buffer::Instance& data, bool end_stream) override; diff --git a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h index 01ec2f3015b7e..e6053dd0c22c0 100644 --- a/source/extensions/api_listeners/default_api_listener/api_listener_impl.h +++ b/source/extensions/api_listeners/default_api_listener/api_listener_impl.h @@ -118,6 +118,7 @@ class ApiListenerImplBase : public Server::ApiListener, void removeConnectionCallbacks(Network::ConnectionCallbacks& cb) override { callbacks_.remove(&cb); } + const Network::ConnectionSocketPtr& getSocket() const override { PANIC("not implemented"); } void addBytesSentCallback(Network::Connection::BytesSentCb) override { IS_ENVOY_BUG("Unexpected function call"); } diff --git a/source/extensions/bootstrap/reverse_tunnel/common/BUILD b/source/extensions/bootstrap/reverse_tunnel/common/BUILD index 5388185785ceb..3ef032f2bdd2c 100644 --- a/source/extensions/bootstrap/reverse_tunnel/common/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/common/BUILD @@ -18,5 +18,7 @@ envoy_cc_extension( "//envoy/network:connection_interface", "//source/common/buffer:buffer_lib", "//source/common/common:logger_lib", + "//source/common/http:header_map_lib", + "//source/common/http:headers_lib", ], ) diff --git a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h index d11800a5304a0..07373f590dfd2 100644 --- a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h +++ b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h @@ -7,7 +7,10 @@ #include "source/common/buffer/buffer_impl.h" #include "source/common/common/logger.h" +#include "source/common/http/header_map_impl.h" +#include "source/common/http/headers.h" +#include "absl/strings/str_cat.h" #include "absl/strings/string_view.h" namespace Envoy { @@ -36,6 +39,25 @@ class ReverseConnectionUtility : public Logger::Loggable ReverseConnectionUtility() = delete; }; +// Header names used by reverse tunnel handshake over HTTP. +inline const Http::LowerCaseString& reverseTunnelNodeIdHeader() { + static const Http::LowerCaseString kHeader{ + absl::StrCat(Http::Headers::get().prefix(), "-reverse-tunnel-node-id")}; + return kHeader; +} + +inline const Http::LowerCaseString& reverseTunnelClusterIdHeader() { + static const Http::LowerCaseString kHeader{ + absl::StrCat(Http::Headers::get().prefix(), "-reverse-tunnel-cluster-id")}; + return kHeader; +} + +inline const Http::LowerCaseString& reverseTunnelTenantIdHeader() { + static const Http::LowerCaseString kHeader{ + absl::StrCat(Http::Headers::get().prefix(), "-reverse-tunnel-tenant-id")}; + return kHeader; +} + class ReverseConnectionMessageHandlerFactory { public: static std::shared_ptr createPingHandler(); diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD new file mode 100644 index 0000000000000..cef2da998723f --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -0,0 +1,108 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_cc_library", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_library( + name = "reverse_connection_address_lib", + srcs = ["reverse_connection_address.cc"], + hdrs = ["reverse_connection_address.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/network:address_interface", + "//source/common/network:address_lib", + "//source/common/network:socket_interface_lib", + ], +) + +envoy_cc_extension( + name = "reverse_connection_resolver_lib", + srcs = ["reverse_connection_resolver.cc"], + hdrs = ["reverse_connection_resolver.h"], + visibility = ["//visibility:public"], + deps = [ + ":reverse_connection_address_lib", + "//envoy/network:resolver_interface", + "//envoy/registry", + ], +) + +envoy_cc_library( + name = "reverse_tunnel_extension_lib", + srcs = ["reverse_tunnel_initiator_extension.cc"], + hdrs = ["reverse_tunnel_initiator_extension.h"], + visibility = ["//visibility:public"], + deps = [ + "//envoy/server:bootstrap_extension_config_interface", + "//envoy/stats:stats_interface", + "//envoy/thread_local:thread_local_interface", + "//source/common/common:logger_lib", + "//source/common/stats:symbol_table_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "reverse_connection_io_handle_lib", + srcs = [ + "downstream_reverse_connection_io_handle.cc", + "rc_connection_wrapper.cc", + "reverse_connection_io_handle.cc", + ], + hdrs = [ + "downstream_reverse_connection_io_handle.h", + "rc_connection_wrapper.h", + "reverse_connection_io_handle.h", + "reverse_connection_load_balancer_context.h", + ], + visibility = ["//visibility:public"], + deps = [ + ":reverse_connection_address_lib", + ":reverse_tunnel_extension_lib", + "//envoy/api:io_error_interface", + "//envoy/grpc:async_client_interface", + "//envoy/network:address_interface", + "//envoy/network:io_handle_interface", + "//envoy/network:socket_interface", + "//envoy/stats:stats_interface", + "//envoy/stats:stats_macros", + "//envoy/upstream:cluster_manager_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + "//source/common/grpc:typed_async_client_lib", + "//source/common/http:codec_client_lib", + "//source/common/http/http1:codec_lib", + "//source/common/http/http1:codec_stats_lib", + "//source/common/network:address_lib", + "//source/common/network:connection_socket_lib", + "//source/common/network:default_socket_interface_lib", + "//source/common/network:filter_lib", + "//source/common/upstream:load_balancer_context_base_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + ], +) + +envoy_cc_extension( + name = "reverse_tunnel_initiator_lib", + srcs = ["reverse_tunnel_initiator.cc"], + hdrs = ["reverse_tunnel_initiator.h"], + visibility = ["//visibility:public"], + deps = [ + ":reverse_connection_address_lib", + ":reverse_connection_io_handle_lib", + ":reverse_tunnel_extension_lib", + "//envoy/network:socket_interface", + "//envoy/registry", + "//envoy/server:bootstrap_extension_config_interface", + "//source/common/common:logger_lib", + "//source/common/network:address_lib", + "//source/common/network:socket_interface_lib", + "//source/common/protobuf:utility_lib", + ], +) diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc new file mode 100644 index 0000000000000..f778bae8789ee --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc @@ -0,0 +1,96 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" + +#include "source/common/common/logger.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// DownstreamReverseConnectionIOHandle constructor implementation +DownstreamReverseConnectionIOHandle::DownstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, ReverseConnectionIOHandle* parent, + const std::string& connection_key) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), owned_socket_(std::move(socket)), + parent_(parent), connection_key_(connection_key) { + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: taking ownership of socket with FD: {} for " + "connection key: {}", + fd_, connection_key_); +} + +// DownstreamReverseConnectionIOHandle destructor implementation +DownstreamReverseConnectionIOHandle::~DownstreamReverseConnectionIOHandle() { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: destroying handle for FD: {} with connection key: {}", + fd_, connection_key_); +} + +// DownstreamReverseConnectionIOHandle close() implementation. +Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: closing handle for FD: {} with connection key: {}", fd_, + connection_key_); + + // If we're ignoring close calls during socket hand-off, just return success. + if (ignore_close_and_shutdown_) { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: ignoring close() call during socket hand-off for " + "connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); + } + + // Prevent double-closing by checking if already closed + if (fd_ < 0) { + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: handle already closed for connection key: {}", + connection_key_); + return Api::ioCallUint64ResultNoError(); + } + + // Notify parent that this downstream connection has been closed + // This will trigger re-initiation of the reverse connection if needed. + if (parent_) { + parent_->onDownstreamConnectionClosed(connection_key_); + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: notified parent of connection closure for key: {}", + connection_key_); + } + + // Reset the owned socket to properly close the connection. + if (owned_socket_) { + owned_socket_.reset(); + } + return IoSocketHandleImpl::close(); +} + +// DownstreamReverseConnectionIOHandle shutdown() implementation. +Api::SysCallIntResult DownstreamReverseConnectionIOHandle::shutdown(int how) { + ENVOY_LOG(trace, + "DownstreamReverseConnectionIOHandle: shutdown({}) called for FD: {} with connection " + "key: {}", + how, fd_, connection_key_); + + // If we're ignoring shutdown calls during socket hand-off, just return success. + if (ignore_close_and_shutdown_) { + ENVOY_LOG( + debug, + "DownstreamReverseConnectionIOHandle: ignoring shutdown() call during socket hand-off " + "for connection key: {}", + connection_key_); + return Api::SysCallIntResult{0, 0}; + } + + return IoSocketHandleImpl::shutdown(how); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h new file mode 100644 index 0000000000000..27d04f1d2a5cd --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h @@ -0,0 +1,65 @@ +#pragma once + +#include + +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" + +#include "source/common/common/logger.h" +#include "source/common/network/io_socket_handle_impl.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declaration. +class ReverseConnectionIOHandle; + +/** + * Custom IoHandle for downstream reverse connections that owns a ConnectionSocket. + * This class is used internally by ReverseConnectionIOHandle to manage the lifecycle + * of accepted downstream connections. + */ +class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructor that takes ownership of the socket and stores parent pointer and connection key. + */ + DownstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + ReverseConnectionIOHandle* parent, + const std::string& connection_key); + + ~DownstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + Api::IoCallUint64Result close() override; + Api::SysCallIntResult shutdown(int how) override; + + /** + * Tell this IO handle to ignore close() and shutdown() calls. + * This is called by the HTTP filter during socket hand-off to prevent + * the handed-off socket from being affected by connection cleanup. + */ + void ignoreCloseAndShutdown() { ignore_close_and_shutdown_ = true; } + + /** + * Get the owned socket for read-only access. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The socket that this IOHandle owns and manages lifetime for. + Network::ConnectionSocketPtr owned_socket_; + // Pointer to parent ReverseConnectionIOHandle for connection lifecycle management. + ReverseConnectionIOHandle* parent_; + // Connection key for tracking this specific connection. + std::string connection_key_; + // Flag to ignore close and shutdown calls during socket hand-off. + bool ignore_close_and_shutdown_{false}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc new file mode 100644 index 0000000000000..250ff18a14476 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc @@ -0,0 +1,216 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" + +#include "envoy/network/address.h" +#include "envoy/network/connection.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/http/header_map_impl.h" +#include "source/common/http/utility.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/connection_socket_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// RCConnectionWrapper constructor implementation +RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, + Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name) + : parent_(parent), connection_(std::move(connection)), host_(std::move(host)), + cluster_name_(cluster_name) { + ENVOY_LOG(debug, "RCConnectionWrapper: Using HTTP handshake for reverse connections"); +} + +// RCConnectionWrapper destructor implementation. +RCConnectionWrapper::~RCConnectionWrapper() { + ENVOY_LOG(debug, "RCConnectionWrapper destructor called"); + this->shutdown(); +} + +void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { + if (event == Network::ConnectionEvent::RemoteClose) { + if (!connection_) { + ENVOY_LOG(debug, "RCConnectionWrapper: connection is null, skipping event handling"); + return; + } + + // Store connection info before it gets invalidated. + const std::string connectionKey = + connection_->connectionInfoProvider().localAddress()->asString(); + const uint64_t connectionId = connection_->id(); + + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, found connection {} remote closed", + connectionId, connectionKey); + + // Don't call shutdown() here as it may cause cleanup during event processing + // Instead, just notify parent of closure. + parent_.onConnectionDone("Connection closed", this, true); + } +} + +// SimpleConnReadFilter::onData implementation. +Network::FilterStatus SimpleConnReadFilter::onData(Buffer::Instance& buffer, bool end_stream) { + if (parent_ == nullptr) { + return Network::FilterStatus::StopIteration; + } + + // Cast parent_ back to RCConnectionWrapper. + RCConnectionWrapper* wrapper = static_cast(parent_); + + wrapper->dispatchHttp1(buffer); + UNREFERENCED_PARAMETER(end_stream); + return Network::FilterStatus::StopIteration; +} + +std::string RCConnectionWrapper::connect(const std::string& src_tenant_id, + const std::string& src_cluster_id, + const std::string& src_node_id) { + // Register connection callbacks. + ENVOY_LOG(debug, "RCConnectionWrapper: connection: {}, adding connection callbacks", + connection_->id()); + connection_->addConnectionCallbacks(*this); + connection_->connect(); + + // Use HTTP handshake. + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, sending reverse connection creation " + "request through HTTP", + connection_->id()); + + // Create HTTP/1 codec to parse the response. + Http::Http1Settings http1_settings = host_->cluster().http1Settings(); + http1_client_codec_ = std::make_unique( + *connection_, host_->cluster().http1CodecStats(), *this, http1_settings, + host_->cluster().maxResponseHeadersKb(), host_->cluster().maxResponseHeadersCount()); + http1_parse_connection_ = http1_client_codec_.get(); + + // Add a tiny read filter to feed bytes into the codec for response parsing. + connection_->addReadFilter(Network::ReadFilterSharedPtr{new SimpleConnReadFilter(this)}); + + // Build HTTP handshake headers with identifiers. + absl::string_view tenant_id = src_tenant_id; + absl::string_view cluster_id = src_cluster_id; + absl::string_view node_id = src_node_id; + std::string host_value; + const auto& remote_address = connection_->connectionInfoProvider().remoteAddress(); + // This is used when reverse connections need to be established through a HTTP proxy. + // The reverse connection listener connects to an internal cluster, to which an + // internal listener listens. This internal listener has tunneling configuration + // to tcp proxy the reverse connection requests over HTTP/1 CONNECT to the remote + // proxy. + if (remote_address->type() == Network::Address::Type::EnvoyInternal) { + const auto& internal_address = + std::dynamic_pointer_cast(remote_address); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is internal " + "listener {}, using endpoint ID in host header", + connection_->id(), internal_address->envoyInternalAddress()->addressId()); + host_value = internal_address->envoyInternalAddress()->endpointId(); + } else { + host_value = remote_address->asString(); + ENVOY_LOG(debug, + "RCConnectionWrapper: connection: {}, remote address is external, " + "using address as host header", + connection_->id()); + } + const Http::LowerCaseString& node_hdr = + ::Envoy::Extensions::Bootstrap::ReverseConnection::reverseTunnelNodeIdHeader(); + const Http::LowerCaseString& cluster_hdr = + ::Envoy::Extensions::Bootstrap::ReverseConnection::reverseTunnelClusterIdHeader(); + const Http::LowerCaseString& tenant_hdr = + ::Envoy::Extensions::Bootstrap::ReverseConnection::reverseTunnelTenantIdHeader(); + + auto headers = Http::createHeaderMap({ + {Http::Headers::get().Method, Http::Headers::get().MethodValues.Get}, + {Http::Headers::get().Path, "/reverse_connections/request"}, + {Http::Headers::get().Host, host_value}, + }); + headers->addCopy(node_hdr, std::string(node_id)); + headers->addCopy(cluster_hdr, std::string(cluster_id)); + headers->addCopy(tenant_hdr, std::string(tenant_id)); + headers->setContentLength(0); + + // Encode via HTTP/1 codec. + Http::RequestEncoder& request_encoder = http1_client_codec_->newStream(*this); + const Http::Status encode_status = request_encoder.encodeHeaders(*headers, true); + if (!encode_status.ok()) { + ENVOY_LOG(error, "RCConnectionWrapper: encodeHeaders failed: {}", encode_status.message()); + onHandshakeFailure("HTTP handshake encode failed"); + } + + return connection_->connectionInfoProvider().localAddress()->asString(); +} + +void RCConnectionWrapper::decodeHeaders(Http::ResponseHeaderMapPtr&& headers, bool) { + const uint64_t status = Http::Utility::getResponseStatus(*headers); + if (status == 200) { + ENVOY_LOG(debug, "Received HTTP 200 OK response"); + onHandshakeSuccess(); + } else { + ENVOY_LOG(error, "Received non-200 HTTP response: {}", status); + onHandshakeFailure("HTTP handshake failed with non-200 response"); + } +} + +void RCConnectionWrapper::dispatchHttp1(Buffer::Instance& buffer) { + if (http1_parse_connection_ != nullptr) { + const Http::Status status = http1_parse_connection_->dispatch(buffer); + if (!status.ok()) { + ENVOY_LOG(debug, "RCConnectionWrapper: HTTP/1 codec dispatch error: {}", status.message()); + } + } +} + +void RCConnectionWrapper::onHandshakeSuccess() { + std::string message = "reverse connection accepted"; + ENVOY_LOG(debug, "handshake succeeded: {}", message); + parent_.onConnectionDone(message, this, false); +} + +void RCConnectionWrapper::onHandshakeFailure(const std::string& message) { + ENVOY_LOG(debug, "handshake failed: {}", message); + parent_.onConnectionDone(message, this, false); +} + +void RCConnectionWrapper::shutdown() { + if (!connection_) { + ENVOY_LOG(error, "RCConnectionWrapper: Connection already null, nothing to shutdown"); + return; + } + + ENVOY_LOG(debug, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", + connection_->id(), static_cast(connection_->state())); + + // Remove connection callbacks first to prevent recursive calls during shutdown. + auto state = connection_->state(); + if (state != Network::Connection::State::Closed) { + connection_->removeConnectionCallbacks(*this); + ENVOY_LOG(debug, "Connection callbacks removed"); + } + + // Close the connection if it's still open. + state = connection_->state(); + if (state == Network::Connection::State::Open) { + ENVOY_LOG(debug, "Closing open connection gracefully"); + connection_->close(Network::ConnectionCloseType::FlushWrite); + } else if (state == Network::Connection::State::Closing) { + ENVOY_LOG(debug, "Connection already closing"); + } else { + ENVOY_LOG(debug, "Connection already closed"); + } + + // Clear the connection pointer to prevent further access. + connection_.reset(); + ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown completed"); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h new file mode 100644 index 0000000000000..68828336a43d7 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h @@ -0,0 +1,166 @@ +#pragma once + +#include +#include + +#include "envoy/buffer/buffer.h" +#include "envoy/event/deferred_deletable.h" +#include "envoy/http/codec.h" +#include "envoy/network/connection.h" +#include "envoy/network/filter.h" +#include "envoy/upstream/upstream.h" + +#include "source/common/common/logger.h" +#include "source/common/http/http1/codec_impl.h" +#include "source/common/network/filter_impl.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declaration. +class ReverseConnectionIOHandle; + +/** + * Simple read filter for handling reverse connection handshake responses. + * This filter processes the HTTP response from the upstream server during handshake. + */ +class SimpleConnReadFilter : public Network::ReadFilterBaseImpl, + public Logger::Loggable { +public: + /** + * Constructor that stores pointer to parent wrapper. + */ + explicit SimpleConnReadFilter(void* parent) : parent_(parent) {} + + // Network::ReadFilter overrides + Network::FilterStatus onData(Buffer::Instance& buffer, bool end_stream) override; + +private: + void* parent_; // Pointer to RCConnectionWrapper to avoid circular dependency. +}; + +/** + * Wrapper for reverse connections that manages the connection lifecycle and handshake. + * It handles the handshake process (both gRPC and HTTP fallback) and manages connection + * callbacks and cleanup. + */ +class RCConnectionWrapper : public Network::ConnectionCallbacks, + public Event::DeferredDeletable, + public Logger::Loggable, + public Http::ResponseDecoder, + public Http::ConnectionCallbacks { + friend class SimpleConnReadFilterTest; + +public: + /** + * Constructor for RCConnectionWrapper. + * @param parent reference to the parent ReverseConnectionIOHandle + * @param connection the client connection to wrap + * @param host the upstream host description + * @param cluster_name the name of the cluster + */ + RCConnectionWrapper(ReverseConnectionIOHandle& parent, Network::ClientConnectionPtr connection, + Upstream::HostDescriptionConstSharedPtr host, + const std::string& cluster_name); + + /** + * Destructor for RCConnectionWrapper. + * Performs defensive cleanup to prevent crashes during shutdown. + */ + ~RCConnectionWrapper() override; + + // Network::ConnectionCallbacks overrides + void onEvent(Network::ConnectionEvent event) override; + void onAboveWriteBufferHighWatermark() override {} + void onBelowWriteBufferLowWatermark() override {} + + // Http::ResponseDecoder overrides + void decode1xxHeaders(Http::ResponseHeaderMapPtr&&) override {} + void decodeHeaders(Http::ResponseHeaderMapPtr&& headers, bool end_stream) override; + void decodeData(Buffer::Instance&, bool) override {} + void decodeTrailers(Http::ResponseTrailerMapPtr&&) override {} + void decodeMetadata(Http::MetadataMapPtr&&) override {} + void dumpState(std::ostream&, int) const override {} + + // Http::ConnectionCallbacks overrides + void onGoAway(Http::GoAwayErrorCode) override {} + void onSettings(Http::ReceivedSettings&) override {} + void onMaxStreamsChanged(uint32_t) override {} + + /** + * Initiate the reverse connection handshake (HTTP only). + * @param src_tenant_id the tenant identifier + * @param src_cluster_id the cluster identifier + * @param src_node_id the node identifier + * @return the local address as string + */ + std::string connect(const std::string& src_tenant_id, const std::string& src_cluster_id, + const std::string& src_node_id); + + /** + * Release ownership of the connection. + * @return the connection pointer (ownership transferred to caller) + */ + Network::ClientConnectionPtr releaseConnection() { return std::move(connection_); } + + /** + * Process HTTP response from upstream. + * @param buffer the response data + * @param end_stream whether this is the end of the stream + */ + void processHttpResponse(Buffer::Instance& buffer, bool end_stream); + + /** + * Handle successful handshake completion. + */ + void onHandshakeSuccess(); + + /** + * Handle handshake failure. + * @param message error message + */ + void onHandshakeFailure(const std::string& message); + + /** + * Perform graceful shutdown of the connection. + */ + void shutdown(); + + /** + * Get the underlying connection. + * @return pointer to the client connection + */ + Network::ClientConnection* getConnection() { return connection_.get(); } + + /** + * Get the host description. + * @return shared pointer to the host description + */ + Upstream::HostDescriptionConstSharedPtr getHost() { return host_; } + +private: + ReverseConnectionIOHandle& parent_; + Network::ClientConnectionPtr connection_; + Upstream::HostDescriptionConstSharedPtr host_; + std::string cluster_name_; + std::string connection_key_; + bool http_handshake_sent_{false}; + bool handshake_completed_{false}; + +public: + // Dispatch incoming bytes to HTTP/1 codec. + void dispatchHttp1(Buffer::Instance& buffer); + +private: + // HTTP/1 codec used to send request and parse response. + std::unique_ptr http1_client_codec_; + // Base interface pointer used to call dispatch via public API. + Http::Connection* http1_parse_connection_{nullptr}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc new file mode 100644 index 0000000000000..dcf868020fb5c --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.cc @@ -0,0 +1,66 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" + +#include +#include +#include + +#include +#include + +#include "source/common/common/fmt.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +static const std::string reverse_connection_address = "127.0.0.1:0"; + +ReverseConnectionAddress::ReverseConnectionAddress(const ReverseConnectionConfig& config) + : config_(config) { + + // Create the logical name (rc:// address) for identification. + logical_name_ = fmt::format("rc://{}:{}:{}@{}:{}", config.src_node_id, config.src_cluster_id, + config.src_tenant_id, config.remote_cluster, config.connection_count); + + // Use localhost with a static port for the actual address string to pass IP validation + // This will be used by the filter chain manager for matching. + address_string_ = reverse_connection_address; + + ENVOY_LOG_MISC(debug, "reverse connection address: logical_name={}, address={}", logical_name_, + address_string_); +} + +bool ReverseConnectionAddress::operator==(const Instance& rhs) const { + const auto* reverse_conn_addr = dynamic_cast(&rhs); + if (reverse_conn_addr == nullptr) { + return false; + } + return config_.src_node_id == reverse_conn_addr->config_.src_node_id && + config_.src_cluster_id == reverse_conn_addr->config_.src_cluster_id && + config_.src_tenant_id == reverse_conn_addr->config_.src_tenant_id && + config_.remote_cluster == reverse_conn_addr->config_.remote_cluster && + config_.connection_count == reverse_conn_addr->config_.connection_count; +} + +const std::string& ReverseConnectionAddress::asString() const { return address_string_; } + +absl::string_view ReverseConnectionAddress::asStringView() const { return address_string_; } + +const std::string& ReverseConnectionAddress::logicalName() const { return logical_name_; } + +const sockaddr* ReverseConnectionAddress::sockAddr() const { + // Return a valid localhost sockaddr structure for IP validation. + static struct sockaddr_in addr; + addr.sin_family = AF_INET; + addr.sin_port = htons(0); // Port 0 + addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); // 127.0.0.1 + return reinterpret_cast(&addr); +} + +socklen_t ReverseConnectionAddress::sockAddrLen() const { return sizeof(struct sockaddr_in); } + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h new file mode 100644 index 0000000000000..7d0f78a501dbe --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h @@ -0,0 +1,85 @@ +#pragma once + +#include +#include + +#include + +#include "envoy/network/address.h" + +#include "source/common/common/logger.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Custom address type that embeds reverse connection metadata. + */ +class ReverseConnectionAddress : public Network::Address::Instance, + public Envoy::Logger::Loggable { +public: + // Struct to hold reverse connection configuration + struct ReverseConnectionConfig { + // Source node id of initiator envoy + std::string src_node_id; + // Source cluster id of initiator envoy + std::string src_cluster_id; + // Source tenant id of initiator envoy + std::string src_tenant_id; + // Remote cluster name of the reverse connection + std::string remote_cluster; + // Connection count of the reverse connection + uint32_t connection_count; + }; + + ReverseConnectionAddress(const ReverseConnectionConfig& config); + + // Network::Address::Instance + bool operator==(const Instance& rhs) const override; + Network::Address::Type type() const override { + return Network::Address::Type::Ip; + } // Use IP type with our custom IP implementation + const std::string& asString() const override; + absl::string_view asStringView() const override; + const std::string& logicalName() const override; + const Network::Address::Ip* ip() const override { return ipv4_instance_->ip(); } + const Network::Address::Pipe* pipe() const override { return nullptr; } + const Network::Address::EnvoyInternalAddress* envoyInternalAddress() const override { + return nullptr; + } + absl::optional networkNamespace() const override { return absl::nullopt; } + const sockaddr* sockAddr() const override; + socklen_t sockAddrLen() const override; + absl::string_view addressType() const override { return "reverse_connection"; } + const Network::SocketInterface& socketInterface() const override { + // Return the appropriate reverse connection socket interface for downstream connections + auto* reverse_socket_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); + if (reverse_socket_interface) { + ENVOY_LOG_MISC(debug, "reverse connection address: using reverse socket interface"); + return *reverse_socket_interface; + } + // Fallback to default socket interface if reverse connection interface is not available. + return Network::SocketInterfaceSingleton::get(); + } + + // Accessor for reverse connection config + const ReverseConnectionConfig& reverseConnectionConfig() const { return config_; } + +private: + ReverseConnectionConfig config_; + std::string address_string_; + std::string logical_name_; + // Use a regular Ipv4Instance for 127.0.0.1:0 + Network::Address::InstanceConstSharedPtr ipv4_instance_{ + std::make_shared("127.0.0.1", 0)}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc new file mode 100644 index 0000000000000..40e5ce9ecdf54 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -0,0 +1,1116 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +#include +#include +#include + +#include "envoy/event/deferred_deletable.h" +#include "envoy/network/address.h" +#include "envoy/network/connection.h" +#include "envoy/upstream/cluster_manager.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/connection_socket_impl.h" +#include "source/common/network/socket_interface_impl.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseConnectionIOHandle implementation +ReverseConnectionIOHandle::ReverseConnectionIOHandle(os_fd_t fd, + const ReverseConnectionSocketConfig& config, + Upstream::ClusterManager& cluster_manager, + ReverseTunnelInitiatorExtension* extension, + Stats::Scope&) + : IoSocketHandleImpl(fd), config_(config), cluster_manager_(cluster_manager), + extension_(extension), original_socket_fd_(fd) { + ENVOY_LOG_MISC( + debug, + "Created ReverseConnectionIOHandle: fd={}, src_node={}, src_cluster: {}, num_clusters={}", + fd_, config_.src_node_id, config_.src_cluster_id, config_.remote_clusters.size()); +} + +ReverseConnectionIOHandle::~ReverseConnectionIOHandle() { + ENVOY_LOG_MISC(debug, "Destroying ReverseConnectionIOHandle - performing cleanup."); + cleanup(); +} + +void ReverseConnectionIOHandle::cleanup() { + ENVOY_LOG_MISC(debug, "Starting cleanup of reverse connection resources."); + + // Clean up pipe trigger mechanism first to prevent use-after-free. + ENVOY_LOG_MISC(trace, + "ReverseConnectionIOHandle: cleaning up trigger pipe; " + "trigger_pipe_write_fd_={}, trigger_pipe_read_fd_={}", + trigger_pipe_write_fd_, trigger_pipe_read_fd_); + if (trigger_pipe_write_fd_ >= 0) { + ::close(trigger_pipe_write_fd_); + trigger_pipe_write_fd_ = -1; + } + if (trigger_pipe_read_fd_ >= 0) { + ::close(trigger_pipe_read_fd_); + trigger_pipe_read_fd_ = -1; + } + + // Cancel the retry timer safely. + if (rev_conn_retry_timer_) { + ENVOY_LOG_MISC(trace, "ReverseConnectionIOHandle: cancelling and resetting retry timer."); + rev_conn_retry_timer_.reset(); + } + // Graceful shutdown of connection wrappers with exception safety. + ENVOY_LOG_MISC(debug, "Gracefully shutting down {} connection wrappers.", + connection_wrappers_.size()); + + // Signal all connections to close gracefully. + std::vector> wrappers_to_delete; + for (auto& wrapper : connection_wrappers_) { + if (wrapper) { + ENVOY_LOG(debug, "Initiating graceful shutdown for connection wrapper."); + wrapper->shutdown(); + // Move wrapper for deferred cleanup + wrappers_to_delete.push_back(std::move(wrapper)); + } + } + + // Clear containers safely. + connection_wrappers_.clear(); + conn_wrapper_to_host_map_.clear(); + + // Clean up wrappers with safe deletion. + for (auto& wrapper : wrappers_to_delete) { + if (wrapper && isThreadLocalDispatcherAvailable()) { + getThreadLocalDispatcher().deferredDelete(std::move(wrapper)); + } else { + // Direct cleanup when dispatcher not available. + wrapper.reset(); + } + } + + // Clear cluster to hosts mapping. + cluster_to_resolved_hosts_map_.clear(); + host_to_conn_info_map_.clear(); + + // Clear established connections queue safely. + size_t queue_size = established_connections_.size(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Cleaning up {} established connections.", + queue_size); + + while (!established_connections_.empty()) { + auto connection = std::move(established_connections_.front()); + established_connections_.pop(); + + if (connection) { + auto state = connection->state(); + if (state == Envoy::Network::Connection::State::Open) { + connection->close(Envoy::Network::ConnectionCloseType::FlushWrite); + ENVOY_LOG(debug, "Closed established connection."); + } else { + ENVOY_LOG(debug, "Connection already in state: {}.", static_cast(state)); + } + } + } + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Completed established connections cleanup."); + + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Completed cleanup of reverse connection resources."); +} + +Api::SysCallIntResult ReverseConnectionIOHandle::listen(int) { + // No-op for reverse connections. + return Api::SysCallIntResult{0, 0}; +} + +void ReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatcher, + Event::FileReadyCb cb, + Event::FileTriggerType trigger, + uint32_t events) { + // Reverse connections should be initiated when initializeFileEvent() is called on a worker + // thread. + ENVOY_LOG(debug, + "ReverseConnectionIOHandle::initializeFileEvent() called on thread: {} for fd={}", + dispatcher.name(), fd_); + + if (is_reverse_conn_started_) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Skipping initializeFileEvent() call because " + "reverse connections are already started"); + return; + } + + ENVOY_LOG(info, "ReverseConnectionIOHandle: Starting reverse connections on worker thread '{}'", + dispatcher.name()); + + // Store worker dispatcher + worker_dispatcher_ = &dispatcher; + + // Create trigger pipe on worker thread. + if (!isTriggerPipeReady()) { + createTriggerPipe(); + if (!isTriggerPipeReady()) { + ENVOY_LOG(error, "Failed to create trigger pipe on worker thread"); + return; + } + } + + // CRITICAL: Replace the monitored FD with pipe read FD + // This must happen before any event registration. + int trigger_fd = getPipeMonitorFd(); + if (trigger_fd != -1) { + ENVOY_LOG(info, "Replacing monitored FD from {} to pipe read FD {}", fd_, trigger_fd); + fd_ = trigger_fd; + } + + // Initialize reverse connections on worker thread + if (!rev_conn_retry_timer_) { + rev_conn_retry_timer_ = dispatcher.createTimer([this]() { + ENVOY_LOG(debug, "Reverse connection timer triggered on worker thread"); + maintainReverseConnections(); + }); + maintainReverseConnections(); + } + + is_reverse_conn_started_ = true; + ENVOY_LOG(info, "ReverseConnectionIOHandle: Reverse connections started on thread '{}'", + dispatcher.name()); + + // Call parent implementation + IoSocketHandleImpl::initializeFileEvent(dispatcher, cb, trigger, events); +} + +Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* addr, + socklen_t* addrlen) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: accept() called"); + if (isTriggerPipeReady()) { + char trigger_byte; + ssize_t bytes_read = ::read(trigger_pipe_read_fd_, &trigger_byte, 1); + if (bytes_read == 1) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: received trigger, processing connection."); + // When a connection is established, a byte is written to the trigger_pipe_write_fd_ and the + // connection is inserted into the established_connections_ queue. The last connection in the + // queue is therefore the one that got established last. + if (!established_connections_.empty()) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: getting connection from queue."); + auto connection = std::move(established_connections_.front()); + established_connections_.pop(); + // Fill in address information for the reverse tunnel "client". + // Use actual client address from established connection. + if (addr && addrlen) { + const auto& remote_addr = connection->connectionInfoProvider().remoteAddress(); + + if (remote_addr) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: using actual client address: {}", + remote_addr->asString()); + const sockaddr* sock_addr = remote_addr->sockAddr(); + socklen_t addr_len = remote_addr->sockAddrLen(); + + if (*addrlen >= addr_len) { + memcpy(addr, sock_addr, addr_len); // NOLINT(safe-memcpy) + *addrlen = addr_len; + ENVOY_LOG(trace, "ReverseConnectionIOHandle: copied {} bytes of address data", + addr_len); + } else { + ENVOY_LOG(warn, + "ReverseConnectionIOHandle::accept() - buffer too small for address: " + "need {} bytes, have {}", + addr_len, *addrlen); + *addrlen = addr_len; // Still set the required length + } + } else { + ENVOY_LOG(warn, "ReverseConnectionIOHandle: no remote address available, " + "using synthetic localhost address"); + // Fallback to synthetic address only when remote address is unavailable + auto synthetic_addr = + std::make_shared("127.0.0.1", 0); + const sockaddr* sock_addr = synthetic_addr->sockAddr(); + socklen_t addr_len = synthetic_addr->sockAddrLen(); + if (*addrlen >= addr_len) { + memcpy(addr, sock_addr, addr_len); // NOLINT(safe-memcpy) + *addrlen = addr_len; + } else { + ENVOY_LOG(error, "ReverseConnectionIOHandle: buffer too small for synthetic address"); + *addrlen = addr_len; + } + } + } + + const std::string connection_key = + connection->connectionInfoProvider().localAddress()->asString(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: got connection key: {}", connection_key); + + // Instead of moving the socket, duplicate the file descriptor. + const Network::ConnectionSocketPtr& original_socket = connection->getSocket(); + if (!original_socket || !original_socket->isOpen()) { + ENVOY_LOG(error, "Original socket is not available or not open"); + return nullptr; + } + + // Duplicate the file descriptor. + Network::IoHandlePtr duplicated_handle = original_socket->ioHandle().duplicate(); + if (!duplicated_handle || !duplicated_handle->isOpen()) { + ENVOY_LOG(error, "Failed to duplicate file descriptor"); + return nullptr; + } + + os_fd_t original_fd = original_socket->ioHandle().fdDoNotUse(); + os_fd_t duplicated_fd = duplicated_handle->fdDoNotUse(); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: duplicated fd: original_fd={}, duplicated_fd={}", + original_fd, duplicated_fd); + + // Create a new socket with the duplicated handle. + Network::ConnectionSocketPtr duplicated_socket = + std::make_unique( + std::move(duplicated_handle), + original_socket->connectionInfoProvider().localAddress(), + original_socket->connectionInfoProvider().remoteAddress()); + + // Reset file events on the duplicated socket to clear any inherited events. + duplicated_socket->ioHandle().resetFileEvents(); + + // Create RAII-based IoHandle with duplicated socket, passing parent pointer and connection + // key. + auto io_handle = std::make_unique( + std::move(duplicated_socket), this, connection_key); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket."); + + // Reset file events on the original socket to prevent any pending operations. The socket + // fd has been duplicated, so we have an independent fd. Closing the original connection + // will only close its fd, not affect our duplicated fd. + // + // Note: For raw TCP connections, no shutdown() is called during close, only close() on + // the fd, which doesn't affect the duplicated fd. + original_socket->ioHandle().resetFileEvents(); + + // Close the original connection. + connection->close(Network::ConnectionCloseType::NoFlush); + + ENVOY_LOG(debug, "ReverseConnectionIOHandle: returning io_handle."); + return io_handle; + } + } else if (bytes_read == 0) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: trigger pipe closed."); + return nullptr; + } else if (bytes_read == -1 && errno != EAGAIN && errno != EWOULDBLOCK) { + ENVOY_LOG(error, "ReverseConnectionIOHandle: error reading from trigger pipe: {}", + errorDetails(errno)); + return nullptr; + } + } + return nullptr; +} + +Api::IoCallUint64Result ReverseConnectionIOHandle::read(Buffer::Instance& buffer, + absl::optional max_length) { + ENVOY_LOG(trace, "Read operation - max_length: {}", max_length.value_or(0)); + auto result = IoSocketHandleImpl::read(buffer, max_length); + return result; +} + +Api::IoCallUint64Result ReverseConnectionIOHandle::write(Buffer::Instance& buffer) { + ENVOY_LOG(trace, "Write operation - {} bytes", buffer.length()); + auto result = IoSocketHandleImpl::write(buffer); + return result; +} + +Api::SysCallIntResult +ReverseConnectionIOHandle::connect(Envoy::Network::Address::InstanceConstSharedPtr address) { + // This is not used for reverse connections. + ENVOY_LOG(trace, "Connect operation - address: {}", address->asString()); + // For reverse connections, connect calls are handled through the tunnel mechanism. + return IoSocketHandleImpl::connect(address); +} + +// Note: This close method is called when the ReverseConnectionIOHandle itself is closed, which +// should typically happen when the listener is being drained. +// Individual reverse connections initiated by this ReverseConnectionIOHandle are managed via +// DownstreamReverseConnectionIOHandle RAII ownership. +Api::IoCallUint64Result ReverseConnectionIOHandle::close() { + ENVOY_LOG(error, "ReverseConnectionIOHandle: performing graceful shutdown."); + + // Clean up original socket FD + if (original_socket_fd_ != -1) { + ENVOY_LOG(error, "Closing original socket FD: {}.", original_socket_fd_); + ::close(original_socket_fd_); + original_socket_fd_ = -1; + } + + // CRITICAL: If we're using pipe trigger FD, let the IoSocketHandleImpl::close() + // close it and cleanup() set the pipe FDs to -1. + if (isTriggerPipeReady() && getPipeMonitorFd() == fd_) { + ENVOY_LOG(error, + "Skipping close of pipe trigger FD {} - will be handled by base close() method.", + fd_); + } + + return IoSocketHandleImpl::close(); +} + +void ReverseConnectionIOHandle::onEvent(Network::ConnectionEvent event) { + // This is called when connection events occur. + // For reverse connections, we handle these events through RCConnectionWrapper. + ENVOY_LOG(trace, "ReverseConnectionIOHandle: event: {}", static_cast(event)); +} + +int ReverseConnectionIOHandle::getPipeMonitorFd() const { return trigger_pipe_read_fd_; } + +// Use the thread-local registry to get the dispatcher. +Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { + // Get the thread-local dispatcher from the socket interface's registry. + auto* local_registry = extension_->getLocalRegistry(); + + if (local_registry) { + // Return the dispatcher from the thread-local registry. + ENVOY_LOG(debug, "ReverseConnectionIOHandle: dispatcher: {}", + local_registry->dispatcher().name()); + return local_registry->dispatcher(); + } + + ENVOY_BUG(false, "Failed to get dispatcher from thread-local registry"); + // This should never happen in normal operation, but we need to handle it gracefully. + RELEASE_ASSERT(worker_dispatcher_ != nullptr, "No dispatcher available"); + return *worker_dispatcher_; +} + +// Safe wrapper for accessing thread-local dispatcher +bool ReverseConnectionIOHandle::isThreadLocalDispatcherAvailable() const { + auto* local_registry = extension_->getLocalRegistry(); + return local_registry != nullptr; +} + +ReverseTunnelInitiatorExtension* ReverseConnectionIOHandle::getDownstreamExtension() const { + return extension_; +} + +void ReverseConnectionIOHandle::maybeUpdateHostsMappingsAndConnections( + const std::string& cluster_id, const std::vector& hosts) { + absl::flat_hash_set new_hosts(hosts.begin(), hosts.end()); + absl::flat_hash_set removed_hosts; + const auto& cluster_to_resolved_hosts_itr = cluster_to_resolved_hosts_map_.find(cluster_id); + if (cluster_to_resolved_hosts_itr != cluster_to_resolved_hosts_map_.end()) { + // removed_hosts contains the hosts that were previously resolved. + removed_hosts = cluster_to_resolved_hosts_itr->second; + } + for (const std::string& host : hosts) { + if (removed_hosts.find(host) != removed_hosts.end()) { + // Since the host still exists, we will remove it from removed_hosts. + removed_hosts.erase(host); + } + ENVOY_LOG(debug, "Adding remote host {} to cluster {}", host, cluster_id); + + // Update or create host info + auto host_it = host_to_conn_info_map_.find(host); + if (host_it == host_to_conn_info_map_.end()) { + ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host); + } else { + // Update cluster name if host moved to different cluster. + host_it->second.cluster_name = cluster_id; + } + } + cluster_to_resolved_hosts_map_[cluster_id] = new_hosts; + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Removing {} remote hosts from cluster {}", + removed_hosts.size(), cluster_id); + + // Remove the hosts present in removed_hosts. + for (const std::string& host : removed_hosts) { + removeStaleHostAndCloseConnections(host); + host_to_conn_info_map_.erase(host); + } +} + +void ReverseConnectionIOHandle::removeStaleHostAndCloseConnections(const std::string& host) { + ENVOY_LOG(info, "ReverseConnectionIOHandle: Removing all connections to remote host {}", host); + // Find all wrappers for this host. Each wrapper represents a reverse connection to the host. + std::vector wrappers_to_remove; + for (const auto& [wrapper, mapped_host] : conn_wrapper_to_host_map_) { + if (mapped_host == host) { + wrappers_to_remove.push_back(wrapper); + } + } + ENVOY_LOG(info, "Found {} connections to remove for host {}", wrappers_to_remove.size(), host); + // Remove wrappers and close connections. + for (auto* wrapper : wrappers_to_remove) { + ENVOY_LOG(debug, "Removing connection wrapper for host {}", host); + + // Get the connection from wrapper and close it. + auto* connection = wrapper->getConnection(); + if (connection && connection->state() == Network::Connection::State::Open) { + connection->close(Network::ConnectionCloseType::FlushWrite); + } + + // Remove from wrapper-to-host map. + conn_wrapper_to_host_map_.erase(wrapper); + // Remove the wrapper from connection_wrappers_ vector. + connection_wrappers_.erase( + std::remove_if(connection_wrappers_.begin(), connection_wrappers_.end(), + [wrapper](const std::unique_ptr& w) { + return w.get() == wrapper; + }), + connection_wrappers_.end()); + } + // Clear connection keys from host info. + auto host_it = host_to_conn_info_map_.find(host); + if (host_it != host_to_conn_info_map_.end()) { + host_it->second.connection_keys.clear(); + } +} + +void ReverseConnectionIOHandle::maintainClusterConnections( + const std::string& cluster_name, const RemoteClusterConnectionConfig& cluster_config) { + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Maintaining connections for cluster: {} with {} requested " + "connections per host", + cluster_name, cluster_config.reverse_connection_count); + + // Generate a temporary connection key for early failure tracking, to update stats gauges. + const std::string temp_connection_key = "temp_" + cluster_name + "_" + std::to_string(rand()); + + // Get thread local cluster to access resolved hosts. + auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); + if (thread_local_cluster == nullptr) { + ENVOY_LOG(error, "Cluster '{}' not found for reverse tunnel - will retry later", cluster_name); + updateConnectionState("", cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return; + } + // Get all resolved hosts for the cluster. + const auto& host_map_ptr = thread_local_cluster->prioritySet().crossPriorityHostMap(); + if (host_map_ptr == nullptr || host_map_ptr->empty()) { + ENVOY_LOG(error, "No hosts found in cluster '{}' - will retry later", cluster_name); + updateConnectionState("", cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return; + } + // Retrieve the resolved hosts for a cluster and update the corresponding maps. + std::vector resolved_hosts; + for (const auto& host_itr : *host_map_ptr) { + resolved_hosts.emplace_back(host_itr.first); + } + maybeUpdateHostsMappingsAndConnections(cluster_name, std::move(resolved_hosts)); + // Track successful connections for this cluster. + uint32_t total_successful_connections = 0; + uint32_t total_required_connections = + host_map_ptr->size() * cluster_config.reverse_connection_count; + + // Create connections to each host in the cluster. + for (const auto& [host_address, host] : *host_map_ptr) { + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Checking reverse connection count for host {} of cluster {}", + host_address, cluster_name); + + // Ensure HostConnectionInfo exists for this host. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it == host_to_conn_info_map_.end()) { + ENVOY_LOG(debug, "Creating HostConnectionInfo for host {} in cluster {}", host_address, + cluster_name); + host_to_conn_info_map_[host_address] = HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + cluster_config.reverse_connection_count, // target_connection_count from config + 0, // failure_count + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states + }; + } + + // Check if we should attempt connection to this host (backoff logic). + if (!shouldAttemptConnectionToHost(host_address, cluster_name)) { + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Skipping connection attempt to host {} due to backoff", + host_address); + continue; + } + // Get current number of successful connections to this host. + uint32_t current_connections = host_to_conn_info_map_[host_address].connection_keys.size(); + + ENVOY_LOG(info, + "ReverseConnectionIOHandle: Number of reverse connections to host {} of cluster {}: " + "Current: {}, Required: {}", + host_address, cluster_name, current_connections, + cluster_config.reverse_connection_count); + if (current_connections >= cluster_config.reverse_connection_count) { + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: No more reverse connections needed to host {} of cluster {}", + host_address, cluster_name); + total_successful_connections += current_connections; + continue; + } + const uint32_t needed_connections = + cluster_config.reverse_connection_count - current_connections; + + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Initiating {} reverse connections to host {} of remote " + "cluster '{}' from source node '{}'", + needed_connections, host_address, cluster_name, config_.src_node_id); + // Create the required number of connections to this specific host. + for (uint32_t i = 0; i < needed_connections; ++i) { + ENVOY_LOG(debug, "Initiating reverse connection number {} to host {} of cluster {}", i + 1, + host_address, cluster_name); + + bool success = initiateOneReverseConnection(cluster_name, host_address, host); + + if (success) { + total_successful_connections++; + ENVOY_LOG(debug, + "Successfully initiated reverse connection number {} to host {} of cluster {}", + i + 1, host_address, cluster_name); + } else { + ENVOY_LOG(error, "Failed to initiate reverse connection number {} to host {} of cluster {}", + i + 1, host_address, cluster_name); + } + } + } + // Update metrics based on overall success for the cluster. + if (total_successful_connections > 0) { + ENVOY_LOG(info, + "ReverseConnectionIOHandle: Successfully created {}/{} total reverse connections to " + "cluster {}", + total_successful_connections, total_required_connections, cluster_name); + } else { + ENVOY_LOG(error, + "ReverseConnectionIOHandle: Failed to create any reverse connections to cluster {} - " + "will retry later", + cluster_name); + } +} + +bool ReverseConnectionIOHandle::shouldAttemptConnectionToHost(const std::string& host_address, + const std::string&) { + if (!config_.enable_circuit_breaker) { + return true; + } + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it == host_to_conn_info_map_.end()) { + // Host entry should be present. + ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host_address); + return true; + } + auto& host_info = host_it->second; + auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + ENVOY_LOG(debug, "host: {} now: {} ms backoff_until: {} ms", host_address, + std::chrono::duration_cast(now.time_since_epoch()).count(), + std::chrono::duration_cast( + host_info.backoff_until.time_since_epoch()) + .count()); + // Check if we're still in backoff period. + if (now < host_info.backoff_until) { + auto remaining_ms = + std::chrono::duration_cast(host_info.backoff_until - now) + .count(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Host {} still in backoff for {}ms", host_address, + remaining_ms); + return false; + } + return true; +} + +void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_address, + const std::string& cluster_name) { + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it == host_to_conn_info_map_.end()) { + // If the host has been removed from the cluster, we don't need to track the failure. + ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host_address); + return; + } + auto& host_info = host_it->second; + host_info.failure_count++; + host_info.last_failure_time = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + // Calculate exponential backoff: base_delay * 2^(failure_count - 1) + const uint32_t base_delay_ms = 1000; // 1 second base delay + const uint32_t max_delay_ms = 30000; // 30 seconds max delay + + uint32_t backoff_delay_ms = base_delay_ms * (1 << (host_info.failure_count - 1)); + backoff_delay_ms = std::min(backoff_delay_ms, max_delay_ms); + // Update the backoff until time. This is used in shouldAttemptConnectionToHost() to check if we + // should attempt to connect to the host. + host_info.backoff_until = + host_info.last_failure_time + std::chrono::milliseconds(backoff_delay_ms); + + ENVOY_LOG(debug, "Host {} connection failure #{}, backoff until {}ms from now", host_address, + host_info.failure_count, backoff_delay_ms); + + // Mark host as in backoff state using host+cluster as connection key. For backoff, the connection + // key does not matter since we just need to mark the host and cluster that are in backoff state + // for. + const std::string backoff_connection_key = host_address + "_" + cluster_name + "_backoff"; + updateConnectionState(host_address, cluster_name, backoff_connection_key, + ReverseConnectionState::Backoff); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Marked host {} in cluster {} as Backoff with connection key {}", + host_address, cluster_name, backoff_connection_key); +} + +void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address) { + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it == host_to_conn_info_map_.end()) { + ENVOY_LOG(error, "HostConnectionInfo not found for host {} - this should not happen", + host_address); + return; + } + + auto& host_info = host_it->second; + auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + + // Check if the host is actually in backoff before resetting. + if (now >= host_info.backoff_until) { + ENVOY_LOG(debug, "Host {} is not in backoff, skipping reset", host_address); + return; + } + + host_info.failure_count = 0; + host_info.backoff_until = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Reset backoff for host {}", host_address); + + // Mark host as recovered using the same key used by backoff to change the state from backoff to + // recovered. + const std::string recovered_connection_key = + host_address + "_" + host_info.cluster_name + "_backoff"; + updateConnectionState(host_address, host_info.cluster_name, recovered_connection_key, + ReverseConnectionState::Recovered); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Marked host {} in cluster {} as Recovered with connection key {}", + host_address, host_info.cluster_name, recovered_connection_key); +} + +void ReverseConnectionIOHandle::updateConnectionState(const std::string& host_address, + const std::string& cluster_name, + const std::string& connection_key, + ReverseConnectionState new_state) { + // Update connection state in host info and handle old state. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + // Remove old state if it exists + auto old_state_it = host_it->second.connection_states.find(connection_key); + if (old_state_it != host_it->second.connection_states.end()) { + ReverseConnectionState old_state = old_state_it->second; + // Decrement old state gauge using unified function. + updateStateGauge(host_address, cluster_name, old_state, false /* decrement */); + } + + // Set new state + host_it->second.connection_states[connection_key] = new_state; + } + + // Increment new state gauge using unified function. + updateStateGauge(host_address, cluster_name, new_state, true /* increment */); + + ENVOY_LOG(debug, + "ReverseConnectionIOHandle:Updated connection {} state to {} for host {} in cluster {}", + connection_key, static_cast(new_state), host_address, cluster_name); +} + +void ReverseConnectionIOHandle::removeConnectionState(const std::string& host_address, + const std::string& cluster_name, + const std::string& connection_key) { + // Remove connection state from host info and decrement gauge + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + auto state_it = host_it->second.connection_states.find(connection_key); + if (state_it != host_it->second.connection_states.end()) { + ReverseConnectionState old_state = state_it->second; + // Decrement state gauge using unified function + updateStateGauge(host_address, cluster_name, old_state, false /* decrement */); + // Remove from map + host_it->second.connection_states.erase(state_it); + } + } + + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Removed connection {} state for host {} in cluster {}", + connection_key, host_address, cluster_name); +} + +void ReverseConnectionIOHandle::onDownstreamConnectionClosed(const std::string& connection_key) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Downstream connection closed: {}", connection_key); + + // Find the host for this connection key + std::string host_address; + std::string cluster_name; + + // Search through host_to_conn_info_map_ to find which host this connection belongs to. + for (const auto& [host, host_info] : host_to_conn_info_map_) { + if (host_info.connection_keys.find(connection_key) != host_info.connection_keys.end()) { + host_address = host; + cluster_name = host_info.cluster_name; + break; + } + } + + if (host_address.empty()) { + ENVOY_LOG(warn, "Could not find host for connection key: {}", connection_key); + return; + } + + ENVOY_LOG(debug, "Found connection {} belongs to host {} in cluster {}", connection_key, + host_address, cluster_name); + + // Remove the connection key from the host's connection set. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + host_it->second.connection_keys.erase(connection_key); + ENVOY_LOG(debug, "Removed connection key {} from host {} (remaining: {})", connection_key, + host_address, host_it->second.connection_keys.size()); + } + + // Remove connection state tracking + removeConnectionState(host_address, cluster_name, connection_key); + + // The next call to maintainClusterConnections() will detect the missing connection + // and re-initiate it automatically. + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Connection closure recorded for host {} in cluster {}. " + "Next maintenance cycle will re-initiate if needed.", + host_address, cluster_name); +} + +void ReverseConnectionIOHandle::updateStateGauge(const std::string& host_address, + const std::string& cluster_name, + ReverseConnectionState state, bool increment) { + // Get extension for stats updates. + auto* extension = getDownstreamExtension(); + if (!extension) { + ENVOY_LOG(debug, "No downstream extension available for state gauge update"); + return; + } + + // Use switch case to determine the state suffix for stat name. + std::string state_suffix; + switch (state) { + case ReverseConnectionState::Connecting: + state_suffix = "connecting"; + break; + case ReverseConnectionState::Connected: + state_suffix = "connected"; + break; + case ReverseConnectionState::Failed: + state_suffix = "failed"; + break; + case ReverseConnectionState::Recovered: + state_suffix = "recovered"; + break; + case ReverseConnectionState::Backoff: + state_suffix = "backoff"; + break; + case ReverseConnectionState::CannotConnect: + state_suffix = "cannot_connect"; + break; + default: + state_suffix = "unknown"; + break; + } + + // Call extension to handle the actual stat update. + extension_->updateConnectionStats(host_address, cluster_name, state_suffix, increment); + + ENVOY_LOG(trace, "{} state gauge for host {} cluster {} state {}", + increment ? "Incremented" : "Decremented", host_address, cluster_name, state_suffix); +} + +void ReverseConnectionIOHandle::maintainReverseConnections() { + // Validate required configuration parameters at the top level + if (config_.src_node_id.empty()) { + ENVOY_LOG(error, "Source node ID is required but empty - cannot maintain reverse connections"); + return; + } + + ENVOY_LOG(debug, "Maintaining reverse tunnels for {} clusters.", config_.remote_clusters.size()); + for (const auto& cluster_config : config_.remote_clusters) { + const std::string& cluster_name = cluster_config.cluster_name; + + ENVOY_LOG(debug, "Processing cluster: {} with {} requested connections per host.", cluster_name, + cluster_config.reverse_connection_count); + // Maintain connections for this cluster + maintainClusterConnections(cluster_name, cluster_config); + } + ENVOY_LOG(debug, "Completed reverse TCP connection maintenance for all clusters."); + + // Enable the retry timer to periodically check for missing connections (like maintainConnCount) + if (rev_conn_retry_timer_) { + // TODO(basundhara-c): Make the retry timeout configurable. + const std::chrono::milliseconds retry_timeout(10000); // 10 seconds + rev_conn_retry_timer_->enableTimer(retry_timeout); + ENVOY_LOG(debug, "Enabled retry timer for next connection check in 10 seconds."); + } +} + +bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host) { + // Generate a temporary connection key for early failure tracking. + const std::string temp_connection_key = + "temp_" + cluster_name + "_" + host_address + "_" + std::to_string(rand()); + + // Only validate host_address here since it's specific to this connection attempt. + if (host_address.empty()) { + ENVOY_LOG(error, "Host address is required but empty"); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } + + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Initiating one reverse connection to host {} of cluster " + "'{}', source node '{}'", + host_address, cluster_name, config_.src_node_id); + // Get the thread local cluster + auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); + if (thread_local_cluster == nullptr) { + ENVOY_LOG(error, "Cluster '{}' not found", cluster_name); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } + + ReverseConnectionLoadBalancerContext lb_context(host_address); + + // Get connection from cluster manager + Upstream::Host::CreateConnectionData conn_data = thread_local_cluster->tcpConn(&lb_context); + + if (!conn_data.connection_) { + ENVOY_LOG(error, + "ReverseConnectionIOHandle: Failed to create connection to host {} in cluster {}", + host_address, cluster_name); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } + + // Create wrapper to manage the connection + // The wrapper will initiate and manage the reverse connection handshake using HTTP. + auto wrapper = std::make_unique(*this, std::move(conn_data.connection_), + conn_data.host_description_, cluster_name); + + // Send the reverse connection handshake over the TCP connection. + const std::string connection_key = + wrapper->connect(config_.src_tenant_id, config_.src_cluster_id, config_.src_node_id); + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Initiated reverse connection handshake for host {} with key {}", + host_address, connection_key); + + // Mark as Connecting after handshake is initiated. Use the actual connection key so that it can + // be marked as failed in onConnectionDone(). + conn_wrapper_to_host_map_[wrapper.get()] = host_address; + connection_wrappers_.push_back(std::move(wrapper)); + + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " + "({}:{}) in cluster {}", + host_address, host->address()->ip()->addressAsString(), host->address()->ip()->port(), + cluster_name); + // Reset backoff for successful connection. + resetHostBackoff(host_address); + updateConnectionState(host_address, cluster_name, connection_key, + ReverseConnectionState::Connecting); + return true; +} + +// Trigger pipe used to wake up accept() when a connection is established. +void ReverseConnectionIOHandle::createTriggerPipe() { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Creating trigger pipe for single-byte mechanism"); + int pipe_fds[2]; + if (pipe(pipe_fds) == -1) { + ENVOY_LOG(error, "Failed to create trigger pipe: {}", errorDetails(errno)); + trigger_pipe_read_fd_ = -1; + trigger_pipe_write_fd_ = -1; + return; + } + trigger_pipe_read_fd_ = pipe_fds[0]; + trigger_pipe_write_fd_ = pipe_fds[1]; + // Make both ends non-blocking. + int flags = fcntl(trigger_pipe_write_fd_, F_GETFL, 0); + if (flags != -1) { + fcntl(trigger_pipe_write_fd_, F_SETFL, flags | O_NONBLOCK); + } + flags = fcntl(trigger_pipe_read_fd_, F_GETFL, 0); + if (flags != -1) { + fcntl(trigger_pipe_read_fd_, F_SETFL, flags | O_NONBLOCK); + } + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Created trigger pipe: read_fd={}, write_fd={}", + trigger_pipe_read_fd_, trigger_pipe_write_fd_); +} + +bool ReverseConnectionIOHandle::isTriggerPipeReady() const { + return trigger_pipe_read_fd_ != -1 && trigger_pipe_write_fd_ != -1; +} + +void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, + RCConnectionWrapper* wrapper, bool closed) { + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Connection wrapper done - error: '{}', closed: {}", + error, closed); + + // Validate wrapper pointer before any access. + if (!wrapper) { + ENVOY_LOG(error, "ReverseConnectionIOHandle: Null wrapper pointer in onConnectionDone"); + return; + } + + std::string host_address; + std::string cluster_name; + std::string connection_key; + + // Safely get host address for wrapper. + auto wrapper_it = conn_wrapper_to_host_map_.find(wrapper); + if (wrapper_it == conn_wrapper_to_host_map_.end()) { + ENVOY_LOG(error, "ReverseConnectionIOHandle: Wrapper not found in conn_wrapper_to_host_map_ - " + "may have been cleaned up"); + return; + } + host_address = wrapper_it->second; + + // Safely get cluster name from host info. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + cluster_name = host_it->second.cluster_name; + } else { + ENVOY_LOG(warn, "ReverseConnectionIOHandle: Host info not found for {}, using fallback", + host_address); + } + + if (cluster_name.empty()) { + ENVOY_LOG(error, + "ReverseConnectionIOHandle: No cluster mapping for host {}, cannot process " + "connection event", + host_address); + // Still try to clean up the wrapper + conn_wrapper_to_host_map_.erase(wrapper); + return; + } + + // Safely get connection info if wrapper is still valid. + auto* connection = wrapper->getConnection(); + if (connection) { + connection_key = connection->connectionInfoProvider().localAddress()->asString(); + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Processing connection event for host '{}', cluster " + "'{}', key '{}'", + host_address, cluster_name, connection_key); + } else { + connection_key = "cleanup_" + host_address + "_" + std::to_string(rand()); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Connection already null, using fallback key '{}'", + connection_key); + } + + // Get connection pointer for safe access in success/failure handling. + connection = wrapper->getConnection(); + + // Process connection result safely. + bool is_success = (error == "reverse connection accepted" || error == "success" || + error == "handshake successful" || error == "connection established"); + + if (closed || (!error.empty() && !is_success)) { + // Handle connection failure + ENVOY_LOG(error, + "ReverseConnectionIOHandle: Connection failed - error '{}', cleaning up host {}", + error, host_address); + + updateConnectionState(host_address, cluster_name, connection_key, + ReverseConnectionState::Failed); + + // Safely close connection if still valid. + if (connection) { + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + connection->close(Network::ConnectionCloseType::NoFlush); + } + + trackConnectionFailure(host_address, cluster_name); + + } else { + // Handle connection success + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Connection succeeded for host {}", host_address); + + resetHostBackoff(host_address); + updateConnectionState(host_address, cluster_name, connection_key, + ReverseConnectionState::Connected); + + // Only proceed if connection is still valid. + if (!connection) { + ENVOY_LOG( + error, + "ReverseConnectionIOHandle: Cannot complete successful handshake - connection is null"); + return; + } + + ENVOY_LOG(info, "ReverseConnectionIOHandle: Transferring tunnel socket for " + "reverse_conn_listener consumption"); + + // Reset file events safely. + if (connection->getSocket()) { + connection->getSocket()->ioHandle().resetFileEvents(); + } + + // Update host connection tracking safely. + auto host_it = host_to_conn_info_map_.find(host_address); + if (host_it != host_to_conn_info_map_.end()) { + host_it->second.connection_keys.insert(connection_key); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Added connection key {} for host {}", + connection_key, host_address); + } + + Network::ClientConnectionPtr released_conn = wrapper->releaseConnection(); + + if (released_conn) { + ENVOY_LOG(info, "ReverseConnectionIOHandle: Connection will be consumed by " + "reverse_conn_listener for HTTP processing"); + + // Move connection to established queue for reverse_conn_listener to consume. + established_connections_.push(std::move(released_conn)); + + // Trigger accept mechanism safely. + if (isTriggerPipeReady()) { + char trigger_byte = 1; + ssize_t bytes_written = ::write(trigger_pipe_write_fd_, &trigger_byte, 1); + if (bytes_written == 1) { + ENVOY_LOG(info, + "ReverseConnectionIOHandle: Successfully triggered reverse_conn_listener " + "accept() for host {}", + host_address); + } else { + ENVOY_LOG(error, "ReverseConnectionIOHandle: Failed to write trigger byte: {}", + errorDetails(errno)); + } + } + } + } + + // Safely remove wrapper from tracking. + conn_wrapper_to_host_map_.erase(wrapper); + + // Find and remove wrapper from vector safely. + auto wrapper_vector_it = std::find_if( + connection_wrappers_.begin(), connection_wrappers_.end(), + [wrapper](const std::unique_ptr& w) { return w.get() == wrapper; }); + + if (wrapper_vector_it != connection_wrappers_.end()) { + auto wrapper_to_delete = std::move(*wrapper_vector_it); + connection_wrappers_.erase(wrapper_vector_it); + + // Use deferred deletion to prevent crash during cleanup. + std::unique_ptr deletable_wrapper( + static_cast(wrapper_to_delete.release())); + getThreadLocalDispatcher().deferredDelete(std::move(deletable_wrapper)); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Deferred delete of connection wrapper"); + } +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h new file mode 100644 index 0000000000000..aea8d3cb70108 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h @@ -0,0 +1,425 @@ +#pragma once + +#include +#include +#include +#include + +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" +#include "envoy/stats/scope.h" +#include "envoy/thread_local/thread_local.h" +#include "envoy/upstream/cluster_manager.h" + +#include "source/common/common/logger.h" +#include "source/common/network/filter_impl.h" +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/upstream/load_balancer_context_base.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h" + +#include "absl/container/flat_hash_map.h" +#include "absl/container/flat_hash_set.h" +#include "absl/status/status.h" +#include "absl/synchronization/mutex.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations. +class ReverseTunnelInitiatorExtension; +class ReverseConnectionIOHandle; + +namespace { +// HTTP protocol constants. +static constexpr absl::string_view kCrlf = "\r\n"; +static constexpr absl::string_view kDoubleCrlf = "\r\n\r\n"; + +// Connection timing constants. +static constexpr uint32_t kDefaultMaxReconnectAttempts = 10; +} // namespace + +/** + * Connection state tracking for reverse connections. + */ +enum class ReverseConnectionState { + Connecting, // Connection is being established (handshake initiated). + Connected, // Connection has been successfully established. + Recovered, // Connection has recovered from a previous failure. + Failed, // Connection establishment failed during handshake. + CannotConnect, // Connection cannot be initiated (early failure). + Backoff // Connection is in backoff state due to failures. +}; + +/** + * Configuration for remote cluster connections. + * Defines connection parameters for each remote cluster that reverse connections should be + * established to. + */ +struct RemoteClusterConnectionConfig { + std::string cluster_name; // Name of the remote cluster. + uint32_t reverse_connection_count; // Number of reverse connections to maintain per host. + // TODO(basundhara-c): Implement retry logic using max_reconnect_attempts for connections to this + // cluster. This is the max reconnection attempts made for a cluster when the initial reverse + // connection attempt fails. + uint32_t max_reconnect_attempts; // Maximum number of reconnection attempts. + + RemoteClusterConnectionConfig(const std::string& name, uint32_t count, + uint32_t max_attempts = kDefaultMaxReconnectAttempts) + : cluster_name(name), reverse_connection_count(count), max_reconnect_attempts(max_attempts) {} +}; + +/** + * Configuration for reverse connection socket interface. + */ +struct ReverseConnectionSocketConfig { + std::string src_cluster_id; // Cluster identifier of local envoy instance. + std::string src_node_id; // Node identifier of local envoy instance. + std::string src_tenant_id; // Tenant identifier of local envoy instance. + // TODO(basundhara-c): Add support for multiple remote clusters using the same + // ReverseConnectionIOHandle. Currently, each ReverseConnectionIOHandle handles + // reverse connections for a single upstream cluster since a different ReverseConnectionAddress + // is created for different upstream clusters. Eventually, we should embed metadata for + // multiple remote clusters in the same ReverseConnectionAddress and therefore should be able + // to use a single ReverseConnectionIOHandle for multiple remote clusters. + std::vector + remote_clusters; // List of remote cluster configurations. + bool enable_circuit_breaker; // Whether to place a cluster in backoff when reverse connection + // attempts fail. + ReverseConnectionSocketConfig() : enable_circuit_breaker(true) {} +}; + +/** + * This class handles the lifecycle of reverse connections, including establishment, + * maintenance, and cleanup of connections to remote clusters. + * At this point, a ReverseConnectionIOHandle is created for each upstream cluster. + * This is because a different ReverseConnectionAddress is created for each upstream cluster. + * This ReverseConnectionIOHandle initiates TCP connections to each host of the upstream cluster, + * and caches the IOHandle for serving requests coming from the upstream cluster. + */ +class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, + public Network::ConnectionCallbacks { + // Define friend classes for testing. + friend class ReverseConnectionIOHandleTest; + friend class RCConnectionWrapperTest; + friend class DownstreamReverseConnectionIOHandleTest; + +public: + /** + * Constructor for ReverseConnectionIOHandle. + * @param fd the file descriptor for listener socket. + * @param config the configuration for reverse connections. + * @param cluster_manager the cluster manager for accessing upstream clusters. + * @param extension the extension for stats updates. + * @param scope the stats scope for metrics collection. + */ + ReverseConnectionIOHandle(os_fd_t fd, const ReverseConnectionSocketConfig& config, + Upstream::ClusterManager& cluster_manager, + ReverseTunnelInitiatorExtension* extension, Stats::Scope& scope); + + ~ReverseConnectionIOHandle() override; + + // Network::IoHandle overrides. + /** + * Override of listen method for reverse connections. + * No-op for reverse connections. + * @param backlog the listen backlog. + * @return SysCallIntResult with success status. + */ + Api::SysCallIntResult listen(int backlog) override; + + /** + * Override of accept method for reverse connections. + * Returns established reverse connections when they become available. This is woken up using the + * trigger pipe when a tcp connection to an upstream cluster is established. + * @param addr pointer to store the client address information. + * @param addrlen pointer to the length of the address structure. + * @return IoHandlePtr for the accepted reverse connection, or nullptr if none available. + */ + Network::IoHandlePtr accept(struct sockaddr* addr, socklen_t* addrlen) override; + + /** + * Override of read method for reverse connections. + * @param buffer the buffer to read data into. + * @param max_length optional maximum number of bytes to read. + * @return IoCallUint64Result indicating the result of the read operation. + */ + Api::IoCallUint64Result read(Buffer::Instance& buffer, + absl::optional max_length) override; + + /** + * Override of write method for reverse connections. + * @param buffer the buffer containing data to write. + * @return IoCallUint64Result indicating the result of the write operation. + */ + Api::IoCallUint64Result write(Buffer::Instance& buffer) override; + + /** + * Override of connect method for reverse connections. + * For reverse connections, this is not used since we connect to the upstream clusters in + * initializeFileEvent(). + * @param address the target address (unused for reverse connections). + * @return SysCallIntResult with success status. + */ + Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; + + /** + * Override of close method for reverse connections. + * @return IoCallUint64Result indicating the result of the close operation. + */ + Api::IoCallUint64Result close() override; + + /** + * Triggers the reverse connection workflow. + * @param dispatcher the event dispatcher. + * @param cb the file ready callback. + * @param trigger the file trigger type. + * @param events the events to monitor. + */ + void initializeFileEvent(Event::Dispatcher& dispatcher, Event::FileReadyCb cb, + Event::FileTriggerType trigger, uint32_t events) override; + + // Network::ConnectionCallbacks. + /** + * Called when connection events occur. + * For reverse connections, we handle these events through RCConnectionWrapper. + * @param event the connection event that occurred. + */ + void onEvent(Network::ConnectionEvent event) override; + + /** + * No-op for reverse connections. + */ + void onAboveWriteBufferHighWatermark() override {} + + /** + * No-op for reverse connections. + */ + void onBelowWriteBufferLowWatermark() override {} + + /** + * Get the file descriptor for the pipe monitor used to wake up accept(). + * @return the file descriptor for the pipe monitor + */ + int getPipeMonitorFd() const; + + // Callbacks from RCConnectionWrapper. + /** + * Called when a reverse connection handshake completes. This method wakes up accept() if the + * reverse connection handshake was successful. If not, it performs necessary cleanup and triggers + * backoff for the host. + * @param error error message if the handshake failed, empty string if successful. + * @param wrapper pointer to the connection wrapper that wraps over the established connection. + * @param closed whether the connection was closed during handshake. + */ + void onConnectionDone(const std::string& error, RCConnectionWrapper* wrapper, bool closed); + + // Backoff logic for connection failures. + /** + * Determine if connections should be initiated to a host, i.e., if host is in backoff period. + * @param host_address the address of the host to check. + * @param cluster_name the name of the cluster the host belongs to. + * @return true if connection attempt should be made, false if in backoff. + */ + bool shouldAttemptConnectionToHost(const std::string& host_address, + const std::string& cluster_name); + + /** + * Track a connection failure for a specific host and cluster and trigger backoff logic. + * @param host_address the address of the host that failed. + * @param cluster_name the name of the cluster the host belongs to. + */ + void trackConnectionFailure(const std::string& host_address, const std::string& cluster_name); + + /** + * Reset backoff state for a specific host. Called when a connection is established successfully. + * @param host_address the address of the host to reset backoff for. + */ + void resetHostBackoff(const std::string& host_address); + + /** + * Update the connection state for a specific connection and update metrics. + * @param host_address the address of the host. + * @param cluster_name the name of the cluster. + * @param connection_key the unique key identifying the connection. + * @param new_state the new state to set for the connection. + */ + void updateConnectionState(const std::string& host_address, const std::string& cluster_name, + const std::string& connection_key, ReverseConnectionState new_state); + + /** + * Update state-specific gauge using switch case logic (combined increment/decrement). + * @param host_address the address of the host + * @param cluster_name the name of the cluster + * @param state the connection state to update + * @param increment whether to increment (true) or decrement (false) the gauge + */ + void updateStateGauge(const std::string& host_address, const std::string& cluster_name, + ReverseConnectionState state, bool increment); + + /** + * Remove connection state tracking for a specific connection. + * @param host_address the address of the host. + * @param cluster_name the name of the cluster. + * @param connection_key the unique key identifying the connection. + */ + void removeConnectionState(const std::string& host_address, const std::string& cluster_name, + const std::string& connection_key); + + /** + * Handle downstream connection closure and update internal maps so that the next + * maintenance cycle re-initiates the connection. + * @param connection_key the unique key identifying the closed connection. + */ + void onDownstreamConnectionClosed(const std::string& connection_key); + + /** + * Get reference to the cluster manager. + * @return reference to the cluster manager + */ + Upstream::ClusterManager& getClusterManager() { return cluster_manager_; } + + /** + * Get pointer to the downstream extension for stats updates. + * @return pointer to the extension, nullptr if not available + */ + ReverseTunnelInitiatorExtension* getDownstreamExtension() const; + +private: + /** + * @return reference to the thread-local dispatcher + */ + Event::Dispatcher& getThreadLocalDispatcher() const; + + /** + * Check if thread-local dispatcher is available. + * @return true if dispatcher is available and safe to use + */ + bool isThreadLocalDispatcherAvailable() const; + + /** + * Create the trigger mechanism used to wake up accept() when connections are established. + */ + void createTriggerMechanism(); + + // Functions to maintain connections to remote clusters. + /** + * Maintain reverse connections for all configured clusters. + * Initiates and maintains the required number of connections to each remote cluster. + */ + void maintainReverseConnections(); + + /** + * Maintain reverse connections for a specific cluster. + * @param cluster_name the name of the cluster to maintain connections for + * @param cluster_config the configuration for the cluster + */ + void maintainClusterConnections(const std::string& cluster_name, + const RemoteClusterConnectionConfig& cluster_config); + + /** + * Initiate a single reverse connection to a specific host. + * @param cluster_name the name of the cluster the host belongs to + * @param host_address the address of the host to connect to + * @param host the host object containing connection information + * @return true if connection initiation was successful, false otherwise + */ + bool initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host); + + /** + * Clean up all reverse connection resources. + * Called during shutdown to properly close connections and free resources. + */ + void cleanup(); + + // Pipe trigger mechanism helpers + /** + * Create trigger pipe used to wake up accept() when a connection is established. + */ + void createTriggerPipe(); + + /** + * Check if trigger pipe is ready for use. + * @return true if initialized and ready + */ + bool isTriggerPipeReady() const; + + // Host/cluster mapping management + /** + * Update cluster -> host mappings from the cluster manager. Called before connection initiation + * to a cluster. + * @param cluster_id the ID of the cluster + * @param hosts the list of hosts in the cluster + */ + void maybeUpdateHostsMappingsAndConnections(const std::string& cluster_id, + const std::vector& hosts); + + /** + * Remove stale host entries and close associated connections. + * @param host the address of the host to remove + */ + void removeStaleHostAndCloseConnections(const std::string& host); + + /** + * Per-host connection tracking for better management. + * Contains all information needed to track and manage connections to a specific host. + */ + struct HostConnectionInfo { + std::string host_address; // Host address + std::string cluster_name; // Cluster to which host belongs + absl::flat_hash_set connection_keys; // Connection keys for stats tracking + uint32_t target_connection_count; // Target connection count for the host + uint32_t failure_count{0}; // Number of consecutive failures + std::chrono::steady_clock::time_point last_failure_time; // NO_CHECK_FORMAT(real_time) + std::chrono::steady_clock::time_point backoff_until; // NO_CHECK_FORMAT(real_time) + absl::flat_hash_map + connection_states; // State tracking per connection + }; + + // Map from host address to connection info. + absl::flat_hash_map host_to_conn_info_map_; + // Map from cluster name to set of resolved hosts + absl::flat_hash_map> cluster_to_resolved_hosts_map_; + + // Core components + const ReverseConnectionSocketConfig config_; // Configuration for reverse connections + Upstream::ClusterManager& cluster_manager_; + ReverseTunnelInitiatorExtension* extension_; + + // Connection wrapper management + std::vector> + connection_wrappers_; // Active connection wrappers + // Mapping from wrapper to host. This designates the number of successful connections to a host. + absl::flat_hash_map conn_wrapper_to_host_map_; + + // Simple pipe-based trigger mechanism to wake up accept() when a connection is established. + // Inlined directly for simplicity and reduced test coverage requirements. + int trigger_pipe_read_fd_{-1}; + int trigger_pipe_write_fd_{-1}; + + // Connection management : We store the established connections in a queue + // and pop the last established connection when data is read on trigger_pipe_read_fd_ + // to determine the connection that got established last. + std::queue established_connections_; + + // Single retry timer for all clusters + Event::TimerPtr rev_conn_retry_timer_; + + bool is_reverse_conn_started_{ + false}; // Whether reverse connections have been started on worker thread + Event::Dispatcher* worker_dispatcher_{nullptr}; // Dispatcher for the worker thread + + // Store original socket FD for cleanup. + os_fd_t original_socket_fd_{-1}; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h new file mode 100644 index 0000000000000..13dde91c11cc0 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_load_balancer_context.h @@ -0,0 +1,44 @@ +#pragma once + +#include + +#include "envoy/upstream/load_balancer.h" + +#include "source/common/upstream/load_balancer_context_base.h" + +#include "absl/types/optional.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Load balancer context for reverse connections. + * This context is used to select specific upstream hosts by address. + */ +class ReverseConnectionLoadBalancerContext : public Upstream::LoadBalancerContextBase { +public: + /** + * Constructor that sets the host to select. + * @param host_address the address of the host to select + */ + explicit ReverseConnectionLoadBalancerContext(const std::string& host_address) + : host_string_(host_address), host_to_select_(host_string_, false) {} + + // Upstream::LoadBalancerContext overrides + absl::optional overrideHostToSelect() const override { + return absl::make_optional(host_to_select_); + } + +private: + // Own the string data. This is to prevent use after free when the host_to_select + // is destroyed. + std::string host_string_; + OverrideHost host_to_select_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc new file mode 100644 index 0000000000000..19bd639af0c21 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.cc @@ -0,0 +1,109 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +absl::StatusOr +ReverseConnectionResolver::resolve(const envoy::config::core::v3::SocketAddress& socket_address) { + + // Check if address starts with rc:// + // Expected format: "rc://src_node_id:src_cluster_id:src_tenant_id@cluster_name:count" + const std::string& address_str = socket_address.address(); + if (!absl::StartsWith(address_str, "rc://")) { + return absl::InvalidArgumentError(fmt::format( + "Address must start with 'rc://' for reverse connection resolver. " + "Expected format: rc://src_node_id:src_cluster_id:src_tenant_id@cluster_name:count")); + } + + // For reverse connections, only port 0 is supported. + if (socket_address.port_value() != 0) { + return absl::InvalidArgumentError( + fmt::format("Only port 0 is supported for reverse connections. Got port: {}", + socket_address.port_value())); + } + + // Extract reverse connection config + auto reverse_conn_config_or_error = extractReverseConnectionConfig(socket_address); + if (!reverse_conn_config_or_error.ok()) { + return reverse_conn_config_or_error.status(); + } + + // Create and return ReverseConnectionAddress + auto reverse_conn_address = + std::make_shared(reverse_conn_config_or_error.value()); + + return reverse_conn_address; +} + +absl::StatusOr +ReverseConnectionResolver::extractReverseConnectionConfig( + const envoy::config::core::v3::SocketAddress& socket_address) { + + const std::string& address_str = socket_address.address(); + + // Parse the reverse connection URL format + std::string config_part = address_str.substr(5); // Remove "rc://" prefix + + // Split by '@' to separate source info from cluster config + std::vector parts = absl::StrSplit(config_part, '@'); + if (parts.size() != 2) { + return absl::InvalidArgumentError( + "Invalid reverse connection address format. Expected: " + "rc://src_node_id:src_cluster_id:src_tenant_id@cluster_name:count"); + } + + // Parse source info (node_id:cluster_id:tenant_id) + std::vector source_parts = absl::StrSplit(parts[0], ':'); + if (source_parts.size() != 3) { + return absl::InvalidArgumentError( + "Invalid source info format. Expected: src_node_id:src_cluster_id:src_tenant_id"); + } + + // Validate that node_id and cluster_id are not empty. + if (source_parts[0].empty()) { + return absl::InvalidArgumentError("Source node ID cannot be empty"); + } + if (source_parts[1].empty()) { + return absl::InvalidArgumentError("Source cluster ID cannot be empty"); + } + + // Parse cluster configuration (cluster_name:count) + std::vector cluster_parts = absl::StrSplit(parts[1], ':'); + if (cluster_parts.size() != 2) { + return absl::InvalidArgumentError( + fmt::format("Invalid cluster config format: {}. Expected: cluster_name:count", parts[1])); + } + + uint32_t count; + if (!absl::SimpleAtoi(cluster_parts[1], &count)) { + return absl::InvalidArgumentError( + fmt::format("Invalid connection count: {}", cluster_parts[1])); + } + + // Create the config struct + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_node_id = source_parts[0]; + config.src_cluster_id = source_parts[1]; + config.src_tenant_id = source_parts[2]; + config.remote_cluster = cluster_parts[0]; + config.connection_count = count; + + ENVOY_LOG( + debug, + "reverse connection config: node_id={}, cluster_id={}, tenant_id={}, remote_cluster={}, " + "count={}", + config.src_node_id, config.src_cluster_id, config.src_tenant_id, config.remote_cluster, + config.connection_count); + + return config; +} + +// Register the factory +REGISTER_FACTORY(ReverseConnectionResolver, Network::Address::Resolver); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h new file mode 100644 index 0000000000000..6c478c16d33c9 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h @@ -0,0 +1,46 @@ +#pragma once + +#include "envoy/network/resolver.h" +#include "envoy/registry/registry.h" + +#include "source/common/common/logger.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Custom address resolver that can create ReverseConnectionAddress instances + * when reverse connection metadata is detected in the socket address. + */ +class ReverseConnectionResolver : public Network::Address::Resolver, + public Envoy::Logger::Loggable { +public: + ReverseConnectionResolver() = default; + + // Network::Address::Resolver + absl::StatusOr + resolve(const envoy::config::core::v3::SocketAddress& socket_address) override; + + std::string name() const override { return "envoy.resolvers.reverse_connection"; } + + // Friend class for testing + friend class ReverseConnectionResolverTest; + +private: + /** + * Extracts reverse connection config from socket address metadata. + * Expected format: "rc://src_node_id:src_cluster_id:src_tenant_id@cluster1:count1" + */ + absl::StatusOr + extractReverseConnectionConfig(const envoy::config::core::v3::SocketAddress& socket_address); +}; + +DECLARE_FACTORY(ReverseConnectionResolver); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc new file mode 100644 index 0000000000000..f3d4d26c4871a --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.cc @@ -0,0 +1,183 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" + +#include +#include +#include + +#include "envoy/network/address.h" +#include "envoy/registry/registry.h" + +#include "source/common/common/logger.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_interface_impl.h" +#include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseTunnelInitiator implementation +ReverseTunnelInitiator::ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context) + : extension_(nullptr), context_(&context) { + ENVOY_LOG(debug, "Created ReverseTunnelInitiator."); +} + +DownstreamSocketThreadLocal* ReverseTunnelInitiator::getLocalRegistry() const { + if (!extension_ || !extension_->getLocalRegistry()) { + return nullptr; + } + return extension_->getLocalRegistry(); +} + +Envoy::Network::IoHandlePtr +ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, + Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, bool, + const Envoy::Network::SocketCreationOptions&) const { + ENVOY_LOG(debug, "ReverseTunnelInitiator: type={}, addr_type={}", static_cast(socket_type), + static_cast(addr_type)); + + // This method is called without reverse connection config, so create a regular socket. + int domain; + if (addr_type == Envoy::Network::Address::Type::Ip) { + domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + } else { + // For pipe addresses. + domain = AF_UNIX; + } + int sock_type = (socket_type == Envoy::Network::Socket::Type::Stream) ? SOCK_STREAM : SOCK_DGRAM; + int sock_fd = ::socket(domain, sock_type, 0); + if (sock_fd == -1) { + ENVOY_LOG(error, "Failed to create fallback socket: {}", errorDetails(errno)); + return nullptr; + } + return std::make_unique(sock_fd); +} + +/** + * Thread-safe helper method to create reverse connection socket with config. + */ +Envoy::Network::IoHandlePtr ReverseTunnelInitiator::createReverseConnectionSocket( + Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, const ReverseConnectionSocketConfig& config) const { + + // Return early if no remote clusters are configured + if (config.remote_clusters.empty()) { + ENVOY_LOG(debug, "ReverseTunnelInitiator: No remote clusters configured, returning nullptr"); + return nullptr; + } + + ENVOY_LOG(debug, "ReverseTunnelInitiator: Creating reverse connection socket for cluster: {}", + config.remote_clusters[0].cluster_name); + + // For stream sockets on IP addresses, create our reverse connection IOHandle. + if (socket_type == Envoy::Network::Socket::Type::Stream && + addr_type == Envoy::Network::Address::Type::Ip) { + // Create socket file descriptor using system calls. + int domain = (version == Envoy::Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + int sock_fd = ::socket(domain, SOCK_STREAM, 0); + if (sock_fd == -1) { + ENVOY_LOG(error, "Failed to create socket: {}", errorDetails(errno)); + return nullptr; + } + + ENVOY_LOG( + debug, + "ReverseTunnelInitiator: Created socket fd={}, wrapping with ReverseConnectionIOHandle", + sock_fd); + + // Get the scope from thread local registry, fallback to context scope + Stats::Scope* scope_ptr = &context_->scope(); + auto* tls_registry = getLocalRegistry(); + if (tls_registry) { + scope_ptr = &tls_registry->scope(); + } + + // Create ReverseConnectionIOHandle with cluster manager from context and scope. + return std::make_unique(sock_fd, config, context_->clusterManager(), + extension_, *scope_ptr); + } + + // Fall back to regular socket for non-stream or non-IP sockets. + return socket(socket_type, addr_type, version, false, Envoy::Network::SocketCreationOptions{}); +} + +Envoy::Network::IoHandlePtr +ReverseTunnelInitiator::socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const { + + // Extract reverse connection configuration from address. + const auto* reverse_addr = dynamic_cast(addr.get()); + if (reverse_addr) { + // Get the reverse connection config from the address. + ENVOY_LOG(debug, "ReverseTunnelInitiator: reverse_addr: {}", reverse_addr->asString()); + const auto& config = reverse_addr->reverseConnectionConfig(); + + // Convert ReverseConnectionAddress::ReverseConnectionConfig to ReverseConnectionSocketConfig. + ReverseConnectionSocketConfig socket_config; + socket_config.src_node_id = config.src_node_id; + socket_config.src_cluster_id = config.src_cluster_id; + socket_config.src_tenant_id = config.src_tenant_id; + + // Add the remote cluster configuration. + RemoteClusterConnectionConfig cluster_config(config.remote_cluster, config.connection_count); + socket_config.remote_clusters.push_back(cluster_config); + + // Pass config directly to helper method. + return createReverseConnectionSocket( + socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, socket_config); + } + + // Delegate to the other socket() method for non-reverse-connection addresses. + return socket(socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Envoy::Network::Address::IpVersion::v4, false, + options); +} + +bool ReverseTunnelInitiator::ipFamilySupported(int domain) { + return domain == AF_INET || domain == AF_INET6; +} + +Server::BootstrapExtensionPtr ReverseTunnelInitiator::createBootstrapExtension( + const Protobuf::Message& config, Server::Configuration::ServerFactoryContext& context) { + ENVOY_LOG(debug, "ReverseTunnelInitiator::createBootstrapExtension()"); + const auto& message = MessageUtil::downcastAndValidate< + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface&>(config, context.messageValidationVisitor()); + context_ = &context; + // Create the bootstrap extension and store reference to it. + auto extension = std::make_unique(context, message); + extension_ = extension.get(); + return extension; +} + +ProtobufTypes::MessagePtr ReverseTunnelInitiator::createEmptyConfigProto() { + return std::make_unique< + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface>(); +} + +// ReverseTunnelInitiatorExtension constructor implementation. +ReverseTunnelInitiatorExtension::ReverseTunnelInitiatorExtension( + Server::Configuration::ServerFactoryContext& context, + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& config) + : context_(context), config_(config), + stat_prefix_(config.stat_prefix().empty() ? "reverse_connections" : config.stat_prefix()) { + ENVOY_LOG(debug, + "Created ReverseTunnelInitiatorExtension - TLS slot will be created in " + "onWorkerThreadInitialized with stat_prefix: {}", + stat_prefix_); +} + +REGISTER_FACTORY(ReverseTunnelInitiator, Server::Configuration::BootstrapExtensionFactory); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h new file mode 100644 index 0000000000000..5506e3659e49e --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h @@ -0,0 +1,109 @@ +#pragma once + +#include +#include + +#include "envoy/network/socket.h" +#include "envoy/registry/registry.h" +#include "envoy/server/bootstrap_extension_config.h" + +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +struct ReverseConnectionSocketConfig; + +/** + * Socket interface that creates reverse connection sockets. + * This class implements the SocketInterface interface to provide reverse connection + * functionality for downstream connections. + */ +class ReverseTunnelInitiator : public Envoy::Network::SocketInterfaceBase, + public Envoy::Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelInitiatorTest; + +public: + ReverseTunnelInitiator(Server::Configuration::ServerFactoryContext& context); + + // Default constructor for registry + ReverseTunnelInitiator() : extension_(nullptr), context_(nullptr) {} + + /** + * Create a ReverseConnectionIOHandle and kick off the reverse connection establishment. + * @param socket_type the type of socket to create + * @param addr_type the address type + * @param version the IP version + * @param socket_v6only whether to create IPv6-only socket + * @param options socket creation options + * @return IoHandlePtr for the created socket, or nullptr for unsupported types + */ + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, bool socket_v6only, + const Envoy::Network::SocketCreationOptions& options) const override; + + // No-op for reverse connections. + Envoy::Network::IoHandlePtr + socket(Envoy::Network::Socket::Type socket_type, + const Envoy::Network::Address::InstanceConstSharedPtr addr, + const Envoy::Network::SocketCreationOptions& options) const override; + + /** + * @return true if the IP family is supported + */ + bool ipFamilySupported(int domain) override; + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + DownstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * Thread-safe helper method to create reverse connection socket with config. + * @param socket_type the type of socket to create + * @param addr_type the address type + * @param version the IP version + * @param config the reverse connection configuration + * @return IoHandlePtr for the reverse connection socket + */ + Envoy::Network::IoHandlePtr + createReverseConnectionSocket(Envoy::Network::Socket::Type socket_type, + Envoy::Network::Address::Type addr_type, + Envoy::Network::Address::IpVersion version, + const ReverseConnectionSocketConfig& config) const; + + /** + * Get the extension instance for accessing cross-thread aggregation capabilities. + * @return pointer to the extension, or nullptr if not available + */ + ReverseTunnelInitiatorExtension* getExtension() const { return extension_; } + + // BootstrapExtensionFactory implementation + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override; + + ProtobufTypes::MessagePtr createEmptyConfigProto() override; + + std::string name() const override { + return "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"; + } + + ReverseTunnelInitiatorExtension* extension_; + +private: + Server::Configuration::ServerFactoryContext* context_; +}; + +DECLARE_FACTORY(ReverseTunnelInitiator); + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc new file mode 100644 index 0000000000000..05288d9d19d54 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.cc @@ -0,0 +1,277 @@ +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "envoy/event/dispatcher.h" +#include "envoy/stats/scope.h" +#include "envoy/stats/stats_macros.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/common/logger.h" +#include "source/common/stats/symbol_table.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseTunnelInitiatorExtension implementation +void ReverseTunnelInitiatorExtension::onServerInitialized() { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension::onServerInitialized"); +} + +void ReverseTunnelInitiatorExtension::onWorkerThreadInitialized() { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: creating thread local slot"); + + // Create thread local slot on worker thread initialization. + tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(context_.threadLocal()); + + // Set up the thread local dispatcher for each worker thread. + tls_slot_->set([this](Event::Dispatcher& dispatcher) { + return std::make_shared(dispatcher, context_.scope()); + }); + + ENVOY_LOG( + debug, + "ReverseTunnelInitiatorExtension: thread local slot created successfully in worker thread"); +} + +DownstreamSocketThreadLocal* ReverseTunnelInitiatorExtension::getLocalRegistry() const { + if (!tls_slot_) { + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: no thread local slot"); + return nullptr; + } + + if (auto opt = tls_slot_->get(); opt.has_value()) { + return &opt.value().get(); + } + + return nullptr; +} + +void ReverseTunnelInitiatorExtension::updateConnectionStats(const std::string& host_address, + const std::string& cluster_id, + const std::string& state_suffix, + bool increment) { + // Register stats with Envoy's system for automatic cross-thread aggregation. + auto& stats_store = context_.scope(); + + // Create/update host connection stat with state suffix + if (!host_address.empty() && !state_suffix.empty()) { + std::string host_stat_name = + fmt::format("{}.host.{}.{}", stat_prefix_, host_address, state_suffix); + Stats::StatNameManagedStorage host_stat_name_storage(host_stat_name, stats_store.symbolTable()); + auto& host_gauge = stats_store.gaugeFromStatName(host_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + host_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented host stat {} to {}", + host_stat_name, host_gauge.value()); + } else { + host_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented host stat {} to {}", + host_stat_name, host_gauge.value()); + } + } + + // Create/update cluster connection stat with state suffix. + if (!cluster_id.empty() && !state_suffix.empty()) { + std::string cluster_stat_name = + fmt::format("{}.cluster.{}.{}", stat_prefix_, cluster_id, state_suffix); + Stats::StatNameManagedStorage cluster_stat_name_storage(cluster_stat_name, + stats_store.symbolTable()); + auto& cluster_gauge = stats_store.gaugeFromStatName(cluster_stat_name_storage.statName(), + Stats::Gauge::ImportMode::Accumulate); + if (increment) { + cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } else { + cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented cluster stat {} to {}", + cluster_stat_name, cluster_gauge.value()); + } + } + + // Also update per-worker stats for debugging. + updatePerWorkerConnectionStats(host_address, cluster_id, state_suffix, increment); +} + +void ReverseTunnelInitiatorExtension::updatePerWorkerConnectionStats( + const std::string& host_address, const std::string& cluster_id, const std::string& state_suffix, + bool increment) { + auto& stats_store = context_.scope(); + + // Get dispatcher name from the thread local dispatcher. + std::string dispatcher_name; + auto* local_registry = getLocalRegistry(); + if (local_registry == nullptr) { + ENVOY_LOG(error, "ReverseTunnelInitiatorExtension: No local registry found"); + return; + } + // Dispatcher name is of the form "worker_x" where x is the worker index + dispatcher_name = local_registry->dispatcher().name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Updating stats for worker {}", + dispatcher_name); + + // Create/update per-worker host connection stat. + if (!host_address.empty() && !state_suffix.empty()) { + std::string worker_host_stat_name = + fmt::format("{}.{}.host.{}.{}", stat_prefix_, dispatcher_name, host_address, state_suffix); + Stats::StatNameManagedStorage worker_host_stat_name_storage(worker_host_stat_name, + stats_store.symbolTable()); + auto& worker_host_gauge = stats_store.gaugeFromStatName( + worker_host_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_host_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker host stat {} to {}", + worker_host_stat_name, worker_host_gauge.value()); + } else { + worker_host_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker host stat {} to {}", + worker_host_stat_name, worker_host_gauge.value()); + } + } + + // Create/update per-worker cluster connection stat. + if (!cluster_id.empty() && !state_suffix.empty()) { + std::string worker_cluster_stat_name = + fmt::format("{}.{}.cluster.{}.{}", stat_prefix_, dispatcher_name, cluster_id, state_suffix); + Stats::StatNameManagedStorage worker_cluster_stat_name_storage(worker_cluster_stat_name, + stats_store.symbolTable()); + auto& worker_cluster_gauge = stats_store.gaugeFromStatName( + worker_cluster_stat_name_storage.statName(), Stats::Gauge::ImportMode::NeverImport); + if (increment) { + worker_cluster_gauge.inc(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: incremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } else { + worker_cluster_gauge.dec(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: decremented worker cluster stat {} to {}", + worker_cluster_stat_name, worker_cluster_gauge.value()); + } + } +} + +absl::flat_hash_map +ReverseTunnelInitiatorExtension::getCrossWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Iterate through all gauges and filter for cross-worker stats only. + // Cross-worker stats have the pattern ".host.." or + // ".cluster.." (no dispatcher name in the middle). + Stats::IterateFn gauge_callback = + [&stats_map, this](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && + (gauge_name.find(stat_prefix_ + ".host.") != std::string::npos || + gauge_name.find(stat_prefix_ + ".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG( + debug, + "ReverseTunnelInitiatorExtension: collected {} stats for reverse connections across all " + "worker threads", + stats_map.size()); + + return stats_map; +} + +std::pair, std::vector> +ReverseTunnelInitiatorExtension::getConnectionStatsSync( + std::chrono::milliseconds /* timeout_ms */) { + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: obtaining reverse connection stats"); + + // Get all gauges with the reverse_connections prefix. + auto connection_stats = getCrossWorkerStatMap(); + + std::vector connected_hosts; + std::vector accepted_connections; + + // Process the stats to extract connection information + // For initiator, stats format is: .host.. or + // .cluster.. We only want hosts/clusters with + // "connected" state + for (const auto& [stat_name, count] : connection_stats) { + if (count > 0) { + // Parse stat name to extract host/cluster information with state suffix. + std::string host_pattern = stat_prefix_ + ".host."; + std::string cluster_pattern = stat_prefix_ + ".cluster."; + + if (stat_name.find(host_pattern) != std::string::npos && + stat_name.find(".connected") != std::string::npos) { + // Find the position after ".host." and before ".connected". + size_t start_pos = stat_name.find(host_pattern) + host_pattern.length(); + size_t end_pos = stat_name.find(".connected"); + if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { + std::string host_address = stat_name.substr(start_pos, end_pos - start_pos); + connected_hosts.push_back(host_address); + } + } else if (stat_name.find(cluster_pattern) != std::string::npos && + stat_name.find(".connected") != std::string::npos) { + // Find the position after ".cluster." and before ".connected". + size_t start_pos = stat_name.find(cluster_pattern) + cluster_pattern.length(); + size_t end_pos = stat_name.find(".connected"); + if (start_pos != std::string::npos && end_pos != std::string::npos && end_pos > start_pos) { + std::string cluster_id = stat_name.substr(start_pos, end_pos - start_pos); + accepted_connections.push_back(cluster_id); + } + } + } + } + + ENVOY_LOG(debug, + "ReverseTunnelInitiatorExtension: found {} connected hosts, {} accepted connections", + connected_hosts.size(), accepted_connections.size()); + + return {connected_hosts, accepted_connections}; +} + +absl::flat_hash_map ReverseTunnelInitiatorExtension::getPerWorkerStatMap() { + absl::flat_hash_map stats_map; + auto& stats_store = context_.scope(); + + // Get the current dispatcher name + std::string dispatcher_name = "main_thread"; // Default for main thread + auto* local_registry = getLocalRegistry(); + if (local_registry) { + // Dispatcher name is of the form "worker_x" where x is the worker index. + dispatcher_name = local_registry->dispatcher().name(); + } + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: Getting per worker stats map for {}", + dispatcher_name); + + // Iterate through all gauges and filter for the current dispatcher. + Stats::IterateFn gauge_callback = + [&stats_map, &dispatcher_name, this](const Stats::RefcountPtr& gauge) -> bool { + const std::string& gauge_name = gauge->name(); + ENVOY_LOG(trace, "ReverseTunnelInitiatorExtension: gauge_name: {} gauge_value: {}", gauge_name, + gauge->value()); + if (gauge_name.find(stat_prefix_ + ".") != std::string::npos && + gauge_name.find(dispatcher_name + ".") != std::string::npos && + (gauge_name.find(".host.") != std::string::npos || + gauge_name.find(".cluster.") != std::string::npos) && + gauge->used()) { + stats_map[gauge_name] = gauge->value(); + } + return true; + }; + stats_store.iterate(gauge_callback); + + ENVOY_LOG(debug, "ReverseTunnelInitiatorExtension: collected {} stats for dispatcher '{}'", + stats_map.size(), dispatcher_name); + + return stats_map; +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h new file mode 100644 index 0000000000000..51f7ec0dcb7f0 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h @@ -0,0 +1,138 @@ +#pragma once + +#include +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.validate.h" +#include "envoy/server/bootstrap_extension_config.h" +#include "envoy/stats/scope.h" +#include "envoy/thread_local/thread_local.h" + +#include "absl/container/flat_hash_map.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Forward declarations +class DownstreamSocketThreadLocal; + +/** + * Bootstrap extension for ReverseTunnelInitiator. + */ +class ReverseTunnelInitiatorExtension : public Server::BootstrapExtension, + public Logger::Loggable { + // Friend class for testing + friend class ReverseTunnelInitiatorExtensionTest; + +public: + ReverseTunnelInitiatorExtension( + Server::Configuration::ServerFactoryContext& context, + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface& config); + + void onServerInitialized() override; + void onWorkerThreadInitialized() override; + + /** + * @return pointer to the thread-local registry, or nullptr if not available. + */ + DownstreamSocketThreadLocal* getLocalRegistry() const; + + /** + * Update all connection stats for reverse connections. This updates the cross-worker stats + * as well as the per-worker stats. + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param state_suffix the state suffix (e.g., "connecting", "connected", "failed") + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updateConnectionStats(const std::string& node_id, const std::string& cluster_id, + const std::string& state_suffix, bool increment); + + /** + * Update per-worker connection stats for debugging purposes. + * Creates worker-specific stats + * @param node_id the node identifier for the connection + * @param cluster_id the cluster identifier for the connection + * @param state_suffix the state suffix for the connection + * @param increment whether to increment (true) or decrement (false) the connection count + */ + void updatePerWorkerConnectionStats(const std::string& node_id, const std::string& cluster_id, + const std::string& state_suffix, bool increment); + + /** + * Get per-worker stat map for the current dispatcher. + * @return map of stat names to values for the current worker thread + */ + absl::flat_hash_map getPerWorkerStatMap(); + + /** + * Get cross-worker stat map across all workers. + * @return map of stat names to values across all worker threads + */ + absl::flat_hash_map getCrossWorkerStatMap(); + + /** + * Get connection stats synchronously with timeout. + * @param timeout_ms timeout for the operation + * @return pair of vectors containing connected nodes and accepted connections + */ + std::pair, std::vector> + getConnectionStatsSync(std::chrono::milliseconds timeout_ms); + + /** + * Get the stats scope for accessing stats. + * @return reference to the stats scope. + */ + Stats::Scope& getStatsScope() const { return context_.scope(); } + + /** + * Test-only method to set the thread local slot for testing purposes. + * This allows tests to inject a custom thread local registry and is used + * in unit tests to simulate different worker threads. + * @param slot the thread local slot to set + */ + void setTestOnlyTLSRegistry( + std::unique_ptr> slot) { + tls_slot_ = std::move(slot); + } + +private: + Server::Configuration::ServerFactoryContext& context_; + const envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + ThreadLocal::TypedSlotPtr tls_slot_; + std::string stat_prefix_; // Reverse connection stats prefix +}; + +/** + * Thread local storage for ReverseTunnelInitiator. + * Stores the thread-local dispatcher and stats scope for each worker thread. + */ +class DownstreamSocketThreadLocal : public ThreadLocal::ThreadLocalObject { +public: + DownstreamSocketThreadLocal(Event::Dispatcher& dispatcher, Stats::Scope& scope) + : dispatcher_(dispatcher), scope_(scope) {} + + /** + * @return reference to the thread-local dispatcher + */ + Event::Dispatcher& dispatcher() { return dispatcher_; } + + /** + * @return reference to the stats scope + */ + Stats::Scope& scope() { return scope_; } + +private: + Event::Dispatcher& dispatcher_; + Stats::Scope& scope_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index e883312ac22c5..a73203716b3dd 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -11,6 +11,7 @@ envoy_extension_package() envoy_cc_extension( name = "reverse_tunnel_acceptor_includes", hdrs = [ + "reverse_connection_io_handle.h", "reverse_tunnel_acceptor.h", "reverse_tunnel_acceptor_extension.h", ], @@ -33,6 +34,7 @@ envoy_cc_extension( envoy_cc_extension( name = "reverse_tunnel_acceptor_lib", srcs = [ + "reverse_connection_io_handle.cc", "reverse_tunnel_acceptor.cc", "reverse_tunnel_acceptor_extension.cc", ], diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc new file mode 100644 index 0000000000000..6669f327c832a --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.cc @@ -0,0 +1,55 @@ +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" + +#include "source/common/common/logger.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( + Network::ConnectionSocketPtr socket, const std::string& cluster_name) + : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), + owned_socket_(std::move(socket)) { + ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); +} + +UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { + ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, + fd_); +} + +Api::SysCallIntResult +UpstreamReverseConnectionIOHandle::connect(Network::Address::InstanceConstSharedPtr address) { + ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", + address->asString()); + return Api::SysCallIntResult{0, 0}; +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { + ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); + + if (owned_socket_) { + ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); + owned_socket_.reset(); + SET_SOCKET_INVALID(fd_); + return Api::ioCallUint64ResultNoError(); + } + return IoSocketHandleImpl::close(); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::shutdown(int how) { + ENVOY_LOG(trace, "reverse_tunnel: shutdown({}) called for fd: {}", how, fd_); + // If we still own the socket, ignore shutdown to avoid affecting a socket that will be + // handed over to the upstream connection. + if (owned_socket_) { + ENVOY_LOG(debug, "reverse_tunnel: ignoring shutdown() call for owned socket fd: {}", fd_); + return Api::SysCallIntResult{0, 0}; + } + return IoSocketHandleImpl::shutdown(how); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h new file mode 100644 index 0000000000000..03c928fab3936 --- /dev/null +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h @@ -0,0 +1,78 @@ +#pragma once + +#include + +#include "envoy/network/io_handle.h" +#include "envoy/network/socket.h" + +#include "source/common/network/io_socket_handle_impl.h" + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +/** + * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. + * This class implements RAII principles to ensure proper socket cleanup and provides + * reverse connection semantics where the connection is already established. + */ +class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { +public: + /** + * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. + * + * @param socket the reverse connection socket to own and manage. + * @param cluster_name the name of the cluster this connection belongs to. + */ + UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, + const std::string& cluster_name); + + ~UpstreamReverseConnectionIOHandle() override; + + // Network::IoHandle overrides + /** + * Override of connect method for reverse connections. + * For reverse connections, the connection is already established so this method + * is a no-op and always returns success. + * + * @param address the target address (unused for reverse connections). + * @return SysCallIntResult with success status (0, 0). + */ + Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; + + /** + * Override of close method for reverse connections. + * Cleans up the owned socket and calls the parent close method. + * + * @return IoCallUint64Result indicating the result of the close operation. + */ + Api::IoCallUint64Result close() override; + + /** + * Override of shutdown for reverse connections. + * When the IO handle owns the socket, ignore shutdown to avoid affecting the handed-off socket. + * + * @param how the type of shutdown (`SHUT_RD`, `SHUT_WR`, `SHUT_RDWR`). + * @return SysCallIntResult with success status if ignored, or result of base call. + */ + Api::SysCallIntResult shutdown(int how) override; + + /** + * Get the owned socket for read-only operations. + * + * @return const reference to the owned socket. + */ + const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } + +private: + // The name of the cluster this reverse connection belongs to. + std::string cluster_name_; + // The socket that this IOHandle owns and manages lifetime for. + Network::ConnectionSocketPtr owned_socket_; +}; + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc index 9ca3201c5357e..c33d847a8ef94 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -6,6 +6,7 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/protobuf/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" @@ -14,46 +15,6 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -// UpstreamReverseConnectionIOHandle implementation -UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( - Network::ConnectionSocketPtr socket, const std::string& cluster_name) - : IoSocketHandleImpl(socket->ioHandle().fdDoNotUse()), cluster_name_(cluster_name), - owned_socket_(std::move(socket)) { - - ENVOY_LOG(trace, "reverse_tunnel: created IO handle for cluster: {}, fd: {}", cluster_name_, fd_); -} - -UpstreamReverseConnectionIOHandle::~UpstreamReverseConnectionIOHandle() { - ENVOY_LOG(trace, "reverse_tunnel: destroying IO handle for cluster: {}, fd: {}", cluster_name_, - fd_); - // The owned_socket_ will be automatically destroyed via RAII. -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::connect( - Envoy::Network::Address::InstanceConstSharedPtr address) { - ENVOY_LOG(trace, "reverse_tunnel: connect() to {} - connection already established", - address->asString()); - - // For reverse connections, the connection is already established. - return Api::SysCallIntResult{0, 0}; -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { - ENVOY_LOG(debug, "reverse_tunnel: close() called for fd: {}", fd_); - - // Prefer letting the owned ConnectionSocket perform the actual close to avoid - // double-close. - if (owned_socket_) { - ENVOY_LOG(debug, "reverse_tunnel: releasing socket for cluster: {}", cluster_name_); - owned_socket_.reset(); - // Invalidate our fd so base destructor won't close again. - SET_SOCKET_INVALID(fd_); - return Api::ioCallUint64ResultNoError(); - } - // If we no longer own the socket, fall back to base close. - return IoSocketHandleImpl::close(); -} - // ReverseTunnelAcceptor implementation ReverseTunnelAcceptor::ReverseTunnelAcceptor(Server::Configuration::ServerFactoryContext& context) : extension_(nullptr), context_(&context) { @@ -93,7 +54,7 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type socket_type, // Try to get a cached socket for the node. auto socket = socket_manager->getConnectionSocket(node_id); if (socket) { - ENVOY_LOG(info, "reverse_tunnel: reusing cached socket for node: {}", node_id); + ENVOY_LOG(debug, "reverse_tunnel: reusing cached socket for node: {}", node_id); // Create IOHandle that owns the socket using RAII. auto io_handle = std::make_unique(std::move(socket), node_id); diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h index 43484ea906161..b5437525439c2 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h @@ -18,6 +18,7 @@ #include "source/common/network/io_socket_handle_impl.h" #include "source/common/network/socket_interface.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" namespace Envoy { namespace Extensions { @@ -28,57 +29,6 @@ namespace ReverseConnection { class ReverseTunnelAcceptorExtension; class UpstreamSocketManager; -/** - * Custom IoHandle for upstream reverse connections that manages ConnectionSocket lifetime. - * This class implements RAII principles to ensure proper socket cleanup and provides - * reverse connection semantics where the connection is already established. - */ -class UpstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { -public: - /** - * Constructs an UpstreamReverseConnectionIOHandle that takes ownership of a socket. - * - * @param socket the reverse connection socket to own and manage. - * @param cluster_name the name of the cluster this connection belongs to. - */ - UpstreamReverseConnectionIOHandle(Network::ConnectionSocketPtr socket, - const std::string& cluster_name); - - ~UpstreamReverseConnectionIOHandle() override; - - // Network::IoHandle overrides - /** - * Override of connect method for reverse connections. - * For reverse connections, the connection is already established so this method - * is a no-op and always returns success. - * - * @param address the target address (unused for reverse connections). - * @return SysCallIntResult with success status (0, 0). - */ - Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; - - /** - * Override of close method for reverse connections. - * Cleans up the owned socket and calls the parent close method. - * - * @return IoCallUint64Result indicating the result of the close operation. - */ - Api::IoCallUint64Result close() override; - - /** - * Get the owned socket for read-only operations. - * - * @return const reference to the owned socket. - */ - const Network::ConnectionSocket& getSocket() const { return *owned_socket_; } - -private: - // The name of the cluster this reverse connection belongs to. - std::string cluster_name_; - // The socket that this IOHandle owns and manages lifetime for. - Network::ConnectionSocketPtr owned_socket_; -}; - /** * Socket interface that creates upstream reverse connection sockets. * Manages cached reverse TCP connections and provides them when requested. diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index 71ae06dbaa93f..66393355bdaf0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -400,7 +400,7 @@ void UpstreamSocketManager::pingConnections() { } UpstreamSocketManager::~UpstreamSocketManager() { - ENVOY_LOG(debug, "UpstreamSocketManager destructor called"); + ENVOY_LOG(debug, "UpstreamSocketManager: destructor called"); // Clean up all active file events and timers first for (auto& [fd, event] : fd_to_event_map_) { diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index c8120e840da1e..bb92ceb0ce40d 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -61,6 +61,7 @@ EXTENSIONS = { # Reverse Connection # + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", "envoy.bootstrap.reverse_tunnel.upstream_socket_interface": "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", # @@ -490,6 +491,12 @@ EXTENSIONS = { # getaddrinfo DNS resolver extension can be used when the system resolver is desired (e.g., Android) "envoy.network.dns_resolver.getaddrinfo": "//source/extensions/network/dns_resolver/getaddrinfo:config", + # + # Address Resolvers + # + + "envoy.resolvers.reverse_connection": "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", + # # Custom matchers # diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 0642ed52854f4..e6b7fc47b7280 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -75,6 +75,13 @@ envoy.bootstrap.wasm: status: alpha type_urls: - envoy.extensions.wasm.v3.WasmService +envoy.bootstrap.reverse_tunnel.downstream_socket_interface: + categories: + - envoy.bootstrap + security_posture: unknown + status: wip + type_urls: + - envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface envoy.bootstrap.reverse_tunnel.upstream_socket_interface: categories: - envoy.bootstrap @@ -1521,6 +1528,11 @@ envoy.network.dns_resolver.getaddrinfo: status: stable type_urls: - envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig +envoy.resolvers.reverse_connection: + categories: + - envoy.resolvers + security_posture: unknown + status: wip envoy.rbac.matchers.upstream_ip_port: categories: - envoy.rbac.matchers diff --git a/test/common/network/connection_impl_test.cc b/test/common/network/connection_impl_test.cc index b2b6e90a38feb..a207140304c82 100644 --- a/test/common/network/connection_impl_test.cc +++ b/test/common/network/connection_impl_test.cc @@ -4584,6 +4584,21 @@ TEST_P(ClientConnectionWithCustomRawBufferSocketTest, TransportSocketCallbacks) disconnect(false); } +TEST_P(ConnectionImplTest, TestConstSocketAccess) { + setUpBasicConnection(); + connect(); + + // Test const access to socket. + const Network::Connection& const_connection = *client_connection_; + const auto& socket_ref = const_connection.getSocket(); + EXPECT_NE(socket_ref, nullptr); + + // Verify that const and non-const getSocket return the same socket. + EXPECT_EQ(&socket_ref, &client_connection_->getSocket()); + + disconnect(true); +} + } // namespace } // namespace Network } // namespace Envoy diff --git a/test/common/network/multi_connection_base_impl_test.cc b/test/common/network/multi_connection_base_impl_test.cc index 0093a9835703c..6bccf6a512074 100644 --- a/test/common/network/multi_connection_base_impl_test.cc +++ b/test/common/network/multi_connection_base_impl_test.cc @@ -1211,5 +1211,12 @@ TEST_F(MultiConnectionBaseImplTest, SetSocketOptionFailedTest) { EXPECT_FALSE(impl_->setSocketOption(sockopt_name, sockopt_val)); } +TEST_F(MultiConnectionBaseImplTest, GetSocketPanics) { + setupMultiConnectionImpl(2); + + // getSocket() should panic as it's not implemented for MultiConnectionBaseImpl. + EXPECT_DEATH(impl_->getSocket(), "not implemented"); +} + } // namespace Network } // namespace Envoy diff --git a/test/common/quic/quic_filter_manager_connection_impl_test.cc b/test/common/quic/quic_filter_manager_connection_impl_test.cc index f233a1e54b4dd..423b1f206dc69 100644 --- a/test/common/quic/quic_filter_manager_connection_impl_test.cc +++ b/test/common/quic/quic_filter_manager_connection_impl_test.cc @@ -153,5 +153,10 @@ TEST_F(QuicFilterManagerConnectionImplTest, SetSocketOption) { EXPECT_FALSE(impl_.setSocketOption(sockopt_name, sockopt_val)); } +TEST_F(QuicFilterManagerConnectionImplTest, GetSocketPanics) { + // getSocket() should panic as it's not implemented for QuicFilterManagerConnectionImpl. + EXPECT_DEATH(impl_.getSocket(), "not implemented"); +} + } // namespace Quic } // namespace Envoy diff --git a/test/coverage.yaml b/test/coverage.yaml index d6eb83a29ea94..27f62d7886598 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -28,6 +28,7 @@ directories: source/exe: 94.4 # increased by #32346, need coverage for terminate_handler and hot restart failures source/extensions/api_listeners: 55.0 # Many IS_ENVOY_BUG are not covered. source/extensions/api_listeners/default_api_listener: 59.0 # Many IS_ENVOY_BUG are not covered. + source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface: 95.6 source/extensions/common/aws: 98.5 source/extensions/common/aws/credential_providers: 100.0 source/extensions/common/proxy_protocol: 94.6 # Adjusted for security patch diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD new file mode 100644 index 0000000000000..30d472a1d73c7 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -0,0 +1,114 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "reverse_tunnel_initiator_test", + size = "large", + srcs = ["reverse_tunnel_initiator_test.cc"], + extension_names = ["envoy.bootstrap.reverse_tunnel.downstream_socket_interface"], + deps = [ + "//source/common/network:address_lib", + "//source/common/network:utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_address_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "//test/test_common:logging_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_tunnel_initiator_extension_test", + size = "medium", + srcs = ["reverse_tunnel_initiator_extension_test.cc"], + deps = [ + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_connection_io_handle_test", + size = "large", + srcs = ["reverse_connection_io_handle_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "reverse_connection_address_test", + size = "medium", + srcs = ["reverse_connection_address_test.cc"], + deps = [ + "//source/common/network:address_lib", + "//source/common/network:default_socket_interface_lib", + "//source/common/singleton:threadsafe_singleton", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_address_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:registry_lib", + "//test/test_common:test_runtime_lib", + ], +) + +envoy_cc_test( + name = "reverse_connection_resolver_test", + size = "medium", + srcs = ["reverse_connection_resolver_test.cc"], + deps = [ + "//source/common/network:address_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", + "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + ], +) + +envoy_cc_test( + name = "rc_connection_wrapper_test", + size = "large", + srcs = ["rc_connection_wrapper_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc new file mode 100644 index 0000000000000..3a6965b4412e6 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc @@ -0,0 +1,949 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// RCConnectionWrapper Tests. + +class RCConnectionWrapperTest : public testing::Test { +protected: + void SetUp() override { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + extension_ = std::make_unique(context_, config_); + setupThreadLocalSlot(); + io_handle_ = createTestIOHandle(createDefaultTestConfig()); + } + + void TearDown() override { + io_handle_.reset(); + extension_.reset(); + } + + void setupThreadLocalSlot() { + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + ReverseConnectionSocketConfig createDefaultTestConfig() { + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.enable_circuit_breaker = true; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + return config; + } + + std::unique_ptr + createTestIOHandle(const ReverseConnectionSocketConfig& config) { + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + return std::make_unique(test_fd, config, cluster_manager_, + extension_.get(), *stats_scope_); + } + + // Connection Management Helpers. + + bool initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host) { + return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); + } + + // Data Access Helpers. + + const std::vector>& getConnectionWrappers() const { + return io_handle_->connection_wrappers_; + } + + const absl::flat_hash_map& getConnWrapperToHostMap() const { + return io_handle_->conn_wrapper_to_host_map_; + } + + // Test Data Setup Helpers. + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, + uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = + ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states + }; + } + + // Helper to create a mock host. + Upstream::HostConstSharedPtr createMockHost(const std::string& address) { + auto mock_host = std::make_shared>(); + auto mock_address = std::make_shared(address, 8080); + EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); + return mock_host; + } + + // Helper method to set up mock connection with proper socket expectations. + std::unique_ptr> setupMockConnection() { + auto mock_connection = std::make_unique>(); + + // Create a mock socket for the connection. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Cast the mock to the base ConnectionSocket type and store it in member variable. + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection expectations for getSocket() + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + return mock_connection; + } + + // Test fixtures. + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + std::unique_ptr extension_; + std::unique_ptr io_handle_; + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + // Mock socket for testing. + std::unique_ptr mock_socket_; +}; + +// Test RCConnectionWrapper::connect() method with HTTP/1.1 handshake success +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeSuccess) { + // Create a mock connection. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + + // Set up socket expectations for address info. + auto mock_address = std::make_shared("192.168.1.1", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations directly on the mock connection. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_address, + mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method. + std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + + // Verify connect() returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); +} + +// Test RCConnectionWrapper::connect() method with HTTP proxy (internal address) scenario. +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWithHttpProxy) { + // Create a mock connection. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + + // Set up socket expectations for internal address (HTTP proxy scenario). + auto mock_internal_address = std::make_shared( + "internal_listener_name", "endpoint_id_123"); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations with internal address. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_internal_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_internal_address); + return *mock_provider; + })); + + // Capture the written buffer to verify HTTP request and simulate kernel drain. + Buffer::OwnedImpl captured_buffer; + EXPECT_CALL(*mock_connection, write(_, _)) + .WillOnce(Invoke([&captured_buffer](Buffer::Instance& buffer, bool) { + captured_buffer.add(buffer); + buffer.drain(buffer.length()); + })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method. + std::string result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + + // Verify connect() returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); +} + +// Test RCConnectionWrapper::connect() method with connection write failure. +TEST_F(RCConnectionWrapperTest, ConnectHttpHandshakeWriteFailure) { + // Create a mock connection that fails to write. + auto mock_connection = std::make_unique>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, write(_, _)).WillOnce(Invoke([](Buffer::Instance&, bool) -> void { + throw EnvoyException("Write failed"); + })); + + // Set up socket expectations. + auto mock_address = std::make_shared("192.168.1.1", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + // Set up connection info provider expectations directly on the mock connection. + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_address, + mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, mock_address); + return *mock_provider; + })); + + // Create a mock host. + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call connect() method - should handle the write failure gracefully. + // The method should not throw but should handle the exception internally. + std::string result; + try { + result = wrapper.connect("test-tenant", "test-cluster", "test-node"); + } catch (const EnvoyException& e) { + // The connect() method doesn't handle exceptions, so we expect it to throw. + // This is the current behavior - the method should be updated to handle exceptions. + EXPECT_STREQ(e.what(), "Write failed"); + return; // Exit test early since exception was thrown + } + + // If no exception was thrown, verify connect() still returns the local address. + EXPECT_EQ(result, "127.0.0.1:12345"); +} + +// Test RCConnectionWrapper::onHandshakeSuccess method. +TEST_F(RCConnectionWrapperTest, OnHandshakeSuccess) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onHandshakeSuccess. + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_stat_name = "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_stat_name = "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onHandshakeSuccess. + wrapper_ptr->onHandshakeSuccess(); + + // Get stats after onHandshakeSuccess. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that connected stats were incremented. + EXPECT_EQ(final_stats[host_stat_name], initial_stats[host_stat_name] + 1); + EXPECT_EQ(final_stats[cluster_stat_name], initial_stats[cluster_stat_name] + 1); +} + +// Test RCConnectionWrapper::onHandshakeFailure method. +TEST_F(RCConnectionWrapperTest, OnHandshakeFailure) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onHandshakeFailure. + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_failed_stat_name = "test_scope.reverse_connections.host.192.168.1.1.failed"; + std::string cluster_failed_stat_name = + "test_scope.reverse_connections.cluster.test-cluster.failed"; + + // Call onHandshakeFailure with an error message. + std::string error_message = "Handshake failed due to authentication error"; + wrapper_ptr->onHandshakeFailure(error_message); + + // Get stats after onHandshakeFailure. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that failed stats were incremented. + EXPECT_EQ(final_stats[host_failed_stat_name], initial_stats[host_failed_stat_name] + 1); + EXPECT_EQ(final_stats[cluster_failed_stat_name], initial_stats[cluster_failed_stat_name] + 1); +} + +// Test RCConnectionWrapper::onEvent method with RemoteClose event. +TEST_F(RCConnectionWrapperTest, OnEventRemoteClose) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent. + auto initial_stats = extension_->getCrossWorkerStatMap(); + std::string host_connected_stat_name = + "test_scope.reverse_connections.host.192.168.1.1.connected"; + std::string cluster_connected_stat_name = + "test_scope.reverse_connections.cluster.test-cluster.connected"; + + // Call onEvent with RemoteClose event. + wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); + + // Get stats after onEvent. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that the connection closure was handled gracefully. +} + +// Test RCConnectionWrapper::onEvent method with Connected event (should be ignored) +TEST_F(RCConnectionWrapperTest, OnEventConnected) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent. + auto initial_stats = extension_->getCrossWorkerStatMap(); + + // Call onEvent with Connected event (should be ignored) + wrapper_ptr->onEvent(Network::ConnectionEvent::Connected); + + // Get stats after onEvent. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that Connected event doesn't change stats (it should be ignored) + // The stats should remain the same. + EXPECT_EQ(final_stats, initial_stats); +} + +// Test RCConnectionWrapper::onEvent method with null connection. +TEST_F(RCConnectionWrapperTest, OnEventWithNullConnection) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper and add it to the map. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Get initial stats before onEvent. + auto initial_stats = extension_->getCrossWorkerStatMap(); + + // Call onEvent with RemoteClose event. + wrapper_ptr->onEvent(Network::ConnectionEvent::RemoteClose); + + // Get stats after onEvent. + auto final_stats = extension_->getCrossWorkerStatMap(); + + // Verify that the event was handled gracefully even with connection closure. + // The exact behavior depends on the implementation, but it should not crash. +} + +// Test RCConnectionWrapper::releaseConnection method. +TEST_F(RCConnectionWrapperTest, ReleaseConnection) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Verify connection exists before release. + EXPECT_NE(wrapper.getConnection(), nullptr); + + // Release the connection. + auto released_connection = wrapper.releaseConnection(); + + // Verify connection was released. + EXPECT_NE(released_connection, nullptr); + EXPECT_EQ(wrapper.getConnection(), nullptr); +} + +// Test RCConnectionWrapper::getConnection method. +TEST_F(RCConnectionWrapperTest, GetConnection) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Get the connection. + auto* connection = wrapper.getConnection(); + + // Verify connection is returned. + EXPECT_NE(connection, nullptr); + + // Test after release. + wrapper.releaseConnection(); + EXPECT_EQ(wrapper.getConnection(), nullptr); +} + +// Test RCConnectionWrapper::getHost method. +TEST_F(RCConnectionWrapperTest, GetHost) { + // Create a mock connection and host with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Get the host. + auto host = wrapper.getHost(); + + // Verify host is returned. + EXPECT_EQ(host, mock_host); +} + +// Test RCConnectionWrapper::onAboveWriteBufferHighWatermark method (no-op) +TEST_F(RCConnectionWrapperTest, OnAboveWriteBufferHighWatermark) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call onAboveWriteBufferHighWatermark - should be a no-op. + wrapper.onAboveWriteBufferHighWatermark(); +} + +// Test RCConnectionWrapper::onBelowWriteBufferLowWatermark method (no-op) +TEST_F(RCConnectionWrapperTest, OnBelowWriteBufferLowWatermark) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Call onBelowWriteBufferLowWatermark - should be a no-op. + wrapper.onBelowWriteBufferLowWatermark(); +} + +// Test RCConnectionWrapper::shutdown method. +TEST_F(RCConnectionWrapperTest, Shutdown) { + // Test 1: Shutdown with open connection. + { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for open connection. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12345)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + // Test 2: Shutdown with already closed connection. + { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for closed connection. + EXPECT_CALL(*mock_connection, state()) + .WillRepeatedly(Return(Network::Connection::State::Closed)); + EXPECT_CALL(*mock_connection, close(_)) + .Times(0); // Should not call close on already closed connection + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12346)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + + // Test 3: Shutdown with closing connection. + { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations for closing connection. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()) + .WillRepeatedly(Return(Network::Connection::State::Closing)); + EXPECT_CALL(*mock_connection, close(_)) + .Times(0); // Should not call close on already closing connection + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12347)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + // Test 4: Shutdown with null connection (should be safe) + { + auto mock_host = std::make_shared>(); + + // Create wrapper with null connection. + RCConnectionWrapper wrapper(*io_handle_, nullptr, mock_host, "test-cluster"); + + EXPECT_EQ(wrapper.getConnection(), nullptr); + wrapper.shutdown(); // Should not crash + EXPECT_EQ(wrapper.getConnection(), nullptr); + } + // Test 5: Multiple shutdown calls (should be safe) + { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + + // Set up connection expectations. + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(12348)); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + EXPECT_NE(wrapper.getConnection(), nullptr); + + // First shutdown. + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + + // Second shutdown (should be safe) + wrapper.shutdown(); + EXPECT_EQ(wrapper.getConnection(), nullptr); + } +} + +// Test SimpleConnReadFilter::onData method. +class SimpleConnReadFilterTest : public testing::Test { +protected: + void SetUp() override { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Create a mock IO handle. + auto mock_io_handle = std::make_unique>(); + io_handle_ = std::make_unique( + 7, // dummy fd + ReverseConnectionSocketConfig{}, cluster_manager_, + nullptr, // extension + *stats_scope_); // Use the created scope + } + + void TearDown() override { io_handle_.reset(); } + + // Helper to create a mock RCConnectionWrapper. + std::unique_ptr createMockWrapper() { + auto mock_connection = std::make_unique>(); + auto mock_host = std::make_shared>(); + return std::make_unique(*io_handle_, std::move(mock_connection), mock_host, + "test-cluster"); + } + + // Helper to create SimpleConnReadFilter. + std::unique_ptr createFilter(void* parent) { + return std::make_unique(parent); + } + + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + std::unique_ptr io_handle_; +}; + +TEST_F(SimpleConnReadFilterTest, OnDataWithNullParent) { + // Create filter with null parent. + auto filter = createFilter(nullptr); + + // Create a buffer with some data. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - should return StopIteration when parent is null. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp200Response) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 200 response. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - the filter always stops iteration after dispatch. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2Response) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP/2 response but invalid protobuf. + Buffer::OwnedImpl buffer("HTTP/2 200\r\n\r\nACCEPTED"); + + // Call onData - should return StopIteration for invalid response format. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithIncompleteHeaders) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with incomplete HTTP headers. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"); + + // Call onData - the filter always stops iteration after dispatch. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithEmptyResponseBody) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 200 but empty body. + Buffer::OwnedImpl buffer("HTTP/1.1 200 OK\r\n\r\n"); + + // Call onData - the filter always stops iteration after dispatch. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithNon200Response) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP 404 response. + Buffer::OwnedImpl buffer("HTTP/1.1 404 Not Found\r\n\r\n"); + + // Call onData - should return StopIteration for error response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithHttp2ErrorResponse) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with HTTP/2 error response. + Buffer::OwnedImpl buffer("HTTP/2 500\r\n\r\n"); + + // Call onData - should return StopIteration for error response. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { + // Create wrapper and filter. + auto wrapper = createMockWrapper(); + auto filter = createFilter(wrapper.get()); + + // Create a buffer with partial data (no HTTP response yet) + Buffer::OwnedImpl buffer("partial data"); + + // Call onData - the filter always stops iteration after dispatch. + auto result = filter->onData(buffer, false); + EXPECT_EQ(result, Network::FilterStatus::StopIteration); +} + +// Removed protobuf-based response tests as the handshake now uses HTTP headers only. + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc new file mode 100644 index 0000000000000..a48204e9cba83 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address_test.cc @@ -0,0 +1,306 @@ +#include "source/common/network/io_socket_handle_impl.h" +#include "source/common/network/socket_interface.h" +#include "source/common/singleton/threadsafe_singleton.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" + +#include "test/mocks/network/mocks.h" +#include "test/test_common/registry.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionAddressTest : public testing::Test { +protected: + void SetUp() override {} + + // Helper function to create a test config. + ReverseConnectionAddress::ReverseConnectionConfig createTestConfig() { + return ReverseConnectionAddress::ReverseConnectionConfig{ + "test-node-123", "test-cluster-456", "test-tenant-789", "remote-cluster-abc", 5}; + } + + // Helper function to create a test address. + ReverseConnectionAddress createTestAddress() { + return ReverseConnectionAddress(createTestConfig()); + } + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); +}; + +// Test constructor and basic properties. +TEST_F(ReverseConnectionAddressTest, BasicSetup) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Test that the address string is set correctly. + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.asStringView(), "127.0.0.1:0"); + + // Test that the logical name is formatted correctly. + std::string expected_logical_name = + "rc://test-node-123:test-cluster-456:test-tenant-789@remote-cluster-abc:5"; + EXPECT_EQ(address.logicalName(), expected_logical_name); + + // Test address type. + EXPECT_EQ(address.type(), Network::Address::Type::Ip); + EXPECT_EQ(address.addressType(), "reverse_connection"); +} + +// Test equality operator. +TEST_F(ReverseConnectionAddressTest, EqualityOperator) { + auto config1 = createTestConfig(); + auto config2 = createTestConfig(); + + ReverseConnectionAddress address1(config1); + ReverseConnectionAddress address2(config2); + + // Same config should be equal. + EXPECT_TRUE(address1 == address2); + EXPECT_TRUE(address2 == address1); + + // Different configs should not be equal. + config2.src_node_id = "different-node"; + ReverseConnectionAddress address3(config2); + EXPECT_FALSE(address1 == address3); + EXPECT_FALSE(address3 == address1); +} + +// Test equality with different address types. +TEST_F(ReverseConnectionAddressTest, EqualityWithDifferentTypes) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Create a regular IPv4 address. + auto regular_address = std::make_shared("127.0.0.1", 8080); + + // Should not be equal to different address types. + EXPECT_FALSE(address == *regular_address); + EXPECT_FALSE(*regular_address == address); +} + +// Test reverse connection config accessor. +TEST_F(ReverseConnectionAddressTest, ReverseConnectionConfig) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + const auto& retrieved_config = address.reverseConnectionConfig(); + + EXPECT_EQ(retrieved_config.src_node_id, config.src_node_id); + EXPECT_EQ(retrieved_config.src_cluster_id, config.src_cluster_id); + EXPECT_EQ(retrieved_config.src_tenant_id, config.src_tenant_id); + EXPECT_EQ(retrieved_config.remote_cluster, config.remote_cluster); + EXPECT_EQ(retrieved_config.connection_count, config.connection_count); +} + +// Test IP address properties. +TEST_F(ReverseConnectionAddressTest, IpAddressProperties) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should have IP address. + EXPECT_NE(address.ip(), nullptr); + EXPECT_EQ(address.ip()->addressAsString(), "127.0.0.1"); + EXPECT_EQ(address.ip()->port(), 0); + + // Should not have pipe or envoy internal address. + EXPECT_EQ(address.pipe(), nullptr); + EXPECT_EQ(address.envoyInternalAddress(), nullptr); +} + +// Test socket address properties. +TEST_F(ReverseConnectionAddressTest, SocketAddressProperties) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + const sockaddr* sock_addr = address.sockAddr(); + EXPECT_NE(sock_addr, nullptr); + + socklen_t addr_len = address.sockAddrLen(); + EXPECT_EQ(addr_len, sizeof(struct sockaddr_in)); + + // Verify the sockaddr structure. + const struct sockaddr_in* addr_in = reinterpret_cast(sock_addr); + EXPECT_EQ(addr_in->sin_family, AF_INET); + EXPECT_EQ(addr_in->sin_port, htons(0)); // Port 0 + EXPECT_EQ(addr_in->sin_addr.s_addr, htonl(INADDR_LOOPBACK)); // 127.0.0.1 +} + +// Test network namespace. +TEST_F(ReverseConnectionAddressTest, NetworkNamespace) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should not have a network namespace. + auto namespace_opt = address.networkNamespace(); + EXPECT_FALSE(namespace_opt.has_value()); +} + +// Test socket interface. +TEST_F(ReverseConnectionAddressTest, SocketInterface) { + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should return the default socket interface. + const auto& socket_interface = address.socketInterface(); + EXPECT_NE(&socket_interface, nullptr); +} + +// Test socket interface with registered reverse connection interface. +TEST_F(ReverseConnectionAddressTest, SocketInterfaceWithReverseInterface) { + // Create a mock socket interface that extends SocketInterfaceBase and registers itself + class TestReverseSocketInterface : public Network::SocketInterfaceBase { + public: + TestReverseSocketInterface() = default; + + // Network::SocketInterface + Network::IoHandlePtr socket(Network::Socket::Type socket_type, Network::Address::Type addr_type, + Network::Address::IpVersion version, bool socket_v6only, + const Network::SocketCreationOptions& options) const override { + UNREFERENCED_PARAMETER(socket_v6only); + UNREFERENCED_PARAMETER(options); + // Create a regular socket for testing + if (socket_type == Network::Socket::Type::Stream && addr_type == Network::Address::Type::Ip) { + int domain = (version == Network::Address::IpVersion::v4) ? AF_INET : AF_INET6; + int sock_fd = ::socket(domain, SOCK_STREAM, 0); + if (sock_fd == -1) { + return nullptr; + } + return std::make_unique(sock_fd); + } + return nullptr; + } + + Network::IoHandlePtr socket(Network::Socket::Type socket_type, + const Network::Address::InstanceConstSharedPtr addr, + const Network::SocketCreationOptions& options) const override { + // Delegate to the other socket method + return socket(socket_type, addr->type(), + addr->ip() ? addr->ip()->version() : Network::Address::IpVersion::v4, false, + options); + } + + bool ipFamilySupported(int domain) override { return domain == AF_INET || domain == AF_INET6; } + + // Server::Configuration::BootstrapExtensionFactory + Server::BootstrapExtensionPtr + createBootstrapExtension(const Protobuf::Message& config, + Server::Configuration::ServerFactoryContext& context) override { + UNREFERENCED_PARAMETER(config); + UNREFERENCED_PARAMETER(context); + return nullptr; + } + + ProtobufTypes::MessagePtr createEmptyConfigProto() override { return nullptr; } + + std::string name() const override { + return "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"; + } + + std::set configTypes() override { return {}; } + }; + + // Register the test interface in the registry + TestReverseSocketInterface test_interface; + Registry::InjectFactory registered_factory( + test_interface); + + auto config = createTestConfig(); + ReverseConnectionAddress address(config); + + // Should return the registered test socket interface. + const auto& socket_interface = address.socketInterface(); + EXPECT_EQ(&socket_interface, &test_interface); +} + +// Test with empty configuration values. +TEST_F(ReverseConnectionAddressTest, EmptyConfigValues) { + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_node_id = ""; + config.src_cluster_id = ""; + config.src_tenant_id = ""; + config.remote_cluster = ""; + config.connection_count = 0; + + ReverseConnectionAddress address(config); + + // Should still work with empty values. + EXPECT_EQ(address.asString(), "127.0.0.1:0"); + EXPECT_EQ(address.logicalName(), "rc://::@:0"); + + const auto& retrieved_config = address.reverseConnectionConfig(); + EXPECT_EQ(retrieved_config.src_node_id, ""); + EXPECT_EQ(retrieved_config.src_cluster_id, ""); + EXPECT_EQ(retrieved_config.src_tenant_id, ""); + EXPECT_EQ(retrieved_config.remote_cluster, ""); + EXPECT_EQ(retrieved_config.connection_count, 0); +} + +// Test multiple instances with different configurations. +TEST_F(ReverseConnectionAddressTest, MultipleInstances) { + ReverseConnectionAddress::ReverseConnectionConfig config1; + config1.src_node_id = "node1"; + config1.src_cluster_id = "cluster1"; + config1.src_tenant_id = "tenant1"; + config1.remote_cluster = "remote1"; + config1.connection_count = 1; + + ReverseConnectionAddress::ReverseConnectionConfig config2; + config2.src_node_id = "node2"; + config2.src_cluster_id = "cluster2"; + config2.src_tenant_id = "tenant2"; + config2.remote_cluster = "remote2"; + config2.connection_count = 2; + + ReverseConnectionAddress address1(config1); + ReverseConnectionAddress address2(config2); + + // Should not be equal. + EXPECT_FALSE(address1 == address2); + EXPECT_FALSE(address2 == address1); + + // Should have different logical names. + EXPECT_NE(address1.logicalName(), address2.logicalName()); + + // Should have same address string (both use 127.0.0.1:0) + EXPECT_EQ(address1.asString(), address2.asString()); +} + +// Test copy constructor and assignment (if implemented). +TEST_F(ReverseConnectionAddressTest, CopyAndAssignment) { + auto config = createTestConfig(); + ReverseConnectionAddress original(config); + + // Test copy constructor. + ReverseConnectionAddress copied(original); + EXPECT_TRUE(original == copied); + EXPECT_EQ(original.logicalName(), copied.logicalName()); + EXPECT_EQ(original.asString(), copied.asString()); + + // Test assignment operator. + ReverseConnectionAddress::ReverseConnectionConfig config2; + config2.src_node_id = "different-node"; + config2.src_cluster_id = "different-cluster"; + config2.src_tenant_id = "different-tenant"; + config2.remote_cluster = "different-remote"; + config2.connection_count = 10; + + ReverseConnectionAddress assigned(config2); + assigned = original; + EXPECT_TRUE(original == assigned); + EXPECT_EQ(original.logicalName(), assigned.logicalName()); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc new file mode 100644 index 0000000000000..4da1decee14df --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -0,0 +1,2728 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseConnectionIOHandle Test Class. + +class ReverseConnectionIOHandleTest : public testing::Test { +protected: + ReverseConnectionIOHandleTest() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface. + socket_interface_ = std::make_unique(context_); + + // Create the extension. + extension_ = std::make_unique(context_, config_); + + // Set up mock dispatcher with default expectations. + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + } + + void TearDown() override { + io_handle_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper to create a ReverseConnectionIOHandle with specified configuration. + std::unique_ptr + createTestIOHandle(const ReverseConnectionSocketConfig& config) { + // Create a test socket file descriptor. + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + + // Create the IO handle. + return std::make_unique(test_fd, config, cluster_manager_, + extension_.get(), *stats_scope_); + } + + // Helper to create a default test configuration. + ReverseConnectionSocketConfig createDefaultTestConfig() { + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.enable_circuit_breaker = true; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + return config; + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr io_handle_; + + // Mock cluster manager. + NiceMock cluster_manager_; + + // Thread local components for testing. + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + std::unique_ptr> another_tls_slot_; + std::shared_ptr another_thread_local_registry_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + + // Mock socket for testing. + std::unique_ptr mock_socket_; + + // Thread Local Setup Helpers. + + // Helper function to set up thread local slot for tests. + void setupThreadLocalSlot() { + // Create a thread local registry. + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method. + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + // Multi-Thread Local Setup Helpers. + + void setupAnotherThreadLocalSlot() { + // Create a thread local registry for the other dispatcher. + another_thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + another_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + another_tls_slot_->set( + [registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method. + extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); + } + + // Trigger Pipe Management Helpers. + + bool isTriggerPipeReady() const { return io_handle_->isTriggerPipeReady(); } + + void createTriggerPipe() { io_handle_->createTriggerPipe(); } + + int getTriggerPipeReadFd() const { return io_handle_->trigger_pipe_read_fd_; } + + int getTriggerPipeWriteFd() const { return io_handle_->trigger_pipe_write_fd_; } + + // Connection Management Helpers. + + void addConnectionToEstablishedQueue(Network::ClientConnectionPtr connection) { + io_handle_->established_connections_.push(std::move(connection)); + } + + bool initiateOneReverseConnection(const std::string& cluster_name, + const std::string& host_address, + Upstream::HostConstSharedPtr host) { + return io_handle_->initiateOneReverseConnection(cluster_name, host_address, host); + } + + void maintainReverseConnections() { io_handle_->maintainReverseConnections(); } + + void maintainClusterConnections(const std::string& cluster_name, + const RemoteClusterConnectionConfig& cluster_config) { + io_handle_->maintainClusterConnections(cluster_name, cluster_config); + } + + // Host Management Helpers. + + void maybeUpdateHostsMappingsAndConnections(const std::string& cluster_id, + const std::vector& hosts) { + io_handle_->maybeUpdateHostsMappingsAndConnections(cluster_id, hosts); + } + + bool shouldAttemptConnectionToHost(const std::string& host_address, + const std::string& cluster_name) { + return io_handle_->shouldAttemptConnectionToHost(host_address, cluster_name); + } + + void trackConnectionFailure(const std::string& host_address, const std::string& cluster_name) { + io_handle_->trackConnectionFailure(host_address, cluster_name); + } + + void resetHostBackoff(const std::string& host_address) { + io_handle_->resetHostBackoff(host_address); + } + + // Data Access Helpers. + + const absl::flat_hash_map& + getHostToConnInfoMap() const { + return io_handle_->host_to_conn_info_map_; + } + + const ReverseConnectionIOHandle::HostConnectionInfo& + getHostConnectionInfo(const std::string& host_address) const { + auto it = io_handle_->host_to_conn_info_map_.find(host_address); + EXPECT_NE(it, io_handle_->host_to_conn_info_map_.end()) + << "Host " << host_address << " not found in host_to_conn_info_map_"; + return it->second; + } + + ReverseConnectionIOHandle::HostConnectionInfo& + getMutableHostConnectionInfo(const std::string& host_address) { + auto it = io_handle_->host_to_conn_info_map_.find(host_address); + EXPECT_NE(it, io_handle_->host_to_conn_info_map_.end()) + << "Host " << host_address << " not found in host_to_conn_info_map_"; + return it->second; + } + + const std::vector>& getConnectionWrappers() const { + return io_handle_->connection_wrappers_; + } + + const absl::flat_hash_map& getConnWrapperToHostMap() const { + return io_handle_->conn_wrapper_to_host_map_; + } + + // Test Data Setup Helpers. + + void addHostConnectionInfo(const std::string& host_address, const std::string& cluster_name, + uint32_t target_count) { + io_handle_->host_to_conn_info_map_[host_address] = + ReverseConnectionIOHandle::HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + target_count, // target_connection_count + 0, // failure_count + // last_failure_time + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + // backoff_until + std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + {} // connection_states + }; + } + + // Helper to create a mock host. + Upstream::HostConstSharedPtr createMockHost(const std::string& address) { + auto mock_host = std::make_shared>(); + auto mock_address = std::make_shared(address, 8080); + EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); + return mock_host; + } + + // Helper method to set up mock connection with proper socket expectations. + std::unique_ptr> setupMockConnection() { + auto mock_connection = std::make_unique>(); + + // Create a mock socket for the connection. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Cast the mock to the base ConnectionSocket type and store it in member variable. + mock_socket_ = std::unique_ptr(mock_socket_ptr.release()); + + // Set up connection expectations for getSocket() + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket_)); + + return mock_connection; + } + + // Helper to access private members for testing. + void addWrapperToHostMap(RCConnectionWrapper* wrapper, const std::string& host_address) { + io_handle_->conn_wrapper_to_host_map_[wrapper] = host_address; + } + + void cleanup() { io_handle_->cleanup(); } + + void removeStaleHostAndCloseConnections(const std::string& host) { + io_handle_->removeStaleHostAndCloseConnections(host); + } + + // Helper to get the established connections queue size (if accessible) + size_t getEstablishedConnectionsSize() const { + return io_handle_->established_connections_.size(); + } +}; + +// Test getClusterManager returns correct reference. +TEST_F(ReverseConnectionIOHandleTest, GetClusterManager) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Verify that getClusterManager returns the correct reference. + EXPECT_EQ(&io_handle_->getClusterManager(), &cluster_manager_); +} + +// Basic setup. +TEST_F(ReverseConnectionIOHandleTest, BasicSetup) { + // Test that constructor doesn't crash and creates a valid instance. + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Verify the IO handle has a valid file descriptor. + EXPECT_GE(io_handle_->fdDoNotUse(), 0); +} + +// listen() is a no-op for the initiator +TEST_F(ReverseConnectionIOHandleTest, ListenNoOp) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Test that listen() returns success (0) with no error. + auto result = io_handle_->listen(10); + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(result.errno_, 0); +} + +// Test isTriggerPipeReady() behavior. +TEST_F(ReverseConnectionIOHandleTest, IsTriggerPipeReady) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready. + EXPECT_FALSE(isTriggerPipeReady()); + + // Create the trigger pipe. + createTriggerPipe(); + + // Now trigger pipe should be ready. + EXPECT_TRUE(isTriggerPipeReady()); + + // Verify the file descriptors are valid. + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); +} + +// Test createTriggerPipe() basic pipe creation. +TEST_F(ReverseConnectionIOHandleTest, CreateTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready. + EXPECT_FALSE(isTriggerPipeReady()); + + // Manually call createTriggerPipe. + createTriggerPipe(); + + // Verify that the trigger pipe was created successfully. + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); + + // Verify getPipeMonitorFd returns the correct file descriptor. + EXPECT_EQ(io_handle_->getPipeMonitorFd(), getTriggerPipeReadFd()); + + // Verify the file descriptors are different. + EXPECT_NE(getTriggerPipeReadFd(), getTriggerPipeWriteFd()); +} + +// Test initializeFileEvent() creates trigger pipe. +TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventCreatesTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready. + EXPECT_FALSE(isTriggerPipeReady()); + + // Mock file event callback. + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Call initializeFileEvent - this should create the trigger pipe. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); + + // Verify that the trigger pipe was created successfully. + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); + + // Verify getPipeMonitorFd returns the correct file descriptor. + EXPECT_EQ(io_handle_->getPipeMonitorFd(), getTriggerPipeReadFd()); +} + +// Test that subsequent calls to initializeFileEvent do not create new pipes. +TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventDoesNotCreateNewPipes) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initially, trigger pipe should not be ready. + EXPECT_FALSE(isTriggerPipeReady()); + + // Mock file event callback. + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // First call to initializeFileEvent - should create the trigger pipe. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); + + // Verify that the trigger pipe was created. + EXPECT_TRUE(isTriggerPipeReady()); + int first_read_fd = getTriggerPipeReadFd(); + int first_write_fd = getTriggerPipeWriteFd(); + EXPECT_GE(first_read_fd, 0); + EXPECT_GE(first_write_fd, 0); + + // Second call to initializeFileEvent - should NOT create new pipes because. + // is_reverse_conn_started_ is true + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); + + // Verify that the same file descriptors are still used (no new pipes created) + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_EQ(getTriggerPipeReadFd(), first_read_fd); + EXPECT_EQ(getTriggerPipeWriteFd(), first_write_fd); + + // Verify getPipeMonitorFd still returns the correct file descriptor. + EXPECT_EQ(io_handle_->getPipeMonitorFd(), first_read_fd); +} + +// Test that we do NOT update stats for the cluster if src_node_id is empty. +TEST_F(ReverseConnectionIOHandleTest, EmptySrcNodeIdNoStatsUpdate) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Create config with empty src_node_id. + ReverseConnectionSocketConfig empty_node_config; + empty_node_config.src_cluster_id = "test-cluster"; + empty_node_config.src_node_id = ""; // Empty node ID + empty_node_config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + io_handle_ = createTestIOHandle(empty_node_config); + EXPECT_NE(io_handle_, nullptr); + + // Call maintainReverseConnections - should return early due to empty src_node_id. + maintainReverseConnections(); + + // Verify that no stats were updated. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); // No stats should be created +} + +// Test that rev_conn_retry_timer_ gets created and enabled upon calling initializeFileEvent. +TEST_F(ReverseConnectionIOHandleTest, RetryTimerEnabled) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Mock timer expectations. + auto mock_timer = new NiceMock(); + EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); + EXPECT_CALL(*mock_timer, enableTimer(_, _)); + + // Mock file event callback. + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Call initializeFileEvent - this should create and enable the retry timer. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); +} + +// Test that rev_conn_retry_timer_ is properly managed when reverse connection is started. +TEST_F(ReverseConnectionIOHandleTest, RetryTimerWhenReverseConnStarted) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Mock timer expectations. + auto mock_timer = new NiceMock(); + EXPECT_CALL(dispatcher_, createTimer_(_)).WillOnce(Return(mock_timer)); + EXPECT_CALL(*mock_timer, enableTimer(_, _)); + + // Mock file event callback. + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Call initializeFileEvent to create the timer. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); + + // Call initializeFileEvent again to ensure the timer is not created again. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); +} + +// Test that we do not initiate reverse tunnels when thread local cluster is not present. +TEST_F(ReverseConnectionIOHandleTest, NoThreadLocalClusterCannotConnect) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up cluster manager to return nullptr for non-existent cluster. + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("non-existent-cluster")) + .WillOnce(Return(nullptr)); + + // Call maintainClusterConnections with non-existent cluster. + RemoteClusterConnectionConfig cluster_config("non-existent-cluster", 2); + maintainClusterConnections("non-existent-cluster", cluster_config); + + // Verify that CannotConnect gauge was updated for the cluster. + auto stat_map = extension_->getCrossWorkerStatMap(); + + for (const auto& stat : stat_map) { + std::cout << stat.first << " " << stat.second << std::endl; + } + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], + 1); +} + +// Test that we do not initiate reverse tunnels when cluster has no hosts. +TEST_F(ReverseConnectionIOHandleTest, NoHostsInClusterCannotConnect) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster with empty host map. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("empty-cluster")) + .WillOnce(Return(mock_thread_local_cluster.get())); + + // Set up empty priority set. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Set up empty cross priority host map. + auto empty_host_map = std::make_shared(); + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(empty_host_map)); + + // Call maintainClusterConnections with empty cluster. + RemoteClusterConnectionConfig cluster_config("empty-cluster", 2); + maintainClusterConnections("empty-cluster", cluster_config); + + // Verify that CannotConnect gauge was updated for the cluster. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.empty-cluster.cannot_connect"], 1); +} + +// Test maybeUpdateHostsMappingsAndConnections with valid hosts. +TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsValidHosts) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with some hosts. + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections which will create HostConnectionInfo entries and call. + // maybeUpdateHostsMappingsAndConnections + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that hosts were added to the mapping. + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 2); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.2"), host_to_conn_info_map.end()); +} + +// Test maybeUpdateHostsMappingsAndConnections with no new hosts. +TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsMappingsNoNewHosts) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with multiple hosts. + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + auto mock_host3 = createMockHost("192.168.1.3"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + (*host_map)["192.168.1.3"] = std::const_pointer_cast(mock_host3); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections which will create HostConnectionInfo entries and call. + // maybeUpdateHostsMappingsAndConnections + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that all three host entries exist after maintainClusterConnections. + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 3); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.2"), host_to_conn_info_map.end()); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.3"), host_to_conn_info_map.end()); + + // Now test partial host removal by calling maybeUpdateHostsMappingsAndConnections with fewer. + // hosts + std::vector reduced_host_addresses = {"192.168.1.1", "192.168.1.3"}; + maybeUpdateHostsMappingsAndConnections("test-cluster", reduced_host_addresses); + + // Verify that the removed host was cleaned up but others remain. + const auto& updated_host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(updated_host_to_conn_info_map.size(), 2); + EXPECT_NE(updated_host_to_conn_info_map.find("192.168.1.1"), updated_host_to_conn_info_map.end()); + EXPECT_EQ(updated_host_to_conn_info_map.find("192.168.1.2"), + updated_host_to_conn_info_map.end()); // Should be removed + EXPECT_NE(updated_host_to_conn_info_map.find("192.168.1.3"), updated_host_to_conn_info_map.end()); +} + +// Test shouldAttemptConnectionToHost with valid host and no existing connections. +TEST_F(ReverseConnectionIOHandleTest, ShouldAttemptConnectionToHostValidHost) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Test with valid host and no existing connections. + bool should_attempt = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt); + + // Test circuit breaker disabled scenario - should always return true regardless of backoff state. + // First, put the host in backoff by tracking a failure. + trackConnectionFailure("192.168.1.1", "test-cluster"); + + // Verify host is in backoff with circuit breaker enabled (default). + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); + + // Now create a new IO handle with circuit breaker disabled. + auto config_disabled = createDefaultTestConfig(); + config_disabled.enable_circuit_breaker = false; + auto io_handle_disabled = createTestIOHandle(config_disabled); + EXPECT_NE(io_handle_disabled, nullptr); + + // Set up the same thread local cluster for the new IO handle. + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Call maintainClusterConnections to create HostConnectionInfo entries in the new IO handle. + maintainClusterConnections("test-cluster", cluster_config); + + // Put the host in backoff in the new IO handle. + io_handle_disabled->trackConnectionFailure("192.168.1.1", "test-cluster"); + + // With circuit breaker disabled, shouldAttemptConnectionToHost should always return true. + EXPECT_TRUE(io_handle_disabled->shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); +} + +// Test trackConnectionFailure puts host in backoff. +TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailurePutsHostInBackoff) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify host is initially not in backoff. + bool should_attempt_before = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt_before); + + // Call trackConnectionFailure to put host in backoff. + trackConnectionFailure("192.168.1.1", "test-cluster"); + + // Verify host is now in backoff. + bool should_attempt_after = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_FALSE(should_attempt_after); + + // Verify stat gauges - should show backoff state. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + + // Test that trackConnectionFailure returns if host_to_conn_info_map_ does not have an entry. + // Call trackConnectionFailure with a host that doesn't exist in host_to_conn_info_map_ + trackConnectionFailure("non-existent-host", "test-cluster"); + + // Verify that no stats were updated since the host doesn't exist. + auto stat_map_after_non_existent = extension_->getCrossWorkerStatMap(); + EXPECT_EQ( + stat_map_after_non_existent["test_scope.reverse_connections.host.non-existent-host.backoff"], + 0); + + // Test that maintainClusterConnections skips hosts in backoff. + // Call maintainClusterConnections again - should skip the host in backoff. + // and not attempt any new connections + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that the host is still in backoff state. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); +} + +// Test resetHostBackoff resets the backoff. +TEST_F(ReverseConnectionIOHandleTest, ResetHostBackoff) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify host is initially not in backoff. + bool should_attempt_before = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt_before); + + // Call trackConnectionFailure to put host in backoff. + trackConnectionFailure("192.168.1.1", "test-cluster"); + + // Verify host is now in backoff. + bool should_attempt_after_failure = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_FALSE(should_attempt_after_failure); + + // Verify stat gauges - should show backoff state. + auto stat_map_after_failure = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_after_failure["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + + // Call resetHostBackoff to reset the backoff. + resetHostBackoff("192.168.1.1"); + + // Verify host is no longer in backoff. + bool should_attempt_after_reset = shouldAttemptConnectionToHost("192.168.1.1", "test-cluster"); + EXPECT_TRUE(should_attempt_after_reset); + + // Verify stat gauges - should show recovered state. + auto stat_map_after_reset = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_after_reset["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); + EXPECT_EQ(stat_map_after_reset["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); +} + +// Test resetHostBackoff returns if host_to_conn_info_map_ does not have an entry. +TEST_F(ReverseConnectionIOHandleTest, ResetHostBackoffReturnsIfHostNotFound) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call resetHostBackoff with a host that doesn't exist in host_to_conn_info_map_ + // This should not crash and should return early. + resetHostBackoff("non-existent-host"); + + // Verify that no stats were updated since the host doesn't exist. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.non-existent-host.recovered"], 0); +} + +// Test trackConnectionFailure exponential backoff. +TEST_F(ReverseConnectionIOHandleTest, TrackConnectionFailureExponentialBackoff) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Get initial host info. + const auto& host_info_initial = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_initial.failure_count, 0); + + // First failure - should have 1 second backoff (1000ms) + trackConnectionFailure("192.168.1.1", "test-cluster"); + const auto& host_info_1 = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_1.failure_count, 1); + // Verify backoff_until is set to a future time (approximately current_time + 1000ms) + auto backoff_duration_1 = + host_info_1.backoff_until - std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + // backoff_delay_ms = 1000 * 2^(1-1) = 1000 * 2^0 = 1000 * 1 = 1000ms + auto backoff_ms_1 = + std::chrono::duration_cast(backoff_duration_1).count(); + EXPECT_GE(backoff_ms_1, 900); // Should be at least 900ms (allowing for small timing variations) + EXPECT_LE(backoff_ms_1, 1100); // Should be at most 1100ms + + // Second failure - should have 2 second backoff (2000ms) + trackConnectionFailure("192.168.1.1", "test-cluster"); + const auto& host_info_2 = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_2.failure_count, 2); + // backoff_delay_ms = 1000 * 2^(2-1) = 1000 * 2^1 = 1000 * 2 = 2000ms + auto backoff_duration_2 = + host_info_2.backoff_until - std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto backoff_ms_2 = + std::chrono::duration_cast(backoff_duration_2).count(); + EXPECT_GE(backoff_ms_2, 1900); // Should be at least 1900ms + EXPECT_LE(backoff_ms_2, 2100); // Should be at most 2100ms + + // Third failure - should have 4 second backoff (4000ms) + trackConnectionFailure("192.168.1.1", "test-cluster"); + const auto& host_info_3 = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info_3.failure_count, 3); + // backoff_delay_ms = 1000 * 2^(3-1) = 1000 * 2^2 = 1000 * 4 = 4000ms + auto backoff_duration_3 = + host_info_3.backoff_until - std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto backoff_ms_3 = + std::chrono::duration_cast(backoff_duration_3).count(); + EXPECT_GE(backoff_ms_3, 3900); // Should be at least 3900ms + EXPECT_LE(backoff_ms_3, 4100); // Should be at most 4100ms + + // Verify that shouldAttemptConnectionToHost returns false during backoff. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); +} + +// Test host mapping and backoff integration. +TEST_F(ReverseConnectionIOHandleTest, HostMappingAndBackoffIntegration) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster for cluster-A. + auto mock_thread_local_cluster_a = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("cluster-A")) + .WillRepeatedly(Return(mock_thread_local_cluster_a.get())); + + // Set up priority set with hosts for cluster-A. + auto mock_priority_set_a = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster_a, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set_a)); + + // Create host map for cluster-A with hosts A1, A2, A3. + auto host_map_a = std::make_shared(); + auto mock_host_a1 = createMockHost("192.168.1.1"); + auto mock_host_a2 = createMockHost("192.168.1.2"); + auto mock_host_a3 = createMockHost("192.168.1.3"); + (*host_map_a)["192.168.1.1"] = std::const_pointer_cast(mock_host_a1); + (*host_map_a)["192.168.1.2"] = std::const_pointer_cast(mock_host_a2); + (*host_map_a)["192.168.1.3"] = std::const_pointer_cast(mock_host_a3); + + EXPECT_CALL(*mock_priority_set_a, crossPriorityHostMap()).WillRepeatedly(Return(host_map_a)); + + // Set up mock thread local cluster for cluster-B. + auto mock_thread_local_cluster_b = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("cluster-B")) + .WillRepeatedly(Return(mock_thread_local_cluster_b.get())); + + // Set up priority set with hosts for cluster-B. + auto mock_priority_set_b = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster_b, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set_b)); + + // Create host map for cluster-B with hosts B1, B2. + auto host_map_b = std::make_shared(); + auto mock_host_b1 = createMockHost("192.168.2.1"); + auto mock_host_b2 = createMockHost("192.168.2.2"); + (*host_map_b)["192.168.2.1"] = std::const_pointer_cast(mock_host_b1); + (*host_map_b)["192.168.2.2"] = std::const_pointer_cast(mock_host_b2); + + EXPECT_CALL(*mock_priority_set_b, crossPriorityHostMap()).WillRepeatedly(Return(host_map_b)); + + // Step 1: Create initial host mappings for cluster-A. + RemoteClusterConnectionConfig cluster_config_a("cluster-A", 2); + maintainClusterConnections("cluster-A", cluster_config_a); + + // Step 2: Create initial host mappings for cluster-B. + RemoteClusterConnectionConfig cluster_config_b("cluster-B", 2); + maintainClusterConnections("cluster-B", cluster_config_b); + + // Verify all hosts exist initially. + const auto& host_to_conn_info_map_initial = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map_initial.size(), + 5); // 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.2.1, 192.168.2.2 + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.1"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.2"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.1.3"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.2.1"), host_to_conn_info_map_initial.end()); + EXPECT_NE(host_to_conn_info_map_initial.find("192.168.2.2"), host_to_conn_info_map_initial.end()); + + // Step 3: Put some hosts in backoff. + trackConnectionFailure("192.168.1.1", "cluster-A"); // 192.168.1.1 in backoff + trackConnectionFailure("192.168.2.1", "cluster-B"); // 192.168.2.1 in backoff + // 192.168.1.2, 192.168.1.3, 192.168.2.2 remain normal + + // Verify backoff states. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // In backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // In backoff + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-A")); // Normal + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.3", "cluster-A")); // Normal + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.2.2", "cluster-B")); // Normal + + // Step 4: Update host mappings. + // - Move 192.168.1.2 from cluster-A to cluster-B + // - Remove 192.168.1.3 from cluster-A + // - Add new host 192.168.1.4 to cluster-A + maybeUpdateHostsMappingsAndConnections( + "cluster-A", {"192.168.1.1", "192.168.1.4"}); // 192.168.1.2, 192.168.1.3 removed + maybeUpdateHostsMappingsAndConnections( + "cluster-B", {"192.168.2.1", "192.168.2.2", "192.168.1.2"}); // 192.168.1.2 added + + // Step 5: Verify backoff states are preserved for existing hosts. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "cluster-A")); // Still in backoff + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.2.1", "cluster-B")); // Still in backoff + + // Step 6: Verify moved host has clean state. + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.2", "cluster-B")); // Moved, no backoff + + // Step 7: Verify removed host is cleaned up. + const auto& host_to_conn_info_map_after = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map_after.find("192.168.1.3"), + host_to_conn_info_map_after.end()); // Removed + + // Step 8: Verify stats are updated correctly. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.2.1.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.backoff"], + 0); // Reset when moved +} + +// Test initiateOneReverseConnection when connection establishment fails. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionFailure) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 2); + maintainClusterConnections("test-cluster", cluster_config); + + // Mock tcpConn to return null connection (simulating connection failure) + Upstream::MockHost::MockCreateConnectionData failed_conn_data; + failed_conn_data.connection_ = nullptr; // Connection creation failed + failed_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(failed_conn_data)); + + // Call initiateOneReverseConnection - should fail. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_FALSE(result); + + // Verify that CannotConnect stats are set. + // Calculation: 3 increments total. + // - 2 increments from maintainClusterConnections (target_connection_count = 2) + // - 1 increment from our direct call to initiateOneReverseConnection + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.cannot_connect"], 3); +} + +// Test initiateOneReverseConnection when connection establishment is successful. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionSuccess) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry using helper method. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Set up mock for successful connection. + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection - should succeed. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify that Connecting stats are set. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); + + // Verify that connection wrapper is added to the map. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); +} + +// Test that reverse connection initiation works with custom stat scope. +TEST_F(ReverseConnectionIOHandleTest, InitiateReverseConnectionWithCustomScope) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Create config with custom stat prefix. + ReverseConnectionSocketConfig custom_prefix_config; + custom_prefix_config.src_cluster_id = "test-cluster"; + custom_prefix_config.src_node_id = "test-node"; + custom_prefix_config.remote_clusters.push_back(RemoteClusterConnectionConfig("test-cluster", 1)); + + // Create a new extension with custom stat prefix. + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface custom_config; + custom_config.set_stat_prefix("custom_stats"); + + auto custom_extension = + std::make_unique(context_, custom_config); + custom_extension->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Replace the class member io_handle_ with our custom one for this test + auto original_io_handle = std::move(io_handle_); + io_handle_ = std::make_unique(8, // dummy fd + custom_prefix_config, cluster_manager_, + custom_extension.get(), *stats_scope_); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry using helper method. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Set up mock for successful connection. + auto mock_connection = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection using the helper method - should succeed. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify that Connecting stats are set with custom stat prefix. + auto stat_map = custom_extension->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.custom_stats.host.192.168.1.1.connecting"], 1); + + // Restore the original io_handle_ + io_handle_ = std::move(original_io_handle); +} + +// Test maintainClusterConnections skips hosts that already have enough connections. +TEST_F(ReverseConnectionIOHandleTest, MaintainClusterConnectionsSkipsHostsWithEnoughConnections) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // First call maintainClusterConnections to create HostConnectionInfo entries. + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); // Only need 1 connection + maintainClusterConnections("test-cluster", cluster_config); + + // Manually add a connection key to simulate having enough connections. + const auto& host_info = getHostConnectionInfo("192.168.1.1"); + EXPECT_EQ(host_info.connection_keys.size(), 0); // Initially no connections + + // Manually add a connection key to the host info to simulate having enough connections. + auto& mutable_host_info = getMutableHostConnectionInfo("192.168.1.1"); + mutable_host_info.connection_keys.insert("fake-connection-key"); + + // Verify we now have enough connections. + EXPECT_EQ(getHostConnectionInfo("192.168.1.1").connection_keys.size(), 1); + + // Call maintainClusterConnections again - should skip the host since it has enough connections. + maintainClusterConnections("test-cluster", cluster_config); + + // Verify that no additional connection attempts were made. + // The host should still have exactly 1 connection. + EXPECT_EQ(getHostConnectionInfo("192.168.1.1").connection_keys.size(), 1); +} + +// Test initiateOneReverseConnection with empty host address. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionEmptyHostAddress) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call initiateOneReverseConnection with empty host address - should fail. + bool result = initiateOneReverseConnection("test-cluster", "", nullptr); + EXPECT_FALSE(result); + + // When host address is empty, only cluster stats are updated. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.cannot_connect"], 1); +} + +// Test initiateOneReverseConnection with non-existent cluster. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionNonExistentCluster) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up cluster manager to return nullptr for non-existent cluster. + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("non-existent-cluster")) + .WillOnce(Return(nullptr)); + + // Call initiateOneReverseConnection with non-existent cluster - should fail. + bool result = initiateOneReverseConnection("non-existent-cluster", "192.168.1.1", nullptr); + EXPECT_FALSE(result); + + // When cluster is not found, both host and cluster stats are updated. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.cannot_connect"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.non-existent-cluster.cannot_connect"], + 1); + + // No wrapper should be created since the cluster doesn't exist. + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 0); +} + +// Test mixed success and failure scenarios for multiple connection attempts. +TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with hosts. + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + auto mock_host3 = createMockHost("192.168.1.3"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + (*host_map)["192.168.1.3"] = std::const_pointer_cast(mock_host3); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entries for all hosts with target count of 3. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); // Host 1 + addHostConnectionInfo("192.168.1.2", "test-cluster", 1); // Host 2 + addHostConnectionInfo("192.168.1.3", "test-cluster", 1); // Host 3 + + // Set up connection outcomes in sequence: + // 1. First host: successful connection + // 2. Second host: null connection (failure) + // 3. Third host: successful connection + + auto mock_connection1 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data1; + success_conn_data1.connection_ = mock_connection1.get(); + success_conn_data1.host_description_ = mock_host1; + + Upstream::MockHost::MockCreateConnectionData failed_conn_data; + failed_conn_data.connection_ = nullptr; // Connection creation failed + failed_conn_data.host_description_ = mock_host2; + + auto mock_connection3 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data3; + success_conn_data3.connection_ = mock_connection3.get(); + success_conn_data3.host_description_ = mock_host3; + + // Set up connection attempts with host-specific expectations. + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillRepeatedly(testing::Invoke([success_conn_data1, failed_conn_data, + success_conn_data3](Upstream::LoadBalancerContext* context) { + auto* reverse_context = + dynamic_cast(context); + EXPECT_NE(reverse_context, nullptr); + + auto override_host = reverse_context->overrideHostToSelect(); + EXPECT_TRUE(override_host.has_value()); + + std::string host_address = std::string(override_host->first); + + if (host_address == "192.168.1.1") { + return success_conn_data1; // First host: success + } else if (host_address == "192.168.1.2") { + return failed_conn_data; // Second host: failure + } else if (host_address == "192.168.1.3") { + return success_conn_data3; // Third host: success + } else { + // Unexpected host. + EXPECT_TRUE(false) << "Unexpected host address: " << host_address; + return failed_conn_data; + } + })); + + mock_connection1.release(); + mock_connection3.release(); + + // Create 1 connection per host. + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); + + // Call maintainClusterConnections which will attempt connections to all hosts. + maintainClusterConnections("test-cluster", cluster_config); + + // Verify final stats. + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Verify connecting stats for successful connections. + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); // Success + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.3.connecting"], 1); // Success + + // Verify cannot_connect stats for failed connection. + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.2.cannot_connect"], + 1); // Failed + + // Verify cluster-level stats for test-cluster. + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 2); // 2 successful connections + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.cannot_connect"], + 1); // 1 failed connection + + // Verify that only 2 connection wrappers were created (for successful connections) + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 2); + + // Verify that wrappers are mapped to successful hosts only. + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 2); + + // Count hosts in the mapping. + std::set mapped_hosts; + for (const auto& [wrapper, host] : wrapper_to_host_map) { + mapped_hosts.insert(host); + } + EXPECT_EQ(mapped_hosts.size(), 2); // Should have 2 successful hosts + EXPECT_NE(mapped_hosts.find("192.168.1.1"), mapped_hosts.end()); // Success + EXPECT_EQ(mapped_hosts.find("192.168.1.2"), mapped_hosts.end()); // Failed - not in map + EXPECT_NE(mapped_hosts.find("192.168.1.3"), mapped_hosts.end()); // Success +} + +// Test removeStaleHostAndCloseConnections removes host and closes connections. +TEST_F(ReverseConnectionIOHandleTest, RemoveStaleHostAndCloseConnections) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with multiple hosts. + auto host_map = std::make_shared(); + auto mock_host1 = createMockHost("192.168.1.1"); + auto mock_host2 = createMockHost("192.168.1.2"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); + (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Set up successful connections for both hosts. + auto mock_connection1 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data1; + success_conn_data1.connection_ = mock_connection1.get(); + success_conn_data1.host_description_ = mock_host1; + + auto mock_connection2 = std::make_unique>(); + Upstream::MockHost::MockCreateConnectionData success_conn_data2; + success_conn_data2.connection_ = mock_connection2.get(); + success_conn_data2.host_description_ = mock_host2; + + // Set up connection attempts with host-specific expectations. + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillRepeatedly(testing::Invoke([&](Upstream::LoadBalancerContext* context) { + // Cast to our custom context to get the host address. + auto* reverse_context = + dynamic_cast(context); + EXPECT_NE(reverse_context, nullptr); + + auto override_host = reverse_context->overrideHostToSelect(); + EXPECT_TRUE(override_host.has_value()); + + std::string host_address = std::string(override_host->first); + + if (host_address == "192.168.1.1") { + return success_conn_data1; // First host: success + } else if (host_address == "192.168.1.2") { + return success_conn_data2; // Second host: success + } else { + // Unexpected host. + EXPECT_TRUE(false) << "Unexpected host address: " << host_address; + return success_conn_data1; // Default fallback + } + })); + + mock_connection1.release(); + mock_connection2.release(); + + // First call maintainClusterConnections to create HostConnectionInfo entries and connection. + // wrappers + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); + maintainClusterConnections("test-cluster", cluster_config); + + // Verify both hosts are initially present. + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.1"), getHostToConnInfoMap().end()); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.2"), getHostToConnInfoMap().end()); + + // Verify that connection wrappers were created by maintainClusterConnections. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 2); // One wrapper per host + EXPECT_EQ(getConnWrapperToHostMap().size(), 2); + + // Call removeStaleHostAndCloseConnections to remove host 192.168.1.1 + removeStaleHostAndCloseConnections("192.168.1.1"); + + // Verify that host 192.168.1.1 is still in host_to_conn_info_map_ + // (removeStaleHostAndCloseConnections doesn't remove it) + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.1"), getHostToConnInfoMap().end()); + EXPECT_NE(getHostToConnInfoMap().find("192.168.1.2"), getHostToConnInfoMap().end()); + + // Verify that connection wrappers for the removed host are removed. + EXPECT_EQ(getConnectionWrappers().size(), 1); // Only host 192.168.1.2's wrapper remains + EXPECT_EQ(getConnWrapperToHostMap().size(), 1); // Only host 192.168.1.2's mapping remains + + // Verify that host 192.168.1.2's wrapper is still present and unaffected + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + EXPECT_EQ(wrapper_to_host_map.begin()->second, "192.168.1.2"); // Only 192.168.1.2 should remain +} + +// Test read() method - should delegate to base class. +TEST_F(ReverseConnectionIOHandleTest, ReadMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a buffer to read into. + Buffer::OwnedImpl buffer; + + // Call read() - should delegate to base class implementation. + auto result = io_handle_->read(buffer, absl::optional(100)); + + // Should return a valid result. + EXPECT_NE(result.err_, nullptr); +} + +// Test write() method - should delegate to base class. +TEST_F(ReverseConnectionIOHandleTest, WriteMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a buffer to write from. + Buffer::OwnedImpl buffer; + buffer.add("test data"); + + // Call write() - should delegate to base class implementation. + auto result = io_handle_->write(buffer); + + // Should return a valid result. + EXPECT_NE(result.err_, nullptr); +} + +// Test connect() method - should delegate to base class. +TEST_F(ReverseConnectionIOHandleTest, ConnectMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock address. + auto address = std::make_shared("127.0.0.1", 8080); + + // Call connect() - should delegate to base class implementation. + auto result = io_handle_->connect(address); + + // Should return a valid result. + EXPECT_NE(result.errno_, 0); // Should fail since we're not actually connecting +} + +// Test onEvent() method - should delegate to base class. +TEST_F(ReverseConnectionIOHandleTest, OnEventMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call onEvent() with a mock event - no-op. + io_handle_->onEvent(Network::ConnectionEvent::LocalClose); +} + +// Test RCConnectionWrapper::onEvent with null connection. +TEST_F(ReverseConnectionIOHandleTest, RCConnectionWrapperOnEventWithNullConnection) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Release the connection to make it null. + wrapper.releaseConnection(); + + // Call onEvent with RemoteClose event - should handle null connection gracefully. + wrapper.onEvent(Network::ConnectionEvent::RemoteClose); +} + +// onConnectionDone Unit Tests + +// Early returns in onConnectionDone without calling initiateOneReverseConnection. +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneEarlyReturns) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Test 1.1: Null wrapper - should return early + io_handle_->onConnectionDone("test error", nullptr, false); + + // Verify no stats were updated. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); + + // Test 1.2: Empty conn_wrapper_to_host_map_ - should return early + // Create a dummy wrapper pointer (we can't easily mock RCConnectionWrapper directly) + RCConnectionWrapper* wrapper_ptr = reinterpret_cast(0x12345678); + + // Verify the map is empty. + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 0); + + io_handle_->onConnectionDone("test error", wrapper_ptr, false); + + // Verify no stats were updated. + stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); + + // Test 1.3: Empty host_to_conn_info_map_ - should return early after finding wrapper + // First add wrapper to the map but no host info. + addWrapperToHostMap(wrapper_ptr, "192.168.1.1"); + + // Verify host info map is empty. + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 0); + + io_handle_->onConnectionDone("test error", wrapper_ptr, false); + + // Verify wrapper was removed from map but no stats updated. + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map.size(), 0); +} + +// Connection success scenario - test stats and wrapper creation and mapping. +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneSuccess) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create trigger pipe BEFORE initiating connection to ensure it's ready. + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Create a successful connection. + auto mock_connection = setupMockConnection(); + + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Verify initial state - no established connections yet. + EXPECT_EQ(getEstablishedConnectionsSize(), 0); + + // Call onConnectionDone to simulate successful connection completion. + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); + + // Verify wrapper was removed from tracking (cleanup should happen) + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify that connection was pushed to established_connections_ + EXPECT_EQ(getEstablishedConnectionsSize(), 1); + + // Verify that trigger mechanism was executed. + // Read 1 byte from the pipe to verify the trigger was written. + char trigger_byte; + int pipe_read_fd = getTriggerPipeReadFd(); + EXPECT_GE(pipe_read_fd, 0); + + ssize_t bytes_read = ::read(pipe_read_fd, &trigger_byte, 1); + EXPECT_EQ(bytes_read, 1) << "Expected to read 1 byte from trigger pipe, got " << bytes_read; + EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " + << static_cast(trigger_byte); +} + +// Test 3: Connection failure and recovery scenario. +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneFailureAndRecovery) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Step 1: Create initial connection. + auto mock_connection1 = setupMockConnection(); + + Upstream::MockHost::MockCreateConnectionData success_conn_data1; + success_conn_data1.connection_ = mock_connection1.get(); + success_conn_data1.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data1)); + + mock_connection1.release(); + + // Call initiateOneReverseConnection to create the wrapper. + bool result1 = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result1); + + // Get the wrapper. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Verify host and cluster stats after connection initiation. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); + + // Step 2: Simulate connection failure by calling onConnectionDone with error. + io_handle_->onConnectionDone("connection timeout", wrapper_ptr, true); + + // Verify wrapper was removed from tracking maps after failure. + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify failure stats - onConnectionDone should have called trackConnectionFailure. + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], + 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 0); // Should be decremented + + // Verify host is now in backoff. + EXPECT_FALSE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); + + // Step 3: Create a new connection for recovery. + auto mock_connection2 = setupMockConnection(); + + Upstream::MockHost::MockCreateConnectionData success_conn_data2; + success_conn_data2.connection_ = mock_connection2.get(); + success_conn_data2.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data2)); + + mock_connection2.release(); + + // Call initiateOneReverseConnection again for recovery. + bool result2 = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result2); + + // Verify new wrapper was created and mapped. + const auto& connection_wrappers2 = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers2.size(), 1); + + const auto& wrapper_to_host_map2 = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map2.size(), 1); + + RCConnectionWrapper* wrapper_ptr2 = connection_wrappers2[0].get(); + EXPECT_EQ(wrapper_to_host_map2.at(wrapper_ptr2), "192.168.1.1"); + + // Verify stats after recovery connection initiation. + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], + 1); // New connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 1); // New connection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], + 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], + 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], + 1); // Recovery recorded + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], + 1); // Recovery recorded + + // Step 4: Simulate connection success (recovery) by calling onConnectionDone with success. + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr2, false); + + // Verify wrapper was removed from tracking maps after success. + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify recovery stats - onConnectionDone should have called resetHostBackoff. + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connected"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.recovered"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.backoff"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], + 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.failed"], + 0); // Reset by initiateOneReverseConnection + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connected"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.recovered"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.backoff"], 0); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], + 0); // Should be decremented + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.failed"], + 0); // Reset by initiateOneReverseConnection + + // Verify host is no longer in backoff. + EXPECT_TRUE(shouldAttemptConnectionToHost("192.168.1.1", "test-cluster")); + + // Verify final state - all maps should be clean. + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify host info is still present (should not be removed) + const auto& host_to_conn_info_map = getHostToConnInfoMap(); + EXPECT_EQ(host_to_conn_info_map.size(), 1); + EXPECT_NE(host_to_conn_info_map.find("192.168.1.1"), host_to_conn_info_map.end()); +} + +// Test downstream connection closure and re-initiation. +TEST_F(ReverseConnectionIOHandleTest, OnDownstreamConnectionClosedTriggersReInitiation) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create trigger pipe BEFORE initiating connection to ensure it's ready. + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Set up mock thread local cluster. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Set up priority set with hosts. + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + + // Create host map with a host. + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + // Create HostConnectionInfo entry. + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + // Step 1: Create initial connection. + auto mock_connection = setupMockConnection(); + + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + + mock_connection.release(); + + // Call initiateOneReverseConnection to create the wrapper. + bool result = initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host); + EXPECT_TRUE(result); + + // Verify wrapper was created and mapped. + const auto& connection_wrappers = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers.size(), 1); + + const auto& wrapper_to_host_map = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map.size(), 1); + + RCConnectionWrapper* wrapper_ptr = connection_wrappers[0].get(); + EXPECT_EQ(wrapper_to_host_map.at(wrapper_ptr), "192.168.1.1"); + + // Verify initial state - no established connections yet. + EXPECT_EQ(getEstablishedConnectionsSize(), 0); + + // Step 2: Simulate successful connection completion. + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); + + // Verify wrapper was removed from tracking (cleanup should happen) + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + EXPECT_EQ(getConnectionWrappers().size(), 0); + + // Verify that connection was pushed to established_connections_ + EXPECT_EQ(getEstablishedConnectionsSize(), 1); + + // Verify that trigger mechanism was executed. + char trigger_byte; + int pipe_read_fd = getTriggerPipeReadFd(); + EXPECT_GE(pipe_read_fd, 0); + + ssize_t bytes_read = ::read(pipe_read_fd, &trigger_byte, 1); + EXPECT_EQ(bytes_read, 1) << "Expected to read 1 byte from trigger pipe, got " << bytes_read; + EXPECT_EQ(trigger_byte, 1) << "Expected trigger byte to be 1, got " + << static_cast(trigger_byte); + + // Step 3: Get the actual connection key that was used for tracking. + // The connection key should be the local address of the connection. + auto host_it = getHostToConnInfoMap().find("192.168.1.1"); + EXPECT_NE(host_it, getHostToConnInfoMap().end()); + + // The connection key should have been added during onConnectionDone. + // Let's find what connection key was actually used. + std::string connection_key; + if (!host_it->second.connection_keys.empty()) { + connection_key = *host_it->second.connection_keys.begin(); + ENVOY_LOG_MISC(debug, "Found connection key: {}", connection_key); + } else { + // If no connection key was added, use a mock one for testing. + connection_key = "192.168.1.1:12345"; + ENVOY_LOG_MISC(debug, "No connection key found, using mock: {}", connection_key); + } + + // Step 4: Simulate downstream connection closure. + io_handle_->onDownstreamConnectionClosed(connection_key); + + // Verify connection key is removed from host tracking. + host_it = getHostToConnInfoMap().find("192.168.1.1"); + EXPECT_NE(host_it, getHostToConnInfoMap().end()); + EXPECT_EQ(host_it->second.connection_keys.count(connection_key), 0); + + // Step 5: Set up expectation for new connection attempts. + auto mock_connection2 = setupMockConnection(); + + Upstream::MockHost::MockCreateConnectionData success_conn_data2; + success_conn_data2.connection_ = mock_connection2.get(); + success_conn_data2.host_description_ = mock_host; + + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data2)); + + mock_connection2.release(); + + // Step 6: Trigger maintenance cycle to verify re-initiation. + RemoteClusterConnectionConfig cluster_config("test-cluster", 1); + + maintainClusterConnections("test-cluster", cluster_config); + + // Since the connection key was removed, the host should need a new connection. + // and initiateOneReverseConnection should be called again + + // Verify that a new wrapper was created. + const auto& connection_wrappers2 = getConnectionWrappers(); + EXPECT_EQ(connection_wrappers2.size(), 1); + + const auto& wrapper_to_host_map2 = getConnWrapperToHostMap(); + EXPECT_EQ(wrapper_to_host_map2.size(), 1); + + RCConnectionWrapper* wrapper_ptr2 = connection_wrappers2[0].get(); + EXPECT_EQ(wrapper_to_host_map2.at(wrapper_ptr2), "192.168.1.1"); + + // Verify stats show new connection attempt. + auto stat_map = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.192.168.1.1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.connecting"], 1); +} + +// Test ReverseConnectionIOHandle::close() method without trigger pipe. +TEST_F(ReverseConnectionIOHandleTest, CloseMethodWithoutTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Verify initial state - trigger pipe not ready. + EXPECT_FALSE(isTriggerPipeReady()); + + // Get initial file descriptor (this is the original socket FD) + int initial_fd = io_handle_->fdDoNotUse(); + EXPECT_GE(initial_fd, 0); + + // Call close() - should close only the original socket FD and delegate to base class. + auto result = io_handle_->close(); + + // After close(), the FD should be -1. + EXPECT_EQ(io_handle_->fdDoNotUse(), -1); +} + +// Test ReverseConnectionIOHandle::close() method with trigger pipe. +TEST_F(ReverseConnectionIOHandleTest, CloseMethodWithTriggerPipe) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Get the original socket FD before creating trigger pipe. + int original_socket_fd = io_handle_->fdDoNotUse(); + EXPECT_GE(original_socket_fd, 0); + + // Create trigger pipe and initialize file event to set up the scenario where fd_ points to. + // trigger pipe Mock file event callback + Event::FileReadyCb mock_callback = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + + // Initialize file event to ensure the monitored FD is set to the trigger pipe. + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); + EXPECT_TRUE(isTriggerPipeReady()); + + // Get the pipe monitor FD (this becomes the monitored fd_ after initializeFileEvent) + int pipe_monitor_fd = getTriggerPipeReadFd(); + EXPECT_GE(pipe_monitor_fd, 0); + EXPECT_NE(original_socket_fd, pipe_monitor_fd); // Should be different FDs + + // Verify that the active FD is now the pipe monitor FD. + EXPECT_EQ(io_handle_->fdDoNotUse(), pipe_monitor_fd); + + // Call close() - should: + // 1. Close the original socket FD (original_socket_fd_) + // 2. Let base class close() handle fd_ + + auto result = io_handle_->close(); + EXPECT_EQ(result.return_value_, 0); + EXPECT_EQ(io_handle_->fdDoNotUse(), -1); +} + +// Test ReverseConnectionIOHandle::cleanup() method. +TEST_F(ReverseConnectionIOHandleTest, CleanupMethod) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Set up initial state with trigger pipe. + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + EXPECT_GE(getTriggerPipeReadFd(), 0); + EXPECT_GE(getTriggerPipeWriteFd(), 0); + + // Add some host connection info. + addHostConnectionInfo("192.168.1.1", "test-cluster", 2); + addHostConnectionInfo("192.168.1.2", "test-cluster", 1); + + // Verify initial state. + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + EXPECT_TRUE(isTriggerPipeReady()); + + // Call cleanup() - should reset all resources. + cleanup(); + + // Verify that trigger pipe FDs are reset to -1. + EXPECT_FALSE(isTriggerPipeReady()); + EXPECT_EQ(getTriggerPipeReadFd(), -1); + EXPECT_EQ(getTriggerPipeWriteFd(), -1); + + // Verify that host connection info is cleared. + EXPECT_EQ(getHostToConnInfoMap().size(), 0); + + // Verify that connection wrappers are cleared. + EXPECT_EQ(getConnectionWrappers().size(), 0); + EXPECT_EQ(getConnWrapperToHostMap().size(), 0); + + // Verify that the base class fd_ is still valid (cleanup doesn't close the main socket) + EXPECT_GE(io_handle_->fdDoNotUse(), 0); +} + +// Test ReverseConnectionIOHandle::onAboveWriteBufferHighWatermark method (no-op) +TEST_F(ReverseConnectionIOHandleTest, OnAboveWriteBufferHighWatermark) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call onAboveWriteBufferHighWatermark - should be a no-op. + io_handle_->onAboveWriteBufferHighWatermark(); + // The test passes if no exceptions are thrown. +} + +// Test ReverseConnectionIOHandle::onBelowWriteBufferLowWatermark method (no-op) +TEST_F(ReverseConnectionIOHandleTest, OnBelowWriteBufferLowWatermark) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Call onBelowWriteBufferLowWatermark - should be a no-op. + io_handle_->onBelowWriteBufferLowWatermark(); + // The test passes if no exceptions are thrown. +} + +// Test updateStateGauge() method with null extension. +TEST_F(ReverseConnectionIOHandleTest, UpdateStateGaugeWithNullExtension) { + // Create a test IO handle with null extension BEFORE setting up thread local slot. + auto config = createDefaultTestConfig(); + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + + auto io_handle_null_extension = std::make_unique( + test_fd, config, cluster_manager_, nullptr, *stats_scope_); + + // Call updateConnectionState which internally calls updateStateGauge. + // This should exit early when extension is null. + io_handle_null_extension->updateConnectionState("test-host2", "test-cluster", "test-key2", + ReverseConnectionState::Connected); + + // Now set up thread local slot and create a test IO handle with extension. + setupThreadLocalSlot(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + io_handle_->updateConnectionState("test-host", "test-cluster", "test-key", + ReverseConnectionState::Connected); + + // Verify that stats were updated with extension. + auto stat_map_with_extension = extension_->getCrossWorkerStatMap(); + EXPECT_EQ(stat_map_with_extension["test_scope.reverse_connections.host.test-host.connected"], 1); + EXPECT_EQ( + stat_map_with_extension["test_scope.reverse_connections.cluster.test-cluster.connected"], 1); + + // Check that no stats exist for the null extension call + EXPECT_EQ(stat_map_with_extension["test_scope.reverse_connections.host.test-host2.connected"], 0); +} + +// Test updateStateGauge() method with unknown state. +TEST_F(ReverseConnectionIOHandleTest, UpdateStateGaugeWithUnknownState) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Create a test IO handle with extension. + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // First ensure host entry exists so the updateConnectionState call doesn't fail. + addHostConnectionInfo("test-host", "test-cluster", 1); + + // Call updateConnectionState with an unknown state value. + // We'll use a value that's not in the enum to trigger the default case. + io_handle_->updateConnectionState("test-host", "test-cluster", "test-key", + static_cast(999)); + + // Verify that the unknown state was handled correctly by checking if a gauge was created + // with "unknown" suffix. + auto stat_map = extension_->getCrossWorkerStatMap(); + + // The unknown state should have been handled and a gauge with "unknown" suffix should exist. + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.test-host.unknown"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.test-cluster.unknown"], 1); +} + +// Test ReverseConnectionIOHandle::accept() method - trigger pipe edge cases. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodTriggerPipeEdgeCases) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Test Case 1: Trigger pipe not ready - should return nullptr. + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + + // Create trigger pipe. + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 2: Trigger pipe ready but no data to read (EAGAIN/EWOULDBLOCK) - should return + // nullptr. + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + + // Test Case 3: Trigger pipe closed (read returns 0) - should return nullptr. + ::close(getTriggerPipeWriteFd()); + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + createTriggerPipe(); + + // Test Case 4: Trigger pipe read error (not EAGAIN/EWOULDBLOCK) - should return nullptr. + ::close(getTriggerPipeReadFd()); + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + createTriggerPipe(); + + // Test Case 5: Trigger pipe ready, data read, but no established connections - should return + // nullptr. + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); +} + +// Test ReverseConnectionIOHandle::accept() method - successful accept with address parameters. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSuccessfulWithAddress) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + + // Set up connection info provider with remote address. + auto mock_remote_address = + std::make_shared("192.168.1.100", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12345); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + // Add connection to the established queue. + addConnectionToEstablishedQueue(std::move(mock_connection)); + + // Write trigger byte. + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + // Test accept with address parameters. + struct sockaddr_in addr; + socklen_t addrlen = sizeof(addr); + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_EQ(addrlen, sizeof(addr)); + EXPECT_EQ(addr.sin_family, AF_INET); +} + +// Test ReverseConnectionIOHandle::accept() method - address handling edge cases. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodAddressHandlingEdgeCases) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 1: Address buffer too small for remote address. + { + auto mock_connection = setupMockConnection(); + + auto mock_remote_address = + std::make_shared("192.168.1.101", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12346); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + struct sockaddr_in addr; + socklen_t addrlen = 1; // Too small + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_GT(addrlen, 1); + } + + // Test Case 2: No remote address, fallback to synthetic address. + { + auto mock_connection = setupMockConnection(); + + auto mock_local_address = std::make_shared("127.0.0.1", 12347); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, nullptr); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + struct sockaddr_in addr; + socklen_t addrlen = sizeof(addr); + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_EQ(addrlen, sizeof(addr)); + EXPECT_EQ(addr.sin_family, AF_INET); + EXPECT_EQ(addr.sin_addr.s_addr, htonl(INADDR_LOOPBACK)); + } + + // Test Case 3: Synthetic address buffer too small. + { + auto mock_connection = setupMockConnection(); + + auto mock_local_address = std::make_shared("127.0.0.1", 12348); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = + std::make_unique(mock_local_address, nullptr); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + struct sockaddr_in addr; + socklen_t addrlen = 1; // Too small + auto result = io_handle_->accept(reinterpret_cast(&addr), &addrlen); + + EXPECT_NE(result, nullptr); + EXPECT_GT(addrlen, 1); + } +} + +// Test ReverseConnectionIOHandle::accept() method - successful accept scenarios. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSuccessfulScenarios) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 1: Accept without address parameters. + { + auto mock_connection = setupMockConnection(); + + auto mock_remote_address = + std::make_shared("192.168.1.102", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12349); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::NoFlush)); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_NE(result, nullptr); + } +} + +// Test ReverseConnectionIOHandle::accept() method - socket and file descriptor failures. +TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSocketAndFdFailures) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + + // Test Case 1: Original socket not available or not open. + { + auto mock_connection = std::make_unique>(); + + // Create a mock socket that returns isOpen() = false. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + auto duplicated_handle = std::make_unique>(); + EXPECT_CALL(*duplicated_handle, isOpen()).WillRepeatedly(Return(true)); + return duplicated_handle; + })); + + // Set up socket expectations - but isOpen returns false to simulate failure. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(false)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Create the socket and set up connection expectations. + auto mock_socket = std::unique_ptr(mock_socket_ptr.release()); + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket)); + + auto mock_remote_address = + std::make_shared("192.168.1.103", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12350); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + } + + // Test Case 2: Failed to duplicate file descriptor. + { + auto mock_connection = std::make_unique>(); + + // Create a mock socket with IO handle that fails to duplicate. + auto mock_socket_ptr = std::make_unique>(); + auto mock_io_handle = std::make_unique>(); + + // Set up IO handle expectations - but duplicate returns nullptr to simulate failure. + EXPECT_CALL(*mock_io_handle, resetFileEvents()).WillRepeatedly(Return()); + EXPECT_CALL(*mock_io_handle, isOpen()).WillRepeatedly(Return(true)); + EXPECT_CALL(*mock_io_handle, duplicate()).WillRepeatedly(Invoke([]() { + return std::unique_ptr(nullptr); + })); + + // Set up socket expectations. + EXPECT_CALL(*mock_socket_ptr, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket_ptr, isOpen()).WillRepeatedly(Return(true)); + + // Store the mock_io_handle in the socket before casting. + mock_socket_ptr->io_handle_ = std::move(mock_io_handle); + + // Create the socket and set up connection expectations. + auto mock_socket = std::unique_ptr(mock_socket_ptr.release()); + EXPECT_CALL(*mock_connection, getSocket()).WillRepeatedly(ReturnRef(mock_socket)); + + auto mock_remote_address = + std::make_shared("192.168.1.104", 8080); + auto mock_local_address = std::make_shared("127.0.0.1", 12351); + + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke( + [mock_remote_address, mock_local_address]() -> const Network::ConnectionInfoProvider& { + static auto mock_provider = std::make_unique( + mock_local_address, mock_remote_address); + return *mock_provider; + })); + + addConnectionToEstablishedQueue(std::move(mock_connection)); + + char trigger_byte = 1; + ssize_t bytes_written = ::write(getTriggerPipeWriteFd(), &trigger_byte, 1); + EXPECT_EQ(bytes_written, 1); + + auto result = io_handle_->accept(nullptr, nullptr); + EXPECT_EQ(result, nullptr); + } +} + +/** + * Test class for DownstreamReverseConnectionIOHandle. + */ +class DownstreamReverseConnectionIOHandleTest : public ReverseConnectionIOHandleTest { +protected: + void SetUp() override { + ReverseConnectionIOHandleTest::SetUp(); + + // Initialize io_handle_ for testing. + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock socket for testing. + mock_socket_ = std::make_unique>(); + mock_io_handle_ = std::make_unique>(); + + // Set up basic mock expectations. + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + + // Store the mock_io_handle in the socket. + mock_socket_->io_handle_ = std::move(mock_io_handle_); + } + + void TearDown() override { + mock_socket_.reset(); + ReverseConnectionIOHandleTest::TearDown(); + } + + // Helper to create a DownstreamReverseConnectionIOHandle. + std::unique_ptr + createHandle(ReverseConnectionIOHandle* parent = nullptr, + const std::string& connection_key = "test_connection_key") { + // Create a new mock socket for each handle to avoid releasing the shared one. + auto new_mock_socket = std::make_unique>(); + auto new_mock_io_handle = std::make_unique>(); + + // Set up basic mock expectations. + EXPECT_CALL(*new_mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD + EXPECT_CALL(*new_mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*new_mock_io_handle)); + + // Store the mock_io_handle in the socket. + new_mock_socket->io_handle_ = std::move(new_mock_io_handle); + + auto socket_ptr = std::unique_ptr(new_mock_socket.release()); + return std::make_unique(std::move(socket_ptr), parent, + connection_key); + } + + // Test fixtures. + std::unique_ptr> mock_socket_; + std::unique_ptr> mock_io_handle_; +}; + +// Test constructor and destructor. +TEST_F(DownstreamReverseConnectionIOHandleTest, Setup) { + // Test constructor with parent. + { + auto handle = createHandle(io_handle_.get(), "test_key_1"); + EXPECT_NE(handle, nullptr); + // Test fdDoNotUse() before any other operations. + EXPECT_EQ(handle->fdDoNotUse(), 42); + } // Destructor called here + + // Test constructor without parent. + { + auto handle = createHandle(nullptr, "test_key_2"); + EXPECT_NE(handle, nullptr); + // Test fdDoNotUse() before any other operations. + EXPECT_EQ(handle->fdDoNotUse(), 42); + } // Destructor called here +} + +// Test close() method and all edge cases. +TEST_F(DownstreamReverseConnectionIOHandleTest, CloseMethod) { + // Test with parent - should notify parent and reset socket. + { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Verify that parent is set correctly. + EXPECT_NE(io_handle_.get(), nullptr); + + // First close - should notify parent and reset owned_socket. + auto result1 = handle->close(); + EXPECT_EQ(result1.err_, nullptr); + + // Second close - should return immediately without notifying parent (fd < 0). + auto result2 = handle->close(); + EXPECT_EQ(result2.err_, nullptr); + } +} + +// Test getSocket() method. +TEST_F(DownstreamReverseConnectionIOHandleTest, GetSocket) { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Test getSocket() returns the owned socket. + const auto& socket = handle->getSocket(); + EXPECT_NE(&socket, nullptr); + + // Test getSocket() works on const object. + const auto const_handle = createHandle(io_handle_.get(), "test_key"); + const auto& const_socket = const_handle->getSocket(); + EXPECT_NE(&const_socket, nullptr); + + // Test that getSocket() works before close() is called. + EXPECT_EQ(handle->fdDoNotUse(), 42); +} + +// Test ignoreCloseAndShutdown() functionality. +TEST_F(DownstreamReverseConnectionIOHandleTest, IgnoreCloseAndShutdown) { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Initially, close and shutdown should work normally + // Test shutdown before ignoring - we don't check the result since it depends on base + // implementation + handle->shutdown(SHUT_RDWR); + + // Now enable ignore mode + handle->ignoreCloseAndShutdown(); + + // Test that close() is ignored when flag is set + auto close_result = handle->close(); + EXPECT_EQ(close_result.err_, nullptr); // Should return success but do nothing + + // Test that shutdown() is ignored when flag is set + auto shutdown_result2 = handle->shutdown(SHUT_RDWR); + EXPECT_EQ(shutdown_result2.return_value_, 0); + EXPECT_EQ(shutdown_result2.errno_, 0); + + // Test different shutdown modes are all ignored + auto shutdown_rd = handle->shutdown(SHUT_RD); + EXPECT_EQ(shutdown_rd.return_value_, 0); + EXPECT_EQ(shutdown_rd.errno_, 0); + + auto shutdown_wr = handle->shutdown(SHUT_WR); + EXPECT_EQ(shutdown_wr.return_value_, 0); + EXPECT_EQ(shutdown_wr.errno_, 0); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc new file mode 100644 index 0000000000000..ab7ebfc075e32 --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver_test.cc @@ -0,0 +1,199 @@ +#include "envoy/config/core/v3/address.pb.h" + +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_resolver.h" + +#include "test/test_common/logging.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseConnectionResolverTest : public testing::Test { +protected: + void SetUp() override {} + + // Helper function to create a valid socket address. + envoy::config::core::v3::SocketAddress createSocketAddress(const std::string& address, + uint32_t port = 0) { + envoy::config::core::v3::SocketAddress socket_address; + socket_address.set_address(address); + socket_address.set_port_value(port); + return socket_address; + } + + // Helper function to create a valid reverse connection address string. + std::string createReverseConnectionAddress(const std::string& src_node_id, + const std::string& src_cluster_id, + const std::string& src_tenant_id, + const std::string& cluster_name, uint32_t count) { + return fmt::format("rc://{}:{}:{}@{}:{}", src_node_id, src_cluster_id, src_tenant_id, + cluster_name, count); + } + + // Helper function to access the private extractReverseConnectionConfig method. + absl::StatusOr + extractReverseConnectionConfig(const envoy::config::core::v3::SocketAddress& socket_address) { + return resolver_.extractReverseConnectionConfig(socket_address); + } + + ReverseConnectionResolver resolver_; + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); +}; + +// Test the name() method. +TEST_F(ReverseConnectionResolverTest, Name) { + EXPECT_EQ(resolver_.name(), "envoy.resolvers.reverse_connection"); +} + +// Test successful resolution of a valid reverse connection address. +TEST_F(ReverseConnectionResolverTest, ResolveValidAddress) { + std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", + "test-tenant", "remote-cluster", 5); + auto socket_address = createSocketAddress(address_str); + + auto result = resolver_.resolve(socket_address); + EXPECT_TRUE(result.ok()); + + auto resolved_address = result.value(); + EXPECT_NE(resolved_address, nullptr); + + // Verify it's a ReverseConnectionAddress. + auto reverse_address = + std::dynamic_pointer_cast(resolved_address); + EXPECT_NE(reverse_address, nullptr); + + // Verify the configuration. + const auto& config = reverse_address->reverseConnectionConfig(); + EXPECT_EQ(config.src_node_id, "test-node"); + EXPECT_EQ(config.src_cluster_id, "test-cluster"); + EXPECT_EQ(config.src_tenant_id, "test-tenant"); + EXPECT_EQ(config.remote_cluster, "remote-cluster"); + EXPECT_EQ(config.connection_count, 5); +} + +// Test resolution failure for non-reverse connection address. +TEST_F(ReverseConnectionResolverTest, ResolveNonReverseConnectionAddress) { + auto socket_address = createSocketAddress("127.0.0.1"); + + auto result = resolver_.resolve(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Address must start with 'rc://'")); +} + +// Test resolution failure for non-zero port. +TEST_F(ReverseConnectionResolverTest, ResolveNonZeroPort) { + std::string address_str = createReverseConnectionAddress("test-node", "test-cluster", + "test-tenant", "remote-cluster", 5); + auto socket_address = createSocketAddress(address_str, 8080); // Non-zero port + + auto result = resolver_.resolve(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Only port 0 is supported")); +} + +// Test successful extraction of reverse connection config. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigValid) { + std::string address_str = createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", + "remote-cluster-abc", 10); + auto socket_address = createSocketAddress(address_str); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_TRUE(result.ok()); + + const auto& config = result.value(); + EXPECT_EQ(config.src_node_id, "node-123"); + EXPECT_EQ(config.src_cluster_id, "cluster-456"); + EXPECT_EQ(config.src_tenant_id, "tenant-789"); + EXPECT_EQ(config.remote_cluster, "remote-cluster-abc"); + EXPECT_EQ(config.connection_count, 10); +} + +// Test resolution failure for invalid format, +TEST_F(ReverseConnectionResolverTest, ResolveInvalidFormat) { + auto socket_address = createSocketAddress("rc://node:cluster:tenant:cluster:5"); // Missing @ + + auto result = resolver_.resolve(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), + testing::HasSubstr("Invalid reverse connection address format")); +} + +// Test extraction failure for invalid source info format. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidSourceInfo) { + auto socket_address = createSocketAddress("rc://node:cluster@remote:5"); // Missing tenant_id + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid source info format")); +} + +// Test extraction failure for empty node ID. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigEmptyNodeId) { + auto socket_address = createSocketAddress("rc://:cluster:tenant@remote:5"); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Source node ID cannot be empty")); +} + +// Test extraction failure for empty cluster ID. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigEmptyClusterId) { + auto socket_address = createSocketAddress("rc://node::tenant@remote:5"); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Source cluster ID cannot be empty")); +} + +// Test extraction failure for invalid cluster config format. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidClusterConfig) { + auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote"); // Missing count + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid cluster config format")); +} + +// Test extraction failure for invalid connection count. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigInvalidCount) { + auto socket_address = createSocketAddress("rc://node:cluster:tenant@remote:invalid"); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_FALSE(result.ok()); + EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument); + EXPECT_THAT(result.status().message(), testing::HasSubstr("Invalid connection count")); +} + +// Test extraction with zero connection count. +TEST_F(ReverseConnectionResolverTest, ExtractReverseConnectionConfigZeroCount) { + std::string address_str = + createReverseConnectionAddress("node-123", "cluster-456", "tenant-789", "remote-cluster", 0); + auto socket_address = createSocketAddress(address_str); + + auto result = extractReverseConnectionConfig(socket_address); + EXPECT_TRUE(result.ok()); + + const auto& config = result.value(); + EXPECT_EQ(config.connection_count, 0); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc new file mode 100644 index 0000000000000..a65d65e09413a --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension_test.cc @@ -0,0 +1,583 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +class ReverseTunnelInitiatorExtensionTest : public testing::Test { +protected: + ReverseTunnelInitiatorExtensionTest() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface. + socket_interface_ = std::make_unique(context_); + + // Create the extension. + extension_ = std::make_unique(context_, config_); + } + + // Helper function to set up thread local slot for tests. + void setupThreadLocalSlot() { + // Create a thread local registry. + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method. + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + } + + void setupAnotherThreadLocalSlot() { + // Create a thread local registry for the other dispatcher. + another_thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + another_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + another_tls_slot_->set( + [registry = another_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Set the slot in the extension using the test-only method. + extension_->setTestOnlyTLSRegistry(std::move(another_tls_slot_)); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + std::unique_ptr> another_tls_slot_; + std::shared_ptr another_thread_local_registry_; +}; + +// Basic functionality tests. +TEST_F(ReverseTunnelInitiatorExtensionTest, InitializeWithDefaultConfig) { + // Test with empty config (should initialize successfully). + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface empty_config; + + auto extension_with_default = + std::make_unique(context_, empty_config); + + EXPECT_NE(extension_with_default, nullptr); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, OnServerInitialized) { + // This should be a no-op. + extension_->onServerInitialized(); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, OnWorkerThreadInitialized) { + // Test that onWorkerThreadInitialized creates thread local slot. + extension_->onWorkerThreadInitialized(); + + // Verify that the thread local slot was created by checking getLocalRegistry. + EXPECT_NE(extension_->getLocalRegistry(), nullptr); +} + +// Thread local registry access tests. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryBeforeInitialization) { + // Before tls_slot_ is set, getLocalRegistry should return nullptr. + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, GetLocalRegistryAfterInitialization) { + + // First test with uninitialized TLS. + EXPECT_EQ(extension_->getLocalRegistry(), nullptr); + + // Initialize the thread local slot. + setupThreadLocalSlot(); + + // Now getLocalRegistry should return the actual registry. + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); + + // Test multiple calls return same registry. + auto* registry2 = extension_->getLocalRegistry(); + EXPECT_EQ(registry, registry2); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, GetStatsScope) { + // Test that getStatsScope returns the correct scope. + EXPECT_EQ(&extension_->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, DownstreamSocketThreadLocalScope) { + // Set up thread local slot first. + setupThreadLocalSlot(); + + // Get the thread local registry. + auto* registry = extension_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + + // Test that the scope() method returns the correct scope. + EXPECT_EQ(®istry->scope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsIncrement) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Test updateConnectionStats with increment=true. + std::string node_id = "test-node-123"; + std::string cluster_id = "test-cluster-456"; + std::string state_suffix = "connecting"; + + // Call updateConnectionStats to increment. + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + + // Verify that the correct stats were created and incremented using cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + + std::string expected_node_stat = + fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = + fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + + EXPECT_EQ(stat_map[expected_node_stat], 1); + EXPECT_EQ(stat_map[expected_cluster_stat], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsDecrement) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Test updateConnectionStats with increment=false. + std::string node_id = "test-node-789"; + std::string cluster_id = "test-cluster-012"; + std::string state_suffix = "connected"; + + // First increment to have something to decrement. + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, true); + + // Verify incremented values using cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + std::string expected_node_stat = + fmt::format("test_scope.reverse_connections.host.{}.{}", node_id, state_suffix); + std::string expected_cluster_stat = + fmt::format("test_scope.reverse_connections.cluster.{}.{}", cluster_id, state_suffix); + + EXPECT_EQ(stat_map[expected_node_stat], 2); + EXPECT_EQ(stat_map[expected_cluster_stat], 2); + + // Now decrement. + extension_->updateConnectionStats(node_id, cluster_id, state_suffix, false); + + // Get updated stats after decrement. + stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map[expected_node_stat], 1); + EXPECT_EQ(stat_map[expected_cluster_stat], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsMultipleStates) { + // Set up thread local slot first so stats can be properly tracked. + setupThreadLocalSlot(); + + // Test updateConnectionStats with multiple different states. + std::string node_id = "test-node-multi"; + std::string cluster_id = "test-cluster-multi"; + + // Create stats for different states. + extension_->updateConnectionStats(node_id, cluster_id, "connecting", true); + extension_->updateConnectionStats(node_id, cluster_id, "connected", true); + extension_->updateConnectionStats(node_id, cluster_id, "failed", true); + + // Verify all states have separate gauges using cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connecting", node_id)], 1); + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.connected", node_id)], 1); + EXPECT_EQ(stat_map[fmt::format("test_scope.reverse_connections.host.{}.failed", node_id)], 1); +} + +TEST_F(ReverseTunnelInitiatorExtensionTest, UpdateConnectionStatsEmptyValues) { + // Test updateConnectionStats with empty values - should not update stats. + auto& stats_store = extension_->getStatsScope(); + + // Empty host_id - should not create/update stats. + extension_->updateConnectionStats("", "test-cluster", "connecting", true); + auto& empty_host_gauge = stats_store.gaugeFromString("reverse_connections.host..connecting", + Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_host_gauge.value(), 0); + + // Empty cluster_id - should not create/update stats. + extension_->updateConnectionStats("test-host", "", "connecting", true); + auto& empty_cluster_gauge = stats_store.gaugeFromString("reverse_connections.cluster..connecting", + Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_cluster_gauge.value(), 0); + + // Empty state_suffix - should not create/update stats. + extension_->updateConnectionStats("test-host", "test-cluster", "", true); + auto& empty_state_gauge = stats_store.gaugeFromString("reverse_connections.host.test-host.", + Stats::Gauge::ImportMode::Accumulate); + EXPECT_EQ(empty_state_gauge.value(), 0); +} + +// Test per-worker stats aggregation for one thread only (test thread) +TEST_F(ReverseTunnelInitiatorExtensionTest, GetPerWorkerStatMapSingleThread) { + // Set up thread local slot first. + setupThreadLocalSlot(); + + // Update per-worker stats for the current (test) thread. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", true); + extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); + extension_->updatePerWorkerConnectionStats("host2", "cluster2", "connected", true); + + // Get the per-worker stat map. + auto stat_map = extension_->getPerWorkerStatMap(); + + // Verify the stats are collected correctly for worker_0. + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.host.host2.connected"], 2); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], 1); + EXPECT_EQ(stat_map["test_scope.reverse_connections.worker_0.cluster.cluster2.connected"], 2); + + // Verify that only worker_0 stats are included. + for (const auto& [stat_name, value] : stat_map) { + EXPECT_TRUE(stat_name.find("worker_0") != std::string::npos); + } +} + +// Test cross-thread stat map functions using multiple dispatchers. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetCrossWorkerStatMapMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0. + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment twice + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + + // Temporarily switch the thread local registry to simulate updates from worker_1. + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1. + extension_->updateConnectionStats("host1", "cluster1", "connecting", + true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "failed", true); // New host from worker_1 + + // Restore the original registry. + thread_local_registry_ = original_registry; + + // Get the cross-worker stat map. + auto stat_map = extension_->getCrossWorkerStatMap(); + + // Verify that cross-worker stats are collected correctly across multiple dispatchers. + // host1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 3); + // host2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 1); + // host3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); + + // cluster1: incremented 3 times total (2 from worker_0 + 1 from worker_1) + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 3); + // cluster2: incremented 1 time from worker_0 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 1); + // cluster3: incremented 1 time from worker_1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. + // with the same names increments the existing gauges (not creates new ones) + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); // Increment again + extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 + + // Get stats again to verify the same gauges were updated. + stat_map = extension_->getCrossWorkerStatMap(); + + // Verify the gauge values were updated correctly (StatNameManagedStorage ensures same gauge) + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host1.connecting"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster1.connecting"], 4); // 3 + 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster2.connected"], 0); // 1 - 1 + EXPECT_EQ(stat_map["test_scope.reverse_connections.host.host3.failed"], 1); // unchanged + EXPECT_EQ(stat_map["test_scope.reverse_connections.cluster.cluster3.failed"], 1); // unchanged + + // Test per-worker decrement operations to cover the per-worker decrement code paths. + // First, test decrements from worker_0 context. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", + false); // Decrement from worker_0 + + // Get per-worker stats to verify decrements worked correctly for worker_0. + auto per_worker_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_0 stats were decremented correctly. + EXPECT_EQ(per_worker_stat_map["test_scope.reverse_connections.worker_0.host.host1.connecting"], + 3); // 4 - 1 + EXPECT_EQ( + per_worker_stat_map["test_scope.reverse_connections.worker_0.cluster.cluster1.connecting"], + 3); // 4 - 1 + + // Now test decrements from worker_1 context. + thread_local_registry_ = another_thread_local_registry_; + + // Decrement some stats from worker_1. + extension_->updatePerWorkerConnectionStats("host1", "cluster1", "connecting", + false); // Decrement from worker_1 + extension_->updatePerWorkerConnectionStats("host3", "cluster3", "failed", + false); // Decrement host3 to 0 + + // Get per-worker stats from worker_1 context. + auto worker1_stat_map = extension_->getPerWorkerStatMap(); + + // Verify worker_1 stats were decremented correctly. + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host1.connecting"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster1.connecting"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.host.host3.failed"], + 0); // 1 - 1 + EXPECT_EQ(worker1_stat_map["test_scope.reverse_connections.worker_1.cluster.cluster3.failed"], + 0); // 1 - 1 + + // Restore original registry. + thread_local_registry_ = original_registry; +} + +// Test getConnectionStatsSync using multiple dispatchers. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncMultiThread) { + // Set up thread local slot for the test thread (dispatcher name: "worker_0") + setupThreadLocalSlot(); + + // Set up another thread local slot for a different dispatcher (dispatcher name: "worker_1") + setupAnotherThreadLocalSlot(); + + // Simulate stats updates from worker_0. + extension_->updateConnectionStats("host1", "cluster1", "connected", true); + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment twice + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + + // Simulate stats updates from worker_1. + // Temporarily switch the thread local registry to simulate the other dispatcher. + auto original_registry = thread_local_registry_; + thread_local_registry_ = another_thread_local_registry_; + + // Update stats from worker_1. + extension_->updateConnectionStats("host1", "cluster1", "connected", + true); // Increment from worker_1 + extension_->updateConnectionStats("host3", "cluster3", "connected", + true); // New host from worker_1 + + // Restore the original registry. + thread_local_registry_ = original_registry; + + // Get connection stats synchronously. + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [connected_nodes, accepted_connections] = result; + + // Verify the result contains the expected data. + EXPECT_FALSE(connected_nodes.empty() || accepted_connections.empty()); + + // Verify that we have the expected host and cluster data. + // host1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") != + connected_nodes.end()); + // host2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != + connected_nodes.end()); + // host3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") != + connected_nodes.end()); + + // cluster1: should be present (incremented 3 times total) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") != + accepted_connections.end()); + // cluster2: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + // cluster3: should be present (incremented 1 time) + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") != + accepted_connections.end()); + + // Test StatNameManagedStorage behavior: verify that calling updateConnectionStats again. + // with the same names updates the existing gauges and the sync result reflects this + extension_->updateConnectionStats("host1", "cluster1", "connected", true); // Increment again + extension_->updateConnectionStats("host2", "cluster2", "connected", false); // Decrement to 0 + + // Get connection stats again to verify the updated values. + result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [updated_connected_nodes, updated_accepted_connections] = result; + + // Verify that host2 is no longer present (gauge value is 0) + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host2") == + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster2") == updated_accepted_connections.end()); + + // Verify that host1 and host3 are still present. + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host1") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_connected_nodes.begin(), updated_connected_nodes.end(), "host3") != + updated_connected_nodes.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster1") != updated_accepted_connections.end()); + EXPECT_TRUE(std::find(updated_accepted_connections.begin(), updated_accepted_connections.end(), + "cluster3") != updated_accepted_connections.end()); +} + +// Test getConnectionStatsSync with timeouts. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncTimeout) { + // Test with a very short timeout to verify timeout behavior. + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(1)); + + // With no connections and short timeout, should return empty results. + auto& [connected_nodes, accepted_connections] = result; + EXPECT_TRUE(connected_nodes.empty()); + EXPECT_TRUE(accepted_connections.empty()); +} + +// Test getConnectionStatsSync filters only "connected" state. +TEST_F(ReverseTunnelInitiatorExtensionTest, GetConnectionStatsSyncFiltersConnectedState) { + // Set up thread local slot. + setupThreadLocalSlot(); + + // Add connections with different states. + extension_->updateConnectionStats("host1", "cluster1", "connecting", true); + extension_->updateConnectionStats("host2", "cluster2", "connected", true); + extension_->updateConnectionStats("host3", "cluster3", "failed", true); + extension_->updateConnectionStats("host4", "cluster4", "connected", true); + + // Get connection stats synchronously. + auto result = extension_->getConnectionStatsSync(std::chrono::milliseconds(100)); + auto& [connected_nodes, accepted_connections] = result; + + // Should only include hosts/clusters with "connected" state. + EXPECT_EQ(connected_nodes.size(), 2); + EXPECT_EQ(accepted_connections.size(), 2); + + // Verify only connected hosts are included. + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host2") != + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host4") != + connected_nodes.end()); + + // Verify connecting and failed hosts are NOT included. + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host1") == + connected_nodes.end()); + EXPECT_TRUE(std::find(connected_nodes.begin(), connected_nodes.end(), "host3") == + connected_nodes.end()); + + // Verify only connected clusters are included. + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster2") != + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster4") != + accepted_connections.end()); + + // Verify connecting and failed clusters are NOT included. + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster1") == + accepted_connections.end()); + EXPECT_TRUE(std::find(accepted_connections.begin(), accepted_connections.end(), "cluster3") == + accepted_connections.end()); +} + +// Configuration validation tests. +class ConfigValidationTest : public testing::Test { +protected: + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + + ConfigValidationTest() { + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + } +}; + +TEST_F(ConfigValidationTest, ValidConfiguration) { + // Test that valid configuration gets accepted. + ReverseTunnelInitiator initiator(context_); + + // Should not throw when creating bootstrap extension. + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyConfiguration) { + // Test that empty configuration still works. + ReverseTunnelInitiator initiator(context_); + + // Should not throw with empty config. + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +TEST_F(ConfigValidationTest, EmptyStatPrefix) { + // Test that empty stat_prefix still works with default. + ReverseTunnelInitiator initiator(context_); + + // Should not throw and should use default prefix. + EXPECT_NO_THROW(initiator.createBootstrapExtension(config_, context_)); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc new file mode 100644 index 0000000000000..0c488e1cce4df --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_test.cc @@ -0,0 +1,377 @@ +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/network/address_impl.h" +#include "source/common/network/utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_address.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" +#include "test/test_common/logging.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// ReverseTunnelInitiator Test Class. + +class ReverseTunnelInitiatorTest : public testing::Test { +protected: + ReverseTunnelInitiatorTest() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface. + socket_interface_ = std::make_unique(context_); + + // Create the extension. + extension_ = std::make_unique(context_, config_); + } + + // Thread Local Setup Helpers. + + // Helper function to set up thread local slot for tests. + void setupThreadLocalSlot() { + // First, call onServerInitialized to set up the extension reference properly. + extension_->onServerInitialized(); + + // Create a thread local registry with the properly initialized extension. + thread_local_registry_ = + std::make_shared(dispatcher_, *stats_scope_); + + // Create the actual TypedSlot. + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the slot to return our registry. + tls_slot_->set([registry = thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version. + extension_->setTestOnlyTLSRegistry(std::move(tls_slot_)); + + // Set the extension reference in the socket interface. + socket_interface_->extension_ = extension_.get(); + } + + // Helper to create a test address. + Network::Address::InstanceConstSharedPtr createTestAddress(const std::string& ip = "127.0.0.1", + uint32_t port = 8080) { + return Network::Utility::parseInternetAddressNoThrow(ip, port); + } + + void TearDown() override { + tls_slot_.reset(); + thread_local_registry_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + + // Real thread local slot and registry. + std::unique_ptr> tls_slot_; + std::shared_ptr thread_local_registry_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); +}; + +TEST_F(ReverseTunnelInitiatorTest, CreateBootstrapExtension) { + // Test createBootstrapExtension function. + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config; + + auto extension = socket_interface_->createBootstrapExtension(config, context_); + EXPECT_NE(extension, nullptr); + + // Verify extension is stored in socket interface. + EXPECT_NE(socket_interface_->getExtension(), nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateEmptyConfigProto) { + // Test createEmptyConfigProto function. + auto config = socket_interface_->createEmptyConfigProto(); + EXPECT_NE(config, nullptr); + + // Should be able to cast to the correct type. + auto* typed_config = + dynamic_cast(config.get()); + EXPECT_NE(typed_config, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, IpFamilySupported) { + // Test IP family support. + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET)); + EXPECT_TRUE(socket_interface_->ipFamilySupported(AF_INET6)); + EXPECT_FALSE(socket_interface_->ipFamilySupported(AF_UNIX)); +} + +TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryNoExtension) { + // Test getLocalRegistry when extension is not set. + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_EQ(registry, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, GetLocalRegistryWithExtension) { + // Test getLocalRegistry when extension is set. + setupThreadLocalSlot(); + + auto* registry = socket_interface_->getLocalRegistry(); + EXPECT_NE(registry, nullptr); + EXPECT_EQ(registry, thread_local_registry_.get()); +} + +TEST_F(ReverseTunnelInitiatorTest, FactoryName) { + EXPECT_EQ(socket_interface_->name(), + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv4) { + // Test basic socket creation for IPv4. + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v4, false, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodBasicIPv6) { + // Test basic socket creation for IPv6. + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, Network::Address::Type::Ip, + Network::Address::IpVersion::v6, false, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodDatagram) { + // Test datagram socket creation. + auto socket = socket_interface_->socket( + Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + false, Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodUnixDomain) { + // Test Unix domain socket creation. + auto socket = socket_interface_->socket( + Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, + false, Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv4) { + // Test socket creation with IPv4 address. + auto address = std::make_shared("127.0.0.1", 8080); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithAddressIPv6) { + // Test socket creation with IPv6 address. + auto address = std::make_shared("::1", 8080); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithReverseConnectionAddress) { + // Test socket creation with ReverseConnectionAddress. + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_cluster = "remote-cluster"; + config.connection_count = 2; + + auto reverse_address = std::make_shared(config); + + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle (not a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv4) { + // Test createReverseConnectionSocket for stream IPv4 with TLS registry setup. + setupThreadLocalSlot(); + + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); + + // Verify that the TLS registry scope is being used. + // The socket should be created with the scope from TLS registry, not context scope. + EXPECT_EQ(&reverse_handle->getDownstreamExtension()->getStatsScope(), stats_scope_.get()); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketStreamIPv6) { + // Test createReverseConnectionSocket for stream IPv6. + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v6, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_NE(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketDatagram) { + // Test createReverseConnectionSocket for datagram (should fallback to regular socket) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Datagram, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle. + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketNonIP) { + // Test createReverseConnectionSocket for non-IP address (should fallback to regular socket) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Pipe, Network::Address::IpVersion::v4, + config); + + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); + + // Verify it's NOT a ReverseConnectionIOHandle (should be a regular socket) + auto* reverse_handle = dynamic_cast(socket.get()); + EXPECT_EQ(reverse_handle, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, CreateReverseConnectionSocketEmptyRemoteClusters) { + // Test createReverseConnectionSocket with empty remote_clusters (should return early) + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.src_tenant_id = "test-tenant"; + // No remote_clusters added - should return early. + + auto socket = socket_interface_->createReverseConnectionSocket( + Network::Socket::Type::Stream, Network::Address::Type::Ip, Network::Address::IpVersion::v4, + config); + + // Should return nullptr due to empty remote_clusters. + EXPECT_EQ(socket, nullptr); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithEmptyReverseConnectionAddress) { + // Test socket creation with empty ReverseConnectionAddress. + ReverseConnectionAddress::ReverseConnectionConfig config; + config.src_cluster_id = ""; + config.src_node_id = ""; + config.src_tenant_id = ""; + config.remote_cluster = ""; + config.connection_count = 0; + + auto reverse_address = std::make_shared(config); + + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, reverse_address, + Network::SocketCreationOptions{}); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +TEST_F(ReverseTunnelInitiatorTest, SocketMethodWithSocketCreationOptions) { + // Test socket creation with socket creation options. + Network::SocketCreationOptions options; + options.mptcp_enabled_ = true; + options.max_addresses_cache_size_ = 100; + + auto address = std::make_shared("127.0.0.1", 0); + auto socket = socket_interface_->socket(Network::Socket::Type::Stream, address, options); + EXPECT_NE(socket, nullptr); + EXPECT_TRUE(socket->isOpen()); +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc index ea1f5231176d8..bd803318597d5 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_reverse_connection_io_handle_test.cc @@ -1,5 +1,7 @@ +#include + #include "source/common/network/utility.h" -#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_connection_io_handle.h" #include "test/mocks/network/mocks.h" @@ -16,9 +18,9 @@ namespace Extensions { namespace Bootstrap { namespace ReverseConnection { -class TestUpstreamReverseConnectionIOHandle : public testing::Test { +class UpstreamReverseConnectionIOHandleTest : public testing::Test { protected: - TestUpstreamReverseConnectionIOHandle() { + UpstreamReverseConnectionIOHandleTest() { mock_socket_ = std::make_unique>(); auto mock_io_handle = std::make_unique>(); @@ -37,7 +39,7 @@ class TestUpstreamReverseConnectionIOHandle : public testing::Test { std::unique_ptr io_handle_; }; -TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { +TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); auto result = io_handle_->connect(address); @@ -46,50 +48,24 @@ TEST_F(TestUpstreamReverseConnectionIOHandle, ConnectReturnsSuccess) { EXPECT_EQ(result.errno_, 0); } -TEST_F(TestUpstreamReverseConnectionIOHandle, CloseCleansUpSocket) { +TEST_F(UpstreamReverseConnectionIOHandleTest, CloseCleansUpSocket) { auto result = io_handle_->close(); EXPECT_EQ(result.err_, nullptr); } -TEST_F(TestUpstreamReverseConnectionIOHandle, GetSocketReturnsConstReference) { +TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsConstReference) { const auto& socket = io_handle_->getSocket(); EXPECT_NE(&socket, nullptr); } -class UpstreamReverseConnectionIOHandleTest : public testing::Test { -protected: - void SetUp() override { - auto socket = std::make_unique>(); - - auto mock_io_handle = std::make_unique>(); - EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(123)); - EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); - - socket->io_handle_ = std::move(mock_io_handle); - - handle_ = - std::make_unique(std::move(socket), "test-cluster"); - } - - std::unique_ptr handle_; -}; - -TEST_F(UpstreamReverseConnectionIOHandleTest, ConnectReturnsSuccess) { - auto address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 8080); - - auto result = handle_->connect(address); - +TEST_F(UpstreamReverseConnectionIOHandleTest, ShutdownIgnoredWhenOwned) { + auto result = io_handle_->shutdown(SHUT_RDWR); EXPECT_EQ(result.return_value_, 0); EXPECT_EQ(result.errno_, 0); } -TEST_F(UpstreamReverseConnectionIOHandleTest, GetSocketReturnsValidReference) { - const auto& socket = handle_->getSocket(); - EXPECT_NE(&socket, nullptr); -} - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/test/mocks/network/connection.h b/test/mocks/network/connection.h index 31ac1c806bf8f..59bf4be7d5af8 100644 --- a/test/mocks/network/connection.h +++ b/test/mocks/network/connection.h @@ -85,6 +85,9 @@ class MockConnectionBase { MOCK_METHOD(void, setBufferLimits, (uint32_t limit)); \ MOCK_METHOD(uint32_t, bufferLimit, (), (const)); \ MOCK_METHOD(bool, aboveHighWatermark, (), (const)); \ + MOCK_METHOD(Network::ConnectionSocketPtr&, getSocket, (), (const)); \ + MOCK_METHOD(void, setSocketReused, (bool value)); \ + MOCK_METHOD(bool, isSocketReused, ()); \ MOCK_METHOD(const Network::ConnectionSocket::OptionsSharedPtr&, socketOptions, (), (const)); \ MOCK_METHOD(StreamInfo::StreamInfo&, streamInfo, ()); \ MOCK_METHOD(const StreamInfo::StreamInfo&, streamInfo, (), (const)); \ diff --git a/test/server/api_listener_test.cc b/test/server/api_listener_test.cc index 4611a37fe3e36..742018f5a9b65 100644 --- a/test/server/api_listener_test.cc +++ b/test/server/api_listener_test.cc @@ -290,6 +290,47 @@ name: test_api_listener EXPECT_DEATH(read_callbacks.socket(), "not implemented"); } +// Test the new socket management methods added to Network::Connection interface +TEST_F(ApiListenerTest, SyntheticConnectionSocketMethods) { + const std::string yaml = R"EOF( +name: test_api_listener +address: + socket_address: + address: 127.0.0.1 + port_value: 1234 +api_listener: + api_listener: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: hcm + route_config: + name: api_router + virtual_hosts: + - name: api + domains: + - "*" + routes: + - match: + prefix: "/" + route: + cluster: dynamic_forward_proxy_cluster + )EOF"; + + const envoy::config::listener::v3::Listener config = parseListenerFromV3Yaml(yaml); + server_.server_factory_context_->cluster_manager_.initializeClusters( + {"dynamic_forward_proxy_cluster"}, {}); + HttpApiListenerFactory factory; + auto http_api_listener = factory.create(config, server_, config.name()).value(); + + auto api_listener = http_api_listener->createHttpApiListener(server_.dispatcher()); + ASSERT_NE(api_listener, nullptr); + auto& connection = dynamic_cast(api_listener.get()) + ->readCallbacks() + .connection(); + + // Test getSocket() - should PANIC for SyntheticConnection + EXPECT_DEATH(connection.getSocket(), "not implemented"); +} + // Verify base address access and drain decision behavior. TEST_F(ApiListenerTest, NewStreamHandleReturnsDecoderHandle) { const std::string yaml = R"EOF( diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 245920af2d934..bd4915bb4ad60 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -324,6 +324,8 @@ paths: - test/extensions/filters/http/common/fuzz/uber_filter.h - test/extensions/http/cache/file_system_http_cache/cache_file_header_proto_util_test.cc - test/tools/router_check/router_check.cc + - source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc + - test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc # Files in these paths can use std::regex std_regex: diff --git a/tools/extensions/extensions_schema.yaml b/tools/extensions/extensions_schema.yaml index 03e48628f01c8..c96efd33cfd89 100644 --- a/tools/extensions/extensions_schema.yaml +++ b/tools/extensions/extensions_schema.yaml @@ -120,6 +120,7 @@ categories: - envoy.common.key_value - envoy.network.dns_resolver - envoy.network.connection_balance +- envoy.resolvers - envoy.rbac.matchers - envoy.rbac.principals - envoy.rbac.audit_loggers diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index d00f0c2cdbdcb..2fbc45cc57e1c 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -2,6 +2,11 @@ # lower case and title case (e.g. HTTP will accept http and Http). Entries in all lower case # will accept title case (e.g. lyft matches Lyft). Prefixes (e.g., un-) or suffixes (e.g. -ing) # are allowed for any otherwise correctly spelled word. + +addrlen +itr +STREQ +htonl ABI ACK ACL From 98bf5de9966f517b6629ec6d10dc6aff16bb9bed Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Wed, 10 Sep 2025 14:39:11 -0400 Subject: [PATCH 384/505] dns: adding c-ares DNS resolving integration test under extension specific folder (#40987) This is a follow up of https://github.com/envoyproxy/envoy/pull/40938 It's the 7th step to address: https://github.com/envoyproxy/envoy/issues/39900 While we are trying to remove c-ares from integration tests in different components, this PR adds back a couple c-ares integration test cases under c-ares extension to make sure c-ares DNS resolving is covered in integration test. --------- Signed-off-by: Yanjun Xiang --- .../network/dns_resolver/cares/BUILD | 11 ++++ .../cares/dns_impl_integration_test.cc | 57 +++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc diff --git a/test/extensions/network/dns_resolver/cares/BUILD b/test/extensions/network/dns_resolver/cares/BUILD index 92405960686f2..783c531855cf4 100644 --- a/test/extensions/network/dns_resolver/cares/BUILD +++ b/test/extensions/network/dns_resolver/cares/BUILD @@ -39,3 +39,14 @@ envoy_cc_test( "@envoy_api//envoy/config/core/v3:pkg_cc_proto", ], ) + +envoy_cc_test( + name = "dns_impl_integration_test", + srcs = ["dns_impl_integration_test.cc"], + tags = ["fails_on_clang_cl"], + deps = [ + "//source/extensions/clusters/dns:dns_cluster_lib", + "//source/extensions/network/dns_resolver/cares:config", + "//test/integration:http_integration_lib", + ], +) diff --git a/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc b/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc new file mode 100644 index 0000000000000..e3d65187a8b26 --- /dev/null +++ b/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc @@ -0,0 +1,57 @@ +#include "test/integration/http_integration.h" + +namespace Envoy { +namespace Network { +namespace { + +class DnsImplIntegrationTest : public testing::TestWithParam, + public HttpIntegrationTest { +public: + DnsImplIntegrationTest() : HttpIntegrationTest(Http::CodecType::HTTP2, GetParam()) {} +}; + +INSTANTIATE_TEST_SUITE_P(IpVersions, DnsImplIntegrationTest, + testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + TestUtility::ipTestParamsToString); + +TEST_P(DnsImplIntegrationTest, LogicalDnsWithCaresResolver) { + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + RELEASE_ASSERT(bootstrap.mutable_static_resources()->clusters_size() == 1, ""); + auto& cluster = *bootstrap.mutable_static_resources()->mutable_clusters(0); + cluster.set_type(envoy::config::cluster::v3::Cluster::LOGICAL_DNS); + cluster.set_dns_lookup_family(envoy::config::cluster::v3::Cluster::ALL); + }); + config_helper_.addConfigModifier( + [](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) { + auto* route = hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0); + route->mutable_route()->mutable_auto_host_rewrite()->set_value(true); + }); + initialize(); + codec_client_ = makeHttpConnection(lookupPort("http")); + auto response = + sendRequestAndWaitForResponse(default_request_headers_, 0, default_response_headers_, 0); + + ASSERT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); +} + +TEST_P(DnsImplIntegrationTest, StrictDnsWithCaresResolver) { + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + RELEASE_ASSERT(bootstrap.mutable_static_resources()->clusters_size() == 1, ""); + auto& cluster = *bootstrap.mutable_static_resources()->mutable_clusters(0); + cluster.set_type(envoy::config::cluster::v3::Cluster::STRICT_DNS); + cluster.set_dns_lookup_family(envoy::config::cluster::v3::Cluster::ALL); + }); + initialize(); + codec_client_ = makeHttpConnection(lookupPort("http")); + auto response = + sendRequestAndWaitForResponse(default_request_headers_, 0, default_response_headers_, 0); + + ASSERT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().getStatusValue()); +} + +} // namespace +} // namespace Network +} // namespace Envoy From 0f7d63e81474266339e492213a334f41772a5486 Mon Sep 17 00:00:00 2001 From: phlax Date: Wed, 10 Sep 2025 19:39:28 +0100 Subject: [PATCH 385/505] changelog: Add for docker/distroless fix (#40980) Signed-off-by: Ryan Northey --- changelogs/current.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 2d08d8fa32674..e0bc7f46dc4cd 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -124,6 +124,9 @@ bug_fixes: change: | Fixed a use-after-free (UAF) in DNS cache that can occur when the ``Host`` header is modified between the Dynamic Forwarding Proxy and Router filters. +- area: release + change: | + Fix distroless image to ensure nonroot. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` From 9a5db8a8761d5978ca26bc6c9acb2e0f54589f5a Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 10 Sep 2025 19:08:20 -0700 Subject: [PATCH 386/505] network: add additional methods on connection management interface (#40302) ## Description This PR adds new virtual methods to the `Network::Connection` interface to support socket ownership transfer which we need for the incoming reverse connections feature. We are adding a new method `getSocket()` that provides `const` access to connection socket reference. --- **Commit Message:** network: add additional methods on connection management interface **Additional Description:** Adds new virtual methods to the `Network::Connection` interface to support socket ownership transfer which we need for the incoming reverse connections feature. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- envoy/network/connection.h | 2 +- source/common/network/connection_impl.cc | 15 ++++++--------- source/common/network/connection_impl.h | 2 +- test/mocks/network/connection.h | 4 +--- test/server/api_listener_test.cc | 4 ++++ 5 files changed, 13 insertions(+), 14 deletions(-) diff --git a/envoy/network/connection.h b/envoy/network/connection.h index 4ddac0f5be5a5..c8a2593ec8ade 100644 --- a/envoy/network/connection.h +++ b/envoy/network/connection.h @@ -343,7 +343,7 @@ class Connection : public Event::DeferredDeletable, virtual bool aboveHighWatermark() const PURE; /** - * @return ConnectionSocketPtr& To get socket from current connection. + * @return const ConnectionSocketPtr& reference to the socket from current connection. */ virtual const ConnectionSocketPtr& getSocket() const PURE; diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc index 870305c4674cc..31da05c565c21 100644 --- a/source/common/network/connection_impl.cc +++ b/source/common/network/connection_impl.cc @@ -120,7 +120,7 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt } ConnectionImpl::~ConnectionImpl() { - ASSERT((socket_ == nullptr || !socket_->isOpen()) && delayed_close_timer_ == nullptr, + ASSERT(!socket_->isOpen() && delayed_close_timer_ == nullptr, "ConnectionImpl destroyed with open socket and/or active timer"); // In general we assume that owning code has called close() previously to the destructor being @@ -148,8 +148,8 @@ bool ConnectionImpl::initializeReadFilters() { return filter_manager_.initialize void ConnectionImpl::close(ConnectionCloseType type) { if (!socket_->isOpen()) { - ENVOY_CONN_LOG_EVENT(debug, "connection_closing", - "Not closing conn, socket object is null or socket is not open", *this); + ENVOY_CONN_LOG_EVENT(debug, "connection_closing", "Not closing conn, socket is not open", + *this); return; } @@ -288,7 +288,7 @@ void ConnectionImpl::setDetectedCloseType(DetectedCloseType close_type) { } void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_action) { - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { return; } @@ -303,11 +303,8 @@ void ConnectionImpl::closeThroughFilterManager(ConnectionCloseAction close_actio } void ConnectionImpl::closeSocket(ConnectionEvent close_type) { - ENVOY_CONN_LOG(trace, "closeSocket called, socket_={}, socket_isOpen={}", *this, - socket_ ? "not_null" : "null", socket_ ? socket_->isOpen() : false); - if (!socket_->isOpen()) { - ENVOY_CONN_LOG(trace, "closeSocket: socket is null or not open, returning", *this); + ENVOY_CONN_LOG(trace, "closeSocket: socket is not open, returning", *this); return; } @@ -893,7 +890,7 @@ void ConnectionImpl::onWriteReady() { } // If a callback closes the socket, stop iterating. - if (socket_ == nullptr || !socket_->isOpen()) { + if (!socket_->isOpen()) { return; } } diff --git a/source/common/network/connection_impl.h b/source/common/network/connection_impl.h index 10b5cbdfafcd8..d995f5b076301 100644 --- a/source/common/network/connection_impl.h +++ b/source/common/network/connection_impl.h @@ -93,7 +93,7 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback absl::optional unixSocketPeerCredentials() const override; Ssl::ConnectionInfoConstSharedPtr ssl() const override { // SSL info may be overwritten by a filter in the provider. - return (socket_ != nullptr) ? socket_->connectionInfoProvider().sslConnection() : nullptr; + return socket_->connectionInfoProvider().sslConnection(); } State state() const override; bool connecting() const override { diff --git a/test/mocks/network/connection.h b/test/mocks/network/connection.h index 59bf4be7d5af8..0ae16ae6c83e7 100644 --- a/test/mocks/network/connection.h +++ b/test/mocks/network/connection.h @@ -85,9 +85,7 @@ class MockConnectionBase { MOCK_METHOD(void, setBufferLimits, (uint32_t limit)); \ MOCK_METHOD(uint32_t, bufferLimit, (), (const)); \ MOCK_METHOD(bool, aboveHighWatermark, (), (const)); \ - MOCK_METHOD(Network::ConnectionSocketPtr&, getSocket, (), (const)); \ - MOCK_METHOD(void, setSocketReused, (bool value)); \ - MOCK_METHOD(bool, isSocketReused, ()); \ + MOCK_METHOD(const ConnectionSocketPtr&, getSocket, (), (const)); \ MOCK_METHOD(const Network::ConnectionSocket::OptionsSharedPtr&, socketOptions, (), (const)); \ MOCK_METHOD(StreamInfo::StreamInfo&, streamInfo, ()); \ MOCK_METHOD(const StreamInfo::StreamInfo&, streamInfo, (), (const)); \ diff --git a/test/server/api_listener_test.cc b/test/server/api_listener_test.cc index 742018f5a9b65..a8abed8aab79b 100644 --- a/test/server/api_listener_test.cc +++ b/test/server/api_listener_test.cc @@ -6,6 +6,7 @@ #include "source/extensions/api_listeners/default_api_listener/api_listener_impl.h" +#include "test/mocks/http/stream_encoder.h" #include "test/mocks/network/mocks.h" #include "test/mocks/server/instance.h" #include "test/mocks/server/listener_component_factory.h" @@ -238,6 +239,9 @@ name: test_api_listener EXPECT_ENVOY_BUG(connection.enableHalfClose(true), "Unexpected function call"); EXPECT_ENVOY_BUG(connection.isHalfCloseEnabled(), "Unexpected function call"); + + // Validate methods updated in SyntheticConnection. + EXPECT_DEATH(connection.getSocket(), "not implemented"); } // Exercise SyntheticReadCallbacks unimplemented methods and PANIC behavior for socket(). From 60b8933c17b15badbbafcf2c3c8edcf2f121dbcc Mon Sep 17 00:00:00 2001 From: Ryan Hamilton Date: Thu, 11 Sep 2025 10:00:56 -0700 Subject: [PATCH 387/505] quic: Clarify that EnvoyQuicServerConnection never owns the passed-in Writer (#41040) Clarify that EnvoyQuicServerConnection never owns the passed-in Writer and simplify the constructor and `wrapWriter` method accordingly. Risk Level: none Testing: existing Docs Changes: none Release Notes: none --------- Signed-off-by: Ryan Hamilton --- source/common/quic/envoy_quic_dispatcher.cc | 4 ++-- source/common/quic/envoy_quic_server_connection.cc | 13 ++++--------- source/common/quic/envoy_quic_server_connection.h | 3 ++- test/common/quic/envoy_quic_h3_fuzz_test.cc | 2 +- test/common/quic/test_utils.h | 12 ++++++------ 5 files changed, 15 insertions(+), 19 deletions(-) diff --git a/source/common/quic/envoy_quic_dispatcher.cc b/source/common/quic/envoy_quic_dispatcher.cc index 80b85f384d759..0bf1378758797 100644 --- a/source/common/quic/envoy_quic_dispatcher.cc +++ b/source/common/quic/envoy_quic_dispatcher.cc @@ -124,8 +124,8 @@ std::unique_ptr EnvoyQuicDispatcher::CreateQuicSession( auto quic_connection = std::make_unique( server_connection_id, self_address, peer_address, *helper(), *alarm_factory(), writer(), - /*owns_writer=*/false, quic::ParsedQuicVersionVector{version}, std::move(connection_socket), - connection_id_generator, std::move(listener_filter_manager)); + quic::ParsedQuicVersionVector{version}, std::move(connection_socket), connection_id_generator, + std::move(listener_filter_manager)); auto quic_session = std::make_unique( quic_config, quic::ParsedQuicVersionVector{version}, std::move(quic_connection), this, session_helper(), crypto_config(), compressed_certs_cache(), dispatcher_, diff --git a/source/common/quic/envoy_quic_server_connection.cc b/source/common/quic/envoy_quic_server_connection.cc index 4829da12211dd..773be68edad3d 100644 --- a/source/common/quic/envoy_quic_server_connection.cc +++ b/source/common/quic/envoy_quic_server_connection.cc @@ -14,14 +14,10 @@ namespace Quic { namespace { std::unique_ptr -wrapWriter(quic::QuicPacketWriter* writer, bool owns_writer, +wrapWriter(quic::QuicPacketWriter* writer, quic::QuicPacketWriterWrapper::OnWriteDoneCallback on_write_done) { auto wrapper = std::make_unique(); - if (owns_writer) { - wrapper->set_writer(writer); - } else { - wrapper->set_non_owning_writer(writer); - } + wrapper->set_non_owning_writer(writer); wrapper->set_on_write_done(std::move(on_write_done)); return wrapper; } @@ -31,14 +27,13 @@ EnvoyQuicServerConnection::EnvoyQuicServerConnection( const quic::QuicConnectionId& server_connection_id, quic::QuicSocketAddress initial_self_address, quic::QuicSocketAddress initial_peer_address, quic::QuicConnectionHelperInterface& helper, quic::QuicAlarmFactory& alarm_factory, - quic::QuicPacketWriter* writer, bool owns_writer, - const quic::ParsedQuicVersionVector& supported_versions, + quic::QuicPacketWriter* writer, const quic::ParsedQuicVersionVector& supported_versions, Network::ConnectionSocketPtr connection_socket, quic::ConnectionIdGeneratorInterface& generator, std::unique_ptr listener_filter_manager) : quic::QuicConnection( server_connection_id, initial_self_address, initial_peer_address, &helper, &alarm_factory, // Wrap the packet writer to get notified when a packet is written. - wrapWriter(writer, owns_writer, + wrapWriter(writer, [this](size_t packet_size, const quic::WriteResult& result) { OnWritePacketDone(packet_size, result); }) diff --git a/source/common/quic/envoy_quic_server_connection.h b/source/common/quic/envoy_quic_server_connection.h index 84ba859eecff2..f8fc79b39f38e 100644 --- a/source/common/quic/envoy_quic_server_connection.h +++ b/source/common/quic/envoy_quic_server_connection.h @@ -132,12 +132,13 @@ class QuicListenerFilterManagerImpl : public Network::QuicListenerFilterManager, class EnvoyQuicServerConnection : public quic::QuicConnection, public QuicNetworkConnection { public: + // Creates a new `EnvoyQuicServerConnection`. `writer` is owned by the caller and must + // outlive the connection. EnvoyQuicServerConnection(const quic::QuicConnectionId& server_connection_id, quic::QuicSocketAddress initial_self_address, quic::QuicSocketAddress initial_peer_address, quic::QuicConnectionHelperInterface& helper, quic::QuicAlarmFactory& alarm_factory, quic::QuicPacketWriter* writer, - bool owns_writer, const quic::ParsedQuicVersionVector& supported_versions, Network::ConnectionSocketPtr connection_socket, quic::ConnectionIdGeneratorInterface& generator, diff --git a/test/common/quic/envoy_quic_h3_fuzz_test.cc b/test/common/quic/envoy_quic_h3_fuzz_test.cc index 61e395327ae72..1133ef7d32e7e 100644 --- a/test/common/quic/envoy_quic_h3_fuzz_test.cc +++ b/test/common/quic/envoy_quic_h3_fuzz_test.cc @@ -139,7 +139,7 @@ struct Harness { auto connection_socket = Quic::createConnectionSocket(peer_addr_, self_addr_, nullptr); auto connection = std::make_unique( quic::test::TestConnectionId(), srv_addr_, cli_addr_, *connection_helper_, *alarm_factory_, - &writer_, false, quic::ParsedQuicVersionVector{quic_version_}, std::move(connection_socket), + &writer_, quic::ParsedQuicVersionVector{quic_version_}, std::move(connection_socket), generator_, nullptr); auto decrypter = std::make_unique(quic::Perspective::IS_SERVER); diff --git a/test/common/quic/test_utils.h b/test/common/quic/test_utils.h index 69a2d7bca49b2..e60d922788a11 100644 --- a/test/common/quic/test_utils.h +++ b/test/common/quic/test_utils.h @@ -48,12 +48,12 @@ class MockEnvoyQuicServerConnection : public EnvoyQuicServerConnection { quic::QuicPacketWriter& writer, quic::QuicSocketAddress self_address, quic::QuicSocketAddress peer_address, const quic::ParsedQuicVersionVector& supported_versions, Network::Socket& listen_socket, quic::ConnectionIdGeneratorInterface& generator) - : EnvoyQuicServerConnection( - quic::test::TestConnectionId(), self_address, peer_address, helper, alarm_factory, - &writer, /*owns_writer=*/false, supported_versions, - createServerConnectionSocket(listen_socket.ioHandle(), self_address, peer_address, - "example.com", "h3-29"), - generator, nullptr) {} + : EnvoyQuicServerConnection(quic::test::TestConnectionId(), self_address, peer_address, + helper, alarm_factory, &writer, supported_versions, + createServerConnectionSocket(listen_socket.ioHandle(), + self_address, peer_address, + "example.com", "h3-29"), + generator, nullptr) {} Network::Connection::ConnectionStats& connectionStats() const { return QuicNetworkConnection::connectionStats(); From c2974780882754e7ad0b37ffd06f52b4a54f8f78 Mon Sep 17 00:00:00 2001 From: Dan McArdle Date: Thu, 11 Sep 2025 13:01:47 -0400 Subject: [PATCH 388/505] quic: IWYU in envoy_quic_utils.cc (#41042) Commit Message: quic: IWYU in envoy_quic_utils.cc Additional Description: Risk Level: Low Testing: Does it compile? Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Dan McArdle --- source/common/quic/envoy_quic_utils.cc | 43 +++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 4 deletions(-) diff --git a/source/common/quic/envoy_quic_utils.cc b/source/common/quic/envoy_quic_utils.cc index a5af7ac94bd6a..be01dd7d65032 100644 --- a/source/common/quic/envoy_quic_utils.cc +++ b/source/common/quic/envoy_quic_utils.cc @@ -1,18 +1,53 @@ #include "source/common/quic/envoy_quic_utils.h" +#include +#include +#include +#include #include +#include -#include "envoy/common/platform.h" -#include "envoy/config/core/v3/base.pb.h" +#include "envoy/api/os_sys_calls_common.h" +#include "envoy/http/header_map.h" +#include "envoy/http/stream_reset_handler.h" +#include "envoy/network/address.h" +#include "envoy/network/io_handle.h" +#include "envoy/network/listen_socket.h" +#include "envoy/network/socket.h" +#include "envoy/network/socket_interface.h" #include "source/common/api/os_sys_calls_impl.h" -#include "source/common/http/utility.h" +#include "source/common/common/assert.h" +#include "source/common/common/logger.h" +#include "source/common/common/utility.h" +#include "source/common/http/http_option_limits.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/connection_socket_impl.h" #include "source/common/network/socket_option_factory.h" -#include "source/common/network/utility.h" #include "source/common/protobuf/utility.h" +#include "source/common/quic/quic_io_handle_wrapper.h" #include "source/common/runtime/runtime_features.h" +#include "absl/numeric/int128.h" +#include "absl/strings/str_cat.h" +#include "absl/strings/string_view.h" #include "openssl/crypto.h" +#include "openssl/ec.h" +#include "openssl/ec_key.h" +#include "openssl/evp.h" +#include "openssl/nid.h" +#include "openssl/rsa.h" +#include "openssl/ssl.h" +#include "openssl/x509.h" +#include "quiche/common/http/http_header_block.h" +#include "quiche/common/quiche_ip_address_family.h" +#include "quiche/quic/core/quic_config.h" +#include "quiche/quic/core/quic_constants.h" +#include "quiche/quic/core/quic_error_codes.h" +#include "quiche/quic/core/quic_tag.h" +#include "quiche/quic/core/quic_time.h" +#include "quiche/quic/core/quic_types.h" +#include "quiche/quic/platform/api/quic_socket_address.h" namespace Envoy { namespace Quic { From 51a47f6f82fa6177d78c1b0da029eb01f8de666f Mon Sep 17 00:00:00 2001 From: Kuat Date: Thu, 11 Sep 2025 12:12:31 -0700 Subject: [PATCH 389/505] stats: allow changing nbins in circllhist (#40991) Change-Id: I84058d188f172b636c5c864fb387395d3f443663 Commit Message: Allow changing default bin sizes for histograms. The underlying library pre-allocates fixed bucket bins for every time series, which makes Envoy pre-allocate `NBIN * 2 * NCPU * 10` bytes per time series, which amounts to 128 KB on 64 cores. Decreasing `NBIN` would be helpful for sparse time series but incurs additional `malloc`. The library grows the bins by increments of 100. This is the default memory layout: ```c struct histogram { uint16_t allocd; //!< number of allocated bv pairs ... struct hist_bv_pair *bvs; //!< pointer to bv-pairs }; struct hist_bv_pair { hist_bucket_t bucket; uint64_t count; }__attribute__((packed)); typedef struct hist_bucket { int8_t val; //!< value * 10 int8_t exp; //!< exponent -128 .. 127 } hist_bucket_t; ``` Risk Level: low Testing: added, but hard to validate since there's no public accessor in the library Docs Changes: not sure if needed Release Notes: not sure if needed --------- Signed-off-by: Kuat Yessenov --- api/envoy/config/metrics/v3/stats.proto | 4 +++- envoy/stats/histogram.h | 7 +++++++ source/common/stats/BUILD | 1 + source/common/stats/histogram_impl.cc | 19 ++++++++++++++++--- source/common/stats/histogram_impl.h | 7 ++++++- source/common/stats/thread_local_store.cc | 22 +++++++++++++--------- source/common/stats/thread_local_store.h | 14 +++++++++----- test/common/stats/histogram_impl_test.cc | 12 ++++++++++++ test/server/admin/stats_handler_test.cc | 10 +++++++--- 9 files changed, 74 insertions(+), 22 deletions(-) diff --git a/api/envoy/config/metrics/v3/stats.proto b/api/envoy/config/metrics/v3/stats.proto index e7d7f80d648ad..02bb23aec9d38 100644 --- a/api/envoy/config/metrics/v3/stats.proto +++ b/api/envoy/config/metrics/v3/stats.proto @@ -298,10 +298,12 @@ message HistogramBucketSettings { // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique. // The order of the buckets does not matter. repeated double buckets = 2 [(validate.rules).repeated = { - min_items: 1 unique: true items {double {gt: 0.0}} }]; + + // Initial number of bins for the ``circllhist`` thread local histogram per time series. Default value is 100. + google.protobuf.UInt32Value bins = 3 [(validate.rules).uint32 = {lte: 46082 gt: 0}]; } // Stats configuration proto schema for built-in ``envoy.stat_sinks.statsd`` sink. This sink does not support diff --git a/envoy/stats/histogram.h b/envoy/stats/histogram.h index 227ae3c01993d..d6c6a9a61f699 100644 --- a/envoy/stats/histogram.h +++ b/envoy/stats/histogram.h @@ -24,6 +24,13 @@ class HistogramSettings { * @return The buckets for the histogram. Each value is an upper bound of a bucket. */ virtual ConstSupportedBuckets& buckets(absl::string_view stat_name) const PURE; + + /** + * Number of bins to pre-allocate per each thread instance (times 2 for active/passive + * version of the histogram). + * @return An optional override for the number of bins. + */ + virtual absl::optional bins(absl::string_view stat_name) const PURE; }; using HistogramSettingsConstPtr = std::unique_ptr; diff --git a/source/common/stats/BUILD b/source/common/stats/BUILD index 4e01a6e00729a..a05645dca61d9 100644 --- a/source/common/stats/BUILD +++ b/source/common/stats/BUILD @@ -60,6 +60,7 @@ envoy_cc_library( "//source/common/common:hash_lib", "//source/common/common:matchers_lib", "//source/common/common:utility_lib", + "//source/common/protobuf:utility_lib", "@com_github_openhistogram_libcircllhist//:libcircllhist", "@envoy_api//envoy/config/metrics/v3:pkg_cc_proto", ], diff --git a/source/common/stats/histogram_impl.cc b/source/common/stats/histogram_impl.cc index 4f9adc9a459f0..1ef1d02d1b783 100644 --- a/source/common/stats/histogram_impl.cc +++ b/source/common/stats/histogram_impl.cc @@ -4,6 +4,7 @@ #include #include "source/common/common/utility.h" +#include "source/common/protobuf/utility.h" #include "absl/strings/str_join.h" @@ -107,7 +108,10 @@ HistogramSettingsImpl::HistogramSettingsImpl(const envoy::config::metrics::v3::S std::vector buckets{matcher.buckets().begin(), matcher.buckets().end()}; std::sort(buckets.begin(), buckets.end()); configs.emplace_back(Matchers::StringMatcherImpl(matcher.match(), context), - std::move(buckets)); + buckets.empty() + ? absl::nullopt + : absl::make_optional(std::move(buckets)), + PROTOBUF_GET_OPTIONAL_WRAPPED(matcher, bins)); } return configs; @@ -115,13 +119,22 @@ HistogramSettingsImpl::HistogramSettingsImpl(const envoy::config::metrics::v3::S const ConstSupportedBuckets& HistogramSettingsImpl::buckets(absl::string_view stat_name) const { for (const auto& config : configs_) { - if (config.first.match(stat_name)) { - return config.second; + if (config.matcher_.match(stat_name) && config.buckets_.has_value()) { + return config.buckets_.value(); } } return defaultBuckets(); } +absl::optional HistogramSettingsImpl::bins(absl::string_view stat_name) const { + for (const auto& config : configs_) { + if (config.matcher_.match(stat_name) && config.bins_.has_value()) { + return config.bins_; + } + } + return {}; +} + const ConstSupportedBuckets& HistogramSettingsImpl::defaultBuckets() { CONSTRUCT_ON_FIRST_USE(ConstSupportedBuckets, {0.5, 1, 5, 10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10000, 30000, diff --git a/source/common/stats/histogram_impl.h b/source/common/stats/histogram_impl.h index 80718294b7856..26441b09a073d 100644 --- a/source/common/stats/histogram_impl.h +++ b/source/common/stats/histogram_impl.h @@ -25,11 +25,16 @@ class HistogramSettingsImpl : public HistogramSettings { // HistogramSettings const ConstSupportedBuckets& buckets(absl::string_view stat_name) const override; + absl::optional bins(absl::string_view stat_name) const override; static ConstSupportedBuckets& defaultBuckets(); private: - using Config = std::pair; + struct Config { + Matchers::StringMatcherImpl matcher_; + absl::optional buckets_; + absl::optional bins_; + }; const std::vector configs_{}; }; diff --git a/source/common/stats/thread_local_store.cc b/source/common/stats/thread_local_store.cc index 3917111c9a866..d2a419999e7bf 100644 --- a/source/common/stats/thread_local_store.cc +++ b/source/common/stats/thread_local_store.cc @@ -675,7 +675,9 @@ Histogram& ThreadLocalStoreImpl::ScopeImpl::histogramFromStatNameWithTags( StatNameTagHelper tag_helper(parent_, joiner.tagExtractedName(), stat_name_tags); ConstSupportedBuckets* buckets = nullptr; - buckets = &parent_.histogram_settings_->buckets(symbolTable().toString(final_stat_name)); + const auto string_stat_name = symbolTable().toString(final_stat_name); + buckets = &parent_.histogram_settings_->buckets(string_stat_name); + const auto bins = parent_.histogram_settings_->bins(string_stat_name); RefcountPtr stat; { @@ -686,7 +688,7 @@ Histogram& ThreadLocalStoreImpl::ScopeImpl::histogramFromStatNameWithTags( } else { stat = new ParentHistogramImpl(final_stat_name, unit, parent_, tag_helper.tagExtractedName(), tag_helper.statNameTags(), - *buckets, parent_.next_histogram_id_++); + *buckets, bins, parent_.next_histogram_id_++); if (!parent_.shutting_down_) { parent_.histogram_set_.insert(stat.get()); if (parent_.sink_predicates_.has_value() && @@ -793,7 +795,7 @@ Histogram& ThreadLocalStoreImpl::tlsHistogram(ParentHistogramImpl& parent, uint6 TlsHistogramSharedPtr hist_tls_ptr( new ThreadLocalHistogramImpl(parent.statName(), parent.unit(), tag_helper.tagExtractedName(), - tag_helper.statNameTags(), symbolTable())); + tag_helper.statNameTags(), symbolTable(), parent.bins())); parent.addTlsHistogram(hist_tls_ptr); @@ -807,11 +809,12 @@ Histogram& ThreadLocalStoreImpl::tlsHistogram(ParentHistogramImpl& parent, uint6 ThreadLocalHistogramImpl::ThreadLocalHistogramImpl(StatName name, Histogram::Unit unit, StatName tag_extracted_name, const StatNameTagVector& stat_name_tags, - SymbolTable& symbol_table) + SymbolTable& symbol_table, + absl::optional bins) : HistogramImplHelper(name, tag_extracted_name, stat_name_tags, symbol_table), unit_(unit), used_(false), created_thread_id_(std::this_thread::get_id()), symbol_table_(symbol_table) { - histograms_[0] = hist_alloc(); - histograms_[1] = hist_alloc(); + histograms_[0] = bins ? hist_alloc_nbins(bins.value()) : hist_alloc(); + histograms_[1] = bins ? hist_alloc_nbins(bins.value()) : hist_alloc(); } ThreadLocalHistogramImpl::~ThreadLocalHistogramImpl() { @@ -836,10 +839,11 @@ ParentHistogramImpl::ParentHistogramImpl(StatName name, Histogram::Unit unit, ThreadLocalStoreImpl& thread_local_store, StatName tag_extracted_name, const StatNameTagVector& stat_name_tags, - ConstSupportedBuckets& supported_buckets, uint64_t id) + ConstSupportedBuckets& supported_buckets, + absl::optional bins, uint64_t id) : MetricImpl(name, tag_extracted_name, stat_name_tags, thread_local_store.symbolTable()), - unit_(unit), thread_local_store_(thread_local_store), interval_histogram_(hist_alloc()), - cumulative_histogram_(hist_alloc()), + unit_(unit), bins_(bins), thread_local_store_(thread_local_store), + interval_histogram_(hist_alloc()), cumulative_histogram_(hist_alloc()), interval_statistics_(interval_histogram_, unit, supported_buckets), cumulative_statistics_(cumulative_histogram_, unit, supported_buckets), id_(id) {} diff --git a/source/common/stats/thread_local_store.h b/source/common/stats/thread_local_store.h index 8a598b82713ce..58316781d4a11 100644 --- a/source/common/stats/thread_local_store.h +++ b/source/common/stats/thread_local_store.h @@ -34,7 +34,8 @@ namespace Stats { class ThreadLocalHistogramImpl : public HistogramImplHelper { public: ThreadLocalHistogramImpl(StatName name, Histogram::Unit unit, StatName tag_extracted_name, - const StatNameTagVector& stat_name_tags, SymbolTable& symbol_table); + const StatNameTagVector& stat_name_tags, SymbolTable& symbol_table, + absl::optional bins); ~ThreadLocalHistogramImpl() override; void merge(histogram_t* target); @@ -64,12 +65,12 @@ class ThreadLocalHistogramImpl : public HistogramImplHelper { bool hidden() const override { return false; } private: - Histogram::Unit unit_; + const Histogram::Unit unit_; uint64_t otherHistogramIndex() const { return 1 - current_active_; } uint64_t current_active_{0}; histogram_t* histograms_[2]; std::atomic used_; - std::thread::id created_thread_id_; + const std::thread::id created_thread_id_; SymbolTable& symbol_table_; }; @@ -84,7 +85,8 @@ class ParentHistogramImpl : public MetricImpl { public: ParentHistogramImpl(StatName name, Histogram::Unit unit, ThreadLocalStoreImpl& parent, StatName tag_extracted_name, const StatNameTagVector& stat_name_tags, - ConstSupportedBuckets& supported_buckets, uint64_t id); + ConstSupportedBuckets& supported_buckets, absl::optional bins, + uint64_t id); ~ParentHistogramImpl() override; void addTlsHistogram(const TlsHistogramSharedPtr& hist_ptr); @@ -128,13 +130,15 @@ class ParentHistogramImpl : public MetricImpl { // Indicates that the ThreadLocalStore is shutting down, so no need to clear its histogram_set_. void setShuttingDown(bool shutting_down) { shutting_down_ = shutting_down; } bool shuttingDown() const { return shutting_down_; } + absl::optional bins() const { return bins_; } private: bool usedLockHeld() const ABSL_EXCLUSIVE_LOCKS_REQUIRED(merge_lock_); static std::vector detailedlBucketsHelper(const histogram_t& histogram); - Histogram::Unit unit_; + const Histogram::Unit unit_; + const absl::optional bins_; ThreadLocalStoreImpl& thread_local_store_; histogram_t* interval_histogram_; histogram_t* cumulative_histogram_; diff --git a/test/common/stats/histogram_impl_test.cc b/test/common/stats/histogram_impl_test.cc index 3e00f70d9f951..867863efeb041 100644 --- a/test/common/stats/histogram_impl_test.cc +++ b/test/common/stats/histogram_impl_test.cc @@ -55,6 +55,12 @@ TEST_F(HistogramSettingsImplTest, Sorted) { // Test that only matching configurations are applied. TEST_F(HistogramSettingsImplTest, Matching) { + { + envoy::config::metrics::v3::HistogramBucketSettings setting; + setting.mutable_match()->set_prefix("a"); + setting.mutable_bins()->set_value(5); + buckets_configs_.push_back(setting); + } { envoy::config::metrics::v3::HistogramBucketSettings setting; setting.mutable_match()->set_prefix("a"); @@ -74,6 +80,8 @@ TEST_F(HistogramSettingsImplTest, Matching) { initialize(); EXPECT_EQ(settings_->buckets("abcd"), ConstSupportedBuckets({1, 2})); EXPECT_EQ(settings_->buckets("bcde"), ConstSupportedBuckets({3, 4})); + EXPECT_EQ(settings_->bins("ab"), 5); + EXPECT_EQ(settings_->bins("ba"), absl::nullopt); } // Test that earlier configs take precedence over later configs when both match. @@ -83,6 +91,7 @@ TEST_F(HistogramSettingsImplTest, Priority) { setting.mutable_match()->set_prefix("a"); setting.mutable_buckets()->Add(1); setting.mutable_buckets()->Add(2); + setting.mutable_bins()->set_value(1); buckets_configs_.push_back(setting); } @@ -91,10 +100,13 @@ TEST_F(HistogramSettingsImplTest, Priority) { setting.mutable_match()->set_prefix("ab"); setting.mutable_buckets()->Add(3); setting.mutable_buckets()->Add(4); + setting.mutable_bins()->set_value(2); + buckets_configs_.push_back(setting); } initialize(); EXPECT_EQ(settings_->buckets("abcd"), ConstSupportedBuckets({1, 2})); + EXPECT_EQ(settings_->bins("abcd"), 1); } TEST_F(HistogramSettingsImplTest, ScaledPercent) { diff --git a/test/server/admin/stats_handler_test.cc b/test/server/admin/stats_handler_test.cc index 5383c3d54b943..176f43ce9e57a 100644 --- a/test/server/admin/stats_handler_test.cc +++ b/test/server/admin/stats_handler_test.cc @@ -43,13 +43,17 @@ class StatsHandlerTest { } // Set buckets for tests. - void setHistogramBucketSettings(const std::string& prefix, const std::vector& buckets) { + void setHistogramBucketSettings(const std::string& prefix, const std::vector& buckets, + absl::optional bins) { envoy::config::metrics::v3::StatsConfig config; auto& bucket_settings = *config.mutable_histogram_bucket_settings(); envoy::config::metrics::v3::HistogramBucketSettings setting; setting.mutable_match()->set_prefix(prefix); setting.mutable_buckets()->Add(buckets.begin(), buckets.end()); + if (bins) { + setting.mutable_bins()->set_value(*bins); + } bucket_settings.Add(std::move(setting)); store_->setHistogramSettings(std::make_unique(config, context_)); @@ -332,7 +336,7 @@ TEST_F(AdminStatsTest, HandlerStatsJsonNoHistograms) { TEST_F(AdminStatsFilterTest, HandlerStatsJsonHistogramBucketsCumulative) { const std::string url = "/stats?histogram_buckets=cumulative&format=json"; // Set h as prefix to match both histograms. - setHistogramBucketSettings("h", {1, 2, 3, 4}); + setHistogramBucketSettings("h", {1, 2, 3, 4}, {}); Stats::Counter& c1 = store_->counterFromString("c1"); @@ -488,7 +492,7 @@ TEST_F(AdminStatsFilterTest, HandlerStatsHiddenInvalid) { TEST_F(AdminStatsFilterTest, HandlerStatsJsonHistogramBucketsDisjoint) { const std::string url = "/stats?histogram_buckets=disjoint&format=json"; // Set h as prefix to match both histograms. - setHistogramBucketSettings("h", {1, 2, 3, 4}); + setHistogramBucketSettings("h", {1, 2, 3, 4}, 1); Stats::Counter& c1 = store_->counterFromString("c1"); From d470caf94ef97d59b61502800f93087110c62a89 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Thu, 11 Sep 2025 20:30:16 -0400 Subject: [PATCH 390/505] odcds: add a test that ODCDS with EDS using xds-federation works (#41041) Commit Message: odcds: add a test that ODCDS with EDS using xds-federation works Signed-off-by: Adi Suissa-Peleg --- .../http/on_demand/odcds_integration_test.cc | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/test/extensions/filters/http/on_demand/odcds_integration_test.cc b/test/extensions/filters/http/on_demand/odcds_integration_test.cc index 75c432a5af91e..c289f97770f11 100644 --- a/test/extensions/filters/http/on_demand/odcds_integration_test.cc +++ b/test/extensions/filters/http/on_demand/odcds_integration_test.cc @@ -747,6 +747,13 @@ class OdCdsXdstpIntegrationTest : public XdsTpConfigsIntegration { return builder.listener(); } + envoy::config::endpoint::v3::ClusterLoadAssignment + buildClusterLoadAssignment(const std::string& name, size_t upstream_idx) { + return ConfigHelper::buildClusterLoadAssignment( + name, Network::Test::getLoopbackAddressString(ipVersion()), + fake_upstreams_[upstream_idx]->localAddress()->ip()->port()); + } + bool compareRequest(const std::string& type_url, const std::vector& expected_resource_subscriptions, const std::vector& expected_resource_unsubscriptions, @@ -919,6 +926,72 @@ TEST_P(OdCdsXdstpIntegrationTest, OnDemandClusterDiscoveryAsksForNonexistentClus cleanupUpstreamAndDownstream(); } +// tests a scenario when: +// - making a request to an unknown cluster +// - odcds initiates a connection with a request for the cluster +// - a response contains an EDS cluster +// - an EDS request is sent to the same authority +// - an EDS response is received +// - request is resumed +TEST_P(OdCdsXdstpIntegrationTest, OnDemandCdsWithEds) { + initialize(); + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + const std::string cds_cluster_name = + "xdstp://authority1.com/envoy.config.cluster.v3.Cluster/on_demand_clusters/" + "new_cluster_with_eds"; + const std::string eds_service_name = + "xdstp://authority1.com/envoy.config.endpoint.v3.ClusterLoadAssignment/on_demand_clusters/" + "new_cluster_with_eds"; + + envoy::config::cluster::v3::Cluster new_cluster_with_eds; + new_cluster_with_eds.set_name(cds_cluster_name); + new_cluster_with_eds.set_type(envoy::config::cluster::v3::Cluster::EDS); + auto* eds_cluster_config = new_cluster_with_eds.mutable_eds_cluster_config(); + eds_cluster_config->set_service_name(eds_service_name); + ConfigHelper::setHttp2(new_cluster_with_eds); + + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", cds_cluster_name}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Authority1 should receive the ODCDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().Cluster, "", {cds_cluster_name}, {cds_cluster_name}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster_with_eds}, {new_cluster_with_eds}, {}, "1", + {}, authority1_xds_stream_.get()); + // After the CDS response, Envoy will send an EDS request for the new cluster. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().ClusterLoadAssignment, "", {eds_service_name}, {eds_service_name}, + {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse( + Config::TestTypeUrl::get().ClusterLoadAssignment, + {buildClusterLoadAssignment(eds_service_name, new_cluster_upstream_idx_)}, + {buildClusterLoadAssignment(eds_service_name, new_cluster_upstream_idx_)}, {}, "2", {}, + authority1_xds_stream_.get()); + // Now, Envoy should ACK the original CDS response. + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {cds_cluster_name}, + {}, {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", + authority1_xds_stream_.get())); + // And finally, Envoy should ACK the EDS response. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().ClusterLoadAssignment, "2", {eds_service_name}, {}, {}, false, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + // Send response headers, and end_stream if there is no response body. + upstream_request_->encodeHeaders(default_response_headers_, true); + + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + cleanupUpstreamAndDownstream(); +} + class OdCdsScopedRdsIntegrationTestBase : public ScopedRdsIntegrationTest { public: void addOnDemandConfig(OdCdsIntegrationHelper::OnDemandConfig config) { From dc3083158f45338335fa7e619fc9c93cde483596 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 12 Sep 2025 01:10:30 -0400 Subject: [PATCH 391/505] deps: Update absl to 20250814.0 (#41050) Risk Level: low Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- bazel/abseil.patch | 2 +- bazel/repository_locations.bzl | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bazel/abseil.patch b/bazel/abseil.patch index ce228f90ba832..5650f4d13a2a8 100644 --- a/bazel/abseil.patch +++ b/bazel/abseil.patch @@ -21,7 +21,7 @@ index 88949fe9740..a4d47a7ee65 100644 + "absl/debugging/internal/stacktrace_unimplemented-inl.inc" #elif defined(__ANDROID__) && __ANDROID_API__ >= 33 - + #ifdef ABSL_HAVE_THREAD_LOCAL diff --git a/absl/debugging/symbolize.cc b/absl/debugging/symbolize.cc index 344436f9d10..6f8088d1d08 100644 --- a/absl/debugging/symbolize.cc diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 5210b04d70ee7..95979e4647268 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -190,12 +190,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Abseil", project_desc = "Open source collection of C++ libraries drawn from the most fundamental pieces of Google’s internal codebase", project_url = "https://abseil.io/", - version = "20250512.1", - sha256 = "9b7a064305e9fd94d124ffa6cc358592eb42b5da588fb4e07d09254aa40086db", + version = "20250814.0", + sha256 = "9b2b72d4e8367c0b843fa2bcfa2b08debbe3cee34f7aaa27de55a6cbb3e843db", strip_prefix = "abseil-cpp-{version}", urls = ["https://github.com/abseil/abseil-cpp/archive/{version}.tar.gz"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-06-17", + release_date = "2025-08-14", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/abseil/abseil-cpp/blob/{version}/LICENSE", From 197038e68e83949e1a6668c0e8415cd946342062 Mon Sep 17 00:00:00 2001 From: StarryNight Date: Fri, 12 Sep 2025 17:34:10 +0800 Subject: [PATCH 392/505] generic proxy add upstream span error tag (#40970) Commit Message: generic proxy add upstream span error tag Additional Description: N/A Risk Level: low Testing: ut Docs Changes: N/A Release Notes: N/A Signed-off-by: wangkai19 --- .../network/generic_proxy/router/router.cc | 7 +++++ .../network/generic_proxy/fake_codec.h | 2 ++ .../generic_proxy/router/router_test.cc | 29 +++++++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/source/extensions/filters/network/generic_proxy/router/router.cc b/source/extensions/filters/network/generic_proxy/router/router.cc index 6c47f13205d60..396def6c3770e 100644 --- a/source/extensions/filters/network/generic_proxy/router/router.cc +++ b/source/extensions/filters/network/generic_proxy/router/router.cc @@ -241,6 +241,13 @@ void UpstreamRequest::onDecodingSuccess(ResponseHeaderFramePtr response_header_f upstream_info_->upstreamTiming().onFirstUpstreamRxByteReceived(parent_.time_source_); } + if (!response_header_frame->status().ok()) { + if (span_ != nullptr) { + span_->setTag(Tracing::Tags::get().Error, Tracing::Tags::get().True); + span_->setTag(Tracing::Tags::get().ErrorReason, "upstream_failure"); + } + } + if (response_header_frame->frameFlags().endStream()) { onUpstreamResponseComplete(response_header_frame->frameFlags().drainClose()); } diff --git a/test/extensions/filters/network/generic_proxy/fake_codec.h b/test/extensions/filters/network/generic_proxy/fake_codec.h index fb96daf46c107..b35e897e2ffd2 100644 --- a/test/extensions/filters/network/generic_proxy/fake_codec.h +++ b/test/extensions/filters/network/generic_proxy/fake_codec.h @@ -64,6 +64,8 @@ class FakeStreamCodecFactory : public CodecFactory { class FakeResponse : public FakeStreamBase { public: + FakeResponse() = default; + FakeResponse(int code, bool ok) : status_(code, ok) {} absl::string_view protocol() const override { return protocol_; } StreamStatus status() const override { return status_; } diff --git a/test/extensions/filters/network/generic_proxy/router/router_test.cc b/test/extensions/filters/network/generic_proxy/router/router_test.cc index f339fea54b33b..b06084849b6f8 100644 --- a/test/extensions/filters/network/generic_proxy/router/router_test.cc +++ b/test/extensions/filters/network/generic_proxy/router/router_test.cc @@ -961,6 +961,35 @@ TEST_F(RouterFilterTest, UpstreamRequestPoolReadyAndRequestEncodingFailure) { mock_downstream_connection_.raiseEvent(Network::ConnectionEvent::RemoteClose); } +TEST_F(RouterFilterTest, UpstreamRequestPoolReadyAndResponseStatusError) { + setup(); + kickOffNewUpstreamRequest(true); + + EXPECT_CALL(mock_generic_upstream_->mock_client_codec_, encode(_, _)) + .WillOnce(Invoke([this](const StreamFrame&, EncodingContext& ctx) -> EncodingResult { + EXPECT_EQ(ctx.routeEntry().ptr(), &mock_route_entry_); + return 0; + })); + + expectInjectContextToUpstreamRequest(); + + notifyUpstreamSuccess(); + + EXPECT_CALL(mock_filter_callback_, onResponseHeaderFrame(_)).WillOnce(Invoke([this](ResponsePtr) { + // When the response is sent to callback, the upstream request should be removed. + EXPECT_EQ(0, filter_->upstreamRequestsSize()); + })); + EXPECT_CALL(*mock_generic_upstream_, removeUpstreamRequest(_)); + EXPECT_CALL(*mock_generic_upstream_, cleanUp(false)); + expectFinalizeUpstreamSpanWithError(); + + auto response = std::make_unique(0, false); + notifyDecodingSuccess(std::move(response), {}); + + // Mock downstream closing. + mock_downstream_connection_.raiseEvent(Network::ConnectionEvent::RemoteClose); +} + TEST_F(RouterFilterTest, LoadBalancerContextDownstreamConnection) { setup(); EXPECT_CALL(mock_filter_callback_, connection()); From e06aa8ea5a4483eaa1dac22b5db977b45c02e37c Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Fri, 12 Sep 2025 06:48:13 -0700 Subject: [PATCH 393/505] tcp_proxy: add support for generating request ID for tunneling (#40815) --- .../filters/network/tcp_proxy/v3/BUILD | 1 + .../network/tcp_proxy/v3/tcp_proxy.proto | 16 ++++- changelogs/current.yaml | 5 ++ envoy/tcp/upstream.h | 4 ++ source/common/tcp_proxy/BUILD | 4 ++ source/common/tcp_proxy/tcp_proxy.cc | 13 ++++ source/common/tcp_proxy/tcp_proxy.h | 7 +++ source/common/tcp_proxy/upstream.cc | 34 ++++++++++ test/common/tcp_proxy/BUILD | 2 + test/common/tcp_proxy/upstream_test.cc | 57 +++++++++++++++++ test/integration/BUILD | 1 + .../tcp_tunneling_integration_test.cc | 62 +++++++++++++++++++ 12 files changed, 205 insertions(+), 1 deletion(-) diff --git a/api/envoy/extensions/filters/network/tcp_proxy/v3/BUILD b/api/envoy/extensions/filters/network/tcp_proxy/v3/BUILD index c9c87b7395d55..234d249142b52 100644 --- a/api/envoy/extensions/filters/network/tcp_proxy/v3/BUILD +++ b/api/envoy/extensions/filters/network/tcp_proxy/v3/BUILD @@ -9,6 +9,7 @@ api_proto_package( "//envoy/annotations:pkg", "//envoy/config/accesslog/v3:pkg", "//envoy/config/core/v3:pkg", + "//envoy/extensions/filters/network/http_connection_manager/v3:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_xds//udpa/annotations:pkg", ], diff --git a/api/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto b/api/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto index f4d57c969ec72..872c736f5a019 100644 --- a/api/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto +++ b/api/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto @@ -7,6 +7,7 @@ import "envoy/config/core/v3/backoff.proto"; import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/config_source.proto"; import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; import "envoy/type/v3/hash_policy.proto"; import "google/protobuf/duration.proto"; @@ -67,7 +68,7 @@ message TcpProxy { // Configuration for tunneling TCP over other transports or application layers. // Tunneling is supported over both HTTP/1.1 and HTTP/2. Upstream protocol is // determined by the cluster configuration. - // [#next-free-field: 7] + // [#next-free-field: 8] message TunnelingConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.TunnelingConfig"; @@ -116,6 +117,19 @@ message TcpProxy { // Save the response trailers to the downstream info filter state for consumption // by the network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_trailers``. bool propagate_response_trailers = 6; + + // The configuration of the request ID extension used for generation, validation, and + // associated tracing operations when tunneling. + // + // If this field is set, a request ID is generated using the specified extension. If + // this field is not set, no request ID is generated. + // + // When a request ID is generated, it is also stored in the downstream connection's + // dynamic metadata under the namespace ``envoy.filters.network.tcp_proxy`` with the key + // ``tunnel_request_id`` to allow emission from TCP proxy access logs via the + // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:tunnel_request_id)%`` formatter. + // [#extension-category: envoy.request_id] + http_connection_manager.v3.RequestIDExtension request_id_extension = 7; } message OnDemand { diff --git a/changelogs/current.yaml b/changelogs/current.yaml index e0bc7f46dc4cd..f1cffe57b6994 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -249,6 +249,11 @@ new_features: (``GET``, ``HEAD``, ``DELETE``, ``TRACE``) are validated and will throw an error if combined with payloads. The implementation is optimized to process the payload once during configuration and reuse it for all health check requests. See :ref:`HttpHealthCheck ` for configuration details. +- area: tcp_proxy + change: | + Added support for generating and propagating a request ID on synthesized upstream HTTP requests when tunneling requests. + It can be configured using :ref:`request_id_extension + `. - area: router_check_tool change: | Added support for testing routes with :ref:`dynamic metadata matchers ` diff --git a/envoy/tcp/upstream.h b/envoy/tcp/upstream.h index b201d2e153a71..4fdc258f6c122 100644 --- a/envoy/tcp/upstream.h +++ b/envoy/tcp/upstream.h @@ -4,6 +4,7 @@ #include "envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.pb.h" #include "envoy/http/filter.h" #include "envoy/http/header_evaluator.h" +#include "envoy/http/request_id_extension.h" #include "envoy/stream_info/stream_info.h" #include "envoy/tcp/conn_pool.h" #include "envoy/upstream/upstream.h" @@ -42,6 +43,9 @@ class TunnelingConfigHelper { // The evaluator to add additional HTTP request headers to the upstream request. virtual Envoy::Http::HeaderEvaluator& headerEvaluator() const PURE; + // The request ID extension used for generation/validation when tunneling. + virtual const Envoy::Http::RequestIDExtensionSharedPtr& requestIDExtension() const PURE; + // Save HTTP response headers to the downstream filter state. virtual void propagateResponseHeaders(Http::ResponseHeaderMapPtr&& headers, diff --git a/source/common/tcp_proxy/BUILD b/source/common/tcp_proxy/BUILD index 27034f0f8d883..c6b30b08d03d1 100644 --- a/source/common/tcp_proxy/BUILD +++ b/source/common/tcp_proxy/BUILD @@ -18,6 +18,7 @@ envoy_cc_library( ], deps = [ "//envoy/http:header_map_interface", + "//envoy/http:request_id_extension_interface", "//envoy/router:router_ratelimit_interface", "//envoy/tcp:conn_pool_interface", "//envoy/tcp:upstream_interface", @@ -73,6 +74,7 @@ envoy_cc_library( "//source/common/config:well_known_names", "//source/common/formatter:substitution_format_string_lib", "//source/common/http:codec_client_lib", + "//source/common/http:request_id_extension_lib", "//source/common/network:application_protocol_lib", "//source/common/network:cidr_range_lib", "//source/common/network:filter_lib", @@ -90,8 +92,10 @@ envoy_cc_library( "//source/common/stream_info:uint64_accessor_lib", "//source/common/upstream:load_balancer_context_base_lib", "//source/common/upstream:od_cds_api_lib", + "//source/extensions/request_id/uuid:config", "//source/extensions/upstreams/tcp/generic:config", "@envoy_api//envoy/config/accesslog/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/tcp_proxy/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/request_id/uuid/v3:pkg_cc_proto", ], ) diff --git a/source/common/tcp_proxy/tcp_proxy.cc b/source/common/tcp_proxy/tcp_proxy.cc index 656ba58a4f186..80ff9a99ec1a6 100644 --- a/source/common/tcp_proxy/tcp_proxy.cc +++ b/source/common/tcp_proxy/tcp_proxy.cc @@ -10,6 +10,7 @@ #include "envoy/event/timer.h" #include "envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.pb.h" #include "envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.pb.validate.h" +#include "envoy/extensions/request_id/uuid/v3/uuid.pb.h" #include "envoy/registry/registry.h" #include "envoy/stats/scope.h" #include "envoy/stream_info/bool_accessor.h" @@ -26,6 +27,7 @@ #include "source/common/config/metadata.h" #include "source/common/config/utility.h" #include "source/common/config/well_known_names.h" +#include "source/common/http/request_id_extension_impl.h" #include "source/common/network/application_protocol.h" #include "source/common/network/proxy_protocol_filter_state.h" #include "source/common/network/socket_option_factory.h" @@ -788,6 +790,17 @@ TunnelingConfigHelperImpl::TunnelingConfigHelperImpl( hostname_fmt_ = THROW_OR_RETURN_VALUE(Formatter::SubstitutionFormatStringUtils::fromProtoConfig( substitution_format_config, context), Formatter::FormatterPtr); + + // Initialize request ID extension if explicitly configured. + const auto& rid_config = config_message.tunneling_config().request_id_extension(); + if (rid_config.has_typed_config()) { + auto extension_or_error = Http::RequestIDExtensionFactory::fromProto(rid_config, context); + if (!extension_or_error.ok()) { + throw EnvoyException(absl::StrCat("Failed to create request ID extension: ", + extension_or_error.status().ToString())); + } + request_id_extension_ = extension_or_error.value(); + } } std::string TunnelingConfigHelperImpl::host(const StreamInfo::StreamInfo& stream_info) const { diff --git a/source/common/tcp_proxy/tcp_proxy.h b/source/common/tcp_proxy/tcp_proxy.h index 6a63e8b81d5a9..cfbe7c8a457ee 100644 --- a/source/common/tcp_proxy/tcp_proxy.h +++ b/source/common/tcp_proxy/tcp_proxy.h @@ -12,6 +12,7 @@ #include "envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.pb.h" #include "envoy/http/codec.h" #include "envoy/http/header_evaluator.h" +#include "envoy/http/request_id_extension.h" #include "envoy/network/connection.h" #include "envoy/network/filter.h" #include "envoy/runtime/runtime.h" @@ -157,6 +158,7 @@ class TunnelResponseTrailers : public Http::TunnelResponseHeadersOrTrailersImpl private: const Http::ResponseTrailerMapPtr response_trailers_; }; + class Config; class TunnelingConfigHelperImpl : public TunnelingConfigHelper, protected Logger::Loggable { @@ -169,6 +171,9 @@ class TunnelingConfigHelperImpl : public TunnelingConfigHelper, bool usePost() const override { return !post_path_.empty(); } const std::string& postPath() const override { return post_path_; } Envoy::Http::HeaderEvaluator& headerEvaluator() const override { return *header_parser_; } + const Envoy::Http::RequestIDExtensionSharedPtr& requestIDExtension() const override { + return request_id_extension_; + } const Envoy::Router::FilterConfig& routerFilterConfig() const override { return router_config_; } void @@ -187,6 +192,8 @@ class TunnelingConfigHelperImpl : public TunnelingConfigHelper, const bool propagate_response_headers_; const bool propagate_response_trailers_; std::string post_path_; + // Request ID extension for tunneling requests. If null, no request ID is generated. + Envoy::Http::RequestIDExtensionSharedPtr request_id_extension_; Stats::StatNameManagedStorage route_stat_name_storage_; const Router::FilterConfig router_config_; Server::Configuration::ServerFactoryContext& server_factory_context_; diff --git a/source/common/tcp_proxy/upstream.cc b/source/common/tcp_proxy/upstream.cc index e40807d4acbae..8fd13df1b3518 100644 --- a/source/common/tcp_proxy/upstream.cc +++ b/source/common/tcp_proxy/upstream.cc @@ -18,6 +18,34 @@ namespace TcpProxy { using TunnelingConfig = envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy_TunnelingConfig; +// Constants for tunnel request ID metadata. +const std::string& tunnelRequestIdMetadataNamespace() { + CONSTRUCT_ON_FIRST_USE(std::string, "envoy.filters.network.tcp_proxy"); +} + +const std::string& tunnelRequestIdMetadataKey() { + CONSTRUCT_ON_FIRST_USE(std::string, "tunnel_request_id"); +} + +// Helper function to generate and store request ID in dynamic metadata. +void generateAndStoreRequestId(const TunnelingConfigHelper& config, Http::RequestHeaderMap& headers, + StreamInfo::StreamInfo& downstream_info) { + if (config.requestIDExtension() != nullptr) { + // For tunneling requests there is no way to get the external request ID as the incoming + // traffic could be anything - HTTPS, MySQL, Postgres, etc. + config.requestIDExtension()->set(headers, /*edge_request=*/true, + /*keep_external_id=*/false); + // Also store the request ID in dynamic metadata to allow TCP access logs to format it. + const auto rid = headers.getRequestIdValue(); + if (!rid.empty()) { + Protobuf::Struct md; + auto& fields = *md.mutable_fields(); + fields[tunnelRequestIdMetadataKey()].mutable_string_value()->assign(rid.data(), rid.size()); + downstream_info.setDynamicMetadata(tunnelRequestIdMetadataNamespace(), md); + } + } +} + TcpUpstream::TcpUpstream(Tcp::ConnectionPool::ConnectionDataPtr&& data, Tcp::ConnectionPool::UpstreamCallbacks& upstream_callbacks) : upstream_conn_data_(std::move(data)) { @@ -121,6 +149,10 @@ void HttpUpstream::setRequestEncoder(Http::RequestEncoder& request_encoder, bool } } + // Optionally generate a request ID before evaluating configured headers so + // it is available to header formatters. + generateAndStoreRequestId(config_, *headers, downstream_info_); + config_.headerEvaluator().evaluateHeaders(*headers, {downstream_info_.getRequestHeaders()}, downstream_info_); const auto status = request_encoder_->encodeHeaders(*headers, false); @@ -423,6 +455,8 @@ CombinedUpstream::CombinedUpstream(HttpConnPool& http_conn_pool, downstream_headers_->addReference(Http::Headers::get().Path, config_.postPath()); } + generateAndStoreRequestId(config_, *downstream_headers_, downstream_info_); + config_.headerEvaluator().evaluateHeaders( *downstream_headers_, {downstream_info_.getRequestHeaders()}, downstream_info_); } diff --git a/test/common/tcp_proxy/BUILD b/test/common/tcp_proxy/BUILD index 332e0fda12511..889ac99975fd2 100644 --- a/test/common/tcp_proxy/BUILD +++ b/test/common/tcp_proxy/BUILD @@ -94,5 +94,7 @@ envoy_cc_test( "//test/mocks/upstream:cluster_manager_mocks", "//test/mocks/upstream:load_balancer_context_mock", "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/request_id/uuid/v3:pkg_cc_proto", ], ) diff --git a/test/common/tcp_proxy/upstream_test.cc b/test/common/tcp_proxy/upstream_test.cc index 21f3807cdad8b..323f6789583ca 100644 --- a/test/common/tcp_proxy/upstream_test.cc +++ b/test/common/tcp_proxy/upstream_test.cc @@ -1,5 +1,8 @@ #include +#include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h" +#include "envoy/extensions/request_id/uuid/v3/uuid.pb.h" + #include "source/common/tcp_proxy/tcp_proxy.h" #include "source/common/tcp_proxy/upstream.h" @@ -314,6 +317,45 @@ TEST_P(HttpUpstreamRequestEncoderTest, RequestEncoderUsePostWithCustomPath) { this->upstream_->setRequestEncoder(this->encoder_, false); } +TEST_P(HttpUpstreamRequestEncoderTest, RequestIdGeneratedWhenEnabled) { + envoy::extensions::filters::network::http_connection_manager::v3::RequestIDExtension reqid_ext; + envoy::extensions::request_id::uuid::v3::UuidRequestIdConfig uuid_cfg; + reqid_ext.mutable_typed_config()->PackFrom(uuid_cfg); + *this->tcp_proxy_.mutable_tunneling_config()->mutable_request_id_extension() = reqid_ext; + this->setupUpstream(); + + EXPECT_CALL(this->encoder_, encodeHeaders(_, false)) + .WillOnce(Invoke([&](const Http::RequestHeaderMap& headers, bool) { + const auto* rid = headers.RequestId(); + EXPECT_NE(rid, nullptr); + if (rid != nullptr) { + EXPECT_FALSE(rid->value().empty()); + } + return Http::okStatus(); + })); + + this->upstream_->setRequestEncoder(this->encoder_, false); +} + +MATCHER(HasNonEmptyTunnelRequestId, "Struct has non-empty tunnel_request_id") { + const Protobuf::Struct& st = arg; + const auto& fields = st.fields(); + auto it = fields.find("tunnel_request_id"); + return it != fields.end() && !it->second.string_value().empty(); +} + +TEST_P(HttpUpstreamRequestEncoderTest, RequestIdStoredInDynamicMetadataWhenEnabled) { + envoy::extensions::filters::network::http_connection_manager::v3::RequestIDExtension reqid_ext; + envoy::extensions::request_id::uuid::v3::UuidRequestIdConfig uuid_cfg; + reqid_ext.mutable_typed_config()->PackFrom(uuid_cfg); + *this->tcp_proxy_.mutable_tunneling_config()->mutable_request_id_extension() = reqid_ext; + this->setupUpstream(); + EXPECT_CALL(this->downstream_stream_info_, + setDynamicMetadata("envoy.filters.network.tcp_proxy", HasNonEmptyTunnelRequestId())); + EXPECT_CALL(this->encoder_, encodeHeaders(_, false)).WillOnce(Return(Http::okStatus())); + this->upstream_->setRequestEncoder(this->encoder_, false); +} + TEST_P(HttpUpstreamRequestEncoderTest, RequestEncoderConnectWithCustomPath) { this->tcp_proxy_.mutable_tunneling_config()->set_use_post(false); this->tcp_proxy_.mutable_tunneling_config()->set_post_path("/test"); @@ -570,6 +612,21 @@ TEST_F(CombinedUpstreamTest, WriteUpstream) { this->upstream_->encodeData(buffer2, true); } +TEST_F(CombinedUpstreamTest, CombinedUpstreamGeneratesRequestIdWhenEnabled) { + envoy::extensions::filters::network::http_connection_manager::v3::RequestIDExtension reqid_ext; + envoy::extensions::request_id::uuid::v3::UuidRequestIdConfig uuid_cfg; + reqid_ext.mutable_typed_config()->PackFrom(uuid_cfg); + *this->tcp_proxy_.mutable_tunneling_config()->mutable_request_id_extension() = reqid_ext; + this->setup(); + auto* headers = this->upstream_->downstreamHeaders(); + ASSERT_NE(headers, nullptr); + const auto* rid = headers->RequestId(); + EXPECT_NE(rid, nullptr); + if (rid != nullptr) { + EXPECT_FALSE(rid->value().empty()); + } +} + TEST_F(CombinedUpstreamTest, WriteDownstream) { this->setup(); EXPECT_CALL(this->callbacks_, onUpstreamData(BufferStringEqual("foo"), false)); diff --git a/test/integration/BUILD b/test/integration/BUILD index eb536c353c0a2..b9362ba7c4337 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -2055,6 +2055,7 @@ envoy_cc_test( "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/access_loggers/file/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/tcp_proxy/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/request_id/uuid/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/upstreams/http/tcp/v3:pkg_cc_proto", ], ) diff --git a/test/integration/tcp_tunneling_integration_test.cc b/test/integration/tcp_tunneling_integration_test.cc index 72f2c6bf240c2..2f7a890f9d4b6 100644 --- a/test/integration/tcp_tunneling_integration_test.cc +++ b/test/integration/tcp_tunneling_integration_test.cc @@ -5,6 +5,7 @@ #include "envoy/config/core/v3/proxy_protocol.pb.h" #include "envoy/extensions/access_loggers/file/v3/file.pb.h" #include "envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.pb.h" +#include "envoy/extensions/request_id/uuid/v3/uuid.pb.h" #include "envoy/extensions/upstreams/http/tcp/v3/tcp_connection_pool.pb.h" #include "test/integration/filters/add_header_filter.pb.h" @@ -827,6 +828,42 @@ class TcpTunnelingIntegrationTest : public BaseTcpTunnelingIntegrationTest { BaseTcpTunnelingIntegrationTest::SetUp(); } + void enableRequestIdGeneration() { + config_helper_.addConfigModifier( + [&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy proxy_config; + proxy_config.set_stat_prefix("tcp_stats"); + proxy_config.set_cluster("cluster_0"); + proxy_config.mutable_tunneling_config()->set_hostname("foo.lyft.com:80"); + // Configure request ID generation for tunneling using the UUID request ID extension. + envoy::extensions::filters::network::http_connection_manager::v3::RequestIDExtension + request_id_extension; + envoy::extensions::request_id::uuid::v3::UuidRequestIdConfig uuid_config; + request_id_extension.mutable_typed_config()->PackFrom(uuid_config); + proxy_config.mutable_tunneling_config()->mutable_request_id_extension()->CopyFrom( + request_id_extension); + + // Add a file access log to capture the dynamic metadata request id before packing. + tunnel_access_log_path_ = TestEnvironment::temporaryPath(TestUtility::uniqueFilename()); + envoy::extensions::access_loggers::file::v3::FileAccessLog fal; + fal.set_path(tunnel_access_log_path_); + fal.mutable_log_format()->mutable_text_format_source()->set_inline_string( + "%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:tunnel_request_id)%\n"); + proxy_config.add_access_log()->mutable_typed_config()->PackFrom(fal); + + auto* listeners = bootstrap.mutable_static_resources()->mutable_listeners(); + for (auto& listener : *listeners) { + if (listener.name() != "tcp_proxy") { + continue; + } + auto* filter_chain = listener.mutable_filter_chains(0); + auto* filter = filter_chain->mutable_filters(0); + filter->mutable_typed_config()->PackFrom(proxy_config); + break; + } + }); + } + const HttpFilterProto getAddHeaderFilterConfig(const std::string& name, const std::string& key, const std::string& value) { HttpFilterProto filter_config; @@ -872,6 +909,7 @@ class TcpTunnelingIntegrationTest : public BaseTcpTunnelingIntegrationTest { } } int downstream_buffer_limit_{0}; + std::string tunnel_access_log_path_; }; TEST_P(TcpTunnelingIntegrationTest, Basic) { @@ -986,6 +1024,30 @@ TEST_P(TcpTunnelingIntegrationTest, FlowControlOnAndGiantBody) { testGiantRequestAndResponse(10 * 1024 * 1024, 10 * 1024 * 1024); } +TEST_P(TcpTunnelingIntegrationTest, GeneratesRequestIdHeaderWhenEnabled) { + enableRequestIdGeneration(); + initialize(); + + // Start a connection, and verify the upgrade headers are received upstream. + tcp_client_ = makeTcpConnection(lookupPort("tcp_proxy")); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + + // x-request-id should be present. + const auto& hdrs = upstream_request_->headers(); + EXPECT_FALSE(hdrs.getRequestIdValue().empty()); + + // Complete handshake and basic bidi flow to ensure no regressions. + upstream_request_->encodeHeaders(default_response_headers_, false); + sendBidiData(fake_upstream_connection_); + closeConnection(fake_upstream_connection_); + + // Verify access log contains a non-empty request id line for filter-state key. + const std::string log_content = waitForAccessLog(tunnel_access_log_path_); + EXPECT_FALSE(log_content.empty()); +} + TEST_P(TcpTunnelingIntegrationTest, SendDataUpstreamAfterUpstreamClose) { if (upstreamProtocol() == Http::CodecType::HTTP1) { // HTTP/1.1 can't frame with FIN bits. From 4f36eb9bb7722dca019f3f68296320194ed449e0 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 12 Sep 2025 17:44:04 +0000 Subject: [PATCH 394/505] deps: Bump `com_github_axboe_liburing` -> 2.12 (#41064) ## Description This PR bumps up `com_github_axboe_liburing ` -> 2.12 Fix https://github.com/envoyproxy/envoy/issues/40839 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 95979e4647268..1fbc9080f1152 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -235,12 +235,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "liburing", project_desc = "C helpers to set up and tear down io_uring instances", project_url = "https://github.com/axboe/liburing", - version = "2.11", - sha256 = "462c35ef21d67e50490f8684c76641ee2c7796e83d43de796852ef4e40662e33", + version = "2.12", + sha256 = "f1d10cb058c97c953b4c0c446b11e9177e8c8b32a5a88b309f23fdd389e26370", strip_prefix = "liburing-liburing-{version}", urls = ["https://github.com/axboe/liburing/archive/liburing-{version}.tar.gz"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-06-16", + release_date = "2025-08-23", cpe = "N/A", ), # This dependency is built only when performance tracing is enabled with the From 2d0ec36555d9d34cb889e08ff6ee0e271388f103 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Fri, 12 Sep 2025 14:01:32 -0400 Subject: [PATCH 395/505] Use mutex reference in lock constructors (#41058) Replace deprecated absl::MutexLock::MutexLock(Mutex*) constructor with absl::MutexLock::MutexLock(Mutex&) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../common/network/connection_balancer_impl.cc | 6 +++--- source/common/network/udp_listener_impl.cc | 6 +++--- source/common/stats/allocator_impl.cc | 4 ++-- source/common/stats/symbol_table.cc | 2 +- .../extensions/clusters/common/logical_host.cc | 10 +++++----- .../clusters/dynamic_forward_proxy/cluster.cc | 16 ++++++++-------- .../dns_resolver/getaddrinfo/getaddrinfo.cc | 10 +++++----- .../transport_sockets/alts/alts_channel_pool.cc | 2 +- .../match_delegate_integration_test.cc | 14 +++++++------- test/mocks/filesystem/mocks.cc | 8 ++++---- test/server/admin/stats_handler_test.cc | 2 +- 11 files changed, 40 insertions(+), 40 deletions(-) diff --git a/source/common/network/connection_balancer_impl.cc b/source/common/network/connection_balancer_impl.cc index fc0471c675a51..2107d44f1fea3 100644 --- a/source/common/network/connection_balancer_impl.cc +++ b/source/common/network/connection_balancer_impl.cc @@ -4,12 +4,12 @@ namespace Envoy { namespace Network { void ExactConnectionBalancerImpl::registerHandler(BalancedConnectionHandler& handler) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); handlers_.push_back(&handler); } void ExactConnectionBalancerImpl::unregisterHandler(BalancedConnectionHandler& handler) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); // This could be made more efficient in various ways, but the number of listeners is generally // small and this is a rare operation so we can start with this and optimize later if this // becomes a perf bottleneck. @@ -20,7 +20,7 @@ BalancedConnectionHandler& ExactConnectionBalancerImpl::pickTargetHandler(BalancedConnectionHandler&) { BalancedConnectionHandler* min_connection_handler = nullptr; { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); for (BalancedConnectionHandler* handler : handlers_) { if (min_connection_handler == nullptr || handler->numConnections() < min_connection_handler->numConnections()) { diff --git a/source/common/network/udp_listener_impl.cc b/source/common/network/udp_listener_impl.cc index 838db8b4c9c75..082fe4e92c640 100644 --- a/source/common/network/udp_listener_impl.cc +++ b/source/common/network/udp_listener_impl.cc @@ -174,7 +174,7 @@ UdpListenerWorkerRouterImpl::UdpListenerWorkerRouterImpl(uint32_t concurrency) : workers_(concurrency) {} void UdpListenerWorkerRouterImpl::registerWorkerForListener(UdpListenerCallbacks& listener) { - absl::WriterMutexLock lock(&mutex_); + absl::WriterMutexLock lock(mutex_); ASSERT(listener.workerIndex() < workers_.size()); ASSERT(workers_.at(listener.workerIndex()) == nullptr); @@ -182,14 +182,14 @@ void UdpListenerWorkerRouterImpl::registerWorkerForListener(UdpListenerCallbacks } void UdpListenerWorkerRouterImpl::unregisterWorkerForListener(UdpListenerCallbacks& listener) { - absl::WriterMutexLock lock(&mutex_); + absl::WriterMutexLock lock(mutex_); ASSERT(workers_.at(listener.workerIndex()) == &listener); workers_.at(listener.workerIndex()) = nullptr; } void UdpListenerWorkerRouterImpl::deliver(uint32_t dest_worker_index, UdpRecvData&& data) { - absl::ReaderMutexLock lock(&mutex_); + absl::ReaderMutexLock lock(mutex_); ASSERT(dest_worker_index < workers_.size(), "UdpListenerCallbacks::destination returned out-of-range value"); diff --git a/source/common/stats/allocator_impl.cc b/source/common/stats/allocator_impl.cc index 963279a96ca9e..ad9c04b0e8099 100644 --- a/source/common/stats/allocator_impl.cc +++ b/source/common/stats/allocator_impl.cc @@ -283,12 +283,12 @@ class TextReadoutImpl : public StatsSharedImpl { // Stats::TextReadout void set(absl::string_view value) override { std::string value_copy(value); - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); value_ = std::move(value_copy); flags_ |= Flags::Used; } std::string value() const override { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return value_; } diff --git a/source/common/stats/symbol_table.cc b/source/common/stats/symbol_table.cc index 354e65e790332..0f635b39bf1ba 100644 --- a/source/common/stats/symbol_table.cc +++ b/source/common/stats/symbol_table.cc @@ -757,7 +757,7 @@ StatNameSet::StatNameSet(SymbolTable& symbol_table, absl::string_view name) void StatNameSet::rememberBuiltin(absl::string_view str) { StatName stat_name; { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); stat_name = pool_.add(str); } builtin_stat_names_[str] = stat_name; diff --git a/source/extensions/clusters/common/logical_host.cc b/source/extensions/clusters/common/logical_host.cc index cbebb043d3b6c..85069e65c6d68 100644 --- a/source/extensions/clusters/common/logical_host.cc +++ b/source/extensions/clusters/common/logical_host.cc @@ -41,7 +41,7 @@ LogicalHost::LogicalHost( } Network::Address::InstanceConstSharedPtr LogicalHost::healthCheckAddress() const { - absl::MutexLock lock(&address_lock_); + absl::MutexLock lock(address_lock_); return health_check_address_; } @@ -57,7 +57,7 @@ void LogicalHost::setNewAddresses(const Network::Address::InstanceConstSharedPtr ASSERT(*address_list.front() == *address); } { - absl::MutexLock lock(&address_lock_); + absl::MutexLock lock(address_lock_); address_ = address; address_list_or_null_ = std::move(shared_address_list); health_check_address_ = std::move(health_check_address); @@ -65,12 +65,12 @@ void LogicalHost::setNewAddresses(const Network::Address::InstanceConstSharedPtr } HostDescription::SharedConstAddressVector LogicalHost::addressListOrNull() const { - absl::MutexLock lock(&address_lock_); + absl::MutexLock lock(address_lock_); return address_list_or_null_; } Network::Address::InstanceConstSharedPtr LogicalHost::address() const { - absl::MutexLock lock(&address_lock_); + absl::MutexLock lock(address_lock_); return address_; } @@ -80,7 +80,7 @@ Upstream::Host::CreateConnectionData LogicalHost::createConnection( Network::Address::InstanceConstSharedPtr address; SharedConstAddressVector address_list_or_null; { - absl::MutexLock lock(&address_lock_); + absl::MutexLock lock(address_lock_); address = address_; address_list_or_null = address_list_or_null_; } diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index 67f05373f42ee..12cb648c67a14 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc @@ -100,7 +100,7 @@ Cluster::~Cluster() { } // Should remove all sub clusters, otherwise, might be memory leaking. // This lock is useless, just make compiler happy. - absl::WriterMutexLock lock{&cluster_map_lock_}; + absl::WriterMutexLock lock{cluster_map_lock_}; for (auto it = cluster_map_.cbegin(); it != cluster_map_.cend();) { auto cluster_name = it->first; ENVOY_LOG(debug, "cluster='{}' removing from cluster_map & cluster manager", cluster_name); @@ -126,7 +126,7 @@ void Cluster::startPreInit() { } bool Cluster::touch(const std::string& cluster_name) { - absl::ReaderMutexLock lock{&cluster_map_lock_}; + absl::ReaderMutexLock lock{cluster_map_lock_}; const auto cluster_it = cluster_map_.find(cluster_name); if (cluster_it != cluster_map_.end()) { cluster_it->second->touch(); @@ -140,7 +140,7 @@ void Cluster::checkIdleSubCluster() { ASSERT(main_thread_dispatcher_.isThreadSafe()); { // TODO: try read lock first. - absl::WriterMutexLock lock{&cluster_map_lock_}; + absl::WriterMutexLock lock{cluster_map_lock_}; for (auto it = cluster_map_.cbegin(); it != cluster_map_.cend();) { if (it->second->checkIdle()) { auto cluster_name = it->first; @@ -159,7 +159,7 @@ std::pair> Cluster::createSubClusterConfig(const std::string& cluster_name, const std::string& host, const int port) { { - absl::WriterMutexLock lock{&cluster_map_lock_}; + absl::WriterMutexLock lock{cluster_map_lock_}; const auto cluster_it = cluster_map_.find(cluster_name); if (cluster_it != cluster_map_.end()) { cluster_it->second->touch(); @@ -259,7 +259,7 @@ absl::Status Cluster::addOrUpdateHost( std::unique_ptr& hosts_added) { Upstream::LogicalHostSharedPtr emplaced_host; { - absl::WriterMutexLock lock{&host_map_lock_}; + absl::WriterMutexLock lock{host_map_lock_}; // NOTE: Right now we allow a DNS cache to be shared between multiple clusters. Though we have // connection/request circuit breakers on the cluster, we don't have any way to control the @@ -332,7 +332,7 @@ void Cluster::updatePriorityState(const Upstream::HostVector& hosts_added, Upstream::PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); priority_state_manager.initializePriorityFor(dummy_locality_lb_endpoint_); { - absl::ReaderMutexLock lock{&host_map_lock_}; + absl::ReaderMutexLock lock{host_map_lock_}; for (const auto& host : host_map_) { priority_state_manager.registerHostForPriority(host.second.logical_host_, dummy_locality_lb_endpoint_); @@ -346,7 +346,7 @@ void Cluster::updatePriorityState(const Upstream::HostVector& hosts_added, void Cluster::onDnsHostRemove(const std::string& host) { Upstream::HostVector hosts_removed; { - absl::WriterMutexLock lock{&host_map_lock_}; + absl::WriterMutexLock lock{host_map_lock_}; const auto host_map_it = host_map_.find(host); ASSERT(host_map_it != host_map_.end()); hosts_removed.emplace_back(host_map_it->second.logical_host_); @@ -478,7 +478,7 @@ Upstream::HostConstSharedPtr Cluster::LoadBalancer::findHostByName(const std::st Upstream::HostConstSharedPtr Cluster::findHostByName(const std::string& host) const { { - absl::ReaderMutexLock lock{&host_map_lock_}; + absl::ReaderMutexLock lock{host_map_lock_}; const auto host_it = host_map_.find(host); if (host_it == host_map_.end()) { ENVOY_LOG(debug, "host {} not found", host); diff --git a/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc b/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc index fa2308f6d800d..6e2c29a52dc5e 100644 --- a/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc +++ b/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc @@ -41,7 +41,7 @@ GetAddrInfoDnsResolver::GetAddrInfoDnsResolver( GetAddrInfoDnsResolver::~GetAddrInfoDnsResolver() { { - absl::MutexLock guard(&mutex_); + absl::MutexLock guard(mutex_); shutting_down_ = true; pending_queries_.clear(); } @@ -60,7 +60,7 @@ ActiveDnsQuery* GetAddrInfoDnsResolver::resolve(const std::string& dns_name, new_query->addTrace(static_cast(GetAddrInfoTrace::NotStarted)); ActiveDnsQuery* active_query = new_query.get(); { - absl::MutexLock guard(&mutex_); + absl::MutexLock guard(mutex_); if (config_.has_num_retries()) { // + 1 to include the initial query. pending_queries_.push_back({std::move(new_query), config_.num_retries().value() + 1}); @@ -144,7 +144,7 @@ void GetAddrInfoDnsResolver::resolveThreadRoutine() { std::unique_ptr next_query; absl::optional num_retries; { - absl::MutexLock guard(&mutex_); + absl::MutexLock guard(mutex_); auto condition = [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_) { return shutting_down_ || !pending_queries_.empty(); }; @@ -192,7 +192,7 @@ void GetAddrInfoDnsResolver::resolveThreadRoutine() { ENVOY_LOG(trace, "retrying query [{}]", next_query->dns_name_); next_query->addTrace(static_cast(GetAddrInfoTrace::Retrying)); { - absl::MutexLock guard(&mutex_); + absl::MutexLock guard(mutex_); pending_queries_.push_back({std::move(next_query), absl::nullopt}); } continue; @@ -203,7 +203,7 @@ void GetAddrInfoDnsResolver::resolveThreadRoutine() { *num_retries); next_query->addTrace(static_cast(GetAddrInfoTrace::Retrying)); { - absl::MutexLock guard(&mutex_); + absl::MutexLock guard(mutex_); pending_queries_.push_back({std::move(next_query), *num_retries}); } continue; diff --git a/source/extensions/transport_sockets/alts/alts_channel_pool.cc b/source/extensions/transport_sockets/alts/alts_channel_pool.cc index 75bb7fd32b31f..8af118ba23569 100644 --- a/source/extensions/transport_sockets/alts/alts_channel_pool.cc +++ b/source/extensions/transport_sockets/alts/alts_channel_pool.cc @@ -54,7 +54,7 @@ AltsChannelPool::AltsChannelPool(const std::vector AltsChannelPool::getChannel() { std::shared_ptr channel; { - absl::MutexLock lock(&mu_); + absl::MutexLock lock(mu_); channel = channel_pool_[index_]; index_ = (index_ + 1) % channel_pool_.size(); } diff --git a/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc b/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc index a1c466686d728..49cb75b094aaa 100644 --- a/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc +++ b/test/extensions/filters/network/match_delegate/match_delegate_integration_test.cc @@ -26,13 +26,13 @@ class CountingFilter : public Network::Filter { public: // Read filter methods Network::FilterStatus onData(Buffer::Instance& data, bool) override { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); data_bytes_ += data.length(); return Network::FilterStatus::Continue; } Network::FilterStatus onNewConnection() override { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); connection_count_++; return Network::FilterStatus::Continue; } @@ -43,7 +43,7 @@ class CountingFilter : public Network::Filter { // Write filter methods Network::FilterStatus onWrite(Buffer::Instance& data, bool) override { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); write_bytes_ += data.length(); return Network::FilterStatus::Continue; } @@ -54,23 +54,23 @@ class CountingFilter : public Network::Filter { // Thread-safe getters for counter values static uint32_t getConnectionCount() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return connection_count_; } static uint64_t getDataBytes() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return data_bytes_; } static uint64_t getWriteBytes() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return write_bytes_; } // Reset all counters static void resetCounters() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); connection_count_ = 0; data_bytes_ = 0; write_bytes_ = 0; diff --git a/test/mocks/filesystem/mocks.cc b/test/mocks/filesystem/mocks.cc index bd396f2aae2d9..085d0a5a09746 100644 --- a/test/mocks/filesystem/mocks.cc +++ b/test/mocks/filesystem/mocks.cc @@ -10,7 +10,7 @@ MockFile::MockFile() = default; MockFile::~MockFile() = default; Api::IoCallBoolResult MockFile::open(FlagSet flag) { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); Api::IoCallBoolResult result = open_(flag); is_open_ = result.return_value_; @@ -20,7 +20,7 @@ Api::IoCallBoolResult MockFile::open(FlagSet flag) { } Api::IoCallSizeResult MockFile::write(absl::string_view buffer) { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); if (!is_open_) { return {-1, Api::IoErrorPtr(nullptr, [](Api::IoError*) { PANIC("reached unexpected code"); })}; } @@ -32,7 +32,7 @@ Api::IoCallSizeResult MockFile::write(absl::string_view buffer) { } Api::IoCallSizeResult MockFile::pread(void* buf, uint64_t count, uint64_t offset) { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); if (!is_open_) { return {-1, Api::IoErrorPtr(nullptr, [](Api::IoError*) { PANIC("reached unexpected code"); })}; } @@ -44,7 +44,7 @@ Api::IoCallSizeResult MockFile::pread(void* buf, uint64_t count, uint64_t offset } Api::IoCallSizeResult MockFile::pwrite(const void* buf, uint64_t count, uint64_t offset) { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); if (!is_open_) { return {-1, Api::IoErrorPtr(nullptr, [](Api::IoError*) { PANIC("reached unexpected code"); })}; } diff --git a/test/server/admin/stats_handler_test.cc b/test/server/admin/stats_handler_test.cc index 176f43ce9e57a..2968850167803 100644 --- a/test/server/admin/stats_handler_test.cc +++ b/test/server/admin/stats_handler_test.cc @@ -1256,7 +1256,7 @@ class ThreadedTest : public testing::Test { for (uint32_t s = 0; s < NumScopes; ++s) { Stats::ScopeSharedPtr scope = store_->rootScope()->scopeFromStatName(scope_names_[s]); { - absl::MutexLock lock(&scope_mutexes_[s]); + absl::MutexLock lock(scope_mutexes_[s]); scopes_[s] = scope; } for (Stats::StatName counter_name : counter_names_) { From 564612e32eafc10a7a7fd490cdb5cc7149e5802b Mon Sep 17 00:00:00 2001 From: code Date: Sat, 13 Sep 2025 02:37:09 +0800 Subject: [PATCH 396/505] Revert "async stream options: use shared pointer for pased retry policy (#41012) (#41061) This reverts commit 2e64f202c8fa8bae61cbe07ec0450faf2f5c9373. Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --- envoy/http/async_client.h | 6 +- envoy/router/router.h | 2 - source/common/http/async_client_impl.cc | 34 +++--- source/common/http/async_client_impl.h | 2 +- source/common/router/BUILD | 18 +-- source/common/router/config_impl.cc | 134 ++++++++++++++++++++- source/common/router/config_impl.h | 77 +++++++++++- source/common/router/retry_policy_impl.cc | 134 --------------------- source/common/router/retry_policy_impl.h | 91 -------------- test/common/http/async_client_impl_test.cc | 18 ++- 10 files changed, 239 insertions(+), 277 deletions(-) delete mode 100644 source/common/router/retry_policy_impl.cc delete mode 100644 source/common/router/retry_policy_impl.h diff --git a/envoy/http/async_client.h b/envoy/http/async_client.h index 3155e5af60323..9afbc3f394336 100644 --- a/envoy/http/async_client.h +++ b/envoy/http/async_client.h @@ -343,8 +343,8 @@ class AsyncClient { // The retry policy can be set as either a proto or Router::RetryPolicy but // not both. If both formats of the options are set, the more recent call // will overwrite the older one. - StreamOptions& setRetryPolicy(Router::RetryPolicyConstSharedPtr p) { - parsed_retry_policy = std::move(p); + StreamOptions& setRetryPolicy(const Router::RetryPolicy& p) { + parsed_retry_policy = &p; retry_policy = absl::nullopt; return *this; } @@ -432,7 +432,7 @@ class AsyncClient { absl::optional buffer_limit_; absl::optional retry_policy; - Router::RetryPolicyConstSharedPtr parsed_retry_policy; + const Router::RetryPolicy* parsed_retry_policy{nullptr}; Router::FilterConfigSharedPtr filter_config_; diff --git a/envoy/router/router.h b/envoy/router/router.h index fa4de89acf09a..d37a0bd61968d 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -311,8 +311,6 @@ class RetryPolicy { virtual std::chrono::milliseconds resetMaxInterval() const PURE; }; -using RetryPolicyConstSharedPtr = std::shared_ptr; - /** * RetryStatus whether request should be retried or not. */ diff --git a/source/common/http/async_client_impl.cc b/source/common/http/async_client_impl.cc index 80d3cea522d54..6fb949da25300 100644 --- a/source/common/http/async_client_impl.cc +++ b/source/common/http/async_client_impl.cc @@ -18,14 +18,6 @@ namespace Envoy { namespace Http { -namespace { -Router::RetryPolicyConstSharedPtr sharedEmptyRetryPolicy() { - static Router::RetryPolicyConstSharedPtr empty_policy = - std::make_shared(); - return empty_policy; -} -} // namespace - const absl::string_view AsyncClientImpl::ResponseBufferLimit = "http.async_response_buffer_limit"; AsyncClientImpl::AsyncClientImpl(Upstream::ClusterInfoConstSharedPtr cluster, @@ -98,19 +90,23 @@ AsyncClient::Stream* AsyncClientImpl::start(AsyncClient::StreamCallbacks& callba return active_streams_.front().get(); } -Router::RetryPolicyConstSharedPtr -createRetryPolicy(const AsyncClient::StreamOptions& options, +std::unique_ptr +createRetryPolicy(AsyncClientImpl& parent, const AsyncClient::StreamOptions& options, Server::Configuration::CommonFactoryContext& context, absl::Status& creation_status) { if (options.retry_policy.has_value()) { + Upstream::RetryExtensionFactoryContextImpl factory_context( + parent.factory_context_.singletonManager()); auto policy_or_error = Router::RetryPolicyImpl::create( - options.retry_policy.value(), ProtobufMessage::getNullValidationVisitor(), context); + options.retry_policy.value(), ProtobufMessage::getNullValidationVisitor(), factory_context, + context); creation_status = policy_or_error.status(); - return policy_or_error.status().ok() ? std::move(policy_or_error.value()) - : sharedEmptyRetryPolicy(); + return policy_or_error.status().ok() ? std::move(policy_or_error.value()) : nullptr; + } + if (options.parsed_retry_policy == nullptr) { + return std::make_unique(); } - return options.parsed_retry_policy != nullptr ? options.parsed_retry_policy - : sharedEmptyRetryPolicy(); + return nullptr; } AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCallbacks& callbacks, @@ -126,7 +122,7 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal : std::make_shared( StreamInfo::FilterState::LifeSpan::FilterChain)), tracing_config_(Tracing::EgressConfig::get()), local_reply_(*parent.local_reply_), - retry_policy_(createRetryPolicy(options, parent.factory_context_, creation_status)), + retry_policy_(createRetryPolicy(parent, options, parent_.factory_context_, creation_status)), account_(options.account_), buffer_limit_(options.buffer_limit_), send_xff_(options.send_xff), send_internal_(options.send_internal) { // A field initialization may set the creation-status as unsuccessful. @@ -148,8 +144,10 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal } auto route_or_error = NullRouteImpl::create( - parent_.cluster_->name(), *retry_policy_, parent_.factory_context_.regexEngine(), - options.timeout, options.hash_policy, metadata_matching_criteria); + parent_.cluster_->name(), + retry_policy_ != nullptr ? *retry_policy_ : *options.parsed_retry_policy, + parent_.factory_context_.regexEngine(), options.timeout, options.hash_policy, + metadata_matching_criteria); SET_AND_RETURN_IF_NOT_OK(route_or_error.status(), creation_status); route_ = std::move(*route_or_error); stream_info_.dynamicMetadata().MergeFrom(options.metadata); diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h index ce52b83ed52ca..eedb6e17ad4fc 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h @@ -278,7 +278,7 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, Tracing::NullSpan active_span_; const Tracing::Config& tracing_config_; const LocalReply::LocalReply& local_reply_; - Router::RetryPolicyConstSharedPtr retry_policy_; + const std::unique_ptr retry_policy_; std::shared_ptr route_; uint32_t high_watermark_calls_{}; bool local_closed_{}; diff --git a/source/common/router/BUILD b/source/common/router/BUILD index fb5d8979aa5f3..1a1f91f67c810 100644 --- a/source/common/router/BUILD +++ b/source/common/router/BUILD @@ -43,7 +43,7 @@ envoy_cc_library( ":matcher_visitor_lib", ":metadatamatchcriteria_lib", ":per_filter_config_lib", - ":retry_policy_lib", + ":reset_header_parser_lib", ":retry_state_lib", ":router_ratelimit_lib", ":tls_context_match_criteria_lib", @@ -541,19 +541,3 @@ envoy_cc_library( "//envoy/router:cluster_specifier_plugin_interface", ], ) - -envoy_cc_library( - name = "retry_policy_lib", - srcs = ["retry_policy_impl.cc"], - hdrs = ["retry_policy_impl.h"], - deps = [ - ":reset_header_parser_lib", - ":retry_state_lib", - "//envoy/router:router_interface", - "//envoy/server:factory_context_interface", - "//source/common/config:utility_lib", - "//source/common/upstream:retry_factory_lib", - "@com_google_absl//absl/types:optional", - "@envoy_api//envoy/config/route/v3:pkg_cc_proto", - ], -) diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 06c5d08fe47b4..7059d996bea7e 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -44,10 +44,13 @@ #include "source/common/router/context_impl.h" #include "source/common/router/header_cluster_specifier.h" #include "source/common/router/matcher_visitor.h" +#include "source/common/router/reset_header_parser.h" +#include "source/common/router/retry_state_impl.h" #include "source/common/router/weighted_cluster_specifier.h" #include "source/common/runtime/runtime_features.h" #include "source/common/tracing/custom_tag_impl.h" #include "source/common/tracing/http_tracer_impl.h" +#include "source/common/upstream/retry_factory.h" #include "source/extensions/early_data/default_early_data_policy.h" #include "source/extensions/matching/network/common/inputs.h" #include "source/extensions/path/match/uri_template/uri_template_match.h" @@ -214,6 +217,128 @@ HedgePolicyImpl::HedgePolicyImpl(const envoy::config::route::v3::HedgePolicy& he HedgePolicyImpl::HedgePolicyImpl() : initial_requests_(1), hedge_on_per_try_timeout_(false) {} +absl::StatusOr> +RetryPolicyImpl::create(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Upstream::RetryExtensionFactoryContext& factory_context, + Server::Configuration::CommonFactoryContext& common_context) { + absl::Status creation_status = absl::OkStatus(); + auto ret = std::unique_ptr(new RetryPolicyImpl( + retry_policy, validation_visitor, factory_context, common_context, creation_status)); + RETURN_IF_NOT_OK(creation_status); + return ret; +} +RetryPolicyImpl::RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Upstream::RetryExtensionFactoryContext& factory_context, + Server::Configuration::CommonFactoryContext& common_context, + absl::Status& creation_status) + : retriable_headers_(Http::HeaderUtility::buildHeaderMatcherVector( + retry_policy.retriable_headers(), common_context)), + retriable_request_headers_(Http::HeaderUtility::buildHeaderMatcherVector( + retry_policy.retriable_request_headers(), common_context)), + validation_visitor_(&validation_visitor) { + per_try_timeout_ = + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_timeout, 0)); + per_try_idle_timeout_ = + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_idle_timeout, 0)); + num_retries_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT(retry_policy, num_retries, 1); + retry_on_ = RetryStateImpl::parseRetryOn(retry_policy.retry_on()).first; + retry_on_ |= RetryStateImpl::parseRetryGrpcOn(retry_policy.retry_on()).first; + + for (const auto& host_predicate : retry_policy.retry_host_predicate()) { + auto& factory = Envoy::Config::Utility::getAndCheckFactory( + host_predicate); + auto config = Envoy::Config::Utility::translateToFactoryConfig(host_predicate, + validation_visitor, factory); + retry_host_predicate_configs_.emplace_back(factory, std::move(config)); + } + + const auto& retry_priority = retry_policy.retry_priority(); + if (!retry_priority.name().empty()) { + auto& factory = + Envoy::Config::Utility::getAndCheckFactory(retry_priority); + retry_priority_config_ = + std::make_pair(&factory, Envoy::Config::Utility::translateToFactoryConfig( + retry_priority, validation_visitor, factory)); + } + + for (const auto& options_predicate : retry_policy.retry_options_predicates()) { + auto& factory = + Envoy::Config::Utility::getAndCheckFactory( + options_predicate); + retry_options_predicates_.emplace_back( + factory.createOptionsPredicate(*Envoy::Config::Utility::translateToFactoryConfig( + options_predicate, validation_visitor, factory), + factory_context)); + } + + auto host_selection_attempts = retry_policy.host_selection_retry_max_attempts(); + if (host_selection_attempts) { + host_selection_attempts_ = host_selection_attempts; + } + + for (auto code : retry_policy.retriable_status_codes()) { + retriable_status_codes_.emplace_back(code); + } + + if (retry_policy.has_retry_back_off()) { + base_interval_ = std::chrono::milliseconds( + PROTOBUF_GET_MS_REQUIRED(retry_policy.retry_back_off(), base_interval)); + if ((*base_interval_).count() < 1) { + base_interval_ = std::chrono::milliseconds(1); + } + + max_interval_ = PROTOBUF_GET_OPTIONAL_MS(retry_policy.retry_back_off(), max_interval); + if (max_interval_) { + // Apply the same rounding to max interval in case both are set to sub-millisecond values. + if ((*max_interval_).count() < 1) { + max_interval_ = std::chrono::milliseconds(1); + } + + if ((*max_interval_).count() < (*base_interval_).count()) { + creation_status = absl::InvalidArgumentError( + "retry_policy.max_interval must greater than or equal to the base_interval"); + return; + } + } + } + + if (retry_policy.has_rate_limited_retry_back_off()) { + reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector( + retry_policy.rate_limited_retry_back_off().reset_headers()); + + absl::optional reset_max_interval = + PROTOBUF_GET_OPTIONAL_MS(retry_policy.rate_limited_retry_back_off(), max_interval); + if (reset_max_interval.has_value()) { + std::chrono::milliseconds max_interval = reset_max_interval.value(); + if (max_interval.count() < 1) { + max_interval = std::chrono::milliseconds(1); + } + reset_max_interval_ = max_interval; + } + } +} + +std::vector RetryPolicyImpl::retryHostPredicates() const { + std::vector predicates; + predicates.reserve(retry_host_predicate_configs_.size()); + for (const auto& config : retry_host_predicate_configs_) { + predicates.emplace_back(config.first.createHostPredicate(*config.second, num_retries_)); + } + + return predicates; +} + +Upstream::RetryPrioritySharedPtr RetryPolicyImpl::retryPriority() const { + if (retry_priority_config_.first == nullptr) { + return nullptr; + } + + return retry_priority_config_.first->createRetryPriority(*retry_priority_config_.second, + *validation_visitor_, num_retries_); +} + absl::StatusOr> InternalRedirectPolicyImpl::create( const envoy::config::route::v3::InternalRedirectPolicy& policy_config, ProtobufMessage::ValidationVisitor& validator, absl::string_view current_route_name) { @@ -1017,16 +1142,19 @@ absl::StatusOr> RouteEntryImplBase::buildRetryP RetryPolicyConstOptRef vhost_retry_policy, const envoy::config::route::v3::RouteAction& route_config, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::CommonFactoryContext& factory_context) const { + Server::Configuration::ServerFactoryContext& factory_context) const { + Upstream::RetryExtensionFactoryContextImpl retry_factory_context( + factory_context.singletonManager()); // Route specific policy wins, if available. if (route_config.has_retry_policy()) { return RetryPolicyImpl::create(route_config.retry_policy(), validation_visitor, - factory_context); + retry_factory_context, factory_context); } // If not, we fallback to the virtual host policy if there is one. if (vhost_retry_policy.has_value()) { - return RetryPolicyImpl::create(*vhost_retry_policy, validation_visitor, factory_context); + return RetryPolicyImpl::create(*vhost_retry_policy, validation_visitor, retry_factory_context, + factory_context); } // Otherwise, an empty policy will do. diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 052a04cf83c32..5122a0fe1e3c6 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -32,7 +32,6 @@ #include "source/common/router/header_parser.h" #include "source/common/router/metadatamatchcriteria_impl.h" #include "source/common/router/per_filter_config.h" -#include "source/common/router/retry_policy_impl.h" #include "source/common/router/router_ratelimit.h" #include "source/common/router/tls_context_match_criteria_impl.h" #include "source/common/stats/symbol_table.h" @@ -402,6 +401,80 @@ class VirtualHostImpl : Logger::Loggable { using VirtualHostImplSharedPtr = std::shared_ptr; +/** + * Implementation of RetryPolicy that reads from the proto route or virtual host config. + */ +class RetryPolicyImpl : public RetryPolicy { + +public: + static absl::StatusOr> + create(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Upstream::RetryExtensionFactoryContext& factory_context, + Server::Configuration::CommonFactoryContext& common_context); + RetryPolicyImpl() = default; + + // Router::RetryPolicy + std::chrono::milliseconds perTryTimeout() const override { return per_try_timeout_; } + std::chrono::milliseconds perTryIdleTimeout() const override { return per_try_idle_timeout_; } + uint32_t numRetries() const override { return num_retries_; } + uint32_t retryOn() const override { return retry_on_; } + std::vector retryHostPredicates() const override; + Upstream::RetryPrioritySharedPtr retryPriority() const override; + absl::Span + retryOptionsPredicates() const override { + return retry_options_predicates_; + } + uint32_t hostSelectionMaxAttempts() const override { return host_selection_attempts_; } + const std::vector& retriableStatusCodes() const override { + return retriable_status_codes_; + } + const std::vector& retriableHeaders() const override { + return retriable_headers_; + } + const std::vector& retriableRequestHeaders() const override { + return retriable_request_headers_; + } + absl::optional baseInterval() const override { return base_interval_; } + absl::optional maxInterval() const override { return max_interval_; } + const std::vector& resetHeaders() const override { + return reset_headers_; + } + std::chrono::milliseconds resetMaxInterval() const override { return reset_max_interval_; } + +private: + RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Upstream::RetryExtensionFactoryContext& factory_context, + Server::Configuration::CommonFactoryContext& common_context, + absl::Status& creation_status); + std::chrono::milliseconds per_try_timeout_{0}; + std::chrono::milliseconds per_try_idle_timeout_{0}; + // We set the number of retries to 1 by default (i.e. when no route or vhost level retry policy is + // set) so that when retries get enabled through the x-envoy-retry-on header we default to 1 + // retry. + uint32_t num_retries_{1}; + uint32_t retry_on_{}; + // Each pair contains the name and config proto to be used to create the RetryHostPredicates + // that should be used when with this policy. + std::vector> + retry_host_predicate_configs_; + // Name and config proto to use to create the RetryPriority to use with this policy. Default + // initialized when no RetryPriority should be used. + std::pair retry_priority_config_; + uint32_t host_selection_attempts_{1}; + std::vector retriable_status_codes_; + std::vector retriable_headers_; + std::vector retriable_request_headers_; + absl::optional base_interval_; + absl::optional max_interval_; + std::vector reset_headers_; + std::chrono::milliseconds reset_max_interval_{300000}; + ProtobufMessage::ValidationVisitor* validation_visitor_{}; + std::vector retry_options_predicates_; +}; +using DefaultRetryPolicy = ConstSingleton; + /** * Implementation of ShadowPolicy that reads from the proto route config. */ @@ -840,7 +913,7 @@ class RouteEntryImplBase : public RouteEntryAndRoute, buildRetryPolicy(RetryPolicyConstOptRef vhost_retry_policy, const envoy::config::route::v3::RouteAction& route_config, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::CommonFactoryContext& factory_context) const; + Server::Configuration::ServerFactoryContext& factory_context) const; absl::StatusOr> buildInternalRedirectPolicy(const envoy::config::route::v3::RouteAction& route_config, diff --git a/source/common/router/retry_policy_impl.cc b/source/common/router/retry_policy_impl.cc deleted file mode 100644 index a2fd50f906b1b..0000000000000 --- a/source/common/router/retry_policy_impl.cc +++ /dev/null @@ -1,134 +0,0 @@ -#include "source/common/router/retry_policy_impl.h" - -#include "source/common/config/utility.h" -#include "source/common/router/reset_header_parser.h" -#include "source/common/router/retry_state_impl.h" -#include "source/common/upstream/retry_factory.h" - -namespace Envoy { -namespace Router { - -absl::StatusOr> -RetryPolicyImpl::create(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::CommonFactoryContext& common_context) { - absl::Status creation_status = absl::OkStatus(); - auto ret = std::unique_ptr( - new RetryPolicyImpl(retry_policy, validation_visitor, common_context, creation_status)); - RETURN_IF_NOT_OK(creation_status); - return ret; -} - -RetryPolicyImpl::RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::CommonFactoryContext& common_context, - absl::Status& creation_status) - : retriable_headers_(Http::HeaderUtility::buildHeaderMatcherVector( - retry_policy.retriable_headers(), common_context)), - retriable_request_headers_(Http::HeaderUtility::buildHeaderMatcherVector( - retry_policy.retriable_request_headers(), common_context)), - validation_visitor_(&validation_visitor) { - per_try_timeout_ = - std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_timeout, 0)); - per_try_idle_timeout_ = - std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_idle_timeout, 0)); - num_retries_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT(retry_policy, num_retries, 1); - retry_on_ = RetryStateImpl::parseRetryOn(retry_policy.retry_on()).first; - retry_on_ |= RetryStateImpl::parseRetryGrpcOn(retry_policy.retry_on()).first; - - for (const auto& host_predicate : retry_policy.retry_host_predicate()) { - auto& factory = Envoy::Config::Utility::getAndCheckFactory( - host_predicate); - auto config = Envoy::Config::Utility::translateToFactoryConfig(host_predicate, - validation_visitor, factory); - retry_host_predicate_configs_.emplace_back(factory, std::move(config)); - } - - const auto& retry_priority = retry_policy.retry_priority(); - if (!retry_priority.name().empty()) { - auto& factory = - Envoy::Config::Utility::getAndCheckFactory(retry_priority); - retry_priority_config_ = - std::make_pair(&factory, Envoy::Config::Utility::translateToFactoryConfig( - retry_priority, validation_visitor, factory)); - } - - Upstream::RetryExtensionFactoryContextImpl factory_context(common_context.singletonManager()); - for (const auto& options_predicate : retry_policy.retry_options_predicates()) { - auto& factory = - Envoy::Config::Utility::getAndCheckFactory( - options_predicate); - retry_options_predicates_.emplace_back( - factory.createOptionsPredicate(*Envoy::Config::Utility::translateToFactoryConfig( - options_predicate, validation_visitor, factory), - factory_context)); - } - - auto host_selection_attempts = retry_policy.host_selection_retry_max_attempts(); - if (host_selection_attempts) { - host_selection_attempts_ = host_selection_attempts; - } - - for (auto code : retry_policy.retriable_status_codes()) { - retriable_status_codes_.emplace_back(code); - } - - if (retry_policy.has_retry_back_off()) { - base_interval_ = std::chrono::milliseconds( - PROTOBUF_GET_MS_REQUIRED(retry_policy.retry_back_off(), base_interval)); - if ((*base_interval_).count() < 1) { - base_interval_ = std::chrono::milliseconds(1); - } - - max_interval_ = PROTOBUF_GET_OPTIONAL_MS(retry_policy.retry_back_off(), max_interval); - if (max_interval_) { - // Apply the same rounding to max interval in case both are set to sub-millisecond values. - if ((*max_interval_).count() < 1) { - max_interval_ = std::chrono::milliseconds(1); - } - - if ((*max_interval_).count() < (*base_interval_).count()) { - creation_status = absl::InvalidArgumentError( - "retry_policy.max_interval must greater than or equal to the base_interval"); - return; - } - } - } - - if (retry_policy.has_rate_limited_retry_back_off()) { - reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector( - retry_policy.rate_limited_retry_back_off().reset_headers()); - - absl::optional reset_max_interval = - PROTOBUF_GET_OPTIONAL_MS(retry_policy.rate_limited_retry_back_off(), max_interval); - if (reset_max_interval.has_value()) { - std::chrono::milliseconds max_interval = reset_max_interval.value(); - if (max_interval.count() < 1) { - max_interval = std::chrono::milliseconds(1); - } - reset_max_interval_ = max_interval; - } - } -} - -std::vector RetryPolicyImpl::retryHostPredicates() const { - std::vector predicates; - predicates.reserve(retry_host_predicate_configs_.size()); - for (const auto& config : retry_host_predicate_configs_) { - predicates.emplace_back(config.first.createHostPredicate(*config.second, num_retries_)); - } - - return predicates; -} - -Upstream::RetryPrioritySharedPtr RetryPolicyImpl::retryPriority() const { - if (retry_priority_config_.first == nullptr) { - return nullptr; - } - - return retry_priority_config_.first->createRetryPriority(*retry_priority_config_.second, - *validation_visitor_, num_retries_); -} - -} // namespace Router -} // namespace Envoy diff --git a/source/common/router/retry_policy_impl.h b/source/common/router/retry_policy_impl.h deleted file mode 100644 index 5b612cd099820..0000000000000 --- a/source/common/router/retry_policy_impl.h +++ /dev/null @@ -1,91 +0,0 @@ -#pragma once - -#include -#include -#include -#include - -#include "envoy/config/route/v3/route_components.pb.h" -#include "envoy/config/route/v3/route_components.pb.validate.h" -#include "envoy/router/router.h" -#include "envoy/server/factory_context.h" - -#include "absl/types/optional.h" - -namespace Envoy { -namespace Router { - -/** - * Implementation of RetryPolicy that reads from the proto route or virtual host config. - */ -class RetryPolicyImpl : public RetryPolicy { - -public: - static absl::StatusOr> - create(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::CommonFactoryContext& common_context); - RetryPolicyImpl() = default; - - // Router::RetryPolicy - std::chrono::milliseconds perTryTimeout() const override { return per_try_timeout_; } - std::chrono::milliseconds perTryIdleTimeout() const override { return per_try_idle_timeout_; } - uint32_t numRetries() const override { return num_retries_; } - uint32_t retryOn() const override { return retry_on_; } - std::vector retryHostPredicates() const override; - Upstream::RetryPrioritySharedPtr retryPriority() const override; - absl::Span - retryOptionsPredicates() const override { - return retry_options_predicates_; - } - uint32_t hostSelectionMaxAttempts() const override { return host_selection_attempts_; } - const std::vector& retriableStatusCodes() const override { - return retriable_status_codes_; - } - const std::vector& retriableHeaders() const override { - return retriable_headers_; - } - const std::vector& retriableRequestHeaders() const override { - return retriable_request_headers_; - } - absl::optional baseInterval() const override { return base_interval_; } - absl::optional maxInterval() const override { return max_interval_; } - const std::vector& resetHeaders() const override { - return reset_headers_; - } - std::chrono::milliseconds resetMaxInterval() const override { return reset_max_interval_; } - -private: - RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::CommonFactoryContext& common_context, - absl::Status& creation_status); - std::chrono::milliseconds per_try_timeout_{0}; - std::chrono::milliseconds per_try_idle_timeout_{0}; - // We set the number of retries to 1 by default (i.e. when no route or vhost level retry policy is - // set) so that when retries get enabled through the x-envoy-retry-on header we default to 1 - // retry. - uint32_t num_retries_{1}; - uint32_t retry_on_{}; - // Each pair contains the name and config proto to be used to create the RetryHostPredicates - // that should be used when with this policy. - std::vector> - retry_host_predicate_configs_; - // Name and config proto to use to create the RetryPriority to use with this policy. Default - // initialized when no RetryPriority should be used. - std::pair retry_priority_config_; - uint32_t host_selection_attempts_{1}; - std::vector retriable_status_codes_; - std::vector retriable_headers_; - std::vector retriable_request_headers_; - absl::optional base_interval_; - absl::optional max_interval_; - std::vector reset_headers_; - std::chrono::milliseconds reset_max_interval_{300000}; - ProtobufMessage::ValidationVisitor* validation_visitor_{}; - std::vector retry_options_predicates_; -}; -using DefaultRetryPolicy = ConstSingleton; - -} // namespace Router -} // namespace Envoy diff --git a/test/common/http/async_client_impl_test.cc b/test/common/http/async_client_impl_test.cc index 739e1af3b0d28..8b64e6ca686b8 100644 --- a/test/common/http/async_client_impl_test.cc +++ b/test/common/http/async_client_impl_test.cc @@ -2312,8 +2312,11 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { public: AsyncClientImplUnitTest() { envoy::config::route::v3::RetryPolicy proto_policy; - auto policy_or_error = Router::RetryPolicyImpl::create( - proto_policy, ProtobufMessage::getNullValidationVisitor(), client_.factory_context_); + Upstream::RetryExtensionFactoryContextImpl factory_context( + client_.factory_context_.singletonManager()); + auto policy_or_error = + Router::RetryPolicyImpl::create(proto_policy, ProtobufMessage::getNullValidationVisitor(), + factory_context, client_.factory_context_); THROW_IF_NOT_OK_REF(policy_or_error.status()); retry_policy_ = std::move(policy_or_error.value()); EXPECT_TRUE(retry_policy_.get()); @@ -2323,7 +2326,7 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { Protobuf::RepeatedPtrField()); } - std::shared_ptr retry_policy_; + std::unique_ptr retry_policy_; Regex::GoogleReEngine regex_engine_; std::unique_ptr route_impl_; std::unique_ptr stream_ = std::move( @@ -2347,15 +2350,18 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { envoy::config::route::v3::RetryPolicy proto_policy; TestUtility::loadFromYaml(yaml_config, proto_policy); - auto policy_or_error = Router::RetryPolicyImpl::create( - proto_policy, ProtobufMessage::getNullValidationVisitor(), client_.factory_context_); + Upstream::RetryExtensionFactoryContextImpl factory_context( + client_.factory_context_.singletonManager()); + auto policy_or_error = + Router::RetryPolicyImpl::create(proto_policy, ProtobufMessage::getNullValidationVisitor(), + factory_context, client_.factory_context_); THROW_IF_NOT_OK_REF(policy_or_error.status()); retry_policy_ = std::move(policy_or_error.value()); EXPECT_TRUE(retry_policy_.get()); stream_ = std::move( Http::AsyncStreamImpl::create(client_, stream_callbacks_, - AsyncClient::StreamOptions().setRetryPolicy(retry_policy_)) + AsyncClient::StreamOptions().setRetryPolicy(*retry_policy_)) .value()); } From d88583dda69073ab50a6e52b339824170c975908 Mon Sep 17 00:00:00 2001 From: Prashanth Josyula Date: Sun, 14 Sep 2025 18:39:16 -0700 Subject: [PATCH 397/505] tools: fix compilation errors and make debug config generation generic (#41043) Commit Message: The generate_debug_config.py script was failing on ARM64 architecture due to C++ concepts compatibility issues between GCC and protobuf dependencies. This change makes the build configuration selection generic and adds auto-detection based on platform. Changes: - Add auto-detection of optimal compiler configuration based on architecture - Add --config command line option to allow manual override - Default to clang on ARM64 for better C++20 concepts compatibility - Maintain backward compatibility with existing usage - Add user feedback showing which build config is being used This resolves build failures on ARM64 while providing flexibility for different development environments and compiler preferences. Additional Description: Previously, the VSCode debug configuration generator would fail on ARM64 systems with GCC due to C++20 concepts compatibility issues in protobuf dependencies, specifically the error "testing if a concept-id is a valid expression; add 'requires' to check satisfaction [-Werror=missing-requires]". This change introduces intelligent compiler selection that automatically chooses clang on ARM64 architectures while preserving user control through a new --config option. The modification maintains full backward compatibility for existing workflows while improving the developer experience on Apple Silicon and other ARM64 platforms. Risk Level: Low - This is a development tool change that only affects local debugging setup and includes auto-detection with manual override capability. Testing: Verified successful build on ARM64 with auto-detected clang configuration Verified explicit configuration override works correctly Verified backward compatibility with existing workflows Tested help text displays new option correctly Docs Changes: N/A - This is a developer tool with built-in help text that now includes the new option. Release Notes: N/A - This is a development tooling improvement that doesn't affect runtime behavior or user-facing functionality. Platform Specific Features: ARM64/aarch64 - Auto-detects and uses clang configuration on ARM64 architectures to avoid GCC C++20 concepts compatibility issues with protobuf dependencies. [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Prashanth Josyula --- .devcontainer/README.md | 29 ++++++++++++++++++ tools/vscode/generate_debug_config.py | 44 ++++++++++++++++++++++++--- 2 files changed, 68 insertions(+), 5 deletions(-) diff --git a/.devcontainer/README.md b/.devcontainer/README.md index b738ba814bb5a..b6e7a08639b32 100644 --- a/.devcontainer/README.md +++ b/.devcontainer/README.md @@ -221,10 +221,39 @@ Run the debug configuration generator: ```bash tools/vscode/generate_debug_config.py //source/exe:envoy-static --args "-c envoy.yaml" ``` + +**Advanced Configuration Options:** + +The script now supports automatic compiler configuration detection and manual override options: + +- **Auto-detection**: The script automatically detects the optimal compiler configuration based on your platform: + - On ARM64/aarch64 architectures (Apple Silicon Macs): Automatically uses `clang` for better C++20 concepts compatibility + - On other architectures: Uses Bazel's default configuration + +- **Manual override**: You can explicitly specify a build configuration using the `--config` flag: + ```bash + # Force use of clang configuration + tools/vscode/generate_debug_config.py //source/exe:envoy-static --args "-c envoy.yaml" --config clang + + # Force use of gcc configuration + tools/vscode/generate_debug_config.py //source/exe:envoy-static --args "-c envoy.yaml" --config gcc + ``` + +- **Additional options**: + ```bash + # Use LLDB debugger instead of GDB (recommended for macOS) + tools/vscode/generate_debug_config.py //source/exe:envoy-static --args "-c envoy.yaml" --debugger lldb + + # Overwrite existing configuration completely + tools/vscode/generate_debug_config.py //source/exe:envoy-static --args "-c envoy.yaml" --overwrite + ``` + ![Debug Configuration Run](./images/debug-configuration-run.png) > **Important**: This command may take over an hour to complete. You'll need to re-run this script whenever you make code changes. +> **ARM64/Apple Silicon Note**: If you're using an ARM64 system (like Apple Silicon Macs) and encounter GCC-related compilation errors with C++20 concepts compatibility, the script will automatically use clang configuration to resolve these issues. This addresses protobuf dependency compatibility problems that can occur with GCC on ARM64 architectures. + There are two types of debuggers envoy community recommends to use, GDB (GNU Debugger) , a widely used and powerful debugger for various languages, including C++ and LLDB, the LLVM project's debugger, often used with Clang-compiled code (Clang is one of the many compilers for C++). Now click F5 to start debugging, this should have generated the `launch.json` as shown below. The generated `launch.json` will use GDB by default. diff --git a/tools/vscode/generate_debug_config.py b/tools/vscode/generate_debug_config.py index 24fec97e7e9f3..111d45d2ba25f 100755 --- a/tools/vscode/generate_debug_config.py +++ b/tools/vscode/generate_debug_config.py @@ -38,11 +38,20 @@ def binary_path(bazel_bin, target): *[s for s in target.replace('@', 'external/').replace(':', '/').split('/') if s != '']) -def build_binary_with_debug_info(target): - subprocess.check_call(["bazel", *BAZEL_STARTUP_OPTIONS, "build", "-c", "dbg", target] - + BAZEL_OPTIONS) +def build_binary_with_debug_info(target, config=None): + build_args = ["bazel", *BAZEL_STARTUP_OPTIONS, "build"] + info_args = [] - bazel_bin = bazel_info("bazel-bin", ["-c", "dbg"]) + if config: + build_args.extend([f"--config={config}"]) + info_args.extend([f"--config={config}"]) + + build_args.extend(["-c", "dbg", target]) + build_args.extend(BAZEL_OPTIONS) + + subprocess.check_call(build_args) + + bazel_bin = bazel_info("bazel-bin", info_args + ["-c", "dbg"]) return binary_path(bazel_bin, target) @@ -131,10 +140,28 @@ def add_to_launch_json(target, binary, workspace, execroot, arguments, debugger_ write_launch_json(workspace, launch) +def auto_detect_config(): + """Auto-detect the best compiler configuration based on platform and availability.""" + try: + # Check if we're on ARM64 architecture + if platform.machine() in ['aarch64', 'arm64']: + # On ARM64, prefer clang for better compatibility + return "clang" + # On other architectures, try to detect available compilers + # This is a simple heuristic - could be made more sophisticated + return None # Let Bazel use its default + except: + return None + + if __name__ == "__main__": parser = argparse.ArgumentParser(description='Build and generate launch config for VSCode') parser.add_argument('--debugger', default="gdb", help="debugger type, one of [gdb, lldb]") parser.add_argument('--args', default='', help="command line arguments if target binary") + parser.add_argument( + '--config', + default=None, + help="bazel build config (e.g., clang, gcc). Auto-detected if not specified") parser.add_argument( '--overwrite', action="store_true", @@ -142,9 +169,16 @@ def add_to_launch_json(target, binary, workspace, execroot, arguments, debugger_ parser.add_argument('target', help="target binary which you want to build") args = parser.parse_args() + # Auto-detect config if not specified + config = args.config if args.config else auto_detect_config() + if config: + print(f"Using build config: {config}") + else: + print("Using default Bazel configuration") + workspace = get_workspace() execution_root = get_execution_root(workspace) - debug_binary = build_binary_with_debug_info(args.target) + debug_binary = build_binary_with_debug_info(args.target, config) add_to_launch_json( args.target, debug_binary, workspace, execution_root, args.args, args.debugger, args.overwrite) From 5293d891010de81baf5fd2d4fe4a420753600bb5 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Sat, 6 Sep 2025 12:14:26 -0700 Subject: [PATCH 398/505] filter: reverse tunnel network filter Signed-off-by: Rohit Agrawal --- CODEOWNERS | 1 + api/BUILD | 1 + .../filters/network/reverse_tunnel/v3/BUILD | 9 + .../reverse_tunnel/v3/reverse_tunnel.proto | 73 + api/versioning/BUILD | 1 + .../network_filters/network_filters.rst | 1 + .../network_filters/reverse_tunnel_filter.rst | 11 + .../reverse_connection_io_handle.cc | 210 ++- source/extensions/extensions_build_config.bzl | 1 + source/extensions/extensions_metadata.yaml | 7 + .../filters/network/reverse_tunnel/BUILD | 57 + .../filters/network/reverse_tunnel/config.cc | 32 + .../filters/network/reverse_tunnel/config.h | 32 + .../reverse_tunnel/reverse_tunnel_filter.cc | 558 ++++++ .../reverse_tunnel/reverse_tunnel_filter.h | 223 +++ .../filters/network/well_known_names.h | 2 + test/coverage.yaml | 1 + .../filters/network/reverse_tunnel/BUILD | 69 + .../network/reverse_tunnel/config_test.cc | 168 ++ .../reverse_tunnel/filter_unit_test.cc | 1574 +++++++++++++++++ .../reverse_tunnel/integration_test.cc | 635 +++++++ test/mocks/network/connection.h | 2 +- 22 files changed, 3624 insertions(+), 44 deletions(-) create mode 100644 api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD create mode 100644 api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto create mode 100644 docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst create mode 100644 source/extensions/filters/network/reverse_tunnel/BUILD create mode 100644 source/extensions/filters/network/reverse_tunnel/config.cc create mode 100644 source/extensions/filters/network/reverse_tunnel/config.h create mode 100644 source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc create mode 100644 source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h create mode 100644 test/extensions/filters/network/reverse_tunnel/BUILD create mode 100644 test/extensions/filters/network/reverse_tunnel/config_test.cc create mode 100644 test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc create mode 100644 test/extensions/filters/network/reverse_tunnel/integration_test.cc diff --git a/CODEOWNERS b/CODEOWNERS index 0233f2483b062..bc616ad3b760b 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -169,6 +169,7 @@ extensions/filters/common/original_src @klarose @mattklein123 # support for on-demand VHDS requests /*/extensions/filters/http/on_demand @dmitri-d @yanavlasov @kyessenov /*/extensions/filters/network/connection_limit @mattklein123 @delong-coder +/*/extensions/filters/network/reverse_tunnel @agrawroh @basundhara-c @botengyao @yanavlasov /*/extensions/filters/http/aws_request_signing @mattklein123 @marcomagdy @nbaws @niax /*/extensions/filters/http/aws_lambda @mattklein123 @marcomagdy @nbaws @niax /*/extensions/filters/http/buffer @adisuissa @mattklein123 diff --git a/api/BUILD b/api/BUILD index d55a5e9552ea3..5cba49744db49 100644 --- a/api/BUILD +++ b/api/BUILD @@ -251,6 +251,7 @@ proto_library( "//envoy/extensions/filters/network/ratelimit/v3:pkg", "//envoy/extensions/filters/network/rbac/v3:pkg", "//envoy/extensions/filters/network/redis_proxy/v3:pkg", + "//envoy/extensions/filters/network/reverse_tunnel/v3:pkg", "//envoy/extensions/filters/network/set_filter_state/v3:pkg", "//envoy/extensions/filters/network/sni_cluster/v3:pkg", "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg", diff --git a/api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD b/api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD new file mode 100644 index 0000000000000..29ebf0741406e --- /dev/null +++ b/api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], +) diff --git a/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto b/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto new file mode 100644 index 0000000000000..afb3f04873997 --- /dev/null +++ b/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto @@ -0,0 +1,73 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.reverse_tunnel.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3"; +option java_outer_classname = "ReverseTunnelProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/reverse_tunnel/v3;reverse_tunnelv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Reverse Tunnel Network Filter] +// Reverse Tunnel Network Filter :ref:`configuration overview `. +// [#extension: envoy.filters.network.reverse_tunnel] + +// Configuration for the reverse tunnel network filter. +// This filter handles reverse tunnel connection acceptance and rejection by processing +// HTTP requests where required identification values are provided via HTTP headers. +// [#next-free-field: 6] +message ReverseTunnel { + // Ping interval for health checks on established reverse tunnel connections. + // If not specified, defaults to 2 seconds. + google.protobuf.Duration ping_interval = 1 [(validate.rules).duration = { + lte {seconds: 300} + gte {nanos: 1000000} + }]; + + // Whether to automatically close connections after processing reverse tunnel requests. + // When set to true, connections are closed after acceptance or rejection. + // When set to false, connections remain open for potential reuse. Defaults to false. + bool auto_close_connections = 2; + + // HTTP path to match for reverse tunnel requests. + // If not specified, defaults to "/reverse_connections/request". + string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255}]; + + // HTTP method to match for reverse tunnel requests. + // If not specified, defaults to "POST". + string request_method = 4 [(validate.rules).string = {min_len: 1 max_len: 10}]; + + // Configuration for validating reverse tunnel connection requests using filter state. + // This allows previous filters in the network chain to populate validation data + // that can be used to authenticate and authorize reverse tunnel connections. + ValidationConfig validation_config = 5; +} + +// Configuration for validating reverse tunnel connections using filter state keys. +// Previous filters in the network chain can populate the connection's filter state +// with validation data (e.g., extracted from client certificates or authentication tokens) +// that this filter will use to validate incoming reverse tunnel requests. +message ValidationConfig { + // Filter state key for the expected node ID. + // If specified, the filter will validate that the node identifier from the reverse + // tunnel request matches the value stored under this key in the connection's filter state. + // The filter state value must be a string. + string node_id_filter_state_key = 1 [(validate.rules).string = {max_len: 255}]; + + // Filter state key for the expected cluster ID. + // If specified, the filter will validate that the cluster uuid from the reverse tunnel + // request matches the value stored under this key in the connection's filter state. + // The filter state value must be a string. + string cluster_id_filter_state_key = 2 [(validate.rules).string = {max_len: 255}]; + + // Filter state key for the expected tenant ID. + // If specified, the filter will validate that the tenant uuid from the reverse tunnel + // request matches the value stored under this key in the connection's filter state. + // The filter state value must be a string. + string tenant_id_filter_state_key = 3 [(validate.rules).string = {max_len: 255}]; +} diff --git a/api/versioning/BUILD b/api/versioning/BUILD index 4ece8bdcc208f..79a63e3f52939 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -189,6 +189,7 @@ proto_library( "//envoy/extensions/filters/network/ratelimit/v3:pkg", "//envoy/extensions/filters/network/rbac/v3:pkg", "//envoy/extensions/filters/network/redis_proxy/v3:pkg", + "//envoy/extensions/filters/network/reverse_tunnel/v3:pkg", "//envoy/extensions/filters/network/set_filter_state/v3:pkg", "//envoy/extensions/filters/network/sni_cluster/v3:pkg", "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg", diff --git a/docs/root/configuration/listeners/network_filters/network_filters.rst b/docs/root/configuration/listeners/network_filters/network_filters.rst index f838839fbdbba..1cadbdc33bb6f 100644 --- a/docs/root/configuration/listeners/network_filters/network_filters.rst +++ b/docs/root/configuration/listeners/network_filters/network_filters.rst @@ -23,6 +23,7 @@ filters. kafka_mesh_filter local_rate_limit_filter mongo_proxy_filter + reverse_tunnel_filter mysql_proxy_filter postgres_proxy_filter rate_limit_filter diff --git a/docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst b/docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst new file mode 100644 index 0000000000000..12cb4f7d9e03a --- /dev/null +++ b/docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst @@ -0,0 +1,11 @@ +.. _config_network_filters_reverse_tunnel: + +Reverse tunnel +============== + +The reverse tunnel network filter accepts or rejects reverse connection requests by parsing +HTTP/1.1 requests with Cluster ID and Node ID headers and optionally validating these values +using the Envoy filter state. + +* This filter should be configured with the type URL ``type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel``. +* :ref:`v3 API reference ` diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc index 1c1bb5bb11047..81f4370ed67a0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -278,8 +278,12 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a // key. auto io_handle = std::make_unique( std::move(duplicated_socket), this, connection_key); - ENVOY_LOG(debug, - "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket."); + + // Enable protection against upstream-initiated closures immediately. + // This prevents premature socket closure when upstream connections close. + io_handle->ignoreCloseAndShutdown(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket " + "and protection enabled."); // Reset file events on the original socket to prevent any pending operations. The socket // fd has been duplicated, so we have an independent fd. Closing the original connection @@ -408,7 +412,21 @@ void ReverseConnectionIOHandle::maybeUpdateHostsMappingsAndConnections( // Update or create host info auto host_it = host_to_conn_info_map_.find(host); if (host_it == host_to_conn_info_map_.end()) { - ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host); + // Create host entry on-demand to avoid race conditions during host registration. + ENVOY_LOG( + debug, + "Creating HostConnectionInfo on-demand during host update for host {} in cluster {}", + host, cluster_id); + host_to_conn_info_map_[host] = HostConnectionInfo{ + host, + cluster_id, + {}, // connection_keys - empty set initially + 1, // default target_connection_count + 0, // failure_count + worker_dispatcher_->timeSource().monotonicTime(), // last_failure_time + worker_dispatcher_->timeSource().monotonicTime(), // backoff_until (no backoff initially) + {} // connection_states - empty map initially + }; } else { // Update cluster name if host moved to different cluster. host_it->second.cluster_name = cluster_id; @@ -491,7 +509,8 @@ void ReverseConnectionIOHandle::maintainClusterConnections( // Retrieve the resolved hosts for a cluster and update the corresponding maps. std::vector resolved_hosts; for (const auto& host_itr : *host_map_ptr) { - resolved_hosts.emplace_back(host_itr.first); + const std::string& resolved = host_itr.first; + resolved_hosts.emplace_back(resolved); } maybeUpdateHostsMappingsAndConnections(cluster_name, std::move(resolved_hosts)); // Track successful connections for this cluster. @@ -506,22 +525,23 @@ void ReverseConnectionIOHandle::maintainClusterConnections( "ReverseConnectionIOHandle: Checking reverse connection count for host {} of cluster {}", host_address, cluster_name); - // Ensure HostConnectionInfo exists for this host. - auto host_it = host_to_conn_info_map_.find(host_address); + // Ensure HostConnectionInfo exists for this host, handling internal addresses consistently. + const std::string key = + absl::StartsWith(host_address, "envoy://") ? host_address : host_address; + auto host_it = host_to_conn_info_map_.find(key); if (host_it == host_to_conn_info_map_.end()) { - ENVOY_LOG(debug, "Creating HostConnectionInfo for host {} in cluster {}", host_address, - cluster_name); - host_to_conn_info_map_[host_address] = HostConnectionInfo{ - host_address, + ENVOY_LOG(debug, "Creating HostConnectionInfo for host {} in cluster {}", key, cluster_name); + host_to_conn_info_map_[key] = HostConnectionInfo{ + key, cluster_name, {}, // connection_keys - empty set initially cluster_config.reverse_connection_count, // target_connection_count from config 0, // failure_count // last_failure_time - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + worker_dispatcher_->timeSource().monotonicTime(), // backoff_until - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) - {} // connection_states + worker_dispatcher_->timeSource().monotonicTime(), + {} // connection_states }; } @@ -533,7 +553,7 @@ void ReverseConnectionIOHandle::maintainClusterConnections( continue; } // Get current number of successful connections to this host. - uint32_t current_connections = host_to_conn_info_map_[host_address].connection_keys.size(); + uint32_t current_connections = host_to_conn_info_map_[key].connection_keys.size(); ENVOY_LOG(info, "ReverseConnectionIOHandle: Number of reverse connections to host {} of cluster {}: " @@ -560,7 +580,7 @@ void ReverseConnectionIOHandle::maintainClusterConnections( ENVOY_LOG(debug, "Initiating reverse connection number {} to host {} of cluster {}", i + 1, host_address, cluster_name); - bool success = initiateOneReverseConnection(cluster_name, host_address, host); + bool success = initiateOneReverseConnection(cluster_name, key, host); if (success) { total_successful_connections++; @@ -588,18 +608,29 @@ void ReverseConnectionIOHandle::maintainClusterConnections( } bool ReverseConnectionIOHandle::shouldAttemptConnectionToHost(const std::string& host_address, - const std::string&) { + const std::string& cluster_name) { if (!config_.enable_circuit_breaker) { return true; } auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { - // Host entry should be present. - ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host_address); - return true; + // Create host entry on-demand to avoid race conditions during initialization. + ENVOY_LOG(debug, "Creating HostConnectionInfo on-demand for host {} in cluster {}", + host_address, cluster_name); + host_to_conn_info_map_[host_address] = HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + 1, // default target_connection_count + 0, // failure_count + worker_dispatcher_->timeSource().monotonicTime(), // last_failure_time + worker_dispatcher_->timeSource().monotonicTime(), // backoff_until (no backoff initially) + {} // connection_states - empty map initially + }; + host_it = host_to_conn_info_map_.find(host_address); } auto& host_info = host_it->second; - auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto now = worker_dispatcher_->timeSource().monotonicTime(); ENVOY_LOG(debug, "host: {} now: {} ms backoff_until: {} ms", host_address, std::chrono::duration_cast(now.time_since_epoch()).count(), std::chrono::duration_cast( @@ -621,13 +652,25 @@ void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_a const std::string& cluster_name) { auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { - // If the host has been removed from the cluster, we don't need to track the failure. - ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host_address); - return; + // Create host entry on-demand to avoid race conditions during initialization. + ENVOY_LOG(debug, + "Creating HostConnectionInfo on-demand for failure tracking of host {} in cluster {}", + host_address, cluster_name); + host_to_conn_info_map_[host_address] = HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + 1, // default target_connection_count + 0, // failure_count + worker_dispatcher_->timeSource().monotonicTime(), // last_failure_time + worker_dispatcher_->timeSource().monotonicTime(), // backoff_until (no backoff initially) + {} // connection_states - empty map initially + }; + host_it = host_to_conn_info_map_.find(host_address); } auto& host_info = host_it->second; host_info.failure_count++; - host_info.last_failure_time = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + host_info.last_failure_time = worker_dispatcher_->timeSource().monotonicTime(); // Calculate exponential backoff: base_delay * 2^(failure_count - 1) const uint32_t base_delay_ms = 1000; // 1 second base delay const uint32_t max_delay_ms = 30000; // 30 seconds max delay @@ -657,13 +700,24 @@ void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_a void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address) { auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { - ENVOY_LOG(error, "HostConnectionInfo not found for host {} - this should not happen", + // Create host entry on-demand to avoid race conditions during initialization. + ENVOY_LOG(debug, "Creating HostConnectionInfo on-demand for backoff reset of host {}", host_address); - return; + host_to_conn_info_map_[host_address] = HostConnectionInfo{ + host_address, + "unknown", // cluster_name - will be updated later + {}, // connection_keys - empty set initially + 1, // default target_connection_count + 0, // failure_count + worker_dispatcher_->timeSource().monotonicTime(), // last_failure_time + worker_dispatcher_->timeSource().monotonicTime(), // backoff_until (no backoff initially) + {} // connection_states - empty map initially + }; + host_it = host_to_conn_info_map_.find(host_address); } auto& host_info = host_it->second; - auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto now = worker_dispatcher_->timeSource().monotonicTime(); // Check if the host is actually in backoff before resetting. if (now >= host_info.backoff_until) { @@ -672,7 +726,7 @@ void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address } host_info.failure_count = 0; - host_info.backoff_until = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + host_info.backoff_until = worker_dispatcher_->timeSource().monotonicTime(); ENVOY_LOG(debug, "ReverseConnectionIOHandle: Reset backoff for host {}", host_address); // Mark host as recovered using the same key used by backoff to change the state from backoff to @@ -867,29 +921,84 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& "ReverseConnectionIOHandle: Initiating one reverse connection to host {} of cluster " "'{}', source node '{}'", host_address, cluster_name, config_.src_node_id); - // Get the thread local cluster + // Get the thread local cluster with additional validation auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); if (thread_local_cluster == nullptr) { - ENVOY_LOG(error, "Cluster '{}' not found", cluster_name); + ENVOY_LOG(error, "Cluster '{}' not found in cluster manager", cluster_name); updateConnectionState(host_address, cluster_name, temp_connection_key, ReverseConnectionState::CannotConnect); return false; } - ReverseConnectionLoadBalancerContext lb_context(host_address); + // Validate cluster info before attempting connection + auto cluster_info = thread_local_cluster->info(); + if (!cluster_info) { + ENVOY_LOG(error, "Cluster '{}' has null cluster info", cluster_name); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } - // Get connection from cluster manager - Upstream::Host::CreateConnectionData conn_data = thread_local_cluster->tcpConn(&lb_context); + // Validate priority set to prevent null pointer access + const auto& priority_set = thread_local_cluster->prioritySet(); + const auto& host_sets = priority_set.hostSetsPerPriority(); + size_t host_count = host_sets.empty() ? 0 : host_sets[0]->hosts().size(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Cluster '{}' found with type {} and {} hosts", + cluster_name, static_cast(cluster_info->type()), host_count); + + // Normalize host key for internal addresses to ensure consistent map lookups. + std::string normalized_host_key = host_address; + if (absl::StartsWith(host_address, "envoy://")) { + normalized_host_key = host_address; // already canonical for internal addresses + } - if (!conn_data.connection_) { + // Validate that we have hosts available for internal addresses + if (absl::StartsWith(host_address, "envoy://") && host_count == 0) { + ENVOY_LOG( + error, + "ReverseConnectionIOHandle: No hosts available in cluster '{}' for internal address '{}'", + cluster_name, host_address); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } + + // Create load balancer context and validate it + ReverseConnectionLoadBalancerContext lb_context(normalized_host_key); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Created load balancer context for host key: {}", + normalized_host_key); + + // Get connection from cluster manager with defensive error handling + Upstream::Host::CreateConnectionData conn_data; + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Creating TCP connection to {} in cluster {} using load " + "balancer context", + host_address, cluster_name); + + // Add null check for worker_dispatcher before attempting connection creation + if (!worker_dispatcher_) { ENVOY_LOG(error, - "ReverseConnectionIOHandle: Failed to create connection to host {} in cluster {}", + "ReverseConnectionIOHandle: worker_dispatcher is null, cannot create connection to " + "{} in cluster {}", host_address, cluster_name); updateConnectionState(host_address, cluster_name, temp_connection_key, ReverseConnectionState::CannotConnect); return false; } + // Use tcpConn which should not throw exceptions in normal operation + conn_data = thread_local_cluster->tcpConn(&lb_context); + + if (!conn_data.connection_) { + ENVOY_LOG( + error, + "ReverseConnectionIOHandle: tcpConn() returned null connection for host {} in cluster {}", + host_address, cluster_name); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } + // Create wrapper to manage the connection // The wrapper will initiate and manage the reverse connection handshake using HTTP. auto wrapper = std::make_unique(*this, std::move(conn_data.connection_), @@ -905,17 +1014,32 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& // Mark as Connecting after handshake is initiated. Use the actual connection key so that it can // be marked as failed in onConnectionDone(). - conn_wrapper_to_host_map_[wrapper.get()] = host_address; + conn_wrapper_to_host_map_[wrapper.get()] = normalized_host_key; connection_wrappers_.push_back(std::move(wrapper)); - ENVOY_LOG(debug, - "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " - "({}:{}) in cluster {}", - host_address, host->address()->ip()->addressAsString(), host->address()->ip()->port(), - cluster_name); + { + // Safely log address information without assuming IP is present (internal addresses possible). + const auto& addr = host->address(); + std::string addr_str = addr ? addr->asString() : std::string(""); + absl::optional port_opt; + if (addr && addr->ip() != nullptr) { + port_opt = addr->ip()->port(); + } + if (port_opt.has_value()) { + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " + "({}:{}) in cluster {}", + host_address, addr_str, *port_opt, cluster_name); + } else { + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " + "({}) in cluster {}", + host_address, addr_str, cluster_name); + } + } // Reset backoff for successful connection. - resetHostBackoff(host_address); - updateConnectionState(host_address, cluster_name, connection_key, + resetHostBackoff(normalized_host_key); + updateConnectionState(normalized_host_key, cluster_name, connection_key, ReverseConnectionState::Connecting); return true; } diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index e467976513dab..d7d09943b22de 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -224,6 +224,7 @@ EXTENSIONS = { "envoy.filters.network.echo": "//source/extensions/filters/network/echo:config", "envoy.filters.network.ext_authz": "//source/extensions/filters/network/ext_authz:config", "envoy.filters.network.ext_proc": "//source/extensions/filters/network/ext_proc:config", + "envoy.filters.network.reverse_tunnel": "//source/extensions/filters/network/reverse_tunnel:config", "envoy.filters.network.http_connection_manager": "//source/extensions/filters/network/http_connection_manager:config", "envoy.filters.network.local_ratelimit": "//source/extensions/filters/network/local_ratelimit:config", "envoy.filters.network.mongo_proxy": "//source/extensions/filters/network/mongo_proxy:config", diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 6a84c7e012531..706c5aa772965 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -736,6 +736,13 @@ envoy.filters.network.ext_proc: status: wip type_urls: - envoy.extensions.filters.network.ext_proc.v3.NetworkExternalProcessor +envoy.filters.network.reverse_tunnel: + categories: + - envoy.filters.network + security_posture: unknown + status: alpha + type_urls: + - envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel envoy.filters.network.http_connection_manager: categories: - envoy.filters.network diff --git a/source/extensions/filters/network/reverse_tunnel/BUILD b/source/extensions/filters/network/reverse_tunnel/BUILD new file mode 100644 index 0000000000000..56466ccedf0df --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/BUILD @@ -0,0 +1,57 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_cc_library", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "config", + srcs = ["config.cc"], + hdrs = ["config.h"], + deps = [ + ":reverse_tunnel_filter_lib", + "//source/extensions/filters/network:well_known_names", + "//source/extensions/filters/network/common:factory_base_lib", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "reverse_tunnel_filter_lib", + srcs = ["reverse_tunnel_filter.cc"], + hdrs = ["reverse_tunnel_filter.h"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/http:codec_interface", + "//envoy/network:connection_interface", + "//envoy/network:filter_interface", + "//envoy/ssl:connection_interface", + "//envoy/thread_local:thread_local_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + "//source/common/http:codes_lib", + "//source/common/http:header_map_lib", + "//source/common/http:headers_lib", + "//source/common/http:utility_lib", + "//source/common/http/http1:codec_lib", + "//source/common/http/http1:codec_stats_lib", + "//source/common/http/http1:settings_lib", + "//source/common/network:connection_socket_lib", + "//source/common/protobuf", + "//source/common/protobuf:message_validator_lib", + "//source/common/protobuf:utility_lib", + "//source/common/router:string_accessor_lib", + "//source/common/stream_info:stream_info_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_includes", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:upstream_socket_manager_lib", + "//source/server:null_overload_manager_lib", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + ], +) diff --git a/source/extensions/filters/network/reverse_tunnel/config.cc b/source/extensions/filters/network/reverse_tunnel/config.cc new file mode 100644 index 0000000000000..876fa3af2846d --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/config.cc @@ -0,0 +1,32 @@ +#include "source/extensions/filters/network/reverse_tunnel/config.h" + +#include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +Network::FilterFactoryCb ReverseTunnelFilterConfigFactory::createFilterFactoryFromProtoTyped( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config, + Server::Configuration::FactoryContext& context) { + auto config = std::make_shared(proto_config); + Stats::Scope& scope = context.scope(); + Server::OverloadManager& overload_manager = context.serverFactoryContext().overloadManager(); + + return [config, &scope, &overload_manager](Network::FilterManager& filter_manager) -> void { + filter_manager.addReadFilter( + std::make_shared(config, scope, overload_manager)); + }; +} + +/** + * Static registration for the reverse tunnel filter. + */ +REGISTER_FACTORY(ReverseTunnelFilterConfigFactory, + Server::Configuration::NamedNetworkFilterConfigFactory); + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_tunnel/config.h b/source/extensions/filters/network/reverse_tunnel/config.h new file mode 100644 index 0000000000000..33b7e233d5a09 --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/config.h @@ -0,0 +1,32 @@ +#pragma once + +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.validate.h" + +#include "source/extensions/filters/network/common/factory_base.h" +#include "source/extensions/filters/network/well_known_names.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +/** + * Config registration for the reverse tunnel network filter. + */ +class ReverseTunnelFilterConfigFactory + : public Common::FactoryBase< + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel> { +public: + ReverseTunnelFilterConfigFactory() : FactoryBase(NetworkFilterNames::get().ReverseTunnel) {} + +private: + Network::FilterFactoryCb createFilterFactoryFromProtoTyped( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config, + Server::Configuration::FactoryContext& context) override; +}; + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc new file mode 100644 index 0000000000000..427ff8782df3e --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc @@ -0,0 +1,558 @@ +#include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" + +#include "envoy/buffer/buffer.h" +#include "envoy/network/connection.h" +#include "envoy/server/overload/overload_manager.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/http/codes.h" +#include "source/common/http/header_map_impl.h" +#include "source/common/http/headers.h" +#include "source/common/http/http1/codec_impl.h" +#include "source/common/network/connection_socket_impl.h" +#include "source/common/router/string_accessor_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +// UpstreamReverseConnectionIOHandle implementation. +UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( + Network::IoHandlePtr&& wrapped_handle, std::function on_close_callback) + : wrapped_handle_(std::move(wrapped_handle)), on_close_callback_(std::move(on_close_callback)) { +} + +os_fd_t UpstreamReverseConnectionIOHandle::fdDoNotUse() const { + return wrapped_handle_->fdDoNotUse(); +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { + // If this is a reverse tunnel socket, don't actually close it. + // Instead, let the upstream socket manager handle its lifecycle. + if (is_reverse_tunnel_socket_ && !close_called_) { + close_called_ = true; + if (on_close_callback_) { + on_close_callback_(); + } + // Return success without actually closing the FD. + return Api::IoCallUint64Result(0, Api::IoErrorPtr(nullptr, [](Api::IoError*) {})); + } + return wrapped_handle_->close(); +} + +bool UpstreamReverseConnectionIOHandle::isOpen() const { return wrapped_handle_->isOpen(); } + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::readv(uint64_t max_length, + Buffer::RawSlice* slices, + uint64_t num_slices) { + return wrapped_handle_->readv(max_length, slices, num_slices); +} + +Api::IoCallUint64Result +UpstreamReverseConnectionIOHandle::read(Buffer::Instance& buffer, + absl::optional max_length) { + return wrapped_handle_->read(buffer, max_length); +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::writev(const Buffer::RawSlice* slices, + uint64_t num_slices) { + return wrapped_handle_->writev(slices, num_slices); +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::write(Buffer::Instance& buffer) { + return wrapped_handle_->write(buffer); +} + +Api::IoCallUint64Result +UpstreamReverseConnectionIOHandle::sendmsg(const Buffer::RawSlice* slices, uint64_t num_slices, + int flags, const Network::Address::Ip* self_ip, + const Network::Address::Instance& peer_address) { + return wrapped_handle_->sendmsg(slices, num_slices, flags, self_ip, peer_address); +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::recvmsg( + Buffer::RawSlice* slices, const uint64_t num_slices, uint32_t self_port, + const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, RecvMsgOutput& output) { + return wrapped_handle_->recvmsg(slices, num_slices, self_port, save_cmsg_config, output); +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::recvmmsg( + RawSliceArrays& slices, uint32_t self_port, + const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, RecvMsgOutput& output) { + return wrapped_handle_->recvmmsg(slices, self_port, save_cmsg_config, output); +} + +bool UpstreamReverseConnectionIOHandle::supportsMmsg() const { + return wrapped_handle_->supportsMmsg(); +} + +bool UpstreamReverseConnectionIOHandle::supportsUdpGro() const { + return wrapped_handle_->supportsUdpGro(); +} + +Api::SysCallIntResult +UpstreamReverseConnectionIOHandle::bind(Network::Address::InstanceConstSharedPtr address) { + return wrapped_handle_->bind(address); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::listen(int backlog) { + return wrapped_handle_->listen(backlog); +} + +Network::IoHandlePtr UpstreamReverseConnectionIOHandle::accept(struct sockaddr* addr, + socklen_t* addrlen) { + return wrapped_handle_->accept(addr, addrlen); +} + +Api::SysCallIntResult +UpstreamReverseConnectionIOHandle::connect(Network::Address::InstanceConstSharedPtr address) { + return wrapped_handle_->connect(address); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::setOption(int level, int optname, + const void* optval, + socklen_t optlen) { + return wrapped_handle_->setOption(level, optname, optval, optlen); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::getOption(int level, int optname, + void* optval, + socklen_t* optlen) { + return wrapped_handle_->getOption(level, optname, optval, optlen); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::setBlocking(bool blocking) { + return wrapped_handle_->setBlocking(blocking); +} + +absl::optional UpstreamReverseConnectionIOHandle::domain() { + return wrapped_handle_->domain(); +} + +absl::StatusOr +UpstreamReverseConnectionIOHandle::localAddress() { + return wrapped_handle_->localAddress(); +} + +absl::StatusOr +UpstreamReverseConnectionIOHandle::peerAddress() { + return wrapped_handle_->peerAddress(); +} + +void UpstreamReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatcher, + Event::FileReadyCb cb, + Event::FileTriggerType trigger, + uint32_t events) { + wrapped_handle_->initializeFileEvent(dispatcher, cb, trigger, events); +} + +void UpstreamReverseConnectionIOHandle::activateFileEvents(uint32_t events) { + wrapped_handle_->activateFileEvents(events); +} + +void UpstreamReverseConnectionIOHandle::enableFileEvents(uint32_t events) { + wrapped_handle_->enableFileEvents(events); +} + +void UpstreamReverseConnectionIOHandle::resetFileEvents() { wrapped_handle_->resetFileEvents(); } + +Network::IoHandlePtr UpstreamReverseConnectionIOHandle::duplicate() { + return wrapped_handle_->duplicate(); +} + +bool UpstreamReverseConnectionIOHandle::wasConnected() const { + return wrapped_handle_->wasConnected(); +} + +Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::recv(void* buffer, size_t length, + int flags) { + return wrapped_handle_->recv(buffer, length, flags); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::ioctl( + unsigned long control_code, void* in_buffer, unsigned long in_buffer_len, void* out_buffer, + unsigned long out_buffer_len, unsigned long* bytes_returned) { + return wrapped_handle_->ioctl(control_code, in_buffer, in_buffer_len, out_buffer, out_buffer_len, + bytes_returned); +} + +Api::SysCallIntResult UpstreamReverseConnectionIOHandle::shutdown(int how) { + return wrapped_handle_->shutdown(how); +} + +absl::optional UpstreamReverseConnectionIOHandle::lastRoundTripTime() { + return wrapped_handle_->lastRoundTripTime(); +} + +absl::optional UpstreamReverseConnectionIOHandle::congestionWindowInBytes() const { + return wrapped_handle_->congestionWindowInBytes(); +} + +absl::optional UpstreamReverseConnectionIOHandle::interfaceName() { + return wrapped_handle_->interfaceName(); +} + +// Stats helper implementation. +ReverseTunnelFilter::ReverseTunnelStats +ReverseTunnelFilter::ReverseTunnelStats::generateStats(const std::string& prefix, + Stats::Scope& scope) { + return {ALL_REVERSE_TUNNEL_HANDSHAKE_STATS(POOL_COUNTER_PREFIX(scope, prefix))}; +} + +// ReverseTunnelFilterConfig implementation. +ReverseTunnelFilterConfig::ReverseTunnelFilterConfig( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config) + : ping_interval_(proto_config.has_ping_interval() + ? std::chrono::milliseconds( + DurationUtil::durationToMilliseconds(proto_config.ping_interval())) + : std::chrono::milliseconds(2000)), + auto_close_connections_(proto_config.auto_close_connections()), + request_path_(proto_config.request_path().empty() ? "/reverse_connections/request" + : proto_config.request_path()), + request_method_(proto_config.request_method().empty() ? "GET" + : proto_config.request_method()), + node_id_filter_state_key_(proto_config.has_validation_config() + ? proto_config.validation_config().node_id_filter_state_key() + : ""), + cluster_id_filter_state_key_( + proto_config.has_validation_config() + ? proto_config.validation_config().cluster_id_filter_state_key() + : ""), + tenant_id_filter_state_key_( + proto_config.has_validation_config() + ? proto_config.validation_config().tenant_id_filter_state_key() + : "") {} + +// ReverseTunnelFilter implementation. +ReverseTunnelFilter::ReverseTunnelFilter(ReverseTunnelFilterConfigSharedPtr config, + Stats::Scope& stats_scope, + Server::OverloadManager& overload_manager) + : config_(std::move(config)), stats_scope_(stats_scope), overload_manager_(overload_manager), + stats_(ReverseTunnelStats::generateStats("reverse_tunnel.handshake.", stats_scope_)) {} + +Network::FilterStatus ReverseTunnelFilter::onNewConnection() { + ENVOY_CONN_LOG(debug, "reverse_tunnel: new connection established", + read_callbacks_->connection()); + return Network::FilterStatus::Continue; +} + +Network::FilterStatus ReverseTunnelFilter::onData(Buffer::Instance& data, bool) { + if (!codec_) { + Http::Http1Settings http1_settings; + Http::Http1::CodecStats::AtomicPtr http1_stats_ptr; + auto& http1_stats = Http::Http1::CodecStats::atomicGet(http1_stats_ptr, stats_scope_); + codec_ = std::make_unique( + read_callbacks_->connection(), http1_stats, *this, http1_settings, + Http::DEFAULT_MAX_REQUEST_HEADERS_KB, Http::DEFAULT_MAX_HEADERS_COUNT, + envoy::config::core::v3::HttpProtocolOptions::ALLOW, overload_manager_); + } + + const Http::Status status = codec_->dispatch(data); + if (!status.ok()) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: codec dispatch error: {}", read_callbacks_->connection(), + status.message()); + return Network::FilterStatus::StopIteration; + } + return Network::FilterStatus::StopIteration; +} + +void ReverseTunnelFilter::initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) { + read_callbacks_ = &callbacks; +} + +Http::RequestDecoder& ReverseTunnelFilter::newStream(Http::ResponseEncoder& response_encoder, + bool) { + active_decoder_ = std::make_unique(*this, response_encoder); + return *active_decoder_; +} + +// Private methods. + +// RequestDecoderImpl +void ReverseTunnelFilter::RequestDecoderImpl::decodeHeaders( + Http::RequestHeaderMapSharedPtr&& headers, bool end_stream) { + headers_ = std::move(headers); + if (end_stream) { + processIfComplete(true); + } +} + +void ReverseTunnelFilter::RequestDecoderImpl::decodeData(Buffer::Instance& data, bool end_stream) { + body_.add(data); + if (end_stream) { + processIfComplete(true); + } +} + +void ReverseTunnelFilter::RequestDecoderImpl::decodeTrailers(Http::RequestTrailerMapPtr&&) { + processIfComplete(true); +} + +void ReverseTunnelFilter::RequestDecoderImpl::decodeMetadata(Http::MetadataMapPtr&&) {} + +void ReverseTunnelFilter::RequestDecoderImpl::sendLocalReply( + Http::Code code, absl::string_view body, + const std::function& modify_headers, + const absl::optional, absl::string_view) { + auto headers = Http::ResponseHeaderMapImpl::create(); + headers->setStatus(static_cast(code)); + headers->setReferenceContentType(Http::Headers::get().ContentTypeValues.Text); + if (modify_headers) { + modify_headers(*headers); + } + const bool end_stream = body.empty(); + encoder_.encodeHeaders(*headers, end_stream); + if (!end_stream) { + Buffer::OwnedImpl buf(body); + encoder_.encodeData(buf, true); + } +} + +StreamInfo::StreamInfo& ReverseTunnelFilter::RequestDecoderImpl::streamInfo() { + return stream_info_; +} + +AccessLog::InstanceSharedPtrVector ReverseTunnelFilter::RequestDecoderImpl::accessLogHandlers() { + return {}; +} + +Http::RequestDecoderHandlePtr ReverseTunnelFilter::RequestDecoderImpl::getRequestDecoderHandle() { + return nullptr; +} + +void ReverseTunnelFilter::RequestDecoderImpl::processIfComplete(bool end_stream) { + if (!end_stream || complete_) { + return; + } + complete_ = true; + + // Validate method/path. + const absl::string_view method = headers_->getMethodValue(); + const absl::string_view path = headers_->getPathValue(); + if (!absl::EqualsIgnoreCase(method, parent_.config_->requestMethod()) || + path != parent_.config_->requestPath()) { + sendLocalReply(Http::Code::NotFound, "Not a reverse tunnel request", nullptr, absl::nullopt, + "reverse_tunnel_not_found"); + return; + } + + // Extract node/cluster/tenant identifiers from HTTP headers. + const auto node_vals = + headers_->get(Extensions::Bootstrap::ReverseConnection::reverseTunnelNodeIdHeader()); + const auto cluster_vals = + headers_->get(Extensions::Bootstrap::ReverseConnection::reverseTunnelClusterIdHeader()); + const auto tenant_vals = + headers_->get(Extensions::Bootstrap::ReverseConnection::reverseTunnelTenantIdHeader()); + + if (node_vals.empty() || cluster_vals.empty() || tenant_vals.empty()) { + parent_.stats_.parse_error_.inc(); + ENVOY_CONN_LOG(debug, "reverse_tunnel: missing required headers (node/cluster/tenant)", + parent_.read_callbacks_->connection()); + sendLocalReply(Http::Code::BadRequest, "Missing required reverse tunnel headers", nullptr, + absl::nullopt, "reverse_tunnel_missing_headers"); + return; + } + + const absl::string_view node_id = node_vals[0]->value().getStringView(); + const absl::string_view cluster_id = cluster_vals[0]->value().getStringView(); + const absl::string_view tenant_id = tenant_vals[0]->value().getStringView(); + + // Validate request using filter state if validation keys are configured. + if (!parent_.validateRequestUsingFilterState(node_id, cluster_id, tenant_id)) { + parent_.stats_.validation_failed_.inc(); + parent_.stats_.rejected_.inc(); + sendLocalReply(Http::Code::Forbidden, "Request validation failed", nullptr, absl::nullopt, + "reverse_tunnel_validation_failed"); + return; + } + + // Respond with 200 OK. + auto resp_headers = Http::ResponseHeaderMapImpl::create(); + resp_headers->setStatus(200); + encoder_.encodeHeaders(*resp_headers, true); + + parent_.processAcceptedConnection(node_id, cluster_id, tenant_id); + parent_.stats_.accepted_.inc(); + + // Close the connection if configured to do so after handling the request. + if (parent_.config_->autoCloseConnections()) { + parent_.read_callbacks_->connection().close(Network::ConnectionCloseType::FlushWrite); + } +} + +void ReverseTunnelFilter::processAcceptedConnection(absl::string_view node_id, + absl::string_view cluster_id, + absl::string_view tenant_id) { + ENVOY_CONN_LOG(info, + "reverse_tunnel: connection accepted for node '{}' in cluster '{}' (tenant: '{}')", + read_callbacks_->connection(), node_id, cluster_id, tenant_id); + + Network::Connection& connection = read_callbacks_->connection(); + + // Lookup the reverse tunnel acceptor socket interface to retrieve the TLS registry. + // Note: This is a global lookup that should be thread-safe but may return nullptr + // if the socket interface isn't registered or we're in a test environment. + auto* base_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + if (base_interface == nullptr) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: socket interface not registered, skipping socket reuse", + connection); + return; + } + + const auto* acceptor = + dynamic_cast( + base_interface); + if (acceptor == nullptr) { + ENVOY_CONN_LOG(error, "reverse_tunnel: reverse tunnel socket interface not found", connection); + return; + } + + // The TLS registry access must be done on the same thread where it was created. + // In integration tests, this might not always be the case. + auto* tls_registry = acceptor->getLocalRegistry(); + if (tls_registry == nullptr) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: thread local registry not available on this thread", + connection); + return; + } + + auto* socket_manager = tls_registry->socketManager(); + if (socket_manager == nullptr) { + ENVOY_CONN_LOG(error, "reverse_tunnel: socket manager not available", connection); + return; + } + + // Wrap the downstream socket with our custom IO handle to manage its lifecycle. + const Network::ConnectionSocketPtr& socket = connection.getSocket(); + if (!socket || !socket->isOpen()) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: original socket not available or not open", + read_callbacks_->connection()); + return; + } + + // Create a wrapper around the original socket's IO handle that prevents premature closure. + Network::IoHandlePtr original_handle = socket->ioHandle().duplicate(); + if (!original_handle || !original_handle->isOpen()) { + ENVOY_CONN_LOG(error, "reverse_tunnel: failed to duplicate socket handle", connection); + return; + } + + // Wrap the duplicated handle in our custom wrapper that manages reverse tunnel lifecycle. + auto wrapped_handle = + std::make_unique(std::move(original_handle)); + wrapped_handle->markAsReverseTunnelSocket(); + + // Build a new ConnectionSocket from the wrapped handle, preserving addressing info. + auto wrapped_socket = std::make_unique( + std::move(wrapped_handle), socket->connectionInfoProvider().localAddress(), + socket->connectionInfoProvider().remoteAddress()); + + // Reset file events on the new socket. + wrapped_socket->ioHandle().resetFileEvents(); + + // Convert ping interval to seconds as required by the manager API. + const std::chrono::seconds ping_seconds = + std::chrono::duration_cast(config_->pingInterval()); + + // Register the wrapped socket for reuse under the provided identifiers. + // Note: The socket manager is expected to be thread-safe. + if (socket_manager != nullptr) { + ENVOY_CONN_LOG(trace, "reverse_tunnel: registering wrapped socket for reuse", connection); + socket_manager->addConnectionSocket(std::string(node_id), std::string(cluster_id), + std::move(wrapped_socket), ping_seconds, + /*rebalanced=*/false); + ENVOY_CONN_LOG(debug, "reverse_tunnel: successfully registered wrapped socket for reuse", + connection); + } +} + +bool ReverseTunnelFilter::validateRequestUsingFilterState(absl::string_view node_uuid, + absl::string_view cluster_uuid, + absl::string_view tenant_uuid) { + const Network::Connection& connection = read_callbacks_->connection(); + const StreamInfo::FilterState& filter_state = connection.streamInfo().filterState(); + + // Validate node ID if key is configured. + if (!config_->nodeIdFilterStateKey().empty()) { + const StreamInfo::FilterState::Object* node_obj = + filter_state.getDataReadOnly( + config_->nodeIdFilterStateKey()); + if (!node_obj) { + ENVOY_CONN_LOG(debug, + "reverse_tunnel: node ID validation failed. filter state key '{}' not found", + connection, config_->nodeIdFilterStateKey()); + return false; + } + + // Try to get the value as a string. + const auto* string_obj = dynamic_cast(node_obj); + if (!string_obj || string_obj->asString() != node_uuid) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: node ID validation failed. expected '{}', got '{}'", + connection, node_uuid, string_obj ? string_obj->asString() : "null"); + return false; + } + + ENVOY_CONN_LOG(trace, "reverse_tunnel: node ID validation passed for '{}'", connection, + node_uuid); + } + + // Validate cluster ID if key is configured. + if (!config_->clusterIdFilterStateKey().empty()) { + const StreamInfo::FilterState::Object* cluster_obj = + filter_state.getDataReadOnly( + config_->clusterIdFilterStateKey()); + if (!cluster_obj) { + ENVOY_CONN_LOG( + debug, "reverse_tunnel: cluster ID validation failed. filter state key '{}' not found", + connection, config_->clusterIdFilterStateKey()); + return false; + } + + const auto* string_obj = dynamic_cast(cluster_obj); + if (!string_obj || string_obj->asString() != cluster_uuid) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: cluster ID validation failed. expected '{}', got '{}'", + connection, cluster_uuid, string_obj ? string_obj->asString() : "null"); + return false; + } + + ENVOY_CONN_LOG(trace, "reverse_tunnel: cluster ID validation passed for '{}'", connection, + cluster_uuid); + } + + // Validate tenant ID if key is configured. + if (!config_->tenantIdFilterStateKey().empty()) { + const StreamInfo::FilterState::Object* tenant_obj = + filter_state.getDataReadOnly( + config_->tenantIdFilterStateKey()); + if (!tenant_obj) { + ENVOY_CONN_LOG(debug, + "reverse_tunnel: tenant ID validation failed. filter state key '{}' not found", + connection, config_->tenantIdFilterStateKey()); + return false; + } + + const auto* string_obj = dynamic_cast(tenant_obj); + if (!string_obj || string_obj->asString() != tenant_uuid) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: tenant ID validation failed. expected '{}', got '{}'", + connection, tenant_uuid, string_obj ? string_obj->asString() : "null"); + return false; + } + + ENVOY_CONN_LOG(trace, "reverse_tunnel: tenant ID validation passed for '{}'", connection, + tenant_uuid); + } + + ENVOY_CONN_LOG(debug, "reverse_tunnel: all configured validations passed", connection); + return true; +} + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h new file mode 100644 index 0000000000000..637b4dae42d89 --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h @@ -0,0 +1,223 @@ +#pragma once + +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/http/codec.h" +#include "envoy/network/filter.h" +#include "envoy/server/overload/overload_manager.h" +#include "envoy/stats/stats_macros.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/http/header_map_impl.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/stream_info/stream_info_impl.h" + +#include "absl/status/statusor.h" +#include "absl/strings/string_view.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +/** + * Custom IO handle wrapper for upstream reverse connection sockets. + * This wrapper prevents premature socket closure to allow socket reuse + * for reverse connections, replacing the need for setSocketReused(). + */ +class UpstreamReverseConnectionIOHandle : public Network::IoHandle { +public: + UpstreamReverseConnectionIOHandle(Network::IoHandlePtr&& wrapped_handle, + std::function on_close_callback = nullptr); + ~UpstreamReverseConnectionIOHandle() override = default; + + // Network::IoHandle + os_fd_t fdDoNotUse() const override; + Api::IoCallUint64Result close() override; + bool isOpen() const override; + Api::IoCallUint64Result readv(uint64_t max_length, Buffer::RawSlice* slices, + uint64_t num_slices) override; + Api::IoCallUint64Result read(Buffer::Instance& buffer, + absl::optional max_length) override; + Api::IoCallUint64Result writev(const Buffer::RawSlice* slices, uint64_t num_slices) override; + Api::IoCallUint64Result write(Buffer::Instance& buffer) override; + Api::IoCallUint64Result sendmsg(const Buffer::RawSlice* slices, uint64_t num_slices, int flags, + const Network::Address::Ip* self_ip, + const Network::Address::Instance& peer_address) override; + Api::IoCallUint64Result recvmsg(Buffer::RawSlice* slices, const uint64_t num_slices, + uint32_t self_port, + const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, + RecvMsgOutput& output) override; + Api::IoCallUint64Result recvmmsg(RawSliceArrays& slices, uint32_t self_port, + const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, + RecvMsgOutput& output) override; + bool supportsMmsg() const override; + bool supportsUdpGro() const override; + Api::SysCallIntResult bind(Network::Address::InstanceConstSharedPtr address) override; + Api::SysCallIntResult listen(int backlog) override; + Network::IoHandlePtr accept(struct sockaddr* addr, socklen_t* addrlen) override; + Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; + Api::SysCallIntResult setOption(int level, int optname, const void* optval, + socklen_t optlen) override; + Api::SysCallIntResult getOption(int level, int optname, void* optval, socklen_t* optlen) override; + Api::SysCallIntResult setBlocking(bool blocking) override; + absl::optional domain() override; + absl::StatusOr localAddress() override; + absl::StatusOr peerAddress() override; + void initializeFileEvent(Event::Dispatcher& dispatcher, Event::FileReadyCb cb, + Event::FileTriggerType trigger, uint32_t events) override; + void activateFileEvents(uint32_t events) override; + void enableFileEvents(uint32_t events) override; + void resetFileEvents() override; + Network::IoHandlePtr duplicate() override; + + // Additional pure virtual methods from IoHandle. + bool wasConnected() const override; + Api::IoCallUint64Result recv(void* buffer, size_t length, int flags) override; + Api::SysCallIntResult ioctl(unsigned long control_code, void* in_buffer, + unsigned long in_buffer_len, void* out_buffer, + unsigned long out_buffer_len, unsigned long* bytes_returned) override; + Api::SysCallIntResult shutdown(int how) override; + absl::optional lastRoundTripTime() override; + absl::optional congestionWindowInBytes() const override; + absl::optional interfaceName() override; + + // Mark this socket as managed by the reverse connection system. + void markAsReverseTunnelSocket() { is_reverse_tunnel_socket_ = true; } + bool isReverseTunnelSocket() const { return is_reverse_tunnel_socket_; } + +private: + Network::IoHandlePtr wrapped_handle_; + std::function on_close_callback_; + bool is_reverse_tunnel_socket_ = false; + bool close_called_ = false; +}; + +/** + * Configuration for the reverse tunnel network filter. + */ +class ReverseTunnelFilterConfig { +public: + ReverseTunnelFilterConfig( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config); + + std::chrono::milliseconds pingInterval() const { return ping_interval_; } + bool autoCloseConnections() const { return auto_close_connections_; } + const std::string& requestPath() const { return request_path_; } + const std::string& requestMethod() const { return request_method_; } + + // Validation configuration accessors. + const std::string& nodeIdFilterStateKey() const { return node_id_filter_state_key_; } + const std::string& clusterIdFilterStateKey() const { return cluster_id_filter_state_key_; } + const std::string& tenantIdFilterStateKey() const { return tenant_id_filter_state_key_; } + +private: + const std::chrono::milliseconds ping_interval_; + const bool auto_close_connections_; + const std::string request_path_; + const std::string request_method_; + + // Filter state keys for validation. + const std::string node_id_filter_state_key_; + const std::string cluster_id_filter_state_key_; + const std::string tenant_id_filter_state_key_; +}; + +using ReverseTunnelFilterConfigSharedPtr = std::shared_ptr; + +/** + * Network filter that handles reverse tunnel connection acceptance/rejection. + * This filter processes HTTP requests to a specific endpoint and uses + * HTTP headers to receive required identifiers. + * + * The filter operates as a terminal filter when processing reverse tunnel requests, + * meaning it stops the filter chain after processing and manages connection lifecycle. + */ +class ReverseTunnelFilter : public Network::ReadFilter, + public Http::ServerConnectionCallbacks, + public Logger::Loggable { +public: + ReverseTunnelFilter(ReverseTunnelFilterConfigSharedPtr config, Stats::Scope& stats_scope, + Server::OverloadManager& overload_manager); + + // Network::ReadFilter + Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override; + Network::FilterStatus onNewConnection() override; + void initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) override; + + // Http::ServerConnectionCallbacks + Http::RequestDecoder& newStream(Http::ResponseEncoder& response_encoder, + bool is_internally_created) override; + void onGoAway(Http::GoAwayErrorCode) override {} + +private: +// Stats definition. +#define ALL_REVERSE_TUNNEL_HANDSHAKE_STATS(COUNTER) \ + COUNTER(parse_error) \ + COUNTER(validation_failed) \ + COUNTER(accepted) \ + COUNTER(rejected) + + struct ReverseTunnelStats { + ALL_REVERSE_TUNNEL_HANDSHAKE_STATS(GENERATE_COUNTER_STRUCT) + static ReverseTunnelStats generateStats(const std::string& prefix, Stats::Scope& scope); + }; + + // Process reverse tunnel connection. + void processAcceptedConnection(absl::string_view node_id, absl::string_view cluster_id, + absl::string_view tenant_id); + + // Validate reverse tunnel request using filter state. + // Returns true if validation passes or no validation keys are configured. + bool validateRequestUsingFilterState(absl::string_view node_uuid, absl::string_view cluster_uuid, + absl::string_view tenant_uuid); + + ReverseTunnelFilterConfigSharedPtr config_; + Network::ReadFilterCallbacks* read_callbacks_{nullptr}; + + // HTTP/1 codec and wiring. + Http::ServerConnectionPtr codec_; + Stats::Scope& stats_scope_; + Server::OverloadManager& overload_manager_; + + // Stats counters. + ReverseTunnelStats stats_; + + // Per-request decoder to buffer body and respond via encoder. + class RequestDecoderImpl : public Http::RequestDecoder { + public: + RequestDecoderImpl(ReverseTunnelFilter& parent, Http::ResponseEncoder& encoder) + : parent_(parent), encoder_(encoder), + stream_info_(parent_.read_callbacks_->connection().streamInfo().timeSource(), nullptr, + StreamInfo::FilterState::LifeSpan::Connection) {} + + void decodeHeaders(Http::RequestHeaderMapSharedPtr&& headers, bool end_stream) override; + void decodeData(Buffer::Instance& data, bool end_stream) override; + void decodeTrailers(Http::RequestTrailerMapPtr&&) override; + void decodeMetadata(Http::MetadataMapPtr&&) override; + void sendLocalReply(Http::Code code, absl::string_view body, + const std::function&, + const absl::optional, absl::string_view) override; + StreamInfo::StreamInfo& streamInfo() override; + AccessLog::InstanceSharedPtrVector accessLogHandlers() override; + Http::RequestDecoderHandlePtr getRequestDecoderHandle() override; + + private: + void processIfComplete(bool end_stream); + + ReverseTunnelFilter& parent_; + Http::ResponseEncoder& encoder_; + Http::RequestHeaderMapSharedPtr headers_; + Buffer::OwnedImpl body_; + bool complete_{false}; + StreamInfo::StreamInfoImpl stream_info_; + }; + + std::unique_ptr active_decoder_; +}; + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/well_known_names.h b/source/extensions/filters/network/well_known_names.h index 8eaa39bd402ac..45483e7a66d80 100644 --- a/source/extensions/filters/network/well_known_names.h +++ b/source/extensions/filters/network/well_known_names.h @@ -63,6 +63,8 @@ class NetworkFilterNameValues { const std::string NetworkExternalProcessor = "envoy.filters.network.ext_proc"; // Network match delegate filter const std::string NetworkMatchDelegate = "envoy.filters.network.match_delegate"; + // Reverse tunnel filter + const std::string ReverseTunnel = "envoy.filters.network.reverse_tunnel"; }; using NetworkFilterNames = ConstSingleton; diff --git a/test/coverage.yaml b/test/coverage.yaml index e4d14fa48ee4a..72535023766d1 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -52,6 +52,7 @@ directories: source/extensions/filters/listener/tls_inspector: 94.1 source/extensions/filters/network/dubbo_proxy: 96.2 source/extensions/filters/network/mongo_proxy: 96.1 + source/extensions/filters/network/reverse_tunnel: 80.0 source/extensions/filters/network/sni_cluster: 88.9 source/extensions/formatter/cel: 100.0 source/extensions/internal_redirect: 86.2 diff --git a/test/extensions/filters/network/reverse_tunnel/BUILD b/test/extensions/filters/network/reverse_tunnel/BUILD new file mode 100644 index 0000000000000..329a8e085b451 --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/BUILD @@ -0,0 +1,69 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "config_test", + srcs = ["config_test.cc"], + extension_names = ["envoy.filters.network.reverse_tunnel"], + rbe_pool = "6gig", + tags = ["skip_on_windows"], + deps = [ + "//source/extensions/filters/network/reverse_tunnel:config", + "//test/mocks/server:factory_context_mocks", + ], +) + +envoy_extension_cc_test( + name = "filter_unit_test", + srcs = ["filter_unit_test.cc"], + extension_names = ["envoy.filters.network.reverse_tunnel"], + rbe_pool = "6gig", + tags = ["skip_on_windows"], + deps = [ + "//source/common/stats:isolated_store_lib", + "//source/common/stream_info:uint64_accessor_lib", + "//source/extensions/filters/network/reverse_tunnel:reverse_tunnel_filter_lib", + "//test/mocks/network:network_mocks", + "//test/mocks/server:overload_manager_mocks", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + ], +) + +envoy_extension_cc_test( + name = "integration_test", + size = "large", + srcs = ["integration_test.cc"], + extension_names = [ + "envoy.filters.network.reverse_tunnel", + "envoy.bootstrap.reverse_tunnel.upstream_socket_interface", + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface", + "envoy.resolvers.reverse_connection", + "envoy.filters.network.echo", + ], + rbe_pool = "6gig", + tags = ["skip_on_windows"], + deps = [ + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//source/extensions/filters/network/echo:config", + "//source/extensions/filters/network/reverse_tunnel:config", + "//source/extensions/filters/network/set_filter_state:config", + "//source/extensions/transport_sockets/internal_upstream:config", + "//test/integration:integration_lib", + "//test/test_common:utility_lib", + "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/transport_sockets/internal_upstream/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/filters/network/reverse_tunnel/config_test.cc b/test/extensions/filters/network/reverse_tunnel/config_test.cc new file mode 100644 index 0000000000000..a6ab72a9a77bf --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/config_test.cc @@ -0,0 +1,168 @@ +#include "source/extensions/filters/network/reverse_tunnel/config.h" + +#include "test/mocks/server/factory_context.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { +namespace { + +TEST(ReverseTunnelFilterConfigFactoryTest, ValidConfiguration) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +ping_interval: + seconds: 5 +auto_close_connections: false +request_path: "/custom/reverse" +request_method: "PUT" +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, DefaultConfiguration) { + ReverseTunnelFilterConfigFactory factory; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + // Set minimum required fields to satisfy validation. + proto_config.set_request_path("/reverse_connections/request"); + proto_config.set_request_method("POST"); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, ConfigProperties) { + ReverseTunnelFilterConfigFactory factory; + + EXPECT_EQ("envoy.filters.network.reverse_tunnel", factory.name()); + + ProtobufTypes::MessagePtr empty_config = factory.createEmptyConfigProto(); + EXPECT_TRUE(empty_config != nullptr); + EXPECT_EQ("envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel", + empty_config->GetTypeName()); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, ConfigurationWithValidation) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +ping_interval: + seconds: 1 + nanos: 500000000 +auto_close_connections: true +request_path: "/test/path" +request_method: "POST" +validation_config: + node_id_filter_state_key: "test_node" + cluster_id_filter_state_key: "test_cluster" + tenant_id_filter_state_key: "test_tenant" +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, MinimalConfigurationYaml) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +request_path: "/minimal" +request_method: "POST" +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, FactoryType) { + ReverseTunnelFilterConfigFactory factory; + + // Test that the factory name matches expected. + EXPECT_EQ("envoy.filters.network.reverse_tunnel", factory.name()); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, CreateFilterFactoryFromProtoTyped) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +ping_interval: + seconds: 3 +auto_close_connections: true +request_path: "/factory/test" +request_method: "PUT" +validation_config: + node_id_filter_state_key: "factory_node" + cluster_id_filter_state_key: "factory_cluster" + tenant_id_filter_state_key: "factory_tenant" +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + // Test the factory callback creates the filter properly. + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +} // namespace +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc b/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc new file mode 100644 index 0000000000000..2f5cd5135c3aa --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc @@ -0,0 +1,1574 @@ +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" + +#include "source/common/router/string_accessor_impl.h" +#include "source/common/stats/isolated_store_impl.h" +#include "source/common/stream_info/uint64_accessor_impl.h" +#include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" + +#include "test/mocks/network/mocks.h" +#include "test/mocks/server/overload_manager.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::NiceMock; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { +namespace { + +// Helper to create invalid HTTP that will trigger codec dispatch errors +class HttpErrorHelper { +public: + static std::vector getHttpErrorPatterns() { + return { + // Trigger codec dispatch with various malformed patterns + "GET /path HTTP/1.1\r\nInvalid-Header\r\n\r\n", // Header without colon + "POST /path HTTP/1.1\r\nContent-Length: abc\r\n\r\n", // Non-numeric content length + "INVALID_METHOD /path HTTP/1.1\r\nHost: test\r\n\r\n", // Invalid method + std::string("\xFF\xFE\xFD\xFC", 4), // Binary junk + "GET /path HTTP/999.999\r\n\r\n", // Invalid HTTP version + "GET\r\n\r\n", // Incomplete request line + "GET /path\r\n\r\n", // Missing HTTP version + "GET /path HTTP/1.1\r\nHost: test\r\nTransfer-Encoding: invalid\r\n\r\n" // Invalid encoding + }; + } +}; + +class ReverseTunnelFilterUnitTest : public testing::Test { +public: + ReverseTunnelFilterUnitTest() : stats_store_(), overload_manager_() { + // Prepare proto config with defaults. + proto_config_.set_request_path("/reverse_connections/request"); + proto_config_.set_request_method("GET"); + config_ = std::make_shared(proto_config_); + filter_ = std::make_unique(config_, *stats_store_.rootScope(), + overload_manager_); + + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + // Provide a default socket for getSocket(). + auto socket = std::make_unique(); + auto* socket_raw = socket.get(); + // Store unique_ptr inside a shared location to return const ref each time. + static Network::ConnectionSocketPtr stored_socket; + stored_socket = std::move(socket); + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_socket)); + EXPECT_CALL(*socket_raw, isOpen()).WillRepeatedly(testing::Return(true)); + // Stub required methods used by processAcceptedConnection(). + EXPECT_CALL(*socket_raw, ioHandle()) + .WillRepeatedly(testing::ReturnRef(*callbacks_.socket_.io_handle_)); + + filter_->initializeReadFilterCallbacks(callbacks_); + } + + // Helper to craft raw HTTP/1.1 request string. + std::string makeHttpRequest(const std::string& method, const std::string& path, + const std::string& body = "") { + std::string req = fmt::format("{} {} HTTP/1.1\r\n", method, path); + req += "Host: localhost\r\n"; + req += fmt::format("Content-Length: {}\r\n\r\n", body.size()); + req += body; + return req; + } + + // Helper to build reverse tunnel headers block. + std::string makeRtHeaders(const std::string& node, const std::string& cluster, + const std::string& tenant) { + std::string headers; + headers += "x-envoy-reverse-tunnel-node-id: " + node + "\r\n"; + headers += "x-envoy-reverse-tunnel-cluster-id: " + cluster + "\r\n"; + headers += "x-envoy-reverse-tunnel-tenant-id: " + tenant + "\r\n"; + return headers; + } + + // Helper to craft HTTP request with reverse tunnel headers and optional body. + std::string makeHttpRequestWithRtHeaders(const std::string& method, const std::string& path, + const std::string& node, const std::string& cluster, + const std::string& tenant, + const std::string& body = "") { + std::string req = fmt::format("{} {} HTTP/1.1\r\n", method, path); + req += "Host: localhost\r\n"; + req += makeRtHeaders(node, cluster, tenant); + req += fmt::format("Content-Length: {}\r\n\r\n", body.size()); + req += body; + return req; + } + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config_; + ReverseTunnelFilterConfigSharedPtr config_; + std::unique_ptr filter_; + Stats::IsolatedStoreImpl stats_store_; + NiceMock overload_manager_; + NiceMock callbacks_; +}; + +TEST_F(ReverseTunnelFilterUnitTest, NewConnectionContinues) { + EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); +} + +TEST_F(ReverseTunnelFilterUnitTest, HttpDispatchErrorStopsIteration) { + // Simulate invalid HTTP by feeding raw bytes; dispatch will attempt and return error. + Buffer::OwnedImpl data("INVALID"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false)); +} + +TEST_F(ReverseTunnelFilterUnitTest, FullFlowValidationSuccess) { + // Configure reverse tunnel with validation keys. + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto* v = cfg.mutable_validation_config(); + v->set_node_id_filter_state_key("node_id"); + v->set_cluster_id_filter_state_key("cluster_id"); + v->set_tenant_id_filter_state_key("tenant_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Populate connection filter state with expected string values. + auto& si = callbacks_.connection_.streamInfo(); + si.filterState()->setData("node_id", std::make_unique("n"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::Connection); + si.filterState()->setData("cluster_id", std::make_unique("c"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::Connection); + si.filterState()->setData("tenant_id", std::make_unique("t"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::Connection); + + // Capture writes to connection. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + // Stats: accepted should increment. + auto accepted = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.accepted"); + ASSERT_NE(nullptr, accepted); + EXPECT_EQ(1, accepted->value()); +} + +TEST_F(ReverseTunnelFilterUnitTest, FullFlowValidationFailure) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_validation_config()->set_node_id_filter_state_key("node_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Missing node_id filter state should cause 403. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("403 Forbidden")); + // Stats: validation_failed and rejected should increment. + auto vf = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.validation_failed"); + auto rejected = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.rejected"); + ASSERT_NE(nullptr, vf); + ASSERT_NE(nullptr, rejected); + EXPECT_EQ(1, vf->value()); + EXPECT_EQ(1, rejected->value()); +} + +TEST_F(ReverseTunnelFilterUnitTest, FullFlowParseError) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Missing required headers should cause 400. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + // Stats: parse_error should increment. + auto parse_error = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.parse_error"); + ASSERT_NE(nullptr, parse_error); + EXPECT_EQ(1, parse_error->value()); +} + +TEST_F(ReverseTunnelFilterUnitTest, NotFoundForNonReverseTunnelPath) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + Buffer::OwnedImpl request(makeHttpRequest("GET", "/health")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +TEST_F(ReverseTunnelFilterUnitTest, AutoCloseConnectionsClosesAfterAccept) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.set_auto_close_connections(true); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + // Expect close on accept. + EXPECT_CALL(callbacks_.connection_, close(Network::ConnectionCloseType::FlushWrite)); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test configuration with custom ping interval. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationCustomPingInterval) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + proto_config.mutable_ping_interval()->set_seconds(10); + proto_config.set_auto_close_connections(true); + proto_config.set_request_path("/custom/path"); + proto_config.set_request_method("PUT"); + + ReverseTunnelFilterConfig config(proto_config); + EXPECT_EQ(std::chrono::milliseconds(10000), config.pingInterval()); + EXPECT_TRUE(config.autoCloseConnections()); + EXPECT_EQ("/custom/path", config.requestPath()); + EXPECT_EQ("PUT", config.requestMethod()); +} + +// Test configuration with validation config. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationWithValidation) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + auto* validation = proto_config.mutable_validation_config(); + validation->set_node_id_filter_state_key("node_key"); + validation->set_cluster_id_filter_state_key("cluster_key"); + validation->set_tenant_id_filter_state_key("tenant_key"); + + ReverseTunnelFilterConfig config(proto_config); + EXPECT_EQ("node_key", config.nodeIdFilterStateKey()); + EXPECT_EQ("cluster_key", config.clusterIdFilterStateKey()); + EXPECT_EQ("tenant_key", config.tenantIdFilterStateKey()); +} + +// Test configuration with default values. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationDefaults) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + // Leave everything empty to test defaults. + + ReverseTunnelFilterConfig config(proto_config); + EXPECT_EQ(std::chrono::milliseconds(2000), config.pingInterval()); + EXPECT_FALSE(config.autoCloseConnections()); + EXPECT_EQ("/reverse_connections/request", config.requestPath()); + EXPECT_EQ("GET", config.requestMethod()); + EXPECT_TRUE(config.nodeIdFilterStateKey().empty()); + EXPECT_TRUE(config.clusterIdFilterStateKey().empty()); + EXPECT_TRUE(config.tenantIdFilterStateKey().empty()); +} + +// Test RequestDecoder methods not fully covered. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplMethods) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a request that will trigger decoder creation. + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + + // Split request into headers and body to test different decoder methods. + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + const std::string body_part = req.substr(hdr_end + 4); + + // First send headers. + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Then send body to test decodeData method. + Buffer::OwnedImpl body_buf(body_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(body_buf, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test decodeTrailers method. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplDecodeTrailers) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a chunked request with trailers to trigger decodeTrailers. + const std::string headers_part = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("n", "c", "t") + + "Transfer-Encoding: chunked\r\n\r\n"; + + // Send headers first. + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Send chunk with data. + Buffer::OwnedImpl chunk1("5\r\nhello\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk1, false)); + + // Send final chunk with trailers - this triggers decodeTrailers. + Buffer::OwnedImpl chunk2("0\r\nX-Trailer: value\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk2, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test decodeTrailers triggers processIfComplete. +TEST_F(ReverseTunnelFilterUnitTest, DecodeTrailersTriggersCompletion) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Build a proper chunked request to ensure decodeTrailers is called. + std::string req = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("trail", "test", "complete") + + "Transfer-Encoding: chunked\r\n\r\n" + "0\r\n" // Zero-length chunk + "X-End: trailer\r\n" // Trailer header + "\r\n"; // End of trailers + + Buffer::OwnedImpl request(req); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test parsing with empty payload. +TEST_F(ReverseTunnelFilterUnitTest, ParseEmptyPayload) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + + auto parse_error = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.parse_error"); + ASSERT_NE(nullptr, parse_error); + EXPECT_EQ(1, parse_error->value()); +} + +// Test validation with non-string filter state object. +TEST_F(ReverseTunnelFilterUnitTest, ValidationWithNonStringFilterState) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_validation_config()->set_node_id_filter_state_key("node_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Add a non-string object to filter state. + auto& si = callbacks_.connection_.streamInfo(); + si.filterState()->setData("node_id", std::make_unique(12345), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::Connection); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("403 Forbidden")); +} + +// Test validation with cluster ID mismatch. +TEST_F(ReverseTunnelFilterUnitTest, ValidationClusterIdMismatch) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_validation_config()->set_cluster_id_filter_state_key("cluster_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Add wrong cluster ID to filter state. + auto& si = callbacks_.connection_.streamInfo(); + si.filterState()->setData("cluster_id", std::make_unique("wrong"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::Connection); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("403 Forbidden")); +} + +// Test validation with tenant ID missing. +TEST_F(ReverseTunnelFilterUnitTest, ValidationTenantIdMissing) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_validation_config()->set_tenant_id_filter_state_key("tenant_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Don't add tenant_id to filter state. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("403 Forbidden")); +} + +// Test closed socket scenario. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionClosedSocket) { + // Create a mock socket that reports as closed. + auto closed_socket = std::make_unique(); + EXPECT_CALL(*closed_socket, isOpen()).WillRepeatedly(testing::Return(false)); + + static Network::ConnectionSocketPtr stored_closed_socket; + stored_closed_socket = std::move(closed_socket); + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_closed_socket)); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test wrong HTTP method. +TEST_F(ReverseTunnelFilterUnitTest, WrongHttpMethod) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("PUT", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test onGoAway method coverage. +TEST_F(ReverseTunnelFilterUnitTest, OnGoAway) { + // onGoAway is a no-op, but we need to test it for coverage. + filter_->onGoAway(Http::GoAwayErrorCode::NoError); + // No assertions needed as it's a no-op method. +} + +// Test sendLocalReply with different parameters. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyVariants) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test sendLocalReply with empty body. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/wrong/path", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); + EXPECT_THAT(written, testing::HasSubstr("Not a reverse tunnel request")); +} + +// Test invalid protobuf that fails parsing. +TEST_F(ReverseTunnelFilterUnitTest, InvalidProtobufData) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Body contents are ignored now; with proper headers we should accept. + std::string junk_body(100, '\xFF'); + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", + "c", "t", junk_body)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test request with headers only (no body). +TEST_F(ReverseTunnelFilterUnitTest, HeadersOnlyRequest) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + std::string headers_only = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "Content-Length: 0\r\n\r\n"; + Buffer::OwnedImpl request(headers_only); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test RequestDecoderImpl interface methods for coverage. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplInterfaceMethods) { + // Create a decoder to test interface methods. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Start a request to create the decoder. + // Use a non-empty body so the headers phase does not signal end_stream. + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Continue with body to complete the request. + const std::string body_part = req.substr(hdr_end + 4); + Buffer::OwnedImpl body_buf(body_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(body_buf, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test wrong HTTP method leads to 404. +TEST_F(ReverseTunnelFilterUnitTest, WrongHttpMethodTest) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with wrong method (PUT instead of GET). + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("PUT", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test successful request with response body. +TEST_F(ReverseTunnelFilterUnitTest, SuccessfulRequestWithResponseBody) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "test-node", "test-cluster", "test-tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + + // Check that accepted stat is incremented. + auto accepted = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.accepted"); + ASSERT_NE(nullptr, accepted); + EXPECT_EQ(1, accepted->value()); +} + +// Test sendLocalReply with modify_headers function. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyWithHeaderModifier) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send a request with wrong path to trigger sendLocalReply. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/wrong/path", "test-body")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test protobuf validation failure in request. +TEST_F(ReverseTunnelFilterUnitTest, RequestValidationFailure) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Missing required header should fail validation. + std::string req = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "x-envoy-reverse-tunnel-cluster-id: c\r\n" + "x-envoy-reverse-tunnel-tenant-id: t\r\n" + "Content-Length: 0\r\n\r\n"; + Buffer::OwnedImpl request(req); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test partial HTTP data processing. +TEST_F(ReverseTunnelFilterUnitTest, PartialHttpData) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + const std::string full_request = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + + // Send request in small chunks. + const size_t chunk_size = 10; + for (size_t i = 0; i < full_request.size(); i += chunk_size) { + const size_t actual_chunk_size = std::min(chunk_size, full_request.size() - i); + std::string chunk = full_request.substr(i, actual_chunk_size); + Buffer::OwnedImpl chunk_buf(chunk); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk_buf, false)); + } + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test HTTP dispatch with complete body in single call. +TEST_F(ReverseTunnelFilterUnitTest, CompleteRequestSingleCall) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "single", "call", "test")); + + // Process complete request in one call. + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, true)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test validation with all three IDs configured but only some present. +TEST_F(ReverseTunnelFilterUnitTest, PartialValidationConfiguration) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto* v = cfg.mutable_validation_config(); + v->set_node_id_filter_state_key("node_id"); + v->set_cluster_id_filter_state_key("cluster_id"); + v->set_tenant_id_filter_state_key("tenant_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Only add node_id, leaving cluster_id and tenant_id missing. + auto& si = callbacks_.connection_.streamInfo(); + si.filterState()->setData("node_id", std::make_unique("n"), + StreamInfo::FilterState::StateType::ReadOnly, + StreamInfo::FilterState::LifeSpan::Connection); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("403 Forbidden")); +} + +// Test string parsing through HTTP path (parseHandshakeRequest is private). +TEST_F(ReverseTunnelFilterUnitTest, ParseHandshakeStringViaHttp) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with a valid protobuf serialized as string. + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "node", "cluster", "tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test sendLocalReply with different paths. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyWithHeadersCallback) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a request with wrong path to trigger sendLocalReply. + Buffer::OwnedImpl request("GET / HTTP/1.1\r\nHost: test\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Should get 404 since path doesn't match. + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); + EXPECT_THAT(written, testing::HasSubstr("Not a reverse tunnel request")); +} + +// Test processIfComplete early return paths. +TEST_F(ReverseTunnelFilterUnitTest, ProcessIfCompleteEarlyReturns) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t", "x"); + + // Split request to send headers first without end_stream. + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + + // Send headers without end_stream - should not trigger processIfComplete. + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // At this point, no response should have been written yet. + EXPECT_TRUE(written.empty()); + + // Now send the body with end_stream to complete. + const std::string body_part = req.substr(hdr_end + 4); + Buffer::OwnedImpl body_buf(body_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(body_buf, true)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test configuration with all branches. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationAllBranches) { + // Test config with ping_interval set. + { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_ping_interval()->set_seconds(5); + cfg.mutable_ping_interval()->set_nanos(500000000); + ReverseTunnelFilterConfig config(cfg); + EXPECT_EQ(std::chrono::milliseconds(5500), config.pingInterval()); + } + + // Test config without ping_interval (default). + { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + ReverseTunnelFilterConfig config(cfg); + EXPECT_EQ(std::chrono::milliseconds(2000), config.pingInterval()); + } + + // Test config with empty strings (should use defaults). + { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.set_request_path(""); + cfg.set_request_method(""); + ReverseTunnelFilterConfig config(cfg); + EXPECT_EQ("/reverse_connections/request", config.requestPath()); + EXPECT_EQ("GET", config.requestMethod()); + } +} + +// Test array parsing edge cases via HTTP (parseHandshakeRequestFromArray is private). +TEST_F(ReverseTunnelFilterUnitTest, ParseHandshakeArrayEdgeCases) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with empty body to trigger array parsing with null data. + Buffer::OwnedImpl empty_request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(empty_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test socket is null or not open scenarios. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionNullSocket) { + // Create a mock connection that returns null socket. + NiceMock null_socket_callbacks; + EXPECT_CALL(null_socket_callbacks, connection()) + .WillRepeatedly(ReturnRef(null_socket_callbacks.connection_)); + + // Mock getSocket to return null. + static Network::ConnectionSocketPtr null_socket_ptr = nullptr; + EXPECT_CALL(null_socket_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(null_socket_ptr)); + + ReverseTunnelFilter null_socket_filter(config_, *stats_store_.rootScope(), overload_manager_); + null_socket_filter.initializeReadFilterCallbacks(null_socket_callbacks); + + std::string written; + EXPECT_CALL(null_socket_callbacks.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, null_socket_filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test empty response body path. +TEST_F(ReverseTunnelFilterUnitTest, EmptyResponseBody) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Should generate a response with non-empty body. + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + // No protobuf body expected now. +} + +// Test codec dispatch error path. +TEST_F(ReverseTunnelFilterUnitTest, CodecDispatchError) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send completely invalid HTTP data that will cause dispatch error. + Buffer::OwnedImpl invalid_data("\x00\x01\x02\x03INVALID HTTP"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(invalid_data, false)); + + // Should get no response since the filter returns early on dispatch error. +} + +// Test validation with tenant ID value mismatch. +TEST_F(ReverseTunnelFilterUnitTest, ValidationTenantIdMismatch) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_validation_config()->set_tenant_id_filter_state_key("tenant_id"); + auto local_config = std::make_shared(cfg); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Add wrong tenant ID to filter state. + auto& si = callbacks_.connection_.streamInfo(); + si.filterState()->setData( + "tenant_id", std::make_unique("wrong-tenant"), + StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::Connection); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("403 Forbidden")); +} + +// Test newStream with is_internally_created parameter via HTTP processing. +TEST_F(ReverseTunnelFilterUnitTest, NewStreamWithInternallyCreatedFlag) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // newStream is called internally when processing HTTP requests. + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test stats generation through actual filter operations. +TEST_F(ReverseTunnelFilterUnitTest, StatsGeneration) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Trigger parse error to verify stats are generated (missing headers). + Buffer::OwnedImpl invalid_request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(invalid_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + + // Verify parse_error stat was incremented. + auto parse_error = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.parse_error"); + ASSERT_NE(nullptr, parse_error); + EXPECT_EQ(1, parse_error->value()); +} + +// Test configuration with ping_interval_ms deprecated field. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationDeprecatedField) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + // Test the deprecated field if it exists. + cfg.set_auto_close_connections(false); + cfg.set_request_path("/test"); + cfg.set_request_method("PUT"); + // Don't set validation_config to test the empty branch. + + ReverseTunnelFilterConfig config(cfg); + EXPECT_FALSE(config.autoCloseConnections()); + EXPECT_EQ("/test", config.requestPath()); + EXPECT_EQ("PUT", config.requestMethod()); + EXPECT_TRUE(config.nodeIdFilterStateKey().empty()); + EXPECT_TRUE(config.clusterIdFilterStateKey().empty()); + EXPECT_TRUE(config.tenantIdFilterStateKey().empty()); +} + +// Test decodeData with multiple chunks. +TEST_F(ReverseTunnelFilterUnitTest, DecodeDataMultipleChunks) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + + // Send headers first without end_stream. + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Send body in chunks without end_stream. + const std::string body_part = req.substr(hdr_end + 4); + const size_t chunk_size = body_part.size() / 3; + + Buffer::OwnedImpl chunk1(body_part.substr(0, chunk_size)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk1, false)); + + Buffer::OwnedImpl chunk2(body_part.substr(chunk_size, chunk_size)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk2, false)); + + // Send final chunk with end_stream. + Buffer::OwnedImpl chunk3(body_part.substr(chunk_size * 2)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk3, true)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test successful connection processing with socket reuse. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionSocketReuse) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "test-node", "test-cluster", "test-tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test RequestDecoderImpl interface methods with proper HTTP flow. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplInterfaceMethodsCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a proper HTTP request with chunked encoding and trailers and headers-only body + std::string chunked_request = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("interface", "test", "coverage") + + "Transfer-Encoding: chunked\r\n\r\n"; + + // Send headers first + Buffer::OwnedImpl header_buf(chunked_request); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Send chunk end and trailers (no body required) + std::string end_chunk_and_trailers = "0\r\nX-Test-Trailer: value\r\n\r\n"; + Buffer::OwnedImpl trailer_buf(end_chunk_and_trailers); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(trailer_buf, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test codec dispatch failure with truly malformed HTTP. +TEST_F(ReverseTunnelFilterUnitTest, CodecDispatchFailureDetailed) { + // Create HTTP data that will cause codec dispatch to fail and log error. + std::string malformed_http = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "Content-Length: \xFF\xFF\xFF\xFF\r\n\r\n"; // Invalid content length + + Buffer::OwnedImpl request(malformed_http); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); +} + +// Test more malformed HTTP to hit codec error paths. +TEST_F(ReverseTunnelFilterUnitTest, CodecDispatchMultipleErrorTypes) { + // Test 1: HTTP request with invalid headers + std::string invalid_headers = "GET /reverse_connections/request HTTP/1.1\r\n" + "Invalid Header Without Colon\r\n" + "\r\n"; + Buffer::OwnedImpl req1(invalid_headers); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(req1, false)); + + // Create new filter for second test + auto filter2 = + std::make_unique(config_, *stats_store_.rootScope(), overload_manager_); + NiceMock callbacks2; + EXPECT_CALL(callbacks2, connection()).WillRepeatedly(ReturnRef(callbacks2.connection_)); + auto socket2 = std::make_unique(); + EXPECT_CALL(*socket2, isOpen()).WillRepeatedly(testing::Return(true)); + static Network::ConnectionSocketPtr stored_socket2 = std::move(socket2); + EXPECT_CALL(callbacks2.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_socket2)); + filter2->initializeReadFilterCallbacks(callbacks2); + + // Test 2: Invalid HTTP version + std::string invalid_version = "GET /reverse_connections/request HTTP/9.9\r\n\r\n"; + Buffer::OwnedImpl req2(invalid_version); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter2->onData(req2, false)); +} + +// Test to trigger response validation failure path (lines 195-200). +TEST_F(ReverseTunnelFilterUnitTest, ResponseValidationFailurePath) { + // This is tricky since we can't easily mock the Validate function. + // But we can create a scenario that might trigger response validation issues. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a valid request - the response validation happens internally + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "response-test", "cluster", "tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // The response validation failure path is internal and hard to trigger + // without modifying the source, but this test ensures the success path works + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test decodeMetadata method coverage. +TEST_F(ReverseTunnelFilterUnitTest, DecodeMetadataMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // The decodeMetadata method is called internally when processing certain HTTP requests + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "meta", "data", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test streamInfo method coverage. +TEST_F(ReverseTunnelFilterUnitTest, StreamInfoMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "stream", "info", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test accessLogHandlers method coverage. +TEST_F(ReverseTunnelFilterUnitTest, AccessLogHandlersMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "access", "log", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test getRequestDecoderHandle method coverage. +TEST_F(ReverseTunnelFilterUnitTest, GetRequestDecoderHandleMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "decoder", "handle", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test various HTTP malformations to hit codec error paths. +TEST_F(ReverseTunnelFilterUnitTest, VariousHttpMalformations) { + // Test different types of malformed HTTP to hit codec dispatch error paths + std::vector malformed_requests = { + // Missing HTTP version + "GET /reverse_connections/request\r\nHost: test\r\n\r\n", + // Invalid method + "INVALID_METHOD /reverse_connections/request HTTP/1.1\r\nHost: test\r\n\r\n", + // Binary garbage + std::string("\x00\x01\x02\x03\x04\x05", 6), + // Incomplete request line + "POS", + // Missing headers separator + "GET /reverse_connections/request HTTP/1.1\r\nHost: test", + // Invalid characters in headers + "GET /reverse_connections/request HTTP/1.1\r\nHo\x00st: test\r\n\r\n"}; + + for (size_t i = 0; i < malformed_requests.size(); ++i) { + // Create new filter for each test to avoid state issues + auto test_filter = std::make_unique(config_, *stats_store_.rootScope(), + overload_manager_); + NiceMock test_callbacks; + EXPECT_CALL(test_callbacks, connection()).WillRepeatedly(ReturnRef(test_callbacks.connection_)); + + auto test_socket = std::make_unique(); + EXPECT_CALL(*test_socket, isOpen()).WillRepeatedly(testing::Return(true)); + static std::vector stored_test_sockets; + stored_test_sockets.push_back(std::move(test_socket)); + EXPECT_CALL(test_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_test_sockets.back())); + + test_filter->initializeReadFilterCallbacks(test_callbacks); + + Buffer::OwnedImpl request(malformed_requests[i]); + EXPECT_EQ(Network::FilterStatus::StopIteration, test_filter->onData(request, false)); + } +} + +// Test processAcceptedConnection with null TLS registry. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionNullTlsRegistry) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "null-tls", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test processAcceptedConnection when duplicate() returns null. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicateFails) { + // Create a mock socket that returns a null/closed handle on duplicate. + auto mock_socket = std::make_unique(); + auto mock_io_handle = std::make_unique(); + + // Setup IoHandle to return null on duplicate. + EXPECT_CALL(*mock_io_handle, duplicate()).WillOnce(testing::Return(nullptr)); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket, isOpen()).WillRepeatedly(testing::Return(true)); + + static Network::ConnectionSocketPtr stored_mock_socket; + static std::unique_ptr stored_io_handle; + stored_io_handle = std::move(mock_io_handle); + stored_mock_socket = std::move(mock_socket); + + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_mock_socket)); + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "dup-fail", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test processAcceptedConnection when duplicated handle is not open. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicatedHandleNotOpen) { + auto mock_socket = std::make_unique(); + auto mock_io_handle = std::make_unique(); + auto dup_io_handle = std::make_unique(); + + // Setup duplicated handle to report as not open. + EXPECT_CALL(*dup_io_handle, isOpen()).WillRepeatedly(testing::Return(false)); + EXPECT_CALL(*mock_io_handle, duplicate()) + .WillOnce(testing::Return(testing::ByMove(std::move(dup_io_handle)))); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket, isOpen()).WillRepeatedly(testing::Return(true)); + + static Network::ConnectionSocketPtr stored_mock_socket2; + static std::unique_ptr stored_io_handle2; + stored_io_handle2 = std::move(mock_io_handle); + stored_mock_socket2 = std::move(mock_socket); + + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_mock_socket2)); + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "dup-closed", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test systematic HTTP error patterns to trigger codec dispatch error paths. +TEST_F(ReverseTunnelFilterUnitTest, SystematicHttpErrorPatterns) { + auto patterns = HttpErrorHelper::getHttpErrorPatterns(); + + for (size_t i = 0; i < patterns.size(); ++i) { + // Create new filter for each test to avoid state pollution + auto error_filter = std::make_unique(config_, *stats_store_.rootScope(), + overload_manager_); + NiceMock error_callbacks; + EXPECT_CALL(error_callbacks, connection()) + .WillRepeatedly(ReturnRef(error_callbacks.connection_)); + + // Set up socket for each test + auto error_socket = std::make_unique(); + EXPECT_CALL(*error_socket, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*error_socket, ioHandle()) + .WillRepeatedly(testing::ReturnRef(*error_callbacks.socket_.io_handle_)); + + static std::vector stored_error_sockets; + stored_error_sockets.push_back(std::move(error_socket)); + EXPECT_CALL(error_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_error_sockets.back())); + + error_filter->initializeReadFilterCallbacks(error_callbacks); + + // Test this error pattern + Buffer::OwnedImpl error_request(patterns[i]); + EXPECT_EQ(Network::FilterStatus::StopIteration, error_filter->onData(error_request, false)); + } +} + +// Test specific protobuf validation scenarios to hit uncovered parsing paths. +TEST_F(ReverseTunnelFilterUnitTest, ProtobufValidationScenarios) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test 1: Missing node header should fail validation + Buffer::OwnedImpl invalid_request("GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "x-envoy-reverse-tunnel-cluster-id: cluster\r\n" + "x-envoy-reverse-tunnel-tenant-id: tenant\r\n" + "Content-Length: 0\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(invalid_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + + written.clear(); + + // Test 2: Previously malformed protobuf no longer applies; with headers present we accept. + Buffer::OwnedImpl ok_request(makeHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "node", "cluster", "tenant", "This is not used")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(ok_request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test edge cases in HTTP/protobuf processing to maximize coverage. +TEST_F(ReverseTunnelFilterUnitTest, EdgeCaseHttpProtobufProcessing) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test 1: Binary data that looks like protobuf but isn't + std::string fake_protobuf; + fake_protobuf.push_back(0x08); // Protobuf field tag + fake_protobuf.push_back(0x96); // Invalid varint continuation + fake_protobuf.push_back(0xFF); // More invalid data + fake_protobuf.push_back(0xFF); + fake_protobuf.push_back(0xFF); + + Buffer::OwnedImpl fake_request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(fake_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test to trigger specific interface methods for coverage. +TEST_F(ReverseTunnelFilterUnitTest, InterfaceMethodsCompleteCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create request with HTTP/1.1 Transfer-Encoding chunked to trigger trailers + std::string chunked_request = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("interface", "methods", "test") + + "Transfer-Encoding: chunked\r\n\r\n"; + chunked_request += "0\r\n"; // End chunk + chunked_request += "X-Custom-Trailer: test-value\r\n"; // Trailer header + chunked_request += "\r\n"; // End trailers + + Buffer::OwnedImpl chunked_buf(chunked_request); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunked_buf, false)); + + // This should trigger decodeTrailers, decodeMetadata (if any), + // streamInfo, accessLogHandlers, and getRequestDecoderHandle methods + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test the streamInfo() method gets called and returns correct instance. +TEST_F(ReverseTunnelFilterUnitTest, StreamInfoMethodReturnsCorrectInstance) { + // Trigger decoder creation first. + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "stream", "info", "test")); + + // This creates the decoder internally. + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // The streamInfo() method was called internally during processing. + // We can't directly test it but it's covered by the request processing. +} + +// Test the accessLogHandlers() method returns empty vector. +TEST_F(ReverseTunnelFilterUnitTest, AccessLogHandlersReturnsEmpty) { + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "log", "handlers", "test")); + + // This creates the decoder and calls accessLogHandlers internally. + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); +} + +// Test the getRequestDecoderHandle() method returns nullptr. +TEST_F(ReverseTunnelFilterUnitTest, GetRequestDecoderHandleReturnsNull) { + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "decoder", "handle", "null")); + + // This creates the decoder and the method may be called internally. + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); +} + +// Test processIfComplete when already complete. +TEST_F(ReverseTunnelFilterUnitTest, ProcessIfCompleteAlreadyComplete) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send a complete request. + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "double", "complete", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Verify we got the response. + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + + // Try to send more data - should be ignored as already complete. + Buffer::OwnedImpl more_data("extra data"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(more_data, false)); +} + +// Test successful socket duplication with all operations succeeding. +TEST_F(ReverseTunnelFilterUnitTest, SuccessfulSocketDuplication) { + auto socket_with_dup = std::make_unique(); + + // Mock successful duplication where everything succeeds. + auto mock_io_handle = std::make_unique(); + auto dup_handle = std::make_unique(); + + // The duplicated handle is open and operations succeed. + EXPECT_CALL(*dup_handle, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*dup_handle, resetFileEvents()); + + // Mock the duplicate() call to return the dup_handle. + EXPECT_CALL(*mock_io_handle, duplicate()) + .WillOnce(testing::Return(testing::ByMove(std::move(dup_handle)))); + + // Mock ioHandle() to return our mock handle. + EXPECT_CALL(*socket_with_dup, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*socket_with_dup, isOpen()).WillRepeatedly(testing::Return(true)); + + // Store socket and handle in static variables. + static Network::ConnectionSocketPtr stored_dup_socket; + static std::unique_ptr stored_dup_handle; + stored_dup_handle = std::move(mock_io_handle); + stored_dup_socket = std::move(socket_with_dup); + + // Set up the callbacks to use our mock socket. + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_dup_socket)); + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "dup", "success", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test modify_headers callback in sendLocalReply. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyWithModifyHeaders) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send a request that will trigger a 404 response with modify_headers callback. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/wrong/path")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // The sendLocalReply with modify_headers is called internally. + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test sendLocalReply with all branches covered. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyAllBranches) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with wrong method to trigger 404. + Buffer::OwnedImpl request(makeHttpRequest("POST", "/reverse_connections/request")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); + EXPECT_THAT(written, testing::HasSubstr("Not a reverse tunnel request")); +} + +// Test HTTP/1.1 codec initialization with different settings. +TEST_F(ReverseTunnelFilterUnitTest, CodecInitializationCoverage) { + // Create a new filter to test codec initialization. + auto test_filter = + std::make_unique(config_, *stats_store_.rootScope(), overload_manager_); + NiceMock test_callbacks; + EXPECT_CALL(test_callbacks, connection()).WillRepeatedly(ReturnRef(test_callbacks.connection_)); + + auto test_socket = std::make_unique(); + EXPECT_CALL(*test_socket, isOpen()).WillRepeatedly(testing::Return(true)); + static Network::ConnectionSocketPtr stored_codec_socket = std::move(test_socket); + EXPECT_CALL(test_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_codec_socket)); + + test_filter->initializeReadFilterCallbacks(test_callbacks); + + // First call to onData initializes the codec. + Buffer::OwnedImpl data1("GET /test HTTP/1.1\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, test_filter->onData(data1, false)); + + // Second call uses existing codec. + Buffer::OwnedImpl data2("Host: test\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, test_filter->onData(data2, false)); +} + +} // namespace +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/filters/network/reverse_tunnel/integration_test.cc b/test/extensions/filters/network/reverse_tunnel/integration_test.cc new file mode 100644 index 0000000000000..e426aaaca8a16 --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/integration_test.cc @@ -0,0 +1,635 @@ +#include + +#include "envoy/config/bootstrap/v3/bootstrap.pb.h" +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.pb.h" + +#include "source/common/protobuf/protobuf.h" + +#include "test/integration/integration.h" +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { +namespace { + +class ReverseTunnelFilterIntegrationTest + : public testing::TestWithParam, + public BaseIntegrationTest { +public: + ReverseTunnelFilterIntegrationTest() : BaseIntegrationTest(GetParam()) {} + + // Do not call initialize() here. Tests will configure filters then call initialize(). + void initializeFilter() { + // Remove default network filters (e.g., HTTP Connection Manager) to avoid conflicts. + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + if (bootstrap.static_resources().listeners_size() > 0) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + if (listener->filter_chains_size() > 0) { + auto* chain = listener->mutable_filter_chains(0); + chain->clear_filters(); + } + } + }); + const std::string filter_config = R"EOF( +name: envoy.filters.network.reverse_tunnel +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: + seconds: 2 + auto_close_connections: false + request_path: "/reverse_connections/request" + request_method: "GET" +)EOF"; + + config_helper_.addNetworkFilter(filter_config); + } + + std::string createTestPayload(const std::string& node_uuid = "integration-test-node", + const std::string& cluster_uuid = "integration-test-cluster", + const std::string& tenant_uuid = "integration-test-tenant") { + UNREFERENCED_PARAMETER(node_uuid); + UNREFERENCED_PARAMETER(cluster_uuid); + UNREFERENCED_PARAMETER(tenant_uuid); + return std::string(); + } + + std::string createHttpRequest(const std::string& method, const std::string& path, + const std::string& body = "") { + std::string request = fmt::format("{} {} HTTP/1.1\r\n", method, path); + request += "Host: localhost\r\n"; + request += fmt::format("Content-Length: {}\r\n", body.length()); + request += "\r\n"; + request += body; + return request; + } + + std::string createHttpRequestWithRtHeaders(const std::string& method, const std::string& path, + const std::string& node, const std::string& cluster, + const std::string& tenant, + const std::string& body = "") { + std::string request = fmt::format("{} {} HTTP/1.1\r\n", method, path); + request += "Host: localhost\r\n"; + request += fmt::format("{}: {}\r\n", "x-envoy-reverse-tunnel-node-id", node); + request += fmt::format("{}: {}\r\n", "x-envoy-reverse-tunnel-cluster-id", cluster); + request += fmt::format("{}: {}\r\n", "x-envoy-reverse-tunnel-tenant-id", tenant); + request += fmt::format("Content-Length: {}\r\n", body.length()); + request += "\r\n"; + request += body; + return request; + } +}; + +INSTANTIATE_TEST_SUITE_P(IpVersions, ReverseTunnelFilterIntegrationTest, + testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + TestUtility::ipTestParamsToString); + +TEST_P(ReverseTunnelFilterIntegrationTest, ValidReverseTunnelRequest) { + initializeFilter(); + BaseIntegrationTest::initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed quickly; still verify response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + + // Should receive HTTP 200 OK response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, InvalidHttpRequest) { + initializeFilter(); + BaseIntegrationTest::initialize(); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write("INVALID REQUEST\r\n\r\n")) { + // Server may have already closed the connection due to codec error. + tcp_client->waitForDisconnect(); + return; + } + // Codec error path does not produce a response; server may close the connection. + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, NonReverseTunnelRequest) { + initializeFilter(); + BaseIntegrationTest::initialize(); + + std::string http_request = createHttpRequest("GET", "/health"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForDisconnect(); + return; + } + // The request should pass through or be handled by other components; connection may close. + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, MissingHeadersBadRequest) { + initializeFilter(); + BaseIntegrationTest::initialize(); + + // Missing required headers should produce HTTP 400. + std::string http_request = createHttpRequest("GET", "/reverse_connections/request", ""); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForData("HTTP/1.1 400 Bad Request"); + return; + } + + // Should receive HTTP 400 Bad Request response. + tcp_client->waitForData("HTTP/1.1 400 Bad Request"); + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, PartialRequestHandling) { + initializeFilter(); + BaseIntegrationTest::initialize(); + + std::string http_request = createHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "integration-test-node", "integration-test-cluster", + "integration-test-tenant", "abcdefghijklmno"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + + // Send request in chunks but ensure the body only completes on the third chunk. + // Split the HTTP request into headers and body, then stream body in parts. + const std::string::size_type hdr_end = http_request.find("\r\n\r\n"); + ASSERT_NE(hdr_end, std::string::npos); + const std::string headers = http_request.substr(0, hdr_end + 4); + const std::string body = http_request.substr(hdr_end + 4); + ASSERT_GT(body.size(), 8u); + + const size_t part = body.size() / 4; // Ensure first 2 parts are not enough to complete. + const std::string body1 = body.substr(0, part); + const std::string body2 = body.substr(part, part); + const std::string body3 = body.substr(2 * part); + + // First write: headers + small part of body. + if (!tcp_client->write(headers + body1, /*end_stream=*/false)) { + // Server may have already processed and responded; validate response and exit. + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + // Second write: more body but still not complete. If the server already completed, + // the write can fail due to disconnect; treat that as acceptable and verify response. + if (!tcp_client->write(body2, /*end_stream=*/false)) { + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + // Third write: remaining body to complete the request. Same tolerance as above. + if (!tcp_client->write(body3, /*end_stream=*/false)) { + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + + // Should receive complete HTTP response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + // Server may keep connection open (auto_close_connections: false). Close client side. + tcp_client->close(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, CustomConfigurationTest) { + const std::string custom_filter_config = R"EOF( +name: envoy.filters.network.reverse_tunnel +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: + seconds: 5 + auto_close_connections: false + request_path: "/custom/reverse" + request_method: "GET" +)EOF"; + + // Remove default network filters (e.g., HTTP Connection Manager) to avoid pulling in HCM. + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Register default socket interface for internal addresses and set it as default. + { + auto* ext = bootstrap.add_bootstrap_extensions(); + ext->set_name("envoy.extensions.network.socket_interface.default_socket_interface"); + auto* any = ext->mutable_typed_config(); + any->set_type_url("type.googleapis.com/" + "envoy.extensions.network.socket_interface.v3.DefaultSocketInterface"); + } + bootstrap.set_default_socket_interface( + "envoy.extensions.network.socket_interface.default_socket_interface"); + if (bootstrap.static_resources().listeners_size() > 0) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + if (listener->filter_chains_size() > 0) { + auto* chain = listener->mutable_filter_chains(0); + chain->clear_filters(); + } + } + }); + config_helper_.addNetworkFilter(custom_filter_config); + BaseIntegrationTest::initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/custom/reverse", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + + // Should receive HTTP 200 OK response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + + // With auto_close_connections: false, connection should stay open. + // Advance simulated time slightly to allow any deferred callbacks to run. + timeSystem().advanceTimeWait(std::chrono::milliseconds(100)); + tcp_client->close(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, MissingNodeUuidRejection) { + initializeFilter(); + BaseIntegrationTest::initialize(); + + // Missing node UUID header should trigger 400. + std::string http_request = + fmt::format("{} {} HTTP/1.1\r\nHost: localhost\r\n" + "x-envoy-reverse-tunnel-cluster-id: {}\r\n" + "x-envoy-reverse-tunnel-tenant-id: {}\r\nContent-Length: 0\r\n\r\n", + "GET", "/reverse_connections/request", "test-cluster", "test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForData("HTTP/1.1 400 Bad Request"); + return; + } + + // Should receive HTTP 400 Bad Request response for missing node UUID. + tcp_client->waitForData("HTTP/1.1 400 Bad Request"); + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, ValidationSucceedsWithFilterState) { + // Add a filter to set filter state values, followed by reverse_tunnel with validation. + const std::string set_filter_state = R"EOF( +name: envoy.filters.network.set_filter_state +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.set_filter_state.v3.Config + on_new_connection: + - object_key: node_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "integration-test-node" + - object_key: cluster_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "integration-test-cluster" + - object_key: tenant_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "integration-test-tenant" +)EOF"; + + const std::string rt_filter = R"EOF( +name: envoy.filters.network.reverse_tunnel +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: + seconds: 2 + auto_close_connections: false + request_path: "/reverse_connections/request" + request_method: "GET" + validation_config: + node_id_filter_state_key: "node_id" + cluster_id_filter_state_key: "cluster_id" + tenant_id_filter_state_key: "tenant_id" +)EOF"; + + // Clear default filters and add in order: set_filter_state then reverse_tunnel. + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + if (bootstrap.static_resources().listeners_size() > 0) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + if (listener->filter_chains_size() > 0) { + auto* chain = listener->mutable_filter_chains(0); + chain->clear_filters(); + } + } + }); + config_helper_.addNetworkFilter(set_filter_state); + config_helper_.addNetworkFilter(rt_filter); + BaseIntegrationTest::initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForData("HTTP/1.1 403 Forbidden"); + return; + } + + tcp_client->waitForData("HTTP/1.1 200 OK"); + tcp_client->close(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, ValidationFailsWhenKeyMissing) { + // Only set cluster/tenant; configure reverse_tunnel to require node_id, causing 403. + const std::string set_filter_state = R"EOF( +name: envoy.filters.network.set_filter_state +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.set_filter_state.v3.Config + on_new_connection: + - object_key: cluster_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "integration-test-cluster" + - object_key: tenant_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "integration-test-tenant" +)EOF"; + + const std::string rt_filter = R"EOF( +name: envoy.filters.network.reverse_tunnel +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + request_path: "/reverse_connections/request" + request_method: "GET" + validation_config: + node_id_filter_state_key: "node_id" + cluster_id_filter_state_key: "cluster_id" + tenant_id_filter_state_key: "tenant_id" +)EOF"; + + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + if (bootstrap.static_resources().listeners_size() > 0) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + if (listener->filter_chains_size() > 0) { + auto* chain = listener->mutable_filter_chains(0); + chain->clear_filters(); + } + } + }); + config_helper_.addNetworkFilter(set_filter_state); + config_helper_.addNetworkFilter(rt_filter); + BaseIntegrationTest::initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForData("HTTP/1.1 403 Forbidden"); + return; + } + + // Should receive HTTP 403 Forbidden response due to missing node_id in filter state. + tcp_client->waitForData("HTTP/1.1 403 Forbidden"); + + // Advance simulated time slightly to allow internal callbacks to drain. + timeSystem().advanceTimeWait(std::chrono::milliseconds(50)); + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, ValidationFailsOnValueMismatch) { + // Set keys but with different values than in the handshake request, expect 403. + const std::string set_filter_state = R"EOF( +name: envoy.filters.network.set_filter_state +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.set_filter_state.v3.Config + on_new_connection: + - object_key: node_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "wrong-node" + - object_key: cluster_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "wrong-cluster" + - object_key: tenant_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "wrong-tenant" +)EOF"; + + const std::string rt_filter = R"EOF( +name: envoy.filters.network.reverse_tunnel +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + request_path: "/reverse_connections/request" + request_method: "GET" + validation_config: + node_id_filter_state_key: "node_id" + cluster_id_filter_state_key: "cluster_id" + tenant_id_filter_state_key: "tenant_id" +)EOF"; + + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + if (bootstrap.static_resources().listeners_size() > 0) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + if (listener->filter_chains_size() > 0) { + auto* chain = listener->mutable_filter_chains(0); + chain->clear_filters(); + } + } + }); + config_helper_.addNetworkFilter(set_filter_state); + config_helper_.addNetworkFilter(rt_filter); + BaseIntegrationTest::initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + ASSERT_TRUE(tcp_client->write(http_request)); + tcp_client->waitForData("HTTP/1.1 403 Forbidden"); + + // Advance simulated time slightly to allow internal callbacks to drain. + timeSystem().advanceTimeWait(std::chrono::milliseconds(50)); + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, AutoCloseConnectionsEnabled) { + const std::string filter_config = R"EOF( +name: envoy.filters.network.reverse_tunnel +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + auto_close_connections: true + request_path: "/reverse_connections/request" + request_method: "GET" +)EOF"; + + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + if (bootstrap.static_resources().listeners_size() > 0) { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + if (listener->filter_chains_size() > 0) { + auto* chain = listener->mutable_filter_chains(0); + chain->clear_filters(); + } + } + }); + config_helper_.addNetworkFilter(filter_config); + BaseIntegrationTest::initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already responded and closed. + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + tcp_client->waitForData("HTTP/1.1 200 OK"); + + // Advance simulated time slightly to allow internal callbacks to drain. + timeSystem().advanceTimeWait(std::chrono::milliseconds(50)); + + // Server should close the connection automatically. + tcp_client->waitForDisconnect(); +} + +// End-to-end test where the downstream reverse connection listener (rc://) initiates a +// connection to an upstream listener running the reverse_tunnel filter. The downstream +// side sends HTTP headers using the same helpers as the upstream expects, and the upstream +// socket manager updates connection stats. We verify the gauges to confirm full flow. +TEST_P(ReverseTunnelFilterIntegrationTest, FullFlowWithDownstreamSocketInterface) { + // Configure two bootstrap extensions (downstream and upstream socket interfaces), + // two listeners (upstream reverse_tunnel listener and a reverse connection listener), + // and a cluster that targets the upstream listener via an internal address. + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Add upstream socket interface bootstrap extension. + { + auto* ext = bootstrap.add_bootstrap_extensions(); + ext->set_name("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + auto* any = ext->mutable_typed_config(); + any->set_type_url("type.googleapis.com/" + "envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3." + "UpstreamReverseConnectionSocketInterface"); + } + + // Add downstream socket interface bootstrap extension. + { + auto* ext = bootstrap.add_bootstrap_extensions(); + ext->set_name("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); + auto* any = ext->mutable_typed_config(); + any->set_type_url("type.googleapis.com/" + "envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3." + "DownstreamReverseConnectionSocketInterface"); + } + + // Ensure we have at least one listener. We will use the first as the upstream listener + // and clear its filters, then add the reverse_tunnel network filter. + if (bootstrap.static_resources().listeners_size() == 0) { + auto* listener = bootstrap.mutable_static_resources()->add_listeners(); + listener->set_name("upstream_listener"); + auto* sock = listener->mutable_address()->mutable_socket_address(); + sock->set_address("0.0.0.0"); + sock->set_port_value(0); + } + + auto* upstream_listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + upstream_listener->set_name("upstream_listener"); + if (upstream_listener->filter_chains_size() > 0) { + upstream_listener->mutable_filter_chains(0)->clear_filters(); + } else { + upstream_listener->add_filter_chains(); + } + { + auto* filter = upstream_listener->mutable_filter_chains(0)->add_filters(); + filter->set_name("envoy.filters.network.reverse_tunnel"); + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel rt_cfg; + rt_cfg.mutable_ping_interval()->set_seconds(2); + rt_cfg.set_auto_close_connections(false); + rt_cfg.set_request_path("/reverse_connections/request"); + rt_cfg.set_request_method("GET"); + Protobuf::Any* typed_config = filter->mutable_typed_config(); + typed_config->PackFrom(rt_cfg); + } + + // Add an additional listener that uses the rc:// resolver to initiate reverse connections. + auto* rc_listener = bootstrap.mutable_static_resources()->add_listeners(); + rc_listener->set_name("reverse_connection_listener"); + auto* rc_sock = rc_listener->mutable_address()->mutable_socket_address(); + // rc://::@: + rc_sock->set_address( + "rc://integration-test-node:integration-test-cluster:integration-test-tenant@" + "upstream_cluster:1"); + rc_sock->set_port_value(0); + // Tell Envoy to use our custom resolver for rc:// scheme. + rc_sock->set_resolver_name("envoy.resolvers.reverse_connection"); + // Minimal filter chain; echo is fine since accept() returns a connected socket. + auto* rc_chain = rc_listener->add_filter_chains(); + auto* echo_filter = rc_chain->add_filters(); + echo_filter->set_name("envoy.filters.network.echo"); + auto* echo_any = echo_filter->mutable_typed_config(); + echo_any->set_type_url("type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo"); + + // Define the upstream cluster that points to the upstream_listener via internal address. + auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); + cluster->set_name("upstream_cluster"); + cluster->set_type(envoy::config::cluster::v3::Cluster::STATIC); + cluster->mutable_load_assignment()->set_cluster_name("upstream_cluster"); + // Configure transport socket for internal upstream connections. + auto* ts = cluster->mutable_transport_socket(); + ts->set_name("envoy.transport_sockets.internal_upstream"); + envoy::extensions::transport_sockets::internal_upstream::v3::InternalUpstreamTransport ts_cfg; + // Wrap a raw_buffer transport socket as the underlying transport. + auto* inner_ts = ts_cfg.mutable_transport_socket(); + inner_ts->set_name("envoy.transport_sockets.raw_buffer"); + Protobuf::Any* inner_any = inner_ts->mutable_typed_config(); + inner_any->set_type_url( + "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"); + Protobuf::Any* ts_any = ts->mutable_typed_config(); + ts_any->PackFrom(ts_cfg); + + auto* locality = cluster->mutable_load_assignment()->add_endpoints(); + auto* lb_endpoint = locality->add_lb_endpoints(); + auto* endpoint = lb_endpoint->mutable_endpoint(); + auto* ep_addr = endpoint->mutable_address()->mutable_envoy_internal_address(); + ep_addr->set_server_listener_name("upstream_listener"); + ep_addr->set_endpoint_id("rt_endpoint"); + }); + + BaseIntegrationTest::initialize(); + + // Wait for the upstream side to record at least one accepted connection for the node and cluster. + // ReverseTunnelAcceptorExtension publishes gauges with names: + // reverse_connections.nodes. + // reverse_connections.clusters. + test_server_->waitForGaugeEq("reverse_connections.nodes.integration-test-node", 1); + test_server_->waitForGaugeEq("reverse_connections.clusters.integration-test-cluster", 1); +} + +} // namespace +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/mocks/network/connection.h b/test/mocks/network/connection.h index 59bf4be7d5af8..66a2c39f853e8 100644 --- a/test/mocks/network/connection.h +++ b/test/mocks/network/connection.h @@ -85,7 +85,7 @@ class MockConnectionBase { MOCK_METHOD(void, setBufferLimits, (uint32_t limit)); \ MOCK_METHOD(uint32_t, bufferLimit, (), (const)); \ MOCK_METHOD(bool, aboveHighWatermark, (), (const)); \ - MOCK_METHOD(Network::ConnectionSocketPtr&, getSocket, (), (const)); \ + MOCK_METHOD(const ConnectionSocketPtr&, getSocket, (), (const)); \ MOCK_METHOD(void, setSocketReused, (bool value)); \ MOCK_METHOD(bool, isSocketReused, ()); \ MOCK_METHOD(const Network::ConnectionSocket::OptionsSharedPtr&, socketOptions, (), (const)); \ From 96d29f078fd0ce41302b77d3ad9a10530861568d Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Mon, 15 Sep 2025 02:58:51 +0000 Subject: [PATCH 399/505] Update cloud-envoy.yaml to use reverse tunnel network filter - Replace HTTP connection manager with reverse tunnel network filter - Configure ping_interval, auto_close_connections, request_path, and request_method - Remove HTTP-specific routing configuration Signed-off-by: Basundhara Chakrabarty --- .../reverse_conn/v3/reverse_conn.proto | 21 - .../cloud-envoy.yaml | 29 +- .../filters/network/reverse_conn/BUILD | 42 -- .../filters/network/reverse_conn/README.md | 230 ---------- .../reverse_conn/reverse_conn_filter.cc | 397 ------------------ .../reverse_conn/reverse_conn_filter.h | 134 ------ .../reverse_conn_filter_factory.cc | 31 -- .../reverse_conn_filter_factory.h | 28 -- 8 files changed, 6 insertions(+), 906 deletions(-) delete mode 100644 api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto delete mode 100644 source/extensions/filters/network/reverse_conn/BUILD delete mode 100644 source/extensions/filters/network/reverse_conn/README.md delete mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc delete mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter.h delete mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc delete mode 100644 source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h diff --git a/api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto b/api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto deleted file mode 100644 index e0f60aa44d5e4..0000000000000 --- a/api/envoy/extensions/filters/network/reverse_conn/v3/reverse_conn.proto +++ /dev/null @@ -1,21 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.reverse_conn.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/reverse_conn/v3;reverse_connv3"; - -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc_title: Reverse Connection Network Filter] -// Reverse Connection Network Filter :ref:`configuration overview -// `. -// [#extension: envoy.filters.network.reverse_conn] - -// Configuration for the reverse connection network filter. -message ReverseConn { - // This filter has no configuration options currently. - // All behavior is hardcoded to handle reverse connection requests. -} \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection_socket_interface/cloud-envoy.yaml index 5d46207ae4497..99cc8f64f6ed6 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy.yaml @@ -12,30 +12,13 @@ static_resources: port_value: 9000 filter_chains: - filters: - - name: envoy.http_connection_manager + - name: envoy.filters.network.reverse_tunnel typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - # Any dummy route config works - route_config: - virtual_hosts: - - name: rev_conn_api_route - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: reverse_connection_cluster - http_filters: - # Filter that services reverse conn APIs - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - ping_interval: 2 - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: 2s + auto_close_connections: false + request_path: "/reverse_connections/request" + request_method: "POST" # Listener that will route the downstream request to the reverse connection cluster - name: egress_listener diff --git a/source/extensions/filters/network/reverse_conn/BUILD b/source/extensions/filters/network/reverse_conn/BUILD deleted file mode 100644 index de441b2795ca6..0000000000000 --- a/source/extensions/filters/network/reverse_conn/BUILD +++ /dev/null @@ -1,42 +0,0 @@ -load( - "//bazel:envoy_build_system.bzl", - "envoy_cc_extension", - "envoy_cc_library", - "envoy_extension_package", -) - -licenses(["notice"]) # Apache 2 - -envoy_extension_package() - -envoy_cc_extension( - name = "reverse_conn_config_lib", - srcs = ["reverse_conn_filter_factory.cc"], - hdrs = ["reverse_conn_filter_factory.h"], - deps = [ - "//source/extensions/filters/network/generic_proxy/interface:filter_lib", - "//source/extensions/filters/network/reverse_conn:reverse_conn_lib", - "//source/extensions/filters/network/reverse_conn/v3:reverse_conn_proto", - ], -) - -envoy_cc_library( - name = "reverse_conn_lib", - srcs = [ - "reverse_conn_filter.cc", - ], - hdrs = [ - "reverse_conn_filter.h", - ], - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/common:minimal_logger_lib", - "//source/common/network:filter_impl_lib", - "//source/common/protobuf:protobuf_lib", - "//source/extensions/bootstrap/reverse_tunnel:reverse_tunnel_acceptor_lib", - "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_handshake_cc_proto", - "//source/extensions/filters/network/generic_proxy/interface:filter_lib", - "//source/extensions/filters/network/generic_proxy/interface:stream_lib", - "//source/extensions/filters/network/reverse_conn/v3:reverse_conn_proto", - ], -) diff --git a/source/extensions/filters/network/reverse_conn/README.md b/source/extensions/filters/network/reverse_conn/README.md deleted file mode 100644 index 8e9b6563601ab..0000000000000 --- a/source/extensions/filters/network/reverse_conn/README.md +++ /dev/null @@ -1,230 +0,0 @@ -# Reverse Connection Generic Proxy Filter (Terminal Filter) - -This filter provides a robust, **protocol-agnostic** implementation for handling reverse connection acceptance/rejection using the **Generic Proxy StreamFilter interface**. It's designed as a **terminal filter** that stops processing after handling reverse connection requests. - -## What It Does - -The filter **only** handles: -1. **Reverse Connection Acceptance/Rejection** - Processes POST requests to `/reverse_connections/request` -2. **Protobuf Parsing** - Extracts node, cluster, and tenant UUIDs from the request body -3. **SSL Certificate Processing** - Overrides UUIDs with values from SSL certificate DNS SANs -4. **Socket Management** - Duplicates and saves the connection to the upstream socket manager -5. **Terminal Behavior** - Closes the connection after processing (no further filters run) - -## How It Works - -### **1. Generic Proxy StreamFilter Interface** -```cpp -class ReverseConnFilter : public Network::Filter, - public GenericProxy::StreamFilter, - public Logger::Loggable { -public: - // Terminal filter behavior - bool isTerminalFilter() const { return true; } - - // GenericProxy::DecoderFilter - GenericProxy::HeaderFilterStatus decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) override; - GenericProxy::CommonFilterStatus decodeCommonFrame(GenericProxy::RequestCommonFrame& request) override; -}; -``` - -### **2. Protocol-Agnostic Request Processing** -```cpp -GenericProxy::HeaderFilterStatus ReverseConnFilter::decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) { - // Check if this is a reverse connection request - if (isReverseConnectionRequest(request)) { - ENVOY_LOG(debug, "ReverseConnFilter: Detected reverse connection request"); - is_reverse_connection_request_ = true; - - // Continue to receive body frames - return GenericProxy::HeaderFilterStatus::Continue; - } - - // Not a reverse connection request, continue to next filter - return GenericProxy::HeaderFilterStatus::Continue; -} -``` - -### **3. Terminal Filter Behavior** -```cpp -GenericProxy::CommonFilterStatus ReverseConnFilter::decodeCommonFrame(GenericProxy::RequestCommonFrame& request) { - if (!is_reverse_connection_request_) { - return GenericProxy::CommonFilterStatus::Continue; - } - - // Extract body data from the common frame - extractRequestBody(request); - - // Process when complete - if (!request_body_.empty()) { - processReverseConnectionRequest(); - - // As a terminal filter, stop processing after handling the request - return GenericProxy::CommonFilterStatus::StopIteration; - } - - return GenericProxy::CommonFilterStatus::Continue; -} -``` - -### **4. Connection Closure** -```cpp -void ReverseConnFilter::closeConnection() { - // Mark connection as reused - connection->setSocketReused(true); - - // Reset file events on the connection socket - if (connection->getSocket()) { - connection->getSocket()->ioHandle().resetFileEvents(); - } - - // Close the connection - connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); -} -``` - -## Configuration - -### **Correct Configuration Structure** - -Your filter must be configured as part of a **Generic Proxy filter chain**, not as a standalone network filter: - -```yaml -static_resources: - listeners: - - name: "reverse_conn_listener" - address: - socket_address: - address: "0.0.0.0" - port_value: 8080 - listener_filters: - # Generic Proxy network filter intercepts all TCP data - - name: "envoy.filters.network.generic_proxy" - typed_config: - "@type": "type.googleapis.com/envoy.extensions.filters.network.generic_proxy.v3.GenericProxy" - stat_prefix: "reverse_conn" - codec_config: - # HTTP/1.1 codec parses raw HTTP data into frames - name: "envoy.generic_proxy.codecs.http1" - typed_config: - "@type": "type.googleapis.com/envoy.extensions/filters.network/generic_proxy.codecs/http1/v3.Http1CodecConfig" - filters: - # Your reverse connection filter (L7 filter, not network filter) - - name: "envoy.filters.generic.reverse_conn" - typed_config: - "@type": "type.googleapis.com/envoy/extensions/filters/generic/reverse_conn/v3.ReverseConn" - - # Router filter for non-reverse-connection requests - - name: "envoy.filters.generic.router" - typed_config: - "@type": "type.googleapis.com/envoy/extensions/filters/network/generic_proxy/router/v3.Router" - bind_upstream_connection: false -``` - -### **Why This Structure?** - -1. **Generic Proxy network filter** intercepts all TCP data first -2. **HTTP/1.1 codec** parses raw HTTP into `RequestHeaderFrame` and `RequestCommonFrame` -3. **Your filter** receives parsed frames (not raw TCP data) -4. **Terminal behavior** stops processing after handling reverse connection requests - -## Data Flow - -### **Complete Flow:** -``` -Raw HTTP Data → Generic Proxy Network Filter → HTTP1 Codec → Your Terminal Filter → Connection Closed -``` - -### **Step-by-Step:** -1. **Raw HTTP arrives**: `POST /reverse_connections/request HTTP/1.1\r\n...` -2. **Generic Proxy intercepts**: Network filter receives the data -3. **HTTP1 codec parses**: Creates `RequestHeaderFrame` and `RequestCommonFrame` -4. **Your filter processes**: `decodeHeaderFrame()` then `decodeCommonFrame()` -5. **Terminal behavior**: Returns `StopIteration`, closes connection -6. **No further processing**: Connection is closed, no more filters run - -## Key Benefits - -### **1. Terminal Filter Behavior** -- ✅ **Stops processing** after handling reverse connection requests -- ✅ **Closes connections** automatically -- ✅ **No downstream filters** run after your filter - -### **2. Protocol-Agnostic Operation** -- ✅ **Works with HTTP, gRPC, or any custom protocol** -- ✅ **Same filter logic** across all protocols -- ✅ **Future-proof architecture** - -### **3. Zero Protocol Parsing** -- ✅ **100% reuse** of Generic Proxy's parsing logic -- ✅ **No manual HTTP state machines** or CRLF searching -- ✅ **Automatic protocol compliance** guaranteed - -### **4. Standard Envoy Patterns** -- ✅ **Follows Envoy's filter architecture** exactly -- ✅ **Built-in observability** and metrics -- ✅ **Production-ready infrastructure** - -## What Generic Proxy Provides - -### **1. Complete Protocol Support** -- **HTTP/1.1, HTTP/2, HTTP/3** parsing and encoding -- **gRPC** support with streaming -- **Custom protocols** via codec interface -- **Protocol evolution** handled automatically - -### **2. Stream Management** -- **Automatic stream multiplexing** for concurrent requests -- **Frame routing** to correct streams -- **Connection lifecycle** management - -### **3. Production-Ready Features** -- **Automatic error handling** and recovery -- **Protocol validation** and sanitization -- **Built-in observability** and metrics - -## Implementation Details - -### **Filter Registration** -```cpp -// Register as Generic Proxy filter, not network filter -REGISTER_FACTORY(ReverseConnFilterConfigFactory, GenericProxy::NamedFilterConfigFactory); -``` - -### **Terminal Filter Implementation** -```cpp -class ReverseConnFilter : public GenericProxy::StreamFilter { -public: - // This makes it a terminal filter - bool isTerminalFilter() const { return true; } - - // Process parsed frames (not raw TCP data) - GenericProxy::HeaderFilterStatus decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) override; - GenericProxy::CommonFilterStatus decodeCommonFrame(GenericProxy::RequestCommonFrame& request) override; -}; -``` - -### **Connection Management** -```cpp -void ReverseConnFilter::processReverseConnectionRequest() { - // Send acceptance response - sendLocalReply(GenericProxy::Status::Ok, response_body); - - // Save the connection - saveDownstreamConnection(node_uuid_, cluster_uuid_); - - // Close the connection after processing (terminal filter behavior) - closeConnection(); -} -``` - -## Summary - -This filter is a **Generic Proxy L7 filter** (not a network filter) that: - -1. **Runs inside Generic Proxy framework** - receives parsed HTTP frames, not raw TCP -2. **Acts as a terminal filter** - stops processing and closes connections after handling requests -3. **Works with HTTP/1.1 codec** - automatically parses HTTP into usable frames -4. **Follows standard patterns** - integrates seamlessly with Generic Proxy infrastructure - -The key insight is that **Generic Proxy handles all the HTTP parsing and stream management**, while your filter just processes the parsed data and acts as a terminal point in the filter chain. \ No newline at end of file diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc deleted file mode 100644 index 28a18b29bd4d4..0000000000000 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.cc +++ /dev/null @@ -1,397 +0,0 @@ -#include "source/extensions/filters/network/reverse_conn/reverse_conn_filter.h" - -#include "envoy/network/connection.h" -#include "envoy/network/connection_socket_impl.h" -#include "envoy/ssl/connection.h" - -#include "source/common/buffer/buffer_impl.h" -#include "source/common/common/empty_string.h" -#include "source/common/common/enum_to_int.h" -#include "source/common/common/logger.h" -#include "source/common/network/io_socket_handle_impl.h" -#include "source/common/network/socket_option_impl.h" -#include "source/common/protobuf/protobuf.h" -#include "source/common/protobuf/utility.h" - -#include "absl/strings/str_cat.h" -#include "absl/strings/str_split.h" - -namespace Envoy { -namespace Extensions { -namespace NetworkFilters { -namespace ReverseConn { - -// Using statement for the new proto namespace -using ReverseConnectionHandshake = - envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface; - -// Static constants -const std::string ReverseConnFilter::REVERSE_CONNECTIONS_REQUEST_PATH = - "/reverse_connections/request"; -const std::string ReverseConnFilter::HTTP_POST_METHOD = "POST"; - -// ReverseConnFilter implementation - -ReverseConnFilter::ReverseConnFilter(ReverseConnFilterConfigSharedPtr config) : config_(config) { - // No custom codec needed - Generic Proxy handles all protocol parsing -} - -Network::FilterStatus ReverseConnFilter::onNewConnection() { - ENVOY_LOG(debug, "ReverseConnFilter: New connection established"); - return Network::FilterStatus::Continue; -} - -Network::FilterStatus ReverseConnFilter::onData(Buffer::Instance& data, bool end_stream) { - ENVOY_LOG(debug, "ReverseConnFilter: Received {} bytes, end_stream: {}", data.length(), - end_stream); - - // Note: In a real Generic Proxy setup, this method would typically not be called - // because the Generic Proxy filter would intercept the data and call our - // decodeHeaderFrame/decodeCommonFrame methods directly. - // This is kept for compatibility with the network filter interface. - - // For now, we'll just continue to let Generic Proxy handle the data - return Network::FilterStatus::Continue; -} - -Network::FilterStatus ReverseConnFilter::onWrite(Buffer::Instance&, bool) { - return Network::FilterStatus::Continue; -} - -void ReverseConnFilter::initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) { - read_callbacks_ = &callbacks; -} - -void ReverseConnFilter::initializeWriteFilterCallbacks(Network::WriteFilterCallbacks& callbacks) { - write_callbacks_ = &callbacks; -} - -// GenericProxy::DecoderFilter implementation - -void ReverseConnFilter::onDestroy() { ENVOY_LOG(debug, "ReverseConnFilter: Filter destroyed"); } - -void ReverseConnFilter::setDecoderFilterCallbacks(GenericProxy::DecoderFilterCallback& callbacks) { - decoder_callbacks_ = &callbacks; - ENVOY_LOG(debug, "ReverseConnFilter: Decoder filter callbacks set"); -} - -GenericProxy::HeaderFilterStatus -ReverseConnFilter::decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) { - ENVOY_LOG(debug, "ReverseConnFilter: Processing header frame - protocol: {}, host: {}, path: {}", - request.protocol(), request.host(), request.path()); - - // Check if this is a reverse connection request - if (isReverseConnectionRequest(request)) { - ENVOY_LOG(debug, "ReverseConnFilter: Detected reverse connection request"); - is_reverse_connection_request_ = true; - - // Continue to receive body frames - return GenericProxy::HeaderFilterStatus::Continue; - } - - // Not a reverse connection request, continue to next filter - ENVOY_LOG(debug, "ReverseConnFilter: Not a reverse connection request, continuing"); - return GenericProxy::HeaderFilterStatus::Continue; -} - -GenericProxy::CommonFilterStatus -ReverseConnFilter::decodeCommonFrame(GenericProxy::RequestCommonFrame& request) { - if (!is_reverse_connection_request_) { - // Not a reverse connection request, continue - return GenericProxy::CommonFilterStatus::Continue; - } - - ENVOY_LOG(debug, "ReverseConnFilter: Processing common frame for reverse connection request"); - - // Extract body data from the common frame - extractRequestBody(request); - - // Check if we have enough data to process - if (!request_body_.empty()) { - message_complete_ = true; - processReverseConnectionRequest(); - - // As a terminal filter, stop processing after handling the request - return GenericProxy::CommonFilterStatus::StopIteration; - } - - return GenericProxy::CommonFilterStatus::Continue; -} - -// GenericProxy::EncoderFilter implementation - -void ReverseConnFilter::setEncoderFilterCallbacks(GenericProxy::EncoderFilterCallback& callbacks) { - encoder_callbacks_ = &callbacks; - ENVOY_LOG(debug, "ReverseConnFilter: Encoder filter callbacks set"); -} - -GenericProxy::HeaderFilterStatus -ReverseConnFilter::encodeHeaderFrame(GenericProxy::ResponseHeaderFrame& response) { - // We don't modify response headers for reverse connection requests - // Just continue to the next filter - return GenericProxy::HeaderFilterStatus::Continue; -} - -GenericProxy::CommonFilterStatus -ReverseConnFilter::encodeCommonFrame(GenericProxy::ResponseCommonFrame& response) { - // We don't modify response body for reverse connection requests - // Just continue to the next filter - return GenericProxy::CommonFilterStatus::Continue; -} - -// Private methods - -bool ReverseConnFilter::isReverseConnectionRequest( - const GenericProxy::RequestHeaderFrame& request) const { - // Check method (for HTTP, this would be "POST") - auto method = request.get("method"); - if (!method.has_value() || method.value() != HTTP_POST_METHOD) { - return false; - } - - // Check path (for HTTP, this would be "/reverse_connections/request") - auto path = request.path(); - if (path != REVERSE_CONNECTIONS_REQUEST_PATH) { - return false; - } - - ENVOY_LOG(debug, "ReverseConnFilter: Valid reverse connection request - method: {}, path: {}", - method.value(), path); - - return true; -} - -void ReverseConnFilter::extractRequestBody(GenericProxy::RequestCommonFrame& frame) { - // In a real implementation, you would extract the body data from the common frame - // This depends on how the Generic Proxy codec represents body data - - // For now, we'll use a placeholder approach - // In practice, you might access frame.data() or similar methods - - ENVOY_LOG(debug, "ReverseConnFilter: Extracting request body from common frame"); - - // This is a simplified approach - in reality, you'd get the actual body data - // from the Generic Proxy frame structure - // request_body_ = frame.bodyData(); // or similar method -} - -bool ReverseConnFilter::parseProtobufPayload(const std::string& payload, std::string& node_uuid, - std::string& cluster_uuid, std::string& tenant_uuid) { - ReverseConnectionHandshake::ReverseConnHandshakeArg arg; - - if (!arg.ParseFromString(payload)) { - ENVOY_LOG(error, "ReverseConnFilter: Failed to parse protobuf from request body"); - return false; - } - - ENVOY_LOG(debug, "ReverseConnFilter: Successfully parsed protobuf: {}", arg.DebugString()); - - node_uuid = arg.node_uuid(); - cluster_uuid = arg.cluster_uuid(); - tenant_uuid = arg.tenant_uuid(); - - ENVOY_LOG(debug, "ReverseConnFilter: Extracted values - tenant='{}', cluster='{}', node='{}'", - tenant_uuid, cluster_uuid, node_uuid); - - return !node_uuid.empty(); -} - -void ReverseConnFilter::sendLocalReply(GenericProxy::Status status, const std::string& data) { - if (!decoder_callbacks_) { - ENVOY_LOG(error, "ReverseConnFilter: No decoder callbacks available for local reply"); - return; - } - - // Send local reply using Generic Proxy callbacks - // This will create a response frame and send it back to the client - decoder_callbacks_->sendLocalReply(status, data); - - ENVOY_LOG(debug, "ReverseConnFilter: Sent local reply with status: {}, data: {}", - static_cast(status), data); -} - -void ReverseConnFilter::saveDownstreamConnection(const std::string& node_id, - const std::string& cluster_id) { - ENVOY_LOG(debug, "ReverseConnFilter: Adding connection to upstream socket manager"); - - auto* socket_manager = getUpstreamSocketManager(); - if (!socket_manager) { - ENVOY_LOG(error, "ReverseConnFilter: Failed to get upstream socket manager"); - return; - } - - // Get connection from Generic Proxy callbacks if available, otherwise fall back to network - // callbacks - const Network::Connection* connection = nullptr; - if (decoder_callbacks_) { - connection = decoder_callbacks_->connection(); - } else if (read_callbacks_) { - connection = &read_callbacks_->connection(); - } - - if (!connection) { - ENVOY_LOG(error, "ReverseConnFilter: No connection available"); - return; - } - - const Network::ConnectionSocketPtr& original_socket = connection->getSocket(); - - if (!original_socket || !original_socket->isOpen()) { - ENVOY_LOG(error, "ReverseConnFilter: Original socket is not available or not open"); - return; - } - - // Duplicate the file descriptor - Network::IoHandlePtr duplicated_handle = original_socket->ioHandle().duplicate(); - if (!duplicated_handle || !duplicated_handle->isOpen()) { - ENVOY_LOG(error, "ReverseConnFilter: Failed to duplicate file descriptor"); - return; - } - - ENVOY_LOG(debug, - "ReverseConnFilter: Successfully duplicated file descriptor: original_fd={}, " - "duplicated_fd={}", - original_socket->ioHandle().fdDoNotUse(), duplicated_handle->fdDoNotUse()); - - // Create a new socket with the duplicated handle - Network::ConnectionSocketPtr duplicated_socket = std::make_unique( - std::move(duplicated_handle), original_socket->connectionInfoProvider().localAddress(), - original_socket->connectionSocket()->connectionInfoProvider().remoteAddress()); - - // Reset file events on the duplicated socket - duplicated_socket->ioHandle().resetFileEvents(); - - // Add the duplicated socket to the manager - socket_manager->addConnectionSocket(node_id, cluster_id, std::move(duplicated_socket), - config_->pingInterval(), false /* rebalanced */); - - ENVOY_LOG(debug, - "ReverseConnFilter: Successfully added duplicated socket to upstream socket manager"); -} - -void ReverseConnFilter::closeConnection() { - if (connection_closed_) { - return; - } - - // Get connection from Generic Proxy callbacks if available, otherwise fall back to network - // callbacks - Network::Connection* connection = nullptr; - if (decoder_callbacks_) { - connection = const_cast(decoder_callbacks_->connection()); - } else if (read_callbacks_) { - connection = &read_callbacks_->connection(); - } - - if (connection) { - ENVOY_LOG(debug, - "ReverseConnFilter: Closing connection after processing reverse connection request"); - - // Mark connection as reused - connection->setSocketReused(true); - - // Reset file events on the connection socket - if (connection->getSocket()) { - connection->getSocket()->ioHandle().resetFileEvents(); - } - - // Close the connection - connection->close(Network::ConnectionCloseType::NoFlush, "accepted_reverse_conn"); - } - - connection_closed_ = true; -} - -ReverseConnection::UpstreamSocketManager* ReverseConnFilter::getUpstreamSocketManager() { - auto* upstream_interface = - Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); - if (!upstream_interface) { - ENVOY_LOG(debug, "ReverseConnFilter: Upstream reverse socket interface not found"); - return nullptr; - } - - auto* upstream_socket_interface = - dynamic_cast(upstream_interface); - if (!upstream_socket_interface) { - ENVOY_LOG(error, "ReverseConnFilter: Failed to cast to ReverseTunnelAcceptor"); - return nullptr; - } - - auto* tls_registry = upstream_socket_interface->getLocalRegistry(); - if (!tls_registry) { - ENVOY_LOG(error, - "ReverseConnFilter: Thread local registry not found for upstream socket interface"); - return nullptr; - } - - return tls_registry->socketManager(); -} - -void ReverseConnFilter::processReverseConnectionRequest() { - ENVOY_LOG(info, "ReverseConnFilter: Processing reverse connection request"); - - // Parse protobuf payload - if (!parseProtobufPayload(request_body_, node_uuid_, cluster_uuid_, tenant_uuid_)) { - // Send rejection response - sendLocalReply(GenericProxy::Status::InvalidArgument, - "Failed to parse request message or required fields missing"); - - // Close connection after rejection - closeConnection(); - return; - } - - // Check SSL certificate for additional tenant/cluster info - const Network::Connection* connection = nullptr; - if (decoder_callbacks_) { - connection = decoder_callbacks_->connection(); - } else if (read_callbacks_) { - connection = &read_callbacks_->connection(); - } - - if (connection) { - Envoy::Ssl::ConnectionInfoConstSharedPtr ssl = connection->ssl(); - - if (ssl && ssl->peerCertificatePresented()) { - absl::Span dnsSans = ssl->dnsSansPeerCertificate(); - for (const std::string& dns : dnsSans) { - auto parts = absl::StrSplit(dns, "="); - if (parts.size() == 2) { - if (parts[0] == "tenantId") { - tenant_uuid_ = std::string(parts[1]); - } else if (parts[0] == "clusterId") { - cluster_uuid_ = std::string(parts[1]); - } - } - } - } - } - - ENVOY_LOG(info, - "ReverseConnFilter: Accepting reverse connection. tenant '{}', cluster '{}', node '{}'", - tenant_uuid_, cluster_uuid_, node_uuid_); - - // Create acceptance response - ReverseConnectionHandshake::ReverseConnHandshakeRet ret; - ret.set_status(ReverseConnectionHandshake::ReverseConnHandshakeRet::ACCEPTED); - - std::string response_body = ret.SerializeAsString(); - ENVOY_LOG(info, "ReverseConnFilter: Response body length: {}, content: '{}'", - response_body.length(), response_body); - - // Send acceptance response - sendLocalReply(GenericProxy::Status::Ok, response_body); - - // Save the connection - saveDownstreamConnection(node_uuid_, cluster_uuid_); - - // Close the connection after processing (terminal filter behavior) - closeConnection(); - - ENVOY_LOG(info, "ReverseConnFilter: Reverse connection accepted and connection closed"); -} - -} // namespace ReverseConn -} // namespace NetworkFilters -} // namespace Extensions -} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h b/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h deleted file mode 100644 index 8ee722348be5f..0000000000000 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter.h +++ /dev/null @@ -1,134 +0,0 @@ -#pragma once - -#include "envoy/network/filter.h" -#include "envoy/upstream/cluster_manager.h" - -#include "source/common/buffer/buffer_impl.h" -#include "source/common/common/logger.h" -#include "source/common/network/filter_impl.h" -#include "source/common/protobuf/protobuf.h" -#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_handshake.pb.h" -#include "source/extensions/bootstrap/reverse_tunnel/reverse_tunnel_acceptor.h" -#include "source/extensions/filters/network/generic_proxy/interface/filter.h" -#include "source/extensions/filters/network/generic_proxy/interface/stream.h" - -#include "absl/types/optional.h" - -namespace Envoy { -namespace Extensions { -namespace NetworkFilters { -namespace ReverseConn { - -namespace ReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; -namespace GenericProxy = Envoy::Extensions::NetworkFilters::GenericProxy; - -/** - * Configuration for the reverse connection network filter. - */ -class ReverseConnFilterConfig { -public: - ReverseConnFilterConfig() : ping_interval_(std::chrono::seconds(2)) {} - - std::chrono::seconds pingInterval() const { return ping_interval_; } - -private: - const std::chrono::seconds ping_interval_; -}; - -using ReverseConnFilterConfigSharedPtr = std::shared_ptr; - -/** - * Network filter that handles reverse connection acceptance/rejection using the Generic Proxy - * interface. This filter only processes POST requests to /reverse_connections/request and - * accepts/rejects reverse connections based on protobuf payload. - * - * Uses the Generic Proxy StreamFilter interface for protocol-agnostic operation. - * This is a TERMINAL filter that stops processing after handling reverse connection requests. - */ -class ReverseConnFilter : public Network::Filter, - public GenericProxy::StreamFilter, - public Logger::Loggable { -public: - ReverseConnFilter(ReverseConnFilterConfigSharedPtr config); - - // Network::Filter - Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override; - Network::FilterStatus onNewConnection() override; - Network::FilterStatus onWrite(Buffer::Instance& data, bool end_stream) override; - void initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) override; - void initializeWriteFilterCallbacks(Network::WriteFilterCallbacks& callbacks) override; - - // GenericProxy::DecoderFilter - void onDestroy() override; - void setDecoderFilterCallbacks(GenericProxy::DecoderFilterCallback& callbacks) override; - GenericProxy::HeaderFilterStatus - decodeHeaderFrame(GenericProxy::RequestHeaderFrame& request) override; - GenericProxy::CommonFilterStatus - decodeCommonFrame(GenericProxy::RequestCommonFrame& request) override; - - // GenericProxy::EncoderFilter - void setEncoderFilterCallbacks(GenericProxy::EncoderFilterCallback& callbacks) override; - GenericProxy::HeaderFilterStatus - encodeHeaderFrame(GenericProxy::ResponseHeaderFrame& response) override; - GenericProxy::CommonFilterStatus - encodeCommonFrame(GenericProxy::ResponseCommonFrame& response) override; - - // Terminal filter behavior - bool isTerminalFilter() const { return true; } - -private: - // Parse protobuf payload and extract cluster details - bool parseProtobufPayload(const std::string& payload, std::string& node_uuid, - std::string& cluster_uuid, std::string& tenant_uuid); - - // Send local reply using Generic Proxy callbacks - void sendLocalReply(GenericProxy::Status status, const std::string& data); - - // Save the connection to upstream socket manager - void saveDownstreamConnection(const std::string& node_id, const std::string& cluster_id); - - // Get the upstream socket manager from the thread-local registry - ReverseConnection::UpstreamSocketManager* getUpstreamSocketManager(); - - // Process the reverse connection request - void processReverseConnectionRequest(); - - // Check if this is a reverse connection request - bool isReverseConnectionRequest(const GenericProxy::RequestHeaderFrame& request) const; - - // Extract body from common frames - void extractRequestBody(GenericProxy::RequestCommonFrame& frame); - - // Close the connection after processing - void closeConnection(); - - ReverseConnFilterConfigSharedPtr config_; - Network::ReadFilterCallbacks* read_callbacks_{nullptr}; - Network::WriteFilterCallbacks* write_callbacks_{nullptr}; - - // Generic Proxy filter callbacks - GenericProxy::DecoderFilterCallback* decoder_callbacks_{nullptr}; - GenericProxy::EncoderFilterCallback* encoder_callbacks_{nullptr}; - - // Request data from Generic Proxy frames - std::string request_body_; - - // Request state - bool is_reverse_connection_request_{false}; - bool message_complete_{false}; - bool connection_closed_{false}; - - // Reverse connection data - std::string node_uuid_; - std::string cluster_uuid_; - std::string tenant_uuid_; - - // Constants - static const std::string REVERSE_CONNECTIONS_REQUEST_PATH; - static const std::string HTTP_POST_METHOD; -}; - -} // namespace ReverseConn -} // namespace NetworkFilters -} // namespace Extensions -} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc b/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc deleted file mode 100644 index ad93424476a32..0000000000000 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.cc +++ /dev/null @@ -1,31 +0,0 @@ -#include "source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h" - -#include "source/extensions/filters/network/reverse_conn/reverse_conn_filter.h" - -namespace Envoy { -namespace Extensions { -namespace NetworkFilters { -namespace ReverseConn { - -GenericProxy::FilterFactoryCb ReverseConnFilterConfigFactory::createFilterFactoryFromProtoTyped( - const envoy::extensions::filters::network::reverse_conn::v3::ReverseConn& proto_config, - Server::Configuration::FactoryContext& context) { - UNREFERENCED_PARAMETER(proto_config); - UNREFERENCED_PARAMETER(context); - - auto config = std::make_shared(); - - return [config](GenericProxy::FilterChainManager& filter_chain_manager) -> void { - filter_chain_manager.addFilter( - [config](GenericProxy::FilterChainFactoryCallbacks& callbacks) -> void { - callbacks.addFilter(std::make_shared(config)); - }); - }; -} - -REGISTER_FACTORY(ReverseConnFilterConfigFactory, GenericProxy::NamedFilterConfigFactory); - -} // namespace ReverseConn -} // namespace NetworkFilters -} // namespace Extensions -} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h b/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h deleted file mode 100644 index fcd498b7b8c2d..0000000000000 --- a/source/extensions/filters/network/reverse_conn/reverse_conn_filter_factory.h +++ /dev/null @@ -1,28 +0,0 @@ -#pragma once - -#include "envoy/server/filter_config.h" - -#include "source/extensions/filters/network/generic_proxy/interface/filter.h" - -namespace Envoy { -namespace Extensions { -namespace NetworkFilters { -namespace ReverseConn { - -/** - * Config registration for the reverse connection filter. - */ -class ReverseConnFilterConfigFactory : public GenericProxy::NamedFilterConfigFactory { -public: - ReverseConnFilterConfigFactory() : FactoryBase("envoy.filters.generic.reverse_conn") {} - -private: - GenericProxy::FilterFactoryCb createFilterFactoryFromProtoTyped( - const envoy::extensions::filters::network::reverse_conn::v3::ReverseConn& proto_config, - Server::Configuration::FactoryContext& context) override; -}; - -} // namespace ReverseConn -} // namespace NetworkFilters -} // namespace Extensions -} // namespace Envoy From 422584c862eb3318ade5c2f872a00cc5dfc8bb3b Mon Sep 17 00:00:00 2001 From: code Date: Mon, 15 Sep 2025 23:26:47 +0800 Subject: [PATCH 400/505] cel: add a useful re.extract test as example (#41080) Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: WangBaiping --- test/extensions/formatter/cel/cel_test.cc | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/test/extensions/formatter/cel/cel_test.cc b/test/extensions/formatter/cel/cel_test.cc index abf83f4d85a6e..9afffa779496e 100644 --- a/test/extensions/formatter/cel/cel_test.cc +++ b/test/extensions/formatter/cel/cel_test.cc @@ -363,6 +363,19 @@ TEST_F(CELFormatterTest, TestRegexExtFunctions) { EXPECT_EQ("true ", formatter->formatWithContext(formatter_context_, stream_info_)); } +TEST_F(CELFormatterTest, TestRegexExtFunctionsWithActualExtraction) { + const std::string yaml = R"EOF( + text_format_source: + inline_string: "%CEL(re.extract(request.host, '(.+?)\\\\:(\\\\d+)', '\\\\2'))%" +)EOF"; + TestUtility::loadFromYaml(yaml, config_); + + request_headers_.addCopy("host", "example.com:443"); + auto formatter = + *Envoy::Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config_, context_); + EXPECT_EQ("443", formatter->formatWithContext(formatter_context_, stream_info_)); +} + TEST_F(CELFormatterTest, TestUntypedJsonFormat) { const std::string yaml = R"EOF( json_format: From f8555ce4275e314e9da120c7ea6b58a26a40ee13 Mon Sep 17 00:00:00 2001 From: Ricardo Date: Mon, 15 Sep 2025 13:48:39 -0400 Subject: [PATCH 401/505] Update QUICHE from 6caf568e7 to c84d87b70 (#41083) https://github.com/google/quiche/compare/6caf568e7..c84d87b70 ``` $ git log 6caf568e7..c84d87b70 --date=short --no-merges --format="%ad %al %s" 2025-09-13 quiche-dev Fix 1 ClangTidyReadability finding: * using decl 'QuicFramerPeer' is unused For more info see go/clang_tidy/checks/misc-unused-using-decls 2025-09-13 quiche-dev Fix 14 ClangInliner findings: * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::ReaderMutexLock::ReaderMutexLock. (6 times) * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::WriterMutexLock::WriterMutexLock. (4 times) * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::Mutex::ReaderLock. * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::Mutex::ReaderUnlock. * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::Mutex::WriterLock. * The use of this symbol has been deprecated and marked for inlining. The function being deprecated is absl::Mutex::WriterUnlock. 2025-09-12 quiche-dev Fix 3 ClangTidyReadability findings: * return type 'const ObliviousHttpHeaderKeyConfig' is 'const'-qualified at the top level, which may reduce code readability without improving const correctness For more info see go/clang_tidy/checks/readability-const-return-type (3 times) 2025-09-11 quiche-dev Have BlindSignAuth own its dependency to BlindSignMessageInterface (1/2). 2025-09-11 vasilvv Actually fix standalone build. 2025-09-10 quiche-dev Switch QUIC client use new ALPS codepoint by default. 2025-09-10 martinduke Rename ANNOUNCE* to PUBLISH_NAMESPACE* (draft-14) 2025-09-10 martinduke Rename SUBSCRIBE_DONE to PUBLISH_DONE. (moqt-draft-14) 2025-09-10 vasilvv Fix QUICHE standalone build 2025-09-10 martinduke Move definitions to MoqtSubscribeInterface to reduce chance of circular dependencies. 2025-09-10 martinduke Write the MoQT Relay application. 2025-09-09 rch Automated g4 rollback of changelist 803740716. 2025-09-09 quiche-dev Add `BalsaHeaders::RemoveHeadersIf` to remove headers based on a predicate. 2025-09-09 martinduke Clean up Malformed Track definition per MOQT draft-14. ``` Signed-off-by: Rickyp --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 1fbc9080f1152..791c785d374be 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1277,12 +1277,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "QUICHE", project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols", project_url = "https://github.com/google/quiche", - version = "6caf568e75725d0db8c94aa03f01f17edef49982", - sha256 = "3a053e5c56392a50b7ce868b2593c19db464aebfb7af8120defbd12924bb16da", + version = "c84d87b7025c8f89f3630fa485e90dbafee304d6", + sha256 = "0a11a692849d760979b1d6e70498e33fa3587b0c05baf002dc17c274dc706ecc", urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"], strip_prefix = "quiche-{version}", use_category = ["controlplane", "dataplane_core"], - release_date = "2025-09-09", + release_date = "2025-09-14", cpe = "N/A", license = "BSD-3-Clause", license_url = "https://github.com/google/quiche/blob/{version}/LICENSE", From 8b5588380cdccab7b7a30e06d0b2b725d0ad11e3 Mon Sep 17 00:00:00 2001 From: William T Zhang Date: Mon, 15 Sep 2025 12:41:40 -0700 Subject: [PATCH 402/505] dynamic modules: support metrics with labels by defining metric vector counterparts (#41003) Commit Message: dynamic modules: support metrics with labels by defining metric vector counterparts Additional Description: Here, we define CounterVec, GaugeVec, and HistogramVec, which behave similar to how prometheus metrics are defined in [golang](https://pkg.go.dev/github.com/prometheus/client_golang/prometheus#NewCounterVec) and other languages. Label names are fixed and set on filter config initialization whereas label values are dynamically provisioned for each new Filter instance. Risk Level: Low (still in active development, feature itself would be high) Testing: Unit and Integration tests Docs Changes: N/A Release Notes: Added in changelogs Platform Specific Features: N/A Closes https://github.com/envoyproxy/envoy/issues/41002 --------- Signed-off-by: William Zhang Co-authored-by: Takeshi Yoneda --- changelogs/current.yaml | 4 +- source/extensions/dynamic_modules/abi.h | 233 +++++++++- .../extensions/dynamic_modules/abi_version.h | 2 +- .../dynamic_modules/sdk/rust/src/lib.rs | 420 ++++++++++++++++-- .../filters/http/dynamic_modules/abi_impl.cc | 297 +++++++++++-- .../filters/http/dynamic_modules/factory.cc | 2 +- .../filters/http/dynamic_modules/filter.cc | 2 +- .../filters/http/dynamic_modules/filter.h | 6 +- .../http/dynamic_modules/filter_config.cc | 6 +- .../http/dynamic_modules/filter_config.h | 176 +++++++- .../dynamic_modules/http/abi_impl_test.cc | 248 ++++++++++- .../dynamic_modules/http/filter_test.cc | 126 ++++-- .../dynamic_modules/http/integration_test.cc | 200 +++++++++ .../dynamic_modules/test_data/rust/http.rs | 96 +++- .../test_data/rust/http_integration_test.rs | 217 ++++++++- 15 files changed, 1844 insertions(+), 191 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index f1cffe57b6994..637c9c8d0f489 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -389,5 +389,7 @@ new_features: Added a new metric ``db_build_epoch`` to track the build timestamp of the MaxMind geolocation database files. This can be used to monitor the freshness of the databases currently in use by the filter. See `MaxMind DB build_epoch `_ for more details. - +- area: dynamic_modules + change: | + Added support for counters, gauges, histograms, and their vector variants to the dynamic modules API. deprecated: diff --git a/source/extensions/dynamic_modules/abi.h b/source/extensions/dynamic_modules/abi.h index 68076fea64ace..81f428ec2fcef 100644 --- a/source/extensions/dynamic_modules/abi.h +++ b/source/extensions/dynamic_modules/abi.h @@ -164,6 +164,14 @@ typedef struct { size_t length; } envoy_dynamic_module_type_envoy_buffer; +/** + * envoy_dynamic_module_type_module_buffer represents a buffer owned by the module. + */ +typedef struct { + envoy_dynamic_module_type_buffer_module_ptr ptr; + size_t length; +} envoy_dynamic_module_type_module_buffer; + /** * envoy_dynamic_module_type_module_http_header represents a key-value pair of an HTTP header owned * by the module. @@ -457,6 +465,20 @@ typedef enum { envoy_dynamic_module_type_http_callout_result_ExceedResponseBufferLimit, } envoy_dynamic_module_type_http_callout_result; +/** + * envoy_dynamic_module_type_metrics_result represents the result of the metrics operation. + * Success means the operation was successful. + * MetricNotFound means the metric was not found. This is usually an indication that a handle was + * improperly initialized or stored. InvalidLabels means the labels are invalid. Frozen means a + * metric was attempted to be created when the stats creation is frozen. + */ +typedef enum { + envoy_dynamic_module_type_metrics_result_Success, + envoy_dynamic_module_type_metrics_result_MetricNotFound, + envoy_dynamic_module_type_metrics_result_InvalidLabels, + envoy_dynamic_module_type_metrics_result_Frozen, +} envoy_dynamic_module_type_metrics_result; + // ----------------------------------------------------------------------------- // ------------------------------- Event Hooks --------------------------------- // ----------------------------------------------------------------------------- @@ -777,13 +799,38 @@ bool envoy_dynamic_module_callback_log_enabled(envoy_dynamic_module_type_log_lev * counter will be defined. * @param name is the name of the counter to be defined. * @param name_length is the length of the name. - * @return an opaque ID that represents a unique metric. This can be passed to - * envoy_dynamic_module_callback_http_filter_increment_counter together with filter_envoy_ptr - * created from filter_config_envoy_ptr. + * @param counter_id_ptr where the opaque ID that represents a unique metric will be stored. This + * can be passed to envoy_dynamic_module_callback_http_filter_increment_counter together with + * filter_envoy_ptr created from filter_config_envoy_ptr. + * @return the result of the operation. */ -size_t envoy_dynamic_module_callback_http_filter_config_define_counter( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_counter( envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, - envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length); + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, size_t* counter_id_ptr); + +/** + * envoy_dynamic_module_callback_http_filter_config_define_counter_vec is called by the module + * during initialization to create a template for generating Stats::Counters with the given name and + * labels during the lifecycle of the module. + * + * @param filter_config_envoy_ptr is the pointer to the DynamicModuleHttpFilterConfig in which the + * counter will be defined. + * @param name is the name of the counter to be defined. + * @param name_length is the length of the name. + * @param label_names is the labels of the counter to be defined. + * @param label_names_length is the length of the label_names. + * @param counter_id_ptr where the opaque ID that represents a unique metric will be stored. This + * can be passed to envoy_dynamic_module_callback_http_filter_increment_counter together with + * filter_envoy_ptr created from filter_config_envoy_ptr. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_counter_vec( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + envoy_dynamic_module_type_module_buffer* label_names, size_t label_names_length, + size_t* counter_id_ptr); /** * envoy_dynamic_module_callback_http_filter_increment_counter is called by the module to increment @@ -793,10 +840,30 @@ size_t envoy_dynamic_module_callback_http_filter_config_define_counter( * @param id is the ID of the counter previously defined using the config that created * filter_envoy_ptr * @param value is the value to increment the counter by. + * @return the result of the operation. */ -void envoy_dynamic_module_callback_http_filter_increment_counter( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_increment_counter( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); +/** + * envoy_dynamic_module_callback_http_filter_increment_counter_vec is called by the module to + * increment a previously defined counter vec. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the counter previously defined using the config that created + * filter_envoy_ptr + * @param label_values is the values of the labels to be incremented. + * @param label_values_length is the length of the label_values. + * @param value is the value to increment the counter by. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_increment_counter_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value); + /** * envoy_dynamic_module_callback_http_filter_config_define_gauge is called by the module during * initialization to create a new Stats::Gauge with the given name. @@ -805,13 +872,37 @@ void envoy_dynamic_module_callback_http_filter_increment_counter( * gauge will be defined. * @param name is the name of the gauge to be defined. * @param name_length is the length of the name. - * @return an opaque ID that represents a unique metric. This can be passed to - * envoy_dynamic_module_callback_http_filter_increment_gauge together with filter_envoy_ptr created - * from filter_config_envoy_ptr. + * @param gauge_id_ptr where the opaque ID that represents a unique metric will be stored. This can + * be passed to envoy_dynamic_module_callback_http_filter_increment_gauge together with + * filter_envoy_ptr created from filter_config_envoy_ptr. */ -size_t envoy_dynamic_module_callback_http_filter_config_define_gauge( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_gauge( envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, - envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length); + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, size_t* gauge_id_ptr); + +/** + * envoy_dynamic_module_callback_http_filter_config_define_gauge_vec is called by the module during + * initialization to create a template for generating Stats::Gauges with the given name and labels + * during the lifecycle of the module. + * + * @param filter_config_envoy_ptr is the pointer to the DynamicModuleHttpFilterConfig in which the + * gauge will be defined. + * @param name is the name of the gauge to be defined. + * @param name_length is the length of the name. + * @param label_names is the labels of the gauge to be defined. + * @param label_names_length is the length of the label_names. + * @param gauge_id_ptr where the opaque ID that represents a unique metric will be stored. This can + * be passed to envoy_dynamic_module_callback_http_filter_increment_gauge together with + * filter_envoy_ptr created from filter_config_envoy_ptr. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_gauge_vec( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + envoy_dynamic_module_type_module_buffer* label_names, size_t label_names_length, + size_t* gauge_id_ptr); /** * envoy_dynamic_module_callback_http_filter_increase_gauge is called by the module to increase the @@ -821,10 +912,29 @@ size_t envoy_dynamic_module_callback_http_filter_config_define_gauge( * @param id is the ID of the gauge previously defined using the config that created * filter_envoy_ptr * @param value is the value to increase the gauge by. + * @return the result of the operation. */ -void envoy_dynamic_module_callback_http_filter_increase_gauge( +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_increase_gauge( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); +/** + * envoy_dynamic_module_callback_http_filter_increase_gauge_vec is called by the module to increase + * the value of a previously defined gauge vec. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the gauge previously defined using the config that created + * filter_envoy_ptr + * @param label_values is the values of the labels to be increased. + * @param label_values_length is the length of the label_values. + * @param value is the value to increase the gauge by. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_increase_gauge_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value); + /** * envoy_dynamic_module_callback_http_filter_decrease_gauge is called by the module to decrease the * value of a previously defined gauge. @@ -833,10 +943,29 @@ void envoy_dynamic_module_callback_http_filter_increase_gauge( * @param id is the ID of the gauge previously defined using the config that created * filter_envoy_ptr * @param value is the value to decrease the gauge by. + * @return the result of the operation. */ -void envoy_dynamic_module_callback_http_filter_decrease_gauge( +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_decrease_gauge( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); +/** + * envoy_dynamic_module_callback_http_filter_decrease_gauge_vec is called by the module to decrease + * the value of a previously defined gauge vec. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the gauge previously defined using the config that created + * filter_envoy_ptr + * @param label_values is the values of the labels to be decreased. + * @param label_values_length is the length of the label_values. + * @param value is the value to decrease the gauge by. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_decrease_gauge_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value); + /** * envoy_dynamic_module_callback_http_filter_set_gauge is called by the module to set the value * of a previously defined gauge. @@ -845,10 +974,28 @@ void envoy_dynamic_module_callback_http_filter_decrease_gauge( * @param id is the ID of the gauge previously defined using the config that created * filter_envoy_ptr * @param value is the value to set the gauge to. + * @return the result of the operation. */ -void envoy_dynamic_module_callback_http_filter_set_gauge( +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_set_gauge( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); +/** + * envoy_dynamic_module_callback_http_filter_set_gauge_vec is called by the module to set the value + * of a previously defined gauge vec. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object. + * @param id is the ID of the gauge previously defined using the config that created + * filter_envoy_ptr + * @param label_values is the values of the labels to be set. + * @param label_values_length is the length of the label_values. + * @param value is the value to set the gauge to. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_set_gauge_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value); + /** * envoy_dynamic_module_callback_http_filter_config_define_histogram is called by the module during * initialization to create a new Stats::Histogram with the given name. @@ -857,13 +1004,38 @@ void envoy_dynamic_module_callback_http_filter_set_gauge( * histogram will be defined. * @param name is the name of the histogram to be defined. * @param name_length is the length of the name. - * @return an opaque ID that represents a unique metric. This can be passed to - * envoy_dynamic_module_callback_http_filter_increment_gauge together with filter_envoy_ptr created - * from filter_config_envoy_ptr. + * @param histogram_id_ptr where the opaque ID that represents a unique metric will be stored. This + * can be passed to envoy_dynamic_module_callback_http_filter_increment_gauge together with + * filter_envoy_ptr created from filter_config_envoy_ptr. + * @return the result of the operation. */ -size_t envoy_dynamic_module_callback_http_filter_config_define_histogram( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_histogram( envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, - envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length); + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, size_t* histogram_id_ptr); + +/** + * envoy_dynamic_module_callback_http_filter_config_define_histogram is called by the module during + * initialization to create a template for generating Stats::Histograms with the given name and + * labels during the lifecycle of the module. + * + * @param filter_config_envoy_ptr is the pointer to the DynamicModuleHttpFilterConfig in which the + * histogram will be defined. + * @param name is the name of the histogram to be defined. + * @param name_length is the length of the name. + * @param label_names is the labels of the histogram to be defined. + * @param label_names_length is the length of the label_names. + * @param histogram_id_ptr where the opaque ID that represents a unique metric will be stored. This + * can be passed to envoy_dynamic_module_callback_http_filter_increment_gauge together with + * filter_envoy_ptr created from filter_config_envoy_ptr. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_histogram_vec( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + envoy_dynamic_module_type_module_buffer* label_names, size_t label_names_length, + size_t* histogram_id_ptr); /** * envoy_dynamic_module_callback_http_filter_record_histogram_value is called by the module to @@ -874,10 +1046,31 @@ size_t envoy_dynamic_module_callback_http_filter_config_define_histogram( * @param id is the ID of the histogram previously defined using the config that created * filter_envoy_ptr * @param value is the value to record in the histogram. + * @return the result of the operation. */ -void envoy_dynamic_module_callback_http_filter_record_histogram_value( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_record_histogram_value( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value); +/** + * envoy_dynamic_module_callback_http_filter_record_histogram_value is called by the module to + * record a value in a previously defined histogram vec. + * + * @param histogram_envoy_ptr is a pointer to a histogram previously defined using + * envoy_dynamic_module_callback_http_define_histogram. + * @param id is the ID of the histogram previously defined using the config that created + * filter_envoy_ptr + * @param label_values is the values of the labels to be recorded. + * @param label_values_length is the length of the label_values. + * @param value is the value to record in the histogram. + * @return the result of the operation. + */ +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value); + // ---------------------- HTTP Header/Trailer callbacks ------------------------ /** diff --git a/source/extensions/dynamic_modules/abi_version.h b/source/extensions/dynamic_modules/abi_version.h index 3a9a55b833b84..adbaefb2f3b15 100644 --- a/source/extensions/dynamic_modules/abi_version.h +++ b/source/extensions/dynamic_modules/abi_version.h @@ -6,7 +6,7 @@ namespace DynamicModules { #endif // This is the ABI version calculated as a sha256 hash of the ABI header files. When the ABI // changes, this value must change, and the correctness of this value is checked by the test. -const char* kAbiVersion = "56b4589b9f99ce76622a82bf3972f007679c197ed5b21be1f6c723a2dd0c8237"; +const char* kAbiVersion = "065131764c2e1ee1c95d5f7700e7bc09acc7d14934fc7c09413e3a4957a7c045"; #ifdef __cplusplus } // namespace DynamicModules diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs index 7a46e96df123f..84aa963903235 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs @@ -12,6 +12,7 @@ use mockall::*; #[path = "./lib_test.rs"] mod mod_test; +use crate::abi::envoy_dynamic_module_type_metrics_result; use std::any::Any; use std::sync::OnceLock; @@ -370,13 +371,43 @@ pub trait HttpFilter { /// mapping with the Envoy Http filter config object as well as [`HttpFilterConfig`] object. pub trait EnvoyHttpFilterConfig { /// Define a new counter scoped to this filter config with the given name. - fn define_counter(&mut self, name: &str) -> EnvoyCounterId; + fn define_counter( + &mut self, + name: &str, + ) -> Result; + + // Define a new counter vec scoped to this filter config with the given name. + fn define_counter_vec( + &mut self, + name: &str, + labels: &[&str], + ) -> Result; /// Define a new gauge scoped to this filter config with the given name. - fn define_gauge(&mut self, name: &str) -> EnvoyGaugeId; + fn define_gauge( + &mut self, + name: &str, + ) -> Result; + + /// Define a new gauge vec scoped to this filter config with the given name. + fn define_gauge_vec( + &mut self, + name: &str, + labels: &[&str], + ) -> Result; /// Define a new histogram scoped to this filter config with the given name. - fn define_histogram(&mut self, name: &str) -> EnvoyHistogramId; + fn define_histogram( + &mut self, + name: &str, + ) -> Result; + + /// Define a new histogram vec scoped to this filter config with the given name. + fn define_histogram_vec( + &mut self, + name: &str, + labels: &[&str], + ) -> Result; } pub struct EnvoyHttpFilterConfigImpl { @@ -384,43 +415,127 @@ pub struct EnvoyHttpFilterConfigImpl { } impl EnvoyHttpFilterConfig for EnvoyHttpFilterConfigImpl { - fn define_counter(&mut self, name: &str) -> EnvoyCounterId { + fn define_counter( + &mut self, + name: &str, + ) -> Result { let name_ptr = name.as_ptr(); let name_size = name.len(); - let id = unsafe { + let mut id: usize = 0; + Result::from(unsafe { abi::envoy_dynamic_module_callback_http_filter_config_define_counter( self.raw_ptr, name_ptr as *const _ as *mut _, name_size, + &mut id, ) - }; - EnvoyCounterId(id) + })?; + Ok(EnvoyCounterId(id)) } - fn define_gauge(&mut self, name: &str) -> EnvoyGaugeId { + fn define_counter_vec( + &mut self, + name: &str, + labels: &[&str], + ) -> Result { let name_ptr = name.as_ptr(); let name_size = name.len(); - let id = unsafe { + let labels_ptr = labels.as_ptr(); + let labels_size = labels.len(); + let mut id: usize = 0; + Result::from(unsafe { + abi::envoy_dynamic_module_callback_http_filter_config_define_counter_vec( + self.raw_ptr, + name_ptr as *const _ as *mut _, + name_size, + labels_ptr as *const _ as *mut _, + labels_size, + &mut id, + ) + })?; + Ok(EnvoyCounterVecId(id)) + } + + fn define_gauge( + &mut self, + name: &str, + ) -> Result { + let name_ptr = name.as_ptr(); + let name_size = name.len(); + let mut id: usize = 0; + Result::from(unsafe { abi::envoy_dynamic_module_callback_http_filter_config_define_gauge( self.raw_ptr, name_ptr as *const _ as *mut _, name_size, + &mut id, ) - }; - EnvoyGaugeId(id) + })?; + Ok(EnvoyGaugeId(id)) + } + + fn define_gauge_vec( + &mut self, + name: &str, + labels: &[&str], + ) -> Result { + let name_ptr = name.as_ptr(); + let name_size = name.len(); + let labels_ptr = labels.as_ptr(); + let labels_size = labels.len(); + let mut id: usize = 0; + Result::from(unsafe { + abi::envoy_dynamic_module_callback_http_filter_config_define_gauge_vec( + self.raw_ptr, + name_ptr as *const _ as *mut _, + name_size, + labels_ptr as *const _ as *mut _, + labels_size, + &mut id, + ) + })?; + Ok(EnvoyGaugeVecId(id)) } - fn define_histogram(&mut self, name: &str) -> EnvoyHistogramId { + fn define_histogram( + &mut self, + name: &str, + ) -> Result { let name_ptr = name.as_ptr(); let name_size = name.len(); - let id = unsafe { + let mut id: usize = 0; + Result::from(unsafe { abi::envoy_dynamic_module_callback_http_filter_config_define_histogram( self.raw_ptr, name_ptr as *const _ as *mut _, name_size, + &mut id, ) - }; - EnvoyHistogramId(id) + })?; + Ok(EnvoyHistogramId(id)) + } + + fn define_histogram_vec( + &mut self, + name: &str, + labels: &[&str], + ) -> Result { + let name_ptr = name.as_ptr(); + let name_size = name.len(); + let labels_ptr = labels.as_ptr(); + let labels_size = labels.len(); + let mut id: usize = 0; + Result::from(unsafe { + abi::envoy_dynamic_module_callback_http_filter_config_define_histogram_vec( + self.raw_ptr, + name_ptr as *const _ as *mut _, + name_size, + labels_ptr as *const _ as *mut _, + labels_size, + &mut id, + ) + })?; + Ok(EnvoyHistogramVecId(id)) } } @@ -428,14 +543,26 @@ impl EnvoyHttpFilterConfig for EnvoyHttpFilterConfigImpl { #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub struct EnvoyCounterId(usize); +/// The identifier for an EnvoyCounterVec. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] +pub struct EnvoyCounterVecId(usize); + /// The identifier for an EnvoyGauge. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub struct EnvoyGaugeId(usize); +/// The identifier for an EnvoyGaugeVec. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] +pub struct EnvoyGaugeVecId(usize); + /// The identifier for an EnvoyHistogram. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub struct EnvoyHistogramId(usize); +/// The identifier for an EnvoyHistogramVec. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] +pub struct EnvoyHistogramVecId(usize); + /// An opaque object that represents the underlying Envoy Http filter. This has one to one /// mapping with the Envoy Http filter object as well as [`HttpFilter`] object per HTTP stream. /// @@ -839,19 +966,79 @@ pub trait EnvoyHttpFilter { fn new_scheduler(&self) -> Box; /// Increment the counter with the given id. - fn increment_counter(&self, id: EnvoyCounterId, value: u64); + fn increment_counter( + &self, + id: EnvoyCounterId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; + + /// Increment the counter vec with the given id. + fn increment_counter_vec<'a>( + &self, + id: EnvoyCounterVecId, + labels: &[&'a str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; /// Increase the gauge with the given id. - fn increase_gauge(&self, id: EnvoyGaugeId, value: u64); + fn increase_gauge( + &self, + id: EnvoyGaugeId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; + + /// Increase the gauge vec with the given id. + fn increase_gauge_vec<'a>( + &self, + id: EnvoyGaugeVecId, + labels: &[&'a str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; /// Decrease the gauge with the given id. - fn decrease_gauge(&self, id: EnvoyGaugeId, value: u64); + fn decrease_gauge( + &self, + id: EnvoyGaugeId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; + + /// Decrease the gauge vec with the given id. + fn decrease_gauge_vec<'a>( + &self, + id: EnvoyGaugeVecId, + labels: &[&'a str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; /// Set the value of the gauge with the given id. - fn set_gauge(&self, id: EnvoyGaugeId, value: u64); + fn set_gauge( + &self, + id: EnvoyGaugeId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; + + /// Set the value of the gauge vec with the given id. + fn set_gauge_vec<'a>( + &self, + id: EnvoyGaugeVecId, + labels: &[&'a str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; /// Record a value in the histogram with the given id. - fn record_histogram_value(&self, id: EnvoyHistogramId, value: u64); + fn record_histogram_value( + &self, + id: EnvoyHistogramId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; + + /// Record a value in the histogram vec with the given id. + fn record_histogram_value_vec<'a>( + &self, + id: EnvoyHistogramVecId, + labels: &[&'a str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result>; } /// This implements the [`EnvoyHttpFilter`] trait with the given raw pointer to the Envoy HTTP @@ -1406,44 +1593,191 @@ impl EnvoyHttpFilter for EnvoyHttpFilterImpl { } } - fn increment_counter(&self, id: EnvoyCounterId, value: u64) { + fn increment_counter( + &self, + id: EnvoyCounterId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { let EnvoyCounterId(id) = id; - unsafe { - abi::envoy_dynamic_module_callback_http_filter_increment_counter(self.raw_ptr, id, value); + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_increment_counter(self.raw_ptr, id, value) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) } } - fn increase_gauge(&self, id: EnvoyGaugeId, value: u64) { + fn increment_counter_vec( + &self, + id: EnvoyCounterVecId, + labels: &[&str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { + let EnvoyCounterVecId(id) = id; + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_increment_counter_vec( + self.raw_ptr, + id, + labels.as_ptr() as *const _ as *mut _, + labels.len(), + value, + ) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) + } + } + + fn increase_gauge( + &self, + id: EnvoyGaugeId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { let EnvoyGaugeId(id) = id; - unsafe { - abi::envoy_dynamic_module_callback_http_filter_increase_gauge(self.raw_ptr, id, value); + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_increase_gauge(self.raw_ptr, id, value) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) } } - fn decrease_gauge(&self, id: EnvoyGaugeId, value: u64) { + fn increase_gauge_vec( + &self, + id: EnvoyGaugeVecId, + labels: &[&str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { + let EnvoyGaugeVecId(id) = id; + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_increase_gauge_vec( + self.raw_ptr, + id, + labels.as_ptr() as *const _ as *mut _, + labels.len(), + value, + ) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) + } + } + + fn decrease_gauge( + &self, + id: EnvoyGaugeId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { let EnvoyGaugeId(id) = id; - unsafe { - abi::envoy_dynamic_module_callback_http_filter_decrease_gauge(self.raw_ptr, id, value); + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_decrease_gauge(self.raw_ptr, id, value) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) } } - fn set_gauge(&self, id: EnvoyGaugeId, value: u64) { + fn decrease_gauge_vec( + &self, + id: EnvoyGaugeVecId, + labels: &[&str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { + let EnvoyGaugeVecId(id) = id; + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_decrease_gauge_vec( + self.raw_ptr, + id, + labels.as_ptr() as *const _ as *mut _, + labels.len(), + value, + ) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) + } + } + + fn set_gauge( + &self, + id: EnvoyGaugeId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { let EnvoyGaugeId(id) = id; - unsafe { - abi::envoy_dynamic_module_callback_http_filter_set_gauge(self.raw_ptr, id, value); + let res = + unsafe { abi::envoy_dynamic_module_callback_http_filter_set_gauge(self.raw_ptr, id, value) }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) } } - fn record_histogram_value(&self, id: EnvoyHistogramId, value: u64) { - let EnvoyHistogramId(id) = id; - unsafe { - abi::envoy_dynamic_module_callback_http_filter_record_histogram_value( + fn set_gauge_vec( + &self, + id: EnvoyGaugeVecId, + labels: &[&str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { + let EnvoyGaugeVecId(id) = id; + let res = unsafe { + abi::envoy_dynamic_module_callback_http_filter_set_gauge_vec( self.raw_ptr, id, + labels.as_ptr() as *const _ as *mut _, + labels.len(), value, - ); + ) + }; + if res == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(res) } } + + fn record_histogram_value( + &self, + id: EnvoyHistogramId, + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { + let EnvoyHistogramId(id) = id; + Result::from(unsafe { + abi::envoy_dynamic_module_callback_http_filter_record_histogram_value(self.raw_ptr, id, value) + })?; + Ok(()) + } + + fn record_histogram_value_vec( + &self, + id: EnvoyHistogramVecId, + labels: &[&str], + value: u64, + ) -> Result<(), envoy_dynamic_module_type_metrics_result> { + let EnvoyHistogramVecId(id) = id; + Result::from(unsafe { + abi::envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + self.raw_ptr, + id, + labels.as_ptr() as *const _ as *mut _, + labels.len(), + value, + ) + })?; + Ok(()) + } } impl EnvoyHttpFilterImpl { @@ -1910,3 +2244,15 @@ unsafe extern "C" fn envoy_dynamic_module_on_http_filter_scheduled( let filter = &mut **filter; filter.on_scheduled(&mut EnvoyHttpFilterImpl::new(envoy_ptr), event_id); } + +impl From + for Result<(), envoy_dynamic_module_type_metrics_result> +{ + fn from(result: envoy_dynamic_module_type_metrics_result) -> Self { + if result == envoy_dynamic_module_type_metrics_result::Success { + Ok(()) + } else { + Err(result) + } + } +} diff --git a/source/extensions/filters/http/dynamic_modules/abi_impl.cc b/source/extensions/filters/http/dynamic_modules/abi_impl.cc index a1ea31531b59a..43929f12ac834 100644 --- a/source/extensions/filters/http/dynamic_modules/abi_impl.cc +++ b/source/extensions/filters/http/dynamic_modules/abi_impl.cc @@ -1,5 +1,3 @@ -#include - #include "source/common/http/header_map_impl.h" #include "source/common/http/message_impl.h" #include "source/common/http/utility.h" @@ -11,6 +9,23 @@ namespace Envoy { namespace Extensions { namespace DynamicModules { namespace HttpFilters { + +static Stats::StatNameTagVector +buildTagsForModuleMetric(DynamicModuleHttpFilter& filter, const Stats::StatNameVec& label_names, + envoy_dynamic_module_type_module_buffer* label_values, + size_t label_values_length) { + + ASSERT(label_values_length == label_names.size()); + Stats::StatNameTagVector tags; + tags.reserve(label_values_length); + for (size_t i = 0; i < label_values_length; i++) { + absl::string_view label_value_view(label_values[i].ptr, label_values[i].length); + auto label_value = filter.getStatNamePool().add(label_value_view); + tags.push_back(Stats::StatNameTag(label_names[i], label_value)); + } + return tags; +} + extern "C" { using HeadersMapOptConstRef = OptRef; @@ -71,81 +86,275 @@ bool getSslInfo( return true; } -size_t envoy_dynamic_module_callback_http_filter_config_define_counter( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_counter( envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, - envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length) { + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, size_t* counter_id_ptr) { auto filter_config = static_cast(filter_config_envoy_ptr); - ASSERT(!filter_config->stat_creation_frozen_); + if (filter_config->stat_creation_frozen_) { + return envoy_dynamic_module_type_metrics_result_Frozen; + } absl::string_view name_view(name, name_length); - Stats::StatNameManagedStorage storage(name_view, filter_config->stats_scope_->symbolTable()); - Stats::StatName stat_name = storage.statName(); - Stats::Counter& c = Stats::Utility::counterFromStatNames( - *filter_config->stats_scope_, {filter_config->custom_stat_namespace_, stat_name}); - return filter_config->addCounter(c); + Stats::StatName main_stat_name = filter_config->stat_name_pool_.add(name_view); + Stats::Counter& c = + Stats::Utility::counterFromStatNames(*filter_config->stats_scope_, {main_stat_name}); + *counter_id_ptr = filter_config->addCounter({c}); + return envoy_dynamic_module_type_metrics_result_Success; } -void envoy_dynamic_module_callback_http_filter_increment_counter( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_counter_vec( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + envoy_dynamic_module_type_module_buffer* label_names, size_t label_names_length, + size_t* counter_id_ptr) { + auto filter_config = static_cast(filter_config_envoy_ptr); + if (filter_config->stat_creation_frozen_) { + return envoy_dynamic_module_type_metrics_result_Frozen; + } + absl::string_view name_view(name, name_length); + Stats::StatName main_stat_name = filter_config->stat_name_pool_.add(name_view); + Stats::StatNameVec label_names_vec; + for (size_t i = 0; i < label_names_length; i++) { + absl::string_view label_name_view(label_names[i].ptr, label_names[i].length); + label_names_vec.push_back(filter_config->stat_name_pool_.add(label_name_view)); + } + *counter_id_ptr = filter_config->addCounterVec({main_stat_name, label_names_vec}); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_increment_counter( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { auto filter = static_cast(filter_envoy_ptr); - auto& counter = filter->getFilterConfig().getCounterById(id); - return counter.add(value); + auto counter = filter->getFilterConfig().getCounterById(id); + if (!counter.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + counter->add(value); + return envoy_dynamic_module_type_metrics_result_Success; } -size_t envoy_dynamic_module_callback_http_filter_config_define_gauge( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_increment_counter_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto counter = filter->getFilterConfig().getCounterVecById(id); + if (!counter.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + if (label_values_length != counter->getLabelNames().size()) { + return envoy_dynamic_module_type_metrics_result_InvalidLabels; + } + auto tags = buildTagsForModuleMetric(*filter, counter->getLabelNames(), label_values, + label_values_length); + counter->add(*filter->getFilterConfig().stats_scope_, tags, value); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_gauge( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, size_t* gauge_id_ptr) { + auto filter_config = static_cast(filter_config_envoy_ptr); + if (filter_config->stat_creation_frozen_) { + return envoy_dynamic_module_type_metrics_result_Frozen; + } + absl::string_view name_view(name, name_length); + Stats::StatName main_stat_name = filter_config->stat_name_pool_.add(name_view); + Stats::Gauge::ImportMode import_mode = + Stats::Gauge::ImportMode::Accumulate; // TODO: make this configurable? + Stats::Gauge& g = Stats::Utility::gaugeFromStatNames(*filter_config->stats_scope_, + {main_stat_name}, import_mode); + *gauge_id_ptr = filter_config->addGauge({g}); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_gauge_vec( envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, - envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length) { + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + envoy_dynamic_module_type_module_buffer* label_names, size_t label_names_length, + size_t* gauge_id_ptr) { auto filter_config = static_cast(filter_config_envoy_ptr); - ASSERT(!filter_config->stat_creation_frozen_); + if (filter_config->stat_creation_frozen_) { + return envoy_dynamic_module_type_metrics_result_Frozen; + } absl::string_view name_view(name, name_length); - Stats::StatNameManagedStorage storage(name_view, filter_config->stats_scope_->symbolTable()); - Stats::StatName stat_name = storage.statName(); - Stats::Gauge& g = Stats::Utility::gaugeFromStatNames( - *filter_config->stats_scope_, {filter_config->custom_stat_namespace_, stat_name}, - Stats::Gauge::ImportMode::Accumulate); - return filter_config->addGauge(g); + Stats::StatName main_stat_name = filter_config->stat_name_pool_.add(name_view); + Stats::Gauge::ImportMode import_mode = + Stats::Gauge::ImportMode::Accumulate; // TODO: make this configurable? + Stats::StatNameVec label_names_vec; + for (size_t i = 0; i < label_names_length; i++) { + absl::string_view label_name_view(label_names[i].ptr, label_names[i].length); + label_names_vec.push_back(filter_config->stat_name_pool_.add(label_name_view)); + } + *gauge_id_ptr = filter_config->addGaugeVec({main_stat_name, label_names_vec, import_mode}); + return envoy_dynamic_module_type_metrics_result_Success; } -void envoy_dynamic_module_callback_http_filter_increase_gauge( +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_increase_gauge( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { auto filter = static_cast(filter_envoy_ptr); - auto& gauge = filter->getFilterConfig().getGaugeById(id); - return gauge.add(value); + auto gauge = filter->getFilterConfig().getGaugeById(id); + if (!gauge.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + gauge->increase(value); + return envoy_dynamic_module_type_metrics_result_Success; } -void envoy_dynamic_module_callback_http_filter_decrease_gauge( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_increase_gauge_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto gauge = filter->getFilterConfig().getGaugeVecById(id); + if (!gauge.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + if (label_values_length != gauge->getLabelNames().size()) { + return envoy_dynamic_module_type_metrics_result_InvalidLabels; + } + auto tags = + buildTagsForModuleMetric(*filter, gauge->getLabelNames(), label_values, label_values_length); + gauge->increase(*filter->getFilterConfig().stats_scope_, tags, value); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_decrease_gauge( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { auto filter = static_cast(filter_envoy_ptr); - auto& gauge = filter->getFilterConfig().getGaugeById(id); - return gauge.sub(value); + auto gauge = filter->getFilterConfig().getGaugeById(id); + if (!gauge.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + gauge->decrease(value); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_decrease_gauge_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto gauge = filter->getFilterConfig().getGaugeVecById(id); + if (!gauge.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + if (label_values_length != gauge->getLabelNames().size()) { + return envoy_dynamic_module_type_metrics_result_InvalidLabels; + } + auto tags = + buildTagsForModuleMetric(*filter, gauge->getLabelNames(), label_values, label_values_length); + gauge->decrease(*filter->getFilterConfig().stats_scope_, tags, value); + return envoy_dynamic_module_type_metrics_result_Success; } -void envoy_dynamic_module_callback_http_filter_set_gauge( +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_set_gauge( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { auto filter = static_cast(filter_envoy_ptr); - auto& gauge = filter->getFilterConfig().getGaugeById(id); - return gauge.set(value); + auto gauge = filter->getFilterConfig().getGaugeById(id); + if (!gauge.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + gauge->set(value); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result envoy_dynamic_module_callback_http_filter_set_gauge_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto gauge = filter->getFilterConfig().getGaugeVecById(id); + if (!gauge.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + if (label_values_length != gauge->getLabelNames().size()) { + return envoy_dynamic_module_type_metrics_result_InvalidLabels; + } + auto tags = + buildTagsForModuleMetric(*filter, gauge->getLabelNames(), label_values, label_values_length); + gauge->set(*filter->getFilterConfig().stats_scope_, tags, value); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_histogram( + envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + size_t* histogram_id_ptr) { + auto filter_config = static_cast(filter_config_envoy_ptr); + if (filter_config->stat_creation_frozen_) { + return envoy_dynamic_module_type_metrics_result_Frozen; + } + absl::string_view name_view(name, name_length); + Stats::StatName main_stat_name = filter_config->stat_name_pool_.add(name_view); + Stats::Histogram::Unit unit = + Stats::Histogram::Unit::Unspecified; // TODO: make this configurable? + Stats::Histogram& h = + Stats::Utility::histogramFromStatNames(*filter_config->stats_scope_, {main_stat_name}, unit); + *histogram_id_ptr = filter_config->addHistogram({h}); + return envoy_dynamic_module_type_metrics_result_Success; } -size_t envoy_dynamic_module_callback_http_filter_config_define_histogram( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_config_define_histogram_vec( envoy_dynamic_module_type_http_filter_config_envoy_ptr filter_config_envoy_ptr, - envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length) { + envoy_dynamic_module_type_buffer_module_ptr name, size_t name_length, + envoy_dynamic_module_type_module_buffer* label_names, size_t label_names_length, + size_t* histogram_id_ptr) { auto filter_config = static_cast(filter_config_envoy_ptr); - ASSERT(!filter_config->stat_creation_frozen_); + if (filter_config->stat_creation_frozen_) { + return envoy_dynamic_module_type_metrics_result_Frozen; + } absl::string_view name_view(name, name_length); - Stats::StatNameManagedStorage storage(name_view, filter_config->stats_scope_->symbolTable()); - Stats::StatName stat_name = storage.statName(); - Stats::Histogram& h = Stats::Utility::histogramFromStatNames( - *filter_config->stats_scope_, {filter_config->custom_stat_namespace_, stat_name}, - // TODO should we allow callers to specify this? - Stats::Histogram::Unit::Unspecified); - return filter_config->addHistogram(h); + Stats::StatName main_stat_name = filter_config->stat_name_pool_.add(name_view); + Stats::Histogram::Unit unit = + Stats::Histogram::Unit::Unspecified; // TODO: make this configurable? + Stats::StatNameVec label_names_vec; + for (size_t i = 0; i < label_names_length; i++) { + absl::string_view label_name_view(label_names[i].ptr, label_names[i].length); + label_names_vec.push_back(filter_config->stat_name_pool_.add(label_name_view)); + } + *histogram_id_ptr = filter_config->addHistogramVec({main_stat_name, label_names_vec, unit}); + return envoy_dynamic_module_type_metrics_result_Success; } -void envoy_dynamic_module_callback_http_filter_record_histogram_value( +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_record_histogram_value( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, uint64_t value) { auto filter = static_cast(filter_envoy_ptr); - auto& hist = filter->getFilterConfig().getHistogramById(id); - hist.recordValue(value); + auto hist = filter->getFilterConfig().getHistogramById(id); + if (!hist.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + hist->recordValue(value); + return envoy_dynamic_module_type_metrics_result_Success; +} + +envoy_dynamic_module_type_metrics_result +envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t id, + envoy_dynamic_module_type_module_buffer* label_values, size_t label_values_length, + uint64_t value) { + auto filter = static_cast(filter_envoy_ptr); + auto hist = filter->getFilterConfig().getHistogramVecById(id); + if (!hist.has_value()) { + return envoy_dynamic_module_type_metrics_result_MetricNotFound; + } + if (label_values_length != hist->getLabelNames().size()) { + return envoy_dynamic_module_type_metrics_result_InvalidLabels; + } + auto tags = + buildTagsForModuleMetric(*filter, hist->getLabelNames(), label_values, label_values_length); + hist->recordValue(*filter->getFilterConfig().stats_scope_, tags, value); + return envoy_dynamic_module_type_metrics_result_Success; } size_t envoy_dynamic_module_callback_http_get_request_header( diff --git a/source/extensions/filters/http/dynamic_modules/factory.cc b/source/extensions/filters/http/dynamic_modules/factory.cc index c2cc1e85b652b..695814ef07f79 100644 --- a/source/extensions/filters/http/dynamic_modules/factory.cc +++ b/source/extensions/filters/http/dynamic_modules/factory.cc @@ -43,7 +43,7 @@ absl::StatusOr DynamicModuleConfigFactory::createFilterFa return [config = filter_config.value()](Http::FilterChainFactoryCallbacks& callbacks) -> void { auto filter = std::make_shared( - config); + config, config->stats_scope_->symbolTable()); filter->initializeInModuleFilter(); callbacks.addStreamFilter(filter); }; diff --git a/source/extensions/filters/http/dynamic_modules/filter.cc b/source/extensions/filters/http/dynamic_modules/filter.cc index 7ad53c5dcae3e..82e99f119ee8a 100644 --- a/source/extensions/filters/http/dynamic_modules/filter.cc +++ b/source/extensions/filters/http/dynamic_modules/filter.cc @@ -126,8 +126,8 @@ void DynamicModuleHttpFilter::sendLocalReply( Code code, absl::string_view body, std::function modify_headers, const absl::optional grpc_status, absl::string_view details) { - decoder_callbacks_->sendLocalReply(code, body, modify_headers, grpc_status, details); sent_local_reply_ = true; + decoder_callbacks_->sendLocalReply(code, body, modify_headers, grpc_status, details); } void DynamicModuleHttpFilter::encodeComplete() {}; diff --git a/source/extensions/filters/http/dynamic_modules/filter.h b/source/extensions/filters/http/dynamic_modules/filter.h index e2babeaa265e2..d7ff04554c4a5 100644 --- a/source/extensions/filters/http/dynamic_modules/filter.h +++ b/source/extensions/filters/http/dynamic_modules/filter.h @@ -18,7 +18,9 @@ class DynamicModuleHttpFilter : public Http::StreamFilter, public std::enable_shared_from_this, public Logger::Loggable { public: - DynamicModuleHttpFilter(DynamicModuleHttpFilterConfigSharedPtr config) : config_(config) {} + DynamicModuleHttpFilter(DynamicModuleHttpFilterConfigSharedPtr config, + Stats::SymbolTable& symbol_table) + : config_(config), stat_name_pool_(symbol_table) {} ~DynamicModuleHttpFilter() override; /** @@ -165,6 +167,7 @@ class DynamicModuleHttpFilter : public Http::StreamFilter, Http::RequestMessagePtr&& message, uint64_t timeout_milliseconds); const DynamicModuleHttpFilterConfig& getFilterConfig() const { return *config_; } + Stats::StatNameDynamicPool& getStatNamePool() { return stat_name_pool_; } private: /** @@ -193,6 +196,7 @@ class DynamicModuleHttpFilter : public Http::StreamFilter, const DynamicModuleHttpFilterConfigSharedPtr config_ = nullptr; envoy_dynamic_module_type_http_filter_module_ptr in_module_filter_ = nullptr; + Stats::StatNameDynamicPool stat_name_pool_; /** * This implementation of the AsyncClient::Callbacks is used to handle the response from the HTTP diff --git a/source/extensions/filters/http/dynamic_modules/filter_config.cc b/source/extensions/filters/http/dynamic_modules/filter_config.cc index fd4923f2434bb..6e63312cc5e20 100644 --- a/source/extensions/filters/http/dynamic_modules/filter_config.cc +++ b/source/extensions/filters/http/dynamic_modules/filter_config.cc @@ -9,9 +9,9 @@ DynamicModuleHttpFilterConfig::DynamicModuleHttpFilterConfig( const absl::string_view filter_name, const absl::string_view filter_config, Extensions::DynamicModules::DynamicModulePtr dynamic_module, Stats::Scope& stats_scope, Server::Configuration::ServerFactoryContext& context) - : cluster_manager_(context.clusterManager()), stats_scope_(stats_scope.createScope("")), - stat_name_pool_(stats_scope_->symbolTable()), - custom_stat_namespace_(stat_name_pool_.add(CustomStatNamespace)), filter_name_(filter_name), + : cluster_manager_(context.clusterManager()), + stats_scope_(stats_scope.createScope(std::string(CustomStatNamespace) + ".")), + stat_name_pool_(stats_scope_->symbolTable()), filter_name_(filter_name), filter_config_(filter_config), dynamic_module_(std::move(dynamic_module)) {}; DynamicModuleHttpFilterConfig::~DynamicModuleHttpFilterConfig() { diff --git a/source/extensions/filters/http/dynamic_modules/filter_config.h b/source/extensions/filters/http/dynamic_modules/filter_config.h index cf1686d9ab61e..c84a914a7a0eb 100644 --- a/source/extensions/filters/http/dynamic_modules/filter_config.h +++ b/source/extensions/filters/http/dynamic_modules/filter_config.h @@ -80,45 +80,186 @@ class DynamicModuleHttpFilterConfig { Envoy::Upstream::ClusterManager& cluster_manager_; const Stats::ScopeSharedPtr stats_scope_; Stats::StatNamePool stat_name_pool_; - const Stats::StatName custom_stat_namespace_; // We only allow the module to create stats during envoy_dynamic_module_on_http_filter_config_new, // and not later during request handling, so that we don't have to wrap the stat storage in a // lock. bool stat_creation_frozen_ = false; - size_t addCounter(Stats::Counter& counter) { + class ModuleCounterHandle { + public: + ModuleCounterHandle(Stats::Counter& counter) : counter_(counter) {} + + void add(uint64_t amount) const { counter_.add(amount); } + + private: + Stats::Counter& counter_; + }; + + class ModuleCounterVecHandle { + public: + ModuleCounterVecHandle(Stats::StatName name, Stats::StatNameVec label_names) + : name_(name), label_names_(label_names) {} + + const Stats::StatNameVec& getLabelNames() const { return label_names_; } + void add(Stats::Scope& scope, Stats::StatNameTagVectorOptConstRef tags, uint64_t amount) const { + ASSERT(tags.has_value()); + Stats::Utility::counterFromElements(scope, {name_}, tags).add(amount); + } + + private: + Stats::StatName name_; + Stats::StatNameVec label_names_; + }; + + class ModuleGaugeHandle { + public: + ModuleGaugeHandle(Stats::Gauge& gauge) : gauge_(gauge) {} + + void increase(uint64_t amount) const { gauge_.add(amount); } + void decrease(uint64_t amount) const { gauge_.sub(amount); } + void set(uint64_t amount) const { gauge_.set(amount); } + + private: + Stats::Gauge& gauge_; + }; + + class ModuleGaugeVecHandle { + public: + ModuleGaugeVecHandle(Stats::StatName name, Stats::StatNameVec label_names, + Stats::Gauge::ImportMode import_mode) + : name_(name), label_names_(label_names), import_mode_(import_mode) {} + + const Stats::StatNameVec& getLabelNames() const { return label_names_; } + + void increase(Stats::Scope& scope, Stats::StatNameTagVectorOptConstRef tags, + uint64_t amount) const { + ASSERT(tags.has_value()); + Stats::Utility::gaugeFromElements(scope, {name_}, import_mode_, tags).add(amount); + } + void decrease(Stats::Scope& scope, Stats::StatNameTagVectorOptConstRef tags, + uint64_t amount) const { + ASSERT(tags.has_value()); + Stats::Utility::gaugeFromElements(scope, {name_}, import_mode_, tags).sub(amount); + } + void set(Stats::Scope& scope, Stats::StatNameTagVectorOptConstRef tags, uint64_t amount) const { + ASSERT(tags.has_value()); + Stats::Utility::gaugeFromElements(scope, {name_}, import_mode_, tags).set(amount); + } + + private: + Stats::StatName name_; + Stats::StatNameVec label_names_; + Stats::Gauge::ImportMode import_mode_; + }; + + class ModuleHistogramHandle { + public: + ModuleHistogramHandle(Stats::Histogram& histogram) : histogram_(histogram) {} + + void recordValue(uint64_t value) const { histogram_.recordValue(value); } + + private: + Stats::Histogram& histogram_; + }; + + class ModuleHistogramVecHandle { + public: + ModuleHistogramVecHandle(Stats::StatName name, Stats::StatNameVec label_names, + Stats::Histogram::Unit unit) + : name_(name), label_names_(label_names), unit_(unit) {} + + const Stats::StatNameVec& getLabelNames() const { return label_names_; } + + void recordValue(Stats::Scope& scope, Stats::StatNameTagVectorOptConstRef tags, + uint64_t value) const { + ASSERT(tags.has_value()); + Stats::Utility::histogramFromElements(scope, {name_}, unit_, tags).recordValue(value); + } + + private: + Stats::StatName name_; + Stats::StatNameVec label_names_; + Stats::Histogram::Unit unit_; + }; + + size_t addCounter(ModuleCounterHandle&& counter) { size_t id = counters_.size(); - counters_.push_back(counter); + counters_.push_back(std::move(counter)); + return id; + } + + size_t addCounterVec(ModuleCounterVecHandle&& counter_vec) { + size_t id = counter_vecs_.size(); + counter_vecs_.push_back(std::move(counter_vec)); return id; } - Stats::Counter& getCounterById(size_t id) const { - ASSERT(id < counters_.size()); + OptRef getCounterById(size_t id) const { + if (id >= counters_.size()) { + return {}; + } return counters_[id]; } - size_t addGauge(Stats::Gauge& gauge) { + OptRef getCounterVecById(size_t id) const { + if (id >= counter_vecs_.size()) { + return {}; + } + return counter_vecs_[id]; + } + + size_t addGauge(ModuleGaugeHandle&& gauge) { size_t id = gauges_.size(); - gauges_.push_back(gauge); + gauges_.push_back(std::move(gauge)); return id; } - Stats::Gauge& getGaugeById(size_t id) const { - ASSERT(id < gauges_.size()); + size_t addGaugeVec(ModuleGaugeVecHandle&& gauge_vec) { + size_t id = gauge_vecs_.size(); + gauge_vecs_.push_back(std::move(gauge_vec)); + return id; + } + + OptRef getGaugeById(size_t id) const { + if (id >= gauges_.size()) { + return {}; + } return gauges_[id]; } - size_t addHistogram(Stats::Histogram& hist) { + OptRef getGaugeVecById(size_t id) const { + if (id >= gauge_vecs_.size()) { + return {}; + } + return gauge_vecs_[id]; + } + + size_t addHistogram(ModuleHistogramHandle&& hist) { size_t id = hists_.size(); - hists_.push_back(hist); + hists_.push_back(std::move(hist)); return id; } - Stats::Histogram& getHistogramById(size_t id) const { - ASSERT(id < hists_.size()); + OptRef getHistogramById(size_t id) const { + if (id >= hists_.size()) { + return {}; + } return hists_[id]; } + size_t addHistogramVec(ModuleHistogramVecHandle&& hist_vec) { + size_t id = hist_vecs_.size(); + hist_vecs_.push_back(std::move(hist_vec)); + return id; + } + + OptRef getHistogramVecById(size_t id) const { + if (id >= hist_vecs_.size()) { + return {}; + } + return hist_vecs_[id]; + } + private: // The name of the filter passed in the constructor. const std::string filter_name_; @@ -127,9 +268,12 @@ class DynamicModuleHttpFilterConfig { const std::string filter_config_; // The cached references to stats and their metadata. - std::vector> counters_; - std::vector> gauges_; - std::vector> hists_; + std::vector counters_; + std::vector counter_vecs_; + std::vector gauges_; + std::vector gauge_vecs_; + std::vector hists_; + std::vector hist_vecs_; // The handle for the module. Extensions::DynamicModules::DynamicModulePtr dynamic_module_; diff --git a/test/extensions/dynamic_modules/http/abi_impl_test.cc b/test/extensions/dynamic_modules/http/abi_impl_test.cc index 2b15bf61b5e31..1a79eab75c491 100644 --- a/test/extensions/dynamic_modules/http/abi_impl_test.cc +++ b/test/extensions/dynamic_modules/http/abi_impl_test.cc @@ -1,3 +1,6 @@ +#include +#include + #include "source/extensions/filters/http/dynamic_modules/filter.h" #include "test/common/stats/stat_test_utility.h" @@ -16,11 +19,12 @@ namespace HttpFilters { class DynamicModuleHttpFilterTest : public testing::Test { public: void SetUp() override { - filter_ = std::make_unique(nullptr); + filter_ = std::make_unique(nullptr, symbol_table_); filter_->setDecoderFilterCallbacks(decoder_callbacks_); filter_->setEncoderFilterCallbacks(encoder_callbacks_); } + Stats::SymbolTableImpl symbol_table_; NiceMock decoder_callbacks_; NiceMock encoder_callbacks_; Http::TestRequestHeaderMapImpl request_headers_; @@ -423,7 +427,8 @@ TEST_F(DynamicModuleHttpFilterTest, SendResponseWithBody) { } TEST(ABIImpl, metadata) { - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; const std::string namespace_str = "foo"; const std::string key_str = "key"; envoy_dynamic_module_type_buffer_module_ptr namespace_ptr = @@ -546,7 +551,8 @@ TEST(ABIImpl, metadata) { } TEST(ABIImpl, filter_state) { - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; const std::string key_str = "key"; envoy_dynamic_module_type_buffer_module_ptr key_ptr = const_cast(key_str.data()); size_t key_length = key_str.size(); @@ -595,7 +601,8 @@ bufferVectorToString(const std::vector& } TEST(ABIImpl, RequestBody) { - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; Http::MockStreamDecoderFilterCallbacks callbacks; StreamInfo::MockStreamInfo stream_info; EXPECT_CALL(callbacks, streamInfo()).WillRepeatedly(testing::ReturnRef(stream_info)); @@ -668,7 +675,8 @@ TEST(ABIImpl, RequestBody) { } TEST(ABIImpl, ResponseBody) { - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; Http::MockStreamEncoderFilterCallbacks callbacks; StreamInfo::MockStreamInfo stream_info; EXPECT_CALL(callbacks, streamInfo()).WillRepeatedly(testing::ReturnRef(stream_info)); @@ -751,7 +759,8 @@ TEST(ABIImpl, ResponseBody) { } TEST(ABIImpl, ClearRouteCache) { - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; Http::MockStreamDecoderFilterCallbacks callbacks; StreamInfo::MockStreamInfo stream_info; EXPECT_CALL(callbacks, streamInfo()).WillRepeatedly(testing::ReturnRef(stream_info)); @@ -764,8 +773,9 @@ TEST(ABIImpl, ClearRouteCache) { } TEST(ABIImpl, GetAttributes) { - DynamicModuleHttpFilter filter_without_callbacks{nullptr}; - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter_without_callbacks{nullptr, symbol_table}; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; Http::MockStreamDecoderFilterCallbacks callbacks; StreamInfo::MockStreamInfo stream_info; EXPECT_CALL(callbacks, streamInfo()).WillRepeatedly(testing::ReturnRef(stream_info)); @@ -1054,7 +1064,8 @@ TEST(ABIImpl, GetAttributes) { } TEST(ABIImpl, HttpCallout) { - DynamicModuleHttpFilter filter{nullptr}; + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter{nullptr, symbol_table}; const std::string cluster{"some_cluster"}; EXPECT_EQ(envoy_dynamic_module_callback_http_filter_http_callout( &filter, 1, const_cast(cluster.data()), cluster.size(), nullptr, 0, nullptr, @@ -1093,48 +1104,237 @@ TEST(ABIImpl, Stats) { NiceMock context; auto filter_config = std::make_shared( "some_name", "some_config", nullptr, stats_scope, context); - DynamicModuleHttpFilter filter{filter_config}; + DynamicModuleHttpFilter filter{filter_config, stats_scope.symbolTable()}; const std::string counter_name{"some_counter"}; - size_t counter_id = envoy_dynamic_module_callback_http_filter_config_define_counter( - filter_config.get(), const_cast(counter_name.data()), counter_name.size()); + size_t counter_id; + auto result = envoy_dynamic_module_callback_http_filter_config_define_counter( + filter_config.get(), const_cast(counter_name.data()), counter_name.size(), + &counter_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); Stats::CounterOptConstRef counter = stats_store.findCounterByString("dynamicmodulescustom.some_counter"); EXPECT_TRUE(counter.has_value()); EXPECT_EQ(counter->get().value(), 0); - envoy_dynamic_module_callback_http_filter_increment_counter(&filter, counter_id, 10); + result = envoy_dynamic_module_callback_http_filter_increment_counter(&filter, counter_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(counter->get().value(), 10); - envoy_dynamic_module_callback_http_filter_increment_counter(&filter, counter_id, 42); + result = envoy_dynamic_module_callback_http_filter_increment_counter(&filter, counter_id, 42); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(counter->get().value(), 52); + const std::string counter_vec_name{"some_counter_vec"}; + const std::string counter_vec_label_name{"some_label"}; + std::vector counter_vec_labels = { + {const_cast(counter_vec_label_name.data()), counter_vec_label_name.size()}, + }; + size_t counter_vec_id; + result = envoy_dynamic_module_callback_http_filter_config_define_counter_vec( + filter_config.get(), const_cast(counter_vec_name.data()), counter_vec_name.size(), + counter_vec_labels.data(), counter_vec_labels.size(), &counter_vec_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + + const std::string counter_vec_label_value{"some_value"}; + std::vector counter_vec_labels_values = { + {const_cast(counter_vec_label_value.data()), counter_vec_label_value.size()}, + }; + result = envoy_dynamic_module_callback_http_filter_increment_counter_vec( + &filter, counter_vec_id, counter_vec_labels_values.data(), counter_vec_labels_values.size(), + 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + Stats::CounterOptConstRef counter_vec = stats_store.findCounterByString( + "dynamicmodulescustom.some_counter_vec.some_label.some_value"); + EXPECT_TRUE(counter_vec.has_value()); + EXPECT_EQ(counter_vec->get().value(), 10); + result = envoy_dynamic_module_callback_http_filter_increment_counter_vec( + &filter, counter_vec_id, counter_vec_labels_values.data(), counter_vec_labels_values.size(), + 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + EXPECT_EQ(counter_vec->get().value(), 20); + result = envoy_dynamic_module_callback_http_filter_increment_counter_vec( + &filter, counter_vec_id, counter_vec_labels_values.data(), counter_vec_labels_values.size(), + 42); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + EXPECT_EQ(counter_vec->get().value(), 62); + const std::string gauge_name{"some_gauge"}; - size_t gauge_id = envoy_dynamic_module_callback_http_filter_config_define_gauge( - filter_config.get(), const_cast(gauge_name.data()), gauge_name.size()); + size_t gauge_id; + result = envoy_dynamic_module_callback_http_filter_config_define_gauge( + filter_config.get(), const_cast(gauge_name.data()), gauge_name.size(), &gauge_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); Stats::GaugeOptConstRef gauge = stats_store.findGaugeByString("dynamicmodulescustom.some_gauge"); EXPECT_TRUE(gauge.has_value()); EXPECT_EQ(gauge->get().value(), 0); - envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, gauge_id, 10); + result = envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, gauge_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(gauge->get().value(), 10); - envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, gauge_id, 42); + result = envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, gauge_id, 42); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(gauge->get().value(), 52); - envoy_dynamic_module_callback_http_filter_decrease_gauge(&filter, gauge_id, 50); + result = envoy_dynamic_module_callback_http_filter_decrease_gauge(&filter, gauge_id, 50); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(gauge->get().value(), 2); - envoy_dynamic_module_callback_http_filter_set_gauge(&filter, gauge_id, 9001); + result = envoy_dynamic_module_callback_http_filter_set_gauge(&filter, gauge_id, 9001); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(gauge->get().value(), 9001); + const std::string gauge_vec_name{"some_gauge_vec"}; + const std::string gauge_vec_label_name{"some_label"}; + std::vector gauge_vec_labels = { + {const_cast(gauge_vec_label_name.data()), gauge_vec_label_name.size()}, + }; + size_t gauge_vec_id; + result = envoy_dynamic_module_callback_http_filter_config_define_gauge_vec( + filter_config.get(), const_cast(gauge_vec_name.data()), gauge_vec_name.size(), + gauge_vec_labels.data(), gauge_vec_labels.size(), &gauge_vec_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + + const std::string gauge_vec_label_value{"some_value"}; + std::vector gauge_vec_labels_values = { + {const_cast(gauge_vec_label_value.data()), gauge_vec_label_value.size()}, + }; + result = envoy_dynamic_module_callback_http_filter_increase_gauge_vec( + &filter, gauge_vec_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + Stats::GaugeOptConstRef gauge_vec = + stats_store.findGaugeByString("dynamicmodulescustom.some_gauge_vec.some_label.some_value"); + EXPECT_TRUE(gauge_vec.has_value()); + EXPECT_EQ(gauge_vec->get().value(), 10); + result = envoy_dynamic_module_callback_http_filter_increase_gauge_vec( + &filter, gauge_vec_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + EXPECT_EQ(gauge_vec->get().value(), 20); + result = envoy_dynamic_module_callback_http_filter_decrease_gauge_vec( + &filter, gauge_vec_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 12); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + EXPECT_EQ(gauge_vec->get().value(), 8); + result = envoy_dynamic_module_callback_http_filter_set_gauge_vec( + &filter, gauge_vec_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 9001); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + EXPECT_EQ(gauge_vec->get().value(), 9001); + const std::string histogram_name{"some_histogram"}; - size_t histogram_id = envoy_dynamic_module_callback_http_filter_config_define_histogram( - filter_config.get(), const_cast(histogram_name.data()), histogram_name.size()); + size_t histogram_id; + result = envoy_dynamic_module_callback_http_filter_config_define_histogram( + filter_config.get(), const_cast(histogram_name.data()), histogram_name.size(), + &histogram_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); Stats::HistogramOptConstRef histogram = stats_store.findHistogramByString("dynamicmodulescustom.some_histogram"); EXPECT_TRUE(histogram.has_value()); EXPECT_FALSE(stats_store.histogramRecordedValues("dynamicmodulescustom.some_histogram")); - envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, histogram_id, 10); + result = + envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, histogram_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.some_histogram", false), (std::vector{10})); - envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, histogram_id, 42); + result = + envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, histogram_id, 42); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.some_histogram", false), (std::vector{10, 42})); + + const std::string histogram_vec_name{"some_histogram_vec"}; + const std::string histogram_vec_label_name{"some_label"}; + std::vector histogram_vec_labels = { + {const_cast(histogram_vec_label_name.data()), histogram_vec_label_name.size()}, + }; + size_t histogram_vec_id; + result = envoy_dynamic_module_callback_http_filter_config_define_histogram_vec( + filter_config.get(), const_cast(histogram_vec_name.data()), histogram_vec_name.size(), + histogram_vec_labels.data(), histogram_vec_labels.size(), &histogram_vec_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + + const std::string histogram_vec_label_value{"some_value"}; + std::vector histogram_vec_labels_values = { + {const_cast(histogram_vec_label_value.data()), histogram_vec_label_value.size()}, + }; + result = envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + &filter, histogram_vec_id, histogram_vec_labels_values.data(), + histogram_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + Stats::HistogramOptConstRef histogram_vec = stats_store.findHistogramByString( + "dynamicmodulescustom.some_histogram_vec.some_label.some_value"); + EXPECT_TRUE(histogram_vec.has_value()); + EXPECT_EQ(stats_store.histogramValues( + "dynamicmodulescustom.some_histogram_vec.some_label.some_value", false), + (std::vector{10})); + result = envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + &filter, histogram_vec_id, histogram_vec_labels_values.data(), + histogram_vec_labels_values.size(), 42); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Success); + EXPECT_EQ(stats_store.histogramValues( + "dynamicmodulescustom.some_histogram_vec.some_label.some_value", false), + (std::vector{10, 42})); + + // test using invalid stat id + size_t invalid_stat_id = 9999; + result = + envoy_dynamic_module_callback_http_filter_increment_counter(&filter, invalid_stat_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_increment_counter_vec( + &filter, invalid_stat_id, counter_vec_labels_values.data(), counter_vec_labels_values.size(), + 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_increase_gauge(&filter, invalid_stat_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_decrease_gauge(&filter, invalid_stat_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_set_gauge(&filter, invalid_stat_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_increase_gauge_vec( + &filter, invalid_stat_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_decrease_gauge_vec( + &filter, invalid_stat_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_set_gauge_vec( + &filter, invalid_stat_id, gauge_vec_labels_values.data(), gauge_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_record_histogram_value(&filter, + invalid_stat_id, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + result = envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + &filter, invalid_stat_id, histogram_vec_labels_values.data(), + histogram_vec_labels_values.size(), 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_MetricNotFound); + + // test using invalid labels + result = envoy_dynamic_module_callback_http_filter_increment_counter_vec(&filter, counter_vec_id, + {}, 0, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_InvalidLabels); + result = envoy_dynamic_module_callback_http_filter_increase_gauge_vec(&filter, gauge_vec_id, {}, + 0, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_InvalidLabels); + result = envoy_dynamic_module_callback_http_filter_record_histogram_value_vec( + &filter, histogram_vec_id, {}, 0, 10); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_InvalidLabels); + + // test stat creation after freezing + filter_config->stat_creation_frozen_ = true; + result = envoy_dynamic_module_callback_http_filter_config_define_counter( + filter_config.get(), const_cast(counter_name.data()), counter_name.size(), + &counter_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Frozen); + result = envoy_dynamic_module_callback_http_filter_config_define_counter_vec( + filter_config.get(), const_cast(counter_vec_name.data()), counter_vec_name.size(), + counter_vec_labels.data(), counter_vec_labels.size(), &counter_vec_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Frozen); + result = envoy_dynamic_module_callback_http_filter_config_define_gauge( + filter_config.get(), const_cast(gauge_name.data()), gauge_name.size(), &gauge_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Frozen); + result = envoy_dynamic_module_callback_http_filter_config_define_gauge_vec( + filter_config.get(), const_cast(gauge_vec_name.data()), gauge_vec_name.size(), + gauge_vec_labels.data(), gauge_vec_labels.size(), &gauge_vec_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Frozen); + result = envoy_dynamic_module_callback_http_filter_config_define_histogram( + filter_config.get(), const_cast(histogram_name.data()), histogram_name.size(), + &histogram_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Frozen); + result = envoy_dynamic_module_callback_http_filter_config_define_histogram_vec( + filter_config.get(), const_cast(histogram_vec_name.data()), histogram_vec_name.size(), + histogram_vec_labels.data(), histogram_vec_labels.size(), &histogram_vec_id); + EXPECT_EQ(result, envoy_dynamic_module_type_metrics_result_Frozen); } } // namespace HttpFilters diff --git a/test/extensions/dynamic_modules/http/filter_test.cc b/test/extensions/dynamic_modules/http/filter_test.cc index 6e49cc01a3234..687e5d43ae465 100644 --- a/test/extensions/dynamic_modules/http/filter_test.cc +++ b/test/extensions/dynamic_modules/http/filter_test.cc @@ -34,7 +34,8 @@ TEST_P(DynamicModuleTestLanguages, Nop) { *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_store.symbolTable()); filter->initializeInModuleFilter(); // The followings are mostly for coverage at the moment. @@ -94,7 +95,8 @@ TEST(DynamicModulesTest, StatsCallbacks) { filter_name, filter_config, std::move(dynamic_module.value()), stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope.symbolTable()); filter->initializeInModuleFilter(); Stats::CounterOptConstRef counter = @@ -114,6 +116,29 @@ TEST(DynamicModulesTest, StatsCallbacks) { EXPECT_TRUE(histogram.has_value()); EXPECT_FALSE(stats_store.histogramRecordedValues("dynamicmodulescustom.ones")); + Stats::CounterOptConstRef counter_vec_increment = + stats_store.findCounterByString("dynamicmodulescustom.test_counter_vec.test_label.increment"); + EXPECT_TRUE(counter_vec_increment.has_value()); + EXPECT_EQ(counter_vec_increment->get().value(), 1); + Stats::GaugeOptConstRef gauge_vec_increase = + stats_store.findGaugeByString("dynamicmodulescustom.test_gauge_vec.test_label.increase"); + EXPECT_TRUE(gauge_vec_increase.has_value()); + EXPECT_EQ(gauge_vec_increase->get().value(), 1); + Stats::GaugeOptConstRef gauge_vec_decrease = + stats_store.findGaugeByString("dynamicmodulescustom.test_gauge_vec.test_label.decrease"); + EXPECT_TRUE(gauge_vec_decrease.has_value()); + EXPECT_EQ(gauge_vec_decrease->get().value(), 2); + Stats::GaugeOptConstRef gauge_vec_set = + stats_store.findGaugeByString("dynamicmodulescustom.test_gauge_vec.test_label.set"); + EXPECT_TRUE(gauge_vec_set.has_value()); + EXPECT_EQ(gauge_vec_set->get().value(), 9001); + Stats::HistogramOptConstRef histogram_vec_record = stats_store.findHistogramByString( + "dynamicmodulescustom.test_histogram_vec.test_label.record"); + EXPECT_TRUE(histogram_vec_record.has_value()); + EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.test_histogram_vec.test_label.record", + false), + (std::vector{1})); + Http::MockStreamDecoderFilterCallbacks decoder_callbacks; StreamInfo::MockStreamInfo stream_info; EXPECT_CALL(decoder_callbacks, streamInfo()).WillRepeatedly(testing::ReturnRef(stream_info)); @@ -122,12 +147,28 @@ TEST(DynamicModulesTest, StatsCallbacks) { Http::MockStreamEncoderFilterCallbacks encoder_callbacks; filter->setEncoderFilterCallbacks(encoder_callbacks); - std::initializer_list> headers = {}; + std::initializer_list> headers = {{"header", "header_value"}}; Http::TestRequestHeaderMapImpl request_headers{headers}; Http::TestRequestTrailerMapImpl request_trailers{headers}; Http::TestResponseHeaderMapImpl response_headers{headers}; Http::TestResponseTrailerMapImpl response_trailers{headers}; + EXPECT_CALL(decoder_callbacks, requestHeaders()) + .WillRepeatedly(testing::Return(makeOptRef(request_headers))); + EXPECT_EQ(FilterHeadersStatus::Continue, filter->decodeHeaders(request_headers, false)); + Stats::CounterOptConstRef counter_vec_header = stats_store.findCounterByString( + "dynamicmodulescustom.test_counter_vec.test_label.header_value"); + EXPECT_EQ(counter_vec_header->get().value(), 1); + Stats::GaugeOptConstRef gauge_vec_header = + stats_store.findGaugeByString("dynamicmodulescustom.test_gauge_vec.test_label.header_value"); + EXPECT_EQ(gauge_vec_header->get().value(), 1); + Stats::HistogramOptConstRef histogram_vec_header = stats_store.findHistogramByString( + "dynamicmodulescustom.test_histogram_vec.test_label.header_value"); + EXPECT_TRUE(histogram_vec_header.has_value()); + EXPECT_EQ(stats_store.histogramValues( + "dynamicmodulescustom.test_histogram_vec.test_label.header_value", false), + (std::vector{1})); + EXPECT_EQ(FilterTrailersStatus::Continue, filter->decodeTrailers(request_trailers)); EXPECT_EQ(FilterHeadersStatus::Continue, filter->encodeHeaders(response_headers, false)); EXPECT_EQ(FilterTrailersStatus::Continue, filter->encodeTrailers(response_trailers)); @@ -141,7 +182,18 @@ TEST(DynamicModulesTest, StatsCallbacks) { EXPECT_EQ(gauge->get().value(), 0); EXPECT_EQ(stats_store.histogramValues("dynamicmodulescustom.ones", false), (std::vector{1})); - + Stats::CounterOptConstRef counter_vec_local_var = + stats_store.findCounterByString("dynamicmodulescustom.test_counter_vec.test_label.local_var"); + EXPECT_EQ(counter_vec_local_var->get().value(), 1); + Stats::GaugeOptConstRef gauge_vec_local_var = + stats_store.findGaugeByString("dynamicmodulescustom.test_gauge_vec.test_label.local_var"); + EXPECT_EQ(gauge_vec_local_var->get().value(), 1); + Stats::HistogramOptConstRef histogram_vec_local_var = stats_store.findHistogramByString( + "dynamicmodulescustom.test_histogram_vec.test_label.local_var"); + EXPECT_TRUE(histogram_vec_local_var.has_value()); + EXPECT_EQ(stats_store.histogramValues( + "dynamicmodulescustom.test_histogram_vec.test_label.local_var", false), + (std::vector{1})); filter->onDestroy(); } @@ -163,7 +215,8 @@ TEST(DynamicModulesTest, HeaderCallbacks) { *stats_store.createScope(""), context); EXPECT_TRUE(filter_config_or_status.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_store.symbolTable()); filter->initializeInModuleFilter(); Http::MockStreamDecoderFilterCallbacks decoder_callbacks; @@ -218,13 +271,14 @@ TEST(DynamicModulesTest, DynamicMetadataCallbacks) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); auto route = std::make_shared>(); @@ -300,13 +354,14 @@ TEST(DynamicModulesTest, FilterStateCallbacks) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); Http::MockStreamDecoderFilterCallbacks callbacks; @@ -376,13 +431,14 @@ TEST(DynamicModulesTest, BodyCallbacks) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); Http::MockStreamDecoderFilterCallbacks decoder_callbacks; @@ -443,6 +499,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_non_existing_cluster) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -454,12 +511,12 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_non_existing_cluster) { .WillOnce(testing::Return(nullptr)); auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); Http::MockStreamDecoderFilterCallbacks callbacks; - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); filter->setDecoderFilterCallbacks(callbacks); EXPECT_CALL(callbacks, sendLocalReply(Http::Code::InternalServerError, _, _, _, _)); @@ -481,6 +538,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_immediate_failing_cluster) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -490,8 +548,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_immediate_failing_cluster) { const std::string filter_config = "immediate_failing_cluster"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); std::shared_ptr cluster = @@ -511,7 +568,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_immediate_failing_cluster) { })); Http::MockStreamDecoderFilterCallbacks callbacks; - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); filter->setDecoderFilterCallbacks(callbacks); EXPECT_CALL(callbacks, sendLocalReply(Http::Code::InternalServerError, _, _, _, _)); @@ -533,6 +591,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_success) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -542,8 +601,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_success) { const std::string filter_config = "success_cluster"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); std::shared_ptr cluster = @@ -567,7 +625,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_success) { })); Http::MockStreamDecoderFilterCallbacks callbacks; - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); filter->setDecoderFilterCallbacks(callbacks); EXPECT_CALL(callbacks, sendLocalReply(Http::Code::OK, _, _, _, _)); @@ -601,6 +660,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_resetting) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -610,8 +670,7 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_resetting) { const std::string filter_config = "resetting_cluster"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); std::shared_ptr cluster = @@ -629,7 +688,8 @@ TEST(DynamicModulesTest, HttpFilterHttpCallout_resetting) { return &request; })); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); filter->initializeInModuleFilter(); TestRequestHeaderMapImpl headers{{}}; @@ -653,6 +713,7 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { NiceMock context; Stats::IsolatedStoreImpl stats_store; + auto stats_scope = stats_store.createScope(""); Upstream::MockClusterManager cluster_manager; NiceMock thread_local_cluster; EXPECT_CALL(cluster_manager, getThreadLocalCluster(_)) @@ -662,8 +723,7 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { const std::string filter_config = "listener config"; auto filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpFilterConfig( - filter_name, filter_config, std::move(dynamic_module.value()), - *stats_store.createScope(""), context); + filter_name, filter_config, std::move(dynamic_module.value()), *stats_scope, context); EXPECT_TRUE(filter_config_or_status.ok()); auto dynamic_module_for_route = @@ -673,7 +733,8 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { } EXPECT_TRUE(dynamic_module_for_route.ok()); - auto filter = std::make_shared(filter_config_or_status.value()); + auto filter = std::make_shared(filter_config_or_status.value(), + stats_scope->symbolTable()); NiceMock decoder_callbacks; NiceMock encoder_callbacks; @@ -685,8 +746,8 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { // Now simulate a per-route config that is very short lived, and verify that the filter doesn't // segfaults if it uses it after after it discarded. { - // do all per-route config in an inner scope to make sure the is destroyed before the filter - // response headers is called. + // do all per-route config in an inner scope to make sure the per-route config is destroyed + // before the filter response headers is called. const std::string route_filter_config_str = "router config"; auto route_filter_config_or_status = Envoy::Extensions::DynamicModules::HttpFilters::newDynamicModuleHttpPerRouteConfig( @@ -717,7 +778,8 @@ TEST(DynamicModulesTest, HttpFilterPerFilterConfigLifetimes) { } TEST(HttpFilter, HeaderMapGetter) { - DynamicModuleHttpFilter filter(nullptr); + Stats::SymbolTableImpl symbol_table; + DynamicModuleHttpFilter filter(nullptr, symbol_table); EXPECT_EQ(absl::nullopt, filter.requestHeaders()); EXPECT_EQ(absl::nullopt, filter.requestTrailers()); diff --git a/test/extensions/dynamic_modules/http/integration_test.cc b/test/extensions/dynamic_modules/http/integration_test.cc index f1c8380b7f4d5..e0b144754752f 100644 --- a/test/extensions/dynamic_modules/http/integration_test.cc +++ b/test/extensions/dynamic_modules/http/integration_test.cc @@ -406,4 +406,204 @@ TEST_P(DynamicModulesIntegrationTest, FakeExternalCache) { } } +TEST_P(DynamicModulesIntegrationTest, StatsCallbacks) { + initializeFilter("stats_callbacks", "header_to_count,header_to_set"); + codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); + + // End-to-end request + { + Http::TestRequestHeaderMapImpl request_headers = default_request_headers_; + request_headers.addCopy(Http::LowerCaseString("header_to_count"), "3"); + request_headers.addCopy(Http::LowerCaseString("header_to_set"), "100"); + auto encoder_decoder = codec_client_->startRequest(request_headers, true); + auto response = std::move(encoder_decoder.second); + waitForNextUpstreamRequest(); + test_server_->waitUntilHistogramHasSamples("dynamicmodulescustom.requests_header_values"); + + EXPECT_EQ(test_server_->counter("dynamicmodulescustom.requests_total")->value(), 1); + EXPECT_EQ(test_server_->gauge("dynamicmodulescustom.requests_pending")->value(), 1); + EXPECT_EQ(test_server_->gauge("dynamicmodulescustom.requests_set_value")->value(), 100); + auto requests_header_values = + test_server_->histogram("dynamicmodulescustom.requests_header_values"); + EXPECT_EQ( + TestUtility::readSampleCount(test_server_->server().dispatcher(), *requests_header_values), + 1); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *requests_header_values)), + 3); + + EXPECT_EQ( + test_server_ + ->counter( + "dynamicmodulescustom.entrypoint_total.entrypoint.on_request_headers.method.GET") + ->value(), + 1); + EXPECT_EQ( + test_server_ + ->gauge( + "dynamicmodulescustom.entrypoint_pending.entrypoint.on_request_headers.method.GET") + ->value(), + 1); + EXPECT_EQ(test_server_ + ->gauge("dynamicmodulescustom.entrypoint_set_value.entrypoint.on_request_headers." + "method.GET") + ->value(), + 100); + auto request_entrypoint_header_values = test_server_->histogram( + "dynamicmodulescustom.entrypoint_header_values.entrypoint.on_request_headers.method.GET"); + EXPECT_EQ(TestUtility::readSampleCount(test_server_->server().dispatcher(), + *request_entrypoint_header_values), + 1); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *request_entrypoint_header_values)), + 3); + + Http::TestResponseHeaderMapImpl response_headers = default_response_headers_; + response_headers.addCopy(Http::LowerCaseString("header_to_count"), "3"); + response_headers.addCopy(Http::LowerCaseString("header_to_set"), "999"); + upstream_request_->encodeHeaders(response_headers, false); + response->waitForHeaders(); + test_server_->waitUntilHistogramHasSamples( + "dynamicmodulescustom.entrypoint_header_values.entrypoint.on_response_headers.method.GET"); + + EXPECT_EQ("200", response->headers().Status()->value().getStringView()); + + EXPECT_EQ( + test_server_ + ->counter( + "dynamicmodulescustom.entrypoint_total.entrypoint.on_response_headers.method.GET") + ->value(), + 1); + EXPECT_EQ( + test_server_ + ->gauge( + "dynamicmodulescustom.entrypoint_pending.entrypoint.on_response_headers.method.GET") + ->value(), + 1); + EXPECT_EQ(test_server_ + ->gauge("dynamicmodulescustom.entrypoint_set_value.entrypoint.on_response_" + "headers.method.GET") + ->value(), + 999); + auto response_entrypoint_header_values = test_server_->histogram( + "dynamicmodulescustom.entrypoint_header_values.entrypoint.on_response_headers.method.GET"); + EXPECT_EQ(TestUtility::readSampleCount(test_server_->server().dispatcher(), + *response_entrypoint_header_values), + 1); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *response_entrypoint_header_values)), + 3); + + Buffer::OwnedImpl response_data("goodbye"); + upstream_request_->encodeData(response_data, true); + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_TRUE(response->complete()); + + EXPECT_EQ( + test_server_ + ->gauge( + "dynamicmodulescustom.entrypoint_pending.entrypoint.on_response_headers.method.GET") + ->value(), + 0); + + // Check if stats preserved within filter + EXPECT_EQ( + test_server_ + ->counter( + "dynamicmodulescustom.entrypoint_total.entrypoint.on_request_headers.method.GET") + ->value(), + 1); + EXPECT_EQ( + test_server_ + ->gauge( + "dynamicmodulescustom.entrypoint_pending.entrypoint.on_request_headers.method.GET") + ->value(), + 0); + EXPECT_EQ(test_server_ + ->gauge("dynamicmodulescustom.entrypoint_set_value.entrypoint.on_request_headers." + "method.GET") + ->value(), + 100); + EXPECT_EQ(TestUtility::readSampleCount(test_server_->server().dispatcher(), + *request_entrypoint_header_values), + 1); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *request_entrypoint_header_values)), + 3); + EXPECT_EQ( + test_server_ + ->counter( + "dynamicmodulescustom.entrypoint_total.entrypoint.on_response_headers.method.GET") + ->value(), + 1); + EXPECT_EQ(test_server_ + ->gauge("dynamicmodulescustom.entrypoint_set_value.entrypoint.on_response_" + "headers.method.GET") + ->value(), + 999); + EXPECT_EQ(TestUtility::readSampleCount(test_server_->server().dispatcher(), + *response_entrypoint_header_values), + 1); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *response_entrypoint_header_values)), + 3); + } + + // Test stat values persisted after filter is destroyed + { + Http::TestRequestHeaderMapImpl request_headers = default_request_headers_; + request_headers.addCopy(Http::LowerCaseString("header_to_count"), "13"); + auto encoder_decoder = codec_client_->startRequest(request_headers, true); + auto response = std::move(encoder_decoder.second); + waitForNextUpstreamRequest(); + test_server_->waitForNumHistogramSamplesGe("dynamicmodulescustom.requests_header_values", 2); + + EXPECT_EQ(test_server_->counter("dynamicmodulescustom.requests_total")->value(), 2); + EXPECT_EQ(test_server_->gauge("dynamicmodulescustom.requests_pending")->value(), 1); + EXPECT_EQ(test_server_->gauge("dynamicmodulescustom.requests_set_value")->value(), + 100); // set above in first request + auto requests_header_values = + test_server_->histogram("dynamicmodulescustom.requests_header_values"); + EXPECT_EQ( + TestUtility::readSampleCount(test_server_->server().dispatcher(), *requests_header_values), + 2); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *requests_header_values)), + 3 + 13); + + EXPECT_EQ( + test_server_ + ->counter( + "dynamicmodulescustom.entrypoint_total.entrypoint.on_request_headers.method.GET") + ->value(), + 2); + EXPECT_EQ( + test_server_ + ->gauge( + "dynamicmodulescustom.entrypoint_pending.entrypoint.on_request_headers.method.GET") + ->value(), + 1); + EXPECT_EQ(test_server_ + ->gauge("dynamicmodulescustom.entrypoint_set_value.entrypoint.on_request_headers." + "method.GET") + ->value(), + 100); // set above in first request + auto request_entrypoint_header_values = test_server_->histogram( + "dynamicmodulescustom.entrypoint_header_values.entrypoint.on_request_headers.method.GET"); + EXPECT_EQ(TestUtility::readSampleCount(test_server_->server().dispatcher(), + *request_entrypoint_header_values), + 2); + EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), + *request_entrypoint_header_values)), + 3 + 13); + + Http::TestResponseHeaderMapImpl response_headers = default_response_headers_; + response_headers.addCopy(Http::LowerCaseString("header_to_count"), "5"); + response_headers.addCopy(Http::LowerCaseString("header_to_set"), "1000"); + upstream_request_->encodeHeaders(response_headers, true); + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_TRUE(response->complete()); + } +} + } // namespace Envoy diff --git a/test/extensions/dynamic_modules/test_data/rust/http.rs b/test/extensions/dynamic_modules/test_data/rust/http.rs index 9ab325f3383a2..6a1c87e2a8976 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http.rs @@ -20,10 +20,27 @@ fn new_http_filter_config_fn( ) -> Option>> { match name { "stats_callbacks" => Some(Box::new(StatsCallbacksFilterConfig { - streams_total: envoy_filter_config.define_counter("streams_total"), - concurrent_streams: envoy_filter_config.define_gauge("concurrent_streams"), - ones: envoy_filter_config.define_histogram("ones"), - magic_number: envoy_filter_config.define_gauge("magic_number"), + streams_total: envoy_filter_config + .define_counter("streams_total") + .expect("failed to define counter"), + concurrent_streams: envoy_filter_config + .define_gauge("concurrent_streams") + .expect("failed to define gauge"), + ones: envoy_filter_config + .define_histogram("ones") + .expect("failed to define histogram"), + magic_number: envoy_filter_config + .define_gauge("magic_number") + .expect("failed to define gauge"), + test_counter_vec: envoy_filter_config + .define_counter_vec("test_counter_vec", &["test_label"]) + .expect("failed to define counter vec"), + test_gauge_vec: envoy_filter_config + .define_gauge_vec("test_gauge_vec", &["test_label"]) + .expect("failed to define gauge vec"), + test_histogram_vec: envoy_filter_config + .define_histogram_vec("test_histogram_vec", &["test_label"]) + .expect("failed to define histogram vec"), })), "header_callbacks" => Some(Box::new(HeaderCallbacksFilterConfig {})), "send_response" => Some(Box::new(SendResponseFilterConfig {})), @@ -44,18 +61,48 @@ struct StatsCallbacksFilterConfig { magic_number: EnvoyGaugeId, // It's full of 1s. ones: EnvoyHistogramId, + test_counter_vec: EnvoyCounterVecId, + test_gauge_vec: EnvoyGaugeVecId, + test_histogram_vec: EnvoyHistogramVecId, } impl HttpFilterConfig for StatsCallbacksFilterConfig { fn new_http_filter(&mut self, envoy_filter: &mut EHF) -> Box> { - envoy_filter.increment_counter(self.streams_total, 1); - envoy_filter.increase_gauge(self.concurrent_streams, 1); - envoy_filter.set_gauge(self.magic_number, 42); + envoy_filter + .increment_counter(self.streams_total, 1) + .expect("failed to increment counter"); + envoy_filter + .increase_gauge(self.concurrent_streams, 1) + .expect("failed to increase gauge"); + envoy_filter + .set_gauge(self.magic_number, 42) + .expect("failed to set gauge"); + envoy_filter + .increment_counter_vec(self.test_counter_vec, &["increment"], 1) + .expect("failed to increment counter vec"); + envoy_filter + .increase_gauge_vec(self.test_gauge_vec, &["increase"], 1) + .expect("failed to increase gauge vec"); + envoy_filter + .increase_gauge_vec(self.test_gauge_vec, &["decrease"], 10) + .expect("failed to increase gauge vec"); + envoy_filter + .decrease_gauge_vec(self.test_gauge_vec, &["decrease"], 8) + .expect("failed to decrease gauge vec"); + envoy_filter + .set_gauge_vec(self.test_gauge_vec, &["set"], 9001) + .expect("failed to set gauge vec"); + envoy_filter + .record_histogram_value_vec(self.test_histogram_vec, &["record"], 1) + .expect("failed to record histogram value vec"); // Copy the stats handles onto the filter so that we can observe stats while // handling requests. Box::new(StatsCallbacksFilter { concurrent_streams: self.concurrent_streams, ones: self.ones, + test_counter_vec: self.test_counter_vec, + test_gauge_vec: self.test_gauge_vec, + test_histogram_vec: self.test_histogram_vec, }) } } @@ -64,6 +111,9 @@ impl HttpFilterConfig for StatsCallbacksFilterConfig struct StatsCallbacksFilter { concurrent_streams: EnvoyGaugeId, ones: EnvoyHistogramId, + test_counter_vec: EnvoyCounterVecId, + test_gauge_vec: EnvoyGaugeVecId, + test_histogram_vec: EnvoyHistogramVecId, } impl HttpFilter for StatsCallbacksFilter { @@ -72,12 +122,40 @@ impl HttpFilter for StatsCallbacksFilter { envoy_filter: &mut EHF, _end_of_stream: bool, ) -> abi::envoy_dynamic_module_type_on_http_filter_request_headers_status { - envoy_filter.record_histogram_value(self.ones, 1); + envoy_filter + .record_histogram_value(self.ones, 1) + .expect("failed to record histogram value"); + + let header = envoy_filter.get_request_header_value("header").unwrap(); + let header = std::str::from_utf8(header.as_slice()).unwrap(); + envoy_filter + .increment_counter_vec(self.test_counter_vec, &[header], 1) + .expect("failed to increment counter vec"); + envoy_filter + .increase_gauge_vec(self.test_gauge_vec, &[header], 1) + .expect("failed to increase gauge vec"); + envoy_filter + .record_histogram_value_vec(self.test_histogram_vec, &[header], 1) + .expect("failed to record histogram value vec"); + abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::Continue } fn on_stream_complete(&mut self, envoy_filter: &mut EHF) { - envoy_filter.decrease_gauge(self.concurrent_streams, 1); + envoy_filter + .decrease_gauge(self.concurrent_streams, 1) + .expect("failed to decrease gauge"); + + let local_var = "local_var".to_owned(); + envoy_filter + .increment_counter_vec(self.test_counter_vec, &[&local_var], 1) + .expect("failed to increment counter vec"); + envoy_filter + .increase_gauge_vec(self.test_gauge_vec, &[&local_var], 1) + .expect("failed to increase gauge vec"); + envoy_filter + .record_histogram_value_vec(self.test_histogram_vec, &[&local_var], 1) + .expect("failed to record histogram value vec"); } } diff --git a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs index c35e74aeb2bab..3a6a6e4238575 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs @@ -13,7 +13,7 @@ fn init() -> bool { } fn new_http_filter_config_fn( - _envoy_filter_config: &mut EC, + envoy_filter_config: &mut EC, name: &str, config: &[u8], ) -> Option>> { @@ -34,6 +34,38 @@ fn new_http_filter_config_fn( "send_response" => Some(Box::new(SendResponseHttpFilterConfig::new(config))), "http_filter_scheduler" => Some(Box::new(HttpFilterSchedulerConfig {})), "fake_external_cache" => Some(Box::new(FakeExternalCachingFilterConfig {})), + "stats_callbacks" => { + let config = String::from_utf8(config.to_owned()).unwrap(); + let mut config_iter = config.split(','); + Some(Box::new(StatsCallbacksFilterConfig { + requests_total: envoy_filter_config + .define_counter("requests_total") + .unwrap(), + requests_pending: envoy_filter_config + .define_gauge("requests_pending") + .unwrap(), + requests_set_value: envoy_filter_config + .define_gauge("requests_set_value") + .unwrap(), + requests_header_values: envoy_filter_config + .define_histogram("requests_header_values") + .unwrap(), + entrypoint_total: envoy_filter_config + .define_counter_vec("entrypoint_total", &["entrypoint", "method"]) + .unwrap(), + entrypoint_set_value: envoy_filter_config + .define_gauge_vec("entrypoint_set_value", &["entrypoint", "method"]) + .unwrap(), + entrypoint_pending: envoy_filter_config + .define_gauge_vec("entrypoint_pending", &["entrypoint", "method"]) + .unwrap(), + entrypoint_header_values: envoy_filter_config + .define_histogram_vec("entrypoint_header_values", &["entrypoint", "method"]) + .unwrap(), + header_to_count: config_iter.next().unwrap().to_owned(), + header_to_set: config_iter.next().unwrap().to_owned(), + })) + }, _ => panic!("Unknown filter name: {}", name), } } @@ -685,3 +717,186 @@ impl HttpFilter for FakeExternalCachingFilter { envoy_dynamic_module_type_on_http_filter_response_headers_status::StopIteration } } + +struct StatsCallbacksFilterConfig { + requests_total: EnvoyCounterId, + requests_pending: EnvoyGaugeId, + requests_header_values: EnvoyHistogramId, + requests_set_value: EnvoyGaugeId, + entrypoint_total: EnvoyCounterVecId, + entrypoint_pending: EnvoyGaugeVecId, + entrypoint_header_values: EnvoyHistogramVecId, + entrypoint_set_value: EnvoyGaugeVecId, + header_to_count: String, + header_to_set: String, +} + +impl HttpFilterConfig for StatsCallbacksFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { + Box::new(StatsCallbacksFilter { + requests_total: self.requests_total, + requests_pending: self.requests_pending, + requests_header_values: self.requests_header_values, + requests_set_value: self.requests_set_value, + entrypoint_total: self.entrypoint_total, + entrypoint_pending: self.entrypoint_pending, + entrypoint_header_values: self.entrypoint_header_values, + entrypoint_set_value: self.entrypoint_set_value, + header_to_count: self.header_to_count.clone(), + header_to_set: self.header_to_set.clone(), + method: None, + }) + } +} + +struct StatsCallbacksFilter { + requests_total: EnvoyCounterId, + requests_pending: EnvoyGaugeId, + requests_set_value: EnvoyGaugeId, + requests_header_values: EnvoyHistogramId, + + entrypoint_total: EnvoyCounterVecId, + entrypoint_pending: EnvoyGaugeVecId, + entrypoint_set_value: EnvoyGaugeVecId, + entrypoint_header_values: EnvoyHistogramVecId, + header_to_count: String, + header_to_set: String, + method: Option, +} + +impl HttpFilter for StatsCallbacksFilter { + fn on_request_headers( + &mut self, + envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> abi::envoy_dynamic_module_type_on_http_filter_request_headers_status { + envoy_filter + .increment_counter(self.requests_total, 1) + .unwrap(); + envoy_filter + .increase_gauge(self.requests_pending, 1) + .unwrap(); + let method = envoy_filter.get_request_header_value(":method").unwrap(); + let method = std::str::from_utf8(method.as_slice()).unwrap(); + envoy_filter + .increment_counter_vec(self.entrypoint_total, &["on_request_headers", method], 1) + .unwrap(); + envoy_filter + .increase_gauge_vec(self.entrypoint_pending, &["on_request_headers", method], 1) + .unwrap(); + self.method = Some(method.to_owned()); + + // Record histogram value to provided value in header + if let Some(header_val) = envoy_filter.get_request_header_value(self.header_to_count.as_str()) { + let header_val = std::str::from_utf8(header_val.as_slice()) + .unwrap() + .parse() + .unwrap(); + envoy_filter + .record_histogram_value(self.requests_header_values, header_val) + .unwrap(); + envoy_filter + .record_histogram_value_vec( + self.entrypoint_header_values, + &["on_request_headers", method], + header_val, + ) + .unwrap(); + } + + + // Set gauges to provided value in header + if let Some(header_val) = envoy_filter.get_request_header_value(self.header_to_set.as_str()) { + let header_val = std::str::from_utf8(header_val.as_slice()) + .unwrap() + .parse() + .unwrap(); + envoy_filter + .set_gauge(self.requests_set_value, header_val) + .unwrap(); + envoy_filter + .set_gauge_vec( + self.entrypoint_set_value, + &["on_request_headers", method], + header_val, + ) + .unwrap(); + } + + abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::Continue + } + + fn on_response_headers( + &mut self, + envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> abi::envoy_dynamic_module_type_on_http_filter_response_headers_status { + envoy_filter + .increment_counter_vec( + self.entrypoint_total, + &["on_response_headers", self.method.as_ref().unwrap()], + 1, + ) + .unwrap(); + envoy_filter + .decrease_gauge(self.requests_pending, 1) + .unwrap(); + envoy_filter + .decrease_gauge_vec( + self.entrypoint_pending, + &["on_request_headers", self.method.as_ref().unwrap()], + 1, + ) + .unwrap(); + envoy_filter + .increase_gauge_vec( + self.entrypoint_pending, + &["on_response_headers", self.method.as_ref().unwrap()], + 1, + ) + .unwrap(); + + // Record histogram value to provided value in header + if let Some(header_val) = envoy_filter.get_response_header_value(self.header_to_count.as_str()) + { + let header_val = std::str::from_utf8(header_val.as_slice()) + .unwrap() + .parse() + .unwrap(); + envoy_filter + .record_histogram_value_vec( + self.entrypoint_header_values, + &["on_response_headers", self.method.as_ref().unwrap()], + header_val, + ) + .unwrap(); + } + + // Set gauges to provided value in header + if let Some(header_val) = envoy_filter.get_response_header_value(self.header_to_set.as_str()) { + let header_val = std::str::from_utf8(header_val.as_slice()) + .unwrap() + .parse() + .unwrap(); + envoy_filter + .set_gauge_vec( + self.entrypoint_set_value, + &["on_response_headers", self.method.as_ref().unwrap()], + header_val, + ) + .unwrap(); + } + + abi::envoy_dynamic_module_type_on_http_filter_response_headers_status::Continue + } + + fn on_stream_complete(&mut self, envoy_filter: &mut EHF) { + envoy_filter + .decrease_gauge_vec( + self.entrypoint_pending, + &["on_response_headers", self.method.as_ref().unwrap()], + 1, + ) + .unwrap(); + } +} From c858b22a486af638651f5710201f3f66dacaaee7 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 16 Sep 2025 01:56:58 +0000 Subject: [PATCH 403/505] remove setSocketReused flag and detach http filter Signed-off-by: Basundhara Chakrabarty --- .../cloud-envoy.yaml | 3 --- .../on-prem-envoy-custom-resolver.yaml | 18 +++--------------- .../listener_manager/active_tcp_listener.cc | 3 --- source/extensions/extensions_build_config.bzl | 1 - .../http/reverse_conn/reverse_conn_filter.cc | 1 - 5 files changed, 3 insertions(+), 23 deletions(-) diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection_socket_interface/cloud-envoy.yaml index 99cc8f64f6ed6..8c3bf9aa3b31d 100644 --- a/examples/reverse_connection_socket_interface/cloud-envoy.yaml +++ b/examples/reverse_connection_socket_interface/cloud-envoy.yaml @@ -16,9 +16,6 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel ping_interval: 2s - auto_close_connections: false - request_path: "/reverse_connections/request" - request_method: "POST" # Listener that will route the downstream request to the reverse connection cluster - name: egress_listener diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml index e6a86de9932cf..d4198ad9fdd0f 100644 --- a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml +++ b/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml @@ -20,22 +20,10 @@ static_resources: port_value: 9001 filter_chains: - filters: - - name: envoy.filters.network.http_connection_manager + - name: envoy.filters.network.reverse_tunnel typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - codec_type: AUTO - route_config: - name: rev_conn_api_route - virtual_hosts: [] - http_filters: - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - ping_interval: 30 - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: 30s # Forwards incoming http requests to backend - name: ingress_http_listener diff --git a/source/common/listener_manager/active_tcp_listener.cc b/source/common/listener_manager/active_tcp_listener.cc index 4e0a4e3d589cd..1f7c88f0a7c32 100644 --- a/source/common/listener_manager/active_tcp_listener.cc +++ b/source/common/listener_manager/active_tcp_listener.cc @@ -55,9 +55,6 @@ ActiveTcpListener::~ActiveTcpListener() { ASSERT(active_connections != nullptr); auto& connections = active_connections->connections_; while (!connections.empty()) { - // Reset the reuse_connection_ flag for reverse connections so that - // the close() call closes the socket. - connections.front()->connection_->setSocketReused(false); connections.front()->connection_->close( Network::ConnectionCloseType::NoFlush, "purging_socket_that_have_not_progressed_to_connections"); diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 5224dee75ff85..141f4d9302455 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -197,7 +197,6 @@ EXTENSIONS = { "envoy.filters.http.wasm": "//source/extensions/filters/http/wasm:config", "envoy.filters.http.stateful_session": "//source/extensions/filters/http/stateful_session:config", "envoy.filters.http.header_mutation": "//source/extensions/filters/http/header_mutation:config", - "envoy.filters.http.reverse_conn": "//source/extensions/filters/http/reverse_conn:config", # # Listener filters diff --git a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc index 22ec30fcc5098..d2b35fb058fa4 100644 --- a/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc +++ b/source/extensions/filters/http/reverse_conn/reverse_conn_filter.cc @@ -138,7 +138,6 @@ Http::FilterDataStatus ReverseConnFilter::acceptReverseConnection() { ENVOY_STREAM_LOG(info, "DEBUG: About to save connection with node_uuid='{}' cluster_uuid='{}'", *decoder_callbacks_, node_uuid, cluster_uuid); saveDownstreamConnection(*connection, node_uuid, cluster_uuid); - connection->setSocketReused(true); // Reset file events on the connection socket if (connection->getSocket()) { From f3c678252323a90a5e12eeb56c3854cb9ed70e5d Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Tue, 16 Sep 2025 06:34:37 +0000 Subject: [PATCH 404/505] Changes to reverse tunnel network filter Signed-off-by: Basundhara Chakrabarty --- .../reverse_tunnel/v3/reverse_tunnel.proto | 4 +- api/envoy/service/reverse_tunnel/v3/BUILD | 15 -- .../v3/reverse_tunnel_handshake.proto | 229 ------------------ .../rc_connection_wrapper.cc | 9 +- .../filters/network/reverse_tunnel/config.h | 4 +- .../reverse_tunnel/reverse_tunnel_filter.cc | 199 +-------------- .../reverse_tunnel/reverse_tunnel_filter.h | 73 ------ .../rc_connection_wrapper_test.cc | 2 - .../filters/network/reverse_tunnel/BUILD | 10 + .../reverse_tunnel/filter_unit_test.cc | 222 +++++++++++------ .../reverse_tunnel/integration_test.cc | 217 +++++++++-------- 11 files changed, 295 insertions(+), 689 deletions(-) delete mode 100644 api/envoy/service/reverse_tunnel/v3/BUILD delete mode 100644 api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto diff --git a/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto b/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto index afb3f04873997..cc47b631b181f 100644 --- a/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto +++ b/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto @@ -36,11 +36,11 @@ message ReverseTunnel { // HTTP path to match for reverse tunnel requests. // If not specified, defaults to "/reverse_connections/request". - string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255}]; + string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255 ignore_empty: true}]; // HTTP method to match for reverse tunnel requests. // If not specified, defaults to "POST". - string request_method = 4 [(validate.rules).string = {min_len: 1 max_len: 10}]; + string request_method = 4 [(validate.rules).string = {min_len: 1 max_len: 10 ignore_empty: true}]; // Configuration for validating reverse tunnel connection requests using filter state. // This allows previous filters in the network chain to populate validation data diff --git a/api/envoy/service/reverse_tunnel/v3/BUILD b/api/envoy/service/reverse_tunnel/v3/BUILD deleted file mode 100644 index 4f64fe2f9ee5e..0000000000000 --- a/api/envoy/service/reverse_tunnel/v3/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_xds//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto b/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto deleted file mode 100644 index 4d6b3f02b2609..0000000000000 --- a/api/envoy/service/reverse_tunnel/v3/reverse_tunnel_handshake.proto +++ /dev/null @@ -1,229 +0,0 @@ -syntax = "proto3"; - -package envoy.service.reverse_tunnel.v3; - -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/grpc_service.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/timestamp.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.reverse_tunnel.v3"; -option java_outer_classname = "ReverseTunnelHandshakeProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/reverse_tunnel/v3;reverse_tunnelv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Reverse Tunnel Handshake Service] -// Service definition for establishing reverse tunnel connections between Envoy instances. -// This service replaces the previous HTTP-based handshake protocol with a robust gRPC-based approach. - -// The ReverseTunnelHandshakeService provides secure, reliable handshake protocol for establishing -// reverse tunnel connections. It supports custom metadata, timeouts, retries, and authentication. -service ReverseTunnelHandshakeService { - // Establishes a reverse tunnel connection between two Envoy instances. - // The initiator (typically on-premises Envoy) calls this method to request - // a reverse tunnel connection with the acceptor (typically cloud Envoy). - rpc EstablishTunnel(EstablishTunnelRequest) returns (EstablishTunnelResponse); -} - -// Request message for establishing a reverse tunnel connection. -// Contains all necessary information for the acceptor to validate and configure the tunnel. -message EstablishTunnelRequest { - // Required: Identity information of the tunnel initiator. - TunnelInitiatorIdentity initiator = 1 [(validate.rules).message = {required: true}]; - - // Optional: Custom metadata and properties for the tunnel connection. - // This allows for extensible configuration and feature negotiation. - google.protobuf.Struct custom_metadata = 2; - - // Optional: Requested tunnel configuration parameters. - TunnelConfiguration tunnel_config = 3; - - // Optional: Authentication and authorization information. - TunnelAuthentication auth = 4; - - // Optional: Connection-specific attributes for debugging and monitoring. - ConnectionAttributes connection_attributes = 5; -} - -// Response message for reverse tunnel establishment. -// Indicates success/failure and provides configuration for the established tunnel. -message EstablishTunnelResponse { - // Status of the tunnel establishment attempt. - TunnelStatus status = 1; - - // Human-readable status message providing additional context. - // Required for rejected tunnels, optional for accepted tunnels. - string status_message = 2; - - // Optional: Accepted tunnel configuration (may differ from requested). - // Present only when status is ACCEPTED. - TunnelConfiguration accepted_config = 3; - - // Optional: Custom response metadata from the acceptor. - google.protobuf.Struct response_metadata = 4; - - // Optional: Connection monitoring and debugging information. - ConnectionInfo connection_info = 5; -} - -// Identity information for the tunnel initiator. -message TunnelInitiatorIdentity { - // Required: Tenant identifier of the initiating Envoy instance. - string tenant_id = 1 [(validate.rules).string = {min_len: 1 max_len: 128}]; - - // Required: Cluster identifier of the initiating Envoy instance. - string cluster_id = 2 [(validate.rules).string = {min_len: 1 max_len: 128}]; - - // Required: Node identifier of the initiating Envoy instance. - string node_id = 3 [(validate.rules).string = {min_len: 1 max_len: 128}]; - - // Optional: Additional identity attributes for advanced routing/filtering. - map identity_attributes = 4; -} - -// Configuration parameters for the tunnel connection. -message TunnelConfiguration { - // Optional: Preferred ping/keepalive interval for the tunnel. - google.protobuf.Duration ping_interval = 1 [(validate.rules).duration = {gt: {seconds: 1}}]; - - // Optional: Maximum allowed idle time before tunnel cleanup. - google.protobuf.Duration max_idle_time = 2 [(validate.rules).duration = {gt: {seconds: 30}}]; - - // Optional: Protocol-specific configuration options. - map protocol_options = 3; - - // Optional: Quality of Service parameters. - QualityOfService qos = 4; -} - -// Quality of Service configuration for tunnel connections. -message QualityOfService { - // Optional: Maximum bandwidth limit in bytes per second. - google.protobuf.UInt64Value max_bandwidth_bps = 1; - - // Optional: Connection priority level (higher = more important). - google.protobuf.UInt32Value priority_level = 2 [(validate.rules).uint32 = {lte: 10}]; - - // Optional: Connection reliability requirements. - ReliabilityLevel reliability = 3; -} - -// Authentication and authorization information for tunnel establishment. -message TunnelAuthentication { - // Optional: Authentication token or credential. - string auth_token = 1; - - // Optional: Certificate-based authentication information. - CertificateAuth certificate_auth = 2; - - // Optional: Custom authentication attributes. - map auth_attributes = 3; -} - -// Certificate-based authentication information. -message CertificateAuth { - // Certificate fingerprint or identifier. - string cert_fingerprint = 1; - - // Optional: Certificate chain validation information. - repeated string cert_chain = 2; - - // Optional: Certificate-based attributes (e.g., from SAN extensions). - map cert_attributes = 3; -} - -// Connection-specific attributes for monitoring and debugging. -message ConnectionAttributes { - // Optional: Source IP address and port of the connection. - string source_address = 1; - - // Optional: Target/destination information. - string target_address = 2; - - // Optional: Connection tracing and correlation identifiers. - string trace_id = 3; - - // Optional: Additional debugging attributes. - map debug_attributes = 4; -} - -// Status enumeration for tunnel establishment results. -enum TunnelStatus { - // Invalid/unspecified status. - TUNNEL_STATUS_UNSPECIFIED = 0; - - // Tunnel establishment was successful. - ACCEPTED = 1; - - // Tunnel establishment was rejected due to policy. - REJECTED = 2; - - // Authentication failed. - AUTHENTICATION_FAILED = 3; - - // Authorization failed (authenticated but not authorized). - AUTHORIZATION_FAILED = 4; - - // Rate limiting or quota exceeded. - RATE_LIMITED = 5; - - // Internal server error on acceptor side. - INTERNAL_ERROR = 6; - - // Requested configuration not supported. - UNSUPPORTED_CONFIG = 7; -} - -// Reliability level enumeration for QoS configuration. -enum ReliabilityLevel { - // Best effort reliability (default). - BEST_EFFORT = 0; - - // Standard reliability with basic retry logic. - STANDARD = 1; - - // High reliability with aggressive retry and failover. - HIGH = 2; - - // Critical reliability for mission-critical connections. - CRITICAL = 3; -} - -// Information about the established connection. -message ConnectionInfo { - // Assigned connection identifier for tracking. - string connection_id = 1; - - // Connection establishment timestamp. - google.protobuf.Timestamp established_at = 2; - - // Expected connection lifetime or expiration. - google.protobuf.Timestamp expires_at = 3; - - // Monitoring and metrics endpoint information. - string metrics_endpoint = 4; -} - -// Configuration for gRPC client options when establishing tunnels. -message ReverseTunnelGrpcConfig { - // Optional: Timeout for tunnel handshake requests. - google.protobuf.Duration handshake_timeout = 2 [(validate.rules).duration = {gt: {seconds: 1} lte: {seconds: 30}}]; - - // Optional: Number of retry attempts for failed handshakes. - google.protobuf.UInt32Value max_retries = 3 [(validate.rules).uint32 = {lte: 10}]; - - // Optional: Base interval for exponential backoff retry strategy. - google.protobuf.Duration retry_base_interval = 4 [(validate.rules).duration = {gt: {nanos: 100000000}}]; // 100ms minimum - - // Optional: Maximum interval for exponential backoff retry strategy. - google.protobuf.Duration retry_max_interval = 5 [(validate.rules).duration = {lte: {seconds: 60}}]; - - // Optional: Initial metadata to include with gRPC requests. - repeated envoy.config.core.v3.HeaderValue initial_metadata = 6; -} \ No newline at end of file diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc index 250ff18a14476..218fe09b53a9d 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc @@ -153,8 +153,13 @@ void RCConnectionWrapper::decodeHeaders(Http::ResponseHeaderMapPtr&& headers, bo ENVOY_LOG(debug, "Received HTTP 200 OK response"); onHandshakeSuccess(); } else { - ENVOY_LOG(error, "Received non-200 HTTP response: {}", status); - onHandshakeFailure("HTTP handshake failed with non-200 response"); + // Get the reason phrase from the status header if available + const auto status_header = headers->getStatusValue(); + const std::string status_message = status_header.empty() + ? absl::StrCat("HTTP ", status) + : absl::StrCat("HTTP ", status, " ", status_header); + ENVOY_LOG(error, "Received non-200 HTTP response: {}", status_message); + onHandshakeFailure(absl::StrCat("HTTP handshake failed with status ", status_message)); } } diff --git a/source/extensions/filters/network/reverse_tunnel/config.h b/source/extensions/filters/network/reverse_tunnel/config.h index 33b7e233d5a09..fd1e24ccf77ef 100644 --- a/source/extensions/filters/network/reverse_tunnel/config.h +++ b/source/extensions/filters/network/reverse_tunnel/config.h @@ -18,7 +18,9 @@ class ReverseTunnelFilterConfigFactory : public Common::FactoryBase< envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel> { public: - ReverseTunnelFilterConfigFactory() : FactoryBase(NetworkFilterNames::get().ReverseTunnel) {} + // Always mark the reverse tunnel filter as terminal filter. + ReverseTunnelFilterConfigFactory() + : FactoryBase(NetworkFilterNames::get().ReverseTunnel, true /* isTerminalFilter */) {} private: Network::FilterFactoryCb createFilterFactoryFromProtoTyped( diff --git a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc index 427ff8782df3e..ad7ec74a811fa 100644 --- a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc +++ b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc @@ -21,182 +21,6 @@ namespace Extensions { namespace NetworkFilters { namespace ReverseTunnel { -// UpstreamReverseConnectionIOHandle implementation. -UpstreamReverseConnectionIOHandle::UpstreamReverseConnectionIOHandle( - Network::IoHandlePtr&& wrapped_handle, std::function on_close_callback) - : wrapped_handle_(std::move(wrapped_handle)), on_close_callback_(std::move(on_close_callback)) { -} - -os_fd_t UpstreamReverseConnectionIOHandle::fdDoNotUse() const { - return wrapped_handle_->fdDoNotUse(); -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::close() { - // If this is a reverse tunnel socket, don't actually close it. - // Instead, let the upstream socket manager handle its lifecycle. - if (is_reverse_tunnel_socket_ && !close_called_) { - close_called_ = true; - if (on_close_callback_) { - on_close_callback_(); - } - // Return success without actually closing the FD. - return Api::IoCallUint64Result(0, Api::IoErrorPtr(nullptr, [](Api::IoError*) {})); - } - return wrapped_handle_->close(); -} - -bool UpstreamReverseConnectionIOHandle::isOpen() const { return wrapped_handle_->isOpen(); } - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::readv(uint64_t max_length, - Buffer::RawSlice* slices, - uint64_t num_slices) { - return wrapped_handle_->readv(max_length, slices, num_slices); -} - -Api::IoCallUint64Result -UpstreamReverseConnectionIOHandle::read(Buffer::Instance& buffer, - absl::optional max_length) { - return wrapped_handle_->read(buffer, max_length); -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::writev(const Buffer::RawSlice* slices, - uint64_t num_slices) { - return wrapped_handle_->writev(slices, num_slices); -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::write(Buffer::Instance& buffer) { - return wrapped_handle_->write(buffer); -} - -Api::IoCallUint64Result -UpstreamReverseConnectionIOHandle::sendmsg(const Buffer::RawSlice* slices, uint64_t num_slices, - int flags, const Network::Address::Ip* self_ip, - const Network::Address::Instance& peer_address) { - return wrapped_handle_->sendmsg(slices, num_slices, flags, self_ip, peer_address); -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::recvmsg( - Buffer::RawSlice* slices, const uint64_t num_slices, uint32_t self_port, - const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, RecvMsgOutput& output) { - return wrapped_handle_->recvmsg(slices, num_slices, self_port, save_cmsg_config, output); -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::recvmmsg( - RawSliceArrays& slices, uint32_t self_port, - const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, RecvMsgOutput& output) { - return wrapped_handle_->recvmmsg(slices, self_port, save_cmsg_config, output); -} - -bool UpstreamReverseConnectionIOHandle::supportsMmsg() const { - return wrapped_handle_->supportsMmsg(); -} - -bool UpstreamReverseConnectionIOHandle::supportsUdpGro() const { - return wrapped_handle_->supportsUdpGro(); -} - -Api::SysCallIntResult -UpstreamReverseConnectionIOHandle::bind(Network::Address::InstanceConstSharedPtr address) { - return wrapped_handle_->bind(address); -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::listen(int backlog) { - return wrapped_handle_->listen(backlog); -} - -Network::IoHandlePtr UpstreamReverseConnectionIOHandle::accept(struct sockaddr* addr, - socklen_t* addrlen) { - return wrapped_handle_->accept(addr, addrlen); -} - -Api::SysCallIntResult -UpstreamReverseConnectionIOHandle::connect(Network::Address::InstanceConstSharedPtr address) { - return wrapped_handle_->connect(address); -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::setOption(int level, int optname, - const void* optval, - socklen_t optlen) { - return wrapped_handle_->setOption(level, optname, optval, optlen); -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::getOption(int level, int optname, - void* optval, - socklen_t* optlen) { - return wrapped_handle_->getOption(level, optname, optval, optlen); -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::setBlocking(bool blocking) { - return wrapped_handle_->setBlocking(blocking); -} - -absl::optional UpstreamReverseConnectionIOHandle::domain() { - return wrapped_handle_->domain(); -} - -absl::StatusOr -UpstreamReverseConnectionIOHandle::localAddress() { - return wrapped_handle_->localAddress(); -} - -absl::StatusOr -UpstreamReverseConnectionIOHandle::peerAddress() { - return wrapped_handle_->peerAddress(); -} - -void UpstreamReverseConnectionIOHandle::initializeFileEvent(Event::Dispatcher& dispatcher, - Event::FileReadyCb cb, - Event::FileTriggerType trigger, - uint32_t events) { - wrapped_handle_->initializeFileEvent(dispatcher, cb, trigger, events); -} - -void UpstreamReverseConnectionIOHandle::activateFileEvents(uint32_t events) { - wrapped_handle_->activateFileEvents(events); -} - -void UpstreamReverseConnectionIOHandle::enableFileEvents(uint32_t events) { - wrapped_handle_->enableFileEvents(events); -} - -void UpstreamReverseConnectionIOHandle::resetFileEvents() { wrapped_handle_->resetFileEvents(); } - -Network::IoHandlePtr UpstreamReverseConnectionIOHandle::duplicate() { - return wrapped_handle_->duplicate(); -} - -bool UpstreamReverseConnectionIOHandle::wasConnected() const { - return wrapped_handle_->wasConnected(); -} - -Api::IoCallUint64Result UpstreamReverseConnectionIOHandle::recv(void* buffer, size_t length, - int flags) { - return wrapped_handle_->recv(buffer, length, flags); -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::ioctl( - unsigned long control_code, void* in_buffer, unsigned long in_buffer_len, void* out_buffer, - unsigned long out_buffer_len, unsigned long* bytes_returned) { - return wrapped_handle_->ioctl(control_code, in_buffer, in_buffer_len, out_buffer, out_buffer_len, - bytes_returned); -} - -Api::SysCallIntResult UpstreamReverseConnectionIOHandle::shutdown(int how) { - return wrapped_handle_->shutdown(how); -} - -absl::optional UpstreamReverseConnectionIOHandle::lastRoundTripTime() { - return wrapped_handle_->lastRoundTripTime(); -} - -absl::optional UpstreamReverseConnectionIOHandle::congestionWindowInBytes() const { - return wrapped_handle_->congestionWindowInBytes(); -} - -absl::optional UpstreamReverseConnectionIOHandle::interfaceName() { - return wrapped_handle_->interfaceName(); -} - // Stats helper implementation. ReverseTunnelFilter::ReverseTunnelStats ReverseTunnelFilter::ReverseTunnelStats::generateStats(const std::string& prefix, @@ -211,7 +35,8 @@ ReverseTunnelFilterConfig::ReverseTunnelFilterConfig( ? std::chrono::milliseconds( DurationUtil::durationToMilliseconds(proto_config.ping_interval())) : std::chrono::milliseconds(2000)), - auto_close_connections_(proto_config.auto_close_connections()), + auto_close_connections_( + proto_config.auto_close_connections() ? proto_config.auto_close_connections() : false), request_path_(proto_config.request_path().empty() ? "/reverse_connections/request" : proto_config.request_path()), request_method_(proto_config.request_method().empty() ? "GET" @@ -334,6 +159,9 @@ void ReverseTunnelFilter::RequestDecoderImpl::processIfComplete(bool end_stream) // Validate method/path. const absl::string_view method = headers_->getMethodValue(); const absl::string_view path = headers_->getPathValue(); + ENVOY_LOG(debug, + "ReverseTunnelFilter::RequestDecoderImpl::processIfComplete: method: {}, path: {}", + method, path); if (!absl::EqualsIgnoreCase(method, parent_.config_->requestMethod()) || path != parent_.config_->requestPath()) { sendLocalReply(Http::Code::NotFound, "Not a reverse tunnel request", nullptr, absl::nullopt, @@ -436,19 +264,14 @@ void ReverseTunnelFilter::processAcceptedConnection(absl::string_view node_id, return; } - // Create a wrapper around the original socket's IO handle that prevents premature closure. - Network::IoHandlePtr original_handle = socket->ioHandle().duplicate(); - if (!original_handle || !original_handle->isOpen()) { + // Duplicate the original socket's IO handle for reuse. + Network::IoHandlePtr wrapped_handle = socket->ioHandle().duplicate(); + if (!wrapped_handle || !wrapped_handle->isOpen()) { ENVOY_CONN_LOG(error, "reverse_tunnel: failed to duplicate socket handle", connection); return; } - // Wrap the duplicated handle in our custom wrapper that manages reverse tunnel lifecycle. - auto wrapped_handle = - std::make_unique(std::move(original_handle)); - wrapped_handle->markAsReverseTunnelSocket(); - - // Build a new ConnectionSocket from the wrapped handle, preserving addressing info. + // Build a new ConnectionSocket from the duplicated handle, preserving addressing info. auto wrapped_socket = std::make_unique( std::move(wrapped_handle), socket->connectionInfoProvider().localAddress(), socket->connectionInfoProvider().remoteAddress()); @@ -475,6 +298,10 @@ void ReverseTunnelFilter::processAcceptedConnection(absl::string_view node_id, bool ReverseTunnelFilter::validateRequestUsingFilterState(absl::string_view node_uuid, absl::string_view cluster_uuid, absl::string_view tenant_uuid) { + ENVOY_LOG(debug, + "ReverseTunnelFilter::validateRequestUsingFilterState: called with node_uuid: {}, " + "cluster_uuid: {}, tenant_uuid: {}", + node_uuid, cluster_uuid, tenant_uuid); const Network::Connection& connection = read_callbacks_->connection(); const StreamInfo::FilterState& filter_state = connection.streamInfo().filterState(); diff --git a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h index 637b4dae42d89..ba7852ce8ecd5 100644 --- a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h +++ b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h @@ -21,79 +21,6 @@ namespace Extensions { namespace NetworkFilters { namespace ReverseTunnel { -/** - * Custom IO handle wrapper for upstream reverse connection sockets. - * This wrapper prevents premature socket closure to allow socket reuse - * for reverse connections, replacing the need for setSocketReused(). - */ -class UpstreamReverseConnectionIOHandle : public Network::IoHandle { -public: - UpstreamReverseConnectionIOHandle(Network::IoHandlePtr&& wrapped_handle, - std::function on_close_callback = nullptr); - ~UpstreamReverseConnectionIOHandle() override = default; - - // Network::IoHandle - os_fd_t fdDoNotUse() const override; - Api::IoCallUint64Result close() override; - bool isOpen() const override; - Api::IoCallUint64Result readv(uint64_t max_length, Buffer::RawSlice* slices, - uint64_t num_slices) override; - Api::IoCallUint64Result read(Buffer::Instance& buffer, - absl::optional max_length) override; - Api::IoCallUint64Result writev(const Buffer::RawSlice* slices, uint64_t num_slices) override; - Api::IoCallUint64Result write(Buffer::Instance& buffer) override; - Api::IoCallUint64Result sendmsg(const Buffer::RawSlice* slices, uint64_t num_slices, int flags, - const Network::Address::Ip* self_ip, - const Network::Address::Instance& peer_address) override; - Api::IoCallUint64Result recvmsg(Buffer::RawSlice* slices, const uint64_t num_slices, - uint32_t self_port, - const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, - RecvMsgOutput& output) override; - Api::IoCallUint64Result recvmmsg(RawSliceArrays& slices, uint32_t self_port, - const Network::IoHandle::UdpSaveCmsgConfig& save_cmsg_config, - RecvMsgOutput& output) override; - bool supportsMmsg() const override; - bool supportsUdpGro() const override; - Api::SysCallIntResult bind(Network::Address::InstanceConstSharedPtr address) override; - Api::SysCallIntResult listen(int backlog) override; - Network::IoHandlePtr accept(struct sockaddr* addr, socklen_t* addrlen) override; - Api::SysCallIntResult connect(Network::Address::InstanceConstSharedPtr address) override; - Api::SysCallIntResult setOption(int level, int optname, const void* optval, - socklen_t optlen) override; - Api::SysCallIntResult getOption(int level, int optname, void* optval, socklen_t* optlen) override; - Api::SysCallIntResult setBlocking(bool blocking) override; - absl::optional domain() override; - absl::StatusOr localAddress() override; - absl::StatusOr peerAddress() override; - void initializeFileEvent(Event::Dispatcher& dispatcher, Event::FileReadyCb cb, - Event::FileTriggerType trigger, uint32_t events) override; - void activateFileEvents(uint32_t events) override; - void enableFileEvents(uint32_t events) override; - void resetFileEvents() override; - Network::IoHandlePtr duplicate() override; - - // Additional pure virtual methods from IoHandle. - bool wasConnected() const override; - Api::IoCallUint64Result recv(void* buffer, size_t length, int flags) override; - Api::SysCallIntResult ioctl(unsigned long control_code, void* in_buffer, - unsigned long in_buffer_len, void* out_buffer, - unsigned long out_buffer_len, unsigned long* bytes_returned) override; - Api::SysCallIntResult shutdown(int how) override; - absl::optional lastRoundTripTime() override; - absl::optional congestionWindowInBytes() const override; - absl::optional interfaceName() override; - - // Mark this socket as managed by the reverse connection system. - void markAsReverseTunnelSocket() { is_reverse_tunnel_socket_ = true; } - bool isReverseTunnelSocket() const { return is_reverse_tunnel_socket_; } - -private: - Network::IoHandlePtr wrapped_handle_; - std::function on_close_callback_; - bool is_reverse_tunnel_socket_ = false; - bool close_called_ = false; -}; - /** * Configuration for the reverse tunnel network filter. */ diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc index 3a6965b4412e6..0a4d59d35c7c7 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc @@ -941,8 +941,6 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { EXPECT_EQ(result, Network::FilterStatus::StopIteration); } -// Removed protobuf-based response tests as the handshake now uses HTTP headers only. - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/test/extensions/filters/network/reverse_tunnel/BUILD b/test/extensions/filters/network/reverse_tunnel/BUILD index 329a8e085b451..dd86305e37003 100644 --- a/test/extensions/filters/network/reverse_tunnel/BUILD +++ b/test/extensions/filters/network/reverse_tunnel/BUILD @@ -32,9 +32,16 @@ envoy_extension_cc_test( deps = [ "//source/common/stats:isolated_store_lib", "//source/common/stream_info:uint64_accessor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:upstream_socket_manager_lib", "//source/extensions/filters/network/reverse_tunnel:reverse_tunnel_filter_lib", + "//test/mocks/event:event_mocks", "//test/mocks/network:network_mocks", + "//test/mocks/server:factory_context_mocks", "//test/mocks/server:overload_manager_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:logging_lib", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", ], ) @@ -47,12 +54,14 @@ envoy_extension_cc_test( "envoy.filters.network.reverse_tunnel", "envoy.bootstrap.reverse_tunnel.upstream_socket_interface", "envoy.bootstrap.reverse_tunnel.downstream_socket_interface", + "envoy.bootstrap.internal_listener", "envoy.resolvers.reverse_connection", "envoy.filters.network.echo", ], rbe_pool = "6gig", tags = ["skip_on_windows"], deps = [ + "//source/extensions/bootstrap/internal_listener:config", "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", @@ -61,6 +70,7 @@ envoy_extension_cc_test( "//source/extensions/filters/network/set_filter_state:config", "//source/extensions/transport_sockets/internal_upstream:config", "//test/integration:integration_lib", + "//test/test_common:logging_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", diff --git a/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc b/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc index 2f5cd5135c3aa..8e9cc79b83ad3 100644 --- a/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc +++ b/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc @@ -1,12 +1,24 @@ +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" #include "source/common/router/string_accessor_impl.h" #include "source/common/stats/isolated_store_impl.h" #include "source/common/stream_info/uint64_accessor_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" #include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" +namespace ReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; + +#include "test/mocks/event/mocks.h" #include "test/mocks/network/mocks.h" +#include "test/mocks/server/factory_context.h" #include "test/mocks/server/overload_manager.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/logging.h" #include "test/test_common/utility.h" #include "gmock/gmock.h" @@ -40,6 +52,12 @@ class HttpErrorHelper { }; class ReverseTunnelFilterUnitTest : public testing::Test { +protected: + void SetUp() override { + // Initialize stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + } + public: ReverseTunnelFilterUnitTest() : stats_store_(), overload_manager_() { // Prepare proto config with defaults. @@ -66,6 +84,50 @@ class ReverseTunnelFilterUnitTest : public testing::Test { filter_->initializeReadFilterCallbacks(callbacks_); } + // Helper method to set up upstream extension. + void setupUpstreamExtension() { + // Create the upstream socket interface and extension. + upstream_socket_interface_ = + std::make_unique(context_); + upstream_extension_ = std::make_unique( + *upstream_socket_interface_, context_, upstream_config_); + + // Set up the extension in the global socket interface registry. + auto* registered_upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + if (registered_upstream_interface) { + auto* registered_acceptor = dynamic_cast( + const_cast(registered_upstream_interface)); + if (registered_acceptor) { + // Set up the extension for the registered upstream socket interface. + registered_acceptor->extension_ = upstream_extension_.get(); + } + } + } + + // Helper method to set up upstream thread local slot for testing. + void setupUpstreamThreadLocalSlot() { + // Call onServerInitialized to set up the extension references properly. + upstream_extension_->onServerInitialized(); + + // Create a thread local registry for upstream with the dispatcher. + upstream_thread_local_registry_ = + std::make_shared(dispatcher_, + upstream_extension_.get()); + + upstream_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique( + thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the upstream slot to return our registry. + upstream_tls_slot_->set( + [registry = upstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version. + upstream_extension_->setTestOnlyTLSRegistry(std::move(upstream_tls_slot_)); + } + // Helper to craft raw HTTP/1.1 request string. std::string makeHttpRequest(const std::string& method, const std::string& path, const std::string& body = "") { @@ -105,6 +167,33 @@ class ReverseTunnelFilterUnitTest : public testing::Test { Stats::IsolatedStoreImpl stats_store_; NiceMock overload_manager_; NiceMock callbacks_; + + // Thread local slot setup for downstream socket interface. + NiceMock context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + // Config for reverse connection socket interface. + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface upstream_config_; + // Thread local components for testing upstream socket interface. + std::unique_ptr> + upstream_tls_slot_; + std::shared_ptr upstream_thread_local_registry_; + std::unique_ptr upstream_socket_interface_; + std::unique_ptr upstream_extension_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + + void TearDown() override { + // Clean up thread local components to avoid issues during destruction. + upstream_tls_slot_.reset(); + upstream_thread_local_registry_.reset(); + upstream_extension_.reset(); + upstream_socket_interface_.reset(); + } }; TEST_F(ReverseTunnelFilterUnitTest, NewConnectionContinues) { @@ -118,6 +207,7 @@ TEST_F(ReverseTunnelFilterUnitTest, HttpDispatchErrorStopsIteration) { } TEST_F(ReverseTunnelFilterUnitTest, FullFlowValidationSuccess) { + // Configure reverse tunnel with validation keys. envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; auto* v = cfg.mutable_validation_config(); @@ -161,6 +251,7 @@ TEST_F(ReverseTunnelFilterUnitTest, FullFlowValidationSuccess) { } TEST_F(ReverseTunnelFilterUnitTest, FullFlowValidationFailure) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; cfg.mutable_validation_config()->set_node_id_filter_state_key("node_id"); auto local_config = std::make_shared(cfg); @@ -189,6 +280,7 @@ TEST_F(ReverseTunnelFilterUnitTest, FullFlowValidationFailure) { } TEST_F(ReverseTunnelFilterUnitTest, FullFlowParseError) { + std::string written; EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { @@ -1019,23 +1111,6 @@ TEST_F(ReverseTunnelFilterUnitTest, DecodeDataMultipleChunks) { EXPECT_THAT(written, testing::HasSubstr("200 OK")); } -// Test successful connection processing with socket reuse. -TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionSocketReuse) { - std::string written; - EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) - .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { - written.append(data.toString()); - data.drain(data.length()); - })); - - // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. - - Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders( - "GET", "/reverse_connections/request", "test-node", "test-cluster", "test-tenant")); - EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); - EXPECT_THAT(written, testing::HasSubstr("200 OK")); -} - // Test RequestDecoderImpl interface methods with proper HTTP flow. TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplInterfaceMethodsCoverage) { std::string written; @@ -1240,6 +1315,11 @@ TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionNullTlsRegistry) { // Test processAcceptedConnection when duplicate() returns null. TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicateFails) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + // Create a mock socket that returns a null/closed handle on duplicate. auto mock_socket = std::make_unique(); auto mock_io_handle = std::make_unique(); @@ -1273,6 +1353,12 @@ TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicateFails) { // Test processAcceptedConnection when duplicated handle is not open. TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicatedHandleNotOpen) { + + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + auto mock_socket = std::make_unique(); auto mock_io_handle = std::make_unique(); auto dup_io_handle = std::make_unique(); @@ -1337,33 +1423,6 @@ TEST_F(ReverseTunnelFilterUnitTest, SystematicHttpErrorPatterns) { } } -// Test specific protobuf validation scenarios to hit uncovered parsing paths. -TEST_F(ReverseTunnelFilterUnitTest, ProtobufValidationScenarios) { - std::string written; - EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) - .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { - written.append(data.toString()); - data.drain(data.length()); - })); - - // Test 1: Missing node header should fail validation - Buffer::OwnedImpl invalid_request("GET /reverse_connections/request HTTP/1.1\r\n" - "Host: localhost\r\n" - "x-envoy-reverse-tunnel-cluster-id: cluster\r\n" - "x-envoy-reverse-tunnel-tenant-id: tenant\r\n" - "Content-Length: 0\r\n\r\n"); - EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(invalid_request, false)); - EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); - - written.clear(); - - // Test 2: Previously malformed protobuf no longer applies; with headers present we accept. - Buffer::OwnedImpl ok_request(makeHttpRequestWithRtHeaders( - "GET", "/reverse_connections/request", "node", "cluster", "tenant", "This is not used")); - EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(ok_request, false)); - EXPECT_THAT(written, testing::HasSubstr("200 OK")); -} - // Test edge cases in HTTP/protobuf processing to maximize coverage. TEST_F(ReverseTunnelFilterUnitTest, EdgeCaseHttpProtobufProcessing) { std::string written; @@ -1388,6 +1447,36 @@ TEST_F(ReverseTunnelFilterUnitTest, EdgeCaseHttpProtobufProcessing) { // Test to trigger specific interface methods for coverage. TEST_F(ReverseTunnelFilterUnitTest, InterfaceMethodsCompleteCoverage) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + + // Set up mock socket with proper duplication mocking + auto mock_socket = std::make_unique(); + auto mock_io_handle = std::make_unique(); + auto dup_handle = std::make_unique(); + + // Mock successful duplication + EXPECT_CALL(*dup_handle, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*dup_handle, resetFileEvents()); + EXPECT_CALL(*dup_handle, fdDoNotUse()).WillRepeatedly(testing::Return(456)); + + EXPECT_CALL(*mock_io_handle, duplicate()) + .WillOnce(testing::Return(testing::ByMove(std::move(dup_handle)))); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(testing::Return(455)); + + // Store in static variables + static Network::ConnectionSocketPtr stored_interface_socket; + static std::unique_ptr stored_interface_handle; + stored_interface_handle = std::move(mock_io_handle); + stored_interface_socket = std::move(mock_socket); + + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_interface_socket)); + std::string written; EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { @@ -1412,39 +1501,14 @@ TEST_F(ReverseTunnelFilterUnitTest, InterfaceMethodsCompleteCoverage) { EXPECT_THAT(written, testing::HasSubstr("200 OK")); } -// Test the streamInfo() method gets called and returns correct instance. -TEST_F(ReverseTunnelFilterUnitTest, StreamInfoMethodReturnsCorrectInstance) { - // Trigger decoder creation first. - Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", - "stream", "info", "test")); - - // This creates the decoder internally. - EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); - - // The streamInfo() method was called internally during processing. - // We can't directly test it but it's covered by the request processing. -} - -// Test the accessLogHandlers() method returns empty vector. -TEST_F(ReverseTunnelFilterUnitTest, AccessLogHandlersReturnsEmpty) { - Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", - "log", "handlers", "test")); - - // This creates the decoder and calls accessLogHandlers internally. - EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); -} - -// Test the getRequestDecoderHandle() method returns nullptr. -TEST_F(ReverseTunnelFilterUnitTest, GetRequestDecoderHandleReturnsNull) { - Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", - "decoder", "handle", "null")); - - // This creates the decoder and the method may be called internally. - EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); -} - // Test processIfComplete when already complete. TEST_F(ReverseTunnelFilterUnitTest, ProcessIfCompleteAlreadyComplete) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + // We don't need to setup thread local slot for this test since + // we are not testing socket duplication. + std::string written; EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { @@ -1467,6 +1531,11 @@ TEST_F(ReverseTunnelFilterUnitTest, ProcessIfCompleteAlreadyComplete) { // Test successful socket duplication with all operations succeeding. TEST_F(ReverseTunnelFilterUnitTest, SuccessfulSocketDuplication) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + auto socket_with_dup = std::make_unique(); // Mock successful duplication where everything succeeds. @@ -1476,6 +1545,7 @@ TEST_F(ReverseTunnelFilterUnitTest, SuccessfulSocketDuplication) { // The duplicated handle is open and operations succeed. EXPECT_CALL(*dup_handle, isOpen()).WillRepeatedly(testing::Return(true)); EXPECT_CALL(*dup_handle, resetFileEvents()); + EXPECT_CALL(*dup_handle, fdDoNotUse()).WillRepeatedly(testing::Return(123)); // Mock the duplicate() call to return the dup_handle. EXPECT_CALL(*mock_io_handle, duplicate()) @@ -1484,6 +1554,7 @@ TEST_F(ReverseTunnelFilterUnitTest, SuccessfulSocketDuplication) { // Mock ioHandle() to return our mock handle. EXPECT_CALL(*socket_with_dup, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); EXPECT_CALL(*socket_with_dup, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(testing::Return(122)); // Store socket and handle in static variables. static Network::ConnectionSocketPtr stored_dup_socket; @@ -1494,7 +1565,6 @@ TEST_F(ReverseTunnelFilterUnitTest, SuccessfulSocketDuplication) { // Set up the callbacks to use our mock socket. EXPECT_CALL(callbacks_.connection_, getSocket()) .WillRepeatedly(testing::ReturnRef(stored_dup_socket)); - // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. std::string written; EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) diff --git a/test/extensions/filters/network/reverse_tunnel/integration_test.cc b/test/extensions/filters/network/reverse_tunnel/integration_test.cc index e426aaaca8a16..b659b5b732eeb 100644 --- a/test/extensions/filters/network/reverse_tunnel/integration_test.cc +++ b/test/extensions/filters/network/reverse_tunnel/integration_test.cc @@ -7,6 +7,7 @@ #include "source/common/protobuf/protobuf.h" #include "test/integration/integration.h" +#include "test/test_common/logging.h" #include "test/test_common/utility.h" #include "gtest/gtest.h" @@ -82,6 +83,9 @@ name: envoy.filters.network.reverse_tunnel request += body; return request; } + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); }; INSTANTIATE_TEST_SUITE_P(IpVersions, ReverseTunnelFilterIntegrationTest, @@ -517,115 +521,122 @@ name: envoy.filters.network.reverse_tunnel } // End-to-end test where the downstream reverse connection listener (rc://) initiates a -// connection to an upstream listener running the reverse_tunnel filter. The downstream +// connection to upstream envoy instance running the reverse_tunnel filter. The downstream // side sends HTTP headers using the same helpers as the upstream expects, and the upstream // socket manager updates connection stats. We verify the gauges to confirm full flow. -TEST_P(ReverseTunnelFilterIntegrationTest, FullFlowWithDownstreamSocketInterface) { - // Configure two bootstrap extensions (downstream and upstream socket interfaces), - // two listeners (upstream reverse_tunnel listener and a reverse connection listener), - // and a cluster that targets the upstream listener via an internal address. - config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - // Add upstream socket interface bootstrap extension. - { - auto* ext = bootstrap.add_bootstrap_extensions(); - ext->set_name("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); - auto* any = ext->mutable_typed_config(); - any->set_type_url("type.googleapis.com/" - "envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3." - "UpstreamReverseConnectionSocketInterface"); - } - - // Add downstream socket interface bootstrap extension. - { - auto* ext = bootstrap.add_bootstrap_extensions(); - ext->set_name("envoy.bootstrap.reverse_tunnel.downstream_socket_interface"); - auto* any = ext->mutable_typed_config(); - any->set_type_url("type.googleapis.com/" - "envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3." - "DownstreamReverseConnectionSocketInterface"); - } - - // Ensure we have at least one listener. We will use the first as the upstream listener - // and clear its filters, then add the reverse_tunnel network filter. - if (bootstrap.static_resources().listeners_size() == 0) { - auto* listener = bootstrap.mutable_static_resources()->add_listeners(); - listener->set_name("upstream_listener"); - auto* sock = listener->mutable_address()->mutable_socket_address(); - sock->set_address("0.0.0.0"); - sock->set_port_value(0); - } - - auto* upstream_listener = bootstrap.mutable_static_resources()->mutable_listeners(0); - upstream_listener->set_name("upstream_listener"); - if (upstream_listener->filter_chains_size() > 0) { - upstream_listener->mutable_filter_chains(0)->clear_filters(); - } else { - upstream_listener->add_filter_chains(); - } - { - auto* filter = upstream_listener->mutable_filter_chains(0)->add_filters(); - filter->set_name("envoy.filters.network.reverse_tunnel"); - envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel rt_cfg; - rt_cfg.mutable_ping_interval()->set_seconds(2); - rt_cfg.set_auto_close_connections(false); - rt_cfg.set_request_path("/reverse_connections/request"); - rt_cfg.set_request_method("GET"); - Protobuf::Any* typed_config = filter->mutable_typed_config(); - typed_config->PackFrom(rt_cfg); +TEST_P(ReverseTunnelFilterIntegrationTest, FullFlowWithTwoInstances) { + envoy::config::bootstrap::v3::Bootstrap upstream_bootstrap; + + // Configure admin. + upstream_bootstrap.mutable_admin()->mutable_address()->mutable_socket_address()->set_address( + "127.0.0.1"); + upstream_bootstrap.mutable_admin()->mutable_address()->mutable_socket_address()->set_port_value( + 0); + + // Add upstream socket interface bootstrap extension. + auto* ext = upstream_bootstrap.add_bootstrap_extensions(); + ext->set_name("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + ext->mutable_typed_config()->set_type_url( + "type.googleapis.com/" + "envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3." + "UpstreamReverseConnectionSocketInterface"); + + // Configure listener with reverse tunnel filter. + auto* listener = upstream_bootstrap.mutable_static_resources()->add_listeners(); + listener->set_name("upstream_listener"); + listener->mutable_address()->mutable_socket_address()->set_address("127.0.0.1"); + listener->mutable_address()->mutable_socket_address()->set_port_value(0); + + auto* filter_chain = listener->add_filter_chains(); + auto* filter = filter_chain->add_filters(); + filter->set_name("envoy.filters.network.reverse_tunnel"); + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel rt_config; + rt_config.mutable_ping_interval()->set_seconds(2); + rt_config.set_auto_close_connections(false); + rt_config.set_request_path("/reverse_connections/request"); + rt_config.set_request_method("GET"); + filter->mutable_typed_config()->PackFrom(rt_config); + + // Write config to file using standard approach. + const std::string upstream_config_path = TestEnvironment::writeStringToFileForTest( + "upstream_bootstrap.pb", TestUtility::getProtobufBinaryStringFromMessage(upstream_bootstrap)); + + // Create upstream server. + auto upstream_server = IntegrationTestServer::create(upstream_config_path, GetParam(), nullptr, + nullptr, absl::nullopt, timeSystem(), *api_); + upstream_server->waitUntilListenersReady(); + + // Get the upstream listener port - access through the listener manager properly. + uint32_t upstream_port = 0; + const auto& listeners = upstream_server->server().listenerManager().listeners(); + if (!listeners.empty()) { + // Get the upstream listener port. This is the port the downstream will connect to. + const auto& listener_ref = listeners[0]; + const auto& socket_factories = listener_ref.get().listenSocketFactories(); + if (!socket_factories.empty()) { + Network::Address::InstanceConstSharedPtr listener_addr = socket_factories[0]->localAddress(); + if (listener_addr->ip()) { + upstream_port = listener_addr->ip()->port(); + } } + } - // Add an additional listener that uses the rc:// resolver to initiate reverse connections. - auto* rc_listener = bootstrap.mutable_static_resources()->add_listeners(); - rc_listener->set_name("reverse_connection_listener"); - auto* rc_sock = rc_listener->mutable_address()->mutable_socket_address(); - // rc://::@: - rc_sock->set_address( - "rc://integration-test-node:integration-test-cluster:integration-test-tenant@" - "upstream_cluster:1"); - rc_sock->set_port_value(0); - // Tell Envoy to use our custom resolver for rc:// scheme. - rc_sock->set_resolver_name("envoy.resolvers.reverse_connection"); - // Minimal filter chain; echo is fine since accept() returns a connected socket. - auto* rc_chain = rc_listener->add_filter_chains(); - auto* echo_filter = rc_chain->add_filters(); - echo_filter->set_name("envoy.filters.network.echo"); - auto* echo_any = echo_filter->mutable_typed_config(); - echo_any->set_type_url("type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo"); - - // Define the upstream cluster that points to the upstream_listener via internal address. - auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); - cluster->set_name("upstream_cluster"); - cluster->set_type(envoy::config::cluster::v3::Cluster::STATIC); - cluster->mutable_load_assignment()->set_cluster_name("upstream_cluster"); - // Configure transport socket for internal upstream connections. - auto* ts = cluster->mutable_transport_socket(); - ts->set_name("envoy.transport_sockets.internal_upstream"); - envoy::extensions::transport_sockets::internal_upstream::v3::InternalUpstreamTransport ts_cfg; - // Wrap a raw_buffer transport socket as the underlying transport. - auto* inner_ts = ts_cfg.mutable_transport_socket(); - inner_ts->set_name("envoy.transport_sockets.raw_buffer"); - Protobuf::Any* inner_any = inner_ts->mutable_typed_config(); - inner_any->set_type_url( - "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"); - Protobuf::Any* ts_any = ts->mutable_typed_config(); - ts_any->PackFrom(ts_cfg); - - auto* locality = cluster->mutable_load_assignment()->add_endpoints(); - auto* lb_endpoint = locality->add_lb_endpoints(); - auto* endpoint = lb_endpoint->mutable_endpoint(); - auto* ep_addr = endpoint->mutable_address()->mutable_envoy_internal_address(); - ep_addr->set_server_listener_name("upstream_listener"); - ep_addr->set_endpoint_id("rt_endpoint"); - }); - + // Set up the downstream Envoy instance with downstream socket interface + + // reverse_connection_listener + config_helper_.addBootstrapExtension(R"EOF( +name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface +typed_config: + "@type": "type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface" +)EOF"); + + config_helper_.addConfigModifier( + [upstream_port](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Clear the default listener and add reverse connection listener + bootstrap.mutable_static_resources()->clear_listeners(); + + auto* rc_listener = bootstrap.mutable_static_resources()->add_listeners(); + rc_listener->set_name("reverse_connection_listener"); + auto* rc_sock = rc_listener->mutable_address()->mutable_socket_address(); + // rc://::@: + rc_sock->set_address( + "rc://integration-test-node:integration-test-cluster:integration-test-tenant@" + "upstream_cluster:1"); + rc_sock->set_port_value(0); + rc_sock->set_resolver_name("envoy.resolvers.reverse_connection"); + + // Add echo filter for the reverse connection listener + auto* rc_chain = rc_listener->add_filter_chains(); + auto* echo_filter = rc_chain->add_filters(); + echo_filter->set_name("envoy.filters.network.echo"); + auto* echo_any = echo_filter->mutable_typed_config(); + echo_any->set_type_url("type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo"); + + // Define upstream cluster pointing to the real upstream instance + auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); + cluster->set_name("upstream_cluster"); + cluster->set_type(envoy::config::cluster::v3::Cluster::STATIC); + cluster->mutable_load_assignment()->set_cluster_name("upstream_cluster"); + + auto* locality = cluster->mutable_load_assignment()->add_endpoints(); + auto* lb_endpoint = locality->add_lb_endpoints(); + auto* endpoint = lb_endpoint->mutable_endpoint(); + auto* addr = endpoint->mutable_address()->mutable_socket_address(); + addr->set_address("127.0.0.1"); + addr->set_port_value(upstream_port); + }); + + // Initialize downstream instance. BaseIntegrationTest::initialize(); - // Wait for the upstream side to record at least one accepted connection for the node and cluster. - // ReverseTunnelAcceptorExtension publishes gauges with names: - // reverse_connections.nodes. - // reverse_connections.clusters. - test_server_->waitForGaugeEq("reverse_connections.nodes.integration-test-node", 1); - test_server_->waitForGaugeEq("reverse_connections.clusters.integration-test-cluster", 1); + // Wait a bit for connections to establish. + timeSystem().advanceTimeWait(std::chrono::milliseconds(1000)); + + // Wait for connections to be established - these gauges should be available on the downstream + // instance which initiates the reverse connections. + test_server_->waitForGaugeEq( + fmt::format("reverse_connections.host.127.0.0.1:{}.connected", upstream_port), 1); + test_server_->waitForGaugeEq("reverse_connections.cluster.upstream_cluster.connected", 1); } } // namespace From 566f5a3b8219c7bbd559e582fbc76f00b42956ff Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Tue, 16 Sep 2025 08:45:35 -0400 Subject: [PATCH 405/505] health-check: avoid NaN cluster_min_healthy_percentages in health_check filter (#41059) Signed-off-by: Yanjun Xiang --- .../filters/http/health_check/config.cc | 4 +++ ...inimized-filter_fuzz_test-5621461680455680 | 7 ++++ .../http_connection_manager/config_test.cc | 32 +++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-minimized-filter_fuzz_test-5621461680455680 diff --git a/source/extensions/filters/http/health_check/config.cc b/source/extensions/filters/http/health_check/config.cc index dcf464deb74b8..f2448ac592060 100644 --- a/source/extensions/filters/http/health_check/config.cc +++ b/source/extensions/filters/http/health_check/config.cc @@ -44,6 +44,10 @@ Http::FilterFactoryCb HealthCheckFilterConfig::createFilterFactoryFromProtoTyped if (!pass_through_mode && !proto_config.cluster_min_healthy_percentages().empty()) { auto cluster_to_percentage = std::make_unique(); for (const auto& item : proto_config.cluster_min_healthy_percentages()) { + if (std::isnan(item.second.value())) { + throw EnvoyException(absl::StrCat( + "cluster_min_healthy_percentages contains a NaN value for cluster: ", item.first)); + } cluster_to_percentage->emplace(std::make_pair(item.first, item.second.value())); } cluster_min_healthy_percentages = std::move(cluster_to_percentage); diff --git a/test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-minimized-filter_fuzz_test-5621461680455680 b/test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-minimized-filter_fuzz_test-5621461680455680 new file mode 100644 index 0000000000000..d817b33577852 --- /dev/null +++ b/test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-minimized-filter_fuzz_test-5621461680455680 @@ -0,0 +1,7 @@ +config { + name: "envoy.filters.http.health_check" + typed_config { + type_url: "type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck" + value: "\n\000\"\r\n\000\022\t\t\372\377\377\377\377\377\377\377" + } +} diff --git a/test/extensions/filters/network/http_connection_manager/config_test.cc b/test/extensions/filters/network/http_connection_manager/config_test.cc index 56120bd3d5bcc..3ebc18497a5ac 100644 --- a/test/extensions/filters/network/http_connection_manager/config_test.cc +++ b/test/extensions/filters/network/http_connection_manager/config_test.cc @@ -3596,6 +3596,38 @@ TEST_F(HttpConnectionManagerConfigTest, TranslateLegacyConfigToDefaultHeaderVali #endif } +TEST_F(HttpConnectionManagerConfigTest, HealtchCheckIncorrectConfigTest) { + const std::string yaml_string = R"EOF( +codec_type: http1 +server_name: foo +stat_prefix: router +route_config: + virtual_hosts: + - name: service + domains: + - "*" + routes: + - match: + prefix: "/" + route: + cluster: cluster +http_filters: +- name: health_check + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + pass_through_mode: false + cluster_min_healthy_percentages: + test: {value: nan} +- name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + )EOF"; + + EXPECT_THROW_WITH_MESSAGE( + createHttpConnectionManagerConfig(yaml_string), EnvoyException, + "cluster_min_healthy_percentages contains a NaN value for cluster: test"); +} + class HcmUtilityTest : public testing::Test { public: HcmUtilityTest() { From f788171f32b4d269b845a6254aae5662199d5f57 Mon Sep 17 00:00:00 2001 From: Paul Ogilby Date: Tue, 16 Sep 2025 10:23:44 -0400 Subject: [PATCH 406/505] Move Locality WRR schedulers out of HostSetImpl (#40682) Commit Message: Move Locality WRR schedulers out of `HostSetImpl` and into `ZoneAwareLoadBalancerBase`. Additional Description: HostSet and PrioritySet currently have a substantial amount of endpoint-picking logic present in them. This PR is a step towards moving some of that logic into the load balancers, where it belongs. Risk Level: low Testing: unit tests formerly for HostSetImpl have been moved to WrrLocality tests. Docs Changes: none Release Notes: yes Platform Specific Features: Fixes #40670 --------- Signed-off-by: Paul Ogilby --- changelogs/current.yaml | 5 + envoy/upstream/upstream.h | 17 +- source/common/runtime/runtime_features.cc | 1 + source/common/upstream/BUILD | 1 - .../common/upstream/cluster_manager_impl.cc | 8 +- source/common/upstream/cluster_manager_impl.h | 2 +- .../upstream/health_discovery_service.cc | 8 +- source/common/upstream/upstream_impl.cc | 139 +------ source/common/upstream/upstream_impl.h | 66 +--- .../extensions/clusters/aggregate/cluster.cc | 4 +- source/extensions/clusters/dns/dns_cluster.cc | 2 +- .../clusters/dynamic_forward_proxy/cluster.cc | 2 +- source/extensions/clusters/eds/eds.cc | 10 +- .../logical_dns/logical_dns_cluster.cc | 2 +- .../original_dst/original_dst_cluster.cc | 6 +- .../clusters/redis/redis_cluster.cc | 2 +- .../clusters/static/static_cluster.cc | 2 +- .../clusters/strict_dns/strict_dns_cluster.cc | 2 +- .../load_balancing_policies/common/BUILD | 11 + .../common/load_balancer_impl.cc | 21 +- .../common/load_balancer_impl.h | 18 + .../common/locality_wrr.cc | 108 +++++ .../common/locality_wrr.h | 74 ++++ .../subset/subset_lb.cc | 26 +- .../subset/subset_lb.h | 15 +- .../cluster_manager_lifecycle_test.cc | 48 +-- .../upstream/cluster_manager_misc_test.cc | 2 +- .../upstream/load_balancer_simulation_test.cc | 4 +- test/common/upstream/upstream_impl_test.cc | 374 +----------------- test/common/upstream/utility.h | 14 + .../clusters/aggregate/cluster_test.cc | 4 +- .../clusters/aggregate/cluster_update_test.cc | 8 +- .../load_balancing_policies/common/BUILD | 14 + .../common/benchmark_base_tester.cc | 4 +- .../common/locality_wrr_test.cc | 368 +++++++++++++++++ .../least_request_lb_simulation_test.cc | 2 +- .../random/random_lb_simulation_test.cc | 2 +- .../round_robin/round_robin_lb_test.cc | 21 +- .../subset/subset_benchmark.cc | 4 +- .../subset/subset_test.cc | 8 +- test/mocks/upstream/host_set.h | 2 - test/mocks/upstream/priority_set.h | 3 +- 42 files changed, 759 insertions(+), 675 deletions(-) create mode 100644 source/extensions/load_balancing_policies/common/locality_wrr.cc create mode 100644 source/extensions/load_balancing_policies/common/locality_wrr.h create mode 100644 test/extensions/load_balancing_policies/common/locality_wrr_test.cc diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 637c9c8d0f489..039b89ee8e8e2 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -15,6 +15,11 @@ behavior_changes: change: | Reverted `#39740 `_ to re-enable ``fail_open`` + ``FULL_DUPLEX_STREAMED`` configuration combination. +- area: load balancing + change: | + Moved locality WRR structures out of HostSetImpl and into a separate class. Locality WRR schedulers are now by default owned + and constructed by the underlying Zone Aware LB, instead of owned and constructed by the Host Set. There should be no visible + behavior change for existing users of Zone Aware LBs. minor_behavior_changes: # *Changes that may cause incompatibilities for some users, but should not for most* diff --git a/envoy/upstream/upstream.h b/envoy/upstream/upstream.h index bc25159891814..5e269ecb58501 100644 --- a/envoy/upstream/upstream.h +++ b/envoy/upstream/upstream.h @@ -474,18 +474,6 @@ class HostSet { */ virtual LocalityWeightsConstSharedPtr localityWeights() const PURE; - /** - * @return next locality index to route to if performing locality weighted balancing - * against healthy hosts. - */ - virtual absl::optional chooseHealthyLocality() PURE; - - /** - * @return next locality index to route to if performing locality weighted balancing - * against degraded hosts. - */ - virtual absl::optional chooseDegradedLocality() PURE; - /** * @return uint32_t the priority of this host set. */ @@ -578,7 +566,6 @@ class PrioritySet { * @param locality_weights supplies a map from locality to associated weight. * @param hosts_added supplies the hosts added since the last update. * @param hosts_removed supplies the hosts removed since the last update. - * @param seed a random number to initialize the locality load-balancing algorithm. * @param weighted_priority_health if present, overwrites the current weighted_priority_health. * @param overprovisioning_factor if present, overwrites the current overprovisioning_factor. * @param cross_priority_host_map read only cross-priority host map which is created in the main @@ -587,7 +574,7 @@ class PrioritySet { virtual void updateHosts(uint32_t priority, UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, const HostVector& hosts_removed, - uint64_t seed, absl::optional weighted_priority_health, + absl::optional weighted_priority_health, absl::optional overprovisioning_factor, HostMapConstSharedPtr cross_priority_host_map = nullptr) PURE; @@ -611,7 +598,7 @@ class PrioritySet { virtual void updateHosts(uint32_t priority, UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, const HostVector& hosts_removed, - uint64_t seed, absl::optional weighted_priority_health, + absl::optional weighted_priority_health, absl::optional overprovisioning_factor) PURE; }; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 5b4a9c8774a9c..b25a151963428 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -84,6 +84,7 @@ RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_websocket_allow_4xx_5xx_through_filter_chain); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); +RUNTIME_GUARD(envoy_restart_features_move_locality_schedulers_to_lb); RUNTIME_GUARD(envoy_restart_features_raise_file_limits); RUNTIME_GUARD(envoy_restart_features_skip_backing_cluster_check_for_sds); RUNTIME_GUARD(envoy_restart_features_use_eds_cache_for_ads); diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD index f23a843982340..061909f4e1cbf 100644 --- a/source/common/upstream/BUILD +++ b/source/common/upstream/BUILD @@ -438,7 +438,6 @@ envoy_cc_library( deps = [ ":load_balancer_context_base_lib", ":resource_manager_lib", - ":scheduler_lib", ":upstream_factory_context_lib", "//envoy/event:timer_interface", "//envoy/filter:config_provider_manager_interface", diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index d633bea191ab9..32ded33a6d6f5 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -1481,13 +1481,13 @@ void ClusterManagerImpl::ThreadLocalClusterManagerImpl::ClusterEntry::updateHost const std::string& name, uint32_t priority, PrioritySet::UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, absl::optional weighted_priority_health, + const HostVector& hosts_removed, absl::optional weighted_priority_health, absl::optional overprovisioning_factor, HostMapConstSharedPtr cross_priority_host_map) { ENVOY_LOG(debug, "membership update for TLS cluster {} added {} removed {}", name, hosts_added.size(), hosts_removed.size()); priority_set_.updateHosts(priority, std::move(update_hosts_params), std::move(locality_weights), - hosts_added, hosts_removed, seed, weighted_priority_health, + hosts_added, hosts_removed, weighted_priority_health, overprovisioning_factor, std::move(cross_priority_host_map)); // If an LB is thread aware, create a new worker local LB on membership changes. if (lb_factory_ != nullptr && lb_factory_->recreateOnHostChange()) { @@ -1794,8 +1794,8 @@ void ClusterManagerImpl::ThreadLocalClusterManagerImpl::updateClusterMembership( const auto& cluster_entry = thread_local_clusters_[name]; cluster_entry->updateHosts(name, priority, std::move(update_hosts_params), std::move(locality_weights), hosts_added, hosts_removed, - parent_.random_.random(), weighted_priority_health, - overprovisioning_factor, std::move(cross_priority_host_map)); + weighted_priority_health, overprovisioning_factor, + std::move(cross_priority_host_map)); } void ClusterManagerImpl::ThreadLocalClusterManagerImpl::onHostHealthFailure( diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index c81e6d97061b2..51b34f180df5d 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h @@ -604,7 +604,7 @@ class ClusterManagerImpl : public ClusterManager, PrioritySet::UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, const HostVector& hosts_removed, - uint64_t seed, absl::optional weighted_priority_health, + absl::optional weighted_priority_health, absl::optional overprovisioning_factor, HostMapConstSharedPtr cross_priority_host_map); diff --git a/source/common/upstream/health_discovery_service.cc b/source/common/upstream/health_discovery_service.cc index e27918cae5eaa..e3c0d9e2dcf61 100644 --- a/source/common/upstream/health_discovery_service.cc +++ b/source/common/upstream/health_discovery_service.cc @@ -527,9 +527,8 @@ void HdsCluster::updateHosts( // Update the priority set. hosts_per_locality_ = std::make_shared(std::move(hosts_by_locality), false); - priority_set_.updateHosts( - 0, HostSetImpl::partitionHosts(hosts_, hosts_per_locality_), {}, hosts_added, hosts_removed, - server_context_.api().randomGenerator().random(), absl::nullopt, absl::nullopt); + priority_set_.updateHosts(0, HostSetImpl::partitionHosts(hosts_, hosts_per_locality_), {}, + hosts_added, hosts_removed, absl::nullopt, absl::nullopt); } ClusterSharedPtr HdsCluster::create() { return nullptr; } @@ -558,8 +557,7 @@ void HdsCluster::initialize(std::function callback) { } // Use the ungrouped and grouped hosts lists to retain locality structure in the priority set. priority_set_.updateHosts(0, HostSetImpl::partitionHosts(hosts_, hosts_per_locality_), {}, - *hosts_, {}, server_context_.api().randomGenerator().random(), - absl::nullopt, absl::nullopt); + *hosts_, {}, absl::nullopt, absl::nullopt); initialized_ = true; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 7b283b5c29db0..d1d9fdddcb007 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -729,7 +729,7 @@ std::vector HostsPerLocalityImpl::filter( void HostSetImpl::updateHosts(PrioritySet::UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, const HostVector& hosts_removed, - uint64_t seed, absl::optional weighted_priority_health, + absl::optional weighted_priority_health, absl::optional overprovisioning_factor) { if (weighted_priority_health.has_value()) { weighted_priority_health_ = weighted_priority_health.value(); @@ -748,86 +748,9 @@ void HostSetImpl::updateHosts(PrioritySet::UpdateHostsParams&& update_hosts_para excluded_hosts_per_locality_ = std::move(update_hosts_params.excluded_hosts_per_locality); locality_weights_ = std::move(locality_weights); - // TODO(ggreenway): implement `weighted_priority_health` support in `rebuildLocalityScheduler`. - rebuildLocalityScheduler(healthy_locality_scheduler_, healthy_locality_entries_, - *healthy_hosts_per_locality_, healthy_hosts_->get(), hosts_per_locality_, - excluded_hosts_per_locality_, locality_weights_, - overprovisioning_factor_, seed); - rebuildLocalityScheduler(degraded_locality_scheduler_, degraded_locality_entries_, - *degraded_hosts_per_locality_, degraded_hosts_->get(), - hosts_per_locality_, excluded_hosts_per_locality_, locality_weights_, - overprovisioning_factor_, seed); - THROW_IF_NOT_OK(runUpdateCallbacks(hosts_added, hosts_removed)); } -void HostSetImpl::rebuildLocalityScheduler( - std::unique_ptr>& locality_scheduler, - std::vector>& locality_entries, - const HostsPerLocality& eligible_hosts_per_locality, const HostVector& eligible_hosts, - HostsPerLocalityConstSharedPtr all_hosts_per_locality, - HostsPerLocalityConstSharedPtr excluded_hosts_per_locality, - LocalityWeightsConstSharedPtr locality_weights, uint32_t overprovisioning_factor, - uint64_t seed) { - // Rebuild the locality scheduler by computing the effective weight of each - // locality in this priority. The scheduler is reset by default, and is rebuilt only if we have - // locality weights (i.e. using EDS) and there is at least one eligible host in this priority. - // - // We omit building a scheduler when there are zero eligible hosts in the priority as - // all the localities will have zero effective weight. At selection time, we'll either select - // from a different scheduler or there will be no available hosts in the priority. At that point - // we'll rely on other mechanisms such as panic mode to select a host, none of which rely on the - // scheduler. - // - // TODO(htuch): if the underlying locality index -> - // envoy::config::core::v3::Locality hasn't changed in hosts_/healthy_hosts_/degraded_hosts_, we - // could just update locality_weight_ without rebuilding. Similar to how host - // level WRR works, we would age out the existing entries via picks and lazily - // apply the new weights. - locality_scheduler = nullptr; - if (all_hosts_per_locality != nullptr && locality_weights != nullptr && - !locality_weights->empty() && !eligible_hosts.empty()) { - locality_entries.clear(); - for (uint32_t i = 0; i < all_hosts_per_locality->get().size(); ++i) { - const double effective_weight = effectiveLocalityWeight( - i, eligible_hosts_per_locality, *excluded_hosts_per_locality, *all_hosts_per_locality, - *locality_weights, overprovisioning_factor); - if (effective_weight > 0) { - locality_entries.emplace_back(std::make_shared(i, effective_weight)); - } - } - // If not all effective weights were zero, create the scheduler. - if (!locality_entries.empty()) { - locality_scheduler = std::make_unique>( - EdfScheduler::createWithPicks( - locality_entries, [](const LocalityEntry& entry) { return entry.effective_weight_; }, - seed)); - } - } -} - -absl::optional HostSetImpl::chooseHealthyLocality() { - return chooseLocality(healthy_locality_scheduler_.get()); -} - -absl::optional HostSetImpl::chooseDegradedLocality() { - return chooseLocality(degraded_locality_scheduler_.get()); -} - -absl::optional -HostSetImpl::chooseLocality(EdfScheduler* locality_scheduler) { - if (locality_scheduler == nullptr) { - return {}; - } - const std::shared_ptr locality = locality_scheduler->pickAndAdd( - [](const LocalityEntry& locality) { return locality.effective_weight_; }); - // We don't build a schedule if there are no weighted localities, so we should always succeed. - ASSERT(locality != nullptr); - // If we picked it before, its weight must have been positive. - ASSERT(locality->effective_weight_ > 0); - return locality->index_; -} - PrioritySet::UpdateHostsParams HostSetImpl::updateHostsParams(HostVectorConstSharedPtr hosts, HostsPerLocalityConstSharedPtr hosts_per_locality, @@ -869,29 +792,6 @@ HostSetImpl::partitionHosts(HostVectorConstSharedPtr hosts, std::move(std::get<2>(healthy_degraded_excluded_hosts_per_locality))); } -double HostSetImpl::effectiveLocalityWeight(uint32_t index, - const HostsPerLocality& eligible_hosts_per_locality, - const HostsPerLocality& excluded_hosts_per_locality, - const HostsPerLocality& all_hosts_per_locality, - const LocalityWeights& locality_weights, - uint32_t overprovisioning_factor) { - const auto& locality_eligible_hosts = eligible_hosts_per_locality.get()[index]; - const uint32_t excluded_count = excluded_hosts_per_locality.get().size() > index - ? excluded_hosts_per_locality.get()[index].size() - : 0; - const auto host_count = all_hosts_per_locality.get()[index].size() - excluded_count; - if (host_count == 0) { - return 0.0; - } - const double locality_availability_ratio = 1.0 * locality_eligible_hosts.size() / host_count; - const uint32_t weight = locality_weights[index]; - // Availability ranges from 0-1.0, and is the ratio of eligible hosts to total hosts, modified - // by the overprovisioning factor. - const double effective_locality_availability_ratio = - std::min(1.0, (overprovisioning_factor / 100.0) * locality_availability_ratio); - return weight * effective_locality_availability_ratio; -} - const HostSet& PrioritySetImpl::getOrCreateHostSet(uint32_t priority, absl::optional weighted_priority_health, @@ -913,7 +813,7 @@ PrioritySetImpl::getOrCreateHostSet(uint32_t priority, void PrioritySetImpl::updateHosts(uint32_t priority, UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, const HostVector& hosts_removed, - uint64_t seed, absl::optional weighted_priority_health, + absl::optional weighted_priority_health, absl::optional overprovisioning_factor, HostMapConstSharedPtr cross_priority_host_map) { // Update cross priority host map first. In this way, when the update callbacks of the priority @@ -926,7 +826,7 @@ void PrioritySetImpl::updateHosts(uint32_t priority, UpdateHostsParams&& update_ getOrCreateHostSet(priority, weighted_priority_health, overprovisioning_factor); static_cast(host_sets_[priority].get()) ->updateHosts(std::move(update_hosts_params), std::move(locality_weights), hosts_added, - hosts_removed, seed, weighted_priority_health, overprovisioning_factor); + hosts_removed, weighted_priority_health, overprovisioning_factor); if (!batch_update_) { THROW_IF_NOT_OK(runUpdateCallbacks(hosts_added, hosts_removed)); @@ -949,7 +849,7 @@ void PrioritySetImpl::batchHostUpdate(BatchUpdateCb& callback) { void PrioritySetImpl::BatchUpdateScope::updateHosts( uint32_t priority, PrioritySet::UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, absl::optional weighted_priority_health, + const HostVector& hosts_removed, absl::optional weighted_priority_health, absl::optional overprovisioning_factor) { // We assume that each call updates a different priority. ASSERT(priorities_.find(priority) == priorities_.end()); @@ -964,13 +864,13 @@ void PrioritySetImpl::BatchUpdateScope::updateHosts( } parent_.updateHosts(priority, std::move(update_hosts_params), locality_weights, hosts_added, - hosts_removed, seed, weighted_priority_health, overprovisioning_factor); + hosts_removed, weighted_priority_health, overprovisioning_factor); } void MainPrioritySetImpl::updateHosts(uint32_t priority, UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, + const HostVector& hosts_removed, absl::optional weighted_priority_health, absl::optional overprovisioning_factor, HostMapConstSharedPtr cross_priority_host_map) { @@ -979,7 +879,7 @@ void MainPrioritySetImpl::updateHosts(uint32_t priority, UpdateHostsParams&& upd updateCrossPriorityHostMap(priority, hosts_added, hosts_removed); PrioritySetImpl::updateHosts(priority, std::move(update_hosts_params), locality_weights, - hosts_added, hosts_removed, seed, weighted_priority_health, + hosts_added, hosts_removed, weighted_priority_health, overprovisioning_factor); } @@ -1939,9 +1839,9 @@ void ClusterImplBase::reloadHealthyHostsHelper(const HostSharedPtr&) { HostVectorConstSharedPtr hosts_copy = std::make_shared(host_set->hosts()); HostsPerLocalityConstSharedPtr hosts_per_locality_copy = host_set->hostsPerLocality().clone(); - prioritySet().updateHosts( - priority, HostSetImpl::partitionHosts(hosts_copy, hosts_per_locality_copy), - host_set->localityWeights(), {}, {}, random_.random(), absl::nullopt, absl::nullopt); + prioritySet().updateHosts(priority, + HostSetImpl::partitionHosts(hosts_copy, hosts_per_locality_copy), + host_set->localityWeights(), {}, {}, absl::nullopt, absl::nullopt); } } @@ -2177,10 +2077,8 @@ ClusterInfoImpl::ResourceManagers::load(const envoy::config::cluster::v3::Cluste PriorityStateManager::PriorityStateManager(ClusterImplBase& cluster, const LocalInfo::LocalInfo& local_info, - PrioritySet::HostUpdateCb* update_cb, - Random::RandomGenerator& random) - : parent_(cluster), local_info_node_(local_info.node()), update_cb_(update_cb), - random_(random) {} + PrioritySet::HostUpdateCb* update_cb) + : parent_(cluster), local_info_node_(local_info.node()), update_cb_(update_cb) {} void PriorityStateManager::initializePriorityFor( const envoy::config::endpoint::v3::LocalityLbEndpoints& locality_lb_endpoint) { @@ -2294,14 +2192,13 @@ void PriorityStateManager::updateClusterPrioritySet( if (update_cb_ != nullptr) { update_cb_->updateHosts(priority, HostSetImpl::partitionHosts(hosts, per_locality_shared), std::move(locality_weights), hosts_added.value_or(*hosts), - hosts_removed.value_or({}), random_.random(), - weighted_priority_health, overprovisioning_factor); + hosts_removed.value_or({}), weighted_priority_health, + overprovisioning_factor); } else { - parent_.prioritySet().updateHosts(priority, - HostSetImpl::partitionHosts(hosts, per_locality_shared), - std::move(locality_weights), hosts_added.value_or(*hosts), - hosts_removed.value_or({}), random_.random(), - weighted_priority_health, overprovisioning_factor); + parent_.prioritySet().updateHosts( + priority, HostSetImpl::partitionHosts(hosts, per_locality_shared), + std::move(locality_weights), hosts_added.value_or(*hosts), + hosts_removed.value_or({}), weighted_priority_health, overprovisioning_factor); } } diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index d3e34a0f87ab1..481c3602d2fe7 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -58,7 +58,6 @@ #include "source/common/orca/orca_load_metrics.h" #include "source/common/shared_pool/shared_pool.h" #include "source/common/stats/isolated_store_impl.h" -#include "source/common/upstream/edf_scheduler.h" #include "source/common/upstream/load_balancer_context_base.h" #include "source/common/upstream/resource_manager_impl.h" #include "source/common/upstream/transport_socket_match_impl.h" @@ -598,8 +597,6 @@ class HostSetImpl : public HostSet { return excluded_hosts_per_locality_; } LocalityWeightsConstSharedPtr localityWeights() const override { return locality_weights_; } - absl::optional chooseHealthyLocality() override; - absl::optional chooseDegradedLocality() override; uint32_t priority() const override { return priority_; } uint32_t overprovisioningFactor() const override { return overprovisioning_factor_; } bool weightedPriorityHealth() const override { return weighted_priority_health_; } @@ -619,7 +616,7 @@ class HostSetImpl : public HostSet { void updateHosts(PrioritySet::UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, + const HostVector& hosts_removed, absl::optional weighted_priority_health = absl::nullopt, absl::optional overprovisioning_factor = absl::nullopt); @@ -630,15 +627,6 @@ class HostSetImpl : public HostSet { } private: - // Weight for a locality taking into account health status using the provided eligible hosts per - // locality. - static double effectiveLocalityWeight(uint32_t index, - const HostsPerLocality& eligible_hosts_per_locality, - const HostsPerLocality& excluded_hosts_per_locality, - const HostsPerLocality& all_hosts_per_locality, - const LocalityWeights& locality_weights, - uint32_t overprovisioning_factor); - const uint32_t priority_; uint32_t overprovisioning_factor_; bool weighted_priority_health_; @@ -653,48 +641,8 @@ class HostSetImpl : public HostSet { // TODO(mattklein123): Remove mutable. mutable Common::CallbackManager member_update_cb_helper_; - // Locality weights (used to build WRR locality_scheduler_); + // Locality weights. LocalityWeightsConstSharedPtr locality_weights_; - // WRR locality scheduler state. - struct LocalityEntry { - LocalityEntry(uint32_t index, double effective_weight) - : index_(index), effective_weight_(effective_weight) {} - const uint32_t index_; - const double effective_weight_; - }; - - // Rebuilds the provided locality scheduler with locality entries based on the locality weights - // and eligible hosts. - // - // @param locality_scheduler the locality scheduler to rebuild. Will be set to nullptr if no - // localities are eligible. - // @param locality_entries the vector that holds locality entries. Will be reset and populated - // with entries corresponding to the new scheduler. - // @param eligible_hosts_per_locality eligible hosts for this scheduler grouped by locality. - // @param eligible_hosts all eligible hosts for this scheduler. - // @param all_hosts_per_locality all hosts for this HostSet grouped by locality. - // @param locality_weights the weighting of each locality. - // @param overprovisioning_factor the overprovisioning factor to use when computing the effective - // weight of a locality. - // @param seed a random number of initial picks to "invoke" on the locality scheduler. This - // allows to distribute the load between different localities across worker threads and a fleet - // of Envoys. - static void - rebuildLocalityScheduler(std::unique_ptr>& locality_scheduler, - std::vector>& locality_entries, - const HostsPerLocality& eligible_hosts_per_locality, - const HostVector& eligible_hosts, - HostsPerLocalityConstSharedPtr all_hosts_per_locality, - HostsPerLocalityConstSharedPtr excluded_hosts_per_locality, - LocalityWeightsConstSharedPtr locality_weights, - uint32_t overprovisioning_factor, uint64_t seed); - - static absl::optional chooseLocality(EdfScheduler* locality_scheduler); - - std::vector> healthy_locality_entries_; - std::unique_ptr> healthy_locality_scheduler_; - std::vector> degraded_locality_entries_; - std::unique_ptr> degraded_locality_scheduler_; }; using HostSetImplPtr = std::unique_ptr; @@ -725,7 +673,7 @@ class PrioritySetImpl : public PrioritySet { void updateHosts(uint32_t priority, UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, + const HostVector& hosts_removed, absl::optional weighted_priority_health = absl::nullopt, absl::optional overprovisioning_factor = absl::nullopt, HostMapConstSharedPtr cross_priority_host_map = nullptr) override; @@ -784,8 +732,7 @@ class PrioritySetImpl : public PrioritySet { void updateHosts(uint32_t priority, PrioritySet::UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, - absl::optional weighted_priority_health, + const HostVector& hosts_removed, absl::optional weighted_priority_health, absl::optional overprovisioning_factor) override; absl::node_hash_set all_hosts_added_; @@ -806,7 +753,7 @@ class MainPrioritySetImpl : public PrioritySetImpl, public Logger::Loggable weighted_priority_health = absl::nullopt, absl::optional overprovisioning_factor = absl::nullopt, HostMapConstSharedPtr cross_priority_host_map = nullptr) override; @@ -1318,7 +1265,7 @@ using ClusterImplBaseSharedPtr = std::shared_ptr; class PriorityStateManager : protected Logger::Loggable { public: PriorityStateManager(ClusterImplBase& cluster, const LocalInfo::LocalInfo& local_info, - PrioritySet::HostUpdateCb* update_cb, Random::RandomGenerator& random); + PrioritySet::HostUpdateCb* update_cb); // Initializes the PriorityState vector based on the priority specified in locality_lb_endpoint. void initializePriorityFor( @@ -1355,7 +1302,6 @@ class PriorityStateManager : protected Logger::Loggable { PriorityState priority_state_; const envoy::config::core::v3::Node& local_info_node_; PrioritySet::HostUpdateCb* update_cb_; - Random::RandomGenerator& random_; }; using PriorityStateManagerPtr = std::unique_ptr; diff --git a/source/extensions/clusters/aggregate/cluster.cc b/source/extensions/clusters/aggregate/cluster.cc index 7b77db6fb14fb..83eee4420f30a 100644 --- a/source/extensions/clusters/aggregate/cluster.cc +++ b/source/extensions/clusters/aggregate/cluster.cc @@ -86,8 +86,8 @@ AggregateClusterLoadBalancer::linearizePrioritySet(OptRef exc if (!host_set->hosts().empty()) { priority_context->priority_set_.updateHosts( next_priority_after_linearizing, Upstream::HostSetImpl::updateHostsParams(*host_set), - host_set->localityWeights(), host_set->hosts(), {}, random_.random(), - host_set->weightedPriorityHealth(), host_set->overprovisioningFactor()); + host_set->localityWeights(), host_set->hosts(), {}, host_set->weightedPriorityHealth(), + host_set->overprovisioningFactor()); priority_context->priority_to_cluster_.emplace_back( std::make_pair(priority_in_current_cluster, tlc)); diff --git a/source/extensions/clusters/dns/dns_cluster.cc b/source/extensions/clusters/dns/dns_cluster.cc index 79410407f0b98..b9939cb52e718 100644 --- a/source/extensions/clusters/dns/dns_cluster.cc +++ b/source/extensions/clusters/dns/dns_cluster.cc @@ -229,7 +229,7 @@ void DnsClusterImpl::startPreInit() { void DnsClusterImpl::updateAllHosts(const HostVector& hosts_added, const HostVector& hosts_removed, uint32_t current_priority) { - PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); + PriorityStateManager priority_state_manager(*this, local_info_, nullptr); // At this point we know that we are different so make a new host list and notify. // // TODO(dio): The uniqueness of a host address resolved in STRICT_DNS cluster per priority is not diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index 12cb648c67a14..f9a63fa12743f 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc @@ -329,7 +329,7 @@ absl::Status Cluster::onDnsHostAddOrUpdate( void Cluster::updatePriorityState(const Upstream::HostVector& hosts_added, const Upstream::HostVector& hosts_removed) { - Upstream::PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); + Upstream::PriorityStateManager priority_state_manager(*this, local_info_, nullptr); priority_state_manager.initializePriorityFor(dummy_locality_lb_endpoint_); { absl::ReaderMutexLock lock{host_map_lock_}; diff --git a/source/extensions/clusters/eds/eds.cc b/source/extensions/clusters/eds/eds.cc index 2384ef494a809..c86a270db4467 100644 --- a/source/extensions/clusters/eds/eds.cc +++ b/source/extensions/clusters/eds/eds.cc @@ -75,8 +75,7 @@ void EdsClusterImpl::startPreInit() { subscription_->start({edsServiceName()}); void EdsClusterImpl::BatchUpdateHelper::batchUpdate(PrioritySet::HostUpdateCb& host_update_cb) { absl::flat_hash_set all_new_hosts; - PriorityStateManager priority_state_manager(parent_, parent_.local_info_, &host_update_cb, - parent_.random_); + PriorityStateManager priority_state_manager(parent_, parent_.local_info_, &host_update_cb); for (const auto& locality_lb_endpoint : cluster_load_assignment_.endpoints()) { THROW_IF_NOT_OK(parent_.validateEndpointsForZoneAwareRouting(locality_lb_endpoint)); @@ -404,10 +403,9 @@ void EdsClusterImpl::reloadHealthyHostsHelper(const HostSharedPtr& host) { HostsPerLocalityConstSharedPtr hosts_per_locality_copy = host_set->hostsPerLocality().filter( {[&host_to_exclude](const Host& host) { return &host != host_to_exclude.get(); }})[0]; - prioritySet().updateHosts(priority, - HostSetImpl::partitionHosts(hosts_copy, hosts_per_locality_copy), - host_set->localityWeights(), {}, hosts_to_remove, random_.random(), - absl::nullopt, absl::nullopt); + prioritySet().updateHosts( + priority, HostSetImpl::partitionHosts(hosts_copy, hosts_per_locality_copy), + host_set->localityWeights(), {}, hosts_to_remove, absl::nullopt, absl::nullopt); } } diff --git a/source/extensions/clusters/logical_dns/logical_dns_cluster.cc b/source/extensions/clusters/logical_dns/logical_dns_cluster.cc index 4f36f440ed1dc..78c215b52c8fd 100644 --- a/source/extensions/clusters/logical_dns/logical_dns_cluster.cc +++ b/source/extensions/clusters/logical_dns/logical_dns_cluster.cc @@ -161,7 +161,7 @@ void LogicalDnsCluster::startResolve() { std::unique_ptr); const auto& locality_lb_endpoint = localityLbEndpoint(); - PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); + PriorityStateManager priority_state_manager(*this, local_info_, nullptr); priority_state_manager.initializePriorityFor(locality_lb_endpoint); priority_state_manager.registerHostForPriority(logical_host_, locality_lb_endpoint); diff --git a/source/extensions/clusters/original_dst/original_dst_cluster.cc b/source/extensions/clusters/original_dst/original_dst_cluster.cc index 1886062fe629f..511f46abad279 100644 --- a/source/extensions/clusters/original_dst/original_dst_cluster.cc +++ b/source/extensions/clusters/original_dst/original_dst_cluster.cc @@ -240,9 +240,9 @@ void OriginalDstCluster::addHost(HostSharedPtr& host) { const auto& first_host_set = priority_set_.getOrCreateHostSet(0); HostVectorSharedPtr all_hosts(new HostVector(first_host_set.hosts())); all_hosts->emplace_back(host); - priority_set_.updateHosts( - 0, HostSetImpl::partitionHosts(all_hosts, HostsPerLocalityImpl::empty()), {}, - {std::move(host)}, {}, random_.random(), absl::nullopt, absl::nullopt); + priority_set_.updateHosts(0, + HostSetImpl::partitionHosts(all_hosts, HostsPerLocalityImpl::empty()), + {}, {std::move(host)}, {}, absl::nullopt, absl::nullopt); } void OriginalDstCluster::cleanup() { diff --git a/source/extensions/clusters/redis/redis_cluster.cc b/source/extensions/clusters/redis/redis_cluster.cc index 72a139f527b40..5c475c8322b6a 100644 --- a/source/extensions/clusters/redis/redis_cluster.cc +++ b/source/extensions/clusters/redis/redis_cluster.cc @@ -123,7 +123,7 @@ void RedisCluster::startPreInit() { void RedisCluster::updateAllHosts(const Upstream::HostVector& hosts_added, const Upstream::HostVector& hosts_removed, uint32_t current_priority) { - Upstream::PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); + Upstream::PriorityStateManager priority_state_manager(*this, local_info_, nullptr); auto locality_lb_endpoint = localityLbEndpoint(); priority_state_manager.initializePriorityFor(locality_lb_endpoint); diff --git a/source/extensions/clusters/static/static_cluster.cc b/source/extensions/clusters/static/static_cluster.cc index 9ecad92156e4e..42a4a8798c769 100644 --- a/source/extensions/clusters/static/static_cluster.cc +++ b/source/extensions/clusters/static/static_cluster.cc @@ -12,7 +12,7 @@ StaticClusterImpl::StaticClusterImpl(const envoy::config::cluster::v3::Cluster& : ClusterImplBase(cluster, context, creation_status) { SET_AND_RETURN_IF_NOT_OK(creation_status, creation_status); priority_state_manager_ = std::make_unique( - *this, context.serverFactoryContext().localInfo(), nullptr, random_); + *this, context.serverFactoryContext().localInfo(), nullptr); const envoy::config::endpoint::v3::ClusterLoadAssignment& cluster_load_assignment = cluster.load_assignment(); overprovisioning_factor_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT( diff --git a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc index acfd8287c23a1..5f2ab6ac8f36f 100644 --- a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc +++ b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc @@ -83,7 +83,7 @@ void StrictDnsClusterImpl::startPreInit() { void StrictDnsClusterImpl::updateAllHosts(const HostVector& hosts_added, const HostVector& hosts_removed, uint32_t current_priority) { - PriorityStateManager priority_state_manager(*this, local_info_, nullptr, random_); + PriorityStateManager priority_state_manager(*this, local_info_, nullptr); // At this point we know that we are different so make a new host list and notify. // // TODO(dio): The uniqueness of a host address resolved in STRICT_DNS cluster per priority is not diff --git a/source/extensions/load_balancing_policies/common/BUILD b/source/extensions/load_balancing_policies/common/BUILD index 21d7e317e6a3d..630c58ed6015a 100644 --- a/source/extensions/load_balancing_policies/common/BUILD +++ b/source/extensions/load_balancing_policies/common/BUILD @@ -34,6 +34,16 @@ envoy_cc_library( ], ) +envoy_cc_library( + name = "locality_wrr_lib", + srcs = ["locality_wrr.cc"], + hdrs = ["locality_wrr.h"], + deps = [ + "//envoy/upstream:upstream_interface", + "//source/common/upstream:scheduler_lib", + ], +) + envoy_cc_library( name = "load_balancer_lib", srcs = ["load_balancer_impl.cc"], @@ -41,6 +51,7 @@ envoy_cc_library( # previously considered core code and used by mobile. visibility = ["//visibility:public"], deps = [ + ":locality_wrr_lib", "//envoy/common:random_generator_interface", "//envoy/runtime:runtime_interface", "//envoy/stats:stats_interface", diff --git a/source/extensions/load_balancing_policies/common/load_balancer_impl.cc b/source/extensions/load_balancing_policies/common/load_balancer_impl.cc index 0c736f110c04d..60c31c890e348 100644 --- a/source/extensions/load_balancing_policies/common/load_balancer_impl.cc +++ b/source/extensions/load_balancing_policies/common/load_balancer_impl.cc @@ -427,6 +427,12 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( locality_config->has_locality_weighted_lb_config()) { ASSERT(!priority_set.hostSetsPerPriority().empty()); resizePerPriorityState(); + if (locality_weighted_balancing_) { + for (uint32_t priority = 0; priority < priority_set_.hostSetsPerPriority().size(); ++priority) { + rebuildLocalityWrrForPriority(priority); + } + } + priority_update_cb_ = priority_set_.addPriorityUpdateCb( [this](uint32_t priority, const HostVector&, const HostVector&) -> absl::Status { // Make sure per_priority_state_ is as large as priority_set_.hostSetsPerPriority() @@ -436,6 +442,10 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( if (local_priority_set_ && priority == 0) { regenerateLocalityRoutingStructures(); } + + if (locality_weighted_balancing_) { + rebuildLocalityWrrForPriority(priority); + } return absl::OkStatus(); }); if (local_priority_set_) { @@ -455,6 +465,13 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( } } +void ZoneAwareLoadBalancerBase::rebuildLocalityWrrForPriority(uint32_t priority) { + ASSERT(priority < priority_set_.hostSetsPerPriority().size()); + auto& host_set = *priority_set_.hostSetsPerPriority()[priority]; + per_priority_state_[priority]->locality_wrr_ = + std::make_unique(host_set, random_.random()); +} + void ZoneAwareLoadBalancerBase::regenerateLocalityRoutingStructures() { ASSERT(local_priority_set_); stats_.lb_recalculate_zone_structures_.inc(); @@ -811,9 +828,9 @@ ZoneAwareLoadBalancerBase::hostSourceToUse(LoadBalancerContext* context, uint64_ if (locality_weighted_balancing_) { absl::optional locality; if (host_availability == HostAvailability::Degraded) { - locality = host_set.chooseDegradedLocality(); + locality = chooseDegradedLocality(host_set); } else { - locality = host_set.chooseHealthyLocality(); + locality = chooseHealthyLocality(host_set); } if (locality.has_value()) { diff --git a/source/extensions/load_balancing_policies/common/load_balancer_impl.h b/source/extensions/load_balancing_policies/common/load_balancer_impl.h index 308f9aafbaa8b..296ad5b6fb456 100644 --- a/source/extensions/load_balancing_policies/common/load_balancer_impl.h +++ b/source/extensions/load_balancing_policies/common/load_balancer_impl.h @@ -20,9 +20,11 @@ #include "envoy/upstream/upstream.h" #include "source/common/protobuf/utility.h" +#include "source/common/runtime/runtime_features.h" #include "source/common/runtime/runtime_protos.h" #include "source/common/upstream/edf_scheduler.h" #include "source/common/upstream/load_balancer_context_base.h" +#include "source/extensions/load_balancing_policies/common/locality_wrr.h" namespace Envoy { namespace Upstream { @@ -435,6 +437,16 @@ class ZoneAwareLoadBalancerBase : public LoadBalancerBase { return absl::nullopt; } + absl::optional chooseHealthyLocality(HostSet& host_set) const { + ASSERT(per_priority_state_[host_set.priority()]->locality_wrr_); + return per_priority_state_[host_set.priority()]->locality_wrr_->chooseHealthyLocality(); + }; + + absl::optional chooseDegradedLocality(HostSet& host_set) const { + ASSERT(per_priority_state_[host_set.priority()]->locality_wrr_); + return per_priority_state_[host_set.priority()]->locality_wrr_->chooseDegradedLocality(); + }; + // The set of local Envoy instances which are load balancing across priority_set_. const PrioritySet* local_priority_set_; @@ -447,8 +459,14 @@ class ZoneAwareLoadBalancerBase : public LoadBalancerBase { // for each of the non-local localities to determine what traffic should be // routed where. std::vector residual_capacity_; + + // Locality Weighted Round Robin config. + std::unique_ptr locality_wrr_; }; using PerPriorityStatePtr = std::unique_ptr; + + void rebuildLocalityWrrForPriority(uint32_t priority); + // Routing state broken out for each priority level in priority_set_. std::vector per_priority_state_; Common::CallbackHandlePtr priority_update_cb_; diff --git a/source/extensions/load_balancing_policies/common/locality_wrr.cc b/source/extensions/load_balancing_policies/common/locality_wrr.cc new file mode 100644 index 0000000000000..1efe8a3feb718 --- /dev/null +++ b/source/extensions/load_balancing_policies/common/locality_wrr.cc @@ -0,0 +1,108 @@ +#include "source/extensions/load_balancing_policies/common/locality_wrr.h" + +namespace Envoy { +namespace Upstream { + +LocalityWrr::LocalityWrr(const HostSet& host_set, uint64_t seed) { + rebuildLocalityScheduler(healthy_locality_scheduler_, healthy_locality_entries_, + host_set.healthyHostsPerLocality(), host_set.healthyHosts(), + host_set.hostsPerLocalityPtr(), host_set.excludedHostsPerLocalityPtr(), + host_set.localityWeights(), host_set.overprovisioningFactor(), seed); + rebuildLocalityScheduler(degraded_locality_scheduler_, degraded_locality_entries_, + host_set.degradedHostsPerLocality(), host_set.degradedHosts(), + host_set.hostsPerLocalityPtr(), host_set.excludedHostsPerLocalityPtr(), + host_set.localityWeights(), host_set.overprovisioningFactor(), seed); +} + +absl::optional LocalityWrr::chooseHealthyLocality() { + return chooseLocality(healthy_locality_scheduler_.get()); +} + +absl::optional LocalityWrr::chooseDegradedLocality() { + return chooseLocality(degraded_locality_scheduler_.get()); +} + +void LocalityWrr::rebuildLocalityScheduler( + std::unique_ptr>& locality_scheduler, + std::vector>& locality_entries, + const HostsPerLocality& eligible_hosts_per_locality, const HostVector& eligible_hosts, + HostsPerLocalityConstSharedPtr all_hosts_per_locality, + HostsPerLocalityConstSharedPtr excluded_hosts_per_locality, + LocalityWeightsConstSharedPtr locality_weights, uint32_t overprovisioning_factor, + uint64_t seed) { + // Rebuild the locality scheduler by computing the effective weight of each + // locality in this priority. The scheduler is reset by default, and is rebuilt only if we have + // locality weights (i.e. using EDS) and there is at least one eligible host in this priority. + // + // We omit building a scheduler when there are zero eligible hosts in the priority as + // all the localities will have zero effective weight. At selection time, we'll either select + // from a different scheduler or there will be no available hosts in the priority. At that point + // we'll rely on other mechanisms such as panic mode to select a host, none of which rely on the + // scheduler. + // + // TODO(htuch): if the underlying locality index -> + // envoy::config::core::v3::Locality hasn't changed in hosts_/healthy_hosts_/degraded_hosts_, we + // could just update locality_weight_ without rebuilding. Similar to how host + // level WRR works, we would age out the existing entries via picks and lazily + // apply the new weights. + locality_scheduler = nullptr; + if (all_hosts_per_locality != nullptr && locality_weights != nullptr && + !locality_weights->empty() && !eligible_hosts.empty()) { + locality_entries.clear(); + for (uint32_t i = 0; i < all_hosts_per_locality->get().size(); ++i) { + const double effective_weight = effectiveLocalityWeight( + i, eligible_hosts_per_locality, *excluded_hosts_per_locality, *all_hosts_per_locality, + *locality_weights, overprovisioning_factor); + if (effective_weight > 0) { + locality_entries.emplace_back(std::make_shared(i, effective_weight)); + } + } + // If not all effective weights were zero, create the scheduler. + if (!locality_entries.empty()) { + locality_scheduler = std::make_unique>( + EdfScheduler::createWithPicks( + locality_entries, [](const LocalityEntry& entry) { return entry.effective_weight_; }, + seed)); + } + } +} + +absl::optional +LocalityWrr::chooseLocality(EdfScheduler* locality_scheduler) { + if (locality_scheduler == nullptr) { + return {}; + } + const std::shared_ptr locality = locality_scheduler->pickAndAdd( + [](const LocalityEntry& locality) { return locality.effective_weight_; }); + // We don't build a schedule if there are no weighted localities, so we should always succeed. + ASSERT(locality != nullptr); + // If we picked it before, its weight must have been positive. + ASSERT(locality->effective_weight_ > 0); + return locality->index_; +} + +double LocalityWrr::effectiveLocalityWeight(uint32_t index, + const HostsPerLocality& eligible_hosts_per_locality, + const HostsPerLocality& excluded_hosts_per_locality, + const HostsPerLocality& all_hosts_per_locality, + const LocalityWeights& locality_weights, + uint32_t overprovisioning_factor) { + const auto& locality_eligible_hosts = eligible_hosts_per_locality.get()[index]; + const uint32_t excluded_count = excluded_hosts_per_locality.get().size() > index + ? excluded_hosts_per_locality.get()[index].size() + : 0; + const auto host_count = all_hosts_per_locality.get()[index].size() - excluded_count; + if (host_count == 0) { + return 0.0; + } + const double locality_availability_ratio = 1.0 * locality_eligible_hosts.size() / host_count; + const uint32_t weight = locality_weights[index]; + // Availability ranges from 0-1.0, and is the ratio of eligible hosts to total hosts, modified + // by the overprovisioning factor. + const double effective_locality_availability_ratio = + std::min(1.0, (overprovisioning_factor / 100.0) * locality_availability_ratio); + return weight * effective_locality_availability_ratio; +} + +} // namespace Upstream +} // namespace Envoy diff --git a/source/extensions/load_balancing_policies/common/locality_wrr.h b/source/extensions/load_balancing_policies/common/locality_wrr.h new file mode 100644 index 0000000000000..cb0e9546550ba --- /dev/null +++ b/source/extensions/load_balancing_policies/common/locality_wrr.h @@ -0,0 +1,74 @@ +#pragma once + +#include +#include +#include + +#include "envoy/upstream/upstream.h" + +#include "source/common/upstream/edf_scheduler.h" + +#include "absl/types/optional.h" + +namespace Envoy { +namespace Upstream { + +class LocalityWrr { +public: + explicit LocalityWrr(const HostSet& host_set, uint64_t seed); + + absl::optional chooseHealthyLocality(); + absl::optional chooseDegradedLocality(); + +private: + struct LocalityEntry { + LocalityEntry(uint32_t index, double effective_weight) + : index_(index), effective_weight_(effective_weight) {} + const uint32_t index_; + const double effective_weight_; + }; + + // Rebuilds the provided locality scheduler with locality entries based on the locality weights + // and eligible hosts. + // + // @param locality_scheduler the locality scheduler to rebuild. Will be set to nullptr if no + // localities are eligible. + // @param locality_entries the vector that holds locality entries. Will be reset and populated + // with entries corresponding to the new scheduler. + // @param eligible_hosts_per_locality eligible hosts for this scheduler grouped by locality. + // @param eligible_hosts all eligible hosts for this scheduler. + // @param all_hosts_per_locality all hosts for this HostSet grouped by locality. + // @param locality_weights the weighting of each locality. + // @param overprovisioning_factor the overprovisioning factor to use when computing the effective + // weight of a locality. + // @param seed a random number of initial picks to "invoke" on the locality scheduler. This + // allows to distribute the load between different localities across worker threads and a fleet + // of Envoys. + static void + rebuildLocalityScheduler(std::unique_ptr>& locality_scheduler, + std::vector>& locality_entries, + const HostsPerLocality& eligible_hosts_per_locality, + const HostVector& eligible_hosts, + HostsPerLocalityConstSharedPtr all_hosts_per_locality, + HostsPerLocalityConstSharedPtr excluded_hosts_per_locality, + LocalityWeightsConstSharedPtr locality_weights, + uint32_t overprovisioning_factor, uint64_t seed); + // Weight for a locality taking into account health status using the provided eligible hosts per + // locality. + static double effectiveLocalityWeight(uint32_t index, + const HostsPerLocality& eligible_hosts_per_locality, + const HostsPerLocality& excluded_hosts_per_locality, + const HostsPerLocality& all_hosts_per_locality, + const LocalityWeights& locality_weights, + uint32_t overprovisioning_factor); + + static absl::optional chooseLocality(EdfScheduler* locality_scheduler); + + std::vector> healthy_locality_entries_; + std::unique_ptr> healthy_locality_scheduler_; + std::vector> degraded_locality_entries_; + std::unique_ptr> degraded_locality_scheduler_; +}; + +} // namespace Upstream +} // namespace Envoy diff --git a/source/extensions/load_balancing_policies/subset/subset_lb.cc b/source/extensions/load_balancing_policies/subset/subset_lb.cc index 4e82879d3311f..d56bffd4cae44 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb.cc +++ b/source/extensions/load_balancing_policies/subset/subset_lb.cc @@ -423,24 +423,23 @@ SubsetLoadBalancer::LbSubsetEntryPtr SubsetLoadBalancer::findSubset( } void SubsetLoadBalancer::updateFallbackSubset(uint32_t priority, const HostVector& all_hosts) { - auto update_func = [priority, &all_hosts](LbSubsetPtr& subset, const HostPredicate& predicate, - uint64_t seed) { + auto update_func = [priority, &all_hosts](LbSubsetPtr& subset, const HostPredicate& predicate) { for (const auto& host : all_hosts) { if (predicate(*host)) { subset->pushHost(priority, host); } } - subset->finalize(priority, seed); + subset->finalize(priority); }; if (subset_any_ != nullptr) { - update_func(subset_any_->lb_subset_, [](const Host&) { return true; }, random_.random()); + update_func(subset_any_->lb_subset_, [](const Host&) { return true; }); } if (subset_default_ != nullptr) { HostPredicate predicate = std::bind(&SubsetLoadBalancer::hostMatches, this, default_subset_metadata_, std::placeholders::_1); - update_func(subset_default_->lb_subset_, predicate, random_.random()); + update_func(subset_default_->lb_subset_, predicate); } if (fallback_subset_ == nullptr) { @@ -515,9 +514,9 @@ void SubsetLoadBalancer::processSubsets(uint32_t priority, const HostVector& all single_duplicate_stat_->set(collision_count_of_single_host_entries); // Finalize updates after all the hosts are evaluated. - forEachSubset(subsets_, [priority, this](LbSubsetEntryPtr entry) { + forEachSubset(subsets_, [priority](LbSubsetEntryPtr entry) { if (entry->initialized()) { - entry->lb_subset_->finalize(priority, random_.random()); + entry->lb_subset_->finalize(priority); } }); } @@ -732,7 +731,7 @@ SubsetLoadBalancer::PrioritySubsetImpl::PrioritySubsetImpl(const SubsetLoadBalan // hosts that belong in this subset. void SubsetLoadBalancer::HostSubsetImpl::update(const HostHashSet& matching_hosts, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed) { + const HostVector& hosts_removed) { auto cached_predicate = [&matching_hosts](const auto& host) { return matching_hosts.count(&host) == 1; }; @@ -793,7 +792,7 @@ void SubsetLoadBalancer::HostSubsetImpl::update(const HostHashSet& matching_host HostSetImpl::updateHostsParams( hosts, hosts_per_locality, healthy_hosts, healthy_hosts_per_locality, degraded_hosts, degraded_hosts_per_locality, excluded_hosts, excluded_hosts_per_locality), - determineLocalityWeights(*hosts_per_locality), hosts_added, hosts_removed, seed, + determineLocalityWeights(*hosts_per_locality), hosts_added, hosts_removed, original_host_set_.weightedPriorityHealth(), original_host_set_.overprovisioningFactor()); } @@ -850,10 +849,9 @@ HostSetImplPtr SubsetLoadBalancer::PrioritySubsetImpl::createHostSet( void SubsetLoadBalancer::PrioritySubsetImpl::update(uint32_t priority, const HostHashSet& matching_hosts, const HostVector& hosts_added, - const HostVector& hosts_removed, - uint64_t seed) { + const HostVector& hosts_removed) { const auto& host_subset = getOrCreateHostSet(priority); - updateSubset(priority, matching_hosts, hosts_added, hosts_removed, seed); + updateSubset(priority, matching_hosts, hosts_added, hosts_removed); if (host_subset.hosts().empty() != empty_) { empty_ = true; @@ -870,7 +868,7 @@ void SubsetLoadBalancer::PrioritySubsetImpl::update(uint32_t priority, } } -void SubsetLoadBalancer::PriorityLbSubset::finalize(uint32_t priority, uint64_t seed) { +void SubsetLoadBalancer::PriorityLbSubset::finalize(uint32_t priority) { while (host_sets_.size() <= priority) { host_sets_.push_back({HostHashSet(), HostHashSet()}); } @@ -891,7 +889,7 @@ void SubsetLoadBalancer::PriorityLbSubset::finalize(uint32_t priority, uint64_t } } - subset_.update(priority, new_hosts, added, removed, seed); + subset_.update(priority, new_hosts, added, removed); old_hosts.swap(new_hosts); new_hosts.clear(); diff --git a/source/extensions/load_balancing_policies/subset/subset_lb.h b/source/extensions/load_balancing_policies/subset/subset_lb.h index f7795d0c93a3e..9e79f84f1b4df 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb.h +++ b/source/extensions/load_balancing_policies/subset/subset_lb.h @@ -86,7 +86,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable(host_sets_[priority].get()) - ->update(matching_hosts, hosts_added, hosts_removed, seed); + ->update(matching_hosts, hosts_added, hosts_removed); THROW_IF_NOT_OK(runUpdateCallbacks(hosts_added, hosts_removed)); } @@ -226,7 +225,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable; @@ -249,7 +248,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggablepriority_set_.updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, hosts, {}, - 123, true, 100); + true, 100); auto* tls_cluster = cluster_manager_->getThreadLocalCluster(cluster1->info_->name()); @@ -2036,7 +2036,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdates) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_merge_cancelled").value()); @@ -2047,12 +2047,12 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdates) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); cluster.prioritySet().updateHosts( 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_merge_cancelled").value()); @@ -2070,7 +2070,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdates) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(2, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_merge_cancelled").value()); @@ -2083,21 +2083,21 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdates) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); (*hosts)[0]->healthFlagSet(Host::HealthFlag::FAILED_EDS_HEALTH); cluster.prioritySet().updateHosts( 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); (*hosts)[0]->weight(100); cluster.prioritySet().updateHosts( 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); // Updates not delivered yet. EXPECT_EQ(2, factory_.stats_.counter("cluster_manager.cluster_updated").value()); @@ -2110,7 +2110,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdates) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(3, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); @@ -2153,7 +2153,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdatesOutOfWindow) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.update_out_of_merge_window").value()); @@ -2188,7 +2188,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdatesInsideWindow) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_out_of_merge_window").value()); @@ -2230,7 +2230,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdatesOutOfWindowDisabled) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_out_of_merge_window").value()); @@ -2307,7 +2307,7 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdatesDestroyedOnUpdate) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_merge_cancelled").value()); @@ -2318,12 +2318,12 @@ TEST_P(ClusterManagerLifecycleTest, MergedUpdatesDestroyedOnUpdate) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); cluster.prioritySet().updateHosts( 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_merge_cancelled").value()); @@ -2429,7 +2429,7 @@ TEST_P(ClusterManagerLifecycleTest, CrossPriorityHostMapSyncTest) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); @@ -2446,7 +2446,7 @@ TEST_P(ClusterManagerLifecycleTest, CrossPriorityHostMapSyncTest) { 0, updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 123, absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); EXPECT_EQ(2, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.update_merge_cancelled").value()); @@ -2481,7 +2481,7 @@ TEST_P(ClusterManagerLifecycleTest, DrainConnectionsPredicate) { // Sending non-mergeable updates. cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, hosts, {}, - 123, absl::nullopt, 100); + absl::nullopt, 100); // Using RR LB get a pool for each host. EXPECT_CALL(factory_, allocateConnPool_(_, _, _, _, _, _, _)) @@ -2559,7 +2559,7 @@ TEST_P(ClusterManagerLifecycleTest, ConnPoolsDrainedOnHostSetChange) { // Sending non-mergeable updates. cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, hosts, {}, - 123, absl::nullopt, 100); + absl::nullopt, 100); EXPECT_EQ(1, factory_.stats_.counter("cluster_manager.cluster_updated").value()); EXPECT_EQ(0, factory_.stats_.counter("cluster_manager.cluster_updated_via_merge").value()); @@ -2624,7 +2624,7 @@ TEST_P(ClusterManagerLifecycleTest, ConnPoolsDrainedOnHostSetChange) { // This update should drain all connection pools (host1, host2). cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, {}, - hosts_removed, 123, absl::nullopt, 100); + hosts_removed, absl::nullopt, 100); // Recreate connection pool for host1. cp1 = HttpPoolDataPeer::getPool( @@ -2655,7 +2655,7 @@ TEST_P(ClusterManagerLifecycleTest, ConnPoolsDrainedOnHostSetChange) { // Adding host3 should drain connection pool for host1. cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, - hosts_added, {}, 123, absl::nullopt, 100); + hosts_added, {}, absl::nullopt, 100); } TEST_P(ClusterManagerLifecycleTest, ConnPoolsNotDrainedOnHostSetChange) { @@ -2690,7 +2690,7 @@ TEST_P(ClusterManagerLifecycleTest, ConnPoolsNotDrainedOnHostSetChange) { // Sending non-mergeable updates. cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, hosts, {}, - 123, absl::nullopt, 100); + absl::nullopt, 100); EXPECT_CALL(factory_, allocateConnPool_(_, _, _, _, _, _, _)) .Times(1) @@ -2726,7 +2726,7 @@ TEST_P(ClusterManagerLifecycleTest, ConnPoolsNotDrainedOnHostSetChange) { // No connection pools should be drained. cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, - hosts_added, {}, 123, absl::nullopt, 100); + hosts_added, {}, absl::nullopt, 100); } TEST_P(ClusterManagerLifecycleTest, ConnPoolsIdleDeleted) { @@ -2763,7 +2763,7 @@ TEST_P(ClusterManagerLifecycleTest, ConnPoolsIdleDeleted) { // Sending non-mergeable updates. cluster.prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, hosts, {}, - 123, absl::nullopt, 100); + absl::nullopt, 100); { auto* cp1 = new NiceMock(); diff --git a/test/common/upstream/cluster_manager_misc_test.cc b/test/common/upstream/cluster_manager_misc_test.cc index 9d3f253b887a0..84b3f20a3c0da 100644 --- a/test/common/upstream/cluster_manager_misc_test.cc +++ b/test/common/upstream/cluster_manager_misc_test.cc @@ -1039,7 +1039,7 @@ class PreconnectTest : public ClusterManagerImplTest { // Sending non-mergeable updates. cluster_->prioritySet().updateHosts( 0, HostSetImpl::partitionHosts(hosts_ptr, HostsPerLocalityImpl::empty()), nullptr, hosts, - {}, 123, absl::nullopt, 100); + {}, absl::nullopt, 100); } Cluster* cluster_{}; diff --git a/test/common/upstream/load_balancer_simulation_test.cc b/test/common/upstream/load_balancer_simulation_test.cc index 1c957fe415406..43d2104bd0090 100644 --- a/test/common/upstream/load_balancer_simulation_test.cc +++ b/test/common/upstream/load_balancer_simulation_test.cc @@ -101,7 +101,7 @@ void leastRequestLBWeightTest(LRLBTestParams params) { updateHostsParams(updated_hosts, updated_locality_hosts, std::make_shared(*updated_hosts), updated_locality_hosts), - {}, hosts, {}, random.random(), absl::nullopt); + {}, hosts, {}, absl::nullopt); Stats::IsolatedStoreImpl stats_store; ClusterLbStatNames stat_names(stats_store.symbolTable()); @@ -264,7 +264,7 @@ class DISABLED_SimulationTest : public testing::Test { // NOLINT(readability-ide updateHostsParams(originating_hosts, per_zone_local_shared, std::make_shared(*originating_hosts), per_zone_local_shared), - {}, empty_vector_, empty_vector_, random_.random(), absl::nullopt); + {}, empty_vector_, empty_vector_, absl::nullopt); HostConstSharedPtr selected = lb.chooseHost(nullptr).host; hits[selected->address()->asString()]++; diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 9fc1cef3f9656..862052e490ff4 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -121,20 +121,6 @@ std::list hostListToAddresses(const HostVector& hosts) { return addresses; } -template -std::shared_ptr -makeHostsFromHostsPerLocality(HostsPerLocalityConstSharedPtr hosts_per_locality) { - HostVector hosts; - - for (const auto& locality_hosts : hosts_per_locality->get()) { - for (const auto& host : locality_hosts) { - hosts.emplace_back(host); - } - } - - return std::make_shared(hosts); -} - struct ResolverData { ResolverData(Network::MockDnsResolver& dns_resolver, Event::MockDispatcher& dispatcher) { timer_ = new Event::MockTimer(&dispatcher); @@ -4074,7 +4060,7 @@ class TestBatchUpdateCb : public PrioritySet::BatchUpdateCb { updateHostsParams(hosts_, hosts_per_locality_, std::make_shared(*hosts_), hosts_per_locality_), - {}, hosts_added, hosts_removed, random_.random(), absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); } // Remove the host from P1. @@ -4087,7 +4073,7 @@ class TestBatchUpdateCb : public PrioritySet::BatchUpdateCb { updateHostsParams(empty_hosts, HostsPerLocalityImpl::empty(), std::make_shared(*empty_hosts), HostsPerLocalityImpl::empty()), - {}, hosts_added, hosts_removed, random_.random(), absl::nullopt, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt); } } @@ -4143,12 +4129,11 @@ TEST(PrioritySet, Extend) { HostVector hosts_added{hosts->front()}; HostVector hosts_removed{}; - priority_set.updateHosts(1, - updateHostsParams(hosts, hosts_per_locality, - std::make_shared(*hosts), - hosts_per_locality), - {}, hosts_added, hosts_removed, 0, absl::nullopt, absl::nullopt, - fake_cross_priority_host_map); + priority_set.updateHosts( + 1, + updateHostsParams(hosts, hosts_per_locality, + std::make_shared(*hosts), hosts_per_locality), + {}, hosts_added, hosts_removed, absl::nullopt, absl::nullopt, fake_cross_priority_host_map); } EXPECT_EQ(1, priority_changes); EXPECT_EQ(1, membership_changes); @@ -4213,7 +4198,7 @@ TEST(PrioritySet, MainPrioritySetTest) { updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 0, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt); } // Only mutable host map can be updated directly. Read only host map will not be updated before @@ -4234,7 +4219,7 @@ TEST(PrioritySet, MainPrioritySetTest) { updateHostsParams(hosts, hosts_per_locality, std::make_shared(*hosts), hosts_per_locality), - {}, hosts_added, hosts_removed, 0, absl::nullopt); + {}, hosts_added, hosts_removed, absl::nullopt); } // New mutable host map will be created and all update will be applied to new mutable host map. @@ -6007,343 +5992,6 @@ TEST_F(HostsWithLocalityImpl, Filter) { } } -class HostSetImplLocalityTest : public Event::TestUsingSimulatedTime, public testing::Test { -public: - LocalityWeightsConstSharedPtr locality_weights_; - HostSetImpl host_set_{0, false, kDefaultOverProvisioningFactor}; - std::shared_ptr info_{new NiceMock()}; -}; - -// When no locality weights belong to the host set, there's an empty pick. -TEST_F(HostSetImplLocalityTest, Empty) { - EXPECT_EQ(nullptr, host_set_.localityWeights()); - EXPECT_FALSE(host_set_.chooseHealthyLocality().has_value()); -} - -// When no hosts are healthy we should fail to select a locality -TEST_F(HostSetImplLocalityTest, AllUnhealthy) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - envoy::config::core::v3::Locality zone_c; - zone_c.set_zone("C"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; - - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1, 1}}; - auto hosts_const_shared = std::make_shared(hosts); - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality), locality_weights, - {}, {}, 0, absl::nullopt); - EXPECT_FALSE(host_set_.chooseHealthyLocality().has_value()); -} - -// When a locality has endpoints that have not yet been warmed, weight calculation should ignore -// these hosts. -TEST_F(HostSetImplLocalityTest, NotWarmedHostsLocality) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:83", zone_b), - makeTestHost(info_, "tcp://127.0.0.1:84", zone_b)}; - - // We have two localities with 3 hosts in A, 2 hosts in B. Two of the hosts in A are not - // warmed yet, so even though they are unhealthy we should not adjust the locality weight. - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0], hosts[1], hosts[2]}, {hosts[3], hosts[4]}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1}}; - auto hosts_const_shared = std::make_shared(hosts); - HostsPerLocalitySharedPtr healthy_hosts_per_locality = - makeHostsPerLocality({{hosts[0]}, {hosts[3], hosts[4]}}); - HostsPerLocalitySharedPtr excluded_hosts_per_locality = - makeHostsPerLocality({{hosts[1], hosts[2]}, {}}); - - host_set_.updateHosts( - HostSetImpl::updateHostsParams( - hosts_const_shared, hosts_per_locality, - makeHostsFromHostsPerLocality(healthy_hosts_per_locality), - healthy_hosts_per_locality, std::make_shared(), - HostsPerLocalityImpl::empty(), - makeHostsFromHostsPerLocality(excluded_hosts_per_locality), - excluded_hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - // We should RR between localities with equal weight. - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); -} - -// When a locality has zero hosts, it should be treated as if it has zero healthy. -TEST_F(HostSetImplLocalityTest, EmptyLocality) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_a)}; - - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0], hosts[1], hosts[2]}, {}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1}}; - auto hosts_const_shared = std::make_shared(hosts); - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, - std::make_shared(hosts), - hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - // Verify that we are not RRing between localities. - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); -} - -// When all locality weights are zero we should fail to select a locality. -TEST_F(HostSetImplLocalityTest, AllZeroWeights) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_b)}; - - HostsPerLocalitySharedPtr hosts_per_locality = makeHostsPerLocality({{hosts[0]}, {hosts[1]}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{0, 0}}; - auto hosts_const_shared = std::make_shared(hosts); - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, - std::make_shared(hosts), - hosts_per_locality), - locality_weights, {}, {}, 0); - EXPECT_FALSE(host_set_.chooseHealthyLocality().has_value()); -} - -// When all locality weights are the same we have unweighted RR behavior. -TEST_F(HostSetImplLocalityTest, Unweighted) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - envoy::config::core::v3::Locality zone_c; - zone_c.set_zone("C"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; - - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1, 1}}; - auto hosts_const_shared = std::make_shared(hosts); - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, - std::make_shared(hosts), - hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(2, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(2, host_set_.chooseHealthyLocality().value()); -} - -// When locality weights differ, we have weighted RR behavior. -TEST_F(HostSetImplLocalityTest, Weighted) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_b)}; - - HostsPerLocalitySharedPtr hosts_per_locality = makeHostsPerLocality({{hosts[0]}, {hosts[1]}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 2}}; - auto hosts_const_shared = std::make_shared(hosts); - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, - std::make_shared(hosts), - hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(1, host_set_.chooseHealthyLocality().value()); -} - -// Localities with no weight assignment are never picked. -TEST_F(HostSetImplLocalityTest, MissingWeight) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - envoy::config::core::v3::Locality zone_c; - zone_c.set_zone("C"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; - - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 0, 1}}; - auto hosts_const_shared = std::make_shared(hosts); - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, - std::make_shared(hosts), - hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(2, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(2, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(0, host_set_.chooseHealthyLocality().value()); - EXPECT_EQ(2, host_set_.chooseHealthyLocality().value()); -} - -// Validates that with weighted initialization all localities are chosen -// proportionally to their weight. -TEST_F(HostSetImplLocalityTest, WeightedAllChosen) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - envoy::config::core::v3::Locality zone_c; - zone_b.set_zone("C"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; - - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); - // Set weights of 10%, 60% and 30% to the three zones. - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 6, 3}}; - - // Keep track of how many times each locality is picked, initialized to 0. - uint32_t locality_picked_count[] = {0, 0, 0}; - - // Create the load-balancer 10 times, each with a different seed number (from - // 0 to 10), do a single pick, and validate that the number of picks equals - // to the weights assigned to the localities. - auto hosts_const_shared = std::make_shared(hosts); - for (uint32_t i = 0; i < 10; ++i) { - host_set_.updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, - std::make_shared(hosts), - hosts_per_locality), - locality_weights, {}, {}, i, absl::nullopt); - locality_picked_count[host_set_.chooseHealthyLocality().value()]++; - } - EXPECT_EQ(locality_picked_count[0], 1); - EXPECT_EQ(locality_picked_count[1], 6); - EXPECT_EQ(locality_picked_count[2], 3); -} - -// Gentle failover between localities as health diminishes. -TEST_F(HostSetImplLocalityTest, UnhealthyFailover) { - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:81", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:82", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:83", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:84", zone_a), - makeTestHost(info_, "tcp://127.0.0.1:85", zone_b)}; - - const auto setHealthyHostCount = [this, hosts](uint32_t host_count) { - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 2}}; - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0], hosts[1], hosts[2], hosts[3], hosts[4]}, {hosts[5]}}); - HostVector healthy_hosts; - for (uint32_t i = 0; i < host_count; ++i) { - healthy_hosts.emplace_back(hosts[i]); - } - HostsPerLocalitySharedPtr healthy_hosts_per_locality = - makeHostsPerLocality({healthy_hosts, {hosts[5]}}); - - auto hosts = makeHostsFromHostsPerLocality(hosts_per_locality); - host_set_.updateHosts(updateHostsParams(hosts, hosts_per_locality, - makeHostsFromHostsPerLocality( - healthy_hosts_per_locality), - healthy_hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - }; - - const auto expectPicks = [this](uint32_t locality_0_picks, uint32_t locality_1_picks) { - uint32_t count[2] = {0, 0}; - for (uint32_t i = 0; i < 100; ++i) { - const uint32_t locality_index = host_set_.chooseHealthyLocality().value(); - ASSERT_LT(locality_index, 2); - ++count[locality_index]; - } - ENVOY_LOG_MISC(debug, "Locality picks {} {}", count[0], count[1]); - EXPECT_EQ(locality_0_picks, count[0]); - EXPECT_EQ(locality_1_picks, count[1]); - }; - - setHealthyHostCount(5); - expectPicks(33, 67); - setHealthyHostCount(4); - expectPicks(33, 67); - setHealthyHostCount(3); - expectPicks(29, 71); - setHealthyHostCount(2); - expectPicks(22, 78); - setHealthyHostCount(1); - expectPicks(12, 88); - setHealthyHostCount(0); - expectPicks(0, 100); -} - -TEST(OverProvisioningFactorTest, LocalityPickChanges) { - auto setUpHostSetWithOPFAndTestPicks = [](const uint32_t overprovisioning_factor, - const uint32_t pick_0, const uint32_t pick_1) { - HostSetImpl host_set(0, false, overprovisioning_factor); - std::shared_ptr cluster_info{new NiceMock()}; - auto time_source = std::make_unique>(); - envoy::config::core::v3::Locality zone_a; - zone_a.set_zone("A"); - envoy::config::core::v3::Locality zone_b; - zone_b.set_zone("B"); - HostVector hosts{makeTestHost(cluster_info, "tcp://127.0.0.1:80", zone_a), - makeTestHost(cluster_info, "tcp://127.0.0.1:81", zone_a), - makeTestHost(cluster_info, "tcp://127.0.0.1:82", zone_b)}; - LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1}}; - HostsPerLocalitySharedPtr hosts_per_locality = - makeHostsPerLocality({{hosts[0], hosts[1]}, {hosts[2]}}); - // Healthy ratio: (1/2, 1). - HostsPerLocalitySharedPtr healthy_hosts_per_locality = - makeHostsPerLocality({{hosts[0]}, {hosts[2]}}); - auto healthy_hosts = - makeHostsFromHostsPerLocality(healthy_hosts_per_locality); - host_set.updateHosts(updateHostsParams(std::make_shared(hosts), - hosts_per_locality, healthy_hosts, - healthy_hosts_per_locality), - locality_weights, {}, {}, 0, absl::nullopt); - uint32_t cnts[] = {0, 0}; - for (uint32_t i = 0; i < 100; ++i) { - absl::optional locality_index = host_set.chooseHealthyLocality(); - if (!locality_index.has_value()) { - // It's possible locality scheduler is nullptr (when factor is 0). - continue; - } - ASSERT_LT(locality_index.value(), 2); - ++cnts[locality_index.value()]; - } - EXPECT_EQ(pick_0, cnts[0]); - EXPECT_EQ(pick_1, cnts[1]); - }; - - // NOTE: effective locality weight: weight * min(1, factor * healthy-ratio). - - // Picks in localities match to weight(1) * healthy-ratio when - // overprovisioning factor is 1. - setUpHostSetWithOPFAndTestPicks(100, 33, 67); - // Picks in localities match to weights as factor * healthy-ratio > 1. - setUpHostSetWithOPFAndTestPicks(200, 50, 50); -}; - // Verifies that partitionHosts correctly splits hosts based on their health flags. TEST(HostPartitionTest, PartitionHosts) { std::shared_ptr info{new NiceMock()}; @@ -6520,11 +6168,9 @@ TEST_F(PriorityStateManagerTest, LocalityClusterUpdate) { cluster->initialize([] { return absl::OkStatus(); }); EXPECT_EQ(1UL, cluster->prioritySet().hostSetsPerPriority()[0]->hosts().size()); - NiceMock random; // Make priority state manager and fill it with the initial state of the cluster and the added // hosts - PriorityStateManager priority_state_manager(*cluster, server_context_.local_info_, nullptr, - random); + PriorityStateManager priority_state_manager(*cluster, server_context_.local_info_, nullptr); auto current_hosts = cluster->prioritySet().hostSetsPerPriority()[0]->hosts(); HostVector hosts_added{makeTestHost(cluster->info(), "tcp://127.0.0.1:81", zone_b), diff --git a/test/common/upstream/utility.h b/test/common/upstream/utility.h index 2be50f3309ce0..a374f9734907e 100644 --- a/test/common/upstream/utility.h +++ b/test/common/upstream/utility.h @@ -193,6 +193,20 @@ inline HostsPerLocalitySharedPtr makeHostsPerLocality(std::vector&& std::move(locality_hosts), !force_no_local_locality && !locality_hosts.empty()); } +template +std::shared_ptr +makeHostsFromHostsPerLocality(HostsPerLocalityConstSharedPtr hosts_per_locality) { + HostVector hosts; + + for (const auto& locality_hosts : hosts_per_locality->get()) { + for (const auto& host : locality_hosts) { + hosts.emplace_back(host); + } + } + + return std::make_shared(hosts); +} + inline LocalityWeightsSharedPtr makeLocalityWeights(std::initializer_list locality_weights) { return std::make_shared(locality_weights); diff --git a/test/extensions/clusters/aggregate/cluster_test.cc b/test/extensions/clusters/aggregate/cluster_test.cc index 0ccccccbbaed7..0c1287ca5095c 100644 --- a/test/extensions/clusters/aggregate/cluster_test.cc +++ b/test/extensions/clusters/aggregate/cluster_test.cc @@ -73,7 +73,7 @@ class AggregateClusterTest : public Event::TestUsingSimulatedTime, public testin priority, Upstream::HostSetImpl::partitionHosts(std::make_shared(hosts), Upstream::HostsPerLocalityImpl::empty()), - nullptr, hosts, {}, 123, absl::nullopt, 100); + nullptr, hosts, {}, absl::nullopt, 100); } void setupSecondary(int priority, int healthy_hosts, int degraded_hosts, int unhealthy_hosts) { @@ -83,7 +83,7 @@ class AggregateClusterTest : public Event::TestUsingSimulatedTime, public testin priority, Upstream::HostSetImpl::partitionHosts(std::make_shared(hosts), Upstream::HostsPerLocalityImpl::empty()), - nullptr, hosts, {}, 123, absl::nullopt, 100); + nullptr, hosts, {}, absl::nullopt, 100); } void setupPrioritySet() { diff --git a/test/extensions/clusters/aggregate/cluster_update_test.cc b/test/extensions/clusters/aggregate/cluster_update_test.cc index ba73c4becd92a..85c44f33f8d91 100644 --- a/test/extensions/clusters/aggregate/cluster_update_test.cc +++ b/test/extensions/clusters/aggregate/cluster_update_test.cc @@ -155,7 +155,7 @@ TEST_P(AggregateClusterUpdateTest, LoadBalancingTest) { Upstream::HostSetImpl::partitionHosts( std::make_shared(Upstream::HostVector{host1, host2, host3}), Upstream::HostsPerLocalityImpl::empty()), - nullptr, {host1, host2, host3}, {}, 0, absl::nullopt, 100); + nullptr, {host1, host2, host3}, {}, absl::nullopt, 100); // Set up the HostSet with 1 healthy, 1 degraded and 1 unhealthy. Upstream::HostSharedPtr host4 = Upstream::makeTestHost(secondary->info(), "tcp://127.0.0.4:80"); @@ -169,7 +169,7 @@ TEST_P(AggregateClusterUpdateTest, LoadBalancingTest) { Upstream::HostSetImpl::partitionHosts( std::make_shared(Upstream::HostVector{host4, host5, host6}), Upstream::HostsPerLocalityImpl::empty()), - nullptr, {host4, host5, host6}, {}, 0, absl::nullopt, 100); + nullptr, {host4, host5, host6}, {}, absl::nullopt, 100); Upstream::HostConstSharedPtr host; for (int i = 0; i < 33; ++i) { @@ -206,7 +206,7 @@ TEST_P(AggregateClusterUpdateTest, LoadBalancingTest) { Upstream::HostSetImpl::partitionHosts( std::make_shared(Upstream::HostVector{host7, host8, host9}), Upstream::HostsPerLocalityImpl::empty()), - nullptr, {host7, host8, host9}, {}, 0, absl::nullopt, 100); + nullptr, {host7, host8, host9}, {}, absl::nullopt, 100); // Priority set // Priority 0: 1/3 healthy, 1/3 degraded @@ -294,7 +294,7 @@ TEST_P(AggregateClusterUpdateTest, InitializeAggregateClusterAfterOtherClusters) Upstream::HostSetImpl::partitionHosts( std::make_shared(Upstream::HostVector{host1, host2, host3}), Upstream::HostsPerLocalityImpl::empty()), - nullptr, {host1, host2, host3}, {}, 0, absl::nullopt, 100); + nullptr, {host1, host2, host3}, {}, absl::nullopt, 100); for (int i = 0; i < 50; ++i) { EXPECT_CALL(factory_.random_, random()).WillRepeatedly(Return(i)); diff --git a/test/extensions/load_balancing_policies/common/BUILD b/test/extensions/load_balancing_policies/common/BUILD index 93d5c4b6b0849..71249aca2029e 100644 --- a/test/extensions/load_balancing_policies/common/BUILD +++ b/test/extensions/load_balancing_policies/common/BUILD @@ -27,6 +27,20 @@ envoy_cc_test_library( ], ) +envoy_cc_test( + name = "locality_wrr_test", + srcs = ["locality_wrr_test.cc"], + deps = [ + "//envoy/upstream:upstream_interface", + "//source/common/upstream:upstream_includes", + "//source/extensions/load_balancing_policies/common:locality_wrr_lib", + "//test/common/upstream:utility_lib", + "//test/mocks/upstream:cluster_info_mocks", + "//test/test_common:simulated_time_system_lib", + "//test/test_common:test_runtime_lib", + ], +) + envoy_cc_test( name = "bounded_load_hlb_test", srcs = ["bounded_load_hlb_test.cc"], diff --git a/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc b/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc index 740c52bd99437..8278cff6d4a5f 100644 --- a/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc +++ b/test/extensions/load_balancing_policies/common/benchmark_base_tester.cc @@ -30,10 +30,10 @@ BaseTester::BaseTester(uint64_t num_hosts, uint32_t weighted_subset_percent, uin Upstream::makeHostsPerLocality({hosts}); priority_set_.updateHosts( 0, Upstream::HostSetImpl::partitionHosts(updated_hosts, hosts_per_locality), {}, hosts, {}, - random_.random(), absl::nullopt); + absl::nullopt); local_priority_set_.updateHosts( 0, Upstream::HostSetImpl::partitionHosts(updated_hosts, hosts_per_locality), {}, hosts, {}, - random_.random(), absl::nullopt); + absl::nullopt); } } // namespace Upstream diff --git a/test/extensions/load_balancing_policies/common/locality_wrr_test.cc b/test/extensions/load_balancing_policies/common/locality_wrr_test.cc new file mode 100644 index 0000000000000..ecb70b2fc5d48 --- /dev/null +++ b/test/extensions/load_balancing_policies/common/locality_wrr_test.cc @@ -0,0 +1,368 @@ +#include "envoy/upstream/upstream.h" + +#include "source/common/upstream/upstream_impl.h" +#include "source/extensions/load_balancing_policies/common/locality_wrr.h" + +#include "test/common/upstream/utility.h" +#include "test/mocks/common.h" +#include "test/mocks/upstream/cluster_info.h" +#include "test/test_common/simulated_time_system.h" +#include "test/test_common/test_runtime.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Upstream { +namespace { + +class LocalityWrrTest : public Event::TestUsingSimulatedTime, public ::testing::Test { +public: + LocalityWrrTest() { + host_set_ = std::make_unique(0, false, kDefaultOverProvisioningFactor); + } + + absl::optional chooseDegradedLocality() { + return locality_wrr_->chooseDegradedLocality(); + } + + absl::optional chooseHealthyLocality() { + return locality_wrr_->chooseHealthyLocality(); + } + + std::unique_ptr host_set_; + std::unique_ptr locality_wrr_ = nullptr; + std::shared_ptr info_{new NiceMock()}; +}; + +TEST_F(LocalityWrrTest, HostSetEmpty) { + locality_wrr_ = std::make_unique(*host_set_, 0); + + EXPECT_EQ(chooseHealthyLocality(), absl::nullopt); + EXPECT_EQ(chooseDegradedLocality(), absl::nullopt); +} + +TEST_F(LocalityWrrTest, AllHostsUnhealthy) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + envoy::config::core::v3::Locality zone_c; + zone_c.set_zone("C"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), + makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; + + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1, 1}}; + auto hosts_const_shared = std::make_shared(hosts); + host_set_->updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + locality_wrr_ = std::make_unique(*host_set_, 0); + + EXPECT_FALSE(chooseHealthyLocality().has_value()); +} + +// When a locality has endpoints that have not yet been warmed, weight calculation should ignore +// these hosts. +TEST_F(LocalityWrrTest, NotWarmedHostsLocality) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:82", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:83", zone_b), + makeTestHost(info_, "tcp://127.0.0.1:84", zone_b)}; + + // We have two localities with 3 hosts in A, 2 hosts in B. Two of the hosts in A are not + // warmed yet, so even though they are unhealthy we should not adjust the locality weight. + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0], hosts[1], hosts[2]}, {hosts[3], hosts[4]}}); + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1}}; + auto hosts_const_shared = std::make_shared(hosts); + HostsPerLocalitySharedPtr healthy_hosts_per_locality = + makeHostsPerLocality({{hosts[0]}, {hosts[3], hosts[4]}}); + HostsPerLocalitySharedPtr excluded_hosts_per_locality = + makeHostsPerLocality({{hosts[1], hosts[2]}, {}}); + + host_set_->updateHosts( + HostSetImpl::updateHostsParams( + hosts_const_shared, hosts_per_locality, + makeHostsFromHostsPerLocality(healthy_hosts_per_locality), + healthy_hosts_per_locality, std::make_shared(), + HostsPerLocalityImpl::empty(), + makeHostsFromHostsPerLocality(excluded_hosts_per_locality), + excluded_hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + locality_wrr_ = std::make_unique(*host_set_, 0); + + // We should RR between localities with equal weight. + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); +} + +TEST_F(LocalityWrrTest, AllZeroWeights) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b)}; + + HostsPerLocalitySharedPtr hosts_per_locality = makeHostsPerLocality({{hosts[0]}, {hosts[1]}}); + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{0, 0}}; + auto hosts_const_shared = std::make_shared(hosts); + host_set_->updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, + std::make_shared(hosts), + hosts_per_locality), + locality_weights, {}, {}, 0); + locality_wrr_ = std::make_unique(*host_set_, 0); + + EXPECT_FALSE(chooseHealthyLocality().has_value()); +} + +TEST_F(LocalityWrrTest, UnweightedLocalities) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + envoy::config::core::v3::Locality zone_c; + zone_c.set_zone("C"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), + makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; + + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1, 1}}; + auto hosts_const_shared = std::make_shared(hosts); + host_set_->updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, + std::make_shared(hosts), + hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + + locality_wrr_ = std::make_unique(*host_set_, 0); + + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); + EXPECT_EQ(2, chooseHealthyLocality().value()); + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); + EXPECT_EQ(2, chooseHealthyLocality().value()); +} + +// When locality weights differ, we have weighted RR behavior. +TEST_F(LocalityWrrTest, WeightedLocalities) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b)}; + + HostsPerLocalitySharedPtr hosts_per_locality = makeHostsPerLocality({{hosts[0]}, {hosts[1]}}); + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 2}}; + auto hosts_const_shared = std::make_shared(hosts); + host_set_->updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, + std::make_shared(hosts), + hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + + locality_wrr_ = std::make_unique(*host_set_, 0); + + EXPECT_EQ(1, chooseHealthyLocality().value()); + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(1, chooseHealthyLocality().value()); +} +// Localities with no weight assignment are never picked. +TEST_F(LocalityWrrTest, MissingWeight) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + envoy::config::core::v3::Locality zone_c; + zone_c.set_zone("C"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), + makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; + + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 0, 1}}; + auto hosts_const_shared = std::make_shared(hosts); + host_set_->updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, + std::make_shared(hosts), + hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + locality_wrr_ = std::make_unique(*host_set_, 0); + + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(2, chooseHealthyLocality().value()); + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(2, chooseHealthyLocality().value()); + EXPECT_EQ(0, chooseHealthyLocality().value()); + EXPECT_EQ(2, chooseHealthyLocality().value()); +} + +// Validates that with weighted initialization all localities are chosen +// proportionally to their weight. +TEST_F(LocalityWrrTest, WeightedAllChosen) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + envoy::config::core::v3::Locality zone_c; + zone_b.set_zone("C"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_b), + makeTestHost(info_, "tcp://127.0.0.1:82", zone_c)}; + + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0]}, {hosts[1]}, {hosts[2]}}); + // Set weights of 10%, 60% and 30% to the three zones. + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 6, 3}}; + + // Keep track of how many times each locality is picked, initialized to 0. + uint32_t locality_picked_count[] = {0, 0, 0}; + + // Create the load-balancer 10 times, each with a different seed number (from + // 0 to 10), do a single pick, and validate that the number of picks equals + // to the weights assigned to the localities. + auto hosts_const_shared = std::make_shared(hosts); + for (uint32_t i = 0; i < 10; ++i) { + host_set_->updateHosts(updateHostsParams(hosts_const_shared, hosts_per_locality, + std::make_shared(hosts), + hosts_per_locality), + locality_weights, {}, {}, i, absl::nullopt); + locality_wrr_ = std::make_unique(*host_set_, i); + + locality_picked_count[chooseHealthyLocality().value()]++; + } + EXPECT_EQ(locality_picked_count[0], 1); + EXPECT_EQ(locality_picked_count[1], 6); + EXPECT_EQ(locality_picked_count[2], 3); +} + +// Gentle failover between localities as health diminishes. +TEST_F(LocalityWrrTest, UnhealthyFailover) { + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + HostVector hosts{makeTestHost(info_, "tcp://127.0.0.1:80", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:81", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:82", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:83", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:84", zone_a), + makeTestHost(info_, "tcp://127.0.0.1:85", zone_b)}; + + locality_wrr_ = std::make_unique(*host_set_, 0); + + const auto setHealthyHostCount = [this, hosts](uint32_t host_count) { + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 2}}; + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0], hosts[1], hosts[2], hosts[3], hosts[4]}, {hosts[5]}}); + HostVector healthy_hosts; + for (uint32_t i = 0; i < host_count; ++i) { + healthy_hosts.emplace_back(hosts[i]); + } + HostsPerLocalitySharedPtr healthy_hosts_per_locality = + makeHostsPerLocality({healthy_hosts, {hosts[5]}}); + + auto hosts = makeHostsFromHostsPerLocality(hosts_per_locality); + host_set_->updateHosts(updateHostsParams(hosts, hosts_per_locality, + makeHostsFromHostsPerLocality( + healthy_hosts_per_locality), + healthy_hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + locality_wrr_ = std::make_unique(*host_set_, 0); + }; + + const auto expectPicks = [this](uint32_t locality_0_picks, uint32_t locality_1_picks) { + uint32_t count[2] = {0, 0}; + for (uint32_t i = 0; i < 100; ++i) { + const uint32_t locality_index = chooseHealthyLocality().value(); + ASSERT_LT(locality_index, 2); + ++count[locality_index]; + } + ENVOY_LOG_MISC(debug, "Locality picks {} {}", count[0], count[1]); + EXPECT_EQ(locality_0_picks, count[0]); + EXPECT_EQ(locality_1_picks, count[1]); + }; + + setHealthyHostCount(5); + expectPicks(33, 67); + setHealthyHostCount(4); + expectPicks(33, 67); + setHealthyHostCount(3); + expectPicks(29, 71); + setHealthyHostCount(2); + expectPicks(22, 78); + setHealthyHostCount(1); + expectPicks(12, 88); + setHealthyHostCount(0); + expectPicks(0, 100); +} + +TEST(OverProvisioningFactorTest, LocalityPickChanges) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.restart_features.move_locality_schedulers_to_lb", "false"}}); + auto setUpHostSetWithOPFAndTestPicks = [](const uint32_t overprovisioning_factor, + const uint32_t pick_0, const uint32_t pick_1) { + HostSetImpl host_set(0, false, overprovisioning_factor); + std::shared_ptr cluster_info{new NiceMock()}; + auto time_source = std::make_unique>(); + envoy::config::core::v3::Locality zone_a; + zone_a.set_zone("A"); + envoy::config::core::v3::Locality zone_b; + zone_b.set_zone("B"); + HostVector hosts{makeTestHost(cluster_info, "tcp://127.0.0.1:80", zone_a), + makeTestHost(cluster_info, "tcp://127.0.0.1:81", zone_a), + makeTestHost(cluster_info, "tcp://127.0.0.1:82", zone_b)}; + LocalityWeightsConstSharedPtr locality_weights{new LocalityWeights{1, 1}}; + HostsPerLocalitySharedPtr hosts_per_locality = + makeHostsPerLocality({{hosts[0], hosts[1]}, {hosts[2]}}); + // Healthy ratio: (1/2, 1). + HostsPerLocalitySharedPtr healthy_hosts_per_locality = + makeHostsPerLocality({{hosts[0]}, {hosts[2]}}); + auto healthy_hosts = + makeHostsFromHostsPerLocality(healthy_hosts_per_locality); + host_set.updateHosts(updateHostsParams(std::make_shared(hosts), + hosts_per_locality, healthy_hosts, + healthy_hosts_per_locality), + locality_weights, {}, {}, absl::nullopt); + LocalityWrr locality_wrr(host_set, 0); + uint32_t cnts[] = {0, 0}; + for (uint32_t i = 0; i < 100; ++i) { + absl::optional locality_index = locality_wrr.chooseHealthyLocality(); + if (!locality_index.has_value()) { + // It's possible locality scheduler is nullptr (when factor is 0). + continue; + } + ASSERT_LT(locality_index.value(), 2); + ++cnts[locality_index.value()]; + } + EXPECT_EQ(pick_0, cnts[0]); + EXPECT_EQ(pick_1, cnts[1]); + }; + + // NOTE: effective locality weight: weight * min(1, factor * healthy-ratio). + + // Picks in localities match to weight(1) * healthy-ratio when + // overprovisioning factor is 1. + setUpHostSetWithOPFAndTestPicks(100, 33, 67); + // Picks in localities match to weights as factor * healthy-ratio > 1. + setUpHostSetWithOPFAndTestPicks(200, 50, 50); +}; + +} // namespace +} // namespace Upstream +} // namespace Envoy diff --git a/test/extensions/load_balancing_policies/least_request/least_request_lb_simulation_test.cc b/test/extensions/load_balancing_policies/least_request/least_request_lb_simulation_test.cc index 17b75e5f3c6df..7fb0423115009 100644 --- a/test/extensions/load_balancing_policies/least_request/least_request_lb_simulation_test.cc +++ b/test/extensions/load_balancing_policies/least_request/least_request_lb_simulation_test.cc @@ -74,7 +74,7 @@ void leastRequestLBWeightTest(LRLBTestParams params) { updateHostsParams(updated_hosts, updated_locality_hosts, std::make_shared(*updated_hosts), updated_locality_hosts), - {}, hosts, {}, random.random(), absl::nullopt); + {}, hosts, {}, absl::nullopt); Stats::IsolatedStoreImpl stats_store; ClusterLbStatNames stat_names(stats_store.symbolTable()); diff --git a/test/extensions/load_balancing_policies/random/random_lb_simulation_test.cc b/test/extensions/load_balancing_policies/random/random_lb_simulation_test.cc index c4a79a2773174..bdb0ff6bb03f7 100644 --- a/test/extensions/load_balancing_policies/random/random_lb_simulation_test.cc +++ b/test/extensions/load_balancing_policies/random/random_lb_simulation_test.cc @@ -107,7 +107,7 @@ class DISABLED_SimulationTest : public testing::Test { // NOLINT(readability-ide updateHostsParams(originating_hosts, per_zone_local_shared, std::make_shared(*originating_hosts), per_zone_local_shared), - {}, empty_vector_, empty_vector_, random_.random(), absl::nullopt); + {}, empty_vector_, empty_vector_, absl::nullopt); HostConstSharedPtr selected = lb.chooseHost(nullptr).host; hits[selected->address()->asString()]++; diff --git a/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc b/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc index 985d69aed0669..83e8e3b84ac98 100644 --- a/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc +++ b/test/extensions/load_balancing_policies/round_robin/round_robin_lb_test.cc @@ -335,23 +335,13 @@ TEST_P(RoundRobinLoadBalancerTest, Locality) { hostSet().healthy_hosts_ = *hosts; hostSet().healthy_hosts_per_locality_ = hosts_per_locality; init(false, true); - // chooseHealthyLocality() return value determines which locality we use. - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(0)); - EXPECT_EQ(hostSet().healthy_hosts_[1], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(1)); - EXPECT_EQ(hostSet().healthy_hosts_[0], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(0)); - EXPECT_EQ(hostSet().healthy_hosts_[1], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(1)); + + // Round robin through all localities. EXPECT_EQ(hostSet().healthy_hosts_[0], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(0)); EXPECT_EQ(hostSet().healthy_hosts_[1], lb_->chooseHost(nullptr).host); - // When there is no locality, we RR over all available hosts. - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(absl::optional())); + EXPECT_EQ(hostSet().healthy_hosts_[2], lb_->chooseHost(nullptr).host); EXPECT_EQ(hostSet().healthy_hosts_[0], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(absl::optional())); EXPECT_EQ(hostSet().healthy_hosts_[1], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(absl::optional())); EXPECT_EQ(hostSet().healthy_hosts_[2], lb_->chooseHost(nullptr).host); } @@ -380,13 +370,12 @@ TEST_P(RoundRobinLoadBalancerTest, DegradedLocality) { hostSet().degraded_hosts_per_locality_ = degraded_hosts_per_locality; init(false, true); - EXPECT_CALL(random_, random()).WillOnce(Return(50)).WillOnce(Return(0)); + EXPECT_CALL(random_, random()).WillOnce(Return(50)).WillOnce(Return(0)).WillOnce(Return(51)); // Since we're split between healthy and degraded, the LB should call into both // chooseHealthyLocality and chooseDegradedLocality. - EXPECT_CALL(hostSet(), chooseDegradedLocality()).WillOnce(Return(1)); EXPECT_EQ(hostSet().degraded_hosts_[0], lb_->chooseHost(nullptr).host); - EXPECT_CALL(hostSet(), chooseHealthyLocality()).WillOnce(Return(0)); EXPECT_EQ(hostSet().healthy_hosts_[0], lb_->chooseHost(nullptr).host); + EXPECT_EQ(hostSet().degraded_hosts_[1], lb_->chooseHost(nullptr).host); } TEST_P(RoundRobinLoadBalancerTest, Weighted) { diff --git a/test/extensions/load_balancing_policies/subset/subset_benchmark.cc b/test/extensions/load_balancing_policies/subset/subset_benchmark.cc index 3abb46573b05e..836d8ff59fac0 100644 --- a/test/extensions/load_balancing_policies/subset/subset_benchmark.cc +++ b/test/extensions/load_balancing_policies/subset/subset_benchmark.cc @@ -68,10 +68,10 @@ class SubsetLbTester : public Upstream::BaseTester { void update() { priority_set_.updateHosts( 0, Upstream::HostSetImpl::partitionHosts(smaller_hosts_, smaller_locality_hosts_), nullptr, - {}, host_moved_, random_.random(), absl::nullopt); + {}, host_moved_, absl::nullopt); priority_set_.updateHosts( 0, Upstream::HostSetImpl::partitionHosts(orig_hosts_, orig_locality_hosts_), nullptr, - host_moved_, {}, random_.random(), absl::nullopt); + host_moved_, {}, absl::nullopt); } std::unique_ptr subset_config_; diff --git a/test/extensions/load_balancing_policies/subset/subset_test.cc b/test/extensions/load_balancing_policies/subset/subset_test.cc index 3a988d0985f49..369bb1bcced98 100644 --- a/test/extensions/load_balancing_policies/subset/subset_test.cc +++ b/test/extensions/load_balancing_policies/subset/subset_test.cc @@ -475,7 +475,7 @@ class SubsetLoadBalancerTest : public Event::TestUsingSimulatedTime, std::make_shared(*local_hosts_), local_hosts_per_locality_, std::make_shared(), HostsPerLocalityImpl::empty(), std::make_shared(), HostsPerLocalityImpl::empty()), - {}, {}, {}, 0, absl::nullopt); + {}, {}, {}, absl::nullopt); initLbConfigAndLB(nullptr, true); } @@ -624,7 +624,7 @@ class SubsetLoadBalancerTest : public Event::TestUsingSimulatedTime, updateHostsParams(local_hosts_, local_hosts_per_locality_, std::make_shared(*local_hosts_), local_hosts_per_locality_), - {}, {}, remove, 0, absl::nullopt); + {}, {}, remove, absl::nullopt); } for (const auto& host : add) { @@ -641,7 +641,7 @@ class SubsetLoadBalancerTest : public Event::TestUsingSimulatedTime, updateHostsParams(local_hosts_, local_hosts_per_locality_, std::make_shared(*local_hosts_), local_hosts_per_locality_), - {}, add, {}, 0, absl::nullopt); + {}, add, {}, absl::nullopt); } } else if (!add.empty() || !remove.empty()) { local_priority_set_.updateHosts( @@ -649,7 +649,7 @@ class SubsetLoadBalancerTest : public Event::TestUsingSimulatedTime, updateHostsParams(local_hosts_, local_hosts_per_locality_, std::make_shared(*local_hosts_), local_hosts_per_locality_), - {}, add, remove, 0, absl::nullopt); + {}, add, remove, absl::nullopt); } } diff --git a/test/mocks/upstream/host_set.h b/test/mocks/upstream/host_set.h index 86c313d22f882..16ced302a8af0 100644 --- a/test/mocks/upstream/host_set.h +++ b/test/mocks/upstream/host_set.h @@ -43,8 +43,6 @@ class MockHostSet : public HostSet { MOCK_METHOD(const HostsPerLocality&, excludedHostsPerLocality, (), (const)); MOCK_METHOD(HostsPerLocalityConstSharedPtr, excludedHostsPerLocalityPtr, (), (const)); MOCK_METHOD(LocalityWeightsConstSharedPtr, localityWeights, (), (const)); - MOCK_METHOD(absl::optional, chooseHealthyLocality, ()); - MOCK_METHOD(absl::optional, chooseDegradedLocality, ()); MOCK_METHOD(uint32_t, priority, (), (const)); uint32_t overprovisioningFactor() const override { return overprovisioning_factor_; } void setOverprovisioningFactor(const uint32_t overprovisioning_factor) { diff --git a/test/mocks/upstream/priority_set.h b/test/mocks/upstream/priority_set.h index b7ba1d2019706..a19e208d12580 100644 --- a/test/mocks/upstream/priority_set.h +++ b/test/mocks/upstream/priority_set.h @@ -25,8 +25,7 @@ class MockPrioritySet : public PrioritySet { MOCK_METHOD(void, updateHosts, (uint32_t priority, UpdateHostsParams&& update_hosts_params, LocalityWeightsConstSharedPtr locality_weights, const HostVector& hosts_added, - const HostVector& hosts_removed, uint64_t seed, - absl::optional weighted_priority_health, + const HostVector& hosts_removed, absl::optional weighted_priority_health, absl::optional overprovisioning_factor, HostMapConstSharedPtr cross_priority_host_map)); MOCK_METHOD(void, batchHostUpdate, (BatchUpdateCb&)); From f0ea3c7bc33254a03c32e4fe7ac43a48545bd1d7 Mon Sep 17 00:00:00 2001 From: Kuat Date: Tue, 16 Sep 2025 10:08:43 -0700 Subject: [PATCH 407/505] logs: remove unused tls delegate (#41054) Change-Id: I9b006e2adf96aa3c109d084ed705c3854b567766 Commit Message: dead code. Maybe some distributors use it? Not clear what the value of a thread-local log sink is. Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Kuat Yessenov --- source/common/common/logger.cc | 41 +-------------------------- source/common/common/logger.h | 18 ++---------- test/common/common/logger_test.cc | 46 ------------------------------- 3 files changed, 4 insertions(+), 101 deletions(-) diff --git a/source/common/common/logger.cc b/source/common/common/logger.cc index 925ad510d3cfe..693f1517dde1c 100644 --- a/source/common/common/logger.cc +++ b/source/common/common/logger.cc @@ -28,15 +28,8 @@ void SinkDelegate::logWithStableName(absl::string_view, absl::string_view, absl: SinkDelegate::~SinkDelegate() { // The previous delegate should have never been set or should have been reset by now via - // restoreDelegate()/restoreTlsDelegate(); + // restoreDelegate(). assert(previous_delegate_ == nullptr); - assert(previous_tls_delegate_ == nullptr); -} - -void SinkDelegate::setTlsDelegate() { - assert(previous_tls_delegate_ == nullptr); - previous_tls_delegate_ = log_sink_->tlsDelegate(); - log_sink_->setTlsDelegate(this); } void SinkDelegate::setDelegate() { @@ -46,13 +39,6 @@ void SinkDelegate::setDelegate() { log_sink_->setDelegate(this); } -void SinkDelegate::restoreTlsDelegate() { - // Ensures stacked allocation of delegates. - assert(log_sink_->tlsDelegate() == this); - log_sink_->setTlsDelegate(previous_tls_delegate_); - previous_tls_delegate_ = nullptr; -} - void SinkDelegate::restoreDelegate() { // Ensures stacked allocation of delegates. assert(log_sink_->delegate() == this); @@ -102,11 +88,6 @@ void DelegatingLogSink::log(const spdlog::details::log_msg& msg) { sink.log(msg_view, msg); } }; - auto* tls_sink = tlsDelegate(); - if (tls_sink != nullptr) { - log_to_sink(*tls_sink); - return; - } // Hold the sink mutex while performing the actual logging. This prevents the sink from being // swapped during an individual log event. @@ -139,32 +120,12 @@ DelegatingLogSinkSharedPtr DelegatingLogSink::init() { } void DelegatingLogSink::flush() { - auto* tls_sink = tlsDelegate(); - if (tls_sink != nullptr) { - tls_sink->flush(); - return; - } absl::ReaderMutexLock lock(&sink_mutex_); sink_->flush(); } -SinkDelegate** DelegatingLogSink::tlsSink() { - static thread_local SinkDelegate* tls_sink = nullptr; - - return &tls_sink; -} - -void DelegatingLogSink::setTlsDelegate(SinkDelegate* sink) { *tlsSink() = sink; } - -SinkDelegate* DelegatingLogSink::tlsDelegate() { return *tlsSink(); } - void DelegatingLogSink::logWithStableName(absl::string_view stable_name, absl::string_view level, absl::string_view component, absl::string_view message) { - auto tls_sink = tlsDelegate(); - if (tls_sink != nullptr) { - tls_sink->logWithStableName(stable_name, level, component, message); - return; - } absl::ReaderMutexLock sink_lock(&sink_mutex_); sink_->logWithStableName(stable_name, level, component, message); } diff --git a/source/common/common/logger.h b/source/common/common/logger.h index 08fed3a27b5cb..4e9b2f861a56d 100644 --- a/source/common/common/logger.h +++ b/source/common/common/logger.h @@ -154,30 +154,21 @@ class SinkDelegate : NonCopyable { virtual void flush() PURE; protected: - // Swap the current thread local log sink delegate for this one. This should be called by the + // Swap the current *global* log sink delegate for this one. This should be called by the // derived class constructor immediately before returning. This is required to match - // restoreTlsDelegate(), otherwise it's possible for the previous delegate to get set in the base + // restoreDelegate(), otherwise it's possible for the previous delegate to get set in the base // class constructor, the derived class constructor throws, and cleanup becomes broken. - void setTlsDelegate(); - - // Swap the current *global* log sink delegate for this one. This behaves as setTlsDelegate, but - // operates on the global log sink instead of the thread local one. void setDelegate(); - // Swap the current thread local log sink (this) for the previous one. This should be called by + // Swap the current *global* log sink (this) for the previous one. This should be called by // the derived class destructor in the body. This is critical as otherwise it's possible for a log // message to get routed to a partially destructed sink. - void restoreTlsDelegate(); - - // Swap the current *global* log sink delegate for the previous one. This behaves as - // restoreTlsDelegate, but operates on the global sink instead of the thread local one. void restoreDelegate(); SinkDelegate* previousDelegate() { return previous_delegate_; } private: SinkDelegate* previous_delegate_{nullptr}; - SinkDelegate* previous_tls_delegate_{nullptr}; DelegatingLogSinkSharedPtr log_sink_; }; @@ -261,9 +252,6 @@ class DelegatingLogSink : public spdlog::sinks::sink { absl::ReaderMutexLock lock(&sink_mutex_); return sink_; } - SinkDelegate** tlsSink(); - void setTlsDelegate(SinkDelegate* sink); - SinkDelegate* tlsDelegate(); SinkDelegate* sink_ ABSL_GUARDED_BY(sink_mutex_){nullptr}; absl::Mutex sink_mutex_; diff --git a/test/common/common/logger_test.cc b/test/common/common/logger_test.cc index 37225c4c3a19c..686e1ac0e3752 100644 --- a/test/common/common/logger_test.cc +++ b/test/common/common/logger_test.cc @@ -230,52 +230,6 @@ TEST_F(NamedLogTest, NamedLogsAreSentToSink) { ENVOY_LOG_EVENT_TO_LOGGER(Registry::getLog(Id::misc), debug, "misc_event", "log"); } -struct TlsLogSink : SinkDelegate { - TlsLogSink(DelegatingLogSinkSharedPtr log_sink) : SinkDelegate(log_sink) { setTlsDelegate(); } - ~TlsLogSink() override { restoreTlsDelegate(); } - - MOCK_METHOD(void, log, (absl::string_view, const spdlog::details::log_msg&)); - MOCK_METHOD(void, logWithStableName, - (absl::string_view, absl::string_view, absl::string_view, absl::string_view)); - MOCK_METHOD(void, flush, ()); -}; - -// Verifies that we can register a thread local sink override. -TEST(TlsLoggingOverrideTest, OverrideSink) { - MockLogSink global_sink(Envoy::Logger::Registry::getSink()); - testing::InSequence s; - - { - TlsLogSink tls_sink(Envoy::Logger::Registry::getSink()); - - // Calls on the current thread goes to the TLS sink. - EXPECT_CALL(tls_sink, log(_, _)); - ENVOY_LOG_MISC(info, "hello tls"); - - // Calls on other threads should use the global sink. - std::thread([&]() { - EXPECT_CALL(global_sink, log(_, _)); - ENVOY_LOG_MISC(info, "hello global"); - }).join(); - - // Sanity checking that we're still using the TLS sink. - EXPECT_CALL(tls_sink, log(_, _)); - ENVOY_LOG_MISC(info, "hello tls"); - - // All the logging functions should be delegated to the TLS override. - EXPECT_CALL(tls_sink, flush()); - Registry::getSink()->flush(); - - EXPECT_CALL(tls_sink, logWithStableName(_, _, _, _)); - Registry::getSink()->logWithStableName("foo", "level", "bar", "msg"); - } - - // Now that the TLS sink is out of scope, log calls on this thread should use the global sink - // again. - EXPECT_CALL(global_sink, log(_, _)); - ENVOY_LOG_MISC(info, "hello global 2"); -} - TEST(LoggerTest, LogWithLogDetails) { Envoy::Logger::Registry::setLogLevel(spdlog::level::info); From a188806af529c3eca230ec24aa3378f8ed7a2d97 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 16 Sep 2025 16:23:58 -0400 Subject: [PATCH 408/505] tools: update notifier script to handle calendar fetching and parsing errors (#41099) Commit Message: tools: update notifier script to handle calendar fetching and parsing errors Signed-off-by: Adi Suissa-Peleg --- tools/repo/notify.py | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/tools/repo/notify.py b/tools/repo/notify.py index a939ac9ac84a6..7244dca0cc5ae 100644 --- a/tools/repo/notify.py +++ b/tools/repo/notify.py @@ -130,16 +130,19 @@ async def oncall_string(self): # Handle the event being created before today. date = priorweek.strftime("%Y%m%d") - response = await self.session.get(f"{CALENDAR}?getdate={date}") - content = await response.read() - parsed_calendar = icalendar.Calendar.from_ical(content) - - for component in parsed_calendar.walk(): - if component.name == "VEVENT": - if (sunday.date() == component.decoded("dtstart").date()): - return component.get("summary") - if (monday.date() == component.decoded("dtstart").date()): - return component.get("summary") + try: + response = await self.session.get(f"{CALENDAR}?getdate={date}") + content = await response.read() + parsed_calendar = icalendar.Calendar.from_ical(content) + + for component in parsed_calendar.walk(): + if component.name == "VEVENT": + if (sunday.date() == component.decoded("dtstart").date()): + return component.get("summary") + if (monday.date() == component.decoded("dtstart").date()): + return component.get("summary") + except Exception as e: + print("Error while fetching and parsing the on-call calendar: {e}") print("unable to find this week's oncall") return "unable to find this week's oncall" From 0c2fce1e44fd763695daa35a0979154254044889 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 16 Sep 2025 16:48:22 -0400 Subject: [PATCH 409/505] tools: update the notifier tool calendar link (#41100) Commit Message: tools: update the notifier tool calendar link Signed-off-by: Adi Suissa-Peleg --- tools/repo/notify.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/tools/repo/notify.py b/tools/repo/notify.py index 7244dca0cc5ae..e61efeeeb0e11 100644 --- a/tools/repo/notify.py +++ b/tools/repo/notify.py @@ -30,7 +30,20 @@ ENVOY_REPO = "envoyproxy/envoy" # Oncall calendar -CALENDAR = "https://calendar.google.com/calendar/ical/d6glc0l5rc3v235q9l2j29dgovh3dn48%40import.calendar.google.com/public/basic.ics" +# This calendar is currently in the Google calndar account of @adisuissa. Once +# his account is closed, the calendar will not be available. In order to create +# a new calendar link, please do the following: +# 1. Find the link on the opsgenie page -> "Who is on-call" -> "Envoy maintainer +# rotation" -> calendar icon on the top-right of the screen. This will point to +# a webcall link, similar to: +# webcal://kubernetes.app.opsgenie.com/webapi/webcal/getRecentSchedule?webcalToken=&scheduleId=a3505963-c064-4c97-8865-947dfcb06060 +# 2. Go to your personal Google calendar, and add a new one (press '+' next to +# "Other calendars") -> then press "From URL". +# 3. Paste the webcal link to the "URL of calendar", check the "Make the +# calendar publicly accessible", and press "Add calendar". +# 4. In the calendar settings you can now change the calendar's name, and copy +# paste the "public address in iCal format" link here. +CALENDAR = "https://calendar.google.com/calendar/ical/jlcv20uad0arnm7g69ip9iu956vvnrf6%40import.calendar.google.com/public/basic.ics" ISSUE_LINK = "https://github.com/envoyproxy/envoy/issues?q=is%3Aissue+is%3Aopen+label%3Atriage" SLACK_EXPORT_URL = "https://api.slack.com/apps/A023NPQQ33K/oauth?" From 566b192a3c6aff2523ad695f2971c192676137f4 Mon Sep 17 00:00:00 2001 From: danzh Date: Tue, 16 Sep 2025 20:56:43 -0400 Subject: [PATCH 410/505] response decoder: add new interfaces for life time tracking of response decoder (#41048) Commit Message: introduce ResponseDecoderHandle interface via which ResponseDecoder object can be obtained with guarantee that the object is still alive. Also added a new interface getResponseDecoderHandle() to ResponseDecoder and a new base implementation of ResponseDecoder ResponseDecoderImplBase which implements these new interfaces. Existing subclasses of ResponseDecoder are changed to inherit from ResponseDecoderImplBase. Additional Description: also make EnvoyQuicClientStream and ResponseDecoderWrapper to use the handle instead of directly accessing the passed-in response decoder, guarded by `envoy.reloadable_features.use_response_decoder_handle`. And when the decoder is dead, log error or abort based on `envoy.reloadable_features.abort_when_accessing_dead_decoder`. We should gradually transit from using raw pointer or reference of ResponseDecoder to using the handle interface everywhere else. This PR makes the transition in the 2 classes which we are observing life time issues today. Risk Level: low Testing: existing tests passed Docs Changes: N/A Release Notes: Y Platform Specific Features: N/A Runtime guard: envoy.reloadable_features.abort_when_accessing_dead_decoder(default false) and envoy.reloadable_features.use_response_decoder_handle Issue: #41060 --------- Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- changelogs/current.yaml | 5 + envoy/http/codec.h | 24 ++++ envoy/router/BUILD | 1 + envoy/router/router.h | 3 +- source/common/http/BUILD | 13 ++- source/common/http/codec_wrappers.h | 68 +++++++++-- source/common/http/http1/conn_pool.cc | 4 +- source/common/http/http1/conn_pool.h | 4 +- .../common/http/response_decoder_impl_base.h | 40 +++++++ .../common/quic/envoy_quic_client_stream.cc | 67 +++++++++-- source/common/quic/envoy_quic_client_stream.h | 9 +- source/common/runtime/runtime_features.cc | 4 +- source/common/tcp_proxy/BUILD | 1 + source/common/tcp_proxy/upstream.h | 6 +- .../downstream_socket_interface/BUILD | 1 + .../rc_connection_wrapper.h | 3 +- source/extensions/filters/udp/udp_proxy/BUILD | 1 + .../filters/udp/udp_proxy/udp_proxy_filter.h | 3 +- source/extensions/health_checkers/grpc/BUILD | 1 + .../grpc/health_checker_impl.h | 3 +- source/extensions/health_checkers/http/BUILD | 1 + .../http/health_checker_impl.h | 3 +- test/common/http/BUILD | 1 + test/common/http/codec_wrappers_test.cc | 46 ++++++-- test/common/quic/BUILD | 1 + .../quic/envoy_quic_client_stream_test.cc | 110 ++++++++++++++++++ test/integration/integration_stream_decoder.h | 4 +- test/integration/utility.h | 3 +- test/mocks/http/BUILD | 1 + test/mocks/http/stream_decoder.h | 4 +- tools/spelling/spelling_dictionary.txt | 2 + 31 files changed, 395 insertions(+), 42 deletions(-) create mode 100644 source/common/http/response_decoder_impl_base.h diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 039b89ee8e8e2..7b7847c0f7f3c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,6 +1,11 @@ date: Pending behavior_changes: +- area: response_decoder + change: | + Updated EnvoyQuicClientStream and ResponseDecoderWrapper to use a handle to access the response decoder + to prevent use-after-free errors by ensuring the decoder instance is still live before calling its methods. + This change is guarded by the runtime flag ``envoy.reloadable_features.use_response_decoder_handle``. - area: http change: | A route refresh will now result in a tracing refresh. The trace sampling decision and decoration diff --git a/envoy/http/codec.h b/envoy/http/codec.h index 3c23ea86b2636..bc7c45cacf0c3 100644 --- a/envoy/http/codec.h +++ b/envoy/http/codec.h @@ -198,6 +198,23 @@ class ResponseEncoder : public virtual StreamEncoder { StreamInfo::StreamInfo& stream_info) PURE; }; +class ResponseDecoder; + +/** + * A handle to a ResponseDecoder. This handle can be used to check if the underlying decoder is + * still valid and to get a reference to it. + */ +class ResponseDecoderHandle { +public: + virtual ~ResponseDecoderHandle() = default; + + /** + * @return a reference to the underlying decoder if it is still valid. + */ + virtual OptRef get() PURE; +}; +using ResponseDecoderHandlePtr = std::unique_ptr; + /** * Decodes an HTTP stream. These are callbacks fired into a sink. This interface contains methods * common to both the request and response path. @@ -304,9 +321,16 @@ class ResponseDecoder : public virtual StreamDecoder { * @param os the ostream to dump state to * @param indent_level the depth, for pretty-printing. * + * This function is called on Envoy fatal errors so should avoid memory allocation. */ virtual void dumpState(std::ostream& os, int indent_level = 0) const PURE; + + /** + * @return A handle to the response decoder. Caller can check the response decoder's liveness via + * the handle. + */ + virtual ResponseDecoderHandlePtr createResponseDecoderHandle() PURE; }; /** diff --git a/envoy/router/BUILD b/envoy/router/BUILD index 33af45f78fe55..47dc4cbebcbb4 100644 --- a/envoy/router/BUILD +++ b/envoy/router/BUILD @@ -95,6 +95,7 @@ envoy_cc_library( "//envoy/tracing:tracer_interface", "//envoy/upstream:resource_manager_interface", "//envoy/upstream:retry_interface", + "//source/common/http:response_decoder_impl_base", "//source/common/protobuf", "//source/common/protobuf:utility_lib", "@com_google_absl//absl/types:optional", diff --git a/envoy/router/router.h b/envoy/router/router.h index d37a0bd61968d..ef26a58dec6ca 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -27,6 +27,7 @@ #include "envoy/upstream/resource_manager.h" #include "envoy/upstream/retry.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" @@ -1490,7 +1491,7 @@ class GenericConnPool { * An API for the interactions the upstream stream needs to have with the downstream stream * and/or router components */ -class UpstreamToDownstream : public Http::ResponseDecoder, public Http::StreamCallbacks { +class UpstreamToDownstream : public Http::ResponseDecoderImplBase, public Http::StreamCallbacks { public: /** * @return return the route for the downstream stream. diff --git a/source/common/http/BUILD b/source/common/http/BUILD index f784a9b99609c..7829e37899399 100644 --- a/source/common/http/BUILD +++ b/source/common/http/BUILD @@ -132,7 +132,18 @@ envoy_cc_library( envoy_cc_library( name = "codec_wrappers_lib", hdrs = ["codec_wrappers.h"], - deps = ["//envoy/http:codec_interface"], + deps = [ + ":response_decoder_impl_base", + "//envoy/http:codec_interface", + ], +) + +envoy_cc_library( + name = "response_decoder_impl_base", + hdrs = ["response_decoder_impl_base.h"], + deps = [ + "//envoy/http:codec_interface", + ], ) envoy_cc_library( diff --git a/source/common/http/codec_wrappers.h b/source/common/http/codec_wrappers.h index 7b98413e1a5a1..1494df392b06e 100644 --- a/source/common/http/codec_wrappers.h +++ b/source/common/http/codec_wrappers.h @@ -2,24 +2,35 @@ #include "envoy/http/codec.h" +#include "source/common/http/response_decoder_impl_base.h" +#include "source/common/runtime/runtime_features.h" + namespace Envoy { namespace Http { /** * Wrapper for ResponseDecoder that just forwards to an "inner" decoder. */ -class ResponseDecoderWrapper : public ResponseDecoder { +class ResponseDecoderWrapper : public ResponseDecoderImplBase { public: // ResponseDecoder void decode1xxHeaders(ResponseHeaderMapPtr&& headers) override { - inner_.decode1xxHeaders(std::move(headers)); + if (Http::ResponseDecoder* inner = getInnerDecoder()) { + inner->decode1xxHeaders(std::move(headers)); + } else { + onInnerDecoderDead(); + } } void decodeHeaders(ResponseHeaderMapPtr&& headers, bool end_stream) override { if (end_stream) { onPreDecodeComplete(); } - inner_.decodeHeaders(std::move(headers), end_stream); + if (Http::ResponseDecoder* inner = getInnerDecoder()) { + inner->decodeHeaders(std::move(headers), end_stream); + } else { + onInnerDecoderDead(); + } if (end_stream) { onDecodeComplete(); } @@ -29,7 +40,11 @@ class ResponseDecoderWrapper : public ResponseDecoder { if (end_stream) { onPreDecodeComplete(); } - inner_.decodeData(data, end_stream); + if (Http::ResponseDecoder* inner = getInnerDecoder()) { + inner->decodeData(data, end_stream); + } else { + onInnerDecoderDead(); + } if (end_stream) { onDecodeComplete(); } @@ -37,20 +52,33 @@ class ResponseDecoderWrapper : public ResponseDecoder { void decodeTrailers(ResponseTrailerMapPtr&& trailers) override { onPreDecodeComplete(); - inner_.decodeTrailers(std::move(trailers)); + if (Http::ResponseDecoder* inner = getInnerDecoder()) { + inner->decodeTrailers(std::move(trailers)); + } else { + onInnerDecoderDead(); + } onDecodeComplete(); } void decodeMetadata(MetadataMapPtr&& metadata_map) override { - inner_.decodeMetadata(std::move(metadata_map)); + if (Http::ResponseDecoder* inner = getInnerDecoder()) { + inner->decodeMetadata(std::move(metadata_map)); + } else { + onInnerDecoderDead(); + } } void dumpState(std::ostream& os, int indent_level) const override { - inner_.dumpState(os, indent_level); + if (Http::ResponseDecoder* inner = getInnerDecoder()) { + inner->dumpState(os, indent_level); + } else { + onInnerDecoderDead(); + } } protected: - ResponseDecoderWrapper(ResponseDecoder& inner) : inner_(inner) {} + ResponseDecoderWrapper(ResponseDecoder& inner) + : inner_handle_(inner.createResponseDecoderHandle()), inner_(&inner) {} /** * Consumers of the wrapper generally want to know when a decode is complete. This is called @@ -59,7 +87,29 @@ class ResponseDecoderWrapper : public ResponseDecoder { virtual void onPreDecodeComplete() PURE; virtual void onDecodeComplete() PURE; - ResponseDecoder& inner_; + ResponseDecoderHandlePtr inner_handle_; + Http::ResponseDecoder* inner_ = nullptr; + +private: + Http::ResponseDecoder* getInnerDecoder() const { + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.use_response_decoder_handle")) { + return inner_; + } + if (inner_handle_) { + if (OptRef inner = inner_handle_->get(); inner.has_value()) { + return &inner.value().get(); + } + } + return nullptr; + } + + void onInnerDecoderDead() const { + const std::string error_msg = "Wrapped decoder use after free detected."; + IS_ENVOY_BUG(error_msg); + RELEASE_ASSERT(!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.abort_when_accessing_dead_decoder"), + error_msg); + } }; /** diff --git a/source/common/http/http1/conn_pool.cc b/source/common/http/http1/conn_pool.cc index 99aea9e453b2d..5877a035f041d 100644 --- a/source/common/http/http1/conn_pool.cc +++ b/source/common/http/http1/conn_pool.cc @@ -25,8 +25,8 @@ namespace Http { namespace Http1 { ActiveClient::StreamWrapper::StreamWrapper(ResponseDecoder& response_decoder, ActiveClient& parent) - : RequestEncoderWrapper(&parent.codec_client_->newStream(*this)), - ResponseDecoderWrapper(response_decoder), parent_(parent) { + : ResponseDecoderWrapper(response_decoder), + RequestEncoderWrapper(&parent.codec_client_->newStream(*this)), parent_(parent) { RequestEncoderWrapper::inner_encoder_->getStream().addCallbacks(*this); } diff --git a/source/common/http/http1/conn_pool.h b/source/common/http/http1/conn_pool.h index 7bdeb288e6aa4..b8b1fa803dfca 100644 --- a/source/common/http/http1/conn_pool.h +++ b/source/common/http/http1/conn_pool.h @@ -36,8 +36,8 @@ class ActiveClient : public Envoy::Http::ActiveClient { Envoy::Http::ActiveClient::releaseResources(); } - struct StreamWrapper : public RequestEncoderWrapper, - public ResponseDecoderWrapper, + struct StreamWrapper : public ResponseDecoderWrapper, + public RequestEncoderWrapper, public StreamCallbacks, public Event::DeferredDeletable, protected Logger::Loggable { diff --git a/source/common/http/response_decoder_impl_base.h b/source/common/http/response_decoder_impl_base.h new file mode 100644 index 0000000000000..694c2b7a6af24 --- /dev/null +++ b/source/common/http/response_decoder_impl_base.h @@ -0,0 +1,40 @@ +#pragma once + +#include + +#include "envoy/http/codec.h" + +namespace Envoy { +namespace Http { + +class ResponseDecoderHandleImpl : public ResponseDecoderHandle { +public: + ResponseDecoderHandleImpl(std::weak_ptr live_trackable, ResponseDecoder& decoder) + : live_trackable_(live_trackable), decoder_(decoder) {} + + OptRef get() override { + if (live_trackable_.lock()) { + return decoder_; + } + return {}; + } + +private: + std::weak_ptr live_trackable_; + ResponseDecoder& decoder_; +}; + +class ResponseDecoderImplBase : public ResponseDecoder { +public: + ResponseDecoderImplBase() : live_trackable_(std::make_shared(true)) {} + + ResponseDecoderHandlePtr createResponseDecoderHandle() override { + return std::make_unique(live_trackable_, *this); + } + +private: + std::shared_ptr live_trackable_; +}; + +} // namespace Http +} // namespace Envoy diff --git a/source/common/quic/envoy_quic_client_stream.cc b/source/common/quic/envoy_quic_client_stream.cc index 53773d3e33107..f6506a7fb33e1 100644 --- a/source/common/quic/envoy_quic_client_stream.cc +++ b/source/common/quic/envoy_quic_client_stream.cc @@ -36,6 +36,11 @@ EnvoyQuicClientStream::EnvoyQuicClientStream( RegisterMetadataVisitor(this); } +void EnvoyQuicClientStream::setResponseDecoder(Http::ResponseDecoder& decoder) { + response_decoder_handle_ = decoder.createResponseDecoderHandle(); + response_decoder_ = &decoder; +} + Http::Status EnvoyQuicClientStream::encodeHeaders(const Http::RequestHeaderMap& headers, bool end_stream) { ENVOY_STREAM_LOG(debug, "encodeHeaders: (end_stream={}) {}.", *this, end_stream, headers); @@ -207,7 +212,11 @@ void EnvoyQuicClientStream::OnInitialHeadersComplete(bool fin, size_t frame_len, if (!optional_status.has_value()) { // In case the status is invalid or missing, the response_decoder_.decodeHeaders() will fail the // request - response_decoder_->decodeHeaders(std::move(headers), fin); + if (Http::ResponseDecoder* decoder = getResponseDecoder()) { + decoder->decodeHeaders(std::move(headers), fin); + } else { + onResponseDecoderDead(); + } ConsumeHeaderList(); return; } @@ -224,10 +233,18 @@ void EnvoyQuicClientStream::OnInitialHeadersComplete(bool fin, size_t frame_len, if (is_special_1xx && !decoded_1xx_) { // This is 100 Continue, only decode it once to support Expect:100-Continue header. decoded_1xx_ = true; - response_decoder_->decode1xxHeaders(std::move(headers)); + if (Http::ResponseDecoder* decoder = getResponseDecoder()) { + decoder->decode1xxHeaders(std::move(headers)); + } else { + onResponseDecoderDead(); + } } else if (!is_special_1xx) { - response_decoder_->decodeHeaders(std::move(headers), - /*end_stream=*/fin); + if (Http::ResponseDecoder* decoder = getResponseDecoder()) { + decoder->decodeHeaders(std::move(headers), + /*end_stream=*/fin); + } else { + onResponseDecoderDead(); + } if (status == enumToInt(Http::Code::NotModified)) { got_304_response_ = true; } @@ -301,7 +318,11 @@ void EnvoyQuicClientStream::OnBodyAvailable() { // A stream error has occurred, stop processing. return; } - response_decoder_->decodeData(*buffer, fin_read_and_no_trailers); + if (Http::ResponseDecoder* decoder = getResponseDecoder()) { + decoder->decodeData(*buffer, fin_read_and_no_trailers); + } else { + onResponseDecoderDead(); + } } if (!sequencer()->IsClosed() || read_side_closed()) { @@ -348,7 +369,11 @@ void EnvoyQuicClientStream::maybeDecodeTrailers() { onStreamError(close_connection_upon_invalid_header_, transform_rst); return; } - response_decoder_->decodeTrailers(std::move(trailers)); + if (Http::ResponseDecoder* decoder = getResponseDecoder()) { + decoder->decodeTrailers(std::move(trailers)); + } else { + onResponseDecoderDead(); + } MarkTrailersConsumed(); } } @@ -432,10 +457,15 @@ void EnvoyQuicClientStream::OnMetadataComplete(size_t /*frame_len*/, const quic::QuicHeaderList& header_list) { if (mustRejectMetadata(header_list.uncompressed_header_bytes())) { onStreamError(true, quic::QUIC_HEADERS_TOO_LARGE); + return; } if (!header_list.empty()) { - response_decoder_->decodeMetadata(metadataMapFromHeaderList(header_list)); + if (Http::ResponseDecoder* decoder = getResponseDecoder()) { + decoder->decodeMetadata(metadataMapFromHeaderList(header_list)); + } else { + onResponseDecoderDead(); + } } } @@ -466,7 +496,7 @@ bool EnvoyQuicClientStream::hasPendingData() { return BufferedDataBytes() > 0; } // connect-udp". void EnvoyQuicClientStream::useCapsuleProtocol() { http_datagram_handler_ = std::make_unique(*this); - http_datagram_handler_->setStreamDecoder(response_decoder_); + http_datagram_handler_->setStreamDecoder(getResponseDecoder()); RegisterHttp3DatagramVisitor(http_datagram_handler_.get()); } #endif @@ -475,5 +505,26 @@ void EnvoyQuicClientStream::OnInvalidHeaders() { onStreamError(absl::nullopt, quic::QUIC_BAD_APPLICATION_PAYLOAD); } +void EnvoyQuicClientStream::onResponseDecoderDead() const { + const std::string error_msg = "response_decoder_ use after free detected."; + IS_ENVOY_BUG(error_msg); + RELEASE_ASSERT(!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.abort_when_accessing_dead_decoder"), + error_msg); +} + +Http::ResponseDecoder* EnvoyQuicClientStream::getResponseDecoder() { + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.use_response_decoder_handle")) { + return response_decoder_; + } + if (response_decoder_handle_) { + if (OptRef decoder = response_decoder_handle_->get(); + decoder.has_value()) { + return &decoder.value().get(); + } + } + return nullptr; +} + } // namespace Quic } // namespace Envoy diff --git a/source/common/quic/envoy_quic_client_stream.h b/source/common/quic/envoy_quic_client_stream.h index 67214eb9741f2..5352f2b92bea5 100644 --- a/source/common/quic/envoy_quic_client_stream.h +++ b/source/common/quic/envoy_quic_client_stream.h @@ -3,6 +3,7 @@ #include "envoy/buffer/buffer.h" #include "source/common/quic/envoy_quic_stream.h" +#include "source/common/runtime/runtime_features.h" #ifdef ENVOY_ENABLE_HTTP_DATAGRAMS #include "source/common/quic/http_datagram_handler.h" @@ -25,7 +26,7 @@ class EnvoyQuicClientStream : public quic::QuicSpdyClientStream, quic::StreamType type, Http::Http3::CodecStats& stats, const envoy::config::core::v3::Http3ProtocolOptions& http3_options); - void setResponseDecoder(Http::ResponseDecoder& decoder) { response_decoder_ = &decoder; } + void setResponseDecoder(Http::ResponseDecoder& decoder); // Http::StreamEncoder Http::Http1StreamEncoderOptionsOptRef http1StreamEncoderOptions() override { @@ -92,6 +93,12 @@ class EnvoyQuicClientStream : public quic::QuicSpdyClientStream, void useCapsuleProtocol(); #endif + // Returns nullptr if the response decoder has already been destructed. + Http::ResponseDecoder* getResponseDecoder(); + + void onResponseDecoderDead() const; + + Http::ResponseDecoderHandlePtr response_decoder_handle_; Http::ResponseDecoder* response_decoder_{nullptr}; bool decoded_1xx_{false}; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index b25a151963428..e56f20700f779 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -79,6 +79,7 @@ RUNTIME_GUARD(envoy_reloadable_features_trace_refresh_after_route_refresh); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); +RUNTIME_GUARD(envoy_reloadable_features_use_response_decoder_handle); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_websocket_allow_4xx_5xx_through_filter_chain); @@ -171,7 +172,8 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_no_ai_flags); FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_new_dns_implementation); // Force a local reply from upstream envoy for reverse connections. FALSE_RUNTIME_GUARD(envoy_reloadable_features_reverse_conn_force_local_reply); - +// RELEASE_ASSERT when upstream stream detects UAF of downstream response decoder instance. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_abort_when_accessing_dead_decoder); // Block of non-boolean flags. Use of int flags is deprecated. Do not add more. ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT ABSL_FLAG(uint64_t, re2_max_program_size_warn_level, // NOLINT diff --git a/source/common/tcp_proxy/BUILD b/source/common/tcp_proxy/BUILD index c6b30b08d03d1..914382ab15f81 100644 --- a/source/common/tcp_proxy/BUILD +++ b/source/common/tcp_proxy/BUILD @@ -29,6 +29,7 @@ envoy_cc_library( "//source/common/http:hash_policy_lib", "//source/common/http:header_map_lib", "//source/common/http:headers_lib", + "//source/common/http:response_decoder_impl_base", "//source/common/http:utility_lib", "//source/common/network:utility_lib", "//source/common/router:header_parser_lib", diff --git a/source/common/tcp_proxy/upstream.h b/source/common/tcp_proxy/upstream.h index 661797dc65de0..86a770a8517bd 100644 --- a/source/common/tcp_proxy/upstream.h +++ b/source/common/tcp_proxy/upstream.h @@ -17,6 +17,7 @@ #include "source/common/http/codec_client.h" #include "source/common/http/hash_policy.h" #include "source/common/http/null_route_impl.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/network/utility.h" #include "source/common/router/config_impl.h" #include "source/common/router/header_parser.h" @@ -230,8 +231,7 @@ class HttpUpstream : public GenericUpstream, protected Http::StreamCallbacks { std::unique_ptr downstream_headers_; private: - Upstream::ClusterInfoConstSharedPtr cluster_; - class DecoderShim : public Http::ResponseDecoder { + class DecoderShim : public Http::ResponseDecoderImplBase { public: DecoderShim(HttpUpstream& parent) : parent_(parent) {} void decode1xxHeaders(Http::ResponseHeaderMapPtr&&) override {} @@ -351,7 +351,7 @@ class CombinedUpstream : public GenericUpstream, public Envoy::Router::RouterFil private: Http::StreamDecoderFilterCallbacks& decoder_filter_callbacks_; - class DecoderShim : public Http::ResponseDecoder { + class DecoderShim : public Http::ResponseDecoderImplBase { public: DecoderShim(CombinedUpstream& parent) : parent_(parent) {} // Http::ResponseDecoder diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index cef2da998723f..62257e221fcc2 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -77,6 +77,7 @@ envoy_cc_library( "//source/common/common:logger_lib", "//source/common/grpc:typed_async_client_lib", "//source/common/http:codec_client_lib", + "//source/common/http:response_decoder_impl_base", "//source/common/http/http1:codec_lib", "//source/common/http/http1:codec_stats_lib", "//source/common/network:address_lib", diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h index 68828336a43d7..23dbacb1db6c0 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h @@ -12,6 +12,7 @@ #include "source/common/common/logger.h" #include "source/common/http/http1/codec_impl.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/network/filter_impl.h" namespace Envoy { @@ -49,7 +50,7 @@ class SimpleConnReadFilter : public Network::ReadFilterBaseImpl, class RCConnectionWrapper : public Network::ConnectionCallbacks, public Event::DeferredDeletable, public Logger::Loggable, - public Http::ResponseDecoder, + public Http::ResponseDecoderImplBase, public Http::ConnectionCallbacks { friend class SimpleConnReadFilterTest; diff --git a/source/extensions/filters/udp/udp_proxy/BUILD b/source/extensions/filters/udp/udp_proxy/BUILD index a9e79751a3afc..9e60d1f00f3f0 100644 --- a/source/extensions/filters/udp/udp_proxy/BUILD +++ b/source/extensions/filters/udp/udp_proxy/BUILD @@ -42,6 +42,7 @@ envoy_cc_library( "//source/common/common:empty_string", "//source/common/common:linked_object", "//source/common/common:random_generator_lib", + "//source/common/http:response_decoder_impl_base", "//source/common/network:socket_lib", "//source/common/network:socket_option_factory_lib", "//source/common/network:utility_lib", diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h index f2b6f64606fa9..c1c921375f269 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h @@ -21,6 +21,7 @@ #include "source/common/http/codes.h" #include "source/common/http/header_map_impl.h" #include "source/common/http/headers.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/http/utility.h" #include "source/common/network/socket_impl.h" #include "source/common/network/socket_interface.h" @@ -311,7 +312,7 @@ class HttpUpstreamImpl : public HttpUpstream, protected Http::StreamCallbacks { } private: - class ResponseDecoder : public Http::ResponseDecoder { + class ResponseDecoder : public Http::ResponseDecoderImplBase { public: ResponseDecoder(HttpUpstreamImpl& parent) : parent_(parent) {} diff --git a/source/extensions/health_checkers/grpc/BUILD b/source/extensions/health_checkers/grpc/BUILD index c06822d4e75c9..b3688169d1f2d 100644 --- a/source/extensions/health_checkers/grpc/BUILD +++ b/source/extensions/health_checkers/grpc/BUILD @@ -20,6 +20,7 @@ envoy_cc_extension( deps = [ "//source/common/grpc:codec_lib", "//source/common/http:codec_client_lib", + "//source/common/http:response_decoder_impl_base", "//source/common/upstream:health_checker_lib", "//source/common/upstream:host_utility_lib", "//source/extensions/health_checkers/common:health_checker_base_lib", diff --git a/source/extensions/health_checkers/grpc/health_checker_impl.h b/source/extensions/health_checkers/grpc/health_checker_impl.h index 326035eac59b1..a3e54bb454792 100644 --- a/source/extensions/health_checkers/grpc/health_checker_impl.h +++ b/source/extensions/health_checkers/grpc/health_checker_impl.h @@ -17,6 +17,7 @@ #include "source/common/common/logger.h" #include "source/common/grpc/codec.h" #include "source/common/http/codec_client.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/router/header_parser.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/common/upstream/health_checker_impl.h" @@ -52,7 +53,7 @@ class GrpcHealthCheckerImpl : public HealthCheckerImplBase { private: struct GrpcActiveHealthCheckSession : public ActiveHealthCheckSession, - public Http::ResponseDecoder, + public Http::ResponseDecoderImplBase, public Http::StreamCallbacks { GrpcActiveHealthCheckSession(GrpcHealthCheckerImpl& parent, const HostSharedPtr& host); ~GrpcActiveHealthCheckSession() override; diff --git a/source/extensions/health_checkers/http/BUILD b/source/extensions/health_checkers/http/BUILD index 6ad5ed7773564..b759a789d7568 100644 --- a/source/extensions/health_checkers/http/BUILD +++ b/source/extensions/health_checkers/http/BUILD @@ -18,6 +18,7 @@ envoy_cc_extension( ], deps = [ "//source/common/http:codec_client_lib", + "//source/common/http:response_decoder_impl_base", "//source/common/upstream:health_checker_lib", "//source/common/upstream:host_utility_lib", "//source/extensions/health_checkers/common:health_checker_base_lib", diff --git a/source/extensions/health_checkers/http/health_checker_impl.h b/source/extensions/health_checkers/http/health_checker_impl.h index 81fae53f73330..68fd6214f9166 100644 --- a/source/extensions/health_checkers/http/health_checker_impl.h +++ b/source/extensions/health_checkers/http/health_checker_impl.h @@ -17,6 +17,7 @@ #include "source/common/common/logger.h" #include "source/common/grpc/codec.h" #include "source/common/http/codec_client.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/router/header_parser.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/common/upstream/health_checker_impl.h" @@ -77,7 +78,7 @@ class HttpHealthCheckerImpl : public HealthCheckerImplBase { private: struct HttpActiveHealthCheckSession : public ActiveHealthCheckSession, - public Http::ResponseDecoder, + public Http::ResponseDecoderImplBase, public Http::StreamCallbacks { HttpActiveHealthCheckSession(HttpHealthCheckerImpl& parent, const HostSharedPtr& host); ~HttpActiveHealthCheckSession() override; diff --git a/test/common/http/BUILD b/test/common/http/BUILD index 868182b92b8d8..2aae452aa1dcc 100644 --- a/test/common/http/BUILD +++ b/test/common/http/BUILD @@ -162,6 +162,7 @@ envoy_cc_test( deps = [ "//source/common/http:codec_wrappers_lib", "//test/mocks/http:http_mocks", + "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", ], ) diff --git a/test/common/http/codec_wrappers_test.cc b/test/common/http/codec_wrappers_test.cc index 35bf742a03f02..e5ffb0acdd615 100644 --- a/test/common/http/codec_wrappers_test.cc +++ b/test/common/http/codec_wrappers_test.cc @@ -1,6 +1,7 @@ #include "source/common/http/codec_wrappers.h" #include "test/mocks/http/mocks.h" +#include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" using testing::_; @@ -10,23 +11,54 @@ namespace Http { class MockResponseDecoderWrapper : public ResponseDecoderWrapper { public: - MockResponseDecoderWrapper() : ResponseDecoderWrapper(inner_decoder_) {} - MockResponseDecoder& innerEncoder() { return inner_decoder_; } + explicit MockResponseDecoderWrapper(MockResponseDecoder& inner_decoder) + : ResponseDecoderWrapper(inner_decoder) {} void onDecodeComplete() override {} void onPreDecodeComplete() override {} - -private: - MockResponseDecoder inner_decoder_; }; TEST(MockResponseDecoderWrapper, dumpState) { - MockResponseDecoderWrapper wrapper; + MockResponseDecoder inner_decoder; + MockResponseDecoderWrapper wrapper(inner_decoder); std::stringstream os; - EXPECT_CALL(wrapper.innerEncoder(), dumpState(_, _)); + EXPECT_CALL(inner_decoder, dumpState(_, _)); wrapper.dumpState(os, 0); } +TEST(MockResponseDecoderWrapper, decoderDestroyedBeforeDecoding) { + TestScopedRuntime runtime; + runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); + auto inner_decoder = std::make_unique(); + MockResponseDecoderWrapper wrapper(*inner_decoder); + + inner_decoder.reset(); + + EXPECT_ENVOY_BUG( + wrapper.decodeHeaders(ResponseHeaderMapPtr{new TestResponseHeaderMapImpl{{":status", "200"}}}, + true), + "Wrapped decoder use after free detected"); + + EXPECT_ENVOY_BUG(wrapper.decode1xxHeaders( + ResponseHeaderMapPtr{new TestResponseHeaderMapImpl{{":status", "100"}}}), + "Wrapped decoder use after free detected"); + + Buffer::OwnedImpl data("foo"); + EXPECT_ENVOY_BUG(wrapper.decodeData(data, true), "Wrapped decoder use after free detected"); + + EXPECT_ENVOY_BUG(wrapper.decodeTrailers( + ResponseTrailerMapPtr{new TestResponseTrailerMapImpl{{"key", "value"}}}), + "Wrapped decoder use after free detected"); + + MetadataMapPtr metadata = std::make_unique(); + (*metadata)["key1"] = "value1"; + EXPECT_ENVOY_BUG(wrapper.decodeMetadata(std::move(metadata)), + "Wrapped decoder use after free detected"); + + std::stringstream os; + EXPECT_ENVOY_BUG(wrapper.dumpState(os, 0), "Wrapped decoder use after free detected"); +} + class MockRequestEncoderWrapper : public RequestEncoderWrapper { public: MockRequestEncoderWrapper() : RequestEncoderWrapper(&inner_encoder_) {} diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index bc61e050ff7d6..5a2202a9921a8 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -152,6 +152,7 @@ envoy_cc_test( "//test/mocks/http:http_mocks", "//test/mocks/http:stream_decoder_mock", "//test/mocks/network:network_mocks", + "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", "@com_github_google_quiche//:quic_test_tools_qpack_qpack_test_utils_lib", diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index 473dd22af5e05..4522e5d788ff0 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc @@ -8,6 +8,7 @@ #include "test/mocks/http/mocks.h" #include "test/mocks/http/stream_decoder.h" #include "test/mocks/network/mocks.h" +#include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" #include "gmock/gmock.h" @@ -741,6 +742,115 @@ TEST_F(EnvoyQuicClientStreamTest, EncodeTrailersOnClosedStream) { EXPECT_EQ(0u, quic_session_.bytesToSend()); } +TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecoding1xxHeader) { + TestScopedRuntime runtime; + runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); + auto stream_decoder = std::make_unique(); + quic_stream_->setResponseDecoder(*stream_decoder); + + auto result = quic_stream_->encodeHeaders(request_headers_, true); + EXPECT_TRUE(result.ok()); + + // Destroy the mock decoder. + stream_decoder.reset(); + + quiche::HttpHeaderBlock continue_header; + continue_header[":status"] = "100"; + std::string headers = spdyHeaderToHttp3StreamPayload(continue_header); + quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); + EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame1), + "response_decoder_ use after free detected"); + + EXPECT_CALL(stream_callbacks_, + onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); + quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); +} + +TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecodingHeader) { + TestScopedRuntime runtime; + runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); + auto stream_decoder = std::make_unique(); + quic_stream_->setResponseDecoder(*stream_decoder); + + auto result = quic_stream_->encodeHeaders(request_headers_, true); + EXPECT_TRUE(result.ok()); + + // Destroy the mock decoder. + stream_decoder.reset(); + + std::string headers = spdyHeaderToHttp3StreamPayload(spdy_response_headers_); + quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); + EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame1), + "response_decoder_ use after free detected"); + + EXPECT_CALL(stream_callbacks_, + onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); + quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); +} + +TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecodingBody) { + TestScopedRuntime runtime; + runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); + auto stream_decoder = std::make_unique(); + quic_stream_->setResponseDecoder(*stream_decoder); + + auto result = quic_stream_->encodeHeaders(request_headers_, true); + EXPECT_TRUE(result.ok()); + + EXPECT_CALL(*stream_decoder, decodeHeaders_(_, /*end_stream=*/false)); + std::string headers = spdyHeaderToHttp3StreamPayload(spdy_response_headers_); + quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); + quic_stream_->OnStreamFrame(frame1); + + // Destroy the mock decoder. + stream_decoder.reset(); + + std::string body = bodyToHttp3StreamPayload("body"); + quic::QuicStreamFrame frame2(stream_id_, /*fin*/ false, headers.length(), body); + EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame2), + "response_decoder_ use after free detected"); + + std::string trailers = spdyHeaderToHttp3StreamPayload(spdy_trailers_); + quic::QuicStreamFrame frame3(stream_id_, true, (headers.length() + body.length()), trailers); + quic_stream_->OnStreamFrame(frame3); + + EXPECT_CALL(stream_callbacks_, + onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); + quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); +} + +TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecodingTrailer) { + TestScopedRuntime runtime; + runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); + auto stream_decoder = std::make_unique(); + quic_stream_->setResponseDecoder(*stream_decoder); + + auto result = quic_stream_->encodeHeaders(request_headers_, true); + EXPECT_TRUE(result.ok()); + + EXPECT_CALL(*stream_decoder, decodeHeaders_(_, /*end_stream=*/false)); + std::string headers = spdyHeaderToHttp3StreamPayload(spdy_response_headers_); + quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); + quic_stream_->OnStreamFrame(frame1); + + EXPECT_CALL(*stream_decoder, decodeData(_, /*end_stream=*/false)); + std::string body = bodyToHttp3StreamPayload("body"); + quic::QuicStreamFrame frame2(stream_id_, /*fin*/ false, headers.length(), body); + quic_stream_->OnStreamFrame(frame2); + + // Destroy the mock decoder. + stream_decoder.reset(); + + std::string trailers = spdyHeaderToHttp3StreamPayload(spdy_trailers_); + quic::QuicStreamFrame frame3(stream_id_, true, (headers.length() + body.length()), trailers); + EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame3), + "response_decoder_ use after free detected"); + + EXPECT_CALL(stream_callbacks_, + onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); + quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); +} + #ifdef ENVOY_ENABLE_HTTP_DATAGRAMS TEST_F(EnvoyQuicClientStreamTest, EncodeCapsule) { setUpCapsuleProtocol(false, true); diff --git a/test/integration/integration_stream_decoder.h b/test/integration/integration_stream_decoder.h index 9654ce9e824ee..ce83293aed3a0 100644 --- a/test/integration/integration_stream_decoder.h +++ b/test/integration/integration_stream_decoder.h @@ -10,6 +10,7 @@ #include "envoy/http/metadata_interface.h" #include "source/common/common/dump_state_utils.h" +#include "source/common/http/response_decoder_impl_base.h" #include "test/test_common/utility.h" @@ -21,7 +22,8 @@ namespace Envoy { /** * Stream decoder wrapper used during integration testing. */ -class IntegrationStreamDecoder : public Http::ResponseDecoder, public Http::StreamCallbacks { +class IntegrationStreamDecoder : public Http::ResponseDecoderImplBase, + public Http::StreamCallbacks { public: IntegrationStreamDecoder(Event::Dispatcher& dispatcher); ~IntegrationStreamDecoder() override; diff --git a/test/integration/utility.h b/test/integration/utility.h index 39c2c664a3d0a..9db2c3d6d0bea 100644 --- a/test/integration/utility.h +++ b/test/integration/utility.h @@ -17,6 +17,7 @@ #include "source/common/common/dump_state_utils.h" #include "source/common/common/utility.h" #include "source/common/http/codec_client.h" +#include "source/common/http/response_decoder_impl_base.h" #include "source/common/stats/isolated_store_impl.h" #include "test/test_common/printers.h" @@ -29,7 +30,7 @@ namespace Envoy { /** * A buffering response decoder used for testing. */ -class BufferingStreamDecoder : public Http::ResponseDecoder, public Http::StreamCallbacks { +class BufferingStreamDecoder : public Http::ResponseDecoderImplBase, public Http::StreamCallbacks { public: BufferingStreamDecoder(std::function on_complete_cb) : on_complete_cb_(on_complete_cb) {} diff --git a/test/mocks/http/BUILD b/test/mocks/http/BUILD index 416d71fe5a2c3..af75f948d3445 100644 --- a/test/mocks/http/BUILD +++ b/test/mocks/http/BUILD @@ -104,6 +104,7 @@ envoy_cc_mock( hdrs = ["stream_decoder.h"], deps = [ "//envoy/http:codec_interface", + "//source/common/http:response_decoder_impl_base", ], ) diff --git a/test/mocks/http/stream_decoder.h b/test/mocks/http/stream_decoder.h index e1c8585a49a3c..2f265b158b82e 100644 --- a/test/mocks/http/stream_decoder.h +++ b/test/mocks/http/stream_decoder.h @@ -1,6 +1,8 @@ #pragma once #include "envoy/http/codec.h" +#include "source/common/http/response_decoder_impl_base.h" + #include "gmock/gmock.h" namespace Envoy { @@ -43,7 +45,7 @@ class MockRequestDecoder : public RequestDecoder { MOCK_METHOD(RequestDecoderHandlePtr, getRequestDecoderHandle, ()); }; -class MockResponseDecoder : public ResponseDecoder { +class MockResponseDecoder : public ResponseDecoderImplBase { public: MockResponseDecoder(); ~MockResponseDecoder() override; diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 2fbc45cc57e1c..d2bd26af0b031 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -493,6 +493,7 @@ TTLs TX TXT UA +UAF UBSAN UDP UDS @@ -973,6 +974,7 @@ linkability linkable linux livelock +liveness llvm loc localhost From d8c394ca5aecd237086f6f89933fcfced582386e Mon Sep 17 00:00:00 2001 From: botengyao Date: Tue, 16 Sep 2025 22:36:04 -0400 Subject: [PATCH 411/505] shadow: clean up for the streaming shadow requests runtime (#41104) --- test/common/router/router_test.cc | 2 -- test/integration/buffer_accounting_integration_test.cc | 1 - test/integration/shadow_policy_integration_test.cc | 2 -- 3 files changed, 5 deletions(-) diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index bff66a57342db..f36dd2e64c09d 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -5055,8 +5055,6 @@ makeShadowPolicy(std::string cluster = "", std::string cluster_header = "", class RouterShadowingTest : public RouterTest, public testing::WithParamInterface { public: RouterShadowingTest() : streaming_shadow_(GetParam()) { - scoped_runtime_.mergeValues( - {{"envoy.reloadable_features.streaming_shadow", streaming_shadow_ ? "true" : "false"}}); // Add default mock for requestBodyBufferLimit which is called during router initialization. EXPECT_CALL(callbacks_.route_->route_entry_, requestBodyBufferLimit()) .WillRepeatedly(Return(std::numeric_limits::max())); diff --git a/test/integration/buffer_accounting_integration_test.cc b/test/integration/buffer_accounting_integration_test.cc index c2864879230a1..ba2ad0a14ee9d 100644 --- a/test/integration/buffer_accounting_integration_test.cc +++ b/test/integration/buffer_accounting_integration_test.cc @@ -365,7 +365,6 @@ TEST_P(Http2BufferWatermarksTest, ShouldTrackAllocatedBytesToShadowUpstream) { const uint32_t request_body_size = 4096; const uint32_t response_body_size = 4096; TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues({{"envoy.reloadable_features.streaming_shadow", "true"}}); autonomous_upstream_ = true; autonomous_allow_incomplete_streams_ = true; diff --git a/test/integration/shadow_policy_integration_test.cc b/test/integration/shadow_policy_integration_test.cc index e9b1ef5633a59..7963fc7e354d4 100644 --- a/test/integration/shadow_policy_integration_test.cc +++ b/test/integration/shadow_policy_integration_test.cc @@ -22,8 +22,6 @@ class ShadowPolicyIntegrationTest ShadowPolicyIntegrationTest() : HttpIntegrationTest(Http::CodecType::HTTP2, std::get<0>(GetParam())), SocketInterfaceSwap(Network::Socket::Type::Stream) { - scoped_runtime_.mergeValues( - {{"envoy.reloadable_features.streaming_shadow", streaming_shadow_ ? "true" : "false"}}); setUpstreamProtocol(Http::CodecType::HTTP2); autonomous_upstream_ = true; setUpstreamCount(2); From 9ad6cf10aac7984464712b01436c3a19dd32f064 Mon Sep 17 00:00:00 2001 From: code Date: Wed, 17 Sep 2025 22:59:51 +0800 Subject: [PATCH 412/505] http2: change the default value of max concurrent streams to 1024 (#40716) --- api/envoy/config/core/v3/protocol.proto | 8 +-- changelogs/current.yaml | 14 +++++ source/common/http/http2/codec_impl.cc | 4 +- source/common/http/http_option_limits.cc | 3 + source/common/http/http_option_limits.h | 14 +++-- source/common/http/utility.cc | 30 ++++++++-- .../quic/platform/quiche_flags_constants.h | 8 ++- source/common/runtime/runtime_features.cc | 1 + test/common/http/http2/codec_impl_test.cc | 13 +++-- test/common/http/http2/conn_pool_test.cc | 6 +- test/common/http/mixed_conn_pool_test.cc | 5 +- test/common/http/utility_test.cc | 26 +++++++++ test/config/utility.cc | 56 +++++++++++++++++++ test/config/utility.h | 9 +++ .../aggregate/cluster_integration_test.cc | 2 + test/integration/cds_integration_test.cc | 2 + .../http2_flood_integration_test.cc | 2 +- .../multiplexed_integration_test.cc | 6 ++ .../tcp_tunneling_integration_test.cc | 6 ++ 19 files changed, 184 insertions(+), 31 deletions(-) diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto index a2169811d00f1..74fe641fe3a24 100644 --- a/api/envoy/config/core/v3/protocol.proto +++ b/api/envoy/config/core/v3/protocol.proto @@ -502,7 +502,7 @@ message Http2ProtocolOptions { // `Maximum concurrent streams `_ // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) - // and defaults to 2147483647. + // and defaults to 1024 for safety and should be sufficient for most use cases. // // For upstream connections, this also limits how many streams Envoy will initiate concurrently // on a single connection. If the limit is reached, Envoy may queue requests or establish @@ -516,8 +516,8 @@ message Http2ProtocolOptions { // `Initial stream-level flow-control window // `_ size. Valid values range from 65535 - // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 - // (256 * 1024 * 1024). + // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to + // 16MiB (16 * 1024 * 1024). // // .. note:: // @@ -531,7 +531,7 @@ message Http2ProtocolOptions { [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; // Similar to ``initial_stream_window_size``, but for connection-level flow-control - // window. Currently, this has the same minimum/maximum/default as ``initial_stream_window_size``. + // window. The default is 24MiB (24 * 1024 * 1024). google.protobuf.UInt32Value initial_connection_window_size = 4 [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 7b7847c0f7f3c..dd35967222f74 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -16,6 +16,20 @@ behavior_changes: ` is set to ``true`` (it is ``true`` by default), a request marked as traced cannot be unmarked as traced after the tracing refresh. +- area: http2 + change: | + The default value for the :ref:`maximum number of concurrent streams in HTTP/2 + ` + has been changed from 2147483647 to 1024. + The default value for the :ref:`initial stream window size in HTTP/2 + ` + has been changed from 256MiB to 16MiB. + The default value for the :ref:`initial connection window size in HTTP/2 + ` + has been changed from 256MiB to 24MiB. + This change could be reverted temporarily by + setting the runtime guard ``envoy.reloadable_features.safe_http2_options`` + to ``false``. - area: ext_proc change: | Reverted `#39740 `_ to re-enable ``fail_open`` + diff --git a/source/common/http/http2/codec_impl.cc b/source/common/http/http2/codec_impl.cc index 40b20b20dd590..b3dd8917337d6 100644 --- a/source/common/http/http2/codec_impl.cc +++ b/source/common/http/http2/codec_impl.cc @@ -2003,7 +2003,7 @@ ConnectionImpl::ClientHttp2Options::ClientHttp2Options( : Http2Options(http2_options, max_headers_kb) { og_options_.perspective = http2::adapter::Perspective::kClient; og_options_.remote_max_concurrent_streams = - ::Envoy::Http2::Utility::OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS; + ::Envoy::Http2::Utility::OptionsLimits::MAX_MAX_CONCURRENT_STREAMS; #ifdef ENVOY_NGHTTP2 // Temporarily disable initial max streams limit/protection, since we might want to create @@ -2011,7 +2011,7 @@ ConnectionImpl::ClientHttp2Options::ClientHttp2Options( // // TODO(PiotrSikora): remove this once multiple upstream connections or queuing are implemented. nghttp2_option_set_peer_max_concurrent_streams( - options_, ::Envoy::Http2::Utility::OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS); + options_, ::Envoy::Http2::Utility::OptionsLimits::MAX_MAX_CONCURRENT_STREAMS); // nghttp2 REQUIRES setting max number of CONTINUATION frames. // 1024 is chosen to accommodate Envoy's 8Mb max limit of max_request_headers_kb diff --git a/source/common/http/http_option_limits.cc b/source/common/http/http_option_limits.cc index 2a48caa1ba8c1..e5ad39c21c3b8 100644 --- a/source/common/http/http_option_limits.cc +++ b/source/common/http/http_option_limits.cc @@ -10,12 +10,15 @@ const uint32_t OptionsLimits::DEFAULT_HPACK_TABLE_SIZE; const uint32_t OptionsLimits::MAX_HPACK_TABLE_SIZE; const uint32_t OptionsLimits::MIN_MAX_CONCURRENT_STREAMS; const uint32_t OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS; +const uint32_t OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS_LEGACY; const uint32_t OptionsLimits::MAX_MAX_CONCURRENT_STREAMS; const uint32_t OptionsLimits::MIN_INITIAL_STREAM_WINDOW_SIZE; const uint32_t OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE; +const uint32_t OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE_LEGACY; const uint32_t OptionsLimits::MAX_INITIAL_STREAM_WINDOW_SIZE; const uint32_t OptionsLimits::MIN_INITIAL_CONNECTION_WINDOW_SIZE; const uint32_t OptionsLimits::DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE; +const uint32_t OptionsLimits::DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE_LEGACY; const uint32_t OptionsLimits::MAX_INITIAL_CONNECTION_WINDOW_SIZE; const uint32_t OptionsLimits::DEFAULT_MAX_OUTBOUND_FRAMES; const uint32_t OptionsLimits::DEFAULT_MAX_OUTBOUND_CONTROL_FRAMES; diff --git a/source/common/http/http_option_limits.h b/source/common/http/http_option_limits.h index 9a126c8f21283..44e41c451e871 100644 --- a/source/common/http/http_option_limits.h +++ b/source/common/http/http_option_limits.h @@ -19,7 +19,9 @@ struct OptionsLimits { // TODO(jwfang): make this 0, the HTTP/2 spec minimum static const uint32_t MIN_MAX_CONCURRENT_STREAMS = 1; // defaults to maximum, same as nghttp2 - static const uint32_t DEFAULT_MAX_CONCURRENT_STREAMS = (1U << 31) - 1; + static const uint32_t DEFAULT_MAX_CONCURRENT_STREAMS_LEGACY = (1U << 31) - 1; + // Defaults to 1024 for safety and enough for most use cases. + static const uint32_t DEFAULT_MAX_CONCURRENT_STREAMS = 1024; // no maximum from HTTP/2 spec, total streams is unsigned 32-bit maximum, // one-side (client/server) is half that, and we need to exclude stream 0. // same as NGHTTP2_INITIAL_MAX_CONCURRENT_STREAMS from nghttp2 @@ -29,17 +31,17 @@ struct OptionsLimits { // NOTE: we only support increasing window size now, so this is also the minimum // TODO(jwfang): make this 0 to support decrease window size static const uint32_t MIN_INITIAL_STREAM_WINDOW_SIZE = (1 << 16) - 1; - // initial value from HTTP/2 spec is 65535, but we want more (256MiB) - static const uint32_t DEFAULT_INITIAL_STREAM_WINDOW_SIZE = 256 * 1024 * 1024; + // Initial value from HTTP/2 spec is 65535 (64KiB - 1) and we want more (16MiB). + static const uint32_t DEFAULT_INITIAL_STREAM_WINDOW_SIZE = 16 * 1024 * 1024; + static const uint32_t DEFAULT_INITIAL_STREAM_WINDOW_SIZE_LEGACY = 256 * 1024 * 1024; // maximum from HTTP/2 spec, same as NGHTTP2_MAX_WINDOW_SIZE from nghttp2 static const uint32_t MAX_INITIAL_STREAM_WINDOW_SIZE = (1U << 31) - 1; // CONNECTION_WINDOW_SIZE is similar to STREAM_WINDOW_SIZE, but for connection-level window // TODO(jwfang): make this 0 to support decrease window size static const uint32_t MIN_INITIAL_CONNECTION_WINDOW_SIZE = (1 << 16) - 1; - // nghttp2's default connection-level window equals to its stream-level, - // our default connection-level window also equals to our stream-level - static const uint32_t DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE = 256 * 1024 * 1024; + static const uint32_t DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE = 24 * 1024 * 1024; + static const uint32_t DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE_LEGACY = 256 * 1024 * 1024; static const uint32_t MAX_INITIAL_CONNECTION_WINDOW_SIZE = (1U << 31) - 1; // Default limit on the number of outbound frames of all types. diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 13bf03eeaf213..7a207abd0911a 100644 --- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc @@ -198,24 +198,42 @@ initializeAndValidateOptions(const envoy::config::core::v3::Http2ProtocolOptions options_clone.mutable_hpack_table_size()->set_value(OptionsLimits::DEFAULT_HPACK_TABLE_SIZE); } ASSERT(options_clone.hpack_table_size().value() <= OptionsLimits::MAX_HPACK_TABLE_SIZE); + const bool safe_http2_options = + Runtime::runtimeFeatureEnabled("envoy.reloadable_features.safe_http2_options"); + if (!options_clone.has_max_concurrent_streams()) { - options_clone.mutable_max_concurrent_streams()->set_value( - OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS); + if (safe_http2_options) { + options_clone.mutable_max_concurrent_streams()->set_value( + OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS); + } else { + options_clone.mutable_max_concurrent_streams()->set_value( + OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS_LEGACY); + } } ASSERT( options_clone.max_concurrent_streams().value() >= OptionsLimits::MIN_MAX_CONCURRENT_STREAMS && options_clone.max_concurrent_streams().value() <= OptionsLimits::MAX_MAX_CONCURRENT_STREAMS); if (!options_clone.has_initial_stream_window_size()) { - options_clone.mutable_initial_stream_window_size()->set_value( - OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE); + if (safe_http2_options) { + options_clone.mutable_initial_stream_window_size()->set_value( + OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE); + } else { + options_clone.mutable_initial_stream_window_size()->set_value( + OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE_LEGACY); + } } ASSERT(options_clone.initial_stream_window_size().value() >= OptionsLimits::MIN_INITIAL_STREAM_WINDOW_SIZE && options_clone.initial_stream_window_size().value() <= OptionsLimits::MAX_INITIAL_STREAM_WINDOW_SIZE); if (!options_clone.has_initial_connection_window_size()) { - options_clone.mutable_initial_connection_window_size()->set_value( - OptionsLimits::DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE); + if (safe_http2_options) { + options_clone.mutable_initial_connection_window_size()->set_value( + OptionsLimits::DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE); + } else { + options_clone.mutable_initial_connection_window_size()->set_value( + OptionsLimits::DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE_LEGACY); + } } ASSERT(options_clone.initial_connection_window_size().value() >= OptionsLimits::MIN_INITIAL_CONNECTION_WINDOW_SIZE && diff --git a/source/common/quic/platform/quiche_flags_constants.h b/source/common/quic/platform/quiche_flags_constants.h index 97b2b2ef9889a..a70a4d50f78d8 100644 --- a/source/common/quic/platform/quiche_flags_constants.h +++ b/source/common/quic/platform/quiche_flags_constants.h @@ -35,8 +35,12 @@ /* TODO(#8826) Ideally we should use the negotiated value from upstream which is not accessible \ * for now. 512MB is way too large, but the actual bytes buffered should be bound by the \ * negotiated upstream flow control window. */ \ - KEY_VALUE_PAIR(quic_buffered_data_threshold, \ - 2 * ::Envoy::Http2::Utility::OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE) \ + /* TODO(wbpcode) 2 * Http2::Utility::OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE was \ + * used in previous implementation and the previous value of HTTP2 \ + * DEFAULT_INITIAL_STREAM_WINDOW_SIZE is 256MiB. But we updated HTTP2 \ + * DEFAULT_INITIAL_STREAM_WINDOW_SIZE to 1MiB for safety now. To ensure no behavior change here, \ + * we update it to 512 MiB manually*/ \ + KEY_VALUE_PAIR(quic_buffered_data_threshold, uint32_t(2 * 256 * 1024 * 1024)) \ /* Envoy should send server preferred address without a client option by default. */ \ KEY_VALUE_PAIR(quic_always_support_server_preferred_address, true) diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index e56f20700f779..3da2ea7986375 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -71,6 +71,7 @@ RUNTIME_GUARD(envoy_reloadable_features_quic_upstream_socket_use_address_cache_f RUNTIME_GUARD(envoy_reloadable_features_reject_empty_trusted_ca_file); RUNTIME_GUARD(envoy_reloadable_features_report_load_with_rq_issued); RUNTIME_GUARD(envoy_reloadable_features_router_filter_resetall_on_local_reply); +RUNTIME_GUARD(envoy_reloadable_features_safe_http2_options); RUNTIME_GUARD(envoy_reloadable_features_skip_dns_lookup_for_proxied_requests); RUNTIME_GUARD(envoy_reloadable_features_skip_ext_proc_on_local_reply); RUNTIME_GUARD(envoy_reloadable_features_tcp_proxy_retry_on_different_event_loop); diff --git a/test/common/http/http2/codec_impl_test.cc b/test/common/http/http2/codec_impl_test.cc index b69fefe83c31f..d00c1787ba6d0 100644 --- a/test/common/http/http2/codec_impl_test.cc +++ b/test/common/http/http2/codec_impl_test.cc @@ -1140,7 +1140,7 @@ TEST_P(Http2CodecImplTest, TrailingHeadersLargeClientBody) { EXPECT_CALL(request_decoder_, decodeHeaders_(_, false)); EXPECT_TRUE(request_encoder_->encodeHeaders(request_headers, false).ok()); EXPECT_CALL(request_decoder_, decodeData(_, false)).Times(AtLeast(1)); - Buffer::OwnedImpl body(std::string(1024 * 1024, 'a')); + Buffer::OwnedImpl body(std::string(1024 * 512, 'a')); request_encoder_->encodeData(body, false); request_encoder_->encodeTrailers(TestRequestTrailerMapImpl{{"trailing", "header"}}); // Only drive the client so we can make sure we don't get any window updates. @@ -1470,7 +1470,7 @@ TEST_P(Http2CodecImplTest, DumpsStreamlessConnectionWithoutAllocatingMemory) { ostream.contents(), HasSubstr( "max_headers_kb_: 60, max_headers_count_: 100, " - "per_stream_buffer_limit_: 268435456, allow_metadata_: 0, " + "per_stream_buffer_limit_: 16777216, allow_metadata_: 0, " "stream_error_on_invalid_http_messaging_: 0, is_outbound_flood_monitored_control_frame_: " "0, dispatching_: 0, raised_goaway_: 0, " "pending_deferred_reset_streams_.size(): 0\n" @@ -3778,7 +3778,7 @@ TEST_P(Http2CodecImplTest, ShouldWaitForDeferredBodyToProcessBeforeProcessingTra // Force the stream to buffer data at the receiving codec. server_->getStream(1)->readDisable(true); - const uint32_t request_body_size = 1024 * 1024; + const uint32_t request_body_size = 1024 * 512; Buffer::OwnedImpl body(std::string(request_body_size, 'a')); request_encoder_->encodeData(body, false); driveToCompletion(); @@ -3834,7 +3834,7 @@ TEST_P(Http2CodecImplTest, ShouldBufferDeferredBodyNoEndstream) { // Force the stream to buffer data at the receiving codec. server_->getStream(1)->readDisable(true); - Buffer::OwnedImpl body(std::string(1024 * 1024, 'a')); + Buffer::OwnedImpl body(std::string(1024 * 512, 'a')); request_encoder_->encodeData(body, false); driveToCompletion(); @@ -3854,6 +3854,9 @@ TEST_P(Http2CodecImplTest, ShouldBufferDeferredBodyNoEndstream) { EXPECT_CALL(request_decoder_, decodeData(_, false)); process_buffered_data_callback->invokeCallback(); } + + // Dispatch potential frames from server, for example, the window update frames. + driveToCompletion(); } TEST_P(Http2CodecImplTest, ShouldBufferDeferredBodyWithEndStream) { @@ -3990,7 +3993,7 @@ TEST_P(Http2CodecImplTest, EXPECT_FALSE(process_buffered_data_callback->enabled_); server_->getStream(1)->readDisable(true); - const uint32_t request_body_size = 1024 * 1024; + const uint32_t request_body_size = 1024 * 512; Buffer::OwnedImpl body(std::string(request_body_size, 'a')); request_encoder_->encodeData(body, false); driveToCompletion(); diff --git a/test/common/http/http2/conn_pool_test.cc b/test/common/http/http2/conn_pool_test.cc index 7baa93963894e..e082c1274be2c 100644 --- a/test/common/http/http2/conn_pool_test.cc +++ b/test/common/http/http2/conn_pool_test.cc @@ -989,12 +989,12 @@ TEST_F(Http2ConnPoolImplTest, VerifyBufferLimits) { InSequence s; expectClientCreate(8192); ActiveTestRequest r1(*this, 0, false); - // 1 stream. HTTP/2 defaults to 536870912 streams/connection. - CHECK_STATE(0 /*active*/, 1 /*pending*/, 536870912 /*capacity*/); + // 1 stream. HTTP/2 defaults to 1024 streams/connection. + CHECK_STATE(0 /*active*/, 1 /*pending*/, 1024 /*capacity*/); expectClientConnect(0, r1); // capacity goes down by one as one stream is used. - CHECK_STATE(1 /*active*/, 0 /*pending*/, 536870911 /*capacity*/); + CHECK_STATE(1 /*active*/, 0 /*pending*/, 1023 /*capacity*/); EXPECT_CALL(r1.inner_encoder_, encodeHeaders(_, true)); EXPECT_TRUE( r1.callbacks_.outer_encoder_ diff --git a/test/common/http/mixed_conn_pool_test.cc b/test/common/http/mixed_conn_pool_test.cc index fcfbdac94f9f8..1d0f2dee17990 100644 --- a/test/common/http/mixed_conn_pool_test.cc +++ b/test/common/http/mixed_conn_pool_test.cc @@ -70,8 +70,9 @@ class MixedConnPoolImplTest : public testing::Test { void testAlpnHandshake(absl::optional protocol); TestScopedRuntime scoped_runtime; - // The default capacity for HTTP/2 streams. - uint32_t expected_capacity_{536870912}; + // The default capacity for HTTP/2 streams. This is determined by both the HTTP2 options + // (DEFAULT_MAX_CONCURRENT_STREAMS) and DEFAULT_MAX_STREAMS of connection pool. + uint32_t expected_capacity_{1024}; }; TEST_F(MixedConnPoolImplTest, AlpnTest) { diff --git a/test/common/http/utility_test.cc b/test/common/http/utility_test.cc index fd058bab44f08..c9f4ccd4db309 100644 --- a/test/common/http/utility_test.cc +++ b/test/common/http/utility_test.cc @@ -653,6 +653,32 @@ TEST(HttpUtility, parseHttp2Settings) { http2_options.max_inbound_window_update_frames_per_data_frame_sent().value()); } + { + + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues({{"envoy.reloadable_features.safe_http2_options", "false"}}); + + using ::Envoy::Http2::Utility::OptionsLimits; + auto http2_options = parseHttp2OptionsFromV3Yaml("{}"); + EXPECT_EQ(OptionsLimits::DEFAULT_HPACK_TABLE_SIZE, http2_options.hpack_table_size().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_MAX_CONCURRENT_STREAMS_LEGACY, + http2_options.max_concurrent_streams().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_INITIAL_STREAM_WINDOW_SIZE_LEGACY, + http2_options.initial_stream_window_size().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_INITIAL_CONNECTION_WINDOW_SIZE_LEGACY, + http2_options.initial_connection_window_size().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_MAX_OUTBOUND_FRAMES, + http2_options.max_outbound_frames().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_MAX_OUTBOUND_CONTROL_FRAMES, + http2_options.max_outbound_control_frames().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_MAX_CONSECUTIVE_INBOUND_FRAMES_WITH_EMPTY_PAYLOAD, + http2_options.max_consecutive_inbound_frames_with_empty_payload().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_MAX_INBOUND_PRIORITY_FRAMES_PER_STREAM, + http2_options.max_inbound_priority_frames_per_stream().value()); + EXPECT_EQ(OptionsLimits::DEFAULT_MAX_INBOUND_WINDOW_UPDATE_FRAMES_PER_DATA_FRAME_SENT, + http2_options.max_inbound_window_update_frames_per_data_frame_sent().value()); + } + { const std::string yaml = R"EOF( hpack_table_size: 1 diff --git a/test/config/utility.cc b/test/config/utility.cc index 6494cb82c3cc1..f66e096ca92f0 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc @@ -1775,6 +1775,62 @@ void ConfigHelper::setUpstreamOutboundFramesLimits(uint32_t max_all_frames, }); } +void ConfigHelper::setDownstreamHttp2MaxConcurrentStreams(uint32_t max_streams) { + auto filter = getFilterFromListener("http"); + if (filter) { + envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager + hcm_config; + loadHttpConnectionManager(hcm_config); + if (hcm_config.codec_type() == envoy::extensions::filters::network::http_connection_manager:: + v3::HttpConnectionManager::HTTP2) { + auto* options = hcm_config.mutable_http2_protocol_options(); + options->mutable_max_concurrent_streams()->set_value(max_streams); + storeHttpConnectionManager(hcm_config); + } + } +} + +void ConfigHelper::setUpstreamHttp2MaxConcurrentStreams(uint32_t max_streams) { + addConfigModifier([max_streams](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + ConfigHelper::HttpProtocolOptions protocol_options; + auto* http_protocol_options = + protocol_options.mutable_explicit_http_config()->mutable_http2_protocol_options(); + http_protocol_options->mutable_max_concurrent_streams()->set_value(max_streams); + ConfigHelper::setProtocolOptions(*bootstrap.mutable_static_resources()->mutable_clusters(0), + protocol_options); + }); +} + +void ConfigHelper::setDownstreamHttp2WindowSize(uint32_t stream_window, + uint32_t connection_window) { + auto filter = getFilterFromListener("http"); + if (filter) { + envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager + hcm_config; + loadHttpConnectionManager(hcm_config); + if (hcm_config.codec_type() == envoy::extensions::filters::network::http_connection_manager:: + v3::HttpConnectionManager::HTTP2) { + auto* options = hcm_config.mutable_http2_protocol_options(); + options->mutable_initial_stream_window_size()->set_value(stream_window); + options->mutable_initial_connection_window_size()->set_value(connection_window); + storeHttpConnectionManager(hcm_config); + } + } +} + +void ConfigHelper::setUpstreamHttp2WindowSize(uint32_t stream_window, uint32_t connection_window) { + addConfigModifier([stream_window, + connection_window](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + ConfigHelper::HttpProtocolOptions protocol_options; + auto* http_protocol_options = + protocol_options.mutable_explicit_http_config()->mutable_http2_protocol_options(); + http_protocol_options->mutable_initial_stream_window_size()->set_value(stream_window); + http_protocol_options->mutable_initial_connection_window_size()->set_value(connection_window); + ConfigHelper::setProtocolOptions(*bootstrap.mutable_static_resources()->mutable_clusters(0), + protocol_options); + }); +} + void ConfigHelper::setLocalReply( const envoy::extensions::filters::network::http_connection_manager::v3::LocalReplyConfig& config) { diff --git a/test/config/utility.h b/test/config/utility.h index 0d08a13f12c97..29491a55118ed 100644 --- a/test/config/utility.h +++ b/test/config/utility.h @@ -1,6 +1,7 @@ #pragma once #include +#include #include #include #include @@ -415,6 +416,14 @@ class ConfigHelper { // Set limits on pending upstream outbound frames. void setUpstreamOutboundFramesLimits(uint32_t max_all_frames, uint32_t max_control_frames); + // Set limits on HTTP/2 concurrent streams. + void setDownstreamHttp2MaxConcurrentStreams(uint32_t max_streams); + void setUpstreamHttp2MaxConcurrentStreams(uint32_t max_streams); + + // Set limits on HTTP/2 window sizes. + void setDownstreamHttp2WindowSize(uint32_t stream_window, uint32_t connection_window); + void setUpstreamHttp2WindowSize(uint32_t stream_window, uint32_t connection_window); + // Return the bootstrap configuration for hand-off to Envoy. const envoy::config::bootstrap::v3::Bootstrap& bootstrap() { return bootstrap_; } diff --git a/test/extensions/clusters/aggregate/cluster_integration_test.cc b/test/extensions/clusters/aggregate/cluster_integration_test.cc index 9f19d85f254fc..fdb1cc51e5635 100644 --- a/test/extensions/clusters/aggregate/cluster_integration_test.cc +++ b/test/extensions/clusters/aggregate/cluster_integration_test.cc @@ -767,6 +767,8 @@ TEST_P(AggregateIntegrationTest, CircuitBreakerTestMaxPendingRequests) { TEST_P(AggregateIntegrationTest, CircuitBreakerMaxRetriesTest) { setDownstreamProtocol(Http::CodecType::HTTP2); + config_helper_.setDownstreamHttp2MaxConcurrentStreams(2048); + config_helper_.setUpstreamHttp2MaxConcurrentStreams(2048); config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* static_resources = bootstrap.mutable_static_resources(); auto* listener = static_resources->mutable_listeners(0); diff --git a/test/integration/cds_integration_test.cc b/test/integration/cds_integration_test.cc index 3f237e19ce33f..9e6b9996519a8 100644 --- a/test/integration/cds_integration_test.cc +++ b/test/integration/cds_integration_test.cc @@ -635,6 +635,8 @@ TEST_P(CdsIntegrationTest, CdsClusterDownWithLotsOfIdleConnections) { ->mutable_idle_timeout() ->set_seconds(600); }); + config_helper_.setDownstreamHttp2MaxConcurrentStreams(2001); + initialize(); std::vector responses; std::vector upstream_connections; diff --git a/test/integration/http2_flood_integration_test.cc b/test/integration/http2_flood_integration_test.cc index 52fb08c647399..27f8adf740e44 100644 --- a/test/integration/http2_flood_integration_test.cc +++ b/test/integration/http2_flood_integration_test.cc @@ -376,7 +376,7 @@ TEST_P(Http2FloodMitigationTest, Data) { EXPECT_GE(22000, buffer_factory->sumMaxBufferSizes()); // Verify that all buffers have watermarks set. EXPECT_THAT(buffer_factory->highWatermarkRange(), - testing::Pair(256 * 1024 * 1024, 1024 * 1024 * 1024)); + testing::Pair(16 * 1024 * 1024, 1024 * 1024 * 1024)); } // Verify that the server can detect flood triggered by a DATA frame from a decoder filter call diff --git a/test/integration/multiplexed_integration_test.cc b/test/integration/multiplexed_integration_test.cc index 8173e20caf91a..e1161c9eae798 100644 --- a/test/integration/multiplexed_integration_test.cc +++ b/test/integration/multiplexed_integration_test.cc @@ -1347,6 +1347,9 @@ TEST_P(MultiplexedIntegrationTestWithSimulatedTimeHttp2Only, TooManyRequestReset return; } + config_helper_.setDownstreamHttp2MaxConcurrentStreams(60000); + config_helper_.setUpstreamHttp2MaxConcurrentStreams(60000); + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { bootstrap.mutable_static_resources() ->mutable_clusters(0) @@ -3112,6 +3115,9 @@ TEST_P(Http2FrameIntegrationTest, CloseConnectionWithDeferredStreams) { ->mutable_timeout() ->set_seconds(0); }); + config_helper_.setDownstreamHttp2MaxConcurrentStreams(20001); + config_helper_.setUpstreamHttp2MaxConcurrentStreams(20001); + beginSession(); std::string buffer; diff --git a/test/integration/tcp_tunneling_integration_test.cc b/test/integration/tcp_tunneling_integration_test.cc index 2f7a890f9d4b6..a12cd77d508b9 100644 --- a/test/integration/tcp_tunneling_integration_test.cc +++ b/test/integration/tcp_tunneling_integration_test.cc @@ -1909,6 +1909,12 @@ TEST_P(TcpTunnelingIntegrationTest, TcpProxyUpstreamFlush) { // Use a very large size to make sure it is larger than the kernel socket read buffer. const uint32_t size = 50 * 1024 * 1024; config_helper_.setBufferLimits(size, size); + + // Ensure this HTTP2 flow control window is enough. + if (upstreamProtocol() == Http::CodecType::HTTP2) { + config_helper_.setUpstreamHttp2WindowSize(size, size); + } + initialize(); setUpConnection(fake_upstream_connection_); From 5e41ea32e8b51e40430122c8e31eb6093c8cfe40 Mon Sep 17 00:00:00 2001 From: William T Zhang Date: Wed, 17 Sep 2025 08:01:44 -0700 Subject: [PATCH 413/505] dynamic_modules: link dynamic library lifetime with per route config (#41112) Commit Message: dynamic_modules: link dynamic library lifetime with per route config Additional Description: Pass the RAII handle to the dynamic library to the per route config to ensure that at least one ref count for the dynamic library exists while the per route config is active. This can avoid the library from being closed and unmapped from the process should no filter config be active while per route configs are. Risk Level: Low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Fixes https://github.com/envoyproxy/envoy/issues/41094 Signed-off-by: William Zhang --- .../filters/http/dynamic_modules/filter_config.cc | 4 ++-- .../extensions/filters/http/dynamic_modules/filter_config.h | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/source/extensions/filters/http/dynamic_modules/filter_config.cc b/source/extensions/filters/http/dynamic_modules/filter_config.cc index 6e63312cc5e20..9c7768843cbbf 100644 --- a/source/extensions/filters/http/dynamic_modules/filter_config.cc +++ b/source/extensions/filters/http/dynamic_modules/filter_config.cc @@ -47,8 +47,8 @@ newDynamicModuleHttpPerRouteConfig(const absl::string_view per_route_config_name return absl::InvalidArgumentError("Failed to initialize per-route dynamic module"); } - return std::make_shared(filter_config_envoy_ptr, - destroy.value()); + return std::make_shared( + filter_config_envoy_ptr, destroy.value(), std::move(dynamic_module)); } absl::StatusOr newDynamicModuleHttpFilterConfig( diff --git a/source/extensions/filters/http/dynamic_modules/filter_config.h b/source/extensions/filters/http/dynamic_modules/filter_config.h index c84a914a7a0eb..ad99e74acf8ba 100644 --- a/source/extensions/filters/http/dynamic_modules/filter_config.h +++ b/source/extensions/filters/http/dynamic_modules/filter_config.h @@ -283,14 +283,16 @@ class DynamicModuleHttpPerRouteFilterConfig : public Router::RouteSpecificFilter public: DynamicModuleHttpPerRouteFilterConfig( envoy_dynamic_module_type_http_filter_config_module_ptr config, - OnHttpPerRouteConfigDestroyType destroy) - : config_(config), destroy_(destroy) {} + OnHttpPerRouteConfigDestroyType destroy, + Extensions::DynamicModules::DynamicModulePtr dynamic_module) + : config_(config), destroy_(destroy), dynamic_module_(std::move(dynamic_module)) {} ~DynamicModuleHttpPerRouteFilterConfig() override; envoy_dynamic_module_type_http_filter_config_module_ptr config_; private: OnHttpPerRouteConfigDestroyType destroy_; + Extensions::DynamicModules::DynamicModulePtr dynamic_module_; }; using DynamicModuleHttpFilterConfigSharedPtr = std::shared_ptr; From 1b02aa21fa26bbb5a3bf496cb65780216659174d Mon Sep 17 00:00:00 2001 From: Tony Allen Date: Wed, 17 Sep 2025 12:51:09 -0700 Subject: [PATCH 414/505] listener: Consider network namespace in address comparison (#41103) Fixed a bug where listeners were considered to have compatible addresses even if they were in different network namespaces. This happened because the address equality comparison for both IPv4 and IPv6 did not check the network namespace. Risk Level: Low Testing: new Listener and AddressImpl unit tests Docs Changes: n/a Release Notes: done Platform Specific Features: Only relevant on Linux. Signed-off-by: Tony Allen --- changelogs/current.yaml | 3 ++ .../common/listener_manager/listener_impl.cc | 2 +- source/common/network/address_impl.cc | 6 ++- .../listener_manager_impl_test.cc | 53 +++++++++++++++++++ test/common/network/address_impl_test.cc | 20 +++++++ 5 files changed, 81 insertions(+), 3 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index dd35967222f74..ea30989414765 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -112,6 +112,9 @@ bug_fixes: Fixed a bug where the premature resets of streams may result in the recursive draining and potential stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate the risk of the stack overflow before this fix. +- area: listener + change: | + Fixed a bug where comparing listeners did not consider the network namespace they were listening in. - area: http change: | Fixed a bug where the ``response_headers_to_add`` may be processed multiple times for the local responses from diff --git a/source/common/listener_manager/listener_impl.cc b/source/common/listener_manager/listener_impl.cc index 6b02542e78715..fc93131aa9e8b 100644 --- a/source/common/listener_manager/listener_impl.cc +++ b/source/common/listener_manager/listener_impl.cc @@ -1135,7 +1135,7 @@ bool ListenerImpl::hasCompatibleAddress(const ListenerImpl& other) const { return false; } - // Second, check if the listener has the same addresses. + // Second, check if the listener has the same addresses (including network namespaces if Linux). // The listener support listening on the zero port address for test. Multiple zero // port addresses are also supported. For comparing two listeners with multiple // zero port addresses, only need to ensure there are the same number of zero diff --git a/source/common/network/address_impl.cc b/source/common/network/address_impl.cc index ae17e8e1466c3..ea49f89045dea 100644 --- a/source/common/network/address_impl.cc +++ b/source/common/network/address_impl.cc @@ -164,7 +164,8 @@ Ipv4Instance::Ipv4Instance(absl::Status& status, const sockaddr_in* address, bool Ipv4Instance::operator==(const Instance& rhs) const { const Ipv4Instance* rhs_casted = dynamic_cast(&rhs); return (rhs_casted && (ip_.ipv4_.address() == rhs_casted->ip_.ipv4_.address()) && - (ip_.port() == rhs_casted->ip_.port())); + (ip_.port() == rhs_casted->ip_.port()) && + (InstanceBase::networkNamespace() == rhs.networkNamespace())); } std::string Ipv4Instance::sockaddrToString(const sockaddr_in& addr) { @@ -313,7 +314,8 @@ bool Ipv6Instance::operator==(const Instance& rhs) const { const auto* rhs_casted = dynamic_cast(&rhs); return (rhs_casted && (ip_.ipv6_.address() == rhs_casted->ip_.ipv6_.address()) && (ip_.port() == rhs_casted->ip_.port()) && - (ip_.ipv6_.scopeId() == rhs_casted->ip_.ipv6_.scopeId())); + (ip_.ipv6_.scopeId() == rhs_casted->ip_.ipv6_.scopeId()) && + (InstanceBase::networkNamespace() == rhs.networkNamespace())); } Ipv6Instance::Ipv6Instance(absl::Status& status, const sockaddr_in6& address, bool v6only, diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index c66fd36cdd905..a575860c0f93b 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -6691,6 +6691,59 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MptcpNotSupported) { "listener mptcp-udp: enable_mptcp is set but MPTCP is not supported by the operating system"); } +// Test that hasCompatibleAddress returns false if network namespace is different. +TEST_P(ListenerManagerImplTest, HasCompatibleAddressWithNetNs) { + const std::string yaml_config1 = R"EOF( +name: listener_0 +address: + socket_address: + address: 127.0.0.1 + port_value: 10001 + network_namespace_filepath: "/var/run/netns/ns1" +filter_chains: {} +)EOF"; + + const std::string yaml_config2 = R"EOF( +name: listener_0 +address: + socket_address: + address: 127.0.0.1 + port_value: 10001 + network_namespace_filepath: "/var/run/netns/ns2" +filter_chains: {} +)EOF"; + + const std::string yaml_config3 = R"EOF( +name: listener_0 +address: + socket_address: + address: 127.0.0.1 + port_value: 10001 + network_namespace_filepath: "/var/run/netns/ns1" +filter_chains: {} +)EOF"; + + envoy::config::listener::v3::Listener config1 = + TestUtility::parseYaml(yaml_config1); + envoy::config::listener::v3::Listener config2 = + TestUtility::parseYaml(yaml_config2); + envoy::config::listener::v3::Listener config3 = + TestUtility::parseYaml(yaml_config3); + + auto listener1 = ListenerImpl::create(config1, "", *manager_, config1.name(), false, false, + MessageUtil::hash(config1)); + ASSERT_TRUE(listener1.ok()); + auto listener2 = ListenerImpl::create(config2, "", *manager_, config2.name(), false, false, + MessageUtil::hash(config2)); + ASSERT_TRUE(listener2.ok()); + auto listener3 = ListenerImpl::create(config3, "", *manager_, config3.name(), false, false, + MessageUtil::hash(config3)); + ASSERT_TRUE(listener3.ok()); + + EXPECT_FALSE(listener1.value()->hasCompatibleAddress(*(listener2.value()))); + EXPECT_TRUE(listener1.value()->hasCompatibleAddress(*(listener3.value()))); +} + // Set the resolver to the default IP resolver. The address resolver logic is unit tested in // resolver_impl_test.cc. TEST_P(ListenerManagerImplWithRealFiltersTest, AddressResolver) { diff --git a/test/common/network/address_impl_test.cc b/test/common/network/address_impl_test.cc index 32ac28be4bb53..84a5b260b1ef5 100644 --- a/test/common/network/address_impl_test.cc +++ b/test/common/network/address_impl_test.cc @@ -206,6 +206,16 @@ TEST(Ipv4InstanceTest, PortOnly) { EXPECT_FALSE(address.ip()->isUnicastAddress()); } +TEST(Ipv4InstanceTest, NetnsComparison) { + Ipv4Instance address1("1.2.3.4", nullptr, "/var/run/netns/11111"); + Ipv4Instance address2("1.2.3.4", nullptr, "/var/run/netns/22222"); + // Same netns as address1. + Ipv4Instance address3("1.2.3.4", nullptr, "/var/run/netns/11111"); + + EXPECT_EQ(address1, address3); + EXPECT_NE(address1, address2); +} + TEST(Ipv4InstanceTest, Multicast) { Ipv4Instance address("230.0.0.1"); EXPECT_EQ("230.0.0.1:0", address.asString()); @@ -334,6 +344,16 @@ TEST(Ipv6InstanceTest, ScopeIdStripping) { EXPECT_EQ(0U, no_scope_address->ip()->ipv6()->scopeId()); } +TEST(Ipv6InstanceTest, NetnsCompare) { + Ipv6Instance address1("::0001", 80, nullptr, true, "/var/run/netns/11111"); + Ipv6Instance address2("::0001", 80, nullptr, true, "/var/run/netns/22222"); + // Same netns as address1. + Ipv6Instance address3("::0001", 80, nullptr, true, "/var/run/netns/11111"); + + EXPECT_NE(address1, address2); + EXPECT_EQ(address1, address3); +} + TEST(Ipv6InstanceTest, PortOnly) { Ipv6Instance address(443); EXPECT_EQ("[::]:443", address.asString()); From 07e3dd068a4a80156c009686a9cc7fb6b85b2306 Mon Sep 17 00:00:00 2001 From: Kuat Date: Wed, 17 Sep 2025 17:11:34 -0700 Subject: [PATCH 415/505] access log: use generic factory context (#41105) Change-Id: Ie17a21068efdfba87dbe9375672b864c4cc52a51 Commit Message: Move access log factory to use generic context. This will allow using it in non-listener contexts (upstream logs, side request logs, application logs, ECDS logs). While at it, find and fix a bug in Quic listener not setting the listener info. Additional Description: Also move access log filter to use generic context. In almost all cases, server context is enough for both apart from validation - the one exception is Wasm which has other issues. Risk Level: low, no functional change. Testing: passed Docs Changes: none, internal change Release Notes: none Signed-off-by: Kuat Yessenov --- envoy/access_log/access_log_config.h | 4 ++-- source/common/access_log/access_log_impl.cc | 10 ++++----- source/common/access_log/access_log_impl.h | 10 ++++----- source/common/quic/envoy_quic_dispatcher.cc | 1 + .../common/stream_access_log_common_impl.h | 2 +- .../extensions/access_loggers/file/config.cc | 2 +- .../extensions/access_loggers/file/config.h | 2 +- .../access_loggers/filters/cel/config.cc | 2 +- .../access_loggers/filters/cel/config.h | 2 +- .../access_loggers/fluentd/config.cc | 2 +- .../access_loggers/fluentd/config.h | 2 +- .../access_loggers/grpc/http_config.cc | 3 ++- .../access_loggers/grpc/http_config.h | 2 +- .../access_loggers/grpc/tcp_config.cc | 3 ++- .../access_loggers/grpc/tcp_config.h | 2 +- .../access_loggers/open_telemetry/config.cc | 2 +- .../access_loggers/open_telemetry/config.h | 2 +- .../access_loggers/stream/config.cc | 4 ++-- .../extensions/access_loggers/stream/config.h | 4 ++-- .../extensions/access_loggers/wasm/config.cc | 8 ++++--- .../extensions/access_loggers/wasm/config.h | 2 +- .../common/access_log/access_log_impl_test.cc | 4 ++-- .../network/generic_proxy/fake_codec.h | 2 +- test/integration/fake_access_log.h | 2 +- .../typed_metadata_integration_test.cc | 21 ++++++++++++------- 25 files changed, 56 insertions(+), 44 deletions(-) diff --git a/envoy/access_log/access_log_config.h b/envoy/access_log/access_log_config.h index aca39ccbe5d90..cfe53571282e4 100644 --- a/envoy/access_log/access_log_config.h +++ b/envoy/access_log/access_log_config.h @@ -26,7 +26,7 @@ class ExtensionFilterFactory : public Config::TypedFactory { * @return an instance of extension filter implementation from a config proto. */ virtual FilterPtr createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, - Server::Configuration::FactoryContext& context) PURE; + Server::Configuration::GenericFactoryContext& context) PURE; std::string category() const override { return "envoy.access_loggers.extension_filters"; } }; @@ -50,7 +50,7 @@ class AccessLogInstanceFactory : public Config::TypedFactory { */ virtual AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) PURE; std::string category() const override { return "envoy.access_loggers"; } diff --git a/source/common/access_log/access_log_impl.cc b/source/common/access_log/access_log_impl.cc index 9ced24459c598..67f3581bcf413 100644 --- a/source/common/access_log/access_log_impl.cc +++ b/source/common/access_log/access_log_impl.cc @@ -54,7 +54,7 @@ bool ComparisonFilter::compareAgainstValue(uint64_t lhs) const { } FilterPtr FilterFactory::fromProto(const envoy::config::accesslog::v3::AccessLogFilter& config, - Server::Configuration::FactoryContext& context) { + Server::Configuration::GenericFactoryContext& context) { Runtime::Loader& runtime = context.serverFactoryContext().runtime(); Random::RandomGenerator& random = context.serverFactoryContext().api().randomGenerator(); ProtobufMessage::ValidationVisitor& validation_visitor = context.messageValidationVisitor(); @@ -157,7 +157,7 @@ bool RuntimeFilter::evaluate(const Formatter::HttpFormatterContext&, OperatorFilter::OperatorFilter( const Protobuf::RepeatedPtrField& configs, - Server::Configuration::FactoryContext& context) { + Server::Configuration::GenericFactoryContext& context) { for (const auto& config : configs) { auto filter = FilterFactory::fromProto(config, context); if (filter != nullptr) { @@ -167,11 +167,11 @@ OperatorFilter::OperatorFilter( } OrFilter::OrFilter(const envoy::config::accesslog::v3::OrFilter& config, - Server::Configuration::FactoryContext& context) + Server::Configuration::GenericFactoryContext& context) : OperatorFilter(config.filters(), context) {} AndFilter::AndFilter(const envoy::config::accesslog::v3::AndFilter& config, - Server::Configuration::FactoryContext& context) + Server::Configuration::GenericFactoryContext& context) : OperatorFilter(config.filters(), context) {} bool OrFilter::evaluate(const Formatter::HttpFormatterContext& context, @@ -330,7 +330,7 @@ bool MetadataFilter::evaluate(const Formatter::HttpFormatterContext&, InstanceSharedPtr AccessLogFactory::fromProto(const envoy::config::accesslog::v3::AccessLog& config, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers) { FilterPtr filter; if (config.has_filter()) { diff --git a/source/common/access_log/access_log_impl.h b/source/common/access_log/access_log_impl.h index e9bd2b1faef36..7f3abc93adda5 100644 --- a/source/common/access_log/access_log_impl.h +++ b/source/common/access_log/access_log_impl.h @@ -34,7 +34,7 @@ class FilterFactory { * Read a filter definition from proto and instantiate a concrete filter class. */ static FilterPtr fromProto(const envoy::config::accesslog::v3::AccessLogFilter& config, - Server::Configuration::FactoryContext& context); + Server::Configuration::GenericFactoryContext& context); }; /** @@ -86,7 +86,7 @@ class OperatorFilter : public Filter { public: OperatorFilter( const Protobuf::RepeatedPtrField& configs, - Server::Configuration::FactoryContext& context); + Server::Configuration::GenericFactoryContext& context); protected: std::vector filters_; @@ -98,7 +98,7 @@ class OperatorFilter : public Filter { class AndFilter : public OperatorFilter { public: AndFilter(const envoy::config::accesslog::v3::AndFilter& config, - Server::Configuration::FactoryContext& context); + Server::Configuration::GenericFactoryContext& context); // AccessLog::Filter bool evaluate(const Formatter::HttpFormatterContext& context, @@ -111,7 +111,7 @@ class AndFilter : public OperatorFilter { class OrFilter : public OperatorFilter { public: OrFilter(const envoy::config::accesslog::v3::OrFilter& config, - Server::Configuration::FactoryContext& context); + Server::Configuration::GenericFactoryContext& context); // AccessLog::Filter bool evaluate(const Formatter::HttpFormatterContext& context, @@ -269,7 +269,7 @@ class AccessLogFactory { */ static InstanceSharedPtr fromProto(const envoy::config::accesslog::v3::AccessLog& config, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}); }; diff --git a/source/common/quic/envoy_quic_dispatcher.cc b/source/common/quic/envoy_quic_dispatcher.cc index 0bf1378758797..34c87f0dacee9 100644 --- a/source/common/quic/envoy_quic_dispatcher.cc +++ b/source/common/quic/envoy_quic_dispatcher.cc @@ -94,6 +94,7 @@ std::unique_ptr EnvoyQuicDispatcher::CreateQuicSession( // ALPN. Network::ConnectionSocketPtr connection_socket = createServerConnectionSocket( listen_socket_.ioHandle(), self_address, peer_address, std::string(parsed_chlo.sni), "h3"); + connection_socket->connectionInfoProvider().setListenerInfo(listener_config_->listenerInfo()); auto stream_info = std::make_unique( dispatcher_.timeSource(), connection_socket->connectionInfoProviderSharedPtr(), StreamInfo::FilterState::LifeSpan::Connection); diff --git a/source/extensions/access_loggers/common/stream_access_log_common_impl.h b/source/extensions/access_loggers/common/stream_access_log_common_impl.h index 010abac65a7d1..5e6e44dfe3854 100644 --- a/source/extensions/access_loggers/common/stream_access_log_common_impl.h +++ b/source/extensions/access_loggers/common/stream_access_log_common_impl.h @@ -13,7 +13,7 @@ namespace AccessLoggers { template AccessLog::InstanceSharedPtr createStreamAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) { const auto& fal_config = MessageUtil::downcastAndValidate(config, context.messageValidationVisitor()); diff --git a/source/extensions/access_loggers/file/config.cc b/source/extensions/access_loggers/file/config.cc index 7aa65f9c47c78..7d486ff006170 100644 --- a/source/extensions/access_loggers/file/config.cc +++ b/source/extensions/access_loggers/file/config.cc @@ -21,7 +21,7 @@ namespace File { AccessLog::InstanceSharedPtr FileAccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers) { const auto& fal_config = MessageUtil::downcastAndValidate< const envoy::extensions::access_loggers::file::v3::FileAccessLog&>( diff --git a/source/extensions/access_loggers/file/config.h b/source/extensions/access_loggers/file/config.h index 2c2b17997034d..af5727823ffc0 100644 --- a/source/extensions/access_loggers/file/config.h +++ b/source/extensions/access_loggers/file/config.h @@ -14,7 +14,7 @@ class FileAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index 9a1a1be32435b..f83565b141b67 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -16,7 +16,7 @@ namespace CEL { Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( const envoy::config::accesslog::v3::ExtensionFilter& config, - Server::Configuration::FactoryContext& context) { + Server::Configuration::GenericFactoryContext& context) { auto factory_config = Config::Utility::translateToFactoryConfig(config, context.messageValidationVisitor(), *this); diff --git a/source/extensions/access_loggers/filters/cel/config.h b/source/extensions/access_loggers/filters/cel/config.h index 62dfb342491c0..2e915316868cf 100644 --- a/source/extensions/access_loggers/filters/cel/config.h +++ b/source/extensions/access_loggers/filters/cel/config.h @@ -22,7 +22,7 @@ class CELAccessLogExtensionFilterFactory : public Envoy::AccessLog::ExtensionFil public: Envoy::AccessLog::FilterPtr createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, - Server::Configuration::FactoryContext& context) override; + Server::Configuration::GenericFactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; std::string name() const override { return "envoy.access_loggers.extension_filters.cel"; } }; diff --git a/source/extensions/access_loggers/fluentd/config.cc b/source/extensions/access_loggers/fluentd/config.cc index 15a96c6252f8f..d71fdc04b7666 100644 --- a/source/extensions/access_loggers/fluentd/config.cc +++ b/source/extensions/access_loggers/fluentd/config.cc @@ -33,7 +33,7 @@ getAccessLoggerCacheSingleton(Server::Configuration::ServerFactoryContext& conte AccessLog::InstanceSharedPtr FluentdAccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers) { const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::access_loggers::fluentd::v3::FluentdAccessLogConfig&>( diff --git a/source/extensions/access_loggers/fluentd/config.h b/source/extensions/access_loggers/fluentd/config.h index a098d9129179a..f1be35f13c658 100644 --- a/source/extensions/access_loggers/fluentd/config.h +++ b/source/extensions/access_loggers/fluentd/config.h @@ -14,7 +14,7 @@ class FluentdAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/access_loggers/grpc/http_config.cc b/source/extensions/access_loggers/grpc/http_config.cc index 696b3986c0377..e15a07c42f001 100644 --- a/source/extensions/access_loggers/grpc/http_config.cc +++ b/source/extensions/access_loggers/grpc/http_config.cc @@ -20,7 +20,8 @@ namespace HttpGrpc { AccessLog::InstanceSharedPtr HttpGrpcAccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, std::vector&&) { + Server::Configuration::GenericFactoryContext& context, + std::vector&&) { GrpcCommon::validateProtoDescriptors(); const auto& proto_config = MessageUtil::downcastAndValidate< diff --git a/source/extensions/access_loggers/grpc/http_config.h b/source/extensions/access_loggers/grpc/http_config.h index a262b2e29b4c5..45447f4a7a3d3 100644 --- a/source/extensions/access_loggers/grpc/http_config.h +++ b/source/extensions/access_loggers/grpc/http_config.h @@ -16,7 +16,7 @@ class HttpGrpcAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/access_loggers/grpc/tcp_config.cc b/source/extensions/access_loggers/grpc/tcp_config.cc index 744a0ef733008..0a8b4c3744f47 100644 --- a/source/extensions/access_loggers/grpc/tcp_config.cc +++ b/source/extensions/access_loggers/grpc/tcp_config.cc @@ -20,7 +20,8 @@ namespace TcpGrpc { AccessLog::InstanceSharedPtr TcpGrpcAccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, std::vector&&) { + Server::Configuration::GenericFactoryContext& context, + std::vector&&) { GrpcCommon::validateProtoDescriptors(); const auto& proto_config = MessageUtil::downcastAndValidate< diff --git a/source/extensions/access_loggers/grpc/tcp_config.h b/source/extensions/access_loggers/grpc/tcp_config.h index fce3a662f4e49..53ca1ececb37d 100644 --- a/source/extensions/access_loggers/grpc/tcp_config.h +++ b/source/extensions/access_loggers/grpc/tcp_config.h @@ -16,7 +16,7 @@ class TcpGrpcAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/access_loggers/open_telemetry/config.cc b/source/extensions/access_loggers/open_telemetry/config.cc index a6b656d8078d0..7ca56443c4618 100644 --- a/source/extensions/access_loggers/open_telemetry/config.cc +++ b/source/extensions/access_loggers/open_telemetry/config.cc @@ -33,7 +33,7 @@ getAccessLoggerCacheSingleton(Server::Configuration::CommonFactoryContext& conte ::Envoy::AccessLog::InstanceSharedPtr AccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, ::Envoy::AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers) { validateProtoDescriptors(); diff --git a/source/extensions/access_loggers/open_telemetry/config.h b/source/extensions/access_loggers/open_telemetry/config.h index 13a85debc2633..a0c31639cf672 100644 --- a/source/extensions/access_loggers/open_telemetry/config.h +++ b/source/extensions/access_loggers/open_telemetry/config.h @@ -16,7 +16,7 @@ class AccessLogFactory : public Envoy::AccessLog::AccessLogInstanceFactory { public: ::Envoy::AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, ::Envoy::AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/access_loggers/stream/config.cc b/source/extensions/access_loggers/stream/config.cc index 0f78a10a5d845..98d54a3326170 100644 --- a/source/extensions/access_loggers/stream/config.cc +++ b/source/extensions/access_loggers/stream/config.cc @@ -22,7 +22,7 @@ namespace File { AccessLog::InstanceSharedPtr StdoutAccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers) { return AccessLoggers::createStreamAccessLogInstance< envoy::extensions::access_loggers::stream::v3::StdoutAccessLog, @@ -45,7 +45,7 @@ LEGACY_REGISTER_FACTORY(StdoutAccessLogFactory, AccessLog::AccessLogInstanceFact AccessLog::InstanceSharedPtr StderrAccessLogFactory::createAccessLogInstance( const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers) { return createStreamAccessLogInstance< envoy::extensions::access_loggers::stream::v3::StderrAccessLog, diff --git a/source/extensions/access_loggers/stream/config.h b/source/extensions/access_loggers/stream/config.h index 1be10c2df49df..d60ace378308a 100644 --- a/source/extensions/access_loggers/stream/config.h +++ b/source/extensions/access_loggers/stream/config.h @@ -14,7 +14,7 @@ class StdoutAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; @@ -29,7 +29,7 @@ class StderrAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& command_parsers = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/source/extensions/access_loggers/wasm/config.cc b/source/extensions/access_loggers/wasm/config.cc index d2ccf7d9c72e0..75c87134e7f30 100644 --- a/source/extensions/access_loggers/wasm/config.cc +++ b/source/extensions/access_loggers/wasm/config.cc @@ -14,9 +14,11 @@ namespace Extensions { namespace AccessLoggers { namespace Wasm { -AccessLog::InstanceSharedPtr WasmAccessLogFactory::createAccessLogInstance( - const Protobuf::Message& proto_config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, std::vector&&) { +AccessLog::InstanceSharedPtr +WasmAccessLogFactory::createAccessLogInstance(const Protobuf::Message& proto_config, + AccessLog::FilterPtr&& filter, + Server::Configuration::GenericFactoryContext& context, + std::vector&&) { const auto& config = MessageUtil::downcastAndValidate< const envoy::extensions::access_loggers::wasm::v3::WasmAccessLog&>( proto_config, context.messageValidationVisitor()); diff --git a/source/extensions/access_loggers/wasm/config.h b/source/extensions/access_loggers/wasm/config.h index 791d2783ace8d..e297d5ea98e8e 100644 --- a/source/extensions/access_loggers/wasm/config.h +++ b/source/extensions/access_loggers/wasm/config.h @@ -17,7 +17,7 @@ class WasmAccessLogFactory : public AccessLog::AccessLogInstanceFactory, public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message& config, AccessLog::FilterPtr&& filter, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext& context, std::vector&& = {}) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; diff --git a/test/common/access_log/access_log_impl_test.cc b/test/common/access_log/access_log_impl_test.cc index cfbd6190fc613..de134b55488a2 100644 --- a/test/common/access_log/access_log_impl_test.cc +++ b/test/common/access_log/access_log_impl_test.cc @@ -1603,7 +1603,7 @@ class TestHeaderFilterFactory : public ExtensionFilterFactory { ~TestHeaderFilterFactory() override = default; FilterPtr createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, - Server::Configuration::FactoryContext& context) override { + Server::Configuration::GenericFactoryContext& context) override { auto factory_config = Config::Utility::translateToFactoryConfig( config, context.messageValidationVisitor(), *this); const auto& header_config = @@ -1699,7 +1699,7 @@ class SampleExtensionFilterFactory : public ExtensionFilterFactory { ~SampleExtensionFilterFactory() override = default; FilterPtr createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, - Server::Configuration::FactoryContext& context) override { + Server::Configuration::GenericFactoryContext& context) override { auto factory_config = Config::Utility::translateToFactoryConfig( config, context.messageValidationVisitor(), *this); diff --git a/test/extensions/filters/network/generic_proxy/fake_codec.h b/test/extensions/filters/network/generic_proxy/fake_codec.h index b35e897e2ffd2..a5b2c6389a899 100644 --- a/test/extensions/filters/network/generic_proxy/fake_codec.h +++ b/test/extensions/filters/network/generic_proxy/fake_codec.h @@ -440,7 +440,7 @@ class FakeAccessLogExtensionFilterFactory : public AccessLog::ExtensionFilterFac public: // AccessLogFilterFactory AccessLog::FilterPtr createFilter(const envoy::config::accesslog::v3::ExtensionFilter&, - Server::Configuration::FactoryContext&) override { + Server::Configuration::GenericFactoryContext&) override { return std::make_unique(); } diff --git a/test/integration/fake_access_log.h b/test/integration/fake_access_log.h index e433fb50bd0a7..5ac0fafe59121 100644 --- a/test/integration/fake_access_log.h +++ b/test/integration/fake_access_log.h @@ -30,7 +30,7 @@ class FakeAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message&, AccessLog::FilterPtr&&, - Server::Configuration::FactoryContext&, + Server::Configuration::GenericFactoryContext&, std::vector&& = {}) override { std::lock_guard guard(log_callback_lock_); auto access_log_instance = std::make_shared(log_cb_); diff --git a/test/integration/typed_metadata_integration_test.cc b/test/integration/typed_metadata_integration_test.cc index 256a17de7292b..734083691f0bb 100644 --- a/test/integration/typed_metadata_integration_test.cc +++ b/test/integration/typed_metadata_integration_test.cc @@ -54,14 +54,21 @@ class TestAccessLogFactory : public AccessLog::AccessLogInstanceFactory { public: AccessLog::InstanceSharedPtr createAccessLogInstance(const Protobuf::Message&, AccessLog::FilterPtr&&, - Server::Configuration::FactoryContext& context, + Server::Configuration::GenericFactoryContext&, std::vector&& = {}) override { - // Check that expected listener metadata is present - EXPECT_EQ(1, context.listenerInfo().metadata().typed_filter_metadata().size()); - const auto iter = context.listenerInfo().metadata().typed_filter_metadata().find( - "test.listener.typed.metadata"); - EXPECT_NE(iter, context.listenerInfo().metadata().typed_filter_metadata().end()); - return std::make_shared>(); + auto out = std::make_shared>(); + EXPECT_CALL(*out, log(_, _)) + .WillRepeatedly(testing::Invoke( + [](const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo& info) -> void { + // Check that expected listener metadata is present + auto listener_info = info.downstreamAddressProvider().listenerInfo(); + ASSERT_TRUE(listener_info.has_value()); + EXPECT_EQ(1, listener_info->metadata().typed_filter_metadata().size()); + const auto iter = listener_info->metadata().typed_filter_metadata().find( + "test.listener.typed.metadata"); + EXPECT_NE(iter, listener_info->metadata().typed_filter_metadata().end()); + })); + return out; } ProtobufTypes::MessagePtr createEmptyConfigProto() override { From 53dad04f0190743a13c1157e25311bafe29cd58b Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Thu, 18 Sep 2025 08:16:21 +0800 Subject: [PATCH 416/505] docs: fix typo in redis proxy (#40518) Signed-off-by: Huabing (Robin) Zhao Co-authored-by: phlax --- .../_include/redis-aws-iam-auth.yaml | 41 +++++++++ .../_include/redis-dns-lookups.yaml | 36 ++++++++ .../_include/redis-fault-injection.yaml | 47 ++++++++++ .../network_filters/redis_proxy_filter.rst | 88 ++++--------------- 4 files changed, 142 insertions(+), 70 deletions(-) create mode 100644 docs/root/configuration/listeners/network_filters/_include/redis-aws-iam-auth.yaml create mode 100644 docs/root/configuration/listeners/network_filters/_include/redis-dns-lookups.yaml create mode 100644 docs/root/configuration/listeners/network_filters/_include/redis-fault-injection.yaml diff --git a/docs/root/configuration/listeners/network_filters/_include/redis-aws-iam-auth.yaml b/docs/root/configuration/listeners/network_filters/_include/redis-aws-iam-auth.yaml new file mode 100644 index 0000000000000..d22ef696f4e36 --- /dev/null +++ b/docs/root/configuration/listeners/network_filters/_include/redis-aws-iam-auth.yaml @@ -0,0 +1,41 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 6379 + filter_chains: + - filters: + - name: envoy.filters.network.redis_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProxy + stat_prefix: egress_redis + settings: + op_timeout: 5s + prefix_routes: + catch_all_route: + cluster: redis_cluster + clusters: + - name: redis_cluster + connect_timeout: 1s + type: STRICT_DNS + load_assignment: + cluster_name: redis_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: testcache-7dh4z9.serverless.apse2.cache.amazonaws.com + port_value: 6379 + typed_extension_protocol_options: + envoy.filters.network.redis_proxy: + "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProtocolOptions + auth_username: + inline_string: test + aws_iam: + region: ap-southeast-2 + service_name: elasticache + cache_name: testcache + expiration_time: 900s diff --git a/docs/root/configuration/listeners/network_filters/_include/redis-dns-lookups.yaml b/docs/root/configuration/listeners/network_filters/_include/redis-dns-lookups.yaml new file mode 100644 index 0000000000000..3e7222852f217 --- /dev/null +++ b/docs/root/configuration/listeners/network_filters/_include/redis-dns-lookups.yaml @@ -0,0 +1,36 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 6379 + filter_chains: + - filters: + - name: envoy.filters.network.redis_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProxy + stat_prefix: redis_stats + prefix_routes: + catch_all_route: + cluster: redis_cluster + settings: + op_timeout: 5s + enable_redirection: true + dns_cache_config: + name: dns_cache_for_redis + dns_lookup_family: V4_ONLY + max_hosts: 100 + clusters: + - name: redis_cluster + connect_timeout: 1s + type: STRICT_DNS + load_assignment: + cluster_name: redis_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: redis.example.com + port_value: 6379 diff --git a/docs/root/configuration/listeners/network_filters/_include/redis-fault-injection.yaml b/docs/root/configuration/listeners/network_filters/_include/redis-fault-injection.yaml new file mode 100644 index 0000000000000..1f12bfd48f9d0 --- /dev/null +++ b/docs/root/configuration/listeners/network_filters/_include/redis-fault-injection.yaml @@ -0,0 +1,47 @@ +static_resources: + listeners: + - name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 6379 + filter_chains: + - filters: + - name: envoy.filters.network.redis_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProxy + stat_prefix: redis_stats + prefix_routes: + catch_all_route: + cluster: redis_cluster + settings: + op_timeout: 5s + faults: + - fault_type: ERROR + fault_enabled: + default_value: + numerator: 10 + denominator: HUNDRED + runtime_key: "bogus_key" + commands: + - GET + - fault_type: DELAY + fault_enabled: + default_value: + numerator: 10 + denominator: HUNDRED + runtime_key: "bogus_key" + delay: 2s + clusters: + - name: redis_cluster + connect_timeout: 1s + type: STRICT_DNS + load_assignment: + cluster_name: redis_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: redis.example.com + port_value: 6379 diff --git a/docs/root/configuration/listeners/network_filters/redis_proxy_filter.rst b/docs/root/configuration/listeners/network_filters/redis_proxy_filter.rst index 52f5e0beafba4..fa987bb2edf6e 100644 --- a/docs/root/configuration/listeners/network_filters/redis_proxy_filter.rst +++ b/docs/root/configuration/listeners/network_filters/redis_proxy_filter.rst @@ -99,24 +99,12 @@ or runtime key are set). Example configuration: -.. code-block:: yaml - - faults: - - fault_type: ERROR - fault_enabled: - default_value: - numerator: 10 - denominator: HUNDRED - runtime_key: "bogus_key" - commands: - - GET - - fault_type: DELAY - fault_enabled: - default_value: - numerator: 10 - denominator: HUNDRED - runtime_key: "bogus_key" - delay: 2s +.. literalinclude:: _include/redis-fault-injection.yaml + :language: yaml + :lines: 19-34 + :linenos: + :lineno-start: 19 + :caption: :download:`redis-fault-injection.yaml <_include/redis-fault-injection.yaml>` This creates two faults- an error, applying only to GET commands at 10%, and a delay, applying to all commands at 10%. This means that 20% of GET commands will have a fault applied, as discussed earlier. @@ -126,21 +114,12 @@ DNS lookups on redirections As noted in the :ref:`architecture overview `, when Envoy sees a MOVED or ASK response containing a hostname it will not perform a DNS lookup and instead bubble up the error to the client. The following configuration example enables DNS lookups on such responses to avoid the client error and have Envoy itself perform the redirection: -.. code-block:: yaml - - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProxy - stat_prefix: redis_stats - prefix_routes: - catch_all_route: - cluster: cluster_0 - settings: - op_timeout: 5 - enable_redirection: true - dns_cache_config: - name: dns_cache_for_redis - dns_lookup_family: V4_ONLY - max_hosts: 100 +.. literalinclude:: _include/redis-dns-lookups.yaml + :language: yaml + :lines: 11-23 + :linenos: + :lineno-start: 11 + :caption: :download:`redis-dns-lookups.yaml <_include/redis-dns-lookups.yaml>` .. _config_network_filters_redis_proxy_aws_iam: @@ -160,40 +139,9 @@ The `service_name` should be `elasticache` for an Amazon ElastiCache cache in va matches the service which is added to the IAM Policy for the associated IAM principal being used to make the connection. For example, `service_name: memorydb` matches an AWS IAM Policy containing the Action `memorydb:Connect`, and that policy must be attached to the IAM principal being used by envoy. -.. code-block:: yaml - - filter_chains: - - filters: - - name: envoy.filters.network.redis_proxy - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProxy - stat_prefix: egress_redis - settings: - op_timeout: 5s - prefix_routes: - catch_all_route: - cluster: redis_cluster - clusters: - - name: redis_cluster - connect_timeout: 1s - type: strict_dns - load_assignment: - cluster_name: redis_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: testcache-7dh4z9.serverless.apse2.cache.amazonaws.com - port_value: 6379 - typed_extension_protocol_options: - envoy.filters.network.redis_proxy: - "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProtocolOptions - auth_username: - inline_string: test - aws_iam: - region: ap-southeast-2 - service_name: elasticache - cache_name: testcache - expiration_time: 900s - +.. literalinclude:: _include/redis-aws-iam-auth.yaml + :language: yaml + :lines: 8-41 + :linenos: + :lineno-start: 8 + :caption: :download:`redis-aws-iam-auth.yaml <_include/redis-aws-iam-auth.yaml>` From 40e4a5d5876bb93f53fb04175f78aafe357a994d Mon Sep 17 00:00:00 2001 From: dinesh-murugiah Date: Thu, 18 Sep 2025 05:52:35 +0530 Subject: [PATCH 417/505] adding more simple commands supported by redis to proxy (#40912) Commit Message: adding support for the following simple commands COPY, RPOPLPUSH, SMOVE, SUNION, SDIFF, SINTER, SINTERSTORE, ZUNIONSTORE, ZINTERSTORE, PFMERGE, GEORADIUS, GEORADIUSBYMEMBER, RENAME, SORT, SORT_RO, ZMSCORE, SDIFFSTORE, MSETNX, SUBSTR, ZRANGESTORE, ZUNION, ZDIFF, SUNIONSTORE, SMISMEMBER, HRANDFIELD, GEOSEARCHSTORE, ZDIFFSTORE, ZINTER, ZRANDMEMBER, BITOP, LPOS, RENAMENX Additional Description: Risk Level: LOW Testing: all these commands has been tested manually and also the existing simple command test covers the framework level validation Docs Changes: [current.yaml],[redis.rst] Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: dinesh-murugiah --- changelogs/current.yaml | 6 +++- .../arch_overview/other_protocols/redis.rst | 32 +++++++++++++++++++ .../network/common/redis/supported_commands.h | 29 ++++++++++------- .../redis_proxy/command_splitter_impl_test.cc | 10 +++--- 4 files changed, 60 insertions(+), 17 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index ea30989414765..842cc01305fc8 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -308,7 +308,11 @@ new_features: will take precedence over this field. - area: redis change: | - Added support for ``GEOSEARCH`` and ``GETEX``. + Added support for 33 new Redis commands including COPY, RPOPLPUSH, SMOVE, SUNION, SDIFF, + SINTER, SINTERSTORE, ZUNIONSTORE, ZINTERSTORE, PFMERGE, GEORADIUS, GEORADIUSBYMEMBER, + RENAME, SORT, SORT_RO, ZMSCORE, SDIFFSTORE, MSETNX, SUBSTR, ZRANGESTORE, ZUNION, ZDIFF, + SUNIONSTORE, SMISMEMBER, HRANDFIELD, GEOSEARCHSTORE, ZDIFFSTORE, ZINTER, ZRANDMEMBER, + BITOP, LPOS, RENAMENX. - area: observability change: | Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in production environments. diff --git a/docs/root/intro/arch_overview/other_protocols/redis.rst b/docs/root/intro/arch_overview/other_protocols/redis.rst index 869be36c7c894..42f851309a653 100644 --- a/docs/root/intro/arch_overview/other_protocols/redis.rst +++ b/docs/root/intro/arch_overview/other_protocols/redis.rst @@ -170,6 +170,11 @@ For details on each command's usage see the official TTL, Generic TYPE, Generic UNLINK, Generic + COPY, Generic + RENAME, Generic + RENAMENX, Generic + SORT, Generic + SORT_RO, Generic GEOADD, Geo GEODIST, Geo GEOHASH, Geo @@ -177,6 +182,9 @@ For details on each command's usage see the official GEORADIUS_RO, Geo GEORADIUSBYMEMBER_RO, Geo GEOSEARCH, Geo + GEOSEARCHSTORE, Geospatial + GEORADIUS, Geospatial + GEORADIUSBYMEMBER, Geospatial HDEL, Hash HEXISTS, Hash HGET, Hash @@ -192,8 +200,10 @@ For details on each command's usage see the official HSETNX, Hash HSTRLEN, Hash HVALS, Hash + HRANDFIELD, Hash PFADD, HyperLogLog PFCOUNT, HyperLogLog + PFMERGE, HyperLogLog LINDEX, List LINSERT, List LLEN, List @@ -204,6 +214,8 @@ For details on each command's usage see the official LREM, List LSET, List LTRIM, List + LPOS, List + RPOPLPUSH, List MULTI, Transaction RPOP, List RPUSH, List @@ -220,6 +232,14 @@ For details on each command's usage see the official SREM, Set SCAN, Generic SSCAN, Set + SDIFF, Set + SDIFFSTORE, Set + SINTER, Set + SINTERSTORE, Set + SMISMEMBER, Set + SMOVE, Set + SUNION, Set + SUNIONSTORE, Set WATCH, String UNWATCH, String ZADD, Sorted Set @@ -243,6 +263,15 @@ For details on each command's usage see the official ZPOPMAX, Sorted Set ZSCAN, Sorted Set ZSCORE, Sorted Set + ZDIFF, Sorted Set + ZDIFFSTORE, Sorted Set + ZINTER, Sorted Set + ZINTERSTORE, Sorted Set + ZMSCORE, Sorted Set + ZRANDMEMBER, Sorted Set + ZRANGESTORE, Sorted Set + ZUNION, Sorted Set + ZUNIONSTORE, Sorted Set APPEND, String BITCOUNT, String BITFIELD, String @@ -269,6 +298,8 @@ For details on each command's usage see the official SETNX, String SETRANGE, String STRLEN, String + MSETNX, String + SUBSTR, String XACK, Stream XADD, Stream XAUTOCLAIM, Stream @@ -289,6 +320,7 @@ For details on each command's usage see the official BF.MEXISTS, Bloom BF.RESERVE, Bloom BF.SCANDUMP, Bloom + BITOP, Bitmap Failure modes ------------- diff --git a/source/extensions/filters/network/common/redis/supported_commands.h b/source/extensions/filters/network/common/redis/supported_commands.h index 74ad5abf542f5..2bb6e77398fbb 100644 --- a/source/extensions/filters/network/common/redis/supported_commands.h +++ b/source/extensions/filters/network/common/redis/supported_commands.h @@ -34,7 +34,12 @@ struct SupportedCommands { "xautoclaim", "xclaim", "xdel", "xlen", "xpending", "xrange", "xrevrange", "xtrim", "zadd", "zcard", "zcount", "zincrby", "zlexcount", "zpopmin", "zpopmax", "zrange", "zrangebylex", "zrangebyscore", "zrank", "zrem", "zremrangebylex", "zremrangebyrank", "zremrangebyscore", - "zrevrange", "zrevrangebylex", "zrevrangebyscore", "zrevrank", "zscan", "zscore"); + "zrevrange", "zrevrangebylex", "zrevrangebyscore", "zrevrank", "zscan", "zscore", "copy", + "rpoplpush", "smove", "sunion", "sdiff", "sinter", "sinterstore", "zunionstore", + "zinterstore", "pfmerge", "georadius", "georadiusbymember", "rename", "sort", "sort_ro", + "zmscore", "sdiffstore", "msetnx", "substr", "zrangestore", "zunion", "zdiff", + "sunionstore", "smismember", "hrandfield", "geosearchstore", "zdiffstore", "zinter", + "zrandmember", "bitop", "lpos", "renamenx"); } /** @@ -42,7 +47,7 @@ struct SupportedCommands { */ static const absl::flat_hash_set& multiKeyCommands() { CONSTRUCT_ON_FIRST_USE(absl::flat_hash_set, "del", "mget", "mset", "touch", - "unlink"); + "unlink", "msetnx"); } /** @@ -131,15 +136,17 @@ struct SupportedCommands { * @return commands which alters the state of redis */ static const absl::flat_hash_set& writeCommands() { - CONSTRUCT_ON_FIRST_USE(absl::flat_hash_set, "append", "bitfield", "decr", "decrby", - "del", "discard", "exec", "expire", "expireat", "eval", "evalsha", - "geoadd", "getdel", "hdel", "hincrby", "hincrbyfloat", "hmset", "hset", - "hsetnx", "incr", "incrby", "incrbyfloat", "linsert", "lmove", "lpop", - "lpush", "lpushx", "lrem", "lset", "ltrim", "mset", "multi", "persist", - "pexpire", "pexpireat", "pfadd", "psetex", "restore", "rpop", "rpush", - "rpushx", "sadd", "set", "setbit", "setex", "setnx", "setrange", "spop", - "srem", "zadd", "zincrby", "touch", "zpopmin", "zpopmax", "zrem", - "zremrangebylex", "zremrangebyrank", "zremrangebyscore", "unlink"); + CONSTRUCT_ON_FIRST_USE( + absl::flat_hash_set, "append", "bitfield", "decr", "decrby", "del", "discard", + "exec", "expire", "expireat", "eval", "evalsha", "geoadd", "getdel", "hdel", "hincrby", + "hincrbyfloat", "hmset", "hset", "hsetnx", "incr", "incrby", "incrbyfloat", "linsert", + "lmove", "lpop", "lpush", "lpushx", "lrem", "lset", "ltrim", "mset", "multi", "persist", + "pexpire", "pexpireat", "pfadd", "psetex", "restore", "rpop", "rpush", "rpushx", "sadd", + "set", "setbit", "setex", "setnx", "setrange", "spop", "srem", "zadd", "zincrby", "touch", + "zpopmin", "zpopmax", "zrem", "zremrangebylex", "zremrangebyrank", "zremrangebyscore", + "unlink", "copy", "rpoplpush", "smove", "sinterstore", "zunionstore", "zinterstore", + "pfmerge", "georadius", "georadiusbymember", "rename", "sort", "sdiffstore", "msetnx", + "zrangestore", "sunionstore", "geosearchstore", "zdiffstore", "bitop", "renamenx"); } static bool isReadCommand(const std::string& command) { diff --git a/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc b/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc index f18a7d7c1b78b..a30ad3706e32d 100644 --- a/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc +++ b/test/extensions/filters/network/redis_proxy/command_splitter_impl_test.cc @@ -407,7 +407,7 @@ TEST_P(RedisSingleServerRequestTest, NoUpstream) { }; INSTANTIATE_TEST_SUITE_P(RedisSingleServerRequestTest, RedisSingleServerRequestTest, - testing::ValuesIn(Common::Redis::SupportedCommands::simpleCommands())); + testing::Values("get", "set", "incr", "zadd")); INSTANTIATE_TEST_SUITE_P(RedisSimpleRequestCommandHandlerMixedCaseTests, RedisSingleServerRequestTest, testing::Values("INCR", "inCrBY")); @@ -1338,7 +1338,7 @@ TEST_P(RedisSingleServerRequestWithLatencyMicrosTest, Success) { INSTANTIATE_TEST_SUITE_P(RedisSingleServerRequestWithLatencyMicrosTest, RedisSingleServerRequestWithLatencyMicrosTest, - testing::ValuesIn(Common::Redis::SupportedCommands::simpleCommands())); + testing::Values("get", "set", "incr", "zadd")); // In subclasses of fault test, we mock the expected faults in the constructor, as the // fault manager is owned by the splitter, which is also generated later in construction @@ -1393,7 +1393,7 @@ class RedisSingleServerRequestWithErrorWithDelayFaultTest INSTANTIATE_TEST_SUITE_P(RedisSingleServerRequestWithErrorFaultTest, RedisSingleServerRequestWithErrorFaultTest, - testing::ValuesIn(Common::Redis::SupportedCommands::simpleCommands())); + testing::Values("get", "set", "incr", "zadd")); TEST_P(RedisSingleServerRequestWithErrorWithDelayFaultTest, Fault) { InSequence s; @@ -1427,7 +1427,7 @@ TEST_P(RedisSingleServerRequestWithErrorWithDelayFaultTest, Fault) { INSTANTIATE_TEST_SUITE_P(RedisSingleServerRequestWithErrorWithDelayFaultTest, RedisSingleServerRequestWithErrorWithDelayFaultTest, - testing::ValuesIn(Common::Redis::SupportedCommands::simpleCommands())); + testing::Values("get", "set", "incr", "zadd")); class RedisSingleServerRequestWithDelayFaultTest : public RedisSingleServerRequestWithFaultTest { public: @@ -1479,7 +1479,7 @@ TEST_P(RedisSingleServerRequestWithDelayFaultTest, Fault) { INSTANTIATE_TEST_SUITE_P(RedisSingleServerRequestWithDelayFaultTest, RedisSingleServerRequestWithDelayFaultTest, - testing::ValuesIn(Common::Redis::SupportedCommands::simpleCommands())); + testing::Values("get", "set", "incr", "zadd")); class ScanHandlerTest : public FragmentedRequestCommandHandlerTest, public testing::WithParamInterface { From ab743ae22167323a9fa164905f7a2ff2b94057cd Mon Sep 17 00:00:00 2001 From: code Date: Thu, 18 Sep 2025 08:58:31 +0800 Subject: [PATCH 418/505] header mutation: support remove on match (#41076) --- .../mutation_rules/v3/mutation_rules.proto | 10 ++++ changelogs/current.yaml | 6 ++ source/common/http/BUILD | 1 + source/common/http/header_mutation.cc | 31 +++++++++- source/common/http/header_mutation.h | 7 ++- .../filters/http/header_mutation/config.cc | 9 +-- .../http/header_mutation/header_mutation.cc | 21 ++++--- .../http/header_mutation/header_mutation.h | 11 +++- .../header_mutation/config.cc | 2 +- .../header_mutation/header_mutation.cc | 8 ++- .../header_mutation/header_mutation.h | 3 +- test/common/http/BUILD | 1 + test/common/http/header_mutation_test.cc | 59 +++++++++++++++++-- .../header_mutation/header_mutation_test.cc | 37 ++++++++---- .../header_mutation/BUILD | 1 + .../header_mutation/header_mutation_test.cc | 5 +- 16 files changed, 168 insertions(+), 44 deletions(-) diff --git a/api/envoy/config/common/mutation_rules/v3/mutation_rules.proto b/api/envoy/config/common/mutation_rules/v3/mutation_rules.proto index d129ef1ebbf7a..c015db2143191 100644 --- a/api/envoy/config/common/mutation_rules/v3/mutation_rules.proto +++ b/api/envoy/config/common/mutation_rules/v3/mutation_rules.proto @@ -4,6 +4,7 @@ package envoy.config.common.mutation_rules.v3; import "envoy/config/core/v3/base.proto"; import "envoy/type/matcher/v3/regex.proto"; +import "envoy/type/matcher/v3/string.proto"; import "google/protobuf/wrappers.proto"; @@ -90,6 +91,12 @@ message HeaderMutationRules { // The HeaderMutation structure specifies an action that may be taken on HTTP // headers. message HeaderMutation { + message RemoveOnMatch { + // A string matcher that will be applied to the header key. If the header key + // matches, the header will be removed. + type.matcher.v3.StringMatcher key_matcher = 1 [(validate.rules).message = {required: true}]; + } + oneof action { option (validate.required) = true; @@ -99,5 +106,8 @@ message HeaderMutation { // Append new header by the specified HeaderValueOption. core.v3.HeaderValueOption append = 2; + + // Remove the header if the key matches the specified string matcher. + RemoveOnMatch remove_on_match = 3; } } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 842cc01305fc8..f57edaad1a1b9 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -415,6 +415,12 @@ new_features: :ref:`stream_flush_timeout ` to allow for configuring a stream flush timeout independently from the stream idle timeout. +- area: http + change: | + Added support for header removal based on header key matching. The new + :ref:`remove_on_match ` + allows removing headers that match a specified key pattern. This enables more flexible and + dynamic header manipulation based on header names. - area: geoip change: | Added a new metric ``db_build_epoch`` to track the build timestamp of the MaxMind geolocation database files. diff --git a/source/common/http/BUILD b/source/common/http/BUILD index 7829e37899399..e2385f30ccb58 100644 --- a/source/common/http/BUILD +++ b/source/common/http/BUILD @@ -638,6 +638,7 @@ envoy_cc_library( ":header_map_lib", ":utility_lib", "//envoy/http:header_evaluator", + "//source/common/common:matchers_lib", "//source/common/router:header_parser_lib", "@envoy_api//envoy/config/common/mutation_rules/v3:pkg_cc_proto", ], diff --git a/source/common/http/header_mutation.cc b/source/common/http/header_mutation.cc index 3b438c52e47d5..5eccf09fea2ae 100644 --- a/source/common/http/header_mutation.cc +++ b/source/common/http/header_mutation.cc @@ -1,5 +1,6 @@ #include "source/common/http/header_mutation.h" +#include "source/common/common/matchers.h" #include "source/common/router/header_parser.h" namespace Envoy { @@ -65,18 +66,38 @@ class RemoveMutation : public HeaderEvaluator { private: const Envoy::Http::LowerCaseString header_name_; }; + +class RemoveOnMatchMutation : public HeaderEvaluator { +public: + RemoveOnMatchMutation(const envoy::type::matcher::v3::StringMatcher& key_matcher, + Server::Configuration::CommonFactoryContext& context) + : key_matcher_(key_matcher, context) {} + + void evaluateHeaders(Http::HeaderMap& headers, const Formatter::HttpFormatterContext&, + const StreamInfo::StreamInfo&) const override { + headers.removeIf([this](const Http::HeaderEntry& header) { + return key_matcher_.match(header.key().getStringView()); + }); + } + +private: + const Matchers::StringMatcherImpl key_matcher_; +}; + } // namespace absl::StatusOr> -HeaderMutations::create(const ProtoHeaderMutatons& header_mutations) { +HeaderMutations::create(const ProtoHeaderMutatons& header_mutations, + Server::Configuration::CommonFactoryContext& context) { absl::Status creation_status = absl::OkStatus(); - auto ret = - std::unique_ptr(new HeaderMutations(header_mutations, creation_status)); + auto ret = std::unique_ptr( + new HeaderMutations(header_mutations, context, creation_status)); RETURN_IF_NOT_OK(creation_status); return ret; } HeaderMutations::HeaderMutations(const ProtoHeaderMutatons& header_mutations, + Server::Configuration::CommonFactoryContext& context, absl::Status& creation_status) { for (const auto& mutation : header_mutations) { switch (mutation.action_case()) { @@ -90,6 +111,10 @@ HeaderMutations::HeaderMutations(const ProtoHeaderMutatons& header_mutations, case envoy::config::common::mutation_rules::v3::HeaderMutation::ActionCase::kRemove: header_mutations_.emplace_back(std::make_unique(mutation.remove())); break; + case envoy::config::common::mutation_rules::v3::HeaderMutation::ActionCase::kRemoveOnMatch: + header_mutations_.emplace_back(std::make_unique( + mutation.remove_on_match().key_matcher(), context)); + break; default: PANIC_DUE_TO_PROTO_UNSET; } diff --git a/source/common/http/header_mutation.h b/source/common/http/header_mutation.h index fb32a15530e19..0d38ce771b1fa 100644 --- a/source/common/http/header_mutation.h +++ b/source/common/http/header_mutation.h @@ -15,14 +15,17 @@ using ProtoHeaderValueOption = envoy::config::core::v3::HeaderValueOption; class HeaderMutations : public HeaderEvaluator { public: static absl::StatusOr> - create(const ProtoHeaderMutatons& header_mutations); + create(const ProtoHeaderMutatons& header_mutations, + Server::Configuration::CommonFactoryContext& context); // Http::HeaderEvaluator void evaluateHeaders(Http::HeaderMap& headers, const Formatter::HttpFormatterContext& context, const StreamInfo::StreamInfo& stream_info) const override; private: - HeaderMutations(const ProtoHeaderMutatons& header_mutations, absl::Status& creation_status); + HeaderMutations(const ProtoHeaderMutatons& header_mutations, + Server::Configuration::CommonFactoryContext& context, + absl::Status& creation_status); std::vector> header_mutations_; }; diff --git a/source/extensions/filters/http/header_mutation/config.cc b/source/extensions/filters/http/header_mutation/config.cc index 096b3870c45a5..7788d7e5c89e1 100644 --- a/source/extensions/filters/http/header_mutation/config.cc +++ b/source/extensions/filters/http/header_mutation/config.cc @@ -12,9 +12,9 @@ namespace HeaderMutation { absl::StatusOr HeaderMutationFactoryConfig::createFilterFactoryFromProtoTyped( const ProtoConfig& config, const std::string&, DualInfo, - Server::Configuration::ServerFactoryContext&) { + Server::Configuration::ServerFactoryContext& context) { absl::Status creation_status = absl::OkStatus(); - auto filter_config = std::make_shared(config, creation_status); + auto filter_config = std::make_shared(config, context, creation_status); RETURN_IF_NOT_OK_REF(creation_status); return [filter_config](Http::FilterChainFactoryCallbacks& callbacks) -> void { @@ -24,10 +24,11 @@ HeaderMutationFactoryConfig::createFilterFactoryFromProtoTyped( absl::StatusOr HeaderMutationFactoryConfig::createRouteSpecificFilterConfigTyped( - const PerRouteProtoConfig& proto_config, Server::Configuration::ServerFactoryContext&, + const PerRouteProtoConfig& proto_config, Server::Configuration::ServerFactoryContext& context, ProtobufMessage::ValidationVisitor&) { absl::Status creation_status = absl::OkStatus(); - auto route_config = std::make_shared(proto_config, creation_status); + auto route_config = + std::make_shared(proto_config, context, creation_status); RETURN_IF_NOT_OK_REF(creation_status); return route_config; } diff --git a/source/extensions/filters/http/header_mutation/header_mutation.cc b/source/extensions/filters/http/header_mutation/header_mutation.cc index 7b7ee37d00566..5b582c7c1611f 100644 --- a/source/extensions/filters/http/header_mutation/header_mutation.cc +++ b/source/extensions/filters/http/header_mutation/header_mutation.cc @@ -41,22 +41,24 @@ void QueryParameterMutationAppend::mutateQueryParameter( } } -Mutations::Mutations(const MutationsProto& config, absl::Status& creation_status) { - auto request_mutations_or_error = HeaderMutations::create(config.request_mutations()); +Mutations::Mutations(const MutationsProto& config, + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status) { + auto request_mutations_or_error = HeaderMutations::create(config.request_mutations(), context); SET_AND_RETURN_IF_NOT_OK(request_mutations_or_error.status(), creation_status); request_mutations_ = std::move(request_mutations_or_error.value()); - auto response_mutations_or_error = HeaderMutations::create(config.response_mutations()); + auto response_mutations_or_error = HeaderMutations::create(config.response_mutations(), context); SET_AND_RETURN_IF_NOT_OK(response_mutations_or_error.status(), creation_status); response_mutations_ = std::move(response_mutations_or_error.value()); auto response_trailers_mutations_or_error = - HeaderMutations::create(config.response_trailers_mutations()); + HeaderMutations::create(config.response_trailers_mutations(), context); SET_AND_RETURN_IF_NOT_OK(response_trailers_mutations_or_error.status(), creation_status); response_trailers_mutations_ = std::move(response_trailers_mutations_or_error.value()); auto request_trailers_mutations_or_error = - HeaderMutations::create(config.request_trailers_mutations()); + HeaderMutations::create(config.request_trailers_mutations(), context); SET_AND_RETURN_IF_NOT_OK(request_trailers_mutations_or_error.status(), creation_status); request_trailers_mutations_ = std::move(request_trailers_mutations_or_error.value()); @@ -133,11 +135,14 @@ void Mutations::mutateRequestTrailers(Http::RequestTrailerMap& trailers, } PerRouteHeaderMutation::PerRouteHeaderMutation(const PerRouteProtoConfig& config, + Server::Configuration::ServerFactoryContext& context, absl::Status& creation_status) - : mutations_(config.mutations(), creation_status) {} + : mutations_(config.mutations(), context, creation_status) {} -HeaderMutationConfig::HeaderMutationConfig(const ProtoConfig& config, absl::Status& creation_status) - : mutations_(config.mutations(), creation_status), +HeaderMutationConfig::HeaderMutationConfig(const ProtoConfig& config, + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status) + : mutations_(config.mutations(), context, creation_status), most_specific_header_mutations_wins_(config.most_specific_header_mutations_wins()) {} void HeaderMutation::maybeInitializeRouteConfigs(Http::StreamFilterCallbacks* callbacks) { diff --git a/source/extensions/filters/http/header_mutation/header_mutation.h b/source/extensions/filters/http/header_mutation/header_mutation.h index 0dbd56cd72911..4ab718d194bb7 100644 --- a/source/extensions/filters/http/header_mutation/header_mutation.h +++ b/source/extensions/filters/http/header_mutation/header_mutation.h @@ -83,7 +83,8 @@ class Mutations { public: using HeaderMutations = Http::HeaderMutations; - Mutations(const MutationsProto& config, absl::Status& creation_status); + Mutations(const MutationsProto& config, Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status); void mutateRequestHeaders(Http::RequestHeaderMap& headers, const Formatter::HttpFormatterContext& context, @@ -109,7 +110,9 @@ class Mutations { class PerRouteHeaderMutation : public Router::RouteSpecificFilterConfig { public: - PerRouteHeaderMutation(const PerRouteProtoConfig& config, absl::Status& creation_status); + PerRouteHeaderMutation(const PerRouteProtoConfig& config, + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status); const Mutations& mutations() const { return mutations_; } @@ -120,7 +123,9 @@ using PerRouteHeaderMutationSharedPtr = std::shared_ptr; class HeaderMutationConfig { public: - HeaderMutationConfig(const ProtoConfig& config, absl::Status& creation_status); + HeaderMutationConfig(const ProtoConfig& config, + Server::Configuration::ServerFactoryContext& context, + absl::Status& creation_status); const Mutations& mutations() const { return mutations_; } diff --git a/source/extensions/http/early_header_mutation/header_mutation/config.cc b/source/extensions/http/early_header_mutation/header_mutation/config.cc index 346568d8e29d3..8079804092ba1 100644 --- a/source/extensions/http/early_header_mutation/header_mutation/config.cc +++ b/source/extensions/http/early_header_mutation/header_mutation/config.cc @@ -17,7 +17,7 @@ Factory::createExtension(const Protobuf::Message& message, const auto& proto_config = MessageUtil::downcastAndValidate< const envoy::extensions::http::early_header_mutation::header_mutation::v3::HeaderMutation&>( *mptr, context.messageValidationVisitor()); - return std::make_unique(proto_config); + return std::make_unique(proto_config, context.serverFactoryContext()); } REGISTER_FACTORY(Factory, Envoy::Http::EarlyHeaderMutationFactory); diff --git a/source/extensions/http/early_header_mutation/header_mutation/header_mutation.cc b/source/extensions/http/early_header_mutation/header_mutation/header_mutation.cc index 3605b3f0523da..c1d0d5c368ec4 100644 --- a/source/extensions/http/early_header_mutation/header_mutation/header_mutation.cc +++ b/source/extensions/http/early_header_mutation/header_mutation/header_mutation.cc @@ -10,9 +10,11 @@ namespace Http { namespace EarlyHeaderMutation { namespace HeaderMutation { -HeaderMutation::HeaderMutation(const ProtoHeaderMutation& mutations) - : mutations_(THROW_OR_RETURN_VALUE(Envoy::Http::HeaderMutations::create(mutations.mutations()), - std::unique_ptr)) {} +HeaderMutation::HeaderMutation(const ProtoHeaderMutation& mutations, + Server::Configuration::ServerFactoryContext& context) + : mutations_(THROW_OR_RETURN_VALUE( + Envoy::Http::HeaderMutations::create(mutations.mutations(), context), + std::unique_ptr)) {} bool HeaderMutation::mutate(Envoy::Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& stream_info) const { diff --git a/source/extensions/http/early_header_mutation/header_mutation/header_mutation.h b/source/extensions/http/early_header_mutation/header_mutation/header_mutation.h index e6ca0f52ac510..d2f02f6cf75d2 100644 --- a/source/extensions/http/early_header_mutation/header_mutation/header_mutation.h +++ b/source/extensions/http/early_header_mutation/header_mutation/header_mutation.h @@ -19,7 +19,8 @@ using ProtoHeaderMutation = class HeaderMutation : public Envoy::Http::EarlyHeaderMutation { public: - HeaderMutation(const ProtoHeaderMutation& mutations); + HeaderMutation(const ProtoHeaderMutation& mutations, + Server::Configuration::ServerFactoryContext& context); bool mutate(Envoy::Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& stream_info) const override; diff --git a/test/common/http/BUILD b/test/common/http/BUILD index 2aae452aa1dcc..97f77b1eb390e 100644 --- a/test/common/http/BUILD +++ b/test/common/http/BUILD @@ -653,6 +653,7 @@ envoy_cc_test( deps = [ "//source/common/formatter:formatter_extension_lib", "//source/common/http:header_mutation_lib", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/stream_info:stream_info_mocks", "//test/test_common:utility_lib", ], diff --git a/test/common/http/header_mutation_test.cc b/test/common/http/header_mutation_test.cc index 467cc15824791..4908b81d45483 100644 --- a/test/common/http/header_mutation_test.cc +++ b/test/common/http/header_mutation_test.cc @@ -1,5 +1,6 @@ #include "source/common/http/header_mutation.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/stream_info/mocks.h" #include "test/test_common/utility.h" @@ -10,11 +11,13 @@ namespace Http { namespace { TEST(HeaderMutationsTest, BasicRemove) { + Server::Configuration::MockServerFactoryContext context; + ProtoHeaderMutatons proto_mutations; proto_mutations.Add()->set_remove("flag-header"); proto_mutations.Add()->set_remove("another-flag-header"); - auto mutations = HeaderMutations::create(proto_mutations).value(); + auto mutations = HeaderMutations::create(proto_mutations, context).value(); NiceMock stream_info; { @@ -34,7 +37,45 @@ TEST(HeaderMutationsTest, BasicRemove) { } } +TEST(HeaderMutationsTest, RemoveOnMatch) { + Server::Configuration::MockServerFactoryContext context; + + ProtoHeaderMutatons proto_mutations; + auto remove_on_match = proto_mutations.Add()->mutable_remove_on_match(); + remove_on_match->mutable_key_matcher()->set_exact("flag-header"); + auto remove_on_match2 = proto_mutations.Add()->mutable_remove_on_match(); + remove_on_match2->mutable_key_matcher()->set_prefix("remove-prefix-"); + + auto mutations = HeaderMutations::create(proto_mutations, context).value(); + NiceMock stream_info; + + { + Envoy::Http::TestRequestHeaderMapImpl headers = { + {"flag-header", "flag-header-value"}, + {"another-flag-header", "another-flag-header-value"}, + {"not-flag-header", "not-flag-header-value"}, + {"remove-prefix-header1", "value1"}, + {"remove-prefix-header2", "value2"}, + {"keep-prefix-header3", "value3"}, + {":method", "GET"}, + {":path", "/"}, + {":authority", "host"}, + }; + + mutations->evaluateHeaders(headers, {&headers}, stream_info); + EXPECT_EQ("", headers.get_("flag-header")); + EXPECT_EQ("another-flag-header-value", headers.get_("another-flag-header")); + EXPECT_EQ("not-flag-header-value", headers.get_("not-flag-header")); + EXPECT_EQ("", headers.get_("remove-prefix-header1")); + EXPECT_EQ("", headers.get_("remove-prefix-header2")); + EXPECT_EQ("value3", headers.get_("keep-prefix-header3")); + } +} + TEST(HeaderMutationsTest, AllOperations) { + + Server::Configuration::MockServerFactoryContext context; + ProtoHeaderMutatons proto_mutations; // Step 1: Remove 'flag-header' header. proto_mutations.Add()->set_remove("flag-header"); @@ -63,7 +104,7 @@ TEST(HeaderMutationsTest, AllOperations) { append4->mutable_header()->set_value("flag-header-4-value"); append4->set_append_action(ProtoHeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD); - auto mutations = HeaderMutations::create(proto_mutations).value(); + auto mutations = HeaderMutations::create(proto_mutations, context).value(); NiceMock stream_info; // Remove 'flag-header' and try to append 'flag-header' with value 'another-flag-header-value'. @@ -191,6 +232,8 @@ TEST(HeaderMutationsTest, AllOperations) { } TEST(HeaderMutationsTest, KeepEmptyValue) { + Server::Configuration::MockServerFactoryContext context; + ProtoHeaderMutatons proto_mutations; // Step 1: Remove the header. proto_mutations.Add()->set_remove("flag-header"); @@ -202,7 +245,7 @@ TEST(HeaderMutationsTest, KeepEmptyValue) { append->set_append_action(ProtoHeaderValueOption::APPEND_IF_EXISTS_OR_ADD); append->set_keep_empty_value(true); - auto mutations = HeaderMutations::create(proto_mutations).value(); + auto mutations = HeaderMutations::create(proto_mutations, context).value(); NiceMock stream_info; { @@ -221,6 +264,8 @@ TEST(HeaderMutationsTest, KeepEmptyValue) { } TEST(HeaderMutationsTest, BasicOrder) { + Server::Configuration::MockServerFactoryContext context; + { ProtoHeaderMutatons proto_mutations; @@ -233,7 +278,7 @@ TEST(HeaderMutationsTest, BasicOrder) { // Step 2: Remove the header. proto_mutations.Add()->set_remove("flag-header"); - auto mutations = HeaderMutations::create(proto_mutations).value(); + auto mutations = HeaderMutations::create(proto_mutations, context).value(); NiceMock stream_info; Envoy::Http::TestRequestHeaderMapImpl headers = { @@ -258,7 +303,7 @@ TEST(HeaderMutationsTest, BasicOrder) { append->mutable_header()->set_value("%REQ(ANOTHER-FLAG-HEADER)%"); append->set_append_action(ProtoHeaderValueOption::APPEND_IF_EXISTS_OR_ADD); - auto mutations = HeaderMutations::create(proto_mutations).value(); + auto mutations = HeaderMutations::create(proto_mutations, context).value(); NiceMock stream_info; Envoy::Http::TestRequestHeaderMapImpl headers = { @@ -273,10 +318,12 @@ TEST(HeaderMutationsTest, BasicOrder) { } TEST(HeaderMutationTest, Death) { + Server::Configuration::MockServerFactoryContext context; + ProtoHeaderMutatons proto_mutations; proto_mutations.Add(); - EXPECT_DEATH(HeaderMutations::create(proto_mutations).IgnoreError(), "unset oneof"); + EXPECT_DEATH(HeaderMutations::create(proto_mutations, context).IgnoreError(), "unset oneof"); } } // namespace diff --git a/test/extensions/filters/http/header_mutation/header_mutation_test.cc b/test/extensions/filters/http/header_mutation/header_mutation_test.cc index d8b84d51613af..3b2d07b43ce63 100644 --- a/test/extensions/filters/http/header_mutation/header_mutation_test.cc +++ b/test/extensions/filters/http/header_mutation/header_mutation_test.cc @@ -1,6 +1,7 @@ #include "source/extensions/filters/http/header_mutation/header_mutation.h" #include "test/mocks/http/mocks.h" +#include "test/mocks/server/server_factory_context.h" #include "test/test_common/utility.h" #include "gtest/gtest.h" @@ -65,17 +66,19 @@ TEST(HeaderMutationFilterTest, RequestMutationTest) { append_action: "ADD_IF_ABSENT" )EOF"; + Server::Configuration::MockServerFactoryContext context; + PerRouteProtoConfig per_route_proto_config; TestUtility::loadFromYaml(route_config_yaml, per_route_proto_config); absl::Status creation_status = absl::OkStatus(); PerRouteHeaderMutationSharedPtr config = - std::make_shared(per_route_proto_config, creation_status); + std::make_shared(per_route_proto_config, context, creation_status); ProtoConfig proto_config; TestUtility::loadFromYaml(config_yaml, proto_config); HeaderMutationConfigSharedPtr global_config = - std::make_shared(proto_config, creation_status); + std::make_shared(proto_config, context, creation_status); { NiceMock decoder_callbacks; @@ -177,17 +180,19 @@ TEST(HeaderMutationFilterTest, ResponseMutationTest) { - remove: "global-flag-header" )EOF"; + Server::Configuration::MockServerFactoryContext context; + PerRouteProtoConfig per_route_proto_config; TestUtility::loadFromYaml(route_config_yaml, per_route_proto_config); absl::Status creation_status = absl::OkStatus(); PerRouteHeaderMutationSharedPtr config = - std::make_shared(per_route_proto_config, creation_status); + std::make_shared(per_route_proto_config, context, creation_status); ProtoConfig proto_config; TestUtility::loadFromYaml(config_yaml, proto_config); HeaderMutationConfigSharedPtr global_config = - std::make_shared(proto_config, creation_status); + std::make_shared(proto_config, context, creation_status); // Case where the decodeHeaders() is not called and the encodeHeaders() is called. { @@ -353,17 +358,19 @@ TEST(HeaderMutationFilterTest, ResponseTrailerMutationTest) { - remove: "global-flag-header" )EOF"; + Server::Configuration::MockServerFactoryContext context; + PerRouteProtoConfig per_route_proto_config; TestUtility::loadFromYaml(route_config_yaml, per_route_proto_config); absl::Status creation_status = absl::OkStatus(); PerRouteHeaderMutationSharedPtr config = - std::make_shared(per_route_proto_config, creation_status); + std::make_shared(per_route_proto_config, context, creation_status); ProtoConfig proto_config; TestUtility::loadFromYaml(config_yaml, proto_config); HeaderMutationConfigSharedPtr global_config = - std::make_shared(proto_config, creation_status); + std::make_shared(proto_config, context, creation_status); // Case where the decodeHeaders() is not called and the encodeHeaders() is called. { @@ -531,17 +538,19 @@ TEST(HeaderMutationFilterTest, HybridMutationTest) { - remove: "global-flag-header" )EOF"; + Server::Configuration::MockServerFactoryContext context; + PerRouteProtoConfig per_route_proto_config; TestUtility::loadFromYaml(route_config_yaml, per_route_proto_config); absl::Status creation_status = absl::OkStatus(); PerRouteHeaderMutationSharedPtr config = - std::make_shared(per_route_proto_config, creation_status); + std::make_shared(per_route_proto_config, context, creation_status); ProtoConfig proto_config; TestUtility::loadFromYaml(config_yaml, proto_config); HeaderMutationConfigSharedPtr global_config = - std::make_shared(proto_config, creation_status); + std::make_shared(proto_config, context, creation_status); { NiceMock decoder_callbacks; @@ -661,17 +670,19 @@ TEST(HeaderMutationFilterTest, QueryParameterMutationTest) { - remove: "global-flag-header" )EOF"; + Server::Configuration::MockServerFactoryContext context; + PerRouteProtoConfig per_route_proto_config; TestUtility::loadFromYaml(route_config_yaml, per_route_proto_config); absl::Status creation_status = absl::OkStatus(); PerRouteHeaderMutationSharedPtr config = - std::make_shared(per_route_proto_config, creation_status); + std::make_shared(per_route_proto_config, context, creation_status); ProtoConfig proto_config; TestUtility::loadFromYaml(config_yaml, proto_config); HeaderMutationConfigSharedPtr global_config = - std::make_shared(proto_config, creation_status); + std::make_shared(proto_config, context, creation_status); { NiceMock decoder_callbacks; @@ -773,17 +784,19 @@ TEST(HeaderMutationFilterTest, RequestTrailerMutationTest) { - remove: "global-flag-header" )EOF"; + Server::Configuration::MockServerFactoryContext context; + PerRouteProtoConfig per_route_proto_config; TestUtility::loadFromYaml(route_config_yaml, per_route_proto_config); absl::Status creation_status = absl::OkStatus(); PerRouteHeaderMutationSharedPtr config = - std::make_shared(per_route_proto_config, creation_status); + std::make_shared(per_route_proto_config, context, creation_status); ProtoConfig proto_config; TestUtility::loadFromYaml(config_yaml, proto_config); HeaderMutationConfigSharedPtr global_config = - std::make_shared(proto_config, creation_status); + std::make_shared(proto_config, context, creation_status); // Case where the decodeHeaders() is not called and the encodeHeaders() is called. { diff --git a/test/extensions/http/early_header_mutation/header_mutation/BUILD b/test/extensions/http/early_header_mutation/header_mutation/BUILD index 1d631b3a27100..ca1e85566c3f8 100644 --- a/test/extensions/http/early_header_mutation/header_mutation/BUILD +++ b/test/extensions/http/early_header_mutation/header_mutation/BUILD @@ -21,6 +21,7 @@ envoy_extension_cc_test( deps = [ "//source/common/formatter:formatter_extension_lib", "//source/extensions/http/early_header_mutation/header_mutation:header_mutation_lib", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/stream_info:stream_info_mocks", "//test/test_common:utility_lib", ], diff --git a/test/extensions/http/early_header_mutation/header_mutation/header_mutation_test.cc b/test/extensions/http/early_header_mutation/header_mutation/header_mutation_test.cc index 0705d8c58019e..756b63c289b7f 100644 --- a/test/extensions/http/early_header_mutation/header_mutation/header_mutation_test.cc +++ b/test/extensions/http/early_header_mutation/header_mutation/header_mutation_test.cc @@ -1,6 +1,7 @@ #include "source/common/http/header_map_impl.h" #include "source/extensions/http/early_header_mutation/header_mutation/header_mutation.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/stream_info/mocks.h" #include "test/test_common/utility.h" @@ -42,10 +43,12 @@ TEST(HeaderMutationTest, TestAll) { append_action: "OVERWRITE_IF_EXISTS_OR_ADD" )EOF"; + Server::Configuration::MockServerFactoryContext context; + ProtoHeaderMutation proto_mutation; TestUtility::loadFromYaml(config, proto_mutation); - HeaderMutation mutation(proto_mutation); + HeaderMutation mutation(proto_mutation, context); NiceMock stream_info; Envoy::Http::TestRequestHeaderMapImpl headers = { From 05f2b84936f11a2e2863f25f419fb88af3256888 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 17 Sep 2025 20:04:39 -0700 Subject: [PATCH 419/505] dns_resolver: add max_udp_channel_duration to allow periodic refresh of the UDP channel (#41085) ## Description This PR added a new config called `max_udp_channel_duration` for the c-ares DNS resolver which controls the lifetime of the UDP channel and force re-initialize it after that time. We have seen quite a few cases where kube-proxy updates leads to the existing UDP channel in a broken state. Although the `max_udp_queries` are helpful, for regions were we don't have enough traffic it still takes forever to recover. This would help recovery by periodically refreshing the UDP channel in cases mentioned above. --- **Commit Message:** dns_resolver: add max_udp_channel_duration to allow periodic refresh of the UDP channel **Additional Description:** Added `max_udp_channel_duration` configuration field to the c-ares DNS resolver which controls the lifetime of the UDP channel and force re-initialize it after that time. **Risk Level:** Low **Testing:** Added Integration Tests **Docs Changes:** Added **Release Notes:** Added Signed-off-by: Rohit Agrawal --- .../cares/v3/cares_dns_resolver.proto | 12 +- changelogs/current.yaml | 6 + .../network/dns_resolver/cares/dns_impl.cc | 30 ++++ .../network/dns_resolver/cares/dns_impl.h | 4 + .../cares/dns_impl_integration_test.cc | 149 ++++++++++++++++++ .../dns_resolver/cares/dns_impl_test.cc | 1 + 6 files changed, 201 insertions(+), 1 deletion(-) diff --git a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto index 20b6a8a7f0642..5461044b1637a 100644 --- a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +++ b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto @@ -5,6 +5,7 @@ package envoy.extensions.network.dns_resolver.cares.v3; import "envoy/config/core/v3/address.proto"; import "envoy/config/core/v3/resolver.proto"; +import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/status.proto"; @@ -20,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#extension: envoy.network.dns_resolver.cares] // Configuration for c-ares DNS resolver. -// [#next-free-field: 10] +// [#next-free-field: 11] message CaresDnsResolverConfig { // A list of DNS resolver addresses. // :ref:`use_resolvers_as_fallback ` @@ -89,4 +90,13 @@ message CaresDnsResolverConfig { // If unset, c-ares uses its internal default (usually 1232). google.protobuf.UInt32Value edns0_max_payload_size = 9 [(validate.rules).uint32 = {lte: 4096 gte: 512}]; + + // The maximum duration for which a UDP channel will be kept alive before being refreshed. + // + // If set, the DNS resolver will periodically reinitialize its c-ares channel after the + // specified duration. This can help with avoiding stale socket states, and providing + // better load distribution across UDP ports. + // + // If not specified, no periodic refresh will be performed. + google.protobuf.Duration max_udp_channel_duration = 10 [(validate.rules).duration = {gte {}}]; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index f57edaad1a1b9..2d800d57d8d71 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -429,4 +429,10 @@ new_features: - area: dynamic_modules change: | Added support for counters, gauges, histograms, and their vector variants to the dynamic modules API. +- area: dns_resolver + change: | + Added :ref:`max_udp_channel_duration + ` + configuration field to the c-ares DNS resolver. This allows periodic refresh of the UDP channel + to help with avoiding stale socket states, and providing better load distribution across UDP ports. deprecated: diff --git a/source/extensions/network/dns_resolver/cares/dns_impl.cc b/source/extensions/network/dns_resolver/cares/dns_impl.cc index 1feb74e5bfc27..2840b1f522e03 100644 --- a/source/extensions/network/dns_resolver/cares/dns_impl.cc +++ b/source/extensions/network/dns_resolver/cares/dns_impl.cc @@ -19,6 +19,8 @@ #include "source/common/network/address_impl.h" #include "source/common/network/resolver_impl.h" #include "source/common/network/utility.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/protobuf/utility.h" #include "source/common/runtime/runtime_features.h" #include "absl/strings/str_join.h" @@ -54,15 +56,29 @@ DnsResolverImpl::DnsResolverImpl( rotate_nameservers_(config.rotate_nameservers()), edns0_max_payload_size_(static_cast(PROTOBUF_GET_WRAPPED_OR_DEFAULT( config, edns0_max_payload_size, 0))), // 0 means use c-ares default EDNS0 + max_udp_channel_duration_( + config.has_max_udp_channel_duration() + ? std::chrono::milliseconds(Protobuf::util::TimeUtil::DurationToMilliseconds( + config.max_udp_channel_duration())) + : std::chrono::milliseconds::zero()), resolvers_csv_(resolvers_csv), filter_unroutable_families_(config.filter_unroutable_families()), scope_(root_scope.createScope("dns.cares.")), stats_(generateCaresDnsResolverStats(*scope_)) { AresOptions options = defaultAresOptions(); initializeChannel(&options.options_, options.optmask_); + + // Initialize the periodic UDP channel refresh timer if configured. + if (max_udp_channel_duration_ > std::chrono::milliseconds::zero()) { + udp_channel_refresh_timer_ = dispatcher.createTimer([this] { onUdpChannelRefreshTimer(); }); + udp_channel_refresh_timer_->enableTimer(max_udp_channel_duration_); + } } DnsResolverImpl::~DnsResolverImpl() { timer_->disableTimer(); + if (udp_channel_refresh_timer_) { + udp_channel_refresh_timer_->disableTimer(); + } ares_destroy(channel_); } @@ -446,6 +462,20 @@ void DnsResolverImpl::reinitializeChannel() { } } +void DnsResolverImpl::onUdpChannelRefreshTimer() { + ENVOY_LOG_EVENT(debug, "cares_udp_channel_periodic_refresh", + "Performing periodic UDP channel refresh after {} ms", + max_udp_channel_duration_.count()); + + // Reinitialize the channel to refresh UDP sockets. + reinitializeChannel(); + + // Re-enable the timer for the next periodic refresh. + if (udp_channel_refresh_timer_) { + udp_channel_refresh_timer_->enableTimer(max_udp_channel_duration_); + } +} + ActiveDnsQuery* DnsResolverImpl::resolve(const std::string& dns_name, DnsLookupFamily dns_lookup_family, ResolveCb callback) { ENVOY_LOG_EVENT(trace, "cares_dns_resolution_start", "dns resolution for {} started", dns_name); diff --git a/source/extensions/network/dns_resolver/cares/dns_impl.h b/source/extensions/network/dns_resolver/cares/dns_impl.h index 7fc7aa8d8795c..7552fd958cf7e 100644 --- a/source/extensions/network/dns_resolver/cares/dns_impl.h +++ b/source/extensions/network/dns_resolver/cares/dns_impl.h @@ -185,6 +185,8 @@ class DnsResolverImpl : public DnsResolver, protected Logger::Loggable resolvers_csv_; const bool filter_unroutable_families_; Stats::ScopeSharedPtr scope_; diff --git a/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc b/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc index e3d65187a8b26..cfea13859c3a9 100644 --- a/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc +++ b/test/extensions/network/dns_resolver/cares/dns_impl_integration_test.cc @@ -1,4 +1,8 @@ +#include "source/common/protobuf/protobuf.h" +#include "source/extensions/network/dns_resolver/cares/dns_impl.h" + #include "test/integration/http_integration.h" +#include "test/test_common/simulated_time_system.h" namespace Envoy { namespace Network { @@ -52,6 +56,151 @@ TEST_P(DnsImplIntegrationTest, StrictDnsWithCaresResolver) { EXPECT_EQ("200", response->headers().getStatusValue()); } +// Test UDP Channel Refresh Behavior +class DnsResolverUdpChannelRefreshIntegrationTest : public testing::Test { +public: + DnsResolverUdpChannelRefreshIntegrationTest() + : api_(Api::createApiForTest(stats_store_, simulated_time_system_)), + dispatcher_(api_->allocateDispatcher("test_thread")) {} + + void SetUp() override { + resolver_address_ = Network::Utility::parseInternetAddressAndPortNoThrow("127.0.0.1:5353"); + ASSERT_NE(nullptr, resolver_address_); + } + + std::shared_ptr + createResolver(std::chrono::milliseconds refresh_duration = std::chrono::milliseconds::zero()) { + envoy::extensions::network::dns_resolver::cares::v3::CaresDnsResolverConfig config; + config.mutable_dns_resolver_options()->set_use_tcp_for_dns_lookups(false); + + // Add resolver address. + envoy::config::core::v3::Address resolver_addr; + Network::Utility::addressToProtobufAddress(*resolver_address_, resolver_addr); + config.add_resolvers()->CopyFrom(resolver_addr); + + // Set UDP channel refresh duration if specified. + if (refresh_duration > std::chrono::milliseconds::zero()) { + config.mutable_max_udp_channel_duration()->CopyFrom( + Protobuf::util::TimeUtil::MillisecondsToDuration(refresh_duration.count())); + } + + auto csv_or_error = DnsResolverImpl::maybeBuildResolversCsv({resolver_address_}); + EXPECT_TRUE(csv_or_error.ok()); + return std::make_shared(config, *dispatcher_, csv_or_error.value(), + *stats_store_.rootScope()); + } + + Stats::TestUtil::TestStore stats_store_; + Event::SimulatedTimeSystem simulated_time_system_; + Api::ApiPtr api_; + Event::DispatcherPtr dispatcher_; + Network::Address::InstanceConstSharedPtr resolver_address_; +}; + +// Test that UDP channel refresh actually triggers periodic reinitializations. +TEST_F(DnsResolverUdpChannelRefreshIntegrationTest, PeriodicRefreshWorks) { + // Create resolver with 2-second refresh interval. + auto resolver = createResolver(std::chrono::seconds(2)); + + // Verify initial state: no reinitializations. + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); + + // Advance time but not enough to trigger refresh. + simulated_time_system_.advanceTimeAndRun(std::chrono::milliseconds(1500), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); + + // Advance time to trigger first refresh. + simulated_time_system_.advanceTimeAndRun(std::chrono::milliseconds(600), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(1, stats_store_.counter("dns.cares.reinits").value()); + + // Advance time to trigger second refresh. + simulated_time_system_.advanceTimeAndRun(std::chrono::seconds(2), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(2, stats_store_.counter("dns.cares.reinits").value()); + + // Advance time to trigger third refresh. + simulated_time_system_.advanceTimeAndRun(std::chrono::seconds(2), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(3, stats_store_.counter("dns.cares.reinits").value()); +} + +// Test that without UDP channel refresh configured, no periodic reinitialization happens. +TEST_F(DnsResolverUdpChannelRefreshIntegrationTest, NoPeriodicRefreshWhenDisabled) { + // Create resolver without refresh configuration. This is the default behavior. + auto resolver = createResolver(); + + // Verify initial state i.e., no reinitializations. + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); + + // Advance time significantly. + simulated_time_system_.advanceTimeAndRun(std::chrono::seconds(10), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + + // Should still be zero since periodic refresh is disabled. + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); + + // Advance more time to be sure. + simulated_time_system_.advanceTimeAndRun(std::chrono::seconds(30), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); +} + +// Test that different refresh durations work correctly. +TEST_F(DnsResolverUdpChannelRefreshIntegrationTest, DifferentRefreshDurationsWork) { + // Test with a very short refresh interval (500ms). + auto resolver = createResolver(std::chrono::milliseconds(500)); + + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); + + // Should trigger refresh after 500ms. + simulated_time_system_.advanceTimeAndRun(std::chrono::milliseconds(550), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(1, stats_store_.counter("dns.cares.reinits").value()); + + // Should trigger again after another 500ms. + simulated_time_system_.advanceTimeAndRun(std::chrono::milliseconds(500), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_EQ(2, stats_store_.counter("dns.cares.reinits").value()); +} + +// Test that refresh works alongside actual DNS queries. +TEST_F(DnsResolverUdpChannelRefreshIntegrationTest, RefreshWorksWithDnsQueries) { + // Create resolver with 1-second refresh interval. + auto resolver = createResolver(std::chrono::seconds(1)); + // Verify initial state i.e., no reinitializations yet. + EXPECT_EQ(0, stats_store_.counter("dns.cares.reinits").value()); + + // Perform a DNS query. This will likely fail due to no real DNS server, but that's OK. + bool callback_called = false; + resolver->resolve("example.com", DnsLookupFamily::V4Only, + [&](DnsResolver::ResolutionStatus, absl::string_view, + std::list&&) { callback_called = true; }); + + // Advance time to trigger refresh. + simulated_time_system_.advanceTimeAndRun(std::chrono::milliseconds(1100), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + + // Should see reinitialization even with active DNS queries. + EXPECT_GE(stats_store_.counter("dns.cares.reinits").value(), 1); + + // Advance time again. + simulated_time_system_.advanceTimeAndRun(std::chrono::seconds(1), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + dispatcher_->run(Event::Dispatcher::RunType::NonBlock); + EXPECT_GE(stats_store_.counter("dns.cares.reinits").value(), 2); +} + } // namespace } // namespace Network } // namespace Envoy diff --git a/test/extensions/network/dns_resolver/cares/dns_impl_test.cc b/test/extensions/network/dns_resolver/cares/dns_impl_test.cc index 0ef68b6c77bc9..b59e32722b8a5 100644 --- a/test/extensions/network/dns_resolver/cares/dns_impl_test.cc +++ b/test/extensions/network/dns_resolver/cares/dns_impl_test.cc @@ -21,6 +21,7 @@ #include "source/common/network/listen_socket_impl.h" #include "source/common/network/tcp_listener_impl.h" #include "source/common/network/utility.h" +#include "source/common/protobuf/protobuf.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/extensions/network/dns_resolver/cares/dns_impl.h" From 99ac67b19a8fca57ec982a179f80fc9dbbed23a2 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 18 Sep 2025 07:49:01 -0700 Subject: [PATCH 420/505] docs: fix DNS docs for edns0_max_payload_size (#41118) Signed-off-by: Rohit Agrawal --- .../network/dns_resolver/cares/v3/cares_dns_resolver.proto | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto index 5461044b1637a..b060bce969b42 100644 --- a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +++ b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto @@ -81,11 +81,11 @@ message CaresDnsResolverConfig { // Maximum EDNS0 UDP payload size in bytes. // If set, c-ares will include EDNS0 in DNS queries and use this value as the maximum UDP response size. - + // // Recommended values: // - // - 1232: Safe default (avoids fragmentation) - // - 4096: Maximum allowed + // * **1232**: Safe default (avoids fragmentation). + // * **4096**: Maximum allowed. // // If unset, c-ares uses its internal default (usually 1232). google.protobuf.UInt32Value edns0_max_payload_size = 9 From f9a1e00820e11dabae4b21c285e638059261b57c Mon Sep 17 00:00:00 2001 From: "Mark D. Roth" Date: Thu, 18 Sep 2025 07:50:54 -0700 Subject: [PATCH 421/505] ext_proc: improve documentation for ext_proc (#41066) Signed-off-by: Mark D. Roth Co-authored-by: Adi (Suissa) Peleg --- .../extensions/filters/http/ext_proc/v3/BUILD | 1 + .../filters/http/ext_proc/v3/ext_proc.proto | 74 ++++++++++--------- .../http/ext_proc/v3/processing_mode.proto | 15 ++-- .../ext_proc/v3/external_processor.proto | 68 ++++++++--------- 4 files changed, 81 insertions(+), 77 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/BUILD b/api/envoy/extensions/filters/http/ext_proc/v3/BUILD index 5bfeeda1b7b89..782bf90b326bb 100644 --- a/api/envoy/extensions/filters/http/ext_proc/v3/BUILD +++ b/api/envoy/extensions/filters/http/ext_proc/v3/BUILD @@ -6,6 +6,7 @@ licenses(["notice"]) # Apache 2 api_proto_package( deps = [ + "//envoy/annotations:pkg", "//envoy/config/common/mutation_rules/v3:pkg", "//envoy/config/core/v3:pkg", "//envoy/type/matcher/v3:pkg", diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto index 2187c4547c61c..52d9cd282792a 100644 --- a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +++ b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto @@ -16,6 +16,7 @@ import "google/protobuf/wrappers.proto"; import "xds/annotations/v3/status.proto"; +import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -48,8 +49,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // // * Whether it receives the response message at all. // * Whether it receives the message body at all, in separate chunks, or as a single buffer. -// * Whether subsequent HTTP requests are transmitted synchronously or whether they are -// sent asynchronously. // * To modify request or response trailers if they already exist. // // The filter supports up to six different processing steps. Each is represented by @@ -57,9 +56,11 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // processor must send a matching response. // // * Request headers: Contains the headers from the original HTTP request. -// * Request body: Delivered if they are present and sent in a single message if -// the ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode is chosen, in multiple messages if the -// ``STREAMED`` mode is chosen, and not at all otherwise. +// * Request body: If the body is present, the behavior depends on the +// body send mode. In ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode, the body is sent to the external +// processor in a single message. In ``STREAMED`` or ``FULL_DUPLEX_STREAMED`` mode, the body will +// be split across multiple messages sent to the external processor. In ``NONE`` mode, the body +// will not be sent to the external processor. // * Request trailers: Delivered if they are present and if the trailer mode is set // to ``SEND``. // * Response headers: Contains the headers from the HTTP response. Keep in mind @@ -75,7 +76,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // from the external processor. The latter is only enabled if ``allow_mode_override`` is // set to true. This way, a processor may, for example, use information // in the request header to determine whether the message body must be examined, or whether -// the proxy should simply stream it straight through. +// the data plane should simply stream it straight through. // // All of this together allows a server to process the filter traffic in fairly // sophisticated ways. For example: @@ -84,12 +85,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // on the content of the headers. // * A server may choose to immediately reject some messages based on their HTTP // headers (or other dynamic metadata) and more carefully examine others. -// * A server may asynchronously monitor traffic coming through the filter by inspecting -// headers, bodies, or both, and then decide to switch to a synchronous processing -// mode, either permanently or temporarily. // -// The protocol itself is based on a bidirectional gRPC stream. Envoy will send the -// server +// The protocol itself is based on a bidirectional gRPC stream. The data plane will send the server // :ref:`ProcessingRequest ` // messages, and the server must reply with // :ref:`ProcessingResponse `. @@ -124,7 +121,6 @@ message ExternalProcessor { reserved "async_mode"; // Configuration for the gRPC service that the filter will communicate with. - // The filter supports both the "Envoy" and "Google" gRPC clients. // Only one of ``grpc_service`` or ``http_service`` can be set. // It is required that one of them must be set. config.core.v3.GrpcService grpc_service = 1 @@ -140,14 +136,14 @@ message ExternalProcessor { // cannot be configured to send any body or trailers. i.e., ``http_service`` only supports // sending request or response headers to the side stream server. // - // With this configuration, Envoy behavior: + // With this configuration, the data plane behavior is: // // 1. The headers are first put in a proto message // :ref:`ProcessingRequest `. // // 2. This proto message is then transcoded into a JSON text. // - // 3. Envoy then sends an HTTP POST message with content-type as "application/json", + // 3. The data plane then sends an HTTP POST message with content-type as "application/json", // and this JSON text as body to the side stream server. // // After the side-stream receives this HTTP request message, it is expected to do as follows: @@ -160,7 +156,7 @@ message ExternalProcessor { // // 3. It converts the ``ProcessingResponse`` proto message into a JSON text. // - // 4. It then sends an HTTP response back to Envoy with status code as ``"200"``, + // 4. It then sends an HTTP response back to the data plane with status code as ``"200"``, // ``content-type`` as ``"application/json"`` and sets the JSON text as the body. // ExtProcHttpService http_service = 20 [ @@ -190,28 +186,31 @@ message ExternalProcessor { // sent. See ``ProcessingMode`` for details. ProcessingMode processing_mode = 3; - // Envoy provides a number of :ref:`attributes ` + // The data plane provides a number of :ref:`attributes ` // for expressive policies. Each attribute name provided in this field will be - // matched against that list and populated in the ``request_headers`` message. + // matched against that list and populated in the + // :ref:`ProcessingRequest.attributes ` field. // See the :ref:`attribute documentation ` // for the list of supported attributes and their types. repeated string request_attributes = 5; - // Envoy provides a number of :ref:`attributes ` + // The data plane provides a number of :ref:`attributes ` // for expressive policies. Each attribute name provided in this field will be - // matched against that list and populated in the ``response_headers`` message. + // matched against that list and populated in the + // :ref:`ProcessingRequest.attributes ` field. // See the :ref:`attribute documentation ` // for the list of supported attributes and their types. repeated string response_attributes = 6; - // Specifies the timeout for each individual message sent on the stream and - // when the filter is running in synchronous mode. Whenever the proxy sends - // a message on the stream that requires a response, it will reset this timer, - // and will stop processing and return an error (subject to the processing mode) - // if the timer expires before a matching response is received. There is no - // timeout when the filter is running in asynchronous mode. Zero is a valid - // config which means the timer will be triggered immediately. If not - // configured, default is 200 milliseconds. + // Specifies the timeout for each individual message sent on the stream. + // Whenever the data plane sends a message on the stream that requires a + // response, it will reset this timer, and will stop processing and return + // an error (subject to the processing mode) if the timer expires before a + // matching response is received. There is no timeout when the filter is + // running in observability mode or when the body send mode is + // ``FULL_DUPLEX_STREAMED``. Zero is a valid config which means the timer + // will be triggered immediately. If not configured, default is 200 + // milliseconds. google.protobuf.Duration message_timeout = 7 [(validate.rules).duration = { lte {seconds: 3600} gte {} @@ -228,7 +227,7 @@ message ExternalProcessor { // :ref:`header_prefix ` // (which is usually "x-envoy"). // Note that changing headers such as "host" or ":authority" may not in itself - // change Envoy's routing decision, as routes can be cached. To also force the + // change the data plane's routing decision, as routes can be cached. To also force the // route to be recomputed, set the // :ref:`clear_route_cache ` // field to true in the same response. @@ -256,6 +255,7 @@ message ExternalProcessor { // can be overridden by the response message from the external processing server // :ref:`mode_override `. // If not set, ``mode_override`` API in the response message will be ignored. + // Mode override is not supported if the body send mode is ``FULL_DUPLEX_STREAMED``. bool allow_mode_override = 14; // If set to true, ignore the @@ -270,10 +270,10 @@ message ExternalProcessor { // If true, send each part of the HTTP request or response specified by ``ProcessingMode`` // without pausing on filter chain iteration. It is "Send and Go" mode that can be used - // by external processor to observe Envoy data and status. In this mode: + // by external processor to observe the request's data and status. In this mode: // - // 1. Only ``STREAMED`` body processing mode is supported and any other body processing modes will be - // ignored. ``NONE`` mode (i.e., skip body processing) will still work as expected. + // 1. Only ``STREAMED`` and ``NONE`` body processing modes are supported; for any other body + // processing mode, the body will not be sent. // // 2. External processor should not send back processing response, as any responses will be ignored. // This also means that @@ -310,12 +310,13 @@ message ExternalProcessor { // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure // is only used in :ref:`observability_mode `. // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to - // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit. + // backend stream lifetime. In this case, the data plane will eventually timeout the external processor stream according to this time limit. // The default value is 5000 milliseconds (5 seconds) if not specified. google.protobuf.Duration deferred_close_timeout = 19; // Send body to the side stream server once it arrives without waiting for the header response from that server. - // It only works for ``STREAMED`` body processing mode. For any other body processing modes, it is ignored. + // It only works for ``STREAMED`` body processing mode. For any other body + // processing modes, it is ignored. // The server has two options upon receiving a header request: // // 1. Instant Response: send the header response as soon as the header request is received. @@ -324,9 +325,9 @@ message ExternalProcessor { // // In all scenarios, the header-body ordering must always be maintained. // - // If enabled Envoy will ignore the + // If enabled the data plane will ignore the // :ref:`mode_override ` - // value that the server sends in the header response. This is because Envoy may have already + // value that the server sends in the header response. This is because the data plane may have already // sent the body to the server, prior to processing the header response. bool send_body_without_waiting_for_header_response = 21; @@ -430,7 +431,8 @@ message ExtProcOverrides { // [#not-implemented-hide:] // Set a different asynchronous processing option than the default. - bool async_mode = 2; + // Deprecated and not implemented. + bool async_mode = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; // [#not-implemented-hide:] // Set different optional attributes than the default setting of the diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto b/api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto index 467320d4a417b..5ad32af519f80 100644 --- a/api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto +++ b/api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto @@ -65,8 +65,7 @@ message ProcessingMode { // Do not send the body at all. This is the default. NONE = 0; - // Stream the body to the server in pieces as they arrive at the - // proxy. + // Stream the body to the server in pieces as they are seen. STREAMED = 1; // Buffer the message body in memory and send the entire body at once. @@ -79,11 +78,11 @@ message ProcessingMode { // up to the buffer limit will be sent. BUFFERED_PARTIAL = 3; - // Envoy streams the body to the server in pieces as they arrive. + // The ext_proc client (the data plane) streams the body to the server in pieces as they arrive. // // 1) The server may choose to buffer any number chunks of data before processing them. // After it finishes buffering, the server processes the buffered data. Then it splits the processed - // data into any number of chunks, and streams them back to Envoy one by one. + // data into any number of chunks, and streams them back to the ext_proc client one by one. // The server may continuously do so until the complete body is processed. // The individual response chunk size is recommended to be no greater than 64K bytes, or // :ref:`max_receive_message_length ` @@ -98,15 +97,15 @@ message ProcessingMode { // // In this body mode: // * The corresponding trailer mode has to be set to ``SEND``. - // * Envoy will send body and trailers (if present) to the server as they arrive. + // * The client will send body and trailers (if present) to the server as they arrive. // Sending the trailers (if present) is to inform the server the complete body arrives. - // In case there are no trailers, then Envoy will set + // In case there are no trailers, then the client will set // :ref:`end_of_stream ` // to true as part of the last body chunk request to notify the server that no other data is to be sent. // * The server needs to send // :ref:`StreamedBodyResponse ` - // to Envoy in the body response. - // * Envoy will stream the body chunks in the responses from the server to the upstream/downstream as they arrive. + // to the client in the body response. + // * The client will stream the body chunks in the responses from the server to the upstream/downstream as they arrive. FULL_DUPLEX_STREAMED = 4; } diff --git a/api/envoy/service/ext_proc/v3/external_processor.proto b/api/envoy/service/ext_proc/v3/external_processor.proto index e77d60d0b9700..406c5c195a2a7 100644 --- a/api/envoy/service/ext_proc/v3/external_processor.proto +++ b/api/envoy/service/ext_proc/v3/external_processor.proto @@ -27,29 +27,31 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // as part of a filter chain. // The overall external processing protocol works like this: // -// 1. Envoy sends to the service information about the HTTP request. -// 2. The service sends back a ProcessingResponse message that directs Envoy -// to either stop processing, continue without it, or send it the -// next chunk of the message body. -// 3. If so requested, Envoy sends the server the message body in chunks, -// or the entire body at once. In either case, the server may send back -// a ProcessingResponse for each message it receives, or wait for certain amount -// of body chunks received before streams back the ProcessingResponse messages. -// 4. If so requested, Envoy sends the server the HTTP trailers, +// 1. The data plane sends to the service information about the HTTP request. +// 2. The service sends back a ProcessingResponse message that directs +// the data plane to either stop processing, continue without it, or send +// it the next chunk of the message body. +// 3. If so requested, the data plane sends the server the message body in +// chunks, or the entire body at once. In either case, the server may send +// back a ProcessingResponse for each message it receives, or wait for +// a certain amount of body chunks received before streaming back the +// ProcessingResponse messages. +// 4. If so requested, the data plane sends the server the HTTP trailers, // and the server sends back a ProcessingResponse. // 5. At this point, request processing is done, and we pick up again -// at step 1 when Envoy receives a response from the upstream server. +// at step 1 when the data plane receives a response from the upstream +// server. // 6. At any point above, if the server closes the gRPC stream cleanly, -// then Envoy proceeds without consulting the server. +// then the data plane proceeds without consulting the server. // 7. At any point above, if the server closes the gRPC stream with an error, -// then Envoy returns a 500 error to the client, unless the filter +// then the data plane returns a 500 error to the client, unless the filter // was configured to ignore errors. // // In other words, the process is a request/response conversation, but // using a gRPC stream to make it easier for the server to // maintain state. service ExternalProcessor { - // This begins the bidirectional stream that Envoy will use to + // This begins the bidirectional stream that the data plane will use to // give the server control over what the filter does. The actual // protocol is described by the ProcessingRequest and ProcessingResponse // messages below. @@ -79,7 +81,7 @@ message ProtocolConfiguration { bool send_body_without_waiting_for_header_response = 3; } -// This represents the different types of messages that Envoy can send +// This represents the different types of messages that the data plane can send // to an external processing server. // [#next-free-field: 12] message ProcessingRequest { @@ -132,7 +134,7 @@ message ProcessingRequest { // The values of properties selected by the ``request_attributes`` // or ``response_attributes`` list in the configuration. Each entry // in the list is populated from the standard - // :ref:`attributes ` supported across Envoy. + // :ref:`attributes ` supported in the data plane. map attributes = 9; // Specify whether the filter that sent this request is running in :ref:`observability_mode @@ -153,7 +155,7 @@ message ProcessingRequest { ProtocolConfiguration protocol_config = 11; } -// This represents the different types of messages the server may send back to Envoy +// This represents the different types of messages the server may send back to the data plane // when the ``observability_mode`` field in the received ProcessingRequest is set to false. // // * If the corresponding ``BodySendMode`` in the @@ -212,8 +214,8 @@ message ProcessingResponse { // may use this to intelligently control how requests are processed // based on the headers and other metadata that they see. // This field is only applicable when servers responding to the header requests. - // If it is set in the response to the body or trailer requests, it will be ignored by Envoy. - // It is also ignored by Envoy when the ext_proc filter config + // If it is set in the response to the body or trailer requests, it will be ignored by the data plane. + // It is also ignored by the data plane when the ext_proc filter config // :ref:`allow_mode_override // ` // is set to false, or @@ -224,16 +226,16 @@ message ProcessingResponse { // When ext_proc server receives a request message, in case it needs more // time to process the message, it sends back a ProcessingResponse message - // with a new timeout value. When Envoy receives this response message, - // it ignores other fields in the response, just stop the original timer, - // which has the timeout value specified in + // with a new timeout value. When the data plane receives this response + // message, it ignores other fields in the response, just stop the original + // timer, which has the timeout value specified in // :ref:`message_timeout // ` // and start a new timer with this ``override_message_timeout`` value and keep the - // Envoy ext_proc filter state machine intact. + // data plane ext_proc filter state machine intact. // Has to be >= 1ms and <= // :ref:`max_message_timeout ` - // Such message can be sent at most once in a particular Envoy ext_proc filter processing state. + // Such message can be sent at most once in a particular data plane ext_proc filter processing state. // To enable this API, one has to set ``max_message_timeout`` to a number >= 1ms. google.protobuf.Duration override_message_timeout = 10; } @@ -283,26 +285,26 @@ message HttpTrailers { // The following are messages that may be sent back by the server. -// This message is sent by the external server to Envoy after ``HttpHeaders`` was +// This message is sent by the external server to the data plane after ``HttpHeaders`` was // sent to it. message HeadersResponse { - // Details the modifications (if any) to be made by Envoy to the current + // Details the modifications (if any) to be made by the data plane to the current // request/response. CommonResponse response = 1; } -// This message is sent by the external server to Envoy after ``HttpBody`` was +// This message is sent by the external server to the data plane after ``HttpBody`` was // sent to it. message BodyResponse { - // Details the modifications (if any) to be made by Envoy to the current + // Details the modifications (if any) to be made by the data plane to the current // request/response. CommonResponse response = 1; } -// This message is sent by the external server to Envoy after ``HttpTrailers`` was +// This message is sent by the external server to the data plane after ``HttpTrailers`` was // sent to it. message TrailersResponse { - // Details the modifications (if any) to be made by Envoy to the current + // Details the modifications (if any) to be made by the data plane to the current // request/response trailers. HeaderMutation header_mutation = 1; } @@ -332,7 +334,7 @@ message CommonResponse { CONTINUE_AND_REPLACE = 1; } - // If set, provide additional direction on how the Envoy proxy should + // If set, provide additional direction on how the data plane should // handle the rest of the HTTP filter chain. ResponseStatus status = 1 [(validate.rules).enum = {defined_only: true}]; @@ -361,7 +363,7 @@ message CommonResponse { // Clear the route cache for the current client request. This is necessary // if the remote server modified headers that are used to calculate the route. // This field is ignored in the response direction. This field is also ignored - // if the Envoy ext_proc filter is in the upstream filter chain. + // if the data plane ext_proc filter is in the upstream filter chain. bool clear_route_cache = 5; } @@ -415,7 +417,7 @@ message HeaderMutation { // The body response message corresponding to FULL_DUPLEX_STREAMED body mode. message StreamedBodyResponse { - // The body response chunk that will be passed to the upstream/downstream by Envoy. + // The body response chunk that will be passed to the upstream/downstream by the data plane. bytes body = 1; // The server sets this flag to true if it has received a body request with @@ -424,7 +426,7 @@ message StreamedBodyResponse { bool end_of_stream = 2; } -// This message specifies the body mutation the server sends to Envoy. +// This message specifies the body mutation the server sends to the data plane. message BodyMutation { // The type of mutation for the body. oneof mutation { From e7f284a0457335808d6101eb5cfe8af9c7c08200 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Thu, 18 Sep 2025 11:00:54 -0400 Subject: [PATCH 422/505] xds-federation: adding support for OD-CDS over xDS-TP concurrent with CDS SotW (#41117) Prior to this PR, an Envoy that used (old) ADS over SotW to fetch all the clusters and a xDS-TP-config-based source to fetch OD-CDS would see the OD-CDS clusters removed once the ADS update arrives. This PR, changes the SotW CDS wildcard update, and adds tracking to see which resources are fetched from that source. The tracking is only used if both (old) ADS and an xDS-TP based config is configured. This implementation is currently only for CDS, but will need to be part of the (future) xDS-Cache layer. Continuation of #40988. Risk Level: low - should only impact cases that use xDS-TP based configs (guarded by a false by default runtime guard). Testing: Added both unit and integration test. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Adi Suissa-Peleg --- envoy/upstream/cluster_manager.h | 3 +- source/common/upstream/cds_api_impl.cc | 41 ++- source/common/upstream/cds_api_impl.h | 13 +- .../common/upstream/cluster_manager_impl.cc | 14 +- source/common/upstream/cluster_manager_impl.h | 2 +- .../config_validation/cluster_manager.cc | 7 +- .../config_validation/cluster_manager.h | 2 +- test/common/upstream/cds_api_impl_test.cc | 99 +++++++- test/common/upstream/test_cluster_manager.h | 4 +- test/extensions/filters/http/on_demand/BUILD | 1 + .../http/on_demand/odcds_integration_test.cc | 183 +++++++++++++- test/integration/BUILD | 19 +- .../ads_xdstp_config_sources_integration.h | 233 ++++++++++++++++++ ...s_xdstp_config_sources_integration_test.cc | 219 +--------------- test/mocks/upstream/cluster_manager_factory.h | 3 +- 15 files changed, 598 insertions(+), 245 deletions(-) create mode 100644 test/integration/ads_xdstp_config_sources_integration.h diff --git a/envoy/upstream/cluster_manager.h b/envoy/upstream/cluster_manager.h index 236e5b71bba03..f1aeab218bc8b 100644 --- a/envoy/upstream/cluster_manager.h +++ b/envoy/upstream/cluster_manager.h @@ -641,7 +641,8 @@ class ClusterManagerFactory { */ virtual absl::StatusOr createCds(const envoy::config::core::v3::ConfigSource& cds_config, - const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm) PURE; + const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm, + bool support_multi_ads_sources) PURE; }; /** diff --git a/source/common/upstream/cds_api_impl.cc b/source/common/upstream/cds_api_impl.cc index 8882618e487ba..71eefecfd82f6 100644 --- a/source/common/upstream/cds_api_impl.cc +++ b/source/common/upstream/cds_api_impl.cc @@ -12,10 +12,12 @@ absl::StatusOr CdsApiImpl::create(const envoy::config::core::v3::ConfigSource& cds_config, const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::ServerFactoryContext& factory_context) { + Server::Configuration::ServerFactoryContext& factory_context, + bool support_multi_ads_sources) { absl::Status creation_status = absl::OkStatus(); - auto ret = CdsApiPtr{new CdsApiImpl(cds_config, cds_resources_locator, cm, scope, - validation_visitor, factory_context, creation_status)}; + auto ret = + CdsApiPtr{new CdsApiImpl(cds_config, cds_resources_locator, cm, scope, validation_visitor, + factory_context, support_multi_ads_sources, creation_status)}; RETURN_IF_NOT_OK(creation_status); return ret; } @@ -25,12 +27,13 @@ CdsApiImpl::CdsApiImpl(const envoy::config::core::v3::ConfigSource& cds_config, ClusterManager& cm, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::ServerFactoryContext& factory_context, - absl::Status& creation_status) + bool support_multi_ads_sources, absl::Status& creation_status) : Envoy::Config::SubscriptionBase(validation_visitor, "name"), helper_(cm, factory_context.xdsManager(), "cds"), cm_(cm), scope_(scope.createScope("cluster_manager.cds.")), factory_context_(factory_context), - stats_({ALL_CDS_STATS(POOL_COUNTER(*scope_), POOL_GAUGE(*scope_))}) { + stats_({ALL_CDS_STATS(POOL_COUNTER(*scope_), POOL_GAUGE(*scope_))}), + support_multi_ads_sources_(support_multi_ads_sources) { const auto resource_name = getResourceName(); absl::StatusOr subscription_or_error; if (cds_resources_locator == nullptr) { @@ -46,6 +49,34 @@ CdsApiImpl::CdsApiImpl(const envoy::config::core::v3::ConfigSource& cds_config, absl::Status CdsApiImpl::onConfigUpdate(const std::vector& resources, const std::string& version_info) { + // If another source may be adding clusters to the cluster-manager, Envoy needs to + // track which clusters are received via the SotW CDS configuration, so only + // clusters that were added through SotW CDS and are not updated will be removed. + if (support_multi_ads_sources_) { + // The input resources will be the next sotw_resource_names_. + absl::flat_hash_set next_sotw_resource_names; + next_sotw_resource_names.reserve(resources.size()); + std::transform(resources.cbegin(), resources.cend(), + std::inserter(next_sotw_resource_names, next_sotw_resource_names.begin()), + [](const Config::DecodedResourceRef resource) { return resource.get().name(); }); + // Find all the clusters that are currently used, but no longer appear in + // the next step. + Protobuf::RepeatedPtrField to_remove; + for (const std::string& cluster_name : sotw_resource_names_) { + if (!next_sotw_resource_names.contains(cluster_name)) { + to_remove.Add(std::string(cluster_name)); + } + } + absl::Status status = onConfigUpdate(resources, to_remove, version_info); + // Even if the onConfigUpdate() above returns an error, some of the clusters + // may have been updated. Either way, we use the new update to override the + // contents. + // TODO(adisuissa): This will not be needed once the xDS-Cache layer is + // introduced, as it will keep track of only the valid resources. + sotw_resource_names_ = std::move(next_sotw_resource_names); + return status; + } + auto all_existing_clusters = cm_.clusters(); // Exclude the clusters which CDS wants to add. for (const auto& resource : resources) { diff --git a/source/common/upstream/cds_api_impl.h b/source/common/upstream/cds_api_impl.h index 13b04a5ca156a..d6614f012e2e4 100644 --- a/source/common/upstream/cds_api_impl.h +++ b/source/common/upstream/cds_api_impl.h @@ -30,6 +30,7 @@ struct CdsStats { /** * CDS API implementation that fetches via Subscription. + * This supports the wildcard subscription to a single source. */ class CdsApiImpl : public CdsApi, Envoy::Config::SubscriptionBase { @@ -38,7 +39,8 @@ class CdsApiImpl : public CdsApi, create(const envoy::config::core::v3::ConfigSource& cds_config, const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::ServerFactoryContext& factory_context); + Server::Configuration::ServerFactoryContext& factory_context, + bool support_multi_ads_sources); // Upstream::CdsApi void initialize() override { subscription_->start({}); } @@ -60,7 +62,7 @@ class CdsApiImpl : public CdsApi, const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::ServerFactoryContext& factory_context, - absl::Status& creation_status); + bool support_multi_ads_sources, absl::Status& creation_status); void runInitializeCallbackIfAny(); CdsApiHelper helper_; @@ -68,6 +70,13 @@ class CdsApiImpl : public CdsApi, Stats::ScopeSharedPtr scope_; Server::Configuration::ServerFactoryContext& factory_context_; CdsStats stats_; + // This enables tracking the resources via SotW for wildcard-CDS, so concurrent OD-CDS + // resources won't get overridden when a CDS-wildcard update arrives. + // TODO(adisuissa): once proper support for an xDS-Caching layer is added, + // this will not be relevant, as the callbacks will be similar to delta-xDS + // from each collection source. + const bool support_multi_ads_sources_; + absl::flat_hash_set sotw_resource_names_; Config::SubscriptionPtr subscription_; std::function initialize_callback_; }; diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 32ded33a6d6f5..ab8f102afec56 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -456,8 +456,14 @@ ClusterManagerImpl::initialize(const envoy::config::bootstrap::v3::Bootstrap& bo cds_resources_locator = std::make_unique(std::move(url_or_error.value())); } - auto cds_or_error = - factory_.createCds(dyn_resources.cds_config(), cds_resources_locator.get(), *this); + // In case cds_config is configured and the new xDS-TP configs are used, + // then the CdsApi will need to track the resources, as the xDS-TP configs + // may be used for OD-CDS. If this is not set, the SotW update may override + // the OD-CDS resources. + const bool support_multi_ads_sources = + bootstrap.has_default_config_source() || !bootstrap.config_sources().empty(); + auto cds_or_error = factory_.createCds(dyn_resources.cds_config(), cds_resources_locator.get(), + *this, support_multi_ads_sources); RETURN_IF_NOT_OK_REF(cds_or_error.status()) cds_api_ = std::move(*cds_or_error); init_helper_.setCds(cds_api_.get()); @@ -2272,11 +2278,11 @@ ProdClusterManagerFactory::clusterFromProto(const envoy::config::cluster::v3::Cl absl::StatusOr ProdClusterManagerFactory::createCds(const envoy::config::core::v3::ConfigSource& cds_config, const xds::core::v3::ResourceLocator* cds_resources_locator, - ClusterManager& cm) { + ClusterManager& cm, bool support_multi_ads_sources) { // TODO(htuch): Differentiate static vs. dynamic validation visitors. return CdsApiImpl::create(cds_config, cds_resources_locator, cm, *stats_.rootScope(), context_.messageValidationContext().dynamicValidationVisitor(), - context_); + context_, support_multi_ads_sources); } } // namespace Upstream diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index 51b34f180df5d..2090e81bd82d4 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h @@ -84,7 +84,7 @@ class ProdClusterManagerFactory : public ClusterManagerFactory { Outlier::EventLoggerSharedPtr outlier_event_logger, bool added_via_api) override; absl::StatusOr createCds(const envoy::config::core::v3::ConfigSource& cds_config, const xds::core::v3::ResourceLocator* cds_resources_locator, - ClusterManager& cm) override; + ClusterManager& cm, bool support_multi_ads_sources) override; protected: Server::Configuration::ServerFactoryContext& context_; diff --git a/source/server/config_validation/cluster_manager.cc b/source/server/config_validation/cluster_manager.cc index e476194bbad07..90636c9165a7a 100644 --- a/source/server/config_validation/cluster_manager.cc +++ b/source/server/config_validation/cluster_manager.cc @@ -19,10 +19,11 @@ absl::StatusOr ValidationClusterManagerFactory::clusterManage absl::StatusOr ValidationClusterManagerFactory::createCds( const envoy::config::core::v3::ConfigSource& cds_config, - const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm) { + const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm, + bool support_multi_ads_sources) { // Create the CdsApiImpl... - auto cluster_or_error = - ProdClusterManagerFactory::createCds(cds_config, cds_resources_locator, cm); + auto cluster_or_error = ProdClusterManagerFactory::createCds(cds_config, cds_resources_locator, + cm, support_multi_ads_sources); RETURN_IF_NOT_OK_REF(cluster_or_error.status()); // ... and then throw it away, so that we don't actually connect to it. return nullptr; diff --git a/source/server/config_validation/cluster_manager.h b/source/server/config_validation/cluster_manager.h index a6f98effc68b9..2821f87413dca 100644 --- a/source/server/config_validation/cluster_manager.h +++ b/source/server/config_validation/cluster_manager.h @@ -32,7 +32,7 @@ class ValidationClusterManagerFactory : public ProdClusterManagerFactory { // unconditionally. absl::StatusOr createCds(const envoy::config::core::v3::ConfigSource& cds_config, const xds::core::v3::ResourceLocator* cds_resources_locator, - ClusterManager& cm) override; + ClusterManager& cm, bool support_multi_ads_sources) override; }; /** diff --git a/test/common/upstream/cds_api_impl_test.cc b/test/common/upstream/cds_api_impl_test.cc index 15614d01c07d3..6cbc51f1b10a8 100644 --- a/test/common/upstream/cds_api_impl_test.cc +++ b/test/common/upstream/cds_api_impl_test.cc @@ -37,10 +37,10 @@ MATCHER_P(WithName, expectedName, "") { return arg.name() == expectedName; } class CdsApiImplTest : public testing::Test { protected: - void setup() { + void setup(bool support_multi_ads_sources = false) { envoy::config::core::v3::ConfigSource cds_config; cds_ = *CdsApiImpl::create(cds_config, nullptr, cm_, *scope_.rootScope(), validation_visitor_, - server_factory_context_); + server_factory_context_, support_multi_ads_sources); cds_->setInitializedCb([this]() -> void { initialized_.ready(); }); EXPECT_CALL(*cm_.subscription_factory_.subscription_, start(_)); @@ -382,6 +382,101 @@ TEST_F(CdsApiImplTest, FailureSubscription) { EXPECT_EQ("", cds_->versionInfo()); } +// Tests that when a SotW update happens, a cluster that was added by another +// source is not removed. +TEST_F(CdsApiImplTest, MultiAdsSourcesEnabledSotW) { + InSequence s; + setup(true); + + // 1. Initial SotW update introduces "sotw_cluster_1". + const std::string response1_yaml = R"EOF( +version_info: '0' +resources: +- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: sotw_cluster_1 +)EOF"; + auto response1 = + TestUtility::parseYaml(response1_yaml); + const auto decoded_resources1 = + TestUtility::decodeResources(response1); + + expectAdd("sotw_cluster_1", "0"); + EXPECT_CALL(initialized_, ready()); + EXPECT_TRUE( + cds_callbacks_->onConfigUpdate(decoded_resources1.refvec_, response1.version_info()).ok()); + EXPECT_EQ("0", cds_->versionInfo()); + + // 2. A second SotW update removes "sotw_cluster_1" and adds "sotw_cluster_2". + // We also imagine an on-demand cluster "od_cluster_1" now exists. + const std::string response2_yaml = R"EOF( +version_info: '1' +resources: +- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: sotw_cluster_2 +)EOF"; + auto response2 = + TestUtility::parseYaml(response2_yaml); + const auto decoded_resources2 = + TestUtility::decodeResources(response2); + + // The update should add the new cluster. + expectAdd("sotw_cluster_2", "1"); + // Crucially, it should ONLY remove the cluster it knew about ("sotw_cluster_1"). + // "od_cluster_1" should NOT be removed. + EXPECT_CALL(cm_, removeCluster("sotw_cluster_1", false)); + EXPECT_CALL(cm_, removeCluster("od_cluster_1", false)).Times(0); + + EXPECT_TRUE( + cds_callbacks_->onConfigUpdate(decoded_resources2.refvec_, response2.version_info()).ok()); + EXPECT_EQ("1", cds_->versionInfo()); +} + +// Tests that if a SotW update contains all the clusters it previously managed, +// no clusters are removed, even if other on-demand clusters exist. +TEST_F(CdsApiImplTest, MultiAdsSourcesEnabledNoRemoval) { + InSequence s; + setup(true); + + // 1. Initial SotW update introduces "sotw_cluster_1". + const std::string response1_yaml = R"EOF( +version_info: '0' +resources: +- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: sotw_cluster_1 +)EOF"; + auto response1 = + TestUtility::parseYaml(response1_yaml); + const auto decoded_resources1 = + TestUtility::decodeResources(response1); + + expectAdd("sotw_cluster_1", "0"); + EXPECT_CALL(initialized_, ready()); + EXPECT_TRUE( + cds_callbacks_->onConfigUpdate(decoded_resources1.refvec_, response1.version_info()).ok()); + + // 2. A second SotW update still contains "sotw_cluster_1". + // An on-demand cluster "od_cluster_1" has also been added. + const std::string response2_yaml = R"EOF( +version_info: '1' +resources: +- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: sotw_cluster_1 +)EOF"; + auto response2 = + TestUtility::parseYaml(response2_yaml); + const auto decoded_resources2 = + TestUtility::decodeResources(response2); + + // The existing cluster is updated. + expectAdd("sotw_cluster_1", "1"); + // No clusters should be removed. + EXPECT_CALL(cm_, removeCluster(_, false)).Times(0); + + EXPECT_TRUE( + cds_callbacks_->onConfigUpdate(decoded_resources2.refvec_, response2.version_info()).ok()); + EXPECT_EQ("1", cds_->versionInfo()); +} + } // namespace } // namespace Upstream } // namespace Envoy diff --git a/test/common/upstream/test_cluster_manager.h b/test/common/upstream/test_cluster_manager.h index da938f4d28471..8998d0c5f340c 100644 --- a/test/common/upstream/test_cluster_manager.h +++ b/test/common/upstream/test_cluster_manager.h @@ -118,8 +118,8 @@ class TestClusterManagerFactory : public ClusterManagerFactory { } absl::StatusOr createCds(const envoy::config::core::v3::ConfigSource&, - const xds::core::v3::ResourceLocator*, - ClusterManager&) override { + const xds::core::v3::ResourceLocator*, ClusterManager&, + bool) override { return CdsApiPtr{createCds_()}; } diff --git a/test/extensions/filters/http/on_demand/BUILD b/test/extensions/filters/http/on_demand/BUILD index b3caf61820a8e..8b3de9622d14c 100644 --- a/test/extensions/filters/http/on_demand/BUILD +++ b/test/extensions/filters/http/on_demand/BUILD @@ -64,6 +64,7 @@ envoy_extension_cc_test( "//source/extensions/filters/http/on_demand:on_demand_update_lib", "//test/common/grpc:grpc_client_integration_lib", "//test/integration:ads_integration_lib", + "//test/integration:ads_xdstp_config_sources_integration_lib", "//test/integration:fake_upstream_lib", "//test/integration:http_integration_lib", "//test/integration:scoped_rds_lib", diff --git a/test/extensions/filters/http/on_demand/odcds_integration_test.cc b/test/extensions/filters/http/on_demand/odcds_integration_test.cc index c289f97770f11..abab017809ea4 100644 --- a/test/extensions/filters/http/on_demand/odcds_integration_test.cc +++ b/test/extensions/filters/http/on_demand/odcds_integration_test.cc @@ -11,6 +11,7 @@ #include "test/common/grpc/grpc_client_integration.h" #include "test/integration/ads_integration.h" +#include "test/integration/ads_xdstp_config_sources_integration.h" #include "test/integration/fake_upstream.h" #include "test/integration/http_integration.h" #include "test/integration/scoped_rds.h" @@ -992,6 +993,187 @@ TEST_P(OdCdsXdstpIntegrationTest, OnDemandCdsWithEds) { cleanupUpstreamAndDownstream(); } +/** + * Tests a use-case where OD-CDS is using xDS-TP based config source, and an + * (old) ADS source updates the wildcard clusters subscriptions. + */ +class OdCdsXdstpAdsIntegrationTest : public AdsXdsTpConfigsIntegrationTest { +public: + OdCdsXdstpAdsIntegrationTest() : AdsXdsTpConfigsIntegrationTest() { + // Override the sotw_or_delta_ settings to only use SotW-ADS. + // Note that in the future this can be modified to support other types as + // well, but currently not needed. + ads_config_type_override_ = envoy::config::core::v3::ApiConfigSource::GRPC; + } + + void initialize() override { + // Skipping port usage validation because this tests will create new clusters + // that will be sent to the OD-CDS subscriptions. + config_helper_.skipPortUsageValidation(); + AdsXdsTpConfigsIntegrationTest::initialize(); + + // Add a fake cluster server that will be returned for the OD-CDS request. + new_cluster_upstream_idx_ = fake_upstreams_.size(); + addFakeUpstream(Http::CodecType::HTTP2); + new_cluster_ = ConfigHelper::buildStaticCluster( + "xdstp://authority1.com/envoy.config.cluster.v3.Cluster/on_demand_clusters/new_cluster", + fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + } + + envoy::config::listener::v3::Listener buildListener() { + OdCdsListenerBuilder builder(Network::Test::getLoopbackAddressString(ipVersion())); + auto per_route_config = OdCdsIntegrationHelper::createPerRouteConfig(absl::nullopt, 2500); + OdCdsIntegrationHelper::addPerRouteConfig(builder.hcm(), std::move(per_route_config), + "integration", {}); + return builder.listener(); + } + + envoy::config::endpoint::v3::ClusterLoadAssignment + buildClusterLoadAssignment(const std::string& name, size_t upstream_idx) { + return ConfigHelper::buildClusterLoadAssignment( + name, Network::Test::getLoopbackAddressString(ipVersion()), + fake_upstreams_[upstream_idx]->localAddress()->ip()->port()); + } + + bool compareRequest(const std::string& type_url, + const std::vector& expected_resource_subscriptions, + const std::vector& expected_resource_unsubscriptions, + bool expect_node = false) { + return compareDeltaDiscoveryRequest(type_url, expected_resource_subscriptions, + expected_resource_unsubscriptions, + Grpc::Status::WellKnownGrpcStatus::Ok, "", expect_node); + }; + + // Compares a discovery request from the (old) ADS stream. This only supports + // SotW at the moment. + AssertionResult compareAdsDiscoveryRequest( + const std::string& expected_type_url, const std::string& expected_version, + const std::vector& expected_resource_names, bool expect_node = false, + const Protobuf::int32 expected_error_code = Grpc::Status::WellKnownGrpcStatus::Ok, + const std::string& expected_error_substring = "") { + return compareSotwDiscoveryRequest(expected_type_url, expected_version, expected_resource_names, + expect_node, expected_error_code, expected_error_substring); + } + + // Sends a discovery response using the (old) ADS stream. This only supports + // SotW at the moment. + template + void sendAdsDiscoveryResponse(const std::string& type_url, + const std::vector& state_of_the_world, + const std::string& version) { + sendSotwDiscoveryResponse(type_url, state_of_the_world, version); + } + + std::size_t new_cluster_upstream_idx_; + envoy::config::cluster::v3::Cluster new_cluster_; +}; + +INSTANTIATE_TEST_SUITE_P( + IpVersionsClientTypeDeltaWildcard, OdCdsXdstpAdsIntegrationTest, + testing::Combine(testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + testing::ValuesIn(TestEnvironment::getsGrpcVersionsForTest()), + // TODO(adisuissa): add SotW validation - this should work + // as long as there isn't both empty wildcard and on-demand + // on the same xds-tp gRPC-mux (which is not supported at + // the moment). + // Only delta xDS is supported for on-demand CDS. + testing::Values(Grpc::SotwOrDelta::Delta, Grpc::SotwOrDelta::UnifiedDelta))); + +// tests a scenario when: +// - Envoy receives a CDS over SotW-ADS update, and receives 1 cluster +// - downstream client makes a request to an unknown cluster +// - odcds initiates a connection with a request for the cluster +// - a response contains the cluster +// - request is resumed +// - Envoy receives an update to the CDS over SotW-ADS +// - another request is sent to the same on-demand cluster +// - no odcds happens, because the cluster is known, and the request is successful +TEST_P(OdCdsXdstpAdsIntegrationTest, OnDemandClusterDiscoveryWithSotwAds) { + // Sets the cds_config (lds is needed to allow proper integration test suite initialization). + setupClustersFromOldAds(); + setupListenersFromOldAds(); + initialize(); + + // Handle the CDS request - send a single cluster. + // Wait for ADS clusters request and send a cluster that points to load + // assignment in authority1.com. + EXPECT_TRUE(compareAdsDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, true)); + envoy::config::cluster::v3::Cluster sotw_cluster = ConfigHelper::buildStaticCluster( + "sotw_cluster", 1234, Network::Test::getLoopbackAddressString(ipVersion())); + sendAdsDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {sotw_cluster}, "1"); + + // Send the Listener (with the OD-CDS filter) using the old ADS. + EXPECT_TRUE(compareAdsDiscoveryRequest(Config::TestTypeUrl::get().Listener, "", {})); + const envoy::config::listener::v3::Listener listener = buildListener(); + sendAdsDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {listener}, "1"); + + // Old ADS receives a CDS and a LDS ACK. + EXPECT_TRUE(compareAdsDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {})); + EXPECT_TRUE(compareAdsDiscoveryRequest(Config::TestTypeUrl::get().Listener, "1", {})); + // Expected 5 clusters: dummy, authority1_cluster, default_authority_cluster, + // ads_cluster and sotw_cluster. + EXPECT_EQ(5, test_server_->gauge("cluster_manager.active_clusters")->value()); + + // Envoy should now complete initialization. + test_server_->waitForCounterGe("listener_manager.listener_create_success", 1); + registerTestServerPorts({"http"}); + + // Send the first request. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + const std::string& cluster_name = new_cluster_.name(); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", cluster_name}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Authority1 should receive the ODCDS request. + EXPECT_TRUE(compareDiscoveryRequest( + Config::TestTypeUrl::get().Cluster, "", {cluster_name}, {cluster_name}, {}, true, + Grpc::Status::WellKnownGrpcStatus::Ok, "", authority1_xds_stream_.get())); + sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {new_cluster_}, {new_cluster_}, {}, + "1", {}, authority1_xds_stream_.get()); + // Expect a CDS ACK from authority1. + EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "1", {cluster_name}, {}, + {}, false, Grpc::Status::WellKnownGrpcStatus::Ok, "", + authority1_xds_stream_.get())); + + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + // Send response headers, and end_stream if there is no response body. + upstream_request_->encodeHeaders(default_response_headers_, true); + + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + // Expected 6 clusters: dummy, authority1_cluster, default_authority_cluster, + // ads_cluster, sotw_cluster, and the OD-CDS-cluster. + EXPECT_EQ(6, test_server_->gauge("cluster_manager.active_clusters")->value()); + + // Update the SotW cluster, and send it. + sotw_cluster.mutable_connect_timeout()->set_seconds(5); + sendAdsDiscoveryResponse(Config::TestTypeUrl::get().Cluster, + {sotw_cluster}, "2"); + // Old ADS receives a CDS ACK. + EXPECT_TRUE(compareAdsDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "2", {})); + // Expected 6 clusters: dummy, authority1_cluster, default_authority_cluster, + // ads_cluster, sotw_cluster, and the OD-CDS-cluster. + EXPECT_EQ(6, test_server_->gauge("cluster_manager.active_clusters")->value()); + + // Next request should be handled right away (no xDS subscription). + response = codec_client_->makeHeaderOnlyRequest(request_headers); + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + cleanupUpstreamAndDownstream(); +} + class OdCdsScopedRdsIntegrationTestBase : public ScopedRdsIntegrationTest { public: void addOnDemandConfig(OdCdsIntegrationHelper::OnDemandConfig config) { @@ -1307,6 +1489,5 @@ TEST_P(OdCdsScopedRdsIntegrationTest, OnDemandUpdateFailsBecauseOdCdsIsDisabledI cleanupUpstreamAndDownstream(); } - } // namespace } // namespace Envoy diff --git a/test/integration/BUILD b/test/integration/BUILD index b9362ba7c4337..a59e9515b7a19 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -131,16 +131,15 @@ envoy_cc_test( ], ) -envoy_cc_test( - name = "ads_xdstp_config_sources_integration_test", - srcs = ["ads_xdstp_config_sources_integration_test.cc"], +envoy_cc_test_library( + name = "ads_xdstp_config_sources_integration_lib", + hdrs = ["ads_xdstp_config_sources_integration.h"], rbe_pool = "4core", tags = [ "cpu:3", ], deps = [ ":ads_integration_lib", - ":http_integration_lib", "//source/common/config:protobuf_link_hacks", "//source/common/protobuf:utility_lib", "//test/common/grpc:grpc_client_integration_lib", @@ -156,6 +155,18 @@ envoy_cc_test( ], ) +envoy_cc_test( + name = "ads_xdstp_config_sources_integration_test", + srcs = ["ads_xdstp_config_sources_integration_test.cc"], + rbe_pool = "4core", + tags = [ + "cpu:3", + ], + deps = [ + ":ads_xdstp_config_sources_integration_lib", + ], +) + envoy_cc_test( name = "alpn_integration_test", size = "large", diff --git a/test/integration/ads_xdstp_config_sources_integration.h b/test/integration/ads_xdstp_config_sources_integration.h new file mode 100644 index 0000000000000..32569ccfab0bb --- /dev/null +++ b/test/integration/ads_xdstp_config_sources_integration.h @@ -0,0 +1,233 @@ +#pragma once + +#include "envoy/config/bootstrap/v3/bootstrap.pb.h" +#include "envoy/config/cluster/v3/cluster.pb.h" +#include "envoy/config/core/v3/base.pb.h" +#include "envoy/config/endpoint/v3/endpoint.pb.h" +#include "envoy/config/listener/v3/listener.pb.h" +#include "envoy/config/route/v3/route.pb.h" +#include "envoy/grpc/status.h" + +#include "source/common/config/protobuf_link_hacks.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/protobuf/utility.h" +#include "source/common/tls/server_context_config_impl.h" +#include "source/common/tls/server_ssl_socket.h" +#include "source/common/version/version.h" + +#include "test/common/grpc/grpc_client_integration.h" +#include "test/config/v2_link_hacks.h" +#include "test/integration/ads_integration.h" +#include "test/integration/http_integration.h" +#include "test/integration/utility.h" +#include "test/test_common/network_utility.h" +#include "test/test_common/resources.h" +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" + +using testing::AssertionResult; + +namespace Envoy { + +// Tests for cases where both (old) ADS and xDS-TP based config sources are +// defined in the bootstrap. +class AdsXdsTpConfigsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamTest, + public HttpIntegrationTest { +public: + AdsXdsTpConfigsIntegrationTest() + : HttpIntegrationTest( + Http::CodecType::HTTP2, ipVersion(), + ConfigHelper::adsBootstrap((sotwOrDelta() == Grpc::SotwOrDelta::Sotw) || + (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw) + ? "GRPC" + : "DELTA_GRPC")) { + config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", + (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw || + sotwOrDelta() == Grpc::SotwOrDelta::UnifiedDelta) + ? "true" + : "false"); + use_lds_ = false; + // xds_upstream_ will be used for the ADS upstream. + create_xds_upstream_ = true; + // Not testing TLS in this case. + tls_xds_upstream_ = false; + sotw_or_delta_ = sotwOrDelta(); + setUpstreamProtocol(Http::CodecType::HTTP2); + } + + FakeUpstream* createAdsUpstream() { + ASSERT(!tls_xds_upstream_); + addFakeUpstream(Http::CodecType::HTTP2); + return fake_upstreams_.back().get(); + } + + void createUpstreams() override { + HttpIntegrationTest::createUpstreams(); + // An upstream for authority1 (H/2), an upstream for the default_authority (H/2), and an + // upstream for a backend (H/1). + authority1_upstream_ = createAdsUpstream(); + default_authority_upstream_ = createAdsUpstream(); + } + + void TearDown() override { + cleanupXdsConnection(xds_connection_); + cleanupXdsConnection(authority1_xds_connection_); + cleanupXdsConnection(default_authority_xds_connection_); + } + + void cleanupXdsConnection(FakeHttpConnectionPtr& connection) { + if (connection != nullptr) { + AssertionResult result = connection->close(); + RELEASE_ASSERT(result, result.message()); + result = connection->waitForDisconnect(); + RELEASE_ASSERT(result, result.message()); + connection.reset(); + } + } + + bool isSotw() const { + return sotwOrDelta() == Grpc::SotwOrDelta::Sotw || + sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw; + } + + // Adds config_source for authority1.com and a default_config_source for + // default_authority.com. + void initialize() override { + config_helper_.addRuntimeOverride( + "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions", "true"); + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Add the first config_source. + { + auto* config_source1 = bootstrap.mutable_config_sources()->Add(); + config_source1->mutable_authorities()->Add()->set_name("authority1.com"); + auto* api_config_source = config_source1->mutable_api_config_source(); + api_config_source->set_api_type( + isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC + : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); + api_config_source->set_transport_api_version(envoy::config::core::v3::V3); + api_config_source->set_set_node_on_first_message_only(true); + auto* grpc_service = api_config_source->add_grpc_services(); + setGrpcService(*grpc_service, "authority1_cluster", authority1_upstream_->localAddress()); + auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); + xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + xds_cluster->set_name("authority1_cluster"); + } + // Add the default config source. + { + auto* default_config_source = bootstrap.mutable_default_config_source(); + default_config_source->mutable_authorities()->Add()->set_name("default_authority.com"); + auto* api_config_source = default_config_source->mutable_api_config_source(); + api_config_source->set_api_type( + isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC + : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); + api_config_source->set_transport_api_version(envoy::config::core::v3::V3); + api_config_source->set_set_node_on_first_message_only(true); + auto* grpc_service = api_config_source->add_grpc_services(); + setGrpcService(*grpc_service, "default_authority_cluster", + default_authority_upstream_->localAddress()); + auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); + xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + xds_cluster->set_name("default_authority_cluster"); + } + // Add the (old) ADS server. + { + auto* ads_config = bootstrap.mutable_dynamic_resources()->mutable_ads_config(); + if (ads_config_type_override_.has_value()) { + ads_config->set_api_type(ads_config_type_override_.value()); + } else { + ads_config->set_api_type(isSotw() ? envoy::config::core::v3::ApiConfigSource::GRPC + : envoy::config::core::v3::ApiConfigSource::DELTA_GRPC); + } + ads_config->set_transport_api_version(envoy::config::core::v3::V3); + ads_config->set_set_node_on_first_message_only(true); + auto* grpc_service = ads_config->add_grpc_services(); + setGrpcService(*grpc_service, "ads_cluster", xds_upstream_->localAddress()); + auto* ads_cluster = bootstrap.mutable_static_resources()->add_clusters(); + ads_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + ads_cluster->set_name("ads_cluster"); + } + }); + HttpIntegrationTest::initialize(); + connectAds(); + connectAuthority1(); + connectDefaultAuthority(); + } + + void connectAds() { + if (xds_stream_ == nullptr) { + AssertionResult result = xds_upstream_->waitForHttpConnection(*dispatcher_, xds_connection_); + RELEASE_ASSERT(result, result.message()); + result = xds_connection_->waitForNewStream(*dispatcher_, xds_stream_); + RELEASE_ASSERT(result, result.message()); + xds_stream_->startGrpcStream(); + } + } + + void connectAuthority1() { + AssertionResult result = + authority1_upstream_->waitForHttpConnection(*dispatcher_, authority1_xds_connection_); + RELEASE_ASSERT(result, result.message()); + result = authority1_xds_connection_->waitForNewStream(*dispatcher_, authority1_xds_stream_); + RELEASE_ASSERT(result, result.message()); + authority1_xds_stream_->startGrpcStream(); + } + + void connectDefaultAuthority() { + AssertionResult result = default_authority_upstream_->waitForHttpConnection( + *dispatcher_, default_authority_xds_connection_); + RELEASE_ASSERT(result, result.message()); + result = default_authority_xds_connection_->waitForNewStream(*dispatcher_, + default_authority_xds_stream_); + RELEASE_ASSERT(result, result.message()); + default_authority_xds_stream_->startGrpcStream(); + } + + envoy::config::endpoint::v3::ClusterLoadAssignment + buildClusterLoadAssignment(const std::string& name) { + // The first fake upstream is the emulated backend server. + return ConfigHelper::buildClusterLoadAssignment( + name, Network::Test::getLoopbackAddressString(ipVersion()), + fake_upstreams_[0].get()->localAddress()->ip()->port()); + } + + void setupClustersFromOldAds() { + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + bootstrap.mutable_dynamic_resources()->mutable_cds_config()->mutable_ads(); + }); + } + + void setupListenersFromOldAds() { + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + bootstrap.mutable_dynamic_resources()->mutable_lds_config()->mutable_ads(); + }); + } + + envoy::config::listener::v3::Listener buildListener(const std::string& name, + const std::string& route_config) { + return ConfigHelper::buildListener( + name, route_config, Network::Test::getLoopbackAddressString(ipVersion()), "ads_test"); + } + + void makeSingleRequest() { + registerTestServerPorts({"http"}); + testRouterHeaderOnlyRequestAndResponse(); + cleanupUpstreamAndDownstream(); + } + + // Data members that emulate the authority1 server. + FakeUpstream* authority1_upstream_; + FakeHttpConnectionPtr authority1_xds_connection_; + FakeStreamPtr authority1_xds_stream_; + + // Data members that emulate the default_authority server. + FakeUpstream* default_authority_upstream_; + FakeHttpConnectionPtr default_authority_xds_connection_; + FakeStreamPtr default_authority_xds_stream_; + + // An optional setting to overwrite the (old) ADS config type. By default it + // is not set, and the integration test param value will be used. + absl::optional ads_config_type_override_; +}; + +} // namespace Envoy diff --git a/test/integration/ads_xdstp_config_sources_integration_test.cc b/test/integration/ads_xdstp_config_sources_integration_test.cc index 35a595b5f4cd6..ec7118805520a 100644 --- a/test/integration/ads_xdstp_config_sources_integration_test.cc +++ b/test/integration/ads_xdstp_config_sources_integration_test.cc @@ -1,226 +1,9 @@ -#include "envoy/config/bootstrap/v3/bootstrap.pb.h" -#include "envoy/config/cluster/v3/cluster.pb.h" -#include "envoy/config/core/v3/base.pb.h" -#include "envoy/config/endpoint/v3/endpoint.pb.h" -#include "envoy/config/listener/v3/listener.pb.h" -#include "envoy/config/route/v3/route.pb.h" -#include "envoy/grpc/status.h" - -#include "source/common/config/protobuf_link_hacks.h" -#include "source/common/protobuf/protobuf.h" -#include "source/common/protobuf/utility.h" -#include "source/common/tls/server_context_config_impl.h" -#include "source/common/tls/server_ssl_socket.h" -#include "source/common/version/version.h" - -#include "test/common/grpc/grpc_client_integration.h" -#include "test/config/v2_link_hacks.h" -#include "test/integration/ads_integration.h" -#include "test/integration/http_integration.h" -#include "test/integration/utility.h" -#include "test/test_common/network_utility.h" -#include "test/test_common/resources.h" -#include "test/test_common/utility.h" - -#include "gtest/gtest.h" +#include "test/integration/ads_xdstp_config_sources_integration.h" using testing::AssertionResult; namespace Envoy { -// Tests for cases where both (old) ADS and xDS-TP based config sources are -// defined in the bootstrap. -class AdsXdsTpConfigsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamTest, - public HttpIntegrationTest { -public: - AdsXdsTpConfigsIntegrationTest() - : HttpIntegrationTest( - Http::CodecType::HTTP2, ipVersion(), - // ConfigHelper::httpProxyConfig(false)) { - ConfigHelper::adsBootstrap((sotwOrDelta() == Grpc::SotwOrDelta::Sotw) || - (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw) - ? "GRPC" - : "DELTA_GRPC")) { - config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", - (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw || - sotwOrDelta() == Grpc::SotwOrDelta::UnifiedDelta) - ? "true" - : "false"); - use_lds_ = false; - // xds_upstream_ will be used for the ADS upstream. - create_xds_upstream_ = true; - // Not testing TLS in this case. - tls_xds_upstream_ = false; - sotw_or_delta_ = sotwOrDelta(); - setUpstreamProtocol(Http::CodecType::HTTP2); - } - - FakeUpstream* createAdsUpstream() { - ASSERT(!tls_xds_upstream_); - addFakeUpstream(Http::CodecType::HTTP2); - return fake_upstreams_.back().get(); - } - - void createUpstreams() override { - HttpIntegrationTest::createUpstreams(); - // An upstream for authority1 (H/2), an upstream for the default_authority (H/2), and an - // upstream for a backend (H/1). - authority1_upstream_ = createAdsUpstream(); - default_authority_upstream_ = createAdsUpstream(); - } - - void TearDown() override { - cleanupXdsConnection(xds_connection_); - cleanupXdsConnection(authority1_xds_connection_); - cleanupXdsConnection(default_authority_xds_connection_); - } - - void cleanupXdsConnection(FakeHttpConnectionPtr& connection) { - if (connection != nullptr) { - AssertionResult result = connection->close(); - RELEASE_ASSERT(result, result.message()); - result = connection->waitForDisconnect(); - RELEASE_ASSERT(result, result.message()); - connection.reset(); - } - } - - bool isSotw() const { - return sotwOrDelta() == Grpc::SotwOrDelta::Sotw || - sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw; - } - - // Adds config_source for authority1.com and a default_config_source for - // default_authority.com. - void initialize() override { - config_helper_.addRuntimeOverride( - "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions", "true"); - config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - // Add the first config_source. - { - auto* config_source1 = bootstrap.mutable_config_sources()->Add(); - config_source1->mutable_authorities()->Add()->set_name("authority1.com"); - auto* api_config_source = config_source1->mutable_api_config_source(); - api_config_source->set_api_type( - isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC - : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); - api_config_source->set_transport_api_version(envoy::config::core::v3::V3); - api_config_source->set_set_node_on_first_message_only(true); - auto* grpc_service = api_config_source->add_grpc_services(); - setGrpcService(*grpc_service, "authority1_cluster", authority1_upstream_->localAddress()); - auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); - xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); - xds_cluster->set_name("authority1_cluster"); - } - // Add the default config source. - { - auto* default_config_source = bootstrap.mutable_default_config_source(); - default_config_source->mutable_authorities()->Add()->set_name("default_authority.com"); - auto* api_config_source = default_config_source->mutable_api_config_source(); - api_config_source->set_api_type( - isSotw() ? envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC - : envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC); - api_config_source->set_transport_api_version(envoy::config::core::v3::V3); - api_config_source->set_set_node_on_first_message_only(true); - auto* grpc_service = api_config_source->add_grpc_services(); - setGrpcService(*grpc_service, "default_authority_cluster", - default_authority_upstream_->localAddress()); - auto* xds_cluster = bootstrap.mutable_static_resources()->add_clusters(); - xds_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); - xds_cluster->set_name("default_authority_cluster"); - } - // Add the (old) ADS server. - { - auto* ads_config = bootstrap.mutable_dynamic_resources()->mutable_ads_config(); - ads_config->set_api_type(isSotw() ? envoy::config::core::v3::ApiConfigSource::GRPC - : envoy::config::core::v3::ApiConfigSource::DELTA_GRPC); - ads_config->set_transport_api_version(envoy::config::core::v3::V3); - ads_config->set_set_node_on_first_message_only(true); - auto* grpc_service = ads_config->add_grpc_services(); - setGrpcService(*grpc_service, "ads_cluster", xds_upstream_->localAddress()); - auto* ads_cluster = bootstrap.mutable_static_resources()->add_clusters(); - ads_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); - ads_cluster->set_name("ads_cluster"); - } - }); - HttpIntegrationTest::initialize(); - connectAds(); - connectAuthority1(); - connectDefaultAuthority(); - } - - void connectAds() { - if (xds_stream_ == nullptr) { - AssertionResult result = xds_upstream_->waitForHttpConnection(*dispatcher_, xds_connection_); - RELEASE_ASSERT(result, result.message()); - result = xds_connection_->waitForNewStream(*dispatcher_, xds_stream_); - RELEASE_ASSERT(result, result.message()); - xds_stream_->startGrpcStream(); - } - } - - void connectAuthority1() { - AssertionResult result = - authority1_upstream_->waitForHttpConnection(*dispatcher_, authority1_xds_connection_); - RELEASE_ASSERT(result, result.message()); - result = authority1_xds_connection_->waitForNewStream(*dispatcher_, authority1_xds_stream_); - RELEASE_ASSERT(result, result.message()); - authority1_xds_stream_->startGrpcStream(); - } - - void connectDefaultAuthority() { - AssertionResult result = default_authority_upstream_->waitForHttpConnection( - *dispatcher_, default_authority_xds_connection_); - RELEASE_ASSERT(result, result.message()); - result = default_authority_xds_connection_->waitForNewStream(*dispatcher_, - default_authority_xds_stream_); - RELEASE_ASSERT(result, result.message()); - default_authority_xds_stream_->startGrpcStream(); - } - - envoy::config::endpoint::v3::ClusterLoadAssignment - buildClusterLoadAssignment(const std::string& name) { - // The first fake upstream is the emulated backend server. - return ConfigHelper::buildClusterLoadAssignment( - name, Network::Test::getLoopbackAddressString(ipVersion()), - fake_upstreams_[0].get()->localAddress()->ip()->port()); - } - - void setupClustersFromOldAds() { - config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - bootstrap.mutable_dynamic_resources()->mutable_cds_config()->mutable_ads(); - }); - } - - void setupListenersFromOldAds() { - config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - bootstrap.mutable_dynamic_resources()->mutable_lds_config()->mutable_ads(); - }); - } - - envoy::config::listener::v3::Listener buildListener(const std::string& name, - const std::string& route_config) { - return ConfigHelper::buildListener( - name, route_config, Network::Test::getLoopbackAddressString(ipVersion()), "ads_test"); - } - - void makeSingleRequest() { - registerTestServerPorts({"http"}); - testRouterHeaderOnlyRequestAndResponse(); - cleanupUpstreamAndDownstream(); - } - - // Data members that emulate the authority1 server. - FakeUpstream* authority1_upstream_; - FakeHttpConnectionPtr authority1_xds_connection_; - FakeStreamPtr authority1_xds_stream_; - - // Data members that emulate the default_authority server. - FakeUpstream* default_authority_upstream_; - FakeHttpConnectionPtr default_authority_xds_connection_; - FakeStreamPtr default_authority_xds_stream_; -}; - INSTANTIATE_TEST_SUITE_P(IpVersionsClientTypeDeltaWildcard, AdsXdsTpConfigsIntegrationTest, ADS_INTEGRATION_PARAMS); diff --git a/test/mocks/upstream/cluster_manager_factory.h b/test/mocks/upstream/cluster_manager_factory.h index fc8aaec38f74b..a11f5101b3a8d 100644 --- a/test/mocks/upstream/cluster_manager_factory.h +++ b/test/mocks/upstream/cluster_manager_factory.h @@ -46,7 +46,8 @@ class MockClusterManagerFactory : public ClusterManagerFactory { MOCK_METHOD(absl::StatusOr, createCds, (const envoy::config::core::v3::ConfigSource& cds_config, - const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm)); + const xds::core::v3::ResourceLocator* cds_resources_locator, ClusterManager& cm, + bool support_multi_ads_sources)); }; } // namespace Upstream From 4ba66f66d628d103e8fd41bc5ce61149a8d7d9b3 Mon Sep 17 00:00:00 2001 From: Issa Abu Kalbein <86603440+IssaAbuKalbein@users.noreply.github.com> Date: Thu, 18 Sep 2025 19:29:27 +0300 Subject: [PATCH 423/505] tcp_proxy: set idle timeout on downstream connections with no upstream connection (#40841) Start the idle timer immediately on new connection so that if no response is received from the upstream, the downstream connection will time out. Signed-off-by: Issa Abu Kalbein --- changelogs/current.yaml | 7 + source/common/runtime/runtime_features.cc | 1 + source/common/tcp_proxy/tcp_proxy.cc | 36 ++-- test/common/tcp_proxy/tcp_proxy_test.cc | 25 ++- .../tcp_tunneling_integration_test.cc | 169 ++++++++++++++++-- 5 files changed, 202 insertions(+), 36 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 2d800d57d8d71..6a83ac5321959 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -93,6 +93,13 @@ minor_behavior_changes: bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* +- area: tcp_proxy + change: + Fixes a bug when downstream TCP connection is created and the upstream connection isn't fully established, no idle timeout + is set on the downstream connection, which may lead to connection leak if the client doesn't close the connection. + The fix is to set an idle timeout on the downstream connection immediately after creation. + This fix can be reverted by setting runtime guard ``envoy.reloadable_features.tcp_proxy_set_idle_timer_immediately_on_new_connection`` + to ``false``. - area: udp_proxy change: | Fixed a crash in the UDP proxy that occurred during ``ENVOY_SIGTERM`` when active tunneling sessions were present. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 3da2ea7986375..f6285de260684 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -75,6 +75,7 @@ RUNTIME_GUARD(envoy_reloadable_features_safe_http2_options); RUNTIME_GUARD(envoy_reloadable_features_skip_dns_lookup_for_proxied_requests); RUNTIME_GUARD(envoy_reloadable_features_skip_ext_proc_on_local_reply); RUNTIME_GUARD(envoy_reloadable_features_tcp_proxy_retry_on_different_event_loop); +RUNTIME_GUARD(envoy_reloadable_features_tcp_proxy_set_idle_timer_immediately_on_new_connection); RUNTIME_GUARD(envoy_reloadable_features_test_feature_true); RUNTIME_GUARD(envoy_reloadable_features_trace_refresh_after_route_refresh); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); diff --git a/source/common/tcp_proxy/tcp_proxy.cc b/source/common/tcp_proxy/tcp_proxy.cc index 80ff9a99ec1a6..50eb756f661b4 100644 --- a/source/common/tcp_proxy/tcp_proxy.cc +++ b/source/common/tcp_proxy/tcp_proxy.cc @@ -888,6 +888,29 @@ Network::FilterStatus Filter::onNewConnection() { resetAccessLogFlushTimer(); } + idle_timeout_ = config_->idleTimeout(); + if (const auto* per_connection_idle_timeout = + getStreamInfo().filterState()->getDataReadOnly( + PerConnectionIdleTimeoutMs); + per_connection_idle_timeout != nullptr) { + idle_timeout_ = std::chrono::milliseconds(per_connection_idle_timeout->value()); + } + + if (idle_timeout_) { + // The idle_timer_ can be moved to a Drainer, so related callbacks call into + // the UpstreamCallbacks, which has the same lifetime as the timer, and can dispatch + // the call to either TcpProxy or to Drainer, depending on the current state. + idle_timer_ = read_callbacks_->connection().dispatcher().createTimer( + [upstream_callbacks = upstream_callbacks_]() { upstream_callbacks->onIdleTimeout(); }); + + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.tcp_proxy_set_idle_timer_immediately_on_new_connection")) { + // Start the idle timer immediately so that if no response is received from the upstream, + // the downstream connection will time out. + resetIdleTimer(); + } + } + // Set UUID for the connection. This is used for logging and tracing. getStreamInfo().setStreamIdProvider( std::make_shared(config_->randomGenerator().uuid())); @@ -1045,20 +1068,7 @@ void Filter::onUpstreamConnection() { read_callbacks_->connection(), getStreamInfo().downstreamAddressProvider().requestedServerName()); - idle_timeout_ = config_->idleTimeout(); - if (const auto* per_connection_idle_timeout = - getStreamInfo().filterState()->getDataReadOnly( - PerConnectionIdleTimeoutMs); - per_connection_idle_timeout != nullptr) { - idle_timeout_ = std::chrono::milliseconds(per_connection_idle_timeout->value()); - } - if (idle_timeout_) { - // The idle_timer_ can be moved to a Drainer, so related callbacks call into - // the UpstreamCallbacks, which has the same lifetime as the timer, and can dispatch - // the call to either TcpProxy or to Drainer, depending on the current state. - idle_timer_ = read_callbacks_->connection().dispatcher().createTimer( - [upstream_callbacks = upstream_callbacks_]() { upstream_callbacks->onIdleTimeout(); }); resetIdleTimer(); read_callbacks_->connection().addBytesSentCallback([this](uint64_t) { resetIdleTimer(); diff --git a/test/common/tcp_proxy/tcp_proxy_test.cc b/test/common/tcp_proxy/tcp_proxy_test.cc index 9ffed77090c51..81247dd5a1ad9 100644 --- a/test/common/tcp_proxy/tcp_proxy_test.cc +++ b/test/common/tcp_proxy/tcp_proxy_test.cc @@ -1283,7 +1283,6 @@ TEST_P(TcpProxyTest, InvalidIdleTimeoutObjectFactory) { TEST_P(TcpProxyTest, IdleTimeoutWithFilterStateOverride) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); - setup(1, config); uint64_t idle_timeout_override = 5000; @@ -1295,6 +1294,9 @@ TEST_P(TcpProxyTest, IdleTimeoutWithFilterStateOverride) { StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::Connection); Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(idle_timeout_override), _)); + setup(1, config); + EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(idle_timeout_override), _)); raiseEventUpstreamConnected(0); @@ -1323,9 +1325,10 @@ TEST_P(TcpProxyTest, IdleTimeoutWithFilterStateOverride) { TEST_P(TcpProxyTest, IdleTimeout) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); + Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); setup(1, config); - Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); raiseEventUpstreamConnected(0); @@ -1353,9 +1356,10 @@ TEST_P(TcpProxyTest, IdleTimeout) { TEST_P(TcpProxyTest, IdleTimerDisabledDownstreamClose) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); + Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); setup(1, config); - Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); raiseEventUpstreamConnected(0); @@ -1367,9 +1371,10 @@ TEST_P(TcpProxyTest, IdleTimerDisabledDownstreamClose) { TEST_P(TcpProxyTest, IdleTimerDisabledUpstreamClose) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); + Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); setup(1, config); - Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); raiseEventUpstreamConnected(0); @@ -1381,9 +1386,10 @@ TEST_P(TcpProxyTest, IdleTimerDisabledUpstreamClose) { TEST_P(TcpProxyTest, IdleTimeoutWithOutstandingDataFlushed) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); + Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); setup(1, config); - Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); EXPECT_CALL(*idle_timer, enableTimer(std::chrono::milliseconds(1000), _)); raiseEventUpstreamConnected(0); @@ -1652,10 +1658,10 @@ TEST_P(TcpProxyTest, UpstreamFlushNoTimeout) { TEST_P(TcpProxyTest, UpstreamFlushTimeoutConfigured) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); + Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(_, _)); setup(1, config); - NiceMock* idle_timer = - new NiceMock(&filter_callbacks_.connection_.dispatcher_); EXPECT_CALL(*idle_timer, enableTimer(_, _)); raiseEventUpstreamConnected(0); @@ -1683,10 +1689,10 @@ TEST_P(TcpProxyTest, UpstreamFlushTimeoutConfigured) { TEST_P(TcpProxyTest, UpstreamFlushTimeoutExpired) { envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy config = defaultConfig(); config.mutable_idle_timeout()->set_seconds(1); + Event::MockTimer* idle_timer = new Event::MockTimer(&filter_callbacks_.connection_.dispatcher_); + EXPECT_CALL(*idle_timer, enableTimer(_, _)); setup(1, config); - NiceMock* idle_timer = - new NiceMock(&filter_callbacks_.connection_.dispatcher_); EXPECT_CALL(*idle_timer, enableTimer(_, _)); raiseEventUpstreamConnected(0); @@ -1700,6 +1706,7 @@ TEST_P(TcpProxyTest, UpstreamFlushTimeoutExpired) { EXPECT_EQ(1U, config_->stats().upstream_flush_active_.value()); EXPECT_CALL(*upstream_connections_.at(0), close(Network::ConnectionCloseType::NoFlush)); + EXPECT_CALL(*idle_timer, disableTimer()); idle_timer->invokeCallback(); EXPECT_EQ(1U, config_->stats().upstream_flush_total_.value()); EXPECT_EQ(0U, config_->stats().upstream_flush_active_.value()); diff --git a/test/integration/tcp_tunneling_integration_test.cc b/test/integration/tcp_tunneling_integration_test.cc index a12cd77d508b9..afdca7a30f4a3 100644 --- a/test/integration/tcp_tunneling_integration_test.cc +++ b/test/integration/tcp_tunneling_integration_test.cc @@ -13,6 +13,7 @@ #include "test/integration/http_integration.h" #include "test/integration/http_protocol_integration.h" #include "test/integration/tcp_tunneling_integration.h" +#include "test/test_common/simulated_time_system.h" #include "gtest/gtest.h" @@ -1826,9 +1827,11 @@ TEST_P(TcpTunnelingIntegrationTest, UpstreamConnectingDownstreamDisconnect) { ASSERT_TRUE(fake_upstream_connection_->close()); } -TEST_P(TcpTunnelingIntegrationTest, TestIdletimeoutWithLargeOutstandingData) { - enableHalfClose(false); - config_helper_.setBufferLimits(1024, 1024); +// Test idle timeout when connection establishment is prevented by not sending upstream response +TEST_P(TcpTunnelingIntegrationTest, + IdleTimeoutNoUpstreamConnectionNoIdleTimeoutSetOnNewConnection) { + config_helper_.addRuntimeOverride( + "envoy.reloadable_features.tcp_proxy_set_idle_timer_immediately_on_new_connection", "false"); config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(1); auto* filter_chain = listener->mutable_filter_chains(0); @@ -1838,27 +1841,36 @@ TEST_P(TcpTunnelingIntegrationTest, TestIdletimeoutWithLargeOutstandingData) { auto tcp_proxy_config = MessageUtil::anyConvert( *config_blob); - tcp_proxy_config.mutable_idle_timeout()->set_nanos( - std::chrono::duration_cast(std::chrono::milliseconds(500)) - .count()); + + tcp_proxy_config.mutable_tunneling_config()->set_hostname("foo.lyft.com:80"); + tcp_proxy_config.mutable_idle_timeout()->CopyFrom( + ProtobufUtil::TimeUtil::MillisecondsToDuration(1)); + config_blob->PackFrom(tcp_proxy_config); }); initialize(); - setUpConnection(fake_upstream_connection_); + // Start downstream TCP connection (CONNECT will be sent upstream). + tcp_client_ = makeTcpConnection(lookupPort("tcp_proxy")); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + EXPECT_EQ(upstream_request_->headers().getMethodValue(), "CONNECT"); - std::string data(1024 * 16, 'a'); - ASSERT_TRUE(tcp_client_->write(data)); - upstream_request_->encodeData(data, false); + // Don't send response headers - this prevents the tunnel from being fully established. + // The TCP proxy will wait for the response, and the idle timeout will not trigger as + // the idle timeout is not set immediately on new connection. - tcp_client_->waitForDisconnect(); + // Verify the stream wasn't reset due to timeout if (upstreamProtocol() == Http::CodecType::HTTP1) { - ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); - tcp_client_->close(); + ASSERT_FALSE(fake_upstream_connection_->waitForDisconnect(std::chrono::milliseconds(10))); } else { - ASSERT_TRUE(upstream_request_->waitForReset()); + ASSERT_FALSE(upstream_request_->waitForReset(std::chrono::milliseconds(10))); } + + // Clean up the TCP client + tcp_client_->close(); } // Test that a downstream flush works correctly (all data is flushed) @@ -2443,5 +2455,134 @@ INSTANTIATE_TEST_SUITE_P( {Http::CodecType::HTTP1, Http::CodecType::HTTP2, Http::CodecType::HTTP3}, {Http::CodecType::HTTP1, Http::CodecType::HTTP2, Http::CodecType::HTTP3})), BaseTcpTunnelingIntegrationTest::protocolTestParamsToString); + +/** + * Simulated time fixture only for deterministic idle-timeout test. + */ +class TcpTunnelingIntegrationTestSimTime : public Event::TestUsingSimulatedTime, + public BaseTcpTunnelingIntegrationTest { +public: + void SetUp() override { + enableHalfClose(true); + + config_helper_.addConfigModifier( + [&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy proxy_config; + proxy_config.set_stat_prefix("tcp_stats"); + proxy_config.set_cluster("cluster_0"); + proxy_config.mutable_tunneling_config()->set_hostname("foo.lyft.com:80"); + + auto* listener = bootstrap.mutable_static_resources()->add_listeners(); + listener->set_name("tcp_proxy"); + + auto* socket_address = listener->mutable_address()->mutable_socket_address(); + socket_address->set_address(Network::Test::getLoopbackAddressString(version_)); + socket_address->set_port_value(0); + + auto* filter_chain = listener->add_filter_chains(); + auto* filter = filter_chain->add_filters(); + filter->mutable_typed_config()->PackFrom(proxy_config); + filter->set_name("envoy.filters.network.tcp_proxy"); + }); + BaseTcpTunnelingIntegrationTest::SetUp(); + } +}; + +TEST_P(TcpTunnelingIntegrationTestSimTime, TestIdletimeoutWithLargeOutstandingData) { + const auto idle_timeout = 5; // 5 seconds + + enableHalfClose(false); + config_helper_.setBufferLimits(1024, 1024); + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(1); + auto* filter_chain = listener->mutable_filter_chains(0); + auto* config_blob = filter_chain->mutable_filters(0)->mutable_typed_config(); + + ASSERT_TRUE(config_blob->Is()); + auto tcp_proxy_config = + MessageUtil::anyConvert( + *config_blob); + tcp_proxy_config.mutable_idle_timeout()->CopyFrom( + ProtobufUtil::TimeUtil::SecondsToDuration(idle_timeout)); + config_blob->PackFrom(tcp_proxy_config); + }); + + initialize(); + + setUpConnection(fake_upstream_connection_); + + std::string data(1024 * 16, 'a'); + ASSERT_TRUE(tcp_client_->write(data)); + upstream_request_->encodeData(data, false); + + // Advance simulated time to trigger the idle timeout deterministically. + timeSystem().advanceTimeAndRun(std::chrono::seconds(idle_timeout), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + test_server_->waitForCounterGe("tcp.tcp_stats.idle_timeout", 1); + + tcp_client_->waitForDisconnect(); + if (upstreamProtocol() == Http::CodecType::HTTP1) { + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + tcp_client_->close(); + } else { + ASSERT_TRUE(upstream_request_->waitForReset()); + } +} + +// Test idle timeout when connection establishment is prevented by not sending upstream response +TEST_P(TcpTunnelingIntegrationTestSimTime, + IdleTimeoutNoUpstreamConnectionWithIdleTimeoutSetOnNewConnection) { + const auto idle_timeout = 5; // 5 seconds + + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void { + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(1); + auto* filter_chain = listener->mutable_filter_chains(0); + auto* config_blob = filter_chain->mutable_filters(0)->mutable_typed_config(); + + ASSERT_TRUE(config_blob->Is()); + auto tcp_proxy_config = + MessageUtil::anyConvert( + *config_blob); + + tcp_proxy_config.mutable_tunneling_config()->set_hostname("foo.lyft.com:80"); + tcp_proxy_config.mutable_idle_timeout()->CopyFrom( + ProtobufUtil::TimeUtil::SecondsToDuration(idle_timeout)); + + config_blob->PackFrom(tcp_proxy_config); + }); + + initialize(); + + // Start downstream TCP connection (CONNECT will be sent upstream). + tcp_client_ = makeTcpConnection(lookupPort("tcp_proxy")); + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + EXPECT_EQ(upstream_request_->headers().getMethodValue(), "CONNECT"); + + // Don't send response headers - this prevents the tunnel from being fully established. + // The TCP proxy will wait for the response, and the idle timeout will trigger. + + // Advance simulated time to fire idle timer. + timeSystem().advanceTimeAndRun(std::chrono::seconds(idle_timeout), *dispatcher_, + Event::Dispatcher::RunType::NonBlock); + + test_server_->waitForCounterGe("tcp.tcp_stats.idle_timeout", 1); + tcp_client_->waitForHalfClose(); + + if (upstreamProtocol() == Http::CodecType::HTTP1) { + ASSERT_TRUE(fake_upstream_connection_->waitForDisconnect()); + } else { + ASSERT_TRUE(upstream_request_->waitForReset()); + } + tcp_client_->close(); +} + +// Excluded HTTP/3 protocol tests as they are crashing under simulated time. +INSTANTIATE_TEST_SUITE_P(IpAndHttpVersionsSimTime, TcpTunnelingIntegrationTestSimTime, + testing::ValuesIn(BaseTcpTunnelingIntegrationTest::getProtocolTestParams( + {Http::CodecType::HTTP1, Http::CodecType::HTTP2}, + {Http::CodecType::HTTP1, Http::CodecType::HTTP2})), + BaseTcpTunnelingIntegrationTest::protocolTestParamsToString); } // namespace } // namespace Envoy From 196cb2991dfd40b47fdf890a51f9d8db4db1aeb6 Mon Sep 17 00:00:00 2001 From: "Antonio V. Leonti" <53806445+antoniovleonti@users.noreply.github.com> Date: Thu, 18 Sep 2025 13:08:00 -0400 Subject: [PATCH 424/505] Add scaled timer HttpDownstreamStreamFlush (#40984) This PR adds an overload manager scaled timer type which scales the stream buffer flush timeout. Risk Level: low Testing: unit / integration tests added. --------- Signed-off-by: antoniovleonti --- api/envoy/config/overload/v3/overload.proto | 7 ++ changelogs/current.yaml | 9 ++- envoy/event/scaled_timer.h | 3 + source/common/http/codec_helper.h | 4 +- source/server/overload_manager_impl.cc | 2 + test/common/http/http2/codec_impl_test.cc | 57 +++++++++++-- test/common/http/http2/http2_frame.h | 9 +++ test/integration/http_integration.cc | 19 +++-- test/integration/http_integration.h | 2 + test/integration/overload_integration_test.cc | 80 +++++++++++++++++++ test/server/overload_manager_impl_test.cc | 58 ++++++++++++++ 11 files changed, 235 insertions(+), 15 deletions(-) diff --git a/api/envoy/config/overload/v3/overload.proto b/api/envoy/config/overload/v3/overload.proto index 245010221fa8e..b5bc2c4d830af 100644 --- a/api/envoy/config/overload/v3/overload.proto +++ b/api/envoy/config/overload/v3/overload.proto @@ -109,6 +109,13 @@ message ScaleTimersOverloadActionConfig { // :ref:`HttpConnectionManager.common_http_protocol_options.max_connection_duration // `. HTTP_DOWNSTREAM_CONNECTION_MAX = 4; + + // Adjusts the timeout for the downstream codec to flush an ended stream. + // This affects the value of :ref:`RouteAction.flush_timeout + // ` and + // :ref:`HttpConnectionManager.stream_flush_timeout + // ` + HTTP_DOWNSTREAM_STREAM_FLUSH = 5; } message ScaleTimer { diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 6a83ac5321959..1af734193d2cc 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -432,7 +432,13 @@ new_features: change: | Added a new metric ``db_build_epoch`` to track the build timestamp of the MaxMind geolocation database files. This can be used to monitor the freshness of the databases currently in use by the filter. - See `MaxMind DB build_epoch `_ for more details. + See https://maxmind.github.io/MaxMind-DB/#build_epoch for more details. +- area: overload management + change: | + Added a new scaled timer type ``HttpDownstreamStreamFlush`` to the overload manager. This allows + Envoy to scale the periodic timer for flushing downstream responses based on resource pressure. + The new timer can be configured via the + :ref:`ScaleTimersOverloadActionConfig `. - area: dynamic_modules change: | Added support for counters, gauges, histograms, and their vector variants to the dynamic modules API. @@ -442,4 +448,5 @@ new_features: ` configuration field to the c-ares DNS resolver. This allows periodic refresh of the UDP channel to help with avoiding stale socket states, and providing better load distribution across UDP ports. + deprecated: diff --git a/envoy/event/scaled_timer.h b/envoy/event/scaled_timer.h index a307df73fded1..5e17869a01874 100644 --- a/envoy/event/scaled_timer.h +++ b/envoy/event/scaled_timer.h @@ -83,6 +83,9 @@ enum class ScaledTimerType { // The max time an HTTP connection to a downstream client can be connected at all. This // corresponds to the HTTP_DOWNSTREAM_CONNECTION_MAX TimerType in overload.proto. HttpDownstreamMaxConnectionTimeout, + // The max time the downstream codec will wait to flush an ended response stream. This corresponds + // to HTTP_DOWNSTREAM_STREAM_FLUSH TimerType in overload.proto. + HttpDownstreamStreamFlush, }; using ScaledTimerTypeMap = absl::flat_hash_map; diff --git a/source/common/http/codec_helper.h b/source/common/http/codec_helper.h index aec7224bfac5f..d614f1353990f 100644 --- a/source/common/http/codec_helper.h +++ b/source/common/http/codec_helper.h @@ -1,6 +1,7 @@ #pragma once #include "envoy/event/dispatcher.h" +#include "envoy/event/scaled_timer.h" #include "envoy/event/timer.h" #include "envoy/http/codec.h" @@ -123,7 +124,8 @@ class MultiplexedStreamImplBase : public Stream, public StreamCallbackHelper { void createPendingFlushTimer() { ASSERT(stream_flush_timer_ == nullptr); if (stream_flush_timeout_.count() > 0) { - stream_flush_timer_ = dispatcher_.createTimer([this] { onPendingFlushTimer(); }); + stream_flush_timer_ = dispatcher_.createScaledTimer( + Event::ScaledTimerType::HttpDownstreamStreamFlush, [this] { onPendingFlushTimer(); }); stream_flush_timer_->enableTimer(stream_flush_timeout_); } } diff --git a/source/server/overload_manager_impl.cc b/source/server/overload_manager_impl.cc index 1615f0c75f3c9..84e1803daac9a 100644 --- a/source/server/overload_manager_impl.cc +++ b/source/server/overload_manager_impl.cc @@ -140,6 +140,8 @@ absl::StatusOr parseTimerType( return Event::ScaledTimerType::TransportSocketConnectTimeout; case Config::HTTP_DOWNSTREAM_CONNECTION_MAX: return Event::ScaledTimerType::HttpDownstreamMaxConnectionTimeout; + case Config::HTTP_DOWNSTREAM_STREAM_FLUSH: + return Event::ScaledTimerType::HttpDownstreamStreamFlush; default: return absl::InvalidArgumentError( fmt::format("Unknown timer type {}", static_cast(config_timer_type))); diff --git a/test/common/http/http2/codec_impl_test.cc b/test/common/http/http2/codec_impl_test.cc index d00c1787ba6d0..a8eecaae1ab15 100644 --- a/test/common/http/http2/codec_impl_test.cc +++ b/test/common/http/http2/codec_impl_test.cc @@ -1751,7 +1751,13 @@ TEST_P(Http2CodecImplDeferredResetTest, DeferredResetServerIfLocalEndStreamBefor response_encoder_->encodeHeaders(response_headers, false); Buffer::OwnedImpl body(std::string(32 * 1024, 'a')); EXPECT_CALL(server_stream_callbacks_, onAboveWriteBufferHighWatermark()).Times(AnyNumber()); - auto flush_timer = new Event::MockTimer(&server_connection_.dispatcher_); + auto flush_timer = new Event::MockTimer(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); response_encoder_->encodeData(body, true); EXPECT_CALL(server_stream_callbacks_, onResetStream(StreamResetReason::LocalReset, _)); @@ -1791,7 +1797,13 @@ TEST_P(Http2CodecImplDeferredResetTest, LargeDataDeferredResetServerIfLocalEndSt response_encoder_->encodeHeaders(response_headers, false); Buffer::OwnedImpl body(std::string(1024 * 1024, 'a')); EXPECT_CALL(server_stream_callbacks_, onAboveWriteBufferHighWatermark()).Times(AnyNumber()); - auto flush_timer = new Event::MockTimer(&server_connection_.dispatcher_); + auto flush_timer = new Event::MockTimer(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); response_encoder_->encodeData(body, true); EXPECT_CALL(server_stream_callbacks_, onResetStream(StreamResetReason::LocalReset, _)); @@ -2190,7 +2202,13 @@ TEST_P(Http2CodecImplFlowControlTest, TrailingHeadersLargeServerBody) { // server, intentionally exhausting the window. driveServer(); driveClient(); - auto flush_timer = new NiceMock(&server_connection_.dispatcher_); + auto flush_timer = new NiceMock(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); response_encoder_->encodeTrailers(TestResponseTrailerMapImpl{{"trailing", "header"}}); @@ -2226,7 +2244,13 @@ TEST_P(Http2CodecImplFlowControlTest, TrailingHeadersLargeServerBodyFlushTimeout driveToCompletion(); EXPECT_CALL(server_stream_callbacks_, onAboveWriteBufferHighWatermark()); EXPECT_CALL(response_decoder_, decodeData(_, false)).Times(AtLeast(1)); - auto flush_timer = new NiceMock(&server_connection_.dispatcher_); + auto flush_timer = new NiceMock(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); Buffer::OwnedImpl body(std::string(1024 * 1024, 'a')); response_encoder_->encodeData(body, false); @@ -2242,6 +2266,7 @@ TEST_P(Http2CodecImplFlowControlTest, TrailingHeadersLargeServerBodyFlushTimeout EXPECT_CALL(server_stream_callbacks_, onResetStream(_, _)).Times(0); EXPECT_CALL(server_codec_event_callbacks_, onCodecLowLevelReset()); EXPECT_CALL(client_stream_callbacks, onResetStream(StreamResetReason::RemoteReset, _)); + ENVOY_LOG_MISC(debug, "invoke callback"); flush_timer->invokeCallback(); driveToCompletion(); EXPECT_EQ(1, server_stats_store_.counter("http2.tx_flush_timeout").value()); @@ -2267,7 +2292,13 @@ TEST_P(Http2CodecImplFlowControlTest, LargeServerBodyFlushTimeout) { driveToCompletion(); // The server enables the flush timer under encodeData(). The client then decodes some data. - auto flush_timer = new NiceMock(&server_connection_.dispatcher_); + auto flush_timer = new NiceMock(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); EXPECT_CALL(response_decoder_, decodeData(_, false)).Times(AtLeast(1)); Buffer::OwnedImpl body(std::string(1024 * 1024, 'a')); @@ -2308,7 +2339,13 @@ TEST_P(Http2CodecImplFlowControlTest, LargeServerBodyFlushTimeoutAfterGoaway) { driveToCompletion(); // The server enables the flush timer under encodeData(). The client then decodes some data. - auto flush_timer = new NiceMock(&server_connection_.dispatcher_); + auto flush_timer = new NiceMock(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); EXPECT_CALL(response_decoder_, decodeData(_, false)).Times(AtLeast(1)); Buffer::OwnedImpl body(std::string(1024 * 1024, 'a')); @@ -2442,7 +2479,13 @@ TEST_P(Http2CodecImplFlowControlTest, RstStreamOnPendingFlushTimeoutFlood) { // client stream windows should have 5535 bytes left and the next frame should overflow it. // nghttp2 sends 1 DATA frame for the remainder of the client window and it should make // outbound frame queue 1 away from overflow. - auto flush_timer = new NiceMock(&server_connection_.dispatcher_); + auto flush_timer = new NiceMock(); + EXPECT_CALL(server_connection_.dispatcher_, + createScaledTypedTimer_(Event::ScaledTimerType::HttpDownstreamStreamFlush, _)) + .WillOnce(Invoke([flush_timer](Event::ScaledTimerType, Event::TimerCb cb) { + flush_timer->callback_ = cb; + return flush_timer; + })); EXPECT_CALL(*flush_timer, enableTimer(std::chrono::milliseconds(30000), _)); Buffer::OwnedImpl large_body(std::string(6 * 1024, '1')); response_encoder_->encodeData(large_body, true); diff --git a/test/common/http/http2/http2_frame.h b/test/common/http/http2/http2_frame.h index 5e83cfb063108..91702d656f31e 100644 --- a/test/common/http/http2/http2_frame.h +++ b/test/common/http/http2/http2_frame.h @@ -63,6 +63,15 @@ class Http2Frame { Metadata = 77, }; + enum class Setting : uint16_t { + HeaderTableSize = 0x1, + EnablePush = 0x2, + MaxConcurrentStreams = 0x3, + InitialWindowSize = 0x4, + MaxFrameSize = 0x5, + MaxHeaderListSize = 0x6, + }; + enum class SettingsFlags : uint8_t { None = 0, Ack = 1, diff --git a/test/integration/http_integration.cc b/test/integration/http_integration.cc index 638feb2551d4e..8e18e60dd8d18 100644 --- a/test/integration/http_integration.cc +++ b/test/integration/http_integration.cc @@ -1888,18 +1888,21 @@ void HttpIntegrationTest::expectDownstreamBytesSentAndReceived(BytesCountExpecta } void Http2RawFrameIntegrationTest::startHttp2Session() { + startHttp2Session(Http2Frame::makeEmptySettingsFrame()); +} + +void Http2RawFrameIntegrationTest::startHttp2Session(const Http2Frame& settings) { ASSERT_TRUE(tcp_client_->write(Http2Frame::Preamble, false, false)); - // Send empty initial SETTINGS frame. - auto settings = Http2Frame::makeEmptySettingsFrame(); + // Send initial SETTINGS frame. ASSERT_TRUE(tcp_client_->write(std::string(settings), false, false)); // Read initial SETTINGS frame from the server. readFrame(); - // Send an SETTINGS ACK. - settings = Http2Frame::makeEmptySettingsFrame(Http2Frame::SettingsFlags::Ack); - ASSERT_TRUE(tcp_client_->write(std::string(settings), false, false)); + // Send a SETTINGS ACK. + auto settings_ack = Http2Frame::makeEmptySettingsFrame(Http2Frame::SettingsFlags::Ack); + ASSERT_TRUE(tcp_client_->write(std::string(settings_ack), false, false)); // read pending SETTINGS and WINDOW_UPDATE frames readFrame(); @@ -1907,6 +1910,10 @@ void Http2RawFrameIntegrationTest::startHttp2Session() { } void Http2RawFrameIntegrationTest::beginSession() { + beginSession(Http2Frame::makeEmptySettingsFrame()); +} + +void Http2RawFrameIntegrationTest::beginSession(const Http2Frame& settings) { setDownstreamProtocol(Http::CodecType::HTTP2); setUpstreamProtocol(Http::CodecType::HTTP2); // set lower outbound frame limits to make tests run faster @@ -1918,7 +1925,7 @@ void Http2RawFrameIntegrationTest::beginSession() { envoy::config::core::v3::SocketOption::STATE_PREBIND, ENVOY_MAKE_SOCKET_OPTION_NAME(SOL_SOCKET, SO_RCVBUF), 1024)); tcp_client_ = makeTcpConnection(lookupPort("http"), options); - startHttp2Session(); + startHttp2Session(settings); } Http2Frame Http2RawFrameIntegrationTest::readFrame() { diff --git a/test/integration/http_integration.h b/test/integration/http_integration.h index 520949f035cbb..548228f97fa69 100644 --- a/test/integration/http_integration.h +++ b/test/integration/http_integration.h @@ -392,10 +392,12 @@ class Http2RawFrameIntegrationTest : public HttpIntegrationTest { : HttpIntegrationTest(Http::CodecType::HTTP2, version) {} protected: + void startHttp2Session(const Http2Frame& settings); void startHttp2Session(); Http2Frame readFrame(); void sendFrame(const Http2Frame& frame); virtual void beginSession(); + virtual void beginSession(const Http2Frame& settings); IntegrationTcpClientPtr tcp_client_; }; diff --git a/test/integration/overload_integration_test.cc b/test/integration/overload_integration_test.cc index dc2163dc52f53..8887f2155e0a2 100644 --- a/test/integration/overload_integration_test.cc +++ b/test/integration/overload_integration_test.cc @@ -297,6 +297,35 @@ TEST_P(OverloadIntegrationTest, BypassOverloadManagerTest) { codec_client_->close(); } +class Http2RawFrameOverloadIntegrationTest : public BaseOverloadIntegrationTest, + public Http2RawFrameIntegrationTest, + public testing::Test { +public: + Http2RawFrameOverloadIntegrationTest() + : Http2RawFrameIntegrationTest(Envoy::Network::Address::IpVersion::v4) { + setupHttp2ImplOverrides(Envoy::Http2Impl::Oghttp2); + } + +protected: + void initializeOverloadManager( + const envoy::config::overload::v3::ScaleTimersOverloadActionConfig& config) { + envoy::config::overload::v3::OverloadAction overload_action = + TestUtility::parseYaml(R"EOF( + name: "envoy.overload_actions.reduce_timeouts" + triggers: + - name: "envoy.resource_monitors.testonly.fake_resource_monitor" + scaled: + scaling_threshold: 0.5 + saturation_threshold: 0.9 + )EOF"); + overload_action.mutable_typed_config()->PackFrom(config); + setupOverloadManagerConfig(overload_action); + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + *bootstrap.mutable_overload_manager() = this->overload_manager_config_; + }); + } +}; + class OverloadScaledTimerIntegrationTest : public OverloadIntegrationTest { protected: void initializeOverloadManager( @@ -679,6 +708,57 @@ TEST_P(OverloadScaledTimerIntegrationTest, CloseIdleHttpStream) { EXPECT_THAT(response->body(), HasSubstr("stream timeout")); } +TEST_F(Http2RawFrameOverloadIntegrationTest, FlushTimeoutWhenDownstreamBlocked) { + initializeOverloadManager( + TestUtility::parseYaml(R"EOF( + timer_scale_factors: + - timer: HTTP_DOWNSTREAM_STREAM_FLUSH + min_timeout: 1s + )EOF")); + + // Create a downstream connection with an initial stream window size of 1 rather than the default + // 65535. + beginSession(Http2Frame::makeSettingsFrame( + Http2Frame::SettingsFlags::None, + {{static_cast(Http2Frame::Setting::InitialWindowSize), 1}})); + + // Simulate increased load so the timer is reduced to the minimum value. + updateResource(0.9); + test_server_->waitForGaugeEq("overload.envoy.overload_actions.reduce_timeouts.scale_percent", + 100); + + // Send a headers-only request. + sendFrame(Http2Frame::makeRequest(1, /*host=*/"sni.lyft.com", /*path=*/"/test/long/url")); + + // Respond from upstream with more data than the downstream window will allow. + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, false); + upstream_request_->encodeData(2, true); + + // Read the response headers. + Http2Frame response_headers = readFrame(); + EXPECT_EQ(response_headers.streamId(), 1); + EXPECT_EQ(response_headers.type(), Http2Frame::Type::Headers); + + // Downstream receive window is 1, so the Envoy will encode 1 byte and buffer 1 byte. + Http2Frame response_data = readFrame(); + EXPECT_EQ(response_data.streamId(), 1); + EXPECT_EQ(response_data.type(), Http2Frame::Type::Data); + EXPECT_EQ(response_data.payloadSize(), 1); + + // The client DOES NOT send a window update, so eventually Envoy's flush timer will fire... + timeSystem().advanceTimeWait(std::chrono::seconds(2)); + test_server_->waitForCounterGe("http2.tx_flush_timeout", 1); + + // ... Which will cause the stream to be reset. + Http2Frame reset_frame = readFrame(); + EXPECT_EQ(reset_frame.streamId(), 1); + EXPECT_EQ(reset_frame.type(), Http2Frame::Type::RstStream); + + tcp_client_->close(); + test_server_->waitForGaugeEq("http.config_test.downstream_rq_active", 0); +} + TEST_P(OverloadScaledTimerIntegrationTest, TlsHandshakeTimeout) { if (downstreamProtocol() == Http::CodecClient::Type::HTTP3 || upstreamProtocol() == Http::CodecClient::Type::HTTP3) { diff --git a/test/server/overload_manager_impl_test.cc b/test/server/overload_manager_impl_test.cc index 45298779af956..a86f224c0e269 100644 --- a/test/server/overload_manager_impl_test.cc +++ b/test/server/overload_manager_impl_test.cc @@ -607,6 +607,35 @@ constexpr char kReducedTimeoutsConfig[] = R"YAML( saturation_threshold: 1.0 )YAML"; +constexpr char kReducedTimeoutsConfigWithFlush[] = R"YAML( + refresh_interval: + seconds: 1 + resource_monitors: + - name: envoy.resource_monitors.fake_resource1 + typed_config: + "@type": type.googleapis.com/google.protobuf.Struct + actions: + - name: envoy.overload_actions.reduce_timeouts + typed_config: + "@type": type.googleapis.com/envoy.config.overload.v3.ScaleTimersOverloadActionConfig + timer_scale_factors: + - timer: HTTP_DOWNSTREAM_CONNECTION_IDLE + min_timeout: 2s + - timer: HTTP_DOWNSTREAM_STREAM_IDLE + min_scale: { value: 10 } # percent + - timer: TRANSPORT_SOCKET_CONNECT + min_scale: { value: 40 } # percent + - timer: HTTP_DOWNSTREAM_CONNECTION_MAX + min_scale: { value: 20 } # percent + - timer: HTTP_DOWNSTREAM_STREAM_FLUSH + min_scale: { value: 30 } # percent + triggers: + - name: "envoy.resource_monitors.fake_resource1" + scaled: + scaling_threshold: 0.5 + saturation_threshold: 1.0 + )YAML"; + // These are the timer types according to the reduced timeouts config above. constexpr std::pair kReducedTimeoutsMinimums[]{ {TimerType::HttpDownstreamIdleConnectionTimeout, @@ -615,6 +644,16 @@ constexpr std::pair kReducedTimeoutsMinimu {TimerType::TransportSocketConnectTimeout, Event::ScaledMinimum(UnitFloat(0.4))}, {TimerType::HttpDownstreamMaxConnectionTimeout, Event::ScaledMinimum(UnitFloat(0.2))}, }; + +constexpr std::pair kReducedTimeoutsMinimumsWithFlush[]{ + {TimerType::HttpDownstreamIdleConnectionTimeout, + Event::AbsoluteMinimum(std::chrono::seconds(2))}, + {TimerType::HttpDownstreamIdleStreamTimeout, Event::ScaledMinimum(UnitFloat(0.1))}, + {TimerType::TransportSocketConnectTimeout, Event::ScaledMinimum(UnitFloat(0.4))}, + {TimerType::HttpDownstreamMaxConnectionTimeout, Event::ScaledMinimum(UnitFloat(0.2))}, + {TimerType::HttpDownstreamStreamFlush, Event::ScaledMinimum(UnitFloat(0.3))}, +}; + TEST_F(OverloadManagerImplTest, CreateScaledTimerManager) { auto manager(createOverloadManager(kReducedTimeoutsConfig)); @@ -633,6 +672,25 @@ TEST_F(OverloadManagerImplTest, CreateScaledTimerManager) { EXPECT_THAT(timer_minimums, Pointee(UnorderedElementsAreArray(kReducedTimeoutsMinimums))); } +TEST_F(OverloadManagerImplTest, CreateScaledTimerManagerWithFlush) { + auto manager(createOverloadManager(kReducedTimeoutsConfigWithFlush)); + + auto* mock_scaled_timer_manager = new Event::MockScaledRangeTimerManager(); + + Event::ScaledTimerTypeMapConstSharedPtr timer_minimums; + EXPECT_CALL(*manager, createScaledRangeTimerManager) + .WillOnce( + DoAll(SaveArg<1>(&timer_minimums), + Return(ByMove(Event::ScaledRangeTimerManagerPtr{mock_scaled_timer_manager})))); + + Event::MockDispatcher mock_dispatcher; + auto scaled_timer_manager = manager->scaledTimerFactory()(mock_dispatcher); + + EXPECT_EQ(scaled_timer_manager.get(), mock_scaled_timer_manager); + EXPECT_THAT(timer_minimums, + Pointee(UnorderedElementsAreArray(kReducedTimeoutsMinimumsWithFlush))); +} + TEST_F(OverloadManagerImplTest, AdjustScaleFactor) { setDispatcherExpectation(); auto manager(createOverloadManager(kReducedTimeoutsConfig)); From ba66ae13167998048d1b2268c1d82b20691097e2 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 18 Sep 2025 10:48:25 -0700 Subject: [PATCH 425/505] docs: small nits in the ExtAuthZ docs (#41123) Signed-off-by: Rohit Agrawal --- .../filters/http/ext_authz/v3/ext_authz.proto | 156 +++++++++--------- 1 file changed, 78 insertions(+), 78 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto index 690a9956454df..7cf2aac64aacc 100644 --- a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +++ b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto @@ -53,40 +53,39 @@ message ExtAuthz { config.core.v3.ApiVersion transport_api_version = 12 [(validate.rules).enum = {defined_only: true}]; - // Changes filter's behavior on errors: + // Changes the filter's behavior on errors: // - // 1. When set to true, the filter will ``accept`` client request even if the communication with - // the authorization service has failed, or if the authorization service has returned a HTTP 5xx - // error. + // #. When set to ``true``, the filter will ``accept`` the client request even if communication with + // the authorization service has failed, or if the authorization service has returned an HTTP 5xx + // error. // - // 2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden`` - // response if the communication with the authorization service has failed, or if the - // authorization service has returned a HTTP 5xx error. + // #. When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden`` + // if communication with the authorization service has failed, or if the authorization service + // has returned an HTTP 5xx error. // - // Note that errors can be ``always`` tracked in the :ref:`stats - // `. + // Errors can always be tracked in the :ref:`stats `. bool failure_mode_allow = 2; - // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to true, + // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``, // ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication // with the authorization service has failed, or if the authorization service has returned a // HTTP 5xx error. bool failure_mode_allow_header_add = 19; - // Enables filter to buffer the client request body and send it within the authorization request. - // A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization - // request message indicating if the body data is partial. + // Enables the filter to buffer the client request body and send it within the authorization request. + // The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization + // request indicating whether the body data is partial. BufferSettings with_request_body = 5; - // Clears route cache in order to allow the external authorization service to correctly affect - // routing decisions. Filter clears all cached routes when: + // Clears the route cache in order to allow the external authorization service to correctly affect + // routing decisions. The filter clears all cached routes when: // - // 1. The field is set to ``true``. + // #. The field is set to ``true``. // - // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0. + // #. The status returned from the authorization service is an HTTP 200 or gRPC 0. // - // 3. At least one ``authorization response header`` is added to the client request, or is used for - // altering another client request header. + // #. At least one ``authorization response header`` is added to the client request, or is used to + // alter another client request header. // bool clear_route_cache = 6; @@ -94,26 +93,27 @@ message ExtAuthz { // or cannot be reached. The default status is HTTP 403 Forbidden. type.v3.HttpStatus status_on_error = 7; - // When this is set to true, the filter will check the :ref:`ext_authz response - // ` for invalid header & + // When this is set to ``true``, the filter will check the :ref:`ext_authz response + // ` for invalid header and // query parameter mutations. If the side stream response is invalid, it will send a local reply // to the downstream request with status HTTP 500 Internal Server Error. // - // Note that headers_to_remove & query_parameters_to_remove are validated, but invalid elements in - // those fields should not affect any headers & thus will not cause the filter to send a local - // reply. + // .. note:: + // Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in + // those fields should not affect any headers and thus will not cause the filter to send a local reply. // - // When set to false, any invalid mutations will be visible to the rest of envoy and may cause + // When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause // unexpected behavior. // - // If you are using ext_authz with an untrusted ext_authz server, you should set this to true. + // If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``. bool validate_mutations = 24; // Specifies a list of metadata namespaces whose values, if present, will be passed to the // ext_authz service. The :ref:`filter_metadata ` // is passed as an opaque ``protobuf::Struct``. // - // Please note that this field exclusively applies to the gRPC ext_authz service and has no effect on the HTTP service. + // .. note:: + // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service. // // For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata // ` is set, @@ -130,10 +130,11 @@ message ExtAuthz { // ext_authz service. :ref:`typed_filter_metadata ` // is passed as a ``protobuf::Any``. // - // Please note that this field exclusively applies to the gRPC ext_authz service and has no effect on the HTTP service. + // .. note:: + // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service. // - // It works in a way similar to ``metadata_context_namespaces`` but allows Envoy and ext_authz server to share - // the protobuf message definition in order to do a safe parsing. + // This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share + // the protobuf message definition in order to perform safe parsing. // repeated string typed_metadata_context_namespaces = 16; @@ -146,7 +147,7 @@ message ExtAuthz { // Specifies a list of route metadata namespaces whose values, if present, will be passed to the // ext_authz service at :ref:`route_metadata_context ` in // :ref:`CheckRequest `. - // :ref:`typed_filter_metadata ` is passed as an ``protobuf::Any``. + // :ref:`typed_filter_metadata ` is passed as a ``protobuf::Any``. repeated string route_typed_metadata_context_namespaces = 22; // Specifies if the filter is enabled. @@ -161,11 +162,11 @@ message ExtAuthz { // If this field is not specified, the filter will be enabled for all requests. type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14; - // Specifies whether to deny the requests, when the filter is disabled. + // Specifies whether to deny the requests when the filter is disabled. // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to determine whether to deny request for - // filter protected path at filter disabling. If filter is disabled in - // typed_per_filter_config for the path, requests will not be denied. + // Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths + // when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path, + // requests will not be denied. // // If this field is not specified, all requests will be allowed when disabled. // @@ -176,11 +177,11 @@ message ExtAuthz { // Specifies if the peer certificate is sent to the external service. // - // When this field is true, Envoy will include the peer X.509 certificate, if available, in the + // When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the // :ref:`certificate`. bool include_peer_certificate = 10; - // Optional additional prefix to use when emitting statistics. This allows to distinguish + // Optional additional prefix to use when emitting statistics. This allows distinguishing // emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example: // // .. code-block:: yaml @@ -210,21 +211,20 @@ message ExtAuthz { // // .. note:: // - // 1. For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, - // ``Content-Length``, and ``Authorization`` are **additionally included** in the list. + // For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **additionally included** in the list. // // .. note:: // - // 2. For requests to an HTTP authorization server: value of ``Content-Length`` will be set to 0 and the request to the + // For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the // authorization server will not have a message body. However, the check request can include the buffered // client request body (controlled by :ref:`with_request_body - // ` setting), - // consequently the value of *Content-Length* of the authorization request reflects the size of - // its payload size. + // ` setting); + // consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload. // // .. note:: // - // 3. This can be overridden by the field ``disallowed_headers`` below. That is, if a header + // This can be overridden by the field ``disallowed_headers`` below. That is, if a header // matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent. type.matcher.v3.ListStringMatcher allowed_headers = 17; @@ -234,34 +234,35 @@ message ExtAuthz { // Specifies if the TLS session level details like SNI are sent to the external service. // - // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the + // When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the // :ref:`tls_session`. bool include_tls_session = 18; // Whether to increment cluster statistics (e.g. cluster..upstream_rq_*) on authorization failure. - // Defaults to true. + // Defaults to ``true``. google.protobuf.BoolValue charge_cluster_response_stats = 20; - // Whether to encode the raw headers (i.e. unsanitized values & unconcatenated multi-line headers) - // in authentication request. Works with both HTTP and gRPC clients. + // Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers) + // in the authorization request. Works with both HTTP and gRPC clients. // - // When this is set to true, header values are not sanitized. Headers with the same key will also + // When this is set to ``true``, header values are not sanitized. Headers with the same key will also // not be combined into a single, comma-separated header. // Requests to gRPC services will populate the field // :ref:`header_map`. // Requests to HTTP services will be constructed with the unsanitized header values and preserved // multi-line headers with the same key. // - // If this field is set to false, header values will be sanitized, with any non-UTF-8-compliant - // bytes replaced with '!'. Headers with the same key will have their values concatenated into a + // If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant + // bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a // single comma-separated header value. // Requests to gRPC services will populate the field // :ref:`headers`. // Requests to HTTP services will have their header values sanitized and will not preserve // multi-line headers with the same key. // - // It's recommended you set this to true unless you already rely on the old behavior. False is the - // default only for backwards compatibility. + // It is recommended to set this to ``true`` unless you rely on the previous behavior. + // + // It is set to ``false`` by default for backwards compatibility. bool encode_raw_headers = 23; // Rules for what modifications an ext_authz server may make to the request headers before @@ -281,15 +282,15 @@ message ExtAuthz { // This field allows the filter to reject mutations to specific headers. config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26; - // Enable / disable ingestion of dynamic metadata from ext_authz service. + // Enable or disable ingestion of dynamic metadata from the ext_authz service. // - // If false, the filter will ignore dynamic metadata injected by the ext_authz service. If the + // If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the // ext_authz service tries injecting dynamic metadata, the filter will log, increment the // ``ignored_dynamic_metadata`` stat, then continue handling the response. // - // If true, the filter will ingest dynamic metadata entries as normal. + // If ``true``, the filter will ingest dynamic metadata entries as normal. // - // If unset, defaults to true. + // If unset, defaults to ``true``. google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27; // Additional metadata to be added to the filter state for logging purposes. The metadata will be @@ -297,14 +298,14 @@ message ExtAuthz { // name. google.protobuf.Struct filter_metadata = 28; - // When set to true, the filter will emit per-stream stats for access logging. The filter state + // When set to ``true``, the filter will emit per-stream stats for access logging. The filter state // key will be the same as the filter name. // // If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster // info. If not using Envoy gRPC, emits only latency. Note that stats are ONLY added to filter // state if a check request is actually made to an ext_authz service. // - // If this is false the filter will not emit stats, but filter_metadata will still be respected if + // If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if // it has a value. // // Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service. @@ -318,21 +319,21 @@ message BufferSettings { "envoy.config.filter.http.ext_authz.v2.BufferSettings"; // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return - // ``HTTP 413`` and will *not* initiate the authorization process when buffer reaches the number + // ``HTTP 413`` and will *not* initiate the authorization process when the buffer reaches the size // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow // `. uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; - // When this field is true, Envoy will buffer the message until ``max_request_bytes`` is reached. + // When this field is ``true``, Envoy will buffer the message until ``max_request_bytes`` is reached. // The authorization request will be dispatched and no 413 HTTP error will be returned by the // filter. bool allow_partial_message = 2; - // If true, the body sent to the external authorization service is set with raw bytes, it sets - // the :ref:`raw_body` - // field of HTTP request attribute context. Otherwise, :ref:`body - // ` will be filled - // with UTF-8 string request body. + // If ``true``, the body sent to the external authorization service is set as raw bytes and populates + // :ref:`raw_body` + // in the HTTP request attribute context. Otherwise, :ref:`body + // ` will be populated + // with a UTF-8 string request body. // // This field only affects configurations using a :ref:`grpc_service // `. In configurations that use @@ -347,7 +348,7 @@ message BufferSettings { // request. Note that in any of these events, metadata can be added, removed or overridden by the // filter: // -// *On authorization request*, a list of allowed request headers may be supplied. See +// On authorization request, a list of allowed request headers may be supplied. See // :ref:`allowed_headers // ` // for details. Additional headers metadata may be added to the authorization request. See @@ -355,7 +356,7 @@ message BufferSettings { // ` for // details. // -// On authorization response status HTTP 200 OK, the filter will allow traffic to the upstream and +// On authorization response status ``HTTP 200 OK``, the filter will allow traffic to the upstream and // additional headers metadata may be added to the original client request. See // :ref:`allowed_upstream_headers // ` @@ -392,7 +393,7 @@ message AuthorizationRequest { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.ext_authz.v2.AuthorizationRequest"; - // Authorization request includes the client request headers that have a correspondent match + // Authorization request includes the client request headers that have a corresponding match // in the :ref:`list `. // This field has been deprecated in favor of :ref:`allowed_headers // `. @@ -404,17 +405,17 @@ message AuthorizationRequest { // // .. note:: // - // By default, ``Content-Length`` header is set to ``0`` and the request to the authorization + // By default, the ``Content-Length`` header is set to ``0`` and the request to the authorization // service has no message body. However, the authorization request *may* include the buffered // client request body (controlled by :ref:`with_request_body // ` - // setting) hence the value of its ``Content-Length`` reflects the size of its payload size. + // setting); hence the value of its ``Content-Length`` reflects the size of its payload. // type.matcher.v3.ListStringMatcher allowed_headers = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - // Sets a list of headers that will be included to the request to authorization service. Note that - // client request of the same key will be overridden. + // Sets a list of headers that will be included in the request to the authorization service. Note that + // client request headers with the same key will be overridden. repeated config.core.v3.HeaderValue headers_to_add = 2; } @@ -466,7 +467,7 @@ message ExtAuthzPerRoute { // Disable the ext auth filter for this particular vhost or route. // If disabled is specified in multiple per-filter-configs, the most specific one will be used. - // If the filter is disabled by default and this is set to false, the filter will be enabled + // If the filter is disabled by default and this is set to ``false``, the filter will be enabled // for this vhost or route. bool disabled = 1; @@ -493,15 +494,14 @@ message CheckSettings { // Merge semantics for this field are such that keys from more specific configs override. // // .. note:: - // // These settings are only applied to a filter configured with a // :ref:`grpc_service`. map context_extensions = 1 [(udpa.annotations.sensitive) = true]; - // When set to true, disable the configured :ref:`with_request_body + // When set to ``true``, disable the configured :ref:`with_request_body // ` for a specific route. // - // Please note that only one of *disable_request_body_buffering* or + // Only one of ``disable_request_body_buffering`` and // :ref:`with_request_body ` // may be specified. bool disable_request_body_buffering = 2; @@ -510,7 +510,7 @@ message CheckSettings { // :ref:`with_request_body ` // option for a specific route. // - // Please note that only one of ``with_request_body`` or + // Only one of ``with_request_body`` and // :ref:`disable_request_body_buffering ` // may be specified. BufferSettings with_request_body = 3; From b99c89c92771f45c9d933cfe4fda74a0d1c6d5b2 Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 18 Sep 2025 16:16:30 -0400 Subject: [PATCH 426/505] Replace c-ares library with getaddrinfo DNS library in redis_proxy network filter integration test (#41098) This is a follow up of https://github.com/envoyproxy/envoy/pull/41097 It's the 12th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- test/extensions/filters/network/redis_proxy/BUILD | 1 + .../network/redis_proxy/redis_proxy_integration_test.cc | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/test/extensions/filters/network/redis_proxy/BUILD b/test/extensions/filters/network/redis_proxy/BUILD index 7de9d7778560d..6da2d7901c583 100644 --- a/test/extensions/filters/network/redis_proxy/BUILD +++ b/test/extensions/filters/network/redis_proxy/BUILD @@ -209,6 +209,7 @@ envoy_extension_cc_test( deps = [ "//source/extensions/filters/network/common/redis:fault_lib", "//source/extensions/filters/network/redis_proxy:config", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/integration:integration_lib", "@envoy_api//envoy/service/redis_auth/v3:pkg_cc_proto", ], diff --git a/test/extensions/filters/network/redis_proxy/redis_proxy_integration_test.cc b/test/extensions/filters/network/redis_proxy/redis_proxy_integration_test.cc index 1f391a18ec948..412a05812cf9f 100644 --- a/test/extensions/filters/network/redis_proxy/redis_proxy_integration_test.cc +++ b/test/extensions/filters/network/redis_proxy/redis_proxy_integration_test.cc @@ -6,6 +6,7 @@ #include "source/common/common/fmt.h" #include "source/extensions/filters/network/common/redis/fault_impl.h" #include "source/extensions/filters/network/redis_proxy/command_splitter_impl.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/integration/integration.h" @@ -88,6 +89,10 @@ constexpr absl::string_view CONFIG_WITH_REDIRECTION_DNS = R"EOF({} name: foo dns_lookup_family: {} max_hosts: 100 + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig )EOF"; // This is a configuration with batching enabled. From 5ce4f78d3e240b024a396aaa52490f7cab1a9b2e Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 18 Sep 2025 16:16:55 -0400 Subject: [PATCH 427/505] Replace c-ares library with getaddrinfo DNS library in udp_proxy filter integration test (#41097) This is a follow up of https://github.com/envoyproxy/envoy/pull/41096 It's the 11th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- .../session_filters/dynamic_forward_proxy/BUILD | 1 + .../proxy_filter_integration_test.cc | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/BUILD b/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/BUILD index 0be85dec055b4..c592e2a428f62 100644 --- a/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/BUILD +++ b/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/BUILD @@ -61,6 +61,7 @@ envoy_extension_cc_test( "//source/extensions/filters/udp/udp_proxy:config", "//source/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy:config", "//source/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy:proxy_filter_lib", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/extensions/filters/udp/udp_proxy/session_filters:psc_setter_filter_config_lib", "//test/extensions/filters/udp/udp_proxy/session_filters:psc_setter_filter_proto_cc_proto", "//test/integration:integration_lib", diff --git a/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/proxy_filter_integration_test.cc index 97ca9b93b041f..f56f2771e825c 100644 --- a/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -6,6 +6,7 @@ #include "source/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/config.h" #include "source/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/proxy_filter.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/common/upstream/utility.h" #include "test/extensions/filters/udp/udp_proxy/session_filters/dynamic_forward_proxy/dfp_setter.h" @@ -85,6 +86,10 @@ name: udp_proxy stat_prefix: foo dns_cache_config: name: foo + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig dns_lookup_family: {} max_hosts: {} dns_cache_circuit_breaker: @@ -142,6 +147,10 @@ name: envoy.clusters.dynamic_forward_proxy "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig dns_cache_config: name: foo + typed_dns_resolver_config: + name: envoy.network.dns_resolver.getaddrinfo + typed_config: + "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig dns_lookup_family: {} max_hosts: {} dns_cache_circuit_breaker: From 356dd8093237b02c5ea0aa84adc1bf126a547a3a Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 18 Sep 2025 16:17:32 -0400 Subject: [PATCH 428/505] Replace c-ares library with getaddrinfo DNS library in aws_request_signing_integration_test (#41096) This is a follow up of https://github.com/envoyproxy/envoy/pull/41095 It's the 10th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- .../filters/http/aws_request_signing/BUILD | 1 + .../aws_request_signing_integration_test.cc | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/test/extensions/filters/http/aws_request_signing/BUILD b/test/extensions/filters/http/aws_request_signing/BUILD index e90ef61f3200a..181e778ed0608 100644 --- a/test/extensions/filters/http/aws_request_signing/BUILD +++ b/test/extensions/filters/http/aws_request_signing/BUILD @@ -44,6 +44,7 @@ envoy_extension_cc_test( "//source/extensions/clusters/dns:dns_cluster_lib", "//source/extensions/filters/http/aws_request_signing:aws_request_signing_filter_lib", "//source/extensions/filters/http/aws_request_signing:config", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/extensions/common/aws:aws_mocks", "//test/integration:http_integration_lib", "//test/test_common:utility_lib", diff --git a/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc b/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc index 64df10ef69bab..da5147d3fec94 100644 --- a/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc +++ b/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc @@ -4,6 +4,7 @@ #include "source/common/common/logger.h" #include "source/common/upstream/cluster_factory_impl.h" #include "source/extensions/clusters/dns/dns_cluster.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/integration/http_integration.h" #include "test/test_common/registry.h" @@ -230,6 +231,8 @@ class AwsRequestSigningIntegrationTest : public testing::TestWithParamset_name("envoy.network.dns_resolver.getaddrinfo"); + envoy::extensions::network::dns_resolver::getaddrinfo::v3::GetAddrInfoDnsResolverConfig + config; + typed_dns_resolver_config->mutable_typed_config()->PackFrom(config); + }); + } + protected: bool downstream_filter_ = true; }; From d7e345b758a4a934dd7ff890cddaa186c6d7ec4e Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Thu, 18 Sep 2025 16:17:59 -0400 Subject: [PATCH 429/505] Replace c-ares library with getaddrinfo DNS library in redis_cluster_integration_test (#41095) This is a follow up of https://github.com/envoyproxy/envoy/pull/41031 It's the 9th step to address: https://github.com/envoyproxy/envoy/issues/39900 Signed-off-by: Yanjun Xiang --- test/extensions/clusters/redis/BUILD | 1 + .../clusters/redis/redis_cluster_integration_test.cc | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/test/extensions/clusters/redis/BUILD b/test/extensions/clusters/redis/BUILD index 32dfc5229938f..d0b8031f86312 100644 --- a/test/extensions/clusters/redis/BUILD +++ b/test/extensions/clusters/redis/BUILD @@ -106,6 +106,7 @@ envoy_extension_cc_test( "//source/extensions/filters/network/redis_proxy:config", "//source/extensions/load_balancing_policies/cluster_provided:config", "//source/extensions/load_balancing_policies/round_robin:config", + "//source/extensions/network/dns_resolver/getaddrinfo:config", "//test/integration:ads_integration_lib", "//test/integration:integration_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", diff --git a/test/extensions/clusters/redis/redis_cluster_integration_test.cc b/test/extensions/clusters/redis/redis_cluster_integration_test.cc index 56bede0437984..092d0f1e02e92 100644 --- a/test/extensions/clusters/redis/redis_cluster_integration_test.cc +++ b/test/extensions/clusters/redis/redis_cluster_integration_test.cc @@ -6,6 +6,7 @@ #include "source/common/common/macros.h" #include "source/extensions/filters/network/redis_proxy/command_splitter_impl.h" +#include "source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.h" #include "test/integration/ads_integration.h" #include "test/integration/integration.h" @@ -156,6 +157,13 @@ class RedisClusterIntegrationTest : public testing::TestWithParamset_name("envoy.network.dns_resolver.getaddrinfo"); + envoy::extensions::network::dns_resolver::getaddrinfo::v3::GetAddrInfoDnsResolverConfig + config; + typed_dns_resolver_config->mutable_typed_config()->PackFrom(config); + uint32_t upstream_idx = 0; auto* cluster_0 = bootstrap.mutable_static_resources()->mutable_clusters(0); if (version_ == Network::Address::IpVersion::v4) { From 48e3b1596cdf2cd6f467961fe83fe3bf17a33dcb Mon Sep 17 00:00:00 2001 From: code Date: Fri, 19 Sep 2025 11:14:26 +0800 Subject: [PATCH 430/505] xfcc value: to extrace specific field from xfcc for authorization or verification (#40740) Commit Message: xfcc value: to extrace specific field from xfcc for authorization or verification Additional Description: This new substitution formatter command could be used to extract specific command from xfcc header value for authorization, verification and so on. You can extract the field into header by header_mutation filter or extract the field into filter state by set_filter_state filter. Then the header/filterstate based authorization/authentication/routing could be used. Risk Level: low. Testing: unit. Docs Changes: n/a. Release Notes: added. Platform Specific Features: n/a. --------- Signed-off-by: WangBaiping --- CODEOWNERS | 1 + source/extensions/extensions_build_config.bzl | 1 + source/extensions/extensions_metadata.yaml | 6 + source/extensions/formatter/xfcc_value/BUILD | 20 ++ .../formatter/xfcc_value/xfcc_value.cc | 245 ++++++++++++++++++ .../formatter/xfcc_value/xfcc_value.h | 26 ++ test/extensions/formatter/xfcc_value/BUILD | 40 +++ .../xfcc_value/xfcc_value_corpus/example | 8 + .../xfcc_value/xfcc_value_fuzz_test.cc | 32 +++ .../formatter/xfcc_value/xfcc_value_test.cc | 110 ++++++++ tools/extensions/extensions_schema.yaml | 1 + 11 files changed, 490 insertions(+) create mode 100644 source/extensions/formatter/xfcc_value/BUILD create mode 100644 source/extensions/formatter/xfcc_value/xfcc_value.cc create mode 100644 source/extensions/formatter/xfcc_value/xfcc_value.h create mode 100644 test/extensions/formatter/xfcc_value/BUILD create mode 100644 test/extensions/formatter/xfcc_value/xfcc_value_corpus/example create mode 100644 test/extensions/formatter/xfcc_value/xfcc_value_fuzz_test.cc create mode 100644 test/extensions/formatter/xfcc_value/xfcc_value_test.cc diff --git a/CODEOWNERS b/CODEOWNERS index b382e8c149fbc..489d7efd015bd 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -235,6 +235,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123 # Formatters /*/extensions/formatter/metadata @cpakulski @ravenblackx @nezdolik /*/extensions/formatter/cel @kyessenov @zirain +/*/extensions/formatter/xfcc_value @wbpcode @vikaschoudhary16 # IP address input matcher /*/extensions/matching/input_matchers/ip @aguinet @mattklein123 # Key Value store diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index bb92ceb0ce40d..709f97e39344c 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -461,6 +461,7 @@ EXTENSIONS = { "envoy.formatter.cel": "//source/extensions/formatter/cel:config", "envoy.formatter.metadata": "//source/extensions/formatter/metadata:config", "envoy.formatter.req_without_query": "//source/extensions/formatter/req_without_query:config", + "envoy.built_in_formatters.xfcc_value": "//source/extensions/formatter/xfcc_value:config", # # Key value store diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index e6b7fc47b7280..8d6ca2a978209 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -881,6 +881,12 @@ envoy.formatter.req_without_query: status: alpha type_urls: - envoy.extensions.formatter.req_without_query.v3.ReqWithoutQuery +envoy.built_in_formatters.xfcc_value: + categories: + - envoy.built_in_formatters + security_posture: unknown + status: alpha + undocumented: true envoy.geoip_providers.maxmind: categories: - envoy.geoip_providers diff --git a/source/extensions/formatter/xfcc_value/BUILD b/source/extensions/formatter/xfcc_value/BUILD new file mode 100644 index 0000000000000..3e8ddcff3d13c --- /dev/null +++ b/source/extensions/formatter/xfcc_value/BUILD @@ -0,0 +1,20 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "config", + srcs = ["xfcc_value.cc"], + hdrs = ["xfcc_value.h"], + deps = [ + "//source/common/formatter:formatter_extension_lib", + "//source/common/formatter:substitution_formatter_lib", + "//source/common/protobuf:utility_lib", + ], +) diff --git a/source/extensions/formatter/xfcc_value/xfcc_value.cc b/source/extensions/formatter/xfcc_value/xfcc_value.cc new file mode 100644 index 0000000000000..56659cb4a7104 --- /dev/null +++ b/source/extensions/formatter/xfcc_value/xfcc_value.cc @@ -0,0 +1,245 @@ +#include "source/extensions/formatter/xfcc_value/xfcc_value.h" + +#include +#include + +namespace Envoy { +namespace Extensions { +namespace Formatter { + +namespace { + +const absl::flat_hash_set& supportedKeys() { + // The keys are case-insensitive, so we store them in lower case. + CONSTRUCT_ON_FIRST_USE(absl::flat_hash_set, { + "by", + "hash", + "cert", + "chain", + "subject", + "uri", + "dns", + }); +} + +size_t countBackslashes(absl::string_view str) { + size_t count = 0; + // Search from end to start for first not '\' + for (char r : std::ranges::reverse_view(str)) { + if (r == '\\') { + ++count; + } else { + break; + } + } + return count; +} + +// The XFCC header value is a comma (`,`) separated string. Each substring is an XFCC element, +// which holds information added by a single proxy. A proxy can append the current client +// certificate information as an XFCC element, to the end of the request’s XFCC header after a +// comma. +// +// Each XFCC element is a semicolon (`;`) separated string. Each substring is a key-value pair, +// grouped together by an equals (`=`) sign. The keys are case-insensitive, the values are +// case-sensitive. If `,`, `;` or `=` appear in a value, the value should be double-quoted. +// Double-quotes in the value should be replaced by backslash-double-quote (`\"`). +// +// There maybe multiple XFCC elements and the oldest/leftest one with the key will be used by +// default because Envoy assumes the oldest XFCC element come from the original client certificate. +// So scan the header left-to-right. + +// Handles a single key/value pair within an XFCC element. +absl::optional parseKeyValuePair(absl::string_view pair, absl::string_view target) { + // Find '=' not in quotes. Because key will always be the first part and won't be double + // quoted or contain `=`, we can safely use `absl::StrSplit`. + std::pair key_value = + absl::StrSplit(pair, absl::MaxSplits('=', 1)); + absl::string_view raw_key = absl::StripAsciiWhitespace(key_value.first); + if (!absl::EqualsIgnoreCase(raw_key, target)) { + return absl::nullopt; + } + + absl::string_view raw_value = absl::StripAsciiWhitespace(key_value.second); + // If value is double quoted, remove quotes. + if (raw_value.size() >= 2 && raw_value.front() == '"' && raw_value.back() == '"') { + raw_value = raw_value.substr(1, raw_value.size() - 2); + } + + // Quick path to avoid handle unescaping if not needed. + if (raw_value.find('\\') == absl::string_view::npos) { + return std::string(raw_value); + } + + // Handle unescaping. + + // If the raw value only contains a single backslash then return it as is. + if (raw_value.size() < 2) { + return std::string(raw_value); + } + + // Unescape double quotes and backslashes. + std::string unescaped; + unescaped.reserve(raw_value.size()); + size_t i = 0; + for (; i < raw_value.size() - 1; ++i) { + if (raw_value[i] == '\\') { + if (raw_value[i + 1] == '"' || raw_value[i + 1] == '\\') { + unescaped.push_back(raw_value[i + 1]); + ++i; + continue; + } + } + unescaped.push_back(raw_value[i]); + } + // Handle the last character. + if (i < raw_value.size()) { + unescaped.push_back(raw_value[i]); + } + + return unescaped; +} + +// Handles a single XFCC element (semicolon-separated key/value pairs). +absl::optional parseElementForKey(absl::string_view element, + absl::string_view target) { + + // Scan key-value pairs in this element (by semicolon not in quotes). + bool in_quotes = false; + size_t start = 0; + const size_t element_size = element.size(); + for (size_t i = 0; i <= element_size; ++i) { + // Check for end of key-value pair. + if (i == element_size || element[i] == ';') { + // If not in quotes then we found the end of a key-value pair. + if (!in_quotes) { + auto value = parseKeyValuePair(element.substr(start, i - start), target); + if (value.has_value()) { + return value; + } + start = i + 1; + } + continue; + } + + // Switch quote state if we encounter a quote character. + if (element[i] == '"') { + if (countBackslashes(element.substr(0, i)) % 2 == 0) { + in_quotes = !in_quotes; + } + } + } + + // Note, we should never encounter unmatched quotes here because if there is + // an unmatched quote, it should be handled in the parseValueFromXfccByKey() + // and will not enter this function. + ASSERT(!in_quotes); + return absl::nullopt; +} + +// Extracts the key from the XFCC header. +absl::StatusOr parseValueFromXfccByKey(const Http::RequestHeaderMap& headers, + absl::string_view target) { + absl::string_view value = headers.getForwardedClientCertValue(); + if (value.empty()) { + return absl::InvalidArgumentError("XFCC header is not present"); + } + + // Scan elements in the XFCC header (by comma not in quotes). + bool in_quotes = false; + size_t start = 0; + const size_t value_size = value.size(); + for (size_t i = 0; i <= value_size; ++i) { + // Check for end of element. + if (i == value_size || value[i] == ',') { + // If not in quotes then we found the end of an element. + if (!in_quotes) { + auto result = parseElementForKey(value.substr(start, i - start), target); + if (result.has_value()) { + return result.value(); + } + start = i + 1; + } + continue; + } + + // Switch quote state if we encounter a quote character. + if (value[i] == '"') { + if (countBackslashes(value.substr(0, i)) % 2 == 0) { + in_quotes = !in_quotes; + } + } + } + + if (in_quotes) { + return absl::InvalidArgumentError("Invalid XFCC header: unmatched quotes"); + } + + return absl::InvalidArgumentError("XFCC header does not contain target key"); +} + +} // namespace + +class XfccValueFormatterProvider : public ::Envoy::Formatter::FormatterProvider, + Logger::Loggable { +public: + XfccValueFormatterProvider(Http::LowerCaseString&& key) : key_(key) {} + + absl::optional formatWithContext(const Envoy::Formatter::Context& context, + const StreamInfo::StreamInfo&) const override { + auto status_or = parseValueFromXfccByKey(context.requestHeaders(), key_); + if (!status_or.ok()) { + ENVOY_LOG(debug, "XFCC value extraction failure: {}", status_or.status().message()); + return absl::nullopt; + } + return std::move(status_or.value()); + } + + Protobuf::Value formatValueWithContext(const Envoy::Formatter::Context& context, + const StreamInfo::StreamInfo& stream_info) const override { + absl::optional value = formatWithContext(context, stream_info); + if (!value.has_value()) { + return ValueUtil::nullValue(); + } + Protobuf::Value result; + result.set_string_value(std::move(value.value())); + return result; + } + +private: + Http::LowerCaseString key_; +}; + +Envoy::Formatter::FormatterProviderPtr +XfccValueFormatterCommandParser::parse(absl::string_view command, absl::string_view subcommand, + absl::optional) const { + // Implementation for parsing the XFCC_VALUE() command. + if (command != "XFCC_VALUE") { + return nullptr; + } + + Http::LowerCaseString lower_subcommand(subcommand); + if (subcommand.empty()) { + throw EnvoyException("XFCC_VALUE command requires a subcommand"); + } + if (!supportedKeys().contains(lower_subcommand.get())) { + throw EnvoyException( + absl::StrCat("XFCC_VALUE command does not support subcommand: ", lower_subcommand.get())); + } + return std::make_unique(std::move(lower_subcommand)); +} + +class XfccValueCommandParserFactory : public Envoy::Formatter::BuiltInCommandParserFactory { +public: + XfccValueCommandParserFactory() = default; + Envoy::Formatter::CommandParserPtr createCommandParser() const override { + return std::make_unique(); + } + std::string name() const override { return "envoy.built_in_formatters.xfcc_value"; } +}; + +REGISTER_FACTORY(XfccValueCommandParserFactory, Envoy::Formatter::BuiltInCommandParserFactory); + +} // namespace Formatter +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/formatter/xfcc_value/xfcc_value.h b/source/extensions/formatter/xfcc_value/xfcc_value.h new file mode 100644 index 0000000000000..43a977edfb0ba --- /dev/null +++ b/source/extensions/formatter/xfcc_value/xfcc_value.h @@ -0,0 +1,26 @@ +#pragma once + +#include + +#include "envoy/config/typed_config.h" +#include "envoy/registry/registry.h" + +#include "source/common/formatter/stream_info_formatter.h" +#include "source/common/formatter/substitution_formatter.h" + +namespace Envoy { +namespace Extensions { +namespace Formatter { + +// Access log handler for XFCC_VALUE() command. +class XfccValueFormatterCommandParser : public ::Envoy::Formatter::CommandParser { +public: + XfccValueFormatterCommandParser() = default; + Envoy::Formatter::FormatterProviderPtr parse(absl::string_view command, + absl::string_view subcommand, + absl::optional max_length) const override; +}; + +} // namespace Formatter +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/formatter/xfcc_value/BUILD b/test/extensions/formatter/xfcc_value/BUILD new file mode 100644 index 0000000000000..afc8460577947 --- /dev/null +++ b/test/extensions/formatter/xfcc_value/BUILD @@ -0,0 +1,40 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_fuzz_test", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "xfcc_value_test", + srcs = ["xfcc_value_test.cc"], + extension_names = ["envoy.built_in_formatters.xfcc_value"], + rbe_pool = "6gig", + deps = [ + "//source/common/formatter:substitution_formatter_lib", + "//source/extensions/formatter/xfcc_value:config", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stream_info:stream_info_mocks", + "//test/test_common:test_runtime_lib", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + ], +) + +envoy_cc_fuzz_test( + name = "xfcc_value_fuzz_test", + srcs = ["xfcc_value_fuzz_test.cc"], + corpus = "xfcc_value_corpus", + rbe_pool = "6gig", + deps = [ + "//source/extensions/formatter/xfcc_value:config", + "//test/mocks/stream_info:stream_info_mocks", + "//test/test_common:utility_lib", + ], +) diff --git a/test/extensions/formatter/xfcc_value/xfcc_value_corpus/example b/test/extensions/formatter/xfcc_value/xfcc_value_corpus/example new file mode 100644 index 0000000000000..e46bcf5c2ddda --- /dev/null +++ b/test/extensions/formatter/xfcc_value/xfcc_value_corpus/example @@ -0,0 +1,8 @@ +URI="abc,=,";DNS=example.com +By=spiffe://lyft.com/frontend;By=http://frontend.lyft.com;Hash=123456;URI=spiffe://lyft.com/testclient" +By=spiffe://lyft.com/backend-team;By=http://backend.lyft.com;Hash=xxxyyyzzz +By=spiffe://lyft.com/backend-team;By="http://backend.lyft.com";Hash=xxxyyyzzz +DNS=lyft.com";DNS=www.lyft.com +Subject="emailAddress=frontend-team@lyft.com,CN=Test Frontend Team,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US" +By="a\\";URI="spiffe://good" +By="a\\\"b";URI="spiffe://ns/svc" diff --git a/test/extensions/formatter/xfcc_value/xfcc_value_fuzz_test.cc b/test/extensions/formatter/xfcc_value/xfcc_value_fuzz_test.cc new file mode 100644 index 0000000000000..4bf775d43ef43 --- /dev/null +++ b/test/extensions/formatter/xfcc_value/xfcc_value_fuzz_test.cc @@ -0,0 +1,32 @@ +#include "source/common/common/logger.h" +#include "source/common/formatter/http_formatter_context.h" +#include "source/extensions/formatter/xfcc_value/xfcc_value.h" + +#include "test/fuzz/fuzz_runner.h" +#include "test/mocks/stream_info/mocks.h" +#include "test/test_common/utility.h" + +namespace Envoy { +namespace Extensions { +namespace Formatter { +namespace { + +DEFINE_FUZZER(const uint8_t* buf, size_t len) { + Http::HeaderStringValidator::disable_validation_for_tests_ = true; + absl::string_view sv(reinterpret_cast(buf), len); + + // We just want to make sure that the parser doesn't crash with any input. + XfccValueFormatterCommandParser parser; + auto formatter = parser.parse("XFCC_VALUE", "uri", absl::nullopt); + + Http::TestRequestHeaderMapImpl request_headers{}; + request_headers.setForwardedClientCert(sv); + StreamInfo::MockStreamInfo stream_info; + + formatter->formatValueWithContext({&request_headers}, stream_info); +} + +} // namespace +} // namespace Formatter +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/formatter/xfcc_value/xfcc_value_test.cc b/test/extensions/formatter/xfcc_value/xfcc_value_test.cc new file mode 100644 index 0000000000000..4e4a5f8b37f26 --- /dev/null +++ b/test/extensions/formatter/xfcc_value/xfcc_value_test.cc @@ -0,0 +1,110 @@ +#include "envoy/config/core/v3/substitution_format_string.pb.validate.h" + +#include "source/common/formatter/substitution_format_string.h" +#include "source/common/formatter/substitution_formatter.h" + +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stream_info/mocks.h" +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace Formatter { +namespace { + +class XfccValueTest : public ::testing::Test { +public: + StreamInfo::MockStreamInfo stream_info_; + NiceMock context_; +}; + +TEST_F(XfccValueTest, UnknownCommand) { + auto formatter_or_error = Envoy::Formatter::SubstitutionFormatParser::parse("%UNKNOWN_COMMAND%"); + EXPECT_EQ("Not supported field in StreamInfo: UNKNOWN_COMMAND", + formatter_or_error.status().message()); +} + +TEST_F(XfccValueTest, MissingSubcommand) { + EXPECT_THROW_WITH_MESSAGE( + { auto error = Envoy::Formatter::SubstitutionFormatParser::parse("%XFCC_VALUE%"); }, + EnvoyException, "XFCC_VALUE command requires a subcommand"); +} + +TEST_F(XfccValueTest, UnsupportedSubcommand) { + EXPECT_THROW_WITH_MESSAGE( + { + auto error = + Envoy::Formatter::SubstitutionFormatParser::parse("%XFCC_VALUE(unsupported_key)%"); + }, + EnvoyException, "XFCC_VALUE command does not support subcommand: unsupported_key"); +} + +TEST_F(XfccValueTest, Test) { + auto formatter = + std::move(Envoy::Formatter::SubstitutionFormatParser::parse("%XFCC_VALUE(uri)%").value()[0]); + + { + // No XFCC header. + Http::TestRequestHeaderMapImpl headers{}; + EXPECT_TRUE(formatter->formatValueWithContext({&headers}, stream_info_).has_null_value()); + } + + { + // Normal value. + Http::TestRequestHeaderMapImpl headers{ + {"x-forwarded-client-cert", "By=test;URI=abc;DNS=example.com"}}; + EXPECT_EQ(formatter->formatValueWithContext({&headers}, stream_info_).string_value(), "abc"); + } + + // Normal value with special characters. + { + Http::TestRequestHeaderMapImpl headers{ + {"x-forwarded-client-cert", R"(By=test;URI="a,b,c;\"e;f;g=x";DNS=example.com)"}}; + EXPECT_EQ(formatter->formatValueWithContext({&headers}, stream_info_).string_value(), + R"(a,b,c;"e;f;g=x)"); + } + + { + // Multiple elements. + Http::TestRequestHeaderMapImpl headers{ + {"x-forwarded-client-cert", + R"(By=test;DNS=example.com,By=test;URI="a,b,c;\"e;f;g=x";DNS=example.com)"}}; + EXPECT_EQ(formatter->formatValueWithContext({&headers}, stream_info_).string_value(), + R"(a,b,c;"e;f;g=x)"); + } + + { + // With escaped backslash. + Http::TestRequestHeaderMapImpl headers{ + {"x-forwarded-client-cert", R"(By=test;DNS=example.com,By=test;URI="\\";DNS=example.com)"}}; + EXPECT_EQ(formatter->formatValueWithContext({&headers}, stream_info_).string_value(), R"(\)"); + } + + { + // With escaped backslash and escaped quote. + Http::TestRequestHeaderMapImpl headers{ + {"x-forwarded-client-cert", + R"(By=test;DNS=example.com,By=test;URI="\\\"";DNS=example.com)"}}; + EXPECT_EQ(formatter->formatValueWithContext({&headers}, stream_info_).string_value(), R"(\")"); + } + + { + // Unclosed quotes in XFCC header. + Http::TestRequestHeaderMapImpl headers{ + {"x-forwarded-client-cert", R"(By=test;URI="abc;DNS=example.com)"}}; + EXPECT_TRUE(formatter->formatValueWithContext({&headers}, stream_info_).has_null_value()); + } + + { + // No required key. + Http::TestRequestHeaderMapImpl headers{{"x-forwarded-client-cert", "By=test;DNS=example.com"}}; + EXPECT_TRUE(formatter->formatValueWithContext({&headers}, stream_info_).has_null_value()); + } +} + +} // namespace +} // namespace Formatter +} // namespace Extensions +} // namespace Envoy diff --git a/tools/extensions/extensions_schema.yaml b/tools/extensions/extensions_schema.yaml index c96efd33cfd89..39de74ef912ae 100644 --- a/tools/extensions/extensions_schema.yaml +++ b/tools/extensions/extensions_schema.yaml @@ -64,6 +64,7 @@ security_postures: categories: - envoy.access_loggers - envoy.bootstrap +- envoy.built_in_formatters - envoy.clusters - envoy.compression.compressor - envoy.compression.decompressor From e16d5021a2a863a8a3adb6b102e055d48d25295b Mon Sep 17 00:00:00 2001 From: Greg Greenway Date: Fri, 19 Sep 2025 06:59:17 -0700 Subject: [PATCH 431/505] build: set -Wno-error in quiche and v8 dep builds (#41130) Envoy is built by various platform and compiler combinations, and some of those produce warnings in quiche and v8 builds. This should not prevent those builds from succeeding. Signed-off-by: Greg Greenway --- .bazelrc | 1 + bazel/external/quiche.bzl | 3 +++ bazel/v8.patch | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/.bazelrc b/.bazelrc index fcbba3f03831f..b97e00632aca7 100644 --- a/.bazelrc +++ b/.bazelrc @@ -174,6 +174,7 @@ build:asan --linkopt='-L/opt/llvm/lib/clang/18/lib/x86_64-unknown-linux-gnu' build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin build:macos --host_action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin build:macos --define tcmalloc=disabled +build:macos --cxxopt=-Wno-nullability-completeness # macOS ASAN/UBSAN build:macos-asan --config=asan diff --git a/bazel/external/quiche.bzl b/bazel/external/quiche.bzl index e5df747a0020f..5559dac02609e 100644 --- a/bazel/external/quiche.bzl +++ b/bazel/external/quiche.bzl @@ -11,6 +11,9 @@ quiche_common_copts = [ # hpack_huffman_decoder.cc overloads operator<<. "-Wno-unused-function", "-Wno-old-style-cast", + + # Envoy build should not fail if a dependency has a warning. + "-Wno-error", ] quiche_copts = select({ diff --git a/bazel/v8.patch b/bazel/v8.patch index dc42c96b0c98d..f94ac360b881a 100644 --- a/bazel/v8.patch +++ b/bazel/v8.patch @@ -82,6 +82,15 @@ diff --git a/bazel/defs.bzl b/bazel/defs.bzl index 0539ea176ac..92c7aeb904f 100644 --- a/bazel/defs.bzl +++ b/bazel/defs.bzl +@@ -106,7 +106,7 @@ def _default_args(): + "@v8//bazel/config:is_posix": [ + "-fPIC", + "-fno-strict-aliasing", +- "-Werror", ++ "-Wno-error", # Envoy build should not fail for warnings in dependencies + "-Wextra", + "-Wno-unneeded-internal-declaration", + "-Wno-unknown-warning-option", # b/330781959 @@ -117,6 +117,9 @@ def _default_args(): "-Wno-implicit-int-float-conversion", "-Wno-deprecated-copy", From 9abfc9991fba377a804bfe0f17d32f34e43f4b92 Mon Sep 17 00:00:00 2001 From: Jonh Wendell Date: Fri, 19 Sep 2025 10:20:15 -0400 Subject: [PATCH 432/505] ci: gcc: Build before testing (#41127) Mimic the behavior of clang; Building first might catch build and dependencies failures earlier. Signed-off-by: Jonh Wendell --- ci/do_ci.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/do_ci.sh b/ci/do_ci.sh index 9a9eeeb833dac..8b42bbd869b97 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -668,14 +668,14 @@ case $CI_TARGET in CONFIG="${CONFIG_PREFIX}gcc" BAZEL_BUILD_OPTIONS+=("--config=${CONFIG}") echo "gcc toolchain configured: ${CONFIG}" + echo "bazel fastbuild build with gcc..." + bazel_envoy_binary_build fastbuild echo "Testing ${TEST_TARGETS[*]}" bazel_with_collection \ test "${BAZEL_BUILD_OPTIONS[@]}" \ -c fastbuild \ --remote_download_minimal \ -- "${TEST_TARGETS[@]}" - echo "bazel release build with gcc..." - bazel_envoy_binary_build fastbuild ;; info) From 0dc96eef9f11d11ef76e11606c4a762ea117a8ed Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 15:49:42 +0100 Subject: [PATCH 433/505] deps: Bump `bazel_features` -> 1.36.0 (#41132) Fix #41120 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 791c785d374be..bd1f7e7774be2 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -34,11 +34,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Bazel features", project_desc = "Support Bazel feature detection from starlark", project_url = "https://github.com/bazel-contrib/bazel_features", - version = "1.33.0", - sha256 = "c41853e3b636c533b86bf5ab4658064e6cc9db0a3bce52cbff0629e094344ca9", + version = "1.36.0", + sha256 = "9390b391a68d3b24aef7966bce8556d28003fe3f022a5008efc7807e8acaaf1a", urls = ["https://github.com/bazel-contrib/bazel_features/releases/download/v{version}/bazel_features-v{version}.tar.gz"], strip_prefix = "bazel_features-{version}", - release_date = "2025-07-30", + release_date = "2025-09-17", use_category = ["build"], license = "Apache-2.0", license_url = "https://github.com/bazel-contrib/bazel_features/blob/v{version}/LICENSE", From a543f54ff0aa917724362f38404311e0ecbbf41f Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 15:50:17 +0100 Subject: [PATCH 434/505] deps: Bump `com_github_google_perfetto` -> 52.0 (#41134) Fix #41108 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index bd1f7e7774be2..08ec75babd66d 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -249,12 +249,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Perfetto", project_desc = "Perfetto Tracing SDK", project_url = "https://perfetto.dev/", - version = "51.2", - sha256 = "4f917887dc577587d318c6be01799ec072244b5720c6ee627ab7f224c3b0a890", + version = "52.0", + sha256 = "1872349439820e241003a9862cb69f4d535926c437d5316b49ce4a820613539d", strip_prefix = "perfetto-{version}/sdk", urls = ["https://github.com/google/perfetto/archive/v{version}.tar.gz"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-07-03", + release_date = "2025-09-16", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/google/perfetto/blob/v{version}/LICENSE", From dc6a31dff7b97f634b1618b3d2956514ebe0218e Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 15:51:04 +0100 Subject: [PATCH 435/505] deps/api: Bump `opentelemetry_proto` -> 1.8.0 (#41136) Fix #40951 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- api/bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl index 5ba30b6b18530..a28a765d9d958 100644 --- a/api/bazel/repository_locations.bzl +++ b/api/bazel/repository_locations.bzl @@ -131,9 +131,9 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "OpenTelemetry Proto", project_desc = "Language Independent Interface Types For OpenTelemetry", project_url = "https://github.com/open-telemetry/opentelemetry-proto", - version = "1.7.0", - sha256 = "11330d850f5e24d34c4246bc8cb21fcd311e7565d219195713455a576bb11bed", - release_date = "2025-05-21", + version = "1.8.0", + sha256 = "057812cab50122c0fd504aae57b0b58424a5ec05d1b07889814bdfc7699abbe7", + release_date = "2025-09-02", strip_prefix = "opentelemetry-proto-{version}", urls = ["https://github.com/open-telemetry/opentelemetry-proto/archive/v{version}.tar.gz"], use_category = ["api"], From f0b3c230d979e475684937ce4533946b970a7bf0 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 15:51:47 +0100 Subject: [PATCH 436/505] deps/api: Bump `rules_buf` -> 0.5.2 (#41137) Fix #40834 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- api/bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl index a28a765d9d958..33863e8ad5d27 100644 --- a/api/bazel/repository_locations.bzl +++ b/api/bazel/repository_locations.bzl @@ -105,9 +105,9 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Bazel rules for Buf", project_desc = "Bazel rules for Buf", project_url = "https://github.com/bufbuild/rules_buf", - version = "0.5.0", - sha256 = "19ca4b0359f03c41563054d54812602fcf925e86d62832581cba8c524ee419b1", - release_date = "2025-07-24", + version = "0.5.2", + sha256 = "19d845cedf32c0e74a01af8d0bd904872bddc7905f087318d00b332aa36d3929", + release_date = "2025-08-22", strip_prefix = "rules_buf-{version}", urls = ["https://github.com/bufbuild/rules_buf/archive/refs/tags/v{version}.tar.gz"], use_category = ["api"], From c923d731c91d8b7dd2cb85ef332ccde841544d74 Mon Sep 17 00:00:00 2001 From: "Anuraag (Rag) Agrawal" Date: Sat, 20 Sep 2025 00:45:52 +0900 Subject: [PATCH 437/505] dynamic_modules: expose filter data injection in ABI and rust SDK (#41087) Commit Message: dynamic_modules: expose filter data injection in ABI and rust SDK Additional Description: I am prototyping a Python app server using dynamic modules and found I need to be able to inject response body outside the filter chain's lifecycle This may also be related to #40918, instead of managing buffers within the filter chain and module, probably there's no better way than to pick one or the other. This ABI allows ensuring the module has full control of the body buffers, but the downside would be it can lead to situations without appropriate back-pressure - whether this is fine or not would depend on the application's needs, in the python app server for example, I am not as concerned about response back pressure as request back pressure (I only use injection for the response). Risk Level: Low Testing: integration test, manual testing of response injection Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Anuraag Agrawal --- source/extensions/dynamic_modules/abi.h | 32 ++++++++ .../extensions/dynamic_modules/abi_version.h | 2 +- .../dynamic_modules/sdk/rust/src/lib.rs | 40 ++++++++++ .../filters/http/dynamic_modules/abi_impl.cc | 28 +++++++ .../dynamic_modules/http/integration_test.cc | 21 +++++ .../test_data/rust/http_integration_test.rs | 77 ++++++++++++++++++- 6 files changed, 198 insertions(+), 2 deletions(-) diff --git a/source/extensions/dynamic_modules/abi.h b/source/extensions/dynamic_modules/abi.h index 81f428ec2fcef..36fed649db8f0 100644 --- a/source/extensions/dynamic_modules/abi.h +++ b/source/extensions/dynamic_modules/abi.h @@ -1364,6 +1364,22 @@ bool envoy_dynamic_module_callback_http_append_request_body( bool envoy_dynamic_module_callback_http_drain_request_body( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t number_of_bytes); +/** + * envoy_dynamic_module_callback_http_inject_request_body is called by the module to + * inject the given request data directly into the filter stream. This method should only be called + * from a scheduled event. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object of the + * corresponding HTTP filter. + * @param data is the pointer to the buffer of the data to be injected. + * @param length is the length of the data. + * @param end_stream is true if this is the last data to be injected. + * @return true if the body is available, false otherwise. + */ +bool envoy_dynamic_module_callback_http_inject_request_body( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr data, size_t length, bool end_stream); + /** * This is the same as envoy_dynamic_module_callback_http_get_request_body_vector, but for the * response body. See the comments on envoy_dynamic_module_callback_http_get_request_body_vector @@ -1397,6 +1413,22 @@ bool envoy_dynamic_module_callback_http_append_response_body( bool envoy_dynamic_module_callback_http_drain_response_body( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, size_t number_of_bytes); +/** + * envoy_dynamic_module_callback_http_inject_response_body is called by the module to + * inject the given response data directly into the filter stream. This method should only be called + * from a scheduled event. + * + * @param filter_envoy_ptr is the pointer to the DynamicModuleHttpFilter object of the + * corresponding HTTP filter. + * @param data is the pointer to the buffer of the data to be injected. + * @param length is the length of the data. + * @param end_stream is true if this is the last data to be injected. + * @return true if the body is available, false otherwise. + */ +bool envoy_dynamic_module_callback_http_inject_response_body( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr data, size_t length, bool end_stream); + // ---------------------------- Metadata Callbacks ----------------------------- /** diff --git a/source/extensions/dynamic_modules/abi_version.h b/source/extensions/dynamic_modules/abi_version.h index adbaefb2f3b15..0607ad6628979 100644 --- a/source/extensions/dynamic_modules/abi_version.h +++ b/source/extensions/dynamic_modules/abi_version.h @@ -6,7 +6,7 @@ namespace DynamicModules { #endif // This is the ABI version calculated as a sha256 hash of the ABI header files. When the ABI // changes, this value must change, and the correctness of this value is checked by the test. -const char* kAbiVersion = "065131764c2e1ee1c95d5f7700e7bc09acc7d14934fc7c09413e3a4957a7c045"; +const char* kAbiVersion = "f2712929b605772d35c34d9ac8ccd7e168197a50951e9c96b64e03256bf80265"; #ifdef __cplusplus } // namespace DynamicModules diff --git a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs index 84aa963903235..28199cbd05eb5 100644 --- a/source/extensions/dynamic_modules/sdk/rust/src/lib.rs +++ b/source/extensions/dynamic_modules/sdk/rust/src/lib.rs @@ -806,6 +806,15 @@ pub trait EnvoyHttpFilter { /// content-length header if necessary. fn append_request_body(&mut self, data: &[u8]) -> bool; + /// Injects the given request data into the filter stream. + /// + /// Returns false if the request filter chain is not available. + /// + /// This must only be called from on_http_callout_done or on_scheduled callbacks. + /// The request filter should have been stopped and continue_decoding must not + /// be called. + fn inject_request_body(&mut self, data: &[u8], end_stream: bool) -> bool; + /// Get the currently buffered response body. The body is represented as a list of /// [`EnvoyBuffer`]. Memory contents pointed by each [`EnvoyBuffer`] is mutable and can be /// modified in place. However, the buffer itself is immutable. For example, adding or removing @@ -862,6 +871,15 @@ pub trait EnvoyHttpFilter { /// content-length header if necessary. fn append_response_body(&mut self, data: &[u8]) -> bool; + /// Injects the given response data into the filter stream. + /// + /// Returns false if the response filter chain is not available. + /// + /// This must only be called from on_http_callout_done or on_scheduled callbacks. + /// The response filter should have been stopped and continue_encoding must not + /// be called. + fn inject_response_body(&mut self, data: &[u8], end_stream: bool) -> bool; + /// Clear the route cache calculated during a previous phase of the filter chain. /// /// This is useful when the filter wants to force a re-evaluation of the route selection after @@ -1396,6 +1414,17 @@ impl EnvoyHttpFilter for EnvoyHttpFilterImpl { } } + fn inject_request_body(&mut self, data: &[u8], end_stream: bool) -> bool { + unsafe { + abi::envoy_dynamic_module_callback_http_inject_request_body( + self.raw_ptr, + data.as_ptr() as *const _ as *mut _, + data.len(), + end_stream, + ) + } + } + fn get_response_body(&mut self) -> Option> { let mut size: usize = 0; let ok = unsafe { @@ -1435,6 +1464,17 @@ impl EnvoyHttpFilter for EnvoyHttpFilterImpl { } } + fn inject_response_body(&mut self, data: &[u8], end_stream: bool) -> bool { + unsafe { + abi::envoy_dynamic_module_callback_http_inject_response_body( + self.raw_ptr, + data.as_ptr() as *const _ as *mut _, + data.len(), + end_stream, + ) + } + } + fn clear_route_cache(&mut self) { unsafe { abi::envoy_dynamic_module_callback_http_clear_route_cache(self.raw_ptr) } } diff --git a/source/extensions/filters/http/dynamic_modules/abi_impl.cc b/source/extensions/filters/http/dynamic_modules/abi_impl.cc index 43929f12ac834..0ecdd4c4a449c 100644 --- a/source/extensions/filters/http/dynamic_modules/abi_impl.cc +++ b/source/extensions/filters/http/dynamic_modules/abi_impl.cc @@ -915,6 +915,20 @@ bool envoy_dynamic_module_callback_http_drain_request_body( return true; } +bool envoy_dynamic_module_callback_http_inject_request_body( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr data, size_t length, bool end_stream) { + auto filter = static_cast(filter_envoy_ptr); + if (!filter->decoder_callbacks_) { + return false; + } + + Buffer::OwnedImpl buffer(static_cast(data), length); + filter->decoder_callbacks_->injectDecodedDataToFilterChain(buffer, end_stream); + + return true; +} + bool envoy_dynamic_module_callback_http_get_response_body_vector( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, envoy_dynamic_module_type_envoy_buffer* result_buffer_vector) { @@ -991,6 +1005,20 @@ bool envoy_dynamic_module_callback_http_drain_response_body( return true; } +bool envoy_dynamic_module_callback_http_inject_response_body( + envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr, + envoy_dynamic_module_type_buffer_module_ptr data, size_t length, bool end_stream) { + auto filter = static_cast(filter_envoy_ptr); + if (!filter->encoder_callbacks_) { + return false; + } + + Buffer::OwnedImpl buffer(static_cast(data), length); + filter->encoder_callbacks_->injectEncodedDataToFilterChain(buffer, end_stream); + + return true; +} + void envoy_dynamic_module_callback_http_clear_route_cache( envoy_dynamic_module_type_http_filter_envoy_ptr filter_envoy_ptr) { auto filter = static_cast(filter_envoy_ptr); diff --git a/test/extensions/dynamic_modules/http/integration_test.cc b/test/extensions/dynamic_modules/http/integration_test.cc index e0b144754752f..b8836e7835ae2 100644 --- a/test/extensions/dynamic_modules/http/integration_test.cc +++ b/test/extensions/dynamic_modules/http/integration_test.cc @@ -606,4 +606,25 @@ TEST_P(DynamicModulesIntegrationTest, StatsCallbacks) { } } +TEST_P(DynamicModulesIntegrationTest, InjectBody) { + initializeFilter("inject_body"); + codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); + + auto response = + codec_client_->makeRequestWithBody(default_request_headers_, "ignored_request_body"); + waitForNextUpstreamRequest(); + upstream_request_->encodeHeaders(default_response_headers_, false); + upstream_request_->encodeData("ignored_response_body", true); + + ASSERT_TRUE(response->waitForEndStream()); + + // Verify the injected request was received upstream, as expected. + EXPECT_TRUE(upstream_request_->complete()); + EXPECT_EQ("injected_request_body", upstream_request_->body().toString()); + // Verify the injected response was received downstream, as expected. + EXPECT_TRUE(response->complete()); + EXPECT_EQ("200", response->headers().Status()->value().getStringView()); + EXPECT_EQ("injected_response_body", response->body()); +} + } // namespace Envoy diff --git a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs index 3a6a6e4238575..061aa0b87e864 100644 --- a/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs +++ b/test/extensions/dynamic_modules/test_data/rust/http_integration_test.rs @@ -66,6 +66,7 @@ fn new_http_filter_config_fn( header_to_set: config_iter.next().unwrap().to_owned(), })) }, + "inject_body" => Some(Box::new(InjectBodyHttpFilterConfig {})), _ => panic!("Unknown filter name: {}", name), } } @@ -624,7 +625,6 @@ impl Drop for HttpFilterScheduler { } } - /// This implements a fake external caching filter that simulates an asynchronous cache lookup. struct FakeExternalCachingFilterConfig {} @@ -900,3 +900,78 @@ impl HttpFilter for StatsCallbacksFilter { .unwrap(); } } + +// Filter that blocks request and response body processing within the filter chain and +// instead injects request and response body within a scheduler callback. +struct InjectBodyHttpFilterConfig {} + +impl HttpFilterConfig for InjectBodyHttpFilterConfig { + fn new_http_filter(&mut self, _envoy: &mut EHF) -> Box> { + Box::new(InjectBodyHttpFilter {}) + } +} + +const EVENT_INJECT_REQUEST_BODY: u64 = 1; +const EVENT_INJECT_RESPONSE_BODY: u64 = 2; + +struct InjectBodyHttpFilter {} + +impl HttpFilter for InjectBodyHttpFilter { + fn on_request_headers( + &mut self, + envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> envoy_dynamic_module_type_on_http_filter_request_headers_status { + // Schedule request body injection outside the filter lifecycle. + envoy_filter + .new_scheduler() + .commit(EVENT_INJECT_REQUEST_BODY); + return envoy_dynamic_module_type_on_http_filter_request_headers_status::Continue; + } + + fn on_request_body( + &mut self, + _envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> envoy_dynamic_module_type_on_http_filter_request_body_status { + // Ignore downstream request body. + return envoy_dynamic_module_type_on_http_filter_request_body_status::StopIterationAndBuffer; + } + + fn on_response_headers( + &mut self, + envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> abi::envoy_dynamic_module_type_on_http_filter_response_headers_status { + // Schedule response body injection outside the filter lifecycle. + envoy_filter + .new_scheduler() + .commit(EVENT_INJECT_RESPONSE_BODY); + abi::envoy_dynamic_module_type_on_http_filter_response_headers_status::Continue + } + + fn on_response_body( + &mut self, + _envoy_filter: &mut EHF, + _end_of_stream: bool, + ) -> envoy_dynamic_module_type_on_http_filter_response_body_status { + // Ignore upstream response body. + return envoy_dynamic_module_type_on_http_filter_response_body_status::StopIterationAndBuffer; + } + + fn on_scheduled(&mut self, envoy_filter: &mut EHF, event_id: u64) { + // Inject the request or response body based on the event type. We inject + // both without and with end_stream to ensure the full body is sent correctly. + match event_id { + EVENT_INJECT_REQUEST_BODY => { + envoy_filter.inject_request_body(b"injected_", false); + envoy_filter.inject_request_body(b"request_body", true); + }, + EVENT_INJECT_RESPONSE_BODY => { + envoy_filter.inject_response_body(b"injected_", false); + envoy_filter.inject_response_body(b"response_body", true); + }, + _ => unreachable!(), + } + } +} From f934a58196794c5860a63c8102f772f7b7e7471a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 06:04:25 +0000 Subject: [PATCH 438/505] build(deps): bump actions/github-script from 7 to 8 Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/envoy-security-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/envoy-security-check.yml b/.github/workflows/envoy-security-check.yml index 459c23d3bc15b..b4e364c0f264b 100644 --- a/.github/workflows/envoy-security-check.yml +++ b/.github/workflows/envoy-security-check.yml @@ -68,7 +68,7 @@ jobs: # PR - name: Comment on PR if: matrix.action == 'comment' && github.event.workflow_run.pull_requests[0] - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | try { From b4c9d17c58866a9cb59bd392494367cf73462176 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Sep 2025 06:04:32 +0000 Subject: [PATCH 439/505] build(deps): bump pyopenssl from 25.1.0 to 25.3.0 in /tools/base Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 25.1.0 to 25.3.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/25.1.0...25.3.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-version: 25.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tools/base/requirements.txt | 65 +++++++++++++++++++++++++++++++++---- 1 file changed, 58 insertions(+), 7 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index 17f74c31cf82b..ae5400bcfc635 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -447,10 +447,61 @@ coloredlogs==15.0.1 \ # via # -r requirements.in # aio-run-runner -cryptography==44.0.1 \ - --hash=sha256:436df4f203482f41aad60ed1813811ac4ab102765ecae7a2bbb1dbb66dcff5a7 \ - --hash=sha256:72198e2b5925155497a5a3e8c216c7fb3e64c16ccee11f0e7da272fa93b35c4c \ - --hash=sha256:a2d8a7045e1ab9b9f803f0d9531ead85f90c5f2859e653b61497228b18452008 +cryptography==46.0.0 \ + --hash=sha256:07a1be54f995ce14740bf8bbe1cc35f7a37760f992f73cf9f98a2a60b9b97419 \ + --hash=sha256:0f58183453032727a65e6605240e7a3824fd1d6a7e75d2b537e280286ab79a52 \ + --hash=sha256:16b5ac72a965ec9d1e34d9417dbce235d45fa04dac28634384e3ce40dfc66495 \ + --hash=sha256:1b4fba84166d906a22027f0d958e42f3a4dbbb19c28ea71f0fb7812380b04e3c \ + --hash=sha256:1d2073313324226fd846e6b5fc340ed02d43fd7478f584741bd6b791c33c9fee \ + --hash=sha256:249c41f2bbfa026615e7bdca47e4a66135baa81b08509ab240a2e666f6af5966 \ + --hash=sha256:274f8b2eb3616709f437326185eb563eb4e5813d01ebe2029b61bfe7d9995fbb \ + --hash=sha256:2fc30be952dd4334801d345d134c9ef0e9ccbaa8c3e1bc18925cbc4247b3e29c \ + --hash=sha256:32670ca085150ff36b438c17f2dfc54146fe4a074ebf0a76d72fb1b419a974bc \ + --hash=sha256:35aa1a44bd3e0efc3ef09cf924b3a0e2a57eda84074556f4506af2d294076685 \ + --hash=sha256:3738f50215211cee1974193a1809348d33893696ce119968932ea117bcbc9b1d \ + --hash=sha256:378eff89b040cbce6169528f130ee75dceeb97eef396a801daec03b696434f06 \ + --hash=sha256:399ef4c9be67f3902e5ca1d80e64b04498f8b56c19e1bc8d0825050ea5290410 \ + --hash=sha256:40ee4ce3c34acaa5bc347615ec452c74ae8ff7db973a98c97c62293120f668c6 \ + --hash=sha256:4bc257c2d5d865ed37d0bd7c500baa71f939a7952c424f28632298d80ccd5ec1 \ + --hash=sha256:4f70cbade61a16f5e238c4b0eb4e258d177a2fcb59aa0aae1236594f7b0ae338 \ + --hash=sha256:523153480d7575a169933f083eb47b1edd5fef45d87b026737de74ffeb300f69 \ + --hash=sha256:6460866a92143a24e3ed68eaeb6e98d0cedd85d7d9a8ab1fc293ec91850b1b38 \ + --hash=sha256:65e9117ebed5b16b28154ed36b164c20021f3a480e9cbb4b4a2a59b95e74c25d \ + --hash=sha256:6c39fd5cd9b7526afa69d64b5e5645a06e1b904f342584b3885254400b63f1b3 \ + --hash=sha256:6d8945bc120dcd90ae39aa841afddaeafc5f2e832809dc54fb906e3db829dfdc \ + --hash=sha256:75d2ddde8f1766ab2db48ed7f2aa3797aeb491ea8dfe9b4c074201aec00f5c16 \ + --hash=sha256:77e3bd53c9c189cea361bc18ceb173959f8b2dd8f8d984ae118e9ac641410252 \ + --hash=sha256:7f3f88df0c9b248dcc2e76124f9140621aca187ccc396b87bc363f890acf3a30 \ + --hash=sha256:80a548a5862d6912a45557a101092cd6c64ae1475b82cef50ee305d14a75f598 \ + --hash=sha256:834af45296083d892e23430e3b11df77e2ac5c042caede1da29c9bf59016f4d2 \ + --hash=sha256:83af84ebe7b6e9b6de05050c79f8cc0173c864ce747b53abce6a11e940efdc0d \ + --hash=sha256:88c09da8a94ac27798f6b62de6968ac78bb94805b5d272dbcfd5fdc8c566999f \ + --hash=sha256:8e8b222eb54e3e7d3743a7c2b1f7fa7df7a9add790307bb34327c88ec85fe087 \ + --hash=sha256:91585fc9e696abd7b3e48a463a20dda1a5c0eeeca4ba60fa4205a79527694390 \ + --hash=sha256:99f64a6d15f19f3afd78720ad2978f6d8d4c68cd4eb600fab82ab1a7c2071dca \ + --hash=sha256:9aa85222f03fdb30defabc7a9e1e3d4ec76eb74ea9fe1504b2800844f9c98440 \ + --hash=sha256:ab3a14cecc741c8c03ad0ad46dfbf18de25218551931a23bca2731d46c706d83 \ + --hash=sha256:b8e7db4ce0b7297e88f3d02e6ee9a39382e0efaf1e8974ad353120a2b5a57ef7 \ + --hash=sha256:bbaa5eef3c19c66613317dc61e211b48d5f550db009c45e1c28b59d5a9b7812a \ + --hash=sha256:be7479f9504bfb46628544ec7cb4637fe6af8b70445d4455fbb9c395ad9b7290 \ + --hash=sha256:bf1961037309ee0bdf874ccba9820b1c2f720c2016895c44d8eb2316226c1ad5 \ + --hash=sha256:c1f6ccd6f2eef3b2eb52837f0463e853501e45a916b3fc42e5d93cf244a4b97b \ + --hash=sha256:c3648d6a5878fd1c9a22b1d43fa75efc069d5f54de12df95c638ae7ba88701d0 \ + --hash=sha256:c39f0947d50f74b1b3523cec3931315072646286fb462995eb998f8136779319 \ + --hash=sha256:c3cd09b1490c1509bf3892bde9cef729795fae4a2fee0621f19be3321beca7e4 \ + --hash=sha256:c457ad3f151d5fb380be99425b286167b358f76d97ad18b188b68097193ed95a \ + --hash=sha256:c9c4121f9a41cc3d02164541d986f59be31548ad355a5c96ac50703003c50fb7 \ + --hash=sha256:d14eaf1569d6252280516bedaffdd65267428cdbc3a8c2d6de63753cf0863d5e \ + --hash=sha256:d1eccae15d5c28c74b2bea228775c63ac5b6c36eedb574e002440c0bc28750d3 \ + --hash=sha256:d349af4d76a93562f1dce4d983a4a34d01cb22b48635b0d2a0b8372cdb4a8136 \ + --hash=sha256:d5c0cbb2fb522f7e39b59a5482a1c9c5923b7c506cfe96a1b8e7368c31617ac0 \ + --hash=sha256:da7f93551d39d462263b6b5c9056c49f780b9200bf9fc2656d7c88c7bdb9b363 \ + --hash=sha256:df932ac70388be034b2e046e34d636245d5eeb8140db24a6b4c2268cd2073270 \ + --hash=sha256:f09a3a108223e319168b7557810596631a8cb864657b0c16ed7a6017f0be9433 \ + --hash=sha256:f85e6a7d42ad60024fa1347b1d4ef82c4df517a4deb7f829d301f1a92ded038c \ + --hash=sha256:f9aaf2a91302e1490c068d2f3af7df4137ac2b36600f5bd26e53d9ec320412d3 \ + --hash=sha256:f9f85d9cf88e3ba2b2b6da3c2310d1cf75bdf04a5bc1a2e972603054f82c4dd5 \ + --hash=sha256:fe9ff1139b2b1f59a5a0b538bbd950f8660a39624bbe10cf3640d17574f973bb # via # -r requirements.in # aioquic @@ -1196,9 +1247,9 @@ pynacl==1.5.0 \ --hash=sha256:a422368fc821589c228f4c49438a368831cb5bbc0eab5ebe1d7fac9dded6567b \ --hash=sha256:e46dae94e34b085175f8abb3b0aaa7da40767865ac82c928eeb9e57e1ea8a543 # via pygithub -pyopenssl==25.1.0 \ - --hash=sha256:2b11f239acc47ac2e5aca04fd7fa829800aeee22a2eb30d744572a157bd8a1ab \ - --hash=sha256:8d031884482e0c67ee92bf9a4d8cceb08d92aba7136432ffb0703c5280fc205b +pyopenssl==25.3.0 \ + --hash=sha256:1fda6fc034d5e3d179d39e59c1895c9faeaf40a79de5fc4cbbfbe0d36f4a77b6 \ + --hash=sha256:c981cb0a3fd84e8602d7afc209522773b94c1c2446a3c710a75b06fe1beae329 # via # -r requirements.in # aioquic From 5b5ca20c9436bc87ce06e1cb2eaa3a2bff8a729d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Aug 2025 17:00:16 +0000 Subject: [PATCH 440/505] build(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.3 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.7.1 to 4.7.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/da24556b548a50705dd671f47852072ea4c105d9...595b5aeba73380359d98a5e087f648dbb0edce1b) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.7.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/_precheck_deps.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_precheck_deps.yml b/.github/workflows/_precheck_deps.yml index a816809832bd6..b5909cf8ffb5b 100644 --- a/.github/workflows/_precheck_deps.yml +++ b/.github/workflows/_precheck_deps.yml @@ -66,4 +66,4 @@ jobs: ref: ${{ fromJSON(inputs.request).request.sha }} persist-credentials: false - name: Dependency Review - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 + uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3 From 561033d1e3ac71251743ea65d8831006f304271c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Aug 2025 06:45:27 +0000 Subject: [PATCH 441/505] build(deps): bump actions/cache from 4.2.3 to 4.2.4 Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/5a3ec84eff668545956fd18022155c47e93e2684...0400d5f644dc74513175e3cd8d07132dd4860809) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/_request.yml | 4 ++-- .github/workflows/_run.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_request.yml b/.github/workflows/_request.yml index 7986eb177f8c8..42e4ef37ce4e6 100644 --- a/.github/workflows/_request.yml +++ b/.github/workflows/_request.yml @@ -151,14 +151,14 @@ jobs: # TODO(phlax): shift this to ci/request action above - name: Check Docker cache (x64) id: cache-exists-docker-x64 - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: lookup-only: true path: /tmp/cache key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }} - name: Check Docker cache (arm64) id: cache-exists-docker-arm64 - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: lookup-only: true path: /tmp/cache diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml index a021bef079b5c..4689040bfd447 100644 --- a/.github/workflows/_run.yml +++ b/.github/workflows/_run.yml @@ -276,7 +276,7 @@ jobs: # HACK/WORKAROUND for cache scope issue (https://github.com/envoyproxy/envoy/issues/37603) - if: ${{ inputs.cache-build-image }} id: cache-lookup - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: lookup-only: true path: /tmp/cache From f0328372c798ad1b16b5bee544359368f303a3e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 06:06:22 +0000 Subject: [PATCH 442/505] build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...634f93cb2916e3fdff6788551b99b062d0335ce0) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/mobile-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mobile-release.yml b/.github/workflows/mobile-release.yml index 7cf7ffa50dd36..6e110df3ea544 100644 --- a/.github/workflows/mobile-release.yml +++ b/.github/workflows/mobile-release.yml @@ -91,7 +91,7 @@ jobs: fetch-depth: 0 - name: Add safe directory run: git config --global --add safe.directory /__w/envoy/envoy - - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: ${{ matrix.output }}_android_aar_sources path: . From fc5103241e16e4fd4a7f96cf33bb4ee9d995c8ce Mon Sep 17 00:00:00 2001 From: yanjunxiang-google <78807980+yanjunxiang-google@users.noreply.github.com> Date: Fri, 19 Sep 2025 13:06:40 -0400 Subject: [PATCH 443/505] Remove c-ares library dependency from test/integration (#41033) It's one of the last step to address: https://github.com/envoyproxy/envoy/issues/39900. --------- Signed-off-by: Yanjun Xiang --- test/integration/BUILD | 1 - test/server/config_validation/BUILD | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/BUILD b/test/integration/BUILD index a59e9515b7a19..86e56f222bc9f 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -1297,7 +1297,6 @@ envoy_cc_test_library( "//source/extensions/load_balancing_policies/maglev:config", "//source/extensions/load_balancing_policies/random:config", "//source/extensions/load_balancing_policies/round_robin:config", - "//source/extensions/network/dns_resolver/cares:config", ], ) diff --git a/test/server/config_validation/BUILD b/test/server/config_validation/BUILD index 91705b2691ce1..d6fd1c8f27a13 100644 --- a/test/server/config_validation/BUILD +++ b/test/server/config_validation/BUILD @@ -59,6 +59,7 @@ envoy_cc_test( "//source/extensions/filters/listener/original_dst:config", "//source/extensions/filters/network/http_connection_manager:config", "//source/extensions/listener_managers/validation_listener_manager:validation_listener_manager_lib", + "//source/extensions/network/dns_resolver/cares:config", "//source/extensions/transport_sockets/tls:config", "//source/server/admin:admin_filter_lib", "//source/server/config_validation:server_lib", From c111d5e358e208a23403f28e55a4492f4dfe8edb Mon Sep 17 00:00:00 2001 From: danzh Date: Fri, 19 Sep 2025 13:07:41 -0400 Subject: [PATCH 444/505] =?UTF-8?q?Revert=20"response=20decoder:=20add=20n?= =?UTF-8?q?ew=20interfaces=20for=20life=20time=20tracking=20o=E2=80=A6=20(?= =?UTF-8?q?#41141)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …f response decoder (#41048)" This reverts commit 566b192a3c6aff2523ad695f2971c192676137f4. It's causing crash at ResponseDecoderWrapper Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- changelogs/current.yaml | 5 - envoy/http/codec.h | 24 ---- envoy/router/BUILD | 1 - envoy/router/router.h | 3 +- source/common/http/BUILD | 13 +-- source/common/http/codec_wrappers.h | 68 ++--------- source/common/http/http1/conn_pool.cc | 4 +- source/common/http/http1/conn_pool.h | 4 +- .../common/http/response_decoder_impl_base.h | 40 ------- .../common/quic/envoy_quic_client_stream.cc | 67 ++--------- source/common/quic/envoy_quic_client_stream.h | 9 +- source/common/runtime/runtime_features.cc | 4 +- source/common/tcp_proxy/BUILD | 1 - source/common/tcp_proxy/upstream.h | 6 +- .../downstream_socket_interface/BUILD | 1 - .../rc_connection_wrapper.h | 3 +- source/extensions/filters/udp/udp_proxy/BUILD | 1 - .../filters/udp/udp_proxy/udp_proxy_filter.h | 3 +- source/extensions/health_checkers/grpc/BUILD | 1 - .../grpc/health_checker_impl.h | 3 +- source/extensions/health_checkers/http/BUILD | 1 - .../http/health_checker_impl.h | 3 +- test/common/http/BUILD | 1 - test/common/http/codec_wrappers_test.cc | 46 ++------ test/common/quic/BUILD | 1 - .../quic/envoy_quic_client_stream_test.cc | 110 ------------------ test/integration/integration_stream_decoder.h | 4 +- test/integration/utility.h | 3 +- test/mocks/http/BUILD | 1 - test/mocks/http/stream_decoder.h | 4 +- tools/spelling/spelling_dictionary.txt | 2 - 31 files changed, 42 insertions(+), 395 deletions(-) delete mode 100644 source/common/http/response_decoder_impl_base.h diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 1af734193d2cc..ba8eb47d72b9c 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -1,11 +1,6 @@ date: Pending behavior_changes: -- area: response_decoder - change: | - Updated EnvoyQuicClientStream and ResponseDecoderWrapper to use a handle to access the response decoder - to prevent use-after-free errors by ensuring the decoder instance is still live before calling its methods. - This change is guarded by the runtime flag ``envoy.reloadable_features.use_response_decoder_handle``. - area: http change: | A route refresh will now result in a tracing refresh. The trace sampling decision and decoration diff --git a/envoy/http/codec.h b/envoy/http/codec.h index bc7c45cacf0c3..3c23ea86b2636 100644 --- a/envoy/http/codec.h +++ b/envoy/http/codec.h @@ -198,23 +198,6 @@ class ResponseEncoder : public virtual StreamEncoder { StreamInfo::StreamInfo& stream_info) PURE; }; -class ResponseDecoder; - -/** - * A handle to a ResponseDecoder. This handle can be used to check if the underlying decoder is - * still valid and to get a reference to it. - */ -class ResponseDecoderHandle { -public: - virtual ~ResponseDecoderHandle() = default; - - /** - * @return a reference to the underlying decoder if it is still valid. - */ - virtual OptRef get() PURE; -}; -using ResponseDecoderHandlePtr = std::unique_ptr; - /** * Decodes an HTTP stream. These are callbacks fired into a sink. This interface contains methods * common to both the request and response path. @@ -321,16 +304,9 @@ class ResponseDecoder : public virtual StreamDecoder { * @param os the ostream to dump state to * @param indent_level the depth, for pretty-printing. * - * This function is called on Envoy fatal errors so should avoid memory allocation. */ virtual void dumpState(std::ostream& os, int indent_level = 0) const PURE; - - /** - * @return A handle to the response decoder. Caller can check the response decoder's liveness via - * the handle. - */ - virtual ResponseDecoderHandlePtr createResponseDecoderHandle() PURE; }; /** diff --git a/envoy/router/BUILD b/envoy/router/BUILD index 47dc4cbebcbb4..33af45f78fe55 100644 --- a/envoy/router/BUILD +++ b/envoy/router/BUILD @@ -95,7 +95,6 @@ envoy_cc_library( "//envoy/tracing:tracer_interface", "//envoy/upstream:resource_manager_interface", "//envoy/upstream:retry_interface", - "//source/common/http:response_decoder_impl_base", "//source/common/protobuf", "//source/common/protobuf:utility_lib", "@com_google_absl//absl/types:optional", diff --git a/envoy/router/router.h b/envoy/router/router.h index ef26a58dec6ca..d37a0bd61968d 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -27,7 +27,6 @@ #include "envoy/upstream/resource_manager.h" #include "envoy/upstream/retry.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" @@ -1491,7 +1490,7 @@ class GenericConnPool { * An API for the interactions the upstream stream needs to have with the downstream stream * and/or router components */ -class UpstreamToDownstream : public Http::ResponseDecoderImplBase, public Http::StreamCallbacks { +class UpstreamToDownstream : public Http::ResponseDecoder, public Http::StreamCallbacks { public: /** * @return return the route for the downstream stream. diff --git a/source/common/http/BUILD b/source/common/http/BUILD index e2385f30ccb58..7e1002a8080d4 100644 --- a/source/common/http/BUILD +++ b/source/common/http/BUILD @@ -132,18 +132,7 @@ envoy_cc_library( envoy_cc_library( name = "codec_wrappers_lib", hdrs = ["codec_wrappers.h"], - deps = [ - ":response_decoder_impl_base", - "//envoy/http:codec_interface", - ], -) - -envoy_cc_library( - name = "response_decoder_impl_base", - hdrs = ["response_decoder_impl_base.h"], - deps = [ - "//envoy/http:codec_interface", - ], + deps = ["//envoy/http:codec_interface"], ) envoy_cc_library( diff --git a/source/common/http/codec_wrappers.h b/source/common/http/codec_wrappers.h index 1494df392b06e..7b98413e1a5a1 100644 --- a/source/common/http/codec_wrappers.h +++ b/source/common/http/codec_wrappers.h @@ -2,35 +2,24 @@ #include "envoy/http/codec.h" -#include "source/common/http/response_decoder_impl_base.h" -#include "source/common/runtime/runtime_features.h" - namespace Envoy { namespace Http { /** * Wrapper for ResponseDecoder that just forwards to an "inner" decoder. */ -class ResponseDecoderWrapper : public ResponseDecoderImplBase { +class ResponseDecoderWrapper : public ResponseDecoder { public: // ResponseDecoder void decode1xxHeaders(ResponseHeaderMapPtr&& headers) override { - if (Http::ResponseDecoder* inner = getInnerDecoder()) { - inner->decode1xxHeaders(std::move(headers)); - } else { - onInnerDecoderDead(); - } + inner_.decode1xxHeaders(std::move(headers)); } void decodeHeaders(ResponseHeaderMapPtr&& headers, bool end_stream) override { if (end_stream) { onPreDecodeComplete(); } - if (Http::ResponseDecoder* inner = getInnerDecoder()) { - inner->decodeHeaders(std::move(headers), end_stream); - } else { - onInnerDecoderDead(); - } + inner_.decodeHeaders(std::move(headers), end_stream); if (end_stream) { onDecodeComplete(); } @@ -40,11 +29,7 @@ class ResponseDecoderWrapper : public ResponseDecoderImplBase { if (end_stream) { onPreDecodeComplete(); } - if (Http::ResponseDecoder* inner = getInnerDecoder()) { - inner->decodeData(data, end_stream); - } else { - onInnerDecoderDead(); - } + inner_.decodeData(data, end_stream); if (end_stream) { onDecodeComplete(); } @@ -52,33 +37,20 @@ class ResponseDecoderWrapper : public ResponseDecoderImplBase { void decodeTrailers(ResponseTrailerMapPtr&& trailers) override { onPreDecodeComplete(); - if (Http::ResponseDecoder* inner = getInnerDecoder()) { - inner->decodeTrailers(std::move(trailers)); - } else { - onInnerDecoderDead(); - } + inner_.decodeTrailers(std::move(trailers)); onDecodeComplete(); } void decodeMetadata(MetadataMapPtr&& metadata_map) override { - if (Http::ResponseDecoder* inner = getInnerDecoder()) { - inner->decodeMetadata(std::move(metadata_map)); - } else { - onInnerDecoderDead(); - } + inner_.decodeMetadata(std::move(metadata_map)); } void dumpState(std::ostream& os, int indent_level) const override { - if (Http::ResponseDecoder* inner = getInnerDecoder()) { - inner->dumpState(os, indent_level); - } else { - onInnerDecoderDead(); - } + inner_.dumpState(os, indent_level); } protected: - ResponseDecoderWrapper(ResponseDecoder& inner) - : inner_handle_(inner.createResponseDecoderHandle()), inner_(&inner) {} + ResponseDecoderWrapper(ResponseDecoder& inner) : inner_(inner) {} /** * Consumers of the wrapper generally want to know when a decode is complete. This is called @@ -87,29 +59,7 @@ class ResponseDecoderWrapper : public ResponseDecoderImplBase { virtual void onPreDecodeComplete() PURE; virtual void onDecodeComplete() PURE; - ResponseDecoderHandlePtr inner_handle_; - Http::ResponseDecoder* inner_ = nullptr; - -private: - Http::ResponseDecoder* getInnerDecoder() const { - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.use_response_decoder_handle")) { - return inner_; - } - if (inner_handle_) { - if (OptRef inner = inner_handle_->get(); inner.has_value()) { - return &inner.value().get(); - } - } - return nullptr; - } - - void onInnerDecoderDead() const { - const std::string error_msg = "Wrapped decoder use after free detected."; - IS_ENVOY_BUG(error_msg); - RELEASE_ASSERT(!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.abort_when_accessing_dead_decoder"), - error_msg); - } + ResponseDecoder& inner_; }; /** diff --git a/source/common/http/http1/conn_pool.cc b/source/common/http/http1/conn_pool.cc index 5877a035f041d..99aea9e453b2d 100644 --- a/source/common/http/http1/conn_pool.cc +++ b/source/common/http/http1/conn_pool.cc @@ -25,8 +25,8 @@ namespace Http { namespace Http1 { ActiveClient::StreamWrapper::StreamWrapper(ResponseDecoder& response_decoder, ActiveClient& parent) - : ResponseDecoderWrapper(response_decoder), - RequestEncoderWrapper(&parent.codec_client_->newStream(*this)), parent_(parent) { + : RequestEncoderWrapper(&parent.codec_client_->newStream(*this)), + ResponseDecoderWrapper(response_decoder), parent_(parent) { RequestEncoderWrapper::inner_encoder_->getStream().addCallbacks(*this); } diff --git a/source/common/http/http1/conn_pool.h b/source/common/http/http1/conn_pool.h index b8b1fa803dfca..7bdeb288e6aa4 100644 --- a/source/common/http/http1/conn_pool.h +++ b/source/common/http/http1/conn_pool.h @@ -36,8 +36,8 @@ class ActiveClient : public Envoy::Http::ActiveClient { Envoy::Http::ActiveClient::releaseResources(); } - struct StreamWrapper : public ResponseDecoderWrapper, - public RequestEncoderWrapper, + struct StreamWrapper : public RequestEncoderWrapper, + public ResponseDecoderWrapper, public StreamCallbacks, public Event::DeferredDeletable, protected Logger::Loggable { diff --git a/source/common/http/response_decoder_impl_base.h b/source/common/http/response_decoder_impl_base.h deleted file mode 100644 index 694c2b7a6af24..0000000000000 --- a/source/common/http/response_decoder_impl_base.h +++ /dev/null @@ -1,40 +0,0 @@ -#pragma once - -#include - -#include "envoy/http/codec.h" - -namespace Envoy { -namespace Http { - -class ResponseDecoderHandleImpl : public ResponseDecoderHandle { -public: - ResponseDecoderHandleImpl(std::weak_ptr live_trackable, ResponseDecoder& decoder) - : live_trackable_(live_trackable), decoder_(decoder) {} - - OptRef get() override { - if (live_trackable_.lock()) { - return decoder_; - } - return {}; - } - -private: - std::weak_ptr live_trackable_; - ResponseDecoder& decoder_; -}; - -class ResponseDecoderImplBase : public ResponseDecoder { -public: - ResponseDecoderImplBase() : live_trackable_(std::make_shared(true)) {} - - ResponseDecoderHandlePtr createResponseDecoderHandle() override { - return std::make_unique(live_trackable_, *this); - } - -private: - std::shared_ptr live_trackable_; -}; - -} // namespace Http -} // namespace Envoy diff --git a/source/common/quic/envoy_quic_client_stream.cc b/source/common/quic/envoy_quic_client_stream.cc index f6506a7fb33e1..53773d3e33107 100644 --- a/source/common/quic/envoy_quic_client_stream.cc +++ b/source/common/quic/envoy_quic_client_stream.cc @@ -36,11 +36,6 @@ EnvoyQuicClientStream::EnvoyQuicClientStream( RegisterMetadataVisitor(this); } -void EnvoyQuicClientStream::setResponseDecoder(Http::ResponseDecoder& decoder) { - response_decoder_handle_ = decoder.createResponseDecoderHandle(); - response_decoder_ = &decoder; -} - Http::Status EnvoyQuicClientStream::encodeHeaders(const Http::RequestHeaderMap& headers, bool end_stream) { ENVOY_STREAM_LOG(debug, "encodeHeaders: (end_stream={}) {}.", *this, end_stream, headers); @@ -212,11 +207,7 @@ void EnvoyQuicClientStream::OnInitialHeadersComplete(bool fin, size_t frame_len, if (!optional_status.has_value()) { // In case the status is invalid or missing, the response_decoder_.decodeHeaders() will fail the // request - if (Http::ResponseDecoder* decoder = getResponseDecoder()) { - decoder->decodeHeaders(std::move(headers), fin); - } else { - onResponseDecoderDead(); - } + response_decoder_->decodeHeaders(std::move(headers), fin); ConsumeHeaderList(); return; } @@ -233,18 +224,10 @@ void EnvoyQuicClientStream::OnInitialHeadersComplete(bool fin, size_t frame_len, if (is_special_1xx && !decoded_1xx_) { // This is 100 Continue, only decode it once to support Expect:100-Continue header. decoded_1xx_ = true; - if (Http::ResponseDecoder* decoder = getResponseDecoder()) { - decoder->decode1xxHeaders(std::move(headers)); - } else { - onResponseDecoderDead(); - } + response_decoder_->decode1xxHeaders(std::move(headers)); } else if (!is_special_1xx) { - if (Http::ResponseDecoder* decoder = getResponseDecoder()) { - decoder->decodeHeaders(std::move(headers), - /*end_stream=*/fin); - } else { - onResponseDecoderDead(); - } + response_decoder_->decodeHeaders(std::move(headers), + /*end_stream=*/fin); if (status == enumToInt(Http::Code::NotModified)) { got_304_response_ = true; } @@ -318,11 +301,7 @@ void EnvoyQuicClientStream::OnBodyAvailable() { // A stream error has occurred, stop processing. return; } - if (Http::ResponseDecoder* decoder = getResponseDecoder()) { - decoder->decodeData(*buffer, fin_read_and_no_trailers); - } else { - onResponseDecoderDead(); - } + response_decoder_->decodeData(*buffer, fin_read_and_no_trailers); } if (!sequencer()->IsClosed() || read_side_closed()) { @@ -369,11 +348,7 @@ void EnvoyQuicClientStream::maybeDecodeTrailers() { onStreamError(close_connection_upon_invalid_header_, transform_rst); return; } - if (Http::ResponseDecoder* decoder = getResponseDecoder()) { - decoder->decodeTrailers(std::move(trailers)); - } else { - onResponseDecoderDead(); - } + response_decoder_->decodeTrailers(std::move(trailers)); MarkTrailersConsumed(); } } @@ -457,15 +432,10 @@ void EnvoyQuicClientStream::OnMetadataComplete(size_t /*frame_len*/, const quic::QuicHeaderList& header_list) { if (mustRejectMetadata(header_list.uncompressed_header_bytes())) { onStreamError(true, quic::QUIC_HEADERS_TOO_LARGE); - return; } if (!header_list.empty()) { - if (Http::ResponseDecoder* decoder = getResponseDecoder()) { - decoder->decodeMetadata(metadataMapFromHeaderList(header_list)); - } else { - onResponseDecoderDead(); - } + response_decoder_->decodeMetadata(metadataMapFromHeaderList(header_list)); } } @@ -496,7 +466,7 @@ bool EnvoyQuicClientStream::hasPendingData() { return BufferedDataBytes() > 0; } // connect-udp". void EnvoyQuicClientStream::useCapsuleProtocol() { http_datagram_handler_ = std::make_unique(*this); - http_datagram_handler_->setStreamDecoder(getResponseDecoder()); + http_datagram_handler_->setStreamDecoder(response_decoder_); RegisterHttp3DatagramVisitor(http_datagram_handler_.get()); } #endif @@ -505,26 +475,5 @@ void EnvoyQuicClientStream::OnInvalidHeaders() { onStreamError(absl::nullopt, quic::QUIC_BAD_APPLICATION_PAYLOAD); } -void EnvoyQuicClientStream::onResponseDecoderDead() const { - const std::string error_msg = "response_decoder_ use after free detected."; - IS_ENVOY_BUG(error_msg); - RELEASE_ASSERT(!Runtime::runtimeFeatureEnabled( - "envoy.reloadable_features.abort_when_accessing_dead_decoder"), - error_msg); -} - -Http::ResponseDecoder* EnvoyQuicClientStream::getResponseDecoder() { - if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.use_response_decoder_handle")) { - return response_decoder_; - } - if (response_decoder_handle_) { - if (OptRef decoder = response_decoder_handle_->get(); - decoder.has_value()) { - return &decoder.value().get(); - } - } - return nullptr; -} - } // namespace Quic } // namespace Envoy diff --git a/source/common/quic/envoy_quic_client_stream.h b/source/common/quic/envoy_quic_client_stream.h index 5352f2b92bea5..67214eb9741f2 100644 --- a/source/common/quic/envoy_quic_client_stream.h +++ b/source/common/quic/envoy_quic_client_stream.h @@ -3,7 +3,6 @@ #include "envoy/buffer/buffer.h" #include "source/common/quic/envoy_quic_stream.h" -#include "source/common/runtime/runtime_features.h" #ifdef ENVOY_ENABLE_HTTP_DATAGRAMS #include "source/common/quic/http_datagram_handler.h" @@ -26,7 +25,7 @@ class EnvoyQuicClientStream : public quic::QuicSpdyClientStream, quic::StreamType type, Http::Http3::CodecStats& stats, const envoy::config::core::v3::Http3ProtocolOptions& http3_options); - void setResponseDecoder(Http::ResponseDecoder& decoder); + void setResponseDecoder(Http::ResponseDecoder& decoder) { response_decoder_ = &decoder; } // Http::StreamEncoder Http::Http1StreamEncoderOptionsOptRef http1StreamEncoderOptions() override { @@ -93,12 +92,6 @@ class EnvoyQuicClientStream : public quic::QuicSpdyClientStream, void useCapsuleProtocol(); #endif - // Returns nullptr if the response decoder has already been destructed. - Http::ResponseDecoder* getResponseDecoder(); - - void onResponseDecoderDead() const; - - Http::ResponseDecoderHandlePtr response_decoder_handle_; Http::ResponseDecoder* response_decoder_{nullptr}; bool decoded_1xx_{false}; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index f6285de260684..19d559393d3b5 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -81,7 +81,6 @@ RUNTIME_GUARD(envoy_reloadable_features_trace_refresh_after_route_refresh); RUNTIME_GUARD(envoy_reloadable_features_udp_set_do_not_fragment); RUNTIME_GUARD(envoy_reloadable_features_uhv_allow_malformed_url_encoding); RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); -RUNTIME_GUARD(envoy_reloadable_features_use_response_decoder_handle); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_websocket_allow_4xx_5xx_through_filter_chain); @@ -174,8 +173,7 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_no_ai_flags); FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_new_dns_implementation); // Force a local reply from upstream envoy for reverse connections. FALSE_RUNTIME_GUARD(envoy_reloadable_features_reverse_conn_force_local_reply); -// RELEASE_ASSERT when upstream stream detects UAF of downstream response decoder instance. -FALSE_RUNTIME_GUARD(envoy_reloadable_features_abort_when_accessing_dead_decoder); + // Block of non-boolean flags. Use of int flags is deprecated. Do not add more. ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT ABSL_FLAG(uint64_t, re2_max_program_size_warn_level, // NOLINT diff --git a/source/common/tcp_proxy/BUILD b/source/common/tcp_proxy/BUILD index 914382ab15f81..c6b30b08d03d1 100644 --- a/source/common/tcp_proxy/BUILD +++ b/source/common/tcp_proxy/BUILD @@ -29,7 +29,6 @@ envoy_cc_library( "//source/common/http:hash_policy_lib", "//source/common/http:header_map_lib", "//source/common/http:headers_lib", - "//source/common/http:response_decoder_impl_base", "//source/common/http:utility_lib", "//source/common/network:utility_lib", "//source/common/router:header_parser_lib", diff --git a/source/common/tcp_proxy/upstream.h b/source/common/tcp_proxy/upstream.h index 86a770a8517bd..661797dc65de0 100644 --- a/source/common/tcp_proxy/upstream.h +++ b/source/common/tcp_proxy/upstream.h @@ -17,7 +17,6 @@ #include "source/common/http/codec_client.h" #include "source/common/http/hash_policy.h" #include "source/common/http/null_route_impl.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/network/utility.h" #include "source/common/router/config_impl.h" #include "source/common/router/header_parser.h" @@ -231,7 +230,8 @@ class HttpUpstream : public GenericUpstream, protected Http::StreamCallbacks { std::unique_ptr downstream_headers_; private: - class DecoderShim : public Http::ResponseDecoderImplBase { + Upstream::ClusterInfoConstSharedPtr cluster_; + class DecoderShim : public Http::ResponseDecoder { public: DecoderShim(HttpUpstream& parent) : parent_(parent) {} void decode1xxHeaders(Http::ResponseHeaderMapPtr&&) override {} @@ -351,7 +351,7 @@ class CombinedUpstream : public GenericUpstream, public Envoy::Router::RouterFil private: Http::StreamDecoderFilterCallbacks& decoder_filter_callbacks_; - class DecoderShim : public Http::ResponseDecoderImplBase { + class DecoderShim : public Http::ResponseDecoder { public: DecoderShim(CombinedUpstream& parent) : parent_(parent) {} // Http::ResponseDecoder diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index 62257e221fcc2..cef2da998723f 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -77,7 +77,6 @@ envoy_cc_library( "//source/common/common:logger_lib", "//source/common/grpc:typed_async_client_lib", "//source/common/http:codec_client_lib", - "//source/common/http:response_decoder_impl_base", "//source/common/http/http1:codec_lib", "//source/common/http/http1:codec_stats_lib", "//source/common/network:address_lib", diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h index 23dbacb1db6c0..68828336a43d7 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h @@ -12,7 +12,6 @@ #include "source/common/common/logger.h" #include "source/common/http/http1/codec_impl.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/network/filter_impl.h" namespace Envoy { @@ -50,7 +49,7 @@ class SimpleConnReadFilter : public Network::ReadFilterBaseImpl, class RCConnectionWrapper : public Network::ConnectionCallbacks, public Event::DeferredDeletable, public Logger::Loggable, - public Http::ResponseDecoderImplBase, + public Http::ResponseDecoder, public Http::ConnectionCallbacks { friend class SimpleConnReadFilterTest; diff --git a/source/extensions/filters/udp/udp_proxy/BUILD b/source/extensions/filters/udp/udp_proxy/BUILD index 9e60d1f00f3f0..a9e79751a3afc 100644 --- a/source/extensions/filters/udp/udp_proxy/BUILD +++ b/source/extensions/filters/udp/udp_proxy/BUILD @@ -42,7 +42,6 @@ envoy_cc_library( "//source/common/common:empty_string", "//source/common/common:linked_object", "//source/common/common:random_generator_lib", - "//source/common/http:response_decoder_impl_base", "//source/common/network:socket_lib", "//source/common/network:socket_option_factory_lib", "//source/common/network:utility_lib", diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h index c1c921375f269..f2b6f64606fa9 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.h @@ -21,7 +21,6 @@ #include "source/common/http/codes.h" #include "source/common/http/header_map_impl.h" #include "source/common/http/headers.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/http/utility.h" #include "source/common/network/socket_impl.h" #include "source/common/network/socket_interface.h" @@ -312,7 +311,7 @@ class HttpUpstreamImpl : public HttpUpstream, protected Http::StreamCallbacks { } private: - class ResponseDecoder : public Http::ResponseDecoderImplBase { + class ResponseDecoder : public Http::ResponseDecoder { public: ResponseDecoder(HttpUpstreamImpl& parent) : parent_(parent) {} diff --git a/source/extensions/health_checkers/grpc/BUILD b/source/extensions/health_checkers/grpc/BUILD index b3688169d1f2d..c06822d4e75c9 100644 --- a/source/extensions/health_checkers/grpc/BUILD +++ b/source/extensions/health_checkers/grpc/BUILD @@ -20,7 +20,6 @@ envoy_cc_extension( deps = [ "//source/common/grpc:codec_lib", "//source/common/http:codec_client_lib", - "//source/common/http:response_decoder_impl_base", "//source/common/upstream:health_checker_lib", "//source/common/upstream:host_utility_lib", "//source/extensions/health_checkers/common:health_checker_base_lib", diff --git a/source/extensions/health_checkers/grpc/health_checker_impl.h b/source/extensions/health_checkers/grpc/health_checker_impl.h index a3e54bb454792..326035eac59b1 100644 --- a/source/extensions/health_checkers/grpc/health_checker_impl.h +++ b/source/extensions/health_checkers/grpc/health_checker_impl.h @@ -17,7 +17,6 @@ #include "source/common/common/logger.h" #include "source/common/grpc/codec.h" #include "source/common/http/codec_client.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/router/header_parser.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/common/upstream/health_checker_impl.h" @@ -53,7 +52,7 @@ class GrpcHealthCheckerImpl : public HealthCheckerImplBase { private: struct GrpcActiveHealthCheckSession : public ActiveHealthCheckSession, - public Http::ResponseDecoderImplBase, + public Http::ResponseDecoder, public Http::StreamCallbacks { GrpcActiveHealthCheckSession(GrpcHealthCheckerImpl& parent, const HostSharedPtr& host); ~GrpcActiveHealthCheckSession() override; diff --git a/source/extensions/health_checkers/http/BUILD b/source/extensions/health_checkers/http/BUILD index b759a789d7568..6ad5ed7773564 100644 --- a/source/extensions/health_checkers/http/BUILD +++ b/source/extensions/health_checkers/http/BUILD @@ -18,7 +18,6 @@ envoy_cc_extension( ], deps = [ "//source/common/http:codec_client_lib", - "//source/common/http:response_decoder_impl_base", "//source/common/upstream:health_checker_lib", "//source/common/upstream:host_utility_lib", "//source/extensions/health_checkers/common:health_checker_base_lib", diff --git a/source/extensions/health_checkers/http/health_checker_impl.h b/source/extensions/health_checkers/http/health_checker_impl.h index 68fd6214f9166..81fae53f73330 100644 --- a/source/extensions/health_checkers/http/health_checker_impl.h +++ b/source/extensions/health_checkers/http/health_checker_impl.h @@ -17,7 +17,6 @@ #include "source/common/common/logger.h" #include "source/common/grpc/codec.h" #include "source/common/http/codec_client.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/router/header_parser.h" #include "source/common/stream_info/stream_info_impl.h" #include "source/common/upstream/health_checker_impl.h" @@ -78,7 +77,7 @@ class HttpHealthCheckerImpl : public HealthCheckerImplBase { private: struct HttpActiveHealthCheckSession : public ActiveHealthCheckSession, - public Http::ResponseDecoderImplBase, + public Http::ResponseDecoder, public Http::StreamCallbacks { HttpActiveHealthCheckSession(HttpHealthCheckerImpl& parent, const HostSharedPtr& host); ~HttpActiveHealthCheckSession() override; diff --git a/test/common/http/BUILD b/test/common/http/BUILD index 97f77b1eb390e..3c522bcda3803 100644 --- a/test/common/http/BUILD +++ b/test/common/http/BUILD @@ -162,7 +162,6 @@ envoy_cc_test( deps = [ "//source/common/http:codec_wrappers_lib", "//test/mocks/http:http_mocks", - "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", ], ) diff --git a/test/common/http/codec_wrappers_test.cc b/test/common/http/codec_wrappers_test.cc index e5ffb0acdd615..35bf742a03f02 100644 --- a/test/common/http/codec_wrappers_test.cc +++ b/test/common/http/codec_wrappers_test.cc @@ -1,7 +1,6 @@ #include "source/common/http/codec_wrappers.h" #include "test/mocks/http/mocks.h" -#include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" using testing::_; @@ -11,54 +10,23 @@ namespace Http { class MockResponseDecoderWrapper : public ResponseDecoderWrapper { public: - explicit MockResponseDecoderWrapper(MockResponseDecoder& inner_decoder) - : ResponseDecoderWrapper(inner_decoder) {} + MockResponseDecoderWrapper() : ResponseDecoderWrapper(inner_decoder_) {} + MockResponseDecoder& innerEncoder() { return inner_decoder_; } void onDecodeComplete() override {} void onPreDecodeComplete() override {} + +private: + MockResponseDecoder inner_decoder_; }; TEST(MockResponseDecoderWrapper, dumpState) { - MockResponseDecoder inner_decoder; - MockResponseDecoderWrapper wrapper(inner_decoder); + MockResponseDecoderWrapper wrapper; std::stringstream os; - EXPECT_CALL(inner_decoder, dumpState(_, _)); + EXPECT_CALL(wrapper.innerEncoder(), dumpState(_, _)); wrapper.dumpState(os, 0); } -TEST(MockResponseDecoderWrapper, decoderDestroyedBeforeDecoding) { - TestScopedRuntime runtime; - runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); - auto inner_decoder = std::make_unique(); - MockResponseDecoderWrapper wrapper(*inner_decoder); - - inner_decoder.reset(); - - EXPECT_ENVOY_BUG( - wrapper.decodeHeaders(ResponseHeaderMapPtr{new TestResponseHeaderMapImpl{{":status", "200"}}}, - true), - "Wrapped decoder use after free detected"); - - EXPECT_ENVOY_BUG(wrapper.decode1xxHeaders( - ResponseHeaderMapPtr{new TestResponseHeaderMapImpl{{":status", "100"}}}), - "Wrapped decoder use after free detected"); - - Buffer::OwnedImpl data("foo"); - EXPECT_ENVOY_BUG(wrapper.decodeData(data, true), "Wrapped decoder use after free detected"); - - EXPECT_ENVOY_BUG(wrapper.decodeTrailers( - ResponseTrailerMapPtr{new TestResponseTrailerMapImpl{{"key", "value"}}}), - "Wrapped decoder use after free detected"); - - MetadataMapPtr metadata = std::make_unique(); - (*metadata)["key1"] = "value1"; - EXPECT_ENVOY_BUG(wrapper.decodeMetadata(std::move(metadata)), - "Wrapped decoder use after free detected"); - - std::stringstream os; - EXPECT_ENVOY_BUG(wrapper.dumpState(os, 0), "Wrapped decoder use after free detected"); -} - class MockRequestEncoderWrapper : public RequestEncoderWrapper { public: MockRequestEncoderWrapper() : RequestEncoderWrapper(&inner_encoder_) {} diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index 5a2202a9921a8..bc61e050ff7d6 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -152,7 +152,6 @@ envoy_cc_test( "//test/mocks/http:http_mocks", "//test/mocks/http:stream_decoder_mock", "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", "@com_github_google_quiche//:quic_test_tools_qpack_qpack_test_utils_lib", diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index 4522e5d788ff0..473dd22af5e05 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc @@ -8,7 +8,6 @@ #include "test/mocks/http/mocks.h" #include "test/mocks/http/stream_decoder.h" #include "test/mocks/network/mocks.h" -#include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" #include "gmock/gmock.h" @@ -742,115 +741,6 @@ TEST_F(EnvoyQuicClientStreamTest, EncodeTrailersOnClosedStream) { EXPECT_EQ(0u, quic_session_.bytesToSend()); } -TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecoding1xxHeader) { - TestScopedRuntime runtime; - runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); - auto stream_decoder = std::make_unique(); - quic_stream_->setResponseDecoder(*stream_decoder); - - auto result = quic_stream_->encodeHeaders(request_headers_, true); - EXPECT_TRUE(result.ok()); - - // Destroy the mock decoder. - stream_decoder.reset(); - - quiche::HttpHeaderBlock continue_header; - continue_header[":status"] = "100"; - std::string headers = spdyHeaderToHttp3StreamPayload(continue_header); - quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); - EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame1), - "response_decoder_ use after free detected"); - - EXPECT_CALL(stream_callbacks_, - onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); - quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); -} - -TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecodingHeader) { - TestScopedRuntime runtime; - runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); - auto stream_decoder = std::make_unique(); - quic_stream_->setResponseDecoder(*stream_decoder); - - auto result = quic_stream_->encodeHeaders(request_headers_, true); - EXPECT_TRUE(result.ok()); - - // Destroy the mock decoder. - stream_decoder.reset(); - - std::string headers = spdyHeaderToHttp3StreamPayload(spdy_response_headers_); - quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); - EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame1), - "response_decoder_ use after free detected"); - - EXPECT_CALL(stream_callbacks_, - onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); - quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); -} - -TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecodingBody) { - TestScopedRuntime runtime; - runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); - auto stream_decoder = std::make_unique(); - quic_stream_->setResponseDecoder(*stream_decoder); - - auto result = quic_stream_->encodeHeaders(request_headers_, true); - EXPECT_TRUE(result.ok()); - - EXPECT_CALL(*stream_decoder, decodeHeaders_(_, /*end_stream=*/false)); - std::string headers = spdyHeaderToHttp3StreamPayload(spdy_response_headers_); - quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); - quic_stream_->OnStreamFrame(frame1); - - // Destroy the mock decoder. - stream_decoder.reset(); - - std::string body = bodyToHttp3StreamPayload("body"); - quic::QuicStreamFrame frame2(stream_id_, /*fin*/ false, headers.length(), body); - EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame2), - "response_decoder_ use after free detected"); - - std::string trailers = spdyHeaderToHttp3StreamPayload(spdy_trailers_); - quic::QuicStreamFrame frame3(stream_id_, true, (headers.length() + body.length()), trailers); - quic_stream_->OnStreamFrame(frame3); - - EXPECT_CALL(stream_callbacks_, - onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); - quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); -} - -TEST_F(EnvoyQuicClientStreamTest, DecoderDestroyedBeforeDecodingTrailer) { - TestScopedRuntime runtime; - runtime.mergeValues({{"envoy.reloadable_features.abort_when_accessing_dead_decoder", "false"}}); - auto stream_decoder = std::make_unique(); - quic_stream_->setResponseDecoder(*stream_decoder); - - auto result = quic_stream_->encodeHeaders(request_headers_, true); - EXPECT_TRUE(result.ok()); - - EXPECT_CALL(*stream_decoder, decodeHeaders_(_, /*end_stream=*/false)); - std::string headers = spdyHeaderToHttp3StreamPayload(spdy_response_headers_); - quic::QuicStreamFrame frame1(stream_id_, /*fin*/ false, /*offset*/ 0, headers); - quic_stream_->OnStreamFrame(frame1); - - EXPECT_CALL(*stream_decoder, decodeData(_, /*end_stream=*/false)); - std::string body = bodyToHttp3StreamPayload("body"); - quic::QuicStreamFrame frame2(stream_id_, /*fin*/ false, headers.length(), body); - quic_stream_->OnStreamFrame(frame2); - - // Destroy the mock decoder. - stream_decoder.reset(); - - std::string trailers = spdyHeaderToHttp3StreamPayload(spdy_trailers_); - quic::QuicStreamFrame frame3(stream_id_, true, (headers.length() + body.length()), trailers); - EXPECT_ENVOY_BUG(quic_stream_->OnStreamFrame(frame3), - "response_decoder_ use after free detected"); - - EXPECT_CALL(stream_callbacks_, - onResetStream(Http::StreamResetReason::LocalRefusedStreamReset, _)); - quic_stream_->resetStream(Http::StreamResetReason::LocalRefusedStreamReset); -} - #ifdef ENVOY_ENABLE_HTTP_DATAGRAMS TEST_F(EnvoyQuicClientStreamTest, EncodeCapsule) { setUpCapsuleProtocol(false, true); diff --git a/test/integration/integration_stream_decoder.h b/test/integration/integration_stream_decoder.h index ce83293aed3a0..9654ce9e824ee 100644 --- a/test/integration/integration_stream_decoder.h +++ b/test/integration/integration_stream_decoder.h @@ -10,7 +10,6 @@ #include "envoy/http/metadata_interface.h" #include "source/common/common/dump_state_utils.h" -#include "source/common/http/response_decoder_impl_base.h" #include "test/test_common/utility.h" @@ -22,8 +21,7 @@ namespace Envoy { /** * Stream decoder wrapper used during integration testing. */ -class IntegrationStreamDecoder : public Http::ResponseDecoderImplBase, - public Http::StreamCallbacks { +class IntegrationStreamDecoder : public Http::ResponseDecoder, public Http::StreamCallbacks { public: IntegrationStreamDecoder(Event::Dispatcher& dispatcher); ~IntegrationStreamDecoder() override; diff --git a/test/integration/utility.h b/test/integration/utility.h index 9db2c3d6d0bea..39c2c664a3d0a 100644 --- a/test/integration/utility.h +++ b/test/integration/utility.h @@ -17,7 +17,6 @@ #include "source/common/common/dump_state_utils.h" #include "source/common/common/utility.h" #include "source/common/http/codec_client.h" -#include "source/common/http/response_decoder_impl_base.h" #include "source/common/stats/isolated_store_impl.h" #include "test/test_common/printers.h" @@ -30,7 +29,7 @@ namespace Envoy { /** * A buffering response decoder used for testing. */ -class BufferingStreamDecoder : public Http::ResponseDecoderImplBase, public Http::StreamCallbacks { +class BufferingStreamDecoder : public Http::ResponseDecoder, public Http::StreamCallbacks { public: BufferingStreamDecoder(std::function on_complete_cb) : on_complete_cb_(on_complete_cb) {} diff --git a/test/mocks/http/BUILD b/test/mocks/http/BUILD index af75f948d3445..416d71fe5a2c3 100644 --- a/test/mocks/http/BUILD +++ b/test/mocks/http/BUILD @@ -104,7 +104,6 @@ envoy_cc_mock( hdrs = ["stream_decoder.h"], deps = [ "//envoy/http:codec_interface", - "//source/common/http:response_decoder_impl_base", ], ) diff --git a/test/mocks/http/stream_decoder.h b/test/mocks/http/stream_decoder.h index 2f265b158b82e..e1c8585a49a3c 100644 --- a/test/mocks/http/stream_decoder.h +++ b/test/mocks/http/stream_decoder.h @@ -1,8 +1,6 @@ #pragma once #include "envoy/http/codec.h" -#include "source/common/http/response_decoder_impl_base.h" - #include "gmock/gmock.h" namespace Envoy { @@ -45,7 +43,7 @@ class MockRequestDecoder : public RequestDecoder { MOCK_METHOD(RequestDecoderHandlePtr, getRequestDecoderHandle, ()); }; -class MockResponseDecoder : public ResponseDecoderImplBase { +class MockResponseDecoder : public ResponseDecoder { public: MockResponseDecoder(); ~MockResponseDecoder() override; diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index d2bd26af0b031..2fbc45cc57e1c 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -493,7 +493,6 @@ TTLs TX TXT UA -UAF UBSAN UDP UDS @@ -974,7 +973,6 @@ linkability linkable linux livelock -liveness llvm loc localhost From 7973fffa47458c96622cac0237c68dff736f9594 Mon Sep 17 00:00:00 2001 From: code Date: Sat, 20 Sep 2025 09:21:29 +0800 Subject: [PATCH 445/505] async stream options: use shared pointer for pased retry policy (#41074) This PR updated the StreamOptions. The shared pointer of RetryPolicy is used rather than a reference to avoid potential lifetime problem when the `send-and-forget` case is used for the async client. This also fixed a potential bug at the Http::AsyncStreamImpl. At there, if the parsing of proto retry policy is field, will result in core dump. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: WangBaiping --- envoy/http/async_client.h | 6 +- envoy/router/router.h | 9 ++ source/common/http/async_client_impl.cc | 27 ++-- source/common/http/async_client_impl.h | 1 - source/common/http/null_route_impl.h | 33 ++-- source/common/router/BUILD | 18 ++- source/common/router/config_impl.cc | 150 ++---------------- source/common/router/config_impl.h | 95 ++--------- source/common/router/delegating_route_impl.cc | 4 + source/common/router/delegating_route_impl.h | 1 + source/common/router/retry_policy_impl.cc | 138 ++++++++++++++++ source/common/router/retry_policy_impl.h | 92 +++++++++++ source/common/tcp_proxy/tcp_proxy.cc | 7 +- test/common/common/BUILD | 15 ++ .../common/shared_pointer_speed_test.cc | 76 +++++++++ test/common/http/async_client_impl_test.cc | 20 +-- test/common/router/retry_state_impl_test.cc | 61 ++++--- test/common/router/router_test.cc | 22 +-- test/mocks/router/mocks.cc | 6 +- test/mocks/router/mocks.h | 9 +- 20 files changed, 466 insertions(+), 324 deletions(-) create mode 100644 source/common/router/retry_policy_impl.cc create mode 100644 source/common/router/retry_policy_impl.h create mode 100644 test/common/common/shared_pointer_speed_test.cc diff --git a/envoy/http/async_client.h b/envoy/http/async_client.h index 9afbc3f394336..3155e5af60323 100644 --- a/envoy/http/async_client.h +++ b/envoy/http/async_client.h @@ -343,8 +343,8 @@ class AsyncClient { // The retry policy can be set as either a proto or Router::RetryPolicy but // not both. If both formats of the options are set, the more recent call // will overwrite the older one. - StreamOptions& setRetryPolicy(const Router::RetryPolicy& p) { - parsed_retry_policy = &p; + StreamOptions& setRetryPolicy(Router::RetryPolicyConstSharedPtr p) { + parsed_retry_policy = std::move(p); retry_policy = absl::nullopt; return *this; } @@ -432,7 +432,7 @@ class AsyncClient { absl::optional buffer_limit_; absl::optional retry_policy; - const Router::RetryPolicy* parsed_retry_policy{nullptr}; + Router::RetryPolicyConstSharedPtr parsed_retry_policy; Router::FilterConfigSharedPtr filter_config_; diff --git a/envoy/router/router.h b/envoy/router/router.h index d37a0bd61968d..ee7f4e1809473 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -198,6 +198,9 @@ class ResetHeaderParser { using ResetHeaderParserSharedPtr = std::shared_ptr; +class RetryPolicy; +using RetryPolicyConstSharedPtr = std::shared_ptr; + /** * Route level retry policy. */ @@ -985,6 +988,12 @@ class RouteEntry : public ResponseEntry { */ virtual const RetryPolicy& retryPolicy() const PURE; + /** + * @return const RetryPolicy& the retry policy for the route. All routes have a retry policy even + * if it is empty and does not allow retries. + */ + virtual const RetryPolicyConstSharedPtr& sharedRetryPolicy() const PURE; + /** * @return const InternalRedirectPolicy& the internal redirect policy for the route. All routes * have a internal redirect policy even if it is not enabled, which means redirects are diff --git a/source/common/http/async_client_impl.cc b/source/common/http/async_client_impl.cc index 6fb949da25300..b3cae3ccb8bf1 100644 --- a/source/common/http/async_client_impl.cc +++ b/source/common/http/async_client_impl.cc @@ -90,23 +90,19 @@ AsyncClient::Stream* AsyncClientImpl::start(AsyncClient::StreamCallbacks& callba return active_streams_.front().get(); } -std::unique_ptr -createRetryPolicy(AsyncClientImpl& parent, const AsyncClient::StreamOptions& options, +Router::RetryPolicyConstSharedPtr +createRetryPolicy(const AsyncClient::StreamOptions& options, Server::Configuration::CommonFactoryContext& context, absl::Status& creation_status) { if (options.retry_policy.has_value()) { - Upstream::RetryExtensionFactoryContextImpl factory_context( - parent.factory_context_.singletonManager()); auto policy_or_error = Router::RetryPolicyImpl::create( - options.retry_policy.value(), ProtobufMessage::getNullValidationVisitor(), factory_context, - context); + options.retry_policy.value(), ProtobufMessage::getNullValidationVisitor(), context); creation_status = policy_or_error.status(); - return policy_or_error.status().ok() ? std::move(policy_or_error.value()) : nullptr; + return policy_or_error.status().ok() ? std::move(policy_or_error.value()) + : Router::RetryPolicyImpl::DefaultRetryPolicy; } - if (options.parsed_retry_policy == nullptr) { - return std::make_unique(); - } - return nullptr; + return options.parsed_retry_policy != nullptr ? options.parsed_retry_policy + : Router::RetryPolicyImpl::DefaultRetryPolicy; } AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCallbacks& callbacks, @@ -122,9 +118,10 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal : std::make_shared( StreamInfo::FilterState::LifeSpan::FilterChain)), tracing_config_(Tracing::EgressConfig::get()), local_reply_(*parent.local_reply_), - retry_policy_(createRetryPolicy(parent, options, parent_.factory_context_, creation_status)), account_(options.account_), buffer_limit_(options.buffer_limit_), send_xff_(options.send_xff), send_internal_(options.send_internal) { + auto retry_policy = createRetryPolicy(options, parent.factory_context_, creation_status); + // A field initialization may set the creation-status as unsuccessful. // In that case return immediately. if (!creation_status.ok()) { @@ -144,10 +141,8 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal } auto route_or_error = NullRouteImpl::create( - parent_.cluster_->name(), - retry_policy_ != nullptr ? *retry_policy_ : *options.parsed_retry_policy, - parent_.factory_context_.regexEngine(), options.timeout, options.hash_policy, - metadata_matching_criteria); + parent_.cluster_->name(), std::move(retry_policy), parent_.factory_context_.regexEngine(), + options.timeout, options.hash_policy, metadata_matching_criteria); SET_AND_RETURN_IF_NOT_OK(route_or_error.status(), creation_status); route_ = std::move(*route_or_error); stream_info_.dynamicMetadata().MergeFrom(options.metadata); diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h index eedb6e17ad4fc..9790cc75d3a20 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h @@ -278,7 +278,6 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, Tracing::NullSpan active_span_; const Tracing::Config& tracing_config_; const LocalReply::LocalReply& local_reply_; - const std::unique_ptr retry_policy_; std::shared_ptr route_; uint32_t high_watermark_calls_{}; bool local_closed_{}; diff --git a/source/common/http/null_route_impl.h b/source/common/http/null_route_impl.h index ce2228fa9fbf5..5edb72422237f 100644 --- a/source/common/http/null_route_impl.h +++ b/source/common/http/null_route_impl.h @@ -95,12 +95,12 @@ struct RouteEntryImpl : public Router::RouteEntry { create(const std::string& cluster_name, const absl::optional& timeout, const Protobuf::RepeatedPtrField& hash_policy, - const Router::RetryPolicy& retry_policy, Regex::Engine& regex_engine, + Router::RetryPolicyConstSharedPtr retry_policy, Regex::Engine& regex_engine, const Router::MetadataMatchCriteria* metadata_match) { absl::Status creation_status = absl::OkStatus(); auto ret = std::unique_ptr( - new RouteEntryImpl(cluster_name, timeout, hash_policy, retry_policy, regex_engine, - creation_status, metadata_match)); + new RouteEntryImpl(cluster_name, timeout, hash_policy, std::move(retry_policy), + regex_engine, creation_status, metadata_match)); RETURN_IF_NOT_OK(creation_status); return ret; } @@ -110,10 +110,10 @@ struct RouteEntryImpl : public Router::RouteEntry { const std::string& cluster_name, const absl::optional& timeout, const Protobuf::RepeatedPtrField& hash_policy, - const Router::RetryPolicy& retry_policy, Regex::Engine& regex_engine, + Router::RetryPolicyConstSharedPtr retry_policy, Regex::Engine& regex_engine, absl::Status& creation_status, const Router::MetadataMatchCriteria* metadata_match) - : metadata_match_(metadata_match), retry_policy_(retry_policy), cluster_name_(cluster_name), - timeout_(timeout) { + : metadata_match_(metadata_match), retry_policy_(std::move(retry_policy)), + cluster_name_(cluster_name), timeout_(timeout) { if (!hash_policy.empty()) { auto policy_or_error = HashPolicyImpl::create(hash_policy, regex_engine); SET_AND_RETURN_IF_NOT_OK(policy_or_error.status(), creation_status); @@ -155,7 +155,10 @@ struct RouteEntryImpl : public Router::RouteEntry { return Upstream::ResourcePriority::Default; } const Router::RateLimitPolicy& rateLimitPolicy() const override { return rate_limit_policy_; } - const Router::RetryPolicy& retryPolicy() const override { return retry_policy_; } + const Router::RetryPolicy& retryPolicy() const override { return *retry_policy_; } + const Router::RetryPolicyConstSharedPtr& sharedRetryPolicy() const override { + return retry_policy_; + } const Router::InternalRedirectPolicy& internalRedirectPolicy() const override { return internal_redirect_policy_; } @@ -214,7 +217,7 @@ struct RouteEntryImpl : public Router::RouteEntry { const Router::MetadataMatchCriteria* metadata_match_; std::unique_ptr hash_policy_; - const Router::RetryPolicy& retry_policy_; + const Router::RetryPolicyConstSharedPtr retry_policy_; static const NullHedgePolicy hedge_policy_; static const NullRateLimitPolicy rate_limit_policy_; @@ -236,15 +239,15 @@ struct RouteEntryImpl : public Router::RouteEntry { struct NullRouteImpl : public Router::Route { static absl::StatusOr> - create(const std::string cluster_name, const Router::RetryPolicy& retry_policy, + create(const std::string cluster_name, Router::RetryPolicyConstSharedPtr retry_policy, Regex::Engine& regex_engine, const absl::optional& timeout = {}, const Protobuf::RepeatedPtrField& hash_policy = {}, const Router::MetadataMatchCriteria* metadata_match = nullptr) { absl::Status creation_status; - auto ret = std::unique_ptr(new NullRouteImpl(cluster_name, retry_policy, - regex_engine, timeout, hash_policy, - creation_status, metadata_match)); + auto ret = std::unique_ptr( + new NullRouteImpl(cluster_name, std::move(retry_policy), regex_engine, timeout, hash_policy, + creation_status, metadata_match)); RETURN_IF_NOT_OK(creation_status); return ret; } @@ -275,15 +278,15 @@ struct NullRouteImpl : public Router::Route { static const Router::VirtualHostConstSharedPtr virtual_host_; protected: - NullRouteImpl(const std::string cluster_name, const Router::RetryPolicy& retry_policy, + NullRouteImpl(const std::string cluster_name, Router::RetryPolicyConstSharedPtr retry_policy, Regex::Engine& regex_engine, const absl::optional& timeout, const Protobuf::RepeatedPtrField& hash_policy, absl::Status& creation_status, const Router::MetadataMatchCriteria* metadata_match) { - auto entry_or_error = RouteEntryImpl::create(cluster_name, timeout, hash_policy, retry_policy, - regex_engine, metadata_match); + auto entry_or_error = RouteEntryImpl::create( + cluster_name, timeout, hash_policy, std::move(retry_policy), regex_engine, metadata_match); SET_AND_RETURN_IF_NOT_OK(entry_or_error.status(), creation_status); route_entry_ = std::move(*entry_or_error); } diff --git a/source/common/router/BUILD b/source/common/router/BUILD index 1a1f91f67c810..fb5d8979aa5f3 100644 --- a/source/common/router/BUILD +++ b/source/common/router/BUILD @@ -43,7 +43,7 @@ envoy_cc_library( ":matcher_visitor_lib", ":metadatamatchcriteria_lib", ":per_filter_config_lib", - ":reset_header_parser_lib", + ":retry_policy_lib", ":retry_state_lib", ":router_ratelimit_lib", ":tls_context_match_criteria_lib", @@ -541,3 +541,19 @@ envoy_cc_library( "//envoy/router:cluster_specifier_plugin_interface", ], ) + +envoy_cc_library( + name = "retry_policy_lib", + srcs = ["retry_policy_impl.cc"], + hdrs = ["retry_policy_impl.h"], + deps = [ + ":reset_header_parser_lib", + ":retry_state_lib", + "//envoy/router:router_interface", + "//envoy/server:factory_context_interface", + "//source/common/config:utility_lib", + "//source/common/upstream:retry_factory_lib", + "@com_google_absl//absl/types:optional", + "@envoy_api//envoy/config/route/v3:pkg_cc_proto", + ], +) diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 7059d996bea7e..ab65b8aadc8f8 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -44,13 +44,10 @@ #include "source/common/router/context_impl.h" #include "source/common/router/header_cluster_specifier.h" #include "source/common/router/matcher_visitor.h" -#include "source/common/router/reset_header_parser.h" -#include "source/common/router/retry_state_impl.h" #include "source/common/router/weighted_cluster_specifier.h" #include "source/common/runtime/runtime_features.h" #include "source/common/tracing/custom_tag_impl.h" #include "source/common/tracing/http_tracer_impl.h" -#include "source/common/upstream/retry_factory.h" #include "source/extensions/early_data/default_early_data_policy.h" #include "source/extensions/matching/network/common/inputs.h" #include "source/extensions/path/match/uri_template/uri_template_match.h" @@ -217,128 +214,6 @@ HedgePolicyImpl::HedgePolicyImpl(const envoy::config::route::v3::HedgePolicy& he HedgePolicyImpl::HedgePolicyImpl() : initial_requests_(1), hedge_on_per_try_timeout_(false) {} -absl::StatusOr> -RetryPolicyImpl::create(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context) { - absl::Status creation_status = absl::OkStatus(); - auto ret = std::unique_ptr(new RetryPolicyImpl( - retry_policy, validation_visitor, factory_context, common_context, creation_status)); - RETURN_IF_NOT_OK(creation_status); - return ret; -} -RetryPolicyImpl::RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context, - absl::Status& creation_status) - : retriable_headers_(Http::HeaderUtility::buildHeaderMatcherVector( - retry_policy.retriable_headers(), common_context)), - retriable_request_headers_(Http::HeaderUtility::buildHeaderMatcherVector( - retry_policy.retriable_request_headers(), common_context)), - validation_visitor_(&validation_visitor) { - per_try_timeout_ = - std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_timeout, 0)); - per_try_idle_timeout_ = - std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_idle_timeout, 0)); - num_retries_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT(retry_policy, num_retries, 1); - retry_on_ = RetryStateImpl::parseRetryOn(retry_policy.retry_on()).first; - retry_on_ |= RetryStateImpl::parseRetryGrpcOn(retry_policy.retry_on()).first; - - for (const auto& host_predicate : retry_policy.retry_host_predicate()) { - auto& factory = Envoy::Config::Utility::getAndCheckFactory( - host_predicate); - auto config = Envoy::Config::Utility::translateToFactoryConfig(host_predicate, - validation_visitor, factory); - retry_host_predicate_configs_.emplace_back(factory, std::move(config)); - } - - const auto& retry_priority = retry_policy.retry_priority(); - if (!retry_priority.name().empty()) { - auto& factory = - Envoy::Config::Utility::getAndCheckFactory(retry_priority); - retry_priority_config_ = - std::make_pair(&factory, Envoy::Config::Utility::translateToFactoryConfig( - retry_priority, validation_visitor, factory)); - } - - for (const auto& options_predicate : retry_policy.retry_options_predicates()) { - auto& factory = - Envoy::Config::Utility::getAndCheckFactory( - options_predicate); - retry_options_predicates_.emplace_back( - factory.createOptionsPredicate(*Envoy::Config::Utility::translateToFactoryConfig( - options_predicate, validation_visitor, factory), - factory_context)); - } - - auto host_selection_attempts = retry_policy.host_selection_retry_max_attempts(); - if (host_selection_attempts) { - host_selection_attempts_ = host_selection_attempts; - } - - for (auto code : retry_policy.retriable_status_codes()) { - retriable_status_codes_.emplace_back(code); - } - - if (retry_policy.has_retry_back_off()) { - base_interval_ = std::chrono::milliseconds( - PROTOBUF_GET_MS_REQUIRED(retry_policy.retry_back_off(), base_interval)); - if ((*base_interval_).count() < 1) { - base_interval_ = std::chrono::milliseconds(1); - } - - max_interval_ = PROTOBUF_GET_OPTIONAL_MS(retry_policy.retry_back_off(), max_interval); - if (max_interval_) { - // Apply the same rounding to max interval in case both are set to sub-millisecond values. - if ((*max_interval_).count() < 1) { - max_interval_ = std::chrono::milliseconds(1); - } - - if ((*max_interval_).count() < (*base_interval_).count()) { - creation_status = absl::InvalidArgumentError( - "retry_policy.max_interval must greater than or equal to the base_interval"); - return; - } - } - } - - if (retry_policy.has_rate_limited_retry_back_off()) { - reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector( - retry_policy.rate_limited_retry_back_off().reset_headers()); - - absl::optional reset_max_interval = - PROTOBUF_GET_OPTIONAL_MS(retry_policy.rate_limited_retry_back_off(), max_interval); - if (reset_max_interval.has_value()) { - std::chrono::milliseconds max_interval = reset_max_interval.value(); - if (max_interval.count() < 1) { - max_interval = std::chrono::milliseconds(1); - } - reset_max_interval_ = max_interval; - } - } -} - -std::vector RetryPolicyImpl::retryHostPredicates() const { - std::vector predicates; - predicates.reserve(retry_host_predicate_configs_.size()); - for (const auto& config : retry_host_predicate_configs_) { - predicates.emplace_back(config.first.createHostPredicate(*config.second, num_retries_)); - } - - return predicates; -} - -Upstream::RetryPrioritySharedPtr RetryPolicyImpl::retryPriority() const { - if (retry_priority_config_.first == nullptr) { - return nullptr; - } - - return retry_priority_config_.first->createRetryPriority(*retry_priority_config_.second, - *validation_visitor_, num_retries_); -} - absl::StatusOr> InternalRedirectPolicyImpl::create( const envoy::config::route::v3::InternalRedirectPolicy& policy_config, ProtobufMessage::ValidationVisitor& validator, absl::string_view current_route_name) { @@ -1138,27 +1013,20 @@ std::unique_ptr RouteEntryImplBase::buildHedgePolicy( return nullptr; } -absl::StatusOr> RouteEntryImplBase::buildRetryPolicy( - RetryPolicyConstOptRef vhost_retry_policy, +absl::StatusOr RouteEntryImplBase::buildRetryPolicy( + const RetryPolicyConstSharedPtr& vhost_retry_policy, const envoy::config::route::v3::RouteAction& route_config, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::ServerFactoryContext& factory_context) const { - Upstream::RetryExtensionFactoryContextImpl retry_factory_context( - factory_context.singletonManager()); + Server::Configuration::CommonFactoryContext& factory_context) const { // Route specific policy wins, if available. if (route_config.has_retry_policy()) { return RetryPolicyImpl::create(route_config.retry_policy(), validation_visitor, - retry_factory_context, factory_context); - } - - // If not, we fallback to the virtual host policy if there is one. - if (vhost_retry_policy.has_value()) { - return RetryPolicyImpl::create(*vhost_retry_policy, validation_visitor, retry_factory_context, factory_context); } - // Otherwise, an empty policy will do. - return nullptr; + // If not, we fallback to the virtual host policy if there is one. Note the + // virtual host policy may be nullptr. + return vhost_retry_policy; } absl::StatusOr> @@ -1590,8 +1458,10 @@ CommonVirtualHostImpl::CommonVirtualHostImpl( // Retry and Hedge policies must be set before routes, since they may use them. if (virtual_host.has_retry_policy()) { - retry_policy_ = std::make_unique(); - retry_policy_->CopyFrom(virtual_host.retry_policy()); + auto policy_or_error = + RetryPolicyImpl::create(virtual_host.retry_policy(), validator, factory_context); + SET_AND_RETURN_IF_NOT_OK(policy_or_error.status(), creation_status); + retry_policy_ = std::move(policy_or_error.value()); } if (virtual_host.has_hedge_policy()) { hedge_policy_ = std::make_unique(); diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 5122a0fe1e3c6..2bbc6f541137b 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -32,6 +32,7 @@ #include "source/common/router/header_parser.h" #include "source/common/router/metadatamatchcriteria_impl.h" #include "source/common/router/per_filter_config.h" +#include "source/common/router/retry_policy_impl.h" #include "source/common/router/router_ratelimit.h" #include "source/common/router/tls_context_match_criteria_impl.h" #include "source/common/stats/symbol_table.h" @@ -263,12 +264,7 @@ class CommonVirtualHostImpl : public VirtualHost, Logger::Loggable& shadowPolicies() const { return shadow_policies_; } - RetryPolicyConstOptRef retryPolicy() const { - if (retry_policy_ != nullptr) { - return *retry_policy_; - } - return absl::nullopt; - } + const RetryPolicyConstSharedPtr& retryPolicy() const { return retry_policy_; } HedgePolicyConstOptRef hedgePolicy() const { if (hedge_policy_ != nullptr) { return *hedge_policy_; @@ -352,7 +348,7 @@ class CommonVirtualHostImpl : public VirtualHost, Logger::Loggable per_filter_configs_; - std::unique_ptr retry_policy_; + RetryPolicyConstSharedPtr retry_policy_; std::unique_ptr hedge_policy_; std::unique_ptr virtual_cluster_catch_all_; RouteMetadataPackPtr metadata_; @@ -401,80 +397,6 @@ class VirtualHostImpl : Logger::Loggable { using VirtualHostImplSharedPtr = std::shared_ptr; -/** - * Implementation of RetryPolicy that reads from the proto route or virtual host config. - */ -class RetryPolicyImpl : public RetryPolicy { - -public: - static absl::StatusOr> - create(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context); - RetryPolicyImpl() = default; - - // Router::RetryPolicy - std::chrono::milliseconds perTryTimeout() const override { return per_try_timeout_; } - std::chrono::milliseconds perTryIdleTimeout() const override { return per_try_idle_timeout_; } - uint32_t numRetries() const override { return num_retries_; } - uint32_t retryOn() const override { return retry_on_; } - std::vector retryHostPredicates() const override; - Upstream::RetryPrioritySharedPtr retryPriority() const override; - absl::Span - retryOptionsPredicates() const override { - return retry_options_predicates_; - } - uint32_t hostSelectionMaxAttempts() const override { return host_selection_attempts_; } - const std::vector& retriableStatusCodes() const override { - return retriable_status_codes_; - } - const std::vector& retriableHeaders() const override { - return retriable_headers_; - } - const std::vector& retriableRequestHeaders() const override { - return retriable_request_headers_; - } - absl::optional baseInterval() const override { return base_interval_; } - absl::optional maxInterval() const override { return max_interval_; } - const std::vector& resetHeaders() const override { - return reset_headers_; - } - std::chrono::milliseconds resetMaxInterval() const override { return reset_max_interval_; } - -private: - RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, - ProtobufMessage::ValidationVisitor& validation_visitor, - Upstream::RetryExtensionFactoryContext& factory_context, - Server::Configuration::CommonFactoryContext& common_context, - absl::Status& creation_status); - std::chrono::milliseconds per_try_timeout_{0}; - std::chrono::milliseconds per_try_idle_timeout_{0}; - // We set the number of retries to 1 by default (i.e. when no route or vhost level retry policy is - // set) so that when retries get enabled through the x-envoy-retry-on header we default to 1 - // retry. - uint32_t num_retries_{1}; - uint32_t retry_on_{}; - // Each pair contains the name and config proto to be used to create the RetryHostPredicates - // that should be used when with this policy. - std::vector> - retry_host_predicate_configs_; - // Name and config proto to use to create the RetryPriority to use with this policy. Default - // initialized when no RetryPriority should be used. - std::pair retry_priority_config_; - uint32_t host_selection_attempts_{1}; - std::vector retriable_status_codes_; - std::vector retriable_headers_; - std::vector retriable_request_headers_; - absl::optional base_interval_; - absl::optional max_interval_; - std::vector reset_headers_; - std::chrono::milliseconds reset_max_interval_{300000}; - ProtobufMessage::ValidationVisitor* validation_visitor_{}; - std::vector retry_options_predicates_; -}; -using DefaultRetryPolicy = ConstSingleton; - /** * Implementation of ShadowPolicy that reads from the proto route config. */ @@ -713,8 +635,9 @@ class RouteEntryImplBase : public RouteEntryAndRoute, if (retry_policy_ != nullptr) { return *retry_policy_; } - return DefaultRetryPolicy::get(); + return *RetryPolicyImpl::DefaultRetryPolicy; } + const RetryPolicyConstSharedPtr& sharedRetryPolicy() const override { return retry_policy_; } const InternalRedirectPolicy& internalRedirectPolicy() const override { if (internal_redirect_policy_ != nullptr) { return *internal_redirect_policy_; @@ -909,11 +832,11 @@ class RouteEntryImplBase : public RouteEntryAndRoute, buildHedgePolicy(HedgePolicyConstOptRef vhost_hedge_policy, const envoy::config::route::v3::RouteAction& route_config) const; - absl::StatusOr> - buildRetryPolicy(RetryPolicyConstOptRef vhost_retry_policy, + absl::StatusOr + buildRetryPolicy(const RetryPolicyConstSharedPtr& vhost_retry_policy, const envoy::config::route::v3::RouteAction& route_config, ProtobufMessage::ValidationVisitor& validation_visitor, - Server::Configuration::ServerFactoryContext& factory_context) const; + Server::Configuration::CommonFactoryContext& factory_context) const; absl::StatusOr> buildInternalRedirectPolicy(const envoy::config::route::v3::RouteAction& route_config, @@ -960,7 +883,7 @@ class RouteEntryImplBase : public RouteEntryAndRoute, std::unique_ptr runtime_; std::unique_ptr redirect_config_; std::unique_ptr hedge_policy_; - std::unique_ptr retry_policy_; + RetryPolicyConstSharedPtr retry_policy_; std::unique_ptr internal_redirect_policy_; std::unique_ptr rate_limit_policy_; std::vector shadow_policies_; diff --git a/source/common/router/delegating_route_impl.cc b/source/common/router/delegating_route_impl.cc index 09b7a0d2aca7f..84180523eaff2 100644 --- a/source/common/router/delegating_route_impl.cc +++ b/source/common/router/delegating_route_impl.cc @@ -67,6 +67,10 @@ const RetryPolicy& DelegatingRouteEntry::retryPolicy() const { return base_route_entry_->retryPolicy(); } +const RetryPolicyConstSharedPtr& DelegatingRouteEntry::sharedRetryPolicy() const { + return base_route_entry_->sharedRetryPolicy(); +} + const PathMatcherSharedPtr& DelegatingRouteEntry::pathMatcher() const { return base_route_entry_->pathMatcher(); } diff --git a/source/common/router/delegating_route_impl.h b/source/common/router/delegating_route_impl.h index 80871603ee6fb..2fcb2e209a643 100644 --- a/source/common/router/delegating_route_impl.h +++ b/source/common/router/delegating_route_impl.h @@ -103,6 +103,7 @@ class DelegatingRouteEntry : public DelegatingRouteBase { Upstream::ResourcePriority priority() const override; const RateLimitPolicy& rateLimitPolicy() const override; const RetryPolicy& retryPolicy() const override; + const RetryPolicyConstSharedPtr& sharedRetryPolicy() const override; const Router::PathMatcherSharedPtr& pathMatcher() const override; const Router::PathRewriterSharedPtr& pathRewriter() const override; const InternalRedirectPolicy& internalRedirectPolicy() const override; diff --git a/source/common/router/retry_policy_impl.cc b/source/common/router/retry_policy_impl.cc new file mode 100644 index 0000000000000..2fd80ecd56dda --- /dev/null +++ b/source/common/router/retry_policy_impl.cc @@ -0,0 +1,138 @@ +#include "source/common/router/retry_policy_impl.h" + +#include + +#include "source/common/config/utility.h" +#include "source/common/router/reset_header_parser.h" +#include "source/common/router/retry_state_impl.h" +#include "source/common/upstream/retry_factory.h" + +namespace Envoy { +namespace Router { + +absl::StatusOr> +RetryPolicyImpl::create(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context) { + absl::Status creation_status = absl::OkStatus(); + auto ret = std::shared_ptr( + new RetryPolicyImpl(retry_policy, validation_visitor, common_context, creation_status)); + RETURN_IF_NOT_OK(creation_status); + return ret; +} + +RetryPolicyConstSharedPtr RetryPolicyImpl::DefaultRetryPolicy = std::make_shared(); + +RetryPolicyImpl::RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context, + absl::Status& creation_status) + : retriable_headers_(Http::HeaderUtility::buildHeaderMatcherVector( + retry_policy.retriable_headers(), common_context)), + retriable_request_headers_(Http::HeaderUtility::buildHeaderMatcherVector( + retry_policy.retriable_request_headers(), common_context)), + validation_visitor_(&validation_visitor) { + per_try_timeout_ = + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_timeout, 0)); + per_try_idle_timeout_ = + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(retry_policy, per_try_idle_timeout, 0)); + num_retries_ = PROTOBUF_GET_WRAPPED_OR_DEFAULT(retry_policy, num_retries, 1); + retry_on_ = RetryStateImpl::parseRetryOn(retry_policy.retry_on()).first; + retry_on_ |= RetryStateImpl::parseRetryGrpcOn(retry_policy.retry_on()).first; + + for (const auto& host_predicate : retry_policy.retry_host_predicate()) { + auto& factory = Envoy::Config::Utility::getAndCheckFactory( + host_predicate); + auto config = Envoy::Config::Utility::translateToFactoryConfig(host_predicate, + validation_visitor, factory); + retry_host_predicate_configs_.emplace_back(factory, std::move(config)); + } + + const auto& retry_priority = retry_policy.retry_priority(); + if (!retry_priority.name().empty()) { + auto& factory = + Envoy::Config::Utility::getAndCheckFactory(retry_priority); + retry_priority_config_ = + std::make_pair(&factory, Envoy::Config::Utility::translateToFactoryConfig( + retry_priority, validation_visitor, factory)); + } + + Upstream::RetryExtensionFactoryContextImpl factory_context(common_context.singletonManager()); + for (const auto& options_predicate : retry_policy.retry_options_predicates()) { + auto& factory = + Envoy::Config::Utility::getAndCheckFactory( + options_predicate); + retry_options_predicates_.emplace_back( + factory.createOptionsPredicate(*Envoy::Config::Utility::translateToFactoryConfig( + options_predicate, validation_visitor, factory), + factory_context)); + } + + auto host_selection_attempts = retry_policy.host_selection_retry_max_attempts(); + if (host_selection_attempts) { + host_selection_attempts_ = host_selection_attempts; + } + + for (auto code : retry_policy.retriable_status_codes()) { + retriable_status_codes_.emplace_back(code); + } + + if (retry_policy.has_retry_back_off()) { + base_interval_ = std::chrono::milliseconds( + PROTOBUF_GET_MS_REQUIRED(retry_policy.retry_back_off(), base_interval)); + if ((*base_interval_).count() < 1) { + base_interval_ = std::chrono::milliseconds(1); + } + + max_interval_ = PROTOBUF_GET_OPTIONAL_MS(retry_policy.retry_back_off(), max_interval); + if (max_interval_) { + // Apply the same rounding to max interval in case both are set to sub-millisecond values. + if ((*max_interval_).count() < 1) { + max_interval_ = std::chrono::milliseconds(1); + } + + if ((*max_interval_).count() < (*base_interval_).count()) { + creation_status = absl::InvalidArgumentError( + "retry_policy.max_interval must greater than or equal to the base_interval"); + return; + } + } + } + + if (retry_policy.has_rate_limited_retry_back_off()) { + reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector( + retry_policy.rate_limited_retry_back_off().reset_headers()); + + absl::optional reset_max_interval = + PROTOBUF_GET_OPTIONAL_MS(retry_policy.rate_limited_retry_back_off(), max_interval); + if (reset_max_interval.has_value()) { + std::chrono::milliseconds max_interval = reset_max_interval.value(); + if (max_interval.count() < 1) { + max_interval = std::chrono::milliseconds(1); + } + reset_max_interval_ = max_interval; + } + } +} + +std::vector RetryPolicyImpl::retryHostPredicates() const { + std::vector predicates; + predicates.reserve(retry_host_predicate_configs_.size()); + for (const auto& config : retry_host_predicate_configs_) { + predicates.emplace_back(config.first.createHostPredicate(*config.second, num_retries_)); + } + + return predicates; +} + +Upstream::RetryPrioritySharedPtr RetryPolicyImpl::retryPriority() const { + if (retry_priority_config_.first == nullptr) { + return nullptr; + } + + return retry_priority_config_.first->createRetryPriority(*retry_priority_config_.second, + *validation_visitor_, num_retries_); +} + +} // namespace Router +} // namespace Envoy diff --git a/source/common/router/retry_policy_impl.h b/source/common/router/retry_policy_impl.h new file mode 100644 index 0000000000000..3acdfdda38b6a --- /dev/null +++ b/source/common/router/retry_policy_impl.h @@ -0,0 +1,92 @@ +#pragma once + +#include +#include +#include +#include + +#include "envoy/config/route/v3/route_components.pb.h" +#include "envoy/config/route/v3/route_components.pb.validate.h" +#include "envoy/router/router.h" +#include "envoy/server/factory_context.h" + +#include "absl/types/optional.h" + +namespace Envoy { +namespace Router { + +/** + * Implementation of RetryPolicy that reads from the proto route or virtual host config. + */ +class RetryPolicyImpl : public RetryPolicy { + +public: + static RetryPolicyConstSharedPtr DefaultRetryPolicy; + + static absl::StatusOr> + create(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context); + RetryPolicyImpl() = default; + + // Router::RetryPolicy + std::chrono::milliseconds perTryTimeout() const override { return per_try_timeout_; } + std::chrono::milliseconds perTryIdleTimeout() const override { return per_try_idle_timeout_; } + uint32_t numRetries() const override { return num_retries_; } + uint32_t retryOn() const override { return retry_on_; } + std::vector retryHostPredicates() const override; + Upstream::RetryPrioritySharedPtr retryPriority() const override; + absl::Span + retryOptionsPredicates() const override { + return retry_options_predicates_; + } + uint32_t hostSelectionMaxAttempts() const override { return host_selection_attempts_; } + const std::vector& retriableStatusCodes() const override { + return retriable_status_codes_; + } + const std::vector& retriableHeaders() const override { + return retriable_headers_; + } + const std::vector& retriableRequestHeaders() const override { + return retriable_request_headers_; + } + absl::optional baseInterval() const override { return base_interval_; } + absl::optional maxInterval() const override { return max_interval_; } + const std::vector& resetHeaders() const override { + return reset_headers_; + } + std::chrono::milliseconds resetMaxInterval() const override { return reset_max_interval_; } + +private: + RetryPolicyImpl(const envoy::config::route::v3::RetryPolicy& retry_policy, + ProtobufMessage::ValidationVisitor& validation_visitor, + Server::Configuration::CommonFactoryContext& common_context, + absl::Status& creation_status); + std::chrono::milliseconds per_try_timeout_{0}; + std::chrono::milliseconds per_try_idle_timeout_{0}; + // We set the number of retries to 1 by default (i.e. when no route or vhost level retry policy is + // set) so that when retries get enabled through the x-envoy-retry-on header we default to 1 + // retry. + uint32_t num_retries_{1}; + uint32_t retry_on_{}; + // Each pair contains the name and config proto to be used to create the RetryHostPredicates + // that should be used when with this policy. + std::vector> + retry_host_predicate_configs_; + // Name and config proto to use to create the RetryPriority to use with this policy. Default + // initialized when no RetryPriority should be used. + std::pair retry_priority_config_; + uint32_t host_selection_attempts_{1}; + std::vector retriable_status_codes_; + std::vector retriable_headers_; + std::vector retriable_request_headers_; + absl::optional base_interval_; + absl::optional max_interval_; + std::vector reset_headers_; + std::chrono::milliseconds reset_max_interval_{300000}; + ProtobufMessage::ValidationVisitor* validation_visitor_{}; + std::vector retry_options_predicates_; +}; + +} // namespace Router +} // namespace Envoy diff --git a/source/common/tcp_proxy/tcp_proxy.cc b/source/common/tcp_proxy/tcp_proxy.cc index 50eb756f661b4..42e574e5c4d05 100644 --- a/source/common/tcp_proxy/tcp_proxy.cc +++ b/source/common/tcp_proxy/tcp_proxy.cc @@ -637,10 +637,9 @@ bool Filter::maybeTunnel(Upstream::ThreadLocalCluster& cluster) { "envoy.restart_features.upstream_http_filters_with_tcp_proxy")) { // TODO(vikaschoudhary16): Initialize route_ once per cluster. upstream_decoder_filter_callbacks_.route_ = THROW_OR_RETURN_VALUE( - Http::NullRouteImpl::create( - cluster.info()->name(), - *std::unique_ptr{new Router::RetryPolicyImpl()}, - config_->regexEngine()), + Http::NullRouteImpl::create(cluster.info()->name(), + Router::RetryPolicyImpl::DefaultRetryPolicy, + config_->regexEngine()), std::unique_ptr); } Upstream::HostConstSharedPtr host = diff --git a/test/common/common/BUILD b/test/common/common/BUILD index 1ae3b9647066a..eb3c8f6a32acd 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -480,6 +480,21 @@ envoy_benchmark_test( benchmark_binary = "prefix_matching_benchmark", ) +envoy_cc_benchmark_binary( + name = "shared_pointer_speed_test", + srcs = ["shared_pointer_speed_test.cc"], + rbe_pool = "6gig", + deps = [ + "//source/common/common:assert_lib", + "@com_github_google_benchmark//:benchmark", + ], +) + +envoy_benchmark_test( + name = "shared_pointer_benchmark_test", + benchmark_binary = "shared_pointer_speed_test", +) + envoy_cc_test( name = "lock_guard_test", srcs = ["lock_guard_test.cc"], diff --git a/test/common/common/shared_pointer_speed_test.cc b/test/common/common/shared_pointer_speed_test.cc new file mode 100644 index 0000000000000..e219d3abbba4d --- /dev/null +++ b/test/common/common/shared_pointer_speed_test.cc @@ -0,0 +1,76 @@ +// Note: this should be run with --compilation_mode=opt, and would benefit from a +// quiescent system with disabled cstate power management. + +#include + +#include +#include +#include + +#include "source/common/common/assert.h" + +#include "benchmark/benchmark.h" + +namespace Envoy { + +class SimpleDataAccessor { +public: + class SimpleData { + public: + uint64_t inc() { return ++data_; } + + private: + uint64_t data_{}; + }; + + SimpleDataAccessor() : data_(std::make_shared()) {} + + std::shared_ptr dataSharedPtrByCopy() const { return data_; } + std::shared_ptr& dataSharedPtrByRef() { return data_; } + SimpleData& dataRefFromSharedPtr() { return *data_; } + SimpleData& dataRefFromStack() { return stack_data_; } + +private: + std::shared_ptr data_; + SimpleData stack_data_; +}; + +static void bmVerifySharedPtrAccessPerformance(benchmark::State& state) { + SimpleDataAccessor accessor; + + const size_t method = state.range(0); + + if (method == 0) { + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + for (size_t i = 0; i < 1000; i++) { + benchmark::DoNotOptimize(accessor.dataSharedPtrByCopy()->inc()); + } + } + } else if (method == 1) { + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + for (size_t i = 0; i < 1000; i++) { + benchmark::DoNotOptimize(accessor.dataSharedPtrByRef()->inc()); + } + } + } else if (method == 2) { + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + for (size_t i = 0; i < 1000; i++) { + benchmark::DoNotOptimize(accessor.dataRefFromSharedPtr().inc()); + } + } + } else { + ASSERT(method == 3); + for (auto _ : state) { + UNREFERENCED_PARAMETER(_); + for (size_t i = 0; i < 1000; i++) { + benchmark::DoNotOptimize(accessor.dataRefFromStack().inc()); + } + } + } +} +BENCHMARK(bmVerifySharedPtrAccessPerformance)->Args({0})->Args({1})->Args({2})->Args({3}); + +} // namespace Envoy diff --git a/test/common/http/async_client_impl_test.cc b/test/common/http/async_client_impl_test.cc index 8b64e6ca686b8..947f4f9b25561 100644 --- a/test/common/http/async_client_impl_test.cc +++ b/test/common/http/async_client_impl_test.cc @@ -2312,21 +2312,18 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { public: AsyncClientImplUnitTest() { envoy::config::route::v3::RetryPolicy proto_policy; - Upstream::RetryExtensionFactoryContextImpl factory_context( - client_.factory_context_.singletonManager()); - auto policy_or_error = - Router::RetryPolicyImpl::create(proto_policy, ProtobufMessage::getNullValidationVisitor(), - factory_context, client_.factory_context_); + auto policy_or_error = Router::RetryPolicyImpl::create( + proto_policy, ProtobufMessage::getNullValidationVisitor(), client_.factory_context_); THROW_IF_NOT_OK_REF(policy_or_error.status()); retry_policy_ = std::move(policy_or_error.value()); EXPECT_TRUE(retry_policy_.get()); route_impl_ = *NullRouteImpl::create( - client_.cluster_->name(), *retry_policy_, regex_engine_, absl::nullopt, + client_.cluster_->name(), retry_policy_, regex_engine_, absl::nullopt, Protobuf::RepeatedPtrField()); } - std::unique_ptr retry_policy_; + std::shared_ptr retry_policy_; Regex::GoogleReEngine regex_engine_; std::unique_ptr route_impl_; std::unique_ptr stream_ = std::move( @@ -2350,18 +2347,15 @@ class AsyncClientImplUnitTest : public AsyncClientImplTest { envoy::config::route::v3::RetryPolicy proto_policy; TestUtility::loadFromYaml(yaml_config, proto_policy); - Upstream::RetryExtensionFactoryContextImpl factory_context( - client_.factory_context_.singletonManager()); - auto policy_or_error = - Router::RetryPolicyImpl::create(proto_policy, ProtobufMessage::getNullValidationVisitor(), - factory_context, client_.factory_context_); + auto policy_or_error = Router::RetryPolicyImpl::create( + proto_policy, ProtobufMessage::getNullValidationVisitor(), client_.factory_context_); THROW_IF_NOT_OK_REF(policy_or_error.status()); retry_policy_ = std::move(policy_or_error.value()); EXPECT_TRUE(retry_policy_.get()); stream_ = std::move( Http::AsyncStreamImpl::create(client_, stream_callbacks_, - AsyncClient::StreamOptions().setRetryPolicy(*retry_policy_)) + AsyncClient::StreamOptions().setRetryPolicy(retry_policy_)) .value()); } diff --git a/test/common/router/retry_state_impl_test.cc b/test/common/router/retry_state_impl_test.cc index a4cf679837487..3e3f99a804932 100644 --- a/test/common/router/retry_state_impl_test.cc +++ b/test/common/router/retry_state_impl_test.cc @@ -56,8 +56,7 @@ class RouterRetryStateImplTest : public testing::Test { } void setup(Http::RequestHeaderMap& request_headers) { - - state_ = RetryStateImpl::create(policy_, request_headers, cluster_, &virtual_cluster_, + state_ = RetryStateImpl::create(*policy_, request_headers, cluster_, &virtual_cluster_, route_stats_context_, factory_context_, dispatcher_, Upstream::ResourcePriority::Default); } @@ -166,7 +165,7 @@ class RouterRetryStateImplTest : public testing::Test { void TearDown() override { cleanupOutstandingResources(); } Event::SimulatedTimeSystem test_time_; - NiceMock policy_; + std::shared_ptr> policy_ = TestRetryPolicy::createMock(); NiceMock cluster_; TestVirtualCluster virtual_cluster_; Stats::IsolatedStoreImpl stats_store_; @@ -502,7 +501,7 @@ TEST_F(RouterRetryStateImplTest, PolicyRetriable4xxReset) { } TEST_F(RouterRetryStateImplTest, RetriableStatusCodes) { - policy_.retriable_status_codes_.push_back(409); + policy_->retriable_status_codes_.push_back(409); verifyPolicyWithRemoteResponse("retriable-status-codes", "409", false /* is_grpc */); } @@ -533,7 +532,7 @@ TEST_F(RouterRetryStateImplTest, NoRetryUponTooEarlyStatusCodeWithDownstreamEarl } TEST_F(RouterRetryStateImplTest, RetriableStatusCodesUpstreamReset) { - policy_.retriable_status_codes_.push_back(409); + policy_->retriable_status_codes_.push_back(409); Http::TestRequestHeaderMapImpl request_headers{{"x-envoy-retry-on", "retriable-status-codes"}}; setup(request_headers); EXPECT_TRUE(state_->enabled()); @@ -606,13 +605,13 @@ TEST_F(RouterRetryStateImplTest, RetriableStatusCodesHeader) { // Test that when 'retriable-headers' policy is set via request header, certain configured headers // trigger retries. TEST_F(RouterRetryStateImplTest, RetriableHeadersPolicySetViaRequestHeader) { - policy_.retry_on_ = RetryPolicy::RETRY_ON_5XX; + policy_->retry_on_ = RetryPolicy::RETRY_ON_5XX; Protobuf::RepeatedPtrField matchers; auto* matcher = matchers.Add(); matcher->set_name("X-Upstream-Pushback"); - policy_.retriable_headers_ = + policy_->retriable_headers_ = Http::HeaderUtility::buildHeaderMatcherVector(matchers, factory_context_); // No retries based on response headers: retry mode isn't enabled. @@ -644,7 +643,7 @@ TEST_F(RouterRetryStateImplTest, RetriableHeadersPolicySetViaRequestHeader) { // Test that when 'retriable-headers' policy is set via retry policy configuration, // configured header matcher conditions trigger retries. TEST_F(RouterRetryStateImplTest, RetriableHeadersPolicyViaRetryPolicyConfiguration) { - policy_.retry_on_ = RetryPolicy::RETRY_ON_RETRIABLE_HEADERS; + policy_->retry_on_ = RetryPolicy::RETRY_ON_RETRIABLE_HEADERS; Protobuf::RepeatedPtrField matchers; @@ -664,7 +663,7 @@ TEST_F(RouterRetryStateImplTest, RetriableHeadersPolicyViaRetryPolicyConfigurati matcher4->mutable_range_match()->set_start(500); matcher4->mutable_range_match()->set_end(505); - policy_.retriable_headers_ = + policy_->retriable_headers_ = Http::HeaderUtility::buildHeaderMatcherVector(matchers, factory_context_); auto should_retry_with_response = [this](const Http::TestResponseHeaderMapImpl& response_headers, @@ -784,7 +783,7 @@ TEST_F(RouterRetryStateImplTest, RetriableHeadersSetViaRequestHeader) { // Test merging retriable headers set via request headers and via config file. TEST_F(RouterRetryStateImplTest, RetriableHeadersMergedConfigAndRequestHeaders) { - policy_.retry_on_ = RetryPolicy::RETRY_ON_RETRIABLE_HEADERS; + policy_->retry_on_ = RetryPolicy::RETRY_ON_RETRIABLE_HEADERS; Protobuf::RepeatedPtrField matchers; @@ -794,7 +793,7 @@ TEST_F(RouterRetryStateImplTest, RetriableHeadersMergedConfigAndRequestHeaders) matcher->mutable_string_match()->set_exact("200"); matcher->set_invert_match(true); - policy_.retriable_headers_ = + policy_->retriable_headers_ = Http::HeaderUtility::buildHeaderMatcherVector(matchers, factory_context_); // No retries according to config. @@ -856,7 +855,7 @@ TEST_F(RouterRetryStateImplTest, PolicyLimitedByRequestHeaders) { matcher2->set_name(":method"); matcher2->mutable_string_match()->set_exact("HEAD"); - policy_.retriable_request_headers_ = + policy_->retriable_request_headers_ = Http::HeaderUtility::buildHeaderMatcherVector(matchers, factory_context_); { @@ -917,8 +916,8 @@ TEST_F(RouterRetryStateImplTest, PolicyLimitedByRequestHeaders) { } TEST_F(RouterRetryStateImplTest, RouteConfigNoRetriesAllowed) { - policy_.num_retries_ = 0; - policy_.retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; + policy_->num_retries_ = 0; + policy_->retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; setup(); EXPECT_TRUE(state_->enabled()); @@ -935,8 +934,8 @@ TEST_F(RouterRetryStateImplTest, RouteConfigNoRetriesAllowed) { } TEST_F(RouterRetryStateImplTest, RouteConfigNoHeaderConfig) { - policy_.num_retries_ = 1; - policy_.retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; + policy_->num_retries_ = 1; + policy_->retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; Http::TestRequestHeaderMapImpl request_headers; setup(request_headers); EXPECT_TRUE(state_->enabled()); @@ -966,7 +965,7 @@ TEST_F(RouterRetryStateImplTest, NoAvailableRetries) { TEST_F(RouterRetryStateImplTest, MaxRetriesHeader) { // The max retries header will take precedence over the policy - policy_.num_retries_ = 4; + policy_->num_retries_ = 4; Http::TestRequestHeaderMapImpl request_headers{{"x-envoy-retry-on", "connect-failure"}, {"x-envoy-retry-grpc-on", "cancelled"}, {"x-envoy-max-retries", "3"}}; @@ -1011,8 +1010,8 @@ TEST_F(RouterRetryStateImplTest, MaxRetriesHeader) { } TEST_F(RouterRetryStateImplTest, Backoff) { - policy_.num_retries_ = 5; - policy_.retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; + policy_->num_retries_ = 5; + policy_->retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; Http::TestRequestHeaderMapImpl request_headers; setup(request_headers); EXPECT_TRUE(state_->enabled()); @@ -1082,10 +1081,10 @@ TEST_F(RouterRetryStateImplTest, Backoff) { // Test customized retry back-off intervals. TEST_F(RouterRetryStateImplTest, CustomBackOffInterval) { - policy_.num_retries_ = 10; - policy_.retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; - policy_.base_interval_ = std::chrono::milliseconds(100); - policy_.max_interval_ = std::chrono::milliseconds(1200); + policy_->num_retries_ = 10; + policy_->retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; + policy_->base_interval_ = std::chrono::milliseconds(100); + policy_->max_interval_ = std::chrono::milliseconds(1200); Http::TestRequestHeaderMapImpl request_headers; setup(request_headers); EXPECT_TRUE(state_->enabled()); @@ -1134,9 +1133,9 @@ TEST_F(RouterRetryStateImplTest, CustomBackOffInterval) { // Test the default maximum retry back-off interval. TEST_F(RouterRetryStateImplTest, CustomBackOffIntervalDefaultMax) { - policy_.num_retries_ = 10; - policy_.retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; - policy_.base_interval_ = std::chrono::milliseconds(100); + policy_->num_retries_ = 10; + policy_->retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; + policy_->base_interval_ = std::chrono::milliseconds(100); Http::TestRequestHeaderMapImpl request_headers; setup(request_headers); EXPECT_TRUE(state_->enabled()); @@ -1197,7 +1196,7 @@ TEST_F(RouterRetryStateImplTest, ParseRateLimitedResetInterval) { reset_header_2->set_name("X-RateLimit-Reset"); reset_header_2->set_format(envoy::config::route::v3::RetryPolicy::UNIX_TIMESTAMP); - policy_.reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector(reset_headers); + policy_->reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector(reset_headers); // Failure case: Matches reset header (seconds) but exceeds max_interval (>5min) { @@ -1263,8 +1262,8 @@ TEST_F(RouterRetryStateImplTest, RateLimitedRetryBackoffStrategy) { reset_header->set_name("Retry-After"); reset_header->set_format(envoy::config::route::v3::RetryPolicy::SECONDS); - policy_.num_retries_ = 4; - policy_.reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector(reset_headers); + policy_->num_retries_ = 4; + policy_->reset_headers_ = ResetHeaderParserImpl::buildResetHeaderParserVector(reset_headers); Http::TestRequestHeaderMapImpl request_headers{{"x-envoy-retry-on", "5xx"}}; setup(request_headers); @@ -1320,8 +1319,8 @@ TEST_F(RouterRetryStateImplTest, RateLimitedRetryBackoffStrategy) { } TEST_F(RouterRetryStateImplTest, HostSelectionAttempts) { - policy_.host_selection_max_attempts_ = 2; - policy_.retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; + policy_->host_selection_max_attempts_ = 2; + policy_->retry_on_ = RetryPolicy::RETRY_ON_CONNECT_FAILURE; setup(); diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index f36dd2e64c09d..51a2bad28822e 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -1033,7 +1033,7 @@ class MockRetryOptionsPredicate : public Upstream::RetryOptionsPredicate { // Also verify retry options predicates work. TEST_F(RouterTest, EnvoyAttemptCountInRequestUpdatedInRetries) { auto retry_options_predicate = std::make_shared(); - callbacks_.route_->route_entry_.retry_policy_.retry_options_predicates_.emplace_back( + callbacks_.route_->route_entry_.retry_policy_->retry_options_predicates_.emplace_back( retry_options_predicate); setIncludeAttemptCountInRequest(true); @@ -1912,7 +1912,7 @@ TEST_F(RouterTest, UpstreamTimeoutWithAltResponse) { TEST_F(RouterTest, UpstreamPerTryIdleTimeout) { InSequence s; - callbacks_.route_->route_entry_.retry_policy_.per_try_idle_timeout_ = + callbacks_.route_->route_entry_.retry_policy_->per_try_idle_timeout_ = std::chrono::milliseconds(3000); // This pattern helps ensure that we're actually invoking the callback. @@ -1983,7 +1983,7 @@ TEST_F(RouterTest, UpstreamPerTryIdleTimeout) { TEST_F(RouterTest, UpstreamPerTryIdleTimeoutSuccess) { InSequence s; - callbacks_.route_->route_entry_.retry_policy_.per_try_idle_timeout_ = + callbacks_.route_->route_entry_.retry_policy_->per_try_idle_timeout_ = std::chrono::milliseconds(3000); NiceMock encoder; @@ -2188,7 +2188,7 @@ TEST_F(RouterTest, UpstreamPerTryTimeoutExcludesNewStream) { // canceled). Also verify retry options predicates work. TEST_F(RouterTest, HedgedPerTryTimeoutFirstRequestSucceeds) { auto retry_options_predicate = std::make_shared(); - callbacks_.route_->route_entry_.retry_policy_.retry_options_predicates_.emplace_back( + callbacks_.route_->route_entry_.retry_policy_->retry_options_predicates_.emplace_back( retry_options_predicate); enableHedgeOnPerTryTimeout(); @@ -2679,7 +2679,7 @@ TEST_F(RouterTest, BadHeadersDroppedIfPreviousRetryScheduled) { // has sent any of the body. Also verify retry options predicates work. TEST_F(RouterTest, RetryRequestBeforeBody) { auto retry_options_predicate = std::make_shared(); - callbacks_.route_->route_entry_.retry_policy_.retry_options_predicates_.emplace_back( + callbacks_.route_->route_entry_.retry_policy_->retry_options_predicates_.emplace_back( retry_options_predicate); NiceMock encoder1; @@ -5859,7 +5859,7 @@ TEST(RouterFilterUtilityTest, FinalTimeout) { } { NiceMock route; - route.retry_policy_.per_try_timeout_ = std::chrono::milliseconds(7); + route.retry_policy_->per_try_timeout_ = std::chrono::milliseconds(7); EXPECT_CALL(route, timeout()).WillOnce(Return(std::chrono::milliseconds(10))); Http::TestRequestHeaderMapImpl headers{{"x-envoy-upstream-rq-timeout-ms", "15"}}; TimeoutData timeout = FilterUtility::finalTimeout(route, headers, true, false, false, false); @@ -5872,7 +5872,7 @@ TEST(RouterFilterUtilityTest, FinalTimeout) { } { NiceMock route; - route.retry_policy_.per_try_timeout_ = std::chrono::milliseconds(10); + route.retry_policy_->per_try_timeout_ = std::chrono::milliseconds(10); EXPECT_CALL(route, timeout()).WillOnce(Return(std::chrono::milliseconds(0))); Http::TestRequestHeaderMapImpl headers; TimeoutData timeout = FilterUtility::finalTimeout(route, headers, true, false, false, false); @@ -5885,7 +5885,7 @@ TEST(RouterFilterUtilityTest, FinalTimeout) { } { NiceMock route; - route.retry_policy_.per_try_timeout_ = std::chrono::milliseconds(7); + route.retry_policy_->per_try_timeout_ = std::chrono::milliseconds(7); EXPECT_CALL(route, timeout()).WillOnce(Return(std::chrono::milliseconds(10))); Http::TestRequestHeaderMapImpl headers{{"x-envoy-upstream-rq-timeout-ms", "15"}, {"x-envoy-upstream-rq-per-try-timeout-ms", "5"}}; @@ -6038,7 +6038,7 @@ TEST(RouterFilterUtilityTest, FinalTimeout) { NiceMock route; EXPECT_CALL(route, maxGrpcTimeout()) .WillRepeatedly(Return(absl::optional(0))); - route.retry_policy_.per_try_timeout_ = std::chrono::milliseconds(7); + route.retry_policy_->per_try_timeout_ = std::chrono::milliseconds(7); Http::TestRequestHeaderMapImpl headers{{"content-type", "application/grpc"}, {"grpc-timeout", "1000m"}, {"x-envoy-upstream-rq-timeout-ms", "15"}}; @@ -6054,7 +6054,7 @@ TEST(RouterFilterUtilityTest, FinalTimeout) { NiceMock route; EXPECT_CALL(route, maxGrpcTimeout()) .WillRepeatedly(Return(absl::optional(0))); - route.retry_policy_.per_try_timeout_ = std::chrono::milliseconds(7); + route.retry_policy_->per_try_timeout_ = std::chrono::milliseconds(7); Http::TestRequestHeaderMapImpl headers{{"content-type", "application/grpc"}, {"grpc-timeout", "1000m"}, {"x-envoy-upstream-rq-timeout-ms", "15"}, @@ -6699,7 +6699,7 @@ TEST_F(RouterTest, Http3DisabledForHttp11Proxies) { TEST_F(RouterTest, ExpectedUpstreamTimeoutUpdatedDuringRetries) { auto retry_options_predicate = std::make_shared(); - callbacks_.route_->route_entry_.retry_policy_.retry_options_predicates_.emplace_back( + callbacks_.route_->route_entry_.retry_policy_->retry_options_predicates_.emplace_back( retry_options_predicate); setIncludeAttemptCountInRequest(true); diff --git a/test/mocks/router/mocks.cc b/test/mocks/router/mocks.cc index 3c808199047e8..dffdf0b0d1fd0 100644 --- a/test/mocks/router/mocks.cc +++ b/test/mocks/router/mocks.cc @@ -103,7 +103,8 @@ MockRouteEntry::MockRouteEntry() ON_CALL(*this, clusterName()).WillByDefault(ReturnRef(cluster_name_)); ON_CALL(*this, opaqueConfig()).WillByDefault(ReturnRef(opaque_config_)); ON_CALL(*this, rateLimitPolicy()).WillByDefault(ReturnRef(rate_limit_policy_)); - ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(retry_policy_)); + ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(*retry_policy_)); + ON_CALL(*this, sharedRetryPolicy()).WillByDefault(ReturnRef(base_retry_policy_)); ON_CALL(*this, internalRedirectPolicy()).WillByDefault(ReturnRef(internal_redirect_policy_)); ON_CALL(*this, shadowPolicies()).WillByDefault(ReturnRef(shadow_policies_)); @@ -165,7 +166,8 @@ MockRoute::MockRoute() { ON_CALL(*this, clusterName()).WillByDefault(ReturnRef(route_entry_.cluster_name_)); ON_CALL(*this, opaqueConfig()).WillByDefault(ReturnRef(route_entry_.opaque_config_)); ON_CALL(*this, rateLimitPolicy()).WillByDefault(ReturnRef(route_entry_.rate_limit_policy_)); - ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(route_entry_.retry_policy_)); + ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(*route_entry_.retry_policy_)); + ON_CALL(*this, sharedRetryPolicy()).WillByDefault(ReturnRef(route_entry_.base_retry_policy_)); ON_CALL(*this, internalRedirectPolicy()) .WillByDefault(ReturnRef(route_entry_.internal_redirect_policy_)); diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index 77c5fe90eb7d3..e41fad2fa718e 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -120,6 +120,10 @@ class TestHedgePolicy : public HedgePolicy { class TestRetryPolicy : public RetryPolicy { public: + static std::shared_ptr create() { return std::make_shared(); } + static std::shared_ptr> createMock() { + return std::make_shared>(); + } TestRetryPolicy(); ~TestRetryPolicy() override; @@ -431,6 +435,7 @@ class MockRouteEntry : public RouteEntry { MOCK_METHOD(Upstream::ResourcePriority, priority, (), (const)); MOCK_METHOD(const RateLimitPolicy&, rateLimitPolicy, (), (const)); MOCK_METHOD(const RetryPolicy&, retryPolicy, (), (const)); + MOCK_METHOD(const RetryPolicyConstSharedPtr&, sharedRetryPolicy, (), (const)); MOCK_METHOD(const InternalRedirectPolicy&, internalRedirectPolicy, (), (const)); MOCK_METHOD(const PathMatcherSharedPtr&, pathMatcher, (), (const)); MOCK_METHOD(const PathRewriterSharedPtr&, pathRewriter, (), (const)); @@ -464,7 +469,8 @@ class MockRouteEntry : public RouteEntry { std::string cluster_name_{"fake_cluster"}; std::multimap opaque_config_; - TestRetryPolicy retry_policy_; + std::shared_ptr retry_policy_ = TestRetryPolicy::create(); + RetryPolicyConstSharedPtr base_retry_policy_ = retry_policy_; testing::NiceMock internal_redirect_policy_; PathMatcherSharedPtr path_matcher_; PathRewriterSharedPtr path_rewriter_; @@ -553,6 +559,7 @@ class MockRoute : public RouteEntryAndRoute { MOCK_METHOD(Upstream::ResourcePriority, priority, (), (const)); MOCK_METHOD(const RateLimitPolicy&, rateLimitPolicy, (), (const)); MOCK_METHOD(const RetryPolicy&, retryPolicy, (), (const)); + MOCK_METHOD(const RetryPolicyConstSharedPtr&, sharedRetryPolicy, (), (const)); MOCK_METHOD(const InternalRedirectPolicy&, internalRedirectPolicy, (), (const)); MOCK_METHOD(const PathMatcherSharedPtr&, pathMatcher, (), (const)); MOCK_METHOD(const PathRewriterSharedPtr&, pathRewriter, (), (const)); From dd32d43903bc74f7e2ee945838fa0e8abf048978 Mon Sep 17 00:00:00 2001 From: bsurber <73970703+bsurber@users.noreply.github.com> Date: Sat, 20 Sep 2025 13:04:35 -0700 Subject: [PATCH 446/505] rate_limit_quota: fix ASAN flake in GlobalRateLimitClientImpl's RLQS Stream (#41053) Commit Message: The RLQS async stream in `GlobalRateLimitClientImpl` (`stream_`) doesn't actually own the underlying raw stream ptr. This was causing a race condition during shutdown, with the cluster-manager's deferred stream reset+deletion racing against the global client's deferred deletion. If the deferred global client deletion triggered first, without resetting the stream, then the cluster-manager would fail in its own stream reset attempt (the stream's callbacks having been deleted with the global client). If the global client guarantees stream reset + deletion, and the cluster manager wins the race, then the global client's reset + deletion fails with heap-use-after-free. To get around this race condition, the `GlobalRateLimitClientImpl` can instead own its `RawAsyncClient` & delete it to guarantee that any of its active streams are cleaned up. -------- Additional Description: With the owned RawAsyncClient, integration testing saw a new flake where sometimes the first connection to a fake upstream failed immediately with an empty-message internal error. This was addressed by adding `waitForRlqsStream()` to check all fake upstream connections for new streams, not just the first. -------- Risk Level: Testing: Unit & integration. integration_test & filter_persistence_test run 500 times to check for flakes. Docs Changes: Release Notes: Platform Specific Features: Fixes ASAN flake from PR https://github.com/envoyproxy/envoy/pull/40497 --------- Signed-off-by: Brian Surber --- .../filters/http/rate_limit_quota/config.cc | 14 ++-- .../rate_limit_quota/filter_persistence.cc | 9 +-- .../rate_limit_quota/filter_persistence.h | 8 +-- .../rate_limit_quota/global_client_impl.cc | 61 ++++++++++------- .../rate_limit_quota/global_client_impl.h | 14 ++-- .../http/rate_limit_quota/client_test.cc | 58 +++++++++++++++- .../http/rate_limit_quota/client_test_utils.h | 67 +++++++++++++++++-- .../http/rate_limit_quota/config_test.cc | 4 +- 8 files changed, 173 insertions(+), 62 deletions(-) diff --git a/source/extensions/filters/http/rate_limit_quota/config.cc b/source/extensions/filters/http/rate_limit_quota/config.cc index 3d88cec22b381..085643fac13c3 100644 --- a/source/extensions/filters/http/rate_limit_quota/config.cc +++ b/source/extensions/filters/http/rate_limit_quota/config.cc @@ -50,19 +50,13 @@ Http::FilterFactoryCb RateLimitQuotaFilterFactory::createFilterFactoryFromProtoT matcher = matcher_factory.create(config->bucket_matchers())(); } - // Get the rlqs_server destination from the cluster manager. - absl::StatusOr rlqs_stream_client = - context.serverFactoryContext() - .clusterManager() - .grpcAsyncClientManager() - .getOrCreateRawAsyncClientWithHashKey(config_with_hash_key, context.scope(), true); - if (!rlqs_stream_client.ok()) { - throw EnvoyException(std::string(rlqs_stream_client.status().message())); - } + std::string rlqs_server_target = config->rlqs_server().has_envoy_grpc() + ? config->rlqs_server().envoy_grpc().cluster_name() + : config->rlqs_server().google_grpc().target_uri(); // Get the TLS store from the global map, or create one if it doesn't exist. std::shared_ptr tls_store = GlobalTlsStores::getTlsStore( - config_with_hash_key, context, (*rlqs_stream_client)->destination(), filter_config.domain()); + config_with_hash_key, context, rlqs_server_target, filter_config.domain()); return [&, config = std::move(config), config_with_hash_key, tls_store = std::move(tls_store), matcher = std::move(matcher)](Http::FilterChainFactoryCallbacks& callbacks) -> void { diff --git a/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc b/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc index a0e865f2e969d..f5920d6367b57 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc +++ b/source/extensions/filters/http/rate_limit_quota/filter_persistence.cc @@ -24,9 +24,10 @@ using TlsStore = GlobalTlsStores::TlsStore; // Helper to initialize a new TLS store based on a rate_limit_quota config's // settings. -std::shared_ptr initTlsStore(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, - Server::Configuration::FactoryContext& context, - absl::string_view target_address, absl::string_view domain) { +std::shared_ptr +initTlsStore(const Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, + Server::Configuration::FactoryContext& context, absl::string_view target_address, + absl::string_view domain) { // Quota bucket & global client TLS objects are created with the config and // kept alive via shared_ptr to a storage struct. The local rate limit client // in each filter instance assumes that the slot will outlive them. @@ -55,7 +56,7 @@ std::shared_ptr initTlsStore(Grpc::GrpcServiceConfigWithHashKey& confi // References a statically shared map. This is not thread-safe so it should // only be called during RLQS filter factory creation on the main thread. std::shared_ptr -GlobalTlsStores::getTlsStore(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, +GlobalTlsStores::getTlsStore(const Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, Server::Configuration::FactoryContext& context, absl::string_view target_address, absl::string_view domain) { TlsStoreIndex index = std::make_pair(std::string(target_address), std::string(domain)); diff --git a/source/extensions/filters/http/rate_limit_quota/filter_persistence.h b/source/extensions/filters/http/rate_limit_quota/filter_persistence.h index 0b49973fc476a..0eff70664976d 100644 --- a/source/extensions/filters/http/rate_limit_quota/filter_persistence.h +++ b/source/extensions/filters/http/rate_limit_quota/filter_persistence.h @@ -67,7 +67,7 @@ class GlobalTlsStores : public Logger::Loggable { // Get an existing TLS store by index, or create one if not found. static std::shared_ptr - getTlsStore(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, + getTlsStore(const Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, Server::Configuration::FactoryContext& context, absl::string_view target_address, absl::string_view domain); @@ -96,12 +96,6 @@ class GlobalTlsStores : public Logger::Loggable { return *tls_stores; } - // Find or initialize a TLS store for the given config. - static std::shared_ptr - getTlsStoreImpl(Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, - Server::Configuration::FactoryContext& context, TlsStoreIndex& index, - bool* new_store_out); - // Clear a specified index when it is no longer captured by any filter factories. static void clearTlsStore(const TlsStoreIndex& index) { stores().erase(index); } }; diff --git a/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc b/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc index bcf38a5dfedce..99e3efd959c28 100644 --- a/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc +++ b/source/extensions/filters/http/rate_limit_quota/global_client_impl.cc @@ -38,12 +38,6 @@ namespace Extensions { namespace HttpFilters { namespace RateLimitQuota { -Grpc::RawAsyncClientSharedPtr -getOrThrow(absl::StatusOr client_or_error) { - THROW_IF_NOT_OK_REF(client_or_error.status()); - return client_or_error.value(); -} - using BucketAction = RateLimitQuotaResponse::BucketAction; using envoy::type::v3::RateLimitStrategy; @@ -53,17 +47,36 @@ GlobalRateLimitClientImpl::GlobalRateLimitClientImpl( std::chrono::milliseconds send_reports_interval, Envoy::ThreadLocal::TypedSlot& buckets_tls, Envoy::Event::Dispatcher& main_dispatcher) - : domain_name_(domain_name), - async_client_(getOrThrow( - context.serverFactoryContext() - .clusterManager() - .grpcAsyncClientManager() - .getOrCreateRawAsyncClientWithHashKey(config_with_hash_key, context.scope(), true))), - buckets_tls_(buckets_tls), send_reports_interval_(send_reports_interval), + : domain_name_(domain_name), buckets_tls_(buckets_tls), + send_reports_interval_(send_reports_interval), time_source_(context.serverFactoryContext().mainThreadDispatcher().timeSource()), - main_dispatcher_(main_dispatcher) {} + main_dispatcher_(main_dispatcher) { + ASSERT_IS_MAIN_OR_TEST_THREAD(); + + absl::StatusOr rlqs_stream_client_factory = + context.serverFactoryContext() + .clusterManager() + .grpcAsyncClientManager() + .factoryForGrpcService(config_with_hash_key.config(), context.scope(), true); + if (!rlqs_stream_client_factory.ok()) { + throw EnvoyException(std::string(rlqs_stream_client_factory.status().message())); + } + + absl::StatusOr rlqs_stream_client = + (*rlqs_stream_client_factory)->createUncachedRawAsyncClient(); + if (!rlqs_stream_client.ok()) { + throw EnvoyException(std::string(rlqs_stream_client.status().message())); + } + async_client_ = GrpcAsyncClient(std::move(*rlqs_stream_client)); +} -void GlobalRateLimitClientImpl::deleteIsPending() { async_client_.reset(); } +void GlobalRateLimitClientImpl::deleteIsPending() { + ASSERT_IS_MAIN_OR_TEST_THREAD(); + // Deleting the async client also triggers stream_ to reset, if active. + // The client & stream must be destroyed before the GlobalRateLimitClientImpl, + // as it provides the stream callbacks. + async_client_->reset(); +} void getUsageFromBucket(const CachedBucket& cached_bucket, TimeSource& time_source, BucketQuotaUsage& usage) { @@ -368,21 +381,21 @@ void GlobalRateLimitClientImpl::onQuotaResponseImpl(const RateLimitQuotaResponse void GlobalRateLimitClientImpl::onRemoteClose(Grpc::Status::GrpcStatus status, const std::string& message) { // TODO(tyxia) Revisit later, maybe add some logging. - main_dispatcher_.post([&, status, message]() { - // Stream is already closed and cannot be referenced further. - ENVOY_LOG(debug, "gRPC stream closed remotely with status {}: {}", status, message); - stream_ = nullptr; - }); + ASSERT_IS_MAIN_OR_TEST_THREAD(); + // Stream is already closed and cannot be referenced further. + ENVOY_LOG(debug, "gRPC stream closed remotely with status {}: {}", status, message); + stream_ = nullptr; } bool GlobalRateLimitClientImpl::startStreamImpl() { // Starts stream if it has not been opened yet. + ASSERT_IS_MAIN_OR_TEST_THREAD(); if (stream_ == nullptr) { ENVOY_LOG(debug, "Trying to start the new gRPC stream"); - stream_ = async_client_.start(*Protobuf::DescriptorPool::generated_pool()->FindMethodByName( - "envoy.service.rate_limit_quota.v3.RateLimitQuotaService." - "StreamRateLimitQuotas"), - *this, Http::AsyncClient::RequestOptions()); + stream_ = async_client_->start(*Protobuf::DescriptorPool::generated_pool()->FindMethodByName( + "envoy.service.rate_limit_quota.v3.RateLimitQuotaService." + "StreamRateLimitQuotas"), + *this, Http::AsyncClient::RequestOptions()); } // Returns error status if start failed (i.e., stream_ is nullptr). return (stream_ != nullptr); diff --git a/source/extensions/filters/http/rate_limit_quota/global_client_impl.h b/source/extensions/filters/http/rate_limit_quota/global_client_impl.h index 224217be804a6..7259973a529da 100644 --- a/source/extensions/filters/http/rate_limit_quota/global_client_impl.h +++ b/source/extensions/filters/http/rate_limit_quota/global_client_impl.h @@ -60,17 +60,15 @@ class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< public Event::DeferredDeletable, public Logger::Loggable { public: + // Note: rlqs_client is owned directly to ensure that it does not outlive the + // GlobalRateLimitClientImpl (as the impl provides stream callbacks). GlobalRateLimitClientImpl(const Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key, Server::Configuration::FactoryContext& context, absl::string_view domain_name, std::chrono::milliseconds send_reports_interval, ThreadLocal::TypedSlot& buckets_tls, Envoy::Event::Dispatcher& main_dispatcher); - ~GlobalRateLimitClientImpl() { - if (stream_ != nullptr) { - stream_.resetStream(); - } - } + ~GlobalRateLimitClientImpl() = default; void onReceiveMessage(RateLimitQuotaResponsePtr&& response) override; @@ -163,8 +161,8 @@ class GlobalRateLimitClientImpl : public Grpc::AsyncStreamCallbacks< // Domain from filter configuration. The same domain name throughout the // whole lifetime of client. std::string domain_name_; - // Client is stored as the bare object since there is no ownership transfer - // involved. + // Client is stored as the bare object since GrpcAsyncClient already takes ownership of the given + // raw AsyncClientPtr. GrpcAsyncClient async_client_; Grpc::AsyncStream stream_{}; @@ -195,7 +193,7 @@ createGlobalRateLimitClientImpl(Server::Configuration::FactoryContext& context, absl::string_view domain_name, std::chrono::milliseconds send_reports_interval, ThreadLocal::TypedSlot& buckets_tls, - Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key) { + const Grpc::GrpcServiceConfigWithHashKey& config_with_hash_key) { Envoy::Event::Dispatcher& main_dispatcher = context.serverFactoryContext().mainThreadDispatcher(); return std::make_unique(config_with_hash_key, context, domain_name, send_reports_interval, buckets_tls, diff --git a/test/extensions/filters/http/rate_limit_quota/client_test.cc b/test/extensions/filters/http/rate_limit_quota/client_test.cc index 4a480c6dc0ddf..0d3d7031c496e 100644 --- a/test/extensions/filters/http/rate_limit_quota/client_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/client_test.cc @@ -108,7 +108,7 @@ class GlobalClientTest : public ::testing::Test { std::make_shared(std::make_shared()); buckets_tls_->set([initial_tl_buckets_cache](Unused) { return initial_tl_buckets_cache; }); - mock_stream_client->expectClientCreation(); + mock_stream_client->expectClientCreationWithFactory(); global_client_ = std::make_unique( mock_stream_client->config_with_hash_key_, mock_stream_client->context_, mock_domain_, reporting_interval_, *buckets_tls_, *mock_stream_client->dispatcher_); @@ -120,6 +120,11 @@ class GlobalClientTest : public ::testing::Test { unordered_differencer_.set_repeated_field_comparison(MessageDifferencer::AS_SET); } + void TearDown() override { + // Normally called by TlsStore destructor as part of filter factory cb deletion. + mock_stream_client->dispatcher_->deferredDelete(std::move(global_client_)); + } + std::unique_ptr mock_stream_client = nullptr; std::unique_ptr global_client_ = nullptr; ThreadLocal::TypedSlotPtr buckets_tls_ = nullptr; @@ -1252,6 +1257,57 @@ TEST_F(GlobalClientTest, TestAbandonAction) { ASSERT_FALSE(bucket_after); } +TEST_F(GlobalClientTest, TestResponseBucketMissingId) { + mock_stream_client->expectStreamCreation(1); + // Expect expiration timers to start for each of the response's assignments & + // a reset of the TokenBucket assignment's expiration timer (even when not + // resetting the TokenBucket itself). + mock_stream_client->expectTimerCreations(reporting_interval_, action_ttl, 1); + + // Expect initial bucket creations to each trigger immediate bucket-specific + // reports. + RateLimitQuotaUsageReports initial_report = buildReports( + std::vector{{/*allowed=*/1, /*denied=*/0, /*bucket_id=*/sample_bucket_id_}}); + EXPECT_CALL( + mock_stream_client->stream_, + sendMessageRaw_(Grpc::ProtoBufferEqIgnoreRepeatedFieldOrdering(initial_report), false)); + + cb_ptr_->expectBuckets({sample_id_hash_}); + global_client_->createBucket(sample_bucket_id_, sample_id_hash_, default_allow_action, nullptr, + std::chrono::milliseconds::zero(), true); + cb_ptr_->waitForExpectedBuckets(); + + setAtomic(1, getQuotaUsage(*buckets_tls_, sample_id_hash_)->num_requests_allowed); + + RateLimitQuotaUsageReports expected_reports = buildReports( + std::vector{{/*allowed=*/1, /*denied=*/0, /*bucket_id=*/sample_bucket_id_}}); + EXPECT_CALL( + mock_stream_client->stream_, + sendMessageRaw_(Grpc::ProtoBufferEqIgnoreRepeatedFieldOrdering(expected_reports), false)); + + mock_stream_client->timer_->invokeCallback(); + waitForNotification(cb_ptr_->report_sent); + + // Test that an invalid bucket id in a response is ignored but doesn't disrupt processing of other + // buckets. + auto empty_id_allow_action = buildBlanketAction(BucketId(), false); + auto deny_action = buildBlanketAction(sample_bucket_id_, true); + std::unique_ptr response = std::make_unique(); + response->add_bucket_action()->CopyFrom(empty_id_allow_action); + response->add_bucket_action()->CopyFrom(deny_action); + + // Mimic sending the response across the stream. + WAIT_FOR_LOG_CONTAINS("error", "Received an RLQS response, but a bucket is missing its id.", { + global_client_->onReceiveMessage(std::move(response)); + waitForNotification(cb_ptr_->response_processed); + }); + + // Expect the deny-all bucket to have made it into TLS. + std::shared_ptr deny_all_bucket = getBucket(*buckets_tls_, sample_id_hash_); + ASSERT_TRUE(deny_all_bucket->cached_action); + EXPECT_TRUE(unordered_differencer_.Equals(*deny_all_bucket->cached_action, deny_action)); +} + class LocalClientTest : public GlobalClientTest { protected: LocalClientTest() : GlobalClientTest() {} diff --git a/test/extensions/filters/http/rate_limit_quota/client_test_utils.h b/test/extensions/filters/http/rate_limit_quota/client_test_utils.h index 0391391a87eee..5743f2f3d965b 100644 --- a/test/extensions/filters/http/rate_limit_quota/client_test_utils.h +++ b/test/extensions/filters/http/rate_limit_quota/client_test_utils.h @@ -28,6 +28,14 @@ using testing::Invoke; using testing::Return; using testing::Unused; +// Async RPC clients include resetting all active streams on destruction. This +// mock extends the base mock to include mocking the reset. +class MockAsyncClientWithReset : public Grpc::MockAsyncClient { +public: + MOCK_METHOD(void, resetActiveStreams, ()); + ~MockAsyncClientWithReset() override { resetActiveStreams(); } +}; + // Used to mock a local rate limit client entirely. class MockRateLimitClient : public RateLimitClient { public: @@ -42,6 +50,20 @@ class MockRateLimitClient : public RateLimitClient { MOCK_METHOD(std::shared_ptr, getBucket, (size_t id), (override)); }; +// Support the other method of creating a RLQS streaming client. +class FakeClientFactory : public Grpc::AsyncClientFactory { +public: + FakeClientFactory(Grpc::RawAsyncClientPtr async_client) + : async_client_(std::move(async_client)) {} + ~FakeClientFactory() override = default; + absl::StatusOr createUncachedRawAsyncClient() override { + return std::move(async_client_); + } + +private: + Grpc::RawAsyncClientPtr async_client_ = nullptr; +}; + // Used when creating a "real" global rate limit client with mocked, underlying // interfaces. class RateLimitTestClient { @@ -51,6 +73,14 @@ class RateLimitTestClient { config_with_hash_key_ = Grpc::GrpcServiceConfigWithHashKey(grpc_service_); } + void expectClientReset() { + EXPECT_CALL(*async_client_, resetActiveStreams()).WillOnce([&]() { + if (stream_callbacks_ != nullptr) { + stream_.resetStream(); + } + }); + } + void expectClientCreation() { EXPECT_CALL(context_.server_factory_context_.cluster_manager_.async_client_manager_, getOrCreateRawAsyncClientWithHashKey(_, _, _)) @@ -58,9 +88,23 @@ class RateLimitTestClient { .WillRepeatedly(Invoke(this, &RateLimitTestClient::mockCreateAsyncClient)); } + void expectClientCreationWithFactory() { + EXPECT_CALL(context_.server_factory_context_.cluster_manager_.async_client_manager_, + factoryForGrpcService(_, _, _)) + .Times(testing::AtLeast(1)) + .WillRepeatedly(Invoke(this, &RateLimitTestClient::mockCreateAsyncClientFactory)); + } + void failClientCreation() { EXPECT_CALL(context_.server_factory_context_.cluster_manager_.async_client_manager_, - getOrCreateRawAsyncClientWithHashKey(_, _, _)) + factoryForGrpcService(_, _, _)) + .Times(testing::AtLeast(1)) + .WillRepeatedly([]() { return absl::InternalError("Mock client creation failure"); }); + } + + void failClientCreationWithFactory() { + EXPECT_CALL(context_.server_factory_context_.cluster_manager_.async_client_manager_, + factoryForGrpcService(_, _, _)) .Times(testing::AtLeast(1)) .WillRepeatedly([]() { return absl::InternalError("Mock client creation failure"); }); } @@ -136,12 +180,22 @@ class RateLimitTestClient { void expectTimeSource() {} + Grpc::AsyncClientFactoryPtr mockCreateAsyncClientFactory(Unused, Unused, Unused) { + std::unique_ptr async_client = + std::make_unique(); + async_client_ = async_client.get(); + expectClientReset(); + return std::make_unique(std::move(async_client)); + } + Grpc::RawAsyncClientSharedPtr mockCreateAsyncClient(Unused, Unused, Unused) { - if (async_client_ != nullptr) { - return async_client_; + if (owned_async_client_ != nullptr) { + return owned_async_client_; } - async_client_ = std::make_shared(); - return async_client_; + owned_async_client_ = std::make_shared(); + async_client_ = owned_async_client_.get(); + expectClientReset(); + return owned_async_client_; } void setStreamStartToFail(int fail_starts) { fail_starts_ = fail_starts; } @@ -162,7 +216,8 @@ class RateLimitTestClient { Grpc::GrpcServiceConfigWithHashKey config_with_hash_key_; envoy::config::core::v3::GrpcService grpc_service_; - std::shared_ptr async_client_ = nullptr; + std::shared_ptr owned_async_client_ = nullptr; + MockAsyncClientWithReset* async_client_ = nullptr; Grpc::MockAsyncStream stream_; NiceMock stream_info_; Grpc::RawAsyncStreamCallbacks* stream_callbacks_; diff --git a/test/extensions/filters/http/rate_limit_quota/config_test.cc b/test/extensions/filters/http/rate_limit_quota/config_test.cc index 9b81005555ca7..d2599a8cc27d4 100644 --- a/test/extensions/filters/http/rate_limit_quota/config_test.cc +++ b/test/extensions/filters/http/rate_limit_quota/config_test.cc @@ -57,7 +57,7 @@ TEST(RateLimitQuotaFilterConfigTest, RateLimitQuotaFilterWithCorrectProto) { // Handle the global client's creation by expecting the underlying async grpc // client creation. getOrThrow fails otherwise. auto mock_stream_client = std::make_unique(); - mock_stream_client->expectClientCreation(); + mock_stream_client->expectClientCreationWithFactory(); RateLimitQuotaFilterFactory factory; std::string stats_prefix = "test"; @@ -145,7 +145,7 @@ TEST(RateLimitQuotaFilterConfigTest, RateLimitQuotaFilterWithInvalidGrpcClient) TestUtility::loadFromYaml(filter_config_yaml, filter_config); auto mock_stream_client = std::make_unique(); - mock_stream_client->failClientCreation(); + mock_stream_client->failClientCreationWithFactory(); RateLimitQuotaFilterFactory factory; std::string stats_prefix = "test"; From 14fac8851792199a77ffd26d4ce270c0a70a0eef Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Sun, 21 Sep 2025 11:38:09 -0700 Subject: [PATCH 447/505] ext_proc: add status_on_error option to control the status code returned (#41124) ## Description This PR adds a new `status_on_error` in ExtProc similar to what we [have for ExtAuthZ](https://arc.net/l/quote/zoibcqsy) which could be used to control the status code returned back to the user in case of failures. users can have some flow in which they expect a different status code to be returned for failures instead of the hardcoded **500 Internal Server Error**. --- **Commit Message:** ext_proc: add status_on_error option to control the status code returned **Additional Description:** Added a new `status_on_error` in ExtProc to control the HTTP status code returned back to the user in case of failures. **Risk Level:** Low **Testing:** Added Integration Tests & Unit Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal --- .../extensions/filters/http/ext_proc/v3/BUILD | 1 + .../filters/http/ext_proc/v3/ext_proc.proto | 9 +- changelogs/current.yaml | 6 + envoy/http/codes.h | 4 +- source/common/http/codes.cc | 1 + .../filters/http/ext_proc/ext_proc.cc | 13 +- .../filters/http/ext_proc/ext_proc.h | 13 ++ test/extensions/filters/http/ext_proc/BUILD | 1 + .../filters/http/ext_proc/config_test.cc | 44 ++++ .../ext_proc/ext_proc_integration_test.cc | 206 ++++++++++++++++++ .../filters/http/ext_proc/filter_test.cc | 31 +++ 11 files changed, 322 insertions(+), 7 deletions(-) diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/BUILD b/api/envoy/extensions/filters/http/ext_proc/v3/BUILD index 782bf90b326bb..ca1f9ec869890 100644 --- a/api/envoy/extensions/filters/http/ext_proc/v3/BUILD +++ b/api/envoy/extensions/filters/http/ext_proc/v3/BUILD @@ -10,6 +10,7 @@ api_proto_package( "//envoy/config/common/mutation_rules/v3:pkg", "//envoy/config/core/v3:pkg", "//envoy/type/matcher/v3:pkg", + "//envoy/type/v3:pkg", "@com_github_cncf_xds//udpa/annotations:pkg", "@com_github_cncf_xds//xds/annotations/v3:pkg", ], diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto index 52d9cd282792a..695703b4648f1 100644 --- a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +++ b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto @@ -9,6 +9,7 @@ import "envoy/config/core/v3/grpc_service.proto"; import "envoy/config/core/v3/http_service.proto"; import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto"; import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http_status.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; @@ -95,7 +96,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // ` object in a namespace matching the filter // name. // -// [#next-free-field: 24] +// [#next-free-field: 25] message ExternalProcessor { // Describes the route cache action to be taken when an external processor response // is received in response to request headers. @@ -350,6 +351,12 @@ message ExternalProcessor { // [#extension-category: envoy.http.ext_proc.response_processors] config.core.v3.TypedExtensionConfig on_processing_response = 23 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Sets the HTTP status code that is returned to the client when the external processing server returns + // an error, fails to respond, or cannot be reached. + // + // The default status is ``HTTP 500 Internal Server Error``. + type.v3.HttpStatus status_on_error = 24; } // ExtProcHttpService is used for HTTP communication between the filter and the external processing service. diff --git a/changelogs/current.yaml b/changelogs/current.yaml index ba8eb47d72b9c..ce6730938c1c4 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -360,6 +360,12 @@ new_features: :ref:`grpc_service ` in the per-route ``check_settings``. Routes without this configuration continue to use the default authorization service. +- area: ext_proc + change: | + Added :ref:`status_on_error ` + to the ``ext_proc`` HTTP filter. This allows configuring the HTTP status code returned to the downstream + client when communication with the external processor fails (e.g., gRPC error). Previously, these cases returned a + fixed ``500``. - area: tracing change: | Added :ref:`trace_context_option ` enum diff --git a/envoy/http/codes.h b/envoy/http/codes.h index 5da40a9ff137e..11393ab521a98 100644 --- a/envoy/http/codes.h +++ b/envoy/http/codes.h @@ -74,7 +74,9 @@ enum class Code : uint16_t { InsufficientStorage = 507, LoopDetected = 508, NotExtended = 510, - NetworkAuthenticationRequired = 511 + NetworkAuthenticationRequired = 511, + // 512-599 are unassigned server error codes. + LastUnassignedServerErrorCode = 599 // clang-format on }; diff --git a/source/common/http/codes.cc b/source/common/http/codes.cc index b0561cedc51ce..949fe3d8d778b 100644 --- a/source/common/http/codes.cc +++ b/source/common/http/codes.cc @@ -292,6 +292,7 @@ const char* CodeUtility::toString(Code code) { case Code::LoopDetected: return "Loop Detected"; case Code::NotExtended: return "Not Extended"; case Code::NetworkAuthenticationRequired: return "Network Authentication Required"; + case Code::LastUnassignedServerErrorCode: return "Last Unassigned Server Error Code"; } // clang-format on diff --git a/source/extensions/filters/http/ext_proc/ext_proc.cc b/source/extensions/filters/http/ext_proc/ext_proc.cc index 1fdb6a859ae6e..e331f5a6c4437 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.cc +++ b/source/extensions/filters/http/ext_proc/ext_proc.cc @@ -258,7 +258,8 @@ FilterConfig::FilterConfig(const ExternalProcessor& config, createOnProcessingResponseCb(config, context, stats_prefix)), thread_local_stream_manager_slot_(context.threadLocal().allocateSlot()), remote_close_timeout_(context.runtime().snapshot().getInteger( - RemoteCloseTimeout, DefaultRemoteCloseTimeoutMilliseconds)) { + RemoteCloseTimeout, DefaultRemoteCloseTimeoutMilliseconds)), + status_on_error_(toErrorCode(config.status_on_error().code())) { if (config.disable_clear_route_cache()) { route_cache_action_ = ExternalProcessor::RETAIN; @@ -577,7 +578,8 @@ void Filter::onError() { decoding_state_.onFinishProcessorCall(Grpc::Status::Aborted); encoding_state_.onFinishProcessorCall(Grpc::Status::Aborted); ImmediateResponse errorResponse; - errorResponse.mutable_status()->set_code(StatusCode::InternalServerError); + errorResponse.mutable_status()->set_code( + static_cast(static_cast(config_->statusOnError()))); errorResponse.set_details(absl::StrCat(ErrorPrefix, "_HTTP_ERROR")); sendImmediateResponse(errorResponse); } @@ -1456,7 +1458,8 @@ void Filter::handleErrorResponse(absl::Status processing_status) { onFinishProcessorCalls(processing_status.raw_code()); closeStream(); ImmediateResponse invalid_mutation_response; - invalid_mutation_response.mutable_status()->set_code(StatusCode::InternalServerError); + invalid_mutation_response.mutable_status()->set_code( + static_cast(static_cast(config_->statusOnError()))); invalid_mutation_response.set_details(std::string(processing_status.message())); sendImmediateResponse(invalid_mutation_response); } @@ -1665,7 +1668,8 @@ void Filter::onGrpcError(Grpc::Status::GrpcStatus status, const std::string& mes onFinishProcessorCalls(status); closeStream(); ImmediateResponse errorResponse; - errorResponse.mutable_status()->set_code(StatusCode::InternalServerError); + errorResponse.mutable_status()->set_code( + static_cast(static_cast(config_->statusOnError()))); errorResponse.set_details( absl::StrFormat("%s_gRPC_error_%i{%s}", ErrorPrefix, status, message)); sendImmediateResponse(errorResponse); @@ -1706,7 +1710,6 @@ void Filter::onMessageTimeout() { decoding_state_.onFinishProcessorCall(Grpc::Status::DeadlineExceeded); encoding_state_.onFinishProcessorCall(Grpc::Status::DeadlineExceeded); ImmediateResponse errorResponse; - errorResponse.mutable_status()->set_code(StatusCode::GatewayTimeout); errorResponse.set_details(absl::StrFormat("%s_per-message_timeout_exceeded", ErrorPrefix)); sendImmediateResponse(errorResponse); diff --git a/source/extensions/filters/http/ext_proc/ext_proc.h b/source/extensions/filters/http/ext_proc/ext_proc.h index 44411ad74b945..43a890ae1eab3 100644 --- a/source/extensions/filters/http/ext_proc/ext_proc.h +++ b/source/extensions/filters/http/ext_proc/ext_proc.h @@ -10,6 +10,7 @@ #include "envoy/event/timer.h" #include "envoy/extensions/filters/http/ext_proc/v3/ext_proc.pb.h" #include "envoy/grpc/async_client.h" +#include "envoy/http/codes.h" #include "envoy/http/filter.h" #include "envoy/service/ext_proc/v3/external_processor.pb.h" #include "envoy/stats/scope.h" @@ -305,7 +306,18 @@ class FilterConfig { std::unique_ptr createOnProcessingResponse() const; + Http::Code statusOnError() const { return status_on_error_; } + private: + static Http::Code toErrorCode(uint64_t status) { + const auto code = static_cast(status); + // Only allow 4xx and 5xx status codes. + if (code >= Http::Code::BadRequest && code <= Http::Code::LastUnassignedServerErrorCode) { + return code; + } + return Http::Code::InternalServerError; + } + ExtProcFilterStats generateStats(const std::string& prefix, const std::string& filter_stats_prefix, Stats::Scope& scope) { const std::string final_prefix = absl::StrCat(prefix, "ext_proc.", filter_stats_prefix); @@ -353,6 +365,7 @@ class FilterConfig { ThreadLocal::SlotPtr thread_local_stream_manager_slot_; const std::chrono::milliseconds remote_close_timeout_; + const Http::Code status_on_error_; }; using FilterConfigSharedPtr = std::shared_ptr; diff --git a/test/extensions/filters/http/ext_proc/BUILD b/test/extensions/filters/http/ext_proc/BUILD index 10b362abc390f..3071935302330 100644 --- a/test/extensions/filters/http/ext_proc/BUILD +++ b/test/extensions/filters/http/ext_proc/BUILD @@ -206,6 +206,7 @@ envoy_extension_cc_test( "@envoy_api//envoy/extensions/filters/http/set_metadata/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/http/upstream_codec/v3:pkg_cc_proto", "@envoy_api//envoy/service/ext_proc/v3:pkg_cc_proto", + "@envoy_api//envoy/type/v3:pkg_cc_proto", "@ocp//ocpdiag/core/testing:status_matchers", ], ) diff --git a/test/extensions/filters/http/ext_proc/config_test.cc b/test/extensions/filters/http/ext_proc/config_test.cc index 0fa8e8a53327f..02ae87c54f224 100644 --- a/test/extensions/filters/http/ext_proc/config_test.cc +++ b/test/extensions/filters/http/ext_proc/config_test.cc @@ -519,6 +519,50 @@ TEST(HttpExtProcConfigTest, FullDuplexStreamedValidation) { EXPECT_TRUE(other_result.ok()); } +TEST(HttpExtProcConfigTest, StatusOnErrorConfig) { + std::string yaml = R"EOF( + grpc_service: + google_grpc: + target_uri: ext_proc_server + stat_prefix: google + status_on_error: + code: 503 + )EOF"; + + ExternalProcessingFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + Http::FilterFactoryCb cb = + factory.createFilterFactoryFromProto(*proto_config, "stats", context).value(); + Http::MockFilterChainFactoryCallbacks filter_callback; + EXPECT_CALL(filter_callback, addStreamFilter(_)); + cb(filter_callback); +} + +TEST(HttpExtProcConfigTest, StatusOnErrorDefaultConfig) { + std::string yaml = R"EOF( + grpc_service: + google_grpc: + target_uri: ext_proc_server + stat_prefix: google + )EOF"; + + ExternalProcessingFilterConfig factory; + ProtobufTypes::MessagePtr proto_config = factory.createEmptyConfigProto(); + TestUtility::loadFromYaml(yaml, *proto_config); + + testing::NiceMock context; + EXPECT_CALL(context, messageValidationVisitor()); + Http::FilterFactoryCb cb = + factory.createFilterFactoryFromProto(*proto_config, "stats", context).value(); + Http::MockFilterChainFactoryCallbacks filter_callback; + EXPECT_CALL(filter_callback, addStreamFilter(_)); + cb(filter_callback); +} + } // namespace } // namespace ExternalProcessing } // namespace HttpFilters diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 41fa4f45661be..d81503a53a83a 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc @@ -9,12 +9,14 @@ #include "envoy/extensions/filters/http/upstream_codec/v3/upstream_codec.pb.h" #include "envoy/network/address.h" #include "envoy/service/ext_proc/v3/external_processor.pb.h" +#include "envoy/type/v3/http_status.pb.h" #include "source/common/json/json_loader.h" #include "source/extensions/filters/http/ext_proc/config.h" #include "source/extensions/filters/http/ext_proc/ext_proc.h" #include "source/extensions/filters/http/ext_proc/on_processing_response.h" +#include "test/common/grpc/grpc_client_integration.h" #include "test/common/http/common.h" #include "test/extensions/filters/http/ext_proc/logging_test_filter.pb.h" #include "test/extensions/filters/http/ext_proc/logging_test_filter.pb.validate.h" @@ -6223,4 +6225,208 @@ TEST_P(ExtProcIntegrationTest, ExtProcLoggingInfoGRPCTimeout) { EXPECT_EQ(*field_request_header_status, "4"); } +// Tests for status_on_error functionality. +class ExtProcStatusOnErrorIntegrationTest : public HttpIntegrationTest, + public Grpc::GrpcClientIntegrationParamTest { +protected: + ExtProcStatusOnErrorIntegrationTest() + : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion()) {} + + void createUpstreams() override { + HttpIntegrationTest::createUpstreams(); + + // Create separate "upstreams" for ExtProc gRPC servers + for (int i = 0; i < grpc_upstream_count_; ++i) { + grpc_upstreams_.push_back(&addFakeUpstream(Http::CodecType::HTTP2)); + } + } + + void TearDown() override { + if (processor_connection_) { + ASSERT_TRUE(processor_connection_->close()); + ASSERT_TRUE(processor_connection_->waitForDisconnect()); + } + cleanupUpstreamAndDownstream(); + } + + void initializeConfig(uint32_t status_code) { + config_helper_.addConfigModifier([this, status_code]( + envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* server_cluster = bootstrap.mutable_static_resources()->add_clusters(); + server_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + server_cluster->set_name("ext_proc_server"); + server_cluster->mutable_load_assignment()->set_cluster_name("ext_proc_server"); + + setGrpcService(*proto_config_.mutable_grpc_service(), "ext_proc_server", + grpc_upstreams_[0]->localAddress()); + + proto_config_.mutable_status_on_error()->set_code( + static_cast(status_code)); + proto_config_.set_failure_mode_allow(false); + + envoy::extensions::filters::network::http_connection_manager::v3::HttpFilter ext_proc_filter; + ext_proc_filter.set_name("envoy.filters.http.ext_proc"); + ext_proc_filter.mutable_typed_config()->PackFrom(proto_config_); + config_helper_.prependFilter(MessageUtil::getJsonStringFromMessageOrError(ext_proc_filter)); + }); + + setUpstreamProtocol(Http::CodecType::HTTP1); + setDownstreamProtocol(Http::CodecType::HTTP1); + } + + IntegrationStreamDecoderPtr sendDownstreamRequest( + absl::optional> modify_headers) { + auto conn = makeClientConnection(lookupPort("http")); + codec_client_ = makeHttpConnection(std::move(conn)); + Http::TestRequestHeaderMapImpl headers; + HttpTestUtility::addDefaultHeaders(headers); + if (modify_headers) { + (*modify_headers)(headers); + } + return codec_client_->makeHeaderOnlyRequest(headers); + } + + void waitForFirstMessage(FakeUpstream& grpc_upstream, ProcessingRequest& request) { + ASSERT_TRUE(grpc_upstream.waitForHttpConnection(*dispatcher_, processor_connection_)); + ASSERT_TRUE(processor_connection_->waitForNewStream(*dispatcher_, processor_stream_)); + ASSERT_TRUE(processor_stream_->waitForGrpcMessage(*dispatcher_, request)); + } + + bool IsEnvoyGrpc() { return std::get<1>(GetParam()) == Envoy::Grpc::ClientType::EnvoyGrpc; } + + envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor proto_config_{}; + FakeStreamPtr processor_stream_; + FakeHttpConnectionPtr processor_connection_; + std::vector grpc_upstreams_; + int grpc_upstream_count_ = 1; +}; + +INSTANTIATE_TEST_SUITE_P(IpVersionsClientType, ExtProcStatusOnErrorIntegrationTest, + GRPC_CLIENT_INTEGRATION_PARAMS, + Grpc::GrpcClientIntegrationParamTest::protocolTestParamsToString); + +// Test that status_on_error is used when gRPC stream encounters an error. +TEST_P(ExtProcStatusOnErrorIntegrationTest, GrpcStreamErrorCustomStatus) { + SKIP_IF_GRPC_CLIENT(Grpc::ClientType::EnvoyGrpc); + + initializeConfig(503); // Use 503 Service Unavailable. + HttpIntegrationTest::initialize(); + auto response = sendDownstreamRequest(absl::nullopt); + + ProcessingRequest request_headers_msg; + waitForFirstMessage(*grpc_upstreams_[0], request_headers_msg); + processor_stream_->startGrpcStream(); + + // Send successful response first, then simulate gRPC stream error. + ProcessingResponse resp; + resp.mutable_request_headers(); + processor_stream_->sendGrpcMessage(resp); + + // Now trigger gRPC stream error which should use status_on_error. + processor_stream_->finishGrpcStream(Grpc::Status::Internal); + + // Should get custom status code 503 instead of default 500. + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_EQ("503", response->headers().getStatusValue()); +} + +// Test that default status (500) is used when status_on_error is not configured. +TEST_P(ExtProcStatusOnErrorIntegrationTest, GrpcStreamErrorDefaultStatus) { + SKIP_IF_GRPC_CLIENT(Grpc::ClientType::EnvoyGrpc); + + // Initialize without setting status_on_error, should default to 500. + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* server_cluster = bootstrap.mutable_static_resources()->add_clusters(); + server_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); + server_cluster->set_name("ext_proc_server"); + server_cluster->mutable_load_assignment()->set_cluster_name("ext_proc_server"); + + setGrpcService(*proto_config_.mutable_grpc_service(), "ext_proc_server", + grpc_upstreams_[0]->localAddress()); + + proto_config_.set_failure_mode_allow(false); + + envoy::extensions::filters::network::http_connection_manager::v3::HttpFilter ext_proc_filter; + ext_proc_filter.set_name("envoy.filters.http.ext_proc"); + ext_proc_filter.mutable_typed_config()->PackFrom(proto_config_); + config_helper_.prependFilter(MessageUtil::getJsonStringFromMessageOrError(ext_proc_filter)); + }); + + setUpstreamProtocol(Http::CodecType::HTTP1); + setDownstreamProtocol(Http::CodecType::HTTP1); + + HttpIntegrationTest::initialize(); + auto response = sendDownstreamRequest(absl::nullopt); + + ProcessingRequest request_headers_msg; + waitForFirstMessage(*grpc_upstreams_[0], request_headers_msg); + processor_stream_->startGrpcStream(); + + // Send successful response first, then simulate gRPC stream error. + ProcessingResponse resp; + resp.mutable_request_headers(); + processor_stream_->sendGrpcMessage(resp); + + // Trigger gRPC stream error without status_on_error configured. + processor_stream_->finishGrpcStream(Grpc::Status::Internal); + + // Should get default status code 500. + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_EQ("500", response->headers().getStatusValue()); +} + +// Test that message timeout returns 504 Gateway Timeout regardless of status_on_error. +TEST_P(ExtProcStatusOnErrorIntegrationTest, MessageTimeoutReturnsGatewayTimeout) { + SKIP_IF_GRPC_CLIENT(Grpc::ClientType::EnvoyGrpc); + + initializeConfig(502); // Configure 502, but timeout should return 504. + proto_config_.mutable_message_timeout()->set_nanos(100000000); // 100ms timeout. + + HttpIntegrationTest::initialize(); + auto response = sendDownstreamRequest(absl::nullopt); + + ProcessingRequest request_headers_msg; + waitForFirstMessage(*grpc_upstreams_[0], request_headers_msg); + processor_stream_->startGrpcStream(); + + // Don't send a response to trigger timeout - just wait for the timeout to occur. + + // Let timeout occur. + test_server_->waitForCounterGe("http.config_test.ext_proc.message_timeouts", 1); + + // Should return 504 Gateway Timeout instead of configured status_on_error. + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_EQ("504", response->headers().getStatusValue()); +} + +// Test that status_on_error is used when processing/mutation errors occur. +TEST_P(ExtProcStatusOnErrorIntegrationTest, ProcessingErrorCustomStatus) { + SKIP_IF_GRPC_CLIENT(Grpc::ClientType::EnvoyGrpc); + + initializeConfig(422); // Use 422 Unprocessable Entity. + // Enable strict mutation rules to trigger processing errors. + proto_config_.mutable_mutation_rules()->mutable_disallow_is_error()->set_value(true); + proto_config_.mutable_mutation_rules()->mutable_disallow_system()->set_value(true); + + HttpIntegrationTest::initialize(); + auto response = sendDownstreamRequest(absl::nullopt); + + // Process the request and send back invalid system header mutation. + ProcessingRequest request_headers_msg; + waitForFirstMessage(*grpc_upstreams_[0], request_headers_msg); + processor_stream_->startGrpcStream(); + + ProcessingResponse resp; + auto* header_mut = resp.mutable_request_headers()->mutable_response()->mutable_header_mutation(); + auto* header = header_mut->add_set_headers(); + header->mutable_append()->set_value(false); + header->mutable_header()->set_key(":system-header"); // This should trigger error. + header->mutable_header()->set_raw_value("invalid"); + processor_stream_->sendGrpcMessage(resp); + + // Should get custom status code 422 for processing error. + ASSERT_TRUE(response->waitForEndStream()); + EXPECT_EQ("422", response->headers().getStatusValue()); +} + } // namespace Envoy diff --git a/test/extensions/filters/http/ext_proc/filter_test.cc b/test/extensions/filters/http/ext_proc/filter_test.cc index 102fd241f94e9..ff7dc4469e8fe 100644 --- a/test/extensions/filters/http/ext_proc/filter_test.cc +++ b/test/extensions/filters/http/ext_proc/filter_test.cc @@ -1718,6 +1718,37 @@ failure_mode_allow: true)EOF"; EXPECT_EQ(config_->stats().failure_mode_allowed_.value(), 1); } +// Verify that when status_on_error is configured, gRPC errors use the configured HTTP status. +TEST_F(HttpFilterTest, GrpcErrorUsesConfiguredStatusOnError) { + std::string yaml_config = R"EOF( +grpc_service: + envoy_grpc: + cluster_name: "ext_proc_server" +status_on_error: + code: 503 +)EOF"; + initialize(std::move(yaml_config)); + + // Start header processing to open the stream and arm timers. + EXPECT_EQ(filter_->decodeHeaders(request_headers_, false), FilterHeadersStatus::StopIteration); + test_time_->advanceTimeWait(std::chrono::microseconds(10)); + + // Expect a 503 Service Unavailable local reply instead of the previous default 500. + TestResponseHeaderMapImpl immediate_response_headers; + EXPECT_CALL(encoder_callbacks_, + sendLocalReply(::Envoy::Http::Code::ServiceUnavailable, "", _, Eq(absl::nullopt), + "ext_proc_error_gRPC_error_13{error_message}")) + .WillOnce(Invoke([&immediate_response_headers]( + Unused, Unused, + std::function modify_headers, Unused, + Unused) { modify_headers(immediate_response_headers); })); + + // Simulate a gRPC error from the external processor. + server_closed_stream_ = true; + stream_callbacks_->onGrpcError(Grpc::Status::Internal, "error_message"); + filter_->onDestroy(); +} + TEST_F(FailureModeAllowOverrideTest, FilterDisallowNoRouteOverride) { std::string yaml_config = R"EOF( grpc_service: From e7ff9139d53ff7cfabba6860d7c0249af4d4ec68 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Sun, 21 Sep 2025 11:40:01 -0700 Subject: [PATCH 448/505] deps: Bump `rules_foreign_cc` -> 0.15.1 (#41139) Fix #40033 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey --- bazel/envoy_build_system.bzl | 2 +- bazel/foreign_cc/BUILD | 12 ++++++++++-- bazel/repository_locations.bzl | 6 +++--- contrib/dlb/source/BUILD | 2 +- contrib/vcl/source/BUILD | 6 +++--- 5 files changed, 18 insertions(+), 10 deletions(-) diff --git a/bazel/envoy_build_system.bzl b/bazel/envoy_build_system.bzl index ea8d9dbf1d0ec..0d67a91976e15 100644 --- a/bazel/envoy_build_system.bzl +++ b/bazel/envoy_build_system.bzl @@ -138,7 +138,7 @@ def envoy_cmake( if pdb_name == "": pdb_name = name - copy_command = "cp {cmake_files_dir}/{pdb_name}.dir/{pdb_name}.pdb $INSTALLDIR/lib/{pdb_name}.pdb".format(cmake_files_dir = cmake_files_dir, pdb_name = pdb_name) + copy_command = "cp {cmake_files_dir}/{pdb_name}.dir/{pdb_name}.pdb $$INSTALLDIR/lib/{pdb_name}.pdb".format(cmake_files_dir = cmake_files_dir, pdb_name = pdb_name) if postfix_script != "": copy_command = copy_command + " && " + postfix_script diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD index 2cd885639a300..dc07b536d3829 100644 --- a/bazel/foreign_cc/BUILD +++ b/bazel/foreign_cc/BUILD @@ -336,8 +336,8 @@ envoy_cmake( "//conditions:default": ["libcares.a"], }), postfix_script = select({ - "//bazel:windows_x86_64": "cp -L $EXT_BUILD_ROOT/external/com_github_c_ares_c_ares/src/lib/ares_nameser.h $INSTALLDIR/include/ares_nameser.h && cp -L $EXT_BUILD_ROOT/external/com_github_c_ares_c_ares/include/ares_dns.h $INSTALLDIR/include/ares_dns.h", - "//conditions:default": "rm -f $INSTALLDIR/include/ares_dns.h && cp -L $EXT_BUILD_ROOT/external/com_github_c_ares_c_ares/include/ares_dns.h $INSTALLDIR/include/ares_dns.h", + "//bazel:windows_x86_64": "cp -L $$EXT_BUILD_ROOT/external/com_github_c_ares_c_ares/src/lib/ares_nameser.h $$INSTALLDIR/include/ares_nameser.h && cp -L $$EXT_BUILD_ROOT/external/com_github_c_ares_c_ares/include/ares_dns.h $$INSTALLDIR/include/ares_dns.h", + "//conditions:default": "rm -f $$INSTALLDIR/include/ares_dns.h && cp -L $$EXT_BUILD_ROOT/external/com_github_c_ares_c_ares/include/ares_dns.h $$INSTALLDIR/include/ares_dns.h", }), ) @@ -534,6 +534,14 @@ envoy_cmake( "//bazel:windows_x86_64": ["zlib.lib"], "//conditions:default": ["libz.a"], }), + postfix_script = select({ + "@platforms//cpu:wasm32": """ + if [[ -f libzlib.a ]]; then + cp libzlib.a $$INSTALLDIR/lib/libz.a + fi + """, + "//conditions:default": "", + }), ) envoy_cmake( diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 08ec75babd66d..e8754e6435310 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1070,11 +1070,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Rules for using foreign build systems in Bazel", project_desc = "Rules for using foreign build systems in Bazel", project_url = "https://github.com/bazelbuild/rules_foreign_cc", - version = "0.14.0", - sha256 = "e0f0ebb1a2223c99a904a565e62aa285bf1d1a8aeda22d10ea2127591624866c", + version = "0.15.1", + sha256 = "32759728913c376ba45b0116869b71b68b1c2ebf8f2bcf7b41222bc07b773d73", strip_prefix = "rules_foreign_cc-{version}", urls = ["https://github.com/bazelbuild/rules_foreign_cc/archive/{version}.tar.gz"], - release_date = "2025-02-11", + release_date = "2025-06-24", use_category = ["build", "dataplane_core", "controlplane"], license = "Apache-2.0", license_url = "https://github.com/bazelbuild/rules_foreign_cc/blob/{version}/LICENSE", diff --git a/contrib/dlb/source/BUILD b/contrib/dlb/source/BUILD index 46c28a3dad186..c4e777a90ce14 100644 --- a/contrib/dlb/source/BUILD +++ b/contrib/dlb/source/BUILD @@ -18,7 +18,7 @@ make( env = {"DLB_DISABLE_DOMAIN_SERVER": "TRUE"}, lib_source = "@intel_dlb//:libdlb", out_static_libs = ["libdlb.a"], - postfix_script = "mv libdlb.a $INSTALLDIR/lib && rm -rf $INSTALLDIR/include && mkdir -p $INSTALLDIR/include && cp -L *.h $INSTALLDIR/include", + postfix_script = "mv libdlb.a $$INSTALLDIR/lib && rm -rf $$INSTALLDIR/include && mkdir -p $$INSTALLDIR/include && cp -L *.h $$INSTALLDIR/include", tags = ["skip_on_windows"], target_compatible_with = envoy_contrib_linux_x86_64_constraints(), targets = ["libdlb.a"], diff --git a/contrib/vcl/source/BUILD b/contrib/vcl/source/BUILD index d8bea84a9a50b..3aed2b35c825f 100644 --- a/contrib/vcl/source/BUILD +++ b/contrib/vcl/source/BUILD @@ -85,9 +85,9 @@ envoy_cmake( "libvlibmemoryclient.a", ], postfix_script = """ - mkdir -p $INSTALLDIR/lib/external $INSTALLDIR/include/external \ - && find . -name "*.a" | xargs -I{} cp -a {} $INSTALLDIR/lib/ \ - && find . -name "*.h" ! -name config.h | xargs -I{} cp -a {} $INSTALLDIR/include + mkdir -p $$INSTALLDIR/lib/external $$INSTALLDIR/include/external \ + && find . -name "*.a" | xargs -I{} cp -a {} $$INSTALLDIR/lib/ \ + && find . -name "*.h" ! -name config.h | xargs -I{} cp -a {} $$INSTALLDIR/include """, tags = [ "cpu:16", From bebaee890d7686ea27f632b92d5366610abd6d0f Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Sun, 21 Sep 2025 14:42:27 -0400 Subject: [PATCH 449/505] Use mutex reference in lock constructors p2 (#41153) Replace deprecated absl::MutexLock::MutexLock(Mutex*) constructor with absl::MutexLock::MutexLock(Mutex&) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- .../library/common/logger/logger_delegate.cc | 4 +- test/integration/alpn_integration_test.cc | 2 +- .../api_listener_integration_test.cc | 2 +- test/integration/autonomous_upstream.cc | 2 +- test/integration/base_integration_test.cc | 12 +-- .../buffer_accounting_integration_test.cc | 40 ++++----- test/integration/fake_upstream.cc | 84 +++++++++---------- 7 files changed, 73 insertions(+), 73 deletions(-) diff --git a/mobile/library/common/logger/logger_delegate.cc b/mobile/library/common/logger/logger_delegate.cc index c34ee275404bc..5faab74eced59 100644 --- a/mobile/library/common/logger/logger_delegate.cc +++ b/mobile/library/common/logger/logger_delegate.cc @@ -44,12 +44,12 @@ DefaultDelegate::~DefaultDelegate() { restoreDelegate(); } // SinkDelegate void DefaultDelegate::log(absl::string_view msg, const spdlog::details::log_msg&) { - absl::MutexLock l(&mutex_); + absl::MutexLock l(mutex_); std::cerr << msg; } void DefaultDelegate::flush() { - absl::MutexLock l(&mutex_); + absl::MutexLock l(mutex_); std::cerr << std::flush; } diff --git a/test/integration/alpn_integration_test.cc b/test/integration/alpn_integration_test.cc index d15d590332df1..1254721306811 100644 --- a/test/integration/alpn_integration_test.cc +++ b/test/integration/alpn_integration_test.cc @@ -146,7 +146,7 @@ TEST_P(AlpnIntegrationTest, Http2RememberSettings) { test_server_->waitForCounterGe("cluster.cluster_0.upstream_cx_total", 1); { - absl::MutexLock l(&fake_upstreams_[0]->lock()); + absl::MutexLock l(fake_upstreams_[0]->lock()); IntegrationCodecClientPtr codec_client1 = makeHttpConnection(lookupPort("http")); auto response1 = codec_client1->makeHeaderOnlyRequest(default_request_headers_); IntegrationCodecClientPtr codec_client2 = makeHttpConnection(lookupPort("http")); diff --git a/test/integration/api_listener_integration_test.cc b/test/integration/api_listener_integration_test.cc index 6e5bd89ceca40..44a0c14916454 100644 --- a/test/integration/api_listener_integration_test.cc +++ b/test/integration/api_listener_integration_test.cc @@ -162,7 +162,7 @@ TEST_P(ApiListenerIntegrationTest, FromWorkerThread) { ThreadLocal::TypedSlot<>::makeUnique(test_server_->server().threadLocal()); slot->set([&dispatchers_mutex, &dispatchers, &has_dispatcher]( Event::Dispatcher& dispatcher) -> std::shared_ptr { - absl::MutexLock ml(&dispatchers_mutex); + absl::MutexLock ml(dispatchers_mutex); // A string comparison on thread name seems to be the only way to // distinguish worker threads from the main thread with the slots interface. if (dispatcher.name() != "main_thread") { diff --git a/test/integration/autonomous_upstream.cc b/test/integration/autonomous_upstream.cc index 8b05a02b5cb70..e747d0a989445 100644 --- a/test/integration/autonomous_upstream.cc +++ b/test/integration/autonomous_upstream.cc @@ -44,7 +44,7 @@ void AutonomousStream::decodeHeaders(Http::RequestHeaderMapSharedPtr&& headers, FakeStream::decodeHeaders(std::move(headers), end_stream); if (send_response) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); sendResponse(); } } diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc index b6a6d241cf7d6..22ff417048e5e 100644 --- a/test/integration/base_integration_test.cc +++ b/test/integration/base_integration_test.cc @@ -377,12 +377,12 @@ bool BaseIntegrationTest::getSocketOption(const std::string& listener_name, int std::vector> listeners; test_server_->server().dispatcher().post([&]() { listeners = test_server_->server().listenerManager().listeners(); - l.Lock(); + l.lock(); listeners_ready = true; - l.Unlock(); + l.unlock(); }); l.LockWhen(absl::Condition(&listeners_ready)); - l.Unlock(); + l.unlock(); for (auto& listener : listeners) { if (listener.get().name() == listener_name) { @@ -404,12 +404,12 @@ void BaseIntegrationTest::registerTestServerPorts(const std::vector std::vector> listeners; test_server->server().dispatcher().post([&listeners, &listeners_ready, &l, &test_server]() { listeners = test_server->server().listenerManager().listeners(); - l.Lock(); + l.lock(); listeners_ready = true; - l.Unlock(); + l.unlock(); }); l.LockWhen(absl::Condition(&listeners_ready)); - l.Unlock(); + l.unlock(); auto listener_it = listeners.cbegin(); auto port_it = port_names.cbegin(); diff --git a/test/integration/buffer_accounting_integration_test.cc b/test/integration/buffer_accounting_integration_test.cc index ba2ad0a14ee9d..e7a4bcd042494 100644 --- a/test/integration/buffer_accounting_integration_test.cc +++ b/test/integration/buffer_accounting_integration_test.cc @@ -77,7 +77,7 @@ void runOnWorkerThreadsAndWaitforCompletion(Server::Instance& server, std::funct void waitForNumTurns(std::vector& turns, absl::Mutex& mu, uint32_t expected_size) { - absl::MutexLock l(&mu); + absl::MutexLock l(mu); auto check_data_in_connection_output_buffer = [&turns, &mu, expected_size]() { mu.AssertHeld(); return turns.size() == expected_size; @@ -915,7 +915,7 @@ class Http2DeferredProcessingIntegrationTest : public Http2BufferWatermarksTest test_server_->waitForCounterEq("http.config_test.downstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.request_body_.length(), 1000); })); @@ -969,7 +969,7 @@ class Http2DeferredProcessingIntegrationTest : public Http2BufferWatermarksTest test_server_->waitForCounterEq("cluster.cluster_0.upstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 1000); })); @@ -1049,7 +1049,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, CanBufferInDownstreamCodec) { test_server_->waitForCounterEq("http.config_test.downstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.request_body_.length(), 1000); })); @@ -1092,7 +1092,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, CanBufferInUpstreamCodec) { test_server_->waitForCounterEq("cluster.cluster_0.upstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 1000); })); @@ -1134,7 +1134,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, CanDeferOnStreamCloseForUpstream) test_server_->waitForCounterEq("cluster.cluster_0.upstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 1000); })); @@ -1190,7 +1190,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, test_server_->waitForCounterEq("cluster.cluster_0.upstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 9000); })); @@ -1237,7 +1237,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, test_server_->waitForCounterEq("cluster.cluster_0.upstream_flow_control_resumed_reading_total", 0); EXPECT_TRUE(tee_filter_factory_.inspectStreamTee(1, [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 1000); })); @@ -1287,7 +1287,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, CanRoundRobinBetweenStreams) { [&turns, &mu](StreamTee& tee, Http::StreamDecoderFilterCallbacks* decoder_callbacks) ABSL_EXCLUSIVE_LOCKS_REQUIRED(tee.mutex_) -> Http::FilterDataStatus { (void)tee; // silence gcc unused warning (the absl annotation usage didn't mark it used.) - absl::MutexLock l(&mu); + absl::MutexLock l(mu); turns.push_back(decoder_callbacks->streamId()); return Http::FilterDataStatus::Continue; }; @@ -1338,7 +1338,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, CanRoundRobinBetweenStreams) { // Check that during deferred processing we round robin between the streams. // Turns in the sequence 0-3 and 8-11 should match. { - absl::MutexLock l(&mu); + absl::MutexLock l(mu); for (uint32_t i = 0; i < num_requests; ++i) { EXPECT_EQ(turns[i], turns[i + 8]); } @@ -1367,7 +1367,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, RoundRobinWithStreamsExiting) { auto record_turns_on_encode_and_stop_writes_on_endstream = [this, &turns, &mu](StreamTee& tee, Http::StreamEncoderFilterCallbacks* encoder_callbacks) ABSL_EXCLUSIVE_LOCKS_REQUIRED(tee.mutex_) -> Http::FilterDataStatus { - absl::MutexLock l(&mu); + absl::MutexLock l(mu); turns.push_back(encoder_callbacks->streamId()); if (tee.encode_end_stream_) { @@ -1411,26 +1411,26 @@ TEST_P(Http2DeferredProcessingIntegrationTest, RoundRobinWithStreamsExiting) { // a chance. waitForNumTurns(turns, mu, 5); { - absl::MutexLock l(&mu); + absl::MutexLock l(mu); // Check ordering as expected. EXPECT_EQ(turns[3], turns[0]); EXPECT_EQ(turns[4], turns[1]); } tee_filter_factory_.inspectStreamTee(tee_filter_factory_.computeClientStreamId(0), [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 8000); }); tee_filter_factory_.inspectStreamTee(tee_filter_factory_.computeClientStreamId(1), [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_TRUE(tee.encode_end_stream_); }); tee_filter_factory_.inspectStreamTee(tee_filter_factory_.computeClientStreamId(2), [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 4000); }); @@ -1446,12 +1446,12 @@ TEST_P(Http2DeferredProcessingIntegrationTest, RoundRobinWithStreamsExiting) { // buffer stopping the 3rd stream from flushing its buffered data. tee_filter_factory_.inspectStreamTee(tee_filter_factory_.computeClientStreamId(2), [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_TRUE(tee.encode_end_stream_); }); tee_filter_factory_.inspectStreamTee(tee_filter_factory_.computeClientStreamId(0), [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_EQ(tee.response_body_.length(), 8000); }); // The 1st stream will finish. @@ -1459,7 +1459,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, RoundRobinWithStreamsExiting) { waitForNumTurns(turns, mu, 7); tee_filter_factory_.inspectStreamTee(tee_filter_factory_.computeClientStreamId(0), [](const StreamTee& tee) { - absl::MutexLock l{&tee.mutex_}; + absl::MutexLock l{tee.mutex_}; EXPECT_TRUE(tee.encode_end_stream_); }); // All responses would have drained to client. @@ -1503,7 +1503,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, ChunkProcessesStreams) { auto record_on_decode = [this, &turns, &mu](StreamTee& tee, Http::StreamDecoderFilterCallbacks* decoder_callbacks) ABSL_EXCLUSIVE_LOCKS_REQUIRED(tee.mutex_) -> Http::FilterDataStatus { - absl::MutexLock l(&mu); + absl::MutexLock l(mu); turns.emplace_back(decoder_callbacks->streamId(), tee.request_body_.length()); // Allows us to build more than chunk size in a stream, as the @@ -1560,7 +1560,7 @@ TEST_P(Http2DeferredProcessingIntegrationTest, ChunkProcessesStreams) { EXPECT_TRUE(upstream_requests[2]->waitForData(*dispatcher_, 131000)); { - absl::MutexLock l(&mu); + absl::MutexLock l(mu); // The 3rd stream should have gone multiple times to drain out the 128KiB of // data. Each chunk drain is 10KB. ASSERT_GE(turns.size(), 3); diff --git a/test/integration/fake_upstream.cc b/test/integration/fake_upstream.cc index c063165053db6..559484e147ec7 100644 --- a/test/integration/fake_upstream.cc +++ b/test/integration/fake_upstream.cc @@ -48,7 +48,7 @@ FakeStream::FakeStream(FakeHttpConnection& parent, Http::ResponseEncoder& encode } void FakeStream::decodeHeaders(Http::RequestHeaderMapSharedPtr&& headers, bool end_stream) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); headers_ = std::move(headers); if (header_validator_) { header_validator_->transformRequestHeaders(*headers_); @@ -58,13 +58,13 @@ void FakeStream::decodeHeaders(Http::RequestHeaderMapSharedPtr&& headers, bool e void FakeStream::decodeData(Buffer::Instance& data, bool end_stream) { received_data_ = true; - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); body_.add(data); setEndStream(end_stream); } void FakeStream::decodeTrailers(Http::RequestTrailerMapPtr&& trailers) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); setEndStream(true); trailers_ = std::move(trailers); } @@ -89,7 +89,7 @@ void FakeStream::encode1xxHeaders(const Http::ResponseHeaderMap& headers) { Http::createHeaderMap(headers)); postToConnectionThread([this, headers_copy]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -117,7 +117,7 @@ void FakeStream::encodeHeaders(const Http::HeaderMap& headers, bool end_stream) postToConnectionThread([this, headers_copy = std::move(headers_copy), end_stream]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -130,7 +130,7 @@ void FakeStream::encodeHeaders(const Http::HeaderMap& headers, bool end_stream) void FakeStream::encodeData(std::string data, bool end_stream) { postToConnectionThread([this, data, end_stream]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -144,7 +144,7 @@ void FakeStream::encodeData(std::string data, bool end_stream) { void FakeStream::encodeData(uint64_t size, bool end_stream) { postToConnectionThread([this, size, end_stream]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -159,7 +159,7 @@ void FakeStream::encodeData(Buffer::Instance& data, bool end_stream) { std::shared_ptr data_copy = std::make_shared(data); postToConnectionThread([this, data_copy, end_stream]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -174,7 +174,7 @@ void FakeStream::encodeTrailers(const Http::HeaderMap& trailers) { Http::createHeaderMap(trailers)); postToConnectionThread([this, trailers_copy]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -187,7 +187,7 @@ void FakeStream::encodeTrailers(const Http::HeaderMap& trailers) { void FakeStream::encodeResetStream() { postToConnectionThread([this]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -204,7 +204,7 @@ void FakeStream::encodeResetStream() { void FakeStream::encodeMetadata(const Http::MetadataMapVector& metadata_map_vector) { postToConnectionThread([this, &metadata_map_vector]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -217,7 +217,7 @@ void FakeStream::encodeMetadata(const Http::MetadataMapVector& metadata_map_vect void FakeStream::readDisable(bool disable) { postToConnectionThread([this, disable]() -> void { { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!parent_.connected() || saw_reset_) { // Encoded already deleted. return; @@ -228,12 +228,12 @@ void FakeStream::readDisable(bool disable) { } void FakeStream::onResetStream(Http::StreamResetReason, absl::string_view) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); saw_reset_ = true; } AssertionResult FakeStream::waitForHeadersComplete(milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return headers_ != nullptr; }; if (!time_system_.waitFor(lock_, absl::Condition(&reached), timeout)) { @@ -265,7 +265,7 @@ bool waitForWithDispatcherRun(Event::TestTimeSystem& time_system, absl::Mutex& l AssertionResult FakeStream::waitForData(Event::Dispatcher& client_dispatcher, uint64_t body_length, milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!waitForWithDispatcherRun( time_system_, lock_, [this, body_length]() @@ -278,7 +278,7 @@ AssertionResult FakeStream::waitForData(Event::Dispatcher& client_dispatcher, ui AssertionResult FakeStream::waitForData(Event::Dispatcher& client_dispatcher, absl::string_view data, milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!waitForWithDispatcherRun( time_system_, lock_, [this, &data]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { @@ -297,7 +297,7 @@ AssertionResult FakeStream::waitForData(Event::Dispatcher& client_dispatcher, AssertionResult FakeStream::waitForData(Event::Dispatcher& client_dispatcher, const FakeStream::ValidatorFunction& data_validator, std::chrono::milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!waitForWithDispatcherRun( time_system_, lock_, [this, data_validator]() @@ -310,7 +310,7 @@ AssertionResult FakeStream::waitForData(Event::Dispatcher& client_dispatcher, AssertionResult FakeStream::waitForEndStream(Event::Dispatcher& client_dispatcher, milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!waitForWithDispatcherRun( time_system_, lock_, [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return end_stream_; }, client_dispatcher, @@ -321,7 +321,7 @@ AssertionResult FakeStream::waitForEndStream(Event::Dispatcher& client_dispatche } AssertionResult FakeStream::waitForReset(milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!time_system_.waitFor(lock_, absl::Condition(&saw_reset_), timeout)) { return AssertionFailure() << "Timed out waiting for reset."; } @@ -330,7 +330,7 @@ AssertionResult FakeStream::waitForReset(milliseconds timeout) { AssertionResult FakeStream::waitForReset(Event::Dispatcher& client_dispatcher, std::chrono::milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!waitForWithDispatcherRun( time_system_, lock_, [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return saw_reset_; }, client_dispatcher, timeout)) { @@ -484,7 +484,7 @@ Http::ServerHeaderValidatorPtr FakeHttpConnection::makeHeaderValidator() { } Http::RequestDecoder& FakeHttpConnection::newStream(Http::ResponseEncoder& encoder, bool) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); new_streams_.emplace_back(new FakeStream(*this, encoder, time_system_)); return *new_streams_.back(); } @@ -538,7 +538,7 @@ void FakeHttpConnection::encodeProtocolError() { AssertionResult FakeConnectionBase::waitForDisconnect(milliseconds timeout) { ENVOY_LOG(trace, "FakeConnectionBase waiting for disconnect"); - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return !shared_connection_.connectedLockHeld(); }; @@ -555,7 +555,7 @@ AssertionResult FakeConnectionBase::waitForDisconnect(milliseconds timeout) { AssertionResult FakeConnectionBase::waitForRstDisconnect(std::chrono::milliseconds timeout) { ENVOY_LOG(trace, "FakeConnectionBase waiting for RST disconnect"); - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return shared_connection_.rstDisconnected(); }; @@ -572,7 +572,7 @@ AssertionResult FakeConnectionBase::waitForRstDisconnect(std::chrono::millisecon } AssertionResult FakeConnectionBase::waitForHalfClose(milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!time_system_.waitFor(lock_, absl::Condition(&half_closed_), timeout)) { return AssertionFailure() << "Timed out waiting for half close."; } @@ -580,7 +580,7 @@ AssertionResult FakeConnectionBase::waitForHalfClose(milliseconds timeout) { } AssertionResult FakeConnectionBase::waitForNoPost(milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!time_system_.waitFor( lock_, absl::Condition( @@ -600,7 +600,7 @@ void FakeConnectionBase::postToConnectionThread(std::function cb) { cb(); { // Snag this lock not because it's needed but so waitForNoPost doesn't stall - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); --pending_cbs_; } }); @@ -609,7 +609,7 @@ void FakeConnectionBase::postToConnectionThread(std::function cb) { AssertionResult FakeHttpConnection::waitForNewStream(Event::Dispatcher& client_dispatcher, FakeStreamPtr& stream, std::chrono::milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (!waitForWithDispatcherRun( time_system_, lock_, [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return !new_streams_.empty(); }, @@ -730,7 +730,7 @@ void FakeUpstream::cleanUp() { bool FakeUpstream::createNetworkFilterChain(Network::Connection& connection, const Filter::NetworkFilterFactoriesList&) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); if (read_disable_on_new_connection_ && http_type_ != Http::CodecType::HTTP3) { // Disable early close detection to avoid closing the network connection before full // initialization is complete. @@ -771,7 +771,7 @@ void FakeUpstream::threadRoutine() { dispatcher_->run(Event::Dispatcher::RunType::Block); handler_.reset(); { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); new_connections_.clear(); quic_connections_.clear(); consumed_connections_.clear(); @@ -787,7 +787,7 @@ AssertionResult FakeUpstream::waitForHttpConnection(Event::Dispatcher& client_di } { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); // As noted in createNetworkFilterChain, HTTP3 FakeHttpConnections are not // lazily created, so HTTP3 needs a different wait path here. @@ -818,7 +818,7 @@ AssertionResult FakeUpstream::waitForHttpConnection(Event::Dispatcher& client_di } } return runOnDispatcherThreadAndWait([&]() { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); connection = std::make_unique( *this, consumeConnection(), http_type_, time_system_, config_.max_request_headers_kb_, config_.max_request_headers_count_, config_.headers_with_underscores_action_); @@ -872,7 +872,7 @@ FakeUpstream::waitForHttpConnection(Event::Dispatcher& client_dispatcher, ABSL_MUST_USE_RESULT AssertionResult FakeUpstream::assertPendingConnectionsEmpty() { return runOnDispatcherThreadAndWait([&]() { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); return new_connections_.empty() ? AssertionSuccess() : AssertionFailure(); }); } @@ -885,7 +885,7 @@ AssertionResult FakeUpstream::waitForRawConnection(FakeRawConnectionPtr& connect } { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return !new_connections_.empty(); }; @@ -897,7 +897,7 @@ AssertionResult FakeUpstream::waitForRawConnection(FakeRawConnectionPtr& connect } return runOnDispatcherThreadAndWait([&]() { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); connection = makeRawConnection(consumeConnection(), timeSystem()); connection->initialize(); // Skip enableHalfClose if the connection is already disconnected. @@ -910,7 +910,7 @@ AssertionResult FakeUpstream::waitForRawConnection(FakeRawConnectionPtr& connect void FakeUpstream::convertFromRawToHttp(FakeRawConnectionPtr& raw_connection, FakeHttpConnectionPtr& connection) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); SharedConnectionWrapper& shared_connection = raw_connection->sharedConnection(); connection = std::make_unique( @@ -945,7 +945,7 @@ AssertionResult FakeUpstream::waitForUdpDatagram(Network::UdpRecvData& data_to_f << "Must initialize the FakeUpstream first by calling initializeServer()."; } - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return !received_datagrams_.empty(); }; @@ -960,7 +960,7 @@ AssertionResult FakeUpstream::waitForUdpDatagram(Network::UdpRecvData& data_to_f } Network::FilterStatus FakeUpstream::onRecvDatagram(Network::UdpRecvData& data) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); received_datagrams_.emplace_back(std::move(data)); return Network::FilterStatus::StopIteration; @@ -1002,7 +1002,7 @@ AssertionResult FakeUpstream::rawWriteConnection(uint32_t index, const std::stri << "Must initialize the FakeUpstream first by calling initializeServer()."; } - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); auto iter = consumed_connections_.begin(); std::advance(iter, index); return (*iter)->executeOnDispatcher( @@ -1049,7 +1049,7 @@ void FakeRawConnection::initialize() { AssertionResult FakeRawConnection::waitForData(uint64_t num_bytes, std::string* data, milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this, num_bytes]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return data_.size() == num_bytes; }; @@ -1068,7 +1068,7 @@ AssertionResult FakeRawConnection::waitForData(uint64_t num_bytes, std::string* AssertionResult FakeRawConnection::waitForData(const std::function& data_validator, std::string* data, milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this, &data_validator]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { return data_validator(data_); }; ENVOY_LOG(debug, "waiting for data"); @@ -1093,7 +1093,7 @@ AssertionResult FakeRawConnection::write(const std::string& data, bool end_strea Network::FilterStatus FakeRawConnection::ReadFilter::onData(Buffer::Instance& data, bool end_stream) { - absl::MutexLock lock(&parent_.lock_); + absl::MutexLock lock(parent_.lock_); ENVOY_LOG(debug, "got {} bytes, end_stream {}", data.length(), end_stream); parent_.data_.append(data.toString()); parent_.half_closed_ = end_stream; @@ -1104,7 +1104,7 @@ Network::FilterStatus FakeRawConnection::ReadFilter::onData(Buffer::Instance& da ABSL_MUST_USE_RESULT AssertionResult FakeHttpConnection::waitForInexactRawData(absl::string_view data, std::string& out, std::chrono::milliseconds timeout) { - absl::MutexLock lock(&lock_); + absl::MutexLock lock(lock_); const auto reached = [this, data, &out]() ABSL_EXCLUSIVE_LOCKS_REQUIRED(lock_) { char peek_buf[200]; auto result = dynamic_cast(&connection()) From c362424376dfbb90dd907c7ee05a5a8d7be60340 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 22 Sep 2025 03:17:44 -0700 Subject: [PATCH 450/505] deps: revert cryptography module update (#41160) ## Description This PR reverts the cryptography module upgrade done as part of [this PR](https://github.com/envoyproxy/envoy/pull/41140). It's throwing these errors in the build: ``` from cryptography.hazmat.bindings._rust import x509 as rust_x509 ImportError: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /mnt/engflow/worker/work/1/exec/bazel-out/k8-fastbuild/bin/test/integration/python/hotrestart_handoff_test.runfiles/base_pip3_cryptography/site-packages/cryptography/hazmat/bindings/_rust.abi3.so) ``` --- **Commit Message:** deps: revert cryptography module update **Additional Description:** Reverting a problematic dependency upgrade which is creating issues. **Risk Level:** N/A **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal --- tools/base/requirements.txt | 59 +++---------------------------------- 1 file changed, 4 insertions(+), 55 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index ae5400bcfc635..ab9bc3d5c17b9 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -447,61 +447,10 @@ coloredlogs==15.0.1 \ # via # -r requirements.in # aio-run-runner -cryptography==46.0.0 \ - --hash=sha256:07a1be54f995ce14740bf8bbe1cc35f7a37760f992f73cf9f98a2a60b9b97419 \ - --hash=sha256:0f58183453032727a65e6605240e7a3824fd1d6a7e75d2b537e280286ab79a52 \ - --hash=sha256:16b5ac72a965ec9d1e34d9417dbce235d45fa04dac28634384e3ce40dfc66495 \ - --hash=sha256:1b4fba84166d906a22027f0d958e42f3a4dbbb19c28ea71f0fb7812380b04e3c \ - --hash=sha256:1d2073313324226fd846e6b5fc340ed02d43fd7478f584741bd6b791c33c9fee \ - --hash=sha256:249c41f2bbfa026615e7bdca47e4a66135baa81b08509ab240a2e666f6af5966 \ - --hash=sha256:274f8b2eb3616709f437326185eb563eb4e5813d01ebe2029b61bfe7d9995fbb \ - --hash=sha256:2fc30be952dd4334801d345d134c9ef0e9ccbaa8c3e1bc18925cbc4247b3e29c \ - --hash=sha256:32670ca085150ff36b438c17f2dfc54146fe4a074ebf0a76d72fb1b419a974bc \ - --hash=sha256:35aa1a44bd3e0efc3ef09cf924b3a0e2a57eda84074556f4506af2d294076685 \ - --hash=sha256:3738f50215211cee1974193a1809348d33893696ce119968932ea117bcbc9b1d \ - --hash=sha256:378eff89b040cbce6169528f130ee75dceeb97eef396a801daec03b696434f06 \ - --hash=sha256:399ef4c9be67f3902e5ca1d80e64b04498f8b56c19e1bc8d0825050ea5290410 \ - --hash=sha256:40ee4ce3c34acaa5bc347615ec452c74ae8ff7db973a98c97c62293120f668c6 \ - --hash=sha256:4bc257c2d5d865ed37d0bd7c500baa71f939a7952c424f28632298d80ccd5ec1 \ - --hash=sha256:4f70cbade61a16f5e238c4b0eb4e258d177a2fcb59aa0aae1236594f7b0ae338 \ - --hash=sha256:523153480d7575a169933f083eb47b1edd5fef45d87b026737de74ffeb300f69 \ - --hash=sha256:6460866a92143a24e3ed68eaeb6e98d0cedd85d7d9a8ab1fc293ec91850b1b38 \ - --hash=sha256:65e9117ebed5b16b28154ed36b164c20021f3a480e9cbb4b4a2a59b95e74c25d \ - --hash=sha256:6c39fd5cd9b7526afa69d64b5e5645a06e1b904f342584b3885254400b63f1b3 \ - --hash=sha256:6d8945bc120dcd90ae39aa841afddaeafc5f2e832809dc54fb906e3db829dfdc \ - --hash=sha256:75d2ddde8f1766ab2db48ed7f2aa3797aeb491ea8dfe9b4c074201aec00f5c16 \ - --hash=sha256:77e3bd53c9c189cea361bc18ceb173959f8b2dd8f8d984ae118e9ac641410252 \ - --hash=sha256:7f3f88df0c9b248dcc2e76124f9140621aca187ccc396b87bc363f890acf3a30 \ - --hash=sha256:80a548a5862d6912a45557a101092cd6c64ae1475b82cef50ee305d14a75f598 \ - --hash=sha256:834af45296083d892e23430e3b11df77e2ac5c042caede1da29c9bf59016f4d2 \ - --hash=sha256:83af84ebe7b6e9b6de05050c79f8cc0173c864ce747b53abce6a11e940efdc0d \ - --hash=sha256:88c09da8a94ac27798f6b62de6968ac78bb94805b5d272dbcfd5fdc8c566999f \ - --hash=sha256:8e8b222eb54e3e7d3743a7c2b1f7fa7df7a9add790307bb34327c88ec85fe087 \ - --hash=sha256:91585fc9e696abd7b3e48a463a20dda1a5c0eeeca4ba60fa4205a79527694390 \ - --hash=sha256:99f64a6d15f19f3afd78720ad2978f6d8d4c68cd4eb600fab82ab1a7c2071dca \ - --hash=sha256:9aa85222f03fdb30defabc7a9e1e3d4ec76eb74ea9fe1504b2800844f9c98440 \ - --hash=sha256:ab3a14cecc741c8c03ad0ad46dfbf18de25218551931a23bca2731d46c706d83 \ - --hash=sha256:b8e7db4ce0b7297e88f3d02e6ee9a39382e0efaf1e8974ad353120a2b5a57ef7 \ - --hash=sha256:bbaa5eef3c19c66613317dc61e211b48d5f550db009c45e1c28b59d5a9b7812a \ - --hash=sha256:be7479f9504bfb46628544ec7cb4637fe6af8b70445d4455fbb9c395ad9b7290 \ - --hash=sha256:bf1961037309ee0bdf874ccba9820b1c2f720c2016895c44d8eb2316226c1ad5 \ - --hash=sha256:c1f6ccd6f2eef3b2eb52837f0463e853501e45a916b3fc42e5d93cf244a4b97b \ - --hash=sha256:c3648d6a5878fd1c9a22b1d43fa75efc069d5f54de12df95c638ae7ba88701d0 \ - --hash=sha256:c39f0947d50f74b1b3523cec3931315072646286fb462995eb998f8136779319 \ - --hash=sha256:c3cd09b1490c1509bf3892bde9cef729795fae4a2fee0621f19be3321beca7e4 \ - --hash=sha256:c457ad3f151d5fb380be99425b286167b358f76d97ad18b188b68097193ed95a \ - --hash=sha256:c9c4121f9a41cc3d02164541d986f59be31548ad355a5c96ac50703003c50fb7 \ - --hash=sha256:d14eaf1569d6252280516bedaffdd65267428cdbc3a8c2d6de63753cf0863d5e \ - --hash=sha256:d1eccae15d5c28c74b2bea228775c63ac5b6c36eedb574e002440c0bc28750d3 \ - --hash=sha256:d349af4d76a93562f1dce4d983a4a34d01cb22b48635b0d2a0b8372cdb4a8136 \ - --hash=sha256:d5c0cbb2fb522f7e39b59a5482a1c9c5923b7c506cfe96a1b8e7368c31617ac0 \ - --hash=sha256:da7f93551d39d462263b6b5c9056c49f780b9200bf9fc2656d7c88c7bdb9b363 \ - --hash=sha256:df932ac70388be034b2e046e34d636245d5eeb8140db24a6b4c2268cd2073270 \ - --hash=sha256:f09a3a108223e319168b7557810596631a8cb864657b0c16ed7a6017f0be9433 \ - --hash=sha256:f85e6a7d42ad60024fa1347b1d4ef82c4df517a4deb7f829d301f1a92ded038c \ - --hash=sha256:f9aaf2a91302e1490c068d2f3af7df4137ac2b36600f5bd26e53d9ec320412d3 \ - --hash=sha256:f9f85d9cf88e3ba2b2b6da3c2310d1cf75bdf04a5bc1a2e972603054f82c4dd5 \ - --hash=sha256:fe9ff1139b2b1f59a5a0b538bbd950f8660a39624bbe10cf3640d17574f973bb +cryptography==44.0.1 \ + --hash=sha256:436df4f203482f41aad60ed1813811ac4ab102765ecae7a2bbb1dbb66dcff5a7 \ + --hash=sha256:72198e2b5925155497a5a3e8c216c7fb3e64c16ccee11f0e7da272fa93b35c4c \ + --hash=sha256:a2d8a7045e1ab9b9f803f0d9531ead85f90c5f2859e653b61497228b18452008 # via # -r requirements.in # aioquic From eb279a2ba0ee1a38e806bd45b4e8081ece5ea5db Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 14:22:11 +0100 Subject: [PATCH 451/505] deps: Bump `com_github_awslabs_aws_c_auth` -> 0.9.1 (#41166) Fix #40995 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index e8754e6435310..a051397d63514 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -218,15 +218,15 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "aws-c-auth", project_desc = "C99 library implementation of AWS client-side authentication: standard credentials providers and signing", project_url = "https://github.com/awslabs/aws-c-auth", - version = "0.9.0", - sha256 = "aa6e98864fefb95c249c100da4ae7aed36ba13a8a91415791ec6fad20bec0427", + version = "0.9.1", + sha256 = "adae1e725d9725682366080b8bf8e49481650c436b846ceeb5efe955d5e03273", strip_prefix = "aws-c-auth-{version}", urls = ["https://github.com/awslabs/aws-c-auth/archive/refs/tags/v{version}.tar.gz"], use_category = ["test_only"], extensions = [ "envoy.filters.http.aws_request_signing", ], - release_date = "2025-03-25", + release_date = "2025-09-04", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/awslabs/aws-c-auth/blob/v{version}/LICENSE", From 7a28fb3957e8ea8a67a9768475291e3cde8d4da6 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 14:22:53 +0100 Subject: [PATCH 452/505] deps: Bump `com_github_zlib_ng_zlib_ng` -> 2.2.5 (#41167) Fix #40641 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index a051397d63514..7f843c9555f58 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -818,12 +818,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "zlib-ng", project_desc = "zlib fork (higher performance)", project_url = "https://github.com/zlib-ng/zlib-ng", - version = "2.2.4", - sha256 = "a73343c3093e5cdc50d9377997c3815b878fd110bf6511c2c7759f2afb90f5a3", + version = "2.2.5", + sha256 = "5b3b022489f3ced82384f06db1e13ba148cbce38c7941e424d6cb414416acd18", strip_prefix = "zlib-ng-{version}", urls = ["https://github.com/zlib-ng/zlib-ng/archive/{version}.tar.gz"], use_category = ["controlplane", "dataplane_core"], - release_date = "2025-02-10", + release_date = "2025-08-07", cpe = "N/A", license = "zlib", license_url = "https://github.com/zlib-ng/zlib-ng/blob/{version}/LICENSE.md", From 46227d85aaa71fc0a183f279d6869498e28c6651 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Mon, 22 Sep 2025 10:24:41 -0400 Subject: [PATCH 453/505] [json_transcoder_filter] Cap grpc stream frame size (#41115) Commit Message: [json_transcoder_filter] Cap grpc stream frame size Additional Description: If the downstream sends data quickly enough, a `decodeData` buffer can contain over 4MB. The upstream grpc service by default will respond with an error if it receives such a frame, that error is surprisingly mapped to a 429 by envoy, and the upstream service won't see it because the grpc library never delivered it, which makes it very difficult to figure out what happened. This change makes it so if the `decodeData` buffer is larger than 1MB while streaming, the buffer is broken into 1MB pieces, thereby avoiding that error (and completing an ancient TODO). This is a behavior change, but should be largely indistinguishable from previous behavior as there are no guarantees about how many buffers the `decodeData` stream is delivered in - it could already have been doing 1MB frames for 5MB of data, or 32KB frames, or really any size. As such I don't think the change merits a runtime guard. Risk Level: Very small, only a [beneficial] behavior change when receiving large buffers. Testing: Added test. Docs Changes: n/a Release Notes: Yes Platform Specific Features: n/a --------- Signed-off-by: Raven Black --- changelogs/current.yaml | 5 ++ .../json_transcoder_filter.cc | 17 ++++- .../json_transcoder_filter.h | 5 ++ .../json_transcoder_filter_test.cc | 64 ++++++++++++++++++- 4 files changed, 87 insertions(+), 4 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index ce6730938c1c4..3b587500eb8b8 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -85,6 +85,11 @@ minor_behavior_changes: Honor the default DNS resolver configuration in the bootstrap config :ref:`typed_dns_resolver_config ` if the :ref:`client_config ` is empty. +- area: grpc_json_transcoder + change: | + Cap the frame size for streamed grpc at 1MB. Without this change there was a small chance + that if a request streamed in sufficiently faster than it was processed, a frame larger than + 4MB could be encoded, which most upstream grpc services would, by default, treat as an error. bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* diff --git a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc index 17b658c123ecc..6c822a52bad6c 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc +++ b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.cc @@ -594,12 +594,23 @@ Http::FilterDataStatus JsonTranscoderFilter::decodeData(Buffer::Instance& data, if (method_->request_type_is_http_body_) { stats_->transcoder_request_buffer_bytes_.add(data.length()); request_data_.move(data); - if (decoderBufferLimitReached(request_data_.length())) { + if (!method_->descriptor_->client_streaming() && + decoderBufferLimitReached(request_data_.length())) { return Http::FilterDataStatus::StopIterationNoBuffer; } - // TODO(euroelessar): Upper bound message size for streaming case. - if (end_stream || method_->descriptor_->client_streaming()) { + if (method_->descriptor_->client_streaming()) { + // To avoid sending a grpc frame larger than 4MB (which grpc will by default reject), + // split the input buffer into 1MB pieces until the buffer is smaller than 1MB. + Buffer::OwnedImpl remaining_request_data; + remaining_request_data.move(request_data_); + while (remaining_request_data.length() > 0) { + uint64_t piece_size = + std::min(remaining_request_data.length(), JsonTranscoderConfig::MaxStreamedPieceSize); + request_data_.move(remaining_request_data, piece_size); + maybeSendHttpBodyRequestMessage(&data); + } + } else if (end_stream) { maybeSendHttpBodyRequestMessage(&data); } else { // TODO(euroelessar): Avoid buffering if content length is already known. diff --git a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h index c833e4965546f..1eebd85a21ff4 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h +++ b/source/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter.h @@ -50,6 +50,11 @@ class JsonTranscoderConfig : public Logger::Loggable, proto_config, Api::Api& api); + // grpc by default doesn't like a frame larger than 4MB. Splitting streamed data + // into 1MB pieces should keep that threshold from being exceeded when data comes + // in as a large buffer. + static constexpr size_t MaxStreamedPieceSize = 1024 * 1024; + /** * Create an instance of Transcoder interface based on incoming request. * @param headers headers received from decoder. diff --git a/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc b/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc index 40eebdcd935de..25807762f5dad 100644 --- a/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc +++ b/test/extensions/filters/http/grpc_json_transcoder/json_transcoder_filter_test.cc @@ -1297,6 +1297,68 @@ TEST_F(GrpcJsonTranscoderFilterTest, TranscodingStreamPostWithHttpBody) { } } +class GrpcJsonTranscoderFilterTestWithLargerBuffer : public GrpcJsonTranscoderFilterTest { +public: + GrpcJsonTranscoderFilterTestWithLargerBuffer() + : GrpcJsonTranscoderFilterTest(modifiedBookstoreProtoConfig()) {} + envoy::extensions::filters::http::grpc_json_transcoder::v3::GrpcJsonTranscoder + modifiedBookstoreProtoConfig() { + auto proto_config = bookstoreProtoConfig(); + proto_config.mutable_max_request_body_size()->set_value(1024 * 1024 * 2); + return proto_config; + } +}; + +TEST_F(GrpcJsonTranscoderFilterTestWithLargerBuffer, TranscodingStreamPostWithLargeBufferHttpBody) { + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "POST"}, {":path", "/streamBody?arg=hi"}, {"content-type", "text/plain"}}; + + EXPECT_CALL(decoder_callbacks_.downstream_callbacks_, clearRouteCache()); + + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_.decodeHeaders(request_headers, false)); + EXPECT_EQ("application/grpc", request_headers.get_("content-type")); + EXPECT_EQ("/streamBody?arg=hi", request_headers.get_("x-envoy-original-path")); + EXPECT_EQ("POST", request_headers.get_("x-envoy-original-method")); + EXPECT_EQ("/bookstore.Bookstore/StreamBody", request_headers.get_(":path")); + EXPECT_EQ("trailers", request_headers.get_("te")); + + // For client_streaming, a large buffer should be packaged into multiple grpc frames. + // Test this with a buffer of 2MB plus 512 bytes. + std::string text(JsonTranscoderConfig::MaxStreamedPieceSize * 2 + 512, 'X'); + Buffer::OwnedImpl buffer; + buffer.add(text); + EXPECT_CALL(decoder_callbacks_, sendLocalReply).Times(0); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_.decodeData(buffer, true)); + + Grpc::Decoder decoder; + std::vector frames; + std::ignore = decoder.decode(buffer, frames); + ASSERT_EQ(frames.size(), 3); + + // First frame should include non-streamed content, plus 1MB of streamed content. + bookstore::EchoBodyRequest expected_first_request; + expected_first_request.set_arg("hi"); + expected_first_request.mutable_nested()->mutable_content()->set_content_type("text/plain"); + expected_first_request.mutable_nested()->mutable_content()->set_data( + std::string(JsonTranscoderConfig::MaxStreamedPieceSize, 'X')); + bookstore::EchoBodyRequest request; + request.ParseFromString(frames[0].data_->toString()); + EXPECT_THAT(request, ProtoEq(expected_first_request)); + + // Second frame should have only 1MB of streamed content. + bookstore::EchoBodyRequest expected_second_request; + expected_second_request.mutable_nested()->mutable_content()->set_data( + std::string(JsonTranscoderConfig::MaxStreamedPieceSize, 'X')); + request.ParseFromString(frames[1].data_->toString()); + EXPECT_THAT(request, ProtoEq(expected_second_request)); + + // Third frame should have the remaining 512 bytes of streamed content. + bookstore::EchoBodyRequest expected_third_request; + expected_third_request.mutable_nested()->mutable_content()->set_data(std::string(512, 'X')); + request.ParseFromString(frames[2].data_->toString()); + EXPECT_THAT(request, ProtoEq(expected_third_request)); +} + TEST_F(GrpcJsonTranscoderFilterTest, TranscodingStreamSSE) { envoy::extensions::filters::http::grpc_json_transcoder::v3::GrpcJsonTranscoder proto_config = bookstoreProtoConfig(); @@ -1337,7 +1399,7 @@ TEST_F(GrpcJsonTranscoderFilterTest, TranscodingStreamSSE) { // The configured buffer limits will not apply. TEST_F(GrpcJsonTranscoderFilterTest, TranscodingStreamPostWithHttpBodyNoBuffer) { EXPECT_CALL(decoder_callbacks_, decoderBufferLimit()) - .Times(testing::AtLeast(3)) + .Times(testing::AtLeast(1)) .WillRepeatedly(Return(8)); Http::TestRequestHeaderMapImpl request_headers{ From 78eb0279c994f650d3beaec4bfd802d874e09af4 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 14:32:54 +0000 Subject: [PATCH 454/505] deps: Bump `com_github_aignas_rules_shellcheck` -> 0.4.0 (#40720) Fix #40709 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey --- bazel/repository_locations.bzl | 6 +++--- .../filters/network/thrift_proxy/driver/generate_fixture.sh | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 7f843c9555f58..bc1de50cb6634 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -204,11 +204,11 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Shellcheck rules for bazel", project_desc = "Now you do not need to depend on the system shellcheck version in your bazel-managed (mono)repos.", project_url = "https://github.com/aignas/rules_shellcheck", - version = "0.3.3", - sha256 = "936ece8097b734ac7fab10f833a68f7d646b4bc760eb5cde3ab17beb85779d50", + version = "0.4.0", + sha256 = "cef935ea1088d2b45c5bc3630f8178c91ba367b071af2bfdcd16c042c5efe8ae", strip_prefix = "rules_shellcheck-{version}", urls = ["https://github.com/aignas/rules_shellcheck/archive/{version}.tar.gz"], - release_date = "2024-02-15", + release_date = "2025-08-13", use_category = ["build"], cpe = "N/A", license = "MIT", diff --git a/test/extensions/filters/network/thrift_proxy/driver/generate_fixture.sh b/test/extensions/filters/network/thrift_proxy/driver/generate_fixture.sh index bdf2e23569088..102cc93f57755 100755 --- a/test/extensions/filters/network/thrift_proxy/driver/generate_fixture.sh +++ b/test/extensions/filters/network/thrift_proxy/driver/generate_fixture.sh @@ -108,7 +108,7 @@ else SERVICE_FLAGS+=("--unix") "${DRIVER_DIR}/server" "${SERVICE_FLAGS[@]}" & SERVER_PID="$!" - while [[ ! -a "${SOCKET}" ]]; do + while [[ ! -e "${SOCKET}" ]]; do sleep 0.1 if ! kill -0 "${SERVER_PID}"; then From 63cd5292e7fca8ef14963f1c7f9d895c8ab6b5bc Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 15:50:08 +0100 Subject: [PATCH 455/505] deps: Bump `rules_cc` -> 0.2.8 (#41165) Fix #41071 --------- Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey --- bazel/dependency_imports.bzl | 2 ++ bazel/repository_locations.bzl | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/bazel/dependency_imports.bzl b/bazel/dependency_imports.bzl index 78aa56773eb64..d2ab0fc039089 100644 --- a/bazel/dependency_imports.bzl +++ b/bazel/dependency_imports.bzl @@ -14,6 +14,7 @@ load("@fuzzing_pip3//:requirements.bzl", pip_fuzzing_dependencies = "install_dep load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchains", "go_rules_dependencies") load("@proxy_wasm_rust_sdk//bazel:dependencies.bzl", "proxy_wasm_rust_sdk_dependencies") load("@rules_buf//buf:repositories.bzl", "rules_buf_toolchains") +load("@rules_cc//cc:extensions.bzl", "compatibility_proxy_repo") load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_dependencies") load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies") load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies") @@ -38,6 +39,7 @@ def envoy_dependency_imports( yq_version = YQ_VERSION, buf_sha = BUF_SHA, buf_version = BUF_VERSION): + compatibility_proxy_repo() rules_foreign_cc_dependencies() go_rules_dependencies() go_register_toolchains(go_version) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index bc1de50cb6634..58f9663ef4135 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1053,9 +1053,9 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "C++ rules for Bazel", project_desc = "Bazel rules for the C++ language", project_url = "https://github.com/bazelbuild/rules_cc", - version = "0.1.4", - sha256 = "0d3b4f984c4c2e1acfd1378e0148d35caf2ef1d9eb95b688f8e19ce0c41bdf5b", - release_date = "2025-07-18", + version = "0.2.8", + sha256 = "207ea073dd20a705f9e8bc5ac02f5203e9621fc672774bb1a0935aefab7aebfa", + release_date = "2025-09-12", strip_prefix = "rules_cc-{version}", urls = ["https://github.com/bazelbuild/rules_cc/releases/download/{version}/rules_cc-{version}.tar.gz"], use_category = [ From 1a26ba39c1165508ef0e82325aed43a86d7bf04e Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 22 Sep 2025 08:58:23 -0700 Subject: [PATCH 456/505] changelog: fix typos in the current changelogs and clean them up (#41161) ## Description This PR fixes the changelog style and clean it up. There are a few issues with the styling and rendering. --- **Commit Message:** changelog: fix typos in the current changelogs and clean them up **Additional Description:** This PR fixes the changelog style and clean it up. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 70 ++++++++++++++++++++--------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 3b587500eb8b8..254b14385f17a 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -31,7 +31,7 @@ behavior_changes: ``FULL_DUPLEX_STREAMED`` configuration combination. - area: load balancing change: | - Moved locality WRR structures out of HostSetImpl and into a separate class. Locality WRR schedulers are now by default owned + Moved locality WRR structures out of ``HostSetImpl`` and into a separate class. Locality WRR schedulers are now by default owned and constructed by the underlying Zone Aware LB, instead of owned and constructed by the Host Set. There should be no visible behavior change for existing users of Zone Aware LBs. @@ -45,8 +45,8 @@ minor_behavior_changes: reach the configured size but has been held for more than 15 seconds, it will be sent immediately. - area: websocket change: | - Allow 4xx and 5xx to go through the filter chain for websocket handshake response check, and the behavior can be - disabled by the runtime guard ``envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain``. + Allow 4xx and 5xx to go through the filter chain for the WebSocket handshake response check. This behavior can be + disabled by the runtime guard ``envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain``. - area: testing change: | In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader``, and ``HeaderHasValueRef`` @@ -59,7 +59,7 @@ minor_behavior_changes: ``envoy.reloadable_features.generic_proxy_codec_buffer_limit`` to ``false``. - area: http3 change: | - Turn off HTTP/3 happy eyeballs in upstream via runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. + Turned off HTTP/3 happy eyeballs in upstream via the runtime guard ``envoy.reloadable_features.http3_happy_eyeballs``. It was found to favor TCP over QUIC when UDP does not work on IPv6 but works on IPv4. - area: mobile change: | @@ -70,7 +70,7 @@ minor_behavior_changes: change: | Added accounting for decompressed HTTP header bytes sent and received. Existing stats only count wire-encoded header bytes. This can be accessed through the ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, - ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and the + ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access log command operators. - area: oauth2 change: | @@ -94,12 +94,12 @@ minor_behavior_changes: bug_fixes: # *Changes expected to improve the state of the world and are unlikely to have negative effects* - area: tcp_proxy - change: - Fixes a bug when downstream TCP connection is created and the upstream connection isn't fully established, no idle timeout - is set on the downstream connection, which may lead to connection leak if the client doesn't close the connection. + change: | + Fixed a bug where when a downstream TCP connection is created and the upstream connection is not fully established, no idle timeout + is set on the downstream connection, which may lead to a connection leak if the client does not close the connection. The fix is to set an idle timeout on the downstream connection immediately after creation. - This fix can be reverted by setting runtime guard ``envoy.reloadable_features.tcp_proxy_set_idle_timer_immediately_on_new_connection`` - to ``false``. + This fix can be reverted by setting the runtime guard + ``envoy.reloadable_features.tcp_proxy_set_idle_timer_immediately_on_new_connection`` to ``false``. - area: udp_proxy change: | Fixed a crash in the UDP proxy that occurred during ``ENVOY_SIGTERM`` when active tunneling sessions were present. @@ -111,14 +111,14 @@ bug_fixes: `libmaxminddb.md `_. - area: http3 change: | - Fixed a bug where access log gets skipped for HTTP/3 requests when the stream is half closed. This behavior can be + Fixed a bug where the access log was skipped for HTTP/3 requests when the stream was half closed. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.quic_fix_defer_logging_miss_for_half_closed_stream`` to ``false``. - area: http change: | - Fixed a bug where the premature resets of streams may result in the recursive draining and potential - stack overflow. Setting proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate - the risk of the stack overflow before this fix. + Fixed a bug where premature resets of streams could result in recursive draining and a potential + stack overflow. Setting a proper ``max_concurrent_streams`` value for HTTP/2 or HTTP/3 could eliminate + the risk of a stack overflow before this fix. - area: listener change: | Fixed a bug where comparing listeners did not consider the network namespace they were listening in. @@ -131,7 +131,7 @@ bug_fixes: Fixed a bug where the ``%TRACE_ID%`` command cannot work properly at the header mutations. - area: listeners change: | - Fixed issue where :ref:`TLS inspector listener filter ` timed out + Fixed an issue where :ref:`TLS inspector listener filter ` timed out when used with other listener filters. The bug was triggered when a previous listener filter processed more data than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. @@ -140,7 +140,7 @@ bug_fixes: Added missing session name, session duration, and ``external_id`` parameters in AssumeRole credentials provider. - area: oauth2 change: | - Fixed a bug introduced in PR [#40228](https://github.com/envoyproxy/envoy/pull/40228), where OAuth2 cookies were + Fixed a bug introduced in PR `#40228 `_, where OAuth2 cookies were removed for requests matching the ``pass_through_matcher`` configuration. This broke setups with multiple OAuth2 filter instances using different ``pass_through_matcher`` configurations, because the first matching instance removed the OAuth2 cookies--even when a passthrough was intended--impacting subsequent filters that still needed those cookies. @@ -160,7 +160,7 @@ bug_fixes: Forwarding Proxy and Router filters. - area: release change: | - Fix distroless image to ensure nonroot. + Fixed the distroless image to ensure nonroot. removed_config_or_runtime: # *Normally occurs at the end of the* :ref:`deprecation period ` @@ -267,7 +267,7 @@ new_features: during the metric flush. - area: tap change: | - Add :ref:`record_upstream_connection ` + Added :ref:`record_upstream_connection ` to determine whether upstream connection information is recorded in the HTTP buffer trace output. - area: quic change: | @@ -296,7 +296,7 @@ new_features: dynamic metadata for routing decisions. - area: lua change: | - Added a new ``filterState()`` on ``streamInfo()`` which provides access to filter state objects stored during request processing. + Added a new ``filterState()`` to ``streamInfo()`` which provides access to filter state objects stored during request processing. This allows Lua scripts to retrieve string, boolean, and numeric values stored by various filters for use in routing decisions, header modifications, and other processing logic. See :ref:`Filter State API ` for more details. @@ -315,11 +315,11 @@ new_features: will take precedence over this field. - area: redis change: | - Added support for 33 new Redis commands including COPY, RPOPLPUSH, SMOVE, SUNION, SDIFF, - SINTER, SINTERSTORE, ZUNIONSTORE, ZINTERSTORE, PFMERGE, GEORADIUS, GEORADIUSBYMEMBER, - RENAME, SORT, SORT_RO, ZMSCORE, SDIFFSTORE, MSETNX, SUBSTR, ZRANGESTORE, ZUNION, ZDIFF, - SUNIONSTORE, SMISMEMBER, HRANDFIELD, GEOSEARCHSTORE, ZDIFFSTORE, ZINTER, ZRANDMEMBER, - BITOP, LPOS, RENAMENX. + Added support for thirty-three new Redis commands including ``COPY``, ``RPOPLPUSH``, ``SMOVE``, ``SUNION``, ``SDIFF``, + ``SINTER``, ``SINTERSTORE``, ``ZUNIONSTORE``, ``ZINTERSTORE``, ``PFMERGE``, ``GEORADIUS``, ``GEORADIUSBYMEMBER``, + ``RENAME``, ``SORT``, ``SORT_RO``, ``ZMSCORE``, ``SDIFFSTORE``, ``MSETNX``, ``SUBSTR``, ``ZRANGESTORE``, ``ZUNION``, + ``ZDIFF``, ``SUNIONSTORE``, ``SMISMEMBER``, ``HRANDFIELD``, ``GEOSEARCHSTORE``, ``ZDIFFSTORE``, ``ZINTER``, ``ZRANDMEMBER``, + ``BITOP``, ``LPOS``, ``RENAMENX``. - area: observability change: | Added ``ENVOY_NOTIFICATION`` macro to track specific conditions in production environments. @@ -382,25 +382,25 @@ new_features: change: | Enhanced Zipkin tracer with advanced collector configuration via :ref:`collector_service ` - using HttpService. New features include: + using ``HttpService``. New features include: - 1. **Custom HTTP Headers**: Add headers to collector requests for custom metadata, service identification, + #. **Custom HTTP Headers**: Add headers to collector requests for custom metadata, service identification, and collector-specific routing. - 2. **Full URI Parsing**: The ``uri`` field now supports both path-only (``/api/v2/spans``) and + #. **Full URI Parsing**: The ``uri`` field now supports both path-only (``/api/v2/spans``) and full URI formats (``https://zipkin-collector.example.com/api/v2/spans``). When using full URIs, Envoy automatically extracts hostname and path components - hostname sets the HTTP ``Host`` header, - and path sets the request path. Path-only URIs fallback to using cluster name as hostname. + and path sets the request path. Path-only URIs fall back to using the cluster name as the hostname. - When configured, collector_service takes precedence over legacy configuration fields (collector_cluster, - collector_endpoint, collector_hostname), which will be deprecated in a future release. Legacy configuration + When configured, ``collector_service`` takes precedence over legacy configuration fields (``collector_cluster``, + ``collector_endpoint``, ``collector_hostname``), which will be deprecated in a future release. Legacy configuration does not support custom headers or URI parsing. - area: composite change: | - Allow composite filter to be configured to insert a filter into the filter chain outside of the decode headers lifecycle phase. + Allow the composite filter to be configured to insert a filter into the filter chain outside of the decode headers lifecycle phase. - area: rbac change: | - Switch the IP matcher to use LC-Trie for performance improvements. + Switched the IP matcher to use LC-Trie for performance improvements. - area: tls_inspector change: | Added dynamic metadata when failing to parse the ``ClientHello``. @@ -417,7 +417,7 @@ new_features: so as to not break compatibility with the existing command's behavior. - area: dynamic_modules change: | - Added a new Logging ABI that allows modules to emit logs in the standard Envoy logging stream under "dynamic_modules" ID. + Added a new Logging ABI that allows modules to emit logs in the standard Envoy logging stream under ``dynamic_modules`` ID. In the Rust SDK, they are available as ``envoy_log_info``, etc. - area: http change: | @@ -438,7 +438,7 @@ new_features: change: | Added a new metric ``db_build_epoch`` to track the build timestamp of the MaxMind geolocation database files. This can be used to monitor the freshness of the databases currently in use by the filter. - See https://maxmind.github.io/MaxMind-DB/#build_epoch for more details. + See `MaxMind-DB build_epoch `_ for more details. - area: overload management change: | Added a new scaled timer type ``HttpDownstreamStreamFlush`` to the overload manager. This allows @@ -453,6 +453,6 @@ new_features: Added :ref:`max_udp_channel_duration ` configuration field to the c-ares DNS resolver. This allows periodic refresh of the UDP channel - to help with avoiding stale socket states, and providing better load distribution across UDP ports. + to help avoid stale socket states and provide better load distribution across UDP ports. deprecated: From d6dffa7345b603d997bb489e645a1c11fe7deebf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Sep 2025 06:07:07 +0000 Subject: [PATCH 457/505] build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.9 Bumps google.golang.org/protobuf from 1.36.6 to 1.36.9. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index fc0002fc3a35c..026f85cabedcb 100644 --- a/go.mod +++ b/go.mod @@ -1,7 +1,7 @@ module github.com/envoyproxy/envoy -go 1.22 +go 1.23 -require google.golang.org/protobuf v1.36.6 +require google.golang.org/protobuf v1.36.9 require github.com/google/go-cmp v0.5.9 // indirect diff --git a/go.sum b/go.sum index ce42a4aeef356..7633c53456409 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,4 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw= +google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= From 97d7a29b64a5642fdd7f643d26214d63c3913f56 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 06:02:22 +0000 Subject: [PATCH 458/505] build(deps): bump github/codeql-action from 3.30.2 to 3.30.3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.2 to 3.30.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/d3678e237b9c32a6c9bffb3315c335f976f3549f...192325c86100d080feab897ff886c34abd4c83a3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-daily.yml | 4 ++-- .github/workflows/codeql-push.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index af248d50aa4db..a98119190a5eb 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -34,7 +34,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 + uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # codeql-bundle-v3.30.3 # Override language selection by uncommenting this and choosing your languages with: languages: cpp @@ -75,6 +75,6 @@ jobs: git clean -xdf - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 + uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # codeql-bundle-v3.30.3 with: trap-caching: false diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index 632bea81b786a..a643d88edd73f 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -67,7 +67,7 @@ jobs: - name: Initialize CodeQL if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 + uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # codeql-bundle-v3.30.3 with: languages: cpp trap-caching: false @@ -112,6 +112,6 @@ jobs: - name: Perform CodeQL Analysis if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # codeql-bundle-v3.30.2 + uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # codeql-bundle-v3.30.3 with: trap-caching: false diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 76cf16fc8197b..feccc8750d4c0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2 + uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 with: sarif_file: results.sarif From 30230e52143ad9f4065cc8ceab73a116a418499b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 10:58:39 +0000 Subject: [PATCH 459/505] build(deps): bump moby/buildkit from v0.23.2 to v0.24.0 in /ci Bumps moby/buildkit from v0.23.2 to v0.24.0. --- updated-dependencies: - dependency-name: moby/buildkit dependency-version: v0.24.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- ci/Dockerfile-buildkit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/Dockerfile-buildkit b/ci/Dockerfile-buildkit index b974a589eb2c8..a3634314bf0c7 100644 --- a/ci/Dockerfile-buildkit +++ b/ci/Dockerfile-buildkit @@ -1,3 +1,3 @@ # We dont build from this dockerfile - we just parse the version, but storing # here means we get the dependabot updates -FROM moby/buildkit:v0.23.2 +FROM moby/buildkit:v0.24.0 From ac7dbb0381ed98f5371dc9db0bf547f2bbf1ac2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Sep 2025 22:43:44 +0000 Subject: [PATCH 460/505] build(deps): bump pygithub from 2.6.1 to 2.8.1 in /tools/base Bumps [pygithub](https://github.com/pygithub/pygithub) from 2.6.1 to 2.8.1. - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](https://github.com/pygithub/pygithub/compare/v2.6.1...v2.8.1) --- updated-dependencies: - dependency-name: pygithub dependency-version: 2.8.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tools/base/requirements.txt | 82 ++----------------------------------- 1 file changed, 3 insertions(+), 79 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index ab9bc3d5c17b9..b540831b5208d 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -461,10 +461,6 @@ dependatool==0.2.3 \ --hash=sha256:04bf88d01302eec697a69e8301d14668a89d676dbd2a3914e91c610a531e9db7 \ --hash=sha256:113a6641889d3dae7c81cb0a0483c31a2657f179474e11f4731b285963475ade # via -r requirements.in -deprecated==1.2.14 \ - --hash=sha256:6fac8b097794a90302bdbb17b9b815e732d3c4720583ff1b198499d78470466c \ - --hash=sha256:e5323eb936458dccc2582dc6f9c322c852a775a27065ff2b0c4970b9d53d01b3 - # via pygithub docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 @@ -1148,9 +1144,9 @@ pyflakes==3.4.0 \ --hash=sha256:b24f96fafb7d2ab0ec5075b7350b3d2d2218eab42003821c06344973d3ea2f58 \ --hash=sha256:f742a7dbd0d9cb9ea41e9a24a918996e8170c799fa528688d40dd582c8265f4f # via flake8 -pygithub==2.6.1 \ - --hash=sha256:6f2fa6d076ccae475f9fc392cc6cdbd54db985d4f69b8833a28397de75ed6ca3 \ - --hash=sha256:b5c035392991cca63959e9453286b41b54d83bf2de2daa7d7ff7e4312cebf3bf +pygithub==2.8.1 \ + --hash=sha256:23a0a5bca93baef082e03411bf0ce27204c32be8bfa7abc92fe4a3e132936df0 \ + --hash=sha256:341b7c78521cb07324ff670afd1baa2bf5c286f8d9fd302c1798ba594a5400c9 # via -r requirements.in pygments==2.18.0 \ --hash=sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199 \ @@ -1488,78 +1484,6 @@ verboselogs==1.7 \ # envoy-distribution-repo # envoy-github-abstract # envoy-github-release -wrapt==1.16.0 \ - --hash=sha256:0d2691979e93d06a95a26257adb7bfd0c93818e89b1406f5a28f36e0d8c1e1fc \ - --hash=sha256:14d7dc606219cdd7405133c713f2c218d4252f2a469003f8c46bb92d5d095d81 \ - --hash=sha256:1a5db485fe2de4403f13fafdc231b0dbae5eca4359232d2efc79025527375b09 \ - --hash=sha256:1acd723ee2a8826f3d53910255643e33673e1d11db84ce5880675954183ec47e \ - --hash=sha256:1ca9b6085e4f866bd584fb135a041bfc32cab916e69f714a7d1d397f8c4891ca \ - --hash=sha256:1dd50a2696ff89f57bd8847647a1c363b687d3d796dc30d4dd4a9d1689a706f0 \ - --hash=sha256:2076fad65c6736184e77d7d4729b63a6d1ae0b70da4868adeec40989858eb3fb \ - --hash=sha256:2a88e6010048489cda82b1326889ec075a8c856c2e6a256072b28eaee3ccf487 \ - --hash=sha256:3ebf019be5c09d400cf7b024aa52b1f3aeebeff51550d007e92c3c1c4afc2a40 \ - --hash=sha256:418abb18146475c310d7a6dc71143d6f7adec5b004ac9ce08dc7a34e2babdc5c \ - --hash=sha256:43aa59eadec7890d9958748db829df269f0368521ba6dc68cc172d5d03ed8060 \ - --hash=sha256:44a2754372e32ab315734c6c73b24351d06e77ffff6ae27d2ecf14cf3d229202 \ - --hash=sha256:490b0ee15c1a55be9c1bd8609b8cecd60e325f0575fc98f50058eae366e01f41 \ - --hash=sha256:49aac49dc4782cb04f58986e81ea0b4768e4ff197b57324dcbd7699c5dfb40b9 \ - --hash=sha256:5eb404d89131ec9b4f748fa5cfb5346802e5ee8836f57d516576e61f304f3b7b \ - --hash=sha256:5f15814a33e42b04e3de432e573aa557f9f0f56458745c2074952f564c50e664 \ - --hash=sha256:5f370f952971e7d17c7d1ead40e49f32345a7f7a5373571ef44d800d06b1899d \ - --hash=sha256:66027d667efe95cc4fa945af59f92c5a02c6f5bb6012bff9e60542c74c75c362 \ - --hash=sha256:66dfbaa7cfa3eb707bbfcd46dab2bc6207b005cbc9caa2199bcbc81d95071a00 \ - --hash=sha256:685f568fa5e627e93f3b52fda002c7ed2fa1800b50ce51f6ed1d572d8ab3e7fc \ - --hash=sha256:6906c4100a8fcbf2fa735f6059214bb13b97f75b1a61777fcf6432121ef12ef1 \ - --hash=sha256:6a42cd0cfa8ffc1915aef79cb4284f6383d8a3e9dcca70c445dcfdd639d51267 \ - --hash=sha256:6dcfcffe73710be01d90cae08c3e548d90932d37b39ef83969ae135d36ef3956 \ - --hash=sha256:6f6eac2360f2d543cc875a0e5efd413b6cbd483cb3ad7ebf888884a6e0d2e966 \ - --hash=sha256:72554a23c78a8e7aa02abbd699d129eead8b147a23c56e08d08dfc29cfdddca1 \ - --hash=sha256:73870c364c11f03ed072dda68ff7aea6d2a3a5c3fe250d917a429c7432e15228 \ - --hash=sha256:73aa7d98215d39b8455f103de64391cb79dfcad601701a3aa0dddacf74911d72 \ - --hash=sha256:75ea7d0ee2a15733684badb16de6794894ed9c55aa5e9903260922f0482e687d \ - --hash=sha256:7bd2d7ff69a2cac767fbf7a2b206add2e9a210e57947dd7ce03e25d03d2de292 \ - --hash=sha256:807cc8543a477ab7422f1120a217054f958a66ef7314f76dd9e77d3f02cdccd0 \ - --hash=sha256:8e9723528b9f787dc59168369e42ae1c3b0d3fadb2f1a71de14531d321ee05b0 \ - --hash=sha256:9090c9e676d5236a6948330e83cb89969f433b1943a558968f659ead07cb3b36 \ - --hash=sha256:9153ed35fc5e4fa3b2fe97bddaa7cbec0ed22412b85bcdaf54aeba92ea37428c \ - --hash=sha256:9159485323798c8dc530a224bd3ffcf76659319ccc7bbd52e01e73bd0241a0c5 \ - --hash=sha256:941988b89b4fd6b41c3f0bfb20e92bd23746579736b7343283297c4c8cbae68f \ - --hash=sha256:94265b00870aa407bd0cbcfd536f17ecde43b94fb8d228560a1e9d3041462d73 \ - --hash=sha256:98b5e1f498a8ca1858a1cdbffb023bfd954da4e3fa2c0cb5853d40014557248b \ - --hash=sha256:9b201ae332c3637a42f02d1045e1d0cccfdc41f1f2f801dafbaa7e9b4797bfc2 \ - --hash=sha256:a0ea261ce52b5952bf669684a251a66df239ec6d441ccb59ec7afa882265d593 \ - --hash=sha256:a33a747400b94b6d6b8a165e4480264a64a78c8a4c734b62136062e9a248dd39 \ - --hash=sha256:a452f9ca3e3267cd4d0fcf2edd0d035b1934ac2bd7e0e57ac91ad6b95c0c6389 \ - --hash=sha256:a86373cf37cd7764f2201b76496aba58a52e76dedfaa698ef9e9688bfd9e41cf \ - --hash=sha256:ac83a914ebaf589b69f7d0a1277602ff494e21f4c2f743313414378f8f50a4cf \ - --hash=sha256:aefbc4cb0a54f91af643660a0a150ce2c090d3652cf4052a5397fb2de549cd89 \ - --hash=sha256:b3646eefa23daeba62643a58aac816945cadc0afaf21800a1421eeba5f6cfb9c \ - --hash=sha256:b47cfad9e9bbbed2339081f4e346c93ecd7ab504299403320bf85f7f85c7d46c \ - --hash=sha256:b935ae30c6e7400022b50f8d359c03ed233d45b725cfdd299462f41ee5ffba6f \ - --hash=sha256:bb2dee3874a500de01c93d5c71415fcaef1d858370d405824783e7a8ef5db440 \ - --hash=sha256:bc57efac2da352a51cc4658878a68d2b1b67dbe9d33c36cb826ca449d80a8465 \ - --hash=sha256:bf5703fdeb350e36885f2875d853ce13172ae281c56e509f4e6eca049bdfb136 \ - --hash=sha256:c31f72b1b6624c9d863fc095da460802f43a7c6868c5dda140f51da24fd47d7b \ - --hash=sha256:c5cd603b575ebceca7da5a3a251e69561bec509e0b46e4993e1cac402b7247b8 \ - --hash=sha256:d2efee35b4b0a347e0d99d28e884dfd82797852d62fcd7ebdeee26f3ceb72cf3 \ - --hash=sha256:d462f28826f4657968ae51d2181a074dfe03c200d6131690b7d65d55b0f360f8 \ - --hash=sha256:d5e49454f19ef621089e204f862388d29e6e8d8b162efce05208913dde5b9ad6 \ - --hash=sha256:da4813f751142436b075ed7aa012a8778aa43a99f7b36afe9b742d3ed8bdc95e \ - --hash=sha256:db2e408d983b0e61e238cf579c09ef7020560441906ca990fe8412153e3b291f \ - --hash=sha256:db98ad84a55eb09b3c32a96c576476777e87c520a34e2519d3e59c44710c002c \ - --hash=sha256:dbed418ba5c3dce92619656802cc5355cb679e58d0d89b50f116e4a9d5a9603e \ - --hash=sha256:dcdba5c86e368442528f7060039eda390cc4091bfd1dca41e8046af7c910dda8 \ - --hash=sha256:decbfa2f618fa8ed81c95ee18a387ff973143c656ef800c9f24fb7e9c16054e2 \ - --hash=sha256:e4fdb9275308292e880dcbeb12546df7f3e0f96c6b41197e0cf37d2826359020 \ - --hash=sha256:eb1b046be06b0fce7249f1d025cd359b4b80fc1c3e24ad9eca33e0dcdb2e4a35 \ - --hash=sha256:eb6e651000a19c96f452c85132811d25e9264d836951022d6e81df2fff38337d \ - --hash=sha256:ed867c42c268f876097248e05b6117a65bcd1e63b779e916fe2e33cd6fd0d3c3 \ - --hash=sha256:edfad1d29c73f9b863ebe7082ae9321374ccb10879eeabc84ba3b69f2579d537 \ - --hash=sha256:f2058f813d4f2b5e3a9eb2eb3faf8f1d99b81c3e51aeda4b168406443e8ba809 \ - --hash=sha256:f6b2d0c6703c988d334f297aa5df18c45e97b0af3679bb75059e0e0bd8b1069d \ - --hash=sha256:f8212564d49c50eb4565e502814f694e240c55551a5f1bc841d4fcaabb0a9b8a \ - --hash=sha256:ffa565331890b90056c01db69c0fe634a776f8019c143a5ae265f9c6bc4bd6d4 - # via deprecated yamllint==1.35.1 \ --hash=sha256:2e16e504bb129ff515b37823b472750b36b6de07963bd74b307341ef5ad8bdc3 \ --hash=sha256:7a003809f88324fd2c877734f2d575ee7881dd9043360657cc8049c809eba6cd From cd7e267469c7ddcd3867636b94d9d749ca74c221 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Jul 2025 06:55:29 +0000 Subject: [PATCH 461/505] build(deps): bump aiohttp from 3.12.14 to 3.12.15 in /tools/base --- updated-dependencies: - dependency-name: aiohttp dependency-version: 3.12.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- tools/base/requirements.txt | 174 ++++++++++++++++++------------------ 1 file changed, 87 insertions(+), 87 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index b540831b5208d..3ca2821395475 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -95,93 +95,93 @@ aiohappyeyeballs==2.6.1 \ --hash=sha256:c3f9d0113123803ccadfdf3f0faa505bc78e6a72d1cc4806cbd719826e943558 \ --hash=sha256:f349ba8f4b75cb25c99c5c2d84e997e485204d2902a9597802b0371f09331fb8 # via aiohttp -aiohttp==3.12.14 \ - --hash=sha256:02fcd3f69051467bbaa7f84d7ec3267478c7df18d68b2e28279116e29d18d4f3 \ - --hash=sha256:0400f0ca9bb3e0b02f6466421f253797f6384e9845820c8b05e976398ac1d81a \ - --hash=sha256:040afa180ea514495aaff7ad34ec3d27826eaa5d19812730fe9e529b04bb2179 \ - --hash=sha256:04c11907492f416dad9885d503fbfc5dcb6768d90cad8639a771922d584609d3 \ - --hash=sha256:077b4488411a9724cecc436cbc8c133e0d61e694995b8de51aaf351c7578949d \ - --hash=sha256:0ab5b38a6a39781d77713ad930cb5e7feea6f253de656a5f9f281a8f5931b086 \ - --hash=sha256:0b8a69acaf06b17e9c54151a6c956339cf46db4ff72b3ac28516d0f7068f4ced \ - --hash=sha256:15f5f4792c9c999a31d8decf444e79fcfd98497bf98e94284bf390a7bb8c1729 \ - --hash=sha256:16260e8e03744a6fe3fcb05259eeab8e08342c4c33decf96a9dad9f1187275d0 \ - --hash=sha256:196858b8820d7f60578f8b47e5669b3195c21d8ab261e39b1d705346458f445f \ - --hash=sha256:1b07ccef62950a2519f9bfc1e5b294de5dd84329f444ca0b329605ea787a3de5 \ - --hash=sha256:1d6f607ce2e1a93315414e3d448b831238f1874b9968e1195b06efaa5c87e245 \ - --hash=sha256:224d0da41355b942b43ad08101b1b41ce633a654128ee07e36d75133443adcda \ - --hash=sha256:23e1332fff36bebd3183db0c7a547a1da9d3b4091509f6d818e098855f2f27d3 \ - --hash=sha256:2785b112346e435dd3a1a67f67713a3fe692d288542f1347ad255683f066d8e0 \ - --hash=sha256:27f2e373276e4755691a963e5d11756d093e346119f0627c2d6518208483fb6d \ - --hash=sha256:3006a1dc579b9156de01e7916d38c63dc1ea0679b14627a37edf6151bc530088 \ - --hash=sha256:3143a7893d94dc82bc409f7308bc10d60285a3cd831a68faf1aa0836c5c3c767 \ - --hash=sha256:3779ed96105cd70ee5e85ca4f457adbce3d9ff33ec3d0ebcdf6c5727f26b21b3 \ - --hash=sha256:38e360381e02e1a05d36b223ecab7bc4a6e7b5ab15760022dc92589ee1d4238c \ - --hash=sha256:39b94e50959aa07844c7fe2206b9f75d63cc3ad1c648aaa755aa257f6f2498a9 \ - --hash=sha256:3b66e1a182879f579b105a80d5c4bd448b91a57e8933564bf41665064796a338 \ - --hash=sha256:3d62ac3d506cef54b355bd34c2a7c230eb693880001dfcda0bf88b38f5d7af7e \ - --hash=sha256:3f8aad695e12edc9d571f878c62bedc91adf30c760c8632f09663e5f564f4baa \ - --hash=sha256:4699979560728b168d5ab63c668a093c9570af2c7a78ea24ca5212c6cdc2b641 \ - --hash=sha256:4710f77598c0092239bc12c1fcc278a444e16c7032d91babf5abbf7166463f7b \ - --hash=sha256:48e43e075c6a438937c4de48ec30fa8ad8e6dfef122a038847456bfe7b947b63 \ - --hash=sha256:4ac76627c0b7ee0e80e871bde0d376a057916cb008a8f3ffc889570a838f5cc7 \ - --hash=sha256:4dcd1172cd6794884c33e504d3da3c35648b8be9bfa946942d353b939d5f1288 \ - --hash=sha256:4f1205f97de92c37dd71cf2d5bcfb65fdaed3c255d246172cce729a8d849b4da \ - --hash=sha256:565e70d03e924333004ed101599902bba09ebb14843c8ea39d657f037115201b \ - --hash=sha256:5760909b7080aa2ec1d320baee90d03b21745573780a072b66ce633eb77a8656 \ - --hash=sha256:5f9c8d55d6802086edd188e3a7d85a77787e50d56ce3eb4757a3205fa4657922 \ - --hash=sha256:6b8ce87963f0035c6834b28f061df90cf525ff7c9b6283a8ac23acee6502afd4 \ - --hash=sha256:6e06e120e34d93100de448fd941522e11dafa78ef1a893c179901b7d66aa29f2 \ - --hash=sha256:717a0680729b4ebd7569c1dcd718c46b09b360745fd8eb12317abc74b14d14d0 \ - --hash=sha256:7442488b0039257a3bdbc55f7209587911f143fca11df9869578db6c26feeeb8 \ - --hash=sha256:76ae6f1dd041f85065d9df77c6bc9c9703da9b5c018479d20262acc3df97d419 \ - --hash=sha256:791504763f25e8f9f251e4688195e8b455f8820274320204f7eafc467e609425 \ - --hash=sha256:798204af1180885651b77bf03adc903743a86a39c7392c472891649610844635 \ - --hash=sha256:79b29053ff3ad307880d94562cca80693c62062a098a5776ea8ef5ef4b28d140 \ - --hash=sha256:8283f42181ff6ccbcf25acaae4e8ab2ff7e92b3ca4a4ced73b2c12d8cd971393 \ - --hash=sha256:88167bd9ab69bb46cee91bd9761db6dfd45b6e76a0438c7e884c3f8160ff21eb \ - --hash=sha256:8a7865f27db67d49e81d463da64a59365ebd6b826e0e4847aa111056dcb9dc88 \ - --hash=sha256:8bc784302b6b9f163b54c4e93d7a6f09563bd01ff2b841b29ed3ac126e5040bf \ - --hash=sha256:8c779e5ebbf0e2e15334ea404fcce54009dc069210164a244d2eac8352a44b28 \ - --hash=sha256:906d5075b5ba0dd1c66fcaaf60eb09926a9fef3ca92d912d2a0bbdbecf8b1248 \ - --hash=sha256:938bd3ca6259e7e48b38d84f753d548bd863e0c222ed6ee6ace3fd6752768a84 \ - --hash=sha256:9888e60c2c54eaf56704b17feb558c7ed6b7439bca1e07d4818ab878f2083660 \ - --hash=sha256:9b3b15acee5c17e8848d90a4ebc27853f37077ba6aec4d8cb4dbbea56d156933 \ - --hash=sha256:9c748b3f8b14c77720132b2510a7d9907a03c20ba80f469e58d5dfd90c079a1c \ - --hash=sha256:a0ecbb32fc3e69bc25efcda7d28d38e987d007096cbbeed04f14a6662d0eee22 \ - --hash=sha256:a194ace7bc43ce765338ca2dfb5661489317db216ea7ea700b0332878b392cab \ - --hash=sha256:a289f50bf1bd5be227376c067927f78079a7bdeccf8daa6a9e65c38bae14324b \ - --hash=sha256:a3416f95961dd7d5393ecff99e3f41dc990fb72eda86c11f2a60308ac6dcd7a0 \ - --hash=sha256:a3c99ab19c7bf375c4ae3debd91ca5d394b98b6089a03231d4c580ef3c2ae4c5 \ - --hash=sha256:a564188ce831fd110ea76bcc97085dd6c625b427db3f1dbb14ca4baa1447dcbc \ - --hash=sha256:a56809fed4c8a830b5cae18454b7464e1529dbf66f71c4772e3cfa9cbec0a1ff \ - --hash=sha256:a7a1b4302f70bb3ec40ca86de82def532c97a80db49cac6a6700af0de41af5ee \ - --hash=sha256:aa8ec5c15ab80e5501a26719eb48a55f3c567da45c6ea5bb78c52c036b2655c7 \ - --hash=sha256:aaf90137b5e5d84a53632ad95ebee5c9e3e7468f0aab92ba3f608adcb914fa95 \ - --hash=sha256:abe53c3812b2899889a7fca763cdfaeee725f5be68ea89905e4275476ffd7e61 \ - --hash=sha256:ad5fdf6af93ec6c99bf800eba3af9a43d8bfd66dce920ac905c817ef4a712afe \ - --hash=sha256:b413c12f14c1149f0ffd890f4141a7471ba4b41234fe4fd4a0ff82b1dc299dbb \ - --hash=sha256:b5dd3a2ef7c7e968dbbac8f5574ebeac4d2b813b247e8cec28174a2ba3627170 \ - --hash=sha256:b8cc6b05e94d837bcd71c6531e2344e1ff0fb87abe4ad78a9261d67ef5d83eae \ - --hash=sha256:bbad68a2af4877cc103cd94af9160e45676fc6f0c14abb88e6e092b945c2c8e3 \ - --hash=sha256:c875bf6fc2fd1a572aba0e02ef4e7a63694778c5646cdbda346ee24e630d30fb \ - --hash=sha256:ca39e433630e9a16281125ef57ece6817afd1d54c9f1bf32e901f38f16035869 \ - --hash=sha256:cdea089caf6d5cde975084a884c72d901e36ef9c2fd972c9f51efbbc64e96fbd \ - --hash=sha256:cf4f05b8cea571e2ccc3ca744e35ead24992d90a72ca2cf7ab7a2efbac6716db \ - --hash=sha256:d1dcb015ac6a3b8facd3677597edd5ff39d11d937456702f0bb2b762e390a21b \ - --hash=sha256:d8c35632575653f297dcbc9546305b2c1133391089ab925a6a3706dfa775ccab \ - --hash=sha256:dec9cde5b5a24171e0b0a4ca064b1414950904053fb77c707efd876a2da525d8 \ - --hash=sha256:e387668724f4d734e865c1776d841ed75b300ee61059aca0b05bce67061dcacc \ - --hash=sha256:e4c972b0bdaac167c1e53e16a16101b17c6d0ed7eac178e653a07b9f7fad7151 \ - --hash=sha256:e532a25e4a0a2685fa295a31acf65e027fbe2bea7a4b02cdfbbba8a064577663 \ - --hash=sha256:eab9762c4d1b08ae04a6c77474e6136da722e34fdc0e6d6eab5ee93ac29f35d1 \ - --hash=sha256:ee580cb7c00bd857b3039ebca03c4448e84700dc1322f860cf7a500a6f62630c \ - --hash=sha256:f0a2cf66e32a2563bb0766eb24eae7e9a269ac0dc48db0aae90b575dc9583026 \ - --hash=sha256:f0a568abe1b15ce69d4cc37e23020720423f0728e3cb1f9bcd3f53420ec3bfe7 \ - --hash=sha256:f3e9f75ae842a6c22a195d4a127263dbf87cbab729829e0bd7857fb1672400b2 \ - --hash=sha256:f4552ff7b18bcec18b60a90c6982049cdb9dac1dba48cf00b97934a06ce2e597 \ - --hash=sha256:f68d3067eecb64c5e9bab4a26aa11bd676f4c70eea9ef6536b0a4e490639add3 \ - --hash=sha256:f88d3704c8b3d598a08ad17d06006cb1ca52a1182291f04979e305c8be6c9758 \ - --hash=sha256:fbb284d15c6a45fab030740049d03c0ecd60edad9cd23b211d7e11d3be8d56fd +aiohttp==3.12.15 \ + --hash=sha256:010cc9bbd06db80fe234d9003f67e97a10fe003bfbedb40da7d71c1008eda0fe \ + --hash=sha256:049ec0360f939cd164ecbfd2873eaa432613d5e77d6b04535e3d1fbae5a9e645 \ + --hash=sha256:098e92835b8119b54c693f2f88a1dec690e20798ca5f5fe5f0520245253ee0af \ + --hash=sha256:0a146708808c9b7a988a4af3821379e379e0f0e5e466ca31a73dbdd0325b0263 \ + --hash=sha256:0a23918fedc05806966a2438489dcffccbdf83e921a1170773b6178d04ade142 \ + --hash=sha256:0c643f4d75adea39e92c0f01b3fb83d57abdec8c9279b3078b68a3a52b3933b6 \ + --hash=sha256:1004e67962efabbaf3f03b11b4c43b834081c9e3f9b32b16a7d97d4708a9abe6 \ + --hash=sha256:14954a2988feae3987f1eb49c706bff39947605f4b6fa4027c1d75743723eb09 \ + --hash=sha256:1a649001580bdb37c6fdb1bebbd7e3bc688e8ec2b5c6f52edbb664662b17dc84 \ + --hash=sha256:2776c7ec89c54a47029940177e75c8c07c29c66f73464784971d6a81904ce9d1 \ + --hash=sha256:2abbb216a1d3a2fe86dbd2edce20cdc5e9ad0be6378455b05ec7f77361b3ab50 \ + --hash=sha256:2c7d81a277fa78b2203ab626ced1487420e8c11a8e373707ab72d189fcdad20a \ + --hash=sha256:2ce13fcfb0bb2f259fb42106cdc63fa5515fb85b7e87177267d89a771a660b79 \ + --hash=sha256:2e5a495cb1be69dae4b08f35a6c4579c539e9b5706f606632102c0f855bcba7c \ + --hash=sha256:2ee8a8ac39ce45f3e55663891d4b1d15598c157b4d494a4613e704c8b43112cd \ + --hash=sha256:3b6f0af863cf17e6222b1735a756d664159e58855da99cfe965134a3ff63b0b0 \ + --hash=sha256:3bdd6e17e16e1dbd3db74d7f989e8af29c4d2e025f9828e6ef45fbdee158ec75 \ + --hash=sha256:3beb14f053222b391bf9cf92ae82e0171067cc9c8f52453a0f1ec7c37df12a77 \ + --hash=sha256:3c5092ce14361a73086b90c6efb3948ffa5be2f5b6fbcf52e8d8c8b8848bb97c \ + --hash=sha256:3ead1c00f8521a5c9070fcb88f02967b1d8a0544e6d85c253f6968b785e1a2ab \ + --hash=sha256:3eae49032c29d356b94eee45a3f39fdf4b0814b397638c2f718e96cfadf4c4e4 \ + --hash=sha256:3f9d7c55b41ed687b9d7165b17672340187f87a773c98236c987f08c858145a9 \ + --hash=sha256:40b3fee496a47c3b4a39a731954c06f0bd9bd3e8258c059a4beb76ac23f8e421 \ + --hash=sha256:421da6fd326460517873274875c6c5a18ff225b40da2616083c5a34a7570b685 \ + --hash=sha256:4420cf9d179ec8dfe4be10e7d0fe47d6d606485512ea2265b0d8c5113372771b \ + --hash=sha256:46749be6e89cd78d6068cdf7da51dbcfa4321147ab8e4116ee6678d9a056a0cf \ + --hash=sha256:47f6b962246f0a774fbd3b6b7be25d59b06fdb2f164cf2513097998fc6a29693 \ + --hash=sha256:4c39e87afe48aa3e814cac5f535bc6199180a53e38d3f51c5e2530f5aa4ec58c \ + --hash=sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2 \ + --hash=sha256:5015082477abeafad7203757ae44299a610e89ee82a1503e3d4184e6bafdd519 \ + --hash=sha256:5346b93e62ab51ee2a9d68e8f73c7cf96ffb73568a23e683f931e52450e4148d \ + --hash=sha256:536ad7234747a37e50e7b6794ea868833d5220b49c92806ae2d7e8a9d6b5de02 \ + --hash=sha256:56822ff5ddfd1b745534e658faba944012346184fbfe732e0d6134b744516eea \ + --hash=sha256:57d16590a351dfc914670bd72530fd78344b885a00b250e992faea565b7fdc05 \ + --hash=sha256:5fa5d9eb82ce98959fc1031c28198b431b4d9396894f385cb63f1e2f3f20ca6b \ + --hash=sha256:6404dfc8cdde35c69aaa489bb3542fb86ef215fc70277c892be8af540e5e21c0 \ + --hash=sha256:6443cca89553b7a5485331bc9bedb2342b08d073fa10b8c7d1c60579c4a7b9bd \ + --hash=sha256:691d203c2bdf4f4637792efbbcdcd157ae11e55eaeb5e9c360c1206fb03d4d98 \ + --hash=sha256:6990ef617f14450bc6b34941dba4f12d5613cbf4e33805932f853fbd1cf18bfb \ + --hash=sha256:6c5f40ec615e5264f44b4282ee27628cea221fcad52f27405b80abb346d9f3f8 \ + --hash=sha256:6d86a2fbdd14192e2f234a92d3b494dd4457e683ba07e5905a0b3ee25389ac9f \ + --hash=sha256:74bdd8c864b36c3673741023343565d95bfbd778ffe1eb4d412c135a28a8dc89 \ + --hash=sha256:74dad41b3458dbb0511e760fb355bb0b6689e0630de8a22b1b62a98777136e16 \ + --hash=sha256:760fb7db442f284996e39cf9915a94492e1896baac44f06ae551974907922b64 \ + --hash=sha256:79b26fe467219add81d5e47b4a4ba0f2394e8b7c7c3198ed36609f9ba161aecb \ + --hash=sha256:7c7dd29c7b5bda137464dc9bfc738d7ceea46ff70309859ffde8c022e9b08ba7 \ + --hash=sha256:7fbc8a7c410bb3ad5d595bb7118147dfbb6449d862cc1125cf8867cb337e8728 \ + --hash=sha256:802d3868f5776e28f7bf69d349c26fc0efadb81676d0afa88ed00d98a26340b7 \ + --hash=sha256:83603f881e11f0f710f8e2327817c82e79431ec976448839f3cd05d7afe8f830 \ + --hash=sha256:8466151554b593909d30a0a125d638b4e5f3836e5aecde85b66b80ded1cb5b0d \ + --hash=sha256:86ceded4e78a992f835209e236617bffae649371c4a50d5e5a3987f237db84b8 \ + --hash=sha256:894261472691d6fe76ebb7fcf2e5870a2ac284c7406ddc95823c8598a1390f0d \ + --hash=sha256:8e995e1abc4ed2a454c731385bf4082be06f875822adc4c6d9eaadf96e20d406 \ + --hash=sha256:8faa08fcc2e411f7ab91d1541d9d597d3a90e9004180edb2072238c085eac8c2 \ + --hash=sha256:9b2af240143dd2765e0fb661fd0361a1b469cab235039ea57663cda087250ea9 \ + --hash=sha256:9f922ffd05034d439dde1c77a20461cf4a1b0831e6caa26151fe7aa8aaebc315 \ + --hash=sha256:a041e7e2612041a6ddf1c6a33b883be6a421247c7afd47e885969ee4cc58bd8d \ + --hash=sha256:aaa2234bb60c4dbf82893e934d8ee8dea30446f0647e024074237a56a08c01bd \ + --hash=sha256:ac77f709a2cde2cc71257ab2d8c74dd157c67a0558a0d2799d5d571b4c63d44d \ + --hash=sha256:ad702e57dc385cae679c39d318def49aef754455f237499d5b99bea4ef582e51 \ + --hash=sha256:b2acbbfff69019d9014508c4ba0401822e8bae5a5fdc3b6814285b71231b60f3 \ + --hash=sha256:b390ef5f62bb508a9d67cb3bba9b8356e23b3996da7062f1a57ce1a79d2b3d34 \ + --hash=sha256:b52dcf013b57464b6d1e51b627adfd69a8053e84b7103a7cd49c030f9ca44461 \ + --hash=sha256:b5b7fe4972d48a4da367043b8e023fb70a04d1490aa7d68800e465d1b97e493b \ + --hash=sha256:b6fc902bff74d9b1879ad55f5404153e2b33a82e72a95c89cec5eb6cc9e92fbc \ + --hash=sha256:b7011a70b56facde58d6d26da4fec3280cc8e2a78c714c96b7a01a87930a9530 \ + --hash=sha256:b761bac1192ef24e16706d761aefcb581438b34b13a2f069a6d343ec8fb693a5 \ + --hash=sha256:b784d6ed757f27574dca1c336f968f4e81130b27595e458e69457e6878251f5d \ + --hash=sha256:b97752ff12cc12f46a9b20327104448042fce5c33a624f88c18f66f9368091c7 \ + --hash=sha256:bc4fbc61bb3548d3b482f9ac7ddd0f18c67e4225aaa4e8552b9f1ac7e6bda9e5 \ + --hash=sha256:bc9a0f6569ff990e0bbd75506c8d8fe7214c8f6579cca32f0546e54372a3bb54 \ + --hash=sha256:bd44d5936ab3193c617bfd6c9a7d8d1085a8dc8c3f44d5f1dcf554d17d04cf7d \ + --hash=sha256:ced339d7c9b5030abad5854aa5413a77565e5b6e6248ff927d3e174baf3badf7 \ + --hash=sha256:d3ce17ce0220383a0f9ea07175eeaa6aa13ae5a41f30bc61d84df17f0e9b1117 \ + --hash=sha256:d5f1b4ce5bc528a6ee38dbf5f39bbf11dd127048726323b72b8e85769319ffc4 \ + --hash=sha256:d849b0901b50f2185874b9a232f38e26b9b3d4810095a7572eacea939132d4e1 \ + --hash=sha256:db71ce547012a5420a39c1b744d485cfb823564d01d5d20805977f5ea1345676 \ + --hash=sha256:e153e8adacfe2af562861b72f8bc47f8a5c08e010ac94eebbe33dc21d677cd5b \ + --hash=sha256:edd533a07da85baa4b423ee8839e3e91681c7bfa19b04260a469ee94b778bf6d \ + --hash=sha256:f0adb4177fa748072546fb650d9bd7398caaf0e15b370ed3317280b13f4083b0 \ + --hash=sha256:f0fa751efb11a541f57db59c1dd821bec09031e01452b2b6217319b3a1f34f3d \ + --hash=sha256:f2800614cd560287be05e33a679638e586a2d7401f4ddf99e304d98878c29444 \ + --hash=sha256:f813c3e9032331024de2eb2e32a88d86afb69291fbc37a3a3ae81cc9917fb3d0 \ + --hash=sha256:fc49c4de44977aa8601a00edbf157e9a421f227aa7eb477d9e3df48343311065 \ + --hash=sha256:fd736ed420f4db2b8148b52b46b88ed038d0354255f9a73196b7bbce3ea97545 \ + --hash=sha256:fe086edf38b2222328cdf89af0dde2439ee173b8ad7cb659b4e4c6f385b2be3d # via # -r requirements.in # aio-api-github From 23e3faaf9ca1485baff77f4251b45a7e68deaa99 Mon Sep 17 00:00:00 2001 From: phlax Date: Mon, 22 Sep 2025 16:59:34 +0100 Subject: [PATCH 462/505] python: Remove requirements.txt entry from .gitattributes (#41170) this causes more problems than it solves and seems to break dependabot Signed-off-by: Ryan Northey --- .gitattributes | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitattributes b/.gitattributes index 74e5a411fb82d..68991c2b92819 100644 --- a/.gitattributes +++ b/.gitattributes @@ -6,6 +6,5 @@ /test/common/tls/test_data/aes_128_key binary /test/common/tls/test_data/ticket_key_* binary /test/**/*_corpus/* linguist-generated=true -requirements.txt binary package.lock binary yarn.lock binary From 4c4ac8a6df82f99e43dceb7745112e84a24ed750 Mon Sep 17 00:00:00 2001 From: code Date: Tue, 23 Sep 2025 00:12:51 +0800 Subject: [PATCH 463/505] all to keep bazel-* after building (#41173) Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: WangBaiping --- ci/build_setup.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ci/build_setup.sh b/ci/build_setup.sh index 1ef213757975b..9569ddb4e4f9e 100755 --- a/ci/build_setup.sh +++ b/ci/build_setup.sh @@ -62,9 +62,14 @@ if [[ -f "/etc/redhat-release" ]]; then fi function cleanup() { - # Remove build artifacts. This doesn't mess with incremental builds as these - # are just symlinks. - rm -rf "${ENVOY_SRCDIR}"/bazel-* clang.bazelrc + if [[ "${ENVOY_BUILD_SKIP_CLEANUP}" == "true" ]]; then + echo "Skipping cleanup as requested." + return + fi + + # Remove build artifacts. This doesn't mess with incremental builds as these + # are just symlinks. + rm -rf "${ENVOY_SRCDIR}"/bazel-* clang.bazelrc } cleanup From 324943e7ea3b91115fc9a564b1924a2dcd79e293 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:39:10 +0000 Subject: [PATCH 464/505] deps: Bump `com_github_fmtlib_fmt` -> 12.0.0 (#41154) Fix #41121 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 58f9663ef4135..0e9a434a2a4a5 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -337,12 +337,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "fmt", project_desc = "{fmt} is an open-source formatting library providing a fast and safe alternative to C stdio and C++ iostreams", project_url = "https://fmt.dev", - version = "11.2.0", - sha256 = "203eb4e8aa0d746c62d8f903df58e0419e3751591bb53ff971096eaa0ebd4ec3", + version = "12.0.0", + sha256 = "1c32293203449792bf8e94c7f6699c643887e826f2d66a80869b4f279fb07d25", strip_prefix = "fmt-{version}", urls = ["https://github.com/fmtlib/fmt/releases/download/{version}/fmt-{version}.zip"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-05-03", + release_date = "2025-09-17", cpe = "cpe:2.3:a:fmt:fmt:*", license = "fmt", license_url = "https://github.com/fmtlib/fmt/blob/{version}/LICENSE", From 499f53ee1b3c9b5e89c81b0b9f4b2002c2004c3d Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 17:32:09 +0000 Subject: [PATCH 465/505] deps: Bump `rules_shell` -> 0.6.1 (#41176) ## Description Bump `rules_shell` -> 0.6.1 Fix https://github.com/envoyproxy/envoy/issues/41046 --- Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 0e9a434a2a4a5..e287cf44fd276 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1135,12 +1135,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Shell script rules for Bazel", project_desc = "Bazel rules for shell scripts", project_url = "https://github.com/bazelbuild/rules_shell", - version = "0.5.1", - sha256 = "99bfc7aaefd1ed69613bbd25e24bf7871d68aeafca3a6b79f5f85c0996a41355", + version = "0.6.1", + sha256 = "e6b87c89bd0b27039e3af2c5da01147452f240f75d505f5b6880874f31036307", strip_prefix = "rules_shell-{version}", urls = ["https://github.com/bazelbuild/rules_shell/releases/download/v{version}/rules_shell-v{version}.tar.gz"], use_category = ["build"], - release_date = "2025-08-01", + release_date = "2025-09-10", license = "Apache-2.0", license_url = "https://github.com/protocolbuffers/rules_shell/blob/{version}/LICENSE", ), From 317d7fdf8cac9f4e7f677540e68d16c7f9de72c5 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Mon, 22 Sep 2025 19:39:36 +0200 Subject: [PATCH 466/505] reduce rules_proto use in favor of com_google_protobuf (#41156) rules_proto is deprecated as announced in https://github.com/bazelbuild/rules_proto and can be replaced by rules from protobuf. Signed-off-by: Matthieu MOREL --- api/BUILD | 3 ++- api/bazel/api_build_system.bzl | 2 +- api/bazel/repositories.bzl | 2 +- api/versioning/BUILD | 2 +- bazel/external/quiche.BUILD | 2 +- source/common/protobuf/BUILD | 2 +- source/extensions/common/wasm/ext/BUILD | 2 +- test/extensions/filters/http/wasm/test_data/BUILD | 2 +- tools/api_proto_plugin/plugin.bzl | 2 +- tools/proto_format/format_api.py | 2 +- tools/protodoc/BUILD | 2 +- tools/protojsonschema_with_aspects/protojsonschema.bzl | 2 +- tools/testdata/protoxform/BUILD | 2 +- tools/testdata/protoxform/envoy/v2/BUILD | 2 +- tools/testdata/protoxform/external/BUILD | 2 +- tools/type_whisperer/file_descriptor_set_text.bzl | 2 +- tools/type_whisperer/proto_build_targets_gen.py | 3 ++- 17 files changed, 19 insertions(+), 17 deletions(-) diff --git a/api/BUILD b/api/BUILD index 18014a1fe8043..326bb462a2ce7 100644 --- a/api/BUILD +++ b/api/BUILD @@ -1,6 +1,7 @@ # DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. -load("@rules_proto//proto:defs.bzl", "proto_descriptor_set", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") +load("@rules_proto//proto:defs.bzl", "proto_descriptor_set") licenses(["notice"]) # Apache 2 diff --git a/api/bazel/api_build_system.bzl b/api/bazel/api_build_system.bzl index 729e771628db1..04d00e6f3a1fe 100644 --- a/api/bazel/api_build_system.bzl +++ b/api/bazel/api_build_system.bzl @@ -1,9 +1,9 @@ load("@com_envoyproxy_protoc_gen_validate//bazel:pgv_proto_library.bzl", "pgv_cc_proto_library") load("@com_github_grpc_grpc//bazel:cc_grpc_library.bzl", "cc_grpc_library") load("@com_github_grpc_grpc//bazel:python_rules.bzl", _py_proto_library = "py_proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load("@io_bazel_rules_go//go:def.bzl", "go_test") load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library") -load("@rules_proto//proto:defs.bzl", "proto_library") load( "//bazel:external_proto_deps.bzl", "EXTERNAL_PROTO_CC_BAZEL_DEP_MAP", diff --git a/api/bazel/repositories.bzl b/api/bazel/repositories.bzl index 9a8525fb94157..217614f5e5639 100644 --- a/api/bazel/repositories.bzl +++ b/api/bazel/repositories.bzl @@ -101,8 +101,8 @@ OPENTELEMETRY_BUILD_CONTENT = """ load("@com_github_grpc_grpc//bazel:cc_grpc_library.bzl", "cc_grpc_library") load("@com_github_grpc_grpc//bazel:python_rules.bzl", "py_proto_library", "py_grpc_library") load("@com_google_protobuf//bazel:cc_proto_library.bzl", "cc_proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library", "go_grpc_library") -load("@rules_proto//proto:defs.bzl", "proto_library") package(default_visibility = ["//visibility:public"]) diff --git a/api/versioning/BUILD b/api/versioning/BUILD index 8b48f43270988..fc2d419f87a65 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -1,6 +1,6 @@ # DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") licenses(["notice"]) # Apache 2 diff --git a/bazel/external/quiche.BUILD b/bazel/external/quiche.BUILD index d73c10e236dde..b97fe1b7bd94d 100644 --- a/bazel/external/quiche.BUILD +++ b/bazel/external/quiche.BUILD @@ -1,4 +1,5 @@ load("@com_google_protobuf//bazel:cc_proto_library.bzl", "cc_proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load( "@envoy//bazel:envoy_build_system.bzl", "envoy_cc_library", @@ -13,7 +14,6 @@ load( "envoy_quiche_platform_impl_cc_test_library", "quiche_copts", ) -load("@rules_proto//proto:defs.bzl", "proto_library") licenses(["notice"]) # Apache 2 diff --git a/source/common/protobuf/BUILD b/source/common/protobuf/BUILD index 7778a54d8b24e..e1dafd16e44d6 100644 --- a/source/common/protobuf/BUILD +++ b/source/common/protobuf/BUILD @@ -1,5 +1,5 @@ load("@com_google_protobuf//bazel:cc_proto_library.bzl", "cc_proto_library") -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load( "//bazel:envoy_build_system.bzl", "envoy_cc_library", diff --git a/source/extensions/common/wasm/ext/BUILD b/source/extensions/common/wasm/ext/BUILD index 4e86c6de0fa8e..71c21a52c0fe5 100644 --- a/source/extensions/common/wasm/ext/BUILD +++ b/source/extensions/common/wasm/ext/BUILD @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load( "//bazel:envoy_build_system.bzl", "envoy_cc_library", diff --git a/test/extensions/filters/http/wasm/test_data/BUILD b/test/extensions/filters/http/wasm/test_data/BUILD index dc89c15852d4e..1ded204f9bc2c 100644 --- a/test/extensions/filters/http/wasm/test_data/BUILD +++ b/test/extensions/filters/http/wasm/test_data/BUILD @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load( "//bazel:envoy_build_system.bzl", "envoy_cc_test_library", diff --git a/tools/api_proto_plugin/plugin.bzl b/tools/api_proto_plugin/plugin.bzl index 014749a7d1a5d..8c12b167ab2f0 100644 --- a/tools/api_proto_plugin/plugin.bzl +++ b/tools/api_proto_plugin/plugin.bzl @@ -1,5 +1,5 @@ load("@bazel_skylib//rules:common_settings.bzl", "BuildSettingInfo") -load("@rules_proto//proto:defs.bzl", "ProtoInfo") +load("@com_google_protobuf//bazel/common:proto_info.bzl", "ProtoInfo") # Borrowed from https://github.com/grpc/grpc-java/blob/v1.24.1/java_grpc_library.bzl#L61 def _path_ignoring_repository(f): diff --git a/tools/proto_format/format_api.py b/tools/proto_format/format_api.py index 1d4bbd72eec96..d21d9901aa861 100644 --- a/tools/proto_format/format_api.py +++ b/tools/proto_format/format_api.py @@ -53,7 +53,7 @@ VERSIONING_BUILD_FILE_TEMPLATE = string.Template( """# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") licenses(["notice"]) # Apache 2 diff --git a/tools/protodoc/BUILD b/tools/protodoc/BUILD index 590013b8d3943..3befe9e2b63d6 100644 --- a/tools/protodoc/BUILD +++ b/tools/protodoc/BUILD @@ -1,6 +1,6 @@ load("@base_pip3//:requirements.bzl", "requirement") load("@com_github_grpc_grpc//bazel:python_rules.bzl", "py_proto_library") -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") load("//tools/base:envoy_python.bzl", "envoy_genjson", "envoy_jinja_env", "envoy_py_data", "envoy_pytool_binary", "envoy_pytool_library") load("//tools/protodoc:protodoc.bzl", "protodoc_rule") load("//tools/python:namespace.bzl", "envoy_py_namespace") diff --git a/tools/protojsonschema_with_aspects/protojsonschema.bzl b/tools/protojsonschema_with_aspects/protojsonschema.bzl index a1a5e38742ce7..786951f343489 100644 --- a/tools/protojsonschema_with_aspects/protojsonschema.bzl +++ b/tools/protojsonschema_with_aspects/protojsonschema.bzl @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "ProtoInfo") +load("@com_google_protobuf//bazel/common:proto_info.bzl", "ProtoInfo") load("//tools/api_proto_plugin:plugin.bzl", "api_proto_plugin_aspect", "api_proto_plugin_impl") def _protojsonschema_impl(target, ctx): diff --git a/tools/testdata/protoxform/BUILD b/tools/testdata/protoxform/BUILD index b9e228605acd6..1cda001159e2e 100644 --- a/tools/testdata/protoxform/BUILD +++ b/tools/testdata/protoxform/BUILD @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") licenses(["notice"]) # Apache 2 diff --git a/tools/testdata/protoxform/envoy/v2/BUILD b/tools/testdata/protoxform/envoy/v2/BUILD index 2c6796578946d..23a0e4bc26dd3 100644 --- a/tools/testdata/protoxform/envoy/v2/BUILD +++ b/tools/testdata/protoxform/envoy/v2/BUILD @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") licenses(["notice"]) # Apache 2 diff --git a/tools/testdata/protoxform/external/BUILD b/tools/testdata/protoxform/external/BUILD index 3908c1ec3a49f..d08642ef346cc 100644 --- a/tools/testdata/protoxform/external/BUILD +++ b/tools/testdata/protoxform/external/BUILD @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") licenses(["notice"]) # Apache 2 diff --git a/tools/type_whisperer/file_descriptor_set_text.bzl b/tools/type_whisperer/file_descriptor_set_text.bzl index 5e1a858b4563e..ef16e9077037b 100644 --- a/tools/type_whisperer/file_descriptor_set_text.bzl +++ b/tools/type_whisperer/file_descriptor_set_text.bzl @@ -1,4 +1,4 @@ -load("@rules_proto//proto:defs.bzl", "ProtoInfo") +load("@com_google_protobuf//bazel/common:proto_info.bzl", "ProtoInfo") def _file_descriptor_set_text(ctx): file_descriptor_sets = depset( diff --git a/tools/type_whisperer/proto_build_targets_gen.py b/tools/type_whisperer/proto_build_targets_gen.py index 947ea220154fd..2f005b52b6448 100644 --- a/tools/type_whisperer/proto_build_targets_gen.py +++ b/tools/type_whisperer/proto_build_targets_gen.py @@ -38,7 +38,8 @@ API_BUILD_FILE_TEMPLATE = string.Template( """# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. -load("@rules_proto//proto:defs.bzl", "proto_descriptor_set", "proto_library") +load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library") +load("@rules_proto//proto:defs.bzl", "proto_descriptor_set") licenses(["notice"]) # Apache 2 From 2f003b4ccd19486808926e2f853b56c79cd2a071 Mon Sep 17 00:00:00 2001 From: code Date: Tue, 23 Sep 2025 07:04:34 +0800 Subject: [PATCH 467/505] remove/deprecate legacy retryPolicy() method (#41157) Commit Message: Additional Description: continuous work of #41074 Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: WangBaiping --- envoy/router/router.h | 8 +- source/common/grpc/async_client_impl.cc | 4 +- source/common/http/null_route_impl.h | 5 +- source/common/router/config_impl.cc | 3 +- source/common/router/config_impl.h | 9 +- source/common/router/delegating_route_impl.cc | 6 +- source/common/router/delegating_route_impl.h | 3 +- source/common/router/router.cc | 8 +- test/common/http/async_client_impl_test.cc | 20 ++-- test/common/http/conn_manager_impl_test.cc | 8 +- test/common/router/config_impl_test.cc | 94 +++++++++---------- test/mocks/router/mocks.cc | 6 +- test/mocks/router/mocks.h | 6 +- 13 files changed, 80 insertions(+), 100 deletions(-) diff --git a/envoy/router/router.h b/envoy/router/router.h index ee7f4e1809473..ea2b1fae6a6fd 100644 --- a/envoy/router/router.h +++ b/envoy/router/router.h @@ -986,13 +986,7 @@ class RouteEntry : public ResponseEntry { * @return const RetryPolicy& the retry policy for the route. All routes have a retry policy even * if it is empty and does not allow retries. */ - virtual const RetryPolicy& retryPolicy() const PURE; - - /** - * @return const RetryPolicy& the retry policy for the route. All routes have a retry policy even - * if it is empty and does not allow retries. - */ - virtual const RetryPolicyConstSharedPtr& sharedRetryPolicy() const PURE; + virtual const RetryPolicyConstSharedPtr& retryPolicy() const PURE; /** * @return const InternalRedirectPolicy& the internal redirect policy for the route. All routes diff --git a/source/common/grpc/async_client_impl.cc b/source/common/grpc/async_client_impl.cc index 1f0a18ecf5f58..f44d09b0d649a 100644 --- a/source/common/grpc/async_client_impl.cc +++ b/source/common/grpc/async_client_impl.cc @@ -25,7 +25,7 @@ std::string enhancedGrpcMessage(const std::string& original_message, : absl::StrCat(original_message, "{", http_response_code_details, "}"); } -void Base64EscapeBinHeaders(Http::RequestHeaderMap& headers) { +void base64EscapeBinHeaders(Http::RequestHeaderMap& headers) { absl::flat_hash_map bin_metadata; headers.iterate([&bin_metadata](const Http::HeaderEntry& header) { if (absl::EndsWith(header.key().getStringView(), "-bin")) { @@ -209,7 +209,7 @@ void AsyncStreamImpl::initialize(bool buffer_body_for_retry) { current_span_->injectContext(trace_context, upstream_context); callbacks_.onCreateInitialMetadata(headers_message_->headers()); // base64 encode on "-bin" metadata. - Base64EscapeBinHeaders(headers_message_->headers()); + base64EscapeBinHeaders(headers_message_->headers()); stream_->sendHeaders(headers_message_->headers(), false); } diff --git a/source/common/http/null_route_impl.h b/source/common/http/null_route_impl.h index 5edb72422237f..29a9a21fc878a 100644 --- a/source/common/http/null_route_impl.h +++ b/source/common/http/null_route_impl.h @@ -155,10 +155,7 @@ struct RouteEntryImpl : public Router::RouteEntry { return Upstream::ResourcePriority::Default; } const Router::RateLimitPolicy& rateLimitPolicy() const override { return rate_limit_policy_; } - const Router::RetryPolicy& retryPolicy() const override { return *retry_policy_; } - const Router::RetryPolicyConstSharedPtr& sharedRetryPolicy() const override { - return retry_policy_; - } + const Router::RetryPolicyConstSharedPtr& retryPolicy() const override { return retry_policy_; } const Router::InternalRedirectPolicy& internalRedirectPolicy() const override { return internal_redirect_policy_; } diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index ab65b8aadc8f8..65de73ecf1b16 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -461,7 +461,8 @@ RouteEntryImplBase::RouteEntryImplBase(const CommonVirtualHostSharedPtr& vhost, auto policy_or_error = buildRetryPolicy(vhost->retryPolicy(), route.route(), validator, factory_context); SET_AND_RETURN_IF_NOT_OK(policy_or_error.status(), creation_status); - retry_policy_ = std::move(policy_or_error.value()); + retry_policy_ = policy_or_error.value() != nullptr ? std::move(policy_or_error.value()) + : RetryPolicyImpl::DefaultRetryPolicy; if (route.has_direct_response() && route.direct_response().has_body()) { auto provider_or_error = Envoy::Config::DataSource::DataSourceProvider::create( diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h index 2bbc6f541137b..bb00a2a054d3f 100644 --- a/source/common/router/config_impl.h +++ b/source/common/router/config_impl.h @@ -631,13 +631,10 @@ class RouteEntryImplBase : public RouteEntryAndRoute, } return DefaultRateLimitPolicy::get(); } - const RetryPolicy& retryPolicy() const override { - if (retry_policy_ != nullptr) { - return *retry_policy_; - } - return *RetryPolicyImpl::DefaultRetryPolicy; + const RetryPolicyConstSharedPtr& retryPolicy() const override { + ASSERT(retry_policy_ != nullptr); + return retry_policy_; } - const RetryPolicyConstSharedPtr& sharedRetryPolicy() const override { return retry_policy_; } const InternalRedirectPolicy& internalRedirectPolicy() const override { if (internal_redirect_policy_ != nullptr) { return *internal_redirect_policy_; diff --git a/source/common/router/delegating_route_impl.cc b/source/common/router/delegating_route_impl.cc index 84180523eaff2..f2dd426a768a2 100644 --- a/source/common/router/delegating_route_impl.cc +++ b/source/common/router/delegating_route_impl.cc @@ -63,14 +63,10 @@ const RateLimitPolicy& DelegatingRouteEntry::rateLimitPolicy() const { return base_route_entry_->rateLimitPolicy(); } -const RetryPolicy& DelegatingRouteEntry::retryPolicy() const { +const RetryPolicyConstSharedPtr& DelegatingRouteEntry::retryPolicy() const { return base_route_entry_->retryPolicy(); } -const RetryPolicyConstSharedPtr& DelegatingRouteEntry::sharedRetryPolicy() const { - return base_route_entry_->sharedRetryPolicy(); -} - const PathMatcherSharedPtr& DelegatingRouteEntry::pathMatcher() const { return base_route_entry_->pathMatcher(); } diff --git a/source/common/router/delegating_route_impl.h b/source/common/router/delegating_route_impl.h index 2fcb2e209a643..89f616cb0f541 100644 --- a/source/common/router/delegating_route_impl.h +++ b/source/common/router/delegating_route_impl.h @@ -102,8 +102,7 @@ class DelegatingRouteEntry : public DelegatingRouteBase { const HedgePolicy& hedgePolicy() const override; Upstream::ResourcePriority priority() const override; const RateLimitPolicy& rateLimitPolicy() const override; - const RetryPolicy& retryPolicy() const override; - const RetryPolicyConstSharedPtr& sharedRetryPolicy() const override; + const RetryPolicyConstSharedPtr& retryPolicy() const override; const Router::PathMatcherSharedPtr& pathMatcher() const override; const Router::PathRewriterSharedPtr& pathRewriter() const override; const InternalRedirectPolicy& internalRedirectPolicy() const override; diff --git a/source/common/router/router.cc b/source/common/router/router.cc index 8e5e0c2aac79b..c504f96d75e2d 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -210,8 +210,8 @@ TimeoutData FilterUtility::finalTimeout(const RouteEntry& route, timeout.global_timeout_ = route.timeout(); } } - timeout.per_try_timeout_ = route.retryPolicy().perTryTimeout(); - timeout.per_try_idle_timeout_ = route.retryPolicy().perTryIdleTimeout(); + timeout.per_try_timeout_ = route.retryPolicy()->perTryTimeout(); + timeout.per_try_idle_timeout_ = route.retryPolicy()->perTryIdleTimeout(); uint64_t header_timeout; @@ -790,7 +790,7 @@ bool Filter::continueDecodeHeaders(Upstream::ThreadLocalCluster* cluster, ASSERT(headers.Scheme()); retry_state_ = createRetryState( - route_entry_->retryPolicy(), headers, *cluster_, request_vcluster_, route_stats_context_, + *route_entry_->retryPolicy(), headers, *cluster_, request_vcluster_, route_stats_context_, config_->factory_context_, callbacks_->dispatcher(), route_entry_->priority()); // Determine which shadow policies to use. It's possible that we don't do any shadowing due to @@ -2098,7 +2098,7 @@ bool Filter::convertRequestHeadersForInternalRedirect( } void Filter::runRetryOptionsPredicates(UpstreamRequest& retriable_request) { - for (const auto& options_predicate : route_entry_->retryPolicy().retryOptionsPredicates()) { + for (const auto& options_predicate : route_entry_->retryPolicy()->retryOptionsPredicates()) { const Upstream::RetryOptionsPredicate::UpdateOptionsParameters parameters{ retriable_request.streamInfo(), upstreamSocketOptions()}; auto ret = options_predicate->updateOptions(parameters); diff --git a/test/common/http/async_client_impl_test.cc b/test/common/http/async_client_impl_test.cc index 947f4f9b25561..3f3ee8bf88442 100644 --- a/test/common/http/async_client_impl_test.cc +++ b/test/common/http/async_client_impl_test.cc @@ -2407,14 +2407,14 @@ retry_on: 5xx,gateway-error,connect-failure,reset auto& route_entry = getRouteFromStream(); - EXPECT_EQ(route_entry.retryPolicy().numRetries(), 10); - EXPECT_EQ(route_entry.retryPolicy().perTryTimeout(), std::chrono::seconds(30)); + EXPECT_EQ(route_entry.retryPolicy()->numRetries(), 10); + EXPECT_EQ(route_entry.retryPolicy()->perTryTimeout(), std::chrono::seconds(30)); EXPECT_EQ(Router::RetryPolicy::RETRY_ON_CONNECT_FAILURE | Router::RetryPolicy::RETRY_ON_5XX | Router::RetryPolicy::RETRY_ON_GATEWAY_ERROR | Router::RetryPolicy::RETRY_ON_RESET, - route_entry.retryPolicy().retryOn()); + route_entry.retryPolicy()->retryOn()); - EXPECT_EQ(route_entry.retryPolicy().baseInterval(), std::chrono::milliseconds(10)); - EXPECT_EQ(route_entry.retryPolicy().maxInterval(), std::chrono::seconds(30)); + EXPECT_EQ(route_entry.retryPolicy()->baseInterval(), std::chrono::milliseconds(10)); + EXPECT_EQ(route_entry.retryPolicy()->maxInterval(), std::chrono::seconds(30)); } TEST_F(AsyncClientImplUnitTest, AsyncStreamImplInitTestWithInvalidRetryPolicy) { @@ -2448,15 +2448,15 @@ retry_on: 5xx,gateway-error,connect-failure,reset,reset-before-request setRetryPolicy(yaml); auto& route_entry = getRouteFromStream(); - EXPECT_EQ(route_entry.retryPolicy().numRetries(), 10); - EXPECT_EQ(route_entry.retryPolicy().perTryTimeout(), std::chrono::seconds(30)); + EXPECT_EQ(route_entry.retryPolicy()->numRetries(), 10); + EXPECT_EQ(route_entry.retryPolicy()->perTryTimeout(), std::chrono::seconds(30)); EXPECT_EQ(Router::RetryPolicy::RETRY_ON_CONNECT_FAILURE | Router::RetryPolicy::RETRY_ON_5XX | Router::RetryPolicy::RETRY_ON_GATEWAY_ERROR | Router::RetryPolicy::RETRY_ON_RESET | Router::RetryPolicy::RETRY_ON_RESET_BEFORE_REQUEST, - route_entry.retryPolicy().retryOn()); + route_entry.retryPolicy()->retryOn()); - EXPECT_EQ(route_entry.retryPolicy().baseInterval(), std::chrono::milliseconds(10)); - EXPECT_EQ(route_entry.retryPolicy().maxInterval(), std::chrono::seconds(30)); + EXPECT_EQ(route_entry.retryPolicy()->baseInterval(), std::chrono::milliseconds(10)); + EXPECT_EQ(route_entry.retryPolicy()->maxInterval(), std::chrono::seconds(30)); } TEST_F(AsyncClientImplUnitTest, NullConfig) { diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index 78a7a42a1919d..992ab73bb9522 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -1245,10 +1245,10 @@ TEST_F(HttpConnectionManagerImplTest, DelegatingRouteEntryAllCalls) { .getApplicableRateLimit(0) .empty()); - EXPECT_EQ(default_route->routeEntry()->retryPolicy().numRetries(), - delegating_route_foo->routeEntry()->retryPolicy().numRetries()); - EXPECT_EQ(default_route->routeEntry()->retryPolicy().retryOn(), - delegating_route_foo->routeEntry()->retryPolicy().retryOn()); + EXPECT_EQ(default_route->routeEntry()->retryPolicy()->numRetries(), + delegating_route_foo->routeEntry()->retryPolicy()->numRetries()); + EXPECT_EQ(default_route->routeEntry()->retryPolicy()->retryOn(), + delegating_route_foo->routeEntry()->retryPolicy()->retryOn()); EXPECT_EQ(default_route->routeEntry()->internalRedirectPolicy().enabled(), delegating_route_foo->routeEntry()->internalRedirectPolicy().enabled()); diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index 438646cbf22be..d6deff68f1267 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -4764,56 +4764,56 @@ TEST_F(RouteMatcherTest, Retry) { config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(std::chrono::milliseconds(0), config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryIdleTimeout()); + ->perTryIdleTimeout()); EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_CONNECT_FAILURE, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(std::chrono::milliseconds(0), config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(1, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(0U, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(std::chrono::milliseconds(1000), config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(std::chrono::milliseconds(5000), config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryIdleTimeout()); + ->perTryIdleTimeout()); EXPECT_EQ(3U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_CONNECT_FAILURE | RetryPolicy::RETRY_ON_5XX | RetryPolicy::RETRY_ON_GATEWAY_ERROR | RetryPolicy::RETRY_ON_RESET, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); } class TestRetryOptionsPredicateFactory : public Upstream::RetryOptionsPredicateFactory { @@ -4875,16 +4875,16 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_CONNECT_FAILURE, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(7U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->requestBodyBufferLimit()); @@ -4894,7 +4894,7 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOptionsPredicates() + ->retryOptionsPredicates() .size()); // Virtual Host level retry policy kicks in. @@ -4902,17 +4902,17 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(3U, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_CONNECT_FAILURE | RetryPolicy::RETRY_ON_5XX | RetryPolicy::RETRY_ON_GATEWAY_ERROR | RetryPolicy::RETRY_ON_RESET, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(8U, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->requestBodyBufferLimit()); @@ -4923,17 +4923,17 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(3U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_CONNECT_FAILURE | RetryPolicy::RETRY_ON_5XX | RetryPolicy::RETRY_ON_GATEWAY_ERROR | RetryPolicy::RETRY_ON_RESET, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(8U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->requestBodyBufferLimit()); @@ -4943,7 +4943,7 @@ TEST_F(RouteMatcherTest, RetryVirtualHostLevel) { EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOptionsPredicates() + ->retryOptionsPredicates() .size()); } @@ -4982,46 +4982,46 @@ TEST_F(RouteMatcherTest, GrpcRetry) { config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(1U, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_CONNECT_FAILURE, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(std::chrono::milliseconds(0), config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(1, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(0U, config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); EXPECT_EQ(std::chrono::milliseconds(1000), config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .perTryTimeout()); + ->perTryTimeout()); EXPECT_EQ(3U, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .numRetries()); + ->numRetries()); EXPECT_EQ(RetryPolicy::RETRY_ON_5XX | RetryPolicy::RETRY_ON_GRPC_DEADLINE_EXCEEDED | RetryPolicy::RETRY_ON_GRPC_RESOURCE_EXHAUSTED, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .retryOn()); + ->retryOn()); } // Test route-specific retry back-off intervals. @@ -5071,47 +5071,47 @@ TEST_F(RouteMatcherTest, RetryBackOffIntervals) { config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .baseInterval()); + ->baseInterval()); EXPECT_EQ(absl::nullopt, config.route(genHeaders("www.lyft.com", "/foo", "GET"), 0) ->routeEntry() ->retryPolicy() - .maxInterval()); + ->maxInterval()); EXPECT_EQ(absl::optional(100), config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .baseInterval()); + ->baseInterval()); EXPECT_EQ(absl::optional(500), config.route(genHeaders("www.lyft.com", "/bar", "GET"), 0) ->routeEntry() ->retryPolicy() - .maxInterval()); + ->maxInterval()); // Sub-millisecond interval converted to 1 ms. EXPECT_EQ(absl::optional(1), config.route(genHeaders("www.lyft.com", "/baz", "GET"), 0) ->routeEntry() ->retryPolicy() - .baseInterval()); + ->baseInterval()); EXPECT_EQ(absl::optional(1), config.route(genHeaders("www.lyft.com", "/baz", "GET"), 0) ->routeEntry() ->retryPolicy() - .maxInterval()); + ->maxInterval()); EXPECT_EQ(absl::nullopt, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .baseInterval()); + ->baseInterval()); EXPECT_EQ(absl::nullopt, config.route(genHeaders("www.lyft.com", "/", "GET"), 0) ->routeEntry() ->retryPolicy() - .maxInterval()); + ->maxInterval()); } // Test invalid route-specific retry back-off configs. @@ -5183,29 +5183,29 @@ TEST_F(RouteMatcherTest, RateLimitedRetryBackOff) { EXPECT_EQ(true, config.route(genHeaders("www.lyft.com", "/no-backoff", "GET"), 0) ->routeEntry() ->retryPolicy() - .resetHeaders() + ->resetHeaders() .empty()); EXPECT_EQ(std::chrono::milliseconds(300000), config.route(genHeaders("www.lyft.com", "/no-backoff", "GET"), 0) ->routeEntry() ->retryPolicy() - .resetMaxInterval()); + ->resetMaxInterval()); // has sub millisecond interval EXPECT_EQ(1, config.route(genHeaders("www.lyft.com", "/sub-ms-interval", "GET"), 0) ->routeEntry() ->retryPolicy() - .resetHeaders() + ->resetHeaders() .size()); EXPECT_EQ(std::chrono::milliseconds(1), config.route(genHeaders("www.lyft.com", "/sub-ms-interval", "GET"), 0) ->routeEntry() ->retryPolicy() - .resetMaxInterval()); + ->resetMaxInterval()); // a typical configuration Http::TestRequestHeaderMapImpl headers = genHeaders("www.lyft.com", "/typical-backoff", "GET"); - const auto& retry_policy = config.route(headers, 0)->routeEntry()->retryPolicy(); + const auto& retry_policy = *config.route(headers, 0)->routeEntry()->retryPolicy(); EXPECT_EQ(2, retry_policy.resetHeaders().size()); Http::TestResponseHeaderMapImpl expected_0{{"Retry-After", "2"}}; @@ -9345,7 +9345,7 @@ TEST_F(RouteConfigurationV2, RetriableStatusCodes) { creation_status_); Http::TestRequestHeaderMapImpl headers = genRedirectHeaders("idle.lyft.com", "/regex", true, false); - const auto& retry_policy = config.route(headers, 0)->routeEntry()->retryPolicy(); + const auto& retry_policy = *config.route(headers, 0)->routeEntry()->retryPolicy(); const std::vector expected_codes{100, 200}; EXPECT_EQ(expected_codes, retry_policy.retriableStatusCodes()); } @@ -9374,7 +9374,7 @@ TEST_F(RouteConfigurationV2, RetriableHeaders) { creation_status_); Http::TestRequestHeaderMapImpl headers = genRedirectHeaders("idle.lyft.com", "/regex", true, false); - const auto& retry_policy = config.route(headers, 0)->routeEntry()->retryPolicy(); + const auto& retry_policy = *config.route(headers, 0)->routeEntry()->retryPolicy(); ASSERT_EQ(2, retry_policy.retriableHeaders().size()); Http::TestResponseHeaderMapImpl expected_0{{":status", "500"}}; @@ -9563,7 +9563,7 @@ TEST_F(RouteConfigurationV2, RetryPluginsAreNotReused) { creation_status_); Http::TestRequestHeaderMapImpl headers = genRedirectHeaders("idle.lyft.com", "/regex", true, false); - const auto& retry_policy = config.route(headers, 0)->routeEntry()->retryPolicy(); + const auto& retry_policy = *config.route(headers, 0)->routeEntry()->retryPolicy(); const auto priority1 = retry_policy.retryPriority(); const auto priority2 = retry_policy.retryPriority(); EXPECT_NE(priority1, priority2); diff --git a/test/mocks/router/mocks.cc b/test/mocks/router/mocks.cc index dffdf0b0d1fd0..b976bc8ccf382 100644 --- a/test/mocks/router/mocks.cc +++ b/test/mocks/router/mocks.cc @@ -103,8 +103,7 @@ MockRouteEntry::MockRouteEntry() ON_CALL(*this, clusterName()).WillByDefault(ReturnRef(cluster_name_)); ON_CALL(*this, opaqueConfig()).WillByDefault(ReturnRef(opaque_config_)); ON_CALL(*this, rateLimitPolicy()).WillByDefault(ReturnRef(rate_limit_policy_)); - ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(*retry_policy_)); - ON_CALL(*this, sharedRetryPolicy()).WillByDefault(ReturnRef(base_retry_policy_)); + ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(base_retry_policy_)); ON_CALL(*this, internalRedirectPolicy()).WillByDefault(ReturnRef(internal_redirect_policy_)); ON_CALL(*this, shadowPolicies()).WillByDefault(ReturnRef(shadow_policies_)); @@ -166,8 +165,7 @@ MockRoute::MockRoute() { ON_CALL(*this, clusterName()).WillByDefault(ReturnRef(route_entry_.cluster_name_)); ON_CALL(*this, opaqueConfig()).WillByDefault(ReturnRef(route_entry_.opaque_config_)); ON_CALL(*this, rateLimitPolicy()).WillByDefault(ReturnRef(route_entry_.rate_limit_policy_)); - ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(*route_entry_.retry_policy_)); - ON_CALL(*this, sharedRetryPolicy()).WillByDefault(ReturnRef(route_entry_.base_retry_policy_)); + ON_CALL(*this, retryPolicy()).WillByDefault(ReturnRef(route_entry_.base_retry_policy_)); ON_CALL(*this, internalRedirectPolicy()) .WillByDefault(ReturnRef(route_entry_.internal_redirect_policy_)); diff --git a/test/mocks/router/mocks.h b/test/mocks/router/mocks.h index e41fad2fa718e..47584ab4b4571 100644 --- a/test/mocks/router/mocks.h +++ b/test/mocks/router/mocks.h @@ -434,8 +434,7 @@ class MockRouteEntry : public RouteEntry { MOCK_METHOD(const Router::TlsContextMatchCriteria*, tlsContextMatchCriteria, (), (const)); MOCK_METHOD(Upstream::ResourcePriority, priority, (), (const)); MOCK_METHOD(const RateLimitPolicy&, rateLimitPolicy, (), (const)); - MOCK_METHOD(const RetryPolicy&, retryPolicy, (), (const)); - MOCK_METHOD(const RetryPolicyConstSharedPtr&, sharedRetryPolicy, (), (const)); + MOCK_METHOD(const RetryPolicyConstSharedPtr&, retryPolicy, (), (const)); MOCK_METHOD(const InternalRedirectPolicy&, internalRedirectPolicy, (), (const)); MOCK_METHOD(const PathMatcherSharedPtr&, pathMatcher, (), (const)); MOCK_METHOD(const PathRewriterSharedPtr&, pathRewriter, (), (const)); @@ -558,8 +557,7 @@ class MockRoute : public RouteEntryAndRoute { MOCK_METHOD(const Router::TlsContextMatchCriteria*, tlsContextMatchCriteria, (), (const)); MOCK_METHOD(Upstream::ResourcePriority, priority, (), (const)); MOCK_METHOD(const RateLimitPolicy&, rateLimitPolicy, (), (const)); - MOCK_METHOD(const RetryPolicy&, retryPolicy, (), (const)); - MOCK_METHOD(const RetryPolicyConstSharedPtr&, sharedRetryPolicy, (), (const)); + MOCK_METHOD(const RetryPolicyConstSharedPtr&, retryPolicy, (), (const)); MOCK_METHOD(const InternalRedirectPolicy&, internalRedirectPolicy, (), (const)); MOCK_METHOD(const PathMatcherSharedPtr&, pathMatcher, (), (const)); MOCK_METHOD(const PathRewriterSharedPtr&, pathRewriter, (), (const)); From 74b83fde95f200630766e5d4a343e2c8b755fcc4 Mon Sep 17 00:00:00 2001 From: Matt Newman Date: Mon, 22 Sep 2025 21:13:06 -0500 Subject: [PATCH 468/505] docs: clarify gateway-error behavior (#41147) `gateway-error` retries on timeouts, not only 502/503/504 errors as stated. Risk Level: Low Testing: N/A Docs Changes: clarify gateway-error behaviour for HTTP router filter Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Matt Newman --- docs/root/configuration/http/http_filters/router_filter.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/root/configuration/http/http_filters/router_filter.rst b/docs/root/configuration/http/http_filters/router_filter.rst index 90f2517c09e6c..15c817bea1fee 100644 --- a/docs/root/configuration/http/http_filters/router_filter.rst +++ b/docs/root/configuration/http/http_filters/router_filter.rst @@ -83,8 +83,8 @@ can be specified using a ',' delimited list. The supported policies are: request, including any retries that take place. gateway-error - This policy is similar to the *5xx* policy but will only retry requests that result in a 502, 503, - or 504. + This policy is similar to the *5xx* policy but will attempt a retry if the upstream server responds + with 502, 503, or 504 response code, or does not respond at all (disconnect/reset/read timeout). reset Envoy will attempt a retry if the upstream server does not respond at all (disconnect/reset/read timeout.) From 1d6fbd2247024299949037654e2d4424103c9220 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Mon, 22 Sep 2025 21:07:30 -0700 Subject: [PATCH 469/505] compressor: fix the compressor docs to highlight other extensions (#41179) Signed-off-by: Rohit Agrawal --- .../http/compressor/v3/compressor.proto | 98 +++++++++++-------- 1 file changed, 59 insertions(+), 39 deletions(-) diff --git a/api/envoy/extensions/filters/http/compressor/v3/compressor.proto b/api/envoy/extensions/filters/http/compressor/v3/compressor.proto index c49ccfead8f5c..0c8d28602dade 100644 --- a/api/envoy/extensions/filters/http/compressor/v3/compressor.proto +++ b/api/envoy/extensions/filters/http/compressor/v3/compressor.proto @@ -28,21 +28,31 @@ message Compressor { "envoy.config.filter.http.compressor.v2.Compressor"; message CommonDirectionConfig { - // Runtime flag that controls whether compression is enabled or not for the direction this - // common config is put in. If set to false, the filter will operate as a pass-through filter - // in the chosen direction, unless overridden by CompressorPerRoute. - // If the field is omitted, the filter will be enabled. + // Runtime flag that controls whether compression is enabled for the direction this + // common config is applied to. When this field is ``false``, the filter will operate as a + // pass-through filter in the chosen direction, unless overridden by ``CompressorPerRoute``. + // If this field is not specified, the filter will be enabled. config.core.v3.RuntimeFeatureFlag enabled = 1; - // Minimum value of Content-Length header of request or response messages (depending on the direction - // this common config is put in), in bytes, which will trigger compression. The default value is 30. + // Minimum value of the ``Content-Length`` header in request or response messages (depending on the + // direction this common config is applied to), in bytes, that will trigger compression. Defaults to 30. google.protobuf.UInt32Value min_content_length = 2; // Set of strings that allows specifying which mime-types yield compression; e.g., - // application/json, text/html, etc. When this field is not defined, compression will be applied - // to the following mime-types: "application/javascript", "application/json", - // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml" - // and their synonyms. + // ``application/json``, ``text/html``, etc. + // + // When this field is not specified, compression will be applied to these following mime-types + // and their synonyms: + // + // * ``application/javascript`` + // * ``application/json`` + // * ``application/xhtml+xml`` + // * ``image/svg+xml`` + // * ``text/css`` + // * ``text/html`` + // * ``text/plain`` + // * ``text/xml`` + // repeated string content_type = 3; } @@ -55,20 +65,21 @@ message Compressor { message ResponseDirectionConfig { CommonDirectionConfig common_config = 1; - // If true, disables compression when the response contains an etag header. When it is false, the - // filter will preserve weak etags and remove the ones that require strong validation. + // When this field is ``true``, disables compression when the response contains an ``ETag`` header. + // When this field is ``false``, the filter will preserve weak ``ETag`` values and remove those that + // require strong validation. bool disable_on_etag_header = 2; - // If true, removes accept-encoding from the request headers before dispatching it to the upstream - // so that responses do not get compressed before reaching the filter. + // When this field is ``true``, removes ``Accept-Encoding`` from the request headers before dispatching + // the request to the upstream so that responses do not get compressed before reaching the filter. // // .. attention:: // - // To avoid interfering with other compression filters in the same chain use this option in + // To avoid interfering with other compression filters in the same chain, use this option in // the filter closest to the upstream. bool remove_accept_encoding_header = 3; - // Set of response codes for which compression is disabled, e.g. 206 Partial Content should not + // Set of response codes for which compression is disabled; e.g., 206 Partial Content should not // be compressed. repeated uint32 uncompressible_response_codes = 4 [(validate.rules).repeated = { unique: true @@ -81,60 +92,69 @@ message Compressor { [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; // Set of strings that allows specifying which mime-types yield compression; e.g., - // application/json, text/html, etc. When this field is not defined, compression will be applied - // to the following mime-types: "application/javascript", "application/json", - // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml" - // and their synonyms. + // ``application/json``, ``text/html``, etc. + // + // When this field is not specified, compression will be applied to these following mime-types + // and their synonyms: + // + // * ``application/javascript`` + // * ``application/json`` + // * ``application/xhtml+xml`` + // * ``image/svg+xml`` + // * ``text/css`` + // * ``text/html`` + // * ``text/plain`` + // * ``text/xml`` + // repeated string content_type = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - // If true, disables compression when the response contains an etag header. When it is false, the - // filter will preserve weak etags and remove the ones that require strong validation. + // When this field is ``true``, disables compression when the response contains an ``ETag`` header. + // When this field is ``false``, the filter will preserve weak ``ETag`` values and remove those that + // require strong validation. bool disable_on_etag_header = 3 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - // If true, removes accept-encoding from the request headers before dispatching it to the upstream - // so that responses do not get compressed before reaching the filter. + // When this field is ``true``, removes ``Accept-Encoding`` from the request headers before dispatching + // the request to the upstream so that responses do not get compressed before reaching the filter. // // .. attention:: // - // To avoid interfering with other compression filters in the same chain use this option in + // To avoid interfering with other compression filters in the same chain, use this option in // the filter closest to the upstream. bool remove_accept_encoding_header = 4 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - // Runtime flag that controls whether the filter is enabled or not. If set to false, the - // filter will operate as a pass-through filter, unless overridden by - // CompressorPerRoute. If not specified, defaults to enabled. + // Runtime flag that controls whether the filter is enabled. When this field is ``false``, the + // filter will operate as a pass-through filter, unless overridden by ``CompressorPerRoute``. + // If this field is not specified, the filter is enabled by default. config.core.v3.RuntimeFeatureFlag runtime_enabled = 5 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - // A compressor library to use for compression. Currently only - // :ref:`envoy.compression.gzip.compressor` - // is included in Envoy. + // A compressor library to use for compression. // [#extension-category: envoy.compression.compressor] config.core.v3.TypedExtensionConfig compressor_library = 6 [(validate.rules).message = {required: true}]; - // Configuration for request compression. Compression is disabled by default if left empty. + // Configuration for request compression. If this field is not specified, request compression is disabled. RequestDirectionConfig request_direction_config = 7; - // Configuration for response compression. Compression is enabled by default if left empty. + // Configuration for response compression. If this field is not specified, response compression is enabled. // // .. attention:: // - // If the field is not empty then the duplicate deprecated fields of the ``Compressor`` message, + // When this field is set, duplicate deprecated fields of the ``Compressor`` message, // such as ``content_length``, ``content_type``, ``disable_on_etag_header``, - // ``remove_accept_encoding_header`` and ``runtime_enabled``, are ignored. + // ``remove_accept_encoding_header``, and ``runtime_enabled``, are ignored. // - // Also all the statistics related to response compression will be rooted in + // Additionally, all statistics related to response compression will be rooted in // ``.compressor...response.*`` // instead of // ``.compressor...*``. ResponseDirectionConfig response_direction_config = 8; - // If true, chooses this compressor first to do compression when the q-values in ``Accept-Encoding`` are same. - // The last compressor which enables choose_first will be chosen if multiple compressor filters in the chain have choose_first as true. + // When this field is ``true``, this compressor is preferred when q-values in ``Accept-Encoding`` are equal. + // If multiple compressor filters set ``choose_first`` to ``true``, the last one in the filter chain is chosen. bool choose_first = 9; } @@ -159,7 +179,7 @@ message CompressorPerRoute { option (validate.required) = true; // If set, the filter will operate as a pass-through filter. - // Overrides Compressor.runtime_enabled and CommonDirectionConfig.enabled. + // Overrides ``Compressor.runtime_enabled`` and ``CommonDirectionConfig.enabled``. bool disabled = 1 [(validate.rules).bool = {const: true}]; // Per-route overrides. Fields set here will override corresponding fields in ``Compressor``. From d4e053d499b6f96edb591476f34c0d8c2b29ba0f Mon Sep 17 00:00:00 2001 From: Garrett Date: Tue, 23 Sep 2025 00:48:29 -0400 Subject: [PATCH 470/505] websocket: support route timeout for HTTP upgrade (#41075) Commit Message: websocket: support route timeout for HTTP upgrade Additional Description: Route timeouts currently do not work for the initial HTTP upgrade request for websockets. This special-cases the upgrade request so that we can correctly apply a timeout to those. I found #20062 which suggested that this partially worked at some point (though buggy, since not disarmed on the upgrade response), but I was not able to reproduce that behavior on main. The main risk I can think of would be upgrades that take >15 seconds and now see the default route timeout, however I think that would be fairly unusual. Risk Level: Medium Testing: added integration tests and tested the config in the linked issue manually Docs Changes: open to suggestion, but I could update the timeout docs Release Notes: added entry for minor behavior change Platform Specific Features: n/a Fixes #41068 Signed-off-by: Garrett Heel --- changelogs/current.yaml | 4 + envoy/http/filter.h | 8 ++ envoy/router/router_filter_interface.h | 12 ++ source/common/router/router.cc | 21 ++- source/common/router/router.h | 2 + source/common/router/upstream_codec_filter.cc | 4 + source/common/router/upstream_request.cc | 34 ++++- source/common/router/upstream_request.h | 5 + source/common/runtime/runtime_features.cc | 1 + source/common/tcp_proxy/upstream.h | 2 + .../integration/websocket_integration_test.cc | 126 ++++++++++++++++++ test/mocks/router/router_filter_interface.h | 2 + 12 files changed, 219 insertions(+), 2 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 254b14385f17a..a1d4de1f88b61 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -47,6 +47,10 @@ minor_behavior_changes: change: | Allow 4xx and 5xx to go through the filter chain for the WebSocket handshake response check. This behavior can be disabled by the runtime guard ``envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain``. +- area: websocket + change: | + Support route and per-try timeouts on websocket upgrade. This can be disabled by the runtime guard + ``envoy.reloadable_features.websocket_enable_timeout_on_upgrade_response``. - area: testing change: | In test code for external extensions, matchers ``Http::HeaderValueOf``, ``HasHeader``, and ``HeaderHasValueRef`` diff --git a/envoy/http/filter.h b/envoy/http/filter.h index 8c79afcaf84d8..1295ddfcc13e8 100644 --- a/envoy/http/filter.h +++ b/envoy/http/filter.h @@ -246,6 +246,14 @@ class UpstreamStreamFilterCallbacks { virtual bool pausedForWebsocketUpgrade() const PURE; virtual void setPausedForWebsocketUpgrade(bool value) PURE; + // Disable the route timeout after websocket upgrade completes successfully. + // This should only be used by the upstream codec filter. + virtual void disableRouteTimeoutForWebsocketUpgrade() PURE; + + // Disable per-try timeouts after websocket upgrade completes successfully. + // This should only be used by the upstream codec filter. + virtual void disablePerTryTimeoutForWebsocketUpgrade() PURE; + // Return the upstreamStreamOptions for this stream. virtual const Http::ConnectionPool::Instance::StreamOptions& upstreamStreamOptions() const PURE; diff --git a/envoy/router/router_filter_interface.h b/envoy/router/router_filter_interface.h index 34c306afc860b..f0cb02eddb7d8 100644 --- a/envoy/router/router_filter_interface.h +++ b/envoy/router/router_filter_interface.h @@ -104,6 +104,18 @@ class RouterFilterInterface { */ virtual void onStreamMaxDurationReached(UpstreamRequest& upstream_request) PURE; + /* + * This will be called to set up the route timeout early for websocket upgrades. + * This ensures the timeout is active during the upgrade negotiation phase. + */ + virtual void setupRouteTimeoutForWebsocketUpgrade() PURE; + + /* + * This will be called to disable the route timeout after websocket upgrade completes. + * This prevents the timeout from firing after successful upgrade. + */ + virtual void disableRouteTimeoutForWebsocketUpgrade() PURE; + /* * @returns the Router filter's StreamDecoderFilterCallbacks. */ diff --git a/source/common/router/router.cc b/source/common/router/router.cc index c504f96d75e2d..2cfb8484cd011 100644 --- a/source/common/router/router.cc +++ b/source/common/router/router.cc @@ -1152,6 +1152,25 @@ absl::optional Filter::getShadowCluster(const ShadowPolicy& p } } +void Filter::setupRouteTimeoutForWebsocketUpgrade() { + // Set up the route timeout early for websocket upgrades, since the upstream request + // will be paused waiting for the upgrade response and we need the timeout active. + if (!response_timeout_ && timeout_.global_timeout_.count() > 0) { + Event::Dispatcher& dispatcher = callbacks_->dispatcher(); + response_timeout_ = dispatcher.createTimer([this]() -> void { onResponseTimeout(); }); + response_timeout_->enableTimer(timeout_.global_timeout_); + } +} + +void Filter::disableRouteTimeoutForWebsocketUpgrade() { + // Disable the route timeout after websocket upgrade completes successfully + // to prevent timeout from firing after the upgrade is done. + if (response_timeout_) { + response_timeout_->disableTimer(); + response_timeout_.reset(); + } +} + void Filter::onRequestComplete() { // This should be called exactly once, when the downstream request has been received in full. ASSERT(!downstream_end_stream_); @@ -1163,7 +1182,7 @@ void Filter::onRequestComplete() { if (!upstream_requests_.empty()) { // Even if we got an immediate reset, we could still shadow, but that is a riskier change and // seems unnecessary right now. - if (timeout_.global_timeout_.count() > 0) { + if (timeout_.global_timeout_.count() > 0 && !response_timeout_) { response_timeout_ = dispatcher.createTimer([this]() -> void { onResponseTimeout(); }); response_timeout_->enableTimer(timeout_.global_timeout_); } diff --git a/source/common/router/router.h b/source/common/router/router.h index 6bf68b48876a7..3d2df4063b0b7 100644 --- a/source/common/router/router.h +++ b/source/common/router/router.h @@ -483,6 +483,8 @@ class Filter : Logger::Loggable, void onPerTryTimeout(UpstreamRequest& upstream_request) override; void onPerTryIdleTimeout(UpstreamRequest& upstream_request) override; void onStreamMaxDurationReached(UpstreamRequest& upstream_request) override; + void setupRouteTimeoutForWebsocketUpgrade() override; + void disableRouteTimeoutForWebsocketUpgrade() override; Http::StreamDecoderFilterCallbacks* callbacks() override { return callbacks_; } Upstream::ClusterInfoConstSharedPtr cluster() override { return cluster_; } FilterConfig& config() override { return *config_; } diff --git a/source/common/router/upstream_codec_filter.cc b/source/common/router/upstream_codec_filter.cc index c138950b39768..2d9d2a92a15be 100644 --- a/source/common/router/upstream_codec_filter.cc +++ b/source/common/router/upstream_codec_filter.cc @@ -164,6 +164,10 @@ void UpstreamCodecFilter::CodecBridge::decodeHeaders(Http::ResponseHeaderMapPtr& (protocol.has_value() && protocol.value() != Envoy::Http::Protocol::Http11)) { // handshake is finished and continue the data processing. filter_.callbacks_->upstreamCallbacks()->setPausedForWebsocketUpgrade(false); + // Disable the route timeout since the websocket upgrade completed successfully + filter_.callbacks_->upstreamCallbacks()->disableRouteTimeoutForWebsocketUpgrade(); + // Disable per-try timeouts since the websocket upgrade completed successfully + filter_.callbacks_->upstreamCallbacks()->disablePerTryTimeoutForWebsocketUpgrade(); filter_.callbacks_->continueDecoding(); } else if (Runtime::runtimeFeatureEnabled( "envoy.reloadable_features.websocket_allow_4xx_5xx_through_filter_chain") && diff --git a/source/common/router/upstream_request.cc b/source/common/router/upstream_request.cc index ca8912ffd160c..8ac147eadc213 100644 --- a/source/common/router/upstream_request.cc +++ b/source/common/router/upstream_request.cc @@ -393,6 +393,16 @@ void UpstreamRequest::acceptHeadersFromRouter(bool end_stream) { // method which is expecting 2xx response. } else if (Http::Utility::isWebSocketUpgradeRequest(*headers)) { paused_for_websocket_ = true; + + if (Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.websocket_enable_timeout_on_upgrade_response")) { + // For websocket upgrades, we need to set up timeouts immediately + // because the upstream request will be paused waiting for the upgrade response. + if (!per_try_timeout_) { + setupPerTryTimeout(); + } + parent_.setupRouteTimeoutForWebsocketUpgrade(); + } } // Kick off creation of the upstream connection immediately upon receiving headers. @@ -646,7 +656,7 @@ void UpstreamRequest::onPoolReady(std::unique_ptr&& upstream, upstream_info.setUpstreamProtocol(protocol.value()); } - if (parent_.downstreamEndStream()) { + if (parent_.downstreamEndStream() && !per_try_timeout_) { setupPerTryTimeout(); } else { create_per_try_timeout_on_request_complete_ = true; @@ -814,5 +824,27 @@ UpstreamRequestFilterManagerCallbacks::http1StreamEncoderOptions() { return upstream_request_.parent_.callbacks()->http1StreamEncoderOptions(); } +void UpstreamRequestFilterManagerCallbacks::disableRouteTimeoutForWebsocketUpgrade() { + upstream_request_.parent_.disableRouteTimeoutForWebsocketUpgrade(); +} + +void UpstreamRequestFilterManagerCallbacks::disablePerTryTimeoutForWebsocketUpgrade() { + // Disable the per-try timeout and idle timeout timers once websocket upgrade succeeds. + // This mirrors the behavior for route timeout disabling in upgrades. + upstream_request_.disablePerTryTimeoutForWebsocketUpgrade(); +} + +void UpstreamRequest::disablePerTryTimeoutForWebsocketUpgrade() { + // Disable and clear per-try timers so they do not fire after websocket upgrade. + if (per_try_timeout_ != nullptr) { + per_try_timeout_->disableTimer(); + per_try_timeout_.reset(); + } + if (per_try_idle_timeout_ != nullptr) { + per_try_idle_timeout_->disableTimer(); + per_try_idle_timeout_.reset(); + } +} + } // namespace Router } // namespace Envoy diff --git a/source/common/router/upstream_request.h b/source/common/router/upstream_request.h index eafe0d19323c3..0f2b1a063f94f 100644 --- a/source/common/router/upstream_request.h +++ b/source/common/router/upstream_request.h @@ -167,6 +167,8 @@ class UpstreamRequest : public Logger::Loggable, // Exposes streamInfo for the upstream stream. StreamInfo::StreamInfo& streamInfo() { return stream_info_; } bool hadUpstream() const { return had_upstream_; } + // Disable per-try timeouts for websocket upgrades after successful handshake + void disablePerTryTimeoutForWebsocketUpgrade(); private: friend class UpstreamFilterManager; @@ -369,6 +371,9 @@ class UpstreamRequestFilterManagerCallbacks : public Http::FilterManagerCallback upstream_request_.paused_for_websocket_ = value; } + void disableRouteTimeoutForWebsocketUpgrade() override; + void disablePerTryTimeoutForWebsocketUpgrade() override; + const Http::ConnectionPool::Instance::StreamOptions& upstreamStreamOptions() const override { return upstream_request_.upstreamStreamOptions(); } diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 19d559393d3b5..aa71150452972 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -84,6 +84,7 @@ RUNTIME_GUARD(envoy_reloadable_features_uri_template_match_on_asterisk); RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_reloadable_features_websocket_allow_4xx_5xx_through_filter_chain); +RUNTIME_GUARD(envoy_reloadable_features_websocket_enable_timeout_on_upgrade_response); RUNTIME_GUARD(envoy_reloadable_features_xds_failover_to_primary_enabled); RUNTIME_GUARD(envoy_restart_features_move_locality_schedulers_to_lb); diff --git a/source/common/tcp_proxy/upstream.h b/source/common/tcp_proxy/upstream.h index 661797dc65de0..e6932574b3abf 100644 --- a/source/common/tcp_proxy/upstream.h +++ b/source/common/tcp_proxy/upstream.h @@ -322,6 +322,8 @@ class CombinedUpstream : public GenericUpstream, public Envoy::Router::RouterFil void onPerTryTimeout(UpstreamRequest&) override {} void onPerTryIdleTimeout(UpstreamRequest&) override {} void onStreamMaxDurationReached(UpstreamRequest&) override {} + void setupRouteTimeoutForWebsocketUpgrade() override {} + void disableRouteTimeoutForWebsocketUpgrade() override {} Http::StreamDecoderFilterCallbacks* callbacks() override { return &decoder_filter_callbacks_; } Upstream::ClusterInfoConstSharedPtr cluster() override { return decoder_filter_callbacks_.clusterInfo(); diff --git a/test/integration/websocket_integration_test.cc b/test/integration/websocket_integration_test.cc index 9316dca81875f..c303ea2a23c98 100644 --- a/test/integration/websocket_integration_test.cc +++ b/test/integration/websocket_integration_test.cc @@ -837,6 +837,132 @@ TEST_P(WebsocketIntegrationTest, BidirectionalUpgradeFailedWithPrePayload) { ASSERT_TRUE(fake_upstream_connection->waitForDisconnect()); } +// Test websocket upgrade per-try timeout +TEST_P(WebsocketIntegrationTest, WebSocketUpgradePerTryTimeout) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_enable_timeout_on_upgrade_response", "true"}}); + + config_helper_.addConfigModifier(setRouteUsingWebsocket()); + config_helper_.addConfigModifier( + [&](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) -> void { + auto* route_config = hcm.mutable_route_config(); + auto* virtual_host = route_config->mutable_virtual_hosts(0); + auto* route = virtual_host->mutable_routes(0)->mutable_route(); + route->mutable_retry_policy()->mutable_per_try_timeout()->set_nanos( + 200 * 1000 * 1000); // 200ms per-try timeout + }); + initialize(); + + codec_client_ = makeHttpConnection(lookupPort("http")); + auto encoder_decoder = codec_client_->startRequest(upgradeRequestHeaders()); + request_encoder_ = &encoder_decoder.first; + response_ = std::move(encoder_decoder.second); + test_server_->waitForCounterGe("http.config_test.downstream_cx_upgrades_total", 1); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + + test_server_->waitForCounterGe("cluster.cluster_0.upstream_rq_per_try_timeout", 1); + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_EQ("504", response_->headers().getStatusValue()); + + codec_client_->close(); + ASSERT_TRUE(waitForUpstreamDisconnectOrReset()); +} + +// Test websocket upgrade route timeout +TEST_P(WebsocketIntegrationTest, WebSocketUpgradeRouteTimeout) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_enable_timeout_on_upgrade_response", "true"}}); + + config_helper_.addConfigModifier(setRouteUsingWebsocket()); + config_helper_.addConfigModifier( + [&](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) -> void { + auto* route_config = hcm.mutable_route_config(); + auto* virtual_host = route_config->mutable_virtual_hosts(0); + auto* route = virtual_host->mutable_routes(0)->mutable_route(); + route->mutable_timeout()->set_nanos(200 * 1000 * 1000); // 200ms route timeout + }); + initialize(); + + codec_client_ = makeHttpConnection(lookupPort("http")); + auto encoder_decoder = codec_client_->startRequest(upgradeRequestHeaders()); + request_encoder_ = &encoder_decoder.first; + response_ = std::move(encoder_decoder.second); + test_server_->waitForCounterGe("http.config_test.downstream_cx_upgrades_total", 1); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + + test_server_->waitForCounterGe("cluster.cluster_0.upstream_rq_timeout", 1); + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_EQ("504", response_->headers().getStatusValue()); + + codec_client_->close(); + ASSERT_TRUE(waitForUpstreamDisconnectOrReset()); +} + +// Test websocket upgrade route timeout is maintained with retries +TEST_P(WebsocketIntegrationTest, WebSocketUpgradeRouteTimeoutWithRetries) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.websocket_enable_timeout_on_upgrade_response", "true"}}); + + config_helper_.addConfigModifier(setRouteUsingWebsocket()); + config_helper_.addConfigModifier(setRouteRetryOn5xxPolicy()); + config_helper_.addConfigModifier( + [&](envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& + hcm) -> void { + auto* route_config = hcm.mutable_route_config(); + auto* virtual_host = route_config->mutable_virtual_hosts(0); + auto* route = virtual_host->mutable_routes(0)->mutable_route(); + route->mutable_timeout()->set_nanos(200 * 1000 * 1000); // 200ms route timeout + }); + initialize(); + + codec_client_ = makeHttpConnection(lookupPort("http")); + auto encoder_decoder = codec_client_->startRequest(upgradeRequestHeaders()); + request_encoder_ = &encoder_decoder.first; + response_ = std::move(encoder_decoder.second); + test_server_->waitForCounterGe("http.config_test.downstream_cx_upgrades_total", 1); + + // First attempt - send 500 to trigger retry + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForHeadersComplete()); + upstream_request_->encodeHeaders(upgradeFailedResponseHeaders(), false); + + // Wait for the first request to be reset or disconnected + ASSERT_TRUE(waitForUpstreamDisconnectOrReset()); + test_server_->waitForCounterEq("cluster.cluster_0.upstream_rq_retry", 1); + + // Second attempt - wait for new connection or reuse existing one + FakeHttpConnectionPtr fake_upstream_connection2; + FakeStreamPtr upstream_request2; + if (upstreamProtocol() == Http::CodecType::HTTP1) { + // HTTP/1 creates a new connection for retry + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection2)); + ASSERT_TRUE(fake_upstream_connection2->waitForNewStream(*dispatcher_, upstream_request2)); + } else { + // HTTP/2 and HTTP/3 can reuse the existing connection + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request2)); + } + ASSERT_TRUE(upstream_request2->waitForHeadersComplete()); + + // Route timeout should still fire after retry + test_server_->waitForCounterGe("cluster.cluster_0.upstream_rq_timeout", 1); + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_EQ("504", response_->headers().getStatusValue()); + + cleanupUpstreamAndDownstream(); +} + TEST_P(WebsocketIntegrationTest, WebsocketUpgradeWithDisabledSmallBufferFilter) { if (downstreamProtocol() != Http::CodecType::HTTP1 || upstreamProtocol() != Http::CodecType::HTTP1) { diff --git a/test/mocks/router/router_filter_interface.h b/test/mocks/router/router_filter_interface.h index 1dffa1177ef9a..92be0f8c83a20 100644 --- a/test/mocks/router/router_filter_interface.h +++ b/test/mocks/router/router_filter_interface.h @@ -35,6 +35,8 @@ class MockRouterFilterInterface : public RouterFilterInterface { MOCK_METHOD(void, onPerTryTimeout, (UpstreamRequest & upstream_request)); MOCK_METHOD(void, onPerTryIdleTimeout, (UpstreamRequest & upstream_request)); MOCK_METHOD(void, onStreamMaxDurationReached, (UpstreamRequest & upstream_request)); + MOCK_METHOD(void, setupRouteTimeoutForWebsocketUpgrade, ()); + MOCK_METHOD(void, disableRouteTimeoutForWebsocketUpgrade, ()); MOCK_METHOD(Envoy::Http::StreamDecoderFilterCallbacks*, callbacks, ()); MOCK_METHOD(Upstream::ClusterInfoConstSharedPtr, cluster, ()); From 8b38e06091e51e42257832a0ab9bd41ba0ccb716 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 23 Sep 2025 00:01:18 -0700 Subject: [PATCH 471/505] matcher: Add NetworkNamespaceInput matcher for namespace-based filter chain selection (#41145) ## Description We have a use-case where we want to ingress traffic on the same `IP:Port` from different network namespaces and map them to different filter chains based on which network namespace the traffic came from. Today, there is no `filter_chain_match` available based on the network namespace. In this PR, we are adding a new `NetworkNamespaceInput` which could be used in the `filter_chain_match` to match on the incoming network namespace to pick a unique filter chain. ### Testing ``` $ sudo ip netns add development $ sudo ip -n development link set lo up $ sudo ip netns exec development curl http://localhost:8080/foo ``` Screenshot 2025-09-19 at 20 43 09 **Config:** ``` static_resources: listeners: - name: multi_namespace_listener address: socket_address: protocol: TCP address: 127.0.0.1 port_value: 8080 network_namespace_filepath: "/var/run/netns/development" additional_addresses: - address: socket_address: protocol: TCP address: 127.0.0.1 port_value: 8080 network_namespace_filepath: "/var/run/netns/staging" - address: socket_address: protocol: TCP address: 127.0.0.1 port_value: 8080 network_namespace_filepath: "/var/run/netns/production" # Use filter_chain_matcher to route based on network namespace. filter_chain_matcher: matcher_tree: input: name: envoy.matching.inputs.network_namespace typed_config: "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.NetworkNamespaceInput exact_match_map: map: # Route traffic from namespace 'production' to production filter chain. "/var/run/netns/production": action: name: production_chain typed_config: "@type": type.googleapis.com/google.protobuf.StringValue value: production_chain # Route traffic from namespace 'staging' to staging filter chain. "/var/run/netns/staging": action: name: staging_chain typed_config: "@type": type.googleapis.com/google.protobuf.StringValue value: staging_chain # Route traffic from namespace 'development' to development filter chain. "/var/run/netns/development": action: name: development_chain typed_config: "@type": type.googleapis.com/google.protobuf.StringValue value: development_chain # Define filter chains for every environment. filter_chains: ... ``` --- **Commit Message:** matcher: Add NetworkNamespaceInput matcher for namespace-based filter chain selection **Additional Description:** Added a new `NetworkNamespaceInput` which could be used in the `filter_chain_match` to match on the incoming network namespace to pick a unique filter chain. **Risk Level:** Low **Testing:** Added Unit & Integration Tests **Docs Changes:** Added **Release Notes:** Added Signed-off-by: Rohit Agrawal --- CODEOWNERS | 2 + .../network/v3/network_inputs.proto | 14 + changelogs/current.yaml | 9 + .../configuration/listeners/listeners.rst | 1 + .../listeners/network_namespace_matching.rst | 259 ++++++++++++++++++ .../network_namespace_matching_example.yaml | 243 ++++++++++++++++ .../advanced/matching/matching_api.rst | 1 + source/extensions/extensions_build_config.bzl | 1 + source/extensions/extensions_metadata.yaml | 8 + .../extensions/matching/network/common/BUILD | 1 + .../matching/network/common/inputs.cc | 9 + .../matching/network/common/inputs.h | 42 +++ .../matching/network/common/inputs_test.cc | 108 ++++++++ tools/extensions/extensions_schema.yaml | 1 + 14 files changed, 699 insertions(+) create mode 100644 docs/root/configuration/listeners/network_namespace_matching.rst create mode 100644 docs/root/configuration/listeners/network_namespace_matching_example.yaml diff --git a/CODEOWNERS b/CODEOWNERS index 489d7efd015bd..7e1c2569c2ffc 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -197,6 +197,8 @@ extensions/upstreams/tcp @ggreenway @mattklein123 /*/extensions/matching/input_matchers/metadata @vikaschoudhary16 @kyessenov # environment generic input /*/extensions/matching/common_inputs/environment @donyu @mattklein123 +# network common inputs +/*/extensions/matching/common_inputs/network @agrawroh @kyessenov @wbpcode # format string matching /*/extensions/matching/actions/format_string @kyessenov @cpakulski # CEL data input diff --git a/api/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto b/api/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto index bea415a7101ff..b62690b4f262f 100644 --- a/api/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto +++ b/api/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto @@ -148,3 +148,17 @@ message DynamicMetadataInput { // The path to retrieve the Value from the Struct. repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; } + +// Input that matches by the network namespace of the listener address. +// This input returns the network namespace filepath that was used to create the listening socket. +// On Linux systems, this corresponds to the ``network_namespace_filepath`` field in the +// :ref:`SocketAddress ` configuration. +// +// .. note:: +// +// This input is only meaningful on Linux systems where network namespaces are supported. +// On other platforms, this input will always return an empty value. +// +// [#extension: envoy.matching.inputs.network_namespace] +message NetworkNamespaceInput { +} diff --git a/changelogs/current.yaml b/changelogs/current.yaml index a1d4de1f88b61..542b2f0e5e726 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -408,6 +408,15 @@ new_features: - area: tls_inspector change: | Added dynamic metadata when failing to parse the ``ClientHello``. +- area: matching + change: | + Added :ref:`NetworkNamespaceInput + ` to the + matcher framework. This input returns the listener address's ``network_namespace_filepath`` + for use with :ref:`filter_chain_matcher + `, enabling filter chain + selection based on the Linux network namespace of the bound socket. On non-Linux platforms, + the input returns an empty value and connections use the default filter chain. - area: lua change: | Added ``route()`` to the Stream handle API, allowing Lua scripts to retrieve route information. So far, the only method diff --git a/docs/root/configuration/listeners/listeners.rst b/docs/root/configuration/listeners/listeners.rst index 5e4cc6b22c5e4..ede3c56d2d3d9 100644 --- a/docs/root/configuration/listeners/listeners.rst +++ b/docs/root/configuration/listeners/listeners.rst @@ -13,3 +13,4 @@ Listeners network_filters/network_filters udp_filters/udp_filters lds + network_namespace_matching diff --git a/docs/root/configuration/listeners/network_namespace_matching.rst b/docs/root/configuration/listeners/network_namespace_matching.rst new file mode 100644 index 0000000000000..0f0ac5cd938fc --- /dev/null +++ b/docs/root/configuration/listeners/network_namespace_matching.rst @@ -0,0 +1,259 @@ +.. _config_listeners_network_namespace_matching: + +Network Namespace Matching +========================== + +Envoy supports routing connections to different filter chains based on the network namespace +of the listener address. This feature is particularly useful in containerized environments +where different services or environments are isolated using Linux network namespaces. + +.. attention:: + + Network namespace matching is only supported on Linux systems. On other platforms, + the network namespace input will always return an empty value, causing connections + to use the default filter chain. + +Overview +-------- + +Network namespace matching allows you to: + +* Route traffic from different network namespaces to different filter chains within a single listener. +* Implement multi-tenant architectures where each tenant has its own network namespace. +* Provide environment-specific routing like production, staging, or development based on namespace isolation. +* Maintain separate configurations for different containerized services. + +The network namespace is determined by the ``network_namespace_filepath`` field in the +:ref:`SocketAddress ` configuration of the listener. + +Configuration +------------- + +Network namespace matching is configured using the :ref:`filter_chain_matcher +` field with the +``envoy.matching.inputs.network_namespace`` input. + +Basic Configuration +~~~~~~~~~~~~~~~~~~~ + +.. code-block:: yaml + + listeners: + - name: ns_aware_listener + address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/development" + additional_addresses: + - address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/staging" + - address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/production" + + filter_chain_matcher: + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + typed_config: + "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.NetworkNamespaceInput + exact_match_map: + map: + "/var/run/netns/production": + action: + name: production_chain + "/var/run/netns/staging": + action: + name: staging_chain + "/var/run/netns/development": + action: + name: development_chain + + filter_chains: + - name: production_chain + # Production-specific filters + - name: staging_chain + # Staging-specific filters + - name: staging_chain + # Development-specific filters + + default_filter_chain: + # Default chain for unknown namespaces + +Multiple Listeners Approach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Alternatively, you can create separate listeners for each network namespace: + +.. code-block:: yaml + + listeners: + - name: production_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/production" + filter_chains: + - # Production-specific configuration + + - name: staging_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8080 # Same port, different namespace + network_namespace_filepath: "/var/run/netns/staging" + filter_chains: + - # Staging-specific configuration + +Input Behavior +-------------- + +The ``envoy.matching.inputs.network_namespace`` input: + +* Returns the network namespace filepath as a string when available. +* Returns an empty value (no match) when: + + * No network namespace is configured for the listener address. + * The network namespace filepath is empty. + * Running on non-Linux platforms where network namespaces are not supported. + * The address type doesn't support network namespaces (e.g., Unix domain sockets). + +* Always returns the namespace of the listener's local address, not the client's namespace. + +Matching Strategies +------------------- + +Exact Match +~~~~~~~~~~~ + +Use exact string matching for specific namespaces: + +.. code-block:: yaml + + exact_match_map: + map: + "/var/run/netns/production": { action: { name: "prod_chain" } } + "/var/run/netns/staging": { action: { name: "staging_chain" } } + +Prefix Match +~~~~~~~~~~~~ + +Use prefix matching for namespace hierarchies: + +.. code-block:: yaml + + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + prefix_match_map: + map: + "/var/run/netns/prod": { action: { name: "production_chain" } } + "/var/run/netns/dev": { action: { name: "development_chain" } } + +Complex Matching +~~~~~~~~~~~~~~~~ + +Combine with other inputs for sophisticated routing: + +.. code-block:: yaml + + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + exact_match_map: + map: + "/var/run/netns/production": + matcher: + matcher_tree: + input: + name: envoy.matching.inputs.destination_port + exact_match_map: + map: + "8080": { action: { name: "prod_http_chain" } } + "8443": { action: { name: "prod_https_chain" } } + +Use Cases +--------- + +Multi-Tenant Architecture +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Route requests from different tenants to isolated backend services: + +.. code-block:: yaml + + filter_chain_matcher: + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + exact_match_map: + map: + "/var/run/netns/tenant_a": + action: { name: "tenant_a_chain" } + "/var/run/netns/tenant_b": + action: { name: "tenant_b_chain" } + +Environment Isolation +~~~~~~~~~~~~~~~~~~~~~ + +Separate production, staging, and development traffic: + +.. code-block:: yaml + + filter_chain_matcher: + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + exact_match_map: + map: + "/var/run/netns/production": + action: { name: "production_chain" } + "/var/run/netns/staging": + action: { name: "staging_chain" } + "/var/run/netns/development": + action: { name: "development_chain" } + +Service Mesh Integration +~~~~~~~~~~~~~~~~~~~~~~~~ + +Route traffic based on service identity encoded in network namespaces: + +.. code-block:: yaml + + filter_chain_matcher: + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + prefix_match_map: + map: + "/var/run/netns/service-": + matcher: + # Further routing based on service name extracted from namespace + +Statistics +---------- + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + "listener..filter_chain_selected.", Counter, "Total number of connections routed to the specified filter chain." + "listener..no_filter_chain_match", Counter, "Total number of connections that did not match any filter chain." + "listener_manager.listener_create_success", Counter, "Total number of successfully created listeners." + "listener_manager.listener_create_failure", Counter, "Total number of listener creation failures." + +Example Configuration +--------------------- + +See :repo:`network_namespace_matching_example.yaml ` +for a complete example configuration demonstrating various network namespace matching scenarios. diff --git a/docs/root/configuration/listeners/network_namespace_matching_example.yaml b/docs/root/configuration/listeners/network_namespace_matching_example.yaml new file mode 100644 index 0000000000000..f160c02ad0178 --- /dev/null +++ b/docs/root/configuration/listeners/network_namespace_matching_example.yaml @@ -0,0 +1,243 @@ +# Example configuration demonstrating network namespace-based filter chain matching +# This configuration shows how to route traffic to different filter chains based on +# the network namespace of the listener address. +static_resources: + listeners: + - name: multi_namespace_listener + # This listener will bind to all three network namespaces on the same IP:port. + # Individual addresses can specify different namespaces. + address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/development" + additional_addresses: + - address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/staging" + - address: + socket_address: + protocol: TCP + address: 127.0.0.1 + port_value: 8080 + network_namespace_filepath: "/var/run/netns/production" + + # Use filter_chain_matcher to route based on network namespace. + filter_chain_matcher: + matcher_tree: + input: + name: envoy.matching.inputs.network_namespace + typed_config: + "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.NetworkNamespaceInput + exact_match_map: + map: + # Route traffic from namespace 'production' to production filter chain. + "/var/run/netns/production": + action: + name: production_chain + typed_config: + "@type": type.googleapis.com/google.protobuf.StringValue + value: production_chain + # Route traffic from namespace 'staging' to staging filter chain. + "/var/run/netns/staging": + action: + name: staging_chain + typed_config: + "@type": type.googleapis.com/google.protobuf.StringValue + value: staging_chain + # Route traffic from namespace 'development' to development filter chain. + "/var/run/netns/development": + action: + name: development_chain + typed_config: + "@type": type.googleapis.com/google.protobuf.StringValue + value: development_chain + # Define filter chains for Production environment. + filter_chains: + - name: production_chain + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: production_hcm + route_config: + name: production_routes + virtual_hosts: + - name: production_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: production_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + # Define filter chains for Staging environment. + - name: staging_chain + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: staging_hcm + route_config: + name: staging_routes + virtual_hosts: + - name: staging_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: staging_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + # Define filter chains for Development environment. + - name: development_chain + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: development_hcm + route_config: + name: development_routes + virtual_hosts: + - name: development_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: development_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + # Default filter chain for connections from unknown namespaces or non-Linux platforms. + default_filter_chain: + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: default_hcm + route_config: + name: default_routes + virtual_hosts: + - name: default_service + domains: ["*"] + routes: + - match: + prefix: "/" + direct_response: + status: 503 + body: + inline_string: "Service not available from this network namespace" + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Multiple listeners with different network namespaces. + - name: production_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8081 + network_namespace_filepath: "/var/run/netns/production" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: production_dedicated + route_config: + name: production_dedicated_routes + virtual_hosts: + - name: production_dedicated_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: production_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + - name: staging_listener + address: + socket_address: + address: 127.0.0.1 + port_value: 8081 # Same port, different namespace + network_namespace_filepath: "/var/run/netns/staging" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: staging_dedicated + route_config: + name: staging_dedicated_routes + virtual_hosts: + - name: staging_dedicated_service + domains: ["*"] + routes: + - match: + prefix: "/" + route: + cluster: staging_cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: production_cluster + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: production_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: production-backend + port_value: 80 + + - name: staging_cluster + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: staging_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: staging-backend + port_value: 80 + + - name: development_cluster + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: development_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: development-backend + port_value: 80 diff --git a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst index af2abdf2d0c75..a20991336f420 100644 --- a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst +++ b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst @@ -49,6 +49,7 @@ These input functions are available for matching TCP connections and HTTP reques * :ref:`Direct source IP `. * :ref:`Source type `. * :ref:`Server name `. +* :ref:`Network namespace `. * :ref:`Filter state `. These input functions are available for matching TCP connections: diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 709f97e39344c..dd3dfd86f6c62 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -103,6 +103,7 @@ EXTENSIONS = { "envoy.matching.inputs.direct_source_ip": "//source/extensions/matching/network/common:inputs_lib", "envoy.matching.inputs.source_type": "//source/extensions/matching/network/common:inputs_lib", "envoy.matching.inputs.server_name": "//source/extensions/matching/network/common:inputs_lib", + "envoy.matching.inputs.network_namespace": "//source/extensions/matching/network/common:inputs_lib", "envoy.matching.inputs.transport_protocol": "//source/extensions/matching/network/common:inputs_lib", "envoy.matching.inputs.filter_state": "//source/extensions/matching/network/common:inputs_lib", diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 8d6ca2a978209..590f6d0c94a36 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -1701,6 +1701,14 @@ envoy.matching.inputs.dynamic_metadata: status: stable type_urls: - envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput +envoy.matching.inputs.network_namespace: + categories: + - envoy.matching.http.input + - envoy.matching.network.input + security_posture: unknown + status: stable + type_urls: + - envoy.extensions.matching.common_inputs.network.v3.NetworkNamespaceInput envoy.matching.inputs.uri_san: categories: - envoy.matching.http.input diff --git a/source/extensions/matching/network/common/BUILD b/source/extensions/matching/network/common/BUILD index 32e1fdbe59c2f..48bc711c26f42 100644 --- a/source/extensions/matching/network/common/BUILD +++ b/source/extensions/matching/network/common/BUILD @@ -22,6 +22,7 @@ envoy_cc_extension( "//envoy/matcher:matcher_interface", "//envoy/network:filter_interface", "//envoy/registry", + "//source/common/common:logger_lib", "//source/common/network:utility_lib", "@envoy_api//envoy/extensions/matching/common_inputs/network/v3:pkg_cc_proto", ], diff --git a/source/extensions/matching/network/common/inputs.cc b/source/extensions/matching/network/common/inputs.cc index e36a608a6c431..f79f281705411 100644 --- a/source/extensions/matching/network/common/inputs.cc +++ b/source/extensions/matching/network/common/inputs.cc @@ -72,6 +72,15 @@ class HttpFilterStateInputFactory : public FilterStateInputBaseFactory); REGISTER_FACTORY(HttpFilterStateInputFactory, Matcher::DataInputFactory); +class NetworkNamespaceInputFactory : public NetworkNamespaceInputBaseFactory {}; +class UdpNetworkNamespaceInputFactory : public NetworkNamespaceInputBaseFactory {}; +class HttpNetworkNamespaceInputFactory + : public NetworkNamespaceInputBaseFactory {}; +REGISTER_FACTORY(NetworkNamespaceInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(UdpNetworkNamespaceInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpNetworkNamespaceInputFactory, + Matcher::DataInputFactory); + } // namespace Matching } // namespace Network } // namespace Envoy diff --git a/source/extensions/matching/network/common/inputs.h b/source/extensions/matching/network/common/inputs.h index 46297c8e2b685..6ede244482c6e 100644 --- a/source/extensions/matching/network/common/inputs.h +++ b/source/extensions/matching/network/common/inputs.h @@ -6,6 +6,7 @@ #include "envoy/network/filter.h" #include "envoy/registry/registry.h" +#include "source/common/common/logger.h" #include "source/common/network/utility.h" namespace Envoy { @@ -308,6 +309,47 @@ class FilterStateInputBaseFactory : public Matcher::DataInputFactory +class NetworkNamespaceInput : public Matcher::DataInput, + public Logger::Loggable { +public: + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto& address = data.localAddress(); + const auto network_namespace = address.networkNamespace(); + + if (network_namespace.has_value() && !network_namespace->empty()) { + ENVOY_LOG(debug, "NetworkNamespaceInput: local_address={} network_namespace='{}'", + address.asString(), network_namespace.value()); + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + network_namespace.value()}; + } + + ENVOY_LOG(debug, "NetworkNamespaceInput: no network namespace for local_address={}", + address.asString()); + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::monostate()}; + } +}; + +template +class NetworkNamespaceInputBaseFactory + : public BaseFactory< + NetworkNamespaceInput, + envoy::extensions::matching::common_inputs::network::v3::NetworkNamespaceInput, + MatchingDataType> { +public: + NetworkNamespaceInputBaseFactory() + : BaseFactory, + envoy::extensions::matching::common_inputs::network::v3::NetworkNamespaceInput, + MatchingDataType>("network_namespace") {} + + // Provide a literal factory name for static discovery by the extensions checker. + std::string name() const override { return "envoy.matching.inputs.network_namespace"; } +}; + +DECLARE_FACTORY(NetworkNamespaceInputFactory); +DECLARE_FACTORY(UdpNetworkNamespaceInputFactory); +DECLARE_FACTORY(HttpNetworkNamespaceInputFactory); + } // namespace Matching } // namespace Network } // namespace Envoy diff --git a/test/extensions/matching/network/common/inputs_test.cc b/test/extensions/matching/network/common/inputs_test.cc index dc1cdec7386c4..324fda87b751c 100644 --- a/test/extensions/matching/network/common/inputs_test.cc +++ b/test/extensions/matching/network/common/inputs_test.cc @@ -450,6 +450,114 @@ TEST(UdpMatchingData, UdpSourcePortInput) { } } +TEST(MatchingData, NetworkNamespaceInput) { + NetworkNamespaceInput input; + MockConnectionSocket socket; + StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection); + envoy::config::core::v3::Metadata metadata; + MatchingDataImpl data(socket, filter_state, metadata); + + // Test with no network namespace (default case). + { + socket.connection_info_provider_->setLocalAddress( + std::make_shared("127.0.0.1", 8080)); + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_TRUE(absl::holds_alternative(result.data_)); + } + + // Test with network namespace. + { + socket.connection_info_provider_->setLocalAddress( + std::make_shared( + "127.0.0.1", 8080, nullptr, absl::make_optional(std::string("/var/run/netns/ns1")))); + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(absl::get(result.data_), "/var/run/netns/ns1"); + } + + // Test with empty network namespace. + { + socket.connection_info_provider_->setLocalAddress( + std::make_shared("127.0.0.1", 8080, nullptr, + absl::make_optional(std::string("")))); + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_TRUE(absl::holds_alternative(result.data_)); + } + + // Test with IPv6 address and network namespace. + { + socket.connection_info_provider_->setLocalAddress( + std::make_shared( + "::1", 8080, nullptr, true, absl::make_optional(std::string("/var/run/netns/ns2")))); + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(absl::get(result.data_), "/var/run/netns/ns2"); + } + + // Test with pipe address. This should return monostate since pipes don't have network namespaces. + { + socket.connection_info_provider_->setLocalAddress( + *Network::Address::PipeInstance::create("/pipe/path")); + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_TRUE(absl::holds_alternative(result.data_)); + } +} + +TEST(MatchingData, HttpNetworkNamespaceInput) { + auto connection_info_provider = std::make_shared( + std::make_shared( + "127.0.0.1", 8080, nullptr, absl::make_optional(std::string("/var/run/netns/http_ns"))), + std::make_shared("10.0.0.1", 9090)); + + StreamInfo::StreamInfoImpl stream_info( + Http::Protocol::Http2, Event::GlobalTimeSystem().timeSystem(), connection_info_provider, + StreamInfo::FilterState::LifeSpan::FilterChain); + Http::Matching::HttpMatchingDataImpl data(stream_info); + + NetworkNamespaceInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(absl::get(result.data_), "/var/run/netns/http_ns"); +} + +TEST(UdpMatchingData, UdpNetworkNamespaceInput) { + NetworkNamespaceInput input; + + // Test with network namespace. + { + const Address::Ipv4Instance local_ip("127.0.0.1", 8080, nullptr, + absl::make_optional(std::string("/var/run/netns/udp_ns"))); + const Address::Ipv4Instance remote_ip("10.0.0.1", 9090); + UdpMatchingDataImpl data(local_ip, remote_ip); + + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(absl::get(result.data_), "/var/run/netns/udp_ns"); + } + + // Test without network namespace. + { + const Address::Ipv4Instance local_ip("127.0.0.1", 8080); + const Address::Ipv4Instance remote_ip("10.0.0.1", 9090); + UdpMatchingDataImpl data(local_ip, remote_ip); + + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_TRUE(absl::holds_alternative(result.data_)); + } +} + } // namespace Matching } // namespace Network } // namespace Envoy diff --git a/tools/extensions/extensions_schema.yaml b/tools/extensions/extensions_schema.yaml index 39de74ef912ae..4f701c040a1b7 100644 --- a/tools/extensions/extensions_schema.yaml +++ b/tools/extensions/extensions_schema.yaml @@ -19,6 +19,7 @@ builtin: - envoy.matching.inputs.direct_source_ip - envoy.matching.inputs.source_type - envoy.matching.inputs.server_name +- envoy.matching.inputs.network_namespace - envoy.matching.inputs.transport_protocol - envoy.matching.inputs.application_protocol - envoy.matching.inputs.filter_state From 33a359fb6ce20220f23b7ca8dc8e01e0d3ce8805 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 23 Sep 2025 09:28:26 -0400 Subject: [PATCH 472/505] access-log: refactor the MetadataMatcher to use simpler present matcher (#41029) Signed-off-by: Adi Suissa-Peleg --- source/common/access_log/access_log_impl.cc | 10 +++------- source/common/access_log/access_log_impl.h | 2 +- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/source/common/access_log/access_log_impl.cc b/source/common/access_log/access_log_impl.cc index 67f3581bcf413..e0541781d8f9a 100644 --- a/source/common/access_log/access_log_impl.cc +++ b/source/common/access_log/access_log_impl.cc @@ -292,7 +292,8 @@ bool LogTypeFilter::evaluate(const Formatter::HttpFormatterContext& context, MetadataFilter::MetadataFilter(const envoy::config::accesslog::v3::MetadataFilter& filter_config, Server::Configuration::CommonFactoryContext& context) - : default_match_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_config, match_if_key_not_found, true)), + : present_matcher_(true), + default_match_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_config, match_if_key_not_found, true)), filter_(filter_config.matcher().filter()) { if (filter_config.has_matcher()) { @@ -306,11 +307,6 @@ MetadataFilter::MetadataFilter(const envoy::config::accesslog::v3::MetadataFilte const auto& val = matcher_config.value(); value_matcher_ = Matchers::ValueMatcher::create(val, context); } - - // Matches if the value is present in dynamic metadata - auto present_val = envoy::type::matcher::v3::ValueMatcher(); - present_val.set_present_match(true); - present_matcher_ = Matchers::ValueMatcher::create(present_val, context); } bool MetadataFilter::evaluate(const Formatter::HttpFormatterContext&, @@ -319,7 +315,7 @@ bool MetadataFilter::evaluate(const Formatter::HttpFormatterContext&, Envoy::Config::Metadata::metadataValue(&info.dynamicMetadata(), filter_, path_); // If the key corresponds to a set value in dynamic metadata, return true if the value matches the // the configured 'MetadataMatcher' value and false otherwise - if (present_matcher_->match(value)) { + if (present_matcher_.match(value)) { return value_matcher_ && value_matcher_->match(value); } diff --git a/source/common/access_log/access_log_impl.h b/source/common/access_log/access_log_impl.h index 7f3abc93adda5..d60b1f15b0a98 100644 --- a/source/common/access_log/access_log_impl.h +++ b/source/common/access_log/access_log_impl.h @@ -249,7 +249,7 @@ class MetadataFilter : public Filter { const StreamInfo::StreamInfo& info) const override; private: - Matchers::ValueMatcherConstSharedPtr present_matcher_; + Matchers::PresentMatcher present_matcher_; Matchers::ValueMatcherConstSharedPtr value_matcher_; std::vector path_; From 6e0055d44174e13b9fd3cc4028fd83a6419cca36 Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 23 Sep 2025 09:28:50 -0400 Subject: [PATCH 473/505] access-log: refactor the ResponseFlagFilter and remove an redundant boolean flag (#41030) Signed-off-by: Adi Suissa-Peleg --- source/common/access_log/access_log_impl.cc | 32 ++++++++++----------- source/common/access_log/access_log_impl.h | 1 - 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/source/common/access_log/access_log_impl.cc b/source/common/access_log/access_log_impl.cc index e0541781d8f9a..fd6ba4974a18d 100644 --- a/source/common/access_log/access_log_impl.cc +++ b/source/common/access_log/access_log_impl.cc @@ -217,27 +217,27 @@ bool HeaderFilter::evaluate(const Formatter::HttpFormatterContext& context, } ResponseFlagFilter::ResponseFlagFilter( - const envoy::config::accesslog::v3::ResponseFlagFilter& config) - : has_configured_flags_(!config.flags().empty()) { - - // Preallocate the vector to avoid frequent heap allocations. - configured_flags_.resize(StreamInfo::ResponseFlagUtils::responseFlagsVec().size(), false); - for (int i = 0; i < config.flags_size(); i++) { - auto response_flag = StreamInfo::ResponseFlagUtils::toResponseFlag(config.flags(i)); - // The config has been validated. Therefore, every flag in the config will have a mapping. - ASSERT(response_flag.has_value()); - - // The vector is allocated with the size of the response flags vec. Therefore, the index - // should always be valid. - ASSERT(response_flag.value().value() < configured_flags_.size()); - - configured_flags_[response_flag.value().value()] = true; + const envoy::config::accesslog::v3::ResponseFlagFilter& config) { + if (!config.flags().empty()) { + // Preallocate the vector to avoid frequent heap allocations. + configured_flags_.resize(StreamInfo::ResponseFlagUtils::responseFlagsVec().size(), false); + for (int i = 0; i < config.flags_size(); i++) { + auto response_flag = StreamInfo::ResponseFlagUtils::toResponseFlag(config.flags(i)); + // The config has been validated. Therefore, every flag in the config will have a mapping. + ASSERT(response_flag.has_value()); + + // The vector is allocated with the size of the response flags vec. Therefore, the index + // should always be valid. + ASSERT(response_flag.value().value() < configured_flags_.size()); + + configured_flags_[response_flag.value().value()] = true; + } } } bool ResponseFlagFilter::evaluate(const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo& info) const { - if (has_configured_flags_) { + if (!configured_flags_.empty()) { for (const auto flag : info.responseFlags()) { ASSERT(flag.value() < configured_flags_.size()); if (configured_flags_[flag.value()]) { diff --git a/source/common/access_log/access_log_impl.h b/source/common/access_log/access_log_impl.h index d60b1f15b0a98..bbf0264cb5ac3 100644 --- a/source/common/access_log/access_log_impl.h +++ b/source/common/access_log/access_log_impl.h @@ -188,7 +188,6 @@ class ResponseFlagFilter : public Filter { const StreamInfo::StreamInfo& info) const override; private: - const bool has_configured_flags_{}; std::vector configured_flags_{}; }; From b6aa789021adb8623b54533257234f4e06ea61a3 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Tue, 23 Sep 2025 15:37:55 +0200 Subject: [PATCH 474/505] fmtlib: align BUILD files with their BCR definitions (#40908) Commit Message: fmtlib: align BUILD files with their BCR definitions Additional Description: This is aligning BUILD files with their actual content in publicated modules in BCR, update the associated dependencies It is related to https://github.com/envoyproxy/envoy/pull/40692 Signed-off-by: Matthieu MOREL --- .bazelrc | 4 ++-- bazel/external/fmtlib.BUILD | 2 +- bazel/external/spdlog.BUILD | 2 +- mobile/WORKSPACE | 2 +- mobile/docs/BUILD | 1 + source/common/common/BUILD | 2 +- source/common/orca/BUILD | 4 ++-- test/common/orca/BUILD | 6 +++--- 8 files changed, 12 insertions(+), 11 deletions(-) diff --git a/.bazelrc b/.bazelrc index b97e00632aca7..8241adbbf8113 100644 --- a/.bazelrc +++ b/.bazelrc @@ -276,7 +276,7 @@ build:fuzz-coverage --test_tag_filters=-nocoverage # resources required to build and run the tests. build:fuzz-coverage --define=wasm=disabled build:fuzz-coverage --config=fuzz-coverage-config -build:fuzz-coverage-config --//tools/coverage:config=//test:fuzz_coverage_config +build:fuzz-coverage-config --//tools/coverage:config=@envoy//test:fuzz_coverage_config build:cache-local --remote_cache=grpc://localhost:9092 @@ -563,7 +563,7 @@ common:remote-cache-envoy-engflow --config=common-envoy-engflow common:remote-cache-envoy-engflow --config=cache-envoy-engflow # Specifies the rustfmt.toml for all rustfmt_test targets. -build --@rules_rust//rust/settings:rustfmt.toml=//:rustfmt.toml +build --@rules_rust//rust/settings:rustfmt.toml=@envoy//:rustfmt.toml ############################################################################# # debug: Various Bazel debugging flags diff --git a/bazel/external/fmtlib.BUILD b/bazel/external/fmtlib.BUILD index 3000f503fd7fd..0039e1eedf3e3 100644 --- a/bazel/external/fmtlib.BUILD +++ b/bazel/external/fmtlib.BUILD @@ -1,7 +1,7 @@ licenses(["notice"]) # Apache 2 cc_library( - name = "fmtlib", + name = "fmt", hdrs = glob([ "include/fmt/*.h", ]), diff --git a/bazel/external/spdlog.BUILD b/bazel/external/spdlog.BUILD index bcf82ad23f272..3ac39dbfcce54 100644 --- a/bazel/external/spdlog.BUILD +++ b/bazel/external/spdlog.BUILD @@ -11,5 +11,5 @@ cc_library( ], includes = ["include"], visibility = ["//visibility:public"], - deps = ["@com_github_fmtlib_fmt//:fmtlib"], + deps = ["@com_github_fmtlib_fmt//:fmt"], ) diff --git a/mobile/WORKSPACE b/mobile/WORKSPACE index e03a4865991c6..4f69835631999 100644 --- a/mobile/WORKSPACE +++ b/mobile/WORKSPACE @@ -56,7 +56,7 @@ envoy_dependencies() load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra") -envoy_dependencies_extra(ignore_root_user_error=True) +envoy_dependencies_extra(ignore_root_user_error = True) load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies") diff --git a/mobile/docs/BUILD b/mobile/docs/BUILD index c32bcffcba352..b0bfdd30f2532 100644 --- a/mobile/docs/BUILD +++ b/mobile/docs/BUILD @@ -3,6 +3,7 @@ load("@envoy//bazel:envoy_build_system.bzl", "envoy_mobile_package") load("@envoy//tools/python:namespace.bzl", "envoy_py_namespace") load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup", "pkg_files") load("@rules_pkg//pkg:pkg.bzl", "pkg_tar") +load("@rules_python//python/entry_points:py_console_script_binary.bzl", "py_console_script_binary") licenses(["notice"]) # Apache 2 diff --git a/source/common/common/BUILD b/source/common/common/BUILD index ef91ada8975e9..ebad046d397c7 100644 --- a/source/common/common/BUILD +++ b/source/common/common/BUILD @@ -139,7 +139,7 @@ envoy_basic_cc_library( hdrs = ["fmt.h"], deps = [ "//envoy/common:base_includes", - "@com_github_fmtlib_fmt//:fmtlib", + "@com_github_fmtlib_fmt//:fmt", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", ], diff --git a/source/common/orca/BUILD b/source/common/orca/BUILD index 56d750828fb64..0787c80e2bbf6 100644 --- a/source/common/orca/BUILD +++ b/source/common/orca/BUILD @@ -19,7 +19,7 @@ envoy_cc_library( "//source/common/http:header_utility_lib", "//source/common/protobuf:utility_lib_header", "@com_github_cncf_xds//xds/data/orca/v3:pkg_cc_proto", - "@com_github_fmtlib_fmt//:fmtlib", + "@com_github_fmtlib_fmt//:fmt", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", ], @@ -35,7 +35,7 @@ envoy_cc_library( "//source/common/http:header_utility_lib", "//source/common/protobuf:utility_lib_header", "@com_github_cncf_xds//xds/data/orca/v3:pkg_cc_proto", - "@com_github_fmtlib_fmt//:fmtlib", + "@com_github_fmtlib_fmt//:fmt", "@com_google_absl//absl/container:flat_hash_map", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", diff --git a/test/common/orca/BUILD b/test/common/orca/BUILD index ec4803a557d9c..9a00e98464778 100644 --- a/test/common/orca/BUILD +++ b/test/common/orca/BUILD @@ -20,7 +20,7 @@ envoy_cc_test( "//test/test_common:status_utility_lib", "//test/test_common:utility_lib", "@com_github_cncf_xds//xds/data/orca/v3:pkg_cc_proto", - "@com_github_fmtlib_fmt//:fmtlib", + "@com_github_fmtlib_fmt//:fmt", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", ], @@ -36,7 +36,7 @@ envoy_cc_test( "//test/test_common:status_utility_lib", "//test/test_common:utility_lib", "@com_github_cncf_xds//xds/data/orca/v3:pkg_cc_proto", - "@com_github_fmtlib_fmt//:fmtlib", + "@com_github_fmtlib_fmt//:fmt", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", ], @@ -64,7 +64,7 @@ envoy_cc_fuzz_test( "//test/test_common:status_utility_lib", "//test/test_common:utility_lib", "@com_github_cncf_xds//xds/data/orca/v3:pkg_cc_proto", - "@com_github_fmtlib_fmt//:fmtlib", + "@com_github_fmtlib_fmt//:fmt", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", ], From fa86eb461f39c43c66f36a903ce1d8dc291af8d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 06:08:29 +0000 Subject: [PATCH 475/505] build(deps): bump actions/stale from 9.1.0 to 10.0.0 Bumps [actions/stale](https://github.com/actions/stale) from 9.1.0 to 10.0.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/5bef64f19d7facfb25b37b414482c7164d639639...3a9db7e6a41a89f618792c92c0e97cc736e1b13f) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 28cd64da6269f..58c7d896d374a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Prune Stale - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 + uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Different amounts of days for issues/PRs are not currently supported but there is a PR From 8e7a1ed265f965e3fe431510b7ecdf69768f5d50 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Sep 2025 06:04:06 +0000 Subject: [PATCH 476/505] build(deps): bump cffi from 1.17.1 to 2.0.0 in /tools/base Bumps [cffi](https://github.com/python-cffi/cffi) from 1.17.1 to 2.0.0. - [Release notes](https://github.com/python-cffi/cffi/releases) - [Commits](https://github.com/python-cffi/cffi/compare/v1.17.1...v2.0.0) --- updated-dependencies: - dependency-name: cffi dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- tools/base/requirements.txt | 153 ++++++++++++++++++++---------------- 1 file changed, 85 insertions(+), 68 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index 3ca2821395475..e8975186dc10d 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -243,74 +243,91 @@ certifi==2024.8.30 \ # via # aioquic # requests -cffi==1.17.1 \ - --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ - --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ - --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ - --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ - --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ - --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ - --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ - --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ - --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ - --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ - --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ - --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ - --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ - --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ - --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ - --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ - --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ - --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ - --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ - --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ - --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ - --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ - --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ - --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ - --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ - --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ - --hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ - --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ - --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ - --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ - --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ - --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ - --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ - --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ - --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ - --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ - --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ - --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ - --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ - --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ - --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ - --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ - --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ - --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ - --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ - --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ - --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ - --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ - --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ - --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ - --hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ - --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ - --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ - --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ - --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ - --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ - --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ - --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ - --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ - --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ - --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ - --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ - --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ - --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ - --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ - --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ - --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b +cffi==2.0.0 \ + --hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \ + --hash=sha256:07b271772c100085dd28b74fa0cd81c8fb1a3ba18b21e03d7c27f3436a10606b \ + --hash=sha256:087067fa8953339c723661eda6b54bc98c5625757ea62e95eb4898ad5e776e9f \ + --hash=sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9 \ + --hash=sha256:0cf2d91ecc3fcc0625c2c530fe004f82c110405f101548512cce44322fa8ac44 \ + --hash=sha256:0f6084a0ea23d05d20c3edcda20c3d006f9b6f3fefeac38f59262e10cef47ee2 \ + --hash=sha256:12873ca6cb9b0f0d3a0da705d6086fe911591737a59f28b7936bdfed27c0d47c \ + --hash=sha256:19f705ada2530c1167abacb171925dd886168931e0a7b78f5bffcae5c6b5be75 \ + --hash=sha256:1cd13c99ce269b3ed80b417dcd591415d3372bcac067009b6e0f59c7d4015e65 \ + --hash=sha256:1e3a615586f05fc4065a8b22b8152f0c1b00cdbc60596d187c2a74f9e3036e4e \ + --hash=sha256:1f72fb8906754ac8a2cc3f9f5aaa298070652a0ffae577e0ea9bd480dc3c931a \ + --hash=sha256:1fc9ea04857caf665289b7a75923f2c6ed559b8298a1b8c49e59f7dd95c8481e \ + --hash=sha256:203a48d1fb583fc7d78a4c6655692963b860a417c0528492a6bc21f1aaefab25 \ + --hash=sha256:2081580ebb843f759b9f617314a24ed5738c51d2aee65d31e02f6f7a2b97707a \ + --hash=sha256:21d1152871b019407d8ac3985f6775c079416c282e431a4da6afe7aefd2bccbe \ + --hash=sha256:24b6f81f1983e6df8db3adc38562c83f7d4a0c36162885ec7f7b77c7dcbec97b \ + --hash=sha256:256f80b80ca3853f90c21b23ee78cd008713787b1b1e93eae9f3d6a7134abd91 \ + --hash=sha256:28a3a209b96630bca57cce802da70c266eb08c6e97e5afd61a75611ee6c64592 \ + --hash=sha256:2c8f814d84194c9ea681642fd164267891702542f028a15fc97d4674b6206187 \ + --hash=sha256:2de9a304e27f7596cd03d16f1b7c72219bd944e99cc52b84d0145aefb07cbd3c \ + --hash=sha256:38100abb9d1b1435bc4cc340bb4489635dc2f0da7456590877030c9b3d40b0c1 \ + --hash=sha256:3925dd22fa2b7699ed2617149842d2e6adde22b262fcbfada50e3d195e4b3a94 \ + --hash=sha256:3e17ed538242334bf70832644a32a7aae3d83b57567f9fd60a26257e992b79ba \ + --hash=sha256:3e837e369566884707ddaf85fc1744b47575005c0a229de3327f8f9a20f4efeb \ + --hash=sha256:3f4d46d8b35698056ec29bca21546e1551a205058ae1a181d871e278b0b28165 \ + --hash=sha256:44d1b5909021139fe36001ae048dbdde8214afa20200eda0f64c068cac5d5529 \ + --hash=sha256:45d5e886156860dc35862657e1494b9bae8dfa63bf56796f2fb56e1679fc0bca \ + --hash=sha256:4647afc2f90d1ddd33441e5b0e85b16b12ddec4fca55f0d9671fef036ecca27c \ + --hash=sha256:4671d9dd5ec934cb9a73e7ee9676f9362aba54f7f34910956b84d727b0d73fb6 \ + --hash=sha256:53f77cbe57044e88bbd5ed26ac1d0514d2acf0591dd6bb02a3ae37f76811b80c \ + --hash=sha256:5eda85d6d1879e692d546a078b44251cdd08dd1cfb98dfb77b670c97cee49ea0 \ + --hash=sha256:5fed36fccc0612a53f1d4d9a816b50a36702c28a2aa880cb8a122b3466638743 \ + --hash=sha256:61d028e90346df14fedc3d1e5441df818d095f3b87d286825dfcbd6459b7ef63 \ + --hash=sha256:66f011380d0e49ed280c789fbd08ff0d40968ee7b665575489afa95c98196ab5 \ + --hash=sha256:6824f87845e3396029f3820c206e459ccc91760e8fa24422f8b0c3d1731cbec5 \ + --hash=sha256:6c6c373cfc5c83a975506110d17457138c8c63016b563cc9ed6e056a82f13ce4 \ + --hash=sha256:6d02d6655b0e54f54c4ef0b94eb6be0607b70853c45ce98bd278dc7de718be5d \ + --hash=sha256:6d50360be4546678fc1b79ffe7a66265e28667840010348dd69a314145807a1b \ + --hash=sha256:730cacb21e1bdff3ce90babf007d0a0917cc3e6492f336c2f0134101e0944f93 \ + --hash=sha256:737fe7d37e1a1bffe70bd5754ea763a62a066dc5913ca57e957824b72a85e205 \ + --hash=sha256:74a03b9698e198d47562765773b4a8309919089150a0bb17d829ad7b44b60d27 \ + --hash=sha256:7553fb2090d71822f02c629afe6042c299edf91ba1bf94951165613553984512 \ + --hash=sha256:7a66c7204d8869299919db4d5069a82f1561581af12b11b3c9f48c584eb8743d \ + --hash=sha256:7cc09976e8b56f8cebd752f7113ad07752461f48a58cbba644139015ac24954c \ + --hash=sha256:81afed14892743bbe14dacb9e36d9e0e504cd204e0b165062c488942b9718037 \ + --hash=sha256:8941aaadaf67246224cee8c3803777eed332a19d909b47e29c9842ef1e79ac26 \ + --hash=sha256:89472c9762729b5ae1ad974b777416bfda4ac5642423fa93bd57a09204712322 \ + --hash=sha256:8ea985900c5c95ce9db1745f7933eeef5d314f0565b27625d9a10ec9881e1bfb \ + --hash=sha256:8eca2a813c1cb7ad4fb74d368c2ffbbb4789d377ee5bb8df98373c2cc0dee76c \ + --hash=sha256:92b68146a71df78564e4ef48af17551a5ddd142e5190cdf2c5624d0c3ff5b2e8 \ + --hash=sha256:9332088d75dc3241c702d852d4671613136d90fa6881da7d770a483fd05248b4 \ + --hash=sha256:94698a9c5f91f9d138526b48fe26a199609544591f859c870d477351dc7b2414 \ + --hash=sha256:9a67fc9e8eb39039280526379fb3a70023d77caec1852002b4da7e8b270c4dd9 \ + --hash=sha256:9de40a7b0323d889cf8d23d1ef214f565ab154443c42737dfe52ff82cf857664 \ + --hash=sha256:a05d0c237b3349096d3981b727493e22147f934b20f6f125a3eba8f994bec4a9 \ + --hash=sha256:afb8db5439b81cf9c9d0c80404b60c3cc9c3add93e114dcae767f1477cb53775 \ + --hash=sha256:b18a3ed7d5b3bd8d9ef7a8cb226502c6bf8308df1525e1cc676c3680e7176739 \ + --hash=sha256:b1e74d11748e7e98e2f426ab176d4ed720a64412b6a15054378afdb71e0f37dc \ + --hash=sha256:b21e08af67b8a103c71a250401c78d5e0893beff75e28c53c98f4de42f774062 \ + --hash=sha256:b4c854ef3adc177950a8dfc81a86f5115d2abd545751a304c5bcf2c2c7283cfe \ + --hash=sha256:b882b3df248017dba09d6b16defe9b5c407fe32fc7c65a9c69798e6175601be9 \ + --hash=sha256:baf5215e0ab74c16e2dd324e8ec067ef59e41125d3eade2b863d294fd5035c92 \ + --hash=sha256:c649e3a33450ec82378822b3dad03cc228b8f5963c0c12fc3b1e0ab940f768a5 \ + --hash=sha256:c654de545946e0db659b3400168c9ad31b5d29593291482c43e3564effbcee13 \ + --hash=sha256:c6638687455baf640e37344fe26d37c404db8b80d037c3d29f58fe8d1c3b194d \ + --hash=sha256:c8d3b5532fc71b7a77c09192b4a5a200ea992702734a2e9279a37f2478236f26 \ + --hash=sha256:cb527a79772e5ef98fb1d700678fe031e353e765d1ca2d409c92263c6d43e09f \ + --hash=sha256:cf364028c016c03078a23b503f02058f1814320a56ad535686f90565636a9495 \ + --hash=sha256:d48a880098c96020b02d5a1f7d9251308510ce8858940e6fa99ece33f610838b \ + --hash=sha256:d68b6cef7827e8641e8ef16f4494edda8b36104d79773a334beaa1e3521430f6 \ + --hash=sha256:d9b29c1f0ae438d5ee9acb31cadee00a58c46cc9c0b2f9038c6b0b3470877a8c \ + --hash=sha256:d9b97165e8aed9272a6bb17c01e3cc5871a594a446ebedc996e2397a1c1ea8ef \ + --hash=sha256:da68248800ad6320861f129cd9c1bf96ca849a2771a59e0344e88681905916f5 \ + --hash=sha256:da902562c3e9c550df360bfa53c035b2f241fed6d9aef119048073680ace4a18 \ + --hash=sha256:dbd5c7a25a7cb98f5ca55d258b103a2054f859a46ae11aaf23134f9cc0d356ad \ + --hash=sha256:dd4f05f54a52fb558f1ba9f528228066954fee3ebe629fc1660d874d040ae5a3 \ + --hash=sha256:de8dad4425a6ca6e4e5e297b27b5c824ecc7581910bf9aee86cb6835e6812aa7 \ + --hash=sha256:e11e82b744887154b182fd3e7e8512418446501191994dbf9c9fc1f32cc8efd5 \ + --hash=sha256:e6e73b9e02893c764e7e8d5bb5ce277f1a009cd5243f8228f75f842bf937c534 \ + --hash=sha256:f73b96c41e3b2adedc34a7356e64c8eb96e03a3782b535e043a986276ce12a49 \ + --hash=sha256:f93fd8e5c8c0a4aa1f424d6173f14a892044054871c771f8566e4008eaa359d2 \ + --hash=sha256:fc33c5141b55ed366cfaad382df24fe7dcbc686de5be719b207bb248e3053dc5 \ + --hash=sha256:fc7de24befaeae77ba923797c7c87834c73648a05a4bde34b3b7e5588973a453 \ + --hash=sha256:fe562eb1a64e67dd297ccc4f5addea2501664954f2692b69a76449ec7913ecbf # via # -r requirements.in # cryptography From 195c5e31fec8d08d135d2f1c1e897de4313e47d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:13:50 +0000 Subject: [PATCH 477/505] build(deps): bump orjson from 3.11.0 to 3.11.3 in /tools/base Bumps [orjson](https://github.com/ijl/orjson) from 3.11.0 to 3.11.3. - [Release notes](https://github.com/ijl/orjson/releases) - [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md) - [Commits](https://github.com/ijl/orjson/compare/3.11.0...3.11.3) --- updated-dependencies: - dependency-name: orjson dependency-version: 3.11.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- tools/base/requirements.txt | 157 +++++++++++++++++++----------------- 1 file changed, 84 insertions(+), 73 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index e8975186dc10d..c4499e89df64b 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -916,79 +916,90 @@ multidict==6.6.3 \ # -r requirements.in # aiohttp # yarl -orjson==3.11.0 \ - --hash=sha256:02dd4f0a1a2be943a104ce5f3ec092631ee3e9f0b4bb9eeee3400430bd94ddef \ - --hash=sha256:05f094edd2b782650b0761fd78858d9254de1c1286f5af43145b3d08cdacfd51 \ - --hash=sha256:0759b36428067dc777b202dd286fbdd33d7f261c6455c4238ea4e8474358b1e6 \ - --hash=sha256:0846e13abe79daece94a00b92574f294acad1d362be766c04245b9b4dd0e47e1 \ - --hash=sha256:08e191f8a55ac2c00be48e98a5d10dca004cbe8abe73392c55951bfda60fc123 \ - --hash=sha256:105bca887532dc71ce4b05a5de95dea447a310409d7a8cf0cb1c4a120469e9ad \ - --hash=sha256:1235fe7bbc37164f69302199d46f29cfb874018738714dccc5a5a44042c79c77 \ - --hash=sha256:1785df7ada75c18411ff7e20ac822af904a40161ea9dfe8c55b3f6b66939add6 \ - --hash=sha256:2560b740604751854be146169c1de7e7ee1e6120b00c1788ec3f3a012c6a243f \ - --hash=sha256:28acd19822987c5163b9e03a6e60853a52acfee384af2b394d11cb413b889246 \ - --hash=sha256:2a585042104e90a61eda2564d11317b6a304eb4e71cd33e839f5af6be56c34d3 \ - --hash=sha256:2e4c129da624f291bcc607016a99e7f04a353f6874f3bd8d9b47b88597d5f700 \ - --hash=sha256:2fb8ca8f0b4e31b8aaec674c7540649b64ef02809410506a44dc68d31bd5647b \ - --hash=sha256:325be41a8d7c227d460a9795a181511ba0e731cf3fee088c63eb47e706ea7559 \ - --hash=sha256:359cbe11bc940c64cb3848cf22000d2aef36aff7bfd09ca2c0b9cb309c387132 \ - --hash=sha256:41b38a894520b8cb5344a35ffafdf6ae8042f56d16771b2c5eb107798cee85ee \ - --hash=sha256:4305a638f4cf9bed3746ca3b7c242f14e05177d5baec2527026e0f9ee6c24fb7 \ - --hash=sha256:4430ec6ff1a1f4595dd7e0fad991bdb2fed65401ed294984c490ffa025926325 \ - --hash=sha256:475491bb78af2a0170f49e90013f1a0f1286527f3617491f8940d7e5da862da7 \ - --hash=sha256:47a54e660414baacd71ebf41a69bb17ea25abb3c5b69ce9e13e43be7ac20e342 \ - --hash=sha256:4a8ba9698655e16746fdf5266939427da0f9553305152aeb1a1cc14974a19cfb \ - --hash=sha256:4bfcfe498484161e011f8190a400591c52b026de96b3b3cbd3f21e8999b9dc0e \ - --hash=sha256:51646f6d995df37b6e1b628f092f41c0feccf1d47e3452c6e95e2474b547d842 \ - --hash=sha256:51cdca2f36e923126d0734efaf72ddbb5d6da01dbd20eab898bdc50de80d7b5a \ - --hash=sha256:5579acd235dd134467340b2f8a670c1c36023b5a69c6a3174c4792af7502bd92 \ - --hash=sha256:5587c85ae02f608a3f377b6af9eb04829606f518257cbffa8f5081c1aacf2e2f \ - --hash=sha256:57e8e7198a679ab21241ab3f355a7990c7447559e35940595e628c107ef23736 \ - --hash=sha256:5f797d57814975b78f5f5423acb003db6f9be5186b72d48bd97a1000e89d331d \ - --hash=sha256:613e54a2b10b51b656305c11235a9c4a5c5491ef5c283f86483d4e9e123ed5e4 \ - --hash=sha256:63c1c9772dafc811d16d6a7efa3369a739da15d1720d6e58ebe7562f54d6f4a2 \ - --hash=sha256:64a6a3e94a44856c3f6557e6aa56a6686544fed9816ae0afa8df9077f5759791 \ - --hash=sha256:67133847f9a35a5ef5acfa3325d4a2f7fe05c11f1505c4117bb086fc06f2a58f \ - --hash=sha256:6d09176a4a9e04a5394a4a0edd758f645d53d903b306d02f2691b97d5c736a9e \ - --hash=sha256:6d750b97d22d5566955e50b02c622f3a1d32744d7a578c878b29a873190ccb7a \ - --hash=sha256:720b4bb5e1b971960a62c2fa254c2d2a14e7eb791e350d05df8583025aa59d15 \ - --hash=sha256:7cf728cb3a013bdf9f4132575404bf885aa773d8bb4205656575e1890fc91990 \ - --hash=sha256:8335a0ba1c26359fb5c82d643b4c1abbee2bc62875e0f2b5bde6c8e9e25eb68c \ - --hash=sha256:84ae3d329360cf18fb61b67c505c00dedb61b0ee23abfd50f377a58e7d7bed06 \ - --hash=sha256:8514f9f9c667ce7d7ef709ab1a73e7fcab78c297270e90b1963df7126d2b0e23 \ - --hash=sha256:894635df36c0be32f1c8c8607e853b8865edb58e7618e57892e85d06418723eb \ - --hash=sha256:8bf058105a8aed144e0d1cfe7ac4174748c3fc7203f225abaeac7f4121abccb0 \ - --hash=sha256:923301f33ea866b18f8836cf41d9c6d33e3b5cab8577d20fed34ec29f0e13a0d \ - --hash=sha256:93b64b254414e2be55ac5257124b5602c5f0b4d06b80bd27d1165efe8f36e836 \ - --hash=sha256:9457ccbd8b241fb4ba516417a4c5b95ba0059df4ac801309bcb4ec3870f45ad9 \ - --hash=sha256:99d17aab984f4d029b8f3c307e6be3c63d9ee5ef55e30d761caf05e883009949 \ - --hash=sha256:9b6fbc2fc825aff1456dd358c11a0ad7912a4cb4537d3db92e5334af7463a967 \ - --hash=sha256:9d4d86910554de5c9c87bc560b3bdd315cc3988adbdc2acf5dda3797079407ed \ - --hash=sha256:9dac7fbf3b8b05965986c5cfae051eb9a30fced7f15f1d13a5adc608436eb486 \ - --hash=sha256:a2788f741e5a0e885e5eaf1d91d0c9106e03cb9575b0c55ba36fd3d48b0b1e9b \ - --hash=sha256:a57899bebbcea146616a2426d20b51b3562b4bc9f8039a3bd14fae361c23053d \ - --hash=sha256:a640e3954e7b4fcb160097551e54cafbde9966be3991932155b71071077881aa \ - --hash=sha256:aa1120607ec8fc98acf8c54aac6fb0b7b003ba883401fa2d261833111e2fa071 \ - --hash=sha256:acf5a63ae9cdb88274126af85913ceae554d8fd71122effa24a53227abbeee16 \ - --hash=sha256:b4089f940c638bb1947d54e46c1cd58f4259072fcc97bc833ea9c78903150ac9 \ - --hash=sha256:b5a4214ea59c8a3b56f8d484b28114af74e9fba0956f9be5c3ce388ae143bf1f \ - --hash=sha256:b5a8243e73690cc6e9151c9e1dd046a8f21778d775f7d478fa1eb4daa4897c61 \ - --hash=sha256:b8913baba9751f7400f8fa4ec18a8b618ff01177490842e39e47b66c1b04bc79 \ - --hash=sha256:c27de273320294121200440cd5002b6aeb922d3cb9dab3357087c69f04ca6934 \ - --hash=sha256:c4b48d9775b0cf1f0aca734f4c6b272cbfacfac38e6a455e6520662f9434afb7 \ - --hash=sha256:c60c99fe1e15894367b0340b2ff16c7c69f9c3f3a54aa3961a58c102b292ad94 \ - --hash=sha256:c7a1964a71c1567b4570c932a0084ac24ad52c8cf6253d1881400936565ed438 \ - --hash=sha256:d2218629dbfdeeb5c9e0573d59f809d42f9d49ae6464d2f479e667aee14c3ef4 \ - --hash=sha256:d69f95d484938d8fab5963e09131bcf9fbbb81fa4ec132e316eb2fb9adb8ce78 \ - --hash=sha256:d79c180cfb3ae68f13245d0ff551dca03d96258aa560830bf8a223bd68d8272c \ - --hash=sha256:d9760217b84d1aee393b4436fbe9c639e963ec7bc0f2c074581ce5fb3777e466 \ - --hash=sha256:dd7f9cd995da9e46fbac0a371f0ff6e89a21d8ecb7a8a113c0acb147b0a32f73 \ - --hash=sha256:e8d38d9e1e2cf9729658e35956cf01e13e89148beb4cb9e794c9c10c5cb252f8 \ - --hash=sha256:e98f02e23611763c9e5dfcb83bd33219231091589f0d1691e721aea9c52bf329 \ - --hash=sha256:ebeecd5d5511b3ca9dc4e7db0ab95266afd41baf424cc2fad8c2d3a3cdae650a \ - --hash=sha256:f018ed1986d79434ac712ff19f951cd00b4dfcb767444410fbb834ebec160abf \ - --hash=sha256:fe36e5012f886ff91c68b87a499c227fa220e9668cea96335219874c8be5fab5 \ - --hash=sha256:feaed3ed43a1d2df75c039798eb5ec92c350c7d86be53369bafc4f3700ce7df2 +orjson==3.11.3 \ + --hash=sha256:00f1a271e56d511d1569937c0447d7dce5a99a33ea0dec76673706360a051904 \ + --hash=sha256:0c212cfdd90512fe722fa9bd620de4d46cda691415be86b2e02243242ae81873 \ + --hash=sha256:0c6d7328c200c349e3a4c6d8c83e0a5ad029bdc2d417f234152bf34842d0fc8d \ + --hash=sha256:0e92a4e83341ef79d835ca21b8bd13e27c859e4e9e4d7b63defc6e58462a3710 \ + --hash=sha256:11c6d71478e2cbea0a709e8a06365fa63da81da6498a53e4c4f065881d21ae8f \ + --hash=sha256:124d5ba71fee9c9902c4a7baa9425e663f7f0aecf73d31d54fe3dd357d62c1a7 \ + --hash=sha256:18bd1435cb1f2857ceb59cfb7de6f92593ef7b831ccd1b9bfb28ca530e539dce \ + --hash=sha256:1c0603b1d2ffcd43a411d64797a19556ef76958aef1c182f22dc30860152a98a \ + --hash=sha256:2030c01cbf77bc67bee7eef1e7e31ecf28649353987775e3583062c752da0077 \ + --hash=sha256:2039b7847ba3eec1f5886e75e6763a16e18c68a63efc4b029ddf994821e2e66b \ + --hash=sha256:212e67806525d2561efbfe9e799633b17eb668b8964abed6b5319b2f1cfbae1f \ + --hash=sha256:215c595c792a87d4407cb72dd5e0f6ee8e694ceeb7f9102b533c5a9bf2a916bb \ + --hash=sha256:22724d80ee5a815a44fc76274bb7ba2e7464f5564aacb6ecddaa9970a83e3225 \ + --hash=sha256:29be5ac4164aa8bdcba5fa0700a3c9c316b411d8ed9d39ef8a882541bd452fae \ + --hash=sha256:29cb1f1b008d936803e2da3d7cba726fc47232c45df531b29edf0b232dd737e7 \ + --hash=sha256:2b7b153ed90ababadbef5c3eb39549f9476890d339cf47af563aea7e07db2451 \ + --hash=sha256:2d68bf97a771836687107abfca089743885fb664b90138d8761cce61d5625d55 \ + --hash=sha256:317bbe2c069bbc757b1a2e4105b64aacd3bc78279b66a6b9e51e846e4809f804 \ + --hash=sha256:3782d2c60b8116772aea8d9b7905221437fdf53e7277282e8d8b07c220f96cca \ + --hash=sha256:3d721fee37380a44f9d9ce6c701b3960239f4fb3d5ceea7f31cbd43882edaa2f \ + --hash=sha256:414f71e3bdd5573893bf5ecdf35c32b213ed20aa15536fe2f588f946c318824f \ + --hash=sha256:524b765ad888dc5518bbce12c77c2e83dee1ed6b0992c1790cc5fb49bb4b6667 \ + --hash=sha256:56afaf1e9b02302ba636151cfc49929c1bb66b98794291afd0e5f20fecaf757c \ + --hash=sha256:58533f9e8266cb0ac298e259ed7b4d42ed3fa0b78ce76860626164de49e0d467 \ + --hash=sha256:5ff835b5d3e67d9207343effb03760c00335f8b5285bfceefd4dc967b0e48f6a \ + --hash=sha256:61dcdad16da5bb486d7227a37a2e789c429397793a6955227cedbd7252eb5a27 \ + --hash=sha256:6890ace0809627b0dff19cfad92d69d0fa3f089d3e359a2a532507bb6ba34efb \ + --hash=sha256:6be2f1b5d3dc99a5ce5ce162fc741c22ba9f3443d3dd586e6a1211b7bc87bc7b \ + --hash=sha256:6e8e0c3b85575a32f2ffa59de455f85ce002b8bdc0662d6b9c2ed6d80ab5d204 \ + --hash=sha256:73b92a5b69f31b1a58c0c7e31080aeaec49c6e01b9522e71ff38d08f15aa56de \ + --hash=sha256:7909ae2460f5f494fecbcd10613beafe40381fd0316e35d6acb5f3a05bfda167 \ + --hash=sha256:79b44319268af2eaa3e315b92298de9a0067ade6e6003ddaef72f8e0bedb94f1 \ + --hash=sha256:828e3149ad8815dc14468f36ab2a4b819237c155ee1370341b91ea4c8672d2ee \ + --hash=sha256:84fd82870b97ae3cdcea9d8746e592b6d40e1e4d4527835fc520c588d2ded04f \ + --hash=sha256:88dcfc514cfd1b0de038443c7b3e6a9797ffb1b3674ef1fd14f701a13397f82d \ + --hash=sha256:8ab962931015f170b97a3dd7bd933399c1bae8ed8ad0fb2a7151a5654b6941c7 \ + --hash=sha256:8b13974dc8ac6ba22feaa867fc19135a3e01a134b4f7c9c28162fed4d615008a \ + --hash=sha256:8c752089db84333e36d754c4baf19c0e1437012242048439c7e80eb0e6426e3b \ + --hash=sha256:8e531abd745f51f8035e207e75e049553a86823d189a51809c078412cefb399a \ + --hash=sha256:90368277087d4af32d38bd55f9da2ff466d25325bf6167c8f382d8ee40cb2bbc \ + --hash=sha256:913f629adef31d2d350d41c051ce7e33cf0fd06a5d1cb28d49b1899b23b903aa \ + --hash=sha256:976c6f1975032cc327161c65d4194c549f2589d88b105a5e3499429a54479770 \ + --hash=sha256:97dceed87ed9139884a55db8722428e27bd8452817fbf1869c58b49fecab1120 \ + --hash=sha256:9b8761b6cf04a856eb544acdd82fc594b978f12ac3602d6374a7edb9d86fd2c2 \ + --hash=sha256:9d2ae0cc6aeb669633e0124531f342a17d8e97ea999e42f12a5ad4adaa304c5f \ + --hash=sha256:9d8787bdfbb65a85ea76d0e96a3b1bed7bf0fbcb16d40408dc1172ad784a49d2 \ + --hash=sha256:9dba358d55aee552bd868de348f4736ca5a4086d9a62e2bfbbeeb5629fe8b0cc \ + --hash=sha256:9f1587f26c235894c09e8b5b7636a38091a9e6e7fe4531937534749c04face43 \ + --hash=sha256:a0169ebd1cbd94b26c7a7ad282cf5c2744fce054133f959e02eb5265deae1872 \ + --hash=sha256:ac9e05f25627ffc714c21f8dfe3a579445a5c392a9c8ae7ba1d0e9fb5333f56e \ + --hash=sha256:ae8b756575aaa2a855a75192f356bbda11a89169830e1439cfb1a3e1a6dde7be \ + --hash=sha256:af40c6612fd2a4b00de648aa26d18186cd1322330bd3a3cc52f87c699e995810 \ + --hash=sha256:b67e71e47caa6680d1b6f075a396d04fa6ca8ca09aafb428731da9b3ea32a5a6 \ + --hash=sha256:b822caf5b9752bc6f246eb08124c3d12bf2175b66ab74bac2ef3bbf9221ce1b2 \ + --hash=sha256:ba21dbb2493e9c653eaffdc38819b004b7b1b246fb77bfc93dc016fe664eac91 \ + --hash=sha256:bb93562146120bb51e6b154962d3dadc678ed0fce96513fa6bc06599bb6f6edc \ + --hash=sha256:bc779b4f4bba2847d0d2940081a7b6f7b5877e05408ffbb74fa1faf4a136c424 \ + --hash=sha256:bc8bc85b81b6ac9fc4dae393a8c159b817f4c2c9dee5d12b773bddb3b95fc07e \ + --hash=sha256:bd4b909ce4c50faa2192da6bb684d9848d4510b736b0611b6ab4020ea6fd2d23 \ + --hash=sha256:bfc27516ec46f4520b18ef645864cee168d2a027dbf32c5537cb1f3e3c22dac1 \ + --hash=sha256:c5189a5dab8b0312eadaf9d58d3049b6a52c454256493a557405e77a3d67ab7f \ + --hash=sha256:c9416cc19a349c167ef76135b2fe40d03cea93680428efee8771f3e9fb66079d \ + --hash=sha256:cf4b81227ec86935568c7edd78352a92e97af8da7bd70bdfdaa0d2e0011a1ab4 \ + --hash=sha256:d2489b241c19582b3f1430cc5d732caefc1aaf378d97e7fb95b9e56bed11725f \ + --hash=sha256:d61cd543d69715d5fc0a690c7c6f8dcc307bc23abef9738957981885f5f38229 \ + --hash=sha256:d7d012ebddffcce8c85734a6d9e5f08180cd3857c5f5a3ac70185b43775d043d \ + --hash=sha256:d7d18dd34ea2e860553a579df02041845dee0af8985dff7f8661306f95504ddf \ + --hash=sha256:d8b11701bc43be92ea42bd454910437b355dfb63696c06fe953ffb40b5f763b4 \ + --hash=sha256:dd759f75d6b8d1b62012b7f5ef9461d03c804f94d539a5515b454ba3a6588038 \ + --hash=sha256:e0a23b41f8f98b4e61150a03f83e4f0d566880fe53519d445a962929a4d21045 \ + --hash=sha256:e44fbe4000bd321d9f3b648ae46e0196d21577cf66ae684a96ff90b1f7c93633 \ + --hash=sha256:e6fbaf48a744b94091a56c62897b27c31ee2da93d826aa5b207131a1e13d4064 \ + --hash=sha256:e8f6a7a27d7b7bec81bd5924163e9af03d49bbb63013f107b48eb5d16db711bc \ + --hash=sha256:eabcf2e84f1d7105f84580e03012270c7e97ecb1fb1618bda395061b2a84a049 \ + --hash=sha256:f5aa4682912a450c2db89cbd92d356fef47e115dffba07992555542f344d301b \ + --hash=sha256:f66b001332a017d7945e177e282a40b6997056394e3ed7ddb41fb1813b83e824 \ + --hash=sha256:f83abab5bacb76d9c821fd5c07728ff224ed0e52d7a71b7b3de822f3df04e15c \ + --hash=sha256:f8d902867b699bcd09c176a280b1acdab57f924489033e53d0afe79817da37e6 \ + --hash=sha256:f9d4a5e041ae435b815e568537755773d05dac031fee6a57b4ba70897a44d9d2 \ + --hash=sha256:fafb1a99d740523d964b15c8db4eabbfc86ff29f84898262bf6e3e4c9e97e43e \ + --hash=sha256:fbecb9709111be913ae6879b07bafd4b0785b44c1eb5cac8ac76da048b3885a1 \ + --hash=sha256:fd7ff459fb393358d3a155d25b275c60b07a2c83dcd7ea962b1923f5a1134569 \ + --hash=sha256:ff94112e0098470b665cb0ed06efb187154b63649403b8d5e9aedeb482b4548c # via # -r requirements.in # envoy-base-utils From b2093da86301d99ee9ee401d890066551a3deac7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 06:13:07 +0000 Subject: [PATCH 478/505] build(deps): bump google.golang.org/protobuf Bumps the contrib-golang group in /contrib/golang/filters/http/test/test_data with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: contrib-golang ... Signed-off-by: dependabot[bot] --- contrib/golang/filters/http/test/test_data/go.mod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/golang/filters/http/test/test_data/go.mod b/contrib/golang/filters/http/test/test_data/go.mod index 242314aef2241..430821a0e3196 100644 --- a/contrib/golang/filters/http/test/test_data/go.mod +++ b/contrib/golang/filters/http/test/test_data/go.mod @@ -1,12 +1,12 @@ module example.com/test-data -go 1.22 +go 1.23 require github.com/envoyproxy/envoy v1.33.2 require ( github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 - google.golang.org/protobuf v1.36.6 + google.golang.org/protobuf v1.36.9 ) require ( From 3dceb9c5ede6dd30d2dce9dfb25828e53d0b269f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 06:05:56 +0000 Subject: [PATCH 479/505] build(deps): bump google.golang.org/protobuf Bumps the contrib-golang group in /contrib/golang/router/cluster_specifier/test/test_data/simple with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: contrib-golang ... Signed-off-by: dependabot[bot] --- .../router/cluster_specifier/test/test_data/simple/go.mod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod index a985bc3accf08..fe8c2a1a46a1e 100644 --- a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod +++ b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod @@ -1,6 +1,6 @@ module example.com/routeconfig -go 1.22 +go 1.23 require ( github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa @@ -15,7 +15,7 @@ require ( require ( github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/golang/protobuf v1.5.3 // indirect - google.golang.org/protobuf v1.36.6 + google.golang.org/protobuf v1.36.9 ) replace github.com/envoyproxy/envoy => ../../../../../../../ From 9e3d3b740d82440b209f7227c6d6d457885cc8a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 06:13:27 +0000 Subject: [PATCH 480/505] build(deps): bump google.golang.org/protobuf Bumps the contrib-golang group in /contrib/golang/upstreams/http/tcp/test/test_data with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.6 to 1.36.7 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: contrib-golang ... Signed-off-by: dependabot[bot] --- contrib/golang/upstreams/http/tcp/test/test_data/go.mod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/golang/upstreams/http/tcp/test/test_data/go.mod b/contrib/golang/upstreams/http/tcp/test/test_data/go.mod index 52a21b5806345..d01d093aad5cc 100644 --- a/contrib/golang/upstreams/http/tcp/test/test_data/go.mod +++ b/contrib/golang/upstreams/http/tcp/test/test_data/go.mod @@ -1,9 +1,9 @@ module example.com/test-data -go 1.22 +go 1.23 require github.com/envoyproxy/envoy v1.33.2 -require google.golang.org/protobuf v1.36.6 +require google.golang.org/protobuf v1.36.9 replace github.com/envoyproxy/envoy => ../../../../../../../ From 437946fcbdb4861e09d4d64df83d194b5afe3c57 Mon Sep 17 00:00:00 2001 From: Tony Allen Date: Tue, 23 Sep 2025 09:33:44 -0700 Subject: [PATCH 481/505] listener: Fix incorrect error status handling when failing to change netns (#40933) When creating a listener socket in another network namespace, a nested `absl::StatusOr<>` is returned. The outer status shows the result of the attempt to switch network namespaces and the inner status is the result of the creation of a listener socket. This patch fixes a bug where we checked the inner status when we should have been checking the outer status. This results in a segfault because the outer status is dereferenced without first checking if it was OK. We now check the correct results and additional comments have been added to improve clarity of this code. Risk Level: Low Testing: New unit test and fuzz test case Docs Changes: n/a Release Notes: Added Platform Specific Features: Linux only --------- Signed-off-by: Tony Allen --- changelogs/current.yaml | 6 ++++ .../listener_manager/listener_manager_impl.cc | 22 +++++++++----- source/common/network/utility.h | 4 +++ test/common/network/utility_test.cc | 30 +++++++++++++++++++ ...inimized-server_fuzz_test-5393862409650176 | 23 ++++++++++++++ 5 files changed, 77 insertions(+), 8 deletions(-) create mode 100644 test/server/server_corpus/clusterfuzz-testcase-minimized-server_fuzz_test-5393862409650176 diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 542b2f0e5e726..6a3eee6af8b25 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -139,6 +139,12 @@ bug_fixes: when used with other listener filters. The bug was triggered when a previous listener filter processed more data than the TLS inspector had requested, causing the TLS inspector to incorrectly calculate its buffer growth strategy. The fix ensures that buffer growth is now based on actual bytes available rather than the previously requested amount. +- area: listener + change: | + Fixed a bug where a failure to create listener sockets in different Linux network namespaces was + not handled properly. The success of the netns switch was not checked before attempting to + access the result of the socket creation. This is only relevant for Linux and if a listening + socket address was specified with a non-default network namespace. - area: aws change: | Added missing session name, session duration, and ``external_id`` parameters in AssumeRole credentials provider. diff --git a/source/common/listener_manager/listener_manager_impl.cc b/source/common/listener_manager/listener_manager_impl.cc index d7c453aab7ca6..b21d08055ee92 100644 --- a/source/common/listener_manager/listener_manager_impl.cc +++ b/source/common/listener_manager/listener_manager_impl.cc @@ -293,16 +293,22 @@ absl::StatusOr ProdListenerComponentFactory::createLis worker_index); }; - auto result = Network::Utility::execInNetworkNamespace(fn, netns.value().c_str()); - - // We have a nested absl::StatusOr type, so if there were no issues with changing the namespace, - // we want to return the inner absl::StatusOr. - if (result->ok()) { - return result->value(); + // Here we're running `fn` in a different network namespace. It will return a `absl::StatusOr` + // that wraps the result of the function we pass in, which is another `absl::StatusOr`. + auto outer_result = Network::Utility::execInNetworkNamespace(fn, netns.value().c_str()); + + // We have a nested absl::StatusOr type. The "outer" result is the result of our attempt to jump + // between network namespaces. The "inner" result is that of the `createListenSocketInternal` + // function we passed in to run in the other netns. + if (outer_result.ok()) { + // We successfully jumped network namespaces and ran `createListenSocketInternal` in that + // namespace before jumping back. Here we return the result of that + // `createListenSocketInternal` function. + return outer_result.value(); } - // The result was not ok, so we want to return the outer status. - return result.status(); + // The "outer" result was not ok, which means we failed to jump network namespaces. + return outer_result.status(); } #endif diff --git a/source/common/network/utility.h b/source/common/network/utility.h index 31ca56e4f99a2..df0d22307f2c5 100644 --- a/source/common/network/utility.h +++ b/source/common/network/utility.h @@ -410,6 +410,10 @@ class Utility { // Restore the original network namespace before returning the function result. setns_result = Api::LinuxOsSysCallsSingleton().get().setns(og_netns_fd, CLONE_NEWNET); + + // If we cannot jump back into the original network namespace, this is an unrecoverable error. + // It would leave the current thread in another network namespace indefinitely, so we cannot + // continue running in that state. RELEASE_ASSERT( setns_result.return_value_ == 0, fmt::format("failed to restore original netns (fd={}): {}", netns_fd, errorDetails(errno))); diff --git a/test/common/network/utility_test.cc b/test/common/network/utility_test.cc index 06056f2216e84..67ce194d0f53d 100644 --- a/test/common/network/utility_test.cc +++ b/test/common/network/utility_test.cc @@ -831,6 +831,36 @@ TEST_F(ExecInNetnsTest, OpenFail) { // Expecting failure. auto result = Utility::execInNetworkNamespace([]() -> int { return 0; }, "bleh"); EXPECT_FALSE(result.ok()); + EXPECT_TRUE(result.status().message().starts_with("failed to open netns file")); +} + +TEST_F(ExecInNetnsTest, FailtoReturnToOriginalNetns) { + EXPECT_DEATH( + { + // Make the tests use mock syscalls. + testing::StrictMock linux_os_syscalls; + testing::StrictMock os_syscalls; + TestThreadsafeSingletonInjector os_calls(&os_syscalls); + TestThreadsafeSingletonInjector linux_os_calls( + &linux_os_syscalls); + + EXPECT_CALL(os_syscalls, open(_, O_RDONLY)) + .WillRepeatedly( + Invoke([](const char*, int) -> Api::SysCallIntResult { return {1337, 0}; })); + EXPECT_CALL(os_syscalls, close(_)).WillRepeatedly(Invoke([](int) -> Api::SysCallIntResult { + return {0, 0}; + })); + + // Succeed on the first network namespace syscall, which would jump to a different netns. + // The second call, which would jump back to the original netns, should fail. This is an + // unrecoverable error, so it should result in process death. + EXPECT_CALL(linux_os_syscalls, setns(_, _)) + .WillOnce(Invoke([](int, int) -> Api::SysCallIntResult { return {0, 0}; })) + .WillOnce(Invoke([](int, int) -> Api::SysCallIntResult { return {-1, -1}; })); + + auto _ = Utility::execInNetworkNamespace([]() -> int { return 0; }, "bleh"); + }, + "failed to restore original netns .*"); } #endif diff --git a/test/server/server_corpus/clusterfuzz-testcase-minimized-server_fuzz_test-5393862409650176 b/test/server/server_corpus/clusterfuzz-testcase-minimized-server_fuzz_test-5393862409650176 new file mode 100644 index 0000000000000..63e62a37c5a14 --- /dev/null +++ b/test/server/server_corpus/clusterfuzz-testcase-minimized-server_fuzz_test-5393862409650176 @@ -0,0 +1,23 @@ +static_resources { + listeners { + name: "\'" + address { + socket_address { + protocol: UDP + address: "127.0.0.1" + port_value: 0 + network_namespace_filepath: ":" + } + } + socket_options { + int_value: 59 + type { + datagram { + } + } + } + fcds_config { + name: " " + } + } +} From 7837d913c783ed58f675c2d40f9db94a5b3f3195 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 12:38:43 -0700 Subject: [PATCH 482/505] deps: Bump `aws_lc` -> 1.61.3 (#41189) Created by Envoy dependency bot for @phlax Fix #41183 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index e287cf44fd276..6724f2551189f 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -164,12 +164,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "AWS libcrypto (AWS-LC)", project_desc = "OpenSSL compatible general-purpose crypto library", project_url = "https://github.com/aws/aws-lc", - version = "1.57.0", - sha256 = "52b2284dedd8b0da8b75c51997954cb98cec157747496c41937a5c8c22919590", + version = "1.61.3", + sha256 = "77a48f7cc33fd9712d89b28335933c329946665a8cee8ed91c47b9594db64090", strip_prefix = "aws-lc-{version}", urls = ["https://github.com/aws/aws-lc/archive/v{version}.tar.gz"], use_category = ["controlplane", "dataplane_core"], - release_date = "2025-08-04", + release_date = "2025-09-22", cpe = "cpe:2.3:a:google:boringssl:*", ), aspect_bazel_lib = dict( From 9bbfcfab454a51f6ec12f9704361edcdbcc15d61 Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 23 Sep 2025 20:57:15 +0100 Subject: [PATCH 483/505] deps: Bump toolshed (github) actions -> 0.3.25 (#41196) Signed-off-by: Ryan Northey --- .github/workflows/_check_coverage.yml | 2 +- .github/workflows/_finish.yml | 8 +++--- .github/workflows/_load.yml | 10 +++---- .github/workflows/_load_env.yml | 8 +++--- .github/workflows/_precheck_publish.yml | 2 +- .github/workflows/_publish_release.yml | 4 +-- .../workflows/_publish_release_container.yml | 6 ++--- .github/workflows/_request.yml | 22 ++++++++-------- .github/workflows/_request_cache_bazel.yml | 8 +++--- .github/workflows/_request_cache_docker.yml | 10 +++---- .github/workflows/_request_checks.yml | 10 +++---- .github/workflows/_run.yml | 24 ++++++++--------- .github/workflows/codeql-daily.yml | 2 +- .github/workflows/codeql-push.yml | 2 +- .github/workflows/command.yml | 6 ++--- .github/workflows/envoy-dependency.yml | 18 ++++++------- .github/workflows/envoy-release.yml | 26 +++++++++---------- .github/workflows/envoy-sync.yml | 8 +++--- .github/workflows/mobile-android_build.yml | 12 ++++----- .github/workflows/mobile-ios_build.yml | 4 +-- 20 files changed, 96 insertions(+), 96 deletions(-) diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml index 7a92bdaade1dd..127c703c27053 100644 --- a/.github/workflows/_check_coverage.yml +++ b/.github/workflows/_check_coverage.yml @@ -53,7 +53,7 @@ jobs: request: ${{ inputs.request }} runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.25 with: bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} path: generated/${{ matrix.target }}/html diff --git a/.github/workflows/_finish.yml b/.github/workflows/_finish.yml index 1724e4907c940..4640b778b94bd 100644 --- a/.github/workflows/_finish.yml +++ b/.github/workflows/_finish.yml @@ -36,7 +36,7 @@ jobs: actions: read contents: read steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 name: Incoming data id: needs with: @@ -87,7 +87,7 @@ jobs: summary: "Check has finished", text: $text}}}} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 name: Print summary with: input: ${{ toJSON(steps.needs.outputs.value).summary-title }} @@ -95,13 +95,13 @@ jobs: "## \(.)" options: -Rr output-path: GITHUB_STEP_SUMMARY - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.25 name: Update check with: action: update diff --git a/.github/workflows/_load.yml b/.github/workflows/_load.yml index 907e27a442b5d..628475c545fbf 100644 --- a/.github/workflows/_load.yml +++ b/.github/workflows/_load.yml @@ -100,7 +100,7 @@ jobs: # Handle any failure in triggering job # Remove any `checks` we dont care about # Prepare a check request - - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.25 name: Load env id: data with: @@ -111,13 +111,13 @@ jobs: GH_TOKEN: ${{ github.token }} # Update the check - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.25 name: Update check if: ${{ fromJSON(steps.data.outputs.data).data.check.action == 'RUN' }} with: @@ -125,7 +125,7 @@ jobs: checks: ${{ toJSON(fromJSON(steps.data.outputs.data).checks) }} token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 name: Print request summary with: input: | @@ -145,7 +145,7 @@ jobs: | $summary.summary as $summary | "${{ inputs.template-request-summary }}" - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: request-output name: Load request with: diff --git a/.github/workflows/_load_env.yml b/.github/workflows/_load_env.yml index 3fb3a66b836f7..caaec276c52c5 100644 --- a/.github/workflows/_load_env.yml +++ b/.github/workflows/_load_env.yml @@ -63,18 +63,18 @@ jobs: request: ${{ steps.env.outputs.data }} trusted: true steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: started name: Create timestamp with: options: -r filter: | now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout name: Checkout Envoy repository - name: Generate environment variables - uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.25 id: env with: branch-name: ${{ inputs.branch-name }} @@ -86,7 +86,7 @@ jobs: - name: Request summary id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.25 with: actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} diff --git a/.github/workflows/_precheck_publish.yml b/.github/workflows/_precheck_publish.yml index 8c30bf2566512..62b700bf22d4c 100644 --- a/.github/workflows/_precheck_publish.yml +++ b/.github/workflows/_precheck_publish.yml @@ -78,7 +78,7 @@ jobs: --config=docs-ci rbe: true steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.25 with: bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} path: generated/docs diff --git a/.github/workflows/_publish_release.yml b/.github/workflows/_publish_release.yml index b5245b6d46f32..e8da8c7eb9fe0 100644 --- a/.github/workflows/_publish_release.yml +++ b/.github/workflows/_publish_release.yml @@ -145,12 +145,12 @@ jobs: needs: - release steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.25 with: ref: main repository: ${{ fromJSON(inputs.request).request.version.dev && 'envoyproxy/envoy-website' || 'envoyproxy/archive' }} diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml index 5edcd53baab44..a417aa404804a 100644 --- a/.github/workflows/_publish_release_container.yml +++ b/.github/workflows/_publish_release_container.yml @@ -56,7 +56,7 @@ jobs: - name: Generate manifest configuration (dev) id: dev-config if: ${{ inputs.dev && inputs.target-branch == 'main' }} - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 with: input-format: yaml filter: >- @@ -126,7 +126,7 @@ jobs: - tools-dev-${{ github.sha }} - name: Generate manifest configuration (release) - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: release-config if: ${{ ! inputs.dev || ! inputs.target-branch != 'main' }} with: @@ -198,7 +198,7 @@ jobs: - tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - name: Collect and push OCI artifacts - uses: envoyproxy/toolshed/gh-actions/oci/collector@555132e7108208a8a610af6e03c38c97c204119d + uses: envoyproxy/toolshed/gh-actions/oci/collector@actions-v0.3.25 with: artifacts-pattern: oci.* manifest-config: ${{ steps.dev-config.outputs.value || steps.release-config.outputs.value }} diff --git a/.github/workflows/_request.yml b/.github/workflows/_request.yml index 42e4ef37ce4e6..7f75f9877ff98 100644 --- a/.github/workflows/_request.yml +++ b/.github/workflows/_request.yml @@ -56,14 +56,14 @@ jobs: caches: ${{ steps.caches.outputs.value }} config: ${{ steps.config.outputs.config }} steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: started name: Create timestamp with: options: -r filter: | now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout name: Checkout Envoy repository (requested) with: @@ -77,7 +77,7 @@ jobs: # *ALL* variables collected should be treated as untrusted and should be sanitized before # use - name: Generate environment variables from commit - uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.25 id: env with: branch-name: ${{ steps.checkout.outputs.branch-name }} @@ -88,7 +88,7 @@ jobs: vars: ${{ toJSON(vars) }} working-directory: requested - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout-target name: Checkout Envoy repository (target branch) with: @@ -96,7 +96,7 @@ jobs: config: | fetch-depth: 1 path: target - - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.25 id: bazel-cache-hash name: Bazel cache hash with: @@ -105,7 +105,7 @@ jobs: - name: Request summary id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.25 with: actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} @@ -121,7 +121,7 @@ jobs: target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - name: Environment data - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: data with: input: | @@ -164,18 +164,18 @@ jobs: path: /tmp/cache key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }}-arm64 - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.25 name: Setup GCP with: key: ${{ secrets.gcs-cache-key }} - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.25 name: Check GCS bucket cache (x64) id: cache-exists-bazel-x64 with: bucket: ${{ inputs.gcs-cache-bucket }} key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-x64 - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.25 name: Check GCS bucket cache (arm64) id: cache-exists-bazel-arm64 with: @@ -183,7 +183,7 @@ jobs: key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-arm64 - name: Caches - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: caches with: input-format: yaml diff --git a/.github/workflows/_request_cache_bazel.yml b/.github/workflows/_request_cache_bazel.yml index 3eb83fe499d7e..4ace4bfad264d 100644 --- a/.github/workflows/_request_cache_bazel.yml +++ b/.github/workflows/_request_cache_bazel.yml @@ -51,7 +51,7 @@ jobs: name: "[${{ inputs.arch }}] Prime Bazel cache" if: ${{ ! fromJSON(inputs.caches).bazel[inputs.arch] }} steps: - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout-target name: Checkout Envoy repository (target branch) with: @@ -59,14 +59,14 @@ jobs: config: | fetch-depth: 1 - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 id: appauth name: Appauth (mutex lock) with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.25 name: Setup GCP with: key: ${{ secrets.gcs-cache-key }} @@ -76,7 +76,7 @@ jobs: sudo mkdir /build sudo chown runner:docker /build echo "GITHUB_TOKEN=${{ github.token }}" >> $GITHUB_ENV - - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.25 id: bazel-cache name: Prime Bazel cache with: diff --git a/.github/workflows/_request_cache_docker.yml b/.github/workflows/_request_cache_docker.yml index 9163c786fbfd8..8be701708e46f 100644 --- a/.github/workflows/_request_cache_docker.yml +++ b/.github/workflows/_request_cache_docker.yml @@ -39,7 +39,7 @@ on: # For a job that does, you can restore with something like: # # steps: -# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.24 +# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.25 # with: # key: "${{ needs.env.outputs.build-image }}" # @@ -51,13 +51,13 @@ jobs: name: "[${{ inputs.arch }}] Prime Docker cache" if: ${{ ! fromJSON(inputs.caches).docker[inputs.arch] }} steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 id: appauth name: Appauth (mutex lock) with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.25 id: docker name: Prime Docker cache (${{ inputs.image-tag }}${{ inputs.cache-suffix }}) with: @@ -65,7 +65,7 @@ jobs: key-suffix: ${{ inputs.cache-suffix }} lock-token: ${{ steps.appauth.outputs.token }} lock-repository: ${{ inputs.lock-repository }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: data name: Cache data with: @@ -73,7 +73,7 @@ jobs: input: | cached: ${{ steps.docker.outputs.cached }} key: ${{ inputs.image-tag }}${{ inputs.cache-suffix }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.25 name: Summary with: json: ${{ steps.data.outputs.value }} diff --git a/.github/workflows/_request_checks.yml b/.github/workflows/_request_checks.yml index 3020742327544..91952e9acdb26 100644 --- a/.github/workflows/_request_checks.yml +++ b/.github/workflows/_request_checks.yml @@ -55,7 +55,7 @@ jobs: runs-on: ${{ fromJSON(inputs.env).config.ci.agent-ubuntu }} name: Start checks steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: check-config name: Prepare check data with: @@ -78,13 +78,13 @@ jobs: | .skipped.output.summary = "${{ inputs.skipped-summary }}" | .skipped.output.text = "" - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 name: Appauth id: appauth with: app_id: ${{ secrets.app-id }} key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.25 name: Start checks id: checks with: @@ -95,7 +95,7 @@ jobs: ${{ fromJSON(inputs.env).summary.summary }} token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.25 name: Summary with: collapse-open: true @@ -119,7 +119,7 @@ jobs: output-path: GITHUB_STEP_SUMMARY title: Checks started/skipped - - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.25 name: Save env id: data with: diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml index 4689040bfd447..4fa34b68da667 100644 --- a/.github/workflows/_run.yml +++ b/.github/workflows/_run.yml @@ -155,7 +155,7 @@ on: summary-post: type: string default: | - - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.25 with: context: %{{ inputs.context }} steps-pre: @@ -217,7 +217,7 @@ jobs: name: ${{ inputs.target-suffix && format('[{0}] ', inputs.target-suffix) || '' }}${{ inputs.command }} ${{ inputs.target }} timeout-minutes: ${{ inputs.timeout-minutes }} steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 id: started name: Create timestamp with: @@ -225,7 +225,7 @@ jobs: filter: | now # This controls which input vars are exposed to the run action (and related steps) - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.25 name: Context id: context with: @@ -257,13 +257,13 @@ jobs: if: ${{ inputs.docker-ipv6 }} # Caches - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.25 name: Setup GCP (cache) if: ${{ inputs.gcs-cache-bucket }} with: key: ${{ secrets.gcs-cache-key }} force-install: ${{ contains(fromJSON('["envoy-arm64-medium", "github-arm64-2c-8gb"]'), inputs.runs-on) }} - - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.25 if: ${{ inputs.gcs-cache-bucket }} name: >- Restore Bazel cache @@ -283,12 +283,12 @@ jobs: key: ${{ inputs.cache-build-image }}${{ inputs.cache-build-image-key-suffix }} - if: ${{ inputs.cache-build-image && steps.cache-lookup.outputs.cache-hit == 'true' }} name: Restore Docker cache ${{ inputs.cache-build-image && format('({0})', inputs.cache-build-image) || '' }} - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.25 with: image-tag: ${{ inputs.cache-build-image }} key-suffix: ${{ inputs.cache-build-image-key-suffix }} - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 id: appauth name: Appauth if: ${{ inputs.trusted }} @@ -299,7 +299,7 @@ jobs: # - the workaround is to allow the token to be passed through. token: ${{ github.token }} token-ok: true - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout name: Checkout Envoy repository with: @@ -316,7 +316,7 @@ jobs: token: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} # This is currently only use by mobile-docs and can be removed once they are updated to the newer website - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout-extra name: Checkout extra repository (for publishing) if: ${{ inputs.checkout-extra }} @@ -325,7 +325,7 @@ jobs: ssh-key: ${{ inputs.trusted && inputs.ssh-key-extra || '' }} - name: Import GPG key - uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.25 if: ${{ inputs.import-gpg }} with: key: ${{ secrets.gpg-key }} @@ -338,7 +338,7 @@ jobs: name: Configure PR Bazel settings if: >- ${{ fromJSON(inputs.request).request.pr != '' }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.25 name: Setup GCP (artefacts/rbe) id: gcp with: @@ -356,7 +356,7 @@ jobs: if: ${{ vars.ENVOY_CI_BAZELRC }} name: Configure repo Bazel settings - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.25 name: Run CI ${{ inputs.command }} ${{ inputs.target }} with: args: ${{ inputs.args != '--' && inputs.args || inputs.target }} diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index a98119190a5eb..5bbb179d608cb 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Free disk space - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.25 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index a643d88edd73f..41de603b5c608 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -63,7 +63,7 @@ jobs: - name: Free disk space if: ${{ env.BUILD_TARGETS != '' }} - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.25 - name: Initialize CodeQL if: ${{ env.BUILD_TARGETS != '' }} diff --git a/.github/workflows/command.yml b/.github/workflows/command.yml index dc923296bff7d..476063996363e 100644 --- a/.github/workflows/command.yml +++ b/.github/workflows/command.yml @@ -28,7 +28,7 @@ jobs: && github.actor != 'dependabot[bot]' }} steps: - - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.25 name: Parse command from comment id: command with: @@ -37,14 +37,14 @@ jobs: ^/(retest) # /retest - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 if: ${{ steps.command.outputs.command == 'retest' }} id: appauth-retest name: Appauth (retest) with: key: ${{ secrets.ENVOY_CI_APP_KEY }} app_id: ${{ secrets.ENVOY_CI_APP_ID }} - - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.25 if: ${{ steps.command.outputs.command == 'retest' }} name: Retest with: diff --git a/.github/workflows/envoy-dependency.yml b/.github/workflows/envoy-dependency.yml index c700fd312bbfd..cfdfe729416a5 100644 --- a/.github/workflows/envoy-dependency.yml +++ b/.github/workflows/envoy-dependency.yml @@ -53,16 +53,16 @@ jobs: steps: - id: appauth name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 with: app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 with: token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.25 id: update name: Update dependency (${{ inputs.dependency }}) with: @@ -97,13 +97,13 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.25 name: Upload diff with: name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} - name: Create a PR if: ${{ inputs.pr }} - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.25 with: base: main body: | @@ -134,11 +134,11 @@ jobs: steps: - id: appauth name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 with: app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 id: checkout name: Checkout Envoy repository with: @@ -180,7 +180,7 @@ jobs: - name: Check Docker SHAs id: build-images - uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.25 with: images: | sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }} @@ -209,7 +209,7 @@ jobs: name: Update SHAs working-directory: envoy - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.25 with: base: main body: Created by Envoy dependency bot diff --git a/.github/workflows/envoy-release.yml b/.github/workflows/envoy-release.yml index 2337aaebda16a..57626420732bc 100644 --- a/.github/workflows/envoy-release.yml +++ b/.github/workflows/envoy-release.yml @@ -59,14 +59,14 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} @@ -87,10 +87,10 @@ jobs: name: Check changelog summary - if: ${{ inputs.author }} name: Validate signoff email - uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.25 with: email: ${{ inputs.author }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.25 name: Create release with: source: | @@ -115,7 +115,7 @@ jobs: name: Release version id: release - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.25 with: base: ${{ github.ref_name }} commit: false @@ -140,20 +140,20 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} strip-prefix: release/ token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.25 name: Sync version histories with: command: >- @@ -163,7 +163,7 @@ jobs: -- --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>" - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.25 with: append-commit-message: true base: ${{ github.ref_name }} @@ -190,13 +190,13 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - id: checkout name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 with: config: | fetch-depth: 0 @@ -226,13 +226,13 @@ jobs: steps: - id: appauth name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - name: Checkout repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.24 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 with: committer-name: ${{ env.COMMITTER_NAME }} committer-email: ${{ env.COMMITTER_EMAIL }} diff --git a/.github/workflows/envoy-sync.yml b/.github/workflows/envoy-sync.yml index 755339966b024..4e825d8985aa1 100644 --- a/.github/workflows/envoy-sync.yml +++ b/.github/workflows/envoy-sync.yml @@ -34,12 +34,12 @@ jobs: - data-plane-api - mobile-website steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.25 with: repository: "envoyproxy/${{ matrix.downstream }}" ref: main @@ -61,12 +61,12 @@ jobs: downstream: - envoy-openssl steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 id: appauth with: app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.25 with: repository: "envoyproxy/${{ matrix.downstream }}" ref: release/v1.28 diff --git a/.github/workflows/mobile-android_build.yml b/.github/workflows/mobile-android_build.yml index 9014f42b03a6e..58dbf8f6803c7 100644 --- a/.github/workflows/mobile-android_build.yml +++ b/.github/workflows/mobile-android_build.yml @@ -82,9 +82,9 @@ jobs: target: kotlin-hello-world runs-on: ubuntu-22.04 steps-pre: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.25 steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.25 with: apk: bazel-bin/examples/kotlin/hello_world/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoykotlin/.MainActivity @@ -111,7 +111,7 @@ jobs: target: ${{ matrix.target }} runs-on: ubuntu-22.04 steps-pre: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/pre@actions-v0.3.25 steps-post: ${{ matrix.steps-post }} timeout-minutes: 50 trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} @@ -122,7 +122,7 @@ jobs: include: - name: java-hello-world steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.25 with: apk: bazel-bin/examples/java/hello_world/hello_envoy.apk app: io.envoyproxy.envoymobile.helloenvoy/.MainActivity @@ -141,7 +141,7 @@ jobs: --config=mobile-remote-release-clang-android //test/kotlin/apps/baseline:hello_envoy_kt steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.25 with: apk: bazel-bin/test/kotlin/apps/baseline/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoybaselinetest/.MainActivity @@ -156,7 +156,7 @@ jobs: --config=mobile-remote-release-clang-android //test/kotlin/apps/experimental:hello_envoy_kt steps-post: | - - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.24 + - uses: envoyproxy/toolshed/gh-actions/envoy/android/post@actions-v0.3.25 with: apk: bazel-bin/test/kotlin/apps/experimental/hello_envoy_kt.apk app: io.envoyproxy.envoymobile.helloenvoyexperimentaltest/.MainActivity diff --git a/.github/workflows/mobile-ios_build.yml b/.github/workflows/mobile-ios_build.yml index 835b59aa71d43..4da2aabac7b62 100644 --- a/.github/workflows/mobile-ios_build.yml +++ b/.github/workflows/mobile-ios_build.yml @@ -97,7 +97,7 @@ jobs: # source ./ci/mac_ci_setup.sh # ./bazelw shutdown # steps-post: | - # - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 + # - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.25 # with: # app: ${{ matrix.app }} # args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} @@ -142,7 +142,7 @@ jobs: # source: | # source ./ci/mac_ci_setup.sh # steps-post: | - # - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.24 + # - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@actions-v0.3.25 # with: # app: ${{ matrix.app }} # args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }} From a4eb0c255bb7d48620fd946c0400ab7308598035 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 13:06:42 -0700 Subject: [PATCH 484/505] deps: Bump `com_google_absl` -> 20250814.1 (#41188) Created by Envoy dependency bot for @phlax Fix #41184 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> --- bazel/repository_locations.bzl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 6724f2551189f..e7808719bbdc1 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -190,12 +190,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Abseil", project_desc = "Open source collection of C++ libraries drawn from the most fundamental pieces of Google’s internal codebase", project_url = "https://abseil.io/", - version = "20250814.0", - sha256 = "9b2b72d4e8367c0b843fa2bcfa2b08debbe3cee34f7aaa27de55a6cbb3e843db", + version = "20250814.1", + sha256 = "1692f77d1739bacf3f94337188b78583cf09bab7e420d2dc6c5605a4f86785a1", strip_prefix = "abseil-cpp-{version}", urls = ["https://github.com/abseil/abseil-cpp/archive/{version}.tar.gz"], use_category = ["dataplane_core", "controlplane"], - release_date = "2025-08-14", + release_date = "2025-09-22", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/abseil/abseil-cpp/blob/{version}/LICENSE", From d5c7a06f92f2a26ce2bda9d96b2a461c1f8f39ff Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Tue, 23 Sep 2025 18:55:57 -0400 Subject: [PATCH 485/505] odcds: convert ODCDS over ADS to pre-cluster-single-subscription (#41174) Prior to this PR there were issues when using OD-CDS without cds_config. This PR converts OD-CDS over ADS to use the new XdstpOdCdsApiImpl (that is also used for xDS-federation based OD-CDS subscriptions). Signed-off-by: Adi Suissa-Peleg --- changelogs/current.yaml | 6 + source/common/runtime/runtime_features.cc | 1 + source/common/upstream/od_cds_api_impl.cc | 40 +- source/common/upstream/od_cds_api_impl.h | 3 +- .../http/on_demand/on_demand_update.cc | 29 +- .../http/on_demand/odcds_integration_test.cc | 833 +++++++++++++++++- test/integration/ads_integration.cc | 73 +- test/integration/ads_integration.h | 37 +- 8 files changed, 958 insertions(+), 64 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 6a3eee6af8b25..9ca4384c8bd30 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -160,6 +160,12 @@ bug_fixes: ``cluster..ssl.certificate..`` and ``listener.
.ssl.certificate..`` was not being properly extracted in the final Prometheus stat name. +- area: odcds + change: | + Fixed a bug where using OD-CDS without cds_config would not work in some + cases. This change introduces a new internal OD-CDS component. This change + could be reverted temporarily by setting the runtime guard + ``envoy.reloadable_features.odcds_over_ads_fix`` to ``false``. - area: oauth2 change: | Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index aa71150452972..cce48cee1c088 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -57,6 +57,7 @@ RUNTIME_GUARD(envoy_reloadable_features_jwt_fetcher_use_scheme_from_uri); RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name); RUNTIME_GUARD(envoy_reloadable_features_oauth2_cleanup_cookies); RUNTIME_GUARD(envoy_reloadable_features_oauth2_encrypt_tokens); +RUNTIME_GUARD(envoy_reloadable_features_odcds_over_ads_fix); RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout); RUNTIME_GUARD(envoy_reloadable_features_original_src_fix_port_exhaustion); RUNTIME_GUARD(envoy_reloadable_features_prefix_map_matcher_resume_after_subtree_miss); diff --git a/source/common/upstream/od_cds_api_impl.cc b/source/common/upstream/od_cds_api_impl.cc index 81da2c83f4038..9e7cd340eadda 100644 --- a/source/common/upstream/od_cds_api_impl.cc +++ b/source/common/upstream/od_cds_api_impl.cc @@ -168,7 +168,7 @@ class XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManager : public Singleton::Inst notifier_.notifyMissingCluster(resource_name); } - void addSubscription(absl::string_view resource_name) { + void addSubscription(absl::string_view resource_name, bool old_ads) { if (subscriptions_.contains(resource_name)) { ENVOY_LOG(debug, "ODCDS-manager: resource {} is already subscribed to, skipping", resource_name); @@ -178,7 +178,7 @@ class XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManager : public Singleton::Inst // Subscribe using the xds-manager. auto subscription = std::make_unique(*this, resource_name, validation_visitor_); - absl::Status status = subscription->initializeSubscription(); + absl::Status status = subscription->initializeSubscription(old_ads); if (status.ok()) { subscriptions_.emplace(std::string(resource_name), std::move(subscription)); } else { @@ -203,12 +203,18 @@ class XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManager : public Singleton::Inst "name"), parent_(parent), resource_name_(resource_name) {} - absl::Status initializeSubscription() { + absl::Status initializeSubscription(bool old_ads) { const auto resource_type = getResourceName(); + // If old_ads is set, creates a subscription using the staticAdsConfigSource. + // Otherwise, the subscribeToSingletonResource will take care of + // subscription via the ADS source. absl::StatusOr subscription_or_error = parent_.xds_manager_.subscribeToSingletonResource( - resource_name_, absl::nullopt, Grpc::Common::typeUrl(resource_type), *parent_.scope_, - *this, resource_decoder_, {}); + resource_name_, + old_ads + ? makeOptRef(staticAdsConfigSource()) + : absl::nullopt, + Grpc::Common::typeUrl(resource_type), *parent_.scope_, *this, resource_decoder_, {}); RETURN_IF_NOT_OK_REF(subscription_or_error.status()); subscription_ = std::move(subscription_or_error.value()); subscription_->start({resource_name_}); @@ -216,6 +222,15 @@ class XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManager : public Singleton::Inst } private: + const envoy::config::core::v3::ConfigSource& staticAdsConfigSource() { + CONSTRUCT_ON_FIRST_USE(envoy::config::core::v3::ConfigSource, + []() -> envoy::config::core::v3::ConfigSource { + envoy::config::core::v3::ConfigSource ads; + ads.mutable_ads(); + return ads; + }()); + } + // Config::SubscriptionCallbacks absl::Status onConfigUpdate(const std::vector& resources, const std::string& version_info) override { @@ -282,15 +297,18 @@ class XdstpOdCdsApiImpl::XdstpOdcdsSubscriptionsManager : public Singleton::Inst SINGLETON_MANAGER_REGISTRATION(xdstp_odcds_subscriptions_manager); absl::StatusOr -XdstpOdCdsApiImpl::create(const envoy::config::core::v3::ConfigSource&, +XdstpOdCdsApiImpl::create(const envoy::config::core::v3::ConfigSource& config_source, OptRef, Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, ProtobufMessage::ValidationVisitor& validation_visitor, Server::Configuration::ServerFactoryContext& server_factory_context) { absl::Status creation_status = absl::OkStatus(); + // TODO(adisuissa): convert the config_source to optional. + const bool old_ads = config_source.config_source_specifier_case() == + envoy::config::core::v3::ConfigSource::ConfigSourceSpecifierCase::kAds; auto ret = OdCdsApiSharedPtr(new XdstpOdCdsApiImpl(xds_manager, cm, notifier, scope, - server_factory_context, validation_visitor, - creation_status)); + server_factory_context, old_ads, + validation_visitor, creation_status)); RETURN_IF_NOT_OK(creation_status); return ret; } @@ -298,8 +316,10 @@ XdstpOdCdsApiImpl::create(const envoy::config::core::v3::ConfigSource&, XdstpOdCdsApiImpl::XdstpOdCdsApiImpl(Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, Server::Configuration::ServerFactoryContext& server_context, + bool old_ads, ProtobufMessage::ValidationVisitor& validation_visitor, - absl::Status& creation_status) { + absl::Status& creation_status) + : old_ads_(old_ads) { // Create a singleton xdstp-based od-cds handler. This will be accessed by // the main thread and used by all the filters that need to access od-cds // over xdstp-based config sources. @@ -326,7 +346,7 @@ XdstpOdCdsApiImpl::subscriptionsManager(Server::Configuration::ServerFactoryCont } void XdstpOdCdsApiImpl::updateOnDemand(std::string cluster_name) { - subscriptions_manager_->addSubscription(cluster_name); + subscriptions_manager_->addSubscription(cluster_name, old_ads_); } } // namespace Upstream } // namespace Envoy diff --git a/source/common/upstream/od_cds_api_impl.h b/source/common/upstream/od_cds_api_impl.h index aad55ca9b0ad9..577d37be06a0b 100644 --- a/source/common/upstream/od_cds_api_impl.h +++ b/source/common/upstream/od_cds_api_impl.h @@ -92,7 +92,7 @@ class XdstpOdCdsApiImpl : public OdCdsApi { XdstpOdCdsApiImpl(Config::XdsManager& xds_manager, ClusterManager& cm, MissingClusterNotifier& notifier, Stats::Scope& scope, - Server::Configuration::ServerFactoryContext& server_context, + Server::Configuration::ServerFactoryContext& server_context, bool old_ads, ProtobufMessage::ValidationVisitor& validation_visitor, absl::Status& creation_status); @@ -107,6 +107,7 @@ class XdstpOdCdsApiImpl : public OdCdsApi { // A singleton through which all subscriptions will be processed. XdstpOdcdsSubscriptionsManagerSharedPtr subscriptions_manager_; + const bool old_ads_; }; } // namespace Upstream diff --git a/source/extensions/filters/http/on_demand/on_demand_update.cc b/source/extensions/filters/http/on_demand/on_demand_update.cc index cf8c8eda9e946..ca08d4a8de96d 100644 --- a/source/extensions/filters/http/on_demand/on_demand_update.cc +++ b/source/extensions/filters/http/on_demand/on_demand_update.cc @@ -71,16 +71,29 @@ DecodeHeadersBehaviorPtr createDecodeHeadersBehavior( Upstream::OdCdsApiHandlePtr); } } - // TODO(adisuissa): change "if (odcds == nullptr)" to "else" (and further - // merge the else with the "if (odcds_config->resources_locator().empty())") - // once the "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions" - // runtime flag is deprecated. + // TODO(adisuissa): Once the + // "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions" runtime flag is + // deprecated, change "if (odcds == nullptr)" to "else" (and further merge the else with the "if + // (odcds_config->resources_locator().empty())"). if (odcds == nullptr) { if (odcds_config->resources_locator().empty()) { - odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::OdCdsApiImpl::create, - odcds_config->source(), absl::nullopt, - validation_visitor), - Upstream::OdCdsApiHandlePtr); + // If the config-source is ADS, use a singleton-subscription mechanism, + // similar to xDS-TP based configs. + if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.odcds_over_ads_fix")) { + if (odcds_config->source().config_source_specifier_case() == + envoy::config::core::v3::ConfigSource::ConfigSourceSpecifierCase::kAds) { + odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::XdstpOdCdsApiImpl::create, + odcds_config->source(), absl::nullopt, + validation_visitor), + Upstream::OdCdsApiHandlePtr); + } + } + if (odcds == nullptr) { + odcds = THROW_OR_RETURN_VALUE(cm.allocateOdCdsApi(&Upstream::OdCdsApiImpl::create, + odcds_config->source(), absl::nullopt, + validation_visitor), + Upstream::OdCdsApiHandlePtr); + } } else { auto locator = THROW_OR_RETURN_VALUE( Config::XdsResourceIdentifier::decodeUrl(odcds_config->resources_locator()), diff --git a/test/extensions/filters/http/on_demand/odcds_integration_test.cc b/test/extensions/filters/http/on_demand/odcds_integration_test.cc index abab017809ea4..edaab40683bfc 100644 --- a/test/extensions/filters/http/on_demand/odcds_integration_test.cc +++ b/test/extensions/filters/http/on_demand/odcds_integration_test.cc @@ -518,10 +518,33 @@ TEST_P(OdCdsIntegrationTest, DisablingOdCdsAtVirtualHostLevelWorks) { cleanupUpstreamAndDownstream(); } -class OdCdsAdsIntegrationTest : public AdsIntegrationTest { +class OdCdsAdsIntegrationTest + : public AdsIntegrationTestBase, + public testing::TestWithParam< + std::tuple> { public: + OdCdsAdsIntegrationTest() : AdsIntegrationTestBase(ipVersion(), sotwOrDelta()) {} + + void TearDown() override { cleanUpXdsConnection(); } + + static std::string protocolTestParamsToString( + const ::testing::TestParamInfo< + std::tuple>& p) { + return fmt::format( + "{}_{}_{}_{}", TestUtility::ipVersionToString(std::get<0>(p.param)), + std::get<1>(p.param) == Grpc::ClientType::GoogleGrpc ? "GoogleGrpc" : "EnvoyGrpc", + std::get<2>(p.param) == Grpc::SotwOrDelta::Delta ? "Delta" : "StateOfTheWorld", + std::get<3>(p.param) ? "WithOdcdsOverAdsFix" : "WithoutOdcdsOverAdsFix"); + } + Network::Address::IpVersion ipVersion() const override { return std::get<0>(GetParam()); } + Grpc::ClientType clientType() const override { return std::get<1>(GetParam()); } + Grpc::SotwOrDelta sotwOrDelta() const { return std::get<2>(GetParam()); } + bool odcds_over_ads_fix_enabled() const { return std::get<3>(GetParam()); } + void initialize() override { - AdsIntegrationTest::initialize(); + config_helper_.addRuntimeOverride("envoy.reloadable_features.odcds_over_ads_fix", + odcds_over_ads_fix_enabled() ? "true" : "false"); + AdsIntegrationTestBase::initialize(); test_server_->waitUntilListenersReady(); new_cluster_upstream_idx_ = fake_upstreams_.size(); @@ -541,6 +564,57 @@ class OdCdsAdsIntegrationTest : public AdsIntegrationTest { return builder.listener(); } + envoy::config::listener::v3::Listener buildListenerWithMultiRoute() { + OdCdsListenerBuilder builder(Network::Test::getLoopbackAddressString(ipVersion())); + auto ads_config_source = OdCdsIntegrationHelper::createAdsOdCdsConfigSource(); + auto& hcm = builder.hcm(); + // Set the ODCDS filter on the HCM to use ADS, and a long timeout. + auto odcds_config = + OdCdsIntegrationHelper::createOnDemandConfig(std::move(ads_config_source), 10000); + hcm.mutable_http_filters(0)->mutable_typed_config()->PackFrom(std::move(odcds_config)); + // The clusters are on-demand - no need to validate them. + hcm.mutable_route_config()->mutable_validate_clusters()->set_value(false); + // Update the route to match "/" to cluster: "new_cluster1". + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_route() + ->clear_cluster_header(); + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_route() + ->set_cluster("new_cluster1"); + // Duplicate the route for the virtual-host (make 2 new routes). + hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes()->Add()->CopyFrom( + hcm.route_config().virtual_hosts(0).routes(0)); + hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes()->Add()->CopyFrom( + hcm.route_config().virtual_hosts(0).routes(0)); + // Change the first route to match "/match2" to a cluster: "new_cluster2". + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_route() + ->set_cluster("new_cluster2"); + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_match() + ->set_prefix("/match2"); + // Change the first route to match "/match3" to a cluster: "new_cluster3". + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(1) + ->mutable_route() + ->set_cluster("new_cluster3"); + hcm.mutable_route_config() + ->mutable_virtual_hosts(0) + ->mutable_routes(1) + ->mutable_match() + ->set_prefix("/match3"); + return builder.listener(); + } + bool compareRequest(const std::string& type_url, const std::vector& expected_resource_subscriptions, const std::vector& expected_resource_unsubscriptions, @@ -580,7 +654,11 @@ INSTANTIATE_TEST_SUITE_P( testing::Combine(testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), testing::ValuesIn(TestEnvironment::getsGrpcVersionsForTest()), // Only delta xDS is supported for on-demand CDS. - testing::Values(Grpc::SotwOrDelta::Delta, Grpc::SotwOrDelta::UnifiedDelta))); + testing::Values(Grpc::SotwOrDelta::Delta, Grpc::SotwOrDelta::UnifiedDelta), + // Whether to use the new/old OdCdsApiImpl (will be removed once + // "envoy.reloadable_features.xdstp_based_config_singleton_subscriptions" + // is deprecated). + testing::Values(true, false))); // tests a scenario when: // - making a request to an unknown cluster @@ -705,6 +783,755 @@ TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryAsksForNonexistentCluste cleanupUpstreamAndDownstream(); } +// tests a scenario where: +// - 2 listeners each with its HCM configured with OdCds. +// - making 2 concurrent downstream requests one to listener1, and a short while after a second to +// listener2. +// - Observing that a single CDS request is sent to the ADS server. +// - sending a single CDS response back to the Envoy containing the cluster. +// - both requests are resumed. +TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterMultipleListenersSameClusters) { + initialize(); + // Initial cluster query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {}, true)); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {}, "1"); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListener(); + odcds_listener.set_name("listener_0"); + auto odcds_listener2 = buildListener(); + odcds_listener2.set_name("listener_1"); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener, odcds_listener2}, {}, "2"); + + // Acks. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http", "http_1"}); + + // Send first downstream request. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", "new_cluster"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster"}, {})); + + // Send second downstream request. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http_1"))); + Http::TestRequestHeaderMapImpl request_headers2{{":method", "GET"}, + {":path", "/"}, + {":scheme", "http"}, + {":authority", "vhost.first"}, + {"Pick-This-Cluster", "new_cluster"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Send the CDS response with the cluster, and expect an Ack after that (if + // there were repeated requests, there won't be an ack next). + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster_}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for one of the requests to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + + // Wait for the other request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + + // Cleanup. + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } +} + +// tests a scenario where: +// - a single listener with its HCM configured with 2 routes for ODCDS. +// - making a downstream request to route1. +// - Observing that a CDS request to new_cluster1 is sent to the ADS server. +// - Sending the CDS response for new_cluster1. +// - making a downstream request to route2. +// - Observing that a CDS request to new_cluster2 is sent to the ADS server (without removing +// new_cluster1). +// - Sending the CDS response for new_cluster2. +// - both requests are resumed. +TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterDiscoveryMultipleClustersSequentially) { + initialize(); + // Create 2 clusters (that have to the same endpoint). + envoy::config::cluster::v3::Cluster new_cluster1 = ConfigHelper::buildStaticCluster( + "new_cluster1", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster2 = ConfigHelper::buildStaticCluster( + "new_cluster2", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + + // Initial cluster query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {}, true)); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {}, "1"); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListenerWithMultiRoute(); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); + + // Acks. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http"}); + + // Send first downstream request to the route of new_cluster1. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster1 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster1"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster1}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + cleanupUpstreamAndDownstream(); + + // Send a second downstream request but to the route of new_cluster2. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers2{ + {":method", "GET"}, {":path", "/match2"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Expect a new_cluster2 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster2"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster2}, {}, "4"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request2 = std::move(upstream_request_); + upstream_request2->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } +} + +// tests a scenario where: +// - cds_config is not used. +// - a single listener with its HCM configured with 2 routes for ODCDS. +// - making a downstream request to route1. +// - Observing that a CDS request to new_cluster1 is sent to the ADS server. +// - Sending the CDS response for new_cluster1. +// - making a downstream request to route2. +// - Observing that a CDS request to new_cluster2 is sent to the ADS server (without removing +// new_cluster1). +// - Sending the CDS response for new_cluster2. +// - both requests are resumed. +TEST_P(OdCdsAdsIntegrationTest, NoCdsConfigOnDemandClusterMultipleClustersSequentially) { + // This test does not work with the previous OdCdsApi implementation (OdCdsApiImpl), + // but works with the new one (XdstpOdCdsApiImpl). + // Once envoy.reloadable_features.odcds_over_ads_fix is removed, this test + // will only execute the fixed component. + if (!odcds_over_ads_fix_enabled()) { + GTEST_SKIP() << "This test only passes with the new XdstpOdCdsApiImpl implementation"; + } + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + bootstrap.mutable_dynamic_resources()->clear_cds_config(); + }); + initialize(); + // Create 2 clusters (that have to the same endpoint). + envoy::config::cluster::v3::Cluster new_cluster1 = ConfigHelper::buildStaticCluster( + "new_cluster1", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster2 = ConfigHelper::buildStaticCluster( + "new_cluster2", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListenerWithMultiRoute(); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); + + // Acks. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http"}); + + // Send first downstream request to the route of new_cluster1. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster1 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster1"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster1}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + cleanupUpstreamAndDownstream(); + + // Send a second downstream request but to the route of new_cluster2. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers2{ + {":method", "GET"}, {":path", "/match2"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Expect a new_cluster2 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster2"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster2}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request2 = std::move(upstream_request_); + upstream_request2->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } +} + +// tests a scenario where: +// - a single listener with its HCM configured with 3 routes for ODCDS. +// - making a downstream request to route1. +// - Observing that a CDS request to new_cluster1 is sent to the ADS server. +// - Sending the CDS response for new_cluster1. +// - making a downstream request to route2. +// - Observing that a CDS request to new_cluster2 is sent to the ADS server (without removing +// new_cluster1). +// - making a downstream request to route3. +// - Observing that a CDS request to new_cluster2 and new_cluster3 is sent to the ADS server +// (without removing new_cluster1). +// - Sending the CDS response for new_cluster2, new_cluster3. +// - both requests are resumed. +TEST_P(OdCdsAdsIntegrationTest, OnDemandClusterTwoClustersBeforeResponseAfterInitialCluster) { + initialize(); + // Create 3 clusters (that have to the same endpoint). + envoy::config::cluster::v3::Cluster new_cluster1 = ConfigHelper::buildStaticCluster( + "new_cluster1", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster2 = ConfigHelper::buildStaticCluster( + "new_cluster2", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster3 = ConfigHelper::buildStaticCluster( + "new_cluster3", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + + // Initial cluster query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {}, true)); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {}, "1"); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListenerWithMultiRoute(); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); + + // Acks. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http"}); + + // Send first downstream request to the route of new_cluster1. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster1 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster1"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster1}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + cleanupUpstreamAndDownstream(); + + // Send a second downstream request to the route of new_cluster2. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers2{ + {":method", "GET"}, {":path", "/match2"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Expect a new_cluster2 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster2"}, {})); + + // Send a third downstream request to the route of new_cluster3. + IntegrationCodecClientPtr codec_client3 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers3{ + {":method", "GET"}, {":path", "/match3"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response3 = codec_client3->makeHeaderOnlyRequest(request_headers3); + + // Expect a new_cluster3 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster3"}, {})); + // Send a CDS response with both clusters, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster2, new_cluster3}, {}, "4"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for one of the requests to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request2 = std::move(upstream_request_); + upstream_request2->encodeHeaders(default_response_headers_, true); + cleanupUpstreamAndDownstream(); + + // Wait for the second request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request3 = std::move(upstream_request_); + upstream_request3->encodeHeaders(default_response_headers_, true); + + // Ensure that all response arrived with 200. + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + ASSERT_TRUE(response3->waitForEndStream()); + verifyResponse(std::move(response3), "200", {}, {}); + + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } + if (codec_client3) { + codec_client3->close(); + } +} + +// tests a scenario where: +// - cds_config is not used. +// - a single listener with its HCM configured with 3 routes for ODCDS. +// - making a downstream request to route1. +// - Observing that a CDS request to new_cluster1 is sent to the ADS server. +// - Sending the CDS response for new_cluster1. +// - making a downstream request to route2. +// - Observing that a CDS request to new_cluster2 is sent to the ADS server (without removing +// new_cluster1). +// - making a downstream request to route3. +// - Observing that a CDS request to new_cluster2 and new_cluster3 is sent to the ADS server +// (without removing new_cluster1). +// - Sending the CDS response for new_cluster2, new_cluster3. +// - both requests are resumed. +TEST_P(OdCdsAdsIntegrationTest, + NoCdsConfigOnDemandDiscoveryTwoClustersBeforeResponseAfterInitialCluster) { + // This test does not work with the previous OdCdsApi implementation (OdCdsApiImpl), + // but works with the new one (XdstpOdCdsApiImpl). + // Once envoy.reloadable_features.odcds_over_ads_fix is removed, this test + // will only execute the fixed component. + if (!odcds_over_ads_fix_enabled()) { + GTEST_SKIP() << "This test only passes with the new XdstpOdCdsApiImpl implementation"; + } + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + bootstrap.mutable_dynamic_resources()->clear_cds_config(); + }); + initialize(); + // Create 3 clusters (that have to the same endpoint). + envoy::config::cluster::v3::Cluster new_cluster1 = ConfigHelper::buildStaticCluster( + "new_cluster1", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster2 = ConfigHelper::buildStaticCluster( + "new_cluster2", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster3 = ConfigHelper::buildStaticCluster( + "new_cluster3", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListenerWithMultiRoute(); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); + + // Ack. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http"}); + + // Send first downstream request to the route of new_cluster1. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster1 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster1"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster1}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + cleanupUpstreamAndDownstream(); + + // Send a second downstream request to the route of new_cluster2. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers2{ + {":method", "GET"}, {":path", "/match2"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Expect a new_cluster2 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster2"}, {})); + + // Send a third downstream request to the route of new_cluster3. + IntegrationCodecClientPtr codec_client3 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers3{ + {":method", "GET"}, {":path", "/match3"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response3 = codec_client3->makeHeaderOnlyRequest(request_headers3); + + // Expect a new_cluster3 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster3"}, {})); + // Send a CDS response with both clusters, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster2, new_cluster3}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for one of the requests to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request2 = std::move(upstream_request_); + upstream_request2->encodeHeaders(default_response_headers_, true); + cleanupUpstreamAndDownstream(); + + // Wait for the second request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request3 = std::move(upstream_request_); + upstream_request3->encodeHeaders(default_response_headers_, true); + + // Ensure that all response arrived with 200. + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + ASSERT_TRUE(response3->waitForEndStream()); + verifyResponse(std::move(response3), "200", {}, {}); + + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } + if (codec_client3) { + codec_client3->close(); + } +} + +/*****************/ + +// tests a scenario where: +// - a single listener with its HCM configured with 3 routes for ODCDS. +// - making a downstream request to route1. +// - Observing that a CDS request to new_cluster1 is sent to the ADS server. +// - Sending the CDS response for new_cluster1. +// - making a downstream request to route2. +// - Observing that a CDS request to new_cluster2 is sent to the ADS server (without removing +// new_cluster1). +// - making a downstream request to route3. +// - Observing that a CDS request to new_cluster2 and new_cluster3 is sent to the ADS server +// (without removing new_cluster1). +// - Sending the CDS response for new_cluster3. +// - request is resumed. +// - Sending the CDS response for new_cluster2. +// - final request is resumed. +TEST_P(OdCdsAdsIntegrationTest, + OnDemandClusterTwoClustersReceivingSecondFirstBeforeResponseAfterInitialCluster) { + initialize(); + // Create 3 clusters (that have to the same endpoint). + envoy::config::cluster::v3::Cluster new_cluster1 = ConfigHelper::buildStaticCluster( + "new_cluster1", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster2 = ConfigHelper::buildStaticCluster( + "new_cluster2", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster3 = ConfigHelper::buildStaticCluster( + "new_cluster3", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + + // Initial cluster query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {}, true)); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {}, "1"); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListenerWithMultiRoute(); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); + + // Acks. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http"}); + + // Send first downstream request to the route of new_cluster1. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster1 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster1"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster1}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + cleanupUpstreamAndDownstream(); + + // Send a second downstream request to the route of new_cluster2. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers2{ + {":method", "GET"}, {":path", "/match2"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Expect a new_cluster2 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster2"}, {})); + + // Send a third downstream request to the route of new_cluster3. + IntegrationCodecClientPtr codec_client3 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers3{ + {":method", "GET"}, {":path", "/match3"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response3 = codec_client3->makeHeaderOnlyRequest(request_headers3); + + // Expect a new_cluster3 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster3"}, {})); + + // Send a CDS response with only new_cluster3, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster3}, {}, "4"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the third request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request3 = std::move(upstream_request_); + upstream_request3->encodeHeaders(default_response_headers_, true); + cleanupUpstreamAndDownstream(); + // Ensure that the third request got a 200 response. + ASSERT_TRUE(response3->waitForEndStream()); + verifyResponse(std::move(response3), "200", {}, {}); + + // Send a CDS response with only new_cluster2, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster2}, {}, "5"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the second request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request2 = std::move(upstream_request_); + upstream_request2->encodeHeaders(default_response_headers_, true); + // Ensure that the second request got a 200 response. + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } + if (codec_client3) { + codec_client3->close(); + } +} + +// tests a scenario where: +// - a single listener with its HCM configured with 3 routes for ODCDS. +// - making a downstream request to route1. +// - Observing that a CDS request to new_cluster1 is sent to the ADS server. +// - Sending the CDS response for new_cluster1. +// - making a downstream request to route2. +// - Observing that a CDS request to new_cluster2 is sent to the ADS server (without removing +// new_cluster1). +// - making a downstream request to route3. +// - Observing that a CDS request to new_cluster2 and new_cluster3 is sent to the ADS server +// (without removing new_cluster1). +// - Disconnect the ADS stream, and ensure correct reconnection. +// - Sending the CDS response for new_cluster2, new_cluster3. +// - both requests are resumed. +TEST_P(OdCdsAdsIntegrationTest, + OnDemandClusterTwoClustersBeforeResponseAndDisconnectAfterInitialCluster) { + initialize(); + // Create 3 clusters (that have to the same endpoint). + envoy::config::cluster::v3::Cluster new_cluster1 = ConfigHelper::buildStaticCluster( + "new_cluster1", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster2 = ConfigHelper::buildStaticCluster( + "new_cluster2", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + envoy::config::cluster::v3::Cluster new_cluster3 = ConfigHelper::buildStaticCluster( + "new_cluster3", fake_upstreams_[new_cluster_upstream_idx_]->localAddress()->ip()->port(), + Network::Test::getLoopbackAddressString(ipVersion())); + + // Initial cluster query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {}, true)); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {}, {}, "1"); + + // Initial listener query. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + auto odcds_listener = buildListenerWithMultiRoute(); + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Listener, {odcds_listener}, {}, "2"); + + // Acks. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Listener is acked, register the http port now. + test_server_->waitUntilListenersReady(); + registerTestServerPorts({"http"}); + + // Send first downstream request to the route of new_cluster1. + codec_client_ = makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers{ + {":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response = codec_client_->makeHeaderOnlyRequest(request_headers); + + // Expect a new_cluster1 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster1"}, {})); + // Send the CDS response with the cluster, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster1}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for the request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + upstream_request_->encodeHeaders(default_response_headers_, true); + ASSERT_TRUE(response->waitForEndStream()); + verifyResponse(std::move(response), "200", {}, {}); + cleanupUpstreamAndDownstream(); + + // Send a second downstream request to the route of new_cluster2. + IntegrationCodecClientPtr codec_client2 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers2{ + {":method", "GET"}, {":path", "/match2"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response2 = codec_client2->makeHeaderOnlyRequest(request_headers2); + + // Expect a new_cluster2 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster2"}, {})); + + // Send a third downstream request to the route of new_cluster3. + IntegrationCodecClientPtr codec_client3 = + makeHttpConnection(makeClientConnection(lookupPort("http"))); + Http::TestRequestHeaderMapImpl request_headers3{ + {":method", "GET"}, {":path", "/match3"}, {":scheme", "http"}, {":authority", "vhost.first"}}; + IntegrationStreamDecoderPtr response3 = codec_client3->makeHeaderOnlyRequest(request_headers3); + + // Expect a new_cluster3 CDS on-demand request. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {"new_cluster3"}, {})); + + // Disconnect the xDS stream. + xds_stream_->finishGrpcStream(Grpc::Status::Internal); + // Allow reconnection to the xDS-stream. + AssertionResult result = xds_connection_->waitForNewStream(*dispatcher_, xds_stream_); + RELEASE_ASSERT(result, result.message()); + xds_stream_->startGrpcStream(); + + // A CDS request for {"*", "new_cluster1", "new_cluster2", "new_cluster3"} + // should be received. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, + {"*", "new_cluster1", "new_cluster2", "new_cluster3"}, {}, true)); + // The listeners should already include odcds_listener, nothing to remove. + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Listener, {}, {})); + + // Send a CDS response with both clusters, and expect an Ack after that. + sendDeltaDiscoveryResponse( + Config::TestTypeUrl::get().Cluster, {new_cluster2, new_cluster3}, {}, "3"); + EXPECT_TRUE(compareRequest(Config::TestTypeUrl::get().Cluster, {}, {})); + + // Wait for one of the requests to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request2 = std::move(upstream_request_); + upstream_request2->encodeHeaders(default_response_headers_, true); + cleanupUpstreamAndDownstream(); + + // Wait for the second request to arrive at the upstream, and send a reply. + waitForNextUpstreamRequest(new_cluster_upstream_idx_); + FakeStreamPtr upstream_request3 = std::move(upstream_request_); + upstream_request3->encodeHeaders(default_response_headers_, true); + + // Ensure that all response arrived with 200. + ASSERT_TRUE(response2->waitForEndStream()); + verifyResponse(std::move(response2), "200", {}, {}); + ASSERT_TRUE(response3->waitForEndStream()); + verifyResponse(std::move(response3), "200", {}, {}); + + cleanupUpstreamAndDownstream(); + if (codec_client2) { + codec_client2->close(); + } + if (codec_client3) { + codec_client3->close(); + } +} + class OdCdsXdstpIntegrationTest : public XdsTpConfigsIntegration { public: void initialize() override { diff --git a/test/integration/ads_integration.cc b/test/integration/ads_integration.cc index 96eb78fd557db..5a47325c9b61c 100644 --- a/test/integration/ads_integration.cc +++ b/test/integration/ads_integration.cc @@ -21,72 +21,75 @@ using testing::AssertionResult; namespace Envoy { -AdsIntegrationTest::AdsIntegrationTest() +AdsIntegrationTestBase::AdsIntegrationTestBase(Network::Address::IpVersion ip_version, + Grpc::SotwOrDelta sotw_or_delta) : HttpIntegrationTest( - Http::CodecType::HTTP2, ipVersion(), - ConfigHelper::adsBootstrap((sotwOrDelta() == Grpc::SotwOrDelta::Sotw) || - (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw) + Http::CodecType::HTTP2, ip_version, + ConfigHelper::adsBootstrap((sotw_or_delta == Grpc::SotwOrDelta::Sotw) || + (sotw_or_delta == Grpc::SotwOrDelta::UnifiedSotw) ? "GRPC" : "DELTA_GRPC")) { - commonInitialize(); + commonInitialize(sotw_or_delta); } -AdsIntegrationTest::AdsIntegrationTest(const std::string& config) - : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion(), config) { - commonInitialize(); +AdsIntegrationTestBase::AdsIntegrationTestBase(Network::Address::IpVersion ip_version, + Grpc::SotwOrDelta sotw_or_delta, + const std::string& config) + : HttpIntegrationTest(Http::CodecType::HTTP2, ip_version, config) { + commonInitialize(sotw_or_delta); } -void AdsIntegrationTest::commonInitialize() { +void AdsIntegrationTestBase::commonInitialize(Grpc::SotwOrDelta sotw_or_delta) { config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", - (sotwOrDelta() == Grpc::SotwOrDelta::UnifiedSotw || - sotwOrDelta() == Grpc::SotwOrDelta::UnifiedDelta) + (sotw_or_delta == Grpc::SotwOrDelta::UnifiedSotw || + sotw_or_delta == Grpc::SotwOrDelta::UnifiedDelta) ? "true" : "false"); use_lds_ = false; create_xds_upstream_ = true; tls_xds_upstream_ = true; - sotw_or_delta_ = sotwOrDelta(); + sotw_or_delta_ = sotw_or_delta; setUpstreamProtocol(Http::CodecType::HTTP2); } -void AdsIntegrationTest::TearDown() { cleanUpXdsConnection(); } - envoy::config::cluster::v3::Cluster -AdsIntegrationTest::buildCluster(const std::string& name, - envoy::config::cluster::v3::Cluster::LbPolicy lb_policy) { +AdsIntegrationTestBase::buildCluster(const std::string& name, + envoy::config::cluster::v3::Cluster::LbPolicy lb_policy) { return ConfigHelper::buildCluster(name, lb_policy); } -envoy::config::cluster::v3::Cluster AdsIntegrationTest::buildTlsCluster(const std::string& name) { +envoy::config::cluster::v3::Cluster +AdsIntegrationTestBase::buildTlsCluster(const std::string& name) { return ConfigHelper::buildTlsCluster(name, envoy::config::cluster::v3::Cluster::ROUND_ROBIN); } -envoy::config::cluster::v3::Cluster AdsIntegrationTest::buildRedisCluster(const std::string& name) { +envoy::config::cluster::v3::Cluster +AdsIntegrationTestBase::buildRedisCluster(const std::string& name) { return ConfigHelper::buildCluster(name, envoy::config::cluster::v3::Cluster::MAGLEV); } envoy::config::endpoint::v3::ClusterLoadAssignment -AdsIntegrationTest::buildClusterLoadAssignment(const std::string& name) { +AdsIntegrationTestBase::buildClusterLoadAssignment(const std::string& name) { return ConfigHelper::buildClusterLoadAssignment( name, Network::Test::getLoopbackAddressString(ipVersion()), fake_upstreams_[0]->localAddress()->ip()->port()); } envoy::config::endpoint::v3::ClusterLoadAssignment -AdsIntegrationTest::buildTlsClusterLoadAssignment(const std::string& name) { +AdsIntegrationTestBase::buildTlsClusterLoadAssignment(const std::string& name) { return ConfigHelper::buildClusterLoadAssignment( name, Network::Test::getLoopbackAddressString(ipVersion()), 8443); } envoy::config::endpoint::v3::ClusterLoadAssignment -AdsIntegrationTest::buildClusterLoadAssignmentWithLeds(const std::string& name, - const std::string& collection_name) { +AdsIntegrationTestBase::buildClusterLoadAssignmentWithLeds(const std::string& name, + const std::string& collection_name) { return ConfigHelper::buildClusterLoadAssignmentWithLeds(name, collection_name); } envoy::service::discovery::v3::Resource -AdsIntegrationTest::buildLbEndpointResource(const std::string& lb_endpoint_resource_name, - const std::string& version) { +AdsIntegrationTestBase::buildLbEndpointResource(const std::string& lb_endpoint_resource_name, + const std::string& version) { envoy::service::discovery::v3::Resource resource; resource.set_name(lb_endpoint_resource_name); resource.set_version(version); @@ -99,14 +102,14 @@ AdsIntegrationTest::buildLbEndpointResource(const std::string& lb_endpoint_resou } envoy::config::listener::v3::Listener -AdsIntegrationTest::buildListener(const std::string& name, const std::string& route_config, - const std::string& stat_prefix) { +AdsIntegrationTestBase::buildListener(const std::string& name, const std::string& route_config, + const std::string& stat_prefix) { return ConfigHelper::buildListener( name, route_config, Network::Test::getLoopbackAddressString(ipVersion()), stat_prefix); } envoy::config::listener::v3::Listener -AdsIntegrationTest::buildRedisListener(const std::string& name, const std::string& cluster) { +AdsIntegrationTestBase::buildRedisListener(const std::string& name, const std::string& cluster) { std::string redis = fmt::format( R"EOF( filters: @@ -126,19 +129,19 @@ AdsIntegrationTest::buildRedisListener(const std::string& name, const std::strin } envoy::config::route::v3::RouteConfiguration -AdsIntegrationTest::buildRouteConfig(const std::string& name, const std::string& cluster) { +AdsIntegrationTestBase::buildRouteConfig(const std::string& name, const std::string& cluster) { return ConfigHelper::buildRouteConfig(name, cluster); } -void AdsIntegrationTest::makeSingleRequest() { +void AdsIntegrationTestBase::makeSingleRequest() { registerTestServerPorts({"http"}); testRouterHeaderOnlyRequestAndResponse(); cleanupUpstreamAndDownstream(); } -void AdsIntegrationTest::initialize() { initializeAds(false); } +void AdsIntegrationTestBase::initialize() { initializeAds(false); } -void AdsIntegrationTest::initializeAds(const bool rate_limiting) { +void AdsIntegrationTestBase::initializeAds(const bool rate_limiting) { config_helper_.addConfigModifier([this, &rate_limiting]( envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* ads_config = bootstrap.mutable_dynamic_resources()->mutable_ads_config(); @@ -176,7 +179,7 @@ void AdsIntegrationTest::initializeAds(const bool rate_limiting) { } } -void AdsIntegrationTest::testBasicFlow() { +void AdsIntegrationTestBase::testBasicFlow() { // Send initial configuration, validate we can process a request. EXPECT_TRUE(compareDiscoveryRequest(Config::TestTypeUrl::get().Cluster, "", {}, {}, {}, true)); sendDiscoveryResponse(Config::TestTypeUrl::get().Cluster, @@ -295,19 +298,19 @@ void AdsIntegrationTest::testBasicFlow() { EXPECT_GT(first_route_config_ts_3, first_route_config_ts_2); } -envoy::admin::v3::ClustersConfigDump AdsIntegrationTest::getClustersConfigDump() { +envoy::admin::v3::ClustersConfigDump AdsIntegrationTestBase::getClustersConfigDump() { auto message_ptr = test_server_->server().admin()->getConfigTracker().getCallbacksMap().at( "clusters")(Matchers::UniversalStringMatcher()); return dynamic_cast(*message_ptr); } -envoy::admin::v3::ListenersConfigDump AdsIntegrationTest::getListenersConfigDump() { +envoy::admin::v3::ListenersConfigDump AdsIntegrationTestBase::getListenersConfigDump() { auto message_ptr = test_server_->server().admin()->getConfigTracker().getCallbacksMap().at( "listeners")(Matchers::UniversalStringMatcher()); return dynamic_cast(*message_ptr); } -envoy::admin::v3::RoutesConfigDump AdsIntegrationTest::getRoutesConfigDump() { +envoy::admin::v3::RoutesConfigDump AdsIntegrationTestBase::getRoutesConfigDump() { auto message_ptr = test_server_->server().admin()->getConfigTracker().getCallbacksMap().at( "routes")(Matchers::UniversalStringMatcher()); return dynamic_cast(*message_ptr); diff --git a/test/integration/ads_integration.h b/test/integration/ads_integration.h index 5f6ec180be4e6..28b910faf0161 100644 --- a/test/integration/ads_integration.h +++ b/test/integration/ads_integration.h @@ -37,13 +37,12 @@ class AdsDeltaSotwIntegrationSubStateParamTest Grpc::SotwOrDelta sotwOrDelta() const { return std::get<2>(GetParam()); } }; -class AdsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamTest, - public HttpIntegrationTest { +class AdsIntegrationTestBase : public Grpc::BaseGrpcClientIntegrationParamTest, + public HttpIntegrationTest { public: - AdsIntegrationTest(); - AdsIntegrationTest(const std::string& config); - - void TearDown() override; + AdsIntegrationTestBase(Network::Address::IpVersion ip_version, Grpc::SotwOrDelta sotw_or_delta); + AdsIntegrationTestBase(Network::Address::IpVersion ip_version, Grpc::SotwOrDelta sotw_or_delta, + const std::string& config); envoy::config::cluster::v3::Cluster buildCluster(const std::string& name, envoy::config::cluster::v3::Cluster::LbPolicy lb_policy = @@ -87,7 +86,31 @@ class AdsIntegrationTest : public AdsDeltaSotwIntegrationSubStateParamTest, envoy::admin::v3::RoutesConfigDump getRoutesConfigDump(); private: - void commonInitialize(); + void commonInitialize(Grpc::SotwOrDelta sotw_or_delta); +}; + +class AdsIntegrationTest + : public AdsIntegrationTestBase, + public testing::TestWithParam< + std::tuple> { +public: + AdsIntegrationTest() : AdsIntegrationTestBase(ipVersion(), sotwOrDelta()) {} + AdsIntegrationTest(const std::string& config) + : AdsIntegrationTestBase(ipVersion(), sotwOrDelta(), config) {} + + void TearDown() override { cleanUpXdsConnection(); } + + static std::string protocolTestParamsToString( + const ::testing::TestParamInfo< + std::tuple>& p) { + return fmt::format( + "{}_{}_{}", TestUtility::ipVersionToString(std::get<0>(p.param)), + std::get<1>(p.param) == Grpc::ClientType::GoogleGrpc ? "GoogleGrpc" : "EnvoyGrpc", + std::get<2>(p.param) == Grpc::SotwOrDelta::Delta ? "Delta" : "StateOfTheWorld"); + } + Network::Address::IpVersion ipVersion() const override { return std::get<0>(GetParam()); } + Grpc::ClientType clientType() const override { return std::get<1>(GetParam()); } + Grpc::SotwOrDelta sotwOrDelta() const { return std::get<2>(GetParam()); } }; // When old delta subscription state goes away, we could replace this macro back with From b314c6b343515d27fd86b2b2cae859ed24d97cb3 Mon Sep 17 00:00:00 2001 From: code Date: Wed, 24 Sep 2025 10:15:13 +0800 Subject: [PATCH 486/505] ratelimit: support detach request after sent limit request (#40958) To close https://github.com/envoyproxy/envoy/issues/40892. In the previous implementation, at stream complete phase, the substitution formatter couldn't works as expected for limit request. This is because no related context is provided to the grpc client to avoid potential lifetime problem. This new implementation add a detach() method at `Grpc::AsyncRequest` which will clean up the context (parent span, stream info, and so on). And then, at the rate limit filter, at stream complete phase, the stream info will be provided to the grpc client and then be cleaned up by the detach() to avoid potential dangling reference. Risk Level: low. Testing: unit. Docs Changes: n/a. Release Notes: added. --------- Signed-off-by: WangBaiping Signed-off-by: code --- changelogs/current.yaml | 5 ++ envoy/grpc/async_client.h | 15 ++++++ source/common/grpc/async_client_impl.cc | 15 ++++++ source/common/grpc/async_client_impl.h | 2 + .../common/grpc/google_async_client_impl.cc | 12 +++++ source/common/grpc/google_async_client_impl.h | 6 ++- source/common/http/async_client_impl.cc | 8 +-- source/common/http/async_client_impl.h | 1 + .../filters/common/ratelimit/ratelimit.h | 11 +++- .../common/ratelimit/ratelimit_impl.cc | 27 +++++++--- .../filters/common/ratelimit/ratelimit_impl.h | 3 +- .../filters/http/ratelimit/ratelimit.cc | 16 +++--- .../filters/http/ratelimit/ratelimit.h | 5 +- test/common/grpc/async_client_impl_test.cc | 53 +++++++++++++++++++ .../grpc/google_async_client_impl_test.cc | 26 +++++++++ .../filters/common/ratelimit/mocks.h | 3 +- .../common/ratelimit/ratelimit_impl_test.cc | 32 ++++++++++- .../filters/http/ratelimit/ratelimit_test.cc | 3 ++ test/mocks/grpc/mocks.h | 1 + 19 files changed, 220 insertions(+), 24 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 9ca4384c8bd30..72a4154cfb309 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -329,6 +329,11 @@ new_features: :ref:`RouteAction.rate_limits` fields will be ignored. However, :ref:`RateLimitPerRoute.rate_limits` will take precedence over this field. +- area: ratelimit + change: | + Enhanced the rate limit filter to support substitution formatters for descriptors that generated + at the stream complete phase. Before this change, substitution formatters at the stream complete + phase cannot work because rate limit filter does not provide the necessary context. - area: redis change: | Added support for thirty-three new Redis commands including ``COPY``, ``RPOPLPUSH``, ``SMOVE``, ``SUNION``, ``SDIFF``, diff --git a/envoy/grpc/async_client.h b/envoy/grpc/async_client.h index 2c4a2c1901ae6..0584da32c6f26 100644 --- a/envoy/grpc/async_client.h +++ b/envoy/grpc/async_client.h @@ -34,6 +34,21 @@ class AsyncRequest { * Returns the underlying stream info. */ virtual const StreamInfo::StreamInfo& streamInfo() const PURE; + + /** + * Detach the pending request. This is used for the case where we send a side + * request but never cancel it even if the related downstream main request is + * completed. + * + * This will will clean up all context associated with downstream request like + * downstream stream info, parent tracing span, and so on, to avoid potential + * dangling references. + * + * NOTE: the callbacks that registered to take the response will be kept to do + * some clean up or operations when response arrives. The caller is responsible + * for ensuring that the callbacks have enough lifetime. + */ + virtual void detach() PURE; }; /** diff --git a/source/common/grpc/async_client_impl.cc b/source/common/grpc/async_client_impl.cc index f44d09b0d649a..55fe75428abce 100644 --- a/source/common/grpc/async_client_impl.cc +++ b/source/common/grpc/async_client_impl.cc @@ -427,6 +427,21 @@ const StreamInfo::StreamInfo& AsyncRequestImpl::streamInfo() const { return AsyncStreamImpl::streamInfo(); } +void AsyncRequestImpl::detach() { + // TODO(wbpcode): In most tracers the span will hold a reference to the tracer self + // and it's possible that become a dangling reference for long time async request. + // This require further PR to resolve. + + if (options_.sidestream_watermark_callbacks != nullptr) { + stream_->removeWatermarkCallbacks(); + options_.sidestream_watermark_callbacks = nullptr; + } + options_.parent_span_ = nullptr; + options_.parent_context.stream_info = nullptr; + + streamInfo().clearParentStreamInfo(); +} + void AsyncRequestImpl::onCreateInitialMetadata(Http::RequestHeaderMap& metadata) { Tracing::HttpTraceContext trace_context(metadata); Tracing::UpstreamContext upstream_context(nullptr, // host_ diff --git a/source/common/grpc/async_client_impl.h b/source/common/grpc/async_client_impl.h index c255657459209..8953cbde033c9 100644 --- a/source/common/grpc/async_client_impl.h +++ b/source/common/grpc/async_client_impl.h @@ -121,6 +121,7 @@ class AsyncStreamImpl : public RawAsyncStream, // Deliver notification and update span when the connection closes. void notifyRemoteClose(Grpc::Status::GrpcStatus status, const std::string& message); +protected: Event::Dispatcher* dispatcher_{}; Http::RequestMessagePtr headers_message_; AsyncClientImpl& parent_; @@ -153,6 +154,7 @@ class AsyncRequestImpl : public AsyncRequest, public AsyncStreamImpl, RawAsyncSt // Grpc::AsyncRequest void cancel() override; const StreamInfo::StreamInfo& streamInfo() const override; + void detach() override; private: using AsyncStreamImpl::streamInfo; diff --git a/source/common/grpc/google_async_client_impl.cc b/source/common/grpc/google_async_client_impl.cc index 5f54652295d34..b8ec5c12d8ae4 100644 --- a/source/common/grpc/google_async_client_impl.cc +++ b/source/common/grpc/google_async_client_impl.cc @@ -518,6 +518,18 @@ void GoogleAsyncRequestImpl::cancel() { resetStream(); } +void GoogleAsyncRequestImpl::detach() { + // TODO(wbpcode): In most tracers the span will hold a reference to the tracer self + // and it's possible that become a dangling reference for long time async request. + // This require further PR to resolve. + + options_.sidestream_watermark_callbacks = nullptr; + options_.parent_span_ = nullptr; + options_.parent_context.stream_info = nullptr; + + streamInfo().clearParentStreamInfo(); +} + void GoogleAsyncRequestImpl::onCreateInitialMetadata(Http::RequestHeaderMap& metadata) { Tracing::HttpTraceContext trace_context(metadata); Tracing::UpstreamContext upstream_context(nullptr, // host_ diff --git a/source/common/grpc/google_async_client_impl.h b/source/common/grpc/google_async_client_impl.h index 65a6a7e8e2ebc..5c5d13ad29bff 100644 --- a/source/common/grpc/google_async_client_impl.h +++ b/source/common/grpc/google_async_client_impl.h @@ -274,10 +274,11 @@ class GoogleAsyncStreamImpl : public RawAsyncStream, // End-of-stream with no additional message. PendingMessage() = default; - const absl::optional buf_{}; + const absl::optional buf_; const bool end_stream_{true}; }; +protected: GoogleAsyncTag init_tag_{*this, GoogleAsyncTag::Operation::Init}; GoogleAsyncTag read_initial_metadata_tag_{*this, GoogleAsyncTag::Operation::ReadInitialMetadata}; GoogleAsyncTag read_tag_{*this, GoogleAsyncTag::Operation::Read}; @@ -298,7 +299,7 @@ class GoogleAsyncStreamImpl : public RawAsyncStream, std::string service_full_name_; std::string method_name_; RawAsyncStreamCallbacks& callbacks_; - const Http::AsyncClient::StreamOptions options_; + Http::AsyncClient::StreamOptions options_; grpc::ClientContext ctxt_; std::unique_ptr rw_; std::queue write_pending_queue_; @@ -352,6 +353,7 @@ class GoogleAsyncRequestImpl : public AsyncRequest, const StreamInfo::StreamInfo& streamInfo() const override { return GoogleAsyncStreamImpl::streamInfo(); } + void detach() override; private: using GoogleAsyncStreamImpl::streamInfo; diff --git a/source/common/http/async_client_impl.cc b/source/common/http/async_client_impl.cc index b3cae3ccb8bf1..1413861c6982f 100644 --- a/source/common/http/async_client_impl.cc +++ b/source/common/http/async_client_impl.cc @@ -131,9 +131,11 @@ AsyncStreamImpl::AsyncStreamImpl(AsyncClientImpl& parent, AsyncClient::StreamCal const Router::MetadataMatchCriteria* metadata_matching_criteria = nullptr; if (options.parent_context.stream_info != nullptr) { stream_info_.setParentStreamInfo(*options.parent_context.stream_info); - const auto route = options.parent_context.stream_info->route(); - if (route != nullptr) { - const auto* route_entry = route->routeEntry(); + // Keep the parent root to ensure the metadata_matching_criteria will not become + // dangling pointer once the parent downstream request is gone. + parent_route_ = options.parent_context.stream_info->route(); + if (parent_route_ != nullptr) { + const auto* route_entry = parent_route_->routeEntry(); if (route_entry != nullptr) { metadata_matching_criteria = route_entry->metadataMatchCriteria(); } diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h index 9790cc75d3a20..f2b841647b2a5 100644 --- a/source/common/http/async_client_impl.h +++ b/source/common/http/async_client_impl.h @@ -278,6 +278,7 @@ class AsyncStreamImpl : public virtual AsyncClient::Stream, Tracing::NullSpan active_span_; const Tracing::Config& tracing_config_; const LocalReply::LocalReply& local_reply_; + Router::RouteConstSharedPtr parent_route_; std::shared_ptr route_; uint32_t high_watermark_calls_{}; bool local_closed_{}; diff --git a/source/extensions/filters/common/ratelimit/ratelimit.h b/source/extensions/filters/common/ratelimit/ratelimit.h index 3c0dc231f072d..975897a31b519 100644 --- a/source/extensions/filters/common/ratelimit/ratelimit.h +++ b/source/extensions/filters/common/ratelimit/ratelimit.h @@ -74,6 +74,15 @@ class Client { */ virtual void cancel() PURE; + /** + * Detach an inflight limit request. This will not cancel the request but will clean up + * all context associated with downstream request to avoid dangling references. + * NOTE: the callbacks that registered to take the response will be kept to handle the response + * when it arrives. The caller is responsible for ensuring that the callbacks have enough + * lifetime to handle the response. + */ + virtual void detach() PURE; + /** * Request a limit check. Note that this abstract API matches the design of Lyft's GRPC based * rate limit service. See ratelimit.proto for details. Any other rate limit implementations @@ -90,7 +99,7 @@ class Client { */ virtual void limit(RequestCallbacks& callbacks, const std::string& domain, const std::vector& descriptors, - Tracing::Span& parent_span, OptRef stream_info, + Tracing::Span& parent_span, const StreamInfo::StreamInfo& stream_info, uint32_t hits_addend) PURE; }; diff --git a/source/extensions/filters/common/ratelimit/ratelimit_impl.cc b/source/extensions/filters/common/ratelimit/ratelimit_impl.cc index 4a836c600ca98..f2db678d0090b 100644 --- a/source/extensions/filters/common/ratelimit/ratelimit_impl.cc +++ b/source/extensions/filters/common/ratelimit/ratelimit_impl.cc @@ -29,10 +29,21 @@ GrpcClientImpl::~GrpcClientImpl() { ASSERT(!callbacks_); } void GrpcClientImpl::cancel() { ASSERT(callbacks_ != nullptr); - request_->cancel(); + if (request_) { + request_->cancel(); + request_ = nullptr; + } callbacks_ = nullptr; } +void GrpcClientImpl::detach() { + ASSERT(callbacks_ != nullptr); + if (request_) { + request_->detach(); + request_ = nullptr; + } +} + void GrpcClientImpl::createRequest(envoy::service::ratelimit::v3::RateLimitRequest& request, const std::string& domain, const std::vector& descriptors, @@ -62,19 +73,21 @@ void GrpcClientImpl::createRequest(envoy::service::ratelimit::v3::RateLimitReque void GrpcClientImpl::limit(RequestCallbacks& callbacks, const std::string& domain, const std::vector& descriptors, - Tracing::Span& parent_span, - OptRef stream_info, uint32_t hits_addend) { + Tracing::Span& parent_span, const StreamInfo::StreamInfo& stream_info, + uint32_t hits_addend) { ASSERT(callbacks_ == nullptr); callbacks_ = &callbacks; envoy::service::ratelimit::v3::RateLimitRequest request; createRequest(request, domain, descriptors, hits_addend); - auto options = Http::AsyncClient::RequestOptions().setTimeout(timeout_); - if (stream_info.has_value()) { - options.setParentContext(Http::AsyncClient::ParentContext{stream_info.ptr()}); + auto options = Http::AsyncClient::RequestOptions().setTimeout(timeout_).setParentContext( + Http::AsyncClient::ParentContext{&stream_info}); + auto inflight_request = + async_client_->send(service_method_, request, *this, parent_span, options); + if (inflight_request != nullptr) { + request_ = inflight_request; } - request_ = async_client_->send(service_method_, request, *this, parent_span, options); } void GrpcClientImpl::onSuccess( diff --git a/source/extensions/filters/common/ratelimit/ratelimit_impl.h b/source/extensions/filters/common/ratelimit/ratelimit_impl.h index 61a6c1c5ec880..f3c34280a200d 100644 --- a/source/extensions/filters/common/ratelimit/ratelimit_impl.h +++ b/source/extensions/filters/common/ratelimit/ratelimit_impl.h @@ -55,9 +55,10 @@ class GrpcClientImpl : public Client, // Filters::Common::RateLimit::Client void cancel() override; + void detach() override; void limit(RequestCallbacks& callbacks, const std::string& domain, const std::vector& descriptors, - Tracing::Span& parent_span, OptRef stream_info, + Tracing::Span& parent_span, const StreamInfo::StreamInfo& stream_info, uint32_t hits_addend = 0) override; // Grpc::AsyncRequestCallbacks diff --git a/source/extensions/filters/http/ratelimit/ratelimit.cc b/source/extensions/filters/http/ratelimit/ratelimit.cc index 23c9ba9202f41..b334fad497f22 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.cc +++ b/source/extensions/filters/http/ratelimit/ratelimit.cc @@ -190,18 +190,22 @@ void Filter::onDestroy() { if (state_ == State::Calling) { state_ = State::Complete; client_->cancel(); - } else if (client_ != nullptr && - request_headers_ != nullptr) // If decodeHeaders is not called because of a local - // reply, we do not set request_headers_. - { + } else if (client_ != nullptr && request_headers_ != nullptr) { std::vector descriptors; populateRateLimitDescriptors(descriptors, *request_headers_, true); if (!descriptors.empty()) { + // If the limit() call fails directly then the callback and client will be destroyed + // when calling the limit() function. To make sure we can call the detach() function + // safely, we convert the client_ to a shared_ptr. + + std::shared_ptr shared_client = std::move(client_); // Since this filter is being destroyed, we need to keep the client alive until the request // is complete by leaking the client with OnStreamDoneCallBack. - auto callback = new OnStreamDoneCallBack(std::move(client_)); + auto callback = new OnStreamDoneCallBack(shared_client); callback->client().limit(*callback, getDomain(), descriptors, Tracing::NullSpan::instance(), - absl::nullopt, getHitAddend()); + callbacks_->streamInfo(), getHitAddend()); + // If the limit() call fails directly then the detach() will be no-op. + shared_client->detach(); } } } diff --git a/source/extensions/filters/http/ratelimit/ratelimit.h b/source/extensions/filters/http/ratelimit/ratelimit.h index 59dc7478b728d..39ecfe0822773 100644 --- a/source/extensions/filters/http/ratelimit/ratelimit.h +++ b/source/extensions/filters/http/ratelimit/ratelimit.h @@ -292,7 +292,8 @@ class Filter : public Http::StreamFilter, public Filters::Common::RateLimit::Req */ class OnStreamDoneCallBack : public Filters::Common::RateLimit::RequestCallbacks { public: - OnStreamDoneCallBack(Filters::Common::RateLimit::ClientPtr client) : client_(std::move(client)) {} + OnStreamDoneCallBack(std::shared_ptr client) + : client_(std::move(client)) {} ~OnStreamDoneCallBack() override = default; // RateLimit::RequestCallbacks @@ -304,7 +305,7 @@ class OnStreamDoneCallBack : public Filters::Common::RateLimit::RequestCallbacks Filters::Common::RateLimit::Client& client() { return *client_; } private: - Filters::Common::RateLimit::ClientPtr client_; + std::shared_ptr client_; }; } // namespace RateLimitFilter diff --git a/test/common/grpc/async_client_impl_test.cc b/test/common/grpc/async_client_impl_test.cc index 095015feb8dfb..3dd8d511c7d57 100644 --- a/test/common/grpc/async_client_impl_test.cc +++ b/test/common/grpc/async_client_impl_test.cc @@ -529,6 +529,59 @@ TEST_F(EnvoyAsyncClientImplTest, StreamHttpClientException) { EXPECT_EQ(grpc_stream, nullptr); } +TEST_F(EnvoyAsyncClientImplTest, AsyncRequestDetach) { + NiceMock> grpc_callbacks; + Http::AsyncClient::StreamCallbacks* http_callbacks; + + StreamInfo::StreamInfoImpl stream_info{test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain}; + NiceMock http_stream; + ON_CALL(Const(http_stream), streamInfo()).WillByDefault(ReturnRef(stream_info)); + ON_CALL(http_stream, streamInfo()).WillByDefault(ReturnRef(stream_info)); + + EXPECT_CALL(http_client_, start(_, _)) + .WillOnce( + Invoke([&http_callbacks, &http_stream](Http::AsyncClient::StreamCallbacks& callbacks, + const Http::AsyncClient::StreamOptions&) { + http_callbacks = &callbacks; + return &http_stream; + })); + + const std::string expected_downstream_local_address = "5.5.5.5"; + EXPECT_CALL(grpc_callbacks, onCreateInitialMetadata(_)); + EXPECT_CALL(http_stream, sendHeaders(_, _)); + + // Prepare the parent context of this call. + auto connection_info_provider = std::make_shared( + std::make_shared(expected_downstream_local_address), nullptr); + + StreamInfo::StreamInfoImpl parent_stream_info{test_time_.timeSystem(), connection_info_provider, + StreamInfo::FilterState::LifeSpan::FilterChain}; + Http::AsyncClient::ParentContext parent_context{&parent_stream_info}; + testing::NiceMock watermark_callbacks; + auto parent_span = std::make_unique(); + + Http::AsyncClient::StreamOptions stream_options; + stream_options.setParentContext(parent_context); + stream_options.setSidestreamWatermarkCallbacks(&watermark_callbacks); + stream_options.setParentSpan(*parent_span); + + helloworld::HelloRequest request_msg; + auto grpc_request = grpc_client_->send(*method_descriptor_, request_msg, grpc_callbacks, + *parent_span, stream_options); + EXPECT_NE(grpc_request, nullptr); + + EXPECT_CALL(http_stream, removeWatermarkCallbacks()); + stream_info.setParentStreamInfo(parent_stream_info); // Mock Envoy setting parent stream info. + + grpc_request->detach(); + + EXPECT_FALSE(grpc_request->streamInfo().parentStreamInfo().has_value()); + + // Clean up by simulating a reset from the HTTP stream. + http_callbacks->onReset(); +} + } // namespace } // namespace Grpc } // namespace Envoy diff --git a/test/common/grpc/google_async_client_impl_test.cc b/test/common/grpc/google_async_client_impl_test.cc index f75d30528f555..c7f4a8804224b 100644 --- a/test/common/grpc/google_async_client_impl_test.cc +++ b/test/common/grpc/google_async_client_impl_test.cc @@ -230,6 +230,32 @@ TEST_F(EnvoyGoogleLessMockedAsyncClientImplTest, TestOverflow) { EXPECT_TRUE(grpc_stream->isAboveWriteBufferHighWatermark()); } +TEST_F(EnvoyGoogleLessMockedAsyncClientImplTest, AsyncRequestDetach) { + // Set an (unreasonably) low byte limit. + auto* google_grpc = config_.mutable_google_grpc(); + google_grpc->mutable_per_stream_buffer_limit_bytes()->set_value(1); + initialize(); + + NiceMock> grpc_callbacks; + + Http::AsyncClient::RequestOptions request_options; + auto parent_span = std::make_shared(); + StreamInfo::StreamInfoImpl stream_info{test_time_.timeSystem(), nullptr, + StreamInfo::FilterState::LifeSpan::FilterChain}; + request_options.setParentSpan(*parent_span); + request_options.setParentContext(Http::AsyncClient::ParentContext{&stream_info}); + + helloworld::HelloRequest request_msg; + auto grpc_request = grpc_client_->send(*method_descriptor_, request_msg, grpc_callbacks, + *parent_span, request_options); + EXPECT_FALSE(grpc_request == nullptr); + + // Detach the request. No big sense for google async client but just test the code path. + grpc_request->detach(); + + grpc_request->cancel(); +} + } // namespace } // namespace Grpc } // namespace Envoy diff --git a/test/extensions/filters/common/ratelimit/mocks.h b/test/extensions/filters/common/ratelimit/mocks.h index 259fa3f08881a..48bad268d4ad7 100644 --- a/test/extensions/filters/common/ratelimit/mocks.h +++ b/test/extensions/filters/common/ratelimit/mocks.h @@ -23,10 +23,11 @@ class MockClient : public Client { // RateLimit::Client MOCK_METHOD(void, cancel, ()); + MOCK_METHOD(void, detach, ()); MOCK_METHOD(void, limit, (RequestCallbacks & callbacks, const std::string& domain, const std::vector& descriptors, - Tracing::Span& parent_span, OptRef stream_info, + Tracing::Span& parent_span, const StreamInfo::StreamInfo& stream_info, uint32_t hits_addend)); }; diff --git a/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc b/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc index f4f20c8a26135..a2cec4f89eaab 100644 --- a/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc +++ b/test/extensions/filters/common/ratelimit/ratelimit_impl_test.cc @@ -61,7 +61,7 @@ class RateLimitGrpcClientTest : public testing::Test { Grpc::MockAsyncRequest async_request_; GrpcClientImpl client_; MockRequestCallbacks request_callbacks_; - Tracing::MockSpan span_; + testing::NiceMock span_; StreamInfo::MockStreamInfo stream_info_; }; @@ -231,6 +231,36 @@ TEST_F(RateLimitGrpcClientTest, RequestWithPerDescriptorHitsAddend) { client_.onSuccess(std::move(response), span_); } +TEST_F(RateLimitGrpcClientTest, SendRequestAndDetach) { + std::unique_ptr response; + + { + envoy::service::ratelimit::v3::RateLimitRequest request; + Http::TestRequestHeaderMapImpl headers; + GrpcClientImpl::createRequest(request, "foo", {{{{"foo", "bar"}}}}, 0); + EXPECT_CALL(*async_client_, sendRaw(_, _, Grpc::ProtoBufferEq(request), Ref(client_), _, _)) + .WillOnce( + Invoke([this](absl::string_view service_full_name, absl::string_view method_name, + Buffer::InstancePtr&&, Grpc::RawAsyncRequestCallbacks&, Tracing::Span&, + const Http::AsyncClient::RequestOptions&) -> Grpc::AsyncRequest* { + std::string service_name = "envoy.service.ratelimit.v3.RateLimitService"; + EXPECT_EQ(service_name, service_full_name); + EXPECT_EQ("ShouldRateLimit", method_name); + return &async_request_; + })); + + EXPECT_CALL(async_request_, detach()); + client_.limit(request_callbacks_, "foo", {{{{"foo", "bar"}}}}, Tracing::NullSpan::instance(), + stream_info_, 0); + client_.detach(); + + response = std::make_unique(); + response->set_overall_code(envoy::service::ratelimit::v3::RateLimitResponse::OK); + EXPECT_CALL(request_callbacks_, complete_(LimitStatus::OK, _, _, _, _, _)); + client_.onSuccess(std::move(response), span_); + } +} + } // namespace } // namespace RateLimit } // namespace Common diff --git a/test/extensions/filters/http/ratelimit/ratelimit_test.cc b/test/extensions/filters/http/ratelimit/ratelimit_test.cc index 419de7935a95e..513b2c1f8c8f9 100644 --- a/test/extensions/filters/http/ratelimit/ratelimit_test.cc +++ b/test/extensions/filters/http/ratelimit/ratelimit_test.cc @@ -423,6 +423,7 @@ TEST_F(HttpRateLimitFilterTest, OkResponseWithAdditionalHitsAddend) { WithArgs<0>(Invoke([&](Filters::Common::RateLimit::RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + EXPECT_CALL(*client_, detach()); filter_->onDestroy(); request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OK, nullptr, nullptr, nullptr, "", nullptr); @@ -2038,6 +2039,7 @@ TEST_F(HttpRateLimitFilterTest, PerRouteRateLimitsAndOnStreamDone) { EXPECT_EQ("header-value", descriptors[0].entries_[0].value_); EXPECT_EQ(789, descriptors[0].hits_addend_.value()); })); + EXPECT_CALL(*client_, detach()); filter_->onDestroy(); request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OK, nullptr, std::make_unique(), nullptr, "", @@ -2259,6 +2261,7 @@ TEST_F(HttpRateLimitFilterTest, InlinedRateLimitActionOnStreamDone) { EXPECT_EQ("generic_key", descriptors[0].entries_[0].key_); EXPECT_EQ("generic-key", descriptors[0].entries_[0].value_); })); + EXPECT_CALL(*client_, detach()); filter_->onDestroy(); request_callbacks_->complete(Filters::Common::RateLimit::LimitStatus::OK, nullptr, diff --git a/test/mocks/grpc/mocks.h b/test/mocks/grpc/mocks.h index 2fa79082f5d86..fbfcfb44b1470 100644 --- a/test/mocks/grpc/mocks.h +++ b/test/mocks/grpc/mocks.h @@ -26,6 +26,7 @@ class MockAsyncRequest : public AsyncRequest { MOCK_METHOD(void, cancel, ()); MOCK_METHOD(const StreamInfo::StreamInfo&, streamInfo, (), (const)); + MOCK_METHOD(void, detach, ()); }; class MockAsyncStream : public RawAsyncStream { From 39a4dc9ddb52089e89b7e9b87537acde141345b6 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 23 Sep 2025 19:22:54 -0700 Subject: [PATCH 487/505] rbac: enable use of NetworkNamespaceInput in network RBAC filter (#41199) ## Description This PR enables the use of `NetworkNamespaceInput` in the RBAC filter to be able to match on the incoming network namespace and do RBAC enforcement based on that. --- **Commit Message:** rbac: enable use of NetworkNamespaceInput in network RBAC filter **Additional Description:** Enable `NetworkNamespaceInput` to be used in the Network RBAC filter. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** Added **Release Notes:** Added Signed-off-by: Rohit Agrawal --- changelogs/current.yaml | 6 + .../filters/network/rbac/rbac_filter.cc | 3 + .../filters/network/rbac/filter_test.cc | 110 ++++++++++++++++++ 3 files changed, 119 insertions(+) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 72a4154cfb309..7901b280771ee 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -434,6 +434,12 @@ new_features: `, enabling filter chain selection based on the Linux network namespace of the bound socket. On non-Linux platforms, the input returns an empty value and connections use the default filter chain. +- area: rbac + change: | + Enabled use of :ref:`NetworkNamespaceInput + ` in the + network RBAC filter's matcher. This allows RBAC policies to evaluate the Linux network namespace + of the listening socket via the generic matcher API. - area: lua change: | Added ``route()`` to the Stream handle API, allowing Lua scripts to retrieve route information. So far, the only method diff --git a/source/extensions/filters/network/rbac/rbac_filter.cc b/source/extensions/filters/network/rbac/rbac_filter.cc index 7961129c420b6..6e2fc12b08972 100644 --- a/source/extensions/filters/network/rbac/rbac_filter.cc +++ b/source/extensions/filters/network/rbac/rbac_filter.cc @@ -36,6 +36,9 @@ absl::Status ActionValidationVisitor::performDataInputValidation( {TypeUtil::descriptorFullNameToTypeUrl( envoy::extensions::matching::common_inputs::network::v3::ServerNameInput::descriptor() ->full_name())}, + {TypeUtil::descriptorFullNameToTypeUrl(envoy::extensions::matching::common_inputs::network:: + v3::NetworkNamespaceInput::descriptor() + ->full_name())}, {TypeUtil::descriptorFullNameToTypeUrl( envoy::extensions::matching::common_inputs::ssl::v3::UriSanInput::descriptor() ->full_name())}, diff --git a/test/extensions/filters/network/rbac/filter_test.cc b/test/extensions/filters/network/rbac/filter_test.cc index d09674d636d00..4229b293b5cbb 100644 --- a/test/extensions/filters/network/rbac/filter_test.cc +++ b/test/extensions/filters/network/rbac/filter_test.cc @@ -207,6 +207,16 @@ class RoleBasedAccessControlNetworkFilterTest : public testing::Test { .WillByDefault(ReturnPointee(stream_info_.downstream_connection_info_provider_)); } + void setLocalAddressWithNetworkNamespace(const std::string& network_namespace_path, + uint16_t port = 123) { + address_ = std::make_shared( + "127.0.0.1", port, nullptr, absl::make_optional(std::string(network_namespace_path))); + + stream_info_.downstream_connection_info_provider_->setLocalAddress(address_); + ON_CALL(callbacks_.connection_.stream_info_, downstreamAddressProvider()) + .WillByDefault(ReturnPointee(stream_info_.downstream_connection_info_provider_)); + } + void checkAccessLogMetadata(bool expected) { auto filter_meta = stream_info_.dynamicMetadata().filter_metadata().at( Filters::Common::RBAC::DynamicMetadataKeysSingleton::get().CommonNamespace); @@ -494,6 +504,106 @@ TEST_F(RoleBasedAccessControlNetworkFilterTest, MatcherDenied) { filter_meta.fields().at("shadow_rules_prefix_shadow_engine_result").string_value()); } +TEST_F(RoleBasedAccessControlNetworkFilterTest, MatcherNetworkNamespaceAllowed) { + envoy::extensions::filters::network::rbac::v3::RBAC config; + config.set_stat_prefix("tcp."); + config.set_shadow_rules_stat_prefix("shadow_rules_prefix_"); + + const std::string matcher_yaml = R"EOF( +matcher_list: + matchers: + - predicate: + single_predicate: + input: + name: envoy.matching.inputs.network_namespace + typed_config: + "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.NetworkNamespaceInput + value_match: + exact: "/var/run/netns/ns1" + on_match: + action: + name: action + typed_config: + "@type": type.googleapis.com/envoy.config.rbac.v3.Action + name: allow_ns + action: ALLOW +on_no_match: + action: + name: action + typed_config: + "@type": type.googleapis.com/envoy.config.rbac.v3.Action + name: deny_all + action: DENY +)EOF"; + + xds::type::matcher::v3::Matcher matcher; + TestUtility::loadFromYaml(matcher_yaml, matcher); + *config.mutable_matcher() = matcher; + + config_ = std::make_shared( + config, *store_.rootScope(), context_, ProtobufMessage::getStrictValidationVisitor()); + initFilter(); + + setLocalAddressWithNetworkNamespace("/var/run/netns/ns1", 123); + + EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); + + EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data_, false)); + EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data_, false)); + EXPECT_EQ(1U, config_->stats().allowed_.value()); + EXPECT_EQ(0U, config_->stats().denied_.value()); +} + +TEST_F(RoleBasedAccessControlNetworkFilterTest, MatcherNetworkNamespaceDenied) { + envoy::extensions::filters::network::rbac::v3::RBAC config; + config.set_stat_prefix("tcp."); + config.set_shadow_rules_stat_prefix("shadow_rules_prefix_"); + + const std::string matcher_yaml = R"EOF( +matcher_list: + matchers: + - predicate: + single_predicate: + input: + name: envoy.matching.inputs.network_namespace + typed_config: + "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.NetworkNamespaceInput + value_match: + exact: "/var/run/netns/ns1" + on_match: + action: + name: action + typed_config: + "@type": type.googleapis.com/envoy.config.rbac.v3.Action + name: allow_ns + action: ALLOW +on_no_match: + action: + name: action + typed_config: + "@type": type.googleapis.com/envoy.config.rbac.v3.Action + name: deny_all + action: DENY +)EOF"; + + xds::type::matcher::v3::Matcher matcher; + TestUtility::loadFromYaml(matcher_yaml, matcher); + *config.mutable_matcher() = matcher; + + config_ = std::make_shared( + config, *store_.rootScope(), context_, ProtobufMessage::getStrictValidationVisitor()); + initFilter(); + + setLocalAddressWithNetworkNamespace("/var/run/netns/other", 123); + + EXPECT_CALL(callbacks_.connection_, close(Network::ConnectionCloseType::NoFlush, _)).Times(2); + + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data_, false)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data_, false)); + EXPECT_EQ(0U, config_->stats().allowed_.value()); + EXPECT_EQ(1U, config_->stats().denied_.value()); +} + // Log Tests TEST_F(RoleBasedAccessControlNetworkFilterTest, ShouldLog) { setupPolicy(true, false, envoy::config::rbac::v3::RBAC::LOG); From 059923f1144641973fd6a5808d99d06c713e6e53 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Tue, 23 Sep 2025 20:17:20 -0700 Subject: [PATCH 488/505] filter: added reverse tunnel terminal network filter (#41013) ## Description This PR adds a new terminal network filter which accepts or rejects the incoming reverse connection requests sent from the reverse tunnels downstream connection interface and optionally validating the Node ID and Cluster ID values that come as part of the handshake protocol using the Envoy filter state metadata. Filter state could be populated by other network filters like "Set-Filter State", etc. This new filter could be configured with the type URL `type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel`. --- **Commit Message:** filter: added reverse tunnel terminal network filter **Additional Description:** Adds a new terminal network filter for accepting the incoming reverse tunnel handshake requests from the downstream instances. **Risk Level:** Low **Testing:** Added Unit & Integration Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal Signed-off-by: Basundhara Chakrabarty Co-authored-by: Basundhara Chakrabarty --- CODEOWNERS | 1 + api/BUILD | 1 + .../filters/network/reverse_tunnel/v3/BUILD | 12 + .../reverse_tunnel/v3/reverse_tunnel.proto | 45 + api/versioning/BUILD | 1 + .../network_filters/network_filters.rst | 1 + .../network_filters/reverse_tunnel_filter.rst | 16 + .../downstream_socket_interface/BUILD | 1 + .../rc_connection_wrapper.cc | 23 +- .../rc_connection_wrapper.h | 1 + .../reverse_connection_io_handle.cc | 209 ++- .../reverse_connection_io_handle.h | 6 + source/extensions/extensions_build_config.bzl | 1 + source/extensions/extensions_metadata.yaml | 7 + .../filters/network/reverse_tunnel/BUILD | 57 + .../filters/network/reverse_tunnel/config.cc | 33 + .../filters/network/reverse_tunnel/config.h | 34 + .../reverse_tunnel/reverse_tunnel_filter.cc | 293 +++ .../reverse_tunnel/reverse_tunnel_filter.h | 136 ++ .../filters/network/well_known_names.h | 2 + test/coverage.yaml | 1 + .../rc_connection_wrapper_test.cc | 117 +- .../reverse_connection_io_handle_test.cc | 375 +++- .../filters/network/reverse_tunnel/BUILD | 78 + .../network/reverse_tunnel/config_test.cc | 162 ++ .../reverse_tunnel/filter_unit_test.cc | 1621 +++++++++++++++++ .../reverse_tunnel/integration_test.cc | 487 +++++ 27 files changed, 3627 insertions(+), 94 deletions(-) create mode 100644 api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD create mode 100644 api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto create mode 100644 docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst create mode 100644 source/extensions/filters/network/reverse_tunnel/BUILD create mode 100644 source/extensions/filters/network/reverse_tunnel/config.cc create mode 100644 source/extensions/filters/network/reverse_tunnel/config.h create mode 100644 source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc create mode 100644 source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h create mode 100644 test/extensions/filters/network/reverse_tunnel/BUILD create mode 100644 test/extensions/filters/network/reverse_tunnel/config_test.cc create mode 100644 test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc create mode 100644 test/extensions/filters/network/reverse_tunnel/integration_test.cc diff --git a/CODEOWNERS b/CODEOWNERS index 7e1c2569c2ffc..de76497a237fd 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -169,6 +169,7 @@ extensions/filters/common/original_src @klarose @mattklein123 # support for on-demand VHDS requests /*/extensions/filters/http/on_demand @dmitri-d @yanavlasov @kyessenov /*/extensions/filters/network/connection_limit @mattklein123 @delong-coder +/*/extensions/filters/network/reverse_tunnel @agrawroh @basundhara-c @botengyao @yanavlasov /*/extensions/filters/http/aws_request_signing @mattklein123 @marcomagdy @nbaws @niax /*/extensions/filters/http/aws_lambda @mattklein123 @marcomagdy @nbaws @niax /*/extensions/filters/http/buffer @adisuissa @mattklein123 diff --git a/api/BUILD b/api/BUILD index 326bb462a2ce7..732e13413099a 100644 --- a/api/BUILD +++ b/api/BUILD @@ -249,6 +249,7 @@ proto_library( "//envoy/extensions/filters/network/ratelimit/v3:pkg", "//envoy/extensions/filters/network/rbac/v3:pkg", "//envoy/extensions/filters/network/redis_proxy/v3:pkg", + "//envoy/extensions/filters/network/reverse_tunnel/v3:pkg", "//envoy/extensions/filters/network/set_filter_state/v3:pkg", "//envoy/extensions/filters/network/sni_cluster/v3:pkg", "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg", diff --git a/api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD b/api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD new file mode 100644 index 0000000000000..09a37ad16b837 --- /dev/null +++ b/api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD @@ -0,0 +1,12 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v3:pkg", + "@com_github_cncf_xds//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto b/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto new file mode 100644 index 0000000000000..fbb5bd14e30e1 --- /dev/null +++ b/api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto @@ -0,0 +1,45 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.reverse_tunnel.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3"; +option java_outer_classname = "ReverseTunnelProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/reverse_tunnel/v3;reverse_tunnelv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Reverse Tunnel Network Filter] +// Reverse Tunnel Network Filter :ref:`configuration overview `. +// [#extension: envoy.filters.network.reverse_tunnel] + +// Configuration for the reverse tunnel network filter. +// This filter handles reverse tunnel connection acceptance and rejection by processing +// HTTP requests where required identification values are provided via HTTP headers. +message ReverseTunnel { + // Ping interval for health checks on established reverse tunnel connections. + // If not specified, defaults to 2 seconds. + google.protobuf.Duration ping_interval = 1 [(validate.rules).duration = { + lte {seconds: 300} + gte {nanos: 1000000} + }]; + + // Whether to automatically close connections after processing reverse tunnel requests. + // When set to true, connections are closed after acceptance or rejection. + // When set to false, connections remain open for potential reuse. Defaults to false. + bool auto_close_connections = 2; + + // HTTP path to match for reverse tunnel requests. + // If not specified, defaults to "/reverse_connections/request". + string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255 ignore_empty: true}]; + + // HTTP method to match for reverse tunnel requests. + // If not specified (``METHOD_UNSPECIFIED``), this defaults to ``GET``. + config.core.v3.RequestMethod request_method = 4 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/api/versioning/BUILD b/api/versioning/BUILD index fc2d419f87a65..0bc82ae7282df 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -186,6 +186,7 @@ proto_library( "//envoy/extensions/filters/network/ratelimit/v3:pkg", "//envoy/extensions/filters/network/rbac/v3:pkg", "//envoy/extensions/filters/network/redis_proxy/v3:pkg", + "//envoy/extensions/filters/network/reverse_tunnel/v3:pkg", "//envoy/extensions/filters/network/set_filter_state/v3:pkg", "//envoy/extensions/filters/network/sni_cluster/v3:pkg", "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg", diff --git a/docs/root/configuration/listeners/network_filters/network_filters.rst b/docs/root/configuration/listeners/network_filters/network_filters.rst index f838839fbdbba..1cadbdc33bb6f 100644 --- a/docs/root/configuration/listeners/network_filters/network_filters.rst +++ b/docs/root/configuration/listeners/network_filters/network_filters.rst @@ -23,6 +23,7 @@ filters. kafka_mesh_filter local_rate_limit_filter mongo_proxy_filter + reverse_tunnel_filter mysql_proxy_filter postgres_proxy_filter rate_limit_filter diff --git a/docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst b/docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst new file mode 100644 index 0000000000000..435d6a00e29af --- /dev/null +++ b/docs/root/configuration/listeners/network_filters/reverse_tunnel_filter.rst @@ -0,0 +1,16 @@ +.. _config_network_filters_reverse_tunnel: + +Reverse tunnel +============== + +The reverse tunnel network filter accepts or rejects reverse connection requests by parsing +HTTP/1.1 requests with Node ID, Cluster ID, and Tenant ID headers and optionally validating these +values using the Envoy filter state. + +* This filter should be configured with the type URL ``type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel``. +* :ref:`v3 API reference ` + +Configuration notes: + +- **HTTP method**: ``request_method`` uses :ref:`RequestMethod `. If not specified, it defaults to ``GET``. +- In this version, the filter does not perform additional request validation against filter state or metadata. diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index cef2da998723f..1b452ae99f941 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -75,6 +75,7 @@ envoy_cc_library( "//envoy/upstream:cluster_manager_interface", "//source/common/buffer:buffer_lib", "//source/common/common:logger_lib", + "//source/common/event:real_time_system_lib", "//source/common/grpc:typed_async_client_lib", "//source/common/http:codec_client_lib", "//source/common/http/http1:codec_lib", diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc index 250ff18a14476..293c8780deb07 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.cc @@ -30,7 +30,9 @@ RCConnectionWrapper::RCConnectionWrapper(ReverseConnectionIOHandle& parent, // RCConnectionWrapper destructor implementation. RCConnectionWrapper::~RCConnectionWrapper() { ENVOY_LOG(debug, "RCConnectionWrapper destructor called"); - this->shutdown(); + if (!shutdown_called_) { + this->shutdown(); + } } void RCConnectionWrapper::onEvent(Network::ConnectionEvent event) { @@ -154,7 +156,7 @@ void RCConnectionWrapper::decodeHeaders(Http::ResponseHeaderMapPtr&& headers, bo onHandshakeSuccess(); } else { ENVOY_LOG(error, "Received non-200 HTTP response: {}", status); - onHandshakeFailure("HTTP handshake failed with non-200 response"); + onHandshakeFailure(absl::StrCat("HTTP handshake failed with status ", status)); } } @@ -179,16 +181,24 @@ void RCConnectionWrapper::onHandshakeFailure(const std::string& message) { } void RCConnectionWrapper::shutdown() { + if (shutdown_called_) { + ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown already called, skipping"); + return; + } + shutdown_called_ = true; + if (!connection_) { ENVOY_LOG(error, "RCConnectionWrapper: Connection already null, nothing to shutdown"); return; } - ENVOY_LOG(debug, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", - connection_->id(), static_cast(connection_->state())); + // Get connection info for logging + uint64_t connection_id = connection_->id(); + Network::Connection::State state = connection_->state(); + ENVOY_LOG(debug, "RCConnectionWrapper: Shutting down connection ID: {}, state: {}", connection_id, + static_cast(state)); // Remove connection callbacks first to prevent recursive calls during shutdown. - auto state = connection_->state(); if (state != Network::Connection::State::Closed) { connection_->removeConnectionCallbacks(*this); ENVOY_LOG(debug, "Connection callbacks removed"); @@ -205,8 +215,9 @@ void RCConnectionWrapper::shutdown() { ENVOY_LOG(debug, "Connection already closed"); } - // Clear the connection pointer to prevent further access. + // Clear the connection pointer after shutdown. connection_.reset(); + ENVOY_LOG(debug, "RCConnectionWrapper: Connection cleared after shutdown"); ENVOY_LOG(debug, "RCConnectionWrapper: Shutdown completed"); } diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h index 68828336a43d7..8230a8da470e3 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h @@ -148,6 +148,7 @@ class RCConnectionWrapper : public Network::ConnectionCallbacks, std::string connection_key_; bool http_handshake_sent_{false}; bool handshake_completed_{false}; + bool shutdown_called_{false}; public: // Dispatch incoming bytes to HTTP/1 codec. diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc index 40e5ce9ecdf54..b8b5c5fe69e21 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.cc @@ -5,12 +5,14 @@ #include #include "envoy/event/deferred_deletable.h" +#include "envoy/event/timer.h" #include "envoy/network/address.h" #include "envoy/network/connection.h" #include "envoy/upstream/cluster_manager.h" #include "source/common/buffer/buffer_impl.h" #include "source/common/common/logger.h" +#include "source/common/event/real_time_system.h" #include "source/common/network/address_impl.h" #include "source/common/network/connection_socket_impl.h" #include "source/common/network/socket_interface_impl.h" @@ -62,21 +64,20 @@ void ReverseConnectionIOHandle::cleanup() { } // Cancel the retry timer safely. - if (rev_conn_retry_timer_) { + if (rev_conn_retry_timer_ && rev_conn_retry_timer_->enabled()) { ENVOY_LOG_MISC(trace, "ReverseConnectionIOHandle: cancelling and resetting retry timer."); rev_conn_retry_timer_.reset(); } + // Graceful shutdown of connection wrappers with exception safety. ENVOY_LOG_MISC(debug, "Gracefully shutting down {} connection wrappers.", connection_wrappers_.size()); - // Signal all connections to close gracefully. + // Move wrappers for deferred cleanup. std::vector> wrappers_to_delete; for (auto& wrapper : connection_wrappers_) { if (wrapper) { - ENVOY_LOG(debug, "Initiating graceful shutdown for connection wrapper."); - wrapper->shutdown(); - // Move wrapper for deferred cleanup + ENVOY_LOG(debug, "Moving connection wrapper for deferred cleanup."); wrappers_to_delete.push_back(std::move(wrapper)); } } @@ -278,8 +279,9 @@ Envoy::Network::IoHandlePtr ReverseConnectionIOHandle::accept(struct sockaddr* a // key. auto io_handle = std::make_unique( std::move(duplicated_socket), this, connection_key); - ENVOY_LOG(debug, - "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket."); + + ENVOY_LOG(debug, "ReverseConnectionIOHandle: RAII IoHandle created with duplicated socket " + "and protection enabled."); // Reset file events on the original socket to prevent any pending operations. The socket // fd has been duplicated, so we have an independent fd. Closing the original connection @@ -350,6 +352,10 @@ Api::IoCallUint64Result ReverseConnectionIOHandle::close() { fd_); } + if (rev_conn_retry_timer_) { + rev_conn_retry_timer_.reset(); + } + return IoSocketHandleImpl::close(); } @@ -361,6 +367,26 @@ void ReverseConnectionIOHandle::onEvent(Network::ConnectionEvent event) { int ReverseConnectionIOHandle::getPipeMonitorFd() const { return trigger_pipe_read_fd_; } +// Get time source for consistent time operations. +TimeSource& ReverseConnectionIOHandle::getTimeSource() const { + // Try to get time source from thread-local dispatcher first. + if (extension_) { + auto* local_registry = extension_->getLocalRegistry(); + if (local_registry) { + return local_registry->dispatcher().timeSource(); + } + } + + // Fallback to worker dispatcher if available. + if (worker_dispatcher_) { + return worker_dispatcher_->timeSource(); + } + + // This should not happen in production. Assert to ensure proper initialization. + ENVOY_BUG(false, "No time source available. dispatcher not properly initialized"); + PANIC("ReverseConnectionIOHandle: No valid time source available"); +} + // Use the thread-local registry to get the dispatcher. Event::Dispatcher& ReverseConnectionIOHandle::getThreadLocalDispatcher() const { // Get the thread-local dispatcher from the socket interface's registry. @@ -408,7 +434,21 @@ void ReverseConnectionIOHandle::maybeUpdateHostsMappingsAndConnections( // Update or create host info auto host_it = host_to_conn_info_map_.find(host); if (host_it == host_to_conn_info_map_.end()) { - ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host); + // Create host entry on-demand to avoid race conditions during host registration. + ENVOY_LOG( + debug, + "Creating HostConnectionInfo on-demand during host update for host {} in cluster {}", + host, cluster_id); + host_to_conn_info_map_[host] = HostConnectionInfo{ + host, + cluster_id, + {}, // connection_keys - empty set initially + 1, // default target_connection_count + 0, // failure_count + getTimeSource().monotonicTime(), // last_failure_time + getTimeSource().monotonicTime(), // backoff_until (no backoff initially) + {} // connection_states - empty map initially + }; } else { // Update cluster name if host moved to different cluster. host_it->second.cluster_name = cluster_id; @@ -491,7 +531,8 @@ void ReverseConnectionIOHandle::maintainClusterConnections( // Retrieve the resolved hosts for a cluster and update the corresponding maps. std::vector resolved_hosts; for (const auto& host_itr : *host_map_ptr) { - resolved_hosts.emplace_back(host_itr.first); + const std::string& resolved = host_itr.first; + resolved_hosts.emplace_back(resolved); } maybeUpdateHostsMappingsAndConnections(cluster_name, std::move(resolved_hosts)); // Track successful connections for this cluster. @@ -506,22 +547,22 @@ void ReverseConnectionIOHandle::maintainClusterConnections( "ReverseConnectionIOHandle: Checking reverse connection count for host {} of cluster {}", host_address, cluster_name); - // Ensure HostConnectionInfo exists for this host. - auto host_it = host_to_conn_info_map_.find(host_address); + // Ensure HostConnectionInfo exists for this host, handling internal addresses consistently. + const std::string key = host_address; + auto host_it = host_to_conn_info_map_.find(key); if (host_it == host_to_conn_info_map_.end()) { - ENVOY_LOG(debug, "Creating HostConnectionInfo for host {} in cluster {}", host_address, - cluster_name); - host_to_conn_info_map_[host_address] = HostConnectionInfo{ - host_address, + ENVOY_LOG(debug, "Creating HostConnectionInfo for host {} in cluster {}", key, cluster_name); + host_to_conn_info_map_[key] = HostConnectionInfo{ + key, cluster_name, {}, // connection_keys - empty set initially cluster_config.reverse_connection_count, // target_connection_count from config 0, // failure_count // last_failure_time - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) + worker_dispatcher_->timeSource().monotonicTime(), // backoff_until - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) - {} // connection_states + worker_dispatcher_->timeSource().monotonicTime(), + {} // connection_states }; } @@ -533,7 +574,7 @@ void ReverseConnectionIOHandle::maintainClusterConnections( continue; } // Get current number of successful connections to this host. - uint32_t current_connections = host_to_conn_info_map_[host_address].connection_keys.size(); + uint32_t current_connections = host_to_conn_info_map_[key].connection_keys.size(); ENVOY_LOG(info, "ReverseConnectionIOHandle: Number of reverse connections to host {} of cluster {}: " @@ -560,7 +601,7 @@ void ReverseConnectionIOHandle::maintainClusterConnections( ENVOY_LOG(debug, "Initiating reverse connection number {} to host {} of cluster {}", i + 1, host_address, cluster_name); - bool success = initiateOneReverseConnection(cluster_name, host_address, host); + bool success = initiateOneReverseConnection(cluster_name, key, host); if (success) { total_successful_connections++; @@ -588,18 +629,29 @@ void ReverseConnectionIOHandle::maintainClusterConnections( } bool ReverseConnectionIOHandle::shouldAttemptConnectionToHost(const std::string& host_address, - const std::string&) { + const std::string& cluster_name) { if (!config_.enable_circuit_breaker) { return true; } auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { - // Host entry should be present. - ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host_address); - return true; + // Create host entry on-demand to avoid race conditions during initialization. + ENVOY_LOG(debug, "Creating HostConnectionInfo on-demand for host {} in cluster {}", + host_address, cluster_name); + host_to_conn_info_map_[host_address] = HostConnectionInfo{ + host_address, + cluster_name, + {}, // connection_keys - empty set initially + 1, // default target_connection_count + 0, // failure_count + getTimeSource().monotonicTime(), // last_failure_time + getTimeSource().monotonicTime(), // backoff_until (no backoff initially) + {} // connection_states - empty map initially + }; + host_it = host_to_conn_info_map_.find(host_address); } auto& host_info = host_it->second; - auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto now = getTimeSource().monotonicTime(); ENVOY_LOG(debug, "host: {} now: {} ms backoff_until: {} ms", host_address, std::chrono::duration_cast(now.time_since_epoch()).count(), std::chrono::duration_cast( @@ -621,13 +673,13 @@ void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_a const std::string& cluster_name) { auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { - // If the host has been removed from the cluster, we don't need to track the failure. - ENVOY_LOG(error, "HostConnectionInfo not found for host {}", host_address); + ENVOY_LOG(debug, "Host {} not found in host_to_conn_info_map_, skipping failure tracking", + host_address); return; } auto& host_info = host_it->second; host_info.failure_count++; - host_info.last_failure_time = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + host_info.last_failure_time = getTimeSource().monotonicTime(); // Calculate exponential backoff: base_delay * 2^(failure_count - 1) const uint32_t base_delay_ms = 1000; // 1 second base delay const uint32_t max_delay_ms = 30000; // 30 seconds max delay @@ -657,13 +709,13 @@ void ReverseConnectionIOHandle::trackConnectionFailure(const std::string& host_a void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address) { auto host_it = host_to_conn_info_map_.find(host_address); if (host_it == host_to_conn_info_map_.end()) { - ENVOY_LOG(error, "HostConnectionInfo not found for host {} - this should not happen", + ENVOY_LOG(debug, "Host {} not found in host_to_conn_info_map_, skipping backoff reset", host_address); return; } auto& host_info = host_it->second; - auto now = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + auto now = getTimeSource().monotonicTime(); // Check if the host is actually in backoff before resetting. if (now >= host_info.backoff_until) { @@ -672,7 +724,7 @@ void ReverseConnectionIOHandle::resetHostBackoff(const std::string& host_address } host_info.failure_count = 0; - host_info.backoff_until = std::chrono::steady_clock::now(); // NO_CHECK_FORMAT(real_time) + host_info.backoff_until = getTimeSource().monotonicTime(); ENVOY_LOG(debug, "ReverseConnectionIOHandle: Reset backoff for host {}", host_address); // Mark host as recovered using the same key used by backoff to change the state from backoff to @@ -867,24 +919,68 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& "ReverseConnectionIOHandle: Initiating one reverse connection to host {} of cluster " "'{}', source node '{}'", host_address, cluster_name, config_.src_node_id); - // Get the thread local cluster + // Get the thread local cluster with additional validation auto thread_local_cluster = cluster_manager_.getThreadLocalCluster(cluster_name); if (thread_local_cluster == nullptr) { - ENVOY_LOG(error, "Cluster '{}' not found", cluster_name); + ENVOY_LOG(error, "Cluster '{}' not found in cluster manager", cluster_name); updateConnectionState(host_address, cluster_name, temp_connection_key, ReverseConnectionState::CannotConnect); return false; } - ReverseConnectionLoadBalancerContext lb_context(host_address); + // Validate cluster info before attempting connection + auto cluster_info = thread_local_cluster->info(); + if (!cluster_info) { + ENVOY_LOG(error, "Cluster '{}' has null cluster info", cluster_name); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } - // Get connection from cluster manager - Upstream::Host::CreateConnectionData conn_data = thread_local_cluster->tcpConn(&lb_context); + // Validate priority set to prevent null pointer access + const auto& priority_set = thread_local_cluster->prioritySet(); + const auto& host_sets = priority_set.hostSetsPerPriority(); + size_t host_count = host_sets.empty() ? 0 : host_sets[0]->hosts().size(); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Cluster '{}' found with type {} and {} hosts", + cluster_name, static_cast(cluster_info->type()), host_count); + + // Normalize host key for internal addresses to ensure consistent map lookups. + std::string normalized_host_key = host_address; + if (absl::StartsWith(host_address, "envoy://")) { + normalized_host_key = host_address; // already canonical for internal addresses + } + + // Validate that we have hosts available for internal addresses + if (absl::StartsWith(host_address, "envoy://") && host_count == 0) { + ENVOY_LOG( + error, + "ReverseConnectionIOHandle: No hosts available in cluster '{}' for internal address '{}'", + cluster_name, host_address); + updateConnectionState(host_address, cluster_name, temp_connection_key, + ReverseConnectionState::CannotConnect); + return false; + } + + // Create load balancer context and validate it + ReverseConnectionLoadBalancerContext lb_context(normalized_host_key); + ENVOY_LOG(debug, "ReverseConnectionIOHandle: Created load balancer context for host key: {}", + normalized_host_key); + + // Get connection from cluster manager with defensive error handling + Upstream::Host::CreateConnectionData conn_data; + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Creating TCP connection to {} in cluster {} using load " + "balancer context", + host_address, cluster_name); + + // Use tcpConn which should not throw exceptions in normal operation + conn_data = thread_local_cluster->tcpConn(&lb_context); if (!conn_data.connection_) { - ENVOY_LOG(error, - "ReverseConnectionIOHandle: Failed to create connection to host {} in cluster {}", - host_address, cluster_name); + ENVOY_LOG( + error, + "ReverseConnectionIOHandle: tcpConn() returned null connection for host {} in cluster {}", + host_address, cluster_name); updateConnectionState(host_address, cluster_name, temp_connection_key, ReverseConnectionState::CannotConnect); return false; @@ -905,17 +1001,32 @@ bool ReverseConnectionIOHandle::initiateOneReverseConnection(const std::string& // Mark as Connecting after handshake is initiated. Use the actual connection key so that it can // be marked as failed in onConnectionDone(). - conn_wrapper_to_host_map_[wrapper.get()] = host_address; + conn_wrapper_to_host_map_[wrapper.get()] = normalized_host_key; connection_wrappers_.push_back(std::move(wrapper)); - ENVOY_LOG(debug, - "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " - "({}:{}) in cluster {}", - host_address, host->address()->ip()->addressAsString(), host->address()->ip()->port(), - cluster_name); + { + // Safely log address information without assuming IP is present (internal addresses possible). + const auto& addr = host->address(); + std::string addr_str = addr ? addr->asString() : std::string(""); + absl::optional port_opt; + if (addr && addr->ip() != nullptr) { + port_opt = addr->ip()->port(); + } + if (port_opt.has_value()) { + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " + "({}:{}) in cluster {}", + host_address, addr_str, *port_opt, cluster_name); + } else { + ENVOY_LOG(debug, + "ReverseConnectionIOHandle: Successfully initiated reverse connection to host {} " + "({}) in cluster {}", + host_address, addr_str, cluster_name); + } + } // Reset backoff for successful connection. - resetHostBackoff(host_address); - updateConnectionState(host_address, cluster_name, connection_key, + resetHostBackoff(normalized_host_key); + updateConnectionState(normalized_host_key, cluster_name, connection_key, ReverseConnectionState::Connecting); return true; } @@ -1053,6 +1164,10 @@ void ReverseConnectionIOHandle::onConnectionDone(const std::string& error, // Reset file events safely. if (connection->getSocket()) { + ENVOY_LOG( + debug, + "ReverseConnectionIOHandle: Removing connection callbacks and resetting file events"); + connection->removeConnectionCallbacks(*wrapper); connection->getSocket()->ioHandle().resetFileEvents(); } diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h index aea8d3cb70108..48adcd3de5171 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h @@ -290,6 +290,12 @@ class ReverseConnectionIOHandle : public Network::IoSocketHandleImpl, ReverseTunnelInitiatorExtension* getDownstreamExtension() const; private: + /** + * Get time source for consistent time operations. + * @return reference to the time source + */ + TimeSource& getTimeSource() const; + /** * @return reference to the thread-local dispatcher */ diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index dd3dfd86f6c62..803068ea81c65 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -223,6 +223,7 @@ EXTENSIONS = { "envoy.filters.network.echo": "//source/extensions/filters/network/echo:config", "envoy.filters.network.ext_authz": "//source/extensions/filters/network/ext_authz:config", "envoy.filters.network.ext_proc": "//source/extensions/filters/network/ext_proc:config", + "envoy.filters.network.reverse_tunnel": "//source/extensions/filters/network/reverse_tunnel:config", "envoy.filters.network.http_connection_manager": "//source/extensions/filters/network/http_connection_manager:config", "envoy.filters.network.local_ratelimit": "//source/extensions/filters/network/local_ratelimit:config", "envoy.filters.network.mongo_proxy": "//source/extensions/filters/network/mongo_proxy:config", diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 590f6d0c94a36..32fa96c56ee85 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -715,6 +715,13 @@ envoy.filters.network.ext_proc: status: wip type_urls: - envoy.extensions.filters.network.ext_proc.v3.NetworkExternalProcessor +envoy.filters.network.reverse_tunnel: + categories: + - envoy.filters.network + security_posture: unknown + status: alpha + type_urls: + - envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel envoy.filters.network.http_connection_manager: categories: - envoy.filters.network diff --git a/source/extensions/filters/network/reverse_tunnel/BUILD b/source/extensions/filters/network/reverse_tunnel/BUILD new file mode 100644 index 0000000000000..56466ccedf0df --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/BUILD @@ -0,0 +1,57 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_cc_library", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "config", + srcs = ["config.cc"], + hdrs = ["config.h"], + deps = [ + ":reverse_tunnel_filter_lib", + "//source/extensions/filters/network:well_known_names", + "//source/extensions/filters/network/common:factory_base_lib", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "reverse_tunnel_filter_lib", + srcs = ["reverse_tunnel_filter.cc"], + hdrs = ["reverse_tunnel_filter.h"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/http:codec_interface", + "//envoy/network:connection_interface", + "//envoy/network:filter_interface", + "//envoy/ssl:connection_interface", + "//envoy/thread_local:thread_local_interface", + "//source/common/buffer:buffer_lib", + "//source/common/common:logger_lib", + "//source/common/http:codes_lib", + "//source/common/http:header_map_lib", + "//source/common/http:headers_lib", + "//source/common/http:utility_lib", + "//source/common/http/http1:codec_lib", + "//source/common/http/http1:codec_stats_lib", + "//source/common/http/http1:settings_lib", + "//source/common/network:connection_socket_lib", + "//source/common/protobuf", + "//source/common/protobuf:message_validator_lib", + "//source/common/protobuf:utility_lib", + "//source/common/router:string_accessor_lib", + "//source/common/stream_info:stream_info_lib", + "//source/extensions/bootstrap/reverse_tunnel/common:reverse_connection_utility_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_includes", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:upstream_socket_manager_lib", + "//source/server:null_overload_manager_lib", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + ], +) diff --git a/source/extensions/filters/network/reverse_tunnel/config.cc b/source/extensions/filters/network/reverse_tunnel/config.cc new file mode 100644 index 0000000000000..31aca98c60520 --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/config.cc @@ -0,0 +1,33 @@ +#include "source/extensions/filters/network/reverse_tunnel/config.h" + +#include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +Network::FilterFactoryCb ReverseTunnelFilterConfigFactory::createFilterFactoryFromProtoTyped( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config, + Server::Configuration::FactoryContext& context) { + auto config = std::make_shared(proto_config, context); + // Capture scope and overload manager pointers to avoid dangling references. + Stats::Scope* scope = &context.scope(); + Server::OverloadManager* overload_manager = &context.serverFactoryContext().overloadManager(); + + return [config, scope, overload_manager](Network::FilterManager& filter_manager) -> void { + filter_manager.addReadFilter( + std::make_shared(config, *scope, *overload_manager)); + }; +} + +/** + * Static registration for the reverse tunnel filter. + */ +REGISTER_FACTORY(ReverseTunnelFilterConfigFactory, + Server::Configuration::NamedNetworkFilterConfigFactory); + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_tunnel/config.h b/source/extensions/filters/network/reverse_tunnel/config.h new file mode 100644 index 0000000000000..fd1e24ccf77ef --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/config.h @@ -0,0 +1,34 @@ +#pragma once + +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.validate.h" + +#include "source/extensions/filters/network/common/factory_base.h" +#include "source/extensions/filters/network/well_known_names.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +/** + * Config registration for the reverse tunnel network filter. + */ +class ReverseTunnelFilterConfigFactory + : public Common::FactoryBase< + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel> { +public: + // Always mark the reverse tunnel filter as terminal filter. + ReverseTunnelFilterConfigFactory() + : FactoryBase(NetworkFilterNames::get().ReverseTunnel, true /* isTerminalFilter */) {} + +private: + Network::FilterFactoryCb createFilterFactoryFromProtoTyped( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config, + Server::Configuration::FactoryContext& context) override; +}; + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc new file mode 100644 index 0000000000000..92fa88664a386 --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.cc @@ -0,0 +1,293 @@ +#include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" + +#include "envoy/buffer/buffer.h" +#include "envoy/network/connection.h" +#include "envoy/server/overload/overload_manager.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/http/codes.h" +#include "source/common/http/header_map_impl.h" +#include "source/common/http/headers.h" +#include "source/common/http/http1/codec_impl.h" +#include "source/common/network/connection_socket_impl.h" +#include "source/common/router/string_accessor_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +// Stats helper implementation. +ReverseTunnelFilter::ReverseTunnelStats +ReverseTunnelFilter::ReverseTunnelStats::generateStats(const std::string& prefix, + Stats::Scope& scope) { + return {ALL_REVERSE_TUNNEL_HANDSHAKE_STATS(POOL_COUNTER_PREFIX(scope, prefix))}; +} + +// ReverseTunnelFilterConfig implementation. +ReverseTunnelFilterConfig::ReverseTunnelFilterConfig( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config, + Server::Configuration::FactoryContext&) + : ping_interval_(proto_config.has_ping_interval() + ? std::chrono::milliseconds( + DurationUtil::durationToMilliseconds(proto_config.ping_interval())) + : std::chrono::milliseconds(2000)), + auto_close_connections_( + proto_config.auto_close_connections() ? proto_config.auto_close_connections() : false), + request_path_(proto_config.request_path().empty() ? "/reverse_connections/request" + : proto_config.request_path()), + request_method_string_([&proto_config]() -> std::string { + envoy::config::core::v3::RequestMethod method = proto_config.request_method(); + if (method == envoy::config::core::v3::METHOD_UNSPECIFIED) { + method = envoy::config::core::v3::GET; + } + return envoy::config::core::v3::RequestMethod_Name(method); + }()) {} + +// ReverseTunnelFilter implementation. +ReverseTunnelFilter::ReverseTunnelFilter(ReverseTunnelFilterConfigSharedPtr config, + Stats::Scope& stats_scope, + Server::OverloadManager& overload_manager) + : config_(std::move(config)), stats_scope_(stats_scope), overload_manager_(overload_manager), + stats_(ReverseTunnelStats::generateStats("reverse_tunnel.handshake.", stats_scope_)) {} + +Network::FilterStatus ReverseTunnelFilter::onNewConnection() { + ENVOY_CONN_LOG(debug, "reverse_tunnel: new connection established", + read_callbacks_->connection()); + return Network::FilterStatus::Continue; +} + +Network::FilterStatus ReverseTunnelFilter::onData(Buffer::Instance& data, bool) { + if (!codec_) { + Http::Http1Settings http1_settings; + Http::Http1::CodecStats::AtomicPtr http1_stats_ptr; + auto& http1_stats = Http::Http1::CodecStats::atomicGet(http1_stats_ptr, stats_scope_); + codec_ = std::make_unique( + read_callbacks_->connection(), http1_stats, *this, http1_settings, + Http::DEFAULT_MAX_REQUEST_HEADERS_KB, Http::DEFAULT_MAX_HEADERS_COUNT, + envoy::config::core::v3::HttpProtocolOptions::ALLOW, overload_manager_); + } + + const Http::Status status = codec_->dispatch(data); + if (!status.ok()) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: codec dispatch error: {}", read_callbacks_->connection(), + status.message()); + // Close connection on codec error. + read_callbacks_->connection().close(Network::ConnectionCloseType::FlushWrite); + return Network::FilterStatus::StopIteration; + } + return Network::FilterStatus::StopIteration; +} + +void ReverseTunnelFilter::initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) { + read_callbacks_ = &callbacks; +} + +Http::RequestDecoder& ReverseTunnelFilter::newStream(Http::ResponseEncoder& response_encoder, + bool) { + active_decoder_ = std::make_unique(*this, response_encoder); + return *active_decoder_; +} + +// Private methods. + +// RequestDecoderImpl +void ReverseTunnelFilter::RequestDecoderImpl::decodeHeaders( + Http::RequestHeaderMapSharedPtr&& headers, bool end_stream) { + headers_ = std::move(headers); + if (end_stream) { + processIfComplete(true); + } +} + +void ReverseTunnelFilter::RequestDecoderImpl::decodeData(Buffer::Instance& data, bool end_stream) { + body_.add(data); + if (end_stream) { + processIfComplete(true); + } +} + +void ReverseTunnelFilter::RequestDecoderImpl::decodeTrailers(Http::RequestTrailerMapPtr&&) { + processIfComplete(true); +} + +void ReverseTunnelFilter::RequestDecoderImpl::decodeMetadata(Http::MetadataMapPtr&&) {} + +void ReverseTunnelFilter::RequestDecoderImpl::sendLocalReply( + Http::Code code, absl::string_view body, + const std::function& modify_headers, + const absl::optional, absl::string_view) { + auto headers = Http::ResponseHeaderMapImpl::create(); + headers->setStatus(static_cast(code)); + headers->setReferenceContentType(Http::Headers::get().ContentTypeValues.Text); + if (modify_headers) { + modify_headers(*headers); + } + const bool end_stream = body.empty(); + encoder_.encodeHeaders(*headers, end_stream); + if (!end_stream) { + Buffer::OwnedImpl buf(body); + encoder_.encodeData(buf, true); + } +} + +StreamInfo::StreamInfo& ReverseTunnelFilter::RequestDecoderImpl::streamInfo() { + return stream_info_; +} + +AccessLog::InstanceSharedPtrVector ReverseTunnelFilter::RequestDecoderImpl::accessLogHandlers() { + return {}; +} + +Http::RequestDecoderHandlePtr ReverseTunnelFilter::RequestDecoderImpl::getRequestDecoderHandle() { + return nullptr; +} + +void ReverseTunnelFilter::RequestDecoderImpl::processIfComplete(bool end_stream) { + if (!end_stream || complete_) { + return; + } + complete_ = true; + + // Validate method/path. + const absl::string_view method = headers_->getMethodValue(); + const absl::string_view path = headers_->getPathValue(); + ENVOY_LOG(trace, + "ReverseTunnelFilter::RequestDecoderImpl::processIfComplete: method: {}, path: {}", + method, path); + if (!absl::EqualsIgnoreCase(method, parent_.config_->requestMethod()) || + path != parent_.config_->requestPath()) { + sendLocalReply(Http::Code::NotFound, "Not a reverse tunnel request", nullptr, absl::nullopt, + "reverse_tunnel_not_found"); + // Close the connection after sending the response. + parent_.read_callbacks_->connection().close(Network::ConnectionCloseType::FlushWrite); + return; + } + + // Extract node/cluster/tenant identifiers from HTTP headers. + const auto node_vals = + headers_->get(Extensions::Bootstrap::ReverseConnection::reverseTunnelNodeIdHeader()); + const auto cluster_vals = + headers_->get(Extensions::Bootstrap::ReverseConnection::reverseTunnelClusterIdHeader()); + const auto tenant_vals = + headers_->get(Extensions::Bootstrap::ReverseConnection::reverseTunnelTenantIdHeader()); + + if (node_vals.empty() || cluster_vals.empty() || tenant_vals.empty()) { + parent_.stats_.parse_error_.inc(); + ENVOY_CONN_LOG(debug, "reverse_tunnel: missing required headers (node/cluster/tenant)", + parent_.read_callbacks_->connection()); + sendLocalReply(Http::Code::BadRequest, "Missing required reverse tunnel headers", nullptr, + absl::nullopt, "reverse_tunnel_missing_headers"); + // Close the connection after sending the response. + parent_.read_callbacks_->connection().close(Network::ConnectionCloseType::FlushWrite); + return; + } + + const absl::string_view node_id = node_vals[0]->value().getStringView(); + const absl::string_view cluster_id = cluster_vals[0]->value().getStringView(); + const absl::string_view tenant_id = tenant_vals[0]->value().getStringView(); + + // Respond with 200 OK. + auto resp_headers = Http::ResponseHeaderMapImpl::create(); + resp_headers->setStatus(200); + encoder_.encodeHeaders(*resp_headers, true); + + parent_.processAcceptedConnection(node_id, cluster_id, tenant_id); + parent_.stats_.accepted_.inc(); + + // Close the connection if configured to do so after handling the request. + if (parent_.config_->autoCloseConnections()) { + parent_.read_callbacks_->connection().close(Network::ConnectionCloseType::FlushWrite); + } +} + +void ReverseTunnelFilter::processAcceptedConnection(absl::string_view node_id, + absl::string_view cluster_id, + absl::string_view tenant_id) { + ENVOY_CONN_LOG(debug, + "reverse_tunnel: connection accepted for node '{}' in cluster '{}' (tenant: '{}')", + read_callbacks_->connection(), node_id, cluster_id, tenant_id); + + Network::Connection& connection = read_callbacks_->connection(); + + // Lookup the reverse tunnel acceptor socket interface to retrieve the TLS registry. + // Note: This is a global lookup that should be thread-safe but may return nullptr + // if the socket interface isn't registered or we're in a test environment. + auto* base_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + if (base_interface == nullptr) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: socket interface not registered, skipping socket reuse", + connection); + return; + } + + const auto* acceptor = + dynamic_cast( + base_interface); + if (acceptor == nullptr) { + ENVOY_CONN_LOG(error, "reverse_tunnel: reverse tunnel socket interface not found", connection); + return; + } + + // The TLS registry access must be done on the same thread where it was created. + // In integration tests, this might not always be the case. + auto* tls_registry = acceptor->getLocalRegistry(); + if (tls_registry == nullptr) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: thread local registry not available on this thread", + connection); + return; + } + + auto* socket_manager = tls_registry->socketManager(); + if (socket_manager == nullptr) { + ENVOY_CONN_LOG(error, "reverse_tunnel: socket manager not available", connection); + return; + } + + // Wrap the downstream socket with our custom IO handle to manage its lifecycle. + const Network::ConnectionSocketPtr& socket = connection.getSocket(); + if (!socket || !socket->isOpen()) { + ENVOY_CONN_LOG(debug, "reverse_tunnel: original socket not available or not open", + read_callbacks_->connection()); + return; + } + + // Duplicate the original socket's IO handle for reuse. + Network::IoHandlePtr wrapped_handle = socket->ioHandle().duplicate(); + if (!wrapped_handle || !wrapped_handle->isOpen()) { + ENVOY_CONN_LOG(error, "reverse_tunnel: failed to duplicate socket handle", connection); + return; + } + + // Build a new ConnectionSocket from the duplicated handle, preserving addressing info. + auto wrapped_socket = std::make_unique( + std::move(wrapped_handle), socket->connectionInfoProvider().localAddress(), + socket->connectionInfoProvider().remoteAddress()); + + // Reset file events on the new socket. + wrapped_socket->ioHandle().resetFileEvents(); + + // Convert ping interval to seconds as required by the manager API. + const std::chrono::seconds ping_seconds = + std::chrono::duration_cast(config_->pingInterval()); + + // Register the wrapped socket for reuse under the provided identifiers. + // Note: The socket manager is expected to be thread-safe. + if (socket_manager != nullptr) { + ENVOY_CONN_LOG(trace, "reverse_tunnel: registering wrapped socket for reuse", connection); + socket_manager->addConnectionSocket(std::string(node_id), std::string(cluster_id), + std::move(wrapped_socket), ping_seconds, + /*rebalanced=*/false); + ENVOY_CONN_LOG(debug, "reverse_tunnel: successfully registered wrapped socket for reuse", + connection); + } +} + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h new file mode 100644 index 0000000000000..15558283b399f --- /dev/null +++ b/source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h @@ -0,0 +1,136 @@ +#pragma once + +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/http/codec.h" +#include "envoy/network/filter.h" +#include "envoy/server/factory_context.h" +#include "envoy/server/overload/overload_manager.h" +#include "envoy/stats/stats_macros.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/common/logger.h" +#include "source/common/http/header_map_impl.h" +#include "source/common/protobuf/protobuf.h" +#include "source/common/stream_info/stream_info_impl.h" + +#include "absl/status/statusor.h" +#include "absl/strings/string_view.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { + +/** + * Configuration for the reverse tunnel network filter. + */ +class ReverseTunnelFilterConfig { +public: + ReverseTunnelFilterConfig( + const envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel& proto_config, + Server::Configuration::FactoryContext& context); + + std::chrono::milliseconds pingInterval() const { return ping_interval_; } + bool autoCloseConnections() const { return auto_close_connections_; } + const std::string& requestPath() const { return request_path_; } + const std::string& requestMethod() const { return request_method_string_; } + +private: + const std::chrono::milliseconds ping_interval_; + const bool auto_close_connections_; + const std::string request_path_; + const std::string request_method_string_; +}; + +using ReverseTunnelFilterConfigSharedPtr = std::shared_ptr; + +/** + * Network filter that handles reverse tunnel connection acceptance/rejection. + * This filter processes HTTP requests to a specific endpoint and uses + * HTTP headers to receive required identifiers. + * + * The filter operates as a terminal filter when processing reverse tunnel requests, + * meaning it stops the filter chain after processing and manages connection lifecycle. + */ +class ReverseTunnelFilter : public Network::ReadFilter, + public Http::ServerConnectionCallbacks, + public Logger::Loggable { +public: + ReverseTunnelFilter(ReverseTunnelFilterConfigSharedPtr config, Stats::Scope& stats_scope, + Server::OverloadManager& overload_manager); + + // Network::ReadFilter + Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override; + Network::FilterStatus onNewConnection() override; + void initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) override; + + // Http::ServerConnectionCallbacks + Http::RequestDecoder& newStream(Http::ResponseEncoder& response_encoder, + bool is_internally_created) override; + void onGoAway(Http::GoAwayErrorCode) override {} + +private: +// Stats definition. +#define ALL_REVERSE_TUNNEL_HANDSHAKE_STATS(COUNTER) \ + COUNTER(parse_error) \ + COUNTER(accepted) \ + COUNTER(rejected) + + struct ReverseTunnelStats { + ALL_REVERSE_TUNNEL_HANDSHAKE_STATS(GENERATE_COUNTER_STRUCT) + static ReverseTunnelStats generateStats(const std::string& prefix, Stats::Scope& scope); + }; + + // Process reverse tunnel connection. + void processAcceptedConnection(absl::string_view node_id, absl::string_view cluster_id, + absl::string_view tenant_id); + + ReverseTunnelFilterConfigSharedPtr config_; + Network::ReadFilterCallbacks* read_callbacks_{nullptr}; + + // HTTP/1 codec and wiring. + Http::ServerConnectionPtr codec_; + Stats::Scope& stats_scope_; + Server::OverloadManager& overload_manager_; + + // Stats counters. + ReverseTunnelStats stats_; + + // Per-request decoder to buffer body and respond via encoder. + class RequestDecoderImpl : public Http::RequestDecoder { + public: + RequestDecoderImpl(ReverseTunnelFilter& parent, Http::ResponseEncoder& encoder) + : parent_(parent), encoder_(encoder), + stream_info_(parent_.read_callbacks_->connection().streamInfo().timeSource(), nullptr, + StreamInfo::FilterState::LifeSpan::Connection) {} + + void decodeHeaders(Http::RequestHeaderMapSharedPtr&& headers, bool end_stream) override; + void decodeData(Buffer::Instance& data, bool end_stream) override; + void decodeTrailers(Http::RequestTrailerMapPtr&&) override; + void decodeMetadata(Http::MetadataMapPtr&&) override; + void sendLocalReply(Http::Code code, absl::string_view body, + const std::function&, + const absl::optional, absl::string_view) override; + StreamInfo::StreamInfo& streamInfo() override; + AccessLog::InstanceSharedPtrVector accessLogHandlers() override; + Http::RequestDecoderHandlePtr getRequestDecoderHandle() override; + + private: + void processIfComplete(bool end_stream); + + ReverseTunnelFilter& parent_; + Http::ResponseEncoder& encoder_; + Http::RequestHeaderMapSharedPtr headers_; + Buffer::OwnedImpl body_; + bool complete_{false}; + StreamInfo::StreamInfoImpl stream_info_; + }; + + std::unique_ptr active_decoder_; +}; + +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/filters/network/well_known_names.h b/source/extensions/filters/network/well_known_names.h index 8eaa39bd402ac..45483e7a66d80 100644 --- a/source/extensions/filters/network/well_known_names.h +++ b/source/extensions/filters/network/well_known_names.h @@ -63,6 +63,8 @@ class NetworkFilterNameValues { const std::string NetworkExternalProcessor = "envoy.filters.network.ext_proc"; // Network match delegate filter const std::string NetworkMatchDelegate = "envoy.filters.network.match_delegate"; + // Reverse tunnel filter + const std::string ReverseTunnel = "envoy.filters.network.reverse_tunnel"; }; using NetworkFilterNames = ConstSingleton; diff --git a/test/coverage.yaml b/test/coverage.yaml index 27f62d7886598..cf88685697bcd 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -53,6 +53,7 @@ directories: source/extensions/filters/listener/tls_inspector: 94.1 source/extensions/filters/network/dubbo_proxy: 96.2 source/extensions/filters/network/mongo_proxy: 96.1 + source/extensions/filters/network/reverse_tunnel: 91.0 source/extensions/filters/network/sni_cluster: 88.9 source/extensions/formatter/cel: 100.0 source/extensions/internal_redirect: 86.2 diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc index 3a6965b4412e6..a5857252077c1 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper_test.cc @@ -5,6 +5,7 @@ #include "envoy/thread_local/thread_local.h" #include "source/common/buffer/buffer_impl.h" +#include "source/common/http/header_map_impl.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/rc_connection_wrapper.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" @@ -627,6 +628,84 @@ TEST_F(RCConnectionWrapperTest, OnEventWithNullConnection) { // The exact behavior depends on the implementation, but it should not crash. } +// Test decodeHeaders handles HTTP 200 status by calling success path. +TEST_F(RCConnectionWrapperTest, DecodeHeadersOk) { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + Http::ResponseHeaderMapPtr headers = Http::ResponseHeaderMapImpl::create(); + headers->setStatus(200); + + wrapper.decodeHeaders(std::move(headers), true); +} + +// Test decodeHeaders handles non-200 status by calling failure path. +TEST_F(RCConnectionWrapperTest, DecodeHeadersNonOk) { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + Http::ResponseHeaderMapPtr headers = Http::ResponseHeaderMapImpl::create(); + headers->setStatus(404); + + wrapper.decodeHeaders(std::move(headers), true); +} + +// Test dispatchHttp1 error path by initializing codec via connect() and +// then feeding invalid bytes to the parser. +TEST_F(RCConnectionWrapperTest, DispatchHttp1ErrorPath) { + auto mock_connection = std::make_unique>(); + + EXPECT_CALL(*mock_connection, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, addReadFilter(_)); + EXPECT_CALL(*mock_connection, connect()); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(42)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + // Allow writes made by the HTTP/1 encoder and drain them to simulate kernel behavior. + EXPECT_CALL(*mock_connection, write(_, _)) + .WillRepeatedly( + Invoke([](Buffer::Instance& buffer, bool) { buffer.drain(buffer.length()); })); + + // Provide connection info provider. + auto mock_remote = std::make_shared("10.0.0.1", 80); + auto mock_local = std::make_shared("127.0.0.1", 10001); + EXPECT_CALL(*mock_connection, connectionInfoProvider()) + .WillRepeatedly(Invoke([mock_remote, mock_local]() -> const Network::ConnectionInfoProvider& { + static auto provider = + std::make_unique(mock_local, mock_remote); + return *provider; + })); + + auto mock_host = std::make_shared>(); + + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + // Initialize codec inside the wrapper. + (void)wrapper.connect("tenant", "cluster", "node"); + + // Feed clearly invalid/non-HTTP bytes to exercise error log path. + Buffer::OwnedImpl invalid_bytes("\x00\x01garbage"); + wrapper.dispatchHttp1(invalid_bytes); +} + +// Test that destructor invokes shutdown when not already called. +TEST_F(RCConnectionWrapperTest, DestructorInvokesShutdown) { + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + EXPECT_CALL(*mock_connection, removeConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection, close(Network::ConnectionCloseType::FlushWrite)); + EXPECT_CALL(*mock_connection, id()).WillRepeatedly(Return(777)); + + { + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + // No explicit shutdown; leaving scope should run destructor which calls shutdown. + } +} + // Test RCConnectionWrapper::releaseConnection method. TEST_F(RCConnectionWrapperTest, ReleaseConnection) { // Create a mock connection with proper socket setup. @@ -941,7 +1020,43 @@ TEST_F(SimpleConnReadFilterTest, OnDataWithPartialData) { EXPECT_EQ(result, Network::FilterStatus::StopIteration); } -// Removed protobuf-based response tests as the handshake now uses HTTP headers only. +// Test all no-op methods in RCConnectionWrapper. +TEST_F(RCConnectionWrapperTest, NoOpMethods) { + // Create a mock connection with proper socket setup. + auto mock_connection = setupMockConnection(); + auto mock_host = std::make_shared>(); + + // Create RCConnectionWrapper with the mock connection. + RCConnectionWrapper wrapper(*io_handle_, std::move(mock_connection), mock_host, "test-cluster"); + + // Test Network::ConnectionCallbacks no-op methods + wrapper.onAboveWriteBufferHighWatermark(); + wrapper.onBelowWriteBufferLowWatermark(); + + // Test Http::ResponseDecoder no-op methods + wrapper.decode1xxHeaders(nullptr); + + Buffer::OwnedImpl data("test data"); + wrapper.decodeData(data, false); + wrapper.decodeData(data, true); + + wrapper.decodeTrailers(nullptr); + wrapper.decodeMetadata(nullptr); + + std::ostringstream output; + wrapper.dumpState(output, 0); + wrapper.dumpState(output, 2); + + // Test Http::ConnectionCallbacks no-op methods + wrapper.onGoAway(Http::GoAwayErrorCode::NoError); + wrapper.onGoAway(Http::GoAwayErrorCode::Other); + + NiceMock settings; + wrapper.onSettings(settings); + + wrapper.onMaxStreamsChanged(0); + wrapper.onMaxStreamsChanged(100); +} } // namespace ReverseConnection } // namespace Bootstrap diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc index 4da1decee14df..ac9dc2aacd62a 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -1,10 +1,14 @@ #include +#include + +#include #include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" #include "envoy/server/factory_context.h" #include "envoy/thread_local/thread_local.h" #include "source/common/buffer/buffer_impl.h" +#include "source/common/network/address_impl.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" @@ -243,9 +247,9 @@ class ReverseConnectionIOHandleTest : public testing::Test { 0, // failure_count // last_failure_time std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) - // backoff_until - std::chrono::steady_clock::now(), // NO_CHECK_FORMAT(real_time) - {} // connection_states + // backoff_until - set to epoch start so host is not in backoff initially + std::chrono::steady_clock::time_point{}, // NO_CHECK_FORMAT(real_time) + {} // connection_states }; } @@ -257,6 +261,17 @@ class ReverseConnectionIOHandleTest : public testing::Test { return mock_host; } + // Helper to create a mock host with a pipe address (no IP/port). + Upstream::HostConstSharedPtr createMockPipeHost(const std::string& path) { + auto mock_host = std::make_shared>(); + auto status_or_pipe = Network::Address::PipeInstance::create(path); + auto owned = std::move(status_or_pipe.value()); + std::shared_ptr shared_pipe(std::move(owned)); + Network::Address::InstanceConstSharedPtr mock_address = shared_pipe; + EXPECT_CALL(*mock_host, address()).WillRepeatedly(Return(mock_address)); + return mock_host; + } + // Helper method to set up mock connection with proper socket expectations. std::unique_ptr> setupMockConnection() { auto mock_connection = std::make_unique>(); @@ -1183,6 +1198,11 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateReverseConnectionWithCustomScope) custom_prefix_config, cluster_manager_, custom_extension.get(), *stats_scope_); + // Initialize the file event to set up worker_dispatcher_ properly. + Event::FileReadyCb mock_callback = [](uint32_t) { return absl::OkStatus(); }; + io_handle_->initializeFileEvent(dispatcher_, mock_callback, Event::FileTriggerType::Level, + Event::FileReadyType::Read); + // Set up mock thread local cluster. auto mock_thread_local_cluster = std::make_shared>(); EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) @@ -1344,6 +1364,9 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { auto mock_host1 = createMockHost("192.168.1.1"); auto mock_host2 = createMockHost("192.168.1.2"); auto mock_host3 = createMockHost("192.168.1.3"); + + // MockHostDescription already has a cluster_ member that's returned by cluster(). + // We don't need to set up expectations for it. (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host1); (*host_map)["192.168.1.2"] = std::const_pointer_cast(mock_host2); (*host_map)["192.168.1.3"] = std::const_pointer_cast(mock_host3); @@ -1360,48 +1383,109 @@ TEST_F(ReverseConnectionIOHandleTest, InitiateMultipleConnectionsMixedResults) { // 2. Second host: null connection (failure) // 3. Third host: successful connection + // Prepare mock connections that will be transferred to the wrappers. auto mock_connection1 = std::make_unique>(); - Upstream::MockHost::MockCreateConnectionData success_conn_data1; - success_conn_data1.connection_ = mock_connection1.get(); - success_conn_data1.host_description_ = mock_host1; - - Upstream::MockHost::MockCreateConnectionData failed_conn_data; - failed_conn_data.connection_ = nullptr; // Connection creation failed - failed_conn_data.host_description_ = mock_host2; - auto mock_connection3 = std::make_unique>(); - Upstream::MockHost::MockCreateConnectionData success_conn_data3; - success_conn_data3.connection_ = mock_connection3.get(); - success_conn_data3.host_description_ = mock_host3; - // Set up connection attempts with host-specific expectations. - EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) - .WillRepeatedly(testing::Invoke([success_conn_data1, failed_conn_data, - success_conn_data3](Upstream::LoadBalancerContext* context) { - auto* reverse_context = - dynamic_cast(context); - EXPECT_NE(reverse_context, nullptr); - - auto override_host = reverse_context->overrideHostToSelect(); - EXPECT_TRUE(override_host.has_value()); - - std::string host_address = std::string(override_host->first); - - if (host_address == "192.168.1.1") { - return success_conn_data1; // First host: success - } else if (host_address == "192.168.1.2") { - return failed_conn_data; // Second host: failure - } else if (host_address == "192.168.1.3") { - return success_conn_data3; // Third host: success - } else { - // Unexpected host. - EXPECT_TRUE(false) << "Unexpected host address: " << host_address; - return failed_conn_data; - } + // Set up connection info for the connections. + auto local_address = std::make_shared("10.0.0.2", 40000); + auto remote_address1 = std::make_shared("192.168.1.1", 8080); + auto remote_address3 = std::make_shared("192.168.1.3", 8080); + + // Set up local/remote addresses for connections using the stream_info_. + mock_connection1->stream_info_.downstream_connection_info_provider_->setLocalAddress( + local_address); + mock_connection1->stream_info_.downstream_connection_info_provider_->setRemoteAddress( + remote_address1); + + mock_connection3->stream_info_.downstream_connection_info_provider_->setLocalAddress( + local_address); + mock_connection3->stream_info_.downstream_connection_info_provider_->setRemoteAddress( + remote_address3); + + // Set up expectations on the mock connections before they're moved. + // Set up connection expectations for mock_connection1. + EXPECT_CALL(*mock_connection1, id()).WillRepeatedly(Return(1)); + EXPECT_CALL(*mock_connection1, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection1, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection1, connect()); + EXPECT_CALL(*mock_connection1, addReadFilter(_)); + EXPECT_CALL(*mock_connection1, write(_, _)) + .Times(1) + .WillOnce(Invoke([](Buffer::Instance& buffer, bool) -> void { + // Drain the buffer to simulate actual write. + buffer.drain(buffer.length()); })); + // Expect calls during shutdown. + EXPECT_CALL(*mock_connection1, removeConnectionCallbacks(_)).Times(testing::AtMost(1)); + EXPECT_CALL(*mock_connection1, close(_)).Times(testing::AtMost(1)); + + // Set up connection expectations for mock_connection3. + EXPECT_CALL(*mock_connection3, id()).WillRepeatedly(Return(3)); + EXPECT_CALL(*mock_connection3, state()).WillRepeatedly(Return(Network::Connection::State::Open)); + EXPECT_CALL(*mock_connection3, addConnectionCallbacks(_)); + EXPECT_CALL(*mock_connection3, connect()); + EXPECT_CALL(*mock_connection3, addReadFilter(_)); + EXPECT_CALL(*mock_connection3, write(_, _)) + .Times(1) + .WillOnce(Invoke([](Buffer::Instance& buffer, bool) -> void { + // Drain the buffer to simulate actual write. + buffer.drain(buffer.length()); + })); + // Expect calls during shutdown. + EXPECT_CALL(*mock_connection3, removeConnectionCallbacks(_)).Times(testing::AtMost(1)); + EXPECT_CALL(*mock_connection3, close(_)).Times(testing::AtMost(1)); - mock_connection1.release(); - mock_connection3.release(); + // Set up connection attempts with host-specific expectations. + // We need to transfer ownership of the connections properly. + // The lambda will be called multiple times, so we use a counter to track which call we're on. + int call_count = 0; + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)) + .WillRepeatedly( + testing::Invoke([&call_count, &mock_connection1, &mock_connection3, mock_host1, + mock_host2, mock_host3](Upstream::LoadBalancerContext* context) + -> Upstream::MockHost::MockCreateConnectionData { + auto* reverse_context = + dynamic_cast(context); + EXPECT_NE(reverse_context, nullptr); + + auto override_host = reverse_context->overrideHostToSelect(); + EXPECT_TRUE(override_host.has_value()); + + std::string host_address = std::string(override_host->first); + + Upstream::MockHost::MockCreateConnectionData result; + if (host_address == "192.168.1.1") { + // First host: success - transfer ownership of mock_connection1 + // Transfer ownership only on the first call for this host. + if (mock_connection1) { + result.connection_ = mock_connection1.release(); + } else { + result.connection_ = nullptr; // Already used. + } + result.host_description_ = mock_host1; + } else if (host_address == "192.168.1.2") { + // Second host: failure - no connection + result.connection_ = nullptr; + result.host_description_ = mock_host2; + } else if (host_address == "192.168.1.3") { + // Third host: success - transfer ownership of mock_connection3 + // Transfer ownership only on the first call for this host. + if (mock_connection3) { + result.connection_ = mock_connection3.release(); + } else { + result.connection_ = nullptr; // Already used. + } + result.host_description_ = mock_host3; + } else { + // Unexpected host. + EXPECT_TRUE(false) << "Unexpected host address: " << host_address; + result.connection_ = nullptr; + result.host_description_ = mock_host2; + } + call_count++; + return result; + })); // Create 1 connection per host. RemoteClusterConnectionConfig cluster_config("test-cluster", 1); @@ -1758,6 +1842,104 @@ TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneSuccess) { << static_cast(trigger_byte); } +// Success path where trigger write fails: still enqueues connection and cleans up wrapper. +TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneSuccessTriggerWriteFailure) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Prepare trigger pipe, then close write end so ::write fails. + createTriggerPipe(); + EXPECT_TRUE(isTriggerPipeReady()); + ::close(getTriggerPipeWriteFd()); + + // Mock cluster and single host. + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + auto host_map = std::make_shared(); + auto mock_host = createMockHost("192.168.1.1"); + (*host_map)["192.168.1.1"] = std::const_pointer_cast(mock_host); + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + addHostConnectionInfo("192.168.1.1", "test-cluster", 1); + + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + mock_connection.release(); + + // Create wrapper via initiation, then complete as success. + EXPECT_TRUE(initiateOneReverseConnection("test-cluster", "192.168.1.1", mock_host)); + RCConnectionWrapper* wrapper_ptr = getConnectionWrappers()[0].get(); + io_handle_->onConnectionDone("reverse connection accepted", wrapper_ptr, false); + + // Even though trigger write failed, connection should be queued for accept. + EXPECT_EQ(getEstablishedConnectionsSize(), 1); +} + +// Internal address with zero hosts should early fail and update CannotConnect state. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionInternalAddressNoHosts) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + + // Provide non-null info and an empty host set to yield host_count == 0. + auto mock_cluster_info = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, info()).WillRepeatedly(Return(mock_cluster_info)); + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + std::vector host_sets; // empty + EXPECT_CALL(*mock_priority_set, hostSetsPerPriority()).WillRepeatedly(ReturnRef(host_sets)); + + auto mock_host = createMockPipeHost("/tmp/rev.sock"); + bool ok = initiateOneReverseConnection("test-cluster", "envoy://internal", mock_host); + EXPECT_FALSE(ok); +} + +// Pipe address host exercises the log branch that prints address without a port. +TEST_F(ReverseConnectionIOHandleTest, InitiateOneReverseConnectionLogsWithoutPort) { + setupThreadLocalSlot(); + + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + auto mock_thread_local_cluster = std::make_shared>(); + EXPECT_CALL(cluster_manager_, getThreadLocalCluster("test-cluster")) + .WillRepeatedly(Return(mock_thread_local_cluster.get())); + auto mock_priority_set = std::make_shared>(); + EXPECT_CALL(*mock_thread_local_cluster, prioritySet()) + .WillRepeatedly(ReturnRef(*mock_priority_set)); + auto host_map = std::make_shared(); + EXPECT_CALL(*mock_priority_set, crossPriorityHostMap()).WillRepeatedly(Return(host_map)); + + auto mock_host = createMockPipeHost("/tmp/rev.sock"); + auto mock_connection = setupMockConnection(); + Upstream::MockHost::MockCreateConnectionData success_conn_data; + success_conn_data.connection_ = mock_connection.get(); + success_conn_data.host_description_ = mock_host; + EXPECT_CALL(*mock_thread_local_cluster, tcpConn_(_)).WillOnce(Return(success_conn_data)); + mock_connection.release(); + + bool created = initiateOneReverseConnection("test-cluster", "10.0.0.9", mock_host); + EXPECT_TRUE(created); +} + // Test 3: Connection failure and recovery scenario. TEST_F(ReverseConnectionIOHandleTest, OnConnectionDoneFailureAndRecovery) { // Set up thread local slot first so stats can be properly tracked. @@ -2154,6 +2336,119 @@ TEST_F(ReverseConnectionIOHandleTest, CleanupMethod) { EXPECT_GE(io_handle_->fdDoNotUse(), 0); } +// Test cleanup() closes any established connections in the queue. +TEST_F(ReverseConnectionIOHandleTest, CleanupClosesEstablishedConnections) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create two mock connections and add them to the established queue. + // 1) An open connection should be closed with FlushWrite. + { + auto open_conn = std::make_unique>(); + EXPECT_CALL(*open_conn, state()).WillOnce(Return(Network::Connection::State::Open)); + EXPECT_CALL(*open_conn, close(Network::ConnectionCloseType::FlushWrite)); + addConnectionToEstablishedQueue(std::move(open_conn)); + } + // 2) A closed connection should not be closed again. + { + auto closed_conn = std::make_unique>(); + EXPECT_CALL(*closed_conn, state()).WillOnce(Return(Network::Connection::State::Closed)); + // No close() expected for closed connection. + addConnectionToEstablishedQueue(std::move(closed_conn)); + } + + // Call cleanup and ensure queue is drained without crashes. + EXPECT_GT(getEstablishedConnectionsSize(), 0); + cleanup(); + EXPECT_EQ(getEstablishedConnectionsSize(), 0); +} + +// Test initializeFileEvent early-return path when already started. +TEST_F(ReverseConnectionIOHandleTest, InitializeFileEventSkipWhenAlreadyStarted) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + Event::FileReadyCb cb = [](uint32_t) -> absl::Status { return absl::OkStatus(); }; + io_handle_->initializeFileEvent(dispatcher_, cb, Event::FileTriggerType::Level, 0); + + // Call again; should skip without changing fd or creating a new pipe. + const int fd_before = io_handle_->fdDoNotUse(); + io_handle_->initializeFileEvent(dispatcher_, cb, Event::FileTriggerType::Level, 0); + EXPECT_EQ(fd_before, io_handle_->fdDoNotUse()); +} + +// Test maintainReverseConnections early return when src_node_id is empty. +TEST_F(ReverseConnectionIOHandleTest, MaintainReverseConnectionsMissingSrcNodeId) { + ReverseConnectionSocketConfig cfg; + cfg.src_cluster_id = "test-cluster"; + cfg.src_node_id = ""; // Intentionally empty + cfg.remote_clusters.push_back(RemoteClusterConnectionConfig("remote", 1)); + + io_handle_ = createTestIOHandle(cfg); + EXPECT_NE(io_handle_, nullptr); + maintainReverseConnections(); +} + +// Test maintainClusterConnections early return when cluster is not found. +TEST_F(ReverseConnectionIOHandleTest, MaintainClusterConnectionsNoCluster) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + RemoteClusterConnectionConfig cluster_cfg{"missing-cluster", 1}; + // Default mock ClusterManager returns nullptr for unknown cluster. + maintainClusterConnections("missing-cluster", cluster_cfg); +} + +// Test shouldAttemptConnectionToHost creates host entry on-demand and returns true. +TEST_F(ReverseConnectionIOHandleTest, ShouldAttemptConnectionCreatesHostEntry) { + // Set up TLS registry to provide a time source for getTimeSource(). + setupThreadLocalSlot(); + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + EXPECT_TRUE(shouldAttemptConnectionToHost("10.0.0.5", "cluster-x")); + const auto& map = getHostToConnInfoMap(); + EXPECT_NE(map.find("10.0.0.5"), map.end()); +} + +// Test maybeUpdateHostsMappingsAndConnections removes stale hosts. +TEST_F(ReverseConnectionIOHandleTest, MaybeUpdateHostsRemovesStaleHosts) { + // Ensure a valid time source via TLS registry. + setupThreadLocalSlot(); + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Initial set of hosts: a, b + maybeUpdateHostsMappingsAndConnections("c1", std::vector{"a", "b"}); + EXPECT_EQ(getHostToConnInfoMap().size(), 2); + + // Updated set: only a → b should be removed. + maybeUpdateHostsMappingsAndConnections("c1", std::vector{"a"}); + const auto& map = getHostToConnInfoMap(); + EXPECT_NE(map.find("a"), map.end()); + EXPECT_EQ(map.find("b"), map.end()); +} + +// Lightly exercise read/write/connect wrappers for coverage. +TEST_F(ReverseConnectionIOHandleTest, ReadWriteConnectCoverage) { + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + Buffer::OwnedImpl buf("hello"); + (void)io_handle_->write(buf); + Buffer::OwnedImpl rbuf; + (void)io_handle_->read(rbuf, absl::optional(64)); + + auto addr = std::make_shared("127.0.0.1", 0); + (void)io_handle_->connect(addr); +} + // Test ReverseConnectionIOHandle::onAboveWriteBufferHighWatermark method (no-op) TEST_F(ReverseConnectionIOHandleTest, OnAboveWriteBufferHighWatermark) { auto config = createDefaultTestConfig(); diff --git a/test/extensions/filters/network/reverse_tunnel/BUILD b/test/extensions/filters/network/reverse_tunnel/BUILD new file mode 100644 index 0000000000000..99f041894b867 --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/BUILD @@ -0,0 +1,78 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) +load( + "//test/extensions:extensions_build_system.bzl", + "envoy_extension_cc_test", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_extension_cc_test( + name = "config_test", + srcs = ["config_test.cc"], + extension_names = ["envoy.filters.network.reverse_tunnel"], + rbe_pool = "6gig", + deps = [ + "//source/extensions/filters/network/reverse_tunnel:config", + "//test/mocks/server:factory_context_mocks", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + ], +) + +envoy_extension_cc_test( + name = "filter_unit_test", + srcs = ["filter_unit_test.cc"], + extension_names = ["envoy.filters.network.reverse_tunnel"], + rbe_pool = "6gig", + deps = [ + "//source/common/stats:isolated_store_lib", + "//source/common/stream_info:uint64_accessor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:upstream_socket_manager_lib", + "//source/extensions/filters/network/reverse_tunnel:reverse_tunnel_filter_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/server:overload_manager_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:logging_lib", + "@envoy_api//envoy/config/core/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + ], +) + +envoy_extension_cc_test( + name = "integration_test", + size = "large", + srcs = ["integration_test.cc"], + extension_names = [ + "envoy.filters.network.reverse_tunnel", + "envoy.bootstrap.reverse_tunnel.upstream_socket_interface", + "envoy.bootstrap.reverse_tunnel.downstream_socket_interface", + "envoy.bootstrap.internal_listener", + "envoy.resolvers.reverse_connection", + "envoy.filters.network.echo", + ], + rbe_pool = "6gig", + deps = [ + "//source/extensions/bootstrap/internal_listener:config", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_resolver_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface:reverse_tunnel_acceptor_lib", + "//source/extensions/filters/network/echo:config", + "//source/extensions/filters/network/reverse_tunnel:config", + "//source/extensions/filters/network/set_filter_state:config", + "//source/extensions/transport_sockets/internal_upstream:config", + "//test/integration:integration_lib", + "//test/test_common:logging_lib", + "//test/test_common:utility_lib", + "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/transport_sockets/internal_upstream/v3:pkg_cc_proto", + ], +) diff --git a/test/extensions/filters/network/reverse_tunnel/config_test.cc b/test/extensions/filters/network/reverse_tunnel/config_test.cc new file mode 100644 index 0000000000000..0e048c762d15e --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/config_test.cc @@ -0,0 +1,162 @@ +#include "envoy/config/core/v3/base.pb.h" + +#include "source/extensions/filters/network/reverse_tunnel/config.h" + +#include "test/mocks/server/factory_context.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { +namespace { + +TEST(ReverseTunnelFilterConfigFactoryTest, ValidConfiguration) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +ping_interval: + seconds: 5 +auto_close_connections: false +request_path: "/custom/reverse" +request_method: PUT +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, DefaultConfiguration) { + ReverseTunnelFilterConfigFactory factory; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + // Set minimum required fields for configuration. + proto_config.set_request_path("/reverse_connections/request"); + proto_config.set_request_method(envoy::config::core::v3::POST); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, ConfigProperties) { + ReverseTunnelFilterConfigFactory factory; + + EXPECT_EQ("envoy.filters.network.reverse_tunnel", factory.name()); + + ProtobufTypes::MessagePtr empty_config = factory.createEmptyConfigProto(); + EXPECT_TRUE(empty_config != nullptr); + EXPECT_EQ("envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel", + empty_config->GetTypeName()); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, ConfigurationNoValidation) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +ping_interval: + seconds: 1 + nanos: 500000000 +auto_close_connections: true +request_path: "/test/path" +request_method: POST +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, MinimalConfigurationYaml) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +request_path: "/minimal" +request_method: POST +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, FactoryType) { + ReverseTunnelFilterConfigFactory factory; + + // Test that the factory name matches expected. + EXPECT_EQ("envoy.filters.network.reverse_tunnel", factory.name()); +} + +TEST(ReverseTunnelFilterConfigFactoryTest, CreateFilterFactoryFromProtoTyped) { + ReverseTunnelFilterConfigFactory factory; + + const std::string yaml_string = R"EOF( +ping_interval: + seconds: 3 +auto_close_connections: true +request_path: "/factory/test" +request_method: PUT +)EOF"; + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + TestUtility::loadFromYaml(yaml_string, proto_config); + + NiceMock context; + auto result = factory.createFilterFactoryFromProto(proto_config, context); + ASSERT_TRUE(result.ok()); + Network::FilterFactoryCb cb = result.value(); + + EXPECT_TRUE(cb != nullptr); + + // Test the factory callback creates the filter properly. + Network::MockFilterManager filter_manager; + EXPECT_CALL(filter_manager, addReadFilter(_)); + cb(filter_manager); +} + +} // namespace +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc b/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc new file mode 100644 index 0000000000000..875b351b1df29 --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/filter_unit_test.cc @@ -0,0 +1,1621 @@ +#include "envoy/config/core/v3/base.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/router/string_accessor_impl.h" +#include "source/common/stats/isolated_store_impl.h" +#include "source/common/stream_info/uint64_accessor_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" +#include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" +#include "source/extensions/filters/network/reverse_tunnel/reverse_tunnel_filter.h" + +namespace ReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; + +#include "test/mocks/event/mocks.h" +#include "test/mocks/network/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/server/overload_manager.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/test_common/logging.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::NiceMock; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { +namespace { + +// Helper to create invalid HTTP that will trigger codec dispatch errors +class HttpErrorHelper { +public: + static std::vector getHttpErrorPatterns() { + return { + // Trigger codec dispatch with various malformed patterns + "GET /path HTTP/1.1\r\nInvalid-Header\r\n\r\n", // Header without colon + "POST /path HTTP/1.1\r\nContent-Length: abc\r\n\r\n", // Non-numeric content length + "INVALID_METHOD /path HTTP/1.1\r\nHost: test\r\n\r\n", // Invalid method + std::string("\xFF\xFE\xFD\xFC", 4), // Binary junk + "GET /path HTTP/999.999\r\n\r\n", // Invalid HTTP version + "GET\r\n\r\n", // Incomplete request line + "GET /path\r\n\r\n", // Missing HTTP version + "GET /path HTTP/1.1\r\nHost: test\r\nTransfer-Encoding: invalid\r\n\r\n" // Invalid encoding + }; + } +}; + +class ReverseTunnelFilterUnitTest : public testing::Test { +protected: + void SetUp() override { + // Initialize stats scope + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + } + +public: + ReverseTunnelFilterUnitTest() : stats_store_(), overload_manager_() { + // Prepare proto config with defaults. + proto_config_.set_request_path("/reverse_connections/request"); + proto_config_.set_request_method(envoy::config::core::v3::GET); + config_ = std::make_shared(proto_config_, factory_context_); + filter_ = std::make_unique(config_, *stats_store_.rootScope(), + overload_manager_); + + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + // Provide a default socket for getSocket(). + auto socket = std::make_unique(); + auto* socket_raw = socket.get(); + // Store unique_ptr inside a shared location to return const ref each time. + static Network::ConnectionSocketPtr stored_socket; + stored_socket = std::move(socket); + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_socket)); + EXPECT_CALL(*socket_raw, isOpen()).WillRepeatedly(testing::Return(true)); + // Stub required methods used by processAcceptedConnection(). + EXPECT_CALL(*socket_raw, ioHandle()) + .WillRepeatedly(testing::ReturnRef(*callbacks_.socket_.io_handle_)); + + filter_->initializeReadFilterCallbacks(callbacks_); + } + + // Helper method to set up upstream extension. + void setupUpstreamExtension() { + // Create the upstream socket interface and extension. + upstream_socket_interface_ = + std::make_unique(context_); + upstream_extension_ = std::make_unique( + *upstream_socket_interface_, context_, upstream_config_); + + // Set up the extension in the global socket interface registry. + auto* registered_upstream_interface = + Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); + if (registered_upstream_interface) { + auto* registered_acceptor = dynamic_cast( + const_cast(registered_upstream_interface)); + if (registered_acceptor) { + // Set up the extension for the registered upstream socket interface. + registered_acceptor->extension_ = upstream_extension_.get(); + } + } + } + + // Helper method to set up upstream thread local slot for testing. + void setupUpstreamThreadLocalSlot() { + // Call onServerInitialized to set up the extension references properly. + upstream_extension_->onServerInitialized(); + + // Create a thread local registry for upstream with the dispatcher. + upstream_thread_local_registry_ = + std::make_shared(dispatcher_, + upstream_extension_.get()); + + upstream_tls_slot_ = + ThreadLocal::TypedSlot::makeUnique( + thread_local_); + thread_local_.setDispatcher(&dispatcher_); + + // Set up the upstream slot to return our registry. + upstream_tls_slot_->set( + [registry = upstream_thread_local_registry_](Event::Dispatcher&) { return registry; }); + + // Override the TLS slot with our test version. + upstream_extension_->setTestOnlyTLSRegistry(std::move(upstream_tls_slot_)); + } + + // Helper to craft raw HTTP/1.1 request string. + std::string makeHttpRequest(const std::string& method, const std::string& path, + const std::string& body = "") { + std::string req = fmt::format("{} {} HTTP/1.1\r\n", method, path); + req += "Host: localhost\r\n"; + req += fmt::format("Content-Length: {}\r\n\r\n", body.size()); + req += body; + return req; + } + + // Helper to build reverse tunnel headers block. + std::string makeRtHeaders(const std::string& node, const std::string& cluster, + const std::string& tenant) { + std::string headers; + headers += "x-envoy-reverse-tunnel-node-id: " + node + "\r\n"; + headers += "x-envoy-reverse-tunnel-cluster-id: " + cluster + "\r\n"; + headers += "x-envoy-reverse-tunnel-tenant-id: " + tenant + "\r\n"; + return headers; + } + + // Helper to craft HTTP request with reverse tunnel headers and optional body. + std::string makeHttpRequestWithRtHeaders(const std::string& method, const std::string& path, + const std::string& node, const std::string& cluster, + const std::string& tenant, + const std::string& body = "") { + std::string req = fmt::format("{} {} HTTP/1.1\r\n", method, path); + req += "Host: localhost\r\n"; + req += makeRtHeaders(node, cluster, tenant); + req += fmt::format("Content-Length: {}\r\n\r\n", body.size()); + req += body; + return req; + } + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config_; + ReverseTunnelFilterConfigSharedPtr config_; + std::unique_ptr filter_; + Stats::IsolatedStoreImpl stats_store_; + NiceMock overload_manager_; + NiceMock callbacks_; + + // Thread local slot setup for downstream socket interface. + NiceMock context_; + NiceMock factory_context_; + NiceMock thread_local_; + NiceMock cluster_manager_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + // Config for reverse connection socket interface. + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface upstream_config_; + // Thread local components for testing upstream socket interface. + std::unique_ptr> + upstream_tls_slot_; + std::shared_ptr upstream_thread_local_registry_; + std::unique_ptr upstream_socket_interface_; + std::unique_ptr upstream_extension_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + + void TearDown() override { + // Clean up thread local components to avoid issues during destruction. + upstream_tls_slot_.reset(); + upstream_thread_local_registry_.reset(); + upstream_extension_.reset(); + upstream_socket_interface_.reset(); + } +}; + +TEST_F(ReverseTunnelFilterUnitTest, NewConnectionContinues) { + EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); +} + +TEST_F(ReverseTunnelFilterUnitTest, HttpDispatchErrorStopsIteration) { + // Simulate invalid HTTP by feeding raw bytes; dispatch will attempt and return error. + Buffer::OwnedImpl data("INVALID"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false)); +} + +TEST_F(ReverseTunnelFilterUnitTest, FullFlowAccepts) { + + // Configure reverse tunnel filter. + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Filter state does not affect acceptance. + + // Capture writes to connection. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + // Stats: accepted should increment. + auto accepted = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.accepted"); + ASSERT_NE(nullptr, accepted); + EXPECT_EQ(1, accepted->value()); +} + +TEST_F(ReverseTunnelFilterUnitTest, FullFlowMissingHeadersIsBadRequest) { + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + // Missing required headers should cause 400. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + Buffer::OwnedImpl request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +TEST_F(ReverseTunnelFilterUnitTest, FullFlowParseError) { + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Missing required headers should cause 400. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + // Stats: parse_error should increment. + auto parse_error = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.parse_error"); + ASSERT_NE(nullptr, parse_error); + EXPECT_EQ(1, parse_error->value()); +} + +TEST_F(ReverseTunnelFilterUnitTest, NotFoundForNonReverseTunnelPath) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + Buffer::OwnedImpl request(makeHttpRequest("GET", "/health")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +TEST_F(ReverseTunnelFilterUnitTest, AutoCloseConnectionsClosesAfterAccept) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.set_auto_close_connections(true); + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + // Expect close on accept. + EXPECT_CALL(callbacks_.connection_, close(Network::ConnectionCloseType::FlushWrite)); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Exercise RequestDecoder interface methods by obtaining the decoder via +// ReverseTunnelFilter::newStream (avoids accessing the private impl type). +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderInterfaceCoverageViaNewStream) { + // Ensure filter has callbacks initialized so decoder can access time source. + filter_->initializeReadFilterCallbacks(callbacks_); + + // Get a decoder instance via newStream. + Http::MockResponseEncoder encoder; + Http::RequestDecoder& decoder = filter_->newStream(encoder, false); + + // Provide minimal headers so processIfComplete paths are safe if triggered. + auto headers = Http::RequestHeaderMapImpl::create(); + decoder.decodeHeaders(std::move(headers), false); + + // Call decodeMetadata (no-op) explicitly. + Http::MetadataMapPtr meta; + decoder.decodeMetadata(std::move(meta)); + + // Accessor methods. + auto& si = decoder.streamInfo(); + (void)si; + auto logs = decoder.accessLogHandlers(); + EXPECT_TRUE(logs.empty()); + auto handle = decoder.getRequestDecoderHandle(); + EXPECT_EQ(nullptr, handle.get()); +} + +// Test configuration with custom ping interval. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationCustomPingInterval) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + proto_config.mutable_ping_interval()->set_seconds(10); + proto_config.set_auto_close_connections(true); + proto_config.set_request_path("/custom/path"); + proto_config.set_request_method(envoy::config::core::v3::PUT); + + ReverseTunnelFilterConfig config(proto_config, factory_context_); + EXPECT_EQ(std::chrono::milliseconds(10000), config.pingInterval()); + EXPECT_TRUE(config.autoCloseConnections()); + EXPECT_EQ("/custom/path", config.requestPath()); + EXPECT_EQ("PUT", config.requestMethod()); +} + +// Ensure defaults remain stable. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationDefaultsRemainStable) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + ReverseTunnelFilterConfig config(proto_config, factory_context_); + EXPECT_EQ("/reverse_connections/request", config.requestPath()); +} + +// Test configuration with default values. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationDefaults) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel proto_config; + // Leave everything empty to test defaults. + + ReverseTunnelFilterConfig config(proto_config, factory_context_); + EXPECT_EQ(std::chrono::milliseconds(2000), config.pingInterval()); + EXPECT_FALSE(config.autoCloseConnections()); + EXPECT_EQ("/reverse_connections/request", config.requestPath()); + EXPECT_EQ("GET", config.requestMethod()); +} + +// Test RequestDecoder methods not fully covered. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplMethods) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a request that will trigger decoder creation. + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + + // Split request into headers and body to test different decoder methods. + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + const std::string body_part = req.substr(hdr_end + 4); + + // First send headers. + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Then send body to test decodeData method. + Buffer::OwnedImpl body_buf(body_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(body_buf, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test decodeTrailers method. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplDecodeTrailers) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a chunked request with trailers to trigger decodeTrailers. + const std::string headers_part = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("n", "c", "t") + + "Transfer-Encoding: chunked\r\n\r\n"; + + // Send headers first. + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Send chunk with data. + Buffer::OwnedImpl chunk1("5\r\nhello\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk1, false)); + + // Send final chunk with trailers - this triggers decodeTrailers. + Buffer::OwnedImpl chunk2("0\r\nX-Trailer: value\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk2, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test decodeTrailers triggers processIfComplete. +TEST_F(ReverseTunnelFilterUnitTest, DecodeTrailersTriggersCompletion) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Build a proper chunked request to ensure decodeTrailers is called. + std::string req = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("trail", "test", "complete") + + "Transfer-Encoding: chunked\r\n\r\n" + "0\r\n" // Zero-length chunk + "X-End: trailer\r\n" // Trailer header + "\r\n"; // End of trailers + + Buffer::OwnedImpl request(req); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test parsing with empty payload. +TEST_F(ReverseTunnelFilterUnitTest, ParseEmptyPayload) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + + auto parse_error = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.parse_error"); + ASSERT_NE(nullptr, parse_error); + EXPECT_EQ(1, parse_error->value()); +} + +TEST_F(ReverseTunnelFilterUnitTest, NonStringFilterStateIgnored) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +TEST_F(ReverseTunnelFilterUnitTest, ClusterIdMismatchIgnored) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +TEST_F(ReverseTunnelFilterUnitTest, TenantIdMissingIgnored) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test closed socket scenario. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionClosedSocket) { + // Create a mock socket that reports as closed. + auto closed_socket = std::make_unique(); + EXPECT_CALL(*closed_socket, isOpen()).WillRepeatedly(testing::Return(false)); + + static Network::ConnectionSocketPtr stored_closed_socket; + stored_closed_socket = std::move(closed_socket); + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_closed_socket)); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test wrong HTTP method. +TEST_F(ReverseTunnelFilterUnitTest, WrongHttpMethod) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("PUT", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test onGoAway method coverage. +TEST_F(ReverseTunnelFilterUnitTest, OnGoAway) { + // onGoAway is a no-op, but we need to test it for coverage. + filter_->onGoAway(Http::GoAwayErrorCode::NoError); + // No assertions needed as it's a no-op method. +} + +// Test sendLocalReply with different parameters. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyVariants) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test sendLocalReply with empty body. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/wrong/path", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); + EXPECT_THAT(written, testing::HasSubstr("Not a reverse tunnel request")); +} + +// Test invalid protobuf that fails parsing. +TEST_F(ReverseTunnelFilterUnitTest, InvalidProtobufData) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Body contents are ignored now; with proper headers we should accept. + std::string junk_body(100, '\xFF'); + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", + "c", "t", junk_body)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test request with headers only (no body). +TEST_F(ReverseTunnelFilterUnitTest, HeadersOnlyRequest) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + std::string headers_only = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "Content-Length: 0\r\n\r\n"; + Buffer::OwnedImpl request(headers_only); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test RequestDecoderImpl interface methods for coverage. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplInterfaceMethods) { + // Create a decoder to test interface methods. + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Start a request to create the decoder. + // Use a non-empty body so the headers phase does not signal end_stream. + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Continue with body to complete the request. + const std::string body_part = req.substr(hdr_end + 4); + Buffer::OwnedImpl body_buf(body_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(body_buf, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test wrong HTTP method leads to 404. +TEST_F(ReverseTunnelFilterUnitTest, WrongHttpMethodTest) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with wrong method (PUT instead of GET). + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("PUT", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test successful request with response body. +TEST_F(ReverseTunnelFilterUnitTest, SuccessfulRequestWithResponseBody) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "test-node", "test-cluster", "test-tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + + // Check that accepted stat is incremented. + auto accepted = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.accepted"); + ASSERT_NE(nullptr, accepted); + EXPECT_EQ(1, accepted->value()); +} + +// Test sendLocalReply with modify_headers function. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyWithHeaderModifier) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send a request with wrong path to trigger sendLocalReply. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/wrong/path", "test-body")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Explicitly call RequestDecoderImpl::sendLocalReply with a header modifier to +// test the modify_headers. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderSendLocalReplyHeaderModifier) { + // Ensure callbacks are initialized to provide a time source. + filter_->initializeReadFilterCallbacks(callbacks_); + + // Mock encoder to capture headers set via modifier. + Http::MockResponseEncoder encoder; + bool saw_custom_header = false; + EXPECT_CALL(encoder, encodeHeaders(testing::_, testing::_)) + .WillOnce(testing::Invoke([&](const Http::ResponseHeaderMap& headers, bool) { + auto values = headers.get(Http::LowerCaseString("x-custom-mod")); + saw_custom_header = !values.empty() && values[0]->value().getStringView() == "v"; + })); + + // Obtain a decoder and call sendLocalReply with a modifier. + Http::RequestDecoder& decoder = filter_->newStream(encoder, false); + decoder.sendLocalReply( + Http::Code::Forbidden, "", + [](Http::ResponseHeaderMap& h) { h.addCopy(Http::LowerCaseString("x-custom-mod"), "v"); }, + absl::nullopt, "test"); + + EXPECT_TRUE(saw_custom_header); +} + +// Missing required headers should return 400. +TEST_F(ReverseTunnelFilterUnitTest, MissingReverseTunnelHeadersReturns400) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Missing required header should fail. + std::string req = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "x-envoy-reverse-tunnel-cluster-id: c\r\n" + "x-envoy-reverse-tunnel-tenant-id: t\r\n" + "Content-Length: 0\r\n\r\n"; + Buffer::OwnedImpl request(req); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test partial HTTP data processing. +TEST_F(ReverseTunnelFilterUnitTest, PartialHttpData) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + const std::string full_request = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + + // Send request in small chunks. + const size_t chunk_size = 10; + for (size_t i = 0; i < full_request.size(); i += chunk_size) { + const size_t actual_chunk_size = std::min(chunk_size, full_request.size() - i); + std::string chunk = full_request.substr(i, actual_chunk_size); + Buffer::OwnedImpl chunk_buf(chunk); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk_buf, false)); + } + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test HTTP dispatch with complete body in single call. +TEST_F(ReverseTunnelFilterUnitTest, CompleteRequestSingleCall) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "single", "call", "test")); + + // Process complete request in one call. + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, true)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +TEST_F(ReverseTunnelFilterUnitTest, PartialStateIgnored) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test string parsing through HTTP path (parseHandshakeRequest is private). +TEST_F(ReverseTunnelFilterUnitTest, ParseHandshakeStringViaHttp) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with a valid protobuf serialized as string. + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "node", "cluster", "tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test sendLocalReply with different paths. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyWithHeadersCallback) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a request with wrong path to trigger sendLocalReply. + Buffer::OwnedImpl request("GET / HTTP/1.1\r\nHost: test\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Should get 404 since path doesn't match. + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); + EXPECT_THAT(written, testing::HasSubstr("Not a reverse tunnel request")); +} + +// Test processIfComplete early return paths. +TEST_F(ReverseTunnelFilterUnitTest, ProcessIfCompleteEarlyReturns) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t", "x"); + + // Split request to send headers first without end_stream. + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + + // Send headers without end_stream - should not trigger processIfComplete. + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // At this point, no response should have been written yet. + EXPECT_TRUE(written.empty()); + + // Now send the body with end_stream to complete. + const std::string body_part = req.substr(hdr_end + 4); + Buffer::OwnedImpl body_buf(body_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(body_buf, true)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test configuration with all branches. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationAllBranches) { + // Test config with ping_interval set. + { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.mutable_ping_interval()->set_seconds(5); + cfg.mutable_ping_interval()->set_nanos(500000000); + ReverseTunnelFilterConfig config(cfg, factory_context_); + EXPECT_EQ(std::chrono::milliseconds(5500), config.pingInterval()); + } + + // Test config without ping_interval (default). + { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + ReverseTunnelFilterConfig config(cfg, factory_context_); + EXPECT_EQ(std::chrono::milliseconds(2000), config.pingInterval()); + } + + // Test config with empty strings (should use defaults). + { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + cfg.set_request_path(""); + cfg.set_request_method(envoy::config::core::v3::METHOD_UNSPECIFIED); + ReverseTunnelFilterConfig config(cfg, factory_context_); + EXPECT_EQ("/reverse_connections/request", config.requestPath()); + EXPECT_EQ("GET", config.requestMethod()); + } +} + +// Test array parsing edge cases via HTTP (parseHandshakeRequestFromArray is private). +TEST_F(ReverseTunnelFilterUnitTest, ParseHandshakeArrayEdgeCases) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with empty body to trigger array parsing with null data. + Buffer::OwnedImpl empty_request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(empty_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test socket is null or not open scenarios. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionNullSocket) { + // Create a mock connection that returns null socket. + NiceMock null_socket_callbacks; + EXPECT_CALL(null_socket_callbacks, connection()) + .WillRepeatedly(ReturnRef(null_socket_callbacks.connection_)); + + // Mock getSocket to return null. + static Network::ConnectionSocketPtr null_socket_ptr = nullptr; + EXPECT_CALL(null_socket_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(null_socket_ptr)); + + ReverseTunnelFilter null_socket_filter(config_, *stats_store_.rootScope(), overload_manager_); + null_socket_filter.initializeReadFilterCallbacks(null_socket_callbacks); + + std::string written; + EXPECT_CALL(null_socket_callbacks.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, null_socket_filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test empty response body path. +TEST_F(ReverseTunnelFilterUnitTest, EmptyResponseBody) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Should generate a response with non-empty body. + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + // No protobuf body expected now. +} + +// Test codec dispatch error path. +TEST_F(ReverseTunnelFilterUnitTest, CodecDispatchError) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send completely invalid HTTP data that will cause dispatch error. + Buffer::OwnedImpl invalid_data("\x00\x01\x02\x03INVALID HTTP"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(invalid_data, false)); + + // Should get no response since the filter returns early on dispatch error. +} + +TEST_F(ReverseTunnelFilterUnitTest, TenantIdMismatchIgnored2) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + auto local_config = std::make_shared(cfg, factory_context_); + ReverseTunnelFilter filter(local_config, *stats_store_.rootScope(), overload_manager_); + EXPECT_CALL(callbacks_, connection()).WillRepeatedly(ReturnRef(callbacks_.connection_)); + filter.initializeReadFilterCallbacks(callbacks_); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter.onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test newStream with is_internally_created parameter via HTTP processing. +TEST_F(ReverseTunnelFilterUnitTest, NewStreamWithInternallyCreatedFlag) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // newStream is called internally when processing HTTP requests. + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test stats generation through actual filter operations. +TEST_F(ReverseTunnelFilterUnitTest, StatsGeneration) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Trigger parse error to verify stats are generated (missing headers). + Buffer::OwnedImpl invalid_request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(invalid_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); + + // Verify parse_error stat was incremented. + auto parse_error = TestUtility::findCounter(stats_store_, "reverse_tunnel.handshake.parse_error"); + ASSERT_NE(nullptr, parse_error); + EXPECT_EQ(1, parse_error->value()); +} + +// Test configuration with ping_interval_ms deprecated field. +TEST_F(ReverseTunnelFilterUnitTest, ConfigurationDeprecatedField) { + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel cfg; + // Test the deprecated field if it exists. + cfg.set_auto_close_connections(false); + cfg.set_request_path("/test"); + cfg.set_request_method(envoy::config::core::v3::PUT); + // No extra options set to test defaults. + + ReverseTunnelFilterConfig config(cfg, factory_context_); + EXPECT_FALSE(config.autoCloseConnections()); + EXPECT_EQ("/test", config.requestPath()); + EXPECT_EQ("PUT", config.requestMethod()); +} + +// Test decodeData with multiple chunks. +TEST_F(ReverseTunnelFilterUnitTest, DecodeDataMultipleChunks) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + const std::string req = + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "n", "c", "t"); + + // Send headers first without end_stream. + const auto hdr_end = req.find("\r\n\r\n"); + const std::string headers_part = req.substr(0, hdr_end + 4); + Buffer::OwnedImpl header_buf(headers_part); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Send body in chunks without end_stream. + const std::string body_part = req.substr(hdr_end + 4); + const size_t chunk_size = body_part.size() / 3; + + Buffer::OwnedImpl chunk1(body_part.substr(0, chunk_size)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk1, false)); + + Buffer::OwnedImpl chunk2(body_part.substr(chunk_size, chunk_size)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk2, false)); + + // Send final chunk with end_stream. + Buffer::OwnedImpl chunk3(body_part.substr(chunk_size * 2)); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunk3, true)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test RequestDecoderImpl interface methods with proper HTTP flow. +TEST_F(ReverseTunnelFilterUnitTest, RequestDecoderImplInterfaceMethodsCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a proper HTTP request with chunked encoding and trailers and headers-only body + std::string chunked_request = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("interface", "test", "coverage") + + "Transfer-Encoding: chunked\r\n\r\n"; + + // Send headers first + Buffer::OwnedImpl header_buf(chunked_request); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(header_buf, false)); + + // Send chunk end and trailers (no body required) + std::string end_chunk_and_trailers = "0\r\nX-Test-Trailer: value\r\n\r\n"; + Buffer::OwnedImpl trailer_buf(end_chunk_and_trailers); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(trailer_buf, false)); + + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test codec dispatch failure with truly malformed HTTP. +TEST_F(ReverseTunnelFilterUnitTest, CodecDispatchFailureDetailed) { + // Create HTTP data that will cause codec dispatch to fail and log error. + std::string malformed_http = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + "Content-Length: \xFF\xFF\xFF\xFF\r\n\r\n"; // Invalid content length + + Buffer::OwnedImpl request(malformed_http); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); +} + +// Test more malformed HTTP to hit codec error paths. +TEST_F(ReverseTunnelFilterUnitTest, CodecDispatchMultipleErrorTypes) { + // Test 1: HTTP request with invalid headers + std::string invalid_headers = "GET /reverse_connections/request HTTP/1.1\r\n" + "Invalid Header Without Colon\r\n" + "\r\n"; + Buffer::OwnedImpl req1(invalid_headers); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(req1, false)); + + // Create new filter for second test + auto filter2 = + std::make_unique(config_, *stats_store_.rootScope(), overload_manager_); + NiceMock callbacks2; + EXPECT_CALL(callbacks2, connection()).WillRepeatedly(ReturnRef(callbacks2.connection_)); + auto socket2 = std::make_unique(); + EXPECT_CALL(*socket2, isOpen()).WillRepeatedly(testing::Return(true)); + static Network::ConnectionSocketPtr stored_socket2 = std::move(socket2); + EXPECT_CALL(callbacks2.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_socket2)); + filter2->initializeReadFilterCallbacks(callbacks2); + + // Test 2: Invalid HTTP version + std::string invalid_version = "GET /reverse_connections/request HTTP/9.9\r\n\r\n"; + Buffer::OwnedImpl req2(invalid_version); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter2->onData(req2, false)); +} + +// Ensure success path works without additional validations. +TEST_F(ReverseTunnelFilterUnitTest, SuccessPathCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create a valid request; response verification occurs normally. + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "response-test", "cluster", "tenant")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Ensure the success path works. + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test decodeMetadata method coverage. +TEST_F(ReverseTunnelFilterUnitTest, DecodeMetadataMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // The decodeMetadata method is called internally when processing certain HTTP requests + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "meta", "data", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test streamInfo method coverage. +TEST_F(ReverseTunnelFilterUnitTest, StreamInfoMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "stream", "info", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test accessLogHandlers method coverage. +TEST_F(ReverseTunnelFilterUnitTest, AccessLogHandlersMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "access", "log", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test getRequestDecoderHandle method coverage. +TEST_F(ReverseTunnelFilterUnitTest, GetRequestDecoderHandleMethodCoverage) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "decoder", "handle", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test various HTTP malformations to hit codec error paths. +TEST_F(ReverseTunnelFilterUnitTest, VariousHttpMalformations) { + // Test different types of malformed HTTP to hit codec dispatch error paths + std::vector malformed_requests = { + // Missing HTTP version + "GET /reverse_connections/request\r\nHost: test\r\n\r\n", + // Invalid method + "INVALID_METHOD /reverse_connections/request HTTP/1.1\r\nHost: test\r\n\r\n", + // Binary garbage + std::string("\x00\x01\x02\x03\x04\x05", 6), + // Incomplete request line + "POS", + // Missing headers separator + "GET /reverse_connections/request HTTP/1.1\r\nHost: test", + // Invalid characters in headers + "GET /reverse_connections/request HTTP/1.1\r\nHo\x00st: test\r\n\r\n"}; + + for (size_t i = 0; i < malformed_requests.size(); ++i) { + // Create new filter for each test to avoid state issues + auto test_filter = std::make_unique(config_, *stats_store_.rootScope(), + overload_manager_); + NiceMock test_callbacks; + EXPECT_CALL(test_callbacks, connection()).WillRepeatedly(ReturnRef(test_callbacks.connection_)); + + auto test_socket = std::make_unique(); + EXPECT_CALL(*test_socket, isOpen()).WillRepeatedly(testing::Return(true)); + static std::vector stored_test_sockets; + stored_test_sockets.push_back(std::move(test_socket)); + EXPECT_CALL(test_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_test_sockets.back())); + + test_filter->initializeReadFilterCallbacks(test_callbacks); + + Buffer::OwnedImpl request(malformed_requests[i]); + EXPECT_EQ(Network::FilterStatus::StopIteration, test_filter->onData(request, false)); + } +} + +// Test processAcceptedConnection with null TLS registry. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionNullTlsRegistry) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "null-tls", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test processAcceptedConnection when duplicate() returns null. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicateFails) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + + // Create a mock socket that returns a null/closed handle on duplicate. + auto mock_socket = std::make_unique(); + auto mock_io_handle = std::make_unique(); + + // Setup IoHandle to return null on duplicate. + EXPECT_CALL(*mock_io_handle, duplicate()).WillOnce(testing::Return(nullptr)); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket, isOpen()).WillRepeatedly(testing::Return(true)); + + static Network::ConnectionSocketPtr stored_mock_socket; + static std::unique_ptr stored_io_handle; + stored_io_handle = std::move(mock_io_handle); + stored_mock_socket = std::move(mock_socket); + + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_mock_socket)); + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "dup-fail", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test processAcceptedConnection when duplicated handle is not open. +TEST_F(ReverseTunnelFilterUnitTest, ProcessAcceptedConnectionDuplicatedHandleNotOpen) { + + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + + auto mock_socket = std::make_unique(); + auto mock_io_handle = std::make_unique(); + auto dup_io_handle = std::make_unique(); + + // Setup duplicated handle to report as not open. + EXPECT_CALL(*dup_io_handle, isOpen()).WillRepeatedly(testing::Return(false)); + EXPECT_CALL(*mock_io_handle, duplicate()) + .WillOnce(testing::Return(testing::ByMove(std::move(dup_io_handle)))); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket, isOpen()).WillRepeatedly(testing::Return(true)); + + static Network::ConnectionSocketPtr stored_mock_socket2; + static std::unique_ptr stored_io_handle2; + stored_io_handle2 = std::move(mock_io_handle); + stored_mock_socket2 = std::move(mock_socket); + + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_mock_socket2)); + // Socket lifecycle is now managed by UpstreamReverseConnectionIOHandle wrapper. + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request( + makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "dup-closed", "c", "t")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test systematic HTTP error patterns to trigger codec dispatch error paths. +TEST_F(ReverseTunnelFilterUnitTest, SystematicHttpErrorPatterns) { + auto patterns = HttpErrorHelper::getHttpErrorPatterns(); + + for (size_t i = 0; i < patterns.size(); ++i) { + // Create new filter for each test to avoid state pollution + auto error_filter = std::make_unique(config_, *stats_store_.rootScope(), + overload_manager_); + NiceMock error_callbacks; + EXPECT_CALL(error_callbacks, connection()) + .WillRepeatedly(ReturnRef(error_callbacks.connection_)); + + // Set up socket for each test + auto error_socket = std::make_unique(); + EXPECT_CALL(*error_socket, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*error_socket, ioHandle()) + .WillRepeatedly(testing::ReturnRef(*error_callbacks.socket_.io_handle_)); + + static std::vector stored_error_sockets; + stored_error_sockets.push_back(std::move(error_socket)); + EXPECT_CALL(error_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_error_sockets.back())); + + error_filter->initializeReadFilterCallbacks(error_callbacks); + + // Test this error pattern + Buffer::OwnedImpl error_request(patterns[i]); + EXPECT_EQ(Network::FilterStatus::StopIteration, error_filter->onData(error_request, false)); + } +} + +// Test edge cases in HTTP/protobuf processing to maximize coverage. +TEST_F(ReverseTunnelFilterUnitTest, EdgeCaseHttpProtobufProcessing) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test 1: Binary data that looks like protobuf but isn't + std::string fake_protobuf; + fake_protobuf.push_back(0x08); // Protobuf field tag + fake_protobuf.push_back(0x96); // Invalid varint continuation + fake_protobuf.push_back(0xFF); // More invalid data + fake_protobuf.push_back(0xFF); + fake_protobuf.push_back(0xFF); + + Buffer::OwnedImpl fake_request(makeHttpRequest("GET", "/reverse_connections/request", "")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(fake_request, false)); + EXPECT_THAT(written, testing::HasSubstr("400 Bad Request")); +} + +// Test to trigger specific interface methods for coverage. +TEST_F(ReverseTunnelFilterUnitTest, InterfaceMethodsCompleteCoverage) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + + // Set up mock socket with proper duplication mocking + auto mock_socket = std::make_unique(); + auto mock_io_handle = std::make_unique(); + auto dup_handle = std::make_unique(); + + // Mock successful duplication + EXPECT_CALL(*dup_handle, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*dup_handle, resetFileEvents()); + EXPECT_CALL(*dup_handle, fdDoNotUse()).WillRepeatedly(testing::Return(456)); + + EXPECT_CALL(*mock_io_handle, duplicate()) + .WillOnce(testing::Return(testing::ByMove(std::move(dup_handle)))); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*mock_socket, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(testing::Return(455)); + + // Store in static variables + static Network::ConnectionSocketPtr stored_interface_socket; + static std::unique_ptr stored_interface_handle; + stored_interface_handle = std::move(mock_io_handle); + stored_interface_socket = std::move(mock_socket); + + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_interface_socket)); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Create request with HTTP/1.1 Transfer-Encoding chunked to trigger trailers + std::string chunked_request = "GET /reverse_connections/request HTTP/1.1\r\n" + "Host: localhost\r\n" + + makeRtHeaders("interface", "methods", "test") + + "Transfer-Encoding: chunked\r\n\r\n"; + chunked_request += "0\r\n"; // End chunk + chunked_request += "X-Custom-Trailer: test-value\r\n"; // Trailer header + chunked_request += "\r\n"; // End trailers + + Buffer::OwnedImpl chunked_buf(chunked_request); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(chunked_buf, false)); + + // This should trigger decodeTrailers, decodeMetadata (if any), + // streamInfo, accessLogHandlers, and getRequestDecoderHandle methods + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test processIfComplete when already complete. +TEST_F(ReverseTunnelFilterUnitTest, ProcessIfCompleteAlreadyComplete) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + // We don't need to setup thread local slot for this test since + // we are not testing socket duplication. + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send a complete request. + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "double", "complete", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // Verify we got the response. + EXPECT_THAT(written, testing::HasSubstr("200 OK")); + + // Try to send more data - should be ignored as already complete. + Buffer::OwnedImpl more_data("extra data"); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(more_data, false)); +} + +// Test successful socket duplication with all operations succeeding. +TEST_F(ReverseTunnelFilterUnitTest, SuccessfulSocketDuplication) { + // Set up thread local slot for downstream socket interface. This is necessary + // for the socket manager to be initialized. + setupUpstreamExtension(); + setupUpstreamThreadLocalSlot(); + + auto socket_with_dup = std::make_unique(); + + // Mock successful duplication where everything succeeds. + auto mock_io_handle = std::make_unique(); + auto dup_handle = std::make_unique(); + + // The duplicated handle is open and operations succeed. + EXPECT_CALL(*dup_handle, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*dup_handle, resetFileEvents()); + EXPECT_CALL(*dup_handle, fdDoNotUse()).WillRepeatedly(testing::Return(123)); + + // Mock the duplicate() call to return the dup_handle. + EXPECT_CALL(*mock_io_handle, duplicate()) + .WillOnce(testing::Return(testing::ByMove(std::move(dup_handle)))); + + // Mock ioHandle() to return our mock handle. + EXPECT_CALL(*socket_with_dup, ioHandle()).WillRepeatedly(testing::ReturnRef(*mock_io_handle)); + EXPECT_CALL(*socket_with_dup, isOpen()).WillRepeatedly(testing::Return(true)); + EXPECT_CALL(*mock_io_handle, fdDoNotUse()).WillRepeatedly(testing::Return(122)); + + // Store socket and handle in static variables. + static Network::ConnectionSocketPtr stored_dup_socket; + static std::unique_ptr stored_dup_handle; + stored_dup_handle = std::move(mock_io_handle); + stored_dup_socket = std::move(socket_with_dup); + + // Set up the callbacks to use our mock socket. + EXPECT_CALL(callbacks_.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_dup_socket)); + + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + Buffer::OwnedImpl request(makeHttpRequestWithRtHeaders("GET", "/reverse_connections/request", + "dup", "success", "test")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("200 OK")); +} + +// Test modify_headers callback in sendLocalReply. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyWithModifyHeaders) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Send a request that will trigger a 404 response with modify_headers callback. + Buffer::OwnedImpl request(makeHttpRequest("GET", "/wrong/path")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + + // The sendLocalReply with modify_headers is called internally. + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); +} + +// Test sendLocalReply with all branches covered. +TEST_F(ReverseTunnelFilterUnitTest, SendLocalReplyAllBranches) { + std::string written; + EXPECT_CALL(callbacks_.connection_, write(testing::_, testing::_)) + .WillRepeatedly(testing::Invoke([&](Buffer::Instance& data, bool) { + written.append(data.toString()); + data.drain(data.length()); + })); + + // Test with wrong method to trigger 404. + Buffer::OwnedImpl request(makeHttpRequest("POST", "/reverse_connections/request")); + EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(request, false)); + EXPECT_THAT(written, testing::HasSubstr("404 Not Found")); + EXPECT_THAT(written, testing::HasSubstr("Not a reverse tunnel request")); +} + +// Test HTTP/1.1 codec initialization with different settings. +TEST_F(ReverseTunnelFilterUnitTest, CodecInitializationCoverage) { + // Create a new filter to test codec initialization. + auto test_filter = + std::make_unique(config_, *stats_store_.rootScope(), overload_manager_); + NiceMock test_callbacks; + EXPECT_CALL(test_callbacks, connection()).WillRepeatedly(ReturnRef(test_callbacks.connection_)); + + auto test_socket = std::make_unique(); + EXPECT_CALL(*test_socket, isOpen()).WillRepeatedly(testing::Return(true)); + static Network::ConnectionSocketPtr stored_codec_socket = std::move(test_socket); + EXPECT_CALL(test_callbacks.connection_, getSocket()) + .WillRepeatedly(testing::ReturnRef(stored_codec_socket)); + + test_filter->initializeReadFilterCallbacks(test_callbacks); + + // First call to onData initializes the codec. + Buffer::OwnedImpl data1("GET /test HTTP/1.1\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, test_filter->onData(data1, false)); + + // Second call uses existing codec. + Buffer::OwnedImpl data2("Host: test\r\n\r\n"); + EXPECT_EQ(Network::FilterStatus::StopIteration, test_filter->onData(data2, false)); +} + +} // namespace +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/filters/network/reverse_tunnel/integration_test.cc b/test/extensions/filters/network/reverse_tunnel/integration_test.cc new file mode 100644 index 0000000000000..d9b6af8f4082d --- /dev/null +++ b/test/extensions/filters/network/reverse_tunnel/integration_test.cc @@ -0,0 +1,487 @@ +#include + +#include "envoy/config/bootstrap/v3/bootstrap.pb.h" +#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" +#include "envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.pb.h" + +#include "source/common/protobuf/protobuf.h" + +#include "test/integration/integration.h" +#include "test/integration/utility.h" +#include "test/test_common/logging.h" +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace NetworkFilters { +namespace ReverseTunnel { +namespace { + +class ReverseTunnelFilterIntegrationTest + : public testing::TestWithParam, + public BaseIntegrationTest { +public: + ReverseTunnelFilterIntegrationTest() + : BaseIntegrationTest(GetParam(), ConfigHelper::baseConfig()) {} + + void initialize() override { + // Add common bootstrap extensions that are used across multiple tests. + config_helper_.addBootstrapExtension(R"EOF( +name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface +typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface +)EOF"); + + config_helper_.addBootstrapExtension(R"EOF( +name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface +typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface +)EOF"); + + // Call parent initialize to complete setup. + BaseIntegrationTest::initialize(); + } + +protected: + void addSetFilterStateFilter(const std::string& node_id = "integration-test-node", + const std::string& cluster_id = "integration-test-cluster", + const std::string& tenant_id = "integration-test-tenant") { + std::string on_new_connection = ""; + if (!node_id.empty()) { + on_new_connection += fmt::format(R"( + - object_key: node_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "{}")", + node_id); + } + if (!cluster_id.empty()) { + on_new_connection += fmt::format(R"( + - object_key: cluster_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "{}")", + cluster_id); + } + if (!tenant_id.empty()) { + on_new_connection += fmt::format(R"( + - object_key: tenant_id + factory_key: envoy.string + format_string: + text_format_source: + inline_string: "{}")", + tenant_id); + } + + const std::string set_filter_state = fmt::format(R"EOF( +name: envoy.filters.network.set_filter_state +typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.set_filter_state.v3.Config + on_new_connection:{} +)EOF", + on_new_connection); + + config_helper_.addConfigModifier( + [set_filter_state](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + envoy::config::listener::v3::Filter filter; + TestUtility::loadFromYaml(set_filter_state, filter); + ASSERT_GT(bootstrap.mutable_static_resources()->listeners_size(), 0); + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + + // Create a filter chain if one doesn't exist, otherwise clear existing filters. + if (listener->filter_chains_size() == 0) { + listener->add_filter_chains(); + } else { + listener->mutable_filter_chains(0)->clear_filters(); + } + + // Add set_filter_state first. + listener->mutable_filter_chains(0)->add_filters()->Swap(&filter); + }); + } + + void addReverseTunnelFilter(bool auto_close_connections = false, + const std::string& request_path = "/reverse_connections/request", + const std::string& request_method = "GET") { + const std::string filter_config = + fmt::format(R"EOF( + name: envoy.filters.network.reverse_tunnel + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: + seconds: 300 + auto_close_connections: {} + request_path: "{}" + request_method: {} +)EOF", + auto_close_connections ? "true" : "false", request_path, request_method); + + config_helper_.addConfigModifier( + [filter_config](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + envoy::config::listener::v3::Filter filter; + TestUtility::loadFromYaml(filter_config, filter); + ASSERT_GT(bootstrap.mutable_static_resources()->listeners_size(), 0); + auto* listener = bootstrap.mutable_static_resources()->mutable_listeners(0); + + // Create a filter chain if one doesn't exist. + if (listener->filter_chains_size() == 0) { + listener->add_filter_chains(); + } + + // Add reverse tunnel filter (either as first filter or after existing filters). + listener->mutable_filter_chains(0)->add_filters()->Swap(&filter); + }); + } + + std::string createTestPayload(const std::string& node_uuid = "integration-test-node", + const std::string& cluster_uuid = "integration-test-cluster", + const std::string& tenant_uuid = "integration-test-tenant") { + UNREFERENCED_PARAMETER(node_uuid); + UNREFERENCED_PARAMETER(cluster_uuid); + UNREFERENCED_PARAMETER(tenant_uuid); + return std::string(); + } + + std::string createHttpRequest(const std::string& method, const std::string& path, + const std::string& body = "") { + std::string request = fmt::format("{} {} HTTP/1.1\r\n", method, path); + request += "Host: localhost\r\n"; + request += fmt::format("Content-Length: {}\r\n", body.length()); + request += "\r\n"; + request += body; + return request; + } + + std::string createHttpRequestWithRtHeaders(const std::string& method, const std::string& path, + const std::string& node, const std::string& cluster, + const std::string& tenant, + const std::string& body = "") { + std::string request = fmt::format("{} {} HTTP/1.1\r\n", method, path); + request += "Host: localhost\r\n"; + request += fmt::format("{}: {}\r\n", "x-envoy-reverse-tunnel-node-id", node); + request += fmt::format("{}: {}\r\n", "x-envoy-reverse-tunnel-cluster-id", cluster); + request += fmt::format("{}: {}\r\n", "x-envoy-reverse-tunnel-tenant-id", tenant); + request += fmt::format("Content-Length: {}\r\n", body.length()); + request += "\r\n"; + request += body; + return request; + } + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::trace); +}; + +INSTANTIATE_TEST_SUITE_P(IpVersions, ReverseTunnelFilterIntegrationTest, + testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + TestUtility::ipTestParamsToString); + +TEST_P(ReverseTunnelFilterIntegrationTest, ValidReverseTunnelRequest) { + // Configure the reverse tunnel filter with default settings. + addReverseTunnelFilter(); + initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed quickly; still verify response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + + // Should receive HTTP 200 OK response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + + // Since auto_close_connections: false, we need to close the connection manually. + tcp_client->close(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, InvalidReverseTunnelRequest) { + // Configure the reverse tunnel filter with default settings. + addReverseTunnelFilter(); + initialize(); + + std::string http_request = createHttpRequest("GET", "/health"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForDisconnect(); + return; + } + // The request should pass through or be handled by other components; connection may close. + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, PartialRequestHandling) { + // Configure the reverse tunnel filter with default settings. + addReverseTunnelFilter(); + initialize(); + + std::string http_request = createHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "integration-test-node", "integration-test-cluster", + "integration-test-tenant", "abcdefghijklmno"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + + // Send request in chunks but ensure the body only completes on the third chunk. + // Split the HTTP request into headers and body, then stream body in parts. + const std::string::size_type hdr_end = http_request.find("\r\n\r\n"); + ASSERT_NE(hdr_end, std::string::npos); + const std::string headers = http_request.substr(0, hdr_end + 4); + const std::string body = http_request.substr(hdr_end + 4); + ASSERT_GT(body.size(), 8u); + + const size_t part = body.size() / 4; // Ensure first 2 parts are not enough to complete. + const std::string body1 = body.substr(0, part); + const std::string body2 = body.substr(part, part); + const std::string body3 = body.substr(2 * part); + + // First write: headers + small part of body. + if (!tcp_client->write(headers + body1, /*end_stream=*/false)) { + // Server may have already processed and responded; validate response and exit. + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + // Second write: more body but still not complete. If the server already completed,. + // the write can fail due to disconnect; treat that as acceptable and verify response. + if (!tcp_client->write(body2, /*end_stream=*/false)) { + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + // Third write: remaining body to complete the request. Same tolerance as above. + if (!tcp_client->write(body3, /*end_stream=*/false)) { + tcp_client->waitForData("HTTP/1.1 200 OK"); + return; + } + + // Should receive complete HTTP response. + tcp_client->waitForData("HTTP/1.1 200 OK"); + // Server may keep connection open (auto_close_connections: false). Close client side. + tcp_client->close(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, WrongPathReturns404) { + // Configure the reverse tunnel filter with default settings. + addReverseTunnelFilter(); + initialize(); + + // Test that requesting a different path than configured returns 404. + // The default configuration uses "/reverse_connections/request" path. + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/custom/reverse", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForDisconnect(); + return; + } + + // Should receive 404 Not Found response and connection should close. + tcp_client->waitForData("HTTP/1.1 404 Not Found"); + tcp_client->waitForDisconnect(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, MissingNodeUuidRejection) { + // Configure the reverse tunnel filter with default settings. + addReverseTunnelFilter(); + initialize(); + + // Missing node UUID header should trigger 400. + std::string http_request = + fmt::format("{} {} HTTP/1.1\r\nHost: localhost\r\n" + "x-envoy-reverse-tunnel-cluster-id: {}\r\n" + "x-envoy-reverse-tunnel-tenant-id: {}\r\nContent-Length: 0\r\n\r\n", + "GET", "/reverse_connections/request", "test-cluster", "test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + if (!tcp_client->write(http_request)) { + // Server may have already sent the response and closed. + tcp_client->waitForData("HTTP/1.1 400 Bad Request"); + return; + } + + // Should receive HTTP 400 Bad Request response for missing node UUID. + tcp_client->waitForData("HTTP/1.1 400 Bad Request"); + tcp_client->waitForDisconnect(); +} + +// Filter accepts when method/path/headers match. +TEST_P(ReverseTunnelFilterIntegrationTest, AcceptsWhenHeadersPresent) { + addReverseTunnelFilter(); + initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + ASSERT_TRUE(tcp_client->write(http_request)); + tcp_client->waitForData("HTTP/1.1 200 OK"); + tcp_client->close(); +} + +TEST_P(ReverseTunnelFilterIntegrationTest, IgnoresFilterStateValues) { + addReverseTunnelFilter(); + initialize(); + + std::string http_request = + createHttpRequestWithRtHeaders("GET", "/reverse_connections/request", "integration-test-node", + "integration-test-cluster", "integration-test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + ASSERT_TRUE(tcp_client->write(http_request)); + tcp_client->waitForData("HTTP/1.1 200 OK"); + tcp_client->close(); +} + +// Integration test that verifies basic reverse tunnel handshake. +TEST_P(ReverseTunnelFilterIntegrationTest, BasicReverseTunnelHandshake) { + // Configure the reverse tunnel filter with default settings. + addReverseTunnelFilter(); + initialize(); + + // Test reverse tunnel handshake and socket reuse functionality. + std::string http_request = createHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "test-node", "test-cluster", "test-tenant"); + + IntegrationTcpClientPtr tcp_client = makeTcpConnection(lookupPort("listener_0")); + ASSERT_TRUE(tcp_client->write(http_request)); + + // Should receive HTTP 200 OK response from the reverse tunnel filter. + tcp_client->waitForData("HTTP/1.1 200 OK"); + + // Verify stats show successful reverse tunnel handshake. + test_server_->waitForCounterGe("reverse_tunnel.handshake.accepted", 1); + + // Send a second request to test socket caching for different node IDs. + IntegrationTcpClientPtr tcp_client2 = makeTcpConnection(lookupPort("listener_0")); + std::string http_request2 = createHttpRequestWithRtHeaders( + "GET", "/reverse_connections/request", "test-node-2", "test-cluster-2", "test-tenant-2"); + + ASSERT_TRUE(tcp_client2->write(http_request2)); + tcp_client2->waitForData("HTTP/1.1 200 OK"); + + // Verify additional handshake was processed. + test_server_->waitForCounterGe("reverse_tunnel.handshake.accepted", 2); + + tcp_client->close(); + tcp_client2->close(); +} + +// End-to-end reverse connection handshake test where the downstream reverse connection listener +// (rc://) initiates a. connection to upstream listener running the reverse_tunnel filter. The +// downstream. side sends HTTP headers using the same helpers as the upstream expects, and the +// upstream. socket manager updates connection stats. We verify the gauges to confirm handshake +// success. The ping interval is kept at a very high value (5 minutes) to avoid ping timeout on +// accepted reverse connections. +TEST_P(ReverseTunnelFilterIntegrationTest, EndToEndReverseConnectionHandshake) { + DISABLE_IF_ADMIN_DISABLED; // Test requires admin interface for draining listener. + + // Use a deterministic port to avoid timing issues. + const uint32_t upstream_port = GetParam() == Network::Address::IpVersion::v4 ? 15000 : 15001; + const std::string loopback_addr = + GetParam() == Network::Address::IpVersion::v4 ? "127.0.0.1" : "::1"; + + // Configure listeners and clusters for the full reverse tunnel flow. + config_helper_.addConfigModifier([upstream_port, loopback_addr]( + envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + // Clear existing listeners and add our custom setup. + bootstrap.mutable_static_resources()->clear_listeners(); + + // Ensure admin interface is configured. + if (!bootstrap.has_admin()) { + auto* admin = bootstrap.mutable_admin(); + auto* admin_address = admin->mutable_address()->mutable_socket_address(); + admin_address->set_address(loopback_addr); + admin_address->set_port_value(0); // Use ephemeral port + } + + // Listener 1: Upstream listener with reverse tunnel filter (accepts reverse connections). + auto* upstream_listener = bootstrap.mutable_static_resources()->add_listeners(); + upstream_listener->set_name("upstream_listener"); + upstream_listener->mutable_address()->mutable_socket_address()->set_address(loopback_addr); + upstream_listener->mutable_address()->mutable_socket_address()->set_port_value(upstream_port); + + auto* upstream_chain = upstream_listener->add_filter_chains(); + auto* rt_filter = upstream_chain->add_filters(); + rt_filter->set_name("envoy.filters.network.reverse_tunnel"); + + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel rt_config; + rt_config.mutable_ping_interval()->set_seconds( + 300); // Set the ping interval to the max value to avoid ping timeout. + rt_config.set_auto_close_connections(false); + rt_config.set_request_path("/reverse_connections/request"); + rt_config.set_request_method(envoy::config::core::v3::GET); + rt_filter->mutable_typed_config()->PackFrom(rt_config); + + // Listener 2: Reverse connection listener (initiates reverse connections). + auto* rc_listener = bootstrap.mutable_static_resources()->add_listeners(); + rc_listener->set_name("reverse_connection_listener"); + auto* rc_address = rc_listener->mutable_address()->mutable_socket_address(); + // Use rc:// scheme to trigger reverse connection initiation. + rc_address->set_address("rc://e2e-node:e2e-cluster:e2e-tenant@upstream_cluster:1"); + rc_address->set_port_value(0); // Not used for rc:// addresses + rc_address->set_resolver_name("envoy.resolvers.reverse_connection"); + + // Add filter chain with echo filter to process the connection. + auto* rc_chain = rc_listener->add_filter_chains(); + auto* echo_filter = rc_chain->add_filters(); + echo_filter->set_name("envoy.filters.network.echo"); + auto* echo_config = echo_filter->mutable_typed_config(); + echo_config->set_type_url("type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo"); + + // Cluster that points to our upstream listener using regular TCP. + auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); + cluster->set_name("upstream_cluster"); + cluster->set_type(envoy::config::cluster::v3::Cluster::STATIC); + cluster->mutable_load_assignment()->set_cluster_name("upstream_cluster"); + + // Point to the upstream listener's port. + auto* locality = cluster->mutable_load_assignment()->add_endpoints(); + auto* lb_endpoint = locality->add_lb_endpoints(); + auto* endpoint = lb_endpoint->mutable_endpoint(); + auto* addr = endpoint->mutable_address()->mutable_socket_address(); + addr->set_address(loopback_addr); + addr->set_port_value(upstream_port); + }); + + initialize(); + + // Register admin port after initialization since we cleared listeners. + registerTestServerPorts({}); + + ENVOY_LOG_MISC(info, "Waiting for reverse connections to be established."); + // Wait for reverse connections to be established. + timeSystem().advanceTimeWait(std::chrono::milliseconds(1000)); + + // Test that the full flow works by checking upstream socket interface metrics. + test_server_->waitForGaugeGe("reverse_connections.nodes.e2e-node", 1); + test_server_->waitForGaugeGe("reverse_connections.clusters.e2e-cluster", 1); + + // Verify stats show successful reverse tunnel handshake. + test_server_->waitForCounterGe("reverse_tunnel.handshake.accepted", 1); + + // Drain listeners to trigger proper cleanup of ReverseConnectionIOHandle. + BufferingStreamDecoderPtr admin_response = IntegrationUtil::makeSingleRequest( + lookupPort("admin"), "POST", "/drain_listeners", "", Http::CodecType::HTTP1, GetParam()); + EXPECT_TRUE(admin_response->complete()); + EXPECT_EQ("200", admin_response->headers().getStatusValue()); + + // Wait for listeners to be stopped, which triggers ReverseConnectionIOHandle cleanup. + test_server_->waitForCounterEq("listener_manager.listener_stopped", + 2); // 2 listeners in this test +} + +} // namespace +} // namespace ReverseTunnel +} // namespace NetworkFilters +} // namespace Extensions +} // namespace Envoy From c811552b94d0d4189de710113d5f081f6c952e5b Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 24 Sep 2025 02:19:41 -0700 Subject: [PATCH 489/505] docs: styling nits and fixes for GeoIP filter docs (#41198) This PR have some nits and styling fixes to make the GeoIP filter docs consistent to rest of the codebase. Signed-off-by: Rohit Agrawal --- .../geoip_providers/common/v3/common.proto | 34 +++++++++---------- .../geoip_providers/maxmind/v3/maxmind.proto | 29 +++++++++------- 2 files changed, 33 insertions(+), 30 deletions(-) diff --git a/api/envoy/extensions/geoip_providers/common/v3/common.proto b/api/envoy/extensions/geoip_providers/common/v3/common.proto index e289751f8efe6..d4ccf4ebca2b6 100644 --- a/api/envoy/extensions/geoip_providers/common/v3/common.proto +++ b/api/envoy/extensions/geoip_providers/common/v3/common.proto @@ -17,8 +17,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Common configuration shared across geolocation providers. message CommonGeoipProviderConfig { - // The set of geolocation headers to add to request. If any of the configured headers is present - // in the incoming request, it will be overridden by the :ref:`Geoip filter `. + // The set of geolocation headers to add to the request. If any of the configured headers is present + // in the incoming request, it will be overridden by the :ref:`GeoIP filter `. // [#next-free-field: 13] message GeolocationHeadersToAdd { // If set, the header will be used to populate the country ISO code associated with the IP address. @@ -30,7 +30,7 @@ message CommonGeoipProviderConfig { [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; // If set, the header will be used to populate the region ISO code associated with the IP address. - // The least specific subdivision will be selected as region value. + // The least specific subdivision will be selected as the region value. string region = 3 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; @@ -38,35 +38,35 @@ message CommonGeoipProviderConfig { string asn = 4 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - // This field is being deprecated, use ``anon`` instead. + // This field is deprecated; use ``anon`` instead. string is_anon = 5 [ deprecated = true, (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}, (envoy.annotations.deprecated_at_minor_version) = "3.0" ]; - // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g. VPN, public proxy etc) - // and header will be populated with the check result. Header value will be set to either "true" or "false" depending on the check result. + // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g., VPN, public proxy). + // The header will be populated with the check result. Header value will be set to either ``true`` or ``false`` depending on the check result. string anon = 12 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - // If set, the IP address will be checked if it belongs to a VPN and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. + // If set, the IP address will be checked if it belongs to a VPN and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. string anon_vpn = 6 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - // If set, the IP address will be checked if it belongs to a hosting provider and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. + // If set, the IP address will be checked if it belongs to a hosting provider and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. string anon_hosting = 7 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - // If set, the IP address will be checked if it belongs to a TOR exit node and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. + // If set, the IP address will be checked if it belongs to a TOR exit node and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. string anon_tor = 8 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - // If set, the IP address will be checked if it belongs to a public proxy and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. + // If set, the IP address will be checked if it belongs to a public proxy and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. string anon_proxy = 9 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; @@ -74,12 +74,12 @@ message CommonGeoipProviderConfig { string isp = 10 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. + // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. string apple_private_relay = 11 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; } - // Configuration for geolocation headers to add to request. + // Configuration for geolocation headers to add to the request. GeolocationHeadersToAdd geo_headers_to_add = 1 [(validate.rules).message = {required: true}]; } diff --git a/api/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto b/api/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto index fb665ac272e70..c1d7a2480ebd1 100644 --- a/api/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto +++ b/api/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto @@ -18,29 +18,32 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // [#protodoc-title: MaxMind Geolocation Provider] // MaxMind geolocation provider :ref:`configuration overview `. -// At least one geolocation database path :ref:`city_db_path `, -// :ref:`isp_db_path ` or -// :ref:`asn_db_path ` or -// :ref:`anon_db_path ` must be configured. +// +// At least one geolocation database path must be configured: +// +// * :ref:`city_db_path ` +// * :ref:`isp_db_path ` +// * :ref:`asn_db_path ` +// * :ref:`anon_db_path ` // [#extension: envoy.geoip_providers.maxmind] // [#next-free-field: 6] message MaxMindConfig { - // Full file path to the Maxmind city database, e.g. /etc/GeoLite2-City.mmdb. - // Database file is expected to have .mmdb extension. + // Full file path to the MaxMind city database, e.g., ``/etc/GeoLite2-City.mmdb``. + // Database file is expected to have ``.mmdb`` extension. string city_db_path = 1 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; - // Full file path to the Maxmind ASN database, e.g. /etc/GeoLite2-ASN.mmdb. - // Database file is expected to have .mmdb extension. - // When is defined the ASN information will always be fetched from the ``asn_db``. + // Full file path to the MaxMind ASN database, e.g., ``/etc/GeoLite2-ASN.mmdb``. + // Database file is expected to have ``.mmdb`` extension. + // When this is defined, the ASN information will always be fetched from the ``asn_db``. string asn_db_path = 2 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; - // Full file path to the Maxmind anonymous IP database, e.g. /etc/GeoIP2-Anonymous-IP.mmdb. - // Database file is expected to have .mmdb extension. + // Full file path to the MaxMind Anonymous IP database, e.g., ``/etc/GeoIP2-Anonymous-IP.mmdb``. + // Database file is expected to have ``.mmdb`` extension. string anon_db_path = 3 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; - // Full file path to the Maxmind ISP database, e.g. /etc/GeoLite2-ISP.mmdb. - // Database file is expected to have .mmdb extension. + // Full file path to the MaxMind ISP database, e.g., ``/etc/GeoLite2-ISP.mmdb``. + // Database file is expected to have ``.mmdb`` extension. // If ``asn_db_path`` is not defined, ASN information will be fetched from // ``isp_db`` instead. string isp_db_path = 5 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; From 2ea7f49063abf86d7c70d838e238bfe6dbd5c4e0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Sep 2025 10:55:13 +0000 Subject: [PATCH 490/505] build(deps): bump cryptography from 46.0.0 to 46.0.1 in /tools/base (#41158) Signed-off-by: dependabot[bot] Signed-off-by: Ryan Northey --- tools/base/requirements.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index c4499e89df64b..2673f8f3f5016 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -464,10 +464,11 @@ coloredlogs==15.0.1 \ # via # -r requirements.in # aio-run-runner -cryptography==44.0.1 \ - --hash=sha256:436df4f203482f41aad60ed1813811ac4ab102765ecae7a2bbb1dbb66dcff5a7 \ - --hash=sha256:72198e2b5925155497a5a3e8c216c7fb3e64c16ccee11f0e7da272fa93b35c4c \ - --hash=sha256:a2d8a7045e1ab9b9f803f0d9531ead85f90c5f2859e653b61497228b18452008 +cryptography==46.0.1 \ + --hash=sha256:0dfb7c88d4462a0cfdd0d87a3c245a7bc3feb59de101f6ff88194f740f72eda6 \ + --hash=sha256:e22801b61613ebdebf7deb18b507919e107547a1d39a3b57f5f855032dd7cfb8 \ + --hash=sha256:757af4f6341ce7a1e47c326ca2a81f41d236070217e5fbbad61bbfe299d55d28 \ + --hash=sha256:f7a24ea78de345cfa7f6a8d3bde8b242c7fac27f2bd78fa23474ca38dfaeeab9 # via # -r requirements.in # aioquic From 665b84e4ac18692ccfe01da5f9b7f22359e7ba6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Sep 2025 11:18:24 +0000 Subject: [PATCH 491/505] build(deps): bump gitpython from 3.1.44 to 3.1.45 in /tools/base (#40403) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/base/requirements.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index 2673f8f3f5016..52a28b6abe7b6 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -466,8 +466,8 @@ coloredlogs==15.0.1 \ # aio-run-runner cryptography==46.0.1 \ --hash=sha256:0dfb7c88d4462a0cfdd0d87a3c245a7bc3feb59de101f6ff88194f740f72eda6 \ - --hash=sha256:e22801b61613ebdebf7deb18b507919e107547a1d39a3b57f5f855032dd7cfb8 \ --hash=sha256:757af4f6341ce7a1e47c326ca2a81f41d236070217e5fbbad61bbfe299d55d28 \ + --hash=sha256:e22801b61613ebdebf7deb18b507919e107547a1d39a3b57f5f855032dd7cfb8 \ --hash=sha256:f7a24ea78de345cfa7f6a8d3bde8b242c7fac27f2bd78fa23474ca38dfaeeab9 # via # -r requirements.in @@ -702,9 +702,9 @@ gitdb==4.0.11 \ --hash=sha256:81a3407ddd2ee8df444cbacea00e2d038e40150acfa3001696fe0dcf1d3adfa4 \ --hash=sha256:bf5421126136d6d0af55bc1e7c1af1c397a34f5b7bd79e776cd3e89785c2b04b # via gitpython -gitpython==3.1.44 \ - --hash=sha256:9e0e10cda9bed1ee64bc9a6de50e7e38a9c9943241cd7f585f6df3ed28011110 \ - --hash=sha256:c87e30b26253bf5418b01b0660f818967f3c503193838337fe5e573331249269 +gitpython==3.1.45 \ + --hash=sha256:85b0ee964ceddf211c41b9f27a49086010a190fd8132a24e21f362a4b36a791c \ + --hash=sha256:8908cb2e02fb3b93b7eb0f2827125cb699869470432cc885f019b8fd0fccff77 # via -r requirements.in humanfriendly==10.0 \ --hash=sha256:1697e1a8a8f550fd43c2865cd84542fc175a61dcb779b6fee18cf6b6ccba1477 \ From d3b102fa3351952c19705585b8fcefc8f57e11b3 Mon Sep 17 00:00:00 2001 From: code Date: Thu, 25 Sep 2025 00:55:27 +0800 Subject: [PATCH 492/505] formatter: removed legacy router formatter support (#41039) Commit Message: formatter: removed legacy router formatter support Additional Description: Three yeas ago, at #21932, we unified all the formatters to the substitution formatter. And we add a warn log for the legacy UPSTREAM_METADATA and DYNAMIC_METADATA. Now, I think it's time to remove it finally. This PR Removed legacy header formatter support for `%DYNAMIC_METADATA(["namespace", "key", ...])%` and `%UPSTREAM_METADATA(["namespace", "key", ...])%`. Please use `%DYNAMIC_METADATA(namespace:key:...])%` and `%UPSTREAM_METADATA(namespace:key:...])%` as alternatives. This change can be reverted temporarily by setting the runtime guard `envoy.reloadable_features.remove_legacy_route_formatter` to `false`. Risk Level: low. Testing: unit. Docs Changes: n/a. Release Notes: added. --------- Signed-off-by: WangBaiping --- changelogs/current.yaml | 9 +++ .../http/http_conn_man/headers.rst | 2 +- source/common/router/BUILD | 1 + source/common/router/header_parser.cc | 19 ++++--- source/common/router/header_parser_utils.cc | 18 ++++++ source/common/runtime/runtime_features.cc | 4 ++ .../formatter/substitution_formatter_test.cc | 12 +++- test/common/router/BUILD | 1 + test/common/router/config_impl_test.cc | 8 +-- test/common/router/header_formatter_test.cc | 56 +++++++++++++++---- ...e-header_parser_fuzz_test-5163306626580480 | 6 +- .../router/route_corpus/regex_parsing_error | 2 +- .../wrong_UPSTREAM_HEADER_BYTES_RECEIVED | 2 +- test/integration/header_integration_test.cc | 17 +++--- .../http_subset_lb_integration_test.cc | 3 +- 15 files changed, 120 insertions(+), 40 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 7901b280771ee..d89ec4b7c0169 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -76,6 +76,15 @@ minor_behavior_changes: This can be accessed through the ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_RECEIVED%``, ``%UPSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%``, and ``%DOWNSTREAM_DECOMPRESSED_HEADER_BYTES_SENT%`` access log command operators. +- area: formatter + change: | + Deprecated legacy header formatter support for ``%DYNAMIC_METADATA(["namespace", "key", ...])%`` + , ``%UPSTREAM_METADATA(["namespace", "key", ...])%`` and ``%PER_REQUEST_STATE(key)%``. Please use + ``%DYNAMIC_METADATA(namespace:key:...])%``, ``%UPSTREAM_METADATA(namespace:key:...])%`` + and ``%FILTER_STATE(key:PLAIN)%`` as alternatives. + This change is guarded by the runtime flag + ``envoy.reloadable_features.remove_legacy_route_formatter`` and default to ``false`` for now + and will be flipped to ``true`` after two release periods. - area: oauth2 change: | Added response code details to ``401`` local responses generated by the OAuth2 filter. diff --git a/docs/root/configuration/http/http_conn_man/headers.rst b/docs/root/configuration/http/http_conn_man/headers.rst index df30d728f73c2..a84f992d4c9d7 100644 --- a/docs/root/configuration/http/http_conn_man/headers.rst +++ b/docs/root/configuration/http/http_conn_man/headers.rst @@ -702,7 +702,7 @@ headers are modified before the request is sent upstream and the response is not .. attention:: - The following legacy header formatters are still supported, but will be deprecated in the future. + The following legacy header formatters are deprecated and will be removed soon. The equivalent information can be accessed using indicated substitutes. ``%DYNAMIC_METADATA(["namespace", "key", ...])%`` diff --git a/source/common/router/BUILD b/source/common/router/BUILD index fb5d8979aa5f3..ba6ce85acb9b3 100644 --- a/source/common/router/BUILD +++ b/source/common/router/BUILD @@ -496,6 +496,7 @@ envoy_cc_library( "//source/common/http:headers_lib", "//source/common/json:json_loader_lib", "//source/common/protobuf:utility_lib", + "//source/common/runtime:runtime_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", ], ) diff --git a/source/common/router/header_parser.cc b/source/common/router/header_parser.cc index a3f75e621223b..d0e2bbc27ddd6 100644 --- a/source/common/router/header_parser.cc +++ b/source/common/router/header_parser.cc @@ -13,6 +13,7 @@ #include "source/common/http/headers.h" #include "source/common/json/json_loader.h" #include "source/common/protobuf/utility.h" +#include "source/common/runtime/runtime_features.h" #include "absl/strings/str_cat.h" #include "absl/strings/str_replace.h" @@ -38,14 +39,18 @@ parseHttpHeaderFormatter(const envoy::config::core::v3::HeaderValue& header_valu return absl::InvalidArgumentError(":-prefixed or host headers may not be modified"); } - // UPSTREAM_METADATA and DYNAMIC_METADATA must be translated from JSON ["a", "b"] format to colon - // format (a:b) - std::string final_header_value = HeaderParser::translateMetadataFormat(header_value.value()); - // Change PER_REQUEST_STATE to FILTER_STATE. - final_header_value = HeaderParser::translatePerRequestState(final_header_value); + if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.remove_legacy_route_formatter")) { + // UPSTREAM_METADATA and DYNAMIC_METADATA must be translated from JSON ["a", "b"] format to + // colon format (a:b) + std::string final_header_value = HeaderParser::translateMetadataFormat(header_value.value()); + // Change PER_REQUEST_STATE to FILTER_STATE. + final_header_value = HeaderParser::translatePerRequestState(final_header_value); + // Let the substitution formatter parse the final_header_value. + return Envoy::Formatter::FormatterImpl::create(final_header_value, true); + } - // Let the substitution formatter parse the final_header_value. - return Envoy::Formatter::FormatterImpl::create(final_header_value, true); + // Let the substitution formatter parse the header_value. + return Envoy::Formatter::FormatterImpl::create(header_value.value(), true); } } // namespace diff --git a/source/common/router/header_parser_utils.cc b/source/common/router/header_parser_utils.cc index db65eaedbb822..f9210482c1457 100644 --- a/source/common/router/header_parser_utils.cc +++ b/source/common/router/header_parser_utils.cc @@ -1,6 +1,8 @@ #include #include +#include "envoy/server/factory_context.h" + #include "source/common/common/assert.h" #include "source/common/json/json_loader.h" #include "source/common/router/header_parser.h" @@ -64,6 +66,13 @@ std::string HeaderParser::translateMetadataFormat(const std::string& header_valu "Header formatter: JSON format of {}_METADATA parameters has been obsoleted. " "Use colon format: {}", matches[1], new_format.c_str()); + // The parsing should only happen on the main thread and the singleton context should be + // available. In case it is not set in tests or other non-standard Envoy usage, we skip + // counting the deprecated feature usage instead of crashing. + auto* context = Server::Configuration::ServerFactoryContextInstance::getExisting(); + if (context != nullptr) { + context->runtime().countDeprecatedFeatureUse(); + } int subs = absl::StrReplaceAll({{matches[0], new_format}}, &new_header_value); ASSERT(subs > 0); @@ -94,6 +103,15 @@ std::string HeaderParser::translatePerRequestState(const std::string& header_val ENVOY_LOG_MISC(warn, "PER_REQUEST_STATE header formatter has been obsoleted. Use {}", new_format.c_str()); + + // The parsing should only happen on the main thread and the singleton context should be + // available. In case it is not set in tests or other non-standard Envoy usage, we skip + // counting the deprecated feature usage instead of crashing. + auto* context = Server::Configuration::ServerFactoryContextInstance::getExisting(); + if (context != nullptr) { + context->runtime().countDeprecatedFeatureUse(); + } + int subs = absl::StrReplaceAll({{matches[0], new_format}}, &new_header_value); ASSERT(subs > 0); } diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index cce48cee1c088..84eae43b26313 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -167,6 +167,10 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_ext_proc_graceful_grpc_close); FALSE_RUNTIME_GUARD(envoy_reloadable_features_getaddrinfo_no_ai_flags); +// Flag to remove legacy route formatter support in header parser +// Flip to true after two release periods. +FALSE_RUNTIME_GUARD(envoy_reloadable_features_remove_legacy_route_formatter); + // TODO(grnmeira): // Enables the new DNS implementation, a merged implementation of // strict and logical DNS clusters. This new implementation will diff --git a/test/common/formatter/substitution_formatter_test.cc b/test/common/formatter/substitution_formatter_test.cc index a78b171c64661..b7d5f6247bd25 100644 --- a/test/common/formatter/substitution_formatter_test.cc +++ b/test/common/formatter/substitution_formatter_test.cc @@ -4153,7 +4153,7 @@ TEST(SubstitutionFormatterTest, FilterStateSpeciferTest) { Http::TestRequestHeaderMapImpl request_headers; Http::TestResponseHeaderMapImpl response_headers; Http::TestResponseTrailerMapImpl response_trailers; - StreamInfo::MockStreamInfo stream_info; + NiceMock stream_info; std::string body; HttpFormatterContext formatter_context(&request_headers, &response_headers, &response_trailers, @@ -4162,13 +4162,18 @@ TEST(SubstitutionFormatterTest, FilterStateSpeciferTest) { stream_info.filter_state_->setData( "test_key", std::make_unique("test_value"), StreamInfo::FilterState::StateType::ReadOnly); + stream_info.upstream_info_->setUpstreamFilterState( + stream_info.filter_state_); // Reuse the same filter state for test only. EXPECT_CALL(Const(stream_info), filterState()).Times(testing::AtLeast(1)); const std::string expected_json_map = R"EOF( { "test_key_plain": "test_value By PLAIN", "test_key_typed": "test_value By TYPED", - "test_key_field": "test_value" + "test_key_field": "test_value", + "upstream_test_key_plain": "test_value By PLAIN", + "upstream_test_key_typed": "test_value By TYPED", + "upstream_test_key_field": "test_value" } )EOF"; @@ -4177,6 +4182,9 @@ TEST(SubstitutionFormatterTest, FilterStateSpeciferTest) { test_key_plain: '%FILTER_STATE(test_key:PLAIN)%' test_key_typed: '%FILTER_STATE(test_key:TYPED)%' test_key_field: '%FILTER_STATE(test_key:FIELD:test_field)%' + upstream_test_key_plain: '%UPSTREAM_FILTER_STATE(test_key:PLAIN)%' + upstream_test_key_typed: '%UPSTREAM_FILTER_STATE(test_key:TYPED)%' + upstream_test_key_field: '%UPSTREAM_FILTER_STATE(test_key:FIELD:test_field)%' )EOF", key_mapping); JsonFormatterImpl formatter(key_mapping, false); diff --git a/test/common/router/BUILD b/test/common/router/BUILD index 6e9ff2a8cfe27..01afcd9cefa37 100644 --- a/test/common/router/BUILD +++ b/test/common/router/BUILD @@ -490,6 +490,7 @@ envoy_cc_test( "//test/common/stream_info:test_int_accessor_lib", "//test/mocks/api:api_mocks", "//test/mocks/http:http_mocks", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", "//test/mocks/stream_info:stream_info_mocks", "//test/mocks/upstream:host_mocks", diff --git a/test/common/router/config_impl_test.cc b/test/common/router/config_impl_test.cc index d6deff68f1267..70c9c2c027227 100644 --- a/test/common/router/config_impl_test.cc +++ b/test/common/router/config_impl_test.cc @@ -2245,7 +2245,7 @@ class HeaderTransformsDoFormattingTest : public RouteMatcherTest { {0}: - header: key: x-has-variable - value: "%PER_REQUEST_STATE(testing)%" + value: "%FILTER_STATE(testing:PLAIN)%" append_action: OVERWRITE_IF_EXISTS_OR_ADD )EOF"; const std::string yaml = @@ -2281,9 +2281,9 @@ class HeaderTransformsDoFormattingTest : public RouteMatcherTest { transforms = run_request_header_test ? route_entry->requestHeaderTransforms(stream_info, /*do_formatting=*/false) : route_entry->responseHeaderTransforms(stream_info, /*do_formatting=*/false); - EXPECT_THAT( - transforms.headers_to_overwrite_or_add, - ElementsAre(Pair(Http::LowerCaseString("x-has-variable"), "%PER_REQUEST_STATE(testing)%"))); + EXPECT_THAT(transforms.headers_to_overwrite_or_add, + ElementsAre(Pair(Http::LowerCaseString("x-has-variable"), + "%FILTER_STATE(testing:PLAIN)%"))); } }; diff --git a/test/common/router/header_formatter_test.cc b/test/common/router/header_formatter_test.cc index e843fd18a3e16..7056659980b51 100644 --- a/test/common/router/header_formatter_test.cc +++ b/test/common/router/header_formatter_test.cc @@ -17,6 +17,7 @@ #include "test/common/stream_info/test_int_accessor.h" #include "test/mocks/api/mocks.h" #include "test/mocks/http/mocks.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/ssl/mocks.h" #include "test/mocks/stream_info/mocks.h" #include "test/mocks/upstream/host.h" @@ -73,14 +74,11 @@ TEST(HeaderParserTest, TestParse) { {"%DOWNSTREAM_DIRECT_LOCAL_ADDRESS%", {"127.0.0.2:0"}, {}}, {"%DOWNSTREAM_DIRECT_LOCAL_PORT%", {"0"}, {}}, {"%DOWNSTREAM_DIRECT_LOCAL_ADDRESS_WITHOUT_PORT%", {"127.0.0.2"}, {}}, - {"%UPSTREAM_METADATA([\"ns\", \"key\"])%", {"value"}, {}}, - {"[%UPSTREAM_METADATA([\"ns\", \"key\"])%", {"[value"}, {}}, - {"%UPSTREAM_METADATA([\"ns\", \"key\"])%]", {"value]"}, {}}, - {"[%UPSTREAM_METADATA([\"ns\", \"key\"])%]", {"[value]"}, {}}, - {"%UPSTREAM_METADATA([\"ns\", \t \"key\"])%", {"value"}, {}}, - {"%UPSTREAM_METADATA([\"ns\", \n \"key\"])%", {"value"}, {}}, - {"%UPSTREAM_METADATA( \t [ \t \"ns\" \t , \t \"key\" \t ] \t )%", {"value"}, {}}, - {R"EOF(%UPSTREAM_METADATA(["\"quoted\"", "\"key\""])%)EOF", {"value"}, {}}, + {"%UPSTREAM_METADATA(ns:key)%", {"value"}, {}}, + {"[%UPSTREAM_METADATA(ns:key)%", {"[value"}, {}}, + {"%UPSTREAM_METADATA(ns:key)%]", {"value]"}, {}}, + {"[%UPSTREAM_METADATA(ns:key)%]", {"[value]"}, {}}, + {"%UPSTREAM_METADATA(ns:key)%", {"value"}, {}}, {"%UPSTREAM_REMOTE_ADDRESS%", {"10.0.0.1:443"}, {}}, {"%UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%", {"10.0.0.1"}, {}}, {"%UPSTREAM_REMOTE_PORT%", {"443"}, {}}, @@ -242,6 +240,10 @@ TEST(HeaderParserTest, TestParse) { } TEST(HeaderParser, TestMetadataTranslator) { + NiceMock context; + ScopedThreadLocalServerContextSetter setter(context); + EXPECT_CALL(context.runtime_loader_, countDeprecatedFeatureUse()).Times(testing::AtLeast(1)); + struct TestCase { std::string input_; std::string expected_output_; @@ -281,6 +283,10 @@ TEST(HeaderParser, TestMetadataTranslatorExceptions) { } TEST(HeaderParser, TestPerFilterStateTranslator) { + NiceMock context; + ScopedThreadLocalServerContextSetter setter(context); + EXPECT_CALL(context.runtime_loader_, countDeprecatedFeatureUse()).Times(testing::AtLeast(1)); + struct TestCase { std::string input_; std::string expected_output_; @@ -431,7 +437,11 @@ TEST(HeaderParserTest, EvaluateHeaderValuesWithNullStreamInfo) { EXPECT_FALSE(header_map.has("empty")); } -TEST(HeaderParserTest, EvaluateEmptyHeaders) { +TEST(HeaderParserTest, EvaluateEmptyHeadersWithLegacyFormat) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.remove_legacy_route_formatter", "false"}}); + const std::string yaml = R"EOF( match: { prefix: "/new_endpoint" } route: @@ -457,6 +467,32 @@ match: { prefix: "/new_endpoint" } EXPECT_FALSE(header_map.has("x-key")); } +TEST(HeaderParserTest, EvaluateEmptyHeaders) { + const std::string yaml = R"EOF( +match: { prefix: "/new_endpoint" } +route: + cluster: "www2" + prefix_rewrite: "/api/new_endpoint" +request_headers_to_add: + - header: + key: "x-key" + value: "%UPSTREAM_METADATA(namespace:key)%" + append_action: APPEND_IF_EXISTS_OR_ADD +)EOF"; + + HeaderParserPtr req_header_parser = + HeaderParser::configure(parseRouteFromV3Yaml(yaml).request_headers_to_add()).value(); + Http::TestRequestHeaderMapImpl header_map{{":method", "POST"}}; + std::shared_ptr> host( + new NiceMock()); + NiceMock stream_info; + auto metadata = std::make_shared(); + stream_info.upstreamInfo()->setUpstreamHost(host); + ON_CALL(*host, metadata()).WillByDefault(Return(metadata)); + req_header_parser->evaluateHeaders(header_map, stream_info); + EXPECT_FALSE(header_map.has("x-key")); +} + TEST(HeaderParserTest, EvaluateStaticHeaders) { const std::string yaml = R"EOF( match: { prefix: "/new_endpoint" } @@ -508,7 +544,7 @@ match: { prefix: "/new_endpoint" } value: "%PROTOCOL%%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%" - header: key: "x-metadata" - value: "%UPSTREAM_METADATA([\"namespace\", \"%key%\"])%" + value: "%UPSTREAM_METADATA(namespace:%key%)%" - header: key: "x-per-request" value: "%PER_REQUEST_STATE(testing)%" diff --git a/test/common/router/header_parser_corpus/clusterfuzz-testcase-header_parser_fuzz_test-5163306626580480 b/test/common/router/header_parser_corpus/clusterfuzz-testcase-header_parser_fuzz_test-5163306626580480 index 57041ba397712..e4ba6b448326e 100644 --- a/test/common/router/header_parser_corpus/clusterfuzz-testcase-header_parser_fuzz_test-5163306626580480 +++ b/test/common/router/header_parser_corpus/clusterfuzz-testcase-header_parser_fuzz_test-5163306626580480 @@ -1,7 +1,7 @@ headers_to_add { header { key: "P" - value: "%PER_REQUEST_STATE(oB]$T)%" + value: "%FILTER_STATE(oB]$T)%" } } headers_to_add { @@ -13,13 +13,13 @@ headers_to_add { headers_to_add { header { key: "A" - value: "%PER_REQUEST_STATE(dB]$T)%" + value: "%FILTER_STATE(dB]$T)%" } } headers_to_add { header { key: "\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177\177" - value: "%PER_REQUEST_STATE(dB]$T)%" + value: "%FILTER_STATE(dB]$T)%" } append { value: true diff --git a/test/common/router/route_corpus/regex_parsing_error b/test/common/router/route_corpus/regex_parsing_error index 50caaf4f85e42..a551973008ef2 100644 --- a/test/common/router/route_corpus/regex_parsing_error +++ b/test/common/router/route_corpus/regex_parsing_error @@ -14,7 +14,7 @@ config { name: "." typed_config { type_url: "m/envoy.config.route.v3.Route" - value: "\n\002\n\000\022\t\n\001v*\0015\242\002\000J\005\n\003\n\0011JF\nB\n\001$\022=%START_TIME((%%%fenvoy.filters.http.router%\034f%256\\002\\0N\\ss)% \001J\005\n\003\n\001$J\205\001\n\202\001\n\001$\022}%START_TIME((%%%fenvoy%PER_REQUEST_STATE(%fenvoy.type.v3.Int64Ra%TUEST_STATE(%f%ss[%%s.filters.http.router%\034f%256\\002\\0N\\ss)%J\010\n\006\n\0011\022\001\003b\001?b\021x-forwarded-protob\021x-forwarded-protor\001v\202\001\000" + value: "\n\002\n\000\022\t\n\001v*\0015\242\002\000J\005\n\003\n\0011JF\nB\n\001$\022=%START_TIME((%%%fenvoy.filters.http.router%\034f%256\\002\\0N\\ss)% \001J\005\n\003\n\001$J\205\001\n\202\001\n\001$\022}%START_TIME((%%%fenvoy%FILTER_STATE(%fenvoy.type.v3.Int64Ra%TUEST_STATE(%f%ss[%%s.filters.http.router%\034f%256\\002\\0N\\ss)%J\010\n\006\n\0011\022\001\003b\001?b\021x-forwarded-protob\021x-forwarded-protor\001v\202\001\000" } } } diff --git a/test/common/router/route_corpus/wrong_UPSTREAM_HEADER_BYTES_RECEIVED b/test/common/router/route_corpus/wrong_UPSTREAM_HEADER_BYTES_RECEIVED index 268698223fa0d..07d36871db874 100644 --- a/test/common/router/route_corpus/wrong_UPSTREAM_HEADER_BYTES_RECEIVED +++ b/test/common/router/route_corpus/wrong_UPSTREAM_HEADER_BYTES_RECEIVED @@ -13,7 +13,7 @@ config { request_headers_to_add { header { key: "[" - value: "`%START_TIME()%%REQ(T_||?|STARTO2s)%%UPSTREAM_HEADER_BYTES_RECEIVED%%PER_REQUEST_STATE(%f(%f%sRESPONSE_259462C_Swwwwww`TART_TIME()%%REQ(T_||?|STARTOC_Swwwwww`%START_TIME()%%REQ(T_||?|STARTOC_SwwwwwwUB(UB(OD)%T%START_TIME()%%REQ(T_<|?|STARTOC_SwwwwwwUB(UB(OD)%TA" + value: "`%START_TIME()%%REQ(T_||?|STARTO2s)%%UPSTREAM_HEADER_BYTES_RECEIVED%%FILTER_STATE(%f(%f%sRESPONSE_259462C_Swwwwww`TART_TIME()%%REQ(T_||?|STARTOC_Swwwwww`%START_TIME()%%REQ(T_||?|STARTOC_SwwwwwwUB(UB(OD)%T%START_TIME()%%REQ(T_<|?|STARTOC_SwwwwwwUB(UB(OD)%TA" } } } diff --git a/test/integration/header_integration_test.cc b/test/integration/header_integration_test.cc index 8c1f0c007a662..5248983d35fd1 100644 --- a/test/integration/header_integration_test.cc +++ b/test/integration/header_integration_test.cc @@ -307,25 +307,24 @@ class HeaderIntegrationTest if (use_eds_) { addHeader(route_config->mutable_response_headers_to_add(), "x-routeconfig-dynamic", - R"(%UPSTREAM_METADATA(["test.namespace", "key"])%)", append); + R"(%UPSTREAM_METADATA(test.namespace:key)%)", append); // Iterate over VirtualHosts, nested Routes and WeightedClusters, adding a dynamic // response header. for (auto& vhost : *route_config->mutable_virtual_hosts()) { addHeader(vhost.mutable_response_headers_to_add(), "x-vhost-dynamic", - R"(vhost:%UPSTREAM_METADATA(["test.namespace", "key"])%)", append); + R"(vhost:%UPSTREAM_METADATA(test.namespace:key)%)", append); for (auto& route : *vhost.mutable_routes()) { addHeader(route.mutable_response_headers_to_add(), "x-route-dynamic", - R"(route:%UPSTREAM_METADATA(["test.namespace", "key"])%)", append); + R"(route:%UPSTREAM_METADATA(test.namespace:key)%)", append); if (route.has_route()) { auto* route_action = route.mutable_route(); if (route_action->has_weighted_clusters()) { for (auto& c : *route_action->mutable_weighted_clusters()->mutable_clusters()) { addHeader(c.mutable_response_headers_to_add(), "x-weighted-cluster-dynamic", - R"(weighted:%UPSTREAM_METADATA(["test.namespace", "key"])%)", - append); + R"(weighted:%UPSTREAM_METADATA(test.namespace:key)%)", append); } } } @@ -1390,24 +1389,24 @@ TEST_P(EmptyHeaderIntegrationTest, AllProtocolsPassEmptyHeaders) { *vhost.add_request_headers_to_add() = TestUtility::parseYaml(R"EOF( header: key: "x-ds-add-empty" - value: "%PER_REQUEST_STATE(does.not.exist)%" + value: "%FILTER_STATE(does.not.exist:PLAIN)%" keep_empty_value: true )EOF"); *vhost.add_request_headers_to_add() = TestUtility::parseYaml(R"EOF( header: key: "x-ds-no-add-empty" - value: "%PER_REQUEST_STATE(does.not.exist)%" + value: "%FILTER_STATE(does.not.exist:PLAIN)%" )EOF"); *vhost.add_response_headers_to_add() = TestUtility::parseYaml(R"EOF( header: key: "x-us-add-empty" - value: "%PER_REQUEST_STATE(does.not.exist)%" + value: "%FILTER_STATE(does.not.exist:PLAIN)%" keep_empty_value: true )EOF"); *vhost.add_response_headers_to_add() = TestUtility::parseYaml(R"EOF( header: key: "x-us-no-add-empty" - value: "%PER_REQUEST_STATE(does.not.exist)%" + value: "%FILTER_STATE(does.not.exist:PLAIN)%" )EOF"); config_helper_.addVirtualHost(vhost); diff --git a/test/integration/http_subset_lb_integration_test.cc b/test/integration/http_subset_lb_integration_test.cc index 11707c624851b..da7eafe04c67b 100644 --- a/test/integration/http_subset_lb_integration_test.cc +++ b/test/integration/http_subset_lb_integration_test.cc @@ -98,8 +98,7 @@ class HttpSubsetLbIntegrationTest auto* resp_header = vhost->add_response_headers_to_add(); auto* header = resp_header->mutable_header(); header->set_key(host_type_header_); - header->set_value( - fmt::format(R"EOF(%UPSTREAM_METADATA(["envoy.lb", "{}"])%)EOF", type_key_)); + header->set_value(fmt::format(R"EOF(%UPSTREAM_METADATA(envoy.lb:{})%)EOF", type_key_)); resp_header = vhost->add_response_headers_to_add(); header = resp_header->mutable_header(); From 1decf60fdf58e97dea069a801aa6f157b7b47f9c Mon Sep 17 00:00:00 2001 From: botengyao Date: Wed, 24 Sep 2025 13:13:39 -0400 Subject: [PATCH 493/505] network ext_proc: improve the test to consider TCP fragmentation (#41207) The TCP read can be partial, improve the integration tests to consider this to eliminate flakiness. Risk Level: low --------- Signed-off-by: Boteng Yao --- .../ext_proc/ext_proc_integration_test.cc | 38 ++++++++++++++++--- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc index a1d44f4bf9ac7..e339bd9fa6fb8 100644 --- a/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/network/ext_proc/ext_proc_integration_test.cc @@ -486,13 +486,41 @@ TEST_P(NetworkExtProcFilterIntegrationTest, TcpProxyUpstreamHalfCloseBothWays) { ProcessingRequest write_request; ASSERT_TRUE(processor_stream_->waitForGrpcMessage(*dispatcher_, write_request)); - EXPECT_EQ(write_request.has_write_data(), true); - EXPECT_EQ(write_request.write_data().data(), "server_response"); - EXPECT_EQ(write_request.write_data().end_of_stream(), true); - sendWriteGrpcMessage("server_data_inspected", true); + if (!write_request.write_data().end_of_stream()) { + size_t total_upstream_data = 0; + // We got partial data without end_of_stream + std::string partial_data = write_request.write_data().data(); + std::string partial_response = partial_data + "_inspected"; + sendWriteGrpcMessage(partial_response, false); - tcp_client->waitForData("server_data_inspected"); + // Wait for client to receive the partial data + total_upstream_data += partial_response.length(); + ASSERT_TRUE(tcp_client->waitForData(total_upstream_data)); + + // Wait for the final message with end_of_stream + ProcessingRequest final_request; + ASSERT_TRUE(processor_stream_->waitForGrpcMessage(*dispatcher_, final_request)); + EXPECT_EQ(final_request.has_write_data(), true); + EXPECT_EQ(final_request.write_data().end_of_stream(), true); + + // Respond to the final message + std::string final_data = final_request.write_data().data(); + std::string final_response = final_data.empty() ? "" : final_data + "_inspected"; + sendReadGrpcMessage(final_response, true); + + // Wait for the final data if non-empty + if (!final_response.empty()) { + total_upstream_data += final_response.length(); + ASSERT_TRUE(tcp_client->waitForData(total_upstream_data)); + } + } else { + // We got the complete data with end_of_stream in one message + EXPECT_EQ(write_request.write_data().data(), "server_response"); + EXPECT_EQ(write_request.write_data().end_of_stream(), true); + sendWriteGrpcMessage("server_data_inspected", true); + tcp_client->waitForData("server_data_inspected"); + } // Close everything ASSERT_TRUE(fake_upstream_connection->close()); From f1004fa4ee2203ca706a848ac9b7aa6d375756fa Mon Sep 17 00:00:00 2001 From: Greg Greenway Date: Wed, 24 Sep 2025 10:29:29 -0700 Subject: [PATCH 494/505] load_balancers: fix crash on invalid endpoint update with health checks (#41114) Signed-off-by: Greg Greenway --- envoy/upstream/load_balancer.h | 8 ++ envoy/upstream/upstream.h | 6 +- source/common/common/callback_impl.h | 33 +++++-- source/common/config/context_provider_impl.h | 2 +- source/common/router/rds_impl.h | 2 +- source/common/secret/sds_api.h | 8 +- .../common/upstream/cluster_manager_impl.cc | 4 +- .../common/upstream/outlier_detection_impl.cc | 3 +- source/common/upstream/upstream_impl.cc | 27 ++++-- source/common/upstream/upstream_impl.h | 28 +++--- .../extensions/clusters/aggregate/cluster.cc | 1 - source/extensions/clusters/dns/dns_cluster.cc | 11 +-- source/extensions/clusters/eds/eds.cc | 3 +- .../clusters/static/static_cluster.cc | 4 +- .../clusters/strict_dns/strict_dns_cluster.cc | 5 +- .../local_ratelimit/local_ratelimit_impl.cc | 6 +- .../network/redis_proxy/conn_pool_impl.cc | 3 +- .../filters/udp/udp_proxy/udp_proxy_filter.cc | 1 - .../common/health_checker_base_impl.cc | 3 +- .../client_side_weighted_round_robin_lb.cc | 11 +-- .../client_side_weighted_round_robin_lb.h | 2 +- .../common/load_balancer_impl.cc | 19 ++-- .../common/thread_aware_lb_impl.cc | 94 +++++++++++-------- .../common/thread_aware_lb_impl.h | 4 +- .../subset/subset_lb.cc | 1 - .../subset/subset_lb.h | 4 +- .../subset/subset_lb_config.h | 7 ++ source/server/drain_manager_impl.h | 2 +- test/common/common/callback_impl_test.cc | 4 +- test/coverage.yaml | 1 + test/integration/eds_integration_test.cc | 44 +++++++++ test/mocks/config/mocks.h | 2 +- test/mocks/upstream/host_set.h | 5 +- test/mocks/upstream/priority_set.cc | 4 +- test/mocks/upstream/priority_set.h | 4 +- 35 files changed, 227 insertions(+), 139 deletions(-) diff --git a/envoy/upstream/load_balancer.h b/envoy/upstream/load_balancer.h index ae252e524f3b6..65db38b85d586 100644 --- a/envoy/upstream/load_balancer.h +++ b/envoy/upstream/load_balancer.h @@ -333,6 +333,14 @@ using ThreadAwareLoadBalancerPtr = std::unique_ptr; class LoadBalancerConfig { public: virtual ~LoadBalancerConfig() = default; + + /** + * Optional method to allow a load balancer to validate endpoints before they're applied. If an + * error is returned from this method, the endpoints are rejected. If this method does not return + * an error, the load balancer must be able to use these endpoints in an update from the priority + * set. + */ + virtual absl::Status validateEndpoints(const PriorityState&) const { return absl::OkStatus(); } }; using LoadBalancerConfigPtr = std::unique_ptr; diff --git a/envoy/upstream/upstream.h b/envoy/upstream/upstream.h index 5e269ecb58501..7389dc26cd68e 100644 --- a/envoy/upstream/upstream.h +++ b/envoy/upstream/upstream.h @@ -499,10 +499,10 @@ using HostSetPtr = std::unique_ptr; class PrioritySet { public: using MemberUpdateCb = - std::function; + std::function; - using PriorityUpdateCb = std::function; + using PriorityUpdateCb = std::function; virtual ~PrioritySet() = default; diff --git a/source/common/common/callback_impl.h b/source/common/common/callback_impl.h index 628043e11bdf6..c14aabe63b33a 100644 --- a/source/common/common/callback_impl.h +++ b/source/common/common/callback_impl.h @@ -21,9 +21,9 @@ namespace Common { * * @see ThreadSafeCallbackManager for dealing with callbacks across multiple threads */ -template class CallbackManager { +template class CallbackManager { public: - using Callback = std::function; + using Callback = std::function; /** * Add a callback. @@ -46,12 +46,16 @@ template class CallbackManager { * to change (specifically, it will crash if the next callback in the list is deleted). * @param args supplies the callback arguments. */ - absl::Status runCallbacks(CallbackArgs... args) { + ReturnType runCallbacks(CallbackArgs... args) { for (auto it = callbacks_.cbegin(); it != callbacks_.cend();) { auto current = *(it++); - RETURN_IF_NOT_OK(current->cb_(args...)); + if constexpr (std::is_same_v) { + RETURN_IF_NOT_OK(current->cb_(args...)); + } else { + current->cb_(args...); + } } - return absl::OkStatus(); + return defaultReturn(); } /** @@ -62,12 +66,16 @@ template class CallbackManager { * @param run_with function that is responsible for generating inputs to callbacks. This will be * executed once for each callback. */ - absl::Status runCallbacksWith(std::function(void)> run_with) { + ReturnType runCallbacksWith(std::function(void)> run_with) { for (auto it = callbacks_.cbegin(); it != callbacks_.cend();) { auto cb = *(it++); - RETURN_IF_NOT_OK(std::apply(cb->cb_, run_with())); + if constexpr (std::is_same_v) { + RETURN_IF_NOT_OK(std::apply(cb->cb_, run_with())); + } else { + std::apply(cb->cb_, run_with()); + } } - return absl::OkStatus(); + return defaultReturn(); } size_t size() const noexcept { return callbacks_.size(); } @@ -100,6 +108,15 @@ template class CallbackManager { */ void remove(typename std::list::iterator& it) { callbacks_.erase(it); } + // Templating helper + ReturnType defaultReturn() { + if constexpr (std::is_same_v) { + return absl::OkStatus(); + } else { + return void(); + } + } + std::list callbacks_; // This is a sentinel shared_ptr used for keeping track of whether the manager is still alive. // It is only held by weak reference in the callback holder above. This is used versus having diff --git a/source/common/config/context_provider_impl.h b/source/common/config/context_provider_impl.h index 46156a73ed31e..69200d406ec92 100644 --- a/source/common/config/context_provider_impl.h +++ b/source/common/config/context_provider_impl.h @@ -52,7 +52,7 @@ class ContextProviderImpl : public ContextProvider { const xds::core::v3::ContextParams node_context_; // Map from resource type URL to dynamic context parameters. absl::flat_hash_map dynamic_context_; - mutable Common::CallbackManager update_cb_helper_; + mutable Common::CallbackManager update_cb_helper_; }; } // namespace Config diff --git a/source/common/router/rds_impl.h b/source/common/router/rds_impl.h index 0ffca155a3a94..cdfbfc1bd657f 100644 --- a/source/common/router/rds_impl.h +++ b/source/common/router/rds_impl.h @@ -94,7 +94,7 @@ class RdsRouteConfigSubscription : public Rds::RdsRouteConfigSubscription { VhdsSubscriptionPtr vhds_subscription_; RouteConfigUpdatePtr config_update_info_; - Common::CallbackManager<> update_callback_manager_; + Common::CallbackManager update_callback_manager_; // Access to addUpdateCallback friend class ScopedRdsConfigSubscription; diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index a596a03321124..2cd521ab83890 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -71,7 +71,7 @@ class SdsApi : public Envoy::Config::SubscriptionBase< // Refresh secrets, e.g. re-resolve symlinks in secret paths. virtual void resolveSecret(const FileContentMap& /*files*/) {}; virtual void validateConfig(const envoy::extensions::transport_sockets::tls::v3::Secret&) PURE; - Common::CallbackManager<> update_callback_manager_; + Common::CallbackManager update_callback_manager_; // Config::SubscriptionCallbacks absl::Status onConfigUpdate(const std::vector& resources, @@ -229,6 +229,7 @@ class CertificateValidationContextSdsApi : public SdsApi, CertificateValidationContextPtr resolved_certificate_validation_context_secrets_; // Path based certificates are inlined for future read consistency. Common::CallbackManager< + absl::Status, const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext&> validation_callback_manager_; }; @@ -282,7 +283,7 @@ class TlsSessionTicketKeysSdsApi : public SdsApi, public TlsSessionTicketKeysCon private: Secret::TlsSessionTicketKeysPtr tls_session_ticket_keys_; Common::CallbackManager< - const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys&> + absl::Status, const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys&> validation_callback_manager_; }; @@ -333,7 +334,8 @@ class GenericSecretSdsApi : public SdsApi, public GenericSecretConfigProvider { private: GenericSecretPtr generic_secret_; - Common::CallbackManager + Common::CallbackManager validation_callback_manager_; }; diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index ab8f102afec56..11cd469e0c67b 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -555,7 +555,7 @@ absl::Status ClusterManagerImpl::onClusterInit(ClusterManagerCluster& cm_cluster // This is used by cluster types such as EDS clusters to drain the connection pools of removed // hosts. cluster_data->second->member_update_cb_ = cluster.prioritySet().addMemberUpdateCb( - [&cluster, this](const HostVector&, const HostVector& hosts_removed) -> absl::Status { + [&cluster, this](const HostVector&, const HostVector& hosts_removed) { if (cluster.info()->lbConfig().close_connections_on_host_set_change()) { for (const auto& host_set : cluster.prioritySet().hostSetsPerPriority()) { // This will drain all tcp and http connection pools. @@ -572,7 +572,6 @@ absl::Status ClusterManagerImpl::onClusterInit(ClusterManagerCluster& cm_cluster postThreadLocalRemoveHosts(cluster, hosts_removed); } } - return absl::OkStatus(); }); // This is used by cluster types such as EDS clusters to update the cluster @@ -613,7 +612,6 @@ absl::Status ClusterManagerImpl::onClusterInit(ClusterManagerCluster& cm_cluster postThreadLocalClusterUpdate( cm_cluster, ThreadLocalClusterUpdateParams(priority, hosts_added, hosts_removed)); } - return absl::OkStatus(); }); // Finally, post updates cross-thread so the per-thread load balancers are ready. First we diff --git a/source/common/upstream/outlier_detection_impl.cc b/source/common/upstream/outlier_detection_impl.cc index 2135f8f016da5..1a8bed06adeb8 100644 --- a/source/common/upstream/outlier_detection_impl.cc +++ b/source/common/upstream/outlier_detection_impl.cc @@ -324,7 +324,7 @@ void DetectorImpl::initialize(Cluster& cluster) { }); } member_update_cb_ = cluster.prioritySet().addMemberUpdateCb( - [this](const HostVector& hosts_added, const HostVector& hosts_removed) -> absl::Status { + [this](const HostVector& hosts_added, const HostVector& hosts_removed) { for (const HostSharedPtr& host : hosts_added) { addHostMonitor(host); } @@ -338,7 +338,6 @@ void DetectorImpl::initialize(Cluster& cluster) { host_monitors_.erase(host); } - return absl::OkStatus(); }); armIntervalTimer(); diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index d1d9fdddcb007..02d3a076df239 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -748,7 +748,7 @@ void HostSetImpl::updateHosts(PrioritySet::UpdateHostsParams&& update_hosts_para excluded_hosts_per_locality_ = std::move(update_hosts_params.excluded_hosts_per_locality); locality_weights_ = std::move(locality_weights); - THROW_IF_NOT_OK(runUpdateCallbacks(hosts_added, hosts_removed)); + runUpdateCallbacks(hosts_added, hosts_removed); } PrioritySet::UpdateHostsParams @@ -829,7 +829,7 @@ void PrioritySetImpl::updateHosts(uint32_t priority, UpdateHostsParams&& update_ hosts_removed, weighted_priority_health, overprovisioning_factor); if (!batch_update_) { - THROW_IF_NOT_OK(runUpdateCallbacks(hosts_added, hosts_removed)); + runUpdateCallbacks(hosts_added, hosts_removed); } } @@ -843,7 +843,7 @@ void PrioritySetImpl::batchHostUpdate(BatchUpdateCb& callback) { HostVector net_hosts_added = filterHosts(scope.all_hosts_added_, scope.all_hosts_removed_); HostVector net_hosts_removed = filterHosts(scope.all_hosts_removed_, scope.all_hosts_added_); - THROW_IF_NOT_OK(runUpdateCallbacks(net_hosts_added, net_hosts_removed)); + runUpdateCallbacks(net_hosts_added, net_hosts_removed); } void PrioritySetImpl::BatchUpdateScope::updateHosts( @@ -1609,7 +1609,6 @@ ClusterImplBase::ClusterImplBase(const envoy::config::cluster::v3::Cluster& clus info_->endpointStats().membership_healthy_.set(healthy_hosts); info_->endpointStats().membership_degraded_.set(degraded_hosts); info_->endpointStats().membership_excluded_.set(excluded_hosts); - return absl::OkStatus(); }); // Drop overload configuration parsing. SET_AND_RETURN_IF_NOT_OK(parseDropOverloadConfig(cluster.load_assignment()), creation_status); @@ -1867,11 +1866,21 @@ ClusterImplBase::resolveProtoAddress(const envoy::config::core::v3::Address& add return resolve_status; } -absl::Status ClusterImplBase::validateEndpointsForZoneAwareRouting( - const envoy::config::endpoint::v3::LocalityLbEndpoints& endpoints) const { - if (local_cluster_ && endpoints.priority() > 0) { - return absl::InvalidArgumentError( - fmt::format("Unexpected non-zero priority for local cluster '{}'.", info()->name())); +absl::Status ClusterImplBase::validateEndpoints( + absl::Span localities, + OptRef priorities) const { + for (const auto* endpoints : localities) { + if (local_cluster_ && endpoints->priority() > 0) { + return absl::InvalidArgumentError( + fmt::format("Unexpected non-zero priority for local cluster '{}'.", info()->name())); + } + } + + if (priorities.has_value()) { + OptRef lb_config = info_->loadBalancerConfig(); + if (lb_config.has_value()) { + return lb_config->validateEndpoints(*priorities); + } } return absl::OkStatus(); } diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 481c3602d2fe7..d91e610716679 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -621,9 +621,8 @@ class HostSetImpl : public HostSet { absl::optional overprovisioning_factor = absl::nullopt); protected: - virtual absl::Status runUpdateCallbacks(const HostVector& hosts_added, - const HostVector& hosts_removed) { - return member_update_cb_helper_.runCallbacks(priority_, hosts_added, hosts_removed); + virtual void runUpdateCallbacks(const HostVector& hosts_added, const HostVector& hosts_removed) { + member_update_cb_helper_.runCallbacks(priority_, hosts_added, hosts_removed); } private: @@ -639,7 +638,7 @@ class HostSetImpl : public HostSet { HostsPerLocalityConstSharedPtr degraded_hosts_per_locality_{HostsPerLocalityImpl::empty()}; HostsPerLocalityConstSharedPtr excluded_hosts_per_locality_{HostsPerLocalityImpl::empty()}; // TODO(mattklein123): Remove mutable. - mutable Common::CallbackManager + mutable Common::CallbackManager member_update_cb_helper_; // Locality weights. LocalityWeightsConstSharedPtr locality_weights_; @@ -693,13 +692,12 @@ class PrioritySetImpl : public PrioritySet { overprovisioning_factor); } - virtual absl::Status runUpdateCallbacks(const HostVector& hosts_added, - const HostVector& hosts_removed) { - return member_update_cb_helper_.runCallbacks(hosts_added, hosts_removed); + virtual void runUpdateCallbacks(const HostVector& hosts_added, const HostVector& hosts_removed) { + member_update_cb_helper_.runCallbacks(hosts_added, hosts_removed); } - virtual absl::Status runReferenceUpdateCallbacks(uint32_t priority, const HostVector& hosts_added, - const HostVector& hosts_removed) { - return priority_update_cb_helper_.runCallbacks(priority, hosts_added, hosts_removed); + virtual void runReferenceUpdateCallbacks(uint32_t priority, const HostVector& hosts_added, + const HostVector& hosts_removed) { + priority_update_cb_helper_.runCallbacks(priority, hosts_added, hosts_removed); } // This vector will generally have at least one member, for priority level 0. // It will expand as host sets are added but currently does not shrink to @@ -714,8 +712,9 @@ class PrioritySetImpl : public PrioritySet { // because host_sets_ is directly returned so we avoid translation. std::vector host_sets_priority_update_cbs_; // TODO(mattklein123): Remove mutable. - mutable Common::CallbackManager member_update_cb_helper_; - mutable Common::CallbackManager + mutable Common::CallbackManager + member_update_cb_helper_; + mutable Common::CallbackManager priority_update_cb_helper_; bool batch_update_ : 1; @@ -1234,8 +1233,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable endpoints, + OptRef priorities) const; private: static const absl::string_view DoNotValidateAlpnRuntimeKey; diff --git a/source/extensions/clusters/aggregate/cluster.cc b/source/extensions/clusters/aggregate/cluster.cc index 83eee4420f30a..a4a82aa4176e3 100644 --- a/source/extensions/clusters/aggregate/cluster.cc +++ b/source/extensions/clusters/aggregate/cluster.cc @@ -49,7 +49,6 @@ void AggregateClusterLoadBalancer::addMemberUpdateCallbackForCluster( ENVOY_LOG(debug, "member update for cluster '{}' in aggregate cluster '{}'", target_cluster_info->name(), parent_info_->name()); refresh(); - return absl::OkStatus(); }); } diff --git a/source/extensions/clusters/dns/dns_cluster.cc b/source/extensions/clusters/dns/dns_cluster.cc index b9939cb52e718..9919fdb2cfd1e 100644 --- a/source/extensions/clusters/dns/dns_cluster.cc +++ b/source/extensions/clusters/dns/dns_cluster.cc @@ -184,13 +184,10 @@ DnsClusterImpl::DnsClusterImpl(const envoy::config::cluster::v3::Cluster& cluste return; } } else { // Strict DNS - for (const auto& locality_lb_endpoint : locality_lb_endpoints) { - // Strict DNS clusters must ensure that the priority for all localities - // are set to zero when using zone-aware routing. Zone-aware routing only - // works for localities with priority zero (the highest). - SET_AND_RETURN_IF_NOT_OK(validateEndpointsForZoneAwareRouting(locality_lb_endpoint), - creation_status); - } + // Strict DNS clusters must ensure that the priority for all localities + // are set to zero when using zone-aware routing. Zone-aware routing only + // works for localities with priority zero (the highest). + SET_AND_RETURN_IF_NOT_OK(validateEndpoints(locality_lb_endpoints, {}), creation_status); } for (const auto& locality_lb_endpoint : locality_lb_endpoints) { diff --git a/source/extensions/clusters/eds/eds.cc b/source/extensions/clusters/eds/eds.cc index c86a270db4467..ae4eba177a231 100644 --- a/source/extensions/clusters/eds/eds.cc +++ b/source/extensions/clusters/eds/eds.cc @@ -77,8 +77,6 @@ void EdsClusterImpl::BatchUpdateHelper::batchUpdate(PrioritySet::HostUpdateCb& h absl::flat_hash_set all_new_hosts; PriorityStateManager priority_state_manager(parent_, parent_.local_info_, &host_update_cb); for (const auto& locality_lb_endpoint : cluster_load_assignment_.endpoints()) { - THROW_IF_NOT_OK(parent_.validateEndpointsForZoneAwareRouting(locality_lb_endpoint)); - priority_state_manager.initializePriorityFor(locality_lb_endpoint); if (locality_lb_endpoint.has_leds_cluster_locality_config()) { @@ -120,6 +118,7 @@ void EdsClusterImpl::BatchUpdateHelper::batchUpdate(PrioritySet::HostUpdateCb& h // Loop over all priorities that exist in the new configuration. auto& priority_state = priority_state_manager.priorityState(); + THROW_IF_NOT_OK(parent_.validateEndpoints(cluster_load_assignment_.endpoints(), priority_state)); for (size_t i = 0; i < priority_state.size(); ++i) { if (parent_.locality_weights_map_.size() <= i) { parent_.locality_weights_map_.resize(i + 1); diff --git a/source/extensions/clusters/static/static_cluster.cc b/source/extensions/clusters/static/static_cluster.cc index 42a4a8798c769..25f8e18537f36 100644 --- a/source/extensions/clusters/static/static_cluster.cc +++ b/source/extensions/clusters/static/static_cluster.cc @@ -20,7 +20,6 @@ StaticClusterImpl::StaticClusterImpl(const envoy::config::cluster::v3::Cluster& weighted_priority_health_ = cluster_load_assignment.policy().weighted_priority_health(); for (const auto& locality_lb_endpoint : cluster_load_assignment.endpoints()) { - THROW_IF_NOT_OK(validateEndpointsForZoneAwareRouting(locality_lb_endpoint)); priority_state_manager_->initializePriorityFor(locality_lb_endpoint); for (const auto& lb_endpoint : locality_lb_endpoint.lb_endpoints()) { std::vector address_list; @@ -47,6 +46,9 @@ StaticClusterImpl::StaticClusterImpl(const envoy::config::cluster::v3::Cluster& address_list, locality_lb_endpoint, lb_endpoint); } } + + THROW_IF_NOT_OK(validateEndpoints(cluster_load_assignment.endpoints(), + priority_state_manager_->priorityState())); } void StaticClusterImpl::startPreInit() { diff --git a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc index 5f2ab6ac8f36f..49f281be43ddb 100644 --- a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc +++ b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc @@ -42,15 +42,16 @@ StrictDnsClusterImpl::StrictDnsClusterImpl( respect_dns_ttl_(dns_cluster.respect_dns_ttl()), dns_lookup_family_( Envoy::DnsUtils::getDnsLookupFamilyFromEnum(dns_cluster.dns_lookup_family())) { + RETURN_ONLY_IF_NOT_OK_REF(creation_status); + failure_backoff_strategy_ = Config::Utility::prepareDnsRefreshStrategy( dns_cluster, dns_refresh_rate_ms_.count(), context.serverFactoryContext().api().randomGenerator()); std::list resolve_targets; const auto& locality_lb_endpoints = load_assignment_.endpoints(); + THROW_IF_NOT_OK(validateEndpoints(locality_lb_endpoints, {})); for (const auto& locality_lb_endpoint : locality_lb_endpoints) { - THROW_IF_NOT_OK(validateEndpointsForZoneAwareRouting(locality_lb_endpoint)); - for (const auto& lb_endpoint : locality_lb_endpoint.lb_endpoints()) { const auto& socket_address = lb_endpoint.endpoint().address().socket_address(); if (!socket_address.resolver_name().empty()) { diff --git a/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.cc b/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.cc index 1ff6b295b0d52..7b2f94da8cb25 100644 --- a/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.cc +++ b/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.cc @@ -37,10 +37,8 @@ ShareProviderManager::ShareProviderManager(Event::Dispatcher& main_dispatcher, : main_dispatcher_(main_dispatcher), cluster_(cluster) { // It's safe to capture the local cluster reference here because the local cluster is // guaranteed to be static cluster and should never be removed. - handle_ = cluster_.prioritySet().addMemberUpdateCb([this](const auto&, const auto&) { - share_monitor_->onLocalClusterUpdate(cluster_); - return absl::OkStatus(); - }); + handle_ = cluster_.prioritySet().addMemberUpdateCb( + [this](const auto&, const auto&) { share_monitor_->onLocalClusterUpdate(cluster_); }); share_monitor_ = std::make_shared(); share_monitor_->onLocalClusterUpdate(cluster_); } diff --git a/source/extensions/filters/network/redis_proxy/conn_pool_impl.cc b/source/extensions/filters/network/redis_proxy/conn_pool_impl.cc index 2facc0d8852e8..76eabcc5cf103 100644 --- a/source/extensions/filters/network/redis_proxy/conn_pool_impl.cc +++ b/source/extensions/filters/network/redis_proxy/conn_pool_impl.cc @@ -170,10 +170,9 @@ void InstanceImpl::ThreadLocalPool::onClusterAddOrUpdateNonVirtual( ASSERT(host_set_member_update_cb_handle_ == nullptr); host_set_member_update_cb_handle_ = cluster_->prioritySet().addMemberUpdateCb( [this](const std::vector& hosts_added, - const std::vector& hosts_removed) -> absl::Status { + const std::vector& hosts_removed) { onHostsAdded(hosts_added); onHostsRemoved(hosts_removed); - return absl::OkStatus(); }); ASSERT(host_address_map_.empty()); diff --git a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc index 0d2899dc53385..f5c3322021cdf 100644 --- a/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc +++ b/source/extensions/filters/udp/udp_proxy/udp_proxy_filter.cc @@ -225,7 +225,6 @@ UdpProxyFilter::ClusterInfo::ClusterInfo(UdpProxyFilter& filter, host_to_sessions_.erase(host_sessions_it); } } - return absl::OkStatus(); })) {} UdpProxyFilter::ClusterInfo::~ClusterInfo() { diff --git a/source/extensions/health_checkers/common/health_checker_base_impl.cc b/source/extensions/health_checkers/common/health_checker_base_impl.cc index 04eb57f7b6a20..3923e1eaba570 100644 --- a/source/extensions/health_checkers/common/health_checker_base_impl.cc +++ b/source/extensions/health_checkers/common/health_checker_base_impl.cc @@ -40,9 +40,8 @@ HealthCheckerImplBase::HealthCheckerImplBase(const Cluster& cluster, transport_socket_options_(initTransportSocketOptions(config)), transport_socket_match_metadata_(initTransportSocketMatchMetadata(config)), member_update_cb_{cluster_.prioritySet().addMemberUpdateCb( - [this](const HostVector& hosts_added, const HostVector& hosts_removed) -> absl::Status { + [this](const HostVector& hosts_added, const HostVector& hosts_removed) { onClusterMemberUpdate(hosts_added, hosts_removed); - return absl::OkStatus(); })} {} std::shared_ptr diff --git a/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.cc b/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.cc index 6d46954015e2a..44d8f7ed51379 100644 --- a/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.cc +++ b/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.cc @@ -63,10 +63,8 @@ ClientSideWeightedRoundRobinLoadBalancer::WorkerLocalLb::WorkerLocalLb( common_config, healthy_panic_threshold, 100, 50), getRoundRobinConfig(common_config), time_source) { if (tls_shim.has_value()) { - apply_weights_cb_handle_ = tls_shim->apply_weights_cb_helper_.add([this](uint32_t priority) { - refresh(priority); - return absl::OkStatus(); - }); + apply_weights_cb_handle_ = + tls_shim->apply_weights_cb_helper_.add([this](uint32_t priority) { refresh(priority); }); } } @@ -258,7 +256,7 @@ void ClientSideWeightedRoundRobinLoadBalancer::WorkerLocalLbFactory::applyWeight uint32_t priority) { tls_->runOnAllThreads([priority](OptRef tls_shim) -> void { if (tls_shim.has_value()) { - auto status = tls_shim->apply_weights_cb_helper_.runCallbacks(priority); + tls_shim->apply_weights_cb_helper_.runCallbacks(priority); } }); } @@ -295,10 +293,9 @@ absl::Status ClientSideWeightedRoundRobinLoadBalancer::initialize() { // Setup a callback to receive priority set updates. priority_update_cb_ = priority_set_.addPriorityUpdateCb( - [this](uint32_t, const HostVector& hosts_added, const HostVector&) -> absl::Status { + [this](uint32_t, const HostVector& hosts_added, const HostVector&) { addClientSideLbPolicyDataToHosts(hosts_added); updateWeightsOnMainThread(); - return absl::OkStatus(); }); weight_calculation_timer_->enableTimer(weight_update_period_); diff --git a/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.h b/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.h index b9652c0771bd5..2e65e71c519a8 100644 --- a/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.h +++ b/source/extensions/load_balancing_policies/client_side_weighted_round_robin/client_side_weighted_round_robin_lb.h @@ -138,7 +138,7 @@ class ClientSideWeightedRoundRobinLoadBalancer : public Upstream::ThreadAwareLoa // Thread local shim to store callbacks for weight updates of worker local lb. class ThreadLocalShim : public Envoy::ThreadLocal::ThreadLocalObject { public: - Common::CallbackManager apply_weights_cb_helper_; + Common::CallbackManager apply_weights_cb_helper_; }; // This class is used to handle the load balancing on the worker thread. diff --git a/source/extensions/load_balancing_policies/common/load_balancer_impl.cc b/source/extensions/load_balancing_policies/common/load_balancer_impl.cc index 60c31c890e348..11e8138df33aa 100644 --- a/source/extensions/load_balancing_policies/common/load_balancer_impl.cc +++ b/source/extensions/load_balancing_policies/common/load_balancer_impl.cc @@ -108,13 +108,12 @@ LoadBalancerBase::LoadBalancerBase(const PrioritySet& priority_set, ClusterLbSta recalculatePerPriorityPanic(); priority_update_cb_ = priority_set_.addPriorityUpdateCb( - [this](uint32_t priority, const HostVector&, const HostVector&) -> absl::Status { + [this](uint32_t priority, const HostVector&, const HostVector&) { recalculatePerPriorityState(priority, priority_set_, per_priority_load_, per_priority_health_, per_priority_degraded_, total_healthy_hosts_); recalculatePerPriorityPanic(); stashed_random_.clear(); - return absl::OkStatus(); }); } @@ -434,7 +433,7 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( } priority_update_cb_ = priority_set_.addPriorityUpdateCb( - [this](uint32_t priority, const HostVector&, const HostVector&) -> absl::Status { + [this](uint32_t priority, const HostVector&, const HostVector&) { // Make sure per_priority_state_ is as large as priority_set_.hostSetsPerPriority() resizePerPriorityState(); // If P=0 changes, regenerate locality routing structures. Locality based routing is @@ -446,7 +445,6 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( if (locality_weighted_balancing_) { rebuildLocalityWrrForPriority(priority); } - return absl::OkStatus(); }); if (local_priority_set_) { // Multiple priorities are unsupported for local priority sets. @@ -455,12 +453,11 @@ ZoneAwareLoadBalancerBase::ZoneAwareLoadBalancerBase( // the locality routing structure. ASSERT(local_priority_set_->hostSetsPerPriority().size() == 1); local_priority_set_member_update_cb_handle_ = local_priority_set_->addPriorityUpdateCb( - [this](uint32_t priority, const HostVector&, const HostVector&) -> absl::Status { + [this](uint32_t priority, const HostVector&, const HostVector&) { ASSERT(priority == 0); // If the set of local Envoys changes, regenerate routing for P=0 as it does priority // based routing. regenerateLocalityRoutingStructures(); - return absl::OkStatus(); }); } } @@ -936,16 +933,12 @@ EdfLoadBalancerBase::EdfLoadBalancerBase( // so we will need to do better at delta tracking to scale (see // https://github.com/envoyproxy/envoy/issues/2874). priority_update_cb_ = priority_set.addPriorityUpdateCb( - [this](uint32_t priority, const HostVector&, const HostVector&) { - refresh(priority); - return absl::OkStatus(); - }); - member_update_cb_ = priority_set.addMemberUpdateCb( - [this](const HostVector& hosts_added, const HostVector&) -> absl::Status { + [this](uint32_t priority, const HostVector&, const HostVector&) { refresh(priority); }); + member_update_cb_ = + priority_set.addMemberUpdateCb([this](const HostVector& hosts_added, const HostVector&) { if (isSlowStartEnabled()) { recalculateHostsInSlowStart(hosts_added); } - return absl::OkStatus(); }); } diff --git a/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.cc b/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.cc index 4056b0aae5d82..01a3e2dd21841 100644 --- a/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.cc +++ b/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.cc @@ -14,18 +14,17 @@ namespace Upstream { // HostSetImpl::effectiveLocalityWeight. namespace { -absl::Status normalizeHostWeights(const HostVector& hosts, double normalized_locality_weight, - NormalizedHostWeightVector& normalized_host_weights, - double& min_normalized_weight, double& max_normalized_weight) { +void normalizeHostWeights(const HostVector& hosts, double normalized_locality_weight, + NormalizedHostWeightVector& normalized_host_weights, + double& min_normalized_weight, double& max_normalized_weight) { // sum should be at most uint32_t max value, so we can validate it by accumulating into unit64_t // and making sure there was no overflow uint64_t sum = 0; for (const auto& host : hosts) { sum += host->weight(); if (sum > std::numeric_limits::max()) { - return absl::InvalidArgumentError( - fmt::format("The sum of weights of all upstream hosts in a locality exceeds {}", - std::numeric_limits::max())); + IS_ENVOY_BUG("weights should have been previously validated in validateEndpoints()"); + return; } } @@ -35,14 +34,12 @@ absl::Status normalizeHostWeights(const HostVector& hosts, double normalized_loc min_normalized_weight = std::min(min_normalized_weight, weight); max_normalized_weight = std::max(max_normalized_weight, weight); } - return absl::OkStatus(); } -absl::Status normalizeLocalityWeights(const HostsPerLocality& hosts_per_locality, - const LocalityWeights& locality_weights, - NormalizedHostWeightVector& normalized_host_weights, - double& min_normalized_weight, - double& max_normalized_weight) { +void normalizeLocalityWeights(const HostsPerLocality& hosts_per_locality, + const LocalityWeights& locality_weights, + NormalizedHostWeightVector& normalized_host_weights, + double& min_normalized_weight, double& max_normalized_weight) { ASSERT(locality_weights.size() == hosts_per_locality.get().size()); // sum should be at most uint32_t max value, so we can validate it by accumulating into unit64_t @@ -51,15 +48,13 @@ absl::Status normalizeLocalityWeights(const HostsPerLocality& hosts_per_locality for (const auto weight : locality_weights) { sum += weight; if (sum > std::numeric_limits::max()) { - return absl::InvalidArgumentError( - fmt::format("The sum of weights of all localities at the same priority exceeds {}", - std::numeric_limits::max())); + IS_ENVOY_BUG("locality weights should have been validated in validateEndpoints"); } } // Locality weights (unlike host weights) may be 0. If _all_ locality weights were 0, bail out. if (sum == 0) { - return absl::OkStatus(); + return; } // Compute normalized weights for all hosts in each locality. If a locality was assigned zero @@ -68,33 +63,29 @@ absl::Status normalizeLocalityWeights(const HostsPerLocality& hosts_per_locality if (locality_weights[i] != 0) { const HostVector& hosts = hosts_per_locality.get()[i]; const double normalized_locality_weight = static_cast(locality_weights[i]) / sum; - RETURN_IF_NOT_OK(normalizeHostWeights(hosts, normalized_locality_weight, - normalized_host_weights, min_normalized_weight, - max_normalized_weight)); + normalizeHostWeights(hosts, normalized_locality_weight, normalized_host_weights, + min_normalized_weight, max_normalized_weight); } } - return absl::OkStatus(); } -absl::Status normalizeWeights(const HostSet& host_set, bool in_panic, - NormalizedHostWeightVector& normalized_host_weights, - double& min_normalized_weight, double& max_normalized_weight, - bool locality_weighted_balancing) { +void normalizeWeights(const HostSet& host_set, bool in_panic, + NormalizedHostWeightVector& normalized_host_weights, + double& min_normalized_weight, double& max_normalized_weight, + bool locality_weighted_balancing) { if (!locality_weighted_balancing || host_set.localityWeights() == nullptr || host_set.localityWeights()->empty()) { // If we're not dealing with locality weights, just normalize weights for the flat set of hosts. const auto& hosts = in_panic ? host_set.hosts() : host_set.healthyHosts(); - RETURN_IF_NOT_OK(normalizeHostWeights(hosts, 1.0, normalized_host_weights, - min_normalized_weight, max_normalized_weight)); + normalizeHostWeights(hosts, 1.0, normalized_host_weights, min_normalized_weight, + max_normalized_weight); } else { // Otherwise, normalize weights across all localities. const auto& hosts_per_locality = in_panic ? host_set.hostsPerLocality() : host_set.healthyHostsPerLocality(); - RETURN_IF_NOT_OK(normalizeLocalityWeights(hosts_per_locality, *(host_set.localityWeights()), - normalized_host_weights, min_normalized_weight, - max_normalized_weight)); + normalizeLocalityWeights(hosts_per_locality, *(host_set.localityWeights()), + normalized_host_weights, min_normalized_weight, max_normalized_weight); } - return absl::OkStatus(); } std::string generateCookie(LoadBalancerContext* context, absl::string_view name, @@ -136,12 +127,13 @@ absl::Status ThreadAwareLoadBalancerBase::initialize() { // complicated initialization as the load balancer would need its own initialized callback. I // think the synchronous/asynchronous split is probably the best option. priority_update_cb_ = priority_set_.addPriorityUpdateCb( - [this](uint32_t, const HostVector&, const HostVector&) -> absl::Status { return refresh(); }); + [this](uint32_t, const HostVector&, const HostVector&) { refresh(); }); - return refresh(); + refresh(); + return absl::OkStatus(); } -absl::Status ThreadAwareLoadBalancerBase::refresh() { +void ThreadAwareLoadBalancerBase::refresh() { auto per_priority_state_vector = std::make_shared>( priority_set_.hostSetsPerPriority().size()); auto healthy_per_priority_load = @@ -161,10 +153,8 @@ absl::Status ThreadAwareLoadBalancerBase::refresh() { NormalizedHostWeightVector normalized_host_weights; double min_normalized_weight = 1.0; double max_normalized_weight = 0.0; - absl::Status status = normalizeWeights(*host_set, per_priority_state->global_panic_, - normalized_host_weights, min_normalized_weight, - max_normalized_weight, locality_weighted_balancing_); - RETURN_IF_NOT_OK(status); + normalizeWeights(*host_set, per_priority_state->global_panic_, normalized_host_weights, + min_normalized_weight, max_normalized_weight, locality_weighted_balancing_); per_priority_state->current_lb_ = createLoadBalancer( std::move(normalized_host_weights), min_normalized_weight, max_normalized_weight); } @@ -175,7 +165,6 @@ absl::Status ThreadAwareLoadBalancerBase::refresh() { factory_->degraded_per_priority_load_ = degraded_per_priority_load; factory_->per_priority_state_ = per_priority_state_vector; } - return absl::OkStatus(); } HostSelectionResponse @@ -370,5 +359,34 @@ TypedHashLbConfigBase::TypedHashLbConfigBase(absl::Spanweight(); + if (host_sum > std::numeric_limits::max()) { + return absl::InvalidArgumentError( + fmt::format("The sum of weights of all upstream hosts in a locality exceeds {}", + std::numeric_limits::max())); + } + } + + uint64_t locality_sum = 0; + for (const auto& [_, weight] : locality_weights_map) { + locality_sum += weight; + if (locality_sum > std::numeric_limits::max()) { + return absl::InvalidArgumentError( + fmt::format("The sum of weights of all localities at the same priority exceeds {}", + std::numeric_limits::max())); + } + } + } + + return absl::OkStatus(); +} + } // namespace Upstream } // namespace Envoy diff --git a/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h b/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h index e1b1373d82da0..9db1c2247a7df 100644 --- a/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h +++ b/source/extensions/load_balancing_policies/common/thread_aware_lb_impl.h @@ -176,7 +176,7 @@ class ThreadAwareLoadBalancerBase : public LoadBalancerBase, public ThreadAwareL virtual HashingLoadBalancerSharedPtr createLoadBalancer(const NormalizedHostWeightVector& normalized_host_weights, double min_normalized_weight, double max_normalized_weight) PURE; - absl::Status refresh(); + void refresh(); std::shared_ptr factory_; const bool locality_weighted_balancing_{}; @@ -189,6 +189,8 @@ class TypedHashLbConfigBase : public LoadBalancerConfig { TypedHashLbConfigBase(absl::Span hash_policy, Regex::Engine& regex_engine, absl::Status& creation_status); + absl::Status validateEndpoints(const PriorityState& priorities) const override; + HashPolicySharedPtr hash_policy_; }; diff --git a/source/extensions/load_balancing_policies/subset/subset_lb.cc b/source/extensions/load_balancing_policies/subset/subset_lb.cc index d56bffd4cae44..5fca592be3c8a 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb.cc +++ b/source/extensions/load_balancing_policies/subset/subset_lb.cc @@ -92,7 +92,6 @@ SubsetLoadBalancer::SubsetLoadBalancer(const SubsetLoadBalancerConfig& lb_config [this](uint32_t priority, const HostVector&, const HostVector&) { refreshSubsets(priority); purgeEmptySubsets(subsets_); - return absl::OkStatus(); }); } diff --git a/source/extensions/load_balancing_policies/subset/subset_lb.h b/source/extensions/load_balancing_policies/subset/subset_lb.h index 9e79f84f1b4df..aa886c14fb0d9 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb.h +++ b/source/extensions/load_balancing_policies/subset/subset_lb.h @@ -109,7 +109,7 @@ class SubsetLoadBalancer : public LoadBalancer, Logger::Loggable(host_sets_[priority].get()) ->update(matching_hosts, hosts_added, hosts_removed); - THROW_IF_NOT_OK(runUpdateCallbacks(hosts_added, hosts_removed)); + runUpdateCallbacks(hosts_added, hosts_removed); } // Thread aware LB if applicable. diff --git a/source/extensions/load_balancing_policies/subset/subset_lb_config.h b/source/extensions/load_balancing_policies/subset/subset_lb_config.h index af6aac910386b..45d8054d92427 100644 --- a/source/extensions/load_balancing_policies/subset/subset_lb_config.h +++ b/source/extensions/load_balancing_policies/subset/subset_lb_config.h @@ -217,6 +217,13 @@ class SubsetLoadBalancerConfig : public Upstream::LoadBalancerConfig { TypedLoadBalancerFactory* child_factory, LoadBalancerConfigPtr child_config); + absl::Status validateEndpoints(const PriorityState& priorities) const override { + if (child_lb_config_ != nullptr) { + return child_lb_config_->validateEndpoints(priorities); + } + return absl::OkStatus(); + } + Upstream::ThreadAwareLoadBalancerPtr createLoadBalancer(const Upstream::ClusterInfo& cluster_info, const Upstream::PrioritySet& child_priority_set, Runtime::Loader& runtime, diff --git a/source/server/drain_manager_impl.h b/source/server/drain_manager_impl.h index 1fb01e8146679..143c4ea73220d 100644 --- a/source/server/drain_manager_impl.h +++ b/source/server/drain_manager_impl.h @@ -62,7 +62,7 @@ class DrainManagerImpl : Logger::Loggable, public DrainManager std::map drain_deadlines_ = { {Network::DrainDirection::InboundOnly, MonotonicTime()}, {Network::DrainDirection::All, MonotonicTime()}}; - mutable Common::CallbackManager cbs_{}; + mutable Common::CallbackManager cbs_{}; std::vector> drain_complete_cbs_; // Callbacks called by startDrainSequence to cascade/proxy to children diff --git a/test/common/common/callback_impl_test.cc b/test/common/common/callback_impl_test.cc index bf1410fa495da..995fb2b7506c0 100644 --- a/test/common/common/callback_impl_test.cc +++ b/test/common/common/callback_impl_test.cc @@ -21,7 +21,7 @@ class CallbackManagerTest : public testing::Test { TEST_F(CallbackManagerTest, All) { InSequence s; - CallbackManager manager; + CallbackManager manager; auto handle1 = manager.add([this](int arg) { called(arg); return absl::OkStatus(); @@ -55,7 +55,7 @@ TEST_F(CallbackManagerTest, All) { TEST_F(CallbackManagerTest, DestroyManagerBeforeHandle) { CallbackHandlePtr handle; { - CallbackManager manager; + CallbackManager manager; handle = manager.add([this](int arg) { called(arg); return absl::OkStatus(); diff --git a/test/coverage.yaml b/test/coverage.yaml index cf88685697bcd..af05a8249083e 100644 --- a/test/coverage.yaml +++ b/test/coverage.yaml @@ -60,6 +60,7 @@ directories: source/extensions/internal_redirect/safe_cross_scheme: 81.3 source/extensions/internal_redirect/allow_listed_routes: 85.7 source/extensions/internal_redirect/previous_routes: 89.3 + source/extensions/load_balancing_policies/common: 96.3 source/extensions/load_balancing_policies/maglev: 94.9 source/extensions/load_balancing_policies/round_robin: 96.4 source/extensions/load_balancing_policies/ring_hash: 96.9 diff --git a/test/integration/eds_integration_test.cc b/test/integration/eds_integration_test.cc index ecda792d408f5..e7484ab42aa81 100644 --- a/test/integration/eds_integration_test.cc +++ b/test/integration/eds_integration_test.cc @@ -88,6 +88,7 @@ class EdsIntegrationTest uint32_t healthy_endpoints = 0; uint32_t degraded_endpoints = 0; uint32_t disable_active_hc_endpoints = 0; + absl::optional load_balancing_weight = absl::nullopt; absl::optional weighted_priority_health = absl::nullopt; absl::optional overprovisioning_factor = absl::nullopt; absl::optional drop_overload_numerator = absl::nullopt; @@ -138,6 +139,10 @@ class EdsIntegrationTest ->mutable_health_check_config() ->set_disable_active_health_check(true); } + if (endpoint_setting.load_balancing_weight.has_value()) { + endpoint->mutable_load_balancing_weight()->set_value( + endpoint_setting.load_balancing_weight.value()); + } } if (await_update) { @@ -806,5 +811,44 @@ TEST_P(EdsIntegrationTest, DropOverloadTestForEdsClusterNoDrop) { dropOverloadTe TEST_P(EdsIntegrationTest, DropOverloadTestForEdsClusterAllDrop) { dropOverloadTest(100, "503"); } +TEST_P(EdsIntegrationTest, LoadBalancerRejectsEndpoints) { + autonomous_upstream_ = true; + initializeTest(false /* http_active_hc */, [](envoy::config::cluster::v3::Cluster& cluster) { + // Maglev (and all load balancers that inherit `ThreadAwareLoadBalancerBase`) has a + // constraint that the total endpoint weights must not exceed uint32_max. Use this to generate + // errors instead of writing a test load balancing extension. + cluster.set_lb_policy(::envoy::config::cluster::v3::Cluster::MAGLEV); + }); + EndpointSettingOptions options; + options.total_endpoints = 4; + options.healthy_endpoints = 4; + options.load_balancing_weight = UINT32_MAX - 1; + setEndpoints(options, true, false); + test_server_->waitForCounterGe("cluster.cluster_0.update_rejected", 1); +} + +TEST_P(EdsIntegrationTest, LoadBalancerRejectsEndpointsWithHealthcheck) { + cluster_.mutable_common_lb_config()->set_ignore_new_hosts_until_first_hc(true); + autonomous_upstream_ = true; + initializeTest(true /* http_active_hc */, [](envoy::config::cluster::v3::Cluster& cluster) { + // Disable the healthy panic threshold, which causes the initial update from the EDS update + // to not include any of the hosts so that there isn't an error detected for the weights + // until after a health check passes. + cluster.mutable_common_lb_config()->mutable_healthy_panic_threshold(); + + // Maglev (and all load balancers that inherit `ThreadAwareLoadBalancerBase`) has a + // constraint that the total endpoint weights must not exceed uint32_max. Use this to generate + // errors instead of writing a test load balancing extension. + cluster.set_lb_policy(::envoy::config::cluster::v3::Cluster::MAGLEV); + }); + + EndpointSettingOptions options; + options.total_endpoints = 4; + options.healthy_endpoints = 4; + options.load_balancing_weight = UINT32_MAX - 1; + setEndpoints(options, true, false); + test_server_->waitForCounterGe("cluster.cluster_0.update_rejected", 1); +} + } // namespace } // namespace Envoy diff --git a/test/mocks/config/mocks.h b/test/mocks/config/mocks.h index 717c32117d25a..f4d3e60608de0 100644 --- a/test/mocks/config/mocks.h +++ b/test/mocks/config/mocks.h @@ -199,7 +199,7 @@ class MockContextProvider : public ContextProvider { MOCK_METHOD(Common::CallbackHandlePtr, addDynamicContextUpdateCallback, (UpdateNotificationCb callback), (const)); - Common::CallbackManager update_cb_handler_; + Common::CallbackManager update_cb_handler_; }; template diff --git a/test/mocks/upstream/host_set.h b/test/mocks/upstream/host_set.h index 16ced302a8af0..4e1d72dfe40b0 100644 --- a/test/mocks/upstream/host_set.h +++ b/test/mocks/upstream/host_set.h @@ -17,7 +17,7 @@ class MockHostSet : public HostSet { ~MockHostSet() override; void runCallbacks(const HostVector added, const HostVector removed) { - THROW_IF_NOT_OK(member_update_cb_helper_.runCallbacks(priority(), added, removed)); + member_update_cb_helper_.runCallbacks(priority(), added, removed); } ABSL_MUST_USE_RESULT Common::CallbackHandlePtr @@ -59,7 +59,8 @@ class MockHostSet : public HostSet { HostsPerLocalitySharedPtr degraded_hosts_per_locality_{new HostsPerLocalityImpl()}; HostsPerLocalitySharedPtr excluded_hosts_per_locality_{new HostsPerLocalityImpl()}; LocalityWeightsConstSharedPtr locality_weights_{{}}; - Common::CallbackManager member_update_cb_helper_; + Common::CallbackManager + member_update_cb_helper_; uint32_t priority_{}; uint32_t overprovisioning_factor_{}; bool weighted_priority_health_{false}; diff --git a/test/mocks/upstream/priority_set.cc b/test/mocks/upstream/priority_set.cc index 4da1d13f3bae3..2182a7a3c80c2 100644 --- a/test/mocks/upstream/priority_set.cc +++ b/test/mocks/upstream/priority_set.cc @@ -49,8 +49,8 @@ HostSet& MockPrioritySet::getHostSet(uint32_t priority) { void MockPrioritySet::runUpdateCallbacks(uint32_t priority, const HostVector& hosts_added, const HostVector& hosts_removed) { - THROW_IF_NOT_OK(member_update_cb_helper_.runCallbacks(hosts_added, hosts_removed)); - THROW_IF_NOT_OK(priority_update_cb_helper_.runCallbacks(priority, hosts_added, hosts_removed)); + member_update_cb_helper_.runCallbacks(hosts_added, hosts_removed); + priority_update_cb_helper_.runCallbacks(priority, hosts_added, hosts_removed); } } // namespace Upstream diff --git a/test/mocks/upstream/priority_set.h b/test/mocks/upstream/priority_set.h index a19e208d12580..9b2b3100d524a 100644 --- a/test/mocks/upstream/priority_set.h +++ b/test/mocks/upstream/priority_set.h @@ -38,8 +38,8 @@ class MockPrioritySet : public PrioritySet { std::vector host_sets_; std::vector member_update_cbs_; - Common::CallbackManager member_update_cb_helper_; - Common::CallbackManager + Common::CallbackManager member_update_cb_helper_; + Common::CallbackManager priority_update_cb_helper_; HostMapConstSharedPtr cross_priority_host_map_{std::make_shared()}; From c4d23a1e2c19b13d219524a93092e2e7f6aa5f14 Mon Sep 17 00:00:00 2001 From: phlax Date: Wed, 24 Sep 2025 19:49:29 +0100 Subject: [PATCH 495/505] mobile/coverage: Fix and remove awful hack (#41209) Signed-off-by: Ryan Northey --- .github/workflows/mobile-coverage.yml | 7 ------- mobile/.bazelrc | 9 --------- mobile/third_party/rbe_configs/cc/BUILD | 9 ++++++--- 3 files changed, 6 insertions(+), 19 deletions(-) diff --git a/.github/workflows/mobile-coverage.yml b/.github/workflows/mobile-coverage.yml index b174a31073685..4c27a3b3e5ad6 100644 --- a/.github/workflows/mobile-coverage.yml +++ b/.github/workflows/mobile-coverage.yml @@ -60,13 +60,6 @@ jobs: run: | cd mobile tar -czf coverage.tar.gz generated/coverage - # TODO(phlax): This is a highly undesirable workaround - remove once - # https://github.com/bazelbuild/bazel/issues/23247 is resolved/available - steps-pre: | - - name: Inject bazel version - shell: bash - run: | - echo "7.1.2" > .bazelversion target: mobile-coverage timeout-minutes: 120 upload-name: coverage.tar.gz diff --git a/mobile/.bazelrc b/mobile/.bazelrc index 5c5131790e249..833394cf13ed3 100644 --- a/mobile/.bazelrc +++ b/mobile/.bazelrc @@ -203,15 +203,6 @@ test:mobile-remote-ci-linux-tsan --test_env=ENVOY_IP_TEST_VERSIONS=v4only ############################################################################# # Clang environment variables (keep in sync with //third_party/rbe_configs) # Coverage environment variables (keep in sync with //third_party/rbe_configs) -build:mobile-ci-linux-coverage --action_env=GCOV=/opt/llvm/bin/llvm-profdata -build:mobile-ci-linux-coverage --test_env=GCOV=/opt/llvm/bin/llvm-profdata -build:mobile-ci-linux-coverage --repo_env=GCOV=/opt/llvm/bin/llvm-profdata -build:mobile-ci-linux-coverage --action_env=BAZEL_LLVM_COV=/opt/llvm/bin/llvm-cov -build:mobile-ci-linux-coverage --test_env=BAZEL_LLVM_COV=/opt/llvm/bin/llvm-cov -build:mobile-ci-linux-coverage --repo_env=BAZEL_LLVM_COV=/opt/llvm/bin/llvm-cov -build:mobile-ci-linux-coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 -build:mobile-ci-linux-coverage --test_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 -build:mobile-ci-linux-coverage --repo_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 build:mobile-ci-linux-coverage --build_tests_only build:mobile-ci-linux-coverage --@envoy//tools/coverage:config=@envoy_mobile//test:coverage_config diff --git a/mobile/third_party/rbe_configs/cc/BUILD b/mobile/third_party/rbe_configs/cc/BUILD index 628350f9715a7..dfabf7dcc2f4e 100644 --- a/mobile/third_party/rbe_configs/cc/BUILD +++ b/mobile/third_party/rbe_configs/cc/BUILD @@ -95,7 +95,7 @@ cc_toolchain_config( "cpp": "/usr/bin/cpp", "gcc": "/opt/llvm/bin/clang", "dwp": "/usr/bin/dwp", - "gcov": "/opt/llvm/bin/llvm-cov", + "gcov": "/opt/llvm/bin/llvm-profdata", "nm": "/usr/bin/nm", "objcopy": "/usr/bin/objcopy", "objdump": "/usr/bin/objdump", @@ -128,8 +128,11 @@ cc_toolchain_config( "-D__DATE__=\"redacted\"", "-D__TIMESTAMP__=\"redacted\"", "-D__TIME__=\"redacted\""], - coverage_compile_flags = ["--coverage"], - coverage_link_flags = ["--coverage"], + coverage_compile_flags = [ + "-fprofile-instr-generate", + "-fcoverage-mapping", + ], + coverage_link_flags = ["-fprofile-instr-generate"], supports_start_end_lib = True, ) From d6dbb49c1435e77d4322bb1f5228fb1bc63ea065 Mon Sep 17 00:00:00 2001 From: "dependency-envoy[bot]" <148525496+dependency-envoy[bot]@users.noreply.github.com> Date: Wed, 24 Sep 2025 19:15:02 +0000 Subject: [PATCH 496/505] deps: Bump `rules_python` -> 1.6.3 (#41205) Fix #41162 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey --- bazel/foreign_cc/vpp_vcl.patch | 61 +++++++++++++++++----------------- bazel/repositories.bzl | 1 + bazel/repository_locations.bzl | 6 ++-- 3 files changed, 35 insertions(+), 33 deletions(-) diff --git a/bazel/foreign_cc/vpp_vcl.patch b/bazel/foreign_cc/vpp_vcl.patch index 74085b777cef1..f75138e7180e7 100644 --- a/bazel/foreign_cc/vpp_vcl.patch +++ b/bazel/foreign_cc/vpp_vcl.patch @@ -1,7 +1,7 @@ -diff --git src/CMakeLists.txt src/CMakeLists.txt -index 68d0a4f..9bf7ade 100644 ---- src/CMakeLists.txt -+++ src/CMakeLists.txt +diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt +index 68d0a4fe6..9bf7adede 100644 +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt @@ -50,13 +50,8 @@ include(cmake/ccache.cmake) ############################################################################## # VPP Version @@ -27,10 +27,10 @@ index 68d0a4f..9bf7ade 100644 ) elseif("${CMAKE_SYSTEM_NAME}" STREQUAL "Darwin") set(SUBDIRS vppinfra) -diff --git src/cmake/ccache.cmake src/cmake/ccache.cmake -index a7b395b..d6a4c5b 100644 ---- src/cmake/ccache.cmake -+++ src/cmake/ccache.cmake +diff --git a/src/cmake/ccache.cmake b/src/cmake/ccache.cmake +index a7b395bc6..d6a4c5b30 100644 +--- a/src/cmake/ccache.cmake ++++ b/src/cmake/ccache.cmake @@ -14,7 +14,7 @@ ############################################################################## # ccache @@ -40,10 +40,10 @@ index a7b395b..d6a4c5b 100644 if(VPP_USE_CCACHE) find_program(CCACHE_FOUND ccache) message(STATUS "Looking for ccache") -diff --git src/cmake/library.cmake src/cmake/library.cmake -index 45b3944..b1dcc56 100644 ---- src/cmake/library.cmake -+++ src/cmake/library.cmake +diff --git a/src/cmake/library.cmake b/src/cmake/library.cmake +index 45b3944eb..b1dcc56e1 100644 +--- a/src/cmake/library.cmake ++++ b/src/cmake/library.cmake @@ -24,7 +24,7 @@ macro(add_vpp_library lib) set_target_properties(${lo} PROPERTIES POSITION_INDEPENDENT_CODE ON) target_compile_options(${lo} PUBLIC ${VPP_DEFAULT_MARCH_FLAGS}) @@ -53,10 +53,10 @@ index 45b3944..b1dcc56 100644 target_sources(${lib} PRIVATE $) if(VPP_LIB_VERSION) -diff --git src/tools/vppapigen/CMakeLists.txt src/tools/vppapigen/CMakeLists.txt -index 04ebed5..bfabc3a 100644 ---- src/tools/vppapigen/CMakeLists.txt -+++ src/tools/vppapigen/CMakeLists.txt +diff --git a/src/tools/vppapigen/CMakeLists.txt b/src/tools/vppapigen/CMakeLists.txt +index 04ebed548..bfabc3a67 100644 +--- a/src/tools/vppapigen/CMakeLists.txt ++++ b/src/tools/vppapigen/CMakeLists.txt @@ -11,22 +11,6 @@ # See the License for the specific language governing permissions and # limitations under the License. @@ -80,28 +80,29 @@ index 04ebed5..bfabc3a 100644 install( FILES vppapigen.py RENAME vppapigen -diff --git src/tools/vppapigen/vppapigen.py src/tools/vppapigen/vppapigen.py -index 2b0ce99..f28a173 100755 ---- src/tools/vppapigen/vppapigen.py -+++ src/tools/vppapigen/vppapigen.py -@@ -7,6 +7,13 @@ import logging +diff --git a/src/tools/vppapigen/vppapigen.py b/src/tools/vppapigen/vppapigen.py +index 2b0ce9999..f8a7586ea 100755 +--- a/src/tools/vppapigen/vppapigen.py ++++ b/src/tools/vppapigen/vppapigen.py +@@ -7,6 +7,14 @@ import logging import binascii import os from subprocess import Popen, PIPE + ++ +# Put ply on the path ... +plypath = os.path.join( + os.environ["EXT_BUILD_ROOT"], -+ os.path.dirname(os.environ["PLYPATHS"].split()[0])) ++ os.path.dirname(os.path.dirname(os.environ["PLYPATHS"].split()[0]))) +sys.path += [plypath] + import ply.lex as lex import ply.yacc as yacc -diff --git src/vcl/CMakeLists.txt src/vcl/CMakeLists.txt -index 610b422..c5e6f8c 100644 ---- src/vcl/CMakeLists.txt -+++ src/vcl/CMakeLists.txt +diff --git a/src/vcl/CMakeLists.txt b/src/vcl/CMakeLists.txt +index 610b422d1..c5e6f8ca8 100644 +--- a/src/vcl/CMakeLists.txt ++++ b/src/vcl/CMakeLists.txt @@ -35,6 +35,8 @@ if (LDP_HAS_GNU_SOURCE) add_compile_definitions(HAVE_GNU_SOURCE) endif(LDP_HAS_GNU_SOURCE) @@ -111,10 +112,10 @@ index 610b422..c5e6f8c 100644 add_vpp_library(vcl_ldpreload SOURCES ldp_socket_wrapper.c -diff --git src/vppinfra/CMakeLists.txt src/vppinfra/CMakeLists.txt -index f34ceed..51fd2be 100644 ---- src/vppinfra/CMakeLists.txt -+++ src/vppinfra/CMakeLists.txt +diff --git a/src/vppinfra/CMakeLists.txt b/src/vppinfra/CMakeLists.txt +index f34ceed9d..51fd2becf 100644 +--- a/src/vppinfra/CMakeLists.txt ++++ b/src/vppinfra/CMakeLists.txt @@ -233,13 +233,28 @@ option(VPP_USE_EXTERNAL_LIBEXECINFO "Use external libexecinfo (useful for non-gl if(VPP_USE_EXTERNAL_LIBEXECINFO) set(EXECINFO_LIB execinfo) diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index d7d1b716041be..b142dba79cc02 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -1021,6 +1021,7 @@ def _com_github_fdio_vpp_vcl(): name = "com_github_fdio_vpp_vcl", build_file_content = _build_all_content(exclude = ["**/*doc*/**", "**/examples/**", "**/plugins/**"]), patches = ["@envoy//bazel/foreign_cc:vpp_vcl.patch"], + patch_args = ["-p1"], ) def _rules_ruby(): diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index e7808719bbdc1..9d90805be8f57 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1095,9 +1095,9 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "Python rules for Bazel", project_desc = "Bazel rules for the Python language", project_url = "https://github.com/bazelbuild/rules_python", - version = "1.4.1", - sha256 = "9f9f3b300a9264e4c77999312ce663be5dee9a56e361a1f6fe7ec60e1beef9a3", - release_date = "2025-05-08", + version = "1.6.3", + sha256 = "2f5c284fbb4e86045c2632d3573fc006facbca5d1fa02976e89dc0cd5488b590", + release_date = "2025-09-21", strip_prefix = "rules_python-{version}", urls = ["https://github.com/bazelbuild/rules_python/archive/{version}.tar.gz"], use_category = ["build", "controlplane", "dataplane_core"], From 572ec5b20fb2f2056f9abbf8dfdc0749d1719d56 Mon Sep 17 00:00:00 2001 From: yanavlasov Date: Wed, 24 Sep 2025 15:24:34 -0400 Subject: [PATCH 497/505] Use mutex reference in lock constructors p3 (#41208) Replace deprecated absl::MutexLock::MutexLock(Mutex*) constructor with absl::MutexLock::MutexLock(Mutex&) Risk Level: none Testing: unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Yan Avlasov --- source/common/common/assert.cc | 4 +-- source/common/common/fine_grain_logger.cc | 28 ++++++++++----------- source/common/common/logger.cc | 10 ++++---- source/common/common/thread.cc | 8 +++--- source/common/common/thread_synchronizer.cc | 10 ++++---- 5 files changed, 30 insertions(+), 30 deletions(-) diff --git a/source/common/common/assert.cc b/source/common/common/assert.cc index 94bda22aa3c3f..d624b1d07cff6 100644 --- a/source/common/common/assert.cc +++ b/source/common/common/assert.cc @@ -45,12 +45,12 @@ class EnvoyBugState { static EnvoyBugState& get() { MUTABLE_CONSTRUCT_ON_FIRST_USE(EnvoyBugState); } void clear() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); counters_.clear(); } uint64_t inc(absl::string_view bug_name) { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return ++counters_[bug_name]; } diff --git a/source/common/common/fine_grain_logger.cc b/source/common/common/fine_grain_logger.cc index 734e1328bf78e..7ef40f07ec31e 100644 --- a/source/common/common/fine_grain_logger.cc +++ b/source/common/common/fine_grain_logger.cc @@ -18,9 +18,9 @@ namespace Envoy { class FineGrainLogBasicLockable : public Thread::BasicLockable { public: // BasicLockable - void lock() ABSL_EXCLUSIVE_LOCK_FUNCTION() override { mutex_.Lock(); } - bool tryLock() ABSL_EXCLUSIVE_TRYLOCK_FUNCTION(true) override { return mutex_.TryLock(); } - void unlock() ABSL_UNLOCK_FUNCTION() override { mutex_.Unlock(); } + void lock() ABSL_EXCLUSIVE_LOCK_FUNCTION() override { mutex_.lock(); } + bool tryLock() ABSL_EXCLUSIVE_TRYLOCK_FUNCTION(true) override { return mutex_.try_lock(); } + void unlock() ABSL_UNLOCK_FUNCTION() override { mutex_.unlock(); } private: absl::Mutex mutex_; @@ -28,7 +28,7 @@ class FineGrainLogBasicLockable : public Thread::BasicLockable { SpdLoggerSharedPtr FineGrainLogContext::getFineGrainLogEntry(absl::string_view key) ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { - absl::ReaderMutexLock l(&fine_grain_log_lock_); + absl::ReaderMutexLock l(fine_grain_log_lock_); auto it = fine_grain_log_map_->find(key); if (it != fine_grain_log_map_->end()) { return it->second; @@ -37,14 +37,14 @@ SpdLoggerSharedPtr FineGrainLogContext::getFineGrainLogEntry(absl::string_view k } spdlog::level::level_enum FineGrainLogContext::getVerbosityDefaultLevel() const { - absl::ReaderMutexLock l(&fine_grain_log_lock_); + absl::ReaderMutexLock l(fine_grain_log_lock_); return verbosity_default_level_; } void FineGrainLogContext::initFineGrainLogger(const std::string& key, std::atomic& logger) ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { - absl::WriterMutexLock l(&fine_grain_log_lock_); + absl::WriterMutexLock l(fine_grain_log_lock_); auto it = fine_grain_log_map_->find(key); spdlog::logger* target; if (it == fine_grain_log_map_->end()) { @@ -57,7 +57,7 @@ void FineGrainLogContext::initFineGrainLogger(const std::string& key, bool FineGrainLogContext::setFineGrainLogger(absl::string_view key, level_enum log_level) ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { - absl::ReaderMutexLock l(&fine_grain_log_lock_); + absl::ReaderMutexLock l(fine_grain_log_lock_); auto it = fine_grain_log_map_->find(key); if (it != fine_grain_log_map_->end()) { it->second->set_level(log_level); @@ -70,11 +70,11 @@ void FineGrainLogContext::setDefaultFineGrainLogLevelFormat(spdlog::level::level const std::string& format) ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { { - absl::WriterMutexLock wl(&fine_grain_log_lock_); + absl::WriterMutexLock wl(fine_grain_log_lock_); verbosity_default_level_ = level; } - absl::ReaderMutexLock rl(&fine_grain_log_lock_); + absl::ReaderMutexLock rl(fine_grain_log_lock_); for (const auto& [key, logger] : *fine_grain_log_map_) { logger->set_level(getLogLevel(key)); Logger::Utility::setLogFormatForLogger(*logger, format); @@ -82,7 +82,7 @@ void FineGrainLogContext::setDefaultFineGrainLogLevelFormat(spdlog::level::level } std::string FineGrainLogContext::listFineGrainLoggers() ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { - absl::ReaderMutexLock l(&fine_grain_log_lock_); + absl::ReaderMutexLock l(fine_grain_log_lock_); std::string info = absl::StrJoin(*fine_grain_log_map_, "\n", [](std::string* out, const auto& log_pair) { auto level_str_view = spdlog::level::to_string_view(log_pair.second->level()); @@ -94,7 +94,7 @@ std::string FineGrainLogContext::listFineGrainLoggers() ABSL_LOCKS_EXCLUDED(fine void FineGrainLogContext::setAllFineGrainLoggers(spdlog::level::level_enum level) ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { - absl::ReaderMutexLock l(&fine_grain_log_lock_); + absl::ReaderMutexLock l(fine_grain_log_lock_); verbosity_update_info_.clear(); for (const auto& it : *fine_grain_log_map_) { it.second->set_level(level); @@ -104,7 +104,7 @@ void FineGrainLogContext::setAllFineGrainLoggers(spdlog::level::level_enum level FineGrainLogLevelMap FineGrainLogContext::getAllFineGrainLogLevelsForTest() ABSL_LOCKS_EXCLUDED(fine_grain_log_lock_) { FineGrainLogLevelMap log_levels; - absl::ReaderMutexLock l(&fine_grain_log_lock_); + absl::ReaderMutexLock l(fine_grain_log_lock_); for (const auto& it : *fine_grain_log_map_) { log_levels[it.first] = it.second->level(); } @@ -170,7 +170,7 @@ spdlog::logger* FineGrainLogContext::createLogger(const std::string& key) void FineGrainLogContext::updateVerbosityDefaultLevel(level_enum level) { { - absl::WriterMutexLock wl(&fine_grain_log_lock_); + absl::WriterMutexLock wl(fine_grain_log_lock_); verbosity_default_level_ = level; } @@ -179,7 +179,7 @@ void FineGrainLogContext::updateVerbosityDefaultLevel(level_enum level) { void FineGrainLogContext::updateVerbositySetting( const std::vector>& updates) { - absl::WriterMutexLock ul(&fine_grain_log_lock_); + absl::WriterMutexLock ul(fine_grain_log_lock_); verbosity_update_info_.clear(); for (const auto& [glob, level] : updates) { if (level < kLogLevelMin || level > kLogLevelMax) { diff --git a/source/common/common/logger.cc b/source/common/common/logger.cc index 693f1517dde1c..756ba260a04dc 100644 --- a/source/common/common/logger.cc +++ b/source/common/common/logger.cc @@ -64,12 +64,12 @@ void StderrSinkDelegate::flush() { } void DelegatingLogSink::set_formatter(std::unique_ptr formatter) { - absl::MutexLock lock(&format_mutex_); + absl::MutexLock lock(format_mutex_); formatter_ = std::move(formatter); } void DelegatingLogSink::log(const spdlog::details::log_msg& msg) { - absl::ReleasableMutexLock lock(&format_mutex_); + absl::ReleasableMutexLock lock(format_mutex_); absl::string_view msg_view = absl::string_view(msg.payload.data(), msg.payload.size()); // This memory buffer must exist in the scope of the entire function, @@ -95,7 +95,7 @@ void DelegatingLogSink::log(const spdlog::details::log_msg& msg) { // protection is really only needed in tests. It would be nice to figure out a test-only // mechanism for this that does not require extra locking that we don't explicitly need in the // prod code. - absl::ReaderMutexLock sink_lock(&sink_mutex_); + absl::ReaderMutexLock sink_lock(sink_mutex_); log_to_sink(*sink_); } @@ -120,13 +120,13 @@ DelegatingLogSinkSharedPtr DelegatingLogSink::init() { } void DelegatingLogSink::flush() { - absl::ReaderMutexLock lock(&sink_mutex_); + absl::ReaderMutexLock lock(sink_mutex_); sink_->flush(); } void DelegatingLogSink::logWithStableName(absl::string_view stable_name, absl::string_view level, absl::string_view component, absl::string_view message) { - absl::ReaderMutexLock sink_lock(&sink_mutex_); + absl::ReaderMutexLock sink_lock(sink_mutex_); sink_->logWithStableName(stable_name, level, component, message); } diff --git a/source/common/common/thread.cc b/source/common/common/thread.cc index cf661693acdf0..a22c1754439f8 100644 --- a/source/common/common/thread.cc +++ b/source/common/common/thread.cc @@ -21,13 +21,13 @@ namespace { // tests more hermetic. struct ThreadIds { bool inMainThread() const { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return main_threads_to_usage_count_.find(std::this_thread::get_id()) != main_threads_to_usage_count_.end(); } bool isMainThreadActive() const { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); return !main_threads_to_usage_count_.empty(); } @@ -36,7 +36,7 @@ struct ThreadIds { // Call this from the context of MainThread when it exits. void releaseMainThread() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); auto it = main_threads_to_usage_count_.find(std::this_thread::get_id()); if (!skipAsserts()) { ASSERT(it != main_threads_to_usage_count_.end()); @@ -52,7 +52,7 @@ struct ThreadIds { // Declares current thread as the main one, or verifies that the current // thread matches any previous declarations. void registerMainThread() { - absl::MutexLock lock(&mutex_); + absl::MutexLock lock(mutex_); auto it = main_threads_to_usage_count_.find(std::this_thread::get_id()); if (it == main_threads_to_usage_count_.end()) { it = main_threads_to_usage_count_.insert({std::this_thread::get_id(), 0}).first; diff --git a/source/common/common/thread_synchronizer.cc b/source/common/common/thread_synchronizer.cc index 492509ab1fb1f..7e230e6a5d65a 100644 --- a/source/common/common/thread_synchronizer.cc +++ b/source/common/common/thread_synchronizer.cc @@ -10,7 +10,7 @@ void ThreadSynchronizer::enable() { ThreadSynchronizer::SynchronizerEntry& ThreadSynchronizer::getOrCreateEntry(absl::string_view event_name) { - absl::MutexLock lock(&data_->mutex_); + absl::MutexLock lock(data_->mutex_); auto& existing_entry = data_->entries_[event_name]; if (existing_entry == nullptr) { ENVOY_LOG(debug, "thread synchronizer: creating entry: {}", event_name); @@ -21,7 +21,7 @@ ThreadSynchronizer::getOrCreateEntry(absl::string_view event_name) { void ThreadSynchronizer::waitOnWorker(absl::string_view event_name) { SynchronizerEntry& entry = getOrCreateEntry(event_name); - absl::MutexLock lock(&entry.mutex_); + absl::MutexLock lock(entry.mutex_); ENVOY_LOG(debug, "thread synchronizer: waiting on next {}", event_name); ASSERT(!entry.wait_on_); entry.wait_on_ = true; @@ -29,7 +29,7 @@ void ThreadSynchronizer::waitOnWorker(absl::string_view event_name) { void ThreadSynchronizer::syncPointWorker(absl::string_view event_name) { SynchronizerEntry& entry = getOrCreateEntry(event_name); - absl::MutexLock lock(&entry.mutex_); + absl::MutexLock lock(entry.mutex_); // See if we are ignoring waits. If so, just return. if (!entry.wait_on_) { @@ -62,7 +62,7 @@ void ThreadSynchronizer::syncPointWorker(absl::string_view event_name) { void ThreadSynchronizer::barrierOnWorker(absl::string_view event_name) { SynchronizerEntry& entry = getOrCreateEntry(event_name); - absl::MutexLock lock(&entry.mutex_); + absl::MutexLock lock(entry.mutex_); ENVOY_LOG(debug, "thread synchronizer: barrier on {}", event_name); while (!entry.mutex_.AwaitWithTimeout(absl::Condition(&entry.at_barrier_), absl::Seconds(10))) { ENVOY_LOG(warn, "thread synchronizer: barrier on {} stuck for 10 seconds", event_name); @@ -72,7 +72,7 @@ void ThreadSynchronizer::barrierOnWorker(absl::string_view event_name) { void ThreadSynchronizer::signalWorker(absl::string_view event_name) { SynchronizerEntry& entry = getOrCreateEntry(event_name); - absl::MutexLock lock(&entry.mutex_); + absl::MutexLock lock(entry.mutex_); ASSERT(!entry.signaled_); ENVOY_LOG(debug, "thread synchronizer: signaling {}", event_name); entry.signaled_ = true; From 0484e5980e30756f58aa82137e42b307131668e3 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Wed, 24 Sep 2025 00:48:58 -0700 Subject: [PATCH 498/505] reverse_tunnel: add RPING echos in the downstream socket extension at I/O Signed-off-by: Rohit Agrawal --- ..._reverse_connection_socket_interface.proto | 6 ++ ...downstream_reverse_connection_io_handle.cc | 55 ++++++++++ .../downstream_reverse_connection_io_handle.h | 7 ++ .../reverse_tunnel_acceptor_extension.cc | 7 +- .../reverse_tunnel_acceptor_extension.h | 10 ++ .../upstream_socket_manager.cc | 20 +++- .../upstream_socket_manager.h | 19 ++++ .../reverse_tunnel_acceptor_extension_test.cc | 60 +++++++++++ .../upstream_socket_manager_test.cc | 5 + .../filters/network/reverse_tunnel/BUILD | 1 + .../reverse_tunnel/integration_test.cc | 102 ++++++++++++++++++ 11 files changed, 289 insertions(+), 3 deletions(-) diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index 92bbdbb84ab57..e476f485d0328 100644 --- a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3; +import "google/protobuf/wrappers.proto"; +import "validate/validate.proto"; import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3"; @@ -17,4 +19,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; message UpstreamReverseConnectionSocketInterface { // Stat prefix to be used for upstream reverse connection socket interface stats. string stat_prefix = 1; + + // Number of consecutive ping failures before an idle reverse connection socket is marked dead. + // Defaults to 3 if unset. Must be at least 1. + google.protobuf.UInt32Value ping_failure_threshold = 2 [(validate.rules).uint32 = { gte: 1 }]; } diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc index f778bae8789ee..f165593f35ea5 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc @@ -1,6 +1,7 @@ #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" #include "source/common/common/logger.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" #include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" namespace Envoy { @@ -28,6 +29,60 @@ DownstreamReverseConnectionIOHandle::~DownstreamReverseConnectionIOHandle() { fd_, connection_key_); } +Api::IoCallUint64Result +DownstreamReverseConnectionIOHandle::read(Buffer::Instance& buffer, + absl::optional max_length) { + // Perform the actual read first. + Api::IoCallUint64Result result = IoSocketHandleImpl::read(buffer, max_length); + + // If ping echoing is still active, inspect incoming data for RPING and echo back. + if (ping_echo_active_ && result.err_ == nullptr && result.return_value_ > 0) { + const uint64_t expected = + ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE + .size(); + + // Copy out up to expected bytes to check for RPING without destroying app payload semantics. + const uint64_t len = std::min(buffer.length(), expected); + std::string peek; + peek.resize(static_cast(len)); + buffer.copyOut(0, len, peek.data()); + + // If we have at least expected bytes, check direct match. + if (len == expected && + ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage( + peek)) { + buffer.drain(expected); + auto echo_rc = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility:: + sendPingResponse(*this); + if (!echo_rc.ok()) { + ENVOY_LOG(trace, "DownstreamReverseConnectionIOHandle: failed to send RPING echo on FD: {}", + fd_); + } else { + ENVOY_LOG(trace, "DownstreamReverseConnectionIOHandle: echoed RPING on FD: {}", fd_); + } + // If buffer now only contained RPING, suppress delivery to upper layers. + if (buffer.length() == 0) { + return Api::IoCallUint64Result{0, Api::IoError::none()}; + } + // There is remaining data beyond RPING; continue returning remaining data this call. + // Report number of bytes excluding the drained ping. + const uint64_t adjusted = + (result.return_value_ >= expected) ? (result.return_value_ - expected) : 0; + return Api::IoCallUint64Result{adjusted, Api::IoError::none()}; + } + + // If fewer than expected bytes, we cannot conclusively detect ping yet; wait for more bytes. + if (len < expected) { + // Do nothing; a subsequent read will deliver more bytes. + } else { + // We had expected bytes but not RPING; disable echo permanently. + ping_echo_active_ = false; + } + } + + return result; +} + // DownstreamReverseConnectionIOHandle close() implementation. Api::IoCallUint64Result DownstreamReverseConnectionIOHandle::close() { ENVOY_LOG( diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h index 27d04f1d2a5cd..1e324cf8d286b 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h @@ -33,6 +33,9 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { ~DownstreamReverseConnectionIOHandle() override; // Network::IoHandle overrides + // Intercept reads to handle reverse connection keep-alive pings. + Api::IoCallUint64Result read(Buffer::Instance& buffer, + absl::optional max_length) override; Api::IoCallUint64Result close() override; Api::SysCallIntResult shutdown(int how) override; @@ -57,6 +60,10 @@ class DownstreamReverseConnectionIOHandle : public Network::IoSocketHandleImpl { std::string connection_key_; // Flag to ignore close and shutdown calls during socket hand-off. bool ignore_close_and_shutdown_{false}; + + // Whether to actively echo RPING messages while the connection is idle. + // Disabled permanently after the first non-RPING application byte is observed. + bool ping_echo_active_{true}; }; } // namespace ReverseConnection diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc index e253439cd5083..4cdacae39f521 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc @@ -28,7 +28,12 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { // Set up the thread local dispatcher and socket manager. tls_slot_->set([this](Event::Dispatcher& dispatcher) { - return std::make_shared(dispatcher, this); + auto tls = std::make_shared(dispatcher, this); + // Propagate configured miss threshold into the socket manager. + if (tls->socketManager()) { + tls->socketManager()->setMissThreshold(ping_failure_threshold_); + } + return tls; }); } diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h index 0b3bb4632873a..0ba773d2b00a3 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h @@ -87,6 +87,10 @@ class ReverseTunnelAcceptorExtension stat_prefix_); stat_prefix_ = PROTOBUF_GET_STRING_OR_DEFAULT(config, stat_prefix, "upstream_reverse_connection"); + // Configure ping miss threshold (minimum 1). + const uint32_t cfg_threshold = + PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, ping_failure_threshold, 3); + ping_failure_threshold_ = std::max(1, cfg_threshold); // Ensure the socket interface has a reference to this extension early, so stats can be // recorded even before onServerInitialized(). if (socket_interface_ != nullptr) { @@ -114,6 +118,11 @@ class ReverseTunnelAcceptorExtension */ const std::string& statPrefix() const { return stat_prefix_; } + /** + * @return the configured miss threshold for ping health-checks. + */ + uint32_t pingFailureThreshold() const { return ping_failure_threshold_; } + /** * Synchronous version for admin API endpoints that require immediate response on reverse * connection stats. @@ -174,6 +183,7 @@ class ReverseTunnelAcceptorExtension std::unique_ptr> tls_slot_; ReverseTunnelAcceptor* socket_interface_; std::string stat_prefix_; + uint32_t ping_failure_threshold_{3}; }; } // namespace ReverseConnection diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index 66393355bdaf0..8f99c36ff5528 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -83,7 +83,7 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, }, Event::FileTriggerType::Edge, Event::FileReadyType::Read); - fd_to_timer_map_[fd] = dispatcher_.createTimer([this, fd]() { markSocketDead(fd); }); + fd_to_timer_map_[fd] = dispatcher_.createTimer([this, fd]() { onPingTimeout(fd); }); // Initiate ping keepalives on the socket. tryEnablePingTimer(std::chrono::seconds(ping_interval.count())); @@ -332,11 +332,14 @@ void UpstreamSocketManager::onPingResponse(Network::IoHandle& io_handle) { if (!::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage( buffer.toString())) { ENVOY_LOG(debug, "UpstreamSocketManager: FD: {}: response is not RPING", fd); - markSocketDead(fd); + // Treat as a miss; do not immediately kill unless threshold crossed. + onPingTimeout(fd); return; } ENVOY_LOG(trace, "UpstreamSocketManager: FD: {}: received ping response", fd); fd_to_timer_map_[fd]->disableTimer(); + // Reset miss counter on success. + fd_to_miss_count_.erase(fd); } void UpstreamSocketManager::pingConnections(const std::string& node_id) { @@ -399,6 +402,19 @@ void UpstreamSocketManager::pingConnections() { ping_timer_->enableTimer(ping_interval_); } +void UpstreamSocketManager::onPingTimeout(const int fd) { + ENVOY_LOG(debug, "UpstreamSocketManager: ping timeout (or invalid ping) for fd {}", fd); + // Increment miss count and evaluate threshold. + const uint32_t misses = ++fd_to_miss_count_[fd]; + ENVOY_LOG(trace, "UpstreamSocketManager: fd {} miss count {}", fd, misses); + if (misses >= miss_threshold_) { + ENVOY_LOG(debug, "UpstreamSocketManager: fd {} exceeded miss threshold {} — marking dead", fd, + miss_threshold_); + fd_to_miss_count_.erase(fd); + markSocketDead(fd); + } +} + UpstreamSocketManager::~UpstreamSocketManager() { ENVOY_LOG(debug, "UpstreamSocketManager: destructor called"); diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h index 43d435f8abb96..05e34f79331c7 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h @@ -91,6 +91,19 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, */ void onPingResponse(Network::IoHandle& io_handle); + /** + * Handle ping response timeout for a specific socket. + * Increments miss count and marks socket dead if threshold reached. + * @param fd the file descriptor whose ping timed out. + */ + void onPingTimeout(int fd); + + /** + * Set the miss threshold (consecutive misses before marking a socket dead). + * @param threshold minimum value 1. + */ + void setMissThreshold(uint32_t threshold) { miss_threshold_ = std::max(1, threshold); } + /** * Get the upstream extension for stats integration. * @return pointer to the upstream extension or nullptr if not available. @@ -126,6 +139,12 @@ class UpstreamSocketManager : public ThreadLocal::ThreadLocalObject, absl::flat_hash_map fd_to_event_map_; absl::flat_hash_map fd_to_timer_map_; + // Track consecutive ping misses per file descriptor. + absl::flat_hash_map fd_to_miss_count_; + // Miss threshold before declaring a socket dead. + static constexpr uint32_t kDefaultMissThreshold = 3; + uint32_t miss_threshold_{kDefaultMissThreshold}; + Event::TimerPtr ping_timer_; std::chrono::seconds ping_interval_{0}; diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc index ee8ade1e45a77..cb4b5b8c97b15 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc @@ -1,10 +1,12 @@ #include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" +#include "source/common/network/utility.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.h" #include "source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.h" #include "test/mocks/event/mocks.h" +#include "test/mocks/network/mocks.h" #include "test/mocks/server/factory_context.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" @@ -328,6 +330,64 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, CreateEmptyConfigProto) { EXPECT_NE(typed_proto, nullptr); } +TEST_F(ReverseTunnelAcceptorExtensionTest, MissThresholdOneMarksDeadOnFirstInvalidPing) { + // Recreate extension_ with threshold = 1. + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface cfg; + cfg.set_stat_prefix("test_prefix"); + cfg.mutable_ping_failure_threshold()->set_value(1); + extension_.reset(new ReverseTunnelAcceptorExtension(*socket_interface_, context_, cfg)); + + // Provide dispatcher to thread local and set expectations for timers/file events. + thread_local_.setDispatcher(&dispatcher_); + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + + // Use helper to install TLS registry for the (recreated) extension_. + setupThreadLocalSlot(); + + // Get the registry and socket manager back through the API and apply threshold. + auto* registry = extension_->getLocalRegistry(); + ASSERT_NE(registry, nullptr); + auto* socket_manager = registry->socketManager(); + ASSERT_NE(socket_manager, nullptr); + socket_manager->setMissThreshold(extension_->pingFailureThreshold()); + + // Create a mock socket with FD and addresses. + auto socket = std::make_unique>(); + auto io_handle = std::make_unique>(); + EXPECT_CALL(*io_handle, fdDoNotUse()).WillRepeatedly(testing::Return(123)); + EXPECT_CALL(*socket, ioHandle()).WillRepeatedly(testing::ReturnRef(*io_handle)); + socket->io_handle_ = std::move(io_handle); + + auto local_address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 10000); + auto remote_address = Network::Utility::parseInternetAddressNoThrow("127.0.0.1", 10001); + socket->connection_info_provider_->setLocalAddress(local_address); + socket->connection_info_provider_->setRemoteAddress(remote_address); + + const std::string node_id = "n1"; + const std::string cluster_id = "c1"; + socket_manager->addConnectionSocket(node_id, cluster_id, std::move(socket), + std::chrono::seconds(30), false); + + // Simulate an invalid ping response (not RPING). With threshold=1, one miss should kill it. + NiceMock mock_read_handle; + EXPECT_CALL(mock_read_handle, fdDoNotUse()).WillRepeatedly(testing::Return(123)); + EXPECT_CALL(mock_read_handle, read(testing::_, testing::_)) + .WillOnce(testing::Invoke([](Buffer::Instance& buffer, absl::optional) { + buffer.add("XXXXX"); // 5 bytes, not RPING + return Api::IoCallUint64Result{5, Api::IoError::none()}; + })); + + socket_manager->onPingResponse(mock_read_handle); + + // With threshold=1, the socket should be marked dead immediately. + auto retrieved = socket_manager->getConnectionSocket(node_id); + EXPECT_EQ(retrieved, nullptr); +} + TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { EXPECT_EQ(socket_interface_->name(), "envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); } diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc index 83dd07f61012a..8f37d69e50e04 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager_test.cc @@ -715,8 +715,13 @@ TEST_F(TestUpstreamSocketManager, OnPingResponseInvalidData) { return Api::IoCallUint64Result{invalid_response.size(), Api::IoError::none()}; }); + // First invalid response should increment miss count but not immediately remove the fd. socket_manager_->onPingResponse(*mock_io_handle); + EXPECT_TRUE(verifyFDToNodeMap(123)); + // Simulate two more timeouts to cross the default threshold (3). + socket_manager_->onPingTimeout(123); + socket_manager_->onPingTimeout(123); EXPECT_FALSE(verifyFDToNodeMap(123)); } diff --git a/test/extensions/filters/network/reverse_tunnel/BUILD b/test/extensions/filters/network/reverse_tunnel/BUILD index 99f041894b867..dc39413b403dc 100644 --- a/test/extensions/filters/network/reverse_tunnel/BUILD +++ b/test/extensions/filters/network/reverse_tunnel/BUILD @@ -72,6 +72,7 @@ envoy_extension_cc_test( "//test/test_common:logging_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/transport_sockets/internal_upstream/v3:pkg_cc_proto", ], diff --git a/test/extensions/filters/network/reverse_tunnel/integration_test.cc b/test/extensions/filters/network/reverse_tunnel/integration_test.cc index d9b6af8f4082d..76356d0d9c959 100644 --- a/test/extensions/filters/network/reverse_tunnel/integration_test.cc +++ b/test/extensions/filters/network/reverse_tunnel/integration_test.cc @@ -1,6 +1,7 @@ #include #include "envoy/config/bootstrap/v3/bootstrap.pb.h" +#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" #include "envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.pb.h" @@ -480,6 +481,107 @@ TEST_P(ReverseTunnelFilterIntegrationTest, EndToEndReverseConnectionHandshake) { 2); // 2 listeners in this test } +// Verify that setting a miss threshold via the upstream bootstrap extension is plumbed and +// that reverse connection gauges drop to zero after reverse connection listener is drained. +TEST_P(ReverseTunnelFilterIntegrationTest, ThresholdConfigPlumbedAndGaugesDropOnDisconnect) { + DISABLE_IF_ADMIN_DISABLED; + + const uint32_t upstream_port = GetParam() == Network::Address::IpVersion::v4 ? 16000 : 16001; + const std::string loopback_addr = + GetParam() == Network::Address::IpVersion::v4 ? "127.0.0.1" : "::1"; + + // Set the upstream bootstrap extension ping_miss_threshold to 1 via a config modifier so it + // applies to the bootstrap extension added in initialize(). + config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + for (auto& ext : *bootstrap.mutable_bootstrap_extensions()) { + if (ext.name() == "envoy.bootstrap.reverse_tunnel.upstream_socket_interface") { + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface cfg; + ext.mutable_typed_config()->UnpackTo(&cfg); + cfg.mutable_ping_failure_threshold()->set_value(1); + ext.mutable_typed_config()->PackFrom(cfg); + } + } + }); + + // Configure listeners and clusters similar to the end-to-end test, but with a short ping interval + // so pings are active during the test window. + config_helper_.addConfigModifier([upstream_port, loopback_addr]( + envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + bootstrap.mutable_static_resources()->clear_listeners(); + + // Ensure admin interface is configured. + if (!bootstrap.has_admin()) { + auto* admin = bootstrap.mutable_admin(); + auto* admin_address = admin->mutable_address()->mutable_socket_address(); + admin_address->set_address(loopback_addr); + admin_address->set_port_value(0); + } + + // Upstream listener with reverse_tunnel filter and short ping interval. + auto* upstream_listener = bootstrap.mutable_static_resources()->add_listeners(); + upstream_listener->set_name("upstream_listener"); + upstream_listener->mutable_address()->mutable_socket_address()->set_address(loopback_addr); + upstream_listener->mutable_address()->mutable_socket_address()->set_port_value(upstream_port); + + auto* upstream_chain = upstream_listener->add_filter_chains(); + auto* rt_filter = upstream_chain->add_filters(); + rt_filter->set_name("envoy.filters.network.reverse_tunnel"); + envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel rt_config; + rt_config.mutable_ping_interval()->set_seconds(1); + rt_config.set_auto_close_connections(false); + rt_config.set_request_path("/reverse_connections/request"); + rt_config.set_request_method(envoy::config::core::v3::GET); + rt_filter->mutable_typed_config()->PackFrom(rt_config); + + // Reverse connection listener (initiator). + auto* rc_listener = bootstrap.mutable_static_resources()->add_listeners(); + rc_listener->set_name("reverse_connection_listener"); + auto* rc_address = rc_listener->mutable_address()->mutable_socket_address(); + rc_address->set_address( + "rc://threshold-node:threshold-cluster:threshold-tenant@upstream_cluster:1"); + rc_address->set_port_value(0); + rc_address->set_resolver_name("envoy.resolvers.reverse_connection"); + auto* rc_chain = rc_listener->add_filter_chains(); + auto* echo_filter = rc_chain->add_filters(); + echo_filter->set_name("envoy.filters.network.echo"); + echo_filter->mutable_typed_config()->set_type_url( + "type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo"); + + // Backing cluster for upstream listener. + auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); + cluster->set_name("upstream_cluster"); + cluster->set_type(envoy::config::cluster::v3::Cluster::STATIC); + cluster->mutable_load_assignment()->set_cluster_name("upstream_cluster"); + auto* locality = cluster->mutable_load_assignment()->add_endpoints(); + auto* lb_endpoint = locality->add_lb_endpoints(); + auto* endpoint = lb_endpoint->mutable_endpoint(); + auto* addr = endpoint->mutable_address()->mutable_socket_address(); + addr->set_address(loopback_addr); + addr->set_port_value(upstream_port); + }); + + initialize(); + registerTestServerPorts({}); + + // Wait for reverse connections and counters. + test_server_->waitForGaugeGe("reverse_connections.nodes.threshold-node", 1); + test_server_->waitForGaugeGe("reverse_connections.clusters.threshold-cluster", 1); + test_server_->waitForCounterGe("reverse_tunnel.handshake.accepted", 1); + + // Drain the reverse connection listener to close sockets and validate gauges drop to zero. + BufferingStreamDecoderPtr admin_response = IntegrationUtil::makeSingleRequest( + lookupPort("admin"), "POST", "/drain_listeners", "", Http::CodecType::HTTP1, GetParam()); + EXPECT_TRUE(admin_response->complete()); + EXPECT_EQ("200", admin_response->headers().getStatusValue()); + + // Both listeners eventually stop. Verify gauges drop to 0 for the reverse connection + // node/cluster. + test_server_->waitForCounterGe("listener_manager.listener_stopped", 2); + test_server_->waitForGaugeEq("reverse_connections.nodes.threshold-node", 0); + test_server_->waitForGaugeEq("reverse_connections.clusters.threshold-cluster", 0); +} + } // namespace } // namespace ReverseTunnel } // namespace NetworkFilters From 2f8cdcf0f173130e0945330516d8d6236ef9ee99 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 25 Sep 2025 06:26:47 +0000 Subject: [PATCH 499/505] fix ping reply logic in downstream_reverse_connection_io_handle, add unit tests Signed-off-by: Basundhara Chakrabarty --- ...downstream_reverse_connection_io_handle.cc | 47 +- .../upstream_socket_manager.cc | 23 +- .../downstream_socket_interface/BUILD | 18 + ...tream_reverse_connection_io_handle_test.cc | 547 ++++++++++++++++++ .../reverse_connection_io_handle_test.cc | 141 ----- .../upstream_socket_interface/BUILD | 1 + .../reverse_tunnel_acceptor_extension_test.cc | 42 ++ .../filters/network/reverse_tunnel/BUILD | 1 - .../reverse_tunnel/integration_test.cc | 102 ---- 9 files changed, 651 insertions(+), 271 deletions(-) create mode 100644 test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle_test.cc diff --git a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc index f165593f35ea5..211a51c8fea10 100644 --- a/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc +++ b/source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.cc @@ -34,23 +34,26 @@ DownstreamReverseConnectionIOHandle::read(Buffer::Instance& buffer, absl::optional max_length) { // Perform the actual read first. Api::IoCallUint64Result result = IoSocketHandleImpl::read(buffer, max_length); + ENVOY_LOG(trace, "DownstreamReverseConnectionIOHandle: read result: {}", result.return_value_); + ENVOY_LOG(trace, "DownstreamReverseConnectionIOHandle: read data {}", buffer.toString()); - // If ping echoing is still active, inspect incoming data for RPING and echo back. + // If RPING keepalives are still active, check whether the incoming data is a RPING message. if (ping_echo_active_ && result.err_ == nullptr && result.return_value_ > 0) { const uint64_t expected = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::PING_MESSAGE .size(); - // Copy out up to expected bytes to check for RPING without destroying app payload semantics. + // Copy out up to expected bytes to check for RPING. const uint64_t len = std::min(buffer.length(), expected); std::string peek; peek.resize(static_cast(len)); buffer.copyOut(0, len, peek.data()); - // If we have at least expected bytes, check direct match. + // Check if we have a complete RPING message. if (len == expected && ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility::isPingMessage( peek)) { + // Found complete RPING - echo it back and drain from buffer. buffer.drain(expected); auto echo_rc = ::Envoy::Extensions::Bootstrap::ReverseConnection::ReverseConnectionUtility:: sendPingResponse(*this); @@ -60,24 +63,44 @@ DownstreamReverseConnectionIOHandle::read(Buffer::Instance& buffer, } else { ENVOY_LOG(trace, "DownstreamReverseConnectionIOHandle: echoed RPING on FD: {}", fd_); } - // If buffer now only contained RPING, suppress delivery to upper layers. + + // If buffer only contained RPING, return showing we processed it. if (buffer.length() == 0) { - return Api::IoCallUint64Result{0, Api::IoError::none()}; + return Api::IoCallUint64Result{expected, Api::IoError::none()}; } - // There is remaining data beyond RPING; continue returning remaining data this call. - // Report number of bytes excluding the drained ping. + + // Mixed RPING + application data: disable echo and return remaining data. + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: received application data after RPING, " + "disabling RPING echo for FD: {}", + fd_); + ping_echo_active_ = false; + // The adjusted return value is the number of bytes excluding the drained RPING. It should be + // transparent to upper layers that the RPING was processed. const uint64_t adjusted = (result.return_value_ >= expected) ? (result.return_value_ - expected) : 0; return Api::IoCallUint64Result{adjusted, Api::IoError::none()}; } - // If fewer than expected bytes, we cannot conclusively detect ping yet; wait for more bytes. + // Check if partial data could be start of RPING (only if we have less than expected bytes). if (len < expected) { - // Do nothing; a subsequent read will deliver more bytes. - } else { - // We had expected bytes but not RPING; disable echo permanently. - ping_echo_active_ = false; + const std::string rping_prefix = + std::string(ReverseConnectionUtility::PING_MESSAGE.substr(0, len)); + if (peek == rping_prefix) { + ENVOY_LOG(trace, + "DownstreamReverseConnectionIOHandle: partial RPING received ({} bytes), waiting " + "for more", + len); + return result; // Wait for more data. + } } + + // Not RPING (either complete non-RPING data or partial non-RPING data) - disable echo. + ENVOY_LOG(debug, + "DownstreamReverseConnectionIOHandle: received application data ({} bytes), " + "permanently disabling RPING echo for FD: {}", + len, fd_); + ping_echo_active_ = false; } return result; diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc index 8f99c36ff5528..a267534490b57 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/upstream_socket_manager.cc @@ -40,7 +40,8 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, const int fd = socket->ioHandle().fdDoNotUse(); const std::string& connectionKey = socket->connectionInfoProvider().localAddress()->asString(); - ENVOY_LOG(debug, "reverse_tunnel: adding socket for node: {}, cluster: {}", node_id, cluster_id); + ENVOY_LOG(debug, "reverse_tunnel: adding socket with FD: {} for node: {}, cluster: {}", fd, + node_id, cluster_id); // Store node -> cluster mapping. ENVOY_LOG(trace, "reverse_tunnel: adding mapping node: {} -> cluster: {}", node_id, cluster_id); @@ -48,24 +49,18 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, node_to_cluster_map_[node_id] = cluster_id; cluster_to_node_map_[cluster_id].push_back(node_id); } - ENVOY_LOG(trace, - "UpstreamSocketManager: node_to_cluster_map_ has {} entries, cluster_to_node_map_ has " - "{} entries", - node_to_cluster_map_.size(), cluster_to_node_map_.size()); - - ENVOY_LOG(trace, - "UpstreamSocketManager: added socket to accepted_reverse_connections_ for node: {} " - "cluster: {}", - node_id, cluster_id); + + fd_to_node_map_[fd] = node_id; + // Initialize the ping timer before adding the socket to accepted_reverse_connections_. + // This is to prevent a race condition between pingConnections() and addConnectionSocket() + // where the timer is not initialized when pingConnections() tries to enable it. + fd_to_timer_map_[fd] = dispatcher_.createTimer([this, fd]() { onPingTimeout(fd); }); // If local envoy is responding to reverse connections, add the socket to // accepted_reverse_connections_. Thereafter, initiate ping keepalives on the socket. accepted_reverse_connections_[node_id].push_back(std::move(socket)); Network::ConnectionSocketPtr& socket_ref = accepted_reverse_connections_[node_id].back(); - ENVOY_LOG(debug, "reverse_tunnel: mapping fd {} to node: {}", fd, node_id); - fd_to_node_map_[fd] = node_id; - // Update stats registry if (auto extension = getUpstreamExtension()) { extension->updateConnectionStats(node_id, cluster_id, true /* increment */); @@ -83,8 +78,6 @@ void UpstreamSocketManager::addConnectionSocket(const std::string& node_id, }, Event::FileTriggerType::Edge, Event::FileReadyType::Read); - fd_to_timer_map_[fd] = dispatcher_.createTimer([this, fd]() { onPingTimeout(fd); }); - // Initiate ping keepalives on the socket. tryEnablePingTimer(std::chrono::seconds(ping_interval.count())); diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD index 30d472a1d73c7..e0ab471193d60 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/BUILD @@ -67,6 +67,24 @@ envoy_cc_test( ], ) +envoy_cc_test( + name = "downstream_reverse_connection_io_handle_test", + size = "medium", + srcs = ["downstream_reverse_connection_io_handle_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_connection_io_handle_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_extension_lib", + "//source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface:reverse_tunnel_initiator_lib", + "//test/mocks/event:event_mocks", + "//test/mocks/server:factory_context_mocks", + "//test/mocks/stats:stats_mocks", + "//test/mocks/thread_local:thread_local_mocks", + "//test/mocks/upstream:upstream_mocks", + "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3:pkg_cc_proto", + ], +) + envoy_cc_test( name = "reverse_connection_address_test", size = "medium", diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle_test.cc new file mode 100644 index 0000000000000..c9456cf26663a --- /dev/null +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle_test.cc @@ -0,0 +1,547 @@ +#include +#include +#include + +#include + +#include "envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.pb.h" +#include "envoy/server/factory_context.h" +#include "envoy/thread_local/thread_local.h" + +#include "source/common/buffer/buffer_impl.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/io_socket_error_impl.h" +#include "source/common/network/socket_impl.h" +#include "source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/downstream_reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator.h" +#include "source/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_tunnel_initiator_extension.h" + +#include "test/mocks/event/mocks.h" +#include "test/mocks/network/mocks.h" +#include "test/mocks/server/factory_context.h" +#include "test/mocks/stats/mocks.h" +#include "test/mocks/thread_local/mocks.h" +#include "test/mocks/upstream/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using testing::_; +using testing::Invoke; +using testing::NiceMock; +using testing::Return; +using testing::ReturnRef; + +namespace Envoy { +namespace Extensions { +namespace Bootstrap { +namespace ReverseConnection { + +// Base test class for ReverseConnectionIOHandle (minimal version for +// DownstreamReverseConnectionIOHandleTest) +class ReverseConnectionIOHandleTestBase : public testing::Test { +protected: + ReverseConnectionIOHandleTestBase() { + // Set up the stats scope. + stats_scope_ = Stats::ScopeSharedPtr(stats_store_.createScope("test_scope.")); + + // Set up the mock context. + EXPECT_CALL(context_, threadLocal()).WillRepeatedly(ReturnRef(thread_local_)); + EXPECT_CALL(context_, scope()).WillRepeatedly(ReturnRef(*stats_scope_)); + EXPECT_CALL(context_, clusterManager()).WillRepeatedly(ReturnRef(cluster_manager_)); + + // Create the socket interface. + socket_interface_ = std::make_unique(context_); + + // Create the extension. + extension_ = std::make_unique(context_, config_); + + // Set up mock dispatcher with default expectations. + EXPECT_CALL(dispatcher_, createTimer_(_)) + .WillRepeatedly(testing::ReturnNew>()); + EXPECT_CALL(dispatcher_, createFileEvent_(_, _, _, _)) + .WillRepeatedly(testing::ReturnNew>()); + } + + void TearDown() override { + io_handle_.reset(); + extension_.reset(); + socket_interface_.reset(); + } + + // Helper to create a ReverseConnectionIOHandle with specified configuration. + std::unique_ptr + createTestIOHandle(const ReverseConnectionSocketConfig& config) { + // Create a test socket file descriptor. + int test_fd = ::socket(AF_INET, SOCK_STREAM, 0); + EXPECT_GE(test_fd, 0); + + // Create the IO handle. + return std::make_unique(test_fd, config, cluster_manager_, + extension_.get(), *stats_scope_); + } + + // Helper to create a default test configuration. + ReverseConnectionSocketConfig createDefaultTestConfig() { + ReverseConnectionSocketConfig config; + config.src_cluster_id = "test-cluster"; + config.src_node_id = "test-node"; + config.enable_circuit_breaker = true; + config.remote_clusters.push_back(RemoteClusterConnectionConfig("remote-cluster", 2)); + return config; + } + + NiceMock context_; + NiceMock thread_local_; + Stats::IsolatedStoreImpl stats_store_; + Stats::ScopeSharedPtr stats_scope_; + NiceMock dispatcher_{"worker_0"}; + + envoy::extensions::bootstrap::reverse_tunnel::downstream_socket_interface::v3:: + DownstreamReverseConnectionSocketInterface config_; + + std::unique_ptr socket_interface_; + std::unique_ptr extension_; + std::unique_ptr io_handle_; + + // Mock cluster manager. + NiceMock cluster_manager_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); + + // Mock socket for testing. + std::unique_ptr mock_socket_; +}; + +/** + * Test class for DownstreamReverseConnectionIOHandle. + */ +class DownstreamReverseConnectionIOHandleTest : public ReverseConnectionIOHandleTestBase { +protected: + void SetUp() override { + ReverseConnectionIOHandleTestBase::SetUp(); + + // Initialize io_handle_ for testing. + auto config = createDefaultTestConfig(); + io_handle_ = createTestIOHandle(config); + EXPECT_NE(io_handle_, nullptr); + + // Create a mock socket for testing. + mock_socket_ = std::make_unique>(); + auto mock_io_handle_unique = std::make_unique>(); + mock_io_handle_ = mock_io_handle_unique.get(); + + // Set up basic mock expectations. + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD + EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + } + + void TearDown() override { + mock_socket_.reset(); + ReverseConnectionIOHandleTestBase::TearDown(); + } + + // Helper to create a DownstreamReverseConnectionIOHandle. + std::unique_ptr + createHandle(ReverseConnectionIOHandle* parent = nullptr, + const std::string& connection_key = "test_connection_key") { + // Create a new mock socket for each handle to avoid releasing the shared one. + auto new_mock_socket = std::make_unique>(); + auto new_mock_io_handle = std::make_unique>(); + + // Store the raw pointer before moving + mock_io_handle_ = new_mock_io_handle.get(); + + // Set up basic mock expectations. + EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD + EXPECT_CALL(*new_mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); + + auto socket_ptr = std::unique_ptr(new_mock_socket.release()); + return std::make_unique(std::move(socket_ptr), parent, + connection_key); + } + + // Test fixtures. + std::unique_ptr> mock_socket_; + NiceMock* mock_io_handle_; // Raw pointer, managed by socket +}; + +// Test constructor and destructor. +TEST_F(DownstreamReverseConnectionIOHandleTest, Setup) { + // Test constructor with parent. + { + auto handle = createHandle(io_handle_.get(), "test_key_1"); + EXPECT_NE(handle, nullptr); + // Test fdDoNotUse() before any other operations. + EXPECT_EQ(handle->fdDoNotUse(), 42); + } // Destructor called here + + // Test constructor without parent. + { + auto handle = createHandle(nullptr, "test_key_2"); + EXPECT_NE(handle, nullptr); + // Test fdDoNotUse() before any other operations. + EXPECT_EQ(handle->fdDoNotUse(), 42); + } // Destructor called here +} + +// Test close() method and all edge cases. +TEST_F(DownstreamReverseConnectionIOHandleTest, CloseMethod) { + // Test with parent - should notify parent and reset socket. + { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Verify that parent is set correctly. + EXPECT_NE(io_handle_.get(), nullptr); + + // First close - should notify parent and reset owned_socket. + auto result1 = handle->close(); + EXPECT_EQ(result1.err_, nullptr); + + // Second close - should return immediately without notifying parent (fd < 0). + auto result2 = handle->close(); + EXPECT_EQ(result2.err_, nullptr); + } +} + +// Test getSocket() method. +TEST_F(DownstreamReverseConnectionIOHandleTest, GetSocket) { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Test getSocket() returns the owned socket. + const auto& socket = handle->getSocket(); + EXPECT_NE(&socket, nullptr); + + // Test getSocket() works on const object. + const auto const_handle = createHandle(io_handle_.get(), "test_key"); + const auto& const_socket = const_handle->getSocket(); + EXPECT_NE(&const_socket, nullptr); + + // Test that getSocket() works before close() is called. + EXPECT_EQ(handle->fdDoNotUse(), 42); +} + +// Test ignoreCloseAndShutdown() functionality. +TEST_F(DownstreamReverseConnectionIOHandleTest, IgnoreCloseAndShutdown) { + auto handle = createHandle(io_handle_.get(), "test_key"); + + // Initially, close and shutdown should work normally + // Test shutdown before ignoring - we don't check the result since it depends on base + // implementation + handle->shutdown(SHUT_RDWR); + + // Now enable ignore mode + handle->ignoreCloseAndShutdown(); + + // Test that close() is ignored when flag is set + auto close_result = handle->close(); + EXPECT_EQ(close_result.err_, nullptr); // Should return success but do nothing + + // Test that shutdown() is ignored when flag is set + auto shutdown_result2 = handle->shutdown(SHUT_RDWR); + EXPECT_EQ(shutdown_result2.return_value_, 0); + EXPECT_EQ(shutdown_result2.errno_, 0); + + // Test different shutdown modes are all ignored + auto shutdown_rd = handle->shutdown(SHUT_RD); + EXPECT_EQ(shutdown_rd.return_value_, 0); + EXPECT_EQ(shutdown_rd.errno_, 0); + + auto shutdown_wr = handle->shutdown(SHUT_WR); + EXPECT_EQ(shutdown_wr.return_value_, 0); + EXPECT_EQ(shutdown_wr.errno_, 0); +} + +// Test read() method with real socket pairs to test RPING handling. +TEST_F(DownstreamReverseConnectionIOHandleTest, ReadRpingEchoScenarios) { + const std::string rping_msg = std::string(ReverseConnectionUtility::PING_MESSAGE); + + // Complete RPING message - should be echoed and drained. + { + // Create a socket pair. + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + // Create a mock socket with real file descriptor + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + // Store the io handle in the socket. + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + // Create handle with the socket. + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key"); + + // Write RPING to the other end of the socket pair. + ssize_t written = write(fds[1], rping_msg.data(), rping_msg.size()); + ASSERT_EQ(written, static_cast(rping_msg.size())); + + // Read should process RPING and return the size (indicating RPING was handled). + Buffer::OwnedImpl buffer; + auto result = handle->read(buffer, absl::nullopt); + + EXPECT_EQ(result.return_value_, rping_msg.size()); + EXPECT_EQ(result.err_, nullptr); + EXPECT_EQ(buffer.length(), 0); // RPING should be drained. + + // Verify RPING echo was sent back. + char echo_buffer[10]; + ssize_t echo_read = read(fds[1], echo_buffer, sizeof(echo_buffer)); + EXPECT_EQ(echo_read, static_cast(rping_msg.size())); + EXPECT_EQ(std::string(echo_buffer, echo_read), rping_msg); + + close(fds[1]); + } + + // RPING + application data - echo RPING, keep app data, disable echo. + { + // Create another socket pair. + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key2"); + + const std::string app_data = "GET /path HTTP/1.1\r\n"; + const std::string combined = rping_msg + app_data; + + // Write combined data to socket. + ssize_t written = write(fds[1], combined.data(), combined.size()); + ASSERT_EQ(written, static_cast(combined.size())); + + // Read should process RPING and return only app data size. + Buffer::OwnedImpl buffer; + auto result = handle->read(buffer, absl::nullopt); + + EXPECT_EQ(result.return_value_, app_data.size()); // Only app data size + EXPECT_EQ(result.err_, nullptr); + EXPECT_EQ(buffer.toString(), app_data); // Only app data remains + + // Verify RPING echo was sent back. + char echo_buffer[10]; + ssize_t echo_read = read(fds[1], echo_buffer, sizeof(echo_buffer)); + EXPECT_EQ(echo_read, static_cast(rping_msg.size())); + EXPECT_EQ(std::string(echo_buffer, echo_read), rping_msg); + + close(fds[1]); + } + + // Non-RPING data should disable echo and pass through. + { + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key3"); + + const std::string http_data = "GET /path HTTP/1.1\r\n"; + + // Write HTTP data to socket. + ssize_t written = write(fds[1], http_data.data(), http_data.size()); + ASSERT_EQ(written, static_cast(http_data.size())); + + // Read should return all HTTP data without processing. + Buffer::OwnedImpl buffer; + auto result = handle->read(buffer, absl::nullopt); + + EXPECT_EQ(result.return_value_, http_data.size()); + EXPECT_EQ(result.err_, nullptr); + EXPECT_EQ(buffer.toString(), http_data); + + // Verify no echo was sent back. + char echo_buffer[10]; + // Set socket to non-blocking to avoid hanging. + int flags = fcntl(fds[1], F_GETFL, 0); + fcntl(fds[1], F_SETFL, flags | O_NONBLOCK); + ssize_t echo_read = read(fds[1], echo_buffer, sizeof(echo_buffer)); + EXPECT_EQ(echo_read, -1); + EXPECT_EQ(errno, EAGAIN); // No data available + + close(fds[1]); + } +} + +// Test read() method with partial data handling using real sockets. +TEST_F(DownstreamReverseConnectionIOHandleTest, ReadPartialDataAndStateTransitions) { + const std::string rping_msg = std::string(ReverseConnectionUtility::PING_MESSAGE); + + // Test partial RPING - should pass through and wait for more data. + { + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key"); + + // Write partial RPING (first 3 bytes). + const std::string partial_rping = rping_msg.substr(0, 3); + ssize_t written = write(fds[1], partial_rping.data(), partial_rping.size()); + ASSERT_EQ(written, static_cast(partial_rping.size())); + + // Read should return the partial data as-is. + Buffer::OwnedImpl buffer; + auto result = handle->read(buffer, absl::nullopt); + + EXPECT_EQ(result.return_value_, 3); + EXPECT_EQ(result.err_, nullptr); + EXPECT_EQ(buffer.toString(), partial_rping); + + close(fds[1]); + } + + // Test non-RPING data - should disable echo permanently. + { + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key2"); + + const std::string http_data = "GET /path"; + + // Write HTTP data. + ssize_t written = write(fds[1], http_data.data(), http_data.size()); + ASSERT_EQ(written, static_cast(http_data.size())); + + // Read should return HTTP data and disable echo. + Buffer::OwnedImpl buffer; + auto result = handle->read(buffer, absl::nullopt); + + EXPECT_EQ(result.return_value_, http_data.size()); + EXPECT_EQ(result.err_, nullptr); + EXPECT_EQ(buffer.toString(), http_data); + + // Verify no echo was sent. + char echo_buffer[10]; + int flags = fcntl(fds[1], F_GETFL, 0); + fcntl(fds[1], F_SETFL, flags | O_NONBLOCK); + ssize_t echo_read = read(fds[1], echo_buffer, sizeof(echo_buffer)); + EXPECT_EQ(echo_read, -1); + EXPECT_EQ(errno, EAGAIN); + + close(fds[1]); + } +} + +// Test read() method in scenarios where echo is disabled. +TEST_F(DownstreamReverseConnectionIOHandleTest, ReadEchoDisabledAndErrorHandling) { + const std::string rping_msg = std::string(ReverseConnectionUtility::PING_MESSAGE); + + // Test that after echo is disabled, RPING passes through without processing. + { + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key"); + + // First, disable echo by sending HTTP data. + const std::string http_data = "HTTP/1.1"; + ssize_t written = write(fds[1], http_data.data(), http_data.size()); + ASSERT_EQ(written, static_cast(http_data.size())); + + Buffer::OwnedImpl buffer1; + handle->read(buffer1, absl::nullopt); + EXPECT_EQ(buffer1.toString(), http_data); + + // Now send RPING - it should pass through without echo. + written = write(fds[1], rping_msg.data(), rping_msg.size()); + ASSERT_EQ(written, static_cast(rping_msg.size())); + + Buffer::OwnedImpl buffer2; + auto result = handle->read(buffer2, absl::nullopt); + + EXPECT_EQ(result.return_value_, rping_msg.size()); + EXPECT_EQ(result.err_, nullptr); + EXPECT_EQ(buffer2.toString(), rping_msg); // RPING data preserved + + // Verify no echo was sent. + char echo_buffer[10]; + int flags = fcntl(fds[1], F_GETFL, 0); + fcntl(fds[1], F_SETFL, flags | O_NONBLOCK); + ssize_t echo_read = read(fds[1], echo_buffer, sizeof(echo_buffer)); + EXPECT_EQ(echo_read, -1); + EXPECT_EQ(errno, EAGAIN); + + close(fds[1]); + } + + // Test EOF scenario - close the write end. + { + int fds[2]; + ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, fds), 0); + + auto mock_socket = std::make_unique>(); + auto mock_io_handle = std::make_unique(fds[0]); + EXPECT_CALL(*mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle)); + + auto* io_handle_ptr = mock_io_handle.release(); + mock_socket->io_handle_.reset(io_handle_ptr); + + auto socket_ptr = Network::ConnectionSocketPtr(mock_socket.release()); + auto handle = std::make_unique( + std::move(socket_ptr), io_handle_.get(), "test_key2"); + + // Close write end to simulate EOF. + close(fds[1]); + + Buffer::OwnedImpl buffer; + auto result = handle->read(buffer, absl::nullopt); + + EXPECT_EQ(result.return_value_, 0); // EOF + EXPECT_EQ(result.err_, nullptr); // No error, just EOF + EXPECT_EQ(buffer.length(), 0); + } +} + +} // namespace ReverseConnection +} // namespace Bootstrap +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc index ac9dc2aacd62a..94419077a73bd 100644 --- a/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/reverse_connection_io_handle_test.cc @@ -2876,147 +2876,6 @@ TEST_F(ReverseConnectionIOHandleTest, AcceptMethodSocketAndFdFailures) { } } -/** - * Test class for DownstreamReverseConnectionIOHandle. - */ -class DownstreamReverseConnectionIOHandleTest : public ReverseConnectionIOHandleTest { -protected: - void SetUp() override { - ReverseConnectionIOHandleTest::SetUp(); - - // Initialize io_handle_ for testing. - auto config = createDefaultTestConfig(); - io_handle_ = createTestIOHandle(config); - EXPECT_NE(io_handle_, nullptr); - - // Create a mock socket for testing. - mock_socket_ = std::make_unique>(); - mock_io_handle_ = std::make_unique>(); - - // Set up basic mock expectations. - EXPECT_CALL(*mock_io_handle_, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD - EXPECT_CALL(*mock_socket_, ioHandle()).WillRepeatedly(ReturnRef(*mock_io_handle_)); - - // Store the mock_io_handle in the socket. - mock_socket_->io_handle_ = std::move(mock_io_handle_); - } - - void TearDown() override { - mock_socket_.reset(); - ReverseConnectionIOHandleTest::TearDown(); - } - - // Helper to create a DownstreamReverseConnectionIOHandle. - std::unique_ptr - createHandle(ReverseConnectionIOHandle* parent = nullptr, - const std::string& connection_key = "test_connection_key") { - // Create a new mock socket for each handle to avoid releasing the shared one. - auto new_mock_socket = std::make_unique>(); - auto new_mock_io_handle = std::make_unique>(); - - // Set up basic mock expectations. - EXPECT_CALL(*new_mock_io_handle, fdDoNotUse()).WillRepeatedly(Return(42)); // Arbitrary FD - EXPECT_CALL(*new_mock_socket, ioHandle()).WillRepeatedly(ReturnRef(*new_mock_io_handle)); - - // Store the mock_io_handle in the socket. - new_mock_socket->io_handle_ = std::move(new_mock_io_handle); - - auto socket_ptr = std::unique_ptr(new_mock_socket.release()); - return std::make_unique(std::move(socket_ptr), parent, - connection_key); - } - - // Test fixtures. - std::unique_ptr> mock_socket_; - std::unique_ptr> mock_io_handle_; -}; - -// Test constructor and destructor. -TEST_F(DownstreamReverseConnectionIOHandleTest, Setup) { - // Test constructor with parent. - { - auto handle = createHandle(io_handle_.get(), "test_key_1"); - EXPECT_NE(handle, nullptr); - // Test fdDoNotUse() before any other operations. - EXPECT_EQ(handle->fdDoNotUse(), 42); - } // Destructor called here - - // Test constructor without parent. - { - auto handle = createHandle(nullptr, "test_key_2"); - EXPECT_NE(handle, nullptr); - // Test fdDoNotUse() before any other operations. - EXPECT_EQ(handle->fdDoNotUse(), 42); - } // Destructor called here -} - -// Test close() method and all edge cases. -TEST_F(DownstreamReverseConnectionIOHandleTest, CloseMethod) { - // Test with parent - should notify parent and reset socket. - { - auto handle = createHandle(io_handle_.get(), "test_key"); - - // Verify that parent is set correctly. - EXPECT_NE(io_handle_.get(), nullptr); - - // First close - should notify parent and reset owned_socket. - auto result1 = handle->close(); - EXPECT_EQ(result1.err_, nullptr); - - // Second close - should return immediately without notifying parent (fd < 0). - auto result2 = handle->close(); - EXPECT_EQ(result2.err_, nullptr); - } -} - -// Test getSocket() method. -TEST_F(DownstreamReverseConnectionIOHandleTest, GetSocket) { - auto handle = createHandle(io_handle_.get(), "test_key"); - - // Test getSocket() returns the owned socket. - const auto& socket = handle->getSocket(); - EXPECT_NE(&socket, nullptr); - - // Test getSocket() works on const object. - const auto const_handle = createHandle(io_handle_.get(), "test_key"); - const auto& const_socket = const_handle->getSocket(); - EXPECT_NE(&const_socket, nullptr); - - // Test that getSocket() works before close() is called. - EXPECT_EQ(handle->fdDoNotUse(), 42); -} - -// Test ignoreCloseAndShutdown() functionality. -TEST_F(DownstreamReverseConnectionIOHandleTest, IgnoreCloseAndShutdown) { - auto handle = createHandle(io_handle_.get(), "test_key"); - - // Initially, close and shutdown should work normally - // Test shutdown before ignoring - we don't check the result since it depends on base - // implementation - handle->shutdown(SHUT_RDWR); - - // Now enable ignore mode - handle->ignoreCloseAndShutdown(); - - // Test that close() is ignored when flag is set - auto close_result = handle->close(); - EXPECT_EQ(close_result.err_, nullptr); // Should return success but do nothing - - // Test that shutdown() is ignored when flag is set - auto shutdown_result2 = handle->shutdown(SHUT_RDWR); - EXPECT_EQ(shutdown_result2.return_value_, 0); - EXPECT_EQ(shutdown_result2.errno_, 0); - - // Test different shutdown modes are all ignored - auto shutdown_rd = handle->shutdown(SHUT_RD); - EXPECT_EQ(shutdown_rd.return_value_, 0); - EXPECT_EQ(shutdown_rd.errno_, 0); - - auto shutdown_wr = handle->shutdown(SHUT_WR); - EXPECT_EQ(shutdown_wr.return_value_, 0); - EXPECT_EQ(shutdown_wr.errno_, 0); -} - } // namespace ReverseConnection } // namespace Bootstrap } // namespace Extensions diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD index 607f4e8222b0f..c2db86a5312b1 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/BUILD @@ -38,6 +38,7 @@ envoy_cc_test( "//test/mocks/server:factory_context_mocks", "//test/mocks/stats:stats_mocks", "//test/mocks/thread_local:thread_local_mocks", + "//test/test_common:logging_lib", "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", ], ) diff --git a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc index cb4b5b8c97b15..41bba716429b5 100644 --- a/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc +++ b/test/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension_test.cc @@ -10,6 +10,7 @@ #include "test/mocks/server/factory_context.h" #include "test/mocks/stats/mocks.h" #include "test/mocks/thread_local/mocks.h" +#include "test/test_common/logging.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -75,6 +76,9 @@ class ReverseTunnelAcceptorExtensionTest : public testing::Test { NiceMock another_dispatcher_{"worker_1"}; std::shared_ptr another_thread_local_registry_; + + // Set log level to debug for this test class. + LogLevelSetter log_level_setter_ = LogLevelSetter(spdlog::level::debug); }; TEST_F(ReverseTunnelAcceptorExtensionTest, InitializeWithDefaultStatPrefix) { @@ -388,6 +392,44 @@ TEST_F(ReverseTunnelAcceptorExtensionTest, MissThresholdOneMarksDeadOnFirstInval EXPECT_EQ(retrieved, nullptr); } +TEST_F(ReverseTunnelAcceptorExtensionTest, PingFailureThresholdConfiguration) { + // Test default threshold value + EXPECT_EQ(extension_->pingFailureThreshold(), 3); // Default threshold should be 3. + + // Create extension with custom threshold = 5 + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface custom_config; + custom_config.set_stat_prefix("test_custom"); + custom_config.mutable_ping_failure_threshold()->set_value(5); + + auto custom_extension = + std::make_unique(*socket_interface_, context_, custom_config); + + EXPECT_EQ(custom_extension->pingFailureThreshold(), 5); + + // Test threshold = 1 (minimum value) + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface min_config; + min_config.set_stat_prefix("test_min"); + min_config.mutable_ping_failure_threshold()->set_value(1); + + auto min_extension = + std::make_unique(*socket_interface_, context_, min_config); + + EXPECT_EQ(min_extension->pingFailureThreshold(), 1); + + // Test very high threshold + envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: + UpstreamReverseConnectionSocketInterface max_config; + max_config.set_stat_prefix("test_max"); + max_config.mutable_ping_failure_threshold()->set_value(100); + + auto max_extension = + std::make_unique(*socket_interface_, context_, max_config); + + EXPECT_EQ(max_extension->pingFailureThreshold(), 100); +} + TEST_F(ReverseTunnelAcceptorExtensionTest, FactoryName) { EXPECT_EQ(socket_interface_->name(), "envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); } diff --git a/test/extensions/filters/network/reverse_tunnel/BUILD b/test/extensions/filters/network/reverse_tunnel/BUILD index dc39413b403dc..99f041894b867 100644 --- a/test/extensions/filters/network/reverse_tunnel/BUILD +++ b/test/extensions/filters/network/reverse_tunnel/BUILD @@ -72,7 +72,6 @@ envoy_extension_cc_test( "//test/test_common:logging_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", - "@envoy_api//envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/transport_sockets/internal_upstream/v3:pkg_cc_proto", ], diff --git a/test/extensions/filters/network/reverse_tunnel/integration_test.cc b/test/extensions/filters/network/reverse_tunnel/integration_test.cc index 76356d0d9c959..d9b6af8f4082d 100644 --- a/test/extensions/filters/network/reverse_tunnel/integration_test.cc +++ b/test/extensions/filters/network/reverse_tunnel/integration_test.cc @@ -1,7 +1,6 @@ #include #include "envoy/config/bootstrap/v3/bootstrap.pb.h" -#include "envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.pb.h" #include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h" #include "envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.pb.h" @@ -481,107 +480,6 @@ TEST_P(ReverseTunnelFilterIntegrationTest, EndToEndReverseConnectionHandshake) { 2); // 2 listeners in this test } -// Verify that setting a miss threshold via the upstream bootstrap extension is plumbed and -// that reverse connection gauges drop to zero after reverse connection listener is drained. -TEST_P(ReverseTunnelFilterIntegrationTest, ThresholdConfigPlumbedAndGaugesDropOnDisconnect) { - DISABLE_IF_ADMIN_DISABLED; - - const uint32_t upstream_port = GetParam() == Network::Address::IpVersion::v4 ? 16000 : 16001; - const std::string loopback_addr = - GetParam() == Network::Address::IpVersion::v4 ? "127.0.0.1" : "::1"; - - // Set the upstream bootstrap extension ping_miss_threshold to 1 via a config modifier so it - // applies to the bootstrap extension added in initialize(). - config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - for (auto& ext : *bootstrap.mutable_bootstrap_extensions()) { - if (ext.name() == "envoy.bootstrap.reverse_tunnel.upstream_socket_interface") { - envoy::extensions::bootstrap::reverse_tunnel::upstream_socket_interface::v3:: - UpstreamReverseConnectionSocketInterface cfg; - ext.mutable_typed_config()->UnpackTo(&cfg); - cfg.mutable_ping_failure_threshold()->set_value(1); - ext.mutable_typed_config()->PackFrom(cfg); - } - } - }); - - // Configure listeners and clusters similar to the end-to-end test, but with a short ping interval - // so pings are active during the test window. - config_helper_.addConfigModifier([upstream_port, loopback_addr]( - envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - bootstrap.mutable_static_resources()->clear_listeners(); - - // Ensure admin interface is configured. - if (!bootstrap.has_admin()) { - auto* admin = bootstrap.mutable_admin(); - auto* admin_address = admin->mutable_address()->mutable_socket_address(); - admin_address->set_address(loopback_addr); - admin_address->set_port_value(0); - } - - // Upstream listener with reverse_tunnel filter and short ping interval. - auto* upstream_listener = bootstrap.mutable_static_resources()->add_listeners(); - upstream_listener->set_name("upstream_listener"); - upstream_listener->mutable_address()->mutable_socket_address()->set_address(loopback_addr); - upstream_listener->mutable_address()->mutable_socket_address()->set_port_value(upstream_port); - - auto* upstream_chain = upstream_listener->add_filter_chains(); - auto* rt_filter = upstream_chain->add_filters(); - rt_filter->set_name("envoy.filters.network.reverse_tunnel"); - envoy::extensions::filters::network::reverse_tunnel::v3::ReverseTunnel rt_config; - rt_config.mutable_ping_interval()->set_seconds(1); - rt_config.set_auto_close_connections(false); - rt_config.set_request_path("/reverse_connections/request"); - rt_config.set_request_method(envoy::config::core::v3::GET); - rt_filter->mutable_typed_config()->PackFrom(rt_config); - - // Reverse connection listener (initiator). - auto* rc_listener = bootstrap.mutable_static_resources()->add_listeners(); - rc_listener->set_name("reverse_connection_listener"); - auto* rc_address = rc_listener->mutable_address()->mutable_socket_address(); - rc_address->set_address( - "rc://threshold-node:threshold-cluster:threshold-tenant@upstream_cluster:1"); - rc_address->set_port_value(0); - rc_address->set_resolver_name("envoy.resolvers.reverse_connection"); - auto* rc_chain = rc_listener->add_filter_chains(); - auto* echo_filter = rc_chain->add_filters(); - echo_filter->set_name("envoy.filters.network.echo"); - echo_filter->mutable_typed_config()->set_type_url( - "type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo"); - - // Backing cluster for upstream listener. - auto* cluster = bootstrap.mutable_static_resources()->add_clusters(); - cluster->set_name("upstream_cluster"); - cluster->set_type(envoy::config::cluster::v3::Cluster::STATIC); - cluster->mutable_load_assignment()->set_cluster_name("upstream_cluster"); - auto* locality = cluster->mutable_load_assignment()->add_endpoints(); - auto* lb_endpoint = locality->add_lb_endpoints(); - auto* endpoint = lb_endpoint->mutable_endpoint(); - auto* addr = endpoint->mutable_address()->mutable_socket_address(); - addr->set_address(loopback_addr); - addr->set_port_value(upstream_port); - }); - - initialize(); - registerTestServerPorts({}); - - // Wait for reverse connections and counters. - test_server_->waitForGaugeGe("reverse_connections.nodes.threshold-node", 1); - test_server_->waitForGaugeGe("reverse_connections.clusters.threshold-cluster", 1); - test_server_->waitForCounterGe("reverse_tunnel.handshake.accepted", 1); - - // Drain the reverse connection listener to close sockets and validate gauges drop to zero. - BufferingStreamDecoderPtr admin_response = IntegrationUtil::makeSingleRequest( - lookupPort("admin"), "POST", "/drain_listeners", "", Http::CodecType::HTTP1, GetParam()); - EXPECT_TRUE(admin_response->complete()); - EXPECT_EQ("200", admin_response->headers().getStatusValue()); - - // Both listeners eventually stop. Verify gauges drop to 0 for the reverse connection - // node/cluster. - test_server_->waitForCounterGe("listener_manager.listener_stopped", 2); - test_server_->waitForGaugeEq("reverse_connections.nodes.threshold-node", 0); - test_server_->waitForGaugeEq("reverse_connections.clusters.threshold-cluster", 0); -} - } // namespace } // namespace ReverseTunnel } // namespace NetworkFilters From 6741fed8f286a88d5753179026f6aba7f3655f48 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 25 Sep 2025 06:29:44 +0000 Subject: [PATCH 500/505] changes to reverse connection examples Signed-off-by: Basundhara Chakrabarty --- .../Dockerfile.xds | 0 examples/reverse_connection/README.md | 51 ------ .../reverse_connection/backend_service.py | 49 ------ .../backup}/cloud-envoy-grpc-enhanced.yaml | 0 .../backup}/cloud-envoy-grpc.yaml | 0 .../on-prem-envoy-custom-resolver-grpc.yaml | 0 .../backup}/on-prem-envoy-grpc.yaml | 0 .../backup}/test_grpc_handshake.sh | 0 .../backup}/test_logs.txt | 0 examples/reverse_connection/cloud-envoy.yaml | 101 ------------ .../reverse_connection/docker-compose.yaml | 48 +++++- .../docs/LIFE_OF_A_REQUEST.md | 0 .../docs/REVERSE_CONN_INITIATION.md | 0 .../docs/SOCKET_INTERFACES.md | 0 .../initiator-envoy.yaml} | 8 +- .../on-prem-envoy-custom-resolver.yaml | 148 ----------------- .../reverse_connection/on-prem-envoy.yaml | 152 ------------------ .../on-prem-envoy.yaml.backup | 152 ------------------ .../requirements.txt | 0 .../responder-envoy.yaml} | 0 examples/reverse_connection/start_test.sh | 52 ------ .../test_reverse_connections.py | 10 +- .../docker-compose.yaml | 55 ------- 23 files changed, 49 insertions(+), 777 deletions(-) rename examples/{reverse_connection_socket_interface => reverse_connection}/Dockerfile.xds (100%) delete mode 100644 examples/reverse_connection/README.md delete mode 100755 examples/reverse_connection/backend_service.py rename examples/{reverse_connection_socket_interface => reverse_connection/backup}/cloud-envoy-grpc-enhanced.yaml (100%) rename examples/{reverse_connection_socket_interface => reverse_connection/backup}/cloud-envoy-grpc.yaml (100%) rename examples/{reverse_connection_socket_interface => reverse_connection/backup}/on-prem-envoy-custom-resolver-grpc.yaml (100%) rename examples/{reverse_connection_socket_interface => reverse_connection/backup}/on-prem-envoy-grpc.yaml (100%) rename examples/{reverse_connection_socket_interface => reverse_connection/backup}/test_grpc_handshake.sh (100%) rename examples/{reverse_connection_socket_interface => reverse_connection/backup}/test_logs.txt (100%) delete mode 100644 examples/reverse_connection/cloud-envoy.yaml rename examples/{reverse_connection_socket_interface => reverse_connection}/docs/LIFE_OF_A_REQUEST.md (100%) rename examples/{reverse_connection_socket_interface => reverse_connection}/docs/REVERSE_CONN_INITIATION.md (100%) rename examples/{reverse_connection_socket_interface => reverse_connection}/docs/SOCKET_INTERFACES.md (100%) rename examples/{reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml => reverse_connection/initiator-envoy.yaml} (95%) delete mode 100644 examples/reverse_connection/on-prem-envoy-custom-resolver.yaml delete mode 100644 examples/reverse_connection/on-prem-envoy.yaml delete mode 100644 examples/reverse_connection/on-prem-envoy.yaml.backup rename examples/{reverse_connection_socket_interface => reverse_connection}/requirements.txt (100%) rename examples/{reverse_connection_socket_interface/cloud-envoy.yaml => reverse_connection/responder-envoy.yaml} (100%) delete mode 100755 examples/reverse_connection/start_test.sh rename examples/{reverse_connection_socket_interface => reverse_connection}/test_reverse_connections.py (98%) delete mode 100644 examples/reverse_connection_socket_interface/docker-compose.yaml diff --git a/examples/reverse_connection_socket_interface/Dockerfile.xds b/examples/reverse_connection/Dockerfile.xds similarity index 100% rename from examples/reverse_connection_socket_interface/Dockerfile.xds rename to examples/reverse_connection/Dockerfile.xds diff --git a/examples/reverse_connection/README.md b/examples/reverse_connection/README.md deleted file mode 100644 index b0e337168a800..0000000000000 --- a/examples/reverse_connection/README.md +++ /dev/null @@ -1,51 +0,0 @@ -# Running the Sandbox for reverse connections - -## Steps to run sandbox - -1. Build envoy with reverse connections feature: - - ```./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release.server_only'``` -2. Build envoy docker image: - - ```docker build -f ci/Dockerfile-envoy-image -t envoy:latest .``` -3. Launch test containers. - - ```docker-compose -f examples/reverse_connection/docker-compose.yaml up``` -4. The reverse example configuration in on-prem-envoy.yaml initiates 2 reverse connections per envoy thread to cloud envoy as shown in the listener config: - - ```yaml - reverse_connection_listener_config: - "@type": type.googleapis.com/envoy.extensions.reverse_connection.reverse_connection_listener_config.v3.ReverseConnectionListenerConfig - src_cluster_id: on-prem - src_node_id: on-prem-node - src_tenant_id: on-prem - remote_cluster_to_conn_count: - - cluster_name: cloud - reverse_connection_count: 2 - ``` - -5. Verify that the reverse connections are established by sending requests to the reverse conn API: - On on-prem envoy, the expected output is a list of envoy clusters to which reverse connections have been - established, in this instance, just "cloud". - - ```bash - [basundhara.c@basundhara-c ~]$ curl localhost:9000/reverse_connections - {"accepted":[],"connected":["cloud"]} - ``` - On cloud-envoy, the expected output is a list on nodes that have initiated reverse connections to it, - in this case, "on-prem-node". - - ```bash - [basundhara.c@basundhara-c ~]$ curl localhost:9001/reverse_connections - {"accepted":["on-prem-node"],"connected":[]} - ``` - -6. Test reverse connection: - - Perform http request for the service behind on-prem envoy, to cloud-envoy. This request will be sent - over a reverse connection. - - ```bash - [basundhara.c@basundhara-c ~]$ curl -H "x-remote-node-id: on-prem-node" -H "x-dst-cluster-uuid: on-prem" http://localhost:8081/on_prem_service - Server address: 172.21.0.3:80 - Server name: 281282e5b496 - Date: 26/Nov/2024:04:04:03 +0000 - URI: /on_prem_service - Request ID: 726030e25e52db44a6c06061c4206a53 - ``` diff --git a/examples/reverse_connection/backend_service.py b/examples/reverse_connection/backend_service.py deleted file mode 100755 index a5f4bdf214ca0..0000000000000 --- a/examples/reverse_connection/backend_service.py +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env python3 - -import http.server -import socketserver -import json -from datetime import datetime - - -class BackendHandler(http.server.SimpleHTTPRequestHandler): - - def do_GET(self): - # Create a response showing that the backend service is working - response = { - "message": "Hello from on-premises backend service!", - "timestamp": datetime.now().isoformat(), - "path": self.path, - "method": "GET" - } - - self.send_response(200) - self.send_header('Content-type', 'application/json') - self.end_headers() - self.wfile.write(json.dumps(response, indent=2).encode()) - - def do_POST(self): - # Handle POST requests as well - content_length = int(self.headers.get('Content-Length', 0)) - body = self.rfile.read(content_length).decode('utf-8') if content_length > 0 else "" - - response = { - "message": "POST request received by on-premises backend service!", - "timestamp": datetime.now().isoformat(), - "path": self.path, - "method": "POST", - "body": body - } - - self.send_response(200) - self.send_header('Content-type', 'application/json') - self.end_headers() - self.wfile.write(json.dumps(response, indent=2).encode()) - - -if __name__ == "__main__": - PORT = 7070 - with socketserver.TCPServer(("", PORT), BackendHandler) as httpd: - print(f"Backend service running on port {PORT}") - print(f"Visit http://localhost:{PORT}/on_prem_service to test") - httpd.serve_forever() diff --git a/examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml b/examples/reverse_connection/backup/cloud-envoy-grpc-enhanced.yaml similarity index 100% rename from examples/reverse_connection_socket_interface/cloud-envoy-grpc-enhanced.yaml rename to examples/reverse_connection/backup/cloud-envoy-grpc-enhanced.yaml diff --git a/examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml b/examples/reverse_connection/backup/cloud-envoy-grpc.yaml similarity index 100% rename from examples/reverse_connection_socket_interface/cloud-envoy-grpc.yaml rename to examples/reverse_connection/backup/cloud-envoy-grpc.yaml diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml b/examples/reverse_connection/backup/on-prem-envoy-custom-resolver-grpc.yaml similarity index 100% rename from examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver-grpc.yaml rename to examples/reverse_connection/backup/on-prem-envoy-custom-resolver-grpc.yaml diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml b/examples/reverse_connection/backup/on-prem-envoy-grpc.yaml similarity index 100% rename from examples/reverse_connection_socket_interface/on-prem-envoy-grpc.yaml rename to examples/reverse_connection/backup/on-prem-envoy-grpc.yaml diff --git a/examples/reverse_connection_socket_interface/test_grpc_handshake.sh b/examples/reverse_connection/backup/test_grpc_handshake.sh similarity index 100% rename from examples/reverse_connection_socket_interface/test_grpc_handshake.sh rename to examples/reverse_connection/backup/test_grpc_handshake.sh diff --git a/examples/reverse_connection_socket_interface/test_logs.txt b/examples/reverse_connection/backup/test_logs.txt similarity index 100% rename from examples/reverse_connection_socket_interface/test_logs.txt rename to examples/reverse_connection/backup/test_logs.txt diff --git a/examples/reverse_connection/cloud-envoy.yaml b/examples/reverse_connection/cloud-envoy.yaml deleted file mode 100644 index b97e699b7f168..0000000000000 --- a/examples/reverse_connection/cloud-envoy.yaml +++ /dev/null @@ -1,101 +0,0 @@ ---- -node: - id: cloud-node - cluster: cloud -static_resources: - listeners: - # Services reverse conn APIs - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9000 - filter_chains: - - filters: - - name: envoy.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - # Any dummy route config works - route_config: - virtual_hosts: - - name: rev_conn_api_route - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: reverse_connection_cluster - http_filters: - # Filter that services reverse conn APIs - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Listener that will route the downstream request to the reverse connection cluster - - name: egress_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 8085 - filter_chains: - - filters: - - name: envoy.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: egress_http - route_config: - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: "/on_prem_service" - route: - cluster: reverse_connection_cluster - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - # Cluster used to write requests to cached sockets - clusters: - - name: reverse_connection_cluster - connect_timeout: 2s - lb_policy: CLUSTER_PROVIDED - cluster_type: - name: envoy.clusters.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig - # The following headers are expected in downstream requests - # to be sent over reverse connections - http_header_names: - - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node - - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - # Right the moment, reverse connections are supported over HTTP/2 only - http2_protocol_options: {} -admin: - access_log_path: "/dev/stdout" - address: - socket_address: - address: 0.0.0.0 - port_value: 8898 -layered_runtime: - layers: - - name: layer - static_layer: - re2.max_program_size.error_level: 1000 - # envoy.reloadable_features.reverse_conn_force_local_reply: true -# Enable reverse connection bootstrap extension -bootstrap_extensions: -- name: envoy.bootstrap.reverse_connection.upstream_reverse_connection_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface diff --git a/examples/reverse_connection/docker-compose.yaml b/examples/reverse_connection/docker-compose.yaml index 68819634a186a..73bedfd50874d 100644 --- a/examples/reverse_connection/docker-compose.yaml +++ b/examples/reverse_connection/docker-compose.yaml @@ -1,23 +1,55 @@ version: '2' services: + xds-server: + build: + context: . + dockerfile: Dockerfile.xds + ports: + - "18000:18000" + networks: + - envoy-network + on-prem-envoy: - image: upstream/envoy:latest + image: debug/envoy:latest volumes: - - ./on-prem-envoy-custom-resolver.yaml:/etc/on-prem-envoy.yaml + - ./initiator-envoy.yaml:/etc/on-prem-envoy.yaml command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: - - "8080:80" + # Admin interface + - "8888:8888" + # Reverse connection API listener - "9000:9000" + # Ingress HTTP listener + - "6060:6060" + extra_hosts: + - "host.docker.internal:host-gateway" + networks: + - envoy-network + depends_on: + - xds-server + - on-prem-service on-prem-service: image: nginxdemos/hello:plain-text + networks: + - envoy-network cloud-envoy: - image: upstream/envoy:latest + image: debug/envoy:latest volumes: - - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml - command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 + - ./responder-envoy.yaml:/etc/responder-envoy.yaml + command: envoy -c /etc/responder-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: - - "8081:80" - - "9001:9000" \ No newline at end of file + # Admin interface + - "8889:8888" + # Reverse connection API listener + - "9001:9000" + # Egress listener + - "8085:8085" + networks: + - envoy-network + +networks: + envoy-network: + driver: bridge \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/docs/LIFE_OF_A_REQUEST.md b/examples/reverse_connection/docs/LIFE_OF_A_REQUEST.md similarity index 100% rename from examples/reverse_connection_socket_interface/docs/LIFE_OF_A_REQUEST.md rename to examples/reverse_connection/docs/LIFE_OF_A_REQUEST.md diff --git a/examples/reverse_connection_socket_interface/docs/REVERSE_CONN_INITIATION.md b/examples/reverse_connection/docs/REVERSE_CONN_INITIATION.md similarity index 100% rename from examples/reverse_connection_socket_interface/docs/REVERSE_CONN_INITIATION.md rename to examples/reverse_connection/docs/REVERSE_CONN_INITIATION.md diff --git a/examples/reverse_connection_socket_interface/docs/SOCKET_INTERFACES.md b/examples/reverse_connection/docs/SOCKET_INTERFACES.md similarity index 100% rename from examples/reverse_connection_socket_interface/docs/SOCKET_INTERFACES.md rename to examples/reverse_connection/docs/SOCKET_INTERFACES.md diff --git a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection/initiator-envoy.yaml similarity index 95% rename from examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml rename to examples/reverse_connection/initiator-envoy.yaml index d4198ad9fdd0f..52a2649ddd40d 100644 --- a/examples/reverse_connection_socket_interface/on-prem-envoy-custom-resolver.yaml +++ b/examples/reverse_connection/initiator-envoy.yaml @@ -58,10 +58,10 @@ static_resources: listener_filters_timeout: 0s listener_filters: # Filter that responds to keepalives on reverse connection sockets - - name: envoy.filters.listener.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - ping_wait_timeout: 10 + # - name: envoy.filters.listener.reverse_connection + # typed_config: + # "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection + # ping_wait_timeout: 10 # Use custom address with reverse connection metadata encoded in URL format address: socket_address: diff --git a/examples/reverse_connection/on-prem-envoy-custom-resolver.yaml b/examples/reverse_connection/on-prem-envoy-custom-resolver.yaml deleted file mode 100644 index 8b87fee31df20..0000000000000 --- a/examples/reverse_connection/on-prem-envoy-custom-resolver.yaml +++ /dev/null @@ -1,148 +0,0 @@ ---- -node: - id: on-prem-node - cluster: on-prem - -# Enable reverse connection bootstrap extension which registers the custom resolver -bootstrap_extensions: -- name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface - stat_prefix: "reverse_connection" - -static_resources: - listeners: - # Services reverse conn APIs - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9001 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - codec_type: AUTO - route_config: - name: rev_conn_api_route - virtual_hosts: [] - http_filters: - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Forwards incoming http requests to backend - - name: ingress_http_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 8081 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: ingress_http_route - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Initiates reverse connections to cloud using custom resolver - - name: reverse_conn_listener - listener_filters_timeout: 0s - listener_filters: - # Filter that responds to keepalives on reverse connection sockets - - name: envoy.filters.listener.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - ping_wait_timeout: 4 - # Use custom address with reverse connection metadata encoded in URL format - address: - socket_address: - # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem - # and remote clusters: cloud with 1 connection - address: "rc://on-prem-node:on-prem:on-prem@cloud:1" - port_value: 0 - # Use custom resolver that can parse reverse connection metadata - resolver_name: "envoy.resolvers.reverse_connection" - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: reverse_conn_listener - route_config: - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Cluster designating cloud-envoy - clusters: - - name: cloud - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: cloud - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: localhost # Container name of cloud-envoy in docker-compose - port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens - - # Backend HTTP service behind onprem which - # we will access via reverse connections - - name: on-prem-service - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: on-prem-service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: localhost - port_value: 7070 - -admin: - access_log_path: "/dev/stdout" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 8888 - -layered_runtime: - layers: - - name: layer - static_layer: - re2.max_program_size.error_level: 1000 \ No newline at end of file diff --git a/examples/reverse_connection/on-prem-envoy.yaml b/examples/reverse_connection/on-prem-envoy.yaml deleted file mode 100644 index 08c9c710cfdb6..0000000000000 --- a/examples/reverse_connection/on-prem-envoy.yaml +++ /dev/null @@ -1,152 +0,0 @@ ---- -node: - id: on-prem-node - cluster: on-prem -static_resources: - listeners: - # Services reverse conn APIs - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9001 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - codec_type: AUTO - # Any dummy route config works - route_config: - name: rev_conn_api_route - virtual_hosts: [] - http_filters: - # Filter that services reverse conn APIs - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Forwards incoming http requests to backend - - name: ingress_http_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 8081 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: ingress_http_route - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Initiates reverse connections to cloud - - name: reverse_conn_listener - listener_filters_timeout: 0s - listener_filters: - # Filter that responds to keepalives on reverse connection sockets - - name: envoy.filters.listener.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - ping_wait_timeout: 4 - # Use reverse connection address to trigger socket interface - address: - socket_address: - resolver_name: envoy.resolvers.reverse_connection - address: "rc://on-prem-node:on-prem:on-prem@cloud:1" - port_value: 0 -# Note: reverse_connection_listener_config is now handled by the bootstrap extension - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: reverse_conn_listener - # Any dummy route - route_config: - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - # Cluster designating cloud-envoy - clusters: - - name: cloud - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: cloud - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 # Use IPv4 to match cloud envoy listener - port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens - - # Backend HTTP service behind onprem which - # we will access via reverse connections - - name: on-prem-service - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: on-prem-service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 7070 - - -admin: - access_log_path: "/dev/stdout" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 8899 -layered_runtime: - layers: - - name: layer - static_layer: - re2.max_program_size.error_level: 1000 - # envoy.reloadable_features.reverse_conn_force_local_reply: true -# Enable reverse connection bootstrap extension -bootstrap_extensions: -- name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface - src_cluster_id: on-prem - src_node_id: on-prem-node - src_tenant_id: on-prem - remote_cluster_to_conn_count: - - cluster_name: cloud - reverse_connection_count: 1 \ No newline at end of file diff --git a/examples/reverse_connection/on-prem-envoy.yaml.backup b/examples/reverse_connection/on-prem-envoy.yaml.backup deleted file mode 100644 index 0b74ea2d576fd..0000000000000 --- a/examples/reverse_connection/on-prem-envoy.yaml.backup +++ /dev/null @@ -1,152 +0,0 @@ ---- -node: - id: on-prem-node - cluster: on-prem -static_resources: - listeners: - # Services reverse conn APIs - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9001 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - codec_type: AUTO - # Any dummy route config works - route_config: - name: rev_conn_api_route - virtual_hosts: [] - http_filters: - # Filter that services reverse conn APIs - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Forwards incoming http requests to backend - - name: ingress_http_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 8081 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: ingress_http_route - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Initiates reverse connections to cloud - - name: reverse_conn_listener - listener_filters_timeout: 0s - listener_filters: - # Filter that responds to keepalives on reverse connection sockets - - name: envoy.filters.listener.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - ping_wait_timeout: 4 - # Use reverse connection address to trigger socket interface - address: - socket_address: - resolver_name: envoy.resolvers.reverse_connection - address: "rc://on-prem-node:on-prem:on-prem@cloud:1" - port_value: 0 -# Note: reverse_connection_listener_config is now handled by the bootstrap extension - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: reverse_conn_listener - # Any dummy route - route_config: - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - # Cluster designating cloud-envoy - clusters: - - name: cloud - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: cloud - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 # Use IPv4 to match cloud envoy listener - port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens - - # Backend HTTP service behind onprem which - # we will access via reverse connections - - name: on-prem-service - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: on-prem-service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 7070 - - -admin: - access_log_path: "/dev/stdout" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 8899 -layered_runtime: - layers: - - name: layer - static_layer: - re2.max_program_size.error_level: 1000 - # envoy.reloadable_features.reverse_conn_force_local_reply: true -# Enable reverse connection bootstrap extension -bootstrap_extensions: -- name: envoy.bootstrap.reverse_connection.downstream_reverse_connection_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_connection_socket_interface.v3.DownstreamReverseConnectionSocketInterface - src_cluster_id: on-prem - src_node_id: on-prem-node - src_tenant_id: on-prem - remote_cluster_to_conn_count: - - cluster_name: cloud - reverse_connection_count: 1 \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/requirements.txt b/examples/reverse_connection/requirements.txt similarity index 100% rename from examples/reverse_connection_socket_interface/requirements.txt rename to examples/reverse_connection/requirements.txt diff --git a/examples/reverse_connection_socket_interface/cloud-envoy.yaml b/examples/reverse_connection/responder-envoy.yaml similarity index 100% rename from examples/reverse_connection_socket_interface/cloud-envoy.yaml rename to examples/reverse_connection/responder-envoy.yaml diff --git a/examples/reverse_connection/start_test.sh b/examples/reverse_connection/start_test.sh deleted file mode 100755 index 13ad4d16a2173..0000000000000 --- a/examples/reverse_connection/start_test.sh +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/bash - -# Test script for reverse connection feature -set -e - -echo "Starting reverse connection test setup..." - -# Kill any existing processes -pkill -f backend_service.py || true -pkill -f envoy-static || true -sleep 2 - -echo "1. Starting backend service on port 7070..." -python3 backend_service.py & -BACKEND_PID=$! -sleep 2 - -echo "2. Starting cloud Envoy on port 9000 (API) and 8085 (egress)..." -../../bazel-bin/source/exe/envoy-static -c cloud-envoy.yaml --use-dynamic-base-id & -CLOUD_PID=$! -sleep 3 - -echo "3. Starting on-prem Envoy on port 9001 (API) and 8081 (ingress)..." -../../bazel-bin/source/exe/envoy-static -c on-prem-envoy.yaml --use-dynamic-base-id & -ONPREM_PID=$! -sleep 5 - -echo "4. Testing the setup..." -echo " Backend service: http://localhost:7070/on_prem_service" -echo " Cloud Envoy API: http://localhost:9000/" -echo " On-prem Envoy API: http://localhost:9001/" -echo " Cloud Envoy egress: http://localhost:8085/on_prem_service" -echo " On-prem ingress: http://localhost:8081/on_prem_service" - -# Test reverse connection API -echo "" -echo "Testing reverse connection APIs..." -echo "Cloud connected/accepted nodes:" -curl -s http://localhost:9000/ | jq '.' || curl -s http://localhost:9000/ - -echo "" -echo "On-prem connected/accepted nodes:" -curl -s http://localhost:9001/ | jq '.' || curl -s http://localhost:9001/ - -echo "" -echo "All services started successfully!" -echo "PIDs: Backend=$BACKEND_PID, Cloud=$CLOUD_PID, OnPrem=$ONPREM_PID" -echo "" -echo "To stop all services, run: kill $BACKEND_PID $CLOUD_PID $ONPREM_PID" - -# Keep the script running -wait \ No newline at end of file diff --git a/examples/reverse_connection_socket_interface/test_reverse_connections.py b/examples/reverse_connection/test_reverse_connections.py similarity index 98% rename from examples/reverse_connection_socket_interface/test_reverse_connections.py rename to examples/reverse_connection/test_reverse_connections.py index 9358532f112fd..72c6627778018 100644 --- a/examples/reverse_connection_socket_interface/test_reverse_connections.py +++ b/examples/reverse_connection/test_reverse_connections.py @@ -35,9 +35,9 @@ os.path.join(os.path.dirname(os.path.abspath(__file__)), 'docker-compose.yaml'), 'on_prem_config_file': os.path.join( - os.path.dirname(os.path.abspath(__file__)), 'on-prem-envoy-custom-resolver.yaml'), + os.path.dirname(os.path.abspath(__file__)), 'initiator-envoy.yaml'), 'cloud_config_file': - os.path.join(os.path.dirname(os.path.abspath(__file__)), 'cloud-envoy.yaml'), + os.path.join(os.path.dirname(os.path.abspath(__file__)), 'responder-envoy.yaml'), # Ports 'cloud_admin_port': @@ -164,12 +164,12 @@ def start_docker_compose(self, on_prem_config: str = None) -> bool: f"{on_prem_config}:/etc/on-prem-envoy.yaml" ] - # Copy cloud-envoy.yaml to temp directory and update the path + # Copy responder-envoy.yaml to temp directory and update the path import shutil - temp_cloud_config = os.path.join(self.temp_dir, "cloud-envoy.yaml") + temp_cloud_config = os.path.join(self.temp_dir, "responder-envoy.yaml") shutil.copy(CONFIG['cloud_config_file'], temp_cloud_config) compose_config['services']['cloud-envoy']['volumes'] = [ - f"{temp_cloud_config}:/etc/cloud-envoy.yaml" + f"{temp_cloud_config}:/etc/responder-envoy.yaml" ] # Copy Dockerfile.xds to temp directory diff --git a/examples/reverse_connection_socket_interface/docker-compose.yaml b/examples/reverse_connection_socket_interface/docker-compose.yaml deleted file mode 100644 index 183448e22d5d6..0000000000000 --- a/examples/reverse_connection_socket_interface/docker-compose.yaml +++ /dev/null @@ -1,55 +0,0 @@ -version: '2' -services: - - xds-server: - build: - context: . - dockerfile: Dockerfile.xds - ports: - - "18000:18000" - networks: - - envoy-network - - on-prem-envoy: - image: debug/envoy:latest - volumes: - - ./on-prem-envoy-custom-resolver.yaml:/etc/on-prem-envoy.yaml - command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 - ports: - # Admin interface - - "8888:8888" - # Reverse connection API listener - - "9000:9000" - # Ingress HTTP listener - - "6060:6060" - extra_hosts: - - "host.docker.internal:host-gateway" - networks: - - envoy-network - depends_on: - - xds-server - - on-prem-service - - on-prem-service: - image: nginxdemos/hello:plain-text - networks: - - envoy-network - - cloud-envoy: - image: debug/envoy:latest - volumes: - - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml - command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 - ports: - # Admin interface - - "8889:8888" - # Reverse connection API listener - - "9001:9000" - # Egress listener - - "8085:8085" - networks: - - envoy-network - -networks: - envoy-network: - driver: bridge \ No newline at end of file From 5e41f1f358a212c813489cc4223e45cfaddeb2e0 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 25 Sep 2025 21:34:09 +0000 Subject: [PATCH 501/505] changes to reverse connection docs Signed-off-by: Basundhara Chakrabarty --- configs/reverse_connection/README.md | 227 ++++++++++--- .../reverse_connection/docker-compose.yaml | 55 ---- .../reverse_connection/initiator-envoy.yaml | 91 ++++++ configs/reverse_connection/onprem-envoy.yaml | 149 --------- ...{cloud-envoy.yaml => responder-envoy.yaml} | 38 +-- .../other_features/reverse_connection.rst | 308 +++++++----------- 6 files changed, 393 insertions(+), 475 deletions(-) delete mode 100644 configs/reverse_connection/docker-compose.yaml create mode 100644 configs/reverse_connection/initiator-envoy.yaml delete mode 100644 configs/reverse_connection/onprem-envoy.yaml rename configs/reverse_connection/{cloud-envoy.yaml => responder-envoy.yaml} (69%) diff --git a/configs/reverse_connection/README.md b/configs/reverse_connection/README.md index 641ec9d7f2a9f..e8a628740f10c 100644 --- a/configs/reverse_connection/README.md +++ b/configs/reverse_connection/README.md @@ -1,63 +1,196 @@ -# Running the Sandbox for reverse connections +# Reverse Tunnels -## Steps to run sandbox +Reverse tunnels enable establishing persistent connections from downstream Envoy instances to upstream Envoy instances without requiring the upstream to be directly reachable from the downstream. This is particularly useful when downstream instances are behind NATs, firewalls, or in private networks. -1. Build envoy with reverse connections feature: - - ```./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release.server_only'``` -2. Build envoy docker image: - - ```docker build -f ci/Dockerfile-envoy-image -t envoy:latest .``` -3. Launch test containers. - - ```docker-compose -f configs/reverse_connection/docker-compose.yaml up``` +## Configuration files - **Note**: The docker-compose maps the following ports: - - **on-prem-envoy**: Host port 9000 → Container port 9000 (reverse connection API) - - **cloud-envoy**: Host port 9001 → Container port 9000 (reverse connection API) +- [`initiator-envoy.yaml`](initiator-envoy.yaml): Configuration for the initiator Envoy (downstream) +- [`responder-envoy.yaml`](responder-envoy.yaml): Configuration for the responder Envoy (upstream) -4. The reverse example configuration in onprem-envoy.yaml initiates reverse connections to cloud envoy using a custom address resolver. The configuration includes: +## Initiator configuration (downstream Envoy) - ```yaml - # Bootstrap extension for reverse tunnel functionality +The initiator Envoy requires the following configuration components: + +### Bootstrap extension for socket interface + +```yaml bootstrap_extensions: - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface typed_config: "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface stat_prefix: "downstream_reverse_connection" - - # Reverse connection listener with custom address format +``` + +This extension enables the initiator to initiate and manage reverse tunnels to the responder Envoy. + +### Reverse tunnel listener + +The reverse tunnel listener triggers the reverse connection initiation to the upstream Envoy instance and encodes identity metadata for the local Envoy. It also contains the route configuration for downstream services reachable via reverse tunnels. + +```yaml - name: reverse_conn_listener + listener_filters_timeout: 0s + listener_filters: address: socket_address: # Format: rc://src_node_id:src_cluster_id:src_tenant_id@remote_cluster:connection_count - address: "rc://on-prem-node:on-prem:on-prem@cloud:1" + address: "rc://downstream-node:downstream-cluster:downstream-tenant@upstream-cluster:1" port_value: 0 + # Use custom resolver that can parse reverse connection metadata resolver_name: "envoy.resolvers.reverse_connection" - ``` - -5. Verify that the reverse connections are established by sending requests to the reverse conn API: - On on-prem envoy, the expected output is a list of envoy clusters to which reverse connections have been - established, in this instance, just "cloud". - - ```bash - [basundhara.c@basundhara-c ~]$ curl localhost:9000/reverse_connections - {"accepted":[],"connected":["cloud"]} - ``` - On cloud-envoy, the expected output is a list on nodes that have initiated reverse connections to it, - in this case, "on-prem-node". - - ```bash - [basundhara.c@basundhara-c ~]$ curl localhost:9001/reverse_connections - {"accepted":["on-prem-node"],"connected":[]} - ``` - -6. Test reverse connection: - - Perform http request for the service behind on-prem envoy, to cloud-envoy. This request will be sent - over a reverse connection. - - ```bash - [basundhara.c@basundhara-c ~]$ curl -H "x-remote-node-id: on-prem-node" -H "x-dst-cluster-uuid: on-prem" http://localhost:8081/on_prem_service - Server address: 172.21.0.3:80 - Server name: 281282e5b496 - Date: 26/Nov/2024:04:04:03 +0000 - URI: /on_prem_service - Request ID: 726030e25e52db44a6c06061c4206a53 - ``` \ No newline at end of file + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_conn_listener + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/downstream_service' + route: + cluster: downstream-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router +``` + +The special `rc://` address format encodes: +- `src_node_id`: "downstream-node" - Unique identifier for this downstream node +- `src_cluster_id`: "downstream-cluster" - Cluster name of the downstream Envoy +- `src_tenant_id`: "downstream-tenant" - Tenant identifier +- `remote_cluster`: "upstream-cluster" - Name of the upstream cluster to connect to +- `connection_count`: "1" - Number of reverse connections to establish + +### Upstream Cluster + +The upstream cluster configuration defines where reverse tunnels should be initiated: + +```yaml +- name: upstream-cluster + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: upstream-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: upstream-envoy # Responder Envoy address + port_value: 9000 # Port where responder listens for reverse tunnel requests +``` + +### Downstream Service for Reverse Tunnel Data + +The downstream service represents the service behind the initiator Envoy that should be reachable via reverse tunnels: + +```yaml +- name: downstream-service + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: downstream-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: downstream-service + port_value: 80 +``` + +## Responder configuration (upstream Envoy) + +The responder Envoy requires the following configuration components: + +### Bootstrap extension for socket interface + +```yaml +bootstrap_extensions: +- name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" +``` + +This extension enables the responder to accept and manage reverse connections from initiator Envoys. + +### Reverse tunnel filter and listener + +```yaml +- name: rev_conn_api_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 # Port where initiator will connect for tunnel establishment + filter_chains: + - filters: + - name: envoy.filters.network.reverse_tunnel + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: 2s +``` + +The `envoy.filters.network.reverse_tunnel` network filter handles the reverse tunnel handshake protocol and connection acceptance. + +### Reverse connection cluster + +Each downstream node reachable from upstream Envoy via reverse connections needs to be configured with a reverse connection cluster. When a data request arrives at the upstream Envoy, this cluster uses cached "reverse connections" instead of creating new forward connections. + +```yaml +- name: reverse_connection_cluster + connect_timeout: 200s + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + http_header_names: + - x-remote-node-id # Should be set to "downstream-node" + - x-dst-cluster-uuid # Should be set to "downstream-cluster" + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} # HTTP/2 required for reverse connections +``` + +### Egress listener for data traffic + +The egress listener receives data traffic on the upstream Envoy and routes it to the reverse connection cluster: + +```yaml +- name: egress_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 8085 # Port for sending requests to initiator services + filter_chains: + - filters: + - name: envoy.http_connection_manager + typed_config: + route_config: + virtual_hosts: + - name: backend + domains: ["*"] + routes: + - match: + prefix: "/downstream_service" + route: + cluster: reverse_connection_cluster # Routes to initiator via reverse tunnel +``` + +This is the egress listener that receives data traffic on upstream envoy and routes it to the reverse connection cluster. + +## How It Works + +1. **Tunnel Establishment**: The initiator Envoy establishes reverse tunnels to the responder Envoy on port 9000. +2. **Service Access**: When a request comes to the responder's egress listener (port 8085) for `/downstream_service`, it's routed through to the reverse connection cluster. Instead of creating forward connections to downstream-envoy, a cached "reverse connection" is picked and the data request is routed through it. +3. **Header-Based Routing**: The reverse connection cluster uses `x-remote-node-id` and `x-dst-cluster-uuid` headers to identify which cached reverse connection to use. +4. **Service Response**: The request travels through the reverse tunnel to the initiator, gets routed to the local service, and the response travels back through the same tunnel. \ No newline at end of file diff --git a/configs/reverse_connection/docker-compose.yaml b/configs/reverse_connection/docker-compose.yaml deleted file mode 100644 index cc0d7fdc7318c..0000000000000 --- a/configs/reverse_connection/docker-compose.yaml +++ /dev/null @@ -1,55 +0,0 @@ -version: '2' -services: - - xds-server: - build: - context: . - dockerfile: Dockerfile.xds - ports: - - "18000:18000" - networks: - - envoy-network - - on-prem-envoy: - image: debug/envoy:latest - volumes: - - ./onprem-envoy.yaml:/etc/on-prem-envoy.yaml - command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 - ports: - # Admin interface - - "8888:8888" - # Reverse connection API listener - - "9000:9000" - # Ingress HTTP listener - - "6060:6060" - extra_hosts: - - "host.docker.internal:host-gateway" - networks: - - envoy-network - depends_on: - - xds-server - - on-prem-service - - on-prem-service: - image: nginxdemos/hello:plain-text - networks: - - envoy-network - - cloud-envoy: - image: debug/envoy:latest - volumes: - - ./cloud-envoy.yaml:/etc/cloud-envoy.yaml - command: envoy -c /etc/cloud-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 - ports: - # Admin interface - - "8889:8888" - # Reverse connection API listener - - "9001:9000" - # Egress listener - - "8085:8085" - networks: - - envoy-network - -networks: - envoy-network: - driver: bridge \ No newline at end of file diff --git a/configs/reverse_connection/initiator-envoy.yaml b/configs/reverse_connection/initiator-envoy.yaml new file mode 100644 index 0000000000000..1852061ba4d91 --- /dev/null +++ b/configs/reverse_connection/initiator-envoy.yaml @@ -0,0 +1,91 @@ +--- +node: + id: downstream-node + cluster: downstream + +# Enable reverse connection bootstrap extension which registers the custom resolver +bootstrap_extensions: +- name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + +static_resources: + listeners: + # Initiates reverse connections to upstream using custom resolver + - name: reverse_conn_listener + listener_filters_timeout: 0s + listener_filters: + # Use custom address with reverse connection metadata encoded in URL format + address: + socket_address: + # This encodes: src_node_id=downstream-node, src_cluster_id=downstream, src_tenant_id=downstream + # and remote clusters: upstream with 1 connection + address: "rc://downstream-node:downstream-cluster:downstream-tenant@upstream-cluster:1" + port_value: 0 + # Use custom resolver that can parse reverse connection metadata + resolver_name: "envoy.resolvers.reverse_connection" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_conn_listener + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/downstream_service' + route: + cluster: downstream-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + # Cluster designating upstream-envoy + clusters: + - name: upstream-cluster + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: upstream-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: upstream-envoy # Container name of upstream-envoy in docker-compose + port_value: 9000 # Port where upstream-envoy's rev_conn_api_listener listens + + # Backend HTTP service behind downstream which + # we will access via reverse connections + - name: downstream-service + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: downstream-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: downstream-service + port_value: 80 + +admin: + access_log_path: "/dev/stdout" + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 8888 + +layered_runtime: + layers: + - name: layer + static_layer: + re2.max_program_size.error_level: 1000 \ No newline at end of file diff --git a/configs/reverse_connection/onprem-envoy.yaml b/configs/reverse_connection/onprem-envoy.yaml deleted file mode 100644 index 8c970f2c8136e..0000000000000 --- a/configs/reverse_connection/onprem-envoy.yaml +++ /dev/null @@ -1,149 +0,0 @@ ---- -node: - id: on-prem-node - cluster: on-prem - -# Enable reverse connection bootstrap extension which registers the custom resolver -bootstrap_extensions: -- name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface - stat_prefix: "downstream_reverse_connection" - -static_resources: - listeners: - # Services reverse conn APIs - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9000 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - codec_type: AUTO - route_config: - name: rev_conn_api_route - virtual_hosts: [] - http_filters: - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - ping_interval: 30 - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Forwards incoming http requests to backend - - name: ingress_http_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 6060 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: ingress_http_route - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Initiates reverse connections to cloud using custom resolver - - name: reverse_conn_listener - listener_filters_timeout: 0s - listener_filters: - # Filter that responds to keepalives on reverse connection sockets - - name: envoy.filters.listener.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - ping_wait_timeout: 10 - # Use custom address with reverse connection metadata encoded in URL format - address: - socket_address: - # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem - # and remote clusters: cloud with 1 connection - address: "rc://on-prem-node:on-prem:on-prem@cloud:1" - port_value: 0 - # Use custom resolver that can parse reverse connection metadata - resolver_name: "envoy.resolvers.reverse_connection" - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: reverse_conn_listener - route_config: - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Cluster designating cloud-envoy - clusters: - - name: cloud - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: cloud - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: cloud-envoy # Container name of cloud-envoy in docker-compose - port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens - - # Backend HTTP service behind onprem which - # we will access via reverse connections - - name: on-prem-service - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: on-prem-service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: on-prem-service - port_value: 80 - -admin: - access_log_path: "/dev/stdout" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 8888 - -layered_runtime: - layers: - - name: layer - static_layer: - re2.max_program_size.error_level: 1000 \ No newline at end of file diff --git a/configs/reverse_connection/cloud-envoy.yaml b/configs/reverse_connection/responder-envoy.yaml similarity index 69% rename from configs/reverse_connection/cloud-envoy.yaml rename to configs/reverse_connection/responder-envoy.yaml index 5d46207ae4497..8b73234256f39 100644 --- a/configs/reverse_connection/cloud-envoy.yaml +++ b/configs/reverse_connection/responder-envoy.yaml @@ -1,10 +1,10 @@ --- node: - id: cloud-node - cluster: cloud + id: upstream-node + cluster: upstream-cluster static_resources: listeners: - # Services reverse conn APIs + # Accepts reverse tunnel requests - name: rev_conn_api_listener address: socket_address: @@ -12,30 +12,10 @@ static_resources: port_value: 9000 filter_chains: - filters: - - name: envoy.http_connection_manager + - name: envoy.filters.network.reverse_tunnel typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: rev_conn_api - # Any dummy route config works - route_config: - virtual_hosts: - - name: rev_conn_api_route - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: reverse_connection_cluster - http_filters: - # Filter that services reverse conn APIs - - name: envoy.filters.http.reverse_conn - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.reverse_conn.v3.ReverseConn - ping_interval: 2 - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: 2s # Listener that will route the downstream request to the reverse connection cluster - name: egress_listener @@ -56,7 +36,7 @@ static_resources: - "*" routes: - match: - prefix: "/on_prem_service" + prefix: "/downstream_service" route: cluster: reverse_connection_cluster http_filters: @@ -75,8 +55,8 @@ static_resources: # The following headers are expected in downstream requests # to be sent over reverse connections http_header_names: - - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node - - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem + - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., downstream-node + - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., downstream typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions diff --git a/docs/root/configuration/other_features/reverse_connection.rst b/docs/root/configuration/other_features/reverse_connection.rst index 076b8108f119c..6b86f558054c4 100644 --- a/docs/root/configuration/other_features/reverse_connection.rst +++ b/docs/root/configuration/other_features/reverse_connection.rst @@ -1,36 +1,42 @@ .. _config_reverse_connection: -Reverse Connection -================== +Reverse Tunnels +=============== -Envoy supports reverse connections that enable establishing persistent connections from downstream Envoy instances +Envoy supports reverse tunnels that enable establishing persistent connections from downstream Envoy instances to upstream Envoy instances without requiring the upstream to be directly reachable from the downstream. This feature is particularly useful in scenarios where downstream instances are behind NATs, firewalls, or in private networks, and need to initiate connections to upstream instances in public networks or cloud environments. -Reverse connections work by having the downstream Envoy initiate TCP connections to upstream Envoy instances +Reverse tunnels work by having the downstream Envoy initiate TCP connections to upstream Envoy instances and keep them alive for reuse. These connections are established using a handshake protocol and can be used for forwarding traffic from services behind upstream Envoy to downstream services behind the downstream Envoy. -.. _config_reverse_connection_bootstrap: +.. _config_reverse_tunnel_bootstrap: -Bootstrap Configuration ------------------------ +Reverse tunnels require the following extensions: + +1. **Downstream and upstream socket interfaces**: Both registered as bootstrap extensions +2. **Reverse tunnel network filter**: On responder Envoy to accept reverse tunnel requests +3. **Reverse connection cluster**: On responder Envoy for each downstream cluster that needs to be reached through reverse tunnels + +Bootstrap Extensions +-------------------- -To enable reverse connections, two bootstrap extensions need to be configured: +To enable reverse tunnels, two bootstrap extensions need to be configured: -1. **Downstream Reverse Connection Socket Interface**: Configures the downstream Envoy to initiate - reverse connections to upstream instances. +1. **Downstream Socket Interface**: Configures the downstream Envoy to initiate + reverse tunnels to upstream instances. -2. **Upstream Reverse Connection Socket Interface**: Configures the upstream Envoy to accept - and manage reverse connections from downstream instances. +2. **Upstream Socket Interface**: Configures the upstream Envoy to accept + and manage reverse tunnels from downstream instances. .. _config_reverse_connection_downstream: -Downstream Configuration -~~~~~~~~~~~~~~~~~~~~~~~~ +Downstream Socket Interface +~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The downstream reverse connection socket interface is configured in the bootstrap as follows: +The downstream socket interface is configured in the bootstrap as follows: .. validated-code-block:: yaml :type-name: envoy.config.bootstrap.v3.Bootstrap @@ -43,10 +49,10 @@ The downstream reverse connection socket interface is configured in the bootstra .. _config_reverse_connection_upstream: -Upstream Configuration +Upstream Socket Interface ~~~~~~~~~~~~~~~~~~~~~~ -The upstream reverse connection socket interface is configured in the bootstrap as follows: +The upstream socket interface is configured in the bootstrap as follows: .. validated-code-block:: yaml :type-name: envoy.config.bootstrap.v3.Bootstrap @@ -62,8 +68,8 @@ The upstream reverse connection socket interface is configured in the bootstrap Listener Configuration ---------------------- -Reverse connections are initiated through special reverse connection listeners that use the following -reverse connection address format: +Reverse tunnels are initiated through special reverse tunnel listeners that use the following +address format: .. validated-code-block:: yaml :type-name: envoy.config.listener.v3.Listener @@ -81,43 +87,117 @@ reverse connection address format: stat_prefix: tcp cluster: upstream-cluster -The reverse connection address format ``rc://src_node:src_cluster:src_tenant@target_cluster:count`` +The reverse tunnel address format ``rc://src_node:src_cluster:src_tenant@target_cluster:count`` encodes the following information: * ``src_node``: Unique identifier for the downstream node * ``src_cluster``: Cluster name of the downstream Envoy * ``src_tenant``: Tenant identifier for multi-tenant deployments * ``target_cluster``: Name of the upstream cluster to connect to -* ``count``: Number of reverse connections to establish to upstream-cluster +* ``count``: Number of reverse tunnels to establish to upstream-cluster -The upstream-cluster can be dynamically configurable via CDS. The listener calls the reverse connection +The upstream-cluster can be dynamically configurable via CDS. The listener calls the reverse tunnel workflow and initiates raw TCP connections to upstream clusters, thereby This triggering the reverse connection handshake. +.. _config_reverse_tunnel_filter: + +Reverse Tunnel Network Filter +----------------------------- + +On upstream Envoy, the reverse tunnel network filter implements the reverse tunnel handshake protocol and accepts or rejects the reverse tunnel request. + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: rev_conn_api_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 + filter_chains: + - filters: + - name: envoy.filters.network.reverse_tunnel + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: 2s + .. _config_reverse_connection_handshake: Handshake Protocol ------------------ -Reverse connections use a handshake protocol to establish authenticated connections between +Reverse tunnels use a handshake protocol to establish authenticated connections between downstream and upstream Envoy instances. The handshake has the following steps: -1. **Connection Initiation**: Downstream Envoy initiates TCP connections to each host of the upstream cluster, -and writes the handshake request on it over a HTTP/1.1 POST call. -2. **Identity Exchange**: The downstream Envoy's reverse connection handshake contains identity information (node ID, cluster ID, tenant ID). -3. **Authentication**: Optional authentication and authorization checks are performed by the upstream Envoy on receiving the handshake request. +1. **Connection Initiation**: Initiator Envoy initiates TCP connections to each host of the upstream cluster, +and writes the handshake request on it over HTTP. +2. **Identity Exchange**: The downstream Envoy's reverse tunnel handshake contains identity information (node ID, cluster ID, tenant ID) sent as HTTP headers. The reverse tunnel network filter expects the following headers: + + * ``x-envoy-reverse-tunnel-node-id``: Unique identifier for the downstream node (e.g., "on-prem-node") + * ``x-envoy-reverse-tunnel-cluster-id``: Cluster name of the downstream Envoy (e.g., "on-prem") + * ``x-envoy-reverse-tunnel-tenant-id``: Tenant identifier for multi-tenant deployments (e.g., "on-prem") + + These identify values are obtained from the reverse tunnel listener address and the headers are automatically added by the reverse tunnel downstream socket interface during the handshake process. +3. **Validation/Authentication**: The upstream Envoy performs the following validation checks on receiving the handshake request: + + * **HTTP Method Validation**: Verifies the request method matches the configured method (defaults to ``GET``) + * **HTTP Path Validation**: Verifies the request path matches the configured path (defaults to ``/reverse_connections/request``) + * **Required Headers Validation**: Ensures all three required identity headers are present: + + - ``x-envoy-reverse-tunnel-node-id`` + - ``x-envoy-reverse-tunnel-cluster-id`` + - ``x-envoy-reverse-tunnel-tenant-id`` + + If any validation fails, the request is rejected with appropriate HTTP error codes (404 for method/path mismatch, 400 for missing headers). 4. **Connection Establishment**: Post a successful handshake, the upstream Envoy stores the TCP socket mapped to the downstream node ID. +.. _config_reverse_connection_cluster: + +Reverse Connection Cluster +-------------------------- + +Each initiator node that should be reachable via reverse tunnels must be configured using a reverse connection cluster. This is a custom cluster type that indicates that instead of creating new forward connections to the downstream node, cached "reverse connections" should be used to send requests. + +The reverse connection cluster uses the ``envoy.clusters.reverse_connection`` cluster type and requires specific HTTP headers in downstream requests to identify which cached reverse connection to use for routing. + +.. .. validated-code-block:: yaml +.. :type-name: envoy.config.cluster.v3.Cluster + +.. name: reverse_connection_cluster +.. connect_timeout: 200s +.. lb_policy: CLUSTER_PROVIDED +.. cluster_type: +.. name: envoy.clusters.reverse_connection +.. typed_config: +.. "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig +.. # The following headers are expected in downstream requests +.. # to be sent over reverse connections +.. http_header_names: +.. - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node +.. - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem + +The cluster configuration specifies: + +* **Load balancing policy**: ``CLUSTER_PROVIDED`` allows the custom cluster to manage load balancing +* **Header Resolution Strategy**: The cluster follows a tiered approach to identify the target downstream node: + + 1. **Configured Headers**: First checks for headers specified in ``http_header_names`` configuration. If not configured, defaults to ``x-envoy-dst-node-uuid`` and ``x-envoy-dst-cluster-uuid`` + 2. **Host Header**: If no configured headers are found, extracts UUID from the Host header in format ``.tcpproxy.envoy.remote:`` + 3. **SNI (Server Name Indication)**: If Host header extraction fails, extracts UUID from SNI in format ``.tcpproxy.envoy.remote`` +* **Protocol**: Only HTTP/2 is supported for reverse connections +* **Host Reuse**: Once a host is created for a specific downstream node ID, it is cached and reused for all subsequent requests to that node. Each such request is multiplexed as a new stream on the existing HTTP/2 connection. + .. _config_reverse_connection_stats: Statistics ---------- -The reverse connection extensions emit the following statistics: +The reverse tunnel extensions emit the following statistics: **Downstream Extension:** -The downstream reverse connection extension emits both host-level and cluster-level statistics for connection states. The stat names follow the pattern: +The downstream reverse tunnel extension emits both host-level and cluster-level statistics for connection states. The stat names follow the pattern: - Host-level: ``.host..`` - Cluster-level: ``.cluster..`` @@ -142,7 +222,7 @@ For example, with ``stat_prefix: "downstream_rc"``: **Upstream Extension:** -The upstream reverse connection extension emits node-level and cluster-level statistics for accepted connections. The stat names follow the pattern: +The upstream reverse tunnel extension emits node-level and cluster-level statistics for accepted connections. The stat names follow the pattern: - Node-level: ``reverse_connections.nodes.`` - Cluster-level: ``reverse_connections.clusters.`` @@ -163,171 +243,9 @@ For example: Security Considerations ----------------------- -Reverse connections should be used with appropriate security measures: +Reverse tunnels should be used with appropriate security measures: -* **Authentication**: Implement proper authentication mechanisms for handshake validation +* **Authentication**: Implement proper authentication mechanisms for handshake validation as part of the reverse tunnel handshake protocol * **Authorization**: Validate that downstream nodes are authorized to connect to upstream clusters -* **TLS**: Use TLS transport sockets for encrypted communication -* **Network Policies**: Restrict network access to only allow expected downstream-to-upstream communication -* **Monitoring**: Monitor connection statistics and handshake failures for security anomalies - -.. _config_reverse_connection_examples: - -Examples --------- - -.. _config_reverse_connection_simple: - -Simple Reverse Connection -~~~~~~~~~~~~~~~~~~~~~~~~~ - -A basic configuration example for using the downstream and upstream reverse connection socket interfaces -are shown below. - -**Downstream Configuration:** - -.. validated-code-block:: yaml - :type-name: envoy.config.bootstrap.v3.Bootstrap - - bootstrap_extensions: - - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface - stat_prefix: "downstream_rc" - - static_resources: - listeners: - - name: reverse_listener - address: - socket_address: - address: "rc://node-1:downstream-cluster:tenant-a@upstream-cluster:3" - port_value: 0 - filter_chains: - - filters: - - name: envoy.filters.network.tcp_proxy - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - stat_prefix: tcp - cluster: upstream-cluster - - clusters: - - name: upstream-cluster - type: LOGICAL_DNS - dns_lookup_family: V4_ONLY - load_assignment: - cluster_name: upstream-cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: "upstream.example.com" - port_value: 8080 - -**Upstream Configuration:** - -.. validated-code-block:: yaml - :type-name: envoy.config.bootstrap.v3.Bootstrap - - bootstrap_extensions: - - name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface - stat_prefix: "upstream_rc" - - static_resources: - listeners: - - name: upstream_listener - address: - socket_address: - address: "0.0.0.0" - port_value: 8080 - filter_chains: - - filters: - - name: envoy.filters.network.tcp_proxy - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - stat_prefix: tcp - cluster: backend - - clusters: - - name: backend - type: LOGICAL_DNS - dns_lookup_family: V4_ONLY - load_assignment: - cluster_name: backend - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: "backend.example.com" - port_value: 9000 - -.. _config_reverse_connection_multi_cluster: - -Multiple Clusters -~~~~~~~~~~~~~~~~~ - -Configure reverse connections to multiple upstream clusters: - -.. validated-code-block:: yaml - :type-name: envoy.config.listener.v3.Listener - - name: multi_cluster_listener - address: - socket_address: - address: "rc://node-1:downstream-cluster:tenant-a@cluster-a:2" - port_value: 0 - additional_addresses: - - address: - socket_address: - address: "rc://node-1:downstream-cluster:tenant-a@cluster-b:3" - port_value: 0 - filter_chains: - - filters: - - name: envoy.filters.network.tcp_proxy - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - stat_prefix: tcp - cluster: dynamic_cluster - -This configuration establishes: -* 2 connections to ``cluster-a`` -* 3 connections to ``cluster-b`` - -.. _config_reverse_connection_tls: - -TLS-Enabled Reverse Connections -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Add TLS encryption to reverse connections: - -.. validated-code-block:: yaml - :type-name: envoy.config.listener.v3.Listener +* **TLS**: TLS can be configured for each upstream cluster reverse tunnels are established to - name: tls_reverse_listener - address: - socket_address: - address: "rc://node-1:downstream-cluster:tenant-a@upstream-cluster:2" - port_value: 0 - filter_chains: - - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: - filename: "/etc/ssl/certs/downstream.crt" - private_key: - filename: "/etc/ssl/private/downstream.key" - validation_context: - trusted_ca: - filename: "/etc/ssl/certs/ca.crt" - filters: - - name: envoy.filters.network.tcp_proxy - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - stat_prefix: tcp - cluster: upstream-cluster From ad4fefa63b3e7ac90d516e0f006faab4dfa6edf7 Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 25 Sep 2025 21:34:43 +0000 Subject: [PATCH 502/505] fixes to docs and format Signed-off-by: Basundhara Chakrabarty --- ..._reverse_connection_socket_interface.proto | 5 +- examples/reverse_connection/README.md | 67 ++++++ .../reverse_connection/docker-compose.yaml | 16 +- .../reverse_connection/initiator-envoy.yaml | 80 ++----- .../reverse_connection/responder-envoy.yaml | 12 +- .../test_reverse_connections.py | 200 +++++++++--------- 6 files changed, 202 insertions(+), 178 deletions(-) create mode 100644 examples/reverse_connection/README.md diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index e476f485d0328..2f6465e0f0cb1 100644 --- a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -3,8 +3,9 @@ syntax = "proto3"; package envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3; import "google/protobuf/wrappers.proto"; -import "validate/validate.proto"; + import "udpa/annotations/status.proto"; +import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3"; option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto"; @@ -22,5 +23,5 @@ message UpstreamReverseConnectionSocketInterface { // Number of consecutive ping failures before an idle reverse connection socket is marked dead. // Defaults to 3 if unset. Must be at least 1. - google.protobuf.UInt32Value ping_failure_threshold = 2 [(validate.rules).uint32 = { gte: 1 }]; + google.protobuf.UInt32Value ping_failure_threshold = 2 [(validate.rules).uint32 = {gte: 1}]; } diff --git a/examples/reverse_connection/README.md b/examples/reverse_connection/README.md new file mode 100644 index 0000000000000..482a199b9b1c4 --- /dev/null +++ b/examples/reverse_connection/README.md @@ -0,0 +1,67 @@ +# Running the Sandbox for reverse tunnels + +## Steps to run sandbox + +1. Build envoy with reverse tunnels feature: + - ```./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release.server_only'``` +2. Build envoy docker image: + - ```docker build -f ci/Dockerfile-envoy-image -t envoy:latest .``` +3. Launch test containers. + - ```docker-compose -f examples/reverse_connection/docker-compose.yaml up``` + + **Note**: The docker-compose maps the following ports: + - **downstream-envoy**: Host port 9000 → Container port 9000 (reverse connection API) + - **upstream-envoy**: Host port 9001 → Container port 9000 (reverse connection API) + +4. The reverse example configuration in initiator-envoy.yaml initiates reverse tunnels to upstream envoy using a custom address resolver. The configuration includes: + + ```yaml + # Bootstrap extension for reverse tunnel functionality + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + + # Reverse connection listener with custom address format + - name: reverse_conn_listener + address: + socket_address: + # Format: rc://src_node_id:src_cluster_id:src_tenant_id@remote_cluster:connection_count + address: "rc://downstream-node:downstream-cluster:downstream-tenant@upstream-cluster:1" + port_value: 0 + resolver_name: "envoy.resolvers.reverse_connection" + ``` + +5. Test reverse tunnel: + - Perform http request for the service behind downstream envoy, to upstream-envoy. This request will be sent + over a reverse tunnel. + + ```bash + [basundhara.c@basundhara-c envoy-examples]$ curl -H "x-remote-node-id: downstream-node" -H "x-dst-cluster-uuid: downstream-cluster" http://localhost:8085/downstream_service -v + * Trying ::1... + * TCP_NODELAY set + * Connected to localhost (::1) port 8085 (#0) + > GET /downstream_service HTTP/1.1 + > Host: localhost:8085 + > User-Agent: curl/7.61.1 + > Accept: */* + > x-remote-node-id: downstream-node + > x-dst-cluster-uuid: downstream-cluster + > + < HTTP/1.1 200 OK + < server: envoy + < date: Thu, 25 Sep 2025 21:25:38 GMT + < content-type: text/plain + < content-length: 159 + < expires: Thu, 25 Sep 2025 21:25:37 GMT + < cache-control: no-cache + < x-envoy-upstream-service-time: 13 + < + Server address: 172.27.0.3:80 + Server name: b490f264caf9 + Date: 25/Sep/2025:21:25:38 +0000 + URI: /downstream_service + Request ID: 41807e3cd1f6a0b601597b80f7e51513 + * Connection #0 to host localhost left intact + ``` \ No newline at end of file diff --git a/examples/reverse_connection/docker-compose.yaml b/examples/reverse_connection/docker-compose.yaml index 73bedfd50874d..1d069bcf64571 100644 --- a/examples/reverse_connection/docker-compose.yaml +++ b/examples/reverse_connection/docker-compose.yaml @@ -10,11 +10,11 @@ services: networks: - envoy-network - on-prem-envoy: + downstream-envoy: image: debug/envoy:latest volumes: - - ./initiator-envoy.yaml:/etc/on-prem-envoy.yaml - command: envoy -c /etc/on-prem-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 + - ./initiator-envoy.yaml:/etc/downstream-envoy.yaml + command: envoy -c /etc/downstream-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface - "8888:8888" @@ -28,18 +28,18 @@ services: - envoy-network depends_on: - xds-server - - on-prem-service + - downstream-service - on-prem-service: + downstream-service: image: nginxdemos/hello:plain-text networks: - envoy-network - cloud-envoy: + upstream-envoy: image: debug/envoy:latest volumes: - - ./responder-envoy.yaml:/etc/responder-envoy.yaml - command: envoy -c /etc/responder-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 + - ./responder-envoy.yaml:/etc/upstream-envoy.yaml + command: envoy -c /etc/upstream-envoy.yaml --concurrency 1 -l trace --drain-time-s 3 ports: # Admin interface - "8889:8888" diff --git a/examples/reverse_connection/initiator-envoy.yaml b/examples/reverse_connection/initiator-envoy.yaml index 52a2649ddd40d..03c05037f1a9e 100644 --- a/examples/reverse_connection/initiator-envoy.yaml +++ b/examples/reverse_connection/initiator-envoy.yaml @@ -1,7 +1,7 @@ --- node: - id: on-prem-node - cluster: on-prem + id: downstream-node + cluster: downstream-cluster # Enable reverse connection bootstrap extension which registers the custom resolver bootstrap_extensions: @@ -12,62 +12,16 @@ bootstrap_extensions: static_resources: listeners: - # Services reverse conn APIs - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9001 - filter_chains: - - filters: - - name: envoy.filters.network.reverse_tunnel - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel - ping_interval: 30s - - # Forwards incoming http requests to backend - - name: ingress_http_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 6060 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - route_config: - name: ingress_http_route - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/on_prem_service' - route: - cluster: on-prem-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - # Initiates reverse connections to cloud using custom resolver + # Initiates reverse connections to upstream using custom resolver - name: reverse_conn_listener listener_filters_timeout: 0s listener_filters: - # Filter that responds to keepalives on reverse connection sockets - # - name: envoy.filters.listener.reverse_connection - # typed_config: - # "@type": type.googleapis.com/envoy.extensions.filters.listener.reverse_connection.v3.ReverseConnection - # ping_wait_timeout: 10 # Use custom address with reverse connection metadata encoded in URL format address: socket_address: - # This encodes: src_node_id=on-prem-node, src_cluster_id=on-prem, src_tenant_id=on-prem - # and remote clusters: cloud with 1 connection - address: "rc://on-prem-node:on-prem:on-prem@cloud:1" + # This encodes: src_node_id=downstream-node, src_cluster_id=downstream, src_tenant_id=downstream + # and remote clusters: upstream with 1 connection + address: "rc://downstream-node:downstream-cluster:downstream-tenant@upstream-cluster:1" port_value: 0 # Use custom resolver that can parse reverse connection metadata resolver_name: "envoy.resolvers.reverse_connection" @@ -84,42 +38,42 @@ static_resources: - "*" routes: - match: - prefix: '/on_prem_service' + prefix: '/downstream_service' route: - cluster: on-prem-service + cluster: downstream-service http_filters: - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - # Cluster designating cloud-envoy + # Cluster designating upstream-envoy clusters: - - name: cloud + - name: upstream-cluster type: STRICT_DNS connect_timeout: 30s load_assignment: - cluster_name: cloud + cluster_name: upstream-cluster endpoints: - lb_endpoints: - endpoint: address: socket_address: - address: cloud-envoy # Container name of cloud-envoy in docker-compose - port_value: 9000 # Port where cloud-envoy's rev_conn_api_listener listens + address: upstream-envoy # Container name of upstream-envoy in docker-compose + port_value: 9000 # Port where upstream-envoy's rev_conn_api_listener listens - # Backend HTTP service behind onprem which + # Backend HTTP service behind downstream which # we will access via reverse connections - - name: on-prem-service + - name: downstream-service type: STRICT_DNS connect_timeout: 30s load_assignment: - cluster_name: on-prem-service + cluster_name: downstream-service endpoints: - lb_endpoints: - endpoint: address: socket_address: - address: on-prem-service + address: downstream-service port_value: 80 admin: diff --git a/examples/reverse_connection/responder-envoy.yaml b/examples/reverse_connection/responder-envoy.yaml index 8c3bf9aa3b31d..8b73234256f39 100644 --- a/examples/reverse_connection/responder-envoy.yaml +++ b/examples/reverse_connection/responder-envoy.yaml @@ -1,10 +1,10 @@ --- node: - id: cloud-node - cluster: cloud + id: upstream-node + cluster: upstream-cluster static_resources: listeners: - # Services reverse conn APIs + # Accepts reverse tunnel requests - name: rev_conn_api_listener address: socket_address: @@ -36,7 +36,7 @@ static_resources: - "*" routes: - match: - prefix: "/on_prem_service" + prefix: "/downstream_service" route: cluster: reverse_connection_cluster http_filters: @@ -55,8 +55,8 @@ static_resources: # The following headers are expected in downstream requests # to be sent over reverse connections http_header_names: - - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node - - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem + - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., downstream-node + - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., downstream typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions diff --git a/examples/reverse_connection/test_reverse_connections.py b/examples/reverse_connection/test_reverse_connections.py index 72c6627778018..31cf6f1fc6d9b 100644 --- a/examples/reverse_connection/test_reverse_connections.py +++ b/examples/reverse_connection/test_reverse_connections.py @@ -3,14 +3,14 @@ Test script for reverse connection socket interface functionality. This script: -1. Starts two Envoy instances (on-prem and cloud) using Docker Compose -2. Starts the backend service (on-prem-service) -3. Initially starts on-prem without the reverse_conn_listener (removed from config) -4. Verifies reverse connections are not established by checking the cloud API -5. Adds the reverse_conn_listener to on-prem via xDS +1. Starts two Envoy instances (downstream and upstream) using Docker Compose +2. Starts the backend service (downstream-service) +3. Initially starts downstream without the reverse_conn_listener (removed from config) +4. Verifies reverse connections are not established by checking the upstream API +5. Adds the reverse_conn_listener to downstream via xDS 6. Verifies reverse connections are established 7. Tests request routing through reverse connections -8. Stops and restarts cloud Envoy to test connection recovery +8. Stops and restarts upstream Envoy to test connection recovery 9. Verifies reverse connections are re-established """ @@ -33,29 +33,28 @@ os.path.dirname(os.path.abspath(__file__)), 'docker_compose_file': os.path.join(os.path.dirname(os.path.abspath(__file__)), 'docker-compose.yaml'), - 'on_prem_config_file': - os.path.join( - os.path.dirname(os.path.abspath(__file__)), 'initiator-envoy.yaml'), - 'cloud_config_file': + 'downstream_config_file': + os.path.join(os.path.dirname(os.path.abspath(__file__)), 'initiator-envoy.yaml'), + 'upstream_config_file': os.path.join(os.path.dirname(os.path.abspath(__file__)), 'responder-envoy.yaml'), # Ports - 'cloud_admin_port': + 'upstream_admin_port': 8889, - 'cloud_api_port': + 'upstream_api_port': 9001, - 'cloud_egress_port': + 'upstream_egress_port': 8085, - 'on_prem_admin_port': + 'downstream_admin_port': 8888, 'xds_server_port': 18000, # Port for our xDS server # Container names - 'cloud_container': - 'cloud-envoy', - 'on_prem_container': - 'on-prem-envoy', + 'upstream_container': + 'upstream-envoy', + 'downstream_container': + 'downstream-envoy', # Timeouts 'envoy_startup_timeout': @@ -78,10 +77,10 @@ def __init__(self): self.current_compose_file = None # Track which compose file is being used self.current_compose_cwd = None # Track which directory to run from - def create_on_prem_config_with_xds(self) -> str: - """Create on-prem Envoy config with xDS for dynamic listener management.""" + def create_downstream_config_with_xds(self) -> str: + """Create downstream Envoy config with xDS for dynamic listener management.""" # Load the original config - with open(CONFIG['on_prem_config_file'], 'r') as f: + with open(CONFIG['downstream_config_file'], 'r') as f: config = yaml.safe_load(f) # Remove the reverse_conn_listener (will be added via xDS) @@ -90,19 +89,19 @@ def create_on_prem_config_with_xds(self) -> str: listener for listener in listeners if listener['name'] != 'reverse_conn_listener' ] - # Update the on-prem-service cluster to point to on-prem-service container + # Update the downstream-service cluster to point to downstream-service container for cluster in config['static_resources']['clusters']: - if cluster['name'] == 'on-prem-service': + if cluster['name'] == 'downstream-service': cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ - 'address']['socket_address']['address'] = 'on-prem-service' + 'address']['socket_address']['address'] = 'downstream-service' cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ 'address']['socket_address']['port_value'] = 80 - # Update the cloud cluster to point to cloud-envoy container + # Update the upstream-cluster cluster to point to upstream-envoy container for cluster in config['static_resources']['clusters']: - if cluster['name'] == 'cloud': + if cluster['name'] == 'upstream-cluster': cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ - 'address']['socket_address']['address'] = 'cloud-envoy' + 'address']['socket_address']['address'] = 'upstream-envoy' cluster['load_assignment']['endpoints'][0]['lb_endpoints'][0]['endpoint'][ 'address']['socket_address']['port_value'] = 9000 @@ -143,33 +142,33 @@ def create_on_prem_config_with_xds(self) -> str: } } - config_file = os.path.join(self.temp_dir, "on-prem-envoy-with-xds.yaml") + config_file = os.path.join(self.temp_dir, "downstream-envoy-with-xds.yaml") with open(config_file, 'w') as f: yaml.dump(config, f, default_flow_style=False) return config_file - def start_docker_compose(self, on_prem_config: str = None) -> bool: + def start_docker_compose(self, downstream_config: str = None) -> bool: """Start Docker Compose services.""" logger.info("Starting Docker Compose services") - # Create a temporary docker-compose file with the custom on-prem config if provided - if on_prem_config: + # Create a temporary docker-compose file with the custom downstream config if provided + if downstream_config: # Copy the original docker-compose file and modify it with open(CONFIG['docker_compose_file'], 'r') as f: compose_config = yaml.safe_load(f) - # Update the on-prem-envoy service to use the custom config - compose_config['services']['on-prem-envoy']['volumes'] = [ - f"{on_prem_config}:/etc/on-prem-envoy.yaml" + # Update the downstream-envoy service to use the custom config + compose_config['services']['downstream-envoy']['volumes'] = [ + f"{downstream_config}:/etc/downstream-envoy.yaml" ] # Copy responder-envoy.yaml to temp directory and update the path import shutil - temp_cloud_config = os.path.join(self.temp_dir, "responder-envoy.yaml") - shutil.copy(CONFIG['cloud_config_file'], temp_cloud_config) - compose_config['services']['cloud-envoy']['volumes'] = [ - f"{temp_cloud_config}:/etc/responder-envoy.yaml" + temp_upstream_config = os.path.join(self.temp_dir, "responder-envoy.yaml") + shutil.copy(CONFIG['upstream_config_file'], temp_upstream_config) + compose_config['services']['upstream-envoy']['volumes'] = [ + f"{temp_upstream_config}:/etc/upstream-envoy.yaml" ] # Copy Dockerfile.xds to temp directory @@ -189,7 +188,7 @@ def start_docker_compose(self, on_prem_config: str = None) -> bool: cmd = ["docker-compose", "-f", compose_file, "up"] # If using a temporary compose file, run from temp directory, otherwise from docker_compose_dir - if on_prem_config: + if downstream_config: # Run from temp directory where both files are located self.docker_compose_process = subprocess.Popen( cmd, cwd=self.temp_dir, universal_newlines=True) @@ -241,16 +240,16 @@ def wait_for_envoy_ready(self, admin_port: int, name: str, timeout: int = 30) -> return False def check_reverse_connections(self, api_port: int) -> bool: - """Check if reverse connections are established by calling the cloud API.""" + """Check if reverse connections are established by calling the upstream API.""" try: - # Check the reverse connections API on port 9001 (cloud-envoy's rev_conn_api_listener) + # Check the reverse connections API on port 9001 (upstream-envoy's rev_conn_api_listener) response = requests.get(f"http://localhost:{api_port}/reverse_connections", timeout=5) if response.status_code == 200: data = response.json() logger.info(f"Reverse connections state: {data}") - # Check if on-prem is connected - if "connected" in data and "on-prem-node" in data["connected"]: + # Check if downstream is connected + if "connected" in data and "downstream-node" in data["connected"]: logger.info("Reverse connections are established") return True else: @@ -271,10 +270,10 @@ def check_reverse_connections(self, api_port: int) -> bool: def test_reverse_connection_request(self, port: int) -> bool: """Test sending a request through reverse connection.""" try: - headers = {"x-remote-node-id": "on-prem-node", "x-dst-cluster-uuid": "on-prem"} - # Use port 8081 (cloud-envoy's egress_listener) as specified in docker-compose + headers = {"x-remote-node-id": "downstream-node", "x-dst-cluster-uuid": "downstream"} + # Use port 8085 (upstream-envoy's egress_listener) as specified in docker-compose response = requests.get( - f"http://localhost:{port}/on_prem_service", headers=headers, timeout=10) + f"http://localhost:{port}/downstream_service", headers=headers, timeout=10) if response.status_code == 200: logger.info(f"Reverse connection request successful: {response.text[:100]}...") @@ -289,7 +288,7 @@ def test_reverse_connection_request(self, port: int) -> bool: def get_reverse_conn_listener_config(self) -> dict: """Get the reverse_conn_listener configuration.""" # Load the original config to extract the reverse_conn_listener - with open(CONFIG['on_prem_config_file'], 'r') as f: + with open(CONFIG['downstream_config_file'], 'r') as f: config = yaml.safe_load(f) # Find the reverse_conn_listener @@ -416,18 +415,18 @@ def check_container_network_status(self) -> bool: return False def check_network_connectivity(self) -> bool: - """Check network connectivity from on-prem container to cloud container.""" - logger.info("Checking network connectivity from on-prem to cloud container") + """Check network connectivity from downstream container to upstream container.""" + logger.info("Checking network connectivity from downstream to upstream container") try: # First check container network status self.check_container_network_status() - # Get the on-prem container name - on_prem_container = self.get_container_name(CONFIG['on_prem_container']) + # Get the downstream container name + on_prem_container = self.get_container_name(CONFIG['downstream_container']) # Test DNS resolution first logger.info("Testing DNS resolution...") - dns_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'nslookup cloud-envoy'] + dns_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'nslookup upstream-envoy'] dns_result = subprocess.run( dns_cmd, @@ -442,7 +441,7 @@ def check_network_connectivity(self) -> bool: # Test ping connectivity logger.info("Testing ping connectivity...") - ping_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'ping -c 1 cloud-envoy'] + ping_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'ping -c 1 upstream-envoy'] ping_result = subprocess.run( ping_cmd, @@ -456,8 +455,8 @@ def check_network_connectivity(self) -> bool: logger.error(f"Ping error: {ping_result.stderr}") # Test TCP connectivity to the specific port - logger.info("Testing TCP connectivity to cloud-envoy:9000...") - tcp_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'nc -z cloud-envoy 9000'] + logger.info("Testing TCP connectivity to upstream-envoy:9000...") + tcp_cmd = ['docker', 'exec', on_prem_container, 'sh', '-c', 'nc -z upstream-envoy 9000'] tcp_result = subprocess.run( tcp_cmd, @@ -482,9 +481,9 @@ def check_network_connectivity(self) -> bool: logger.error(f"Error checking network connectivity: {e}") return False - def start_cloud_envoy(self) -> bool: - """Start the cloud Envoy container.""" - logger.info("Starting cloud Envoy container") + def start_upstream_envoy(self) -> bool: + """Start the upstream Envoy container.""" + logger.info("Starting upstream Envoy container") try: # Use the same docker-compose file and directory that was used in start_docker_compose # This ensures the container is started with the same configuration @@ -499,9 +498,9 @@ def start_cloud_envoy(self) -> bool: compose_cwd = self.docker_compose_dir logger.info( - "Using docker-compose up to start cloud-envoy with consistent network config") + "Using docker-compose up to start upstream-envoy with consistent network config") result = subprocess.run( - ['docker-compose', '-f', compose_file, 'up', '-d', CONFIG['cloud_container']], + ['docker-compose', '-f', compose_file, 'up', '-d', CONFIG['upstream_container']], stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, @@ -519,25 +518,25 @@ def start_cloud_envoy(self) -> bool: if not self.check_network_connectivity(): logger.warn("Network connectivity check failed, but continuing...") - # Wait for cloud Envoy to be ready - if not self.wait_for_envoy_ready(CONFIG['cloud_admin_port'], "cloud", + # Wait for upstream Envoy to be ready + if not self.wait_for_envoy_ready(CONFIG['upstream_admin_port'], "upstream", CONFIG['envoy_startup_timeout']): logger.error("Cloud Envoy failed to become ready after restart") return False logger.info("✓ Cloud Envoy is ready after restart") return True else: - logger.error(f"Failed to start cloud Envoy: {result.stderr}") + logger.error(f"Failed to start upstream Envoy: {result.stderr}") return False except Exception as e: - logger.error(f"Error starting cloud Envoy: {e}") + logger.error(f"Error starting upstream Envoy: {e}") return False - def stop_cloud_envoy(self) -> bool: - """Stop the cloud Envoy container.""" - logger.info("Stopping cloud Envoy container") + def stop_upstream_envoy(self) -> bool: + """Stop the upstream Envoy container.""" + logger.info("Stopping upstream Envoy container") try: - container_name = self.get_container_name(CONFIG['cloud_container']) + container_name = self.get_container_name(CONFIG['upstream_container']) result = subprocess.run(['docker', 'stop', container_name], stdout=subprocess.PIPE, stderr=subprocess.PIPE, @@ -547,10 +546,10 @@ def stop_cloud_envoy(self) -> bool: logger.info("✓ Cloud Envoy container stopped") return True else: - logger.error(f"Failed to stop cloud Envoy: {result.stderr}") + logger.error(f"Failed to stop upstream Envoy: {result.stderr}") return False except Exception as e: - logger.error(f"Error stopping cloud Envoy: {e}") + logger.error(f"Error stopping upstream Envoy: {e}") return False def run_test(self): @@ -559,29 +558,30 @@ def run_test(self): logger.info("Starting reverse connection test") # Step 0: Start Docker Compose services with xDS config - on_prem_config_with_xds = self.create_on_prem_config_with_xds() - if not self.start_docker_compose(on_prem_config_with_xds): + downstream_config_with_xds = self.create_downstream_config_with_xds() + if not self.start_docker_compose(downstream_config_with_xds): raise Exception("Failed to start Docker Compose services") # Step 1: Wait for Envoy instances to be ready - if not self.wait_for_envoy_ready(CONFIG['cloud_admin_port'], "cloud", + if not self.wait_for_envoy_ready(CONFIG['upstream_admin_port'], "upstream", CONFIG['envoy_startup_timeout']): - raise Exception("Cloud Envoy failed to start") + raise Exception("Upstream Envoy failed to start") - if not self.wait_for_envoy_ready(CONFIG['on_prem_admin_port'], "on-prem", + if not self.wait_for_envoy_ready(CONFIG['downstream_admin_port'], "downstream", CONFIG['envoy_startup_timeout']): - raise Exception("On-prem Envoy failed to start") + raise Exception("Downstream Envoy failed to start") # Step 2: Verify reverse connections are NOT established logger.info("Verifying reverse connections are NOT established") time.sleep(5) # Give some time for any potential connections - if self.check_reverse_connections(CONFIG['cloud_api_port']): # cloud-envoy's API port + if self.check_reverse_connections( + CONFIG['upstream_api_port']): # upstream-envoy's API port raise Exception( "Reverse connections should not be established without reverse_conn_listener") logger.info("✓ Reverse connections are correctly not established") - # Step 3: Add reverse_conn_listener to on-prem via xDS - logger.info("Adding reverse_conn_listener to on-prem via xDS") + # Step 3: Add reverse_conn_listener to downstream via xDS + logger.info("Adding reverse_conn_listener to downstream via xDS") if not self.add_reverse_conn_listener_via_xds(): raise Exception("Failed to add reverse_conn_listener via xDS") @@ -591,7 +591,7 @@ def run_test(self): start_time = time.time() while time.time() - start_time < max_wait: if self.check_reverse_connections( - CONFIG['cloud_api_port']): # cloud-envoy's API port + CONFIG['upstream_api_port']): # upstream-envoy's API port logger.info("✓ Reverse connections are established") break logger.info("Waiting for reverse connections to be established") @@ -602,55 +602,57 @@ def run_test(self): # Step 5: Test request through reverse connection logger.info("Testing request through reverse connection") if not self.test_reverse_connection_request( - CONFIG['cloud_egress_port']): # cloud-envoy's egress port + CONFIG['upstream_egress_port']): # upstream-envoy's egress port raise Exception("Reverse connection request failed") logger.info("✓ Reverse connection request successful") - # Step 6: Stop cloud Envoy and verify reverse connections are down - logger.info("Step 6: Stopping cloud Envoy to test connection recovery") - if not self.stop_cloud_envoy(): - raise Exception("Failed to stop cloud Envoy") + # Step 6: Stop upstream Envoy and verify reverse connections are down + logger.info("Step 6: Stopping upstream Envoy to test connection recovery") + if not self.stop_upstream_envoy(): + raise Exception("Failed to stop upstream Envoy") # Verify reverse connections are down - logger.info("Verifying reverse connections are down after stopping cloud Envoy") + logger.info("Verifying reverse connections are down after stopping upstream Envoy") time.sleep(2) # Give some time for connections to be detected as down - if self.check_reverse_connections(CONFIG['cloud_api_port']): - logger.warn("Reverse connections still appear active after stopping cloud Envoy") + if self.check_reverse_connections(CONFIG['upstream_api_port']): + logger.warn("Reverse connections still appear active after stopping upstream Envoy") else: - logger.info("✓ Reverse connections are correctly down after stopping cloud Envoy") + logger.info( + "✓ Reverse connections are correctly down after stopping upstream Envoy") - # Step 7: Wait for > drain timer (3s) and then start cloud Envoy - logger.info("Step 7: Waiting for drain timer (3s) before starting cloud Envoy") + # Step 7: Wait for > drain timer (3s) and then start upstream Envoy + logger.info("Step 7: Waiting for drain timer (3s) before starting upstream Envoy") time.sleep(15) # Wait more than the reverse conn retry timer for the connections # to be drained. - logger.info("Starting cloud Envoy to test reverse connection re-establishment") - if not self.start_cloud_envoy(): - raise Exception("Failed to start cloud Envoy") + logger.info("Starting upstream Envoy to test reverse connection re-establishment") + if not self.start_upstream_envoy(): + raise Exception("Failed to start upstream Envoy") # Step 8: Verify reverse connections are re-established logger.info("Step 8: Verifying reverse connections are re-established") max_wait = 60 start_time = time.time() while time.time() - start_time < max_wait: - if self.check_reverse_connections(CONFIG['cloud_api_port']): + if self.check_reverse_connections(CONFIG['upstream_api_port']): logger.info( - "✓ Reverse connections are re-established after cloud Envoy restart") + "✓ Reverse connections are re-established after upstream Envoy restart") break logger.info("Waiting for reverse connections to be re-established") time.sleep(1) else: raise Exception("Reverse connections failed to re-establish within timeout") - # # Step 10: Remove reverse_conn_listener from on-prem via xDS - logger.info("Removing reverse_conn_listener from on-prem via xDS") + # # Step 10: Remove reverse_conn_listener from downstream via xDS + logger.info("Removing reverse_conn_listener from downstream via xDS") if not self.remove_reverse_conn_listener_via_xds(): raise Exception("Failed to remove reverse_conn_listener via xDS") # # Step 11: Verify reverse connections are torn down logger.info("Verifying reverse connections are torn down") time.sleep(10) # Wait for connections to be torn down - if self.check_reverse_connections(CONFIG['cloud_api_port']): # cloud-envoy's API port + if self.check_reverse_connections( + CONFIG['upstream_api_port']): # upstream-envoy's API port raise Exception("Reverse connections should be torn down after removing listener") logger.info("✓ Reverse connections are correctly torn down") From 381b1f539ebae0aa6582c58b83712021f64cba6f Mon Sep 17 00:00:00 2001 From: Basundhara Chakrabarty Date: Thu, 25 Sep 2025 23:16:43 +0000 Subject: [PATCH 503/505] Fixes and formatting Signed-off-by: Basundhara Chakrabarty --- configs/reverse_connection/README.md | 196 --------- .../other_features/reverse_connection.rst | 251 ----------- .../other_features/reverse_tunnel.rst | 411 ++++++++++++++++++ 3 files changed, 411 insertions(+), 447 deletions(-) delete mode 100644 configs/reverse_connection/README.md delete mode 100644 docs/root/configuration/other_features/reverse_connection.rst create mode 100644 docs/root/configuration/other_features/reverse_tunnel.rst diff --git a/configs/reverse_connection/README.md b/configs/reverse_connection/README.md deleted file mode 100644 index e8a628740f10c..0000000000000 --- a/configs/reverse_connection/README.md +++ /dev/null @@ -1,196 +0,0 @@ -# Reverse Tunnels - -Reverse tunnels enable establishing persistent connections from downstream Envoy instances to upstream Envoy instances without requiring the upstream to be directly reachable from the downstream. This is particularly useful when downstream instances are behind NATs, firewalls, or in private networks. - -## Configuration files - -- [`initiator-envoy.yaml`](initiator-envoy.yaml): Configuration for the initiator Envoy (downstream) -- [`responder-envoy.yaml`](responder-envoy.yaml): Configuration for the responder Envoy (upstream) - -## Initiator configuration (downstream Envoy) - -The initiator Envoy requires the following configuration components: - -### Bootstrap extension for socket interface - -```yaml - bootstrap_extensions: - - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface - stat_prefix: "downstream_reverse_connection" -``` - -This extension enables the initiator to initiate and manage reverse tunnels to the responder Envoy. - -### Reverse tunnel listener - -The reverse tunnel listener triggers the reverse connection initiation to the upstream Envoy instance and encodes identity metadata for the local Envoy. It also contains the route configuration for downstream services reachable via reverse tunnels. - -```yaml - - name: reverse_conn_listener - listener_filters_timeout: 0s - listener_filters: - address: - socket_address: - # Format: rc://src_node_id:src_cluster_id:src_tenant_id@remote_cluster:connection_count - address: "rc://downstream-node:downstream-cluster:downstream-tenant@upstream-cluster:1" - port_value: 0 - # Use custom resolver that can parse reverse connection metadata - resolver_name: "envoy.resolvers.reverse_connection" - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: reverse_conn_listener - route_config: - virtual_hosts: - - name: backend - domains: - - "*" - routes: - - match: - prefix: '/downstream_service' - route: - cluster: downstream-service - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router -``` - -The special `rc://` address format encodes: -- `src_node_id`: "downstream-node" - Unique identifier for this downstream node -- `src_cluster_id`: "downstream-cluster" - Cluster name of the downstream Envoy -- `src_tenant_id`: "downstream-tenant" - Tenant identifier -- `remote_cluster`: "upstream-cluster" - Name of the upstream cluster to connect to -- `connection_count`: "1" - Number of reverse connections to establish - -### Upstream Cluster - -The upstream cluster configuration defines where reverse tunnels should be initiated: - -```yaml -- name: upstream-cluster - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: upstream-cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: upstream-envoy # Responder Envoy address - port_value: 9000 # Port where responder listens for reverse tunnel requests -``` - -### Downstream Service for Reverse Tunnel Data - -The downstream service represents the service behind the initiator Envoy that should be reachable via reverse tunnels: - -```yaml -- name: downstream-service - type: STRICT_DNS - connect_timeout: 30s - load_assignment: - cluster_name: downstream-service - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: downstream-service - port_value: 80 -``` - -## Responder configuration (upstream Envoy) - -The responder Envoy requires the following configuration components: - -### Bootstrap extension for socket interface - -```yaml -bootstrap_extensions: -- name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface - stat_prefix: "upstream_reverse_connection" -``` - -This extension enables the responder to accept and manage reverse connections from initiator Envoys. - -### Reverse tunnel filter and listener - -```yaml -- name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9000 # Port where initiator will connect for tunnel establishment - filter_chains: - - filters: - - name: envoy.filters.network.reverse_tunnel - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel - ping_interval: 2s -``` - -The `envoy.filters.network.reverse_tunnel` network filter handles the reverse tunnel handshake protocol and connection acceptance. - -### Reverse connection cluster - -Each downstream node reachable from upstream Envoy via reverse connections needs to be configured with a reverse connection cluster. When a data request arrives at the upstream Envoy, this cluster uses cached "reverse connections" instead of creating new forward connections. - -```yaml -- name: reverse_connection_cluster - connect_timeout: 200s - lb_policy: CLUSTER_PROVIDED - cluster_type: - name: envoy.clusters.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig - http_header_names: - - x-remote-node-id # Should be set to "downstream-node" - - x-dst-cluster-uuid # Should be set to "downstream-cluster" - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: {} # HTTP/2 required for reverse connections -``` - -### Egress listener for data traffic - -The egress listener receives data traffic on the upstream Envoy and routes it to the reverse connection cluster: - -```yaml -- name: egress_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 8085 # Port for sending requests to initiator services - filter_chains: - - filters: - - name: envoy.http_connection_manager - typed_config: - route_config: - virtual_hosts: - - name: backend - domains: ["*"] - routes: - - match: - prefix: "/downstream_service" - route: - cluster: reverse_connection_cluster # Routes to initiator via reverse tunnel -``` - -This is the egress listener that receives data traffic on upstream envoy and routes it to the reverse connection cluster. - -## How It Works - -1. **Tunnel Establishment**: The initiator Envoy establishes reverse tunnels to the responder Envoy on port 9000. -2. **Service Access**: When a request comes to the responder's egress listener (port 8085) for `/downstream_service`, it's routed through to the reverse connection cluster. Instead of creating forward connections to downstream-envoy, a cached "reverse connection" is picked and the data request is routed through it. -3. **Header-Based Routing**: The reverse connection cluster uses `x-remote-node-id` and `x-dst-cluster-uuid` headers to identify which cached reverse connection to use. -4. **Service Response**: The request travels through the reverse tunnel to the initiator, gets routed to the local service, and the response travels back through the same tunnel. \ No newline at end of file diff --git a/docs/root/configuration/other_features/reverse_connection.rst b/docs/root/configuration/other_features/reverse_connection.rst deleted file mode 100644 index 6b86f558054c4..0000000000000 --- a/docs/root/configuration/other_features/reverse_connection.rst +++ /dev/null @@ -1,251 +0,0 @@ -.. _config_reverse_connection: - -Reverse Tunnels -=============== - -Envoy supports reverse tunnels that enable establishing persistent connections from downstream Envoy instances -to upstream Envoy instances without requiring the upstream to be directly reachable from the downstream. -This feature is particularly useful in scenarios where downstream instances are behind NATs, firewalls, -or in private networks, and need to initiate connections to upstream instances in public networks or cloud environments. - -Reverse tunnels work by having the downstream Envoy initiate TCP connections to upstream Envoy instances -and keep them alive for reuse. These connections are established using a handshake protocol and can be -used for forwarding traffic from services behind upstream Envoy to downstream services behind the downstream Envoy. - -.. _config_reverse_tunnel_bootstrap: - -Reverse tunnels require the following extensions: - -1. **Downstream and upstream socket interfaces**: Both registered as bootstrap extensions -2. **Reverse tunnel network filter**: On responder Envoy to accept reverse tunnel requests -3. **Reverse connection cluster**: On responder Envoy for each downstream cluster that needs to be reached through reverse tunnels - -Bootstrap Extensions --------------------- - -To enable reverse tunnels, two bootstrap extensions need to be configured: - -1. **Downstream Socket Interface**: Configures the downstream Envoy to initiate - reverse tunnels to upstream instances. - -2. **Upstream Socket Interface**: Configures the upstream Envoy to accept - and manage reverse tunnels from downstream instances. - -.. _config_reverse_connection_downstream: - -Downstream Socket Interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The downstream socket interface is configured in the bootstrap as follows: - -.. validated-code-block:: yaml - :type-name: envoy.config.bootstrap.v3.Bootstrap - - bootstrap_extensions: - - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface - stat_prefix: "downstream_reverse_connection" - -.. _config_reverse_connection_upstream: - -Upstream Socket Interface -~~~~~~~~~~~~~~~~~~~~~~ - -The upstream socket interface is configured in the bootstrap as follows: - -.. validated-code-block:: yaml - :type-name: envoy.config.bootstrap.v3.Bootstrap - - bootstrap_extensions: - - name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface - typed_config: - "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface - stat_prefix: "upstream_reverse_connection" - -.. _config_reverse_connection_listener: - -Listener Configuration ----------------------- - -Reverse tunnels are initiated through special reverse tunnel listeners that use the following -address format: - -.. validated-code-block:: yaml - :type-name: envoy.config.listener.v3.Listener - - name: reverse_connection_listener - address: - socket_address: - address: "rc://downstream-node-id:downstream-cluster-id:downstream-tenant-id@upstream-cluster:connection-count" - port_value: 0 - filter_chains: - - filters: - - name: envoy.filters.network.tcp_proxy - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - stat_prefix: tcp - cluster: upstream-cluster - -The reverse tunnel address format ``rc://src_node:src_cluster:src_tenant@target_cluster:count`` -encodes the following information: - -* ``src_node``: Unique identifier for the downstream node -* ``src_cluster``: Cluster name of the downstream Envoy -* ``src_tenant``: Tenant identifier for multi-tenant deployments -* ``target_cluster``: Name of the upstream cluster to connect to -* ``count``: Number of reverse tunnels to establish to upstream-cluster - -The upstream-cluster can be dynamically configurable via CDS. The listener calls the reverse tunnel -workflow and initiates raw TCP connections to upstream clusters, thereby This triggering the reverse -connection handshake. - -.. _config_reverse_tunnel_filter: - -Reverse Tunnel Network Filter ------------------------------ - -On upstream Envoy, the reverse tunnel network filter implements the reverse tunnel handshake protocol and accepts or rejects the reverse tunnel request. - -.. validated-code-block:: yaml - :type-name: envoy.config.listener.v3.Listener - - name: rev_conn_api_listener - address: - socket_address: - address: 0.0.0.0 - port_value: 9000 - filter_chains: - - filters: - - name: envoy.filters.network.reverse_tunnel - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel - ping_interval: 2s - -.. _config_reverse_connection_handshake: - -Handshake Protocol ------------------- - -Reverse tunnels use a handshake protocol to establish authenticated connections between -downstream and upstream Envoy instances. The handshake has the following steps: - -1. **Connection Initiation**: Initiator Envoy initiates TCP connections to each host of the upstream cluster, -and writes the handshake request on it over HTTP. -2. **Identity Exchange**: The downstream Envoy's reverse tunnel handshake contains identity information (node ID, cluster ID, tenant ID) sent as HTTP headers. The reverse tunnel network filter expects the following headers: - - * ``x-envoy-reverse-tunnel-node-id``: Unique identifier for the downstream node (e.g., "on-prem-node") - * ``x-envoy-reverse-tunnel-cluster-id``: Cluster name of the downstream Envoy (e.g., "on-prem") - * ``x-envoy-reverse-tunnel-tenant-id``: Tenant identifier for multi-tenant deployments (e.g., "on-prem") - - These identify values are obtained from the reverse tunnel listener address and the headers are automatically added by the reverse tunnel downstream socket interface during the handshake process. -3. **Validation/Authentication**: The upstream Envoy performs the following validation checks on receiving the handshake request: - - * **HTTP Method Validation**: Verifies the request method matches the configured method (defaults to ``GET``) - * **HTTP Path Validation**: Verifies the request path matches the configured path (defaults to ``/reverse_connections/request``) - * **Required Headers Validation**: Ensures all three required identity headers are present: - - - ``x-envoy-reverse-tunnel-node-id`` - - ``x-envoy-reverse-tunnel-cluster-id`` - - ``x-envoy-reverse-tunnel-tenant-id`` - - If any validation fails, the request is rejected with appropriate HTTP error codes (404 for method/path mismatch, 400 for missing headers). -4. **Connection Establishment**: Post a successful handshake, the upstream Envoy stores the TCP socket mapped to the downstream node ID. - -.. _config_reverse_connection_cluster: - -Reverse Connection Cluster --------------------------- - -Each initiator node that should be reachable via reverse tunnels must be configured using a reverse connection cluster. This is a custom cluster type that indicates that instead of creating new forward connections to the downstream node, cached "reverse connections" should be used to send requests. - -The reverse connection cluster uses the ``envoy.clusters.reverse_connection`` cluster type and requires specific HTTP headers in downstream requests to identify which cached reverse connection to use for routing. - -.. .. validated-code-block:: yaml -.. :type-name: envoy.config.cluster.v3.Cluster - -.. name: reverse_connection_cluster -.. connect_timeout: 200s -.. lb_policy: CLUSTER_PROVIDED -.. cluster_type: -.. name: envoy.clusters.reverse_connection -.. typed_config: -.. "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig -.. # The following headers are expected in downstream requests -.. # to be sent over reverse connections -.. http_header_names: -.. - x-remote-node-id # Should be set to the node ID of the downstream envoy node, ie., on-prem-node -.. - x-dst-cluster-uuid # Should be set to the cluster ID of the downstream envoy node, ie., on-prem - -The cluster configuration specifies: - -* **Load balancing policy**: ``CLUSTER_PROVIDED`` allows the custom cluster to manage load balancing -* **Header Resolution Strategy**: The cluster follows a tiered approach to identify the target downstream node: - - 1. **Configured Headers**: First checks for headers specified in ``http_header_names`` configuration. If not configured, defaults to ``x-envoy-dst-node-uuid`` and ``x-envoy-dst-cluster-uuid`` - 2. **Host Header**: If no configured headers are found, extracts UUID from the Host header in format ``.tcpproxy.envoy.remote:`` - 3. **SNI (Server Name Indication)**: If Host header extraction fails, extracts UUID from SNI in format ``.tcpproxy.envoy.remote`` -* **Protocol**: Only HTTP/2 is supported for reverse connections -* **Host Reuse**: Once a host is created for a specific downstream node ID, it is cached and reused for all subsequent requests to that node. Each such request is multiplexed as a new stream on the existing HTTP/2 connection. - -.. _config_reverse_connection_stats: - -Statistics ----------- - -The reverse tunnel extensions emit the following statistics: - -**Downstream Extension:** - -The downstream reverse tunnel extension emits both host-level and cluster-level statistics for connection states. The stat names follow the pattern: - -- Host-level: ``.host..`` -- Cluster-level: ``.cluster..`` - -Where ```` can be one of: - -.. csv-table:: - :header: State, Type, Description - :widths: 1, 1, 2 - - connecting, Gauge, Number of connections currently being established - connected, Gauge, Number of successfully established connections - failed, Gauge, Number of failed connection attempts - recovered, Gauge, Number of connections that recovered from failure - backoff, Gauge, Number of hosts currently in backoff state - cannot_connect, Gauge, Number of connection attempts that could not be initiated - unknown, Gauge, Number of connections in unknown state (fallback) - -For example, with ``stat_prefix: "downstream_rc"``: -- ``downstream_rc.host.192.168.1.1.connecting`` - connections being established to host 192.168.1.1 -- ``downstream_rc.cluster.upstream-cluster.connected`` - established connections to upstream-cluster - -**Upstream Extension:** - -The upstream reverse tunnel extension emits node-level and cluster-level statistics for accepted connections. The stat names follow the pattern: - -- Node-level: ``reverse_connections.nodes.`` -- Cluster-level: ``reverse_connections.clusters.`` - -.. csv-table:: - :header: Name, Type, Description - :widths: 1, 1, 2 - - reverse_connections.nodes., Gauge, Number of active connections from downstream node - reverse_connections.clusters., Gauge, Number of active connections from downstream cluster - -For example: -- ``reverse_connections.nodes.node-1`` - active connections from downstream node "node-1" -- ``reverse_connections.clusters.downstream-cluster`` - active connections from downstream cluster "downstream-cluster" - -.. _config_reverse_connection_security: - -Security Considerations ------------------------ - -Reverse tunnels should be used with appropriate security measures: - -* **Authentication**: Implement proper authentication mechanisms for handshake validation as part of the reverse tunnel handshake protocol -* **Authorization**: Validate that downstream nodes are authorized to connect to upstream clusters -* **TLS**: TLS can be configured for each upstream cluster reverse tunnels are established to - diff --git a/docs/root/configuration/other_features/reverse_tunnel.rst b/docs/root/configuration/other_features/reverse_tunnel.rst new file mode 100644 index 0000000000000..c16ba8005f9f7 --- /dev/null +++ b/docs/root/configuration/other_features/reverse_tunnel.rst @@ -0,0 +1,411 @@ +.. _config_reverse_connection: + +Reverse Tunnels +=============== + +Envoy supports reverse tunnels that enable establishing persistent connections from downstream Envoy instances +to upstream Envoy instances without requiring the upstream to be directly reachable from the downstream. +This feature is particularly useful in scenarios where downstream instances are behind NATs, firewalls, +or in private networks, and need to initiate connections to upstream instances in public networks or cloud environments. + +Reverse tunnels work by having the downstream Envoy initiate TCP connections to upstream Envoy instances +and keep them alive for reuse. These connections are established using a handshake protocol and can be +used for forwarding traffic from services behind upstream Envoy to downstream services behind the downstream Envoy. + +.. _config_reverse_tunnel_bootstrap: + +Reverse tunnels require the following extensions: + +1. **Downstream socket interface**: Registered as a bootstrap extension on initiator envoy to initiate and maintain reverse tunnels. +2. **Upstream socket interface**: Registered as a bootstrap extension on responder envoy to accept and manage reverse tunnels. +3. **Reverse tunnel network filter**: On responder Envoy to accept reverse tunnel requests. +4. **Reverse connection cluster**: Added on responder Envoy for each downstream envoy node that needs to be reached through reverse tunnels. + +.. _config_reverse_tunnel_configuration_files: + +Configuration Files +------------------- + +For practical examples and working configurations, see: + +* :repo:`Initiator Envoy configuration `: Configuration for the initiator Envoy (downstream) +* :repo:`Responder Envoy configuration `: Configuration for the responder Envoy (upstream) + +.. _config_reverse_tunnel_initiator: + +Initiator Configuration (Downstream Envoy) +------------------------------------------- + +The initiator Envoy (downstream) requires the following configuration components to establish reverse tunnels: + +Downstream Socket Interface +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. validated-code-block:: yaml + :type-name: envoy.config.bootstrap.v3.Bootstrap + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.downstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3.DownstreamReverseConnectionSocketInterface + stat_prefix: "downstream_reverse_connection" + +This extension enables the initiator to initiate and manage reverse tunnels to the responder Envoy. + +Reverse Tunnel Listener +~~~~~~~~~~~~~~~~~~~~~~~~ + +The reverse tunnel listener triggers the reverse connection initiation to the upstream Envoy instance and encodes identity metadata for the local Envoy. It also contains the route configuration for downstream services reachable via reverse tunnels. + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: reverse_conn_listener + address: + socket_address: + # Format: rc://src_node_id:src_cluster_id:src_tenant_id@remote_cluster:connection_count + address: "rc://downstream-node:downstream-cluster:downstream-tenant@upstream-cluster:1" + port_value: 0 + # Use custom resolver that can parse reverse connection metadata + resolver_name: "envoy.resolvers.reverse_connection" + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: reverse_conn_listener + route_config: + virtual_hosts: + - name: backend + domains: + - "*" + routes: + - match: + prefix: '/downstream_service' + route: + cluster: downstream-service + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + +The special ``rc://`` address format encodes: + +* ``src_node_id``: "downstream-node" - Unique identifier for this downstream node +* ``src_cluster_id``: "downstream-cluster" - Cluster name of the downstream Envoy +* ``src_tenant_id``: "downstream-tenant" - Tenant identifier +* ``remote_cluster``: "upstream-cluster" - Name of the upstream cluster to connect to +* ``connection_count``: "1" - Number of reverse connections to establish + +The 'downstream-service' cluster is the service behind initiator envoy that will be accessed via reverse tunnels from behind the responder envoy. + +.. validated-code-block:: yaml + :type-name: envoy.config.cluster.v3.Cluster + + name: downstream-service + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: downstream-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: downstream-service + port_value: 80 + +Upstream Cluster +~~~~~~~~~~~~~~~~~ + +Each upstream envoy to which reverse tunnels should be established needs to be configured with a cluster, added via CDS. + +.. validated-code-block:: yaml + :type-name: envoy.config.cluster.v3.Cluster + + name: upstream-cluster + type: STRICT_DNS + connect_timeout: 30s + load_assignment: + cluster_name: upstream-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: upstream-envoy # Responder Envoy address + port_value: 9000 # Port where responder listens for reverse tunnel requests + +Multiple Cluster Support +~~~~~~~~~~~~~~~~~~~~~~~~~ + +To initiate reverse tunnels to multiple upstream clusters, each such cluster needs to be configured under an additional address section. + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: multi_cluster_listener + address: + socket_address: + address: "rc://node-1:downstream-cluster:tenant-a@cluster-a:2" + port_value: 0 + additional_addresses: + - address: + socket_address: + address: "rc://node-1:downstream-cluster:tenant-a@cluster-b:3" + port_value: 0 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: tcp + cluster: dynamic_cluster + +This configuration establishes: + +* 2 connections to ``cluster-a`` +* 3 connections to ``cluster-b`` + +TLS Configuration (Optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For secure reverse tunnel establishment, add a TLS context to the upstream cluster: + +.. validated-code-block:: yaml + :type-name: envoy.config.cluster.v3.Cluster + + name: upstream-cluster + type: STRICT_DNS + connect_timeout: 30s + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_certificates: + - certificate_chain: + filename: "/etc/ssl/certs/client-cert.pem" + private_key: + filename: "/etc/ssl/private/client-key.pem" + validation_context: + filename: "/etc/ssl/certs/ca-cert.pem" + verify_certificate_spki: + - "NdQcW/8B5PcygH/5tnDNXeA2WS/2JzV3K1PKz7xQlKo=" + alpn_protocols: ["h2", "http/1.1"] + sni: upstream-envoy.example.com + +This configuration enables mTLS authentication between the downstream and upstream Envoys. + +.. _config_reverse_tunnel_responder: + +Responder Configuration (Upstream Envoy) +----------------------------------------- + +The responder Envoy (upstream) requires the following configuration components to accept reverse tunnels: + +Bootstrap Extension for Socket Interface +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. validated-code-block:: yaml + :type-name: envoy.config.bootstrap.v3.Bootstrap + + bootstrap_extensions: + - name: envoy.bootstrap.reverse_tunnel.upstream_socket_interface + typed_config: + "@type": type.googleapis.com/envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface + stat_prefix: "upstream_reverse_connection" + +This extension enables the responder to accept and manage reverse connections from initiator Envoys. + +Reverse Tunnel Network Filter +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The reverse tunnel network filter implements the reverse tunnel handshake protocol and accepts or rejects reverse tunnel requests: + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: rev_conn_api_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 9000 # Port where initiator will connect for tunnel establishment + filter_chains: + - filters: + - name: envoy.filters.network.reverse_tunnel + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ReverseTunnel + ping_interval: 2s + +The ``envoy.filters.network.reverse_tunnel`` network filter handles the reverse tunnel handshake protocol and connection acceptance. + +.. _config_reverse_connection_handshake: + +Handshake Protocol +~~~~~~~~~~~~~~~~~~ + +Reverse tunnels use a handshake protocol to establish authenticated connections between +downstream and upstream Envoy instances. The handshake has the following steps: + +1. **Connection Initiation**: Initiator Envoy initiates TCP connections to each host of the upstream cluster, +and writes the handshake request on it over HTTP. +2. **Identity Exchange**: The downstream Envoy's reverse tunnel handshake contains identity information (node ID, cluster ID, tenant ID) sent as HTTP headers. The reverse tunnel network filter expects the following headers: + + * ``x-envoy-reverse-tunnel-node-id``: Unique identifier for the downstream node (e.g., "on-prem-node") + * ``x-envoy-reverse-tunnel-cluster-id``: Cluster name of the downstream Envoy (e.g., "on-prem") + * ``x-envoy-reverse-tunnel-tenant-id``: Tenant identifier for multi-tenant deployments (e.g., "on-prem") + + These identify values are obtained from the reverse tunnel listener address and the headers are automatically added by the reverse tunnel downstream socket interface during the handshake process. +3. **Validation/Authentication**: The upstream Envoy performs the following validation checks on receiving the handshake request: + + * **HTTP Method Validation**: Verifies the request method matches the configured method (defaults to ``GET``) + * **HTTP Path Validation**: Verifies the request path matches the configured path (defaults to ``/reverse_connections/request``) + * **Required Headers Validation**: Ensures all three required identity headers are present: + + - ``x-envoy-reverse-tunnel-node-id`` + - ``x-envoy-reverse-tunnel-cluster-id`` + - ``x-envoy-reverse-tunnel-tenant-id`` + + If any validation fails, the request is rejected with appropriate HTTP error codes (404 for method/path mismatch, 400 for missing headers). +4. **Connection Establishment**: Post a successful handshake, the upstream Envoy stores the TCP socket mapped to the downstream node ID. + +.. _config_reverse_connection_cluster: + +Reverse Connection Cluster +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Each downstream node reachable from upstream Envoy via reverse connections needs to be configured with a reverse connection cluster. When a data request arrives at the upstream Envoy, this cluster uses cached "reverse connections" instead of creating new forward connections. + +.. code-block:: yaml + :type-name: envoy.config.cluster.v3.Cluster + + name: reverse_connection_cluster + connect_timeout: 200s + lb_policy: CLUSTER_PROVIDED + cluster_type: + name: envoy.clusters.reverse_connection + typed_config: + "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig + http_header_names: + - x-remote-node-id # Should be set to "downstream-node" + - x-dst-cluster-uuid # Should be set to "downstream-cluster" + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} # HTTP/2 required for reverse connections + +The reverse connection cluster configuration specifies: + +* **Load balancing policy**: ``CLUSTER_PROVIDED`` allows the custom cluster to manage load balancing +* **Header Resolution Strategy**: The cluster follows a tiered approach to identify the target downstream node: + + 1. **Configured Headers**: First checks for headers specified in ``http_header_names`` configuration. If not configured, defaults to ``x-envoy-dst-node-uuid`` and ``x-envoy-dst-cluster-uuid`` + 2. **Host Header**: If no configured headers are found, extracts UUID from the Host header in format ``.tcpproxy.envoy.remote:`` + 3. **SNI (Server Name Indication)**: If Host header extraction fails, extracts UUID from SNI in format ``.tcpproxy.envoy.remote`` +* **Protocol**: Only HTTP/2 is supported for reverse connections +* **Host Reuse**: Once a host is created for a specific downstream node ID, it is cached and reused for all subsequent requests to that node. Each such request is multiplexed as a new stream on the existing HTTP/2 connection. + + +Egress Listener for Data Traffic +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add an egress listener on upstream envoy that accepts data traffic and routes it to the reverse connection cluster. + +.. validated-code-block:: yaml + :type-name: envoy.config.listener.v3.Listener + + name: egress_listener + address: + socket_address: + address: 0.0.0.0 + port_value: 8085 # Port for sending requests to initiator services + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + route_config: + virtual_hosts: + - name: backend + domains: ["*"] + routes: + - match: + prefix: "/downstream_service" + route: + cluster: reverse_connection_cluster # Routes to initiator via reverse tunnel + +.. _config_reverse_connection_stats: + +Statistics +---------- + +The reverse tunnel extensions emit the following statistics: + +**Reverse Tunnel Filter:** + +The reverse tunnel network filter emits handshake-related statistics with the prefix ``reverse_tunnel.handshake.``: + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + reverse_tunnel.handshake.parse_error, Counter, Number of handshake requests with missing required headers + reverse_tunnel.handshake.accepted, Counter, Number of successfully accepted reverse tunnel connections + reverse_tunnel.handshake.rejected, Counter, Number of rejected reverse tunnel connections + +**Downstream Socket Interface:** + +The downstream reverse tunnel extension emits both host-level and cluster-level statistics for connection states. The stat names follow the pattern: + +- Host-level: ``.host..`` +- Cluster-level: ``.cluster..`` + +Where ```` can be one of: + +.. csv-table:: + :header: State, Type, Description + :widths: 1, 1, 2 + + connecting, Gauge, Number of connections currently being established + connected, Gauge, Number of successfully established connections + failed, Gauge, Number of failed connection attempts + recovered, Gauge, Number of connections that recovered from failure + backoff, Gauge, Number of hosts currently in backoff state + cannot_connect, Gauge, Number of connection attempts that could not be initiated + unknown, Gauge, Number of connections in unknown state (fallback) + +For example, with ``stat_prefix: "downstream_rc"``: +- ``downstream_rc.host.192.168.1.1.connecting`` - connections being established to host 192.168.1.1 +- ``downstream_rc.cluster.upstream-cluster.connected`` - established connections to upstream-cluster + +**Upstream Socket Interface:** + +The upstream reverse tunnel extension emits node-level and cluster-level statistics for accepted connections. The stat names follow the pattern: + +- Node-level: ``reverse_connections.nodes.`` +- Cluster-level: ``reverse_connections.clusters.`` + +.. csv-table:: + :header: Name, Type, Description + :widths: 1, 1, 2 + + reverse_connections.nodes., Gauge, Number of active connections from downstream node + reverse_connections.clusters., Gauge, Number of active connections from downstream cluster + +For example: +- ``reverse_connections.nodes.node-1`` - active connections from downstream node "node-1" +- ``reverse_connections.clusters.downstream-cluster`` - active connections from downstream cluster "downstream-cluster" + +.. _config_reverse_connection_security: + +Security Considerations +----------------------- + +Reverse tunnels should be used with appropriate security measures: + +* **Authentication**: Implement proper authentication mechanisms for handshake validation as part of the reverse tunnel handshake protocol. +* **Authorization**: Validate that downstream nodes are authorized to connect to upstream clusters. +* **TLS**: TLS can be configured for each upstream cluster reverse tunnels are established to. + From 01d4fb36f6b2d4168badbebe4b66c70c7e0350a3 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 25 Sep 2025 15:39:30 -0700 Subject: [PATCH 504/505] updates Signed-off-by: Rohit Agrawal Signed-off-by: Basundhara Chakrabarty --- ..._reverse_connection_socket_interface.proto | 4 +- .../clusters/reverse_connection/v3/BUILD | 5 +- .../v3/reverse_connection.proto | 74 ++- .../common/reverse_connection_utility.cc | 30 +- .../reverse_tunnel_acceptor.cc | 2 +- .../reverse_tunnel_acceptor_extension.cc | 4 +- .../clusters/reverse_connection/BUILD | 3 + .../reverse_connection/reverse_connection.cc | 214 +++---- .../reverse_connection/reverse_connection.h | 44 +- .../reverse_connection_cluster_test.cc | 550 ++++++++++-------- 10 files changed, 500 insertions(+), 430 deletions(-) diff --git a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto index 2f6465e0f0cb1..ac01a7c251609 100644 --- a/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +++ b/api/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto @@ -13,12 +13,12 @@ option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3;upstream_socket_interfacev3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -// [#protodoc-title: Bootstrap settings for upstream reverse connection socket interface] +// [#protodoc-title: Upstream reverse connection socket interface] // [#extension: envoy.bootstrap.reverse_tunnel.upstream_socket_interface] // Configuration for the upstream reverse connection socket interface. message UpstreamReverseConnectionSocketInterface { - // Stat prefix to be used for upstream reverse connection socket interface stats. + // Stat prefix for upstream reverse connection socket interface stats. string stat_prefix = 1; // Number of consecutive ping failures before an idle reverse connection socket is marked dead. diff --git a/api/envoy/extensions/clusters/reverse_connection/v3/BUILD b/api/envoy/extensions/clusters/reverse_connection/v3/BUILD index 29ebf0741406e..13251893cdb44 100644 --- a/api/envoy/extensions/clusters/reverse_connection/v3/BUILD +++ b/api/envoy/extensions/clusters/reverse_connection/v3/BUILD @@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") licenses(["notice"]) # Apache 2 api_proto_package( - deps = ["@com_github_cncf_xds//udpa/annotations:pkg"], + deps = [ + "@com_github_cncf_xds//udpa/annotations:pkg", + "@com_github_cncf_xds//xds/type/matcher/v3:pkg", + ], ) diff --git a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto index 875d92a54f76a..89878e3cef8c1 100644 --- a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto +++ b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.clusters.reverse_connection.v3; import "google/protobuf/duration.proto"; +import "xds/type/matcher/v3/matcher.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -13,19 +14,72 @@ option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/reverse_connection/v3;reverse_connectionv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -// [#protodoc-title: Settings for the Reverse Connection Cluster] +// [#protodoc-title: Reverse connection cluster] // [#extension: envoy.clusters.reverse_connection] -// Specific configuration for a cluster configured as REVERSE_CONNECTION cluster. +// Configuration for a cluster of type REVERSE_CONNECTION. message RevConClusterConfig { - // List of HTTP headers to look for in downstream request headers, to deduce the - // upstream endpoint. - repeated string http_header_names = 1; + // Time interval after which Envoy removes unused dynamic hosts created for reverse connections. + // Hosts that are not referenced by any connection pool are deleted during cleanup. + // + // If unset, Envoy uses a default of 60s. + google.protobuf.Duration cleanup_interval = 1 [(validate.rules).duration = {gt {}}]; - // Time interval after which envoy attempts to clean the stale host entries. - google.protobuf.Duration cleanup_interval = 2 [(validate.rules).duration = {gt {}}]; + // Host identifier matcher. + // + // This matcher is evaluated on the downstream request and yields a ``HostIdAction``. + // The action's payload is used as the host identifier to select the reverse connection + // endpoint. + // + // Typical rules use built-in inputs such as: + // + // * ``HttpRequestHeaderMatchInput`` to map a request header value. + // * ``HttpAttributesCelMatchInput`` to compute a value with CEL from headers/SNI. + // + // The match tree can be a list or a map matcher. The first matching rule should + // return a ``HostIdAction`` with the desired identifier. + // + // Example: + // + // .. validated-code-block:: yaml + // :type-name: xds.type.matcher.v3.Matcher + // + // matcher_list: + // matchers: + // - predicate: + // single_predicate: + // input: + // typed_config: + // '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + // header_name: x-remote-node-id + // value_match: + // exact: node-a + // on_match: + // action: + // typed_config: + // '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + // host_id: "node-a" + // + // - predicate: + // single_predicate: + // input: + // typed_config: + // '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + // header_name: x-remote-node-id + // value_match: + // exact: node-b + // on_match: + // action: + // typed_config: + // '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + // host_id: "node-b" + // + // If the matcher does not return a ``HostIdAction``, the request will not be routed. + xds.type.matcher.v3.Matcher host_id_matcher = 2 [(validate.rules).message = {required: true}]; +} - // Suffix expected in the host header when envoy acts as a L4 proxy and deduces - // the cluster from the host header. - string proxy_host_suffix = 3; +// Action that returns the resolved host identifier. +message HostIdAction { + // Resolved host identifier for the reverse connection endpoint. + string host_id = 1 [(validate.rules).string = {min_len: 1}]; } diff --git a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc index 2f186c0e1eb20..c656cb962a3f4 100644 --- a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc +++ b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc @@ -4,6 +4,8 @@ #include "source/common/common/assert.h" #include "source/common/common/logger.h" +#include "absl/strings/match.h" + namespace Envoy { namespace Extensions { namespace Bootstrap { @@ -13,8 +15,18 @@ bool ReverseConnectionUtility::isPingMessage(absl::string_view data) { if (data.empty()) { return false; } - return (data.length() == PING_MESSAGE.length() && - !memcmp(data.data(), PING_MESSAGE.data(), PING_MESSAGE.length())); + + // Check for RPING at the start of the payload. + if (absl::StartsWith(data, PING_MESSAGE)) { + return true; + } + + // Check for HTTP-embedded RPING. + if (data.find(PING_MESSAGE) != absl::string_view::npos) { + return true; + } + + return false; } Buffer::InstancePtr ReverseConnectionUtility::createPingResponse() { @@ -24,8 +36,7 @@ Buffer::InstancePtr ReverseConnectionUtility::createPingResponse() { bool ReverseConnectionUtility::sendPingResponse(Network::Connection& connection) { auto ping_buffer = createPingResponse(); connection.write(*ping_buffer, false); - ENVOY_LOG(debug, "Reverse connection utility: sent RPING response on connection {}", - connection.id()); + ENVOY_LOG(debug, "reverse_tunnel: sent RPING response on connection {}", connection.id()); return true; } @@ -33,10 +44,9 @@ Api::IoCallUint64Result ReverseConnectionUtility::sendPingResponse(Network::IoHa auto ping_buffer = createPingResponse(); Api::IoCallUint64Result result = io_handle.write(*ping_buffer); if (result.ok()) { - ENVOY_LOG(trace, "Reverse connection utility: sent RPING response, bytes: {}", - result.return_value_); + ENVOY_LOG(trace, "reverse_tunnel: sent RPING response, bytes: {}", result.return_value_); } else { - ENVOY_LOG(trace, "Reverse connection utility: failed to send RPING response, error: {}", + ENVOY_LOG(trace, "reverse_tunnel: failed to send RPING response, error: {}", result.err_->getErrorDetails()); } return result; @@ -47,14 +57,14 @@ bool ReverseConnectionUtility::handlePingMessage(absl::string_view data, if (!isPingMessage(data)) { return false; } - ENVOY_LOG(debug, "Reverse connection utility: received RPING on connection {}, echoing back", + ENVOY_LOG(debug, "reverse_tunnel: received RPING on connection: {}, echoing back", connection.id()); return sendPingResponse(connection); } bool ReverseConnectionUtility::extractPingFromHttpData(absl::string_view http_data) { if (http_data.find(PING_MESSAGE) != absl::string_view::npos) { - ENVOY_LOG(debug, "Reverse connection utility: found RPING in HTTP data"); + ENVOY_LOG(trace, "reverse_tunnel: found RPING in HTTP data"); return true; } return false; @@ -68,7 +78,7 @@ bool PingMessageHandler::processPingMessage(absl::string_view data, Network::Connection& connection) { if (ReverseConnectionUtility::isPingMessage(data)) { ++ping_count_; - ENVOY_LOG(debug, "Ping handler: processing ping #{} on connection {}", ping_count_, + ENVOY_LOG(debug, "reverse_tunnel: processing ping #{} on connection {}", ping_count_, connection.id()); return ReverseConnectionUtility::sendPingResponse(connection); } diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc index c33d847a8ef94..91159b18d3cdd 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor.cc @@ -26,7 +26,7 @@ ReverseTunnelAcceptor::socket(Envoy::Network::Socket::Type, Envoy::Network::Addr Envoy::Network::Address::IpVersion, bool, const Envoy::Network::SocketCreationOptions&) const { - ENVOY_LOG(warn, "reverse_tunnel: socket() called without address - returning nullptr"); + ENVOY_LOG(warn, "reverse_tunnel: socket() called without address; returning nullptr"); // Reverse connection sockets should always have an address. return nullptr; diff --git a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc index 4cdacae39f521..918435b99502b 100644 --- a/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc +++ b/source/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/reverse_tunnel_acceptor_extension.cc @@ -16,7 +16,7 @@ UpstreamSocketThreadLocal::UpstreamSocketThreadLocal(Event::Dispatcher& dispatch // ReverseTunnelAcceptorExtension implementation void ReverseTunnelAcceptorExtension::onServerInitialized() { ENVOY_LOG(debug, - "ReverseTunnelAcceptorExtension::onServerInitialized - creating thread local slot"); + "ReverseTunnelAcceptorExtension::onServerInitialized: creating thread local slot"); // Set the extension reference in the socket interface. if (socket_interface_) { @@ -40,7 +40,7 @@ void ReverseTunnelAcceptorExtension::onServerInitialized() { // Get thread local registry for the current thread UpstreamSocketThreadLocal* ReverseTunnelAcceptorExtension::getLocalRegistry() const { if (!tls_slot_) { - ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry() - no thread local slot"); + ENVOY_LOG(error, "ReverseTunnelAcceptorExtension::getLocalRegistry(): no thread local slot"); return nullptr; } diff --git a/source/extensions/clusters/reverse_connection/BUILD b/source/extensions/clusters/reverse_connection/BUILD index 53f8331064f78..61414b383c5d8 100644 --- a/source/extensions/clusters/reverse_connection/BUILD +++ b/source/extensions/clusters/reverse_connection/BUILD @@ -16,6 +16,9 @@ envoy_cc_extension( deps = [ "//envoy/upstream:cluster_factory_interface", "//source/common/http:header_utility_lib", + "//source/common/http/matching:data_impl_lib", + "//source/common/http/matching:inputs_lib", + "//source/common/matcher:matcher_lib", "//source/common/network:address_lib", "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:upstream_includes", diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.cc b/source/extensions/clusters/reverse_connection/reverse_connection.cc index 557d20033af69..ad53f97f2a264 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.cc +++ b/source/extensions/clusters/reverse_connection/reverse_connection.cc @@ -10,12 +10,13 @@ #include "envoy/config/core/v3/health_check.pb.h" #include "envoy/config/endpoint/v3/endpoint_components.pb.h" -#include "source/common/http/header_utility.h" -#include "source/common/http/headers.h" +#include "source/common/http/matching/data_impl.h" +#include "source/common/matcher/matcher.h" #include "source/common/network/address_impl.h" #include "source/common/protobuf/protobuf.h" #include "source/common/protobuf/utility.h" +#include "absl/status/status.h" #include "absl/status/statusor.h" namespace Envoy { @@ -24,133 +25,87 @@ namespace ReverseConnection { namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; -// The default host header envoy expects when acting as a L4 proxy is of the format. -// ".tcpproxy.envoy.remote:". -const std::string default_proxy_host_suffix = "tcpproxy.envoy.remote"; - -absl::optional -RevConCluster::LoadBalancer::getUUIDFromHost(const Http::RequestHeaderMap& headers) { - const absl::string_view original_host = headers.getHostValue(); - ENVOY_LOG(debug, "Host header value: {}", original_host); - absl::string_view::size_type port_start = Http::HeaderUtility::getPortStart(original_host); - if (port_start == absl::string_view::npos) { - ENVOY_LOG(warn, "Port not found in host {}", original_host); - port_start = original_host.size(); - } else { - // Extract the port from the host header. - const absl::string_view port_str = original_host.substr(port_start + 1); - uint32_t port = 0; - if (!absl::SimpleAtoi(port_str, &port)) { - ENVOY_LOG(error, "Port {} is not valid", port_str); - return absl::nullopt; - } - } - // Extract the URI from the host header. - const absl::string_view host = original_host.substr(0, port_start); - const absl::string_view::size_type uuid_start = host.find('.'); - if (uuid_start == absl::string_view::npos || - host.substr(uuid_start + 1) != parent_->proxy_host_suffix_) { - ENVOY_LOG(error, - "Malformed host {} in host header {}. Expected: " - ".tcpproxy.envoy.remote:", - host, original_host); - return absl::nullopt; - } - return host.substr(0, uuid_start); -} +using HostIdActionProto = envoy::extensions::clusters::reverse_connection::v3::HostIdAction; -absl::optional -RevConCluster::LoadBalancer::getUUIDFromSNI(const Network::Connection* connection) { - if (connection == nullptr) { - ENVOY_LOG(debug, "Connection is null, cannot extract SNI"); - return absl::nullopt; - } +// Action type that carries the host identifier returned by the matcher. +class HostIdAction : public Envoy::Matcher::ActionBase { +public: + explicit HostIdAction(std::string host_id) : host_id_(std::move(host_id)) {} + const std::string& host_id() const { return host_id_; } - absl::string_view sni = connection->requestedServerName(); - ENVOY_LOG(debug, "SNI value: {}", sni); +private: + const std::string host_id_; +}; - if (sni.empty()) { - ENVOY_LOG(debug, "Empty SNI value"); - return absl::nullopt; +// Factory to construct HostIdAction from proto. +class HostIdActionFactory : public Envoy::Matcher::ActionFactory { +public: + std::string name() const override { return "envoy.matching.actions.reverse_connection.host_id"; } + Envoy::Matcher::ActionConstSharedPtr + createAction(const Protobuf::Message& config, Upstream::ClusterFactoryContext&, + ProtobufMessage::ValidationVisitor& validation_visitor) override { + const auto& proto = + MessageUtil::downcastAndValidate(config, validation_visitor); + return std::make_shared(proto.host_id()); } - - // Extract the UUID from SNI. SNI format is expected to be ".tcpproxy.envoy.remote" - const absl::string_view::size_type uuid_start = sni.find('.'); - if (uuid_start == absl::string_view::npos || - sni.substr(uuid_start + 1) != parent_->proxy_host_suffix_) { - ENVOY_LOG(error, "Malformed SNI {}. Expected: .tcpproxy.envoy.remote", sni); - return absl::nullopt; + ProtobufTypes::MessagePtr createEmptyConfigProto() override { + return std::make_unique(); } - return sni.substr(0, uuid_start); -} +}; + +REGISTER_FACTORY(HostIdActionFactory, + Envoy::Matcher::ActionFactory); Upstream::HostSelectionResponse RevConCluster::LoadBalancer::chooseHost(Upstream::LoadBalancerContext* context) { if (context == nullptr) { - ENVOY_LOG(error, "RevConCluster::LoadBalancer::chooseHost called with null context"); + ENVOY_LOG(error, "reverse_connection: chooseHost called with null context"); return {nullptr}; } - // If downstream headers are not present, host ID cannot be obtained. + // Evaluate the configured host-id matcher to obtain the host identifier. if (context->downstreamHeaders() == nullptr) { - if (context->downstreamConnection() == nullptr) { - ENVOY_LOG(error, "Found empty downstream headers and null downstream connection"); - } else { - ENVOY_LOG(error, "Found empty downstream headers for a request over connection with ID: {}", - *(context->downstreamConnection()->connectionInfoProvider().connectionID())); - } + ENVOY_LOG(error, "reverse_connection: missing downstream headers; cannot evaluate matcher."); return {nullptr}; } - - // First, Check for the presence of headers in RevConClusterConfig's http_header_names in. - // the request context. In the absence of http_header_names in RevConClusterConfig, this - // checks for the presence of EnvoyDstNodeUUID and EnvoyDstClusterUUID headers by default. - const std::string host_id = std::string(parent_->getHostIdValue(context->downstreamHeaders())); - if (!host_id.empty()) { - ENVOY_LOG(debug, "Found header match. Creating host with host_id: {}", host_id); - return parent_->checkAndCreateHost(host_id); - } - - // Second, check the Host header for the UUID. - absl::optional uuid = getUUIDFromHost(*context->downstreamHeaders()); - if (uuid.has_value()) { - ENVOY_LOG(debug, "Found UUID in host header. Creating host with host_id: {}", uuid.value()); - return parent_->checkAndCreateHost(std::string(uuid.value())); - } - - // Third, check SNI (Server Name Indication) for the UUID if available. - if (context->downstreamConnection() != nullptr) { - absl::optional sni_uuid = getUUIDFromSNI(context->downstreamConnection()); - if (sni_uuid.has_value()) { - ENVOY_LOG(debug, "Found UUID in SNI. Creating host with host_id: {}", sni_uuid.value()); - return parent_->checkAndCreateHost(std::string(sni_uuid.value())); - } + Http::Matching::HttpMatchingDataImpl data(context->downstreamConnection()->streamInfo()); + data.onRequestHeaders(*context->downstreamHeaders()); + const ::Envoy::Matcher::MatchResult result = + ::Envoy::Matcher::evaluateMatch(*parent_->host_id_match_tree_, + data); + if (!result.isMatch()) { + ENVOY_LOG(error, "reverse_connection: host_id matcher did not match."); + return {nullptr}; } - - ENVOY_LOG(error, "UUID not found in host header or SNI. Could not find host for request."); - return {nullptr}; + const auto& action = result.action(); + ASSERT(action != nullptr); + const auto& host_id_action = action->getTyped(); + absl::string_view host_id_sv = host_id_action.host_id(); + ENVOY_LOG(debug, "reverse_connection: using host identifier from matcher action: {}", host_id_sv); + return parent_->checkAndCreateHost(host_id_sv); } -Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::string host_id) { +Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(absl::string_view host_id) { // Get the SocketManager to resolve cluster ID to node ID. auto* socket_manager = getUpstreamSocketManager(); if (socket_manager == nullptr) { - ENVOY_LOG(error, "RevConCluster: Cannot create host for key: {} Socket manager not found", + ENVOY_LOG(error, + "reverse_connection: cannot create host for key: {}; socket manager not found.", host_id); return {nullptr}; } // Use SocketManager to resolve the key to a node ID. - std::string node_id = socket_manager->getNodeID(host_id); - ENVOY_LOG(debug, "RevConCluster: Resolved key '{}' to node_id '{}'", host_id, node_id); + std::string node_id = socket_manager->getNodeID(std::string(host_id)); + ENVOY_LOG(debug, "reverse_connection: resolved key '{}' to node: '{}'", host_id, node_id); host_map_lock_.ReaderLock(); // Check if node_id is already present in host_map_ or not. This ensures, // that envoy reuses a conn_pool_container for an endpoint. auto host_itr = host_map_.find(node_id); if (host_itr != host_map_.end()) { - ENVOY_LOG(debug, "RevConCluster:Re-using existing host for {}.", node_id); + ENVOY_LOG(debug, "reverse_connection: reusing existing host for {}.", node_id); Upstream::HostSharedPtr host = host_itr->second; host_map_lock_.ReaderUnlock(); return {host}; @@ -159,6 +114,13 @@ Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::str absl::WriterMutexLock wlock(&host_map_lock_); + // Re-check under writer lock to avoid duplicate creation under contention. + auto host_itr2 = host_map_.find(node_id); + if (host_itr2 != host_map_.end()) { + ENVOY_LOG(debug, "reverse_connection: host already created for {} during contention.", node_id); + return {host_itr2->second}; + } + // Create a custom address that uses the UpstreamReverseSocketInterface. Network::Address::InstanceConstSharedPtr host_address( std::make_shared(node_id)); @@ -172,14 +134,14 @@ Upstream::HostSelectionResponse RevConCluster::checkAndCreateHost(const std::str 0 /* priority */, envoy::config::core::v3::UNKNOWN); if (!host_result.ok()) { - ENVOY_LOG(error, "RevConCluster: Failed to create HostImpl for {}: {}", node_id, + ENVOY_LOG(error, "reverse_connection: failed to create HostImpl for {}: {}", node_id, host_result.status().ToString()); return {nullptr}; } // Convert unique_ptr to shared_ptr. Upstream::HostSharedPtr host(std::move(host_result.value())); - ENVOY_LOG(trace, "RevConCluster: Created a HostImpl {} for {}.", *host, node_id); + ENVOY_LOG(trace, "reverse_connection: created HostImpl {} for {}.", *host, node_id); host_map_[node_id] = host; return {host}; @@ -204,29 +166,6 @@ void RevConCluster::cleanup() { cleanup_timer_->enableTimer(cleanup_interval_); } -absl::string_view RevConCluster::getHostIdValue(const Http::RequestHeaderMap* request_headers) { - for (const auto& header_name : http_header_names_) { - ENVOY_LOG(debug, "Searching for {} header in request context", header_name->get()); - Http::HeaderMap::GetResult header_result = request_headers->get(*header_name); - if (header_result.empty()) { - continue; - } - ENVOY_LOG(trace, "Found {} header in request context value {}", header_name->get(), - header_result[0]->key().getStringView()); - // This is an implicitly untrusted header, so per the API documentation only the first. - // value is used. - if (header_result[0]->value().empty()) { - ENVOY_LOG(trace, "Found empty value for header {}", header_result[0]->key().getStringView()); - continue; - } - ENVOY_LOG(trace, "Successfully extracted host ID from header {}: {}", header_name->get(), - header_result[0]->value().getStringView()); - return header_result[0]->value().getStringView(); - } - - return absl::string_view(); -} - BootstrapReverseConnection::UpstreamSocketManager* RevConCluster::getUpstreamSocketManager() const { auto* upstream_interface = Network::socketInterface("envoy.bootstrap.reverse_tunnel.upstream_socket_interface"); @@ -258,24 +197,25 @@ RevConCluster::RevConCluster( : ClusterImplBase(config, context, creation_status), dispatcher_(context.serverFactoryContext().mainThreadDispatcher()), cleanup_interval_(std::chrono::milliseconds( - PROTOBUF_GET_MS_OR_DEFAULT(rev_con_config, cleanup_interval, 10000))), + PROTOBUF_GET_MS_OR_DEFAULT(rev_con_config, cleanup_interval, 60000))), cleanup_timer_(dispatcher_.createTimer([this]() -> void { cleanup(); })) { - if (rev_con_config.proxy_host_suffix().empty()) { - proxy_host_suffix_ = default_proxy_host_suffix; - } else { - proxy_host_suffix_ = rev_con_config.proxy_host_suffix(); - } - // Parse HTTP header names. - if (rev_con_config.http_header_names().size()) { - for (const auto& header_name : rev_con_config.http_header_names()) { - if (!header_name.empty()) { - http_header_names_.emplace_back(Http::LowerCaseString(header_name)); - } + // Build the host-id matcher tree. + // No-op validation visitor for building the match tree. + struct NoopValidationVisitor + : public Envoy::Matcher::MatchTreeValidationVisitor { + absl::Status performDataInputValidation( + const Envoy::Matcher::DataInputFactory&, + absl::string_view) override { + return absl::OkStatus(); } - } else { - http_header_names_.emplace_back(EnvoyDstNodeUUID); - http_header_names_.emplace_back(EnvoyDstClusterUUID); - } + } validation_visitor; + Envoy::Matcher::MatchTreeFactory + factory(context, context.serverFactoryContext(), validation_visitor); + Envoy::Matcher::MatchTreeFactoryCb cb = + factory.create(rev_con_config.host_id_matcher()); + host_id_match_tree_ = cb(); + + // Schedule periodic cleanup. cleanup_timer_->enableTimer(cleanup_interval_); } diff --git a/source/extensions/clusters/reverse_connection/reverse_connection.h b/source/extensions/clusters/reverse_connection/reverse_connection.h index f49874c3288b0..77cebd657bb9f 100644 --- a/source/extensions/clusters/reverse_connection/reverse_connection.h +++ b/source/extensions/clusters/reverse_connection/reverse_connection.h @@ -14,6 +14,8 @@ #include "envoy/extensions/clusters/reverse_connection/v3/reverse_connection.pb.validate.h" #include "source/common/common/logger.h" +#include "source/common/http/matching/data_impl.h" +#include "source/common/matcher/matcher.h" #include "source/common/network/address_impl.h" #include "source/common/network/socket_interface.h" #include "source/common/upstream/cluster_factory_impl.h" @@ -29,10 +31,6 @@ namespace ReverseConnection { namespace BootstrapReverseConnection = Envoy::Extensions::Bootstrap::ReverseConnection; -// Constants for reverse connection headers. -const Http::LowerCaseString EnvoyDstNodeUUID{"x-remote-node-id"}; -const Http::LowerCaseString EnvoyDstClusterUUID{"x-dst-cluster-uuid"}; - /** * Custom address type that uses the UpstreamReverseSocketInterface. * This address will be used by RevConHost to ensure socket creation goes through @@ -148,26 +146,11 @@ class RevConCluster : public Upstream::ClusterImplBase { public: LoadBalancer(const std::shared_ptr& parent) : parent_(parent) {} - // Chooses a host to send a downstream request over to a reverse connection endpoint. - // A request intended for a reverse connection has to have either of the below set and are. - // checked in the given order:. - // 1. If the host_id is set, it is used for creating the host. - // 2. The request should have either of the HTTP headers given in the RevConClusterConfig's - // http_header_names set. If any of the headers are set, the first found header is used to - // create the host. - // 3. The Host header should be set to ".tcpproxy.envoy.remote:". This is - // mandatory if none of fields in 1. or 2. are set. The uuid is extracted from the host header - // and is used to create the host. + // Chooses a host to send a downstream request over a reverse connection endpoint. + // The request MUST provide a host identifier via dynamic metadata populated by a matcher + // action. No header or authority/SNI fallbacks are used. Upstream::HostSelectionResponse chooseHost(Upstream::LoadBalancerContext* context) override; - // Helper function to verify that the host header is of the format. - // ".tcpproxy.envoy.remote:" and extract the uuid from the header. - absl::optional getUUIDFromHost(const Http::RequestHeaderMap& headers); - - // Helper function to extract UUID from SNI (Server Name Indication) if it follows the format. - // ".tcpproxy.envoy.remote". - absl::optional getUUIDFromSNI(const Network::Connection* connection); - // Virtual functions that are not supported by our custom load-balancer. Upstream::HostConstSharedPtr peekAnotherHost(Upstream::LoadBalancerContext*) override { return nullptr; @@ -214,13 +197,8 @@ class RevConCluster : public Upstream::ClusterImplBase { // Periodically cleans the stale hosts from host_map_. void cleanup(); - // Checks if a host exists for a given `host_id` and if not it creates and caches. - // that host to the map. - Upstream::HostSelectionResponse checkAndCreateHost(const std::string host_id); - - // Checks if the request headers contain any header that hold host_id value. - // If such header is present, it return that header value. - absl::string_view getHostIdValue(const Http::RequestHeaderMap* request_headers); + // Checks if a host exists for a given host identifier and if not creates and caches it. + Upstream::HostSelectionResponse checkAndCreateHost(absl::string_view host_id); // Get the upstream socket manager from the thread-local registry. BootstrapReverseConnection::UpstreamSocketManager* getUpstreamSocketManager() const; @@ -233,9 +211,11 @@ class RevConCluster : public Upstream::ClusterImplBase { Event::TimerPtr cleanup_timer_; absl::Mutex host_map_lock_; absl::flat_hash_map host_map_; - std::vector> http_header_names_; - // Host header suffix expected by envoy when acting as a L4 proxy. - std::string proxy_host_suffix_; + // Match tree that yields a HostIdAction. + Envoy::Matcher::MatchTreeSharedPtr host_id_match_tree_; + // Metadata namespace and key for the host identifier, populated by a matcher action. + static constexpr absl::string_view kMetadataNamespace{"reverse_connection"}; + static constexpr absl::string_view kHostIdKey{"host_id"}; friend class RevConClusterFactory; }; diff --git a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc index bd50523289e40..7fa63aee50b29 100644 --- a/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc +++ b/test/extensions/clusters/reverse_connection/reverse_connection_cluster_test.cc @@ -177,7 +177,7 @@ class ReverseConnectionClusterTest : public Event::TestUsingSimulatedTime, publi // Helper function to set up thread local slot for tests. void setupThreadLocalSlot() { - // Check if extension is set up + // Check if extension is set up. if (!extension_) { return; } @@ -296,9 +296,22 @@ TEST(ReverseConnectionClusterConfigTest, ValidConfig) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s - http_header_names: - - x-remote-node-id - - x-dst-cluster-uuid + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; envoy::config::cluster::v3::Cluster cluster_config = Upstream::parseClusterFromV3Yaml(yaml); @@ -306,44 +319,6 @@ TEST(ReverseConnectionClusterConfigTest, ValidConfig) { EXPECT_EQ(cluster_config.cluster_type().name(), "envoy.clusters.reverse_connection"); } -// Test cluster creation with custom proxy host suffix. -TEST_F(ReverseConnectionClusterTest, CustomProxyHostSuffixLogic) { - const std::string yaml = R"EOF( - name: name - connect_timeout: 0.25s - lb_policy: CLUSTER_PROVIDED - cleanup_interval: 1s - cluster_type: - name: envoy.clusters.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig - cleanup_interval: 10s - proxy_host_suffix: "custom.proxy.suffix" - )EOF"; - - EXPECT_CALL(initialized_, ready()); - setupFromYaml(yaml); - - RevConCluster::LoadBalancer lb(cluster_); - - // Test that the custom proxy host suffix is used for Host header parsing. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.custom.proxy.suffix:8080"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_TRUE(result.has_value()); - EXPECT_EQ(result.value(), "test-node-uuid"); - } - - // Test that the default suffix is rejected. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.tcpproxy.envoy.remote:8080"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_FALSE(result.has_value()); - } -} - // Test cluster creation failure due to invalid load assignment. TEST_F(ReverseConnectionClusterTest, BadConfigWithLoadAssignment) { const std::string yaml = R"EOF( @@ -402,9 +377,22 @@ TEST_F(ReverseConnectionClusterTest, BasicSetup) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s - http_header_names: - - x-remote-node-id - - x-dst-cluster-uuid + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -427,6 +415,22 @@ TEST_F(ReverseConnectionClusterTest, NoContext) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -469,6 +473,22 @@ TEST_F(ReverseConnectionClusterTest, NoHeaders) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -497,6 +517,22 @@ TEST_F(ReverseConnectionClusterTest, MissingRequiredHeaders) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -523,170 +559,6 @@ TEST_F(ReverseConnectionClusterTest, MissingRequiredHeaders) { } } -// Test UUID extraction from Host header. -TEST_F(ReverseConnectionClusterTest, GetUUIDFromHostFunction) { - const std::string yaml = R"EOF( - name: name - connect_timeout: 0.25s - lb_policy: CLUSTER_PROVIDED - cleanup_interval: 1s - cluster_type: - name: envoy.clusters.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig - cleanup_interval: 10s - )EOF"; - - EXPECT_CALL(initialized_, ready()); - setupFromYaml(yaml); - - RevConCluster::LoadBalancer lb(cluster_); - - // Test valid Host header format. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.tcpproxy.envoy.remote:8080"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_TRUE(result.has_value()); - EXPECT_EQ(result.value(), "test-node-uuid"); - } - - // Test valid Host header format with different UUID. - { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "another-test-node-uuid.tcpproxy.envoy.remote:9090"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_TRUE(result.has_value()); - EXPECT_EQ(result.value(), "another-test-node-uuid"); - } - - // Test Host header without port. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.tcpproxy.envoy.remote"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_TRUE(result.has_value()); - EXPECT_EQ(result.value(), "test-node-uuid"); - } - - // Test invalid Host header - wrong suffix. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuid.wrong.suffix:8080"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_FALSE(result.has_value()); - } - - // Test invalid Host header - no dot separator. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-node-uuidtcpproxy.envoy.remote:8080"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_FALSE(result.has_value()); - } - - // Test invalid Host header - empty UUID. - { - auto headers = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", ".tcpproxy.envoy.remote:8080"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_EQ(result.value(), ""); - } - - // Test invalid Host header - invalid port. - { - auto headers = Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{ - {"Host", "test-node-uuid.tcpproxy.envoy.remote:invalid"}}}; - auto result = lb.getUUIDFromHost(*headers); - EXPECT_FALSE(result.has_value()); - } -} - -// Test UUID extraction from SNI. -TEST_F(ReverseConnectionClusterTest, GetUUIDFromSNIFunction) { - const std::string yaml = R"EOF( - name: name - connect_timeout: 0.25s - lb_policy: CLUSTER_PROVIDED - cleanup_interval: 1s - cluster_type: - name: envoy.clusters.reverse_connection - typed_config: - "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig - cleanup_interval: 10s - )EOF"; - - EXPECT_CALL(initialized_, ready()); - setupFromYaml(yaml); - - RevConCluster::LoadBalancer lb(cluster_); - - // Test valid SNI format. - { - NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return("test-node-uuid.tcpproxy.envoy.remote")); - - auto result = lb.getUUIDFromSNI(&connection); - EXPECT_TRUE(result.has_value()); - EXPECT_EQ(result.value(), "test-node-uuid"); - } - - // Test valid SNI format with different UUID. - { - NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return("another-test-node123.tcpproxy.envoy.remote")); - - auto result = lb.getUUIDFromSNI(&connection); - EXPECT_TRUE(result.has_value()); - EXPECT_EQ(result.value(), "another-test-node123"); - } - - // Test empty SNI. - { - NiceMock connection; - EXPECT_CALL(connection, requestedServerName()).WillRepeatedly(Return("")); - - auto result = lb.getUUIDFromSNI(&connection); - EXPECT_FALSE(result.has_value()); - } - - // Test null connection. - { - auto result = lb.getUUIDFromSNI(nullptr); - EXPECT_FALSE(result.has_value()); - } - - // Test SNI with wrong suffix. - { - NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return("test-node-uuid.wrong.suffix")); - - auto result = lb.getUUIDFromSNI(&connection); - EXPECT_FALSE(result.has_value()); - } - - // Test SNI without suffix. - { - NiceMock connection; - EXPECT_CALL(connection, requestedServerName()).WillRepeatedly(Return("test-node-uuid")); - - auto result = lb.getUUIDFromSNI(&connection); - EXPECT_FALSE(result.has_value()); - } - - // Test SNI with empty UUID. - { - NiceMock connection; - EXPECT_CALL(connection, requestedServerName()).WillRepeatedly(Return(".tcpproxy.envoy.remote")); - - auto result = lb.getUUIDFromSNI(&connection); - EXPECT_EQ(result.value(), ""); - } -} - // Test host creation failure due to thread local slot not being set. TEST_F(ReverseConnectionClusterTest, HostCreationWithoutSocketManager) { const std::string yaml = R"EOF( @@ -699,6 +571,22 @@ TEST_F(ReverseConnectionClusterTest, HostCreationWithoutSocketManager) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -707,11 +595,11 @@ TEST_F(ReverseConnectionClusterTest, HostCreationWithoutSocketManager) { RevConCluster::LoadBalancer lb(cluster_); // Do not set up thread local slot - no socket manager initialized. - // Test host creation with Host header when socket manager is not available. + // Test host creation when matcher would otherwise match but socket manager is not available. NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result = lb.chooseHost(&lb_context); // Should return nullptr when socket manager is not found. @@ -743,6 +631,22 @@ TEST_F(ReverseConnectionClusterTest, SocketInterfaceNotRegistered) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -754,7 +658,7 @@ TEST_F(ReverseConnectionClusterTest, SocketInterfaceNotRegistered) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result = lb.chooseHost(&lb_context); // Should return nullptr when socket interface is not found. @@ -777,6 +681,35 @@ TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-456 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-456" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -798,23 +731,19 @@ TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); EXPECT_EQ(result.host->address()->logicalName(), "test-uuid-123"); } - // Test host creation with SNI. + // Test host creation with header mapping to a different node id (test-uuid-456). { NiceMock connection; - EXPECT_CALL(connection, requestedServerName()) - .WillRepeatedly(Return("test-uuid-456.tcpproxy.envoy.remote")); - TestLoadBalancerContext lb_context(&connection); - // No Host header, so it should fall back to SNI. - lb_context.downstream_headers_ = - Http::RequestHeaderMapPtr{new Http::TestRequestHeaderMapImpl{}}; + lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-456"}}}; auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); @@ -824,7 +753,7 @@ TEST_F(ReverseConnectionClusterTest, HostCreationWithSocketManager) { // Test host creation with HTTP headers. { NiceMock connection; - TestLoadBalancerContext lb_context(&connection, "x-dst-cluster-uuid", "cluster-123"); + TestLoadBalancerContext lb_context(&connection, "x-remote-node-id", "test-uuid-123"); auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); @@ -844,12 +773,28 @@ TEST_F(ReverseConnectionClusterTest, HostReuse) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Set up the upstream extension for this test + // Set up the upstream extension for this test. setupUpstreamExtension(); setupThreadLocalSlot(); @@ -863,7 +808,7 @@ TEST_F(ReverseConnectionClusterTest, HostReuse) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); @@ -887,12 +832,41 @@ TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-456 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-456" )EOF"; EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Set up the upstream extension for this test + // Set up the upstream extension for this test. setupUpstreamExtension(); setupThreadLocalSlot(); @@ -907,14 +881,14 @@ TEST_F(ReverseConnectionClusterTest, DifferentHostsForDifferentUUIDs) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); // Create second host with different UUID - should be different host. lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-456"}}}; auto result2 = lb.chooseHost(&lb_context); EXPECT_NE(result2.host, nullptr); EXPECT_NE(result1.host, result2.host); @@ -933,12 +907,41 @@ TEST_F(ReverseConnectionClusterTest, TestCleanup) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-456 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-456" )EOF"; EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Set up the upstream extension for this test + // Set up the upstream extension for this test. setupUpstreamExtension(); setupThreadLocalSlot(); @@ -956,7 +959,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanup) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); @@ -968,7 +971,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanup) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-456"}}}; auto result2 = lb.chooseHost(&lb_context); EXPECT_NE(result2.host, nullptr); @@ -989,7 +992,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanup) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); @@ -1008,12 +1011,41 @@ TEST_F(ReverseConnectionClusterTest, TestCleanupWithUsedHosts) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-456 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-456" )EOF"; EXPECT_CALL(initialized_, ready()); setupFromYaml(yaml); - // Set up the upstream extension for this test + // Set up the upstream extension for this test. setupUpstreamExtension(); setupThreadLocalSlot(); @@ -1031,7 +1063,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanupWithUsedHosts) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result1 = lb.chooseHost(&lb_context); EXPECT_NE(result1.host, nullptr); @@ -1043,7 +1075,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanupWithUsedHosts) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-456.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-456"}}}; auto result2 = lb.chooseHost(&lb_context); EXPECT_NE(result2.host, nullptr); @@ -1065,7 +1097,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanupWithUsedHosts) { NiceMock connection; TestLoadBalancerContext lb_context(&connection); lb_context.downstream_headers_ = Http::RequestHeaderMapPtr{ - new Http::TestRequestHeaderMapImpl{{"Host", "test-uuid-123.tcpproxy.envoy.remote:8080"}}}; + new Http::TestRequestHeaderMapImpl{{"x-remote-node-id", "test-uuid-123"}}}; auto result = lb.chooseHost(&lb_context); EXPECT_NE(result.host, nullptr); @@ -1075,7 +1107,7 @@ TEST_F(ReverseConnectionClusterTest, TestCleanupWithUsedHosts) { handle1.reset(); } -// LoadBalancerFactory tests +// LoadBalancerFactory tests. TEST_F(ReverseConnectionClusterTest, LoadBalancerFactory) { const std::string yaml = R"EOF( name: name @@ -1087,6 +1119,22 @@ TEST_F(ReverseConnectionClusterTest, LoadBalancerFactory) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -1127,6 +1175,22 @@ TEST_F(ReverseConnectionClusterTest, ThreadAwareLoadBalancer) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); @@ -1166,6 +1230,22 @@ TEST_F(ReverseConnectionClusterTest, LoadBalancerNoopMethods) { typed_config: "@type": type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.RevConClusterConfig cleanup_interval: 10s + host_id_matcher: + matcher_list: + matchers: + - predicate: + single_predicate: + input: + typed_config: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + header_name: x-remote-node-id + value_match: + exact: test-uuid-123 + on_match: + action: + typed_config: + '@type': type.googleapis.com/envoy.extensions.clusters.reverse_connection.v3.HostIdAction + host_id: "test-uuid-123" )EOF"; EXPECT_CALL(initialized_, ready()); From 6ae49df6fa31121fa023a67c088410469ede0776 Mon Sep 17 00:00:00 2001 From: Rohit Agrawal Date: Thu, 25 Sep 2025 17:48:57 -0700 Subject: [PATCH 505/505] fixes Signed-off-by: Rohit Agrawal Signed-off-by: Basundhara Chakrabarty --- .../v3/reverse_connection.proto | 1 + .../common/reverse_connection_utility.cc | 17 ++--------------- 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto index 89878e3cef8c1..8c67b8db4a44d 100644 --- a/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto +++ b/api/envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.clusters.reverse_connection.v3; import "google/protobuf/duration.proto"; + import "xds/type/matcher/v3/matcher.proto"; import "udpa/annotations/status.proto"; diff --git a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc index c656cb962a3f4..66b476343d7b1 100644 --- a/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc +++ b/source/extensions/bootstrap/reverse_tunnel/common/reverse_connection_utility.cc @@ -4,29 +4,16 @@ #include "source/common/common/assert.h" #include "source/common/common/logger.h" -#include "absl/strings/match.h" - namespace Envoy { namespace Extensions { namespace Bootstrap { namespace ReverseConnection { bool ReverseConnectionUtility::isPingMessage(absl::string_view data) { - if (data.empty()) { + if (data.size() != PING_MESSAGE.size()) { return false; } - - // Check for RPING at the start of the payload. - if (absl::StartsWith(data, PING_MESSAGE)) { - return true; - } - - // Check for HTTP-embedded RPING. - if (data.find(PING_MESSAGE) != absl::string_view::npos) { - return true; - } - - return false; + return ::memcmp(data.data(), PING_MESSAGE.data(), PING_MESSAGE.size()) == 0; } Buffer::InstancePtr ReverseConnectionUtility::createPingResponse() {
Release notes

Sourced from github/codeql-action's releases.

v3.30.2

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

  • Fixed a bug which could cause language autodetection to fail. #3084
  • Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

See the full CHANGELOG.md for more information.

v3.30.1

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025

  • Update default CodeQL bundle version to 2.23.0. #3077

See the full CHANGELOG.md for more information.

v3.30.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

  • Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054

See the full CHANGELOG.md for more information.

v3.29.11

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.11 - 21 Aug 2025

  • Update default CodeQL bundle version to 2.22.4. #3044

See the full CHANGELOG.md for more information.

v3.29.10

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

e zY0A&#aJ6fHt0Gq15tABj;S`W4xn!`MsjPOw0gP-x?<#G#R2QEFwNl?+45spFJ#PkL z9*QyRv_@|fyZ4?ybEH(MFg{yfScNL~P^(<#EJ=UBN~fcTyl?j7`bsN(lXva-SF>A~ z;P#Q==`T?6DXPw+`Iox*MI3$Rk;&lQjtMxg{)A&Su${2&n(ti-D17a@Xse^b!)795 zBZ#Jq^?Z$;*@ttfugyz1;z4%jU#`kG#aFfRr!fBKi@LX9_Mv(fj8oe3Jn#xi3)$G8mQZNfNR$;p8=@FJ8{C zoTk0j&k_xQsh8fndEmjvDQz-{2Jcm2kX-v?!wRp^j&&jdeS(0stn|8GAubKOSxu z=lT`&kjCULaEo}FKOB0V!nBz^<4d%jG$XamA$a^{it?nK!eE9^DC@OeD*k`zEKWYp zAsZ(&p66{|$!u2>f`~{G zu0rxylr}qX|5t-GX!inG9q2{i9d-PqVX3c}@B)G>0srf>Q=|EpW-$8Dceq)FFiU~a zzadycH}tbJ_~##lUhou?VY2?Yd_R}GziRV#W5EIhSXQQNFGK1ATrP>Ei3aG!Q_VbT3;`?5XUF8@6J)Q6|e z;isYXWIzxJEL4g^ziyl9$w1aATb+hD2MTxNW}bS`FJlmLh8|2q z$kBn0aS{S%NiU7yi7-Z-nyb89g&#G5PC;4oLz$olr;)vJ#JSFmZu`NG>XpIc^}75@ zx^7yK_=DU1z{_MJ6lX%qWtoBysZ*GZ1|z?`O9&4Pt&gWf(G}ApzvIk@LzdcLRCY46 z#@uJ$xofAnL|U!r#ozhhM^p-Q&z3F)lJX2c!12S$3GA+WN+E5FjkCUY!ubNIvfjq- zKY^lpL)rKw2CpM2r=*qpm;RShCpc&|_xWM>#*geagtOoApOiX_m>{(;2rD?@e7E%< zFlXaxq}V%Rj29=q91#8eOVx8cJMhkXG%$38RMrEg)V1zb%lpp4Fwe8e^Rl&B84ox_-3mO_6OLN3*Jfxe`yo!*DU&?Uzg5uhIW#nSjD1 z6n_Vm!obuKuiYW0bQ$Emm^ve^LVmi`?341m!X6k2ltT7fFs+taFV8hZIbP9a*R_Zh z$nabY6p;JR{*iKy2UblClJyRQd7pC5DJGNJQJt}!9s@uP@nRXewxh*;N5Yhq0G9~7 z)G4m&n}53)&xav#sDj}pr>2{k^}~)c_by^v4CFy`EXXNZ7?NPv9JNob4lznU?N}F< zspn7MHHrVq=x`SYY^5d6!?^$H1(>!oK|sq4=r2e&)(ON9q_IszaW}7wy{&pQ2>#2nh|mT}I}mQpQ+1iL{r|QD6*JPxz&!wh zsPlq7plLP!*c90t>>ROTi>?=dn`#ft-pj6{s{d56o3=kb050O`4A998TRgBzF|r0u z#M+K=n-1_A_EdfY2?8(RJ=&QbiSFZreklnQG%`gCSyf?#u$LYvTWpy~KOCMZ4dXg6 zL43~~N%X%{3cH%_PPw#R7NqjqB|rl}fLL6%1v3VQ#DB^c5dUVB9}uw|seG(e|3}pV zXkgz55L5*quQ|TjDNhHM?lD6kI#3VR&7g#sz9S*uNELF)@&=>NRdpenyMFd^{tR@I ze}c+%D=>2c*{fXA#NO@)qkVe&9EIsaR2z{J4be{n000=0yxz5#)_34MMzHb;%Q65$ z%==Fi>mayKInx0|6>AHLhWOaw!~_k>4M5+$T~EtI5>!K!#qBO2W?B$IJ|FD;$oK%S z5uEH;t#Eh~T(TM*=xOK6fl|*9L=zz~cr)~G4|2~le0-n(|H1srH#v5wPu|V(pA7!* zg?yX!0Lv3m_XIuruV1R@2ZE)?pDFfsm^jJpUw-BPu`N7fkwzX&2;vj_AECjMG^9{&Ffv{moaffe z0;Cse!`Gh-z?mNXENu(muE0tI+%j;CJ*{!k2UrfVCn8G#3Iv#PfHXyJ+t0zLu}-G( zZdu^a(W^iLOZovETsZBg0Zio^^>5w(N8DQgMcuyt{(>MW-606lwRD$)N~d%;3L@PN zB8@cCDI(pS0@B^h(jhGk=icY}eb4!ZzjOX)=FI$O97fok-OqmZj_baz_w{;zLq&P` z=PSuzfZYYWz5ZAP66)b^Ds*&kzkHnk47npP`oDzSZ6w}T^_Bj>kwJj|0uEKe5K^mj zsO=?!K{daFsn^t&4aeX>fP(M66hi6I5zH3}mb5$!4Ml6~gVnNOti(LvHMM9#?pm0$ z#K!jE(cgFCZ%N+&`Y9HQwWW$ZMP+Kp4n8FZ&ILH^^~03nq_~-BK-!A*_Uo&1{ZOuRZ<;N@j2X)$? zr~ZG4YiV#Y9+(A}CgK0Vtm>VJI!|NN*}HzgR_5l3XMg#RDk@;{&U|KcKstBmKn z?tcNzdou*M0q1;EWel#V>gVW#ag^x(g5Sa6SUmCteoIN9)E{=4E(Oo> z3dR`&;t^ArYx<9CJ)>Y6bOi40*BR8fTfm0P!9A3@{F5tKb*Mx!L#RtL>{>v5cOa47 zn5q;6B{eXa|KE>*j_V{C)uVSgFZn$Ov@1OHM#zE<9?Ps6(W38tOU;ZKsXaIoz8VH3 zGD9_R0Y8`e{Q>1B5k}BqY_GH&>xUIJE&(O&?=M>u#Q-|YRMLoJwfb_YVO&`z3AB<3 zdVZL!B#Qh)qU?2sExhhiZ%ejv?zCqr|Bl1-y+Llgzq`Jq>5ApR)rhJMn!S3?H%syH zMARD|xHTok&<7xI%_fLdoL|h&s)`>01ju{h#ClyrU7Ms=9e%K3EH;N#3&O2_a90LE z)=}$?nbkOq3iN-#+WkdeoZss?60)(*3?%5~tiwp2{131lhI>gPJI=pw?G%BZ^TO!5 zHWupCdq*>I7uq7HNXbZE0zH=%wTAV0W=yUxLB_;4#!o{cz?yW1ya!IkgAG@J?p>w# z6c$YV7qzKFBstCpK`Y?_50PvNAN#QQ0-x$XSO7S`aGNE1U^)$hMSH*{;{j=P#oa}8 znU{Z99mu1^rUt>Dl{iNN+^>#MV&%VZ^`rp668VM*X%n`Et_z@)Wt#v(Ejc+@GX+R| zfrcuvo5EYDo&|ZkvfSU&cpoSnSt~%Le%Ig%jcWM4V;&{CERV0)2s9iFtD$9cLFVey zt&t84t>s9=_XF>jETcVrOK=c|vk(mKro7Y%pA~&!xq7X^{9m8$5XT^Wzq4Ho#{vaD zh|KO2tX9Gqhq%-W>@iU`?t?HX(zZ!nQvD~t3QX%Tv8gWB&53_sS)xRJ0sChpAkPHU znMZCo4MOzb*M7m?gVLAhDFiri{uPrj?o)*_j&a2m8e z7z3Tp)wOl75eJCfz08e=?Ph`aYV?is`MhjRr_mr+;@l6c4$=D~t4NqEQagVT_s#gef=FJx9;`Ta#prj}OZQ*EES+7}4GiuD+xof|;b+#J8*mo(uLKO- z%WBJqtv3Lv&It~QTwn{gVZs%4O&}k#1;)hUf)N763!o@%0Si?t)}m#;fRMd9(~JI~ ze78J)+a`#okok#4A562y`EHUK)^L^~3^Q6I9lQf3fV>xuyORSMp0M;9iF`%&GsTzb z3lY%9@?CVUlnmV$`p7D_Ky?4Oi>s*K5_R44?s9VgworztC@ng1os&d}9yS6$4bre7 z5_0Hr>KA_dytZjfW92Zp28ZoYr7vNKzeE(fk2+4s`0Y$G&&WI}o9`ic=>XAtD0fp; z;>ohrumh+6Lj&aieUUJ1MyX`vE6>&7xV=rd4yf#yC$N=(KB6J)jHT9w0NW>5JRT~r zAm`&kw?xOKbx`0R_NXrH_u ziZ;ILW2w=Bq?@E4xNdO05WEm>pebGUYqMHNRJz6;MnqoDZI0BaKRt6Z)9Dv1r z35T4M0roZU<4URnR&eOF-5waYN1$1@X$CB;13>X-jMya4w}M~~_Fh3L50Kr6xF6tM z;sQ*_W?VD(s43Wi4yp4AP<3s#oxs}Vt)6&YtQZ(}Muc_Z$DRZKYc36m!cJkpgxv@d zy)ks?;hD2CJ|t5NDkZ(B9Fs>wsLw*ye*zG8OYEYc`a1xm9rIC93Gy`rqO?jd8Q2$? z)OG_HW|!1E0A&Oxj6lW@R-%XEa|OtZ56*VLHXQuidEWMwJvh5Oax^<$>)8OU$iagv z2C%adXk9ThD1Y=Ev8od;O&H>v|ge5t3@9(&p@ zcvDMQ0Xq?<2-@+~1*buOC-|X)SCLQ3wz;4ZdZw@D!q52~RKCh{gPC4X2W%qSDgAlK zY=NHK`~<{uUqFvqBCs{27KoG#v>eMr+{|tb@NevmVD2r1(WfjF-h*54X%s{}MnH0V z|1;g`1Ncso!2y~fgrNGVl2{A|WxfLdaU--hL;}|OgkYf2ir&bgsih4T#qB6)U$c1+ zP<9!QCvO=E*#0`EW>ehKt5Ae<35GD04`C34UWE>$5iq~;X^C&|L8&|hC`H*7MqLo0 z|5cG5@EGlaVIP)AE{bc>#7DiEa@?zX`YHtKy&p|-3G*CR|)D=g{A zYNeEY8OXVjBSyT9=flf#oQNJ$fG=76K43t?5~H2g#fyk-rQwmW)js6O3({(E4L?wQ zvRPowY}qpG@m1ZeBPhEMtn00v2tDDCU)#CbBfZeSoiNr9TT$Bd#5ni?rrT7djfj4d z7x*MdP$J<+UCxiw9?L#|4#_77I#?>jSgn_ep-l?snf=)aT#4E=h?cmUuQP97o7c%NUv1FzB+n`xVW58>DbG0z8%kBp39*3mGwYdxqj;L^|SMZ zoG+A5-Q+JUminF0CbGwN0ye>aO6EJ4r5#frrKkV(RS#&}tkScU5Idu*q z+$osU5u zioD2>(*SM}lCkNvPCT?!cj%owy1n^tApu#-{{_KIbYuQ#i?qQ3NzfQdA?;GdDxSjF zsAu1Jix_lZ>Hh1HDGBfUlp2c*f;Q)mLxvcjBSnM*{Z9Z-GL)aJ&^-Q;EcMIZH7&ZI z=X!2pQd77S)DgT>PCLn74OqeiDe@%ctw~=#%Ek&#{e-vK;ijVB(uoNSm-Xt-``#Bt zBTW8^_Qq(eMgfReLYSYMF}BDazqvd8Dms(!^~pUTP|53C41t7%g<{$q%D3lAl7Dd-)8TJxr9cs2Ubj#xSXW!atWp zU{V=-d=lNc8p5m^nBabIdekdr1Hvri9rzuIMEUu9uoLgfaiWJc6vuzS)u^-)LM*KLv~SWEE$A<(&73~F&-#U7Q=axBX>|LTmtMH7UP z=Wp6BzQ>zWwp)Ia#A(}=walZ%!xiTW=HJd92#7&+rxW_s>~$2X|0Cz-O(}Dl`k`J| zZe|CzdS!}doR8xgDU;^crXZ>t=o*Wk(4vcz!Q%W79~Av7`c+!R6|{ERlx`x!sJ*{xo` zLRgOpAxRxuD&$>sF?NurxR{lx{GP?G`pWS}5^UWOCn1syP@Otn`pIJqSRlWj?{}Y*vq8~a2I`xKpUC~vwR9&QQ z@|p;OoCBA=8=^x2v?>D2*1&} zlFXzqNmMdi2Pg49uM3bPHAH)oggP{uU1qW)&62*reQvql%Ic^ohF;m5(^)kXYG6dW z?>xJ(fs34^ zClIB+4bfLKv5@em&3H*(Il2dO;4cH3$gO29x1Za`ED(I{+`K$S5z8)CxGrWzxiYX& zuIA?1=CkxloDMYGR5X60byIr+6cm*oFKci1KX}|1f)?lvkYTR$Cl&Y@4_VNA4yEmy z9`?iE1kJ}Du2X`86=QEV`TY(>h9`p|#(7ua=d42lxbd0s-i?vNi7bAt-x7i$>KXgo z+(xni0QCbIt|YS;Kz;PW0`q-fU3$La4kbWTT_VhBee9(=UQJb~c#SLh{#g78G`t+_ z01^|gTac{7t6wz0$%SdAyw@M*5$`aX!MJ7Q(tiQ)`bgF@$yVjTzT1~tWE+N+8?Tqn zhM%WQkjN@QAM3JO*!Od6qV1nphzew#4A5P3H9!9@S{VGJj@gm&m)1w%-0`1zG!yFK zDnJ9DG1?$P+d%cqQ)d4hAf<|&(WXO8kWos60nCk9U#@H1JdbVGWJTKuGJJ$+ zrVBB&_-Fo{CENoTf6fHZFgX7~pi6>e7SMgPjV#~ggB{X((qXiMSi&oo?NaDaqA zj0wpKq(qm#sadj4T>sIIgCL|>qR3{rI_m@(LiJTi@9@m>n!_-y7%+TJImxqY+1<&G z5FA5B@WJ~yCS6t1_tJ>D8IxRK{L@BW>$AEvStP+qOU?d7HPfgUVw$GiCPD#k4QI#c z=F34{649D8t<0h{{1>|QEQrkC$LrYj&@&6s7wnmiCmlXH^`^Gg0JbLZzUgSJwUpAZ zb`L-|&GJcnXq`pu_hO(RhCa)}GJiJAmxm0B0F;G6tOT}qqqaF(&CsG z5=ty^$^Z!r4VSD9(pq>LM7F8}ACo=J6&Q{{lwkZ2r|ZoXc_ka;+d`8~>?bb_5SI`k zrorV-yOS)CO-7Qdf&i&QIk?Q8mxwyU7)IF%`@_Ydj~xANl~S0pmrm9fe)6%&mgMvM zL2fzjJ8bO62|aKP!;qd*d7$m`;B5pvy-DFw5A^DuayE#eo4s@+N7&dq(9U^yGMV^7 zoZ|LZ!@(C=nf-qYp?hERZxFhE2B7Mh{X}rToD6q@`9W&maPeH-#tle6L%t+iI;AhX zZV9TUunuNPeDt)blAk`YXlg&)X0Uj1Q@78NNc3$WLM>e-=ZZ6Z^S2*Y(PJ0}R;c## zwq|*rrlp$(>D-Em+Ar%_jc=@(Tz#S#$^WoEM2WQ_*p25UF)$?3 z{Z1kevNTN6IL(8@RV`N}OdP>7#I;GuX%&+7yONcpSr4|Kjn#@qIfk{GL?mG)mdA8v zO*6Mj)7~;cmUO;bLK_DXVM-Q;2H9vNvmKAXbYXX=xFkF5_(RDe)G@Q-wTVy1_;6Vv z$oXoz59O&0@DoE|y%Yt5gv867+j!>ncQDwy1KWyc8?#Bu812uFcP8yK@1kFGp{eDv z;U?Mks8?!Q=3t(zirBw`n4_Nv84@2x3Q(e{ES^?r4jk4)BLs_k12~R5Djq`v?y17o z<>m+zzh1ttl;mLe75j<+lZi@oyRZHj#Pt=uviy9LJIA#_S-r)(AztYtF9U}j-$Ux& zPElKP;BSalF%|3yqz|Vf9Y9#FMGtt;JwpZvx*?b;YX)g5`qX|UQVDo&^2zR!Gmw{9 zD_^HQMx1(9ored1NFFB@e(YgMbREOkAR958(UE{?yy{yUGH%39P}1{s9`STaf;I}d zCTN-u+f1La2)(?f4=q?^d@%N@Jf9%!x)B={LxO@lp7SP>)ICtL?E>xm8T=PR#esW6 zy%p~P6c1Nl9u$(iAn!_kSl)xz@)TPBQ@_nQWXMqG`yA%{2`K*UhCT^cA%Tc5QbnzW zf9;muk{L_+rBIPb87VWi;SYV8diVSL*<9|(O@-dUZp?>!Dwpkj(bMy%t5;p@%{NsH zYRQ)%gWa^$c`@0>hvO*Q09ujMK_`#m6gcW$w5rw*F8vN|RZ@I;oo2wp-LrjQX6;9I zIk&w+WGugQo<8_>%Zsg_?ZEcQD2qKHyhaM$RiPXo&IIQf9Pnn{rHS3}ofK&H26?m# z9i^Wxd>@Mm&wjICk8GfhRSdvtRHE28qe|2*B@38>vlh@IHtOgLeVZ0s(uk`FWMf4=kWg^dG`e_QgHhQeq^2@x>HINl`-LH@?`zOyX*-6Jx$IB;Vs?pMTl0o zYse#NbD&UtU?k0~!l;phC-)#}b@ubIM#dEGx~-psQ?uJs2B`-sY*sG}is=&)u#kE; zaW!6Ry97Ll(kmnwApBPIold3$g?_{*%8do#d9OnjL&44yNm5HA>`E+Spce-4H8c#V z^KXP%5-N!`LRjx57N6?he4Ti;7TQU9O){f-Ag7Opzf3YRyB!`XhRis;zknSTn~Te>PnF25gJQehq3L_qx&uJ*f8^P^@+P^vtbynF!xar z1-M9FYgmmq-iKbxzNL7&WoX}4X2BjRC;CeQ1W2`&CtD3*hwCHTT<>Y<7k~o6Yr_rb z#qJiqqZj)2#|66F+`08vh&=bwmj&k6q`${kAlMU?Yl_=_lakn(>?lnd1O2T`u_8jfs=(Z>}S zDSVt!zuk2UJg)Q`TSp}}aed#+gKqC>NU|czL)Oi&-!R+@pLiC*8sLrg8@CFE7@xH|7d&0m{9T_HkSPUvl)vb62FKQ`5HvgFkD^ zR0Q<;gpd^LhJ0*T#;mAW!IQj+>eN z3i}_o22X&|mXQ56$m8uBW*D*OzI3gZ$I;3Kku7(SK(d#v_UBJ@`Y&I~ zCofec#l4y1Vo==g1UXq?MjA665;_Ts5x#nq$S!9OGaM_g{S{8DCH8oOnx zk+TRZjoHHL{;%UopaAukuzuiL6t6WDeRcW&5+nBuJ5T(-Fmlfk{(FpEK#~UbBV+~h zyP$7|iCNX;vTdOs7g`a%k^d58g@r?;AGrkv-%Wv|%-z2CjFrW(_YZz+0irx;@(OGH z78RYghcR8%M7@^)q50{v@NV{(RphcL-XO>1q}WHstGvXHWGL8wZC%>-$SKO6`MFv| z%Y-l(o?qB`RcQO%u7zWnuCJ1|-%W>oe z%s?voajGc9ZYTtgr^+k#Qhi?Ad43c4f+~(^l?x%0Ohe4 z;3dM(^*pkin|m5zitA%f0UU(vZxVM)$u|NZ@3nzyWq*0O_RV!CCKV!UVTO&| z<;PCz^n#A0goCZ}`D^x`$D};{{0ry+TnBH|*5{-J85c39*mW_I9uU#JuuU?ZLW^}9 zRZl-yXsEHj&l>o7l%VNE2aOgAuQqgR6R%V!8o60vX-XvF%`*JK5855)`0qG`In4(h z%3lc90pn0X!!s8TKejom3OOTXtYZGd)`zKlM$ywp&Ik%1x@hYkeCq54Uj+EGj%lLhstl8Ob0QNkiMYf6x$Ne3&+`JDt&*P1p-3%4- z0+o@}wUL@!e$NuyrJH7lD6dg79G&bwpK#n+ZsW$!Jo=fu5}_Mjx_c6$vm|9|s%K;N zlfl7w9?EEPpg2X>i|to#^oIG^I2^H;Y5DYqt^L%4v>j$Q_@DodsfXX-nbXQ!Z6w68 zix`%_r2T%vtX(li0^o5f2o@7!vg7k_0My-o zO-coI6a;pIb!3Oa+I?n z@!9B#SU%nOq;(*LW&pU@^?5c+%~iA=7c8<5-~-&y3qsL+A6Y%e;fx$%Sjdy0!@+<& z@tHh#)0r`*v3UG3-eN7(iNfz$GXO9VenL6vuR+QrV?hqGd1T=@N+JfuVaZ+!?Gr?| z0mCrD9$}?v*PG>8_Ry~LR|O?Xk9=7}wF z4CC7O-gTg;sbHjYX&<(hrJewYIn%5&zidBs7>ZYS>NC0KtKQ6x(ob=; zK1q4Rc$ROUHks|sPWlnht2gQFXePe$I;-dCD^8E|dUYmPOgM6u#`wLbAt zJPPM|LZ<)r4^YkF--p5kEQ6qI0+Bu}snX%2lR4Z%gmqpEBaV=Y|NM&BrsDmdr%4p z65kk=VJpIE^#GOb0-iRbhpL<@HW>2SkB{QM1IX-~w%1IdQ7-Z44D+uk%(9lG0us0v zk^6k^E6WnoY|2aa>APp&_Jf;;J3m|2{baYlCHvQ$=eI@Vh|trITM_M_&i~Tp-489g zwkjxP--{~eeDa}J#$!UQKKb#;Eu<+U%^OidSVv|`ZafI2o$W`0akrbCn|m}vCT8Z&=4Q?tg&ux_~-BpwkN{;~$;N!-=82D6fi+IXL$E*h9_>l5<|6 zq!XbDKLV_khzYPY88d$d&Xne?t;*?iDVK3Dd)B>vO8AM8P0vbhIWQNOSBG(|uGro> z6dIzw4Vgl4_{L#+J8#C|{xsK(Uz`;mLNmr}n&A3%U!mZ!zp@B{uqTq~Hy9H5-0ePw zPN6!@TH_UrqJvNOE>iWw9yrWWQN3o;vBih1x8ud)t~==mBWq+ztp296?X*9e;fT~C z-h5L(7+V3MIQNPp89K}KC6kH$;*?twV_a;s{#nfYB^nH0M`w}$!Se%q`Nj-Pe zW%|rE4S%oDP~i0X;?tOeW*Be(%?BO%YsRsHH!UVU?k6A>4)gQg2z6*jq00wn4Az5g zxLK_2d>@A3;Xi>1dvGjbt?Wj=N##<%_cT0dhra#amvJzdAD9w04?T)*7T^qa6*&>6?;LTW#i-xI1$&Z8}4<;+5u zyMXRT!mvSp34}@3@qzgucDVT3cn?&7>JEKS9acgO3+^Irjdp_V&-*&x_SwoMwH!@9 zw@)CW#ElZ?+?bKDsS=>c?ykNItVO+mpZt)?_pwM2=+p}{44$#Lh->0V!>`w> z$n#6;dY(;OKFi2)1eNRpurA`yOLa_m(JUOSBifTa;~xB8#Sf1Z@&zUOmUPF9jIgHY zQ;b?s7sJ=)>$&YOrjgmD$>RtVb))*8BBk{P}(aUS5}@f#8o-})T@UsNwg zkVSLTqsMON$k-l^RPBwsT7+}W{AB+7d$GVOqk78a^C`}t(}8zmPi$&U%oCMi3FSbz zkeZG6v=-(!sTKX7SP}b;HWvm?UH+lm{};uZVxm|cYU1&CmpVCnL)&*uA5&67sD%k^ z6a@FV4uY)hfOI?$ct1ZryMRVAUFLF)x&vv=1Q4hd!UUsyJ#-}9rr7XvIp$Rlo)W&s zVbMtn&MXFOV8QedeyJ~*4rB&>@5ef;P)iNk;7`hjjWrS=sq=%cyp$qqldY?hX5W4< z>hIfGKY|$^#gT>%0+9nSDJ^=^tC#9b+rzWR=6xBO>*ET_wywQ5pwRWj91g*2j2ti} z@_0{-H5_JvU1O0G4jKwD0+gI7e;sH$Q~c5NaKC2hk-U^?v{(QM>d&m9;t5;5++Epd zYw^)Hqi<{s-sI2X&4#i#nzafiYv&Zvq&D$+$qRIeZ=9Mx_C?nO^%>Nx zbwe<1#q)#*VYT@t%sW}vQl<_Vw;>BJl7{f)imzKS1K89@&YHx?jRWOcY72sN>;)Fg zl5jAn4nt>Oy{P&75{00maC}WA;fU#mcE6uN2vN@Dap^aymq&K)3NOKDC z9f7I6L2O!;^xk0)`<d3~vNB@*Rzk#<_V;M?*LeqaU&LI4sRJN@qi1xjdu*zMD8+xdqs8ZdvZ_4j z*cqe!yGN3iUb3fWOSxLfVO@9Eu)Mk3RPXV6-rmFq!qGUm_^&W&pXn--t_U~)sqw8= z*(@!heh)AoljE%_kDC+IrVBlM-I-7ux~V+!DAeAur^o4msZ9M)yz6)`UrF%`fY z7YA~THVQ!jR52uKF56D$Q2(uBE7tUzE%Xz?%D*G;ivZt9kH|uL!p@)-FP;Q`h0@gA4BK}t#!!5z~u7|dw zSOd@B)7$h~C+4n3$zbq1Id^_rhYSwejtPp2((&?nG(*>Sd_y4~8#?x%%k|~l8dv)Iypw&_-lqv~W%!Q+E%m!c>yi2{ zD}guc7>D9$f36YKBXGQFjg2XwpM6E)8T%f^aYxxz*=vUMm5 zoi;(5oR0fdl*5t|!;|&3-SQt>OtzA_g1`?se+*v`sn6RG>I)O-6^x{&6Kdm}`$T)Q&!10+wAx~Hh^ikF@qd;SA zZZ3`{x!2t?OgI4hjEPvt9tM@hrxmt5cjsu4zUoV*eqDc%|14Db}z?8USvBvqRn-ueNQD);+&jUFjas}_x)#}+t3Iq(-i#vNK-3dT+!i#Lr4U~0x{|28TK z@=L3{u?3kJ?H*X@DJ2u47Jx3SArYlb3bVN`qlvoB@P110bS-OAj(1@#-RZ8wj=Z{n zQy1oiU{eSMqezKZDt7`Ljs;+g7J;WzJXEL-`2x%hq+T+*jA%#N2#>f3Y8FIs;!>jA zpi=Xy(RD^%Z=nO2S~#vBsIo}ib+9@m8If97S+4FN&LE4FP_X`-r# zWsXYzebf;AVwrSVhEBwuWn`Sm612SCv^TQM>1i%Er`J3bz@#+|cWuYSrI>b}n2sDI z9jjhxR5NwxMt)|>l&7oiB+Qh>$N#0K7*>{TFEW9mO` z<*-q0vFIvVhf4PkjK58P%;YP$SNh`42}<1vx-Z!ex_vzq%H++qK8Jiz%n1dJ_|;ZP z^&nNjjG~L`s)o?vZ!W1-!6VP45#tH8#Ql_2Ky|F;fHNn#1(=((a>}Cu+e>%9dChfXb^1ExVi7Iz>_Q3Iey6eI__7QY zv{hNpP2xNp`UOyGg{8GmEXxSvonc1Aev@*aMSdOmz&*qxhzxZEIc8PGL~in5O6;iH zanTF0b>q-NQ-$)uSgj4^l9-T39ORWV6RWMno{`(b-5scsnTYu?Ns7VaQ3WJ5$sDT9 z+w-N8_So^VS|&oM!R^ngpDUZ#ztexXP%~QxfR^8lNlOi?Fs+nos&@*1kI`?;k9XN~ z=?&G&2YY>%I0nBL1a6$vRLLtyB7nf~=Z`C6*IvrKHD5vBn~*2;jtu%L~&AqM=?xLrme` z^Ha>5$fNWxigJSms5if7kX=lu>m!E1BPJMa#=!?eTB(Oi^jlir^TWDsPdo|jUxDDw zu8H!mCGl6qQJG<4M+$4&`r8jM8XV1|SV{KHjVnbWdy&%LVSIUl0F)OEj~EUp z{!nZi7lgm+``MqW7Vy(@*mnt#mhFIaePBB{H$`u}XS>MH{)%aS9)Q}vM1E(%ihWj6 zZ4#x>F{EuX7S{k8QtY)>sPElDhv|#4CD0}SZ@Ja;HKqDV(pZcdzqK&a*SIZs+nbw8 zcr}YzElYOq)Ws(}Us*6V09rjYrP}Co%S$HBHP+^fRSzLi-P?705&3z4rs7(vsEF#- zm2T6Ik4AiuV* zNVswupTJ+V7d_US&M!P;-PwI>$FE~kKG92DY@wD|SmIVTC!qfmK##9AT&cWcCAAR; zwmVNebYC@fdxqM<1mu(~rOySk@U!h_1$>?V!plwd#$3LuG*VYR&fL^FC)>uL5D{AP zy0o5A5WQWKrF%S6#qqA$YFWT~mW#;-0y*GaO~!B>5Guis92mQVa+wU#{o;FFK6ugd zb>ZXXnC4l4`S9SSyyjRu4neJrJ$qeR0afl?vl+KOUZxf-ldy9g&XY zFEV&rg?QzUVa}m>I-?nW0@0HYh8(a*RFzB1YfGM7G1&`ci{gCX5I2Z-e01x>z`5fZ zJ-BDz@A09K5Gvh^%F$c7JQbhWTo<_hu!9C&k1Qnr1_Cjy#_k+#I53p&OoIlPPVsr;s^I zR=vr;zVke~XOD+0B@cL%Z=FZ!lRz86iV(dgIQ;eM{Ly_rVPJ|C9V9K>PHSXg#wMd^ zLb_fJ5ay6!gt=TmnCp!+uG~#zYb8Rmr*#R6v-J>N4dkDxhU%6@#SFa~Z;Va?gt=zf z5_+XSwr&KOEJgU z6v(?lz*LGhTYbC)pY`DxxhGSX1U-@$U;L2huOKzCh}ea*CtN}XZP5fG6G_YcD z%DXgDYqMCHca6S6xk8DAY-=|>t@mtrOF|TrX|WtgR(Z)?>^r6UFYhVN@phkGQA0|a zw=nM?+8)YYoE%&J?Bx0bUc(3B?$rY|Oit&-wTLgJzv*yv?sFLp-i9LjN+GLXDTO{% z!ksRzG|?EBsH>}`D(Nuso_bQ1tqnc^*b)W@v|F^ztZq zrm(f#MDCO*$@ggMQEUVq)1}oY>*7Ge^BbYRnPzuvEjTRCXEY;D6bDP)89LBdXwBZ3 zzg2?6jqAxJdP>}I6Nm?qalJDYA!2$}$Aw3Aa}(t>{k$et+R|{l{OLOobO1v2!%m*m3n(aEX zw@;4aJYVBbpqT;h!Lu~%T&!KAv_N<>cI%KrraTxk$CpZs9VNuutTEr1zvMY$|ASEt zI3;`4VjjuGnEC=A6c@{Zfq;cXqqLG*PbZSwG#M{?y54#?@9A#KVy<%JjvzGKohoLu zV&8JzSSClEkjBF_KQGbVT<%4&G`r$()WrJ++=~ZK?D5Ox@s5pI{6X*Uf7UQ5N#SP> zBJ<22m6|TWBxBYO3+W;qUVEtT#J`{3P+($wRDBYfUZFfYnlq~Zth-)9+d=6{W?jP; zO|m_{$F70+o}_6QclzUiDB;;sqpQ8m?&~HEEPR&V{I@j4qm$AP=Nvob9yn&P3Rsm0 zf*zf$kdH;}Rio3hzz+b*#u#`A&NT{JJR3hO97LU zxm3>Ln-gkNlReMsC#1&+k zWY8JMvm&>r{GofHgD=>qT;>jGC(N(l4bYB2aiTfj3uUgsuwlk-wgd#?Uc@^0vpYqj zXoi%jTSBy;q`&I}yT^w3j+b0*J;!JbC#3d;Xv(l(a{$A1B=l;6*+`71=q9hU$&u`o&q&)UlQRP3mV>~L% z24brnzEvVt`f+5lW_cyC7FhE_kEUsT_zOTnQE;_HzHle#&P>}Tf2W$s z|Gg5>hD{2GY`^eW7eE%7&4j`)O|6ycMU0JS{;+;fs=(tbwVuj+l4NOeOxgi_3<|uf z$Y4tAIEgyivFB_!bd~EE-1Zx?xiuEQ@ffPA$gp29$W{mO%jOuDzmP9YKB}sEjflwG z6keN;`rUz3fqaU#6!0xEdcs5!T$)=P@>3 zcd!ibsCGL8^KirH5%luD_N&{qH8&vhRP{1`zi7+6m;1t1HYnBNSdO5e>ZY`rRqlt= z3o40mi&w?V&yuRAmsyrE0V9u5YLnmF5N}8|aZG!RzR5IU7GUE$vJl!~seI5xkEk#M zi7037h1r1FC=;Det*_Z*2eHtS$PsRmaEe4Iv6U&h0^Nc8kSHyS?wM*Y-I#9+KzK>p zaPCc<^Tj0nL<+T^bqjL?LKt1CE>wS`ggZCg?IOx1$vX&5Vm`++7D3u2Il6=J)4q$S zZU>HLS60iJflA$OFr0JP`e<)iiKS6GZl~g@3uTZn$hHa()N)YW1f2G^7>M36r6P*P ziYuo$M4DeS6<hhf)9F6^|`230hc$#}(=H@7!Wf7x@PZ zz){JucD}KC!AaYu(9hO_$Xs9kv;v4aLSY?c6l*t;(NnIz)TN4bCi*J$&D5bkDP!SK zqh_;g3d@Aj7C;eD+i`o8hC{cJ!e9?;1JW$ktmyP^Br6bK4z!!*{5EM@=&t~g@1n~E zC>)>8J_<9`fkJesyHU*qET71j!JJ;E*bIcQHWV?MbiWIL#BWCyUx%sQ=s_d>O9L$! zG7iLO^mR*I-3kg5Y1V80us$R5-rZbLHL8f$`*SttA{nET73Ajk zqyf!P*W1r;fNK0XRCPz<3pAW-!>pYzcf`C;fa=z;9FH^tlOZ?snmw?Q)%qSl8ukZj zR;bfT*|AMp`I}@S+(1)|s_Hck?ExruZR#>z%W~cUmR;r(*EQ^ka#I;jzEi%UqmO%R zS+iw|Due|EII|n$wxx@-HL{G$E5cmSOIBOJyPJNBLeEhF9UZ=ApmAr~;K1SFgAH+m! zduWqmPldLN#)ZB&TX>JK6@f+~)P1(m4qH!W5NA~J48HI*NM*QD-P*4?F%}LJoUMAd z8IE+=NTAHhoZ`0MhAZS0mqT~kk#jo_@KbxK`sOH@2SxSvDsU_QSSQUe(Yxh zG<~O#gX|igGd%BsNYzaGP;y0&Ak2+bkDSf!&6ea=OwpTV&r`VXiHZ-pL1S;+Z;%%e zw?w7DwE^nB%g_=RT`}fLa!qO&TZ6mL)G3@uZ(%D52DZ&&$I$ZnUmc*F&2k#u$eZA4$7?BNL zjJIc4==nnrNF=`jkwt3?$HrXE>|3Vq)`gK)8fO2(claCnkdNnEpwwE3_h3T?zUnol zG+YHi--{%${X|nkKs#{XC>&nq#$c-UWc6&1RCnyZgf$tzuv#%d&gn>^S!|k$sQ0(S zHctKlYU1{2(ZV<;{~8vz?dlH?I0HwrhP!b(!aN_%bfVJ2e<^hS11s}P5d|K9!LJbq z(Jbx1o}j3X!mM2_3sW~RE`pupn};QKX3)O`R=so&Xv9=5aTwZ-1VJT5>^FkJ%!q1p z00O{2^y^`5y#50(1@`KSY$#mqJanB_rpjy#WyAk?!-ohN9+v>_Opko!wKQ%51bYC=zqypldz<(*Idq=!I2@C-6ehv@_7Y0{EI) zRJ4;1jo2?guKf8fiNV{VD8g~FGIae{^RO=?)q{5lV|j8a7g0ulUj;Kweynjr1W+(< z=c=ulza=nhW`Uv+KGS=K&&>cHs>}-I{`$YefbbbxGh?Be?onX{z9^W zKjzcI1A2%WFycYSw}kmH!8)mghj9Px&a5EldEYt)>XSJG)m{NGq3#Oq*A zSy`qsUj$V~o7Mk)4UVy50O+BzpR85$UiVc`nFjc?CJqtUn9UhD`-GCz`QVzT0xG^? zngdIp@9$e~ohC{RJEl9=U8s2&Ujj_bAFcxq2l?r+#pUsOh#KU@79kCvoipp5vb4uDv2iBbKo#tJgMhyZBF*c>{Y93HPl_sX`U%ACgq{F z>w4S-U?t=N7!4h_#W3YWzLM?lM?1$Z9o#mG->$nn{t%;rLr(@PuEx`^y1K0YgR}nt z$NGK$`0y!)*8`}3{O z|M&YHM@NV5toy!Suj@Lm^L#!ZPwE~C6sNEz;0Wh7z~l}BOUo@X;(T1+OR5>nwY_Mg(k zEhb7$TmT#%8&`KCNP`V@YT< zD;#`-X-N(_cdm+x_Ce|9pPt4)9#6T0In0O?tMMT4UEmYY-{gUFVzm8QS|lt3yZ$1z zPuH=T^maF9_2qzjtY>FvD3ubA{QXG*!&w93uNwhKwh=Q!{y>;WIX-g9hDFm#FCR2Z zIY{L9Mp32@i0Sh{9h(CLrEDlHIH)I~@s&aeLK_ihUCcS>cWl#bH7e*o-JF*79xH{1 z(MaY(=aoNs1mf_9L81`xkDILqt2bF#{|ko6>P@-$Y*-|j0%d+LvqruJDbZL1vLdXr zg57_|ltY{f94OwWGd_x&@lOcDQ0K$r|HiR9=YuD)glSp%PoB?+xX4c~tGv9mQ^oj6 z>L1WF&Ve3knU$d-<1w^7n9Y1iqT4${sESfJ1VPOr(g1vV6|j>06pGFgpE^g0{-?`$ z_?$Oi#`EfVf9BD1TipTspnc2!{<)S}_IXP|Njv!}?A-Zv29eKEm8m)47>v|^EvdjK zRPsS2@YbmXzZqO+qByZ5Hyv~%vPM^BbrM-4M7sZ`2sdEENHHj*YeX^Ce>JZx|2TY8a2jTTF%ztk-RMK zx4cSze)L&JH0-*_-S)nXb!vz;)b&}1yK7l`u%r$g&$w^PDV*Pi;jI#^;+3mV+L-D5 zkB!NKb^w#m1er(3-K|~*0kuxbg>R5Y-W(V&rF`94T}3M<_3o0JWz{Hd5?&O>8sW%l18;C=u3a;-6e7Pfmh6Zuj5bi z`X4FbMfhy^-!H=6;`gudmW5>ICtJ`5Qm=R2Ep0!qR4sgVylnxxF*WEX-kSAD6WOHr z!>SaI1*DDajB)AhrsJ}Xl`kvvDhKv(21oZn#{Z)g(bLhVxX zRarJ!=yT2EffUg&s@-Iur<_N~1lA*W|6&-cp7(~iM{hU)D}qzDGQ?j}{%eo-u8}tYlCT<-YRtK@ ziqYRD%k!K*0)FXAkF6_A8)=*tg6_tPS|AG@z+5Oo!O`iL40|sUv9t=pj9x!ofYf4t z0Y%1Bp+B(Ue*JPEQOQ-`KZy+b@0~6D#t(QWwWJK!WPcR}|13Vd%~0T`t|d0iN_?t} zWM2_Kb}fX^sG+rM!Vm-+y+wzD+@Qg*-5{bfw(I@i_q4cQMF-P$MJE!D7&hHpI5OlR z52vFV#+OC_PCJq=6~WXTRZj|T)^~@1gBpfvaa~Tiu;FkOTN{nrc1FO>P`c9&?$A}3 zlRkvF%iV@Z1#O$*xBbFrIv$X+lnc_GnXxVNWlff7L{E&{6tk$h?Cm0;T;+=TEIOt- zR3~&8%+x`kG?EKOP{58f%a4F2C*?=JQBO8lGBPw!!#0t;xEE+Rb!9+ZQ|7Wh7u(u> z50+}x<-SDA?lkqm(gh*t?F?CVD0O5U0aS{(f@EzV)u+aA{a{ zi0&ZCyG%)+i@RI5zD#BzJ0fdIoYA<%haXYBT*8{&he6pW-+BF$(d+ zrVsa-ZcZk7{M59)8V~GO+9n+BVG79UT?J8qjLrmesOEzv2ZsggpT0-ud(8e=#WY7Grt*OiPUv4=t}8yKL*4d7c&a2SS{Aim1} zc`tKs;cXj$XVY;layEdk9 z30N6Eo|8~21XA-VsAEdgMBcPH zA~i~nJUSelK%yQS^OAC*!ANutpp+`eeQ(ZXeWo6O6LWgpKuEluD4p;?`f1r`=OmB2 zt~+MjfSf_DrNW(4k1yKcLIc3JKp*20d3ut|Qrz(Y%(FFvuHNnAPsR)6fvnSP=VXBd=fzU^(D#_zOrS$Sqb*iLfU~QA32|# zzO;LO$D=ov^WgFh7BVt(`;-M-S{zPi zTJHSzFSCdN^fMrWslqXPXRFzP2vM3u^TR~SIAJ*}$ZJP|bfJdFa0Ydu*`mxf;e$rk z;vALF-K8kdo(G9EuJ6ggRaf-Tbl&}b*ir&1kv%7SvDL&a1$TEx--afyjn?|sx~LTn z1w=?t?-LiDH;1_5_uR8@Ag#Xn=(rRNK9((KKo8eizw%OO?)e2V6IjD4FYK{c;SxJA zDpwO?EhHKDUi5wX*Zu163rDsqifh_?BYEvlJ=V|=uVBa{Sh?p@z zegSryiopS#1hk=nh~rUiSLKp9ZY`yOnwz*+3x)~f3nQ<~yWR>;8poBJ6-Z?zSlmIe zV>#G;p(?L17awy);1n6un^DkM(Qm%?fLCzE(pTod;|yfT*h^s&sMZK}j8_d5N@uQ{ zELl;(*#4&(N+CiLVpJVP=wx#Wa7zSS7Dl()P{)>&*+zuCEhR`=o-jcvhP)IGO{ zxkCYO)P+ut_Sm@@H)?22k~s`t&}k2Qe5l6=C_ci^@=#EI+JqUA5&NUc3Do)*PhuHq zR@3zAg4Ec{&=L~r6o9txm2WxZj|#eq_i8uayB8V;Omrvp=AyU#t(YTx0cGn>xtR>oY@05C9Y5CF28fO^p(s@C|olkZTHbSUpB{T z9~6bH>)1y8P-DxCE?q1JwJ(N$X2AbZ^u^L+yOT+KU6G2i3#E~QE6;pb9x1$U@cTTK zepFxVE{!!th5n&%%~`TlgERkh4NpW&ys5f)t)-=$KwF;q^{dP`gqnT$)Q#yKE``-( zCt>2E>ZEHccsH&qk5r|%OP7j}ZoeGCCkt+n*T#vGLOo{t?)~6~$Y^;nFXu463fpvE zm2n89c-+b&zAN5$wk=K8>poA}kx01hFhZrLf!N&U-5pjrVc_0l=cRP$}F^ss#|R3E7Y*m);u}| z#}aXVNwdE)r#$n`_EJxbwJ5MI2Mv*fUz~)i0{X#DAGyamRZ=}Q!VbO8HqKnM!(T}d z&>OtLc4{s|r%79^FTU~aO3v1)^tC4cc=c0k4d+V{7}3WAGlEdQ8!FwxQPBRGeS|4f zWPrb9aQ;qr2CJLujCmq+`K2{5UC43yL}Vp`mCZXzS{&(tIeFL2>A$VKs;o zF8=1ST1@BwTx-jkGMucw5+=`Ua4gk}V|B)K|4|_^shJvxlab)&jWnn6vM3n`Dt9)w zOaX>P|aA5MzbBK;YZm1OjM3&Wx)n)O#{gMxSK9n*>>aMnBw zan-p>603Te5A{oMN2w~ujc{zAg&7se(RgYt2&ky<@FOFJd#RT>+g*#Bv@dPbU*^%?FZ}I;p_;3hin=Ti-rcD8nD(8<59r6jX9GY6V+MC6@aSDq$sco7xpSe`#vl zFzr&nm+{r?LWLT`7n)4T25u}?z8BkwtcLcWW?^QTwvahDqdue*5h!*P5R zOZ(j0?~owOQ9o*zT0l^eJ+C|?+HlD1Vte!jI=pVuUeG>$Pvq4H;K2Ue+&m ztdXya%Na-#o&@q;$Uv_)d0KK1Nlt|mH7RX6XD_R|Q88tc3#m3qC{z_j(KzUe22CV7 z8CKds%a~JUwh-U0=kZB>j|eVLKkJ01Yp~$iK<83gTk~RZD@i;9;oz%QbvF&g;b`|Q zDMK7tYhopH8KQ&Y>*6AIDp|Mt@7;0Wmt_cx zopL?gJoaKBkmO|%FnFuBQtZK5!Kr6iP##$^y=W~JjHWi^eQmM~>`?K|ao0@g_=)IJ zRga+Iu965PhxZmT+*WVum7A4~_NzPA&>znQLbJE!V7OoaA0b2U#(6}UA(XPJldG@E zg+1Mc4nXm%yAA^x7q4;e=`^wx)m(Y8c4(Li{oq8Od=f~=LD^IhFMRyNr}Bg%X*v58 z;yaS0%ARHV5O5scOn>8fW$Lq`rNoe7p5ljQF-KiT(1wkR33UOF8FkDhUeC_XNOoNNbEa)?}Uxi))Z0W)otYR+xnH6Pf zgOcdx!FM^-?MALzOLdWJ8`QlhXxFuYI>iZ%zcq#7h20=DyEg31r>jbkZPvlj(K_ol z9|JhrUktLgzi{eGl{e7VUP&1b#zS-WEBH31X?kte^28YOO32mIi3Bt|lSXSrNlIlF z^Ebjfy{5#i`~qu&_XGpEWc@fV%@~t&TPy~B>3ybZy{q08V%ZB{S|{`M+NHXu=o=K{ zlN1}*Nc)i)@Se97Ucq^F+A>*JTgH@AatT3e4&Zla9Sua~@*aOuH4&?@mz# zUMeYfYVHfCp{i3i>zJxLUfMq|Ed!r?3idf^18 z-J{sq57Utw9Km8!uXqh+^;Nq-Ze{muAC$!rF>!9iuI-_@j)t6@-I0 zPBTBbwI)80(KB(pVHF*kw!tc0LnE|wqqL&Wi=q_^KvM@#hYs%4UE`@-Bb~vi>Pr+n z1L3;NeT&6%i9OJsp)Qu=t&j>>So~Rk=-s^>upUzO!h)LY$smsMjQS^A7!b_4$Dc1; zKi67O2nWQqZIjI&Zcy?lZZ486o^rc3GiI^6q81KCqg_~8^UW0z5Eijv4%#WHuVS{g zG7T&!b4TL2ilOZ-%)6#5Rq07_rq67wX)fW?{aJoU_Nq001=Tj9 zsZkHJ+dM;>OY3wWR#!|b72M#q8rtsA=x?Qkoy%m_kzF`bH{b3)u!+l!%0Y34J16wh z#(Ak9Pcsr7ufAeEmaX8?D>DmYUUQGFC?=|sU~X9IH}!aa#M<+m^F>7|0TcElTS3ZF zIhSFWj<&j`$!m&=st8Q?5Ci_rx3pNiKt)y@7`|Ey@(7Rv(RK0n@cDSQ=G&ff zPD)xcPH3W)-O!h3rgB~oGJP3|ay^7S8TQvqti@NRYXkT2E`4a@R?-gb5klRJAh$(* zc`PWxoT_1OAwE-_9rk5>hS<6TRJSol$J_lh3l?qB6yJ;bFP}k6%JVC?eg4aave1YV zbGiy@ya=U+BjTg)1kpAmU!=N|mTJ8N#KTLoG-q{7X;^Z=Y<^b zI+S1~;Zpq7NM1n9kc~BF@zHx3!{!VTlV~(-5#ES+thQ-+Un2xfj2>v)RJZZrDQJ~q+&UDb#+oTC8!~GxBc=^V zuE<^K=A%Myv)OiOnK#IwAn{C9HR!%zf*%u}9*K|Rtt72$UvdQzXhBu(Br1d3NmPE0 z6|s2&(%<8n%JNc5C}jnHaY6!uPlAoOiyH zsn;mZ1+IlJB`)zO^nHAe042Lv08__Y6;+g@c~F$jLS3;CDWb!HHEJ>K(4|Yz8clXO zi=oY!H_4xieQ|a#eXTaR@Jv63h=Wt#vf?36yC0ozf_wi}A@?e$F2I}@IC_XX^4|3? zq5G{>@z=O(7{z<;RKWEPtK2i_YiM*CAJxPBq6cQ#29^d^PAXRt^-_xc%b{_vb!xHO z$r@b}wGNIJe8xic?<%g|AN=24iD&iF3DM)gw95KkGg?j@#jK}nILT*jFjf67M2PQ} zOEK5A3dz=rD7$NgAxv4lRN9qB+HNalVu|I}>=mmc>hX_m_k_43!|s`7ZLZlQ5>Z;c zAz4DILaZGuk~;2;X!6&akLSF0cM{bfytblp+g&9d-x{6n9+J(A4tf9ey`^2k!%I#Q+8(NT zg*6tv8e#a^sCZhyL(!4_L z6>qf;=zi`7YD}RrZQ6v=a*pnq#cPRn`crpQYAMOaX?ri|Qf+)_xaYQJ|1qBXeW61e zXX{Vk-3+Z+H(R4U`YL6aa7F!P_9@1Kz>uMvbHTI)x`}H7C~LJpy_Mg{CE&g5v#ix1 zgT%~BGY7uyQvIgkm6BUV@Yw8h+-Ann6@zT3XW=Dg=bq%rr||HN{la|c@LHi2m3A|^ z2)EDBCpjCerU$J8lWE~jxvIXmt*zOWbK1LU?}g0x4|dCGJFEU` zS>F^?)EQEzEikCRRD=lGGFy9~ltoOEw21PmLg#Xogmz3>3$D<<0kPzD=K$7zJ zRL<#Z)07UizaF zEah9R#=&6`%IJ{}*jufc&o48gL$lZ6P2e+Dm1>!G@3iYeOt*Do2lL42gBEUgNZWtI zMo32rc2_T5)>%l)zCFlCKbvYIq{zXYXlc_bkc{9I()h%mg6e5c$s!Xc-G#Hwrd)#T zs+GW%u)E|Y9Lc)bT(Xg}h~?|RGoiQo8UNVq_fVZ*gM!?f0}L`NI^B=JJ=m}OG8ae* z;30q1`iPc9QJ!yw)|b6Eby__z>Kb!Nq(Jc`)|z0ZPq+*STIy4bZc0NYi#S)@c!w|1 zc_aGBC-*hS3=wR>QvfZ9G{2&rEyu(syudM>0UCn-qSCKsf)iRILx z(V1)XykvG%_$cN0AsH;sFA$Rqer+5>Hv*Y$K+sVzC(Xd}wE&%!Yz`R}0_R;TnCFFu z_+7|BHBFRlj>!0S+VV#KVon`6)g8_v_d;CF`OGiz$bjdyl#i|Ql24mJy>-T*HrbMR zd&$fVj*UG$WWv(fz>)B3_B#|D9rc%yf`z^Zw55>&?PgvXMlYGEwq4p?zyVsAlTpla zXf?6tt-u<%&7^B;Kv%6OtnsGiCNWvXw7m?P34+0olREMu!nw&wZgk;N%ta~R=5WIN zrL_JQhab@L?m3ECkzsSiaUkkV z<5MJoZZ%AjQps8P1KxU|>W#=1)zTnXC`@l{h9EjzJ*y7zOazCvYL1Kh0^cr`SmA^| zR5qqNm_hBy^QDN)Fl-(f&5^T^606)CP8Rb&XSc1uM@jNQmi`JxuftMF;Iffb`(6m* z&NI)deMOo*=gvj{$V`+aaHgh%4dropNaOKV067G1(+z@n zht+G8GRM6fl#{eKUa0DXyceguWdl~ns59t|m>yVuURYHK|JSPU9xftvlihHgMbaCx zW(+M4#P2Xh;o>O)=ZCbv_%h2bO^+(7NzAA z2_R?1Fsqok6BYYX0B{d#bo6nE6PB12I4Y^D64(*#`Ac&&ciJ1$eV_MJO%LqhDO7%` z^C7gG7!00lQr>qiCaPvSwD}PGYCW+R&7+8W?`iWsQkRWKMt;eNt4|6|mP}Y?!eqw$ zD8ix@S_K&WMy2fRBsDOvAe&t~QAiS)aIG+OselozdP2USax;EFqZE(1CPN`g<}^8J z_Zul|toZxY-EuTGUIcfk9wxJHXGi^FnozWbRqfGrIok(PcU(4fX(Nk3?&&vebH12a zBHeoEL>T^3?0q~ru{)%du2_#wY(j5i!G@k@f6QC}((Y-V(C034u_#M0H?4b`sfy^4 z4mKVnUq%yIeXiw_{PG*rcEt-XjxVbRTkC$ie6yq5UWe$ZZv2<3EZ-Tzq26S3W?NH| zgJ#C3dau{g5&8@Udf?}dE@dYYK*+O^(!>|4<*8@JbRZ|jzx|_Fj(V&7Ib&3CRaBrZ zd+|A8r&U#MnDHo(4Nc$Z2|m!DMM}rOv!8~X)~UUblB!nYNDr45W~|@rLDm>rVabgF6;rIvpC!W$QWXz1&l!94zp&@PW8eUZFY^-=s!zuVcCXFIr5|C* z2e>ByyUB&dKEo5a(evgo^JSA6Jm{*RmQN;=MAxW|VYA_pp_0w?Zr|a*2|I81YNIF_C#X4 zN!d@jN+TKOS!r0MlIAoo zklw0I8*+wO8+)YN0Vb7+Y%??KdF)t$>RG)c^-&2d$(n{EtEt~cTuj5QT8l5+G8rKI zMM<}WN%9-cPTkNNS8yTdaOmv;XZtlsk}DaJ_k=F81ypPd+9Wv~Y*Qn}7gNfp6IGMK zmo2-J0T`0EP$xYWM?3X`b}fC8U@UwRnAvKIfm&3y({OprU?@HoHOx2#l2G7u{QJmf z7q~*QjboH8Ro#<%qD4kG(50da$=BS%5qYC!?Lk+sTwVtih$_;;@bx$-XPT&rr}g>m z4i_>KnyCCia^`BG+pXj3-;2L64IdwD7Z^;O0r6%hePV-{5&PX0(Q~6r8&wOqYyOa( z*}ipU%K*3KcwDAJ;hjW~{mtvMpP>?24eWr#!vDLw{dy$(4$7sJ=W$UH5g+YQ*qC{x zyCk)i!qvTX%srt%ESwuRRCMQu0%8~}xyN&Up}O z$Xw5|3jYwTtBC#d1R~4)(q3wStR;Wnj+hoP?>)+{(*KIDd)T3i!-Ky4p|kNhPyh!_=}`;-)eX^Ej;Qt zjoUBg?f(_wbCJE$ubhBWV31rh;ph%%L1=sr9bVhz<~2N=+UH(-=0j^KGPx@#rMV`p zRm_KNxs>VlHPugGZOKfyRi}Cz&u}H0AZe7Rh)6ScCBCd(I{Qj-utiN3m3MbZ>9@0! z+svHwOUob6tgvJuYBSWZWYo#T<2K<3imYQ&(q%&rr@?fo$EtL~H_PP*|9o0eyDze# zGfB;52Q27%5j`ph5u|2WImfHSQd#yULLZD{`DV&Wt$aCxJu&PLk(qlJ*?L0Q8#$E@ zI%z^s2M>VNb-~c?f^@m`09Z%pSV`M79YdHOj&2qw-d@dKyX(IHBke<2H1l$A9O0U4 z^?IF7{v{dIG2%(4i`}CTDpDT)gtf4VDRCuS+5gs1{-PZP!aT;^ex9mVMy@ByQi8xXYB9tnY_dJ%|{vd1@w1*D_ID=f!b zxcUSmJ)Y{IIji)6LGQ8aQb`$Gkoc~VP+Audx`uiBmx-2zj_f|3Nsp4L1g8h@O_)+G zYoPBfgE`(mF=+8d$K}G89GQ{*;mnjR7A|$?*LE@kjMb`QOKQIDEd&-tkQQ~h2VAp_ zl}!uYOp1KjilI#EP}}|;Q{mpJvPu8p=ccww)rq0P4K_`Db(_X3(Kf6v7ZwC_itA@R zkBEr`<@t3v!e(hA`6TDEl97$%M)k8H3g)i8Or8_mNDq_xu#?9A8uFzN?waAJ?3E2N zF8`tHlyBJ$BAEy`c0u`p9;=2?6X!#94#S`}O}A&|wpH${#6T zDRbFg@-9kXuU-rv#(zLpq0I8Z@!R;P@b`-3P>xg(3rqF?hqlv}s9eb!8O;jvgtw2B zxa63n!{}BMWFDBy;Y5GMW;|^%8u<@w2d^SMz#e)R@!{$mAeahjq8n5`pI-#19fAjS zDCd!9I{PRRq5KGZ%IYV<*$uwUuX_l1>8>;ztmKeBl$r<#8-l}ODZQGh4nm5{3hM33 z$oY~czk-EcUlxXsG+Fg7LKoBd=7OIWi45XkDDcOR#SRfH{(jFpU zo0N~(Y=?WoghX6QeY9&_3X~GI=@mGnLOG3OAI4 zK_DjcW#QsM>ydnUEpp$3ZA{yU5=?2)!ogWcBCi?jgzqdsSGAqsZu(324nd9!fj$3w zsg^E(sbnDvG6pkUY+t{s(es91*!xJ_)zK$uh;Kl|=%+N|?nN;MlGt~TkO7qGq;C!p z(F=p*qN=4U-8OGOeY7H7RQS>fa?KTqG(=w8BjeQP%BFDzE;nO_ zcHe7f+_>zokqN@)w_2bs>!se%ura& z6&VwBmiQ|RrC*U9d?~bb5EwL)QXEu8LA2xb+#lz#jR#jlDP$g$lw?zmjchsJ6AJLH zIB6Tdr$rMyUk0y^R@UbEAk|kKG}9h?pU^%v^J{T|Z7YN|E7+~#8JM;&coUFmf50j-uI#1nqD+0$pM$gq;NjvUv zg$j-&(rgT1MiP!DxS79yam91{bHZEc-bqvTi){#V6^KOIl+M%;X;2UKtJtUE6 z?gb9YDD{csPLqU`c;C@RqrNX=j`3TC>dV1x%RJg1hc1U_zZ&m4XHcA06CNN%eHBe6O83-F*{@j3|X(eRT0GZ%cRdmNypiug% z-6@kYq$(HXyqT>9s8sD?6SNA9k>-Q@cX?iKhJq#8K zraG7fRV8WsDd0m19^7L_N0jY$Cg|PoHDA-@Ex3Q>^}=!%ak1FYXhhJ#+Ro2nUTZrJ zrilEihHv6xyb9n!PQ z0baw+MxTLFv?Qy*EVZ;_RQIr>{MHkB?fdraLsQd!j}MwI;PDiB=WAW3-vfQw;tokV zZ^2^x5H`Md)g+&eyn?G=W)c02gO(EClSK9J-ALXP@31&eJ;Fquxpr}pa9Jl_RCnMU?nl3)xE{*uJj@gz=E(Ok3 zNqtmV*WHBdIz*8u4x#lsz5S*e^?MbuhwjgyJs~VTa%@RApHR_B5&Dq%r`tOABnL#A zU0G#StT!cDztWvvVEQWh!ungPesY~RX?N%D!r zFz8NBiX)XJ9N(F|HzaoCyNN?Fxs0S#W)Ux;Y##4B_xamxCE~0gtIwX;b{>U_5a(H@ z#l>+U3!6+uEvWhM7~|54hlmtolinPT z%Dk8tfE{aqo-Z{bXgr}+@wDo=!Rb%9tg>uu&7PaYH6rkM=Gb=M` zNU;3EXmbc`8zW8@>74f7Gk|D1MPI)(@m{$}_TE$a^w|p$`COhtnvC!nJ^6U2oJ5X! zpF}5a=7ww|V$PIKxVsr$de&Nx6;D~p_9@yp-)u^#9@-rdTi4&b9S4;uONR@C>3DtQ zm;H0J-6p`90n$xflUylFI~9zZcZSGqsjXvV#Lg39vlw<08!T81=@=?u$4(kO)0~!3 zYmzmp`!cWBTT2!BeZGo?h~v6scxi`qD}qb?>u2h~hXkdjO0%ttlFmAhl}_|j4>J;a z;9F6>tCq3nYF-Jra&AF-D?JiED=ea;HMnv}Rkba^f_EhYI`@1Q;;ZcfB zvhNyv@O8!ov!9~LGTuE#@Rh|FTE}Ug^%{Q&;Rm|Eklycz-~Z^wN#UEN&{yAjHa_?j ze8#&K=SK-G#StN_2hw)e_#73rlsJnM^*PN~*o&hoYzWr~tUrmHGvk!ZllZ@6jVO z{hQr5PqGrNanLy?Ec`$%$oN15&kIiC@bXcEW-!r#h)Ozyq_?M#cHm{E-!uw%{aUs-rph3mir&Zg2q z5?UNRk(pAuW_kJ2892gz_*!cFhwSskEJaam&C?-8QHI{UWI%hm8j6$!p1xx+KtV^FGXK5 zn9s3NDIY!eMw)$9M^#-zgN)BHdr-T9M8|P-^itG}(Zi@)UF+DxW_D z&7-YGq=++kZ$>~;KgW2rU1?ODOajWUou}!k-Ktx>uUjkN%oc5BS6IR}KshYKz_n(r zT)#{ueXj734H2=@6ynQT|FQVt>;jAGbt;C8uLb%e;28cYeM_B`sJ3hbKcn)6s;jnG zMrDM9-W9c1=_YPWL{N6mStxXb#PeywCz$xty2v$nXWXnWv~w7qC?~*EN05pwX@0GP@2a5uGk@mNaVagG8_DkH7|qjn zZ1kTtx*U5pdrT__wr?)b*m7BAM5){R4;ASPXH=f4@voOfY}ZloJnFn`n`G>B>CO+I zIxjA~wfisWS9nn#MeXn?Yz3>xlSv-Zgr>VP1(gsS8rHGT-}5f!4AW9Au2^9SR$2dvzA%QME=cLu>*vjI&yBN1+F}p zr4;01`KgdF)EaIP?Wx#y7VaH}MebZdMRw zI`*>i{U-$07uzL-Pj(`*H2n5B+wE1MWi0b|V5Z{ga9OeJK2>lv zMxa+}@zp(J?U-ZpzBkod#u}fgpW}6L>iZt(4|gC3C0Fl>NfCDZ)0X_3F_&TCJvZ1PXPOyi=-icbJYAYUg!eQ z1QY8io#=CQJj5vZTsa0NY5(iDQY^w$JpW$rvkgh~uM=rX;pOM$J;=tI4qMhze{vD@ zzLbzQusr8`uP!QCPgRt+vN`;!VlSU^T@@@I0$ zzd!v?A0Y6}?jw4(&TU!zb5n*1&3~96$G>HQAivif{@3Yh2aAO`xOa15>L2cSji!lD zrNf3H;Lqa)_(Edp;ujUq% zpp}EfQJo+a8QDjuKTbY?X?6?EdMGo<0>&l(%gOog3;u5(csnA=HM$M5iGS>4{JWv? z`wvoZ3Ct8RdOqCvFVppJ@4nwZD3Xhs{XC9I@8;jZ2LJbE`QsysSKw*9XPZ%re)IqJ zc~GmNs5Z$GvlIR{bnI_0+F$P5zdoKFfJ#1+A%+Zr_?RT9jj*roG%A4FJ6Ak_B+Skk zE}rM8Ormpe(Wpb0FQ~T$ZbGDe`XB!X)NY6(fxf8aF0}FQlca$2KNsdpzy7zI?m6c! zz<##6Qf9tLN}@;+Xh64)`=|NmnsSSQl*2~Co#(xi$pQ=3^dcAxU!gQ^5#~( z>#rB!v->#Uw08LpE#3K(QxJla1q zIH=`NoVrmS$EU>J`P;TLOpl^?%$2zFcG)?B<-A5KGS7P$s`6AY!M+*zkQ#Uit$j$I zzu<8cC(;m}=RUIUL7neN39aN+Xp5CSilP*v34gGDVB)bTSWxfw;0^3|t5n|4W?Uq7 zVSc{~WrrP!C(sgBhgB5RAfweO$&~tUzrtT{tw@=a!@Z}>X)obKVT50@W;+aCYH{mo zM6?CisrNhq`;gnnp|QoMV6fC1cTf||Ck$iGTs8+FROD(k98&8PjKm#2QOGR_glp0) zm2T#mpSXh;i_aMYUAZ&kE%gkn^v|cblmg?qT>41SSira5GhkY)kN+ekk;EBU18}+o zGX8T4EhQA8WBT}Fpt!-#*H36s?8bB-9?&Xgpz=s6X57uBd=vF^zlJh3|C#tT05l!8 zQk`DTb;qJcj(#T1-UVTQzoob_SJL#S8~+V{wh9Rcztd{E4v9)JgG)2o64-_O= zMdmMOt6<04VfX%LbN%Nlq{xh_uIFOX?|MRYwl7%@#6AWMthb=1G;PE3@65c)^CSfs zDpu$Gm?uPr{<*cB9Du~ua&lC%awUTHnXK*q9fJHw>YQ=v>B$jB=`=LbMnD;!iWEL0 zwMEFREoS-I29J@((_MC?PEO;?&R?&;zkMvii&|x&iYurm^WUN-#>*POyBdMnNLDcT z+ihj+*>$R#$PUPzF)kvF+I1B*zd9&QIJ)-(RSVTj1!_ zuD6TuLK)44lVRSgi)8Z{E@w27!56>r7>K9*ol*DKz099>Afob0G{REPOwy@OdMdn>Efb>?k|_&+G9><{U|r zZSDFU<{?oZbj|LVQz|bYV2E2HM&YU~DG3CbiA@0m35>2oE3f7GNU0Ss`dKK+UUbCNN~c z0s0SL$Fm=P!nECUvuCH3hX5F=^F2YDKMO!>-ge`4V91?w*ch=FB_{!VmJ@g9Trbjp zIZ~+0KT_?m9A6q7S@x|e1Oj|_Chf*X^?*6^-W8T3H9y>I!?5b>s|&*?gc09HM3fJ_ z$_S)R7MLuB2C1|M4DX&Vc6$jdztwdp11YjeXNs-C6f0q&S~s_-yh={zOtcZ4;0u%$hXcSIF`$b$JnM zIN(dGUmh&kpZK@|*H8{WOVcoFCuO!neTEd{o;Uu6vs9x`CbxvR;9XtvjZE_{n{I2$ zqkgu@N~p?Qc5ml!3Le_l)y{i70+QKGeY>D!qjvs1x7T*(7C$)S@7~1nbKDFxnD#AU zXeTYdO_{yRi{gS8@ojG~my49<%L$Rw)&6cI1f-MyCkPiZp+|(Uj;aGukL$+9O{&Oc zpyq7#A@e)c&OE#9X3oA-PKx!)7z+3uzK2PztAk5yKXZoQv3~a%e|OEszJ6bnFpQS6 zP{efXyXd?*Pz`D~0bzyKCkGJeYal;@jq-1|>8~UCKOYfcL}e-jix2`v%Tj`nR$u{9 zW=TfzES;~e+GGa{pE^5@8~V`|exuvQ-bS|iR)Ia(mn?L!7(tvrbiX=)t>!^JP_zyh zG-TUal&<@AHTSU9%7Q6U7dwEN?bnji;Bk}-15(M|ub*ffZ=8Y=>>>E{5~4mpqt57{ z@nGp~Q(6Jpd6zEso{!s0oFtc@2m`^;oZI8j(YI(&4#QWl(+!q;=YXQ6YOxL^YY`4l zu0oTb;?I6UrRYZqWr5R5MvN=A?g3^a)i=no#@4XpvMRi-<7SmOBGY9Sl zA4I{`6u^Q^_#>SpbiiK$yPjI{H~cYOcr8|e+tMSsHx=qG;)@Hl0Tfx}2*wQ~PAwso zv*h}XbII@S%#hsqI5(c@OEO7CNGx9GS*J|8ks> zV8a&aNrJUsBQ|9cX=QYGi^8V+H7{C zEG2iQcnJ60T2tjd#pqSi05P4gvZ-CsbJ&*m15KV(VO|KzeKPm3r0>4h2(G12Y#B!5 zs~!h)T+8|@fpjv6($<7a;3FK+$u>7NA`CrpK0|8o#~)u>gNhm_&5iX8zKxgQ*Z<^l zmx(_wBvg+1#hfmP5} z)ZknRbB7k$QSN$B^WC`tzz!vj3-QQ5=Y0jHptGwWAPF|zDAj-}>=HVEQWsg{r>%fGO>Sjl=+vo1 zC+v8-kBYCxQ`-LO_G|fBe8iOH)-gy($r=V+rmKFskIftI)Yme*I7KI@EDR|z z#J{$yep?4>hn?-38^CWJe5Q$8YHqjGR0$Ga_z#k9cwVA4)_jbO7C~H%dh5$ck2O&& zj!3LOO}I}mX44hpmy`q{;k9jaU2ZOCK%=Tz`H8)ZQpFG?UbE8i@t3}mJTAxL_UtWi zyc&3B4M?-WmuQy~S_)IQKpnBm#2zWvJuXuZDQ#~zzUgjxE$^>rZz?rIH?Pv_JYGoH zawjhhcpiP9%*t|?9Ad`W$F)@7BiN%-%V~)EbkHC(g(^kH6wwxRnn?GPwa1VvVm-_b zg=~ZcY3-ThsfcuUdOKV8z{imQ>NsUo)xU;y`)N%AC5HhkS#$-BkaxN7#j7J1f-5PF zJMcXV3W>*#8bcZ9Wos7rN)OYqgnnANmEV9CNq{){`DHj2mSlb|!;fuIOJt~{{q$QS zU#rw|NuDQ={`y9Gje>Uz82!*SV%i3>^OyX6Ys4`NUyZr`%maf^`4Kl{c)O++?FH~u z$YncRp!E&stbs2KP?t&N`%0e-CKD4MM#PKOT@OhtCHXNrWAG5vJ1h=Q(TRmR+G00B z)_7Ken{DM0+L#U2BZ(^FG*2>sn`bUUTt~6i#>(z)4Uhw?k)_NM9{ixK-LX@Ud+{VLb*0Q*zgN4igr9 z`nicYravYuqh%}dTzgTMLwrpXUy#LZH#h`eRLXj88c-b;=_wD2$IIt6Jti9MT4(i zSgQBi*t>%PeH2Gx;0P)c?tlPe&;ac(<>7gvMn%6jW`Uv9!EcpwJRXp7h*5An`-K|k z6W<|~0%5>3ZSp(q`Vz0vRWK+rjwMewkb)u4mWfN|!v(si&Uzyl73`6iZV9Jb&Psq3 zKJU7$o0hr&B0pqbRjk#V40T{R=s>}ITK0`D)O`|R(jX0Uy+dS*OQu(@1%4dW9xI3b zL`G5c&|*&oA_IyTnVC@REl=G(x4tL`Os>2qEP_-=d>mN6GIhj18lOCQcnsQkDKcXV z`AqdkD1jT7x3f|jIPj7$Mg4mH+4;kxsHFUA?_kG4T=~O+K8--XTxHmo z`z~{)Cx*C~*62*7nYdG9gZ+AG0^KbbtmlrfS3ULvI@6|81GO$uG&p;7s|~OI+(+zi zZ)Pyr4@we86xMPispbWJaD!PZ+7BdQE3fZ3EFWndXR6o(m$qLct{bbcmm}Y6ve}*& zyoqr6sneeYRdXN2-O!VN)+?%6&dkWfv=s6$XVrf$01+y*m@Z56;R4kPJ2;a6q^f2C zdW7(v6EPIaB-7jwTw5Cw-10X?6zj`A1K9ng8+ieWHa4N?8j##(fyJiV>%C41{vM$p zBMxc%*i(0Wcp&E!xT^&EXcLZ8@3XG&@6mOOI(IPE`?>1h;O5py@XOL4V-bEl#asjD zKKV+3jYhTtLYqgOMgn6vi|5>%+52`_}X#VFU2Rrfx72beh55k#m*|B|4HoWz~bm+OAD1aoe62W>vHK)z;0g)=nAhJd9jLI^LbOlkM=qo`Hy3tKS(rSBt-xI|i(v$Qfg}HI9 z@S@A=RikXUQ>CBx!&QdZkea7l?PhsClhQfrAS!leoocDrppQAJzcppvZ4b^*yN}Nw z&IIQlrkM4L2dlg##hSlIdEU60T+{|)Zy7xQNn1+&#wxL#dqNNWu|~uLR*_~hw5?J< z7Yn$_X^kvHVw+|l3)7;-4Uzi~P_CLY0H5q5z)vTKG)*oIg5WeFY_nzzQ-WQ{Q0eA-@6hP zx!9E>SnjY!5#rRc&RR<6Y;C5loMb^+4+^?&D zehrS_PXWpVM>>ffQp1s)DKH)`fciNh#{67tj>!ujZ{Gx4g>0u{Q+{*9D+IPJ@eqeO&J((apbEs;@-75(d^=$R~Pl5mlbX)(BH$@N(ms+ z=sX5gOfq!IEte5t(5J-kGE5y;neUdEu5&cOV&y+^Y!#L>EFzW0SSI1*!R3^**o~Zg z|F*vP`<@+mg{HD~IV~Do~M_vhj4)(&X`??Xo)Bu$wCjfP-uP5$jWBkul5A(>;c93`qLW@U^T z!aahkD3})_M$!|$)bXcc&aHeYoLP&b;z<_~tzBwi8S7=qjKaAGRFsX%8bCrJ2$^(a zU#%lb8Qq6bNtmA@J3J1d`%W4|J?GzG;|!fUXFk^R$liJgyHN#W)LbpWgxAvdH?tRj zD`zdN!4(M#VXU)Wbz0ne z1QYN_f_rh3CL-KDUWVa8&-Uv-=4s{19g`FAR3=kjcrbLfOt<6y!Kl5RG?yb-bxJeb z`HidkB%Qdb7~)xMA*6`GlzR4q}(NhWbS@|6#y61}p8S*ii)vt|@p}E-Q;5kI|4An#(o8$zt;u zvo1o|rTYxqK6p&QT0=q%HqK1!Ir#i@l8*4xcko?6<8gqA3U@Gg#t)zP-5}6c5Oxlv zS*46jre^Nyh%I#5!RHGDG#Wt^Jreu{M_Pygp8kIRJ%Ke|G~>av{PnzGy8Y8Q?G6%# zDQAi+iGtkXP1h76=4MpQItu@)3KT*Nad)xLNm7slDE9jNz%Ui}Kwsg365<};MzpFN z)0UZitK>epY1~6LCsj5R)n99mLY(3}Iv9g}tuMgTM#1g+t0nFW_=-sQvP~s z7=yJ%cq&0}Xezl%_!EP7;>Vg7-@Ca3MNxk3vY#s)t&c1vdhB`bn+o1#Z~rgS>Q6Z)JWa?;0@4;FU#2 z3gq2CR{5ieF=uhM0v+>H2$0A8wtQsp;N&c=YBuC(^49psg~V_BET)PPIvl@JY_}V{ zv5tuedp+)bDBt>}OQg?Q>J7=ii?WY?2^- zA%ceN`*?q1Z+Szi`IK0XW|*lwdCg|>8GF` z2bGHdSN-Xn9PJO>e+vFq1aJ8ZJr)y#)^6l>@93x>xm&IJK5%GF(SEB;{v7j)spB(8 z6<|V3Gg$1bscP86GRAn7Jg44P`mp0YG; zpTkBN;-aj&d{4YaCFly5OInL7`pF8%B<{vm;3`x)T>lNg#c;^T$We%Qxs!JG1=YSh z5G5E3rk@7K!zf3`Y^rt%{JqDv>s1}W3Ijqc>{ql@Rrc2><53NRP5lC8F(PPm6sr;& zoY9aXJ`O!E$dTMO>uhCfbpKH{vshi9Up-roYzo1;f6ZgR`bxneXFq&5oM#Cl5n57T zhl3ivB|?*a$qAl}oK#ONy?Ei-@s}$Kf)@As3({t~kAVat2>iRrGOK>(j{1HvxaBZ$Y|EDZp&s>nx&t6fP3U|)^(2*t4HYJa;R`f2N^5UrD%_!1z)IG8%gNDCj%FTLBmq_kVf9^rZ3i)JbLsNF`3;+E@cK-H&Nu zALtmhp6n>JKf0qq*}CsBg^LC;h#!pn_QzI_Y3l2yzB7dP_gT#l zrw7tKU=~-(eHnzJx2_W$qjYDA&1rtoU(H(f>X<5xu3{)-mc1k(h8D$Amk4dH7QnD0 z8^dk}wS}%?uKx-F{a0J%2ayZ)!!8QRYI)@w^T+>J+j~Wuo3s=VfJ5w%gtZei(K!bS z&ItIMP>xVJw)Te#Nsd?<(c;t;;+@8Uq|jg)LPC)idLiI0++w=p?-Eq&IQ9IxwphGd zJ6O{oGIRGYSgvhQcc>NyG!k}@1eY!{T|JEu#&N zAGF&CyeqZxp7&p+^;rJUn|%p`aebdbY;}wDR<)s#KiyEiNEjwubt7)Y0bhHWWbWbB}GcY*Wr)U~dJ4YC6}Z$VDFFjwzoJ|U>8 zuESrBJnmi;!hb?_G$CNi{dnTEOKTWQY7TS>aw#QCDX-T)XYz_Z zn5mY=AG-N~#9_ka`7vCh1W(oML4Q6u7;tftB(oQ`!TIQU<+zF@Ow|Ix2A~+GIxbJZ zT4O_os+SW7mLkQpQJ?j%TBxX)e~ZB=HS|vSCYV`Hs{l~9v5xR!YQBG2GTX44WS$~8 z3atDSkr^<*#@%q7=U)`0`B42;5rcx(KqfP7_l`*>n{%&1OO%+{n;d*F569eJPZ z@J9$e1-*EGs<iT1!k*s*QFiALqV?c~Bx$j%R3y(XZ z=A}EVI^udXBR<7bU{=s;7$vxBRD%S+#ik2aUvSQC;9K4iJD+ge&nF6Da^d%JZ0LY} z6@701!nbKE1@XK#Gh;04`yE#Ci||*aX8EF@tC1UhYN88Sq=uL_AwB!)!d?y`_KhL8 z`QvhxfkFcdghZ7`2yv7ccb&^Alrfo%XPgm=KWZ1jc###1u4FiL4O5Wd#S-({^`3uC z>l-yJiOWLr46j{)i+tSlyx!7H1`T%|RiLycgDAxvRv$FV|2`}D&mAs80Fl#>pv^Rf zWj;=FwT*5SZ3ET36^M|b#5TM{@K5jphh83gu%?pTc58kDG-1y3eTXi#UFJKcW5U-E zTtfHceDw?Q0JE~Lr(21;TN>*xi*!5&9?$_l28Tw(;YSyZn4G=TG{DwjIBtG7Zk~)f z(qGF|Sn4|#3bKE=M(;Cu55A|xF{0bKy;ETJ`$$Jg$&kcfE%T!>$XqE>MbcIzR!x_J z!QAxesnjjtj1?G$_PVHvqO2}h_`H43+x}4b;k$CGwIoU}(feJS&w}h44;t2yNBrNP ztpDAwj}CoGJ`LeR7TVntaQ7_(mjedaIjF>0J00=opAOd}v{ln|??L}`Q0kJ>8U_>> zS}iC|%kwjn`1b`gp2ZLo(}^U1=m16?D+0bHJzz?@)fRvWD5+G8Uw5NiBkdk&qH1>b zhFT?8O`k%Z+PIIQO=5Vg?)M zduYF3U^jU2QN46rBJ5+0pB-q#ta=giAniADXsX}9t8Oh49;t8@)Lh`$Jlt^wsw(+? zRUuS4UG-Xvz`w#)L4|l%&&*PHO3ohAG7~FxPcUErS6LavGDLZ@)bIPcEQT=l0JNhQ zkm@WDM0l}hfSRA29m)6nRn((*p3$c6xvhE(4L#^W$u|o86y>Jkx>XhS{%{ouPxyAF zcD__1z-}fd-(9n6n%3!FEfPBpz;JAws|UpHN#>TN_!H`jP;ZLWwF74Q;3Jt&r+x17 zl9Bp6_?359kwaG*xEBz>b0fLHq7xu3wxNQu@HZZlaMR^zaffl6iu( zbwp12`wSs2+n@_l(BenG)Vw>0hUJPJ&TEy`B}!Xz?-<{cy}$^w*Iie{CQ{QwHPq#k zpne|OG)AnAnAahT5b~s9vQ#;kK}h5K%DzCtc9@9tk7Mc~48L8sijYY?UlS72ylyTe z($Yvoh5F(36{sAVNP=7R3fcCGAQ=9yf}Fz$X2ppgKDM{spXNao`B1$kWNGo%v7eHS zGWC2Q~9De2;-isUp-j>7R1y_73hVUKtA2p2*m)@GxvEonfCQ(}E^~z55GcYvm z?q$NA(4=x22xrA=IOa>Nfgj$-=OF>ifRgmF=R(oxA2%UeLFLr_dNIXuDK_+xJ!+~Kk=Ib3wYUc0^t}8J@c(1t0iibw?`0*BMP1%v>{V+))6qMEOS(-=4_K*l+ERi4q_iH zAN?4|9I$8rX;{(;j5mh~O>iW62}$*Wg4u*zeHYN1F%Sen`Y3hOvSbQ9hABF3KxN+Z zhlEVpGAN9dy@%D0Qd0PTJakbAU}Qcz1Nrabj%HqZf@1GYvCch3vmJI?jN^^rpR(~z zouRF%pfMQ!HEgB_a$~~$*#LFvQbNhP{y>V3nInr-KJ{sxZj&c=Lf{4q@51tRmh+nLAwv*(jQ?JaaXpYDm?z4ir^N@W3gl$&>3|*t!RqofoxARkIkd^ zKCc|!*fvqQWXqe}1)eHpe)4}#sxg&6)9$_PpUm`C;>rY2k)uncu6aTrjqGCqtw;8b zb?5aYd7sWG@+xkpCrvE)LJy0lNDE=8_k|9Hc+9=}E8CC9I8)9)o{*2TE0u zYaqrNr71I5DJWArxFkYJWOq;fPBWSb@Q^kXL0%0izN`uYCl9wIsrz@nnUmMxl3$2_ragx zlFS;@a|9O=mx=7YhU#_7s4qcEk} zo<)fu9yQUhbj!ZTRBGo^2@)>@lnfU&YeKy*4vwDRR@m$W5bMA~t79`S?)TUN zCWMpKFi_kJFh=Zsnv|W#e%NB|92${jV^d&i_TJAJK-{D5X*VB|8!(3Ygknw`HADK7 z%E?zuG%~Xj>n~He_)YRg1;Nhei#lX}&l_ToreU7M!izy>k@xfdAJQw}m>>(Q`3>|J zz0dMevSPR>`?d&O`gcM(b+KEz0O4s$;q(3+sM}5X6Qkf%%MPL$gx>OY?fAsQD`3 zC4A3zGpaTdV!>4EkBf*TaHYt%v&64zxd9gYtvh=3$H|qdBat*L4z?M1z$HB9R=|1DeJ29YtX0<{b`M zvn34+f#hUFPlp+-Y}DYA-N2J$9Z|mS&Bgnj(*Zh)m8t0w)2NP<#Dh^e1FCe&E1?~C z!QQ<(*{QKu5L zln*llh}mZ6GYXZk*bR`;Pcg{on(k47O(WQ=j62Oh0`^7EQYpU-92t|#u9c1hI`7lJ za%a)u;RXlckgtxM*3Dh_VFSY!`ZJozUvCZcz(K^t`UlEiw9@ODd+kaUp59ttD^%!@ zuN?1pD$hiZ04Y-@#s@+#eCPIwu9S0#G)6VF$_^LR!BGmQ-P)rnt#WCK}fPBR&gF5@ZR%V0?oPiiR z={cet>fmeHFDz?eW{S_~UR^*|9-K+2HH!Qw$!QF?~ zpa%Y-z#)h4ck@=YJw^LTdS1W@P03g|K9v8D+kBf|0R2883u4iEIF#}nNhVnhQV-m`8 zmVlA|HSbZ;Bl*F)pHyxm-N9Q#?An~XzrThwOJ6fWf4%EQ<_s2sJ zm7CE?B*+ksGY0W}H4Ymv5KM;$6@_%POaYYeEg=)pi2$9EQVe>wYi+gGBu`-;_6ag- zFT^e$XgHF7-z^T2D*Bt~;5G!at;axeS~2V800SB;rvTwX*HhseAA%_cUnT`A-om~@ zbUb7+#n=xVCS#NHqA}=>mtv`x!n}@Kq-KB^XNO7ApWYlyNk5GIlq9KU2nwHdFwl5W z(S=M{OU6QkiYV*=hSS#&?4cw`&DgRHfAj}L>!`#%BeM$w&msojp%8bv-zsiEBxt@K zW&`dad3k?rGrB8v!d_Pe*Ls$8aZhs1LAj+jt8E)M&$0CTj_R91FR?ZfaydvesP-<# zuiRBvy6LA|w;i3#r>FPS^eLjnXObX6l9N6JUFbJ-0_y#beYMrw^MsBX>|@>92&6}T z7CXO0W;@oe#ERBI%EzWLwbDV-T%MJlUXyiB73F2pwHB___Ro)Aq=@l*XU?J9?6wES zQTn!mbU90UWJ`6x@V-NqZ&lZy(adfgo}r5IC)@UpA;~#vPXOqwERK5(uEdfh+@NOs ztc~p(i>FJv{x|0E;kSE0d} z){h-%Y-_trxuJmCB!qWGcj9sG6lX$(q2_A;l~LW^>CW9E+Idc=3LV2dKr^` zUPr{{Bl2U zJ^>e8Z4ya5cpa-8sti#{AM$h_cS_bFauN?z1|vVJgg?1C5DIkw?Xy!CmhjBC*4p2> zq@FeIq`ku=kJ+S_u!K*sns2Af9}UE=O89wXSrqP+j7cThWj5Af(F~!CgM`^h#y?Z62 z&EB2RmaKc_(hyRf%|9DN=vGja-lA!Q8Xc_U5I@Jw_`+XQ96wi_@bGxT@8( zu0F=aTZ$-_x=DW2d&*;ij}e=QOf)zjHP<~4G)!AQru~P9VzfPr{1g%0 zh+Eo}&ue8EiaTXPSAt3?gmBTP3`M=_2l!OK?1c2|3lERkm;3FrJib1gTB_xfMIl5} zWz%-K1q5+T29B)6{ueUQs#aI^>Zo#%mqys5Z7WN+)?R;-t8k15bmCB;qzE_B%V%Ys zLWJYWaVQM_SUWfPe`qtNLvY0u)a|w8nr`}&iU$=Us`}E20{0mktDxF|(D`8|^C%Q1 zsKAuF&0F_c2yaKuErCx+ex3>Q+czQQK$_RTF|SN|9|3W;ddIo>(r_mkhFHHTvpkCO z8NV)x2a1@05aU$2?;k|*HV^Z0*1JJ8IE=8d0v-vyDaT+{@>Cai-gR1&1^(0V5yB}O zg@O4?z;}5MkLPc|=i}+!C$$w!rSm2oCcJfOr4qdojAPr28#S@P<|%5*X*XZ^p2qC0 z4i53NOuF-}R~G^^Sc`iPZ`J!t#)-;^KeYcQFr1M`gJ+Nu^H|o4Um3{LTQT4M6%3>g zd2i*b#npPhXZRY}{f6|QbTe>e`BL^^aV|mAT%eDAL%%Y-5%2O3Asa;Ce;#Q*j(~l` zew~~E0nSR@G2Dq3bkez#4S4Kyc}Zs9I>R$5aE)^AdeM{7&=LBU)lj7UdL1G(NJ!bU z_2Z$+W8B;y!*WYs;?T?E=|Cki5fb$E5O|4?gdE)&@RBt5Bk0X<{8?k$>se59hdWvi z%vxTS6S5`bf~JA2CW{cq1)(Z9!ctx3RpYSiR#J!v8>LGUK@!%nA#@nChRR7nOMn^YK7Y51iu z{(ISELZmn_+H@WNm4q^!K;D{GcFVLjQF;eDwZ)Qw(GLa%#>;5YEdsy8yD!u9esDWb zi(uS|fN5I?`ga{UfG3=o5j$#9B24!|v_9w0sgZ*Px z)u@s#uG`x919-=5xox-E?%K@Tpn;pS5Ot1Vv+Y4BK>=Iluf)i|fP^p}52SDy+8j(` zx97wY9JNCM6{cU|sbcBE)7;Wt0OZ1xxtM%@FLME+r5s`sQ}lKETd8y*kD)Shh*5Be z9ePUuM-YxPr1}?=1v`MO_>;W!5}50c)3gsw1*D;S&U@oL4pfUn0+_`W-_$_g6;M4x~DqCq`=L*W_x zt6Sz18CGHA&G(Jr6`J2b^zaxukafenn&u&!!ZU)7iasa+r2@3wHTB1+6apb1o`NiE zlEs`Brv|sg;|8Hw!Rdi zsrr%r0MTV_H0tMxj{1tNg$(;!26K8h8P=!9ZC>(^?_1XNZ(6^k0gL46ZIEd@sI|4U zC!$EjAfqgqJ~-zI(avBRF+N$4+8Wy6+!0FRv+Nt==mXPp0$m1ZPPR~J4Tq)sh%?3I@urRa1;#g)SjRNxy;{6- zc_GuH1K7l^7R0`8qypdM{dUIHHcL{u+H|>gE>k!6c>FsGIcl%@QsTI`)PdkR+l9p3 zbAQ7H*PPH@8EFPUU|*j2Yc1JY=<(Q7Iik79HzvR-G$9dSr>SM3X6ec>y$r@}f{d?Z ztyz~w>K?0AP1i-pr5mU6;g`EI7;J@{Cj1R*Pc8P~Q!re7NQ0V6)xT2>a3>9uuL4?k z(oML(ferLhXb)r@2cM!0kF7cKH|H%5F)`O6!--F`<-8{CrL}5Smln_Kg~;;?E~(8? z3ztfyKUbIpG-#C0>hFI)7EtHxEsXjf_g01p9V@njsiWAiNCzNTQk%B;zFh@_FQ|>k z-CoRzHh&u_#u{W%F*J1W;~t9yVle{~iyyGlEa>wm?-m){Wu4j&(p#*yUAn*N>%B-} z-=hx&^)W1lCm5$Cr{GD7E}`4_~G{l3*WM^wxbtO zJLe62IO`y{mO#6At}u8DlAZe^|0pOYDLEtH`s@a|2q8~YM!g5O87@DCSYM=g6WyiX zVe%f&RBt+8yvMHBj1t5Lx%pnb7^iYP0uH{k&*3; zoYKMIs=c0L#$lK=yy+?4O~_1~potTCdeBX?5PPZDqsg70zatNxIja5CYd8cZ@zPUH zY@QL+!a`(q&0(~H{um5WjL^~SHzJCHC$TMR-WAQDc}v1~Fb82re}iv6%&P0m?lt~l zu6-H&5zDiBf~c5(AFt&}8|NkfNy(2u%S3uC&2~+G()uJ`?Z->d-bE0pm|mupNxx-) zNuH60t5%nUmQopBf^o|u?8)p~(NB0+&t|*`XwuJ`()PjTko3SL&Mn0YWTPT}R+Qn zAdz^K)!TQ2(ip+bZNbd|li7g{1ytg})SkUAm}(1tHZ6zL^$b9Au=O?_?i2pc(7=ED z%|JN;tN{Bk4Tnh+y!PMN_8A%&403Qiq(tpKpTz|0U0uFlR*`=r8~V>t;J+p5`xxNE zd3NR>`BA>1Mf(rnQVAk*j;Mn?cXgjk8cZQzCiUXW;T}Np(C@GgH=79j1%eMK6U}1YXmBEu;|KroG}ehQ zbbuF9Ie3-4&wsjgZ-&B2*yv7psqz2YJ|qH-G#p zbhA(ajf%5VH9i?+hIT(sTKUIY0PiZp0esbQxNI+A_?AK%fW$h#7o>$EqE^R8|A z|MIj$2vP6qDWvSB7VX+$FeDm1$h!ml5bS>32OnYJh+tp|MWY@t2c$IEu<)oXz?GgG zC;|tg-Ckr@{FaJ=;cw5z=az1sJSGGOe0_rVP!C@VZh4&gkEMWV7^d)FbsB&BUSKR} zF(Yji2^eDv7{Mah5O;v2La)vbPAmXQ&8;lYsUj$chkRvfRJl1|A6>xhFa`XRmF3tZ z|NaZ`5o3dzk%u$b0Qf2>3*Axyv)$R@PyYA&>FpD=m@65Yzx;n$8sDV689EE3QcnH?GyGq?wsw?A@po%f^8d{${EN5e z6H2gtg7j~K&}K4ZtB1}pz96`Ju8IY>8%z5wEY#7S@9P6h`{ADX)$PB-uz zZT_n;kZHTJtvj6$68O*&z=3N)>!151tj))plHxd$2ET{9F2|d0j6r(+twgVwu4uYx z5GauLdcZZIQd|q>Y|tTD#-gANZ0UJ$`*Q=Z$yl%zn2lKG!VN-Q;Z$@3Um>4VH%GW* za>A~p9uRi?&)?g_pk{hHiMPo{pJhW|ltw%ewRt8%vH)%_P5|&*J^oUdg#5Vk(s~`F zCOwbpktb}AB(e4~i+3q!cf@7v>eb+snUjX#p}7|ob&A7nPbfj@Mk zPCIZ!F=Yl0*skz2Gkos>?#45)M}O9X&xAY&pg>T;RsH_7JpHk=phxRKIvhp+b%_&g87bm72S!^u2GhMNGKXa9UwgC88Q(PB;?E_5@uBpdzH zsR#a*&vy|NU$4qx{XeAF?Q|%X6W~sYsR69QUZ$$wpEY>=OKIP-0xOqFNXC~3W6gfx zPqxUWn)Eiy_B2a`pl~Qoeb+XO*{$2jYVF9imgRu$$=WzuO~eaQJ_wLJv z^Q_C$9ZmPlm!-5AwMG3LBRmYu7(Qhe5nupThR^5bN;?3virP~bGZUl?OB-q|`#A^r z)uS8i)b9JD(qdQTZb2eV)H> z>e%pRKnAb?oCqHoH?A>hp`edQLkvo6eFLhDf4lA9a-hX5Iyx5X2#Vv{14{<>M)Dq> zSY$+FSjTts?$)9`Fq*4XxCOQFrl)JLh@$vBP_wZEV`ujUb^NgnBdp<$DWnGy6wGeM z2k$5Ni&UK?e%8|~C56QHTBiUc9aDH(9?sf=oRvo=tzQG7bsBr)FumKEQwaFP#JcW- z8|=4WNAo>EfSJR0{aTv=FvR7TGN-*7{>R6pLG#3@W?cOlfZSI2K2{R*VC!(bC@c|U z-S7ejK{g^U&DG3?ih=%LmLS-l_`c0Kf|BR2a!TdI|K)O6XTb0Tn@e(Pi&)(#TBiIS zV!sj4Uopv8XoD^4TKuq*fg1JsYm=YDivK9qGzppo&b@BWygnYO`JkP=FTbEWG)|Kl)xd5!^qsg@AX8 zdxD%)T>u?MDi7wrehq@yK7iHKW!hKldGdlCWP&l``XD<5qye;o00uX(WP&nA{`8AR{(^ z8(0NZnRlT4Ex9)t===xogDh`3KGUB#rC*D`!KMzV(m}NdqmZT^-$k0#Ak#;B!Le_F z6acXQqK{dpZ&}DP#rt0E??1yD7&l;H9Zk|L1V~ac)4kxbql{PsQ=|rN%g513K&QnT zXgb(QboG!fGm!UeCQgsjRX?U*0OkTt2WL+JTpHQo2IoEdtorm@ztd5Q_Cw4@yXK}Q zU?;E&o?GO3ea&i8cfw0fT!sTN%FA}(U8Mg3DXQer;Yoa~8ieBV z#i5XGY#u8dAQfpaEg411)114W+1r9_GegyQ`dV9aOONlb~fM zyQl(`O(#&`5h>Tk?)z`{b+8CK1fk6bNxlOJ5^O+&5#<8#)J-f+M?=qxZrvm#iN*rp z>jC%NCQpnmifdNM>_I^=7K4PBFsDq*ey86YGai9rVkBms^%3}Rxa2C;aW0_WC8OxL zpun}}nsc`=2hLcDKsC&zGOz_$b?m^hsaP3BM9Rm-Vg~5e_>zDnvK-&fvzB!0GF#^7>AuVnq)JW#aeJ*vH zfiE+_dk(6XWeY9?mhF9+@o3_X%pE|bv!rrer#%8)ALHj@08T)G2UKuR`ur!h{!CqD zjKzr&GBxBej_f)+kN-INTR?13%b~=EzD%CfY5%1%9fBlKdT3 z?){~$@<)IHn*@C5=ptW{v_?Y7we!bKd+6h?_A1D6bjPj||v9?;nA&BNw0mYSWiEf%V4F zBm0=PLv~*TAb1-PT6(Sc&1GJ4_e`#C912c6Oq~Z4e<)^q!HP?+J@ro9gU^X+j9~kG z0b2WhEzq$mL_2!{Fj>mz61U!M5cjIWaoup>ct`;YwG<4hhmeswn1;1G&EynzowS3O zeUa8}QJnM~0UcIt!35Az6;)1TjozkcVCnra(h*eFTwrR)E%bXE0XNZa9H^3Nzl5Co z=C#z}*czWETIrBaOo+-53*2o~(NZg?9CMgw1Ls+-c)B!y3Bwq!A3a$5*So<(uI-iKkMb&#?#-9pv2JGwxNi+@%2nx0b_5Mab?`a^S?_VhHCX2b(%z$D$1W;K0F zs4gj-d!$YkyH>dea_P?6EW&A)gIrJz1%9X4xp1ypvZm=6|y^dEVV_f@tajnidrN2{59Lu(sHhWJePv`Q1E;@JP-y~Be=5dA{Olm?8c8FQXnn!iPH?U z$l`S|I(o?+1-Z-TB343>nKoj_i9@@x!BJM4pwW0O!gXX;rcW->WU)WGobj_SZL0}z z{8P)E!2U`4P50drOqvwxbA@rc7fh`vjp^|-2gq2%H##p9TGx{-AS<6~u{af6>{#E& z_z5ufsYX$7j7vOLwz{xIn~W{|m8oV`W263rsB?x?&<`^I0+!+g5U} zfpyo$?5m|tgnL9=H>#MH)@l>Q{qf~_js)lk6IMKDxKl45Z`;SsNze->F+J~6rQfmR znIDKhp*q<0k(~MiA)O1$q14M69FlQ|r9ZQ~-zoqd4sLu(ejs`+#-TfM>{bipK)#3Z zaS%ipYxyukorjR{d5{33FLwnvTp07U^yrfJTqL1FfEOcEfO3=?;YVTcrk$?;4N6;01nhvBRbl6Jq06a~Mg~ag$2}1Sf zDf5%tS9JJV=;_8kFRlz;2~_kzsog=r5#ov@-9W=$(5FMvMmVH|1eVdHrNG7ar1yIitdjbcQKBE_x`M* zT=|V;@QW6|Fsb%x`0HB_Hw?P%^l99E3OYR^Idf9`N?2<5m*F$2<9WuG|0OuEOn%a14$ov;VYeTC)l6sTOeFtHB9tJbkYbO^i;@pc8=M{ks>bmNt zwsa2Znv$e{@*TezFX}+kznbmxtY`Su?>)3PVC3!Daug<9!PGfieis$f*M~0LLGbSp zHA$LJo`>%xHb{;AAz>SL*nS{oI#OS6q$ME|=eVj@71t~utdCc*^|+q9KUhNd$>GQ| z4L;&Hq^9%6Zh6KuK=@923|eFrqv-r>S%fh+n-UGK3d}QC85HG`ZxYCNYcCYksLM95 z)b$}d{ty>28wQC_BI8fU_+ACDo-i~Cg^#Ull)wfYN=nfAEZGu!iMoQ^#}pxuh^!vsZ!Y6m79q^8#;!J-?unO%5SS4+}z34Q>?;pV0}Q!QVAc zAY`h*(d|IF&fxD3Ijth=;IAv9^&A}etYWcR4raWFyP*%83xVax=l+7%DCOUTvIBS} z$luxsTUMb!t9mAP@S83C@rZhFOw(PJ53;VG3%;64aG*aXV)VWBG5j$K1@8 z6K5ae7hSjPphThR&k3lGrQqlrlaEVXAuUMk0)Qvr`BG1qs>{g=wq9uN^i*!L)szi+ zNfqkC@LN?-hqiP;$0p6c*Fc|627Dn5!^Q1j0l~Jz##?7`m0Y`ysB(g1YbPg#*Aclb zxIOu2P#a#Z{t7zp$xf1IM4t|2zQ*-h$5t>xxqBEPkj$=nPeNfu!e)u4&|!{47BWW5 z!&leUG6OxXnlCks;x)&FzG<7PS0_xGd`sc4l|)hQADm!6uBm@hlXWti5MldIXY7CV zYGhJ+?;*y2VIdkGV=?K`i4t~NJ~gJqNH?p zNr{vojl`q`>F!QJ0qKzL?oR1WY3UY_hV#xH>$msXd#`iG8G}E7$zXi*oA39=^W67! z52q5>D0EPllk`aDfV!CdSYMP7HTQl5m&NCIHlnEdkKS4P(!W{&O$O>pA=YM^+G}c+ zL9lTSiN&C6Fi32~u9UNdy^PeCa`QpN555jV@pw9BO&}a8&j#m|fbz;N^XW`5T?~R_ zW(b8jZhxR3uWiC;r9x{b4W2w*K%#SHs}*k(7c26kO0I2Wlv%uBHMLp0J5La0<@Skb~yNZjErVR^g42fzO-wa3a;or6lk zj;g;)`$>{R-xjE?(X}e_z9|{T$XQ1zTD`krR|(m!}jntb0IpvEiEeRc!VT?DNkTD1Y7x& z%etOIBe_i%*MJFuJz>RS8I+mf?>i3Jw}XJNs@P~vGxl9~GU-f+1KD*y_#kjSa^aC4 zvx3e;*fewc;=OelStl9dv=s!yc<6C>Dsxi=9tr4 z>6DHi^QVH3%}6Y__5AOW&mgByrs=lzYC10?*wUYBbf+dLXnbml(Xm!KUNEA$JnSaW z6WBdU&@gzuGrKZc?^99^C0kzX{`JE#g^JDcLs8ST!nU0{s5Ln}Ww4 zvojNJZY|gI)lpgqhsGCQtrPj(k7~AgR*J74@AsMq2@0Q`%=)x;xf`Cwu1swIXI%!& zHBWp+I;oPFOuPY6NF5sxg}N(i?XmL;x)VoS3y|bJItffnf3|gpAyfI_aUiV(@>$Pv zt%Xiz2DpL_)c%j6Ky@7Kj?);LARbiq4JyV}g+l7;-#k|^yXXCM9_Y0`)$ocHb2yMr z7jVWsTYu9jbRY-G*?RzW^O*&lS~-j@l^wZ>kJQK>x>htT3j-BbDOxQ`g_MI~H-j%a zlFLyr`OmU2+emUoAWUesZoq=H;*V-P8RSHq8}g8GLNke%FNkA=U6s>ize3JkGQr^k z%5z*9A*eiDyP;;{0L;>o*=icD%%wXTt$#sXEGmv+h`R9iFzQ3P@vqOe+*_8d4n-g==>*0;( z>^TglM{_cWIrQTM{~)qRS?mViko8FO%2zk4E@CQ_vmOy-e$7kGhfxBwpq9-&PMIu$ zDxDk>R{nLQCF&lW1nFrElY?W=b*G32lisH~TpUz;6$X)|Iv5_a*7Ua@VPA-1a6E{@ z$0&x`R1&csR6s?`I`0gdVRRoSKLC`Y13WUZ%)V?gyr?dx-5QTkwH^{u)!`)hwV`xjo*FqrrL{JU+5v;!G> z76;0NN)sfPV}xOsfC;pWJl$kVbff2AIUXAITX?_f*yxAcJFid*jm${K7gUbj;8f{UbEau~8x7vb@yDC?z+7yV&yhw<9kr+hVZajybc^Iz`COVui|WI#@zxmw8@uMFu#xNNg+2Cwohl1 z5KBL2!&VM@OeSF5#{0O900|**%)%>fq=PhI$&z zBfM9H|F{1B%cBEorC*XL2+*ZM6o{5#!%9UnY18RyaXg}4u7~oZ&un&&BkWj;Rb72R z8TiKA>=G~(S)u(YX-LQi@gJ-rhyg)@;-DR*L++y;CyPan?Ea5I1)8?NNNb}dpAdY* zLB6hY(uy?^OkWm=B6(u=S9@QZtY*;wg_@@OVAt|1iw|u%R{A>%oC9^Z-s1AX2- z&dkX+6~qhNVdP{A_Pa!iXjaibzh=lpY4R|RXA6XgB8(O66gH6MV%8H2-WCz4dLwr% zXb~a?J)+#?q3lYcP0!lWt75lspEQ{}Nf83&R`l8m6i@2najMNju!udsYN9$RsTjHR z=RIZ;Z=)J9K3{KY8WK3##C*gP}?0pfJL8%6ntf z@A`~0r-Z+ZBaR#!12M^UOX*86A2j2`*KS)re0SOw_Po91ky|5&1BUNoQ=Rm2JF;f!vnuJYb{K;(CV)>$GsLD>GURf3@o$I3T%W*-t^+~;ocxRfQ=bsf|4T@Rta zqi4mVcdzwKNM61Vj-?YSg~8O{!aFE)yhu;`<0Sqsqf}%9yaaG z0&k_lnGePwdaMGMCbMj;B40js#>WqQWB$>s88tw$`93lV^qs6bCd;f!#@{IuNU8s= zIzEHyA?2?&2(ZEN3xyS%S3d?3X}1BQCOwBs_3`Dqa9W5pD6%RhSm7~=L%#d1u|@XN zBGNMr?t+1dfo#|Pv1~^*r90P%k;Rn^XEmZvK3CkIe&r^Px#?JpKHCh516rQPHAM!p z3_5Cp#QkSk12$v@B4D~9o<;(Y3TeY3n#9L=ZywM(Zg&Aq;IcIssWtyQaD@_jEa>2{9U zkXRWBrZ5vk9W=k0?l?zynyS8Oi9Ig+Ia%6`N<09YFt>~xi+`omR-8O;ApSh<1JK5X zu2W?`0F3o8>O~cd3+)3jo&m&9FL7eMRon5Ljwxx`tT#2m`q`#;bh$x{EZvx9#F7ew ztCwa~IKP9TCE~-=wVV`3t=QjpwMOJ>6F(ULw)IHj=O{7u_qbJQ^}O3v69l+vsn4d9 zom7+B!lk2o)`F!|>|_7gssm#;T@>N@mshdGNm3jYJT#%-+2{qzk*f6b6F#wJqUNu! zI)j=%36W%D3a%nrpOwRwawQxj(~3nUuP6UoM;qwptWVMrVGV)~{z2Cc48n{=*f-o1 z$Gi=iYX*vWSog7W9+JzsAVp`Wx@;<~mu!srsauwprEiesEOWzlW+Y7P4|DFzO>q+c zCzU^dFmP4CItV7`M~NZ{R@i@nl%P$?Ty(GjwduHa0VxwHTbZQ2s2Z}3Dz=h7>bs1k7umGxp`y36%@5bO^z}F#4;b$ABhajw8RX z5o&q58jGK=uNl8(xl{~4&{P~T(u9bo20Vhf?7s#^?Ny1riw%KWhB6TE!aD}BD~sLE z{l{>0E$P;JLmq0eFSZmmtfEFJ@W3%4AFHKvwA4&$z(wOv@o5Bz2XA%@7bJ&U{C_iDA%mVj;;Xd<{r(5D!~&G9 zV!`tb^|7jL+CoduEK;y#7N=}0WGR>*IlXQ0TD|FX()v7Mlxx;Hn0zC)H+57U>Yug4wQl8UZ)Z2_-R0KSSdAlbKFt5o z2Ze!~GlwI3_KYT9DM5Zv$p8Jp2?Sr;Ml?5K)DtCR5Xf04f;9(aVh5h6$gh5bIKgP~ zpSQF5YeRLT!5o&({td`v&J-N^vCK!WXJoYvL@pf6>d|cF7|Z?3t9^FS`>I}!YE)p{ zL}O}6gIEF~>doNYZjmhS>9={9k+#v8#Z)#fM^Emi9cNibCOQxzh+5v=IP#9NzUN;) z_;BO$^d5xIP%G~PiK}+hK*uJy&w06i(rE3xm~tqpvium_R=ELA)j6ca=+YMOB{7ak zhXuD_3dMTUrr^nTqfP(x9`s=g$RY)yiShdp_mmul7AQ7k>R899`uNJl_&J@Ig@|4r z=d;V~se4yL@wrKB0E~S81KGX72a5LciTl~)Ql@gP1+D0`$wg5L5#ei@QPMZe*-8!4 zNojd!2(mcxyln#Y&X?7L-H?In83H#TtT@rmPz8t-1BKJ*q0wMoyu^tl+fjdu^^liU zWnW9Rn*+t4j%H2_Hm$#CofDd1vVd=%M#b(xb72u;EDW9yV`<^b=$^oTJ$Z-W0z6GGHqSX;EE<)^p}>!-NYIV)|qec)WIEb>7+%QB5?+yoIp|N7Zc+fXfU z(L!DT$VlObrkTvV=VVIH4)DN1Bp^|yJ-F7{`Jn2xK97(m#8Vve+t*-(spLO+P}s<6 zHCMD)GuG&DuA`|W+?1K~VnopF2Kn}iDCcm*__ZpfUsIAM_i?8^0pjHsAXNhJ1GMcN zY({Kl_u_aLvKtbk@rjP7i1glsra?qAd4%@Jkpo8)%+YKp1?72zP`r%4Ebg-3F+p0` zi`_?4=-z*d>m?u`7xuWq+FB10_s7+LrNaL?n}uhG0|gY}8jP*dXXGj2swnHOj!UR8 zOd3v;Hv>Gx!oglK9oP2}fv$4~6ajfb+-DJXRDT~wK_Ud^?W-6*+YAr&D352~=Bmxv z)$u|TDs9`x@Y^JaDbfki7{p}I;S{i9h&armpYqsH#8eIK3~)fT9CH?>&AVr2vB%CZ zR&LN1+h-|@z!$IH7AlGaxrl92HJe!X-b?Z858$>kJ42Nrvr=jr$d2*{K2t6Sln2$SYq{i!V!cmP5GPcVj#$_cJ^0 zc6r0=Xtm>!&#&cche(CO!@|P?ZVz7CW;}8W9$k9c2yH_caEe$QW7PBD#rOVq?x7~i zS-fkk9Ox-pWE|uvASdN(PAyRD39*|`=53GS5u=ZOUg0mxFNnDIsL?tC zxo@Mdu_=ic(DB~t8#4K4awAL>j3X;$5C)Oi?1?Kh+ui|nFgLA8(li;9{FWR+Qt*l3 z-nTjvf12^_((6Vrk_0kbJ@PUUSvgJA#!L2?`L!nrkuuy-?0PW77=f_PlqCF~GQkL~ zSDYOUfB!cTG1%jXGZ(6qE1AEixr$^t)-dct2O>n9cPbrP)lyBn`D&wUzn~V?dX9n^OgaE=2$XPckW0 zsq$LCk9|2gf+qoj1=7!T;W*&Z3t0JD>V{pj$Q zO>atOjRTN-0(@edY@=mGy?0ej#$853h8I@*a@`pCobE>m7E!a1b{Z6q^Y^AkQ?Uzk z@(Vzvwjf_4K_;lNQ_uKmH8(iAzI@+>C4!4z$X=l8)a(Hq*Nkd_5uH>AQ+)jxP!-5D zC%jGC00XWM8moD}1tCjob9;6VG444@q<`i{&RN2J{{jD^;BVuHt;G2527%RpRv&Pw zoC+j_XE1gwrD5fX(Xaohmi}j(5W2y`LwG&~=wFd$YwaEmvxC4e+&i>AmPKtKpXP|n z-wW*1riTCqFXJW#3@iuIUoJh6@wK+;KVzX-aW<@CKUc+lCH`s0UT;Rs6yg9mprC{c zeOc!NQok)%KC=+N)9|iT8 zz`G_}INnO$JsYSkUuLvA7~CRW4od}V;>_QNkaAGm!MlOZ4qsdC(~e%zw~vUT zprKmGhoC3DTxIxjjG?I88~@j@2>zDmp+qml5MH>SQrwtqR|NCq(uT!#SO{#bao15-{6glzWplj5 zM)!H!h)D+S>L-^S#)Na8bQiy>CYSiSHTTgLlSUwSSttTx2}jjn1wHM5vH;4+J0c<) zGB+*FqWuG9nu0*1;AQM%lvk^3PdH}o4xL&D&NWr+9)Y`~&{-DR_V6L$ECz!KbUZe4e>qp7!otQ9VH(IyFmWW)|LS z#rxrr0Bm~=ki))?#$Zz+1E=KJSrD^8pJwSEr!EAH?m-A?Qf~CH@c*(H{@+;`4m(d3 zM#bW0d{Yt*a+vu38s>$+O#&5>kh}94H1J~(YFy}vB(<;x))jv))IZo;1ugZYZ={tW z?whsxbb|J=MQVJZ^FJ-VVCZ?CIlRO5_jtA^N8a21zV<+j^D3N}dw4i*H)!tF0tEN9 zmLKLgGqgY(LK|0Bsqop;LnLUZWwuBw7hY_h{}dgMH_)nbh$|9?4nu}=5Yr03Zjqck zp+^R)&@HcJdf@51n=19(2#*~l41|ABPr)agSvS|Z0l;UQX_4w=Oa=Qfe=|SdQ9cZ9Xhs5mV>{(K5EiaR)a4fs|&u`P!kkw7;+pU&ZBHDh!GEf-dBwKW;&@l9Ib5tq(l!bYSrx`#M|%4Vm) z9w0dy%49t-)y!rN^YdXAwE^D0Nx-cxSY>@=y_k*M-4j?2Knlak+0$@-wUY0l$(2BS zBzhX(dP|E_(&t6^6-EvAzas9JQo5^7#S z(&|1@fLgiP4JUSGf?Y5ZFLxRUVAIMpr;0%_#q1*WZE&<1we!O!cPrav`_GpMi~wLJ zYX|M!xP5OR87u}zLc1!=6t3y3P5OQAC$@9dyB?~Icf~8Z4rx0%^_@L+X2Qc{>E%nC zomQ)I+KJ?#Ns+0geLv=Q2AqxZ-;5Bj|8E%mQTX#Q!OELNs257;Rk*jd)nbotu|2Rr z#^BPj#d7z{Nn#)7=@enzfNEHwf}l(pl9oUcb=sFTgn;%HipDErSw25rVN{9z2koo* zI?!sHGEZp#+{*eIWh`gO9fFmMS$E#U>7Q99Ys_!8^xcz-?aILmv%3kGmFghn7{5Oo zcC&(O(OxAt=I!<`Aoy`y`@}q%93NZ00)v5JnL8x1FhX= zRjwp3?UEyN4UyKXr>g^obl7N^$n4pf2a zb-PaPF~vcG{BNMI4zY>s4Hhb0GzCK)EGm&}(CnZom@%fsxqYGx7QPLYg=Vf%fJdb` z>{RrUZsAxY%iU6`%I)L5fg+SBI<7J2@oa7B2cS4w&8RHXhKKbO(438`zY?1n0F|av z74+5M=LnY2rn?9aFmHfEG;Mttl2jdnCBGV#SWGw(XTOLy zk3y5wvrC;^EzUPaGlv-Z^Q<1@;*^>dO ziS-{eLlIBedkQJwJhb`Am$N5W|K=O}^QfUf@Og#EYRj(N2#Py8(s*Rk9kE(B@-hK{ zTx}b(L7K1{-QE(g^WOR;E0Cv3b|gUQBboltBOW#Z(O7tn;^)OuJ>jem*Sis=uZj35 zNe5-KqOLuqNo*y=Y0QVdKwYh`J#TE_o}MAS*P`r;H#I??k3Gxyx>P51^%sP(pa``E zQ8&^5P8d5ZsvHjW1(|Rqq@<|7`LV5lA*qrS!#C8%RU3*)@M}>MH08FlQ2|j2fj-mB z=srl{dl`V~+X(1g;i8qx<^bLz@Al~dD#MSDZ@($$RKwFW)imb3Q54@n#eVdN37i{S z+!J#j@$U1l`r{5l^^Uo9pv5fs^4*>U*V8sy>f>UedxDdQW0LE4zEDL|m1#`cVNb7rH;tqP)1on^c zRDgET@z?EX-c}JDI0>y9?hk?1zEA9J{kFElvcCXZzicHmxvP{Otw<{I5*(HZbXT{qkVeb5X zPbz+dLZ9MEv{fhWI23~iVCR+LbENzYsQ&Y;XNC_QQGf#QJd2Zx1fVyD#>tYE(8@XO zjNT==^uNf;Lw}}6%?%>3;;NpQ!(v+|a$88rSg`VgQ>_P$lcaVWh1@i|-ujsV701{H z>b+Rf0Ps3&J;@!gB`atHNfQNzKPcoAA;mA}B}hJ+#p*+6@#y22ckj0Rp#*I#+yeBG z?=-N@Ps6v$14UD6w#$U{&Cb%xQ>to1CHc)*3P!5te@mSLQEOu4YXOY!Ku59GH~3Z? zA3;941UDJKBw#a}irLsq2;MIFL#&RG4N$=GDhnBi(fiQ9Mrd7S;0g^@u$&tqo(fd^ zovg!|mfJcNEp9~II=eh9ggf#2r&rvlVb-nuC;NcU*~^ehJ4Y>@(R-uDCNwq2c>&?e zY=Izg`Gp;}PERCZj#@LOcvexjeumubZwf)D*Ah#1jfO)SVr`?j#y!J!K+UkwUUOy8 zqJ7#1IQEjvg1}G>e^~?vGPxW*7R$Is1rC89DzT9n-GzkK#H7j%qUsP=3}XCF<}0kWd32)xnKlDtfPN&=EQp1+Lc%r@WX@IolafupmV#&Xt! zvY(p!penszEa1#`URPMs(BD?oaInAS=stB1bbkdo&3)JUlI@Nz1n?Aj*KP2avzqg3 zEJ@3ww<5JiA;!%#;rVs5MvVdyao1EEAZtf6IL@Q_L9<(^VDV7>Hf7Q@G=ZPFasOo{ z5J}Q|0@dXQ#GH;(vBC<+*ee1{-N)O9p0xr`oDmI%xreB>W0#eBlHB;qHRg%PCqKZs|6Rg%@Qzv+^+N2W36!*QOb_V0~ziDU9pl(wc zL!YYlx2z2a?16w46RL=3sF`V+Y!<{Yg2nB2iilpEvm~Gib8yJ0H&Q_%v~wS9JtkaQ zK)5Ks0Y8jEE);p@_!%}T@Z@oaZ_2ifO-c2T*}cldBC}mXB8LAtB{PCfCC8u=@X{m$ z4WgoQ!h)F2n1|HN0=k7CDDMtY635e3AV{-aSPZ7XxxP*x3zNwvr7u=f^Dh7iVAS>e7oxnoV%R6})-iS}&wkI$PFpYbdN735ST-RHn^xqv(1M(>(D<{Ql? z%yBl4;oBGyz7E;DbllIHKQQZFhImM|PB;#e7Oy16JAqBF%svA;u=VMak8J_=D(WfN zNbp5bc+37*Z*lrFgy+J|er+*aCpAEBo+vPp-nan zk5MJcQ~7C#{-+P!>mQ?!$L<|~TAYSUvO4hb=dT-QuxDTupNM9dsM`m+?CEWV3cz({ zmO;UtCkA-6=)SWd;7P(Jn4`Y8&Eo_)8M#czBsLdzX3S@}X3jMX&?kz{lrG&cG5$b+6@5}%KFKhO3(O|Yp)j)*c73w z(CZq1QG1NQ!QYKnO+U?W013o6ZqrJ?0+zH>{D80`*T@UHB8m#oZCJSI0xJHGqRBp&)@7>h@q9c>+Jt!U8jJnM}hjC4K+)& z=zXy`DH%^<5kDS)(CpIh1{&!0A#?4CW}*29K*4ril_{9PV0Zz}->y$>7Y+Lx>4?uc zu`lx;x&+kCuQD^Jl>c@8~~|bDac1pOY~LK1ucYB zWs;WA1tsKfcmd8NC-!H>pSY_fi9hg5GFUpk7w;ybG*15X21%y5f1upvyw7Rv*6h8$ zh{JBV=<0(bwcW17omrTfals;Zyw6)AJ);%JPQc0G78tb7QpP|D=3YvudEVe%_Z1?hllQ0oJ+%@^Vg#l^NZ&t;hp{AZju z^(bTuQG53<%}NOlPoB(~uB{D_b*{Ne$n>^z^k`H~cR@*R7#$W={-6H`$?bimKs71h z@|wNv%?XRx1Lq(l&k0!VImas0V#RwU?x1XB^EnsH&=v0ST`Y80R4umq;87z51o@P5 z5oUYmuzbT|z%Pey4ffP;HM-oesiULY%e?B}H2oRlO@J$*4${joXF0Oc2zK^)drOc# z$KaMjs1{OZ=!24%?MLgl;QUuQxI3`Ro;TS`-{b6fJ--6X zD02FdLNva8)d2U*u~u9j2^~?mJ8N7f5l3HHvb%#^tuR`IM|N6btEFF0Cr6yW3)i`g zD&GUe=SXLoD%fSA--hn)TFLZ#Nw@>BA$(;yJ!Ht6+SuFSmko7{cVOv^>vYOL?F(28 zuI+3Jc6ta9&!=v&*38@YdWPT48sTOmDr4v2x=%cq z9tpG+KN}Vj;$WasK&6=W*74IRhY7_~$jl5uZ0)P2Fl1ySdZ!wmX$BWcMEtx)zoxJuu-l;E|SJsk9JPow;0l)<6aX5AC<1PT6m% zw|iIPF?}aWFixpqaVY-%%WMrnKa}4I!MQwqNc^UqTeeOccCakI&GDD>)Cdkd?>tNuoV|rM}rhdzBQbj4wNH#nCclJHE9%W&Q z*tBhwg>3WXPS$-Rf1b_c9m2J$`=YwV_4?H#eZ%$EAH1k=#>&ivLVhnTuI6CQolskL zJ*bBDO5qapW2cfyt5Z=Lk@qj30g7MP?9O^gmZyLs3@-UgI*+uBt-Two4AC;j`l>BU zo#39*u=_%^klmBxUR0OH-89E!iwK`649hJX`}Uv~WsD9N$D{$&b@2fj=3*zqYG!X# z(fW@(H(RQ&U~p%6_Rgi$kGjt8zXnjGGkfpo(LWHZf1I2p$^I--%6*#|QCHN0OY0rt zp0!EeN?Nj9cahh(;G}6Iy`*{mwP`C-3#SdiY0O&Zqh1$se`|t+4Z-G%ygDN=dXLnQ+x9nkmG0R|5i2mzOE-620U(hDfeKFILu@5yHSI%6d zQl77qV0FU4b!MjTfJ=oq&XniXIUdZrY#O|upn9&kW&}1SXYwfhfud`6Xa3u`=iBa2Z&-IYfIGON;@OP-Gw1#R?GGf+3-x*P-#D<;wp_co%m@w%Wz|w+ z3Loms{CJ+2_3K&7&zBM_%HIRU%3yE4hr1ENrsdCB zF#p*(Gf;xYmq9q;N?}bxCB}EI-`ti}g+)x{k)6t$pz4?Mj2HWJ>^ls)4U9MP#e&4z zfHd){N|k<%-k0`yvFWS?qB@VVx*eCiO&DuRr9+7m=36iSuMrN$aCSwq%dPtI_*NGs zmSXGEVCkYIPx)dM*Yd-(V)RkAJGRwZ-^lx#^)CW7^G-C%PT=zsd)CIlGbOlX>k_w}w*= zIwe=9i{BC3I?nREm7;jwnrEaeDT-nYES9eZd%LZFuOmh$%&K(;qKEa5yF8we;fQ|r zL&ZQ*9+QC$w)8j9JC)H$o&ejwy5Z&^E|+}8SO`}*nc)0_f6uuC?~Ra5M~y-fmz28f zFq>jD%r&j%5;$r3E^FT z%K(ew2w;7jp101N@B5-h2^N*DWEu~#!Y5NatoDH_;(RP6MOQe^aq+xK=bq!{@vqti zlOP?3XY?2|dV|eRa{;VxYB@pz?{N`u$E8AHec^Yn;q16KPaqRH-P3hm5BIOCcDg+U zd;}!@Lb=JMis22>v{Tc|!G!v8^h25K^Gy!H4EWC*AC=c(#!UrHv%&?YT@oISm7@|A z)H0v;Ct2w1@lVo6qK^L@Gu?L+mTi7r`;EB(GhQn$WvQgGP;rXObiqN}<9w>wVGcM# z*UptKiGm`cekU7mWe3$RSo71;5l{!TKtt7(Sj&M7@j5?H*ji;?h6G#YW3f#Gfc0ti zkk(Gz7+Crn-i4i;CisosfL+WUYWp@M=40)GSG^p@=ltm95T3d_gReC2_wsQY3zubei1s|ZGYymd^g?3LF@ zbtK~7=c5nfCALFEFzsS2D(s`cxPTs1_EG!h52`!cWd{U-UaUn!YVs7v|3bpg@Dq%k z_R_OVP@GtrM?VUQL783`>gKrxT!aEpY9A>nVYi&2{(k<^q)GrsZ0X+4ZT3f2T9gA> z>Vpk>Ok~9M739XsK+b)|c;x1p9pF2#hW4EAOyoLqci*Pb@ba6~8UkE81 zV*Jiq;yxbQc_Y(Qh+?;0h!qNzzNp>&K8Sd)>`*)N4WeVz3@aww9PJC~x;tqBK)0bP^Rxc|vi@w?hr>hZ?0e_BCc zP$wCDOjs+wPD|+-5r!x#ak~AsR6@h|e@VcsomVCbB?=M-*hq2KBckCu6A>K8JaP!= z!L?*PJ6NbyPOKc2V#~+@{(B}RR@=iL^^c52MX-~6oOi|xHCR4WW+Xb-?ZO#wqx7w~ zhRUi3us{VG$8B@oUh2aXsehNCb1a>Ui^A=!EpTm05@t57m)e` z#&ZF-+QKe*2&<XXg1Z?|eLR z@|W?({)Q3!?&KWVe%fDQJRoq;NZ7hLl6DlK^A?H`TuaQvt=wIb76C`P(2lp>ras_E z`28Kd8b9VFfrWtCeCI7}hIa(_(rglc8IlxF{y@dZ>5h3Hh#X5-R?Ahx^?w%0Ji{Q|mNYLv1 zK};IX1-p%%aFefTtBWVx$(hjW#5Rpd{;NjHD+c)q;kLL&nA=db8w5%xLN=QK*gpTSF0A{6Ga)kM3!d|)4>8VOS+ zzLRKQK6e7mC%Int?ynA}g${3#b8HmcoWhpG3aKeEiUFZcQ$O?i{vzc6*ggH}Q4mp~ z8BP8buW(XPIrR4nIhWDj8P7Hc3DZ&&QsIQ6t8#uQ@PEF>|Gesd{Y^B6Pu$ddUxpMq zHiCcb_stR!DBQ1r@tQC~7yxe~Y~Jbv8iP3i6&eH)lR_0Cg@J*AQd^ymWxNso@kJ5d z2F(?rQ%HQ`Sf_l#^sYt~6fJx^SV&P-;bDJYnAbhpnO;5edT1o#G*@l-YF-bZM518o zFwuJ4{1;aY!CDy>C3^DppEu{HJj^^ZG=Bk6VcKqUP#KESXaFUxaIMGWLfQ@o^HafS zXpFi|Z<~SQ5PG@77SlyiTkZdPsiAEE5Sz5)x*0_7nGRzziMUd(jat^a70MsqajYG` z!9JHM8TJu^j7IsNyN|#B#wSNAeFK23WG22T928Xk;|*{st$>^vbwJ+3wCV-HXN6Lc zBu`zFk^k>5{c*eg@*5)QbmP;_A>w%W5xRd~LEdu!G=zG>aV=UUHWq3>l-lU3mq+gyweA((6 zCKCTKoc|aY$HH(NqW8l1XP-odu*{~5zA9@xdPB@ZNZ~^#+D3*vx(y{|O@z*kj;5En zXoQ07mh;If$iyq&0Lb4jCJxso;yX|kDhsEozZjx_{Zc-TS*p49VE8{Dls`VI|Ignf!uV`fi7X+MyiAh$ z-=EkYAKicbCi=P0=1?N19H+R6)c@cA0dBS;U@Gq2J*xEh>-YQ@ujb>LeRYk*8$1Tq zR#hmzC6v7o%KIt=A~=n*9L7ZGefog_;BXmnjGAjgbpkaOGbIIX7l)r9&d~@m6#UR_ z$>vZ}F4V--hg4;?pniV1$o~=@Ge*P+RbQdmX0?NY_>BK{?7tjG|1_cg^T*qGFpIxs znnZhy!c2=TRRz0K9&x#Xl z7p5{L(Wby2Bp|9EaGbK;pSQn(J__lmxNmDLza|R0)g-c;Mw%}*)oa;y<4pmuPYxf5 z>haGn+xd&z3tkfPX&Cq3;SO#6)1O69!?X)8&KcYh-tFLcbL|5*quwG2eA)#Q{o^5$ zj#&*u6yw4ExRD=2Z*D3S!6UL9cekC(x%a>IU zEi%1+1UiY~LZ?6-sZNQQttfb|s?yOBdw17AwgzkYKQG_N&?SON6XVWT21QsFx^ z4-lejAYJHnxr%%a^gc+^o5Lx@mpha`uGD2Vt77K>xQ0CB8?DI6pTJeK`15=06iC-P zFbia-dTrrBNBww^%U5K2F9OK>-mEG)$;C6PSuNB|WhFLwO&5V|1w{azTBfZa^I8VG z*{l(FAVF6{JxFysWT@B0>LLLH@q*D`j}JPjJqv(Y#!je$rj}QOti6O!*ckw?J;=`o zsvE(o0)H{_gW2PCDZ(y*Lg=#KEJ*(QTrtXlS_EWZslTtG83hwPNK8#ftq(1}J#r{i zdnFkeqE?`gugfQx>iM^s)#p7z`uC53YsT=Z2`teC0OnUXoWfrS@)I=|L3+z8f}cTH zCO}5o%ppn7?)#TBWO@neYnaLs78YXZf4`>JVF;eTV$<>}hxz149cK+vWj{8egJA1K zs5xK?;2VM1P{{RSDP5@1RmQ=SAaqc?;;HPP`4ULaR?4)8kY;;G4thd zRusOoS8}cd2WlyS|CjC5xk9>&2X|EQpNpkF^OR*ENHQO2o@9rTc~v3^**X~9L#C@N zW)$zPM!eLaws@iop!$+y(yZtTHv0Q=K=ITEszQ|kmqc6uSXUjv;`*RLrV7{%pRh68 zhk#+F?Vo@9zZQ`6dsNjFBza5xj&Dm~BcnQ!DmVp(V~JL+wa$YE)wcjvNWjnxD0Jk5 zIroKG$Ig6pVeKl>$5(2SEZTLio569j0F)Zc!8vZEX=(d!k)zija##&)AErR`+gF#b z*>De_-8F?w?!Iz<0?s>mK*S}-`5`rx(LUq#G2vjU;KIO#sql?v!DA?E{2V+|uEaO9 z;l8Lf9Hc!kXIJ%hTdpq9OhZm~B=0N0rc|r7UQ`8LSG9pSHSVrJ-GZvU$UPp1UDXc& z!B@KoAd}?KXR3fq&^1rD*)`u}C~-~}CupL?ZOxZm<}I4hTcjaJlaTU#VCz!@p#;bN zQLL$@0CqTBl`S#+m0fzZRIO0`(K?#^)%ab!2$`KDQ_1PCL-v68e7jP73N4apRE+W@lq>9xvH)7X_7o6&t$(gv z_FTZlcuDnw@Dj+9riec@t)4>$@3vS{e*=hcAW zEl9%iR$vAU<$;3mUPF@!!`7aP{`(X0rwzdCR)puwr2Y|pz-?3bJ(j)@kZHPc=gT9!rnu^LQ zLdB)qR?fJGqGTIWW9by$fKjeFMX_pO4qN!=?}kw9`{PeruisXCYon13=al zfXSepT@y)kfhWk*0hIQTzC**F-H2jFP0LU}d?2y{Bh%d5OxpM9KqM(Y(iZKx!1Z?4 zE;KO5NufNWl;2WfJ#kIT63BqADRar;>OtuaE%E?p-*>~=hmR3T!RFiQhp8vk?NZtJ53)bp7jQSN8P6O5T=+`)krB^0iT$YPE)*RtP3H2=6&M_R z*IyJ@#Wa9!dh@#Idw=@khOA(L8~H>d!k$=gqTxxm2d02R07u|M>2+ZSY#axma6|rn z%SIEN7i~IU1=$6|^upf>ibl+Ido(5XE(4qSyR+X}LVQWX?(=h?193Gf^GFku@kp|& zQHEl9aE8YEDs{Ev>}p1yML3WlyoE-Vm_EI|2k|8sx5xTJxYfGt4UFcu7wiKKBfyu* zwhLPCXQ6%}8{8J*u)P#g4buN-?U!7ElAw5EJCxY{Go4L z+Flli;1=ImT@UD`;%S2Vn+tj$D4F`T8|?G>Ha@FNLerPuhwRmY^~`zGyxdV~!N9|c z|BTJdwD6l>+gjfz>M5WT%x2Bm!?1u4Z$w8&Uz%4+n<&%mo+a5D*VW4sKw(;g$C*T) znLM}jv45Ln4bGs@v#mK8V-l*LIZc}S4(9g46IAJ9vl5U;vTe~)XY zNIRo};1zx=8C~&HpzHCMPrc9#v7{i&GNP?MI{AHGs%K`&vHlS#=l+`(GnBHPjzn{P zs6%?f6hu6asP+@`?kix`oPjj_Y{KXc_(;+|T>wxeu<3^fK;;*-3q=&O z_v2Ig!u2$MT!i`qKHGuoi%a_Aq?_nKAPSRZtvrK0L&n%qA{}!gIMe_y^;YLqh|;|2 zI7ugK)Q*FM-V@PUiMus$lbB{_b^s<^#@<>z)|kc%it+DnHVAPS%I6@bWI*$q3aYsWxVi4 z;luypwjRM9m!$K2D@5wpcc`x$e$VB0r#D7``h7XD4oH@b=Y{E(vbLhc;QxfLrLz9* zu{e7(lR9GKwaYxzaC2oyQoFzeH+#Q2t9QezAXE@8NMDEm5jI^oubMI8;ud5SOF$fR zwKg^IFXtK`Y3D=SkNu%RwfzpOU4dFyFnWt0uJs34L>JAXmbnH)rheL3-8QUh2z|C! zS7Ov6+&QybVc8I}#cz}O%hR(@B2{$iqLIshcBo$syV+~WZ($42NwJ6Y*NGXAZh98H00aEZ#SOQP_q**en>Q4Nu!XS?G#>+GK*G?({o zhZ+ut#n>YmogOa$=te|hJHiJ0h=5U703w;oPwaKiSagqSP14sUsj_ zjOh>EmFwFE(%d&-7f_zTz)=8mrepTfuji+$lgr>-b=`2GYMKk!isDr{%=i{|^YXKl zB&=I9t(H_|q%h~_Sj}9O@Vvz?Bjxz4(J$&pQzd>)B$l-ciw1xBqT9H>1wW(iO~G1r z0M{(E{=%+Sl4fZ^5io7zqLNN8yC38zXEr`VT4nS1fgr|DS+%`~p>-0=V`f^FHlaNq z9{Y1@mP1p>)acIJ;VTLbeF+^$_xg3afXkbpkNVSm-#rkmMwusOWe3drclK=s26s`b z%B6X+#iIBIjsA3;{L_yPQt8ID^L`4v@%gHj+N+4%2%~&Xhx=B{`s^fh$uX83s+mlX zFCpl7?=BIDb7#{7^dAjU-vg%hiF{S(KDE3;FKSx4HCC{nchsSN&tp1ohpm^$o8-OK z!5^_wZBdWXwG%X-Fp)kY_60$dfu@02R_BZV4`*i`Rpqv?e?(#dQcAag(y);3kPxK1 zTN)|pE|C(YTS~f1KtdYn?hp_V79i5iZ?3)1KKGn`e%E`)9b^9?=pHQAdf#`>`Fx+} z^8iQOPCCX)jY@j6HpWBhB-D=AY*#-xaI7nMlx11+7mlDIyK`?Y2km{=lC$(&Ce?-R z2m>4iPp?rn>Eq2lcHO8;h(Qgmqk{zs$fjk20oUFAS5sUg}0+8wfC|CcH+!zMneT7*xmuNoypV+e+O!jLv!4 zNUUP(3U9Q(S;;np+?VEquwMU)_G6Ysx#8#7{a&=N+OXIaC|~+KfBf>*xn==XplSc82taU-L${+~)US zBUwRkH{Lyt%WtTLbm*6-kRQn*YE+CxOtQK|676T!I`oV>P@ZM(0@ zxD2=*95R|TSrQRm)XGo z{oT_EU{x$$S88$Vi(`>e(Hj`FM_-nB@r!@i3{)S<4lml#nO9_Hs5FSP|NE?v4^ zdM?oyjjsYKxTfykcwq|0E&_y}*c0!}Q1-6|iO6VV6t@ioK9FI2BSw-c{0zGC<`bQ@ zdnNW%`*Tem&NLJOf=jq~_&RrS-BIe6E5FSSx&D|3(OU)JBS`ISg?ml;;bV;fe|hZZGZ7juzlzGI0L>tu}CTC<&+CFw*zg4ruQCb zR9R`@JPaE#515Qq6xQ}X-%yb!&A02W$;xUg_-xBfVD@xU`xKnZ2$C5HjnOQ01je|R znLb%4mD%1SkPw{|?t-aSiLEAw`+_M>_*)C&l_!40=8Xp2jzM*2yD@|3Bipl&d#|01 zUJkuL9DQ*h&mHyj@YA3yjb9R>+d8ImcU7U)1f>tc22_8D+hTkA8bFnqpJYWIIM`it z-jqX38>(EpKU%ern!dMFFyI!(pjO*rz6231)+ef1Z$CD2&b?D#+-)&g9wy4Ug1t6O zlApT7m8;zDkxVLrC~CN{F^kTmIgP;c|&SAk(rwA!(E3NiJ@dq`(Nm;^*Ri#%de>x{C5O|)W-B6VFc6dRq~WI^oHoIOqMD;NRvtEz&VlM79x>PSxa4W^#3DH$5dr13ia zIj}43;UKuETk>0{A-#3@Q7$yK;?a7awSUt#G0b(r&sAi9o`n*Nh^$SGIq)nr%5Wa3 zVVE-ShyMAzjZm@YE?Z5K+Y2aWU~7C!^KXpY zM>(<~tE8Lke>+|N?MtO)BqK)NX@YQ+ob1H8Y#}OTa*4I4Vw`BSvc+_=ra{6sz}58O zobCKq1ZH@NUP>wxYXEX0Li`c|1YtJSJ-ha);_6W-8e3Q$nuVv(*wWEt^oy0A$B~Ot zqn!7(<5)W1M3E;dF+6cZGZLp_C`z9x8NW=jM0cJ-ZI8OhQ;E5G<0M&~^xkhKFZOxT zUD8EkEb-5t%`1K&KGG3G*p<&9#{&urb6D%Ual*r#T+a(yZN_Wj1SJHl)SNaeOSWIy zpM(=o<#@9j+e077t91VY^&4}%zCa2g?ZNFW+LJ_PiLNNu<^$K61^a6|Ak(0T0P+?i z|C=DAPrf2y=4IcsmM9?h^N4adZ=KL&=3Ii5mMlaw)Jj;0||ZK%?)nfv@Qm*dIjH z>F1;qnPvln7navvyU;f$);n^7UJ^cU%ujo0hrjyHT9t5IHR-k1Qu&8r8}0hq_z|&t zpE=M(-R^Zz^mncXV%%N(&147s)pneyvsGe~>CmvgLmRS`G5lOV2Q2=P^%V#JfwiC^ z#E&b%o`M`3Qv1yoAh48CIS!N+f-m7hZ6s|~n|*LBic$9vcm5v#^b60yc-B(hQ3dNH zs;4dR#GToRQ9b~N;t$$-s^wB{O4p9FQs(Kt$f=`O#4X?$Fl$%)2~-OGIE84@hQ_aw zWYzMauq`{0ftJ?|FBcmblI~BE52$VKN<7Pa(=n-OSZX9I+-Dp)K4?p`3*_1RF0$J_ z2PFb>$gnbt;S5iu^9|Vbv-yR3h~;Hy)3PA!C0?3pW~J#2NIIBKOmK@>k;VB#>PeKL zhx!bt)d!7yrW1FapB8JBniNk|y?FjeTxjSO6g#5H1ynL9udM+RShyS}%v}7q$$Iuf zPnv!NtjYQZM>e@O{3Knu$W%nxlaZzpsFPH!YHckuYvdCFE)95ESr*AIsskt%skp3M z{*?;CDo}+W20cLz_4cpQ9Iv$vCd7i{#fuR+ex6+La8{D_n);Bxn3^vm-N=SV&)?iA z$wk6mf-K-vP~Qty10+ZMfvHPBsJxxPXpE)A?D?wEoXa#uFoVrvSVgnNTm9(qYxkj% zbcn5IUj1=>)0H*|Agk4C`9MBDAXh=X@kw=Wvz9u6~2 z;Y8Bo(sQ=olX#$2WhSE>h(*qiVnY?3{vo-Ps%Dj}2ZJW|sCPBq`ma_XW#*)K2gvd+0hI%K%;pbs&O%&^}(&EKmCW7~ip7kt4MyTiUr z9=rmt8HggN{VMzy3&0^G064CQyNuIzrprIzYAP6Q3?xhDgJF}eq@yQN@FQRY$dWFE zSI zGTGD*X8R0oO%{nCGyl{SeCd5MzA`-|5`A22(9+*J#1A7Hh1a^^c8Bs`I8#jZ)QM6d zIaX5a-%8lzy+;jh@2v5`360KabloKh?mzCF)F0O5WMVvGTU-RmMNjB{1j@5VDTF~# z!8(L|N9daW5T)eD<21Y0X`J0e>(bh(a65Tm)tiI^FLJ%WWfv@3XL9@`V0BXDV|X%dX{2$;|#cef-bw zXYN5HiY=ZsG_V>!VV{h1VyI1C1jV1WYGiZRmD;a>$$^PIqL6A~s?o)UM*id78NnK! zx0PYr_7Ia;>OwCNLXCOMHDl;943}xx`^45t zz((B_y~N^FKF7L&PZ6+DTH!78-$FOx!;MA_$~7abJBbM9BwcguuZaBY+6*=MF0Lcj zPOdii^AlDNfXvi@?QLzGuDK!>NZDaxPY( zd<#Wt7X`NQ(5g-KoG+1gPr!(jrS1*BY{4@ zw@Gz${V0~!Y-M48^Dyc;sZ|3aB9xBY0%d%;Kw{Q-h~RNSu+;ml@q9w{ay{0%3Pt5^ z2I=qGZkIZ)%s_`m<13*{op{BW~~N z#LjIUY8euuBO{ORoxQuG^Ksk(o)3jL)&!PNb^gFG689g!fm$4V|B6mYdQK?=*G=0R z_P;fZf~o3f1FRZz)4>&in!7qwASnG*r0=pBbWKD-IpyYILNsFC0pJ?g^}-pXKb@s2 zboKKpHOZ+KnR#XPs%F^u%nxY?yUPJdyu_U%;6!0r3}IrEw%Pwp@>wm=(xYwu4>`>bd9`fg3cIxB(uYpr@eZscYmtvYSMvQd3aB6f6e_FEBJ4w-HLa8av!E@0{mi!HVGBh0mb-VAxTNZdZNM zIA-AXx^|q9^Pa$7&t_$dFqp044+thQd2d}j>zzWn0*t#ec@?<%_S>{jql^FM2R{Q5 zJkQc<@EJnO#+9YXKS~o*`hWWph>Rg9U*ee!!oEM+7OugDVg7M1={PiTLrp*=vegl0 zeo6NFInB5GUxK?=z;wv15LvPqXxOSl>qc+~ zpCpstBi)~Q_Zh6Zg2r-*8kpCSV6dbG?;1kaQ88*^v)`PfuL|*vnL-oS{rFOa7QaYF zCzNx1)@PA`AA_kFj0?N7Xb~fM+k}UEB`{{rXHz@NY&_xaRwv|~n541sBF#yIRFM3& z`v{7I)iu)X?nG8SVOXJ^x^AsF*r0F=8zbqcAQl1pVwZ!jbf}UFAUe#U2$Nm_P}7#_ zOE_=+rE{zD{sF=iMP0?G(%P>s1~I%|X-sZclG?rfwZtECDJB!TxmxnUyX0(GT5`y^ zXc2>6sIL3L#77QMX3B(hg<&C8W+-HYqXrvTE<2>!z+DnV2ep*Ypf~ahzVjSIMsLh< zj>0r1!{V^^r$_7CBqn{E&p

&PRwImlC0+O`ZMW zD5rNWb~D-E^+^T0k3rFbqy;fv}3_ZIc9kb0W9UDfUVx~zsUZL-2%}B`* z=sgPH853f=y!~-Q*X5_qPp)ALHwM}7m;99JcCaQLNQ@Ws~bkSXFTuW!<$_GpQ|YbdYD?GJ@foGyp3^`!@YgzX@GZrQVojhzosGBk%*`k=z}I^P+l@-VAL{lN zSmDDS?CW;yjClJv;Ba51Y=-A3@$u8Q{5u}DOSh5ab2G016=|l{@17)$<~SsQ;ZIkR zn+yJQhwL{nf`bq`1HFKdqxUgb-c=9JNuVmsB0n&SV3hSjxk?H!Upsf8!7chTk7D~c znulh9u!l%>8=+9UE^#i8?g3rOGY}LxeS4e9{VdV)&()!>5u@5x*pWPt8ibbKP5M;k z|C(~CbjPBu86e)-=)t|V9~EeWjQJ$TJojyb*ehhIzn^SLyF24?+Z%I<2{Q3k5)lOZ!#xQr^gkQ%H&Q_t7`?~LeQ#XeYv$$&NrQB8x5(mdQ| zcx#JdK#hZbe$iv4Aij$7FrXv){B(MVsQ6k)TpS80Cl|b9{A==J1WO-n?Hx>g^laft zxEbA&LbRHnTm)Q$*2N1x=K4fj(u&7LXeCz5;vw{9n+PrUv-8uP=-_Tb4+Sm4se1KC z6335Rm%i1{jR((I(3bFQVWV+^0WTisIF8E0R`OcCa#$6otLiWJnOgq58h{b*FPAn{ z{rHO4hyLJJ#!TPT$d8g=j&CX|UkTynJnW-5L1b$mne@%+tScYWgX_mS!NyxYJ>?-) z0`SS8$94@?ElGV2fXq6w+|m6!f7Ra|Uc&T)C$PUf)>fRIA3fMHR2UXlrJH+1to5@+ z&%3a|S=HABd)QsH4&nDRL8_Rd(VID7ncNJUlY zhLQQR_!V!c=!*A2g!M+R>3jRr-F+-`u>2q~Jwk76sR2vQ>k9vDhTB9ehzmoY0Kb+WeVP?Zc8v)%WmZ{wQ9j`c8dFnD8PZ$*64W$0a@7t)mp}ioquUl&V!1?qR2DFQ3KM`7ax50f~jA5@0cy(Kw2`1~*qyZ~FfLOUueEX|T+t2=>qKH;u< zg8ujrsrU~Xi6xZ#kM@I+#V}2YgIfQRJiFRG@>|s7ha6YC^{zH{12(}x5okujPNizQ zO2-M?=2hvd*#(SeDf(Yz1x#UJ=!XK#(t&#Hg6RX z)VvVvkdQ8_FRZ3;i*Xx}B}$({UKfe#!Q*vG;gj$F2-{|HJgb8vTWwnU@slbe5~clT zU2gGNLM<8zg^KZmSjJyDPsL_)D{}E#VKtpGk#;5P7-=ViBfubDsOJn$jP#B`(0#oX zIP^<$$5mYXM$D8qO=HA)k+@C;8&A=H6=U$JhjVaQFOdF!uQJ#-r)E{FLh8smz{57N z>?5BtCsEvkS_zn&KiI!;y0JdUn!R4BkpD0Sk zB?**!Tv0ZDj3xC&bd}oMg9&FWB?(hHqhYaAr+zrMAB@;yX0i)}%wzH#o=tm1IK4BC zD^hSG)kQ~Nq1+V4h+#>64m3k(%MN$vm^qg%Z_44teMJJ~2@Jfk^_pANm+H*2fLbe@+ureVnFfzE*8RuD^p_fCNegK~F z^%C`;d^l);#F#C&3L=8mu>Xn$?XOH>K1jsoT3h!i7A-{&*$;MXBTDPVd^1HD=284&9F4T z-k^>&VQTO}XlFA@sK=A4(MpG-y>=|5qd|Yp*sR*6y!8F5P0S0!GtBO8R{}`y zdP?M{T_#x!5DPj%IUoThc7Cer6|I=RF#N%)JOvt!&;bTz>Wm;H^ic#{d~2xXmth3` z9PoLS87ikB*7W>b0xT}`1VRC39|lr$-F;&sNY0nvt|W6LxhRWC4uHqLnRB+9sbdZ)YOWViB_$(E5|n7$!C z%(zW*1Db^|fbCb7-?NZJVCY=>GRJ8%ZM>2Hte&iwUBWq4?O?Sk03aq)1j{n3b7!(p zFOiywl%W1@%g7{*MS^F>Cj5%!rp;29I4k=U^CI0bAl#+yirkk>ady7!)`_MIvJr5L z2!ejYvmX>NE|i^9Kup3{+Ol&UwR~KUzdXYYY#!*oj459IROri5FWK*O!_vD5_M}y6 z(b3KZaKXh}{9Hx!7W|}gd*@{cR_ar_l5X!6k_9+X0pj>ap|*WdET*yXYKuX}$3bmS zj#goX?7rT5WR>CkeSU8wT5a?u4d(6#U_+^MZ(jDZZ>VZG z`2F!aI%`dZXtS_qdLZYF2YWcJxahb#u;7>XO@fmn^Kwv`AroJZy>fc9G$wA?RV{^) zgS1E z%SK`MwemG{_Z&AxhcEEb%UX#k=B{C}dDXE+*?O~kz+5Y4aOH>ajyl+-(0+b}T%X|g zfEI&fu_VSyc=4|06mFM?Y&<4OTz5V}k6jT-7a?`e$mCdvPuXshC4Jg;2qPJLAP!X3 zpgY4qoxKuc3A7nR>Iwalg2?KY*j)TJWB?TuviU*f)IulNYdbeWW!iVK_CBU=usNeB z`*l9dy_NY(MA5I2j<^fvh4+dwaG)t0@5h{gXt&Wp`#K0ujeoqr(S#|(hGhn%&z>pu z!n;CzNTK%Q5azSgHT`VvEk_BZf<}LfEkK0yXyNzGl^l=y`q=7W@k;>NkI34?-RX}j zE1$>IcR8L=E^ZOuF0qw;Wa@7(PputxU%~sn_9{VKG4F=rs&Nfylod(ZfqvB8Tzb2h ztBVM$a66rhHlHs}$=OxU0Djadf5lWUgU?vR(s|EPm1YlbNaGDjYgshzAdeYExRPc% zfp-z8%exrKB8mT(2d0Ms2v~RIAtb?GnVn`~`12Hdg zJc5SMMRTMO()<_F8`ya=V_AVsCXQ^(H29oA`@>Fg8Ge49)c>;-VDzNo)wGk_Kd6*i zn4{mh2-wAO)s?WTWruNW=QMu^d7VEmfjZW_Ef^Pz)i zs@gQi-NX_@O;>LA)~P!M=rsz_nA+Eoj@mx9)`NJ9Hob=aLeI7>YpxGfnf~d(tt9WuWjvzm z$c-g+>c|8lW1i5gN&3BsU~Y0rM8;0;yeI2xd1LEGKU-LmehPsHWiO`4>`N zW0GEQFY!a@^qjO;gtpnXIq+Xy%-AOiJL(+@l$Ux0d ztTWMq zU+)Jqc}iW9q@IB_kJy18BX1+EUjtztg0GU0lsp)p{_VF=TlY5Y$W%M2L-$NaFqnK^ z ziX8(zs%-3d#}ha-+6l1Y2o5h^&(`~TDp{_rbjPDGxPlCceheqaEy2X&rU@y#%Y%Kb zcr8YgppAv5Vp0$Hyk;4K{bat)>qVOGr;g^#U#>l=4#gd8bgQP@W$V11!r3xfMRF_g z(xG3dN=m9NuvV$y6hT)ufhPsNqzD@alrU&cXRuZ&EL*sVd{^%9-;%diYjv+g`@U||?BUa}Ya=&d*(4%=oYa#7q2rjKW?gm~X;y@ZgIX5VahfU(M}OQI zUa5^Q@LKqtU~A%BZ_LEa#s0d3RjmYxAi|RA1(5cLm97nXq*mROEI?E9h8yyG$qI+2 zjgZh~{dM4_5kj_f^mCaZ$4Xt~C(LqLi?nh!JiLJ(YSw92Dh~+2Mp1?WQIyTFE7r{i z{0!B@d7RVBv!{Z&KUBH9y8Rq$W~^c$47SbTw>Oqa&JU;wf$7!6#LV80ETmx;1frT} zD8*b3y2{~aPCd!HR@bm7%I<~J3zsp3uG`!;;;bVlx@!EN!#R=I*6fYEhvn{l9p1N} z*BF6Zp4iNM8{bc-z4Z1>aPsH)4{wjF;1@p(*U{l-?r-Bkqnyk1)d-ur6E}amEA-eb z(|Wd;gEf1Lv)Ga)T~8ZciSZZJk5l0xd!Safv(YT+S2>YURfbY5k$&`^UykBPML`1u zYcNvLM=E9=Lk~kE>Clc~NT5SiCZVdpOgX4JbdW6ZoV)13WB3>Rm-^j$a&x2a>A;Yp zD{6qZ&OIwY6v5uXB_mSvWA8a0j-+Nsi!9E6RLCz^?AR|FwY%7*7z2boFi&DD z8DrfMpZASUtqkF0uaku?k1x`~VvMp_?4y?UTb&V0Ty6T(DmbT?zsScc-WGO{`p!rp zC^4^R-hXwSRE8m@hg+RvPA^_8RMgjZ*P=GKf27C<&l27a>Hn$#6UqgBd9=14&Y$Qm z1wq$+{FB3Od2)`*V5!w;N3MZg|ARg@Z0lE(%+nlsC=Qyw!A~yV$c2;i`96aRv7$nT_m`Ox4>+$aPxu5&X!P?1k;x& z>*cfmF!A}9826>%=N0-K?H#YqT6zKZb&L?5^Ki^% zOz|@1N5?*NCmuPzaMj=Hc{#TJZ?sIj4Qh7}97XxQ{HFG>oD<+Kn@;Ol(Q4Ni+ct|v>K z;-pu4rj*-asbOmHwbKRhHQSPf5;`i3BIBeJ#)=D7C0YTWEdeM%Kx`?DwP^&e)&9B$ zv&n>aXs7-rLP>K3z*a)6Vl!R+GfC_23t_j`#=5h#({WU1(g8zcfOVBpGSZBD(pG4? z0OC)g!by>jd9<_t5-@i%qFqmlwxzbfy7|R9r~!c#GE)24E$fCGjMxHq)3Y@kpE<=F z>_2VjP~B=pIqT)Htl55G=?`tkJQveHw^b|<=-R(JH>cJ+!pphjA%LgQC#?`1QA)-e zG8|#-GNTlUaL#L;z{2nXwsh`~CMGu@z+HE~)c@wYW1G6J9SV))HF)sBGU9Hs6J)sL zjGL_kV*Ea8SoJj*d(z--R#c5bi=dlG?lyGW6>@8|;rR+}>feLGOM z$5>@9cr=TuuADAy#pBA>u-S?&Pe^7xK`_Ua`aPE9#tvr{R>(S7ACi>xOx*i%TkIv) zJSWtRaudE#Dk_S}r4jmvF-UC+!2K5?2z`P;u6zp?|6L5tFIUIz#p@T<=I=BYwE_v>+ku~^S+FTy+B?6{+b;os4)TZ_TbGr-^^to5@u`JjeoU<<(C_E zWQiL&)tTXUvC6 z62|u2z47aR+rsjWBj2{Z+3||7RSp>yv*?4n2bh~b&FEt!{J2VM_t>BF;jeKx^SFhs z#OCqTCKQ-sI<$5tBP9xLA2YJ~=}-!iBuZJ=QUO!S%UMbC-AY@;9bVpU?xI9*@T8Se ziby(`Y~)IE?NIy^@uL3p?{f2DAeBM>M#g^OE0BOmL*Qp!_Xpg!eVqb+6a#@7O0ju2 z{u}e_zDxmp*0HLQ_bV}W<6|!d89YG_DeM@GU2B*+Y!;dtbF_7O8XG|B;NS6f4!`wm zHfkWmNkBk@|xr0##+nH{+ZxEmo<@6xy zj=DU7QH#v>Sh|#NDEcU&BrB&l5`LDR%>y18h5B&{7Ch8EFXh%TTcJsGkJ4waC-dS{ z!US44IVSiMXH0u5YzSXle==+yg3QmbiIO4NhJy|vIwc~~hAQ6ol12$)lw1hk6<|i5 z;?6{bng~22dc)2jT5-ZH$tThLeMRfp$spd-XBcF?&ePL=af`a_rRjtQ=qAtOWHZi; zxZ0r{2G+pUhe>^>iAkHNecEpIVF5eD%E(lzENjN)Ov(}D9^!MVi!a8oJ zlV*)h4Wv1hMGmlIAx}Ck^#KVGGtYts0@m?|MOPZe6FfIsZh5=w%2H?Y*yoQ4E)Ri|Xa<{#N%hfJ&k0VkGqw>u}VKulkrE5M99Kggry*!dp6L}TP^sFrOW)U@`?znX{TIHR|-^Mi! zhya3EV&mNO;L8z@ol(ev^3w<>KH*1U@v;uwuM6uR<5#2xbgvIvwcEGEJIU`D4kiv# zE0bQ8=*8Jdn2{jO!l6qjT2GA;8e@ex4~2p4gR+gtf8<=+YP~-JG@wqEU8aI!)|S2~g^dOVkkp=f@{&fRMpk(@2CvQ|1S2sEkSjH%SYfVodM>@By zp)Gy&m;fXY)iDUk7;o1*F$`N;-he=V!s11R--Ja`CvH6g0^9iGCf^^A`pWe)$i7s- zk~s!QD^O2@DG5r2SI=AHQ(h7!j`qq|{-?w3{2HvNIQOYtz-W{A924xKt+aCY7v;DY zHo{-73=iC5l$5^p*!GbrVubI}?-u;p1wvKg48sz7H1Y!CMa&6G3a;QSZDPBk7G<@+ z&$Nhm0% z+s)DJ6`B9<)pznCq{!?e1GP`6cT7hYa!}pbeRTgqkwvLSN`~(^!<$6f7t&Eq|h@d_dkYROm9Tp<2D-ai7<> zj(x)JI%4U0e)NrwnWD&a+f2U(?hdaPp8KH-5)uzjKWpV*UfpGIO~c7-ynX5+`DSv? zU}x+zkN;beMdwX2v(VInm%_$QBtjW$=XFROKFA@Jfj3$^M8Wxwxx7?(;Oi8w{(y*M zRSb#438r_z5{`3{?wWlJ#KmKltN+TF9TjaiNdanLDsnBsE8= z`@mRMPj7F#+=W|=;C|Bxmp+*G>V{$*VHJr1fSDEpPRvHO+Zi&yUI(o>JC<~Y(a zgSQOSH6k7YfJOShnS1mdO3B_{p#`Vd6+al`XBhRhBqU)UGjl#u{t6Ql<~#da;b*O| z$pRR)g&}&BceSl@7p5F{_ql%Lag!T8RZ@B8(!(nhEMh%Q6;bJ1LtzHvv3Sen5 zhxx1xsyh8^^A?^TN<|tT>uATABbI~^)B4)E2E5Y`&DfC>!VvffoeUWH*@Axs9H_X@ zp?|_#7US!4A*FYqNi*;ew~B*8DxF}d66;a>iX7d=;;SXL)_WdBRAup&Wu{2mZ=Fs_ zK*(Axa{B*1)Z>sGZayc4*zZG-G?JS-#V94qoS(K!2&V1Z5eVHf_)QHT6{^!hX|Fh! zJ#pHzDtp-?h~qB~>g(T1=NVqrXTsdi%UQk&nq_w=xne}jyXFLk$-T`_3fN&b4rgNe zHC`V>uag;mW4ni_t4fT%6{vq9&UD9&MIiKQbO%0}uS-%67OvsTxP)Pc@-IDaBzn*S z+;w?Kc)_VrLUw1&o!^k;mu})xM11l>eSJpN2=I29?dlgS$eO4Dfoxqto^ycbUB+AE>_sw5q zQ9&V2;LaG_+k%0i8GB(OWr2Q5e&L&FC1Qy+_vz`mClGE{>f??c(6=iC#Wr=G>g06i z^W0gALQ1t)wz8{Fez1*9d0H$TH{-B%fZ(?)hU4W=y>Y2AHE%HEPs-t{KXvA!_?w?) z{Q}hk6r{N!H`?eJvypXgJJKKRrhVA?<+xY%3QiSX9%Z^VCMZVfuos6l?~cP_<#s3> zgaqG|)_|$P8La;v^e!7UT2d#M>qS}NvJyAMlz!k~YOJ*>I5{8ot9&?!uRv5dtJtn% zNhc!KJ^?(|<7r8``74rYFV5_*0-e*Hy%=K>*G(IvL8pAU-!^Fyou59M z(}(x*{lC2$^#6ag$hVZI!o$*FV}!h>u++!D{l@vM^iU(&$6a(K$B*XFHra@JJn5&q z|1mTKMs%s?Ji6)rRYfmis3g93=H3(03_%7{-U9Z<=Gal4zmZ$`mYk+SuONE*Yf54T zbL1{T$LEZ~i**B0cy(*QQ~O%jlaWG~$Fl}M9DGzif6KnfR&UM@(u`4LN(lkFro8#P z1j*M+(&`$|4m?aDbd%nJsCE^tyEZ1HEjPpN-VqyJgWEgVRUI!GGj_3Dw1CD@{BEa~ zNcznCpr3mEei=9rt?U+z;qX0-haIowX!j1`b;cWD|ek}gLc=!vQw{eD_Ol^ zXC=Yq{RXGlQvA!5!RTY?F4z-hYr!|2xm^>Cen?s9UOSc9*d0HgQBF01rRSLXh~y%L z9Lc(0b-Y#|6n5`D83#fAHVt`X-0hsWa85b*5d?~AY^3XRlIo8t_eV>OPjTvqd|lW+s>qtSQOw0<%Xyt? zI2Eev0X^5qrNboDZ1$coD`drj-@0X<$sFY(`eZ*Lq^3?HN5Xr1)p=}XtVP@c?}~CK zy+|@6yrz{=z^upoYQ_KGzy4lWoo2`&!yPzXzO*_}gRCcTTK#6Xov3W5<$Idrbq9Or zGGxUlrhl1ZJ_$JrW#3#}OQDHbjnbx8PgB0Gko*Lq6Y%szhr6r^oP{1|TD-mDA(iz& zJ(Fhqg~zTb<457t$wm7IBWLtVY+Jq3cZPeu8aEChJw`6N?McMUNNvfTxjUnUIIMoJ7P%&eY!*RJ`VP+3?I00_Cch7i!FZ31j ze8xSpunUXdJ{v-vusdBFF?|{#$Iud#Kj3MM5~~ASIWmJgu6YOFWZ$~8E#Z>ySRXW` zc=#Vv=+uog@i!9GPrm9#@itB+E^k>(G@)BS$_*ck638jtqdFcrK3dFOgrzdy$4eD8 z(vp5pN7^M~Mz#j8G9*1za;>Ds{_^HZ>A^uS*wNxEAttD?{8DLXl)w59(-nxq2WfY%?GBaWp2U$S@<@v7L6@;n!+ zrtgd3g{e;TV=4OHY_jaUTWOof%so)36`e>4?=V6&PUV#Qqn^g)(DbWT$CmJg!Mc%uxHnxD3lhalS4hv)erJVlj8^=o~oso4%)oAFQ5v+D+Yy@v55iznC< z04ljcP1WzvkuD8VAn-~zM~jRUse5J{z(Q4L*B&qvDh|<`yjQ_E%MZk`?r_yLsnOmT z`i=zklJCT~5u(W{f6z(NrKszipip*Cjz6>CYvuC`@Gv%6F!dmvX{@^~+`kYEkscZ50!@?gj2}zOMPJr+l^_ctGxOJQvK1=ogB%tp)|#)|^#SuATRHEx&cs ztx}F9>1vBEnxlMsf%D}RZ6x!{aR~QydlzTHgS4}C_}RfR+K!gbC2n~t9k#kgr>79z z`Z?k)0Fo6i&d*-q<3?+5Ux@G9oldxr;%rJWSpjPEwjxF3V4nZl=)EZqW-|6m%l1^Y zu5emxl%c_Zr46K7MmLUHt6^X=3#qbPYpE@?*y#r)k}PO{onHcfSSL? zE+U)?u7g$02dyO1Ot-4zQ@gO@zN4lZw3aKWr2~opCP_M3J$RjV+C;77Dy7f{sOh{A zzIBC_NkvrrEf0SB&mD5MI2vVY5^MvT%=Er*+^YU9U3{3bVE6*D@L;gsL+uJH) zez>l$p`5scxmRG;WjSqYVIj9&vh?Yzp(q*5*jXp0LN7=TQyn8(3ShO~)z@ZcCgZHv zG@u9}LTjs3u6VB5g)4*C0 zUnAHJ4_y0@{i4ElHJ$Od1$KAK!bwzVyVoD4nd|Ii(?K3`b?xpO3Hq*^4^RE@LDas5h%7pVYA{` zwl92HI=v)Aan2RKqTUn2yd=&CP^}lx#59>619ACz*pLEod24_G3l%mdPiD%jkAUor zM8JM9`_jtZgwN8ZsK^`Xkg3WK^yL{52={JA2HB=pH&R@X?&%&lv6@eKbMxxzn(d7- z5N#`~DW_2>^C=&{kAu$!jPTy|Yn0D7D9Yygjb~aqFo`R24a-H_OVSV<=)elD5vvbJ z*cM&mNA@yzJbJAlRN8){d1hfyd8xbGAR*MY;gE*fB1y&#qA2z;5E7*jJBLaMe5SKS z%XZr%VCU9AXNRF@RVUh6=cKC8%>gYf{A=-0hQMQ(da~2yEd;`4#KC+K3${=0&UC>w z5H)RjlY2ZjY4HodBYB$VX%;_Z9FOt{P*8z2$&w;IpCfG{0_GnXF?8A_d(gmULI3Qc zK1Mewlz+%{eMIaj3ct8HZD)PgYM8-Pqjv*plmPE^vGPgM6E)_xMr;?resHRN;mh@e4w*jH4ae2Z<7aX8o_=GY=Cs~l z+%`SX>*hlt<>xhDp!6kei38}%QrG3Y4yTwEOJC?T^Y7o5Zfp?oz?EWJHonA~H#em?nijG1W>ANy5`ZrE^r31xR1!Hbh_sXBwVKa*ubJ&cyWjHpURwjZ>zmvBL3L2A%dTTpWz_JxQY^}4 z59AH=*Z9RxVey+cLFJYOjAmmdo44O(AQm(7`c5t68T0B!+wen zvJz_}-@)6%`TDb&(+1weZ>qsf-S3BK@%v{z+5W5YFw3#p52f2xd1ue{XHTMTD1C?U z)OVAH`&v4p9@w~hTds>ugM+*Q$jk@k&mQz_U+LAp z58=VDcz8eXmLMH$EL6}sZG$DbM}T%vTe>nqM-FD@bNAx3d8)T^(g@yvMJM;BpP%t( zE`BWZqZA(X@3dE^Jf&GhlRZU#E2A5K-Q>>6@m-IbaTQ|j*CD%)dLil3*_+_z)|B#k zA^52V*eIed=vW>{fM-x=5R2|@*3}AylWRh#9m5sZS7Oq?cr3k=O>)wQ9>2MXx0Gsh zbJeNCKT3;E|9(6QZZVI$yF#@=@--#R++bbrNPoXGY4;8$UzX|C4mwsfWD0h7U9{0n z+D}|H$dv$pzV>5A3k>a~9$cbR19YUy^d=A^4kmg-PIy#?(6WU$$T@25eA2 z6vc24e*FxkD)UPHS=vC_VRdgB&xQzo5V|6CnN-HNcwGZ}4F;};oqbwS-qsJS(MlX5 zU1Ks{YRgyBJ4gS*Hy{Yd*A1!wpn+V6vLkuqcCx=w-a^t;e5(-SkU%TEbe7*42N8Dg zboa#Fq?5lNzD2g((GMs)*?g{w0b2aL<&OOm&-ux--X;A0_d`gfj(2Ltvk#dNlMfY0 zKPxPRmk7|Nt95+c!l+KA9i+=})m}1UF##s{iT(>i2RA5V1S_6XSA8?81Jlm9B*qQ{%M#DQ0rv`JXOTCGEGD3eyp zfx^A{Du=vv7OfPsln+}%`Mv|E8O9|LHjZ-b-rIE6p3AY@C2p!yzDkXj8D`nN-@P>& z_!6Y4@zk|K7v8gW>FdycC2fMlkoqj`^vbew=P^oltvT@ zMM69((nv}hpn`{cbNDKoa0xBW~-3A~zbkESBbTpR&&G%gJi4e=fy%SA!xv}Q>gj>%fpU4qKZBPbt=@P~e zB1P;zP55<*o@u`CN$8i1e%@S?>Dva~aoN2!H4#}4SK1`ERGu8Y=h`sR9h!G6YlH4> zRfiJJx;$S1kSUE9s0!n(%L9r_1~iwEudD?LJmKO7-Eub~Iuih_P=tzKWFnwsDUfs{ zP;WS^ND^g!eNypt5MTuEkX<LXv91Uid;z{!MEV>6G=xM!f))S1Na_bQ>iih(C(?N4r2)Je4iQ1 z&5`2caw-7EOMW>FwDM!4sBar`?xWvC)J|aX~bd==rTj0E-IhN|MN$yCq3GV3q{EV#`#+B!k*=tU4H<+Z2-bT&t1JSDG z%(UP4tEt8f?14cXOtyepI`?G$0teMqnu9lU(o;i`%!&@4y<%Dc;z#oqOqnA~^wz~+ zNETiqi0hb7AUyp-F<(`0(J7Xp%f$m^1By6o5`R)~cNzq!`Cjz@Y~}vR%u^N zka5(|G7rVLjc*t91Kb{b3Eq}ItV1%wR)LnT9}=Ysip3cR=oRbh)-{R`4&5L)(w11qn9zXcVAHnkau!oqTP3{Ur_USBKuHxFcdyB=f8FCvb{fUMQ3r|^MH&XRcI8a*w%+TOwtZ&A>w z&Z0+8sms7{=Os>jU`!PnR9!0^UV!_d-;-zqH#*6YtLzaXZT%4d^{L5q60?blqk#hT zY>zSS*=EpQkBy4yVh+dGWLl>@^8?Ou^WvQwE$9fx%Na@}yzqPohOO6=#j?JUK8crr zWtUHy;pYUI(Tle$6`(VTj$4dNX7-vc76l#1PYEflefF#~?aFC-q^}gwg;Xd(HTv`G z+KH<0V#$1Oz0R`dH!f{i$80G#;xtwKQyko*O$-|m839LpP7U~O1WXEK&25U=nAn%UZ^8u(8ywin$}gb%gTT16ftd#Q#)!(6VLljE@C!TGrtSqLAlQL zuf6`wWqF$f5$B(xY+_t4@%hBiyWCOr>(CJUXYB9##@Y{MfxgO4ycDbYQ>Omr7tOw_)`{! zG<3Xt)PwnAC)SNPTW4pED|7JtPgdVJ>4dEnalxh~+8u4!23{hYU zh2_=^19l-Ad0I$ipxFbMnj(cK#yttjh*;>KuSFwwiNE?$CoDsqXPl70XC;+E4xfZ8 zTg`sLuQe$!_h8IQN&JZue6{his;jHRlZ^&&%OLOx`&F?Tu2T&3@HvPQG=sVlT^5v# zwdRk62iZoS7eo(ai^B&b)X5mwr(XbZkpiexQ{{+3joB&C#`yZulJ_(uASd5m6nt6Q za8Oy0@%R5Cwt zgST_cprZm{r%f8WqhFq0%Hvd0 zuEOO|Bq@pO!_Roah`1txacsxfFnpgIHzE=T3fEl6dRGhQ)z%tDbRkK}Y+~6CX0E7_ zs(LRBr+@!VY@BRarfF^TWxNSUg`hWlPf|d&=pTUt3jpZMc=>XrxixOee{ir}Ley=7^8C6rerv~L40hj2 zeNsQER!_Bz-M>+JFL=Wf#ql~6YxY*XC!MK?-7-Swm3;QzZ4i83rIcENAAv~Iq<0!C zcGOe=>SG)h9P4t}BrapzN_PU+J0F$q9#>Z<(gfSFS=?i=lAOKe4rm&kbDU}Y^6uSA z-_8!7sBrj{19%N=%C_;%;JCSgWZqPrK*Nrq>{`nJCw3ck3gno@*~DZPrj5|RQb5#q zKoU~U1UXgY3vbjE(T@Nj-FMTV!4r81o$;H{5S;=l5@EYf7yRy;;|7}NC_;lw0`-Z{ z;(Dv+V{rA127ast{?dtjVNXT4qipcUmxoDOAv9d^pynQyOZgqJ{%Io`YnHH7nO|{} z9dEd`*|ZWD+Q)1w;+d~jds@b&C=9+2nLl6E2lWDt!1edlfUa|2?8jYVeN@Vhk8}DD zcuEs#@7()%M=Jp`(Ig9;xlQ+uf4@*U6XVR}&7&MT;kqI&m!u@`1+(Ezxw~%-WV?(l zWkcmmpHpOBN(<$>dIUMom~!N3@B?XHIl0(Vt?C8nQHBh08X-Y9vVF;u{#ERrtcv$N zx_bM*4FPTkl6nR(Yy4?hd%YSz0MVWi_#jy%=o3g7O=ybCbCn-hk+%>7{J&{usw_&U zIP@hM={@nS7SA$=>7^Po5UyK+Lka8Rx>{!5tZAGJkY@sL?6JZ&$2MvUeb-?1b%pmX z&VZ`92Arn$l(0svp9#x%`-!#1!zxnRqSxjwhi){w2b#&@+`I=o$Eid4&o0EO;nqNfYv~7X!N(Dg3ULU0J;y2XHHmor9%YHD4X!TF z!U=O?dh-RWrgei}s^K+iUVdsb@a9}1Kn^Q|Ren=I_7xv;{u^Bs_hEu78%zKwSzy`F zSBCTKT|uC>0V8LS^FSC_Z7kP9EjrYOK*`(uvmyS11|_ACu&se1f$-j)@%LS@t8>ph zeX|N4)~SS(^Q2($Elsg|VL*)2FFz_>IXoXF!3AQ0y9SYvUu>3%CQt{~u&X|~EWT%7 z@Rq)a4PW0ZmQ5*tP`(U;i-l*Kkl$A5**O~=5FaY0^%e?ds+*|qD5Un(Y22lS- zSIY6qkk?br#v=>^Zph4RIAqn?*BN@+Qz=A3e$i-u%g>)rH|ol52bo+Ey+9%wJ$G3s zag-kSebm`LSeX<55!|dalcK06VLqGTXB}{9xqjdH%2%J9s%yzcH$VhYR#V&9s0}KZ zb#>6^hPwf0w!7k6(9U(Wh0xlsIrkgEB#B5-b8`m?IoiS|uI};?>1xyWRBGBK0E#4c zDPRWM=N}z1-H3nqKI?l7^bDrNSf6{uRR`)TP*aK8%#T08{ocYi3A#sage#tatb~=~ zoq-f7`gwHpp7H65xiPPj>zdykp30#=;}+oP@XcnxSvtQ~&D zmO*824sd7*eC;B%+iZzn?MN>R%Q5Q`%b3jdfZ%O+K6!Lt;M#B9f@7H zb`i&eLu$;6CZe;=hs#f(m%`Z8S|?3oj0+n+C&a{kI7D;zl&sm@h*Vf7=iQ7@tI^CV zGwZ5lFE%w^D~|aF!slDtVfJRmo8|4g>z2kjjcW7T=uPq3B<(XZ;3~PdQEY8ldb>^? z5ZgiaU7NNkZI)q3TZ{eoRPnx;C#biHr|xPx#d}Gh)gEHW7@e6x(^N1NBuE7&5Gk?_ebY~I%arTy_tv7CT9>bu{{-0Y^{+! zS#3QspEd5N=>mzq%h{(kauA3xkB~a#Vp|Pi9H>6c1aTK+9$A!1*Q#H`0Chv9x9r7o zf-G&YLFCUpK`mYAQtHn;#(a4|W&8jFXsq=-=E_}HAtl*qNg_2pLVZ8LHM$*o*R8RXQ`s8AlRLI5rTenQUe6CT6KgSz`^57uuH z-oz%ah6t?xS~d|I6-j7P5!VW7{a~RQCjslv>kK(8poT}02b*G_+g=?rn_2GLX=5C> z}!Dik9TKSXpL*3+#lHdRKTe{%bhIx0k=Gp;=ZbR9G zqHR&8v`0%U!JG?HuMSS&(iPva?)~mx9jiP1?tp5V;WrGkZOZ!2>yTHN0QH&IHmdV2 z$e7C^2)zQ+J~s5cvMOk2Qo5XKJMqM+Utw6MQ@_UbL(K#qjN*%HlcB^Oy5YeCDu3QK zf2^wNr_qfa5#bP9*D4byLrm1$PTDN7!3@#4?Fxbpmn=(AHg#Hm zJ2TZJm?Ae9MDgWP>Vn_q*{#}B?dqr*s)M1&h+P0^J@Kuwij97f)Odiqdj+_?P^m;N z^J2hxaYaLLHM@Zaq*WM-hH(z8v?-+dzd$3paL^lmOZg^MZ$yr2Hakt^Hl(fX+(#!l?6h`Fi>_MdB*Vp|D2$?$=b|C4s3S*~ z`bS>o+z{VphuV&r3k%zxvC_^JYKY*Ud08Vk6T#EfyCwxc zc;Wm~m|ru(sWGyy(EIj`)c2@@^{m+s7vHxI(uBPqh*N(u2VaF9nxYZAkc`%MTVvnD zbCRlfKzYsB`W`Z2s*5x;r@_hB%#7Zn>lpxTWV#;mxYVe@f3o7G4eQ;Ac+ z19gtdiJ*WKM`hCk0QeKj>g$Bpg}Uo%ka7_ytzc{k!u0JCHGjo|(7DBzV^ecGWe%}< zTx~Cz)lm(#VjG(>`GZc;-L_p!h}(iqpVT|<%bE5T+qp#q-Mk6^x$R z_|YB)rqjh9Qt>$e4~CkF{X|x^MBEQfiPzhmx=?X;EUFpzaV-b%=t-zQs*uo(4}Jl} z0+v+R6nC+)9eexQoT(cdIQw&ZTx>$Lw)xqDKi()(i@Tg>*Ick)XnM6&*dR9kye)-J1<izgBK~8kS2|f~gcK=<7pp{h)S{C+@G$1V zpwK3J_Cun5nc7|a&Y%YziTF+5_5yq&+I&Gjn78vP#@%DQKL&r%UwOWd8GoVUF?wgi z;;8B&(DfUYRh;IO44n9;RMVGfu^`9%(SbFz`1df<3~mcRps|Yj<#$+<&`sP@$1!GX zm*F!)U=(p!qv(=8ZT7SrILdw<78uQj+q&&_6ZifPG1)pxF8h6S* zX{@pgfN4h?4iYNX*?~mMmB9C|+PSSu^8?Evuy`ldmm-2nqG7(5J0aAYd$FkD%qumF?(JQVorK+BP}>$Dc*2R>)%lRrW5%yZoTfXS z-@YKthpST;zm`4S`pcUYkRHvSMS%1VRCUG>3LgZV?JBTATBR`WnHQ#fzBXrOs-xn< zU7K^-+yPW)+?rCfLPmICtI1A-w*Y$~ljd8cL`uK75B+f3H6W8>oie1bAP@ZpC(Jgr6 zlcv`Mjghvp%{{J;#%_U=+kB}S86WRh-G(3wtg_lZ3`8YD%ZmAI*UbwTYZMZ6mdEiv z1nC#^0&z9o60j5JWvwtVkBP1Im7Z>Olhq{_zNIPCDdj4(Yn9X7$db>(cOw}ev{%>| zs_nRaadfcw?u3Wd2?L12!?fE??%PNeSYNS5)}^RKDnF@(L9JckSMDwLnXUnqrWO08 z%YN2okV&t^?A9SaN}(GSP&-Y$c?hvMZ{HSkg-i&&jqb>F5+VVWe$rgfF+B+9e;t z!t(w@~k7A71gt*%zQG z#q@Z_-DTmv>%E4gmGgwneag=#7j&k8cN0n;@lh;7I5bW8bgR*FfFEsc;_ zq`5CdJl~EVi*`>K*cfZ`bnWvh%K{ZI6r3F6K_VWq7S1IARUKjm+ z@TD=t*KKvTEPD!h#9|(*9{uFKv>LT7+AruHu)3ZR$2xg*6c^-zg_p(P`qRAYglj5fF+B*dy5ufahjGIV+@wa*Qg^&xa2Pf@#0Qk>3ciQ zYdG=!RibbDsTe|aiz=!zM;L?n>&8e%83ilt2QFF*Kjm0X_U6py-sn(WHl!E;FTC>9xPetJ8tJd{u;1e14M{nr_^!ADBGn z%(clz(Z!!;qiwqHotkCvxJ2`cf~xs(A7=dOU1`e6yaAC&p;e=Nlo;|I%R zr(W|XCtY##pEVYS0G$LiS7^wf&;wSfQvG0{QNZ&2sal!8VR>fbsrV$SGGhse9cx#h zpTQ!0DIx8XSn*i$880l$>_tGwW7OkMXHW=Sd;NIA`HD%`qx) z6S^LQXgG7_Jh+N7;$br(#fu$5N0{ZO&DWD(^ zX#b1lqae8iHJBy}!7@k>^6~?Zc?l(==cj4w5&6&eyqxEG%5E_Ipw^Y}rLYsXxNjPr2f348p%e^^^huDlTy#t6>9dqEoKr?HYxckWG9ElU9yq7 zLien8z&3{jltc(1^Voq5bb#GTA*qS*vtJJu2AEMGv30v}V=}JD6L!)Bs6DUue6w{w z*nPdYP}xc565N#X5ZM#Z3Z&7EDbZJPJ97)5T{23&oS%pbH%W>e2JOwA_9Bo0W<`<_ zkEGPQbd3YDS3$ zho+V$aoO!4$fWexgN}0Vyi};&eHNWvzCNf;(Vatjr$I*4Za;kYT&OjlBPT{CT+l-G zP|+8g85NT81phkfgn}T{%cE)9QO(le2$XvhwJTkE5N>SZbag^#65O0#jK=0ZdMlBU z3yuJLqxQ8b=Q$T>kb`dkOCYpJdCK-HI(ogx0aSbrJW02Xar^nM(NMSET) zZfASMwf3wun;?W!js~WOEmL`~+`p%EOw}p(xF&j&ccQg+%{vjgQ!Jg!n+pGc_7ze4 z2=YWV({R-cE%}!e2tqrzlH=J?J1Bg>!K;fz(kKj+~p`L_5{p4G#gU2J;19Fi8#7W3j>?|Q=(H;djrrGBjp&5Mt?#<6*^ zxlnJ5Cy80dW7x-Y_7jzLaazZ~y+4q}G7JE_({6rjS>infm&7(#JwgOHwIWAoEnM-A z*p>44gj&gGsT1VK_{8;v}D5)HNaQ5LXg|L56k zo3`tAwiRGxdNH#uFL9LpfO9{8MiF%YaX*#196i(;cZ&jvp_!Q-id)$Pi}-mmL5{H! z4T=!_iriN*%=+AQpp0pnrhQA0H2`o+mIVh8;l}uJ*xX+ShDifi;hNnPgHdh`8_;== z;Oj0VAY^M+dpHtj+X`X7&bK4F>d5Hk-SuDIz#hB-G<EucX`>Ojms=45$ax*39| zN=n7T@?A{-Ja*T<+i1m|g(#9^z1s@#ZeM$EUXJJ4mlEv9*#Gi!ET2k2#V78iH%VK$ zjIG88)meBvT&y7tKY>iS9FrnJl@AiNHVD+q?A}USHlX_?#A0vhhV=;)_3nNcNKRU= z)YeGLkAZoFTQ#t6Caa~sR*;YdEtBEm`EL9G$_0)$gsZ?(=i2b`j^%#yQ&>x#h8{=z z{po43QWCgC5H=Gt>thp8=YTL5?UaN+L8eoaf3^Ea)H}ilu57b4!Kl@TN^dfNz>=nODKCtHaJxhso))S<$Fed{%K~qI31V24CBn zk_;?v5O4za5Ai0rKI*MT6EVMUDM%q#b|Zzt$RnpHi@Q#T+z#2xtxAYeKr!#yAq+U< zl7_1!I2uc}IqgoI?AmAI{>%7&e^jPdMWrun#8)aZ$~QS6VAz#S=Grl!R1a5~0?5#>wKZ__sbZO+e58yTYuV$}Y-_j=&n_r?H8czZ zApxkjJF*?i`M(Mo<2b`&XJ7tV;U^9Km9&AM{q%F=< ziopdPz$K~YKor#*Ss=lMem|=X0Zfz)_#`*MFhg(%7-a72mlFYlR>d6O;&g`L)3gxoElmEmT7jzC zRSalK=5ZV>5w%JbHOXLhut7$9O@T9YI)>ov=1F_PwI9WX(C4KuBp{PE)#9gU!)ptE z;y{w~7r`k89Aa74I?rpEv8^0HS?OS@ANzEU>U{#CgCBPup`*nb)j@|n;Lg9vqBmXg z&|kn27OtpnI7klad05QOkUCB+1W0fPhoP%urs)L)En<5!s(&0WDu^4Qeyo~?t$f|E zY9uY@Rm0v24D77QpwfZMOA1iFBLvHS#(%wsE7K zOsxawTIYL7K0$4d`H(pYyUm~8@z1K34bu6O#C)Q?FkC2%j_M53(vGpkFndDeU)}C^5DicuT|Oar@KGcLx21$ zw%{=S0zZ1SZGV#f&e`xK?sHJysGYCPiW^oQ9?vDkXV&lnQZ#~?pKz5U!(I68DfGH) z_@7$v3~}>4urF5Ib8%h(o_}j-hD|NL zMp)R|H7-;E=$qkwG;Kg~Y$%}qD2@3*8g-@GqlfVwS5Y^vO?8|VyZCtWd9nF8Ad<$8 zyVEZ3E)BKxpJsl<^%w*0NdbM^_^3IFwh+K6P$%;Y{K(e-80+4=-eYEZ#6>ABg(J*7 zDs9Kd3jMJ{x<&OB0CQkbqG2N~g>cCy<3d<WaGyrbk`GLH zkIcBUAg{##`)rq^dp{kSIY|+MesN3^Jv~gB=(KQmP-`H^Jzsiq@T`UEz-o8O(N8xh zklz#oU$ds!6iEgFVW)=lpW7E>{@0ZLulaB0#_qfYu=6J9b^|`ro!2+Q6%2s%ANWha zDV+$A(gVo{z@AaCyI~;e0h$KhVL#n?XkumlEnO#8^KjQ$z!h#ku1)Mm__fYe3NyH; zjm_dr9kjw{cDC6KLpV6-F9@JqaUX~ErzeW72S<+9x;ZxBdRowKIt-Z!X1@hANPJQ# zz_YZ1(>s;$m%s^3lbQ%2Y%j=F{Lcf3if8as@30;}S(ZZYbp^@tLyAhljLip0H|F-! ze9&6^GlsDLo>>0FCT`2`7+;c+YnwMr$;thlU)Wz5V%Fx{0DvRVds@9K{B%gw*N4W= zCsQ7DC=qq$t1{|ji^OWI#4=4(I^%d@G|MI5^q2J$$bl39{~n5ONdk|8O;mEfnQ?QU zApB}0&IIhw1OF4^ZhuKm6nS3$cl z6c1$EdAqmufc#&`^8-C@bh4sg!G0^F}u3hs8Ajh7ZgaNWdT{H}J5+$s@!mi|qA09aRu{g-&RXh){u zRKo8k$+Uv%dLCj7-AA}ji$DKG%Xw6qiXFV-xkonoOS^;{ombs)XM{^wnl7QR@NUiH z!|T?8S626c+GEVTzDE3kLO_6hQ-Cl(owrWDZI2YTsNb#g+LeGf;hA+S{B!|0tqvuufKUy zf4%-ULT119lI4|wdfD?|io?(*gT?F7O&4OE8bOs6(ujr^pc+TF$HSyAvwK(?^%jvc zP&}j)PUq3-(}|(YMLTr#FAUXd%vsM-mn^D!nId zxnS{o<`-!xmQh4sojYkOolxzGXT({_NGc@@&pP#9s;tS?HpKMXx0(9Z=!JI3?Gd48>gAW5_rQ^SwNN0j*WRDgpbjxZJhB<1OF9VAuTELGz1n}?MfmCd?%&@Z zf8d1wekFFBD9}o9B(yLu*`g0wn~L+;ifjYV+!K{F73lc(_9wSGI;_--)0F~-ArWL# zjMXnssdiK5luq(InjgOrL$sI?*crs8qrIya?aEUhsTC^m;-nYmCDLt_g0auYMSnwU zIP5a&32kY@pXT&Oqum?-XDN^Ya%yhi+)d1spJqEbUeJpQRZ1cZxp_z1b$B)Jc~&x z6^l-y5Om_Yg?uY|kh$W3n5KgwPLmV@vmI0_ zJW%8=)+#JR`=*Dql{x+^p zGnL@+d`@#Md%U1&Wi^=tPFI|3j9P{~77ggMXyC7S#UOSy0gNj$FY|qAhfbt}ej(*?r%t|u_ z(jn=_NXH86YXrHU*O#DgTu3Cy71SEYjy6UHq2Br9qz3*nL?#YJ0h7x7!h()vTiiSC z+;0>WXdgA@CoMriQYA^iVa3ItznzrExltg%S9U+@LA1Jx$}8?N+VZ@fS33r?pA5+4 z%5s@c+@BhPj}aMCAQvNSPLCLAu{=iimS^3=c{RbGoRViN1)yP1HGNRQHB8SVhYf}L z#VdS$G3v8%9ETT;@yKtiOa~cjP4a__-q+L~5WY37C#Tenq&7UDXAwe+$lIUKHDy)T z9fJ50s_3v~`KJfnh=1R2Kl6uYFc@Oj@!Ce5>9gh?CQ53-!pux6(-w@9LTV}*WpdJ0 z(k!;zR`og|G!d_;&yaEQ-#E(4VzQ%vgy9*-reU@EI(luOQH`wJhpmm$fB zA5c4dU;B|P`YsuJ-!-mene^^a(FUSitH&5ES;~IQ3F&>W_7iDD^ zaYEBnpf`ECmir~|%x5$CPSfoaj3jrkfgd}+6xZl@&n?UoFoJU`X$om(tl*VQh--qH z5~MR3@>hb7{}GayM(G0oGM#^M1Ap3R`(u_=!V(86jSp}+=~#Sx!|wj>GOugKdDc=T z;a35<;RhVVlz#bDgA=Y~SceAeL61U@A*S^9!XPl;y3tQnJj$fQeh1x($WBriiZMzp z=!&24$GLI-JZQz6f4JT=O$L^@=2SBF>0!f#{)Oky9WdI*6nMilJ02f408#&pPtVu~ z%NCd(ZA-G+Q*sWKk^a$BBbvl_fWvw%Vs&!lLo1&rZL#2Rm6^fPiyk?;STg#c049Xl zGLoc8x#aDJU>;d&zw$2`bMFTL508ybkE=FW1X$#m;2wOmq!#gr-@%7U=H}%er>9-n z?z`ovcM9j^3fxXfs?`eBhk61}w&!+N1(RV{nSAEO1fdUw9k@FCv_SNuO7xg<(i0(_ zDUhe_G>Qs3Uay6D@JVhvLI4HFVqCU4Q-b}~|0z@PG^Avq%Q9enWb^U>!VqFukMoMK z>|jY?BnGoXWoLZasUToblqQX&DkRi==1En@i`6_b8^|bABvh}h(pKgnRnJxoiBply z<#L>RMKlQ6iZc_PCc1~WeksCG8%ygo zt(r6aOhv`O+{)^y!9%hjj*V54v#zVG(~4z6Xh?#*&eW+>nrfVVd;X5SQc`?O=})$D z^UntRSIGB2x7Ga%c*aK3FOnm)#9&eEU6*j$6wv+xE8W|C1*bb%p+@^YSs1#LOU+Ds z0lsx=iR@$r`qCA*b%vtU7c|$<(GlVz;BMWSUyE-C@#e7gl}%SfD)y+=|M>v>z=-db zzMuPc`DAVFdHTLq0^_T*y|r$1OJ7pXP@eBrj2XA|yW)0ZKHKWK#;met{Xt*%=geJlJ3$F=HNAYbRTo3!#aO>H5jHS=IlE=|Ttt+>&Ckpp zUvtMA){`*aYrspcpR_Hw^M{Qiay1RRf5)V%A^L+qw1vM;4|WMpsK*+4)(DFJ$8!Gn z22p&B$3tp;*U>RlQ;V*eoZ&QUkt17~3N`YL;ex@tS`eWt>I;^yo_`8coVZw-&*N-U z?$>rz+v}HSONA)V|0GYEwe@PT%4!BqAqWLix{T*A6_tU5u`$a%$$r)gisd3k-NOJ4 zISd)da%4fe_$%DC{7Jnwm9yI~MmR*@p425BQu;-Az|>3&xN-kGtvDSkg?g$aDY6cK zF*P@fJelfg83Z88^7h`|jx~K%9 zPmQJr)2yR*?|{pWv~V7a#iHX0{CU&DFkmwZh$@@m7y0?8n&IkPK6lx#xIIQcAMVg6 z|1}%xMPT`rnvRAjUf3M0k{IXAdcHsQbQn^>#)@@H@57XM6n>*D7ECNGyq|D6->E4b z+4+ILCSJ@B9-f z&np-_gticy-C@IoRR%zn+qtJs9ziF5o>@7J8VhRE|I3g4_s;##SNOoi^g67MP*w-s z$eO!xUsw25iOC0L{1~%z*;?x)+xL}9z3q~-+;4evm-}IRI>n*&a3w4ob32+xr1F6H zPgIuwIwtQE0K5!?)YpETYUy5y5sPcZ6f+y&CMLE`pMQci21m~0kJuxT6q51g;VSZBBC&CYGY}fJ{ zqqN+}$)Xe&bg!}I?n|_O;+wt=Db|X}f&Fc1S8g;<7Ea;w+;x3`(LZUXGZBqgq#7%v zBoRO0{N)54I0(;Nj^+%`_MADYP+S#raL`yL9?uFEo(LcK2H&s`d@pse7(3w;)~_jr zaW?GlJ9i=MHGiQY0%p3m05Slwd zvY)eR+PsD9laeAJj5@zfO0ED~tC(O>E+t7OfUfD?-w*R|)?0Fl*n!kBu1JUtcNeCN z0uyB=4dV?pRUhjp5ka%pix@0|P%Jr5HUy4n|C?X<&&{;&{sG*kzoropkwt_%CgNi; zlwywl6>PO2fl0g!qAU8#zgL1s--l{Vjr_X-{cZ&JXYhD#1J0_!eRq51?uNtMDWA2; zlZ6lG1FfCr+Aq4LJ3qkaw~Q>T5s;LxtS`6CO9lOhzWQn6o{o{W1G5rfC2D zr2qRBzTXr%Jz!_3`*6L z{s;_~bTQ+oG5=?S!}Tf23P6>fdYFMbdH$6#@2`i{_j%x*s?LQE%>BQ-I{xS?uK>^h7XT!7q#H#;7xBah;9T*Oh zq`MI5)PHC0Pn}@lA~7bLPyc1e{l5nL-xD18M$$z`N9ST{jpqN`S>K;*NiV!HGV7dw zYxtp(E-Y*rR2qBdnC%C}zZk&&P=3v9zJ2PxWUTg%?jcrzUxj-(?FPFPl3$1dyE=mU z!`XjH%J5U){q12>m=qamRl7|N{a;MM52ljkvgeYbnw>@FucMY9eCr?oN`EZrqM^}4 zOlS4SYyVGIIPScnt~p62!!LubpBhi|t8aVjTAvkeO!$vB-??*Od1cJSsQ;~)3!D!~ zS(sk<|C}@VZ};-UR}?kz#vI?JWvkxf|5v_WGWMY7(vjRA-1N*3hxvCFCxb1%d=ZPI z{&&6~z)jymAAx@jZOX=q1_pILPWku1=3uk*zXLTNNhV^CnaVM3cl}5E2A8$PUh!PY zRO}ogr^A&${)3PLT!-XE;P<@??`j6*{3FZ5`OpCJ)Q+L}C;u(X1ETJ;)EYaSBm z2a6cqrIgJH{6v}OAB@2B&2bj4#13`bEoXnX@qhTE>dyck3@YvZC3)pf|5DsJMP2Gz z84D@Zf6L`lu)s(h$t-h!Nh1F9h~)q8JPSDdXJYSy|DCxfBl*TJpu2xXvG-Fz9+wOG|qaZ1l^Opr8AdSOd=`AHlwVYxw_u!1|Zjk(p^3t6TpTKcad9@FQ&2*}qA?9Enl zIpquf1Y<7k6iI`w7nGaQ%sTV8H_*gEhq~mdop-{z$}hyUpPL(3Jwi4`*E!dAR_yki z2+BLmMtMy1Yjp%UnMF#^WoSPE%HxDCWUSz-ERGt=1w?PcEx8K(>GLieud-SR;pSs(loMUpA6=o|s!-b;^^0difvm z&gs%%gU-{Ohcg7T>uNT;RNB)&=pQtg5EG|yjnhRBKpe<)3LVJ(Xt;<_CFm=k!Zxj) zSF27MY#Doy+7t^U$J(2HDTAPAP990?x^Q{yQS)81*>-WKZb$WDp4H|fqix%Lus zb$WwWh;$&f6IBXz$|%I z&r+nX*0JE4?~-lvaM2UFyly5^Iv(y7#&(hGo9%i&auP9%VvvoQtny^8dP1jxCB-ZA zcU0H@&(m$JCErAfaB5`oZTC8xHf~X%9;6jczI@yd;qdTJ zl*k)zUw*J{(YQ`0oEzFzxV0^RZ8@Ni+C7`)He@a}eR8ylZRW0W-)PgW^`>Q%JM`$O zR<7-$%HDyZco>xAZV9>p29;Qimf#X~Kq(D(((RlI=G^|Mzl=0YKIXzGqN}FsvD#1^ zpf!1Lpl^b+zkB9}8<|3kFxzU8!H$H*XK1Il1oI$r79E!{{0KICg0-y#;vie%%d!3S zZTb*ApuD&jU9OebMD7mR-X4w#5LHVj8go@>?tb=l6g{X76SG%BZQ3+Mwsl_|?}u?f zcT{&>te!PNrj4p&*1eR_^K>t@*NPmaU^&-($?3}pNbbVs+EGc1%e^Aju1s62O}l9x z_Xnr_;ewx6pDaR?;o2YUa$0`aOzi1%xVG9-2uM|?{U~q<&n3Awa8gF16b-Cm#v3e+rwK*FooWR)c$P@*VQdN8}>!N@gk4;%1B=~ z*A0$$kR}DM#gXtEt70FShFQ4aP_@bS^|q2Sfw8eL10>Hnq|wm1_Nd2>KSc>sfAqEnO_#xOqMLQ+2A!_d-yCIY%u zqPOXI{J?sp5!aIsYnujHHJ0}ukqPQ@X}h;wJmVu299RD4l#-$3Fvlp0q)T^cv)X}c zTHFIVUF%>gWAX+mI(uRGb%|J%8TCpAhjs-qar4tMf{*3Lns!TUe40?jE+6z_cuuU0 z>kZOy?tZa4Trk)f^H2$SwryA`(V`(m*>bw)cZY_@X>mwu-Av(@lp`s7WjmR4;Vqk7o0Sl>0N6FxuYxh_3 z7j-vl5(Zv%QG6JK@%TsAn+uPRZsdh4eJw8fwwoHKscE1R8@2|aF|IK$&LGjih=<2# z<{K=UH>StaleRZc7eg`gJ$ht3Dew&ATdd6+NJ?EoQ|RV&vCmV}#@*g63F9OesO6W< z5jVMhICTC^fv&{#^mKW-w_o{VCkax1R54w&{6K~7VjFUd|N3RL%2(7=TKR|TauS4n zF9+BiX1m|rIaGs`U?`qQv~6@syS3~2Sem~5v%DPqg8IOMNAcWi+YKVMw6s1}wBTwl zrB}u%qyJNnNoJp>?XCWZivHNBW1$XCVgv>&7uYgbLySV51PxxUhw&YM3#*((6@RU-9|;8 z?fK((HXM7Zw`MsT5=IA!hPgqTn)5Q%jEeGZmRw+nh>X0Dwq6RGjm%zF>2VL?$b4+0 z>%QY(ObYLr93F1@(&Zh2x-5~f0C!#z-)6mA=8q&=Bx#1wW7bWY5?mk3IlC-nI<8I+ zh;fZpKcjc)AH0RpwUn?$yjJ>YUnj4 zZjmEz;3Jd0#j`6$`BzC9QuJP~ukEZxaATd4ctwToz=83xKxJ8N%O_*ryE?OdSM zis`h4Yg;Ku@3y*9n|j4Bt7c}e=nb6PT0@YOm&9)gL&eN3X|Gzqk||K5Gd4op zrx(VeG$CfGt~q5|6J-E-EYCC|Qvw38wvT5HVc!vr8i8yY2kBIWomgvpp73D-#rYqLwua zO=|8`I}4wiDpdRYEjt5yrzdQ@H;ONKos_uXk62uW(>ozETZSQv7)}cZ`Ca$57(r`! zdJ$pXdoAK7I|pQ1JvF{jw;R}D zEn_rm{h`9KL?pS4YrGM};!4TlDOeM^P2(r>?G0E2IZyKGbZcS7q@DGV5IwG<#Z7}D zS73yymQ zV@8S~lAJeQ#XBs~!@^PLEU7xoi59WwY5;$?o%y&Kh*qsU;N08&x_0v% zY%f%1>8ha?B`K?w>+TO{{99q03QKNK^A}P)x)rB*QEup|t`fC;^s~CQGk5C(wp)Bj zuC1nob1(ZRaYK7&(>paSJ|4Pi^yoS%^;4g)<6iWJwC&O#e0&}dL`L*zH`i2wX0xiq zna@jc0ADp1$R<$f+N^G_&i9>-gtl~5T%4dkiEzX;l^Y$EODYkuSv7QL4Db_0w;EN5 zm3XkTYZUX@SXi?i%JH7DbK^j+4@nucHCdBu0lI1VaVJQqvv2v?{09#&X-* z#!#S+jWkKdS1v?j7*;+nk5&x!MV}afduQ5t9+gnfZ;gt&Tc(>#eC5TO1Y#CryK(r2 z?=>eevEsE_4>e&``-j@D+fEe--`VCNie>Xb68j|cwyt?+kBsr~C?%L5Vv3^Gnd?qT zrG6;w%|f&Q@)o_4l80K>OqKh##TwoWnPR<#)#R#nuB({gnwLY@fX{-6itu-ddXSj6}QfOFXai6*kPghpaUc6Hhj=&fRp zK?gsw)?ulz9iC>k9rk$yGIy8_5`7XtxZkqaYyuV;1av)??+kjND%?oh42|;hnvObN zLuV!C&9y`15`uhMt6~OdLr;1sTZ|*<5RtCXrkhaR=HS|v8dL=NmbQB%BbRnyVP4qV z9dvbj`?lQl#KY29af8oCwkw{#_R6|F0+%n22|)S!&bdnudQ{KcWvm{XVJKLOLI>-a zXZ4ZkAV*{UUA8MBb+j@Js53|V7YT+x1c*1fh+C~L=S9+lR~)2^7q2OpdF|KsF076* z7vR<5x#`}o+ZMVFoA2y~3Jva0=ZM)Y8)(4hFa^yRkw$Vs?ZpY(#iJfsTZ#?VH8b+! z&yg3G-rXnt(O#XCjWyEwjH1!(rHSeI5y^Mo1J8Hvfr;=+thyRQNp{gPLkvm4*4)(l z&=HV^5G~4nUaU*Xc(GN#;S$p&Ao4<{`o%#CSjmP-tF_G7BQDel_lFI6YJ{bsOH1{( z)p=>eT=K5axC(OJl1tiw!fRQ5mXRG31QQI$Tvw+U++D|ES-BIfAY{><+3CBNr9fuX zt!f`LL;JKFek1SRDUbZs*XN-vA}3@0mEG++p0Pba0lBV3q(?1g0bL@R(W>I01xZzo z?b!i%iav1Fc-BZkoO}D+oDIEui%bAVH9dj5;{;VamDe5et=h(6bP3ei8_JRKt~sl*gWdW)(W!I!vMC(RFz^@-3_Z zqHiI3C!-_)7DlX6yztz{yX|EOb6s3Joz-w*zp=mkaI}XG14y{)U4;#uYp~!nBzm_` z#i!hD`y-bRrGf}w!G-5ul|x@{MDH4RoA$k}n9UnE@lRe%lq7xMV?Sd93;y6#5^d1E z;A!x-9X=is&?8m}$=ryu$m4J8D(9MeSj~zWn`Uea{XdL-Wn7be`?rNfs+ZCwA`*f$ zNDM(h+Mr`dcf)8VBB0VOQqm$Z8i_Flr9*P`=-x(dz}WVj+|U32yt^--H+!?e_;4J* z$>b|F#aD)-FBH|E4;AMJjt zT+`=SIrMq4jYM4HpiQwfbE3LD6Z9j^psDSQ-a3Epo*zXVwgEdxodV;Mb$gDHcE=s!m+@XW-&>X6R&2+Za9ShW?!a zHq=GDoVBym+9J#@JhJmqTjVReWS~p%%ai>tWuX~EeoJ*mF-<)79lW1|)*m8g8>XCe z4w&LkmZ;89i*s{((FQ7fk=^C1c|;5Y16z8K*@VZ4+cHb-)EyAC6oCsuf)M+w7N=Qu zcEONagEz?QXWz`|+Jwta$rg!l?F8XGHjh-d{qvI~vEx{6X$l8xti~6D}y1M2HuEe*FZ; zugW}42MqlT;v`0{T^X63e7jW=fg`$i(Q8u@Vx|4-&fgM6eN~T?L064^uo#D;1~mDJ zQkZu{MJfhI?GNYQ9BQ2A1$y=1L;USX(zJW30KzzXJ=QY@Pz z>XLuHPf%(zXCo`?AI&9lYqY2HfN$5cK}Px7@rx{06An}^(~j#23quIGByltY1m93x z17kO0HU4@-31azd6GW01Hr?NEZWGLaiaIw82`}K7$!vFoj1&9v%E|;X$6}_zb9J;e2aD#ec-+_i0KM2`$d>uD4~-m48GPv zo{O|tOoA1l=n;fEjdt6V$Oy`p7M{S$t>y^88S}`BZA{$;2O4F4o_wF1AE(U*{NZyo zI&dZki;wdOK3|U_$xfTSy}UE_RK;(-wOAx$I8Hd)_jtafjD|`28n6pLly+w=!JVmo zBM7nA7TQEZZr2-=yLRfr26Ws?LH0oiMrfxIXM|5(xaUF&s^{}6zmTR5s>bxV230N= zB*aD+c8qCVVzqiJ5f987s6_x zbUFh2PHX^_xFtFE@8;m2qO%a{M)BbCzkaUkYRf+ER8!m=JM=KqV?kK0xsG2Fe3(|o z8?@pSXkC{vB6V^UTth=1OYya<^K#HFYu1+9DmL$ZYz^)Y+@MPX9zFBWiLl88Xm$MC zk5Aq`A|6f}nOW^jr%t;j);&y9IlX(TF^EWDxv3QOnd!8C@aJ^o(Qk}qf|C^#&elx<)tk`Tynd1(&J2k`YbOHl0bSNJkV|PULPAc<4dc#N{4t( z>eYbe)Jo2I+rQ7{e`xgam}&ea%@S6Y|5s(K=7)vANURs+i0H;X;OsbRMfFh@Q%Tuw z)*zca2HiPH;Wu5Xeq8&KtCbXT05>l}GC@;CxG#5uy|y;eZM#7o=YDHGFrngT!PSeZ zhxDgY)Q4~FDI+ug3BaQh(mhXh6TRHj5Rfzh@aMWz6 z+3+SM^xzW?U`MR2=R}qYwTfpWdO+7_yT_B(D0}y+b;YB z>tw{LKm49kb%{nw=$Cu3p(|kwHGE!i<4%4c@Sy*Q=M4dps^Y9DhPpDE(4YA?gF=tAhWhMOg$&83>wKb-`{?;x5Y`y z?7Z12?Hq^O51iU#oB9`l;nLOQYz2Qq92uQDw^{bD0j5w0*Q3J}a)gnaAf=+z-P-~; zFRFaZ)ePE8*#Rg@Qc3ij?NY(qOwWWFD1&PE=i9ip-lVkf5pEeKqsG;7QN_+!*2Fns zsTE2S7WTO;1jl5m26xD{V62PIb+;Cr{x2b-2UtwbL^( zW<=^S3_O3f#n_t2AR|^<`9(@2bdlJZLLGZz3!(F->W^Ab(t1cHb?#eqYQ<60XF`;u z@C2l|4?}0l*B@HQxm&Hl%fHp$n3>vAm9j!rN$oQKfeW3p4Sk8x7O8eYTi?oD8YKV( z1hXKc5%k*ftHZb7zV%|&AUmJO<0je4hd$;K&vaF~_R6g^Q9%a!aj>1y4>Mx$@8{<7 z96R%7+Af}tpj5fD7R!=tA5=~Mac%jw0cFW$Ff|UKiNu7QT+c1&1xd!FzcM*KEf;oj zaLnO%ea!tUeoFJhleIwC;Fo^HF-g%3&j8b=gQWi~0@M;~!o>H$Y5OBS`tl6SrAhjKCA3p8yMak$(|Yb zluOmHYC1X1_8on8u-v4ucNl4*W?CR4u-fW&iWzQ-?_k3q;ov=|S(H3DvsR<-CgR;} ziC3q!KTI>5Z85DR;}tmbAmB_j^@_0HwX*7Z6~t=W(~q3XsL&39Og^TO3ux%W-0>H{ zIT>=^2+%EKZS`7BtI_rt9!h)1usAg1Ina%?jk$$l4moZX&5&{a85?)rJ5H{4+nBAL zV_Jj5s92k|O`69%$>(9~{N56v?ypen3r2)axA`15$qZcIt^33aZQQTgDdi_;I!GMv zo&k#Y3+{)#{s^gx*>~FG=DxXGJV7hPoO9DQ>Ot(zu8pLDnvn&&bdT&$kEDfi{e{n+ z07`8y)mDN+>W_swa3UUCONSO#ra1eySdi;sB#3EtfHbR+4Z-+a9vCj7C~) z5i276PPaSfO(5aaNW!KZPNw>BnmmZYk8x^SdGLBWo z_RKsTJMmS1^Cmx`J-Pj~k&oBt8=N8#*fTd5QH?uGSN|bL^X6OG_yU zuD+h{K^grIg-sX7zAas}n(xoi4HT~C4{HXo9zwUA5*^D^ErdYe? zOnSCIf;0@NHH-60ni12=M%aB$<vqorBCVF$Ag)j{O2etpCJSgZJ5 zY*s3TQpeg-E+M;Tnir9DeLw2w#q{c-um5o@yTzg~yC|}syp#4BfYxu;WoDIuPyzY` zOU2O!Hj%sIbq~9Fh~lu|Z{T;P#mTy2AH9alUkj!xmD?&PJ%j$p)6cmmE9#4d;6D)=05Lh33HwDwFz9#wtbIPB`W&90bC(^Zgbj8(l zOxO~%qE>6t%RUq`&5j%4_UC4H;47Wu16mxHE0JV)c^=q4M3Cz?Va=_vj2qc{wphkF zg{27njQzBzUMAhJf7jBv?*Y%LewVGO@o%?M`IAlY*molnO!Dn8`+OKat5G4-_`r~~ z4@+xPWe?8mTiKU!%O1@zp7hBnPf|MbJKme?yQ+UMk1z-1=H)*OA|6ANlHBMZUCe2J zn8kR8S5j_IZ*SWRlykt|HEz`)&W{0Gw|{k!gy;SDx$gI^pdz@8da4_K@Bhh41i zeLSDMBuFd#+>{p#)crSprsZg+c4s1N&{k_Zk{-%cY9t{c_!w6%Q@B3hmMk) zPBzFbQ{X$!|9(|va*+ZsZHFl{Ug_N;c@y%x?>6JN?`ZeFVo(yXzs0X}YUSx^jdXR2 zI5P|#){ILGeY5@)n=5-xAU0#NoSm&#y4-9dw@wer%mEy~7LpybfsrD|Kn)jJjV78Dd27PvXy+9nXLl9h4-p zayFWE+Y^6lv^&8BM5o9aR%f+8Gx<5GaPsy9I;A6#mEFi3N*LlZ>&=u&WM(H|PTl{N zgV&t&8_6|V>vtB4=wx`r6n0g#Q1$mzx}zE>HBE>TB#nN@pIDcgk`nIZ2I6u^GcNoD z>pc^?%Ot&xo|#Y?MxFm~EJ%wY=j?PixpB8cjPkuE9Ger=Ot?W8Mv4SPW4Xo=aeXUP zX5;JsM9{FuvsBL$Y1<3eW)o}muGS|1ppAtKZ0X8i>TUF!d1Dwf*V34})vjV>11_ z6J@+l54>8fm1t5diKh=ExtC{rX08!zS@)y%-CQK0&Uc*_nEn+P({()ouH+IRutU70 zv{Ac8iX5Cu$ zFl7+I7?)1hRPVT-fe6G(Zb8;yPmNA1lf2>13lVFoLx%zS9joV4`-3g1(UOk)78XDR zgc}{fmosad{|LYx-4!Mss5BZg4T)qw?#sI4w799QH)!>s-~58uBP@HS^QqrL-p-(E zw#HPIC(?~ga|%v4qyqk7T2tX=|LKQuC}42ePzScJKzkh5N&z16dts8?@|lWWiHv(( z>CgG4`!&T^0kdi`#=2K)+G_A*{*p|1!RZqAR(o=q-F@_p3@X9RHU4z_TYSHR%;cSC zFr1e;Yl!8u9zTlMYd3ADzNPGdDB0z|*LDn==GMtsX> zcZaAWiF;1Gx~w<98_5&yN8O)17aaI58$RAGmT};B;JKhIX_iDJm?T~HdH#fAW|}^^ z!6>Zr&G;3J5d=$z<)x9{qwHs@p}R7e)4;(9`4iu20dP|_lfo5>CcNn#`BuN7#rry6 z3_(z*y|+vr^J~77cQ@Que!fl2j$i7H$b6F9rp&Vs?@UqOVu$puy!?`QX0&Xo2u zT013dzwymPTVtwR&wsCq{y+O5Go*92UURciA2^6c?z$}dfC4q(^WK|$gDdh~#q79d zY;bT-24}?1?Qfbviz(LYM--SltRX*bI_>Jx+%oY|Zuc{WVM+U`aP34^ zZm@rIlZ25)5N0dmo{akU>VBGx`=x=KyYxu`MSIN|Y+cuRWl2}A*g3Z2eJ?c2xD$vGXaZVRGR=I-Go@q`vy=cHMZJqF;e< zAW&uVSz3-Q=t$6r=tlNg0Mi@s40HT>^J9tD?g}qEDF)88K6a!v9cu>3VSs9rJne9B zr6twjn!-yn(+$bqBLiM*{gYTMfxXFUi|OM zu>xd#p^`OY-i|?(r>BV5lF{>e^wW_ z!1Gqq2ZLw)%N8yzX|!wCF!vxRWUW65;-r_Y9=>CveroA~Ai+iYRX`O$6s&UYPly`% z#OgjXvyt>(Mxfo{DPdN}x^92=sJ)!lj=GU-VRbh4&w@car=l?K$Y4lDO#7R|lY8is zlo&}?CY4djoDZ-B?x?hJ?6Babftk16_+vy+A7)`{da!Fs|69x~ZuY)6W|-G#j@p1E zU1G;4{K=z7LsYb%F3#b@uzrQbaqat1-mJ$$l%E4v!WoZQLc*&s+TrV?V-G1A%GpT` zifj5a&q2@bYv<##d`&zg%6&H(0oT+QNvRbbn!5%LFx}Gn`o>Ohd~0tfCXJ##xW)a& znax7+%8v}E1u_vfocz1TU}*b!3K{c2mhYZFn!2k|83+!bD3kW1f0pBqvX8fuCVwh- zYu~=`ki%V-PpUCwl0cqpzU7y`Nse1$N48=Ktx0k>KfJ$rn_E$_i%B^#S(nfHTEfG? z)Y=C(5_OHA)!WzEqVQQ!B!anMd@$mt>oFmESX`jZj&izGaFw@gL$@N zkm`e%cXP@n#9oN~lW`MqA^hXY4dO*6{mCjHgx=xS&_3Ac!3=bN>t4%DiI&~|++1~d zDSRfWpHAW2`Ah%y5^7??p_oUKIV^wpbCT=LxeHf0{`-r9A?3Z8J3oqfM)D73I;7z; z$Nu?QbTR3-5F#|w6@gs&XsvwzX#%%e;#cy7Oz`PlH%OFEM&9p!_l&qADC-tP`{C(H zubwB`SofU%z)b5EIu&*e1jZ^x*)0ZRTU*}oBf+ffn|=JBE=jv-v`ICQD=f6L zgN~=8m}i5<$vpXJZ>6w299rJlcZ;#ZUWh7GeT>N_`bC)uv0sfNa zHd}OktJ9K_k684P)~KgaIoE^Ts=u5CS!vjcu}Utr26IKHhy~rWAFB$zq0o$6GG5nE zO|LGH1k*!-Wz&msj(W3nf$3Ly4pzTAONh^Y*mxCfrEG96$Iggl+5f{@)mH+~kC{18 z!_k~mDZdzsuRD<^$yr*&s6XCs^xV9TT{`rEf|3)0Y?YY&z>MQwhhHg`<&QtH9VM<{ z_K8!`Q4E5SXU#p|u;f%Ft_Ec2TJ_4?mx{t~3SL9k4{``;`3Kc8ISo@ab!7h|gQ zL|@>z-|=Ha#6d`T-K_Te9vyy(rgl`B71B+2_FDk)X#JMYwu|^P3;+=urd#zz?0W67 zo-3XO>v4l&Mq)wOUsWSG&fx+L8ziyZ*^BrE+Wr}ep2dDMlkbQ-p}f=m@V2a?cu}0m z0|OYi2H!ZwM~&I$oF>mYWkR~AulIb;61Dj=fk}Mqqi$tpX>b3-%s&qKW0PG1wNoob z)hqg-dW%xa?R)tv{}70`-_?1O{gIpw z;eGlZi&}>xo-dr$uvV+fQ|oJ)Amz1J*)~gVFZP87S4MBV*9o1Kp`D7<$iCZXhObM6 zz1Fr$V^7V<{nDY%bWQNbjQr1>3$QD6#C^Czf+-lwY|h*|ycB$FKZWdA7%tLy7^NSR zDy=b>x{kbJrNk6_RhGET<%x&iMzB9GKNA-USDtU+F4Yos~?8)E8z*CN$(-G`P($Od%Yk*j)z+_&?C&!0zgPrDb7i`5& zd98}P!R+9$%j)0X4wqF!#!&iWuudw*ktu@NclYj!D>a_DKL2JyGViO2Lj^u!Q(ToV z@=cNC9NM{|Zf|wH0%D>>sS20tbVYr>r4f#NRHYVwl-S)=F*+^KJu z{gr$VV55pKIiBb6N~O6;O{nZiMfmm}d(oG#K0KC!4qON3Y)&wyu=n;IXqyw7MzQv$ zBXZ@GqTf9;j1YU-%oT-c?-2HkG*l=O{{G0px;H`1RwzW{?%l)*uJNspi1R@d*Hxir zbQsI_muinf^HsH{I&qm>la%nX<(`bOiDA)+LBl6p_bvfb{MX3*7)KtobuI1=WJ8Z< zw{qwW_?GqN1ch*{ZsCc`9=c<9Zy`^z&^ldFc)W(gJ+#@;AYR_BR`~H}`H z_UBDx+srTRF;r~$+d^hd+wNHJ$p1af|MkG%1BY6x-P?p#XtWe}r*r=0w7+?EfjwBx zP|&<-(ZDw$!Jtt6Cl7H7iOLfDzCJ5yr-723ZfgGXJfeynm%_u;vgnp}9xK^?sI+K& z$Tvx>-JDS9peFosMU@SI_jloXYSZy9Tyk1=z{g>@u)0Co7x&hT)^=riSM+7&GgmyP z7~OrNy@I@-N};FC}U#R@Row!v+z zr_Kqvl3)zC8Lg!+_{rt_;WE83x6z*U@bZVim7!E0>)B1jN_p!m%Xf!H(-FN(w{#>c zBLfyrm5uiIb09MHJ(;{3E9FD8Go>$!wRwF}CNDyatAy*d!kPsBfmvv0xz}%}Z&y^9 zBLsJETnJcy!+59A;$^9UYkg-zd`d{zlv?_AVsW(l(!#dy@2M zFp?l_47KZ@u7qBy%i~yq1w&)skmqb(6pjRwY!?|_eL>Vb7PDK=?nUs+r#Vs>0`c$N zc?8n9Apa(em1+ZIM#C=43BMxC+x_ZZP2f1T$9K+5{|-s^B?K+S!G-$F6}3jThQ-0u zhZ2vims%S`*fArtX}u;wTDyVJV&74MC5#Hg5gxTB-XtGzR6rHt|GBCUrSf1Fx{qgR znG|xlFf+YxYdYtgkI%W_Z{|j@ixVp+^ID;h|5emP2)J(}-j?tpl=l>OY z0L?GO_vJjqVYp~-%RD05ft59?AxjIG4lEPCqjN3lhto5m_i%6hDo&5km$`mbzNj$< z$Ib87<0q%VjV!zm6r8)gTe&S>Y=ImX$Y3j5^4hQl*Ekb`E+_>+RG&%Mh%iVi@nf z78}3K^-o1_5;IHCE zv1S|%^nQx+IfSg;;6F^o5i_x$r%c8%pScI&GsDCy6lFfUy9`|f8Q<3V$zq5Z$W_dI z=(R2}|Ei1W`CJ$^_TDRbW)2WpM(aNGF^9@g_FT;dor0nJ!5T+02BFNJk%Uezc{w$k zCF?O>5vjpliL5(@bDIvNd;AU8DA-?pO7w62!$6z=H#mI$(%ZX#^8243A57;$P+Y|a zshhuZs;76&&L+y)TAq!3XetXUc$PkMb)|X8uLlM01J_}Y2y_$THZ`=mr^N3h0kdmW zT&C2-zJI%mlk76>Ca_;zWz{Qhgg9|)gd02HF+R+5yn0T_XA{uISJHoUt%~%1Zf^cg z`Sx_MAsYe)vwuGbK;h;3J!Q*h_RkmJ(*|_+hD~XZ*E+fzqL9BP?(5RmqEF&)D2jC- zK7LSm) zB~zx^4^^~kGVD4iSXky#eg1=7xz*WMY09co*$WKn*_@&AnR~f!Gs1$iTXC=_AP`w} z3^^N(9?XJsl(VyOK%FOS1@LtVa>f4rGtK-h7mkAD%OJI<0G4S66TXx4H! zxVe?59h|{?QPn3Uko~(-+3^Q)a8|MG{^C;J6ZEY)qHag)epTIOYS8GT*F^eflO!zI z;RPZm^YMoB8`G~dP|9ETD}v?Bb9Q~)geruq*#4b00qcYXytN|)ew6yj|SUej=!CjanJ}l*ew07vZuN4t`lLsQyNOjGbjG4AJM3IQ)J_W z@`Vkva}1trJ`Aj(tXOIRZI6>)w8VIXeQecXD;YBpb9Vdjr`Qae)+7A(@&Q~lL>qJl zj1D$;Do*PhI;jIFvwrs*BWteYb3R4DW-S}s^wST2TFSf;^8aYP=U!u6y_1w8In8aq zb=F|NKB#~j9etM=8D0xfDRSF<`$q-FRIy-vY<(=_Net*?GfVU5x+JoChiu|GdHYB- zu;(V@>0T|f%gvoVcOr{HMuYk1y8!cBmH30~J8Bf_&Bq_mOx#PBdG>Y7v)+C|%3-81 zwZ`r(`#*))+oh(v-&G8I{SLGg!u~0aF?qlq{aHx6uN`LkLG1Duy~B+cN($wRgDuN!$QJ)LRUs2Ize6dj)4Tr7sDEJfhmib~UdgUb z(NzCt|7f(>SH4k7FT!(ZMBi?qT2hbU7q2FFURBzhWLF(3$Q1>|PJolcW|P}3;^%y* z=E7vi!<7=(nB{(YP&~zc$knM0hfha8Gw+}PW~G3GrnHhz5Qcz2{zC^@Nf@E2j@w9+|iop$iBbIO>_Nl$X%T&q4S z^TblLH^mpJ-6d;u=k>$hPtsYl&`11}p0*NAWVZ}xXsikk8TF@iyqsjhXTZ;Db@=Lv8 z$)sxG^Pw5cD}h(J??(f7w2eq(FiDw}r&WTjuwFaubc?{_>#OlfS7Ir~fDNpx@_gk( ze(~FY7Wa+QCjPPg#ox?VJ{D@Gw_WXpyDubavJt}x!Mpg?tk~?;T;i(J7l75}Ej(R# z*>-#aDAwiP71Ew|!hR4SL|Y4Y$sG4r8_>k`FFAo z;RHb2W#4)C$B{b%SMaQd&JoIHAQRNK%p_39Gv5b6pl&oB4Mc~|YZ!$N0WcErO z!pQ&@vAy;9E06Zt-!f$?#2n z<0Q`Vv&Nn-zd`vTGZgO!ODWgwqv=1Wr{!s&taCE_vIaSLrfZ*c+mpdQ#{-?i4?vY9 zcrz_C`nBYNxDRHVV(3v_T`4K?*h~Kzuv{DGtRC9*#mBv6Yo*`bkBTET*D(n&J+n>W zTnhMgeC*(o!2n!v*3=?2704Cfr~OD^|MsJc0l?FDZ$!7hGs}^w-%h&TXfm^7zIMlr zc`aGM;bl6Gl(y)7l+9*M28)XEx`pgZi(Xc|80vSki|ye|ATsu12&?oT|L&DugBc6d zi4n908bTeL<$Qh>C!su{yQe}30@0ys?m25Oldn9sYP;K5`c%drQ)1z{{CpJ8xFy?T zASmdSMpON{p>Ju1SHn%pV939(xTaNHV7Nf*p(Eq=8@sJ9x$fkCCXGjILXD&!k$Q_; zbJ;$!Y&ZUfg+kr$JX<{m6-4ZRcm(+?mjA&Vs+Pa1ks(N{9&2helVMP5r2TFD0hdz< zX(VHob=J1yNckl(dk-To9`wy3so7?z7}OCEt*)m5U<+QfkC!RP6_S@J9Sj~WB%AMm zr@Tut*F^^8MXc5B+-~`E4_C#dBL`zX0!4 zzEV;_t5&_-?HmOrntW(Ywbe3q7NSh)Y1eXMRNB~AVa{hY;DY96;_lz50C^ofC0wyS zISR*B10a1^T;Puv$ny^svL~Cr=BfFeb>Td$n;D^erI|>zQH6^mP3(oHt;EGl=Lta? zU|{(D1cQo>rr7W~N@sxb2plicI~>_lUn?$v8U4ePbfAOX`+KKI#{#Vmt|OBxyb)_(ar`F*wP zP8y^VKQvWk4L!Qq^;s@I_yLh@A?`Pw<0)nwuV2rSzP!HhX~9@>lTdt{xllLtzNE2> z5cxQ#B+rZOBlJQan&_p`1@}}Xl)cBE+kTzZJfM1LzO-6bNRFpT6!sboj_ny!?=A3$ zU0SJ;GF-d09dhM>Nr+aW1kk5Xv8}Ii^BM~`l6cKBiRb6pgeBLp@b?13@(J#$}vR-k3y;b&%iYWF=1(b~sLgc(F z^>y~X2s__vFKJVNA;JR%ey~EX)~{8eIogYC>R-b&ZU4GBY2_oo?!oYH{wfkz(4h22 ztC?zZw9qtby=Sn>YM+aI1Fq*O_}aLS|KLDaglX$r>1fC!CP23rZkk1`y&s~fO}Jma z|D>Ji3(NJwz%AdWN{r<%n?r8%npAxq^WOGA((L;rG$`zt)5lV0$KEVgh@Bx*>LYJa zE!W_FwB|>=$jw_7?>1E9dIErAo~waBt~@ku%Un{;vAPuW<`U-h&lYT9z=vXM0wORb zVcpIH@dO=h)8MHD8+2>g34OA&Ss7dLntYV55#C0WTv}#z&6K@C#^YGzDVmi2TFskJ zITRD`b$LiX_#0{Gh<|;7dHj?gR6b$PZho;T;K0STp~a$EO{qoa>qnnrQLgW1w<$dY$)KjzFL z3!aSGt(;1WzQcwijUz|ZythXBc6a{~%r+Rdd$#0-t-aEFz5J3-|V{<<_(G_xyA=!c)P>8Y5f(?ctvnINoiwfV{5M> z%T{V7%QubsWMka_%SVrBxr)Kh3cX{c253PM8*Mve*0*~)2{V{Y=L=vR8Vust?{$iHQR{eyyg^|_y8=?&Q!J~TH_~elYu+5KZCqRGR_k`yaVpJk zy;e_@Pyz<1&7V&gh|EOFyH@g@zI_=s^c=YG8+Vw$)c?oXyczRm3koXyue##@d!r%y zhnEg@QWt*$?t^b|Zi#iD_2nAV#-QI|_OhP7Yvz+?PH&z9*2;FhUbhKHq;*f?oMX>S zi3U30ONt)IS)|E+yeNAJ(lnGeOH@gNy3PRNI#5ayT(ux11(U~VtIz8jC_KbI6sg{b z&6PptX37LUX+8BTG$+emlu5d$c9%6k))JrbJmq;~1cfIF_0Y&^8^b8(SmypU0Z`t# z&K(>LjnEuwN?zl9WY_a@a^GCn@a1vO??MQ%r{g(56rF2t1-5r@RY$OZrPyy*8-H;Z zR7;h0cz*3r`al3s{&3DGdI&$xP4RenC1b?N_aSYyB$f9OAmf$wg(Q9PCu~=6>Gw{I z>{42eYc!?>X^pg0*@R5L-#Z!Pqlj9*y);a-#!9bYt zLZMYMRN5#XHPDiX*NSsiyf;Rk;Y`!ft~yy#{Es`IMXzj*ISn6Sz>CMKGzZNdVX7GQ z=;AHBwA}tO-4dJP(klM_0MBCny#r#y>+Gc|bCO7t8!6cz+i$3L@vk6F;RmqHcga7e zDNFueIsYpV{9rcUx3Mp>n&m%S3gyR_+}Fs~oXZ$eostOYmp|-fJ0FZwjO6b{oaj}U z#wIWGCN>7T&K^HG(?~jA82dWfH^9uAG1ut`KV7dF51q@OgVohHmxSo}H?u{n6II4y zTG&!aVrrFdb4#vBUc=3AthpJ#D}3X!sjlio{>Z zn0ZLKDlK`XDo4uTOr%$Nv(-8qxw4(UpPg}}2ZCbqf@9Q@1XIj|XY7lCZNOL>d(Zt` z&SfB><<-&xc%p%(!E^Rp?1M)gSNm%WPK*HIhrQ%Q@!LQ*YK|82f@Ae^l=cnMU*owXVe2Y%lO4~K8S;(Y z!DxDYFU=l$?uTLeRi*&MYS>UtuZEkPO^()BbMKzCgVXynND@R`;q(8pOMZLJCsrCD z`VNL@qqy?7ue8<)Za<|<$%iKkSE3445qEH$j&mm66|es05dl5+y-MNTQ{wI*v)gZ` zzam188`q=RNhK`O-ox^u)H(bnC7)(ngLsDlv#2_x9|XbcfB69ap|?v_PVicS486Hs z{4v50J?-@iBWMz_vq1a3YC(FT5Rwf4oEO=rzP7YP*K4O_85$>hpV_Oii3FMo@1iJsAg zX@O@4n?r8AC|j1WwU%c0)w!~brFR-6n83R!iyAynpFEi2cxIQA1I_oHN%zN1bqr303Yu`H$ z7i3|4ly%QB^rN1})LQXR1E$S?o*jo6=}N%{G?IWlV^aG<9F-}6=H=kpP z$_?a_ab9dY)>sI%JRdz%vb9HB!SSt&|Aoab-*Ex{4bg&YudS=FOg9pqvN^n%Hr&uv zScOjGriq&@1;*u`5Sc&fN%}r9f~4amP=40)7*`#dge_z~saS#9Q}9L88>@DsdiT1g zD&RUoGhyyy;(ZssW-ST;r2qLbHd^v(DsuV+FE~Wks?c-bK^ZeEb0~5#D<(y3Q4c8g z<(=Pyzz)cs*h`6uBGr7nyaOY7)QoA?#-#~@g)5XNy=>HK*EX>q9G>9-?NAH?b@G-3 zB+)j*JJBkNC@5uzv{A4i*)c}X2ZZy_j~OZo{c909=w5LslGS-A{<rtGkJNm@R zZh0bLYpDZlVb+DX;2o3^$$F+C%%q#lADFgZkj@23xTaCA2~C+T`%uIhBVPyRUQ9`N703)P z1E(LggQ9O~|DvYeVR-yHA~@nKO_6&m#|!Wd&&l(^dNan|qN;r;CXDKFidXoUXcigg zApoqD{!adMQ7%e=ylIf1GoHo7gjQf;lC?{D#WUD5DSC~3T)Z^&=cjTG$)38OctqMx zi-vrOL4=?zd~>mlKe71AXQPB3_L{xZ+*F(az(9>+|Z0HOS7C zrH(BNhXUXn3F+-bo|SubXoSFER_-$!*mzsLN4HzKJ-mGJ*sRmIBfsllmvRMw^%CI& z6exzt->z3m6aU~*Z+*a1ZU=Oet2(nnfE9Cfm2-pnul2hc7&=cb`CiGh`1cWAMJYQC z`E=tA{^Y$jhFvoUe>MDi{m+g%lWnCL!Vgvm+#_lVLPUYcUNQUMW+C6Iq1YQkmDftw z<9?&EPFsLkw|jUaOIhit%=2Va+UOBBu(aEXfzt0X-G;;I#&und^}U0dxGAOYA;f@a z_PlBS;4;4mAKQV?Pd=vfV6A9>PRjmMVG)`+37|*DW`smbK0u6Kl!Cc={Y{=UGY4x? zh1h(aExJj%Aj%WMO@Of1>lC<#$rJ!N4bEHdZD|Fv`Lw}lSKzW^40Qu9uHWf)5uhwc z0AfN8(<_|$QM>IR;i*uu)ZoUc3HXWJN=!W><}UZ1I^Z9oXUS8wBNdT~h35Dw75g%I zySN7UU{$Vv1lX~dR;)r0kOjTVppO+f1Vep`Wrey;bHC_I2km@cw+p?s(r!#{+ftR3xJ|Dp;?a(KWQvx*f8M*Om?rPrUwDe)Z-J5a1#g zTmJo%?);RQkNx!lZEf`anWNaU6TsZ)j>&@yOr#jG3sli2hzF{4CkZv*)5zBSn8x>7 zh`ijs0-4=VZ{UgOs&jflCLRqm_o}CCHb{GZIvWg0JQ(qlfZP#)YyoMPCpZ3_`$Yk2 z<%hNI*X9$`V5T$cZor^dk!fW<;o3hlyVxO}sllFex%j=&D)T9#<4U@G954(V-?g0~ zId)<9R2CV}9*p9}#uI8sJAmD<`y6EL4l;g;Mi6~I|{Nx`O8)E$rFh?7E-Xa)ZKA{?aOH*s=yd)B9`itZu$pe2 zGZfw`<{A<=i)#>Zw>Gds!st&eYi~7q91o{3Jjp*f#xh2*bTI(ekrbcq5wQ^ZlO~3> z`7K46kgpC}%}~Cpe%HN$r%gMKmoGOyYpP{&uD$56-tud|DHlaep!I-|Sh|i}>w?p# zqwf78eoz401+XvFS=fHT6(sBfMB?kIxG~DddB>Or+wY-#npf1 zVv_oz3{@Zi(|!9;+W?1^yL%Q$^Oo^iQ24-BVe34v%;gr!Qf)tGPmuLa1HAJDECRgt zd(L?=Sz)-~M)l6xi#$;38FBDO<+9gFLN`OY0W)5%5AXw}?m+B(H?5T0*^;<59I@hV zCnC*k_BMxc87pnaUtbSArv0>VJru{@MYhQLPy>UD?Vs)o|VQ$XOf!sc;8 zy@~|trgL8o2|Ikr)dRK~XIO`K!{_rLoW1C%pII`W$+MzhQos-5X5dm(3fJ;%_h4`G z;N?p*?5y_$L(eP8^z6gxMYK0FluK9QsHdZCLM56SBw)%q5XT4blZ;O41BPvE7N87} zrGMjz*Ra`HpG?Nwbj@so4^wYcl!m6}&t>28TDk<@Tm4#rc|JE?nv%N0+z}OVaM}1{ zauXyer!gX%5fH(k`;peQ!{oA4X1DuAf#m35ccBCvy%?q%$%)b3aa&vPcAnc z1+Qvw>$GlH`yJY=Wj!v0XJp$o=!c;tQjTu?ng7`KdvD@OGd9-|q?{W4g26==6Qz zTS`WZD>z___iV3Nr8iLX&y+p;5Y!zNYEh8G82PlI-KbN-8ni=%hY4`x#M)lHD$vCEKF=I* z$%~xm&)iA5)lQ|(K5IfNeiHoMNQ-w_nEjFd$%K^GNlP??RPRKoO4jwf^8=*RWky5g|@y%B=`E7yQui z+-nYH^Ccjzb-f_U#MOLoEfZK`vpG9!;YACR*#32^ci6~HJQS{)Yq6(4G>FGa=ukZ< z&|IV6Z)LN5_jAj)6TnNxkqg3i&L1*@7DcW4<2~e}kqK49p%JZuw@yeI7mGdG1;K$K zZ!_h*=D;}u{vzpHO%1+*buV!u=KQphrQEkb0l$eY>+rTl4HT}9vi|R5N%1AeVv{Lt zcc}1#zr&kWig93u+h0xA1EQ8LdP^%Flvl9sGL%<9^C=rsNF`Z8WVp2VB ze;cqZ+56^EevF;Avdl(f{-_?_|OL3SBd z+KNmm&(>Lle$xR>*6T0tS|b=Ag@|Q4h(D!am9pJF?un-n33@5yJCR$pct7U4o_g0_ z%&h`|_;u*#^po`O43fJIRk%E^**~8F2tut6Un{5+eKGLGwT7*|z7OWzAGr~XcKQI0 z^8HjQ6zV$ZX`Kj+HNo<1*VhMiUeh7|RlW9B=}9rUuzs;7e)GofWktI(tr40!@ClDe=`Y za~}{^3bh-xJvS`f6?+2f*agq>-mxVX?o5`tKyJ{gQIeWkoP3OOxY?7VHJ7Ox-oZ4%A~aC$dS zFDgN8AH2KK90|!o$sE)OS*?0QastRpG4%I=jF;pc2GM0MX^-t%_!EHCE~ort-G)5k zyB17-$gpO8Sc1n*$(=+z1%If$(-_9NCct)2&fH&7tZZ&N59i!|RWmD5m9+&s?d3I-gNJ|B1CR

k=Hrb6YU_Fdfe+RgtHT;&Flogbat%000xl8fa^;& z_J%TtGu(oA7HC%*)_|abT5a300M~gMn7|-%RnA@j zyd+M}az9P5dwISe9}Jko*>ZsRuST*eTLJ$~>K)aOcSSr0skW0Gbkq%b!E0=>$ zY;mzw;<&9JmFNBo#H?;lz9*B=H?Ne0afP%B?;L)!nXc<>I(5x%jAaG2x$eq1H;0Wz zfT(uTOQ4PVUD@tWo)XP^_*aoLLz9CqXm|_?CehcOzCD_{t;u{o=x8FVS$LQ{ot@vT zb>8spcqbeM3`+6j#e|#VSniu?*FHbtiP3QbXB8u1mCy&P)GJ7BO3*7+-u+LA%~~t) zQ&(Uw*oHepp}Iavly%xhU%W6$Otf2BVWwvS;_~f?0;Kfx8rAbsOSMdIDz*;yd?He& z2l+~x*4AIKpWl+-B0m`4t0y!IwgLcvY28|v8dwHN#h`XgMpLl-Hr>J9s~lUZi_n3 zd109Mq5PG9UptG8gC0;tAOR+|tHiOT2r!;g%ax-7vKa{k;asIaWqm~@R_S?D?K;Q> z&90eFLhmlj6{we{14QTlE%EzGgEIeekcuN&Gtf&>0oULn_Bq~S-`gS*?L0@we4` zsE`R}itBHDk`>?sNOzXHuey3xD=3pDCE+=4ZP-l{7?b10Z<2(0pBff-)|<`gd%>*C z(md#+er4LUr;R_i(Vm64EtvDGaRs3O!Y?ue)jWw_aoffDFDu?EA;0ClweKZ|+i+KX zuaw#OQ%}UV=L5#4_g?4qxz(UATOejFGdA!1k2%S^ikBopm*>OQN^^J$g{n+;&%^TI z?+mUaA=6hn3dwK^E@H7p^HF+A;8lQIwqeZzZ|;1hr>DAL$>iNQ+x&yKkGU*kudJr7 zbp!2XJ;Dp1-RZh71szWtMa}@;d1H6>g9J>GSHl;8b>`&-7(?siGyz8C?DGZxO$O#K z_~b_b;hFHe_N}wQ47cD~Q8>fcUpMRw zavAAMV6nji8w7I9ay~=m%FpSv6vnFCC`pjzpzWdWjd#->FDvCT2h{bY8w+M(kS&JRJ`V|M$}>phSK4>BTKd<7LCh0IVv`IK zbU(GyVOZYO@C)PlGK0^B-_@%vLF!3t^PYS@FfkNg4q+hS!Aoy-V78m;EA#k&4S)yA zuhih{SNkY+^e;f}u)6`cRw3`8!du|6TR;CfMk1ON@UQ#$q>6I3*;nnTPx}%$@@q6` z?CO@@dCikG5Z3;QMg8@9{X>>?)s7!b{`%0)JZ7J@5meztc=)Euwxm9skL)iMrGkim zU|J(GqtwS70MSu#w-tT8@4py!ek#mjagWp6?tm-l|6ufq4pEG3XcO*kYW<{t*>a_T zQecwe_|=n8iTW5p`zQ6)e;oAD<^0yTeZv)7$%J`Iqy4P9$TBVr07QlH*N&1=WScq>-<|c@t5N3>QYvTs;b6rw-0aA2zgH6o$CA=&hQxX%DnNH&j-k1 z-~P~y30BK;|A2*?-H^`|))m+O8SJtXPhGNzFO~Uv{=c%s<<2P z{2!7_|DF3A0EPdG@OCAQ@=a7+YD(M@xOx0fQY#P85Bto3siU2<-S6teymtTeS^x3n z|6R5TX8DoqRnU_6TShKdl`YUHNPHRlr(^K{xWs>S3~v=g<1pv1GjcyOA9##^h@RsR z`hQd6ei9WGO@ds>Bj*T@^P`uY?wtQ0i|SvXLD5ybKWG*QoA>UYE>z(E*AM;I@8y5) z3?Shi@JKj6all^=o(a13?|<+w`mlfg5zqk3cv}+g*Z&4b)&4wp)?X#@|9_VOpI>FQ z{}03MW5&7{^u;}2kC@=f|GxPC`HlP`?e;ZSY~L=}JO%(S-Ct}no5FuBYW{zHn|h*R z!n)^#KFJXW<37=FA+LXZm497D|9rgwE%EP#fX=g^13^-{jldWlFy1!%_SY{gi5w_! z%dkO87vAN&kzWUn+g&{rKcZl`8jo#POkKW4W)XQ$2HQ9R3|{ZLH}bUB$N&5kBI3%i z04kuSJ)lK(L(0-QAhXa9&{)z3!W%h&_QFQ>`0k)FCwOF5* zj^Dcj_hPdbOd`4So0CH~ACBW0O052*wHHuZ{Pk@Co$ogQ{n^aA%p1G>cG@buz}S=U z&FyC6Kk5V09&yxk3orYQCwek)83I;gbf0mX<5I+h_0@39IXZ5*QyqRWU1Pmquz&)?hAifvl#wthd}~SX zc#GX8x^ximLuLpS1NVO3x~OA|9y&vWS-rH9aIH^csf~B-Q{ztT^PSZkkzLyh~Z)i|dLVVonMHTLykBA?MXwclPn8ji~MIbLM_59@G@ zc`*c|8m+h_q-&L4a{C}hJsSPzNu!X|vcJ+iQ_0q}a(s!vx2tWaF3j835I%J*+w7kW z*UGTs(S<(MoilcQ?la=MiPozD+M&k0ZS>TU^>vY?YU9TF7kfyI$SrYit^!a60H|mK z+a-fzmLMfVn@k>`(#P}RahoX2e4$d)R~(WJgJ|JcjH;CQ)ZI(h2lhKRXnpV>CUT<3 zS5`n2_nqk5-bJx_&Cd}1dGR0etz_Ik%$b#%Jo;yV&na67HKT_+1-1w7Ebd`wvC%i04Z)fbeE?XVffZf0ij7B zH3RK`HRHj$mHl=iqLAUM@wwsPZ?qApL)lvpF;`XhA)3{UT zV!EU){x1E8^$Y)GQ<5jO*fo@(oyR<@3EWcjzQ3If;Eq->v%vHW2ojw(#sVDgMw@x? z;4w-h(OT1zBZ5xAc6-XswQxhi+qDXZf4AO;DOS2)_xcqD0Ao|lL|%#P;CzL&gTb;O zOT{VNwh#AlxoDlQC)dh8$58a_Y_GjX@g}&~E5rm(m5Cv(JxB&joISRj-BZsU+zv1H zL-17o)20O2t$bAU5V~B(KT}OZz4dA8L8hetrJ&)>xjsV%Xy%ple+wbnKkcuVdcsDy zg9%PiW7f)!0;Y!|+63;brbHY9z1ObKoYE%V;N|Uja1(gdYwiF0<&zS<_J>G+2-G2Q zO_*Fl$;e!{yG7*BH(3AS<7%S5b!UOg)Ojk$RZWhs;4rT^Zaq2%nrbk)U#L|d@a-{2 zZ=rHc?>)?JEl^{7g4!QV1LQa7Z8m`5;G0%EtyTiyHgf`&YyEND#P78lO(#YDE;_pP zy{+)UmaYKwGtC5gW!8v!HVfDq)OQL12m|!0BznoQ?tx{oQ}=4$$(^WzJBTQfct=4! zeVQIx0}7?7EpXS=Kw;H`dDUvW`QdTv!CB(mOgZLwHmj@qr+>D(;`-(t#c#AcGgs^Z z0LsyY7Ql{eOPg%Zf~{Dc5VT-L`NF=%>DwwSFeIi7^t=8nzmBJv2A$uW2T{TdFvg$l zlAi+`^&^T{&1WXICi9m{zwcU6DJJr^PkCbC!SdP*Bkgfau`b<8nchjpIPX!rUvAAi z)hQ*Ac~>ON=ziWn4Z6U6Bj~l&}(M!Nwy+`ZdQG3x#wiXC$tr$(q{P6N~i!TM^aRyYS-Z^CDr4E3B360GX` zwD()($;rHY_(uk}T(`N@I*8ixk#lY>!l#y@n0LCd09!S@*XeBFl%m=8C*~xS8#Fg= zBrCyyMXK20ATU?$nsnY0yl}NT>=de9pRL%+BN9WK;OX60?wtQ!?F#BW$)ZrJk<41ZzialqgsCNd9Y&#rwiOg&X6T6QOMz6DJ*WaaHXq_aHBlQJ+lcJf>Ih(@wQwJye7QMmF4OxPnM4 zJ!bi7kw*2DZ@OSVgmLo%YBgp;nPJxmfmW1@$kzhIwrQZXy;Y;XxDW!&tT$;hpe_xZ zul;7ixVSy%AE5S~mbv6nT;T~NRm9Y_T7c@L*moh>6@(>5Gu~*a~1kVr9c-p1y3v$q>06BLp8Yf*yVtmaV46I6GYSQh|K|7=nnnp=p^VA>DGG+ETE{W;$UQHnnO-i%VoK8Fz8Y?JnY3 zOt<0_AI_{fU<=tVSd@&9Ml@dPjGyXm`COduhB&|wd(~<)UYB*K66%q?s&Ex18S>f;b%g<83U$Z}w4SLjHff9`aDdluCQq}~C3Xd)eX zm4MZbe^cUOQvG%n-=DEZ{$SQJgB1!&1tng#y3KHjAc_btx-h7x|3jadqL!fR+)nGL zeO6g;S@#E?JG-^;%Z*?>(DOHVtM|a7Fhe$bd%Ifd;(bkYK%_O0gV)56v+eoLDZsR^sNIAz(DwVXO&a`# z{@wjH4s2|D<##=Mn;19v7Q5Fj{naQ)?_svWccgkz7^Y3T(Hdafu>O|Up*Mi)ZgSBM z7)+||p!Hbfrc_AfGK)S`3w>|!8!?7&m}m=!{DNO({KfG7*(7lgC)%W5%h!$Y{&wR;yyLp(soZx}#?zj01}FyYA` ziKq8#qdt%J&W>Uv4f377T;b+^^<~So@KYS6o~`MlOLHvG1vcO7uK6TD=<{g(^o_OW zwa>A4c5wFVcq6XLS ztW_+vXwP+ypmPYCaq7#{jv7ycr(8h{O9!zVV2(sU; zt5<0d_fDF*ltFpBfNunUt?+&*MA|iKQ zx_`RKKIi2vay*jOD=xi-0cx(zwt(3(_wp=T5yHHoGX`(&j~LHxHh~^G82&h9aRr%Cu;1&oxvc^RDm`K;-`ip^w=I;SA%=nXfzvy z3&aCFcp}(#kb*Z5%L8>ZaRGe)cszsTqT8EhJ^u$a@Yg!C?F-BgU)*%4pFyk5~hBI(PN1BM5)MvKQ+K8UD87&((_t< z0u{`Ta2f^`oiMXlzy=|N_&`2MxLe3{&Z~8CF@E%Fhf;as*1Ej53jyH(>e1^uZ62f_ zx6FECP{vb^L(k05{X1qPK2u}ZyyL>$kGU5Vqb6rX9-)$COPkA zlwCvTrTe-8+piDLdJ71j`%WOJDP?w?CAHZ|r^bSwKIj_Zdv!FF1ATF02c;;SXz231 zxqYtDnO)Zx-DV9Dp*A;x^eNA>=HxPI5FY95fYelS#PQgI?@%L{+KFlSp3Wr95T@Qa zo|kdg2NLgA_zO2d#mXwY8eSqBasD@G)HZ51v{>%oy7~3 zxn~C&*QkQ_ns!7c^gMTm4caXUR~OuM@zrOPGJi?x#TB7~Bb_qappYL41qhd2_b=*$ z<$bUDpq7vil}SG_>GXzD(+MBO`E_BJ@HpX!|se&an|^3e2T86R2Rg zsSYAz-K1TK4^b+J(w30xMFrC;+4fH{Cg|T$52Y?n!hK*EFBPu0AX^ocM6pOe(5xrQ z&qo)OoN#f0a7L*x-=#*!5beJV%zctAUK9es>OG|bsSf}`N9-F`LC|R7)bt>c&89o~ zkF#E)&-s=yZHa`A`B_>rgI=0@$2bVl{uO15w*HcvttIZrBWbMWMWtWRtx`aORGOu1 z#P&&J8gJytGrK^~vqT-`3-ppe%yy7!Wf=R#boX3+7BL~2G7t45-V}~c0NT(4u zk>mo?tqYL3qQ6cM^l0{HSoYPVQSW5CeV1zj&X{8bx%JYx;G;dji%epIy(BH^i)qlO z@G^)M(=*p>{Wg*deF3>xn9BJ{w3M%$dt8c@1vNQmY@Dv~2%(P7GL1mh)7ucj{04pU zl8JKWPpL_{SPy7=o8D{OtsQ0tBny~F>>|l?xC){en4A^Mc9R)3l3!$6CXTAs^YVFb7q}QcV953Eru6w42 zk5sR<3TXDL_wi`cgFPnIvQGkcg`f`_pjPED+4B)~&&U@XsP2Mg!HvdI)*pp3zJxSb z`D=bc(8+-IlNX2HP$S)^HCB+}4}do@`g$SW`2t=^o~`)_}wt&g5-E|p2?Yb=s$S8sZ7_1BfSpM>J4G<32k3$Wd8V? zEG%ecKBjF4W+#l(v(I&7&Z zfs*=iCk_A81IgK7*U=ZMFu0Z-_qzdsRs^I{+mLA47WhxfP2ro%iuJq^XlB+2jw z?%n+IJ?7IBKC_!*0iJ$B)!Ig=oq^pB-8SszYayC~f{c=q-85eWj&WGdLk039Ts7s~ zVYJK_snnpVlMcR5O&${*d*on`TsSo}PB9)^c&eUtlGIire*ZCq%C1=~XSG2E%U zdbf_@^>c{hYf>=>@Gaf>!P`&;k%f!z!wn_X*07PPp&f?Mq|fCY4fp6TOo|%YbMK%H zNygqgr7sxdrS7Qge`<%2isp8QoS+ zTFDAlS~(D-3`0mEsWN~oI3-9?e_vJg7 z@PTA*^4%z_TlF;+>}}76h}pvKmcFPRKEe+SKEl6gqQhe!i;hUjmLrj3$3A}5tr%I+ zX6S1%3qN=#y4qZ3ISG!w-%w7wTOjss`t4bDDH{xjp3B+7^>b0D^$_PZ5fyLHF7ZGK zl|30cUXY?a5URp?4RB>sda~jA_#WQx(kYI!rv6AC-j9yo+DsChf)=%UHDqR?ZyD0P z=(^UEDkL!XDeB3fRBe?>~+Zw13e-ez{#aGFD z;nWmEvCh4%Lu^(;4cZ}*Xk(y__@ZZakBaRc1S4vXY+hLvjjWkd#IuOD&$LejRe+ts=l_6@hB zSwP6+H02|GG(2rMN+a4W)KP@cH94vdgEvUwf z3sWh9vSCL&9SMIN zU(wXHyl-UIWY%n`G{;#gX#<|396w_}GX2y|p;MkYbM(;?p=HWrl0JR!yzOXPV>INg zJa&&@Qo1uCOyhLzj1K_ z$g0@}jNPu4oorOB?%!W9#RxqNjiK_pKtu6U7rWVHU7FErU0B*bR`WeOFGp>^B$tk7 z_EPPmT!Qpy?4C=OPXq!M;y_i-goztW=Il{3rl;3|zgULQ)>dPzZ(4MGUZN42OG`uh z(kC6Jy{Q2Pb*+{a^4;xkMz`hYS0uAAv;>*;JWohF@ITW9ogcE1G&q5M7qnU>lPUgv z$zCJlmAw6AmRa?e(gxMD0O9q0AB$tVb;S?Tv&hxkd!(UNy!&AX8h$x08&>9YU3zY7 zotgNE-dgGB|5&=AqJ}p~HSF!~Z!WPdQ`lycjry3`6&-T8mwoZNe^(cF$^aJ9E2|j~ z8$M_AY=gdEGYj+-{?<##9p~4zezeY3 z{F@alV0ch%&P+?|h1A#+Xu*d;T=W24->Bix`SV*LT-Why-UdGDouDh$o#arV3JGsM zKg&il#Buh&&p&|(u{BrZ*XjnQJ%PRaU1wvxzwKI#`s*6|HU(j;|5{H`9_DT-*!c-)`VAxLnFcbW?A#tll^Dy^}MGLxphxDkrmCsf31^1H>m z82V2SBc1De1DRJg)dwKlLa}bG?{fuhn6J}6`P<`#fWN$UO}*~XOL_(*o5d=@O*?E8 zKdH{s6*5`Ws3`)ZxbbKX5+{Q~SX%#Lsqe4+VZR_{No zg13v$o_vQ3702*yp$NP|Dn!4xc$C(E-RvTu$)RSF?L*rcTY&FVFrE%$1OOY4V{f9&32eeB>A|#?UNzETcld-0sm4=l4*Tf6QE*C zQ~7Xm94d)VvSA@y)+W-yWe4GCa#$Hzf92;FMbYTzi9%PTMSn86{@W^jD($7 z&Q=vJ-3>UjEG_CoBrk3mdr#<|$~$u`G!{q4_sHk#7d5|v^*qlET-`lIeIxyQo6vm2 zs4z$Aps&+;ei=lAv*?t8@5Aa1P{$NP3jfVTf1$L(gi_`>+*Cr+F6NKrkZ=6uo++XP zvfdNjleMM_r7RYN539KBo*n#Ri{5qs4rTU0Z*B;yxNr&C+eWA4Mz>4Ff?+p(+bq=o zluX|tn2nK=xTQ`KbqdW|iLssUh9222n=3d#a!@YvOEEUE=Kg;?f|3Z_A+#twWaMiy z^!`tHfbX*LtR_+xMkeZ>P;_5Ed+I`V$UC~sJpIpt$@r;KXM-;(Z(dXwnZKy}-jnEG zzNV9*{q0aiD54;aW7czZque^5?|!~hlMjKf* zQDl{)1Ki7L0_bE>M)svR^QbS)D-QB;s+a5>GG|j^y$rfu zPK6=3=aZ~#fj&mCH1jU)H~WoKELD{*$mP2G`8&1s)h|K)_o?1xO{V?64R}5AXBsz@ z(2dSg3pb0O-r4spn0JqX&_WAU#$(ykyZFa!?QQ*eYbcmhN2+Y2(fsjSheD~c;EenA zL(lm2POK~{eDWM~4t6hMy;M8A6@_@l^b!*I5b`&V3IDC21{RCIN{VO~W~b}+378`z z!>m$a)9h28D@NKD6%q+pRbS7t9;7q{X4Nur$t-^!8Jo|eJmBAMGLH6;a-EmCbP}%V z%<_({4<$o3Lh$_a^EnXpiq%%>REgAc*_S_`)>J#`6`FqgdiLI|frTT-@Pq;;^xE4u zdw9;xINRhEsTkOOZ;^);q?3&tdlSi7ajqLQE|cxEVsJ3PN7bFDHtq1ceo2+pm?c(8 zNYGoRY45bx`z{VmY4)y2pGV@?(dO5$7Y|^;o0Sy2)F%ZXCP|kaA~<91aMN&!UgPN7 zdty-meCZms29+L*wUJ414g5X3CcadY@d|DqyT(e6$6u!A(DZl+YO$?;m=J&cCRu5- zk)h9YhBdBEF&LlKrV_#8P-&%F_(%(Eg%M7Oh+9G8iDd@4(kE-@pfa2|BtNyPFtRDFa-G#NzpFjrkT3nsFE#X?r(M99je&e^C`7^l z_i8!p&A<_&&CH1-!Ub>{e#qRmz39Y*ssB#?Y&k1zWgXG4Zc=zRdKK4v-gx>2X?O8h zwo2cOS+JLifElN8mP3=##xOg5v?FWR@Mh!Zm+^Lb=d#0i5%iYWhY&uTYU0TW^1d zG^8b%XtL84%sAzGjNf`%BKBdzzmz07vt6naczOnX`A1)F@^2sVC`igpXa;Tn4=)ValPvxqXCs zMV3St{wi~wH(+IlvE_JtN|p|}9DRT}wPN-pzLihmpfg|QPqDkww?bw|wYa!1S^?W zxR~9!wY-4PqqU)}VU5)ONs#b)8^OJB*!K01FhP=S{%Fpd-Nkjl=6LSeS$dxjwC=Q= zdxv}cms08k9OU$*Z2n;T0WZ`_{%)o@*k=6f&kCIFTA(r@ zGzn|?d;{ys!IHxBwL!3%qN*(58EvvcqF}!@z|BcD=oC-5yFsSnM9LvwtzbT^*{Z~V z{Sj5cUuA`?kyNUj2y2msqK7ZR)?3hG6DEKG!fg%P>fjZ;*^JBW*Y#{lWU6Fd5|rW> znO~FUks&Ngr*xI$H`xMemBCz=xjQ7BbQj%9De+agJ|lW#In68A%*eJ0?r)b1G_TCu zsuiORWcck_8uM}_3pW=NR%alL(m^+THHwls#C?i-q_$AA*&*Buw~xByBHn_sOA=DL zZf=wQiYmBrGZ>h111e-Ij^Y&hyB5u7E6wsT!7gbMcf}h4WAv`^z{IIe^5Eu+DJ{1j z&A3Akl^W}pPL=YIWNl07x6BDgsNI`n3`MWW@SC=#uHDT8g9>@-^uH1BKnJV%3N_`B zp)NW8YOjJ~$cA_yn~fW~#vu&E6oWs8QJ$aHnNe=Z+BS z&nF6joH5zz!tD`Wyw+X!LWQJj1&0WSq%=n-?szFo6lf0SBudSPRnE>7Cu_8-2gew_ zGLh2GlR_8dj@O%|SX8d3B6!Cpsa0kn~%N)7{Kh2+jMk{?eS%^ z;F-1g{M+fTDs+gIxEhf&=_-AI6>|zJ#CouXx6I>Z2$0=1x>#osm{0844}E}`Rox3O z`uGqtr9Zb%i)i2|P#dbdWlAW_moTG9_vL8LN9~#PmR*T}kC)4_fh11LB`ywViO`1#YGo1aHt#M0#aNsG&? z=xy%`sL?L!#Ne6{zmW*ERXQ4|bd+iK2f{J@F$3<=JrI0wLn?eqE}g&o91{dxc(^bU zK{OxY=+^_0aq=RO@-(75>g>+&?eqa7BCINPwQ-)Fl>azs{_=#^SB64?^bctU`Yh83cVwU2+=cGbP@pQ@vPIgT-U-fAfOLK4i zW`pc}yT}+C$Zce-`l^~jFkpWzjK^Na(_~d(h|g{qRyyD@wZJ&@#Aj1Nq;Zgs<>{+~ zi07R}pGqBmHq;bTCV%uCN!?;rX^5>yL~IXi{}i#OC#C&PuOuP3f zBY_2nDnFM^)Svf?p*kFT3rLHVEA96Q)mi-Pmb#qYU(zb@lEUKq)SiU2pe8?{_@-ow zV~FOSXfz)8g{S?b%#TqaC#VCi_R!*Tr-Zkjm{~*W*5+7#v4C)B{Pf)q4_h6Ou$<4E zv-P?PDKDz-Ab_+Hr=L_nvh#hE1MOZ23rTlrV@31*9_V1VJoW%n&*@n-d7 z<^c9N?P%gG%A2(1H(!P5aEu7<4-i1%kEROK3Q4(=&PpH6ci$GXXSr)VwX&6~!}!F?srEHG)ChW?O`xeUExhM{s%YEX_0`Akd!y9r;4_B@*Km>x0+NEw%g9>T(=z9;Mw&Ij zxgYUhblesz3s1WwmsDA;JLa_nFUH3JFPo*^m}dH@z4!i zKjc)xT_ysqo49CM8a@soehc)Vj9x;v(A=QLhzz6BFLkw2;i~DV(XCJyUwUZL+wSnU zC?Qtr>3+UGN0Kn=?K{}d*8;HftduoQB4M{9#-Gbl@PO?H*Z8yl17Z)rpDqN8E!`L~ z@Zr~7rA)dzatf6kmz2W^l6iNzkroO!rAH57-5xQyIi>R2adge}!xop3c_wfz#8v5) z=(v_8AY={1xy%EljOoO$51F|bz|q3{X!Kp?Fks_SOL7)gr*6J}o6{ky_VT89acNkx74>>$j~4{*5x$GYbVCN& zVG1%;MXlr0p}K8JV0pzC7l_98CB(&kSr7~W591AzMwoX(n+6WlSqt@e=$+Y0Xt7$p z_-Wk`m$C$Ey1qNM(op`bbh#AM5Yo7-Ut{)mLRvht;k%pky|*HMlr1MdnUyvhq1!0E zI1#ZMKN-@mn!k_ryNx%R80c4f z+#G2Tf^*c$t*f9_NnIY8`_I#>?1J9?DQ&x?tGt{BFHoVH%eIcwAlEveJREevITw|= zq4dV9EL5VcK_KzhMO^o_A4xIgu#T|*}vzHxW`|<^EvX=9&uBj?indCdt zy|l%X>MZPJWe=N5R~>qn*vg!~C}ziWQ?h(wQ}?5xCeIi@0cnAH;XR8Fv+Ly5xbj&l zk@$Rkub3n42TW%dQ z&RBP#OdgL`r(-X6WvQLAr+? z7|zZ6?QehY-sjzCo&Q|3#I+or=e~b=UB71}3dgICw7lxV5YMYoUwa?i$?L9Mmw?CY z-C=6sORFcq#1ox4 z-k!eK=LB3FrA~pJf}=E>$YvZ?8qs7R5?av(>VgRMHemVEPA1yyP2uHS;saQ4N10X^ zu=AS?P(oGCj2B2B*Ij^fVjrmj)l6X&%vG-*>K1&+HQ@rchjmMz@jS(e9(q>9z_w|SP8fN)ALaeh`+PY4z?__Mtke!6OuXGg(>|Q3~l9trSzv~Bk_Ht&)9J`re ztfA`iUcJ{=ud3BF5ACBe0QEMQOtKfK6xK3)CH}vw$xC#$*-n{T0~O_od=6>!qxOkI zkM7B5@mq%e*|j`394gWER`LE}9PYQ?S#93CVUlo#nk>lvC8vt5LO9$Ef= zH<^3xe1IkyY!D>f(t|kOvviTi8?Kk@Mtm5CI5-O+*{?t%r-y9NxKh z&Dj8}ikt8K4vQdx7w=614vdE7^F@3xSg#J*QQx+*ldU-buGg9Or;-Z$QxBjl`TT3i z;2AvU`*ZN9zukma4*_7S++e1pp^jj;dlm+(Hq7>`o7*KlDcskG6zlE`J|aSS1Y(n_ zsrR>E`9dqB?R->`@cx4WvYdcMP(7j01?55?;xG{~0WEhWq@$28l~?|sgZbaRqkny3 z#`MXUpchB;(IFG|nY@BW!7mX^c{&VGl;%1$O}B-2$INR|O&2IIOihV$of2I-AI1BxuoGFJ zaum|7Cr+NJ{DK*ZqC9|yP7$AzM=FfD5Y{}3it@f_DLA-R1RR2>B#v3FZ(A1dpL)`- zE=){Z9u(YNX#mXmY=9lZTu|)Lxr8)+mqINQ@D}Z)dfP4{k(WIH zrXH|D!(-dn@4Q>%vWx#5iSMPM`Wr&{i~h;oJDFmbzO{tobpZ7y|CCxgNPEsQ=*eeM zIF^+<%r?WL?sO^4c%>&%o&;_`v(Y@=e*rei_l+mwKeP^^fv|!S)2)eX039Wao~Q#F zHbbd!3Vq=7CSsYA8zu+dHRA_dmZpU@JA6nWVEd>MWVD3k`_ngJdgz;YvwOmyPct@M@8ONADZYKHw!8sq?{cC0MMM z@(CXO<85>c1pUEQbmBcDFQM5ylzf`bXj)cseqwU z^Ba;XK$n4yb5N2W*MjA*Ng#CkP3so@gGdK(TNTQ-xdZw?|0*Bb0u`5KLL#?~?$0tn zph|u$my`f7`hhF-mWH%NzPBB?hgg8C!_+f71c0#vR@@dfe)>{Bu0LJEV;U33bm@Lx z39CqVnR8=Rd0}QxBsk}V+AhS@MiDZfe}K9HI>C(e7$u+MPgx^bE%5KJ`dijN2OhoZ z`5uyI%1=hdz;_+E!fiUx*n2YVPqzG`7~IR89~y709!Nj z9_)Oh&^@&AMrk2|v5X(986e?!G8mR*r`}4~FSq1IFYq+`c`_BSWeQ1r(d`M6A?*9d z9?joM761D=_KA)9M7~SE!2IspCt@W1mSMeT|GU#vXib6O8*(3&ywYq>IW@s1dzV!| zJUTNcqDZ2wX`M>z)a1xN=}c*^%{V2`RP!n9OYr7*uAv*vLh=%=`f!W4K;QQR*_Qj_ zGlF*e_^Hbzc?yVp$agY4g>mqC5~Bi%dHbZ-=o^!95DRM{%a}6jN`Ce zU%?C5+u{G~hWWofXTrM4HieW@fJ)`~{@isO@x&zx4r=Uz5+1xa(G5EbC1o~F^Vs1v z(RbTh5RE6}B9qS#JB@&WmroApiWsd`s~yc809~%y2#8~%V14^98~{SRkTQ6}HZF|h znt8r%el0!&iNo-~Ga!s|w07lLDwfY`^cjEyTO zlxmzYt*$Jsl5Co;tBrt+VWbrhSJ!&DKHRIMAoxY@Nw6%!FiLPm7icFtE9#8@f4xh8 zd#_RiFbNO#5AZ$Trtge;GWA=VD-69}sEZPkGuh|;nhKHs1hCy)E;DvP7Ub(n>E7rw z>gkSVAOWFFFX2m|95^WuCPr@3 zGuP=?5=g0d-b2J*&+OMS>V5s9bgB>hoP}lTQMZ|ah=5~<%=Nuv7W)yP@>j{?yv-0s z??>Is6dv06{Kf@9`0d7j-22~g_dm_B{Qd993t+6h8Aw=YT^-(ZF9S@)Q z?5drqUV*uZgC9E$fKrzYm@tJq01`M4v>uP(&Ra88oMpAZ7n`vzLp;|O0r=I05oK@c z`>!QM7UI7P_FtOs&eh%F7FHZ*&`uWgsNjX3{+8vO{;e<0WRCoE=F{md--ZIL6K(c= z>M+wtXh;PX(IU8ZQi2K8u1QuPqIGS-p*ovs@b)fsTpyAM8+ZQK(+Q{d0S9K14L+oJ z3B4QDGWJI&7GLX*?I{{{Wt4je@-k~M1mqQOF~)<*QQwwY0Lx_Nwf6%p3RZt=W- zU%+{5+W$d&Rh2$Mwe+Cd$@t2ri1?W}RftFl=GFkogX9F&WqCT%ah1Z(a7f&b7mugP zPp5b59a7W_d0ydUEkW@<^UuKrj?NYahsyrxpcc_36sd*dF$tv^?H{B+TJ8>GwEa9H zYCfIlK=x;P?wyNn&bX1uYl3UtP33%+P93t3-{B)6N%)_YiV6@4ywiB}CJtK;qCl+M zcrvQCAI8(UC}=uBhXlUGL~!0Fnxwh4hfEOiv+C8)u;|uK(8V1#HO6i1t$#wI)T7^= z0dwd}7@K?|N860cyeI3ueXxPt1JrByY^Bxm|ykwu(dxShp985J&XLdGt|j z)m1#8s>(L-@zKIIM%Df;$ zBD9~6sgp&+Q&Dtb zfP3D*JsV^zS(zQN_2J$E>^mq&M8bDjdlTGYvY!{QyL<27WD-Qi!z9Fyte)8v|Zdn zZ`;Tt^#Kt!w5+rtW$^3Cp0ETV&*~}=tljGi01qf2SIP!`W2Zr7a!7*rl#UH&VeNQR zSdgf=3()yD?7ALYh|{O#=f@3WE`f;kXPcpJ}H<`k5Kpw#h*deXD)_SKtpC;K^P zOI^~JKn|w<U;F?lrTv&f@?$Ac6mS8sQWjods(vO9rcv@S{GgPA7V=+~h%N!V253~`H zn#(}HHp3y20FZ&YBS%X*H!9OFw@h~a3}4*o{>D0=Zfgp%Fn!zN?CbAS1e1aA=li-} zW+UGs&6FD|a+QlycwP6R6FI$e-3~kBd)A5(;tkp%zjKX$_=xNqNNz__geH6*(}CG8 zHkcB1McC-;xX-8AIjPRoPqiw_o_=h=WKlUd?ZJrdm|N#dz%D2bYLDb~MiK>eJ<6V3v)|kxiW+F5<*atnCb;5kn+5>LEKiYp}?rr)JKNIjmBh!;DfGd{;&;YAW zu5nU}c|1WNt{ba5gIxwl1DAiLTm?hLmW3C~4p=&$(!sj9bhpTEy${k{aT@4^r& z(5A$o4HtR7SyVF#yYu-DkIH*cL14o8QF|R;0+8J!twDgaBk1+Z5c?}>rZd6t!#aF< zw25BGayspJ&*`}Wq$gV*SS5HES=kEe`{f|GjQ-sw+2c=s%Lzltkq zR(U6ZG4Fj+HwjwFT4d|!r%O^fdvC4BD|ctMvC9N&s)~&#{t5ztjC{IcmqV*!yG%Hg zKZWTiK&{#J#9O#-bPrL}9H5Za@XCqiuJF*=mD_Ip<<4A|YQ%_9a>u`aXZW5Dt^0!R zhw5mEW%)newsd9~LJ_P=YtB5w>7B&Ex^pU0rWg9(bYU86I{;cJ86?}_m-e6}4Z zijO=2t}M8=%dAu3+O_lSVpH$RK9k3I;H#RR=c|YE*Yb;80KEE13F|$>I*$@K2)+)& z?`BG1LR$jwagyu0W&l%@oav>EZ<}VhdBE3FL288C2N1&QIPBJ)RC5FZ+42qyfj@r7 z_+1|m+-fIjQQz09urvdP>C?H)DH0M3!GmFWzu`0Njx zw;3AXlaqi^?14ns@{!cb)$gF1VSKRMxx={WFAYTLcMF|ibRh8ecDk_Z`M#rmYh1WX z$}yOK9ylxwukF|}Mji`|H`U%oJb2Xu0yP`p9ip))W-kgNEcL!Z8-r5S3dr&8*)RjI zf&K(vqN?p>B!eyVy}U$ekoabj*OfaSd7OnI>0fV$w&c$pE6j#|>b8Dm)jSVy*qb)j zu@BxD{gsgIJS$Jr*EyJLF&p^YcrtV}a6}c*O4z?JtGsxg^y;M!UwJwAc=4ssik62G z`h1O`XU-F=C(%Ti1FRACE3Sg?(j>b-$p&0l=FZ!b7Jwj!m>SOm)n0>ue2gqVtOj|Q0-EI6F_g`PW^Cxp2>+LxYeU3S&-ZFq8DBD9LSN`$>?lx1QfvX7_> zICj$Gq4h(@u};p@&$CnH%+xF8orY^rXW0@V21MN7BPSi=6Ts$)G4+YP(c4SDS8_!= ztCMkUZQ|1dS8LPgD1Nfq7Z+A8-lG{h%ntIK*%?lW05$h5@rBV>4P#Urm{dx9_JujY zow{Zx_5OXQo>KUg!!)SPS0;$hQ&;2`bSIBJr%DD@&ySnZ%njNmLTN9DM}FA_UbjpO zXR$50Z6@`1E8irv-`h;87vz_=f+v+z^)9bF^nw|*Z8Yf%uxhY4m1>0LaAw;x=OBb^ zeu6^8?uuK~ADq|pNmg4XeqNbkW_3m)c;m0}@iGwDSVb6GeY>YCJ7C-6dM;X7`c&ds z)Ggmuh3vixPs=ZpI^ z^@1Q~=Jb=reM7uU2F+H79#6{oiTdJ?lg~;)gSoT|jhz?lbTiKxAXqQ@erk3Wef=Yt zR?OBN_+AKFe)Z|BHH|riGu$ma9Z*-CQUKdO-74=R%Ax{;)8w}vL@s5e-7mG~I0+0V zCauVABp+L8N=-j}>0L}CEmXeR__ct4J3(oJeamr2gS8xL`lAP@-SHTCAX>MzKWCGz zDT;cm&0p{-%%NT>s8nt{X>_aV!^|t=v#wV=GYrr9R>@YM$iIuh_!^tjS3Dk2U|hN_ z9{yUJib9%!Mqz#xbZ>{DCJmn$3d*UZ3zA2`v|jbLZ(;SKQ(sbPM-S){T9#avSyJ+Q zjTKs-A8%0CYYwGH(V)hlFT8$flpFg^8b#eh4dvSjj!U0<2vMX@vmX+7e>4Ardq-_y zZvhJvFCMDD`)H$jTb~QMTw`56d;H*aw6$aQrKkZ|kH0P-&(@k=y=b?+XXfEtYUz19 zsDT?E>0;Rb&1<%Vq={e~jcTSkez0HX^mvDcFT0<>yBlhFMzG*=^=1&O{YQU% z5f{yN`Oo4%dtmIwxOYl!C#k(W(=(audgMjA;Q5$^b?tc5PtvK|#gVJ&MZe)!!@N87 z>*smrCRMCT=!uiZlXgxuG_u{v-FJ?=6pa{8Fhe4P_QNUbV{&=s11CKOi?#*Vk7+1R zMrGqY&C;mPlWN#th!tk2ipHGTrilajG%BQE=RyBbFfy~Y?g~fB`XnLT1tcBTMV-l8 zE=pLyB>RJ7m%L=28>>6QiBI!VZ`$LReoMF8DSia^psLz-^6 z!!|=v-@N~xEC2VO<)2_cyBr0@xx|y#wNS=RGjeE-n*`l-Yays72#QxgaRv} z?T!}@xoW=pU=`{;*3%Hb_az@+U)OUJEDEdIg+5Fg;nND3`mQ_sZAvAx>ej-DRgc#O zTS9KC6=)jOUmVC*^5t3rp}VE23Bc56lE#ccwa>CaQC_Ah{1%;)2a_1>{l!BWJ=4)& zDvC#@hX3mG7_x57%;B7=s>fg~rPwZ#5DXFhB9hFHg%pwtxFX7d{fu)t$tPR6^Zw*J z2K;5wM?NBvn^-3dwL+zte(7^g;*m?N6)2FmYYdKR8OL}|=oO1;ILv+_HzBIC8{YY< zl|g^sw?y?uh0!!VQ=0k*$$Q+o{2eb#F$f{BaJSValb|{?$Tt)1X?1yxLEoTIEvqD9 zTCalz&L=-bCK_8@Tg9+{HwQp%zx9#Hd7HwCY6@+F3MN&PRc;U!(CqiE>YqBWMK}vg zkonA{)nVl)n57eMI#y!T*uEF9bvixbEmROd{z84ni7|faA?*7pb{u#ydV9z9HfTvu zN03>IBLIpRFIJUwSQ@eK}LBiHlx9Kf+BOl0T~ z|IqAZS(1s>>Mo4xj24ljj1`!H?6-SF3Om@&rj#01iuzNrn)X)MeQ3Yh;>9ZZkYBmf zHM~`f^ObnBs?2!yF>*IYj~yG6QrMJyHPu5S1O9xRz!^o6&-Mkr_>FWOjo2se#bYh^B|X{0HJ6c=Djyy^yZ7*8lPV*0x+`3$L8r{+d`=iG*b_-WiSexU0~ME* zok7VYGCqNsZQE)pHTEdzedpo0>Gr~d!+CPu%4UR|HEAJD3S00UauzTn%gODXNkcyO zfO}5PL2kaT3r2Rh=_D#6vyFFV-|OyD80F@Yxrz7W7KS75tI7UX);a4`n(u4zMe;h{lz`b zHl>?eWlPgy&eT26DGZ4 zb__;4WM@L*7S9kQCpZnBdyyp^$O1m*ZN3YHHg+}suNrTvtSW ztA+WP;h>@gb54P2+Cg*c>$Q8Cw@{o$LGUO}%LG(<138Es#|m|(afL%yU9kNn*hSw7jjBCblHkq?Ml#Yy7}Ah9nQ(aF0r41 zYwNQFOf^BRjB~Ez7wC){ZGPWr_TCl=+5v>UYL`%BP66-j$ak=yy&HT_mJu15-gIxY zSa)V0Dc^ldWJ=g6L~)Pw0UWc?n@8-`FTH7PFEGyMgPCy`)nu1yN)v9I)uQt(aY28R zb8Ha%=55scwyy(?0_|JG%K+1`po#{!g-90pXDr?uljAADQOfuJ@oFV$a& zbJ0uOQPpnVr+;)nK`q}ChX@CQK_Zf;O~>BOMQwE)tH3XuG>i4hAR>=kx?LT^j%k(P z=(>hBmiW6G^@XBOhAq-{8t04cRx>H908hj5Hk-aR4aWrU0Ch3QA|DV@7heg$a)i%C z))10VY;{7D16$f+B7!RiVv#d@*PtumtAkI(I5Vh5z1d7X^aa=ILkev+9-3|K=78ZN zJmyo;R-ao82rOS86HD(#dV-sZ<9*v=Z9mR=YF}CVQjPbO_34XmQTPmyi8hjKP6d`y zh#B?CwMXxXhzNY!4aoM}7JgLl;%>|f&zte}YP#O=i=7OJ36Tyshbb9t(Mt*3=I`Lg z>uC9oAZ&6jSa=4j9)iQNCGh+!Y#KP5LYl4XckXYl zCE5uP+14FyP`JpM8n=z`+zrHP?&;n-?NASHv`BQ4p+cb_GGRblLq)9OU)|c~9X;M! zDTKCDxGwG;);rY^;Kr>rh!@CE??1S#9uHWpa)@#8v4HrBocFaf)G^7c zIBTU~SAC6ibNNgRt2HdLSQHcLvpUDYsF!8k(XX`HZr4qbt3nS(DUxDaouZDJD)p>3 zG`RIJL=W=5&p8+#Id1+Q|8oK9`{TMP`J`t;T;QUEQ@+)~&&i%2UVR6Czc=Y)Ff}D3 z(Ovo*2Tkmc3FV%bdai@2>IK8d=}t8S@k2rgU zQz86)w#X6Kl6{n)ZITE74goFLSa6|PrY%xIN*&i{{U#m|=C_O^M(*EAwAFWWy@X*Q zH9vHF?)>1s=e=o5@P8c1#n(qNALZOx;b-z;Xc4&<{%>NBtI_j^*n5)7Ua+}8V;`sD zA`khhMw5H&hg#A=|5)CiEG)QxybUMJLkF}jN`p@?4lZ1!{exn4tr_Y+OjFp}W*Z9o zGSn~d@ya2Z$E%$zuC?(Kj!!j)3zo}tvW$W^fVy~Bk!1DpQdpU12~uW$I>V1tOI`H4 z1hjK#27Io7{rax$;YL;h*o(K30M-;44bIzkdi{kmlCWSK3mw z&y2^3H8IY`B_hTDaQK`p#qc)mG4cl4d&(WNCUp52t;=ypwQF=YpDEjhI{PPb|HU^U@WlnMR;he$QUK=d`t`)V9VI2IOaE7$fw?p~%<)XAIUBoGkd@Uh9!J0!xo`J6ut3=ip zJ)c;kBXgCMV4I_)hzw)fhzxJkuIa_A>7w7y9H`};e!1y+vFy%3E;=I5E@VDg+=hFL z%okcKNrWt3J{q*JX0ZyXkY_;f!f%Z$^)-xdAALfaWyAb62d>TYM$pMuZ58x&+HPKOnBVhA*SqpZPra7 zGDO2Yxu3$GhLUX8RZL{eezeBK^U6L7p3r_2UtF9m_vmdt0hP<_+e^lOD$d$=5iam6 zUM+cG)=NKX`QZ=Ec}p&1DShUf0IaA{jG_?M`(>}`|MQbE*d))BVvKiwI<@VIhBCK` zeqsJnDHbf{<-7(q3td_pk2H>p5MXf3of`7_* z$m~fse>P%HmFdr!Z)xks^5tMyOIwNmfuezv4MhoF!)U%St3wDRi3|zR8P>LL0>jwc zu0PGgUe4AS2bcOzJFvK`vy=FED80C7QD;lSVHLLxrqZO^Y$qXcUz~vp-J_l0gjFY7 ze?B9m;Li68!Z*@N8@{W!c0ZLb<&Qr}lapJ=_UyozRrpN0?@q2yN_FRD(sjUS=Zv|h3p|5SE3V|!?Ma0wyZN{Rl`KXRCuI|BnWerk@c9U)2I(m z-nZFmY*pGb<-}z=u6FS$2a$yvyLFjE`aZ)2#c8#zjfBX?twqKqJBFdEC>eMd!6jE` z?J!y3+vw(uGz#i{kgX?wh~n@LV3bH_*33d8WV1M3^v%vf;yJh zMd+&Tix_ssqJHlF)`m)p;bw)vxyw3<-`@UYQV9#vH)qs{u{->l)c5-v1l9^ejyA_| zS>JR!79^P%Gsi>t2xl59Y^FJ;?Hd{v5!Mx?|L<|&zq%Y*k3N|a+r4waz+S&>nmdzAooM|%?s*tLYk(+I#Ru|GHXBBGTj3aLh<|_$8)oEyQaW5sdaft4kM-515|7;Ae7nZc z+`?57G-PyskGy*fKc6Tz?5koavrge(xs4gT%y7hnCVc2TJyNre`E*lev%~Kgj0F5% z2Ng}d$+%|LExTYQ+sBNA{AUZ=)1}^1r71~1eceSLEeg2ZNm`x! zi=G2zNDwQRI>uS%h%-187+B^G}s=h zh~RM#fWPPGB19F4TexUDek4*}C#PQ83ha`R>b=EBu5K?$+L zFS%Tj>tHlz%S~mP@5su@EZVLaFVsk!Y8B}(d@RcDkvTpCu>XVmDSSj_2j3Nklw(;F z7OL@)A0E0ZM0dC*bR^i-rr3xYw{dv;6W20fvl67Y+Yua7W9_KD<_`;wbGVhk>Z^+Q z_;pchrFZpyB7!yXQFFjRSz|iE{3MF@ALq#%b6#>VfM-f|5{TKg+>8k{`W*6=^ z+-beAm_Qzt;`vaFOD}jgyNXq?a$kGT2-G(CVIi(HA~74mvyktce(5s`BY3QJbH}~Z z=t3U3cxqNi@R_!}$Z7omU$Tko&&!BBA|gj=gaZQ{x><1w?^cfV3@7qp=`hP@vj{N2 zKI5_R%e9!?Rc@PmyIZ9f_$nvD`j?y1+OHssWsu@CTgdX zf2t3k8!j*%Nzcpu`L#IiN%BHD7pc{r(TfWD<(6_5VL#;&?N!1KhP35`qLOCRokX!Z z&{pE5hb)=4534J zX#a-y%-WI1ZQ`?0FHNny=6}s^{8z!9P836TIe;!S$U}%wnka|>a#UJU$B6N;3#i;Q zS1M(d^Zobq_dca@T~57hxiwWem-vAdGQzA}pZ?@?B5l4)6tX}`SJi~P0e_dr_s28W ziK~@~s98USu7?qd(>g{RnJz(|;}(-bJgYIzlBwLdzmeP$RM5DGg_WN& z5CupXEp+K8YYBf)- zAlf8@bbmD8E^xa+BlXehBuNX~U2kT^eY<`}8b(?^Y*l;+@8{=&hBLRbP5qh^-vX1W zq0*D%?qcQLg)fl^kv440-7178)0o7QaDF<2Je>5Nm)+ZkK(M&2XuUGg(I}Q)Q3dwp ze5%?({tvc;cTyf8DA|;FkI(j#Xfo~%Npi;UBf}5}v4dKM~Mf6i!_Ff;c z6!g-__0Rirz2H8(ZXVVU{^J75iK1j#Hi)A;s%1XS+0g#k#*tw*xj}Yjk3=`H&`?#H z6&q*_w>;L=&78Ko8W_noO0%Hhc|8hUUVDG?gH}F80$8Y0k+cjK-CLe*Z<1M)M6$dy zC9Y4f9-)EyNn2eL76vStD0l=~Eh2KvyWX*<0(({E~rCJasUV(rmioMQ!f+ zvhB={YJX7jR>{>K6yQBn;WV0}jvqSC{~A%6A9`xiU6Cr^N}A@*(H;8q;vLv(Y(dkH z(OIz)*RYYJD*rE29$}jBCH7t~{8J1c+H_r3!NC@EPiYPr&x(G>ruzpqh zlU1FIAS`6VMD^ZtHr4!}#Jf!)R+r)j3(ocF(Hp%d-@!avjSB1f{4Cw)w~};$;?W^5 zNcCgMjUQ`r^;sgxymq)6{+!DWZ`=rcM`}lJ=3&?RrgB<6|7|S~ff|RRA~ML)I%Wew zs0;DTH$;u?1k?Gx`r{7BnlUQzI6!thc$6Sc?DV!`8bm_B0WA6HFcrO*tJ*Oi7Sse(op9V z^?^}Pcq%zS9WMDB?oOlRhpO&WG5!5!OtW}4SCwOwvJ{XI1@Yb!_uJ9ogF)!CGV#Cs zEgSj!cvkMi=zX0kI}D-Sp4HXK@F%XcPbBEdF;Cl0iy&S@GiRm3e@+c(##H`$rY;za znq~vi>I^rb>D~e>MV7*HJ-JJy)imdj@SS)@?L=Oam}Hf_mBb85z&~<{RpUR>xtEG^K(RM_+Vo^L;s$v z;;$AN-c?}PrDjvCUMk_VaF+7Mp10oUakEz477^B$dcLVDO;;UE5+$^sS=D_UJBj3I z^~f*n-Hn$cpr)O6*}+dI-FFBSd9j(P$#n!_w_3T#$Kw!g+KQGNrI6j4s_UPs_TG*3 zet44#qgz>OTQhN0EW3lf)-t`C3+lxu%;+jfv2`vP=e&3WE9XPj0Z%?qaR}^9!+UJD z<`uFg?@DPTlhvlmP0Qt1Zc5^6k2WJvyH_SC#C`4>sq$YLZ6UM{!p?oYBwm5IJt-7` z8RUWwSbC`gnaWX~N1Mhxps%=CvW00&A6|O6;4DAQG3qyh{{|Q>rlmhU*5aId}3P0tYpKspNmbe&IdB` zFNL6~u0jac2WEG*fqmA2uCc<52sr>jk7kPc%C&WGA0DHSrpk!@@G9d z!~i6Owb}#*6RIY)`4uYm^w!cXQ9myKHJ9~2`Y1k15jW;h`!4kgdEID~+x>%7^E&#d zpRdsOW0VA4iVO`^y;^{q~_7YBvO6qfsH zh1DPH(CbCcMf!Sz8E+ZJ&e|l^8>3)UwV?xjKl>BuLh7y%LY~}FO-%hoJFb$et8S5X zFH59q1_lPPr@J#(gyk~F8woel z)&Pxc^`A~$Z5b+o-}3>5`7S~!md%hG-h7^g8V19OpLGu|B3EHY7s8kBE_Mc$xvC<| z(=8mBcQ}Q#KG>24CwJJ_dXZ!#3gm+Pyn@Fzk7@nK@fsh6;84*RFTh zJTe@p#j{>bR*T&6^FqyZfA4J>YqGMyd~ac^lg+GQ$EfYfDm-^A&Za7E>-TQ&GAbJ; zS6|VbrraudeDP?dM{h&7i9@(J1^60iQ@$__^Kk0U!y z&4PHvuZyf#ZPeE}u-&}Nm5>a^luafl+A{g9&O3(TE|(swehPQT zA40-ku|-f=q#hijG%{Sy_o-~Wmvu$kGe|Sv+TKm0IX3=^BqfIz?<&}9y{LE4J#Bm% z!8S+nLiCu?6Ls&}fzLaml0 zhz}k)^!9G^t$mU>Wg6TU`0fo|dh@VNVBBGc;B2r3NSb=!#HEpLAv44eIcOhq7(aBc zmuyTlA`?c_5!Pn&Kj8kk-A*@i@)eqP6vRaxWi|FEY0tObv66|ct0<;39(AMLZ*M_2 z1|_6z^0&9=Z=0S>WIo}$w46g5LkGUl;-0qw*vsTTxITJut7=rrMgI75(;Sd06A@$}5MBo+ z3Unr$F!)@|5kooj#;ES^{ecx)209zI8!a@eU9uin+#x)@f+rwuo#IGy*rqVNEehsv z9XCsa$F=ABaq*<8f^2!nxPPh*hdBL=SN1khr@z_fn;U-4CHKUM5wrO$2XG2BLZux8 zhY1Gr%`REG4-Rgvzja&udD_fulWeED=Hoys#vj?BkVDzq^enA{fuq?cI?nRyqQ5&E zFn$9`!l<}xoG>1>rdG~7R*}9n3dZxC3>NXwo*2YQ0E+;5**>#{zNAeBzas+=l_r)J zh)II9N9tnFqU5S-ty{>DjW)CnX0|TsOhS>|sO4L$^?T(A0eidztdkw zyrpAcC_wTszoapeWaZ4q(8C}o(bN!CKfRXT*md}HjF^)t<&CIIfLa-7Sbt{lI8=Y4pTL=>-K zC#f?F)b4az^&wB^kB?HHU}i|JQvG37HKECQ^2>59b1&{)ZV` z3eVbgj&JW%M`j;>k*4(?94S=k)%}i_$o9Meh)ENdoGp1j!V~uBj08pBm`RKkWBMvZ zwy=3!{v=&8(N-IuaPYODKfw@e*7ofF`V2` zvUcOvSHxTD6@zJbChEo8KW@3V4!y0!UlQ+5qP>w2`JpDV{`(@}Z%nN{yc4^}kbCEeSJytnNsh#)#S z3op1(|Dl_jlv~I*-(?7?BL4`v`sf|rbg8J|F~2_C8U;n(;wBrZ6lSg7g^#al@v9X7 z`)&XGVulD5(>F2t6kYx8vQHrry3al`#eTohE<3|>B1voS5%1<-!_xm6MhD;pkCScg zEaZ&Q?B*L1ctLg&X{IArgZEnDPX?hbR+SR}v$i_!#A^`pFPV&!$(c6!k8R?UHP#JN zboX%yXhr56;7)~+zQ-Bc2Ads$S`^&l!5Ln5{c`O5UUcpc?0ZE{#2?J$KIz7?b|skg zPWF7F*N>ZtU&Y5URF-BuHC2{)GVA0=A7K3K7SRoc7YsA&L2f*Wr-#111?qGS7(~Mb z+;^SDUSY;$p(Utq^=nzfM($R_k}V!Ez&H9(J6c%(Vuv2JBpiQ2nXNGCGQ;E@zB+C6-8Ml=N$0R2_Y7tg3N1@@7j3$sRrL~CQSmO>o}Yt zLjPqbI-Gg^0rMU4nTob*QhMWR^e=R_mcKKTdk>|wm)(4?d|Aclm=7~8Jle~3o0L3R zR8<1bOBN17+VFkwKd)Pa{yDWxSu6eVhRkKjZ1;l9Qk*ZFQrO$8KO#GlRDr=&oG!fa z_WJ`r;kq`G2nN3I-hzjv(>=GHg}2DL`mAsxQCsCj#Wb80vQHRiebkdI(jmKqaLaNA zAqmC?*vU$C%~}P?k8!D1iK`X&pa^@AY> zV4bD!h@kyLYq9n)W2$t#o_);vM16UU7vtSOt_%+$AH7AQV_OWBm>&OH^n(7r2zzy> z>4U&v?dw3(@J-Qj&SxgmWlr7g*0i1&flQhY|GJbZA|z`OXUjct)q9ffXzu#QQL-jY zDs8oUD2P;rga?I$Q--A2G+jo%>=jJBV!vm|b^`01imYl6-&MQ~yKmS+o9CE`~WXAJUU-bQ^Es4dJ@Lu`s&Tsnd57pM+U(ZWF z;MVqX70EmGxsmIouhbmMMd+HvZ<{z>y2|WA%@D$$IT|JYKt4+4nTqX>%HS9hX}9>j z@Y$E`bN1?SItI~N^+rB+l_zRrKN^qz+@2@$q(5vaE>NfT6jZ-6eAunyaa=tKGI9m2 zD}piE8a#4V(=(H-`}nNg{braE;q?2|Manc-$H|7psfISGGQ5R@=RLbu2XV5mBN|D9 z9_Ay9q>_XJlp#481Ks?2BkB!5%?u+xDxW>fEGNxciI|FB{S#Uttuz ztc-6shVKCh=c#+UKBQ5I2MaZac7~*V{Z9+!zt7gjeaVG#kWhdL*pm4wGN*YHe}Cw4 z7?cD5|KaS*wt z*)w*=zHeilF~;({=RCjDc}`E~c{<;JyfA#0dwJjQ<$7P&&ly+Mj?oM&W8a&0<%%A= z4+`AniH8Y;$rgc`&dMkLEL;8=A^qXw)pB`(hRkpPEsJ<}!t-=Sd6)z?#+%pLEs^+V zhT!{C{r*kl9a@_jfsAvho+}~-%ffVb<^PRY{>MAK(Wa?Lr%8_SC{Alg>`}GI5Yhk1 zLjG5J_0F}YtknQBrL7ac^G?*KI!)*=`LDk$>)i*gaqXsc8}!^M9mc38mE|ewi)*F4 zNkhlN-{kkgvVMA4MIRC}DE@TbbuM&^M#*H;Wj~xPDM|@6ezh6;iTrT+zx?Q>b*TJx zO8_~PxPUC-XqO1le62VBlUY;RK2%6OEY5v=@Q!nmiN!vOHIL@4s0N0CJx8EBH zfv<>s*v|`bf9&}0!0(@Y!`A^i#K|1{-Ag{e1v@^#{*BuE@22vnzrVx>YJRfN5zx8g zM0hf0cX&1EXQTPoMe)-seTvzohNL|P6&z~VL>B9i63ZA+7yowpfAUKI_S$NyG=?R9 zPtnxDYV^wrA`=xG^Bb3T`(FQLy|I7OMFLVw+eB`D1ewVJoE0WE~%CtkNhq{Y{dJ{CR^rt!_ z|MM1gDl{)h&ck2)p0+Sj)=%-nd3fky|J5A)xPAXH6US`K4=#=<93`_54j4A-EVf^Y z|35wxi`ORq)6gKHyQftu1^MCINB4Dz{5J#j_fG^lz?UID97T2}nK`PH7}fcCdSU-- z)BP~ofBaad`MojHPaf{82#=Pz8vK*}{VPkMJoWOfr2)|EKIzCQ2&F~RL0D}-zEPO==>ItW^aqscCgB6G34s19_>IJ+shu7S z^I{6BBxuxAb4o#L8pcY?C=?s-%}D>?a`nLM47L-WN62)@m;;)A=`Z5%ve11N^?rIx zdf z#KA^z{H#-&a93Bki&)mM96eeVrCqy!`HM0QsyyWV`$G@{nGUj=XvWX<>;L=vjqV7> z&bZaj3Ku3T#U!n1c!on;|Iq`mDDmadK+(yMnR2)w%fk4pD*xc=!JWL?8H93^KfZl? z0M$52NvR8wb0WU_)lvNY@17pgV1v?;q|!63u|a$>9K%Qc(GYkk@Wt+mxq?%@dDHId z&6PwlvHbIS+FzW;|No%Iy5)YP=dm+L$eQugp8vxXK#8l|WxkTd=t`t(p+7QloTeynQ2oAkB)>ydi%G|f!*I?mfq!r@V>KnOQf_(2 z=ap`px?TGyZMjc!{SBSA^&97fFHEIeIlH-k zZO8sT)k?yLG)!Ck$Wj^RNb~Rk(YuRfcN|Og)gZL2#Suk0%ZAz+oSjL=nrX0{;@2B| zXS+kX;xLX2hjU&N9e^JAc;1nQf3Ul}?(m-m>?szV>0!YV@PRfQ&L9-%XTQ2*>!5$> z1|93r3O|(l8f?90UyyhH()*+u%Xs%xIe6Is{^7@O|HK}Bkl9T~+Ej5^U#-h%(&^3o zFe`k=ixlsR6KjjwCy#5zKvuu~ljm+b729g4rWT0#0w$!8C5FqSKngC^l~18LX=rBj=fff2|u{Qw)@yxT9_m!r&?9{b+JU-i8+i6xk zbk*G}zX=5sNFAL^4W_b30Xl&&`Tj%d7mRfDZL6c@q-rnz@&kC?IXR@_#%ZXdy3*6r z^D!*U?8pt$H;EdzpCNnX+}ESq7zbq7Quzq~02D$SHF+UePrPj$TM| z2+-`qx?`A*WY30|?QFY6TyV*D0Q^knqE1eF|GL#ZaZBkUbVnmp9Y-DF%1j>|{uvEq z8t>8oyC@`KTU|265~Elu9wi^1uil<(V9U5PtxsjXq7o+=KYDZ*utnjg6?ZmQUWz~S z_y?wkPkp!XnwGQru!3SqW(y&4yyyhufo|b9Ixo-`ES(K$dCdZKlYYZZ7L>t7d-fWvjCKUa|vCOn|Db0N?*C40VW|xaqKo@5#>+MB63(vh~u4 zq-7nzfvhgKxMqU>>lnd0ok*zWiB)~=3`0HTmJ8cv5(dTX1D-qX1&fh(&7T2*0S@e6 ztNGqM;zWdX&7crUN494V^M(6YkJ>&51j9{$tk4KhLKT3BR?fW1AO~Es|#Eg46Cv#iW zp+HRCvgZNVQ|}$7+p1C888bxNI)1-yJ?m07yOOCu>$0uRW+=t756}o^DEmMVdIljE zmKnRJUAI@074HGgAAEkEMOS{bf?KaAU{#r_`qGHjD`=)N+01r-PJn?vT<$V>nFnz^ z1YVPV^Vd%%H(jN$V+vYt)s3Liyb}%GIKir=8%aurMx`)|&T*I9IVLUYg~-ZJgaCYN zu|(_?kx(W$SB*IBMj)Pj51ceW8Rj-ak6xyRAxTX`eGIH zC}I$hGjqfO5{Pj5=BK;&jAW7k`C>QV`83c#Uw?lx&cVL9p#Mn#W8?H*k`-VFAp%~X zB0mu(Dwzk}=H?Rx3%z+w)duUr;k}xCEd_vet>@GA_j8}#t7ZG~xYkjLB+GAfnLHy& zKZ188J^U!tn7qwjb)}}1#wzVb=6y8+v2 z`itrUyki93b7xCD(G5_X7SN`nH~d1^$hC>X1QKebu#0j z!dkngW9!9zJueOjDED2C@MHgV7hMTLC-o{bd|7lmZZ05O%8ia2bHgcd@p!kxSJu$e zW~kB+e4jYnFI(x#!?->M3=pCtb)<_C_~IfJ55O?r znQ)a^w$x?CBn@7MO)bU`ZW9X%z0PI;9wudr4pea3H9)XeTeRz*iAhqQ-;T{vHAf$y zBAqqa0ldtGZzAAH^RO`WfuO!G{?AdqhX+`PG@oW6$;&bpou`~K zJjiKitT~|8x6dIBxS<)h$;PhQp-U+Vf!V^ENrealy%?x_rH&EjulnO&9~gxWeM%2F zs|ds~>}xfRp`>f%Z|9X>vTGcc=t-(~d$yPPvnaZ(0k(Kk=1cOHMc*a1op%Zzx6_m3 z>^eB5&BrR?9x=fpu(Pl!O&Lo?F& z?c8yv3x}-$$!whafa`3=@4wA52w)fMH$g2=M)+>Q=oF;smf}^AGdn9WJC@`1!IDf% z6u?uEA_|UZ&atFfKxNZq=w_8NsICP}KM!*8qGE&OFMIZ70Z;v%$Zt=<&fWao8F3Of zD{DAn+j>x-HPOyb;Yp@}yi;zvt~9ak^Fi)QFwzHS7;X{man!sF%S+VeKgaZ$3vG5z zC(m)dw`cdhqb%0Jtxd^3SbdXq|Lt>B`vu6deAuTquLSYTPqaWOa~fqQQCg`ZBK@iL zQI$`Z!bO(JN%h_@!)a`nbhWj$O>Zp#vfwM}X93&2tb`@DAJ18`Y9cEqUu^Eyk+ z{-I~?M~0&=dpvTyJ3?1XyIUSMu3258m5(hAyf(h@zLx}!O?+#SZjaw|rL0!s1)njg z%?#ht`JSA|>knk-RZKkU`a;>>O=*mmQK=>~>jyxlz>3Nf+joN>>O+<)NmsUb8LsS$ zI+bE%&mpG!NK_}&o{iQ4O+c*h7fyi&QbBb`3<6MF3C(d3?ncQu_)k;0k7sdju-F-+ z#v2!F0b{j(0UR!g5}&FH#5`PZY~1(DPR|{o*typ{A|DesUn?WSwc%InJ3a%%7Dhad zX7aZ=f^WTQ$8-$W+zu(TCfP#soO%YB)TCj+CcO4FwwwMF7?|Fc$wl^c$4Ffo6 zJJat;%6=jA=2_s2ER5_~TCB3TcmZ?9LVhN20K7=qmOW<+nt(Sl4~$lW6J^o->3|;B ze4q<W%1JVM>)P_VaJ<)`{W z=#piB0}t}}fqRx4jHH)kn7 z{pr2_3p6mLM4$@MYnB|veqbF(j&_*{TX<1S4#+0&ia`hJym6;!#1ogmsEuP%y#ujd z`wH;VB+9R+BD}O1gz6@F>ldd0jNl4tf1St8kf*#G`Pxl0ooFY-3w53DM7w=%gl7`R zls&%bWM)O9HuB7R+Qr&ra=hbQr5{-jX1SZiF|Yd&9(K;r2{SK~&5@kXidFpf5Bmj$ zb+%@r5Xr+93D1yXy1A!e$tzXmHI|W&t^)qj47Dh^e85>pHIk=9MH^td07Gfg+I*j^ ziG*g-Ee5&+aOYt>quUo71UebgCOEK$M#&B;C4hnwu>vUJ zd%%JZnat#I89RVkD4w-!`*fW+8lH}cm${uBsNgW8#iihyiwBSMQage7uV-Q`JuUmGhWsFG zkNIF@zex_q>K1nOZ zJDWwXj!4#kqfo3swZzCFFZMyTf1JC>ItQLz!q5_Mp}D2>c^;s5n45SmGA#}GuII-= zB>WOnKwg=Ye-F;VrcI3!-P;wVz-=zJ$}A=7zBedIiX8ya5larhrUTx4dEl2mYJB3p z#5gD}u@d@v`iC5;4Gm-wPi*9rAI~3`SM@HJ!6NP!JW-WaL8l& z+tl3skf$Qc!kGBEz_ViEohn;q8%ipC!8Cb}+I<1gnv^p!e#NXHz(mD-EMt96-fYDr zK-Vuwara*57epRL0~nNJC4=A?h6C24IS$POtodbBj@wolRC6-Q#hh7jGi!_7;+YRr zo-kx;Sm19aMuX^H*tc|^`y zu}7+#X*h_dPpCho6ppz!pLtHjQ(&d8*sd58=0$x8f6R2v?$XOSz;C+$ zkU+VGgzxkHKWync$78>p06U+P^SsvOwDz{TrQrCMCkz-?pQU2^85Y}4gwQ|=#KX@q zQ2#2|hvzIY&5{ZV`2FXGc3I$(RJ|%qd-JnYg$;bV0nhG)@2c3Ghoch)Y}w*CD@M){ zob4Lj4HcHzxEr2yW}H0tU|XD0rW$XW?s8C1!PvtP;K-|qA&U=3izGkaMZ-W_Nx&~o z)288G@1m)`HZ=W~3nCqfh`*`9r$PC||5WMgLHeC-Zm2j8iTEsxs zZy+Hnsm6~VW0YdN-H%{boD@{{8&1%&c7uccTK_C|exbIJ3B&bUs{G6|i3i^9y{4O= zQZvgw{q~uQq&)p&${Wl8QqoSZzWD|P8*3f>VLpcY?}V^-3k z$;}(dPkkFYSc<-NkTyF+rjoB3W;iq?xrmt@`TsBQ;jCA4h`6w^&X;jM4I*t}P{Y7v zr05ks-TS@$gO+23P2cd10#B6~4h(IJ@y7_M9r`}Je`Ln}^OT&26?i9br!i*L8|mkZ z?uf>+z(dryA@1(ISU6$9XCRvCzz;rw()|`j%YltD1y7B@zw<*`5ACKSYI&*ehN@ba z8t~5D#L;lll=(gNc7}|lI?VTf+gR(B=5>d1n(H*IrRU4@mruD%2K}m23;yntu2LNJ z!E@1d$iFX{`gS|Mfahn;p^AW)at~X-9@Yx?}se`4HmET@Q#PtB-r{UjWW{E z`|-b4a{b5hPsv1aJ&wkXV;T@zIe78$5s|_mfpei3W4j^x(x$=gTe$oWk#Nk!c>0b} z@SSXHNB>nfmY`&x<^ z%Ch~d9RA!?tm0!mXA5gyS$ufhDnHZ`x1v~m0eyVCv2|opelG@`!7W1 zO3c5f9%487HYrZ)_Fs!3&H2Y6&&viXlW&gX*);$7;?Eh^TcdruU^t|sV?N_rBDoDY z%ys(TW~iJXX0!IS<<@qFO0q;ogaO5V37tD>4dx2u{DQKw18`k_E}wV zd|J-KG2}+(5uAJ~Pv<`zbt5b?!L zH!jOXJuV2=sGD6U`fi8#)J4PW#W9$CD@nc^>gtBCTLIIT@ABNKU3LDc5l@Ji9 zI$NK@5b|$t^nHoE33^K7j0$ukG|YPM{MPh%Jf)gbO(%F=?Lz#M_Jbxrzs)YMY~fgM zH&>yO$+Ts%i#O7EMY;m^=UjbX4A&WiUN~t)EE8Ajm}Fc>K7Pudw!3y2^T`wDi&MQ3 z5d8BBX>2i?mr*K3(rbD#KAF;<}PU$(PS8Dl_on@ zsL+WDM~HEmbXQy)LQht((J#&?Nk;tS`M^q0nr5Zv)hz%4n0R?ebo7GwM?U!UW+ZT= zzQ4sUd{=#IC|JkvGnKHOdD#cGZ1&3F?>6P%73e>yDY211bgcv}#yR5dINkk+n2udE z2Q{8b2nyC30Xa8;2c`zz$dW5RAKyRDh#x<__W7yEVq$V~1oP6g4YWHXN$sD%LpgJ5 z#K(^&kTu~ilYV_o8iIf8ivP`10CY`jG=wmHuSkJ+O0ztO6+YA7^B-=?f1eWm-E`#5 zDxFb);y78yaqt1ne;kiLzWTrKP%l=7lx0IuRY?1itRmE!Of6n}BZbdCF8J?v{qfW1 zv|3(ZLIha{Rv1~QZsL^x`DiM2kUn&2+NgU$RcGV2rQBnGx!U@#Rijxiatd(2o9Z9Lv91PxZM^nF$ORJIJgv4XykB4^zOl4iG_XLm<=k8}}=J zBtPWje_K5Nxzet^ev1Aw89)HOX9SHq;)TIrShz}#&Odt#mN!p}quf<9?ta1!$IWcj&_2};Ze8hiW{Xcx_l`Y1?c||s*CfSTBWA>T587DmC|FVpz z2%ve<<@v}YA^6PHKi$w6TGk=psM&Huh^cQ!?0!T3mnZ(=1*kvrt$_oV?B|Viee`KN z>mQE5ZjfeO0r;D_?qQ|=*5cOxG2B0zccmFRt(WSm{7{aezVk5?IQLXVy1*a*==*W} z(+`w-SQm#C=+?ixM~~N^!+Smrqy9V){cqd{(Z7uQhCMYKM9m`rxenv7urN$11*B5C zLGWw|6xXOl32Fie25|N*TjBs2VN&G5lBrjKcpItN*gOp)ONNxAluhyqek-M`bfFeN ze~NdeZrF#A$v1K<6GVPY2kf@C|RB(#v0(CoNaHtu! zw)Rcy?Hjb68H0y8)lQV%tZ!`00%ZS_1>t&Fmj-Q7j?G)qZ{J2wZlrak=NLEW(9LeP z%yeW}<(X@@*lj)Hm{|`9Ih8Z$(T8v_@5%;+KyO8j$?aN~5_ij<;--AszDorVwtBrp zf3|o`SkS@l;(6H!d26FZ>Edi@OO38~-5^Vc;V`-K5GusibTiJWJHC)Tj$ zzHRRR9)3eavp}(e0>od;0YU(IDJvG>IfwxC(I=c7c_+m{w8Rde5xPOznQJM@td0Sd!A;BlNvbB0+J&Vrg$?;ueJ0?_*$jtHc7G7o z)PG|$^5tdHD0>nWJwXIAc0KcgNH?D)dxD|+T8DO=@>~R&83`u z=X)*Cc>qnKkSd$6!X@dYbmqYNe8FHpNqlEtv~zOD=Z9B8S%EMj_M`%+>TJ{*f|3kQ z0myW2cY!?VSm7*6)2J8diuOdi&IlJ|z;DM50Nl_3J_s_;o(mMu>wgCa0E~rqdGp5? zO+n`;4&%B$J=-rQ6c3j~1_klQC9pDV&MxuGKeH#p+p(0~tTb^2$p!zOp7X?|NqAog zIlyXoBr(aRBL-d68ZI*+zpxST>}i{Yz?D7;yJI^Ck}j{*IBr~bPrqH|YFp5NUg;xv zWXle2)p08#4SbedNf#OeFU0298TrZ)k zS54t_NJn!$g_pn6y4&=S;LiO+Csp%Gy$ACUMZ;~+YwN8m-nW#Q*iDGl+vV*e6!Wjw zzN?Gb&4@8D+;^wdy*;#Leg%zX*p55COwq#2<;|^Q73RwKTa7M^Omn~sdh9rA477{x zT(%g^)E*;j_R6uL8-G|euXxs0Pd_2n zEKkFyYvKyJv4qy6@|Yr&rT6;?HLURw{8 zxGbpd0JVfRYMF%s5M=2_RlZA(!yBwLi?G7giJffY2K{kfEA(O|z$xix2@dbS3sNcv zTixxZ6N{{)i8CDyK13kPGgB$&nn41p2&EH!1=hTFu$v!G*}50Q5BfYg2pgpUDA!!O zraBXyA4&%ea3cu= zJ-d3t)x!!>RL62Zk*F#z$HaYH5c62m4yI4uO7N9Bj5%tVXyU6zHFx&e^O zd}4^jt8x@SqFC_*6)=h!1zS5j+ius=1S@ z>?01*zU4Wx`3{fVI+5vbSTb5YtGUa(n~Ts_$e`K(Aj;x>4O6F^gF{_#5I~S^V!jV9WZV25YIHdu*k!KD|qeTa- zSMM7s4Z7Vue=yQlIC6cJ5slG^!w!nH_kJ>RZ`kh<)2@&LdEY{7R0{Px*S|qJFY*o1 z?|ulPyq8d63Gto!psHLPrQ=ANhK?SP%k ztJ8Ty^?y2<{u)C-+0m9CT3Qh|Y%Sd$-3!bdLbl)LnZjzTO6Eu)%6Zza^-;L*WGSe@ z=yz}{>`(@G0_kUkY(6c_z+hsO43X)q$iL|wwdk`TlQ-Nw2m~F)6#ogFp9PG+;GW4LP8L< zSL#yoLLRmD>q9t*c+)}yBWk@+S9wO&By+5wK zfMD64E|1dj%M0Wk31RSCVs}U|bLa_vnGOzz$1_uVg%QSyhzHEb3@Mu;*8*r8^dR5JT{O= z2iEv34zj;$Uqqw#1|RNdKH>~AUnQa%NnO1L%onCBpHl0q-H*pCR$fjT=EXc7)ArP! zQe&Hm7nNh5u**hl?JelB@+>M*suJRG#9W$8=_(P~qm9+G+Y;)Z7u=0 z*$mUxaFrj1*GBqPviBuW`*0+A?c=eDNRbOcZGU4Cnx;YNC!*|7hDUfta1N>O1^_Hj z*6F2d6J=-S3AeoBy3HGu72Bt257-L=DA73upJQ7Ww$xlJr$Q(ZD*z`cfAUK*T``nt zI4wydT4eo1AFGhYx%C$UPX;x%Mgk<>;Xkag2+7d+6zQ-<P8g^4DNjKSr43Y%`&hXFCzP{Uy7S~V2*-J zs360gRI>MW)U+>i&9rCau2d0+D9diVV;-IgSi(0dgswCFdX>iMxrU{|nysSa$e3Xq zs?G6I!7~Gm+goLg1}xaZTWVmaciEXH;-A*ON(Ff!xQ7A93b~inUrSzIjHH?cmo+LG!7SdZv?)a?u*# zBFj)bZGYOe-@mJm2I0An&IluHTGZ{R{+aKYY^B=_riU*`GbJ3si_oe#!!mR`97G#K zZsBY^IsJ81*|rYm0gd|NSUB(`=T=%2)pK<#w}BjSkuhX9+2UH^Swra8Ee0W^-GoBjwNKMeeK*^iZEV4k zulY!LN5*)jCEpRhG2~|NB7Y&srt6}7)r+vOBl-7lSCsKm_(nIPR6b95nj|{Cc47Qj z7+`VWx74&Z-K`;jK50M+ympEEMUBc|v3GAX(F}JId#%HwuR!vI#PIiA+ocnfUI=-JM!kd8DRS$x3D z-YRCrIrdaec;Zl#2W%_+yj>FGppe$x)+D364y`k25J)q~cAYnSF;^)CqeO!Ck3Oy7 zOTVv&DZUs~y|`X}Bd07P^7O4V#a(Q<9qIRQ%Z$SmwCH?afx0#gyf(kgngX(S(9 zW{pFIZLQ-@MQl{P(g>EfJ~K{94pcjRbUupY8$-; zVcS@Q_sNJY>ld6lrGHTCjpj;4)|5qN6b$D8Jf|Mm(-ot#y=$|fJTH6EH+70HFZqfS ztxq5C%|E>beWR1(y3q0z5}s+8(`in-f-($AVFO17MXz{8I-TEo#T>GMx2u(Q$#`ee z)9b)xIp4dMl95pgbFgQLWm&nY8{1%9O69OjqM^ zb|A{7MF8`q)I0Ga>~vmwI;YI~w2tLQdeO)CIaO<^HwKUF*`V`^GeJN%RVJVHV)zEX zSbJtwVR*)T?{zGXi|X_}zdne8$?sEnak5XUF-^CL^Rvp%NlehC*=gq9oJnzel`wIG z{5B?uevd)zm)a7NTN|6G)PoO7KnzyR_abZpyA39@d8R9k+d5ApMmbhdJ?0^>qkU%G z;|kw8GyA6Y=kU`Xg|3Wn$ygAPI%m!TutK=3mFb>m!=|Hj%pmTIx6oyCWfI&@es`&F zq6;1O$}{>vx5sK?+J;m4wv_>_Y%~Ai`S0fY_g$|veQ2?2N+c)Qk9l?4X~}y>&vANX z*#FNX03saAk5Ht{NoqPPS&tFGQqWFT|o8Otot z9n?!_XD^Xf9K8_sUQO<+4|yAO2wc)2qnwLdwA?j^6<~u}!I?nlw&=~bETgJ-*cSig z?U-}6@eXsL@*g7Abi1a~0)*|)J*sGds8 z+n3L%yxv2spG}xs*cX#s!vqU+lF-Y2luFsN+>=a__1Su7m8Lxzef2db9T$)E!1kor zT}u+}dM~nP66K7K^`J{< zs%;yFw^eQBZ-4-9m)jcth>}>cktahfdyl(bI8pANN?`p&Y)cMKXDwb~_g*Rh_M-=&pIAU*huRV4T?0T+{+LKLTK}AK2EoW75xBXj zF8)1qJ(KVj;Ekij02&Wg&kg+LdU2HwOSX^m03wHX9({eCw{~z8WPt;Y>|F<)nz?Z* zel>G9;W-DnpAnYM=-Yp|vm5@JFty$c(p)3**%Uf6(vTUwoAm()|S}||qgv(BSTd|fGU8&(} zqr8_m+3U*`@jyl)s|wp$czY|<117OjRdYo`Ysj+UV@8s>opEUgTBjB!s1>RiGb*V* z&%p_CS$bzooO>gya_MEISww*)qoIJN%B)%Z<&`TJvm}Wt2S49A&@A+(JI)}2uUw}i z@Z8*ei*7#I#f+JN7VN687z0WTEAt>1Z@-loH;WqvHmXFkOVNXz@^IDSF8V4=_*GZn z`QkJf>Mp;@TSEd@mEnrVpzA=cO8~_~?Xa}(>%U^UVsFt;S)YR}Ok2yMDwC5);s%$o zi_K@_DlQ-Uo|b0~dy1M(;f(R^ri}9LOjRmDYHvkf03?{xCuecVL1|+SRZOzS9d7Xs zX&Pru5kcao`}amb1c$yxsGuPQc#auvq=mT4oXa{@yVA0|W42cXWg8bjlbf>QaX;-x zG+uZ3V(SfRdE6`)lgN89zz@0rl2Lisdm(j(2)b78>X_Cvf%Kt zU9F&4ww$e+RszNYpQOzc+uEFoqH>9uktX6z^Z*m z5(-48HVvHc#-P(BoeEE;Hucc>tZk7k@x>ji>rBkoZ^c0I3#FuiP~5lE-7me7AYnQj zpTG)9IXJi)W~YBGrH_B#m(ogU3n!*jS7P}#z^7|>@_MSvrxt82;%>>V&M+%B`KQz; zyDL)K=t);cH3N5^&12LVIUa48ZCG+iPe@`2Zy(Rc$G!u8PSYrld@)$Acn7P#k6fpI zgF_LOtQ3bymh#~(huL<2t}zR$6E(>8*iRe(dDL@(^Q1fFp$#Gi1M%jFaq`cz=o86R zyBB%wW?zGN*`k!&;x`Wc`*szTCn_vrKR4+WcC(A?nnNCmtfrLTtv+WY8D{1@(6{r% z$E`{UM1N#Nxa$5$g5m0iuiZLZHxto@ZmySPndp$;ijoUk3M!GHJ(JP*<-nTjsX51Q zwcn8Iq{NKdXd@r3TBMZtfQjSXkUgV&$s23Xwhf}(vE0`p+ZptzW#LH5_`0>hT9rlS zg<85ZDxzn8Ksjlgq}_Z|ywUes*&R&&cC3VKkIu>Ch1dQJy^pbJq+EsBYgOM=nKHkt z>f^0-VyZ!+%w9!jhH0ISk^Q(se<`V%o3oy|j05`(WEN+X_dxbfeam^=vRHjx)ndI& zAm~EdmDil(BJbTn#xS$@?j5e2gES|uDRnHfe(ETtLRou2PMxG2Rq8GKIMUX)PrGVv zVqArtJhMTIY%IZnna`6tY`|7tB6gZ5Qv28WR3PLMXX&-(Hy zkMT89b?^^2B6H2Z zePQC76GhbEpQ?SI_}>deUI6n)x(k}WTQ(vxw~J1(E{NvoH2M6Qy!oW1q^K{#lAL5j zjE@)?QXK!Fsb4VgK|LwYvZpO0-+5^y_Q{uzFI2TI-c*5XTz!91_1H&_M<+qYi_iYN zruC&F>o@F=+&VAEo?}db1fuNBOnb2IlwRPA^EwG(AED!bPlf1MRLWGgHQ%^wSMAS+ zklT31Or~bGzXgmmQz)LGB6+3(X4EoBam@tC^+vg`j&+w*tM*fdz24(Lf=o;^4P*dy zCt7!XOP6&ry*@m|z%eXsIhioMj~8j<<&=g#0qHB!v>UTFE9?7FbTRKqhb~8;MVYlF z3`49qU6Pk$Ug*HSQ+y%U!0=GsvwDPigHC$jJykZMT(0#Y*AET1SZ=-QIh&t=Z(iw; zUN`c2*d?N;K*_T*>oRbN#(Pe#5koA*v-bhML%L<{y=Z~F-g`wc5szTS`>Og-TNfS% zS~1g%lsPr@lI57uN@0!X+3YcL@=;pnB}#jjVh zQ1(yMQX-(&{kAg`_+qxNM?66$t{!SO{yw*;lV$vdI3pwGvaIi2DO92CU8^({`PaTJerFS3S)YZv|}agJi%@ zq-2)pET-4{(J{4{QM{#?w$g^*0ovTQ(uq+kjM3w3(wl~$q`O2UP&O@`D?g6cv_$v8BSye0hn6S2i}8`qiHl)-lZt9JXAMHz%K)d3*DgdD#@S%lbW zbl~oJT;jTHr(hQw1`}MOB9%QkT|rKh@EX$#lJ{d934~F_&0*%u9Z*wy)uYBHO%2Do z%0NGP&8eWSxS_aC*y2Q|p0&fyOLps0{5-WItIr1o5xILwCH52jRFGV;4)9DyLgUOF zm;eKUBy6nRm2(0s)Vn&3n=c#HSurT{8<>EW&1-h}5C}Rj zEv4S>-(Va%>H4GIcD(K%De|{hc|MBk4MT%C5&4c8-msN`0UeJOHW96?7Hs60w~r=v z=e)@pXfx{Z_PMF=xo+_}tFQVfUwXny#k`p0;bv0&SFy}DW40q>aWtDmss^# zSIkbR6f|wm_tMVN#dIGtg}nBVG!A#O@*}9BBLXP}4h9dQn{7T*n@>s&eaqIofOA3= zKHghwELkSx9L0vfwC*3d^@t88>Y$ify0&mN^Ui%6uFJWvBV_t835s^^*5yd_Oykw< z%eS&XolZJk5qaLuk~r5daug!E2@oDHQ{<9(owwe&qBsxp(6qjJ23bs{rubpvE3j(F z6OZ%&CEG(9uu_4bMt9upi`Yw52D2s7$1^LlhUY;HCF^6|VPEDz7{CL7(geut5y1Ay z2VjnS?+?s_Fy%8BqOfAiy9Z=jIL_V)&WQ2c?!ku;!1A0bIVRKiZ~|oWr15>I867Or zg(RH>C>`w3af8YX^fny;nyv%D|k}zj=Scf*>I(g_^w1O@NtTF zy`}joMSJ62IRLPvgQ9xoa`nStmdJof9}IR>BKD zBnMJ6f1-&?58s<-IpAHLFO`ByMwxq-jJ@Kc?T~t)1F_wryxb{fi4lnc;lI#bY)DgB zK`U!5kf}90NEHSo9%eE3 zP0+7*M%qFp?v{_N#JSl^7KhhsEqFcTKwDv6`n~tQ;#oz~DRXiwAui&#l8r2_0eyO! z{`mrkTZwy$^@yxucYw-ZekoTwXihAYS}=EI97!r;dJ;nc`~_J+qtg?yCMvqdTUr^r7OJ>Q8)?mQ=i|b9EnO(MlRph>;PalV*U*_ z(QZ`7tmQPwG?9h}_3PFu?bQ5>&^#V<)k7s5y5l$4GHwLlh${sR&3KT_BZzR%a8h{P zKCCUc+%-La=r5aU7me{vDlXiX@K7sLzo!(Psu44g(=EC#P`9%>==2wimO$*#(@IHd zjIUw)(881hvIlS1qTs{hs~(2|MW=2m!UdOW4H3$-9vq;O5Xl2FD0grYZmMo;Og1z4 zFtI(kGjuI(4_&w^{fE7~eQfvscKH7h_um0cW!w8WJR+8efP!5qjsi*xf`~{}MnM5V zX;K3+6sZbQlYk(?j0G$}=tZSQ2vUWRfLKtf(n1RXAs{V*00|)^`EBOjDR=JY4)Fcs zegBJwlXK46d#}CL+RyW>#~oQG-8zmrU%R}Cxa+=|J#-oP=ag+tBB9H(5QYZ$$|B4t zu4w*aPRLhNWka($egA93@2N6BlqWR0sJ6aAiz$9e+|08+kyn*pasq z*1!4MD35J2V?D5o3gW$V{|-ga40lM)e0QnOM!9X63HLj7WuTDNz_|JpLd)YBjM1Xx zPsI@~`_=4yc|AQmc%^AQAly32zZqi`JjO`}N&l1^%4@85qIyJAW(d!ffEQ?SmLH%CE7Z3(j%!tz$r)@YD7mcGVy5(+d_do^YBHL3 zL(NQ6t&)49E7xIp$F*wYJ;uu66uO$x9MFDFhp~B6hpY@ba@w}05M*Bp0bWCWuDx5B z&spv5?Xqa+N8JR;U&Y$Ez&ZZ=^PN6Y5 z5q3(!q;nhE!*UKy=3lztQRJHqB8xtYKvL;o$kMT`pYns#yq8ohG6|B84s=7<(f$sa zHBDM9@$_^?>$aRO2v5PbYxHeA2>!c+NB)Me&+ypx9Ty8uo+}yZ^D4${e4gfR=^mNI z7gX+i*`dpNDMgw-yNN38eW@z^*;S^2c*4X_U?u~^q$$JA}$8xQ% zaxa>6`Y+7g<@sf(lhM#5^_1_t_$HnMcwawb++~N_wVo%v;yn2%+5i)=2; zY#Dj(nx6sCkX3_XAtAnFFBF6e79q>@K6=K1fr*UgKKC+&t}lpdCnfoI+@itxzcXrp zBxA4l+4H)%$Y)5oJ^t9`LesJ8;N~+GNi8`qLu#6-XDt7A1__dqNC6SIV3NrZ%&|{7 z*(BBdRspRcqNo3MeD$9vmw(g%{|x}v-oJb1tR}2hyK}Jvlr!A^x|;ty;rQR5^l;jN zos1OwQr<_o$#09Q@}kDJ{>^**^FN)e?N`LqN^@NPg-#DMegggJ?K*Wh^LEa}Eh1)d zK)7S?catI@cbPrM@a&TXnSRJ3s3D*0KO618zI}XV!#z3z=bQPs@r< z)A;j@axD*2q_4dJpOSKjkZGTO;J9Xe?b@YkezV|J=nC@>Ohnxa6M~I9|Fr6wJ^`{M z?2$K^2mm$~1gV=z{ z9Vj?FyvN)%WfD4*k~|}me9}gFeb1G*cP3MVAA`q1l}S zcyjO=;kTJ`_JU9FGUvi=L~fg94*4r}T>LXTS`#VdU+T?ZT9|vaZduwjbL7MN^_#Wz zR>VYSIv0yeN+7g*5eaL$^B?vRKhKk2jY>=$m!2Kpv28vNEZ03Bc_!Y5eqQtJ&xr(sV>WRSo`MMC(7y_J1v#T1f7;^lw7;qHVZIGN%=JRna?cAXaZ zVI=@k#siIj(>qj3{;0NTX%?S-}zy~ zzdmFzcpx;V{M}26B#U+=j%p|PpWpxShyVS--hbOsG^!4s_ue9kP{7m}o@i+yL|`TV z{PF+3<}d#fc4L=bAk;*9R-)G8F4A((Nb*Oia~5m8yMo##w?OD_rqF;s+5z7+b@Uct zt(O9sk*!CYP+e~Px{JI_dedBn#ovtbm#6%zWrp}Vw*J&5;Et6bO-vyxEdaf|NiU$@jqdf zvX2k@MMXxQ8N%^0+i2aWM+esW06WCLsD+u5^zEQ;alA{4>BlEowDU*SxLUwXf@O^7 zf`ghAupnBJYbEqiQd8GF^_uL$BIs>a1?D-5Fx#9TNmEGMH@<5f`vl1_(;@wv(03DE z<^%}MY-h~cm)Zedp}|JiDkKtV=#4BpNjf=Sz_-@>iYuU37Wvk^7L+ke26l4I*R9Oe zyjlyH*{mN(wYAzgO1qh7b~&#$z5Xz!wl}Yv1l|haee-6~(JzGUudOZU+3qe9Yagl~ zjb&&O9Rv+hozDL;kN>#Qe|`WH6gy*A@CB8R0FKydJ&u^~cH~!2AUJ`D>?(MR$3MiN zcmD5%@b{^W6V`LZL^2g&GBk}7m}4;N_teDye6qh^@t5I$xbD7%fjMd?F)T#=Rp|BGCFU= zsL-?PG4r;L8N1&cuVDi8E&i3amVnftzaoaJ;@#ME}-%556P`A_9 zz5#6g&0+>+=U}5Ow<-*SI2pEPV>ew6`+4DNAT(}qVx~&D#>Ix%!%Vul<~>v45f6mw zbV&lwyXaN~Z45`WFaGrX{#x(uoTJT8&H52m2fv}*L`X_KN=aJlrCX==hea@f=Nj6Y zE>21d5}m)a))iHvC;o0CyR!ii^y=Ldz4KAYr*{QHYh4y$H+JW~`z~36%GynNl*<_cdC8X$kOc`4o%MOH^J4K#+^&H}M;|zdRPLnjf>Ha|;Sz513XPym3O=fw zK7H&HVW;BS7ijR&#|`j}8#fwC;BP}_Wj>{}uj{r)OF=YRb|#KF zab`C&c#P8Y7YF+fz88Fzu~Tn1o|mEc%FELagax~2_0~GOc(c!nZ@@py?jsNg^IaDD zbA~#ksc2Hp9Pt`|UF(PcS+Tk!$t_^A|GA zzo9=cHgDOY&x35GH@-SH)rHpsd7LOExMf$Yui8`$I``t9%c%~iSQALz%s z`1BPy==6Y&F+Igj`brQ;^N34h+0J8Gz|AI(wxn8*wx+`X;nG4Vwry(@Zy0dF`oCa0 z-Tds53tqBl-#S;bM6D^W{PIYZ&lPyvRs%Ef4POkhL^#z|B0R_;rM)M^@Of!D1eO*! zKXwA_K=M~zF;8j9g(|HvDQ$bk)}w-P$A|i=qxM4WY~p1t+aj|4jRafH*^lvpWHtAs zi6Y!mbl*N#(Y_5@FD5C6&@cY^X%yg_LdZrIklE&eoY0DaAdtC4j4CTXvpRt}sEnBuE8^h9zpTKE(Use7&TcK-) z8I?t~DL&%|u-;>Cdzq-WgUMt@zR_91a$=(V^JK z-yig1UQ}n(e_k18r4&k9^=727coA!p&}cGf8?H3XDN#ETHqF=Z$_|tdN-SjN$$G;R zUZhshRo3)OM6FccSu`cSwzCGmF!;574i`_Y-Bh0Z+%>r8P z4MYs{VmluAs!46&fnOHyY(3@G|7J{HyS2nld=WSF0pt4ir`d_p*@Ms8i0|lcDuNaS1e-;mf z;xtkC-r^miU|P&eaJ7Y~Ap3a87~3~4)iP~&(#XDnC#qndi0zvS+c<9{m9uya_V(}T z+Em`^8o0}3lZmii0<@s>07vum5_YJg#mRe>pHFb&ag?EDJx{t|Z^8Q!ANdjg5oi&p z!9DVi+~D0hh2`1bYkH(eig&^t^GAiGUwCh}(JH_Dr|lFD@=hpJeV%g455t>|9V~2B zIk>C;$UjfnzpS2a9T27R^YaTHP6wgS%mPEuLS@fLpN`ReueC-H_VleUd0^pi<@YEx z3`nJ3tuKJ+IP7QgD>M@yu{d!PTd>ZHK^Ra64>It=Y+e$YdG>8G6{{rtr)~Z@K?;l3 z4oCRqcP@gRaTD{*xpic_F}zoUyzT8X^4_E5g}ygdaX2Ao@uG=pa%;BxcVIKpmoLUr z)fOrsVgCP9O{5LE-mUe|g2?(J+><rU-SkT0XY-exT= zB@HaO-N4`YZoPLEr}gK++ne)&40OlUR4~KL@vdvW4g@f~SHm#o-$3`Fu&}VpK#SM! zSkpg8mVb#O!v?l?TtbvB4h#<3U(CSlzg|%|Wk_gQb0WsO^`{K;5&c{Y9Dgrr&7t0o z?>Oy%AspCV%$Ohy@y4tch9o$Ll}%Q}`yDKg*NJDK%mEmvXd$Tz)M;d6q)BsbV*10Tb6rRx&)nZ7K&a8EpC)qIoaFWpQ-8q zdmgXkuJ7Al^c8+YF}D|3Yb9GXFIG+SuR7nllQ$LO{PdZh_7YI~7?SBJkKpRcI1WAi zognP1v`fm#is~h)Jt(sNG7{k(679k&lbXLZo`s4Bs`4tkbVdA3RVi}<^F()yc~b;UYAh|0IW3? zZ{i2c(VM+8;{G}fdqV+@9krz~fO1Iou1*YU;h-2alr~gmcn|NJre0A}v!4h4pjLy? zuQYL0>E|hcU^g{?b?t;3+rv&TklIJ$_)EP<6*Yk_23BB?za|u6u+q^kY5cK{K+jk% z7=maTXeM-u;RpJBOnnt68C1n1DZl#bz;W7|$rG{Lkcn1swr%BV4l|*QCmrWAoV$ah zYLsZr`EJ(O@SJ%>=lj4dl07q(@yct;`Q zG4YsG=Hm)FfaU${tmR!8y~+xd-0>+lk-FU7+tOtclWxNKR<`Bgwppj)D^aBl)^?Sz zN|zY!bX%O4JF`LMg7l)_Wd-Na*KhqNy!Tp5Z=e|T_24VYv5hzDdht>-KyIf-c=^-g zyfTS?2B6Y+emJfnX;3WVX%Rz;!%Lkxbr#>d5+Xxporr)NZK^U|YB|O`+~m=Eq_3i) z^>mJ>d1q1UPkjM??83BA7pl7jrf-&)eqkk|Z)6ohW;9;+=Q~b=mKEfrReZ2LeH&t~ zOU|jY_en=@W2<$CXtoz3=0%?a-XvP&80n3Ze#tvC70=^Z3wMt=@- zodVJW-m0ih4bb&ZKb`=zKX}gy(X4^6<(q)H0&gVx6=+`AE?ABOpWh9`Bpo8#N zk1J%R0y!LIFTe{yB&vAZxsWJ{{airj?K_k_1|9p115H&k4uvcZ8P=#;SVdmrd{n`I zZ6b`F;R`ARvWdmcY?Cxv>=i;>To8YjqJte@WjTk#8C~9g|8$qKM@LEq+i7ZYXxu0? zSm~iR#d{@(1It@J=+SgjS%;>&P&Z-a+<{7}9xF~^_={RQl5VrkM6y;ns|iEu43aR! zj>;zze5{6&%loxbp0VtRJc4so%#6s8~oAg@(=qxL@FJPo6&5JE?TkJ3A)S z4;jRr6!hTnU+C8D@|IH>IAO!@IsL-AF&zm!@+VZJj)`Bon%F*BvBjwum3LOMdE^Z@OA#D+Y!rKw`?kH5HV|aureYpZ7O~SbpvA+1s z*~TchTi{>kEf2`V$BSwD`6OT2Vx4e{2jU`8ii)4njf^n-{-RJ{-2J&YOu9oNH;#^@ zA~C|J-OWpDeuiiBRte?mD`3haK6e$0-6O*M4J=;7AbtU~HPgnDHV z;D?78oob1U7|p-f^2`_(5GdcO@3~)qd0(c`6){<5W04kPke8is$Cl?NQ7)_!U09Vr zx7_6knaiRYKz3;k?{9UjLyec%nGjWCK-=aU*-c|9W#lT*`?bmk^uFpeYj*4+xa*(B zq}5PP(ia|Q-UnWuQdK$bm``X^?cN?{`Qzi(N7Y8OkV}m|18{);Lyz}cULQKOnr{)? z`G)oO$xN@qmU(aC#|PobP{e3Bt=t0Yo=sY+WUD35Rm^iaF6c9d@pMv0;|-%E6FYkK zd2+YE6SkLf!vYH*X6Z@?cP=cPFq;?pHt8)E+VI-dPu8FOD7g`~+A$Bfa-6S6tV`_*_jEQ(t6&0KMy+tTNKSRcB&?k-Jb`z3|oJ%H6 zMd*K2(=GT3b>DZ(p_|$!L<|KbP6C~BO!rD54a_QeDQ=B^k35N!pwyz}#(mB5ht_9f zeMmsciWJcWIu1{a4mifo*tArl<<7pN?0~gcq(9^JE36z%YMFc5V12^K6=SYxpg;vO zs-DslelY!W{>m>cWAqpBASm3Q_9y0HiybJh3#kIvB#&OxK~xTyN~u@b zl263(xHmF|`%_-|MJ-N*nBd}rQ*?Ps48fU_0rS--mI5eBp$+7-1siW!_$I((Do~) zr<>z*9e%p6hVy9SC28JlVsNV?c`vCd-=kO2CTI*jEgjyf=6h5-HZ!E=cJocAw{+5M zBXxPXjrOe7>dT>IsMvD<3$ktcK7pC69|v32;SNe3UgfxH9rwmgQcp^c&tMzJXJ}I3 znC_v|htzEd0yFF-tf)L`$qW0Vh1yKOP)(ss4XLmxXBx@#+3)rirqH0i{yy0auRxc( zT+7S3((jTkcRdwU1$}jO&F<*ORrPsc3shx?3L+L1A5I6#9e!QXat6IWTBT2To58gL zJDtdI!$A+-b3WrQB0GH$(pR0jNxfBf5s(*#S*bVcAfPPYZxkt57*-O|leW~6b1JMV zFU7kUDIBR@B@(W$aN=-z#IAO)H$#!xmmEe*jQS_ac^8Fbo7htCpJhfHsgh%-dK0=H z+s4nObh+Jo4Sw!G!mG1&_xSdnYIUc#2ALog`faXOo>fE_L~rLnZQ zjz{04kkML*jFcc+e+z|Z##=&Tr|%co>dZ-zY8Bc2t+5KF?&4tCi^uokk$v&b{)X^< zBqLaPW}!TkGqfpn2h3dF?u!Lyto7mcCrjgvDzS1g{813KEr~rcyow{9b*?uc_x%JR zeIm7&ev#ksK-msj46JL`4++AFwRD|q`HqDP7_SDK?y0D1niDx2`d zCSJ-NGS*pV0x2PDy6eYbBWB#tLm#TDarL~8iU{uj{a>hwt%y-C{#l8@z>oV~KvRJ{ z(|yk(NLBApkZ+wkV1>sCZ5pOG)3EzqW+`50%yrw|gZB9rs#8yVjx`=MwOVTNO&fnN zY~<1M6}dbVB{qONEj_Q|rUM`P&;RtRz?+0whJx_(pu8CIfRp7?=FUBUeU0 zw>rqI78`dn|~f2<>0R3Au4dOz)ppuP{u}1AC|7q>j>zD_%;xF z!7;9=jgpXN6Rm*paJwL4!1Be$yFHpYWw4-kjq&lx)B^&OhdK(YQU0GRPQ_(PU5?8{ zgnsMyjL~3zS9KalVJErW`Mi}_;+AXDj8Xj+3csfvATE0t&-=km|Bkdyz2uIkGuNbZ z{kE_tLKa?QzuDTN>LcFyq?Nwb`EW`meNk~>Hm@swGWQ+Df6Gi&jEGwL@YNHAn->8E zmE*jxd&)wl!AWzdNJ9U@xjai1OZ2* znxW#eK|99HQa^%CDF3iT#;iRr1lnuN-P#RR?rth?9<`Ce}Qjv1IHhalC5+ z=@JPX43jwgrZj>h$wxE1T~F-%Ce(jPK_T<0h$pe$8>pb^3c5=-cGlX83Oiq%@hpa? zO^sAiwl5?fc4-&7q<exh$p89CuV zms*vEskewG158$Vl#S0tC7WB}F*4?_T+`+#+AbRPrlLx*xALVvN@l(_MLq;4@wM}i zj@F(7Pr*^GCR}3`3`MQiuG4{*p_OFH&?P@d8KPlXGTN)x#*U#P2og};aAgy42S%v< zg5Ex8y}Whx@Y}p7(fz9abMf{1B0d4d?s^JW`mnrL$%T<JXxIfV4@-@unfjv!=GSDD;opS|Nbf1Ss=|RYB zYRI>KTJacEwqEp%F&%dDP$BCzfoO5{tam{9ZlmqbtXnI+wwY~Wz!Zd*`a&IGs*_tr zyV?yF0~hb_#6SXy9WFqQmYP|g6D_-BZL2~*!RiNnTP4mG<&{Q!ud)tMz`)r*%@OO3 z$lX>~6m$l%v(DIr|56!Ky4^N8(=VX3b0WBBMI54eHc<=gmyJMH+fEed#YkR5P{F_WEp{DZfG4hX~5IXK?hpe#twiiEzk|X+90d z`_vY4rz^)yx4t@z2VF!}-tp%gu*XrLq0Gid?YSG}c8C{Q^U|2{)pn`HDaX^#O4FwI zT$eihXSMGy6}Uf~XW00jz>m+y;#YEpcF)LM_Gp21Lted+&975bO_porx5(yZ&RCiv zMtFp^Y<95mg^}quHF}YG5CJ0x-RKzkPNXnh2@yq{!}_%HjZIs`SD%-*8#<7*{D`<46%u$mKTPELWuyv@ui^mmCSv#6l{uPxXZ zv4eVj1F8Z*olG(}o_+O7k=m})ac&4m-OJ}NPtb$2pro0d60$T-E^d@}ue(_}KpFDN zX)_vo`K+nqu+OBt5xlp3Vk%ZtcN<^wOf8iSQC)Ryl_>8~V%J@nOsKK1N|-hzsO-dC6nwcD?#l}j8`v_tQnE%wYm zTg`h#s21&+U!P-TTXz>SBVkWK%9%jAB@R7vyW{su@AmV3L?7FnRDY{VT7yjTj6s>+ zHF<|O#2yf=Rbos#)dufu{5bt%W))>{1n6XSPNk;`Uzieb8dXJ3n50|bmpU>2b%7A5 zKSRY!%2oz+OX#!g4dt@$EuJ~xywxB^TN5tS-{|5}z?)~I;Cd8eiuk1;*ebesP9 z-Psyp3xQZrx`7yE{Hf(6|p4b+!Q#p#cZiWO}(E=6n0Z}|ku`}IWIE@WW zuUlOT{idp3k9B_~Q}7?L@gf>A?5$J!E0|jZoy<;QSc{h6&7L7yZT#51tN7dm5gsU< z^PHCDe#$@GjT<<-L?gSOiZh8$HW9eiW`XB^F*Ygi8XkRebHKaCYH4!u!BcV6f%ddVPN2}-7?B9Gkj_w9u0)g7l76DiQ3|l+!Th>!tp?+<1RBtARj>L}` z3dV|sehl}yjkO|a2nxizdktLm!n>cYW%TXUu+gMv-!0EOb***!mNP_saq#YobFO`8 z1JnbT;?_2y$Gih$;&1*cKx}rfp z6OqaFprdar=#*T#e?r-e$An*=U}YV7XIh}WbDC*zRXbXU zc1VZLYQ^)-P8Ujf9%yOTc;!`RoOiSW7oTCyPm@5zxw#YLC_ae%3W+8ayASw?`pY0| zl>F(`6_~2#**C8p-b|%WsspJRsWZ3R79c24$i(coQc>%&|MqgrqmmPsAqoSaKa8QC zqyP|eWu1l#z`S|<&%Z!@dTG8@9li6tc zT8%YT(x^$WIo-aw3_|o!I)+@Ps$?vF4IEfLtdwN@FLDlEs?R)jU$RDom^)FSlJ?Bc) z`RX6FVY1R3C`v>$Rz*EEymJ)PtVH#d-+ZCK#S_w$;{Hv(di!6 z4CJWY)md+s-YdEyW@*eOmw2F2a&jnv;@jcgOgF7X14z8v)yl%ntg4uvIA*`e(#4Eo z_}2aesqd(XsNqU7^OLgVR)TG3p`HGM=)sOAIsnp(m%y*}1=}Fir%T%}MLI_7dRAuh zO1FD6f=sf!UHYPJ8e7u(Zt>F1!>S3iAY2PmJaB2_7s{7v9rV7KJzLtZtspbh8lcmu5i^LEd;$mm+)5GZbY#BU?2n zMPZ7e6ulyEcs-?X+Fca1)ZPTjBQw_hyIcC6%xS%m?A#jF@Os)E)?Ik?O+{%Uy{c+B zT8+M^YTC{vvJMGq<4J6xfipu9!bwaZ&Z@kdbTz9$?Mo-J&h(e6#cvPP&@Jk7O+K|7 zww#O`5DM0ht2~sxqoJ_ev=F^}GHrQ8%IM5{YBW7g&p^7tDS;SqsNNjY_jPWnknJN< znHI4q$=Ca68rnGvstr5|l`#i?IDmyQeCo~yMbi#R8WTj0zG8ilVvQ_6!wF1q)L3th z5Qh!*u!}sWz!x-a;ndGjr}e3b7uzNQ95<1 z0RiXV*p43=yL28qo8LR#5EMY~Hr?N!ccrWiMvgTj_sf7yr&BN%Y^w~CIEooH=x+u5P+XcbvQdBp9zuK_)xM1ZjJ^#glSN}HLa$asYG&p(A;Po z5bcZw&~?xq?YYnVS6vj?a$Qlalf2-)yFog$Klwfa&^5a99j7RADuZWMDV+bd`uq*V z%_#om0PKs((PEFQ!53fF|5hM)1^~}tJ;%NfCdD`Xp#?x7R8E_Y=_eSS#|!+r1~dKp zwDZfsFw;SF+~U zzF;5#y&Bl#FV+BHb*o3-lU)V;dP=48>$5PxJjL&T2@k@rS7NeR!J&}#nArqCpoIn} zsZ{Se1cdH{WZgPFq@s4CUwI9S?O)>oATIpVAgL~u6%-ISm5Il{WUYtg^#5b-X6}X*-esd=6s|-F?~vL{|f5cj4oyZ>AD|oXOKyc~}*@SJU@xE_vK8clXn5EDX3| z1r448b97$hDGl8Cy;|3>0|WZ!@du6-IB1^5e>IQ)3n1_>v*eG7Z!Z+qemOb)`FzKsLsE@QDyj}^+aKTsNMaR!-1qQWIsl;R z>%Td9*yk*MI=ScWDvK&@N8r~4w;Pb_?Dq#LB*}-H9@hR0u%<7CV0LPbQ7)pa1IbhB zxZYEtoMpSz-XO@1?z=n?{h(0lTPbaVp*?hanIcToByojCGDWZpOxd~Gyz0IZ##?0i zt?!B)%kcc*N*Ds16Zy%mM}>P%$H8BN{YuHm9&8v+06wimt+V<1YUd{g zDkfz9g%c=&r5fLmo>Ojrb>-%Z|FxU_`^7;4OQl)ma>1Y>QZMR zZ^#~bo70X6o2>vZELmj#Hhg8ruvPo@1!U^EHogWBEkNZ)qLx4+kz^~9F!)t*KgYMe z^y$sqGLL$onRmTsSNGJJuv)ZT>6;W%n)6k6fYsu%8Q$mifJUL-JbRVKmu&bp@Tf^X z9_;w`;X(2aKm)9e7Wo+p(6xH!0b#=J7bx*)H%c3ZhC9V91z4@(mbcqf;~gJ zH?2ToSn$WAy$6Z~2ePau?rERPh$_ngQ>w2zvRGZ%`W#TJg?dM7fg-l!ig+1l*fEKa z)U+u4Rl5QZcp<|rAZZEWwxny-z)OO7;0EHDW&^-E>9Ej2G`pW#omE?;!~?OoJpadv8E&z;4!Lv*BK|GsRb_4h?S}z%7JOJ8gx(Pojq_2yttNTK*75lzBV>|2!%228{El zk`ofPF36X0nS%r zQB_%|UpT_-{o29L37f-s7ZsDdU@%y_HB7Eqg&#Q?zKVzX(^WRP0XNEbE`JWtRvY%N zFIAZwEUaO*@@MYWpgk|^E6_#23irGUt2*7QSd1alct~lIyujN|8#(zC~*w&8w zfP>`MS~2s#XX2l)`R~8M?foua4QK;d(l8hm+qH2u$NI-Ul0f81b-3Nvxu}?)>E{j@ z^uv>GYo5?6FkGQtAXm^txQ{Sul4&5Q1-q<@&HUr%kAR9d0Jkg42uy-oj$3Q)#(kx0wD^~@CET%Cz*AwVjG%ytg> zTd(tCkow4blFkLjJ$@r2lpI+E;sWhj0;0!1{E zb-(eMd0++aQ9KC1sctsLj$c{#D_6}m~M-)KL;@_l?&UH~{ zx8B}6pq~KMnR1@cSvz%n>%6&m7|wYgQHp1UaJrebRD5>5F&qD!ljd$v&ol(J~T#Ewy zC}|iE((+WHm-qBKgn3TxW+s7v@;4!?MxQ!_oaUMzdIhcY@(j!ht$b)mcrAdXKVG|5 zb~kV-XI^>zwp|}@TvuQO)MB7PxHFyFFrE;gVHHfMSO-hd5(=g`3gSi;F%Kg00ns^>(CjOthOkDTatL0iXSNkZt1wiNpcCS`eo(I zlD^C*PWlY7GDQCg-T2?kNEhx6!xO3}vXsVYwxANjOIHm;j7okAAS)Aq4EwB-O1z64Hs{Vg zVB%l6c|`qe<=kb%`m9(qUsODk+n$qEGvH4P+}~S`AAcT7siO}!Ew%2!;R0NKFStxu z0>_wH49-rR^&T+i#-@87d{ql09xb{xoIQ%F1AP|c3e35&tyLlHNSbcwax`7cTtK#l z-fN*!4~oL&BpK^Vp`oxul~%Y@L#{x=(^`_vBEHyR_#7?D&TGSzfW=0dpsJ`)`pjNn7<#;yL!v!;|QbUWw$nLed`F8Ojqpb{z7~*T( zi=ScAk_gr1)x#pxZhdNc3W`DQU>Zci6MfV9wRtxgG1EB3ib z%%`OWZ~{vvFV-+Wv}wUUJP^56(%Qney%1jHaigYX@1YY5ne7310x@*tMNAO)ZR5Du@zXIpEPERv(Z> z=2VoombqRzSNp7D`QQv7j~r+8v)De}4pFg3Voq1HqZaeH4xz<%ZS_Yy-(|6kmc`Jb zfj7-=a52RYqxJ)?WgBUYlKq-Jk@KMp4aO-(CFo}6v*-}zRdL@KDT-}P4m}CAt-75P zE=U|poLB~J#2Z8c25fx{AMAxn%fzTZM~VnrJ9CxYBe}yLy79E6YoLDG-I+?h23kuk zBRxLc-|9HcNM?#Gj zj9b8xWI&rdWHWs9jbqGsKfxo3IW<<(-A@T>4Q=tlO-Dp@VZ=Bw+ZWz5KbYCMETAm? z*nu(3);toP66rI4MW*qogbBBasyRl$hujF76T{<>g-04$&?Pj*5R242n;Ru&r!gKh z22FtNfm)q(OHbAC>bUsP@)K(iw0n{X7(fPCc5|9eKWF2H?vRH=H*0m^DVg*Is$QeZ zho947&r%(UFJj`U-7LNuh?fegr(Y4dY|&s*#As?#K~X*j<=_fWPUxtvP862e%h zu}qtr5=(0H9NGJ+hC5mj?~cFa$xN@Iqf;HV*xu>T(AmNORE{S3GdYzS=4v< zm(JbQJ%opI3{Opr49m{v*C@La;^n4`zWqF1OJ}6bYUX^4PcNb1Sp&tcvvoclPjtN) zV~;;CeJ@1J{U>OT3~Z5;6%V$?b)~{l++wNtQu_XUQMNI5R&b!;3iuVyq}1q6kT* zW_fvUtc%t{Y1;e=>&p#3;W!_+^nZ>S5pUHbrIh})q_#>f9o=%@XV^tEqVr5A5CNXA?QLG?xWVp}E z6?1Xl&4Yov0Er2aHaXq7ity0M%iJ!G53ca`v8be9?_z+8GDru>i zmY(L<@-m9kD5YgGfE;2qX8Rv|ULGN9$8LbR9^?-l?OZTHR&yeg8^)jg0ZZ68>4fN zK)cwzsPv`Jd!t!=gP%3|=7Jl>7(vs7wovBhy}1+0n(R~VT)IXmA!0Fvxf?124SpNc z=OKpu7H{n>Gsd03sAzd3r^HA#?P1HW$5LG@QEWD4Q|L7s?s_r(GnW<9w=8vEUmjP@ z4he3}C3uH$IWJn_{;aXb76z)_Nz@=Q?pWw?vE`_khf8TFZp0Htos1o)?MfKC)BOS- zW8^>W*C!J?PHt{h@e6{-sIf}STi|cSstX`?F$CT4ZmpZNU&&5TcA{s9Ie21rVCA@4 z#YwF>{1`hF*1{#j_EC3r{ZSp8IvkeHWuj0O)nvgW1yBNmpJ@vCdY*cNn?wD|bx=5& zzW83M0ZU?2E*xhaB65h-ZvVw0-G{bi7SJ&gKNU%3H2};<9__xx@;5sql-2toXK9$k zWp7CyoCLJc;(9MC;GcS9t%hep`}MCxEQ#R*$l-;cO^grVDf@Ab5CBmB3K$Si?#JL2 zb%eRrP&46gjnou(HPExF@gQmOBaN?ShEHvtkrLeBUB5yxMl8M)ljhC{a=(aL1)pcq zP&JDFD2=L=D*`me6W%3o#@k30EG~>w@ittV&OpJY`rBgq60~%qQ>*-zG%R)b1+CDiI@7}v8KAn@gE{^n8u_tQGyPd2g}@=1 zZPXW#wifHVX2pjxn)F-9FIf)bMhIUxXT?mn$&2)vldFiYz_FnXIhu2ov@vh)i;HOH z(OvUo|2yK-@Cwpb&WoXD@=M|L(s!uk&qkqz%M<9(8(5Z0O{!;J2(1!|$V1>Yly|rJ z&-_H?Vg;2CzvkVXK6gZ`nL6pi2$CQ0_K zNo6r74@aOeOlM{s!49BP1xeRhT({^;x&`rfZo39ql=!}9E@Bct^8phZz$K^0y)YM5 z{W_$E(+u4g%BJG;`UBgW4Y$gLVTIFgBZT#Ub3WKuK*AL)$8ecTwB#C25-nT|&WT{B z(C2d=^~PUv$)hmDrdh4?Pt%!sl6nemIim9O-~0lG;M_t8ja(d~M*r?ZQA+=6D#QX{ zY^#AeykI#xMZ<fVcMIWs)(15&=R8Au<$N=Ob<)X#&ZQT0NO z`oc7*kuh0XU6X#hZq`t5oUTUk&}`(=p9_{^rYC4Q-tf7Xoj+r>_)Ip)?rxx2rnUa^ zAi0$mP%3k$x#z2XavY0{VsNQ2%}#YeEk+x+N@sK4kICGhP6Q0}-`EehQ=F^k6~eyg z0K9i~C7XGo)12haRF%-eJS5PRi~_Lp#WIal+-yveS)Oa+wqGFMkeqK&Wont}g=KUA z9@&v~IV3hkX% zAf>zAqhxu3UN(yR|ET)PsJ5bR+u{`0LUH%vQY<({i@SSqcXxMpEl{)s3+`^k-Q5Z9 zynJ`u``)|1cK&3HjD1e_+H1<1bsY~*4}oo`7S*q1fnwIeptqYX%2N{Ck8wZyme;6{ zU!^>+mmm2Zr=Q}BPKwfh9(9CnlpxJ`C*MQ-FcK*gh*3pFQYuimf0ceSM9~$wlt|Ui zlsuq8VIg+FioRX8WH*o7xh1dv{S13K(VUsNcsQPYf6(r{S-8Swtyx*>zIh>ufKFVP zS%0WfpH3*rFFjZ2w5|w?10^Ah`QJ+fM&SMVs_g5m=mDczMatOy#S%CoU#Zo_l0lR8 z)l@6}tBI!}Brf%{P-7Va6ox)zbOa@;SJFj!a8S_EZhVKoK^&rVOqu)X!u-!2=XAIE ziqyFx3FOvMtH;5si`Z8Yk-)jeQ$hg|<_N&^aNGU5;UyX*w7b-D)~^uarWoNtOhKpE zoVAD_#1Y==>okeM{z5uFSf-SE=_t}}y)ie9}-8RQ!#Jz7ntfN!ert&mo8)Ez+l(c7@;?1*b|A0E3|9E`oXW35xuBzRHv~ zS_t(47d?ykG)Xvc3gbqX3m`q2loBxF6E(=6+RkM9JoX9wf3@K5MgR>_vLO| zGi%H^=%aTWeBCfzY+%L!d7l%lqwxv*X(6>l#CC`j;w@3@UMZ<}Mtf?#N3g|;dGaZk zP;A;pWp}gOL)%z-ZnU=?ofZZ&kzcJnC#2QtiuHAUl~6p%yuRTKx{l!2X*4J9(W8yP zRjk$ld1PvccT&rys~j$_E?X$JR3MPbCo(gHp_dD89DmaSgYm`TFmSi^zf*|4#t0os zB`F~Ih~ti?*3s79?Wmv3`eRIFapb3tXL+1IpWhU2&al()h@hg5`k|hFu!uhVD#tGo z(X7c?)^fEksS=tLYF|Wqy0#_y9VJvEPcjXj9r8`*ACh?@uigZ8_WOhkiQU zh%IQ)@K?;a0BJs7519nuqxw8^bQ#9m|6;tGjcF3vkI>s~0rUL5e7b;C!R&V@ssDSb zB*!uESEA^S@-V;>L24TB>yJw)U{H>6*!DAgV*aLzvtW;R=i1SF*EkpUJ}W( z_|V(;*UkfFzgm;4dxhHmA()-oB)2!K1+BBcf2~>bZc-)M3ZStcTrOaI>k;{U6znd} zHeS-#adpRRuVna-_xU(|vz*_6FqXFxHp`(N7PDR=d(rF)Gs-A$rHFbAvLScv?#r=^ zDfrd!MI5RqBFwo0`*_WJ&hCq%0th~HmmJXa4kr!Am;iLm)3@51-Ii_UO#}Xpg^k@h z6J1L4iASxtj;}s(KVK;-&>zUwny1r?jUC8Qv)L_Ua<@p8ctPeOxcKmQ9UGS&wzQu_ z>6=s*^RCCaFKZ==O7N7lXwXcx&<=xeco>SeV(d9Ul0(l)seS9fA<&+WVmmp9E!wZpCgMA5g|ZY zHSp&N8+mm$aZwJk3}(jt|IQIbSY66b6f?7u2hQs=L+GJAr~=uN1FQfG)nC(_*?{#)6CPJ@8+6zS2wmpwOSYtO3~>Yc2z)r%Ig} z?oZgswv}(9mR@B>&ZD`<%gpw zN|^(8G#E}YT-S@GywVSLEh!y(CQ@EK^BrM2=D-ZZR364i^y9HKdg^}Wg!L=%9AU6A zxs;D|(j!~X0l(EogJTI5AjMwQ&W8&d4Jn)~yF?~4Ni7SWH{nr{RMn=y^l&NzVnfW0 zue2Sc+!0^{nVc;=aY-XB+I>gsY&e&b(duyPz~SAS?L?yjz!s4kmBD z1mQo6h(nT8v-X066y!8rZrgkj(2zv%#6wrOD*4agpSjnrjs9X<8BQM9`VTNk-Ktr* z_m}UkJsEm~9eyAg>rCKP3OQ2&h{Wiwwx1UQBYg&s7) zZ=$B3;^3%s;onz}X(v4n07Rb$qVdcOW+18LSQe@`Ezox8mA*lHu0ra?$Y#exY_gsL*aP1WXLcSZEX?|CwBG*cYAsrQxe)I8QJp~s&U`K|2Am09+>!nJ znyRmo-$q>%o!&d_?*L~_95Lkiub^{+3#?C*;$@|y<%zByed(^K+@w88wCo9#27F#= z`v~A-n7KRlA5Y>`Y~mnAqZq?kpV9`!b=|0IJSj$;Vy)5e>%>~6?q}L<1W6?RG{A23r)&LD#|?p+|VXfs?OnG!jp(hl6$ z)$vRY+Ky`(>*tqCY8qrn=1z>)!-ae*gIdbYwpZ3rn*ikLe*ijVN9X}ST*>X}3|+flBSUuJSH zn4!CM5UwKP-SF5K>>fhXJD+gQmH6Ol|22a-=XXtF-faK5JY!~v*RDn{n|0-s-~i@x zpXK9op$WJEf3nzM()wc=%5eK||IOuK2aX|wi+|quI7+idy^Bhf-QLgZk120DjF9`q`tRJK_?f2S@FS_MuXg_0 z3`vxDi&{}TR|cj{r~OLWjjP&yv*Q!=ai=?wm$G9^7&d6HZ z5M8q~Ijqqw-CV3mm>`(y>b_gaXkCpbE^YL7m-cw@l0V9a@wOb>ehd2Xobsn!9jvTM zq2Q+y!&Ds9Ra=Jwa>z@wS!Mc8qmUC4wKpztC!1cz=D%z=P8RxQG;OwUy|wT^Z>O-$ zkM0U!dIf&lu-U#~!nN?qjXi7k1v?&9hw1=91Ow?#BD!VL9-R^88XE?p>;SU|>0%A3 zw!8%%da5z|!jTAl^b%nBd%Cxmn^3F&3xQeHI}P=uYBxCn(l03g`!v=M$$aHksz1a# z6Yz+^i)b}PtB3K5L3>~6q!$h)^jP(GevHD>RBP!AHH0zSz6IOWL+c8-J!MCvLeIAU z3mFNEzj%=H{#a1s6CAo%&h2>8aPd1AZ*?^7C?DMScBUDK%#X0kTas~@I7x3IGb?|F z*IRofT>svhxayptS66DrQ)kv9sF#75wxoLbx83~)OK2)>Cv9Oy-E(K%57=p9@_HT(yTA1XFzkq+m*JPqj%U2%}>e5 znS+uBGlN7w;~CG^c2{%sUG`KqfGE1%=9b@)!brw=W|NOjR61QIj`O7#Ypxcn)WRjO z&0;C^PUUE{25xWYjU46yxl*v*Kb+YvQ=}Q%ZMwSPt^E>AXOwl8QmTq9lUJL>^{2{U zO&~XZ0A5C`oO?Gbm)Yhq(k^$M_9dmpho848&yaxi)Wi$JD|r3AbD$!r2|cj9J0-tD zQw%U^M(42}?{a$kvxmhf%O<7bm!OPZku=CHGhmGWVEPV*(Zc`@__7hR<{mAx+0pJB zcU#$Dwkq|(c5Gs-1r&F5eDlg1;o-3lQ=BQ0?p5=CzSUAXm(65{!$!3FOpab7wOF+( z+^Apmg}K97m{=VTDieXUb6aL2cftg(8X|MG{)eto+9G?vP9)Au*XLpFAOX*4umILJ z9Hlp?;Y=pDpGh=ny7?FKqbY~owUz34;Wwq(-NP$^cc5N=@61hi9Lw3%GPki#aTv=8 zg1&~?js$*x!txo-KirWqH4~yC~tGQj21q>YV{l0&&{t# z?unZozK-k-bTOokB7?8#+5%!fN5}cOr|MDnZM81XGntRCg=D$_G4H2V-=hL?FwC}# zR;{4U1~D#(Vtsk8y=8_?r|tCgIYg$$XA(EaXu>pdxSv_jNYZu!Yv0ZF3eO<&RN>T-C$bQ*^r5oaeKkbd$r$2<9d4%jLaN&^ znfZW6%Z4oL;xQ0K=i$Qa~?%{VSCYMn!Eazi#XHh#SPHk^%ke8Touc*3OhnpHy9GXO; z8YI#r;Px8g1IsY*@I!9&Q_q}L&B@F8LndrcJNZ0ZewT2E(7QO$^)Qkk0|PU2d5U9j zT7}~xK$wYh5y4uY1H8kK3@g|eRh5@5WI*!NG796wRU@*IQ|!RjVfQ9Ubm2*6ZdPN3(q@wjYJNr)7TM4mWp!yDCmRE2+ouKZW|g>a~CtEJ`MN zwTJfF8GxCB)b|$C_aS$;r1$OR0oxB^9548cO%vv+!sqlX?v<1-^m!_a#;8`=R zI3}{pvN84&0(i{FGstUHt6#!6!_kP7Hd(s52ac^6RLc{b7e3~iYNdS0B;Ae-34_Ob zu-gY?zMck94w`KNzg*t>`9)ej-)^4ou_j+ZBDilM10cr^7;D=_$I`wzA8F9!Hjg!L zc*#C{9LHA2G?b>&mQ497xJ-^2G%5x?&PQ8WTG+071a z?)bf)_R}+CvLZKAS(NhuzPi-D481W&d6|Y5b4;Og2$K2D9Gboz8b36t?Z=t~)Sg?tAT9fmHg2LHFMeSwZ z$lwTG9)?BuMtE>R`;7!rK5tsod)>!BXz^BBy{6FY`s_|-+fkpW-B0Q*I^p*JBK})o=|(7S%zj%jMz$M*bi|Eo_Y}m z4njmiT71%kPFDQb?dnSR>aXN1uIke9Z_wcLZQtx(+!a)whVrrH_T?XY61+oxKCu_N zK*9I`PS3*`%T{MFP9R1`=Z^KZl$Y|iw0%EY zB zo6;GQX*nM=hzJvK>=8%|A3)7iCje5$jIxX{RxRuyBv;Le6m;XAC$&vvzoYOayjujK z2Y!tycBRHPF2a{OUttS8zaG1?!=>Jqk082;`vRf9P?m@SGBSX4+t^e-)7ssWjx3*POLP&2j_^;RlWqELGLNh-Twxr0X{d`H0rT1gtiPg zr*~?nM#&lf?GQ6k9IUwCWsc_}3g-E%=mrx61!Z5?l(s+O1?dv8SOi$qg14Z6BoWPn z!tamnt3Q{S)PSJRX^@&>JzW%flpmYDul95%||A9~n9P)f> z4k`fMRUnfw%Be#%;ta;{SlFJ$PO(YkO^w_!R)gcLy3$-jQnTPoLR6`dX`y0@5V(+Lt@{Yakrox@CQ;7WGPq}Q3$WVReEKZT)se;YZKKnxju=gw@B3 z$pH}o|2qOb2Un$_ZmUZuH1q-(Hu!EXa9%BUL>816k1rT^Flj*L>0sYo0;gNa{aQ~i zQ)BkA{lbqT?r)DWnhB3?4KNILC@0?44f4K*mHX@8ZQJFrUDSa4{o(Y6#FyLjJFx{c zrIg+hj{s@61ascVAVj2f+A*f)3);9mu&93V$q(7i3%6bR=C*kfxtz+L9o)r`s=II>QYsOA<&r|gv)SOIu zh8t4dKUe?dS(Np|A!hxYKd-qEzGFN8+x8^fq1$QG|KG_*36E1=F(p0?#*@-g0oqME zUhG)B?&dW-&)5Z%FPnffx-8^>T#v38lGo7`55_a~f&|USe~qXVOQJGp)DT6>m$+rx z?es^gf*g!!cJ6+UrdCFXE<)UVzlIaYcZ?e#iYlzI5&2@t*dnX>3R&K49{VpmB@kem z(`HH0YPIRx{&?oB88IeYkW|Fs6}Rn*VqaLSI5Fy8&mR^4FSy-Z@7ltQ8a0Ng^#o`G z!r%VtwKZXd`TE?=qp7yJ+2$F#iKn2@{>&k}P+4uV?F;FHB#@b*g$ni&c2a<$id>Fo zW?P&^8mt$YdCkeRgBr|H`X`@mY?C)cemUO>7TRydhtg%y$P*9%e7<*F1s(1JN=Xi> zBixbkAWWCZU<`RVYHPjCG7$U_Y;#d`T-#-{Pu3I7vfz?E$y+3qND*RS!$xA2U=rcz z=bXbj83Imt#Eh0JX=)xs}N0COtp+-C_#yop|K1iU@;@BJrl!qSNKyi~%JQ zll?ZOtu%kr;Fs{2R1a;qG5(&ySbUmYSZ0>#LUumSq7r!hmvLLKiU?$W`Sa`1i|YhC z0!6;`CF(m(eB19b&5cg)aLMr(6)7L^qe!9AvP}C&<`D+=qXW}CgwNO-q4a7)5#~v009FviYa>$>l4V4KO=HNPwVZ|SOn0*qn2OV2Q$qJ(=KJKV)F~EZ{gPhCw<^rn*!EH6JoZCr_*hR4T9?)= zTL3-t%=P5qAtWNL)RbdXv%akSejUAqLdJ242Lr9X`B4VA=k1)v1e1VlH>a|)fYwkJ~!bX*6%4Xt!$K{{;$`cF;Oc*d#q`duAWKhwKkAqH1Qph#=q8I zZyuN2F@ZK1#M><5Tw^Zh7ah1d3+fTwaju~(Z7Q^ZksYgGsgc6+(9#CFgqE;f@D=Lc ze`B;2nTNB};RyfpC`EzyvE_$Kil>C8``#m1TTf1;UhIV{)6ZhcW+pjLl^S|$TFq~U z5A~T;QIP8f4070p-br$wiC5V-;lJ)nJ&&HRoLOCOyK3F#f&)t)o3pgJ`g{~aRfT{Q zbn(R^{|L1G@NN5nH>I}>mz$10L&p=0H_9t@85t=2H}7T2bVCSV^~1-~!@U(>vLR+1 zj#^5pW=-B}g+$CS&>O&r**p8XQ3~lK5mG4=T7{pV_IdKaV@Njmig0m?dNA}j3?@_i zQ-}Z7%I_C1^!PDT;DomPkY>n+gUOuSymwv6M`PaoC~!@R2qSE#k^&WBibzn9d|1WK zU>wnnB8JeJwW`I1q=`^JfMyd6;+@H5HX$qu6^}NT&8zE8~O6Y_lfA~$L|zhkC^T3>3bSj#M8R7r(x*Unoz?h2_czc~+H zMqKuelv>h6606AD_HD*WOf*c_%Ma?Cc!917ZrmKlNQe0FSf_u3s>-;12j!%Zl#6-3 z;QyjDwb+WMm^PwSfWwGr_W$;*bD_lMI4Sx2qgw9)JvRHXxcndL*=qI{8a{l`-l14m zA*ug!>S!wcgz3zhTSkF7A{Oa0a!usj`%u(Gl@9{N=9RtV2uF-yT{xq~)JohBs50w6 z;mhkZFo7sY-C{x?AyK&BD5%8fNaKllv=Ez!H$9@&o@SKuH!gwK+MeXKySl`W%ju#A zI!(r|CCQ9lT@OtOm5Z#*FbKZ%%v1h(uN|x0Em5q8UsGU(zH+AM#ayPH3Jr(DAq)Jt zyg&OA2aEh#n8Tl+n(qH$!Yv5l%P?LP-{EOOf|nvK24rw;#T_*6ya?cTE{g`n_Oc=l zwdo!_jXg?xoEdOz33;wxJ!$B&@*4|mBCXLbc0u_X2Nn*x$aMif(J3;-p?bxS1z?7(up#p=3raaRf? z3qtSOf?|y?Ey5A*)j>CN*djakk?Mh6p~j|xJ_dIC)GdV>>|%g2_{z1q&x|*gnhvnO z@dANhtA5>#FxDzfqHwE!Q@vU75sa|AIa3C;a=E1}7Vf}T>OOjUb&V7!H|PfT&N=r= z9e<+fD3dLp6RDoW*FAj)UfUZ5R)Js%8yq0-8>YCPJ%Rx|C;p5Ea+ddUBE zx*fc8-E0|JkrIIrFHnaB7o~VvTHQf_A78b`bHZK1M{N_V$CbxIUK8a`#4j3{&WuzV znG2}#it;zTqu5Yk`q*d+Ef7GgZ)&zm+}WGDNEu>jVymDId{=?R3B>=gRd2L==4xl| zx(ubj=DD`2Rh(NNX_3xd_loSS1-DpZCav3Z6V5>gr zfyC0_?^%V~8tU^e5o(WaS76Ytvb-V||6ALXm8&8uY|l)>V**v4fsBj>Sgp0ewzT{v z)FB_iXlnUizVlzv;#9fAoCC+E!mNyrfyEh;lw>+zJ9XBxN%6^0QLE6^!xCQEP&KgP zaN<(H>W)hq04{x$cO|B@7~3H64Rs8I5_#M(tIZHoKKngj z#nOyzM0QfuY+-fJSTzR{2#V=K zeOR|3sXwTWTF9xXdTkH?Lh3eo%d4eD@jike5BaBI0Ua(Qo?s2?n-|qn=%0=CHurq! zpZQ;$j!>S1wtf;w}eWIWrUzG7*a0~hlH6W!4MwU!Tc}c! zUvu{7Iq_~CgsssR+(gkZklP~6brrTmhX*E;AAdC_jqq_Oi>4m-eSG7de`C@yXylMR zh*3@{3)yw9LP9Y6u6ek)vOL9tq2+z=A(nzunB#i&&*%jpV>~95@D4cQNU#eFQS^1Q zewHjlOVeCsz&U^Rz10U@ML@HXS*-c(QSs_?K+Xw7LYG=Iov2HZ?!1S zYwcBk0Z}#a-r!*&<_vCK@NlMV78ZP(srcHl(eu^@!2m6(37;(y4YDbfuQ>NlmH$`a zB0IojHSOfGR-c8ChaSr7($7za`O9zC9~t&?I95c0UNPkdefu^K7lOU132F1Kn;ylC z*oB>j^R0h4jr*n2O~fFAr0A6X@Lumbuf@QA3kI7tP$b6F-`FN$2uORfXip{%2bO%U2z1wM{)IEZYASjcY;b~T-t&!qrTHKSXz$id5$p1<|l?nU>+mLNJP6Rt#b z-xj1cpS!`L;QsJuNUKOL6N8T(;FX&?-25vsb~v3v0;xi$xkk)cfVc^?VXHWZ z8BBD{p{z@S-!hd;{&NZ8m-nEQI+DfMaYE6rxV3v*>ofMB zzW}X~$IZghUY#r^gBWqStGBmAkrGQjMqp*zw$Axab#ZBA;$khVkZoguOFwlgLO(aL zY_oqCiISU^+2eP4#J}?>Ywnm_Ju?T7FAFPq_k{0|thcga7B>lQv>LCSEcn!AacQod z5>OZ*s24<)cWw320kRH9a+B4}eq!J_Spkt!*ldDtlUWQ%9C;$p``BzT8#h;*a`^2j zhqp|Gh5`0<&-z$GLiF%R>ZCrLigV6aY;DrTUT6avOa|%z;owJ&VlOlP9{ABn1C$SS zL@l9rf!Gbt%4{)!2H~I?jlNUv13Kwsdc9YCJ+*9Jj5Zg#&{e35B<|>5k1Xd|&l>{l zV$YIW%}`0~=rthSnn?tjuyDr4yG?wxGyf`Bj2lCYr$4Pv-`{Yl0wq!3Eh-YIPb4?t(-aYX(ojM=h}&$Y zP%v92;Cj$Q02n0+w5_<4C|bKs;UOjo<^_JC*05`&JXIe@_`MU4J5SvEwC=DL79gG%d82#xwZ#qPeo2!MEa>Cwu;9tW)~NA z?wPMH`=hv%NquVE`JocOKZtp~bn~O z6qlMq2yUe05nAnW5PEaDVs(7ucN&My;TPbs;TC?@ zeX^-Qd50m`ov{Rc?}n+-!H{524@&z|;4DTu>j^50}`)1@;iA-8GjOFx_8i@d% zOgscHbB%~TfuCcHWv7JjR5za1WY6#jtKu*TcqSu|?A($$eL3NqrpYpLL7Mv=L3~rd zS^ZbBp`AuFTbhB7H1`Bgdb<}+_(T|*7*mv{qof}em8aCC9J`E zRHqdH%Q6s7YweCNd0K#ZDLBM|-e_F=qp%(dD<tuC2w$VX18tchUUNVQ8dC?FO@6EMtvv?y0ZG;=R%B#zb^c(HB}j(L*YwmAG`)KYPL2dGn%^ z7pW6%8dFi$n$|=MyCLgS7a;O7-m)P#)d#k3q#Sg|dh0Jd$q4bl${ni|0Rw6p8XyoQ z8KuMX;Mzn@9JD3jIYiT3wx_EO6xau~GwjSP5JE#R@^(j?BijY;);?lV0OkKa4_xu0wll&)W$n&A@jZNgC1?%4W{X10rxUeGU7l#1ARYmWDvU0{UiNYW@ktorlrCxv9s*~@~Z8|q|1 z5p(*UL)x`?bK_JhP+-pU>7{4@bYT61x8Q(p>GIUjacwC|y|~bec|X4T;h3DQfhGBc z#KHJW^nKl`cmnbk)?b_BBpS~u9Rk`h>?VW4tJzVeEDB&dReLEcl{$+A!eH$+#j#)iJ4e=i53>S`f+<=zicU2xwrbo2Jj+#0OA48MFj%lSb}M)Gj9 zFrsQQ%Q0o!j)2xdutk2D_Sl@@BhG*)GFvEPkyCg3Q!;T|LYv2YIbJ z(;BWnAiwaUbm;SFhL$&V=SBt&(F)zA>{dG zQhB<08aX%OW~&%aTR#O#nIxQa^fE94{4Q+5h6zwtg^6pDplhsS_}Jf|*XMDSq<``QBB*rCOgpg&&gMwr%1IZ8eykaua~> z@KVTwcVVsTg^p*-Oj6%fd@j*dDe|EtAd!gwkLwUHLzK&X=5Rf^J?dCYrz$<#m@gaH{I8obfzSJ*uo;Nhh2no-8 z?ib>+>F@H%v>#-Tuq`040PWE zh^At_D~DO5>E18iyzh^W=r;91*{L^Ymqc#)%f;z62F}S*N2TE$$Ln9NNF%y!9G8;6 z$9+I~xZ>dk4vBtxV773^J;;%478E1f+vE1`RUJ6NM)Yx@L`rWRJZA>%il$B_gbBX~ zXREv#lD!rZm4ruS$#*CewLhoR+5U7x=1bE9mYNULVY@i)vf$i4@T7!{7%GlLOGoEZ zHL4;2)9Z8s5lrtU2UJ{)-f*yq{6^3N-0gJ>LX;G#AvUd33=EXZ@TEK$=F5yjJ|)eg z4#FPHK^@BC*7%Vd4I|e9ts{-+h=u z_^|xcgIC2tnmYY8#t@Y3E0%h7)_lh8U2*x}04exJW;&2?>Och$CjA$i*+|A?kS}W# z!{psYn+0V;AmY}a%%1EhxlRsJk7`em45%kmW`zmla;}YazO~~(s?cpr;2(oW-H`~Tf`V3FW~W}}+NE^WF}Pn8GM~VmpRf-@J$T*)VjUrz<=r8+VS+7w zuQ0*_#mg2~qrJQ7L?8Nr@-bD(OTy$jFd@GkuzY;}#UR%~Cc0F2Hw<@`EWK*=@3h5X`ya|8Y6rMPbW>t` zriv#;1bF1wRw^lgLr?6@NxFdr;@9i?Kwk=*(MyP$_wo7eBqSS5Y&7^+%K2NfvHf+& zL`{O2rrzArqECE4Q94f=pDRO!QZ*2Sd@te!ylM1_9P|ky$~1ph4;v1*zz}!{ zun|a-{&kSCMG|uxiA_t9aK25@^5AXnjY^96^w`5{1dSAX+5S)mdWJi`-ycL>ON%s# z^2V$3tRJ+SZHZ<*v~Ur$-sZ)E*lYnF;X;pfFUEf6?{^QGRpV>(X2~%XA#I1+>6x60 z|GSkR#Bh+<2~N_osdE-+nOI7s{DIgtJf1}hY?x9O*idM5_fLkzuOfW?80h?Msz9Jf zal0F-?NJ*7O*9@eF(S$I!ecpOO5?JCgEyU+_+%W^kMNkqZ9B@G={@3(3R;9qw1=pK zgP2soR&yTHaqJuWTgrIJ^+2;RN!yi%?Z`lGE42Su60i^ZkxW{A^ z(jJS7JtaHKBE2Ua3KYyA+()Nsg1Mn`ub7O+Jsz%80VwUmMArJ-FS0xseGv##yiT;VHwR);OGWUd!8Ttz*;bT4Abxj{Bd; z`23g??AAY1cZI~`@E27pf768Qs(|RH6K|MDKNDRDu%I;+4S2eZ2M)Xp~v|@tDx-l)9}TaQ2)~FXUS3UC|yuiA?=s&)P!jSh-UXE zd71m{otSk=72y!~Ozdtpz4N(#N@>HcTv^1Zufqd(Zq`P!C`(?6s)T{Du@Rn3#>!?M zwZn9}%kgIB{dt)uoVdnPFn@ENCPyJVyl4trl^Cww&R)L6Z)DOdY^}K|xmF3;v{44t z2Y9sS8Q5^0n$^G3DRN1)(T_RdStzP11!N6dwbZxfi*dj>XzNbRR0KAxa7O-Cm@N`? zQ_)I74(nXShrrDE$%XIkrPA;A=USajYmF<(_k*Mx!;MaFv)J_#T3%j7*dHj8%iskmZkFFLb(abH|`3+02l z^ohR@(G|b%a}~xlM5lKi;&d{p=Ux6WbQyjs`%6goHy*uig5QTpQ+Ws=oh6>`Nn)sz zH$9U+`TW@{R1GoqI?I_rV^wM5u!1RMn-7L!GtIyG#}e9YZffP?NcZ^|^IBUg<0e5K zwJgnYzw6qvzQc)%$)LQ`&mA!Lvqh2k=K)t*srPB=J+b2UV}CNQo~@Zi`ZnFT;hB(@ zbZOkutV5X*)}mL;flQO_Z(8g{?D>t~1-t`>-Q)6!V>4f{^Z0cI6(CKzVuTOjBOuJ; zi^hY4N*b-~8Vun=Eu(nnUDX#N%tUlpcY(u$y%9`@{qyPpi1=g$jsg(j^K!pRQ`us5 z+GyS6Zk#~%AGN^$bw4V?<}t$>LqOVJr80NFn995#NK_%2*is_QdMj;UkQ8zZ^=H7- z9=5t%HdD3lWyixGh%qw-l5*gES~#8_Oncs)GXy@1H10vt-DTEmWm0B0kV}00q}A$j z99s48uqlfu4gfXkwK#6z{cK4o!e>bz zLRWLh?)7=_`;%1`7bT~Qz}Y_>e#$W<*1DdwAyP(POKvm!k^<{cd(_^R@kFRV`G%zMMC&^;fZ zVYYDZ*?N&b=*CoN2YQ(M%#ixP>#bhAV1fP*7qX=hj<60N%FqV4-Dq4LTU^+`|Kp28 zXLgN+a4HW!<<248vyc4*HZ=g_0mIL2qpYacg8K67Z-BiH%5@rBc`ZaXfy~EUhbkhC zdS_}4SQB4OckIP+C*8O?e>-AkMDDGs@Pdfsll~&O+t*R7CHor19Hu7~5O}cc0TW2K zqZaTEqJ3l1sc?TYZ%FyM*CNbLgTG0@U5@5Sq}1r@uw;J?PwJj${t!OnZ}!2#hVeJw z7jgsZ0>65n`-;azmK!FBitGfhl=v4bd_Ue5B$QCqa2cYO%ao`94UPJsUxq5@JT}Eo zPwUy6?(^8LC74fWky*KP)g#HgaL0*{iG|1iW1|W07SvO5>p7ZKXA>b$_{=n>QB^vK zdfFmujy@EwhVhifq(@%U_paZnyh8w7U8gk~lyLJuB=z{&v?}!eHV!8 z;B&8I-zSxhkNGrP3|EnBn4aCEy4~p&Qu%D3Mk2mfetM)3K@C#@cPnoP%t!$T;?H<( zHP-+;LJ`nvqeU%_N^<0k65H*$`ZxWwO^6WjxY#eB?aAg_qs>N0-dO%(p%eydINDQ4 z5*3(ojkf7>Nj@KiWYBIUoEIg8&-B_D2FV}vCC!j0a|-Vp5px;2Ua)Y?yE){3Cg*oZ zts6?Zk7{~TiNh##?m|J{8* zZ6Rr`c%Dh%l*IgEm&D8~3~L?anEY;fr@wZy+F*5&!qX6NSy6?CEVX|nTeF%j1jVzZmU|IF z^P<~T8ck$37s#X%g*sgy_;UVq&luXzQ|o(7`C8oj1dG=ec13^(r4T(|t(ADvdE}AM zZmDBK1%@+d6Ds-DkAF2 zqZ=N-NQplSP@0jT^2rwCjk8Zg&X2WHkFBhq{M4%pnbhBj-+gtDd2k%>T~718vH7%; zB%<+OW>t?0%m8G)@^fB7)d%4NjtXzd*vrw$C#*0ZvWK43nt8=9*N?qeR0<03u?TF3 z49t4`peSa$tS>c7u=F;h-J(Bj(ed0DVbXzxcnTp?Lwohvv`sP|J26wsyKg|86xTUi zuWgXv8U);5*X}E_7If6~X0~;9W;uB2Qu^Xz6HHzg+EpfDMrxnCEQZkaM_$pP-T$Rk zOznFZee_)FUmXjZ{!ihs%-qoLuZp9{`X45sr3NzS>+qJBLY|{Z>Q(1>X;YGR@ZP>n zA>L0J#T*bgxA^-L3^U_Sywf%ZZ#ZaZj(308j#er&F%|X6gr@mr^g?1g3g*xJog;es zTp5(&`tiRDTzco{n9OZm@HgFdxt#)Ic!_WBU6NHYusRKN^hAUkF`480h zYiq49439+nlerwgs%b2AHF|vA-d13vqNmACSb)k-=;6ME^GjSV^N3HjRtuWBF4rjh zNA%bs(l7wxbN|+lfo+%8_HcpSjI4NhKZW%UFr3j!4-%p z?BS}%!9E$YFusX|4yJCe`z}XuVW}}7S@G43avFJF@1>|=sIM=daGg>kmB`VZdm2wq zUji)}6A>Yy%GME-ON&3^U0o?M& zoH9qfx!VjT1n1v_cv{)=dBnQ#qu0MhQtjrJBL7coXB`$tm#up=xCBB-(8euDAUHJc z?j8slAUFhv;4TR+0fIZhg1fuBySp~lw=(C*8BdJ zvT@Ql6<>3tukLiVD=*n0cTL`>B<1z)=W8G%9vx}wQJ-30cb69MNmvCrvge8dG8BC^ zbtcA&)@Y6A_Ncd`{LK99}tcwKd2kJ|N5jw zbvS#5TjBWRe0XcOH-mEP6}7P)^5GlY@EE&w+Dc^l&nD;1&qC*HTN|#2v@2|53KmV8 zLkR9o;UQ*>@A~-!w(Twki3kYjcWezwoH=fE%ACd7{^42u+q@!6$Gqh-&cior%4wbY5QzTzlY*JL*W;B&rSymZw9)fXO9%G(I5xy~sSV<56&`WMdaP320=j4# zKcs@A8&MI_-VBL2cBFZereO27U})-OK%gTAj<1W72^Z~siIN89WyC_w$JH_c#jqdn z1slCT04a?*w~|}}wJYkrZl2F1smB$nCzlCP)A^Lyq}y%YWf$oLvQ_&RuA8==3Ku?^ ziTua!E%r&vDSUz29uSnP{LJpwVkxtrC z4>#p3Y9Q)Yhy_P|>Ih(X(H|~Uz+}*UZ#r>=lU>gHfywVHvW2@Dlwgpk;C>VEKT-{8 z^{34+%Y2YlIuEo{i!K?h~co8c_-H3wiun9B;uw6F_})emYmAzha3(Z|#=SwWV5 zFh$qFnO=WjZ=7C}3<_b}PN=FGnFEJwu>sGOz(9#}&fA-YFW6iu3xY`leQ3wYxjCe; z{&vV5Jigk6AuzFIxkFh7adtW}WP*})g(Qr&u`{hx%$JGo*-JhLL4j<@HCW--P|? zSgev;TPQ_C!@Iz!g#nGycsbgSV#e&2s$15?60u2(&x2DhfOMk(3fviz=`RzCKxmU@ zQ>aI4fZOt=0Fl(M3#j&+LVw%W=tuIuOKL|K2* z+O`&~sAxvOZR&d|fZdy1nHkAkB3JbC-0K;lR6Z0&qUg7v^6_E75oP~Uo7Ym+{{R>{ z`{NiGou01mWqDj#TYo&Mz~-6HUkXqb>%P|Ei2)TpPHhG)^p6?Q1iKMT?t}|rAom~@ zns$Fatav`h8boK3beiXiqWl`&pO5yiu7WPrbXS8yS4@f|Yj%ezVj%oE!nzxbb2Q-X zmMIki{kZfhGeh7e%F6io3Bu@JH4W?5eRi7UP zrazL!3YJ`kl+r~KYi8`DGXv2d#Y07)wlgzwo~GupqoYwwdS36Q{hy{z zV#uhII#}r+%UT^E1r}SOtXafId_7EIC4tv9uGMG}#AXgU{zPBBH=$2nl8t3H+Z9KC$_CqX&P~evOWqe zQY|2$aE}L6G;VuTDKKqADZivVfb#MQcJD3WSM7dimK$1oi!YHbzKy}$5MzmE*LU0V z=F3f=SkwKP%kEk{pvo6%_68_~rOY%BTcll0uMjFvb^zEjHoeBbPnYV6@H!u71AfL) zEP>f>{?Wkh2;vsTRSzKXl~>h=EtQj@d5d*##?SnPuG=1)gp_c)H}3YjLoLTx=NKa-8sq#mux&M^Yk1}twR0%iScySL~e+54ZTEGHOA-o3AL zZ$NixbFxj7)yfwcf+|7vNieMMvMXp*C41(tZfB`-w4lXgtHDM|3`VAfSHg7N&dpWy zJW*S?^HwG5&x6^KSHXyWDSGTH!<;wj>BD77pi<{GCVWvw+S9fzYdCy* zFItL1YbT2NEc7_uF-GdsC9Yo~@+12IqDYRS)+Qi_VI{KkFqOty1uLRZ0hlHzY8{$9 zpIEvg5@<6G#rBx3eLEdpWO2_2E{UilzbXa$-dMjU_ctqs$k#q3S+vk}7Ay!M?e_Xl z$G&q%QJ0WmfMks0bAG^)P7^SFPl97MDDk?eN$R&5pp{C0Z0pFOZ={7~Y2y(KWtOhc zi4K)jh{j1h=utAQCNqD&ZRxPQ?}*Op96h#V4_`J?2DI0>Ea5fWr@Q0H!*;^<*_}5I zNXba_oyX=O6%RYdOrZ(Ii+D?Ql-lx_tB%ZM9Uy72DmfAo6HI+Ui3^~$3*-xb+t7od zB0Q*A9Tp8K-l7`NNW$BHIo=hag3?2ybhj8=Fx~JC;gOZD!B0FX&+NuzrqKveo0F$w zc7yyDw+CBvl-D};Wyw{ob`-jbhARop8>f)m%x-7iT@dm88awy#84gwT+R$cS?VpoIkqxcWe4B?m4YzlEysD-uAI_1y~_Ock4e3S40)CFfc2`a zm7}WYK1}|4C;Nm+l1QvHqgx~1_nAW9iqyL}M_R5?8#Q4+WXt4X7W;CBb}OU`gG`0g zFhyx;(bxRUfqchv)r8__ji*X@YYtBU6s2P%dvEp!Bf~233#vK|-ex*$a+`C|H0Ea! z6how5Cy;{{#t8!a-F5CUzW}yIs;w2u!wI(Uc7qL}L2HniPCdR|`W$MxmNyh3m%4i;C?@ab1sUa2=(n2_mt@}9d}EYx!&eiu-X zd3rAddb-uF8>{M?k*VzjEaQ@L#EHE-!-DkoJ86Wj8M|7keY&)0*)75S_G&#(k3spK zJ=Qn@UfxL|9^DzXcjnNjUc#G|R;WqyvY!W%vgS+mThaRr$7k$}*rtO0PFwTSla}!y z6M(iPeQh~ALlN-PRMG%c=L^EXPhoSx$)S1X)BspG#+v2Z$L77Q$Ua26) zcklj*NBe6i?LOgCwJo_7Z{C$LVSlxvAj0bx#?9Tu`N12zBmQ%%t6?u%OASYvSy~^| zZn-BTM#Vl$jl3{N}FSNY=1KPlAuF++W6gk$h@LaF^cHUdi5=%X(>LBmU8bahT) zxfS8XT{ac>j@Y_(;W~}uKA|s|C~vlw+^_8f_$Wjd(`=laK$|{X$gJCo>yYV+@e z)Q)-dM+Pr2ko!(<+%Cz`j=1d3UtF!GLh)%qy;)2M0!n){Wx8$H8e0J+*}TSMylEOotG1!bO*q}kBmP+ zF7{GvnsWh8ce#e&WR=^M1%ZGUAEVw~4Ka%BtcUtwG$fY_2yeAhO$$OD1K& z{|lFDl^##PrkE7>d{Jv9{%BE5DTEJVKCaWWH-2U5n4a@$qLN{Li6(NcFQxmjl+HkY z<&-Vt!uUF`?h(u>MHCMjtP2xqZ%lQbwOraIVUzG<($B7!W%}M*GSBfEe>l@7#8?swym(wG@uNUpZ zxmOCMl-iw{8aR}50>@t?>nQ=IiH~BdGXnUiXGC$U&4>Y-zvoU?(qQ*COCr+sL5>%9 z;bem?Z7`K|GST;d@|PxnO$nXpbClet0aU9UF}pVsMJN8j2`q9P{lf=}YJRA5R~-kG zd;oDKCqkmT#xQf5IOtb$giFXbrQ=9}u{ns}?%h`mM+Vy#>_tJC3!B>z+Vi9;QxuJI zfDTBJ5C49tDe*vuL5Y?@tF$7vTpUY!FuOIe!V&Mi3692d)Vq7jdSVY%5%cQ z%y%Qz8R%*&*nGuDu)mXb@s4&EjtgL;mJX8l03Pr@vBH*EIF7^dtdmc3h~6%}_UI2HkniCKUjaeV7L+Ag44IEQz|H5Q0o9v&p_^&eH?5EGI= zi4Y4c;52dl_EL00w@iN13(9R&^)1|T&)>Wv#{1Dr_K;}Uf1+bNou6(b!JJ-$o|*L5 z+GnTs&Ge6e8sOtw@7N$UGx9H$tf58qmX&uv_G>`BIJ5LSFY?z`H6GmfV6~O~$--gE zZ-}aSpCfE3xnr1e;}xIF^dNB4w!yWVZcnAp7IgG0G zvE?+~)VMqfK7mkNP?O<+FeKrv5+^UE8D>PaJPy-Xu62CpCt4PMp_OApGD;Cr-5rl4 z`|8kb(2e^(q;n9<={LY%5Y;`GjQH{ zjVmBjvt}U#y#CT!s&*Dbshb{CK@#sl=`&-dw&h=%3#h8s(8BEv~#idy#5!w$otYrEk zXB8fa+PUmt`U6nUdM&iO-#NxLedJtk<(W=zK;Q$zB7DGpKXSR=*Q8JhKkk(B<6z8OD{}jXlIf1P8|~tw z;X@gFU?_KIEso}^UVNjEB=k!AHWqW5xS;9P4Dpe2t+j4ldh5kClfH9**}&g0x8$Hx zZa#9g)fX2-{dCIK7QyDl!Y4E3U4WUcVAZKsgAn-WH_qgB<6>y zNQihepN|6L+;KgGUXEZY25dcKHXT7g8k^&J_OM=L#waV#5<@wv&Ii9`+O?g^U2#!e zr{&KyS#w^=6)6&CDmQ4o|5t;>DhdV66@UKu)yay$G{f0z+Ot6jFvP0>jJMrZANa`{ z8+|2Ic-NzM3akxXX@mwN{5M2HNo+R)66R(}=X z&0EV&1rr-o@Z-veY#&S(WJN;^l|x2Q4VLPi#Fj9REiN|uM5tuM-)I^P9rU^7NXKRC zUfu&n3)gR5S??6*?|0H8Jghxs0a|AcR#WxqatPuI4-t_>yi}t5uuTna)iLQ9gfzyV^7F5E7w3x_72FMJdwhG% z*bgbL)rM}6Um=2Rq~*I11fkF1oBD7V&3|+{L#OeiW2unw)3zmS=~xaVnwp{gQ%ZfuY#-jGQ5hPsN6gOlUi9Oj6T5rd>_O49heZZG zx2C8Eq8I&|-64ef{T$NXU#olc9v*dOIwRgnI*W&l>1ms;l^1OaD#8Bt!NuW`_6`5G zidW&g(S2F3EHrvB-jn^Q5T9naAJgBCDzt*pWb2EP`1+P>{_eQV#v;spUH6CvTNkg0 zpBrJ-@c5GfXe4&jSsHck{cH{%0g)PyI*j8yCC@5EnrGEMR7y_q1QwQ&8Uy~BkI#;190N^}Mm@Qmcn&{s zC%-z+n%I}H>#!XCB6D7U>4;NTEZuNQLf{w*s)7`fHWZC$tO1V_aFlOYGt+3Co|RjW zN_uE|4fHE3?zwBD@7pPk!_hJF$K-gphG$$pBbQc<=-IwaCZaU9%rA4bSl+zIj*#>_ zuw$i;5ZW70cm;IeX-8Wl0wSWpnUx$s0ry4iuL6kb9g{`XAO3lici0Tw&1V4B9J9j%+5 zgoC%h`>*4}z`E&how~+_$>Xps>$Zir zaHB|j1%SR5P56a`gbvxeuldgwY+7R2%ns~)d%zp+k(NeV;JM3TeN5#_SJ{R zd7jUgi*hs~?-{HMaXV$lE{klWC~4O%eQ(9rh;lJAolGO>VqD0D`_qFfUw3R=O9AC` zVbXTnh>#APc&z8aFx6&gKClzi6T=%4bWRnUmmb4>#r_G=Pu#UprOS9? z>=Bkwk_Ct;cts28)8UE0D__F&is1A`@dN_^UBho73CQ$$EBC%MBCd5nlzau96uyg% zmOtfCqE-3yZ%uz_t2aI@_HiI4RDN;o4hJ#%wRZ|nUxJv07LWVBvtxhQ@E?0CNs%Jq1sF4zj<*>U0VAXMv{J z6&r`%PO$882c-b*Wx3_j{hGtaUN)arUW}9pjY{vlro70BeSTh|>jGgP^5RK+_eU|_ z!$G#@ul{jTcQtNtfg^VjaK0l0BZsW9w*(1AvU2?z976S~zwODQFxgGEqRlvBhCdOZ zO@)GkeysY&@hm2$2~6@719@k_shqkX>(1XHAu^GOn@h7B-Sp`l88<0@F7rs%L+DV( zvoyf+Zk&Ht^Iyv8)(vu)_NAahf>-?>-NZW^u}NPC{Mv|1lYy^0tr1q^>j6MeX8(=y z_hi+2)sWdHk@-8#h}QU$h0YT8;2i1ou&E$r!m@t`5&8i^P~GQ#3@E?j5-xmyeZ(hE zxP&s1BQvt^zL(XItf>QzMfpC3Vste8u>;TNqc{wc|Bqpt#%Es|k=WkDtRp;o#xEN~ zZMt+RdI7dPdx?-yXD46imJQ2L!5T16qmWarg;b0x{G1$liym{kKV7^TW>}5> zH?@)>72J)rZuXZXQf0|6a^eCX<_|AVpZM*B260wnxkSMIb6$L1GO2v($LSo}e+(u* zP#m}!o5c*y6*v7w6z}_~omgItNa*NnTX3J(e3J(fhnLT@*#AIo61#MJ9p@> zfcSqbHA=uBG!G1}Xt#JZ)lSQGuD=J}tkE1hDSStDK~A3t+}rWQOBVUBW3OsStd4IL zId0C72d)=0&IR!C{duX36N7D)tr}y|6c}!G_@E42bom7fG8BRONEn zS+RwsdB{{F{3_)0p8SxB z0G2Mmv6g&#dRkZJ6!Jy*EY^I>IV%SDaMTX{Tc`e)NBnc80k-7&P97x~K9I?X$cL}a zq08mF_K$!14F3ErwjOe;=W(^AhFA!e)0avlcpC-X!}krJzaK9((D>Xb{Lxwd@%sOd z2LH>m`0GlKFc{t4K>x)|e-vEQ5Ufsc^zF|VH}wGh;TztHdQr~55zapw{Ery_u~G;` zxtSY%E4b)Ko^Dsd5b6Px6K>ykKV9{aDwFwB&iB`r{kuy54G?t9?_!&d2N9 z{wz<}e=~ypy|ez|8~Gy=|N0{T5woZ$7%o@PIbd~8#i5d>L~M^^(mf!6|H1qlktJ4v zRpHs2@wd6@f4TqvZXR$LNw*(AYWB8=QZjpya7bO;kU2g0{ZYO$16mDWzCZ3MQsV$P^#A;zB7`Z^@2_rIHE@rkj4uF>Hw7K2?z*C$I;_GUW^DRlNsMn{_jud@7)zt zh|HIbK{%}fh((btJV2*ytt0S1umY)c54+`}L9jl932(GmrK3S$tL4TyrWG2xtMvcz z>i>^Ha0!P&c3WNdNlD-u;Oq z>ypZUb|rjHk-vOFI^#P%D%EchKbWyG@FG@9erHa*2VLMznX1a9MLl_O#ylMYuM#~; z^O2;<{29hjr;kGlNZ#TZhOfM6tR@~(HBiXW{SL-QxCLIKZ0BV8zI@4}1fHj3WKzw*dulFrM7x+2@9cD>veSE!NUfaOcoa-p6;#dEkhi(FEHw zI9Oys7&z=NFbE)+fA1p{1@`s%X4wRj`@#|RGe4ohor{kgDFyKZTaz^2-Q#BWEP5l?$?o@1%3a=X&$% zI1bG*h>Hq8T1BY2nst1q&R6Q@#hC1y%7Ec(FA?6p5qE4?C5Ph(X}h?>E(G{Ub>)8x@Rlr!*HJdrI zbEXYWSl||TAjS=Sz8-awei7^tXpaa9dKkC}+9`ALvll7lmxr`@^DA9$ZNzCj6x;FM z!9T7gD$4#47$x0}QX!eTX?ruOzsr1ye>YGsRR{anb)xTz{$eDQoa5X@siiP%4?W@O-CsFTAffB-4Li;1TeyoQl8t}NPY0QN((^cj45wNcWBjFXg z-+N4!Ia@UXKA=4YJXKgLTL0`mb^po`+U(JIr>3^}^zu%`u72)QplDDEskobEh4A(`Jrk&BB;Pb>{mri4t|0o1B9f= Ysl4>cjw7K64DcrC!_Dy$VV%p_kA> zTIhz*6TaKE-)GIcXU{k9_pG&k?3ulPB$G*IZm#RT&T^c`aol`XS5=@SyF-SDhe!G9 zrJN=n-t|5_Jdh^|5%A4tRuW=7JTjQQtgQMgSy>kKx2`t!PS$vMFFz+F5vyx$-3q+& z9g`&pdawTN{hctDbUe-HRPr&`bEsqSvVSJu(BA1=Au9vjyb0UXlxtTs;>r0`MZ)Q6 z5+g5fKu?~N^P5lL{k%VVAMMOwggj#SWQVXErpFXn|4<_5%uF7);=wEu{NoSLA{LX8p zc#mL__(`KAgfGn`w?ot~)JZcJET9rh`{@8ns+zHqO{)6UN+kK{GYR^6G7(^Gq;&IqvNFb?Na03x4vb5&CX$w3ewCxuutSAjoVO(eOFnK z!jn=YlX#1(u7Kpp@6#Esn_$t9_$^0VYfc{{6Cx$? zXihv(?(ftxn?rA4yCR&&0`TU@ySuv?ZJh$v@V-8yz|)YhwA{m!uA~eU{T}zKD&Hy2 zi}czjY0}|9qG5cZ?}Ykzj7xaNfy4*+_$-8Sf%+9B2hwCcc+?dXFoJCvz8>P)c0P52 z>w!PAsP7UNNJ~B;<_mFLV&5c`T)Mdly0-L~frz=Cfl%hjCkl=GlrQOpf(Pz1egZYf zNU7hTCF*=msxI^}*lL*Djy0Z&PMU4_ej%9z>Eq`~*`kHyK6n_Jkm0ABzwNU!WoRfwK5I?>curv2ftor%sD4efG(l z+tHDo`4)N>b>=6p9V?S6Or`^NNUn#DeNS06cDw(CkB=rPd^Y6i$EHu)U6e~w%X9~g z?--l;rLOaLxPGT!j$YwkYC7aUup}gF|Fon`a{qvohh&ySfkfrK(R=(3291=ShmF*% zpNf8Bep*;i9&#TF9<~Gr2e$^tb@+j@J0w0>e4rtlqC2ORiqn2+^N?Tj*{c^w#bOqd z2a+r;9C5u}R#b2AipMo47|XXl4^YH?d#O{c{fqNA-4u5s_av7mPpifQ&f8p-3Aebc zdFZ&(bsO_U=VgZF+)-~Se1>{~x{1<3;ZZ7Cjy|c@Hk8_ZQW_!(E6#B!xRcjtT%(O?cHn1{ z7t43w+&XeT(mHB7;&(tgI6V$R+SJ^sajDV37@+Q<2r$nuhM0R8{yP+u%#k9IOm{GM z)I>&7ZBo&XlkE4Vnv2Cn!bSV7Z@KC&z_j4^9NG4y9Yh=kM506&tc+bR zV~d7<3BXe(2D;g;XuRU`*sa;Ulq>Uj$3({b^V4lAQd$hc42otRxlhlv8{4%anjJ-L zYR8;LcB*DhcwgRf3g-=X2$xc7w2oOL>i6jvbEnw&IXEL&;4$RI<68nLVbzU>>AD*41k-w?xX$j}xX9^#&l=Gp+8@EVUAM>RHo?f=S?>}%!HR?^Bd zg^6)2XZ-P~eK*UfyeZ@9RLcN1B{Yb5F?VhiG#j7ZC)E|OYQM&H_-tDowYF1(+>RCN zn?*cDH2qNMRRPmvtNX9&9tJ5zrWlI8b16yDT*6ef4h`~7w!$?SM3Fnfw&HQO`Z@GvwUp%p_0US9aH1)_o7i&q4_FWP+CDV;wbRM*FR%ex>(@aP4u)bICsEfBpHuxfqHH z8Xu{SsSc|?JlZ@$Quw`i{v!9Kd_22@K@QyNES9gb;fdZ{)42CmS>BIW=~oT3v3&8O zR--ZPg(fx+E@UQ?))IA6G4=-IRb%}LN#TigB<>TbjIK!`qW$Ocj@o&-)%0-&JBlg7`0Atq^k-NSvmN67PmXS zo3rcXRli@ztIpTMx4C$`8D18nk*s(6dTPbQS>98g*ptSq-}B@aF`d|s;2hi^F%=sh zo1uvqMYb6FitRJacP~!0ELuVb@prGC5x3r@z1Ixw*;hA7aWfcsy|WDafryr4vd5-i z+;tjkyaUea$TZ|#t@W*y5-fElG)i-4ionbhNpCAGJMLU zJk!zL#j&})Q3E=*Y-7^oe=%dW3zeK*9@g;cKh%{i(6ZH(^ik zSQ6*N9CiENJ09<+IG29k$P+r|9VwCM_fgNV$%k%EBKvV&1$_t@qSP#>t(n2-nC_(J zG;OOce?MrEIodWNI=q2;?-ys_b6QnJf+Z6W-Y_K=MGDkk>>@b!tc{wo_56+CX>GYKAks68Gb@ChGy z-2q;Bcm!Dle|>YkFYDT0pFy5~ehjN`h@Y(~;;0N-b z0;>ZbJYZndzag)oODZ-g4;=^i1rWv&fx)dz*hQ5GZXB^&hzqUQjG8 zi+b%tFUH6h|NaR8ODfbUHdoZ|RGeTj2?x$Xb{Y5s``>cSeov$qfb-?};$ z^~BZx$RS8)Jp_@&KkA)-k$dw$kXZPHB=Ktu|B(yb;CuySmD1a~5xf6L&i_eKqW{c! z{(mM#fiScD|HJI>mCyfVm}Tj{s!e^t`d5!)d!P=tQPC>VeRNT56ukS=$24q-hdopB(%zceFzS!oDuw1IoWP{7E@WHC-a#a~Jt#LP0)(Eh`H(C^|cU z+tN3L+e8|)_;^^~uc-M~3+}fYEb5}58*zWtogifp?Na?(q7f3WTRF)(fRLJ$bJH*g z4#u74YSbE#{mXrtL5qg)pCu&74nz_gIT?oxxTT&2i{k&+FY81Nqz5bhKW~=$pPOYB z8#x?TTujEPuiJh5Uq>rFoc)4-ojQpe`#+Ao$#b^{mHPm=Et^lq4qwRpi;0;v3VPSr zIvR~v%luzUe?U{HQ=)6-p>dO-i15jRCaECPUz_@Sl{|}@@Y8zX`<4OG2mjaNrDX_7 zjCo0fdCoEeqv{?zPA+M@CNLT=wKeqIv`ejVaJ=KZI5)mn`(?(Wq;$ZhMpSHj5@)4b zs{cCCziFHoyQ78f%!wXYIaz#MqRUqJEBf@lVv830jJBM1N1he{}qir`T*36=+*z{Ns`bPnzaR-5_Ua^;Rv$s zPh2aqDSmVd-#U7}MUQz5=F#*u?WnWk%;tPrP_*A^C_w}N?<9rv*Y7rI&Ne<6l=U&v zkst0d-#A_UDvmvcl!l#wttachu&{Ih(8LF$d20STL=f2xPNSfwEvaHD(lZVV_}->i z9F{0qb>3I5HBmgSJB?H=GNRd(TkfCx_@BduTPMr1J1QS~gIeWMBg{b4?fbpAl zP`*0CBAP+4BZ3($6_&4{sSrX$sl3?guTtkSue^(_k=@q*h_WBcPqEGL?()M-=w+h? zsDl*g3w5^eoWTFLTd1x~K$+@f>qGfuLd1TCn}1OAVAu1JVM-NK2!1Qz+KMedRMpDjkn*a`!#o0baA# z<_CV<&a89{rP2!inxi!8F*}{~W=^!chJ|mD_60LKbV?OYZ2{PUAmV$;5VVIeW^?2R z5zQiGOy$*v^#g(gZfS&3k#ENCe+TG6IW%^o7R2t;T(+sDwY~e`Q%;h){TTNF^i@MY z@7b@_9QQ1l|MMLMN(+*6-uOK%OZB*Eud(Dd(1lXK(16i(K9k1rxqypZQTWbqw(Q`y zS8)UNZmRUlW6M;MXT^ zISqS_+d^cX>B6>ADPpb}lvOR8IpL#ZRVpKQ*;&;`3CN6f4C>!xd!q-%#ugH5ooA8K zGZQ6xw$*c!My}3N8o4hh8Q-KHlcAri{z*bdv*veh9nLd;=)v7*Kw%U)&t(ae)&W3j zNvZ(RKNp!r_>UrW#Og6qWz9BhnEFZDA;|Qa>Yy+Cj5!Z2ZwW>!U>4K<%1_~Maj1#@iCIbCW07d7^TM;`Q0CF{ z_u@CDv#bbde<2$^w%_l11eK#Kk#(-j5@uuhDweCWHI7LFxv*g8UQxzei>wZyibTE% zcHgBb(XelWziMaFk*xeEpdL@q81vX}`1``$ZOU7;go-kOxFVFPX3T=`dv4#wew%B)T4u)E+cwfm#U*7z*NCrI--wnxPHs5pAP>K8 zJzeqon7Mqs0z`f**?ma7U=#T=Buv5lD&U%OTw-Z)o{VAnBzU>#%S2UxZrFbhl>Z_0 zY2nhPhBX5>74E+FMA~zpdsw5B<->2ukIuQaVJGLjH_~et;0UQ%o7lTgJz+o%^M8oZ zA|)W94GpviVVZ z$f#DNF-84sJIeeiX?8_j7N0gu4YzapIbMRZCU+FSkBXp z<5^cQ9LS()(OSEaj)255C?tIpeD2(Wne>DQpX@M-ItlRTm5E4PFHlKK#H6A7dU;1` zt9OP+AgBe_kzc_PQ|I(U{@uI*SM$NJ=!Cz+)#R~c+5QSRX?dPnfk*1 zW^eR>$CQcfwO{eyR%>TnSXr&cd&Wcm#Dn@Vf&6XG*hN?HNu zTLo|D#&Z_fnbP=P>QYiR*=*f=$^U%|SyPho*fG(2EkQ5LChbqd&pj^UOgW~}Z%wVkKcENo!s%0->l__wU1t|WoRChIENA&>*0`{V>jc)qH!V&737`L2 znf`b6hSN3(s1A3mef*b#h#&MnNb6BTJa0W+3182RmJ$LQaDD^!cy8&`kW2o6 zLvr^KdHNae7t!}jv=Mu34)3^X#Ybud?geE9Rw*?7dPUZ(7yE)O$p_eI2;Alfn`{|X ziP#J{p0QmoYuc;or*4b6d0$xJVV0aeP$k;Ve)sba&NaBhi*?*IjGQVzs7R;mDscgM zCQ3sIdc*`A%lg?yrr3VVi79)y5I+Ivrrm69srbq#R*Uv$Td-=QI+qviO9-h8CkeQ% zq*`|rlVv~3m^(pwM$_4g;;GuTK5f5WUlfo#RRDq+95dvuGqjG9T#MIQ3GRrs-+W$< zcLs2kDJjCX>}d)1BrGx6fjGfU=Bv}t+Y*pMliyKK_j=BmLxhYU!#7xl8{BPu!AHQF zH`J9N;l+{|)C8QaOusS*NnmZXJ2xZZIM26AdEwUi7Ja%470Voew)IuD+09Shy}CfF z%%7)KVRcjPx0BS!?iz@A=?054ME;HHrXBS?!*|b~#{7|Cbs-C5=|+NHsiAc%?%Z*# zNUH#rDWiMC6aZ6BX^)M`@@Qv`$;zrLpAga>wZ2(?KAQ~mt!V^v!0CNazFA#9v(`Dj zMgUxX-R`TUNIO&|G1{|PK+Cti3?>5kpKMPd z_{vu$W*NTbP{r%iRsesu>-eh>hRbLIC?Kx1?|=2Z4rQ{@Ei<;i#c#Uv;_$O{4f*Cf z9hSQOcLhXT#U`%aDT0wDC~KRA3b~&nIR4)c8$82;W5tjSf8EJ@*B=ATz+BcHYwnXlabO-+8W# z_h#S)8hE-zggFWvFH|&0IJ49@eDrUN*r_{JN3~bDo4PV{PrU_j=^d;_n1VDmo9Db+ z0u%1@BWTkOmdiHj#W_=qWRnuQ?!0a)pN~(w; zlLVw<^=QDQ_I3fQqX?ZfZx+i87jB4tp^hXdtG+<-_c= zdH*Cqjj-56nxiC2M-QlI9O#1|RNd*-i+NWVL;z z#veA}3_zkgk9pqt0|Ov^P?aDTk7U4r*55jJv zzqhP6v6-cK6{rgO-kakPeUy%0qp)jO^LEUrYt-PQ_un8RgWl4rcaX46_S$Ng!w9VC zIJd*7xe^rF^`~s4Zc4NG292pc9qbB;xGO$N)c0pB`s&toySAgBzip1FkNf3hq}GZQ zfi?W3EQ$@7L6qD9C^91#-p36)W!_a|v(a`^ETZoejsRw;%k!x=(Z>$s0&Qo5t`WgO z9LmWtkg=#|zh5#k7pKsQ<;fW`LoeM%tz%Vq&!uPNBB#2*hd*i7Vep|a>%gesrdr$Z3bM2AUMUu$?eluOm4gjTdt(8mMVtR*^@i{fKFHM*i9fJk> z?o@_4hYE!j^MSOuatnp**N}omrNnpN1lrHlyYYr(YuZ3@XB#$`r-!wJt)CeITvKQA zVi8k|FK=Ix4h(tl)db8D&;aU)zd-|g<yit*$&jhS<=hYE&6RPvo_E)`H zVv%71Q*RpRZN|&5I1`cLLcFddy zqOi^BDey(dgBsR2SQA~pYo}n}CUtd*uI%N=cxS=OQ#O=xvfzub zc{J}_Hy;t@SfjO(EF@7!ucGu6GtvIE)m-RaIoFeZ`!kje>9rQ zI&t#WVh1E`+lMNl=xe$gaw=S z_q1Gl zJ+HpG=c2z?+KeuEU_!wz6O|f=B9aB?uYFTX64&F}_VC+s*2dMaz#cU?Dd_vZUagJ- z8a|@hWgcnRunj*ha=8vZ`xRHw$*@7nY3I8+oSpBDUa!5HRH=Q+;nKLp?mOoV?JTKuFps>`fVw&S(|XKP8vKBpbz{0t^-T%SQllic%`#mw3o;DS|l z*y7Y#sV_6;D$TXEVYeIdwfJh>``%=9@epMH!b6$KeL&FgA>UYO6qOhAH~ZK8i@n`g zr~d0{Wh#cY>}x*^gm-o>m}bBLVq&5 zJ1KpS@Q62kMdC;~E#phxKhSb~L12c~pUB)rkM}kE%zI3wutq)UINF&Rld>$YC+TEJ z^zjDvxyxQ}ZXnrIuAeLy^xgmbNU)n3+HCT|?Fm_|4t1ZgVlPpjL+*zx7BUcTA*a5Y z82O#@92Sxj=~i>PyM^Wt+km-26sMQ_T?jNr6pqrti@PodihuUIhc&xB5cifWM_v6B zfh;yBkPl?cDeXL7sPV$U9nM8&r`a`Pt}&bzeDmmJ@d`IJkO>Aq37-M_y~S>9+JlP6 zZDzFN#c6yXF;15CaV@nPBHS~wCzF{3E*-&gkgDU|*(suy)Bav9%(j{gFFo$%v0>qm&>+2iQEQ=q{erb;+$5k_NFpU5`k%eYzV#k_N7y1 zgZF&va6c)ewFs)CZdyTzPyyjJvgnDG2M^NHmSVQ&D9Ek!vfz_+yoS0^vX%6wUM?NG zLmp3qw<#~mup7igP2P|Q$16_Ox-wP(vwFmxQjpkP@l;IkOXxu|wgTkEz7gMhmvy!h z&VOmJa{!>~JB)Q38NR8GWex0}%-N)5b`W`f(>MIwBTpXr_CKooN#Oig6@LbMj)7w% zqh{~Re*80YE5upI2gRR{wWJ*T3&8hq7yGUdTuGtpfl>u!<3=N9(r6V~B)aW))(ytJ zzPQoi#G((0{^l&X{GO)xYk^@MZd?j0n?PU>ak09i>Uxv za6Z;g)nV!xv*+JdMj7yQuCcoON0+0I)V^(6O&CIV4;i=PKG>BM2b({o&LmQ)6)yEG zK5vrm$K`k!F>+q4afHX}B)myQ%4az}zsLS}=1Fl<&a;FS;W_shah=5V4xdR)L}0D` zSQq8Qe%A07JB53OVa-zX#&40|P*%!65Y@y{IY2 zOZ^z9H>RLt?l?RBz=SltS(<^a?ffk*v0G%pZ&Pk!?Oo~t@hxML5elj7jUD< zA*Jd|RRJvQ+fxDGsNkO6(Y^YXWU#3qz-Ib~b1J5O$OsOtY+oaj))pugy2HUOaWBq8w=?<=FLDn6IrY7L5!(xzG-CG;L^~sTH&z9If6%b{xGNu=tkN`Eo(>Rp|GPQ;|M5dm zAFaAmV8*NM20?*7HU;kY?_-NNQ(~`p%Y@FhW~A6?H3F^mN6q*2c-XEA8WlCER{T4X<`=ntwy zonsx$2q5Dq=~};1b{FJ88C9z&zRY`qm-I;Yb1@O+9jiL|N^uQPZ*j*@jjwDnwmXbm zm-+dqVNhXsJ%NyiWu@InKCe<=#T^Q#arx)2a_Vp52x4d-{tAwPEK3~?%MPLu;Qewb zmub)k&XBBy)NE;WkT)m8&w2ArE&RsUGy1FC=vGb=)!XJKBfZ&yFax;F%yCgEA3Cj8 zLrfDOcFa1m=<8I_>w|E7kG`G4z?&`pKj@OO)n~rX`5cMf1o!9E_EW`A)SiveL2@IK z$b_`systuW_YBd2MB=rwVEYBmm%rlF=JN9|#|1ZRTeOEQ1Zb@L6sZTY>RLC~)#dTy z%KQM{qw>1P+3z(MNP?P|F%N?ZkWs>zkMu2holHs+;P`osi>Jl0j!n4^3YAm2$}s_1 zP6EQ2LQhcd-pbP(nK<175ZsZ?15j7fKm=Lf6jhF%sdwj~>Dm|*mBxv?j&8j9&sQAj zv`_a$!prbc{g8+f?B1Y!SvqO)D+!6y2ly?Wtn;y(Y@j~7LS~u(jTrd3o=MWU3ucus z%fP=Oz^<5IO?&RF;JaPR@+&dwKH8Gj8M+oL8T46DYrrj!NWH9YWl+O{^{Hrcy}BU} zudy5nbR|<+>7Lg1q)JR1)r6GENi{#jdD3kgS-71PCq#gL3$sbZgyjLJCBJc46oQ>x6Y?1f`{;Ps&AY zzW77CM2ys$hQL>>ui5D~a!pcTncjaVec#fk@4V0O_pH4A0V&mKzj-!Xkz;!VFwmO9 zkj-K4-bLI&C^#7ybtIhxpQ3a%Ts_(TVtA8I?ft5~PtVq$OK{o&ZtaQ48gm#D{ z&TFc$kN`5?{=&E=;2>xq+q|n=(KO_3ovllusjp!n z!nQw(Uf*vs5US<@ggi$!#X<7#NCoOWFXmb1FvKuB?NUZrfZr|9*|?r^)+y z2x#(Do+Alr&ZVv_6GXQ6Mn0&9zxm+#D6C52>@q@6@uV#9MvKmmgx$Ku1qWa+ibE>7IRy2wIJmOW^r%$mrVqy5#g|OwD;I=t1p7N_`Fe?S1Xftcuho_xUI>+9E9M`0x2TRjHL#$06z6bR9)Ky)H!oP%`JN0_Et(g$8K|&d zH!;ic++4dx_EA;)=r@r`iSd^pf-_o?9YugBizHapfsAdP%s0Mhz|-1wZ@DWY6ZB_v zH<}|dY{IMab5?M&W+XnkHoJ(BctN+h8CJ&Tga46$-{dOSv2pggm>C-s;FX{e&aFc< z)@feg>qo)l*e&9ki*Abff=z|b!Cz?T=3@ZG6!V$AJ90|$Gl8p#?i!%z&Pd6p*qe-a zmx%q?JkQDTjru@Np9(MzKL#xdY#BLAc6EpAd{Ir_-2Hui_Mf*V2s<*gy<2(w*_AC{{W^pP?^Y?-=s z(uuMbIc8??Pr7$-`{V<91G6X%hpLFrJ$FFm5yM`b)VVz*`#9lsHDfC2wG(VbN9zg5 z0m#!^l6A0$?mo2!@(4IPS^NY%-RJtjg75z0u>!R^()aO^x=k%eTH$`j#0|V>X6$7>@&v+$BvEdRf>0VH@q-A=O$kB2^s@RIi3Rd@JWFb zztI|=G03u~|llEa6 z=XJS_(iL-UAD019DS(V&>@Q$w*5nVUfE^$11A>nJR|~0Nt2K-}trh7O*YtLb>~%pv zqS7}mp*xC!)#HsWJ!@1yH=s{&8=!js2FQ_YS28co*CQ-C%BU`|sih{l7C9qQ zI1ov8(Pj zAdQ-mXST?UR-bOiOT+{`aB0p7O@Vw2*)YptjEA7!qB$*LW-p@dZb55)R8iti-N8>v z2AbX82j9T57>KDIG;3$Uc-rv-K$=Y~_F~ZlswUu4HTs7oTW8bP>r79!%4K&k(3ef# z)oKuD4|#()?DiK%v(K4*+&d@Nt^fkiLZ+%UG}BFYHQ|G(h6Xg#1t_WNiK_Guw^2ve zemqv?-}%RlX(9Q!pBsyjcS(`UBs=w#sRAJLei%;U2UUdLQhl)CyxDZiGNstu(yhA8 z)Fc4;MM+|e_K4Hcax8l=Qz$R1{jgxOkSQS*tz!#oCQtc|259+OR}(_+1nc6{m|2$Y zf-Bs&6)UM}D3RDeV74byN3I$t{ID|xwPmbol8(6}h}skwOP{B8mFc?t-^s04()j6m zP882e%UBF-i)>Lq^Oj0;Qb2_Bkj?_~=Dq&8LMy30)Ml84Zv3z3h>h#aQgiIdS{8hg zi?F3f;A7cdgUc1Lk~g5rc3N=74?l1Js`l*geW@P4JKxObw&stRow_;NjhwY36GSV| z%`ZGAjS#nxFHls9wX?4%ln*~^#kM%^o>(K(2}c^*V@yc0xf>+YCpU#JaIP=CLCFdNxjav`y>OObu?G zM@1VW2^d3}DxYHmnX01Lng(+N%wSlE`U}TSl|)&M3K;cek)4_2#dv{2`m0F;>yuyA zMvZuxjZ56tO+23o%pk*?_~%yg_*AduiL=dI1zwJry}*~nsf1P8oXeEsnj7C-;NQcE zfP~LdY7AYK^LB`r&(Y^Ue1tNHCl}Wvr`~?9I$q1oM9;=L zJz@C7bc?WH4YT?Z`!!Siu|Z3_eQS1p(LIc11MSrs35u8|eYM@Z@Pp?cU#G7?2z7q4gWRj|&&R1=>92+PYQuyd}L$);2#uW?d%kNJf`#@X!^e7AmKT z^xE`JxW@%hGY{@}7aRc$o1$mWNUj1SmW{{9bXX0wzOM6IEa}}#H%SKtsXjnek9C1o zd2okY6{x1~xKE2MytAw_KntmSPCcU71GMgB0r*ZJ{xzqS=bh&B{wMRExMq=$iafgC zqlMp)v_GMXq}pZH8!FBpw>E~8$2yPXe4vcQ&Mx9^A(KATjDh+c3=tWUgS{M? zPMMv$zl${a+Zn_=k!Oha3Jw19fUpxu>D#lQFbopl{gDTbmhi!TNHBk+QYAfOK5Qm1 zmSqNI$80`)$)P@(*W$H3(z{E{-gwxKunJ;)jbG8eM&qwWO9DGvll1=mt3Hbzl)`DQ z3;n~J4f+5$BTzX9bN@A!~xsKlhH*4d^?daYuYWPz6me(~{Rv`K1;a9(t*etTOaPQBOav{W@!7D2vr~NFM@APm!tLkV{m{3Z(|ml zmGz?K3m3z?)aczev#U}eQ{|9oBLZtNQlgL>m`NsV9(TJhD-@^gT79@N@kU~*Le4c? z5wd^FSfP0Tv#G<%$(PTlVI`>}Sy@*F_o+HLwC?$-wiK!aV$W)9-SN1lpzT|*Dop|~g5L(Fv<)<^)oos%C~v?JRDrm~L!vAwqBy#m zaY!lkv~Wo&$yyhIb$AE3D{Rh>wvN4jL1IfmG*$JYXYKHI+tvAJegJ^^fw^4$9(1jQ zu>T(P@^BpxAnRnh$YND)(Y$9Pm?2Y65$YteZ2D#p_IbG8T%+OwkntH9C84-W?w~x0 zeY)nWely%xX?ET(TCiA$JHx^w^rr8!HT<$NG}>_I+rp~P7$_2%MC@WB(eD5qtHi$K zt=Vp6_dUjbJXk<4+qX+hIn{csWq+|D zebD8HZ_fAq^8Rl;s4v2atZeA*TwJyD#z+eGuNA(O@g6OQrn*bw-drlgAUdtaD zNF_&_ADW_h`#5A4f-cC)HIFgKaV8~_E1Rxm4QQCbMi7b{tk=qzx zLY~bB^j4efJ*TZTmO5{!z`TzfYcyfkZgJx>=v@nqaV_-V)aUD?ZZ0F-J`UN7+YMiO zyA`14IR`l1QcPQXbb6zTB&#aZNnb$icrRm4TMc;)EZ*3>tbz{GH?FO z(s4E+Cbdomn?AvAPqKvtN6DH2W16VGZm$JkfwaK^5HXE4`q?OsOBiV73raD(-HHo@ zf1DQXyERj(A=f2(S_PJBrcB`oYGS>@!!Qlad^-?^qc6kf2c_7wlzi`{%|P<&I0>Td z;-P)i24Cx`MOwUyOjX~*G+uA@s#>BDYc+|jhmJ>p!HnGq##wMCQ>6&=0497S;X8mt z%S0{!L+Fc19ALAU=sldajP7)<2>wWIeJ?ysaFD;9<)@X5db>SOtd$Yj!u07N>0}%) zPi~vBK+F*^hgP(A;GVty(HlI|u^#<)?yI9TGA2l;KC?n^9aO2lfJt^VR%sFpn%dAyeg#hAv&u@P+B3{@&- zIXBleYdN?-a!5a*&FuFjsBNz>6zu_SI)baIz$bUBT=pWSx>66-zz#`^`#rdP-^^Ti zS-+Y3ZqDCPCP?HsvaBBWg%u7If1rq`WKTrb^*}w%+{nu~n|9>sO=#&Evo`QCym=N{ zM@hWGdjJpXWC~2fjI_F=+_G7y`fYN{jNg5VJxFbg1U z_q(H+UH>5DV5{7X{I0-2p?1_7UQt-AZN6ew(dh?{Og|wVoe5DBY;M&mw-H>Zm)%!J zMk4Yk#M+}pJ$6Ks=QR+DroY0-6aUzxb_xrFt;40%b?ImQKt$qm=7|V)mDKuII#MC7 zy(C04=j8Qxe9*6q*B59Xl99YYHzCZ85qT=;XI=ppy&@Sj&;bW8APH2r-5C#;z z4G`-OC*Px7ykPgOp8;-kDktNHw|R$)`MKubfRybbgsgtqRwAz2-GD3~E9ESWnOBsy zMVt?&do75IqJX)Rlu}8IV{ zw9GlTN94AJ7%fe5PU%^GiG09qvlDIcB>Bd#TO53a5Do2-40r zGcqAWDSwP~fcllmGPA>JKo<0kK(Y0k^pUop{vx~uJ?J{#?P<%s9=m91spkmYcc6%U+b&{es1b-1wVoH=JLb)dKh6U%nrCXqECWyVqyTP{*|rL?jAr!E(-+VH`$<^J zRn50h58-X%2+r@0fQ;rQ#lmzw>Ij(ED=xL*}mb)GbWH>$Oj;QJ)w~#a_u9Kq%d?M*!>NjIeAA0Odv9 zlSDFG3lBEl{4jkT%G9{9Tk+$%3&t%Ig`N{Ev77~8U$KEz@FSrC=I1f@WvR)&`tCIx zJ8Sq@#s@#=Y2k!d@t`*l<_dpDJmCi^dEWuQ?MmW!+GL zC;iFq;H8{DbIc{Ksa+=@!CAPdY z6Sr$s6o=3N!<(8d8`{M-b}+?Udv`VG<~x8Y8`vtybio1Ly<1Z6uFCE>05DWpidhWw zGS8O^w;>)I+rm0AFr)HdYlR4g<<>jaiIiR6I@xUmVoouXx3x8|!?^>U0A(oJSrM>k zM~t>KG2XO>k3C76P!;A*b1L2`==)h9Z4A;co&{^4u`e)@J5+UU9KaQ(>=-pK@!-q2TZ;p3JY*T|@k7o~ERo`T<~$tbr67C^3j zBp<ZPeD`TYK)NORO#vUmNfa-#0;{}JAO2{5Q z#htFk5&ddBkH-#LmuTl}fVR$e-=aZaI{ktrS`e;iRfokoQ_4T07Lj0%=Ob7>TT@C4 z_GsnI8ii#4ME~`_0O**6k+u@u@q&+&6SNJe3e+<9Z0a&mPp?azF6m2>W$A&B0S%^m zT}!f0d7C)se8bu4g)7T!fGW0t{AjA5R06VTZp>0xdjdRPQsbXrS6nZHHP^IJ2KQ)# z6OW!>n<&lV@bc?^l-x-Vf|Zzg45556$6;=ai^Z$N--}U_$J0LmZ=aM~P%7E+Q8~R< zf$C$j9S`|k(<-aaX8@$%<#cW%pi2{T-Lt85{Y^@=)5UHho@Lo{6;u?s26$ecmDQTJ z{jz<-`_t2o$$7RmvStggNQnZe`3duu)#LIm;OnVmp7SaC`JR+!?pGLY+^7~}+CcBc z`R=myVo&%VjwC_0yG#hNML+m%H&dce@P)zB{Hfykxc6+Uzi(4-sTeLK3O8cg9t;u; z1{BA|))`*W;2;OmrP zpkltqPGWrl>%gEj(YI#P{xv0ErC`9+LHPH2TPL#Nt>q-Tsl1-$Sn|n1no^mdikBVJ z-SmSdWUi;i-!UC3(!W8>ZVM;nY%I}!^66zunzo%dqOd5g0-{PA{_U{|V$H3LgUIktLR0?SRtTdWqo0=fq1HEpDu-z6PugI~#y4(QoqERKfr9ywEBGRsYKY*aF zl*ewwTC(2$hZN2EDhL8NcDmMB;k-drS7SN?pM>ZevmVV;aNaSX8s5%l=k1RleNe#N zILtGaiyAhYHWKcNVoEDct=}TUZB18N!c@pqFWaszz>M{UOL8?jGDQI+j4Wg(<3mB$ zh`V%4(l|k^P~hP&(RV5{{8&%!KFPiT^GZ6s)j*+Q?wB7SWFc3hhBnfN$*AvR{&xx{ zug1?u;rU?nfH02pDU8wd(ME9Xd?okOiRGweZt{;2!-ECnE)$i-o?PbgGKpkzO1iW~ z<*-x-wQ09fyccb>N=;bNgwcu!=+(ty!GzWBlzBz&t#PVbd2hi7->+F>II{xUu*c!) zzKZ>ONeJ-Ovs>?XqfbKNyBo9&Ys6zb(}vyg=YmY##bP>to+^s0qBy@D=5eon)v&*0 zU+24b4y>kVaycK2JsMm8Nuw5#UV`Kxd-lh!jM0ML@+=*0xCC;c(P5{+lq@TvzEq58 zu_0%t(xK$oOg}SgJ3e2*Ab!HgA5Pwp_@#^kDdrIBgtdIWeF7z9L`N9sG6*2vgRipHsmLO zkhWTNcM1mPFh<=et^LXyp{7S)dNH*YH^=7Q%xm#HEpMXN9EL?1VPqv-uov<=MFGIU zn5n>zf5QJ4dv6^V<=5_w3Wz9aP*NipG)OlH2q@j%jWBe>fPjF~(%m7=Ae{oj(2cZo zw{)L1zbDQbWL?`L+Apb=E-?)QO?uNjAs}0cB8^4)Mq%jyUiPJGX+WyX3xXHtPJIO6zxtF@; zv}OCib>>uCuo4HU8kAAYUh|GImw=P+)(X5-{o|)vY5mecu@=dFCdKSauy9ERWXFF7 z+-m6YRc&O{`s653Np*yP;)#R^kV3dzo4F>_aUGY+;7twv+uG%_3*x^yOh{0X@^mXh zg-X?Nc7fnxOWlIUgbants**GbGVjU#qh*R;)`XyTQoxQBJlYnxgcRnZuwwVuaB%6R zis{`u^@IsqGLz7S_%v+YCr;l&RnjAVvoFrQwm1i?ijwJ2S3TvNIB)xNlh3aVPP*69 zD6hQu;uy6|uMda9HcONyjR-;r8K%6@)4PDCq0SATy(q*RbM!tv=!A`9qE8DDcvA|t z8U>l8{rW>V`4D2F zLLmo6F|)^u8#BbLaWHTI)T-#>wD-H2G4H7TQY9M9D~inz@|9ofPa!3FTkx?81LFBQ zL!zMWdIR&%xRVGGw0WIOevT9rWRnV^t7@8BlgjH4X?hj21~A`pl)x0FoAOEQEp64Z z1in0#z>8NV<|>40xAF4c+4=_8G{;huRiex|@^_l`M%B7>biIbAtA=Yc{>0Iq8laPG z^%;4kSC;T$ijQ(k;zf=LHLRmUT9z7SLR+ikY}m0(>ui7pxUYY!q`D=N*Ga~a`T3Bde@&VWyG!i3;lkCv_$y+M zAsxI#$6GM`6gqzs!2hqS^}+UMv~=g{h1g```cnh+!V_TXw5pzUhO1)=ROg#*ON5dT zs8y!sB?)*q&(v5o)6@n9Jtj-BZGEr`);A|mrn@jSi4Ank0xzN6SfLD4tT0LmQomXI zr<)!+ObL`^w82Rf)$<+9&&5MN%ZxN2Idq)(3xJ%OKH<0Ug6i2O`5o{7W%^EcysND( z@e0shTfkjt8Au;Q+g+s`I@4Q~OQqe9_vgN#E9959NlYD(2lgU;8E6vP>9InkzKIoR zzCKS9sa-SF%F=zSmGx|?Hv(3HEEf-kCSI1RFCY0U=OZP$;>qqTpMe%ZdQQ5ZzU|l8 zQ$MUL1DW9RbtpCFz9QeO@ZNYSbR={f2%DF~nd%MDGil{5z@QV_qfIy?PfmnsJPQB1 z9Y1!E_X949%kzSXTlF{}7u}woExY`r;6;Iy&lH_IX^6G{2rXu+Cs1AV0#a0WMdmfH zGeK`0jqNwy>6HGem_`20wP*wN>(H4>Z$*M*1I#zGW@)fRRLWUSo`7lA!N(E zyQ|Vh>Kuy%!G?Vj7==o4{n4)21^B_leI_pqRwUKEzgcXGR_JtNtAi{Xk6!xVBFj?9 z{q@c6RV5qlI-o*@u4=B!_<6g~>a{^%6qNMJsZ;oAoKxRO(##c+=sGt!FkhboNHg+?(ax*h zkxc0^*1DI%>116s5c6BaJaq~wD0K%w=93dK>x}uzo=`k5FVN_6qSapzx(whaOUz+` zjT^R2?C^7A!z2vP(nxt}6!+hvB!0X?5ipz15XEqqu|rI*^$o)W8Q1gH5`iT_KW&JD z+crI=XsvdyW(k*+-{WXV0>Q}Yd1iar;4;(6(7ZmWDd6D(T+=FFEEPJMNUdu!B>UV0 zw4T}`4NDaIEmz9h3f`f^Yo*1evJX z><~^#zbS8g5L}>RaNMcvjafbvs`K(*D2=EQvK-$Gm!W>f?=8YgDEBedj6Rn>rnQxB z8LG4E&0WtdSW-^IeElap4Ty26RdalAI{4?^2}egm^EY?VkMYEL zB!8#=w`8`y*NzLi?}d*cW$+8K7)zl%K}D2l-Y`f0bA{-mtI&7@j!mg`sE^R(cg8N9D7H{jEELE$Au(O@mm=fI`ek~#PNrTq-GGx@^>uRNeH$U(dbyu3kdzMfh7;b&Nx24Tj`~un6!w^NGmT zA^J33=tp=u7b8OZG)YyvwLux5&^d`j>+LQ4`k}Mab#XL6l5sk4&OUx!;gKI)@}%n` z+H-bbch2VH#%QAilOqo!pV=Q*HemYY8Ea|%cLqluOq#AyruuEeD64GJ`Fvv|;DIYA zll+wPj7q@FeYbXP$`13zu!E)htG<{RdbPwrh!^)sLlY@vEHAZX>~P#&R~yAGKQhm} z5vVT?quiY}ecU$~ma5eT(CGA42LkB>vS)gL!c0GH1a`So-3L6_>bps#T_@K|klV6> z<-a88@0W&)k3eI`j)W!;l-dGtq+D1oJvTx8!G|@qTw`<>qH=AAK8_O}>zB**-bRm0 zwY$MwZpBI`Fz4A$pth_?&_g9ph-#9ez!@iyeTNdAc7r)66JuA$*c<=&-02$tJO=gP zMCd&0rIEp?nx+G(~$KP@(ykj>pBhD)xT8_HQ_SVbwuodOzi$m$s2esDCyLlrp z9^s~4GlJ|oonY16_dTk$*0LQv%o+`!pG}60{hy&3|4GUEpFFB`V)IB>yG_%1u7ZB* z<1KzL>{G$oVB;w#`fwN-539jq`a~}ew(%kME^w;;Whd3O zjJD&^;POQe*8K5OQK9wKOM9v6n!6I1i~YttFP}QJ7f-{Of9CbO5L7;oat^HQd-)|l zZ0Eiu-qOQw)<|E!2VR*MvMT_i9{$6^kUaOch#=O7o1rup2l>xl!EAs>s?T-16v+V` zHnWEO<>GuZbU%dLt$BlQne6)*Cl2PXT!J}ovkKjRYae}Mh$4{Y38V@M{V9CYMP+|U zgqSAL8(-?$kKm*K^ha-}6)k490P(WuK9czI?TD&wwuoUVh?Iyu;&B~X30yFp^vexC2xVs z0kRVsXw4jQpghyTcTg>`lEH2ZcLNr7Q?P^MU-sWY9b=RSaStQ)E;h*23KATQ9)MGZ zT2rNY{&}ATiN?SChgKfIL7u8|v-g!BsRPz1#x8^g=7V%BG~P@8kXT_AQyr>N?)tUw zg;a#q@6Y+f|LLCof4nT++UY>uY6>7p&L4X~B+qff26Jz68%!5gxqD=Fcy_Q9y1F*G zO2_|FNaTGQ=bWbl@R*StUZ2jzU7g_DqgDNOw*X#xn!ZU_1Q8F#(E@$WR1tn3QJbUlmBfe?O;)p?$%ml2vnc@~G*nfC zyfB!MaS_9qW%nDa^%I|RlLm)i$B`>_ENG0nml01RjUn z1YV~Cjaqw?i9Wr78q!P9_*%qxF1apC)*NVjncsP}XAw~WO8 z3s3hiAA+Ctrq9p{A1d+>*_ot*K5(JtOju26XQGnXysTR?=lu6B{XbskO*Y736YqX+ z^7miJccE^Lmr}Qxy@cFBpK&&c9Q$vje}Of7^!($_-xFhe-l40O>Oz6FnaCnVIp8C6 z`jXUtC%G(yQa(28AJ^pJXZ3lob-qyNG*l{>ev$r6gIw?5n~eYC7(MagO*(@F>OU^( zL--Fs)Ae@8(Dx;BSW=ZFY|?4GK}3bo|My-)9_#);U)1O7KJs3<0`l%$P_|A=!D7t? z%CU2erdSho>>}lV z{`P;lYX5QT{NpM9da$}rBKN=lSO4-a0kcMKlg=y@xK9YG;mS> zd71y~#qB>=z5nS{+W$ZD^56ej{wE_Z|34Cb{6Bh|eTXqGv|#_ozWBddcmLbf`=%We zxU>Hv(E>us2|VtXE&Ol)=Kr$k{ENj7p5ToIR)j)T#VMrt-wG=GkE5LrCLuAuYZ(aP zNFq2pOuMy;WzbM;A+h2`e(pD%sG#_=A?-{$M>%o2tU!(ZmUFBO8+GiJe6&wFi11>C zPF28Zum~AmgMPGt^O-7`u-d5y8$Db=w@d!rupN`lX>+vZ-mv#iyM2({iOKK=qD;^L z(wuUE5uh2d+iVm51FW^M#7DuNASUyKPzxC$MtH1EfotkA(A2?SNb7FM%uwhcN(= zI`1Q_KCrHKet(mnTzz#L#}B#Bqpa86{FSY-f8_`Mc_twAs}DRYKa7>9#gNcwZJ*X8 zP#F1dMg=c4Fm}Jun9U}4o%cEUq;jV{MostWd6$$w2+~SKMTVKF={UteuYmBk_p1cO z(`ripZ6RENBl#>yEFE$Hg#eC2TkFjCO$jQQQ7z`G*}3s$P6SNetBUDD(;FGwRa`Yi zSFu=WIsPX%Lq1_f;uW8)%B9}zg_=^mGqgSv8Nb#GNbs!~=iQmfqm2>7I>~IAf#@Yw zFd)-r8bIj8Dv$#A*69+yO`o`{S#1r)6}qw=se)>G;MI6ty8}*bj+lH87~+w(mvGBJ z$kdV(po^=qOYqca@^n);{aTxPc_FcihRglK3UGC~AS`ng1O%1GUIbPF+?@+rpgsNd zBuKHB*o1Ex4kAAgzs^980T*ZT?i(g2GRHyTlZi37E(nFY{8Rpv%`_e)ZDwEl2GeZr zS3AxB@L2^ZI+e%_!0RFBv!!sMlBzkwu9E8W2Ihu?4pO6LvC`%ncce5y)h<8mQ5Szf zmO#;WTU7tLwKZb;89_z_2f-#cqeQ*^T&}0?_pGuW1nl9p#Z_v{^WV?MsuefoCad#L zOe;n<lO)^JFC3v!0Xs=oX`yeS|4m_h-g07xqK3;dn^B@zX z)sXZ>VI3H>9%-%sQ4mqwk>Rf*jrUIyX`lM-Dyc+YSpn5T#xd(-pVvNyf;NW-w|cGE z#Bq&p@^8iak9gx6mAzs;R};*7L1Lg0pdThukU=~`^aZP$QP;c$_oE`^lp zt`jNVKxu`0-MJ&StHO7HdHEaA0xMY6P^=4qxC7KRRlH9(fH_-V#%UXJodF90 z3)hUTs4?jP3*l3fYy!9*>za18wazM*%8$n@!`@e5S78TA_R?|$zIG)to)TEGNzwNk zfPPnHm3I8m`Aqf72UX1J9PjO+q!Qm8kXs^-66ro2>wD`Yi(~-%bJLrE*n+L*-PGK8 zk%m$Qm@ktr0dn`9xns({hp|w79U_VU#skFjC4u{B3gFu0Dys()%fq`@y=n+1K{q0wn_F4FVajakE^rK(qO|&~}OF zdf*EP0b=ClJ<+jgD-Kg+IQ7SzVh&Jbph!@+?dyL_f8O9 zT3L20OAdD~>AVInQz*2$1Kc+$HaWv-s+&zYLO4P}8**(rK~O8+W*ey-yr9;qBnGxgG+x8o0-!t2SZD8~iwNNrQJBm}=v)}3Q>GA4|iZz@5pNZkOC zphJV`NaXhqUk}V8=IQ8o&Qr-<9EZ= zcy;GJ3v6kZRb-x$cBHLg$7MT%@Y161E4r=xtURZ9Jj)S-Md?jR3{Kbb5Cf}gcWGozrH6Kqx85W+p%M)eymMd=C?17Ld6RhIkE8|EM=wq&Zun)E6_0u` zVAg|sf__6i+%PRq2_tudMvPC6_QVKWj+#bw+3Ce9T1Z-sYw~IvWfZT}Ur*Ch3-Mw< zOnN<&gO7-ngedD&A#L4OW8J9n) z?II6g=f?0kSVANLq;HZWT3u#TE%lVDLNfIa*aj>C66sIci zU33tjvPnlfesJ`sZ_+#O-W=r#wUcjwBKEcRa<{$@U<**G7#U|YokbNm)jS-Z zeoJ}=IOIg6^7n8RAX2jITEYmmJPBd0=$M?B5#b(QVepFe1X?s7PqMtHMX4H(-bp=! zoC+W19UQs-^e{dwR=-p_fpU6$_l(OBV*CwD+S;2o-0{nN$b9U@Fb*U2H{cmlkVd%I zZciJsGUgeL&BZG2A+DeX6Y=&ur+$}_OYAg}=ck4{pj0L7_1NqB&V6dHcX4QJ!nXuB z#3J8LMU+luYGV!Hn^`|}Oq!)ZkFLZp?aOjR-->}+YjW{D!f7Y zT!JjstC3Pnc6vK&AoV!p1{q?7%n{2IGehw#nsh?^_tM&`;f3Ed7>r2Zcf9L3C&)xr%CP`)8Ud_?W6zd+|At zi*dQk*ag;Z78EXaP+vY4Bj4Te)*Jx469HD_n2U*(z(#gdFQ{}Do8zUW3gXOf2c;ff zfroj)NK~KI(Szhs2fwi!jc;4fOdMn=!DE?%*n_bh1xC_7Ni4b_EUNO>ssM5jqlyT> ze0DK%mJ$q>JrB%iE_UR1FHCD)&Vj4f45$6%k~3{O@%`+|U^v`{ZE`7xgZZ+m;zZ4< zvWn~izFAKH>o|6)cEC=vNJ49O$8c`dT3wc7KdG$d)Rae8uR!Vw&-+YtJ7E=Rv{*8& z_%PNDG74JO6L2t5SC}He*IJtdhfO|+Zga9eSZp`l7|uD-meI{Rt`mf+)3m-&%jBjH#OZKL95KCbu5s>b7VS6re0Ll56xgAwE|ZW8m{ zQn`f$K+3JYdwMkbucrIqvLd6u6ka_OSSMEnoB&x5_A)bsv$UhusaUJJpFyMi#gJ7l z2ys7I0DW?y?v7UFa}7JEyb;{7sEwP9`47byalFM}gYOq)^S7 zPC&i%#tD=t@yV%Fx7CEVg;h)6!O|o!RSL9h-uwXA{vyfQI~OA}pByiray1KLIfYp0 zl=OM=ZH&KEs=V?(DM7ml%RDQsc&GCI?R^j>E|d7!J=hwaAL8#;Pu~V&Znu4T1 z&VJVlqXDKHK)7tpZ7|{zdEArg^4rZz5xS?eMidIi3+ypP;k*R~p2*_suXtOoLgxD| z7S50H7SVPD!IIM~F`@NdPn1OCMB{no$3)gFy5Nh&WD9t5%M&*nB5Nwu`ufW9fT>dZ6ew^WDMhZGvb<jdo2LpQPP+&nQ~Ha9G^oLHk8e z1{&TJFlt}ZAqbP&m_`>nxQ>y6xFMJwV_ ziJkZDSp);{Yy2bjUkdrI`zPjugXUOk?;p!OW$xRgr=OOGNLAW>iB%5I>5SdH_e#^9 z!9ScTVIr~Y(bF$DQB*{mkii^c(zEXz23gWCct7vQgk6h=4ey@qor=xvS7$bi>w2ur zp;dHi9r5R+5e`LW=S|hTP_p*U?#G$36!~&8luliPDrvIl9n#9)9=DO>2*3 zU-eJF|K=3PqZJjM1;ETj zF32hIX0i>Jk0ChlM%elV(R}^Xhr;8Yd+p&*ta4M`H@ybrSBIsToj^z8+-wG78Z}q< zLoiHi5nsfkWH>d%*Fds!{wVyMsQFCng<=SS z*lqglRD%ZrB%O-xmU*68aJ|bpz1&{5bRoiLA=S@ zxT~$vsH@7P$@{J?z=w&6RPbtFwEDOE7J=#bFyz~Ob@Me;a9qE{W{ox|-w5J)xs=ms zV7)y7PY^uZiL2WP2l}QK8ICb!b4}B>i=>brgrY((_(<~3pk*!hG`y~s9PlotkcnwR zS@#KR;~<)w z+bnR?CRwlyao!Z!xEd~jhgWj&Otrlt6ZCXNTh{a(MaQ%1^sl7F^P~_0Ia;$IZ=UF; zMo(J=jd>4b2&ILX-nS{hX8sKC&wXvb+_@d7JYzX{hg@)Ou}S*lt~(fUd^MCD4I&;& zSyk(NF7V;o$MaV`VL-62=*WJPO;sht(|skzMB<=K;NUE&#Z4H=Q66iRQx{PkxR}W4 zEeSz`M7j{=SLOWT<7`z}(mV>oIT83hH+(rh$j4bAM1V&ZUWnWRZBt)dEAyW4K;U*8 z7yjeaL&9&VRjQ_Vd1CM?M3;2JN~4VCo_@rWMLRVSVdLv$h7`(icoB_&9S!%3E;Y#& zNpN5QZsd{DqK;pHxYlQg_ExT3Pxr4Qi?dUw_YgK%w}kj@&D-#tZm}N0F*4@JW2m<> zU!foS8qe>la`%w9_g^f%>oX{)m8C1Kq^!di$R&ehFf>MCDdf|7FUpTuLa#e$eipt> zvv-GchRnr|-k?wfZNpjT+V(l$jpveZ3ate$!rd91wv}LxGA*J~-VgC=a`%1gy&%El z%u~>>A+QPz%CP`p4O)uyA%>qPBbj!VdlS5t;r_@yt;DJU$F?gM=zdmJ9 zOvb%}8z`~=48sJ)4S;sU=`1W6gUnTQ zZsWPo)xE2TDLEMLu*a9sLJltT(g!au&|D=i>y%%4oljH}Gp9`vT5H+6_bpzX678H< zX*8Ooz3(7HWChv0>#p+oLohkDqyBvS;F@?rF%OQnb_5!1exu?^7n7fS&8;rDMsb0e zwV&4Vd3Bv<<%vk+_6OAqpD=1GIhFsaS!s9%)`=I77oPVEt7oi3m*GPB8e|Y^hf@81 z3Tzo-{fa^q?|>BUeF@0vp&35LeWdb_4`}3R^XCX4qDCS#_K{*Jg9#u^_%bHvZZfv} z_3=0nZxhbcd39?{ z+pEJiaFRzX&*0aC9ic#JTg6AP?e;W1U?M)>0UDVUgy^FqJo`w0Lj-C@(8nmvQqT>E zP-~1n5S(|F?C(g%dq9zl>k=u(+c5ytNl7VQy@#NsI9ea#&!-I2Srd^h@4TC*?Kz=~ zKfg^1-n3UpTf}qON5#t53UBc?uAalBIs1H#dr@4H3xYo0c#bMapckT2fL$AQf(^r8 z8peAp$jxXWv{FG6)`zRAZP)H4Tkab6L=zd4+nuPxaZz_K^j>bX&D0pevr4A)@-zEy zM5n)G?&dQ_(txuF?aHITPZ-7JJ0zEblPQ?A*X%#(9hqf0UhrLj@z}*LilKXd_GgeR zvn~kAb@*dTCd*SvM?Lr=lUC~s&d8_sD#6H*>G$n7H1rQ|SA;ktHdfPFnky`~+n6$5 z10X$URSidQ^Hbp7izF^~Dyoc@ai28UiH1S3P2;g@8=GzzLdk;tVR%go-+iHXju~=2 z&2kAgN;@J2Nx!8A1)2?&ipwe6S8c@j?%{pWW?%cJ3Z*;L9*#9VG8*rEORrKzQWxR+ zZIfgK@x$+E);|{7bxd_82}1;w=c5Rz5;PjM)n^01wdth=4nI5SWO7W5q>R6P*pBu3%dvv(yRtOGrMj zuB z!fqZ$lom%ksi=`3D&@FNQixzTmU5CRN%RE04rrE0#if|4UTsIcSK*~`-afT^5#ECE z-In(hB|C)u0t3(zGMj5zdR}>QB7IEGXzTdUa;hfZ!EZHDzCfs8b4ze{r)KZ1mZ6uo z1;)Jw+&&gH|KdJ3D8b$lNp093Vw3v>bQZhX(fd2`z$)?QGP+X@_#mPU3rrM$;W(Aq z3D`Vxjna#y!LeMo`mL)B#+ z{Pe)fmbDjYPq9s;>Rx;+Jt(SW+fC=1Pi6iGh1%p3=uCbYME=0Fuq>`rZTgNK{j6*$ ztbp5;w7ySXi%7%x(OR0W_znf96|oo__0rX<_oGZdE#edIP}~aB6erc{u2)IiyqTnV z8O7iGc@v(n4%Gk_g3U~XMq}T1)3x^mUDs($ z1=k3JT7g*wDSf6cd02}hm84Ab#+&?!l`;uc2 zL4j>d(Y(Ed~d@?jPXojVvGjzTT+QaCR^e%J?yo~ z77+dxzJ-e_OWT1m3@>Oz&0hAwMpSmsN(}QE=5p* z9*0SiVVg4JwE7Qlu*>*PI5EG0s0fi!-^a2caZ;X;FV3l-$lGit8zRqhbc~Q7yPJbZ zRrD*!>_-V)aj{2D0qMuG2?d>AZ*_4<(*2H~-%{f4LCd!2QMY4|uzK*Jw=44kMn2Qg z#t_4nA;lG{=;#c>jO;c1y&^w3$U%sgubu4>y_(DjmAXF=&A~eKwOch4 z>q{VA3D`3D-_7ZmPsVEQO(@#6*T3D~mPARKn-};6aGkWq@QzDGceS@}B5FAN+3Xcl zk3Z;HX%ZL-#bTrinOwK_9J&VKMs}(yQA?f86F-x+G$=mp61+A&)pVBs7N!m>IH->w zkO0jPPQLEx`41R21!yL-(j+a+D_?%Hu+mhyU>C1SHXF%%G8A#b5|+O)A_#V{|NFj_ z;itI9lXj^rusTBPPYU0*lPJizjnUx!^Y?G9G=9IZ3!rNq(uxiS7En1#Klr1Z+*3U~8hx z$ry{J(l#3AKwy<}iB~lwk9Mq7C?3VXtx7b~YsEm^vD12TLP=F=P_c~cPZE^DJL~X* zNcB<+-kg z{H*}lshUr5j>WQ$ilv%MoXXw>+9DMZsvZ&=uOA@tb(|;BhZuhN*aFVEpN#73oi-~V zu?$PI{sZO-lm4&Vt-tZoUBICdbx50vLsQ!!$GA4zIt^bNHrsN$%Y*?2B2?(2?BP>Y zUAGl}NVvWW0q-$>o@Y9_Hp`6n?e%T|sdXor3K4F`|<(>WF=e;yQj*K_pB4x`0Mr zFMtKr2(RCj-+W&9$aa|C8TJE0mfkgi_|j?n5CI|k+QOV-C~0y{FKGQ6U}}fPM;k~A z%t2e6>Q+6R_29}@viYyF$Q|&ksD#Wn@Y1ZQcXN#N z{ML9k!ZT0wtvkdCN4d&cu*vL1P)I)`_4MbtRKO=?3(!3`({LkU{t;=mm45%SAyF8^ zTQ1IG%*l?a*D5`n_ns8nO>dn@VCRBN;+|h-G-%Vr%)b`C9RtyE4blgkFdOE|bvN`p zhujFV#ifadsBwlAc@k=5e)rWJn(%(>D;DNFgI6j#a-HHJ4%~< zN2$woNPA9k+OR}rGkwC1>1XxZaR2p6$&oW>zs+wVRVFNB<&61^k(RRn|ACG~L%Zv- z_O)Yl;(Y_Nv8xe^&4EM1Mkh*5uUki6Mg2y%V99oon;bxG zxiGrwGL$%(78o@OpWt+<7|jrlF@Kf%ylR~Bvo2>rnO;c$^fC8)svobhU_T-DuNNHW z9pCxz&umbrd1+$oD#$6+>{LzrhVLIx`2#I}bxTInFpK{DvbX^lW%9mFsU+cXU)xh_ z7#;yuBEx*}>tkF3{P~BZm{+6a$OE|aVhL2$Ddm8L^U^my(uk6^HRDNr=E08?UHH3a zYdWbIx*PbwIh2<2PWm)a?P8sXeSy0##n?^2R<%Xqd`5$GfMY-1{p>-rYm0*ef_i#r8Op=`)qd>`H*E?qgmk?7BuP!|GEe)D9OGJ7oq}yypVRPXYUOz`qf#Bx_-7 zoq?fw;kWMeM{^A{&A}CEz8Ks>23&OZkuVT8;&;NaMnswoPTPCMXZK{ob>Xv&-h7Ry zb1NYIrppe{nM)s)id4~ZhKOr{Ss`>n4?C*l>383O^1O=Fr#7oP1ic~e&zyoLvZk-?5(n3XR%WeOQH+>L&9HZ;6N zjyQ*z1mQbI-_$O4MMkQY_lC1UXYqPvuTpexVjnH&Hf*R=0u2v`gampp9c!<*G9kAR z*lk{-XXqFaV3m&(X-VKYYS166zZe%fmgm{)Ls+~AtE*wY&|!!svS5K>pXa!fvtK=H zX*60GIaH2&z)hgw%l0;7H5Q-5B=F!v%@EIl&2Y-En zUzd@e7Y+;03z%+ORv(kjor%jn_RPNP=`C!KpA(yD-eXB{k!6zOgYDVhVHA2g1tyq| zMESaV1?8m}^QG+haZ{Nn(IBU$S4BZ>^^vBG6=q)B>)V`@S#=^?m;fROb^{KvB_ZwGo6ZfQHpOwu3yn zc8Q%#A($)xh_RfjTkesv4>HsZjY71bl`6V8uI7Xlh#BA-+yy%A)zve5#4GOCEtGza z_sd$}H)f=_2Z{^f90XQ?Cu?3;Xm$*3DiO|t7)d@z*)}p4F=u!VQykhdx1{;m+0I;= z?`H@lP9v&AkO6(e^f0ta0Yh(n2#xVt_z1LThtL#+7aeCqa(0?8Zn7~z=65`;TV#E} z^vYIBMXU!VrSE;X=CYV3t*G}7JLSADMgkB(pB98OGFbML6o7W6J5rSLc#~KS67B@kL<^E#4s-U0(ltZB{FBkU zJPR#|>{AVw@;SY~r4sX3tVHrk_)k4b%AF-_zKQ2xWiF(h#@Fd|8wx@kv5e*)?20(d zrXPcHKG066#lReJD((s)#k93;>wt&}qv6rw6j$L_!mZrLjG7rBUV=NvQX#mJ-M?(4 zHXAu1P6^+Y4(`VUkL7_1F2XObDGeDJ+)`$4?wHTWL6-37097sSSlR=+V~Y?g*l(FM zUg{kqWC`~e7aXHt_L|H8(o1f*8T)8{6+P|i%z=G^?r#9*0I7j1cZC%V%eW67k3>ORyF+Mr;Ik_WR>M3LsXcy9Mukw;WJjVCTGjm6P(IZD` z+p|0P)a1xBLj8@KFK72S`RTWegGXv;=FwD|rm=G3Y7OHsxVt~>FN~|bAWF7+?;~iN z>rp2N^oU`}2FSEj1i49^mNgF-NKiA?IG`M7tez2RFQa z#{;Yjy8xzcA+ZCJL-%XrB)dMJXx-?#p*8y%O$ZtGlDzsC-lwte1mpkhpTnhe)h0%T1u+?Pe!Ww6- z7l*-)+gz4gNFJxOr7U(93}aZ|E&nK}@ne$e4f%odv#2~+9`K=fyL!U`G+;tXV*r(= z4m;eeP5JDILz3(z*?_5YUoiWyc$7)Hg-SX1Gai#vIf3X3EhAw#-Et(W#G_kKd7%qe z(K^o$SwBme&=2_wGLxJFfWQgN)#jz76~Ey*^WdX7thOgM8qrTBKlcB7w@!vFoV^K8 z>rOnm$SJ}dj(~nha;v2~qZ!WoR^3}q)~`ptNPB_rDdk0E`D?fQ?;xcF0|f~Z3-|yC zP^tSP6BPwV7DZODCYiL&>l4X|M8TLXmQc9dpC2lKxS(K8MieZmY&=`!GfmB6b&T0$ z$&9j(@vQ%!M&(moVrvHvxA5QYjWw!5O}!OM@QGoeedV@4$4 zr$~D}bcomz;gt;C-b6NMNR_sg%sSn9SZa7}xlvl&P|%^0@kaeA{?tT~D}c&16v)`e zx)oIG({lHFd(5Y5hHHh(Uqx?*7p!W9In^&VjuPVZ77#m#IXD+q)>Q~NX+0lbxK^J< z2+l>L;AXM3oVEqg7AC0GS<{d(&%;TfGwN0ViA0un5%#Z~8b~N|2|pndAl7GBL*q>+ zmHc7%$;^;Y{&w4~GPTAa&)K}+_o(-eBz|D{ojoI=wgI%7SHjXZ652Y*I2Ag6p&lM` zR)r~8V?f?B4^$?pL6V-qSF8s{)S^R$>9&j^2SJYDE60Js+KcVohuoFM~vWD%XOS`owCGL1C* zc6!lyTEkoXCmgS%PevZ%ao55!{0T7yx<^1ReFEYj(+(uzIB?B6MzvW~Ox#@o=Wkd| zFh0U^o7?Sq@It&G0@U89&L($wK?k&S5~4T{BEN5}M(~S>RJEWSE6=$;(#-|qwoXP*%yuHmsfe+ zs-i>}4dye56PD2~lPKT7Drnc7%RA&!?3#lg^zC_S_F3uujV@@nap@M=)1zG}q#KbA z5ZluacKtFWOj6Fc`21BPrr;*48Df5r!6rx$U7%~vQ0(gG5zFBG5|dbI;MwPPQBe$w zBPC>4{=k4Fsbhsit4iZWee$A0`d_U_GUnuF=bwKyw$7=C)AVCTf{pPWT{fO9$3ItN z3`w-oRB!4^zE@6BXGDD%Ie;fgindm(YFLNoc;U6dBmU$-4=p#~@$k|wfp-V!&em6( zN}z3TI5q$3tgUy*lZ>N}Vu}qLKDrlKU2-Q9k5t$h9jOy6wcBVVT+*GDaby%fICp6= zxiH}SqnzXS!=rbiG_!an-=S_JSE|Gi1dyEHBT$lN@%Q^~_Fdlp##~je&0=0q`CY{AN^Q)wdq!xD%;p#2-6^pr)@_AYZ*qKwPIUI=l z*v4K{>2Mt-hLX}#h1!u8DAC0|l*t~uc{@qf@fCL|(sz&D4G`)aWXxet^cRTFfvAAv z>Y*b@BUyvM9y59&XS!LC2D%2M=nJuWUT%R;%Fi}PJ})`;B9)z!T^bDxYY&*Eou{E( zH#M)rcxgjOIJ(bee;gH!5y)cQC-JN(pkF-)BCM@>*DvAL2GXT~05jS6WaSs&>}Q#`-{1I=AIPV930b^2w;R~V3A=uXJUO(A z@~Jp;GD}eM{fe`B$BKOk(X+rz92~3}TQ_tHt`~L`Zafq=G!JWNGaq%*$rdOrTx(wDt!U?DcEcU&C3Vhsq6Hufe%S7PfDYr?;OkdD-D%NN=v+f=# zbFMahor=KtcHV@m0XQMEU)JFhE>d8AnZho$^CRrLCq`=~`CS81C{R0wIY;@TF*(nP zd@Ho7y~#TnjuBe2b7!jkFt0FHv!i+`iZ;T^+8$gE;$`~`*id=xo@@mJA$6JbfudW* z6jh2IdxzJzmigd4V;B(0)&oT>b2Nw4$YNHBD?Vof4jw=yaRZwHZ2Hrnn8kMfN0DBe z@Ch(yID&!R?$`Jif}366VRrL}#nF}ob@C2PIF(zAYH-#|oT4HZy@-o~p}bm{@)58NZ{@t~#OJeeDO05DldngyALGU;A3+T6Us{%oE zxk!MBP2rCq-uM}5=i(8KNo~-&ny)|mZSy%Ulir4!8L=d0LfiNmFofT5yJC7&q|$Ob zf7zfRiYLFDo`2Jp)*Fvt9HXzTO2X5H>^+I(RMz0E3_qxf+2Hdc<(9o+yG#>2&n*NfyK9!L* zqw27_9IH#vi7%*wc|EtUG#_Eu(e#SKWQDj}jYv?W!HJ5ogK)u!H& zN6Zzemy*KV^-7@YkO~6r0{2N@Do2mRis4Z_Ko4}gDrY_SFI>|iDl)pu^I;*?#nN*J z(?9I~q@AB8dr9-8$tHN{#-*i!n?p!1Z?{%DyDEAvARfLKH&(NjWb~fQq@@RlLv}!- z<;Rd>a3FZS>6{eei0e1CVR!p{mc^327mVVJjY2{&l!J1wP!N_DHz>edIy)|Utdj6c z3Oe+I)^vNn>4}o8-vBH7W|eqJ+a=5Ix!SAl`7itpo&-i|O(^0zHVp^&m~;pfp>^e< z%S$0WnO5i4op~(Q*UqZ6aiELmoYq)Pn!7R$BM=h6N9zCj(-uUhk;jD zz^PH!25ANA++F=UAQh%OA&YugU)vfKxG)ILH7LW23WT=4TIaknAe4a5SMbKfG*AY864Hb#(#=z(^%fh-)EBT<{R z4I(DL3ZM%8#CV07OtOLjM)X&4II^2xaHd>;{?d!S-O{^tAIjRUFmvy8VfB5&hc1|) zNTOo~=*OU{hTL_$v~@s^q*DJM?EPg_RpHwA4XYq2f~4dER7z555JW^o1f(0p1xk0P zbV*4{NO#wwyFrm|q#LAbQO`MX?|bikUDy4N_Zj2*_;cnAf8c?%{TMn;oka0dVVPH~^7E)@} z9zQT0-Eb9lcA#sxs`LAIQDelu{#qAh+DkT zv9iP86=mPX)#fv|B){;lP`xZqa5uFD8rH+^gZB|=14_gsmj?9%+s{)tjxNwbfZc`# zAl4n8jC|^o`00TLvuR6Jt(iQ%L*GMuoA;O8XA~3Jz9iX~HL8wamw?wx6=TPhmxlk6 z+sS&t%4ijVW~x{w=2=KcMpn(9{#!{;4tZbSay+fJrcaHh%urk4djsINJ8(IB#tH7a z-MhS;a?5bP-W^U%B&${~a>I>u6OX0ywK;V+DjqG>V+qNvY-+iD3f-$w31Al0JE@fH z-w^s4aVqwIPWxRBsj3yr;ekxXl0yd`mz=Z7$2(ju6E#N$neBnXrt*Js`$QO>PxLqs zVq~5k2_5p(k2$V?*ESp+wn@;mn^NEH=qT{f9LuRsSsA!Y-hFnb<3&%@K+&l{dPh!U z>g&s&0~^iaPpKwP-@-5CZZ|MqD8MPx|9)ou&h&uYue9n7ED0qRT>t#U#!~u5FD^CB z-!$Z|9^w{<%9aa)}0)cxD z>7dq+`2w=hwMaDY(6V7^kP^8xo^?MiN5d3(&Qmo z-Eq3h*f)hIL5F+qVSOs98)HYvr(aL6*gOandVB~knhaXHZqhT#er|d9E$P{^`TE|Q z$N3S;E+A~JhESe0zTrZ)G+4J;gwlX+M%_5}mG)>-|Cep0-m~Nqn>9Gi?+=5H5`~%F zZ5_;F=mwMQpo-@=33z&zBj(+cpi>w=Ln2moAnqr$#wIAK+UKp$EjdVb7QapUF@{EE zsV`a7b1ff#GF$jX?fIIFTld$w9miosB3mmeAiL zQq~AdP?^X%C37CS7oxOP(6SHNGG`R9YUYJN1H9kZpif^Z8^OAnra6|Ekl+{<;ET|Z zTgm!Z8JSR8J~{9uGbhntwV9TxYKsECpLxWwL*rs6>usXyB{RHsE-rWJ8L7Puq|&SO zOUGn?Pn_QjZ1{sR8~jJ*qij?!y(>Ue{qS|){)%cR~bJf9(BsOnps$YxgVDzgD65Of==0;*O5d3w46MZ4ZZrpZ|WT)qNqLM{m2FaT?W!Dn( zc(Q=MAWYx_>O8@GY2+Gtz83GF|8hNg+Hs|%qH~*eG%9zbI$7CR5=;twWcgp z=COiWpuNqUbU^^mx_M%s*bFuU@qS|xg6g>%q%4_c+?MqV2Q^JFsIgZt@ahR6y?)rP z|64HW@A>zNgs|$Jrb!5uQFA=wCM@X@Ry5~B&j06zL%$fw?k0}Kt49eC+nxi zV?}76?hGjtR*H6#8Rg9Z9UVe&1Cu^Jv?JH=eM;!jJrhCB2~2uDhQfEVmdh|D;q#pq z2ipUG(2x;mSP6q(%Ng#V%vD_J&~3TTns~8?545DMel$5a0-J767rf&uXn{`!frgGu z3!?@v#{jOHv;Kj6Vnu`#RAu(u?>%F;)egY1S%nu1k}PdMs{77F0*fQ0Y~>m0E7A$( zU(edKez$W3{Cw7?nPL&_W9*P^n>Hg<8;+vWl> zAj~DpYO7OEm0EU-8=CN ztz+lepvYtZ4mku1rYD#ZF>nFliSyK)@tQ1_YB@_6!esuIk#}t61v3&yY&MPZv@t@) zaupD+E{y!7oMor49imZ$%79WfMIoFzX`8h9e-)E4lx3SX~$_2=NMm_NkjQnLvX_w*FM)dlmMtR5HE zTDHIvJhU=uUs2`Th!&1jQViZt$m1||m{zl#<8-J!3NCqnbalCX#rsRu8GuiJ$~I$)8@!F==(5Q)1>0RFRXaONmgB;BMy zOJ&ElUR>7`a1_P%kS-hnI-FT&Go>t`*iQOOxHGJN}F$4BEIm~Th!Hk8GU5AOOwjcGdQW!k|bozFLHNEh5GtRK~WYg7jw$3D<{AK zUb1%A*mZo!DX93@mIttr@iWibe|}1-jkotnY*%_Mgw~b81#ClICJ$D*uNE!OLyrLJ z;oXrB4&`1e+XIN{K+gXD`S*x*g-8O7mmum32i0X~GJH_C`S7Q_{dyV06a1&2#N{uT zKUs%rg|&T&-C%n<(}xwbpV!NoZw8-AZB&c2f)S|0 zd~8Uq$V{?($i7vi4*~%z{}GA0aWO>(P_NR3*h#*$n(o8qW{pTVveP5diEmW+)rHBP1O+;C6R6W1;+QVvct`&a}Eq3Y15` zi6g;knR!QN{Zzk?8hu6STxWC(xYrt=0jJxyg~q)ewryff>wX{Hl+&)Xm$){C^~iNo zz_tBJfeK9w@r7@JXw4Np#F1BczI6)3#b?36@OJ5k6UnU3JGM>kpMG+U{`lH?503{( zLlYekt`_lo{LUvkKO92ic}(k1KOO_dsBSO!Mqa73r$(>f{ts8qbJR}aUVcHZ#jZr7 zwz<##gAsk=c(a_f-AuWaKsGWt$H{bm$NamGJU4QGw#joEY?!gi+PA6rEJRQR>Ke0e zEF6Jh(A^VdeJ`+=2zNzlVbXxdV%H5uMt7NWf4;-M)&TCyxP8l52u?B3WrUD%F$sI` z0`Vt^?b!0`espDL1g{uHC{iI zyPng%=fU|R=>;lw0s=Us!V&!iYBAw2d~_(0F*C$#E}$rut>JtJZW9`X<2g8SBJsV5 zuSiuyw$bz@WJYR%vt0B)Kj?`A;m+vAsVq)1RaSvmabJ z`s>=q+<|5hs1oHpr;tjgLkM9lCtItZa zEkag+%vbXW9i7|w$-XD-ym41^<~{aKwE0VM$KlZYU!nmx3xlsC^JVCdz*xQ5i+c?-7N^2k;PLRXq9SlvbN#oKgkOgJvJRnJfI}fqw|70VB&&=SVlfyKD1Ye3~pNHV< zo-Dm!pLy-mF<@W7=J@=STiC!AlxXkvdI;+GfkF#PNk~ia-L`Wden<<5?&MQAzAKc< zpx?)kqRFi(N|I6_J?TB9HD+UOzH)OL!SH@XtkVzuM^DiTQpyyx`DU&lQ zq8$L-Hv_AgP&AGIRWHJ?@uq!1R29abNUm(&ZDuoipoN&gG zHW^{0) zeVK)IA*-NVYRy6(J$g@oN525*%Bb^CqZX2hwj(X#o&ZsqN;F4ie^hl|n1eb$i0gyl zFmj`Tu6f>~wJ3GdxzJ&uf;!XHv>AJC`qo zrC;JE`@LDX9O`{nbGiksj@Q2EocxckW(n4kKRcg1#xgIfg>+#dxRALoQ2U(L&a2h8 zFMOq8s$wILf8*OwB0?Tga!9;{;(A}%oaysIAq@1M6J{}An%lOE zJLl#j)Ra(zc_0yqsKuYOp&e@T@EqaiSkkzJeZq1cY@;#7A-L10z0&6VKJq>=X!g~n zuGSY6UUkvqIaFb)ht8a-1d}p+`9qaZ;Lvm`j9g76ryw#fVH2Jvsb*bdm|PQTpG+d! zzFk*9L(=?I5#3;n{j%%1`JypG0wZ3*MO?KEvRBbrxB1UQT3Oq`Q;)=6tY?K=41och z?U&#dBwny%IL~1*k}@ zkn<<~np-@6*Lc@((VE@a%sF=8XX1H?OUYk0N5wi!Rt`mL@E4nWC-f zbwcSQlet4X{(@xezzIB~eWL@8o%tTRBS<`|>Lpb(ARa=MU}EcO_p0w_%;O#Lo8)X| z6A{vXmvXZ0zLBx;;hFM}8X>JhB@LsCuiYU&#tzfj{Hoz0Lts7o9tofXOTE>QOiYmm z-7pS8o}P`68kM>N_kUl}%Jc`>psdW2Awy4_+~0vAKbYzDa(g`U>#p1|5<$S9CDXjd zA@wY(S4>+16uK3=5Fs@uDmmBDL|JdJc)puIf0vRW$&pz?Pkrfg@_XIqT8vvTwV9R^ zmDeK~_;C%aj&BKY54;sFl7FJxhxrU4^uM@BP0D$AzWTSYg2utRnF>6ca zP1&*L)~yBsuAc|TUXhzD(tkQ;umT=np7`n)q$1dv)jkv_47dejQnzgyXBn|}zH~_F zzhe@+NqH+%a6WD5oj?{vyep`Zzp?{IlCg}S5nme0*q8^`(7)}wo^#h8#eFk;?#WAVGO5)jd zZiU&6oqFBcMmPV6b=z4`bBMTXSomJR;AeS0I@-=Y+*NYkWWQT0VFSEw*+`V&3~Q!Y zFz;>K{DZ|C>MF3Gx*Uzu7vgtBz;*DjLUC-bl5cpT(G%`d&pmjV`5MtVnU`p(=I5)s zxw5kQWr2-)xqf^{AaP%ETl-0@o{ixdr(wWtnx}d7mKXq(eH=cclsN-#1OT$ z4_Qeo!aXkT1+uh1lO8qBh-3dgtM3uyR5?ABSMc#5HZojrFh={Gn`V1`1jq;Osf}`m zmkZm`7NP}#o>#H?Gvsautmf%2!P4~bJhY$`L`Ruy3bw49=H`nX{6W*jW0VRRc@tM0 z!N%y9tg%*v9SkiW)e#S zbg##NQ|0k*4oEpP&Nvs(WBeZQ*DhE~m;6m-FYpEZ5KvPLPxzc{P)0Twsoed~g?`KR zgAHD{ekZXtL)yA7Bg~mO17r~7pf-TVT50*LdGMkV3^+h){#ap24{=8esv!hx9^L-h zQG_J~+3s%Fo+M8r6(kWucY!e_3>Z@eGlx>i06PHf4Stn5d8k#}N~Fq}!V@j~x_FpD z?KG$rm~9GX=6AdhOi$AZ>J%L};{jR%=8Sl=R)FBimQs$kL4=5}*C`;JO&JCx^c=$1 z2j4yW$1#84bia?9Sq?JOx+yv`>upNz-pCM4TL&`o*ah#2aNrLa6TiSGM_U4NoApex z4F*OkvKS9=;y>@eEk-KvYnACrZiS9jzVs|$bbOoY_U@uGBN!;jou?)Q5JLX%++-Xo zZZqLm5sqtX{F;m{YS6wV!M5yl8Br{AsIRq4$>D;FfbzVrtUYY2r!#aX$5}52WU#+| zaZb`%*kh8vPDd2n-klEFpmc}|{5G9TCcV<2=k8e%mP{~n;b%M^;OJP{OsS&vE{u3$ zqw?U)*$#PeKWJKE(!JX#$c6tMD)I^x*&}h4d(MV9M!uT+-yz#T6Vl>0Sy1xU%ae`@ zR>!G|z-u_`js|!lbw@phGLBz>OctH+dml8imNQi&vt4)FNbIngi$2Ezl_>>3gAj<) zty8+8Kp#x#enPM2%pMfp@}UJ3$EQ*PSz{CKqoljzO6=06OoN<5zl@yz`&=4CM_{qC zyq&?J1B&9k6yLLdfEF%=U|slkWtRjK#CVC2$6(}+$Pf~?PFkDgKJOxG94?@F$MJ$OTfR@P~WO#I?F~Kg?b4Br1xv~>VTW?52##N zx?OB&KYAG6)8381BB%RyiiI_zH)XinFL8!q^kyhTxE7UE*wq>Fv9afuDYn|aya$b6^@X{A@I(t53to6|ZJoOr*DYep!Gh7k25tSM1BjjN>#N^Ra{ z@epMTMV3jYx+S?@13H+8mkUd&!e?pLNLc{EkvIaxPuw?H2@C9{Qz_2ZoITE z&0Y5tu@@APy(_;#s6GWE?Qa|&gPbFv3f22mkK%yv)=0<1gI<+7Q%i#ojXYw~TO%@h zCq$8dh{!XtT%t@d?%(qHOoQk9`DaCtJtlt+7RlYL)L_e#Fe)98pZ!@8 zzH%5(DeoDTG%>hckgu&q!?`BJ<1)c;W;@?6$)80&k@83#JRErYA0%GiI^2b@M)>1` zn6l4EhxIO}A^07AuBdNA%3)Ty98~VMM}wv+;*nxS*FRQj(Q_0a!Ir25+jz8STx*@k z*>&?ax&sbOsP>Gkk0v<3&0Fqgj7q6to`U|*yCEbnabgyWX2Ldkm!{Ri(|-jerU9>^V3cclvl zN687J<|U5E(6xuryoc_@^KF{<`zEPxaY9}RZc4*$ZommR+N6tsI^`aUGmxEBL#^Xf z&!8KL_Vbv>;L#nY3XE!4RROx)(wYLDOqOa|+@zehu@M~=Jd+M1M#zNFi;ikK&y!5n zVw|pcT8Kx#d!(b|56(^M_bxw>BEuN3kul>@ijtW%YwB04rl&Rp$N0}iq_#MS!Q98eVR_xHh(NyXky70I%0v%}KwY*H2(y3SQ1TDqQ1G%B;?Vm+%Ky_k zF}i1{U}AiwL}CBPJc9PUOCDKey5sbsT#&|>99Hns*!+Epe{U1U%{Vi1Sq?$6-68=O z)VvU>R%>7`G~JnP`tW(TAiTMHqhP~!%0m1Y*a3BWOMqqIOB}n7M;w3}Ov_2KL~dOM z0EFm{M-8a5WUH_gPESQK>8eZ8kjhhvHy#+IVsP%Rexw}o3$Uu|BbFLRo{ZJe+yK8v zRXB_6CO}zCmKd&C^SErlrdb+H=e1HgsKy~dL#6^qs)tQX&Ubp z3AOhZ*;mlAn@;ii3S)ye@%nH0jOq@W|EhAesd_&%HW<#mBP--tml@O<(46{uF!Czr z13>L**+_pLRHa}QAm!vv8xQ)&TVhB3-my+#QCEWuT0DO*_pdJp;93L?b7;a5xc?P`fmo#BCOid?;uGkld z5o0nQC^u{reu(>wIq2*4#c5C-4Jd~tO)$H<2k!iR;{W-D&II*`tnEP5)x$|7MA9)6 zkPdSJZ|xLB%=vCV?=Lt_Yk^SR zFo&xPyifnUx;v}rESOSen_Ezw!!!zbv^HQ)i5+CImI+D65;|QZumh~J8V-2-JGp%D zEQw9VCy?nQn!_<0vZ&Rn=%=)6>4+1Pz&aiPM2cBTjJQ{{D+gOMnv6O$_-2vf{`n9W zhcL+J`j5Q0x0-IFz*e5#kTx&(qdlml$5LhjW6b_r*^)40`EMjL?V*WL?%$jJyzs$J zBw!yOI@~#OG|G4RAD+ea?)L8wsPUm!V|2sKN>IIO1Dvv^XCM~WoZizilvKuUj^RP2 zlSOruKnLo3y8b`1!hhb||DAum!$yUM$W#o;N$S;7IIbrD0gS`E+uH43|9G!f?q#K?ZUXS+ zAD_FFvB~?O0A2&-Is30|VmzT-$_2z%xR!wKWLF7=T1}s#RLoHG3P;t2+7oE{3{azh z29xJ~V)ZRUaRVciB0j;?*@H|1f|%z zyUe7x|9p*~GonVRe8A-S$vL>_u)!aqXh71-Ir#Rj8%Br_Qa{*R?2fxM&3kUQ%+Lx) zI9`z}ndeAaWJNchI(e6Av1i$&$-%n!=e0q{u2ku%7@_=d&T8N2vBUheq~DPy$7OlX z;zz0qJAx;Vs7I=!_~GkTGn-ELg$t+2Z*9FuQtxoB+4&Z+zD5UP`mXf5Cgof@lxck~ zf~~!58J=oAC+aiEs7Vl)LuWD3F(5a63pY0EWEOA3uT$Y!*m&-vUivd!47T#ra#$=2HUQOe00onXRP5s#Rpq{ z6oy7yTWnW)0)N*0$DA-8CrzAgh8I7Pj2M(QL$anh*%{sX!7$<9&p_W^_P}A;n^>(g zzqp<3uGIl(WXG83?t-Fl73fTLUi`6ZSWsm##jxhO1q$rG>cD|L4GM?f^7TMt`l=dG z_&Smsu0Ute5-LfGogMrJGuJ^Epamw4 z`XzLhCje9`lA@26Qmw^Uo*3@k6pYfa?5b@CCpc?JbkJ-4^I3G^P9!T534{xYCPT*n zOjS2RRQ3eRbY?*O8;pW^z*al666~05YchQndO#Y1A^trdBOxB zRxdyY8kV~1ck8Eu-SWlp(|*ruj9oY2(_;ebEmk#10~a;p_z1D2ZoV33+@E`jI_Teo zOkPgy=(na0Yx1nghnqY$SchW1lR8h<>N-glTbD^G{@0?0(|H{q^m5&m+4{4rw6~SU zM@Z#=+o`+Yw(Q%A*2W#G@XSt1Q`OjPMmKdL4M-!9d)9$Mw>#)2g{sOQe1xPW83$k( zeR`brJ1iMlSvE0_zd7N>GZTbpy?{c_Wm>DFB&m_FU%Va?Ky zhe7jh#X`Mpn~mlUGYh4=srG}8UaPg&k!-4x;^TXpGW>jC7$f@{C*mhdn|P$~+4!## zHEo9_B0F$_9E;DmIzS3?75^L5ixN6mK3s=@Pf_XOj7vU-OdkC>P?=0Buo2@{9#IpF zWd8&grcx>$ZHYMyxa8d`8=SJM-%oH2^0FERb%_mVM?pvb4&iSv_6`hRM3!tR{-{pY z9Lu^bFm$Q|+_yI7p{;lQ#`3V?^RY$+T_sJ~W+0J04veV30$YvY2E$|0Gw?FVATS|k z-!v|E?W`Bd7WgppP*hh5l!oQnRNtxRJO{(t%TJ!49ZwjsU6*c!wcL4lb)$z<@yYtM z`^J-+P`LR#HEe%7e6oW~zaYDa5H|HQ>eHt_S;BFR9|M@V^Tl(jnmJqAp*B{pL08Hb znmc|?&C8qj%VJkde1Faax#aN~9+gdFl%*yjYNYBE64w@sICG0U-zIW@FtO*Hmt8JU zKUhm+0wMpLmNAm^i{!LiPo7x~(2BjElyuDdV$8+*J+8aH<|Gr?e2^+chal_1QaCh-`leki zhQ5|6A52@X330JXf52Q%l56Gz9(&xz1<3x6t=>^>w`r5&HsYq**R97-01-jzh(fv? z8a=C{<@6ro1Y^i%>di7*oS6%wvfVEmMVs<6U(0U}1(fmNR1~ zt>w9m?XI=2e`w*tN3cP$P!51C4fUxhZfC}%nDITEwjQhkqp_-hgS>d{k0;K{>hp{@ zrDLJ%$~HcfsUEt>-r>t;TeGcf}nvy2Yhm-|wG= z0}N^xg|3AZ4jE@Jr~`nL<}(^`{mFbFTIMuR12usY&04qu!n6R{VmT9fSxmxxnJ@)3({IHGC%0T+zi2`^N))RF&abTP;1wr zaeg5c0q++!fyHg;8L$L5n68Xy8&(Jb{jf3V;Gyx_kUMugF8)AU$#lh*^K%aHoUecs(%VJb4Zy zd**1Z`!i^qOaFZ4>O$Kyd=n6bmtMJ4_1|m;WRRs`-gyjPO^$mIX%Z?zRRe@BS52lH z^bRx(jJ-%42S?{gYH<4`#|$yo4sxT=4$#_vw*Lf9F1d*O{I!JE)O?)s?l&~=ynmXx zAQv5xy`Rb*;Qgtb+8FctB#i0fFDLAbftf{ z`umX#h`LqOUvv?6#GOsd;Fy3nrP@eY0@z)|+HOswgXH@U;L4NyrD{ zruF+&^dc4am;f@rVM)5=b*q0qB($5}c0Cs00sXa4r$sckxJ70`0+i{?OVQ5=C3b{c zC*_*^CbFU+|C>({rgFOY3>iGisJE)2RTOu3O)w|30;WjG)A+) zHF-WCMY*g=B%&M9-uLJBvyUY~VfJ=QT;sOUwft=+Y^%l6I?AJtP8OT$!udvK;rn_e zk?=7|LSrcvGlQe~^8v=zW1yj*;#mMAZUR2S0bA2<|Hspi79MiqJMLQINdZ;Kqa3A2 z=``;;913zN^g!)I3Od4S0QRGOuGKe%K+<{F85H+z_Im{i$w4bR4p`Dl_COr$p)zeOG6%rp03ApgJ1b+b1otfszU}YwBk53 zpKO`AO}Zf0GVjv&mGKX_f>DP(LTFz7HyvKE^6EUIOY5V)l>Jpvf0$oe&6p9>y!+`O z$yhrTcpPzqe(|kPTxRLj61XHhEg$<3ShelEBJhnl3=G{Uyv_<{#A|BbGH6BDe{V)V zL}7K>d~vOykm6g4P!(?T{hiDX?APbI)LKFSTA?uNg-I|4UU1cjpAtw%QXyV8y?v4= z>U&Kuuvr!%Ax)l%zQDm5a91hilo8^7kv)fmHh-XqVWX8%wXa_VV-98Q9rZVhcyl%4 zW%7s`aI50F2QvK$(%y&8!yV(ldhSM%$sLMk)hj$B7Fd2^?{gwTwsZlcq62UyRG*w`n^Z#G^!keT_7_K%=x zyHfuHU403Of7qg?TePUfRe5XYUcTT}S0t6wliXUYW^eaN-qTlCERkwsu{BLXm@@~g zXVgx=cOxuMRz-pWJ-PJQL4xi@2{Z^PQDO3I=u`~8*)mt6`uXQo=YtU4?W$1R?Y#4( zCiKj42|+*HvNLdu1-KrIE?G#WyW2T0#@yjIKfmjZ&05*G1*%NrsgUA?CJ+sW_I35` zM({e-(We#u4z zTgF=18msfpw90pred{*ta5&YxvlRxn|hkJ=q9gE799BLD_tvo)|dU7Pc@sjWNFF)xYNbhcQHAa5FL5VPyaun+_YfCIx zEv4XhB&+YBUy#+?K4L6<0YClO*c6%chCtc4G?y$jxDfq|iVS&xAW z?t^}~e)!Nb?i_w@M^>W#>Y$2XmT8%&yj$y@JJLTIqGOj&-g5jJ`T@uo4Z&^9w-4UR zOv)?{e$(bzAr9$IcxArYciS5%X{(O=AXRdLB+JqqnZ*zaJnVps#OO@e)jHx8)cM*t zhOp}0)o0eWvBt!FOmaQiei5%iU~0FFuWeF2d~=5y39f*t>fYE}Lkc%s$8mzp)_kDLelY>BShw z_3X29T+6D10m*4#Hk;lim3f`M8=iRHI>$y=wr(WEvZ+$?r+VXK7wAH{s{@L_1@pK| z0+Rneat_xm=CB3AV|TLYqOAM@u?5dbJU-VMfB)O6jJ;xT9DGtql8(;PTh3P0g-pB^YG!|AY%KRlmiLa24#Ob^C{_CyQgp8c zWaQJKQj%_*czQf~hxZ@P%e7NT>qBFUo<6yc0!Hm*LUW7w#szz2Y#jj!2HVB~3+C{M znRYFcTlon!cFNW|JnQ#CwUyqXqiU7@8g=O?Hkuzh->@x45J@LLVS6xT-1uevg&e&) zx$}&93(j?!Aod3N$V>z};y#ilpVT5?294Y}l;_*8XEDd13bT4nDmL3`3(RMI`IA7= z7B1BJ3zO6TweI6`oe7#rIw>~ih$q{}ITx}Ra)Ic)EQAPpZx9g9iQ0HF+tbnkfF-%e-v z0%n1q(GVR2jg9YQW+fXzQVqcMMZO;))V%+&6@Su%B*k#{?zw1ke;M|TgjEn0>}uUm3z3&DrX{@Z)fb4+Frg&Nxtb+ z+mL=-m~3aP;KoFyK&1?s!{-DgklEIoRze>Z1`e?cWl}u-q;rhRZ7i8!`o8To6x#G1 z^-piW;?e%}czv`D)fNJhv~$*s{*Ek4{5omQ6TqUxp?tWO*;@0reP1~ul^7M7zc#p2 z@$jqAM`T3EmrDzOD#^&eD3=^Qt%nnWc`%=g_aHgnWupz`vOIfa2&1&T&5A5-*M37gc1mbC7+5ige$-w)YV-2DUh&t6I{yqU>$ zSIXTkJvn9?Yo&1c(hM?;I2Up0y0sWa~~2bF|Hk8tJH z1)?iHKn(I)HB8?PQQv)${&v+`yQ8Bo1}`99w;!$ZBPevS8B1#-tLb1+`3w{}FOYm) zx4giRpT*!W6cOZRwHysg9V09L%q1W~UasnpXwkdN>S76 z9j_aPDP46^RL9Ub&I2xVe&3fyJf2o98*m<}1^{jEno<2c_y(mFU{vc_T)}o?T#;*~ zx(BjfB!yp}%$B8HL=2`>{*3f`Ia99bl2_R7&oQ_mL>qL>VVV3jo4<3@=Eb|?94=+V zJQjbAJWYC{k9`~e?M$+P*j?b~|0jytJm5V8bHn+b!xIW$dFlLauu_Q5TJ2!lIp?k0JswN+n?_5|0FPV~F`!mfg1`?s98WPFM&HquRrWCBFS*MbT*L2K|?5kP7Kaf0JL=k$8G==hL1$WBS>|34b_ z|4$lqqTl}>jXDk9K(s7h*4?+ZQg**h*S3vFnb-d9LaP{HOqV{2KMRnqZ1wFv@w=Nz z@Ru>|*^JlBD6+VNj$ZOF#`NS5RRa3yc@(+%dzq3xw}`dUUN+)N_f&#hp_Jf`1*)Jl zW@~E@Vs=qtXMp7`rxzN<4V|5LpIf*ntnQiTEdD20*<+e;b%^P}za+S1D1?7_ z6d1xrYYliQNi)&lQ_q#m7k!>mBaKSmMb{T}p(D|o0n%-QUE;lO8I)1asG{}GHU@75 z1hUnS$->$ywLq%`nV|KG_bxg2my~a!F0T6x82wEwcg|vVEdhSImNG5JyE!j?I5Izb7}0fgE#j) z6H=nC0V!(Br%8!ZY7YRTvR*Z`dPLK2XJQB2$Q|c{XtC|~c^X+|3h3VeLvmfCe7Re} zbluSCY^zD*%XC)ORXq^=jDHk#70SE!Pxy3ER~rax|L^eWeb>TC7>9kcj~8o(4H6P$ zveOkEtu9l4gZ3L=(C-qZaNJJn66cu>^OTkKDx_JhllrgVX@+6|p8ov^yl)1o@mDQQ zn8JWyArtaPK#$}DN+5`16UNL>lDS?fDTL}0@3Z=L`xF%0zh0tENab8HHc)?IpOF{l zAFP1DhxQ$dAdqVP-FJo@JE8&}|9%8Ubq+XK7`u8N?*g~7^ARg~16!ZjQ-_S_FaNs# zP-96F6xzl@K6((nR&6Mn$LS}ed>EFWAsw~Tf1^2?r;K>SF>!Oy%(hSu-Fw|{81f38 zI;R23P3XE!BJLCb)BYc#+>4m@48?RAxNeUF1jWZOfGq$h{+6g{PDj~dieBQIj=&Kl z0(b62g@~WQ=KFq?3_#o@JUNb?F-;OO8E=1|W1t?@RPgpYpxpHA{8{P$nh&tH3W>az;vU?=$` z9r?OdmkZc}I%J&fL74soU6NvB3%#%Aa72BY#+TwN-^006P`MzrjxagWVUVtSAW9NI zbpYh|^s9>s@y?%ZcW@^`{nXVCRNr-_ZBH18VA}9#(z0UpTPLo-#Nv^8)}(6O?1kwd z4^cR#PO+uk9*74UH=@`lg2vmoL1ru{XSkryOXoDF#il4>_yN4>K+=Csy5wIqpZWod zSAv($x}@+I$TRqIAqw0=JIqDJ?+(<8{0?-O1EaaKD0guI{>A*a25${Sgs&=nMsZw~ z%KW6+0^bE&=O5te`3IS@tDz9Mx<}?J&4tqXKiJgXmtLv--q3hULdCidq9_Bt`fTyi z?-gXJ>u}(x?Nk(_4t_o_d@@`q+9H;#2#>t_-d89?(MgX_Wtl zpZ-{Qrk^om)Ek+tF*H7s!L0+)rpuyQKE5$;#k_4yZ3(Pdyb}t#t$z1R0lECw$oH`+ z9iTq!PQWgv!T}+#HGB|=Tk~+_%Z=ge{jtYR)0cit)<7>dUV{!+gjQpwFkE zJM+U-yq4Uf{d^#}IOLeJj0&}23Nz7sWHwcOCy86xVX3#X4DHUauco|163%pJh6sxF zPVWsj!lE^NzV3REz~XG@GlaMe4|oe{PE|~@KBOx8zP$Z%w?4|XC`nMSkdfQ%-WEVq zE&^+D*|Kpy!pl4eaI===b#s%kU4%Hd;b4$aWPMFv84K4;ar*o2nc^miD7gQzQxW`C z5ZQ1<*>{8Q}@5TsH`l3wx@V=ioumHs6?w^YkrrkwDN z&rceDNw|?bo_~-L;_jnRNV0p+^IxU`IWL2^j*$@8Ug#Hq(#|lQfQ{uZ%g(aDOy<#o zn3ap9Nnn){fQPPB;mzPbBTgA*l3JL=$w|c;k7`rsL8KvG7uaZj$}E$TM=)-)Hd-m# z>R?fQeKJKQc|r9`GDJ~t-)ObC1P&_+1-@qCG-ofQ;--DSA@(lFUt+oM>=Fc`M`CNj zk&Lj4qhJ=VkIrgD3*MD}VJwl!xvlMw$gG3<;RCxVTu157?rKuH`&4V4iVxH6iEGGwo9&cr*H3 z@yG^toU_d}L3?o_W>i1im=o|9Vi`6$k)ZKlbPd{2qMO`Go_ym^K&QVrxhcTk*pGiR zTyeE!xljB!{w_r^!|a2Vn9m`p5Fxp?6STGmc8V#UHKJ=0f_~Q&TIRbqzR7nwU|0|a zM+`IqDOHX@VnJPKe$tH2NC@!*0;(ZwlOH$mE8Wd0iKtPOPejfUzY@xKHBfMK&@)x!8?lA3 z1SwUhImvPDgQW=0KcD(8Gw{xte+fIDoVm2sdbn8Y4E7qn9N}MMv|n?ColA74j)7{W5XJ z8E_3Cn>+WK&gzsn0*t@A1&{db#;Emv#BhxJ$Gz^r7B@CW?Vv0nC;(+QpCC4Shah_* zh)&5lks=~$^n2Up>;ak)Z)oG)m7Bp{Aj`5t?EZqB76p~_SQTKm-)AllGOESRvE1Cp zskuSRZRG@j!JhVp5Kh_yr;vIV_yf$60!Rvz8)dLM_JO^5d7M*!vDNDyi{@%6O@dkZ zNQRI$$1%j24OW2`aYE_~6Mv~eL&>b)5NDPxEZ>K9u~xqge)i8*d|Jb~CV(J(d+M|W z=4d%@t~S6AHv0b>;LZ{0Q_6ft@+ZkpVmG3%u~>$li)y!FHZi4-Vovnnhm0_*B(V*r zMAkont|Zt?VgNQP>YA;EjwAefhuvj8^_#7Bq)<>~{;xU!im$*D$_TF(x=khbEQ9Zt z!9-^4LfbZv;*2uj&Dm`Vu2d-IbT~We{o$&g22>?OD#ncL!#6zui^F0PT~@mYMFVdf zMwtqCpMCM6%I#hr9e@KmEbu3t8t&7OvXO0t4fK`iGzQX96<cBQx-u>uV_{?Q%N%Pw`w-Hz36qOp-KiQ-qa>E@sw~vmUi0oE3fyxxH*TIhmRe6o=-)_xw#;d=HFh+t7o?GS z3?C@geuY*pEK3YiCQMNC2*K#`|7w?%;==}{7~iZ0fVh5-nRgg3{AH;>?XU9&j9}9a z*9_zGeRYEzME4#M_X}}%L3PY8fQ$Ftl0R2)JZRddS1n`$Df66nlO<#e z_95bn?*$8L+`l|R)f26Mpx(56Sc$I-@}q`C`-3C90razRnCBld*E@-{v@{02((drh z3blFDh%RF;-8b7(*sv;^0~%&bzq-#JKAKO{-{kfT>B)>W%-K|sjep;bVvTv5!fqQ~ zn#ZR0pNwfz2j?*;uHaTE2epmm<4e{J0K(h-_UU_-2#m_QPsAZX?*W_h16A7cMsioNB>LJqIDGCOV93$aL#9WIEmeK&F#LxyRn4NSCk|WD5fZ z*-;EM)@vG!zMg`ZS%)ONx_!==dFFCv4Enpt{W7BGG(VTSg>?DHI~v9Q8%>%{(Mc2R zp7D=e_(tcn24tFq{}UT+)sq3uy&G?T&Pnf$HH*&pX;U}-_it3*qdbX!Skq2sR0$jcv0wKeyIME$YJe6a(gZd96aGui$@$W-Cky7rBXMr)ubr3c#dUVdVa9xbM5}-z2Kenr)?!MOkbxVY0gsqWWOJB(_AV z-#eZp-yW>H1hQ>b&QTm_?97gaadF$;2YWNGu>JAZt`Y{jVOiA8_E*QO!R>!)1ZS zfu=(fYnnOf^53|SJy1^sb7p!a&SFBqn3><@GUXkCGj=((g>vZb+c6HTL(=|W*w5qe zjNPqQ-yG%kUvo(1E7xdfj)1vv0qN1mKPgOrDC=h68nmrbcA%oj-4I3fSm3C9ClvTC zgycE`%UINw%1tDt1V13NNBH0T%~@Wby#`0GeZck6iwIIz3Q2a&29*1OT<+^7O>@Pn zG9g^vt(@)I2>&rQYDmyO*D&b@x|R_XHf?C?g>^@2M^ZQH#~bamXvAd`vk;d%YteP1 z2n((ipD~CMpkSlT_Lv~Z86sHisvkR}bxm*sX5-nUr)6AL}u zxNtw%Q0*oGtxMkt=n|IhSl56ia}ADSl#Sq`cnS|*)*4PcVGpXcAyuU)7KCyh3r%IV z^B75*8%?)qn6m8Qiy!m9fxZa}{QLpdnP>dSy}Z)i*xfH7uR4M$Hvm-{#~1gx1=9}b ze5;I61=R=RDx8|Kc}L!+djAiqbU52rY-vQ=bL8hgYe>*T=Ckyf22>78y9hD2Z4hu-CIXRz5V^8cA1OB<0TF5G?k*XJ8p@(`fMH-LX&6dis3E+2&iDH~-}Bsi|9XDs+&}JGvs|p@ zQa-cyXTSG5Ua@FL#j|+H=jj_}=T0p}I|%Z}WyntdO)(%0-Rxs;{rsY9?u8bL|0yCZ zig!*K#FxCCjn5pjj@r7wiQWd|Wzzi@e=t4MC7ydJs?(l=m%XB(sH-WxN^KzEFeSbe zc{KKCZk;`ZT7F^-yS!W~E?R(BIZM zn`Deo3rZp? zsU2CRB!GX-75%@o7 z?^23VyIFRMappf*DefBf+-8Q==$1fB3J-CWxzuC?%%#vR*aFYS)$XsS zSodi6EoCQ9(dJtIu)LvT2eI+}w~*x8I45g-chBn$EwPLWjX(WR#Bpd;Yf|UEpoI+x z$|%|YcI6sqo0ErAiM4)Ni~GqfMi@SA9@|MEj_5VJCuW{ zFz$YK9`}?&$y}=V1P8bq8JUYpeha}8ene66_4pLK&*cEH@QOO`py1ejmZP8VAX52C zQ-(m^!JA|D{e*RX)UK6)%miVYKc(ux;_X{2h5?4hcv6z?8K6cjx@_J^R=HJ_=9S}M z=;RXivb7gj-raX4V*od-$N;S$)%@Cfw}o)wAh(s@0Ju8NnKTRfJn2@i;srcCz;J~T5niK(KZ!8~ z8^*p>2`>32`e-#Nin+xD0QhCXGO0ZhbhV)BjOgg+o9qMlJe9k}2($YMmkC8anbu3Q zE&4ZcGRBgX;=NUrpPXRYkNheXno%2s%zOYh8d!IHe~bW3OVfk_;$)Bas6ZVTa(pS%B5zqx9k2dTmO>rji1ymbyiUQ{=eygw>dA-$mP2-~+7od@~6m!xpsP>~}qdaTzPoAsBLiiLi;iexF~Yd0pW9Fb)SV{z1<3WpXgy_&q+ zB&jM}qXY0}%Z1ZT~rHOxh98V@b(NwCe ztvxC)EW{-Nik6YOaE(@rmj)IY`{a*%Dh}0}N>7^D?-47}y$$*8mYK3=XqDwQ;Qx9# z?L_SG>~wk0JL{R%R;pdq@jxH1Taw`Cy@4Gw@s<&$?q*Pk8@ykJ%*@NtzCpdv5z_Cf z0T@eJW`IQaVjXln^H)2K1)&O~1}9xS>JAFk$GI+2ZfLX9=$Gzp17!)_Y3^${<=KuY>#&FuJWH94IaQx;-#Oe_}FmCjy<`=EZRW9e6B?lnb=$Q zS=oUN@r6y5{A*QuJEWBKh3t%X)}4=O-+!I1Ls~hwW?aWI6w>k5}>e_b# zpeFF%!;S7PUd}lp^ED)OHRAIrL5Q9SQGwv-#p@I~LLM7r^o3U&u>0(;mX!uG*Ph5s zh@U??{LD09e3Qzrx#Lu-DC$9}I$Q%EEm?40DXn3WC{oV0Q`fk~(0O?nVNaK*U)<`6 z%~gh$qvVQeP(|+pl1Z^l)VBgG6KhQ0Tiv;^orO+ToG>t1_`}G~eSM7G76p5L07?}N zFh1IG~k0gA;kX9)n z)Zz#&iC>vyKG`+z>4rX}m&qco;P_vwEE%#B7OqF#Se{U=(g^jE?}}woDuj|8XV!Bn z2arRoo-_bmn4x_WO?p9GpB_ck<;MYUMU0E(lpXrwsVVT%n6cu-S zph5o8K#y)%)34Z163x@rM$qWy3=zsht3u?Q9yeW2-rg_4U7ti~F$cshDaft&gq<@> z)oNsn{{Qj++C5sZWF7YC<91eEc3Kupc8VWJc(ItVV%f3M=F;}CT4$wMwZJ}>BSK{s zWrIc3My+96<+82(TD?~a4^7h;`LRxx%>#FhmWOt|XW8=|nDqm~4^0IKOoSN(SCV1o zeEudM>Qv1l7{YHxPG{(u`Pd?c=HLHvl ze4e8f>|Da73H_RF$evd)yuVv#+rtl05MEg;ob=HTp!rT-%0`@FkGtz6%(q5|WqXou zkLt2)5bu~2u5NoG;xL~OkZV7K;`70--b+s0ey%vz;=O{ecB)1d__n}E`cC;?0GGOfg&iA|GsJsHIIHraeSjNen)6?Q!1$+2NM2W3* z;-zY{mvKfLVa!AA(K|kgo{n> z7vI*i=^gHXVp++Jw>_rWij`VYxDD-zme&;8R<^EnSiAf z_ON%)cLXe04EVd~j^w+PLM4DOshA0h7xoW7+KgqyRnvG%Whf}0?*+D8h>n@FEHkKN zr8HW8D$-JJ^7cA)HP>(TojiM#P>q5dAtea+>@xoErvQ=LGQQc&F#Ldqt5qKB|M}BO zb|A3Bv5==wMp;?J?`DJmo%A@}E!%Th;ojGR`Xc3&>^c3e#N1GemC&$Hq2Pggo1a!^ z)SmW-%Dwk-X_QU+Ns`A#?9v=%I*Ieb!VY$0b)H0odL84gIT&I!Hd$B14|UNPf< zq$a&P6eewQ>~Vi+LT4W&?_Q*3pzx>>+ zjw^YOh_6eA@L5y{wJ3_i1Qtk7V;@X}P>Jof#{vB@o+M#RSylEuOO8$j|)@i215G^>#hT>)UGH3|^i zCDvQhRYt-PJQ9t8z*L<3+2bXeEC?xo50HP#Hi{$20 z%S|^9OV$Nm*UIgforA66!-z4d^t^j^5321@RjGP=q_KF}CjlzBCKMyfw(`bn3mh?$OVdvSq6=jN!Nl`<>YEo6t?c|>y3 zeIHuM$X({FNg~>i222g*{Dgp)L021SeRY`X3Exnt-v@RKx^c>zszPf8Kk}r|lq>}c zoGtO9h5+SW35{PiP4rf^2%vc-yFT6INx|c}H8noy)PtDMV3QLrA%Sol1owK>nh*O& zdl=0CaGW_(HioJa>m?U~U1OEDQB@?I^++p9cSw;oNREvw_T=qUEQR;8#%wx8S)hzg zTD$w&ubH+wYGTEcF(>G)kFrK^cLnVVleU1;xx`E5HsZtX-ax25@0I>9pWkPPof`P= z8)Qi0dix66d~aXkZ0DY0`XSA2_Q_=??RpWlWWn2NPB67dPF0-zrawTi*P~ZHYv?VHidZL0?5tc(VK+(=$&~!fU`p`WebLP--4|Qs z5Q+WO;(5=^F}0o1T_8{%4w{g!UjtI$&;L4MN;)(SV5WZ3irrTtVSQ$p=ctl;+FYV? zH#e-egXYKapxaK52`SqV}2~cw}A$5HexG|4)X#Ek5 z^lRTH<9jozB2g2_R}?~o-QF~)M3iTt;O)YN9V2wukCUgvZp;J0ryOqQ`skV=kq_vY zA)l1}MOR}O8wa$XhZx0Kq&(|}@?deHr2i@<`A%97iV2$RR6Njvw>6Aa>Luy-yU=6C z*a*Zq(T7s2L3WbhRy%y_-IQ>E8os8G+%8AepSoXF2Rpu8xxM4^`)u|%CF3lBjhVHr z-82>N6Y(1~T5d=v?j3&&QCao9Lnk_e8w*NpMc^C|J7bGKU5yF-tE?M)yrK-(Pt05W z+n7#b5~M|L zJ~VtBI2YH-WV(KYO0!0`l{#s7TUxJs!^J>-xHGuiKNRaAIski9%;w{)T`J1<^3&s6 zc?#doPqwR%E_DG?XS|%+QQ@SJ2@w>iYn6)m<9-~U0c-onGa3-C}YP#e)J1kuTYCX5Bz} zvYZ3HnkNwHF_%Xm*lNC`>sFCaW?)QW5=c7%LA5$@yVppZ z(sHL%r%O){(&NO8wyot%-YB{0nd|CL=}*M)7RbyJL(`0s0mxx`kxfK$IHG^eCozH))L@?uc>(U;wloBq25~Ik$kl zz|U5YvyauPGQe$#Mvqg>JfXYavM-4(qExMRklx-jY2b%~@V`#p?#BjC8qxaE+hzU* znOkiDYRF{ZL-W>c3BK6Bz?^l3&;)Q8=9b0+(mnLYS~*?L^1R2X{MX0&2HP3pZ`+6( zZY{-94Ikc?FN#?>n^`$FOuFkm*bW^Yf2TAK$t-3iWPU`4Q1!QzPn3DK)Txhtfr2mL z;;9e*I2g6RkDDrvQW)o&ZLRL5@vg88RA7~3cTi6gt1}gI=;NzyJ`x)|+FcyO@S_?F zxBonRwPlyP{pdGr(!}@g$O+(J`Ie;XpiU-zX5 z+}*tN32ap7N>Ny=eE>khl{9DSK*(F4dPT6;b)Dq}tG;-bKhqxWju&v&Mx&-m9c%NA zl)e2m8$xcgn^5l)@WQMeVnh#yzJ^AhM$iEPIip-2y*OLsn2pATr53bpxn*h55$SU= zz_}vXk*wV(d8mDZDT2ySMQrU9oIHwcL*>o%L(8mpr^61J4EsJcEVGtD+h}{tWAAg| z8_Z53cgEnb!uMh5vy~bIKqNX{YUR?xlGc4i0F&3?{m~L<;6v22iDdj(>s}bcLo_Au zf31h!1 zQB9wtx)+r(gBp32N?lKT)yr!%%N+Z6k23f_7#*&iFo;iEc?&GB_fzkdj`x4BvqEVr|;)9mAcSd6x^!2kpK-%uw-8eC6TGp*P^D<+@BYgP5orpVP6VO zfoq)@ej|Ck*0;Sr(Rb{RCR>~L-G1_8iaSDM)fpK7p5U;3K}}#jt-EuQbIQM&{PWM^ z4X%7@J*nD@KBTWQ5lGGp2#53Txz=>kU_Z4aOD)}S8T_(n?zUyFMxPZiv6@DTLRHyK zh>83sckNH0wzE<5$0Q{Ooqj4-`yp>QtNs3}--^xVLBi7`G*@`5(^$k0?@F9f+Ey)0 z!Ui|~P65p|+1!6rHF%^fXesEKYJeM9>+#AoO2Yj@en({$EjihV`%PY7d%PnS`J=XU zF{5qFL-}pkgqY!m+znCX7Q+Ffp81b4sYUi~WZ8eYOZ(tOZU(+A6DEG(3RS9HZXgCF zbbH};*wAHENCN}Ul)`sf^@rJXnhYDSbJD7lcvD+_=dqRZrP<3xkWoc7})g>FP0 zK$K@)|`JWtU z!(JsuKHL-llUf6My8j zeVbub>%;4<&xU}7^&jj3J+3e~zALP7s_cyy^(%W(tcu7h1whZ22%TA2yI^?-%>GSqqQ8`D~|_ueReV5MkQb}qcB zF9_V@<($xehze%48DoT@TZT-u-*UPyY_pj57Q z-jt9{@^Qpb(SooWkv9imlnN>t0$flNo}gmFt3!GA(CJY|AWU#3a6%+vHb+H;8zx|9 z$>Fj^ymXd`fsqTK2R#saL5TRoKX z1`$dTFtP}WmPkhq>AaeFN1O(Q?W4e>@6@BfA0{-rSfX{4CpTds9G{4rmYMt~ zw!Aeu+yt@3;8DmiT$5&bo!I|30JPWR0J&!&G@CBILm-WInD>uggxDX1iu_dJ8Ts;=^+^>}q+DG$ARy6CLs(2>*Vq5={;CB?0oALxw^E(>4 zx4pL)5WSzf!tvQ^FgmLVxPs>AkrRv1S;!~QSAMG7gjM*PfSNT*t?(&6FggFv!1Mw; zh00PCA!RMIEA#@H{^H3lXsQu!YT+~MVN8Y2!Dzi>KlDo$uC4qPw*!bsUjH4D8tnpa zy7(KgKBD`ofsQ`LEaD<#cJFA^w=TK-Dd~U?MmGDGfHaKGtrShfaJJ&(5G2~Jr$#in z#Ne4)ax1kYq2c}cv?2TS)`bY>m;pP>;9>Vt2$}y;+Dv_An6=R_2 zvVs7`(#~{@<;`2B;?Uh5g5B zP+iSzwXNdIlZW1V(9=Q_rgGBe;kVjonE`hg?E-M9HNVD+p}@YS6ePcG6LjY{^ls>g zqJLV!Zt_niL*YH81+1CZ%q0VT%}(Lo|Iz{|u;oag*K0d!=NxqkJel-zA#0&Xt&1-k zs9%lqU=mqQG0$7oy4E^*zh%m}BNSS&0o0bOfpJW>G-vgY(gDml>0DXPBqOK2-$qsP zS~7ktz+l{3Fn#MdIuw-b5*SH6AHA1N22L&7zM0Xr_UneGnETk|CF|TJycGw|t)wn1 zO;7ce9(IUD^CZ{EtDp2UU;uJZ((f@%kCkTbhC*TAH-HY_v%Tc=uN9BbJHigA?Fzp_ zZ;PcDJQ+uEXN59XVZTuBdnHOA@PSk|-_AV?qU1{P#9P&!(f*|3OatxQA4FsH#{OiG5oje10vspMipVmL*y_loM zC~`PJYZ#9Oiy>*k81a-k4Vk^V#pnrCH%e)w-u<9<&#{wkm7+^lGf^LjaP)3SFv)YQ z<*0Ha%QU7oTGuH)6vRc|NeNtxFOKmD^^&=zn8;}=uxdTfflNVPYkmZ1DA4a)qc0~k+;TfWJowuxZ8)Ao?%keog)rMEjv`;+4;0sAF`LM5{S#1K=sdLF zMkv9!hTAJ1P5P34bn9i~L*5bxkc0e~=^;^CPz~!0WqV-fLKUeCf#M{-j|`u}ry~6a zmTuKCE38Y&@BkO2T%M!%OckG=CLzjKQ0p$f!jFnF>B-W}5*uu{cOQtbI}kQ#;`sWX z3SXhTT7UdSI2>siBx)opnHObK^r<*adZAyfrpCoL25@;gFo?4%HfpTj_$u92 zG!JyN;HY} z+BA%W?PZR&m7#%dQk|;Fi`;XII$C2Y3?a;o>tP`qX<4P!Qu2eX^6S;fF!*2(Kj)Mo zR^=?ogQjY+U{VPAdB!_!wevtE;THP$}7V=R>Ps z9;MTDm^E)dqIX2kG8dXAEa~zPd-1A%gFX7u2PubO52oSh^^)%m0afOOA(XWK?k(_0 zH@qm4d)#OO^NYMN9+wMy>eEB0Kv;gnLv(J6FtzCLq6Lz@z2C0bkmPs-GahN4bpnI1 zD@ndflIhfsN=&GCn%+JCXi30C{YZDv15_SvMOAz^_V%6Z(+uYti2bu$$FYZPzguLo zcs%e`_ZY#Vt&RARAMH9Wx~de9&uM609$3aMeF3@xk3FlDQORMH9xp9e%_Y83fj6Ax zxX%=JTL?bNuC~2!`0$bb_tWo5?EAiGqi0Stl4s#0X+vREN6mtq)gs>BYkmRoWF}0% zp;&)>8bG@VXQ-|k+0u~jO5wHBS>9g-BfVVEg*0-Bs|bm#fKDbLI!QFoEmKK9a_}t` z9ThF?y+8@JT_GIqEjFg>WE$v#^c^r03}&A=bY2UGCqhG;DbP-CF~((48Z&T5!)>FZ zKK9Qzvh7a4sxRwL*QwH%*IWx$n1POr8B9q46(#oS5SSwIruEu2>K&i_8iLY;TVH1V zdko)Z!tmO`lIwp(0UCdM2cp8b5`&NVndK@6$lya6d@#5MfT#?DQEJab$ zXAn0Vb2=$}hn?eVusg^FTEX}s7T;nYZg)r46>EZ{c+nRg8RGOPSQN?5;*G5_r|T{@ zKB9=VYwvt8d0eU%ICt#o?{|i*1EmT&+HKf_O@%S}DO`53YPIPR4Q4Ef8I^uo<)$<% zXrx#5S%s=Q5lpgdbX#|Tt*A};)$&@)l1pSs9 z^xuiW$GO4}a`%e!?Pd?b_cxd_x2w80J!7=x5cfy6Pj_0Ni*StHwv-z*GZ|83@?z>XL&{1*xSDXk*6{B2a6yj2VTgTfGXu7kTBv0ma(RVj zv-)6)MlI0s{@#3QTVr&65k<1wtXOB~Mn%mx8O~%L%LZA#{i^*lu4zxBmAkLK`}UU7 z>V6JTo%N0Lip>IdmwZYU2DL1T?O!jX3-MzvhfiOxA?j9nxC)a~?AEN)4}lo0Oq2D{ zb45-RqFv7pf+xVkUTkkne9o8g{qcQFq3ctBJPF~@z=K6c_!X4x*|<_>#97p z){y1NwzI7*c?u6&o~j6kO~AoW4Z3RD%gNsAWUxK)*$VbkuNR*azwq21Z3`1SSQ}x4 zhQXSMTVj<7=uH5!;M)Xlmnq|3gnZL2hsLEOjT@VMawbYNa!q-TFoZ1P(i8nvy9Fl7 z&B#6A0bc^9^MedF5e<9?vINNpaum|ugwLoIR?yEanp(@zY|#1T;mIOmY_SgXS(`|#Bn z$aM;V&a4b|+<=Y4I^Pe94!z?GHw!!bO^^lHlBLt&t!(vktQ`LxAXc}qnik|3FqR%q zZqhS+=)Z5xL)E$&x52cp=L(v@b$MaW>r^G*Ib?b7I5?L0+Ct||4LEaq z*J#`B^*pg8FcNrYYhDnsJ@wVYaZU5wwlH@+xzTNtMH=X>srjYR|xSP z^Kc0-FI&W6uOEJ*MTNY_m^l0$(&t#MSKdT0(Cb(pu>OE?8BP;b$uuTlqSw8<*?OkI6R)(vz zHe$crR`crd+cyt_K+0+Y zHeW}BTz^WU>HgP=dtGq(Pw|>3_8l1>d(#3hX3!9@cCOR0| z)bAFFgmaHCTmm1DD^F(_yo2OEULRPznG@ChjGbi%5HK{bu~}1~rY#QuBAcWt`f#r( ztt3Tfmov?9_4PB#10KCY<7@s-`1r`>ZynRc|osST^-LHZ-h%UmoV8KII{Lo~} zNx62#txNg-qn>BT_yaMIimaZSM(gQsEQH&6O&if~EvA#oEryENz;Ex-yg&3k>;n7I zltsMClY7fsb7HP>Bv+naxbi&b{N}4%`!kg3>zi=T?JA#rOyaRGf*QBKuFGRv9_|Uu z?d#K^c{%$kKS6s}3mA!&<^@bu8q_yDh27r;ie(S7zmMQqU zNq)M2sT6u;NY&C?lKjsVxp1T4-WRX*f=g5iR08pgZ}{pWZQfgvfJ(m}hlmL%z$XvZ zH5;R)FOb89N=Tr`R9!das#FUA$ug;f8G@hU=6>+-!fqAEH? z|6VCYUP(Q=^|8fZH=@Uvtj(>j=iWSmarLoFp;Y~Q0jsJuYa=N4Dox7 zXmqo}cim(HUk?zFa%kZ(01pk(dp>MRU2t{>83`^TYxPU}*1^!Syttl^+Oi?R_*aUS z_{$XZo}G4;vNg3U8_iAp{te&Y8HQ-lf)PO#(KYky!)(4N%EaMcn}2sdZn|-0yhgG-|_~R5~qh zS-Sq=&F?D{2~@C*OOC z5I|yE+?6 zp{wmO$NzbS|E~4R(I&DUAy*Uxldh5!*vo@&1f2GFWMm)y{X3O2cN6v@6bc+qDsdo6 z=J$XhZ3t$hSnazm+pQaa2>|~mZ`xn}ZIo(`Hd{iWA_X8u8YXvA2l{Pxm8i5lK#5VW46^F2}%*t zLIVg=8wtqO{B{rJ|FQvp+e4|}{r9PGE%{j04#0Hz*Y1!f;1)o)01u2x!5Qd3X0K}j z5{~)V|2{2=BzH{zw%`Ak?*w_CqoN0);ImKh0X?Hmyd)&$I1o=tYRo&! zfL@X+5O{Sh3;ca<3&zPh_ZgJmFIad3nHvsdPXdptJLyqqinm;df-1YAl?TtUN|Op{HX zPRJsaJ)DvLcp2%y@Ky~vE)dMqa9aDDll%uO-mRy*y+>9ppY16w5dIS@F-^oYEje+A zf9mPQZGZ|_&9KUJUmK=hFP8QKB)Nq>pd-k0@cr`NAB`WYn_Nk&cVrKrxqR*RjWPv5 zcr!c32eN-CT9V?I`vhdZKdz8+7?$8CBR^KWvw&U)J>x=?5aLRSjko_y|!$P4zeDDfp}>2=`>D$R5*rfVQhq z+(g$#oDpY%I)|6!v)7JUD5a%2#XoQ_J)gdZf1w23mP_cBl72h}COduO+v^Vj{))}4 zBl6)t^;K!r;i1qFXCNKG)eWvhJqO?_u+zBqP{ivK9?v+6w^BVHoyTh#M17|M)@kE} z|HyedyJu}6n}{dH)&eW*64gwhQa%TC2_8fM*pqgcP*P)c*nN9&IUoUXee}Pu1P@G+ z+PeMhJs^9p0HK&Tx-Bfo{S)to>wTsrNj=E}pqD9m2DF@`NP33_Hz||? ztF}IUzZ($`{Bz>}slB2bDypzmOXE@41YHyis5o_i&bdQTT6O@g)MqhHZWOTZxEF>9 zfeLt3fCU*FnKuAbRKC0Os0a>OFS4##uh9Fa*7UdiqQ}ZPQJ+NK{}UH9=&ccb zk(?-dCCl))J?>wYVED=>b)7V(#eX+v{?_V1D-=|~I#-`@U;GCWmso~3q0nJz8p40# zAh3W{sbfir`&R?%Z(Wo(Z+L?0hA;i^pZhUI5KxFI1CUXpTALBq>PWowjbTUZ)X){Y zht2426qTsHDCqu`w$Tv%zb{VDbI{7_RVNtw`r!+p&=i91BxzwPm-)LiUb`f1+)$jZ zfdj8h;3A$`@nK>UfY59cwRIGt_ybP8cme%obk_c|TqId8y56ap1Y|KlLG9|~;)8|c z7GoBY$InA-kq#G-G~8hq&^~u5POn^goU_|uFiyx5YfA)(1>^~FVVoCXFHGJ>rMG5v z^nhf@5VA4ORTYUBEWu}a$R`(k_1TB_lLlvj*<+}($6m%Th^2kTcC;F9Nbj*Y1=!%K|1okj7k4FzM z&C)iabWEh~tja_ecPxLIp_BLk?NeUn z_y@_AA2+nfoyrBnx<8wnU456MNnA2^dfA~O0cpaos9l~pc87?G{C>&u%ZFCBbArIq z1bI)6A{Sk2hkAkpoz=_+Ps9^R*$W#s#J9cZytRbN8GS#%E49+0ZQrvPwi&GuwJkB} z^m0NX)oqdFye#MP`KjBWuTp`R*5GwO^XwJ>IF6H}dYBFF_syDFEM6BH4BX};IAx)b zj4V-K7N1WqM-c+4b+0gBHC_N6J3l%Gwd4vvFFmHa(2D~gE?(r2!>SIOVOlLARquVMoe*N*>SBGIs7=?N3xR&P z9nDW$0*95mm7$D1%u+wWXuj5V(qrP|Qy*C`kOD^B81OaLJ6JKR^RFV`gXo@^>bw?3 zMd&5jX6S+q*N7fVkux^n{FV>i;+QF~1`NWx@CmNdB`eUX2)+{Ue*;b7SL${FdGaW>yh@%O7#i3zd{Nphd)?W zB+wtpexI*~SDUWg?O~NGh8;zc%-PBjc&yQQX~-RJ_k}_MaWq#55aP`5)e%_QZ(vH74H7V`zPa4LYWCyJg)Tc$s!1DfSyMho&;$&BTK*nBo6~gSTaH)B_C?P zr^^isiM(a2vt)&P&gLI9?QU1qSOg%mQF&L-uo7q>8D}gC9D85GhQX$`C0J&}znPJ@ zi~|GKe6;c-(=5ZN09K9qD7t*MK@&`>&3n5VpJh{wv4es2GAHC5h+;@n<31;b9n?gU zb(Ab8Nl{0RZh^E_!(BXgtg2!Y_WrCSxlu|qrrw%*&eytjQjT_f@mH;8wqTCq(t2fF zN>U3Oaowk`DT&s^QDd`-^}2%)3!WUS5aO!gJ;iX5GWvY^?D7sjqi+E`nk`!8=j9sp zNEW4u-J3QjdbAHSX^&1hu`a-nIgB+qVGqk)2+Jo3pq?rH!=>*dGf@w7?mmPoB)wws>y)uG%EBw6Q2o#HyrtOiEs4UlmjJR6hs z)$pB;M@Z1}8wDcz$g&=j^>0a*k>pQbJ?H7n$uEzOolE0aV+8wuyXpn|8DKBgV`f@> zWge_5;b80bsYZG@rPPNK^&L-!ZtPiLCp&E8D+_sOs@nAln#R;sVKJ7qkz8d{l`UD5 z%*%J@CP~n8ULDAR+$8z02Zgvcjyw$skX)*5k0;_-+ zT;sDGzUa`RTzk<7Y=g;`6_H9K4e9;nhLwkHO;3q4Jw zXF)ny*1qK-k|!QA&s%J%w79$PdCg$l(8`*+pN+g9C2y{kiY~1_196jCDO=)%NlE27 z;h*Jx5YMGnw=ka68<&G(uh?hlz8n3nUFVd|y6)F9v)*1SMn95R>qy@_egjH}_Az2h zICJerVJc(NJlEvQn@d%iycZh-2hwuI^iD%D&62*npL_{xaf(L72w!(&=3Chr@i7sR zMkvaJt}xYQ_ESUA!!6;m?Vj?Iuc9dV)7DM&87oHu1VJ085UvKqk|<<2t71=pKgWC+ znqH?d)D|!H5b?=}&^pAY^ib%{Ig;j0oiXJ=*VQY}A5&Z$uW`1g@qUP(@m~Rbs4@9B z#!!^w*SA;E>yQvpmHEptbTP6*Qqz2z4!Gn(`vaK$p^L*wFKCjK02jbIk_T>p(_DsU zJm1=$YWxhQ)3IqhHkuJ$Vi#dbn|L8qO0+v{#CzmpXAd1${d=Km)K=8YifV27Oy)4fsG_+~~h*>&- zRnyR#9on&`slYRUGK2tAYTw4)@6QQ3qVrM!;3j;S{389DUW|ECU?sRLu4n$c1UGw% z;&2EX5tDcj5z1_d6JmMClpvW)@}y)+hbaHxO3#?8skrSdL&G&|;5c#muR79_?oFfA zL%XX&miIpS8>iA2C(T8TuaM^&+fFdVdY%!*+O9)t)ID&g-k6x*6x-Uu3q`6rPJuWD zwuMi*>1C8CKq+KY+vX@QX%2;QaM!Iic|3`^YQmvoC5BU{@aQW_FRvWKP-j;U)n$?+ zJlT17HkYd_JH-Q5ToB(AG{)S{olk&MSgocT@JH5_dUsm`3&GvI&rkxIb}tK^61o7* z(*aw!p(b`rhejj?HqO>Y)|MpWd&E92rJma}Wx#A%qXplY{@|flvS{u3CeIO!$}wk$ zv(;q&K$iDItLk$&UXk#F@j)3s3NQ@hEpdwY1}kk~43+4ps_^C?o3LL%Ge*|LnEKgk zWk&=KyLP{}2G}o1pG9Io%4giIVt&5*L~30PYOQ-?6F>JnauS+qzcy-MfU+!HC`xxM z17D)0gk$X#(9zXLf7^r+J_112t-LVD>&;thmP6p!Yk*Xi!?svY#5(z&t&}9 zRRY!aR~aiDO&i1$t3dTe3Gb5^^}UfX>i(vO)WV%YU!arWy8f~EN!y|qt6-Q*t$Ce4 zM^tgQeD->SQW9IZScuuXk;Vd}diIF1uxNeVYOctfYu?HdbwN3hyvJ41VgZ{WyyQ~C`%I&6TPW_~aJM)&#r3RV& z-Eq)v4xeAH&TWe?yO)-a1@E&&c<}sQXw&d26wFoajo~;L^&F_)KX5RIQ;2yO^$y9A zQW5jX=VdAaS(S*_YrY9}#WL$U^=e|tZ$*uC(up0E>j}nRsC@g)q{peBo_8kGIVdy( zaxlc!3M`+k5fqQj+8o57P(|fUyMtLlIkxHvFib1T3;ls~t@0mON&BR+9W~-_zqPy7 zx#P81Y*z)8Cwg#He95#lQoT}oJU8pjtBqTB{ZtA0k?4r^FFxy{pqk9&7K#^H z{f!)#0T7RL({S72*!Z%Izh5fGbriSSn?HtI$2}I+_dWT^R?xu&v@U4!$2R-;1C9Ax zH??ddciH1De6n4lv9V-M{#8!?dO7}!_t~UQx=>Hgbd9Smq1|g}cqm-VV8otoSyOED zJ2K1mEIdtX`XgI5RNd#MZaJ61htj0)+qn&5*=|dvkR0sC&F|XOnW|zP>&ST?Y3C{rluPx?*A=sbUM1AkrG06b8a>hYf_tznF#fIK9espVgM{cZH?Jqo~D=*?}Pm;=9!|4t8R|*8AS~ za}^Lde>dV;*tCIYR1qW(q;E1NUyC`10|A9(nAugXnp&ov04qYPmYiL+K->#I z+O$^3bA06-?s(4wz~f6U-xbJ_5vUQ_Zr&TE1_rjP{Q6{yCWoAuGCj_M`CSFOc_aXMXd<$sdOu&ZamCbBz7Xt6(hwePGEcG0hv&9W7iR~+k6+9i z0)dPx23ZXlQ#6E}IsiA4-4S6@OAdQ{O4@c5nwL!9*aV2I4_Yi_qKA#0zg|6E3CXrk zsFToJ2(~i-a*pfyR|gYJ?>&-=IM|P<<}g>yd-Xsy;AC=EmH;}EhbYMOfC{cxd>#&n zCh2S(C&XFHg1J6zDp)a95i!jR6Hw~2RXGi#A-UTy1DLgjNcNB^EVvKU8V@sv$q*p8 zuF9C6HHqO(ATTNB(TL(wx$GSsv%B$Sqn<%Bn`Fsz!zRlcp*oQeBTr_f3hVezs|swbgg#-ocWhE&%*Q=KAQt5_`uS{#f<9XB zAlRe0phh8v-Fpv$+6i6f#M4;}8M8ewlZTB|bphQw?VZXW{nkXLIuQ&yn@C7z%L(QsEd-mrAb=z>z+wG zg>y84W>&tJU1hD#{5fU+WvJK_FQ5)mj`w;~JOqhV8DKCTmU^!}7p)r>oQ|jhAy(9I zscCqtd2c{pE0@-vCxWE)V=r7>s!fC9L-}+};OWAuc@WNUo(ZucPZ)0ZO}3d|l_0=+ zW^fuGL|13136=In!mh4SJ@U*z0L!BCb5M`&W*Z#QTUh5ZMKH_-OyP0kR>t~oD>rl8 zi4R{DZW&-)f90=d3|M6>pq^u=Mi0*6W7&ZjZ?Y6psPzhc*Dcnu&z{2>p`f3$wzyMs z+mgnzU}fFqB7s*yw%*ZGBnED*t2piXbh5N}Uo26^tQn~cL_3qJDTiy~`cCuP|%D-Fby^$(vN(Lhw^Q z0LuFlZlz!~m{ke5FLS!CYfo7I3zjsF*AXB`%0+phc9 zL`4Bn0jUuQk$gcw8tDeS4hMt+>Q7feogw+j?(k797~6^`3k z2y+cq#gmTFzfTglCl_t)u)f=#RZP4IJ5~@;zyz@mMyu-mw&4`Z1l?YTijaz#r)Un+vrjywuU5+o z|H-jk-KJnPn5oVF(SF8S_KNmhS>l%CLZ`FA?kTc1G$EK>jY|MUfA^vE-jOeSI(RiU+^1 zr%OdoG^F;|b_ae+w@uuNGX{r(dv$8ngJVGFjYfny;XZ{F;ZI4dt8%@S7${$U3N@D( z81!??9|#SrZ59=-p~iXLap%$g2}B+PDzm~VWIbsB`Yp^nmsfTXQ)(4Xwq${oQ`}~3 zpCWOgpb}ah!UUawc>($l=4KoKyuy<*a4N|eox@iM8O)P8xUu(C(YUJ0EGK@+)Q{Qj z)3SIS+wwqenA)UF1%!z>c^98kxS&x+A5Q1uMZTgo}QMsV_dy;iWHmy9HS*gOc^r8C&TTH^-7|>Z}I)#<8_^; z*7s-!(QmWyhLSLQJC~ZC?0|{r zWHtQ}0fg>HA+Jx5vt6(*usWvO0(^4iP^Z=hgu&e8on#8;QqhqnK}soAZAgZ{bkq9V z_iD0;S0@Bl-+WO&WVh=!X&XBX>2Va~_+b^oQH*nr?NG(|%@e-cQRIPNt(^A1ZRU2D&7KzHU+K1g+HXuuG*qPTZ z3R^OoU0%iPB=7ACXarivxBi$~HtZq`NEFhn-?Xu(`<)nXv`10c_W;I%5UaJUwYl53 zbc_bERpt__shGrGZ6Z;}?t%iztcL68PAYPCr|@ zs}3nAi>bobhYiuatoPr1EnCtYlx%0+jWV9mGx3KB{T#ISl_u|6duIpg8f%=s$Dx^J z!GpbJUfXQ!Ygy9fac=5+CX&SP{e)dPqKE88WRP0vp+SaN&ZA>+w%k|lvfL(P|Bzj_ zv`d~9(v{;;Sx7#4>8-J7#`H}vJj5<7Uy(XD6(6H}Ocp7Pq){IUfkEA=wCh<4>F)8vut@`}8O1U$rELE+ln~KA%_Qs%K*a<}4Zi2qw>(*gUg*EROOw-XAVMVHV`7U< zbV$!~iXeNbF|`6JSg4K&H>c5X4qXpuMqRRyd+E7={x~~q4AD)>+A7RpmZP#^>gTF2 zi0k#MVUusNqsnTa>hY=BVGt59Z3*HRXuP2?CiKkWM^KwplF+K>YwD-1^d_o!BoJec z$EY|R4qZvg_HO;CS*pdDoN7^{I@-k!B4Ya2tY>z+f`-qGK+oM7@7*5$TSkF{DvuUd zD5KF7)`CfI$ejMfOAc#G0Mr*yX7qgjvkMiiIzFYubw#o$Qff?nd3i9LYhT;@C9m7^ zsEVui{sHP!z$U`5)5~hKtCwuY)m6FFT|N7lVH%9r8TgbXx!o&7889VGpL2RysG)=h|HLn3BVw#+ zoBVl8xS6Rz=cA~NlEKn@lQQb51B4ItN=IQ&zk3_)e7fcoZ(6wiW4TU!2kqB8d$=Mr zgInfIoynV3FuI5PJI?F;u@;%J7@wU{9-$MbY&VBjY+dz(dCCrds{v=75R46>DxJhF6cFc-UuY6dwC@fMT^k5*`oE{Z{ zoLG#HotDT>FRA^J<2@C~QClPuS8Py#T;Z;zwGpvUN%OfI}l}qWN^diVL4o&gPT)s)1tHz4M}(tLq@_=?T&1`ni9MMg#L_ zT3cypjmL6_wXtl@ehgr0S*--0AdcY{Jad?$d{E`$`tLum??usBjln-14OEu6Jp2hI zCxo5AvAG;GFx67`=8KKI^n9q;w%p?%!g@JY1Kpqpnxk#q^q#UG0k6Ec-Z@SB^t@@d z4?=AVbH$E7&1j2u7<4Z;8b)=5)-O#hI_%jL5hNICi-~lMa@Y+-owH-*2v1dnw_A>$ z=r_24K8$SWA+uvgBwgVjnn`4UV=Uy%sv1;vSM)zV%f)WKAQeRE?8!lr`pE}0XYdI{aH>t^bgol`z06=Ue1pNm(i1hb-V%H-OAMEU zMvKetUe|x5;)`-j-y5kro>ebj!Iy}=}&~$8}z>y3;2Cfv`B3~q&lr9`nQu7)Z0Ro6+%`Yw4e(tJc2qy&T{USpBa;gblu}|u7bKd6Bye>g&Eaen?R1HZOliGRX8O_ zUPnEfAPtRCTIlv3`kVyOEAvGD#AMk3>$OdDSb6SYTp(`_v9pZ?TTUDuY^);a2({1i z>6n#!NPXC9ynw!1qiNR80lpEQHB1~}TdZw4nG;{n<$x{)dWuMb%B`s`U3e?e&4*Bm zP}#kRWeL4o(8gT_9EMERKt%rrv)*6W&r(8BQCZR+%gs3oYlGxL%I*tc&t;IzDIeu> z2udw*UV@ub)egn>lct5T5QHYa4eXSXnWjIYI5|&J`i#A0P^Fp*VZ7=A5)LL~+Ilci zrtVGynA(%mAcY8)&Javtf}^%%>+$5OH|z6qP=2w6kI&TMIoC!}mXh_ruuJ>R2%eYH zCCM3^8H9QfhOX*K{cxK@br4!+H~sVMy{%FF8vrQQ@MTdnNEr1atJ#%C)@@zvid|$i z77#uKD3)(W?)oIj%SSpJc`B)sk3*ykFrmiv064`tv-D{oK?6lkrCRS0=;$SWqcb<+ zYQLg|Rk*QzX2QUcsa?pEZ;}|bfo)v@{JK(BNH)W`GmGB+asL&UUT>9ATM8{me0i~}&> zJC7gIVZ;q(4M2!Ne;j5lW;>zgEozb1Gq!4xY9-d=&G5Sb&$Ug2xd;$X92)HnSQ)mF zr;Z9wjz7W^gxm#)GXjToSJl%q1v{)5$?t(@xT!{YHO#?urkCJL;7i==X$)zV!e~kfNs3CC)V400%REDfzo?kQNICgOJn49RVi$4%(QfjmWeRICHOTN$1$0**&8E0 zP5TuOy7sC5y4RiVcI)b6AJCvY&;&xNuySPs%z>Y|{7kp}5WBf9$ZiHF0<1c?Cp(Bb zzsp1*TkdpbRaQkrDs>OqTW17rQfLvT4(-HJU>Mq_c&66`Zez1*4=4)|v7KoF9#t}x z7SFU5#)-QsZUZO*n8Nx7rZdD6+Z zRHkh>i-{}kYc145_aA>iLMjUrA{Ru{boi=esHhlB2pP?JY&h3=);35a!obS2{)UAPh%c8Y9YBCNG^QXRd_G+zhGM0yYM*!H;rOV-j!9TfV_&I(Ef zC36}G6rC0~g@M3V3uRQ}hU$nDdo?--6tLltaSaMAbv7r`(`OOGsXJmog|BA9qgZK= z72)`iD(h1`)bB29qlf3$x0eROD+Q5&s;G$5Ewe*_|*!&fjgq%x3~;;exB>frxCJIL)p4vkVRy+P(QzKzwm z9n}rTa%PJ){ym(hnl8uD*bfJ>N1JCPo@W}`*HiXfewgqko_x?un+9fkoYJI4NQGUE zfn`YWL17sh$8xZn&<8YH)PX~xWmb0Y&@$%$soK6>6Da!r3#h`%ihH@62;StHQRp=R z%y!rG`ndqAVc=mkGHFvrQ%UZ1S1lre=Xpk|m!!ZdGSO=iEJ8c|`m9;jiANlgCppXF z`f2O<;sY&MiiSsapx)@jy>^dhG+RLbmrVVq*8(@+tg%WKvgyItC~509$w$6_#Bc+n znWNgUJ3A!?X=M>med5mY!92rgD?4lfI6qb0llhoT#)e$W=jdR5;0!6dU4YEys=P^P zrE0e}I{ffJlacH>DDgR$e#uJ-sGqIge7*F02s#4j7B^vg1+? z@#3Hg5?tftwSKzeInyo}5XNhno8iMZGDu6-EMoIp^lfbRhJm$brKrO6RHif%M1`-t z%N!?BR%=HK5oOlfhF#!@6?_-%VR4tVrUwp_6Y++DAO`JqlXOl|r-{bn7^L^@dbVxb@{x|w z__b;fBTH{IyN1j_uuUz>?3`)zR3)_|$A@0_jRwI6%GH~F%twqWPZT?l=5buC4QzI7 zieh7qs~DG3uVEIWpmOy(wvmk!I&9*dYV6Bq34|6r=^Bl zLf?|MkB^HZFmKqS8TItIEeR&H#w#WsOfkBbk9eUR>KhK)+WW>OBKW_&f1((HGH;@} z_+UMjD=?d*Oh^nW6pz@g`@fV_&*%@>doEgTF95ipbsR*ww}QHnIorMRH;}Jrqw0t@ z$I76^Vo>V)fX9v(u|AA_W4!K_Ag$UUR)5a80PKp9TXMi5 zK;G*G_U|mCcM#9TC?!o&JH&9l+5n;Kr%#KgFQC=A{zy`<#0m4TJE)2rw@KO+7l4x4 zAB!`-{pRZ>0%r8f_({e3%{FKK-+SO0SvMb0Lzc_}BLD+skQK&e zgJI2oaiBHK&D*4qsK_;TQQUJo;-2?3Py1lFsO4vxkx)1Dgdt<1Ph!64@WFZhHwV8x zGJXU32-yX#X+w{7UTi@Rb=zpT|B6dHjeAPwwW&Qd!kKEzY9|->2#UhDPo(r}^rhPs z0KHWYZqRaF4M(#3D0+R(c8X$YDF5KQzsbe<85o4y-7k)~cxig`4GX@d!F8Khbp^dy znACj~ouH#e#h_O0>2?2%{R6GuL98qCA!}$novSeU8wJ7RAIH00nkZm+0j*EV4P+<2 ziAMnA2|tWs1$Mg3Z>$Zfb7uhS{?J4T@VS`op11^~)8mUAd_95KVFXy)4NLGK?r8fu z+JHX1HXg(@jCXf=Y;1GuSE$+X`zn&#-Y14ZpyN>U+I7X6zOonK?s)1(Z5$q(5*-ZpN;M=&JpVlf6!Q+1JC1p>(cH%vouF{ z#sPcU?QP_;?P-w#`ye=Js1q>wP0K!LdsK@&*cDKIaY_Ag1ueVeU@QDr{g7+_mM85R zrQEu0w`N|^2p3O;eq1;2Y`?I+*~yKb;mT4f#?*BRt@s_qk1nJOc9an^HE8LRmn@nm zayHL0zIU0cN(vhcorZ+Rkse55;j2 zehju5A3io9k4~4TMk{vgWA-IKHP7NKOK}t9O|Ww#-tA8zYv|q1_O+qbQ2iFF$)f5> z3+!@2f`QblOI6%JymL*lMDrxKtS+xM9IMZ9J;fn=Y1MZBmsO?j!TW1#SXHs$i5vSeXIMGL$@R@YPfu2PYFskA|4>P`DE!9p=@3Sq9Y~0?lz^1e>IQo{X`IGVB z>*XP|X^I@tjX-B-=81ao&h7ON=hAvJi%wQEe)eKT1L64Gbzn|UMKILdCfp9?HZTk0 zozExbHZ^HZ11q!%H&T|F>di~$bt%aBY9?o8x>MW3f#wO|G_QY=!XKYg64-AhK16|8 z+W?$z{sPaKu+6WT?zX}7&pjEY1lgTOL&dF}I1s`w{^+6KJV4|;i(P;(G;2l^#6?Z9 zqaVd@-l_o8h!h0a+?eH~)32wgO~0kL(8{(3_k56(Lm(_WbwgW5#H(h`mhL=3% z$>SR-A6N(rK-82Z?X=3tKtC+pG2D0Xvnnjg+xR($aMwR^tG(D!vyX;$n%%z;HWsx; zy`Cq|@(>nfV;YMvPQAKueAL=A_?=1k1FgDQj77+~+ev?36I>n+-r`HW28sie5cLAByk- zyOg6DmR2JmN4tMfSg*nfC)Qp==ZqGO$`%MT>4k$xN!1R}lq?+k0T(kChA#bfBwW$Y zEkSKp#wxk;>+!Q;kM+z@bIOD&4nV2zjy)6@JEY0(iq?L@VJFhkn8GtH5#V2U{c);M zVgQ@X-3gFhb~f2MN$gmbVCfl#kd^7yYYRd$S{h>w4Ge7p!P|VQ?OvyMK*&1!PsqB1 zUgw57lxAf2Srjh{GUSY>#$|x8xV3bV-7KLXta7-QQ)=fpC7r2K-pI{BHx%7>lA29Z zQ7{*Y=nW_s)m!sH#_PmqZSE?JVN799o62Z2e#@4uF%H*6VB$LCEr81peo2|%TBmufpThzQUt6fCe#l83?@GLob~f3#WjEv= zYXob3aBl)pneCZ?Y9XFY9bb!L%DQcW`YV_-_ZhkF(VE{@7FvB;)a&v5pEnCxt_FG2wpQd6&VXR|*$b53>BW3M1^v!g1?QXjPTd@~ z3wT-?Cdq1xR?T_B=9-**gTU={=nWt9`_zVav5H>!36RODFC#dLR~TEYhH@F38C50X z{9REGS#!GXo6;^8B`Z>8342a&p*1xjGXyL-bHG_hE1Gp*$hVf&=8|ttgKbw_>mTV7 zOI&5gW&=Wgviz|prgiRjkH;V9p;Z@QsrwG;91X;40jr8CzL=3CB$U^JhKI3#(}U8Pnw$Miyf z_~pTixDH`&0^wy^c*Xyc#!Q7O5& z$?~klW4%zZWN5oKsE;>;QzIC|sScAbx|dKzJ8!I#WKZ|~sG(9_^prA7PLMn|&h^IG znOlQ9{x7KhIc(D>`d5kqMPoOg@^dH_|#!4%uP&S zZ&$%MutC`=cYlKzC>ixQ>6SY^j3p$0vzA;3_1C7OLteWJ!Ch-1%9wy zFR{odE)977y5}X;fv%C=fV&+{wqTV_ncG@ZnwKdqmY=OpL$mEvn%(`#u-d?#7d|6< za~mj+dQyIuC> zR_2o2wFM{V44ae`2%}bEw37o`yV>M0W3Sa5vd)|-90;>1Ib)4L^DFCA4pKre-I6^` zs`QWVT#o{4iMfTwHdv*tw+Ur*fh{t(*-km=j2$~QkSvs}Q!{B7b}pESQSoy&JaggfUKim&w4lPqDU6uUdX9%BLHJqf#!N7;)4*V*fuB8jOSWw3q-|BJp zrnPO0`lk#FSVl`J)tpa-mNNrCwZXi(U^OXV9VwzMl1RL2!sB2KGwzjnDHYu*>3N6S zyZ9rpr@_cW4jh(lf8taojRY6tGWCPu9DC(y;PCRF55U|~Db&lu9(ljZ$}dsv|BU+{OgW|G85f4lwGmF66INrSfm8mJir;wk_k(J9bS5n#Mqt@H%; zsmz6`w2!Ukqs-Qc@n#@}!}_P97T%1j_?1TryQ!8?*^sbckVZ200xdYgE#kqj>K7O^ChekCraNiH^r zqViN%-R{RBjt{C>4K+&diz{d2xJn6H?fc{$dD?heg<4c_F%MW_dh?z+-7Z}7geOrW zT|Z|C`EqK3FO(CckF_VMTr2??WpV%JElZJTz7AVbw^eK_9)?qj;#z$Ra%R0_`p-}N z0vUQ)Q}0J{Ei8Dlx7;?MuYKhd7FU;l(56!HOw`^uaX{kj-Ir3t^zyECW<$-tHXZmG zw#PjEmpQxha-wc$5e#}0zV>2Xn+HVuq)#6?iOyEC7U#{+ubqNCExT(4qNVCJDbfks>w|KWX^v15oe})z?t@z0@&K0Xr1~$yZKPhQ{5xyT7#7pRY6Je zQkH)Vxv_@{zz>0G%P?PBK3m=2PgFaq(mL{+0WKoS`^HW};t>34GM<8VQ#_ z6qtm2o?xrTtP4OvkyT`7;4#AMVejaJ%Jo55`G^KLdQUiLJ$K!&nWcx_Q*aD48z@J7 z97UziPMN*~$w%U+kH#~7&ZGx_DCo#8%OSkGgHc-o8!g`)DLgp=s+LSGK|EF-U7g2m zxOp-@R9yE|5YwmNK(%2r=IK-V@1_M=Z|sTZNg2^qi93U7vngvL3 z2bpdW_f?m{u@7M$4yOP>uYDTfMo^;D-YxDE%V?;)BYplecbnPb4G9IYmdDqD?QeFW;Ad@lznfLiev0# zaDg4u0xxo9ZyOpJo$POQ(_jnM%qJm!Dlbe=~aGdOzfc&yYzthh$-i%cq~SEaY9JZ=Zxsn^~2w^{(IkWy^wN z?eu{4o>&izL75hR^Swfhyk1&P{o#XL8V#NW3c3P^${XE;`Ps7ilZ|7uFR`MIel4>K z*rMu}@nz?^oaIWN)NP+bE7*9BZc{`WJM4Yd`o|{9)qAt?aNY%n6Hl4~MU0{Meu3L% zV19O1?0FMFYBHXu-d2k51!Nl|YR*25Zm+pe^v6JSy5TS;7hi4tUl7+cD~P zNpxoF9gs>I!vUGS)#T6Mf>ypl_%4U_7-P4(d{cjuVxM0Px<$TT!9|fKA{;oI4e}M9 zeMU|QPBtzlZ;B2|2{}8J8jgY>?Z}F->4V6A9GzA?nZM1gFIIUl>tC})(4|8!J3^&BrrS})(OzmMT?lZo-K-|S&egqy5mVZh^ONsmQ8JDbM0MsdtmFMM`=Av6FvpTLzu`*m%a zL0(MMK6f>_GLnPcUOTayS_YT&Wnd#rg9cCI2yViU!W7+7pb1BIXc9LCCOnDqC3)T# zKC(k=n{>|SQis}u-Oe(4u*%4dU6HKTJG6wS=+j8{ju~|??*3@z?TcJB+!Q)8-c*dJ zPEiv%FbIBQOZul_5$iwp+EOe%CaKRs5@SaX-J$GYnnkuTGqStSJ}HajlLTiXk^SpRRHr@V6AgJ$14RW6A0`u^ zoFY%Ci(^)Faz5r_Y_pwRH_(tI&&|C(hH-(hh3Zv3#=t85rCpyd$nBF`2`x{mFyc}= zI}RIc4`YnF>GvB3mue|i+3ds&1+sIpe6o#l4%u_Cvh3^9UOydBn7BIS;dy3!KVu77 zKM7|CE78VtxtxQntF%d972bU=)^R3e9kV>m+#`{jDkgl~L-y^&p++tAOT*j8+-Zq| zmHt7yZj?D3(=cLQuUS9MzFZnuZE}-khL_Dupm2U>QxNR~e@%hQjh{0?7s)8EQKkK& zZzka@me=q?l}-L`h!n~Dmo}~H<=4wMg$hR1Pqg(FZFA&EhE)p?gjxpJ^YRC3>hGgT zpAL?{=XvmEn3Caiw{i97;ZM&EM4Heu%*^WzM4z|l<{M0Js(?%HA!sMNq<<2^qq-$) zzxfdq2`nelE3`Mep8lnHMFfik%B`?;pV85$M=}1`1cV96S6TKa8Q|fv*6AD z)S;wuG-R{qhRQ`9*b_7>Vzl884W`$evFNojAHRqZ9jH-Gsz(4{-W3(D9GsLO!5w8N zbU*i=tvOy?33o2Fp|Pb2mHTyp2d_STc2?I-0O2`cm!1H<@`uC{bACu!-)x``^;?Ju zHJL@R4{-;%OyTg@RR`^yyoP?CAB*pH&%u;+aA(G}Ibzi}N}5a!56|0OyYZYhsdV!J zl#lnjgU@cVZr>Is@S8+DCVcH%bhG}WiK`w&tZif&?<42Y;NP>Pp9W6vB7A?hf--dr z4cIYlhkAF(n|c`)$y8xELq0?9)aE-%2<^1;9F9#hv(IWe7a7~-wVBE*Z@CEDfLR4l zq=(=>=l=7*C^7vddexz-9Pf#zt6!cM^35J@=TV#a zgrute94lL|Lu~!p5~p_S68DoN3wzpFHI$B9iSK$_b2OxvS9XbT?C@`9MakEPdG`s& z_+_WY;4W3<$}z@x>-Ne{rsNj+Wuc6x8o4cfTWZ2TR(swarXKYZURE(dtQF+_VEZ=v zeFJYp*Y5nvJLb?V1l>GQCD1F7(Li-Lk``Nb`SMZECZ2VKo9e+!Pw-=FZSxIB^Px^Z zKcY@(iaR5)iM?!)wKMd|236B~+om9X<}tsxFtcr4^m6^V#hk|LD45ZVQ2(s7q0cPl zw}Y~6;iNrcw%p02Yx^X$j4fBiXj9TFVS&Yuqg{Ytkf+G|fpGL>(KA{O#C-x!SFTEOLzUOu3WgtNK=n|vm-S$vrk6|e#4HNW})LZt=rNk{?>G zfaZ#KXjzJ%807}2EC;ZJ~7NGmo<`l=E09_u7&596J2eXj& zhKu0WYbF>v%ezKE&bD(%Z-c@1J&j60(UbOQ`IIa*Swc=N5;1gpi}w~=bKTyc;t0Sk z6w`XG&|On{$LKo5^5O~qoJ!#HS#J%KT@CH8Iu50^%SkO}!;P(E2Kk=LpPnH7DtZMK z8^KGh0cY#h-WQMCPaa+@J`qzRO%L8Q;Rxd-4aAmPg-ut4=O)EN86BfzL^1dFI zo&$fJS<9*bkGoYw)21#|cdT&PeYNvPiPuyz-ib+l&7A{H4owkIs#BZ&06E>x_{+8{ zU{fa989;(W_ZTV_?tUG+!HF+ zHn9AqoH#U!D`0CJ9V+?*A3ZsH}?J z$wSxi!tVO6UC_3*pejx@e$AcGCS+m#h{jkjTpZ+2vE zy%Dbg(Ih&)0F&-4d+8Urv8GH<5kAZHV_NRHv*L$ar6g3&R{c~qQEuZVfsAPp5HZo{ z)aB<39%Ec)ZMUD*&e86wc}Z|^f42Xz>vW4_#-!g}z$4s~)!SU}TUC!!&&{Q2kF0?0 zw2QY_h%CLgn(o`?wrna03IpWWEy(q(cYfD%FqD{IetrS07eANCj9dp+&W3;zHtTTV z$eGtiY<(y%Lf@frpA-@)jmuZdN<#Mcx_@CZt1=UeJ;Y*^XhZ7Sg(Mm+Z#6+*8QyME zk-UMt&ug6LJlSUCTk%4K?v-`d`p(QZcXZ##Y!dR_Y;>1-gXBYbi)x2Ty+VU(?CfX8_Fl0Up5^p)TF#H zdrc!IynE9nqsz1_9+TEhPR8Zd@m;Lv`-pMPSz>6aGfE)jj*f8lVJ8Q-)46dl&d!%y z@*&5CnpAQHO_|Gagxk7*(QKfKIVW*(3a8_reNKwQhlZ!dZhDdMuyTSqnaQvSb$0=( zU>hrao~olSa44g<=pen&^z8X!+WCs)T6P$p#(2;a+o|Wz-L>FqCcf_IQk3NUS)9OjzLrJhsmIK@hROf2k6%wY3rWCS4=)#YZ3UJOXyuVH78oSiE+VLz2zKyg?a9UxtA)p^i@a zkIq0 z?DFJqIa`DZwKJwSUn!s4w!2cFrF2T(J&X|EksH1!1_i^ro_nE36wHJ08`AM0;L%r^ zD(Z6}%Xp;#b3<(Y5}L)VI22Ix*iYG8O}Mr7)S|IMd_+pMqe5UyCN1 z4x)zj^A848(o>{5&U$U@tC~t`$9}2}E@se}ofFwxv>L+KSwlMm*G2y947{H1t(rsI z#|RD{5Pnwaa6om3$G>UQmL8Y_t1`1vx2}O@+ijaTG1Osa$q{e5%enC?uAahUehb7> z0?FHg2^TlSIjI-Sj~fSVorDjm(UE@F& zgD+_HrnR{+d%fcTUGDi7@}Im5{e&uT<*DK9-Cu$LHsv+Nofh!$mP!Bnm`z77^CW~- z^Y}-6t+5cK1MAtjItJ5xjLS!VD=u3sI&!aP1kzHbYNo^!^8^w@O0N^srX27qfUO~T zf#Ful^}mefq~tU>Zlil%J~2oa_H;&l?c2MnX@Me0Q3&g_)@JS+tyt?;I9&2OxMNk< zS6HoASG!6j`cSk|>sJ+g?=?=-X*evb4|ctTDg~LeMEp*GY+`W8oHs($!+bUR0Cw~^ zjA)o>D=G-}c8DHn{;n8r`8gCKZG}E#U+RP3{yx|K=;LUSqL}*+uJ#rRlXtwvx3aIT zT!-clUE-W_l5o;?++P2@M6XE3X^|csr<$iRZ81^On+#u~Ab<^2J@j>)pzs)|>$G<1 z&|ti{4d)wg9l9LoTo&2p`>T`VoA@;VVwQX?&WRz})X)KsPtLLpiE z&aDU>c?^L84}YN866J1kL+v<)<%%0- zeoSENFJfxZjxm*Q1o*`1Yv{wSgFM5!5$7PWRR0fUVZmY}WFt;J>rFxmJZ;|l%>%~B z<)vR_=QNugTj!U}l)M)=0M)_nzPUvg5YsD<8yUncW0W{o-dj zq~%qQQi@Id2=tw%n=jY4%#N5Jc+(+#<#zjPutK_m)p@S@js0E)=^aUj8iG|=|53%& z#W0O?qdR=dSe&TmNi1 zC}G?hNXtTtuqWpFRnt!4v#hIc3f#)DPcwVOWvdq8(2Khv#{9Um;@Rs+Td^V$>x%`! zfX>1`?P@(&@4*UldzqN;o%mJU7~_T>I>HcXufO>0E#>#U#sb;z{@A0AANv4i4;m}FKuH%_44fGP^Zyr zKSYJKl^7_B&v5&pDzv8n;V}#_AW@33B>V60-PYE(VjQWo(eW3*&(~S?j16og*1*3c z6fGLj$_-dyZW}%2*v0z%y5|$-F)P_KAPtvFK6o2w_v^EX!D}Nsqx9TA!0r-*=l&3r z@|QQBm`w$|v=zB8YP+r2y=k+~pL2~W4bHz9De26)H4Nh~1GK;3Q#uvka#~cD8Dj}1 zPLk_yL4}=lq`2oljN_T`3g1?*9);YwtRgMl6ijUX3NVozR~;%=raqd4?3lr=UEq;9 zsSBSoZEqhyr7xmJ>=8p;hxplXGj2R3$v5Ght%Z2LFfup z_>tWGrGC5jpBL_sL--Jku*%e3guQQwnmG01!*=()Bc~ar4+lh}0q&g!M3*x@j&(=z zo$B*1pJeP;XMElm+H^7L+CK@6V57#}*ft6;GpurXG>enqgxsP%`a9@&?q(Q`iajUm zhxf92J5_~&`17{p=!aMM?C?naU|Y9Vp9uB-X%#83$4)cRSkw(eM>^nmm| zWY@~2$JKtfxN9>e^t5qs-<@k4!XkLei4xHs+??|8-`RD>$J$lVz@Yj0=`c^?v!ld~UGhXvjP{s-Ea-jcu`?>4_;kItRh5(DVN7qenOH2fl6a zV<(!bQ!j1yXe=EMHT?7C8<*v;N`Mq$QDLJn{KYh1m$nh4xe5IIjmzNsFRxzSIWfGO zf2*hW{R^$xC!m;OqMyIQsML5v=k!Lb)w;`81?T;1?_94s?og|wOVxlFe(0IJ_3Div zV}-y5EB~X(-Y+KKla@Pox9}`FV&Sb9X~n5b5#wHYYVeY)t-&|&KJsispdLS8BP9sA zJl`&u-rF6oYimn3Fa5E7E6NXWiL%pvRQ}-Z&Ic2h?Q2Ac+d444kbb*j{@@#zuU^{D zyZZ5ynu>7YZ@=jL{FN*GTANh-aGQDh!}ouYtyBUxFd6y(CmjQ#MA$m4aazq7wT!)uogD8LO(N|z*OEt(K4qkip(w|@P=fjH9 z4b5W&^3?cYZcd1C^I&K(Cz}ccHd$vI%dQe3G4bNp>2BY1^+mp`SEV@VEHnH90qC+2 zRCU}L_}g#?*mYeby0v9=y=baVp3k!XQDqyY4Kr$iR>Z4ievaoL*#RwpPLRV$zBtvz z40%qFhKBV>Gz4vr6AAtPOeDDSXdiStWs_l0-!nKbNVh8iHWY6zAqxlC{=!orCr}3? zYf2M^)rDnU$om-vtXm8&dEzflt<*5?ab0RcN1t0Ya^dh26`;cNfAa|!WZKo+lq*R(MIz5(GC|AptPC^OvU`p=gJ zf1!M@uI-5G`IPNd`#)w5G7fn$lA2r0>DpeZ)yZvV#Mf0d7$8iJzo4I`u7Vn5J*iDh zA^7Z()Ya=m)cM-FCjM7#fCr3@9|5sSc4yc>&*BTN8}|ih*Jm2*@mRgR*UlGsHa19p zk~+W5=%~d%hEo-1e&7=SoO?rafB;sIse&}`WM2K(Gydnp2mI~7qf9@yL%*=^2&YfE ziGRfZ^`!sbA7GCjZN_xJ&|4$9+Wg|hD0x5z0hGf$tC;h>y78X}Lgp&oWCO1QkqMDd z0ADH$_zKctNX17D^C!wl*?=EF%4^d6f#2w{+YS6ucDfYekivZT&x3U1GI+XW!l?`J zRkD?AM}${#sWV=`j)$Rt54bZVFAgnYBdoU1@x3{z>0g`l_$3TtUYMyhoGK;I}Vbk+uYDFjj30(fse;+uwwjju9$s;v^jrZyQv5BjOhCUo8y( z>k!vmxS*zWUjIXwvc~MWj8+Z_`d_#Hzue$=w;uiNLR1Q>GHUq8kJsn)=$2zjk7=rT zXS{kE*f(C}-x%&B7?F>EiIqMg{Xdot$yLLq@B8HQY% zXRrK!->(1e?f&04_P_thzv=#_x<^At|IfDY|MSW}yXF7S3t~gwg5BbQeSy;d@H+gb z{pa5o=YRCYw}h7_n7jS6`|tjjTk&7+>;LGN;rG%1{&ma`-U%p_u)l`k1BEp(XcvpG z?r7oztKR5nW$;?TE0=-qOX=EZNiq(M#}5N&Ch6nQ3%Rd!&%u3p$$fd=kMh#2X(;5Z%I5KX4)Ed1zKvqa`) zLigyLhYj(eCG2R(douFaP&CEX`DQMkCGYZ`i839nYC1D({TCH*a*G+k8J&@~wR}Rz zr^4Z7@5NZ;!Hte19*70qk;I-X7*c??Y~hE5Rrc#;SKO>^Ah6@b%=W)C))}Ge%RO50 z_MWw5)+Hn)1`hs_U@H`Sez^x{unkF_;*;_c|9tDl)mk+-U?8E6cj);5;d`0lgIm@5 zs_t?B>eY9oBrBl!DF|i`Gn0UyPA+Kl)k~GYa1p>tN1YwWh1JfoWFxfiJyB8GdJL{9 z=Venf^bIl%^e5x4J@Hn#cGZ0V@YLD;@l2Iv4o|ZLbZ*xDPYgJ^{vRsh$9O#m02YU_ zd=i8gQi8b)7k>~*YXHt(r33^Is+NHu69M$f3lOM>!LT`2N$1wB%NcZEhSe1d?5ZYY z*gLk@)AIL?7XXu|1%Qf%@0a4V_2u`0L?Oz;Wfz=b1Xy~+lqlIT9@4lE zK;i7Deu*^@(uRHU1``9rK$sUp#R3&|)){_G{{-^Y43r_mZ5lSwC-WXNLBwIod=m^v zqj4N4wo@S*Y=QGUp6=Xn_KuKU!1yUYXsg<_)wfcFCc<>kgsR76KS5!;Zh*8{W!AeyepJ#fgSkIwQ#t)1KmS|X_H5NK(${g@}tf+7*k}F4h*n0X} zkAZ)UViTk=thPh_8qI@NGp$MLMe=Df*tJzxn74lF_NrB0YVLBP*(kTgsfq_6=47*0 zW)}2J`hX{AN+*6Urnc>Gtx-jxB#DQ0c7cYe87k%by;VO;$Nqx_@EI1R_P^+Q^LVKH zcYpjYMP*CL&fKLe5s}6ij1Ve&Dp`hP9s3@dp~#YDRD>+qNwV+zK4jm?&e&z&##s8j z-kr}m=X?J6{d+%>NB7Kiy{_wdJ(r79N(oQB^yXR8zQBl)`h2d6XBr9h{pC3Z-eY|1 zJpJ{b!9(}%O|5l72h(Zx9`6&#xqf~QJT`dZr6s9zFDU8(6_(??6tLHTRM~mwLshw7 z8e7}vGhC_~mX`p1{!lJ1;XeAP8PJTfBhaqDC_{{#{wA0})aBf_3qUb$*`hV{?wX69 zcKi2#nNj`T!gF7YfJ?U);06kRd$}z$08H61!|?vHhdRz2ubO8 zjDCQ7Q|2k^N{c4S5pb-|0J<(E@T*K|-7UQ7Vc~eY*dY2AuYOIXjHl0Z6rg#>jG8@v zo2&_A+c4btl^{!jqB~Rd!l)in(Sd@HgYnLAh+R5kKJmh-1u&QFc$)VaGZA_39`F(6 ztVigtzVr5{W$HB_O&E}}V>LdxIr7}8e-`uWT)0uXDG-&A8+p^M3IZHHkov9B`qvAO94I0dWu}b5(b1XAhd0pNzFbb3nH*Y-RM3EP{?>f#t*aa-z#p}K~ zK_%QRrMKUET-p49lFX2guMj01JuMW0siX?ZoHiZiml=xlPa@4aqnZB}X`}AOgPD&D z**8xL3znZ9Val%r$*49fq`MC8CC%-Z4JLLxZOS=Z%=n$}jrkQYWVPx?GI@QN@hE2H zM|qaKA;#`=mU0WJ@UEiE&z@f+)uh?-=eEflPkU^*7pBu0e`&kIVT{$qzVhIId#=L0 zqo`XiciV+=rqa73DmU@P!tACoR|UKNK9Vi>UO;Nd_^C7e=e_?C2d#K4V5|Fb6^R&d z`4YI2++%h10OGXk@Skc?w`DmU8X59lfQdL~1iWI&9ZyO1!w?2G-pqRa+PNoZ-hw;; zexnu8+MfWkh$1#%n|l3}ni?S^520CXHI#im19-)$?Si8*Pw!60-l$zpvL$ee$Y4K) zvV0Kgd<>n%p*eJah_F8z!j&7|PzMd=G(-JO}|^{-;jy!p_%6 zh;v|T{ru=SEp?nkC8+rfX?Ok0X>suGbhakNdsDxJNv(Rn0#341mwyR4xnfN9%pFQFCT59uMz`3s!Ga ztioLKWM!_?2=ai**#-p zAM(kEVv#Py5L{|`G>%ezAx{CL%Mz#IZzlj`i}~fPOtd&0{^tl-+N05K)4sG@e;w|p z{bA1_zD)BdfF1N26m{rOY&Ty$n3^*F>OTLlU&^$V5#ohs-04Jcf1LR3=R*J%x@_8; zV9;ugG5Hv9Sr3|7G9hTV18CnhQP_*8V6q9&G1eaePg>ddWgfp|F`8q#TcYC)83O5q zj(nQ1l^VHL_(b<6_-?1x-}(%O^m_no_*;ihvZ2RP?N!n!64PfG(S4NBzHsDX`S={I zR+voLE2VqRD|oc|&85C|e=}oLzB5mpw&t@Qn=3`nIJ!hp0ITTc8%kXDAJleSET!|9 zu9dauhn>pXC9gcc&Uj`S|Av%TZdH1`^**G?kP5?Lzm)oz-L&MF8GBLd&CG9rAcUTF z4*SvPu2Sm>oMAG-yJc_-!utS~0N)zQDGA^0=PD4aG6b5oe$WszBc8u}&vyVu1}$h_ zZAe1v^4x+HjW>TgQVK(o^JL#z%t4@<)3h<5CcPg{8qUeBzhD`r3fFY%lrVR`bdkv; z-4`@b0xw0+7RLQ!+DbIg#FD`QB0oO^g(Ke&GLHl~QY}0Qda)1s1uaJ0N&j$;9(62t zZvQZ>@%#%!n)v+AJ%G|b)HUs-a#{cJ%BkE6WCPi0`n+mCy~kf}BAFhf`-;Wd>oSe} z+bRvLM^#-gy^ZG|yU7ML?I3PYt#;fkC5IN07yaG?<~975vSqYQjB>-B&l~Oc<6ePt z<%O76F=zEq`4(j(8S__o<*NRi95T4as`>ivZsY(=p{O2X17IAxX9Jq$%A?}v%e%Xe zddAXwLTX29lS`^#1e1y@~ zW@7>7bt`W|CNZGx*=j((5a3J%;HYcVpmAv&GL1Flth}iXK*^W?l3A*p9~fkgp6fVt z4W?G*vR=Du+h4N4xxJ9le1%@GD&^8oy z%71gs(s-(Qcl>N?dGM_awOa8L{fWFp&(1fOM>g@a>qZ-EgL9lQ)Ldya5E3hL;8?Yf zIm~uR;wZYK+H7``)TW^;gbL^d?obRT$Uhq7iik+#!U-#QsbreRDS*u#Q{yvzn-tPD_>=X+)E{;WMH&x0a=YLxFW} zv{59_tAeBIF6{hawOc~SOxN72S+Q9C1=`vV1vPUV4W(p}QFx@Ed4vu4aFOAKN5$Bb zo_o=mah3+DIqh)oO-ebsdoL{C-q$6HESb#s;aNPoFCgads(rb_m4Z+Qt-o2 zK+6DFo4%4x8E*TBdZnRjf~UmGbq3pW64ro?_?ud7^;I~Sq%9atQzfIw&I zyX=cE8diYXMJs-#5$wzN>k|6vA+f~3$Gu?5j?bZBL{~dSeI_>T%s2<2M{Uk)cksf? zAeWY9Ajj{0*aJFYj`nkF{F{7W!Q{cHen?e?srqLU^5wqD&LN|g`vpXduzgKz2a|9T zMCI}`hlo9e)2#GcQ~1jvI~a9{H>i|__viBXR{vAej07H=m))beTrf_EL=4!11JBieh3@wd&eVTl@uwP)LE_0x!k!~%66x`vuIUIM<4Ugs34Xf$7VO6-BTG5X=?mU`KbJ{ z`>}^XmHolLco7<`!^8#zDS~5>$Q{YZKljc;eqzLGN*wM>I$wD)Zo{TH@&~OGw-P@1 z=!=Bs`3^5Bz=in^=B|sk*czf?taZ<6T)#Ev8R!wWOCn)WsYsaWTZ|g{kLk`1KZGTZH zXkXo)FejJDJPPNFWNarv?Zc2#2~S$Fl}@kQ9Glnh-sd#I?7dT8^2x_iD?)rc)lUE7 z^KQ&3HQO9Vg@!C4`4pukH%s!4ScG5@N#AW96SC($Q-2%Ogk0<9UxtS}xJCJ+NkK+|0@V_9H*1x~{qUQ{?|)}-Xn1CP0cV4S2U$1G zK!dm0E$+nZ$6QOfYebRZ>hA@tIZ%J<*dUozWu;pG`(hyrQtfmqlvj)GzVu;~Yq$yJhlXGL zEJU*e+2yllh7R^EuNQss6xZ``L}WaVRe5z*tFt@6VJ2b1NHu<1K#J5CbhvbfvpMYt z*t-?bz#ZL71P<4j6xGd2n;9HY?L|+I!0u%g+tGzTRtcGs2>m$q(0_A$!eya9? zVq97dBGCohn+HpJJ~s?XSX_^KS~QN;UUt@_Ss6dk+^f@HW*mhHcoxHNrgX2{ZSn1@SaX9U2UL;)LN(Xz%44q#8~#$ zHI&$*)CRa3{rs^DV&zn%lIJYOJ}Y{cHqlPVM%6VlM;ErgjyxH3(f_tGxPD_tx@sm_ z*WITrs^*FfyA*b({+CkGC;l!cm`-$0NgTJ8Zg%yrWUez7!6%wIr0k`;YxlRR0`Xyw#ZrufgUW5>q~8bCY0W%#7>*Kp#6 zZ3#X7Qs)(<(%=!(-4kFrlHKu}!o~ha#nfU!5SyNy;;8535J7J9Cxe4>n|!k3yz&2cLJ`yGn*}Eh&tM}~9 zl$|HV0V2U6(2+TIMFUGp7<}CLntw@vzrJ9`^jDNl0m7 zSLf!QfTdoWbn~Jb^FWMwp5`TXodPwdrX;K&OVh(xU^(@@{-@{S3;Syk6JvoLpFm5> zEr+Pq@BYjQd$FcZ2T3B%GZb$0vc~A;vD$-*3))Um*m$Wf{QMsoQfn93?Gx>zueHwH zSLyZOS9LBHqb z_Ks+{!s2AjpC2vle}+x0DOIVKhB*TI7VlX>FrW`5?PEk8&8hUnX@tAA+@KNU-(x0M z$#`lFF)p||t23LPz7oPI`7G>3jokXq4O%rmuroV5BkAGs3EPckm&dtOD6ty}g$YWr zirWS8$ATjk+3`T_tKCBw2G}w`O7*hg`=1xOWlqCA0EiiP!G?-gE(-+cY9g74M#-xH zX=NH;@md^PqSO;?B)njaNzMD>2#k0ijK^lR#b}2_X8yUoG;O6u-jR-t9kWdSVHe{g zTuW&=OaLCBmv6mDF|3p~zc+fpc^`m@G1dZxC^1<>$pPn`D?#@+?=qc-#!-~!Bh$ug{%4CG=ZYZNjwM@{L;-#w0bfE zhtM+LNCUIl(t|%I>wl6=f}d`D41(zAoqp#z3D1#7z$SM{b59`M7EQRVurkPWd(u^J zf774#D~o(R^U7Hza01Abi{ab8Zq4qwJ-@qT*lKx*JKPItddRNqu%&rc>gDYVf!z}C zzOK(^JPL(y@Nvw5K!X-QcbdD|yPSZrzO&^3g5^Hk7{ zNd3nJi5r(j6}8I~2ETMvaG>FlEz$TKTO2lVJ~1FOE95QJ zq=o!d>hPk=fZi8zDjJClON<>_Sry-~Lqxbex)5<=|5saHZ!U8Q0 z2UR|t7TRWhEXClmDT^wf+xdyYUcVRRp1e@6zaFMa?pP}W7V<8`WG(z;lL|`T8fro1 zKdIJiHm0_KTxS{jyTnv%`U1Do;pM4PL4dI4mlL9?(iHESFfAER>{q7JcCG#p;q=}q zo8jJZbyT$I@Q!AzF-sWz(4oeHlhBs^(%>t+ej};jEPcGF{)!NS{QDXqqLz?4xnGob z5i2?rg_mbCWYf8X26&|^{B*=)f30{^Xq;p!lTcpm*)__Hbf(ebz zOn}YF=5V!8i?%2SXMxPt&K6P8Jznh%T6aSadZuCuxI4^H>Br3b#ooNN1! zd$lc1B(qINpDT4ddT*F+ah+J~@i4-+lG-y_@Hv5y0X7%Gc`o*I^b)flEab0W($+D( zGEiWyuAnaNelQoA-0=~TZ0oBj-CGB?Ay5BW>mAT7janC|E-U^5twNny3&MOML}cc5 zRqn;}(19yfja!M+<%!hCW^JRZROm(tvv!tUkl1pc{ZZaO?Ci7~re|APSOcdh*twvL z5`y(h3TRO0u)9YvGjmGv3khozEKqqepDuHZSyt3>uJ!2S;|YX(81$*Gfh>8cY2P7-@T!&K!R3s=VR3i<4RTgO_@;rc} zp#uY*-hS%azP4O<9V*hDa?J=-pSyMTYOY9YJk(K?#uSA)QvtUa`(f{}+BnLLz0Cem z(bt5e^}47Q8vT=olu`Wa$>Od$rw1q8%3M1gqz}HuwAdGv><+!BQU8hp194LFHE4Ys z0hGt2O$2JK8+dBCIb9_zV&D;qL-4F~<0E*Zz`-n99{ttgH6lH`3a~)@Y2oQ7%EC^Z zlQQ@K9vZ!6aPJExtOjUbwcimoEyT4??qDyL_NtQD%;`|yz5OG~S_H;}e=NMg>`q&S zi!IVWxf%kx%v9W|6X)8Qb5)v<4}fZLlMB~&>m0Red8zPg{crBI*yw8BdP%|KttSgV zU%RkwoA(sg`6vscaE#jV9XFKOvf)l91(iXz64=C_R0~xhA&CZ{xx^YPcfPU~it2r3 zJ$zj`uMtet#(p%cz2Rbzd<|iOxoOequTXp(E0|(d5Lc6O>A)~4gnnz_R;2pg95*dJ zv>-WK_aO+fIxdf4-OE*Q3(|>DM3a9=$XmZ0!>*YIO8Wm{)%~pR=c#(&WtprOX1$2i17_%S($+Bt{~Qi&~h z`NHk9kVJq9xsk#XkE>V8sk2cP-||v}VB2|l8d%YRtoD7J?n5OVA-(m4VFsr>EwnBn z9jqqB-M^P#8eb*L-Bh~cp1Bp=8nz%!^Enf}&DY@*inCxtX^(W3;f?Z_h4qB>i7q;a zpHqAAJC)lK;ZrPq2fchA20Bmm_T$7ECDK-MiwEcIqd#NJRznyK*q-Be5#MCKk|ia4eKI?)6LH#zaD(;BFN{0m|bc& z#{izIrnK-z)fV}?uul!y>N+=15#!mzA2r?Ob>b8oUi|SA`%ULszv04r>bG74_doW0 z>(XgIhY^6M#{_0fJP!z-qA}B@! zB_17JdU)mwP1N|0kOdC6MUTbvHEtQ%6slBA=Q>6xz8YVSVD09~D`PzsW6wu;p!f3q z4g2?UBlB~hQXVXkU8vbl^)K^)*R`82kQK2#^yW;wjgnrsazL2wrJRzRfV-m+f`3A_s7bS z3cOCy7}H>*cI1*Y{0@ZcIP`*d_S5iK63qU9UNt9f=))+AN~qfP0$1+AdBf!17?VF> z1W3o{@Yj&;wE{w3(q-|F_{a#-A~k$%(V-q--Z7+&v$wh!gyl+vj9LCp#zmv$p)%IF z1j?>bz2CVel^10VWQOD=bFV|CL1G2@9`|PKw zV2Q+@f1PE|6PrWTH3&gN-~+kPybV#@ejzLx8>P7QtGi7aN^0h!W1_LY#wzd!eapE` zpmeKoPof2jG5Yx_16FsG(&li^ZPV2J!uk$+?DAFB>q3a;h#hqFx+I)gW$E>5;VbLs z8z$ApVk^_NK0cKGf@#)5`wGQ4W>06<&V!&3`kC&mh`I&cGq9^Wzfe(8rhwmSOD%x~y7qm~@npWvjZ@6i@!MXZdpE*Kx*s|27=M zF$ZbGMp!7{{s)77hPWN;DC(y0c+$2nGG0J;?b!})zC|HeMt4)M(FyOu%z<;&G;VVx zLG{`6gpe+k<=-&ahuAFAVvTPliFIUKM1$Ev*PWP2oKfv0|!jskM zx|G_o>0z#a_&H54*4orb3p6G zr`Otr(hev1-=cPWNi}n94Z~!SZ1_S2o$r6D5$u=86%InV1!p-XE$taVf0J0q9vzMiQbf+z%w@-mQj=2#KY5jdHMXB&(_E1A%MPIlHPn z29~7DeW#9$DIUb5a7ot%t)YyLUE(4V?B=A2qjF|{gL_zTlzBMZ0`x~+0 zcFFWE-OSwNQ;~nVcl2}gk8N6PCaGcW)mz=GO+qL|>K6gs ze1zE@o~p}Y9s(+Gx=}G(op!R#d`qDqSV6E?=X?chjg7yB5y#IiRK8sSXOFK|Kk^jy zY1TtFP;ejuV@Dl*yn@)+NUgh}91-l^7i4?resFu+0RRiw4>`7~I{NEn2j^0|T${MF zVnJTZFZaZs1}QQ{Jy}01NLr~_oA$;hM;Y$} zMx{#(#F+oSyj9@k&CTlLsZoWQ%9s4E1Z1Aph|wQiE_nTZQp0S{;%iXN`u|@vSDWCTzN>&%Lnt3MQoxdDj<|(%Nf{8sE<&N8V-0U7s z8^K{5^@A+eLp|hHWocEDzf=F&_D(!FYjB8_nusqw85qPZ&;ob@?;^p0jY7J_K@aY9 zuFHlncyRZ!Esh&$oI9o~O-Vf;xs|>H8mpnv zDLyqM@S>->^YaAgfYqehDtZM#F2fL{R>Gn!jFSS~6KagtBg;BxDGs^uj1;u`SmlzLci4W9DoIaM4z zpDS}hGLB1~Mw+&UyPa|cY`>WWXl*4r-?5D))wBRe48vnOVg8H%!t5q2`u6Wjy!70) zTu_?vG2gE4{TN9A;9r4T8z;-y=pm$kNzJL;X=?J%iL>Ea}CwdPIrnk67s=)FijNZ=tibCkF| zXi9ULdX8bbHaWmmZ*G%{D(y*XB--^$J?u9t`%4j2QaUfU-TFk;6*bzff}Yr3+batZ zP3c~nHisQ1RZD3xGZHNG`M`Tv-^^7FCD+8QMe^o~1p@vaxzoXyH~jaR0W@U4bLvKW z$nJY$p$Ae8vh#Q}dBfnH@EKV3an^ci_t~IAQ5~!XdO7c}F2_ zwLF(lcU74!tr(+lprtn+jSZ5SJ6wHgEO7FKd)jl(;t*4GSR5%9?cRqSJU5%wa5r8R zHm9qkIVTs>b>&7n?YJPUfB9I60W2rgWm}E_4*XqE)*P|AVVp=Z!HaPE3qoW6w8fp+ zVzq<+JkjAJTDoIHgkFo{M}TgTwQP^G&0cX%CF*r*3+ouOY&>n+e_ZV57;MzLY+Ygy z$daRNv#K3!fau%m{QF$fs{P{6`aW9TRr%Ifr8!T?ALtOZ8VksN&$ji#cirh5FkmaE z7x)c1qj%js~|X7D5#}Hj!gkQ>f%H0$4I!&71j-Q1Ugs^v;KR zOd;u9>v`VT4~V-Qm))Jlm@nH01JOjJNHF)|@1{V@5*Kza(rFp9_Nc{V{wQJV>VtWJ zb!G=HFeX$1Q3@YTRw%+v1-Qdc69S_A8{$pQ(xK!C+{$a$`ZhN?vG;sD zYtO@$z5p*QqG~?rlfeAH$S9{fV8Sn6DdIC+9Gxu3Q==VPZZ6!JPZzV<PQF6FlFi$g`}o@W7o7}Kpn4i~Rm(B$yxE0W3FkJH{JfbFtezpA z+Jv(a3^B_rOu`yvdSvd50SECIrC-bVJ*RBrs6ymuY9vr@$GL!Nv;AoHpQkh5WK%V# zJnOKXJ&>*M*K*1^6m~uhwQhv4LGM|L>0ScBm(aG~HL@PK&}6{`fL2kjctxX>l;DgV zsm3_;YP$vfm=u{hgv{FyK(n+;b?@&Pe7K52USg>AIdpQG(7(tDh|wMhkWAcy{? zF%$link1`2U(?5RfV3tfftU6GCA)Qky&RJ?n!+Jg?C{SCh^JHQ?47eum72aW$DqU^ z3o|EZrqe;TW%E2Qj(-eXiD9~kAXz+(?AQjm*@{NQ8%*P!BF!9@(2OU3cuJWQig)4+ z$$7Hi@KW*JGJhrq+!0!68GHddR)Jm0US8Zkg;TsUk-1;qMgE|vK%4hqOeISzd{U@yxD zqF(T{3FvG~rSCN@HE;Eg3(_}Dv@6B;lzvg490iZx__7Bs+jLuYB^f@=Ef1`jj``iT z4$y+iJnZZgw1Ey>?494W(<`RxrhUGRTNvbLKT*@g6AD_FcLc#@ZV`#iev+eq(yvgG zM#ETQ))hV1H)m}fCtp%-5O4Jh+fDwaN@~$C(V=5^nhu@m|1MS3VKz5%BWQkdq2#)1 zazLhP#jPYy?dYqW3;L$#Q#p1Y7NULY4GmC;L9~V-_RzXB&$Qy``JGA2W#19C0!OeP z2QNi$hHEoHhry_$@-e58^6W{4lJXzbk0pCC1#loh!nO;#bRR)fz429}2W>=?WU8Zpyphx|}3{7YWv}liYpW=vMXJsz#;Cej;+b ztEYJQ5ndE$#A!WlK5_3jY30b*7)?h7%lh3qU)J@S#a1t}iVYs!79UAwEnvhc62UWT zHoo(9-oj49uNga0syR0ibk0;V;s8-D330p+hU(^$EN3Ng7WFTpH-wb90pHuEQqwgf zH6oDfEv$nIsTRv-N=aAshG&3QZ8?v2%x!ou{xjghEOdD=#_j!pd4jJylFjDjkhq6@ zNOk%UaCZuxfQM9&=)l2G(rA{WU3Nt(=k zXc##+mJd(ijO=YQ!gd}5$L0L#K?W*pLa1*6A~b4beK0Q=??HjO z_y1g$`Ilj2t?Y>9YP@7?&!l4!&ZFL7@IIsAJHb2l!~7)N)LW_~)l0x7#=9K2mL;E< z0*LD|Gurth87N7{|GjkVafJ)er4z4)s@h4~z&sNWGbq;s2K5 z*xodm%WrhhG>5Xp%)H0xi#THsm~)KyZVLU+kW2q49lf5409Q>~OLqND4eNI8uip<{ zv^<%sqQvso%-cLJJ|Y9ILDbI+XzM>etb%0?c6?cy<);+Wy$)PwsmY{lDc&S z_-g)Pk3<8cVg_+d801-FWdQ$*u$j-DxFI`Ny-8pvjzTWEf$IQ0cF-L>F9%Fiza|+* z)(UO?xFwuF>)^{SI;rkZPmlzvHT`)ou zKLG}eCr7$)eVzobz|@(6%DN^mjgjHmH(}ubf=-lrThTGyKL_aaeA#3$Fg^xZST@d~ zs$|k>9o?y!2Ed7QD^La3VLG-Bl5LT@OqMktJc1BoqZ@Zro@t=cu8+OA&te9JAAzIU zi*`0OcXq%7#>QWn-hyFvivH9Wi1Ik=174Lh(0Qc3PXo&0nCOX{c`9HFZ8HR>U3{$U z27oNriD&~Z;whdW9Fnk)^seT$>xRK(Pt2%Aw|bKgN}ZK4<-tZ4?swLb^uiP;Uaz?d z5JM|lx?06;MhZ*cto*bQd3*XA$1(M*Q5it)p9$raodqH-X=GmEXA%eYU4W86nY>#y zpbR&|KG!o-O}Y_jt%?yAVwvHi%z!L4tkUT!?bPI>C!CFYa%XI7@7Gwq7%^kfoTK`7 zkP_0h7}yStu#h%zuQVHnMXBSH`j$e~Wk_}OqM3T`bD!_TJ51FbT4TL@2Y;raZ?meYb1|JdFP- zAVw{=^u5XNlM8$4+2yH6+(IYe`z6{hZk{mmkqe!}q^ps&(FB&svEy4Q4uE2IUH_QnRg4q#wkc_@r;2sDXLH!Z`zYQqX!|Wt<~*vx zHEQm%wUTWkBWzY@7v7{Su-(XVi-T!><+j7jea@%OS~rhJUdB#)eWaj6)T-oHd(FJ( zoe`Z^wv0_s2+c&Dkch-eQ$=9z*?I&#NHd^F&PU!2Bc_pP#_@mL0nXU-`#l2v?j*?Y z=-Q^rKd zKbN*0D@90JzXZIKpmmJNRPEcHV$2vQH18dOv!uXBcO;YM5ThJ$b=d3Qc_QxE^D{sY zsRaboL4EcYn5)^$D1}gn-~F>4b6=t5QDY*5mS|O8eDw@_!JLGE*MF6o_1{vP2P9s+ z8r505zi=3k#@Xh7@#vb9=?(BHrX#0l;tcygC$Cb-aBl227k(Icl{#kwnC(R0wCOgi zn?x!FTsH&dMvVp!W&FOj08EzZQ(Ql9DN0 zkglr_Y=V12ww&K88F%ibfa7Sa&7W?0`lmoBU`j(UJlSG~SZ9R&j%%RS{Jk zdR6IGy~Ig^)bP${z6C27$BIyEEX5qBUh!zC?-bBM0$w?(cj}XG@m=1g? z(|`s7UuB`lV@h}6GsO{a;_WN*yg!G+Wd`v~%En3C&}9H@HgTLp-$0Hn)D zH7DCZ|0X6?16nIl42yx}&5%KF^^8~DS>|tM=_%2sTND2ERCAGZ`t&H$i_}*nVz@#1 z=9dUr{df;Q5V!=;v`RuZHA9n`TcvTIB}$3(Gl%b|JUjhtn(S7~Ybr z4cCGMlRy$W*TMjUt&|vgQlPru%y05&UOew>k1YUp$oH8LcAS8LCIdE7P>(U9;wjDa zcdiwm_M!zvL>y{l=w@F-LCy2J>IlNl(|To zdh}(uq+Wh zS-i)&-46BVB`G@IWB{_s1XEW*Ub<4@=i=zgIzN_;K$gWBx3h;%rN=?J(L*J-azLfN zQ&N7b+@9N`$Zk653OXHuw=S6;0hk|J+m782ZdiY8nWNS;m2CE9x)vERKt(T9McUKk zc@C;JQjkaZKUE9vC@46k0ia+qiWIlke_M1$?hz_3RLZAL_iL#?-I3tF1xXSrr=yveiAXO zYuGcVPql2ja5S=UEyS$)g#}otx!9 zj(geW${a}|;QJybwEajmnXb4~#BPeC4`Yqa27{gZD;#};4FFSpEPaL7MD3=2+ZA00 zS8ViPbErd+#H0(KK9+IQ;1Mx)zqMx%0EkD$nK`q)S^S}0IPhIlAMNs)jtiD{2UEZ z5Z!4$#!fK?=J0Y&-E%99wCI4Hek=K|p6WAoSSird^E~QhKjp9u;M@>1s{ms7P*(BC z%@L_@;&xJi*Kb+>?tG6~3{YpF5+fmdgtvZQ{uzH+K=&Wh+u=9w`@&yvpBomd1ebyD zKq{g;Ep}7obgnyFOukVUh+KUJhD0@e9D`e9qx3a|$eEZ6-L@dev+Y5e=P|j7G4J0A z8bItyET8?PoMd7Re?!;3Y+jDLWMk^d*Dtntv7Ymi&0Uu)| zl9pBGh38)nU~&orx8i*VvhW%9=((w#&h~1PNft zV3#I_#3#H*(HY+l77#J$haI=HSyvn>ah-IhFEX<%hB>f_kZ*7TuZb%m84jTf05vw; z@u#&WwY2lZSSKwm8L?1zKTJ*|zMkvO`svfgLP(kZt`~-1l~$_wys5;!93)i!t-jO> zfb^O%&DyO~nLvS;4EDmRMt}Ve_&o;QsbxdNNcDj%2bQ!5HNp#D4n(dRqU7o+yoqsj zr>HnSygvmuCZYrA)KLd1^~$N$i}Zfkwec8 zu*b;7!~bVE#~`gDWp)R$_=8AVCzA$}6*9gd2jG@60!-s=g%g%8>w75!tKBH_M%+_y zAR|h;p0hzk`i7`_@RiT8cttsm?tKRPEm>j^ZQuU3ln}w;+5UgI-Y<*A$3}}K==7AT zI9x9vku4;!=8iD!d~N`ga9`atq`t(CoP))JRO=Ax8wb*M1scS^Rg8N~v*pP1=I<%% zUGDm9Ow%CS5Kb^PIM3#i=Yn^q7>erb4_U?WVKu7JlMReUe>;&MFVu;a?J~}QP87bs zYs_JTH|D%R1p_C&{l^Jbm;WxjVGDmpg}ZZ`WjQ{E`!AdN-S{A2{X^vGp0D>L5REw_@^G zXyV*^AXQCINMkZnq4A}^)eATb>Gl_L%5JZKPBW+@ngeuTWyqNT?xZGz;c)Me0@59d z>dtqxy;=1|Lk2O!e3Ce_Gep8Hyh+#_>!(#qRhB$2ktt^@mB0KmhVH04J2&H>|2W&G zf4%pvqw{%V2_SeXDdcXNft^~7F+C>y68&Ra{bQ;JMtweXx%81Qmcb?3IPnl@Em^dK zRGW7e-HxYPxI=^0<`pDs&8$eM*eN9+dRWKe@CbkE9NS+GMfe{et>w+rJjHw1+lQN8 z=>_&tql9lX`kP4L9#~}|g~nZMW+6zio@1AY!CgNS^Q0pr|ASAPmxapC72ZHdqtbJW zOznXbIFbUc$4?r2_Mrb}ag}cI?Ktk>BM&z^0(n z1J7k;Svm)H2`vaFI+CRt=8(QB+PYKYMT!oaa8~Xso8c%Qs4T@BIlJRr2C{_Kopv!` zXt2Obp)B6XI2mLp*LmKCQ{M$sy+YyfS!VriHc@aCs;3an-lcNvt&IZ5pvynO$y#-c z=m)VKDWvAzn3j+)!W;)N`AB*oLv7n#CQ`e^T@9wLqb8`#536kl2%yNOo+K-9#(n}N zy>!fTF4Q(C3CH3X&o&fw?S1qeoLocr3%7r&b8YW3GM;Jz-_8nZfYLI-O;hPPkz(Xw z+6mS=@#LJ^cskOCTxMwRf34U|x5TSPMlvvl@O839mA*svL6Cq9@cwkEAe*S6^e5-; z(XG9rWMq#)M9L_{fwR%CjWNNTUu)LKNWh!?ZaF9LkQ%$jq#mw-VFq?G$1v- zS|<_@>{`uV_aOJm$VU;4Z!_rEF{bEdXpHzU?}RBGPV-ICo7_~2{#}eq&B57cRou?o z_(E|Id`sd8m=XH^Kf+Sq;2h38}!IKfRc z*pHU~9_ZGcE-UY3FD2{U^8M@9d{8LS>B5J?S_nGaT^c?SQpA)Iz~D(m+v+8G_(+Qv zwch+qB^&x$;)^FQ)cn#lwP<$oczi)^pixmNHqC<4nr#$}-yO4yT&6;he{F^UlG|eX z$xtCJ7D=BCa3?%GEs^`@1t6OaQj?RXXt}VcVc*KF_DD5MKC&Tg5}fQcLb#-LdGic# z2MHds=>&#$)gKn6h^m68wP^+N^wMHTjMyz& zF0TXTBJk7gkk@`ACO=vUCYA3DIlHJDObgH;H9!%j6~1Ze)5*X0Z2LanBZ`<-5tc!v zls@xZ+E|SgiaE`6%@a`2@aSc&Q=sGA@x2^`_68QUqcXt0X6B|L0C_F$SjXPG)=gXe zERh0f7^|TI3L4{_?;KRw@jJX%P6}w5xwa>o0r4FiKAExsJ1|u3ABs+dNKd#xR*3Hl zF^%KA?Gp&-%jyv(ei|7A7izEZlsj+)USO?ezUV+cx)!oJ0LbvaD zi|m8Zo%P^RbSEo-ljfVvX_7Hh%Sn2=6TE9cf7L*0VA3mm9h?2DT|80RDET~UOuo6J zW7$$MM@J&w93W!L^r@@B=j0L>W;@!f9Db-aJD0Et79{gdr5f_G02Du0Gz55X@OJ z8(8=8PwRl9M>^=MMuz!YF^7)sLrN=ifleKUwV_$`a;$XY-gvrf)UQbT5hgS!Yf4bo zY|Q!@u*4;BV~=+{7BbtKe`%bM2pxnMYAK`u2g6YEEDRz^oDw$U8;y5dde(Lol4w-} z{pAzAC(UOJbYp0J%zxu3Fo0 z{4wnQf{YOMAXp}UxnNZQw@QH}Wmo(|8{)gd5nycnbFLX{L*w@DZ_!uh+fSVWx1=|C zR_oE&oGhnb84>aXU`4)Bq%|Vmg7sqh|CoF0sH(TN{dbE%Q*Kl?}jK)+;*dx8rnNfVNLFZmy^?ab`TjCCltOM_T-uw=xnYkc+ zu0J{R5w(mD5X}|JqooLc`1J^+b*Me%2N;}^cz`CXYuhj~G*m{P&$8CI_UQUESb2Sb z{)*uC9Re9J|DDS(?Z9mT zj2*2R6hBEhFefjol{5EE6bnTuXDgBkL%vg=L~2OqfTrA=fyJVhIk3CY+}# zQ}zc8?sfjTS66C`jQr4D!8bqgHQY$s`RMo2I=;BDwqUJdX@Id|+iivfMy}^LO}mWG zaS8Uxx`{tz;vmf2Y@!^z5jjnriSAV6DDzP8JpND;^85VfG0ITAm-xy8>UNF z`rlx>r|q;xq~@?50)lfhzfi%2=ih+Fve)=5NSXM4ik+EH7*@{f)2~F*jv`O3*kr9g z=m8)SEdjAQFr>@D=e<9CS7Rpe_t+d^zCHOsiC9=otWY)RRcYz`;nMtQ*KiO(Voqaa z`u#;n%3~I;1;9KiGia15aAX+Xe&e+YjNBA6&@-|Hz3jKhG_iRlz-MB`daVzAOT;-v zqDZclD(eaQ#{WZg4fpdnsFG5_45O#AYYX!j8)K7wceI%cB8Rr{A5J^2gJ?a0&wyzm zi2|=UU^)&#gL-1QL<@l_+#<>GhoWwcLtq&inqL9|P6I7ob!wW?v<~E%5k9$ju*PwMdh{Gg)wgV%Vn9m9Qz~K+pPnKnzpqTHdbr1yM21vUv|DQ;^ zCRaq|xi{?}i=}oV+f}5JjJZs{)RVlo2#Q_Yw!*OuGvFt8cZ^Zr%=kq{d@3T5DrZ!~ z-!X5=`v`d`rqKB>7_X0?M>o01P{0lyP9*eJm)dle@h@U;ih)0=J?v@Jg=-8TL^*Ae zc5`L`@a}*9#s3pn)$?yg2mcxM92*^zyKG|KkzEa8e4$!@;Gxt=$^ALHSDu?_m zSLS2J+Vtt4hYo$nCe#W!T)IidETYFs{{Q)d|Hi<5%8yZ|h@d2qy7&L;FZw?r#o|zS zj$^FIkKOtI{5KI`DnaPr+!D$3|K+X!F9hiS_K^O!|MTf8PB$UHcT>v$!Ed@7_6Jp93m5Mg{7+vZYFSJ` z|EvYFZ5|qRE*=0)>#u_<=JuU>qUwo%F?Lh57XJT5*!>3Pz4Jj|CL3Im@g4(peE-eX zcD{vCg?ez7hpL5rbh?z2Jf^W*JnS3)X%jFEYXB~+UY<-0$2y3!i+oXbD*M##Ucgh; zGiH|+jZ{MCh@w5``p(NPFleOI4=sFKD>;dw@musn17Oz!e1VKcL-pDBTQx>Eed9R|qy#sqk16<@6$hJXq_(?MFyr>Z%+yz>Z zR3br}KpcKWD&SP$3Tyy&?`OS0ppYX-6jlKGVpTj)>dfu#rT}}asPJfbZmN&zrS->! zCXftB{c8mR07Kwm68bdCaZ~3p#fYD(|6=Wqu+g!(ca;s5WD>vLqgF6ZNy@oWbNN7u z9Vq-Fox_=a*UV9!;r)Xe>#P^kEA#T?GmY6aZ2Q$bDi?zyEyMD8d(!^@5OK; zECe%~gALvS^e8jJSV`Wl9g9|Qk!U{1c_{9eKe$X?wi>Ot%O}}!Qa-UTMDgHt``+Zt z6=H%u2%Gn(t>|}q`U24G420D;fJWa7VUI9act#&6boRh_+Y&R!Z%j`?9G{;O_jY@^ zV2lw=!WgRXVt@W0z4@NtF{p0=!_CbE6D}Kmpxo{e7pkC57l!)VlqwNwe)7u}RS?RT z?CF1?eE%1GuPb+bY_ltQA2iX|fL&|zce--orH~N64n9T!T#KR;oY^|8w z@rfxPbXbbb-4p!B9Grf>X=@Qn2H5B)y_D6Ul`{eWhm%i<6Y_x(eP_J!<{XGHq7-K1^%^(6ENA>H(vCW3pw?GqnSm^j?21o5?nV%p}qd!c#jkmW2dr=rnwG2PV zFCh9I4x28a5h#Wqrd|7eBL$y~XZAZ@e;18E1=M&hg3QimPY731KT<#0#}Xd?1(aG- zJGU@S?<%^;@fpM?Si+GgPTH)2x9`C?z;gF#x5hSnK>VP1?4pGL99Z-5Mh zHbV;fE1tj#z@Mb+(^b7Ne>DQKF&tQLkEC?Eap>wJb4`r2{1NK+8uTh(qc%$(#P$M? zKhh9OH9BJk*3$aK7+0E);h}OAVpP*n+aFzq!yUcLBAjWnJs4*p^8m6yRYXAB z^Z*jdk5dNRw^tT=^z*#)e+iZ4Nr`t5#LW*RI{U3P%Y4-2 zKVG88T+Jqk-7!7aslNgHq$I0*@b#AUp>TBB8Gm`y(+M=Yp>&7y)NSr@W=ntdNxN+b z_FH39vzC2=S>Eg|=fwSQEHGJuG#_uL;istEPfWJKCOTAApl%hp4u-?L7!fz;EnWE? zwx@OR?>~A@>Cpe|MMHDm{^*=m=Iad)`Fkdk00YeT@_)ntm&v^X*;qeT?ySrjRWC&c zA=>BHLF-Bf99od3flG`Amf7a)sp~L7g~Rm`8IbWP7U*{7=k1rBReaJEdK<`;AIbRa zG9g-oLqrox^A-*uk8XwcWc5Cnr$JQ)We;^laxE99hh$|ixJ3=du6u%kFCA;}@Ck3YsZcP*jIuaX?wWr_j+f{5W|Jtp$DHS_{t&BlieV|6 zA{~e&N~oRnA7W!nG;}z56tL%%TeUzrb|(~HI$~50=t`?Qoj&%9)A$R-+($o zrS748I|v7x!uF}*r%mXZ2c``O)hoa(khs2H3rym~wF^`gBL^}CZ=L}Vz9)?>5KtMc zQ1i`!>)_w38MOunK56Obc=DK-sncm|;&J08XpZDU*!}16=y5Qn>ZlR|LOvZcW`Jdl zXa$#{Y5ZtctPN6S24H-Yi(mfm7^Yey{ z_4lWVvRlfTuB5&JCkP{=BNPbQ_;IIc*L|SUCJBtF-P9Kr0imLlP-;^e1o2tb`@N8w zW&Z2QUz^)KF(<{;(so%NB z?6)|&kv zfE(|`?v%d#&T&LVB(wR!u=w|9QUdMZddudQ--~E&Dgt9^y5wD43(OFqbd85c;urfu ziAK{`N7J=aN$<9&&wJdF4KrI?TRpvQZ=IZeP4~PO3uohaDbXmG#2*JJj)+|UDeT8A z7(D@hVGyu{kn{E?I!%~6#8b3|Qd;i3?O=$B1=U6$wOJyO*VEkxjbsIxyH#jvE;@oAF}d+6^K%HZaG0 zk6k{Ae?$j}?4~=jjrW#DZF~#M#8Y?M~!Dq4Ip~5HBA}?gc$TM>E)h1WQyz3c3 zt>6RCJSs1*2fS3}@n$^J9pOrK+{b zF5!u$TA`f+?gAiQ^eHHqK5fq|14!o=;CG5s3&+za_j*6^0M+RD<=&ZZSB8riHQu$6 zLpI}b9YO`n_#4+MjCux@d%AMgHTcfu&a)CP2Q73StEO&(i1t^m2df5pE=%{kDJROD zNXrGx!9+JVYhiiB8c5@a0|Nq|&Y5ImXMei%qu&BhbVbmkKG4R7u?# zRd=zU@>|v`PUo;wuM%7=7(IDUO0T1?$(AM<444DRmrQ~N*vN+j^|E&@9cYS^6;Ko| z3Ns*P_#5YqrNH9*+@`T$xL7#rS?$gAS)i#%b-7?&Q@zU^3}N_~oO zxpVjsdqT$)Z`jA&`Y3QOrzyU8X5y_{&J?ia2 zZu!j5O>%PZm7QeP98riZeU-QCJ&N+(e<5fvx@bO>%@Ff)g}@CB@B(qba5wQ%Vjt{r zDKpWFYkGlb{0d*|*axZ9DsA7SgSQFhwfB(MW=;|WUCIEH!}-H4r}Q@adl#}N-G`E6 zX_WA9Pum_&bGY1#{O!*n3^o~EDlffalTx5%dhVXslCdoYG zwsYDUOT{ z2lm(J$n30q8uWg=atzhK--;w2_TTpKnfZb8=02@rPi<_d|L&5Zr1yKcMW4=%g#;eL z@rkTTCsh1EraQ54hG~B~At}eD^*Cw4>gE?aBD4t({ybdg?&EFVgra>k?qLNV{-UTG ze}Z4L3l2P!js~rwcqI{BWY3ppupUvXbvb6q<*vX+MVfJfclx8lS9!IT{UtNsjP%*V zG^g&j-PJqYgY0>h?^)OKw!8d;usTH!Bb`U8AK{Ic*t~nno@tXS{8gy?d{XP(myI+d zIO>jt_pm;;>mG}7QRGU~i#MTh*EilBXSGJr20(*}GNjPBT#t@@kLoTV?Hj+an_vgG z;kUML=6L7)(f`{G^)ukI`~=G@UC>c$f=#&$0ou)LCvcQ^udD04@%3!9&jR+7aSHd7 zxgwd~GU2P;u(crd9sNGwa-=ajt_5qY7~kgG0cfQ1f>}v(d;A+rNe&T!hie^SS)|Lb zmJL-EjpC_Qp!`xSJq1%iNf%i+_#RapG&6ceDS?stoXitI{NV-{ksw_LA&{}23C-Pp z+6P(DX)j(9AHZBC`2%z>pjqbwcXU3r19WSXDOSYdJO_kB1pi}fN(Y6VHWHSP!LqV5 z$sk{czfM5N8tX z0=jicg>NXG0S@@lp@0ue-Mis@YWtQR&sU;Elg*!i*_%_tfgNK|)eqF$>|+~HCYvJ> z-nz<05^P=gzzP%Jy``q)$*%qXp%ima3a*MnH!=!qNTng-4c$N6Z@AQ1; zcQ0pEM_a$gb!fDUiAUF2*~s~GqmEQAkN`UH2oq)c|Dr_B%nQnUZ9x#1B-Jb{0;c4* z=%_us0fa5~RgnYGztwf?e2hT+I&%F@8)b}prYsL(unQqeo}05C@;j3EmIeMwM)9+dYUA~`{#M|nfm8R7@AoeMMP+P?oP z=}EvYr3gxfO~rfGl)m6m2)2dv>Wt`ZKKk*;6nHR2C=5yop4>?v22>F4v7{-voo%k= zwK$?6rY)e-J5?+S-i67@dinXVCFYO{g;1U+!e-ny_wj5vTd@d}`q5F99cgY)ZwK;C zR(5CxZ5r2e{{>IP>fO(@a1Tc{6brQo5Y%mJ0#(IYse>>1erW)i+i?MXn$dHC)}lN3 z?guTRO;|0fEV~@fL`8__vD?bVhw4!IN5hw|`Ni9YllMMy3BdOSB~%R0e9gXwy0ist z=%th;ysqhZ`HY`l@Dqqwh>NRQsOLHTd?eshBZV>4&nMmKKezARzK!oAHlDH)&{x+M zi>}~`0vp-V`;*?NN;VoagF*7+?FC-?x^pzhR*J|QNyb&AIl3>|R7D?mGB6t2vPxQ^ zO`MQ8Qgv2We8uAM*ddutsEtcyG;3LUo*@$U6a2?C4HvdA>;;QFzwg)EG*VWerDhuj z4CnM#NwdJz2DMAE%*qqPYcgkO%){OD4@rgx!`b)jskmpPh3I6?b4sr?3Sf7J;6?9H zmm+d>D#X9E?OaFpE|N0Jb&G$zp0?yN3SCfa-p+P0Np;mk>Iz*PK0@Z-;V>aPKk0V^ zl^3q%2s(>;`jl`+%W!iq@^Q=#zu3w?QX;A)hE|Z?jWpfY=<|zcvZ_Rq#f@=JGkL?_ z<(bExrWM0_X!+NRUr5`89f}It>Sls#Zd)0-Sx@t(At`fcKEjshe#Ar^35z&hf*Xn) z@dvDE7ene3d*j0G1H*HsR@luJ(RFR6+!g7Uq~N`rJRCXWDy9U$f!4(4s)$7FMbVQI z^I1W0dB-9L8ZAvQ(=D2BF&ffgIl6xo6p63&zTQqpGRe0$s%X~>?Zn`!o^)8~y+Ngi zV66#=iDV1=i!#M^`S2}~P4lL~gK#s@v-}s1F|b_Qi&R-WAKdRiw^)o6ffo-;#l~ET5^4#a z1d)e~0zaOKukHbvVdE}|=K!UElWftP*bWH48q3zZ1y3Y((tZbeeviD36-ln;tn!}C zhR(o0NqFGNn<(EQ9`*g&3?FkPnUw$!Xg1f_Q zGsEayTng)8R9u&|d=eu7D||?*nK#g8$PawRukX+Yz3aEx8PZ`Xw_&hK3xan%f>Vmt zmZH5QZ92ASPrPjKg_fU{F}IxpEh+q-{K?$(J^CQO*)Cl$Z})gI@|!5M{vZ4HD5iZb zP028Sb#HBjM4y~~ph~V$5Rc(BAnA)`DaU2+wEkY8LQUzT6km-3?W46wa&X0(H{nPoBMYwURaZ zH-22rKZV+cb$hi>(W{D${G8N`t2H(rP(huET`G&D|GZkW;@Dr=d2zcZ@MLOYCBY{Q zdDechq5oT&{CiOuT1rVCHMxAqurjGYPQRAYdS)ax;TZZ(XfGtZWhKc-=;5rjWN7u+ z3RbVWBzoY=^?u4o*OMcN*I52;S9{B@i#;aU-xz>D;J!Z@UF8GbYhmd>IC7E0cpmsB zp+!RIT+FVwH-gE=g>JdJu1;!rAGN~F)hE>-9xfCl&b?maQ>;s@8?#8)920RMZ0K+q zD)38E)dAQ!aK8$N{1@fCP^fPwJ~VXP1^@xO4|%uDbQT+ zfVJe)uf}&_YM06SE7C}eS4$gNMowK8qt?$K^r6mtf8DBhwqAV4t4t!dx{O%;pr}Tz zzF@=tl`gXkAD_50;d@~5x?gbQM=8$YOnfcjWc8ut3O*(=?dpwMdbzkqEid0HKA|2P z`GkD#&TLizZvOj-!A8v%xk`}7#3RF2>N5^PoA8~4#hN}G0wjbH(FH3DUZT-OzX)#Q zAWpX!Ml$5q)RhhcRzJD@ibonffldKp@BOeko5owE;hE$hO(@M%vE+`!FR&+|l!BjX zx>>yehVz_}hnj{JYSKWjy=&4E7J-uS6t(5pu3n+?9_cR0Ujk=v%ua|02IixSqpF4% zOUyMkLwX}{k$SKMr1d}W4IjS8glt-sy4@} z)+&u2-s2&0Q~cR|q@OuQ$I#v7N76(*Pw^^a-benGf}OudW8nV%!)vEA@P@2O81id~ z=f3;&RvBlATsC!a)ONFhtiaqv=V!A+>JD^=_aA=mlGuD$3WS0j)@&mxLEule9*kg`LE!BR>_LF9D5tCl0{V0MRHI@M)x zIpO{BHhhnr3q8wpxfjzQODsYwiv~(~a|$FGfP%V7T6GW?Nu*Yt?bBkj6TAZ)C=7je z&dW3cQjR(jxPpe}k{$CAeN_bkrQ2QCi-E-q8hO}Me2ztsEYI7X3jZjobv|em?ZlE=HD|+T(bS1O zi@s+9Z8!S`M-IefrTnd2s_*#8L&jG4I^5%WqNLmuU5kQUQo7Aem;CX`O(kz%M3;cj zJjU&1-NVy&5^VEp(xtHzJg8-6DR}EL-9cSJpFPc<x4AgQSgfA5zrkmHMdD;7gUJW&)`Q&VD2b(o_Pcmy`tQu5%PK} z#Y>PF@{~f|>$|YqiLEH?8dP*^Y{6@SW4wXoMammbae0u7M0ci)_Kf(N7Q|=nyy*a? zib!F6R&2k1+g8tECOxE1%Hk)~WLhio!uk0vPm+|$*6T#N<~_hP6D1h$Gqqq76HyCb zYWvPw)rF@$KO%B#{3y|1?La2rWMw${lmuquyzA*723$8&f?$FHSGb*5l(r7qVuDd) zFR3VcymxS4;UeR2z#^*K>0sj7F?WlON(M>f%iA$K>CHTD6F*3eDzOcPCowA=LFs9+ zGH<4$GOfacoVwk}=ShfQu|Z$MZu}0TlFgNyrXw!)NXqf?Rp0=_O%61~Z0kx}*!VRt z;DgRQV=xVki2sshJg1>V<$efu@|B;3lz4BuW4XNZD*5~l3VqnEz6ZSY3=2&g*O+-W zSOw*f-cpNeg<}kLpqtbsO735kyo9+?vbEACeH9L()(mBs@Pl&$KxJN!^ehdyRYd1` zE!Sx*j`ekTeTm=R5Bk&&^F<<Qpd?E>1xZwAzQNBPB>`QxjukiolO?i8C0HwL|KA8Mdj); zcVb9Wi+EpPmT97uEtV4Y-r_W}%hAh#=@xO-9My zNfB)lKp8Yp3Y3>=a8J>H;k~c_Y0yzUh{jdgVOUu8cceqw1lRMnP7A#J4$Z9zkR_G~ zil##}?l#|!_Vy!g5)6NN=Ys)>m8;6M_UcCU+iRzYW-O^w=yLMWX{t)!a6_h@=)AX7 zw(qG}aCQHR-xzucsY`cx_(&)}#%1$8s2I#s+0g!$%XjAm!s|j@M-{+Z1Vyo_eruKr6Tg4Q0v((<7{iIQT+SoV1i6)f~WwG3AWOulBjWn_Z zB>;=avb&{&*{KK(+cRtDEr5Bnh`s%TA$b9lYH*hvKc7&-yICyk_=wtdhONO#wXqH$6$h3FRR=o@HDHvw2y@FuK*2-d4LCh zJI~T6F}`biQ}5{<$WG9Bb`Mrj)cp2lo8zXPl$00Nzy~4eaq5JyF-T%9KMmk(n`aV~ zj5eDB+ID0QWywmAze+=MuVQX0;eBw#vb{7xgG7q~$BtQ1HOwb9O0qN3V8 zzav8ww$zLr=zpAc`oCmu`cI-1!7%)gilzgeRI2JZ1 zzjxZwh9z}i9sJY5hR`k2pqKHKJ`{Zv8OB$x-y;r&GbVz>;FQkqx&X}G%u`omx0TPX zJCQjdWyrpzx%zf~uD*7$6S!Dsyx2Pc`H|+Vc8dj=>GpnZbFG0+$?kEn)98>ABa_k& z3T5?~^?h_!JD(hb!_}v}~A6Zn(q})S#FB z>hMt*itX2nK+gWBCOvk+hm=}dx+yjdQo-8l2_fqwK!jm{bxtfCcW7#yfGs6d4GdIK2 z;=XZrPe-%ajdkh!$plv}7s+{H=3RKHt2DnU+_5MzL^8u6_=!TToTLgB>O5=jwULN* z_}K;`;>}8gy$J*;n$0bDAPEGv^*Z^*& z`@p>jGXtOJ_tU)xz~k9|;4L8-PJ$A&#%|o7@6aP!!n=XnWq&Tf_96g9gv+)?Jy?U1>l` zn%TAm1_g{?EJ;ZD!5%wai-a;fSfVCPth%}k3raIS&&_l%#n2fdv{CbD+aJq)--0W z@qE2%L-M)-;gUKo(*}L&SLW9s*?Mz0vP9;sny^w*T^n#F2o&CIuwHEcxW?B<{S6=Q zy)nbz1$qR7(ez$=o4X!z({-?q^UrZ=ttrx%b;{h8ND2J%Nd0$bp!KQ}e*fW1k2%&V zHJt;&-2pCKutNK=VJzhIX*s1lnZ|Dn)|J&Vg$~!W6JAy1l(`e^sJ^qX)Esl!9P6`q zY+7eLP@sA{xLr;W*!#bKD>|%v?14l zA7t}hgtOpL4el3a;_n^G8(o&tZq-cv7E7s$U{lhN3WH8g4VTWv;+Q4P`c0#hKF$MO z11cfswXB#4w;YXa-^M2?Txd~N^v1&2aHmZ0WC5ackP~h16fM|ugtCjKP+CH6Q!p&^ z;gTtpO*+K?>+qDDpH##}ZX)pyv*<5ixVqTC#}q6;%UAaKcX2+TP>cJ<0`*6(Pa>G~ zd{r~-#>%HYamj|#JA0}ryQjGZoQ-nVO$6Tl+AQ#+ z<|#mXgo$So=`Ab&H3;R}c27~O0}Jp6#(j5!KuR%&I~a~9H&c=2rFqvdOt|>=n}vO5 zm)gHKW{_yPV8m{nlfOX&1H*l-!rP5QK)_GtCC4!Z4NRQxT`un6_(Y6(#S94#jpv6k&LdXeIXB(cYlar@USdO5d|;Pfq3o@UXLK_f>Ot8y_(U%9zyK zrt`amfjhmGRuuL^wy&^p8L?B739jHDJ*$h-PVZn0HivsGDcrDF@r(#X{(!ro7zbIl z$uiNi&*8tX?&lUDbYsT(Re3X!3_a~EpEJmYG6g0+EWC`DZ}*{aJ;}N{eysUYr>T}y z&i`sR&NmHL6)?X8=O<#uLVjr`B~PfLqWiaw;byH?2qh;+yh|6jc-;_fECIGz39(eR zlX!sIBvRV>1PAHUb;e@rr`?LQ_&14ICifFl%^EYytP~25;o!V&6nXx0418}7ep&SS zfE-FKt-fB#-tj@S3EifKrd62_xGx7`;^S&s)#LNU3_DJ{|9#xDj54Vs)!KA;ETg1? zFSV?FbXIEH2dk)P9CilQfUX&#z02iL_;kE%j)rfhbt07%YBRES7WuELYzh_9%dioD zZ3y5ZIr~Y#DnAaycES7@)aJg}eFCewPr#DDu3TSIQ;HV-;e73T&&eb>f{7M>jF@Je zGnn=|b)2qip#EV2c$b-;Bl%=*=k9@?<=>0e4lG*TQJ}Je4(Z>E*1ad5+@jw5MiS|7 zQKivsz-KW2!o1_N?d8&BbN?VX&}M&&Pd8n^U#|d8ABcVO@t^gIkddd!4}&dOwtXPA zr`6j@+ro)F9_h?n)hqF1S(^OUl`qFTyz3J}Z-Wc`a=nHeB-c5A0V2W~t z24Q*09X+*pP3g`~nl)@p!hAZXC{r5gtJ0PTIE4q{-qyGRo!}!Unl7 zhn5MQRoQo=6gGAD^QK1IEd{Az@O)|d0%~+CnWYK?fb;)8;HSboKiaaSa$TkIo-!-F z^Nl4Z(eUH}+&03>pOt|imL=WhbgX=Q{tn9Quc{Zydv%}RSlUd5COPJ#J~Osp=X`%Z z8`;d}^8@(oKY1LWj>g-pfKg%@*pj&gPj1xW??;7*Ofaugf%^4xDU5>9IoO8;5Ay#S z%9oXd&t`Nx8+Yg$^Lfo+!>AH5Ta^TGBDTj$jmYSORQFz9XC4=@mFcIRNRxOiAY%UY zS5T6T=%ok=CzpxR(J)C^`dQ1{&<~BFzu2XT`~5HR@FQ<+Y2#{3j!9CX9B)~Jc5tKU zMAagyP=z+ViyS^06EeZOvRT{GgQ|6j|l_mFk*D*adP4}UatI!dP7 zFg#=dr+fD}(TRt6fKUr+r>*+(n+Vy?DDRZR&|;eiX0IN2(4XT4PFG0-_TG>fj_L-V z&i|KE&LNBHa&9=A)-FWb%uJLICwDdoLuX~&@9O5Uw-sapdOAG&(No}%G*>;>-34Lv z$$AOE6C7VG(fT$t4_n@4f_Yg=+3&pj?05c@qx0Xw7!)~&W4Le`^4u{RK@M3 zvr9BC<}+o4P6cd;xMTL?(JlAfl`xC++$`dfYLIy0hYzB8Ny5{MAcnC4_pucl=;i;yjN zKVgB6w5j^fl2`uSC34*NMyJ~}pLDl95l@+MAiIr|ZrE-`P;$oJ(F;O1pYHKyo8aFx zxf>c3@#xDIk>s(T!9-|SwvX<7kaV4m$it}S>yM;?AoU+L?{slQ&BC9mH&HGi+0-Bv zoQlSssYYC=$vo(CY5@J-zh|u zYGWss^3J$@X}b1|Al>pUZ+chQs}z)z*k6MHfBg+~knNLqL^nWW)p&Mj{w#=%u)BvH zgHQ3Kf6TMlC6LDXPN0$Qh925Gz7JKgO6*7pzq1R!u)=Q7(Zxg_t&gy3Uc-I@I@f$s zC6z%~YA)GPcD6#6k5yNhov>1)4hcMhqCCPoC#rO?iNwc+-9uJ1qh<>*sl-AiL7OsF zghQ4X2TM$$oKotQ=4nHSh8)d+eeH?xA)a>y#$hp~!Ww?!>>HvMT*5q-70j3_rM zt$VX+t#v`xH+i`F6S_OHSCHEm@WShaitcbdy6a-|S?GrR&OUHQyc#Oj7ybfdyaW#2 z8qy+(cB7oXW6c5gzk|UqEYy>_Ew(BtpGzW(K#<;wV3ZtN`<|GNoIAWv{pakHj&vHD zpbWlk+Ua7YBc4nf>sG$kBSotD633^jHP2_1YPs56_Zue{_z3|*_*i;X1Lr+Oj@GgL zRDqLzhB3`mTL}5965CtE%OX3CU|J!Lqut-dcMvM6#%m~0t=77vo#T@CQ&#NC^d>BR zGVZ=n)$-#eT?l$)q9XMnzoWer^xhayUE<@V7L_Bdu?t#TXaY@ow;BtudQi~@|L*`^Mg`(>|6BJB<&dX~nfEtut8AU)!K>Fj{TJQ3PAj-pMxCh+=`WO# zSk`9<&LVsF_XV(pbp5_EwFohcsXp?+mNVZKlc=bwU+EL@8Wbi z3LA-Z(MLQV^CF8PtwLCaY(lr#=p4-k`O2km!Q$gDr0}4M#o5Xq(8sMis{IT)MqiVN zUMdILNHCn(9@>~`2LGPR_~PO~NiI6~PCpZP;km~j-gH5a-<{#PIT}uXcEiDW#@77} zyL?0|oqU4Jy2>YC{e@H7`|v16YxE;&wz%}KY}pT|%g{DgA)6$cfn)1fHQ zS1rz=JLk9alv>G#4%MRQSxdI!R$V+;_9%oM(LQ^dE5hV$=;V`>^Pj^_(lT&nZR@rU zF=9>nsQ7Ke4|_$rwb`QtY&@V@eUSKynK~$@dT(sa9z?Ura6-zG>E2?;S~ctUVj~i* zCubp&cUA5W9f9%mh-p1MZmLKDaM3tG8Uyxy!a*X;qukaMYvBA)77~UhC@}IMTJXV7 zCT_dM_C<*x05;|uC&bz_cw7f{d7$ueYsuZHXSSsi7JRdT7_-qDhJlf4ac2k<3)5vL z;Zt1U!uI{ECDtJ|m79Ve0U_s2&`8PGdN1exFg(t>hxf`6be#^Y- zhY$@vRy^37-LP|4{IvE)763J>AsO+V)I8gn$FG$OCzJu!@O!tAA`v4w_KrS=LhIDfo_&fG7@_fvA{FTxZA4G*v5Z7a>g z9hC1=p4uS5S`76aPGq0cMs$WowJ^$@H~`TLGb zZ^So`^`%oPUqNnN$o7mIXko-8PY&$5C47KLhJW$bCLHuX?aAE|H*_~DBhtw1DY~wR#Zz^%Gte8(SK*!YU_1*2q!AlB^z#M}=IsOmVM($ugclaE&maBP@9d$@CV@cf z`D2God#Z5QshZLUm>kn{c_1Y8GC1gZiQ{Zn{9*|T9hv{~ z&I|Kp-A+?n@D4mh_+-|*oC?XGiMjHCRno~DACYRI8V1U> zY(DUlA^x!?>yw?iH5avIAb-kp&SC%6@#kW-xXz^s0d?=ycGA`ev%WDh#{O-KCebpZ zVG0DTSAj0edp~Z@I!=W>6-49ncxj0aLAc*VHO#tc(79lV16f)lK;v(a>| zHal$rHzu%7$xxZuL!80{>L^ZMPt|0Jxv1mZTAM5<>=G?s=qzSJjHQW@=njwQn0KOqZ6z|MKWS14 z6C$@r!Z0nnn7K1B*q?yLY_gEk6p&G0Q1udje5Qm5m8&xAF|49NAlwO$VA`9vZi9 zG?qbOctaMJg%xV?G2P7*j=eI>|8=2k;#zVk`dzV%GJi)lQI+_9aU{93PI&2Sp3st+ z&k{o`(niyw&NiOr6aZQo>aDY))TH;^-tK|=pTBH-;Y*WOCr|C5Li`KeoXfn~3cs*v8m!5DdmAPNRXUl{H>pUQu=*$$%-H(6LRIzeXvNnfi1N_!(iNQ zpLO7drzwIWZK4?tg@h>^hOCo-5#=WCW#+UEBA&bsg}!Q~Je&NEg?EKfo35*4Ra|(` zf}3P+O_2#fUER9BcW$jG1-h<5@aaw6ZOJE?)Jm?P55$sCAT7ltI3L@&s$sn(o#(v( z%Kn7StAGoj0>SN<<6hBfa~qH-oN--?0)&Xg_~XUGZ*PUNlEn9?$+g0;OD@kw8=NB6 zzz~!e^$M6M)lr0RWRFpee*8gyW>l835_l{;!p5mn%d*_J|tQE0H~ za<(G;yF>m3$fA1Cdx{Hty@=}DXkKJEi>?ZLX|AnT(<@9icPTNt)?Vy;z&@}mBps@K zFbSMnv1J~r$X|fNXb-0Ia!kf<++}SVm-+y!)8Xj6Juav&uyUzaNCk^rfjg_z<|L1v zq+_S;2Q7|mj~45fY2z5|#57#AK%IC8twUzeM%nrNz&4QM7a$6<@X8DBK94`{knI2b zBRLX39g(>_Nzf4P%sj+(7uMk(7?)wiCc11TrD^59j^Z%D`{Ilx7wP79r9dgFO@#I? zw~-yhDZ2zy>NjGv2TpUIJ?sbx`maZEUQQi zKRpwT2gjcFS(0Z+*ft;hIAZ%&Kp2-%tHKZC`U@FWOjG(z{>MO}jl_@WAJPDNB0=`W znB>3L9FTDwy?V18f>%$ejM|Vk#RFvooX%mFpv-5?IcX%_#yvT&0*;2LJVXoEuz%no zW#@_D=v_)RZz-_gc$c`<=g}IMu}|I@P6)PY{;*Mp6v&P7I9KHLr9*ad>$c99pRyps z6=d@;+~DX%wI-Gq$*lc3=xQ9uO_cbf#TwLr{#z_2e83MsCbuqEWR6=zgBj0JH(+Rz zq6#8V({@NNaQ^yNyTHu+GyysN5@fga;1Dee;(M z4e|H&1AXfzROc5}^d0C(E+jraLnY)-SBYk#cCy2v@b;(@|FRCMH_HobXP?vxk;|F7?9aV_B-N| z>G+BFL@A-VOagnVB6MMt=LkO&T6B2NuC{+)6^95iCEAMAkdq_z z#9z`fAUljEU9LQFMj$H`_x01yw?j`-eY_6(OM&Sa-k`$`I6B8UjwM7bKuk$Up1i;L z+yR)R6D(>g289G4I)iF7zlMxq>dw1NO66xOuY}Lz-fSiMxTpCfDLU(?CT>5R%vEOc zj?olMD?aJsa%X3ihZir1`hsf;GC%%HVzG}aKyLAE_z***qvjs8&R^c%ZV4NmdH)+F zos6xL?aR##Od$npz|E+2mrNy!$krI#Js5+cE;bJmW-b_~MsO~j0JVHv^+B)ES*2I_ zO5pIAe2;WL-+eeSvUp7%V@JKpDx@s8oxI^4>V zwf?`DbAG>{@A*9+`rR{A*(pDH7<_V5(kv1nl1HP-*~B?_zX_8gLzDUriX7RxEM*zb zoF_?UzBV3THFinL=lLm7erw+S`S~ZkMM%0)7w+a3l1{O!zlfpCEjV*#QHZ8Q4Q~ms9^0Ag#*$VnnUGr3qkbLn=>CBA{DLxu!Y#NsH+M z$QhY6yw0s@^5a?1Y00ml>xol~P*ItBkpyRh4Fy9@q7U2-R@4W8>WO3zC3^BC|AS3G zq=zYQiQ>1h3$?{$ERX~gTf4{kG+})}yeK!qkZIXgxhX)+1GQ9j6CLTh4O9V#HBB#! zCtzoMg5gw?QeP8%gkxC**a!4;Y_zU)1xOi@@suQ9ubEfnmUgb)+ryI4JG94qzIfS< zhM_x9eMEjRWF9UFzZWP)8cX$18|IB!nVRRKQi z4o$-(&*{3gd%g@eao<}U)JK?G2Cxa12zH^>4=%)%fR^i*0oEeFM)L~BXx(nFTnCYc zPWT7U$>&q0(+^_cQb@nGxcSPskbVoBeqLL4xLA{dIY=R9bD7>KJO$cpa-ps*3Eo9s zxR(Xzw{t*Y!8C-y1b>9J%s5D}#qj;%8GbE;+t;7qs&s;b&#QI9arRA?^Q-!G0MUuOwXkfn5*!@sJvyweLB$;rK@WMoA3v|@zm)W-Q!;+} zqG!x*)Zh}mj>4OdHcTr$a5bvQH9Ns3@MwI)EfzhOCa$%djCtjley!OFq>VQ#M9^#b znLSl9iO6ttUH1kS03a+cL?|V~jAF87a!Y)g?(RsmB+Qvzet4Tty#gV4VUBOgf4=sPqNefcm+$Yl1fb${i*{EEQl)~8I;zwm zGLw&h%U^v-1BdvYt+<9FsFW1Zc$Oe2S)m$Vhx`fti@<8zwG)p1S@AI@dMRJXDE)~PYW z>61ecq?zavGgY)CzSoVd2a}b|QZ908szWh``RaC01$_|c6s4t?NDcBp2~9xIWlI3o z5xtyHM2O?Y8;aKTCT(9FGWEy;)U11CTLpM4zwZdnNju){TA$@z$yVJzq3$L!BcP+z zWVn@qMB^J^G?XB7p^llS44e45b&uJzhjy1lle1A$|^A(eAzCu zROOu%abX2;#bRPDm>|3`p-~~$mOi6(YCO4o!w;mXp&p^ck#|YPCcQo_$*klC)mm${ zyU1DkAny(RAHUabc&(ivTu8r2tPK0}$_BnnyLOB%e$YbxoqIvdm?^zZ&)3BM)f%_+ z8o;q9Oi6%f$JfCl=er=WNp|9DknYNKnW}lfT8LZA>_<$hKK+8l2^ldAlQIp?jge(G zPN&oFHQZV3zg51@Tcm=#OHk_|PLa(noz}X#ueLqk!s!AAzJxkV9v+MKIyPP*2Tk+6 zNrGSOLc!h?r6&U>YjSSP*S}&I1f(mpXejZ5s~$Rg-BYJLHbrG8jZ!V2uvL$sxeQmd z&EE!#ieyKzULv>Mv8u>PttUwvV5q>we;z<_ecijh6z)&scN9BcbU~h$Ua>8?8Y=7B z%F30gbiVtBM4ZXu+HPY9_0#o=;hL@E3>X7a-5X$@c9L_R2fH_C z<3nP$8bxVJ{?h%`AvP`6F?-?B&v1k8fRWTxRYH`(y@MxP&I#0oH`ap5A{^bHE@K@p!TObJ9peu&BpN`ni4>@^c-q@V z^tWd4N{FNB!R7Pd0;xmr{9*UK-N?`R47#PEG_K}-n1Z3#E077zqiaz3C!l`KLSyk7 zQ2Ib{nc=?r@KJO&sgRCc$uXKeyE-Vid&C?fn?AMte7k=*Cm^Pe_snzZ)sx6uYU#0y z=V5#VJ6NNv--koz!CM6?;;;E~>y_7dWvQGOs0dT@^mvG?J3;BqMgO1hF!Ke$r^WnJ_wT z8tZS1qaOfP2oJ*DWQ6H#lU%k{yV#!f4WUm{2GpWa$fk1h#^4GOKS08PmtUfLV}<+( z*|gzjGf*m?y)vO)>7r!{!BC0&Yfir3OFbDz6Vp zT(MNjJdT-D23u8tCdI>7vN!IX#0|N1)uvnC`KX`KBBy=ztL!Grmuqg!&=kdW4CiF? z$W^#+7edRIDkNX9p&YZw`-NtobgbeB`qpAHUajG2Xu-bAVw>jK1u9KU5-P_^JM!6e zfYd6EbbLwvfa!`JvB{dbrWq5=gvrYRvPc3U-2#@^a>yxEQPB>CZE@9|%xwCgV;~6o z53mdIEbW}L$bWx=CDWA|dbs}9ZFbbIPl2d6Rw|`ix!i$9W(q{0&)vxT!=;9?wFJYC+v8b5e;R!tf$!}9;hX`uu!>Jg>7g4 z>40y{4%-D25C<2Tq=ADRd=B4MMbm zI?(ZO=VKn(yUON)hwVjm_Z_=I#iIhFd-f}jF8L9c%qei%ckQl?^w}-Ngc!(x@k6&f*t>v9^NX>pgJq`HH7Mo%-jKd9 zjUR=rslC=(K^3S(=ta9RzgP@Dih04@)Dj_gCw`b_O)Rip5Oo(BDtTx8(yQS8Eexrr z5Y*9%G3Q9rZy{sm#`Jq74{Z7mNDZq5Yh}O~y>F_?$2uZqdhBWWaV>YwH>4`L0C>Vf zz!R>}4~*gTbz}ZUYmD{aIg4ydyj-W|}=ZL1M zdg3}&wO;=z?LXX%1bkEGN({&9>!#~Tk=^WNY5Qf|gF^RQP9zL#4mY#y&+x-GDQ+AI zEV8}W8K0hYmzKMgN;P%4&i;v%cc}3B@DCX0HCP;Xj?|?S7LLQ2>Z{%_T==G32`3k>1f2OlVKcU3l->sn08gx*v#I*Pmo~CD zQcEt(mR=di`)>PC5lI#`inq25@x}Y%Zlz&UbTN|GPxmyh2Y#vxN4SHlI156s0yKxk zQK-IhKaAK^DxI^G)W0nk6Sp1qLc7^5JgF3Mx9Kxqml`eOw6<(_&RpKUR{n}}&ii$- z0+uR0Vj&&UqnM_ZW1yMEun;P&Q#uSAv{p3O>1`kis0f3k{A+ri(p=I~+VG^c4mz+0c`ki1i+PNgXzyz@KLpPMdqK7W;Fe7@ACx< z*G`;gdStnCt{a7~XqRV4BP6??(ott3N}0Itz@O#1Dq*Pw444}MA~1(>ZtKMs($)KH zhOU)ytbW#4^SI}HMP^y^m1v02v#(z^Aa~D{%~0xlE;r*1F$Uy6jn%h4M}R)S3OAB+Clah$K~6R29cB6$-de-(dte` zkN5}0WVKXP9<{9WvDZ52o@5H0r4{x|KKVJSR_06F{TTBJhQiwGAa5dN00jlU{_}>s z7C_;fR5#3Xd^D440(+%+N4_gb zu+OII7AvDxR=hC?y5t50+Z1K+lwUm_!H;m{D#ghYZ=x4o;Xe66JyO9ffp-5Z_)!ht~6m@hIE;3W;llnvQ!;5ny{& z?_BjjPT?#*G@zSa`s#2$f5jn@aI< zz7O7~rL>^O(l>}C;FJ9QVvM(t@6UeFj7orCQY&2wA2$}VgnkF}e922cps5|ztjND^ zbd`4wZwI^_3=JjkYqkU9*%7{4#?fl+Fse>2@P5+tVJc(-snagH6WGA~+;} z@<3!=^JI0$S+0Oj9UIi2@L0vUspOqwK1(SOe(LP^*HiSLeiFHie>nN;T!T~t1Yjv6 z&%feC3Ri~%2J;8@4X$r@?yNg;wy7FT#(YeVVwXsfz<(x57BxTw(#x3O$3?IdUSQ_n zUh~t>pDaA?SrIJQzK4ZUIM-Jm!P1c?+?M^HUh2QlPz>X+7~ z+ilEUcjA!nsf~8H$||d5-TLd1@9=m%y0@@&YrcdVWI5~kAwr?;>=2m#;{fbon!G|^t2h_){ z+2#ydhI^8*L!<7w!GrEEDq^XO?d<&iKmIjbWGKg0`6JHqM{1~Z_*0XC2$B)xSqK?u zL<_(pjj%3ARPJAFbLj24okgpxirQZkTZV{YwMJc7`cYXbS?2ULiwE|>zgPc%eC0A8 z)Tcti@0v*Te;}{RHAwa*s~dA`Z$Cw9J2T2Up@({jD11izYEnenf3FVYBI%PA(q(Q< z%gaUXumAn){>$Gyq)zcD5qf5-3*Y5m3+;dCCy!q0yC$ahRV06}=KrA=LGDV(FO3Tu z$>1fH!o2?%Z^gfSfBv_>sZ5Ewa0i#UE#N;s!2j*v`F#NX^#O^5W3B-<<~LR6EdX0N z+rf6GZ)7X`*GHRzhOY_xd^>V7D$Q-y&u9yU^T(8^+Y$ff1w}Y%;A6e#Yz}M=F5$Cf zrO3wsr`3Ej>Wn-X|7@qYC`hwE(!ui3w~a596&&bUkmGkb85G`cod5}@nuOp43oQHL z17~33AX=Bt0!6q`klyK|RwcKYj2%GjzJnl{AtwbaA`fTU6z9iEW$*F}X%{U_>EAZt zM#N|@M`K+q&z@fi<#>_4&!um@w4)=G;9|ylFSpY1(O(mw}*!>zgtLN2Fz~@#p*hmk*%7 zWXd>3n-!Q#(S=cI1h*QmEg&zY7xs|X66kDOt8zme80U+b#=upfTjmADz9V3{>wvqn zDKUua=ezYz%8F=}%}`^so?b5nZ(cky`SZH|FQ62)1OLt_Wdm8r zBN53D8-5{60A2>q5-4(n!+V}ic}SE-wtGg5vu4}9l* zZ^wlGz!}J4L~@FOk=IL%?B;VN^IUs?fM&ju9ZA(hF`|XO-WFmJfs)H!=`{|-KdpmN zbGA~bg5LtC$B*RJ5mE=+AuyDsDvCC+pzRV|40tI9RyyU)cFr!s*%|21D=r@GbO}!) zBNh$I5SVIT>3oYOwB1l4uf&>I^U1|q=}7YOuuB%-g107?Ev+(}U`K0+Ix{|sMCS;B zA@MXuE?nBKH>DGVJ~rtvQYyDL-^*IFFVD7|Y^cH;T;wIW{leI|iAyo>cwG1IhobW7 zG*4oK7sf3Keb>F{5#V4R&S!o11EAnQF`m}jqOYjetzy_Q!pp7E_=PZ-_LSa@33v1~ zS>`2x4O<3~j6YmC)lqJOS`fwZJ>y$&!_3dvS1B=kHb(Hi1! z9j5Lhv+#oYYzwd_{2z54eSGVJIm-6nHWsCj=2F7Cm-=26Nbz&@M5oL+SK?j|%ZlN7 zI4|W=SFeXejT*g-CHeg@G(O(S0Uohd>2TlvXoZ>5_+uUQS9x8wKhFc13VE^$?=HM; zDjKS`M(lpjx|;|>YD6Q;z-NLTH!VAPu^3f*MT$7n81^B(laE9TZM6NGXAhkoZM|9t zvT_7ov*I$4bz@7zIXmxv-Q-0Qi8+y-uhKhLw#c?%gGttrQeH=by|gsg7*PP1oS1HC z5jJXH9UH{I_%ZL3`pSb!mfDY@Wk4x0E{Ve<-fpfCJM^6a8Td9$sy)%)XUxAmG1*Z; zh*J%A^?3N01@TEmGb7-cC`t3y-3K>;F&~j2t#Y32VkZ$7KBND@E+gxwDbJ^n<-HL0 z;A(Ca0rP;h4pRI>!UX&v?9 zjKQ7Ilh^YMg~1K`<*+7pE}3ppKD!*`TptY!d4-bb{t4O17D!_j5=R~AY)32V^{fX! zzxLrVKs7s%r4F1pN)qVRcs#TN=CzjI7BrUJbd-E1e!FESl*1NDR-i_(8$#$&Mp{e4 zRaj#qS}KLo`F5B6Noo%F$oP=Np{SV>b1|}#`(``HvS0Rjzi{+n1#!Nh{j6B#x_wR9 zDSL}Lscnbh5aKv@;^21Hp5zbu4fWgsT6dCk?m&S&g?*_Ct!5DIjH$;lpOu&FQ>-Kp zHh-&VPW7XFJK?E&Vdo|baWzmaB0wJrZ}8Z)0f37$nY4MPR%{$N^V4pc?Kz5Xk@NYi}>)%hj{r`zeF_rtY> zU|mFU`Wk@rv>VRggG}Yuf%`8F zeEO5dYf5n*oFsfAkCC?pkVzPS5WCxptcV~F%?i%04f@4hCGd{VNZruxj)xe8Z8@Bd zAw+El!ShCceB{yJ`U#9+QYCo<tyM7n&rAu@D%yMf&gCDic4BvUYj zrPoc3*_bG!9laBx2a?PteRrR(PCUGcT*2GU>XP#FnFUl$93y+`%VQh{kA)TTtmRU7 z+^*ZRJc>D{)%!Wv#L-d2dEH>l)~Gf4*@a80pw)yWJiwS2nN!RP+MnE90=F?b0d-Gc%<{Nt8yf5cQ7XPh45a;2WmIXPL#}U zeE|_+=wYHqhj=d8iiPN3K#&{egY^xOsdq=wk2nK@KVcrs%TUA)HObpv%^Nkcp2r-D&^OJoi{zYv&>pMmuJ?P>7C%f zV&$PwIa3tQ!*{}hxKbh~+~n2!b|&pL`rNSCGX?jcM$B^^3;wK5-nEk4hIj>YzU)cq zCnhf@%iz0w2Rl#C)Js`~K#_bpWp5la`}Rk*cTw9G%>AUdAl^3~nvr*p&MiT~zzu?t zSW~o0u@Bv^{#_ApBS?hlk}(OaW5Q_A+j4cx8sDgsBq?!7%UCUR%g5SZP2_8^d8y?A>d|cnDQUVaR^Y(a`la|=o|1jt z$xnW-`ZcrG*ie?o$m^dLXlJpHZ}1%fupkc9_9kkfw>L)1&6}>ia|kO?I0eIXS&;0j ztK)j6nbGp#qbC@@5JJjU-kj4oELCq@z6*aK4l;h?ku?ACEDlZOiqUl#*}a6)Ek0GjJP!Ao1%J8_={uItQXx{Ke}*So!g{|&Guyk;U;ja+ zpszg4?SHQYKGj^DiSOMJC6tZl}#EB$HfOS z{HtbIV|Ud=L~}wsqDd!d8o`l=QoF_Dv~9%ca=1wd!ZzGr*i?EACPh+TuC5oDzkA=k6IV<%dh_S3v!tC%lKv8 zyh$i+z%WWBoW;P$A%C#843MhdwZC#)TDSYCe7~PO6)W8>%l)U zVMd-c&u6TgPSi4-&DBQ1pw*Qr6_G(?rgS;rFx{vQkH@J6YXFzm0SHA?6!!_JthLIX zSuD6NbfrDaPZ-@wOkWb}j@>pe+j_j}9G|>swsprT@z{4YzVQTC2K=IWRFB_Tl*nw$ z`%7RW?X)Q-Vr3-!CN0M?cj8wKT6ET9{>e+wG@wCaTwG;U5wD@7>mZK=OUW*g?!g$w zTl`d|MBnh!be-0`tG+?SOVGt-)p?8zZ70Q|g?58C99;$ps*Ees?aIF<(T^4Gb4+|H zqQo@sy7+B_?K>x4tLLO3eJyT;qZPHzgOE3yL*I`JI=7g=4!3w7Z&HM9j#Z(zZBzEv z{F{wa z+uIH}sn)%}sIq$WhzcpxE@}gkI^CD!_gZJECe`q$)Dl4QvwW|Ox_%a}FX<0$!54w% z?h;PW`fX~S(SbVwkO!mvhtMnUfI7#@7yEke!i_7Pe5)*_a4_5&qW%t9Ek=Xz6}jz; zkJmgfD2KCZC|$?0ddSg`INgTtE*j3DN9_Rc)WiaTgZ~fk^hMZAIkdC4#6gT#v4SAs z^Z&-6b?difaB25V)JBGY49!n*tP%48s%ZC|wc-ayN6XU><}2Xjiw|q~nYuTsLOgq8 z_FeNwR*Yi`SF9wRfP+`z2r7pFly&^M!EB}ED-Phg!=l6#sQ)x~`B0S)S7#L%7yjsCB}7`xqXG*ija^&yEyEK2I{-h4#L!kjqYS z7hBC|QZjKnu@iMje%!vu3-kW5nB!@x&@uGQ)p$!EpS+3bRQFJh2~)eL3Yk{7>baP@k9eCXPw$nI>` z7swkLZ=IPGo{1bMu?+eJEaMJ+u63iy#=nhqz{>mC%;~&SWwc1coM)pvj=g1zapq-T z4Tth)mgFMJ-_*;?u^ew)QL}L&CfT5Hw1Tj)n)2V4I3BckaYU}_sPhDUa~?*A9?V>Y zV1{We@+Fi$fM>meR+`xEC~$39qC1)!GwZ?0>972^iB`D93Mp@G_E7Oh#bi zP=4EkD%*(Le1p7WWA;e-Mm)~YC#bLdxbJ0HD3g8R#1dQ3MxEHvy>wsKrEIRGwdN|? z;0{L{qWE>qWds)YJBRJ*gNstf_akD5+D`rmkRGwdZ|j7HXWnpSiRi65)WogVfwvQ>WRqnICeJlWdox)GH0K{g4vH@Gmhw!Eo+>WY>;!>s)Q zZDO5Lg+IDO)rZ66M1eO>c;7mxhr79LA^8%kgzcru5uwAp)x@j&w3y{9LsdVwy-I#= z6=!SGV^X~_{{IscHYn)-4it6_>wgXkYcBb3yFfW4D7HiSsWt0Qj8&1uQ&D!z3GpvK zRsRd}v?<)dzbWK-sz-_AvVZi^62b#Hw4ahFO)RSZ$+rV7LLnx}6c(Y6pI~s(XXcn1 zJn)zas?CQ{M8bx~8t1bl4hsqQU!-Xn1~9Zkc(>_?QdR;7x?w0WBcEij++=*d1PzFL z(EkZVHdP}N$6?R^JV%U5NF6p^QFmr3o3>P|K-L!DAceO36%8e-n0Y>q9YG*C2C)ti ziC^;W6|r2nDS>mp>9Ud?DL?1?fE`9h-w$fPo3~e#LoT?ekx@H7Q>q6 zE>xoQ)tX`ln_uxfOJq!PlN#}bGf*D%zDFvhp2+u`A81^@uERxr&GU9K)PVZ?bU50f&Di&U1IrDQ{>P(%D{(7JMg`-R{A5%y>c=HI0Z{h!9XPxRXvVda3Nm zt0Sq)-7=#F#5-f~ttu#FwYWoT)ij9%taVF0>~^&bWN6hkzX`Y~!Mbydj>O#88yL0t zOW-nX{1m3BH@PDy7F~}6tullzJw4pI#xHMCcecMAxEzNOdVj`WCrIvf78_+Tur~h_ za#fZGiCkUT{VZ$7@NTFcN(a+;xkz8%{t zM&#WJ-&*`(WPVYV8HcZO=S$WU=VGZtY0de!1jKa>oL@ko_;l*p7q*+p;VYj){uqjy z7?Q2E@DY=-7<$5UM?RBXJ2c#kS=J1eHrQ0;m*xv>nDw zaT-m84zQOPKci~UWUrI*Kxd%R%J|!YBzC`<9La2}RhryB84ynNkpyC!JpAH~q?YBh z#nm&LO;#pX=yXPPxYmHTryZbJ@A@~O_}aE?fKFEOiJOdI$9PV9+MEj+$cq00xcz)x zyP2k`WjM(jvwmILroBmsr_s(0q!z$%kF{T$rQoei789GStX1;w!T7B4@7K7G$TEs? z@d=G5E|Y-|FD2vm_bL?0bSQ_6#;zjbL!}{yVU(gNyANnQ7e7SQGDCK212!ZhAv;2? z^AITxNaoN`)=iraU?MSnPSXZabW^m~bRD)^Z)H>2PNjRFpPgvbgf&WCfvgq;0asA- zRe{a=JdctbuM36gA$(Ux=xG>tkPK4K%gXitV31zU|Iyo7H5@(zEr<8@h||L@q-H?o z0-?}z$rL7aW#3?d#D6eKucp@%2or8b+x-Gmay*P9q9)(YWgd#uleT(M^#c@@%8(Hm z=q2Os$#yE@onpHTm$qS4y6&b>&%Vg6^REiZ-W@x zVY>G};Y)KvT%$@vxpfm-+ABy+K75aQ@(P!K?SqjDM%47BV5D~5mT4fBZpB9X&6bSt z1kll>SoALPD_zFAjU2U`rU-bx+*$h)a^kufwh|l1D{Iyn6XA3Gnu=Xm7xEJUm4LrmzS8jSMx!7SVv>acJsGW!Yo5_bZu5-LN#eJe$KF^L#KMCEb)hF!4 z%Z+DRsI4|EJ=~{pkXE5?ss0Cz_=t#Wv5B_DO_4ZZz$IBfLEMdTw^+2;mDxBFarAr| zM8VZd^Q@7ZUL~V5+|*tCUJ#(c$Y2l2rexg6+Q+MY|u9AgEh@yq#J&xc3|<$>_)<`w*Y2)jNS7vE&Uv9f*Du?AvApI>e`wL zon}MGLD((_G1H!cW0%LIb8LJi-hG!Z>7hb=2NgIHojA2N(p?qcq-*<4LoQpbJtNT8 z7mFEw8Di{=e%r9!2Nvc&>%sDk<@d46TA$kyzrg4$d&zi9FyZFEY`Opan<*2R?OGe? zWFwRgUTM**cr0&uKKbkfPu(hLml7?337PuSFqUz@l((Qv;vac&&G>K&%_A1`M?b+36-CdkBWq`;YQ4_)8>#hOx$?5y@<{uRr3|oWOZb zH+EBIQ^i4G6jN8Z;Wr}my0BO!!6Xy;Q1N#LhRZj^nfIXw1VN6A+H1pBw+d7hcd!;Z z3(#(_orrZ6`=j7SFz~?&B{R0gSOcih09&!`qubBKC1r_8u!en*XSkg%$6*-J#gHPv zd=r2V=AlLW`;b&5_pG-9ZXSkLE(+;nHhzbyH;FKEL*AY~#D!!929sqp0k|_}M~Z)> z@|idnE}}_dz z?e_|WHnam1W*-6hyQ6XCj}3M=Ft%xhG&`C{KZ><|tTul_$^E#mj8sTh`ipf)6ok#W zwhaozpy3MfyfzJZ$@`nA^au8Rk0|Z+l|uR;Q~^NxEmYE|CzTwo8au1A?F_ffOhg@` z;5^Eb`uh?7ml}+eXQ;9j=@#KA$Q)XxBP7eaW3hu;+QE;)LE8OpLtgIibdmZfBo;)9 zgqR7JO<`04*|Pm~fu}B)+V4p|G-!*{ST-)Z%}HIjL$H4L^(nMAJRbmxs+Zm?HimH5 z&jH_PR#r223z80B=yG7*)dj&+gn8MCN2#GmDk>$CDSs)k0mUebO3{&u<`32fAZUVC?wJOkfqfwfy0`J{zLa{61Q)S!LILOTtl8%n2}WbAqOxH z(YrO6LT$cMw=F0*G_Sw4&;e#GwvhC^aBwOcF))y>C@z4@F3|S!4I z7PZj~{}GLctr&FQXvAp9mBv_0^aX_L$+T`&-ea{h0)+I>*lyl78sC@UWh~s600S1O z8?~xaV*S9v;Lc4!X5fHH!|9OHuqQlNaSH7iQ4SeM5XCXZ!F}8GKZEJyCx7&R8`D_` zJ*4F$*vcXoR>QXd)Y+i)j0_3toY!Be{RgNsW3Elk@4tXLTmQd zzPV$ zp0Jrq!f#b(8WqlP*FQnCeq|8KJg7sjN*j-TQ#ki9o}+JGg~G=9&1G{rrir z(-dFv>%>f_h?It9pSetnuyKbqmmnt&=FiakGflBr>`W}p3y3n=YB-4)J1LNK-C|7B z7hA|-adK%33iGK5MH3ZMwU}%k{(|RbK0cd|NFjla#7T^cK?F>~xQXK5^C|Gl&eFP+ z6ohj0zO#Lb98{Fu#BEjp9*_~*=4{DdJfQijyll>Eew*H}GLrSTN2wvhFFJlw1C>f^ zpKyK9wsXOzdF}z2rA}btfqnX;Ncn1c4Oxc=-9-W?#dze!z4NG)4i zJxSx60kqHh|F$~$7F3_$#LWFlkTT3KRE>c^9Zw(e=3ZXJ%4D6pGlg)~?)un}02t2E zt9uM@y+(G5H`NZeRQue*lL;`}Ss)T%IT152Kjtt*Z$HHUw05~Kd#5i@;FteRu5T5d zDVs7&S3j2ze}dT`bKVn^aWkqsB&TkZ>OOOvX?^SeBP)_fgsk51X(VPnGLZ?}bM}F! zk?5ztv5_gi`jmtPi*Lzz%qF8!88?5Wv6+^@bfXe*d`>_r_r@T5I)s8hOSD8Y{08^y zh|iZQP;t^Ioaa8$MftAQ4j&Qo)0;2|9h@Gv2zTb)RJ{X%B3q1k`Ywx%m+^uk&}tga zeb8ln_aV9V`9J}avbUCDLyi*fyGCLXJ3{jIG1R%y3kXgZ15(O3^S=50 zmfD*hzs)-qBVwJEZazQs`vnJ%yAO_j!_Ny*Z%S;c#PDjPP<3M#XMe&yzh6P6DSheu z7y!>^iUM1W^w0OVzq3gV{Ah(MeN<>Q9&akNCV?IS_QwmwO%EjLs?dgQh6!toJi~z7C3R>=UlEoKKHD5D-Ix|nr>(`145GV znH6%Li@9GA)8-4@05T*f{h?LtgHv`l_wsXdUvuP*X96B!Jc`ILpA%7I7({IX)=Dr# z|L}~!)u=BHhCRKsZ<%{hI{v*}(q1G*ca1S9G~f`|&EbPTZYQS8+CaWWi8-~X0EyBD?bAf~zpBBk%^hUo#bC={Y)!lgomzOnW2V2hE zmH^yacLoT92Z2xCug2jwdiZ`cN zk`Zn4l)hOgTgqv(Nh1`{=|LUvs4K*dk!K{(cf=QGG@eT@cPa$z*hg|Wk^K*dq%B#GTf}Fse8C@G_~WhaVGg_ z_&@h=9T?W3tKz}f5)))*N)6XeYv7JJvb#FeWl^)$oCW<0-&OqWVbguM z4@W{$uC7hMbUK3i8~cLgqFK8N6DmCHjeE^7h{unOoNU=4;<>L_0=}7cp?B>HX z`Ri&CGiDq%EQX5~GLt1L4h3&5%h?w`saLa!6JJg)x}oG`{M*&uVg0Q#qv+uY44@Bs z!&mX6d&2c+ovN&;To-r&WH*M(`~DBNlBQ;8mhv(M)^z0TqgA(}cR~jPX{%M8BrL&~ zqtMo&7K#HgIX3NeI-J#F+wUlq@fFs29_$SVp5Ll(+eh$6*_rn=#)KQ6)H5Dm}Xiu-# z6|iIQ2p+Tslk;*M^%w%!4&qh4@B;fy zYvir$3Pgpn#s%%iG$!bv`7ilKOH`gp1BkprM!+oaYTN?^dP@Hz#XjXc z0SNMucLA=`A*b=<%6j=6!Fd+l|8u+{QljvyYr?5sOTohZ)PGkmW+Fp_NfuxEEiEPr zx41YS5z+2ZlwVqxY$=I&GQ}CQp=*>MNSkOSG8j`{_vY_Tpc>5A-CAu|w6T?oX#HII z(tYP>?dekvUfTu!$kre9x1?I`570c2(k_r6&lqqUxR+eDteyWePHArv@zuqQ!nm`K zuhZ4Mkgt;@Up{*|Q!e(#5P?vLa9cgqbI?7d*L?gi-49l{rAHRM(Fauym@6BV8LOB< zUsmj8TaLfd3N2&|Z8cCy5{kN}YR?4}9=A)vf7`@{?rFD-a;WTRDlZsOnDbFs_8|We zjgEUIdx(Nn(rnFSL)ROoI;*6J@HxM+?AafKMu5&$~ z5}C0VDblH20@VQ4D@|pmrB4%*GdUBJs*~~EH^Fru;g34q1d&794 zpU(p7B@3;-f<_ua-iH4E+D-W|!aaX&tr3H zF?C5~cXHSkB{O{)s#as3?)`W!S;DIQ zk+4bZV^!A~MDL2!lD0;l0hH{XK#cDri`MQ`DLg05x7WWJL18=>lz&Qe{5&a>j_Lga zN&2Iz1!@()qE*YSnI@laVTH%4;0`?z+s9z~%8EOFHnV?&D8RU2$YR_wAR}_}#ID_E z+K$j1ePUzI>glSuaa9jNQB486DRh%luPu>02CLp;JL*VuX= zXQlG}$w3gB%5X+VEe^8)LaM;Fgv$BT=coCzxzDG+eC)_q%?z}xrHa>E=zD(5qE+I3 zh+wo}d3CsHpj7~=#vDbQGxmBK_AkCaXd%x)B&>v`rnBCDc&{kr*Rvtl@txeUTD85! z`wI`x4ukN^7&bM#W>5AW)!Q_*hbBPqEf<%dk>-gtoZI;FIpk zkL9Q9c#V^`t%Ldw$17k`+a5R%aVVUd?ccU)_A`6^jY21g3lBfexL^l&e+EOoQ++2X0x6uiQYWR~Bd3C!7@b&z529 z*ZC|OojYp57$q_AZuBqc${PbU@_oz;bNU>CM}p%z)<=#!wqZqkxkGz#Kb>^vbLo=4 znMYkcE96KxMK7UTO^zkZ0};a;M~ zb9|sR@X5c?GM>(ybm6>!Uaj?=>?M}V>UNuT*XIrXv zBG|jNBDb-EMHwCvuqZU(_;^qH$pB4nY`A^W$t85`yEQ)k$4K!Al<5`X95d>El%liv z#SIrnoxsr|ZMo2u%r>h?%V#8>r!+)PztV00d7h-CU?NO{;?&>@KDX5m#x#!~Rr9H( z`ZYS~112@|0@&_!hoA=i|JEpQm1UJ58m+s)ZD5u-Kvd^T*)PC&^bnWS`WX zAAb+)Wb@0_8MsYXI9r);l~T`m$t-Bp3jZaCqL=f})x$Gd$NS^X>)Ph7RtrWksoJ;| zLu(+l*5#JjBWB~|q=iv$=G)zSMM(#I8`m*27dzhFN+axad_esCdJp^ipuF+z?t2)^ zq}ji}?vp&LYrM%->)LAWAqb%+*paW%7McfNc2ca+1G;#vc!k8$mxHHp0GiPsWt!D0 zrA)Y=K$wPjPsVVS?pIijs9Og*s&<-$4E9CB{doyG%t!a%&mx)viAtP>y1o=X7%MZS z`>sW|b&5l{I?BJ2C7z$Dsl(&iId#aRZ=~|JHep?G+>O#OtG` za%Aw-{e+X}`)ebrgk-8iIVumbB*bGWq5tTEXXKE+~f4xsR8jjG1; z*p??j@339VJXx)_NLaBw>zeTHUhq))13dSxrgzo)d&`gAbB=Ro`C=x&>9t@C6}sKs z1>CI40Q-!KJNGDtlHDnKZ{+23DeTG@xNt63Gi zpjdP(u;*oJp_(H~wO<{iU2*0I-G5vN&K2CmA?=>$*|uSwzqj;GC*95Na)r5jvKnNX zA@3$d_*QV+c(c=4MYZ1NTgvQO@1-Q2AORSSTp*XdE`^FJa^YY9n31725n#5}CUL)5 zqEl(pJne;!!%@4^!6xF*7G*V26TfCvf7JNJmC4hK1(5goZ4tMCvPYs1``VX5~N2_9f5bBwl}Qp}zUK z`h#aNt+)o2*r5+7nE~^pArW>}P?MU>)UJY zv-bYxb@|7XIR@Z6p1AK{-Soy~bgsO+lciq%CaC&7Q4|*Ez%b_9z;LJ}d%nN$3G0nw zMii}DoF>(>D=(iXwj(cx+ZFTSgljC;`4G6`H-Wz?%kwcZ-i8fOa-`)IuFO_7#yG_dz)m>_cz7yjd>ow;Rt>@TXD8 zdlkr0Bb6lA{Fsojxhsf8Yl0x-+PQ~diV00iE5)1Vov5Vq5a5#<-q9; zoK~<(CEi7Cuh#q+ZvD~V5Itv+jN)sHqAAX4oiTDuV-1_s#J&Bdd)_%<-EN=#-M+Ze z9>}yF1v0$x+b*3ifh{o>?Ub`!IcB25i`Z0Lj(jC%@$|YkmMIX*d;aiv{d5s9<$T5s&W6~ z%lfQkJ64a*pB`oHZ_@=E#4PYmjT#Zrxt!J_q3jFEsVqRXbJ_?w)lI zn4(EPxN`eF2Pl_@e5q!vaN#eZhis-e#il+fw@EhNXjem0P6~rgeJZS^iX&nBna}ye z=n94y=QIy|aqMfSPa@{9ZdD#Qbjvm3@317%Fcl{}j+tQi=jyG_YUhu=t%6RtB5#fk ztKRZf_$P3XyVZ@%<0qIsb|RDcj;6zswUu(Dzg1c;?5XYm_sDx5m$Qu78XJ*_R9(6N zW&QvzI}OXR?Sy`Q&WS%RzID4upCZS!BAMEgm)5g42+um4rx4Z>j)xJf%%sPmABg8) zUsX9{47lCJBpkf$Ckiy|i_0VvAo$l?9vlVB!X(rv`pHh~xZ$bKUDo9rY+xP6xO5ci zv7jSx0Sn4Qqb&DIOY;xXy6ld`A0IQES{4aW8r6G>Y7}p;;asyNpYGToUEQ7JH_`X8MWJ9( z>&fTO?Y-S@|j^HY}=dD%jbkp*NH{aWHD3Pc7EnC6E$xjvT8&!%OL2FFQ7^n@D5qC z&(}p81~;AeHfUO3pS7E#?yzhCqg0sz{uYcPNt+Nk6KwV{`J8?M#)FCX9T80YZV_+V ztQXFGH>+9JP%c!+H)KUnu?E8 zhH6iiXt#G*fJJ7*r1j?F6a3x5hw|ujyMsYkTPs*MRybm1LZ~G*K5f!ayIkwuR6Qml zvXEz2ml$rhy|fm`V?NE?LgF{mdOQ!rYK5!=7t*L6n;rWpro8$*msJn%e;}I));S(7 zf2pfjRU6>SKCT6q?K%lqqCO~u=B3a{!QO1nE5-81$HuRp5b8?2YjchJ_@M*rqT94% zS4_7Z{hsrNDe{`r6m@kh;~Wu7ozC_CNhRJ^&y%nP$4v6Ia^G`I*x2Y@3AXE{C{{HRm_m z)?A2N>dC4b`q}4R1syIbEl6~=mA=)&Tf-WiR@eBV1pE5<UF~Pwl_GDJ4mGEmXNHO-{GRyb<{uA9g2+Po>DC-u&vvo5YcEOyzJsp(;I> zXZyzU!|#_?Lm4v6pG3%IFR=%4#$GGVkxF16I-ns(Rw3Kzi?AfHR=a(=W9RVe>%;cw z!QJi8MF5jX1-H!1F6&z9LmZa?h0C9Cv!4`;qjZw(pjnoMjI&uPpUw`tiEwtNNmn5< z<3Lhue0Ot6=6`ou?9p{mYX?QqRgO&+yg*L9p-{xU`2EbqUBT-m&(7+1=u5hujqaVP zGPlFmJz9l&`*GvPa$}(!WvNf_jhNzu7`Pbwt2W^| zIGYa+Rn@M4s30Wkr>{A74kIp5+n_a7vkPP>QacHpsql)f(66?U;0Ye9@SOI!@r3OC zg4P4E6dn<&!ra9QJxG9N96w6y|8nZGM5+gc-AW&b?Vx%IM^-wnH7ch0r`vwetJ~%) z<$)e$+tHya6CR5Vy<+E_jkIV})_eO4&_<8G#0NxXUK{p6%rRJfe$a%a`e z(C5(ELU{pK;%^Ng_m?T?_Wr zBiOzw)i z#U6FVZWkkB!N${TqHv;7VT0uKJQ%;BzJRZJY~w_A%g(ig=!ReNZZdBUXXDtsGlW!j z?#s<%I4S4W7kZnDK@)mC-IGZ0_)sZSDwnQQ~ zJJ02*rFrE0+ptk>G+rEV58T7r53HBNBoE;J^&bp2xQ&d=Onnv4_CnSBH_Oo$Q{n_Z zKzQZ@Vpy2&-vp+5t5%rcYBpaWXM!p1*%hV}!^4^4y6mzZm}lSBvZV;8YiuY>9q?JF z{a#FNLSbZzUrC4hp`FTE0W5n0pPso4(*WZA6pKb0MDLT9-`Hr z4H2Dv==OFo8>};%f>bkSgFv;`(_>=3_Z*G~DTi}(R8 z;ev5?+16s*1piHlolrKFwiW;i0c2~}EbY}&#ioearahv&5+{wI$r(!Gaml~~pmwCU z%Z>tX6uQCYVk)d462%}Q^JPExy15n-S#aJ&bIPIP0T&X}o`^Kq7(Y9xlhqDyZZlnY z3uV#~4z+5m*Qh=vaktWI9{GF+m==Xo2iLNm=0u-BxxzoNF;D;K!jVgPkp&&zz~-nq<5QIXUEx&2yGqUjAOHu0z-h) z4p%zr6i2pL)CxO6@7DQu@HX3A=324U4hHX~27@0{TBMr*(A$O%+W>~5$Iy|@g2afy zF?y+O6s5Bv5n>AMS1@=VOuDeGPHSAFjPsd+7VdF~o?neZoqMh^^t~e`;KiPIetR!qN^w=FqP0 zCl1*IO_jZI<%Ycu+ED-o94PN(1Ac)*eG9nD7%X1AFE+V zgNK~UoYpb5csq&w@ZNdy7i0xvaeLk}s;=<1!04OGjGLb>UFhU!`P6T9KJ@_I`7QhvQ0okiqy zdUZ^om-Qjysrk@Ul_IaG*MsMxnGEZhw8|}uu0I7ItdKt=+!^`!tA{&F4xJEUTS#eOSVs9M2zR}e|S=biwPfDQW4%s6ppmJJsWD$`SNkTR&g z=_PnI+X>NBP^jaFqQj9a20j>nH-C|NHH1T)JKtiY1;G%_WYGZsU!@)W1pc3Y(x0t9 zQ8c)B5t2dfPrpZr1QSI%C-Ar^wqrj0&u{+bh^btv^BCrbIq-6nnjvDq z0^YV*8-m{?Z%N-Sl6U@Y`lT&gZh4k?W~Cz`n{u)<#m^P~2k`Y6zX(=;5dAmL^lw|l z<4HnzR1|{0hzG6!=RZT{@53-UFWdwHbdY&+VyoKVY!_x^UTi>9(bo8*6MR-kjNjzr zykv7}`H7eYQUB4W-Mk7BGp&_3@lSR`oBGow{Ld%Xl>Y-1{W2ww^ooD;4gZ6eg)qWf zXGn+-V*KAj;jjCTZ)QRdydhJ0bwkR3-8cRF;t?f;;|R~B)_)U`kyNF@zp=_rDYz!{ z$rU5a2L+?k0v-XiZmO~?obS$?wP?zs4n6jN@KFBw@&D^LhV;URwM$p(P3g#|Tde6B zpw99CQi2;ZRf0rnL2RvXx~IcF&i8`59P{2vxyD-mh!sB0>pcO|qO0#CJ^6=!QV;z* zKlwks=E%r_%&f%TXaqT;hGFXcq4PAJ%`1x)6+$y29px6jd%0WxjY0KrZ|Sa= zCVsB1)EwWuX30@LBomHox~mU8+v8kxIptrp(hNM3Z?dw>Q>=pw73V7zWMlbHuv^rP zRH_dzec;?kkf!enr9qpZpJCn2sJ}eI@rimX#~p^Wa9&}#kQB#k{6QgKG4sQZr$Yd1 zGn#_vGh5Dcg9wD^{nKpc$DmwG1GOH0pDPdy838^wcYgI(MKKrwz_3-W+kqCxVyY;i zFVjg3$F6m=^fdQhe@_4DY5iL-z<2@o(U_`E7fR&3p2~oUtLX%C3g$|mU{S^JWvEA@ zq<5~H|E!&xOlrjAi*CGI@C;!zY3Czq4Bcif$TE z-KNcA92Yz+Z?-*^B+QXHo{k_FL91~YEh&`=j{M;k@Pbw|1cCdDSAq6L%7p%GuqcLO z3EI8;9$L2+NwQhmrc%G-{n-6b*kx0v+Y*_@v}_$eR&A=s#uu`d^MHK242jQ+T3SU&VH;T*?eZq--aV+V;W*-ioqCm3yRqjF_ycn+yEVBhA z5x`VZ^z{dxthc}`Pj3z(p<;yt;ccnPsQLg3MHiTwENRbt(H~v?S(xJAdW8SaM~^{@AX^;k2HD<@)FSZk4t0q{kqtE1TPiv0?hDTYnOd=~3KFlZOXD zWM4FZ?8!9IZcA|eNSs0^*rvNQ?d|Zov$(mLG5&Fy{~751?|+>PqZ4u#AWaqPkeQu5 zGJN?4Y(p>tqXq2>x}zoEBxAQ7r%m!EKtoMy{=4Ga%Ru*Qr|{g|T`o2@+^!fXfZJBIImcJzTM*|z!-ormQF=2^RPLYM5$8auAzjy&V4OZ0hir@xmn>8l&Q z66KzhD|r{DPw#b)&*mTH-sDH4NG;H?xB0>BLEln)z(sfR`0$cfhXhr9<&Tb;@_ToY zjhGDY*K}qIpMqNCDDN}Idf2?NpT6%GK?GEqGPxOZg z^oL6Us{j5o{O?{#A_FfwE`7FmM}DH~J+uTHdPC1}bsDzJvE2mz081B%Rv2RGvH0*<3lx;}l>XYPb6QXCm z6-jHf>|?N^4S+fPWZB#%a!Gm)Ed$!5bN>KDT5Dh}6^jH$J4)kMJ+b(#W+|Et&O<=9 znIoP0LAVC^|Av4kf+Cpzl|38`s@wS?Gpq#XgHD_UJdD?>h~HhvzaF>Y^AVu_HTMfY zWeCI@LVkBDEO>T(PSAZoR_Be!R;(NG#zS)p#H9D=R7eh6i0{ZP50GQ)bLs#LIYFNg{C}yj`>)g0%&$1t}8H#sq)J0V#&uA=FYuV ztu!-M6E-ve!k-+_-^!X*$$Or6Brr~FG+{Qk8N-~8y}Xe-Pu zrjq!dcxpt5k@?Z-v`~l68^`j@5rx=!zZ%)IlOBY5eiXBJ)XlL>hDIGhZ>7kRt3ZTZ zq&LLrc%3Cc88GDO*h9|@(UZ-Px)BmgszEGFz$zFUiMn42bBWe+ncct=nOS$rkzriB z@z!wW2~flI%mJ>F;;sz2#%3c65cEHGbOeTg>Dy=3rXBR>V#dbCmDj-A&JhPfoOgLy z!UJ8Wyeu1CV{PIl9l&fl%;QB)5Ur*WYCg?-@axfNsjdjQB_Pv<`Oxr~e@<>HeFr{@ zXVEUeVrjhA9ZANe*JF)PJ6bln<1nT zN7jv-qq+bqww<$^cv2By4&+yxU}}526WMxlIOV5dFb~?8#s~hNyO2K-qy3pk?H^x% zzXNaGs>ysRmZzz=i-O@`F~FEnsGM0q`&IQczuWa})sT|1Qy5Zkqpwj`pD%U0!!}u%BDp$#hqWZsJ2%VceL6^d+sk9YfT{}Z*glOuG^M!UbiK#-@xx*5-p2)cXRv+ z6Lo5DCfZKwQ0lZgq?wLs(jRa~fqDv7JGWn;PSYs0Qk_S@ouaSo>Ef=YoxMXTTPn4vgCidavGe zuXTm{z?kb$lqpCmBR-ioQ`p)gQ%-guUkc< z>~vSwL9frHD0hlOxb>NSMWFMPrUiPLCJ>BCF8m#*>uJr8r&wu#rSyGO`PWoG58#NN z=+!(rp`yY?FIIfhQ*Al7O-m{nbF@_@pUs~|Y6c3(Tqh_(xzXMLL|t`DXB2wY&v@IC zfW?^fHdLHbohtCdr#mY@Z1*~D75Ry*jiOzb%!2N*Zkcd@roc`#LUx_im$aIbli2jJ zHK4olXer5%c_ zy$ygO$RsrYJjfOZ21)_U{fuJZQj5=Xmqx5_Jc<3ue94o@7T{3M1<%E{iy|7Q9g>D( zIn@FMK)oJzRXC~)M@h#3n9V7<_dHZI$xh2@4J%K*20~@xm}J*{34|1(!r?oI4$G~+ z<=~8^(Q4#A-5l}~ivoA8A$|Q0u02rDKbPo@A`VFZG@y&Zb#G-^f3WmsG5LHMv) zpaqB4cTil6z|wF}(DAj$b7WfHv0F?*GO5B|%s}*e#4L+GXrEzlf|f$(Q|lp`8Oc15 z{iII=9nv6u(~V97B86DQyQ>_~el+H->boMf)ps8_H#&}aZ9HZL=B|UK7VnOA$#_=G zU`yVP$sB@*e^K4{9{rn{Db>uLpFu>^d)|*$cLl`y>VlPKll*dg$pT863*(*JE)EXc z&H`N1bx;y4nuKJrXnIoARal`x+`yth5XU^z&!Z}?(Uioj)h@>&TO>;@cMLxF*CP(I z3j*y6u6InemqqzGMu)uxX>G_|Zihc@H>328Dx5F99p$%b(Z)K%Q7Kw}RGQDk**|$C zDVNpJ3PcSk0t29o@DbH%nF1&9h;A^Cf#d8dTq2i4B})V$x8u7f=mloBFb^?4Ldl1m z9G}3eNtajnzx+x}C+J$97m6z7EB5J8^=O(T!n5|T@nI?(YD-WZHJkgO;F2{oK|*(6 z10&5=Y2fht+`-A}J@j^C4#@N{QT1zjVe(zzhoce+d}liT7B+-9^Px46KA55EBfsot zWZhqA;@h2z*Uz9su~hjC#3+o9DYraWi}pbFv-XQiVDTCT_d51ORLRoe(OM7cK-0Ki zJiw;Gr8aI>Xk4`-pwR4(Lcigk_o!oT(+b2oi!zwK0@T$+_X+4S!L$wcG~gcX<`(>y zm+1fEi}jeDOS=cF+_myk&uk?Z&}1*CMzCRxxV~zjD~mQ!!`X>QD-jRJi#IYclYo8j zqsR>1iN3!L@yDIZpp^o5tQvVme>8WPEVL|~6uW6E5>{5RsSl2n9nuKeb>6yH=sM}?gV|A%H zA)mzU$~!I5&PRIu^aX~@NF^AK#@L|O^(;KJU^Wy}`%}eEq$10e{5d7(e63v+!_9J= zzoanaLlw{)@eAgHO4K`BJyzTIKs^Vq%Wp2(^~m=p9;4p!{?Bd9=(5QeCiRQ68OxU4 zr|Nfr?KB33j`xJ(8CkFJ7}>$3Gsq4UWVDz`7YUxm>w>@mSqo$R#Z_j&%wg&_;O1!t z%x4RUwv|23=Nts`3`d^ZElRf%t_FmZ6_l^_6A5-epun=7T;~DON<&`vUdImbpY@l3_N#b_W!!jG}Y>%@?h}Z9q zU`RX$`=f-LZi;MYPX0S6czkn=uK_-+zJ^mT=V-Pa>=Q6buX}sa>lj4PP>+~=5Bv@O8O|)oR(}FCqd-rbf1b2izFv^V4w?{IlJe?AI0T zKr^GMQ(RJGV|c1vfK{Shh*aPKL14X5@G|MmTerCZ&hugEs6fA#A3z>GvnP8!+Wl%U=dE3k z^Npt(n?_#L*-)Rn8C2H3b1(o9cLM99xOh6~rer6IG&FF#AVfPd3g6R3Rz~*IcoS!~ z$MVIknq45hC4!UEitzaxTA>4K^xRKK8PtYI!=wV8M-aPo9}~TP&A65yUWn-4Ge2Da zs@>oN4+%^)yZ6u#VcAxUa%>O4`-DGX7Hw?$y`d1BT2<5_*v%XgkRMvZ6g6B*uG0RF zc7{#S0gg2S_o-xkt>IBz$W$Ke85|AMt2|Ite#~k5p zdKT?qNg;IKsLw{o>nM@sMHI{BKxel%8`}snYFk{WT;%nF3(N?v=Uw)PKo*ZM5Kcz* zO;(!62SEMmf$J&)41%T(YKRQNWAOuN(t@zGgByQ6_Pjmh4MGJ)j721T$#%R^drl5I z#Y^>|>pCDwW(G5kby`eJc?ur6#NC3hzYRe%k{%e%___hCX??NlNOqg`0If7qHUu~j zM(^|14xql>>|}pc&3%X2xs|-RD7t6o^3r6sK1hBuy((+iugz3%nohP-Cyv@>;nIgvL+$PX(+Orb0w#_*Hci!?b#y%NKzFR6mQ&#Yg%#EjvJMZNvF)~)Z1Xi#HD z!UZ&4Gc*Oa#n`H4uT9-Q2UmCDfop+YA$U}iPCi2vQ^g(_>>2k&RzZH?tGgAL0s(N5 z&nryE{H)h|>tA8LRSp4tiwID7Hp;xly;o`Q&2#k{C1TZk$Ui)!Y-z9j)u)Jb3pT#h5)P$tQhz+>}oOm2|KY7qkU z*O4f0Q9$Q_l||HV{coO^g7zd;6k^z^)2I2ObFbal#oNPKhA(T!ZHtBxXPD|s{@@w< zIIJ&luxO*!rfi|@i6<=%ZzMWKbCfs)ETTl-)2%pEpLAnG{7z0zFcMe$Uj+hnln9;x zWTOY1pho6T@HPB?dHXE|=&4njQTt6{vCUey5ZL6b+$r4>=%Gdk`9y*~1T^)P zPakzUpKgavvz~s{Y4hvKuy|xZJ^2~}ilAjaG?-Njp)L@Q1ww7!e+5P$e4OPYEBST| zXm}yU)EThkW45*G9ZRVRBU*vOJ(DJ{$}lz-Ggp=Z8kf3GP9*l8MM{ZBO-&qpq6=|9 znE#@l{i`^f3U(6RWBAJwv^mwmHKmF$8mVOFWCKYRs*zB#c(xmhX^jRc3OQBDh+=uM z*ADxWlq>uJwoRoC@}?uTyX7t&?y*wiomdl^9}^3n5(|)F?)MEzv)XV zL~k-Dy}mnR69O0>k`Z?yRgGz7zdNUoQA%>Lv8$n`MK!{epFyp{So9_hPckowvGB+e zl$EAY)D4CML^=YRn843NmR3{=vR;8ISEK8T%OG%fuB8IBCen%p4AOWG;JKz=)hdg` zfDR@`(3`1fu%}C^kdO~om@3sS`@LD!y1%;}n|l&?zBi{fUVQeg7e#dSe4(t!ZYOk# zP8}Fa?Wa1+NK5Q@Rds^b2qxd(0+^?iS_lX~#zipAkV&5ZHLLqQ(0)*xQuQGCD4jM+ zc*ZcfJ(0XTQHu@2o&xZ(@lLb;_59e}SqL4Es@%M*(`qBuLpBRDR~cZEzCbtVbhP(( z`?V59`V9LxNFA{xO(Z?8(7|-B-gJy@Xz!aESOi6!GC$@V8b7Uy41EH)iKpGg& zl6hRBgo6lhD+^`_-ze%iJ*HDFrvf|~t)M(`^5g(qg!FPe05-eEfW>SwqzKewv5MrN zNK9qWZO>7uw9@A8Akwb`LmSlEgL{EjUf9okwwhte2|~c_Sn}2e*yLn6x(SKMdv8EQ zW14Ixg!k=dtXyaKc`zQ?&VghY#>pvZxkbur6#CtQG|4QmoqJ%$`5wnXvb^)fXB1-6 zyVDhtG)Elp=~B4lz87 zV?FOa6tG?G{S3r)-Z#y!WXaqv+&eF9gc#E7j!s5pHebqkz09bxfi8peujJG@$^jKCSxOfCDHWy+iMS~x? zG|tu2^@OJ&mIk4tJ`JwOuaxd{j=k+bX!Y{O%1C~BFPzz(DRaz9!d6WU)3H3ENE(H-1dg(-cna|w z2JZQKCngwhI9c}A#l{u1qecK%IRS2Bx!<0Ta{(kHpDmRbqudC%IT%VwBc1Y9<_?C+ zh|@PjVAH7^l?S8pLC5k9aU`rY092U{*p}~+4WJ`WM|p|EY=lu7EyXH(19Acabd}G+ zX7nK#&~%*IR6?D_#;lg?RYC>h;waAidX~TtVt~PM;@(`|zy<}v7}pbEFqKhNja!O@ z8IO(*01~9uZYNw_1meniFIGwq!M7a-JS@sU1DJ8}gvDg^r#ugcHb^ORHit}3#&-5{0qdArxUM>J z)^NFYN#Jx^$eBmWmWtW+;!7NdO%?;Weg5<1Cscek3lxTVg>(N4FcMl6*trUrqxARV>@`h zptz!0A;p@e0WP{Yef*8mEQBPV72L_6ae*IOaJ7;-Y`nq1<1WX%)x09(kt|I780$rw zbs(-~?b6n@VSW0^J7vXnXsBPi#T(NlXze(#gW82`oevZHt@8UqRed)C{#9M%zvz%y zOn9H=BD2w-o@e( zR<*ms=`65Z=yq)%G=kJfzCs6@4{A<{+<2_{SZNal)W`xy&H4fL_mZk*)=amjN=C$l zoQ~g<+>B7nXI{*gEmNy@A}FLR%1@S$S=z4@uns z8H6T|Wfk3eb1*a04$#a0(o_P`KvIARL7kyH`^*IbaevP1)f9m*PbqpT5DiZG!NuQR=I3RGpD~-asLy<6EEXCQSRPYl>g?6})yk8u}{6^@z0YkBo5BY9S!nFf#Kx^t>P;Ium4l%+i zJ6{C>YBU)*RfoWyo(X1>u<0eorRoA|;y0%g*nwLN9(S&I>|aurVwHFd(FoYz1G#A$ zuzrbs-x+%OS0SUnc)r;T4-fAYPS5t7taTztnhqzPpO;6vISgP{Ue+>Axfp@&GDm)D z*>-i%>dFmjFhhUjvoLSpN)22raf7&tCK4mN7bw72u@5P zt!kheks?ztQA~-mdoxl*cx}|S%p!$`DmXR4>(Z+jTv{xdC1m4KIk%x?0L*Q<02%ha zC{(L@<`OC?Xau7L3)P~nH~J-kD1bRYuVGULXd*${JSG;sX2Rrw0|>h-H=AOlCwp%F z_8i@Xe-0*1K38P@5@d)mZ`%|3M#Sl8l@x5LCU>6FjbY_SE}Q1V8NP4(Z-+qf6B{Iw zA>@xO-{|TD6Cjj^?gKay#mk7bM5;Zcl;~ZIwaX-w5#NPulk}Iw`A*kW3_`Gi_SfD5 zU6%QYbkvN0kURftRtUWDy$NP#tZLt36$@9@KE<7QPWW$s{TwFEvLBgVFy7v< znXO{RCss+3=AEvj9>Fl|SGo#7@cLSAbl5B#*y0nE6@gh|rW_DDun;eGiM)&jNpKk>($xYdeAjsC;-gd;K=(1T%6t!{0M(h znGdKr@Y|nlF0Gu5eRnFYLZP7emYeJmt*v*HD3L9;+8lK%AsKt{TSAVrj-v6Jvmzj+ zOzl3kq4fFYd_!IC0oc5TV&o6ud|wa#cam02*laX!7(|{0Rvm?^#wbvI{xc%G{mqf8so6P`E^x6IZ_c=Q3FroZ} z7UemJ0Dt#dy5uuI00bfr4SzHzh4{dc&CM-3_YbM5W_4EQ;C5A={ki%Zh~c-v1wk`=F4@|9*PVxK-`g9|`} z#?S44_u&8QyXcU9Nsm8fCV=~EKG}cz0U?fX9M6j3nE&lf`Hz3|zwwq0_|L#}fE)C0 zy!3zcePJ&KQ>+sn4nCy$|8-!#CwVdo%)4OpmIR0O_p9tJkdQ}W=Pmo2@|{61jv57Q zhNCJdopyQkJpapiJo)@BgEy zwLHhX1_&L7fhNK1oTJYSu-GuNJBXN13LLst&W@u;{QJ>4s0XR<>#xQU$4D9B9tNBu zeJMePfB%(C!;-<{^Ve3d2jj$tDFK}I&wjC=ioLT7{*+~^UuMup<#BfdVOsBvC13gZ z^?g0kXWqbn zmDfYOvsEWvCe}Tz75tX>hg|-k?Hr?du~Dd)V1<=sy8C6`X=7?zBUd)_7f$zU>jV%~ zZF}l(o^8}G5ow3f?z8^wu&P=fm-ue*n>@yYZ#y4;^{H>#?uKY6rzJWg9mKp+``YaEdgLLE=c3F5;G z^O}_h6z2llJ-@QT4HZ=#s<#Nnb(FKb1&T? znzgxaXn&qpcnNY1bB_aa|K*`Xem^3pwqV67Am^BJ;G4!zox9~Eou1SEoSw31*3V-e}=FuJ8}nVDw&i`Z7sJQ{(na0%^@f^X9% zl|C?tj5){DCyYW|7Oa=dGtity9*SbRKPdxDynK;5hYl|2nz8^VjkhraLXGjaq(>S- z6iqTrc(d%{(&qn?jhDU0I*MLP3T73I3>0amMOR=WWR!RE{dw%a4Bp8afN>Ff2*N;w z5YY(UU0uXmHl_kK9RsEbN8U)WP5&0lOz5!oQ&1<5L~uD+=+bM=*!FGt8i~ie&XQn_ zafXUD^{Y{;0(peL<8GHWkPV%HE}xx)d#hX6r83GERV<|0eYQ$MT28tU9sY~?!NctZ zGN(Z2%|TKnti^h}AGBW(w^X?fET!$gHh=SoMxcP#|Bv;(a2v7%B?&}KFW0^)!!jtd8CP`F<7jecWJTXj?8mMtBn0RDN zHB)8voJOT2B>iETikfF{^-g*w@sYl&h*FoTYZk*`<3sx^=PTY(2gs;IMX#3KhFu#uW~LTOO)n$P2S>yP!Znl>P!L>62z;dLvWv_FC2m z40yPypszvDLNuc;_TWp7V(8~M3C88pJJEKAC<(V1LfgO&_C7R%TNCniJr~GL$vGH4 zQn3&l>eA1#@qO;41>(9K6YjygX00aHI!t5!WBOppbpQ(loX>LcfJ6`K~DeJ8dd1ww0yiJg~o&vfo zo{WIFL$DvE0nj}9mb{-R4M=B&fFO$LP{fLS>$!DF4@wpH=(cUA^cn?CKk@xqF+@!O zfG57F@lHic!KgO(l1bcCs&C(IIVRYYs+T=_^vaJccQlGhGH_hqK4_?#OZM_V(ikpksHlqg%FD`GW3rx~5 z2G?S_!@i~pdt5ZTinQ-%UWLzkg1|#Y9wiUy&7P{TWJsP4)&WaUJ&b`(1$gew?0R)? zWCFp#_zXX39z@KP1D2LBk0KG}OjsE(1h7;pBY<(8fT@qKH1NYzmQoU`KpY11xO=_b zb57gM_rQ|o=Sbzz7e5mp6(tN3SgL5RfjR~6dMwe*mAVnW{}PB0GeB=R3`X5a0kT8J z-^AZ#?YAFD=qThTdOUUNpD4OVdB%yqiVdMuU$$tYex~hWuTnbGTE2j^s-G2hzfG+YXhB4NV19?B31Jq_OZY>&C^cv0G54TMwnl1nLP1Rft7p zX`Z8NX7Sc^o&F)ES`4c>o%AGb=qAg3UGu%10gF`IP z#Hl`-M!^pdYvg=EU0O{bdM0`cOj93Djr)k;;)6AB&=v%0F29_mAw`xGwI=t5*$pMV z*=j5KG{Gk=>`^?6kRdWeR)W3pLi|G!j4_`k_pOIDXYkKT?LX5Og7CI7rA}?S;yxJN z-xE!r4N_%r2G)QIUI0kr3YqQA=W1Ch%x9u5ZlqfP?(@2XeB&NSXHJ4WZUnHmKudDE zH#dWm?>f&5rZ)+zVh_F;`VBAv$-cw4>tIqL>uFDWApRDJRZXQ3kHUe}6oNaFg}d92 z<;RBD3f21wj*Zhe!j9J>g*3pPT2X36^B~KaAIfQYYVz2az<{7J)A;SB*1MGsqoFf%`CL(%Jguw(V-M(Yo-j)UpxSf89#9gw z>@cjPGUZnT7yacT(=QsIoHGzD<+DoRB20544mp2#5{wRN-it57w4hD7!~Dg)POK){ z|LQA)cPQv;LkOQ7_)n4%@Hop0@|c4KatJ)VA~czURk@?_^D~~8qg(=f6dB8I=7jYL z{kmr5=U|qkk9?o76D(5lXi7jIFdnEa^&y@_jFaNKK$t7}tOyK@xa`%31x>nL*^apL zJ-=a)dE*bj{t=L>g-V~O&Xx_s`%T9S4&|^q(J(-r_cW$_3ZOy_0L_P0cyjI;tzai_ z`VhM#;qJTk0`HS=#}yc+wL00fR}1}sq7Qf;9hJ6FauEq(NWE7F9ln#6RU4Kt2dncr z`5&HeVsjhva8zv}<#HoTo}*53GGnus0AjuAASS2=`JxpA=~>-y38I;%_Q1PIC4eB| zHT-<=5&W{iui%BL!y$r-*6;^KsD~MZ4Ri@rL%6Ae%TM6V6Lg5gZ(^ibeqBf#ll+a! z!4QN~=7KL(N|9rSlS&ry2@mhQAxX0Ns7+OO_{-h-^13GJ%3}SBrTp}Olses^1v%HP z0*|pT^yv?O*;fK8Y>aVAoCES5LvobHofC5U^Mx;2(-kB0yKVOpYI1}!yUV{ov11Jb ztA|=>$a9QOA8rC1V?(qLWDv=L#Hyc7p1c5ogn7f#SL8C^c@V~X1RVLp?F=d2eyE>e zeVwKS)E-;sHg|I$hgW=Y_73Ij8UFe@B^;OuA9_^(=6%wW4e zwha1H zrN61Lr~Dm=lFB#HGLI7ST`rRZn1G#oA3MBHDjbpd9lhZE>pt#yOeUoO3t zjC*xF_LGqEEU$S2pBLnOIbmMQMz&djn6X4toT}rP5u5&??8s12e~4j!0t4@NoxY9o zey2HOweP(3Shck^ihjCdHVoq&qGR7yG{^ZBRcc2-;vqD&;Mm8)d#B5L0$NYB0u75l zt&P7NokoL2VzlK&&y+{oESM*{Cd}3BpIwpZ)x>&@vQ}@Y$*}bdu~60x37GrfO*j?G zuL=9*OH|X69bA2y>$n^m|Gunj2Q}b5tzCcV>_VuUMyR=NM=D@8_fOGoTXy*_ynz*# zZ5Q$rvN4~ST;w`%p0B_i=aPihoH7R2Y`wHgIIj8a!GGaqniVz~5zQfbFlLwd{FP2( zhv4Ox84&I_aUeF3M9skr>OVC+$3pd*;e)JefZv53a5Lz2V(17gJ3g+mNsV3r!&`bi zlj(Cvhuvf=2s$pS4&D^kFJDZ-5x)uO=dgIGd^sN( zk^0t!zX+I7S`Fp%B(O2)i9R^dOZ-47Jsrj-ZP}^>A#AXSL8q88QN_Irt|O3=q+AwI zUQLt(6`S$&Fr1E5I<8kQBOk*ba5HfcY_I?$Wma0ug)}VODSg6o*O4zx?wyUr$=v-f zPr1d`R$tRia%zbCu2f5DoJY)V789+k#T9lxQJw8k-l%j`F@@^nL8s!PD}ORTZ41;o zye6(~6`iDp(@gRO_Q0#5E#?5uabT8~)V61>FUaruM zgzgq|^@GKgvSX*7T_u%GRjz8n?1Eq}5pB(_QjGR*|BO>ZV&UCk<;Ixq%5xxIAMaD$#E zJm=)lrwNi9z>4%|*(ttPbcem``dccY-+;& zR=)eoPayI)US=1>Lk2`s?AR_Mrh|)w$-Xa)KVo*SUdW(?wVyDC4lM)dgR z`7-Lp(+6)d1Te*#PjTz&C!M!*v#GQiT}`aW`)`{!;F=DwsH-D~Kp5;YA0_E9!DmWJ z+z!qvuMI{bpB>+3x-SbQR_B1o+O_ZDPSn+SYKLi+?_;OA0c`=P-5H1Z(mzm}iCqu) zm!pqH-`VddFTb>6KPUzDu#!XkGPj5?2i5H9?_FhBHW`YSVbQxN4(|r?pD*9esoO}P z`iD7!`EsaUW_3C@}u(26aoj0&TO%D=wyS zCyB_V^#mv=)?kBxy>WOEVZmk~5TJravHdbmBS(6@Hi=JyblsY7-Hy#X)XzY$Uj0o& zKmP}GLMRETxEY9Eoef|ZCy(7g|1HzOI(zebp89h7RS|9IIMkw;KJV_2T+6)hXshj0 zu=c-z^V98+5%Ea_NLkzCm?|WiMI)RLgC_Jc?taKvxXweV)7?F~xTkJ@s^YIcnM5w!QqC?YV;*u)HA5s{>Y}W8(rh|I5+4yUb_??@M_erVlHc z>kL)5&srC%_-l&$cvkHsvyVBmgJP67N&(sXais__&H(^?AXEqlC}UGPOl7@mxB+w3 zaj$8Vip*+@yP;)Yh#eB%X~SVr%eJ!b!Qv7@+@of9mH$r`^!*h>_#y7@BY(C$rD>Ry zK+0^A`z{6-ztI}WVIkn$3YYFpGoiz*wri_Qh8<|BeiZlwfg|~%*E7)WVpic1e)bX1 zl+ic7i_UZ2u@pvUFw$`gblge~TtUaTUx24`fSc29TQ4kizHGS`mV!6pE_HyM1Cy%v z8hY)0A+8f+Mo*LgId09?nA+eZ=az%dK1L_bUb(9+GOaZ7skN)qJh$#s^jJ7zvdSKi z`hK^Kh<0%Uaep739Dm?SowR>+TLg$*RRX#yek0^J>DN^;W}i_o=LXX2-(hXnYKU*u zX6q4VTkNfUQL|Mqd;GlA&Sl!J5=7)|7SSa!vNCV-Q5yH zGr;p_U;Dc6>%P~!*8AaopHHm4b&Z_ood4rIj^FVMiQY}#O!I_4L33><=&O;*{Tqc% zfu6|ecby!38md=GHD)r%jexl%3XHICajq-Ew8yq{$k`C*n`UgZ@D^Dk=RXceQ#)U$ z5nq0PWq!`2I?87W3Rgi-#}H~Tf(-4%=lsY zSm*)8@>G@3#m*=`gYV4ue_rYbYv4TG4S9kg;dnV={hHD%ICLk-u-cLxQR>XTzY0u1RGxe!j1t>>^;7hw~QOT zcMpv6wnvtMn2nWE%AW{tv<*eH+3I(1#O;{o!^t5L-Hh{cux;h6WT18%cY_q2Ab=i) zM;yEDQmQZxy0xM2w?%cWra-rfV@}=e09epi!o*~`F2K0AORhn+^V}`p`R3{rM|R$f zi#?u#9U2>N^c_XCq^45aC{m3M*Q`oLxoo$SwsrEZttJ@!-tkJf*Z&T@ZORx~v^^ib zRHIB=@=CGL!;90NBFI+H8keBz?j>(&$1tU!p3=JZ08DP@L0TGhi^?RAvl z$WJ-B*3DSiTj!_fpTWT?Uv$ zUvzMVJ5JUi?|k>j23V8&j>BeU@cQh2{fCkJVk~#(sU5$=P^F+rPgWc?@R4eI3R=KL zcgo>WX3+X|E4J|YFbJv@JI{`vnB&^oC3c&+EBEyBMmv;owc-67byWhR0V`35G2Qh7 zob=4AHmPY>lQ?~T%OjDQyBb(-bG))qemNP7Ypd$N*Y9t=zwqI4l*Tdr$|CQzwrwX( z2``z4A8UA&55o`V!+p4Eo<;F<>&O*6nj9~I@QwEy$cBRL_}wy!vBMhRJhG>ueq5Y+ z9{0l4pRnHv55f-x-%yo5i8!&VBOv-%C~qUqOz^~_?ZY)C&yl(wnwgK)0{3)bCoM(u5)_IC3i;hMeY_Jif4 zS5h-MD!kMB`P1U+E`^JYJpoS4TE>(#qm_ zX4BW2qm#F4+ot~Z$Lir)k8nn_bC*H=HE)CrrtI~iSnCvt&YcQht@aT0(ifR&ov)2y z&l3=O@2h#5YqQv(oJC0zPdg6ptG;!D;)VMpe0K4-{V;bZ`2uJ&T&j$$Jc~)YzDEQ> zWNtvJ0nPOiwX4Uowo>RwyNKZ+FP)2CGv0NJN}VdM>{2SD_DY)zgATrucM>3|KGu0Y z;T(uVb)LJkh0R&qwQ3u%MdY#g1+rD@^a~iz5x8Qk`VFF2_4M}JF$~dB=eLf=>Eb_v z*e3726VN0w@N0)_E%>D`Ve)J@>pV^3utF?06#<7JUlna6{ywome?*>S$$gJcy*iMU zMg-A0{a#Nkpoja8w*z-N;>!`w${E|h_c=xev?umGI)P08QbjhOm2k(bGmALwPK~~O zt{l2vMMMJq!+D|c4qZ6T;^fxg_Mc_IHhBMPU8Q(s5mW zD`#j46-Pe~ulCE^0W{HN|7@X1uNk9R62r5)4&?B(ovpbcp2Q_`tGIy|scq09Y!>`^ z7;`GB7)T9G!$~^N`Z12j7L4-x<5=6@zFL9D&4lh`JWt3n9wn&ys6&Inb=;3uydO=xMxO51~hALgV2hh zROov$d@5CYz(f6I+*ZPPeTDFwjE^&#^sS4QYtL;Mtm+HA71g+xW!j0y6U|V58VFw5 ziqC_Blzq(DhkJKO+Y6xU1)3+aL9^e>Q|NFUJKt*@Q4G3?>=3pF zCFWcINaw`yd>88}EIh4SW8*C)--3#XcMkFE<8E8&R!WKQl8lG;x!V*oV`WP}JKwH3 zB~v};|9laEEbMhTdxu$F--pGdzwJo5>`H@XVa5dI^-2M`p3E<#8_KF(Z}cZ$1g!fs zuC=c4@E}cEdtI=wVRZB|Z0uw)&L_$rVGsDG>CbCT9-yJ(&W3BKXaSL2m(4|@i}Sg> zhd}J&?XSQ6YZ>%#89>2A)}N-IFMoRFpf$dudW@$cGtM@>?Jmi4b%x|} z<-kWVoRTz%J!7J-Vf=7*TgIN+jkPKs#YL1y_PI)=dK79DjzbHNxB2I~K?{<<>yuqz zVqPoN}*1qNvLr$yG zpBtJy8@K-MhUHAv1|T&e*Kp@%a(iy3Y~8obG-~z}#|MRAXi<6{Vi- zx*OJEH^0l9S!#6!{{6S3?n(2z#5hjm4R%cA{TA~`KF#8v=axyrfvyKNb9|vWKc(-? zt|v%8LzIU9`cxrtKyWm&s^V+0bJFa$5nz?+H`~wi-I%zZ{1PSmCX$w8REl1De1y$a za)qVa=_BP&8KbBDI$v75tk;-bnJZ{ng6c-BEkim&JQBB3x^T@BAdcU4P3);pCM_l# ztri-+Y>CMBX28nN_khxb{qw*VK$i2z5xaV*3AqUv0QHZ6dCB9U+s`bwKTa}YqZ>t1_I|tG?c7#l z&jY=rT(jih3XDn*eP}#jo51;i{XlmP%y3=@LqwG*u*k!C7kT`~yWw{qhT03ozs172 zzn>T-KqDOTh?o*qvFbc;u5b4(lTbbCE)p;)N1U5czc!e~<2!5307`E~_L$&V9rt4; zQ)oX#u?U&mCcq7Y+Ef8J)dI)pyglwM=_=O>SO>>AShsAenvehjBpbhNqYZmU5o_e? zHfh6Wx?eXyeiZO?jM4M6Aj3v=J^GONCYj(v&$Qd@GTBRLRRIPC?>F9)qZ;c)!R62f zdG3O5NKvb6c9toWR>K z(atRd3$GWN(4!r49^bg^wT-_Bmes5Ui!XXLv{1mX@@GvzRfKs4rwA0pUo5#D*5DFw zZ_I&KO4BK)4`NxBgTf^1%wd52z5u(Q&l>|NkA=7Y>8AW~f^D*r);)sWOc2`Hxfef+ z{IO|>dpHGbb%D?AMDYMDzbpd66guvMroB7A^3=CPG=%)!75if&{n;G5zZgyh>I%-A zH&+dViXRoCTsZj>{sU!`<|CO z06l)Zz!jcUX|r(d75wtd+a2)L*ncPO*PDij{>i;pxLs!~I>a@_pEwTXIAv_!Y(E`5 zPm5TpruRIH6?jcScUz#&88eq*kqdbd*JsC8G;)P8`C!Z=qCj(x^}=!u^7Fm3 zUHYosD>Bm<7cX9off{wX4QdpmTe;m`GO@ubpPR?XjBn0Vz1=PTyFpKPc~j`YqA}%i zG5$9|7lVs<5QMVFB}pvlU!aR|aIL}eEsM+XT{>*E{@@o#Z3Vd@(A*r19A3@e1D0^OYPNSuGq zMjcCT2*otM$WqEAsZGFW5_i}Q$_A`2em~oNe9A0X z3tB!*SWb8)r}Q;-gm7eD#zJ^hS<+NNa`*ku)QUfG1b3*!cJ#4s+^iBV5j_1f>(#7w zzwP!=bte2tr}eC;o&>IS9+SSFM4oPCjUSaS5u6WP!SRyOE^Z=)vv=gzpG>W=0e=_& zCwNn@eZEa3`#y=QjsPLJ;ukzh&=xnAMrd~|;DwK2yH9F}AZF0!X zA+N9Zlnd(bz~w=30hUB$;bI%y^GCo5&n^@01k>Xb_a%q&TFx^y5BlN{v{Bu0i(p{J z!`3a*4X_$(+aqxP#8uTAPtG3yWBFiYp3NMu!%yf5)bAQ|8K0A3XOZ}2LD03b*`sCi z_Vg)oT+Ib+oZ@8sicO%RlqIUsr=r@c^~y+(2ybnTkk#o#`At0^cx^}C0y{ds+#=p^ z%Dvie#odG@?UEK6EHzdnIdT!4D1P<*#!vyJT4b5_cqkA_o9>xXcQV|LAwH6?ujOF)MPYs{J zh{=ZMEM>h!^C%*A*3Vp_&-N-SJQSZXbz^*>ocHK!dp;I2dGtC+sN-yn@B3bUKbSP% zKXV6Tw#1bYOwd9vZg1VuKt^NbIP0K-pk9ti(23b8WtCEX z>K|8GrlxI@=W8g zIaEiOL6oyCZ?LN>MT5*2?_BydBRXDv^#>y%>M?EYivLEx+5a zG2dL=#XzB}I`RiL-1U(C?VWLudO9VUP&3la(#;S7mDvK4_AUYYXAsJGcQ>&op4)0* zp^j7VmDW$Xz-=gD2>^iCM`=t;)^_+fXE4}4%7-^G(*QUNa0Sd9b`n`>0dZg75qKKx zzdp0j)`k|hhLf4o6@$E9nyVc}El-ds$?|F8qpQa+nKe<-zXZpD6iC*)2G?fd={I2! z0=J3Pbqn?-xOlaUyvNK__r^Pz)MV&PV0XBpEH|UuMFGXC204&kb(;~xI2OzckU$Aw z=@dKAnwkW#ZEnVU2w+!{rFTh965w*@0JauKYk(KZx#VBglS+xj`!f%436tv90DDL5 z%1!P7AjQMZ3`O>vcV+TCfPvkx{fxH|ezc}-C-rwrB9UZpP;DPA8?>iS&paT~)Kvzn z@6rK5Y?_O&t!5)S`p~a%mu}mkk_oqqqbS}&$-RA7da@SNFdZ}Uk4J(@{M^1QHKQKi z7Ak=xGIMg^)xdZaIbq)dJBpW9Pu9RxtTUX}VDPMD+Cz?i$DZmcP}s0-+!sf}Z<4mY$9Q(t%%Og7`HG`cAF!5NvRr!;n_x&(6+3)ATgVR0Y z)adA5tin>({aWV@9Gfb+=ou;2-j8$gi13O}TUzzQ4Qhbw*fnt#xvkqI|E3H}j(kDH zP66U^mcj+*J39rdq9%+^uhhu7DEz=@Zz=f!M6V@~W#iEL(rBPrp`3veP0Z10S(O80ZlQ0U>`xRc#?_q*C^DF=z@U}i;QL}3szd^l#mvUWGdwB2q0b!qRj)~DztEf!;n`p_Pw^x$(s z#`E6NKPRV^GH)z<9BtaV;@+PdSA{lgOrAA*NYw3>S7D9G^fwnu5ktzw3Cj*YFJMe^ zO`O(}WOmQ#OS&D!Ig%b`_Tx>8guXBFp$)}TshAJ0nwH{lkgbk*WyR~Zy&MWcmx47w z6e*5nw|DbeJD|Z&=JGyzdPq)~J|Hp)dcKWq9hd#Jh zCKqi*9-XWgL-Xvny_O$SKlmoG$R}o;))SrLf!j&k&DEY~XMSVltfK~#B0&wmVMmyu zoP;Hnv`1rS%EW8>CO<7H?fEZo#?Bvn$#3~?A%7vbUgfkUPcuiCpibsx1#`P`7C=P; zOK4=pwHi*Q%!f6S&ZQ?_KSaxE2+aq;3#%i35)Cxp$L2!5i&|3WqdE9X4Q>6EnKrbz zWAU$hwm*pgA+G?>>ekSb8mAvD^fJkeKqNuZwYG>SJS*$-% zfDt>}#7-crDZgT>Yao-mryl`|>ssSIJgMPYUWex9R)fK+93!s1I@F`NQo~>@W2ZUS|w&f<9jlnXl_!?mqJCkdJYC_lsuD z_37a2Z4%b#H-TBH_T3w$fzetbHTYUFl;(c=Zw@S^)d_1u+#KrjVBGLRmgb?oO7=oz z?9{o?uXiVk4h(_LBo~kM+x>GbKig4D_LK&>ETR<$En(+K4=i5l&u53T@FBktimk6d zJ_6$sT-!ytES!1So=SK8@4+!>qqH70&n=wwpRtDhQGR;R`iG{~dS9}AiKC#(ixdy`>>PsWF% zl$aG_gjK_TqxM2rF=sDMXBtW&H4R2Kh4lhWZf_5UeeJvPV(0V9KlLxI`rc>w71MV4 zM8Kdrc$4+~$T|jYTGQ71WjVi&H;Ea-%Y5GMar6Ur?0q`iz`>9H;$gNOk;HTf+Sc}3 zXaYv!I#BI~U4QeTo!vMyZt3Um-Xe?P*jwX8_+IAb5J5j90hb7ezevI|ymjeesvpju zRf+HVeda>qL<>U>CREp_c-NL3Zac5E;-d7p<-oW#Kudd{eLpxdwkT`Z;fkZ-T-r8* zx#=s8nJUBA;W`i*5f4qcO<~_y?m?D#P~u>V+na79AAp&;7ibqh;q zPRQpEIi7^kr!_>8HlIzs(=Mb=YC+|d_H~6d?be+bA4=Wz`b(|k3tJL$h>#||{)>p( z@^iSrd{JSD7eDx9-Yqi$w_+g|OM$aC54bYxG_{xCeH<(`XtmHU%?824n5Zl@inU{A zSl!vg^MIP(m9lr%a@kiHAV9V1!qqUJM+96Jb~3Ko_lnk{~XeZ#`!9Ryh;cb%A+XV zlye4NI2iEHoqEee)y95XpW-du4ueaKD9aw~fTmgP@1|Khjk#tc)zFeWQV;WONE>4e z%o4;NNqYXeiw67D!5NU`AWlh+aGucfGqMb9eDTZ`$w`xp7{Yfx8WfEXihf6nT=XR) z9bxT-rwsrC!NmSFrvKyYbBAnx_*u>c-7&vOcQKF-!$Ao6SO^mv`3p&{xz>lVv3qhK z(}GNPRC697z7H_u_A|*l#+eG*YnkOy1kzdArI@Rw8`_M@`4_~zlU-lR@8R4$)#x*S zn91w;Q=koz6JjLCEF>VfLu@mOV-aE)0E?DmZjn{mjqbvONq{8nm)}k;`=9VQ{>0`d zaQANE{K@1jc93#0=xxZcDVn%LXI1-dITR5ezl7SP=fY#BNV2Aw3XEjnx2+u-6K~f< zx3-9TJPBP)%c*my^ie8vpZiU{8!Jl@Gr8vWmIjfrb{?Rug(#j+6>5Nu312%N3_j-Q zlK5h?X@Exy7aUi$4x2P+Rbr)fQgwvc-E=b>Eot7-Azc>ew(LptP(KYWvFmv&lv%}$ z+^VKwL^W65(c#y8zlHCI*X72VSl{#_T9jDPHlO`Wu13c75a&a$^Lk}1o21`-P99N0 za(^MTJwJA1Mce&&v8gZG5<|>UN*D2{VR%>^5GQ3|iOH8#^q+lRv5JjWg8i(HK6%Hm)f& zcSM)Jts3StEwWGnG);ynglM-Wteuoy>a7RwVYAltCEeZFlFL6-Laf|a)y}MDbVNL- zgRDX*3Nd+P{VA4@s4uI5>mOe;rFMMrr~JvUEmFQ;ZV%qGBqYlh2a{-)whw(@d0z3ecl9*Udb%U%1YC&eEK93)rUc&B?YnM1cf20b!b!zs^Npfm1CqKya*@xo}Y^2c3| zl02ZgeLWU%v`EfHba$d`JhipI_oq=&VMjeitsK8Gk`>w-i}qR`+o?3(e4P|pAUVPq zMTUZMKjS#%1m;|3AIy)El4)mKB zW2>>+l$p4Opn&620PQPGDxN3f)Fn)N`u9b9 zPG6_WwXqsAC}9W)n??_s5HZ$TZk{>6G6n}WyQPwiPEFI{Dd>@VhO3?FSwlkIHKLm5 z6~3=vH9&iy_zimtG+|QSFvr0;PMipETscK87X&a&mbpHxjSclQ*=5&9M$KLFt z^VapPBrH#KD^Z-acJgZo>^wK*rj^;_N68nQA6E6p%A`zNijIgKA?k{ zxDA$wC1aFb+l(P^dz6Csh2{ct$APYbr_%A)3(~i`e|3=&vdn;EXd3IfvCI)_cW!g{ zEGPE_8YBQF)?T1|U6+V&JD4y2g!!bfelnPnkNa7}v)^vbD?mdv>_+fjUjHk?a_AUj zoi;AuS%R^bUC8&5IN_{b8tn{2X^+0+v;~LVq)`lw9y(&cAwc*8fm^yD7RIrQbe7Ld;~j`lt*%5CU!e(^~#omEE{a zLccJ?H?seJ3rh+8s?*NcF%_Ggs{60L7R;{0Ia7i81^~^1etHOTq{QMe9$r}lqse}9 zlN;W}gUjg-`{8OlEn(wpzO)Fd)YjbuH{?06R_@e&N%64Q$EYrMn*)0@o^5TyAe60} zu~Jil*e>VRJA>2_cGkIb<_>rb1%~3}Q?wSpj?c%UB|mxki~Lbp#}CN4#sM_ZVxJkS z7QV{Fr=YfF^hx7B{9*AZFhLFzv^g?E9KD>&L2Emu{p^_J)_=XSNWAL+BU+CA<`KH| zzNQJn6QdxKG}~Dv5mZidJC(kok|c3ZTjkZt<0Y`uDCUj)Auw|LqBKt{xESoTU<$NW z{aJ8K@JiZ^>Gq_xNDgT|rEbG@`0z2+DvTI&^Z_0gzoJ0NYsUzWkxs;61^odZkA``x zV1nO(RiT3^GeOByp?ugII*PzVr_X&x6NM@BXIrl&AKslc#Lk$)&Qge?h%mFG;{Fkn zHNAFDgB132L)}Nt>I)p&w}vn~(xfHkHa8Ppt1@tE zcNVU<`IX{xfV;J3ybQ^kcju_(ic2cvpN5ulnF7=O4iX(l>h*jj(RP82#e0T`=3q-< z&8XwAz3wYT=k!()JHUQKrZb)&KuWMuAhF0W6$v8N^TmT8d{MkFMMI=K%_^SLNv|v( zWNYA+WV~_*#6KJXt-G{pD_nC2hd$B-?+?2^^6GpVWuUmphubH1KM-J-p#%SQZ z5wGN$sj2JZ-p1EhyA8A(nb(WpCzLv`Np;jxC)DAm8I}z7=Co3T_?xp;teguvJbDkX zB5Swr7w7kf9!EpjxPzm4uo&Y5gLHsW2;}wvhhLy#|C(Lq{yxmD8g~?tSsk5f1B7Rx9mfUP>(`a2-|W~L1~@Sw>swmgmJv-&!0RpV5y-8?6Lq*1rxw$*;`n%lz_@fS&*KbzPNUsBUMh% zPGd+oO}&;W@)0)rVa9AURh;VbW_0blz6!M##rk>R{;tH!V@B>3IPDqTut(L(almq& zcyH55S8&N6SK8Yrs!-)w-Njb7tu&h8tT~rqw~N(vl6W{nMLG$mYrnMd<&AD{&)&ls zwu^J$D&xmgC1~r;jNZ&Z=BRUcx$Gr-*Wv6w=d&drqVKb7=F4Avb(7Firu*+gW`HNv z$GMgBTa~e1LgSJxP}Ww{*Bo(rxbP;*C#r0K@QSGGZ!!#_>$gzrW;_fuz(~5NBvoBh zEszFJ$@T4v(wEv<7&k4BO&8WlV2pTuWODhSP)bV{n{go<83u?Kd@ zksq5XEK7UYeIcCIqe?0VDEsEgHL=Sb@)CEpC zh^wg|sGRH#EkEyLwtg{g1{L4je>D1TWmoy~&ZHZKCFl9Yv{1Y?>PdUlu)0P0sB=*h z^S|KTq31Iz4p-z1uwg5>i1BN5Y`*L@h3j;;Bz|Z z9fe;7Pw-Nl#U=sr6P!UsgRR$Cm8MsvWU?xS9wD;^%@3c^XVe?on>vP?oW z4}&jgnxd8j+oFf|wq{Ry?>bZgrIPWr2e6S^SMqX3-;N&6@QZeVYdwJ8{1RM610Ggy zy7`GrA0FO{Ba@J>ZL%3J)I(?P#OhY6xjIG4$$Y7r+e zs$&suSI*d^p`_n41pR9u>l|He?q z-+h9z$-lBd?v%K1j2~Q$`FW~LeR9p=9`iS*-4x9#s}_m8GT_eEc1y>m;1L6(WiyRA zZ3u;??OB_65QSU!k@%hh^WQUOM|5GAlLMS+zGzF7u$blOrG}vDPYF1An+5fl_S)sc(GVB_3K65v}yWOU>ODW zs6qg{iNRB{0?@qvY=s!st-T>2ISJ0Rs*QMay9{lfyI_ilnjuE(KP)Cbhd2tirU5xp_qV8*v69TrBV*v7bPM ziX3QHg6gM9vu_kRfo0nZxeXYI*vQzlR+xK}n-}hDfoFNcy&S|URSH+83$>b+N9H8i zv%Eh$n>$6CXmTJ@dVe%CX4dgPX8z#4F&x33sQYr+7;Ygl=!2L|-d6qm$K`l~=Z$9E zIhMj+-S9+ZWX5*&qgC`LB7RO+bXpgftrF)nA6>0k#I1YjsE=C#$oa^Cy+QihsR27) z_+kS9kLkF|;B~_b>v1NOb_cCQS*D#YgE0q#-IpSTrzt$n7ESq@k(yvz6-OO@#rPPP zr1{evG0&^fwLXA;+SmE?u2T2k!{gPx)s^eBRWG^^3KK~;!w~qjOf-^|vb*2cuZ(v% zJJ#Z+^IjN8c0tk%k_Yooy!Q`asnTK1u@9E%euwa1d~UYjy$MGD(*sjK@x0hF)tdGY zyZL4F@K_QoTpj(TnY{6~G&nsIPmmA;S(-L9c`dPLo>o?g!G2iL2LhKjU<4-o6)BKg zmi5k|+vtnV?q(!e%@^Sf-baVFgA=O=T zz|g-3=#OKr4f{ufDR|hgaQvR>7qmLY`nBERwXX6x*15TeNlZV{n@9sd0Atj><-Sxu z&9*<+&9Q0b!DK27-8Dk(l?}^a%p*I3iQl~#r2n(hMZc7M3ZKgZpS*Puw%~;s&%YC< z$M3tmIl}Ds2Xb8-s1>Cfx))z90t+QR#v{OHk-4hK+B$cDL*|h~eLCa&z?eSTqrH)% z7I+2L7vz!7g$S*00{5LON}683r}bf6G}pcKhP%FoNfyfk*}LqH*NT5C1X!6DmrOX2 zk`@f}YW;i^Sy-@F*`l+-`ge=`xG>PeUIE_yf}Ai%vi_URJg-W}#E09ZD^n-8!_Go@ zE3J&#&VoXwtoppmzqYUZEMr{xTcXQTOEp`fO6+P9o?rnhzW>-AR}_2#GQ-vZM*?*|l?_)gNfW z-OJu5yfJzLg2hFs^N{gfbisaEL5EDxHf!&DZK&tj`A5_OJ#!ozA=)w?ud>Uss$*%b zZ?HeZrk7Xv^FqbAG?C7b6zh2!zLQ-q3q4-ubwjAjt7D?$r;BN?^BvQ90GKl*j1L+f zOWR9TscLM7qAyJ^?%A_c1=s_;;q6S=t@H(F1xO#nQRnMPS&%9lddT6jV+>7<=8&!( zHUCPvZIux|oTLhF6s!s-b6 zdYc!xgqLU#L*R>CD&1k!eb*{3>s zcu_q8lnKsD0mi^lZw*8QvnBfpOH_590cTQV%67L+jU@fLMrHm+`LeHMcmV zYOiV;*P9FvXmL#{CiDY)QojW<)%^5g!y;vuOQ3wG+xUh0LZ#tC$u^CJ`v7QJ7y`Uy za3DaCW?UmY?!^avcCA}`t2ssirxu#P$G1>g`W3461^VN&yBQ2xv=_oj4vXHXKo28O z>7-LP79QNcKJWKDG{m`Pv8Qkd?6sJw-io+kT5Z=OtctsHf{zRL1)dM?r~x578uuss zpB9tUfG@6x?26M**07)+~DL+e-A#oGiWD+j}U&e=9$f$L!h zqIn@+p_b(krXY=0y}?re%g2>HIHDu&HjoPN*(X-$12A8{7%`UX-?b&C2>H*nP_@4w z9Pv}5wg(@si2N8&^_| z$_j>mh6LAIz6X@Wj#8<+)5k9!<61B~#EusX$AV&H0oDn|!0S{dhsZ8Fb{b*R2DCpM z6LvqVERMifAbUu41-UsB^|tA~4Sh01J|J7)IY9 z6=5)2&>l0ONt!I<&9~{kq(+|pxXpUP!G*pwfsh6^^A*f&)B)G z7yc>*aXKcrm?FGeC2_g79eaICqb(3h`RTz|66A@Mu9OV-OS&rE#HCU(6MEmKQ z4P%|Rsi>%d;F50{P(2a@zZYoKd-+}AsSuxy?2qu}39<9-_x+F;5i6CSBlkcVgr)C@ zl34UP)#1X_s|zMyPfL6n-)l~yh?{&J_+Ep#Txv16L~Q?``Zcs z>7J|e?DpO(=7tdl@!wYYXC1w&O?YSi;=gYroq#_WZdJgeb2C;FFfa9pV*h~ z_iqol^Y-^iDk&PnWE_)yoPAn15U1lrL~Vd;r>MDS&*QY#-j0}1y~_AkE*;UzK~H!$p6&iL*eVDpJ` z9=VK%MRAYWan`=(s-wA53=NpYa0c9uu8sOOQjUiYDpijH?|H^^{kzU2AYIJ1V?rtH zq99~MQw=TAlIJvA(VrJd%pz#c{Ws}p=1#dNQ#|NgzaJX3p;OS)=R1z;=HoQ~(FfIr z;1~QtNQ^Lcrk>dUNkG6Y5}U(ELtSI#Mmns$^|mlLzW6dar_Dax@zGv`{eo)f$?@4I ztBLyni$6X2D08y7vI9y0ZM_5G{A264B-c z2i|8a0;*nh_OYHeTu@7%CI6QRD6E2`Vw;qTPfJ=_4QlVlDChjn+pKt6^Gc2J$SB`` z4ojqdVwrgw_l@B#bmDC(z=Jc~k`ZT&-3T=sw0iPZizTk8g^+ErNYQG3WOkf`2GKp$w&H=>7NQhwD5^HbGMKWv{Ewj6pF zfK0Kx7{sxV5$xYqW+q_q6505tNh1Gulcc}%<&b(OHqdI`C195a!j4tXx8;5_YYOo@$Wv2*kZw!$MH+h^pO|3rhp2 zpN3AH>H24(v)oPyx%=$+{LxCR;@cb7BzLoG)I}~I3GHQ3oI~#eOcE^8k7vht0&g3t zmz7b6-%ek@LAiOdK-OFUL=i6HlBi^@1mO6M=B@%--F6?Dao5R{>%2rfq{Ak!l| zrCST^lVMasIy;CV~ zu#m9cHFR8ec(`P6zTobi`y16|L1<-l;VbPcZLtc_$}5uDHz6g(2i1uoTNssjYm-8{ zA*~5$cD1E<7@>7FEAAvRd@tIM|M2@*MQ%yl5%Hj8s#4OLwD^i~o!S1;OTG5zPe#qf z1e^vwU}hBQQZZ|P(!_P}9xmz7Tf*abx?YW6i>v+)bS3(ybg<3Wh;a+VocvT>Rtx9r z(2D*uA&K@z>``fLxKO-I31op|L@&>O8g7lvJN_8jceAZ?V`d3Px=4G()%W78kD9lP z)fPO@iw(NNA09pv@3add1u{L0Vf*DDfYhimA@mcRyc@GJE5)5=CCqt#-Pu|I;Zfi%q05@vHX}@{e+9mUP#x*T8~$;Z+%9WJ6gx<;TIxseYV_L83cCn#rv<+=DBG+ zXrL)AwJ!8fe;t>#PDysD3yO})S%Rc@jx8KkKeY)8VX_-kbM5fKcBkw_$EnT*itIR4 zRKW0I@Ai_)SB!%d$-qN#-UB8Mm!l2eJ-!5XC>1WbH{Yr|t!(oZ615GwjReR%JFs_} zAzbThJMTuJkWBpri_<5!p8es(-1eWh{IZyC`;X|yW32cWd~XO9h~TiRF#3FYrhgX~ z$4+m~c}KWt*5^9KS};P2>5*Pq;8eACE&ZBP8SjqIvO6FoT{n25KWBwHL$$sSm63A$ z$+!E80yXH(n`dw=^eeL~Pdk@|)ZcDxRiT)&_;=OOoaS@1K6p-|q6oexT;XmM zFb~kCzQ72u!S7TfWcny@q!!6M8roLg8h-Iu-O~~I#-gNG@^kEzWydL0C63CS<^Z2N zlzvpZiZ=xeY}o5mZOnfUY!hfdeF=MgWWcyIVL06iogQ}Ji7-D}Y49XKz|4ujkwHe9Wk!LaSQ~|JzU}6o+(QP= zc5>sUy(6|gnd?tSJ3LmRgIi@i6S3bT1{SaP{RCE+9%B74?`0d8l6mFA0mN=A-GO4_ z6bTNnV1hqWR;A+7A`ip|-tJMq;0C!XwRt7u;2pn`IR^-7uiz(N{0bwI7d4D4x436B zd2}290F+#acPNIc)K_@1yOx%HJ(Jtn(z*mBce@JbJ{h8Ox3r(%hloI)vU9!B>)sPr ze>f?CJW5yEB5rrd){l#wpECK=wBQsAoHgNv6DR0~Muaa|)4#cpCJ*xpM)EVIH}t0M zvHH?=hd3y}w=vXm$T6cb3-~H8nKIBk|r##=9vMMF8tlSydX;)^xL%oB=6Z zmeH#ESl-h)18WG+YZwYJrLr_yw#B&igYn(ju8STT{`!X1S;t9udRA4_TX?x&U^?yn z7a+q-y|lQJ{1Mxot&yZfG-A+(D<3Q2t`Yb{IF)~kQJ(d1K;q0Oibb^g^zZ z-S3{p&b<#0i*eW|zSLz1lUv-K(jiFLt0mvz*h0swt&`o?)L~%9>vy% z+?fgF2Q%`OrTpO~MFCRtyy>Gf30Jc;vP+7NOd^7iVu*t|^ShF7x-l`dBJI>`6o+SK z&zP@*3nkRlJ4p{+D<=iBPvkLq2#41M?VF;qBG%8l(SK9Mr+54$P3+V1u%89fKk%A$ zobKHL*ddn1OnBL(F+55>gy2}{ukBVmX6f1Lhd&FPEN71$`$G9nR7=}P&8gq&{vfpE z{FoqJQn05|%nH4N9~Bd}8<`N25Gzl07Yj@_xE~o}d2uWm$d4Sjtu`142Uj@u&Mw zy|`Z_qqZILqFhiTSbO@%BA==i?mxXF{1^Dc8ZxgMXymSCq-&D>Y=vCK>1eV<-ow{- zzkhj={IE>quZDy2HZg_QcVQ3hw|E;o0{e0Y50|qT8y+%#cpUrn4@*SzZiF>Rwi=EU zyVBvhtIiyy^1=5`0{R_vqDV?pY~j{>@OCjQHdfG^Rx?+wG(GxtaRd#TZoVj+v;D>wh2C(XdD<`-- zz2p03N&%zIu#lQE5$av?Gj`>V1erZD>g};M(dO@e;D4e};CoGWXSBHFvGT>=m!cT> zrLRyW&{IotFY~mkMnBJu?qApV`tEE{Bgp5lw4W8>7`J9C(E?DMamA#u`D=6lE#kBP z@Wa1v)IawN{7B}Y8t6o!FBogMrALEHM)l^mC2m)Eu8BQ~&x^(+>&>uK;_!&yK9A1^ z%wOT*4feY^+q24Pv-JG{%&}6|v=R1poT;>$SNt^7<^d8sv-FOS`0tN|93#1{DqC_4 z6!4i1cu$&vXD@okM1b`+!MsGx@n~bv7$gH3gB;oSw^gP`Q9(ND={3+A!htVZ)vVH< zk~VF(yvVGJS5|;4&RsLvQYFR!QQGNbhBs~Y-VEUm=F4e%!hbyc8InyI8T@5Sb@Cy- z``_0#6$)-nB?KiyUraXF%8g^Us&f0>+&&>2ukHi$JQLt5nqWyFZj^oJuII&Yl3Alq zN%Fs+l7AkSk$Ya2aqHt&gQJ@fmXZ0mu8eAbKYSSXZ$nvpIfHMX#5tcv;APWGAj$CK z@demevS32otY698`};e3eRuWwr!{9N*j>Cc&np%=G_kwsq)mzifb3XEfko95Bf3&c za}Bw!*cSsC5A9QNx^ll;hSSK31gre}asKC9n)125AneUPX3_ap?gm_?yZ`GuynXcl z`x^z9$$#G-(Qvs{HcPN6GU@oTVD<0EW8l757Q&?q3Mlx}@*A??w;b4gcnd{k`&S8{ zfQOjv)~T0-%}kNBkW%12|HVey`+Myi!HS{a^t`_N$cv@T0AL+iBrJwvwhElHl#;?S z37mtxU{Pm0QKa`&Y1@Rh`-N8JRKtk6QdBjQaB_r2m=?_}bs!_$N_97zSw9}h@iKWg zgJT@oRq(GH{^|Z5{+nFXwlMy-yXlcu-sx!df1lWYzKj3<@z?0X4Gv_E`Cr|8)VG%y zVU~-i`}+-zm?b`5k*k*fANS$E?n=#Fug<*%W8huGcIyueus^71_lR_fy}j^j)c3!b zg_GgXPaK^?lB061%K!T#yl_AM1@3#%P^8iS%YFa*-%G~2TO(J2#d#6&_g(wvS@^&5 z<1hEeu{Fp%I+On^pMG02|Kry4gUe!vkX;G?uZQiwZt{OVf&ZWWXL8%a4UtJwm5`Fm z|M&&|=dbhs*MEhDHkO?WjNZhIDr@wDaJhC6Z$o>FI6pISZhAoU9@r2{Y=n@ow$&YW z(JvXbx0XQsF zx`lzEJEc4P-Q#)A^L?J*TJL(-djCGlvj&*^zW2WNb$#~4_1~k(#I7;y+e!hD#CP5q zThsMLF-~)0UsG)EciMp&x{f*xn6}B3Uij#^U8=niW%uecIQ1-Sb#8#ZGfS2HBsmc$vN>8hN{I4v+;kp~{--%*f+xbQ{;(SNsS(3pRO3cU%RB)?>`RVt} z-vKk--)IAX1RdIv&WtS!nwxQv^X1spQs3)$TzdTlcgOHQ1d_h(g4S>3tv1YE+w#~Q zf_PyH@X1lFUjmD(4VV{{HqJhuT1^hN;o*DOzpkhQ!aimo_Yuk3!#WnL<{iNQbUSb{fS7bm+;vFdy&n>7OIt$il7t)qUZ4-z)HjZLVK*F8+`r5Msj~@-sT_kKMl)Cl>D(r@hHdTNpr^frY@Wg&SRi$k?9SAHoX*&-~ zQw6lIe*Jq~t8E*6H?gSPZ;nfS|IXPM58>IW(c#|0th48$RB^6CPt7dAl$M2Xv5ccC z6cGPey2}dffPb^5@&SP_&~2(`o=}aR5DKqFKrW>Ms>0B`Ke3>D17YeSTWP_6W z&96r?fqjIOdoqTg&gJc8t5k|1#GPRh==oaW^(NRHT&f>F(|>XOX8ur}2r~8NH6|>u z!y0vpZGhOa?W=F`G0c9|>~qa?+c^7CT1*I?d9oR)Qy(`XDdT$EqB}ewxm}O)Nu_PW zgNmuJl@S-R(IM|?Vbsn*V6ZA`4j^vQ;C_zN@0l(Lkx5Gtkci)L7bfR&IMSYsXIkhm zD}IH05IDBrye5OSp{hZ5U|ma8YNu20I7gd(eVqWX&|*aGxgXYW7K=(I(<$&ZBtwAV z0d!xG2WIw9?H;Ni0=35=M1(t)l`iBY)`+BL5*Icsjs9nm&ml*z(zj-%)NCpmN_xq$ z3q|{li``B4pAc_8@S4)udc9Mq6ZSK`-T?@%D!?g^Jb4Xa{-7s-Y@N;7B6iUa2r_<) z$u!AljWFGRWgQMK(7%mGp631cU#x1RC2H>2n*+1jb9LhZ)hpGbuS;Lylglc@qq9Ie zX8)qG`C4+^b@Yi7-l%f@Y>_~Z&#u>;;xRE?t>94hFM*PRB5}|x9G5bzyaYwVX9n;` z5E8q1Cvy9%$v%04gv1sTttL$=!UXwI5_04`D0 za-qH4%n`SBpyhWw`hn)LHNB2TJm*_&E=EHy1&a^S@JkQy;P(TMnpqjW)82fGIZ$Jj z1*Snje9An{Wt@h++`Ko(D&Orgt!=vYW~B>SCgK02=e>A>)oE6n?LR z?(c9|QVs3zF-{Zuo=F`hHeYo#f)JH_(vAGkqqkS`Hn_r-;9GK#@$?v;-P}*I2c}ir z=o(|HU(anOKJi=ezUJcaYl-SI$-8mft8ZwYVSZ;mc>V=X^!SN>?96^$#qQ$zufJ86}U;c%d-zg0>cHdC2oo{<2XS3*W^&l zM{#o~#^2alIhh$22$M!y>)B+E+rVaAN$z-O6xrEyo~XH0OB_o#QVs~uFuN6{yLx_q zmEAw7{u9e=zu;W~IE)jvaiW_A*&|exvtaju^RSs-yvn&crX+Zo38hsIL8I|p@BT~3 z>%`CN`eLsTo7(WVoX6kDR-T4EZ#Z&BD`U7fAbP@^V!DrE`(PUdFP$`vRgQ74^?sT5 zcqsI)A;#l6&;cT;K@8%7QaUi;ercHl<~%EOq~Bk8X}JvNfiDLfs1g*=$H8sPLuiOd z{5MwzVjDWD_vpxI3fkN*(FE@C*=fMyUj?#`%32o?^&5i1D~Mry4`}bxw;=j>2UA%+ zwvpwl;HdEeJru^=r2X8l6X@s}r2A(}k@+d6M4?nV=uL?!&EWDkN594+3(qmB{eGlj z;;Rt)Kwq$&f=V$OeqhmXffA7b5AkMW#?#PJ%1DKPaY@ui(3R>ejJJZq_zN@ma}ua~ zeJ<8Tzpes-RkjU<{7YtPUX+nW$qzP9e01`@iB&bUL|DySjJaFn{;c2mcJcKi%C^iz z)5s#R$YwysR6)z7FI-We-Fn7VioK`%%dV57R)U25WdYC2VzPeQvhJCJ{F#@W$0N=w zc_nw9Q%c<0WwfU)KincGJzW^P0X`0S4EwBvU66>|mC=X3*p= z)gAmB;fU&%#GMceFA*8|y~o!;CNQ^9Y$fLe(d)vz&rj>3@23>^IA^*jIy&mC^9E&J zMHPRm$M5Ke&#`C=l6shFOsSCjE_V;H`TTf)E18OaN4dgvR{VNH)%BH4Tjq7x3lt)# z*POr!ie@eF3Wimwznbe>cWPg4{KY`r`2o)#A=g=*X0+fsW-GyiM~Ht_>}$HGm4f1AOJu zJvbe0aD83J<$YPJ9kGv#(W(`LCtyCPEE3qrprIdHk6#_An^19;DU9VKxyBJCU<&Qt z!h|hxnnvKSC<;#xMcBPPGyhPBin4o4?~de=Lq{lApYc(To=Ek+5G%2Gfmpi^Jg|RD z&mS_1Q>YVz;hY0?yi2D`@QX05cYzOfO-<4z$ze|Yf^QG6JimOdLoQE?hC#@9TX^`3 z#a-I}$jVxsV!1n3!}Uzp%OM6$%soyJUqv5nQa+h$r4%mEWqV=o|M$GLzKBhGHmn9GfJsTzm!zqFML|f8y`j zF|FnrZ(9|xjhyF!}mfgu{f5T>cv@S%{7~>5q;Cmtp}fr6A7Quv%OJE+0N1r zytdz0b4eXb%IH;-{@&g=x0%kX?=nHyO+IhY?4PNmj+Q8+fCXRuD&$(H} z6KcrhaQFV5V7d3wZ}T&JJlo6-@p2p(5TAGlkdNp#SI}xM*kCN*W+(DEt`qGp_ZJ6T z(h2C>w1TZDBhYiI9N7c;u3TE7wSWrxOYCgkKdo6KC#Qs@Kg!|>T`;wyoZp?Eb{mB< zspgBHr6c{N?YR5_bgoDvv~TS}ya<2{JNkF5+IM+@mx#${LLB*|LgI&88@>Qkj`Zsm zc%pnN7AP>okmS>rFW{nSjyMGf7=FNata2mC*E16{t5^Ooy<1z&PqNSWBJ|t9*TB zo)3@=yb}q*d(ot=BHW%|y_qn05GW2BseS8-a8~Pyu<@`s{E>Z66^zhN1T>J^DaF~K zI#9myQe2{z5{1L7=?8%c#~O`e!BqQXv?JxgMe0vG0%5S-M}a0c_UH_8Nqcn3k^ytP zpz`2~zFZUko$O~0DnY!rQ5nRRi=l-mB)1Y|vnF)CPCW4Faz^;3>rP<@VJ-Vnl1YTT zh7Hg%3&qFV=D4SX+=x)kRYf~(9K$kReHnNZJd7B159nN4Ft8mLX5t`XyRIPaoPyrY zbhU=%i-!-(0WFz7@n??4LM}G_*2V{aqC4m0VP%;3Lkmk90bzp365!vPN#<)O6~-y= za*f1QE*^x?sbUoUi!G$au@*89(0;A88nY^5sz1Cw7=S#*w7~iU&S~b zfw{Ao@hXQTB0=2=8j#)2YZrmP(CYDVcobPPc)oXxXlmX& zFoxbA#wpgZN}=w-UXDuYEw`!IO}%wC&v&0=@pHKU_Epo#tHp+-fQV>nZr3!+y?jn^ zpFNRL4Ru4`6!*p5$NSSs(H-2cYDRA1ypuTiCmG*QG`PiNh5Lo3UZEb%HZQ8*QZY^r zI!u0?;!bC2=lt#}m1Qf%9Z#uquus1FQnJ&zAgsRG;&M|_X=WuU{iNNCQKXwjD7QEw?n-()sS00mvfMpj>QM}pDvpxL6!ku_ugPTZwmij% z+f?Q;P|a2QWDwRuhv!Tbd?y8#$T#TU0C?&;PwwMhAD9wZ$R$1Ee?~|vQfm~;_OS)O7~PBJwS##-_oT?y6k}LG z0oin;WY`;?@9mIy5;#AQF)`2`Y^QS+gs_x&Z)= z2`ytK!$lpYn)*^ry;I8RzV@-B z@O@BxpZakd4MEg~Da$bWu$$;g+5$muSvi9kHikp!6$^b@5X=&U;h(4x5U zHt)lx=@b~GrWxJ~-9>dEB~ub;2sS{-HSiUGzv9azafgD}YGgdCcG4*9$Ry9`?d-SR zua-~AwLcG^ddo7u&2)KYgc}-MkuD~TMQgmqk<*zl&EZ!%B*edr?}F|eehIMmF{J@N zE4#cR2$z7sdO|Cy+{@P}&X-lZp+}ctrT8&`!Ecxz9Rq7WnJm^yOy{)^_djsoE6*pM z>(GUr{Y!BPIs6}i*8_lS;zZ+`*!REvPp{kJPSUIIa^b2bsIak18^YF`rV8jwIq|hc zvG$0%^{S7tx(y#HdJ1${m2`|2F1;$b^;jA$E_NLB(pe=p?P#qq>M#B z1<*Wu*GEVZhUAu~V*G%8R+9!kY%5<)zkE2&ds(H1_|~=(vVgF4@|9S3?3f>a&~X8P zl=6)qI~}%}U>ZV`K}_R$QR5v7N)eOv7})xyuBvi-gm})T^xT@~W)2(GGU~)j@F_x| z4UacY3h8ehqFmyC9YUk%@jNc&m2qE&Y-8H7dj2V@V#7KSiF6UT6TO+o5wFEpNQYx_C@feE* zZ@yD{N+hg50Xd!M*2YBo)P#t}mIZcmzJ_m$)nRxKjyW784t<0IHGed&UUfua1rqIQG4i!0qWrI-QPEy@%Sv7^W%n9RO`(A zj&1zU4N~g<+zvy8wPXe`ZXtZ^{BPh&G7t4(piOD{Km&jH#=zU8|hZl*UEX?s|NRwm3a_)BBE-%Nenoy%rJ^Ii&GhWCeI=D64Q9i`**0HVmeI zo?zos#z}5}c8glhCfSo~dD7iBM{gNXA*aUY^WrTIEd{s9$%=CE@^%pmz!gJFU zpUSc^!7k09QqlM`4)a5zER!!p?1HsXdB0-qk7?y%N1_p z1bpgU4@Yft_a4DEv|k~j^fzhbZvO$;-H+fN z!O8VNbAXW>qBNX`mS~^u0m>H{6tC?(lIqfN%M)QebeexF?k%fJy_WUo$y+E5t zv5SH_fZmB!cGZge*fAk!b(_caBgUMn*m=&Ot2mT2h0jX;X-{S_?PuGXPUcB;_}m|R z?`AaPCJy>pI#2WjnQfE}Wy7ED^266&Ce?Re=#$aDp~~I&aQ#{`$d7^+CZW+~XoX~i zi=FL7J9-e;>7)uwV|Zd^3kzt3(^C%qh77Pce#6`gIt|AbL<-`}_@Rt~X;P`oxL@Wd zXP41~zE1BgmPmO$0VUW5Ax9weo-WK*kIKwQyj(498XfC6_$cP^<<@sb34N$=%Zs~0 z6{w{5?P0Y1B~C0Ku!q}}O9@4fULFLKP+RffT$AvJED=(jws6iED|qa%kO~~$kepls zHPx(Qn9l0lShS~iRPh*&cK?}(dv7PbN|B<Un3%4s0R!s6c2mTJ4PRSZjJMenG8fu+u}bSH z4pDc$_bzZTLE9aKs2}mb&g`XvKW>BDeU(N0T>ju!XdBH1z`)sZv|ko%r430>2$X!P zKc+$7C}K%+$N$_YM_|jB((2&L&e{WXxt|uBpSq=3xYMjj&J$ zN5}Gzp5kPfJB|wCMlVzomuiCB5;s^5>Qw~sp%*!V8caTv|1Dzj{7A3L`)UlL?pW~5 zoszLc+cEsXO)5+-Yl-Q)2lTDfuA>9A{s%qF{9n4@>&RVW57^l{nn-snA_n`9Yd=9m z$$PQ4Dqqay9k@;Se2V@48+=u$&xpw9-jP1IPB1<6NU-vUT?&!Sal7_OmujZAPvJk! z{#4KYv2Y9-0{~Iu*P@UY{NV0RZuo1^EF4#AFQmH-VUoFJlmqTh6CXMVvyp$!p8d~v zYX4j&R!%V{*fGzlW)v1AU_+y_2=|oHb8bnlU)q41TBxJ*F=@Y0xi^0YQ6p5yt;9yh zk9BwJQupdiszU$B+xBAu`twXR74_RwtzLW|U91(6UX87TX-*O@(wnnM^BJeZu84$J z2cI?196vtxDe@XPu&!d61ti@g&T>A`(}>W>&evKI* zWtxM^)#`H=ZR%9Gbh|y0+RE<9J85izYveDWZzx&P(}s6emrYi$r;oPCusOEV1?q^F z3wnadqDpKUP(qSB9FH(aouh%3w3jDEl9e`%iT@@F1$Y!)C?eI=MIPt%mn@}7!|*$- z%j2L)IQT3}>(L&HZ4)Oc34PfnuQn||G=Ic+4L;vh4Z-{e{`fWY7OOQ?mthwxv9gvl zyBMa0KgVdIE}EF?X_t}Ix88l7UYSVRnWz_%6X$tg*Jvv5Ok*!@Tj+yj!zG7HSBePI zYd?MhocR<}4-e!wKk0K=CBIMN5C5JP_VHyddASILhVR5T(MNOy%4IYcbVqLX$bdF( z8C{BN8%qNmpW4G}6LlK`Y>vJDTgVVhlrtcq=Tjw@-wHjQNws4YGd_+xY`>m*bMi$k zK7t6_dIBeOdlar;QK#(4n@^L!Ni}IfkrDWJsGTX#}O(qkmyD_N{ z>L?!IFs~5132# zzsjQR{}6_6>cIT|KZN0&8lTYfFFYtQ@iN>;i(GK9vQv0JZa({$yWky8`U8-D?SI+P z%A2?(5V&*-7N+NQGg{`fKNeN588T<6X^!_4s6Icy3640|Gdo+P*W@hsj#DI^69ljC z%0(l?;T3q>jBtfG)qM3cfiN^)17z67{tu+z=TOc>1D71D3SokDG*TB@ z4Fr@mVJ%WSh2iE}wQOFSI&l6|kmj3sicC6j^|~iwypv=q&LSih59O?xjiUib=MQ!O z>74L48tMEofN9+J0V@liGFx8eO6O|PmY3@{-STsjRSx4FE4E$rbEfe&Ib?Z7=T(!d z5`g*4N55$n<1b)SI&|+1OQeQ;`84FJLrU8u+<889S|?JxAI4eKe-5zH)yrpN`8$em zA)S(}1)j5^QxJT4_SJVs=?y^S;fdKar}4Z|d;LxM7yspg4mPog&zoe;pNh%5@cOlH z`FY;Zs29zg64}9C+6Drf!t}2isLak~IH13}Q9qo)l7nO*OnqK{a`Y$V<=nNqR95?V zcbu5*agK7_^!)0u0hj~F^vio+9LdMdzm|esK~HY+DPI*^fK;mhy3D5x2Y_RBf1f1Z zoAc2-$dI<3`+V;gR$6`on~8c&AJ$jCiq3RUg*S4!UDd>aMUo@QyWl^mlx6kzhOyUZ zIhwFDC47;n%E3wej2Aft$v4^r*`p;pY8tF#1p+~6fl?C9d^K=WCOIS+JLBp&rZZISO20VPU0(a}2 zZ?P<(hnH5uzgp<;Dst4B5=+Bz8D7fxKAU`Vf#lxccLNToKhAcxsv*hHCPOK#<3#e5 z`8@r^*hMKxRlO^EmCGJl)30OP_6yd%A-n9ZG!^x!s^5|4Og1m=XiC8o9^;*>H|TN~ zvCeviV4mz3m=oF2(TD9zgK6z$)dL%Ue116stSqta_*=1L>#_u3bxGf#OED^nTS=zu z$9qg#^=q-vp$!m2Q^LWeejWsHz>}sVyns8P?tF1I;MQa^L;&i(>mYx_krza?^4d^- z$&19K8oNZhU_1+R4hNZ9-Z&x zP3_|wRZ1?y499DE|GtWSnXUZ@XjhU0v8Ce9pn^nT6K;6o>}3BTO7t2h?jA<;9V(35 zgs?9+%AI>VB%(-$n}>8&e#3HJ9F6uoNFbvVZmu!kuAp>#4I0V(RH_DAlsSL zq)qc9D*W!8IRhA)@63Ofgq*%#R_|i_xnSxfY{zQbjhlsJPUhnOhIlqHcIoSUwPSS} zp_+>dD~6Z_^;SvDqw+JHx+zQ$xk|9iV9IV({hzZdCd_rHo-cwCg&}^A-o)cmB zi8~r2E33m{<=r!u;s^GQ9g3gM^_+>`Bzl4_UkSnuu~YGN;IbqYu{wuU-Gmz5V{jDysoA1 zwZZN>lbg|WY&_c4_F&^95-50748wB@r}3_$Z)hTZYV1Y!e*+AWJMJQ@T}ug|bye`MvAQ*E%+4>)AA&+Th2{69OAfN00tFwNGCKfGelaCnIdQ8+~epNI~b3 z-a>aoL1oM>wg_io*m-{o1J4$pvtl@P)OIB?fho^7)aJ6^^gA%gjks|&_R>0b(bsh| zofkZ#t!qs@Y6FgoDA@b92CN&dH*jE}VZnZ~Fq33Uz1DH)@OY8Q(*A<}h6hT27P4b! zf(WG7sy$fVZ`q1zwyU>%G(Z-~v&obb*%ONZC|7OwbLqKg585-6E&fi@sYbZ~Zx=kX z&H+8S=6_D^`OL15K>zr5%IjH)Z(VHv&|%fN9*da4uV0RXB z)FU;h1(9);C6U%%Uon*m*wK!1 zk*Z;6U9Z{<2Pd&bRv(4!``yfk&Gm|2kMlyzLO~m25T!d@Gk7R>v2zR>Y;Vhssb$+r zIx!@DaeLC7ruolf_0CJMue5jES&fQuxEYPg;v@sA-rBlSKZeWRVSflP{b_S3dI+qo zn9bv|lur&!ESQIj2pF{n9Oa|oA;)e0;gw(tJ?R=#AE7)@Me!iT$-(`v zIy6I}5sT#{ZpD2j!0>4(w&}8Km|e&Gh3ieODW`@|VRSU!(VyeUJh3P$eJQjU+o_P%w_(yb%*}$h<<~%nF zhgq9mQssbZw!5~>*?f%uKFNF74gA(kayUg{0t)ne2{lH3SYfr^aAb}2_ z^RRF%O8JTYQpCaZ>?uG$m5(kLC*6J75jCXa7&wKw#kv{D535QfcGn@90 z$U#U&zpv$t0?^^fLIHX?Q%PR{;8`Qtb61g)d&^GHt361{>&o&{Oj`68vV4UA$LacB zx54XlbC)Cm>=Z;;B#_flput@1ozLd*t|27o9|=Ng427L@Bp@Qu)K@zIWS|I5eaCHB<@=L3V|WFcH%Fn>Z7q-o&FM@v(>w>R7ej$hUfu~6a(c`dDgy3zK`rMvbaNlM4R z_~C`^dUn6{gEg=MkO!9%n63s`mA($d#f zb?JY`D%qM%QF9Fv6Pa#0wspCaz{%bZxG84#QlzEWXAYy=b2lgOt|Id82;zu+j$gV&0YL*=woe>po1fnw{5YtDLsFF*~9wfr##~JSMKf+eAk%-(Hwm! zWq)fwG%8}kD=K!~PH0>-Zbr;@33gCd7*F@CFkjH!s2c1YvUS2F06|IPHswl2B9-Ef z9lvG!o|IlAylN1fOGcaa&nc+v9eDV3^|lhWp0_@^L;#>|0weO-2khNamn-^g6X~Z9 z!UWOXwtuMZXQ`IU4iZ%nHAb&YKH`fHe#Vz%p*6e2$gz)AQf46YZRx*2r<5z%9CCznU#!sTh@>=)M85~BRu1Y+eCzEsa zri&&71I^EDXci^+<{dRBW##AJB(Tl*uhD2rk`9Gb2mZN=goCacZ6!Oc8`&LwbbVCj zSTe$1Q#f2LdCk(h755xRKO_9pWmd&hckSvnGwx_bSES@FAW<6t0Bx6_U4}lDI!^^w zCvC;tJ#<-&O`q`E6^PzZ<(}&}Fg+ON9-1d78(wI1WEH~%tjYG{Aop%BM#Ua0tJoc&E zbK6|`yRn0L8jO9t6{Cl9wR0+OG?M@d3;(e;Y)Wh;)1n|k?FMPlC(wkfNLh(&siK&v z@GV;Ma-HN!RL+3U2u~$s9VmVaUeIcv;_l`KWAdcF@91_=kV<@;lhqVCh8f@~-zsx!s9QrE}aMXj=bY@X^Kyi5k$> z&JCcH7luyMA7GTsHHw9;?glu6-d1Pe=~nKiQ=J(n^NF%K%3HG$l&oeZwd`x>wc;t+ z+;Otm+-5K(_(nZ$^ps6p2Y?h;{Yd<8Nbzq@pZ%~SH|Q(xtz!6yy_#wz2?Px{j>BvI z@L(UTVw3Z2TWkXdmzaw-k_l>7hX26y! zjeVVk0Rg25fE4RzkzinAUf*EWYX&n8yqo#g`W|Myrd{{{ghQ!Bi3GqPJP92t)peaT zyUVO1Ibp?nYZ%W%VUI}Nwo;^4p6aZ{h=GUSVqWGAG&Qh|aS%O|K06n;(rZ2%Q5+4g z0Mqc7>JQH7#rD(#b+Vx>YMfuXx3C0`&xEZ+V7-Hi;y}4vzK)xQs)&Qt_UVn?AMhVU zZQ4m)C@g+R|8I;jsmE`E8?L*eJ5{5U{2L^@|GdBoSM4H9&U$__pYS|9wz5n-t{#T( zIycz%QmAwChu;V9@G;v*;_Kp9sNd)odG(C(Ii=8~f9%-Q2IJ9#E0Fpr?q&uUV6E0v zAd<`f<^kR3XVAZ*s6n5O|9Fz+?+D7jztZDN&+8@f|JZk175>S-|Iwn0JZO#ZSaH7P z@*RzDlCy@ZW!l+tTR1f^OEyYS`RM?Yfp-O5=~*Tnn1;SU!2^MoZ_*EZP>C{2*LeJe z$+7dAD#>PgqzZ>y<$i29;e1hzuQGz z8&4mGX+Y1%2sM(cD?SJSQtd%KPI5z(r=2B}0mR1_h#RBEXSW2vau?d0;;tLz|0qj! zKJww!QfFm{ua0jXs{!B>04@V=b7h0ez@y~`EjhjVgFRO=;|ZJ3U^CHw^P!MQK>;4$ z6(&cc>Z?88cu_XLZuzfo~Acj8kXDtfe}-a zDjhrvD?bx#?+1El-Q?NrW$+3LCXPM(xurfKO~g6$E+oHWT+?;J443 z{FJ3jo%x>otk0!Qo7b&?b_abQY2 zT0A?1W%s9v{`Of@@Q4E)g-#E*1 z``?V>+DVyAz>E{`7qXqM9pjvt^Rt&TNao?21lfZe6t%4$dW)L+I7j{ZW2tKz{*9$& zS|Im;8H--yd8hn(J!ZH$3|?6p_Z4M+aCS4U>?&HdgGvfS_mHS3ox!H;Y<@>c5y%s&`gMVy z+uPB^>e)WiSpfrW@p4JqE_&OUXTbxNac^LF{yrJ=W%%1mD;=$s+Op(S&1=$+!Oq_U zPSpDCpG{dP_KtkYukej63-k~`8-t5$CcTx_)*Tf384BOW)H48 z5)$VG#Kubw4autpZtqE$hB zr$G?4_TZWrbb~A{zXt>_dI6hCx;OGzthXURL5T1DBZuF*~U&D7WJ;4m`UU=44FsJlYc zpG;3T(58irwdFeCDKKjl`9XN=!%mDVu}iPVJ@nz)Lx3GMrIuP1c0>EJgqyJKDH7EB z64lB%_Eu-y&vtOSVr+bYjQ%(Hy*k|M6u;RgbXo``%L5Bial|%*WO+Tdj;Ll)-J(GI zSw8ku7_xl*C5QcmkY)t>N&0CApvB{gN_1vRq$3uJJ;sNlzsdsG`<5sKqYsm_34e0O zF>$-mi`FpWOtmgD zB#*1o8^r1M*Uje@x;S2&iwK0zBj0c6qh+<$U^UF$96*CxEwR(ymMhidAkBT8+dDep zu>IqF=_boPU^8h9t+{|Pq3Oa|>>T2sW5qPPp}lg(S7R%W^VwxPqve$V>|*r^74ODgnp=ImSsDM}{= zo6$oMe?=nUAbQG~oGr%KE$xQz3PWPf`^lhT*i^AuK@aUW*o3 zKL-G&dipsqz)qe0^}gf2*1A#z)x6MZ5dvcyf@T zb72Q^vV8cqx3tXSHAl*JTDn)!3r(zCN1v`NQ2GCX3$y$HtagzNQkK1g@4McEwJJ`s zGco^@1WY>izevEy2k%|S{~-YvQh;q?DpK_o&fhb?kP-nFXJt3b_Y)AAJ6bhf7qIIU zA-o!?_W{1`ycErIcHFCR^Azmvy*YrBjH8|k-&*BoOagjjUk8~%Y93Q0AMFc)lTeZf zsN2~>aQ-pgr6YKMEn?(O;4hHy(j1t3Cz896KR9J=gI^5F!QxTIb)D|@OMbFLCJ%@v zeE6}lA0xFynS6}X(Z{hZA@ggK`d3>U598JuV_FJZbv za61G4P=#M*$t6D}oziJR3do!=%iS6APH^-U5h_c+OeXLlymxb-8!1`G>wo6~3E}FT!#%9mE36dP?=AK}1 zs^P0A0=s$SEGGAL=MTa6&~h2Q8v*$3`R>)g6!z3uMBd(;?!*K-j*6`n+DPhnpNRMi zq2NLQNvai-r67*i3x!F^2ihyOLsH8%OyMn3U-gYIpHO{^64Oy2O-XbOW`Y{g4#M;Y zE&2fec%I4iSJtO;Gg=ul#9_I>>hXU6hXw#yo7(euc|-LN_>La8yFKF%Zj^KXrqzLU zGZElMzx~0DHaQ7JWq%UFprXsL|Ah7?t+u_ZtSScvXT&_ckw4?nKjuSL-`7^ECYuSp ze>G2yHfYF6PCU)QY&t#yqe^lxssyF-mh@v?O)rOi{ak#<{Us_Euu`$NW;EDmsd8hC ziJGV86DTkDMH@JdiF#$fiMqt^z7sb-#t=b2iS7dN)Q5_b;5`JpzZAt`ON`vd>?!%B zy+{e-NOE-R_g@}J-8Wsk0FjK+Rhl8r!lxPemj&?q=-Z!nkr6{ws*}rXFLT%FLQGaz zd$m%5>Q$a@nw-uEvz!0*yvuqK$h-PHZSL`mhM^}Mud;bmLwyYVg4mToYhdXdRuU`X zF=z#fO`e;7S-Y*bNyQgWB$QfV;45nm)>3ex$s+V8V1G-}5!N^;J16E}*OJ45%YdAm zu<`wTkk($y!V_+am^0vk^8!(=!6d+$oaqC5T)V9vpyzwck)_9z`D)MXaE^~o7 zkOKduEy#r>2g1qpoYgQQiTR*ef;c81&Ln?S>T_JQEMum01MF26^3=}OfVShxKME4z zr3T{u;nQbr_(LGvkmLcNTQT7nz(@Rg=1XyN}UrBJ4Yc z8vIa!sbz3FlSvJ*Xj%8~658Um-eN_VgrK@S?#@1u!+(x(pE z0~%UN5H;RZ;s$6X*rbQNRI%zBBqc`BM%Il^)u9)3!Q78$Gr9EJ1!obOX5t_BLc{`@ zIk{&=!4?I)3noW&boJmSgv+NHOmSnyp@wbryrBP2Uw{W2vHcKFB}zl)znGa43HW3L zrOb4BH@c6nc!V!}WBI}xO-dnmQ%>Tdw>lKWA*`{U|M9^bzABI|_;Z=?a? z7kg;oOBuNPOIS@$j3mp^7VNtb=j9;E$4iC*?d)u%s{=@!A;Zc?Zp3^9qDMof4uY%0 zL(Q4!J9yeqq-}1J+bwa8(QByp-F-qM&8Hh(tPo{BT%(S5cGw;cgwrY_7)(C7(zWsyk+~W zlo8cvZ}!K7si%71^sukB{>LUiO$*J*Q6wmVL3|V4&{n}w8uLW&z=F*tJx*e@c++`l zqX~kzvQ`k%UX67Du{a%>na&=Pf3BV#Q3z?9@J}0X^%yPuud9dhP;u%%S5FRCcy+!D z1w?KEa0!WbpM&)z=n!1)L{rVnul-;*1iRw;*;w8ZRRWsW40L{qe`c(c^%N-C$)o!v zJy><_8~qL=Xv3o#wrD*0p%h(F30dK(&RFO#q1b9J^gtC~=PUT90vq+=!OwJi!z+;A zLZt72Cd{anm-O~7_)=5coM&zH5wg9%6SoWkqUr}&qE>CsK4IHNSJK#;ihwZiwk1YK z=WU1}ThtFMs-`;9eZlL$XdW712D>|+$S-M;&qDp#`3tA0%zle|8Qg|X*k6msnLjPTLLTA%h)2T(#qk@d7#K%|L)t4l%q}5`ksLFH7NuGv;JZ>kx zX%ZOduREN*6mc^j@J{#I^;$jjn1i_e>PvQNTI)+rzMM|JRh%6m+;g=b>HCQ+cwwol zD)v?3Y~!2Mm$e`QEImn&A-;p-`E*HAo68Fj{gZ*fEq>vChi=kjf$e7dy&h#*tq{B1 z(7dxMWT&bfktkRkm7#S8MC3e3;2 z=|jVXQW|u$Y>Xr%=R)V}AiVU22adS;*3aCGw%}jjCL;|cW*6?v!h=vd4@nGnH?9km zAt|p#RQ8tW10rRdb$8-M55g6Z^_chrzK}}=))_|+$wimFEwB=R>*!cQSfA6pkz@E| z7mT>p{R!8}ucyIyR(dm{1Q~EQMQ0g*=ZLP~9ZkH>>L>wP!P~fpHW*^`D%oM^SY-5VnW*IVb_(cDGidM14sg6ma!NmG690sTZ&lLUe;JQ}g8cUC!< z`H~e$*lBKt4@{0kHW~b~PA$rQkvt0@==QAqQ~9XtUA7YBexcxYi?jl0dn45za@QwH zcCQ%^G^C-Wm~T&kMuAdakE)Wh=4_`nB^aR(hc!&6emy}QF< zrgR+=`#Y6VrVGb#2*(0$rK!EQET@sle8+hBRs(K#xfv;cu>zeK%)M$7f0m*}AiMMj z-5qG-5R^m<&Bq2ScO4IliqfV|Rt`!cC!Re_{M>wYz>uk<4=+_sSZ+JjBUp~|0iC)- zsN%WC7{x(D67FF5!PL&c&r%TfSny}u{!^A%U04T;#}5H4@r^SnF)=^D5{ol2ZVHIu zTX9PF+o2Zx&EFx#nKuwubxC?W%K}YV&X5$yY0@r|$64u3o<|MDnnp2B9-g_>8ZnZ* z4#DjTiCVjCeR&ymLEG8+*wmJiXEpK2gkDUJIFb+Ipp4t{Dyv^UVnf$VwU^E>I3QfU z@8354bHo&PLJasQ#5`h5l=N?KW)3dA5nLde0kf@<*%s?O{vMa3Z|<~0hYL1>dB37u z+u4(_f;q49$!AR4{#L_+#8Vz7N^lY%>Rdvw^_-ZOY#1-d0D6XUj$26&nr0IH&<*0p z5~gr#Lu)8B@Rc(gSLyBiw#9bLd%P9{IhL@FtcSuz>i|Q?FUUUj_ueRj{m3Iy#l-+2 zh#`GH@En`4$euoN0&fhHO4gT8UjjAsMoIrxqt&(OOKP!8=^W*fqIbp;JSWJP&Fhv3 zC|^GXbvM}O_9-(b=nY#11k5k-^|K5O5mKa_B9Skq^J!E2>VaSA1(Z|3JxhCaWqPgzuA znP{c79VNHVY@wJh!DGXMuf@o;P8H{EM*$o%wszS$V%0H_~nC3k16kvViHjRH^!ZC zJ&rGcyn;7=H$A^SwnY4OdxB|73^6u=z2ScSjx4q}?M>E>31SlsDxleXF$a44-zbj{ zx{zyZIy=+;U9S8KP=OhH?8Jh+xQ~|;CZb@UK>`2!x%CDvZ7 zCnOSv1|R)@ti5Gi)!V=QyFnC?5=4+(f*=i|NVAYG1q7r^dLbzdi%^!UJ7EH5t5&@;Ia~NYZHBF zVc*d;5VCD9Ui_{$+?41BXPZNAmS8ROjq^dR8Z}jJV`g|7u+vx@4N3t-|4Ta*-A{*( zMdT^Y9a1teIL$UkU(JJtn(mNm$Hf)p1aGTPY2V4Al_GaJR0P?c=+j)j{Wd!#wtX-_)*plb7q z9rJ~B^UEjNHftU}xwE#|p3JB9@dJrrA)oJ63P76KKVv$FABdzo-iM-g3v}JxVRKLB zY^_MKn=Mv4QOh?sOd2Xj{SGpqYT%r?gGil`Ni;J*~68k+Cv94?55k&hn_fBFv ztH6MH*lL*j#%qn!+HG!xytHdo0$IBuf~Xa|6_m-O8ct{5_RO^7;M*nw#DDsvpeSU8PX#>2NDuHcLGNflgE)p2-V z4s3G?>^gOiajgys?F7X3=NkurS13c7>tF-|E&72`Tf=$Pb!jVao|9TklAYlm8Yl+z2?E23KW0GEP`vU z`f?^$A+;N_Y)=ml5B7}&7O%bmNk-~g76UTd{NXea?+oH3ZvQ!v2R6(Ai_7|?O;j&# zacse4#A%BKab#!=vr~fm%)nxcv`6VJz_}i0s9Vd4!mi^fn`fRb{Mz-M>t{GSG+-rt z#Ua$sLa@EFDY-lWm^Kqqgg`T&o_l4sT`cV$7se7QM#2gzHAi4Cm2>4^aWo+_P{bNB zY1cT12}?r5$JXmOjEoce{$GQ#*P!NAQNO*Tm~^698uIiI1zhI0` zl+6>yi;!=FDmIUwKd15Nck0(O5hnQ}6`-T2q4(xn!$~ETAtt*w2erg>d^;srHGg3W zIv1Tfvq?TyeS*-K;lg5eXFevVJ+$jx;rc$Fu@#4m{mpM}_i#P7Q#SggsPf@&8GpJX z>FMT7`}HInqb)tYTMENs{@M}g)CTtX6ART0(k<*N>Ft0QpWOsF8G?vPU!DWRN{L_PKJo!##=})t% ziQ@0Nnwg}9^tfo1W6!V4WG9Vrqv%s}SpKEF*3hKgSQ2q`JPq`p?|GWW{VWWo8w9Xu z`K<)ASm3(z$`knmazw(W)5PC1imRR6%q5n03{~??7hsiA6i^^C!{DqUS0+dAvB}2&9#6m^gNlL5PU9C+yY^&ykzEp4HSI0)Aop*p96ini@*4{7JcoE z`l0j{(qTgG&~=2ojZjeluS=2XzoC=^4~B2K1H+di+Qs%)2^A?4ePM*n8v0LL0v|FY z07jpa;xF*1wY-N<`8YT3#wnD!Pszv1umdJesE?H=Y^)Ebh-uI4g)#;P1#$-#x-LBV zrbPj1RKxJ{nu(tg8Nu?IiVtN&{FJZU`tGix<@p{2Y{TBm$gfqpV@c1%4{prlc2y+M zJ0wc#jS-_&a#o^AJP}5p(LFMp=uOIxQ_YxbU{5yX>FVZ@GOak(WRDgCqKmub>%K=` zufwQ?-W2OLeqlP_o8^g@oWsg1oP3*k8uPbr?R!C4kchzV`9?QZM){j2P_?)07Ge*e zx?v8`ELPAjTq6%fxT->nrl-`2SRjNEDri*#vk8F9Ln zh*^wE$OA>s1eF{*>i1_NGAhB}0DiZw@^Hirh2IVNMnxR*Iv`|gs?2OpC9!Ens`6Bg z{;H$eDQ=l)PF>;eUgu5gE8L8OHQtaL5^a zFO>DO`I9t{Msimr_DBD+p#L|Hl%G~{)tUr_H6jyqwmC7K6m-9|e+hD30<{(A@1wJ& z=VDb+C|*TnjQmaSGL?4>8f8Y~_J4o&c7RtX+fLqlzOUoZ)e;q1KwDK5#@Ob<%#UI{ zE$51n{vRUhwvX3f`A*irSziW@@ocg8jNNmOYv*!+44%}Le}tl-l@TJ>6Rns1c_kdd zF1!xhgFK)ZB6#f8vR@0xl2ei{B0B@g-=QG1X|FMA7Tz`MJ{gwPB+R2h=lA=TuJoSn z-}n3Pn`HKT4SwT;sfA`NfIyeycK-Wts}!RTc%l2Bh6x&g^(G>d-K45P0-M{u&K}Rn z@1G$4%zX7ki{2r!BX;0a_vRamK|=FO)HfkG6GyETEA?Vc938Ea0Gl|*5AYHJ0F!^< z^ERDaUh)=_i&%th;p>Cpv(c{=g=NfOGvY$$ABvT%up3KUnSB~$TCBVMOFi%8{|%0o z2Yuo8w+V@s1?Nk<^*1j+v|(8D8#AgiX!LsJ9-#oVR#@Xbm=iK2JZ$Dx|L0r(`~7YP zV~xY`RTwn*GuiU{|M&klnE*|ParVN#i0Hqz&Hvsv{`cSe|Nc*kI2h{%zQoKv|BIOW z{}-b6e^GdI#a@&4I`YSSZ~6cJvj5K?{QrEhfPh`QP2(q<{{K6J_cas)l%|^8!y_j) zhJrlgKs1x`(W7zg|Gc9XCoEO~B3lOs#IWBWZDwf&IDQ?HVDZfOc(F%YK0MGYq*au_ z_^ED)H&*#k?Il>s#~{N_C$0{voZc)nxo1{@Va5RH51|O$aLq)$f!7gOc?8=5sF;iy z2>^J65;VPa0fjC7fL0TA`Q{-)LLXJRE_}U2kSR+IKWH^zQQrQ~3-Wq`4s?-(uV6T4 z7-YQH6+}sTwmUtxNU#LToe`zO0kp&HfXBPQzFMhEiZL#)GrX7V5CeHJ@KdsVLjUKMBe$ItxY0XP1^@8_pd zY5A5#w+Y{JeBK}VPKejkY45;`>gql+Y!taiU#6|kXc|RG^n+=R5$FTNKL)17YInG+3ywL823Rt9V$yzFIF>V zEvHXu=bkvE7jR|BDiG!|p@ZBLCquHm65SkXF9DP7*l^;99S%P=7-WB-7XY^+=b`q| zI><%)wyqL?05yK=fFB-1S6o4imdULu|I{oiPW3YFQ^r`t_rEA#VBw~Mz!OpZR9jXO z-@1JmxXY9kg@F+MHjZ5qDf~MWM2mcSe*Uf3TZJc#Q{=9Ba$Rh3<}%|!Z#JQ zU{cwzWiBF-W`V_8yBcW{^_H6xkatzM?p=c;#Q;#6_4UEM_i6!!bBxh<>3F2Zg`&-6 z)&4?JowLs((k&qz`TqD+=BV2M2t$8BL3t(BmyPE@*Hz9RIK+BjV%9i+t&h}~fy zQ54P<=Xq(Y5Y)w@OlQiq+G;Liz#j#Xrv?q8zbLeUQdsu8-g#=R)*OJ@P0&ULfHT$Af`hZb;%KOkq;rKgq_ErptHQj$nENMx^3T#7)oB=2 z>G%3K5@*vyQ;z^E5S-S6!O13bS|{fE+jiAgZsXMN!V?SF?yS8I9$NH}Rd0WtoL-Oq z_tjOq$u~{?Rl4uzV#$=P_6M5$mt4L-C@zDr;55Crv@2{=u4ZL52!i#iXwgKm$LqxqXfm@9V+7{ z`626g#*me|8FdzTnM!>j7*4;{B<+=bntuYothCR85kFS+1$@}EolvU10f2j-+G;;d z#zbR%%?p05X+JLjsC$sQAC)tA`;tmdvGw5tZf;F0y3FpBZ^s|AhbS>5 z8V_-ax?k2y|Gq+9uPShi#b$0%N{yujaBUphx1e)qm3TPf|PyV$4K`XGjgiQnd z`{}k!&?kSunA`%y!6ASCxi??(M4%XgmyY)5ZYmzRpuXLcO=B?j;zo&5z=R~^nG_&5 zEdAj6?4GdAE?`nReu9TlIm{CFzF=?9xOw4Iwz%}g_iUQo?A73G5U1xO%K}dG%ZdrC ziZ*#IHs$1P<o7S z1wZQN2iz5_m;t#>coCnZad$*+Sbh+JIcW;=w-J~)2IQwg-Ro*WY)MIj4{Y9eke8tR zx!$CU%IVDjLL9#H0u1RThf4F#fcL7W|2qLO8pY?bs#%~9UukLeb+@X_^_GH)QQ3%gb>e5WimH|cNq$+bwv&B7wXBmF z?SX&1lOc_s+P*B2A4$L(y$!SoQ9E_U0G&L>e&IjY>plg3@XxR?}}-uXG|F!9)Ftr`#Zpjq09zwzbv}|_d6)|&izwe5dz?T zh2H|)FWq6co!TSM84ZW;w_I~U6R9~XN*&|*;EHV_@EsD>QiR`B@^ZS)XYhDf@y&4> zU82+ts!FBsDZ05K6(=lK>5<-)hJ%(r=bM)lCoV8jT~lZp3Wxt*mP|tc<(;9 zZpoPhCgJB`7q&N#aJ1x4?hSsXivORlb+-3w`U^_07BK=LBk+MY2B70hwe+kx+)uWg zS5!^4m{lt8=cxq7)*GmbELW9Xh83?4t6nA2`%`#R=$9P*=qv>ydukcG1Yj~$BLg20jv60LYJIG%0*55p0m zn<$X`MaImKSeRVxRd0mNkXuW5CekkgOONs8*&an@B8t+(q9r#r8z?1rccS+bjbeMe zo+T^kNkR|WXWHHIbk~7=tX0vp0NZe&n4APj5fP-;mt87P6ozr{Xn{k9ivtCJGuwB9 z$kz?q9;_4^T4m{{eDzZ$`9?-H84OM1Troe~K$csOVkSZu9sa{`-*JC_ z&H^0l-a(U~c_M^)wCL(y(o0}Dr;oeW$8DC68cL?@FzA>-|68<1ki z*=W07vZ6PF5Y<>&4EtLkn4=v4cZxZx4hH|I5k=+)@?VGtGClciHL$DW;~3K;Hx+B8 zKmr@6U3wYoJy8saI2;YbN%o^MfhUq+c4dYsGJXu|0$6nE5N=6Rmx&A4oxcFNI!CM8 zO8Ujr1GK~^2Tw%2$HXXcMws9rJ4I}HRr&tLGByo`O!=8vl~qj8=wUTN+thR0ehfH4ePeT4^Gxd(dqSSiQa9|dVG&J4m%l#=4#F_u04@(H*4H0-Dl)$A5!+V2!7zx`B5+0CuR%edi6(U{L-8Um%{p z`)ly;Ke zW61^wBwdv2L>z+7!=l`72Z564*pCD}@_0eySf&B2j;LY?OBQMkvyK6b;p7`AmB^( zT>mv4g%QfjJ^<`f;kjndsnv14P_3`6zW{c_Hkp?m#}Uy(3=NmZf$=U?6rdUv-l4!g zHR*!2@4coH|!|>4z(F@-O_jq6(aijNembUsbp#rV#+(aRrHn zQA9l5y@+cvp@Y&&)#=C1bSZqP+mkYGJ>QFUUw2GmwgS%euTMEn`|~3;Xg6q=e5~p) zl2}diZzdYc8!t`zH*J`;ufrv>t}&lZ$L1-_#_31TP?*IGcpCLc3C^x?^1pwu2D%cy zjV}X=u&4&B^N&Cu7Ym*k^+9pHxyYnnq;Tf+A1aiUMjv_2(!Szli?7>eCQqA^sgP*KeP zSez>y65xgiT9BdUI0naSZjjM4_Z@LQE5H&qz7;j*WrIN4w~(8$tN&0jrSAT~jPvet zUs$stFR~5AHcEf+0-qL4$B<*gD3-7y#Zx}fYrqozPC!irm2Q(qaXdxU{dBW$V7haW z?nkB3mtz_;(IuQ^V4UOAUhpvhay)`lZC8PJeG#m{M-|y!-Kcm`rY#14utYmCMEK0* z=JDEjEy?Mg9|1>0Fh`CGennPiY!XMR^Vf}O=n*oOX71otb-7U`K=?F9qAuyL+>QIf zH}qo62DaW6bRt6I9Ny@6c}n~I?T=cGgrWbigfXZG00D|3kT0C$zgfbf%QTkkh4T${ zZ_AYzz;x)o@wbdD}#`25L!pZ`qnP<_k8UjtLShbaPI-uld&uA1^eCxI#&ng}sae3jH@T z0?MFe;a05#yV0Wa3-Zn`-)>`_v1%`?_#*vh>)Hhc#A6-%tr1CTe)_F_vFUp&`VWG) z9+b@YIoLk?BT2wTUbxkEtm@lv?8oIX!`bT)n0+@=;aJ*zp`4RxMbKw^h`wDmi^Qg2FRSMYSBu2iN3U+%7$a5utgwRud6pT0> zC-D!mOIVU4UEukRCHgZX-iU1!tiz4c9l7C+N#Z)XY`sg_iWvb|#@W;0V);}@{{xRN zID(C%;OX`hIzY%ZdTBPC#uzG5h{IaqrD0h)LF8iNO%(>7Kh^kKf~ZCnPF}uVd_Yi^ zu`e3|-6MoTZEZzh1kW0Qhw~T!?UNbt9M6Ccm*WuafpMqkIbfAWSlQ{7x;^Z{_oxE( z#W}|AGnDdXGqBub+L@9KZ+!mlH^3EE$?j1$2Hb;|9#^vqIqSzuPeT*~k_{ql!I@Fg z=!2g6Yu~x2!_!A$#}Q}{u2jH3qXL=o*^M&f=s#5&$WNDozs)}umT?~BdCbK(cnB5i zX2BoGPmAdVyk#6kzeb;dp2omj77@pOpfn><@AfF}>vZ-tCNr}6&sB3xG1{L(L5Y#- zJ#Xv!MkBU(3L#hf)uG)(x#{aJR4GrL{TBKNZfD8Vt`FuEWH;R6K`s(}II6ZJ^XDx; zfnZXBB$Ie9a|@a`MXOD~v+DfviSV=GCqx;u!<=te>}Ow}^h-has)|;^-h?Lzw!qRs zTefJ@$D7m1u$6Q|XqQC&9Ko)^&L6%qF z!#Lj1w-adzv5QZ%P$6@DO;$8QzYWzVRq(rL>IyoOK^mn`-btKHL(6PfMc2EP>hMl| zwW)*TLNDAcaN#};^#@d1vWGd#0I(P zmZ`@}rqI_NBd zSFsLv#J%-&4#7yA#!jUZ2zt%?i3 zu#{4n-SMWo;$zp+74Gaqwr4lbg%1~UN{tUI2@b+vQTH7S;l|O}TQPI4Z(J)1hC!mvMDhfP3G^W1pH`SZ!=w|R z0#6b?qxGz-bbU;Vx6$&XAb01nX(gY#@Xz^D;z`1e<89SXaOROS_t~WJ$9@OLYj@Th zpi+!EdSacBCfAV*?K*bGO57XhA+2q;^}y@z)79^lY`_Eoynpfz*-Oj$xAGW;aZVWKe^2P6x{y5UkEpX@a?3agg zcO5b=UxhWiP;4qFb!1tu9zB)~tbM$slv5Sfv4xV{+BGw++X9?CI_h{Tbg0WNiBfVm zo#$P|G&*a1{Ifzn=Kx=lc{LrWj@CEQai$T|ky9Y{3RObSK&U1vJ&;kY64 z^dBQw)qgA(p|W97a!I(Z;KXUn9w{LL9}hxf+B*uDVO{)82LZ<4EWYc59|EkAciq69 z^;Jc9M7bN-@!G3-ThrdPjLZ|491P)u#qM6=6?*UB%x)8d;n7H!?)3#8&#wmyw_q0w zU4caao)SMe1P`J`1=FI-n>PaK>?LVWhCJ)fjy7dYi~b9&R`0PTgi%Cj2d5fnjkFJ< z8S}WITcm_X#g7VKUX6;9n$P=hT8@__;uI2B zAX}L~%!x&3C~dmF0IBa)CG+A)p;q-KnFaCQC_d0-G}9e>VecprF+l5^`4GXH zvf}d-gn9zYB-OCB;?g4YWsy1WxlPIoJ?13oT=p|anYVVlOX{(2%|6qPtf(RHp1ecJ zM=oW~+P$6uFV{s%-djTIU}^`YV_dpRZnpU}(~Bsfv7J^UdPyMCcrX7Lbj1oj3-kQ} z%~kEdAQz`Yfy7`f267PJirK*zx82_#Tw!8ZJW*bI0>H)jC~)zInF<(jNHGyS8i0!< zELiiz=zQ*_VtN2`+tD0(}=IjBHaQENjbsq!pXiqJ|ToT z+X~o$Hp0)cQRq-Jw}^y=LCGm0)o6mFt&P!|^Fu?JeL}X3NB!rzpy5K|oPiP>_j$87 zYQA7YXi%yj(=PB1#cWR2vPegW4u;2VWp4IqhBh2j$!*4N2mExi+TG5{$Ey_9=hv#Abg^+o zHw@C=byocWnSQTIMtz-5Frj{1tviVlu65Vwa4z~OdY^a3l$0t`($83u5EPChj8c>7 z!&EM{m3*?c{+^&^3?4m~7j6HR@;KhWmWAX_5jarWrc_|*swn0nB+%7ez;Y&_NXiK) z<0X7}QnL9lx8OHWFJMMr#^^3uXvKU$6--B3W-I$gP{{&o5Wu5kDp|pKZ>z%NSU{rz z{^c5eZd^n-xW;FhRdn+STV`IV3OW* zZHIB8Tx*#UnkOK+0!5H?7S${V9l{de479ycYMT%=93jA2C-JWGeweNb+_a2Tkd+VV zdl1mKy_s_R!K;OIYFW&J)uPh?#+vgBFin(6O_g1)WSu`8IfG;^*{kK7H z8;<~9!lr>K8NWLL0|Sp1BgM@6B2I}Hc@-yk9}9 zonabDXMqxR3<_cKWJ_maYu6d{EAr(MXWkFV8tGFX_U z`R!cd#Ei#^ia_j*z9KAgw_MCv=Es<6=o@=c2a08|N6{96t>nMw*oNCV{?UsoM)djB^+hx&>vs{*s)v!ya*;y;jTvQ?2&qb!!fi1g))j)M?(30 z2tv`8xkzJOQ!U1Ct?UXZWrO9%2UZ&qqn4ZX2t`lxzKKw`Z~GtUuGI+*J@gYM!(=X> zU<+Ef*&K?fsNM(5hvAi@mp09w>V1N?xFQ!z+>7jW;Pdwz4UhD-!L213S#JqLSn>Ty z2j>WYDfQn}{e=6l4YTVX+vK4ENjm#$nru?=r=K!}(C*y5p>;+1#dbPkF5A&B-AC zMx-xORU3Zjn#XD!zaTrv@>yzA8<(qh=BzXnb4T$(T7AWSL5BY$f=kd@6Gqz0UebcjnF^*${!4eHFH0Vfq3#^KkT89J68=-- zTsR7;i@k9Kl=OI1{##Qqh@hl&_#c*^rP4|-h+8p91W}_Y&P4Tp;6S_WKsc2=9^s~D zP0C8f0)ZgCZ1!l0r&$u2&*y>I#94GF0+=3N=&}Y%lmT5;4_z5v;{j%#k_eLsPax>Y zu|`YG0Fj!QtxlX0GMB>^y$1#XZ|+>!2s#j=A-H-ZpKy>Q>+4G{f&6l7AAO;qnra;Zz>@`*ttJ$#Z6xojro^poomNFDx$8yzzrb*q=st z7D#<{_Fxrl`J!_lq>|K)IMk=MiAuV0_d?N;Q-C}FlrP+`hsNGAHB|iK;t}F0<3CZ7 zBKZU9AtTrW>Pf*5={~HKU^d+u|C_4?PGcv1nV>L5fxVU~C+q_^ln%cwQ=_gfWVha5 zljl?DKiaZotlsbj?KYSrdTod?tgn)ayYoW1d2l42%4wu;SE<|p3Jtiv1xlx36oOl&>#~0XraGD#ha=ttLQdc_w%019Ix>=X=C|zrk^9|@K zY8B6)`{{nY^kr+R)G+gctXJP6IPO?I?-a~z6H#p}BQ;cq%ou^U*^ewC$2^248r+_66x{Ku2{pe&Z8*8^0#1eWryl@=>C z4d)=PRKsurG5ZZK+-QUUY)TRIMxAfJTp!BV1B+c(^pf!#h%LqfEYEtkqYGqC796Mu zdfZ4U#2VB0+3C7sBloA^&)4>+N~B{A1J3~tImxCC8}C0jWWO)#aCM{Ep&n6l?#T-| z=7@bF9k^m1@G5^|gutAU4Sh11D+$jy@q6>5uDne4D@C53IF+(OwJmVDL~mS4AneZn z<9sB^Vc(LtR3-)StM9^ifA%IiRc>H4kSMdOEYhAsn6z6&(n6#K`y{P<_($QmPNx8f zT;?R}+vQojd|)14?@%$fkSX)g?t>1UMZ5*O`#yV%-MbZ0h@fci0VrlUf3DL90|W0mYqPJ8*XRHO)8FK2tUdUXR?Y!pE01FcgwSn-UYP_FjQu3lEE&hg%xj zDldq8+j(Zv!*Yw@vlrQ2_)vH6aX7pEtr7s#)sVV#(8z6CGbr5@VyH?~@GXEnMi5>w zH+WIl-Vj-W^%e11^6Ts^I46K10=N$M(iqJT7jd#LQJEWxcbzkjSe0*ERqAG4?hb>? zj`P6@-^E*vGEqN3RHWvZe@fz1tQ#R5heAZxQ+0ZdqekCZjl1A;-gA$h`i5uwXD zlGaf#NT6D!9M5g3X`cX@lhfVG)EjPZgEdLVPI`ARBNwg~36I$dW`7n)!Xey~8Lqpi`c1mB3gn9VL5s#8^`~l4fFI9xsK00=Mb9QXOmu<&f z?bgI-?_0{kn|XW3cu!(ckYgFpkP*@s%m1*7f3fBV^7)Eyzq*%?#5ha@wIRG+!Gld5 z?tht6h%X zUb|%SlDtIqr`pB>Uz~7hjW4zI1wqE-;K#4CO&ILJ@J?NV#1_yTp`8ZqjdIwZ06Zm> zfit-Vo7@=|_*SpP#=jFAmD{v{e}+eEwaLB=U&E zdJJ8diE^mkX`k9ODvj_VPO$WaXky6lt*W_|`SIGPeSvj_?>`<9Fri2tu(FyQnVv}1 z;y%i+aReiUJ{$nO+M#2Kd+OIzA5N)tnSEl1hj z)q$8X-3A9c>efRi)?JAO?HxAt*EfiBIQ>gb9@w|6s~Nh~VP)eO1*`f3e7t5;G#CV@ zx!egJ=MopnYI8Hc{%bi`lwW~N;C2^~JbF-_OQm}`n^zg|2S`W2meUZsiGRy6)Yx84 z;j(==@G$6`bz}NkFaHpJ3`+&P8+CLb@2yvH3H*C>cn8qN!p}g`2qaC45d_Tl$5`jf zM(Mlo^L|v%k@)(553vQ_0vBn)j zmO^)LMWeRq5EzQ1mV-_W>@;#3>(xZZve<&JGy5$e{=|xl6kLj$?~Brp{pvz&bxxm+ zSdDF4#Ocyq?sB<=$2uiTsJf)+_C7RTa9+V1G_2^muP2l29RFzye6`M{Xw*M?6my3# zKLvP#)H>%~D<9+o2QcalNv#zJy&NPA(gz00hT?`Y+RIznF|YZ~O@ z*hju)@HR&K$EfM@H8lda{4%cu?;MIA7x{1!JfFDR5=jWq#Ncma(5?;9q=9)MgAP9B z0VZ){E1UfGo5RTYd1D<>jwel<8Hi^Vt3ZPd-RY-@Xz|{@1j~xa9M#y(J1D&Qqlk#u z=8Iwio4!*xu#F^^(HE&dZfd*FA`XLpexb)3;+v;|@qDhFNi^kyb=Ui$?Pn+{rq z*wWT5*%3bhDwa|hogn0kec}~R3oL*w*(~mzwHa|5lzc|hSQw8Oi;RAt`OlY z9YEjG2;|p2E@>bP^Wt+YHT%=RqIk8Bm zjzmAgJoLUtcv4#byY6Gs9SVno9$KOBBZ&CWIrGFqZ0+8a!H+)QDW*;Rh+S~>Cz&O3 zq-fvT8E6AfV~C~WaQ8h;SS1=KlB;t?ggYX(P*~ERZK0G?oiR3r$@n&sUXgTsN6=lMGA) z_YsSk7S8Q$RZqT9y@#b#jYv|ES!i~2VGVbHZk*UfBXG!j`wL}|IjM;_^G)&%zg0zX zYd(csfhotfZL63jN0Yls0%Z|wv~23MzCXf6LuT$0DLRNy`PI>>nA;8#e=gqRs48wAno28Ki)$=hpcq=H%SaG&JA=W@fXha97+b(=reb#A_KrgNKsyFx`1 z3e##ZD<9#~-5~oP7Qng0<&%TG(V^@fvgNMP%{7@Qq~lWsp(Ynm&eKA*I&F>h>CsQM zqsQ(}@5XC}WBv?Z6D|CZz9`M;ye{%!9mkYeipbU?g{TncXfzmS%Y|*hXDvZIV=8_e zb6m!{s;Zt`l|j>Z94!vIx+N*)8=nxo;D% zKs(KE3F<_{w<&^rmqL&QtwoB$3f~NFTiBluV?%BnLXP3P6xu+|IF8G(6e^adI|Alg zu+qiq1};J;#nza{uDR`X$%5|2aJbEG+~5=z(#})pFvusF?N(~S{GV`V&|I(@%`0|s z7U5J8?Qwr^D%Kt z2>X>92kv_wMWwdeiXX9;b-=WV4?Z(5aQclNYnLixko3xe4Z;7jk!DLzEb-`CpeUe zy*3hxzU!$%f)imw{+xiw6-|gs`ab*vbM~uxK#r?Je%S*RjxUN*_UX_X6}<{`@G4Le zQ19qc5H^{+*Fc!{J_xZU#c_0oJZwfZfKoMeVlxp+uhovFbeAw$*dSWZIrY3`uvCz0T4pO%qlKFLA&ocX2-LQNBmf zXU>t_QJlLq@E)+}Sl>i&gb}pSI`6*l38BwI*ZmSf(E8Xv^-bRnSmH@J3fdXXY<9Ef zt?ld&&2!WII|>93#_l@vhgsJw`K<%RDL6`hA5f!RDoOyO82|`in^FS7<%7^G3p=3S zbY1l2Yo&r343*d7=wY-omN8urqWDiSs1(*c&k|GCfDU9pYD#cJqwDDl-dBP{qIUB2 z8rqt%;kWb^dpwb+GarjXHuU5BsBPN`zfRL%FtSj8Z6iHd1kuA#T`PkmFX4vfDS(5@ zz>9v)lk>34#M&<1*x8T~?`qri-jyMf`f_s+ofmQY@rwavbBH1fs0NF*fE(7)LEdQCH=~X3OMeiK z!dBr*zRudL+V4v^xu!2Bhy-z;{swJAxDkl+CT{59ZxrL&LOky`iFuHIq;t}xxD%q- zoYLvf@;_tUNWX6%HQ(Kizpv(A*j8BcaHF@FNcFqo46IVPY=4Ba!xM zIbkW|P4exofY6~=tFw5im)gBP`rAqhgf4yDL+qlGY6%+dV&&&b62Uk+E^*x)heE+w zkSOZotIN^{5V}CAgisxKK#qk8zLG@|n%Nf|5oM#!H8cN{U3$%so}S0Ok*}qNzjX+k zui{A8(jrN{qD6L_Uo94wH$ZTJh`9qq%$#uRMVG|B*)tciZ@j`1u}vE1=^-J0{sa)} zM;$cp2EaO+{YEg<5WG4?Q(=wub;$QJEaOru)ZzQGL!<gu$<5w z_bRgH!KcBQEgB6+Qs+yfUvG8+IH0?Tsk)(sy{BBMGhq4q+^+^#t^axM3%JV*q_duP zQM*~#zhFA_Cb)Mf!X-b?4>Zb5-*R9Ip%#+Yc31fF_5ooH(-$yHb}~jqNP`hmchXVr zD-S>A4|@kIkUzZgZCzs_=)$$F(2IL(CEZ_1ybS=T@(7NKTge#m_++3@h7jaLI=_}| z+Kk}{SQC)xPvU#&x8k;NrAxUH0UOIXoE1+ZXhG82G{s*4tx+y|iARHB;z*FVi%CV} z^D)vJa{YuwD|(PrK>stmyybL;wYbmjD!?Xb@FT~wjgu_oqCI>!`nY{X-M-&4RJeSF zs0xsO*5$UFaJfk`X6r5;)EcMG7QrmR`44#92a|BfvPX8H(`ERFW!omWsxIz9Srp!n z_We4ee~w!@#zk%O$qo3ON2xntD8YiVtFL#jdSU(=bu-`%AxTW5bQpgZNJV=1qJ{dr z14Hns#Aa+5fkjnW=X1v<$2n4P(B{6yniv9pY(mR~FBfh1C@l2Zfj8P&9&KhyCuYCp zk!Grq3%Fb7RS{5f4oS8=COo!5Mio41mHK+v9a-OPZ_(t9$A!EnKb4gWEK7&98oR4O zd{}qgte%N@n_cN5j(pQ^3ioSs3|7og= zIr#78SZf8Ef2g&N&Z%g?dHY~>e+s$o#9b(9sP}K)-k@*KZfLJB7yized~4X@c6r&G z&YtD73?V!^dnmRAlM8;$)a!fA?so)h1<&-9Y7oLr>Gb};tw-|7?;ocnFLVI5M9Gu+ ze3s<{@IU?v1I+YM%pw3y?>TF`_$bl92*H>K>07ONMPZXMyIO*akfChq$%gd!x}OX& z%>~C6Oc$b?$j~k4+0$&owrUj(DE09TwVxqjFQ7RuOosU)|I(b@;eTn)1HZwQHjg7~ zKxSph{O{Gd)Z}N>zRNq%%lt3RIj%}i9MGKm?EdT6P5CE>Cyc6!R^c5KtD(N)hSq2e z!H+74+h^_!rJ}I@#5t*LN5)DCBMv%%glvC2d-G{`ah6BAf1{@GGC14$!X!TC#wFP( zqNOf?d&AI>sO+HBkqosOQKxV3+4?YDXBVav-efRhXK1pl(B~RdX_MY;NVhW7R(m8< zFoj0&l6~97temW23Te8N0xW2>aXg3w&~2*Wgji!%KrmE&9wW-*xQ?iU%ba zOl_BtqVf&)DC6bDNHxQl@ewV0tf2jW(IYnvS09)Wg&Ize)r zWdb4V5BTH0BHlB4mphZns(h@g>fmNg8wp$qIu$K45d zn=FMxeizmMPLS?wAwzJMkq}BBwr)u;5r`oDGq78gtZJH+s2L)8!@v}c;eOUHqY>#I z@+6gK6vvNp@IB^Y=cK?RRr357wF`yVS77uWgM*1)7-EIk&EofS*l1RJ7wcx~sJs&b zr>q+Qmx*w~fzoF+b z&NU7h%|fD{wqL3jTTwRL1EB78k@df-16SwiS0vp~u-mQ!{s+P$S$%1r9R)@hIjSXD z!T~MzTwjs#-p8r2)wnRIvrR3~!9ctO!vietd9b*N%Dg1=IHH%m#|}$5qc`df$-W;} zbzjIJ>@L~YM$H~Ybb5yO&#V?{G_rp(Uiw>pYEriDGPox<8n*VW{vCB_V{(}Aimd=- zt{#|@=ad?0CRLAHcUHIwX~iOp-EWwj?_cP!$~_~cxPupJOHDDDA2;fL0PF?7tODW+ zSmL7MRt^iwqEjTqL`m|WuJ)cXuPM0O1KhIh$CHA0Q05JT9iqBySFxhPb??b8OImS1 z+P=$~$8l_7dw&7Zre{LA`$~g3Q5z|f#v2<$&c6mHi`6ksO@hM=92+VWi>h17Q-dV;z>9Zm#?V zMEBV3zqq$(*^{kJ4P^|YqlR)nb`V8l9(l}gKv$F^qg%^K7HzUWk? z!7*;_1F;p8P>`7jC=B7A>E^opIo&Z|^R_11u2t$201Z~UEDkwSUVwZ2FICG+ZVuRa zLqkPj?u43=CTdIR$=wPj*xHKisuPF(QoXF2XpWFV+^Dry!qj_{A;$k-b@ug}{7 z!>}LOO07%iH{TJ@{(a0Dbb4U^50JDMg$z_Y=A> z2CI1IGH%jlkZ(DbbI9o+2%d7!G4!Ma8e1YPkhLvhQZ zu{;6@?74Yg_2Ppg{M#amr12HHmV`s zU*b|lHHbjIt4lsGHT*kDY{QD6`EH?M!HQ^Z*m{4yQ z$DnO+fBC&>ya3|5*5Fk&gU}Ltg{|fXq;kz)R-8^IST5)&&YA@HY zy#3N|Y0Z6w$eDP=>bu}=cneoC^zcUq&`->U{T{@Em|TN|-C9(*M22UC*;Q2wDwTe7 zbsiSQDeSFaPE3c|OF~wy)?OyDCO#^0jzuRKHo1#Uu2DgeO$zpmORZGf4^R1KFZwaV zXit{M08d`khm{C^F&uv23q9p#Spj3V9*33V-=gO8!*7~Y1wk+G2rBCP2d7zW7 zy(z+gwDZ%&aoX0p6JlLYw9;mBYAi%hNdROvUJ@lkra(^5Jjn5>h{R$dA|V=-uinfsilLd$d|gC_g1Rd zU!|^8ZNKzfTFdUd#y>!q6h^TUwM17ATy(2;UKH*(j7r^By!bWWH+6Q=`j*$I#9YK+ zUNM)mDD0MQrclSa{)BeI)XoL|Q{&($WZ90}RlUkooi{KHTB?55{O88He;$A{mU(G` z%SRg?CSqDIs)1ZQ(gVrB!#zM4C+z^f<33)t9gK7oQt;sYm3m;xqZ+ZkORsZa^Lddb zgL1FQvGTWXDN5YC9TBhqK|~VUe0g$$++GT!^(brsEkNg3p=)Bf>si_r<{b9Yle85( z-{prW4qNos7>=JVV5X&f{2}6wyi$hOT`?D+iT(K2hav@Qp912bK@(Wqo79MtQWjCo z@a3oD@?*|+Z=+E6;t=Fuy;;NSj^K3N1r{{Zp9sm+Ytod9H}}WPxMicvuafpbcIZiEFRGj`heysL z`;YX>8t`JcMF-z42A_glk})bq*nBxryzCZKv#T$i7?x&{8S*@!s_(sQb%T5=CoYF| z7kD6zb-QuQSvg!skX~q9nDoaJk{$@vvOQCLEe;l$)s+;bt$2eAk$4l3z%w4oB?fY| zN|7C!J#!*U0fDK(!yKh4jdSptZB699NM_1ryMGWs0XZxtU+M{Foi5Kxy=r5#PGw`0 zdzupD@eFXToL3D^<2aj(Lq3NMJCRBNJk9|VfAXKeKhI1#snBSn%`r>4z05z<8F<9Q0_fRc`uFJQJf!jrY&vlFb7=Y!ZWFDJY zfTW5ahZjm!ayb)E^7Of#UAW~w47LKoalCr)=gTs5y$5CBuAB&Uziih40IXeJU2%-$ zw|ODbD>O6=Buqcha_$zH-hMbm9>u1~0UapXofv$cnwgghS z*=EbVPW&zM_d|9ANTV(6)CJvvi=b<@bf+hTXWq=Ff#+^gn{P7i?voCGpX8Z_i(mf| z=LD)h>@Kd7_v#xK37W1IN9mnUAVNaI2$m^69wY}^&V)F^S6mc?PRBRx6|-(Og#U1Y z>J(bfB(k_82<(v;_g#Ki^lwC+Y=!%x6q>+jmTy553!8QQwG=srAfCYSho^+VvtoI^ z1%jBkLZL+{-sy76!ol0uHNRa_!fSl2TyCI-k9DaJ73XG7j^^d6w5UA$C6mK+OmiKB z4}FiWF?T}wW}|39`&88p>bi44YKxjWql^(rIFw-IJ8-H9e-_Nrh@DktC+7F32IR38raJyW(A`iu z$;!T!9{?1UtPiu90|(Sn%95>=^+c;^Os?_}=ATV@4~tPb0WRRXb-?xLYZuY0?6D^} z@LGkv@|xW|zHz;hy8AWDVF|cuS-B~{{2l|f)Hl!xHA#-A9CgN=8)k3}|K9fJX6R4* z$4;bAfRL?9iHb;%>p1729@IGrxX=?*sH4mNPq8Wtd7EJyKD-BBqJrjL`-AonZQZm- zCfdS|t0T_2W9dT_5?KxesJFe<=&k@%-}ZCdNa*PNXPo-o^lP|$Y4azbiK`@g)xhE% z%3(5mXsCPhF+k6<``f_Li5M*4TpeiF42*D4GD^V&oP$P<#L&f)B)MU@_cCSvXhfZ4 zuR^6SG3qIQca?xW6wS%DyzlC_bcGv?dE@tw`WEU4B*vWOXsJ6!hTqJ8B0Dg$A%f`P z6msJLtd>}y(+y0N#qgJ=3nyP#tt@zBa00<`XtXQ7Y6pT6C3an94`?A<5>nJvn%Dl4 zuDoB$B+DW@HPdFK{?Upa2i|1uzNugpbLqtei2R}ac?R-aac^7xhsln2fZZSXK1q+} zf)}9XEAz1e-S$U0Qy;OW_!$9Q%&K6h*4=X zGE?u>vA5DaM#rODpHTD@I?DGG1ll{BrGb!(vNKMT;7Q70*KcQaFQ;#O#6a8c*MtOw zHq3v^W+k4vJ5-L90kgbI)Giup9ieJRT^Otu8KyJ8`Z|pA_tUA1nqU4GkcM8z*(&DM zcnQufCLcA_Qo5JpzgV4gyc)xt`|uP~-Q((<06TDAPp}YlkPR?F2YCi|5rMvI!D9ZQ zVhkz!5NJ#`yL7gzj<4@J-;UAs{TRAONP>h_^8~9`{F{Jm!Te7TpBaFyyC4-adQZ>2 z7Jp>i2qwbA*{^M6qua+T-={V)8Y4;a30eO8Jgq5G`1KQCs;U-q4*QS2)#L@ha#6$U zx^=z~JxD+1P8o`n#d85mnqG;SY-UO$`E$FZ8_)&3jC|+J)at=r_+mMIWy&kx=5HzN zF@Dco+(AU$ME2a(379^O%N~&IR*Ji1itljJ>oNCf@0&S;I&>O^Kv>QnrcOi2ZT+o{ zAbxw`=X2=_?fj;ckC8wnIH`$A8d_|}@o}p7Ef@)Wq46t7V5jaDS z!V}|*!Hoa-9Y9G0MwwBNzrO?6*aJ(FC9YM6%uvoCJdDw$P@vbElu71d)v_!HV?@tS zJ^-wt{a3^1ud6i*+l0TsF75KT@C=sNX{M0j@X$)YKDP$WbXKm=N6~*VrgmmnCc}*s zsIwdc(Nxz@d@pesKJw3VM&G~v<$VT}T7D^l^7>u0IgHpW9@(Gx zgM>XHn>%f0O0A8K+ss1QW6n2y*dO(gnn?43LQ0(s;nO8ZLeU)g1nb3!+yM+?09d=d zdim$(Se*B`@O$ecM-GxbTP-4i9vowIOSOn6-!n%bs)jS;ssOe~(+|k?wjWH&Zhs>a z|KkB*Um~}2fNY;x2x09YJccgghF-?5!0pM{8qlMJ?!xc(!i|q@5A1}(pe=T1EYsROyh7X816QMCuw0UlH;|F(?;Tt}BH1_X~ z7hVEf{>9cr&hkf=5fGq{V4Z?-Y(_#S*(6RTi{mL>%*K5AG}s&Pm1HbeKHFD>mp%L& zZ%wphu$&2$g{2fGXK#ekA)!8Um=j{CTyU3>rTgd&5VWD;p&o&Gf2g+xL+|3ly(QYx zd0)Hwxbvm!VA%OnO~KD%c)Jao*o~MDm7jDZj*N8t(Nvt9Ya-wrt$o6rUpIvurkEgi z2nzuaYfNaMd>Ru)@PIh)Ubd?t;XY9ID-gkx0dZOofp*T~SP*;2ym&Y%$pFJ*8*5i< zgAK$vtl#j(*Q=o;!giJbnJJB|hWdS^pU{-GIL0Uob|RAhvJ_BvUfS>uVh<B}||G{;8*xT7R zV4ogqbE|h%AY|Ek05eC<^zM#DTSZPUM;q@gIL365*LB-(%B26DqRM&Likcubd zJ>b!~M(nu{?(>^goh3T9N8h_$X`?*u8(pI|q3gSe>s#V2K|l+1FAlLHOEMbmS>m$X z1jU!-h*%giKcsY3Z|$`7t-S(K1uE%G5q=(whzCXYt>HHHZet9pDR-tB!9^bkRxhE7 zEDQ#?*!^T+#Lt<68ipXp`;epZyMdAB1$pFew{u-@W#?Uta!?oI>5X#v0hA~Gch~!5 zZacoBbQ)a20=xztTzL2#s8FxgD4kI*;RgT$Bt60T^!~pBq@P)7sCfD|IRY*LhLSva ztI=E6_G)0FC?fj(07BBp;jRbAU}Gq~H!FRbOdzLI2`@(k1AO?M6_8$&(l*0fKNqRT zSA}EDUG6Dp*oTNdb>!Ok>YWkoGJ*~$)9~iW3thswden(eH4taQk8;ehf3Gqn+hyi0&;gt;JHN}kGcAkO3XxuphSXza5a z8z$ZdPA!9A(fl(Z&EeQ1GR|-=MORQ14~_y{?vy9)dLPpn>7&f9!8%rFr$gjF_yGbk z3PL1Ci_SGX7h&F8@t35mbe%@(Jfb)drP{oV@86W_DPjSNsIe|)%ZiP-Tg(AVwha3aS~Hs!XeI32U+jMo3bv)cB9s&%<~{@boyBsbIxU;9<@z3fzT zs)F7P_!*46dFA{TVLqf0&I9-Rp-{Q(CiQ&-8?|Skq}b77HomVOrdOh(V{y0C7Y-7i zxki{~6vn(0cZBd&%7d;>8s=4b#kbx2M$CM#df!#^ssnbdzYh?(-xs2@HVa4~)Fw4x zY-&nKOc5C7-^E0Hn}<-fxExJZ{up114F4p6Wx8(U*aNEJL8H5td%uhujr)dKbraX7 z_r5tWDn6S7)~>u#Z!`88$*F`==NUi(vGs|7C^(|lygNaE^zVk*=uSHa6M}Le=X35H zyI6iE4`krP3aaA&@Xj#jvFOr}0$)YC`y$57M~B9~Z~L62P2zqAhp_aTVDelk>SN+S ztOsKjH0)@eT-^o&9{^-26d?ao1D?L87v2$`r3JUT+JryKrp>#jyjG4Y9l-Mb_UC(_ zf5;^Ye%?EhnIdZs1~0?undA}~(`2Z;oqfe!zgrhZvU8Mf|8m8e`U7Pg>%t8$rXC@ka4CS6lehw%ebrzA>03`MgF^2c?9wqrJB7G*N<|| z=8SR>!9M3PXJ=x;Gl8%g#Ew&j=Ha|qf+Ad_Y?tp0B2hEllc-T}o{2p7eDF3o!K^QKq7x+k3n|s{?6Al#4wdN==?!1wt!;15 zML=4KAI8{xaQFE6Sgw`OYZsf2i*}kRM`=?q$2*eAz}dkCalEhGJ|)L?pvIp502P3p ztCPv5yGnS};XbHJx&H72K+`u^_m|;sYydO&z|~55&aORgu+P6kBI$hC7}~7Iy69IZ z`VeIf+nU0dAj7L5{JqO%gtG(~Pg=%Mw;b8Ct$RZ??{ntk`)sPlKRk)(=g$DW%nuYp z0BAn0A6G@zE1q~Dku=FZS~=%LS%Lsc9nMq^dk9xxbUG3A(WSpIN5y{ix*Gi)96|xk z@OV?O+I3dM+<6ZU^Y#<;;V=%KWZ?I}f{a&Y-}-mAZm-);HVO(=D*+&Zpe?8l#Du25 z9}V5F4~{4`RU=y7O$dKdgI@l-6e|^`-eCM2lvgvATe+>Ln)d(@dvp|O~KO*ms1303iZc_+t|*YNGN2u7P$-e))xyM=tXC_N_8~c<7tCJl;fS_ zX;GpyB^2(DV}wpxyF8N_ewWmQ$qUb*mc$?95L#DaNG(rRrbV9_oAX^}8HRNW|F(Vw zX7m_xlC9g_?u!a#{pD7CuKU6ceb;`BX)*EDfEKD2UhoGQOzmP`@jo`h#A~!u2E}zO z_x?#F-=zmKy9-<1)Gr=lq+6l03w5H?g18K5b;?)+xfN)0Knn-_^RK(miyL253`lOq ztsp;5!$zyCt8$Bp{*IAPrVcRlv}6st+t;PjgcP67U05E{Q+(_pD*ijn~>XT{C59B5o$HX{2 zeiNStG;gHSnQFXFM0=Yev7l3w2sE68kNXc=*yYge(0+V6=LE>50J#vab=gMh45jwE>>TFvM+>O%wDMAo*6;T%{behWYK!<3h$7J*vhtY@JtE@ts4mQJm2j~>H z7j3~YK;I*3huHACNGoDXzZZ-!Tz(@WO+P~x2;vL|{d{U~vM3#I1hh#WqE#o*<2kEt zTy7ORdU9Jx%cpayRFO<^vP~Ww!*bG6N=pRKl5UJNS(+VwQ$+85*#|N}eD!LO{B?;!?!N1ik*zj1G=Hjy~$2X!v)ep7;f~5`@XWve4rg*LF8Bqhfad@$F8u z6-jdHzHAMrO8CSH#NU9wJfmZW&FQB#p7yNN@zA&@s(df&Bub2zp{ReCCirc@%;c>_&eSFlKLj$97$c$tSe)x%bLQ zYBjrLmw?yisp}yvaLf5;&&qeZ_toCa8nwOl8dNHGb7<+4JOqh-m<5N2HLcwz$&78M z^)2rk3v=B(V81&tOgRnl{6I>Y>k#Xq9v$=N!1R~X4!PC#=yC1vrF4qr54p078E%%z zJl*pO%cLhnB8B@Y81^q_Mpb`PQ{oU78RGQ zF(_VH2`Kjp7GWw7y$j{hy{+5I=J+_G)rtw&&}}RQ_PU)fG>^>d{y}0Tf}5FtcBsS` z<-C!?2N+{V32WKTTY0&JH)ftM9CtL1{RM6)tVc#y3!)hZntxtOzx3hRw>!<1oU6tT z=ehh!-%XjVeVW_DndwxH6;W0?jaxuAc1BqsT*<1*7yAYLl?u`ar^ZEH4dp+lq=*Vy ziD^sj3czFZ-of?DBt4HljE<-P=fjL%ey*&R=V##>&Ka}JEtKJBVLvBk5gODA0Gl*h z)Zk=e((>muqU7An#l{cHzW~;G96d;kyuH)jQnSJ_UsiuNbLOf5`<%kP zQ0fDH$*%D0(N5qm0OQa3$(T3Ge)S~>!bhWxKX|}+aWg&Sju&W@MyiK&se<@7=hth3 z+y(?`B2Pk}zRclx@@OK%m`Cu%L&-e7o91!fGWQyDI(Yv^eGUle*t5;T`D%8 zHvp{@fBs$8F@+7VEOUgVt1iV+e&tkq{43pE_f#oFFD9Q6&LX$WnV#dHL}79?=puci z1xUpcIS50hnQ*o-(sr`-lYzjXVLR)d;0AoH#vqdDh|x62%%*|5a11JZya9dyBj{z_ z*WhX<0i9z=Q0$SGsbV@8_c){$=d6z!24fn z6)g$+OZ>G}NM`zBJ|*<{dJ6z{-rtYS9@`&Q0FuXMYav8PN9l| z?@EEt3&Pn!FgL+7fMQ~U98xG{t#SY6NauTbUY%NONY<)A;OW=@23p_$v=Pt@*p+jv zinOMn?sLztzq5=2EUs5TI8Yre{YhU`Gicn({7H5Q9UO<~*B}_J^b?0D8fh_EfO-QU z>oDYvsj@Jw*l5XJVRY&2Eb!Ey3V)Te`^wX!Bp|IE_&@wj1;B`#M&1ybp4Koce2DA{ z3dgog|69=PX3!8D0C$U}_Y{IJiV<0vKuW1JQt2lkZf}Diq;J{-uwqoU-o=_mP81F5 zOIhXj>d0b!E5j&LReG*zIjyt*Gp&v?=aTm&Ainozx^0%4x=<_2QDXwfp4W=z5OR19 z^V=BlH@PyOnM4p!VT~W9pggc*Ns*jQ(N?QG9W3&Q)%)j#re%P$1Dk;HS#L+#hdkGR ztla-Iu=R*@S z|Ho(j_b2#2e;6$SAcJco7fPx8^ZNhi_x~4v`f7%-MqdY)UGl$9(f)hgzej#d#Muu9 zxM=C^!Aw&UopMeM*6^=?>oJ29_`qSM|4!WAQu`C>DGco*UppYcHgZkaB(IT@ zUks$axPfNOG+e-BL0@y!J{#&t z&vVAtGwgEKw_#%Yv*%16s#Xevb);Jrdz9)^B+0&_lU`rXtFaH8nKHk=2{1)-=C=iJ z->A7MxH)K(^k}u2CtA%_&Q&3nu2sf7RZhAVn{S(PIc)@>;>v-a`Y(URe3xqc{smb* z{$0wDs=Cwe%CE|BC9-iH?O?{TfN8+F>L<4AH-z1uDC+_>B{!m>d|T14qyL4a9e)e< z#sA9EjVDeTFqaagS=&x5#OGf@!9~5`Y}nAcxW)6e$R3%-cX@YvB0X1yP^LX6Me88=C$;slMKyB0*Hi1ns=at+H?t*~V1)Vn*#;O%z zM+d*?d6~l7dnNS{f_BP}kA`XWv6jifLEQcXNHhob@>k?ls|PCRu61tBk3J!3+HXq_ z++($=(<|w(S=HyH7F3@TnpU0WZ&mdte3-R5<9|G)?du$StD$*NWRdjliMxgIdkH{H z7NY-Il=NQMZW|i7f^n|Qh^zJ>T`o{4u1y(-hvM~oo&f5K6e-B;G!T9bYF_&JM=p{- z3}MBxv6%*)jx;HCoF`uF2))1F2Vd+`qruA_i+|mMp0h!+JR_+vLXKWbuwW2_O-uLI zKrfjgCxcU|=rphl?E02e6{p37WU8cg{j8A@);~_;xR*m-wj*@|*+q<6da05MM{R%OG8pDwHr*wU1s9HaW&x5d5bGDnfpa{+8F@@b;HlzgStB{5#DJLm@0OR{B^GHdMFAg5PlW6K$OfrL+}nv3~qWp)Qd8D zunQn{Z$Tj%9kLB~>~6ym0>c$T%Sx`V?*LG6>STXj;O@cW217wdJpn=?_&Zb>5xaBq zv$w;2fYE9t7DjAd+;sQxjtdLmoX9VB(cBlNK(~Bn<${!VtBNYdR3||6+7#KerR^c= zZn^HTMRN5M<2(8p4dd|>^8ze0-;^q?9G;)KFmBx>(GYJa2U7z9@=9$%kic#sWRCN` zV@rO_mQLFu_0me!H3Fdu;Idu7oWj$QZ{940K}FSC)mg@A?^Itf^_{iAEiR6py_z!c9#oh?gW(sL*U!>#b6OMbR`*Q=0I*LGnC3d0IV01y2Sy4Hvmt! zG?>FTPdWDszHT`P2c#v9FW6}6W(xc9D@l;*tghn8C6$>`r%nfIFfJs z$l$l9Yzfk10)tfdtIcuB-5GnH*r&3E#Q(aZu`h*9x&HF8-&_V0`2KFj3eaonzLrT()7sy{K}64P1ySC?deYlsJkc-*KjD zL9#Rhy^k=C=jGDFkS-?;d|7Z(+O<{_k&xf}fPnEq&M8eC!(gVW7Z8cS1*kbQKV3Zs z14@Ssl}uCpps_wgR>|=@=#Epm84N!6od8oMi&tPB>8n-6)B{PR}h z+k2W9g*c&X(;s#1wV%msn-u886y`dFG=RX7@x2mk~DhX{$-#&J+J~a+V zr)d^wfk9(7d%l7gA^9*pFA0!d^>>Jqxy5Ku2P1JQeg_soZ$1uLdvdwhk7n&nAa< z7k;WNwb$8-$geB%##=Q3+HT@FQH4>M6#7p9m42b8&I(G3Z(F4qOMNs!yo1(QJq$`M zBwmzPes#thni$nni9*icO;fq9MhoafrVpxEM3 zn5wnRbsHI21zf93pq?AN#AORlhI$8x+H3$~Tib%d4qzJ=v`P@eAp8NV4R`_g629az z?4Y?ACcjf0q6}ulR`>U7NgMGl9JAeUnThoxwg zSI~fU0%R|EvNy+D#u9^+b1^kWQ&`qZ57}u1+6R6Bvj@d4;9=o$t(XmYqiH$kk5L96 z#{X|xH_0^J{{hyGW3=sZvCyzGkk(^4hy+|8UqTga6Yrhx(_plTTzyl4Z&>W`ycLxN zGNR`%#>q8l5jSS@#mE|i+YDLu87mt`RNMoh;rnmWNzddWTEF6vjV;FzSG<~E*cKSw zIzBZnwqiybVt0@D2Zvi0ned@Htjz3khVC%m%@nWfnT7Yscy`Ij2-Bu_wf5<@kNeTq z?3o~dYx{;6LMZL5ztHx8SbJnqrKVyB#u+D;J7*4a%SIR)|NXik#CVteY2e#Wd}6te zGWsD?88vpof1$LCm-kg#(Xc^p`NIeO4K}~@BZDH^IZn*_MXE_hX#i&}OQOGR|0fH8 z{{IT9y>{2_@6td*eX+nk8;ErHpcYc2 zk_qh1Uq*_4M#Q3?|NQB~;n7C$#mlVOTb$L(lH$f;X6yNCV;!^Og%9#Iw)3e@{b{+R z`k?F`^-LVkBW7|hla^$a`r1-mlWV>`dWbl&S88Ko690o{P|)=Z!NsAQlUEtcSh^VJ zAXFgD$?}^%+k%f{gK?WRp0m^Tao7M7hBok$#4ek1z5MN8;Wp2s7&iNK#5S=>;i+6- z7m_Ux4D_2`i}yaiK4@88umvsaWWRUG#&DXnJ|W%#h{dow_7f-8D7x`Zi7?D2Irfb$ z?|(P0G2_zJ%{{)TSDU1{GG^b|$8pkFhU^I4(owK(1KU;Clh$2gD|inWK&1IoA6c=e zG%`+Nl8MwvoZ9(F>IsNlx)qDM)i1W8vMdMF#lkb?mC~&DJ=a@vsS4+7G?jSO&=l*; z@?=Tg%`}qv`6++@pSSzG3#;Ek|2+9Zmot+?p#0be{aLybGEI&zsZdF}j{>%`dwLQn zPkNG^=kW3Kn7?u!+91R!h-b|Wly&yknS80W9?2SA>)u`X6I7Q-du6J_lM%4?}pTQk-lj84;dEt|a05zG9 z8^63}VulQbx)3){bwY0cies%K9mAvR_3IY0LUsR|i`(1C3yq^_FHx)!&a6w27H?y3 z?+|Eel{U)O7KgNajxQ3L?`k1W7^7&OFNh{K^6IX+w72AjZuoO~;~_{PPJx3EdGxYpZbTd`Mf4eSw< zyIH{jH4BaM*DA!RIpkrOb6BsJ`V3aLwz9q-T3` zvx#W-3%~eHx-r-HV`%fXMP34hdlzK$pWNHyLI&tUnhc_&)eWBkvC3gPJ&TT;hnM^ceZxZZl{Jw zE2I_Lp{NK(z=KfWz){NXHree0-$-D=2T9x=0kFWIM}9YjP?_ab&Cd{Vfm>GExv3N{ zWS}O+P!u!Qn&*&{_=b(4@H^aXvVQ6E2!M3P&DT?c=2dk|kD{aJ9Av1}4=NmSw+LOu zpw(UTEGg#p8%6K?-WgW4cApdOF&pA$H+24Y&(LfrLskEzOX}BQA0<%Yp+LI-1-

Cp?wd+}7N!}hQorC)HIG}ijkDHW8ZKWSx_?&!O z6m?T$Q3EWN_{nP!QFix|K%~s!rc>hWKxEGp>cRF2VkWY&Rf#`o|J6+TMIbRnGj^&Q zf@Mn8oliXjJ-_M_vVH)*$OL=OH_Ut$KNNRtdo3_o8StNA*tADo;w7RtF5aH4QM+K8 zDkSQ)=Ku@i} z%{#lcRA}|^cE<^B3jgV6D@@VBzeKN~TsQGs*4m*qHSZpCTGdHuP@3zz7Vt+)+VIPt5Oq$e_ zwQPZC{CPfy9cyB(np%J$pS$)J1tyXNQ?800s0?@f5Oz?B~t_@5M$fJ=1-3ZI-L zZ=UFw*!Z5NG{Phpe=+8;!4JA*(G-bzTVpg}&!Z;lB?-z<=Uv_*Q zO44=b1e>XedYU}wRh9S?#U|?bXR9FrFNAxgbu-|wbc6*!`wWNDQzRL0Pa_z=R_jw^ zA{`==(|r9Z4Ud*ECznpcU!4`PiD?CZd?bN_Dy9ZqBG~z<-HLb8#xywlO%5I}h6OAW z46sbLWjeVBKv8k|S~kt6Jpd96N;*8Zf~D3>FLh|fyFPR4!&=N-&3mxOwzByVuP&nk>R}8CT8-x_g85SzLi;R zmEcev0!*70`!oBfuQROt5r7=b$qW_vW}nJ|eS;_2O78Jh2{*l&aKYc5r=UrLASY^o z5eC3xvsV~-axmpecK6$U-LypA%-VXDx)sH|iF?|33`BRq4Dx_$a0Q(*GcEM{4|BI8 z&-#WZ2hF~X^$?KMwY6?NG5Bb2y4r7DpWgYQ{f7BnG-5{cdaU%tjsN?oh@(!;nDbsH+yBke*WXs+{+Y_1R%q4F#^{4As0X5>W}= zdI2Qeso?uu(>}ijD4^w8f!h&3(WSRBSz>Sa0V9{0L~W^EM2M@JS<>&o5NfPO$h;eK zV9ig*oqN*h&KO4ea9ibrivJq;EGrLiMP%i5=d72zV}}7nq16%a8&GVS-(>4sZ)!>(O26dEiEiyqMU0W^ zohh5$d&!&+O)wXBd=Oq?u_)FI6Q-bB|4@bnL>e|}veL`XY`9YlT%2}Vyog)gZeGpK zqkDUtPvUMz5hFriG=pouTi%a_kGvFdg-()cX0kPGm3`VZV&{z|DoYP-lK&!qIrJN1 zj8T-D2@$kn#IK@TB`{H23~6u!INRB&r#z3Q!dj%YGXjTU2Et)&M*2XNH%O@#8ry05 zj9e~y^zn)n*q5p*BAK{s#anZRwOePpPYGvwi|RK=Va%*dmsKI_md8Q_$*9+5%TOz= zVfUOFRUgMCmU?Vytj+AwlJ{$2TlDOhvsqmECm~3eOZKJoD)~Tup`$l#A1Td1Gqss= zF3K>jIM*c&%R;fGrV%@8D^D=nE9Mz&S+P$wzcrgbOWBn0VSa#}xC z37fS`&A&xwu$fA|FzlYUPsV{(f(g%t`4CoiABjdqCHL1(b%jDP#`zmZFavIdV{#TD zx@D=yKRoB-INr@pf5&z8DaG*XW^1FpDZ{W65Dn8#%n09qY+sVqk8f3Ao_ZGMIZ^YuWXc z#@FdfFA=ey7SY+J`AePq3|rcq7Dcyu#AKt7|A*mNp)ZP%fdesDJ&mLbvrXxbSk`xi zHR-$;R>SO^HaUK#io?yWPCv|L2hHd5^JqzlJ?UU8z>nzx%X@s*bfW?l^L2IN{{F7G zXB+7g%w!mh^A6kA6rg$^@Zr4J9JOMT@L5naCWh7VLO6nTKS?ruUT!6&OF}4?Pcj&Hf93dpiiyw4Lop!JBV3>IP3cC>gT# zIgW>-9!;)T0dyL^IG|1WVQwbki)bBVH%obH>fDgPToT5l2!0 zs$0A&1;FW*+6<-tYiw(%z-9DUQG4y1z0}jMU$4vEVd%c9(;dgleX<_3T&P)mOZSvs zGmsO=w{_B82Ga(@<;e)(l6HgMr_NK?w{0U-jw@#9Z!ct-q?CWoU-rMvKdRJBwW9Nq zI4vtD;)QWDv!&Hj*C$gYbQab_aZerXxT!ZBSn-dHbQ7&~k;O)SKjI8n_UUGuTQsH0 zy-_6@s)(KG4=slWCE^9z-2v15DOsp-?QL0tN0mRP@M2@;ytudHw;8S!eLnBY)O7w+ zdK)?vHW^Jf-c~wY`8}!@+N1+yE]n@wg_@ z;Nl{4Pi((hM-a)J(FY_wm}d2nptpBfwXHUJSO@%J3|RvMQs8p z66Hy9_EvQ+b;;mCKSH?vREr@2d}9VjeleSyH+L+6LzJP(}Mb(^G?dRlwS6Bd1Pq^`TibKv;<`6M`8C+_4>)70$6+04B+ znI!t_NbTt;OE*JeR)<0Q3(4^Au*{70#;%c{ZHbr&n6FEq~MNhJ75@6PbZ2- z$Dk3xYFOAYGp3SO#@l_%_IuI$#!zgB#z2biDUQB_CE`jlpsg03jiCUR`@e%D{%Uuv({%M<z_lK|wPiB}khE=3jrwle(~l?_ zUp#qYlWnvle*xZCRctbN^-))n$DGsjYDGDt^^?+G2kXcgX4%@LSZnek_y@mnS$0Dk zyYP1EOu9>JpLc>Bra|XrfqUIuUAigZL3CG8{c3-nMTs#Zj^0EXd1(`u8nKL1ZK@Y< zjy~rxkiJ=vU*4v3RO-)1XQPxPK2+O1qb+@Z#`$6A^b-KoDPszxTjzxwPGA2>SbTeb zVHClq^KIXvDd?V(bhcWHnd6|r4eL6M_P}Zxqi@B7H^TOb=XuYb+OKVF z^}Ao~zSEg{FWzM*S5VvHv0a#t$}SWgLH%c13#J;!LBw0|%5n44I{{ITs};d_9HcI@ z1AT|;%|)&slFa5W7}*pV>zaDwX3pt6R7=_m>Mexop{dNj`qi!vP+W7#Y&fj59d^HH zVBOThC`kF~eYKc#p zj1#Wr$_1hk-r(cjSs*rK>QeE31-aD@9flp4Ice5aj4}YExejuVU?a|xfI5lq+y?bL zKc)45p6+Jxe?6Qxm;h>c+p$$9Q~cv-<&Lzk(o5kXnB2j{Cg$~;$&@kQJ0uH0 zz5g1+1gQRUe`p^!F$B`t!IJuZGPJ4Gprk#`*#c?QSsxYpx$hp>=VXS7EhvBTu*q=(!M927ba-np+}IgaVUMa#&*^3!OQWg^wh~n*p=1ammwAmDWP1Uc-Gg? zF#}~W3MK-|++2?@yV5SsBJ=ijVlZFYf!yO+Yc2ZugqTT3^JIe6@Rs~D+aYxUAykoI zLbuEJAphHfU3<6wahZB7KjrpD#=A$IKu%}qowQ(esotp*jk!K&Jx@C4R@*3g@$vRL zkL!-FqI?El9Xc$q1Y|E52Ly{|t{E~FVx^N}cCWn}PWQ(XuHZ&H9-E~yE!tBIy{$w& z`_bTAIf1)4t$7{m_XLl>AW9C8CIc@e|B%YzKh^LK5yK9-2i8m7Bf_sKW7vMpG|e`2 zg{8)-Fy&4!{Ra2)W~GKrEoUVE>wEL}mkai^itQE(X{ZS^*!FbixVi~4kdaFG3zv2C zldKGwwViDU?)pFl9E<4Y`51gF!M5SjBA{&dVw<$z{^pNQ&)cIm5b`^HqsRR7#6Lf~(+CD>rEi#cK-sZl zFL?!Zw^vv9a!Ekfpf@;H+^y#nwLQ13Y4-Pe=O$Jq?wkz;+_Sf~=gWLxwfPP^yIJjX z;IyOnl*ZinPTpNd-S15w5Jm&? zQkJK82(7bSIn<4kwzHr1UF?S1IU=+AbS$(%m1rQzck)uA>Gi#9*Z7uc+eJtH`@y5s zJW9>O#k#c!5&eGgMX^&I-jm4KwjW~9KeV=;zw#fXux+eYdv$gt+V+1pVDWmnq&a&f zIk@TVZuK1#e6^V*BlIxn@-?i>Z!K?@E^vG9eP)fWHZ0zef1H{=Egh}=6XIR%NlC|_ zw(?;O4G6z1o5BHKKjO&kYxp1tRJf80VABlqi&kO)a&5HW(R9N7sj#C7yDld70M7Yl zBZ%Ty=$HcIq7Dvh2hbU(%P|&X{noa zNa)FoPj{`%;|9L;eg^s%in^R^QKh8}ZwKv$C=6!_*ja-=+Mq`hA3jl4L@HVdKFzJu zk5ja1_vOenHb%xfNiF|0t@w8H%M?X7;175GTrMq+kLT3yAm4Lqd7n(Ddrch|W~gjYkDhGw6K8L&5k6SHh5E^ z)0b*edcJGZ=(J>g>JRf--zVa&;;)Et8=9AnddwW8jr#~rD5CY-^HJ9SV>?$DHO3ZL zsAq!8ePUP1d;DWd2ziHbd|BoC@VL99)ST5(%+cYIu|8AJ8M z%ch%t6s$3T+-SaR&gPa4-5Qnq*0Q@Nc`umw<{&8`sE9gkz|ZOK6H?iPO|Cw4^?&d4 zIq0HxX-q83JNhUJF;Ol5&?HvcY==xX_>DpWZV&AC)L6TmXIB z6_KyjrILD)Xh7nV=AE5;uP;-VyayFBP0G(`1 z_@N6MjlA!M`5pi4pzyRGu?{m=U^wQkvPQPQ()O7R&dGjlz=8h0&xY;fFtS*t?K?-s+5+_IWW;8{{P*(fwY5 z0Y(xkF`4EfuZ@%AAq1T*uGK4pPIrn4N-^FyA>|a|RdV|skfZqFHu=^-%dJo2lJjb& zVSLY=!R6KC=U-**RQ&h80|Ee(9`^HzA7>q!?pM=sjHEzk*Rd}aCSmVD&Qv5s;I7j4 z$o`!x5s`uWv3Eup$_DMjAcbVLx6aG6k!Z6_hkKW|=wtmA7SMRctp03m*u&&Bm z&VZEJEt+USo`kmdcI%FX@~m-A+wDP*?|wE>#4_G?a*j+6$Gs8x<~vtqa_=C~wzg+) z{P&@<4A|_b4tmDO789W|)G~mrk+BU{<q@%^}(F_*>jCC zA-W=(ADg6KXg_W(n|pr1fBjHKn5aMsR^{Kyq;-szyb)puG5+=kg5gu}-p2JUaY%vj z!?&!WN+V3zP6?AQoaPdISvbFp>G6E8q3HNp2QSlN2kkkW&QsmQ<8k;<5{Fc&N*=}(>lNls6t{~U->*A(} zI?gq)l-;b-=v#vS1dqqU4TU=agqi!aoKq3{ACR-;t|&2#^-d(EPUQkbeD%cn$g-`o zVO(!|{`%eD#I5zE)#2_fJeul5vnF-`h$_mo;HLm#U^aa{k$8WmZs|15czWcbU=I*l zl%XtmhC&~~CADZ4ANnotVcC^4*qEHNFaJ7{;qwTT0|Yb9C5{D+0;&w<&Ha6|k$K+sM$ zEt3zJc+4|-qUNjhJc?JYXeDl(ckN%R?D%DUzi@~p;hII@p@R~$p14?q?F^%Atho2_ zn~yn|54Q%0*8s&Q2lbm^SMVuqSa{Ne-C_)-Xd4JO<*V?r4)Db0@0^sBHyvlD0I>iN z`F}Ed$WbX->cC+6>i&hwUk%Sx`LCB}tHvG3yQDlXYUp(zCLKKW} z8SUL8Qc{cio|(Y*)+oOXp(kFAMjgnaFLEfWE(u2|51!G5^G{W`=?U%Di$3ZyD|;wV z6Q}3nlvcjs?%XJ_2XBqsU#r~8LKs~Jaj+kvp;;^`1C;Mj zR6u+G#$cfgAqZh{r9^yb`qL)4h~r7%0Oo?q@y*5{9T zZpW0F=Q?(_>@6y@C7BKxrg*n_uFSf98t4&fOhW6k9XlI%>nn0XJUFkQ0PI@UFaP$8 zrJP83^zj&F_9gFTG*FDB;lgV@t~dRiMOoMOo=WI)2utZKWzU9znOkT0vCr_lcw$unJLgQYMK$-!tM)RP}wcQLI`!jG4rzb zPZW~8*W{-OKeAiR=xXcdOUv<>SE*>kCYt|@#^om6^>!v(S`TQ2H4cUp3Cp*sd2eea zeu#>gqiX)aSac(Z+sC)%k%r6Oho|&FmiHNITI`K|WmYE=)Qg|@^WO`hn+YvF#+_9S zRH|vuZO7SP53cE0pdd{azUUrerS{O-IEIQN8SmUC^O!bf^D?*Ly$mu6|AIa zIQ_x)7sX)ftTPNp4}Y0CpKu+LR_uZWpg2+$Up%qgLXD48bzQD8lA@;0p{n!lFU1VQ z#`(z^L1{#QI1Anab$?sA>{?Hi^FEJ=VIGeJY7+lgx%Y%h)Mn5D?m63ad9myy?xsV) zeTlvQarFED-O=al&_hTQ)U@#IMoVfO%rnWPGoGb$WeEUfcH}=%e3E+n(;A|$)Q1E+7icLQt<;l&hwW3}2N;2`8*-wo^O{ayX%TtYz zx-CGp0#J4$?rx6d(jb514JiIT<`n@TJQ3nV&*S>P^-$^FVVT9)I~_39ymdwLooei8 zX|AW$Zshxfb$4(U`ZkCj-{jGhpdq>wW1XC{!uL5)!x;R||92UJx%M^hFy46n&kfGc zUsEMsb57{f586pBT4-PkzD?9z$-I84#|UV3+ogJUbE3wuNoi3A$-2?_D)@ZAtm4x3 zu#imQv(Wbv$q0|6UiIE@m?W#Jy&S7%b{g)Bo+f&1R#D(aCT0>=52ca~FSy$GjaaK+ zYos0BK>q{g?2VKZ=1#V59kBXsg*a|m#Zk_Zs^yAAPtBJ$=SFrs-M;4~)MkP2c?`06 zAZ`}3PbIZox8vYe&30)=tUm)}IbjMOvb$R{r3==FcoPy#@UyMUv{bTP<3~E8aj*86 zX*vpWqb(B7FZ#?+0UAyg6p|`ioB1?odQR(mrN6?(XdZG5T<``9>kO7&ZO_(M)I0X5 zoWAFb-WixjgVAEB_aB1%n=9MZ4j$n)0^^sDl2Hz4WjFS->VmuSEVGEowZg3gooF`q z2r?Ner{hANZ+jzhu>%)|YgP_yGc+)ly`e9m%J~L1Sw9QLHhGg#6zQZf;sPr&s6$&h z2L31U>lAaiad>e5Z(9ztrnl9$PhaJhd9>bYmbN3KDL1-<2V{eP^^4ybR^?1Fk-9g` z|Mf1R&}wlF2*k}w%3oYD3o2AXP6Js9g~bQ&q%?CWj{&m4Q0|Ha3RNte6bq4j+{?(X z@^hRhXhq`fI>SKopPJ}L7=4BKh>f|I*|O%A28A^dT+yq`Tr~{T=`0VRcXsMwI@(K8 z*$zb3Vrq1Xj@WP!jZG1>WTcz9XbQ{bocF;qzxGNGbJsNVHYA-HwcsJe79wk0T>?b$ zEB+V!RJR?x@A1wRiHHrorQKD&nR4D4C)i{MrO6ZV7czOxH;DeczjDn_@=fOBKlAUT zIs9nsEG|o5dl)lF6v$Y+&hpi6nKCprwqpg?(dIt&J^7LR^&dCx5J3=zXR#jST!Lj={60ZH&c5LpI0~n*$ZN=bSKwJ(z!7G zJcZj~{u|L+AZV;UeLc0>hjFP~)sb)$M5Q%Guegq}g^?Oc?9Ioc!RIZP-F`#alO)(DM$7l= z5^W@Wtv1ldX)sjOnyXZL)#xE(an8h7Ou$5>X|efg+M@ZMwK6`Hvn}r}65DdK0W^qC zJ)COALtAWR{5Cp(XXqrX3 zd!~M4*2Q-r&k-_H*AJ;x^pn?*#4f$@6}5xlhkg(wIaSr}s!UWDIuuHlwX9MO@zrBi z-BwTCNocL>0_(KMreKpIk4{V$QUfgWxf;)&=Xsrl-{ld=>&$RqDv)%Vs;bh!9Y@MP zM&c#}2tO^rn84fshuA{(DNbS7DvKlZ1&XbDyB+zEQvKtS#~Gw%k#xQmRNsHt39`CU zOG)NCduG|}x=!kM6p}Cja!ti^k@;}bWLV2K>*IgUKrwA_<4@qtjmR6cjV_lJswjh` z$K#5^*Ta(I*HnFZ3PP82Sv+)3ZX_@Pz#=#LmmiAC@bFxIO`|gtg zHuhMi$S?Cuqem6soOFE`(D6*JA>>xLrn=_j>|LLYdGAfo=lBGB8Kp7b8401cq)+U4X`13%$jrhW&na7WQb&Aa)*qW z$J#)S-ElVLkw<$|pxgA2%RkPwC6R^0Xp332<*cAaLtTzFKNB*!Yy6<|NHm@`{cN|3 zgKP_%&F?=7d6Alf+8lN9#XmW@FN^0Zd@#+}0XC(zpHisU zm)_BEKI58K`k~wIGI9@nst;;0J8_pt4>10_4#9VM{Z=e_+odx<5rzr`d5896V`CA< zGQUHw=olP4R!&nOs}>yO36s1{cLKTb&3PNCe1gimpP#cHnRaNqht1-^OO+RX{K3Ue zuC`8X8!bQrLAv+cIhI$^mbyoeSFJ<|lG1XGSi*>XM^}<|jJpbufRYEBFK#kcN}xu2 zFS-?U>jZa#^Z&GlF6eWfQxH!A^Enq+bIa-8ZgBnN1t!gVyWBy}`3{X%1|`q)rQtFEJxGBvrv4sQTf zeKIA8_E>krb&1ml#(s(B&9b^%8)xsEPbhF+r`{Z>Kl-{`qgh`jywP2oaqAn=CV37{ zLl|#1+v25^=Du1Z6+0!@Vm+&fVLS2>KI(`zX(=c8P@;~17rTuuAr-OA6V5sx2YmKj z&I*P+1S8m|6NECF+V51QeB>vl_0)L8NvP3A)b#3l&19S@)$GM&JX`o_bude8D<}A+ zzbrzwv#{XTm+9XEVOv`>P@_l5Z+}eX??g^dM509ozNfbK1gyq#QB9bueO6k1sy%X` zy^4`@Pr0q$Di1;BTSChrCnK&%@#T(la?BlHr8%eC^gJ%e4}N+T_>P*r$jh@^6jeTF zOMsv&!#wrb0S)pimtP&CW|*zSt8YJ2h#;2kwy>^Bn>p5AsOVc7CqJ^e-Hy>`2o8Qf zC-+V$Hi>Y8n^I0MMlflp_PK?fKci|G-;A`jwwe+F0exe!gp40l60R>nD9|D45F6{J z&iV2c^RgTQw#Q0XcYv*G&I2SQo+^h#6C6Y~u|1=m=4A>J zb!!!{^JN~GlGhkIr$J!5&q6Q#-FLW9Zlkd|iU84tLp54tO$n>!=ln%v=?;DmZ}$jk zH5kg5zv(qSpT)Kkqzk@zcjH+REW0Iq;0wX2&pmqAWw83GHYGk~gvA`a1)38fWpSBDH?VtuFwk7n!; z61cj7cx-uzsbV_Gj@NR(X+_q$7gefD>$RLl%hVHV&4JEWeeUuvKy#K;5Tx2sBIg|5 z-23HuMG`{)6mEFtqV-6OAdyf!K$xmVu2)Ewqqf)1PzTdK>r>b{1wl(H&Bi(nvPqn>yiwXBE>(uCQ?fND1kR?*+tjk3>fdK~Ay-?Jb^( ztOIep8ko=JI*sga#`0?$>8xfF=TUmd@;$Et6dQg4QPI-9-36_>k8?-*2%Y`rt+K}? zgrm$%m!J!%1HAFXfD2p2-V|z^JNX~p71kzkZlYznK?v64z0T`+KA+&I&ItHH zHOi|`0TVYJ-*`jzTq$!kt4?b}71@d0FGEeXj8SCq6{EhL^bBk+Rb;y*yFWGCy%FW(cPn4v>Ek_=2Da*@$v7H4sl+c|jt{>w`W1s0i(!xK$vJvn&#=@g< zUl?M0aeAbLf-433fO&|`T%RuRp0(9^{Yg}wS5!e=es^+##ZKJ;bkW6DE_2S*S0&K~ zHz(>!T{x2eHjD6CWf3{m%;uX-KJsXWZlsVnV#*{Xe>gLVz|jL!QG=^*eQP|$C#h9w zsH7mB8dIG+rxuB1{6lNJDd$DWlt^fcR(%++%9>0lh>zErS#X2YNJj{bqGc$&?+p#8X*FcNS33Kb>gx-2M_SJXyVtZjpp z>36ZY>c(Wz>d&C9%XyZ>ey$zSh~ZFBf$u#@@ou^ zL(IGpe5d*W*3i#K9BY;&+vF{~XZ{P+g)2PNVz&Yds zZ#F&iR=Z2*TWw8|Q8^A@3xYSMi?_v*h|Yoy=l}uZtU6{F;&Ji_0}41$Q7M^+Jr_^Qsbw8V$BI@cu2+C@g4?$7&^lstbMSQNLRi>iQZ$Td z$=VB_y4_K;tmgwmzZ+l1yCNiXv3Se1MZlAoSnavoZ2k)3HY6D4KRC6uP@!JHf7N2m zL>Y0e=YfnavZs6sR8jF2Q-%#6zpjb4TqQ-KhvUCM=+5RP4ZY$mdpgh`%a6{w4jG&* z#qo9)Mi{^5)u5e4aY-b-N}l6}XAR~LjF89~<{ilX@G zm6bO!UQ<~8*L*eRn-vtWpc)s=s-s6UFc#OBEjGxs4SXnJyAysczDJH*DVc!|l<;?X zY&FQu75$6^=4>_`V0xA4Zz7y;nUYdcem9BxZ$yqE(l1GkY>X$U3k}8SImyqq_U0gL z=f-!$&UZ4T=MXCOh-b$A=EsY@)Z1aFhJlw~YLL#)12@s`AuLTmqgf4y4&kE?a1uCr zpn9V^$29@vKt!#7=%D@uTa!_+%*#KkXJY=H#Lrr<>?Xg%;OBs>w|WJ?@C~|3_HA+| zI^6=Cj@Qq1FVz)L_-l_M)BEI0h1e#n}b@$JIUJJza}h@izCjUarM zHk+Wj)+GPmEz96TVj5z*sfQ7P0g{(46DO5^D&Q^nv4I{q$qJvcRPgxeeSLc5Fe_&x zmZ@7XaO@d(l{z?Vg*Sk!&TtZ)HmMmUpvTd3J|fg*xHpG-b1uI%AESUtejAO{Q)u&RDwzp@9N)0U)T_;+d0gI_R{ zf~@wPpr^!6$_w=m`l+GlYPnPqP4!y7v*9KY+n--xz37igC)ZYXFaG&4pTn#H3PJs` z-o7wYOG9)x%MBz#epyT1j_SOxd|F!JVj=$bwmT1gNoqkSx{L@|)>1qP7Z>+dJhk3O zz~J>jp}j#;t_zK-?CMcf5CiWK-;$%v=>f`*+hzKjZf=X!VLTu*nF2Om-O5k|enFS| zRqOQ^c7D#(=c)_@jlp`8nTVn0Jo2MZSMDEsEVf4Id$`FiT>1yIWTBw3YIB}MW7%w3 z!BU*$2wOeJ^`e|pOgK_#)$?NU#DrOF9Q=@x$bmzdp2kaP>T>&Tx|{!)$z37h;KS*u z;KSLP{!~j;PDAl^Le{-OF!AwqDEo`*)o&uMRrNpWl{V32+y`}uEQ>tOUxAY(IYL{# zn-I43!;yYwmezTzVk(^^(z(?aG;6*JQA9t|t2^(*DH?hx$o&0!)dA~O%T!JRtf^7m zwY-fT%(;{1N#r`|bHeQ@uPXL>rB~ux<=9kh>+F>v zt!db`E~}BmL1B`{2FzZLN<1nKrfY|UY`ygzrV^da(MSuQTmH7o&MJkn@$EyFJSD*} zy|cFJ90AX+vlA)Gf5MO|uG={A{F`}LpisBVKa{)k+9>2^9*}Gac{#2ptO6B^rZD%D zxcli65t%7hsTxKqC;gS}@R|Jaq<7@wr1lqovnPOEb)A@u$ox|W*TurgP{i19mBq6+ zjvCEP*18t*YS&H9C+r8~0Tt_s0yd`Zx7Khm3VTDpVqL^*Q9b?o>BfZfpt-Zza5%Q( z_`72JkRU>5?D)r*aEFCxm;_?ziW^0N6lFwyaIuW)33Q_+|G1951b)OcArzVg%rlzO zWo|;(-9% zcpmY2yABsVJz$Xf`>#G(vZAG>h4Hq?>FFt;vEI|Oi4YopefNr=1OyvsO-oCwZE4wh zmCQMtzh;;^l>z&`S+);Y!NEL|X}G2NoTwXhfy3$)u=xV+I^5|T$s<`4`(KUOpaYTO zw!0!Fdso_D8y-<5dGN8X^@)RVNXy+zdZs<0adv3FQqVsa&xiwkt z8dj`_e0J8AA2D?2?>;!=8u<%*|IW61_b&F`zklj~<=4SA5;7totlF>3|NUoOjOc~z zW&b9{y&@-t|H^3o*Exk7e7ft91qx#RKQh}-l4>+}$!2K=xH<#>k38`IE#H4@+x*|R zd=^tQ)S)KQe;JGn&TD^GmuEiNT`9KRtY0gYNX1*eNU_RD6sYijG<jO6>ZfH2WB-FlBQ4Nc8j`D<*VE^9`uA=HsX z>^gZs$Be~t9rx}SPEAeCI0ya5_dhj7aA$nNFT z@0_ET&=ob@c?C&*(U~`PA9WfeeTbfsF5;v!q62JVh9qKVBA(Sfk+u?T6RXR$<*uy9 zB$fk>oca{fTk>C@8tcW>zDxrfBJkeA$(Z-?)*a2$R6$#vvmy(z;6CYyO>Z&q(qBOl?@B4(agAQv8kH;4hxU? zKX&%teZRToS5spi*3-j_y0X)<6r^{C^Hsh=g6xw*SGdB~* zqy64?voBew%D6RHcBH4L$9BHnQ}g}%59DOjj4yswer;)TTnKCWrxpM?g>s7UQ=Pbf z!~!fb8Ia`ToTl`o0$;)!Y*oio*7G$f(q{WT4kM==w5en$CZ1*cqCJ+?`&`v}q&&PB zRo%$R%KG2BF$P~u6bagjMlgDeE&4m~w+|cuLEB&cV&%^s_N}Z;iN=*}ioC_tf9|9a3+U0$tp~fzW`AL%FKZH!EFqV$}_DBN?g|m9~m2t z$CXfWPuDJ&A5E6Hids+P=vTjVuTMf?zBSmI8i_e~Dd24Sb2A-9aEGa3LUg*??FfDg zhKdmerg`%~*M79kyK$bfFV3JUPwv(1SQY-X=>5)5M|3E#EY5g!)f0#5k|6Zp8xfM6(7y48(fB+2xi9FWpLpdaM1;>V0~w zW9gOVR1nRAG4`Kze^^yoPe@y{s@J;Pwg$iF=H+zEnpswzunSw!fb6<&^jCrU*v7q5 zXY9Qp^UNp3Gb%LwJKs@b$7~4X(fV{}quz_Ti*j(%DlFXsyy^kOf8a=eRzV;c(Oi4G z)p?{|+u3^T|6}dD=U+9k5R3J*O{K;;LbL2Gvw36( za>z)7RAK)`SY}DXf`@*0u{Nx!z3nHNtt8m&8-U)*_v?o9OZ_B%?Pf*TK@f=;5Ss))oe%()WVq~@oWHaIw`)Fd({rcR$G1vd6XZh#0Klu;* zw4yAF=jV(wT}tknkWl3#mLx!Gt_$9W7KSCJzW`xS2M6-p9JdF7luYhGBl3(%f6AtxV{%ZHfRCl)j&iqcVD zggyxv-SH&={39xrHA-qsw5r?N-~qNO(vMhHb|uWZ4e~^BklW8$lR$)?#F+#%Ff2T;00;6{AzR zPF^|inx?-URAgP|ov_k{XB<=<*#R`g86NUQ+0CHdvz?D5S3#?iUg_iNI;%~<%FdG>!d1CEcRE=%9mDBPU9w#U^&;EraEbL;cBk?g1^@EF7YQqb znrH-Fbmf(#?R!kWkTFVe_B|4%rQ!x;; z2k{sn#r;ZOYd26eG)nYOmfpH1OQ`Er<=eWedV9~;^dNC=*Tj^75j2hFimKhZkDLob z^uHMkKQ@66Pd#XM^4mg}OYESX$^O5krr6yi2jnkIuC|e5>|*TJ-G;dVIE=|c+MBGS zD<{J|_M?}sQzepgDl>cF0Ym}c!0*1~XRnVO_AjVV($a=ZL`nC=@pscxc^hlZHZUHy z_eqq5V8kR)zrr~t#_C@V&v#p_Pj@t~XoCnM9tk#qjT{AZ$$P)j^A)SG)}}$Q7Jxw* zDY6YN56BIhP8cGhhC>A2kG@Ie5*x|W7n7YSbZxXtKUnW7cnq;#7=dnQF5x4F8&+>$ zD4xQxYFo_2N1mogVl>*(U<#3yg~oHB9uq4<-n87QGw|?A9bbj@i~2^;HICePjAbd; zw(L$lAY@}GUbSE!NYp^We+zz~t15}9YMD0P?2p-+y%Y_GwS~e8hy|mA1-zBNSUorH z4J6k`YMQ+mhf-~AuWmP8)9QW0OAEIhFiK3tLGy>b$-|lwCa6G}1KM0zl}Gw9KfuJ< z!mX1N#3K$SFN)AWDV(Duzsy#0bwqGh%>RTjzYZ#kUlK765hwvb-aY%dw&PAR`)pcN zG2m?(Zbya$e*MP#|?QHP7gbx=qUa zY!m{aa%e_doQPB;GHa8DLYAKAjExZm0MM@UQxfOd3;Ih^<(N;dRe8=kz4T=$ve=gE zJh^%9^Ge+koq$;_aW}lX`lU)#SrL-!Y!upLD<=1>z2Cmy(#-0o^yi_S3W@7q{MRrl zlGeLPX}qv}U5)y!oeQrJ%bokL+j7$v--5Ilu)y?6Q%=JDC+zG;v;4&gVYh86)Z-jk zkq2VqRQnDd4x4N5(t3WDhW4gUE!fwE1|8Bh)csaO@Org;c?^C(om4`RiyV{}0^N4J zJ$l!rvM`~%TrWIWUc^joq(KYs1cEzffXN8noIxlU?+qSuL{ta$YDII1zNxAv*DvL0 z5Ao$0`OW4yvRbqLqOcpJwOF*x6B&!E3uh)M|{8re_n+$|9#xn0jLxbiMqRI@Lm&SAM zzyQnSV;*JV@Yce@Dj>@6YSC{_SctUP=+bsUa}AahN4>A)#lmJH1Z0pGcDz-RQVZ=i z0#kPsMft`812;a`h>^G#`ruj`G26c5q&j1C*<2Eo2I-GBl^#_{mE}8qahouRW8ezV zXqaz2aGhWUpJTKNF!SLlFhVrEroy#*ho$nKY$zKZr3_wSCcF7DJ&7W{2&x(xb&G&r zSquxZ7EZQ3pb43hiQ4iey!6cg2gp-yXOrxdp3GRPY;v-`F6Q-HxSd$*Rn@Xa9ILK+ zH-DLOyM5mTg)4U$K1&ef++G0S;Xv6zmCRt)N%HnL(?sO*&`Nu%gVu`NCVsG|jBL|j zPL;dqS0hrG%rzuPO|>oNzxtBmz>Xc1fWEd9;pJZ)lo~d_yg4%LLVp>YM0srhHt39S z8cxs8H`13+!&JFLHkB3oVQJ0>WKyI1VS0U-q%I93Rlf3cL>CBi5#9jT_ro^Wd8tb1 z7*wrxe+s$PoPEHw>1oOIQ=7_+>Lu%qM;bqHwX_Yjd(RKEOid=Q-KwcAY$;+W?{jn; zR=5Q4utrn%R$A<0okaGJtI6`U=Skm6zb z#6!IC3vb8Xl{|xa9o-;L@9r0}u8aEPzfze)R*Un}+l4-EXx29ucO)*ZQHvDlU^ZiC zoXedF&mXr}>H2Nsx_64xEw?gIDa@}vz(RapB;Is>swb*PM_x&s>0eJ(u+Fs1?Dh%A zU1KD2Jr%%AEJMu$4M*9~0~tNVUA6rF-I>z~d~it}L76KprSaWT)$XK7rK7N@(i z9iDdZ2rGQ5F+Lz?r&T4;V(t}FBfZ4Rfk`US;4z~xhv)MR8BVc_ksmVc;|2#1fr_-> z)o2|0eeKlobnTKQ8Tpqy<@_erI%ZinnQ8Y|Y~J?2d|Gmi-maSDBY zRwv|%4-YKLRwR42KS}WDTT;Onr=j7wJp=`%t>+nAVSxuDCW#w%;&9)n?+1Xusl%kr z?1Zm!WC|e_4U>BuyKivhERa<38X5y-?wR+tdXXYIw6O&xD|B>yaUhrGe4p-9gjX)- z5qv3fXz~`m zJ=1!Nw;YV#JNt%?0$(XO{c7RL5OHb4lTaVdQ|ytC4@HNTd=D61@|!BKb^i2EP~#}B z+iagkd{hBxJLs!<%(}nOy!$pAJG)`}1sA`2W{3tgSprMwhr@F@4a*%)1rGTI%1cG6 zfKbgvvFnY8hGF~g_h9T)x4Z612*s}YL1O&JI`*|r{?Km1mUR+jk@d=}Ualc_D8?F+ znci_N>NLBAfS|IhmsNZ@b+QsUd7Psxziz#ZRq|yFKjlfDAh$ieQ|IJQ<;o5>I2Q#K zftDt=5xTc|P6=>0)7_kxSVAjSbXWcKEE`SngY*%y6$4~WzgJ=QNDDSJsklme9NCDK z*6DwuY89~Qpej3=wmiq@Ac!k?bLzN#xDTr4}8xYDUkSiRTP(n!nQG+76Zqj z@+m-JDcwddCWr*eL`^^>g8Qx+NZG-m?&5ssetai&K=iO4i4x8xtQ1?GET;vD3A57Y z5qenV)Pu#!E0l|p&@_|)D>6&O%I2D?>DJhtIyibkl4YQm7edt>J>Z&@*mUv8X!y_f zKtxsIa^oZemyNf#_joJ|#ojy&I-g9QHY~L{6DhC=)6vjiBHMUv&ST00Nabl!)5xje zjM%SyLANH)YE*c(t64Ot1zw~HT51WKDJx9Uua3zApJq>+g-5ChPd)OUjk9CHg&SOHR=)x^0$>kSv z?k^cMmva-ok!m@0ghx5`@_xlj6y`+Zy;)T zy`m6D+daJ2XqfM1QKV`p-of9#do3@gs*A1xGc#UhJMdjidPRG`z&Xi*mIBwe7IOXR z1Iq`h;SxKVt7k7Th)ul9#0;8Mk=PsUNXXb+D z%e9*MO%C#*mKbc>?>IAZW=mzcF?5+wO;=pfn;9Pw&!ETIdLkpnQN)cLJ5)k z_;0(W@pm?s=uQdWoWJbRX+D#X5>}-Wpx_yznt;leaW9=DTu&1qyfx6Yjd6v==ARY% z_^EfgAStfU)cz6fbxhvyIudZi8$@*OSKMGea=~JTq|we)MYJs?VAZNTm!16gbs#&5 zQqC!?tPrZZ6VX^k3WOb|b#HUQTFB6;?I}807Ducr;HBKcg^%)2(p-3tr|5lIw|sF~ z;cV{%Dk?~(PA~#>u)(|4H>HjT^L``r`SBMIVWvr-W3Y}S1w5v?jtNMRvgZ;x0}I!^ zEFS?`(7m@_MGbN6wQZpYdW$6-xLbDJU4No#e~ncNWkk%Zk(tB9D^<>vAstm8yjYJ9 zO&t4?)xp^-Bf#$9PB%l1_Qh$3O6lV@bP^nNdgfs7VDR;CbpG-gf#cv2XX`7)XC)=JG}EUk)Wts&GPzX@0?b7?1RgC+<{RgWy^d0QGp^6 zqvYueL(2)Km4m92XZ|-k|F_$NLkCPEJiq5T*V6>t*tz@~uhpl9MNjXEr`XgnZX6=| zJ{z-VgmsLJ9ALV-p-}CZ4v1AR#njZ)Tghh7skZr*V!JjV8f2o5hnv#@ecM-uZo z-wjuo;@I!)4J_5I^{O<9nvb?7cMr~#MVFJh^P(3s(Wa#!O^7!gUrS|Idk#qw^i8@8hT-uX-H~5jw^t1~b%%WXnWBXh>R1c?S71 zEtmBqd8<2*kUpa)Qu+5Pj9LQub5PnO@}5* zd=v@F*}bnvam2L_&boMu>E=t<0nkw3yz%UQX%G^$ zt>n6WMCq;r;e)iub=Q{D$oV3{#sGmG->x4o9fwky2fIv^GHMTq@pKE9XpFjQ>j2|I zdN3O5ED+B%I#}k!PQ^MoGqvW0BMLu2>h^yX(5R@s;?1f9CV1syWdocv{8IFN@AMD1G;eE#KrEz1aWk-~Ojv;7YzOIjO2{FP{&osm@Aa zI#k=*EuH|?x8<(OQcZ*kAza2A>{tWoXrXs*0mq&7o`D{)kD`L0^|dPl>sz0Yfm}Mr zJyfzT*aEzE$R;vcC?R{>m?2|tnZxlBCXhKasI2b23B-KdCRCi7qxhZ6vatWht>Qq$ z@$PD1z{-sS9PuT7YNfeL$yF+is^(+aqkCUA1s8dF-a+e44*J}?&AG)V%nq@)jMapb z!lWryk10&xn}AN4{ptiA+ZXG)c|b7Pn?ue>HxImZTn}OnN0(p9p{f4rr&JnVYrKE2 zao{l3$*)cy8cAI>*_k>uGqkGIyE!vBdmLF=ue=$*M5@YqX*cjo&3*vU1JvUzidVUo z0eO+76#FV>#67`<3Us25SU=Tyumimg-5Nj!2Hu>xm|piAP~|`&>#Ajyt*s9Q1q9x) zY5wpWD7FOP`)p4pv?>!y-^+9>ZH~5jt*K3v57EFd{Dfz5ege`>Y+x|X7}q`_R8zN- z)qz31ugmuZv8AfMlm`a{C$S5fT^BhPJ8WK^*axaWf9q7{^ppc~?t&xnCyubX%^RLYn!uwzt`+Oo8xS-ZiN{Q;g+8^?DmbY8TUD-SNP&~DaMttV0c}@ zKr}LVaAfqXB>Gw zeM+CBeS^#T#i#U_6aT68{*S-YD4@V-UD>Qcen+lWSIcoqzj(&dbrm#9fgTFG7ZfXE z%9GyBrz6pL$rqwMQ8|KWOd?mQgCoJ$76$-$s#xEIc?u;*gWM#O0l z)|QFTL2{tmZ@VAz1>V(e?1t+vkLb4576X7<84sjp1*O8fEhh#K8CGPsY5MN9%A09q zQ~y>8P25PrURI6tW~2*oNq4z8)YSB4M}kC2BDxlHBVU7qU`Bo3YbQBS`D-AAT(j3_ zZvh`T^t!wC5=i+$z-(k8SYMq!G)Kpd&n?z>pmt8hgWhmts^uZYo18;x`&Cmb zW+Qm`q;d%xs7vT)_HOZSFWhY|Ev|qjY^<8xQtU2n$pY*`M$T@}XYGriL$pPxspVGn zCHKyx|2b{?Po4Y)PfCMnHQg7;%Sx|L7fpA-Ui1nXl+wJc&-JM>tEbR1>vx9!QtiEN zWsiYEZtCM9{Rq%^lL4LL;VKB^1f~jvPxAcfi$S+8GT(IT`zl#6!=#njB$ZWdZYrGM z1a--^r48L)DV%x*M2u#f*@x_T+lh51Uv`Siz#IX{We8ROprqsE#>-9`-34qB zlC;3CesZ7uLkDhZdss+jEAF?5m6w-7U${7Ke^^?h)gJXG8*c%ELWTk@I;F&xE*lIeL^75p`w|>1Jf(jF zLCM+>;gpZrvM+G~eIW3vR2X0$E|8bH#oOuGo$gZDw*??R^*24S4=+m8gG5-tSX7^ zEcVPoIZ{X7ylF%PGF>~U@*&un&_EyzmX`3<%Rd~~+@?Byz>s3ND#W=h6{@8!yCN>T z{Dv2=Qle1$*7fph)*!k;_u`kzJP!Mm+x+ZjbI?&6Xg!*df6W&1+1JO zUkG9QNOS^Qm zgbLhE9y95!gW6mM$)9rzn&r-N%#E+k<>?CQ!TRNaAGH^I7%mDp5C@XbhY8~AM2#yO zKZc`TB+~IJ0_sW)b+Bc6T3Q1JG^y6&N%qfdnLgG!6KgP8*7gl+?rnsK@=cz#N$}QhbD_6(_+5dWrW1b&_pQKkmXpx!mEYc(?hwf`wj;-IwyPp)fpO_*= zySxvM8hd#FlHNQI`R^j19!-83DVU5N50+YHT)yl>hSJZAULihjo2xX?V)C+Bp*jW9 zQ+g#Ftx2<#aiYO%K&$*80pUN3+m)9!AQO_?d$C&bFEB#(y}8d8a$1)^U)5>=FBPv9 zp8;q%ARV#-8n@Mw^D4)JmHAg%*+uXGEWGNQf1M!hNxV+z8vn$rV2<(|yOGGPy`-Hv zzC&A**eV6VrwY`XuxrCrSvGq1meF3L!u!paZd3I^?aEea#pM%YPbaYVkx;`$Q;lkA5~NWw}&%H2I$}N zVds>=QTFcS>WR0Vs>BYl>td@X9!O;1&? zyprQ*0oI)Vs64mA6SU%j*RJI~^uKic2O7;dbEWQK8$3vWq74D~Q|8wJD5e!^UX0xS zUQ~9-a^;5Hswyoly)Bz8=-(0(F#D`4ZbP_5GJlW~(2>97cMS z8HYMpY?8~|viwC4!Y_>Jl@BxKdzVaOQH7{TnodNg?_Abd!&0lF4t+^{t3Y{RV7cru z*~f;raCsDc0b|=mj}9!MEO}cbR8q_qJLR{U-e2jUyp1ns)S}hoLl(-*gbZr>0gAxu z_o2S$S9@*M&hI2ubmG^VFawZuhwML7htW{1(CG>l0^Btd69yf*{*%&VpRnViu`C!} zF=Dj9M}{8&C7Ftf3VTB~@u}b!+AB$#Mn+uZXI1oA zrDMTE>>3v!tco2Qy)LTbRUjRDtw@gx-y0}_TB*@M1sAgU5}~fpk50vQRrCW=TgiqL zRaPV>7l3%>KMIJ;`Sb`U{Py*N?=8$z$ZgqAvH$QNrov=E*eqDObP?GUP7pGBJyd}Rjx;mgaMz5d-e`~B$9qSC zw*LuA1iwB57`4}z7Fj{A)&KPmC%vVTK@?$Y|VaL>(~Ei@nz~Lj)rYfo$X~`mw9s!1S7U+%wTXV@3Zt zK9Xh*$X8MkvcC7g-+5dKZWW4=?OT0ONb~Ki24+ySA(V0Ww~c1asDwjY@qJ> z^9%mjZ#}L90<>)ZsTmhwu)(jHyZ~ZP$Yo5;TZccAjCqB>GNQ-jXb*sb?&~LLeiqmD zl(j7$a`uh)q7VBHO>PkL-Andt_)T?VYmm{r`_g>>X)rU{tGdiV6M-mZjbVK&HA0y+ zKa$fW4NBl6-YN&;cc#7eA=6$nHZD$TDI;?`@=2O{Du^B7@80DdI-zJj-Mx>3q^_1U z5qh5o#jXG-`bGgn2<0FL$L9LqW;$l_6yWd@Jr}>?j~Md)@v+TI8X6jA?t&RQrt%iZ ze_aV^wyzXiL0qzrd!?wlb6xt+6%~KJ7Qr&K;suj?c~M7>&HuWq-!HIv;TBT`kH)~S zM~(IW?RxI4pgz~Vjs0D+^yg3W?|++i$PLAv5J>!8oAB>H@n=R2fB-lJ0N4e7?ESaf zKI;GWy##rz&n?SON4>y*i^qKspc62r(&zoV5Bkq#2=)O!*N8F4;q3pX>s8S*QNm#t z7B2p0iQvCm6%EG2*Ks^X^~iwGf87Tfy1;9>vp(}bszdp2erWzScpdU-#Si{}T~DB^ z7|v<-`|WW&OuHA(hK1=CxNHM35Ky^`BdUtqgpu*(F*!n}wL=?9_CCN*A<6*}AdDKY zxUB?r;SN63Eoc6YY)0G;EK-@AKP^2g3yYqKiOEhc=rG|co?Gl_X=^_NXh7Lex_+Xh zV}qk@6ZrN)(9y83q1QQ#COv1mNNrTsz4|6?d3r?+V0wA-(gfaJn!Bxbe~EL+6;QRd z7E91rpMyhI{di+owo&v2mxn3JvaZ?59>t)z3nh&fn!l{snFx>E(wn{cH{8yxULb-= zn)W92<$l^E;BkWpXH&<>C~jHhUhT*is}oH+`ugWpA4zt>jb#^b1*x`p_*EKW%jMJx zO^}79y*(9iUhF%Ig7*GOBco%>$4lcY-736}RhPkQXi5p#n{zSnCp!Q9@u7@?0`|lS zelpk>^d3ZGK7YR3SayDPsM58yDNfip;Y9!(%>@wjoxRL}&M#ukY}fSOFBp$FkwCf} zu~p_YTxApg_jccld%y}4tkVHxaZ0If6}G)N(7U$2?l@R#yIKNi2j~o& z&uX}ofeCu!w+oCaZ}@3jJ`W9&kpBdoC_A%(^13j*`J$2o&N~6v*^X6VEG0<|{pt$4 z&%{+@Mx$kyDqM_AI}7bFP#Y5qE)AxB|F`#qQ`=q_ZlZo<6s69*Ua?61cl-Izyuzjk zXgHj(2o2SicA5Mh33y)ShcUvgAEtfKHWl=Zt^#@>sFQc!{hTej z*MCrgs)Y5VQ@d(`Cj1Pg$5}j&b$h(IFc%77@cmyR{>~P<@csmFT)lFqXcqx_yggRf zm?Lz12uk}-H9@>ZIhuz%G#Ij}1>v7G3}+Kce?S|T`%BK9CeY$_6;B4XV3R-rMoUFg zpaM1rYyJ0?sf|+2?}l1I{QJvVK3$fYw?kB=mOJQg-pKNGlT7IRWDm^O^JU~(5g_+= zOXKXL0*579Pqet-lw@(s#p8+8E; zms_6Fpa*TuNh=hf-Deeo3AIy#C%8dD+S?3|vIN_#+XV+VZZsd}+^{^ciSYsI4M&6h z*3!MgC1>D07!aAQvr7uu$MU0!ii>ZYJ||*OdS%cQ8XOWr@hKRZD_8+_6bOR(euE_> z+4w6K!hCbLU@nCM*B08&NjeU)1Pt79gpGO3^;{Y>&ceK(%4ltv&)B z9%&sfWNE4Rkd-5O#*dDUu5m#f-@|VIjn-)&=SZw2T7;+0M1unv(Z(oNcw9-8daMk3 zP5}WRQzp0|dwz*oeMpxwYr`;m*lgwe5UKWh#D5J#f3^+&#}+EIpkboyobc9p|HGM9 zph;cpf+`>19r;?8MjCO|;OCRy??Dz%ta`Ta&Zz5SQ1{JCr)cj+0igxdBX8~{HDmd(2fpKbG%xS#ixM5qwBMF$ zwnu=>Vdl!pEE-q12l!@kiPz2V5c6D&>L20y!u+=eE}#AdY3su!=@9SOUsyj9uumvG zksY8{US97&Wx=ShGiDczPxctRDwiUHBK80@XWCN~))>b1;>}f~gq*8&J{#RCx``5? zjhJ}z`O~twgu?wLBpzsB8oa?4Exf9g)lc4EHYHT?+<5jT5_n?rdg{S%)wKlVa_x9o zIhb>V5nmC@S$sZ>6u}`OFej0LGurJ0ZT0-K^7DHujVs*|X18W`N!z2_moITC zto^u{!BoAMCvwoW{t#`9bL*Ik-yo`DS$MFOJ)6r0fLo`eLhl!^@zY~(!2mcMfCQ4DKQZdG{eoYV^SRJIWD=-$|`8Ks2GYzv*O8d1FFZ&5{h?0 zcQ)IO&kPY2QWM7Glf$XHn`6n^quuN82j-k!joY>s_~z56sRE%pjqkW7F%1%t_ zP*MCXX~_eZr~k=Kb5xJjeJW=?A;-4%U@xmS=ZO=Psjxi5u1g}B*Z8tUa}<5!R4)Ad zrsG&$@Y^bDvO6d0mduR)3|f&b^c!SVzjrb*%JxuOkjfPWJE&6gGYq`_4MdK4SKA95`87l@FKs_EIW27lu!x3>+2 zVDyV9L{rLXC?0YP$L=T&*(u3N21+n~gS*X{b$J3O4&z;36!by{-R;YCrUI0CSz|c@ z9ncVHl&N{oAs`h44%cKkNhYqNGyJQ9i9|oCbMjC|=r7kMyE9Z0ks>fO?R>x{Mz_28 z?MXnt;Z{}Kuw(#om*boItnZBlMMMxFu7>i@XE*c+e}gfVPUoAVMubwzRHS!r>xV*& zHQcA$znp^ovLK_1HAI!dt20!-#$B3XEc1SZGF*C4 zZmjMPuW0!#8eDI&Ozn=wIyeWn@z~TvQ@BNW!3U5Zhu;1HoM7mFk0i^TO<4K79&tX; zK%E5X$4G20>`X>S-)W&u#j;T9gzDmY=;xs#zJ#(kL!r|-AR|SNOJnX*NwaRa%@{O` zIrLv&FNn68l3}n>gts(9w6L2JmaU(2)SbR)N7G`eu9q9C&1g2WIcF@~;nPFS`OPK$ zkRw-l)Eio-Z?c^B=p_+m&kZE&*aUZraXTHGm?{=WDZmN5dWt6m^p^j%vr% z39=Y3Ae6{By@z3u(gRbbiN0EG0e!<%!?Qi%;6}t7qe#!HFCJ2}lk7u38^x=CO->L{voeo!01O+BFF~-Ad17^+HCs2Aw2=V9$=wzDXSR&N0V7gwqJ~<%$tv=5Rj5F@@ z=RThW^4<-dOJh4O_Enr1_mQtkVJmX`U!5R69vzHzRkpPH$eA}#^+59OjFV0>4{1Tq zbmW7Y)`79siV=EhXF6pjfk)94k~S=Hr5Qw&?*%+jf;)IHQ_JP%r(>QCkvIO1A5ZH( z!~`aDwT`tj_UHbRPPdDB-g^j8souS{O~Y=r0gI_BOl9bWoPrl9ZJmgt{Z>ofTR2Z> zEqIoghYq-;ulQzRS%Ys>)Z%;m(pP9i67=dT4qogAtORa|5T5hLFmxjQ5G30hoRbd6{)m0a6)7-1#7R?Hr06Qlw- z-_yD6>$!@XKtKRX`(ubGj7jqLk1=FjQbqJQ%Z&GG`{&!507fPrH;Zfj zmHT-D6`Ya|gN;}> zFm+GVygz}WD52l&}wey?8xJePH#c&0t zsV)+zy+VrUfHD&*FUWaJ8IY?Kj`oAPjx+l+)u8uK4pYIzmpx5??*yfBOfmGfyyd^-28&ETTK+W);4juJ!QX{| zS7Mt{zs*C{X0-FDzGk4r8uyg$+B@KsLV_r=h27@EPRszcJA`o*1au|ZP(4;kH8!h` z*KrgTaExT%9JV(D`W0DjhY^rEw?4~T5E4OtzI)uH;}J^&h6G`?B(a$$;~3xDc@ta# z{f;bP&V*+aZo3K5TInCgml?^hxcAamI#n0n(FZS75r6At|DOSvsCE0PUd{Z|VR zJ89K{3~tF_9>&PTi9w%$9slsu<*mlQmj_(ZfFwL`mRU03bu=+aiR6;LLHmxCon0kH z-o8c@;Gn_W%5{v?Rqt~`GKBSV9+rW!Siy`%#w}m+s~RH8SNlhAnOnpA!=eu)<%*q$ zGsR6UA#^$EOJBoyIJD?*YC^OXe?m7;o<5frmSc+#V5n9_KFqTy!q)U%C z^*{`Jgy-JO^L{IEeIN5}s%im_+)I4>+T9qyqFAC`Rd+k(3GzCh<}vAjn2?Z=*)r2{ zXL)O8iBV~VD+Sx9$(yLrfc++iJGc!{obwV?#CqwkHaoll6A=EQ#r=VJ2J;^(-o({& z8yP}^`K74ZhCd9DNEchysc~o1X7|bc@ex_KMS*SD zj}?OeT4p>;`@eJn}LItsAru2^w`q_Ys@DzAFoL=-^| z-_TVQ^}`Lr$@7VC=KYGuJcCcjpH+Qzsios;sE#IevOD z%U9VeF_*#vI|RHGT&LS@^yzmX@K1maoW%PXS9Wf6$Q?c>a~b#}x&o0RB_YS?X1ik-)u$n^bQML1pJ?6L=7REBbgv7s`WgPM zY4mfTP81406fBM_D6+uDp!V>Gg`DUu3lP4aO6K~05lG6mqpjWJGZR_}<0A=Ftm0Q; z`QNGUv%b zdK5gZV3d7R{kA5KO~hpJWQIz9Mqw`OBy7x`D0+{M`UHOA5jWrqu%?JvXLjWsP_fYV z^V3lXo?F27?%sE=C0V#O(*6{Y#DUd~FAtV$ZUwPW@KMmx zu-%$_BaYN7%%jU;!AFbM7 zLT{gF_R$&Jj*XEkq;ZU*p{7KiIu;LYo`1M1+1O)>l1S;z`rYgpO0B+qD|gW#BZgQ5u&% zD9APNT1$}ge)0V6HNRoGh*aLbqbx8DQ-1-a3=4%~V!3;B6Vv1M_Z{Wa(rRh)lusmD zN`cq2^~#gSj*Lib#o7-T!Y}St#uEJ5&!twDc z=K`$BiofK?IcQxPf0lfwbxwNut@SXEPOgs!Ej7DReSzPUpjbhv2kpsh+6KwLXhQ$A zw_uXt1=h^GA=IfM`9mXIJQb|{!NVS6i@9v;p@64|#!+}j?zlWFRpX>6QKH5nfFN#HU5FPZcofBb7OEf`Sw z`@TS`U4SSn{Cuy}nvw>9&*u|wFIz#PdV`*3P8Pp(KYOHiyXZ*)h9`PP579IK^Ych8 zv-WsVQJ1m0bBY0e*Yt~jg}tr;_|+^1rhA%G^4gPgHyv}UHb==@h+%Kr&U=4-!-B^t zjH9EWSe|11F?Hsj-@0FZ3!Nfg!kLqo7s03W`k7+Ka!yf^Xo}awTfGu1)pezKPYT7kpe-CZbZ;Ye%9)Q_T~ z4BlRzSzh|*T?QLpTlsM@`k8f3PR<)p9xDT-{8P|wDgwR9{!-gsVFl#W5ue8rJdgkG zT&2hF&y#w_#=#*1v=N^v?zi7VY8=h-7V|x7yp-y z|MQFMQowaaO30mRM>4NJqDWdED6;g~l8^d4|1!EQaGjNuP0!z#{pfdP2`r_pc=p#n zZt+OhDzrYdxI9$J@4NQM&v!)-@M~i4UH+?4_rJccW5M#^I@Q*sWv+RCwq}TMvTQ)<}YA+4+%F6y@q5H30FGY9F zJ{gvfbhL{&A8uvF_s5_9wQs5m5CJQn>>Lb*LT5pV;kGm+y`KyGj{5@EQc*%eLQ_{4 zm&NJ}nm0g@-G-+uJh zZsU*F9?V7&QYUo3)$`lf(#m*a$%@nZ8E_72JCaS<=p3Neguj0My1JnM{?~B;3f=`R z%?uFBnwHoK07oF2-NcIzaB_wx;u%2dW*kgs8em@i?5E}cJrOi|o9V(KHN&2%S%R03 zyj*bhoc_&hujfhTAfK~Ts_R&GS{bVs^;qnm9v%n)Gn!6wh}*#U#>B5fIC-R;jKEO9 zj71q>kNr|qCellg=MDYL#i>eR+*QsauVDN~y^mwT!~AK#tT1SZ7*~nwz>UrWCTjTJ z-X75WJ>mi=r+$!>5U$2|``jT`oT`YzU>4@*pLVC;(=;^X%%yOFG7S}&q8v<~_r!}@ zOaM+$d#C2&`a|$G*46<%yODX-p8#xwV}SoXY(C6 z5V!0c>?N=f5y{{KQZJ*41L9}EADi`GUiLrymqIOIVU9l&LDZ8}0gR=~jH@2=eOCnp z1kypykQztP_=#V&b-PUh9LM_sLbC*zP98TQ>}-_6moua5Mnt-hhRZp5{cEC$&|x-2 zt^A(y0S_r0xx4UgkhQz3|NU~DWDk+Y*yous&__p0Ea09IKAceg-c5}XKe>ILt4&uV zdS+UYli4(0Pp0g_{@88mX18&0?;Xn};l26C>;w)T+?W8^1U8 zn};bkH;_8@Wn}r$U%1v|o&9T`^%kXD4D>qWjB1pl`Uf(hkKABOu>|;Vp(GZY-!a%S z@k+_`OtOrJfKlT&FCT1gQGVGwdj=sdF0uLkbA7%Vatf10UQef)HAgjgS-Ay@H+w1~ z={Yl=_r{_(Cx#~M-N#Fi)@YNa;YIhBiF>MBgul4be^_@~K84{~JI7>mBNzqPsLn6) zpilw2P02Zj#?IIDoNKKO7>r@aOUHOSn&T9{AL=4`tEK4%W0Bv&)dSSOrB36gaDg}J z3MH4-_p^E3mHl?|+Deqv+3rA7cUGGxIhS{>BF@W{H?72!NvsAhlOA0&t`V1wrTC3k zarvOBo0^*ylPnq7eQW&zp!L05I3PCe%qcqA2IMS~HABl3*1w~t$A3=0e8RL-C0h`# zlBGCA)F=bfcXViggH)^8$+ddJm8X@kFOT=FLz$X zX4>Nj$xr2uoI~6=&KitgjqC!nIX}?i8mz97k5o&Rxd;8#Xb51B5C@-2x6F8%cZiOu z;ZB(0HCTW;-!s{~koadiFKi^~5tYM7{J+&&l8Hl;0xWblP}6;FH_4 zOeKQ49uRPVE+$PMR4--D{FckC)`7Ig;lAf@lS(yOyk3a2ERA=WhkZXEI^RT1FL#qy z3%+XV=_gvH?YK)3Drn+qS!s@66im4cc|i8BmoP?uQAvfkcv(tHK~AX!|1>0%Ke5@9 zP;_vovr*(JCC}eRvx)LP?gUnLRwx7S4KMA1py%PCZb#m+X6!UH6bNQJP}rP4cm0Ct zAw$&L*O!Bu%jK4W9{}2lGJ+@k&d`H68(){v5mGzD?HRyBnR3JPA#w8yYH6j6RjCd) zyxXyZX+${`tIf-jeuzCCe@Eqg(7;MJnS~lT=PBpqo2Nfo+Ow0CSu#03$Jk7bCb}ef zE_x3nu_OtxQ>xVuKSEbrGxeM&&P=p&!r#zyO8xZzH1qf!p0`@4Q)X}RoV3fcktUCd-W3q{+ID}0Wyzm2^}+{EjZfovo<9t~uu}h$Axc!~ z`%hQ$dO5ne=F`E)<^Pw)pJO@;n;T*KvVKvb$g`$ z7fK_pR1@c&w#{9qR44y658Fwh0zZ3gh!fl(MIjYVZo#PDsmrv`!c01kZszyEjeFD} zZ&2m=VNP!E|9c6@*?(L@9{s1;`XtrJwV*KHyLAZzebYB#Mij#d`oj( zcf@|w_tr(sJ9#7f5BFfvc~7-!G3PkRl%(Cee6!UGP+3QEgowNj+<)5`6+LK`Ivj}H zPI;lU`8zc5*B{g@5#$H>UkCSs0MFn%VC=2k&V9EG2B5B!%Ee{e=UEQh6>QayCIRh} z6JXJ{ZQ6js*so4yhr>B}(jcmeWk!gth~GG)1GT3|(1Bc%5Z>UxOpX-)iZn zqfn7yln7K`drK~pZ|WTbtI+q2XpoK<3IaP3K@{OxK(T8U8*Pr1q z`zG*#%%1t(32KIj@kWI9=Ok%YtG+%5Q}=ez4Ea7D#>*2ElgN9|*x2~-mm8O0t(DAi zRstZ$dJ&uni*v$pZ_N+NI_-6JbmzOawN~T{X$#BY5x%2-JB#_Rtk-WNzZTgIL%C%h zZ41kF%O{!{E0CWcyD6#dbHq zkOL?LM4g5za-h)G*HYr*zlovcnCCEu1xWs>yldLI!zqME%R5g#F|8=|^1MUxkDRB| zX^&1A6f!ki`6L*?!7V6LZaepmfqPKg$(g$kBxeP-$(l z2Durf`BG(OKXrfCdU9Ed9J|cUX$-5HuJ3LbZf{KVU3MdHZpeS9XO4VTyl%`avL1|JWH9#mLgN>#lASFaV zdat1-paKd6q=pb66agWS0D**1!m~4T=6=q(-gEBvxw)SY?}yh#8|6D()Sw^D;&{rDi@iMs3^mPCtJRx{!C1DtbMGCdbcWRRP-6Nmf3Ix zKGY=|;=kv;^NlzBWzEs6PL-0= z^mebof62ed?$SQCt<2_^@)E0^LLea?A0LeAcqv6>l!e-pAWF;QI5adhX?3wtjPdS7 z8#?p&2fGB*ZEI=+T!Y=N5%BVsfrvE_6qPq4dRev zFgN#0hfjnt1R*a##qw4#Y`lD~ot2*9?cthpQenHdsD&{0@|3hEsQIG- zU&#xr#DPLz4i80F0xJoqR&P>0x4_PgVB^*cIXg}(KslSMzn^Q~Xw`$YU0)mXj{&5?Z<{*_zArgO}2`&_*rSty^M?3EP< zT>1+Oq^T5Qh?=?=a}dA5I&)T~+ZNliy~NKS@bO3Jy~pjJ3G!bQ@_+EbJ`NjD)LJj* z3-9jicIkx_)ubP@-dN>KJyTjpJcS8cg!R_CR2s)esMJ>ae;V2NbOP3Dp^ZcoKiYmb zJv~$yDinuV4p_TX+qn2DNz1X_K&7_cWp81gbteb1>TLeRr;q#J0=(GM$0^r9f4>73 zr^D$>8uBP4$wBN3BLvT1w=3m+ca@$jd1|XK0+M3mOz~`*u1ZQ9|DGZo!tC`2ZKO{G zPts&Qhn*B3&yk9>g2n3Luf=3lTm4*c`#9eXvF|4#(%UO{uX1Coo zO?60)n6Cjw%yutdvJ%+ayM9XCul9o z_+na0Pl*jg0JM~kVr63?|3*$?!{YGBC9>qKIWaTRXnH49Jr~>=LnE)Rd0601fgClu z`JyNDUhrySSkxS!LEO{d)<St>Toi&f3CZ2Nwhu>{rvi z;tkqgG^GvfK)SAbD#Sc^uFZOtZC+O=*s7T@?gXZU|+5&!&O!fmAP zlouM>h5Q-4%1}p+{_l=d@K!`|gb!150CP zeh9PPDR0j&*ezH8~XlE@c-7g zIU)(Elmz9^Zf8kxL527x{fBT<{krsl$8+r+)$;He`G!k-eJh$USht-yiw0xXZy0`g z-6q7Q3vxwc3*T}1*&d$-cmRY0;{Jr>wC8)yQ<) z-9qKWo_D}szv=(t2YT;KM|32!wrkiSRwQfaO-V_~D=r?>@Eoz(^Z9#xy@50D&?xx> z@4wBMQ9)6t0)2S!-(CA9Y0zim|NlV$B((isT%iON%pW{|?$zcf?f06#&tLE72HNG9 z_fYpez`+j7g_eL2B6>#YoRxELN9z^m`9*|n|DGRl;|3^SQPk7srlwk;ruq{fG2}f7 zWc))sp{}m3nI$EjsS-KztR}9k_QnHbpkHQ=$V|XOYJ_C5DrY?3LYk|Ho z*;pa9q;6xxeKJy>b2`(FSkr&;+MMIu=L@-z#A52Vs%KO2DC?$vH_JWWhkO`7atk26 zN^P4SY%EV&1fUpi)79X!HlPK6bRczBOH)&G+BppYr)Jl9iFfx8Ay6@Iha=Fu5s{>DAQ*u{)_Lhy7wnuoVe&T_ptmGARWQA zaeX* z5y76o#g^;E#l@A~U+I73B%t=x0r1VEea7qeAsqM?KY-ksmmjzaIR3n`e_J-92x2_c+$ZVa++K#=ZtX*b9?ZMGw|26YvMfO5CrOS_8EIdcoC3;Qa$UsP+(| zfHQZYg@sovMqdX6L2q@vTg~rFPe<;Vqoj?9SF&PXe7bo?$au~$20-lm^40Pl%K8BO z>jm7Fg8zE`V0lKU=8*cr`>d&N_op)r>FQU)7~26;kuR?JeC;yBEglz~dVhnX6`&K( z?}t2VkJjpG|A04aZ=9i8BKiy6C_e_gsL0ZkYI#6;5f_Gi-$Uu4ckgaIh}>-3G^3Oj zR1`eAAZS_CUzUGAm6T+#(3`D&CgfZ170-?PE88FES0<`BL>TUr#F9A{c0Vc7#+Pn| z3ILd1S9Y;mHIAAO*uv$=lT9hs%r~u3DT{=?67zPr!{EVZc@+Gx0!=DS9Zf@Zw?_J; zxwvyLm$NV=6^TdqWZ`I5HE%Ub(0 zf`-_jg4S}GrfJT@{-R4?mg|K4-i&B%_rLIXHw^mKJ zH4b1%P_|uN%*So-RbG~^r+F|!-C}&Xkzpi0@Ay8ixSjw>p+M&Az7jLSAfjNp61r)9 z?tK%!hS6L#lndQ4aUZU|7BIFQ;Du33H?$<}PqG%8gKW%BRp3c<3^itB-q7=5pYyZ5 z9w-};vyLONB{uc$C9%ngdf}C`EfY0q1pumlUGNhh%H-TI3sR(=RHDE0=>!G!wPO+{ z6;1P>G-AmJRPZqm(rA8=hZ`XH6-{eA&>>UXh12$Pp^ff`lw$M;pJHfaw<-OLa$FfX z_Lz`0)cgg4tt_*;)d`Q|v<#^z^ z*(+!qIxJN;?zFN(=t?iaifbPqu714(sSPM*RGqC?bF3brrxte(&kTv>R+kY zzZzaf%z-G~e{B)S^3awZ9vUto@c-IJA%K&y|XNktAg`^e5lQSierWb~rNA`3oB;7X!3 z*@b_(C>ZJ;RYqZ*OIG1u+T<`eRXabP`heDlzfyDjY14*0%7NaF<50SG;-)iLZ%NjLk-V?ZQ)u6d7axFgVf>ueIk|uuS{F zfpEf$ruuqiV0(B~TI2BbP2-rQ{XpK`*R$C_*#t?kKknZ+$(E|@=Q;qO0tFil@J#*h zO=P%mw_b$SDI<|=jZv<=tttk=&O=F0%7|!^6)PO7=TzU^JW43@3JKnxjcfn@TV9QC z0}Y1z%pwd&c#@DIfoM#b)BQ%e72n+4Eh+^O3?1FbNUga1$a1T%UnWXsd?hm2pg!lK zv)XCxSkZX2R^m)D+6XO->_E8yUBw>cuwhG-Ozs@g9gL*59o-6R(Q_I3Vx74 zghsF+)0zX}tg))Bq|4-Rt=xge(4EbI)vp)rXF3uXDJJ(7D7KC0Ul~x_vmpd(1wN>~mESY%NNYXu9H<=)4ql2mGuXeusE zMh0x$YIR~-*3TBUH7QeMJOG)=V34O}RBdZfwA}}hz8C`D`D?bp z`Qf1&6nfQzG3gc-rXPR&(MogLZ>`@U8Wq_EDgOzUz5W;3~P2H1y82z&2V(j7BqI${wOz<~H0*|;*jBQCcMtdlqqGu=X< z`m+Eu=aDD*pa2@t>L(in1!Wv)vJ93x77eO3%n#Mr97z zb$ye9T)&%UMfQWI8&VlC;`&yeO=Zq4I+5Iz`xU)s)WIJCAP$2O&|66E&*OR(bQ>D3 z_43ieHdZFI0j2$G;rxPvmjH!p2YuKp7MfXk4{*IZCxjE~ZPD*oIcm+XWqD5b3$^E@ zkXA}H*AA)H_PjD{PY`-nV`n)}HY12^#(aq@&9ixpN>wzPkUtn7wGY34Q}|V+OVl*K zqP)|&sR!~CCOas(L%{<#w6*+lv5;@C*xI=b;dx5cHjroQf{CR`Y(vE!)I_X@{2^7> zg!Jp74c9H=j%PpVnNqFj9O3b*UuljD~&}RH9!x;y(&J--~h$waj{KvJ`GH( zM}^f@F?FB{xT&wNkH)CQ)YsSFYYgz>-S&9+@Jo&v=%dv#v1HMH52SkTx_0;l$Kqoa z^{y_V?sh%lfpE8&y2w{8Uo{V@2_oGh%1g2qvpIdaKX`l{^P-DnHN4~r=ITSw*=%y zRYC5XALkk6-KGfp-j15Ox%isi;qg@MiEdEwss}U zQg>(%KP*G%MGsjQWavL`?mlvKNu_A;!m(42>_Xjdoclg9P5^Qg>IJ}3#+y>4_)M07 z2i6zp{VbFk9Bk3oGrR~9sF@oRNrI~t?%jdy=}FvmbMx?3TFJvMEA))+*{AD-mu|cJ zE!B3Y7j8@}7$7Pa+Wgl2ierfgj@WDD4JB%kPiorgQxZm?(i!XiZ{@Og%H0w}yh;Gc zj5`I?roKR})zFe4VctgV(IAo)2`EaUD-wlqDf`YEp{ zFIq%fD4E`KPfi4iGPj?dN@f`4yHX0d;eKeyNWk=AXctU?U*G|_@)@BnA_t?Aift49 zvL}{V)TfMC-7`?-!snO$p-E;`LHPh*U&?4x>op_dy9|4)H9nQZ5?lUtE`g|q6>_{x zHvwMnwSBlWHXZ`Ej7J(9sJIzI5~+KPN5fE7I<=9f0wbSc=`n=Zz>fCQLnv3rR4Q@{ zfDpx!!M+}H_0T;B#;9`4Ju@EuE3@a_*a$>^DOgD?*4|{2NyOpQ^Doy@B7+h&m|2`}qcN z=b{>?itn0QBnT1#i55&DQ#{w#K(dZop_$vfjk#s|G>U+TgC0J_x0Ql9MpBWqRiB;F zuYX1tcuk@I7!{EYW+dM6RxYz^{a6b)xr!^P4~)0hD5%eH$QIgt_wy&im$qX;?JV|| z^E`6%P5-YJP`8E|ipC3ST*KKQzS*3PHXM3RAkt@47+jT?ocIcaxEJIv-{d-tP|G?O zqG0aBbezQF|4tbH$-VI3z7*iaLg7~!f3mH!;bY#Nz6(_sUJY#rfNqGt?znrvf#AS? zX+$bP6s0h91zbs0rteG8(wrkX9TmbV^l7P_?Ca$9Fy{RzCT$_Wf4p)9WR*N~f^gd! zha=rg-3)%Ox}|y*%<00RVsY3diWS<)qD$-#N9{F@vlQJJh{h^ObZf>RB+NfpWNU|D z$0ne$ho&|FojJWIlb+DSXx*<7XAT5Br(_-UhG5^nh=}aG^>i`t%N;6g$-Ta!4Q&)> z&e=dZKQ_CN58E4l3B8T$-E*Mb{bkr_%73?>vVV%_Zl*mAiv!~m6tHC5=JrPZs=#{Fec^o zZ(nC>PBNPS-Fot4BSsunt3`wg?|8(c`F<|uRQ$Ua0B_H8Ad5*^OCY!`ZO^pT44DHt zb5h9en+<9|{jK0?(yg#q;hh<6MtQxNxKxkzRoU^iK}Cmi^WHr)dG*2-&*55-RJy8OBYhn%^V0O{@PrF~^SK_aG4cG= z2<#z{sfvj9q*r0Zn;Vv_2ue&p|JZa!0VMqBN0xfQ_a7AApYxDXE5kJ};@9TK z6^(`i##ieA<~2vRNc9*io&Imn!vBHaO^%0UD=|@6sz5ayF#4gmGYk%1S?+-a0WfO& zbey9Ge1X3&FsaD$mwZ=p)P3FXv6D=F4V4Bd+d8GatKY(R%-=uQZSsTtyACir3d>3c zN5)8q>>)`1rx-IF$Ff{aKcfu&o8BavEg&hI==j>Jtk9C$yx>14|9o8^1fPy$Xs1mx6cYLT_rUbFJQc3gAlc_3pH zR&z(~8ASi<1C&t!lul9U=}6e?x&Dt0u&52Fz^&d-{)Kxz6aTUDTd|$$DU_#hq~Y+-CW(K0LYoBmh-RserX!u z+b#vq0*a)!0Y+hUrKTC*z56q;!*%}6xT=_sUTp-um05mzm?Q+P$_kb&vE)AjdKrcD zjNiB3m2w{qTiQ+F0^-{Bxq-L;*IlG`yC;qx@SK*Vu-xtdA^~~#(1V-6nodPWa`Lr- zTst!(;~d3JSLER1_80*^mS^%At99oBi9`+gTkv!J?nGWh>`Rc&UMB32zQd>gL|(rq z{1onSXpKCiQldPUh0n9lb!z3NFj^Fxswk5{v^D~3;lsPaHyMpzl*W$zy|4b>7XL51 zYO9t-ca*6e{yzQl5=4-Vgkvs^HsnfARhyBi<; z=grK``3%+8P4wPfKF7VEn_n(Z|Hec|M~Bjn_YoB{fZ|8?$k;$q{|}$YKLX5u{o(H& zhWv+n5wzPz#E@8x&`eBzx3`}*n`1R>5=dfiTK>q%Qp^{}!d`(l-KxJ1WPF*xozM{T z7Xixh{5{y-r~Mi5t}zLb=v$S@*tuCXzSJYT9&RcD-&(xByw`l7gUkR908~KeBz2{0 z^ef8@WtN*mU0)hkR6zr%*2L7T_0}`w8MOvlG)AB42FBFOswmXbU;Vaws}}%D0S^}< zu7pgknc*abbm)qqpEph^ZkMsrR8^bWBv_%M6QSGD6E)aQ4t(u>`p$U}>xv zW@6^fB(}`BC29k)pboQCbVCKRkp>Wbya85fqXPDR>NwSY7(Mg)}Dnp?+W zTADcc(&sx^YTQMb(oU!cC6Vm4_Uek)k21|H$YlDgbZYz#Ia{7kAs^EH>A~g`7d&P1 zV@jk)a(YwJ%kJ!+We_67t@~?#^fwuHLDV(U1MWXyTHN)V{2l=6J^SBx_aBkgJkoRD zLlPv?aH5(D1@CR_Zvoki)=huLr=Hq3_x4E z3{mX}QqV;giD<Q*p|cVzQ$ z?-wimyS`m1w`+Z}2zzvMlH%hQhJ&?I@vnPOYk}`(vx~j@bMB#?@I#)mTicSchREu9 z`e(rG{!4K&oW={nxpuEfFUq$Np#8HU+3hSEDP+s@SZ22CC(=;0(0~{s7u?z5Ar=#b zl+B>$HVY3#I1>2LOT?~Ak>-?a@28Pb3-dn{=^I3iowJ@zl-xjwi~T*~{grH3@CDA_5@~z{4JHBW^$8McGU~DJx0vy)6@>{i zj-QTC5B*i$_bWVQZD|34s6$@SY;RK}!fpIt0MUG`LJ>>BRjVOF8(SjJX7l^u4RZ1UMB=j?2wrq&JOt(FRLI_07~;8Xfn+DSl~9r002I zH$&&cD{rb)BuYK7b1?Gwq%oG8rGDp0N(;3ZLbf5O5NFgWpXrt_Z&_#)qr~a;N#v_MZ@SY7O3dCJ%P2jEVqQA3h=dN zd}?oP@7W1BcXTvg={#J&XL4xEGe&rv8quhcj9xN@Mx8A1^w8bcT2t=iH)+|iQT4O)420c(xzHY-FrHrm|ZK% zUKfF(w^Q2o_lybSY`0^0DMYzYAXfHbtP6`9U?D`WDV6Es(qJpvh5dofw?sm&G=saD zSi93gxE(~mB>z@mp5|kk7UIjGdu(nutZJLr@cTC|c5&Yf>UPn^ja2IPD6L<}t*-s% zeB|6x+}Orz4|XDKma$#5%#>y#l%}bthv&`d6DRKV|KsCNqHF0Y4FWgHq>Tg!i4Kq3Km1QD>QA*7Q30!wkuhkm1hITE&7x~yH-~6 zKRTP%VXy$yo%Ye#b)SqnD0C^gysl0ny(cypy-vAyHZ+)FxJqjHF@kFUm~xO2N^Mgy z3^JeeSzfZBv#^#W958tt2M&(^lz;sr5&NHi76zB-4Z!b4eSgzx7X@x(1CV?HmLG|t=n;xZlEz}*oLk3!f z``@Q(O{(jwrA#9wfdu6pM18w+=qb5|xwb3fF?LMS%Y* z_$YN(osWY?!E0=(c}VHmoH5@_5ihFYWiyyIN*J3Z06Xp--sAc{R)oItBtG>|{xgXm zGZce=W!^5_tu072P*vLhN%<>+G8c$w>0V-fod1)t@IX4E8 z5MVR7s6oxEoNCIg5*n9+hZFGlae5^p7kX7S5*GHC)FrotrBbg2a+jpyAZzO)xdYaV zTMG?nv%K2I3kT9R`zg3VzHKWnop{`u#TEk~mYQ5ZAl@PYnLmDi1JUGsn8FWb=drT46@p)y<8C{j(-+8|PvNX|@5A zk*vl^FOSqMdYggHa{((y&Zs}|c}%58md)%$7Nm;33S4oM?*0^+@BQe=f!u;D>U%!8`?Zq?X+oc?zu~oX1sbrMBDEe~w@aU{t!KD;QLI`a%P0Em%EpGItsaf!nLsSZCe4plsTWUJ8eNuCK4QxV!;OTj^XBTo&X5 zF{5;s>?W0iqEk;pHdY_6sW&l772AP$;z0mrawYuZoX$$;xo#QN2oi;HU(VCDt8|9x zOo>{vmGaDAB>@?6$`XK&)zRC9GCbTfrLspTbKX{PqG6p+Rd#8nrdIHLri?bwYT}pI z8sfzjb1}JGG3$}XDOUm`7uPJdp?sm@h2LyEm!7sg-RLSt#)=$M{dGL}<1GCqf6~x) z4}mGtH%AI<+QC%H964pZp_1BNSF$(Xk&|FTtaDrDoc-^ZpI2xflkR`O z%)979YE}Sj-_7*on?ub}#Y!wT>(!7@Ozke8S1YNcD<@Ybvvw8+k+Bhn<}UlXWN)bm zHL7Xk{HvxQpz{L>-bJiQu~#!_&*-X~DESqbyuf^@7{D1ikBMDw3}&p(YO-X`c9@?x z=*SRJGMpyN*kSsuHhHzThb5Tq>LHxZfR-cxkM9P8mcN@Di1}7J?WBmd&z@vU7prBo z$ZDi<+#){O7O>)C!|c3s=gL7{-H2vn@Tc5W zs!Wl^Davj)oO55DUm!87M}yz6EBIIBZaS_}F_iuTnpJbWjUa%s@zMYmoaa%P^%B*9 zWVRPkocpkyJ?LLWbOwJ9LSKhL^sBubRN5E({Y-yz=_D&Q_24g=~GYOyo1_*+-MqP%FBvwX^xCq1Vz&g?p`iQn8Il~DgnVq{dMxwYzuFQi=U>^FsuDnnR&5jn&?9MLp8xh3@Dx+>; zNUgVr?4QM8L28Q%Q(Jnoy=wf0&WYM}MkCRAA`GT;2LB^3W-f6#`6DqBHfKLVVtnUR zaC7gOBiI;@o)%UneX{tb5n}tHXLoHJif*d=@N&Dq66w0KD}rq&{HuMmnq!Y#y3vs3 zeSvDEjkIo@v|AA>hqV0V}|1h z;`;mFW?E*g3VsXdZ&LJ>_l+-DgG{wNkR_{h4Jtl@VfCcJx1%g0v^V8PBQ$bbASAC z{`~HiZS6&vsO(pVVUMHR^P>I^&_;XRqpr))|sBKUfYVI?t8$Jc&IyoaThqWcU8oR#U+Lw5%J zxdH|ka}2z$E-H6!7Pa`MT(OMmUZ3ihE+>(9^AYUHuD#PK_Z@AEp;~hxbT^C`-+`j` zjBo<~=$tga^@7Bq;rXo7zsp}DiW#s!a<)JYVndE0->uYYA1`Ytb(#(V6K==!{dc6z z%TP{iLxF*O*v0K1Yub91@!149lRJS^pDuPB+~)@4x~W zk&E3w$u12U#~0=R)-1&3J;uq_|0R0|N7jMqfC3dmY!T_Lvy=ML&j%K(NZ2dt+bjE> z?@9~ZVQywijFldQDNxr{I@I~(-{ZuvQz_R>>t?&$mh>h@-c#VPZ*}tyrc8yMyAsAL zcN_9Gy|v@N4v$^Dw_adPl(X7Mldr^@$en0}_2M?arEBU_-(EA;Lmb)Dn4miZw%65a zcJ^mvq@?s8*xN5@;)Ii-qxTYvdkC7c`&2?;lyNBr!_h*dX{&-YDNW8dJdiZYQ2p!y z?|f2cl#<|RMaSb^2cknftg7M_u!MJZ=a&j`4qT%H+77=v)Y+LV`D}c-A5sB2D)_x* z7f_iglYm2w&6nfjuiV{oVV^AVs2}0Bsi74Z`X5HoN^cYkzEK(OOi5TN*SGCM2$HorDXJZxzB&2F*bw_8M%TkMC+Z{;L* zvd6x5q2`SE&4rP>Ug@GFf2Nb#=T9v35Q~{+G^^90g~n^^>7$Ysa-FW!KX{#<=RLn< zY#41Q=a)Ox&0gFxM4nK|HFWF|v=o9vTriRnva4mb&MEq7^b9n|m{vs1y0yxU7i2&3 zCR%f=sHm4%n<`!et$ZSl$P9mDezd-?+qy(iDX+8dN?kmD%vIv?NC-k!qUfd5ICE#% z{&cAEFUDhq9fR^#Yv~d2j_Sh6DXgyE&|-H!LT&TF^mcI5N7+kb_{r`al_I^)_SmNC zxKtgb9oN+}(bM_e!E(AN^ixFU+;HHMN-5kXw={<`|WG;o&lXbxevl?y9f2%WPTu zhVi;4I^_Ox$bSP9FY5$!7PHf7~`Lg+hA*2@cj2LO!If zXw4a^`tbn4?P&luNAJczAL9Ezy!zzA^|Oz-9KrYiiDJuygZW@?-3{Qx36A9#6qFKF zKEr8tEod#zoroTD*5GGNwQl>hOpQSIyR-jA+As4*&ijt6T@$@}vyD6TtT~sEGY4A( zj#1Elv$Z25%Q4)*Kp1;+;Uw3r*XVIyMd*0zF|?Y{p`w7*F=RsbSx?{#8T7Pd1P<)~C(3eWqpBXYAdOxQJ zJuq>St8YmAtQN$Wd^8tbT4tCuOQ2;$>9gb1QE_}AQn9e)qgpjWWFZHjAYcY2QB@vR#6 z74xs=OL|-V>{)`N-C}?$^#lG=^KBbv4z5R*zeG=aalAE^mDb+|Xw7RQUdOiFv{llI$tWkCQ05Td{v&KdD<6X!IaDleL>S=jJNgv6dO4$u7iz-S=zNbB zpjJ)g&7X{gSHH*=m3nZ!9V+TK99ydjUTrsAny?GAAGq0|BH(FekVrfS6CU;$a(U$z z?AvHTD{+`}f-5G^G;z>Vf?o0{&A+un2-CUtrG*4)Y}Mxk(DN6(%VKj2sNa}m0YwvM zIK^WW8QCg?jC4eXX|*~clO`t}k@-?K7R^oV#SiPGH8@!hHW1_N*yZ1my5k4FnRU7loa;N11F~(2S)~X)wft60hHYVBTdCN zAMw$-7pj}UL|y-~GN)7H6^>C25`JLH#rwOQ+tZt2I`PAzZFVhB53bJlSyc3c;K0F$ z@uNG$gF!JRt+#L8dU0BRZh5gQ7wfH+5W(P(unhS)6gjmLyf%Hbj+99p7UfIx&S;e1 z(r+lipGIUR3&{V3YX~@yY>^ziU+O}(D-h(Gw znHV}X{=s&z(x>yuHHp+(_L}iWs#cY>!Rw@X&YaGar9!O;UCt=ZrE{W38*a9xskc!c zf#0a8wZe005%y_X;&xN_pnebWEZI&gjNr!pqiNq6sHt9Bh}7_9h^VT(L5W}};wULF z=RDleZt$nULaC%0ETKb$!feG$KI}Ekh{<0ul_Qjor#)Caos?<={W{|Acx>E0G5_qICP}p%KYP5Ezu?7-7k$-k=9Ss( zKe?TKWP01k$S8XZ81h`{ynrONP_~LZ2^;S!^zsOmvcdi~RW7f;^L)qO_`%2FZp|<(dhpyK#c4y1@1qwrZa<}+a>XS2 z^;a6GTiI@HVlqQ{5*8ZG{Dp=c9lO*M@yZvo_VFOl55`yFIs zRXQJ)^~B*_1WkXN4^XgFy#DC6yRUmOnvC$;A2JSmh*Yx36Zt4&_``Y|TPKcFbUun* zZhAER+qEphY5)EJi4)rz>H&H;8!Gw@Qx&oE-LiX1A&<-L1A$&A_0_AhKrE+d<>>6J z8x&M;aqOnn{y&57Pi*Z6Hhs5~Grlci&`%y$YvL3fTRu8PSeCetH{ql2-7Q1RpS+&! z*y+F+gp#R07&|D)R}?XLvX?hH((a6*{#<_eJqcN}cXqwH9I>yHqcncOcIRnDG@v); zeUJ@bha0d}AOc%|EZPk|=r7uKG4MbPoMS8bMo~xC1>w%xbJI(rTu+zMM({2ZyewBUof8xhN@8% zk}t2h#$B6VvE8Icsf{%9`PV*)@7-So z3DeMWv;k!B^!=KFh&C>%M*Ndr+14 zB+o|n2BQwOX=83BVdiOd|7qXZOR!fJ7I#~3-*$C7?M2p!YnR6nO4Ur?UB-d@>{7?u#qPiOX-V<%n3W?QGE9cJH?_Lb2``#T%Cqd3y`N)n`Gz{rGu# zd3j$040_@~T575U=xxjmhE%fVupJsmY~BiD6d;; zOm3XO{UYom=~L976CRU<^op#!1d%RPqE@i~QH-^A+f;nv@c<`(Vh&b_mS6I_i(lvn z7{zxirVO0Vm-cs~*u(vw;&C9?koC)bb3FAdcie7N|M{ zH=ZY=q)MH>xv^9l&In6he%^kKPN;h+k<*ndsU1svrwR344l`Ff|N3Wib1q6$EU!Mv9`js%gZNgN(<^D>hwe z*mxtuH-|M#YbsS;In)$OgP9eW485)I*Puz9-h*c+j7XSz$$7IObNO%0DqLsMRtYeN zl9}>P$_f`BS&j|4Lu^R>mSy+D*HqFEnh~L;#Pz4aPE8zskR}3B^2AdcDX(6yeM|J- z`M57uCoU4&-&06@P&oeB7u!U1S17k%HQOl;-)s8pzCvf8adtYpjhFdEblFmy4u5a7 zA1M9)#8~>ROz7rsaFnQj0K~*e=PLa?8-wL)vdd6XuKyOqV!F; zjbRejjNN6>T*SMbj&5nY)cUy zDZ-tzXQFXv^muwQBl_X{THYp6y#`o)aM^OmmeWzKp&+i`hXj1ndOcpL;f~^Bj&|(} zG%fH6ZG4)S&^k{gCa`cB^v!Gg$>moc=2C9Kcmr?#4}ifxpK13*oE6?0$!G1x&a02h zX1y=HpP88%EZ_f>HTm?8X1I2)hO4u}zm>r_rLPE2LZbyXac-<;5HLdQWB_Vn{|7w?jt50?_`C3|KN2OFv0POwLS*dz^Z%{SkjzS2%AS1+93eAMA8@oil2 zP!SHZWsA{HZ(I?J|2bGE?%WW`^LgbhgjyK0-`VV&mwEhsn@Wh=vb+9mzaB$<+PoW~ zQ6#V;m}EFR%Q2!IvB0X?|MeNQ*KH2J&8{sjR2%BwdHeRQN#LyMSld^c>5O3cKGtK8 zJ0SP2ON?CK&-l`Zt@X?k?(+wjCV@$ zVu52z5PG&K{J}JmUq+%vN|6v??rSRm^LWLl9x@J3XkP`*Vbl^0KmVp5*Y06*&wBP= zyglP<$1zd}T3$)%)#`SU^Grs57%#nXl;E;VL6nZ46J~CNH`IOHj1vfxBNe8c?%N5v z8evkInJgYgZ)>Xf+7Voc_in=Io;=BWK(#_c7_$H2Pg96pW;P-pkJ}vGwq`8tk`ql& zOJEm1W{TvHZM9rs`k4pG>oXsxF zTTD5wvwIdwGFuS z{gK-icpyoc)QFTPl&S{{65`C7>DV6P!>jW_P%DACxrfJ}ghH4jGO|9zuP3fFq#^DrZnI-V9aSP=aCeTo zSU~U2KaU6h!>i%-zZ}vvFpw^GcRqahuz%9Wj|B%cO%$X_KOg%2Js?v3QJ?{}j;*cj z+0+BYhIw5VOlC8_b!BgNa>cKTwz$5Ce*RX-EV0wmqh8m<;jJXT@$<2doI^~u(~7E+ z*20xad-E`%sE^+swQN~FS| ziKYZI_O}Oz3Cx`>jg#1b{Fww9TVCud!o8>znmbNcxn|)Kf#zO0{wzvM_MsW-hg*qp zp`2S+xTE&T_n_bf7TUz8=R{2g)UvD+#Iy9a4^ z_$==_BXw;XI1pNISvNRA)f$K?%@=#J0>_S*~57Dkr8rexd| z=E{((n#S87%yOaOQ{Kwfb6vgB{J+?H&#R0pd=9ykRS?3RwPIU0m(s;oJDfZ z83as-fMm%?&N)L>5mb`oP-Kt{MUYU16cl`$p6Q-DGtZsdW6#g;Pe0Y&)Twj!*?X;b zz3W|TB~hQFtg+|yKCqIc4e7CwzE5kms`rC7vKnRYU$Gqq(-(1Jk5jpbny)W?O#o_mh+%fa_C(U`|LCe*`EN4#?D@ zz(v!>NNw@J0s+r2I=|f@tB$1O&mYNy6o4LhPL!84UmHH;_8` zub)3-mWYhNz)_8kLhf&04r(O36ZfPlc_B--(izU;efY*YQ_A!z4o#(`LqMre^UzS` zVUTrpup~Cs02~v6N!;u0c3cXaJAvT^RNtWg6_({?A$amnJ{BLT{{HQkFI(O-NL=+- zC$qA{;t4#BUJD79G`lkHc}Ks`_h-six6T_Jzw|@(l3s87BiDb60)NE`|Fhd3xPwc8 z;}Dyd8uDvE?q3Zzfjc0Zq%oK8N&JPW#{bv>L66t~P|OnDy21A=i}i2oBbk4RjNrzG z<=dnG&HC{vg2$y@wqDKnm5uxFTm7No3(0wP3F&X7|5$^+@G0XlI2qG-)I{*Z|M|85 z0(kq)Xl-EOV7)<8KMVNX!u_?&hCcz1`^bAz$m)NyThyr-$sUaKlkH3Y`_lgFPW=;x z#wr#(u3-0YpVY6pgMVG5myPE}BH;B$hX2iG&bs>6E>^Dh?{}w8iVL_+j=`wGXycDO zMZ8+0?Y9UZY;`tcij#GAJmlZWQA;E%tKEP%!b-9-a7(GSAMD$1;t|wGt!|N8i3tCt zBSDrAo-Ig`ZifmagcTGNuF%rjO0>1NGfPO!1>AVxBuRAX6330lb+$v<3a|WA;=H}R zpQx+PbNX3IDY?Hrg z9A&;n8~ol20QBnlb_a}hi2n9X`8?Zg?W(O;W5W!ZH#rL)m4I;xhG0_PcTX`6u+@Ul z+)mvJd7b0;OUp?Yn>6RTwK<^0J8!O5ANk@JcYIj9kOQ{$Y{J7- zI`5`yTcW`)sO)qY_u*%ZZ-_`HTp#!?Ii>c#qWeqRK|K*{hd9C`9hm2iQCC-2)X9k- z8#i}+ef@*=k%E}dU%yU5_{r++r)uLY_Qjm$Ux-CS8jhoBtHpAH~oJ_dD$D(IB4a>Pr=o zMQlIO(Ye!;z>@&=KTa~49~l`@#10~*7rg_DKs`uhf8SxjcLoYHS?{C4c~XH0$E6P? zgo@w!*CYRL9_T+AOdKU}I~UBsL|#4X{`c=MuaA`^&+xFbD}r;BlbxMCw6%6_xcROH zvD{O+%`Mz_!{MR9LtU}jg4=>B0zInCJMw8uR4XE3L!70FGIEcmdKz#WT(Z~R>aG?o zY^SFtbLET$syd^zpXh;!N#;|%sTv|Z^V`xgZ8Gt8dYlN4;+W{6ma=7)#U#aa68~)N z<5|?SmYx1h+xu{NQ|C`rQ$*>vZZYLJ<^>E%l)#p5^hGt;u6CDVi*QV{jB_AU+--*q zeQFVGTqUm6Vj|K4+mm-}Ys*Ni;02)tnTcLabz9s`q?_?^)EwrEeZ+B%AS=iA-E=Ip zynA*Uf~x9UuI9!r*+t9yXf<-qp<|wJ_f*4=(CKNBA3LvCbqlRdl39dr8I1|}m#o|N zX%ki%UG1~&_w@%H$_*}|jhRi)2K)V5-g3lxbW$uk5Lv{VYe_oq4n9M8wKKCbb-c z-GZ)X_UoPUElVAl&WH~8P8b(Z5}fQ)IYv=A_zvDuKUyKL8*fb|Rr8l$DM_}i-Pg2+ zXQqOzI%_r{ri_c0dv{p7&Y(wu;&7pGiq}S5b!nc-RaO#n_cl~Hw0Lrk({OMW;b6&6Ht`Ze$`g54G)p9shy8^%*r0rmQvK3-jGNszDp5u|AJuDwFcPh_;bvD*i_Ir=bCyZt=)d8yM zuF7Oi6>)~{t>~j!!%cHy0skYEHZY^95i~L<351cI%a#V;`Qm(`Ya@euFk{$vK>{7Y zdWWCLy^|6iJt6Z*+*%*fz2keNv6rws(ADx*H`V4&-dE|c_GjT6a5}1_Y=SSae!2*S zr@BM>j|{xJW%q`7jCQGUifQv3@Ps5hW){Wk4jugVa`XJ~F4{`W!2A1~Mtx&!xa4%G zy)l%m8f9h3*)k1de?W3XE5H($fXs3GuqVn>Cuk2_MT5~Ssjq{>d3SeKh4ZgKn-Q~% zyjbvsE+u7UzO3ct<-|sqVn+m>EQ6|Z@SFR*yh|-X*sAyYfl-tUA@|xUI_tDlvP@j0 zo;~IiLM&BnEraxJ_f*v!FCwLTh)XH85Yucm%+$rv8N*VcvS~5|#5)UuMVsSN=B-V0 z#b_->MJ3U%EUy12>cD|)PLyK&!9@1J*@}ev{ zvv=k`6sK^Ch!k7AA3Yk?9Nhd0gZ!kg62bWSIJUa!TBL@ZXHDt^X3U);TgRqfCy8&r z!?RSoAvXAY-`xP@2)XQw-*>@Nyi45V#ZgC|dI`fzoCxK{>jNF)5;4%^ z+km;3KaSs8M(sP+VYQlVLCs2(A!Yu^IhWO+iHT>?OS$F~o;-A3i3dsuN5?7w*AnIZ zZj0j8eq(QVw^6g{Dqa<6QpFv`tu?kN*@K;M*7{Am&O5Nxm)Ez~PT{>;HP)B1s*ZQ> z-x9e!K>rno&W8m89ozNWwia`s`FG+VYIDMDBS?!+B-4U&dlu5PIR`Tatq%aJa~d*+ zMVD|MAV}sD*i{GnBfrN2*=dsGJV=Ug5aYSmCO0gZ4bJOunH66cSl4=y>j`c&dRwcd zP=lpEV5$J^H)aACIrV>I2V^W|aFbyn+m+7jP)9|Oo1z=>Y1b9(?n#F&RbUv({02C8 zgv*s2eAibONLWT&md)3Dlufp{R!^-27LIJmpuQTcBR#dvQ*>{CPGApiAB@)#Y4r!7z$}La7#s zz+E8I5=$%74&dsaK?e&-_?*PyVli+Du?vcNLg;Rk9P3tkS8z_3OU|ZvZ8qCTI;BVW zKX0J?yu}UBcmvgPY+oK&27WCQ7xQCx$CL`sAmo~gAmRnlVlxQe+Z_%0Jvn@@eHs1$S zkl@atLwuMjn=AU+5!G@nJYzP`Le#p}cA`4R-kQemskqTe6d{&}R#DfOnE9$Ec8_$8 zf$xgDg^e$Xg*VPc1W~UR=A?L4g@OGqL9=|oui1Wg{}3O~0&?;w`J~4#i(f145@y?1 zmzFv~7yNTmm+3!~1N_HOiN0WHL_}>e=vB7$Vxj#FX;ahVb83nP(h}5+T?tMxusp-H z*CpJ7PlhRV3d6J1Ama}pf`N?%$3=eS<(%{InNkV#!(c0Wcc@ zV`r4ts1)G>hFfpA-{_tRF;6#|zQhakkQes|c>_&FpT`;1+MdeWYi<<1X~*r2-ar5` zc)3|Hvi{4=)!0UnJG!Z>#fgT?7(S5DuT2ziOe$#NNYZ@JK_gM25Iy7fq+6j9=;}SG zBGGUTC`!lUn#cCs%~U=2N-BNU8jmFDZQUw-5#aQ7RYw<(SUFq|qB607g$#=Amq=yv z9`hvfJUX2!n+_ZKE6{wS0mKjdqCw{Y!nwhDEMPazC@U*#G127mV_s^9r79&Mfz@`b zI0}IDcNWxR(b3UN>+9v-V8ECtEoj_iI7b(fXbw$s|Z6?j1lcG{?arf1XmQyta!Sw7h zsN6?wZb6e|L*i1eP*N{HmEIO=u&zvui2=hR>)G*1R^@G;nFO`i!i&$@!aqSv{NMhB zrc~0aU95VZArWuA*3mfryBf9!|FEM$|(Vs&SUTQ7s8A(>1P}n+22E z)KBpbuRj~Jd2N!%IbE+Fah1XO8b*9atRBA8$i$&hrZJspC_>*agDAdqFwu3V7&Fzt z`(=gF%fiz=G65t#jV|j!K$7D=iiBgzK~pJD%bYqQGX6$f^w1TUG{|=)yKm{&-gh^S zOKFb_gxcKo$d7*sR5>=fLQN_&O)fv>(>y79{>s@5*Lm^2WmNQtORxGvbv0j=`)``m zQPmIe7I+?t1_mh_%hczlvqfos*gU=49J^z@Wbt)G0x&y@UOM%c5klV%{CrW#xkit_ z^!?P=dmL$oXe-`L1#-u0ON}P&Sl%8h!+nKB>7*+O=5OF86OxKQca?X84oVc#qlYSw z>Ld9F?kN>t{uUH}S6i+wr>LRzDNW$Z-PvFO3%Aby&mM{*BVgc1LKm`BI26&F=S)-QzT!gHIrqkUo9Z? zC$@yV@tr^5%Mb7n-7-xe1abF|Bh zSnAnWS>*)m*)M%845zcj19U}YapW5ky25Z%YHYBa1PVc$(+~@zuF}o&+17y1Z_ zsomZj(r>#CUs7x6wDh$XEbZ2@er;!AeusX-F&6xdOFn3vV%s)Q|62GpWkBrTG^NW~zwUYKD(55GN2@DX7DJT#h5a|f^lSeJ z(z^=SFUfD?<2vgzO?89=T>#>MdL;aMWQ7A@BZr{=zM=2l?KK$6$h>shn$$d)U^_-_ zx&AHDN33dsn6+Q|D4gdJmCd4HAvDkpTwiqC!owzCpjEf1(xfiBEhqu!)YcMO&eo6( z(U@TdCfvYhGADO^Q8tbGwIEcNf zv_TRY`tDwj-k`}e5M|KYx9SaSLblD49{6Os*$(%vZl4plfiP5s3*x*WZP?>nl9e!K z*juT^x4(r+m~ou+Slx^#77_fo{94D`7p3n~y_D~7<#R%+=JmPnbn}Mo)QbIiH1W&I zoWF0wmTPZ6-@JQ~cwp2HqB>||NPM|8-)^c_h0kQ1?cTk6L$&t$$Dg*|kTS#r=0l|Z z0XMg*Uaj4F1t~GsSn+S+bH*p4Y)ktnkb}EIO>S;{DenYD2S9D<<~VHF0lsKd@BFEF z0y@bf1N$sXG+U7=}Dx z^*?;npmHXFDcf85T(@;pS6xY?cDi--$ZJ=wQrN6!Q>b1JoYYN8J>s|FAp1HrG~{B| ze6W6LFI~jAYD%A9De4S^b{|ykz~3iTJgYu+87#=^v8VX<8i&6}}*VUV*6RE!w$i&Wt?+r%#d1)4%`UotzbXK6ybmJ^aP zq%3yi^V6ycP*^F5R4+NG>XU|#8H(nvlHAytt!*;+-c4UZr){UthVU$|suKeG*z+nI zS8jYy22PFbM0TZG&Zyi9LYJiFf*nwB@>e{g1BlsXXedW!q*^Aq#Kob(vmIJTJtsxB z=OTWI6XHy%Hc+s!TbJZVSbw1*WL5{MQI2ME>>+{p{3I|Wh_UHwrKPw zA+FMSZYK%#fho~RiGtk1s-^TEHJBf>Yl(?!VW?g1q+XQcju<kwI&0%bLv#h4};2>oPl3d6%bL$@`FHrlq7;9Y^sf=vA00~X?FaoC*vF?r|d=-Dpm z>CM3A1u2n_Iw~Wh+KG@A-^4nH(lX7Pqq#x7mTn^LJ1LE|+ZMP)z80!RKp8f@4{Pcb zK+`Cy*x2K%+h*ZKq|Y7tRf(4|s_`CLDjo{VsL)dWnq~RTkAV&nD0W&jm z9BOxa9ukgsxRI5aIc0U>M|T{@GMGU{>26L3Uf2L5PHumocEGt*$Qu4gq^a2R>vV8i zuwtaEFUq5xwcq|OiQM$w9_<6k&2|L0n5$bhtl zu&Ko#vY7vr1NjpPlcy@+dWGJDwEyRi{Nttlx1WN9$w9f3>c@%y)%(z-0N1lII{4ox zDkL*haR_iqDJ(pGtq$|w7F2Td{CY`LkpImYATU9@+uY86lsaZe|u>D zIC_lLU^kJJ?6=zeeuQ30>ACD)Jg71weiaa z$|)G=mBd?FU(EdRe43O47y3Y6S>#1k;nWbr#Xu~Yr=>xyM@L7Q6T!cxPdtACP7Ang zYA07eo-338o-@+KA;2nqcg??uDI=%_jn4e#4KHa$0CWa4t3kSdT;d|(=g*%%5I$gJ z6V}w03<*NIKl)|XAc%rTlJQ5V1pc=_{0@OUqo}9>NKj&LD6!($FlCh8_lG?G{gwUk zHvjnh|3{QM|C#6q;*Kl{580dJk@)-CL9B{>`$_7+4*Zm?bCFYaT>Ufj1V1r0ZE z{joUiOp+!RsduYl7O~Ji9Gsk=v!V#AZQze5-M4PC(FrT;$3C?l;#A0dws;#<^C&7Q z<>WIO?~%}d!00wHbC?x9cQ9b}<*noAWhVJGFP<-QZsYor#Qw;k@LwSyB`q67*}a$4 z#PNb?$`%D2hQAAqioqvNpvP8CSShf_(7(sSmh1R3MY;t)vdkOzKirwUiMYlStGN$L z$h;+Y;?Pg@U$|JtSX{kotD9fGd;tt-t9lxX>)%yQL67c`#iyhg=uJ4Y-o8C<2ztc{7PNnm?~-?M z0I&8^a^9qqm*w}9MTP@bH{?b42g-9H=S?+;(L|x49JPQ&O16h+!C0i(VJ#Q$YDhsP ztE+xVWbcdL59FWNUy}BO2OFbG+^`cD-Exy4KMWEMe*YOM9W^x@m66w{6u-T$y*`nh z&Uh|;8{35UA(G)Z+YPJqgYd1r<(}n+)wH5Pop9?#FvGV8b2!K2j?~`-6o1#@Tp$DQ zXTU7DbTKD%W=MqqdpEh-%twpPlnqV`qrxb!-I z?k?t(m#e4wqjYywlRjN^rnxNWI4hcX*ED!(dAX};2g-5I4sCN!kOb+G4=}nDFO66# znqbl3oV<}Zk>a~vTiVT4H~nmf{b_Je$9w8qw;sLE|M3Iq&hPirNkj*|o|j%)&ci`2 zIsci!X<6dl_9o>&?UH=gpxKbV*zabnIQ}r2=YHESlW()LXleDQ(;Z+cu>XqP zIPC_%P3*zelyr1h>9YX|m6M1T(+kNp zf@ycSp$Azx-g2o<1=D;eF*pzC!yU)D3-d_0F{xJ*a2A7-CjM*uEcfro{n2kNzNFl@j1WbQn`siQ7}nUt6&p5xb*#`wH1)(uN%YAcTREv`>E-QBk2yb3;{o-fRdlbGTpycIaxr3gkDsqWOw}h&hoh~5-+GIDea4- zP>dJB+Z|>ak2VvMl58fM+}0NaZ@X}c?aj7$EMExx4AiG zs_%YI(sU@lRFo%L!*_r3BpO3X3Be}B4MH=vAPY`(hZupgl{wd=fq}AdJCaH{SP2F$ zp;nT4@qje!S@;shG4q;)Kyp?rloKJ4k?f!Rg+!VNtqCir3K4GuOowt_gI2034-!WUmj#6SoAI0p}4x88}f za~#firq6K)Vi3mWVCYW(yb5sf!K?#!u!DFY2T#@qK837NiEsh-bDwOC$Arc%N2*pS zftwQIs&wZnL|R%=@m-=K=T0!|fDom?bC_D(uYS!H zP_X!A&;;G1Ap0^NWQ@hj8PF5>lvyW9)RV{B6m6a}N zeVQ|b-P&-r{*f8aQP%u~-e>L82j6~TS^;JB!Ma(0h5s=M2L6L7qNkw-qtc#MaIcvB-H{{-6x5|%5X zRyCAKO3f<+CZT_sA!-iNAz=#w&Z@iKdGXxm>@)+gy=iij_DQtzJ2 zl03!de5p=aL5Jd!Pa(pp{;8gtkNF73;mCgY18ls@AEu`bj<%b2o)71$KpO|NE@9EQ zd3~YOmIngYlZf0MbK>{I`-ii>JLj5649XlAD~=H86l4W)^6h*vs-t9Kr>$y^mlyqv zM8TK?iseVD~0aa%jCAVYsFyfpHr=vK};92Gc4g zk&UOuvB(DJjki&wvs;4;OcPDFG(0TrDCszA{8<$g75H}|3ojS%>+qlXvQ;|RNc}fp zIQS+R0|QS|!C|l9TyYI&%jrr1jOXNJzu$a+rPt+ntFGq~PctI`Qm2h@golbvo~~R? zJ;n5BUC5AKev*NDVEWpL>eEOm3O?&SPO&$w1UJeYRln5*5L)HBunNV_;z-S9C5hU8 zeNW9V`~gfMn1l_^RG7VK-s|Q->3rrHc^eyE#Fh~X?E@1oCLq3b#YT`uy(}w(r*?M5 zsU}rWqg7gS&`_nX7SG(!ZBTX(xYTYi&7-iA&7VAVn*cy(vo3^;lzm9kOrh$FvrQ2aT zX44XN_=yL0!h3tAU|&IAzI-)0A;Gf^D@cu=&mePgp~&uuo*t8{C6vci+^2uF*32>e zj+m<0%&Kr;xG-rdscsO4@DBy=e}F5$BN~3n>kphVQu%Dbzzu#n_KYp0U<**AR07?w z(9u#1VtL00=x({eRxI;xM$)fBi`+$+M#(zo=rkpUM?(xexKT8xxPN=UKL8?iG3 z0tHIqN|$b2Dg(yzbO?~`=7n0~sMf!L8u6>o__NYLID%#$Tdfb}pkC=?tMg^e7UZR| zPtLJTf~g%aAKzV+Du@&VgVv#p(MKA7PaV+g%~_0VVQ+I0S+YP>G%3+y>4oCC;a zpI^Z(1OpDAuP4ZGpG$RAh1YKnw(uVM9&J|jUn9O-#1n+7Vf`v!b2B5bc<`{X%w?+v zo@C)qjP~hA%w*Bncpoh%$TGwZkPjd}X&jK|`52ztrnMQ`)XYGcQHlJ%#QPoAHV6G; zcu%=>v|AO6`;SP^_M40KT{y#>o84F2$LQ2Rhpub#UtgOE%K4ndSuRaG!+Tm>dGezx z`rb&+vqug73&{OX*r$*&19t0tCOKtoetcIXYSXXIet1MbXl$d@v z6UN~9cKIDg>0PN78rKS|K_*?OUjrTM2xyHVgeb1syw0RjFW|f&<9#qFN6UoWF(QwP zM@nzkL1%rp?3CLeP-3>u(OBPXqS73NEYd8}$`r&M$b?PU=TG!*VcTV#4I}DjN2L0* z0_ZWvb7%1Yn0%7DVejElD@3Bwl6OyK&i^pgx+vde!aN}nl&qJEcSy#9i5qU8iM6N*l|}gG zEM%(saRKzjtlz^b-=-cgl4dK=MA#nq;7YR&lH>b5$NTHkuKmnp<3S4ziddlGFuDIv z_H9WM$m5pu(*suH87pbPCLV}Hl%^L%9x78r;X6lr@NQYYor@(X}A zD<#He!7uuo4~VG!zF&7;Ol)ru;@vu8HMc}tB#JE>Qr~@+txMJUQ@pIyq~(ff_3?RXk)+NCmUx=@?&FW{-V1i^cjcG<6#)yMF{|fD?PUK?n@IB zjV%e&oD?Zc@_AF>2ED%R)WcObzRS4NydObFFx}{Gd-R1Tz?5MDfChkubwcD)1yq#f z8J#dbxK>*Gz{vHh-Y(Gn#D6N+pJz18Cy)cB3b*{oXB}+-&iIvU*H{GS{Ho|SMSW45 zM5J2_VLY{q(ls$(Rjf11?WZ<&96!?fGnT`uN>~pehqE!pr+W!3_sauxU8#t92Sfs` z1|=1@$~+_22eaN}=jKj2#(xQ;O1PvqkRhz1P(r2ZZ?=9(J%pBTtI>kB)JCggSXHDq z?TtmiXa%2+^8Gd&mg*!UFZWU(OA1I)XiU%(jmDkn1`X)hsjqLJ14W)VaOJ+VhGR{# zROMedMUOvZRWAItT-U82V1#Xx-u78&pRYFmTcxGxw5^Lis`{)DpzU ztV!;uSPfNje?x>QQY@Fc!MzksbHL5|Yzt$L{YJ*%57;fjc8= z9E|WOl7ay==;dYXt7+;805U9A?^%cU&_GoMclI6kp{dUL&+5cd~dH`Oo_(7Gbu_bzPI8(Rc48$PG_BH8HdPfLS>$s-W z9ir3^CVwrR9`6Xwz4AeAvYi9}EqEEYOOaqG%E)J(IURm`3*pzdo?1%p_d}{m&DeDy zP;^})8i^@x#i0F_%S6hW_uj4TYCb(!Ap#H7&kN~W?bc6OYR8g z&fP-_=gXG4q8oSJXW)l*0f&Q#z^6}R{pp6`1x6A`|80bDp&1?;Vr;Bo))6tPBFamN zK(rsxXCwS(4DMW?vz&6@`qWh9q6_&kF7Z8(%?R+%4hth~tG?jvG zPS)y9=DH)-G$w-k!X)RrV|D%uF7Xpf225>OhY*wc@pQXdAnY_(B~UG2Hc%oTra3nE zW!x08UVZm@> zU047Faw*(;pkZU@g1bHjl2>+}CVa>F*`1-`;qx}m4K{5oDt!5{#Sz!RPty1z0j;|I z=gb0GA(ju<>C8@mrEwU)Yw7H!$-&y73u?l03RVHHCkVe+ydp7DhcZ)|QGv6=>x zTm@)Wy|i(I-Iq4JeUQ;arBWC4@NS_@5fkg8xt+aQ033-Y+J7yVIAA}`|i=X~9o2a&q@vSk0^F;SGkEq;QtARDGCEUee6}QsT z{BRvs5lqYw$V(6SKJ*6f>Jd@!VAvpYg29vR2#$?{MTB$+J0F2M?7Bd9=4yxGK~FK% zgPp^t?_gV6^}GN|j9Sb+GvQ;&2un= zi@18^#g5>tS3AjV&$7chV^4+>_)0UR!=bYWP09jEvogtt?o_WG_xP*0MHrW<_;?aS zwCcm4cn8jXLaXB!Kluof5Z^Aze|jjq8UR`U>BEIWMyjV~?Kh4D_+So5u!aLaTjLpd z4tlRk%<{k0!5%>}MD{(HEi*jyINj)5eP0Uiry!OuEnch92#HC}l!};jg&%%9T1|KC zOB{v^QTgoS`oq?dquL&pJBPV=4}_(f`*hHe&oI~_+s1RrP%I>pVZ4!NCv$2;`pm1` z2WbQAFdSa|F;X7#m!STC* z@AUVcz1*Cv>6!Ubdbl+OuO`0nU;vtxbX@iDEMws+CM(kQ);0TK`*gq$QpgwEqdSVv z@hzOze`eNW${sKpGKS{w@ZN1m!;;q<4o}BXXJ8%1GXVeUj0%q*YlR;D29NP z0AWjim?&~Y1H~`nm^*KHAQC+*24=!JFVE)rYz@BYQ#-TD4{E!5hK2SYX&|xXfdoY! zHlJJ_W6`DmxkBV0XA>f%UL5bLNF!fG9I(?_D^gr- zeV6|NLi@D1HR}=Af0`xbM}?SD9}a*_qx2V?D`Mc${4{cS>cMSmmiU z=epByD894fIWaRaF_CC#VQERapH78E_TmB#Bbneup>NSEQm)5DrpG%lm=Jm`3zNMA zxa7H@S1a?A4O7B54PU3^82BScq3Yu+(j-5!8$O)J8mG+$zI`)B&R-}W1>fuaKE~ge zw?fmzf_ZiNJW1ahgsV+?A(%_t^^8vSnUdCOU~uZnB^SVtNZ{|biGca^9|zM{)*4yt zLsNR!Cx4_^eK}raI9uzV8*4^^8<|US?Gp;R&zl^va&OMLgAST?oi?{5rO9f$Q8^+u zIurMw~$xQ*k?`GK#hui0hI;m3s}hnR;5sxmZ9gJgc&j|dLw|4 zr2lbi6H|0u$2D=8thzaw15Yb4TjN9D{mmCo_jhv0KWJVhFYm6*Ic<%m_)y=&ul;u6 zbKjBUKZwA4B>npGF22oo*Y$|ei!z}v z+TjZIn?zsQR^5yDz;_))OD^0ZwZ8I@wF znYGnye1Ti;fj^z?r;CI*qp)mVq}mvVeW6#}Zc2a~Vc3iI8@E5iw(uIBWuQLV_)(~8 zr@fAWbc|Sl7+uyC@O!U$E=9PPq-D7w84SoOZryaLyqB377LIZ5gBYZRYtFg>l=0m6 zM=Sn}(gZ2_K%`r#bt^VpRs3j4p1hn^?wH0{Hxl~Y6{Ta(JX1gSwfDJx=dK-wC7DXU z>o$*oYT4;=(hQ04wA~amgjjJr0J+}L>RcrdYPLHs^Dfn3KaNR3RqDdu_WOm41d@N| z;~j#Fz1FeN#loUe_KyS)Qk;9uV$9<5k6tD1`-1S4CB-$BjF?{ZK}t&CbgliAr2gJ{ z_!F!eYNMfBDbzcZv{}Cx5tX2L*B=D0a%nNr)V()7S5=$HmroR2pYYcSCR)=Ma$tF^ z{I$u=cgY?s(z17!EkhyE)se)Ko$g zjR!+Y{;L{Y3uGi037)G-?y!pK4_&Z{BH+N%Qrw_r#-j(6>>2dK;WR|-v6Jjw1HllagZ0;u4|R4V-K=Z(OkD4;J56%apn@L z-rm+*20NWJ9$Ww{;N2@a3OMHYd{@5MTtIbml-1X%jn`#Tm3ZuZp)$TsthyBS7@Lp7 zVo(cf>5gL~VW<%Po>p$$v*Pvd3G;RvBLxAcvD%0RHS<`n@6hAz`=HFbHsQ9NePXU! z`nIpe$h>m!^^)6Wz3+OKdV6Q(u(jbzx!wF0->&&iQr3MLtuLOA|GWd~MqQZm(sXNRj{J z#|O@tiTt+lgL0`a&&H~9aZdM0PR8^dnYn81Nu3W}6&$Y%J5M`z;BKkr9gwIS=L(db z6!nk#wyoTE^M3SZPj5X*%d~4Gv-#(Sp8sc?i#YJx3tDG|htYc_0n28h18}IPc*nVjhARmwmqPxQZhP-qdlaUPm-U~ovdst0k zE7Gy=!Qy*KzJgWRwrQthH{Hp`0at;56R)$xOJTw@KZWy97?AhqF>X~2)+cN#nZT9i zQypS=)Z3CGJl?r26fB^dx0oLC3W>T7ltq;6@!38Os9(dXy!9D7wh>4wj zJjUk$ub}H6|M5e>X1dII4P+%ZpmEJsh6ev2}?8;RfwV7ZsTjdc6|Rwal<@b7!ZXX8}XHDNb#Krzz6C{^7jqip9FA z-QcL29I!qv6FuqX^V|o7b?xI@bxARK4Nhm6oxt!EYHOnk;;GH&`u3yfk8%$9UDj05tBFbR1>8tB~3bpVF@3B1 zO(lJcsZi-~(5xFu(&^w{2-txfP7dQv6q2Y3uV<$W)uyHM!_ULCezx$uG@owyvZw-u z;ZGi!!dF)H9U7R;`dhACw4MC{N{AJ`Z2AsPKZi(Oy(qS`(KN!UoXE>;ogBX?h*U^& zJndplzur4Rl8h!^=eX^YV3aLt)&Df0S1ln;y1z=M#neBP61%9`*O$qJ%jT1~9>&pI zut?-FLl!zF!54CWB#%Qmcd==^u?NlerQ&93d2^(l@H%;H+r984l%>~tNn+sD4$FtOsiOe zk~j!rJ8j0xOIxP@=Eq-eCJf$7QS-5r!JqTcZ!6uoTO(1(XYbk3bv{L9x}Z0WPBndz5inD*4| z`;bpdSCu(3^GiBM5(t+B+?}D<*{G>4ll6`O+jXb@Nmc5=+R1YOsXmY{G*HnS$=<%Kk(%N>6r}Ai`N@Q zyTyHAoqQ`F#e8cU_WMNaub%mpJ~WBb&-AFFOvKsOGgLbql#AzVu7Cf)4`cyPg)q0i zmx~BAFTCS8VW`^tsJi2iOx#eakikM%lxyUv5(d>WJjoEBHH^7F!#$SeRD&CCiKlVX16V8@ZTDZ39=7l+OBCap*B?t9PoM<#hYAj_a`|Mc%Jn95Vd^L2!(E5@?&+YAv4p8G7__+Y=;haa>== z#k+AODU}|1EEm2T8CZbX>hCZLd!bb@u#E1yR6D1>lDq@lstWsLW28Eoeb5Wg_qlL-8ao|5luCkR3qQ9Hnq& z@As~+=mnrSn%gEyr16v$lMlAFp20zaa+Y}SaM@eqA&aeIhtI7l(}G&P)|MokOM1PG zc2^!X(7#wN;ZH1}7zvx=UlwZ)?gVMa={u)Tjsyawf3TDK5MB){fXLsyCQu_=BLd&F5pcME{EB&=D9?=* ze!qtDXyV4288_#TI34cI2@%b+$N2$$EB8jVW^D{(oH(a<)=ofHbtO==$+>ERR3fko z&txK-EfQ8Lw)>f4`xA_(7X8+>H^8gO)WeubNgKzmy}du@Wy@F_gDpD0mdS}$E?93$ z&DK`7McDYQ%lPqRi7)9gobuw-gF*_3eu+ZyCN$E{%Y3?f|NxiJ=Z6kECG-|%gGi!_?7Y$ z(eWTuWy^SEe4up1a#-EK?*7FZF{C~!WF+k|Z6&4#O;=Hu%W&Mb!<#xBnY2e^uhQQj zGFJKBBiU}+vEQ<>=BRo%%vrQ4pqHj<(#%Y@r5iEHFOekcYMER!8<}?fcOUy(==uMK z;z93ZB>PxPcV$Y=*|5g^0>KI$brVK%sJhab%ja9$gY3Nre6AKL`e^bfZQbo2Ar*_z zz_gw=!ZfQP>BC(Kkq#Xabn%^Dqr8$8fu=OCCU?Y2n(BBUpn)kO+%tr_JXF&_agB@& zk0jH>Uh>QR6b4Nm_H73J`L>G$!zt#yDt*iS!VhB8SQ8NL;VTEL&yv*6mSWV*Rb{ja)^^`%~d*wG?DB|CYTpCi*!il-ALvq=?&^Au3 zvHIN#;rQ6-itesJcC`I6<_AcY5G$rCk7vDMnki(x;wF85jJ15}re8=Xf|`yT>(4n9G)CzMd|L7(V82Jtg(YcXpeVqQGX} zR79Qlb|xN0DdV?X%euYUl_V|R4?f1hHqKA|$E6}@%Q82M%qra}uZ`t!WPRQ)ow!&= ztEF|kw^1zR7h6D#_+qQFkmkL=G9g`?BiSNeh0<~`>IzuH!hWH>JU^zZRD}o8@zAm+anQvt5(88A&H1 zz^hm9sL@0i7QglCN>R5)<<|f`$wwIbdSiD9nJxD?bB@T)?T?1b5ry}Wo_cTFk_^{- z=!yy*Zz&C}xRI?kwBUq@Kku)$`&EbEgTjrXfFu8S#@E3x<-o_+u94p@ z%!=~}qhuS2!~tFS+e6nMU=J}==}5ceYgzlYbA3}O>zh5HqU6S)h1m;P<3VRIM5Q_P6 zhz{6RZbQhDy>j2BC^)BaL*J83TWoKed>Gpv-{H`{Q>Hw{^>AJV zr=3ZuBqP1O_D*Tv-yjAr`$V2-T@%5)qWZp`quiBhw?^{aFs4j~C_W5{lnOegCC>EiXxX zEy8+Mw@9l*k-x}P?)G-Cp`kobg3V}HEPM{l4LmzNoi>U4@^uTOG8xqNX<|aXD6S~F ze)z_w$h-CSWzkq$5;bjU$qGLQF=1tU-&4EhatapOQhRnxD6QJ%wi|q`=b;1fxWXOQ zokSf4tR#lgqsR`1KtIBJKkjwhSiIDK4#SLbQmj*Bn=joYlUFrqdr1f#pBBc|fMt}I z7tncZPYV&mYa`2@v^q9iXTIQP-q6GijU9|wkumm|Fh9-2-RN-yAi0>1W5e4IaFHih z@*`=5-SW%!y_Vy&yYrtO&7tzMB8WsE6d6}ul1lMf2n|^HqLXkG>(k@MUD^pRbnY=L zd8x1tT*U*Opt$e^MfGd+vGq)Md?7Qrimak9h)5sV(|otj-ED)%jaJ|l`rL^jzRj#W z?Y)}XTW;E}tn=Mi%R2%Ab|{}|r}yk@ z$WkNISa}BTu*)Qs{nL|&2d<9~Ly25>N+P?SUb`lh_l{P4m3Kra^x`64UD;bj?Jy!8 zB~2;;)mr`kkG;2!i?ZF<#T8LOR1gG%Zj=&%p+OWxq(r)w8_-4de6N?qHTH9IR?q z^;wCK7knh{b+1<8TW7eu`u$#i5e{6|1Si;-rZsAG@quUS`L|aH3(m^lbb9xbEws9$ zJtRLN&%{|DEH@3TRjCYZs%vJSG8S!CIC#Jd9SU!8&bv4r&PtA&FsB^IX%<7!8w02? zA?L-NPkFZVq>uI1MMnJp-p2p;N{r9!-uX@Ju*E2!8^cP_QnN*3u|Z+j@Rou)->mB~ zrLapr+(JO3D6}m#>=A)IFV529;^<*yM`Hcm$LGXXKrwrM>&uh{vgU(_(`#ZEFeB+{ zA{1LiU8&n_B=ERgg9`)iQ2qlxD+;>lFYS1N;q`rKGCjBW#@_*+jw3f9eok>)sgEPk zArH7)PXLKyuf%(q+PY#Px?TGO00n#~vGZ!`jl8P$r!7pMqBynyn*>jyej7KjQ{b%; zE&Nuo!Mm!T4FDg<2+hhm$`v5&CF@;Hf8-WBP*U)$m9Crz>`Up|}>)K>8YcSn(Q z-B}w|a`enz(i@C$EjuLWp1<8ym^rS9G3`e&l2E1}eO9iubW^VSb-m>H&hjE7Tb?s2 z4V}zwD*rrE_8$A2NoO>)Y+Cb{_S(B%oel<_$#Lo{U!pk6r9*`b4gr*O)Yt|{xpAck zQ?o(61F4`ZxB2TieMsk`UJ8u6{oovsG863QCFVD5^-Z1vr`!&wZm(L!`JroWfuIVA zCryCm%FR-Ur~}lC{__HxnMS`_7hT;#sZfds&6(Xo4-+o_3mWhM zPO%-r#LPA2#E8#$O7;SbrN=9J=gX*?7#1u*bh}1`>=~P1h8xn+Y}GdZUXn$8NU6SB zH7s36b6uguJf4$%qjedzfPVncv<}v6)tfmIJ62s1e6ho~2y8Cq4VTLjxiyNYychE2 z(_u%X4UcPx)alxv<0o5Q2@hy0QNHp4Oi?No<Mtl0N&o_WKey4qFPXSX`jW*}6NoNs!t-FpAOHC@V9mvG)*dvblH{H& z^3_SR*p+)S+Sto|Z_a1y*j;W zvYfHh{O4EkXV0!=yWdl3FG=pNZ!R&K9m|g$sd;&te*8_?X1e~BID(7@&&|`hU%Ct_ z9*59kH=!Xh^l+)7Tlv9r?dE+V_pd9}5;=P?)p*tEm7t=gr5_3ol6@6yH;Cl92Me~- zYGvS0Mf!cN-Fgc6xwko1`qF|g_VCGEAB(^0^P)9PHnt|37ptiZM7jdf(8q&>439{% zjhKPR z_g$RMx;YDb4c1(Dd%nZ$yUjNycove%dUXAnLn))CKklw{cV{LXZHJ0DcOFqy%(Jc} z*j)ar-JCF9duH1OD|{WyMsQ7~VGMCwX@E+m@K8+<-$HRVw`|H2Jp!AGCx9kJw;##~ z=6d&)V9nP=W=G8BD;6JF=oTf`N@viqD~zND=97^Lpf|NkrKmj|o-ixf`-=fOdAkt< zS!p_~Tiq4Mx_av)XFlLn{s{N~b)CxP(j6OD%Vw`+A}->+tZiTZFkxDdv$|<8|I;5h2gBPgdKl=Ft;x!`;LoK$BA|K zwj@DgnH(&KYa!Il(zPrEeh6P&Go|9rhN~~>(TndHaQ670J0)@6Rek5rCUToq?0-;f z#^S#}i(4%Dh+&L*iQo-8=;lVT*|G|}E_z7ZGc|D1lwSj&=-MYrGZ)q2*Xz;?w|-~^}6#jUswyHAu-Nny!jV2Rt9ky%0e9$EzfINo^O`ku*cB@+iQvSj>PXX+^~)#J7*m1(w^-0dMR3helUGuIefiP$ zwZvYxT;WHr-&4HCw_8w8b4NhM-lp3Rl}tKNTGRiIjAB3D;?LDed9Sb9so zT6X=`QPT&r3ZJqo=Hvpabh@)5F!y5WC&ZnU_T5~MuC_tg10{KAqC1pwB-*WNEvq+G z8^r^y87v2aC7=Jg$izR~hZ=E?4cg0kv|!`Qu!6~=D0pD1vZ-t9{1#+YMOBxTSpkvw zMtPSK&JkO9%`b1ipRqb<~ z5RxhUCL0xDs-z~t8eU0e`DTpRadeL|YQwUTpt@5?4XC9Y&=g#IqTa;Q-GYx#ckTVQwQ=? zMZlP7OKj@qU8mVX?0!?N6Ovu99bhM0Z63Oi6mu~t3R~ZEdF5ELp8I@Oi6T0gW!t!U zn9j2w47MkrkTR7QS}UHGVkp4?GVa7i8#^1!0S<8SHT|^l<%+eDf)u^IQUpsmFn%@} z%F(zSEW=UJOyM%^-M}SOapxyCtH56ePjZ8=#vkE%wDeA#v?ii>EZM>~hv9c<(r%~< zd>@b?E6cW$lb(l}*2N0{+7YtBx^U56k-mL&OLTaf~VWMd{{D_uq!h752FBc_uFAMqWpxtHdyBMz30>#1UpZe9H=IV`*Sbb%AjwNZCoyP^IHo5G73={1cxV_L;yh;U;FPI;Q6UC}p?t2OMb zyc-5TX}VB7EEb_ev759(>{y2&E+XIkhoRpQ}tuD{zMf#d5o$rzN(Jv9gKi5`5y8#~Q1Pxq|n!2(#s1K?|DwL*=wh1Jl z#~I4gArEjKRE^@qw_~7-`pFSxmUa~;sp9#4tOPeck5s01LO3eJgX^q``s}k}vE>I90*#s!7IgZQb>(_EpK2~ z@@Uu4ye%%kg;_rFeQ{-^C?t1Dz(#Uu*^Tjs!lL7dZj4oSRC=h$-pI6uO42KJFei39 zJ{d@stYO_@3wy}>m=?zFN)y%!r3_2iKFhAoI{SWvTa)1+Dj%WdwA-_nqWx({RB?iZ z+F+#=e_~2U`8!YNH$S$4m{PO;R?f;Xze)DxY=%5lk@DT#SNaOewoh5Z%#s|3G+r9s zI+o4sS)O1}Ec0z7PF&G3kRyn^5LNEw_gS@c*VYa8IQLp-Iwu;2DSdt7^MC@chRRPT4I zr%@_tUA(GdiTDC#JQA7h#&$Ok>q3;6KXJ+2>sBDTT!#KuHR^c<s3h(U(#sr%_e z>u>is#r`q?{`}5Q3eBF=lH0y^HDQS-7c8uo*g!qEHD0(?oY0gkc6g0K!;NsIxQz-^ zsWQ2ME4^TY;X>~)eDMI;bxl7ocaba^%s9l$x6@9TxO?ITDOy3MIZ~_yg~<-Hzk=O0 z6910OUl%Ru1s4;(j#z|M+1IRz@RaSRCs-Bw7eJ9Udz#!pMXPs{E!Q{k`VyyQ-`kU2 zBz%{baK@ejaIJ{Eo{bXy1_ovu{3_1F$FlYXyPoo}nJR3h@CUMf>3LxjJMykl?NH^2mksg_!_@$G?=q|d;ZnEc`+ zNK*RPBx0|9;J7mJ0v5R`hx3pxS?pxf2USOO$g;vy@+GXHY6tg1X*Pz;eV#4|W$9Q*B3L*JjpH_K z1RgIJ2&+$m4$eEDPg}mECI7mX$8=V2({7#+Sc_DxhTCud%1Bg6ny$+P+N<)qahFUEX;bI&;G{(2x8wE^n0vha}!-cv88 zjm|v}a^0QAkS@8MaAuDd96j*ng=OLfclPS z7|p272S`Bh&_apKyd|o>fK-xBbKU%HGdZkne_S)NV^KDv3eu15yD@Ip#a{cH-#uh; z&5Wwjw{hmsbEdq4Lgu&o*&!w&OzdpLIgw2M1@<~G^WOJhj!sP<68T`mKjM8rjMt!} z5j{?+z~}oe%>j4zeh%NgdVRq%Bh{`rk@PED(Mpi|(+BU{Sw}!Xv)G%0!}abP`n|V$ zz%cgq3IV~3yUc83k@w$TVNYY$Pq27c3`8)Z4MpEYsO6d2D&Gp@e`mN$$@BhAU-fG* zCPhhg;j|T5`t!1Nv(9cr?|{GbyDGF*6(gR=nxiWRD6dw7 zA2mUl$Hf-LP)oYz*@R*z`2vfvhVJ4StO3IwVn@H}Q^KT^%E$((mlKbOqGS-1;IP-V zG8pV~>7k=vC?r?Abo=uO7&06nf*HR$U{}*KJXH>3+S%eV*BRcb*8NP83iEBbv&y^O zopttXZun7nA3snp`Wz?jP7XiKn!(&!?2rD?XG>x@J>L%4@Aw>z6!O z@_2%$tc(-SiZn&Libw4&0*S|da5hFY9kvaT)x3EVr$u5KOp$m2n!nBaDIS}YD^1Ab zwr4r@E#l~8+guAA)(fealvTtDL>S?GYq zRzo|Tht~xlmYa&q$U5!o&9)1yk14qZlO-e`8mYZh{3L8?{w(LHuNL<$vBiocyLH}Z zyy&G!gs&|z93xmi_*HyOSquNi_@4bF40Cn#OSvs5h0Y4rL0M05E;u3d+JQ>@{@9}s zcYmu6eca3VI|)2yvz)45U1NR@k~T_ef8k-7@|5>T#a%L&GFPx7|5TYN>V+;rv&Fuh zjKKfqe?fTmjS59n0P_l=#~nG110PF*Vi60jyUT}%gQvR`7MH%{KDxCVwk?ra3Cs=H zOu8XG+Orn2-ztgV9{HxMv!H(%KX52LwMvsteQ^9)Eynl;Qe;n1#7Cj$@Pg+KIqt2Ry&~A6A{~Bf1%L}iaO9dPQ zD zc3S^~Sz{e%l*oRn!~IB(wW-r}=X5Yf_v8_u=hrN4n_`1c3Uk2k<1PQQT23B1-)y1Mo9!vggi9URAHNZuC-#ZFAMx z(aI@o+>Zai3zN!5Ed;z@JpB3Nr`!SgWL^Q&AmSqD`Yy4uU2Y|}rikckYE*%Zmk^k+04DB*}LVU7s^EbjB_R60l#ZIxI}2)2hW`bo2#fWXP%2)Qf4;YTUZ zJ_3p;56-fo2Ysy}EawhPxHkKw{BY<4gTxATKJW@ zB>5>3O?Y%Da9LS)%W)#P&u#L_tzGoru*t9Q@wyM*f608CTRFNCU?{_`V3_PS{=4=s z*WrCkUj^#UkA~}H_tz&pkhK>g&R^PktdTM?)PcXh`#NktVcYl)kOA2kiOi%JKEqQD zr3YXLGb1!osBcO8<^g{DgOLkK&25pLH|LyM*NBOxY?^M3>YB`lXdxVA(CYwXw+E&? zu{utpE$3bPXW(?26%GC=VH*)#n*6}}Xs$#ycVIXZ zL4y;0eG0e((Lxk98stX3|7{f3{A#)gf36!;KcBY$ufQe4WtDCkbd5tJbwEpMnp6io6k>tZ#er^E z-QglRwyf^7=M$BP;EF@}B^=U_df=d90zj5hT%Bj%x>)XPf;^`C8!eG82GW6Ed5$Qp z9v~USB}X6Ky@^A_;)bKeV?OXc0=01$_UoNgx;VkbJXI3w>bcB~qaDfpeBv6zHO=8;*%HYu#yNE7|Fc-S8N3}E-&pJ`vXD^7z~ zz<3;HxBUY=t)Ik87PXrr1%@HBDcO&_{k`5Y&}68pWGQp43?uni)$-U{gksLM1~Zk~ zl)>sM-zYTd`0}?A24#T&ho|k$TJ|b<@vL4W zRf9nbMm$n*{_NlS+m}7UN>5Er;|CX;%JjIY!(bvC#jpN5%85Vs=^uR|E&ghL)9u9o z`p_q!`+5R4M``$oGw_7rHBE9L)9_V11I?Qc^}y_*(cn7c59MyJ$CEdlb&l7J1viR=Gp8KTIRq8%zi_ZE z^MNK~z6B;tm5v&EsH^|&#^i4Tko+43SvX|A{6cW_Q)YxLJ1V(0c*ySH0{yJsuxyHDcu zVi~b@kG>OsCjFyp`S)x6UrfG7@BC282wm#W2pa|C;vN73bc6b@8_>REU&K(pH29;B z2cPkV1_#fZ05{s`k7)aE4-ro}S94GqE9`7Q#BvK~MHrO_HYz8$1H!+06@M<%-`;Pzx%o5t9Ns)A(FAIh02QfKPMlX_q^r!SH6Zt0pyREj4?XopI@SEjw5z{ z!cC>g>PWy+)7V9lKSusnWs4um0n1VlQ4egNw2a7=R>i@k;nU6T~rBFjq6z`>WaXKNK0@t6Rk1 zt<1JxtN3@jxjp)i#k<(0Kx?yh4h5756M#juLmteky~QCuIRm~pCSaeOCGTzezd&u_OMK$N$xx2<&9h6?F%hoj#gQ3jz&@I3DC2haRY3mE*16V_!GNE zVRLsZSBg<1moE)&=w&+TKi}kkIVRqaqlv?FNr0Aem6#7c-dU5T#vzUNlBfaI`qsJm za30k2WJ{_D{Hm_nbzS=x((g0dI3mmprBt7{2SK`l5VV0*yyJvcU9w-YI%$+u0 zqLFyGivcH;_$=M^}MfVUTjn$ok!&*s{~IFra#^Q(Y`Zr4Dbj!>cUg^L_8--68x;ILlv=Fq8(eXNodTe30~ z_dw56gX@Omql>!N&r=tWpbg>yl7R69{gTPnY|GWh_#I^Q-oQiXP|RqoS`PHU>*?d5 z`5xBOR}Nq7j*EE8!Te{IU=hNpF6sgtsZge$U-e&{H!Dou*aiKZY=Cl|r$lGTP2 z_&WL8Q-EhsaVKDoPaT0CAF(I>r}@C!5FaZ`$V}X?~ zwCU1VITEU7r={5ilLLYC$DFZU49Nq~xObdte9*yf*=8fDX~~#mh}9D%=314!?PN0( zLb2Vq{a?3A#dk=j*q`p7?IupgCIu;cEiB$OKz3N#J!j{pPP*81mO^`sLFR``*leKZxpX^kbVORN*Tb+-*&)hbkKsZNTw5zHW#nSMFQRb;D zD#>;+uAyoR@ERc09y^MG#drWMu&u_-zDik@{_MkoGXT9y+DP+e3vaVG&&5#_A>*)Y z4Yv@qEKAb!)vJahE4Mp+XSIPxQ$qpSj|;fb$Iyx9lJ_{?{4qHj3Tic8apRxXZqG__ z-v)Y>Z7&|Ew+RJ!6*0=VBea3V7S??{)okPu0RHA%-CmgET92WMBVxxk;F90c# zdYAd~GDJQ;RYei+Zr4cR=fmkF9Ysxx78a?!l-?jktJjyk`g#UDL z>X~qO%?CD}Ay(t>cl^QBV~a!`SPX^Jv*K^?`pciU%?5exp08DO=XOCdBx!M@A65cU z;@J({!ECktZx?35zpa4>;Y+K?f=#|DZPI5eCT9f+DW-0Rif`;$Kfl zzUIc93w}z$1tE+Fs#&%dVGbBI6?bv;&SUBrzLp<+k&!)h-6d`enwbVL20+uo*q^VmTX;=wbU`El4`W-7CUjq$ z!YtA{h?H-C0NRqP^*UO}+u(r~nT)6%b4S!471kSB+|DlR{FdfV)&D#~vp{i{$aZp7 zbK{d4@kv4F^VJ3yoH03Vp_}Ft#WE5EPbu~5l#ILKt+ENupL`HVQaUNf#p<{`u+=p_ zM)E|&clOPnUI013v8+3um(?Z(cwD7wQQ(FO+kSmuGtKdGtqFwg?D%MC!XdnBeWL$l zztpt5ILxF{@eh9e=g4PM9=8d5J?acHpl!`_x8V8LKERGfL(A~ORp!d?MN4mJvJ{z-e=RK;@QFLt8f zS-AhUWykHjcX@JjA-lGn9RyVG=OipcQ|}0Ltor`BD&S2HZeO5Rl(o>5|CCE`30a4l zB<-|lnBuJ73a$D=31*JN?fVgAeLyLd8C3@$?~5wn^&N};OjiU3i4bv%N7f#7vguay zL*3~j^>FU#x&@8q$z&H_{mgQZBjX=yfvW3g(& zKI%5^W8%wWuA_q{DKA61DV@jlA3`kE=}0uqWZ;6sDN=;}V9W!^7n{Uecr0+-P?2?h zkVZz&Cb9ASb6uQWdbI7f4B%ZQCh!JH;VSdb0;P#7@mYGKv_PT>?^+EjoWxsq^no$R-Y*@Ufg-&o^}IFNV?gf3+1U@||`@g zbuA%ot*UIl0{+BPvzJb*z+$Q*%4{yma5rnvWT^Ylq_tRJ2F*y3Y}Y#jxTu}yrqn1N zZqf7B0qZwyJJjRM0VxpMv8z&X>$(SZU5Aj`?`uarW~{Q?ua@IhfoJen z6z^_&jJxeDm(`e|zxf>=byb*jHgj4+`mBKQaUzjv#}`KYwhD?>(F48)V{pRi(_}b5 z2Y;SUhIoG6^09G)XJwLX9y(o@zW=+PNmsPHMY`O>B#x?ZjM4 zH>7TbDy2 z&B#0>lKc-e(F5GCkrn%Dxvp|WvsIENON|u|+=5g`OQFLZJk}*i8bz*AheK88<8l3O zjq92#v}2=RG2H!}mFxfgntw%fORip-N9oc)Q}Nn(KimG;A|JOHFKcu(g@5_*WBT=7 z@m9}?4koKols3dHBiId)K$!!)VmS4zmWPoWF$Tb4CS5X^EM45E=Txpd(Ut;z4E*&| z4WX>o-Sdc|nNCANi}~G-q-w76ZRCNT$7xC2!l|*LZEASW>6ex@U@<;A#Om*Xx`>Qy zy2b53Jnc#-oknQOcXo$$3HH`N5$MzhJZ-axM+G58Y|yb%UN8>X zulS9a;!uAFoQooe_dneTNU;K%V-p79<6qc#_OS2@&lR)qN3gtz-=5$o@AKWL~PZ(IOvgPHKS-ON}caxoRn(ZsF=k$duDF+8*Po0_@K z@M0LzhFaE#)tGU&#eO(TQu&l(#Q>D!FrQ)q)3Y$UjxHBF-HA8^^neK^#y#x9H?Cld zOazQi*F`MGeZ;O(_9h+oOBY8^?^H1LsWa>m|KF9>BRFNRR8gTz#= zK>W<9qtSSA$byQ8Z`@J*`GJf=2v-V%DuF27r*{G!&&_cpXC&%ymVm6|b)GmW=ZqXG zDESz&5)WMI^F(&AC&}k-eX^(TUJ{u&hl(2KKd`Ci*!y|1m7_({7o5#@__X9fcZrq% z)Sgg(>Y)kpgUmfnz9!URjNFjJ+F--U`u5xh!z%1}z;F*aJ>NMqve7>GUP5{^Vg|C= z?SlkvOha)~Cr;4m(ImDSYds_WKX!+N4xr%?@;-(Vku3x42G*ZY_lqt;P*QW=EuMU)Lw5#Mj?1z%qZ-^@v(zTK=Kbo>t~l6iO(o0XDLq&ou(os>!`A!S zP`W=^l;l2Yxx?6~B6TH9pve-QUNq{u((D{b4x4MewV0$v#TgFg3*Ad_`Myf;=@vKI zddI8EHnR6q=0<{In5EUd^}`{`s)Q!_3jRVXQtO#g7`5yIW73y66cY60HuZD=Ax(Y7}+pW2_s*H&B{Yf)sd!VF?e>j*e)v5>sM;;iTxmoYbJ`KMI z^Y*85{js!y?_*?9eKq848zXjnye@W6*CE{OAp6n@kjU@?(sitxpuV2L$_44gGj`iy zFiMRnaacUjSOC~mhA{2D97X90A(lLnFOJMm%#fpSbn{YU21mZT1@5$L|B|BOx^R?7 zNk4I2;~kC+Ful?X#FO;45|KUo5zUOqn?eCojGYLGMo zKZ*!96%SM|!<$%Rw!VoSFPe02lA^w9dU14sUUA(nlJ01_`C`jYViEA&EBe7zoXSUs z+jtnRm^mY8PB9_|2%iq9)}owCknA;;qx#2dGItpV-5AH^sbBZioh$&3j?H)ck zt@gb*Rz)w0E1g+lx43&2MxFcHiw`b1XBw3bW`VzBbUZ6Ei+Ui8jij3Z6=W91gojtx z7v`Z!6a+gQmc~a>2(pYH8b#?#^X!{M5O!5ZG?cOJQ{D0DhFma|&%@t%`}Pr5@64cd z+&~F+q4=4v36SJZ?g%aNKuM-WKp)zE(%*gnFNf-Ebh;mXb)T~5K)D|grYQwDE0;PZ zScvXnYxRMgZ+h-c@_BOA24u<|8v>^|!*pinJ>|6+*z~E>D(xQMhM(UHouzJTcro`n zZEnocdes31KbyOjHjd(@o^gtY)=}-3N#&umx%T`j_QY*N*@MkKk+%t zRKB#Xfo#P-A;(>D23Z&Gep^!6{XZEgMqcw~Y53-*x9<+lsW?@#`|K0NiDOq>naelz z%06J>iKIRAPFX{OP%!De%dnHR)gJbuhgt$nDzRrq>u2CFB+QBtw49puBRmx;m-v9< z#rLHz?|;LvwvzSB?|CXX*l<(@HD~m2W;ko`HHR1;nhobAiFCUPVY01B^1}BgSR$BZ zhTUgWU*WQGO|2jA$rBZp509LF1ZERJJl+(FZqxRhTauQnugrTLl`EGlQkmd-3ldm3 zQ5-60_E}(xYgCol6-Uv{(z1{c4w13A;B$9#e6EaMKC7X6ZI_8h5cAG8 z+YD->-kRm+)We@G+sY>xpD&VwHjD_$n%M;L`d4Ggj{W+ zwShj*RP4qxh$Fe9M^=9RPd(c?^Oe2Ys*Pcxx41djW6C~MqRZYlhmzVsqlf_&}Qm$MGn5j-imiYeBk38Q>5F{yAr7inC=+pcl^AR~5{{15p#PIYG+EL~aj;ed0@4o1P zL=k%0aJ-9TZ(s1Yi(Yq}EUsn$Xzegny3@op{Nd$y)4xn(rxIa~eU&PSCb?q?{mAO3 zSCQn#w%m>z;aRy=TgB8;8sj`Gd}dVOGZT~c1xI#%$FRK7;ormd|wp*&ySRnGd4v=O4-7t>^O09A05ts+R(BH2d=Q|7 zOW~O8-n2Jv!D$aHf~11HqDn>8z!_ZB0puy`pn+CgG9fQb!Q9&YK_4dj7)RChv4RC^ z<$Y;s1oM+p2vGA^CFCaw!|ZG*7#VKJy8^psr{eD8OEXAt?2I6U?JC>H5M z=(IfQgg;NQMbVRam45kgXC9PpMyXJU8eMG}L0D8ePmCLBvp2`%Qe8sDG^Hfg<?U;1x-7m;O9rl*zZIaKSlAx)VVu?OoPFddHBU-!#rYPIqpp67a#^RsK9vaA z^n%Q&4q~Q{&_r&kpM*P^mVDM+H(7CpzT+Lb7AiO*H!CbB?Po03Y$0aNTpt4sPxP?} z^MpLYph`%>eqxR2)LF{sjUSfFkYxAjnLu_j4$XP`JNpp|0xh%BBj(!gfvth+ce0HR zW@>ys8N1IpQv_0B+|(62E4H3)^Vn`uExr3v)OYh%EW<$9%&x{9_o_Ywar1QwojUCb z1iddqVVG&)q8pT}bN7W7=Cm+V8R-LF3D$C}!}S&LP>?S%rrc-4PK zX^6DPiR*6ZC<)-3aELezD^o8$I|E(~ZexDGE1p-Ro&!?|kyll<7#jwyu6@@DYakRi zE4eee$QpCt2D2|YUlpLK1U`5@DwDzt?6PhEZBFPCF}-;sqUa+~P0^e6*=ZWDNC(%( zM0Nc7KsK7!y(k*CUTaKDYJyrQoDhr&-mYlPQv?&+5V-WDxXoz*V+e?)YYE70#nNv;N z;UNXKsgqjH2N;3#=c0M}l$cSQ`*SQZ6tYoq?khu_Z<@s}@RWPn_HP3P$roT|o{#3! z1d?3?%N?J;!B{~_LJ2&Gr2ZBYgVg?riKY6sC64>G%cgHN>T2BLV?-K``XoDQ($XtM z(e~_U>*VPN`%TWekHee8vZLK5_4)9VvQ)DbXWf;bH8HW1e7NT_DQmn|wy}n8Ep4m11BzzxZ?y)b>_zBKi!1g*@E`!P>=CVH~K4)n*(8p~L&6%=NHfC;Nzlo2D zME@_}aoT6KE6re`?Wcp(|7&0IMF z*@%iKF)@qZ6OvX%;<6!ofc$3L2oA`HQgCs{9wr~0AONDQs(mdW1=duQ! zo%vI{dv*zL01ppmz8bgPpt}VhvEQV7iAy`@CFO%<u)ESl)f~+tVZ|~?YgEyH4J=lNp)tm53T}IqZD%o2xEqk|uYo^R5 zAMo|QSE-_`!3+iY>~?pg=tsU`?YCnNzBkMr!**)f)Kw|wh)q~2LONF;!7bQp{J3)b zZEL17yFwm-=g2p@~LlgKVvZevThB-)5_*G8}carpz!& zau_`kT$xyYVEl{?z_d)pSNCO}u83qie?FU=E*XY!QW?&fp;2y9>c_yMf7Pm?Y_uBl z#h3|wf#=K%oxM_xc5kxxKrNu*cb6%npc9J;gdwQnXCa8V<;kp4&1WsU)vStkZMP{u zn16BJiego}*5<@KWKD%5yL;3$G?dK5(XKcYY9naX6q;*BzUL0xp=ijzwgVaU+_f5a9ny4YFEg`-fw|H z8e0uC%gIkLg8j#BcaWic&cMGp?@36tz-XrIVI)boPt73$e$=1*$#dUX4hP!xR=cy2 z2aW}EB*qm;%WvIwny>G10+8D1m-gqkPik`#rOILU| z^ZK_@V)^+#Ab!rc(p#ht=0Zyl5Ce#4*;79PP@jO z%}C?wGO0by$T-zaoG5?x59CDY-gh2f3Y2Y`3%NJR9l`8wVm^>#a*eXIYV;e%NnCXy z&f$05^#rMPDzj@8<*@A(I^px*OyAyM)}cKcNdC$4q%Y0&dGFP?EQTi-M1wBSA{B(u z;m}&TGVwX|=a0~e`J*YOCyJlK6+$7LV%!{Dh0c)*HIc8_q`jI)w~Ixbhsx6BYc$h6 zGE^UlyknMTGPconB)=Y3jySdPF3LpzLRMSXp3NrE1lFFq9eGF+O|P{JIgBj&k?{m% z=lXA?VBp=^)UhSm!>$CRJFLHwsZJ8k7QNx3)U`P@ZEnOES;m- zVoC74NrzI6g#Z_U%}vlwt4y(i$#kXKh(Z9{gh-o+y&r4$3kaD@uL4?SWPj~@TT4NvbJHm(0=(uWSD zrnpY!EZ^wikZ(J8jk|~B1INiCt5TKjm5XVEwe9ET{i>Sx)4wv%I`C{e04ZJN2H1=) zInvl^6l2q$XOE%@#ZB`OChSFuz|@FTS<)-TnV=IU455W1#pAgyq43j3)``DbiZ}Yu zA`2phw}?YCKEZo#3U3$t=C8S}AprGm>PH-YFgC*@cBE|KxLeMB1&;sxo$;#=P_=nh zZ@ZG8beH?ZJo#uhzySk(zdB`~29|a7Y_V6Qdws~3YczS`F&dSrkBhB>!= zIf-FsXf2h;L?Cwv0;@^wxyh1xl~%g&#Ew;o6?99lb*+ip^8-nv)Xc(C@_I5jbu_9p_{@juTz=( zJrEv?akzxON1{p|Ls(VKeu@6%MEuf9CQ#_lf9{#$6my}QPOz$0ls-;3m3E(R5s0F6 zI+zg`;Nd#x63udI(rEB?_{ITmxS5e(h zEuLraA%@k`=hK6_bg>I(}$E>U(`?| zk6n!;9Jk02c<7AD?{_r^o)4i(xL)FW@4Al^M9$W19j%N-1{q@!GSS~G``evwlC&Mr zYiP{kp%z6ljxUnZHf5CDL~9gbhz3Bt7uEd8IKs;;J?!5LXSt~-EQ@G8yza}M=kD9z z0|M<~d!}C444OXFG%xn35r8`7tElRu#XOtd%Rj~rB;{3fks+cS`!+IEk60~Qf=ahSom4hD8RKlq{C zjwgBlhSCul$e~WB`ig(Lj;qR|pyS5$BLAGUY%EC=74T%R!X3-1Xgb1kPk@8ghJUS3 zSQMS`A};uVzgO6tqd=l2&;F_z@uHi&()=?OY|X+mm0)+xwbaG?I?fZ0i$J5ggKCRQ zcJCWANq}}MBARgHs$#80&6YKnuB+?;QBJDd>xU{^BxQw9kA*cAOSko##)Thshs+_m zoWvAwMXn8Mv=W|U-a;att8i&5s)k5LqplnPrdB#EyH$LBffO6(4{`fFVpf*dAW((f z>q_t=y^*aUq*z|;)KmEkKoe8!y85kkyW!`TcT?oH5FU(0%QoFF?X*EFnf?hp+`JJkOlV{a7|Wx%$LDuRG?=K#`O z(kX~^2-4k1=g=V`&Cp#+cXxL;3^jy+bV)bt$M^gHz1BW?zkM`oaWIPo^W1aaS2ie* zT^1Xp&$99f@Xb$5)1h%T>a|)L-+q7MRnT{#YU4h5`aYOWwfX_%qS$PDA&pL|x0ebc4r zhT-f2&Ip@UU73V?#cRhoTV0_|_v>ELnsOKePAB_)?Yw8JElyC^;etIon+V5p7Gz}r zI-iT(c{5)a_^5C$$-JBg<^0dxhY|dVCq}Wl#WFK5 z1Edvzj&R>68P0~tiw z)Op1?Z_ovyLXH;ZI4RWHzJHVC0xpjf7cw8xx8-=1em8Eo>Xdt;InR9N^~xFPb6Z$U zCg;XkkHk0AsBE^3MMxjGzp{qIs_Ic^)j9HVPfT7=2esS}^4OIeqfps#d=TcSJgOZw z881#=Nt+T8a5;>3xC4mYu~DTJ%YS4uX2lziXrGN=I%6JwAS3Fwdi-mlwq8ZAq@whC zYxPvbXV+M*t0yO~)XwtVFeMB!&#b$C5?pPVWo4i&l9;IPsoDqExm=#`)CVY+^YvdZ z?33D0r^3LW^M`SorH+RA7Ngu32aDb9!BZ{+cQ`HRNtek4yYR!wZU%RO@79j_UEDa? zpCr}{YhrF|ygti?{A7;@Ka977nZia6iz1|gj7Z^IsXFyesf~YuvSU+NgIJ5vDXiU< zoHV0WFkZ6L(Cz8?+vMS)WntzH#uT@-AD~hl2dsDd^`net_l~hK!>AZ7u7~)2k25%5 z-%|djm`kz9@|n-rC=aKZrB?RHiXEENCbe9wJ6}35;rsdk1V?j59e9Z)4RWUT&E!(H z(X@mq{0*v?dSo3<}ELbEfc$LuX)G+`o8xFI!!!i(#%dS%=RpiXt+9oK`$1| zfQ6Ig=-4ArK_i(4TLuSn@I&$rK2bJn@blcbO~qtKx}??#!PnIm(k$CVq)s zEpT6OBrz83=4&3b6D|v!CiktAMr=P}Ylv(fh^~A_)DU!LFz4@Fc&@TawA}M>n7R@8 zZ<=Vlh>r<-?8(?x&(4hoyO=tT`8#6P-476u;5~}cP8{ok4JAbffq}PU0FpZpGQ0CH z$HBUdKdEAvK{UfvO<_55=0cU|$OBiz`FJaG-VJqU8ShNYZP5L#5EsoWiKpM~b*hv#KKN$2Ww zt&fSa`4yhQ_?Pr)dptbSFW%`FZxZtlt!}5|tC`Ks>3=fTPt6NYQ|(74>~_+(5?^L{ zp9{@%n|nAN<|kHr!o~Ro+qBCw?$s-jz9Le01(nC;h)HMh+xk~AuXInGy3Sea&VnRx zIv~^q6VGPVpA{3sBJjsgd=pFlVD8RWEPnfZa|DZ(O=h5ppBbS!+&|tO)P6P!pjaug z1PLk%jLp&1C_Ea!^J!ZiP=bvJ6fbaYQx0Pq__D{+LLL+p%v-^*epdSMH%Z^yrMsj> zK3x(qQ2d^^)coY>qqjS$ZFgn#!M1ckDSwl8po3XX|EZyTtkC)DAXn_ZMJHqxU}mTd z`||CV#7dKG^9IHbmt{;q%-<2W5Xt|LntzusRX5YoZbS*4bv#(oSY+U6e7g0Zwge&b zRD!X;l*|py*V}E`Y{oF>NoLxpRLkm0tX$WjsmG;(Nrv;T!J7mx^{WnLDKCP@L<##< zkTeyV8hZgw&_x$^6#+8gbcDsAenJ9s<^^hunbO_0Pnxh<#-*h04N`#V4_W@CXffZ8 z=jR2>?noJ~(`52*>sic#7(*>*Lmk4cHrVVlfw(Omt4^}EF(xu{G?$d)YpbdF$W8Kh zxK>Ne$@yQkjQpGGie?>+FNFWxZYfn&oGbAgm1`yvgNaM^M}>{X4zZ{WB}|dUuMl%j zo$_u*PCx$)PFzIqNh?dB{2VS@2v&eEpyylbfYcQn1k|j+VOJ%fF%d{%`Wtm?)4;K% zeu(nS@+ck?KdA=%mUM#XkTFy`{+YRybee(g?{d$U>nMdt^?NQQ3L^F^Galb$=OHdq z!Z94e!kKG0No5sHlwNDy5%w?7PvxABRyfksRk;2*)rP4b#wg2Y#0Q5(pZ*jd+=CDI ze!6$Z1q}oC1^&=3+L6C))stO7v9=T>;)j_!v?QBqCIm5voB?Hv0<)L%c&W#U8R^p= zhC(_|y*|7dQB#j+0j}mp=ZLTtRa|xGN6ol%pf^a?Vnt)ML5;;cPy!ScimLms!k}1V zdn6Hb#YbJH(Zk40UFh1wauDvzm@iA(=OAheD^i|tCI^cNdLc6}bRUE#Q|GV(F_h;m ziGilU{IZD>d%u!i;`s>0qz>L4e*e~)WBe$6r^7e3W|cn5w`!ep7OK%%1tHMvbe)u` zQFIsi?SK?2Yn*f@pn+qexch9i#y(b9BI1BZ^l-u%w~g@?RzmpujpGgkWEFEfAhj~L zT+bpJ+EMZo=*L=DRO`EV=j3_1cIkgRRTeIk2WM0pgm>A7Ejro!P2i5DSJ(hvD|){| zGzZ$R+LXPUaq<{DWRZ~Fz+FE0((y2HUueXA);8#QRgiAqkbS0U(GDbaXN{X_W30fx z+@=b7)NJ|MaduLvxMTm4n(|ofYYhqGC=?{PK87X#%_5S(XVVh@&~GG`PnDKcu*|cz8&O=ZnldQIRo334P;X0kFCc0#^uRv%^3;1qDyUjyE~m&f{++E)dF>O3 zi3*9uJ?fThVr1tN1pL*W0H4M1;ltOc97SV4jxy8*e6Mzwur5eI{NC`AOgf@$(N0n| z2Z`Z5$7>ckyrPn%ZH=q-f-yHt|5$SM?=QF9=|ifm`sioKjucfbX8Qq9bYqguQ4M-I z3)ByLIZk^seMva8qLm!1&_f2i>Xb77;>I}%B^G;7w$F)VHgf2EW`Jvi2P^d7J2 zOa8&cn|J6S0ZcJ`i575AjYFwo`|r9u)BTzmqKg*SyOoqPU#iBk(Ro4b4)EwMKT?Y{ zBBe#+T3|Uj^Fak>lFv)ZJfv@1p2q&hi)6T#C)Wc1F<-_*aNNO))d!I+^36IXcp zUp(JMRNk`awaf|R%j}@c;-!<9 zOQ(Lk_-2u`IpqU?t~ZG2kx6q{5S(`7u=R%W z3d~MpXn%XEHuOCf__gD>oGZ#`pUMgyghm|0gH1OXi8I)M-)oBEfPz`Gbp6$15*C-w zzcE-@1xfzqgL<{hx}z%t4>3a))JL6jp&iK3&VmS{UKH!Rd^^UrK58A6P7;;3Ej50H zk~a-c9!Z1M^jM8U2CWlSN|yw}DYEc_aFo@G+2-Fkq5Y_bXNK+mxb>Ov*vG9y&E$>@ zy9&|JlMlZ0nAo2n5A&3~vxQ0QojvYNUv>pzXe0U+A^Jq(6}Flmuk0_GhE2WUJr`uf z`4uwJR&jA+PMx8w<&LBn~O^TPFWdu6y}U(+bCWTn)~{2@_dm z|4iEZkTA}dH(Na}itBIx8yCPqeeIFBZQOi4f-k40S5?g%5wK6Q=ubEC4wr zQ*1p=(~1inQDnyCT+E;4!~{p*?49{d)YWkj;VpoHrXhS}Ld`&ms83&jVs_&z@|Y>H z@FX}<_!sg!Kz39v{IHwh4Cz<;%n#sfvoYCY$wf>>ZqrIv^H==l8SFZZ(VJw`lq1pU9Z(CULx4yS|Z}HFiAV zw_^lHZ@@t^8ka9SWI7K%J&^_(zUEHKqsR9#$-f9M)vvALOQaa2RJ)%)RwVjp2sDl9q<*p ziiS3v{h4HmD(*Pxn4AE`Ui4?_#X5hLg}yr}lYA;fZyQryn{y=Rd$hwSJC-f}!vDY? z8m^X+l!>|iQ_HL5fRfHmuXAQZTM<)TjlYT)8>LS!pj1ABzgeDt_u}I~@j`oR#v}_j zYpB;0UgO{xkI77Oos{NQ6fK2hX2Q=Y zr>G)!!qQ9(2J5M%)ty**9A+&F7z;Nz1kVbT4|6o?Y96ZROJ+(YHTpz9Td{YyxHHQw z0}9?>VgYTg!1X-?prT6pbhdy-b*u*Sh@Ou+D~;P(`gBnUB&RBegNHD!6&}WEszqCI ziX6~jg@>OP@UG_of%(k;=Nsd{NRHvEZ8HYm88HFTIAwG3a4@M;||Uh30O(qndYCRZ}^12&_PGk?TUiqu3Ndj`eEz48Oi!$qf=VFDVl!nz?PQ+`~=wYiYyY=8x#`A z3?lq?ifXhp*CDRb=rc637-}KzD`8WgEc6#VZrJ&EdN>IV#>CF*{Ddrfss^H@Cf#TD zCQQy&s6_K+RAKiX{~2UPZ9(}@y;BQ!cj9@z&IvwL%##Fq!txX32W|wUob;dT;mUju z)s$wFE$>GDx9RnY>Pr(=mz%Yv2flQd6QlIcbH4=&0b@TGJ10OuHwy?x1UwjqL)<55PSo~kmdp{fN3A`-@a~< ziKkTu*>&8Rd+wxK6a^bg48-yWBYGu?B_;mPx<3ZQsp}xW#J_rd2QZ%v*9Bf?UC;S+ zS?)c{o#^dGMX!<^l%s(LysTxETxR_M*O!IPXEQ9@%BIbCtrLs8k=LKnb9H~`zbhk= z6KCx?>qPt=X0TAPr2C57$Igy$CE&Y+5KxS(-R91rkP>6tG}_K9caIhABF%=O^>(9` zT{^a{jGFc}dz}$7AzTd9PqBXnAxbSr0^L$=)sUFUpsq9}8R1-Zh)n(yoS0|#SxtM-a$t+61 z#L6g$^b)n2Ss)`8+tme!P<(U?z00tk&F4KPz&G-{d!8*ad%xMVmEkPX^Zd-@6)3b~ zx4(7@7nhU*<-05{16jK4b@>W7{h{dgtkv)u7V>-9rsg6$omMi_o?Y02OzK|@IVqSN zG*-$92k5SXkyU~PC(rLXRg!0Gly<~O2MF_I((UHeo|kI95RX^!GE-P*Jq(=5oj=e< z2Cu1e8pim#Lh(oTF6K1DJI%!h> zl(Ra8XP09O5@;IHXg}E3wBlRwV>)~n)AmpP;D)Uv`Zt1BY+0SgeB=i9ZCeUONkT7Y zl}X*5@~Z2hlf3yp&AKRsPeE}+QY`Mlz{a1BxN!Xa-<#56}kzdi^{c)7W(tnPn{Lrp1Qa+R#R=?CB2tzM7hsF#-o|UMXbGV!J&UfMDe2eND}C)wh!H3DUfz z+%5E8Vht%j?#dIPf+V~-+kYqKn|rzv+b1Cd`HK7=cKv{Bl+;O8Sn#jPi;K^7CFkSH z4IC9>*=$xsv?~Ih)K<^z%51EG|JybBT9P6Isp-a~`AI;#ccu*2;gOS*llc^Y`1bNl z2JBkgP8GAg&%@;L9oqq8JTql6@oUhw2#IEC6iv&WNg_yz^!nyIYH4_hXwN9hCkY_J zjpE;RjW4F5Kr*^ot~1f${z%T4G)>{g58R<8g7iIpK%}%((D19@qQFH-3>1ui&QR+m z_d4Q06eGIoe_>RkVqHWOHSBs-s`Pk&Sjp)%S4tf%rSKc;tZ>l)tr#$^f?5F+`zXsp zbYzS#QM5xUTarIkswkF*o2cW1!up4}ZPR;nS&zM{6in(jWD8|Nv>NT2*E*U_K zAgueF>7UtH1G-7)f5=Xw@wU@kn=O@8wX<)8!e7s))XDNo;Rjb-4-%E$f@0MY7a1v{ zzn3DdUhr7%I?IZ(%4PRSj5w)m!2M+CC7Dzuly2f*Zqqy?YXhmR89k?6Hd>glak}so z+hNwvNy%)IZ{ta_gfA+LW5MFzqdPENkn&YzgkXY@EJv4et)1|FWI2> zd-=-gZ7p-9d8TwhM_5Zr7p}lTLwQ-@!~OhT_1sGvnd%4bLZE*Mn&_L#HQ1w|PzhtT z($crHTpeIiL`xTSZl>7(-0&-nHqC2$=1M&QxLKn@CKhi>Dzh7|MoxLhR1MtL8{ptgR+oUvDurgsS$XDFgOW9_ZZgIjym29m4R{B;~`&Nyo=oijP@|Fo3HB0i2~YL}K8Eix`wWqIPD|Jd)PD|U{{%0U zX@Z!wIGx5%9hszJ!WvdxkG3%1sVnh1uSmNys*U(!IE3_8YAf{(25Z6_R6gn(i7oR8 z3$L=41UadsgWSiIWvWw-A#xIWD>tEosM@P=s!*HCpxnW@(1m!lJ8%8NgPY0wsmqu1Pc!e_@ zW!j}a;F~OAD<0Sruw5)m{I(iYOz#UzK5xdrrkj83@m?&;*{)qa0m~H4#Q4d-Wp6^v zPAK3Wyc;bclp9cIOL^G@^qv>B9rAzQ?RRh#u&sOJ1wd~x4QLT$B`0F*!tzo4#d1^4 z4uB!02FYZB!Z{`^J;W@^I)|11lN;HGUm;=7MmdpHz&p*W3=^{%?UNhrA3l1&SLx(0 zd7|38_{`E9Bv?ddlqxE3*k$&=T$=xm(Ui}x;CoD^fmWVlm?Ge5boIL!=jFj7d{7kI z$rSbL0I`97BlTdHCyb5BkJhk0BkDCfnT--V0RD7Smp(OKKM8-?uBV%Idn_FwCB)Ke z{Qw})KLhQ8wKwq}r7&ajNwFV1*Ss$jth3pgXeiDBTT#9`KSho{7^(C1@{k3DGgO~_>?HYMj=JGT zUV}j?dhLWOY`%zK>L>%>v7MxYG@$=4!JK~cm_|&62k?|Q5Drm%l*Z>l>iCxTjbuLpkI6jt zyBSqZByh+^@FBQ;Sz?v`)>?D@SAoKlFH7h7L1w=*#9GZv-f~-NO|s&HYUCz)xJo$_KC+|R+0+`-c0TKWO&-hZC+n0Q_Z+~Y_{4GR9a-yn5pOvT{c*`q!6Or^$E=K?>atF$`2h?LC)m3mq{ zhBRmQo{2~n*A|c^NwNOcd_$+^S)6LKC!;OFM#&t3S+SF0_RWAJcT|O-wUhu$`UA@A z=+YDSdF7Sn-sk8w&vSgKlw^ywN>NPT7+I(lid^@L6K1wp3bR^)(D8cfC{rt5(lY(I z2c^usRl%xYqt==V*&lsgWI|-QqzR9t(rxLR>vEDJ#oi3BEe}}EY;m3YJZ>uW4p?fy zyhNq8B6Ek$sNa1i*?#HyC%T?|;N_JBl!pH8Ui!neDKe!Sx?_<-f&axPu16v;_w5b zW(sG&#KXz0yErHR49DA2Rz3cFEgqAw{d(x5??H|4lcxt0Bjx-8UJ%%%PNU5@#}(KBuKtu&f`L+!&rG4z@0 zHLo>(b3?+NvEEiDN^gJ^;ULOi7T}0iO<`i9e%5QvJoEvhv*DScSJHOiea68tVbxyp z?OpYuCb}p#$n4D!!Lt2lKL7gpEaR(LZAzno?>-GTeE~`OMXn6Z*_pveMH%zHi*9)! z#%JAr6ZpH@34sV=h7eL#&8n_g5#_9(ll*GrIA%rL-JnzAfxi1UH?x_6UxJaRGeuYK zz~Fbw4Fy-Qr0%5ze zz>_&g5hAGU$!E7Yi*vc!JC_oF5NyVpa6e?-<{Tq`3XXEKB}(G1&;SJlH9xejgTKUh z1#>Iqz5N(O*I<3_%A=!fCjc1Oh;GzX@l)8qWt}8IWVeUYPvY?F!LrsaiA~)( zf5!ih#Z(vRAE!a97XU9{Bo3)&#`J8og-HULS=9+-T;F2ourz6`PF7o!PueaN)4znD z?gOUGSHeI?eS@+xFI>yr>UQxnl@tWiH|}>hAEt&{&q1PwzNPbA%r!*tq-yJIl@wm* z2n3X*(lG~u*@Hd+s%B5%9|G0+3@(*K{BA+{2Y7Pb>Q;etQ|27tNYAofRc!dx=GN&8 z04Y_SdbVy7-#g#Dk?IYxI4#$>QF$#0wPLSQJF7#1%)ZvEX5-@KhEiU&MA?Fm7CCaL zZ$xGQuzP^(EuQj65%i$~@m(W?siqPl>#ANOqEf&Lnv`ne^42Ej`!-tDJ*?hZ3Qx6^ zGXNa@mh(MDM#+rZ7dNQf!}Uqw<+vcJ(adbiY}i~*=B#H`B&@}fB{Bn8W9c$d# zGG6)--##H{Tc<6uM(~DqqmhEA;bjzls%CJd7FJj<%>sJN^nATeWrJ!(n{)07z8FPP zTs2fnG$!{g#xYZFv3Eb`T(iZ5B(tEnqm5>K!L4-6cKB5P0^ijaoIE6yUX7;_d|5eKI;4?-ablML$}qNNwH~Qa2Om1hfPf1Ak>sJg2fbn16U~6NOac;q*Fsu~sFr zn$kG`6dV?Xjx4{^ZH&vZ2K0av?pLeOQorIKCma3789Z^9dwvb&e#VK8FbSv%$;@BD z>_+Kv&acY_&>2fTG0bD<=XwY`^lODNp1@&E`nTUxI#5H-Fw3cb&>|$<(o_8%(`1Ru z2^eyaABcFZQXt-v99u9*8oDGE{mc*%-Nc&yVl9z^+V%F{T|#&Wo-H;E7aA9TUy}$E zjt))cVE|HtTU-Px_=XCb#J&55l}l3SKd~saKm!Bw%*==gF2f0&8S;%ahe3P}KjqDR z=DsIdbOs1L^tWQd&&#)FyTonf4&aL6&d07C)L1XD3NSLK$q@{X%!aTKEu=45Q zAP8Uh<8^F~wq1hJ`Lf2{E1KRMy}+>_M%`4ATL^q66$v3kO^!-dYD`?&r+(R0txox)WOw zI0bO+j1p(U9dR{s;O+UP6)Gq0&N?iBEw*(2(_pz^^!|#VjR($jgV;ezXuT?z@MC21 zH?u#`qXIsKD z<+r}iKm*E<>0FJO94s^a6L&@}%*>FgvF)tS0@(z?j*{(MK{b-9*lQ7s*JJ=yyTygU z$nW*R5zr#UM6=dgW9Hep07#Hx2OuD8qO>216ftuC2G6F1n^xM!e@5JOISB2={ z-e`W$jNPcy)+yKKwx)2|pXujJN0WPnM$F|<)z?jH0ED*(Qk2Yo>3rl`h+S2ncEb4q z?JF1L`bBcmmXh^&YU{FdCk)CH#QggfonKACuG#H$FVnuyczBozeY_%BDDcW6GTH{YUNpNbg_6z$wB4mN z`o$=wQ6n|l@hf1;Nn7UhvR|i9B%<36HCD2Lav)v%S$s!(d5!E=BY_fnpH$l_A44Uo1Jx4y)0Oc-1v_J7~iy$5vs($oOcmhbs$MJlA(9FR7lh zb6M+mAfuI{>3@55Um17ee)Z8yD%58qonKG;RPngW?=t%I2}(aIY#$u&LK6Ft>Ze?# znCr=^7R>S~{I-nQ-}E+F91{2AXk^S+z1(15ZzAc6$y7y~c7Ut0;KHd_wKLUGE z(0f3|@0-#oTK}PF%+C2@+Er6lEmKSWM|eCg1dE@_FKo}Ny=Y5$55 zZy(C`VQrdkAoDU#uW%XpK1w;_fXJMEBPRjtGQLoAdklH2$3J70EwXFyDS7=IUeEVp zD=FUuj5Bq_umvy1pWa3{YByWYi}ujDTlBTEw%Dzv$Noh?R5 zjEVwnV+Ab-+VX+|v|pJ+AsV(^=_TA?ydgg+NNqe;4lz1&oBvZOeD(3S0`ID6X0S^y z8n1*xV6rN-Mpa+aKc4zCCaWNLgg@_nNgSo|+T)!o7xN!atq;OCZ5Kye57(!3iDkh^ zIA)8yUq~%=8kakO8f$l7`6?VF#34aG8fM}RR7)|dqyUAi>AVhiwpi@r9~uLLEhXvZ z4>zawSOKwQd@VB0R{VetiNK8k?O>rWUP(mD6QrT3+_t}y4l??i@=Zt6GyzV|-fkbL ztN+a95>on{Dl7bV%{|9hMqL4s_x>;Ug1+2A2r+k*B8*iz^bes4nvt3|7OA<4JgGOH zocuh^ypK}^N+1~!^HmK^Knz@ZJxD4nkzMY27LGLg(s{8yte*ySeBNBP9}m-Ki#a zn*Lm};A8;w|6E^?_~<=Zgb1EhZfRG31yR1shi2<3q1JP$w!IYU#Nd%X~_`<4B zfgN7JZ%{%uoPnY+CT6Ag`?|FOb(VNRFZrkMst5C)Pj3<%fcNKR(ax)c5weLLU>67( z?E#>{F#nf{Ro=KeZ)GrYj#SDHMm_7y@eN7Y*r3LLQQ`a_g^qvUd&2;sy?hX=S3o1( zb_lsslR2kN4Z9PS2R=ohEJ`gWnFcufWUlxtlpYp!x;0%kaIn*8kKN_p9!`VzNxTX| zq5$Ok=?K2N+r+D1`>mLk^i4guyIU2e*nSEmGfDyl=FF>pFHcGRrbHp1!~vb6qJ|zg z(QH^Nm@W+|^5OT3Gtg1|Hi}F*ZO!k+=Wu?C-1jd2N=&FHM*pcZYmT?FGK@G^|B8MS zFNMI!Q129H-p4Vgv-MNc(-b1=6~I~Z38YkHrOy{2GdYJK;WM|J-skb_cSEW;w`FI) zqbNECd3e;gp3uhVte($bm{|S^)DQ>|`)&!#PrY)MaCcwx*=K6m7NMK2kSwW^NbxL@ zvdZD_WO=U%N~}@VyjV?2vW$%czN*WYv!&2;F3nsr;mPFbGEhvX$Kg)4CD$9|*n_u&R$$b(Jz0r$>ZESx`z46_4%)R~TY zH^<{SHQOqrmb{gt1J>g+{Bu_>yQCpO=?koGc`qlq1eQag41NQ&A~`_1h{c{;b9*9oK4K2olC5 zMs}y<8-!FHJk76=kkGOne;q&>-C5OjA}Kt8~q0x zA(>Cp5U#zh{jZ5CHM{lB6Z|0p;1hXRpOH`qMC)l>TB&f|&yDQen?o0nfJ+t6R^UhP zEAEA<6@KS3feqZsiOs33nf#gs!!K7rnoji8q687vkMLI+@(9+t6loi74=p5ZBEKFK&q>Ab-EyXs<*QZqfPjJ#t0zcddNJ0m7lW z8hkf)-_k&UW`satsBd~R)ou(5j_pGf-|;c97d0NddpsrM9`Qt8XIn!P6R{`j4XA)e zBLBJ!Dn-2C$J5XiJM5QnVM<~vbeXPX3imaTi#a9Xv63(wO{lK%ci+QbZFsufir$Zv zBCoF!_tNLKNddq7!w!wDJf;zyalV3wk42jML&Pv*>Yj18aFQISUMdJen92+~vvwZO z5EF5I5a#bx`ojWzX@+zO-wJ)1WRD`ia~s1;3AC8VU_ei~i%$!4jOazkGh}W-Aa{xm zt^3?xi{(^K;cN6&5GfX{^0mAfX^a2=JC?%~QJ8K{qG2?$303y676pUt zaSSQ{*TP2ApVUP6{-d@$cC4Zc_|n+anZ-M_dh>Hh<7AgFu#T4~NQ5PPYjPKh789Y(`zwvF}^%Y!#M&7!(5rbZOMAg3(l9f}2 z^SS(GFE_yRVV5u+qWRsc(Rn3bZN4NK@mF9kZk9PG)FOw_pNXKd@GM&?Dk8GY_X^+h zqM40S_Te|w(Pg$h*<&-h&sxKdQj-`$Q}tb^Qkf-y+o-d~;aXM})|OeaP-0^yd=;sP zk42ajw*GAQlvYKd}ex@(H_RhEq4y|tbi>Bx_nuGJ`LVZ8uK`X>6@{~fyIf1X8s^{AKEWKvXT-J5}7 zTWv(|r3+R& z?N)sptC?$RxI3Ou`P(C?Zms{NZn5^|?(mW2diWcP2G}<9tq*qn{&GkO)Xp$OCWIWD z{rr2K@HXtG7}#mwdaki%-!OIeIETa|O5EK#4C_g?tKWgNNs3z!6dujCVZKt?g@_tXORw zR>171eRBU?$l5dr0~+G7)M<#Cf^VC?8?@!X8YoOAGkK$zk>NPuO@GgNUOBDk)1U}Y z;zqZUfe+{2KR$+r0fQ_zdXG}fxLfnJ7(yP$V;-|sO;8%IJ!^ZG1`ha)dC|g<@bXq0 zvmcSXRsh0*ejY8${yA}`FC)V7`>i|m-oNqH!=+C>A6KTQ>>YEo&{&DuP+8@`slAQs?3ik`XtEoz3g< zgjU&cGE2X_JgmPQ6ZZ4|Mw0L*)iV$fyonC^`@&}wkb6S!)|M{jw(68x&&Ki`LD+Q?Ai}Lw0q(+pCGoxQ#H*ME1 z=;y*DA$9ZGnw^^zVGEyA7zI3ww)a|kb3)2OCjN~rx~nekROerFpDfVh%zhJ_+7cCT zSA<#cI5^z6bskbAC}UD%*^=NA#9K3b-Ja$w@DQ34rM*i*&JIp+0S2txR zdWaYc;py$68h!}Je^*8ReW;8Ki zEo184W4;CrL=-a9O>68?fw_GuZ(S$SI!aZ@hA^u}UdeIpCCL5YX0+)spf59iZxdTp z5lfHFK6kra*c{HouNb3XGW@7D`fY2uJS$LoywSr)K=@|Lt4>1mD3TUu@JSM5{rX+L z{qTFy=GlOhNEfZt*g^zvUUOn$@J)IhlXbLU`u5<*mxJCgb>d3+(j>c|g_7-`n?iJW z%9dm+MXrhk7iVAky>RwoV=J}u^e5p5;V{TWD2LjZ_DiE_mxk9oHsoMv;Ew3i@jibD<|&uU_3^sd72q9iE4XiAw%?gVDeFc47^jBt z%(j+k82g;>J#3Z+_U>>hc1r$=&u z_eB=5P4l|niJ~_9MPaA|JSo3Z=s?F6yuT_adMt|*vgUh$KQgvR%FQ2ISX%(eZExkI znvs9L*YkYXhdI@6qPEX7r_0TDJPauZBg-pXg6Z>hl0~B>Dv0Jr;NFPB%`_&L>1BC! za&qjd0a&Cw&j$w79oDy~I^x_BpoI9=<)%qLP;~D{s`3)vO&3 zG~)z*Gagp6OA5!J=kunN^ ztOp_V&|`3=rcsNhdm?DEMPoeV%)fc2lx(lE>hZDXVzN}r35=MDg5xh$G2%&$)a(A5 z-{2i{=*xTNey?%z6lZcA^_pB{W~*`6aewKE8lLcGWYfx(zP^;vW3sb>QIWW^J5>-} ziJ<D` zA)z_PdEX!B*1*!S5P)3rfToJNTz%Pfg0g^7oY2ls{2%^Z>K(&rC<^1ir5;em(pxtG z-QQwFuj!QXQm3>nyOFIgdpuHNIC=(OYh?(N~ksPF%eJO0uC6{=?vo57ko zzUhpn=vAu#^N_56qAr8}fS4I+MSjo*VdLJ8Tk`J0DbHIxCLnQH2C$^ru9IcHDN6bP zK2U|q0d{zoTN969R3dSZplco$mE;uA*NDedT-oGx(mW^zCqjMAYlQK5xj$R(vkb(3 z;jDV>W_FCs$)Jw*MTfVC06FzkdQQVMKqHN4DPN4`MzW|(#b==&yQYn|OyuXg_3(F{ z7094yoSpRcYkPr_;ASgnA$fp|72hn@Dg?Snw6hos5(w16(FA$Lo!`79X>FHcHe^=D z(URugLW_NKmsM+29Y>@`ap5;W>RQd)@n_>Oo}Y8~-1J{D%@&x~2?71+ep`i_wQA0e zE%8+Mn~?pR;*0jUKG0iTl|v}z6+JDF6M257peu^5tIGWjD9cROZScojiwTY(I!1V< zNQ!j)z+_c#UM_%xx}0pc@25x8!RGDFGTPG0BG3y|$N`o>orS3gX5R|mu0(l}YNG=Z zl8=6pFvhoE@_o3M%U(OAzfV{4%^~j?YoLdfd@>oGxsi2T>}pAz4oil>!FdKhtve^E z> zNZ;zgQ&av@?F(zz0}{3qWqv)MOfiJdh~cXZ8DK7_F*7y2?Z^z{^j=pT{_<5*yh5uK zUrko#7eLr*v#smEZ@fxxG8qmGU`L7g5p(*3`*(JsLPVmF(q_OsO`22U4>RanG-6Ce zT0v(0KmMZ!&@)igcTO;@p`z;NYMl(u;Tvob3V6IT{d7GH$NNQPG3}KGTOIg24HiLV z+XxI3U^l9&$q~;-_799w}H8ZK&~RDjl>A3E~mU&FKE0(z=!ecPs86} zqao<^Su$PdKKIU!4hZn-a))8N(BLQ%%WiMK^$`d0?c>IEyTm|Iw(wr{kGRrxDee=g z^qS|nZk{c_d z(EAq?uILOjm}+@Bib2%SKCXBkmMb@hOrlUx(DZls3;|by#qqD{aeJnOh&PhidHp7h zkjl>I7Tb0_K8ac&@z@E-JZ%Ki{q{Ys=a*b`YHqK$K$=f@zu5Ztw-;kKsegIl;neR1 zHjfsx35YVgM%-YwjaX#}pE>}Y+Wq;c4I~)v=cC6JRHMB82&rW!&AN>6v2)+C9|;bX z(dROD_7yR905f`NH>R6U_3rJGMRxtBAq9Tl#!r<-JH3c0rVDcXflAdG?njkyKpn*I z_==S;WG1=`aL@1?XYZQ;PJbwQ&;_uFtKjE?%fI{zNc01OU0q=mALA0tHthWDHaJD* z0ck>sDz!QsBm(0#rtjGY8j^)PEMGCR;Wq9bxU;m6OCK6eC?4fQ4RrOr?mu{5CZ-pQ z%km#y6E^Ll9a}$Lp9)eSO{W@fvd|9sZWlK-iLaMJyBq124y8l7bJCr19@bgwTl<{rTYDdV%XIR-PmFPo zJKjCExYlfGq&Riu(0Scz)E8P|<*kH^l~#QjB=yfEovX4ZUo(*ceIC_=FM>q3S5Wu9 zr|;*Kf%Xbz+&W!-TS!>b(Ic~Ml(%B$oO1hXZKlhQytd@z1Mpp;dJ~~qR+z?(!xtNH zP1u5hPz<9nFh~|j`eZLfp2(bnRgVvSSwi&`#;q2B-zd6Qvv2J5I=>E6v{h-0w<67L zHmvpKCeKZ7aAvb8L$|1F&82#i0qhzsjwA<3CprEG70zF>lUL-YT?jmkPN`^^h9mwY zw3Kt_#l>#^`DrY5Ol8FDxS}IOES)3u;_7Xqh!|DDJ88je2O*>mN!s1JWrART9Pzw* zo_=~|C8xRpj6D1?u*Yi|htH1=~ua9Q2@SgY4Tg z?axCzg6Qb-sL#l#)4sm~;PjW#6smL&rY!hQo+$-=MHRJz*N}}xy;emew(Ulp z)@mdzQ$WGgB3`^(&24id>#^y0I+BY)>-fhq!BFC6Rv~<8tz`w@^db}fjRo^XF*S_| z%o#rvtQ}MQF<}5hlmblGnaAr;lGm`Qh$jENiuw5vg~x`X4#V>C*UXbZNw2m?~cq&U6S~K^c7)H|J=44IrI6GC){HIh8 zXbG(Jz)@nlQ~mf8zQ?Q0>+w$GbgToQCAGjvk(ZwcL~i5&L#KItkgZ<3bjl_0_r`F4 zzOGc3t9?C$0shJ42H2`F)|6_#V!ZmhLHd*hGHB+04ks{$nw!nZVHHBpIOcm}h2O8S zXsWt}v{e_T*@qBs)>|W<)ndi@++=yaqoV4iHwTF;_0h2EL=jX$Ko^^*zi9#JSA+Hj zTMY1a+>{MuQ{N#9WN5DYN1Vl~fqn1Q)uAht_}zuvRV`PRA1@wpCzD|gU{L@D5CHEJ z@a`MMgF2p%Z^Vmhr*kIl9{|f*Za10oE%dtAo#Kk1y@B_*+)9M)hzY3uPQ6esoya_; z=kbDvOu*b5sr93WO6O}M00I|FP8K*WvW88*W1|p2!dALLbgUarWDt*!@Qj-%Hg!79 zj_xJ&Av26v=p`Jk3V3CgpPPyiNj{M)M+5h)t ziogivd4E+0sWbC6~RnM9NOB0;p zI?-SZ99@WK2hgBZ0NqnI04p<2pXj+#RYn_*WC+@xK^s0Uzt! z>ImYo`=}|qW2&%fZ-Gz0EWSbJ!84)kz(|`__>xyem`_;oPSHt)_UOyV-%YP!m^ob4NTj8XJLVQw}ybIq= z&t)F*b)Wey;#=kWpcs(Rfd3PU5ynUc&4)Zv@GloX2sePK zp&h8LqAt~p`$&MsCwy^%vGky8T%u35P;axcj6kp3%EfNI_=jT2*B|LC@L$?1NVTTu z5q<)GIhukDO1IF6wW$0T3S^K5P_gEiWPJT@-EzpWK=BTKx=JW4GtubF7tL#E=K@j9 z@%Ve4;n&c#KpS4`wa+gU^3i?p>S(!*S2l^|r`$6sie9h1b*mp+5UoNu=ZbPy4T$Un zgd@dCzV__XoMm*%VBhGcHv#9_Pnx@MH5{9uUQ&$ZSu|Bcn=pKR2M@ol53Z5Gwg7d( zl*dqqRkk^f7*-b@wb}y|Dy$gmYH>zsfJnhd} z2oKXGs<}K)`+s1Jd%E4;4UMBu@d^&uK^a{>sb=u_MWY5AQ_sDlgk$@^(O;nt=)1YC zaWudthYP&Y9?=(t(W+Ra^?z|lq0hRDKeIA)M~4Xs2zmEw3z+74)7vk+f{FO?UqNIt zwADH+7wCULAP?jx8>|-Cf9>te|3^sV7v(Co#Sm}NS_$FliL|}Nr%wsLVx|}dev(ao zDp47v7=8ALN)!Mhuq7lhJt48>j&B`KRZqZ7j6W875`g*|IClCkUcfA?`)iGUSciwP z!?}L89WkcDQ!ht-E4GI9-1P)m6PfsyVN>TJVU6L!1O*e^lykmurj> zecls`dW!&t9h2|d3-5qs(}^m55%ck!fN5&7!kzr+?_lPpZf>>QIwy?hf?2ZUrIBd* z+*x3Ay+h~1`9ReFKi8c9qZPq_bSroR|B`c1ZCMOiZ7B$q5?y`&x0+ZM8AX&O#mOlw zx=ID+|2&EOkDvYjAX@pyKZ#mF|4d=)Wg|S3`CrcY|Gr24A3bLN!>?xvQ7GgI&4e)Y z{>P{4O%4OnZ$CWWvm23-eDa6D2b#kXm-+j@z8tLweCuf+VMaWt%xBHOJ)B`jH1Hok z?ms>rEHM~B;^w*oTmnSH>825I)R3WlreFapoh%O?X3LwM2wLB_OEyeJP0ts*dvivjs zXi&oaMAxVy$eq0`P?DlqS`F4Jt*&-}Q$PyL<>7{69wKy;P8}(f%{j7*LyxXjBKx z^5g+~ap1fe`@$uX5AMAv=Vm>!qG1(%0F;ktIJe;OfD>eficg-*Vzwe5c7O%zY>c+CPFs8F*9|I+NOzt{r#!*+)bt-(f0p9 zL+#OCu;Rh20spHp5XzX0`I8wO3@jlp`taT)8$EpZ2qVzsiOTc0abvHt<0&U|M<%j` zHFb(Vx-^Pw&33PV!)yDriR?l(7GfUzAdW(t z?C?E8{ta~a^r1Lki8B%0#oo3(bt+^ zK0~kZ%sTTw@EG0R{LOeB0h>Zg`RR5r;vU57h=9}k$CT@SaiJ+N(;NI0d~5^%64NjO zz(swl26#Si$fHtHq)-JPs+_L<;7}(tOw!}AWV>?2mFV>bY&7w}!e|Xf{CN3v2YEXL zeqx((o)^YT);!L&dStWiDot3Ne=dyY@&=rT!(DiRAYr(jdpg0JN{upcxWu_kyPe#D9~bKKaV;8_(q7U&j(!o z(@x5kqH|?8_@Q-_d)!b@m%Q`wePxvMav@8(d{ZR%LWXCUke3kI+rIMRW71|FK0cR{M0u<3{LeAi#@wS86#OqFyPQaq4I59TSHQzW0g!eeb$5jj;VlQhI{3|dX z3(uF;pA3^z9p?#mHE#9PuH!~oLAI@H-`9)2cI17iv9RZNN;==8h5zlGigWxmO&VES zEuAMO|HF#7RmXzeIn`5baQ8WYVATY^P0LMWe|0CAxc&f^h~Z;`Q@sH7rNXhhb)`em zljPhRb@o>4-)>WNPPhafcVFKdU#SqhJ4IyY*|Uz)RuAZx#AJ~*^W|h=yF!iCcT2F@(6H0O(<+zKil!ZLBX!+FuvV3 zf;0WP`}z#Io@^sJaO}MN3>^wqpJZ6v_D6}NDA|E0e`UvbATg>}ru6#fU^__bQ6Z}e zor+?BnPZ?7$1|H0h9(sL4lX}@ zZyU#~ky4Vcl6&#XQM^%4ehVRfFG1R-KyT+!?D)A=J*X?4E>L$GDnF)f(fEMp%;Zal5^FDaL>G{TB`*Pd{Gc*SieL~{A_-d+X%MT zSiKh{C}@pUQ7mkoI|N+<9%_)l;dL<*?mz7~q8wp>xKSKLUe;cij%B?BUD7f|nUL^D z?-hOo^I;6T1)RnDt&{-Fmn05rmbfz^;7)p=R6twqML0_%+9b3T?(6=BxzaW(T|N54RH-7~_r=_dO>h3MT8iu~dZ+M| z@o+*NO63@&z9J9F|ysg|J*6<(C)b4Di3I@oU&k{cZ!A!mX)5-$sBQPuoB7LcB7_kz)(cj9F zuMJcMKx0e)CBDICh2&iZCB9FWzjrY=H&Rma%`2^_6L^u-DwKcq8A9)2ZakR@*oa2p zxxlL`#zejPXDOT{0@nR@)n?4U!H6td$``rO-~Qgx9M1jdr+`kRRqQ(RE9~w9#mE;l zZ^e0~d?}3p{WASuy=;F7806G)!F9MCUDr(wr6yZU!09{@!op^`)Xq*pD$%Uue7s~8 z>&yGzf|L{eCUAv%fa1WSdmef3D!XCsQ`p;m&NtNPc%K|g)k@^dcw2*uoPRR+*Oysc z9M;+pXG6QC>91U02Xst6U?UQpR`Us8N|Yz;lf8VaULB=-cVOIK{)IW^ z&{nUTe8)nx;r{(12S(vf+!zHLNFXEsuI2PaKVKg$`HNV9F}R%ZP+T^s3dek);kt_G zAwBS$3@|JeZ(iSwWsCS%ZzqUid|SGvR}o!hT9_!xsH#OQ)?^i+uw5d!EW5aISRE5y zDCYq}eYP(XxQ<($42)eS;G{9O&4TR9mYUry>J^y;#+E-!q}Y{pF(0@K@IRe~R>y2g zYNPQp@4IA|gBz}eQlb+q{$ILhftSkNt&7Ie@lG(ubD2+)g`lm?pOoVb2X%qe`3?Y^ zLmnkS=~$%G;yfc-`}rqS3JZCR|50J9>*S|O-6gq{loa!pND_W2b0P{f(6n&yh9^QB ze>VIbOp{@%p`XF)QV|fSHeVHZTO8U$pR%>5?le6JY0yshasyR_rd4WmwEpEWDE<1I zJ-apl;{6eLF;dlH-cd0&%Vh9zSKQy3Y1Ii;)}MtIGeU2DK&2DzPy1Erz&>6N$hBF( z#zGmqXGYbD$;sEAJ;&O3HvDfQf(aaW9BQVJX*l#-g-TS4KRnC50#I>M0K-4qZliBY zQ-_$}o@r4Ws>4kJY2A!88HeVik?HLqS6v!-D@p+SFa$l3EzGKlJ);4aO|*0iJ<6`So*p{Qr|$qUC{fM? zv{+2Y2VzEy=)?sM!s)8Ia=8|mouiLHL!HwRC0U$ic5%H4vrSWZFNZ zxL%K$p~kwwXlM-qC!Ec!<9m!iGPi+N;aS5P659Tr7Ig)FBmPA-%=4rcnGUaX=TrB$ z>}~TLuFF!AGo0$mRu%@biL)zqR96L+HQ}T=!VzqR&^U6LQ4_4OK7gkWGPzvY{@U$XAlTe>};ubiCq zGuW>%thvX#IOWA{hLAlDdVG>1cC65SR5SVO&Fpobl!!9E|7McfEz_s9W2Je(;%(G4&nCq)4Tp zL1Apf?9tbcJbTUJ6@`l3$2mOgHLs;IWpC1`e?JUHBtEw*V@0LMF}e(yhl)g1^d5(+ z76(!Hx?bKB?gy&KFCS=!77q`!MT|Rl)(Lb}`{I$$8|<<#@#M0xr`kv^{R-hKE;~fHJuq1vekT=x|%)m$JPq#c+aJ z*f%0;7W+*J{5((DsU$yxW(T&vw`XgCq?%4~=Re!7mo2QeZQr7uu777eb~^E^Aekp4 zWgrV8+5G`pt7KKE`KRqvn*u871lJN6Uz53-xj;Y5xtajL0XHvn-;5S70zG-cxAmT2 zl?rX{{l%sq!1;ra!!irB36eHFP8Yl5Giz9`W>*-y@cf(F+j6-P3!=XZ)rSR7I-xH> z?5ldisFeWn1haWtPPk`>Taj@e#0yg1Z~zU>VZCT72#F>&1he*v>iG{DWBw;#a4`u+ z>&PblyT2ecRSyEztkzT2ln`u4NH+m<+l7)ihO#HWjNyplPj8ZRfiDQks!r)nXhT5a zukdPFM;9SlRH)-SGDtl`N zvcXIGSHoMj&-zqTq-j#3LryQzc-3u~so~Fxrmp9uD#5!iVFbj93!?Zp1%WPh5(@n5 zN*phP+n@fr-?tn>DmzI2P*jaH#!s_d9+3|ty0PbrkJaTDUwdjiWx0`cjJW-pYDuaf z8ORL!inR4AJvLgcP$x=He9FYQbxZXARp~aWZ=f8h^05^-Jj0F~&5322zmg0KD;Gv4 zr}bwk;@u^okZ>1$iDg8XaPgXwHSsL@fugiyEO zTlU(Cw(veJl%sN|m(z`y599KQJN=ql+ytE@y&X7@E#2LK5x8OV#>Z*Sv7+@ow@R5`vtOC~R-5BCE3wShqn+#*(#d4RX&#A&ksnG4*$z&T zk4AhpOLuU4hWZO8WDu-8X0}SV%lk04CHd@7aC&lEXLsx!lM0{OMsjyRl&4^G-etCf z(0G*}Ut~*(7N4>M?XRvieTGQ!9HQ^_s|5Snmc^7XA*`4V+2Gmb-yInJmkDbp9+bND zM@$!OM!~BO!=97lLmRfBIs>)zfsG2&%a&V$rrWLb#XTd})>!~>O`M)mGsEw36zoJH zFeH?ksuh3q+n&1X`E+%>c}25eSF!~ZNRx-Qd%NSzCO>fCo1<h}l4xr00_}DtgEfu4{1DP&0 zvEm7=V{cfEdnvhV*Z&h$x&VOrky21%1nRT?y%Jw1@VjD|iW0Q|ea;|yt`(Tuhf1CT zWq-XOeG||ElIAg2ZPLmcyc|c0b!}DZ@bcu{114pboJ2=o#lkOA9Hv~S%O~YYfw{Fj z2Fp-C#f9M0ZKPYNf3rU8{en$LUGStXC-fIGgrUfE^As|x(rvXRo}`kko{cL4hk?Qc zKv1v(gNSn3-EoP|G0cq)5cX|L5GxwiB>H=hY(Cw7hzg_U<8Vb zN4hM3?XPhSTgZAO1$oJ%yaJ~^m{-G$+X|BFXHrNOG`fIQ5`evLieqSJPwxdjdjOSq zl=qm=;vMfpwW!I#Mio+}2)3TYc)2(Kq589Q^{5oz4OqtDFs3f7DO%PtWR{RExF)RCh>x0es9e1j; zE~9Q87d|G$&d!>ye0I8EnXadvaU8shDD}(CY~_pm_(WQoX_M*2;!=n#Li&z@7_rlPrq@DlYtM!j9>`C~T> zNez>)fQ{3RGLaW;zH;H8`>eN3n;6M)wn80=113po+I;R1AwM_qI&t6uB zjz-BnCF28kc8k?FDC}iRoe`xeF(S1KY0)BY5?(jg|Ek7o_}u$}!F4-F<9*eRMgp&@ z`rqm3nQ$%M8k^zy?Gx$I9l?m~PvJi#1r7t8R%`NyCNdt~jT|#{{Pq=@@>9w;es;rI zaq`xncfJxD*q<(aO{#920@_Dtc$zd}p|j?-?|>Fr^{17bGjVkaRh{<%BquRhxGuH0 zG?aOM{`tb5NzMx7M_81z$^N|s8`E@eBHuZh3?gaKUu7DGDYxX?+`Ls%T2UiueN)&6 z&{(s-54S3%pO~6geG!WQq2d!x8Ve`D5G*G1TEePs{AOTDhlIrZRt+gxg2d@R{o;Q3 zJQPP4!3bK=Rx2x5^qWT2GIdt*6jwgsdpZFRXUNR&_TCDemNLv2U~(tDn`O|9Ubc&UzAl!9a%RmJXC!{?(O>ef?*J}pj9vA=+*dna zmhz`^+E{Bf$6GKYzfy}mZ)W5ajL@>A9{lwyPPHmSk;@wviedO|+eHj94Y8|pUrZKo z3rIcy5|**Hlmo-&r2Ps%#~oB1#_l9NTxDe^sVi63I_CGl^WMJE>W3nd*1~>$Xfd~j z%i~K&ApBFs-Oai85XOi7=(rrMinRHi#?tl)@U&jzG<_xq{LVfX9(4~qZu`8H-_DRL zrxr5jH!wcH+`h--n#c7dYlo9RcH`40#(|c=UlwNsqNuSJ(&^Wp%5E?^k;z`Th$Vq7 zg218o=LZ`N}pV2!YinWW%JFwmLfRG<(X5DPP<9j}nz zu}8w=^zoO-F2e(L)myfX>N7X!<0eQai)nNC;cIWi4J?hc=8`=lLb4TF;q{aQo6PKW;= zXA3+f)artFPmv~T?>vj{X)MPw8#gg!6eG+!)tr02L*VUYYJ~&9YoS{yzma6;bkSP| z8*tBv5f*Ydu4-mm!Y=6Lf1p}uW3|dXOo(_@=Wyox0%>sIR~B?2iqhaZ6=RNi;FrU_ z$b31(G`4SL7AE?#c!G4&pWa4~1TmDMSI$?35KNmHEuAmw`t7!zl8WX@I|?cAmz0RE z`oUq8e`#lY0t>wGne0A8?7xhw>-v)#M?ZHJ)S{OC-FBd21ZIVeb`(FKA@AtmwZLB~ z?4i$%0|P0@Yb6q9hTR*_^H!jeR~Bs|`y@%hf`db5w?+MQH`{T5?5G~M=(-Ue(d>^FGJ1TmGpU!|-w1uQ45`0H&3)0jFp_)xqKdmO?d7i1S)j=kG@OCjWZx%B7|X zN(esg2tJwNB0j!CC9%90F7SihfFp73M3K&eCbZ1&HDlC$cJAw^YX)dl{T;SI)w&;3 zkbKE*ZMkN|K8kNKP0Aa_iTO8Eat!ez%JvWJ!w4DjSTz?l=-x4goMMm?0Kk?~(kIM93;bg&Jy`{IS&FN3^!9DH2#Bojk)pJ?iV zKWdlD)rNr|Jw9qg;lKN${uK2xnJgj66c^L2XJXujh>`mVC|qVx;YtROS8sMOGv3{- z38DXbB6BZ|3Hqv&kh#*wBp0YWYYDUqZ{p$0`UZLW9FQkwyVObJKn=wgRa{n`vb~{zmQY$LZHFD`jSl z;wE=wX*(@PFX64~yjZQkz?zbtc zyyf?)x)gootsR*zsL3?wYJzTW46N`sJy-lmnjx&p#|A(na~YgZQz&2# zF0V@D)ZU%c=?KQgGa&K$wYynsP$yu+iJaxP0$Rufeo1L?yEW7#%LOaIIyfxVGvk#6 z(=DQIyG2R;M)ZMJvV@sulveq1N>rzd#k%dzA?lcv`otE3Vbq$GB!Bt{?G8-_c1|`8 zI^G*=Ge_wALxKB)cMW$5dM5k{15IP2ElDQ5Tv7iTr-SL958sCu5S;il$Sf**G+a)C zA*|~|v>AU6R}eaF6#Sd!(Ny}U8>nEfFsZ}2hW-dyxIEC?j^-bj+J4EX! zWQ$%??O`sd9kAxcYxEI$*8DNcs=CEdCcoDrJ3oXtF<83HegckX@B5K)wdH3sT#$7* zZ#0_?cO~4mXK2iBxVsNF?@?eibvq#qsERcH&6g8qT9x-Oy;G%S zM*hjBT6IWMyw>y@dVMYNJ|Kjp*l`fIAZ-l2A zD~YlD??SwX-Dh+hqPwJW{lb$*=V|b)tLIO{P#s27>NLGFc3LmSPUP z^1I^n8mwf?_NLgp!|w@0L)0kRH%hi>hJK%`I~qND1P1F$9VD?_vMvEz*@FLjH;RYK zZ}Ub4?`Z#N9~bZD{?s`5G}_x7naTB!^8ay{kfD4K__(;f))Jh)MS(7JVpWxFqobqa zSd+36zkG_l>6i(@=DwepavXF{-G?+MeJ_vPtChyfjOV$G{^|!Tz3$ZUuJDseLXX}_ z)d!DEgAK@I?dS1y^Bf+x9J0QjN!xZ!O`I>Oya$5?+w(yPc3kuUDQDc2@n=!>$8aiw z-0ECX)}XCWT0Cg=7ubp-Xp9o#Zaa#w(Ig!%SKJ`Q?r^z<*Wv1D@qXmN>-s3!Yx~>C zuaS|X{kLZ$IC4X({Uuk?ov$B+)a3ftTx&-QS*OxolKe1qmoB7g|vWW^E4eijg3kSh|_fY+-Z>nA=w+~a->dcOodO56@c9|$>9&`;we%3Zu zy>(W_w0l;`T?pNrV(C^7;ifFa>EMKYh&r&sD9iVocYJJYjCv+A>t!+aG>l{sj( z9X=G;tiwRd&inRxG(sZ|A?v*;Mv>pbEF>zS;oW$h+?6f-SzAtAetJ@IYyd^R=*rlyPT-Nna>;>BBn_5or*DzB>Q^3v&J-)i>0gI(m{ zMt|W7qo@!jCuvTGjGDPXUl=|#$T|LAAe+kb=nBZkXD_k)arnkL!@AQ?Ij!b5Q?WQl zOeYJ%F=?E6FJ*5GKLeFinmhQ)#>Q-{UZvOi_{C^Eo_d~ZzE&vn1D^ra$#(hc4qaWo z1VWR-N%VTq_xUzn_CP_$-6%#C_91TDRd1w9otFB=T^~2?#CR->rWqU6Qsb$>+dm^yv1Som&!loX4uC}L6f8+%pu}C7s@2!m*FbUV@l!e3!H>Wc8WbKzQoCPFP8ru5t0JrBY{05iL0k4_jJRLsHbR-X zpmi=zFvOB>+wsp;-mKjZAHhgNy13k3b^1hn;~x=)YD%L* zSl8Tyv%5~4LYH20h1MN>13Y zeL6tdq5Uxv4BjRLflgC$LA0kBqR3LG*e|nbw9z(^$4^l?awA-BDCuP)G>tRq9v2lj z7@xybf2EaviHgA2dN#KAcA3pzaL6^}>xowTa}{$-T`iN$HkK=nn#Av3Pdn1&eDFu{ zjz%tx)=Y|Gq?+a62cEHeBjdm4qn}|W$h}wa;L`shh!69ZH&QA@2HUgw*RfS z_t>MO)oH=$-Q(GJ$&JLfQtH9)0CTeHwI-*<;b)b~Py9vN)ipg9Bfg_qYK0jJ+1jwC z(~VRz0S(zQdu(zK?T;&ij=rWY9$La(tyG!P1i?+A+dqrWnO(Z7!f=qaI){)Mbj-S3 zQLr`bh4Oox~WjlzM=b?FBR{+ zp7Yo91pjd_O7Ux!L?kKwEjQnq0@ty(9k5Leq1_>vv8@1%d^wH2kJ8h{ug1)|CT@Ji z@SxlU6D|s5yX41lrUIX%48^P)xdKUp)_sdup!%FIk5@=fa!nl@J82gI86HN`YkGWg z`**6efC?oe{tYGigNh@#I|ylRQ%p>;BnpoqUc!keckp9ZLephvPT_D2!=S*%< zWtPqe(%U~J&mOUNflGL);zBGI??+bvsttlg$4ObaXq{$9#n4ypt1wo6t_C*MSEMUL znwbkY_LHQu(D~|@87SYAvlRbhhYn~ft>7!v^%y#!koF10 z{Yxg$H6riSul%zg=wj2{(eDCLi1*oG`nsj05}EJnaXVVTr0n~Em~*&0Bho#i*bEtS z(0?hUUmC!iq?%1f%|iP3AG%aHrj9G7ZG}s>LRs3`pz0~3BrE-HP*dMpHfOmxc1Mo? zPAa|Su$E4T*J{zUGM%j5HEPHekL3QcWQ4*naU!7a$IcbETKEV7aeU-qi}Lr1crU&H4P%_s^o|FM z9h&*Vz8&5+5CJ_PJH@X^WB*ZO!1m#^e^~QGWW`Z#shE8-5V$)AGeqPtx$>mg^1I`t z%S4dMmsW@bP9-U}dwiua2X^%481|at@~Vbb(`3WLixoP>r&EODTWa@Va$2-T5UWrW z(q*=oGv%QxK*qI|yT`HmDG7p^oz`k6n1rn`W zQF%`BAmH|bB^^M_SH2H4KXE@<71lr&K!kTWsP5-6BHCy!qQt!~Urj$N$%UwQAbUnY z1#≻40TWLE^Hv3p=SvhZI=Hf5ss|6W)co*+{sJ$onu1a|Gnb*09GTUM7|CK1pOl z1OhnsxMgBCl0qZ}#@(+DURy@oY3F22h2qON@mEctq3>}JAw(}peoz$q(`-*ie2JG= z&p!mNyvUS@uE3HV6_29FA+0ZC=K|QIQ|GL2pY$K6Ja!`t^>2}-#HkXq&Ky`5RqEp$ zn!&ZV5l0$n=xC8iZC@kYFLST0a34EUP1ep9P`Xhw;vkZCo+Z;-7&>bv-F(*7SM2)z z_l9g?1f=;Gq1BjrtI$1*M9NI}wkkzq4M&82Sf0ttI2*jo99^rR9rr|B5enurrkGt`eWVIAVI z)A$z;>zQSgM26OPGxiqw`)xqr+Q-c;3-s?{BG#*DVhwF(zIPG|jVXdUDUNpL`1-pT zE)*xtzado2b)~c4dDuh4JQ1C-xz<9}-uiI-Uf?Q(;^eOgmT56t_##O;o-5*#_%yT;Y#)aEikoX{qWtfmH1Tu;eo1A>9KNH!(r3ttvI5J9 zoH*aoPMd(wl|>swLW}_ul+HRiMGc zQtYk3GR9)4^@l5B8-)p=zh=43;d3`CS$HFWKw6Ta{F_O2vGq`4LnS2ym2lhe&$i`R z_I^P~F0MOqhbBq9*Y1hFGKun>(yu)j63NO91cCL&Gp>Y#`NF7TWS%ecJEB^xvw2Rx zhUL{ec$iDC$E$9q-Ng#{%x@LXjOk|!T(RYs?zIKV$CX<%b7Ly$2~}~s6Dqf7rIn3#CygHa0E0iaNs{rhPp8%TM8C!2byI8#!(;|+qNHs{2=fT;^ zD2$L-Jew<#_wrEOOKPw@c2nbMf0tz*su@uNz0A?K2R2&U=$1i;>V0yEj}&BGnCk81 zsmckf$p}$r_zcjXB7!o^7f4zMWp7X2nb!WEMt*~jxhOG6FaBId>OY9PrNOAYL^S$u z-d)%WDk!eX*Y7gXo$m6l5xXxGcVu!&R?}#;%cbhNltYIAT)NXTm7AJ#trMn;R0hLf4*Y1-8Wy+Si! z1cZhsj-7pluP*^M7Q&oZ@#s~p-GKA2Bvx-hM^JIRJR7gw|(DD#2ZCr03b zOSWGzE?e0~U~|n2l8^&#CkN^D9Zv)S%jC%3pMghQ+X>E&qygGFv*tD^2+!N56`rat z0I2h&)^W$A#23IyZ0QG$TlR zG8XN}iQ4O0k^o|I_;v`HkhmwO+tG45jY7#Aq%3ZeIKwf3;xY>_ePh%c&QC{ zNq_(sK%Ti=>+8~SIh9pQfvSh^qb=4czvDNL88`EG@hxMK_T&kM34EA0F_+^QYgD<~ zkBs;9+EoTVep`JX{PY&}k>m?3r)%STT)GpGV=6R@=~YT&?$jZWEyUH;H9t08DxSK1 z_DtSsaVcg{P|Nif^!3+{&aqMNFpxGb?3xv(Q}_M_V?gMm`A|=MI zCgk0flPW3pDR(>+=(C$o!83kXYBd3*)e6Ug<|BH>QNFhw4{X5pe{{OUrv3I+Mf;t( zT2eSk>b(_)YcFfV)Ys+0Rm!7V^*<)nT+jH%gCqS=k_P@uHw|UlP-osXQ*SM1U8>UeI}eBQD)l}B z{4yV)43c&hcsLP}GznGc|0A<9rLfBbThNqcsNesg#GNXjy{I{A>M`L%zY1f_!-#hY zQ^7SYHtJjAPx5s01{NLDfSlFY&45TO2zJ>_D5TO=9lH5bc}ROH37b)n%o$*Q-)>+JKu*5z^P$#iVx~PL}O{Zyh7xc!S2r zzlM)@zrEt|EmVyu+Ke~TH6*VaV}m-<1<8n&|BOn3ofjtbD zS({wU7<)tO@mX`Nx&D}50@%iAUao~%7q)nrT;XNu=vEjn0-Y(axD%~ml8cIe$t_02 zWh-Rw0SXc+O{x>vAoH6L(tBh3pjg}Ashqe*c@|S_wDUEr*DDXU}Bm zGe?;zSf_E7FLFuhAaI&!dHf3VlD}P2#4rN_!|V#Zh=Vw5pu1Z?KiqI9LAwy z!dv@gwhV+rtW?ck6?C?xV1)fz34C+?-kDlwDGEyp#@{82m;zN zR0q}i+J#ZlL@XtbFI=2Q5`N^5D%Q=uBJQqF8u42nn*@=uB7kY2BglH3-z7L=FT;ww zj$DnyJb50<^hj0lbuCNSZxt{%V>$pg@U^KyTaBgiNgvgM3i28qLen2M>OdPOTPdxD z7?qAo5&9w5{lt~`NP=lr0K~On1qAo_wf!HouatJ18Tm%xotOl1Q@>br$U+T+JBVlW z9?PSLm2~nePN*O1lHD))!kn-{Ec?@qp9NL4t_lMjsSeFWkVcN*#5ubX|G1c{t8T=n ztE;v`96@s#XKWu1u$J5Gq)eq>et>F8o9a!IdE1o5?$A+-rO)%cf##dVD*fPwggvP- zEc_%}F*&E5z=gM)&$N+L?pESwN0hWq{ikc~&LmeX+#mNZm^w@GXu<4P{x8nnI;zTU zZTpr`P+GcEx}~L48UzHSOQl;Hq>)q_X^?J|?p%~~H!K=ykcMwApZnhXe#YMK_}=mU zBf~LPUhA53o^c$%(=KW98-r6Syqb=)f(!GvTFobfUv;f(mtJipwo+`v&M0H|sHd(W zMUiRXw43xU`hF+o8w@KV8VhRdLJrvNWAL0V6#Ial24lyCtE}-j^lM5=wHdQIar`b= zIy(PYI=(mJ6saSW-8o@HY&5mp;i9gHl1neAL~d4Z+S{iJ6DlQ%;B6Pu1iH|S<{E6H zP@2pv;~Q>*qewnnHdM=}-c(yi^brijZOIJHOF5dcr->Frg$<4a2PSL!&7%h;CHcMh z)U;`jj4l%|+LA{p%5{?}4~LyGE?)Oz3^$iwJW@&%)DD8O2I)0CBG!U_DvA>NO|Wd< zz*7$z`v#THqq20qOOGo+nIqmDhOJk@e{2>ItYSb0#5riAdxiVGj7_Tj8SlgD!^qM; zd{XjU{`kml3uu4VZ$2+J*1ZQKeyts0^F&RzQyd53V#{{+>vvgSy1Xg>IvINhW)MFM z+nTPR)&=tdM$4YMwhsUq(F8?s?q}-?aYw$7;??hC-GG`_9GD;Azo@uWz$j&g0x`&; ze-@9eryx+@ITUv!py#t~soV=+EF&;{;6iU78-31yupN^Ka@Q6=plSEHS1V0ig#P02I4yQ5-ab{F)!s1V z7LK%etHZ;UCq>aKGOMY2i=ev8iOjSp?NyI#4XT>L?M}q;FC#Ud%tZXFl`rZ9puo@w zD=>s9nm9Z$5@JlB%?cLX&{gdo8_3zt!5m_>u+g1sKO=GCoBAWA-5buW*Dn@DFNcTQ zud(6iwsvWZwC%r3))2*qAqdcv{>KKpVKqKf;TH|NR?C? z?2I9UsFd<-5on}m508N&NCMl~B}13sdoZFW`t~cgCAMQPGqeCP^vieG7X*)>~YR3P>Fo?pL3af)=gD>$b< zfh~-8u!Zq;>tj#Rj$!nd0zbR<_)7YQ7 zdExc;)st$CZ)epn)P%oGB@c}ooN9bAXW)1QU)d)*fGnHCS zJD3k@N3-C?RLvmT?h_46YjW@(GM+ zo9XuYhHto6JL;YryjcTVygd#$FE>Xh57M>{I+&0h0p_ z;SuUbKvNSyVS`OF185n{jlonD(8qej^|o_NMoIY66yQ37Vz6CsYerTEa{-0KNjOOI z7H0G^0*Zuk&=G>T;=2Tuy{RfRy#*Uif|GzTFbLa?Na6FZuLj4%BAH^X3i#i9OaiJN zK(clSI6HYv@LBOyc`w#^WdDOXU;d0nc(Yd{xpyLpy z8n};&M%c~za5fQ%G&6iRfhZ+#do1q-@5@-Y)rhN4-TnFLVlP~X)d>^NlHR5H!bCXR z&l8dHSztJHSi>Y6|044-QGfOd!(uHl*ZT*_Jl4_csy(mq-ohCblH*iLK|SYt9{2$2 zgFndZNa9&^HX3h!Ei~{t?Tq(MoKKKOGf;lpa;y&Tz3fD?!J+7`2fE)jXHND$@&k|e z<5A}2L&C>B)a-?p*8qRXA|V2>?z5c$<&pg8%VqOj5DY(>SH#^F z^~7g+gLu$%PPXhC3Vjbgk*?e7vEbbW^l)5FnZFAvgmsP3d^-32UDTMS``J!hg~gvR zl{#Bn&al5$i86tYqGKWaNIzu1o7mP#DXTl`!S92mg8-v@SFmG|eBBw!6_y#H)p0_d zGZw(8)KF$v`=%4bkn4RW?e@F8phaZ><@WF;W4Kwe_#*Ah*FW)TU^yAc@J1vk982k; z1@u2p3AJOXOKTVX@@ST2j6i}1pHc=r3A1zD7{L0rYf-pc+CFW920w4RkQHKLLwM#! z&d<3{U3#fC{;r}H7MaeEJ_-?_{d>=FRq2g4R(jVjP|9)~E}<-c%opTPB?igAA_+|E z&NQj_Od3>X*boDhG+Y2z!|aP^+2um$?{wp7)@(m>^Mri!zR#GO%)iW9{9fVtzjlvR zH_(`1Fb%Wju;+;|sopVH_k_0NEPaB~@)w5f3e~;|CMPxX4!u`t{q$(lm=Au@K#(FtLH`?`hp#2+`dA6?nH_F3q zKQz{Gyb|5DW46-^ln=Q|nER8>MZ3>b39=ViUQ~bNL#x$kDE)%w>#{fVFiev*sG4O~ zz%y+zr$=S7%jx50lk$>(TVQwVw(d_0?#vHov%a#7n#J&OOu1PtWd^1cNl$te0#^{^ z-K=L3r|aI)q3*f(s?n#R&S#o=Y;Kl3bVXv9Y}dM#s4 zLNmpuKn(QVZm()eAn5f)B_5jp(WY~4HYt%|ptEZwwC4+T>RRo~oc*T}Y!S~1;Z3^p z%@V6~GBR4v#EF&L)Ro0kd2Q27h8fupiAq1&S=H2s6(i$ode*IZwFPwB3<;g5ycBn6 z0xX-9zz?xZi-(8)csGyF0TEAtyz_}qil%LPn_l}7{$x@gkCo8OOPNga*vhUh=bMN8 zo|J|AsARE9bSZ^HZf8sd9Q@=Ltr4uCJ4fC1sk;G~!D79|bOEJ&kRSqzViWGmh6Kaf zV(rzF@jG|cpTv?6Hc(gsBufshnwlDaONM15tt(>tJCeQR@Vu)ntpdm z*Sb&{*r8T45mN(vopLtF;m$@P)tN(|J|yeIGRk1hp{zmw#><%cp`^Y5&KCTb{KTuH zry!Tiy%XnWlhkcQF_VcRJM(9%W(R%sHx@Iwa*;~^lSR7kF7R7f$&cPnMyQ-tk%Yc8 zZS$X2$OnltI{*!0F_*dewWqo)GTiF7t4}qpuiV1(nn~cBe*ENeu6PxMfFr*LX6Y zTm*fTRy$+MlR79we0j1;=uBq1OVor;rVjGTw9UrKPldaSH>zgxnJv}fVCfd1ciS6Y zwWF}rHjlN|wE`{Z|Z>lW{fUDf}zo+zNRUqdVKcFg4wJw{A* z{_$x%_8D1Dd`?lGK3Ue{rq!<++FkNo*L=>A90qXw+j!nbEz!ASoVlJ&39e`L7 zqG%}mBOV6h>4}k-ucH-$8dp>0RO%IuX5J%BwIQ#;!)KL!gK{f;b-Gl9Msl!F;GdK& zRgQH1ZpXEeFbtn>dRL?H-Ck$s2PEcADow`(7w2$rB4~^e&VCca4hHGuXH*mkg~Yoc zg`hn6`}5#?IUj-5J>{i`wtB%&luMr52czI828Q`ZZQm!sMKzylWukugWD%;TS*!zB zBWzFX$$s8pY)|z7EzsIQ^|CESG@wK3nO<<1sp}Qxej}cf38eA}p#v~l@r5sG8oDP` zg(thQ*Gubn7&lENLd7j!$2R!c>!Qrt-rK82h3% zxV&GJ?mMuM^pT?Z-|FJr+#aiKGwdu(Xd3MO8YtO$L9_tVCbOH5(r612Rdj7jri($h zGlcyGy@6w-bnN3p<=o1gcJ)JOlk^w2*dL4T0ZZ!Dz|LkD{-ViCEjDTjL=b#=Zcr-s zl*p{1$G2G|F&&X=j6C*-nSk=kvjVMYxh*LMj=5(0a4)lu;>$KwwR44b7nP5d?|wT1 zm|{Rib5x@~2-m%5Qhw5TX$T73b#cT-RPAd6O*X;m_6B27_19 zeoZ_MQCy>XlD8}oo8zc)@XW%y>SsQ2d%=ar!Sh_u#FJ>c>XnH&&t_O#)hv~r2K=s- z<9;@zH8kbn-_`xf=!}!zM@AQIXa-i>jz$+hW4qNM^z68TPlQm2P&oAJ-9Gmy+o!8t z7cH~lm%(G}DcsJI{8`Ax0&MCPm<lm38BD-G=y?@~oC_6X;spi;g6v3ybDV4BdJTjZgRODkF=Yi-8+n9ht! zMdyVw-EqR30{5K+Ry_hK!tFj~{LR#`TzO)bl=CDiE3e$!$ucq>yO9-%E&i_gSLbfz z9Ng>v#=;wMC4=7y9+JmG6KfPzA*O0|uDf}^lNX<7EsIg=ShZ}YM7onsRo5XznY^`3 zUlh)L9;v#Un2=ZQT`0U+!e&l-a*RE})@`=%XPu`7oCDz`jtS}JynH+}+&mXos@j30 z*wEYUNErEFIL#`yGXHC+|pO8S5Kj!iMebncO($cUS+DhEUEq#V=j>5a>A8C)y zoHY!_-^PD?%++^Woo#LQDv%(ullVoW7kkNYY+kslo=96_;>|hM#H%vTbbIlM z=xzV)q$I@ZYVg4kuXz}wh-&1%kQ|G=rt(7!S|HrHDiK&rE{1+x%{<0(8hW+9A)^+N zXECFdyL0Fve}nfdM(v<1Y4lMSgadC!FzoT2!f_}kkiGqzgC(kk*iJJ6yrlPrPNmlwdFeij3n=K~j4JR9HzIDROURtRzz&CvYmGGIe;xKaTB8iKC*$49}y>u$E? zu3c@DuVBig^wkRBNMc!Z@D4lD0Y2x!{%Ts$U_3`1&51AF&4+`<1=UO--+r)f6Nau# zY_rtdbmEIibQkOl8Wp|(FCY&3;SUU+WMbL9LcfHlEr6~*nr-8kS#?@Qk=!e>E*bS^ zsGMzotqo&B?P2eSI-WEB!s@v!lWDRsHx=RSZ2A6*+ z^=+4_e#rSQIC1-Pp@O98gwakwj&em?sTe0N@#l1#!TIuS&e)`dyDOIQUfJhL4VIrX z>r|s2CP_k)cIuT<)!qDN1>X)3WN#8M-bFLhZF?u1&fV@r3eiR5+1>1pHFmkIO=hDY8D-!6qH+YU{qNpM}Z2-o&$7 zGvd!(m26)HGmzCgU|!~TtEr};O?`ui6SEtV{j01gov}u_Tr=Z}`9yW}QC!;!$WT=R zM70nM6-b|1t9u?TAQ8jMNJWhO0bsTwo09q>k$Vnbs-QF7osKE5VE9}}Ou8*Ufr@=J zBgQDzwQxoB(;p6G^Huu``xlFdn2+i!5C6K}I-HZu6EsFM9oG9Q3-522?gOXvJru8! z%29mjE33jBH-esm;y~>C4NYw;|DGGgU$4?0h zH{VNVNK#@>*U2;8e;ihp{z(1j1M*&qqqysBnF5nHGqRwoAf1@T@@} zJ|NJWCF>2=Ra;TD-tr{B-+ZkHTue^^%`Jyu47SWF*wO!DT!mo3&22adx`ZfC>T>@3 z4W=VR=c=tUL8~EJRzD$Lh5esG+y6yG2}I7wG{S-EPq1^y2|r54qW^@PfBVehTJc!A zAPmhnJEP0|uZEJb*z!A(YeHT7F5E+)I^*wdWqMuw5fsM6LF$+RS}lVCxJ>%r-=Ym9 zJ*UGXs~vX5G@R-7XG-|Tjy5Bek&*EL9GbnqUVnX8rTP;E34`pH_y*ul*j>)Vcp>JS zCVLImbz1>i7mv=%&9_2q%@@WtoP)Z5?y%4Akf*uwpmh>y4EVgk|JE^aQn6c2v-7RT zs$~EZs|v6aC*3W#`5yujpPUHxKg%lr-dkZ;fdXDN!uO$tSWu`H1vBQVrK~tbzQ~rL zsP^mJs~Jo_Z1KN)%%8at!LSKL0IYNHUX(lfRt9tY5D(mufEzoR+RvEhpG~(ALbx%v zl?n(M3b^U)YUk@5>C(qZzBgv!*fP%1JKN9Bi+{Yfw&@M4Gy9(g0{sl~G&}5T^-hY} z{Obl&d5Q(AW@iHZLTN5JzXPIl6xrSr6By_8e}9XA{SO|_$n~XBCsW^3vlH0F zl1oMs%XXD3>VI7X4k{P{gaAyt{@ze>{?--P=sD6-X2+;D0*JuE91n4D1Mh+P2+n&E!~bcX z5#p=AeycCKt|ao?bZUS945H1{8O_<9Y9FUcbdZ#V&TyFZ>baJZ2lq@69q{1N$~KF) z67Bz~BZaNk15D956lZJ71EL-@V?<`DR?G8P79O8hMXyW9IW>YBM6zKPDb8o>u75wX z71_7_`Y8b7kps%v6X0;-VGMgd2fp7Vs~bD--ya5c7tjPg7($5=7rq0B*OAEp_rI;&9%MjG;Fx<&_4x-}`GbdOzVeSjtM~5~)!!H9|M&|3FCUJA7fS^Ve}`?rxX^OL?_)^7KN!P z_L_tkK1Qtf;Xi4x|9k^cVXEOm4JHC1cPG~(>Mky(vuJF zj%S?rW&xHnpCXyhaYI2??J2Ax3WB;zJbuvPovt(svrQp-sT%Yq&DseTiTP}SJmWpF z#{dQve7#rXng7cNx~SBjDd2(c?qj7{e|xjnwIPrge6lx2A^!xYBF@BW?l}LHaih`d z!}qs8GXSDn+g7Jp#KV+SC5+K@<_!(%+Z;&>OwIJL<8Yu%#%{fSTo1rU9bnA6JmT*p zBEb7oTcU{|=6x$+XkZG8OfS*l3hkLoIr#Za{VdVHKhlXlM3xRU`Rne97R~rpHX`Ge zCNC}w#)`o|(^HNa_K)TfF(Z{12USDqR#e~GYnF+tU~MKixpoidw5TMD$D99w#`cX4 z5&gu8xbJnWypotsf^dJk(sFo&pB@nJQbfy=sbAu*bj6)K**5#rGIYH}KS#icFS7}C zsnQFDS*Jnw>NZ48c^it4iiANP5TV1{1|+IpP!3GDLiNn(aD(sWEWa*31fP0*>OLcq z*xRW}SuS}|-5%r@!6`c-r;({v6gisyiGEu90kDEPN2?yMXdcLxyl8tIq4W_-jO%6B z$@A8C!b5M!EtBDY_&BC5XVezK!Fy_A2de!FJT84AFw`>x(}xC+g)|Qwnh2kn0;ds*{+3< zd7$o0mh6@vfy#Bq5A(6;x1V4RU~hkyQ*wFt>kBR>OG$v4Wr1O0Nuv}+sWARJ z;U(aO`hr_XfB^c|37|P_7gtGhj6h28frqhO5J&|=q9*{36A2>-xXpq#%z>|j-R*d7 zc$=S++7JO=9jc{kQi(=DiJ>}WctVPyv)1nU*J`iDTIP2DNI&Fgb2^>Cf~ckZJ@7|E zS~M59F&z70FiuvA&k^48Rd+_A?_^!e27yGIW##5Sb^&lI(yIowCZyb=FhJ>pTJh7J zv4HY%srSXL$a7CL-=WLxnU6u;?R#@A7~aYEP1E5%mz<<@N?ERGB-BbJ1E!CJ`O8TLk;YmHO;NGvbvWj4aWP{&y zE!f76Ne&MlLgE;Xi&h;L2?`}c+?Vhay1HZ!q_!>g=OZU3L|1f!!7rYw2kFWDn!BG?_@p}<$~x>rwaSwsBO zH?6k$ZGiZ*sc)p}CldbB?JALkE+ z4<_=xnH<>P3a>#Z+St*SDuD{T2KryN+=)Z6fN+oi|@=x~eOe zSX3Z_+vNyh?T>yc&$i~d2wrUPV_l9gi!Q9J=)X6KRRAB7?~LA=nQ$4@UrYmj_Wvmuf(?nW}Y&?2=LYLA>={U%bv+ zI{5j`U$H2TFi`XeR!{J|3Qyo>m^3^gjM^d^S>hApOaY=Gjytx&SOQj$K zvGI|aIjA0RdLFHIH3yY~iSF^{$Eoycx#44yT*KtTp036}yVMdDNu>yL1ywfE1)LeV zEGJRDFIJFXoG-Hx-PeA|DrfwYQHX&(8h_=QU|SLWBtx;3CM4G=iu*vT`U!yoC%m@k z$HJkb=MH!QasC=$YAfRFVy!RnCwp@>c@dj0r88(KMY(C`J`#2jSqZNg`70#;i|9y! z4CkGOA|BL12nS+55oc(d@Lv&=0HUj~bnvr;&i{zJpCS1^HA8MRIY&1~*3FYn9e#zE zhinq`bB-6kKUliHeecpHitCAR&d=UVG~cCUAw?X@G8UrhkIAgJC4yZSSxDmV6 zoOUOQk#s&>5NGxI33XO4%o+9-Gn5WHdb`ILpNpW}A)F-m?1d_Cj;v>^E=aRdFP9~- zeaxd1gck064|Ig{Nu5iBrye9-3H{#o9Eby3)6-vUra02%!m5?vEV_Kggk=QIn=gCw z4K8KhlFAW$H4VHb(4`YmI1%ZuNp_Kvv}!5-TX^V8BJ(l*i=*yGj*9yu2zf`qV{Bu_ z)G$~atAmxH>t9tBF@XQ~t@>FR`S3(nST<%3#uNQ(wHSE*_rv}bYtcl& z4*10%)+k&og68;osXHsEzRBaZJKrEJw@4T--#iJ+HQXGkx2D$FWyBHlZ<=;aYg2-n{uZoIfU zl$uVoA){HUGK1TAem&1CV7*Y!o#K79ty1q~o+#oYoS|xuGX=bDeB0k*GQem_FMu`O&p1QP;@?Q#IN(nrvTeo<_-P>-u3lNA|g zG)HL{UNn>x-s{IJs7-o}QV;g14#IaSE6a|+C!$qlfeRyRnm8(6^k}&TAgW$s5(IpS zdg-y&gLRnJNV7Wb07m2?!W5Lu2F)ag)cXqO&qfpm#z2Vte!4uC!Q|kC1m|vevOD7v!jFKf^p>#D4BZl!ES6YRsR4G=| zI*bs;OdM&s+=;0MX+oT5{mk+kLpT}s*|M0M@hI&;-xM6iq$y`X%Ah?lN+M_YK5JL2 zyUhEHsTR3TtA$!GrU!#>)m{oYT)A zq6>J2G}fPRjG!|IuWBnKV2q$2#2J&E#1l@~QYGX&7i??HEZ@Ga{WfV>U@Fg%*Z*6f zv^DLD(NuvWZD*?>KOIuB8V%ac^j9gL?OzGJCei+i8FN{%e}eLGQ=H5KMB=D4$JA^% z=T;-MsYeoPU6!Mkr#%wtf{5{j%;hQUgEY2@#}iz%^^xm|eXrN0f_VrbH+GSu28}ng zC3*Rl^_Kh=z|SqdoTod_jPMJr!@yLpD-( zlQ!wv^UG^f0Wm=r$alX0g9R7vdGE`EO#53Zgq+7?`oZTS*P`7hS@uoccGvk!C}lCq z?l|zuxXs6YOr|}0L-S}lE;fPhyzg;HJbqOuT_ni2_{9MKqPh2d=U%zvkkYoy>c~ix zD2PE)%gf?_2EQ{PhlZZJr#0=FySeW@$4)~N#7Yc}nw_xd@S0j=nn~oeWK{T_@`{;S z;^~>?L~uh{eSe&Q!kiu6#A9M}IK3EQ|tbsq2MK_?$H6XuTisI9GqDh9d!{T;2%>MA`co zTXXIx5a+jBO9Z*XrJaW9^2iE;^KX!q*jq?l8h~zkx$BX!0qbz*B=Ad2!ILn(!FVXt(ga9S177S@h+2OHWM5UGv4^gjT z$j#zReTR{JB|qFmS-{`YIwWLbZ=FrTYr-`_&68K8(R@YHp7;JcH2OQW z6@87Fua<{S5)=28xxn;xGFH{-jB(4@wwnD>a5BQ5R=wd20+_f*LW_K-P}y9-WVs?Cy#;gx+)x%rx1gKBb^GT*JQh0lkLLG>-PCb+z55 zTt8lb0y!y3b(|Fo$(hdO=)KjpdDu`n5{V{~Mbf7Rnj5%VsNk04P zv3z)5>ILkZ2nGslb!yG?_9OpQX~eKnSTMFeLe=p7Jio(g1U56L~NP~iH!i>iS*Hu!5obYvgW z`kxm2oNXV{nWus#?YL)Rq)GiA=B2_qRbTIK?)PYu0T_Suve9oK+-+=f`k?)|R3WW> z9qw1hTY@GaJ+awnE#VU_umMqyWgojV*FB-IC05bwsQs4iOTX{PQ!*0VrmKhzx#nk1 z|4ZyvWSk?R7G*+v+eItHtsTtKby_v0ACm=>5I)lQ&Xoqm-?TnFdz*EN?%Jpr;h>hp>R08d%Z1@yDK zFaZsYE3)?1qOBrCZT?23mQ`=m2k91gM0IH%&SxwQeey^&&`q?(ffAu)3x{1E4H^Bt zw*JxTGDY!SeH}Pc$nWbOfA8AI_FAt({8_J9@`g=ECLUUHf2{!btDq0WD6fJ#sl?7d z6ktP}^_yEC-&w8b5{z%^2HU8+9+!REwG&6u{B7M(QwPS>U!C%1+&-3)7N)~bL)Wbn zH=Dk`)yGP$DqGCn8KQ3V{zkK_-sbm|57N&lA1K!8IbmdkvobQ3!{X6m!u<>5{{p=4d zwQ5?=09eIB;b6hUEu=Urdrxf8=Jy(ut#ze(9;sLR1&+ujtF&_^|5}&Cgp-JSwX|yM zP*P2h1&Dc!Opt_p1n8TTC=ejjqfs7gn!S#3$4x-rJez{U z4EkU*oq#NBm{I?~?hS&}MFb%jX@>~sQwBbyhmx#!*`urS35wSI$;&fGvTa_ ziCsZq*T<0e&Fi-S;O!iIB{OTmMH_Sbjp@cvCg75m zCLxz$}licH@n}%h`RNdU1CR#81I3pk&GD5ltrOTK=u&=2%{KPFiIfU@}62 zfvZ^nuh5}tPru+eSAI8=Tr0gGa^^JE*IWnjuKt`}PKet&4DI&yGDGPf@f|YRp~a{H zd&|BnAQ+bQ9Xzx9Sq}`ggEe2Za;FNGHkLEFy$79y@gQ3HC(IjDJm~)=aiP#bj-{6{ zL_9nE(xFm+s6Opr_9`zTZ8$#=<-j7YNY-c1g8NyMcfY$VN|sxPx<1zfY0dKQ4}O!w zg7kPt)Gj4+M^4Y?PA~Ypp7j0MszWZLo5wY->&9Yu4XfszOp_&`vp{|@?xw%g#_qk- z-!y5#@dXPkd+bx)o-nQkoItIglKI02DQ9{-Tb&iBTV?{Dmd{~f1JErSUnouN`X6_Y? zzIX{oN(5)%_>;S|Iz#LiP$z5=JT%b;<4b-_VorZ!ftfFZS}#7c;C=LP?g6RhmNt9s5--R=+zi zXBIe&8vwpirp(S47vE~+P}Z5YQlnqhoK%6~DrLD%QY7D02j&JuhaqgLt>vvlDS2MD zB7&KfaohRGeZu&giQ!&1MP<#$LVI`-T7coqNckxSLt7TvFBGGZ7p8+(ig@4o>4gz= zI^-5-7jr*5O4tvKgco&1D66#(ENqxYDs8!Qf2RgN@Xbb-;t7^X2Y}bH`mN!LM0U6z zG@d9y2=J-xQWSwB*4*i;x$hi|O(p5jWJXy44$>5S&i4wR2UP(cC(21sI-(;c1?VjH zZtNs*kKp*4J=?EQ@9ZS7NbX0bb)4 zWTt~CQh$#BMZ}<#cBn@m^-vpbYA2wh(&wzmfZtIKb$2)uVZ2ZS#m=960w|W=;Ef$o ze6;*F2~@PKvV1q*l9q z!!_upLc2KDCFAudYt%XPIz^y#x0&f>uwo*gnjrns&|_~!FjmhwRlGWjg?5UsyCVPg z;bn~&08J`R8qu?-a$ClK&ty9eSQ@<`gohHr*+jF=FWuj{h`n*n8Fqf6U_Hz+R-uAC zIq8wJJhWE$+*@Uf;Ml6e<&nBIN1cr7Hq3RiRpWgH;GDpfmVloMVy(2*DJYp^~l?n*Qgzl?K*PFR2Xkli(p-QpvLIGO=c9u!{Vb2bJkX!07b=TF5v~-qU81~AvNtAOtI;k+?Zgp|YQU4Tk zg46l$g=eIaH}2CDcI%g#t!1pWPrY5X-@C4L2QME}QkxxnU7xqr_Cj-(qFk+KcR6ci zAmiI#Ioag{(8-+(^H57$Zf&C2^1yVlM+apNU9t9wwz-0jJEJ;4EILwrf8BDAZOYMs z8!jqAy#h*wo17`QE45mI-Kywq1r9?=QJ&>}mV!O~dU{q7#Q|w2{7;k9M@U zi29&|3Et?+mz|{IO`b_TK=28qr+so%;o{X6gwv07J<%LsczTuC4}50nVU7yjdWH6R z??r+iWxU^_*G=&Z5op&fxDZ9yg5{yF-N5i`{=5_sFoSt?8CxVp271fB4<`9C$D^Wo z+G9U);!|z}wid53929l<@vEcLRVQ#{hhal2tXhsv!5|EOkOSlteKp+|ZIgLJOD#Q^ zE@H5u!rQ6R@sM?qBM2bo!U1A#+E(L^;k}+7r2ZE5KqIYkWOMw=$=rhUdE2-XnIt!; zlbM?ct0@%Bno9VnZaR6N=UWY4GT52TG8{8(W!5!ebp2qwCDIE zWX*Uo%bCGsjCdEoh}!!OBPIE66~Bc(zFU1N47UgFHHGMc?S!mOJSt#xaox&z00NA3-fFei=`m{IU7a^vBa@lD!K97D6*NKmAC`UDj0 z7`9EUMmffW@yAEMIWvcpDXiq4jPY%XCAngRDjySutO~!IBl5x=+-_%B8p z;4KwC@j)Ez9+sOk1cQ;MIY(myP!9e_nx&g_$@X)z?sg>C~x#WQU& ze*+O-&kH+3lBt?c_K|_AXf7%x~=iV>i?PQsPkW_j$JNMkwQ5> zXF(Iu(#HF%buiN#U9t1`*QI3ur-*- zB|w1w)j#3)5G7?SD9~2}KuuDyIlZvy2;Pt4acy*@o~YP>Md$3wn9jGZA~Zv&+=GLT z1`l-*a4$@Y^ppPJDqfY|f#Gkb*~X^_+7G&38$d80rknc7>Xvb=ZM-anraj*j;1}QE zU%M6-)}!PzaX!M(NDuQ+AQKV3eM<@dwe}M8%(VX12?tQBZUNvb7r;<#LqOaUM^3yt z?MHVNWMBLI4zM0QV^+Hf0g>B&wbLfA`LPcwphc!SDubbd#R|0Dwr9f3)VSh#2SseU z;$bAHz_^zaCaJLS#4Fmd|7;#u{cEV}vVvPCvIt6eB^hg+TF z7rGg#cvO-ORw_~|QORwtwjS#or^al za4CQC2UkfWx$(~K9>2y z(v^Zfmv$;(!*jT4&m8E0Ln^<{nQb-6!6+C#&Y`!RIH+8)2o`Dmp4`r#B?={KiX_Qj z9NHe=OMv`A#zF8k5_|b_#|*5-)nc3pMEE7UaO^wZ^@7F|f7c4_q054ELeZ9*vXI7A zo>D5Kd2$G!v(OV5Htti3RiozDA2Mqbgd+LQ%)Ng*w2#^A{^8HoBonyp(g`}0AynqT z@a_jMH^sk16VIUb$o+H+4oug>>*AjRk&fJb=O^rEin5*jctKux*;W_{|7G~`M^^Y} zgP5)+ZM5$fimUuJo8FvdICS+rZQw@{_Sa8!7Y}s6&Cr0xv*RuXapv^%9bNzSp&NUg zwQywp@bO8!C#yNl2J2U(?7@cl#~qw+xUArqc#EBK9z*%nUFD8OtNPn%oJSjlO{l`j z?6W1(XX})yf?BoQ)Pw}{wzD)hIM!lb`5Hy> zCTl@qju*c4tRYXR4XreRsvS-wR5}Ssb?ODJ zWZ99;Rk9c)PF>l7CF<+Y^n=8ZU5oLjk#fVU91E{LEY@e&yi{X zM{P%%b_T||8n4}og#gZ#H02x^nI{h9=4ye`8FnXvM#xr-_&XfhE_azc1~sTV)fCDg zCan@uXuv{l$5FGME(h!z=vCB?f^!q7!mEG*HdQ^wPJrS7=c5ls@{GJqz%g^}ALPA% zanOi>Ofw=#*7mhft#&W_-L+KCu9`SUn5+&^pXejFT)GkNZXf=3Z%k5{XFJg*U4H70#+jMaV0%?zGtYj=fAlDgm32!vVSm9B zMwL^Y-?Y-r#+dWA6^Qj`Ip_qQOz~=cPlek*Noj?uvh$RYI)9?^)vRS%n|D zzDBET9N3$UBT{a%SNE~?2Z6K_L07T+Gf%Otu1wF#Bi{zLHX zq@aLoRCjQ$AM(9z2b=2{%%#G~a?8D3*eq3^kmg9KBQ&@a?<~h*sqb0%( zmX4N|xBsYW@3Z_HT~yvUmh}|YZRdHubqJJTVKxsOAt0>+G3DJ~G38Ee@yR^qrXW2w zpq)C;Mwd30+cTyaow$w_KP0c>AD%heea`CGqHuI4I&Uzz(g_5UVE5oobn%c_4$^PV7S(mGy+- zh^t6Q6`HiRE;PuTj!npPu1f~5kRFohlQ^4M3Zy*|9#_O@3L3=Mwex-X2nCP%GuJb$ zKe=0YrJ^q0e~3)j;p>rOYq5Pn49HedsMo|ZUZ8FIOQ*c3^|3*t`{N(xi{1RVwcGZJ zrn8E3Jb)rhMq1x+%xW%?~*KR zB58EO$5SGn{t7XXt|nKKwQn!VQfY1*&ixs_=YEqX)6vBdR);PE4R1J}MmJumF5-p6 zREv%X!K_Ht$BbMPfxwRz>|x|O1|EA=1wCBjS7!yn(X`sHv+dfR6{{)xhDWnmUFL3Q z9pa3~``lkIeQemy1j3Of$G!1_7{>+hx{iLCe064Eq>&Qeof%YJPh0z?xECA?YMJ=k zXUe(1330E>aaDVGtn}(WN4~1&V+GSb31E)QEkG7nHZLv=|J)tpcMobZ?Vl+ndR8*G z91Fcwqk0QfMFHiiS0=Z9;-dEAVx7&W;5EVpXNFW5UO5=4sOkDyW`fC?EP2-w%B^%WdUgMInR=n8fW=4Xk1%uvBjQT@i>n}Pt`Ob&I#+M)b>x<_ieOY=J^!@_D*k>_dlUvKZxoC>FyT5>lAj-OHR1B(@&tkN%g&i}; z7uZDpheG?0Q8|_m99?IcwQnXY`_z0|v>VzV>;Ew3fazh;7ruibsY_^mvh4(Ja>+3% zTt@dWFaUSaWB}<>u2S>Q*z+SW3=FBXX^4ZMEyg$aloa*;=CDLzW_i~ZkB{z&X3?vX z!|~P1;j%eG!jsM~6aa@w$$lK3$6-6y#DZQer;r5lsu*h)wOrKc_sdL#1ER%Rs^cOY z+O!CaX9%l5lNTP{5Ek~zfj$z*a~@sz(h5{i8^e5$_W-lAGO1(hjJF^iPCyCeI6fH? zaT%RH%_E}I1T(lkSHYxF-KtXgUeW}wWEhggt5tWt3t5v?l0JWnx{RR*T(1w5+xI7m z60#2nUW1`owJ>c40FP`vbA+LP%V;2Lo*M|t{$Qf=dw+aNPu=BvKrMYbE7}O);8d0s zO#88n^T3AqaC^KUQWZuWQb^rtxt7oMNMu&`7tJaE~p}wIYf+!+g2kmskDmO`MN92<#AubA+dUEjG=?fhMCK zm}UqRQ?lgVDY;PkzTpC1@?*OeXL;2L$HG4t?T6&m1CZ5a2^SJa`4{z3;;bW=9f6&$sDd_O!&@g-qryPU1#Pr0N0_!)aI0HA`TmTgA&ASj8fLeQQ3u(e=-na^Uzk z=H6*-`KJU&TA|rsGVjo(G)l+eB9}=w>gK7teN=ly_v#hTNN$BnSAh9{kwyZWLnk3T zbq^9csS~Ox&~MU3Ji#y4T3&9c7+%JAA?S!<(BZazW>)$CvG>+dQLb&@Kcc9BfPyk2 zC5VKSpwf-fAq~UQ1~SIJX+kgX){lzVWni}87TTaYLpKkl9N*MT$%Zb4q|!!Pak zWLBnr7(lwzp5Jn~zbwq2=y>(^+s{aw0Z;RWw)!_2^KpnXliS5r50+DGbWe^gkt#i2 zgbe~81p+R&JGk>76B3oSFPDu~E2;G#uX_Vy)&>u3eII}U9}px8)N2AlaZ*x3 zW;4*|dwu&uXC7hUMDXOq@zHeAG*i-4v=9 zV>v96dEQ9H`b+x-7$p?zOZBMmeJ<+$sdq2)<@qLm@-hU9(~x|piSXK zP*&+M!N9->7D<85Z7(?n-un#N6mN=D;cKEXAS%Smy)G+;YkB`vuwL}8%NTB%J__(Q zIqJm;n>^4tDc$GvE*%GRz=U89Si`{qG%l+WK|eY`cQ{uK{#>0mJ@V!cdVsF}gLktY z(Oj8a$51}jZ4RYV_{v@i*w`4R8b#7WcjLi~Jiu2SE1zYQR4|GksPm^L`(`+wNH>C+ zp?j)dEA4v^HzqWZQr1&Ss`2)~bV5H9Wxt^`1KY#Va5@-*KPTp8JDQ-{_Wo1rs~4Tz zD+CceAPs=>I#Mx|B}$0NnP>DqAqF1SSPO5)3qZ0m+PwQl6oBc1`TWxwXI{4sgsnqF z`&Z68{2mc{`oCEcOl6NtkOv^r!eXFta^oHO0R|qKT-bPZx5n-lb$b8~yxgt`K9KD_@&>HKKvC`Uw9816f~i4`GsjVN`8a5~{pz zCD_{F@1b}kf#oD;O_7CqjDaLTHVHZ8H_A@tk(@8;Od znYrHF_jC17uiYdT6ar;)DyP+L3Ok2}7tas7>rO5S^WRY-Z1{HWi+et8ktW-E*!JFG zQ8ZRLmhLJRBcZZm(MrLBKC1-WTJ}-owSaP-`B^{YN?-6VJgS2e? zZasT2?OmKRsk1vCCSK7Yb}VC|jE^udA^Q#DP3v0HXR(ZWmVCRe%njz1NNT!wlOE89 zub7{KSxjdEun}yNCiswu=NcnEJBnOUygnXAuhK!a_K|pvsg1Qhpa~dcZ{koM^n#Li zxTh7ULG!AdD$N5Sp;8S~Gz#eUnI){C_1kZt+t19y>yu-g>OJ9nqC;B5fA~z^!m=n| z1<+-)zG$kBz`Ek-WNCi+oxSN@xl}K6>3&4{vIoeB+=_d+Bricp>S?0a0Z3iyi6cxD zUVY7=U3}jeNm4shPiJZ>DSt7Hmj(Du+RljQ=buYKj8WTMVmhJxEvGm6A>hpyZSy=C z{Bf>f5}kL!hRLw-C(8$&D45iW8UrpLw3UTF&YP85p{+UKR!jqm3^8HSgG`41gDBcC zPp;J35Kcb;0LF6R?XN(lwdDEUS%L*`yxbzi1U(+Myy7<8bul3S6**Z<_rdr#^o91; zL6lf74)x9-qXx;Oh<`(0ykm5*J=YTe(*R%VcwPJI8PeolW?h5+yO8wXji(`&slvc{ zExHeemOtj4C6n~f-BasOWNRd^#4H7z%RvH_?*BP|pQyzs55Dm-62$5c1^-=oZb<@%OjvcTwewYB5gefImPwvz_Fdg;fC zPM700-H1Bls=;>i9JW;79Stw%{VvUyDmND}o47Xjo@%$5I039EQtEXm!t+I#K0bMP zfERf+9S(YD7#%jA=Fu1PALnQr*god7popr^vH5=VhjD@HtN8L$(6G7|UuvA<2v*!v zb(%OR{&C!0P*5<8S_TLl4C|n`B6hbAmUMxv;_(!GEk1XE_{SaZ(#)#WIirZxrdzm% zXr6E|Dbs_8?2hqa;}95UJ8Gv%5DN!_7ZQP!>`i#prW-T^BgaS@=>n85Mc+ZKu>l0f$Yr~Tj~5`~(N9|U0eyO`FHPN2BQNPpp#_y>a4(n=u9 zL($3wLw-4R!#&snDzCuzq6?3C7Xs3mq%UcZqJ_-3^aI4A-O|%U3I=p1o<6EqvX>#Dpt%*b6%7$hMpm zn3rd~&t>2?suzbxPt%3H|2!_SO%+p(Cq`7@9QYMWNsoR6TVcCz z_O{CPJNl5A%FSm@lW+EP2JN#5W=~@$i9b38aaFt(e0*y zBeL(2_rzfepW=Q4rLL^{=2d@2?wo`RQ zJ!iLNw#G;3;P1lLwvW4AJeEAZjdhMNd8S@^=g*FjUv zRqa=^v!8Xng;IDwx82lGt#Npj$nqqf&l1$9gu#Xr8(W@J?uTp325fN>_gJXbR#1sG zB3;@YnC^15RF%JgffMKHI!ctAinzDX;^*$eRM|!c;V*#!60R<2)fSj*_j`?_M%_>{ zZq0jlQIF?rR-KB5g@;dmmO_RE|E?eQRs$n2u?U3IZ}xb8GtMUX*8K2WM!_qyNmajZ zbPDMlG=1ghI6PqVlUXW(52%WC{`ZK(-HAlO>!T$`Aq)XRrA5!NZ!26R1~NWcSrEB- z49*x**yYIzN;0;xWB?4vlYrzDUYoxeD1}M!=69S(!}mD_jb-=(jJv`^T;(q9W`t9m zrQDqkfkfN2-u+gF63%4%De&yG)T(p>yH(G_zFH^8C<74U1&g4|s`JB+pU;|QtKOPN z=}hbZ;t;J>fkbqo#Au;|AYujRz&$hK9Xja9w!B8kx6{A~nPY7208qF2Dk-eq!XPIi z>Xt_bC^amAQX|^@=zAmt1r6#HEBsf^Hws*?oN4ZywSrFPQlFv=Pe>w@HK_qT+D&99yA>p>>$lMfksl+_y|**8Y%y=}=P z7R?8QJWsFjV{t=Q@6N(V6STj^yfE;8tf``)Y5Sms%=q`7@aF%rC$I?&vWzJ*O`n?X ziPpPIl-{@EQXjT34Ke`K;NVu4(461$PTKvKs1vdiiaH@tLa14Q$aq_7qLx9VO5Ibu zQ-crhUEroZIJ-4fD$)%(i1%AkXd51W!wo|({ynHYM-1HWJ~>1D~79uy_biMZAE|D@}@_xq$Q z)N#k2e?t$cILGF_bc@R(_*(U2Yt2FYeoLlpr$6Iknd_UwaN`fcvzm@J_48pqNv1xf zxCt4ybgZG)ETpscTZki_&q*wwxm1eZNoQ)-*ysdzJjfAP^3Gb_T89vcr3P8}wKZ`||4`&KA-Dsf@6j;i3f{jl z5%Yc8;!jl85Ike zRT}eP)K6UW$7ug}RZtf=!e2ls>fUrlq<&{HwOJF=sjV=(;NtHJR$9v7-JG#-nbF2u zaQvp4-gVk=WIB`^W-wD}nzIFI-kpz(IM;za+s5N|*`A7GFozuzV(g7qt`Bk%7n_dU zC}tIJV_8lqgl-idZ4A`2Ka0T{8N)U}n3I*qPsixY9O;NTh$G zX+Pc><=y%4;Oa|qOs0cR%(vHSgpBVNeL8#+tQ)H|=o=kYJnD6+ajy!F!jgB1kF;uHFZk1-=xf*Svaq)}-4l;6;rM*QU(n0F>S9jBp!L|jr?&s^E zZHj`DD`91UDjxmNq5U4-CCB4jtz4~|Xn4)xJN^l%>7)qrGYd>k#dp*y7i!6^Bb{B= z!bEW{+njn6`8hoM#*xnZXSz0+HDA+=7uW%`hzm?-c4boemUQ_w`+u` zjBDJtFZL+R)5Dhv^UaP=TgT?qNVf>|X5NWKOymUT-_7^-qC*t0w%Q+k&Z-&p$F?T? zRAw<1Fd@%`167w%moHn&iXJmLc#ojTaD*c-00hYM^&{_CX*CX<_7&`m6`?A9PAEYJ z|B_uL(*ZPj+&Z0rT55axNy9R!oqLLcEaLfP_W?6hip#+kQ!FPW8fHEs&ZN{rIkRRbBZAN?~3Ekp! z5GTX0>mB2ZQL+y;lUlFzHcwH1>Vs5DCJ*_alb<%3ki!7*A zf}F#<^aI6qoxNDAq^Y%wnr(6 zQOGK`^mKD5jLkynQMnu1?JxiHC7^*`^~$jC@kPf^a)lf)EnqNFZlO21e~;`&E+$|Q zL`SomiGNhfApds<}VBOJ23&NlpxYt}KKZ?hH{&@{3 zq=4ed_t+DUNir$={WG7hxZtUJUENsB3d$b4E{Q7&uTZjoYx*5y;5t^#rU1MvPcP55 zydWgNLx9t=w$Jq0GvcZ25bBs$#v&kCe{#8P0Q|C=s>&hR7HP6f`kcpKXZV~>?UW3G zw{BC_MA01L8<23VIX!N|zDkLnu5nZVZG}uAP-^1G+M%3<5rrqnT5E%dxn^JfB%Re_ zsSwz#T0^u&FSvmZd_{TMra?d6y&gRzY}&tF#B=Wui6m zWuwlQ4BeT|@E?#E3kv>xFr~c&iEBlk_XNsbp9)8m^_$v1V`WpXDIcVnz;Cxz(=aJ3 zl}ei@hi%sn);QWmb6QdFaC>Ny#Y(HeLXH3f+{~Psa>mA{;6iBEl~Wu@@5X3@9MJs0cqw&_|^3BqC{%Nx9m;M{agC9vs*3Tg3JzvgPE~SImxoDw!ITP<=Qf$Q&O0B1q z%SstE)>^&O;w4y22U5Mt?v)OJi8SqBrtx``9yUL+*5##q(){VBCV1$T9hUuz%_@`-^%Jb%p8#%*bfRr-Z~@iR{j-^?+Q*&OlIZcjn9;Mk%9>%Op1CrW$v@ly8HyHwkorPUbH!wp=oRLsY$O<2<1&N2Rr-rPvd3v<>Cp zj}~bj9zUDYWFsWpkDMY(uBmyu3cy>T54rCqk<)(*cW3?UVfaGi3e1W@yAXtu*>v!3{`E438);!++BSR2w&tZ72= zz%oISb7S3)eLC~*O|ngJT~k9iRM$}#gL-|JnFT?53V=wwa=7s|S3tm0Ba<0@y2OZp z@R~|uoI0NP)UvYWVz?x_VOd40rm8(JKzJ*Hm5wDO8_!eWM$Yr+{supp9goD-^IU}b zg$n+C(fY^p>HPIbL!NRpF zLn&RaUBCGjs0`)30SwCK5kRzflau`Gn*RHXG-)(!S4s7&KX1Vyr~_>0pj|Ajc2yJE z2$wJ&K#)quB%tmizudmHFP#Zpbqx>BDme` zRKl3aWO-pCHul_~)iFs^uwL;RG#=APxo!IPk%%eCLwpfxv?&o0k1zkeA8!Y5JZECi zIuI&r&QTA&^Y_wCgx=PXQsJr;5&zd(`=1N>zrV%;9bgf^+t{wy!YYCIf4|M&&&YrO z|NranBz{Hh0aKEh)wIw4dA9y@8U8<3=>Pji_wS(A??WZQw}0&#|Gv@xee3_X-*J_v zd|MHUnuCVbreW*^l3(3;GrxZ+r;4Dfg}lf#qYg@w^}z1$w$E?t!q_HL;sF zcEu9SXKEGm-n{~3W&$8Xr85sMrxcw=3pH#>V{2iQdj-)i1a&Q8P#y2KAM?JLda@!w z+HtqiT8!v!8r5y8q2>ANCuN_8ypQc0K2BHLm*~{H1?wc_1?H)j;o=Mw=}R))zX0oYl2yR zvU07va-D%Rw@2@ZRZdBCyNrefXWn;KX|?Mr4S&q{&vhk0hfka3@ze8sQD@w#YzpZa z$KQ9B;B;4QhE&};ks2r3Zf=EHQw%%2JO6H(*+%7{X#%|VYIms9XxUAzmb;5J(ctR2 z`FN2jHltc$C}E!JeTM{Iwe;vAyn+m^qA)&?gKt7u*MlPVasRZ>Wa?q@T$FR&<>SUk$sFhU#|p znKg321Gt{(Gqi$H8l%BXIj!>-Jsj@-e5Z!Jd=~SsE9bru`y#Ag&G$MVzTg4}To!1^ zK6tGGww&%b?lQN!yjJ}PO%as4p7cjBQObAKhsN(9ks3sI0hRdshd0n2tMXu>bP!B<&qlbn;}LC8N` z2ru`ROg`p6-@Xn$OC}n9#zWhHSOMrug4JQUW`W$~r-6zwK70PKVKsw(T~E?wmgVkM zvzmk9*X(;NL$rz!&(aY)6#LG9V}X5FWI0J z+dH?&MXUQ%qoildlXEU%KP;8YcN-=XNF7Bmt`b|4>Fl$Jt6w9a`Sf%t zwV58kXI!q_w{YJvU5(|Rdo(8W#tH?T@5%9t^)m4%C0&<2ni^xk4(~Zy3JMkOJz8v( zN!B|JV{{w3P=94C?NmuBmO*BL<#)CSTy#bw4kql&_L7G|bWYq^2!zaH*m8a^KGRaV z+_3`l!)alLWm7hij=jq*pq*us>}c_Hpn#B46my&MR^}hKN#D7Pw{#B75X*rFtll2Z>8ebeWp8WgiozP(8gn999$K_?ze+^ zAKXipqjqYmg66I#&N!mJ@{ix%xlpBB#ndmM`BE9*ahFHl{wD@H6T#2pmz*1k%u@c0 z^5IXuI6P~`r*r-L#QFDODS&@N;uFPo`WCx<9y#QI4L(D=D>TcSvwbE&()OP0H`f5Z7gi*vGcW8ypH*YHFR*^h}ToF7Kh!vR)r18QGdA42xW ze0!bh67^SqQtW3KT$1efti^K~KT?`W5s@etya+g&N^p7=6`uQUtttYZ+xD}rqVxT; zTNxG`z4_@jjN>Qmj2fkZEzalU(R{WyH)?&PTZc(AwU6906=GzZA4V{sT(nS!mSU=) z`^}R}M20M$=4z$c6c?CVSI<_?TYC@$S;ZsedTHLgq!4N9_xe#Ot5^%b^^9bJn5o2S zMdlH}>V6myqYt=|I!>}CN*4A#_g{-iB3_`d#xb;7=oMOD-p%XEciXOA%VP7iT_mB+ zK`TB6$*duW<$?J)I8a;8$}!Q?UJIZ$rKlzn6PBINf;55G{yMz}?)^N|;9}jr<*JDO zFd=>S3-<3H2>7G5=vguZ;s3{xguIJ7l8lG*b|C2N*(0m9N%XcyrgOu! z&TQ)(!~Nray4qH9SZ>0Wr~-d7U2&~gMMAsoGf|%wMtQ<(E-c2+E)JSK6^c&n#;NA( zv@{(C#%N;WEPF9p!ECqCIpm{1|D|055)5P*g2P9*UZNo%m>@WFvYU*~PUu>={{&Q{ zsk=AizuyZq0f)x>Pl7`K4nzMgkz&Z8ZM9**e|~KOfbSzDNRp*!t*NjW@ih75%e?3b z9YtQ3O}TZsl_Vu-Y1#YQKY`4tl6m5r^g2BQ`l0z|5sdXhVN3Q1yLcp9i@w>h(bl7G zwFLAFp&;*80HZ&Kz~;8e$9o|XWGMrn79$JD#TkIS>jrpI^OXA>$Tv6>fN9Kc2r4$P zGq6F6)wQyZnuFqubL4aEjC%56=xSd*w+BGjwvz=E6u{4#>3rUYZ7w3E^nZ8}vunmU zIIJdlI#g;_Sf;7ep(;jnXH8px*&GIDrUY|o;1RIoPT+$Mp_}2T93r@bP|`?$h9eWP z^tPp>JL{ND1#=3l+z@~vBL4(TL1{Vwz2f`2*ktYVPn`E#Q^#Ya6LLQ+gbY>G6c~*b zP>@ocG;nPvvyW%x7fkLm~!wdE>yN*bi)@ zB*BhIdHJ1t!b$O81&Xb`A#ZSopd^v)U#g8fl3uw>*p=X|LX@6P4Lnd1c#Xtb*d zrlrpiv%B!_T(}K6nknwchGqd1gs7Vl*4-{M%P(Japd9pGv22P zNu}yf`6Dtw?2@gjSYf$@wZK`MRYu4E`H_#2rfpVt8r?eva|Bm9H01@mem1tr3*33A z$r+wA97+92JGa%M+pKdiormcM#LFTH$A@ZOs7zl`6OjjsM5iBW_}NHZ#8U6&E>P>w zy@aYMM&tKF!U*B|H~hIbIRG&*hJ6O)=HyL}gz3JqS;ryDkLP`mK;v`}>92lZF1IN7WcvM(g69Yk=tX<}-(=y9nnGt1K#Sd?&OMCUcT6mgaO zXF<&qJDq66G$o?k9yw<{wY{et1?#StKq|kNideVTXx2K-hBEXgL=P&2@t+oYM_VWP zi77Vby?cwqc#4&xq)zc3MC6~urx*~;@4jWQ z*8I#R=PNx)i(J<=S>wvk%Td=PB&d?+Cv4%Aam4J1*>dQx?uIgnGW*aWp2s^>3OY`1 z*B@8dObl8pq}Q`9SNRw6Se!NJ5QTCl^h!K+?|zkgIlfQMAUVlJNG)8+npGg~VgT5% z>VyxN?fmw9<@Fa|rmoRt=&OgreyE4@c8&J9jPAZ=jVgtNT$X_KGhK!jYa412l`Sb( zd!e|*QZs(&A))ML%YtBi3{vfXo?el6M@>gM$9qif84u?oF~&g2wKP#?hJXG`BXZwW zn1{%KIab=mVY#=qIwHTs*sQ6pXFj2Y~; z8ghQZvma;WD*PQAqk7{0Joi=V73>`DqOJCh%}AVGV_SV`fBpowyCDNh8@lFE+q*?p z8>O79DTsG}p_qihX|L@6rPy?%~pSmBU5?f1vu05G1^orP8eDCZ$%;k5mBNh3f^DhdP}3R+1c zo@5T+?I>xxVBi3JX);<+pib%Rpq5N+2SU98;O<0!W5uh3d$ZjA5GeJqj%+q3#Zj{R zRUl2s|I8fM8Y0VwWDfRCjwpaiA-=1JE9bpC(Fcwm#Hc|d-TAMlV0KfpiTq80{emC+ zDzKwGXk>X2Uyl6(q!YF+&GVIJrt8S35gI}naW?NTSdIq`;S0IsY^W*>fec5I5Qh<7 zoZ55K_#2Cey8OD!(^1ON^b|qBGmmCFURP2nr7J zXnc(eFE)s?4v(N;zXD{J3_xP`l&Ht%F&=t0LGl4PkcMI+9nYE7UD&LFafcN$ZX1Rn z5T@aB%%WY@76Dh#K-9qTQts!PtIM;RZaTXZ|L2XYMI_nG*x&jmOyw`=0+s+P@na>x z6ITB!KFFYU= zS4WiP59ElFkjJ!H#nh^)Xc#>rjNKT8Z&z>=8?ufV*O0h|L&|0?<()}dQ*Vn>}}7m<4YNucF2-f1>gqz?sqerv~gcveT(;#6bWVesZyU_MLT z{3k09vrbU&Rwu5BJZ#5b!1H>!e`@lMQ09r(iVu@|?FRJ)U8f1i+Zu7$`%rn?gSeFw zJF^IWR@~?U7RBejmS8goyQ!UDK9A)BUjinOKnUX?UPs!_6m+u}xl_eKtiVZ$86%Jg zdXJq6Wlp~eTYY73lp2*~tIBVYJ>x~>gp#D|NoE~6DLE@}a@2O)Nv&yiDdYMlyykB~ zMjy75jEFFk%(Sfbc4Q(`W88-pVzvvi^c<$~fj?%~!kT_yNeVfAhLJ)m)fr28n+Mm& z#+2AkW0XGcqgPgn#(ZT>TLc{vy7t!3yRcq>!W+dUj>pP+0M}Y(=;QjA^OtPQnj>l) z6Dt~(&b$z-eKwxpQ>UI~C#JNbUzVeT)|gW_m%P?XH(E_5e3;Dn*0UCQd~pz>WcE!H zw__?^pV)|A9nwx5k#HF+RJ9)~F6koz#-1yk?7d2`?n-AK>`eT{)+-VAt^3vJ;oeR) zPKUXCtHxQ6Kv;V!!!x+E-$VPfez?FQeNM@!O{%*EpSI}XJ0%UC)hfeO{}sIc6+k_vxq<2zRjp9b zh_b4cB*Wx%r^cZCO=gYm53EH=8&V4|)(p6Uc zbhLMsz44UfqSmY|D+46F>Z_DGG6|3^kkUFiD0_{cH2nf_&ok_dMpnI#)oj1G1JE-7_3g@-8N1wUcq z;-la?J2T#9aI=Kl$}H7E!Nu`)+5zm99eHsvcSxbpS+$zTXgXFbc^SoWQ1|HSn>0oW zPl?XM?1Z*Pqr&*|%T=E*V+m7bla|=(3cere;4~VU8_LY?c~d3us=;LwqR+5)u8$px zVU0E%;5SbKJ-wp1f`OhF$@nk|@K0CiBUuw@aQ3+rCImCz_4E{N_Nn1Q#cq%WPBv?-p zapc5Qmq#+Nz@iW*)~P!Y5EU-mTs-6>K{GM}wJKn<6#E^X1k za&)=tYG&%mn=+}g*{l@%d$bd@_S(Rr2RUd}Z^Corq-tkesp74ex`Bf-+*5r1h*L&; z-l+$)a#xiN^xsEpwwjFlNFEG+Bx?yrVl!9I<`e-@cr9;NL*1+F%C0)cZ>BfEAjya` zXvKwRJV~SQMO@DWRZM=%g zhs{iv`Kjz^H6!`VP0tjj&)-H(*Sr8kzv6@oDU7GniTque2CAbqv@^8SLy#6H2zCg$ z^MB?xf%NEMCxgW%)E$z_r7tzg`PW+&oYle~fodS7wOLH%=SP8}B ztwn2OTEsV|FG~UJgRM`iCmto(0HWEJW5ygQv`=u_h@7Xe-N)E|q!gv!lvLP7p+cm9 z<8W9474xt{2I-zxOLe1B-)A-VWk}tzM_rqr%izOTpYDU!oW~(>EHDIEni3wxTmU9YZ5+Z~ac)t^JwCGbTm zyPx*c>?Mm#{|LuPFzm>9x@*>dus(7WPtYC1ezb|a3Jw&O<02GnvJ$`PAw#i=g z+~s)L`3<6YM|#0L%)NxgW^&wE0Q9~Tvc9~Qu(V8&JV1m1K-*0qM^eexl0M%-8`0CE zQ_GWT_Nr zZtMZq!sF+FufrQ{UY57+EL1=xln4l9L^Cyj6hXq3K{IBiR4+BntEkbQmHA?o>uOXwyO`-I!(mPjp;B;k~JADB`wr<(& zlNlfQm*q)|jjVJJm}aaQq|!N@OBWDSErJ${c;8;x-wMtJlweNC@~Wx5*cD$ZSGZk5 zao&1qCC;!CahW3j#{n%>Gss$2Pp=KxHw3GG$Bg;5NXxk+&DEt7kN_h9bPevaGJ&#y zo1l@6|23gm41z6%^sYt_R7^nD9IQ9gvN}J0Vh6z%{{+|afbGpveYtb#1i9dY!BPgM z67^;UO|X}k*wYdne?n++)Ec>P0WIZ~BW8T@=5$TfQ66;$(aX~^PMD!|WFcw5(|!n0 z+IWQF{GYay2LX_7r5^hZgNZ{^Mg5Vi0!Kwgep6@y;f8!_7H|aGGE>c{H3ucSAW)(! z?e1LIMb}}YAAzTCm6@c2^4%Qc{dG_%+DED+WYGrY-}=QR9eEWR#b;1i1gh3XO~sI& z^h3r8NBel#sE)((!OF9*lH-kv{vxMBv)wZ^j2{KluRt`{54!HFojuqNKzZ{ z>OQBYmTDRydcJnuw0ct*W1Vq+&G6M1f5jQo zxIWz(oL@5~i=a1`sFc&e-u#xBs-W7F)Fu*N{nxXx<=|f-6@D&Yog`&U?NSbdhTgGM zaA;#MmD?K$TxYgvpnBEvul^ol+pt_4G(oqL)CFcfv>lG7Y{On`gt5c>)|tv&!QMJK z5&Go`k{FWtT5$$7O-0Xq)j{5BQOiCB4JmsVVg8vv#)#s%CyUWpIeTo+A0-ImCbG7r0a`I~Lz4;VXe}2wB zcHR^dD3a=Tfq4t=0SNkDGK@e^enivAih2pBMLgL*>bZV}Nvk0Kg=nB`Qk7|xMCeS| zVKP7QF7I;0EY?)G!k@_DSBPl~xi?(;QLw(;ZX}SP=hmpDnwcceN5fP@ym9Lw`^lCrUK4zsgy>Z##=emnVqT&QnSfz zj_n4XJIS;gpYa)}k35CubiB8cPA2!6&{B0q?FjuJ$wb_c$2$u(I8JKRm*LbV6wiC_ zZBw6g@SH4$bgT_3CBr43gDT4ys7DmS`RK!7Y$_p_!pZ)HT}&{8$4Z1T2BC_)VYEKj z8*I6JFdjF*~ZkPP(zS zg?(=S-SV{*(>WqpUV5!e%x1d1l&Mk`Z(u%95M{gcroqIHCZDZ)-0raQ$GU^cWtm~~ z`Z+v-|CI#?<_k)j<=R&6l-vOc&G{O@PO`QLHb{<+yU~! zYM&l{BoF^FsQ&jWUC;5Dd2tS-fay_8(Keny$97h5kUv*;+^J08qT=JWmQG&*wFgPcZMw7uNg--!5@LTqp2bm*r{6u_jSzNLlX z@ncS{8GRo>45i})q6cy^>(hz=0f$~TD^dajf`O=R(!N)Jb!{# zYll6O^4AS9*T3}qT4>p|-9q&H;dQ2fILZLSu%c}29EuISU+XVDye@hn2m z857=T%K0V&YMcXU=Tjp$Xd-o?tz(G`VK ztHyDUKsHJ=mqrki^IA>Aw2XR>9G?g36j=(9X)NUjbIvMGa(4CRkwje3%&oY=GB5E% z4~yyMbGL?n>3RO{M%Yun<&-^HW>n|PE1TBR$NoY*V*Yx<#^gx$7THm|3o?^W)S<}Q zXe4TxF-~;oh(SHGo*A*umMa+q9uIfeQFZekj9Z;rI^p#cx6R%;*AHZ*C39C&!_6&= zTG+sL$d&UmyBxO|2qiOUX1!xGMKa10SuPsw_ZBW;>pgod*4FsipZ6#i6wLM431{F8 ztq0uSZfmB4ko3&%mBS<>EEc_yA z!g3ze3{cANnJMWz%#U3*evDLS;yVQWIU+q!N2IR3R04B0L%A~5PrZI1?^CHR?DUka zm5-S~lGj=2OjJ69YUw@xTW%loYYum7>~?l$>mRJ>0_BA8ye+fW%kwVp!6GmyCL4hC zE(7+{SY@dbdGUgSAQhLvKg_hGVkv!TKO-xI+dTAn(*Y3>NOH+OS2eN8S&B4YMe0jQYz0(q5}z`clUTcVLrMPcx?j z0k7BvpFyy#D#=78Q_{rqiqvzHQ}RMzJL3(lB1<~!Pl)z~p;SSFY^9X&UbFeZfGq6*_smnWp)9>l+}gcqf7UOMA83T~V!J3lj%3@<2_%TVbr2ZzrL()S*=EXmM3@ zR(OsKw9pT{-An$=gNSeLZPaXXGC=LAOzpzuAU#9yjcK}09-}N`r)wpfy*8JwB8)e1 zof(Mk#Nd^^Rx9UwY1sEueX%9P>fDu9_Ivi5pBnHKe=hIi6hk(i`phoC<_lFi|0FL9 zity{5Nz4tqye=iFXB=z~ds?~~!ulcJbaf`6*>`jAx$YyWC)#G>Q%q__Us3sbK5g|~ zDQ|;=KD{q(pS31cjVEK0`q!WMD?`NvHHJC;4 z%5+>&w#cmpbTpb=1QCULV;>{%jcy>A*p6b%YsHysBP#{<(^;we%?{3!YaLfDf(t~$ z{yIKONaPn-)ThMSe?NZAc@TAb4R7;obuX5<`M@oEji;jWD*Jk@RtapU;KYn7t&m#k zH6ZPzQb~6NX=`e$VAO|RDD#vR6T*BiYQV=qcAj%(p2TTz_f}&enZ}9qB&r6+*48@A zI1~_70)eb&A$fe^x75>_tGCfL!BM9bT;q5&973(7lUD0K=jW*z#~lG*PnXin)uY4m zoBMpAMwD{f$USn z6QU0@B>YiXk|SZ^SqVZ$60CC1Fd$?)G-YZhfY|MScH+@) zFx>uScCYMl3X__WGo?u*7fzPddQr%f&96~GA7zGQ49QLzGL!xij2$O^Wfz6o+2D(J zFU<&Hq5H8%U`kqd+*3?6L>)v>o`PNDU`RPa2Q<=OmK9jCc8Tlis zj)sgBI;%cGeVUNHRzxLoIIp^Q6eM~z>ZnQ#+3QI&dD(;J@l&_l#LqJ@h3SNwTjCW5 zY`uVf|<^9vA zjE}EIW6X|vb+p7g?sd_JaMN*a)?HnOnw;F9;oxWeux7kZ{?^S$=~y@v)V2|cg6_GH zYgX5!#%rgSSr3koGCa$$r~8x?w>l|}_79Vok5NRn1e`i-S_L3P>y3V02j8V_vZ=fM z`P1JlfSeBz)zO32Ju@C`H1!l-sDiTj6}8do&ePHR!jHHJ2-4;6Xc#h|7E{dpBL+qC zjX}@lWY`bxPs0LqcgF&dQr_*g&KIX8&HXcy`ymdTZl;>DF-BjBqu5Bi?@nP;28j$- zW6{Mz$x|bEd#XIiWXH)wacklw+mp(2bfS^dM`??JWC0jU0c+vmjV0th&&(@7%R7ii zI8&U0aMV&NV#|J#>cG=k%4`!MA`4Q#36T1ogIOcwV#jj+Q782lj<~;jQF}bHR$PrW z4U7x-y!aHW!%?Hnev$V$@?-5Jm@N`-hp)G!I znA!_IFz3tdQZtB4%S|oAnL*t1QPeEcUwcpbLMbSxR|2uSx&vD1SzPIz^@p(EX&)~s zLAoFzwVCG4kYke8Asb`XD~kFjZT*U6r59Pj!ZZ8N%ll4H*pqt0wZW`f&4J(#+7DNN z6RecjA1ToP&`?WZhE96@#ExLxReO~?5%_3`S^ZblZcJGG)xN#9+)8O&je@KC)>H>x z6?BLdWP7z!r>W)Um8&iHZTtFbgjF044-(BQ9OrgDYV|gQEA|KAAx`GCi?)L$f@7FC zD{)XVP3NNr&XH2#5iQkH5jZu2*p`Y3PmF*zD9Vk-hS{Iwbbk8NPzNF7nwxaY-qRiO zm=s)|U>WXg7`hP+Os zH=id8l||>k^X@3MZ_*_o_40#xWk~rNZlEk3~>s$X8 z(gxQSl@*dXhMM1P%uw13H~?M}QfjFefKb)9Sw&Nf7f>7cineMKw*x*C(&zJ)q*Cgn zgk~%s^1iA&gUQXls&CniHL5%$SI=Upf5Ii*nNqXT0fq$qLmthek*LV$Vb2nhTo;|YP(a4|+x!U)rYX~1 z7-sDYI^_{9N5(A9RD%Ska1^t_I;TO2(htikyxbGMXF?0D5%q$sOo5AKJ6dQ<8nMbM zOzUA(#l46(iwJJ?*m)Si8DY69#`{|nZ0ree=7KD z>n`_E7IaOBwAj=to1xygc3t&te5P5A_HaUq+`@XVuZhL}{z6k{I9&4oWA81as%-mq z-&+hsKm?Tzm6lFv5CiG%Nl8g}&j}&|(%s$N-AZ?NO={BJ%|7S-#NO|-*4TS}+3Uj^ z?-z#(4pFZ2I{$GTzvIj|2iYiwH7IZR5dsn-0s7M}yg-|zk-Jf;gq~cr zDM;5qLM5mrqJ?g*&dw|Wy_C+VI#T@>fQW$Zb?O6R43 zanKV0k*RVfc@W<)JUppsLT;7p?%cc7SJQ5M3TJ%geYhj&`AQK1SO3GF1|5a6>RGh( zjbi5exy##}CM~Au9Va(#7oG&?R@%gyWOGE;Ipeq#&T1S#@7|uL&t;KPz_fx}(PjDS z%wd>CSzCkKiid3nlf@aX|9;nRY7)-q+mrdcsnj7nE$I`f7lrb5{e|*=c|#$nq#+zq zIQN!1QN|bnb=a(o3CB2Cn;{x0&l@ApzQNe$B z2IIm&sHBv+csK$WyI$W4g#}Dwmw>lxq6=^d9D`7k_BdN!Ao0Grf*y@X3!XGrA4_Y+ zLx4l0JQYNq(eLo*5IM)mqUS89Go;LLUDS|rqRk0_2CUW1)cI^z5{hGwbnaaCyMoV7 z2lrW2qVp!Ly)S_eXVyd!^t7vu9yRIFP_fR`BPOv6zCU+sf_L19ClEYYIY;q+sxDwg78T~dECfO{hlhfQ*Rp~XD>8>G zSDRu@j44sjvhd!dnHqF6sZ@!=Q5Hr&%>fCpqQ8a;tWg}liSX)g{h9NVxUf8mqTLe* zDlziiyr)Za{j`UvhZ9C8J=SZGhZl9J$A*F^@y($}WV{tn2j$-gu9#bqYL&T$7}rc~ zVrca0WUXD^-crzrg#SlEstdrcDW6eb*gSz4n;IQ9GQIYuTP~qkVczMGs~~|>rbM0B z)DnFV1}CKURSL9k`4OTsir2?kZSzJ&Ch8(r7YA%Fai2Tj*!6yV8kpAe6};s+o(^}U zUV7g-*Bo=Z&cP|``bTVu6(nqqkr&N|@8^mrcx?>;ju0_8yPVI2d&R_(x64hKmefk9nO!cJmSl~z^@;y5ohTJp*d3PX+-`ANbI6@tBe z)T90!bFUfKam3sOFX*ItYZLnbtLhOD=NvQ+eHC=&3?Shh=WWpBPjgHwNpF<2&H0}? z)PZ}#8r_}XaJ4|a{$Z))=DP#Dmr@D*W6Mo?6F;=(b^N6>wf!l!UQ|*EUtkVxx@^S*vLU!A zHj}b@4Z>@fjJz-R&OZdE(bTD1@fkf=4D4bPIFl-uLDze9%I}-#W|LmQl|{xuK^ef* zc>BYkmr3hYoOM|zF_11Di7RA?sgfM?Kj|&~+V-UAX&#w5n5S!ros|>|+yiNqKk_N( zD$U}^+HHl|r3mHpk#Y1T_4SVS0Aj64;3)D3Y#g0-LF!@$FNca2M*A6r?eb%SYpj7x zKN#3CtyAufZ@s9B0X5n4ExO#0VYAU|2v$_N`30)f3Hchb?@W4=Db*3Vsynj^*$DGf zd^&Fi{99NjW48cLg}pc3V-|z=>xeN+S;H>EO)!CS#9IitN=z$&)C>cazODXw#~E1u zWAUuNdPyIWcRRG2=&~Ebi6!uwJ0T>S497Y>jA`N)m}haEMPm~PTc{JTvi1O+lqQeP z&cEj??^Chd#CgjWOxkQvaKZ=$U7@~7c~8|dH@aW0&9y|FhK^S6Pc+?DoaHO$pSSpe zx{%KBtMYm!v6);g!@%p>zQ1ppA#oDYVMOUl-kev6??{qYTh$4m%V6=^2m zfNgsgg_2$%&?^PTf(KGA7pSmefs{XTX)Uz{VIPO3DeBK4Ie$jE^2M1C_e6spja%ZX zq?qSrmUQHxcr*s%Mcd-*l$rDnTh60u#sHF~(GZGFqntC{nDd#@5{V73xv+0GIvedL z;;Dgc5$`>#NRq??JdPX7?02Tc>cdSyjH29ZjqOL6f%tmmv(@#qLv50&TLJ0}L*z6< z9gGczgI)^r2Xw2)ZUDVngT;$;^@p5M8ukRhG17y#24J*DJ2j>2Fw;s4V~Wk%2P4AS zy0TZoIffY@VMANOjfqt_b`pjmVEv!o{q@R!*y+KJ>{ibIJwg0Y%WNfnoaNlech~LB zQM@r(vR$_sCdJc*bqF@;SN2AJ;;xn>vQjC6Hj}$hd?RR&t+IdB(Tv8$Gq2oIIxJK(j$7N?`q)McM z?_`>79!2%(z+v`?Z&_Os*NN`*F>GoBbL=czisMwmZP=i)+;q1i#G~b{jnKsX@Uiph z^7ryQOTSy>Zv%IE2e}%A{i*@wZ@Ljy$5hGle*BDvxo5R64(2lecxUiJ^>fr`uthqz z?WjIxYW?X-v%LJ0LaUKrnjRqSg%J#JEn^H6O2L!_Z_7amC`b~v^+UjDQ>4F4ANV$1 z$vV&*kZU$ivC%4vDX+&V?>zaObdt>CLIw+DtPT?;80~ueeuRsjd4$zkI9Hh26drfA z(V*TvLyj1(auFI|z>4V8WeeHu!WHnW^ugKxoMDvg8{o`3coD$v?EqQu^{Yz*qD#h3 z*Y9Ku08QsQC_ah|$&d-1PoQOe>6-S`s zDQoGt3&$BP>=v{i)UF7o3yw(W{c|>*ev1?2TMYP}OGWgZ)%s zOgA};Kmk*I>9W#@jPupUnvzl<_ezwj<3)y-E1ehq=1^&gvg$#d$+a zaMhTfLnr=${QLuTg2X%1p;S-nVGzrR2T!C!pU~1T?GqIT(zeXPah8!rnI+X6+ix~@ zi%xX19WOkfZpb@l#xQ&-rI6}G0bE~|>R}gHXrzD7?`{NEm?YYy%Mlj!YgZ`w5rTI#jy6@HZ zn{H{>xVma6i>6pI8A(`U{EEvFS}WD+NRhx%8p-&T3_P(9XYF{=)M#op=xs;OUgHwe zvpb@Zuj&a{-q!gKw=c_pSl*BUk*PM<}Q60)^!zCyZ7iPXeM zYr%GBq_n+)+s8Q;j07Wk?4fU2o~jjVyEB1$_{8U3^av)COlMnWi*urB&{gj$7f!96 zUEusr@76t=Ud84~XFVK9?Pf-)zp8#4+8>QXav0)iVbYb`##@ z@l9ArXwb~&>#*7R9e=8A%rf}rXc|HN`{b_cHT!MZVHkQvvQYuko#Bg<`Kl;~CNacY z+iq;?EX+K(qs1^6&qnc|a*;89+r1~JyCk(k!D&+B2NTlb0$1m3^1E&v4v+ZnRy)J@ zV~AxD3lFE31umFKTz~6mTH6^9p!ZEzFuRQZP%U5fCK)ZU6WJUpamn1alqN?O z8xfD55`RG|qo_1@LCQrerx_t|0{eiwMx;JEM4IfPOWGBg%X0MfuyBcyaDM6-2$2s2 zyjCv%-p2yPJ!EPEXR|i!060Hg zp0oXN2lOd}V7HY(i{^_wpXZ}+paf+8R0uSsa}H&*dxFrAWXk_5c1Q>kRpgL2DR=dA*EkUzEb++7v5H*SlXNptlw#(d4(kACDc448N} zK=}OWGzRLDXb*WH*AFU*=!G%#+rgiBJx9&*kySvC&-UBcj?2e4e%#8wTQNh z`jC5f3_ukwaC0mV=p>nE%WJQ_iG=~$<%`kP<x#5MmcZ3ZY=*G}$%2)UDGe=@=OsxnV$bvTgR zADHLHqaNJ=;ra%6hf(cH*O2XiD_kr-oft&G3nKXfnupgCE2qB&FAIR$#)J+Wl%Cj% zk2k@=5PZs{}!YG0d%-gT&^=uFk%FfiXMN@?$!1s&THF+9$qXKpc7Q4~ zchnRfqR6w^eZ&A2LvediX}6`cbimWpM8gJ}czwy5>G6~B)&)zizoyM{--hC=x5MCu zKBkB-#(cPE8uUORc2%Na_PlK;%lF&k8(`M0uE zDm9TxwnG9@3aUzf4}rUDo9R-0bnt5JqkELqwQPE;;j^}O@s8@|3U#EkJpk`4rf=h4 z*C*)KSd@Lvxc|O88T|sRa>#5d65A1RFXV3}0bFSvD@m(NmF(&{j*gA46#~JEm^uIvlFC>B{X`N}GmPhj`!w-?7*%{gp{#l4*wx)e`>QGbNZ;2*?RSH<*#%lN zsy+WJgh(olpL0}^s?;X?!u>PeSEs@Y7UOOoM%E;<7fhP~ z#}AveZ_x?ohXV1mKXE`ymz~xU)*h~jzJ*17yB*@15!MdGe}_3!nh&XAMWC7qJd_ti zJ3%(FxaDsj{qZ#EPUPuSLVRR2C!>Sh1JMsv(L5>Iv0 zt(*kGu-^ZShn!K3b@@50^~NmMMIgX=I=lR~tL3PRaci~UOIIjUC0{sGWpTzy@eRC# zs<4H+`!oVUjNC9db)?6q!}Y7NCVXzLf%_d-m#EiJ4+lZSW!@dW-0RokSo6dl@07SU zv(xIs9a;9L43iQ>)|Qz z-o%e0R~c9e^!RabbP``S=A(E0Dy&+fMbGDGcM-_EiSbzR zTrCFsfSb_PaLFF@ekJARJ@SDTK$clJ-nWAseLnqhGHYOJ zblEt7r~(_XgXpfh=yKx98F7*B-?cYjfl+7LgW1YJoZH>n-g6IcXMf_D8=2SO9}Q~U{s;E|d8v1DxX;-n zq@Z6gs5Mf2@;54z2V%QEyRC@}oyh#Rf;(1sfmc_z&iHV)R#yFSyhe*Wg95&*aWi!o zh~&iUs9!-{mUnlXyztoT*K=BK0V>FeagD6;sc5r0s^|z&;XoF$fDD(U28*btjj~e; z)%}`Wajr+dPmXuf&)&|;lh(^jQa)EE6+rt)kf^}Q!6(|DMRwS40#*CU(?W*dcrvbj z{0Fs0146Q4gsWg}(z`T&zmfN$GgO)$~F_V#kihdS>Z^~K!BG4)w? zif*J1K}$jNI-h7Bp++#y%Y^Zi&Fb8{Eh;w)vIph^t2?~~6AqfTXWeu~gJ3Crz3qgp z9{Rb0K$9<_u&>x33}m2va%(mHf1J5RF3T+`}nqmKb1MdYg?dr zXc(z?!r>PsA6iwo0b0wnQ+b{^ij~2UAmgf#<=ni&!?KIZt)hmu#zt?0#W`cADn&3{ zp%S>@?e!;m7dTu2i#!4JBP_pFGl7Ez4=m>_$A|YV1z7>*Xwb9GStX|ud^h(y?&+L- z1+|GS&~02!WtuE=I?MWqccu)p)@%;o@Hc826cTl>UwaG?%(!YGQnXr*)8JTT;_H<3 z8bnRNCpH2s{nGSANy#Mi%F(2@<2q+)oh?L-)x)c)opB8QW+Y+Sxq1pG^cq^7i>v`2 z3Q!=1n%9hgdO9jf0C`#jH`slN@3h%Nvdd)Z0=8UdBdv{+XRN0~YZ?AA*^Cq5p0knM z8z>DBq!^Z2G3{x4zYhD0yVo)zkl&zZ+;bLfGe*gPdKHTM(V7`s;PaMF`0S4VfIY}Nn) z<}oZOX1e<|3n}{M_=<*v@Y60=dX>y-SZRUgj|=fSvm^p5$1m%VJr=x~VTs5?{oS?K ze3xyqUE-2ug9kU9Hdj5j@8MAofbMlapD4K0AGyHtv3i#D^K3QFLg`sT$1JcCygbNE ziSfUU7e6zPq;;L-53B9pph@IhPKFK)i5~`^!}?FB^1IV)b=4*mp+s|URV9jWZlV=j zx*Yf=C&o`MQ=7=Q5aaMGis(ltT{idQI3vi0e-nKL;4Ffq(s&>=^)&+9i|BrdBut!v zZf2*Y%bLUbiX2@=nBnhhGXVFL&d|N|A0A;X$P#-Lw-%4SqqMhYwrXYOv~Hd5VzA+i zUM7B$|VkF{!<^n4dq9- z(Xq}tNdM`7Bme%7LH>;bX!w64|Na~K_ut6B|3?1(Z$d2lQ_c zyp)Wm%V~EeOFS~AlXe?_2Q#zYTjykb`{2R9p>^)5RNt+14s!8o88qio_5R&gW_x8f@c*_Dt2~C_*Zv6qFCY4U|AYU_AEo^G9S>zsQyB3{ z_CNj0{|{Zvf66`o*FTi3{aE|8<)7>)KmO-nzW>UT_z%3q|K~5magazsO0%^5|3Ch3 z9)3u+{`2L@`}eOz9soe=Cs4>9SOa1LDagxsCBiMzlPR0_87%aHFFKNA__zE09H|7J zl*RTSGU=WuCaea$iL(D-^_koL3=&OtI$9kC@f1wsf0F^9j8)IC9{%A_-r?LReP8tw z4bRVj8^#d&39)tiD~-z(l4X(KJ30x%wmsFJVpQ76Y|Wd zk_#gQ`wMo`hI&u-D!bqJP-Q@cebWqD%>JsDCB}QBB?@!Zt@j7K6y|;_#y{}gsA^vt zeI|w=bWcyjv}(Mw+)&+!b$x~P_#@@BtiDf@BN3L-S`MF{x6z?)s^prZ$B4`}%6uiJ z2>G1*XsM1l(suxZB@}?PZpqDOq%)6eq+cG9)ffg6_dTxO&u0%KE_o6o^jd&uu&7RT zIXP-}GlK#T1&eoU@I^Nq))bN1rzV^v70|d)X4dn_*7oj3Zn$gJ@orhQ?of3TmG@%( zCP%cT0a|6Qderym@@qRzEDQC~8_5RxAij4}(r?;aza>2#t%0!(?6pW6?1{Npb;IUl zo6IG7j(?0*1{mmf=XsDxmjdgG8covl&jcN>hTq7&dQG zw`;42@B@w~K_G=v1_Y7kfE?xdM^s=MLPhGZ|A?Z#tGfkDFrMSirk|VI1pjF<7?J|O zmT7wNA0gRp9Dnjfg9c*91$S3Diexz->yR7-q4T?(rUU-jFbJSD z0<>Rb?x6*=8jz=DWGQU(a0IURTXMk0TJsiUCLM0JgRH2Hn=?4xO#WwtVyAML^IO#p z>n=v)x(WR!jRPBJll^x7SLEh&v#1A?7r?;y_)*U~rx}xTDvtH~hUlc^RZwxgNlzV-)VN^)a4D2sXdOb%!+EPYHaf)L0}NBR;a{Xobq_K}3}e1=K~Yl^Lpx8J~{5r+|q zd7^MqN;sWjtW{y<9us3@o*|tZKx^061ez`m&%ps6_-@8BJdaf;TO<__ z?)kfkz@C0bwqOaB&>3?3DhZF~Zg*bUsLR*xl3}T>(^>U%)73);wOUR}f9qK&LOWNz z&h*_m6{bm+#$#wt1og1!{WImEYm>ZH%xtZqQ`_4?kBz=NsWhU!izv4uK=!8r6Sl&G zwnWhAS}?Kq04#d2;tF_j^e}aaw83VqO0ro!UxD7a#7kBW?S*_?PlU1ckaWQl1yAVUI#4cERqY=Gdr2lRgav^;N8q3($mZtzbo0du1h%%LyO%{!DsZ7okGH&3 zhP(#~q_jEvnLcSByoFmJeLR}8qVMI+J~9Q4zolTiXYBb&g&K9vCqK1%J^b7$ZF`&! zMPlnyFpmZ?Ek;{TjzJP|CN}x!K>(7#y0Pz?ULGBx*itc9v+D z=97(7>8BH{Oeg}tj@xXpdpHK?9(nX+mS*hsg&n;NwyP}|xi{Nbk4#h;dTi9?9J_pw zQ4igV_*2eSV+PlPxGE1Qm^XG12_5gw@v0Y>p8;16p^*TE8A|m%6t4%qi%xNVh9AQB z1Thr9e*^dD>j%C79N#SPaF8nVHeX)u|5WFxxwQ4^&1Xhiy4TdhmSIAb_AaBcBA$sT=~2k#a_dR3 z18O}O(w(S(wHKJ;h+AY~OnL2pzutT}0ps1@yposhsH9)eP(`@hfzZ;?-2CE@ zcKQ8Ct(}QQ3X(hLQ3X8%z@AM898zxU^gX=t$#Og?ak0Q;2#z`Mx4wZxvapo|P4$D< z(E&)5!P_^<5BUsz?phkI08d~!-1W-oO@-MEF1kBIc-TK4Bit|89QTlq5!x>eR#EU6 zDRU%gr(#$Ha~SkShxf&=_Qs@{i!??WyZQ3qYJLjM)?MVT+1MH``*S+SPTPFpSQPH) zW_6*#Ppk1-;~Ds_v+!AHICEAf%Xj{xvV0|;jGq`$`Y||G`~h(P;}})9K0tB;R}%k9 zjQA)AC(w4KKRbCR7U-z-IprsF;WMG6_*|c_OR^IBqGNJaHDa!>_jSqd#4)!fQaKq2 zhvx&%ruB<R%{IqtxH-%eI*yh#z9-hN@$u+&Y8Z_a*BlgeFwV3kyC=0S>B9%_8ctaP zZnSw6rz6h33y`e0lDo*Pol4#?dm2x<-5ov;y7-wb%mzePJQYSG?dtTvX)!subR;zZ z!ZIiP{3J9&(1303BhC)4bIF9?$0wreO2Ulki&XB}JCP2nm*73M4g#aIKwz4qt{1q) z2azV+`e)IS;Ij6SRwjOD9={fO-EnaQuXj3H2Y2-`r-lwM6aCIu9$tdeYK%hKXG|t> z#t}5?cp>ltl%i_}>qik}68rGHR{1yCX&1)Xg%J^p8U(JDERX&6`UbO9GuQ%YbiY{u z1dS1p$S4VF9Bi}6Vs~JrknSLL$#2@HjjsG@?sgOhPp3z@1vA-oFcUm2T^dod0BEhf zR_#+Rpoj!?63tW)D(8H5z!WbeXGhOhwF0dXe3BSR5~&Vvgf;YGoRbQQT-Y8YFFwy2 zd$Ry?VuwM{=@+EjL%GWBqDM;(ypbDdpg*Poa#kE!{8GKI-0^%K9-Q_=8-)i88pA_t~b(!FUujf*wc>ib`L>mnf6l z>-Y-sfsgdd`=KOXZTi@c;8FF&pw=3ARPI52D&|~L}%sxZN^cf95$~T*gESqrr2SUkj z?#=wO#%&AzgZe<|)$@BZl}WT_vptyia`rHuz+CCyl^-RcCq`UMyr=#0-S7kLHv)b7 z&nT1)&!Pn%-)@yH%N^I=H8O0t#|cMjbeCpq@^)|3{d zE?iFQvU%ItY;=7&+p=+;;_cW~BB8;%D=BZt=o1HR-xr)J(g)vHCIkA+vLYxSWq+r# zAk{6AvoKTbWonxI?#s|+urPXKH$1sHmS+U=7(FQ(sZBDU=RGN87JLH1aHdr_745;C zqmrDYhpo5y6Mc0T0;>t5s%vaKruBNjOr!h717yn1YY7hDfI#L}WgTfX(tEuRVuaqV z6!9VJV}{OUvb@WLnZlm{FH0S6#`KE?45lSS}v z^ApW;KdtK@z#lFpSYJ9>iAT#F&KHU#0}V~<=OgNU6mHb{HSPivS38A3LmIOJAA!?^84$Rd9Jw0<$Q8h z%J#qChZ-e)_6W>Z7fijxZr2B`aeifsm=yrl{t_1h2@nayma&Nn^m%9{l>7}Xx$k9x zu`Dx45x{>ih}ZtzGx?Rw#|ML_=vpzL9(>Vqt+Hr>L;2S|hsO(33xSNU&>pwGmKjEO zZxNEbwN7!^-0diu7aGfrT&yuW7qvZX!}5M8J-g?gHJ_n{v9WgdZK6oo<-qgzyPM4i zO~i4HGjclE#cnoH2+yG;N4Hw7=!T&}`AEAm>ww-48s}Il`}W2TAU55FXo} zD)W(MMCavrtMua`VYKwKl^`L<66~Ze_1b?>wn8V@+jx#N&}{z+HbtVx!8#v%i)&l2 zL|gM}w~pzc5MP{}gT-*xTg6;QKjL%mTP`nY zmE|z9^U-#IVtupxHJN5(dVRdSZ)!aQpoC<75uTutvPpmbBqQcCF7pQ=q6WP$oQDj^ zsmj53fV0?_{uyvcYyzTPs9V66wf>eRK?vEffcoDXv`8BdRZG5loec$h@nZiZ6yIvDKYcZXvENFhS0AL5#tQ(O@ zWyS}TSvOHl*OcsjNVfKwv!(cmkCHRZSNNG-%oSj52y>EbI zQ{k|T@-E!N4?4zghiF^w-WTcrgVqD0fYL`lG`J}qP)q~cix_Dm-~puH4I;GbB>5GM zMAK7-c_7?4 z_)H4jbQ;XAu8q&Mc_asuk@<{PWkj-EZyO;pZI=1$yd*TJ!K=J4Xky&4jm24_HDVQYlv zaXG6|!GaS5eascPxkz#ZranGxAg-OWH5ZpAFVrw>)|d5KGd*_MPBJ4EX&Wn&y^@cJ zx`nLNjqPtU;Hgx3`D~nBL_jQbZUTkcL)$fTjk0IC-?qm?9Ib`%AEEVcq@K!sLwhHmS zqBwwhZ5W)vq`UjsU+k;$77{u-60B{q5k3u^`(V+oFl{dACN-tb+_<$TDwUdBS0!Lr=VtO+}Wx8?cwcVWAL{JKE8D%>bJ15aQ z^IqK1iz|mgZ&ft_#%k+o-fwoz;YhcSOAl`P~i6+(~C# zVgr~X9e2YSkCx*tZ#~MtZK%Nu)Y}^@F~r8iTc^)Oyce!r)}T{@gsaatO+8trg@{_t5rzyw;TQwPCU~DB24OS9_o8;^XkP% zZaUonQIjK=AvP~=%uLK=%>($59`lJ;pifRo3u5Hub^>#sRwJ(%kl^e{mSUs92Q(wli9Lm?a!Zc)g#?+;T&@mkk3PS>@_JYKB9R)%r=!-eQ3ZUCC9Vw&+gm zd|ilgQT?Hqn|n}ql;D%b-C8gRD>v$eE=k$GGKd zisNR#nY35{ZMzY4F+{l=3%|Sbzj%r3LY^ETH8t+5lL}g_k$&`cZ8I z9t-zw;&(bi+iCsn*2&b$zhTGmHS5T`10;33KvW1Q0c9hav&CSkNS#s@S$3bXOx5?O>U0Quhh!{-z>=LpwtoZbCx+-JgjrYT4b!qIN&%{cJ>l~6d!8*`O zECT8H1_*Gy3icPs5v%EDe7?h`7Mz8wGBYB6kkNrq-E|?1-kW}&E&8Kzb&ED%O6i0o zewRw_(@EX?Zq;foroZt!tha>scSG@FFs8S`;E#+;=Q&pIqNN(S0AVnZ$?yB^V<3mw z+vKB~$)i|Ua9`XiZ?HIt2eE)|_*Nb2i^ZLGQKZ$nniJJYrcoyQ&lMi0L74%_zFt(z zv>U0XI_Zkm{c2ji=Ybf%ggA9VzqO`>;L(Oj^PiYq$pz-0(iK)WYmYp~ueT^SofffX=MMASbV7&*<# z*F9)LEeXuXHOS#JD(9x4n1H;cgcv2jz0L@T_CxNsqZ$>fCTU!S?hY3Mjpxa{HsTOg z^pUTS@7eg-&8IC5lG5MjEBa0twRb?n{L-8;um+Ox+#PZL177BLuCA*l+^9PW=E#Jj zOzBap4zgX-h_g%Ui^D!Y|2P{S(GT!l9?o;KqgRFui^rO5bRC1irpm-DlGiiu|GwZ@E}blsTd z-QYrsVn-^pZ1#%z6HlzotnvP&wg+ajh5Gg$iqS=v^ED93qc#yt78Al!0??HwoPzC% zSsU5y`)Xbck8FAjcP6fg==R$8`K|IjX07fgDR1($LAYCvE2P~O8};N#&rEDfXGo}S zgJ;HG(|7Q+$149g!Tt17g}j3>$Tz`L(y8k=^JPEIrg(@KFHd8BfWwZ5jv)6gdCk&6OLQd8W=mX z<<&lb5Hv&h9NR=OI`^b&&1E7?vCf_LWYF+Y{N2oAbBSl{_8>TL1~&qE>ms|6a?$$c zbfs&fr4V06$3LRF_R~gLDwNtk+tRV93p+`k4Y$(Xd=#7wAIK*WBNc6byFtxAVeM_L z7>~oej(g3}3FAs%%?&G*N)x_)tR%+|R3( zGv;M~z7`2scRmJ*#~*A!>oP8j;*|vUKVD+fto{|t6ngcOi@Kf^9$0jc&06uP+Dh&| zYtg0PaenDcBYm2+fec7@Thu8*4<|zo^oAcaH28GnJO5$<=%8?MSH*K9FN_YE&|k6q zr<3I8*p#AZ__sr3=8YGtL&=n9jj-3@zmt!jWj!#}|1DZ`N`4yJdgqYF(vO%r<(Oe; z$1oAN+GaChs4?EB@nK#y060%94Z$0BSMs>Q7FP6C^~otTrg~NX&zkJroVgF;DY0am zI>Qpk3}QSuEav(AH^JHiV@HKun0J&F(LHYd*`pknNi#k=oi719QICtLvkJn#`jpV> zl_25CXjPyQ;^D=?&IGnd==&OV53=HAjMb)bKJcO)CxnzZ;=cADRIwkuqe+Kygw&g0Ls%1+-C>J!D4_y@*XR~MRP zyyWh)cxbfzLy()S;02?JoA0?wN2I(yNuEO8Y|`4?>MZ35S`7$KQ1<__JjWjUYs`|vC`qAG(z-=J-Flvz0@Q=lB zdl>Fsq|B549?NR+BAhNHjg%?ORZU>gu&qAwhaX+OM7QHJDad&fcX6 zWKKezk<&C}y1*iCoVT7=VbS^&vc2wxSCn@RFRK zshszcus3;*EXWqzk{3!DRlt&N*`*4NYcEzlrMZrZ%+tXPWyrR4BMyDwpWtA$|63i~ z6&@5;rFLT!Pp>))-O3q!{*!coGy;HSQCw>VXN=Q!s{T@ z0th*AvnFD4xM2X4JR7kOXHYdJyxXIg4;Z(IiymtaP-YV$tA}RYP)Ms3yJ@$Iiw5;k z5f$p5Zk0hwbOOeR;!Y+^%-X>>;bX7oxTQ&Nzq<)7Bwl0@< z1Apv8>c01Af8Fl{Cy)5{7ZDzw6hSj8Di_B&@Sd}9p*=3bg}`U+MEPr4)1}(`*J|!xeAoFK<{<;?AzN4AC^x zs+;R3bIX*7c_aJ4o`KZv&27?s0nXNq_)5rvsdTOQlQK}n#)7Fs(F%(cWsBp(j7EyI zh^YE*PSIWK-Ru^7&2uoHB8ndk8P^v0%i|2Ecdf8)w^p0{88_ZNWg6v3BCN1sarw$5 z=%FY+Uk`M=->&(054{>V(_pHlLa-vGB>fmG1`iL37SG?QpQBs=b z=B#d_Ii?Dd0gP$RqUBZc#67!dc+$3f+Aoh-i7LSQU_+37Gv_mLq{u9X_|4#^;L^&M z5xjQKFmpz$>c9wA4KtT6h90TMPf~PHLaQ0xQU96r z=+o0K-ns=8LkOzuEaXWd^hl06MgQsf0xB#eI-g@xpwtiB#NS!8=U4Mwx*{^(2Hm-2yg0q98jK1Jm>S`x6#P8k6VTiofR;z`%< zHnoT*6ZevyJt3#?0O@!&xZAmZgzSaJ>h-S=E`6{3h(DQD5$;_PO28(-H_LmKkNd6k zxC@*!>m<%msV2j%;KZ(vrEXd`TuGCC+RvnJ405-R0L7JF!%0aUYe41(Pe%bK7BtK! z;95I5-`7HWIGXHcT_ok5f7tN(sV8fpTFF&!26P6ZiBZ;@k&mI~bdZ30@%L--2qC+3 z+Y*`AU|a#4xE<|YbRHw7E5HzNIw&Ah@~SUngcB&(z=n-uN`D@nSePtMP~> z;EblA{+xB}@m_b@mm}dF0o7#<4E^PiqO0%%Dy$@@U};iQmA?8(E?9R)~*A(>JlD5@5p)A$2-SdP0jHgVOoF&$t7 z#0jOmIZprf-ub-D00<^9Q5m)(*G|ABOdtOSC|f*&UKHF9mrgc)sQ(RbS)P$`<26Qj zG>^+TaF;!3Sw zdf^U3{Gz%Aew~SHU_`-8NEvh)k$mSV)+M7E=nw6i?0vEc|9$9yvCp601{w}?o0O)W}}GvvhX|bcaC9K>i0yZ%ydyFnS$Xs(Y!k4eJ&9CN^KjY z2EA$qd5uih`!C4ckdRr*8~kbZ7j4NeFl?55sK;d=jN`8znqI~3;9gWAo{%CnTN7%f;>BPnB2dhY9^MC{RG@4iiHc{Q<1o~4Y8;!( z(?jD$b9Dm3mdk0HRsg37yb)W-u=Gn8e4jHgTl`*SL->nNiFwjqxeGxECqF?5bGV*5 z1XvG6^MZy-R+^Gdx$d)OaHU0)rqr#+Qyv;9@xb0$4vjfAGJ) zbUzR<4EXFa6ny{iTLk)&^^V{(rL;uj)_ba<60w)=#e_HB;eRri!WVTWevuPW?~eFK zSS^;%miFqDcR$=~om@wG)E$OD!c5kB#Xns9=m@L6PMpoKKVB$gvR0>&{-t}0UVQsE z1SKOwZxWy;Gg3UwTKx?VXpd5!^l8M0Rrs{Vc%`XI65Y7S*>yYr-5WS8rAY** zpAuV~bg1vJb`vJ8o{<&m>c{u~qn^_XN&EJ9J?Hn2dhWY=q;=P_2EAw@`);F|)bhIn zcI(I^a`=u$(@eK+Z{aw8Mg$)GbZN%CVq6ee)|FV>aqX~aWm;`i_gdxk>4H_!qQ%AJ zO7$#nVILc(#78Ym4-R@ z?bID-$vTzJn*>A**=ii7$_l1hpU>Ap4Q0wtSd!ppunWZ}S_QY|p%6r($*6q6Mf9Fa z_-D=TlH5JRLOx%1rqS&%7`!bNu{K;JvfSxh)b>G_G+gmC+pVDfzP*}^4|J-uN5B-O z-~Yp+Mo((r?cO%3T(xH^oqfqKHm*fH-lw8%oLfv%Xp;ghFQ2rIPu3dl?I?bDN`x2g zo{m#&cekZ=XIxN17APz_6$_+V5i|p;4)l(TN!oS$<0wOCm6^19A3pwx^bONxl zlsUC+pY+rD+hpxM#0mI%BdRFv;fxIgSLL4$Ws z&B-SWy)Fm&Qnd=g;57C?F^sp;U<2<(m`uDxqq*u9{_qh=8v8uIX(P*1RdT`Z&|Uk2 zg4w#r0P-!xKs&1=EGRxs6)Dxo&_9|&y++86Qzc9}=GoJ@=}(x`9OIoj#fv0T9+JAH z$Dl2Y`(W zWELDfS<_ZVfyjoh(?QeZk?IPKT3y863FAL&o6t?$f4w8>=MeE2MiJ^+v}bYEMe&4N zTTcE{V}zjhO9dS{=n8MZ_(-+`dZg20!fKbWtQ3dJSzDYb9yRRYiOkpY7#T^8^U}R< zXR_3IP%_}iK)JvgH4HZ9a_jT@1Z5mYOKe!f;AVlMXZ=Z=zVS9UQ^SrkajSjfwKNGi z0&jMq5UPnC>QUAKnyUNfvL z`*=mZI^kV%(Zz-POpDsr)!v)tZP<2_*z9&6k-PxA!>wK0j|a2x#LEyEWN$(@kef;Z z$!tyG4|wQz1kz4}PM#nL@+2s<7QXVolM%^z<%QK68gB6C1gI?f!^M-VyTXI_XF;UO z{zql5yVZA1*wS+az)OxP5NH9W@%U)r;rrx5vsm}0ttnvfv~JM$!rfsI)mZZLVYu7& z05yAg+1!=X0sY8Y%b;ctP79d@w3$jqh^+6G|Ud<2W1i`D_P6{eJ&hhcyf<3MH6lzGZux>pYIxVB@8%43Tef5-`u z1fctE8gZ4-Kr4J|8b087ALcGzE|)&8;F=RKF6Kf;Q{dNeO{ISFTliUp3};GF4ya#I ztxQR#WdNc94X*!-w6}nYy50JQZ$Uwn5JXx)l!l=j1`q)W38h2c7@uCNpHMn zZg(kaBc-|cD?95+ECq|^{-#Q`49pFlOFc71J1N>iEl*bgS+KvJPMu=?Xd9x}(_PG<}npwCzh9 z$(bQfSc5s>Co>W&XMiSzXM=QkCQ6`JX4dW(3=r`A>{xOsjpk1epXG@sG+n$+Z0^hj z0fR2n=}oVE{B0<}lhR`h$8@c{iZmSF^LzNoq(51=^D*wYad%($5~0o_+MhOt7ve$8 zXC=TrR-v;WAsw4{l@sah*h4bPq51T1Ytjm`CD`bx5Y#*^Qsbn#)@m8-{AO8l2_%Wt zbHayxrMYoqE`(=Ca-)c2F4gZXfyTw+fSUajoM(9e=%eWwq4YcLiSDE$3Gp5YIIM(^dyJ25F7M>I=I?rr_z>8IN+Dp z=}7YOFUXa-z2%6&TH7#E%uamd=rHPjZ#u#KJSDgmTA;C8be~3pT1JoqB16QYLl*~(FMRKj zDjDWT`aJf@3!|de;&bx=@OeJZ$VjEmYg&ROtO#X`W&h|=R>UJJJR|Aw-)ny6i@ze# z*JwxHxV|<}xn+T1tz^OH$pbFZCyS~3#q+ucvQPO$zik&8HBT_1A#iZGJF4p@8%%0Z z`HiiYMp>DFt|f_o=Y&i+4L`-MgEaLa96Mn3^y58v?Qd;>0;!Y&Li+(Y2%oPF;&`pJ z@(9?I-`d@#Vn(%MoND4ILj<1J_!>{yT%%a`zm4d)Ecm|tCVKhgqC<>dMw5)eM>^`` z9>u+Il+n=qBV;L!9hKyi*d<7qWDGD-IaZmSGvsQDe4Zjnm zIu1a#kZ(W}KwTn23AW5HsDn#h5z@5!2rs`}SA3!t?})%&91B#BxmLN?A-K{Ap>=K1 zvv6dIZ_ESu&0xWSX%tuf4QPHdkH}5~D>%l=DS}Th=1$;ML8eH2VrjL?sxzBW9-k`i z+^`sa0r#2kNgWEl1U1$^pCY0U06W3ZoOYVBvQqP5_Iy*^$TeTS@q$@k?MBT;6Ng#s%&mUN^PVZYsHmt z_1G0$uz#3LW4iY<&2D1#{hu^fzgOot`y2Ra<=q-*D(-CsHt6o9YW$8J;9QMhYkANM zEQ?73FbnHATI;SyF`MV6&qm%pxcA$@+x{z$k}Uk)ZtI8ev(3`}7HNz8ay7F;+CY`) zmTqksy0!OTpWQSd!wGF@ofFZ_gD=PDYBH-0!?ub$DY-ByY(GX2un+$FCIMd$CuZ~s zLX2%|R}@$&r0Xp1<01ueH-qtvQ|qFQ_YLDC^@yD3?7PF&!u6xA2;$bOZnkW^?mrAs zNJg!fc1ab6UU4dsL{j}+!u;Yms@W;_tybq9DUvHkr7WexbmF>AL=PX*iZSfkbZc7Ed^nOR=MO)0Smhx6n!7qg=0oBaCSvd zI{GV#yucrhHv(LOwr z@WrMoH)YgjFwpfpLwYY324eV&HWa&lE+KoeOony~4@Q{$eLKuHv7e1A!H@Kk+q zV2Q4U5 zERGuBP|b#Z$*0j9$pfZj!rY6$y5zWRASWfB)t~#B<*PX(sXnwN@sma|%28z~R}38L zZXck=8HD8Z`Q0Tj&Qxps+c*;;9sOsVL5iM(20X@57ZGM3<7V><5OU2`hbUp|=LLGb z!pm_L2;pj?Rq^rpVe3(!BL>TRRv>GV$|}Fvd}`rU2vJDo`I1#gyXuaz#oq=SGt^*% z{Kz8tt`drxYhaC=gM~h(iQTUuu62R!-6|>84UJzf;7ntpI*n7|j;-pHMXN_A^WCfFlL9xK%M!OX>G;8J?_DiY}B(ph2+3*t#m2W=d+s4 zB)`1v1gTc4NFc0x@DZGo%e0XHvE|VZ$K2K~(>eB2pR*Aex7a1TjVRijpXa`Y5h}-D z6$m^)&T@ae?7f$x`VzJ9P+UYeL~)#P6|a9E5@WxHu!qx>2084`1NsUjhA-M>6}Q7m zPk5+3@aCRXij(y7*Odq{OVr%S#6I19vyH0?DFA~z^`6}u$}jL-t|sP)t~=B*W)ERY zwv^Z-J#hZ!FnB*Q59Hv?)*TMY5y>UxVuT8Y(eYoNk2Ug2_~YUv8|swTj?=k>I{twz zr@es1PXgncXq)fpVKKsB!7(4nx4--qBu>PE?Ld~o%Ubh0loXz)3qa5d^-e*_HVlf@ znMM}H!#Vkr7yK`PFs_9x`TX&8#%0V8%g&I;7Q4;^lEkDeW@Xkhg0Xz!w@!gA37!IN zhjh(o*O|XswOP+&_a!iqM2GE+fc=MlbnvFL2W(@kP@m)uVYhNtgnXIx(xEL0gXY4a zx%qM;C6$8qpU&ZbthmevnX_B#P6}Vc#c9-cOq*YF6BQ^uy#>UK%1xoy( zK-0xocXcdckc}?bd8mva@=s}yXO^D5E}I=Wh%SB7&emB6)*ba=urNVwwF1yKa8cc! z!47EhHH1$eS3%{g?Np!<$Iq(yXX(OnUY)QQ(cU%Aq1sIuix*cDpuR63Ho0a0wd7{Z zfawCsef3<6u{1I;&n;>(hSLN~ol$RV^-rltFK&Qr_>IQ0BG}@k!P`l{-t>qT{1HV= zsz^qfpSS;Wz#8TbaRNo7WF*@NQqt+mh&GhAd)n`H{fAWYS45J()6T3&Ri{lRzX&$D zRqJN?m|pXv8*pYQC(Z5XsXJ*W`Z8w9d#mMC1&n#lhv2WHPM&DSoR~9RUoRf8CQ3~Z zW!_}Bh4q&{{FO~L@x~EPd0WVbrZ7}>>E!Ae9H&@x3|8Sg$=*5IwAT`s-aa zakRHc8J{ZsIu{Ozw+vZEk%jC4PNa6e`Dk8T`Dk?k0CF9t!zsAow2a%b+iC)LuQv@f zGTHY9;C0~fOMOWAQ!0dlbXE@WGncMXT3^6eu)v8CJ<>npQ?NxM8Ej*4r3@~)QtNed z{fC~C z3>dBR>Fc2SWTs^RB3ME*6*d&R6_W8~tYaum^1cITpc6n}ddG89bizdEd>PQaC$nW& zEK}2q^2$fG7G{7yCgCJchd^8?%~2M}o-^;pEdnc$N>}imt#zH6+%9eHHk2nTIMNYVZw1{}z^OI4J|4)A}&u?jXqHvBeGYMHga=au_kw zvF8}7SjtYZKhcB}(WBFo#woU$2TP&K0=RZTSqSV`efp;?$Td>NU?!SD=6IyQ{&zLM z?bWE`#a|uu7+H# zWij*KdxiaN!CPv=e?Hq1jX| z_=%hBkq789OD4pzzkOb>g8rvts3+7Bp-tmZtNEhU#^Xa%KJ|_>>Z$~B?jN{0zz+HZ z$)W7g`VE`KhJ8SLLDZy{J1OUL$TG8WQpOy=j%-j`X)U+pS&y|5kv>ghXT28+)ckQM zAWzIfk+i%q1;w|;kkyM#F??fuL6JPjb_eiZ zt5uj4wp^9U_fw+^^2iHzDz!?uKf7e#O;nOyO{_CLy&aM4B_hI6S7?I}w9<-xR^74w zN_KneRq1VKVVh|)o{e7jdRyP{^;X4(cMw5`8zsj1n~*i5zUoDrRDEK(1T~9z@vOXg zfBt08w zI9et;Y+JvskVVhF{B9l0Gx{gFyMItNP`x}^1Su$}Aul@G`) z&E|#tsx0|oLMcnqv(ISflSSO3g9p_^O2V?-8KUx=TE@(x^5qhSn1~SufJeehpWm65-)w92iqysZdsH~fdzvv z>^?3SK9p=*ei{>)j?Lo}+k_{mqIEbh1ex+^Ta~NIJkT`d*-z80plva!5*Kmi0m&rT zJ`k<4uJJR9l~mvhYI!QJW$XpCCzfXn?|?og@=BKh zCj4&s&Hw^B4l8&}pEkYsFah&&%O+}0l|wPcVLrrU_ki;%fqn)X;?;8W|!TwPib^dEr40A670X3a*yTQ!vXt53u2 zD+2f}q48uuGhR60Cep-3URtbX>S(!&0$ND8@p}(U`+TEstTL z)aHj$;O?a%XN7Vy$wgzbk0tbUyjsOIEOcDQcMCQydEF1=VU}O~+OK?x^)wbQQRJgW zkw|_iYwp=sPnA1nqyKaPL2_W_s3WX7<32aCG?=TVw`iPWQ>m4N36zA)u?L3eoUtem z=fmFvPumj83dlYvmD!^3k4J%>XD8aMr0$)v>H_;ZfJ2+}a%+?pPYXrt&@m46L*b+G zQuy1Ymvr0Ag&pS~D2<%TJ5WT53gUdH1QpT2071o1g;q1M?u)*DTQR-8L7(*g^#p?l zl7ZY6?w^ebWl8J)M_owB$}MaVoTj*Cbq35gN<-m#<#F(~k}_>lg;V@rV0|=>wRw-Ixla zDq1lm*S3!NMt5^Lq`J?3AZjs}89o8z#raccJN119x+tAYccJa7^tybbvH1mZe>J^z zW9vAH=nq=M6`?rA-*-t(munk0cNQ;es?MUVxL+|EO+rcS%n%DD6?X&zj=>Yw~9V>flY3Gpk!8e|`L!PRDsI7Ci}^0Y>l@`@K~*aAnxH5$d-GvD9D%_O z1^x-Ng$HE(!ixocxch<@5hgaS6rcpEs7CyHlAk_*H zE=0Oe&(QSU*S#>Fb1oJ}G}BwFQ^p@qQ=P#y#_GEGbv9kgJctFzWJ#FNq-EECieo0! z7K%Vs&{`o{J_YA)ZR%Gu*ZZe4J1qh2zGf6MC;8X6{hKHjUCcp4-|unH<_xcC9?~W`azBNk96Tnj+u$+EhHs8(1r; z041E-_)N}kYv3YFy50rgGPOnNWL}U4WZ^^gDYLm#Eee_)am}-3&shW_U=r+WxoLEB z*l87)OE^*TVLF9o1T;py*FJ2|q!_i`zgI6o>E8Ch6sX#501LDrTzVho0o+3&%CV)C z7e^a0r(sD)KDnV3oRm}->7h_E41fCpuvsRam1gC~S^<`&eEfD?eP+>Cqr6#~5GD6A zDndhhN5G?Phw%-(ipY_FW>H)ImIu+^vE~4q7|mSOs&F*2cL-zq2I3WDtGI>$M^brz zpCtIPDBXAA%oc;;(CH_Z+tbwpoz3+&`lrBcL@3BP!K#A8E=%ogPX)$VxCh2Gm@j%O zc809?1}HmV79C(`aDCb-Iyt4Hu1`7600a3rsPtJ`c|2EPkP*rBp!&9r*Kk6e~=X_&}-7x%NM1&}wx@)t%b>#1q<1-KEkJ+YuE z03hj;cISL56vCmOjqg9I!5DWASla9jNJCg70FqnF$t+!r=0w?(MZoHFG(iAp9dMlB zg~mm*=svF;K%skItO8`#Ooz*&nW#0Fma8Y$OGqBl*tjK?4Pi z?J|SYk-xJrX7fcXL|ETVg(fR~xm?hNZ%+q$;*w*TlLwas!3V&e@|(6bE=hnBvz@!A7}N9XEIfn_41lw6n}>?gX|;1}!`f1Hy_Z z2@B|tJxXK(@mNXE(?pEWv_C~81r!nZOJ)UP%E^Q8?^YzAZfU){AQOhS4`ffbYI*s+ z!IPTx_+dUQ&?G9W|ryj5NB!p%k3d^4YjE1~t6?u*B$He^&Cw>&A6; z&7`Gm4I>M~S?fgFtH#hpEDw> zm!nW2{w`;TABB|{bs~Ov)t@|7e&*Shxc0IYUOOf~U zG2k2K6AZ!SpZ`c8fSO+7+zrM^R?8+EY-)q8$8WWpU7#x^1>Jz)tS5eKp+M`8L2ihG zYgPbQ#XBBGB*cTlN5$g|xCnEa?sEWNv^|2oq64OmH$VV!hP6(jp!Df6J=^>QnMEGH zUvuL9HOXKby$3036NYsnYZ(z~G=3*O7&!M<;zk$1e8R4=In2#)Kho#%hOOZu;Bt`l zc(a?fyT44v_H$wtwH#v5PN0e;hT=9+5F!HwjzhsJ*+7r^f~H4i5fJ+StaHR>xz`yN z_i~K1T)in8t^^m0Fm_l*zh5mqX3lT!dtU)vn!zEzoUg|@(qOt}bZZ;PJn|mq+qf0u zpLeBdLewb7a{r*j@Et8t_Y1t>2BoLC`NahC9_M)4bPWz9bN1d8N;+*)mh2k+5%lP- zI6Jk!@#Zmi4glnx^mW@0+iTDO*N5j;tp3%yx(T2J;B|BWsGiPNLg+Dv;R}Px8}5C> zrJpN2{m?GtpUd||UeWwYS2^g}(wVS5zZ+z51Z}vCTz$~GE*~PA0 zi-8x+&%IC3OTJw?I+Rx7!SL}d*P}c+Hk~T=*aPQ{3d12~OUfw!0fwn;9f*fLrMh?#zE#)I!AB;*P1qtAcYn36w2=F)8F1f0D5F?-C6Do*Nrp+~|y}MEQ z3|qVwQ0}<%0x#nzkv=a_ckR|P><+9Pv>Lx=g_S2#{RSAVTw?Rw3k+uoq7dM$>*Py5cE;y#0GHSTmpNd@!gNNrIq^!~ZmB-S zC6C$o+xVx09Klupm+>$18r_jLw4zWKQ+LsUlv#K1tKUF2)c}9#tcAO&!4ON!xdvt9 z&eY||3D3XP;+XRSbmSnY;=`_~7Aczt5Va7;@|5b`U&)x}9JbwoQj_Jw$2=~PfkwU^ z(gONCmw8K^unB%H=W8^Fj-6{VhSm;|&>9)o)Nd}g#yt!xfUK0CaY`Cr(t=e=bo`SO zs6{dfS56y3d&je^XDfJj*dX!uRIYT)d|}&CNkTs{3wMl8<07}p*=3ytC9gwt60iGo zstCGiTj_|&V;|8qJSTUhvqBQz#q7p+GbfwX!gw!lK-oJcXl3$v{uYhC;{}caQ5|6G zr}Z_95b5o5-th@t$AzBGH(B3^dvmY7SKU}`d#K3bh9-T;&HUK{7^+r-#?OkdSUvIZ zW7S*g1mR*5IQMIO61d7Kzbz;&*q0K;8z8a1B~Ue{-<2|xvK zlFG>*c{?vnEVGJz{<$V5#^&ymVijzEA*Y4r=lIDnTu}SSKt4oiHntL3ppbH@PGUT4 zV{(NXF1h_X`11KcUZNo%;p?=3rn_0qgnKVuMLPu+#Ulx#+L6hy1bJ4A3A)b6E38N~ zJ1v_-i5;L+r*<^{y|Wu*yqjJ-9mcfIHfd6F*!^V#bY(n%R4TQLFBIvWN<3E8zs`A__!S=GR$mb zut2I7WT>sO_uktd+`wNcy7HY|X5aGz?j^F6Zz825pA73)~$U4@o zGkALsl6%$##h3O8GV`AiI7rz_khgZw%AkA#8RN2Ebh7qjrUx{ALC~|wl&G|d^g|go zguY2V4rETqGm6})mF9tSF!loJCAZRdX}6|2Y!B~E?P3lbUI`Xcz*h&N@0cogll&}6 zi;LI|11tL($1xlQkuNKIU>C$HG#7H-|DjO1g7eiFRPzn)SUKym#8M?%ck4*OND7U| zXfZOgNpMAroY~(26oHLPI|7r(p%9a1Gs^_s05z$r_{`$O3f%JEF-QDK5TsugiR zX4%>iO9y~0$w4)@v^F*dY8Lk0Dx&KDNQlz*j8O$=)ZS6|=F7@cpiUp*NWdGj`1>SD zq4cD&8{isjK09uf$+rBsxDv&5=0l>r4ZnW)T8z4W!?xHWvm37}(eqe&4f^%mJlAtJ zS=1~EoohMUXOO+|7K~7z>Mw=<_&Vj7C;!lyRG#Fco6Ay9bH7MUu5Hwcfh0Bfeu(crwD zN-|FF&-`jucb|{?2i+%T<)!L7>k0DO5^-26@=6d1X=unJ*bUE|GbOU<4j*KnV|$bR zijzO?_l6Bof`CIK`$;H?jpv7^M=QzxdS8yNH|9hQA?Hh?=r?wh->ZZS;})%VuD!mv zQPkixSdzD=Yx2eD7sz#j*8w&0QUch~CkHff_>$Cq~D>zN_#vR1VYX5xqDr1wZ??-TaDB-xGp_ zP(V8PO4@VUj1T6*io|`+j(pa&wubKrz}( z&&G>8S0X8Fckqy*j$D{pJDrE(^ND!B1mdt@}=FN?dx-X7=D(s zzFqsHQMXONGyI$M+kxzeTkf$~`~V6+ZL>mjl*^}xU z*JwFe=0&KCJ=p*b;mLwIc^(gFMj5mjzk}eD;JVZqid=E$P8D zwe$1|yYi1JXU3ScGHp#?4j^O;P*waN|QeXVOxS{qW%q<0LsQyywZ~tGK@vGn&a{GHn*-=luO& z6*64;vtTl7N9S6y$-t6mp{$Ld9Rz~Sb$>ieF!CCoYi)qY5kp z+BrOxgK7x4QuGGqp+jIytrz3vE`)Y^zX$2HqbuBXXWPrp9hn11N22_Xgi5Q>DTMsFo*tG9B{ly6<`7PGu6#?fY?<7ca`stbRM1p* zLDU}oP`%s9{PGKil=;>Lpf1mU&R|qAK6NA`7 z8xrvO?;OOIQI(oUvTA&<|3r@+skA%rF?Wv<#kiBA=&Dr%eraE9wOoriPmecvDN~sD zKciBCgi@v#C-pL>q4s7mfsxF)x~L6RnCkYk8(@g@XG6835!aTT=%(jDGG@<6Z&98+ z@?7ud1SV3oQ;EvGlVQ#|^xa5z)q9S)Xoo{|Tz=~5wg(Aa854(pXU={#iX6!&v!Y5^ z+bn9u_0HC4>{yXw=jVBB#0Dj3_MaVLCxhiasf?y5u+Sd4%oj@+1tt(W_tjSf)#5^G z@y2*plMU@8Y8n#MF6vXOUc?mooEDH03V4lt%U4?wcQNfW$r_z6qhKIivErXqqs!x& zRa3}WIL%(s(Cp>$F~d^LosmNB){mL2*Iq9qP<<}+b;`X;sKQgvKRU`YatiCr&U2Mn z+?muXo3aXbH=prvH5(}|+wVAICK#gG{bKZjPXw*Off4APV;(eC^&+l<+J(&gX%m3WeeVDD-O9x$RF!8+A%9I-2?)ANp*<7(^P!}Ime@*IZv0Lf zGFrSIg+y6@T+ZWR>A5W2IjEhxD)`Xi@IRBrlojj79Yspl9OCAr?g29~wT^ z);n~qd-(k8+x_Kkly|)2`dA0KjU`Z;;Ma(PA7pC%muSC46npIp>_yy9#gA9!M~IIE z-~Pe^AKWZx+Lpz>C~70a;TQa;&)tSw1au=`a%^it+8O-MBWdJn^A)ROiBMnszxyyF z_)b$q_o_ox70m||ui)Leym0bg2-;*h)~XWAK+OOsa`4A1@}X1-%$*>|?db_2T&bc@ ze<5IZ0=3G)ThoHIxQG4YUnflYYn8p7E!_|DWMh1vpl2y*7Z|q3owc)hzWvh~kh*}X zVge$ZO~5jXPiV8qM-vvM`l$^VwpxP#1^wSYhrb&2Iqn>>(pgnf}HO_q zj~Djeym>Lb+kkOFtl1&=_tS?H)C6)o=bE1B3ADkg^C*x#I^qBJ{bCf}!gE;KWoBZy!hw#7 z%VHNeYpXy^`#Q)iT8;z$#D-C4%4*i0!}A{}C!B z+F9&>^C180cmMn62DCK43Uq}eB|rs@H{J#bemTNKe5hj+Z`{r0rL{663YB#?5MaPvz^61u=P zL<2N1T)T#gjiiUbut>cQnh5gCfo~sao6g_L=~sH%_Y@#LL&{~S3u}@y z*^H@FdTLZN?7MT5i6VqEY5pJH*MEC5vhSd&+%B+ZOa^ulKLAKk{F(&>%%esR@K)1| zfZnbL8KY16r2(Wrq9luB+Poox>kPn?urn603C3gqS37P6P!DpKC>^Un@#z)Z$a~1I z57L}XhO?EG*>Lt7pl~F}Qs(tIKg2o}YX-zPh{dvEV003dL~ zNdQf|8rTaS$cNbRv7_Zt;p8yx-8!VHrf_)F22(Tos4un!!Qe+tXOf zs$->xzMDSN2)6!jl1wpm>*mRqBz*trv2KFD`WVop3b{c|?wX&@0%Tgrw8+3yawj4M$&CV9MV z&F+_sE`hF_haD(R{CkD?XSw>neL_ZgiwRA=x(8Qa`5OV&cH_*XiS#BPB37l!KXAS1|A7mw={rNWq7gkfZe3 zFfMU|Y$oq>51<4bp#`W|A+PO zpKppf5Eul{)C4d|!CP6&N^uJD zza>M>hPElXPlIqlT{+)B+~&W@ro0e-(`VE(Ym#8~JPZ`)(O(Mpu~Z^Hs_B~QYxKU( zyDBSRH{Xgd#QpbM>YuOV|MtmGNpNUJX!_r8_%;D|KJp(2;HmL*B1WL&3C|M*z5TCW zU{l;*t5kiz)qZ|NrNsZ~HH7;U`1%1z_BInP%B6jAdz^UGlavc}Tm8o$-M7^~NX{Q` zO<}&b)!GEqMuKsWC1&9?=iyum9?}Hhx<8822d{vx_|*@MB6<|BrunM@s9{_;J2zLN zThf1*wZp2PCpRl^ zzJSBZ=K*Uld6@t{G#7|{;(bW303v*Xuu?LMt9HNby^9JA8tQBS=OsSBViGQ&Bsc;x zTl-$B4Y(}1NL_VZ*R){43sxXTL=k&i6X0$jff>96cn1)~qUo zjYS0KKce?UYg?Pox~@Jx0537dYR7H?kx98aSMy{VRfaHZKnY5^#>C6aOI^JksCeVu z@W5jq7}k?zoK0F3-tka+{yMd^H#BlcI)vR2FVI5IGMra&#H^Cns_S*e`7KxXPU5x& z3mwF${YYMx zGV%$e2$#;E)V-kAmVzF&W>J+Q7nuBU=sRV|O{aNsZva)G3dR~Ee162TKgjlgyI@seZT49r)@+)$wMpp8h%qHx!=nHGo!nQ2a03c%n$!t*=_V5~yww zbmX{E?=W%5jE_O?$ow8~A?^kErCEKnj&vyH+n^?gjsU$W%CMk6>L1 zlcxN7K(xVY-1PwcPCowu_}Aly6ogo}!+uTy(~O?C{*Tq@6^4_51#ugyXf|^(Xl;Ue z<#?%y3AjY|#dfMSD3H|z*r+$;AADTB9n#2f`24}jjDnnWY7V)C67Q{MRLckc6pl$+^U zzcFAU!lMN7m58swMxLmu>+;;y&&g|f!KpRw6^SO{^#$4yLY%1>EKc<$7z+cJg2W@k z-U}EE!~(j|lP?>f0`anHS8$_j1(K?O#gMsz@LrqXHksq*xKSw2DZ+4Zz0TxjAYYr$ z0bD9^Jfj-vAsP%14;{cgkbi)U8*kr6_ibPRY(^PVoGg}X>xqgzso5Hq0-5nh`?4&{ zH_Y)}2+gmbAizc9JY8u%W7~?;jDayOM%(wD>Y`Kh`YpSu0w>AC!FUiKGKosr`Z~+A z;oqMq$}|s*7|cD7OH=Oj#X3;E|0S->*6e}b0oQ1zpzt`Li5Mm!*SX-xFK%AxRK+ES zhUQx6o~+$3Kd0W^&8H%}iVdY8bI{5Ekg5uazpCj?un;Lg2p@nHF89iE@m2w3H{M2U;>R<`~sy!ERrMz7NLZ@J;_p1ga{>$dCAx z=Gw^LRi^;hiIhvUEU*^ZDtiNj+l#IK$96~WPj?sI+UwT5$J(-smcSKwrh?{&=H-#} zrJnPI3MCf%&K;j|JIMaIe%0AZLg%Bnnkf`MpL;v#v+bZzWJlVMY{#Cgo8NPdUPa!L zz|VC*lv4mSPza`9nhH?+aenuLc-JudWuWW1be-}5*gn}A()dKVsHF3%bq1#xBUWB{1ZL}*k* z?qF$Jm$FP>S%3NY^D!ucOdre9(|%8udAc! z?qc14(YLm+=v4heg{n7qr{`-|^73oufak5bl;*k?AV}!GueHN9lR` z_5dts{0E-z{Yst=8gjOyc|9zjz{|Q$I6Vh+WhOp2ymwO;j5fey{rSY4Rms{{To7pd zGtK~p)$4h&MLf)0CDDC(bG>t87`5l_3M|8xhdGbauR+Hh>reTiYkpZUG1^M;u9QeS zR_OlnIIu^*4Ic(X-w)pp9R_9SX_F0^6!$^= zrEN(J5Mf;H0a_0Qv@{x|^JrLXj%3{c&D_IJoMLTC0i9R}sJjxin_L?!Ofd)d^|uvp zSG_}VRK&1E)xN+&p!Uz&%;PqWy<@IBtQEw>L)Hq){{y5^+Ft&DBY`>O1g z@`$500HF}Uo_uz&ng9}DXzHj$J>9>%V<7wNrJk}WUACt1DE(Cy@P`@|Dsmj_p|W>R zDtxHnVw;?)RTZ0JZx=xQe>42kP0jNFq)6X;EJ~k(J%8mjOQh>OPkqFy^jloF93v4Z z28YE2@U4M_Bg%Z}N3i$vY97>`q{QGa9tRB9hN1Tg@1oO6TL6harA6;m4X7~S#=t&H zcHi$d0YuJ)dex8q5-CuR=O=Zn;}66}y@rcX5Vw+x($R z*un)Fy_ynIg}YU!7*D0V0z=JE8)~3{-1Zf zN3RS<&J~Kf))q2GfyY0e+6#u##m|T|QU(zXE@0nGAj!57f@cYwxCGoRa0P#V|5X6f z1eSlT*^7kS|FB~7^;~3;>;~5a)LQ8maA@ZJLnI!3XZzfI7|1mkVzPC}P8x5nb~au( z08eYotmwsCP|HrNp23%yvp~s9%AhHQqtIT8afCyUIU1v>d4cEpj#ndnGrR{3ObLfC zXCA|KmC<3G4DBuRgq)iC^J;B^E0bQEU@q=@ZJ_sIEpxnh0nm#}^*%wf!M(WPF}%nm z%}p8OwpI6%l+3U;YQHu*u;Y{lX!n*2Q+}Qx=Fo6a!JJLj4eQP$qQn*JgWx^Znw+3rGK>7EVuCn_ZaJ1n zScql^#+E0G%n#XZ$*}bBMBpGciP_$rkm*V7u6LzDBoM&gd565$UfkXM!tpfo$^Z27 z|L50x`$>JIM++pV1%pVt?p{91Nmh}=r;PtszH~{swT-GnW$hyyHj9SZU*_>KA88rayMMz5lmyznoyP59~fKOvA z*r;@N@R|=kGm64bKO&?6fFSx1&|*?=0taJLNWmGB9GXxf180{Stz(J zA|JGx2kbwa4fj8K@AIbHv_JWA0vWH=I1rfmm@32eX+}9>uF>NnJm4Utl^C&z3K#9b z$$e1)kox#BeJ_#G!d!~tFxdOyzCihg)N*Y`p-l)fjiccO(zbpKGUeCT8fEmFpO{j{ z?yRadV$$=v@wl{dOJoK95#^tZ0MC=pZDf?COI~+^_$5F#mX)3=J$60$-DXG`T9~2FE{!KAidcx`=32xt6n8)TS%Q za3D<*XntG)6EIz2!9#hU;9iEAxBc_PI6fP_-xR8Pz|T$@lKL?q`WfX*L(tc!(%2^O zTCHaYx}Wau4qLkhPzf(C+2sDZn@OGcO*h2^wk-)-_Xen1_fztLUKzMRepfmNBkY|@Fxlf0`fQd0mBXY~ zFW}NjxOr%(9bYe1HeOlTmgK>3kUvpgDkycJ_aZN$k4?=Q-39+iZl3i2BJHiCs%*Qx zQ3b?6S_z4zgn)D{Y7vS^gM@TSE@07}A_5}aElPKHN;fFo-Q6AEwS4w_&KY~`@tv{X z_di8c;J)s8&H1bOrzI6-JJ|gwWlc|^ly_yo14OM-_lyFf12VD5@E)xk38R;d@G2AX zY`k5V3lY`ICBiJ4RvX_QPSfCMBaE-_=L{}JbiiCyUV7Wjhdzl8uGy>%#(WJ#(X2LL z<#gt&yTB24t?N4WYXvN8mF&@yn~+TSl=0o!WDO~G@;xby`sYb3M;e%Qq(J<;!dL2P zty4qGp1EsW{@_*xm(!R297y-8`}%Yfq{<~4#YdYuuZ92piwQIIjx5@Zb{3;*acW~^ zlH%S4lBFRwN(g<0jdbz6@__R*YF2YZD!Ux0C9EbdQOlH@RKk(B%|#!dfJwzWwnFnt zP^kV1CrG$B-ZVmL>3+?CMtts@2RMip#s%2j$Zl1ZXYUtkFLI;?J%O3!K)%^-;bQ6> zGC>^aS?#J5)1Ua$vcwLLzWJuop6VL8RZRBbfSy<%nNg6ps;b`=7wt1<&RN-2UlwQM z3+skrWF+r(P}ne@M;;4B-8zZVG_S-Ym<(BLZ4|mBCz9cGEl?O#mcrRI2(WFST|lZ07(muXU%F@DyDxG!dk9sO5yx zMEZb#1t`@W02KnPEa<^MzD#8PIoNspjTir=RLJW`Mg_w+ivTWUKl2&~?iXpW;!?Um ztFEaS{wLX+2T59kEr=+BPS@&S9>GtEx<1HAa(}j2@N={XTwgxt*{P&7vNJaTTyL@z zDH@X3`qrd~94;m0kRdZ1F$A1g(N>T{PtbXOQLRRT^Btj-%`Wh)p?=kd>&sIvK!w-U zaRP$?Yw=a{{U(YeWt)7)w~um>QANTuv||0S>@>Bqrder416<7TSdr_eX%PBvq;dix zRSxT39Qyq!ki*CvF&m9QYmhtSM$88L4*)5D0QQn~dVsxDx*buB>OS^xVErzsl{Sdp z&j%IMpc!}x=v-$&OaEJIHVRzozT){sZO_0BgG?Ox*A1g+;Q#kgpbF947b}byP z^!gujfhCiN07CSoxkyA(9RREPISbb0K}!jTDJGrrP9X2w${&q`(7D2*M;X&K4*hj1 zsl^r?ML_xQBZCyy8AnIKHdNF^IO%+I$hJ{wvc{!fSz0fFbxp)1iHc1i8vb2wk_qpK zyjGW0ZvVwk*7}HU$q6G7y2<1{vF^MV7dFJFMX_Hv$L1)-A69~HVnlr$DcnWK2%Ind z?jI}C>ji{)(TSGM4fQoFF!|qI-u!o!^XbmEB)IjDQNb(525*{}I zGge@rGt%xm{nzeGUM5sD6bBY$wcBnCb)%A$`U0+7BD9kf`+K^oONC&7o|-cRtb^Y;A24g+C3W6c)^@Y2G1ip10vN70fULLn-T^3 zr8s1u(VVRqf-({Znd!s(2LjxX>0u~3atHFFXRmnvPC>9@q$RRirWBNUj=*P(f~i-R zyA50bw^An)9GM4j@59JBy1=8ForH3>(uHB}fBl_aN z2G6FBUesI{-2AeLXxe@gMH*s*%LHMNUpnFiuRnf@w1ypbD>v65c!#xtq{a2H;2%+GREG zlA%zhLvFJ%7Mm7aQM5;)@4wXof~5y&^LoKwBzwyambcjeM9W8R1`IDqwq3YcW zzN??N!c|hSY}D_E0MnD`brLMl7fIQatr_BLme9%%F zRSw|5BHRR<`$Ad@+>dkST5M@QdjN@#=OnOqBP(s#TTA=)n4t=bSsjK(6%NqU0M3gR zx#d8|%MS?eesx$^fy0q7*u|&AxJ=!Zt#&M|=jyl8x?E3dp#FqhM+JawlB!CN!tJI+ zXU{-eOq`He)%7ZeDB=&e6yTsgqw_i^TG5TMP-dH}0t3UB85XX#bR2Q?!^)q+zEQBg zzh_Q36Hp#huyMzkTBjAj8Zw1)Zc59wb>&*OpO1D(YSczffsW_z*~^SLE$!FbsJ7RR zDZ`eCudu!;y(qGVR|*WqELNv8HdjUXziVJJD724uHfcVP`1kwOAS2EEs94?U#jF!6|P6N3(tc7pxa%O*dWDp6O z5&n(g&6#MBTIOg#fj9Q*M2K}2>@yF7aiY_NYuWx0v71W4LN-+5#D7%^phJ?g@UAOp zy+MT>E;4rttKHudK;u12Wgy6bQHWkQm_F;&5%_vuklb3NKtH?0zHH7 zP`p{OUti)tfNJ*)v=Vxt>%kI?0^BI4EtNRs1jG8 zJA-K){K~Y)YA{uyFW9uo_;}N**dQ;%%IZHE;14JYO|)>iN*w{mcG*KQi{$A1XufCS z?*OG03*d*#c{X!PHeiyAV4T2?nY~)!LVxt}tWYzKo9E{iQsNc|9&F$9Z7S4z-GE>o z05mRBr++kGMCiVpRYCxF*%tD;U(~L)g(F+1!?1{Sso9B=vohVKrx{afUcm{PfyhqH zDst8*90p`xtwQT8`S~*O&|XsDsDP@B(_c-57tiBLqz|)M+0}~fTQ<_(sCOR=NQ_Xydh z-f?<0AMMm6-u&0fU>J;nstSz!Ozf6(zbe}s;nOFc!K6^Eq#O&ag@K?bk%Xk$>1cFPm)|F|dx?6Ve**1Jbh$q$+Gy_vidZ-J(qbOfR z_q#<^2ibC5BIz6^5Txn*PB8riNW`AyF;~KZx&;=!&e5)5>ogq!Z+P`V;eSNJaiA%I z>qNSEW$pH(F{s))mmmp!prvZyT(#{tuwpg?j*f{tmVsGhvQ!5sw~dixoLYrB87;`2 zW~Jm>o~4Sdw%a5~7`XsgN<0!16`y%kP56TOsdug@c0CM)C((B!xi-t{*$6s?9^joy zq?2c9h_Sa|+^u`STcY!=)thJXr;#T^<@ zi51miLzRB;KEgeh)|yHu`&)@AB=v<^=tWU-uT_pJ(=&r^?*CWQ@&Bg|`R||k+ydpd zdK!i0Oa!su!w?}Rw126CpYI?!iks`p)i5kd1QA-;lh3ZHMr4OS+YA3`2-VPn1aBN| zj{b<=|KkSw0mFvt6Ps_9BE63fXCZ`l?`T#r!)NdH)wHe+RU>?8$=zP2k^tT0qs8`5gH* zJ~w+QfpvgFq5Lhz@bcYT6sqSEIsjMr0G`D0LV|!> z^#y1aL>3(abHPU*d9WZgjN@zIvDEM)kM6=kuLpct=GwZpLF=Lk2$7=zP4+56{bJji& zKyF_ba`n1l zrHZL1DGy-9Z24(UG08m$gW=c0d)k`_T{*js*@v4PC1A422C(KC7BWD?Lbg~RF{(Ne zZal$HslaD0g54@mv-T|6_4zOBF6;MbDCK%F6dhWa#3~j!ucsM%(aUfgE4Cdzm==_k zU#v`84EbBsN5pBIN>?auPnMou^~dljxN%#&6CaD}RnOK^H`}b~zcsFpJDS(O73eA! zot;ie7*?ilkhdY|`A|a8^UW1Yv|}h&oc;DZpbC;5EOXboRJ-+aI4wDz|Pvni4#bd`Mt&*ca~#G11Q391!WvPTA2-xD40JKp?xCA62ia-(9hc|T^pGr83 z&q(eGxthEGs8**ffH;MzW{a&~Ysf>qn$a0#Lk~&}sV~usGvl47n@iFuNmQiK4YqoJ zQWRXJ@WP5upII<)M%HdXgDQemEFb8V^A!Phsi2S{^8pCrqJz3F;(SEG9Ww;9bNPU< z+(zhp4%TJa`Grn3roX%rZ^0CQ^N=Rt{RlR!Cy`G%ker`4a<(vo!|9=KXr-?fSe{5D zn2k&M?(8Ht3WVd`UuZhx>_va^8`oWI6WnPN04N#)&`=J*Bk?({7T#L8R)V%rOpeMn zhZ1Q0>OM5MU)LUSjp?8knAIMSsBZvr^~q%JyNnM>1<+;1;(!lfniI|zT~FMT*pnKA z*nCbN*xf_mwDnPn20eC>tgXmnHcZ8{j@cIcB?;O&O`i{jy68?Mk{saGgjcJ#{{FC+yyZ+ zBx69lzo|7fA$)nV{Z!zKv?);cXC(_*3xF(`q0{L1TD`%mh~oe3o~9gwfD|T+SH9%1ZR`iN8=@a9VK?yUw<_Rq&V=_`BuK(sS3}A)jZ}jv z;kz>FCtKf0!`$pc%Y?@{?nWs{e;$><4?T)&tB z?WXbWtTNez?Os#R#q3&#_pkfg&Oe&o=pmv!iZl{$Gcb-3olh}rg8Ap}Q}5{d21mK3 z?zkNYc+BUyyYCdOo(ZxvAx=JzZ*1`SY_wC4+5}%`HCUc)i!Tl_V$W_|uGb8om~^8BryD8~>V|V6V$kNfbiw&)QuGhocnM_u-__8QZdEW4!UL0aReAq9o4?EZfMo4HWb$W%PS}fD zB9%84V)zi$kHRE-ESS)Z*F3HF6@Wc8!x_xfJ?)qy-_sISDN^@5__7}~D zsBB^7a+Laz^JdzFF{Kzojb{eNLxZuJ-zq|}$A%qEH z#g=OI_pJ)qp+7Ve>Ii$Z9zgreMaiilEm+Lhm2I#DpK-v|_o~9<1zf)(nw= z8aBgCS4hdAi_PzZXeW${WPl1Rj`ml zvmt9DbNHP}BMk=1jw;x&W}MQ;x1({~HCd3|5L`(Eb<7Cl%}Rxh*M4e!8MP<$Cdgl= zQV3Dsx$-cJwoE3)Zm6CQJ9iZPWX|4@Y(*S5-iNGB#?_KrwcvWX0+7+|#;?iq{)c+F zv2zyN&bODc(}wMue$JA0`lJ4Dze=nry^(2?lR{bE*hcEts@OAQNw#Eyt-mTfD5&0e zbr>2$MpF~TPDHuLF$PFBbf_^MVSc>;68@>X_p4GOPW$E{n%e(UcdG}0&zvwq+b_+m z{*?vLeQpXWp&udLG!_XocZpKbbxo(9FA)&YGk%<0Gmd(Gq_(uwA&omyG6(ma3q7JvS8OoMIg^T-!)3suA ze8iClb{8C2xvUzA0Kr$0V7G)=1Zz+G(ayBGuI@HSSV-?euqex`{Pm#7{0!iD?Eqky3AsIMmsq$~qQFwnLPR?jl($q#Z1AGQp>Sy@9>O`(YVXajGq0$2&RpYcsi{r{sXUOH>DxSV`Jmvuzt?*MmQ$IhJ*iAW9A}N=j zhVEon+fVdhv;UCwIPQzs-{|$TxHQ-84!I6e@~B*u)m<$<-Ia1z=2R_!|C(*Afh^57 zoZqOM^d(noMy@h37|gk7A&MeVtu$O0ytCC;&E0L;S9=vxv@Z+dSP;o-F2~rvrfbZy z?AQ5)j@KrdPZhM0yYv#7dF=`EEmnXIM-jBtA5<7T6DvxdZ5eC6RhT`Nf1556>Q`+y z`j-4S%GnB>*2hlZv@#)2D}0j?I`0IE^DqE`^MJ2xHINw42H18W{qO=3hCIrTXhgrr zj)ZjZ47ASz1b-NGUR#K26h4Belg&|CGKVRvZ1^Cjp3V{+Y!WeP`HEX4j!Y}q0L`4m z)**;BX%(PvLQR;l0^ZVZ{sVO`4zj+g6!lACk|_S4z=EG_Bwl|EK3f(DGNlmp=PMhZ zP_gz11-uudes6>23x~fb=76-f^YRBSe7;mEq53l!h&$t1!Z`*>u`S;@7M&IZcfZ8I zx>VBsB=bK?iXx*H20rg=Y=b|+3%2`(jedj9xGXdAU1TR7esS}#h*i6+4vr~Ye*&ziPlO%DoXfudl z$)-V>i3Q2P8O|qL>lWkz(sf9oXihU0pOl)Ew*#-6T4B%?ShY8zwEOm>P3Q)|?XHZR zRCho=;4nx|wb*BtVHxqaE@F8G-Wi+@4P!>ScDjs&g$!Ru8Zg-RDz9+>Z4boBCNt!o zGgA0e>vCNyw%dWX8<`K|Ak_NDVs-H1y{R7EXpw%}}1YGmNRLBTY6vDYpsa6*Vu zVLHrI_U)Li=>f}biWBvGp_p=fS`yqU$S)n+*N(XqQ|`SIa$GLMUiDX zXy|AD-~QjrRKW0XDD$cgNOj7>hd=m^`gdAR*zlBqh>mkD(C)4?em){oQvU&o2s7HJ-RGFckvf;n!mBRi&kGlhZK z*nKaNNnM2q2YtU&iHGF60<|>%psAkRD5UD>ogtzj_ji#<%a3PhfE&LrsA@L1^KmS{ z=C_{8zd#I61~jU67S(|?ZM@8vo(I}+Wd+{((p9Fog6doWIAOYG_W&e2Ic&02m~i&o zzo7nTJN=%&e3{cyLvS{P%r&{9DP3GkDW9^IEJ%76AAoOFLX_n$Q@xXsRdL}}S9z7(?+&8GukdyMcto z54z|jn2Wt;Ug@SDe9TebYrpTT+O7X29(m{AylDqm?+{>TT4FR{Jp+tuwL#8 z6Zr)Qx@wwrg6rIyU-n&WqGv#MXb@uY{_Q65kZrfG-RyLb$|jc%Ev*{|k6aG}4Yf z4!Xx!|Jsq4vD3h_TB|(bls^CM-kT$NsoSPE5kB!|P&-VMA}IB&*GPWbmpG$5-j1Og zCZ$xjW@Q@1x&wIsyh8B=C@`A!86Hmh!t%|O2ruLZ(b(QQ{*Md)4S-W|-Oq7F^VUYvaz%%)B{r41?~oB9%+}>C?CP^Q(+Ah%x2yBa5#2F# zs4GYNH2Z;{{I!}8;!!S%kT0P`&6VYPYTr#FSQDWtL-KVZ?izuH3Yc}3U0O`8UTP0u zF7swdqVWWIZhQxQUg9>!qhZ&&vv2kJ(_{ZvIa9+T~bD93A>a zrtE<>s*B%`NFqB`x^>$ozI9USZXw3MM$XGNDM}<+_mUVMygeLgsTj8Bzi>2HcbHTw zGntWaD?SSU1eRl0cKj(9QTGo2Qs#6MNLV&}@u*J2s;vNJe)cLnk4+P${_YHzLSi{65?8My07sF$WMAR>2>ltDGVp*@ihecv~unPWv17L|A~LV6^CTbZ!NRe%L2ODF92jio{YKTc|%l72~ZjRLTS=a}>4A z?ELYi!Ai27Y&XcoIDXO0Yx|rl+mV9j^*aZiv#X4 z`)|j?Cz@z)<;?M{-nN=ni4jr?r+@5&ja(VRct;)FJ2Gy~_t{q3o;|Pu05V;` z@lS=Az1k-iO7T3XozM<^sk0<$Vy_2GZV}rx_X(Qx_MttwswG#D*1|o)ZF;E5uS-Ix zp;sg9g-jmTCDpFyTtlY)H88d*1G<$-yaD?oB}c*-p@G>d<6)*vNWY;wgNC-oiWMj2 ze0{#8FU{HpAwl-jn_Kac#9ZJ=wLn7D+VIP^qC(WX)_zPn)&)_-?c`d zsvnUR*T;rRv#t2x_d#Wc+_r#3@y_H4b6m<&S)5*Vs_R%(Q6=|2tB=-$+D7!o-tUV| zL)m=Lca21thDbhTY|I=a=7f&7Y7lmPg%{#dw#|s6FS_t^`D0h7NS!^Q?MX9WRhb%TmX_ThCQ9$CJ{ur5`sk^|%Y3+=9Duf{SA( z!*srKr?x@x4l0jq=AG$TM_1!$;;lkV;|v{@r+s3pOTFc`t6NSp4BflOHJu{-1$%A6 z;bVf(){zFx*#15BG2ly;rs-$;lOO%oWc|6^NY1f?yCbUrx?$ zO!g>~)alDmJ-I`Z6F|gDVUNpF>%}MVeh_2D_Q}|vdmi&5zb<(4e{bT7lKwQW<8<1u z@h3HO25xIPLM=yK9o#~9py<{+2Ih6S*(ePwyaON=R4slmcJx(20MS()XpY!SNY(18 zog6#VH=&f}4hYn0vKpIGsDKVFHG|3ZcAv7fvr2pgIP8xhqKqTWzBP_T{_1D}zl^b6 zz=+$9Z(xPM0M54sM&}32C?oLK=vS6M1V4`Mtb9mL>Mq%l98o_ao?y_bRZ&M(en{^5 zfYKbvl*}H7%XV3$dhHX~vo@m%5m1H_KAirjfJx^CTi@4>VpRdk88=*Ha{O!%_A@!` zG^sH2Ud=hBTov5-R3~0aSnRy*bLBd*05YltA$O{-EYrWmYjGkUSWr>xOug`(lOMM= zOuzsNFtMSz?_h6V>a2`He(7@|qR|t|1oI&` zd3B;?!7fHq(sH*n(@R|H8vAZGAFDszz$|cueaL!Jb24FC_P~?=Lb@*VF67T5KQA`0 zVp2I35>EqpBHhBGF6g8gJ~8Q{ASg=fP+ECz(RK!d$Kq8da(KJsA(XK4*Rx-& zbHONx{di~pg&z3|&;|u1ZVK~P0pdh~I;TBN?mIoFMb=7n6ykeCei_!PkZSKNnT|S}rW={k4B9Rgmv+kANa%K&b-}d^7%;Gxnm+_3 zAIs(2H9WYM{L^MTfAGC5z`HsA^h~F9DsvYM7iHa%+e)X?Xi!*_UybVHu0p7l4ef=~6sNQn&d70HF&=DSg*r%tdiv0nuzNyTBEajw zM3z1azq6Do=3Qs_hYDV-QGrRj$0@*&C($|Ig?b+HwK-BWbV;mBvg*_<>w{zZ5L-!dT_iWumTtzI>3^nNkTJM88< zng4-rc9wMUt?qW^A=HkqBRJ_QX!UBMMsK*Wrhq5$hs`A?4TJHmYC&E3+S3Qc#+}K( z>gt^whbT=Z8An`=E3P*NJ-LjFJ=IRm*{&-;Dy#EY4irJP^UvhfO?SRQimX0k^Z@22 zZGZ`Fgt_a?>UiE4aw5~v>PK3$Rc!czmw-$cS1~Re3-NOX2r*}Z26l?!Td58#sdY!&FWf!x|FAkaqmTJpLDi=`LOWRw4eK>-J zrq`mao{;JNW~dD2cbHSL10D`K9B3IU8`cm&_p1#2cyZtO43t1i;3Klmf@D=ymV7mv zuzA;>dlWr6@=|~%6Ex1Z(Ky zb{&>{LYX+b>$dAM^N?TdT`9HPOXhSrxPe{Cu;hqs@|CIi5aLNeQ~}s#`4^(2mh(n$7x{DSS|DWN<#AB$F2~cd|zd`H#fE9t(ez6GQbAM zL}vhB=@=hp8JN_*Kj5AxqDj-!Lmd=5ws9JETXzOXp0eQO+G*3fZ=&2Np5oWK8qRRr8q4`Nf{s!9x#XK?p33T}M+?06pQMldiZG=pBO0;BwCVRV>Fz+l;3(}XLG6xrcF7$|b?(kX+X+05nE#<5gK z3j^+dl@A=jnWj+(FNWRUc7~=i20SvV9&gc|RE}Ghm@Em>)j0m_@WJfN+a1&Yyy)v6 zm^TInb^|KPx~PaJ(V`GGun@nt%5Hwh@_- zof@{EkuUCpk85;S2elt>@ZQdc)u)GwQK z2V6ONLZo(q;%2VEQ~Nr*O_|m4WSfdR6$B)ud%Kh6#@mxdy-CZHWdJOd(7l4Q>u#VS7^@aI7UaaeX!kjGp8fwYRmW_>=&~6U=Yg=>Gu0+Y5Qj_e5KEAxw{c;bY^xbJC_6DDU2ni0? zwTf774d+CgfTW3vA5EuJ#;={v23LSw`-srpqykoeq-w9%KxnJpE~Uu!r&byjA)nUY z&^8ff==zJt1c*(@5(`T+_V!vpnG?w0s}=c3bfo+H3pRLNlV$-9onB%jstW!?qamPQ z-boxl6~{9`+$+pY+vM6wZKRgo=twnfwtCX;BDbdc6$1Cl>9h=3&s}CLH=R!B9C{aq zT!LNSP}o|=SPN{j*N~xoE2Mhosd4-JjH36CA!UsTAY+3X!;|`=3bt9VUng=?rq$Sd zRr&ao1rIjTQo3>ryaOAFCSLAn{?<+Yf=Pfr5)w4?kuIi$j3wOj?`5u9!UM9H7Q9_N zr%r_mYLpDi-}psq6(tE+M&B7eLxOgIfXsWaq6u9in0w)Y#UP29K)Ak{ttnH?fMCMg zG|%Y|(t1p!zBOO8sM@f=P!pjL9+{^}!7MgerYReC3*wv)A)>=huojtsbXM8Y+u;KD zWx?u&Z}d+taO!Y~c5Noah6o?>JP(f0!ih#)dKTg>D^g%};28}>V1J1;7L+13n|Q+x z+rqQ@ve@DlSI_n;AwoThH6TK3PbMIcNvF^e&+S>8mt%wIvk9FmPX~v=IkZ;{R3qq% z1~xAW&!sN?swI}GUzrDFfb|929pM2*pY*_@Cb>o!*WbyNR*A*;zG@dynALU))eOI_ zy%h>*3hOtnb%nY3nVJ%)p$W|p0t=lRiPI0fxh=zH;YAO|^!-YaK6CGSw!osqiim6* zU1CI+GdGr>OZ+*upDnc=NmP3pW|Jr)-HetCI12JBR0#)I3De`(t4Gw?nbd3ODoouT zcE6XD>b0lp-DSoDt>gE~{w|IJwx~$o98!_(6thhMTli$d^V~0V8!kyNr14oj)rug)1P$RoS_hlsfP9f}y-(ptDX%J?Hc#wioCOfGW3#aIF* zY5dKbt;SBq^Yvm1Ny|?Mtj7*mmZQHm2lS6T|- zbyb@-Fo#An@Jb%gU(e_a5>y8Xh6ws`O>K(6ZqgWiMqgrgyFmdt>QLi#I32a`X`Bu2D5WE!A_-Kb*GaP z1fR1q1D;PKN=`o6XoCC*m|puaZw(n^wkLJR()C2EL59C_CZolwD0Ol&CP z0H^_X+OL6>QKVeYne_o|fzo;FIpUe0J5xb5v#LdJD?^7MK|?KoF<(CFXKHK?ctV3y zVKOXHW;R}|kGlsfa;R?U#C@fD37+C;N8;RB*#3iMuLZ$$f1@;uo)3zhWX0Xr3Nt`D z?#nkO}T}PeCOn3RF8j-8YtA)KaCQ#D^{Tuy(j_ zdgy?E%UB~PRvyNZtaUEpK*H3a7h@olbTQ64WJ zsJ64nJ2z6O+N9vSN(CQS0YKv%vY)ccK0BUv$P^h(TU98$1>y>cj>U9SpbT>XY~?oS zUnP?PT;X(zWH8Qr8V}$tx<#ju{&YYdX(;>nnm;e_*6K2I^DwRs<^!K zr9w;WP#<+Kok(YR+5e~0Gl3YWpQhNV!z(C));Un)+0vU|YO>B6nm>eA`9%`*s%9u0$(!BZtfgLp5f*?xayokZzOp*oDfI5hc zDGU|tzxYUr-Sh-L(+I`RpO>n8&ctu%_l;}wQbUmxK5e$5OEsG^(52d^UDmClwHR!D zE^|1QmL!SqLGJ#I11oGO55d!W2xyCo@Fk#LP&?92EoSPiP}8HMOV2mZOrDMI^8aE^ zJxgLX`Cs#HIubaGDlpj?i4blwkB^3JA~@S^%V9q-ve*pWF+#w|3p=Ken<;L2@h7M? zO}UqifJTA9VbWUd=s-?}S(WH%qeTkE137VGOErre%u!d38o5n-ljUq6=J8B&xppes z?L+0aD&H7UkWS*$bM9c#)UgxB_%u3eYi;g5#hGQ!TEtatTLATER4mDkaFF5#Yy6!X(EU_0D*cm79# zt@m1#59FkZ6{x^c2=QaXpN4+l%u1;edJHjaWsJKw3Su>33QU?uVRSE=ZGdR?8een% z3WT;bIht5ZgH*lR;6)NH^DWWOkR8@_GR}QQM$xJE*l?OrL;%jsrxY;#+$B)CO1Y1c z-cuM4fu+)IGF3wv%6HBj!|o?2f3GF#{?KUwwFO`zw0GDh73!w17`RZChqcK zMtkY)@e-P__h1*J{FvFVEoC`qnK{2~&MhZg{->B&@q! zd`qf}wc<8$5Gs19J4q0CFxfUgp&Z91Hdz9$*kfzpSj-04Ko&^Vb=<8*DnbR(n`+Ua z=pEf+tJDmu{HIhFibN*`yNH#?wqtvorX)|WnC+6%0$xb_33MG#H}_nIQQO%}8+z#9 z%$-9JCVU&(F$ujDgJS0p}AE+*h>3BN5ImRD8c!` zNFKoK@C8=-5=mm8nw_N1Vir0@!l^d$h?4>nr3U4?CtgbS(6x$30e$KRFrxQs}{|rnZ^>8{mcD8|z}mW$HiWQ9n0ZMOHF118iS1&J638yC_25UWNY=>hput!TbUCv-#&T=!W*_=^bURg{=s@^2FoE$V!BpD3<0ctCtZ4k zq5j0Y{&F<)Pn<%#R0YS0k(R&UHM6uMonXyQb&kU$GLWGcvua$g&%C)tVe%=dAFDFNt zwJ~j-k*(7om{kY99ZF8Og=Pg^0!l99=;Lfk5bvu(9HM2BB;Ie>&B$b8I;xFku*hVK zA20-f+m#2Y0g3DMF-AX7LcH~Etua;y@+;diAW}I7RK)p>PAspT$r6PQtoaL- zfb$ioN6XAO(|}Nntin;DV0Kz3aOyBY8bky;AUAvWXTOhp4v&!bYMldwiDS^cFp!7U zu=@039JG2vUf2T0=*QdT)vXlfuFw6>_I+79kaAWQs4#ykTt`1B( zDUzPnmg}{Y>(si12p&Y(%Ebco-H@)oqaEX>ywkUE)cuUu$>K;#i|L8-*Yib@u?;{2 ze2(D>@J=HE>--AO4hD;kQW$qUl(?w6@1LqveS#^+HnwLOnUeXpE-k3RE0TlOe>J8D z#9kF<5kTEANVb06=4fAc*&t-U2G>wO{*J zKm`#HR6tS?1f*+du;`MK25E_*J4H&myOi$kmJ}qUONJP_Yv}mjSS3L;F;f>oC>7$3%+m~Cm@c$|7_b$Xp1BfS|^MdJAR%7 z6@(vtI$2oO$@t@}3j85S{X>Ne9%?BF-G-j?Bvw$hKC~jC%2ZFZPB`B2hVVu%=tSBx z`gG?P5X`$3fx62W)Lk=~v$6ewk~87%7A3}*)L=hq^&teTER)H{%ZlK+G3It>5z2`T zi<%bsJXzq+Tn7`fNiZR+*6MX#hQ^w8rRf(MJ`Rka$xoE#Da2VyZ`z*WiNItdXc+&S0SY7aFD7N5B z1kAc`tyNA(y1JWO<{hS>>H+IKZ$7~QHq5Qh|8-WX#6)?|-e5$XPf=eJpU-5}1J^ET zvYpGdi}-;+^R5LvXbCM{{x?d0?s7*fO`bL!c;$!Q4tZ`T`u_Ih_4_NcO3YS!F*aRv zVN-GB=cd&h$_!^@th(N5GlJ~ka;B?fc>B*%U^viwBsVnyqA2bcUQ*+e@6G_7(m`^F>zl|U0Dug-o-pI;CEur7m*mDK=6RBnuSGS5<8S>O*RQxHj9T)P<;MqFqVQ=3 zsE)=ba4A^PAfmH`ejhqo&b1&m4Q29GGv4_1Eq>l#i_rw1y{(caMU8NWtEBCrUS;3o zIxNQ6d~2j)v zG6`i>P%=sqM=8ei;;5=unLU0nr)Gf~t_lk?cCv&(*>vra6#^m{OnLg!fe`Hd@ZgIAil%TjN$jUvhj+YeLYz z1BXO*gVQuvh$(3TX;05DYI5=d-<7>f^m~#q4*E}3Mhl(xa-2IEZhha-WRN7LV#V$$ z7pQ!rKKdR{3eFZL{6}r0&^+o&5E;`JW z+V2*=;F|qmdZDvC@Q<0&W~v6<8jHCQ92X{48xgaqQzhZcI!|9S`q0U%#xAQBmPS2P z$SvC*+L2rmepQ{t0NGMext+*Og*-A=8%6@m!9ZzQo^fXVkh&OL3>yI%44?C-^mvKM z!qkCo51bjumB_N-KG96CakM=$4DVe`*@<+#NZaQrVNIZ~)OAEPkV5`OpVWEuUS2(4%=5r{t{>7#VxzX#Q1LV|@aLam32A z@K}CZ;``i7STdJCvw#zC-NNHMu?bP^Jbag%1R#M-K(f?+iY7=fz8l!nD_rS#znYL_ zVAo4zy2=zbdYC(FDQh~kiccQ5umk3@%5ihXAVPu5ycJ~*@NWkBq6rhNKInxAWgLQ9 z#u8b}n1~c9k2gGVQ{XbJ-*`R^EPGp`o}m_US#YTuGx(t;AwyZ~+He+Y*P#kpaqt_r z@G#WN%I4n!sebP7fclv#NGF{w~Q(lWZ&h zgnrcm1ewH4+_{aS^81w0Wx}t#-}n5pDY1U^hxiu|gL`rbb){?Ry$+w*C~w33%e?6c zibre?UekBq>XhFfb>=sWXZex&rs?31V`Zh+D2tR|N^sr?uVJYDWmb2T*|dK9I&bzv zYSl68=bD{nPBlF`RrGQiQe5Rs1{g-2;bZ1mkFfOw*|&5&M(eojC@*1Ql}QQr%znf@ z7LB+Bb)XX1oCmJlvgw?fSpTrp6U`go?8Lb;Wf_r_@y)dmc8Ig51%l4P2jLE#p!$_q z6YfTCznym)Ih!X%Z>wy@Es^ptg-Fz|bf*tFg-b9OgJCu_teu;7;7BpRjv5~Ro`}W* zf5sOsX0p-;9==uF8I}-ccKAwT1&O#5Yij(F<<*d&j@UkGC`$4>MwKz>Ei_=&v z|048*)$*QTEWzu8#x65vsbg#7L^~?U8tXm$EhjBFj=yW&p$*>Jbh}Or*V=JU!T!US z)lOG3D&$W3(Y4>N0u{$HdE&P`xXr;2#W^ppjn#dwbgX&imfJ94dC!m4Abd=fyRhb* z0gkR9!k%OtDk)mu)$uiT{EwqZ*Cu)-Q2H!Fr?-w$z&AHkkGF*J)#D!u%n?g8(i-6L zovC#WSxW9JfMHRfv#}+nr`38f$Oo)ClD)i~Yokj!a8Y=c0}QCG;O{Ofw^fS?>x9MSbR zKA3+iV?woxn~9Ykr)72>Y2=UF_=jP_*fta_`kltTz*&M9mE|lKPwuQ&YB+QUZYA$4 zOUZJ%b_>svU6!c*GT;%tW$Br68MNHNaxAss#H*{!wUKvbJqVo{ zcR;F|KsL4c-PJyi_bU7EP2N~Qqkjh4Er`5WANweGe*<{jw>^IO+-l^eKw9RH@o&F= zbMgHQbWKswN5HnJbmH~xQ~FD<+fIABo~%;khJ7O-$oDBHNS@o#x@O-9l1>D3>I7D* z1xXW|Jy($S+TOu_usjN7dx|V!Xysjyo9aBRM&~uNd~n972Lpgpb7+~^?&kom9xP13 zJ-j?SzvSF9CbUj(fV&WoT%^XCN!Xv7D1DFbA$~iMn9pH*)5#dtP%Cu1^GyI*Y=YjX zrN;7)>Y^?kA@O5X+rUUqcu>4-dv5SQmu!6#X3;~Gvp5_hGs>9p7(Ocq-*1Pu#hFjPro z^WDudH#?*CcfesMAFUXOV{Ma#ZDP80?Jz7~D4(bn&Lp}uk}>-o#2Ju{8(uw4O6hZx zvzrD<6cd|q8bZLV`cY`ynfP<>zOPi|x5=t*!-6Us3Gk5Z*VqhyASF~sa#eP-?@}Y? zrIHuH;UR23%@zX*205vB8tm7GgujyByRNDOF?47b@mz*NYN@h#oxVQK{dlMBE1A6) zQ&Vkxhq6iBtdQrszoaRpOQJY(r1(k}VkO2> zDPFBX2)db(;yxF9p4uV7SY&BJSNw*=(6#Ewq-XvtMRVj#H$PAfOS$iuCo;E>UrKH^ zz1LM~NGod3PccPv`UwV4?^SNXPPFhKRIB-c;i!_FqkeQfI1=Q?4&Ez*QUq<7zo$+b ztgnFUG@(p!<5F1nf&y1G&e&}XN@gI?OVj5@<}4m*PUhZQC*KD;Ri|?Qa$19em_vC< zL`Rm?5^h#Zk0_bz{^#;g>0OmXhid>C|guiEKWBySb!n&{*q&Vlsz_1T&a!7Mp+|;V0rrzwE&3{`Rj{ zu4S3Y6P24n0dU3AicWqxOmf98MierZ_b+s#ima(bQue>rPCQ?03yvD3qnnu;;Q{ad zh9jU?LOOfT#`sEE`qCa4XEoi(XH*5#K(M_xOscY9ha@Bwny2giSPrOCOx^z&si=d^ zx5*+DkrAoqCQI=H1lm5jdQS#oxjb%~BZ(G*N^^%OpkLpruKj*DTQ_biKmN-p>X*~` zm^VT+n#a`ZTR?}uxPebX1}HE)-b#_;QJSAb6&tL~m+#oAu%wK}VJ72_F_hyug^xkU zE{v~fSE`nQum9L<0aZ#MrH%U`P2-!#<&7zP4(3s@W#&b79dt#`xNP{(60`FqR)uvp zpWynv;bF`VdPqjK|4F|WG64<*yixwa2Z?w10lz{HhGI^bod~_#W5xXoAb!>d#GmYf zxM374uyEPP*J0-IdNnjX0k!JevZqd^_~W@LwDu7 z+(cZ?uZWq9So6-3hUlj)~{L4+`;9S-#G`15F0;rd@V_tGBQ% zW3{aL2Bi(HPsU_re$yW8!D*r66!{w}J-y7ERs6k9>2;+*YD>#JT`87Jx1iqn6Dp>kH(}wZ6n}35Co%&hhHxZ`aVoUL| zajuzV&9O+8_<{W~N$Rc`;k@c+aFfYE`A!pYW~cF3ljvy6x`JvQ%1XOtd#C}8rg;p5 z`lb^HCYMa{s3A=BfIt8A_55Ny`D&NR3UoupNTbx+=WOFOS3VzkGyT3rYsK-U_wrK zP4*v#Uv8BT!#qJ?_l^;1s`LvRBeTutzQSpc+Yh+rlRw+>BWW{L!2O(cYOexlobXva z(J)$e$K5&Fm0vTxGxZ3jAuIm`^7eFCXLke05NQ|2wTvAKoD@OBqqXtE>FHJ2MnW*y zC_aVu-6~(k{`68?A{pSCbh29-^GT4Cwzt?CD&CRNGjVTG|H=XwDwIx+9183o2D+P# z)VR-et^jGaChD(joMou{Ump`qR+D80T2CtWL`kf?*|_X$K;lxFFyVeMPD+LUS-5f< zBZq7Z5{P7L?P&_KW>Cn*Fr&QJ*O?+~{{$LP86xQ~1H zv)?8zCp)aeFr<#D&H>Y7MF{c(1nX(4lfe-m=4USgb=SgqetfF7PV#eD7r%m+dHsv^-ZZ$zL z^muyuCLd{c6_wYHkGmP@2aXEy#`opLz>)Ja_6itnjv*+7ytX+zz8!-glYMUo&anLK z;lvgsIJ{Rf;c)-(>EP{-?mIG5QHilbSC*BGdg%0nqVaI)L=&VOcppko(hDTvR_k#$EL006Wi$ARF7g^dD6>vqZtoK5c_}xkx2H3 z8J~u`hri_4UrF*BH4NK8Xzb(XO(F~u4L02INe%ZB4KC!`S(7CnOa3qh#UYL(r)(~# z5DK;hME^D$L0$r;qm+Eu1kdg)ycMwT8VoPp=?tpGL@ri@n@NU?CHc8n?~GLqzaL4xDKx z!nNa^vtOc*3@#{?AR5zOxOvJde4K*378WI}nFGuZ&XQT^cH{;ETAxZ(QPw{CS^$U) z-|jZAYzQ5^h?OYK8&i=;yUfv7m0dpuZ>da+wd33BwZDfU8R5->t5p#OjU?>Gjf$pb zsu|AeAx_jO1ermj30fH&lGHt~5;#;WhTrC431L}N?0yQxzgv7GjRU+xdxp6tj!M?mRtJ>LAz0AS;YXMD{_@MLL;_Tbel#cAIR)56O;k>m~Ex#;% zSNZ_|w#SVsU2kJc=*!hXL6IuS`Z3dIl7J{8a7bss^4+v@D+7kj5=&Hf5J9TZ1b`U#KK3_UleOLKf==NSF@bESnh8G~ z^6fia3uz#eVGzW4S>pAAw|24Rf?-tn2y~2>CYON0bwsFBuLKz*EMmYlCLNI*FE-|! z-zKpx+_h$%X)d`oxn9NbjE}%(Xt`oo=0G<2{BT%S5??r;Ztkhp>aYgO2SLA?U$~|q zv~<1;)@Z7Jf+Tc>I)D&!1-a~ZUkAo+pR!HgtC2jkiLjf^gz1*zoEbpDp!F6aTj)}J zHmj~~zeR)&nW{Bq(R?EPKCBD)>W5?R5Gx>qt*!(FDNlZAU*XZdzG~ZH0Ea;?o9u7` zi_WVF$$49K%J)8`zF5S|*`UM`WYb|vUF|B>Nb>mmBa1CDF=o%H{8+U*wdgNZ= z_br#c`Lxf%mgRa~ZKc<~#a@aA_YT{l+KMYJHhyly3$$_jnchyYDlY^uolU+=IQjMN zmUs+E&!N~oDJbv1`wLEr?lJWyc@wUteZM-NB*J;nsj^W586GEf3jN_{dQLHjFVRjh zs+=IDxdnVv%8ef;EgJSjJc@1;!&Z-R4vmm=*rTl7Z!P%hX7jUMsw}gpUeY#50v5N$ zO^4hDG|IwO=@e+#7GId;V^okmE3q(>em5^jYKR2>)eNrL!$J7qS@Mz5S#-tp2#^2a zL0s49Rw$iz?Wz87abaUl9aidhzl-@~84E(p8NJu(C02#i^CxE8-5d!Cl8FqQ*$)|2 zAhPW>B2$$@ z)CLO`RjUULxP!dGIr#4PF+yx8zjjU;U8*)DNruQAGI+`)FgDH2R=EVrsVa+P;sT+0 z@{RS!`vS6w>}}O;Y&uhDI}cU2Y7WciUd@L<`PM~yG%_~$h+;~28jEBE8nzYtXR2qV z8+Q$7x@~>ORW{PE-K4fk?1Xksd4tE~L^o|53$zcumFuM{_-)zcs9DS)q*m};b{Ji9 z(~k?)3vS|^!3icpg;r}?4vw>>6^}2^-T5U9hI%}2O%60(HB7m5H8wb^b6Dh>*PINP z?63PwMhYbrymKp;u-h5ZM6795*Fd6gDD8VcNIeX#Kt^MeDxCD5kulQjWUaD^6LgoLZN&-}z>11PLggcw|>k(*eg+|{Z@ z5*xo>_a<=o+rARtY_QOLIw-?REL4hR33$pM# z`+8sTRle{efu-vp$w>(WNh%Fz%N`3ZxA;#WQ7k5-dC>&a_I#Mc#xsV6U~co$jom@{ z4ytPup;3tfA%1pmnoZRW##XV7TUK>M>s3)-g3TrMN*!Ka+k^ZtXWTEcKbOH? zbA0T(DToTZcpy4h-3ZdmOh9lGOdQVbbmJ2B>>l)|!<)zBRrfFH@!4P5SLh+#!L6T| zl2mR!E|tun>jE%KElOX|mVqhU2Gp?)n<2=3^{b!6z8SAKSG(oXV6Fm<#p@tok(oGG zfdX>Z-TDYdAdwu#fV^fU*nJfPK!6F9PJu55Qy0ALgJj=!me??Fg4o2Pvng;hn8op8 zB^bga2BTd;x|y_Qfu*QAhscrwBoUjde`FhAsLEP(pNXStzQCy~ZWHwd7}spB+pTer z;1maMm_|$w{Nyoa)-PUYpA4euy7|hOt z`x9E!NYPH#Mb%OpxOS2Gge|@pcy82jbrs}lG)2gh_60VBM!Sd^%Sn#l1*-teVUVl^ z2etwNB!u#IbAM>Phm&`*#69?UIyvB;bsL9l6A_GbmaO~7f$h<0aDVE#T2Ivn$3YmhfpAS9Xk$?E=UV9Z43@z&nJ!_ z>kBruFM^hhBt-!C#&fw&4W}3G$~*y6qLX88Yge~|%0q+#II<#X^*~O_-X>CCI>{Ov zFk8veg@4t^#_t!vQ>SiT+ktuK+5@OW8ypUSSYei!Sx*610N;=1!Vn)4*Vge#Z+Laq zdfrzWwQptO5XVWDEzU-((nKkOVCOOHQSXD0`Og)DT=Nh0E<_CbMdx{7bZ^b~*^pwm z<3!4Zt_x20=?-%I4&4K3hD~A8q1%_)r=_v>_UFeTJd*8=$az~9 z@dq3V8tqqrHWLoo%p*BrBG6`5R!Ua9lruJhVjd9Q5$=v&d`C4SaV--UwNqmxynsui z_s(J5UI4`FsEnoWQ_Q~uvnp^WRvM!|a~p3ETb1jgxP*Oy_gP01dWf~l(bq*k-%zzB zTv2|-JYSQ~S;Zg^d?vYvZs9#DjBC`PXYy-hxUpm#P?Gp5>tc0dIrUSC-o7NCa@2v@ z#51kAtC^pdt+MMf_hH7lS2O~dZb6+bn-AjMa#%R;vZQHG)}Jx=oF^b7XjC*)QN(YntgyBXHCG zh9(n)L7c?kc)Aqpm)v*`NC5Kl2E@08o{+mcT2k=fhjk_wt>03+#1V3)Np8Uv?7Itc znGhheeOT^|mR0MgtCyr@2#_^@?AO7u{ObJ$cStBIKtO2^;JAkgf~-ro>yo&@6jYob zV(~`8K{ZvR3jvY0(aejOh){~<#d6r3$t3J(3^EK8|v&|17j#*#&gu3BAVG=Nd?)A%C;A+V;%kAsi zrJKY34Mw4^Qj@9g<(|kmqI;~mU0<$ok-c>BYv%Uq@CH4N+AnwnZ)B#lNX7~J7D$LZ z5`?vinx5n^tY;`}{(OYMO;8k~kvq=ZD1^0B;Jde@(vf{8qA7?SrV(71RND=}*^8Lc zOM1p{yZZBU673GEkUwjXxA`8b=jls*mG^EaMfN)&VZ16p%gTg9Fk%FA@f@*{y-NT& zskwg|!j4zhaVM5Ln05P&i0chPJED@9ZY5?sy*vKg8S6>FXZ&3<$-Ji$l~>~=fZtdz zWifXqq6m<~>Z;=-wN7A}k_0|N!(T4Np0D5`I+U=*8{?b?Ok#gafUN7IaK?{b|M*=| z&JQV5G8b*#SpWf|HLJJClQ(W*h20@P)T3~pK$5j#{*i?2pNIiyWio)h8H7Kf!lNvk zeM)T|DOeV)0Ya5w)N-I4tLF@xO0F}_HnK9*+U+>Umkd6HjNWOyb(n)g82goxW%`|& zlvm&V$e_c9OlY!X1nU+%7I*b0z9i#N>?6`Bs5}Q~=T%vXQQ_-eh~7CMhzuC#pgNX-;0P&@7TS zxX1SXUQjb|Ve5qN0JT&~8)!ZJdiD~yBQdc0<1NT%0cWJg0>ma_-8L_{DxpzJyCwhwuXMAtL;WS5K z`_M+C&q`yA=OH_pdi{n=CTK@p7jgRygA!NjRmS*%Avt4Of%vZzD`LO)a5C&^!EAvZ zU2cQeZ$onU=hvSCD@atkixStA>I)Ky{azMvBz}zFmz>BK zh_QwWW&EgO1%YN8E$Yi!*dPx3;ay_1Exbq5WyKO>Xtu z)2H^sp*w^+kGY&0cIu3~qy^3cqUl|$Ib!@o1QuM{a$9Cy&x1Wu^&g+^dnj@jKFXKH zvty-KzP^z!O=cZ*Hv7SDMyN=;(5r(tK4K#(USVXw;=;$-&}>)q{cyVA*e~1sC{l9E z_2m3mM)l?7yK$V*B(W?k8UKznip>iW$VtxO_ow3wN!UVd0`~XMz$8g?AKgkP*39*z zTK^&fFYuPu2`({t;X>vphum3PnkqwHh_kOkY@fnOntserNuI}jD@$M<)7mY>4W*Q* zMi1@Qy-+EVMIEzB;|I(<4~(R#>{JS-q#R;|T;h?QmgXYM4?6uyPPN-fSC6|;tn>!Y zfpm-2e3s53&Tp412v<^8}xuC}&x{($B5NbM}vX8pvlyT)=F#S+)vc z!X`N0T~Im1`Y;{Y3*spnalW>?eSUn~?rwHJ{1!*|DzDz~GY~4+#0?K(e<;Wn$d;4O zjj<16SU)>&*47@`e15Z%p0H(XcAH($a^8~_8^T97o~4`QOE3#G-Pvz=qh4N6BP7ue zL5j3359@FF(R@|*&(J)af}=KtD(*(G8($!Xs_-fZ$umaqJV^A048Ha9WW>b6BF$nbQS zj+cmwoRG3?YyP5UrhetRa$kn8Kh>UVwqs#sGbRP|C7=9$q$xSwmMH!WHVX7Fp@ z3cP63r{Z|qZ@UiNKH%eavH+7+7)e|Rc_15-7K9Xe8q-*yzPRozi7O-SAA6U`Yh)du zmn8CJ+(|ftxXCt+9Pu%|ep0!t%*5?*}|+ z*vVLAhDkPP9QnM!x4Tmu?kmPgv2e&B6nb>V@4mblG$9s^s)XCzfv2U^Jw1Phy zK0>Bo=@UQU%EBeer4U3JjI8b;;4O#*)1o~HuJ1Limu(8*;Cgs1(h8~mYTY44Ctiwq z)^B|fpYieFa7(ZhejH+;dTv7PTfS1=L7Qm zVW|cCA8tEoKs#%k8UqcWUM;V6NvLL0ra;?VU1cS~f|U(TS10w8ObzC)aEEtZ?0Pv= z=Ik)-O7;Bb6Rc=w^8FJzZH;rZ1GiZN*vnTybXv3jeZ!5(6eiVJ)7w_lAS&E#HY^(N zl>1w?gxf&}#D+pNgSUmd<0~0QE+ZFR45Bo|&GA4rl`Y@=;Mr33FLn&Fr6EhVl+42Z z1+GAiQHBi=$j*fOXv;2B8hC??z!X+BcKulMfHK#GF|hAEP*I(h^~y3BsI=+j#sV|c z%Nvw!%yKsZ7705IrHuAVN+nmvDuX(L_xc3+x42N8Ry%x6H3->dt=uc>P5H9mti_|W zdWL5u<7$mqD+9|-=+33#e005P(5VVKO;y6XgCIM0;1+o1HYhkg$}q!!`JpNJt0GiRB5% z%y>>rQlD&5Irgy2z-H4;3x<>i!-O-9;Ee#*7S?rLa&o}QY5iZxe`EXq_@|kpl)xC8oqNiWgGrZ33 zrm(1Ze@Q=Bvq76rlqVEr`014_VK*bn8iiWzeKClUY zt;U?Cp}K`UM?#Q1wQAtQ`12Iu77^ce3f3`0L{OPlri{MQ%A35sq}2JAOyit(+#%E? zx;w{~6$a@7!QHMU&HfaSaPj&zO~qe`ZfR$-ar>*+5vrWFfzodFFef8s;yBT+XKz`! z8%gzUm<8y#sC_kUM4(w+jEBWbRCf>ANQC4eJ{i&J4e?8zmVejr9X>KSlye$$OD;Ci z%4f~`Q65xV^2>Hu`VlPL%7j^FK)7DZJe@K2km%I}vavnL;r6*D#p;2i26K5Ah%Sfo zua_tuXcou>@Fuo%=MZffYhni&MZQnqRCfApLM?FeKS&k+ot@OaL>&lhT`UGMt^-9P zZmb8dT*6-9&aP;z=;ZB@J<3oEs!t0R(#R33ddXzHS~5y@=aG1|@JVus7{Be~+~|Bs z)vix_NdE}!E+eyhagI0Lf{Mh-v`;R$tTvA|_tTujG|L;f#4;a;i0WR<6p;^Uj?~~Ke^>e zez_{Tjs!ETJfJZkvHkgy?$w|q3@s|K5bZfoVT$fAbgE%wZI*kT#m)iU!Q1Ec z^=aRAXxxt8M&~e3X6mByr;lAf(4<7Ddo%?fG1mi52G+y zX!j4#KDOH!lSXWe4=_6b8pGjM#do|f<_1ob5VmNeJU#uy0`Y>{2vLw~x(J@VZgztp zKzfdGGP(?3u}Ao!P7@MefkKymsR6A%{=VJ+{;IDV(_`<>9e4yyPA zd{o(ZHerBVmq2VzDr|uy0uvC)zmJ#7s^?3@ZYbr(Ea4NKS{JR172m@?%33BpMm46< z{q(z+!#6G0U^zEYkQVs46t0dZFB%`d#)Prw;$hO(*@)BjF@Ja7Z8l{3$R#5mqzwZS0MEf?;^I`t3 zjeWHqA(4Htu9~l7v9`9Wfq#CHiC@d=VEUu05C8GuKOf%D7Z^wolaIr= z=@;6&(a`nGx9eY6{_)uV{NSw|ic`ab5F$bx^n}B15H#z}nJ& zfs+QMGH)6Qb7}`j4E0$p49xg2Rap0))l;P$l?NE-y_AJHFh5v;^QcQeN7@V2c7r7Ss*Qdf>Fyg7? zOD94Mnm@J_*|Vg&9jP+1y-)cMfA4?AGs=7O9``%kZziYaP`Spl!i%R)mv~ zhP;6O?f+l}+`vaEp7~UA49X~zg{s%?bMTU$x5Qm*=0#<_=X8%AqvGe{t&leAh2D(Pb+t!2feqKpV z=oH6L7czMl#H^KmH?pPre?{>95p(`u|J&0VZH#Hfa{!J}pjP?(iXt`afB(AwpFiOv z>dh4N%^N$PpN61&Hvyr>hzK$Cp(PyauPfvK{FeX4XD05?`L{qubU`>oDdjRo^1t3I z|Hp5$|LTfI{*Wic;AYg{8QAo<{PZuBXhcd>kDf&&ya1{Hqks~W4Mg*4ouTB#pb=Xe z(OLVK!~5U%H+`{3=K#K9(Ev)>FbUFh2CNUxT z5Uv>j9R;QNlRBW{%?0}#6*tg0uJ^JJ+~faSUfUPY2P*Yd15tf98d?Ta9S^l*?~{H1bT8!o3U4dx+xFIoj87t`8Qm9FQ9lT^^kHU zA!|FZK0Nybz%C3W=qf@dAboEH3|ERRMuFjRdD@ub-~Q?VaHS>+KW>dg-4+1p0Z4nD z-2^hk*jZ;6yl?-X2rb;BKchv<0N?q++K)8DcyqxSa)z zrdFY=GXMU&H`UwMXzL*vgDHW1XV?YR&+J)fKhFxu ztjynWV%)$$-f>dh&vJ`TA<(Iu6akmB;}Y8)m?n~aFc-6I2qsuf)zGR*5s+Cq2J9X8 zh#|cWWB|*zKHJ>vL0)B6HEFmGnsX(PZf<;nyYqM4k4?f_Oy~*n-L;uCk$l$%kndZQ zH12$GfrJx*9L}S~j_wAPC@>6D9L-l|_7SelFV?CSIRlepWiUUKiLS~{ahBjT8TpRm z02*kM?g(nw<;Cd%5V>kTLSI3~hk?ceF@wZBiiDCCK9fx;;I&=-0s$1PNMwQ~Nuf-$YBo-A}sPh^*GlqK1754^|eLs}AzNqpW+;_Ux_0CKMHJ2@mGVL(WF1 zb350Xk=h^Lt%_lZluWA{z@Go@!Ux0kbjzUht!ZU|5AIYKy8t5jcbZuV3cL>hVD`Up4gZh6<`&Jz%3>^c3d?VH zZ}$FeHRHe3$3#zVGN5TS-pooA|K9+p|F4ysXX^t{@3iKBM)^D1FOD~$`}%divY+Fh zBZ2=#6Y`&Kh7VH!^O!(O_~HKsh5awj^?!K%zEI#HTj3nLtoXm972ZY8cy^zsef%H2 z-Ts?jj1>-^7_K*k?0x^uZ}=a5nGX%9$$XS?Z~Yz3^M}vKCx*f#+4%2xyVLS}iulBa zp+vkur7i&}>G_~QaLP>uS=47hzKkiH=5~GrIMX2Ii;jL8sH%$8K=8oY4u~CxP}ZF;(*>qE6CuD^@o-1}ov_eAW*feNEq#V!dbZ^GB7 zgWsb!nm?gJo0LewCa~uVbj$5di_qb0(0}F#JcOK-es_oUll3;wSu9HQfhyK z{JwcUexc${Fywf~$OEDtd~N&5gWO=!IG+^YriYd!M}v6SM=N-SDO1~U**HyydOZXU zma|Q+2o5gKOAH#ZH*)O@r=0t3mIvg9SNeAw3uerqqt&A1*G)+V+bcGsqLE!rFsh}` z0SjdC87o&vh{(?RApPQ?!9VEE&wW|VBlUkmo=j{s$iN(f8n zd~#p}#QiMH=zZO!j@4KYqW`pnTu>M^gQjx?bbyhxV<4e9?GM^CP=hLg^zYxaX(THF zDM3H(0SMf5-+PZEmh5INBD7p(D;&|>&xTW6w64gW6V^cn~CX^A|ODK-%1L+cQ(VZgpc|&*?vkKU@65bO~+*zwVO0Rr6lRL z-%Ya)g4BM#RMj5d{V-isI0bf;NM&pTmeelmy))8@k7$Vnzd&lc0bFQ3C%xy)(+_Y( z@{pO7zj4#X7|lW&1o6fPv8rGesZUiw8Ej)HM~AfEPXx@shx5s2ej2eei3QLb%^Q*(eg-FYYEVzxXS)AM-J z-NMJGbBf{A*`F8AY_v8VL65&o)-*0F`Kt{(mGMGq=6uoZs#X2+qM}U};ql&k`jBUM zG_zVWi#%3CmhWQxs&(F>t2x`;`NVK`;9a6wuJ5*coQHP*{#q|x6MqEoqmb47xM?!5 z^^TE=V`hA3L?(1AfTUpG(@>?m7l1XHRQD^9%~N&+$LGBjVEg29j%y4b!vHL`5_sO| zMq($zp7dpjRV@jNKBxA>mfbf|@M!NyrB0plrbrfA&=-R<$q`6+Q_Q?uR`rP5Xv>(_ zG8X!ff9R_YbnePO9|x0qN(2GkG#QdN4U=HE$W>@(%NF02KtZJ5*jW664c2k57nr2a z<^8Yx-l$Qv(#CeV1NTurK*G|9`1H-gJg(jB5TnYmX1%@-dU|&?!KCn=9*C?1?eR2_f-i{^eD>W@rAySGyI5QJQ%tL z*cn#q6pGDR1kBD|N>^ho!FTt(2rkhJH>(&FnSb9XjmDa41KigxHUU)!In*~-Hd_RX z_~$6ug*7F>%-}6Q3RbRmTvlpQwQqnT0ludwtl{8p^Y<;NmT?inl2~3-<)Nm;g}GW( z#l&~dTO7cBX||caT+LRR@(O2YWTSV3;sZ*x{_`8*FT-A-(zG-gpbp$XFq}Fa>a0IT zk=2Nq)-UAD@o8E0-uQ-vzaWz=z!~3lEG z(^Y2qGC~U+h^hMGe2;t0G)IX34cm9(#$}Hy+C_ddr^`cm6`(aRUyM@PN|AKVkvZs{ z(G8y#71ys=_OWMxHHCmmYk_9+%M0MW+!4HfGvDI%e3pZwQSq^ZaC)|RIlSmiZKhV) zhVVl0Z|1Zwk~!V8HTTWyslzabg4fJiIF6NCJGj&73gVT+^~bGmyXhy{59TT5x7=o2 zg5?(vAc4^qH(81zmH{qJvzv0xdR`k?BVex=w;A;cg+}BL!)x zfHMvDD{g;srpf4o|Kd#BZ>=*PUIKtSiTmO#GLileA7d6w#GBM77UZ?=$3&6n)KYCj z*KzzE=}AQtuPmcqrZGjKw{eo5T}q6QFP*Wd#ZYRhSA6&ixH#;x8Q|vh5z~_tn5Q?2qy=1N;9ym( z#aiy^R@6?_!`1=LJB8|B)`3J2v$!4?nI1d$g0ar%iTn3$#B1}&x znBv6SOu-&!yqLBbOQOvul~I{2PVI-pa^Wd@R6M_p|(XvZbM4YPokBz_5|l% zYXAXkcF}uf);QpXk`>th{fNvfW%Ky%|A}6#p+d#CN<$cSI>$bNQ>D-$9 zW|j*TT4+I5!yqAQ(XBmD*sb|&w73CBbPwB}(tW#jMM8$Zm3@5w6ARVi3+|!LtgEmX z3RB03)2F7tbguF2zP=&M(x`$OXhEash&PSTS>}%&wG+|y36W(HO>s@XIzA0`lsB4K zOAI)$pYZIX@0T>%K(+T*Jtne*&l(w=?vYP5f#xR#oshlSVpa>WKKf&ppD@w+8tII> zLt^={BJQpp5;KkMI_q{k`WrJ1AbS1}F8{(zXGs(PiJ5-;ub64S_KUc~njwfA9=r!0 z!q>lo!-FJ+_sxEYcLz697n`1+So>?>?zug)vC{D8z~O}&O63@{?G{b;(mU;oa8b9x zhf4(zPqlo^{JzM&SiGOj!+O6!QT9_FhfY&t!)_T7^@ZK>>F~Xh)jv9*FEHG&^|q0E zZ-qH2G$PQ7oMNt=gB;3g^HicJL19AX-ZQgz-7YE_`F&{}ffvHx)Dcr`;9|nr%el++TjO@mK3M4z4bY~WVUAyfH zAzQ+~~+lqM^*$LuE z**TpLSI?-LXiSIvl@LsQk^)QS;>3L*UP6PHOk~`g8EOgdpJh0S@?0#H8Dr#Oe`jCT) zv8Q{O>;f=7I7~yigifkw-KVwD?uojFfrjQvQ2;nUBvMU2;au)okxTP?Htego2Av9s z+e~2#vWzZ+bd;a(t^;l@6{=Ss?I2OGnO$!|4}Am?YY`A6^Wj;J(;IoDtTBH+jz7Ln zN$nRSiY!&cIxUD}-dvRgPrJ(gKK-M*s|pL=Aj^NfEFXKk?-C!K80bq~FE=1uvnqtV zKm{g;JnT(;!C|klJ<;@L_(wuliPaOCuUNzkt?jP&?#XC?_~`8F`|O(oOJv#i{8o-j zc)pM&>Ink-Uy8Lq<#7E32SYDPqMwczFU!Yo0+1mhA$QlTl3~Y~IPyp`<*abNp3wFh zYcRDx_Ui2PnP~6h`1uGQs)zcTkU=;5A6vJ#R~F>@r2#j(uzE3&^OU!4C`br1Ga4k_ zfwf>+y)1v`N$@5cGUz`N@SvsZ!T(8u$D2L3?h$3qx|JZ`n_5`{it0 z@A&@7ot8b~?v360K^-W8fAbtiSq(;V9&>C|Cp?+RWlUyywNGFDQu7ImAMru@9^Xy_ zyMh=<=dE^l^~nBfXSc!0=LQO*q$i&{u>*rGDNAc#S2N-eG){CHH&p`-+U~c3sFZ*bBA}#5he%`5B_SQ+5E4VzkRl}#BOOC1-8poFG>9|| zB{jg%-Eh96&))Ao=e+;9P*}5u@&4U$UDroAM2M1k&V(Bb*#Ik~YPFB+X1gMRIB&wG zJz{Q7Ie%iB=Hfe##imE<8{yWyZI(`NRj>FBm$1~@1>kAy!~cK4(=mU*(;#2{e5V1( z>#*SIO=Cx;0d|zuxi@ojD+{kO8lcTHPk`@WMfARa&AZ4Ll4m+~4EQsKJ6=*`3s)T`3s)zg?vV(hm=sd#R_>(95>@RwGnKQ$dLaBFNO=xBwbGD*6RuNQ z5@Q4VY;>8nM|B!s%>p;?r0_;%i|}_T>t9n~qqXhVXyPtW2B+k01Kep4HY2-v<^^tV zkFnh8^xUxqKWnYl!|H!rc{j_G zxxmBZyGG(c5%J>bZtQCh^NiM!g6<>*1eD5jdeeA)P^No6MJJ!Aly)IpY4@m?mz9&8 zMr;1dPGQ_!-0?Y4{ZroLSy(k|`hF5ablNH;oM^?+L%X%Rh z_(vXBy+~$+E0-lkAMtA>($uo{2iWGfBSnTgAVO9}kF~4(BH}(yViFMoeMJlFF zHghgc+w3oP^P+84+d#PVcFU4b{;0COSTgBNbfWEM4!i5Y{v`i;eYW{jO4*5f|I!ul zs7l+gRK0Ge+swBtcIR|BEpqqoxmGQw&EQUZIiI;)ZtBX{C;lp$|)c*)HCd z0BYmynp7;riV^Z)-b`*4x>)LD2(_U-O`6XMCmPTsW z_N0B^+oO+LDnoqlGH^PNANb|emEmOqC_JPq3_;mROh5j`MfU+9HQA{J{AR4l3>Z$8T4n-9iwX}V>y|%`q;ii=F`as7H9-qq_FJnhYu;b9B$Ca}=s@@=(d^Z=bM(nDjuV2xg@Nl}TQ zZ-#=NaPhk~HM{MdzWZe@3J#=0AYMd4*}Vpa5kY+iiJo0<{<-C+NnSUG2 z6UaZAB9O6R-+C}E#eukDuI<^@M_E56HLqHYpKEx&CQFToKd*Q zjgSGU%E<;mX@c-bX``3@8ha7A&)h=YGS#Pwxo@9*-~v&V_07#wG7(G? zOyu@@9rPJZlEKSv?QtUL_PMz(o&ux{-dq%g#{1gTrJQYLm&jYm41QIu0uV%W<<>y8 z+<|R++j|md`fKr<_)v_hOorLM<}I(k^l1|deGU%_YX2X@5`=*l*@`~BV|O>nzOOBX ziSxyN`D4W^1!V&r+vvElCV2snzo(%Z(RTKB>K_84%KH-~~p8Jt#UiM4v~B#PteuEu zqNb|zZ7HhCw1Q@JHtd3Of9yTCFv(zlG#hXVPbFKOZPCN`pCh|6Z#)!$bqBWumQ;@T z0nPb7nW!)MmDS3J*O(^urPfeWwX#TiShPo{T@e2(1fVK>u=xF?iT=*JAH84~HDBX- z0Xq(H_%+k~(}04{l$*pX>=!%#@K+w`hz(kk6(68F9wNs!a=YtC--s9AbTO=qObS9l z)LOA}d?s&m#Bq`*)*kMG8_4yQCeR%d-<~$`X|Hl*^(Ot#=bNbCzDbXLE(-bk#4l^h zT{X^bk_^M!rRp-mutiK7gR@eaFTPh(0C^c$YlUI4REiMa3bi;V4t<6Z`&-4LpW;uH z50qVe4%e$OUI9+=MX)kF5bu$i+5Ey<@Qdzx!G~x2DL35tLTw#r+8EhocHZ$;gVR&C z5i!?vQ`-{+v|MXpb@_6P|}@Z{p`ZpZqW9bH7m|b$yUr(TCP4! za4^C`+*;?3?3fK|qICf1N;ocqJ|u;*Nl@pB+~M>gp`<4YxuW3 zjv-s0anvau%2J2^_bbIHz? zB=V_7Jvlnm{uYRJR6xI7rM}+c*R^C+s6vq1L7ABDZUABXK47ed4=7vxe4eu=w;uuB zH6!sc7qMS_q;VxEb2F8!i2e1uYge2_1StU-QG%?<0|Ol zE_!)G^wVHzfvR2bW8rGb42wD|e`AY2;X)0FrS^J#B&%w6El2-GO-3uffn?p1(2W5@ zFx`-x69saaOH`=9>K<1Q+ez!{?U?B=^25dSwAIT+7lJvYC`=nwE9_sNF? z!m`>^7P3uf{=g!jV!ij3o}N9+kxU!@V&6=Zc}91Up%8!keh>Aqk}J(^sTyt#wkeyZ z2*ZTOdDInCc~-c`hs^H31sk|ckSOQ&x0$34D@7PzoOSWlvO~$bYlS^J0-QF5)-*K7 zpHc3qZ)s7`svU>lXodJ(&V~~e@q)2ob;1OPyxwQs_5CC9HFHvy3BRwFI;^NfIXx<( z(Vc7m0g|!DgwM&C?S4OYqhJ$irpw}Ergr7jJgWh#t2*k;{oJfEM{T4|k_J9S54^01 zYaWbndx|zKxLITOCeEHe3}P#H?Ie+kG)VYpMwnx(y$I|&Sh4pepivXv@O(3J0>6Dt zoM%1&ns8qPELb)f9y(YOifldi>YwnZvdU5vn7w|_xhv22!B>Ky0Yk88A@!5+9J}WR z?mpY(axcUMjOopZA9&jQq9#qdmFZA>w$pvP#u|G}6yC-m_3v2yO1>fkv2@Ihn}`R=o+3SsVQKub@d zfnl7SbZie)&^bZQ^+v(D=AY$27 zoQ)1)nGE0~Wvua?Q{zEuXbzE^rVRiv#r%SzofJ)5vtBI7VUjjHtVc>7jut(AN3NI^HM)_Jd4rL1~_VzGr&^H*1tGv?0R!;rpn%QQ)@_kDiqa2`A{TK=&>vZ;N`&Zx2wvP3m`;^ zCdgMEKH|rnO0~UcDA{YP209~{-5>%; zO4kDE)4&?kPaWB4L3V_N{^%?yCrjeGb1_5tECF)VX{T=mWVS(&{@Ymb##>9Sh9oBt z&8<+|_mQ^j70QMtw)BGz$dZvx6?@qXhw@`SxJYyq?!fF5seaVs(Gu&4`dC==us%{O zF^&cy;(u7&NJ87z^ew;rj0FP`9ld_2RcewA&;kS_H=ta7dAr4(QdhqS651xx21T@+ z=u(oaGfr*`W3Z4B2|xEQAssZZ1!8e?cRmN;gg!n57t%|2w=lK=58ahw&5?4I9NGny zWLe&*pPb8oY1Djp?aY8iZ3Sr5o2%6Y^#`Ml+PbGI;peKO#b#yQ^(J3(EiSlP?25@H z2q*ZYqdl@cODx2mY8mC@^*ZaV7l?o+%|d&tzB?hjJC+N6pw0syFNrEp0;AB3y;*6m zO^%`S3K)J_({(1?;}5Nqv|uvZ9rp_l;DQG3H7NvyL5-aWTu0?QAV+-we#Yuq_yush zUDaZ>roKdumUhuBHK07OoI{vi%2bT3TtY!fWlgBJgKoLwqiN?AujM1g=B%ev)o91w za_wq%?HL}pozA*gVvtpsIKxit>LDR)Sz_rNsgW%f{92SOx@rKH_hFI0C-uW2n0L8; zbAkhmHe@lo$l{`M!yzf8+JR^}-FP?p!lNb{>V66w=I%A+mcObt^w|F8A9s4JyT3nR zJ)|8ny2m6{jwwrbT}`dnXU#4=*GOUt7KgTZ@~G>`6$pg5%nb#ax9s!p&578=oDYjC zP3z2YTI1>nq7ZoA4aY*(+__{Ipa!nBQEGmbESM1GmGC zd{jAfl|5@q^p^G=+6&}3C^6@L$td=|RV<}l{OEXh$&Hr99G6Y3=_(JKe>pdYYjGga z=DYs#ix-56lxIc3H{=mOckoMx!9SEl=>E~~QNEL7$5A~~AvdRmD4?}a)WhO(SVV1n z>r=?C)^rhvJ`i`k+;DE#O)UO)hy_wKJf;j9Z3%K!1U#-}95TU&$p}*RR4MoY`8C5Z zYESoe!blU4T92=#>i`DXw7pL_zP2|qWmf{77pRv7Eq9FWhjyc<0V8|cZ|1vI%j+C_ zIPGqYv%xT2XsxJ)4&0FEv^fc1dwO9L(R`u(DSn$yfWDIp+r{uJ^atVpHUyE$+vk4l z1&*_VO9}IrH$&j1ih_%g&qe)tLj2wzWf7pk0LiX(ldb>fB6xszvkw&R-=;ygt5pVs z{Vslz_V%(*cvECkjS5Mx8A*CkxejEo_{bJ?jf_*;HALyV;$y6Q7aTt{=Je>;VVLsQ zzwZ*d?vSiIMGwyQMDT4vx&d@C+vY@l?BgovcNd_pKE0;l!68G#KbMo;3EX{}^QoVtw{^d>!7KP1*bAY@- zxt|1B)M9`|&BfFvNzSDy639<*{vvo2q_Qo0y<4-opYYtz?+5BzgC)mx{$w+8WsPj) zYrl|-AuNjo7S2s(gY|}Cp7!zREKE#m({cj9qiaeyL+;&Uw4q)yy&Ipb6! zw)BU;{ZY#e+}MTzXq2bMocTzn=5@=G*OP$kRsK>Zu5Aod$f&BKV1AhB1OFd&y=MWh zYs0Gvy607JXJ2ut@-HC3VX${14{tjbZ?M-zuREVII)5s1qO8`}IEyjEL^K?INFFGd z&ZRVIY8RydLJhVGd|Aws6*Ji_Xa+Z--~xQx%N7l)UdUAJqm4vu z$M&@49NS1JdK&y_xHa!EhKRdm;@>a~fC z7WY0A#ZE{0SPeJUsCIcVvo+XArr8|lQhRzY2f34epWdm1irwOO9fZ62$m+n%fQexg zE}U)KqT%QUffwqX&&|3!F2I86Ju{6=uFSQlqanA_K1^BINA8$xYvk8QUI(q_25Lht zjWOtF_!$s|^lU*fFGnwM=VESNo5eDQc7$R-s1i((Wn0IYR^>Y-|CFo$(a4I_!)wBb1gUC@&Oa1OgF~>}nqtJULV;%kV zZ>K)3a*}a=i9~`u;ghpbz~cry>X_RLpH zO^WUV2~R5yk}7cAlzr_1^4Ety;o!+mb_-Tw(shq)`}SX7OM-mQt-3kpZu&DpaC)Tz z-OPV3VoqG->CZ}b$0Bt%seV-BmY{>CCO#N=Mm8=Fy)HBJ!)Qa_hn4VSr4;YB6P(%^ zc*Vj;+RhsFYy1ieu=fxW*IStqGxI*zcCW>Oi*%Fl3vKby(b`zdmR>=Dt8Ji8!yg1} z-JH*TXwmOyUHH^OL(WM8wkg)5(OWDxKj6*x00|%MVMp?rA1*=&2JYy4EuKL1Pq)fl zM{%8In^@FIk3ZzKaE!)y3|j^IJy{xUkO6Q`KvK5WNJM&`+g`N=dNu$Q$_IBO1K?it z<{xzLL#8Hsdp|=lBn$<#uAsgpo`b_+n)Nk}K;%OD#K&(e)?Z_aC&=-;xW!!MEP8l? za2VqWnj2X-H9vo%H9|IhVsU>Siv?0USz>|IiU3IMOC<6SkoxsZ(^LF>yfmef!aqQ2 z1-!YiH2|chCt9T@_+Nn3Ja_*Bsoy98AhrI#fz%fONPVnEhmQqPBgD6o)Xu*f7iHt^ z*PJ{d_J`_Z8-J}gS#JR)GRUYmL~(0dV5c1js^-0Zz{~p{l*(o5Jz-b2Gt?Lc=3!P$ zShFNlvysx+atZ%V^lR$7j1jpyBO?As{}i}qsQ&^|hm`HP0U)&w`S4|9J3kgkJ&y%a z*ZwzwlT4w(TNIe38)V^_QeSd+}Pm|GM?Ik)Amn^PI<9Q*}R zA7FvhA{jFZ)$i+jC!ce5TEB8R0F~^x6W{vHl6VnP8Wga8xnS1btsKL4bXzRvh<(G+ zXHrC&p_p{VJwQ~%v((fh5M;e)s{f~6jhjq_Qtjj^v8Lm7x-bBO=l@fyGz8`Ap5M@0 zdfge3;f3MhXMZ_PlsUog<=bLghb6hLaP7uIJ!Mrt0U?J016(*-toC^kdLEpcLIz z9mP()a_K;LS^#;ddSjycP0HmXut8e^8#Ho>ii`&&PM{eCRmddyXEd(Eqp0?t&HE)_ z;stcz9i3<{2263~QBGX@oKe@@Mz~Vx4^@JOkQ`#Or}IC|>heeR_ifjOps3tM*7|)V zT+i8F@?oI2g3Un(>SE$W>`Tl`MsoZR9oO+1bSdt5JWuw%IA2(a@DOH8Z4XuVaNRqY zbah%Kb|G_2J@-$3q@Td&KH9KJDE_3X{pA8yF|#jJu;hWXTmJTHsHIO#1>3h#365yz z26B!J7|VIol&{rIC7EAFWj+Y#?Sb(Qw^j_XJMks=omfV@ZpHoX^yWqPaMh^|c>=BH z$#xx36x54`;DiiDvZ&J4z26Sjmp3BZq8A-im9qDy5bOD(!-rP@)Qayi)T);mRbTrr z5mE~sF;_PqgTT>eNhlqxZFO`02=phX-oFFP*j? z{E<78ZuK+}V;~hw@m*1LU(K5Px}s@or?BSr5BC?`pjg}pbiWYmPO}cc5#B=7=-;4e zo0J~%GnsM%l3K~OJ6*YEp`sSFCzEv?HdkPwP$+)0>s6@ZgJkCnSG88 zk@KicpXX0brEX(MAQIQD$PV=k9TZa@ox4_4)Wk4NdwC?4PL6sCf{2A@*Ezk8gErq{ zJF*dSzVvjj%L~s2`|Y__%%<0+Th}uUSj)?`qNWvl^h=mX1IQV#BU*bm1De}mkkLw3 z^LtFaV$2MwQK4JZ4- zsa)8eevLWa!Uv~TApLPytgr`$NGi+}$i(Mh?SW#h*Qgf^p+(R2sRDQC9tA`*yZ7dh zkDk23wrj-bchi}@w6G!Ca>ws14N!^#XgZ4zQdEvsQkxT8$4fDzg~=F@L-`C{2NX!> zVt3F_i@2ZbOA4_Y3T{?0!%~}zygaOVO~1_$7?h5@m_1D2C|%(G!O|~T6)M_;0*VRJSGKVrdq*@SGM=bP#MY=#+GU&barnV-mNf&jw_6S+OZ=8~~VxsFFu z;!zI}>eXujj_(lS&9jx$U_eDUEa)9TjhcnSkB8L#%^R5Yz%~yeoXH^gXPfs}n@+&{Iq{*inUgZ5w%$EIilD0TBcQ0mrz7jF`p zh|sQ&xX6l!Qkn<{0M_-P`7@715y8rb1~u(^dix~gR)WqBnt)b~9J10XIC7y7W;G<% zQ>SOaoeS;GM9X;3(*6X(lfjQ;X5?FOLHDm-IkTD1nW#iQJmNF{DZ#0{;!WlBdhiT{ zj}g1Ms_DzmFM!8DP7IrE>v6i(e1}^5c?*%a8h9@r1w0_pycv9!qD0*qFxw|~YMJ)+ zF%dQx=@6fGBlLlwN^hdD#wE{=Rw{1!Rq=ip;X#490`+xLsU` zxso8>3)uZ3%+C{~TRhtb2?6niCr&z3?}?v@eSLj&^on-DmsIi1GU9u}9A8lp_bK0i zYuK{znE#_NrItM1P3Yh!7roVehVkOqw^Ru#6sA43pU!Z6L^9V+L=6?&49P{I3|&FK z5434?_4ekp|E}faX$;*^XOHx}o)b<~|C0Clr%I)XTF^2P)ja^3U<}sMJC-LG$qGlt5;F{YWi%9tTCtJ6)$p5Xt&^j^doSs~yQ(-V`<61`k3WSM$sqVC zg3NrXVk>E7k;zDngq#e80bPU1w$CS1bozR`)oSr`3(t?t(B+nk9Xb`|j&CZhjWeu4 z_W8xj-v{dx2zWv_^dVO_6%RYn&kRM$tb%`vQvvinrjIS3jC~EMIvPF8V)@bu%m~zr3Cn09aWcY5CtXUy zb|!W(-ECkydPg8OIVwyMcLW9*SE`#Sa4@;!y5J4Z8m{J7sAI_;!@#1taSAU{V`Wz^ z8LM98CX<`^bAA9zuPXIb(OVfZC7FOrjX%LZQAYHKOD#*-d0{pgTNJ;`74?(0{3O_| zk3YH1PebOg7TjmGb$7F&wGwVhC2MkN?24Q>g{>52T;(5!5&9CxL?a!)`#yl}r86v) zfD`Xr`K{E?9zuXBwlG-hwTtWzyGw+qv{*^3-Ek#u%NWMU$?!V%u5zr`J80{6g$_|j zcfV65m)#R*X#QoEbq^qBE76YBie(PD^D(ukG{#LkonEm-0wPsf5?IfHTR`pp`wU*| z8Y59MMvJGrnvo(}Q@Xn##PG>V!`>=dwoTu!(xfL>n7ABFVmTV4Z!@3Iwp^OoXJjjx z76@q-$hC9a?khXCY%)b*^lI`3jTdE_El#W=GL%#-p6Lj0RoL`jy*zFdyXNi|xmYq$ z_{OVp<-Oygoti=QjTqzhS` z8-FBRAY|LIr+UjxT~JI%v*K47XlS_*cAqxgNT&}k98P+c05``rkY6)0a`;`?>jbT$ zZyd?90o&Sq==UrMwf9Wt6dgbBZsx>P+H_aV-<5{;z|YHc;#tW&h(KnX;iwrxqVe;q zmxQY7Kn%bWYgmQSbF|PwGwhK>Ik6=Ty0+n#Xx5UMf{OsT0hzN#olzj`PfkZFsSKeF zBGJ9Cw6-ob#z{xtls<2XQjxJy@QJIn)8Qr1dE>-^%V=~3mjH%OgW6Zi#1d0X@NDu8 zZhBGW)6Q60i#X;GaJe)Q3ODLFk`jN#=e%le}d9M_y&bn}|;>X<*erb_C&W z$fnv2VB0+}5)HB{{@3b&9OpjS1;(c64cN7zFX-N}9Y|`Iai7MkV9QJ;w#+=GAI-JU zz5~7y;VQ~OAkeE}{pN}|HjaO;))nt|Pr!1G;jK5D zss`QF#n+BZ62qe}cv>Y3M7(hSPsCNdD&%bvkBR*$om6zpP9l)t8nBQa1FAO1S2iT8 z?Yco@YKwxtnYZ+EdmPk(j2pUYG%EBsC|K*vq!)5?Vkm@w2yCe0BvoV3pA2>v1bgBv zd`M5zg0+|t^HnxS=vvbwE#*z9142sM5^U;?J5?(<9N(zu^N3$qf_Sojd0SKwTsMKe z%2;d~AL_h0?5M~hTat%e&6~9Rd+8)DTM^~N>qtlKJmP*obcPA;*YdgAYb8DA>aM~V zg(4y?GpmOe~h#afC0~wnlwj?UX;4?DVG|*Qhg zO!N>!B%q$?^mZq-MChZGq*#t3<%!&;(^k0;5P$oxO5Lk732V`voT%K^X0!`EUU=mv z9@{j5uM&VSR{29onR@Hmx2iGbGvch=$tZi+qNY)eLLQ{q_v#5F#GqAz>`#_uafsIk)77e3!o50yY zMZ;U?N!x(KyX#NHrm-=O!J8kJfLdI5>zfpu#{BGPI|=bxd*>JQ`R~YQ0*fyZAb2CU zW}{ke=0u~;4CeusNm+(XRqO*gQ4v4*<^OQ0>7Um)<+hoh3|UuZJ~eX)B9h;B2JYl1 z@?Vf3++p>Z;gv05IbBPX4ek{{a-Y)vZ)K)*+A(VV*DIoZpT>ZajzL?dgbG_%0emv8 z**&wtSPxgWPot74wbC6|V7mKs%70rLq-XOe+i^=zstVLelg1-Cg9DpFO=8GU7G=9# zT{#gfx--zt-Tr`7`Zfx&F;&A{?(I#^X0;=W_nMnLNc*$N{uc{sqkCp?F_t?NpZFXh zgOYI&ESI|NwbnE%c>&;3&olhPr4}$r;@VArU5({ZQ%9wg`-e-tYUKM5m)iYF zV*4L1^~hf?HJdT451&4NDwy>w^tcBZaQ=36dMI$O@)0Tc0BSI&K5rSoatEC_gD z_jw=)2|hc|_h$og>kU7fKPBr{!Ic5>h&-j$R9CRfP8SZcYB6LO-bM2chH}Y+ z9f;q2$F9C?sK`mC)}Wqm32n5XOa=H$8p2m|Vl3`}AszEsgDzO4yWZEGKs1;x@*F9| z)ox=lWm+AB*Ud(ceUq&Ela@f~NgGV>js85tgwNX`0}m_hQoTNfT@raLguO-6o&H%7 z8I4@d76Bf%=vp6I|4X*oxU<<|`oQ}Z?z2#qAmq- zfI>ot+r;+|=araUf6^*G$R(U!f7mBhyKR%JujAr5aA7fx^fNDYqI!B6 zR2^a6UFSA+?xh-YiGfeIFAGo}ebhV9xOBY;v@6U$6u)Q`R<1M-ie^<}x5~Q#Rjq*7 zjmO}K8i9Iq6F<)O{w{E!Tu;x|e}fK~*366BYjR15oQ=3C@8#-!eX=LwhHZo8IFGIf z#OY-jRl%56>hg^sow9!MJdE3Jym8oPU;UoS(y{%yhqXScOC|T0YXOh+!s7p9Qn&rX zq^7{Hx_@g56$uctu`BIX^Anb(A)5|>!gPHPEzZRT<9hn3qFi>lRmg5$;xCgLVO_uS zZzeTx#Bcp!Qga=H$gZfU1CUm){)b5oRH}n`ux=nMUV5Tt^ss+O@ z@IGO8g7mLNfi>n8u^=m39-9R2!9cFEu>V}!a;hqI83#TcDNKzGtty)}2BOiL^MTA= z@b2E)f|l3R6#QtZ41hy9;%zAcHg*c34K_RJ6^VAJ&fgN^AkW&L{6Ekg$3vrt#WpKHT!kr0{8<0C%?7rExqrfXXn_dtYy{1t?GDR zZxPYHRS!BPe%beHh8d~x2OwVJs2>6SzIo)+ns9krJh#lPG=KDb(dK?>&pfKf%XhxC ziZjPb2gFt&9z?8ycs81?C2gx~-dfXN&3FVRgvRlQofJFqTShqkRubhQ{;u-135@EF zs46oIPF2zYMYIpJal>{NK7zF0nkPd(voq?Wnvjr>;=65@QmeZ%&0|Gx`n2dg(6y0q z`YbiQXPT%=#=ixGTny*^WTkEKi$~&^5YFD?lreJ5tWQdCE5pePiF~EpD0YTe^rIRm z0*Vcu-(}LxTOZKq$NHF!$|2%L6Dn@{14?erCSP zA@~{4!A))4@ivQk)AF+62lQb13p+=f@hCw!u>_3~a&d{yRoGUJx`8ZUQNpG&redUn zBCQm(a-Nb!V4DzP6YXS2gp@wfu8e(hfd0S_L;!7Ro?0nUgcQoMnN5}^m$7b01y_(kEUJI^{K-O@F#pRB?EPdy*A8(6#-u()n5tmlG|Q=G0;GX=1CW<<@s^uIbAo zkEd2$Ii#qoM0V9$Ug!IDgRKr*K!H+MZc;rrR3-qqXgmVCb)4EbVLiwd$;cJ($c?n$ zu*$Gpym1vA)U_?5k|^^1TC;`Bz`b_^1Q`r}e--dNQlM%TcvA^0{j7Tuzi$^`6?@R0 z{oX7DmO>_$6{>Sx1Vk$Tc&N81jW4qJ%D(vRKmZkskE%*_84Dnx^_#5^X2OMlEo?vE z`MqJh1oMEr#}#$$l1QChQBX__QK;;R4|e6%A%yG*R*Z@V0KKdD3I6_g?d*BDV(7l8 z9~+PWfMNjyX6|#GN)W|DaIEG%bppj04b7nGSQEY&jue{sqTwd!03FbkIE=?Ut^k=9 z<%K#nE+N2;#Cr0jHyMtQcaDvox@u*pRo!r{;ISWd z`9!R7=v;8`mF<9BB=_nn(3VTWSXR+FItg<*hj`{{QW7XA0h?g$%Ngpe8~?E5c~C6)lbP!{RfADvT25;mOIFzYX6#3(N{AO zkr*LCjv+R%4>2^djp>1K{AU?by37@1P+GuwSffdN>c9bGW6v!5Id^i)cH=W{!?p$F zr;J&}iJd5jvG7plF7O16>DlSyZU8mCV*^|~F?BOhS3}93fvvIDC*D(aw7ZNN1uUKM z3CFs+BGWpNhN!_!w}BfYF8U$JhtmQO%%h(~le-Us7+a}4nZO`ZBc{;Jmr!m#g+)Lf z*qmFpDeqkf89A=Y#jOxbu#W#J9lS-ow6iw4n~aMc1Dw8-8D0oMpOk11jl`jyQ!vgL zhVt9X!r-@7b=-7@PWbXxk%tA2Z*)aWD))_pb?;80_YtNE1#^=@&Gd@(DV5}p3X=gD zaN0UD{ubGD0x-VMs4r-PBh-&ruFcw{@;~*YWcR_f^eE*&OWW|;eT53x(msPay0ms* zrL*2RtSi5>Qu`of0SkwmUQE}9F+Q+n?1l<#q)Zp;t2OOJTFl1a)&B0q_a3w;i`yS( z>odQ2BVdSWKPg5z?N$#`#;_Y?TwMGL!5p-2emCQQp?A&84S#G( zNCZLNn^;^-N=_DtqL6p;b*3AcwFCj4s2r?|biyzWWU+g}_4rbH0DUAS!QPqId2^(O zsa?X{^A6mOig_21Xz!B0Zqx&ed1~U%-+Bnd9`h15K)lxXHOllBwiol`1}lwJtExq^zf5Wh@4rlHA0kZK^$fT0b71z_qD8>2 zgaYyQNIs{fWH$&^%_z!ZS+QOjsO}8|zHFMA&Ak;z#FIF@^j;hlLt9jZ^`@}jY2}5_ z^&np>Wm+>V{`5nxbJTx&i2ENQF#0gE*X+uL0TJMaB7CH1wi>uacNoM`-9hw9=Ky8F z34M!4#`c)9PbTs&!2X{J#NCfFI`8;Z$^}=75>ggOe6h1f;H@H;4-)}lLwNkBLaTYD z?km{TdTaWRV0!9tZkbyKMf~K@mdu{?_Szjpn{)=Ff;;Ra43vw7Ys}EDUO6+bN)(zK zn6)J1&J_^FxC@Uz#c>&a5?=~YJ(VxWaKCmV5A|@+p?lB@$gUQ`lG@ASF2734DLV#* zR26+>?~1j*V?y)MAkdELo+;Tgo{&uA5o(Txh99kOtQ1)`>Hw1(_LoU*nQGbnmr0#| zsr*AMQH};MsX=pi)8(m>@l){x0>GrMH{$5wBd?3~{9@HESuE;yu-D4BNmr zi5YdmCck_g#iH^2tV#EhVFC*2ns0MC8I`@%cnX=zPQgcOz&X9``Qkzpwi8iSR1_&B zs?Imk=WLhP<{ZZ8kY!IsL-YfeBsw8w8RRQFDuK0MnL^E@CiqJ3H7WV%-V|9Xt-5kx zz@c@wl2+XKz&7Kx-hP$O4?;gu%eD2e+{ox! z?55$QhH%~}2Xy&@zuQHiMIcnun>J*Ym{ySS{43>6`J*=7U&X)&k(EZBe5b7HU6+Wh zOpqg%`+yX8k_No!%n6Pi+wg zKDj{;OawR%3|st<3n8}3Af_ASe&H}T>4KTyHnWu^rOcEGyL~t?VM(1sM1($I!PaVa zkST_^_%I{(iW5DVx@9iCf*~l2sLoWhztPfrMTZ2N=35up_5kWB(V6m?_lElqJdb$1 z8@)?Kh#F~-3(I*nR^yzHhZVM-%vu$q-3ooQitu}MNM8W zFgB!JfasFt2{jE3nz6@=AcpHr%_dF5E&Kr&5X*JC^A7R_>v?WyC)&imgI8f4UPnHQ z*eGeVnKn>Y6S%P?Sjk<_D{28ZgZ1_?fN3qm=2IP_cEAgmF2wz9!qE(XdZEl_k9I)n zMb_4fI}4!g`OzQ~#)uX~OcVhh!%&c7?)qEowb`)C8X>N` zN)%ZAh7Lcwe831}?hM=_7>RCAAly5(e>%1$2^asB1V%Y~6rvfvMg>KNdC{6Sxf9{@ z_kw=YW3CowGJSyLCi3<(*vN}=$ioh5$RA@^R(0^e+WaGH2%GW!y;~8Ar@ZH~ zDDXIVeFp29$DFiB7EZdCtc;H6t4;YUExbD6${3_-dwDqa>#?OScy@{)+;~DV&??Mw zy(|)P(YBj-7q*^!G*(lB=0R1 zY+jK6b5siXHw7GbaNDOQJF}pRusceV{FEd8NEHt<~#4Z zJHh;Dv?7XNbWllLluOB|yg#EMWxVvj7PKhF#t@!z>Sqhe$tK3}Pp4ofG4J97+{>Zm z7POL2*ul&C?xmepLOT)!y|@`L@5%{K)t=vfB)m}WuFqA(oSsTNK2^pCqsB#6o zdB?t4WPNv)%+L#ETcCvAT^{@o&=egPx$zIslz4I#qTdI``xBLd{Qx!nm=A|~gLK(C zqugJ8+5RsV2tl`UKDHBq#>%8`21T};%W#tHYo_nML>=Y4wHoZwQ1A-Lp@fyqCGnfa zV+Kl^)m^cVV2aSd`FPn1M^{z>Q^&?(1@>km3`6d#UPRtP!R zOuZ*?`9<5%=(!*!bv?<8&n%&OQ~YpV`ALL2AzQ~E;Z4E0^L8_IJSD1nBcUPZ7Av`l z(via_?d_@C!>JZTAnk8z4yATgt&>#IeL#G`6Ts&J8=4H92fq+c7PS+ z)nK<4!>MpFj7Mw<2$31Cur`1PYzj8f<;VDDk;Bj9DY-gejVzdbN@>n9;yO(S10iP1^vX& zS$~vLE~#G}=qr|Z7dip*EYh(Knnb?P!Q)?I-+F)DfJ#N$=HvC(zvremk`i_5eLDJ> zZMiw{-dAE_)_6PYB*XX~Y;jbKXUZo1pRF}EF9*=LW-;_;ymEPkuR((aPV@f|0L^19 zyfi}rkx>*e3hu)qiSKyt+F#)`qU3(>%MxC3^X@u};s>eA>oEM9sb(x6wJ=`~gtwhJ z|5|$KZa5!L=F6O}gRE$$)_BH$tJ@WPDBRBF*Do-+g-_T_!ufvT?0uUMa#sr=BJ9U~ znSAdY3#pE@*lm{pkm@}Ess4V&13;=h*06Cv=h~$lFO&a3s#7)}65kkL3R5Bum7|G} z1(53eQDT37iqa20J8*7wZJ)#y2hX-K0;;ojlm4Lhz1o(BRSKz-@#iO$q<%vG&}hdTP{hrx1DuK0l(*A_uWy3#F@GBxe1FZ+GKOsf~DV*!4o*t^64a zbFx)=t=K+L3fiS)BkgC;3dXDc_)xTI zVsc;8*e_l=*84}9m_9+y^%HgZSS4AJ4(@#g|D+UzGNhWe>pt-uZGND0blA1^;0b!! z3X6CbJ!$}_x?1iN@HAi8k15Xnyb;tw>dA{o)ie9Psn~4Ky2_>{!y9dHc@ltRrtA?c z1Tyo^phJ8J&aN*+fX)i3Aka$D5Ei$q>=Me2v!jsI_NR)o#PN^XF5+?4{yuNJ9mkan zpQ+vskZ2wYzKb`kocY1$!uPl-)`@fOsRiw`zG6*vF_QCdBACHE`O*wwrArd|-LHM+ zy-q+Kn%??0lx|N6c>P*ji~r7=fKiR&jEv>|`s5V07ooSW(tD@}yZe1jY8%|nx*+nJ z1``u>qnXMl97{~fxDu^lWgI=JO5}_h;W}Xstmg<*mFoGVdx263!CF&5aFKO{f#}0! z1APCV%Klx7+JBWoI$+-JZ^!uOe8wR(yeYdZ5s+T^w`DXZ8?Gi}fe(l4?>y!l?xLS{ z$$e|pVt04D-YQ*!IK5jYgVH_|_vOV_1ktra$jd`}@j~GjE{NV!T+h$)rCH7gXX5}; zJz+T_zWeewP7qmEadPlmgu~2_2>a1|4fel~>b+d0+;a^M0I7y*mn*Mpw|Z#~*P7uC zyANwiaK;u26=-M0-8DJVx-Yo()2B})P0V1gO33I}ll~n6%F4qwgqzna*LLwPxa=t_s; zq}gWXx^m{91<=+-DE_{gY~ptaAk`o)p#R1HK&scq2mc#VjSFb*$4x{FQ*+mi?|SUVWV!(kjIDE`TVo*KgLQ-Rga80)dynN7D@3 zuonFGR+{K5L2W6DL-JoCB)kP?ADw+aJU`5wak;)veKChmMq0n!Mr8|^>ynQaqV%4lM;e@C zG^X2ijy@33MoA<(e9_BK5qlY7zQlla?F}OYel){f9=2Y4G4H!?ck)BZLk3TO`;oqi zNARF8XU$s4=g2>hYB7-4#GP&Bd54lrGx=lgRE^_mMt+J$!u=39!~WG{&+`+OGd}{c zj91n3Se$heqaq|&IElN_#*8(L zZ1m)sq4b`i?%pT(&;3s~I(&#uitmV9f@K2V<`0=Y$|eG1{7l)_IPvopC2vpJ%BhzI zLV)~jSe3@87;Rp;q=joteNASe`0DR}KQ=9#R4R?>1l1(v( z;2}7BWVzAFC#{h4R~7W4b8Vw}-DyOGsTF&^FH`0)HmLUK7o@kiq|YNo%qTica%g0W z+@So0+h&m9Jzdms2!0fiOOu%tMa-(I&$ciF|6r@Z*gH}~%W6`70SN)K0v{HL}US6RhYx7h>tU8iEk3XB2bM6dKiOS2n9dS-Be~YMiaTF77sr zQrk(}@H(>7*QP^wS;NbGNr7>gHrmgIWo?AJ2@p@2t3GBDfi#TJQG zR7m70DTsn!BeoAU$;WGfLZ7yENc89LStlu<$jqzXr7<&7n3pQie>R`%q~BgS!)M0N z$9oPa)l)Hc`QmB2;Pk&4PX;K}T!2yyVPopQ{Ce{hZ}w(&)X&xUpx(Fthqkwls26R2=~n5Oq;z))h)8z}DBazqbW7Kqgn)E+!*|_0vEH@6z4jVw@8|uG z!H_wocbwN5$9en|7(aiHck8xP$$m}J_8Qr#PBD!SqEs_nQ>uH6qtytUXit8wMg`_k zTS+JIlaY4C`jH?3Ots~J(2QAIU0j1(0I}NfADC(9-NwbR7WqxJ4+#=WUQWn%o3 z&s*r3w>*w694_6$^;>dfvn|!T-zAZ+>O>cw-+Y(A_Z#=*yWt4?Rh@l02KMrMi2|%l znK$3-FI^8Nmw$!)$PjgVT($C!hF9R%Ft3sa=weQ1e^8lk^V0*H_-u6eO+Wi!-XRj0 z0*)h1E8DD-x?_pg=!B35*!G=m$XN?gnzse%wwpr6kKaGJ%|9f(f*D{?oW-+>C!@h3 zI~x$LBE-0$$CeyZsw;#l#xn0AZ??GEJ$HPvTCyQG)laEiKpV4LXzFx4O} z4rcFJOGkL~+aksk~vBiC6Mp21Rhbl%qM zl}D2U$U)8-`mGj4v4$_dGk5AmQPI$i8FIKy*0t%VtdXW^q>zwnB*U5PMpA#DJ(6nP z9bbOuJ3DAVhL%55B_MdNorirebvH>I4~LulG;=Yw-`*6I)P)Cg@q)Ho1xiNTC5NaQ zOK73)ekEJ*2JzpDN*WRkTV1bGfaVyS-rNbjYBNmn$@8kwJtrRIK z4FzS{_F7%#K!moYumSdz$?XdDi}3=)M<5f1F(za2%12K1Vm0i0F6?K~HF;u(Fw;|8 zN=$;I97WI_^2UuLNX%x+2BbPI}wdSy%!&5jU&VDLS#%^?~$8PqsOd=qZTY#>vRc4r} za>`z99dk79w&qC_c>lH%&w1R>9S_z^`!XMNITVbvW>m^Pd&-luxV zs9q(e;V%EC$lZtUb=&9k7PmASq)zTp}n&9P&TX!}U# z{=uHP!n&#j&%F{@#Sx=^QT32v{OsAyCzWAd`heRrts_U!sR1kuq&%_o4143#E%BLGi|N`j5(DlFnoKYn zSKG~cMhG|`u4h|5quNE{FnKv03wqY^ybk7%D;`xscsQ`2q4bT!CuFz(>IW%S#7&hT zN!6aJlGRby%J=qkAB3EY2Gjh;LSDv+>yq0BILc`@Vj%^{ZQuTwZ#D2|e9?HG47YA^ zQ7{@{0lq6dgfX;(AHRcXd)7m;*UESG)iirL)PIML2GA(Is}&ZAx<{5fX?1D#XRoZY zf+bi!+(pw3SFN7BQ#IePJT%&P^rh1R^KaxajxM`(`FuXSCyb{E0}{6xx1$42<`zm8 zBhLDO`?Uhq;(hb*pB`c?xu497v-^NjXN}_a-tzdJ`$(CUshA&HC6(`K>#BF>OMjVl zz-Lih;Zbpxp~<67IHPltiua|lz~=5bDyzpgdy}NEm6;nqX1u?$3nqAUkPEX9GmFed z>q>RjShrc(!XvHx?`u4Ql*|Qm`14SuyVu3ldDjVTuhXL8#9*K$?=#;BVSosQTnfpX zpi{Qz^deReu$tbfVxqt;HqXd!&w^G|{xoxh?#yX1gv(6?G{7+wIXbz$jU(My>C2E& zKvO+Iq53DyTV1L5U0RP_*w++|kizXkKbnqg4qZd5drQUm$aj^(nk+lll$jc!HIvRp zhtA`T^hX(=-DnccaWWn`X_QPkhzBe_wJQfXUu%dZ`6&qlY&hJUV%K@VmX;<&Qd#7A zCBurPTjhJFyy*Qog^=pisI4X08++X9_r3@kw)OwGcMfPqN)Xeb?#+B!pxfa@rsqRy z1MBP%YyAx+ zbt|7rKO`MsGp{s4a=Go>b^ph>HJKdBRGXV#q*_W2q2()B7Y}#rKnGdJZ3p!H^_WMY zb}-_Ih0cCJmDznN2SySC;W(Vb5={CD8tNA~FH2H>hop4K(=OH%QG?G1z(D51zi1xZK)HwYeyXP2;grOS z2sl_77 z?&j*dXeuExfIj9C9_@^8$)N?P?roW*8+)J|3RwtI>Y~fR7?E}r24Tp#Q6bG=9EwOfT0{adt^LZ{QiLgZw*@J#~O4j znzniXsje`~<*{4+{UsDIUATQ4Z>-*vW3;0)9$8c{H;FgMEEz>PJ3D`rT6hGJ08mP&Tf zu43hG&eMP3KP{@=|MjJ(Ftp#{=`#JVe4}Am2wW?8@H+cX_}W(k6jv}?Vo#_z{lc`G zE?^Q;^1nirJ`i~FwSOEBbFbZ~*t={}(D6M5zJ^?XGpb3vAVxLXzhF+e%tQNbqemGf zUD!F%Gq=#)$wJtc;TuoLiuyME`KSSaDc{+8>3t8jf29PKivaU=6Uk($zqn+>F1Nt; zUef(7F{Lf6x3^KgY8t=rle+c40x^{zb?8cQ0e~hn^~eEqy5r0%;~j7m5gdSyRxTK1 zO7ZT*V|l8MY=AAl6)b4p=jK8|r>Bb273h5@1?5fYx~QbE(jU*O(k(*Hsz-Eg-|tD~ zP8ci=XfdWk1eJ=DSE`lZd`jc*a|n<-+>;_{{+lL5jqRzrCix_QA^mUX-uE4M-kAWn z*aRbK5f)+3Tx$RU3vEW?UoYf;MTmM4`=e`y=1qGr(TM*OTF48~=anHqk-V7d8lw77 z*ZHga18qSuOA8isCH_6%p5hLER8{}C zmygEXj;7uM3I*BFC0K08o+vdG6-fOXJpRvd%tBuX0O%DLNx=cbu%ZmN2t=t?*aTD3 zcTjZ@*0=ocAdrS)dXDU&M1LFQyhZyiFU#VYqUL{`0skc~?th5%%QAv6rx_y&0#-o1 zA@^esT+z%?6~n|21QvgvWdGm~&qY5_-BJp+tM@ko?s^9jn)fCD`4_1CH5B@!Q>8Hf z*WmWA@%#Vs=NHm|k&c!9K&<7%&D+D+YNp>HM)fp+sz3(t_ddo8dHgR;o2zLAW_E5zvfedYKXqS8Z&KaLEjL3P zo>@O-0|m-niQ~?kwdUH?9vFtbJXoJ#RoI05XcJv`JHz_OiN;h6iR?h;>-3TVK&*hd zw&rRRD&reyCZGyTyKl+60YAyrc$0!1oaew^ZNeDR5uXR*vrA}LHr~B?b!zatBTQ2n z;6m#0`5cSvgX^b3&YvS0!!W%Emc-?u_oUdp8Pop<8yyxzE4@sv-@8$n!gY51{zW9E z#tXRzcjalGduc1JkE8mvnbQqq6~7Mhqc9#8PGz=7XI?erd`*h2BZBVrMEFJg{xg5J zC&Gf40i_NLVxRZtniW zlMN1bGFXjeNBZY)xMvAgmeS#4oA6)2A0ri??foxtZ$)cp$A8*!9^D7a2^kIdD-t^X zZ~B%gZEy5p;6ITMn!9BsVw&IG-R$Q4sGN=Rm5YUfhdi&dtL1N}@1XWZmowtxlT)#4anM8`->A_m&yFyKk-U{kYM&pVCbGLZ3QbGy9?5e8HByi>`KAEK zD0jF@1B*DAdReXl6aM+Uql8q>hRqzic!}vJki{>`<=}_8AI~C}Th2D&`>JYp^A4$g z2z~a?LsVZp^yG1PwtY0?vGq#1!L^zPtNQ z?<(^Dm_YrHPF!*n=&EB;$?Ts1Q+($fbyU|2VIO*0rGkB3b+CR4DAz_KIZ;lu=7k&? zb02V@{`04z@&o0uXHxkXEasD3T9@EeJUfINtCSl@F**-rNW0Y~;70M5$Y`TBZ30Lc06wOYa_p zu)XD=0l+H`jrNC>ZFkNwj0oM5Wz;fXQP-ZQ550vOjLfmTz1->#UaSChL0a%; z0F!`2iv4~64^;1=;9_bA;9Zpi+z#)fCXQ)T8q^;F$HK3NK$kDPBY1Vbmjg-l0!GH;G8``7zQ`c7yca zkUxLDb;mf^KmWyCl$3STN0imjR~YgTxv+_*T7D5?XmR0j<_>-EUU3IZ(3hFvM_?x6 z3+;+4{>D5x1&brYV5+XRPv_T67Q&YTG`uYAKquuB@ktts(oi!l-g-#ppFcCpeSYwO zN7rBT?wKwFKBxKm1jsGksqIFo{shTI7L-YWUpNP73WC5{LVqbuZz}wOz2=SE>ApPI zs?+Ll_LG?J__43QX0ZPAflE)~#+pd=11`muz%T#&kp#l{Al46|Uv@*ty7&J1;thJI zJ@Zg3pIVN7#1s7IFAjLKlpp*O(nfucCiKrg7a*}wfzal8D6H=PmTOZ)3NYB%{kVX% z_Wu&a|BJsZp#-0UwhBRs^fj7MtKfAAaUuuTMJ9Rww^zvJ0Gs9V zEkicBU|UH|dU{QrqAEIf+8~j0wIbHCe7S(+Ess)k1RRtHn%14yZ{RDuEzyq_SOQuwspF&5CU!DJ+|)vd&j0 zIne=KUf_W?w?22r?VAW@DPq0Ck7#+73+bAf*tfPyrhXbv*^R!Px!SIGp05w{6L&zA zKwRu2U<0g0^o!DNc>mcZ7YlkuEk#Q7Ohw>e@9e=)B?;~*a(`GVuQ zJq(s@xP&s=&m}~#)-Di=`!WSc+_j6AqJhmBFoufZDA&+ zgzi|!^HdLhr!OIm5Vm4ot8Y;*(oR3TNW{5E+;`#H5HH|RuSIOyC>p*T)vlwquM+$kYf#*Ul{#U~cSN(C)`<;8|>xP1gzwWXc4^!I# zrHRX7-DSX#8T4etMyF0c)3S07>)^CglPXrPp_hqcV7QZZ%8i3(J5GLp&DaFm{0YWj zqH7GMKdK-d1~buucou#Cnybq*yEmg_Go50N+Y>Sj25@CT+zI(kU2;jDQUsc zE!w#cdNjx3?!REbtJD~vvHZ@F_$fLinF3q*_Xi8L1O;=Tg`&fR&WvE^9JK(=)PB?;uVFWa4 zo&q?yOfH9(Sy#3m9xYXE+5v!r9}5@?coXTPZ9H7P4<`*w^u;70-p6*aP}AxWqxj7< zA5ny;Ab}YnB8Rm3(&su-T<_?MIWrDmOSFVVipMvwB-E)Trg0PY+2ZSFv; z=p0|$CJ&(oLz2@Xo;Wie4hk36F~E)%u8ydkU9-UfMLKa_@6L$i*WpRS@`XBhyRK1t zrphv>teG6KW17CYv<*)(AR{=*e znZz!;~$Bba?0=XdUp$Ba`&!WzctX;=)g9a&#v-1 z_?Nd&=K4lnH4`7=Os_625!(b`-6oqf=uJ*9s6JA?s9JX3Wd6R3gWZphx_%9ug)=y{`aP)lG4I%<1v%Zn1FUxJ%L zrTSUzac2ldy5l+6N>iwJIl@4P1e`9YvY5cW1jw)ovmn2r;Tcb4;w&$cMIUGN`6{po z0Pu0?yN{wW@_F|y0iGl~iQgs1Zd9c`1PRr0#(9nYN+9TNoi`6-`2$=*{1?bCZ(sb< z<&DIWdT>SWP5hlga=9~fW3p+yi<1Q`tNL9&aud_Bj3S|i7mq*7Zp7uQdf*88 zqd_b-5)n86Uw<}TYzz znM9O;t0S-k%Z?y0Np^ux)(zasL}ow<8rJ;`mY$(4q7MtsqFuJPsW zyTeEeo}#05rT&6_7wYev3Jx9D6x3pIG)BuWIXZ|?-$Sg`ucaOq?x}OU(M9A&V=AMP zFUlOHGX6*czkayU9(|X~F~a7SN+8TSX+dsB+2U34@1Mmoz&oV-gL`L_&?MfT0l9+M z&}(To4|$lg-Nwq9XZiqA(C}+|4u!q%v0A^94l~}CzFV!+?R#tCwq0@B-j7V??J%C@ z?cW{I+pVal!;DG(yK4Cub$BtslsLj);b3h<$z_YH=pEyowmDR@qVAE*WcM74++Ck*!i%jHZ1BY^2| zwa)R?jhp+_zFa=rV1I&x#Bai?#DvBhNJ(DIsz@VO}Sjwg9*4Of@WxoS3VMi6%-SRl;)^ZN`NCLPMGxYDRvKc>1N(6sZe{{sL;VWFT z5KNZmTGd4g#sArOOri!t=z$H4rjQ*2`y)A^_tA!hLXv3nw5Z;`YX{>EL3b?wz$#iN zk5Zzue!(i`&5BMRXQ~h(;)NR8_TyA_Cz_~WVZ3HnsY1>A$JnDu_Hd(|VI-S$y`20$ zX5S*v+{^+-C2G*l+w(PU8ov`}KQ8ipiXBZq^qb6vX7S+V`zdJlWHX3>^BsitJ8flj z|5oBS!#NaPWD`jHvX}{jh5mOV@1qV@kZ%F_4>7gc#YTtC z^s!qJq*jbq&T+=O^C{CosukjO4;;Ob*fZmLzi{S$)(gm>e>2p^9^g~%n^-~gHR*DT z^_1iAzDI6@+Jc+yv`#a2PIp`4+a-*I6ByF|W?`GmrC2@Z>}_z}@#^~IS2K{W2*J|7 zp#31%h~>rWyO$X7gBMqq^|I4Sr8uMOIedmMnQzbR;Roasex9GhVtAv$W51J{!0hk| zf9I#i$ZQTzK}_jdJ}ZdN;xHkrL3=IZe?uoP`^FLMO=JaoEf&QohA& zk;y(jz!Q>Du|^Rhwf79mZmqzNZk7IEt^mgmx1>M+qk14&@}2NeHPa?={Nf&f13C*L zQ4p}M1KAXW{@xb+0tbVkCo)QCNqJAhY|=u$L(L@Mlskm5y=zZLcWqGt(zv&&uT9#2 zbPR!J-7rYZ$s#n1b$p;TRe}@O#h$pZzTNE`nQtMQ<6MgE+Gy_(EdDcN_3v;mksp%L zbn=XK+g_(LSC*ghafmla`0iW#oQsU=u5j)iTk>p^|33<(co_uVB=t@?RK;*|@A!8E>_@49$lK zZeAn8A)AY%S?VTj(ceH8QN7$k#%Ghy2w4iYkeQjnF^%vB+o)6o1~Z8EuQMZ9mp($t zU_>;oq%p}B4GXRPY?VB;mG?onvU`{RTAjYTwU9U{TTP+hO)g68!)LmseilR5MpEGv zh7pqyIO{zF@t(16ZuOYK%jBnO9ga9L+cKu1cXJr5>prK?XyQ#2pjQ@k?|+GGl@ZEM?pvZW_~jdJJXJk*}`vAwNFxI;A84Kos!k zU<2$Wi_6#D4$zDUB7}FXfLplqAB6DV$uG)-+SS`LPsWsaP&&zo7*7jo@8smu=hepd zSo}NyM%F~u+rJt|y=tJ6WOSMAcDNBazQ7+n$*fzq6m(;szi0$2bGPgOkQ8Eo`}{Cd zEfdcpcJpVt)pOx$F3&|bIAYLQLUEb$Yopd8#_{Pks>S!L)a^nI9$R@FVvhz7{~g&Q zBEs4SxS7j9De|sYjjb<)%uj!I&c}Fp%_o2uW75e(aOx`PBKg#EP*gl+_k6r-z$!KP zZomh@c(!*J8#}!B2i*)O0UcaG&8#q(z*fDn6mDzN`b6oND#-2fWXX7cd7xa}Rd%!r zE7w@V!2NL*{=S0RgdshrT>?9-_Bb1d*BnjcRup+?+BAb^-8i6wgA)?lkH=_``~Wb9 za=30~QgNpz<_)osQo(|j$nZ#8<2ggK4$7kC<-vAYBF#yH@*wK^d%no7e z!xxOsqdLIWc8oWBAB!g-|JzONRIaVg9y&%nb)Ok>p#ISZv6)l9PmyCu8H7K^1B7OsnT9x zfQp&V!u!tT{JeZDuxb$30C`J;hnZDAqk{E&Cn!zv)jO@Q5|6}0l=WI(=O`Ic6>j?6 z@DOrcTvo=i2!M~L(>3zbU(-6Op2%n#2LlF$k#}4cg}X#VUPiCg$w5t0VH_GzaqioxvX?@sv@qD z;GfC-^3u=6>Xg9#(oc7m@u~+2RdGl)O(|xk+V{Lg*8kE;$%)@0OvWCB&YC)?pYAE~ zU>ulAoa+^%)CIt5H-$oAe>X@5AA}M%r-{e7i~opzu~JxOru!3C#f`d@En^}B_c0pc zo4{mEs95`b(*C{h`$b!20ydq*$YSS}K)MXy@*RtZX1NCWWu+r_U3oOdzt1dkG%9CW zQ43{Rg9Fx=-Gbj#Ud(J*X?E@Qybey@bSYy*0CysP2nar=+!p9DcE&o@v@VU$L1U>| z)3mWrLdtRt1P5Y4(zjB`gq9!v1qjXn0l{T({u2;9!|2o6K&tQRRBh!dD0Wq=EWddL zH_KqNHvebMx&~5qvCSFnbEO z+LwnCm{X&&POgWXL1C*)X>0D`&bfl)0bPuz>&3e5rvL|j^;|#A@y-zRo?YX>qngDQ z{=|VBb?f2&g#*t_a_-_y7arSSy0YY*{fKpb`rUXWCq?9k{On*&`wI3&-sKOhow>+3 zrah=zegPZ=_KDGPnMivi!xHi}AB1&}zeIiZ5P8m;CR0IQ>N#V4kYsJae7{oJR-;J6 zXR2nYe4RxqxLm8%V`!L#zEmOlbml_<{n9Z+wbDF)d*F&P!8E1e;!w?k zECi_eexfZ-*eNT@Ah>U5b7YB$-9$#Pd`iGr|*Y>}|PA2FHrr z0`3%K_DN6uJtgad{8@u|F#_dUkw;r^eKu zJLM0@GBETp==TI30XgB3%>6+E+oKJHlIzo=I8Dus`L>`vnODR>2{1_YKpk{)?xUv9 zqqQw%G;Rf2y@n2~U?#kw#n!;)h5A7$F!-BcPd(Vc{Z}-2SFBZ&EKR*|Ys9EVrT0B5 z=C&wD9DoK71TfdyU~gM>BgCI*aN@tv;6;OO72UXP@2Fr-R!&r9c#?PZW8%-G)U>>; z$ESUn^FJ{snk1Gk_*ufFG`g|_=$ug3PGzVQNn)xA6AoX+p#OfQv#!0HrH2=R+Z^ju zTyE09;g)U|ui~5gX6EbO0)z&)IiFRKNk3IfUt2z-l=lSwt^xQ@H2N^hg(X z%wDQn(T^o#2r0lgr?Nw~Jf5fgf#ax`N&~SPyU7Xy#=W*&PU6@spfh}reWz5sD5oOd z7#q!FXXIHQ{c)j2u6@H$R`FJrr`wq8oiTH)KC{9Gmz=AHy^<@weEp_uQ^ zTQA^!r@eR8*n&BdC_DM~*SpOGo1fh6TIWTk6D2LEgoQP$&kLJ}cQFXL+2seyk*0)Q7jK5DQ_% z-U;KzM#LlO-$puZ!5oC9ZYNxW=CrB77`heY`&;`*zartpVJ#~0D!xB( z1ePKp!p~aCp5H9{29H$zk#jMjnZB!&tM=tR3lKmS3YPbJ<6$tKixSyIE`3Z?2N&Ah z;%U(eRge32Bl6kLtSgl`t|^^IQUr7j@vMfy4fIt)0`(7Y7uYuUpQzQ7zVs{h7A6dB zP5&Yh#hhJ7D#*mJaSF%vzXAsPoelFTA^}1;&w;$#z9G4Yxrjjxj@5-bjnacDO|c3b z?nC7j7%Mh>4Hgt+DCYaE?iPx7`Qo*uUog$1l!A~7yKJ5$pSu?@W*cEF*uy1V+l$-w zno-#?#EJy1Eg!OG#us$2qw%-kluZ;Bv<2`vmp;o8`aBoKI7+d7Wrf(<1&>6eVpy-M0eVR}GV@dP`{ z$ea63U?<=vggJUY1F!p#U3IvTk+Ts(&ySlT#u~pT%ob0w`&Bo1uhP$`J8LWu-`@v^ zk4Xft%>>1#0@;Gpt@Ey+dJ^CYmn zMK{!0Dp|HB5~j){7I`31kM*qE2~RTaSR+;<$}Zb|hJuk23#GP&H&im&jQ5ghkKv(c z`SNIaUV<6RXkgVo0E2g~jSrSj*MPHR_YW{QUiTdDZ3ql5%oSn8lvJjRi#XNEQ0ruQ zmwzz&TP^6&E|*zR-YK5@`{Kekr=i7$%6v|Q#KAhe`3j+5t8onmw-IDi|9~pXYf&4q zrNr2Ou{{*xTIr5h|MdqLoCsU+15)o?dcerItO@oQ5%c!vuQ4T)wH*W1uQG4pCA+x2 zZv_-?41PXOa$vR!z~Bm0kM4blcneI<@vHCQPB#*fWUbt_;km!w=Joy8GwlmP zrR4)KZBTNUdh-2vN(6(oUM7(z8@M|ZU4y~DzPx>qDR?11gRNopXtxN~4AR>KVymu9 zX_d->e6z%e;ea>?0+(nhv)?G6iU%Z_FcMr=M?b~8#)1Xx>5#`%OKoww!Q5>ggcZt| zB%5>TbjA;vZl&_CPuJIy$i}vo(-Q*WY31@$@WnIl;xVlh3hIn)F1}4k?k?Gs997%L zgS&$H4P4bS>X-ZjScfzO?Hyxmpso+YXj2>aL}T1C3KZ4^>u1vJX=uA??Y>5B+Clj2 zyCPMfjB?`@crVN!$zoN*?qI1_ZLO~tzPJ*&t@mlj6PQvn+lPL>eG*2USpemR9U&&Q z!CWb5`vvGS%P6e4SH^$(&b5Xx!{!}bhfVPPP60?LO*2#warnyD&W$RPdMzW#>yUim zHcTB6qFnNycuEXg;1QTI=^$Bf9u%~@|3oK)dJ$tM^V6iHK ze*B(rYd{4zrmm&ayLTBh@G3!Sd(S)QZN-E^LjNz^Yc6=@%Wr@SoR%7?s)Wp zu(25ZlrmDc{vNKowq;1jgHon3bsOp5>Ljb3^p%t0)GEOKe^0%@Niwm*Ol53VQe&Wj z9O8nD&&kXIE_h>^DT4G%6~qOf2V8Ikzy%*wW90{2a7wb63~7i9E@7Z3Q~F%j$dQz! z!1{N7h;{y%)3VksM+R#2QJFp+?sQ#yJLTeQx2^A24WMB@QH)Y*H270=^=`faVa608 zD*R`NcnhrSu|8uI4$;qp`awQvGA_~7A+RhJza>_5^RW!6jBfZMh4dGdlipnoIx{UA zW{j>J{$78N(H#jU^a$pBb34KUw~95~*WFL8?3}0~aV5oj+!pg2s-iJb>ZAQrhihxz zBu3yT*F+8}&~=?mMv1=L`dERczGzJj$5g9sZhBi1sL%ZgrQ1Z66VbrJkf>lLr#_z6 zx7*Jtwl)gRuKh~!3DJ{?#fMQc*qe)6V+Q918#Q<_`TT1ontl#V5+Uj8aUhWRxzDgO zRxGg4eHjLkM2(vHGW2t*sx9r?Q9GyXGV^l6M@lhudT%XCafc}M^}An{1jg+(h4OAV zAgQcS(7aOffa&7;+0#iSNkkVjIStlKL@TB#s&$L1zAm_2t9~t)&?I}h6RFiPnFZ6; z+TTog!hp6i_-%0>!9fo{zBC}9x^L1>RGB^T@-kIimw(BjE$AKcM$MtESFqVwQqk9o z%=*L06vLOHJ^?t`lWPf7n$8Lb<2oC@_K19LqAKxbO5+v(^i!*ef(q+jX}V?&Dknh| z@1~vz>dfE4i3M5AI|_|^d0N&xx^uvRVm8q|0E-)RYBz*zuhHP-R77y0deBv@Bg(XM zv}NL9gwuD^YO4PM1}|?pbcBx*$ ztbU0aoEHTtdQ$;U%)~n%Z;pb(eUZ@_0n(unqs+vN6q&fF(Ay<2d7d7?V0(;x0#jPQ zjmg)qMR)h&S7cC;h~@F@E6mVPsxO0JN@PL3-oUT@%Y+QgQQpb?^jP)PJcGx69?eDw4lv zFT~z1{L8;J%IX64##!99R=e?*pkw?_9`V|-=a@3!g7eq|F1VFg)E``MMjnkZdyRIi zx;b)Fjo?4H;9p}>Tmt_S7hK+5I&~;4=Pxe!pu1S4q8}GqNRdhW?$Z(XkDXy@^k}Gt zH4`l`gi`#91Y#%{rhee%0CBUc|i|N$g z*fEZ8BJ-9v1FEgiY$S7!c$w+Mpv%z~kU}5PttW4ag1qcOvM|A8%9va=ILoJf^)u=* z2h2pn{a4i9kdI0Izi`2gbMpZgdd^yO zg9zd%Q==-Nz{rwbN}s6`SzN{!imAlCJ1SZ|>V~*%rNb&XtP27a>3Agb$M##2u3wS8 z8;JKZ--jHiV@)poOw64I6G`Q@vPQmAhIUF46zWBn&l~5l!i0~U!u)T4Pn`w>JWX5b z%<<3bfatWJ+TJb+!AU%>fLB>xST+t|FaN(}5TD`d0c&BmW zep)QjymYP_Yn}O;@tWgQPe3>Cw>4!6%Dz&x2~$_zGmYE9iwCV|ILHw4MbU59OPvjG5A=BkF?aOS3AYh=;0|u@_#Y z1XjBnhWcpQPRKe(;Wvww>AsBX)@WN5sz+xj_;dzJT-^I=2UE}Adh})&traTS@bqC5 z)jnP>QHe0PbXzl^cRK^DM*x2`9sNd0hkc{@TBCA`uoy-{A3eg}Hk)zdJ=mn$S|Rl- zbQ}9}4Fi|OE6f*B`tq93sZFo^gfhX!h`6Ht>1rbk^T|m!yzyNy$D+_Li-w=7J^rm8 zEe}PHjeO}1c1b=dZ^IVi43ky_8@&dAncEJ6|I{2ty2Taa~BzhpscyFhj z#3i7GNxS(2GRb-TYe9&cC~epmT(Y~{&6rDDP}RhnjvU;tG%lpA#O>ubFS<2zd05%N zioJh%Q0Q@hL!rClY$@LdHZPV+e>_8uw6SS21g-E(9a6fI=8&y%lp(qhcdwfPfULI) z%!7+QFm?TULvwNaMi<6DA)5*ddWOEuRtgT(-pE3bhILKOx1Td;j0UF$3!EQ1+Rg%jhI_snleTBK% zRVLsRyIy4)hy$(@FmRE(vQkcLf3=?S9)C~xZ02Iq;W8C87Zko>4xoDO2mlzk+n+FS ztBDGdd$jU06muWwvB{QIW6as4P2Yrb!9JhyC0>qS_CzrG$%TlH3{3~tkx`t%+qS`7 z%P6u!w@9-oUk0-?oR3jVPDDd1b?NlFJd=P&^K~0Xe;Sc5}7yI^crTge5 z7v5fvud>g@TD$=X94OZzqg%%Ts4uh{s~fy?O#%nc*!eXHe0HSEoe<_N>uV3?P+*dzkfpn>U9Q*d|1c~vd) zW1m)-nn2Us^U8#5oUtSB&Yf&&Zgkz43iSH{&7-}4q?9Kwxe}@g#}3JI-DPqD(--0v za4GZYV3!)FT}8)Tv(YgPPf-EZL$Oq&a>IgRKl&~vLG|_q&ShC6(nIH`+u;gELcB{0lO4Oszt0zp2 z=Jz%sIvQ+G6ar$D1xQ~h25()VE@KLw-TC)L$rzd<({*sA*AXv%51 zpXi6V&>$<-NBRq{Rwr%$u%WYM$GMpRTkK2TN_012Fdgb^#=f~`Sfz8bn4@NW#lx;!_+8dW1fCLW5Kb@t#4V zIBp@B7(JMJ=HD;ux9%8SsB4w#s-Yd2cN;(?lVi_d9S zZ>E60QSm`P&g(d!QJ`226GTDB`lO-ztsQ&9qOqR>ldSTuG?5QmLn_` zNU$?ayxk8&JkC==KThH|1??2}z4&b;eZ1P>#;?Tlsg-GMd8Nv7DHEg^Uv|BGsE=V{ z1az@YO=VoVsfe9 z7tnBa6-}!=+`QI8jaSaU8D{eKp>%%wgi^ma?xBpvFw#aO$D;!gAq@JEkDBUm%#No} z$m^H#8cSQaJqrdQ^xo2HSCrDw-Kt>r4^-wS6VNjvk0T9(?)t34k(U$&^!2c(0%N&shFBEyo{Lx644z&#j^A!HB?hQ$pVx!RmO5^*3IX)g&q<6NCyw(Cv9dUP8;$De zIn>XrHeS;svfk!?-va<}yB-tcEh1#+2}F*h129=)8?p2*N9B~q#bMM?4?Vc7M>;+l zGLYWeC<-JNR6ST79kM}`*i?EM!Z_g;+jxVm;?3ZN4*ivy;zB2!1mrOAv?y34&!0Bi0Dp@MER9*$3H=y6*^PV%>vUx0>WzecF1G!OoieYPGCzIc z^C_3jU|M|8LoX6bFtYu2O#qjfjKs6w^Y$gzpAxAIw`0iHbX~Yh2bH0aIB(0}XJAoC z;(}B%g9kk(H$YQ;a0HgECY`c7Hrwo*3yo6L0Ovx*Y8M0hW<1h@W&)U&N~m3|K}%@} zSR=;y;%35KOfqwFxKOE?3uuiCDdO|m=T-iYx9I6FH&NOmXLtNN^Fr0OJqw-^ECl$t zXPS@ryuu39s|U{1kj2s7PM@>`L$UwU`82%gVkN-&n0OjZ>; zG$E3&&JAaBg*8it^BLa@NzOF5U05xFRkUF!C;j+z%ozZ{zy1XP2QNh(1OT_`;~xRj z9D?d=0QgQBSS%A00y7qO2mpTZyz3eO-uwL%y2-Rk$#6i+_)}@ZM+=MGay>s;1cVkRaa$DfLIUd zAz6bwSOo83Ckw9t0C;~1$j;6L3$Y{hCz>6P~pTpZ&{2<$kmTHrZy#3X%Fz(e$OdsrmehE z_uh%35DW{%&m{b;ts$u525BCk7h<}p_PnEz7Z(3j(Ojn zqL-_O7Z6SpR4dJ$U$GnZDJE!!r}Ba0p%=Gt_fIwFJa~n1ZakauoDBi{AyK*F*3F#R zQ}nl$(lt3S<0{p{OXumm1ue$C3!`q11dH^1;~uK5Q+wst9(=D8oyTdC2E%g(xb9PU{-HELERi))}ICZ+N8s_suj4z*1i~dByY*+`ZOT0!O zV`w-ucRyDuoQ5m5OI4B|#?1H$Tri3|(g^Zy)s+JB_Z%R9%Tu+9r2EDcQ+t#290+OC z>14n5j_?D3?-#@7r#xn=vtF(n#CCQgl5gtLCz&k=+s^wHYSXLd=3(pGA4P19g3<`Z zcyqqQQ{6@K-~ux0eAE`1nh$;I!*UNALpTd+g1S&sWEGaw_a8-*RKW~6dMysuC&DsC z^;_8_3fMLaK>zPuq}D2jzm)zYSb@+@$2lVgvZ=eMp7NUe*{R1&u3#JDn^1~?DcA~~ zW_7JPgA8CG=>rMrEE@|QOCW23*;C4KDP8wTGcfPL(XM|mKH2{QOapSjGynm$;`#(R zYO9x10=z!gxu6g?euiM;GblXGO?y}}TrXie4DeAtdKJsmJwA5Nm)HZPQ3arI6Qv1E3*C`ER9p4rjM@0S# zPR+j`mQm4@3~nI*E;2*yy(LM5 zO40(lT^-5?W0!H4UWdSDyr|+iF7^?FnVhm~fjLlW4ccs^l27yZxF!%3fW^)(kB`#u zvc}q2j@SUd)5h0l;?Awv#_*Qj0}->ptmefX(7Q?BeN2HoC(BZ)Pb)fFQx3wME-kAE zXlNeb+^PhiP}kq;7O2lk>z)n`{xXH@wfsTTjJIBebAIg9h7i4Vhw>G6f`KO0Q@cDF zw~-TA40fCUKib|psLFMJ|KB2rh=77pQc8z(gCNo^CEWtjx#$oO5$SGFknZk~Zj=t` zUUWBn?}r`doX?rx{ASMV{g0!2&#Ymwo^{{vxUTD!t~Pe?{9U2T)wcUFPrnmDAS!}g zQGHXo7i>Jn-=jA;rzr+xG?4Xhjr79Y?}tjZJbW}j!SJ2aZ0mU3h!_S969kx&oM%0e zYtayyL^wf^Tb&Pl2Lb_QHe4(*z=3{j|I$~LCNi2))oiNR5l3=DSt7u@*aG5y()GUc4ca}$2LI0e_6_ITyRy6LS#kQ4 z`#l1<-w~&K-ElS_iQ961#`vdM?Y)Wc;~sw6)sUl=GXH!jNP(n`iT`NSLOfsP;Dz1l zYah)FbL?BBXeeA#s^)uoT{>+`CJw{UGV+I{%5;&V%sL)%hu*GQ1eo|MIvfAeJPf1A zqiPs3e-ztQ367-&_onXxwNCTid{3K>%~T3?eq6jJ^ry4>jEMafYDA`+W(x;3V2=zF zi;UYL6*6ID)BFghzI(1g5-ZKm{@Bw`;ZHYNvYh>~w7%ltntev7)17-A6FU14yTCr4 z!!pSkM4{ATRP^}VUltFVunb$jA;-i!#ZeNF?}bHLxP8S^+j*Fv)e(eMk|Oge&>ua# zAl*-GHn{a7-J*whsAosO1%FEK)(FUiS$KXiysPu|O*n=0g>a+FMqsUpeh^#Q0oYzz z1p<(miAcUO=-u2DIM~5}fygSZVEPM!`_*o+hmg}D_M;dKCi~`m7$Yb3%2KrU5pn$H z$5YY-AvcsZT~cI37>EHrziHrh9^({#qb4@QLlYvkiBEqXAo2PcI?GmN{lEdGu`JKW zP6-AOQei4k{-Z$X&;yBx(4x2tRj7%xZzFZ^lkp@)O}T*aTd4&Ob3DOc=@w>=VzrV#h4eL^5F!`Bpl!8>t3%5v?%HD2U@foI#u{c8ro-C$z{<@ zh#d5CR_(ve6$;e}n>b;-lDRn=QLS^T$!g;CNt>Ej?ob&Xb1t-WONBNs>km^6S7+-; zzk|OkA@H|JEdYO)+|7g_A;T#Oxdh9l0f6S8f_wK_p!;Z_B zQp1?nOQq`;jjx*16X3i`gKYi|uW)0 zK0{B8Hu;&Ss0ws=Y3hmfi^CKQhMJ)fNY+Zu;J~R_lau8-#whtDy$^7|^|z#w<<^(;l;WdIan9*aY&=)^+$Sir&kd*Q6g+v%YqPc; z`kJch38SuFIM7u#%$Lq!|3bC|7MrhETy(2yw*30j_pc4%8(Hv9Ho*OMYTH%>7;)a? zaEuqKi7xsVfcx!5sqHM0$aWGvy*bT;t|+KYoJ|~g7$<^mYi;R$=gFf^E{m@AdmfA~ z$4@eYew}}M#_t4c#CX4~mpm)_CEq5sXf%BYfo!v&T(dVAAhS4R$Nctvja1jk>D?4$ zjo-2_w9v0Euj#71ey_k_)Dt7OBS-HZg3j|3-CDdux9hDwhe0C-@iMid^=@y1>R=S| zr9s|gB{${QXdU!Xen$rvU#NVPM)S&G%HQfxEsl z7t0)QNKToQqTSlA4n&mxJA_*h`|>gG>PTKZkW8nnP=I;2ojQqC(~|_7uhRb5&xe3( z!oh7_`!M~n73bM%>M*1*e^GNVAPLk)vHm8zBqmIpNptO=M)F4MbJi3Z=8}fUem>`8 zY@K&iHON->@+e+w$r9ICWFzAT_^B%(* z%(hlLmUa0!D?*`N%MlNO^< zZeU&z*!85PW=1O8=A&ga8t7^)x0mu_TCY~pz*;ZLrV$@9YXI^6*OXa@Q4rrDza~84 zOK2Z+cCt`5!}#G&W@`{M7BcoGYZFi{&nT0t!<0(hOBAX2&N)Bf1c2V61nKVH{a#=& z%GVpy(UXBEqqjAHT!!Rk&k?(6s! z@&bEu?9mtgco*t)d4s96ndmNmw00d_1#II)q`}YCK>p5Xz}g&plxbJ$qDXM&bTg~| z1N!}q0k18Wc0fO7f;0X0ByU6!-QhD;_pp{o1GlU^13HunPX1v(mqTT1%W z9fme!ulHSfA2V^w+~Kne7948Oaw=D3Jp7rVUx(!r&t_h}JT!mDM5iH+FkJEu_CW|Z za-K52Z8Ppc#bJ09k!~XwOYE#)WcUktK~DaT>@&v8H6%ajE1Ouv8fY zivvNv;!Z$Wm~cW0qnO89n%^J3VK_YXhLzm zS;E`WH8Hwx%dm3HuqC;bAGlPhj=&P$-S%#~=okWMb`L{>^262u!Hh%^bn3d*Qu9d+ zKO35dzJ0z<(&~IY%rwJB@p~~xtma?w`bt4_FsdA9EIw{N{i65>sy(p?Av4-pBPh7~ zzdjj?xzgBBU2GL5iY^>55AmlnREcN)xC82wGb%p^3>M42t$z0Wvj*S?NhLd@J1dsf~auVk5C(MD!Mw1lr zMF3|RYdtoR)*bU4k_AkNj*qyhyGeXxfrTBq2;x_ncdHDr0u$w%*)qV0zqhHgQ!xy} zws1~ZEPLEb*^|iv&`=K($oGu;Bx6q_izj=6kp`nak>VOvZFy&)NyRWeWj2lwt=moG z(td>Z1)Hyl7q#PZ8AkaZy-OIxCGLB z>1xaj@2jnNo#w6|N4iq7j!*V1iIozk-!Gd=ie?IUBs$72_A03M0L|%Vo{$Ia*XY`v zkPb<$`3_0delO9RJyi+SI{Rh45U`$_cFAWskoW-y0D(YynQDb<#34yC*|F*>xp=ke z3Dden(zInshiMq+zIHzya8D)M+{G&~V zXni-S&hR^fy+xBa;uJS*AI4~^)k|OVgnjxoo9VxP@Jomy0Xr5^KTlLQ6xU5ZJ^)E|8)_d>>-GOJ!opI+1BJ_BKp z(&`GD)^N25CJ&v9i~WAoKd|31AQsIw#&#KCztgnDdOCN3ubq!c4b@)(7KTe*#|!$= zY~Ytc5}#kp2at!7#^;XuTlWKlAMea@$~=}d>A@=75r7Rnn*|yBEh1|)qGpRI#Bu(4 z^L)R=a1+A@@}v{P2mJd?fpc~UYW6Mbuu#M4xI+!$sD*7|>CvNz7c~JnlPi3NJ3{qSMS9abkw#%eA}-q zO>qWqo-qtmOULtX5-B#ZI#qCmGy7hXB(#^c_E0SC$X~(!H}?3iH#Dcl=F@pKNT+Q6CnV5?H$# zL;!0-xjwFO-F;vy*aV|ncXkLd>{IMzk79n?Uj4=O#s1}rI9)o?{DtHSIelJkvUsV0 z9P>o|?eQoG`wgv{gm$SaYEGMR*+cx8Ren>T4lnH!?=*@M_jA&)in+$i5h?Rx3-n-R>sZ+pI?C5ozLoJ) z7r((!T^sID#2d7x(WN3UBakQ@h?Vjy6y1Gcv@Icgz@lskN;o-BnXfx*#nCR8s z!V?N)ox99eoPB4F#lauNT3u@WHZq#ish2B()59@+1ywhAvJtJdc1T;d{(Rjz2}D893zR(WqW#EML}uczmh+xrzowEQv}Ic$vzHb1>9$-P?ZTJVR~2lF~DjNmr;wA94cNckZElUy(r)9KgQik7^@|Oa>%J4%6ff$Ybc&%|pc8 zw?=z|sg}au?hY{2we)!TL9FldQ;i$ew{cqrV0{;f_O1ocD(5MBxLlyaW>}7WuL6_L z{D|}WM<&mYzC}Ilf3f;J#K)r}RhE|ivHQ@N!_Z#AXp+o`)#b-*5E~$Y)Vb({&o!$Y zU;pCFB?=|e0?Y4G7P+A`dl&U26sk{G%mAv$E2SOy%;=QN)Y9H{GJ%!LFH$SrmR zVx79Cz^AS8OlVHu_IqyCx%O9vG#S8{{i5)_E{6aqRCW3bL1p1x3feSaG@(oblkW9` zhG~ALhp@Oftg}`@m@aId{LiJbr4{Q9oP=QX3D0MAahP< zAAS>Xoe;x-O>2E}EC(@o3^4#i8BDP1w~y3f#cWw00lCkJhZ%@!kXRH}tEexeehzx1 z(x#O3$_CJ2j}xo`qxQjNUz}1&R#?^R2@R6Rk1{~aDER6Gtn+^=5?jUI3}q)34H|m0 z{cmT*Z$V3eLRulELN!D^O(6Sjo`>9=(#!u>LG7LdKf3w2$Mt2Ik{ghS3jxZ@CE+AJ0Y7w4TD+r_k5#_fs{wcF7f z&{1aqu|!2?6g@$ zcn@+_ea=c*pHI1+4FK;7s1gXQ*K2TPu6aA5oag>Kx3yQwF35v6s^< zJNzxk&nBtrzFGI92D36NH(3&Ooe3Zle%q0Lf5n2~LyZ#-c06Pg!8TEcmG0Wl8063T zx_LsN2}lr`hN-tjH%JR%3LlY7Ym0Kqu1JfCUU1UtQYl*#uC9+rr6UvfK4eEp>pIU0 zNA+CssQ>c*0$6nKZBfc3D_S+cYm|_V-73bvHzafCSk0wf&x&@h29G9*_^KzoG}E8H zTztVlM#QtRH7Th&04U!y^wBHgOOEg*qYFU!)-Ld@o=aGN6<((4iifY-7IgCUO+1L+ z7F5s6Z#eC>{M-bEY+vO!bH>6!(N43YpTs@}R-#_NQ@&d-LsTEc?gUnSN!4y}r?FU} zCNrmxVV2bx(1WbzG;1w6-?Z$`j0+%3_a#XPGI6^vUIM2pXb2wjGE+vzv6;Rp)RA%F zg=eNdJt@XcaygiE|mXD;=M ziRgAK*q1z|s|mFTlj;>37*QvDBhSDs6HNQ)-9ftYNg)9-gc|llHY(4K-%sfaMI^N#B)u?@a zHtNN^$ba$EW-Tq6W}h{0ccC4*Zc(N}7$It07ht2@KW|P}D1(6WWRHU94d+wa7xuqd zEI-o#=vljY>}UKSj^ZAFW%KM%B($pLj`4uy*&6cb@T7--x{YU(XUq2p*f8rGgBs)9e>;{>i8vG74k#NHFDj#3#Y*0@m2-3C%XfeCMCV5RCXr1C71*=QiPCfFS_+p?d%x25_|!AA-N z(&aWITiNuvA&rT*SzKvWodZ?CuZKevGWO?ICJ{UQREFoOV=|_%EFdz)4u~;nYxRw> z61o9BcvEEBF$hg==Uny2>@lesGlKVN0vG_(u96=guQo76XYYGnQLl*?C#NjYtQJDndl92X=42jLpy5nDL;&OC56qTAuwUuw9sg`CK$ENo> zL|u``7(PwDQNDCOV_>%i;ykb_F3DtI=k?Mx>lOtTtOX`Nhr`;DDw6nW`{WFVSK)QN zH|v+K-(1W$SN2$;^Q0>Jop;lK^d$E3SIdrY=saNr=SeqKFsn`Uq@_9Cx++ulkV;qC zWe5$VcQMr>gT?#)(Zmd=r~_NBTp!s1W<;vIemC#%BuTi<%t}^(Qn*%eCc_f_6S=jb zX_3&*V3)d!Px5@?hJDFd&am}0N>133-3)s7N!CK0!rQWiFasY{pUDb~0%B_0(EROp zf2@5~db1L0EGqn+FYDsM*X|dDj$~Y&mrm%e^G)xc9l~>(kGbgv3QlJue->m59&-xi zHB6tS+lJODk0!x0>rAmt8@;bikd7A6dCO-{DHSL)eXsZL5|J~DFEx5?D7V+9A8pk5 z;#iiX_YUXbTnkI9l`y(M+Zgz^a*jn}b=LHh3HB%j=9gDVR`cOkp+_KzL7DSbTdP@d zC&fMg+dps3KN?H4pAe7buMWm%%ceR5$+$1)-m+iLooQd~;V|&pw{HWlmV-om)_Tfa zce_TJUX=u$IKVABuNX7H--|T_dX{NFl=OJxcG1lnd490|`fyGLk@M0(pL`$lsASfWD)~p<(XhlWfS}f6i#o8AhJ%usuzLF=HDbtj543-pbe1WVK;7 z4bqGIiLvW%xCT%X8Rsk#lD}rrd$gsys0KhCv2dEm=T_a+w=(t>sUPS}8nPfb0yNdX z=j_S%WrnOxIEZYQa`*OW(Q8z?*F-?x!VL&%oNUeq?;se+wmy2or#euLWdZS>qnutw z@t4pM^9iWD8sf0!ux4x&^^?0(h&;&1`D)>hG68}mv0ZQu zETJd|oLgsz=3qz6W{y^;hecqt+VtCRFMksk5>P~O*Q7JjMhW`(Hg? zCVxdc3j(5f>=chyJ&}$e`wbAo@J8i_4;C#6sl6lXQYBEyd~OK=jTyWie48!CJbiwG zx92FAB<(x<5jUTg+irE%{F60Uhq@3O^(Jr)PA<7zU7RM#6yklZdXH0l9}IOKb*dwN zzIsGis_*K>{87_EcN^qLjE-6qe!t_68&DOZ^`mkbX;&OXDQr?_4AsUX8bBRjt#!J+ z$9^xzV{8_2{8a?!A8v$v+0E@V={gdF6TEO@|3wFr;c86ziZ7;xq!)(X< zm_0(@_8}uhKNOUe@=kNzKj?=rx_I3?C$oZ^N)9M=_U0zs#Y%lJt#z6a{pvBLG$%0f zutu2zaPQkh%Ounwrk#D%pz~^dz=j>EA9*#Fcj`$)THRi{I)#Wa8(9U zB11+w+<`|r=?Q!dM7FGtAM*Rvf?=&wZ!uc26SB>72=Wazfr|1Oh7&43_8{Lm?3O-5 z&uu+)M1NOCjG=0n>7dIuP3P%>^giKx(es`|y!o+jCr&X~a{V6vH6B+St0HLPR&*vp+_(OGAZ+DH* zX53Efgg+=A!NmCfyQBT6ro-VzjAZM!T8uvGl@?xtU@O5C2!2`f@rFDi+tWN}l*z91 zfe_@I=y%9B{(nQhYuh2nw^ki@AAo#s-&;m$w-TCIjko&D zM0!&(N_VrG*OvfhE-UJ(*}2&$s2H7!{1o*5tQhD1s2INy28-9`NDf!gwPgtKm90%j ziY86}tJA!_QC61RJ%~%uF|@3ef_6`m!(2VaxBjVYHIM-{AB43%m*pMkAY1|33Jm`m z_Nc=`SFuVZ6S^hvko;lV!*m|9UYsKo)4O;IIe&qgdYyURCh~_QcV~ zx7cW(?~y7jhxKSN=8yyiXSixu@zYy1%=*V+eK5+V;gA~=D7MrhnD>=RU!#X?}gX>Nzp*#h6ho`8c-0a)g zBuy7bkMEoS@BL&u@ILp-vU}tETlI7pygTnLD~eWylT{c!vGl#}P@-yCw>}my+IAl+ z)V;^h#dvb-w6OUePMH2J;hn`LX z*!S9bvmQPejk^=Hw|fF_K*b6&e z>?Ok^s>e_7V5sEYzHNUJGNyrx?yzC$VdT+@?6J_}tA>~DxT2;Sj{gN)P0@aIjEaB``nQi~yT)}qqtz#!^NEV_FwC>Y-{ z>WH1lPTNS|Z3FW_VayJA?ERcI6paQ-J3l=l{+bA|Hh<#1eE{Bjs;mj%z2Pfl@OryC zfcF+^!f*n3Z#jVXmWS}();D->4Pb!#05aGoLK1H9-b@hQyUG&ay&v7+y?H=%+P~qw z`P|N^E|4I+cYW$#cyDe9@BQ%)ym!l(z%%qL?iIB*vOUbSc=^ru=s2~{WG7-MolGh! z*Vi(Vx6GHn;nX_-NatKX>pTAWt|}on>qtR)2E*yW336zrmHvxVt-5>XPBM&ozV+>pbl^mVJnCn05`;;UdeV=WNBHjUssgdEWQ13Si?mOcHu z;U{YmaGsU-wRXlF#I`_AE&D4$Uxzx0)e)sTEWB+1?`=Msp9t{Y0{dW2@eThtBd_B7 z0l<5ghQukx2dIFkn0w?UHK<3E#@#WG{;k+bLaVKT%(cJh5NP< z7uQ4Xj&t*~87SGW5miRB$)$>q4Yxs1k3|#wp4lI^rSk}QD|}d3rtvODnwj(7ozv>K z^m)NDm2&ab@*c|=<0;7SKy}NwyT3iZ%+3F?lziT*^LA5py|SKrg;9Uf)djVC0nc7X zQ}0k&z=_P$jTXL3UQ6Y8CX1+TJ>yfc0Pk;;3Qy9F_Y>1RP}0Npst(3ONHb?j^{G2+ zD_fShqr&3O@9*Ufod}lLJtyWSa+BsE3U^eF&a_nxlx2&au#a2}^#$QB4zZAQ(d(?B z_fjLNjZq+<{TLG{uBweeYV6HGUD4x7dNiwr(_E;?GG{~BW_7GgS~vG}q;&XOQl`O% z4|N0j)S!W=&aF8(&vy#_kr6~nB}qQ*N!CV;Y5k6(OtWIZK-0FUN&=3wrfg$|mrEPz z-ca__S22b+5=_SY?c72KDolBEEAkObFd8h5#1|QSV)qSk?y_0zwIdx@s@A?O+Gcl| zBbcc-uP}G3S!;K=U*yWUMmhry4y|~z?Xjd@FT<%9fmHZt5-&SlaHC_;6Hn)0(kBz3gvhwA-XqqTNk^P+A4&GMLIf!i9Pfij2gj(}< z;r5U`MGnsEKk42K3F#<<#Mr%haDVrd&P}1m$$OSKqQAx_209AP-DkMLT6I?WegS0sYqZ)}qxX zKg!!L5-b#Y4OsE}|_lf^{^n+DU|LkMCK~6tm z>vzb}wX2*OFn`CUHc{@YLQ{>Yd;7^0?g83G#^R5(>3;E_%zFEWh5pD3dPIpPnii~p zZM`S;>zPi=LiX>Y_6~m`E@_23A%=xe0cLGFH3mvB(n=I8dq)}5!VsKoGhG970Cbz4 z=QqQAXk@nTkC)+35a!Hez`QBm9RvxbZx`1@VQ7k&pPBiU14U40J+m?1k0pvRcdIqkprA@96BXK zAMkS{4hHRIO!YbxQE`>cWST~qzm9Vt$zuNKYBDu;BuBqZBBNy@N`Oz@4c@!0%CX_)b#U)vkXOxgSvl)G1sipWzuW8)Bf!m2f0EK5U=x$f zYVrLT{R5hd#K z@LewnX`ziX{7q72rAG32fOUy8umInAx{bL&vUW7|F)N3NyjhYFtxG>uozPb@Igqo| zJ+KuY%3R*QJuG>Zo9yIOBHx{B1Z;(Dzjx z(aHm*YKi=DJ};0sN_95_!1wPRw#8t7tdq4dsx+6`22c-}y#)auYqaDOU%((*_NLhm z`H`mx>9V1MOxjB{?!fFK-8g6PM4D8Ry!#AffPNMdcG0v@SSyM!1v-$Cv@^HSS~0j* zx86QF*)U``(OAf&n39M%6XK@-EBez>uYfEW6F(ghp;PIwA z&}(L+35d<0;-8o*BOKg~8I_1&VsRVG$(z2juZ(uQUJA0|91V0yj6h`Uk;YCa4H`;B zd}I11cNY4SGUY>ed0C)xlOvO9A-=i3e1%$)W-Ghi!Fi-p0&6hQn%Ga!$E-uO%lwf661Z^2Ix+54u}S=7uprU4!T+A$6*UzHhbhTB-V8#^MiM+MgV&rPjUS79d}a#lv{hX+HGLQSG?{HH7ts%pd>Z9h@i0&>#AaKtWEG(aZ5>ZSgf-Athe@LY+B4VdS0c|| zSKxWV0-~I)5j$qdUf)8)#y`wIaf4B)A% zSR)&V(~j}d+cLYwzYtUho{eQCoYEPo!F;GE7n|gTK}@cd@+jP$>6R)^6q9OFKp>(R z$rFSnTx0`MCwKkl$O=c}r^6mZWI3iwsRS^34Cl1_f6!T8N8h~wQakyx2keXIAo5ZU znvkeI7%D4LRQMY#@dhdo4KYslXJ-x+h$ssKU(F;?JDsH z(`Q(`Q3J8o^>nZJIYPcnT+hFOy+huM15%7Merfpo-#kHaqe_A;@>Kf0b0|ez@=508 z#cESTi!cK)0my?1I!9_rvBTD{aT(IPYM=b7S85Zro2Z5;=7$d%IuyL9-#lebVhKs6zk7b{8Zh?>c8tu zy*zxCAhp1zF}kk7OUOt5J2}l0PReLC+vp|rVyE#o(sAuyu<4srVjRHs-uUFyzl8*!EvE#Y5bHN|~gJDz*k&RSe z8zlVo=!_upUF--x{)N}i&3xw(>C3uLU*8J-^?(0-#@Fw@-IY0koHF41FAIL*1N@iD z-T--HIRr_UfreFWv&B>dF909=TCcf?I&2kgrZZAVsUnSNubR2(E#Bs`sy-5aidJ>u0&jrz`&J$9m0$ zaC6x%;yf4&MK=TmWMp^*_5X#Y{}+)}kDe-Jbr8e|i2B&}RqY-;+rE4xue9 zHXT(O-BQC=)&Nm9~&)06qZ z`=>i+1|89=e?RK-=97pZc_}!H`Q9=1KOV`y3$fKD@cv`t(w9Eozb=Ho>y@F``GV-F zMxMWK(}oC8gOM8{_p8_rYbkpGp?KK(pNI9|^ZuxiZ{Z_E zdvovq6Hft&CnlmvWTn;uLj^c>X&3tWuXC~KRAx`(*-XW_zwElXj$A}}wg0tWg%oHVZY9TFh zJ~SztaX-(JWT;cztX|JIf!H5Ip+JX}1>|EtIkM|OpzILe`Nl#k9+TdO>cucggx$kV z(}KF?v_s&5%mk9e)mf<^5Z@XP2cjX8O`teYMgv|MH?T8-2e9*vQNJuytv^wod|FE>>U zQve(Xrqq=#4~V164TC!}>#od=YI|sc&eG*x4Z-pHs4N<=P_tM}ze^1qg3J~&FAj$^ zI%ReL&Li?q+~GZx9}mWKyrx`41M$=P_^(|_OPeNvm%YreH_mIv1~~x)2i&_;Zw1C+ zCEN=EEJL7hb1M=FBFF-$HDMTtL3eCx1SMnD4Y3=Pte2bz|NE!<|NVe01~;CaVr98v zg6GR26nxb0fHN2#F3U%qY{kR{f+er6BA*I=L=1R;=mS~_wYvR2o-;*4yB`Ae$wYt8 z$?+ejs;4U^II2EsL0jtuy6b6n^NGyE(Sp(?Ex?8z`1pNnN`>b{IalSYtWu5rrYrx8 zzrKQh<6ln6UJB|6GBo>QaP;kMPXYh+?N^W<1wElXk@ejVk}b^Uf8u_%dG*DHXFTDq zB0ZD)=@Jfv-nKEYjI_*wQxKRM%E{rm4LPZL?4OA~D`=Eph!rsm!UNscblGk}74+4xyQtOWo@`%kmjZ>U^5 zZ%&lC{WFi*aPn_xp3h;NkW94?oC~M!gDh6FFZWqPJphNwy%yl6ejSTCJvau$t33vA z_>UbA3jPBh#Opffu#)!}%#c0aHXHcn2W}jH4|Lh~AVMV&AaYw*Tn1S8=S9~CGlETk z*TjQp$!X39=VBI`U;zN}`HF5o`=nW_MfDm*85o)SGVJ~nG++`V#1VDVcW08+v7p0U z5k3XxJW1iaH>2vM@4ga&6nfcZsGkA78AIen^G7rV7<_1V>w8}0s2a(2@MtG12O z6Jwpbu23f1UX#`FtTzUF#})7ss{w^Qa2#X-#7w8`=r41}rLIV%kBvB5j$f-mdE}tuP%;?3=9p6_LTK=cB8o1pHNt{EdHECjiZ8fh~=Z=RfhA z$-eEWHY_04C5Ev6%oD-{!@w$u_G~CiVHoUPY<<3h-S%c2u_zMD(&Q0GOS_(X1%L1<C*%q=-kQRBN5>h2IB(7oMt>j-9qc+2!Htv7q5)d_oXTK4KO?f0 z&0T9*RHzB4yYm8BI2KwJ#nf|2)3@U|u$!MNm4K zCvSFI1PwoHOWl6IdBu%IRyv07Cx7tXM)_sF+;@{Dc%;eE1((V4MQrHk!@IF?bB+E6 zKJz}iveil9E2pu+d;^~0TsZ{>$3J-5?h(>(^Auf1TaeK)!;mO{*Zrg^~g7n_R^lAK4d&L72oN^F-lnHGzY%qxVG^AshTN#>(uXd2j z+KF5oR~RGe=0DS3m^$tJ0`b!I8$d&t=nSq!|Iciol>p_%R0k*jt2EvsRp2`>(YI3k8eLW~K(o&mwW?wcLeul1DpU)n3u2PuB9= zF6pQ}?tk8;B*lQalx~4a{U*`^)za8sIKH)oVmSHQ{;bov=iHBI)CL_7AYIV+K zH#}`#r{Wu)w){vt884{6vu}9XV8v>A3(K{`%NiM*ZWJ9g8IhGC<3faC~4f+m>DbE=ppkhTA})N`lDU6ifhltS3O+>@Y*aMG7`p z+qMN0ZwF%F&}-mQe+KH+CYP;%5`@Yhj|{XtMI{v0cT!0YoD3F?G!^< zdhaSu1R(Zar!GER)U}N&_sGiL^_5mFuFOy&oCE^m%T}LeCkEAGAyEGH#k1VkX6f%e z4)P^(?x=mV0|pKK+Koq`h29+)d8k%ymbDYAC(ohZcK`9=EjUvt}SHGAx*pZ1XDHyTgVE)0laZ8fE;S6G-dTplUJ7`+2A ze-)qDmfNAZ0$8+FvFb6>qr8=w1Fk>qoI-0Ahz#L@y z0X*z8Y$*LIS?Q~-cp_+$UnpMKDy79`J6dE#XAc-MCTIUJXB15me*kpiWQ$aXzo3t1 zT94w1d8wR$eaw%Ko;v_koDbYN*W}DC&&3u;-^=qt;O!h>{ui09UrUd7{+I!1>4jj} zP%$*DtWAiw{r)!kYjOTppuGt#duo+cEOc+>!QB_oupzc?qAqCeBJK$T&YA5#iRa@J4 zHaIj$2Uk(@1pjRciywTsX0Z;vAF2ET3JepVE@KP@^?3Mq4 zmq_TD?TDNm1nUVhJglbetWBeTn9K##Dwvs90A7y_6C)BJ!ZZ>;i_XUN5Q`9g7AOzf z0MfJ)sMq?LTgdqfn&E=aLA#LgiG36E%4#7l@%>k+(9fCy;$yM4F_#^6-sTeC58GvO zllNtE9Q%W?o#dF3ETkr=gZnJrU>ECb`1S$~9mx@RX%?HLrv%z?=o@D+EpS#R@8w5} z(Su|T?0ZNlI!}dqPzXV$`gHBLO${@FCOl-T1Ud}PeyN{CgP|{_Nkf)cqTgz$3_6ZP z?Bz->9P$ng@*Xlc&B|#er_xOh!n?jzch}LE`8fTIY}p=nq6T@)j0k*d-@^4Q*&1{| z2R^C}`KD>4i6MZ+Nv?3~lav?Yh&2L%dj7)W_pJ`kpf8PnVFvO~#+F1TOOa=eXmIwO zh1RLTR0RiqbY2)oc8(gW#n)wqB;vcWE(4{y3a~yVqZ|wox6CV^gRf(glcn!cKSy>N zS`oynhN5EHXjuJnGV!+uly~8*i87O%TRcYvBOewlo<;6g*?vr-Wv46enHmsLjJ2rkO+vQIlMcu~n$6EeRQ`!1S!@^He{fqN-Jp_b6p0zBymT)3~rNOHK}#3)?7 zD(rR~E3=%LW;vMB@kVQkzSxKSE=i#~z-zhe>+^!XA9WxsjFc|ArAqqzX{e=A#zQ53 z4TBKq0kwMWTi-x45iGBd`&=?92n>E+Ls_wun0&Yy5K}vQo-mVpgvlj^ZC{4ZmQA66 zZn#<;x(v3#Wgw?yq{MWUnOz*wC7KeX%a<-1Omy#K8Su|!)08!8P{(Gk!+M^UnvTjq zaoTVwI9s(}T)ftQ$!Yqj`HPTQPhljcZS!id!|I$de>?|fPYThR_OWLR#Mha{F)WPx zQ9HH?bOKBG!zT*8cNwO+6ZW$lZ--!vvFo2S5*LCSv8-xt?Cuf7*hd6a$8+#AUyHlQ(Y(Yg*0~do&DEZc z4O54|ff;uJA0TSK$%lyAPjB<@sRic|i0SX_uH*!n^PF||#_$N%UF|+G`4zEia#_az zn}fxS_~uY*G92V|5@%F9mrvQNYun}C)0p}NwvLLv=!A~~$P4%E)qEf4?XPCnXzg{d zGBC?kY{hlVSEXtFI(!!T3cETo#NT)^{N=z3w*L-*;!&D_3@NxjL;X(MeW(=T1_2S5 z!AVfP<1_WRna5Ntg5Y$)63lqukoyr^)06mP8c3UxZzr$~$X2h=yC1*|RtT@r2)S9= z*B{fq$%JT~M`t~;EcyjYa|rfvl^1*6t->Idq9mi46-66l*xe$X1@odTpsyBoJNPLI z2ds4kb+aO$3BdeuZO*Woz^sNcs_+>RAU@~uF5zC2Mcx<;DW~r{U>r0kfWfTYh75}q z+10*1OJ_=u5*q+&&rKDlzFnQHD7coRJd@j?C$b;2R(o=5p>7SrmhjE{$jv}747US6 zm%{l?NO)4X@G!rMk3kFowZD;W{tnbmr&Q%1SSAdDfZE^w4XB+AfZFxJD{SE}vA195 z>YrxO=I=+HQlpTAF>E1uBRiK^5U&@nS^pnEZG+Hy25G`(X@@3arZ90G2(qBdRKmb{{!o=G+TJlL^PfLspfH4$=;9 zBeDmgU(!Kv zBEp<(OwlP7_<_+det z(QFWE#OFb02MEqi#B+~@?C*1et(2ZZ470&!qYz)eIcTM}3)cSI;7x$dX5MES1v3h+ znlFJ#Whzh-sXa{{Xj)()!*VkPft`huw$v4%{W*~XY{fY|fwNntFMeRa#S_ARYyxxM z66N){QSzxsKDN@|PcFQf7YDGCqI(Q6=B+Z0%r(t$kH)EIx!W zS=)OK;j7L?V1dTE6t@2KR-Vjm1 z*2X)Je&=kwj*E>>04^l~J;pCBuJ;M-B{#u%+(=0E!Oy3^)!g?5aBa>nH*jsRx7`R4 ztX402rxJsNjnRw%)A`NUmhKyyZqo-lKgv(fcj+l!Z0nqB#eS(IPZisNgszvag(pw3 zy;ukj(3&mjyzU|kI^K+FGtm)0KmVpqxELK3y70<4MT!9xAvZ%H8(c!)S)dM{3fYs; ze(ZZcc06JwXZbq)fg{78v%{A#%GYPKn{cgHf>#h@`^eN`!pC%)YCM=GzRYC1wY`D( z&DH9;G)91Ynaf$A(GW_*i)oe=^NGSN^m1;QBsNvF>kGHC^`jcc+Nzqx$MQbKmzbA-_!Ciq$-6stzS`%WYz8=57bRIR2#o*8h_% zHjOmv#su~%&G+`k%B%rlM>xz~i^7(&cy>(O+YPA1-6a|$! zA_9^sDIg(8hf23JNP~bQ-34*Ej4s^4xIyobV$trLrTN%8O}NP-gmwKvzAg1 zd+%?29&Ej38sN_J>|Cl{&(^AwDZU15!`h+PQ(7D{q7$HgPwDGRiwV~)lVtJh#nry= zdE@MZzs*6WQ~&CF6@FXezkux&0jE6-V0#h(wn5SlviKez^{F>j~33ET_rF{+d3%=(FjOpZ?UF!5mckX~XiV5RSx&K4J)R^Gku4EjIL zhOWRmj2rT4d0UP`U%qMbX<6r$<34p2C$n;-L$TPasYrr<&e}L`z z>{Mh0-RLl6!zA)FeK}DI0Jh~}2c#Cb1FoItL=a-R`38n@?|8_^=97@@gg}`BQekTa zuC5CZsv;%{8dJ>mb=bUf5y;-nEIQ{A(|tHt*SmJfdMoOPD|e)!bVmRkI;AZ5TPC3F(lcg zYg-~pqZL`Kk_uPijPqBz+ec#Z%s{xntJtv_{emEJIA}nNnav={<;}p$WCoJb7IZO0 zZwhoMU2wZ|_B|d6>+Dfu6)KqTh{z=#Gu~rtjFn`U8Do8@gwj0y#U5ibfzX>)B|XWA zUp2Mv%hn}2svCSH-EEj-GzLYTS)G#V@qQ0*^msQYz`!XouB#W8SUkYjO+U|ye(pkZ zjomKyvCGTVJ|{`haA6Y~U48h_fUEOm#p|g>idXyOZE{|uKhXnyBbCrNlo!o8w?{d2 z&FB*TB~MK+4tb>4`&17`--TkcN*_3;?SJ(&G%-Ubu8#U}Q?t^#5^vaUt}B*psEAFo zw#!k#r(CZZ^a)dOnYN%MkE4zWIwjZ_tFjnUid6$z%1Qe7oDda859SGne$X;zmL z-Y+h=JI2^n@Q$a5n@snS_yd9nJKhWGGSPMU(tMuhh*M1Bfsl_pwvoPwr#!$1l3 zNYtvq=1vHWh|cvoMWC4PE#e(LRVAmyzELD-T}00Np^$`KCz*$3?U>D;+hS7Qh|y?k z?&Lstt5W0*dtA!pQOm`@2MFjZE%mfyrwQ$*-S(q-pR~!AT_7|bk&8dKxw^a<$Ak|R z%4i(=IR*G^8~!r@eF+5?RXzJ2dSBG(?@EOJzQ`L`*2SkASdO*}$DoUgMP5a!76q+m zv*XX$R(cTd!es5$SnI+aR`&YM7hHTX^BU}VFM@(RK{}rqk0WzNf>bZ7L;zD+rEB}B zAal=kFb`au*m2Y9t)Rd+W?j2|09YzF|L_aR}G`oNfxDMn2IHHXO<`#q@m}b3!dvkTm#4IQ5M`&zmjS++eR31J|~>(*Rlv zx}HWX-H*F5^>$14Q3=wuN-D2x5=kPMC=a@yP)b&PhI4^I@$H17Gq`QCDd1>VeR8v% z`@b##^E;MZL3>wV!ru4aJvU$Zwm}j_In{dn5nMJ;xotmtf?w3bipg!3D)-j`L?$>v z+>e9hgk$neR7_vHE$B`iej~njmF74qm)~Zwn z(a`?~w5>!xHVpX^E`tno3zs`H%6YKDK0zYc8GbKHnwD9QOFsXCV~qQP$ApZcaRJLU zuud!Q}SN3eKMG1jdIZSY{J|OeYS%lAF%bf)?`E_Ab>Q|FT%iq*p z)3zAUwrJg_MfNF8R`{nQcGiCEK({xW?`;0a%-wGFQQkTQ;%xy(SBGw-H%-Tz50j)LEAg~OE1C;9{n2hSwGVYC#rLT_?IL-B{A@Ae-nw>usN8=2poQrMGeGr z((c}r0Kedah!yFa?2T-zDEifCT_mJNeAJ2cIpOp0V9J&4Ou96{bCht17K(KMZ!l$* z6Dym7CtW7KFA71(_J`6%NdX_$#zdCcY6TFz_i(4d&7HoiCLZ;Mij#`OxMQ+DKFXCe zD$#|B!F<@Lw{DO?ggEow#>m^txCsC`nlh!&L z49>=o5~m5}RHU+33MXa(NrSWV$I*_YPEDvr^XigJyUk>6 z=08ovC48RNk?gA|xAb8eN^1i?=Q`nWO3PKH!$zo7-fmt2WzD=PC9$_P{c4n6pW3!a zuX?pn4x5#cT0Prtr~^4w?Vfa$rmk)jgpYtkAJHtDh}iK!fsV}n$3yHRP*S>&j~*){ z`VO1IpRSp*nl8B*F{>j$`YWz1UY_opXxS-FWZL=MC|2+K8AjAuSM`)Uv)@<)Y*s{R zHp&6@B8LlAUt}O#&E~`!jDD+oXxvv`H&gBHbYJbwV8T8NPGBfG_g>VD`+kwyk>c!m zvtHG7XS3NhrO;8*j~i@Hw;Hw-y>+dAoOL2HFG@rJe*4Ty=oF^t#qRwVetq`*b9Iv@ zC^uBF;wpWSN!@b%0`Y1j%4W6;tE~RG#Ht&BwJR6 z*M&-!zv)Y~HpIedE^WDxO}2X6%i`m5`*qPYUFt@(hABKD%^3dT#u!|RqA_cb&JoL5 z12o`$D7?>+;V&rib`0A=;BH}+Z*$50lBO`)19#x6_zCKvtk1Wf1|}GQD%pqL2SG2g z!2L1o6x?mCBngj8A7Iei_d-4mNKdYe;IA~0oEugiM!GH5*%)=$|j~6Had7Ce;j5rD>c;sKVX${W)4RDfE_`UTXc{`$w zA3G<{r29Ye_9BM74L7m66~brB2a__>t^p{>7tT<^p&kX^*=QymVYbk3y6XF}0yfii zP&B)f_*rBJc%0~D1Z60n%?9k3S^1Y_hCyyw=HMm_uatQe#9YCa@%fPL8!3Xe69(_?OyXnm?O8NnYa_b!$j zV)l@?@2IxoqNqcQxqyeC7{uk?d3M+0z8JA$44Ed_LUxY zYnEgKjWv)gP2?(hUMyG7_N#fa*Je(0P#|{Y7|xnmH1ABQ#@YrR(b`xq*# zl@>+V)I|+aYOBaj>ilacmF|KDR5ve@{3a@n?ELRzxT=y{{k*Xhfn@>#P9`ncYx-Xs z!}YC8^Pq(cS;SXlBf*&6m(gA(WNi4+yYO~<2xF>i+jJ{F%@1RB%Y7_gZZLw-D^M%j zm15;=p+2NKdi8GxCwXfrenPZZnYLMq#r=Ibu4urq!tpIt`vgTDoa!EQLo>ppE9 z{QSCQcFFk~z1_-0Wxe;i=bq>XLkScX0bdJmtesp{4_e>2xui z=HvCFHpOpJe0pAC;XN2E22&B~=ge(l2VgB=)(R!6k4$g&Q#MGBV#c7iqw2NzkQ{g} zi%q9UmM`i{kpcj{9eAH?$SD2qLPtngP|L%vn9kGon)AqY=T^Vlms^moa`(dJ`GyGq zIYg9Vy|%36XyM)l?|h_GJ<=V#Ve2lo?=3Ah3FPp zmpZ$vW~ZOQI>NA@kXF)xl#NU_ep$zJ#^#UQWJI5C@+~hyk|^Kyvt7`drT>ZPBkLDw zsOhur4_1HSNt6=t&U|~wLhSsgJy{%3MH*bLfZ5pctxYiZKj*! zo!Z9JsyS1%sgnc(&WtF72ul`*5hj_%G;Z%kMX?UrA6Om#q+M z#;j++Au@qGE4kJ5a8T(Rgm1Q@?j;(rW$Hw=pUDdPZL?PP6pw-8nh%cOk9v*?9Q0-I zJ{{t-4FxM=NlowO9dMZovPGXO=zh!VK}^^bkWQa}n_WBIB$caYhRRgsRvmKdD)!VC zRb0qvk;FM@Qfv1=s)>eW>$z+gfW{Jz?}a8+^4YLlaDzIk4e{@H>|GpErJ>K(0bd>P zYC;ZKI%%z%1VmPsb`>I=Cp)kN9oiO?5C9RTYOoi6OvTw-TZK}FM5~!=$_k$ zXJ^INO*jR48|1Uv)yY0!d#PV-h5MwS?^rBO9gJr=I*2;xuUNTiHwrLz&%}DjuVv`K z34;VyPpM={+((?68K@9I17@;5R4P#4s;qCbu6ez(Eu>SmMK%m+KgGY;H^Walz67Nt zr`}t?8WdIr9)`cGUp})GUf-GGVwf{)|JT zfoZJ0d`K3O>O2KWwYz__-UST>4in@fwd06e!rg>EQ<%fxWk(1>-`??>=+!T!e~H`z ze|0f(Joe|T2z3|`4#*K6oHk!n#9H@KQ_WZ&?^vX9H&@HUi2 zwCQo3IKVYp`L^7>c|iB*bc?&bJ)z#vP~{3kt>FJm zIFBj@N27^51;Q6*3mSYwsOUz&|IB4z(PG8$xMdyqRaj0F&afye(T{#&wPTaHXlVopo@W3} z`(ci-S)6>4+b%V$IHXRAnRS3nQkLD7vFi<~Ek~+&TEOn(IdnvzGnvoA?5yLY@V$VJ zDWe8U@|#Hr$K;=xYT6m2U9K2GFGBE9`zMou#Fxs|Zbm!~*pXIm3k?ZKN8z0Bm;V9Q zE*ayfdCmljvaaXAB;w0E{2Y$kZ{ox^k9x&4X)b-J>fyM_qx}>OTwL<$#qvv*YtOS& zYfD0SoP?7DI%+Ys!A+5M_kQ zx9@FKeBzdL-jO;+5?1UO?bDgj*uAo9z@cVXUrMJqEB&zB@isM!t8f?lf5bDr>RH z5Kx>M0kl3jUWltc(p|-Etb+xiCF=)Hh%Q@4^u3Xi=ABEj;Rvg#H;7%FUPf^E&U;oD zlaDgY(BpSZ$}KgG9kQy0Ir7xS6q>Njrvpr`-jPMG-9@6x_pFs;>k}7mI1su$E@KDY zc}S7nZEtPK7ejs1>m`5r;rExt`Tmn~Pf?+1$C-CV=8`q)1)6z}_RU|tqC z^;_$KFtm?R=c%4pR1L3PJ6EzPe$T^nF-%*@yV4??|w&t(n+hA zhuU_|0**!mOfqaWlo=n|eBrH~l{G-lqq^99>ckT2^VFtS`LT0p3!$ei2hlwWu~?#) zA9HKL;cQwC_b6kG$&^W%Ib6tqH&lEZyqPzZujx1Mdm{aIRBk}spT&63I934#F$xTHf0+`%jy&aaTVLhd!!HuWso&jyTa|ENObs}b+YPo28 z$MImfxl?_lMidkJK27@v9RGPH7r<#eZ3P3(-o?~|x!X6qjFLTor)i1pBr4>q;TQuN z#38+>XnfA?-V5f0zW)0@&4`JU!I;c}gSPNl08*LT=uWb0_Y(l43iswbMGcCvHZCOj{h^VoQDoPbyU1;H7!I8uQQWt1#zGz)na2Z z*Qlk$fQj3^jQkTkZuE!svA0j8!|W7ll>-lZ-R=NS5Nx2YiKZSQ&QF&3L5x|x&WMwC zv+gI=)U&OBMHM1OF-BVDc~ zsA;MAOg6RRkULl)HWsJ%U+kN?sBE=5)xS(`*g<1wSiFt@2&3L@U*L;4W@^KQpOE&h zMkgvx?X=1v-^~ncqje$dIv^k>(e21 zQb&KrFdF5*A=#Xmc8&TLZlS{sfoc?=^vqKoZz;_wV>xf4gG$w5(2vOEypPMF%y_)J zZ&@#_A+I_B{@`Ry)m-85Vkd->SLJYhW)>GUn(nah4jvRn(G=iWI=16~MM2c0W=kOU z`;mkBPv@d3H<}{KxhsxCI7*4MqfekkG7Q|+CrK?<@?)9+;C3Ej;IuHM7uIe)*v60C zt7i$N8bASSb3v->%Nhp^k9&Yg9f@i0zBr%rKC_xn>+qMf1s?SXWh0@?(4c2( z?qTk~+XJ=jB+D1vfh?cPoE@yMV)|a(`d3+Yb0&))Xx}nk&Tn)9;o)78uwrmaOS|L! zzU%XQcve;gr5%mAVzO2($D3oUFtGgG(rP)Da#_mh-$|koqRT_E)x~(Ojv_lX^}8{h zPfklgjHl@wAv`|Zqoif;^Y?A}>()Ez4ZPT$3S^?MfD*@^Up^?%#}&}BT{!86Bl#&u ztP!ydtS}?`SA1Tlj`M_s8biFAns~Y){1G2;2dcKf0X?W60)oV;zM1;*>A-3@r}*(J z>&TGl$)=o0HOHrsEkO;JhErq#uB*(>9mYCfqeZu~q*S|6U2r%rdLr|BC7ceNHva@w zk2_T z=1^x)Pz9h)5X^*@s7wOmHhq0bwB@eLUy@nt%(2kPCZRm2tE}R45F~)f6|xIBAB^Cx z{~)ly!E*cWp<2XTsjFy+4%ME9a^UO>K`y#8E&%OT;lygpc8f*fQPu^di(}Lsqd=*F zfRq}zi#EE6q1T{`Yd ziR<-RX;Eex@0(~7OWI%3hI(qFz@yc+jq9-5AH;f(#A6hVt<})$NCc*@)X=p5fpK>N z829z%Ztou$_f|Pg?sPuh5Gr1gOIinZ;KetX_)^XYN=$%j-Ofj}(s|P|zFw?8uy(9A z&d2*5_Hhz@EN;>6X>wB-EuqXhivC1H;vJEEa8H6-^&+?BnHQjQYmp>5^pq0su_FZ2 z;ro%Kjg#vyJi}2oODgj1_P>(Xt{*UklWcTPop5CgFS~Q9k6{2lE7f-R@>Cq<}U7yU!Ocb)Pf2aBmL7P%EZ&B?|lidVHv>CJ%vPFLf+AOgV$5OeQO zKid!NknkU`n+U=M>yY$pvnq@0WR+Z^6>uX+*s&`a%W=zBwxXzLEH~J=szYwePWYUT zO{3GR%`9xsRoHFcTi(KU<5s%b-#sHS))M8F*JK)VqvvKrsZ{kIY8vv(zhxh6=f`oo zb#`W3FLy^Xo&#%;+SKGxNjm{9+0D$Rbv>zFqhkP$p?*e}8VGLI@cIBk7X#2*UTN5R z^ER#MrX)6PyYXP<^Nw5JHu}Ts2W*db{eb>8a2ucQw6-wSt7q*G=ukZD3-7dMt6A{l zc#78blj2*%q_zqD1`WZmx(j0=LuXhC1N$}{Fe>1fLmkZD9NZK^%)cg}=c(txG3cxw z;{6-rRgHn%VO5STbPRrxqbYJvYlzT~3*@ht=HP6j1Co*Xf@Yg_JZQUF+ z_Npie?S6JEKm!JMNX@P<-6)Kv>oLX%+ct?e^voFxSMYxr+~h=u-2J_WGgYkJpeLH0 zK`=zSvYqXV-C!ZhPXpVZ4pTOO!TtNC#x3|i`a++7X0X04pv}26M+EfHZYsSK&6+0c zHku|$G%ZnRuPo*^{eF;3)&4#`PF0a#0-u6M-l&xA;yg2C{R|Ag?AkN0-f2g7_W#g2 zGw;GZTb}F8n9AR2>bYOb@QT~~gFP)a~?l-5~% z3_7W6Fw^$+bWVs`4^^j@u=M-YsmyAXME(dgn*1-L1TKhDP>oLENKYaXlcy}OE@q2NkZa< zE4aD00~DrN+`0Er3h>&s)Pj3vZgs-V%;>`)z>DV zX6nNv%diQl@ru_t7(6f#ZizdbgM8~h{Dn+hbZ3kLso)?$UN{Ku9N)S*ulm$u$?OXK z%3c5Wkt+HTyUTDlr?W#Tf7+J3>Y@q7$HW>qPYBSj>M4^R$+Ouh_*kJ&@Pw(nL-bMv!%!j_Z$VvZ;L(MBXm(Zt zIE2M{8`QC~4Shdwoz3}2Q%L8ZAf83;)l4|0DAqa_?8gaBMbo3!s*+6vD5!Hp=#cSS zE=<~}PF8b;9a8UE-3PMjS$M#7ynSc7(1>fi(yNp0?eUHe$b)@6P5zd$GFA1lz*eu` zCe|~vajw)VxXQwXXl|G=>4n9&sjN8$-{$PT*kc4J8b_UF3Te)|gr34u;tDKi8uT0g zjG#VllzpRm#540FOklAZmPeh!>`WR~hrmnX^U6qUu30i^o3aQs$Ju^Yy8Qi7F7r8L z<=708oo>-+;9|tHa%-NQA?(kk<4Hft?Wny*T#$@D+leFctAkvu+631*hyH^U2LuM7D1qIs-XT#OXp!8!nU``>+Dss4|9RwSI9=?aMo1OsO-Vp0iZ7dr?u>4g?;A(w z1HYT%8+K*Wz}@5tE|KqFcHbrUeS_$FL)tI^?&6vnxD{o>-e*zZrS_7LU zE!@)8kmG~*PXb!p&8Ii~`}c=L=eh90rUuj*jYPP3wkAn*EYqV@IIN$q_J>#Yr%2MD z@|RO~zL)k;K-P8=6c6K4l1TW@?f7a&M=jisff8H;xPh&+Asi|%hV8&8MaA2*3r@0s zG85|Ep1#ds)!vvO6-dXSDS?PNZ^l2Ye(o+GmPRF{I{w?bPi`|96Wi4udbjl$)O@75Ci?Zf4iF{BkJaJ^ zR@Pq-*!Lh-^vexwWu%t$A>hqWE!T@X@A?%0_}mnaK8^}wmNVV!AZSDPEo^76oG(DikIH*xS`WcrRF~& zT>>SA5XOXZv0S)n*pExOs%%f($cyum)E{X zkoO>~)ZCP6Md<3cF5X$kC_rTne;MnSc`Mvc+~nrvDWW+aRQb-=fAfAwqaR8o$iv|5 zxMQB?MN%_d>tGK2)wkH?!Gp5S14!HtHs7Y}0b2Js&{cmbU1aK4+`J)0Y4>>wgo7F^ zNc9{e{FDOubXjI%I$OLP0o+vB5q(x*}Xn$|cqbQ$sirE5U+)-2utorAe9h+`-sRtir zNMXrY#YR7;aL7Vsl&e17?@vO|Yi=eoPn`Un=%PvDsnLXTo`@i8xQNmy39`mcDv0~r zVT|2L-RJ2BkN4Sefd0w(miT~|O3;~g3J2S|gs&%`_3ut@lFGjakR%A6Zssu}USQ>- zg8-Iq_>1``vR}zu8D$*|@*K0FNi?m}jd%GK`~J33>Y69Knbeb@wRFgtDE z?RBz7ik~)uIMd5VlM|d=p~ja0NF|3!3F;H~Ke8|{099+6D7yTWkz|W@HUl>Ym3;!4 zUiEQwjLiFcuvW?%ed+rMVAfBxB}P*=&w}uZkt~Hfjpt75Jwb^H@wo9b-9%@3W7Zhc zBweaQw*Rg`nOX)$`dk;%?QompcYNW6gJU5<@{h)5%zLfp%wy+6Oi;XI4v*U7H{wmJ zVhU!CYR?(0%WRF9TU(;(+1;Np1cJ|6uH?HkZQmcYH%(5$p{%QTKo3VilNPi0c+w)c zk78tbZ4l+;X|mB{rj&FM%?jjZ&2P6wmX&5?ytz@<@j}9X&zFC8hTQzow zh6gKLMjpiveLEn_5dgCw51|vQT%+_vT0>UlAPD{;47L(^J}#k8&khe{^mpQ-y7I)1 z1UmMQQ2MpOXjT(OBi)%MRF!^m))f+A^&`=8RQ&mAmHpbZ%F*23qz`=D{BrD!j7kuT zrUK@RylOo3%$tU<7sFfy@9|m=+ipQSoz$*GVptgB8nijykn_un8Fq)v#*?z?F)=Be zM7|I`2q-lxCG1+x!b6K2c8y^Z-QjW}@4)m2+U_LtPmUPz8Q%_U5G1SqnCnA4zP8F4 z8u9hBet*N*ai!hg+pSOs2$ka;;PYJZkg0+BykC@8*iN$L>oRj-LO9S$ZqRTW4sRhr z^Z$Oo%tj}xsKz}saM#f|PFq#qK3Fy25Ypy&8Cm^DcD+-;VObJ6@hRc~8bj9cnYrz+ zzxf@LxOWX`{rkS?CojNgrO$2z=LzD=1w-2k@R!ehqpgJus^932{QN-iEtsBn2Mwo4qKgFfyUulY>6H*-jpuv(%H0H#YZ`YRhQw32JOy`mQiPkO51I!}5kh8eMbv*NDHW4JhsHi7;};_F5$ALYbce z^3gA=GcVO~4-W+$m}P9$oL#Y#r5D`%nZuV2MCJCuo?@nkggN zJtLFN)8pt)%Xz*^NNBC5+Y^& z=bgVnVZVRM9f4}}=2-H}V*8j`Olbu<&xhXz6vB2P?`qw%eXQLJpwAsz^v$a# zf`cDeEt1R?W!dWrF{UMqz%Fv=%qnl}_;dhHYFNZL;9xNa@NrxUI-*V#3WFNeBYD}l z5<2-VZY_%Wwm4Ld-_xW^Q%o+TpA2=IB&44#hny_Nii~7VFr$BJ*+^s5BH9l)dj#D{pjtNuYtZ8VVJ0 z;iuRYYn#*eJ}sKASQ*<@9>Lrw1!K=}U0zI6ZXa4{nU6)1jopI%Bg9>5A5^~RVcG`o7ND69no zA|~W8xdagX+a_Jcw6_0b`4BhEWB78wVMrL!oZ4Z6OxN<U`c;(^ zo_)$)3Oxdr{vvo19)!ovw%K$ zjsk@!Qv*jZuoW|IE<71?#o)Ph^8ucF3A9|WX~X`*bN~6Jl-bU0H&E3CM;p6Qj@80T zvy$5cf+-j~zR=Q~cNM4bGiJBv_w9m_V_%}v;}GN*k!ezHY_-25UtN!D7f|9m{RG6`u0gzZPxN{*7>!i_rdq#$mC3C85m8;)tl@; z%Ww?5*|w!IUX3{7^dT|H1AC3EFgtWvRrSiqr#6*;dcGq&K7fBR**uSw!p$}uoS0(_ z5_bi*d6%dASAJIthZ?t++`FkRY;I^@eJwZ1C-jb|CcenpT{HDelw38o1I+H4iUG%h zz8ML9$E0za5xcr?xB$G%cd|#68d&EITHD>4sVo>cK4A(~M2aF!YP(d3Ou(N6_fcAOp@&h7V@Yj1wN@~lerdwbzf%C7}_XzRvG#OY){ zgr!n5O&H7P>|l0UKsbqFAf~i*=|PCN6{UWDd%+!)W7X70mMwMF9Qoago&HqeX;Iim zd}Zr}7GLGogusLX7u3V>)@9skw* z-cZbV&g~M*w_UUB=52E3WIRE_l$NqGpYIu{A>lRyb`{FB;F(cHWS^eH}}IoTaQpfcs-A8w+_RI zFguBK7T8I!Y+04)di@INrw(oJW7aQGCWzpD9{c9avc7Zf3UeSjjp`spf%Ys!z0@u)P#2Jq^kCgR~6NurRjha*wvfi>CSJyl- zI{tcr@vRRn3#~pS)(YYdieib>8BtP24-&(kXqF^C&iZ9(*h|4{pDP9en}K322i>+XQQ9xCjJM~?e%ADokL-UdpTSvY(p2RrJ@MJ zGfI#1Ycumte9b1A;0-<8`P`u_{d{gmCh3!GdUeOfiCYmgA6)--2^aoz=bXw3t}Gd{ z*#HIW3ccLEzBU_mrc^iqaqgrR2|9Et!OEXt3}zoAu~rsuSt}hI8fFTlix!+hb_va$F#3;#E;!41h=ip@M%X%O1{$t1(55O}rMz8@U#=Pl@q2w%m!{eVm(y*2jaE%COwziC?Q{{@P7%FPg z1b}XZI9ewiX#nW{^6b}_cy>5O`e;VY0OzfaA+hP|r*PMFr7^?d27>0=cOz|IaNFY= z9YE3p0DpGI0O{6B9S&7rFRv7MAmT!g@G2C=4o8 z^0pVWQ564~6ZF1M7QG9qzjszz+lVnCXrC||*Q@=st6RwLKD(MjnB-soYz069lZHhK z&XU~G>b!y3ejF@82yY70Tjj8I0=`Du)mV49LT%~64gHzf*K+`yVLJbDFHlbtqg^AX z&ofb6=2ci#CIUg+ZyzJf2LqQDBA9W-ZLJUk#+yK$z%kUFgc4;;fFF&MzlyW)UdRed6k?aA<^wv-a%SN@^D&5|YF|}s3XpU$0YSchY z)nx;cry+^DH_%0((U8?K{B~&D;9)I(uDOF^&d9%f?hieqUu4Js51)I;Ti`iEaEkMJ z1n@UoP_amW1|LNgSJ)_mieFsJYGP#&*X$H)0)c?*RvT$`sqjdNCv(3PLMM3?z`0EG7 ztQ?xM1{rL5Z*zTG{hcoSvX<^}4dR)owradfH}&J^!C2K7xAn}uES-({j7�W>zI3 z*`9ZUsPR&$d1nFGVE_>^A1Vikh^7&6E9x#3(K2BW_s8oqhPW^=hG~V_1BC0rOhAI# zp<62E`OrP9jFc+k=QPLAxgEE+Nk8;%LYin&?Nqzm>bsFGrt>)XUvzjairAlxNh1ik z|CNJnSD^pUxsS?wQ#L|=md=^axoT{cII*MMx87BbKk=ZVq(C(6OmtU|zxJT~$unap z##PfY589BNjz7to;ENB_G`IL{-hkbL`n)u4a6ia~**=SqW5&TNo4@=`RcVeEZg8aF z`H*G($g@1LW`e_G=^*Iiz>tO7+Mg8lp~0B0%Ai|Js&t#jSw2}80O>;P{K?J^6rHJZ z5Qt+1>KVFBK^RRh*F}swzWV*fl&_U=C0*KLKJw2t40)_q?|kSC;d0XZ-co#H5+A?o zZcc$_ajMTZ^_(YZ8vz7V$gOz8fCO((_$9`_f5uk@Iu((?exj_E;Bm6|Ev1n3`MWGA z0ApW~oPYNOcM!L=B+IfO_tgaR20~S^DCK}Q+Kt^ETGCxbNCy#& z(_Re_s&Zby@lK6{_sVGV9u^OrmaG>P)4+lS!7l$LW~lTg4s_Q0Yzv8zqKg~$zWM3@ zAYA7Sa)_XnIh9#@;W^g;5n?n&@*BQ;=T$zEq{vAlwRKs3z<(h2jsL zN9z>Mz}4pVP*N=sAK5}?2VbCivf-wgz_T2)#GPC(YrF6Y{qH#inbx=%G&je?v%e2) z!1=a0?yu8ZTXSw}R9m4!!0iK{w5hlM+3(i>EIoE#bSHI|x&qnR? zK$h5-61pWYI!u6OomxDB32LYW#^5@6b=6al9JhK)LSzOo9N@>=h&2hu^{0VZ z`V~S|QrF7(vu3LcTPxA)Vw0>>Sq>+NXoaFKj05WKOUa?z@y62j_%EUJMcz4=5$eYT zb8CQ4?NhJ=?VB6u5)CopVEpSSuK8R7!$d$)_#7|du;UGF0M!qD0!Z9t>lM9j{r`}- zi~b{VN2}(V&2fBi14;7+^Bez?xFtp6aWH+7kAx@Kg>4}F{hffs?S~<8n*tK|zCLMl zw6)&*uXUsWl3M>u;;sV_H>u928p_}S4wdDyB1_O147G5ET9v_*BV%DJOv*4_w^!c( z`KCuNaLID1e11dZ8I@rze-SMI0tMaU`zCA;n=OpOo}YV|x)MBea0Ej{t_#f)hQ|p= z+?obnD}coP6Og!RiM+XR1^XA<7A74}t93scjl9|yAh{6x70eGv+}h0CQf);#lSReT@NVn~QICa1m3yYi^+|yvwnS2LEM&^w{E>klgk^)~J z^R*4=X%Q)qYwdMEoF&x|s|M9E7m?mguuQwKorAzoL=OBaTY2w=@g4HQKzeVF+uU&P zpN-OTTD6>YWe2?G%*x(DJWR4-6;?*nr$2=@G)}A6nW$p!^*snzDPw5do`OoPs8XTa z)%fY!dSAxcTZv}<8`--njO52ik)Xw6|N&D|bFZT5qU=P9q21!|=Gp}ous^@%Zo<@-!4(f0Z&EwY$@ieMZ++@dG zoRWkTt;X$Glm>-eesVpd&}iG?7?B6Uz8=TROY@AT19Z??u#Z*J2Vku#Gh zxFv#JV8yo+1 z0h|$vx|2@((l#VL1Vv6rP}5r!^;O6?@b-njzuqf4G}@X2t5E~Tv2 zc3wmR4lbh=nG=N)YmxP`s;tj#N#DuEC+F!$CgJo3uD7FW2IOowow*q6uFh#EI z*~Q}8z#)|NgfqZy1XqL%fsOwihvs0}|F}dDtbL7CjGSh-c!f+R?=uf#`ql1*sJ2~@ zbd4H`8D_1h#PVtP-cL29i2g$*oe?In!C-Zbx+DozK)7PjcD- ze*$)%Ol6PsxRc^Dri5ATnt4SXSe9!|Z$!07@5-;ZZ3D*vX~D}osE*a@2PxHk%K2fh zu|s@!N!NbxlASaGl!7nQq&g0I#T{XIP7u`TxJ&A+B~BK+{h7-7J{!;fqwTGus_feR z-$x8YN>C{YDUn7%qy!9d(cK*`x;sP!M7q1XySt@3BoYHjT-@CEob$fodwo9&_!0D17$oADYmTn8@ECj?Tuc|4u-30#pmAZb%*8M3Jk8`| z_j59!Cntz4=q z^I+>xZ?OIH`sd)vPIG3s=2?EY`F7hL^jSkdO|0>Wm%~(mR?9{eD4R!z65`fey(HGx z>XA(;@X`Zp(p>I>0ay0hvLzdzYC@kA*^&ehBX(K|6FWq)e8Etivgx|HUou&dSyeg1 zAh9Haf&B&Yx@a9l+x5XJ z;|lu*%*=r`uu-!!yjvT={~?jnzld%HuMpzL3tWsub81b~H~;Rop&l@$tw=>Ybgh-OqE^9lZ(?OFcA^F^tGt~9(3XCt`axNd@;OOTgr!owW>XU?ueMIf zbH=9`zQZJb`dYF?Ht4ksv9){rU3AHj(#$avkn{b;z<9T!=}%#%7Q8PH_Ov`;=!%&> z7ki1fS5!qti49(5MX9Evf+m~+4%We~d6_|D<52vfO9MjGH1yQdNDWsdbP{6Kdwd@% z^_7ehIZ*1aKsKDsB=8PXs3{y8_ZXU>f>Phs75p-;2Azk|VrzJvjR8G!ugHS#;z8MV z`wTFnsKZQdary3mnLxe885rrIEzZlrX2Lw|x!;aZ3G4+cg|(Lch<`Bv2HCQD)T4}e zy+2uVbpJ}|z+qask4ucVq*)v)Z9>xljS^+w%qxAA_K~Pfqu3SYtqZWsP8d1`qotBT zUKr-ozT&NNl|od8&S@iooH$MuDT|rHBuff(%GjN_UYCuRv%8N>Nd_TPtlR*wLs0t7czYqP5=@ufdd-z0tPi#~3r>|W_R?P{>#hp6b z6e&`oN?p`@S=E+pG|5hykR`6B{aY5-z;?rQq$t$w&BX zD?j5}f>QyGM6=KxUSdIxyw5-6=*n9IQNV!}$V1Pr-5i1#dNrCT5)wEgV%kxgNvFI2 z;fmmKKNmv+#@o5}#pO|pr2wUh_fVL78XT`X+eT+vu)5BvZKK)wfs|l5i_Q1@XK6&M zc14FUKYW%t4yJe>KjuWI9gbsw;DEm{yTfQ(N#tfOA(8RlgSAaeRedm zTCVLH$@vebdl=!8aIghAWsI?i*+vwM!M$3 zQE&!Q{-c$qeRyu+2@aOP)hlmjb(do~H}~Z%c4$k>E>YE68am;a^i^sLq9vx@H;a{n zK0CZl0ksi_1v^!y*2&T+2(3hM znQGxLztB>kUYZU_-umZILjb#XBQ*&kIt3~@(IZ_+pr5Zh>feG8`81_rw&@MZ8gs;l z8wW?KQEs(PCQc$0AbGSJHhDcIFp|tjcO1*UXoOQB+E-_Ct&9WytvhMg%H_m{^CHT& zZih3{!5=}ea$@cMxjLgy zNHO$)zbmGKe)ReSupmR36&aHOp4+L`p{$}`1&8a5m(l^vyG@K-f@AZd$^9-Wg62I| zF!MVMHza8!&A{8+~8&=)m0DB6dtkCz9u z`|tPhaBl#)NLNb39)TIQ2bMUj~GqWqgk*p`9rlZG%T!>P&V!s-Cmo zhXT?q*sfJ&FQAFnbvyvtT{I#X$)NVscKOq6lQw3}lAd^FK+y0Bo zU|@%%mSs1g^mOKy8_=M+xK`rlxVTtq4d$Y2Z0a4*cB0uq%=HTSl-9nb`Qd%W8k2Zm zb&6FCY=@*B>Fv=7@?qgI{+{`%!cAw@fUGAs84`&FUYI1N;o;lY+BmCZ-eu~d)gc#@ zQ`w)0g;xT8m`%G09eH9q2nB>o`91Q?eB)g_1|e1IvB}4VOZW4<%4hRBndcO!=5Y$k z74r)BJ+I&prQRz zyB+8{;~4tbR$DAVvsvC=prfFE@*VEAW3gw2YPZhR**)VquCU8$W>@s3P5@#rJvAk$ z4M>V#j0YZ&sY?cu?_c+vbK`nRX*0+L@NncYD4_s4co_pU;IiN_Da{7Om+?(xi2chp zPQChoRauq)yq#A*=OfJs%I$#5pcxrX44~St~gkfZGc3 zXB<Xbgi)UhaPZ@lz zsMQd_a1%Al8M|x*Fr4n#`JJe#&$%~*I6O_or-C?xe3}Uih(tuo*U-&YLdRZywgP$wzr7^al}K*oWGxaWM5?^a_pKJp?NYdg@AjF%m)@ct7~Bf80v#@7;h3_N#hf z5+nrk?-*FHgnttki-m;Wqe1-#{N|30{e{##A3LHmMJP$&@n^swtGpzk0g1>U(7M7U zh2iO(pS#3?PAEWSDqHpF>$5D=x_toytVHJn;mz5TIMl)>w5-TSvW7__45ub9XcPVm z_QTip&>TaCdGt-ii;80O9Eqi9a{vZ21YN3RE))QEd4Ie<)M{o2Sb(S3M?bNXO!XYd z-U1+Uj+Jg=p0F`{h#&)ILe~?`=b;AOgaD<|{qf5H@xhD{=LqZS)q!$I*FM0J9{GO( zBmweJYAb3K_q?)^yq{9o>o}gHM>nHL_@V#cbNI@sGzso7YBbd83N(!o6Vm=0H#(1% zM9TCW3FYCFDo}jzw9>W322UB~$FE+Gntbkh1QXe$xE-henGwjKtcZJ)e*AST-JT-t zvL!()SDJ_W&#jhayVI{lqtd99MKnG6fIe+s^bFj3)$2vvM#-KC`a?hWM&PVaZo92K zmJY!!2VICn1sJ*dZ}uTQdMSvpfgN?v5F6ayO(AND=PFvP1Bq;Y2V0+P%1L_?)z(@6Fr;%U^G_;an zZnrKrOa5=+FNkHxB(rM(=000u3-~1;U8nB_L8)JrqG3OzlI(ZlRVDNK`{&bj|10s` za(U4Gj1|Juk*LESBWj0$W&^6YLdD__Vo^-*)ojM(x>$67lwki9;R=sPjXQNEc+~g7 zEk>X|it67c!)z$BQ>rwvVbuQu-lst{Q&;<9aj%h(Xakz*RVwJzpix}^`uczE_y1%? z@%fV#-Pk=E17bnM%GAC2JD_fa(6 zlSA{UcyEmkr=qp6WU;{{Pm^f9DzfpI^gw zOof2DdIQI<6a-g77W8)f2hm|b9-oyhley~2qIuUH_{qON-kzS|!soC|s{vELJ_28w z0F0;*xH03#jQlf3_Z)2e|N2q?#KQoe_8SK3HcaaG1sQ`7FM9~#fqI}!srDHhmu78T zM&oogpeZCLeVn7FHeR5nvaOrZ^v5rP835(3o^&G8P%0qm)IJ9GwYi?CxEET#wL0Nj z(8;1?1V~e%9XM}#c{S`Op%yG@%AWBb*1 zn6FYPj*iEa#9ZE|Ea!xjE1#cpVxxKg&u%^NX^U8s?CNFR0p&nheDO>b9ILyT-v9L$ z`h(xEn?I>z=iy9_9BrZlP!PM^PL&&lJD}q}t}tKtz$+ew?9h}{g#eBMC@g}^ECs-F z=)MF589i+QZ6Gh%TP*uL^a0@uW0;#?Ax*1LAPc@)4zO&|#dfi?dIX4pEmCzNf^vGG zI8O%0oiG7daX5l51oXBi_I04aW)bSR4`w?t%SXhyvcZ1M0Wv08U`$LV5#CPG3ue$1cY~W`*53GKFZU9WpPmv<&RU+Jq3A|JR1~~^*g?%UhAZ=s} zl#&jHL9&4X&xkdZ295$suyWudBJ~bTvLRZjUA6iTn$Avu$@}S7`9k%444yMho4z*_ zS)fiNXi_#Lpf3yX+XOZMW9N(Cmf#4_e&i-R1KNXQ!c_5Lp>4XHmdiq*=xUY?VW|Gp z95rdp^ts`nn|ADMf2nVt`xZFOr)qv8Tm`5uR2$I8^i;z}w;F;3bs}(0G}8$C{|!8o zl_U?0NB%kw5OgPnDf4R}Ly-Y;^*o2_Bwkce)JH#k|M(5$aR>e39RF(;$4A&%2oHl} zfRDEqsMZ3Kdo*$w;#6zaWbyF`2AJ5LSc7|h+?tBh;Mr6B3g(1yd6Hl@NM`a*CBluq z7PAsM(oy^J*bG5E2lLn`rL7EAOzK{(J8i%-zR*p~=_SAd*Cz`u-$B*~UKT0J;2?m{ zH8xW5wrKTU^=RBMkMdmrt3j|jw5it8saet(s2G9VkH9_If>Oj4Ym#!(p(bB zlck22fz5Z;?hLdM91n6Y5X(8EJ_qQP5Dc{&2U1Mi!Fr&M{E+HL$RX`d{EqWTSsqEN z&4}QRQ8mIp7+Tob%6r~r1>Awp!2d#jr1xVs7$I}#g<%O2E?kbB$O_i$#zUt#b#DIf z#+Hmn8U0D*PWiL~RGcn;p&P&>oVnI@+#*yW$(ts7{}cImo6P3 z#XmTKcTTsk9zoTrs-oKg*cTUGO&0$0b6~nqlWh#{yua91}rr9^f^OT;v-Td*xfIt=$22|C|o9`FH-vSR5#eG$BImE)t&J~YJ_``7tO*{fj z&w2&O;uqOq{p@9Q`xCr5Sn7}Gnm8Q^g=hk8rfbv7SmP8Cz4=XCnk}Vr!|=pZDB2Ek z!6~Rl%y2(DRUnYD;OhcVAsKb*n(*AI5Kw)*K0U%mj(q4(hu#?y?$74f{BQULW;W{$X;No=18Zp;fi4ZN0$P$cv4PW8^ z&y*VwcK#>7viJbrxIz{VQuO&uZcx;6Y24TtO7#X5u>z7Kz-BnR$#cvQjb8Niig$pl zfV4RiJnAJ}J3!AnyMeDq1Iz)VtuGF}bK?dFc#HInD7u;tn}V2U2sWsb{u(`>;_e?t z8z+550b5qO8j!Sd5-mYfUK*ik8z^4`eaA8NV<3yj2BnINHKmh0mCF7nm|RGwyK{}Y zDd4p*%9v}n3(EnsGdB){cVP&~1WnmPpKd?Tzg#)4(L%3C5~lDrH+UG?Eusxq_(A+XTA%;VwVg!@a=)#lbs*H!KpZoM2tAx1rxu=HV^XVl z6C-d{WnwQ~bGsNx90hA(yQdO7JYZ|_*6rp>7R^2Q7WfBb-(0QnI(0O$clI}G)zU91 zkIw=xQs9sQeRfCF~U1B^*{?i;(mg96icNXTB-NW~Ugsa1sTD@Q>xjzofW6p%(9_oDr0 zrS*SyYQAv)LH1YeCjumeFcBsEKfJ&ZOWs}N#a|!i{b`fQ^6viOW%hT~LzV!PDimS_ zlt}(JuKvdhP_z3XNlyFz4`&XDQ&$oS4gggsfu74BUx?rXX}*Gxg7$-d-o5{Y`_7k+ z=n14l!;b%H82t~I;s5==XFUY(@`8tNO0fU%%jtLJFkAri^TIQv#{V~pOG#u82On3F zjs6t*<3%~}fwBbd%Hi^);L2${n?Ttlf2z`KSIz)fL;_hyL$~bMZ}>U#Ti2_zl#=6( z5kWw2WM@TKsihf{bHe-sjm( zPHxY|I|Yn_^cpb9@Z2U=qDtC2R-?2VbAdfFcS&SXO4z1r410ja=dWofCA8FXlWa(w z@*qpKB@Z7(RszZSK~92WX*lPG6J*-bx+brVWa$z!ABz|fKD{7967Iz9=N%rpYeo6{ zsRvPgvC{&M1xL)Fa&4Qp%e$Pe8BlPqxVP8w-0bY;Lqgg$@XjZVv7Pui8lW;R zW6|4RjPhk#><@*B9b8UDFWX#;I#EpmJ zD|gbA-pRa=SnzWiY39f`Teft57Igx;7xi zvNnKLAHerhw$aq(_Tq>`BfEW${$#)-Az#@fU6~cSbALdCTcb~zX*zH?%awer-sHzE zLOXP&bgdv%snodE-CXwclpZc8#E5;IVR}d%AyRox$=CWhZQzs#9-Ju*>E&6_{X+~ozOVf9 zpfBE#vXTgDhWtw}TH-jYMgejLo7R*`Ig96(q+q7{iu;mjx2Dc*@5qBQ8g3`Lz53*#H`29P`gh`G^>kHv?N$>9# znjmP!h&mFEN}fQZTs&Zz%9i+thp5e5!osM}xDC`jNKDYKv38yvy^rF;B;n!4%b%|X zk`8?uQt#-*Z*vv54{4_};vaw;AxN-I{_5k5l~02tSzwiDh+jDLn8ae0$>N+v{g_NL z#{l%bjmvz~cInm9`@1h+H{6#%t}xIGFO-af6UnrUL(1kwUWr@D?jHUX*FX9j{X6Pu-+_d#C}z- zA;4wK9$wQCUdwFvp$rU8zadBE4#Cb#v*XzE2r+E5-lwf+q$BD&qkMLm|Jqf2?CmN7 zBP-6a@>C8KMe9W7m8P%6IT>3d?g(GnR2;twIa$y(9AN07=Fm4#;tCUcqRBNzVNdtw zjt_@uwqC!8L!B8U*M~swq4NPL)wy*j9#W$D-hPhF;kf!#B(FW?=;Nweb?;Yr1V)ut zmn-lIw`$SERU)k@r^RNfWl!Y0I4-q9=&lPEb9?d{jq7cw*CcpYY(_V9Hm!4}qmhRJ zxbbJSbLRHFX~poHOp?8&t%K6|u`fKG=WFd?14r-lkW+gr?F3(vBwuV-H&+d!%{lto z8lDo_$q16zhdJsT#loW%yrLp=!$|~Q17&A5;~|LlcQ12e4M4SypI^P!)?|pi01Kel zbtdSzb<#zKd|CV+^(2MtR7+=PfcP9l*zl;b-R7u^Y|@eXd=>&{VI?y$O3%k$51mcF_^Hh0Sfln>TcII zHh>-D*|7;~s*hZwa0x72<`>(2^U>XX$0&0|r_I+FfUU1Q*G^UH)aO+HD`U+sm%#Y& zd`*~po@mtJ^+(OC&wml!BRcZHTp1MK`}*QD8eOtVm=ET8Q4+d+6b9-s5CZ9BBB-f| zHo@u&!KTEp_{e9SbfiXrF>Y_z6^m}7+CqjDRo&iPj)BGkTyS?V*<%WhM=ec(_{`CkO5;A~(BuP_!%aWaR^QSD z2P5Gw9&H+L-uaA_sY~-$uu>2oI#pA(9=h3IV|f?QUacH_Bneem<=97~H{Fl%Fz;TF zqIy-atoD6RPxm?|xY$n_w%#mDB|%Pbj2)ASeLJh#ckAdXZa*Bl>K~iyD^Vj<|8~{o zI8ZB)|D{=}!*jVTaW+heV9#e&FGxFAGSzc9O~;D)s71yKfsCL@x0i2=GlYGOH)US*aYx$GD$B=u-kErPb!f%ZVPB0!0ISgJNpaT30HqkqE`rqzT`kHdkRrdE3|`; zcCq}`AvKIZy7#akF+|*ghqQxFhU=?PX*yf?O1g%K^|K^QFzZaH+1Zv8h@9()jCR25 zikky3Na964TZD%6$%mpI`$3Sz_Ol$#0-w;YkynQR;2D_^ya!Us1@HUs7*0_SLPE%2 zMYdIo-I7X~W*_i|2|{O@ab8U)Q`GG& zk~YRVC!c6pD0i#7M`?}ZSWt>2`p38&mJeQyDN(PIq~}12Eh(n(V4c>R<6_N4CqPpy z-;NVS`%=cHKEUpwib;7m!UB8@7*onk?WR#Aw3mc^R3Zuq&lFS-MunVa)tn(hJ&dwl8C?K*f)TDC{uMFkP z`y9`&Fnb)rpP>}&Q)4sni2$6-iv_qogu{dR-&A|aWA81(DiyyO0QI9G=;k2atFSn& zIhRv8km;A*4vp|!ZlxC0YMUFN`^2O=Ux~%Ci6KVLVJWnGtwm+vy$wfna|cs#-4TKhq*PAI_tt!03*`|iu{ zxB@N+OP#@xfHS%ND^Wfbfd>Iw67B2k49}x^~l|7p{jrf&~LJ6|TBFZKnfE@t4py-_yk;ZV8 z+vGSur&2g;dTvfJYPpdZv+0FJRk^1W+7U97blMep^q(_ zm=2y~?FK8C@!AOL0Bn2nfS6*u=Amalvn$>nK;*aO;1T_3;tep2fP zw?e}^2nw`_Fs>K$b6{Fxr#{llb!gnIX5;0qs>WLI@ACQ!HKcGh607*c3`p%!b*SJ* zbZHx0IBEEz1)lBM9ie>76EH`LjE1MFrZnLiZ!$~ZqWgi_|5GdK-}&q_K0ZSXnLDo( zJq`Ji1n`ju8pjlTQ)F33+=?{zTLd5D&1v?fW%srD)ho|NV%}-~c*}Kaj)|O+uHVKjtQDV! z$PfS!I7I`MQ8H0(j+&k;b`|!KwA!ys`nNW*Y+AKf*|=P$qWnlJ6pz;$KqtxUokxG| zP7STZXjdrJ?^-Vi0wxnti2#2YCTQ;vOmr7iXX}0vBF3EYmlwP}IBnqe`=F*PGx+!n zg!?jDHb3Ynba2atN^y*U&ofLs{q2mo2Sy1e{Ael)t@a(R6=JHHL=Qx^30P?)MX1Vhf3UF`=U_wqDwN{dQIwA;;sB z|9!BdfhBFuv2=zl&IoOzr_!tdyt&3kS zei81bsslQpH+BeRdy3Y397S$4)KT|4g#E=q<7vX7A$r8*6>X)8@(16gW>cgn;3Z%q zp08-`f26x-z`6e1YfkYV7KYcJ^*?14O~{wS5mn3O;2sZy-vuZPB=Ed)HRy2M?JTw? z)Yf0q|EpHShm90s6-BYa%z!e9{pu#X!lWNx^sT`H_n7Imc&#~oY}=)j-sbpr-Pzgc zbvFrUnz&2l*bdZjeu{UUgeG8_9Cq~C6pdMQ=TXDsC17%wTP2l|>bv@?uS%CL2vc`% zCf<3bge}MT6Ly}y>yI?qIG}V8Xu4@XP8fQ^b8ypJ#N_5tgKqgXvcTM_s<*3mq3!DP z74Tmd3mYNzCS2T>^pwjgw!-HjD+Ctv548t9i?M7e*c8@*wQ36PG;^Od*H)3o@3JaL zZk4OdlfMSE+TyT`Gyy}NX(y69pk>f8z4CYiSQtGS_)dxUw!b=`P#<>2xAZTSjvrxB zwWTxZB<}!CzT%8t1DHQY6(=;K z9BDm6bA0nnn@I$Wg{O7#Vl}Q7aT}7C09vR{P2{Ma2!})qG3@Df3o=B`frsogYQuXU zYTDUzdG|gwOzOSty#{(@*~Y6C#(D_gXFT!^!PU>j)m>(`8~iG?>|Uojl`Z=md<*@h z;lfSsBdlwu!Ji5mBZ7E=M#xJ)=P|>UB850tJaT_Ad6X@lPM;Acx46>x*fIuAH$t0g#WNkipM<3Y(a9^iykgK;&km35bWHkCfYl~UE#v7u_in2% ztPVR=EZ|T}=BzDy%`zuQ?9et%EyOrDTWTO-@lmt1F7KiXCO24ekc5|^W39ICbN=jCkoI=DpW7QH-CQsbhj7Ab~+ zX_G~ZjmD2E>_c6jH4ggFzPiD@(oI#7weT{D@dJPsv(#N!@0Kks9?BP|eYaEF>tSpY zBCi(06PrOPD9xZ0OrAZ{zE}%mY(HSMe&+`rK9PEL3wQ22j+U(1Vc4})O=y?I^s$&* zmg;AF`TCY=QyZwq68hK;RP?7dLi#<@RxF0{$Gti1%%PdktMRC?NMM$v=h;3XYSDMK z^I*KT-tNwoFc=U?iPY2x zSyr7uhEl9D6=Gn?r>ZMC|wc+RuubsHXB zm?f+s=A}?>sIJF!b!_KbUo_u1-luZ;p1ji~%kfn87E5(Azpm)66LFII_1>FXN9lpK zjVCT38Q!aQ80j0kDqLIBJ?v_GZ3qf?PFmA;lj?6wCS_gfmp9|s)7dS8Q~8&09&w=< zovsR+85JI5IaZ&{%&n!7ut4)_Za0uETSQze!8rRx2PPN{@HLsY2XUUm-HeDz(C3BE zSPdNe#ffunP!Ppg)q$8s4k7O^3MLoK0d-%_wHhA86m@;zVDZ7xdt{GjzRL9CeTus~;gJct9lO+-8~ z@g7w>?NoPO3Jv>>6l(B#1`;Avdvc#UX;}O>D#!Bs-g#S69vuvR#Ekx8+GhSQF95k$ z>lzKt)tsOyNWPTT%vw@(4;R4DlfM7V8a1Ja2~k66RK|c6{z5o{jhzj$KAsZeBdZz` zUxLiR(|t$&fXd@=8V>FCvjQ2z|L-B|JBow_L(1exw*i-HihFPcR#ag~rXk?o!U7k$~~ zk9>8>q_&y&WSBn}hsD#UqGZ)1N!TM@T|Q!*-vY()Ix>TL9s8&x6fwxR^sUd`W_mby zuwzeD)0Kk8q7l#>@hOkBr`SrVDRDau6Wsu=Z&SnE7S z>-Q`K0-ihZpkuyy~3>W+$9K~J!#?+9dy3Q{Ly3C(OK5Uwmv<1XW7 zuncqZ3#mIb>BQ}mI#BEf=dI&pMR6AQzPm5mJ=4J#cExL1tlEML9@CDS`Ok1F zVu2s-XPf;3RFgJq#qU^FyC1|CmFQ?4qK@gPFu7SaPG`@W-u2$MYj3&idS##znRT`3 z1?dk>PgtYqQ1PjLiZ^xC6(YI>FMhgD5mf^?Wiu0Xs;logF=KTIY>FMAY(?G*)o zJWx_wbhU_1e6Xo~nb7a0qYPEG{~S$`fMTN#Xx(-k6$9E(ep+82>j)9%8TPVQTn?SQ;yXMYmzH@y&Ixe45H~%HKSF#(zu~M-!vA_+x2=Y;@zTb zB7dezTW?N{_wnGfkuxmC<*S!)R$AAasjXV;J5?S-HpbKa)A!@ubJdL<$l|+Lqa=no z{6OtHLZzQgKKnGks}lSAxq^0j3Y^u-b*%McsF&E)=V`M;mU5j;qN~PwJJ@ui{th9x zom9ac2D0t)kpx#&lO(PaUy19Y*_s{rr3v>%r+7RL@0SO&m5@fcrG_l#0AqMGXPuM~fFmKoXD0DM7YXb zu5Bh-P^hvS5uz+GI14% zk&al}`>Q=?K=pfF1A}F})w|aIl`k`rfcB9$m?zplL^-TF@kBVE_z{EauA%$+CGzHi z+?L3cn6jgqb=Rfq5=Y0&7KkGKPgV&j?U!}&EK7jk=R8@%P0g8-<+Nn*VeI3zBZeo(-n7@NRX~wKX zliTEx8lER2Wi~Pr@7>}~+*u2*1&d~i4nMePDP9#7r8!IngoD3|+Tx_^BJAL21ZmI# zZ*S+!E->~QCtD_bZEBeMz1tU0SYN}v4Hc$KCZhP zJg;QgJDVs#fL9$Lg*^bgF4-%aC%@U|`G3Je##lRh_!`}=75(j}hRs$N%T6M@HX8W> zNGn++ygr=)WCfc??E&i=i|o^BtP1O$rpdR`#% zibG5PLme#r5lR=5Y=5af?v|_Hl?L)WSI#_H?p`8}ue%OqbWXc!$MlbIf?G_xg;i&2 zD7skktDrmsltgBftJ2WpF6h1lmj+6P7W2!o{Qg#(8M}C7C}?OX%y;{pqvsUB~Gtd?IzDR_%MA@Th|lph*KK=E~+5Tgs$&guqc6TtztlpfW%~flf8P=@{~54P@67X@Bk3$aZMGJ<(TZd=0HUw&WfNcM@Og zmd(kB_+1v*6q`h9ZKVAU(!dDq?+`7!qF@?QZIina#9lK>nSaUV&!MI&U%?Hc;Z3^- z&<#q4kJI*AR(L+HbfO8C6~#;rAzr^KWWr?BrUj)13igev^(EtnC2pXR8b4JFO_ovYpa1Doer>9i5>9!jpMZuj_r@=L8T%qbNM z!K?57M5^=h1*+ML1W23Ss#lNCK(^;pJEtue0HjNr-!W3j@!q%p+8D$^col8uv*(ZK zd>OJC(t;B2&uhEp-EZ}C16G(Y4AZl}p5!kCdHLzLvR?A@?S^KIfK+S_nB4KO$-ZzwS(4g6PUT?ECDHRU}C}<2Ll~6cd zJog)30J_B#&1LUr`IiXz2jo5Pq#k+iLkwQ$brfv)H#JTKEz&c*)ae+$vVHayH}dml z5bm+hlCe#0^fb(>z!60!ZS&IY_S6lA@lILbh*FDzK0`~761{W`GHlthXkhp^!;mIWs){rkvjwC*k4b0v=boj@I1~VSg*=?B(#O39y~NhU?6r za#9mFJ0ElSh289V^S;W*{g%4@)Dp}Y^{eDRtp%{~uTmOep*axc8vl@5N%kowG`j`F zT!N?Ey(P|f8XoT-tXe6)x<{KFV?}1}X`z?A&y-WgUZYl|>7K~l|rC(C?@ z`uokhny-F@Pc6vjDJB>7;K77hjmCSOPRxKL%#MC5kyy|KhW~=shv$_j!$eV<3EB!c z=n4jiYx?oL2Oj{UqrF)%2hk0}AjPYZ_wv`k6;VzoLBe|7Bcgp6s_)ikAc>oE*cHhX zi(P%!s?|HV`vXDp-gbg?If?hIPL12}6bMe7k}#}5;NxMf>6pWZG+Sxxx<4O#o+3{! zs508SpW~sy_T%tYRd=V0xI@1ML%EfOFLkr+L^7-^wpsnzBEpd208l&L@oK_p&er+$ z^tW7IBP-5Q9ySxS4J|?+%%gdx@uh3(3!Uo%lm)A`emQUpi0j@=Exao=?R=R?fKIs- z-f310fF`+AlvA8IEKb0G(K&nn&M2UWZX~*a{zd~Ygm}ZDO^7IVakI~}KV1%T zhn$db#q^Sh+I0Li|D|k{MBI`Ei%Asyuvh6?PsOWv$6+r?Dn&3rAy&DvGCNn*<_%{FMN zgha-V2`0Mbg|_jWs5Ztj-IT>L>3uy}B`SWtAIZ`nOH>J84|iC;@y_j3$BV;d-2O|2 zLpjE)iPt%?B1*6477U1=^kA^)A252^?`f@o^81>Gd-FPQR$ao!B{c_cT3Li~HX6;9 z&{yIxZ{BSTj^)R|q~YV(($geKnuozKtLQgCArf*uG=Uv#pH z=Io_1J&@i8JrkAzA+#rKqV{{ug&Rl5pj6p|c5?NZ7R281VO}i&}Fo^NLxmo3Ek#7g>-_|)#JJ3RxgK9 zi%ue3!-syj>r?EHx39A^6S|*NfbO2_q>@2=Iu1jgGAsXc{1+`?W$bpMI;vi_&=yp+ z+`d31F^G4&Ip?^>+kxW!SV(27a=(kbijM^Gvx34dLx7Z~@c0q&s<$M&cj$aEX(swD zaD<~VQ+V!2&eV-U;MM>rY8*>N(G@`?$4!fLOl*yaLAf@cCx{hsFSL=u1LD6hAJhPrh#IX*(FwOnw5B&m_8O>ogL*#jAd47hRBj$t)z|B00 zOK6#NNL)<5!qulH$#}xGKIjU8aB}0=O6cUzOZm)cB?w$pZ%%L0f#06I7TStm9L>%^yR9TxVajBW*A zKG3GPj)c(>iZ{YU(suZ+dl2Igle;z+qgJpvNRg{IQtYGVVNAdi+prvnA}mV6AD`u= zHI)vYd7fG=8(lQ6{$W2~3FeQdy$c^eUr1XOlvWKe)zr4WT!6doD zfQd>te;rPoYpv{)`irXd;iRrl2|`2cSS9K1GjLxIMC{E#6JP>!6AGivo=)Os zaCyul#G?1Hwt79qx30ZLG5{K78nNj(7vu2jLabVCH!=w=ylr$#aPjJfY+s!E=aV(z z=!~(BkOT8@@?4#;?RreLsQ^YH+JzF%%n=*NREKp9u+NlRVC+V;{en?hKBZ@mn%D7; zSg~H4R!eUxQy;g8kApF>Iz%0$o+chtQsBTP`pC7h(`f^Y8eX9O&<<`Znma3L`e2w4 zw|b}=vM;aAumW=6*J8OYQ7(>g%oI@q;h~=@o4JiUT_zkPB{6)grfWc}mpfMEr&hP_ z=D-g^wgU)^G2~Fj=j0Bt@FnJRFDXFdPCFLGqcn>%kG10{_??7Go6uprWf6}##4IIL zY3u>Ty$mDH35Ot~b50k6nsR8Sej~#*dTxPHoDKo^V%T#(53|O-Od_1`gTKe$y3YF` zoj#m3C!12|9q0ohDuJ|SA@(aV5Micp!_9)FhEHlC>v@u@8*8|+4TCl}?ia$#?#?v) zmC`0eqGiCrrj)f(^ss^cG!CrQ5R={&E)Uk@lxf$v)HXta91_&f$}p3>jG0QUxLm8r zjxi&{njoc^PHYZYzl52!66*X6*kTH|UE2VgcHa^~q zgWbs7_a8|P2U@vriTBG$>I5ruW}jX)VLKQvfBu!$J%3TF2l+s0GF0XH=;lq9g5K4W zm{%X&C)<&D_nMo9UVTPW5*;myUnO?ld(X(2#_z4sE19B*uhd{l;KL2jEDk9RN5c>} z7#!|GWyG1!iPSz9RGVPrHYf5b$iOO!*1x$rhwW5mXvH=V>x2Ar;o)8FZR_cgwToAz z-uq&E^n;3b{u3A7FlN| zrh_v|(!sdY8TeMp9&lUqGbY`uKz%I-5f2MAy#?Z@{wQb$%XO5&{QbW=D7HqCm#nv$ z`fq-x>KuYTHEHS7gzt3{lIV5DUbD}1o@vq-uG6GDG$^tMHD1Ou zOSYPLCQ>_h$~p>6tJNLCs(@JxF>t*5RC^c^E8}J*E~`#2KbzQ9#tkFq=zOyx@O+$> zmh1`?30WC0UAKM^tZIHvLC@Zk#_`41n&96alz>tpigC#+!Gpe#+dCY8M}xw9c$F?M z;$?4>^@=u7ZIoR=d)qc|lv#)*v|lUj2#H+DD*1`?ng59e7<;)S+1J@(N&J<*$siZW zR9#fF3B-vww!&J;Yncw;iP0nu=NR_yu$2 z&m6~xH$sT}iW!V=+yh-(VBVDUnWOt^Q#ECIph2O!A|z8;;qn;%t^N2b#x*KztaZVT zbjuXqy5Q7=i8t1YIbZpR{)fge&oA8{+^EM^o-k_9uF$ghj3IDl@x242TsWSd)2{bM z#i*82+z9jmn~7*9y>;6qo7J7>4;Dr(I+GvK!!Q@U=mN<;ceQhC5ixI@Kirqbm^s8j-{O|2vkoJ}aP|9Lj8m!v0%sjUni zR1t$HP3+xpordx9dxC7xTXn@5j&^kCcJ#vtrQcxDQY5x$HHNJS@%Xlfmnzm-Ru-47 zlC;B#)@pj#aj9-u7j>b;6xk}%wlS+_{=&ypUF6VT;ds0d6SWw#>Q!lJQMKuswkk$B zT;TM^(>QtJiG7Ia!%ZVrSzt12tg$khPwfp9oD5J{@7@pZq79Gw zesY3@cz@!>kyGcGRtysrZZQF>=kh>`I^)Ih5@Ff+5zR_ihCiFLYOOmHumtK`ec2bpvySI$Bl=>8*L!|3Od>X$b*Z=& zYM1>S6D{J_GxKl4eB-?Uzwv!D#9@u;Q^IRIuc@44d6*z==LwI%yX$Tihy7uUqF|lU zKKO-pzG^wxnFFLwCoK%~1t>F)0CZb7=cyWZ<|$NPVu=b8CtzGv?l z$8q)+xLxaB*L|MHd7Q`Z@>3G9xv)`dT_zz~$m*Z=pcBj&+h9$JOj`*b%~R3Nu7Mtt z9gNs7rLf<{c!r+8jTWNU@_CE|z+@_QZ4$ypWiF?`R zO@ZlV@feQ_w0lTMkR5N9TN`CXKhK{?%XCrN;Ew1O&IDZVef83`-TfJ|WM*Wq`NOeS zK(HCfjw*Kj>NS3r>$LTdIJ}zJ9)VFE>`|V~g~2AP{VlMo%(<_uM-ti3*=;ZQHGKlg zKBLh-xjAj)p)~oRSm)ww=2ZrbN?qi@iIkzL*&i7XEbHe7y?R~Y8BjEzekbaH)>nM% zapzv9(6%FB#`@-J%goh>iM4cuMuBr{Fa`OW6fkAUDjC<~DGo4~nAQkw z+>GR?9(4z&LSb^k`+*Zrxbl-KZ0TlOU;^5`Y8G;?hu+Lqt3SLP z1`3h_G~OVZC~;u78~u4uJtPQOZz;I}-vI-Tz!te;F)4_1}ZD$utDXOpg0qUIhjc`9S3rValY8r-6+`+H+zPU3Pqb$opxph~#yz478l* zI=7jttN7}?>>8GSsrNpC-M!hpe#3E46N)w@$Qf~OM%0TYJ7Yodyx% zvY``BwPy?r;1nS_JXDtB?Fq+MIz&$fg^JN93yXqbJwSkCpQ!B$a{4X6!Hi7AK3+f0 zPV1@IVl|Kr=a0_rb62xA0*c~w&ValDj8m;EcYAHH6%OfJzj z12*3rLtR`7){tLjHDB_*3J@7IQNk4hqCID4hN>*u!#Z*G!CJE}wzQ(T$0>-D%=#B` zyb})InFcBVcA^w&ykx8^%|P<7%rGr%lskC0&|7r@#m#^=GN}|8;My|f4-_(aYwmNG z1ubyPIoj@|tedJR+DvDLIPjt>#tct4SJhr#=(%uit$})JBI}*&bg5Mj&5Lz9=U8T%u@{i9cETwE*4wN$WuJ5E$n}4k4?qd z@D-L35_(rpute4>t$sFO8rop?AGbg~6-)ArMR8%b7%`Dk4|I-o>=mHZKH|kz&>yX@CA$RM3bGU9Cy~1T9rOtA90#iW=bLr`Fq=e9 z=odO*Rj1gY5^h7;VIP4{0qLE~xF5LEdcFKzkk9i9j5?sI2`X>qAq)jj|oXw@qX%p~%V*hUEA zePvU>;M`uo(IA~qYJ@n>ZXQ08bm;R9ejsdAF(A+VHoV%z_HGah<6nf=)sf}g{)aAh&+Wew^m0nGU( z$shY-xi5iMc`CMgFx^M_&5!FoU#vqxE+3C0`G#UvyEXU5eJfPZTuH@mV3X`^YL8B; znVTG~k6e>b52oVBw-h&3MWz!PTgR3QZhlQw|6%7WjZCy&tjt+iYLme((BXEuP(4`~ zMr1NIam?FL5vE*MVYLGC62Q_X6D`|J8C#Tce4wF)IkPi^rHymiQxfH1+jVy4FCAJ< zP4fQP{?ertlDBXfw$=h^JO#V0&p_!`c6I89#glIhwuuO zV9)jHR6E{sghUK;GM_1aW!}FG!z!cr;=O9_k_cHtap0zf4Q_XnEi@Xq2lV%{93N%d zVMgs=Cv@$iZ_#8)Rb3Sp^MiP{E?VA^CI@{WEY&lhP*>^uQflKnh`jIP5J7ZBtxx4h zr!J=+e8}6t84{mHeHUhx_35f1y1LXE!V>A`A>QxDqY@~qtsvn^U}`#l55E-x){sPJHT4$;9BXje3X5m zt(J)I8yw7zEzDnGR-5tB;8eRBBhHZ8Bd#n_Z8#TAdhgHkY4c7-+*v^#nvd0&ffKO5 z^i;vOl>W}U=NOieg%iUqp$*+#BRiR@la7E|t8L@87dy(x9q6&A5-RFrCIjz)yM`RcZNcNeUxn-K+VvPa%P zdzz8?N(lt_*eD>i=6J-O6@*s|r8l!0j3x!52j%dgqz*XvGN=_6q2YUTlU>vVdS?XsGz2rY&c z;ut4ruJjijtaFe%Av$lK;K=Q&v-NwFk5(Y5UQVv>dwuoS3S5O8_olbcAQjN{=O#-x z;T-XHgcbp_wGWb}#bl?s1t2E*B#`HVj^f`brDMarPLyEoO z+7dwjbY@_-hNbV(k|j0?tJt^+MYcuhT4T_gT)ZFSCinIgo+mZYZJ!+WLq!MrQjvcu zOx#`5YK5(uaSV;)SeUIyk~v}J^I6Oem-|?ugK5$v)4I;Zb(4HJlg-8;;RR)?sG(y*~VHYD)t!inWg%#mPjz7oIf4G3oa7%ED8|Pcq)QqMHh5?;iHH{t5m^ zzEcb{W;fC1Wlq_2Cw%6M$6PU0vH4ejS#QCiN31<9UnqmrE7q+cK%l@vO*d%Jhec^? z7Hg1QZ>~;8pkRRRDZJg=X1isNdEAk9laDwfk_kg1MN@u~DGI(8rSr?Q!}z0?5x>%3 zg7=ofNS}aN@&DC{(%^OD?MXwRl8IBa;ZEHXTWxGwR`)+FiuAeEp8)ea(17V*8D9an zfJs#DTDQgEYud5H!9UfZGt?|pTtfn82058%>Jl5nTuA+)2kH-Op;k^EK&U%)h63*C z<#+JuT)zzR$`wsnRmjXS0@8jCOmqK(EY^WWQ0P54m^m6W-L(`grJsa4G30e65wf2F z_m*IGxX7KlR;EJ|R2k0WbfVFzty>Q`b+^S5qF29ol9*)u;+ zCahfZR9MWmJkU9HzE`e>H)b`gqr}7EU)fzjIKz;;?M{wo&1*4D$~Ag#yi^ObIQE#O z4mOug10+{-#H~?Pe5?KexJ4n(C&C>u-Go`e@41#qMPs> zMIRd+75%X<&P5XRv-?Tb_n0cLhVQqkG*x&90i&;B{E zIxReRxz9+q^PEwgPGh*@r)lE+syU-8V;ppL5E+5#&O57?4N&6qL8fXP(P`<=f*Prh zZ`Ymmm<@vz`FZu0@^9#QtpS9Dk2yF&!VgbxML*bJcx^aHOe>ZMGhAgBoQ)(K|M9j8 zY#nCS0dCUyFweRG)g$v?7Ht{OQfrkhAYf8phef?BDSxDg;%{_HpD5si+V|06% zjfJ%jy4ao_h@K;_jx_{H3M^)yZ|{OSZ);1$w}rKsafMI@DqqT>^5r$rSdx*tRBZ-s z(Tq*l7KleVDynZQ`!FO819l-tRy^PA{EOnXZZHS;=8jM%7+WQYRLS~ z^(WGj8TglkQG1C`{T6++qt&3i-R1BXcKX~LQCH#5HL{rwG{m9TL%Aw`^pY06LMSg+Ue5;|lg^lu2eC#&_(-S>=pQzAvCE`Faj#;o^; zA`68!sFf6k;lc1P6iHFNhk{{AO-cLxW1v8hF;TZFU=vwyNpS*IFfpqcyCBYJ3k|7UOD{v3d5)6H|FAQY>+5?3dt(c}e%a)wCPAPMw@w z{H&0H=g_l2{|9<&QZmXmzgFweeT)Z;b~w#vVDHd;H^ccn1W) zUj*JipJ!fBEJdRJYHkJ3P095(@Ga5g0)NderM zAX|Ss!3$1o|78gm^S-+z=bMjH+VUC6U_Pb%o?W&N!$z2|EVY{11-pAbFVNjW7X*IR zkVAO`EA{pd6IW7})m}$NoW13nX=`Bh=nYxLWT^~(EW}5v`We@IdGZq# zY@-`zmihj|(+d;THxI%Mtm5UTn1LEr$WA(zS9i@$7Qf*f6B4!bFbea&!6aEs#YC+v z!$JO$Xc@gKWN5PSEvz{)IiiT_9TuMGLls^uHPN-`iexrXkr=k!nxHszZuS5M@ckb$59st>&q zNtj|$pjNc!X6Zt0hGvYx5%q|G3Z`mm7_rwzk%PhxmLb0U$z|u6*oVR*ctpsE0ez81 z%AtYY^-Fn!F>ax^XaE?rQe>!L9Wx4qUYoFIfS~|B{@KMxOxR&Y5@Zcbex;_2+oHn) zB4w%6OAanUV9R&$@q3jxo0xa1==85mrGnN2$LTYCl$B5G)~WW0NZ*@M`67jD^bZTQcq;`_HPf?LR4m$LpL@61FRJx> zvQ+fSq_5s(S~QVfmq?NY$buAz!#;7zlin%0EfriB-^~#d^w&%c+toAFXYc&*SY);e zxbf8zrqI7Z`Hy|I*ReSEr=IG9=R3|{Pj1sUif+w!?g1k?+dFLMV^$%q>pHU77Ow5@ zx>ozAhdz=c&1<-}AG#_62RncrdTR@oS_J6XRV6F~kE?P8*bdqnfcIvJpHZ>W^Y*() z5Kr%{WWKJQYTQB~)E%(^9MN^U#h92?>&+H24$nc{6-eijmk1iK*npxVA0o#`X0b2m z-g9F0S8tgILth#vDSSPIUs;NIpOq^+rRfeLvBY(=-V&NNcS{HZ)^|K$edij1mD*uw z`Yl<5kGy~#C&YMkPiaTkawd8Wz`mCu*mn~I`{pcr|6^732!=i`{A?TQa~Ua$t+ELz zW}mQrnVF+>BZjQ%t5^rNEvJoG? z8gLaVmi6Yee0n$}Jb3(a!1YVV<7dkgSg$n4e%A_?lb(}cR&+F2WoK3bHc-w+?17^D zbOPy|sOiMrvSd zOek>o5=)w^IP8$FAcdzr4HFDD?*PP)zm*LPd{S?thLFso3BnwV4G{3M$In-y$pd*&~f9>lj;A+UCyc@KOyCwzBR)XCnq!1P_%- zcJN{F@s&(&DF$`KiAkW4Z7)l&KY2>X;$+H_Un8_rY1tGPZ%WoCg_Qil>W9Q6q5Kq+rlEX)R-6l)`^KH)Wiu{DU%YbVxR;{?b=8>06D2E}?BgMXC)U~Nq#eBwM~(%iDN z619&;nY^_XtSdWs_qP!O7JR4L_#B7?kPO#;!OU$x2-`$d@viOvr92N1B_l0Mc#emw zK?l46Y-B(-P2O=HyEujxV{C0l9|7s}CIh09C17%j?2;>evUpr26=V9VJk#I~V|CyS zSg+ovjWN0HhG7#lnnP>+whvSgX?Di(5G z@HVjJy8ieCC|#=o#g1T614v9Fs{%UPFM_=IIeOf5;jg5zp3)5DA!g-+^x_L%iwp1X zK^I`xeq-ea7Zjv&oC!cLq&slnl(7iodrOOP1->w>y-6{0PI!Ww_#8dy^s~nApqRJ1 zdJRZQYQ=F)LhJW@oYlduVC`X&V8AivopO*Denp2Zh>lHH&l9j8=_93;GQlcQ2(#!E zW%TDKd`d#dYN)tb6YB4kWP;15;!WQfYc|2@_{N{Q9IWDA>{J&RC3K90ngwt%QwJJ) zrmU4!fO8_qCBW$5nlBNiJVJxH{Q0(OB;yQkq{%G{lI_WS2FUEkL{qe5es)EY`9)_Z zG;xsRVT7?RjFWh=eI6PYlMQGGmkTcwf{AfOaY1=3sP|%?jQo-wxg2LI9}kRbXUb&q zGwWtmKGFR#4z?b9v4%DSF5fh{mxC={*WMYBETq+(t~_nI2l;KS-e5&{%~wcs6q)sF zpDX27uI?WV#1geQGm9UA+4#OoMhSD`9B@Zccf~(lGqQM4JfrHU(94JlFU-NhIVl>% zO6+;RbS4047lN@D>Fleep(ZuhjD|I#My63I7p2$-GHQJyxLHg!LNl}}ACN6NXPt4q zWX=|bh4^OAd@vUSH7lKjd(V>BLacff^OWPPri(Umug`{+D?B5vJrX#RxF_>*@g)lG z7WiGP9t2#yzu2iv*r8n(F1#==s8-8u3)5{k>N_L+WKt=Nf3$*ZhD0+uddk356nb}$ zFUJ;2LOfQ%cRh%iSxkWhfh+aSe8v$V^anm^`(=_3!k^f9aEM-UTT&hpy_e8$BunLO z1L@NW=JK*nO>o4bIADea{%p(G&rVvhk~OT)gaaUy@f9&3eztkBZL)$UfMSX9|n_0== zJ5|5R=#Cr8v!|daG!WrYw>qRGs7Rnhz61fmozMAc@3^za1G&AHQz>#DME>vf?cJ`2 zQg&jQ7d02_5>L%_iD2{1(kR{p8+&Cpx%ZK$S69$|4IshPKXq6421LMaBnZNH zYZ1|WmJfGkcqmmQ%H`B88EBe>qn!h{7z0Id@4g+Q7n%Q=gp!FuGZ?$@!(>6Z(>n4A z=EPQ?FBNor5O+#0aOG~hik*F{kz`(&I4{baoHcbwCyZY^{9Mq_g~^1(K6b$z2{Bnc zWv$jiQh?_Kgrm!4`c>?HYW}O&2r;DB*i1eM$nIHFn^d9~0lDaM_N{}kQ<&ZMFH~gs z0y`#u!;S&3*Gxcu`vbh`m1=O#Hjqd0w4M6dWmFPiC(Og1#+-G^mw%!=ep@xvtM)>~ zYtDYJ1#6|+h@lP6s4;peywU+JROsn4lmbUelB7f@lVQz}FD*Di&i?Sqg|EM&@u3;Y z?hLZ#Cf&=9AGr`v5gehZqvm=Ny$Osb$$Qia>TT)NJv?GH6Xzu7-}4JYjy(*!-5VDv zpN5l6iQJ4TrB6$b6*d!zv{HXjY%7h&WXWJt&xjH!vGKOxL3aLON~moAM>ir(Q3;gL zO22YEl0yvYIyI{<0372bP2uj7!ObGBNw%m9tu)~eYrA0nCT81cq$e0UD9m7WEjE&K z;P2uFqQ^OwjAxpjK(r^{MmQg+sl_d#sq7A_>bS1m#mS-L^r^%P2+6k+6d(IvfUn> zFJPTYuDQze9`&V3$OYW&JXHI(G~apKeUs%~T?X1}MO}p1f~WYfy5g@4(ma;#_{)*^ zCAL#4BNgffAki+&!i4&E=hKHA+-rn}STrih`FDMNCIK$vsqbC-TRK?dKy{Lh;;9V4 zV`HGbpx13B-|SB1QL8)X<)}GS!mksJfK9_pQgaU&PAP6x{b*oqu!cYtk_DYii;PpC zcB>xo>ZThC2$+Cu@H-3RDkUE?fcb+eySv8e%rh<<>#y+Mhum6qAPJ)S0E9PXyyWw= zCrqVQF66h_nVwph6NJqMjf%P@B58cqW>sL$Q_PFULiaR7B(VSP0F-ntH2XJh1ym^G z{r+0yj0U}UwA)ZXq5^jt5>2@+aI$BDL97^9I~7H8aO3_y!`dt0&wAG8efLZ|{T}9r z0I*;hg2UrdjRX1{5K0_1{Xn147VXXj;Va*FkMZu}%C&dFMF0kX5*fWr!n)a^m!wE>3o4|E22Gqy8 z1@hL?0Pb@kXyPzwh*x!>?NlH61HaXuZe;>X$H{}9=)EA1E%2jJVOwjrA+>*fMj*}x z2yj0*>4{s}G8|`)YEfb1x0_bMswib%ul^fzUKB+FlZoOz%w}jIy&64Bzc)4`KXDu+ z7jVUC(LWvfgjI+_$o=bS2jiU<`)~LY^gO({O_^1@WhRrOxJE3K#*93u%WCAbt7;pc zFO#i(_Kv$5v*N`+7is{`$TX*{7u32UwTcC!RemBkRPsWf2Pq;vW@um7sFwMb{ng6z zdI;G_tg|-mI?o}Zck}+x>@MK2+urOk>ZyHT6->912^ssqQ5wU~A;1kY5zB-HHkD`! z5=_iR32^+nv2Xphk^eT{w9nqQ=?;&*DIW*3->1F(O*7XERgKcz6QACG0dSOlfEx$= zo*K!zOdiio`~hUtYC!NVzz|bEN6&dO2A!ub5K*uS9^v9~-$Hje^;=OtMEvT$at5~U z#P8XuA7kL&(0Mg*+%AVmCio7kH$`>?T8d9sCJ9l$4f3-iAtgSb{QT`j`gr}fn!s^Y z>V|YzqeS`wem{z69pi#WNiMd!j}qTzr}KWjCw1F!&<9CG`pw~jMy#IgZz5%1d=WVM z)W$BhH#axC8S4!6ZEbtG8SmB@EGTL^FM0fk1Ah6Uc+Hy-avzDT;5O=u7cq7(#@O$N z=k}3%+XaZM4|n6F^k8aF3sS`V=V8v= zD7}d@^aBm7x=>T~_g^cqkd?HgvAXjBt*p`UWEJ?f2%q^V39yaX;)dx@&@rgX+DNaDx0TDpCvzSO?K*jc(I%A;A&x^+q{*?W zwm;3Kqn)&${vbAAhahGj4>np89pi1~l4K%YL7JzeYUWvLEb; zKsHub4eavMJH>(b>K@LXSY9>=VIxO3j^kei+hT`A64tHlauN*rhZH#_h;|9;P=^U5 z#D*JASQldb%a^=y_P$o>zvVY8@!f!|Wz%>3l4tLe*Lt_mfrEW^jDMIJQ;d?VCFynSYgN z26X1(Y&giV5jQ5cS}*BS%8!x6U%*$9ZPeSFE_|9#`Cj>{4CKhEkJ&UYk^hJ=zYfDu zUCx;Dj0(Nrl(fkXKMWRdq_CU%+7+@VihIHszyD45z!5>;ew`yv26)#VXu!XtLg z)3bB@FOGH_&rV-5cuVhG_AOsj-9DMlQ2fX@+oB0mAe6Y0+Uhq%l{WJ3{JuvI)VRk=Xtalo2%BdU&hw(TAS zt>fi{eC5>fx_9Ny{(fUH#fK2Rl?f>2E_iKiZqNel{A}BhtOQ$20D6GoAzrywtk8Ok z&}gUQQkY^U@anX%-1iLn#Qc;z?8SX_x>2{g98N;UIG#j!ROZ^jte11Qa-(_$&=~Qt zT$S!)`w48ND^sHjPfe5pEccg59PVsd{c%+H(EOKltip7D^Kq$D^De?Q{2d|8zLkDt z;RGl!%~zDqoPu=N=kw#z-; zC}?z=PW>@WHaqv((c|c0D~ZG{(K6MVuYA;(Uy)@v1DR}x>VRZK!P9hTN|{O5an8pEdbDx_e3?u$=682HgD*9KtcEh;HS&{r=S1w(~7tjHws z6*ld+D^?tQ*bJLa0EB@2G79ZVu)qN}prN(|pxnyG#V+0sltG>pWujN+TRg>h7|uWV zabSHSp}>#$1_whI8>?p4-NK~*7JQeN2W78mJJAQWZyVbj`S@3VYd(=&>_v~6%Mjh}tBPXJdS z4d*1yq-^fexVM8zNIX;WU1qM82ye$`Z)4w9v5nX_Fr9}xzN;v9UR&|WeQwxBs2w+c zX`6Up%O)~H-~Nf7?s^{Y@IKKD2=`=rbgv3FSEIIr<2&=RAQE=ni01P^cOWjm3D(%M zOxaZEF*Db+HmBBSCZNvPG(SK0^XXE)*1o)=`m-~M$IoV%#pcziX${92=yt4Vke9!L zBhkPW4YTeH-%ib(*EWu@*5>QPk)&qd;&s`Zht&# zHnFD^-}#Efhia(0Gsu>cbT1dYM};^EB5N7H)`a%kn>b#cR&;|f4p-slpbGZDdg=p1=|x4?j;kVR^4&Em@2!5)A#MN#4FBKE96WG z54YrKT-?pJRc@!BuOk}CxhXfvLBrfIM)H@{myqVUIFMgYp>H5`>-p*+YRQ+f*y)o> zr{2*Wq`S0WjW|GIuhFoQ{Hoyt=DQK;vHXp~3S`aDZVU$sk|cOdDB%;n@iW9KasD;T z6Wv5CLgv+}Pd3r%=&om7ns=&>*NlXaIo97f52r3f3SzN!J0K~W#D(9ka&0YmGePG7 z+Q1cnyJ!%&1q>A7Eu}ret4kmaMZ$wVlk3H8#Z-&8$%bVZ4&EU|;;c5f#vb|0~M@msS|{!D1aq+7a&MS#7aRS+WMOxbE^Z&V=fhu^GOu!3Rg z0Ms$gq#c$Sr=l0A__H#Yah_SGK@!8KLTQ9H)T5<|^J&6_3yRb#7;RXd7ht!HpO+b< za>QFFZLa*XpzD=wJcT}jueI9ID|*{Np}TrP>1l@RxAsxS=rammnB?G2y5Jjr!P0I- z>NCVgf$#NV%8vns4&?c12YuD)Ev<<(tZaXofh9{ilu*1aG%V}Q^rFh>s^4aKIf@1( z#wNc!%NA2Xw61x0LMXFC0CT8V3>Gc6M|y{J`jWF#dr2(YG85m$n0@uT`=MdOW90By zn^9$rI!^(H#+^?VJM%C-ibwMopUkH%_N>d#V3=fS{y4k#C)odA5a4Jt#e% zC}skC}D^NlOmXQCq5K`*P zX*b8D#^7Y-kMS5|^k_|LL@vlsbgB-KR>XPq@pStB3JGeCSMmPpg}Ioc*;DjYw1x3> zBX-(Lf1e5*UoM}D;{B(hT}RP9tZZ2)6~$NBoiO_F;O!8T$jWu;eHV~y05`VI8Zw7( z6QSnJl%L#hZn)4GF2gM+T{G^|seMve9kX6I-uYuEf?cEw9A?YsxoBt@TP;UXFVuOG z4~=5{sRFX69}b1L4f}Md`FB+*g?2Odkrz>8ID?W)xUmq&mAIoy4liaU7E($TCu*g5 z$Vg_ylNKp4Nq?wjI8Yv`>K5#WSCTd)$r0p^4IPdc&Zh=t1=~0SSjxS`#5!16)}c}- zP*~D8Wcr-P3We4+x^xb%UyWdi`0}U?rGx%|_=t0DGvZru{*c3+`cS9o^)^9~n1zLPxe-t55Pd*cx~~59?wCpyYD6ApFAE@#3jEO1 zPJa)vpWf~UQQ|)gjj10s;Yhd5DU&*Kk&+aT;Zg^|@marKCHJCxmMMATY(u@wCi-Z` z6Ai~E4acpetxI-bt9fm?*xoFhZL%>fVFY0)ePMJ1YCX9iWF3j)F)iqSK{m4k-EI^MV)s0sJ@>VAK1r90^Xr3Zw;-IPC6sn?6ZC(yp7o|7HZ?Q_%i7WQ2&X%wesvjw%u9P#)$$8`qTHEv}G z35sm0m;)vov1l&}GaR<=i{d(rzI5uzT9_h9Kp6Iro^qR-5)@pGw9`Ibf>pJWs7YJW zA1>-r9f4r{z!-$qP5)xDP2uHgi9H-I&@~CpJa?o#B7=Cg8Q5!3i%5x z9#WlLh=yikETBg)eH1Rku;CIBEY*fN6!b7=UF;8=7E$U3TOTO2eH5lG8P*6MPO)sx zNI8Gmf_xytgb<$CVJ$T4cn2J*mFysEyoPZz)M8xQD@YveffOy9)Z2Hjq{^PV*@%TZ zSRk}d3V*+YFm6h9D^B@u>^SR_S?t#5FQ1U}ezM6%_>MvgB6WJEU*WXRgPK~Z?tCPV zq1#V5BIFI5HSS4)EL)dyZ}mEo>~TkfiU0vG0c)0#NnPM4;|Cj&)RL+1?hprR-dVyH zT`D{LDWrgwT5|ZSPgI#)ka_EeT;|dT+LZURHh)uUlbeeVP{tDs*Jl;=tZ)4vXvno$01J}*}=mW5~ft^AaDn2{YtNZShyq_F05RUd2 zg{Q*3tR~dd4nIHZGzEy+Vr9%`*TVt99J@&>A>Z56F!^Co6GemwTh+<;O6-4KhZ`q& z2}t`UGEjdiwT-UP``8@;GfoDeCA{071|dgeBOs%&4g(d)JSRg$qMs_mmb{1C<>E6W zf}9IU3$}&8%fJ~zR?kk_7fJ!HPtNn!4A)}Cm`$p(@7Yp`THtSj;bbrM!<}JKrU(@z8^f}aW;eaRu{7zhJ9tfU5w)4p zDx(E9DqZt&yTExM1vs1mBZYchoVv4Mi6Z^A(P(M$quD+Q`}Vp33dxiI3a4_*BnoWdm;>yQVUSFn z9nE64y>p$_0F8y$fwNf#to|mU&C?UzDao7!bKvu45Wvncqltzd74FV(@WSoGoiO8z z0Sx-kKT?;`5l**X=6P_^Z!jIom{&C~~!TTA;zk?^*u@Mcu_AL`6^~W+*m3kfjGvDcj(H-z; zmSIBZjb<1k`+pHg|I=0ce_rN)`wMQN2wD%SwL2ZLazIy{@=Iy zAMflx^7}9|L@QIOb4Ns103Jl&(0Q=%FAdP&*8kcMbVD_&vOlAp0_o@bw8SL;Fh2VC zT}#e!d;5W!?P3E;0NZlpn|iPbnypf1ivM8YpGFHpZ^D}?qI!HctJDJ!t-K`m>f1lf zG5(#5{SYFMA=oSn|0{PM$%A1ki<)Ixh=onH08aWWKoMR&Q!O>lfQG;jEEvi(&IBO| z89(^E6i|J*ozK&OB}Cx$hyFKyxGcZvhw?-m_x@mL{WGVXZdiao###?zOFhJZ5yYf9Fndd1xG| zInYV_6X52P!8&8Y9U?6u831xF8Is^g!K5^nie-00U;*3)KJaPGu75CIZ38UM2ez+A zIbOt!t^ON_ayy|Ldks;3hQA;4gixHz`I<&QFeXAQ(;9W_7#6eKN}G*Tu##=?t}pBc zaL%Qmx##=F-X>^!19*5V8)0prS(68o@{>s|f- ze~-Am1s?|HNUf7;FngDTj7jfS+0AyQYevACg49TbZw|)oRM@AD&S1C*y`72>kgNp< zfLC$2oysd0{5e3GWm5X{9mpNl089aC7d(f5@+tJ!<6>V>tLf5Pj?Ft9rjBEXfa3iw zfFP&UA77PiPREiP+{;%~e4Z!|v2Sl6L#O};U>G^dU|&y9a^m6oul3a*bmK=&F!E(gj77bSzU+qKY9&tzWyV>-bg&io{?ZCyCW~+3(;CZ z#hxznQ*~()to>wN*gyG)e$0Pf>znI`=7O_3Hiv-Ou&Al}@*!w>Re9cn*LoeAt@Qc8 z^?Rb_HyQGR{`0H;p+7Hvf&kuOz)nqh(~HVHUJtnOAfP@nZT=dh+?*Lg4cWK*wcKd` z!j1oZ{h_ha5lOn#ZG}9It(9K@d^}_3z;3(wA)a(UW)1lN%U8JoWp_8vta#vEZNfhd zGKNkTw{syJSyP)k_Wi&%LDR0 zz)!lGy}r80(x?HkEZTh%99zjiw_q*-CzmJfUhKb6+rBVBU{*5vaIQ`f1t@EDKN$%9Rq9fHknmW1t43fWQIvp06i)b0?KgT?jzg`t0=unMI8-Scc@iyx3EjtJf5o7MGaYYoBj ztO7HC>o>>f+^6*)Po^L%ZybC%%B2#ps;Lxnsp$|P)X@lt7oEqwtGl9kIq+|MisfkC zj#Nh#%%1ZTgJcsk*)%H`z5vdB*ie;AdEy_P%O1ND<`rXX#g(uB){REp*eE^G8 zcqtT5Bs|I>$K`k|H?9K*XxL{g#U@~5XMG^a>m%?983;jXS8{5pco{y4|IA_kpJ(Ws z?T7WIVV?CBicjwS8@)!l(eIX4orG|gJRMe*@)kw<2v!?Xbnb%7L&2v^u z^WT>cHm;~iwUsm{g?C~MWAuIWzO`XUV_0O{^-5ZjWH4R5ks1J{$!^!)l~0>CPLbd+ zGmHtSrKLU4jlJo|nfv{67rqQUK5N_)WOmTX{Nn?+k3fe7=vYr^=RmF$@%c5M22!dL z6~g|$zZw;%4ckX&<0#wgoC+a=gJG;?H$j!s5+>Rf7wVkjF08uIi^lyRv4|(GEb4t= z=S?FMXyGpP06aW@;R7E$-pJl)`7ohQB+Fq6uk-2KtTy_(?{;g0VuP39!MMNn{tFJh zucT6G5KG#Iwq));Zl+n?g+k4BZ~BKO(~Zc4zyM=fT)6_j_T+43Yg6bD<7VBANw&wl5nY|?$d%MHe5mqhN1dBz*g z&7YY)3YkmGG}W{B5@@7~uzL5Bj7L8(j_6)&U&AT-8vC#^15zaq6NNh;hwZ@B9n!ZZ z%+g9t>iq2B(`m@VzHr9jE?o`pZyGk*i1^llAEzoy$WGFwlZJs1cF7P6fXE*~1%1$~ zP3{O9%!{#oz&kFTbo%LfF*%b7IGzRRN`J{%z6YS@h9=wW`zq1($6J$GpwDTjg6s(j zpidREsv<0l)VLHnv`26`Od_P%{fzskP{8G?ar11*1iCvS!;_{G)mjc;Nt=Q@M5n?U z?4$6hJrLqrQG4HiLTXrM5C3J5;5-aiFh3y9IVg5>0M$GV(Bv`!ESftm^oagp04TcC z!Jsh%Y!NylN6zwL`f}vodWfl90ctssW!LqLv~XYd2UZ}68uZg*Pg(FNgq0glAe=N5 zh!Elc3{Fn2Dt+MTPbh@EFh-30<&EI!+=sF$TiHqDBENI+lZID-+n-b-cGV9ZIGdkR zd;@O(MhHv?0mvg<7h3&lD)+$O%N)~mRW~lciBo({XtJL19-oS=DtQawq%XN4oU{$V zNrP>_7rt>`=!69R3WvXdi@_UYwWgBIfhl9+erZP9oV7?wkigZ0uE0Yz0Gkscq6lH? z>&!k6Al8jczI>in`5<%y|Emo(;nAzD>XfWucogBnrB@ay+%@O1Rs!BIIha(8$EG;f zh8kUJ%Z5{LQz*2dai40rTFjYG`(V*3Kw3770d}o^e9R6$D89bKDQ0&j%kt_zZGj(?n0q0@IL1D5C!pm7i4ThHY-d%0f$n&!-J)pdfsqW8Mo4;@`UXZ)Zll(U=a(iqI-vEa5H{;~4c%UBrw|tEEHd930F} zfm0mo8kT6*o|a5wg$KOfj}^Hxjpj^Q_k+)SlVt+qpMVMIdG2}CSG%3{*ztbZx%>N5 zY(c!$)G-{d9>255$k8|P!#MiZMh0nvZpA|(U+qpB#sg7_?-I}NBsi@Kb4M|O=xY!{ zmTBTsI$c9_&A~AE=rq3uO`eWv)bvcTYlOtLTr2?-55h{nU@>>g!a%?i+_CcUeO4uYn8Mnj8(&WUedW~?u4`^Z`)}e#?x!cv6*=v-~O|!M(07t zujjR#!IqI{1T{0#>$6;A&#|KCRLur>w+gJxY&LJVr7O19X2#>4g~BT`FX_HPiDAxB zGY%UxGnyvx(CTG!JD5^XJa2p52;`&H=r0D@a#Ri$p3=Gxhh<`@B0hEwm}W#+8Zt&o zf~jVAkO2k)al93VW$4E;i0V`p*#Vf$DuMVe#Gl-D!BjHu`Y6wpgrS*6Xz}8c45tgI zhO-E`9Qdbe0b0tzGYw*#Isp9Ch&apC)8{++O=z;hJp90o+?S2&CK^T}!|L_sPp0%v zbDJL+X9U`m5N@O;G(Fr`P~6nt7@#e9g`h*z_GY{O5)JU#r}NUVK0_g)fW7T-o6 z(*8j(EbFvs4H@piPaCdQGq^HbH^j8bR-1*kf||jH>Y-Dj%i>)hz?YOYDeNG1Ih2TF z&w!Q;e$+L8Mi9mnC^VsEm!)8{b_f=Xxh8_$FdYq(qOP4kCgTe>hZgWq*9`Q+uLLvb z#W1#){M`-0G|Y{TH-93rClwJ%`P+T}n5}Eel(msdd=OsAZ)_Ef5I`(-g)mNr2$0ge z1Q-Uw@w7|WAVFH-m7k2wW*W~`2Beh^WCNshxy8cpj>}2aXMmKhiewY?YB|mCmkNb8 zvqk`osLO7h;ygu(NAihg#MFwpm@WVZou1t z&(`BS>_}-Fg-B!i`)4loaHQ;RILE}VaF-ccpG0MSos(tY& z{y14+2y=Zt1SVrvdlG(rVTIm0J)LXAA)hVAOp8|#^{nDgwsh&#$H`X}; zP$Tq98VzDgGwln1m#f03(|WTg5~**PU&y)s()MLFz}xhQ>bPufs&s1m`c7#9TiZeX z9h#KwtkDh7E+3o*c@VIrssCV0{~x-}GA;_Wi}uGrR0IT-4iyklWathRr9%*r?r?yiL%2v=w^QDnG%#=F%Hu`eIhCIG3WHfiykMtSZ@$aQj!-IkGvG zykh%6iOx4ss)sWDT-|Ms*a=<0mc};=rUJG!%j;6THo8W2ZCEP6VO#ToAYUXdKBBq$ z+Y1^fF0#d)-{k8 zOi!#t^>+lnB}#!0S~8)bAw3LWa4XB_qRGku3}iMqf$Z9l-Z?mXFb!(=}gStgOA2BZyQN7cRpAz0)^2m@x(Pw`^hN3PDC5U+>@Usrk=pzfRAB&Px|Ue= zT2TN*Se+n`UjQgN1BJ%Y1jg5LY7zzwU#^N)Sq#ZD#4NmgurjE7OS43Kr9~G)&SvsM z`UDe-H}Fg#!yfTdUP=ud3@d7XgSFn${Xh~`y~-F`fAPnWS##8M`L?r_!yZ15|< z!LmuA>&fVwiq`^I6CA@VhHWuaRHih7w%_r4j#0555TEh=PPg3QgE^XoL)*3&L=<&g zFitZ`c*78q1kL;b80D`7egp_`d0ZnABm)#1)>|y2QZ2?{_6Ka+*Zg!D>^DkjKMNzp3kqW(FayDPMP z6;GIk*O_pg6+8*pg+o`U#KYj=qby3c**l)~=J5ciIQG~wU|%@}-`6ViAfS#idQ^j6 z#(Z*`0c7KfJvR~ZIH?%Cp)KEZ-W9Yrr~$oEY*v5GAct7SkSa)sjs2<#jh1}py)BTS zz|U#ju8SDFv$T%HPTX$hg$>D7Lq z^=mRghFJwmPEvDV7@v%U^?i_>Qt#1XQ7@W!NhQ#I?5Ot>&WRe>=rYwm0-$Lp3}4~B zO(L7xjPT8ngi$Be=ma-^0GcKxrBUm@Nmad62Az=VIk&1ylp^m-VhQMX$R`M5AQ@Y| zDKU8-e4g*-v0cF|>uP5;|8BAh-f;E(_}tb?e#j(Q`~Lbhx`XF0BiZ=F<8^;Y^=aj}?ku>9L{8W?5ev7kWMGF{O@`MiBS3f9=?Omb zw;Oo(^kXT*5+RNmL?-qC9(Xg{1DKsZFd1B)@#<$hU6Nh_Z3rrE`7Bvc7m3^O! z?*0W$_hAj~o}O9COm2Ya#=qlU~ zs;M!Tk1z%A|LqRr{~u=h>BY|TQ*ZV`vZ-o9%ZvC+j~cQ8yoWZ3JPFoy>5iTL*XeYZ z_(BJlLhJ|X@|w$X9;v!|uG~Gajike@rqKlFX)PFXO*%4n%z1NWcJl4x`n}UMLaEGA zvBSjl{$;{j~Dv3o`;o%TIa z!Hf)!pCDtXd3_413&)g0Zmoy|32fhufNcTmUxGJl9DT-!H1Bfx-P%ds!h5vd$btUu zjB?34>OWe0O%FcTa0sv6{Y-c#FsOj3u=08N6H?0B;RWc#P_DMXK(aLHKpot@6hPAn z=%v@$%_c6LgT(t1{4!n%v5A%(-v|EyZc^;i6|%iB02yi}q`|)!N8cp}i82x9EG4uW z`tjx54bi0qr02K&R1amVII2ov4jgVjuVZB~;3b*x&hI%iO?Lho7*%HG6k0HnrfN9uw@ow44jsT?T-bL`RSNlVn_6vXX zhcwMNl$sl^Vud)FWjyu`Ru;oWl*{{DkEv{tIgdiq57#|Fha7=agWY~AF(ge})Eq~M zl%cHdeo^TGe#Z){#G$`SCJ2J5s9bNf!hQ1AX(iFR>CgK$N?t57%UIR)x0TM3Q-ZH} zk_Rd6;fm$a)mgiB13Kz6J5XM+ceP)#*kfQ{wuJH;_>c(7Ew`kdbIyO9OhvAgFr$7! zmyN@Ye$2*7N1rt*wCz%^67{@qIU$GMmY=M7FyQeGYEeJZit27k83?)`4RU3~?w zfZkh<9^Ppat@tR##5LjcIaTFkIVR0ED*zGInah~tky~w|1C2xQp46~5xuE4Qkt3HuC+MF_Ybf0YAcup{y|NL3;Vlp z`SZ@qmAdxj-6rLk#8()EzHB_uqP=JwOde2SXxJ!dp5`wIb)=0p3$w*U-_L6n)SQ7U zb(!#R@OG^UN1>pp>*1v*stToau7XwE16IJ^kBvlZR0jgs^o&+i#&JLg`5k?~X>tED zn+5E4uoX|)i-{^xvs2s9CU#{Sj|jR_PH`vLF_g-8R*Eav+q%hqetH~ts$O-2V@H)A zrawd+!K8fp?eSax!iek}75Y1+u4eLci6AN6=7{31SW;h=ToHr50-l~1* zxjpoY5bB2==(fBH!4b#R2|%QWs`N5lUT>n;da96qg%L!rGpjgo<1TCgj`Y#*DIKUO zM*}4qZ!n`W?ts@2E~8A}8e>8IeYPg(iSB4F$J^9aM`4d*eLyyb(es!#*w7t>ADA`1 zgiO~l_f&F_ZiG@bRqPpSA?5nH5(G44%C%EsDBl8U&>RxK?qKt~q!QGpZ(dsk_-T*1 zrBDkLYxwjVm{yJe)!9ivUroVgec6-Iqi4x&^|?p;TE}F-3=Z(qZtMAHJA3kHxDup4 z&jZj^eK1|@R6J<$bCKv`M~%pqSgCw8gWhm3$np2Y^1e>=ICQCR|b^^kOQg0ln@$Q)&q9+LTV_2ixGLm&Exl#2)`bx}z>#53Xw0IgAJFPY#HU zwb4JU8=fT|a2f+5ZN5%|Xg$?(vUkJffQYxym^>jt+q84{BOgqO`)8)Cz;_=-ZmjQmNL) zza!QgffAloHf%%$sRwLXMO}|mT%l`nBKlNg+~GQ$^oX!l{<$ER=y^d#Lu#}hO`V$U z28z#F56Pe)LwYLc(qT6~+a--=xQ5buKp7vz=({-_cxzr_<}=fY zLCJZJ4j0B~Mh1_ZP7ryUcqRC&GVR4=B*hpUFelqz8Liz7y<%dQnXc-jkj4IxG+w^G zj>D(%+#Kne#&`fcP%mj7tyit)A>uQ*3i7mt$ycZ*u62jJU>ObYru(X*3Mo7FGn-dc zW`?__>D2pBtv#nuiQhO0|Ss50_zjq|2j_b@s1qOEP%WSA8f4Ah2H zE#1d~+jZ<;=Cr7vk{C`6OA|bbl|Gxe#PkvTJbg%~+{CbTk1&m~Sq&viCETBs?&&)*R z{0G)WOm1l~m9)|Ni^c~65+YfCDC)(}32RYrrrCVq}JXl!4yQT6OAg9L#D~27$#Y+Dm zr=|XjoCbA@CU#syKEg)A?9HDGUAS1cI39#baZ%enS$B74ah*z#?Q@w;-h4VVNi2d_N!T(>bkGR>$=(&};IP&}+|}ZMv7O*F;3M>@9(k@efV=KCTtrBH(97 zbfI$vdn5|>t+1<-h%_O;`8ZceerAaq0*WkmhC?cgB533*J3Wtekt5U2py66Jf&e-k zxSX;rC7f49%;U67lzimmkF`T@+RukR$gik)0Pu3`re}ed7+%u#;$fd~i zb3aYWd%J?U{j#@9qq7;?sFsx{FSf7SX~Z462?XRfD;UY>N#`5M*tSA-$5pK%fTrGq zaP$dj*UmXvEst93wmO>Wmi|Fg2b*s7c;nI3GveV;!GscHs*us5jMoUD1^1 zzOG~`boSj^1&D@P*YKWGc9(H8!cvDt>$Ay;>Wy`M9v2eiKJ?c=l%ad0rpgj|{J-Gm zvvvp#Y=ZOtDL;eQRu;B}^t)lX$uc?L*(|Qrsclb!pDvYsk;C56YUtkG*x?PPRzvSVx2Y40^qTu!`Ef(Z>dtttPyB$wl(MWmA3|3O{IKw3fo$$_p@y&v1k4 zMQ=A%JhHl+gZAATvO(<7!efu#B}ezicw0C0J_0?fIywJ?roNVA@TtDwUo>?$S6fE) z#v^MynmR_`kA%J-PnF`lI5@OAl%J1RX;;yon4F(80KT;+SphX!^@q`ZCt7@VT^3|{ z%D2or`lXPYV*GB`(hVJyFr%-+>lZ;HdjA$cQ@8v@QwMYZK~snN^IUB0St13wua)#$ z^LFb*gv2y+)MDO2AD#5RUbr>?FPa+Zpjig*a1Jo{bq2SE!HEXY1AX`B=kSSI_v0Ul z9(r!~=mX0OECAvGE$Cka$kdD;GC~ouA*ATQpEUedONhGq_FX4rIC@|DO9wq`xHP#8v8j-P@hHN}z#$DR4*khdjklY)9^HJGK zZbYRS9_KiMBaF$AA+(i~!;PBT^Vh1dVM(&yp`A!@9D^Rn=RhhAQmi#I*BUeSb(V(E&Ew~4W~hSfr*3; zJOK45Hh@t7Ibl^&1b<;8H_dKKRSE6lv&q~6l#9;J9lQziNOT-R8>cDykaP^BPoSoddqlYrEK#Mf8d9eL}Auq>I@9X?scU&~E zj=_bUlGK4RU{f?C3Wlv6@(B3!GNmBSo+i449g6CHWF3WdfF_oc8)xPm&E*`JC*)m5 zKcq&lsHaaKjl0nQ;Z^gSx~>(ro#cQ+n)W2){7(U9w|K8gw%YI7YC1!l(Jm&Lg)E&@ z_x&DU+Ck7_V)vt)^erZyWv#CYQ@u&!br5p>4O0_Bc~@??ublELQg>H?RWJ-T8PPGQ z4?gMh8l6#ou8HeBV+u@bkO4xU*|GRVLj~4c?P#}H95zkXk-3LS7O862Jvr0E3#1aB zC)yr^PPOFNv`7Z|O76(4RdRf^b9k^T<2YraMF&Luw)|eulqP9sR^_eAr~U<7N3di& z$F+RpV0*015a!g4i}TOf4U6~ztI6OB1cWdaWtLTq2+>k<^?dc~VJURs^^^0IcC`HO z<|a{2ao-JP(w$c&>RN%(wv{CTgc%xl#!jBz4Pq~IlMRlnt-EPl-l>u- zm5E390hG1vM@FyGvt(2QY4d?6ef1S(r0B@lwX0rXpqhD9z^#c?Y%$&;_{*57`g4-@ zE6I)(nXf@D`XLZJn@B{u1)@G73c92s$mkI4zr3zTT&s4(EAQ7IoA0lW4UKIPgu^oc z$$DOP<`2obOz3Ux3og|B=}%I`)cUVv(-->W^F>B9k#9#i!7kau`lxO}3M2KKO@A0) zI=}uXbR+TJ$6SgQi2FBZ>~L+Q0=VT^BHE5 zKY!@S*prAjg61pWK|bY{79b-eMpn?oi<37g#%X(XV zLVjiUJ+Z`$v8bQV^8&XFp$8Y=f>w_;SE^`zatwz~#jkp?p7-h@PA73gZYjGn!p9@p+A(~fs1axa~}sbYlyo29Wy)W=7))AafG zxDSyp`N9DO<9=Kp%ZK++4y8}#q!i(vO~+gKcD#!(REz=3`icBADN8)ddZ6b&Eb9ek zeA=t_xZHB6x0(W{EFleBxbYQ%(!8 z<_Fc_yW>DaEuByFH}sB((O;G|(D~jwqyp38{>1cV_b-Q+!b;=6ohMX_dY~gZt5r&E zxFzB9>9G0~YegZQqq|~xjY?ne@V?iiDUl>q)jczxxj6a}t-o?g?!%D=IyeY%N!vtsb|1+w_C zuU5yZ#xPk-+B#8!fv>gmd}zxtOr}{a9n4J*n1s!##-n#H@5_gzeldwW20$^vS}Vd7Wci z1~1xoJ~J;pQj7zU+Ju2wZW=x2fU7`a;;!mPPFMe9U%^<4*&i;z&M+~vX2Jj*h$ zWKOh3X_k!1g)Hkh1{~c}Y165XX@3r>+F%uv3o>LrDlF)p&oc&JVH>k;uLs`E7vSK0 zGazN@;)5}n#Z~WE4b{DV%BV;yfa}xdhix32_ax3Amzu{puVV4cYrOp>UmcOlpIh$_ znAh4vx&!CpZqk!s2g8=@){O_~jiyXS3!9&0)nv*sz$H*UP^O2J#=4}q*$zt*Y!#6d zL?%Z*%=q{ zC9;!;fqo&*j2|{V&6$0lkzBcUFg4_ObOe4cE6?ywa$XHM7O%uw=4}P0kX?np`~$u2 z#Y3-WDC;-z(Cg^>la@cw>*4yyCFbIiF3c7LA5N{Zo^%2X1PvdnZkFP!<#aBof=$6`kr5Qf- z4H=!nUy&~YI@zL56imMelXRk$KV^ux>f<1IjbT+)YyW&v;=Hmvn;40QUekKifh>{d zVu7m-mqe#$i>84U0^i#N!pRgbq94jfRXw>W`0OKS(sB^#*|1&UpgQ<52MEw_hvARc z8tyzs8ION#G5;b2_K7R6kNiGmh!(_VEGsnGdCP+mU+_-$eIdrDIda6(`Kbo5%#612 zCB$d*8T=su8m_+_7lQZd0q*fs9*6+BjXW=CFV4c1MEv*e-y@t0MG>Kj)+KE7Ux-D@ zTqzK)--G zrymixR2A95rDSW|mu8Fz`vKgo>$vHYwVRH&kUYDfp9Gbj!I_*y_HHe?bg{B8SwRQ6 zE52CqdS54VFBq6vJwB!-nXA*hfO)+DI9-wbFb#%i@vDq>F-1Qnbb!Hm!brCrkk|!w zoM7cG!xC~}L=bwn6SLiLiS%H` z?2R&PB9x^qs_G-Z{gOMtl2t`^PqIAeD1!(MMxkJ%b-#Q}5A@zLXx2{p&MP=r^FY8) zgq{A7RKq)z0$qh_I!I_EcmqSXLjzZZ)5618h%lqOK6om&m^F>M=B7+|eQ*GF_&-c+ zeZ-;Z)V>Hk>&DV(ep_lBuPDSxEVBkW^TvXm4m0I>t!foVOosbAXl`_gQEU`ykps5P^y)QV3(V)A1urn zg{f6OqAxQ{C3xs^CLayK60|D38BYKa$r7}N8hQ-5vz*JvKZnOw0f9K3{+_rX0 zc}`L2dNT*bfhQ@6)N@1QcGV=QbzT?nL(LsJt>+k)dV@u7K6G(4EmWqTlmb$-`AMth zz1_OTI;49aeAvaK--su}%LA#K!yuVk`Xzi0yHXJ%`%N`6Y9z z4qCT=y?0?&h(7q5(Ff+-gu|wK5+X)jz#v^<-X-S<5N~U{xIoAa(wNodUL|#TA(~tR z%hhzcxS6o>y6CC_=11<$ZJeV&rvy5QX?WX7k=&+VutUgAj;rq}S}XAdU>ji)b^%xU z;r4)Ua#8|1{ny(O3bbB#?~5n3ed$OGe~(`tS;lgq-JiCb4on-puRXZl2l?5ga9iXi zxD6`6fT04MPVhkNsTk;l`4LxdgFFvXb~ux?b$N7J=s0fjL<$Ig-R8HX~#c8ZlMemD#7tN7lCo~}B^>Le*4s@Qjuj}%Od zxR})tZ5pbFsX7St&r z&^9pqJVSFTe_azlkvgrw4Qii;9Bi%eOpc^>alDCoSXprYk@GiydyNd@EAcA5&b|LY zWp|&ca98@K<{G#6;iy@*Hhy#kEq-<8Wbg02G2{SinJ5M4`jCZU4vP~{Qq!b`Ce*^~ zjROuRT`hHRM0qPz)SnAu^yW6St1XZ`|5WKFc*5b0dD7Hdit$Ak3$dbc0d*}~K+TI& z2sJB2Y+NANiF@QdGezBsh#(KXm_}9jn%y}I=T1n?iPp34y)pu|GGIA#nR=h-NBXc zgmme7R&dOuRLZH@efe6M{&HTZ%&xKB;hUo1mJT(dX`IE6o6ydW7&njs+n5E!TJ6jM z%epNWLWJpBwnYQOY3-czQvVypL=j!SVaJ5&2g0!|^3j)zR?xNi9^&vlM*uGPM%tFK zF@|09aayi`Pigi02h-O1ekeq5UOJ~C2Le2a-618FgpfLbECS!P1YMpl`B=%L$o5XLyK@>WwAXY+rbHkw z_BPEgB~eCyz}5EWK2SNF-JEV3@S)UOqLwspQD3XM#Pk&XW5RMD028439w&3*${!>| zHN+-$3b}2$7XBi#@iIJj`qpfl`;}lfL*L#65qFWydqvF-99?CQ5o^PLl8;?-zPX|m z1@3HyO_3=%0z%A$-&8rNqr?I%ki7Lvt2R zM|cjlw)``YQ){828(X2s_6D$_JDM3@q~aQeg%@@zzf@&9t-jPc&VS~G!?J6xfbsS9 z0kOYZ7PYCJ!fT2-$nX3%AcMqO5?<0Pl7YhC%@GaPZt`8ZffKwPKQ1JZ;^pabG?mJ=3`T^$hj=(S~6Z zydwsKZ7_G45-}+!;VH%<1BXAa(c|IUd?` zi-Yi-)8l)B5G1u}mketBjA@l&=M-rWm5m(kBtcw)Q4U?M|M@q&5pF!$;fh=UT%!cXKMn`}(Y(BaI z(zUOxeQ33qnle_Gd$Is`%{EpwW-AUXLyVc1!4P@-^KgYl@UHoz_vIbgPfy3XlujnT z)a~o4hNiZvYH|+X*kQUZ@C|cK3f;66>17wLxVoD~pu-K^cv&z~1D+*L7=`42r&|Qe z>YwRG93m(-JjgW$7Op{g9iigu(MxSJCfO$R0pXbxjjQqZHsgI9-b4rMief;vLyFIO zcz9@bY0D;C%zgI_F+cQs*<@BRO`30Zkih6LU}$IK8QLSzG5V6XL8nU~8H?m%418nG z2#=!lAolB-_vKqgz!qGiyY!Vo{Bp<`7YBz# zO+&NLi9sH*r(v^d0Ex&gs5#bhTL72)Bc?(-)LHrx|Nq0GaXQu_^9DoY9kgI2%DZ}nMN!YrE^|zfJM!B3lox3P|DG5yY+dwi$bh&FseGUk2c2~? z_kJ^!joZs(X~f6rxs1HEfdArCD5EozSEwNuzQ$d0%A? z{=SMwPo8cY7sho#>O}+FMWVszI=~0Ny}t8M0lE7s6*kERj2j1hYe7FS-L1EInXmL` zhDtS5_+AtIuzLVd&0PXFfu9@>9{%hqQ8|tQ+$m0=Uc1zz3)r_sCKLO;5+W1{jW-L( zIP;pGZi55zR?>3`LOR=zZb01b)`r*TS{pV8kuryhpK)Fh0@~;8R zdd#gPWl))ZH0R?Xhq0o&K*Ov3w#I2TKvI3XRj4@cJL2b$UTFP@^0!-1jSI?uo|=A9 zgwm9?;5vbCpd${K9!@Ml$m}zIZ7PHCb{WL|9agAB=NsWZdU&g`59y;qjcDuhhfGK~ zh^BsJx4xUp4$iHwa?W{XeNOGLMk??(2YT_i@xKPqdUY=_rhc*a<74 zn4Djr^M-Zw#~VK%O^7l8fk!Q7X71^c>_VBH>!iZ8trA`$D#;aXUik-?BrXQP6L-W<8sat$S0pfCVTk13q0Xx zWELyCe2G>_!C4gnnsPe~;*kCH+M;<*y6LakFe@kE6>Hj2g;BRxFmGz= z_j^HK47M@L+HdpSqmYr1mmOLi!r(rU>wO1-(Rs`gz}6Q3a@EBf25ccKqlOrcR|lIO zgP$~4!Yfyuqbw)OY8#!_#dS|I_uSg{a>w#9vhQz6SdFehEsCY$2+pEDR1Viql)E#6 zOHSq1MBG6BMvW3?y8+w(`8-%nzD}o{sp$dj(A#uIMApiLD`ulnWk1$1Tp}h1c>Onw z8-oUE`bgHwt=sPLC<&cF=MNk^+$4vjCb5lHo!9EH$_$IA%iA$SI~#s>{?43oa;pZ+ zWQ!CKJ^jATruR>T(Hhr9Y+5QSbm?biz*xbLt6>6FksV_X`lz|9$yk7UP%>Q z0P+^&J`YJfRg8%E68-&?c3;9PUJHIJoJ9>BLj|5XyW77S7f{~%;6SSEc@V5~l_l+hB_-z7xd9^EvU%CJeV(a7ZmB*DuU;kg;bvO zP|;nF*8=>fZaUNjart`RFWQ{}A9veJ+>Ptq0aVq7EKdd5)wWRbki+O6MAON%TvDw! zx*+t@r>d2gNuc-?tVsu7h+I+qfP(ECMkb_)rffBR80s72Txgz3t^8;HMCt*ZQ-a`& z&!XJ;4&>(VY3A&rr_6z~-R6!o|01=60ztKEuCdHtq_zubao~TD+TAghe)PvF@guBp zScmD|9@oCj(i-I05`RF^aIZ&2XIQGW?$LK6r;Za_2jJQxy=x0A_iScYZZF{#j1#BM ztmSO^MM*`$ylvzSnZ^xY}XG@j;7>eUB9g@zBeD15<4 zYrH3{^n^iCa*CbuRwq+6FLuN=%wu!vXPw};XlmYfU-4Abn#xTeu*vJX&PR5RU%0?n z>+3szt%=`LZ-WL3Jw8OZ@S^>kgCsHhL3_R$Uh#Xx!C=?D-s8 zu|LYkfYg0X?e*%a$fgm_NCxescz%16pKUM8HQU1<^stX1XoMQ=c9O;lbmqnTW=;oF zZ}9J^Y64RR_mcZ#&9)*M`Q@TYIv_i799E56itp&6LMz^CmGk5J*M?Z?+e)XIdYYts zwW?T^opfU@!NQ}ekh%h@xq%W-Ud3lxxZKvrJ)CmyPdj&Xs=DLjH$!~Ua?9$A5Z4m6 zfDv_O(`Q@q#$qj%tkmQd9#UtU?iK5p2Rds^W@*|T%HxjW(-(s0PPcyiyCL40|lGVZ9Y zz;@|qCuYa|h!wq{@LD+!GqOLrgUB2$d$;P7=-MB%k~B%7Pprc_hm;Zzq}Sj1l`zk7 znig%vaZfcVJ5XjBE%(Hh)g@^52sB{*PW0lvz zbK-jTN*w(0iOeb<`DA`Tt<+$}vjCrdZ?|Yx>mQKZ)U(@j4AOaKLfeChNjAK1{p)~3 zpdUEhatm+MvAn;{Oml0qIPp{gzqL%f5q-NgJ>Y%qmXVP(AztzIBm!Sq8_Np~qkNze z#qLOZQ*he9(*8rSSx-NpfxWU#*DJY5sU$dk8Bd^ewL_fkBtHHZvTY6^+us^&M(i=w zu@gAjX<1!z%*>_NC-@ey>$hln;so|v6*>PwfNXHBu74qwpYy_jq#V9lcZipHCDUxq z&G8A*HUQS{Rp%AagOdS*{NRAXNx0W%mEW1v&kJxp6ZsQ_()`G3oXOW;g8T3+pt%4X z9bQku-4ajBWHh6XbTjjt|Gfx+x%2`X4@0F2%}sUcIHrNcR&#kikf-JB%O6B@t$J%hSUMB_ju==kKuG^=n!8o^;OApm8sNAMgCz#4=`KbjG0ST!r>_17 zvi$`>w#!m^_hX>UxHwlIELVQanQe_+LY#0Y!bV10S@BAlQ@29$xAXaEeRX_GCnbRc z99YQmlcyt9)H%Abd-pIB~Rf6urqhi!F1U`7wys z{OqE?Krje$^^}c*`Qs``;JP$RIH+8d;ABPe8ovmC7JK~YjoRypf*SzS%^3VPa|eu} z)J`?|L$fVJ+#SZ^+*o)4wcaC};-Hkue6=dqYUF^1Tv9wopOya!48^$`x9je#<+}ZS zjNL;ZSBe2@+Usy4I`9|8t%OH$H~mF%m%^hL>(n%@1bwkwrlEtHg83CYyt7wdOYMlG z8KXl;LgXd&^Y38f2L1&G#GSBUxyHWiQl-(fIU2Uxw~7P>lk3{8ee#LN(QaL!BO6SD8m>O}G@}yU29`7|L-yuLbw! zd}8&j0*7m{fj6)HH{XV@)YV)Nts8@!+K z)r8YiLJt3AHrY03QMtNsS`R3lKg{auF{WW6y9OYb>06ewcgMYS7g54X9|E3~ZQ6J} z8vs}vfEsU5yYoc+3qlZr&*(HYj`{4v|Qt_vo0laSCW87M2m@^918 zpf=_YfEy3SvfGs??g0Sq*J(MllJ{$k;2e22Wg}*S@2w|lZ~@&iqKn=3bD0vg8&#|Q zy&~A0fZUDxa|GXq1KV@aPNttsk1!dWR3Bzibyi6pJEihnZoM3^tRN;I0nQ__+oK1D zoB{PlB&|W~W99ovyiim#<0a#nry=q^g%*NO9LS%R&)UWtEkYdw52*)b{6iIrIk5Yr>4!YJ_}{y--g-6Wcp`*)tiZGSuC1vk3H+i*;T%+BDD`~sTsoi0KgW72P%;k(?#y~edB8CoA^L+ zfyeVD&lswEhq?8`X7*!~n$<6YX)8H3&B>bk}K zgrv7jng4ZZ!fS3c0B{fe0dUXZsDalK0JvQfGsANxX;JMk?Y6K5E>N=Zv>%UL+4Y*9 zR4;5YjOR&A9{5Y&c8GeIEd;sqc2Db?@-Z?Y+TPE_^I_T8gOw6JQFOdRr@STrc6J@d z1C1shUgV9mLVY!`2)D^}w@N%tL%=2mh*CCe)~|fLPQl}vM`C!RY(GmPe^6{W~MR(LmrcxhN5!W_hQqj(GY<0IQMX=cNEsv+P5~eljO+uE$h{91a=ljETO?!2E=6(A0of~FB{I3<`tTyy% z1zc;iD&0~&tliwKCUs$IHkgo5c=f)DVvKpi`|3YS$(6&Q^1||^uDA)GyG`Y zygx=dZ_H_~pq3OTepl*!rLL;bM8bhy!`0aa@k{+p=ZI#_@mp8u7-fvd+h+TlslzWC zY9g&b8T-VBk#Gp!XEhqP@>zFiCjM}C3iM>qd^XE-B)$~*aH!C@En}*?Nnu2ec&6vt zyrRI9aV{;Q09~grLAF{^&{>$J7{~9)Ug$6cyqSzwi4y+;x=+3b>9&Lk13>qQ3>X;W z{RGb`W$-Dy4G))QUozQ3^o!YG636Tv>Rfl4VcM;CK&02i_V zS9Rk;m*8HP|DLmQqD|1MdbOMC7EQR8a^0n0Mf%YH_L$IM$nEW^Hp|mXdjNbrPdl}@ z^qcASYXbGr^5yW~9&u9Y!*`n2^m}gfFxGUFmV;#l1=CN$;0bSa)<38Jn9nr$VqP4w zynm5OOKFC9Md-Cv(#z}ET5FaN`7ofw8XcwFCM{O(^jJM-)24;+o13Vg-9u+Le|s|z zF+hRLc*xSE;}oE)gY)C!RN!}c8~H1sdHC6VApdHqQeV3-6G1TY4PKyF&%lyZnaoN- z`X0RBl9LD;Ih6#CZ}-n`!okKLEy3y;H|cSH3NS?LEpJG!)ynMtkyL^{eyWp@)dr>h zArFOS8g-7Jr>w@}_l)@QvgtBoDrhaJ?bctf#?~RYKxUS~r|J{p8vK&_!&;zDoUF=< zrZIeJ0nhWonxeV~zX@A9-W`*eXt&+)CSDXf@jDn67~K?PO`AhXr)ffa-ntY}!W?ggp`q0H1pn&*!$wOpAH_MV?8q z!i3&o8u&T&5>?7z5{FT_WXWJk?b zE+SV0zU;4nzLwtr9gOF5drpBg8Rl4*?WP6`D|E6r`OBMY3=5*KA{5NNAst?56uvC5 zt0gymR%getEGX2qUnw|})Cer+n)@BHF;bEFE1 z5N$O-AR({@&!;T&KID=88kQU3eN|a#6{^=3MW&%jSh+IT&Dk?dz8|v%TcF<_-BWz9 zOL#5f_;j!vW2X0LwM@Sk(QRV5+6OG*>SvqqJoqa?F}QV__LKii5(^Bo*n*F=s_WxB z5K^a8kVoD{EcV|p_y-3-(97r|y2pG`VeeVHtMXXk8}bn^1AVTlows~cKjMUcq9g+2N*De*xm{Y+#}pj8}`+{xP$)Oq#s&*8@pOLYh5Ri zX%6n@UdsB_8D6jVjUJ z5oZIy9X!bU9RPU;DLv7BhztVAPMq~~Mh{?2f9PQ72NKePx}SawA56(sXE5@y96fh1 z_XiW?jX9;@459Om7lVVs-L3d=>*Kujy_%igoj)9J;E&4&pEd173NgU(j`g%7d;C4l z`s4tIy=?ZL>m2m>>{7UcAWCc|TWMe>ehpOG)tA&y39B$hx)w<+2I(FvsbX5u+{Yx*lln9E z5Bbt>yXeQ-b_g#t{`XEqL!ag!XLb?_4&Czf@}0}yy-2RV;B!&qlW-%3@S9AS^!|*! z^4KiC=D6^c73k9Zz}0isPRc9#xf(nf3C{3+PSjjkU2%J2B05!aTT}wpI!_~vj5T5L zeze_n_r5lah66_vyPuGh+>v!Gz?Ny$87%^Agr(~0>K&qOo=~lm~HMA zOjL1Rw9$jyXt|&#JN?%3T#z6DLObW>>*lJgu zbTu5NP={Yy%&ym@7sQsLH_i@AMxHgvpEvH~k3d^q1$f@~q%`)Re7*d*uC6|UwP&L# z6=h$ER0~emb89{S$0|H%HCvmbhK*ZWd$y~+nVY1Uv~&~$VD_VyPA4OM2zA>@5J_9X zs`@5mf;~O&DV;<4PtcM@h~Sla@nKGFO}hQ55#W9Qwg>&E0eKc*aumJT99Z5x83cbu zdYFS0vF+#YKXAlz ze1qzkp-zAHTL@?-`>DhUZ2obL!Eq`|s^!qJ_!K>ZgA5OuwyBj8v{Jw$YpZX}uX(~t z*3~B;XHq7lb%ji{vqcVZifcxn)Afkoqx)c1dk8i zy^46C`{L=%)QsB%v{Y8Z{$FZaY21y5l!IEy`SymBrC7=|xTNkq8oo*N>C2a^GT4{5 z3DmL}&s#=B%>RH?vB={6@pI9>S`qMTrx%-$5R*`hy|D|Wxe+@wE%5fER)N8@%_5hL zQHnYs^&qN1k~;VLSm||mne)Tw5wp8GNr~Yf_H>cjRL9@-2d%;Nas>dj(dmW3d7=fc zI`Q52dlMpVWK!|FiKnFqCI{1T*%4EZ;`FFyM&~IE`@8aAo;Zk3 zB7&c2m#G0LZa(0Nztwe$oFuv1&D$9HE4MfO>%DEBKGEb&CO$f6-9vD4&$8JG$?Jq)`l}wJ zKI?0Th0Z-tm~NnIB15qOpN+xFNX>Cm2J(vt`o$*g?dn5rY)R?a-P-$j#7L%L@= z#1u8Zv5ZUL)w82WuQ*MJPj8~YVqx$HCQfJDa6#p_ePe28Sok|?C6twy)ugA+3f0Z3 zJ$&-T^p)wms0AugCt9p(TGO|JU)COGIblr(E-o`4g>LOL69J%70>Z zUx|aZ4FcmI?(FYwJLdJlIK|=|xQWvjP!HsL{)LGL{|gf@4Jm@}{e_9ohU5e->#PEp zIH)izY7~ib{#iLLyc%RAkTc7Ls>Asf=w@2_9twUxN-O^u} zcw@`WUtpR^p)#dCJ#VihI4@jO5x&s|{`DZ{c^zwuJ?}MlSm{~Qffq3%sAG5!!xY3X z#D-3pSK_I=jOLvyUdO{?H6H~;nF4~?*{8LI>e9oF%vlQIsBEN}la=P@H{+ININomv zRAFkS`xv&Z=xB{_q`zc`y>>Eo4YrVqdcW5-5FEp9b)rclKhn-vBb`KiJKw(~bORkPF8~DEm!gRaGd8VQLFp7U4R%&0Y zfg1cmEc}=Jt6=+}C&jztS7IWLMCF}w!gj-2cT`uZ$RhPCkz)^CQyML0S=16xFVSGd z@OJvEW}Ie~wz`414@M*=i~qm8O4TsjMrfoyPg{}wbgA+L8@PXtOP*`rv|afJjYnQ z+*FN`1bz1Vl$GQWVC2{nF=hBb#Br%0Kpc1aZp`>?DDyQ$9M7WsMI2|WzmNfYg+_lP zj<5eg9M1^ioHFVeM{-6WA>+;XE8GF?j9PCVglEnQlRd z^W!ECTa2ea-txcTu{ts$_D(iZd4Gk|>K{zJJ+@swo2U8JidP=}P!GIts)4`OajJw9RTEjqmRr3i49Ac~Mh<=Gt zNHxJapvXuQioZjB_Im4U;2!D*zI>J!DQ)`V1mt)(>&c9_kH!sVUVJpuN%efoVOe&e zpK~C~O3vP)d2pD;doYKlcrtuOo*td|teCc)>><3N)%{^FxRMMn-sr&R8S3=L{!@*U zkJsQ*Yk2T2&{1<-R4%4(j3V!@gv3W+#k!MHTJmF{C~@dxv?X(s(U0D?_Imx8eXyCr z1@4^3>6@%G(*<9!W+tVA#K|_NT{}fsOwI|q}uFbZGLi%_hg=P#;%{_0p`rAS?!TL&Xmn~_4tWT z_)BK0Yj%JPnhi`Z9b6UxN@mGxp37xDHIldfib@*ylRQ_DLD@5oou_#==yYo55DeV% z7YrP*5ccA4`qwgHz2~}(f2v86p;WA^dnipBC}VGyE5icuYj~F#VlwC z!m`ux!z-{vwo#kx1~3gX_V@ihtQ9_aG|yT5xrvAYJy1N|t?Ly&E(TjZydM@;8{8Ck zkR_LW>(yS~yjsK5JidE7q03!c=2kQ973X_-i=PmVD8+xSS$i`iZ#$LM%^s~OM}RKs zL7wUm9d{p?e*ZADYY6F;X>;q3`;`kQ$fQ4nuj+OAKkbmlcerPC*xbio) zMNua47yOg1vo=IwsYOvmbH_MVBm|>LuC(kste4AK=}N>ZF~-K1P>k0AF}}IRbEr6> zRgtGXo%>Vue*3_AZU|+(z%n3JbrK8MR`l;wN4$C-#2r9a<0t%6 z&vXxJrmG3624Xv+u4v=|@p$~?gHV|Sz05$l5cL6jbua-*+6OWeLW&?+`|wmR*$=}H zJ}DjOtq7eir!ZRewjuVex~Y_U?gpyawx2#^36$QM^0Eq_!LV;Lu@y2#xtPY9%`6OU z1(Hj%<&Mg>??xCpR__9zIBeIB4m~sScSoxPZhslN0ZFi&ERAyatojl8e$kaS@eu+; zToG1#`aq(J)#%X#x!J4TT<)BmM0M=3`xQn$3^N)`;?8uJ->8~A8=|>(hO;9XyP$Qx za}(Z)wYx}n$CxSC3X11IK)#Ruy%#JZr|epy`j7^nANR47`&>5|`j#~#Zge#-Xl4~I zMVuGZFr9N7lWZ86KRp#h<@2F zFzU+$whpn*a7}zv{TJ?UP?MUx3NeWQM*Gbm6VbdPD*D~*1}tRr9%}~6sP&2yPnIwG zbjE@`&mDv|M!rXbBX?J+$>-?A&yq<9l>mVZY{wSxhVqtIXvi>X?UQ39nFs4--#lI)5@z7Jj`Mp90U#n>&X#Kbd z35OlKCp6;=JTH&B%?W#tek;fB%kVtFlMJf&li3Eewoy(ztph!rTW-Μ!({Q3Hae zv$^jyezL80bDNV^^>w4@-=N+X8_`y|aBLml0r5iHr?YsxNn#VxJPsQL&)XnhGnH;( z!n$&kN%{FcYkkf6iMEo#*+h%KFP~Gp@xj&3dmw>#w)*4JyMZL?SHT zrH>;~xFCmQz_qG`Cj=|&oWfoNNjs>6sb&0izIbH+uCKUJCbYO|4R79i#eqn-&8i^O zS}{t#Vqv2Wn4D*>qsi|~)pVG4+M>{`QeusZd;u%`*)cf7C<%_KTuePr$Kyf`7}zs8 zeyR?ZMRe_Ox5`6Dm}yAzEVXlkEFHe5p5v*ph6KVqxC>9WU#@OjhGoHnufsJjUU98q z2-HFGTjJi9?7L&jS|cV`pXN7JCurPskNjWRd0zzKFy*JfMSUHRef40ug|@+xHe8WQAH9xM%&*9V1P+OXcEDZ1A~ntfT01pP zJQ+__3*1+%%aOa0PISu?u0o?Wk*>3)bl7tKJz;-%0h|pPAnMSxRYx_Sym*AslTx)Q zUzKOXz#%AH`{0LVAiZaw2v;i;2e;5-Jl$}i$bjGBL5TM^lL5L_DYZCGVRV73 z;}84J`wM7yH#FqWSG{;WXPxA39w^u8Qc2^Lzv)>jur+9BUTR9*_};donC!V@&Ee4I zJ4luFqk7ZwXr+DXCtIA*j5SC0H(R{Mz7Vj*2mT9Nd=0S06Mgd7<1p31hFfNgDUG&Nh9_;fMkM+0Ka<*u_uV>FQ?6d5thr{zs-G1InE3%ep)D_cr%`&W*FMv+7 z5siVDskPw^Rm+5||KM)YF)+}jk>nnFc7d}IX+8)lxrO^KAO}5nFj%`5S+vFmCIZ%t zt%BT_1@J^YS~}N|LuS{OBnoL~tqRCtZ$*a;w27!~2?9GwtLfgXMn4z$BGe}LoBWIG z>ll-Q`Jhh|%H9S>stQ5=CSZPtGUr3wP(v`@j`k!Kh1_vQ_IJdyqY;h2U5|u#5cnazsmHF6 zn#*P?10G`{6=L@wliS!G{X*wv?Ei(vmxniG2%DZ`3-zdiMMJvUCyk{FvZfb zlDk2ED~&<)L<;%8z{Pp3DATE1Ef6g~wXrW3e46|~rWf}Fy9#3^v;>1?rwsun-A5GP z0bDv8{o_~dTucwJOHdvRKGw%JDO!q?3DLj7p-+fyWgrFmgs6si#rp z*6$zsH@LXH*aWb;DlGU5F244ouwnt~STL>5mnf3)}Z8&e=gb=pDW zPDNC9!&q^!=wr#m64m^1|Ik6l1ks7W#4T(%%{s@pcV;#T#ZIIqL0FqWIX6b6E2)A0 zr9dqw$f1uL>!!c33$H5Ug0Pudm{DP?$i|gfoSD8-o!P}x)HQ~^92P=GQ~Z1{)jIn? zh`Y@Clikxg?7ljq9}%yn4L<>w9fy=7*Vq!eG86vg+z zbDmy4$=eASoj!6akciujAp|TqJhRnNuuPH-IEAeeZ+eQqZI_JHI9T%GN7zvA#FioUs8h+wX$Ir{uU3iHLM=QbST(-Ztw1CFRHB98H41_Osp3+b7W1s5US z(&fUwIy`kV_j7?|Ultgr-3leUOC@pm6F6@28#oS(xEirG_1i+8#JV!jU8aDpX@UwK z$=G@_;MU#Zu}m`6EW{lOK)p+uaeA=oqt%5r2^Ld_fh&3zQ(&W@1HRkb%{z?y!knR^w>_;dGdERt|;IC zjVv{9F0+5G`mGM-Jfm=_2+Oi(2E)ul$fNw7N7KowHY{`+{^dQ)XOLXo?am9jM|bV| zs|!l9Uq>DC=51g2kQZC7;rg9zfi|oc$*vyvhhK%f&UTUwtUw_~NXOWrE8tRLFc84}Kf znkL*8qFcYijoJBJiD}iRC8U(+@^BE&$db6zF;GYZ5{~_JB}tRz&^SBlwqi4tZ!zW? zxU*(ztEpL=#f)mRMH~^9Gzr>-OOJf&%BSE}bn6^w^|89XK6zx}me!e@O!zy1dlZB) z%dvPID^o!im}*_A79}!d)8PtSG-7;)3Ws*yXjzK-!&C<{$freyj+ltYy(`yRIQmMy zbq!d>%HLm1i7n-p7k11{S*4Ir%aX8Q!h7*zZX<=cQ<)wm&VIpnqhc}eK)XfaK3D{J zS{htE;FY5OSfOdigu_O(R{J$$*ayU0cjl~A-edlSp3@G$*2bhXEVkUHJr+48F3HLCdI65~7TLxYM(h$<(o_`BU0h~*19W^C!av<`NYhbGV z_eIgBs6X*U*oZ*(_k+4Nk!ZjPv}T6EGB)i;>wY%F3B@ex+X8=rBQy2@dPz0A_4R{m z*taRaR#?Ezj$!2I`(2D^>Ag$Fs8Wn&OGR#^HnHNwm1{S%9UoJHO)v*t)ON=U`_j-|_p_ z`e-%ajh?$YY6H4;5${KW=uXyQnj-NL@)42_vPk55!fDbSC$l&9Z{Sb&cHhKG(B%(Kmj>2(^RW8X(qKuMdRW zzpfXANbwiV+T9qU6LB0qrFs1R3#bItpQUETB}p-cCwFNIXG}i$XdG9)mI{U=Ss?86 z-ZTKXEh_@C&mXQG$+RTNxG?mYq_SvL{z)1tl6(t~+S<&h5^d)$llL^Jxl3X{=e~jE zcH*gAr0uJR&I`PuO94u77&IjzRB0v{(zbOugKZTa7l++C&A|Uut<)N9$3WBu>I;Dxz{Y`9f)ARR9`D!*gRTeNMp;2~ zYOV5M!sWn#uIcY5L&_BafJS@nEPy?i4zAU|vwWYf1Ik{-VRtmyA0Wr4*AW0Phrv8N zvh&qjM;bhbm4Cr=EmH-r@H~_c-I=Z~KgOe@k&moji81nM;Kd_OX&>F9ZmXJIAd&Nau{gJlD3%2ViB=YHQ7h9a9~ipQwFb@v>o zKAqiYc(s*pb#{9qHll_djAKQY{df}uLek#3;Mt`IyQ{{(pv%zkd<_@-wj2{^0#3JViRf>p#Fx{QL;z%WeDV z57ek=&;GgyfBy*o%dc?+0PPGXO$zrv0cHKn0%71-4%=n^c>o`9+s1cS#*vR#Y%v(l z3ZHo6M_*F`5*xXbWGkuyu)vxPAdudaY{p|u>_A=h)d>C1Tl{CF|KESnP9;T#;SPX_ z`lUdKV$UYvkDmx>Pn=oMg~jGTuU{U3E-`A&z)NfhhGdDO`2PvqUa+L*^u+`3;J3u? zV4^TS-Cq6YJM<5Jv5zv;PV9a_&Ghu$mxn$?A)&pYlKhz*;7pHWivLgC;ARMbzG(4= z4h;cN*UBsW%KsBT1tQuiVf};G>923~z!T9>M=Gtz7tFS(N})M5aD|X`0sFuk;B=KB z?}FsTWxy#=E?t872nZjuLEn1N>Wk4rd zM<`V`aN-ze&kmW^FioSNrDpx>6#o}q;=lQryI*s+iQzCg6MaCp^RsXo3!xC*&y#C= z3nUAQ+aP_4Un3Lnmum9Hcnw_j>i|k(l!3sz7-}Sg*_>Fzn;EMG-OQ_AxqqFE5TDnqxQD~n3Z38{mBfQq3?*HH7tR6?|EYWS*Y{yY zs8pHzK%wG--6&CI4$wI=`E_Smz-6Y8d+zNGSuo12F~{$T2N~Bbo(ZIBpn6!nk48pR zy#(afvb8{(af@gF`^K;+U>^3dHbeV&!{FLy1O85lCU$0AK3EppXud0XIB*5F2!}ya zCb59k0{oa7ODLlYcc#GZdHmY9h#BLbXLJfZ|J+K5aAO2W?=r3~R$=E;nqQrOwN5tV z@t_5YfnHWb{+*hGd+5&d5Iql=af$UsjiD(Xm@Tz`Gz3G{8J96(JFs7;0I_Nycza;T z#vO-1626Ja?I%(Fz=S(PK35qBo#EVJBszll_RW9u75eLT{NGn0LmF`;S2`7ghR)v} z3{HucK|8ekd)C>}=DF+kI1uobDnPK~HWWpTFAO!{mkH#T1GM0R9mz@0PXWM!I_ax1 zbl3nd3LMAWICmvIWeJY%*nc_&`Mh!`V~+=cQL*5G>?Xw4ZsHu%yfKR<3AUeyK!18% ziczgf)__cYt2vwa0(Nzh%r6HK8ZHf-NSw9`ONwuc*K;%B&@XG_Lf1I?%9b|-pSMsGAHWn$k$M!J>l#0YrX-ckX z;{SXu^$bC7asnxTDEOeo508q$05}z6&%W*?gn|}M>7WJ8vQUV^NHir4+TuTtetnDR zPEb!)fYA(g@y^TX!7cd&)MZx=5Bq?q;FcP0b(!U|NMVUcxD@q8@90=!ce z6u8v8QOxiQ*%1{pzF7@5K1gr>%IxcBckltg@Q+mze%fOV%%e4S<3-@g1qC(#fs~9H zB)(6OQZ&OVtyZ(bX%)^IAd$yTeqcP%9-O{`2sy{G@j%NEonCk`mog0&;__+}+eF|5 z%0fv0{PXb?0n~yL*Sh@AKo{dY9hAFrkjUDN+M+T2))#YkbQ;|C7Es{E1BeJTFY?!KWgKD`+WVE|49B& zidI;=HTRJ@P_blzW|7Kpu8Kk~aH-h<%9o#1cYrmO1xPAsdgT%+Vs2|Gu$}(NaH^uv z4i1FRS=jBtW`}G2hT}y#P;qOD5!T+kMN?T=Qq4w7G$VE+t5869!7c zh~r~$nq>gX#jI4(NJn9M)e5O;=Yt;CqVVP+#(RAK%QEY~`R|&-;EjoxGoJ)P)+_*2 zpzOoPUmZKea~tjlzH36nmhBJY*O;cZXY1W0nCk$SESorh)M<;^X1{~#d_ATbqv>P} ztb(P8yotFHO!eRVfd3`cJ2?31zKQx>-QborkbNJwC<8OF9m$RRoThQyYo9%b0D>|Z z1h>fcNieT+I@-w2&jPF!!Pbv81wc^N+ySlXZh*_KG2=o#3fx6fdx0xSjgbXHyyFIq z4fv1Qpmfdz@5ag$Hl?0?^a@Jv-T(WP{5MaAza2Hy*MBCl1SSn<+1CKF=fGJsf{w;r zXqeLvobV7nH=9yC#$F&FG!8)n27)B&*mQU z;#yfe;B|AI=?eeV4EmRb%wOfi|L0$2p8^DcvuPn(ChqjloX? z9zA_AN04fY8}UzPdk}}c3Tgq{^xs?l$B$=lUqRLjZff#SPvbv-#({*D}Q2Wj>8gLpKM2FOYaCXbh94wR4Je~xuwz&ZH zfKOlsg!6{qrYaLhLy*3K^&jXo`pK09m58vJ-o-maE#ir ziXKg+0fszBf_ds1N4<79X`?HHLR)xqa!6-LHbuM~_VtlLkpbQ1h*yx4fOO?MB^K=Be8=!yhmx~E*CwUMr`xo7^m{_S_as499QVbr_> zzGXO@=U5IjQEzZjc57KQ(8BrCM7djgsFp}VQaPy6ctfyrQ&u@>t&D|jr0y;#II2X+ z5$_*&KJM89DC8_)PT=|lxG-#=qdA0>0f4;MZ-Bf~y`PKi2>Z*^r*DtKjvk;P8iRpQ za4iwbZe@UEt-yVRAGXzMpp?kTmj6+tTzlTJI~K-mI`XVkf1=S3X7k;e-K2M@#)*(! zKc&iayag-ayhoMYbpr7RZ+Ed#5WiM~;rIs~!;zYC!`7PniKBN=qBn*!S2Ys2onn+v zE}#G4T{9R=3NReW$OKB@d0uv_D>_)Gz!8VcG>`2;pP$2u8;^zyyG|UQxJ+PybNTj= zn#s7MXz8oXp4u*}y6E(@-sr3uf>T??LqohW(BsPh{fn_sr<2`zLqKJ8y$^DyC#9fV zc3Nc$gY?RmMoPQDGmN-y3qoi(0^10*4>pi{bd}AfcdJsRWh&s3YOa-%yXUHu%Y!!m zC%djb*pD1g`9&_-!b~65o_t)}Lm>i|2)AnHe)kh^^(73ud0EFoPllN2-c*vR*H3;t zN5Y#->)3>!{P-g)24JDG$Xjmj3sv)Sz|mh0GQjwNLpv15Wi^x{96AJTZG;x_x6bzi zUGp%2l7h5~)9m_P=XMVZWZVZ0k7z*|tZ{LZ> zDS3v^gGIvo1V4AKa{J&7<>QAw(edwQ%K$TeGA$lykS0Qa;E0U+#gvtAnbf0z3bByG zaD!4(i&iF!Q&#n(M^agK4@L@&hx}3wBJyPPbX@%pNb_QrF2e=hnpoxufZ3W)kJ7+Z zs_Y_GY*C7ZWFmJNXe^!ip&=h!0f#MUVo=M~G{=50<-B7LnV^YsT>&w{DcV>d0eh#Y zilBafl2;>ghQ;*Z`k>rcTMOv+<(&1Hxh_(?7K+Gl?k;+O={iUR6y#^1E1YCXqg1h7 z9kr=i&|Gam5Nz!5G=f2`D&z9|q@-4SBDiQXk4BUhitmD zu4kWQ6X1ZjxEsW9e7Jd*-`rxGi44J(32anGg9>O zWV2{mtVCd*StlaD7L3EA1sKTXbAToe%<=sDwj5ZG!@iIj(G01ov2E(4_7e>km>Htu?lu&H@oedEbm_MwLg0LRLHz5j{WT?U}I+qiWF ziyfzN^k!rt-}l8)Hjtspx*-^cS^;!?B`7{El+X+EkU!D!`SHtL zkxt7$z}6T6ci(M)MjO*}21;f;x;@j!Ezi>7T`y*XDnEl=E}4Wg!JqJWuvgpg6CQtb zm+qs_qPD|VCEX9-qXI!D^x>&E!C=e%Mfs1yZIM5Zz=6a#*DR%Ps{@QKIxAA46OB3g zQVX1YIbkgVnD}4gocB9EmdDIiz7)8n`hGC4I1l+VYFtR>wU?C75ZL3cwMDSkAjlRk zq%(VG>Z0&koKB_Xml6QWcJ~_BXC4o~9aav)@0d!JyOT0*#G4XVomtFfR%@x1S}X<( z*O;v?zoX(am?+5P-WjtRK2L^8{cv0^Y@bvynG(Ty9NOb2sjYjHL8#qgZ--GlR2^si1Ce_h^T z5xG#AsvffWY9UZ&P5!w=+DCDOmiS2s@@4%>qL@uliR9=u51%R!ldn)P!)$HoSC|A^ zO$!1*AXNICI_5Hb^opE&`1L8 zcxa-Jh32RlkC#G0At=S*YZd$b#iLo7^gHq}Rh?jcG>QRpdY`)bd)tDA%>EG+qHUlL zm|;>j-g+06)PL~ym^x3YJ#to{O?SM$&P<119?Mau%&-{rtR6{#XH~>T{==SNW~U4t zsV}$pX_V=76%GDKJRrYjjUiaIXlLb(GW&c@6DK?ZPWu^P5~GyLN40zgJ!+~3J86ot zw-090RKQtZKl!+Eb2vLaukOt7$Om@uER|VLbA^6>^@)0aWtD0#c*DH<)Xa%-kw%IZ>^f+hrIy`u>EviLtK`DG zXLZz3(eJAG)oN+RCtHQ2njT;E@WKxjF8c{%W2O0AE#bz+fn?p8Y>%>3Y1aPM=_&d} zyAf}h<%0lGi3*`ov*{U0)3dmB!!<#(jKa{iOqCwb~yIFo2 zyuo%#_liDx-1+9ZLO3PUm+yqu$EHpHg~}wA4=O26c|0 z1*!72TNg}p+vCOQ+~3FGa?@2tZC|Kg17CY6!NHC`0xP8%kZ7rWlU29-eNBWH+L*xt zkR08?ONF-u#$$$(JA)OZ75wWzz)7$H1|+XZT~89BDGM}^9s$UPfLB7Jf6>ki(2{1DLS5DizEq9} z178_8&M-Kq=00t1^8PAdv=g4Df-Ts#it$lJ7Ss;1`;4u5m57gX>2oS$x=lNd%(m<` zc!AP3_oj`>sM2U|zu=5e+DCnR_n)QnX9N_$jemUYre83NJBY+J=KarSZ&x@ht`zof zsJ*jjiZfeTnnos5+jdpl_cXgVm3&}Zh~chrK4-Y0J{!fT32nliesEgB%>b2E{OfM~ z^Jq3Z#mCD_=lxM1Z@KZ6ZzKlp*g5x>Zdh9a2Fw`%$Ai&^A*dFIg`Fiwp7Y4dRX1Kd zHm6uittygKG2P%WX|!E`&1gGikB1r-`ZR9U7Kl*epMmwonP{pFV3Ickn(=v8r+sc` z@I;74c8FZ(EZDpR_d2=FVgTpaUTNEr!^e;pU1Sa=1~Br2a&gfl*Rd6o z87e40(dyKmRES8re9!95-1QuWN>1^GJ0eW6YR@Ji)|5f)6Qa)Pz721&517rz=u3f!B>s+$`b(c{TP#FzvrP+c&!&kEq@nTY3(OAF zmL#obxQe{!XhZJTiFylzN5I4*l!An;46Ld&Ll3Zlf0B>D$GJjat9xSbKhoo+BoK%e zR|cpcJsUI|bGN)b2ExUqaba+cAH4e8^PuBDdnDu!A8>gKhcGUVh#|Dp59B>yD8}oS zGa20~K^v`+t|671?%F9%Rgu$_}XRsz8 zIHqI)XQnJ5g)sy)lUv-FlR#07d0annHnQ&ES{w+Yio@fk@qhbveEy&2%Xkg}PiGO5@5icxW%FYg?vC*a#s)IDr@ z&Rz?ZYpGII7WvZU7Q!8EO?gNYicAu)5df}|d=Gw_!!|tZC7pubgTNQ* zV+st$6qUo`vm25rermdnQ=lTt>*e00+mXpvuWd|P@*3Z`iCXDTT=D?h-~oN4<72tD zl+L8_ijqxk440SZBy9V`qlb4|7bhB?u$+)Bg3)}~YpkB{aHIVy%gR}@E$F>g* z@&&_@Y&yk9ZwXP-#UU)>QQoQ&QeEz}dMOqCR@x=t4<~iD!k+oPN$mA`j~-nIub52j znuSpa^EV*Hz`^w$lt_2C+CoVqK7+vVL7{jHlz)QbqhM}zc9~$P1;Fto27>~?*P&ab zeG#YvIsOKY=b)DS0~~)w9czd6nktykjfu_yoSn|tisZ-#EQ;;Oe#v2t!1dE~#_1kl zHP3&g3~MwXX&2p({%^qXNB|sP0>JSQHoC#Vn;HpdPi13-8#_vv=wms?Z6rEU|^7$B1$TEfWmlJT4X`W*vmw)N9pT4-uxJd0556f@lr-OUMt- z_5}&AeZfFAvZ`eV#VzjvFQV4fw5A<@i%(tEiUd{-T9#BUob-5r91l{2CppwJe<#ON zL*#g2Yr=5dIP>X<|Arh-Ve*?Cuk;r={@bxy>$5!Wew`x7(tqeuc!sw0B26M`;FbNr ziPyj_bu`gx>{hS5KGopYAqPxpO3^=rWCGb1s_GO(y26$!F;=$s`GK=*D`uM5at<5- zlZxreTranDGR+F;{puLk6-8#LY^?ipM|{Rd0o<9*HD9c=!%J|Wrg6b2twPte+Hv!@kP%}&ZZK+XeARsG|61ni7KURRyOkli>m0eUZJoA3nj}~ zZ_11|#b3&7%6DBO)-y3)-=EsB3^x)>Kj56S0Yvf<=GRCUWp81=W;m*c*v6tEahv;d zB)-i4Mm%ZDG=ju~4xXaHuB6a7BRDIKmx~g z_2DFg@P^&;S;oUgj~^TcRlcNb3w}Yev&19Lh~>hBjK+P$-=)l)57XTEGWDj0Eb1OI zxt>f_?6n%slpk1zoLW!mmzt!1Qy&}IE|-VUqF^c4L?TWmuA;p^M~l_#)4Niq)kV8s z;CPo-IWEZ0D!S@NrQ6cG@UtaJx3f^QivsPAkTImdQB|ve(QyL@P()|calHa7w4Q#+1@|1nm5QZq87dP z7nv4Fq8axBjb61<0VU!=xO}HIr+Lm-iQ^KcDddPs<(ERm>mb5#FeoXc> zJ5#Cj&F}DS(IFX;)c}M;sNuNpLc_05yOeTP$rkU@v1&V#qg3~B7m3jLw(rXig0e{Z zFG^{3zho_rlcaXO$yV9YXVK}rmk%qY_jDjtAAwAa7*Vnd_<=Wm{KJC#RNc@z+*yPD z)u5%9wI3?owx%;X@Re|hv3ln`aU1`rtUw9T=M(3Hsoa)3; zDb3OkkgT zLFASB&x4nY(Rx5f(7sOx5@Y)CG@ z0TMhw||7MYW@c|UQd42?-lQE1GlY9lMl^GBSFO~q$kDSe35S6;6QVj z%VC8SViHUhwF`^oM!KVVMm=eVh2Pj@PiWfefBz~-n(5-z`3En8-77Dz@i`{R_iCFx z{2kQ~P8f64fKX=LrvABoxpMflim0RHNo|TrQFB~~C?7_I zP*otsa^kYZ$K)xOu%%+N$$I_3kT%P}^;_XhWr43!eS=I$)cC3c$})1adb!gRQWpj@Q64oL zE?9WDsLC0QvGC{|TBv@ew_kwRtGDTR>*0w(5LSOX^kv)$7FZI9De zeRvy=70%5AMR71_9jv?w#qaaqHX}8lJDeb5NaZ1eOg0td1xI z*Eee(+@Rb#65QgR;uSfxGT=WC>7zeG-v(Y-Jlj27BD?LvOiS8r#CC@->MzSqo^#`y zX&o`u*i%^mZ`iN&{8ho0)S)D#l=nTsOlA~sKGBC{|MKMXoxa2{+7uP5qf*e>6x22N z*85&)#pR4r;rFhc1Mna>g4TOG7bo(_0;rK|0bszfk*KwP0?1NTCN_!pUWkl6At61A zkyvo}0}Frt7Z%>*>IsB}FC%SmZt6uV_0rmFY79x!npCJNBh@O}EFg#DQVObvCFEe4&zJ}wk<1`I<77ZPl%u*I6R#j;dBc^g4He*>06q$Upc zLdbfKJAn$iwa*c9!oJiZaqdcLQ;8xQMCDa@*{pdTBqGQ0L5f$V`{LRh>I*XEBL4|8|qaU zR${8QVK7mzVED}|aDeyLGKEXe1;&)vB=AfdEILY88|~VYQ2bUHM*I4=vr0>uy7x5I z5ePZBzhF_n%vCfxb5-bln)_4f4EV|o{MQ$Xik2TL0gkbpkSL?Y{fSmI!X}{-xYmAH zaiCX6C|h?~{G)^oWmpJPRyet(O%TugsG6&EV3p0rY0G+zL!OqTL z;PVCO=X)nFad|8cztxW1CWZj4$)-tV_j0c{Zr`S>!99REK6!pVLBIbkyPDIIAFJh9{J^}hb-N}#pBV8VO$x@wS*?X7bkl&oil6icHsphZi)ma?)Wh9 zdFQ}Ntv%0mE%PBT`OeN?172nuQB_&2XHBQgi#V%38I^j2g_us(JCJ4rTSOlJ(RTUKCP5PKxcksQ2T($COvo( zEL-i%6SU-MujOkF;Vq|hhD4YqFEQK;j zxm{Oh&_rH&c#BZL(nY`!^gO zG#i|(QbG564;09HYn6|PsW$X^%xF%#{~I{`#4k8JM3?;qhZlH-AJi~MyyL6YdsK-b z$|?+8Q#3N!}v!oX1rW*_urtnH(07oq_e^Ghuz~1t>oa8H zC7<-#YwwLNcW=^%3hqaT5-f`Jx{;fBk`K>yk_8-#MDCCCmUF`*0jKngtAjhOE9#J% z&s#XgP4U9=7(7DK7w4jSQB!<@Bl7G)6|oA z;*1BmDsGBi-Kl5y;u^K(qw7i0Qp(yC)(QHc0mAA%K(qpeRifb(A_~A)X4M1O?wCCM zW_RCh?Sf(;gKfHM#HOcAwW?=gj3r>TYzoeeH=X1vG{ih=hBNThFYnwUNCuAYYfDFM zmAR=XZg1-8-{qp73;^*?EuA=qwd~c6rUkCU-*{EZOcRoQypIUaR(l9I_AXghdUr1; ziXF1EoV2c?bN-k--ALDgWn&nb&E4NUTC4eVc9Jc5NM9JllQS-k?=}(eiA~<=AaE?e ze&Nv9(2qmK-r@V~<%6TK&s6&hsl=MJf>wjKPgWBKaEp!CNgdY`U1zjf#jaXzWAWzz z$~o&LEfYQ;SZ3#2e1r%_HgfDH6GN;SyJV=2!K7CulVFv>rAd-FVr35+_$FKcxqfZX zJ)3L(lA2GE;QEBCNqDgr=2-q^M?nVox90`5tUV@NfI2k(BR-M}e$Jey#^CxU;LfMt z-#V36fc!XZKsx9sFo5!|t`Xf`Z5c&3kTeHO8DZxQOl#2Mic7LKem-)5BN(0VCfxKV zlIrW}i1|n+c-H##q!0xb2geaD=0CfS#LG}s>adb>h;XBk+6RQmCB6;JLn3Pf7K{}g zt8dW9@;H_%fA(mZs|{;!dorI`kl3R6PNMghsEd(S_lzAN1~QH>09xJMCJDYH*;37C z!$~v~?bq)7?2M~_U7WyG2hF1^WTlfQo1k>-HE7!vYm!1IEp7M&M#T=^U$8G#WBTfr zto-(kYCU{TAKvSoC%4ZLH`x9GA=xH}kuFjEEj?NjfHFWr0%km;(jH`~X@QF$tKqnw z3dGJ94*dYAoo0G~7p7o~ z6e5eF>|Hzz*E$yVqPX8Aw0?7^S#b>kvo&;Wkcp)EoNxat<|0;2bu4DJU_-DXkAI~2 z3(bR=z`M3#k3|(H@FfFC__(d9;P~b_%B7FDI2gM@N?C;Q;a>Or^AK)tV^zrK4@*sT z>+Kn2D(R;9RXoU#NzeD@>aNdCOeVL~^T#gv&HcuqT8PF)FJ}^*_kEvh+;1E2RT1H{ zdUoGr!;uLC%#Kg7e4Qz52*cV^F&f*n(~L7Xf4Xof;_WkI4E8vyC8)5{tJKq!ZysQW zC5A-BYzxKxq{DjvI((RcvJD*#1Y@2M9Onmgc#|Ia+>N`{MEetb?rE6i!!whX@ojiPUEW#AfN#$$m zX)yNvJa6&yXQGf*243=|0*8De4&$iuVA#IT9m%MNOe>8&b=&>G=Hhm_CPCRzvSt!R z74>PiaG*u%3JmnYL&hNA7xi@+f!NiNBNv8TSBWf8&_}P}Q)bd>?R8CazUz>s>$ahj zqr0pa9sHUr&c{A!v%aIbSoE}p&7QnNqpjr_elm!O_EP`F9EkJ}SM6BAQMERaCzwje z$xCa)mscaa5N`Av4F4SfGK7lP074^ z#I9-F+rhAmK`cITwTpAK;oQ~P6bY^qZP?jBLPXYeM%YS%k3+n}B^S(o)l{yU=ER+1 zf2_T~MmoIV=vdShCA>tbN%!%ILcMADp5&VN{lB>I&*1HElDxOsj)9869&q8=Mq1D* zJ}iG+hPd!!SU2-)zsH<`To4%2k4v*{j7#%-0-X~-_sQ%feBen0q{2peuA2Ex z9)b#x#SAb{jChr>2)}-CBN}QFPCirC7;P(w+Bj4T%yYEpP?;5-HpE`$TY%$lYwi-R z1oG|+!R!~BeF16Oqx!*TMt@7l>}`m`4dMPBhDWE+7jh2Ph&>w#9EAGhPOsh^VTC`u}W`o_XC@a;SA|ypcMi0O8)ddHefM{uQ#_$ z?1F8(;b~E2yQcR8fRon;NcN*g7e6&r=dN2H2v#)plQ1%w5Zg~4+N+Z=(u zKY67+!`fTN zMY*qS-*zFQNJuM6cT1}XNT+o7kiyU~AfljB(hW*?*N_SV5<_xwzuI&N$BF`)o@G+n6C;UW`ZKJL{iZa#WIW6eZLsrymc z?z}EGlUKgTYw2;U^fek4QQvC9Gj{9x3Y$AH4 z0i0S)uJd=voDYlID5uGqR1GwDl+Pv`8{&dFe0jJu*?svEUTfj?QJ<3?>87}Em)B14 z$o9V{3@}e!NJVm^%Jwt07A1YhhFLEIpI1f0DpA8GRT8PLr0TMyfH~vE2 zR6*VNGTvXtx>rVzmCpQ!%DZ^*0qBa%MngX1J~wAzfN;-Hc%cM6a1eayc0;&}Sn&1t70S&MZf_%qIUV zhkvJRR_E z=T0=~wliu(A=!CA#)t7{x`Ko(?14g-5J7Bukb&Or@PTS|!twV<3)xwfo?Ll?QsX^_#3D1*s z*>hRn|4>Cj0}?Iz3%{_VP0V&yz=B8AA+Q?w=_A6JRbqHuPuJyMk&}G2?6qV%1zhqLk?}x9i7%ZuRHpOI3Ec!H$H|D4V#DZbkp9Q!B)Cq_ z*~(p)EFiTua9&?YC+&MmHFE39?u3j82ceUd$D8&HPe(g(&_R4o{`A(8#}qbP>ezUa zBw=?l>*s`K0{4sK$YA3P%r3~>C2%`Ym3EUOUdyM;;=fkI{5XsK-kl$C8Zf`!c{FDF zj+FUk+vqZwNnmGYxgZoo^@eLApzD`H2-<*CRV&)Z(kurX?EFSSAw#wda^8R`Om)HJ!Uz$-V z!>Rr4lPCIfaC`*s)BEvl{!o}7LwsCb5b%F3%r_Gzo*JJ&BW>fygz%@oLtM*4Spoog+}C|q zfgya^Q_)N}QOY>psokDtCQE3qro>X{Lp1kt{-&QLBDD~}-50nZ{T1(k9dcu@<#$q= z+?i>wTp@}f6{<;RW&a_g$}>-t*J$in#rLpm(Mj9V=>0quL)iN9PqL#$Mi=W}YW18M z{f#fZ_#jIeNsk>BV~WQ!-KQ#c9Me1|--~C6oQ`wX6m51r%t<Oz07 zpUx%1>Hb!Zr}ZY$y_0?~RAF_`9pR$$sgR*hkzb1$ifTic@gl;|-S8E<0+DMidDaQQ z!K0kkElf5D5~T;a0howK#W^)Yc0}>JZ+*cVQkLSF+I7rW@c%I4omcvlAMA+O;`(oV z-ZjEzKW^i!KrTNNUzfV_u;p1#CENFfxYh2kI>f8Po!vZqKg4DHM_70TZkDfU@vC0EdTVd~8xLe4L;0bR zUd!|QVxA{pG>M{kzX{YBoxGP~80B~wN4@0H_BN^mXi`r(7gH4>?*!zYBR^8}`!fVr1~v2DOIQJvpq07DHQ0cf*t z`~Yo6Zno%YuS>FknkXWTplU0aFph0zv>YKG;&?nHxFIlk9r}!bWe4(?qNQJwqiEwd z>#$|v&R%;V&A`Uhg%UeF1ozmVAqyKBYCO=_1x&y4wjVqsK@IeZcfN1LG20_r5i%?x zWpQLg*1x*lpZX5fX=&*a*OM-@+bL^#78%Q+?(IT1(jU!;b~`2F6%}fgHaESMoTzB2 zi*t<&`hYE!Z2#c(J=AJ~H~|%;b58}C*qUymAIq#3MfpO!XDX(U5`r43!oLw(*u9I0 z=V=$X1b~uokB%caLZ*B7t$dJwIV3VX50#`EWhMirHptub{`mhW9F6tlsA7h>s2+oC zE0Ts}xH-+?X<+nLWq2RZzh|)5%wD)GF_5q>KW~U`$>F32tIOB$*mbq0;Ip4!S8Zi| zbM9<41vRDyZqJ!H_hh+OP3@>dbAFCy*}m#t@hJ+hUb zHRJ$Zb6N~ed(o?}a+|*08Yt*jeC_Ipzbdp-Vyef&fD$~?E z-br20k;j@@UaU~Pivj2`)f1=@;CI3Rhv;T>PmpO*BEywi)1m+Ta5VANfd^X|9 z)fHc5SVn~xS()U*DxZ>J%#W#vSd->5I5HFaM~t7A&&nk;@EYg z{Vl4HD`jKUawAm2B1!cyvU3NK#w;=F*|hl^5ud7XICVU@$Wv@NO)yWmVH6cL^z8+0 zC+tA~rDzMmeDsREDbspA@nV{*%lnU8d9gXpLGMgSUu<-Tow{fxJq&I%^jIW*N1SdK z{5m}FEoD{#zd4sV=b#g&?oY>dt?`|2Z%25$KY)^j0T;xQczwJU8U5n{SLKk}^SM5}8G zqMnw@)1~qvAY(KmMR$GsM#I;i(y$f$010EoH_}?QLbhNtat&9|jLs>?quHi}?wfEO7@$Rpo+A6|dNMvu_&CUwq-VWqy%B4WJbE3~a zi+`{;e(eIb-aG=DgsARW4;LFE1ug`X3UuZr3ywq$;DQYw2sU|SaBBUoHzx|yV-+YB z^RM=eo_;sJAB{Gh5fcydFmiI3tOpP;&z2~+0#(kcA^#*k`YP{-WxBY45X##_z*YIr z(4(pMH8R5|&V~0=@DE5t6(_UA2j1=qJWMnwPkaZsrV%wD;0*A)n6^mFO}DV7=gJMvj!t=iDs{rRU5v@Hs$=O` zj}r!+0T6-wW&T=)bXMToUR0Kms~gLoqpZ&@e&22=N9EQ9kaaQqNm|WPkjg89${I(| z;hOne6gaE)-^idAXWcbUHHHBXhQjP`Cw6OEoFOG>G4#v9C}K(8tqe)pnSBmNox z9E0-tl!}?swconf^{7`~!Ix@4C9Z?B_2osQ1 z;DQKq&|7;2ZQF^`&o}uYzj=v$=6`gV5See*3!TDNZQY;Pcl-_` z37${M9(E<{W`eZy&cbMGbGRFP&P8=cIJj|*e+FT zR81DxS_iCn*FnTd4N&avoNljAxnw7yS(J{UJs#T`x`FI#J5Rs$<)K%h*~bi#mI@lZ z#pB}#Ydl4&iM-R_@x+g2BZuJvqy{)v{K+TMp>gSy#pKOOHA75iiRNBr1a;&OWAcNM zq6XuXBvX1=?)KH{(NNg1u@_YWDMSAG!<`=9{p&uL)|dsztv5cB-CuPd-mvm<)_UOz z4NQKv^NP(5xD+FY)Cl7dyrnm4;a>M{-q<$9sk)(JovmRV#=;X1*scr8$J?G{-8|eL z)LX4n_T;fpuU!1*4nbA*;SAJ`Jc^pmu$1#~oY?Cg-LeRNmLQo{3Q#1=l{(p{+e2SP zEtmm6&l^Cmc31>l7xEmCjg7{aTn~mfL7!!0rvBlCKhT=J_}%ubZaOV&&cj+v-Vh(a z_WGX9llfe^%b7}sZZxXTftJraZ|(nSfn93tFdH7n>bu4_2YO|xu(3ZU^Pea8d0{nTyYUAt-cg_O z4_ds(V)Tu>ED8y{JHKi1V2$?Q)8eaew0NJxpMTQgJ1_qeT6}NNTgp#3GxtBjjs%Lq zU0zkZTZnns@+zRkJ5B&v{2HLee`(}qHjI6h=oVJ7=QJS0ut;?IQ~~G`@%H@$1+b7oN@&0`tzdvYC` ztE+J?%>}W9i;8MM{-ylI@-JF^J)p%a0$O}rgk9oqT72^(Ih}vd;$7*20WDrkPG*y5 z@I6WZePhPdfamm^`=XG53+?I5r;3z>o3^O9c&P`!!1`XM=fUQNb1*Jjj&+HvRw*Yr&{! zV(b1hhnzM)NJB3jq#d{}L#jH4RT>E8(>s%&SAXNZfguLm_b^`h(<{Z7(To^4URZ@W zU%Ml{1dk!>>prjr&2bH#t#$8w5fG}+-1*hrdgtUTk;pq|8*uDQ?~S9)5_*%OpVTu2 zJ|W+V79_it@?5mq!o768+wxHdtaSh}fvITYBwXxvLf(EUR-XFFrwI@#nMLqw70?Hr zIZo2=Ed8XTY=^l3g-kyob^Pq=Ab)ZEnUP2$^#6n<{PtPVEY<-byd`3n6f;WWPOBM9 zZ2E5hPZh`tDmqO!x3&mAMoEV;iELUBT`H#)4af~O6)HhIqmonOh`=x?>OjOehATr` ze`+u)g241_@p~otpXm6BoDWT?t6*AhgZer@=4jN=9gyQ~ z`(7c6S}R{7sq!`C**yU{{?R|k@mdv6loNLUB*#Ca36_>2oBFThc%WvQ2juws`G6e1 zMydT@$nk`KkmDKtBF9Gvt<(e0!!tY19CBW(PXK5QL|Av)U*6)O0W+D4Vpd=AqVs{{ zJizN^l9r!nF?r)eR{j8DoI=@fM0!(+Ts~x>uz}FCv}dX&yq3?%?7Oh_5aX|T_IrCK zfxHDb@LP-?pVS-y8#~hIec&4w*i1utGjty;!gJ^+D>isyh5+0-=gQ4{v#tHVx-HwX z6jB~LZrmeWCANk-!T|fM`5P3vq|V0uu)jBc@rSCHCxUM@r%1nU%_JY}Nj%4=78w&K zK)=|&CMUpp^Gd4w(O_-MM`am&KdydLA+=sG`jDv3s^|B)*F9JK$=}fwHB#8Xh?^_6 ze~tUvH?ImUAeZk-3hwK51B4|P#s z^m*Zg#4U1;2KAGMsRERcLWSQ`OP~AJ0LqgR9{|?papZW~KgjWa#uh-1r~gfkUn^Je zkoS$K>Z|YF1ERy6VqSE_?qt0eFxfAl47U8?ymHY2?CJGgw(fRkKjZD3qYdk77_j>k z#JbeL4{)xDwWX_n)KF1_;x23I;$Gz(dl!8%acIMDHqoy3`#5kst7*hJU z0SC#4IB-1ZjYH?)V%35lv{ODoj9*pRmBr_6Bt^sr6dKlsj_(3B*YDP}L%veSv3zm{ zh$zqPCxu7^!k9qK{v1gE3ZDtzJFz1c#*-2(rzz|azHa*MnW*K5vIMlMiaCc{4MOjg zUOe55!u*ms1xL-~lP~)0D%q9aDg>9!65U9)x;lUJHtx*2AjFbgB(zpV1)gi}=*CZqs$-lSn+Bh4C_1)i(!}XLvcKI2efGOW}IYoC@hh zlY4*h;^8xXzj^VO;x#O%vs6a?z2}m$zr;R1%DU6;t26))vZU= zi=+3%=U}rU*<(3=e0*H=xW|UXnro~5$C=Fm&qFn>mW@kh&41^m>nCji{OpJ3v9TVb5&#Nz$R&5M2*$g>0xaemX#JqZQ}eP zI7#K+{EG;}SHI3qyGY_SL(AT2#;q{xMjyXQZ=MS-ZbUdCj@C#gM}X>ok`lO|^WW2A zEqK2AU0_i8H9UoPw9qT1*vGM}do9~xzQcTD@^E0F)tbFhgW62yrF|fk>oq(kOF{l_ zqMa3K)8m#M(2J*Lo&~;~ED?iI>lLZyiX$f*%-S8y0m4nS#I@q}a2orgn%<+veVAS~ zu%NIVtDbuWtkEu$Xz0^B`p}5Xbt-&>iswW&yX!173!(Jfy0KP4Ta5~nVu^DLN4j9|7)nA_he=3|w?J}fd>`6ymP1Ct}FdgIM@=_SlP8s#cbj0#=fvLRHLWA^? z`~Hi${;{3SFrA4f^c^zivowkZY}qmgDCT3S$sw@* zz{y<8B{zfOXMG%aHLGKLx4T0oGs`18N?j_!J=K(zAgtbr2tyr>nNS)GgzVNrVG>P2 z#EuHFmccJOnIIJ=~;&G3P<0Ahz4Nta-G|$MSNdg%UB16P7 z+zBH!=v|PRC(5AN$vaV{^A5&Y7_i>&^RQQUi6+Y2`(6gY=!Wgwu#n!!^@Wumw%v zV_3nOG3x|U;7Ox&N}I}BKXj&kMk*h3@)d`8VYS61zq4jCT!!l(-qIWSBxqe?aKSyA6 zP+8twblbJ!M2d&oc8Rw9E83RHjw9>ZOJ%wo0-%<*TSrpdMc(X1HMDttX;SUo4j;XG zqpXv|qo8swpoa!M0kvpzLl;C=>SRPi8mv$Oin+3$jS`JI|+#9i6iJ0k% z1&1IX3GUd~#piC8wi`=ybp5P~9P(*(*Cw4b3}G%PJ^)|2dAci~A|iOxh9UH^0BGOV ztmL)B>)a-(!XlYn#NUs)BtAle=6=LS#t#R>9GjFXs!uPThbb@Vz=5OAJo)2v-tm`l zE^eDF2=i{>5^_6)`TBBndPYg``4E2**0f>l+9c~}Qn62|oe=2BNCbVTjrp}3+ccI@ zCXJMz?i|po-t=h1wzBc$r#6N##8x`Y%gK@Ed(DHbyf=}&?OT9_(l$M23<|N;8^H@B zSCvLuPixjp*`3+sfH+C4sx~6sXUtW6#c}kK*e0~G__Tg>1K30mYPnY31{wr0G?)Ul zT8>mL9Zckd;8Z^2(+wS|nn&h%-x*u-3&gM_h~r|YDhz{AWeCtvXs zV3^}tdT>b#rP9RCPt&tkc^oJV7b%u8eX60%_9FKq3;mYEbyC=rI}rB29T5L@ zg8n9T4rfk%k702ISP_ZdWbl|$V65n}rR%ZOWzH>5@bK<_Dzp0`(gnXEw(Q8cTd2*s zD9kIWZl-&8{ej@eS$g@n+l}a$VX@eJ7BFi=^Z#(3&s*&Ukw2pSz-x+iOWeC6GY6I* z0?+tLvOMK>d-I;M0nMnLUNU6PC_%m}S$Oy4EJ9sEVk;`5NAB(xGkLi}l9Zb@IreP9#~26XS6Zu{aHhnSuit4eGOX1%q6?q<7I!0Agen z<_=cJ?fUcp>+DO@L`uQ@Lq&GCnWBYc)fpeAH9pezfEw(jDHpw|>KmBeAEc2O*rzQJ zSiEt8g&z4LM_71^Qe9Iumjj`v6;i35%Nzaf<3RN=wxNvsh70^-bGl-h3HBrB2-wKd zO?Qbph2nSdl2qyxW`Z|Gh~P-q^Z~4*RnwPrk?co1wndsO`jy=c*kqh(!vl-P<4g^k zE?WI+d@hIJy|m!cr4f$C;@Gx(c+o@OTy(EzdINZeupO%j`|}L_X&EG10|MXH=|T+N?F@ufF*i< zUwZ4N_&Hs(pD{~GExjKL`SW+pZH-@s4iQw2=z~0DByrWf`8oq|%>>Ktw+f>=xQD?~ zi*`hNCI1*G6(VRtqE%=FqmS>DWpMVM*Mz`9k0fiVNF{ILWtQDV?Ts_i6k3lxNAIM_)}J;-@GMY^KB)LkC>O=pJsu1+?KX4mcKl(X9t*F!I_7Bv zoy^>8qk^z|t9Jv^skPt0XW!rjv)Z=_ros~U6VT%vs@@gi88+e7U^lRhPk^h3L9IHX zVzf|n)Us)e8%?=7iQOyPw>ym}Ypvmsy9FFT`_`s_!mx{dZ3V^nKhI z@_?I}NCM?sbk935gLt8}DTFF8oh#5-O|eU!SnMJDc;J|d_5g1e`^@$9<1!au*UF9a zkFYCAGc}-|U|a+(Mm~vvM-CU#`KiG){ENs$+#K*oz0rc*Ig5~EXCjj@p5sUnKidgw ztIWcH4DES2QIP}c`q+;Hlm-kRz74(sT^O-sOy$U#`_Nt|}F6jKI7ig+R)W-CCe z!2V2zE!|GzgsQ3){)OQr|1z2Yrdvx)agAV(dg0r-JyP<@XiEK-uI^zPY0R_3FKFDZv3}QIt=W`e1 zBVi3{A7fed3yQg70s|lQut=+Hsc09UIyY!(Z&skf(h661LrVh~aa3%nUab*H#`XYO@Hk`(dtx{#i@OM&Zu4# z;)H~K0Gin))^+^ZTBMh6_*gG|gwwvs0&^VaKewhROsZkZM$DiIuc5^hZXsE^DutN} zUx-AQu|D%wqeKnQY2;U`&m6UkY8^NtdnZX!VY+WE@6(_NXv}$I8!>z%uwWjVQ^M%< zKSGNNeFzo%z&#tqQ`HbuW@)>WD#*KK%uc>nZ>z}mG4H;i}3F|mbcJPCQ6bRd=DvFHuQ?F>@G?iWwK%PKRuK@Yp5PC ze{_oYFpqeDY_F;+S)?kM@#*vstrVwlY)cqb_k5BLA=$2PMc@6hJ7xRZC7$JML5pEx z4Za4ALbam87q7|9BU%}bA8r7v17oxE^kKj#VKF%Bq6<2Lcnlb@^wo&hhLQ1P8SH>v zb!&m6MUIfte3ipQC2P1l2fF-b-5!bg6 z=qWbm^w-(euQy?)0Ciz(U%w-jo(#9_j?YSTh`wD0d zwN&HjzV0C4FTIwIg9o>}HAUs-*+vkxRF->yo{7J=s`n)Dv+f2k#=EcjTHZzJXMW9c zd?XotHu1S*U<$MR1Cehi~wU&`N1-RO>q^Dv>NfZ+m&K;?g-KZ=+=9Mh=eiFDP`SX1m zDbOK+lfa$z>%^6@E4q`^m{^~JK63Tbe7^m>{37xKn`!t9n~2A;)rQ^$RNhfvs*dhu zGc)wwLl2X5gu5ANl8vm!w+iY1@@&f+g189_r(o8z@O}2CvK-f$&!bvLhcylLi^u8# zi;pvmQtY_3GxDEA-!J%gy{A}Od3#Tcj~{K3(>pZ1xW&Z2<}W4)J4b!Gt=n6dKoBL} ziw15vDIavIZYa8*L8R3h?tVIMp*b@GOfB*$iYBm9a9?qB6>KRIA8v@#*p-?O?`k0g z8M}CtXSnENJhoKCQbeuCv+buy6D*8;*vnL&CS2j#fnb2IM$4ER^<+eH`K! z6Xb~4CEpYu)YwNukiIp`OFPGFlOo*Tlk@ReD{_No!g`YgdEEC`#>*|^UM6a_!s|hn z7!R2@(mAl7D(ezvIQGmoTkL@DakcI4eme13WLy(vMpbSdpV78KMrkB<29NHUn%vLE ztb^^Xi%m0`Yi?`}ra?gG2n)<}bJo;zlzf%4`wL+3Zl?4jfxWp=LxF6Fst)eBV%o(K}I7OLlJ*0CcEmH z)mM|7)pg7o1FE_(OEsXd-*rFPY4=A$=pudY_H8XSAo> z`4ol;4C79aLt@EMuE7g}*p*nT(@Gs(lGWM}Zpiwp@HQ>zTCBAmM~EnY#M*qV0_{9Q zqvBw*l7~WCR7WaIopu?u)o4ISO?usT|7G&!pN&AbbaGq!gX$K8p^r%c-)y7JzD(gY z5zJ)nQivOpGvCcn^b>Rtv&_^Pb1nI{`)uyj?tN&qUl-g}u7XF7BmTsA*raeWp>=7M z`ATcIo<&NU1)Mt_68+-~)ZSxT13g@A7_Wb2i<0O;*H@du0iMI4nB1_;RBuOT-dfI| zXQ#)3WqM%a_KSE>J2Ony_!)_5nqtglC9$IgE9cvdAo2!NJ1y>A+zl0uVUCdVtmb52BsTZ%&`;mtj`=A9gdClWX455)Vbqe?T30!%iV5lWc+y z`mL{8ZKSyyWTM0r*_BzP!W~BRbbn;n5l8>1W z7!O25p!9hlOJ>A*VSTrN{mbk;8>}KLtaFYv+1j$8CalkUdf8j=xUpEb?t=vFN!%qv z5%mhz0)e4aY))}fbH3Pj76F>Bgl(LY)*#_s@7ZNjd{D|_OlD5+b2FDzzP6dKb3s`& z7=)D(rG<$UyzvHRn;~auiZso+(=t8M$TfdCZBzNOA30$Ma|P#h<9GM}?5XKPJ=){K zsvcn!B+#!#IXu-93!rQs6E#llU^VCQSa%0=V{u9I4JqHE!4nnxq~jWc-OiuohErA9 znB#ldVx6xRdw9flduTLn(Lle1aqmvC49C=?13R}%13CsdutrnNyf3I>eH@Y}Il^=A zA6^KG)ZzJZr4dQM-ypR^zxBRWu(%{!sl^lq_8r$;X-M z!B8&X;MS>9;iaBpgFHBG4GjjFsa2}k(Z=_YSjwkiQ!+mGVPQvv$aQ9WsU-~tbO7@W zlXV_Ry|V&Gv6R-S+O8cJbn6jJB(W_zk)EA{py8o`O<`rTTM6*=jn$VGFst5O(G7eY z1mkb8YG*|)Sc~;$F3y{>EqW>TH1pck<;Nqhs-^BO!nfo?t$tYcokG_W?4F8@Mr}bQ zby^NYp>KsG8K{hj!oG+miSMEi36=7=V$bkp959?m=- z+#QV!Y#Oo21=oJ7G-bIlwVF)~I~a2(I+LXLiP#8@SZ9fRf+rG7jf#ShIjz*w zl`4+bDKIYEd&<|t^gFYiJNC?#LRvCKqWJMDJA1WDb_);;%Na`avAh;j!o{&~i4U=p z#Vs`*slJrhQEivxzOAL}4^2gi<=y#$^&8QGqhjYwH#j zOW&t!+ICSF73-iF(A&C@{~Cgdk>p01(P_v^OdJWW?WwHx2=}Tbg=R4oBzu9@Rimd2 zvs|4S>f%sWSDW*S*EwN5zT`&{iHGSeD z)gD(|m18?8puOx8eP{ZuOdU_Qi|WEKkM5LKq8QBc^GUV>Z6~~7G)UKiTF`qxh$RwL z?7V)6i(sGDJ=z1Q(zQ3o#g?AYm>6O=aH7qpI2$c-~R5 z&cHfQ6}2bPPoisU?2ieZC|P)Y@z%8^KD&rJuq*POB)x+%p3hDQ?-U9%rG~hrwni*e zctnPR!g@gD;t{#2b@oPL!9k8lFSX3+tbspy`Uo7BgMa8P+<**UYyeI}obFdGx?)wA zfTtn^^lEQW5Zj)+cZD*HrS5L>c;aFLRFICV==taREk}L9vc}20=RLB!hbxm-qLAhL z2i|tuk22*u zS`=HZ%8W5B(6NbotO%L6c64|V!L^}hwN)vW>JVur_wk^=y0I;{7|9Yjp(9gIKpj04 z$)J<~7XqDA?qR0_0xF@3l$?ZOipgP5wrIDrZLSg6^Z~l6)e@Zzbdf%sP zL`y10z^2NR)n^BU2JaV$jvuKLSuO6rX9mNFTPJg*BT<+*O z%`IFNjh|99-2*T@n6GnR4A$1#=SA4_DLvMLQzk)u`1)M|$y%Tj(^?co`SAK=!D!N! z&j)T<3dJs7yCcV={BaIPOlC;B!yqAxtB(y?A#}MX3urQ=I3P0s8UKWgH)z3Q`I&as zr_1AD5`XXXbD;-oNS9M;5R3RmrQr~YpMXFcy8;O1;gX6W_;w>{rCi3%m(akHqSZK` z6ri}o%h$`g$P3f=R8mH0Je7y>-c_(G=}y%S>=%03_n)Y~9>5HMH6bG^wN>f+Vpt7U z=Z25jNm0ss52Z9>v;Qg~kIA#O1=mCj?Mk^9l1J?XJwmM`&wx4YX*UT$nE^-9l*hvM zG)Ivh_II;)p9TCC_Z;faQr|x)5_5NdN!G9qesndR(OkO zFV@B}EN`jOVe(~{DcgwiFr}%77CW$elj{9ZHo<~|CyY`|Sg|O~sZdr&ZEg@*V&+rxty(h^UL{g*sk?6=Yg-F|=1^GCGRIW!cH`Z5?}zK7~xq z3Hyepu<$k63|gRWi5<><6sRj%HWSogYkWCq>1RG(pp?e#_r_M?~{` zscHqEJhhbA@@EmJF{n*L46`bdySlLJCX{?pf2=_<+wgj~% z-fR>d>Tnlk041j}Nq2k3c;T3uE=mA-cg&&bwA;XIgZR~_%wXW?ZP93{dg*!C>tY;%s#p)P##ndfI*9&rT>wvJW`5ExEbb{z<%pgSz!eKt0 zs|eniLqHoXN}`a7wNnF?_v; z?u{aRaL#Yy_Uw3z_`y*!gm2{J%qw@F4j0a{e1DyNxew}1&6O}uBXT-b@)Tq-T$TLo z@AGi(0{ZHC&Fk*Ku`VR*l8A3#X7nG&hC4^Agir3&tnO1qkVbt4_O6D?9ZL?SE3r$H zzxM37j`@|EDjbkA&YM$$ZY@B@5mR^bM$W@0O+%$tMU5h(c2M(Yb$@=xZAP*4Bb=>U z=~?U#Ol=JaH0I-90SyyR)9Ho-0%%7q0K^D6zmdC?r_iTsw4joFKTUb<(5hd?`fgK6}Ho#>RiDeT+?!S5gZ>+E&+ zUdlU?&(Yryn0nPR%h9P-H zP27b`2~AP22JwIf?FXRfr9a=M@jdCsA!+Cw`_IXzKc8zsqxeXbfOp^@4;Gqk8@!_^ zPJjM&!g2T4ZMxUAucEFQ|MeBtva?|1#nrFBVa(kmDKai9NjLmtIG0XHEq z8F^3+){L%@yeYsK${m7>AkZs<4i*G%BX&gX%y+DcV8YFx5XL+jI z?-`W4Y{U&{O&Ui|e~|Mg`3w@U#&4065uG`X3zyqntstROA{gwP8wp(8x`*NqsYASdSc^Yh2= z#Q9z;iP=St{_&5>q31^R1cfr5{*w>(Tax<>wpOo5&Mr+hRowiqcgsHx_MiOP|2(vR z_OqWq5PqWFexso7`aR&!fb}1K(*O9iC*}0uo+#fmAiw&5a~%KUxBum#^r>I}d~HhI z>lXa?mH)r}HQZhD?|wFc&yNIA>w=b<54cHY5~F4EVQd6P`vK-H45g6g|A?diKOgg7 zpNW6@l|-@UK7MW8Nc>2Llj=aGYh7&5a1R|0CH41z*Vi|##P}V|bextwNwVb;1b^?% zbNegptGlZ?P9~c`b3)ev7~z~$!mg|z9{$U}{@-4Pe{uf$Dy|vbsexcLB?o#E`0~@d z&EEXW8{|LuVn%ilaf2oWUR?P*F7ID|AScaTD=wPqY286#mo=g&449k710NyQZD7(n zU;$XHJfM_II>NmszJIuj_!0iFVOV?P4S<7Lj%Zs_4FbkG8jv;|Y9P0Gi8tR-JB&`I8+;O|cIJv;iM zx>4FrZ3EzSLHB#Xf<-q@(iVZdf}7fZE=ct~8@FvdTH>!|ZpX!1+>0aw=LR-F={DuK z1eA>Yfz+N>GUWenNBuvpx!>AttrDTuo~BHk0NkSQ^HWUJYf0dwKw<$@+4A@ddCEz( zuWu->4Clv!AMjdZI$xJvRKMHl_tMnn{J28Pe}9esb>04h8wmGKn2kM0;wQSRXZ7V> zH!$}njd~1Sl1Br9!(|O;V4i0QNNA8+=heAV{wB#}AM7fwsCxRPOymT-O%ri+o*$i# zKv|0D`yz31aS1@@hX4W0m+LB(^C!dejQD@+WBV2aAiBr9SIrs@aPIBxlu-GGX6*ik z%~E%~8b{;E9iU~;2!B&N1%`)aII0R7wAKPlLcn}<3XBk!09lwI$`3bU;xYPqj>mIv zg_D5#-v`)#@nrw2lihTQWKWke6F{WdG_GrzfxOHVSjrtWKb-(tQ;GNh0vdy~OSX4s ze2(qV0OmXPdE7XV>Y4c8dl0`am0VkoUj>4;E%^5}lF>{#((>6iF4$QBh~d=W(i#aV zjPwPkjNc0ENyGcXuKt}D>8m&hN}@be0CBTSn6EoUZd0J5`VA~=A4j}W{S5T)GBV#K z{@p9>e|g5Qx!+f|yfGqSjP|+%lyc=q092Dm6!20*J5#13sN|pJ4*%h|8~HqVEol@c zdI~&8JXs4JKLRjdYV${n?l@!IYzB0TaSQ5B9se{H`i~>X!XuE5D8BYkOy#rDaK~Q2 zW4(>lR|2b3)1TdN8%o46a6llVAo7-=bpPL;x_=Woo+w;r)f${wMt55Frce=D0mRjc zn<#kaL;Z=5rkzN2ZA;6Rf%t%3-Vj8NzxfXKo4}P-0VfPfDU>6PpfeQcGs@$*&IoxsPAOd(!KHOSoyAGsr;R`H1|Dm-^g=%7@^zZ;T}Z-;?_V4S)fcB^^d> ztd#<2%!z=B9{v3#VccU!lej{h2oAu?jUV^$I4%6(^xU5PmZg*`X8d?f8;amVTqe~s z8qqQhu_847TLVqlC6c)OM_8!DVkKmd{s%Wm@&n3x+*Uyr!wa&RYZIb>z8Eu2UiFF| z#Ko}bURnOZT^!{kezGl5K4G0t#)#yKd@l((uNW;sK4MuSBUEweKfs9)CDFA`Q@Kr*X1oPmM$t&jH1Ot{SqFcK zF}$eqC(gk$g?1Y(PB{P&RgyB9R*Wwu(EoqDk^kd|6ZZh+;QI+d%PVu6w1=@ESIV^S z1*gpZ_e^KG1G@#*v>~C7=iYllqMuIzt=*xc|;0_U{ZYJaqSy)rkBOAan=WFfU1q81AK~y_H$o|fZ_Q_pbxp{X}1hAa`#?Q5Cyrg`|z7ZzZ z^*3I$bC(i0!OK1I)$#+OzwuaKKSAT#Fz5|koxin^>3fSSx!(#C^#6^|5jY39K3Adx za)A49y>IE|KTFUR|U6?kje02r$O=V2Ui4wv36^IYI1{ckt-tLx678A=K5 z=6X6LK_F^|n*a)siT|%IQi2HX@A4)kFJG!EN--Ej29B+FU)<;Ugd66 zei&hQ!BO1v*I*Vcztcau3x3aTuk?NK?@tAOuk$w^sA)U^>+4p4G|f@|^#Wd8Jdb7C zr6giAp2rRwm81M}>~OQb2%N%(tRlyQ*Z9Y$2NoabV&26Tj%Nronz|7?Og>(tjkOSHYhdYG9tcK{;^)v*Z-;fTwQIGzHdbQ{oV zwa}@sxnm|1D>>{Ml6fDfX&y%}RsvH|J!cWeF0Zr2iU$|%mOsIW4=SguHOWubcH=tlgu#CsE!pBpdn&{U=n}P8>j^u$b_78 zl%j}ZUlIv2-_e4u08L*A(NX5((JDLLbjJsm9T9;5J?cT%8nvJe41pDZHCamyxJJTz znrj_80Z~`3;**;Rxoz62x2=zthitN`O4Wh;rc0vc)o!sNQKBBYumj<;Wb6}ixK zhABn>v6dZ)j@1{>7h<3U{W$Z5H@nhR^xEb3FQBOuf=(IZpc{43+-N!-rxv?VaqiCl zDge#~f*=nSw1>}2S$v&!kx1jo>g8>x+CJdabM8%|@nx=k|3mZK1uW-LMx^46M@K;Q z&<)0mn&)y8s;)^|<`E2piSCcx-o@#Au`HNF#`J;OAEPywRwmmP73>uJpQtQhtUGrG zl@#2j8O>)vv?J8_ORz4HGpfB+6HM8AwE?myHn0c;O1()`?)(qHPLDC+)d?uJH<9 zfG%}IoVYEC-M?KX?e@$YMSrA~mIxU@TLOlgNjZdi_zGTvDUH`U7ZfybT9=>?`BJGp z7Q!tGD@Se!yjQN}x3sbnt6nr?n+Nvq+=;ejAGE=aft|`v6?1EYQPH2cF;RgN8mu|k zmN8z)FD|!TC%Q5EIy(Usb|ufgs)LiwbyW7cJMbb`B69M(O!7irPS&c^W+Q`tSV#;3 z+brv1$Kzl6WKzw))t@8+YA79n|Btn=j*5DH_uaCw14TjwLFw*J6#?mvp^;`7kZuqK zk(O>yI)u9;NC~m#S*ek$b^TqkE#xVIJq1~DH0~P&4m4E5QJTqxw zcmh=bzb4DJXQ7--1gq3{@DFdPB$ht4cHVFL3abQAV=eZ5nu45Rc&i~fdS@11~F0KVj&Jlcbh7FIdhLzCXlRG zf%w{hJE8gI=BN3>Y6+u&)zceuJ7NZ>4Y7!Sc1gDf&f)M7G?$+6eN`Q*St}RuH7b0z zL6=hB&&2U%TM-oX`Fi`9q(&zF7Etz@Is&W9Ts-$zUce>V)xlttmJ3)6R01K#<#*7^ zbjh=I6{XU9uWtQGFC6fIz}2{|hi;HaO`+NWN@kpOezovS0Mc{n-r1o<{1pz76p*Wr z4fOjtw>rRMm?(g;GV5;st*kBpTHAnY0j?+rV|X-wC)=RxL&(NT+Q$9Q4#h)BkDjQK z5P*6ZwT>!Djb2>uAQD9Gm*^e<{^qkHw{KqdQd@vL!=y$)1+waef0lK$j{;e~B;MKW zN?%W>Wp2DS50K?))%}qFbqcHvzr4Ke z0f4`N#qvG;MllT-Tg#CBy#jpYM8UfCw8sZde(fFGQ4v>gA7a1^z)@(ZJ)xIZZ|pC{piFOPqx4C!B+=WZPeA~lnf$Nkjko5$eLaZ_!GeD zqS^ofpOPdG>ItN)Lk4f0AyBI;s%7^bns&QY@97?rgTM5jK~w*SZYAYrz>(2CkM|MY zLB2;w^yrJ+1y_N!VRO=ejw}54heo4X#uW8l@ILwOL8uI>>G!?`yxIcX#;FZX)D}62 zxciTS{_>q>N-88I2zvTvR7sFjCISAA5}3yP@Kw^@Vs*qTsw?F@(OLxB@8G{`plA-& zMXfrp6A~G728BfKL4E_skiXz!8^UAB;QrGkUcCaB=ILtwy%_d|xU9W`53dnV0>7bA zU1+kpYJxh?9nktbbEbI%-em>>S=?Gl?VN3nqE$&g(Lf;hT3QjJ<8TCOWAq)3y&Y#97^3O%rMCq{TpK?{$& zUGdG9C>nF!oZ?@b23TL0wW4i!Z@adc$n=nBPhosLK&|qC&8-aV1T@SMh;%-(=8;GZ zeTNZlh4~_Qm6LAdZ6rI(H0BJHiHJCKe|?qH%l?W4L0HoVQTmVoFiX}4$eT`LFd5# zs8-#`8*Kdg2g&WnAw3QHAF!pU2bC}mLGoi;g%VUghwM@1K+rHxDDj|El#|8bcx}Z- zkrfg1+rA1fGjZ=aSoC}%<*-v2F#!1UBW8V``(`e88i!VSX58D0`*NGIPdNSztOSBk z%loHksC9^SVeZCU`6;N6iuy05k2Wa_2dWLO*0<{=?@5G>+bY-WoxCn`3Kb|_t+%pD zN3-j=-_}@nj(coeb1P_8SO!WcsI&e7#&r1SyJIQ`Qq_ot$(}%Vt#s z8Bh10jaE1L z{>+3!Xx|u)c=jc7XJ#w{4CG!9#w^`w=zuGj2U zJkR*|Il(dHh)C2%rE*G-^~$z!p}#9 zm|^%8)V^|bF0JoJHu`FzLqN{Dn()&+qA+bVxQkY1fWk~YFM2V8Ep|gn63X72!D-P3 z{z_}c>n$L>e{HVDykY)z<@Zt)5!(yqO*{(%)bzHv>b`wWP@t>8ckI_n7sl0fS>WhYKDRVsXiFSepFy z5?po_F9X7W_pe%wz6Z3ts8?5neRn*8jTrC)ZUgf!NjQIe?GYw*dMze9%F*_w7*KA! zi>iT5h}-&s4r~<(+>zE~5`R~QkH!$ZCa^itmNt);B4Y>c0Hx0eb|rwoU;xC%-J^|W zE)T@JEHMrmLY6;j7hsK6>Xbtt`Ty>qo++p}hdaIOSqDSvJFgO_(h^My8fys(LBy|f z-?M#mDhS-WI_a`ye7;BSE#I7tu@hxvj5vg&XF$B_J*Ly*k({Fu(pL%U)xDuJ;FqrN zVC0Uo+_y@9?=y(?+=`c2xhsWCRHuw`wmEsSEk?#Dl^`VQkDdAZj?iZsdNFh#g5>ZV z*mt9f_4?W`&JSBVep^q1UbPY8v)lFl7ubAtrhy60bWUDO{h824LH0Yi-n3o)NNXhTnt-fNU~R>t`=M3RZGnj=ObTLCH83bpTx*p66e{kq&l5A7W$!tzj4a11 z?%0}knyi>gIJ0g9q+F#hHf*&m0qJ+5Q?~E3OKZlQd^ZG`um)=hKc+cXq>JrxPeuR^ ztENT@*;cFBu{|t7P2^{I6$x)Qc@71PdmNO(hPiFRbK^VMD?gqCc`c962T<>}!v$DA ziois2_Jgr}`4D%IyYzsWBoSEqG3m67@NrH?F!UiW_jFP(Y>4Noe!bBDf-?R)?eAx%e@CJ%NTjo560$Gyuz~z~{f(s( zl260+{j)Q^w5H`lYn3sdv)zmH3E|G>vpS*mj>_6^(HqUSS;S?7(Tf8It#bpX=gXdb znvN^WA>JP5vsWvM5%n)7vryFEc{K?##7}yN=@%*(^AxN4UNEZ^CyGN`3qFezQ9UXq zgjdlg*g_*kaesO8HU^PL>J%UiOh~~X&VB}=53MW8>1+fPzhu_ZCLRu9Ze{r%&}9~Z zPjWx!K`kZ)nvhl;^?NbyZM+R|YTzX|xLazlMMhH$2R*k6_;`C89d96XHQH)3xYT#^ zT0Bnip(Eci^1{Eqzj~E=oPqgLu~9@cesonM^qt`7+7_ZW@or&rfOK_tzI*iQBTJg# zC-GOxqROr@a7FO2W<%uL`m*blZ|G{5YdE5`oYV5wr^TFZQA>!GZIuXwc*pFe#ZkJP z^{xLsYZfWYu+w<4_w7eQ?6R?Wv~*02{GxAPdHW4kLRbXLrQ&w5$oLQ{jra?+js6ef zwA!7vfH$gZ65Gl~LBBI{7HH>99a&4N)YqbLYjY;s*bQUm%O`FUn9of-S~#O*X@P#R zEd$sK)sTMCC@po_Tu<|^nZfx-vhjM0F6`aCJPv8o*4Yv5*33xRetWR*O7a6ao5AM* z)0arXc6=m^(t4}82ZvM=J0*K1e4oV;tMo-b!8$w2x3M^Z({@w9`XlSys%|Of!RRA( z)QipIeK4dI<`e!bW|xL!l9_UZQ}99-_hzy+GfP{>ukgzaQRy9a!#M83N`YGuk#Lq1 zDgR8Z!@O!0h@WHm)tFI0T$ZX`I4}F~_IPe}hO0)ta`jwj)FV-p&C+`sQDd}$0mZ09 z7^#JFBvfIljs}VK+@ADYbxkx(SY@RDU8A+JdSmfv?(EVn2WOV2;sVOfYOQ`vhyp zQYQ@)wVL?-25y25OGbG*^Pch!6~s+l2H3Aer-y|Ti#eaT&#MmyC^(zVB#w79aGPW6 zd4|FC18wYHsTo)VaoVUEVtnDNlpq(;{F$BILkMk8>v2Z3^t5&f`E3$cf!T&q&tG%g z$tu*gBg7Vc3+IoQ4F=*1A|7bLq{&-Jk7AE4N$HHc{>iZ#1 zE8z~Wj2Pr37aN)$UQBnsVr87_ZBJn#k-irM@!j0AEKV1^LDED!PRhY#!Fsr413^X8 zZP`WE|T`(I_vtp;5;^!S2 z))~x7Ns(&M(q=dDn@J)%gDXWyqO8G$Y!7Dbym}0k|LN|t5Xe~()__bi7VZjY)CZ>H z_-ydC!}VU?t4A5=$~jiw{->8;F&F9O6CH0hf9>XX84!))*YrzqiEzcXoF7B6u$_Ya zZ+HymNhZdK`4>J5;`&f5O-OgC>yU)Le>yCFzuM>m2=)o+eIaD-s~!-7_?QIm<|&?8 zVRj|z3E}pHr4#FEe#ga^w8cFQ{{2q5TJ57(Zs(`FrQjLZl=`ly@+~s$5^e?ydI($9 z;lu|v8;p&@Jyd>zO-B9q1hqJ`4DYz<4`RN>j>|0l*kiQJgDC?kiifu!^3c`kH12mD z;Si5~dhapnM=w@gip5YgViN7Z)|M&eW1$5AJ@h@4>sNnr#V!rwqSEvEBQN$#{e=t9 zn_AG+o{0K7?Ob0n*7mfYu{P0|{iZ`ZV_ZXbh#_sRXXJ>d-gXmcg!Zl|Z8_Fb0{1C?GN z)hW^7qdXadUcwFK`B=1EYz03X)}W3mt^8_>$+f~tkSJ^A;Nl^nFamMR<|U&wOfsn>mjo!%D25eo{p3#{C=zo~lxJX%o`Z zFR5ko1B8Oh0)=+khbs7tkmZ?1z0Q>Xo*S65YZzZc5RcFsq*~In<*1 z&1mN`id9P_v18|hhN2TDMP>FQX ziZL%h7_sCCnzB?&T<2qB|FivP>w6%sxhRpXYZmB3$I<|~^6S;zzB15F>Ev94H>p4I z1_23X>~H1oSpe>AA6eZzXwXp59Kt5tplGlub2`X42*UuV==Rd080gf@tsS+OcD_py zu^-)i1LD@d&_tQXj(mT6>2HF|%JHjVHfeS(iv}Eyef~ftR1;nUoBq&61)TXXp!Fu| zI9M`}wgbjVrcGF3u;^(gn$7(rWH(V3;}`udOTsTvy=(^fNX%P@wiR(Ag|yDIqa;Kq zt&SfU$y*;knGx|;TL0V9myfl}2fgw*-yWjopVG2V-;;U%EB|`~Y$!wgZ|si^jcQ|8 z-9xadCd7r@p3deJw)2EUjenAo4_-7&7htGcj!|ewlA2%UFVbbo6^9~0)~#EZ79mP@ zP+LyTYzL*Uuw5^Ks8`FDxh$_5V@UnIhnWCeY7$NM@!J4Y%fB;c2$I~DEnoJo87b&)LN@*csHD&3VENCLtpUdPVl{lR${OjzM7D&~^is!;EwUpQcR5`KNF74J0hfP8hg-0e+|uD0-^d9mvZaB1yn zD{4SZrbJ~^&|4d>Au^%t4pYbbO|Q|fMbNW>SuqvBBRH6A8Z2p~S{oQ$sSdf3aDl$Gt3}*#UjO{@(cjMot6+fdW0XoYT=q z6=x*rnM6L)3r2tgz0-B z=;!YASKaJDRqiHW^-GTyD+@8By~ZDYd=RTZV4W!adi{}cQ5z(eDMTcpUMRoyxooKJ z%BJ8L^Y-K`W@dk$qni|IoRN;9O7zh-v&SQKeo7p1DS&%$Sk6txeL&A=p>i& z4@K(N4L1r7#15IHnXvy5?Cflpa%bQ~LnY3V?KO_l;(h9f70#fk0s>Qdr+oH~O<)}s zB@;UXCP}hXzBdbPT<2gO3)@Tthm~`HmNlp%YgCs5DHN}GVD|bb*B~RO^T`SwWFR7P z+BRae$``9}hxw$jk4U|9v`!d!vq@ck!@N+B`#1qvRk)*Xgvxdhu6h_yOlY@qeAs#c zYnCw+-^dxWPABnOngIh3l}s!6AAOnk@-c8msF%j^l{i(DNXbGz*Vu226$bEoQXIJc z;=XzmldA_##$GNnZ?~ESFN5;dg8UTD&2`1Q(cJJoAbGx_P&o!k%k_EsJh3@hvo2S8a1@ z+&HQyJ&|z>=!_8V4c+CayH4tPuBB$FlRdhn-49}Us@cf&=ojQ-8R%Iqo!Ewn%GlOR zxUQ&9|D34VbcvF~ato@kpGj<~#Yk=oRihjGLb20$ynSs>d+aM zfg(zo&z5gXsf##M<&Ae}>X#}d%(73ruUnH=(F!znDSVbSN9l%hIdPsqsdQ7NaW^6^R>sI#* zfk@gv!@(Z~9HD4-uDnOxIoW8w9xK%3tA| z0f^9z4#aA*tTB)1R&zZ?{957&&Yv>K-r{tvL*+hBFes28ZNRJg!Dh0;f(b!l_sh|? zo=CG}pw$C!cW94o9IWR* zNY_!%2S;Dt|Ji&v_r)A6dOg-umgMxi0f}2xy$R0TKxQvbe4hYO4F@<0w*VTnaAZvS z5b0Hbz0#L4JWic-HqTws9Crh+uz6a#$6`ofP9a7}X|%Rwr4DQ~@w;c_4OaNwoq8~T zw%5NvSFx#f3(q?h+<|C?MOF$~Ky)%}zunXNt9D;0iR-JE0$cCoE2MugwVy|s@~6dc zxUu}hVOMCWVQqIkpi9l>v;kFa?5TPMcFJ`Q^AI2jrNS$58uA;!fLrxJq#je^NH$`L zOYW z?z5Y0yocdsbMHYAWlgOoTR@zqClv1q#hl zpa_Ew7SKJ8q!}Q@c+5|#av(;rKPpXky&~R~2^l~rAVfX}b9OtlH)Tf^O zxgTllyQ|bJB&~Q+qn!NR@7kk8$5g{BDae{lD?N^iHwI4Go#Gy7Yv&zq9NV>nxi?5+ z=>^2BNOD(Vl2yE_d~Xy|3sW+7_G9SegS;cPa@uQyn?3Of(fq~tziON3qA8 z;ip}=^|(HE8f+ZjK$a^hJ)5*RRpfT-gI!DaHyL`$JUp82HI{|stdUYWq{xn~Z9!8ifpPm7?T6E~MQ`N>P$ z#Rzdt7}1OY7%IX!{>iMz5jc<7?~9IREY>1XCt4aWSr&1r1@Sa=)MOe^QA#Rd5 ziUI;AXj-nCk@E0;0HN(KoR_0zKOD6JgOu-_Q6vopH}?h9P|aY{%X?CQb;FBA8YJMN zOX0llZeNSblPq~|e$VLedNrecCAB+8*~)J*nQ2UdxJ6$a*j}bB8f26kMS!Ww9^DLT zhJ6`a5~?3sBf&mmpiAbF{Bj=K4)t&*4PPuz)j<0H0-r9VHTyt?v^Rx+wMFf797Yp z{yla-g_Y4M_g1I?VSkO)g3XEv6$k*?>0o>+zxx zJ6~^-YIj4X?WPN_MxpsUB8P54j&nPB6h6=l{1&J;&bRuBE8AgMj^@t;Rbl$o*YIu1$qFLhm#al<5S$Y#| z9E$0CfILK#1_4)=A=R3_H6GJZl1=Q-zx<6y0*>b{74N64U7f%$!;=^krqot(DX}pZ zfEM(gCC3Mjq=8R^TL&&!)=qh)XaNrg5a<7Uht%_U+q2syMTDXc%TgjQ2Uiya;}BPI zoDDwa90!t%A3(z5={G?!Zt2`ejx(Hr%CFXO*tCpb$hT6uwdO{TrhYDfO)(LPKg@HA z#1x>SH{;)09H}^Gxyk{XIS$MBJ6bwrJuluGGvPx9KxX2SO z8$Hh|^^O~AiI+yv>1>I(_IQpQ-R^2MV=Jb-J+2n`3(%1|X8={`E9Tag!G>Np`@6K; zy-%<^URPp9c>@u0vkoId5P@2XhP5WVzmbh{DP*n*Z4k5Y&pgoOD-e-jxOKj|)DVG6 zWHbo$oVAFtFkFKgxeHqYS$=DRAN5jI%3gjwW~Mw^iy={#f6F-wEld9D>go3xuw&O8(1m@lYE-hu)|Kx84@})q#>i*s1jAycXi8$ z1-O;|^j&kaOhzbNh2+e*pED~h{f&Z14ro}%EU=RmN#LArg~hmm4Gyr8gwT=5Y8&OA z?gQmn0#maA7|g%$C;*d1*#s6=*R87okkZRKy_(cl8np}hdb$6RVg$X49f>J^K%rFw zfB8+!;^Q#ji8$N=^JC?(48=nTQ5;X1>t4V54&K~#;ctJ6(rgL7lCgS=JmJ!jy`{a} zhxsD&kF5|*jut&#^{aUAhT|Ggmz!IUkPh-GB}5%yCy`M=r^YTUA6NibE5h&sFcEU& zDfT9Y^>{@WkOO>qQH|io+P558VsA&;ARfElVoYbW=nMG!>Xj8R(jo$4atROw8CyhZ z?s)bPpaY3LGE@^PN=vr7Q&iA?gGUQ%1bIF_S6R0-`}prUR(ZA0#SgR#Y0B6T^{DrN zC--yW5x;~5WLoc5EI}dMzP~=S{zjt4TFmR=5rrXrJi(!&&uCF5;*rHKcd#XFg9 z-Y6yYzx==-{|;-fpaVA%ntJ6JrR01Tg9ME~>OpK)4Lr1Hp8oJ3#};$5WSJ<>Y4xgo zn|qjcrlqPMIo?VJ!dnyJ8Hu$H79lmnt9^Ho+mSdpRD{~;KZfB~hrQppA(>~2T0FJXl~e4Q8J{pQcg@CG5? zSK0L##oVho5&$E2Fq?AKZTC5Xr1SU553(j&m3RFcz%<~rKkvZHDJdv%t1$x}8fE`5 z{x>z%kxRj~CiSS5cN!>cYqvodAMQhM?YyGkHnKWn<`cG7jH#B(igYlj*?@IPi z$D3&JOrKL}rVKU##`@eTD-9!gmePVPaO&A7+n%!gJg>% zeRN_P$!_jnjA2a&UZb)Y&2&ypxg zdzdGDXQ7wps%L?~1N7EezV@L!@K1lZZ$6kR75a$XQ$ zvAeW{o@9A;s8rlWsrhNMCi1%Aw0C{b7h}K2tXN$o zEmF=V9e%yhYy;7_C9nTdY44;C<8#euOn6du+E%!<(HWB9`X$P9_G(8~+z+#~BKED6 zF@#1o%mwW{%tvkd&uhGDZ(DF1{^xJ8sPsZtqMccS9a`Y0Amm5-zHd4KB#8@Mi8>a4 zK|gW(N{Pi*JuEIYt-p1#$gl&~dgP^-MZ6`aPR|`j!8X|L2)dk)aklWs zO8y>WYxL=Pf+Z8RxAsER+Imc_1#hsD1ckJEG`L~S{d~U*nEqNijN<1M6CWzldjK&R zVvNO-1dzkDtS$?(?A>5R*Zv|yE`4yHbN@)ew}gpotTpm(r9*K4ebBM-VIz(QSZrbB z)d{xdTU(LZ@!2Q41t(99t9T&c@=jY1uQe^MT{F{C2K=(G|* z29~(dUDw?(Q)b$s2qs=wg(qyqPqG&hfFStY zxX=o8z;{+u_4^^zh^hgnqdw+fJS9tPygCB|h3lAwi|>7-4H!`WjcSn6&RD^RKvV)# zpk$yK}X7P#y{Ql0CvTLubPi~NfYL_T~h6Jp|*UI_P{2V z4O^Arj;<2O_+t>~a%xJO=gMZK+ECd?NTp>e>rj1{f%|ZJxxYipo_&%|f}^j9&W|>& znFv(*>{jZ_>_@l!&wCS1GY0$FA0M;siv4QM@34DcyJ^)Re4{j;>BYs5F<&XHIDVqE zKUqC9^;G(bTVLix0=roPwf$&}wx|OMYYj;Ut82dtWXi6=bv~vQSzCfwv`e!?ya<82 zYA((YbsC1z4m%SGExfgkL+=D$zfaJw%A$GW86rrdHVbG8>%S7W!q4ha$C1E0Jmwc$ z0Gndvn8p@mVi5d8Gr&4lDthvcm}qMjjA?SsZ475*i;kH_8vxg%$4ennoy{e_GHWwU z%+o2!Si5j>2I#PtvYNZsmqx^v1`dUgQ?(K+pWdx;_fXzTr_Z!MuKJsjz+}$yklv$e&#WGR!<5j%bkS}2T#iwfR#5A}j`S1X>&}mzG~i*{ z|4?tJv@b5H;Q_kH>gUdY%l6@1&+}2rdxQFl0ql644robXvQ++n`ld3wGC1yPJqval zaKYW*c#2<6ygse2v|IWDD!Z&$bKBk;n5Y82?9*GyX+qpU7ck6kHw%RLCAGG)FvJ%m z&0?BpVx8GATDSDzLF~#)n7YYqz*Q>U(h`X&^|AdznES6JOOEi2RK}l18mK+D`n|om zY@c5xjl*xZ%H^Qnp1;3BFMtp12&Qx-z=I?*htQLJXbzM8$!0C*y%j)?X1z|%{N@{& zvzbyrx`raQAnIK5+B?eMV4HONIU~WLfT<&z zE2$)@(LCu=3bvRUXD!}tt5!Osa_!^W=b?M)bNa)|R6a8Rnhf?~K>%7ela1n4|C9h7 zZx~G3Xv{$YMsXZcf{2Sk(*5*&Qz7=o56aUiJ=TRALd0C=EoJjYJeeJ>1;bD&18+R1%v=%KUMRly=c3hFslX+#`CF{|pr657s$> z6#!5OHpTAJ2eWfx%bA?&_8O@#s9nB4{~<%!AOlhtj_WX>p9N5X>ZQ5#;92Yla(i^! z>`rK3tea6Os+p&Ra@cM8`f7U5-dMT|f&>ny5PI`@pMfgZ`e_&rRZl@YA@mp@CV}Vo zbM+ZIFgbz7%T#Z5Fdg5NJ^WB23%y%X0uM|0@*5aeOfaBD=KxowTTecIz$(pArde$K z<3~MNoyY#COVk}T*0+p6J7+pB(c@L!GlBPI7*yDxfMmF*m)6wz8usto@MB&i>QJ?M zOKwcpmNHvK=3M<1fqi!GiOk2+G!Ot?Ju1=i)?e)MUww!)o_y*H~Zf!r#D z#(EYQU<7|ypE6keC$~a+?Mx*_ z445TsK4g=L>v~qqd%0F~O!}QSRa)&2B(nxZ&~LwDQ-+Dq%pnQl^#Prn66v;nzx}j7 z3l&F=s+>+gx170of1pyO=`|Uw`Xj`lgI{sTRmbLY-0$U{ZE9%EyfbelAk$v<&o_3f z^E}xEqU#&9a7{3&Y4*wG7-ylhNyq4UmQ@Qzw2C4?y7{p9x#wpa_Vn}p+xE#};WZ*<075+5wVRFG0{yzHKJTEm_`f}r5 zHoOY)Z|%~n9P}F!-WERjiECN)o!`bCH312ok#~ue@1Y)ad(`UUfY)==Rj;wSTvWR{hf-q7}&yZrOcq~%gHWRrMpdba-h z<#rILGKj(F!3T1Fv+>{G7?+8zCJ8wN?JN%fLR&n+0Imc=ChcA#0j@UT9CkJY_6}x1 z2LL_$RIr0dbr1;M;PyZFshoA2PF7Sik!oFTHIkSIeC5sk$6_93$#_8-4k-vTB(^L< zfD${)XZIT?q|w=Am%uq{=epwk6I={6VlH!8(qZ8=B^YQB>M3{d%kg84mx}-x>K{nr z?g(`t885;M@j*eKE8%h~=-2F2y#U?AZnNE)kMQXE(K?70wdH3h7ve_VVokwa6=&5fqWF7Zz&fMrCGA)GAHlAl+x+Fb zqRJ>jk3qT-QR+%3YRYpxH?jS-#faQMy>)KN39&~|f_+PHPwXqk@+;D3-`ov3K}|81 zG>{~LXj5-rQ#!P>3jGKo3iay@8z1xA#;J7*S_L7@5E*o}#QpN&`Q-@yY=9>)s~L}0 z^8;hb6L^+cLsUWLaqKHy>atHeEa9pRue(A?eq;=u03-|f?()s>ut#uL#Vn(eb>h2F zUn1HyTaLiRTjNhPG@oC0aHam@Gp_3ou;8C! zx-F-x^A5noGu{{B4kPi3lHZsDb|;&7rDB!6&FNYO1NRJ=OQD$#qV8Ki4F>C!7AK!x zm*f%A4Y*omsW4Gctx9e3eX8gr4W$!dT#}7U6;#=^25$iKiM?#=D)1Rvb?dj|Y*?dd z>~8oQq?+-8_$lik)IHK*tdtCZ*~}+iCcETC{ayGO^N|;M`>dvrt^e?dwoo|nrN4rO zQse=>ah^zP9BTi?_GAzOtCkVpY`j+KM!Zy|d47?tx$S)1Hgk-ZvRa-%k)`An!D4DC~Lm$y}6KPuRWi!p82xl`x*JNKzge>E~4ze8W`r#rZdv?Llr z?Z5?QhkeY5>H9}+1VnA7icf6~5v*uN?=@7T`Ij<~9GZj6 zvU#VX2=C4`@1qb)kV9W>X4#lt!*}eQS59l{p;d|B>#fjROV8h;eX}9`Q}r7B9OyNh z71>AoPlz{z)MVmIUl|jV2E8C#VT1uXX$8R@q*=%ndXwvy#k_hOn-cdp>z9e0fd zm;r+ZN^e6~U;10h^66fxSb?xG0WW5qymAlla^;c4er#^KHpI+GQg;8b6|rF8 zi}Jmq$P8+$GzLf5&0Q&iFfQBtPRmNGA&${~uw);SNgH!bd}R!cB&7L5x+trw@?~9p zw_{%lT9aibD;dZI^msaSO9COn+CK3YHP-BKmDjr5L>n~8BzefpSy|}mH9Zyvy z@g_s<-v&(Q<4~?(GT8g|HA?d0Xh_~GEb`C?&26mq?)t3M%#<78q(9{DvjkQY%^<+V z@bv2SPH8o<(d4Xs;bH4vbu^OlgliJ=!!5qv*{ua~imdj@ibEX3R;6X|zrKe-u(gFELQi@21{j!p~*KTmr=SJ)Cag|ktInz|^G zRFr-j(MvUdm#4;eT=H|0R`~`iq?K z-JdUeJX?lbVCB!l-Cb4PrfTAZI5uY zH%vQ>7sV?a!-!pf_n{bOWOLe^d`5maOaWmScc#XDPKwnd+7RJHO<8%El6LDN*KN3t1PtxOQLVp{+rD(s_*C9}&=0SFVp0?TLTO z{(DozZd<{>^0$8GV1kGHo}#};7%KJT7g4eQ&ieTCDJ#q;4+q$6hds3^?ccIt3gJ6j z%MURJP^ua=lI))T>CE5T7b%j4N1u;;w%%0_ztPSo;oO!smTrkxMJLk`CR!EK!s2w! zd-x^u*!Mb!f|>)-4k1 zw-Y!FZAqRB8Y^T)0zh~mRFs~n&pfm(Yt6yyIbW>Y+qqVMe+mnB!-o-xc;k0ql*Tn{ znwtMg`T|G_`Y6$^83M4B=mqduc$LRLP*{cLCE29e+`>v{;;lS4SSC@$Z2m7c+OKbutSSJ`GUfNXvznTnF?tVdVzJgW^Ez=0imQHL zqb@VN#VSw8mQN=#=mK-yE_Bx?f~?pE2LJ&VGNEGl*Y!LxVCew+7Kz%{E&3{y1&(5cUNWAV1k4 zG;=2Z)65D}3R95~M?IE{iyz%Gg)^(2lfF%=*b6*!@22-=SscoK48s+#coRyX(pipLb-wrqq@c}R+Ta6?ibXJgiZ!8WP!4H-{ z+JokTXd{K%!^BB*g~$V(fZ32@quZvPCUY|#(-&pWMdNuBdImZVEkfBzypjfQlD535 zMC=+E(ZCdpOyTEs#iIDVJUvlx$U*K!nE{85^bSbxib$69Zy_bwXjry|ZbJpsv%7=4 zpEDZ_0ky!CW1h7sv5(w?6R`YQouZH37E(H%5|PF2ccdr&B9n|^u(cZ-sB>1HvjbMm z+B@4~qJT6tD)ZK@C#+n_={8Get9qjj*+}Bf%nNjR8REqVFpvv!q*(wOD%3J<(iCWJ zV07xzs1v;70$9UaGpJ;w)ruaQ1Yr8FP}rGd2JPKz!Jg;wD<1SRX6in-pS#m3_WZ>X zfTpK2N($;YvMRD_YhlwUKR(*bS8;Mt`+byVatFB;nJNkv?BT+SqZ!)YoK4ly+RiVB z$6Ajt6!@G|+LFwAbF$-G8U@rTho&!`#S=FKHKkKB9+HqY*o@{K2)>uF&zZla7uzxK zM!J3D^TZ>S?B&$udwo;ObG(f^fj_kjZan>~m)(&%LKHLvmG zLu1^8u}nUhNvZlZ;Qo7ChLftFK{?GD55&svW=}*M0Dq4(ml3&|htd)fK;pe;&l4iD zXCHT;CGanF%?qy4SAlIHs#X!q*DwTOLTG#F^Uu13Gd*{HU5Wx}6FIs_%|jA}v zvI=l1{*|Mu&ax%tD+Itwp=uHcJWhw}s7dxnKfQfMO52uV(8Zy9+cnYg(M3CcQ2__Z zY6pMYk)C}C`)%aR@JGATKE@|c-)!!Msbw+Tv#yc8KUxSConI**QrufliCgn{CW@P! z;T*`P_EpQ9RuXWqKA3U0%Dgyc-9F|EStR~cW(U+*mVI%|7LRO!`b6HP7^orRm^BP} zNVK%0oh(8>Jm`rjpjB>6)9@iMm|o<~3(_PAC7A~xNT#sU@~cdSO98L%e){ZsIO~6I zt;F|Ek9#Ux`Im&Cy4WPd!qXIS{Z{*aIx;$Nt+P+96z4Mwab!k`Ddk< z=Tcx>yw4^1FGu1c)!d?+HLy_DVx0>U`})PNaZM?8mAef4NQtXwl#U!z7xeRN{Qi%R zUHDSZZah&fH4-1KceXkqhbc#wT)F*-1ZheAj}Z_tUD>?fN%CX2iKn^UKydvPf5X#9 zJ;r}B{vhym_*dk0X8piK-+(DDZK-&y+vHJ>mt>D`-pY{rOi2LmUHNPAjoe+6w1iHJ zw(EcPjUEz62J@HjY%N-IUpp;Ot!+)p`b#C1XL`nG@^8y?E8~Wrk7~8(mM`PTl7V4x zx#GMI+r?m$5XRMcGPyRnE3AdxIW2tg-UHw%2dT0io?08Ypr}Mt$Fu6B>@M|CNH-k+ z(#YZy<@l#VBzga=?hfmX9U!VHx#j^*OP6(|2(XhNyvAnOFoq@`G|iNwA-j~JVrIIO zBmac!b?3FwMt6r3L6f$(@;h%Co~rtQZ`)<1cr)m}NgCPUr$_%eFZy4pZ2#^Wse1o9 zd=xCRD?%HtU6*G1#I9e%<`ignP1B!Xf5X83?~cH`8vqzg zICBTMTBL$TL|}DKt8f7*mmM11x9tu60P_zCu=b3k6FjfVW~!>NWE+pu;W>M+T{Z3z zzI@BwEyQ#s0BB260Bv!s%5HLm&u-#7n{ms`K&Iq8Ub%t+J_{T&v11VF>t$CScK8%# zy(h2ze|!G)^58p!7$t?eLEGM5%5&SC3GN6bWesH^#5+_q|8)pr-g)utMQK`QFK@iN z=kWCBfE1-CncUjTWct1;!R8*sQ8SFBv0fV9vPyG#-u-gIMOFXzMd5cDU zm@SR>An%L%bxm6|6ItaX|LBnahxayD>WTY`)%x#nM*g?Y&W`ty0L`-VW+{ibk`SQZ z_P-)8zIzE{;K+dj*Qzz}^?62HZUL@u7_CAA8#izPs;>tb75E&7ewa{*NFR(&DgYRu z&EQ+`l{FCG^l9(MM_{>_3~KXK8Zcq7+?uIpwkXCbyQXlC7jnjn&n0oj`(C#Gw`%`? z`(0GUuRkF~WT2}*8-a@xIgrB73VjUT<36vn_v_cgsl=y%rCQ%9zz;2fliT{u=$ioq z*SNZGyiHsv6!-eY1!VP+;Qdxk))SmGzn|TTcV!6&Zu2u>`)kq1L>nS9qMc@D+3I(u z{<4jjy;x-slxH(KbtAATQUq7-0N`0~wulbaSP~Z$Lhs^oEhF8%ZvS^A*Z)%G{`VgX zt`S@dV14IA3SGh{H{jtvQe1;=ohZ20i+(T}X+sFY%lleg@ZvrEdZ&q&_}m|0o)|y| z6e!j%si6K_HPB=daLVk-IF0P6{C=An8->tqyej1C9t6~?rJkj9qXlZT z&R}ga<)oCtx4R-YW5n1|MZw-l0SAu!)W@Eso+!@4 zrm{BRN^H{LwrPvfcM#{b=p*4ZZ4caeqc(z=H#NSwYX(S0g5F#8`H;FdU-tdM3n#rR zs-KHc0jDl|U&?|$6dyf|#0QqOT%3F3hGnUf@s&oO|3J6JOp&qvKq^m`(lKxnY={3D zd*}ku4|>P>@;Y6>=jScL0rpYN5-l31WsmQ;0QI0`v-NXTO4q=69g=Ng2Hw1!bJKC5O7x~i+j5zJ8{s$H9U_7 z_;qB7r-hsc9o0|d2FOc<0gt5FW;iRTSp^vM_amq$e@mZi`GkrZ$80E!mHHeQQn#1u zk#0Nxm{7KD>3o=fRF=>7M?LX>JgQpn+eDz3r6l85ZSgymXyB(FuM@YV71suAc2|SU z0EA)u{9eFz6Hb}-o{C5+09pVp^ekBlI3rdJ8%r>hFM}eJv>yl7bG@N#qogr!Z1higvG!>ECj!Z>1V0*1(sG3FFn_Pf-7N= zB~p1L3Pi4^0_}ZXIE6wYN40Mq&{J%dgZ^vkTCT+nhPbD@GXQh3h3YqZRg>O5|3T!> z1wgMAeL9P5&h9`p)Fuo%1?6Zfr8f{ z{a4zp-*tc^2mhp}%2UEkH8B+^A+K7j&7P_?Cw6P7pPt?Hrwj$mJS>t@c;wb&5xylG zd}4C+HNyiy_dWtlyT_p%GjIs6ekrOH?~j)^dPaMxG412hx6>hVNbMT^okzg^d>@HMqO}55(1O%7A7Dd9g37FAqpZbB@NQu z9ReaH>7-MTPLY<KfQ9@o)E;|e4KsRrDPdkVv`#8Lgt(FkVO8> z3>?~T84o}bARNzO*RLYwLR{E1KZj;j(vnKQ?YkC__ZY^nyXb~&@#o4F=gn=x8B~0P zSEuB$*(K4*#J6H^K1h%owV_CIgw?X5z`WBgyeE;RjXSO>0Y8_u>Ngk2Z-qcXX;MO; z95i4gE?gcwNV0nZMPz&}u#si)gm4$afw;MW;lFP_zY)2Pgks&C8B{_*!x(>Jpk|72Vr*WUIOLmHW zBb8P?0c_@eV0<^=(plXjTT&L2jqa`oe#H@2B*av_lzTIh{X_X)dS*6)3u6UPr83H_ zCw2KwhOtIa7elJvW#1LjJ9~v6&hz-WvxaH!0A$h5{Jj?B8l4CSv}2hXzYMfkGkf+5 zO*`VpATmyQVEQqXf$zx-G#=IkzR4lgR`X{yl*Pmk+ z_A=jI?eZjUAYprK!$Wc8BIvX((m=$&t1b)Hgku?D(s7U4S;{Zvd0_4A!LBF$-E270f1twD;4$w6N}_#AR&?>K>FSlJAZ9yN%f)=PG1d_Iv<{s6!%rK`7^ zC1g|N#|EK+M598H(=Ouf#~}Aew=GWYQ5{}T%d5d#UHj0CePV8O>v+T7h1@!E-wl$T zCYT&4+e=*M<$B$GYkor?{{0Y%wOE9+9R4rosio^-GGQi?Ty@=8CVMO0=2y8`Ca@Sde$+xh;#Y1Oh{#vh+X5$z?2=0cZJH{ zgxluK`74WVA;Yp_eE5lR@4(MpGl~Tp;+2NFWX9t=h8T<*NZ>5M3gStTCSYeg1fC4S zgNY?nLQfvs6?JqtUT!7yC5)HBb=}5F)#$N_9zt@16=>cp6Sc7Tf!;_4nIC_Ojoj-R z)2>U2dW#fWWT$QTouE2V5Z`B_j zfjgj7YznrxHLP9GIhfWRZOYZJdo8pBKkk&Pd$q(k*PH%0IX|iDx;Y+UefNEnzC7KV zx(a(=C;A9H!FqnRz@Gr}0ADP{1V&`E)o_TF&TE)|czLcwCH+G!(Ab*Ht<3{NWt!q7 zDD%(ZkCz3t2Z1GPDYOHM&eZa+si8$oy)|LW5KaYdv3Ao-aP?hA6X}b+~TV4$kc;mJ`=m4 zw~0N9#}%xT3!yQb-T{5;F{}S75$jL%y2^TZ{n;FpNz@T?qDBm6gb-)qcfEH`ZWi(o zIIHxwVkeJUGQ#AgaTn!rW|eVQH_J3|CDFRSpN{%sm&Rau9^LTuJ4l@8LxmeNdYHv% z^QjGaryYn@8K&9?f6_WIq{*Vi-vJj!ZF9UE?qb{KcH4Ri<5gh$JRCU8!+nDK-cHJO z0H%Mtt>KHkY5tQQa6R@0?I65|NR|7BXw&oTwH)n{&p5*ZsYQhQl0w^*o=c?%&GHC~ zsXTxWuuLWUB`|IO>SP4U^QhLQdLwiLv$ADSo2 zmO4&M<@Gsj7@BhL^_pmoiqH0vd#28izBxuv7gJ9CDl zXP?mh0dHg;i3Cv_s+-~Kl7$Gw%a~`sN{TRqg7Z+Z>whK22lLr( zlz;Xz!ONjTs6%!mEMqW1_Lx)g6C+$(Gdk)TF^D*Il&R66AGpqK*Zv+gDFct6V_s0$ zp>F=wU_P??SXLC6Bee%B=XCY8BxLSc3ahDd@ick$U+*U)h;i03{9evn8fYB3sQ)@Xm=&lUPmyQ(YDY zI;}e?v~r9#D0Km_;*F4N`7C=aruzcB&TPpRvE_c)rhLyV_EK6E}I-8bNF8t(#h zb+=O%cTg5gCi_soMisIXvfUHqEbGF1`4yH&RsWn=?7zQb-o)SUCaG&v#_4^)XCAf4 z(q8Q7O_Mw8#O5nV;ACWT+U^LiIm1se_9LQYmG|+B;p8$+$9s)^`C;Xf&;@4^-Foq) zJ;qq;>DXb@SR2;^XjrzF9Psfy<82_Ui({z*S-=HeTIHr^egMeU2*_pfqBI((;8v^t zz)+O^ANV~46#_{{Df45H%JV}eAb-<8$ zaNg^=wC@xWXA&p41C#E&I!B^d5+@mP)=lb3*6LMYFfYVn;B9rQR!14m_HVip6j-Sm zUmN?57wm1}yY{GTv%Bv*Vk*A`3XBo>avQIKZ&%XDSiU3HEP=H#RyAaIIb^6*>bEXZ zf2l%^J1zA#n*uGcgFvgS5AX(qYorASoj4?h4tiP<{-U|Z%2!u|tS)oQCkGYUqG^7B zXh8u^q)q=9WGs;SF);jS7d#?sQYTrHA20p{XY;9GZ~P+l(l6jb*kDQxX5%Kb)IM`; zJbDE7wm?vw*Q!5=Xnl(}g(~y_i5d&FB#{=m!YFxn=&M@>#p-t%&PTMnaeUlYC73Cd z#kj_K{Q(I3zn|0p_(b}zLJMZ~shLAl%d9i%OOB@32O~UJw^MWUVg`Jp<|&V4wbnm? ziTVcR@2A~_w<0A#I+c8vp@Ld}D79r6Y|rD068%P(tT(2cIV@l;HP<)iyA6HmR7W=; zsTnE0h?(M|QaOyTF|eC#f;`v}f}0VrixL9TBJ~#N#w{vRb17~UtWAM(q?YJ0aO;Z) zWFG3(?DkaL!heMLUy8-D*w-aXLlE_(*Gf06nHM`)1Q9jCQJvi46*HOsFUya{K87)k zZKS%{Q9wdZVEF1|Y3Y3cf2yY4F9$Zpv-@pAi7=%13cvB-^Z1ZTwr_ikJ%9*V_(Nj= zqz(Z7C&-?@IT%^WG|Lkcne8r;YmVpD(ve5N|+df-0e5B}Sig((^7MSBL~ zGPURQ?gJSG9LVZ#d~p+_{fSKHtoqwW^z)efEwq@287kEbbl_RUL?x%faS|F@W5jS7lJ5nrFU_rbs7b5;X48#-%&bY4PaUiVQVtC zRz7AaI38TEke~SWxziy$X5GINE`+;7qv2Y0-7>dFo}Uv?~M=t@R9RdE11Z3$|q-4FV zoOyQQ~@=4~)GmFKTRD)b_Y(@&rhD}3xJSLDZ*DSpCqnId>38G5C9aUEhkJ2Y#> zg6DV^raL2*PrQSja)8?kygn_)&HO|eoXy|p6ywt#C9(~=%Cyoa+Qocz-Ta?R#Q)rN z{L}I#^9eK{TJNkhL#af-ZT@osQvCq`dcQ73;wSnPuIo!^wJuY|Cf1Eni2Zw$XWm|9 zmf+H|j;Mg=0jAnHG!!$c1%j4HXSUN4?BECXWPS&S=bQBfO@MA&6r;~7vS2>mg7*MP z)ri*Dd$N?)f^P1oa0Nl5TKm!Av1>1dARP4JR;i)N5}69r-S-`yDKMSp;1^Z|fL zp`p}Yy|Cht*xvC?8QW_&k3roI{rc$@G2PLblZ_kkR`=)mfAGIA=#FR@7y+91jGIM& zW=Iv>)Pc#{2@f0bg^NqsVqvz*e|VYTOb`Fe?;>?K_{2Bt9tQyp!+mWPKqrTf;cJkF z{a|@8Z)L0TMyuHy(PRpHj>&yg{wW}Q+WB1_qge*lQ41kyC3o}i{8*&XccO~!hn*UO zZX8+rssVPFBH0%H-T6rn*D^AQ?XhYE{y3N(rt4PNntnKUvy`?3d`x3ujS&M@Lw$(5 zKOatd@_l&Czor|0cv+s~*A~-7dbb$p;N`Dq&0r(&MN+Kp9~Ak3D+0yxWN>L#EPZ}g zvx7dv;Cc(e$x~&*I>C`8w@sGzK0Z4ci;>#x&`KJJ5@&FX=oO0M68DLZ4iz4Q=$2u#0L&Sd=n0RsWGfigy6$Q)?5gu%#@y6 zzsSg&k_loIciddSbk1#*fmCJpwfK3iX_oijUekzog0sp!i1xC*bko+FbfXlug!z?K z@ZGzPGN>y)cR6;0`*a@k#N5#S7e2>=J?l^@tfxYVYR3sg;szHg$)q)_ zW1Yo2nz*i!+{`OeG?ER377RQYopd3|4D#l&ts;1F{e*>91J0c6x@8wS$@r7hV` z1t@O$bB5(x$vMaqkkKGCuKDXZ^DBFj~^~6PhV(PK+K(Wa%1oQZnMCf?Mt)EU1qvaG3n>! zxLPcPud$r{6QlLNm@`BzP~Q`2GkK3cArgTB zU7r0lCA*00+8!!uxXQjq#nDYuDt8`h>pvd^Au3(x<`R5l;{uWNgp*Y`BrtZ%MH^Iq z2B?UoaBwvPZmm&*_YCC&wKag$t>UBZvT|1?yE&~6W9Maf5fbM1$H^kFP4;M2War~FbP38y0Uh-d-8 zx8b%DLl1ffH}J*pf*R>cIIaKG;0~4V;!fwBy0cywg)z#=^b)nDRAZNXx^zFd{NDs3 zj?F0T@)-0p4}Lp;C2IFOv>B$RJqb2+Co$Z{#UTB?J-D6v28teY>7fdl2s z^OTm2I}-z0Pb0Kh{oLv_7hQe($oI7uFOfdNTUXlOtylkQ@7*0~6wv2-SC#7DQ9o;Ma^z3wjUoCucvMWXn{|KyeNZKHqArgWs6+l^2W4tfg>#o79i z<(CU=YyAf>GDBmjG9)Drzlg2R5KCP#M26U!0_ku&3G=#Q0>#-|Eu>$Z5h|E|5Nw{9 z3DR?6la&sI5($0Lykg6<^*sY>>@UXHkE4Cb=W65=HzHXvsVmU2N5e~e3I9F(&g3&p zlNd$LkKEqhq_f45c7#l|=Aaw=_Sov24x2|Ih33Q2SLgbzfnaKp&&;ak!fzxf_e&$K zMv!(8n2P85bk^Y5nLs?1IFHNbEXdD^XZD7T2@Uj+?!;Kb zmSsLWC!bYSF2cZuk>=st)0bytNGJfzN0=0On#mgIExhm16u7#9zV7cTimoI&W|H{Z1$nk@Z$-Rs)}lGj9) zPCM(2LSCX>j8{+20&$`XNRaK%%weqbyJrV#Ad~jjCq1(zMO8FmuQEGaGw!WYLRb z{d#tho+?%VLfn2a5j9>m02$g0u{9<2AhUCZ4K9ld zSrwh#akN>2MeHgxOprHaBM%t6Jls@W0Pj9Pa$_%Fe7w|~c5y;BIVd1PYs%AZrsd+X zArX+czS{qPK;lxrfG{r62~IT1cW@EaBH{panPC9^(@~)S@IHA6^+D`}IC69zh`*l$ zim-a#p-!J5xjyU?e*gmB2?MAFG*$X2=3nhdz1TH?vMdtqX_T{ZD|;fABi;jh?>`e$ z{@649#~U7cwNMcl4ILUESQ=xj!Ou~qRE83Aju?owZ%uZ=p57KHug1vULw57I>EFpF z%`^>e`TUqHvVXHex6^!r+WLa1^3iY~>%Td8{s*Y?_s7AFf>&9yCFRPWd>;SjD8?Fy zkd4KaKKz$|@c;aa|N9rT$pb;nl<&%)iFEqEe>BlF;!HgY_P*=5vf=+A4!(=!F$=;P zs1CxjPZ1dbG$bth&6BHB_}5!*6QBmXM7f4$EuX)#g(rz-EQH-~46@xS=LQxJZH44c z6>1UU(MBH61omCWkJ( zT~p8y-Tx?(EMgNM%xC@Ji z&s<1$Vz=;$pfj|*NL@9BF`Q52csuMaFrcG_-KsCbx_%$NfBXEL*Ux1Ri@yj{>HcEnv+@t zh%yi0sf!qVNKK^7{?YdK%%4Asj1N zK>nk_b5xf#UZwZ^5qu0XS~6}#(loDoD01-aIZmIyMW*I62dy`E8vX3rKj@d!A%XsiZ}?S)xGbw%P?!AualbZS zI7R+}P$(E(;G#f;BUQj~n0DtL@b=Np^oeF!$+yH$5lKH2b$mj_W@=!$JkHrtB98On z4eS5@ivH`@OV~6aV*kzxoQF=F!y$Vaes>}iO%&J#LWc<(>cY%F~ zIb9m~><|5IQUI(X7QtvG&#)Iv(=Rg@1p4uJQ}CFk1oE+xmo ziH+?Wfnhy2Q*ff_`hyqe`0$)bl*m5>v*lMN2jKDBwPq3FxDb6hK#d}_s~A3;OQs<& zPvFwxX7_DrJ1)!3a%;5PawSl*rqS^d{NoP!!;dX99RaHP&gx26KtF5>uT?~uAE?Vs zgu35v<4Oio+31v6ng9)ziN|)la@)JjTl6F@h4JYIxo`cz6o|6#7HEZXl_8&pdc3?2 zoj5P7RJZ}$(~ahChaRz%EbOiYE~%cP2SWFU=-XsOE~p?!Its#9I_w_on9Yx2ke=v7 zc$clxz317g*PzCrvNVsQZ@Ux&kHEPT`n}a-8;F450s2WPITl$$Ai3_Qjb8Y^rO^%y zK*N|*U za^ImA^i4?Ycjr1n{595Y$hS)^dx~=5KDHvo~FNg<$&}Yx7ZIpgax~9sV^ero^feb9Ss~H zWC(Bo;$MH|^%I3Fd&CkFD*RjFQhMy@4C)Doe(msWsFZcJD5S-sxy5h?N_o3QgWecK)BGvIJb(5>`h_9LEC*81F8&lquJZ7a=DyO}hjk}D;oCR0K>2J#w_enL+_#)cAgG)aaKUifdGF}L^pH&&G|X_0aM>8ExA zXTS%p_hox_xqK#s5$k83DeVI&7HDK5yZFXB_mU7QEPIj6<4#JTWN>1N$6?g7Q2;HW zJVM<8c+`T93MRC=@vTN2L>0X>T9$Jc=%LpAAN*cfFCI|tmJx}NhS(ue#k1rbrO$J# z>=$0@<-RUm32Tzr6lYYKMao3^u+iBqnB;Yf`k~_M=8NnHacL}$5=K+O*4q?V#oVX@ z8N33n&>RbS-zB6js4oD2&Zbo=e<5ca?6C}?Q0k6(tZ`}=HY|>kJ`E7KV9Apupv6qM zpjJ2YA)Z`cYlkgtPFGk>2BNb?&jY%+Rq(~dB`hB12ik%W}tTaIc7B2IMR%_iV zq$W&y=W8{&{bxZbJzbc4ShlWx31XO&5?;}+E|2e-v+0YE<=|W@E4*DVyY!gloAiP> zqh!9d1AC`>-Rq;udZD;rVCsn-Om&}ICu{Fm*n6Hs=W7!;c`hhpRB75pzCMy_8|MAjd~-FQ6G<=EFb3OK!k&>MzvG zkGO*tR7$u#f`KF<79YgOqVL^P=h!`HuVUfcju7l8 zW7p}m0XLQFget4nP3R2CICdpYLEd+T-Jr8FBa>oUlKT1M*oIef@;j$*nq1_lFf%IE z8h|B9Vp)HaCmTn=)-D^6V|Ii$IY#8@3t>8-A;OlaR=U$(AdO2kAvFug`V2i~H{$qS z?h6xFG;p$F&r=FkG9L5k(Mx%Ji}d<`iMrdbRdBWS4iTH`&Z6t$GxA&S^NPN3rD+69 zY@a%FK7eZT(5_Xx*Pa8P%C5B)=?}d7pNComZZr%sl7^HZMLDO|g(4wRPRHndAm3=) z1xgs$FM@uqr4K=J=nV6b=4@+*0R}6|6`AV_mH`Y^7cOushHcZ$yw!d>1?|e-$~R=U z-6~yfKYgXI^$f3pSYP$xDq??$VjwrtsVVL5C{3q+)JEg2t~Eanw8p3~MZu5rR`2@b z4gdjc4_A}qFPQI&joj=crXqO(tB4|bO4Kup1VLB~B_7{P2MeYiLF$@EAjToB4#wZ6{gBW8s6W|!-N*j zjTM|0?hCxg(*hq~>tLQ8VsIVqw9Q3?ZXIkjx*rt579LKW%{l34-N9b5y+^*cI(NkS z;Igokzh^>6=&GE{+QQQ#ForLsKE}E{DF;HSgrY{1+Z)w6U`q~$tZOS-vUlQZ26+?g zuMy7?n|+pCX^XTdjXki*nWRoKIT)7HX8h)a#4OQmhjFEpA`fl#k3h zCzQinTu#!0SVa(|^F(kqfsaX4OLogUdEwwg{>DAh>NxY;>|Hx34F zIMh`hI#e5DYmK(rcn8CD&ZZpu)+Ek82yQouk(>0`$uXEyy%xePb8O4pbP*WViMlJj z18H2@W@~U=-JJLm;8G>LWtMw&-cvQ|P^LRFib7ts=R8nfX1J$r|Ahfm<Li~BMv8YOP@jan2uA*s~W9#v*h2-z6kA)$0FAbE1l=Sh6_ zi&;rvf(!ySx*}UXwx;09m8j%2huBF0Lc=a9UCm>pM?l_ zrf_8)TDiRG;qmBo%UZ2U+;(LNc1)j<5xPant;n-4Dg5WF=LwvjbkB&sdt8$~784b_ zcWlD#i%Axng0Qbi0$0bNAVP}k4Sr^Nln?6m)5+_lGntYCz3{+rn>0{KjLHleGeu$? zpH@t?{1|wOKQY)&E^ZQfVlg~|tWUk8pA=ylRq+E$qH#qK-W(^b=N5Q`9{WRHt#dc? zvdT{kwZb<;Gr|^TDlx zer|(cEld(ha-eLPPy$bF7h-vc}?8;qpfB>6ahw zNLARiJV}xdyJU>5Yr1>ZpG$G(JMr!ukf+N+jBa!@+zWK4p9a#ZY?ZV3f~I$Ai!<}{ zbKYe#hXqf!K`djG0|P}~pk!v5_MXectvKH$f6lr^r(;d((-a7CoSI+}*mDA3yhw82 zY7I#et2@TuN9`lhsBa6b#FE6nNO08x1&^kaq*e)72!TAq6R@Hv&x(9#Erf%gRQ z6*Q-W=wA7goRs@La>X%lMv7)-7#fCSH|d`5*oE(f1|003F_-tAyzIPhcMzJD-`)<# zHllm7eO6^rCkiH!dGDS9nd99|`E=OWY0sVApLpHB6?J&d4K`+xOX*(ktLvA4R041| zGIKBy>rbTZZSOX(l+Brc3hsS>E(6TuqY1|SRpmDRt^tGgzd*OJ9bXoXe#wo7Bk>NAZT39 z=Lb8FYH;hgeV;0V;L}6imqV}m`!TW)U(}-MmX8b3{Ycsu|h;;rK zI?ni>POWwGB6U(`1u#7%sYzbxJZ2{g(NgIQ!!F`qPUT&(Tm_QBR#uVBqV9$Sc&!oL(5YhXk_4aH< z(;XD;g^ukzzRKp;XbJ{LpyB>bcvHF|C)ndYx7(EXcs##>(FI>)dPb)$b?ihiIOT9_ zcv&650I+qPF@Ztx@{rXOE}R=nx?`SQhJ~|!0zj^LV+M5aNFf? z&`tru$!kXZ5FnnpOcyeJzpL znKzsUwse!MlyxVv5lVfyO_%S?xI1bLrv7Wqkw}E;Tg!NDP8}KMtH0AxNp>)lQMU$P z&o1%G1I~lYN{~K<2q^ygsMwt5KM;zGp7m-zuqF;YnP}4p`BR!Jh9f*5YxZL#yMuD((t2X6qa|vNjA2j>iXZWp{yQ z+W+fMn9{69A?1lTc$?SIA%-NVEn<(13XXx~PZg%;9pqu1tXQOszm!GaCovDywxlXnPVUDqj_8yF$t}a8& zlQU^YHHHXSOI@D{-TyiyLKIIZxqUG}?cd&#>S6aj=AS90*kU;EpPE1^>k`-UrBUE7 zKfu}_fk)0OarSU1#{HaW=zN8alh(;3QNj<@{bTe~X zq4w3)k3Ra(_>f%A`T|79?kWH^B}PK{XNO>ah&al1Xm~dP zs=T}qLp!Snq#d&PT?BeW|3J}u@0p@2^a}6YkrV+!gej7g;DH&^3VFw{*()Ua+?{C{ zJNgK4+q;JKw`c@g>D|xMeW-babQKqcT`MOdJP>>Udqu826v9(FIQKY?H-dq>k0J57 z^5|8dL%h{~VO)!RkynFEr|v%MoyX>W+X=zV8+5*o@@vbdPF;HXM1N4q13cyRwbYqju5HkR7s?I|anSPZ*5-YY>Gg8dL8sYQu;8|o~CaB);>dVE0 zR`TP!qCd1)RCzdZKuPfK1G5ZBgaRKZ8l_n?(iD~eJUh;Ctogj~TeWmlU#W%KWeZSd zahCqlG#qTEMM;CE!Q-Db4T$!GjHS|;Dc&JeZZy-@oheBI(KRT1xiNw08rERPzPWUr znBWY!MdgmA%>+0)+nR7Y3VV(5TNwgn?utmGyF{OX>xQ=raGUa`croOMyK9%(b$So| z9_Kj9rwimdDq>aHdTjxM51%Lf;s%xwEH2piUz!M+rry76B6KHjI3v!VB$905uegsy zy}R+*)t(*<&V;%| zEs|Ub1nNoMZ!U`Czz<(cEiMh}i-qWVqBqU_H~;>LSI{R=VrpO#jpzJx4wHX_`UgTz z5PRm#Xyi=^dn3AwMrNN8%sv2~C6qyq*R~k~ext}KW_4F(9@hrRgPo6~Ggu-yaSGra+a4Dw zC#n8Ayh9*DMbhX2dSh@HTg?TlN$!y6VcTqpJIsB80ACkGBOwRXb6%UDb>|my?q1sAP z2SB}7QWbubbZC;NQ|0l1!_~>jamdRit1}V~$M_Dbx81U<;a^~oW(FaPwALJ*_iizu z+J2xi{rVruk+`U&IJNAxFUpm~esRf^2!De&XLk3)N=!e+7;No%cGZXr;t+U#Xzj#fR$KoldB z|4A{j_E`4yA+SX*jLJuEk)f+0UP50Y4F^mbk~lLK8-RxU?T{nMJ`S|?Ic(!C7gxUQ zM>O+pC%txH3F@;xj=trbk8LF!zm)Q75qw^{oMh9eF9S0SpU&5^6Iz?}#$#1_L8fBI zKsnO=43T4&nKNX`#0wuXv+~bZL}>T=#;4Hgq)D7zr}W$J&vbkHebvFrpTpfX&xb%&PF0~wOi;D{IKVDX2!17x@=jy8K%mk z4IG@{#8jtFBHTqOat%|&y!VAfToF~At>1gzA+8Gt#5eW)W=d=8yj-`ro~f2Ya$K8x zZNvU|pwmtKPAxpXra8R(_QiQ_=sfEmKuP|}gDC3`jhMff3U>HBU>>{ z=>vQ*F^G}WWGFgz%T~nKCdu7vuhRASZjlkXF5^D?dVV5-H?;zuQhSTwwaEJi2-KdZ zn7omZ@T6TUk5HId>=DJ-{zVg1M zX*u?=Q$39k$J?D;a1fcyFdeD~Ya#S%t&(Ct0Sh^(M_O3Q>~I@Y{pH4mKb8i#G1JLK;XB(@cGL?Ef`A8(MzpkJL>(}Ny76#nB8k-}2lB{+<@*&#*z>Sv*12cuo#+}6kB)~G6 zHGqGoubHk4=DE4^Ux>I^$BYp64<8vO109nErw0k^^|6<&hh1_VhEe4e=W9{gRWo7x z{N%^8ea*^I3@7vbHM0bfoDB$mv8J^vON`zCan*AZ^b2&}>7C+pn0 z5Uj38h1OS4mG#Jk>8m#3itKZX@&7myylMud?*&UiddxY_p5*|y7b3)er}Rr;3u-~L zdIJ>@YR@1}BV7ux)IwV8c^G8(T>P|Gy@G}9ZKgq_bIw_z{Hf7*JK~8*v8Ny-KeA<( z-i@xO2R+JkNu$6z&sllWWgo9x6w37Q5Y&V3B0&{h$e9!T8@&ahE-2u*v@}AQX-$)m zO!e|uc&)ULTUeJramF@GyS0(a8RigOE#c#BwHin2_D>}tGkIpq*DXyjlWfbi5A~}T zC&&hzXx8X&44%Dv_Uy)Fysm7$P^i)JLHgRSkqNW(gLhJ{d2@e)Xu;*$(XbYUjlk$n zD4pmMziR3XPP8L)aJ!sE9qGa9YpaT_iy2jeG6H{L?p2_LDTGmPjdpiu#4K^AOzw6s zFq`VB6_|05gg47#wAz4xVpH~_Fw{To(wKllAl(Frl*5|NG@zT2>oe@3*E=*@n*h6B zu3>lypK&bUs>uFpB>8j(Y5r`yQ9uy{X4T3UaJ<`AouQSr_+56EG{zq{^Y(^3xyoH^ zV;oEIIxs87^Cx8QZ-HFsv)A*&a2zY=#x`98@LJe@sIoiLSw;Vtej=KfPVze;j@Qhs zp|(!DBfIAY@s}lkz5~#qmJ_TqiyNDys9c)jKoO+*mbyGbg3{2D@Ofz>Lge=R0K?X5<*PhepE_41{F#9BxhO^oJMnGud?0?-?cUP7>n#5`^iJl zF=Y#SMWabAuYh~v6!fU*bw3GR#6b#}2V!y832d2}&z}WW$9_6EJPEVa*0XMbRBy92 z=7yCiUCm*D0jheT`p~~P*-@gSb%c{lWcoXm5EG`P%>AW`rG_T;S{vhd(4bcCG3*Gx zJL(VJRNGz>8&fi(Jlm|#ajBfdROU8kALh}P1@I`mtM!r=e8kM$9;d*Tlx);}ye0I~ z3bJl@3r--4b$m;sTueV||@J#5Wf=ZXZCBj#Z zNiv6X7V~uTf4Bm)I@8`%8B^$4c2Ar5zGf&@PsNmRJ@{N(=qJ%DMd=uh_3up*z>eW{mm z@7EeN6Wmf9Ew@>zp)u6$|C^4fi1s4WcNYNtI)U?@Hzk2>M1-_T@a-WACVF{0>;=S1 zY75v2(HD74wP~%PtZ)RuNdCpWxTSh0W}M-mGx% z{y@@>?w--H41F#kpTpYdfEO0+SdS;7n6%{}<`{vK)h(|R>UsIXO6do= z(8ogHr>i!8N$5%Go!SzR1_PDR)p}CBR zoVVjbjG|F4Q_+R_Q?uN969!wA&#I0{dxjVzgYLuC~@N3$E-Y%5$ z*o8!o&x?C`?n9P(`M-BmaCW!CmN1RmAoQ^la|^%Ykl$Yt42Y13;&n<(2Q(mpe1u#v zgIkF@o#y{0#_9!3G{%05(ke%d((b77R1%z=ADNt}NiUo@j2m+*25!C*$*~A&E>`va zjsZl@aMq%{vkJ+zFe3Fe*`6+Ml23XoGo24xl1PC9Ql8|Yve#Vc(y=Hh*uuhCc~peo^z?m!6QTsk0a`q=yn= zW@NX%f-Iw0@3rV19BE%sy=_^1!ia*%`7%?%JNHnI5>;f}gCD9x?_F{Z@OE!fi0tLh z15)ZcCX*UYw{P#yuWfrD`T=gf(KQZB z(>a4al)#-`+tZr{lg|?DM47%-os2RIS9u8nWUs>Lo!~?3>w^u_6R=_U?)<#xx`72+ zX7J3J@z$#d1i4Lq1K-zCgzZg)AGOT3l2vk(4tHK2Tn6`L%TUQnGaL~%!0|14z5!$s zZ7oo^-1ly8SL!9uYuzr2R>tJvjUL?dESlEwt44Fm2;ZW=p~zJ!4Ra9d_>a!idh!-Cf;(Uyt1gM-KjegA?OS5>+2t7r*~IPEF`4$ zymMPW9^Aqx?P%&9FD*AOd|BJuU$D`vtKy`tYrlYry91i~8opfAl1^)G!_;bMf6@Jl*#7PB8#963-og~&ZbDM;bi)M` z!Zw*ra+zE><)?3lAN-`UxZdRi3M}Q_++jjh4eg?)i!#R^;=_SPpIf)>QosQ|>f2Ez zpJV+ep3OKguPoX85m?Q!_4)f4nZLk=vcxx5_5CYpL^~j-IS7u6!e-vLiiAyAU z;*b8~S{L$0HC(fQ!oV0MYm+I%}W zlbi!%e(JZa5#hj<@ad5L4G5-e`AxNE7a5@1U!(W%jgi~_&m$`VmPb{JM< zUK0_AcL89aD`vIynU{l~d*WTXb2DB51y|$t+Srh7wy3blVQzNv3H#HzRmsO}=4${~ zR}4kPCazTU^R;sg=JfGKl6Cz32)&)h>u>tG_ZT>O0f+oCsjykF0*;BY{ih|1K(b8V zA-TZj^qD{PjpLrh64zWzcUMQqbXFh~Te4w#_G1`Z?uXxT zEn}W>hwnfjg!3U#>i2fCGck6}WPEIe+=tn`AaD4c>h|ytizjewO~G+VGP*YcU$bw- zvt6b%$&EoHdyF@0CNpb|Imaz2IxQs#$&cq7a7!#uXhoS|7H{7sATxHuC6cZYwK?(# zzK-`8z((AY8E!;_Z+{H5tfc+6(WmieUZs<`mf zx(+`P+kTXTo4RwBLTjiO1CW#Rg&Ft}$6yUi z#wkH%-cp+#r~L333`eY-1wiW3mnKJ!phtaR(~5X4mjDrNtg``TsGv1XluZ+#{>SIM zF`B(|IyL+p+O>>S4{ZeB&>w9`i-qtJiCzuFDVzH#l&%;FUvhf*({DEbbx;p&&pLEsQ8 zTuw5R#GmMJiQ06h##SauAz}uGmXTUeIJrD%_4`k+t0)c5QN0w6POk3I=}P_O1H7s4 z#DDzyfPecHxj7_*(Gc-}_F?!>|K~qm%l_+MQ}=&{<5`jYMyN#X&%J>E^HXbM5xx3Q zk?I2NpE?x(;}bs#{=+xz|9T@|%@93~le_y$l=5%aE^L8>HX#M>@-c%3 zBFWj#;5O@yON~jR#H~GH+^ME~=WPq#YWbKgB6KgW2RA9D)X8^G_xO+{45;02fP1W^ zHy^-v4`8diCVO{3{Fxb%o{@T&3_F65R7B2{5*Bk=Og7?}IR9f%+d z@4BU$38;WfKfS#}HVVGA;TE6Xdd3%+9juO&u;r>P27vB520*jP2Yg^*XwXv;Dsg%L zD;oy9wYzy>kFCew0a}FvD;^lwMf9Y-pFToffUwgPE0giai$vk}DhY{NfK>?WRO+|@ z-{u8EX31U%5+lTzXnGLzS5Ef;JsiRt?=x&FKm^SLd6ptqpf%AN6uoyEr|QIbu<$|K zIH!y&5S>W1P!@v9HS2)^x^QZq%Lx6UXdrFV=70ll?ik5llA= z_Cu2u&nGv}St=%qnt)Qme~Z1c1NzB22R=150!4?tQ=!KYEpji!)N`y z71=Z(D|2x1Zd!aHj(bY$suA1{f2Irh+ZU_TzV?_kV>nkt;YoiQ@vTN|4#rZ8Ee2Xd zr|93ApY>EdT{$mH7V!B;xSAptfSge(4I1za)?~qnpBq7~;4XM-{jy<^{pSN)l+BTW zRX@eb$3RbD@DBWTVx?jjKEUR$x5mGM?2(YE3kYZTbt-J*xq|U=E&GmB_$cKrNzOxd z_*yFw>q-Z_7rG;?*QEZ^yUB`2gop9;x(FtlH$WfMiC<*Y?Dzk0_ttS$uY20RASfz5tUNuM!H;dHz**D#G*lvE|u=*b31d+%sexDW{&f` ze!tiA{B_RW=WMpD_5I%WC$8&#MK&o>viyK$BD$KxVG>X$7Il-`o?-I5r27Hw41zKO z-m?%3ePe%T8SOcl@?iZa6JLpL1Y|NF1j#yiPlwON{#Qn!VX3EJ%y#&9f>k9vY=I?v z!d5A!BNe)zUY(Hg{uLc^kH&5(ql%o@WKeOGq9ffx!p~aEWZ_gwllCsCE82+g_uxMe z7oi!lC?#_3R}Ih&Y5{ERP5(396}fFE&i&=d_1FJ{P%+$qtc7O8M*A@I;)1bMiW|R# zOGv#xUCf^N*IH_pD$4Y|PMaPjy)Zy*_SxKX+s9xKXxqpA=qmdG9U^%uSQ#o6nSsQAo9H@%UoLee7CimXCuubt}G83dXI3 zuZILI`VzmdQ_voDN~He+H(NNsvMy=Up8A7Flin3BI0F3Bai2>FkE{SGWgd2Ax`^eo zzbv>fGb8AVbYZ5Iu=%b~uXJ`g#cFX>0OpJeA6E(;))$iiXOsjB$w`Q1%%}2)Ws3Za z^*0Rig?iE2ry!_7Gn_dn;G_1lPHO4+asT{4=QEB!s*_OS6y$9c>_ZZnx|EF= zywusd?IoBue83B72LFo@Bur@@ycBIa_FA>2R|mQ!ngowix>ST|+0U0}={8L=SE19;cmCl)*E^0|fp{#R*2l&5p}Fk>0VR{7t7cA2 zmX1XWHOpz^Zfdj~i2TTE0h_l8OvO9$4r zY-|B$wVj7a%cUY>dB}yF3p-c&*1Y}p;Xa3U#2@5rx$LB2<1_@M)bHg|+ojNo9j#dM ztPj0MqvgO|yjWK2pme2e_sP|`EmEAH$~p|Cc$nogUa7RW>{NY}Y_RAt4)|os-lk&X z)9-R}ouu6K_XP;+v9+^y5HPql^x>`1C|1IA7&m17@a&^2Q=e8DQnS_7mWogaNXLG9 z3aA27?~t0Y-~a5>`DCq@=T9CeNehD6{AV3w5sf7SMbEWM8(}2Hq!Kj2EjtRtkG1_* zPQYAe&>^UR?TwGSd|V?WGB?Anp6TjMkXiWdVXk0;Z$fO1xrsSgx(4W*Qi90%ej?FB zI<|yK`zI)q4Pa`aIR$pE;bHU;v&@KU|d4#B~#R(l>SDgL9SFNl#OhIFzC~|q;!;*eCVHQ7BuNMV^5b}s2<4_@I8c_ETLK2GAY z;X#~0Av(xk=i#IxC0~IYK&@%>H;)xIC1Ztp5Jd-@rip{0$0rkOSOicLen{Uz))(-G z@eGQ4b6X9Rjy%B@!!l-bbPeI!onKYwC(rG}D_ubKbTyku0d7-0fPO3ThW%8Thxmw$ zbeYe#MIHzg`@43(#Jr|WWk)MsMik8BuN(iT_XlZIS0U}&>V5yk}ysLbeccRbiHRnFsW3i{} zegE|O)UrW#uR{*C#8`36P#qLIXZx05S>GdIvl@A0?A3*xo5?ZGC7Ux6E(Xc@V(Y1h zc+W<{{H@#oSpC^c&+RXFai0n<^1t|E?xGUgnq9>A-MhE|EVGm3rL+c>q{XPK24`EC z*D9jFXQ$A0^Y?Tg4k~ick}DtITQGIuM84OBCP5(Ha~gCps<2H8e)fY0{_~$c@Tdf> z@P3hY!zn5G3Wa3d5JZx2@DM4gDOCA$l$Tu9oVa;LCnS%2!_V2nhfBirid(nIo0q}v9hZ+^I1wPk^ml~wuG!#Nx6u=rZ}%&pA!ZF{4; zgscy06(wqKEyBe+HL(X*T_+9+j0cR?o$oUQartzLmNY#1ljbVrzS~xJk*Rf*v>Qw+ z?jNcsS!62Jl-1?i)pjJTPh(6E%fW|)BJcZQblZ>t#o5BtaJxDHmW^B}M9T2%p>ago zmS7$T!@nYz2W-lHhstI-;Cd{jkvn%gQ$CH$NMkEsdEdbUN(~OoG*0y-ZC|}o!$v4DNQm!r zaYk+$>4kNM?mF$Xk_6G+rv(6K85U{dN@8Ar}+Ee2?I>+6L+QQvQTSc76$ci(Xb z4p|@k>?@l`$Q&eEP0D+xoULzt7Mt4@qm$|2m%Ht^rP%;g<9q~CcOs$VT(XrhK(+=Y zl0Ql}F7tfZ_EKGOY%leTUPm>JQh`xe3*SehfyG+7tys_2YCvH!Ctm$t5xtTvyRInF z1c~)Avaywm^^JAdtG(a$y{7l00zLT^3Z|s%^b-$ylK*w9|JT!t*t(-o+mB0V{W=^g zq`CWJ^orSMFAOVHt@wAmhp`fQM)T?qFVYE$x=2 zVV_+sgA~bkVFcuFOYN3*M-rv$Lrob|nxk&vUfjQ_0FC?y;^A%sEzVf zfX|qtt_175zm>WF%Pk7(XWggtW*`k#4VZ+)7!DL`5M%8&75=>8oY%&tRM3-pMR+o$ zX{GAr8#cg}d)nwgLO+V1f`1GQ8as9!_AXnUF)INNP{2#&(sT)?3BoXqf@jRsVfN}< z_i|B+2}3Cw=W9kMwR%S^plmWwO9d}$t5bwrbu=)iftg<11rvw!Iw<3Q5ZRBP++_4XcCD#u){rn{WhGCi0mEl(-bxNa(n? zv0{z|e=~JnrlD!hoUqquzD%k(H|d}uF{_v-5j0CX_pLmuWcc~&J|`A3U#su&FXgMY z*{a>$a(P+gU~px;Yt>ETkB-Z7e3kCuyWFP`SM`slY!=c5SQ?YNERe zk5?3KyJ8s+C{eY?y}^$Re9m&Ls##s)c8eBimdaj8<<4h0W`d8Kgh%AxEQo~qZotcx z-hP4b`S+W97@CWGca`pd4Eue9Jb8Q4sE|SBa1y9jLaeu zD30iz_7I_jzAzy-lcAbo&2ro(X6!XHe1YC7fp0b++I~9w;N19yW3w={4(q5V$a!ST z8uU(~k1~L%acuq#zMHDl%SzBM_K7o1D}=?bvg6qdc}@vHdFDLse3bq1ukg<2rE#t- z3N@QIFEf33oz!%ruFJWC;i13dI#qr&jf66Vl|~FC1w9Xz8mMo%1yr+^hIbd7NPmFe zl9DEi0(WRR;1uIpaf~d<$~!;w@>CQ9-JhDj6yP)q2RDOuW$9!eT0HDr=3yebo_CZb z==F^e=>{kM5uSAO@+bB7wkGk5o^n6^Xx47i<(RGOsnHcH^HY0PQWg7R$2F-*!3Y`LLphxO>zoqa?+fqw zl{arSif?BPQ5_MRy&rd=P$^B@m7}P-maA4*6DV=<+Xt5nTGe)v9O@;ofN;d zz-7_GjeE*91es@oAI0(>1|vEMFE2P-G;HYjBuTS!o-r{eFk|j1P-rT=e^#4Mz8;aO z{}nd~{oJ?GyyxThHAp<%p4#yB~T)>hY z(m^ah-?eGQoX$vO3xhj>4KbxJ0AU$y|ELoz zM?>ID7pC<+2uBG!a_Z9ep+blpx}ZJec#t{*klWd6Cr@G0%ovXGSS(|9<+7g19@+ot ze6E^W%6Nh^Gt{}r^Ms}P>yL~jNovK@O2 z7s(?^QrcDpH8+1&((6pqyC}yJ@b>{jVz=wjzC!BlE^NfV|qce6AMG z>#upbOtA0KH?6vH;uS>FY_h%#J9+mOKONZ_`9=20Thb31^!-JxPnQ;f*~nQ5yS)Vk z))cNO*&KkuPctZV4O$he?gbqoTOMQ+nL-JU@g$cS6}cTpq+-WmRPk$A=j-}lna$3^ z8-4p>CR=+H3JU-Z&og>(MC(r;HM)Pg8LAbpG;-*ky&4riMHbKE(ofxC{}^EIngx z8i1>u_IgJih1co#vd#X<_xJX=+tT^KuN|lDrS1|2E^x6h%r}Ac;?W}PoB{`5o6;~Q z(P{nAr!)!~ifI$v=W~z`5@V+1WId{CeYj>hygZ|KMz#LzA$zaB;S$i-*c9qCQE2$5 zy`Yjr*_>MBgq|;^gx$^|fKFqx-4}+C-l|dPZe@E}A9KE6X%N8Psq-3;zn#z8U}q+FJ_(mC83pb}@i0r2rDn{*mkcjM=?GdrIq_$_z>|bdvmi>1?Gx9GA!}Jrt?LL3 z{5MQYV7r3@4ZNWW+Z5&Ut)}?*c_Or>KB^35nJy46^lt8%u4=(@FL4e9V}u##cylK? zl!EX-^Q|{^SAq%kLi`K_FN6ZvOSk#a@;&P4LbN=DYJme&BEdma^mf}`xlM{)o4@Sz z%eJ9;?dDZ%NVy4nCuW%V(V*1_lJXaA)j#5on{0FW$ly*p|6}{3e=67Lo$#L$h>zSz zea??Lcz)IYCw$;LWf1K~BG_zLen%d&eNq?8oZ#D^V?udx(tY-;rIFS(O`Tm#8%j9A zZ4iZcS`iL@S790uA9q2L$m#YElW=r$HS(P?i7(+GMCQ;*FTowHiqel?SK;Gdw1t~) zP#&)kp+Ta!p@c_KsVXEM)F51SGYhyki{X<$vc14@$Iw|dR{9x?srnUEk8D#E`bB8? z8MfxDHJDDz^jUvfm1(dJ%1@ur|4HPLXt8=LuOVN(NDR*i)-eTPx%s=kyu;5tC~B=z zaF5+UWO-q{iad4%5UN02iu2jjk9ttMYz_HLlhE5mUk(Q&MhnqCtP`ISyqewo&hceC z$U+uVoH_L@sg6Yy>SFh?+V^wel9J}gOficBFp9!HCTm5?Pm^)}Nl{GC4X0T0q-@uq zAIg8WQCDhhJTW?FBl!?s2k@b4eCf}3faA$~7w;wBYv;**c_g~zXSVA6W(TmI1(+aa z*QYi+VKbnwlWVE*JnB@QBNPRR^wpUlJCoLE!vc_-|Go8=jbx3BN^x;&Uqq3+U` z%y6vVdg)@{+_RFBI(=DC8bFA@+G4F&D-^RXzx4mge z%1IxxIbuMIe9e`$`A*0}7Tk!sZK6Y#H|i9zLMc#+ICxAng=}xZnJX5mZwbEpA5A&T zaH6l~0`S^NqfJiAbr!JmdLC{HAC)H*7C`WmsUXZSVu&52{d{H)B|vtuDZs~F=A)Sp zS81{E>pfN=%oHRGSt;m3YEIfDg5_8#pnm3v$Bh7}64Yi*Z(xg`Y{@RN2LrRnTZD2a zNoc4j&gi3OAR5S%xqx28Q3xC9HBh#{J((c#r*9=af-CvVGS18U4Ho z=uK+B^ll+qAaaFPI>KzV4$#!HjJA9uajw5m^kXI58xy7aN>`$S@6v6W3Dd>D zI*PvtmMN8wjV{al!Awhv&Br@e{7Rj7?MIqaaq@s<-mzb_ThjX^`<^nH{V^xaf4ZOj zi%pV2C=z_kzevn3MTop3xvEe==`h$>0AH=b_gYqKn@=j^GtQZcPxDNxxk0{`@Xi** zG|H}lC7UCs4NeHZ$e5%sxbQJuyI|I%vkTQCRl81+Z%+B+`D|+PeUnPiKkE|MvMOfL zo0qF{B1wGZb=J_P%(p@ee64q|#c977zmwJq-6tHihQJY1STq%G+rJM2UKWnG5Ju2j zTc|2fyBz@}&{t>>3g5kPGr}?>mv3b>)5E-X9Y8voD4Kk;ApTW5BQ!gj!XMl#4)+Nc zKNHHV&EeWI6`l$AF_KFzH3Bn~+#%C)uB%QX$^uC|zo(_{@4`~fi7uCOvxE?4vn;qw zfdm+`hHNN7u1k2>H7$1p)Y>USRHR7DuMeGXDoj9_SvK9hc77!nY6bl(o_wa>#V#-C zzI+K{Uz-x#w+nhtW^q-nzxvFrN1eA8nKR4A9HnCepF5{KcJj5kPc|4f zN@}DKGoVhVu9MOc_I?~a&%-#mWum31f`V4t$#vFqm4)vC+_;@o`{dAyzo?-I|eMYu7z1UJ7( z_~5V9!st@VA+e|Fc?)@GGW;o?)Y&WZ)sP&GgzQ=J2QDk|bYaqhv}R!c-F}|Ft#vL; zgV{3WWh>FaRkErWW^c#vncxWWM}NW2AdxjwAF zL8O7gRM%m;ozcV2H;seL`AmJ$jR zs&ta)-2?PG@M1QI9>MLl`~95PnJ3o6c6x#z8v*U%lS6%3j_kz-Ow;Y=S3 z>U`f;5!HgKgteHbx8O8r{IvnEK_6q4DYTB(k!VS8v+a3W{fCu;)O{sFyM|7}2L9z{ zPLvwSBPpgtV$-X2xUhr@Km(bjZ}1z*u4Pt2XIQnf?y_GPCg@T@T!yl09s})%qo0U# zu!LtNVuh0V_rt}PlrYO7_d{KA>`blIn~!tq$*xSkM+ospz>HIHh449Ziu7%(#o?*7 z56w}KN9K!SvvwcH5#y{+R-!{=Mgi^`s0~?Ysa0T{AClNret%q4 zO`&%Zd>gCPG5!A0mod6Wy`#5_b3)Z&#B-_HbqoHF1BT~jcxu+(r!f~T!Ir&X-F|3^ zyeiY?6`H`Rp(xq4FzQ9N83*%T>xxyB--D(!Tt>a^CUJ8jZP)n?k*+T0mX^>H+0vVB znDg=-{7lWqGVJW@JH6!d{D$MXUgocRQ$G2A<;P)#Cpu8FQQ<;b*Fm}Y z$cTG=5@qd5(HFTNvKmrDQ}cs_%29C5uU#NuJv9Z(a^Fej4G}s?v)i}f`Y8?ZWP#BU zvr$`^A^NFj=k$NHiyU5Y^Sa=7z2^Lt2kUx*+e(KNDT%_fV_jdP1Sb%Hbj`!g%sL%q zSkp_l*a)|sJbi6;(z6oIai{D0H?8MG*+0I%*q_q=><(w(3H5a)ay6WmwHnpjIJMTp zt>`laY7f-bPY@cUrHr6#*}6&0o$kX@uo@^Oxj9W=`GBrT5rAYd)EwvrX91SZ9T9dpVL(X2w~>2^s8q3M-{_i?C#-NjGPw znCerZr-&a`zVjkfgI<~_zdXKjKF+^&`o{ZouqRk7cIX4C*96Zce$Qv6rm+$onJJz73YI( z)IAMr7%0#c&e52KmS4jO#PuJW3Znl0{%@uM;%omc(*PZzNgX+1EXmoMUAm(_$|C>b z8DQao*tU1X8PaA3s!Em4Gi|MsZNTwCD{wr|7;LC%R*pmdm$MU3cN>qxpkNy>$s%_@!6X7MBr?nF2PJ%>Uj!N(LfwrB3lL9nWm9Lo;)U42;*;gYl zii!toTzOlbVHOE*lu92OnL{Sv{X<(n9$1gW&mZLvp7(o+6B=9%D1Y3w0t*#mNJLM? zcw4qkwMH3|eWFqL?L80%`*v1!h4X#Mj{NlI0_=3{8Mrdc0;nnx_aLNl;IeMUGb*MRV znUc`LYrUskmCou0^s%){73zM^XK9k%|D>nLzY{xL*hdr}f6=4XaIh#l3gdCx{ogA7 zDN+tl6IRPn?9lW{;&a}zoYvg_3MxFBl;qK11lw{8HdH?akt!T0vFNPAA(_);2?t)H zyOHgYLt;C7(y_|JXUtsruj=H>Ug9Iy5kv_f#BZg|Y(EGqahCq2;@{&1l1T?K`rrDF+D!-k`(5@P_vXH35q9`kAY7V>t>+v!PK zKB=`2?HC!QmE`1B@bGj_wG~beC(i#u#FI@>zJxF7W+)sc2z;)p^l)_$w_IK_TuoLq z3~2{!SdvTAL-A>kl%oq#uZl)5NLYv%=EV3|1MmKl%Dl31rfcd;p2(BRU+L-SbCG2{ zufXqw-_d`(e{c(DjCEmtOmFs>&tiqjjerma_c~;Oalha~j4;eB=c(@L?3PufH!HD! zX!@R%5{`7#IvdY|gozXQFVZJlCc9taH&T#va zhl*PciTVuxR8S?~g(6_YbYrDGAD~7nI#y z113Ipe*EdDk}M&3*#95@U4)`e!i_8*WpccL6?4X6K6?_1H6GAZXIEE&9*_&9l{`?D zaiRwt2`_bi=SgrI%Bx)*3pI4B0=&N%0=_`&YCQV!R>D85;lF(;O)b_1c=s?9Eubq| zhfBH#MPscSg6FhCoIyPni2X?*LHo)4z4+exQBga>98Oh#8eVMKt%TK^3{|&GqHYeI zx%vlvk(Dy2cyBsw-PkC(80+H*(yDxyzWR^HoFIItA-aVNpZk8SMx}ESD2%Cg<*d7* z{nl$vZ#+VXi-F0#bqHo}9+b8a@PiXXR2OUN7qa;w* zz1!|~vi;uh?p;%8*cH;#d@;ooGWw*UH?7h-=m_1+F+coN#MS!m|3<pAEa*xIo1j z`7&3Cj+8OJ3f>n(KM2BzVCdG_w<=YEI|#kgzd6qt%DXg&RGmSJmA|Dp*I(^9C8Ojj zxG{PVA=1L&Ax?CE(inK>tU5^Oa)NVdu)^`%)&DAqWEZx^$2F5xXg~{a9Ev0o$}8 z@{t^DGuXwmaQ&CMAz$6qW>DGX%?+VHSZ2*;2*H}+m|KKzx>eu$$!%)m!$t8 zufK3+_s$=Dga5&C8q12-_aSWp^?&rS{=47htuhP&WE>2pDgWSA`FB6fRY;8@MI(eH zT3du(G!|YRL|(V5Qy~hAcYi$R%rb#f5i)U=3a9=csGzN;F2|LP*d1Bm2ihokmhy6HdiXA?@NKxoK zSlFoZrD*}0km$`%=B~_`eKW;E z6E&rSZsbJY@y!IcrY~3kU#q7iH&>@ASlLGGjARJ`hDzJ&Tlgbf-v{1q2FcTPTkk>+o1fUwypsSBRq z{wUOfpqSlB_$S!mkC|>+|1eK#Mtrs%}ys|`CLkhcO_UJ{DF>+@3f8e&nQn6E1zaxM((z~Itw*obrMVDATJE_tkmc}t2EJ?lG-g?vDc_kj>R)wrMbp>!va-&@3V&Ix^Oya&DS^UDi zIp48<=l5?6sXV`;6<=ML`!nm76l}LdQm?U{a6>06n$jA9(sa^gZ_33;QWE=eAWwh% zbfL*mKQ2h>n(8D463}6lXG~#BipFJP;C5~XsjdMhtwaRR$FB=Dt08-o zY`^XYZ874KU9TjFhlBmE8)hVx?S}f-2@uF$nx+T zU;t_c-Q-c4i<<#4I~OmI!pgtqY>75Y7nf0O_tEmn!3rz&z+E|)<*7Daf5E*X!>`k} zs~PR9>tO%i+I$}Lq%L&Mt6$6@BmLtY{ybmN-k7CH$8`-t-?=Te1jYgE;%!Vb2sqQq zZOC%+cJyrj#sYBCnJcM)b@h$$VRV;VpGqq6(%)GE!?JZbY^&O#eDq;lkFK*1H#5W@~T)YrZ2=~_omD|GcBL03{Ou9a) zLx=`)1_H~iPh&z2fp6Ofn~_1*-KE2Hj+!VBSMaQyl-VX)Yg2O@$ZBP~Z(1%c!F`Nr zs-dFRE1@0a=TS{6>6aqi{qe0f_w?orhzmhUa+3D5pFfJE;d!gf_+x{Q~cy^ANI zl$i1u5QMDV?Q@54(b#<`@&|NXimdLL%7Ql(MEtD(!_P}BV#&MX?s0!;DQ2O zrDVtQ9lUu@vi$VzvNww}h<)POvU-9*tx&6Dw=c*LTU-YbwY87s`<7z%RxS(buKGkm zaESUg>soY1U4ZSPUg2{PWQeS7gEKt8O^sjA@A?=~Wh+{OJA=NmAF?8yX2A-v)>JEM zo2d+fuX%^a;UiWpFBldt9Qk(hVUM@d@Flzb_SJ;BMm3qf`pc$aB{n(p6DB3Su=lHv zs{r||4ej&wnl$@*epp@Y9u^Gj-hlyX*qm~8CD;JmZ9X0P_r>df-6u=N6a38vAT^Yf z3)TJKZ2-ISf42cp{QqSG2x8$>xYmXi#U2%7?yhRLpkVNxdl`jdUWx-mDK33Gk?-wT zUyt-qyi3rfW{Su`DwZuBK}OX*LPFTe7%jQG0t#&+5)28+?lpr>LhJW~F7{^;f8M#Q zAya54jf>3Lcq!~=hUk+mFR5A;B!56Mc#TqlI+k5tOC+fILCpmmclwZ*TgUSuz*EKv zEXJ-{Nfbkr+Za!aVZ~y3WBVLF1?<`7%t*7W6ZAruQE{EFyQ6y;Pw#4m+o|H#%+lfI z8yV8k+naeYyFZBweX&hwl`C!#B^7_aSeUAkT6@ts*&%f}2y*q^}jESmI48+MAula9eAO%X_(AzQ`gy3kAS-MdLu=qzXF-`*K6WOXW0Je zN)_tHIELUC7_5I8mS$~-zQAKhcZkhX)pb+d}T-JtkKBFWh z!W)dX=FsR*B8bW3e$6uAYH#W5+>)VBd{Y3n1ec|d;zj_Vf>tB5pTt8fP;M2*)*SuF zfP24M715xAY#X zV?7uj6DE?_>pXp(+-LNSdvRbjTHWSO-RpZWbi-m!wmb8`;{n(L{-|ybR?U!8fk`D9 z)VXADZGqC?Kl4LSFY@_I5_S0lf!M=3or6HqZbp-z-=dtxoy*#Um3pUrX%zBIbwuS~ z8mL{sVC3HBU?Unuv$e(WvL32gJhXjEr+02#8x$-&M2~T0JI(;3+MX}zTR09_i#9}7 zapZs9h!EWo9lLA}gFA2xav|3tNu-Qqf_saVM4y(|Sx7gn15udGRWJeYy#N2i1mJxI zlKEC5ChT>$gA8sb_BxoaeK@^6*k+O(s$U*6qs>&3Yyv&ln#VbK2(nE@!=eDEqapaw z&;k6AXi+R3UHEWV@O#{p$FS8(nF|ViMEkW#eVqYoy1n+pESAS1ty$%Y&bjr~1pma6 zdi3yurp}NSjFmpiN&BW>_eo|d!qWpe#4YlhIR2okAx$|8g(1#wIdoczkyO#;xiHm2 z&OtX6%0@GqZk*=`(IPyyJ^4SO#SKTuDpw`K*(;Qg54JmEY=-SYU}2;7*D94z=u^2> zVIF)bM7Y#-VZ77(Kk4@0y<1%dOIeOv7$!$bG6dh(A_%d@ekbH<2;;TFg1B$yd@fcQ84W;koq{)JW9dmb2ur{U4xuj}eP0fx@5Lx3~ z03mG)^QkPc8i!zaOLEnPMqmZZiyT2zOWyQYjiKcgJc5uJncHs~d6dOEHjWE6{6wjP zp}GcxJjfbwJTG+0S@zcF=1zyU-=01>vkH#x+07&yO0}a{KJaHx!ZN`kAa#dj!Y-m~ zx3=7Y>6D|jlxEg3m*t3&UQK5f-1ZXzw<=}ck!^eF`Z%XFxKK%!JoO#xcg1H)r?yeo zD!6El$}pG?q9Zxcr_<+U=wI7T{(A1>rhFw!?js-5@w7%lvaHcYKo-QDpq!axZoiFp z0lV|VOVG0Wo(nm_^c(!QL3k`_j8zY*a5V>-=U2(P&K$xkop6D02i5#L?co}4HQ}&( z(f8_iA;vFFDuNx)%(`8}8OX5m{t@eIBRM={%yG-aGulRA-Nf4Mr_-M$+(=`j6vwmI zx-lK=vGW~dHYacNsQn0(mz9jq>G5RXV++ruk1pZ>$$F7+YG}+0kwG^y4uP83VF-?; zauTC2eK93XWf$bjo*H+x70dVoN3OFm0D`)O1b644-$5!kHQPl{ge~wc7Ls;e%)D{7 zkQvi!&JdYt5qC2DSxKa}*us76kI*uK-~TM7ti?$PCt;otF^Ps@ZPr(EMB9$|xJ(k{@D26Tjg7dS29l3JF!^#!d1 zTA@F$Ig}?PdH=IVpt0eM9GRpU4CU^#Fm0E?^+=!T6sYZUC1CPB!=v--nX#*YNA1(; z!%O_O=?sj(3x)gemgr<2Jl&8Bny~)ndXovLVn*Z^GII{R3|ru!NOC-X#J}invyJ03 z2ek_&HdY`e;{k75av0RKm*Qstio2<=6Zbd=d5kKGHI6cKoP$4=B2FnqF-r)=2@+OLWanA z$V>(8`Uh{Ae@2Y^-D=HLQ4+pg1zXc!ZALl_f>6pZ4_vh_b{8I6-Uo>U7a}~)mt1{C z!8ln=HzfVjVySqFHWzeq)I$*~T0Ssiz{M!|R>E-fT4r4k9{09gvDvqpvH}*XL@q&7 zR2gl5c=b2W01hO9JML$K9GB*9gs1cffA(4BDjzp+guK*oP&cxZpCKQ0fINZ-B$d#C zUxx?sdwDCjhn6^c9xq>SnP&VWDuJXivJTKV+1u>=-8xYHUswmEDEJgGM|#W#$hK6( z1d;a6=G39yO%TPw2I~1*22+H5L4l*_jk-{d{LewaTG$dA1#sYIH`z1V;A`}Jk(nj< zbZYcwvhCX_xXv1ki=|=ieh@3J6i>em;Wzza4Jb6-Iv_Pd{Og6;(O)n~7(lFFz0l(a zjq)8q@wPT~*G;}rHTtPkY|5LaOCL+>KDtlI27bGF48Nxg4v??Yf9)Wctv!K#VQnwK zcs*lKyLq8BXC#52X+UG}7a%pZgo_vF;O9qcu*Eb&;y^&Qa%k!e?c21c(D1LaCvXO# z4_maE<-ee>J!a_s$xgi}tKbf=Q)C&`6-$iEyT4rp!v8&2!HQox$>n>5c;2#j6@uG+ zZOtS5dp5ZX1p~@DPPXT6kt!bj$|Y_rvPtqMi-82u(NdyBS*zErU0irNw;n$_vYi7V z;O|R=?$I#Vj13$Ds}H3k^`QZs^(lyYYm1g+=)~0dG~tH~x&0{9Wn;F!iF@wlHjG5N zrPHWWVXk6PIKmlQB4+k&s}ej>#yy(65_s~+Sb!k~@7E(EO*2)^*8@ox2>wf7 z!Enew`wGf>tVf(|DkESav1PA#=Jq6d+jEJbk_CoNem>-g(Fm-raCWwqQ~I{U1)%Tn4z!ly~Jv{*}vM{Qp{) zfm;-E8T2{+i_5^g8;~W&HCLn1RtA(>3g*T&In?LP>ZtUduE^pc`zn_G_Aq?%vs)X( z>lIUHk&K12#s#hkDmvkgdZc0@rK?joMM}qIM4&t$|ZJhMkRg zoGbpW*q_Xvh0-toc=f-2da(|6N4xsWA9qgdG7*4YLDn$ zjr<%N?|qeA6P!W+Et9o+p&FY{^PEa*<6Nb5V*eQa?w_zgLL~$Rq6#+Cj~|nTa_adl z6*N7Y(Yq*l`*Nju)%@6lnMu>2p&8bM zCacy^}L93I@~N3{-I7Eab>y?T4&zeVU_?f3_*-urmE^PEP8}dN^~T z2zxzRSy8Pvp*R(s4-c(D5_RYBXD6C}ZqHP~{a#UM!=E;kgOA{S7ZQC(y}Gn!0R9jL726Lne1zj9(fu z7_W^Jn)K~&yX?35&n3vbU^SCm-`QY4693@v~+{W_Hjj2dfOKxI82 z;t#T!qP5j`7()Lk6*5Ty#|^W6Uf5zf^0GA9KjbrAE_a!}K!;_d=VB!)l86y7$!FSc zSyxOe(`LVwp}$o0&FiG)gH7E>5>F!QNICvb7!NjK+3AEsDmM+b0>ntD)TdOO(yNmt z%L}vAcw!y2)z^5x1ng-85;{xUz*M2?n}T(SNUKC=GdN2LXPx)ANBsGkuf1YD|-wMN^&3)2Ev!6duH$q}4lzQK;ACGSa zGOr!B7P zEJ)({;__?;QJ5~B+J@LN=W+_7EJO8frV0%+f@TO_ zrCNkJxU=%_N%Z$dipXqpZVBiN)SOnk$^B+gVgxH^blvDd62713kU;}-=h|cLKnl?JoR|oeYDOHNuk{>&%-g^1YUVf<5mp?! zSLCW;OryJxLfw}h!H(CMbO_qEX8@9lp(LF40&-8yn&`)n@o?rO2@tl!&7Nobf{x<) zxDO}O+r4QKL5@UczEMckS|68RuT5#r#29r}sQ%6YSaM#!#j7;#Qd{Ln_+zT^d`yxD z@sdT!6wvXx;~lozg$3vi6vIIQ=lkkH0RkSiU41-VJ_bk9vN2Qa`eDHhw-|Ai#4~LJ z0E+&0s|r9q&uaXAuV(^g_0yrjQme+FD%074@g$!M!d}{_I$hL+g8!1EUXuWAxx!*z zr?@lN-zpd8u+kv5?4LaSS6|{^_xFH=^{TSjuc@>?b5umi7azuxOTUxAK=q;L!3ZR; z`-tbXjD}3$&TZ4Jk_~Ql*)DY91o%@fzuf&ERpGu3q<{F2%?ae;MIaC`etBnAcmhVN zzsY(?*`x%)%fxw-q&a&X75G2%{6Xy?`z*PO3N6{Cszem2c}?aoBhp$fe16;da%hbm z*nK@Uj{XyZ6wxN*+nW?mP&f!6xrL>`SPtQ({QZjqSL%UaQjgMK;twEVTHo`pz;Yfj zCM?i7trN(PfT^y5N8dVtCcPPj5XFY(&@Q6OIX7Foeyb#%F;)z3d24&rgQVGIf88Yl zy2yd5Qg{~I!T)$6-uGJVN5i|7fXfHU(?z}-ZP7GV8Nww`hE{gf+A5Xt+fS}V-}vqCgrR0bUUfL({^$GB1P}dzR2)D&!}yLHHY?EUNOVQ zOEpXq-Yw}8Os^jTPy{qW(19s)U_)i^j6_yzy&RN#mG@^7aC&wuGuSkylK+<2Cc z`IVyZddfAF+!FRqpmlVr4Sdkrh_g7hVjN>RNeqzu@& zx=4_=W9P)$tcNZ`X_H7IE%n3^18YSS$P%^KDKl)lrr}{bwTxvS18aGG456YU|Js1JO zA_4c^MlsY~RyJt5PfYeK@xTL}9gDE*$r3RpTpHDaThH8@#=`E=6gw#Oe!ZAkT(cHg zYz=O?-t6c@Bubhg)l>UH(KyQRxoZj6qrr&}!5QA{Y(GTs2_S_{%L70!Yok@$S~ zPRjeU)3o{GU3~ohs_pt+=7jy8iQuFE_Ec%EktlOJ;|+H1S}E3N^|^1>MJI{l1FQ+y z?N|8Ra$QR>A7RzDAp9`v!6+r{)`zUi8VUY7SC#V`BuX36y7YUzUhJY4=6c0+ocG`u zrqX_&s0ngNYrin1hWsiczNOf_dshHspwMwciavj@Chlt2Y<#eS+?7eiuEMdf_fcw~q$0rZYxCM2tm=p>d-ZbzV4txy1NT z@xMDr}m?6$y~y0))k5B~YSDkehDPiSR6a4ZnR=fj-nmpyOoT@F0OhDEO=Zz?*iTNqV~ zuv^?3c-<4Mja{=G!OYL3m1t|@G)IsYdG895qR!_x?juT~1N>sJ@wtHz_ z;<`zcN3hp=*}MY;)WMUZ{zl}Pq=6dUkYtua*NyH_45#?Z;cw2hdhv_AQWO6iGw{

Qr`pxn>RntxEsWGq&A)?SIqN3PBBdo87uPlQL7x7P@KLMg8Z`!8rAJ=IoT2UFi%^I zN5t>}RZPnQtP&GAYrq=(d_yL7@i(|;n=kOk2pl+#y`=DtEDwDJValXd>JuWQ8!lDq zog`2LyYT{uy-ok~aUMehn_VAVj;E`xW%?d@URRgJX-OdXquDL*aJz@Kkg0CYj2z~n z=F}>3U3C4^0l+Ox5l?R{yqti1m@&adiukZ&xOVk?;O93PkY`KUb_tO#zr)1`R6Oa&d`d}6S)T*7aeHRHRE2i! zIpl98AeRs|$6;P!(pTpk=CFV$f-dA?tN8>sRAO0|* zGWPd}fE9A0#UNxwh0um0KT-2!P*yi%6|Z1$l)+^QdG#WxI}L62j%2uPgIn!efY?Bx z_{EnXp=_bCf^E^8V_O3Ps}z3aueX~{X;<j~te| zN&bgBG>b|1J$!^? z0VtoAX7S#>3#=xnLpv^yGCkYcvl}5pTs>D(2&tihmPYHfj_;qmq13XpN-~OE4s1Sd zj{}bEoUcdqS;>z?vYUE^wmeFv(Ke;I9MC%SWWLij>vq*SfH@QAuwoTX#|<=iHap|z zR`-5b6gm7(<^617(sH<>dGHWhD2nd#;nz9xL-p)EDiO7%Yis!AynV8F^Sf{)`oMgn zSV3oEavLaN^B3{3g~gkV?_qIvf%~S}8*=rMxom_Zi!ssu)sLC{mReC7Tc+fnK#nLF z*F^_idp-R$tpDc^5>E7FV6_swE$9*)7_&L*Ko?1BkN5iHUKNBTP+aOgC5~TtJFlqk z?uH-^tQoAT7IDR6Z!Wk+;cW4KCV3phyuYyARb+;$vP95v`}tYNvnwelLg>B4pHAO zVT2l$eK2k_bcr&w%^z`2xP`ju>3~I~a%SaO(U`Yhlk|qrU3ckwN!q18V!o(k1gzIn z>)WW17(%)>7m1!`h9Qf=hz!j>{9}W=nn37(Lt?RL7TE7! zK|Bsd4OZujZW1o$!zaw}=zfIy^*-^}4A0~WD1c?*3hp}YX zj+>OY=zgTgw9$qmvS8oxGv`mEzflLt%#Qav!*=A={Si#s7}udkNd|?e5wh)~p}%#M zV>IQl$5`=0WRu{E7P+jylZ}%KD8dN8{au7%Ov6~zuZF1q43}Cst+&0YgC!iW_GS&O zRLqAlNMqb&@(+FLnxK(O!3AUb7mqTOjX%S%C7YupX%`>mT=%s*~O6V zhhzxrpIJ+)twSB;M+<$Y_8M;j)H)3Ic~MYJ=4qE>f0JZ`aGAFH2}9iHEydviud0=1 zJOl#DI=KQ%cAv1;*;Enqp?0%L@|umvi}xOViQ#rc9RF|^Et^*(-0s$ahnNC8AFPrkwNS2tP23H5{a?o?8^~0Tro> zWZHx~AxNoHXcm%#o=59a_pYBbBy~DYmHx9TTQw5>Q^hN%syDARG2k;lwomehON9xHs--+%?h37=L2)Nm$(gA%Kb@4<&Oj`6H$jBb4TmF zycmYgwhFw&A*Y#MSeNO-FT$ZCjuNP!{#RV*np~=j!9O^eRDWO`hR%p>FWsi?Vecxu`7Ed1kHo8 zxXEc(NYFXeks?+Nf4po4K4QgtP(%2xKY#IJH-LMkabVjLI!uHcDU;V$q~>kEvgX&T zGPs=p1~{0p>#x-ok55TvW!RfFA>=Lmk?$a(vYZ1m>Ui$fUs%qn-Un6tNB8Y0-S@C$ zrh|+t54erL&$uVC;rIx`>(We9Aa-+)MAzl3ex(k3I(}$XNm(a1tX+z{mTGP}fa#gr zzWGB0$I7a{0Rvl;0MEN|KbF_I2QCgP8=nXN1U#`h6M{v3O(ouAtwdgp zx^}!i2T-_3>WI1qL^23}YdabK4V~;5)kgFEX5zvR3=--;|HG1i@H*JwdFEtaeXJ|M za%u-dSM~{k!2-Ht(k7rO&7pE#x=-Y+bG1C2vfhO;F$4i0`nT-N+nGT1AZD7$YH~!T z*TS8F_9f6wv$he?IWyK1*t{HZ&J!1<|9xabRWXz7Kk?h3*4QhsO0!dqz?2eqyzJpB z#|73anKFTF=h&=7BqjNK3h613H6v;$a-aHhQ0-N-e<7amc9VUPJ|+H9h{OE*k6^>f zdOR@+h)_96DwM-3ocUhbv1JB}V@#>r!R}K`yr6o7Y+s{>ZRSTwvnpmE!wNHP+@T4j ztDh{EvqoK&kmF)XcocT(BX4GRcx{pt7RAsLb5nK`=rJ?TM*~KvOS;_WzGaS|_LKvl zq$1S7xwmTmqBnjopgc$>6bPYz zfK?4iH#E0**7@S~YHOx7!+Pw1|Aw+pwuoBC!4K)B-W&K`0W$<(-j|L+mx1|)-3^Hu zro}0eH|;o;WqYYvF7yju0{I5|!P*@&=p|uH53TKuMMom4cumKv>Gx=sG~IrGylmr@ zPRTvn{=T-1yejH_*&DNBUWuqGQ6Nf*(gSul7EZ#0R{tA6DcinL0lUS{C7tfJ=tf>? z;1kAj(UqYi;{#Zu`RBJf@4Mfs9nhgQ)>!@9U~=oCJ$#(d@Y<+s%AcJa?R24guMnb| zr6bE5j+{?M3#~LW;02g!hw#LqJ4m(qSIxYW7i%*Og}9n~BI zL*G>%&vcjN?0VpbP^B8KniPhC7Ltc`C$C9iwxY1-!hb}#Yh}#}q4j5e1RUY3)X>`e z{djLXUEp|?tqlpxOtj5qzv}Vu#-e*50>jR8G)+Yfua7kNowgIBN8bR~=w8g$M8T#g-m6AzPFw|&ghx?GoELPIoT1*=P?^J*bfssH3F^~`j~SCA@qaI z0+4B?dH}jFMmWh-h0$sd*y3=ytZ`)fm@M4v*(?U|oaTW*J&%LvQ;_Hw&U7FgBMShN zqbmt^1>2)9<<3*1w55lEI(igjdgvnv>WulpzQ3)fDmqFix9r1|O{M-S0xVwXl?ZQ! zmc4llFS8i4gpAkTsCf0!`vZ@T4lQ<&7ZxuB4g zZ%64~V7o!@S1nIEI@ggh z=*i>7b<~Qn%Ah*ian)UDgAJfs74b&zzm^vIU6qdUvicmnsjKsM78L%~d}H(7jDA7T zY+u~7QGh?F&RHbr_R8<`WhuXG-l=&1JnE61Y^JJ+D2sranqxnW&Z}t4N&^AdAQCf% zIbOk@xB5CGBYL!L!ctD02<;o#BaP1IsXB*LU;z%y~QIAizCNiWf`@b(u& zaXx|T4NlC!u8knNirtMs)b&xqT#K%@3nN|O&6S?VOZSdM6Krd;0k8bswgMh6L$i`k*=i=m06(+DuZmbmxLjQ z99B%IR4woXFSN|hqG6IRoXSF7^;w=P4!qX2u86KU+YMtOVa5|ZS})(tON}`Vl^O6Y z(HJj?7W_74#ojNr8-w^JpJ3S+N0l9$z^wa5H@FED&zW$+^{ggbs5c7KEP<}8<=pr6 ztD|suBD49gjU5D%T)SmYZ@(O^o|7!%j`bBo$aDsh0HKbub*!M;AGy4bH#>9k+j10j z$BKKRCqb)BF8tB|=0AxUtc<~CJzx)`!enUzV~$qTRaAVDBW6M=JD5!SH;B3CHBAs# zj>-nL<`PmE*`z9!x_gsl)Rr~HN#@1%W!fgL9O1;cznRqkB~19E&^1w3do%SQ+ER^i zQ_9@-_z3yr9%QUGC;1K;D^AptzftdfV3w*T_?JhN-(S5*wpb!YpTh8a6#P$%ulPeT zuH6rmIL!tS{A=?T?+BU(=E2hSX$kz%^PUL{&4b%T)Y=C7GxKW!K3vn~h|f#be{%O}!b~rGooa5rV4d?@ zR=M`;p#ryjZGKUfT=M?}siwJc9i|p`ZG>Ag?#K+5XJk@9Ajfh48q3O)7I8&Q0#Y7x zCE_343X0d+NEAP|G;5cce+9dgMM|qqIA#4}R{3p>ajSfBD?Ty6j(ZE*mi$*jwjkrZ zn+clWHRp}pC%~Rd1z2{ux^W1hPGB?sV#Y-+1mdJd0m>=^Oh0O02mmnKnk5jzTbB0o zz7^Um^3}2_AN6T78%WIV2q9Phou(MA`+Suls6_r&XtFxl^-V?fxHQu@0O$@rV&U6W z1zz?FtJg$YQ`r!A=U134$Ds-7Y)TLQGy43WnDBr5bA0g1=dN-3zuY?x4s~Ypf9Uu4 zAwjC4?KQkVr1lpLx7oBS*z~R|KLXIg5~5!qW(x)MmbgO@5M1}@ss0OZa>c*DWF@p= z%P{Nw@-Y<=_rtrM25Tg28mR?!yFEotwu8A`oSHEl;s5pxd!c~y=hsFIUN@;; zD%HtAI@(kYIX)Hrw_onR`3LVFg1J(k9{WL-QDMKGP1%4;Ny}BHx|Y)w!^M@ z2M{sl07D9$Z!8%DVB3`w9D|73;H(LT4~LtRmS8?-383#CNipwlVgSHIO)FLu76AWF zb1mov@m?{IBrBkSKebumm)i%Oq@^^8pb@LW`fpfx6j@1*9(gOkV#MBw&`}?aCxAQW zJqZkt!@RTJ@$@uYZzhjcEyl$7GkeXVBRCMSl?avU3hf90EVZYj;rdyF>{I%$IpBXY z#0lg-4&F(tR?W@be0Cevus~LH?!t`JlR+t6Ab2zO?SJtGWf5R7 z+F78f7OTSd0t-VHdOx|6@+cCr$H9L8(?R(2ZTkD;{Lg<+O}rV;YoisjlohK@+$Z-A-oK8Q%}-KV<$#Vh-NeRu!Y|4tUeb=AIn_8)u$?z2xWW#A(?hA$v_I!gb?Ji=#S~FXjABd95R6SN0dyvO{Fl`A(Kj@?HOb#N zjj5vswIVYeyK|CPB8C6EXo3IT%gTBV-fMZ~G)W4FPe5W=??bTI5%LzH<0u{YeP1i& zCP*&M(<--o_{9?p6S9B|iuY)eAE?1c3Tl5p>cT+|=N8nk9C4em&w+zmfYFD=^+hlM zczdWYp(}en-6=LiuLDk*i^<+8Q~oZ7<8r?%ryz3;cM{w6p@FIQo+^jt=y2a0*T3lF zD7u{&5m*hhqC7I?m}U{EI@0|_l?*X z$tHT}lv|7U){T%!dM@lW9`p7y$0e!KQk&*mp^;7l0-c{gl~Lga7I5IXH2N}?xZ|_q z$iX_3ybMtK=4HBaQ1-m}SEL*$1var{$7XQ3D#T1rqgy5Kq71oifsQo9`}-;Pe>}6hFFpoV zyE5JC3Ddp~a49crP15yGXzkaKh@4S1ZFU0l%kvXU5D|KEA083*@vm!#e%A@eZvA@# z#{Vgl;e|YbhRFjb?MhplJ9$9d)u9V;&n9}qBp9)LK0_#`c0~bts4A!+M%x02Mgg!z z_H(hwCI(zuYr|_htpOkp7b$LslV<2%lVXs5qu{*t6Jk@+{p5~o3TP$55GnyyP~JkV zIc1hvhw;+6`v^6yBLFm22Ze;1C8oUCoG5-Nz!+cz>|IJ?Kp_4OR0!O8UYei}e7=wsJ8W zZr`}QtnC%UPYn52UziM&(iRjVNrVh3$4g9lN5H`**0KE0Y*lb*Jq`dtYqEKL0&>cg z#QQk%5xLG%R%G0x_x5Pt_hcs{_+X(;;+IPym?)yK&YupqxR7iQ?_js7HvUnV8IJJ$ zmwYFrQipD;X&314M6$Q}+`=6hLdx1?=2TJxwa=YKo)xgCc_&HbYWy;6Z%|ARoMv6` zDX>2riRCgH0Vs>y)M+bnrf`VMydT()N>?~ho_+uN`eBqtdLJ0$WP=KQ*D$(g!U|t!N?WgL_`C=NHV>FAU(XBoqOrN zg#fp`7TEovzz6;SO7k1Adnf%g&h#)MAZe}AG5&=oM$pQqt<@-OV581TWOUy3-x6>B=V#-8j==ek&nbeB18M?&ck=TcGgOT% z{sWvX$eP!BLTScjF{D`FH>x}rqsBIjcDzq;$7O<2Wh;?{Jg(CZM0E)(IR>fpNR;K~ zSHuf0e4z_u(OqA%^2Xjxdr0Qout^8ClCy-l(96>WH2#xQ_jQ{X%(%F^GDOwg-{3P@A&er6jDTh})~Tll8<|=a)?^vg-A@v-Zs76LC@lmNr4hT(*Z~x&KK)mpQ}m` zerSdT{Z3}|2H27#F9F1cb@NvZ#(8K08R6R87t(L~*!4?EtXOCRq?3OIJ^Z(#UJhuy z2yn%WnkLu~fAWrCTL1M28wNM5T{C2yjZ_fqW(qURTw{tv91=2+Lv=l>}L z#_Z46f$&#tf}K>T9i&(szT^fqP({sd59=skGTTN_inzVs=KA<1qU9ry|zU)(1a3!1>+SG#g>Q~? zG@~S^hc9{WAWprv8!lqmZ)^f)lvV8kGf9A_NMF?Izvz>fzo~}P4x)orbHHkTI;!^# zxs7UStd-ugWI_#~V!XT=EUc#KMH9f0AQ)H;07md3p%KIJX3Rud>Gx=O zFtwPj2!OD?|5sdWruM4DRoB=f#gVKP_X&-;;#fVj~|o7Q(e*axcgNr(hK11XXD$~}Gy6brZs z;G7oeoSuW^_|Y+a5^JZ3rd?pd&3QH`JbWx(joIsY6ADv&018Scd2I}l7d&2x5`TjS zM0j8|lPuG?6(%&^(#lj4QP+m!>j~5g7j~(iC=PG5FM}fSk=d-LoTc@4bgMCwByo4c zcO-t`>+o-$QU^wW`WFt)>{z)D?CgLk`8{YG|8F6mbonj2(YtxWAhoGS~vA>?#x#<3?FIjEylS=RvU!`33E?!KwPbe3LKn@AIC3s zYoKV$fz}wy)%ydXTh*-iv+vVeFbp*3#I34DyjyF`i$B(pm0wE zgm(-m<{g;2hRl9_?Vpnc$=Msy4Ni@@RV%dt^ED}k(C6!S+-YAby5oU)j zPcWS(e{N~KS%eAL+9U|vyM;@9Qz)bb;7)DyfokQe=sWaOB_EVIhaUeMNY_l!xePsC{3l8v+j#Zvrn z(J=dZF2t+9owOG``t#vpmo82ZWqx4@JgcaP%)>O3l2EXaFB1T_Oj$8wF$_ctuY+0} zzJI6v9HVopB37%Ds6PdY)_0h(^hPI@dtMEI@!nZj0|OobFYqu77GVvt(p^}p28kI9 z9HS11-<|99Vc%&v9qAub=KZ8Uqq&{@%~RY&HHTW34nx;`Urmo5Pw)AJ37Y&D{H0`b zGb?sO!%*o>5I2Z==Nm9EX=ksPXwmUq1`H%N{!k%c+5t`k#-p)(ZIVx=(E+#|Y+@(t zxrKcNsqImGxp9*GgM_Ob!t_J;I`1=LpZCW->ttG~0Jt^^9)2;Pza9nBZzL#A2wZ2{ z@7Lz8SM2qP6k0w03s>A{CA|l=*|(i zBjPAc&=CLm`#la?;Z%+W>c8_s6v0EATnK6%f?U1?0^_$qA1TfD^uffyx=o|PIu5XA zQ)6@cf!(AKn9@f3(iKc^Qs}tcrq^Z+{DU4y_!_%^uwB?jK|m4d5-I6!1_9}k zZjjCaX=xP!>F$#5?w0QEjv{f;p|ijFd3EDI_^>m_Yqg89)}-34IaY2`}NvCQpLW#t#E&Rvr4k>cRdO@L2I? zDX7MfRzTy018|Cm2e1r?MO^t1yT^3t$jg4FmM}XR$UI1<&a?{3> zV%_4bNYfy-`~~H7VF=X~zjRGH*pv$C{{@o&UoM~`Hb7aUO6oIZ63yhzhyMHsQ?6zU zjV_i-hRk13Whk2Nr(bnbCdYim0K9pi+tr5sp0QTyodKc7P^GhhuCG?3nSnLz-wwW< z0ze?fc2++3&ZG&fd^IA2>of-s=pRda7d4A%&rT&Ou_e?0BJ{_2lvK2Xi9C}Dlok2F zkg!C%q&JIQ$Mw*w5{tkG72gQcmSgT~>yr9nqnlELGfk}>6>~5#edX&S;33U?%MqlTHo7&Z4J1L+9ME>)>BFtq`Cy(xbe3Jxlp^LEjc|>xKDd zf)BMr+p-tPxbSw|^Bk?((Efx|$_8P!DlfzWAEk6+mCpKuuaQl7Eo{JBSh)|Ced@1f zJikX{i6c-QPo*s3W<|`ViK4@bVhn+=t1`l_~P{kg*e#gsj;hi=$de20* zXj(PBu)3w6C;<&~QNsRMv1Gwq>p1#Vbe~Vm=c-Grf35_lcfUdJc3t~GPnBp1ppj5g zC_*N5`;SaW!}JCeuB>~yk{~^)RVH);QSpsPECJh_&{}wI9_g(YVOc)$8GThEw>>f? zp^N2y6c0!YTbrTybAU#^NL4m0f{$xlSHv82Uxu)->M#Y)lX4($ie&>K;|b(5_y44= zX&ABBX|Z71@ywJ9NLajV3%2E~YpQEb1n9SZwThkVFJEX4lF#honddLZ)xX%#pf9|w zeNAF;n3ILUE4Xq1f{*@pKht`eKL1*InB`Pr0njoC0JZPAW(8>ZkdUFk zW6N!c9YFJlJ!*{%+@1Xa(LWf05B>S>2xz?7AoMEd5Z0LoCZZoJK%(%}@(Fg+g_jwK zb`F6!q(`t%$sw8tv?q*+Dpgo5E+n)b0mgdXAmlp#FP#--2(F*vXPb7kYA~Bqto*qJP%Pw6 zBJ(-`v1thkpW4DQWCc2Lgu5iw!2=&qBIc7wjlK9*X*S-YDR}F>Vw&)<6Hq;~mTZ(y z^)C*V0RjF>>GOTcA6~t-=WIZrUh$>*C&}#~|Gnn?*H+Z0r3k-Nqm4yC#Lq(@p zZ+6C9fIJUr4Fs8mfr_7Wm0SR%P!j~_(VhtX5tj_I6&iLcxzoS-(2 zz5{Aw9|0ovdArfSK~2Q&7b!t{mcc}PeW$=d7Prpduse)gAP&6OMsCn=Z+`;St4=l` zUeyMQU%~G$>T# zjWF(=OsWdkNXLsrttB+TdjI+N)*HSiMiy)eViS0B0T$AXRx(v!15U1|dV;3p7R9sK z>~fQ*74o7x60=oSI;WsV%>h@~hY6kt3h=)vo5RkODnA6f`27K}0nG&`eteh7-&N4D zD?fhr@^`(qId2rb7GCUNdXPMCSSI$yU=$3r>L?MpY4B-asx=0HH#}TaOoaE=`WK)1 zVx%@Nt)w(e31}0*!b@c(XIi13k-Bml0BrggzT(fI{JF))CI{M5ngHf0&1jPc$KXtR zRwp@oH##F4OjJ<(-cqrKqzNb+Ra2?tyq%+Up8S4FUD0eBX!B2L@1Ps!wFDhrt3GA*wl#*goA?WB#w{y_8dxU&8 zLjRp}Yy?BK06_jv<5E5!9VzvQ)3oL8H34u55jBAPvqA@5hckG*Q5;xr zfpqQBQ~oZw7vb1MkzFoPrhC9oq`9yP{2C?j*t)Ky1OM4V_C;6Q@jn8OpOW)XttpQv zrn>V2DkgH>`_?(oN5R2rO9VdPS=s|sNCD1+&VhVJU^gR=fXP9xS?CP**Q2U*50K8L z4BRLg7i58l*VBxqd}%DF&@irlin)*#>es>M#AKlkNmnHj6|)q_-qv2O=2agL zpo1vA{+~n^1MUAJvS?f&swG{@q>b+nddZQzK0kY{ISa-8q>u6MGzcFbp&=lR2Y~{J zqK$;^2SCIpo?Ie$DSUzLXg*pt#)C-(-e`omnNqRxta1NIVM)tQX2m8y3ZrOHKc&&4 zujt8{IbNHw%;Q^(Nd9*Y0<*}!W}xJy9(tuw{N;ywt(|GXdh{jfzw)U5_g|9D^avD8 zbdo{J43gCUPdFsspX4Sy00Z#)2Ol8+PC4-3TIP>V&p$I&{r|J&{tq_IfBeYDNW|8O z#3uQdj*0)i_EhLUoY%y?b3#5kJmI$6{KM_AgF^K=qC&vcnW+21;V<0g<1bPs5cdSiM&Jyy&$0ic` zES05)^oi=E|KDYDfIBN$)EnM6Bg>;bO7OsxrwA4#$`}A~YdquC*7`6gnDult=Bkb? z3>Hvpn$acaZ&RyQiIq9XncIKA>`r=cJ-UNiB=Nxlm2?EMo*15;R$Y=VkCpu}I?LN0*qiTm4aD}OnCU#i!EeoZ8Lv?i|vo~A!1B^g(J z_2KH6KK6EfZ@$6Naeb%3W&eEO*mZG0hRb$6k;S-Yo}~=b4K7NBfydzzX4^9}=Vj#! z8+h4a&M%$FAAR~W@+!LkmY~REEko&LU_Y`NO#2x9+#PF)n-ENUKZbE7wY9Jtquf*WobyFAgTNii9(1wrGiZ3|93# zZdzQ&w+3$L^IAYJn{#jJ97TUG;>LN3!e(!zn4rymxe0SOqzXDdN;Uag8<(`oVB8lgf{=5tqnYi^Ka?VB^)1B)V zhp=%_2e?Kdu8r|L6^4C6?>vwTbp|V4!Ue2=!D|pUo{I>h`e^~?V@|npX(B16pqohp z`q)SG-5BUs^Is#+ zZuy?RT|@or4{5GJnkUtEjkKiNVEg+#EB4Z)$lA{xBUZi=QNih(i2Pqf_^Nj0T5oh7 zXvN6Mn@`9E|5Tpc$`_vdvl%K+e(aB9Qvk?Z^xz#xSa$V@$O0qrTu{~_^JBnTJt?H) zsBVmYwn|xl*#^zl+ekJ_0%D}oooR&%i)r~E!C-~*0QjE`z?NJjqHiRW&>U@xgWoGq z0Qe6!V>QKt;gPXiH?GW+-`^iUs<2P6{Z30svth^e^?>~QN97I1hwPVea!>qjA<=S` zES*^AvbOQRVD9upYHoR}w@f{%SMrAMiO0OQsw6WaKIfkL2PROo7td_W>{N-9r&92p zSC|)Pv+8h7e%!IG8EN6tLi{96`?q-I`49T0?=*y}!q(ClAKMBj}CZ7QJ?i89A`)QG8rr5@edKgr~vmFK*@UZ394B)Lfk~axbnZ`oi z3AMphrMbmkVq%a!`b2{D2m=Pq|LI4T`-v|qQ=8$D%D8Z}-kqE{vobO-wc77uT?k?X zOl<*t07I=S-jNPC7qTyfRB+F1lJqz)E2rmUcVuanu$OAnYx_rP_%cVGUYfFXi!xp6 zx~`FahBqdkx@+V{_08ZtCw{JFH!N&6spY7&ex(OW3b@Ywl?oZ{)c!8umzcPM<|$vG-L;ualVdS+o0P_z(#NUQaoFv!+#p=ar3@1)QTwO*Tc$hnAFcy zpKhyu@UGdZ@=~9m4~m&tHVV%hgC(E__X$0re(@u}Uzhp?&rz;ojz@A{$6?fUmX`}g z=WWYH1Wje!StqqzM`t3HmxSVmpBpSNa>SjUGNHmJ zm1gr<1l`~RKj1mo3knLE@J^){t7f!ZG272vz6w` zA?^TB91G=NEJ#JQJq-1Bs7^tsqsNPsE_p%vrwtsz61wErTmKYsnNeBc|70$5q!PoP zjtzA#XsG7+N@JMEZj;0;MpBKz-n^8T^y8EC*V+Gk!qFWZ+b0rC_t|8)G*5}tqJ0H# zmY*o@f<`b`1hi;a425c=E6+Y~lZLQ8v9Nn($Y)+4=DtGm<^8txCbKl}lTrwOhHIO- zXlAa~bAyJ(s9d(v(r56ooN(h1|ExfOH(C!{T)6H1eT=RMtSg)bbc?uQ;4;mJkJGqb zfb=czW73NVX8l}1$VxN7c;48lqtah#kv~&q znyJpVXqVXJJ1KwB+~BcqX?Bg)KVC%dmi=YBK)peP@4N@;=_tw3nzaJys8nLj=RgYFYt zk3iN2G@9Jqf}bX2Pd0hn+mwa-9%)V5#%6ztWYI<32bY2ZYJ;6*=I_9LkiiY^18AT` zbg5JT0zi`2Y{<94DH4&dPf}Zj* zkdSA>CHjW)hbRs|-~%;u+Nu(?{(kUU4C!Hz?beb+?kAF$KWzGRTQ0ufyw0Y3{`H=< zDT8ZoLqDt{L}HOREg*wNj{QhLE5dqD3%$AZy)Htabf0>6eo6@lWbYTivN|8#jhhFO)lwpmf2=(yzC>Wfy&o5;oYZu;_!{H%%3+K7mO#HQI4DVODHe}DL~ zY@NlTgmluGu-=sy^G&|(EJ4~Fde(qKmgdbznW#?D#=L{cCPx+f>1m(!Hl>kXL~Owq zJJc$JZVWcybt0j+2s=IOBrf7i@@LXS-IdP|3ZQ)S@q4KZ7YU-=di{qe?*yw4avxE$ zQzfT~R%gGxPI(JNTdp3^b48eQVcg7^2$I}HEBW_Qq993SL8t*AO}#mUN+0jVr7>HV z4=;6k%-bhZ=Vc=pYimOIeP;B)r{fPIcM^o@Om6>49RvhC4(5JP+W?&?U&aBGAh>ku z?R*Gq#FBLPfLm(Dg8Mbp9+2PGhT|Y^wa!4HGX^FJ`}Y*~bJm?1dNDLVM75tzJT>91 zcwNTMj3(L32o4~FS4*6fp6_#BJp|wU{#f~H>CW_<%hx&dPI8)*@nU`vTuIqD3vdWC zHk^^HeSKoF%9^d#)Iv zYpH5T;m$f)7kM@xs*?NcbW&yGN-|j4ZLo%h)(Ng##eWmW-Js*>g>SoD>$pp08RK$# z*>LOZTD9WCo2JQclep0>x9{X(q#EOqXJ7Ry-g0=v!u5Axcx#0V=msh{CXN9uKm`%} z6$c#7@c7;9)q(3qzUz3@bILmXM*+byU-kEaRcu0@YLLS;Z~=KM;|gLrDjbm^GxjTO zzGmxvvBKMBGce7f;35?@g^xqQ0 zY1PZSjycRHq;79E_*DQ1rG#(;YY~-3pi0fu03GNEFOf;)cDjAJ`!oJo7$-hnoJYhc zaPe&7bp6`w_@eB;yZ{V3ww~h?el{&F-1gf*T(gLdqloVC4p2y(Z~3?A(A7fi@gd~| zG0-MJdCUeb0G~n4HW)ri#fw0F7DIH`k)m{EqAMJB)hoUot`w7L$N1-WEmv|x-}*YZp95BPzU!!(--spSj7=2qhg zFg7A+@ei~X(@&cWmF3aO{N-9*>A&8+=8IohjMb`%ZyQu?&J^hR>+b6^KW$NOb?=0UPa@bf`2fn^DHzbsUmbV*%0V zrGRYdqS>8hviRh+>5h5b#KY^(Oqz0ZqfAfY<7IFn@*OT%hscawH{G2wAQ}yZnS|r5 z6F~j?dFBmiUR>=CZ&-{BdC(+`X{*)@0}<)+8Wts9oqK?ml?D`cR327ks)Tm+l3J{& z@mY3FkvKZ6vW2xn4oL)UOj|e^mq>}UTY{5(kHBg|EE#P4JG?%BSas&|0ags>hf?Mx4FJ+Z~|P-TLxwW>IuZjo*_L7aeo_)rxE` zGS*s8&$(tR$4?)4gXGtSyKJ4pwanY`yXF-0NW|%D+p7zZ)3twrGRoT-3o{Z(_8xz?TZ}q! zTYMj`)&Rt8}n#Oe%Cm!EeqIcJ9(pf~b6;>wR ze`!2ye{tXaF4VrMTD<*JOYB&d%wD*WxKa2SpDlZX+~Z>3Dpwc19xv|ncB4rB+|!Ye zVeinRKF_k|IytFHXf_i*?J{_Ld;)=?onGD;-qmg4Uayi=IE8y_57`z;DSF_Xp${&W zXtA93@im==-`ytf=WSaNuQknn`PMzZdxxI)H-D`SnkW@16h> zEh6EN&7kWQ1G0BE2%^SuK^jF`l$@rg!q1x2PeFNK%ji@2efVv$uMMME(Dt9lh?Lt{ z5bU;$?4Qbb4jQmrLCSNa9O<<9Xu@?uRJ*4yv>>Cv@X+^e?jj zxEM!S7xQTj@Se>8X=g(GmU8B)+wu=28>{29H#d{|k}!mo{DtHS^451o?ntWbY$Q9} z)vw{w>@V`7IHFo&Zou>fHE{ArSZSf@3@`NZIov(~9bxFOfMm+}@qX9JBM-orVXX_` z#7hPI+%2zn`%BHs$LM6=gGRWi%v_5jPwVy@XIY9xxUB77TAmI0cuoayQBfAw0akN8 z`tz0%ea}NckycRAv=&w^uXUHo?3WOn`ayYg?!i* zBr_v9>^L}`nZh@x*HugZM-~cEAu|P=QT(a+3db6&CFJBB3{Td`s|Yuw1nG}-N35aP zzNeaFQ{Ur%Gwlx@dly&4Ow+5zQzW*=sES=_b-4BWJVBL48LZ~+Y8&g*>5^3ou5uJm zLyu0i>8@QRP!Xh@g)4Md#Pn)X`yY=o`ugXgcshmma>zAAGKO~9srYJ{)ZoVgt==XQ>4R#8C2Z{)Y# zy4|4tO}%)}uU9r%GCkkXoXz=h5s>_Dpc{=nty_;X$9!q7H7AU%wR%5s2&x|%*NB)g zfvhh@1ZdYQhzS>&Z~oGc#_P$ZyYbmKV^;(9d^q|vcgS4PwV0_Iv@)fO5&;ZLDuURx zec{r579CXLQqtO*HyAF@!t^sFwJbKOjbhgd{cA)jZ>4#~S{?RV>}4q1k!C1!5-QCn z2kuc7?+45(ZQnI<={$aRfvQ|e@6|&uoUolh?0o zvokE&BRcjC|J(&9x>8!dzF%UtBNBZt+2)>AO4-lt{h#9){S>s(!D?1JXI|J|usEE= z*WPn?F6=tXXdC;yGZNi4fkwvO&5ufJlbV=bKVlV9*zv9#hn!D#f|o3@Xxnvtv_eaB zl7WIjz(bQOa!j8Bo!u6S%@r9ZDSkF<)1!)aJ7KX%c4sy}Df3f+vA{pyGwMTD;i5-% z;g6s8l2?`!t}m# zCQ)nGV0^G1(Gc~K(}LCNeQuEy`Y>Bf6*s&#WjNv4!;G)^QK=#F5!U@faT+6^7Y4bj zXoO3g3}5o*WLZV{cR5mEHTAOui~ab{S64ph+pt}vZ@ZA8jW>qQ@iQWo*eB?+`SG(z zP6SIGg{?|rGmyzX9~8|8&=hq9WX8YPhRc1k4rGoI%IT3YN+r#oH-T~<`}h( zwR#+yU!Yx#5)Yda^-<2O#^?vhA-oN7Y4^Jyh6FS74+nxNnSkDFko|&UdB( z#Q=NS`Y{wRm29a__ZJthQ#kvmuwM+*SO55kPq=Dux9|TXkg--?7o0u_bL^^^VCJ5u z>?ZL5eP+VQ%;mc8)g2?cT?&!s!7@pJ-RRe9Uk5N93k8498`r->O86Y{uGLGrBTTYdLYy6b zfRe`9Nrk=4IMM(*h9y*cPE%U&CVhc-ojr_xg}if?b)8ZCBt|m%@m{qqAsY93X1wLm zO|wUghe?`d7uA&^-arPu*M&H@vY9$N_j9K*R`e137m)BSRYrydC=+U0Mk|S@DbEYs zaGbKyLSr1afOrAQj7d+s@E)H}b>ETrqMltgyCj^>0UZop%qcSKXd zEFjl36i-K9i|Sn#y?KdzIm%h_*Y{ZqvNs^?;*D8Eyiwg)`Dg3oG2l24^_+_;-AC$; zn$Q=x%5as{Z_tsr^N*|m{HM2)EA2>uHu{DVF(%;NIRTM`f>Y#Z?E>|>`lJGT%3@>ika1Dn%-@bT!y>R!dRL(YO0QL-5nR@A7F}CDC^7B^dzv@ z*+93xBGzLHvE{c4@yS-l4CkVW(ps*h=C}$YAgHjEuok#7Mp^qetp=ll-1EhFGoErN zR&2d?12=rN(M7c5{UiP)KFHC07war^RFiPn9Gd}9bKyCa1(k}|jX|tZiB;BuVgFICd>1Ds2QAE7n2sl;iqWULNSo|C zal-mNz(K!pumX&zaY6j%BJ>5bcRX9OWCrKWmw<5JrLSdVmRt`OG%RZ}90l#RCkh%k zj~Bta-NQdz@iCrT4VV=NJlqU~L@16;qsY@*=!GT4_hy@+nxXH_DVNr7U+(KZf9VsR z0}Q?fzF3<9Cb^TY+`~xf?WQ~X{y=#3Ep8QQ+TurcT~4(52TpXWrKHBMnB!k`IU8z)`B80DeIkSX_b*%^dZ zc^j8uMToN;hHIR#oZLc0+gZQs0vhIKlM=^G&f`|zxxc)?(z7VoesidKHUTinZrvL2 zXs4c{hhxpWu6lHT6y0?4633pv^3#uZd!T$-UF`5vm`Ej!OR$5i!(!4|Xu}QEO%U9^JZsy> z1nX_p6?~hFQO^=1v^lnBy8b!7qE89fh_Kf@uiO63G5<^{U5>Cfz4OtNe9(@i$__W0P?A*AQ z7KTzbbk86b8}e$&$*Gp&cJD@7#k+Fa)cY#6CMHR*_$N#`BbAGa5D@QyoODch9M7*| z84L8aE2x+20pmB4+@fVbD|&a!y+ zZH?K1EP)weJCw5#OX)cJfs9Voi7{u5-qaoF(qvui68gBbEPEQ>DC2b^_^9s8H_tHb=As1=@S7u$SC1jD&HGhQa!? zer6~5hj#%Qa#Zkn`t~#FRtL-O+tG`~Rq{~u4_eu?D*Vv3R)>I*wUw>fU~?W3@xgHD z#x@0(Kohj?$=1@m(XHNyIBAvt2Er&^BQj$Ns&pP8IhrUieS;;V_&MYw{m%R@%b$tv%6R}!w_(=#)MaK6Xm}SH z9uX%ue-Y<#jd%zX$Dy39mapmsN|{w$yOrG2KSDfBfJzMq8j`b@L9fyCTVL9u+`jVD zxIH1o@O-oRbRJO#sSU_#yO7t=p^fMQYz)t2dUOeA;coh;vJgw8YG!csIm;KFc>ru3conF0{O zKd9$IgWFMnK^Y1M&PZr zK>V`sG?Qf=l~Jsd7!CPB(^ZsmBF9CWkN^6`i(5Cq-f~7lAt^95$T*JM%IMJO=90qT zqZr>9>hykzyCU#J-(+qjfa&4Ucjj^z0K_&hX*R(=WK3qj^^P)c#XBStMfst2A$zhQ zXs#c))A|MoNACVK#q2L{%`oV*?~BT&?BH^nW!qf-@(3Dp4a%d9zKYbI@UiV?=CCdw zMNm6MpC)jz|D~GTp~Q*)iqZq9e)#!j&5roDav@)SicMM*3yTju*Pm{yoJx9V$ma@` zP%8?heZdv^N3IoAO}_b)tLpn@v9M>Ro9ATQY8%#}OuiK{+nTu;>sjJ!LJ~4s6MBWa zscSSlzV`TNN+Z{&5$|h)><4=0e0bmJbP4 zO=WTyGr1bchP^P%1t*y#kQH92h0U;p;Lwo6ALG&6YOW5-YyAz52%kfoIVeX~tv>z< zGC*a+(Kinane=eiS3D&*-*WB{3UkHRej28B{5Hash}l$lg^B2#3f**4>E){>MoU7` zZR;y;-3BV486C6v<#gw=U=o#YCAq^RHuN0EvUL|D-YS9=dnxS^X74$$!CbWpfbFL7 zDY!AlWyp|M?c5TJuWNOXoY6G>bv2@G;+-~ZwA6dOE;~Z6d-;03)P0y0V1@%}$zje? zqXEZu|C~IZn)>4cYEEW3q0y|;(8WoI$Wz98pzp*m|HG&q=B=cVY>T_`v%02ltFLm6 zLu5O2tv01YS*SP8KfrpPq{;GQomh8HZ*_79PKF_UH-U|`XZGAGXM zQ`8K<5O-yMK9q&lfGTbGOT!A+%cC|W8kM?VxM?wc ztp}1kbR1U=Q^!Esq6h|n$Kj~N5Z)7IC7c_xbAYLD;H1F6(h43n2Rk6dd1uOPZ?Y^k z9i|Oa>RbNcdq0^u1?p#)aZvK$`}wf<2@2x0E&CXaiVrbviC@tuO`P^W$3xkyrQ$H^ ziy6uWZ4fK*1!F&J&v@iLi1o>ANb!z;FB)_L)BTRW-WTr(UKJYsNpM2?{VYN^$AQI; z(&{TSBhU$RIAl#=pLzr(ka%?(`X2JV12s3(n)66(=^^)5P7^_%KxG z`@YevcR_ox8Xf^YN+c|mA9*+se}j83jo<~IfP04B=Mc*j#~x>T?ugU4$04lDY7zGF zT!n?Q2eF?hk&b8TCG*=qTVk!tn+D3U*M63e>1T`XSEmhh-~uV9^|RkARFShM2W-t{c_ZZ^E2u#p=fP0WQ+-IOhgUY@A7|9>;Pq zsJ3P_iEsf{HLANjF-ZK67zmL4(8bGkijjifOe`}xWZL6EqnH?-B=ub%-jdZ0jcr$& zx8w)NQB+pC``SnNez+(mq=9ae#1_TD^;Sr097FA7D4W4fUHPoE%k9v|H*^aq^^qL> zs6=tapfZNjQtxn(f0EFHV=Ifu)~wsfUya$jhHhTV+kZ&I`Gf_1Pb}XwSW^i#$iVod zs4!c*IjR>z9vf`{GgA?$4{TA zDulV?9haor&gE|^%tAD<8MMZsCtD`6wEF%tI#0u$$* zhfDg!Kqf)U`T>$U)bV5e6C10w*RwcpeMSmD=9ou?U^p$U*qdK22>=T|{p@F`co#RV zI7Iv%*jECed)65Q(d(Hq{I_=eI3gA6PdE>(*R`HFA*nbvb1bu$UZdq3gUS0F9DJO1x_}aR z^7CZ3`!2( z;3VPRXOjJ%tbDV^7`QZw-gKE>CYiXDr$$1c3VxY z$q8j?Z*D1wd_SrO@{US$i^n^aeuKYFmF7lq0Fz(w7xyDRi zHk36Kx3PLy+#XQoCgY%C1T~8MRzt17J!P;yED65V6R(jV~FI<>8{0%X5`3*2Z5`e zzrR*7)iwR_I-%p8=`7r}a?s3N1KUmgWoz|uN&XjVCWe=K@&hFTdW!--MP9wBr<^Bd zF%=7zvtAopZEhdD9jz2zwhawVZF@uUH4=T6smFnMQYl$tAiRvR@fTaw_LcCcU8sU7 zU#3&3+e}Xm)JgubltRDqRv8&RT!wAeJpR>&1oa`=2(9FU^XsWt5?+-kqK& z9WoqoSSl*$NL!^{IY@KggdWVkVVjrdJ8X@(TSn$Lm&hr~vT zX|3XiGqD|F+*14qigrUu(wZeU&f$`s@6y(JNldWVuQ#nHJ_t#w@al&v5V>cI=2h(- zBps(XKsTOE54w-U9WCqowam%fRyq zI9B+NQ6{^t%sV3nEy9B2@3s*ES&jiQB8bYam*8 zBIYGUn1%E*^?B8AYJB+e{TQBCbNonL%>y**w;Bcg@r}*ckghQ|RDDXzGxkJ)FcMMh z&cu2bbLUSfV4z1B5_uOp+xP2|bAA-yDff36>ea>9?2V!u6+cQs!J<7twXFhv8vKyJ zLv{%nIg>ChDS5sqkz^i_cKh~aoAqz+>8h{cD3%H`y%}=Y;gi++8L>!r*_DB5o+12! zPOmm+YSWpOvk5e$P==*gWaK+EJ9b#NV}4bZYokXIszAtQ$-9KY&Ow~xMK?-8dn#Jk z5eq(%%B^mQ#Ew1Tx!j*8fh4dnZYnVzcw%Xi|4TzYZ1j3Vxe4fc^(9;03*WqObDQdG z%?UlDt+fQn3^tMJO+j(4NL7FFN)*etjEPRA`M8C*rWO8~$tPRf3=tNyB>QWdU@#3H z)vYKPE?d@P2JwmOxby1k8SaJ?mg;>nX@0bZ#hY~wcjmtFuQ5burLzX%()Di7aW()C zQ8^HYsYO<$3n90-bTOYwBLE&pDXU!8Yb`Jk#c=}Cu#yeXp3|#n-S|EKM%IblFQchN z#Uwj0gOkBj>?Bc`rr9Zhe>d8rAZcoz2WYCJH?fxC;Ds~Uq zn5m@yrmQe4u{kQJ+L4H;34EP&Uj^F)q5cPi5HqzC9Ls897ZS_A8BCMa>`K2s#~&y% zs02yer@sA8Oa>X+2t6a?d zp)hvy*idPuu@Xf@zLdzzG=&dyi!B5NtZEq7y z=(>KG4K+Bn1LZz`*dpMdxniyLlEg35HT9RQD);u*-D_#r$k34zK7T>K;-7{uOu)3JJ^QF*w^=qMST0RNokOa3)_9G!;zyef1FC3;;L|$PV&>y zC}Txy0MYka4&kr1UqlgXdUFA0Sfa{waHGH3FW1blZ$h|$P*ZkT5^rrq2wxhVxF435 zNM-DDZH(DK>)jf{(5FflFo_r+G+&72gs{jSO*wBD+@@o&y6UwgNkpFlo5G&D9M#sJ z=nvyKto9Q1Y^DvPoxE#-#?L2cz{yB>Vsr@x7=qn7=3&tYPkdRTgil~XTjEY&>5IlK zuI3|G!4C0aVnm}E+5`Hk32m=gx)B?r*{LtozDRHrINj)jb1;rLc=uN{W@bD`LDa=I zY5j(TQg7bB=CA^A)~|<61FGb0W73`bEL56)K1u=(v~)hmmc(dyMH^(VzKQ42f1&GE z#m)DV_IMarzAhke7uE=1J*q4E7?EKq9?gHYWBE32bYri zG?S@cb)X*C2K9KR#nhKqk)0ygarIMh`~Kiw^?c0T5g_C_s-PkOK;9S!oOo*bU>0Vfw1~Q1-rL^%*k8P1Zq;D4_o0Kcm zH}o5qlB$h^r_wNR-4C%I(z0i6H`oY@pXN* z=CKHcJLTd=!~V)pybX)9PARUkVF4re(d17u{jP=Xd&wg2!K85*#Q2g$qIdsutL~I_ zo7Y1?LKhbeOp@SbSfS3xQ6(AjQ`H3SI8(B1>4oeRCn$qWY%TPYV1$aVCOTl$BW5rWk%4z z!`Zn@wyIj_7)jHmHV%v0GWy;M3z~cu;Uu59oS`&|C*|lj29u%X9)f4AyMDNsaJ$Ge zR@4yWL(2ti6)M7&o@si}I4S`fDgEz38vMEm?2dbL3BeYKsDg@R@52GyY7j^}*v(31kMhz>`#|5{Y=J+=TN5q|dqLYSC$f@TrjO z+>P&>0d($7lEvy*s%Gb)mp3W8kBB-2EDlM~ptq(iB8b_*BE`l1*i(PA^-s77_7LlA zM?~HiC%OHRZ=WK=S?fP*^>L0ScYM?MZS{tyjPR$E#Yv2~tW5$Bs0nSSTGwa5oFE?F zSztQ;^eteZuPe?ilLtD5Jm%3>#>e%iE+dE$ImF=jkBwPLkl`aRSR{p87mk z?&t%4Cr-==gO~Nh&D=|-k`Oa&>DhH~iL!3LpRQbkU*ok3+B3nVng%q)Wo;Y3R2r%h zhV7aA3}>GeFW&As!hawU9pw5hzWr*(W=S7lGbFyAbJFUKssNf?OU0wUUyj=o{Tqe| zPfB#YlaTvDzN;_t^}uxIFc;WQX^$bmvZwm%X14#ikK=~M9;@M`X|A@7S+#G*)bi3M zZ>y^1-^h2UC}@rRrRz?RNxflo@=wJl&$mneLcsiO_jfz?pU!{0tQye(JA2+sdD-YfN zDaTe(@Cy>y!rbjjOA{l}hmv+cC0gy9H%%OVKq}BmJLmu!ZMkfEu*4k4@poi4X6v@6 zw)d-sN+hr=B)H-6U)zR{8 zKqAIBk!!%`P^J5NMlHlXhwZcKYy@{-M7*A1d@YSkBN?pVL)qG#=UVMM9pt`BCPNZ_ z!}^f?z$)=oR&7*R#!Brw0!od`kf_nGdwxCu@*RpBx8x@v3@wBTBjwdYNQ1V?{4wx6?c0IW_!q3G%q zPA$#j^VO>{0pyQCHW>ewUvmDf?;oH%(~$+1!#5vq)^Lx1S3g1YCe(X2ckUxE(pT?(gA7 zky-%Cl3Z4zL!2|P(m#ZAy->RcEjKIIcGeT(2`^EDHq^bp=xE-9G2d1?)N$Y~x}i6B z*ZW{oCzt2*0|Hm0?jHNB1?=rpcUIz>naF`kYlu`jF*n5S#sDa zNfyUhOz5R+?S01Y^^M%IJ+RidO}k?HV|IV087$;)p0dugKchVMl)!l^%w-$+CXxbW znWB!|Zw6>*cf{B@BrQlv?YsBg4l)*oha1C8zAjfQlsxsorMeJt#ly3h5ZO2Hz z@|iWD{6BeF0zxK`>_N-^%^ZF1lLKJ7<)P45lLSNGpyW7o)3lNPb7tRLS3(htsu zDnQkh1QNnGd5a6k!wim^>M+R>XYu?O(uqkKOw=E+#F9I>dmQr1m-%;j*YYK?&Zb%p zq`9+D(n485VX5P^_SP%DZ}~);Qk?-Y0!8)_S>i}gkl|_%7M&?xjCiFDE!4E-e&H6^ zaiKSQP7Ws}R~fl#6@iesCrhS5p^O9avoi-)>!Cwg6nq*U%8ZdQ*fV+|B9J#Kvu;Q) z@Qmgy&O4>>*txsdf z4b?irCddO%D%^BV(c!AlDp0QYN8j;#NC8^UqZC}i zmi2PC368fTjHCpIr|^kk5X46VD&AzLtwlH-#re8Q)+)>L}n6RstbcLp0MwK=P99TGHl*SO?)&TFZ6#p);3>oVR zeSdpS6@0lY0~GtIVQOBKrW$#VmjZkX9U0*vF#BW6Ar+4PtvoT_A zuXbTCrSN>D?dL+$(ELj<(YoN6fxoGyO8S58%A#oY!@YagH-)QHII^eZzWHYW!h4hSW;vyCdeOxZ)82r7$Zb z$gIC!jRz#h{fK5N89lD?;}x##bugaUU0ift*l<{{{x(ma&o;PE9w9q<;+G#3XHau2 zT~7tW(`jA1tx^NJpZ~EsODCxq3|B(Yj(7Mv=SK@9tP5aeJ`xhvdnrRAqB@rU;eu0@4{_OX$efqx_*PJvkM(0YQEH&U4#yPf5vIT zgnB!=JuA6$`bl5s)W_Q);w$e|jVGTv6a`0&>e-xGglVnapRzZq2163XBrs($d?D1Z z={oDE^&}vh5~e1E%9<_)GCK$#(=TJm_l(Nff8B4I0=DXT9sf5l)*RXZrX!Z*E4Dmh z=WkW_$pd!p(JF~N%eEb+3XgNZHdMovh#5VW|J?nB3)aJgo}#)`^F|CC-Ijx5co7TD zc7}}BMs@7sn1XnFzWhy*UYqMSXeW}KatmBO zb1V!xa;3MPTM&^+1QW79-qN*Olk8oW8mDjJx13m%oT^Xx^*wAz`6U z4hs)e&&hZ#`8p^-?GBCm29IoS=P{0NLf7dt380~5EUL1_Ya1GDPo0Qp(H7)R5XEi=n2Bz*PuC>c8U*6plg66ZRG z>UU<9^EDUGJV&dNwy|6ZE!Fk9pEwxyNJoert-NOERQlPl>e!g)KU-lrDnc@97n9g< z^!+6oojsJTy^@u}$AEP_G)KcG<|zI`tSr(i7T8UC~a7PSuI# z1gE3l_p&T09Y!cO-))3oEtjHSYR6~hZL%!#mNfZw&@SN-wOaS*w-MU~v0!mI|0rtf zUgGvJQEd}#ow!)QYuK@>5&Zu9yzlqgXT@YDDTfiiL1!_=yMAceAMdSnJ8~Qb9XJOT zTdXq0TdDCq9ADMWbB6}oB>Jw*M3d+a7{B?D`A!-iw26CYzi<2Yq(Cz!PZCX%3L`uj zHLe?pdMluZ9x{t847$_j7i7)qlaWK^J5@e1PhJ;YuT|~e%rK96dMpk0b!TfhCf4tR z$Bnw(pehVKiC1m-R>>$NjHJJ?UTl=QPUS8?YIYmIW$lmd|Cl^QCzqQQv8~9f#->yw z0H?C34{Q@u?dX=NO&^se=ELgeTp4NYPjEY=za3{)DNX!?g4q~N&f$}O#rsrx- zV`b%b!KVA9`_`k&@H{VXHfvS~*rshSWw_?wY8MyR9jy;hXZ`4ipkA$AG=O2-2KY@L zHiLP)XAXFbk9o>2(BP4RtyyhTqw%{-@Et*IcpS>R_daEG_=AVHL$d8i%hFYk1P`@< zU8;7Y?={d+1~Ye}41GBre;Z{=^3og*;yQH~3AvckU*9R216i{o9?L$J>Dk6Ss62)g zgV%H$NH3YGM`p?AoN)J>Uu9P#uM@)*<7NZJy1@RGP3?)&8LAcg_zFrp{2T7CI(IW( z%*K2UZ0$d!$rph3a^a|oZDQ0Av5c!bQT8O)6qNaky|cg7_TNMAIR67j*(a(0YGcFT zg{gm>04;RGE9Gw^-InC(r_~7cA~BBSPZf2O6W{G-;QNY?G0G!`QvE9v_s)DNF}Ta( zBuzXtQliN9I2@Mh%P~x=Tn57qr*IbP#Phrsq7>s5RoCp~7ZYi9Vfj+D!#aK_e;@wy z!8!|BMC6cq!9qinZcqR#0$~mgRj;O@onbm^6>=Z(sYqTSnwmct5aPV#(-^)9hWVvP zBaE2eTV#ujJI3nCl25cemK(5mPp*vQoETo#{Nm+J&*bMias4qlGW%nYbzd90X`guVb|8^sqw(7%VzNk}F${B~zB7}ZqAr-vtT&+YRbGXfT<0cd z2d`K+K-HE3B+5?kdz$Vzxfy^3=VXT9sz-)m3!@H#bxJdH7&mZ6>yir~(VM{j~JmcG|BjI5BAiF{(DF+g{neJlV9l5uN#>cs z5Y9H~F_#x%$_hp;acUdq3@n)@mAuk?)ZALK0e)|T#Djo`FR{`Spc!L~cSAjOyR_Nu zuARYu$?#3;iQt8z4wx+kXFpxu9q~CqeU?39tmY*JXLuDSsxN_}D9&b!6>}LPBSURVtzK>ED&XC4e+)o)=dt{)X39-GKm(fj(`1<}ou;j;pB@f7hj|Ctx0#zx&dLrijt)7$jON#ToJgO4o-^Ni=!S%uWU_|z zsch`^<>e^$hE+w%)(KI5&Ap?l-+Z#tu?KNY`PCNXGwNF-Fg2}yrYF#6_eo&qVxq)) zcWfidhAdn7wc{^u4zs}*bq6u%Bg1j%BMn*Ia$p7^H|;q2e5>B>c*`nYMkyKLN@=B1 z2Qt}hM|Qj!$otuJ|Kc4IlAr{gZE^|o5d^m{efSMpGCS34wp3Pd7LFs-EU@5i&O!Sta5?ik$Qe{EC}^f2Et)w4LVJ#N%>$G-h}oqB*wQvP%c_4>`03av-k7UgsKhmL)%`bI zi(=*F1(g3vU+=13RN{JFm-BcEnx(5>XLN9F~57C7sTfo{4A-f&UR^V&4 zN&I?idHas+F;*PPE6QJcVOeFoh}Di{JOVx?aO=5bm~ z3^$xyson(KUl}3+_xYbsLt9yQX;mKRvY&%OMXx$`u*i?7RT%l-B5XbD$S-!0H8nji z99UJ81u#@aC!1n>?RB)EcSlcx9ky@L9rRb}Ugoz5SVXQ{6$|kUjjuWQSI6>3b}_PJ-CUeCyqtfmr{hM6 z5fKm5ap}KrV~wtnn|!pc8fhADK5n{N?#wlsg1t_1abc@mJc%{^5{vND zA=4Np{x38AWI@`D$gb#SxLfHfnDNP53Z|MWKSBN&^W!X)=3|@rX?{WI(vV>tV^JZA zl3zNa9pTXVt|b80h!09I3EA4u_(Z9lp;x$vdBw*JAsZH4g}0}Gp?dAXJ2kX{axIUO zj0&<~pO*j>Wt6z~fwYWym4va;N6Ka{og=nW@_hEqXW{jqhxre)+qyfa85` zk8?s)ImT$qipJBFiAbVuig($Ym5eYyAI(qP{!`Xa0?tp2sA*CDyx?wE`_Y7juuc#HWYGT+0#(3m=?E5viv}WtUFaSTFYy zQsmIbrd!W)^^Oj`g^b2XUcL4--onPOCb`-7i=U7(-ynOmgzmej>xhJ zyy3nO&EM~fWQ7PxOu}c-7Qz09b&fb>(jHBzbZDM;@S-!*cp)dE?uO< zd-tZ~VEMbXNS>ci5h*pC^jPtJLc(8ddV%LDpx}Hfae#D-Ij8XpRF*AY>I`L?XwGb+Bk%_XO-sZ z<*~KlOkKhGRir~H9D?0g-q;p;9Jraj`(Djbk!Q}2Ss!e0e%%W8S&yby%e*{p6F~8) zYeu7NRg?a1fJyPO&3h|eKe4$j9RfA`U+xAaLTKcAgIV7@Jk7Of-XI&K)@l6JT_KCe zk`eGe@L$Lvp2yiweN-ROD?q7F7Z5`UUmkwh3tzZTqsO45yF0wmf0Edk_F3DocCv822Q5x^x z@{dqW7PJh;N=DgvJkCJZSXQhE++q!Oys@|pJ`gXV!bzO~`-M8=IVZ@Ppm}SC_w7Lk zq1aHETXiqG&tVZki3W@pjxr8FrSH(v)NNHW6EiW!;WBWUZbqKex9rbdWDq^kNJD7X?O>hiquOj zPA#%qW4L0)x+8perX7Nc8~;{3se>>9iYNNW=eCKoP8x#~dbDp-q}3C-lQ5>WNtL-< zKK89xZO^*x2Oqr-XIO=|avzg-WLpQ-YlEwU`d5Zj1vm%nmr;6Tb0-;c{B0KrWn@6? zB80+YS?QNwqOkn8bB#|1r<-5)n18H)i0=ci;hdIr;n)H~ls3}+jo ze1|XbcfO1W;i!1~z6~$}wU6k5#RzCkcVWj+0c^ajm|b(F$1LwO(Dik?pGH=srriB(&o(N^Fz z2WVZ5A9$6oQYGPDWL@QIv_R)@*8CfCrCd~mK25Qkc}l5Au$$TLpI7#NW$(NIPvVW5 zZRPBDfxkbI5}kxhEVc{e_$7O=vYl*O5_~MU+_%#_{esMtPEyqyR&MlL;N7z`9pP=V ze1@t^@xC`>Sht)Fdo=P~u_`~!NjI5|?P@Zh>fLhta?6h_+j`Sb-cQY@tU1`7=^C=H z5Gv9K;6HQV|7ch|@J7Jz(4@T?1#(TAwv>E##-R`Ht%icig`3;R&U87_sN?87_+d@f zv~-viIE(r&TZj=%O)5R)nuH`q?6J=p<4wH^oFqiA0!s_rfZjm#=3D+>DjRz|DoI$S z>e=q&dp5wB5|JRs^LdWdWD=LskbvOj>eD6dIUegd!R?1DU+hy|zyUcIjDFeZCeR~N zb#U5Hl`9>tTD&7-^f_!Y6zT_ki{!j4WcRUweuL{;?3rrMAk$E|$Hb^FP=#Sf3%(Ym#uS4^C=We;U=7Aec% zj-J2!Y)gv!s~@wDC8WST&SCg$_Axre@c zNsoQd@Xd{{9d#yR&gH?RRHgR`J= z+yxmbA1|OTrr+LUdyIZ55`XG>d>zf1tw2tXD&P^@Pl}m$&tLJNxiwOm*ma(|b{}|l zRzFW$iK9|=id!5VHm>V?PEEb8*0|R+V==00(wzYyYt-<&a$D076GNgn3lbyxha(It zuh>ktv0i5*(y01=8pLRqU2PS8p{hdA$7dOx_iUEv9tl)`FUL zGDbBsq2U%iYCCan$6)i(h#p^cP?<6stX(0c_DE@L%x+<7w30f0zwM3A@V+Zrp*r1x z1zj?J>|1mCon=`G0h80uwp2|Pr}@LjI7xtB~`PJe0^N-(BCKQCXjP@3RSA-hP{Kac3o zs#d=!jSCgmj!&P7ADbI;(0s(lfqWu)T43Wa?qvP(ewBc4b|PDqFzd73B zayzxMEsma%1qaSKnRp)AIsuoEdy}snObQ(*3NlPVq2%f`Xnwd&W0$`c$#UnGj*TAO z)bGpf-#M_8$mbn{3a76|!vPe8+!gol(xxKJ0>MDp6eO#AmU=DeS>e-Q7qc*(cMJz# zcEj(B?V_CU7RU9`{DcWazKqPbwlu8gRm=7Wzhm$~-jz9N6J>_zAAgG=HJSRM$3zuj za}O85QqcLi_g9MSh|~|I-KJ3v?rPRu(VMMrQ84a$93;VD^ysRZd=TgqRp%*aJapDI z4C){vA=#@e)4i8_)%p4OY29!ihsA{R>FtUjH`s=5`o`U%mI>Ppb~!QLELSsNBARf3w)#ze$_Me)R-PE^{WT#Lv}0EW!OZcE_~Ni ziL@wJI>c8oRim%RI7A+(sLCW3%g5wx6-AXucNc3c4W}!}2zcy&J;I!ruORv%9@S*v zBD0z%OVx_kQNJyZcZ2)O2$>1^vTWPoSkQW9XUajl<0i&ik|tY%z%gH>X`~wi(Vp_- z{UU*AU(E2Pk}3Pg8erujS~W?YcP?QS^MyzJt$~4?_$&BjJ!zy}@re&DV!j+iK_lnz z;pSp}xx8w)130oos*4SDNTe)Q3*|hsTc?cMUtP&_k$n2;Rof&XTjyq1I0G_{_*wp2 zH<2vn* zoAMxz_%|gfg4xwZ@mltQE>H5}pugN8h$gP(U%J4;x zL}!!MKhhf+ip~>vyj{7TnNUk+@pS;`Y}p_$70~yq3bJ`h5?O>I-i~R&$FD74tVwS- zb=*D@5-GnY_oQE!o|fe5Mv;V-(4H)KVG$#9$%gpg41qP)T)ca@SYG!B=ys{ zo2hwS?5GABm|dpnA}8%ixk`)93G{C}Ft8B@XM5O>#&}h)afjI9JPJp_Zb!KWZx$kw zGudsg!<^|k131HxUn@iNvh6|7wUKGND0($)Lzg3Q^5sgfszk_@<vWC@LnjeK2^HAaINI5YVFcMH-0vL-~+2`*vDhSEGb#%zs?; z2-l1ux{j?dGJN#UZpfYNveAMei;2hq=|aezp@J#=?zXYcz=E}#IeCis9`b7$LaFNe zO{R%MHlBHGENa;qFZdsq0jqO1a%f^?CXXI*r^#na*n?qNI;&LDH9wFa8hOsEpeK&;JZ~6WH5+hkeBIMxdiE2qyy?sY!vuA1_-}dv}j=` zAo%mXMq+r$_eD@W?zEA)_H2;++OlXW_?npl07pszglh$maM1}UEWJUyef7bMKeZ}!(R)+QffiG_AMMF1k~3=zFzY(ovKOIDR@WD^yd;&715;P*~Cfg z`-L(dhb+U7gb5)-<_~oW?Ns;^r=RNVZpYT_4jYOBiOKqCKzQf$K)ItO5JvjvSEFFh z)iU`6<1`H-2kpom=puQC?RLRSZh+R8b;sJEhQ@O>nzjM36kwZ_q6%hF^t8FBaEHX+^-_{snL0uzl5q!||ADLq5l z1)bp!L4Q?$!E$*0jcVN6N&flU1zm2>@mBFxmMH$yZ_>xO+KXN?`e4cLpMEL)3;I}B z3y6xx9xlCy2i_@~if|UrM#iv{yvB^S}H;4BbnfV8t?4>AG0Vf4!i8 z@4u&b=Nemge&(pY#(%%1|I3f?pASf0_>FH>wvc4gzwI~v_lq5QD>!YMBSkf40QH&t zu}=bvfdrK@74|mlSPGEPc(m7@%%=uXfz)yy9pAtT^8JK)NzYU95F$<)di6>swh*rl zFaj@5zLl|;H3K#lieNr7jM%mxO2v}*zKA}pcV6xk35#7p(xP#7hhQK@3?hyLS|-OI zDzjQ@yu?JNl9G6ZMz1b7{Db6DaIL5_|MLd?_sji%zZ1iT$i}e=A4bW*k^7Htch5gu zxr3~u8Hk`(Ee1od7-h5|Eg17BT6$goobnH|Zkqov>u&q1k2b8ND(frnq5wp$=Nb_0 zNqUD?xj+%DPH~MMNxEy*+F~OEQS*gXA7rd)!rn;xz`)-6K4BU5ka7BGTckuGo@vY@ zQb@HCaR8OwXM|*(D(;C>L6qAPc24S*5R7}nDl{eWN)6Hv^oFx&I9WRG{LgFk|NX=N zdD$NmUnN{I{BjkTqix}~U|G)U0Fwh(gI?&TF$h@F)0d4hzLc4b8NR#6%wIfHo)PW9 zteuW^Btc+n3iH2swg0zg{Q~hRaN9m_C?I^y9DYuX=Nch4xO|wHk#Ogqg^7jD6yTW1l@l*W`a zg@i+yAIB^vGQgvqw6?OW1mb{3&>R+cY|O=OspfZ(k66*@l|9#2k^84j`LFMFf*WZ4 zOq>qy7w_!=GSw#8t|*e)gs6p_k-{&&p{ctcj+pvjaO~{Ss}_q$$1;7SW5dDgy!8zG zi^(K-JfGM%oU9PdYEAONx~@S^*YX5=cKj0Lf6uj92&F#2usecctPCcE*^v9}x`iOx z+DTn zK9t3mEuZyxJyPvpCfm!*FO$e6*OSOSB!#;nD@H6qXh?mXevo6wrW;fv)*audE ztI%jUG~b}u>tx9!)$U?%v6u`}N|&!G>{EOkE9qw_chy+b-UuUc{4PY|Jm;08S?5Zc z$zj)(hH;z1YwLWNa_eccBWA?&SJaiY{P-IDAi89UFIxpqL*@ zdCjSRI6=Ns+t;4Uw0bs708X=?5MGc*r3it;XW&_H=yUhMFq56JE^ZE38J{MgbgxSV z4e(3$zxyc~;`9k1N=LBCuiXK|wtV2z#wC2c30 z{h&xd6c+IUPrEbJ?g0-y!DPe@DF>{DB|$%zW=xuN#h0(y4{NM&#%^z^1CgxNdn3Z* zgQXh&uV{r)c77yOOhsrT5?^TM~c+Z6f~$4vdm@?v8{DTgfAS4r*ydLKwILP zhdWfnap>P^*LWT8GnmMB2BMUMIfK38VEaxbn>zEzttl9YCpS{xy3iU?teCE@YrL#Av@HZ-7}g*n&u-e?4jSM}{btW)e0{Myl18C>Zup#GU!f7+mMCsCCI#9x6#>JnAS4^1R)&0~Knu2VBjc~KsIY)j9LS6ApBhfE)#NJN&9d0>B$x}!41#?WayXA{{a_e6} zDhL*P=k+(iM4U>X384+hK*pHLyMWU}gmBsW#?(@hqD+MD<3`k5XHB<~YeAR4s z@eCpZ+3?N0)QV3nwN8aqLrV%{DYR^^3;JG2ndCK=ALpQHESZ z#;!*Sqk3VDxrDvd9CLP#f86Q+U2&6odb_<2m#+En?6A;t%g&ET)+UhJvh3acn?dv1i3kt1QPk7mWwh}!23Qr_zEyY`^{G%I{SkILTUdbLTdXExgAZIF@_@F!Yi!#$#du@aNbCL z<5MXh2q)W2uJ4$!h%K+w!>fG3wRM%>AAO!Yj$%Uz<(8)xobKT#%Hr2qPl|qq8VfK zRiW_qcl?!!!7q)&c{lZm^$1$W*N3ubr(VruN)wHMZ1MM%TlgZvy@=Rn*4)*Y{*Hp; z4<+Vd+|h0P1vi9IKDe2Hc7xeG+UYrZ)PYfEUSwIkBnhjy{X8Q%w5mPU-zS%!-DCi8wtvf;H{vDOg1-{4jF#fE5@))* z(Bgq^EPNCBU}K~U3(HlzKiewaXJFuOMp1VJPS+^ zXZm^lm?$&zX-sBjy5(K=$Bj!(=kRqn^(~KHuyz+fU(xY)9jJ;)ZSWtE0tZKh+8k*R6GP|QOmR@A!{;p4T5Ic1DNz>cvB zom;9VNca25Z{Rn!lX3otbLS1>d`s1+=#6zJ6oHItUGBy3n}Pfw#Apo_=~(_rLcM_H z6xVfOT`qhceh7thF&EbQYAsg-9?xR06+Gkj0w$v^645b;qz<{95di{4=&sb3(>GUW&HLTfR>4vtzo2^K@x=y7y)~Si z$G(tr=fr4izhP9mBi1cTWvucgIi{s-dllOr&H6);b`i%Zo0!k`zp4Iz!G~t9a^oel zRrK`+rU(AEdaXhJ0ecuaVOMc}<=M4p?t{D^l_RSd5sZ`y9eRQahTNb~%@ePwS zYV%O4kKDZ=r#b5(Jj_9)?zhC&^E`s1z6 zDM&bT5!!GQiRGg8v&;`$xN7F}BrLa=#)jQL<5_yrziST80IkAafHwn!eW3nbfdV#j zrt6I0fcr3%tMcg+4bcnD9|X$OlI^a{n&yidlP#H3ko9pqJ_FjB7bI-p=q(@(c5C-6 zqk^& z??4mb@^3mu$ZOCPzXeypSgAwkHfM5tMaHto^I8aAY-(V?Ck|8afcKFdK4d`bUW$8b zJJ;F;!M%R+J|E{op8Q;EnOB<1dotw;8+6LMVs3-ZyR+@>Y;?Dz&u70vXCj>h(4q$p zzH|sN_n@cj5Gw$ShoH4vxyuYMK;n^v8%;*uHbhSIi!hmg3og~cY&{0(%}pgTJaqtC z3*u?7Nrtk4R2Q);=d? zA1wawOsaYV${4z+FMP` zz}o+Ph4!azc*A!M;@|=|+=1Vi1MRb>w2nEC>w$3@n06k*S>wz(SP!g&>vC^&J~#rG zbWrmHwdEFFj9R(5s{X)#ICtc>+pGG&`Ct>7z-g6i6+2mKGW1!Wd%jX!g(z6aqg##C z4kz=#JK<$+Pn7&9Br44{S3o~EOLibaU`LUJ91N`?cUF6)-!%XwD5sSGK;-5w&Vhh++GtXKX}(q${Nfqu%<_5u~^LIv2mJ z8nkY_>xS6(XXy7KEnK$Av9Z*~q4;ecp8mJ{gJl}#0lotn>r#4hti+dv^{1UNCzXCk zk@Be5Ps&_k`ZpVGKb>}kQ%RnuyYkPYqPbA6fWFy#1d}A`=v$A?ggfBr z6PxF62VM?KoArLvyRB01=A!?2C{-W+N2pXx)O%pm@`T?jNd{L66MY^ML_9i;#S0W9 zk*Rd?RbRnugK4(M&Gcb%y^+D%gf|E?f1(XKxyyQIBa=NO1x=(o<(XWCwWy(WkoEc* zSESD2#t11Y{IMS-&i({}^!<7~bw%~D6P%aF&tRzgx?aG)EeiaVxQ?}f2)xlw5qjWY zj8p$<@ZmrQPBCeVpIN0@&G*RJB0W)oNf`I6oi+0^b&psA?`(9Y-6-4P1trCe2U2{7 zPdJbRBNFjYOn_{=JROa7gRteeG+1`<$f8T^NlHGybOPfb3?%*;asR7dc2{leabNNPM^o4~%yQU2tyhSoLXAKeGMcT>7GMT9xwaAQ2WP{H zG@WK@NkA24ti(={Ooy)H3AfCg#D80iO9iE-{Cgd!_3X}Q!vL~$)b`gzCd5n6VBD!H|MGl)&{@Caw4eorwiYt zQg1o>>yDTgerDsD`cY%E7xfC&gkK{W$8|cxZM`C|MVo}p@>>IS$C*Q@{ zkup?XF=V_jbuuWgBNLKc!9GSP?@5W+O_$DmlHmtYe9oQVA)L?Qu5h7L@FRJX-r(0( z&(?shu#9ti9QMB2FKkHaXP2-auMw?SLLWw&%hfIviq7;onMvnq{L3Aa6i}nrlReKz z$748{U38^1{;qwK&+JzggrR5SX*%DJ+^T$D#evxLh2tD=MH=G~;etuxyb-N$jmxKV z@9XI2ZaB$#rGalXW4;Op`1=peYT^2%h6ckwX_OMws#)ISeLAyaC1 zJ#K3qHM*Um(a)s69B@KW+xo5Y$>*&Z*z*%dt33%>sX$+|`dI{{h1Ki=jhfTE5CYcL zqpWq4v4SK-^t0ACh*$Y}hIl%ubVO1%-`_bh8HTWQ0tW2vQ0y(MhA4~Wg2p!-vK{>w za$j)i6IIx5Oe)&g6>?`W@5iIOg&KzWQ{sh5xg^dC<$-JX-k^+Gc?RN9J^zyYNBY{2 zkiIe%1}vJNdEB*_^dNf1Xi^!>FZ~K-=-)GHcrR#h|BH@65m68QEtFET!F2y$r?U8& z1*#>jo(<=FUGAP#ueIMI`FvzDA{+x0l9kRM&#-m=`3oZDEE$pnb8Z*y^NDPQEHEc5 z9{OG4M5Zl&*956e%l{g>Snp$Uw3`x<>8bC%Z$7wbc$@iw>jtXsub?%TL{dXO<}{;k z!dH>d-s8Vf5D~PEP871;S+poHH8Xr|NPY05xA?bfvO`WyZf>q8$!?s}%pDn~m#QF! z&aa7rl4}Zu0f7KOd934PGv&ZJWB`5Wf@TAZ2W;W6_%6U{%=NPuNB#bLy@a{U2u+Kb zS{K{7uU8AnFvRRiUREbnn2vNN-O5HC@JmKrx86q6B_7I>t>7p8JY8jH^khp3TD?`7 z%-ZB1Wraw?WJXNS3Tp`2O=HDRRt0`Te0^T!>SsghQ8McH703gAmaNzcoI7rinvU(~ z(ZfC_qQ1f)b^u{bRX;dezS=Ug0sOg6$`L5!mRrw?1C(l$ zCKYLMT7Y1`bW(aX)?5<5u8pueVJ47guiS;fTtGF}!z=P*+|b&kl}j%_Nz!O1#F>!~6t9~mke?#9*iza;IE91|fw`=4%L=T={Gk6%Q>FJ|5DEgY zqXtGZCAW%z!?19)h@wh}!b>q=HhW7C1V9{bCitkmdkIa;SC6v$?kPaIc3mNOll47+ zH_9Tr15!mOByQPwPBk8k!({2b0E*7Uno;r55_zwK6K`hnnmb?nqHZfr-zs!q773f~ z{fr8g{It>#hZxHC zTy|$hVj3)W zMp@!{4KqS+&_F76g}%Q2ckv#1$AbaUNt65_Vs3dhig>L7^8$!?FE{?$4gO)Z?xtXX zV!;DQlUk_afVqBk!z+kfab%3hL@C{xsv1f_BqI_4H9}c-+0(v({j>1VGggjrnCwiw z`3wSJqw!i-r5weMUaeZ^BD`30qqi@IZJ@%?u`7|OhppHa6r`>~jfD8T=HHpNdB^MB zYsQ@6_}l}a)KG)DXJu)nNcxxhSY8`+WxEBUd?*|FZBFoEG#!_3-g~T{OCmysAebgX zPTx$Ou+JDO1|cP@QEwz{RIZBy+8#Z>pgg@pqgI~B`LM^3#QugZv9Ry04{+x662;GO z9(rV7)ljRjJp7sA+Ozyzd}#uUEQ_Cr?fne>hh$XC1o92Qgi?FH*LhsHo&X#}>(Ebm*4AZWiqZ*hgC5BX^FGLao{9w^n@bU)$bZt)893sVYQu zS3hr!n&#~}oyu0A-gZepN(H8qME&UoEkrJd9DTx$|2XZAg_tK5Z?b$`79xqUcjll( z4oi#jb{4=$3)OdG1i^sSEr0cjj%2<0#rH=Zg!TMGe`Pm-m&`9lFd41eq2n-c_Y^PN zSbG%k`v>&V-~p)sijs!$IrSd2wU~QMx~Ny_AX8m-m@b7-1(#Gk(@UNatjePEw#>DUlKYYT6#?WWJv`Yz$*xuo?hZNQ2eQepQE1AL^;G zcW7Tj?SDtHDG)g57uGaX$9S%wfFUv_paAN+CyZ|q6qi(UN|j zLqpMet@HM#5NV8|5U>KEjUKL$Zl$bcv+ zS(cs?ZbMa58A7*| zp~w{8^cZ{$u89{vih+DC4R8e^<5{xdG{!6=yT4M?q^Q{@!%$vjrtyj{#>2fQ46f&l zAcq@bTT%#h=cP(6f@e}=3tW=-C=boTQq0e#*5 z>Yg7G4>E;fNu&yj zJ`p6UGV{suo-TdDZAYIq3N(c}RABj)XtwU{xc9#LIfeD^&o9%OMMoY5z}X4)lQ~bHkz@{LltJ%TXYsK_X} zI8|l$?1;JW9)_Da;MgSP$!fs-E*etA!TYRIl$NJaGwPUH0FHCHocVFQCFq31zCs6b z;D)_DBUhl#&1n1@=z`4G7bm<>6~!HiUHkfPO+(oo9m;?DC{>PXMw(^J15T(qGGivS z1{ibJk~uI9WuKk{1@>7bGc8n%NP4&w=+m}MH>kxvJa{I8G{p9Z zlT)&I)%AfM)L7#Bygzvm)TrX-La_8ge>(R1g=ORv7lX$c!8iBm!r7^Kyg!Hc(&%N@ zrsJKul+4XbCWgQA5CrF}?>u^$qZsl-{v+|Y#2cc4uc{a5Idod}>Id7_kKzrae`ETk z#qH>JaK#s#xdPG0@75Od6PR&^4{WY-K2m;d0*cZtDWqXt8li)a0yk4Vt2Dw%+JXpJ zMSc%vfF{b!&_IF1{CgOMP!%wm%7v=pi?~0ePLZE7ooyY(eO?Eh@iWACzAk91AILS#Z-4v(BL-ZS9uc=| z;I&_`?lkSN2YrWgV-=K8VE_b3!q6)N#)h`vutl9o7=TstP&WC;q|0shW5@1p^?SfL z^+PZ;O-J)+;0-R(8|W^B%DEs(#$Y)+D_NrY40d_f+xB74-YkZ{qs%v48g;LO7zX(= z(~)%ggZgJe|MJTJ`(EKyOCzXlIm2ri#1niS!kTDLMQ+gyyX8;%D35V*JHanOO{|*0J{BvBs&^r$A9P z$;@i^@@w61ljte9*ByZBP$Q845t||#-IY<>$dwN^w;6uN!>J7x!Oip!e zYD}R?BI_?!Txd(&Uh)|d%k8l@x_htZt$A>+8RKv~;P|7oDz|dVjw>E^}nWsLurK4=My8%jZp=TE)*VYVh^V)fr6K2A}(4ktI7h`F^1IpKikc?eCUuz$e-NrlT9iecu{Vy}IN? zNtSD}{qInB0_Dd&W_dLZfP`@1nsox{&tPLX`y|fWU3BgX?q|j9aCMjED8zbihb{=M zlP@pSal;AWbR5lM(CJJR58&MfXFIMgPP^5%(E1)`1jFL{b;^&}uyCyL(GzVuY2<62 zZEF0A>OU#wsmLA3cELz}>r~PE&iiH6D(m^D*{UU(cONUZpHVV#a(TKw{a1E?9lZ8C zUR4=g`t2P(nxzx-rqK%=$( z;!Asc6p{XNaoK%~gmQj43H`h1ad;NGlcQTKTW#am3C5m>grkvqrpi&ln-%R-1cA#H zT6mrD_lO=8L=>Qdvnd0ds1?m>0L=hXze6VLb%s`hhkTmIjaePYZ4C{g)nNh4k}x1Z zd`qYS0Aw9X29-eVhp!Je?kR`@BR3KlfT!j3TJ^Q17L$OBNHwr&9G>L4s6GxR%VwyeF7-c>2e2Ayom8CVWX{0 zRiEC0DKg2?uRB$mm6nT!y{xpnkR>IbE{1JY3jq@0K!#Y2DXF?R;y%QTm_7+- zSZudU^ys=%Rp@sVVNNF0Ai4e|?#wbvpu0rBBYa2a^^g$nCvWGrLlRw zp?{!xhmO}<+*@qWCGtDvx#KcK_~Bk)6Vc1^pQO9NG=Dt5X^#te!9~df-nzkjHBLq@ z<=`3dG1Ii6qQ_H-)E{2idbCo zeZuhJ+Vz{?FLOy0#0fd_H>G9cj&o~I&e3Y<7!?bED+5BCV3G~MQ1=zJe}ckl>wC67 z<6Lshc!f+}i_2;fbrA}^`S&l4oJ`;s(uk-mXRj*eDoG=v=-pkMKuyeI+)qC1_*3da zcL!Jz52=&v!!Z?!9)3tvx{CUPEdw!d6hIi92dq6iN4I z-I1mhG58?Ye7;A;?bSR`3V^sg(0s6-m*{yO>#W%^$E&1`p^sUxy^OveM(A~ZKpJ^x zo2iI6!=6BtPLJIJr>-#J@Q`(!U;dCGqc2&v<*DbJ4n`)<_eP4hw<`-wZXY)9k~~C< z(LeplMo>3gm@8BT)rx=RN06R9SSS`l$0X*uZGydj=kEJe)f1>fUkl)8dX2^#D5u~- zWT>olSDx>`_AKqazEenjI*KrgHr+7`eidbKk~UJW$Dby6u2p}q^{BHO*FrX2Q^LlQ z;2&N97uC;A?%Q@Yau8%lw(tAQ1Wzy|;rgNqY~W394rf#BulC7i={zUy0@nom;vX>Z zEQ+&wip%sN3t1wXE^f>DP;xAOt4b=4#TLPpE`Il8`6s9;T!2+if`Q1Enbj*C!nSZTDOe-fL-`D(n@L@l~S z`PY{2>eft|=;cM>0E@%mt!%pm=E1|_U-Bg~4pt{OsL8t1TnzP2er}qSyH_i*-4XZ4 z@ngZL(fa{%SYDVO|IFi6m<8!oGJ%-~{u&$@OPhraA(gowSmupKA6%#b^yLP$0L|3O zQQ)#O03s5B$gD}O0S4hOmLGt;vFJaEzj6A}kMw3-O#53+^oNg*0M&{F>`9QVU(QDl zVb{^o-o8^k(v2WzM2zHKcnXq#uqeU2=6`b-MlNbE`^JIy%06l7T?sp2i9zPoYczOs ze2RA>ojtqz?%Cb5zVBWamwyNh@XR;v`%||Av>#1y zU|m>UK0HDg!EV?61@9Eub#%=2l05jf&-&A@qq`{9d(nc)f z-23V;k7_L*X6?Gg{^2{6_SZYK#TRMVDN7@HOi)YUtovXLqJ z*{{{pG?cqDeo<#?7d9pB+|u>f#<&*F_fasG=I4%fqn?{RUs_b?c2=5b)nWHubko0Z zzFmb~oog0n?ul*^J{g|Azc|Tau(F>*kl%WsuX%#TE8ze%x0e9%^DXm-kQNy|W8k6C zHW?n+QedReWnkyj{Yq|E>)oQ6sWWa==?Tdua zASaN~z@%ce<)=Gsd%owt@idCq_*RaVy5E!C=k@zQ-=0d2rEWKq+Ph?dRqImc?oXC8 z2i6Xi@sd9+c{(n&IEl<++;MW6DU@&hqxy66KJ!+Q--#!I3z`nWlZPrIN8Ns9sbS(~ zG7QfCiqmsqW~$gsT&q~+w$>Oo8&A}G)t>vP|7_7+xeCMSk&7L@g>#3oExx{R7!Yvf zFtj1wKnwpc3o4*rn}O_*D6w(2gdo8u`2>=A6K#gSqN_(uhIpp(o8}vna?(T+);MOl<%gW* zB^IyELFp=ktd5eW6 z`Qz>^k>H*3JFkwQlRg7Iuj9BlaGhQ%lkn>E8JuJCWa`Ez;(Mvq4(DuI9uG!c>ZBeO zz)uoEFdk3JMj+0C-EXd_HH{-fV&I4`toT+oZ&O?msd~ zvbPjV^+>~`@`gIChbma{nY#F)s(5{;=$+wUP)KMY;zd*dhc;d-_WlnmR>C^YU4uk9!pQPww)?#=@oV$vNUPS@ zhA|{xQHExh;mSjGq`hN`Ozg9}kt%~ceMY6iJ!L*zC(;hA?*=wIH&?Q{;ik{Ek89tC zn(Q`=P!~D7vnM~ix1n7B&f(<$-Bwb`K6jKQMajO{D?kLoe++5&L#JxIsFy7!TFP)ceEI~@ttyQc#QGWf%(?KySd(E(E zwaM=s-eSkFVKbCe@jOPr3&qpfr>m!q;AT3K{mWrmD#rHvBn)Q1$SCBvHZdK>%Bmc7 z4Z<1SzSEBIEy?xvLyf}?&1b+m?j=UGtNH}hn1cd1M#_JP?QN@xZjRBQno`SzQ?>vg zojTZN>IoMyku2!*dZt&-#Bca~&_%CYt;JvNU*%!hT<$s1c?^6 z%}{lCy$g&ekOwb&f7dwBenDcpza_yRQWLQ0;&O*kX}RfRQiD0DSYxoJw2Q_d!JT9G zm|TYBTf;E(aYPXFg2!`fIyqqThayN^71mm_PqV2?y{2LaH43D7iMFjfqdjrR0cT46 zhOhu3yW=o#HjuPfWx)IVhoKoC!y-OAR(QQr?IQji*Q$_;8L7eTd<{tl0VQD9eMGcvk==V!dCH3yBf7L=O9JKZ;WMZAtUXDQPO;n_3zJZR zT!)|u&vAH6w#E(W_{kE#F5!-Koo?chq5}n}5|=$2B5Qw^yOYIoH{U~ZurH`)XypVv zKpu1(F$W|=Dqs(x&uxyD8_!W1V`K?5_AV3inAEy7YC~$CcBLk+GjAQ<(w85UKqN7? zGwu^$Oxhr`^IpO&(4G0l|8f5Ecc<{UEZu>llKy6;A`Bm07Fbs;4v*~76}!J=e@7c- zy(==p)xkuL%;V|TM(f8u0WoGPw}J7?z21SMwi>KQ>uasOosoriyJDwzh+YPC0DBM@ z+1xjf*ftNP^5@U;7JYYh6@`?GjK_hcdq{4#F57$Uk52W&33uYe*#(vGq5{@^EIghu z);{=o`8^bC55;~>xDFZGM^B7;QequhyE6w&SerD38@r#Ro@P5mA4T6J_#?jr$o}~m z27ZgB8CZw~tGv}*p-&;=xDiykcV0Zjxk3a-NR9WQ$R7bJxaI^;mglU7!+R{e)r(+p z2nL$>hqZ0{>HtW(dK+vT7>#E=&M^8=Hui(cJd|0o%3&lr8GBUr1AWNVYxsHDJXS~=*$VcUW8Z$D zQ91AVs?bFd+Bm94hfLnu+}*>k3@BGhyN=C)t^NJE;PhVnWRzbXU`8IbzPD7eZE=cL z3%(JLgrV3?alaczk}cIIojjp@>?l{s*r~-sr@wkX#ihBbw8g2fdQ)O5H;>KyqF6po z^DXb<8{2b{eY?j-Dr5fEZ!X_l9FwTR*RO!++ca&!w%;-#?Lw!+tbpji(T>rI8-z)Z z+*S%=pWGU<1i$GxE#6)boTwab;c?jUDwva}USuLzN`^%ee{1zb@Gqn7rnfRWtM$~@ z1_Qt>#vk zf`o^kUYx}D=ecDoM)THkiKSVv>9%I&TFxF%U8~XxZ8ws~;Dt5A%mV`0kl@NR`qQq! zG`X$Ah)70vSZ^%}0D z0jqfiHGll%TTBGM#6#CTXYjL?yXpQe6=eM8klsq=K7d_;cBL`lZjjU>?Upy0t7QxX zv217?^%xOTiINquk5Rm&@A=OCjW^Te-)u_Or*hSOKt_Kf2e z6|ohHJM^PCHYG%hLYQxx1;(Ja}*-OTR$kY_m2?Lzhs`(d}D%?HemC zO_yl|w{gmr%)qA44OWR=xlyE8(!5Vs|7_;m?_ zeZOibO~RI5{p|JMUo+BU;qw372ZA!kP>Nttpd|Sv6EHT%PUuC0wt)86O%Udn#iW|V zEda4I218$nWbzKXFi4)k`C-99fEE~uteKh|jR_?AeMM=7}sc^y)GfLLGYZrQ|9HFvFE{hsT(ZiZ?~oL1vGRN_?< zv7aaOW23pUKMoWIBL_=;{H4iH^t&ay#hBe&0OyOLX4~^_&`J_`3V7Vv;nbGE&is@Q zY203Z4eX6Zcc!kftcAxHahNz;Pv_{t&SBJq!MNKboH;ZpStz+((2_vSoLBi@t#R0Ka(h%LFa1zy(&;KQZ9CDAki~vYR}-t{#pz= zL4`;Nn1V2*O7C!{R=%)>R{5QiD4K9x(0egEPm%w7eEpvk}_H4;hTDC3CfIMIG)T`H4~xQ3E>E6gRd3KNB<0_}K5Xw>t}&f_m^*5%7Ga`)b2vm0c*?(I<@~8=;vr2wt>~z?^P&VTCgg;n7%%e*^q8HTC|B3Fi{Ntx8lti+Nn)7Z z#{6w$YU84C7pl3eCKDq9-Q#TCJgTj<4AtY~!6vFoC+6`iLE5VYKl|-;5RRZYImU{& z)UezMe7zKpPZ0GfFtJG|mEW}VF1Avlez%b-wiZW6yYrT!+wAq$T$Y4B5pmq*7DdMO z!Sdp`?nU%kg8X@=;tG7PFjAN4TD+?OaHWhp1$pBX;qz+if=oc6-U zA2?&l+}54A7^;c$cPIAf!bP91cDOIFZtVs(E;rcW5=nWg-q}ibCp|SIZ?5?M3Fa9< zJg}l)uO}kaM4K5p{!a7mhlmH|Lm@}qVy@N>UZ5ei=?Z(kYK{)XI$SOHR$?f8-OP?2 zkrT3fVLbQ#%Uc?|YX^_W_{E~vNrIbGADYFV%uf)F%)h!S^pD-1jCvwuP->r=X)aAJ z#=v_k_X z-T(Z$XzPKd{#7e}^=LwtzEJOa%Kgt4B4v$WQQ-tIt-vy=kY0`&4aA2Pd7=Z>gRbk@ zqwap|%*9_hwOI=k{=8OwzgqCCysAID0QX1$8CjtvJA1@_O`=*Jix2IN>MB49>@4># zU%o8K`?*7GciDd_$OAe;B@z1!JWey-^2HTn%}7O{T3nLRIN;}RSicrugUvn9USNzx>um&tz=}q z!Lz-aO8CCZ&$%u`bmv>QCINJqZ34B4%^v*2`Xv*=2MQ zKsm=<>Zja!2=Njnt|(rj5$?D<~SR#0wvI)_Jj3%k#wy&R0xz{EJ;232J?|A?BF^V5~lL&xebm2nc~1&hn?bKpK|I; zaJ+Poqrt9UrdJpaJNu`z6*t~Ydi;ciyB8~wZ-+Y5^ul>huCBOG6bh%6uX*h|#CI-> zHpCFYKjWo;92sk>){`dve#pFFdE$H{x~K3--b*q&)(@L^5oocw;o)p(^LxfuN2HTc z>M3#aPOUK&g$tT=dz+`L2)DUg5A2(+=M_rSMLPazXqE*Oh?-T0v*|i7ouT4i;jlW( zK~p@6SI+Y{lZm|~{r30umOvMvH!5)()0m>J59T(Rn|D$ujLrCawccT5c}bOz>)yV> z>O;)Tw*amuRC9LTjJ&I1Y-Nr{7%TqO=E;$|cS?LlvGj4{w87~Noez^@MBEx7Gl8Au z`91RT_=6Jz5PRjAu_e6<*qJZIJ@b3nTV^+Y0Yig;9EJMSXR7S9yx-z(IyB6AxQGbk z1=r^erWQ|pUA!Dv52^jv%dYjfl!9Wjm#h5LxAjv4#@rpQmYV4rxY;|4nV_%?gs!1+ zj*wTOSc9-L-2Dv|S#G;nH_g8217FDSme=Aj$NbgdhZ~XGf$MFmmlHdyL7u5->nT;; ztT2`b7}v#g(}^W5g?Q3OD_A#W8&B4qdZ&51t}pnf6|WXlx~yVIqGP)^-t=;{{o8pp z?0PROAfs?%hb_=46&VrpbQh3-qID?_U(wGmJQ|ejwfU1v?FJCRx(LN z4(6Edhe3?I?bZFvU*s&eC(J`T0x!$Hr67)B?q&HYkxy${^{ka9n{C&b@cevD50R^fqb>obm zkAR8_GbLvPw{76ry8zgHYoXDK(+=u)Z>#<+AHwcS5q09+jq0PFA5N#lR8QpU*NN=$ zI*TwK!Dq_l+x6_6d=6L7%k#O+S-QlCyK7iR?rX7>xNljDv~BXae}B_I6J&K9`)nHs z(jX}L;!yRLVj|*k?m*-;jO~kGys_Y7RexqN+0E~&pr3P*OL5VO5q-of#eYqY=e;LT zC0@A)cizjdF$(;Qe)}oUFuPYSa;V}4aqwtA>CvUXuBwIGAHUz~Ter(w5M}6d+FiOS z?S?;U%`j#!jE{1&x*|w{zkH@uo;cVQNLEV2DD;PF>^QQvj=~EQGPNf#xC+~$!~t{+ zAu;6rmdRszqH_=wRbL*iRrih1)y--3DV8~6=+yyQ-43`96A-Q#3O>8TQ=b%%AZsHS zx-M~9ssMd(Hp&GI!ufsm;E@E;vpe8P3MjNZanO}G)h1cFy`o@U)GvOSQGs(DET^kv ztNEE8_X|N>e_zwi`_WocrPbMN6Amte%08~{_c=MIgEBco3sWsV?;p0h4LrBeLSM;3 zhQ%zjy z>GYwjjh)0kbQ;4-NT{U2X5$}$Jaim}2M2d33n}rArn*I&>hnzRf*E3&tdWKwBRpFy z(LQ}DeAZ74V3UR0!>%U%`V-v_+SK?=H{44iyjl5ReeG^~n1#g_3`%%YxQG>=Osz5` zUhQ9Cns%I*ed^C|FnIs*^@S3eN_1`m{~M=sMB!G{qH4~CvOWviZ)NHbM>5Y9d|g)q z8E7G7$-dyft@muX?kQv+IKP8g8dh!9y;=&?ttrd{woe$Xx#vGtSY5V^B!2DlMAp}5xo!IS2Zh0>MRMQdixo-B*Y#KH_1~*wH#&it@1H8eagQqyHgyFo z^VaRtKq1DPHEdFigGj8)a8Q0QuQ2(52pvGLS)c^Sl_?#cS#Y!?$L*5CR-Y}K^pp1E zl8Oy5e5=jIATU$p(-iCKxDJT`j;v48W^bn&aPd#R!R$N2eM9rmCxaVKRW@0xYkHI@ z*XZz%eg@3SVdhppK3;wO15=g96ZO{3(+1<##hewkBV zLcBySXc9wVLQ1W9P}<%$Xf*zsCEm~E(0M<#NAc^<1b&vkC+BCztE6H&fA3POe)A-d zS76lcy8D3~@F;y2NWD#DOe$2&Ugsf(GKejxGMpBA<9-(p$eJEW`{$GJoQE}Jy^X>O z^H3F%qR=pnRiFMFQf}0Xw5~Rl1&bUuMN_Wmr|FeEjrVMOyQ_uF>nmpg;Q1}b-x>e5 z4b&SW3B4kT_m}lSsXeD_1t-T}#|d)`mBhIu1ty88$uUmgZTx_< z?*$jAX?F&8-W)UUj4-@C=;L zj%lQH+WTzD8iLo$pMQGS$0iEWkuq)|Uh^RpW& zaFg_dxfUQ>Mr#;Xc+Q6Hu2%*JO&W3v4bzw5H92SN+gTX1driE~f)}u;Y@A}_kVF5> z?MH7#pRhkj8xvVeEdE`DUp$vZU&^L<0?xO-cvv+rZoOP`(P@1AWncto=9i?0NO zothADPEbUh-S%W4IaRuP_K?vQ%;la~%-~u+^r?rcUJJTx$(rV#XP_2^ak)j`fh2gg z*Jr^F+PSy3M|1e>ylMKHZw{Lq!2Ge{yxeGXg&+@eDMA?+Ix(2o1hP#=+4;#6_yDv&gATpm$rBPwHbyus z$DpmmUa7YjUdJX71NQw8pBdgyfc5q;)MH)mCQ``cf|ryB`>_=flz8xU+~>RsYmT#5 zz;Xf?Icape+mwpF%Pqjb*Rhpy#FcUob17-qT`FQ10)*z{zrHlsN1PIK-4=nQ`!~x+A#K}$0+|QFGt*N@hi41@-xFE`frs9vpcnOPQQ(< z^hkmf#4Z1Ek?-yl#F;LRX9DG>JD)y|)bR`!@cpa{X7;nBUc4b8%<$rzkFBj(nf>&o zt*nQ;eN48ty^LAwhJ%T`zp7xU{QbQ?CVE%!uUqI62Ts4U{+IiWF5PrgRKOW^`tI1^ z{rdK2ERW5)aSJ@GaB2w?gWUNICj-Jl4=wM0BBk$nR-eY{%xhlSVHn7^ytLZBshvt1 z-DR)=647@4am|Z^qh>09*JA#U2wJagj(|lVsebxzJ$&pJz2CrpyT&SA2FKo>^~6pn zGvw(Rc?IGCmLM|G@@7%t<;Cbkn-K^U%d05Uu9;Iz=6>|`fY1Yw|LdNJAE6LE50}CS z#Z~OC+uBs%)h`X4?>43>qzg^j?!+6h9a}U;EPT#Ca1+y**GCN+6sr(3Vdb%G1H;Oh zwDjiqa8V?YxmVfy1mX=8VnnxD#KS<@d=rdNQLz^{(zBO+PdAsTRX;>wM*S1S9UN9H zSxa8XTwq8q;u9hP$(!epX;NPYFli&f*as8h$Y6T*o&f0sMKs)JILlLV?%xA0UfeNZ zF)Et6o#dH>=n#@3+Eu7_@$nMB0PjQ>_R5d*h0WL3(jzL!mbM%LzyXxa$6;nXHF4{x z_U|fR7E?k+@NjL{RB6`-$B2EiDbmN2*F@n8;#Hf-O05%_a(1p#FC2{h3&w z1MS25?0*x&r3$i+xcgAflu|wRY#*<@P>EWOnAw_Mvyj^;iJi;4*vFHta>zEObWcTM zZ%-a3DBsaq+w(2vA)bC3U;<NK9|&d*upY-zRJvaoQ+A0CyE0~cSjIg@U%jkn_q&G7o6 zhtew|F!52%v`?l`NX`AqkwnIPn}SDG-*)8NPp0$0+qw_GqD^?x;5Wb{BjCKVj(6+b z8}?x;H%_3Snf4bkVJ^Ysb(5MJLpbJtJx)D#LHO5Eb$p@gz-&R5*M`oEo-q3o&xF~6 z?C#~tLpu=b77VDO3-Kt8dZrjR5)ij|A(?>gC;j5cE{~7Qxtj8CAjTux_PCGD?)}Ha z-iSUW{e6Gc^G>xo4?cQPYUTaQ-yXEaiwfmQr5=KyE&z;`WO10-Ja4)~EZt=e*InBa z3Xk908-^Sr{-A+L7+fyB*PnIu&FUIp+b4I5tUWy;yP2DGPWoY`@$}|IAe;euamO_XA&Jh?qRPy69=~DS>9y#1kGTxp~lc z9W4gO@tiZ|s6C#$EmisMo%|BlpKZ5z{?J#^a}-sJ-cmfuj1V(aKLyRST)N+{-)vD|ghA?>AB=^zCg;Lk!tEIUnE2W%^*_(8xaKPz%4Ru*xi zym(xz3qJY#7u?s{mIz+xqG7zEBe9#)`v>MV#l3tOg@Ad6Usdr|RD39Xj~HiP=9$o2 zknO`ZK#T*D{k|1QM;ARZh(=VMT~$l*+WhOX>R%P8|KeqrR)rY{68nhO1-(_Cp0^$~ zCV3ZUgHuSbLg6aueY^LWZ$ef9heQIM!kM#r<2Ek#FU*!2_=cBWm|n6tT*XvR>QmVu z47rXu>hBGT|E?nR-<-c`~%&UWKAvd`?~ zaPNEyRu5aUyUZ99qN!*5s(*fYw4qn<%%7Q9UYxx~ZSOPvb8w)7GsZDyuTgb6m5BeOX+0zRxK|{lMBUw#XP_wF^Ne89dTWQXX~me zM5gHj1M4Q`O~ZGt@j8KEE`tiv*TmaV^?CG_V(fjBrRcpW67A=E9#lf)vTZA2sj>*< zr~s|LQj7@ZUGJKv8T)%(BMGx(AuJXuzb({ws8RHDjhlUm(Al`yevAxo3`+aAwhv8ul5xh#@YZ|Q8w zI`e=SZ_qM8wF{23UF(bri)vt4H4il+;N-?4cmNg>=5S!b`R7kpr2|{zX;{>&9m+Zq zkVu31quOTdsMqD=7_P?myduR-^m6A~X=zqpslIhuDW>rY>~TnM>ha!R*5MHqJ(9^d z&<}DKJ&0~SfNB~6LCVm<@rmvWnpt{;qwzew_+tk2&S4CRaFZiG3)E=3hXjOYCsx)J z2iA9gc_fKiZG|pp9GIrJot#FiFo5(b{ZIXz$I_@<_ZvQWk#9*4X}!B}0_U7TFawnp zd&CcGXal%GVS~(_$ml=Nqui>wqYIfkg@j=8ew*jfi5+~&Wr>q-+=QW1d0Z8qh0S|H z*{-tTdN&krcs)y}Ak8VuY$zrsJz|r+s1ZtQR*elW_b4t)rfprIpQiAQ2!yts^HzngEL`PTL+E%6Z zo{s+g%AK}9e!!uhqClm@-QdJyvG!#`z?_{J7Ko{&>26u>Nz=`h@d{(_jZb^s%cPpj zsJ_8I4-HXpqQnzHLP4%XU#<8@IL~)aGC-Od1EX1P2*`#Lu-MM#63>{c}+5ArwU@rR1$z*m%#~rTK`-=-6G3g!vT}AIF$i4onxEHq}qhHFx z27wJTCb0udJ3fZANMb@LfAbrCac{{;Uel3G>KFpY2HM0|eCx2yo?Psc8o69r8}Fw@ z)`QCTtTqhuzx#lba&=gu)w`_OC8E@O1KbF%(UXo7L!I*%MgGX)mk_kit7O`q_nbn^ z+5hOlCFQyitz3XgnCFFC<*@P)5RhRo7*rYH@)M|APOt}ZJ@-6P4XP^h!T#P9o}deR zz*jLw_;xYXWNi%Z=$GC5)VK5w6nmcMl3iIE^hZRzb7OzA3LhXleE!r>WeYZd7N$d~ zIRzt^L#KoCpULwNzoeuNXQ23c1xy_I=6GeWCDP_@flVO+kpGLT;h@79ItY!(Un|ML zc`-tJ39*R8;&_1v9ip_^8AoKoQ;DRLP+2OG?SQmQZ#-lfn z*u>Nymgf1htF>J{PCUZz-J^>ElLvOUS5<_dEfVtFeTKT`1h#HRQRJCwJOt5NE(D|4 zW{c&$(l2xT0YmMjd8iPY0`Xo5vwpGc))tmWD)4F*V@WX1d_kfd1>m z9%JxY8E;YuVSi9={0o9@LajF<8Kw7mjU6oZykaeP0)CXZAf=6gO7iC#txJ?PF)|+? ziT)YQ?0Ynr{Q>)O$f#COb>FQof9UZ0ujCW~9%Q%AgzGZzI7XlRe~c3Pk5?AF$fx^X~?sOFp8 zM*@KqqXpNO2DCSh|B;00Kl@^@S~+Hw0~4WKK^IvCz{)}D>0&T!$$nR{;h-!m!!3Wd zXqHR2Sd~Ac_i=J92cMZn=t@YVa~?jUkC`JZlghL`f87@#RITsjCN#Z;R$+ib`2CV1 zrQ^ROomVSMv(T%Oo@mkHtlBBPhuD~GqwRHm7MN?YK~6@qBsgG#o`It<4Z7ELOI--yM8Y@_T_=QgNwYmj3!dvOQqjmp zU;lsb%Km51=cWj86s#iHE$cC%1uZ^lYlol!F6xzLX<0D^P;m zAg5zEByzDtk6S)u38V7wt*EG1M;lr;WM5YIQ7HKZF)S2I9XWmNAt~EY@v7;s{44cmppokSdr209?#B`tY(xwG@NZeIS2QfCRv2 zK3ah8nS%V*ezsc)!sJnat*ls1wsbxp1EHgmvf%WU+aqr-&&7k|u8}zCX`Ouef&C8B z9{CBc$n_?`o6rtH>6=x1Br%knGr*9J+Uy+kde0zl!Zi|6`%7nD`$73IB8tiUkFKbH z*gE1Zl!h{|Ci?j892Drcbv|p1zj<;iUL5oD;WwGPTqbQBSEk)2jV?-*4C}`{{i0Om zE%EjAfv1vjK$#IB3&#SEOcbJ1yj%!Iqbyop5= z+pzD=!Koiw=G$5dqxoG5Gjs~Om9uST9Fx?hZ6C0@%w${NvOAUDB77^$=uqCO3`eAZ zWmE3&#!CIUa)9x^SMBlXBq>K+M7Cimx*KiQow{&cY7Wsa4XFRsZpjVTRW=%2_z2;p2Rwpm{I^fd z?XUtu!P(pd;ELo{yG0=~7V3Ms6bno+yvwGV@TO=6uvs>yXG>mT4%+|bybN8R?vSnj zz`&ZWnXPQdli~gUedLK3BGzuFod_lFna{o#g*v9=J1pu6Y=gV(Rm#z{xxzhC^R9de zss>F?Fv^aJl;Y;L=|i73j#boaCSSnHa)YL?Qa$TOw(~0iYXnl?YncRc+Pxx~^LY z;I`z*1u0;2E@$NdZL)aFpPoQLW$6hQM`mCH}%IZ?GZr#t_Dk zXhD#~zu@m~E<=({iee~+lw(EvBl)q;5QAif%!SXJ52N@Wo%8>=n*QClUAYv%N@hnx z$eHV&_IM!c;_>s-zN)z%ijs2uS?`I{)gET{d`ziM>+J<2dF5EVpD2Zi_ zagIL^v%XZp7}>`8Ey7f%bsc_oDK5Sn=g3#>Io~5mSBq!@fCx`I4}cF+#kMiew2G2A z&BOp+E_I4AV{-Lib&V-B>yqbn%Ux)NTxND8w6SwOV%hvNvtmIkv{UlYf)3?7_-Q`# zZf6ort3&$i{eLR@{qJuBFS&nj(Tk}=Y|-DeD}&+EMZR};L=k}bpskrFXwfyk=Prq|{LRHzW-^qBT)8JL zoe+6C1aIKxIAa08|7^cFAY!-+L$q1oJ@66!J>-3Hb#>(%#DB~$>9g{vk@L`^(41iA z6UZCcwSa_F{f5@)3 zC$jQfM)|Ruc9?*NMI4geJZcpRXV}B22;cq-$JrWflVAy9;-doBGTEV8@I{65{=7%7 zs}vW9Wm+_Lu6~@bjv%shHy(=1-ODnCXp#GL!p>i?%`2%jb;A-RNr4npq7W&F;cgJ+ z<4MKvbPY}Zn_Da<8%_dwZi$i}f7eKEk7p(}TZ0f_$hkkOrw|xuOi2D#CuhkP?St{@@@kMo=5IuV~Gfup~{#CA=y=u_7EEYsHg*UW`?ng0JCGUN|& zcX&531U#5!aT;3?W|ISr4*WQ*;Xe4{b&0sG@An(|Q;GFlmj!93t{^xlNHEo^_zL3dF%_s8=Z;N?y^sB7zTs$87d2<1e1VqgS{l2+>ppn&2DX0Y{LvKMxZ z7xeZle)Y)YjhI!hK*?j!=H5P6isZ|H=9nBPxS&ZYK^EU z3}KuvdJm$wR$BMW&N6!H^!-G{8dfBh+yVSgeH!vBFQr4M(zw~$FT2%I&_v2rJ;rL3z4n#9vrZ=IpZ=1`tYTIY527|-) ztA!k5dUkJ3nA@ua+zdrcFH$l5+s9`kz|}Ql8|Pq%sa6 z_N!!84uNPqXl1BMtU#j1jyRgKPBKPfZi<2$)2Kb+F4|fGYi67%Z?rp91GCmRX1g<2 z3qS4MtXbC)gFJyX?>~#S_{S>n%GGr`z*U`$(_pzy*^d?gj;}MoSq`^J@2Mhx81vSD_nU&YeL2TIHnM-3SkF zQ>?99)kH$7nhir+|FVv7Al8vg!lTb;SUpsaoPK{^tYU`fu+qkW^{VfgTx{x=niYg( zIg|kx1O&hTwFdxZ9%si~X3{YR{$_PaQRC+Di_l&Xa|>o(02l8{kdUN5c9g;A?eA51w3CD7Q20@M?Y!cgM=dt3;GVhnTw_jU}lhZM|uid{Xkqv=}kgeyr z*&w!ia-dUrk&xGLbZY&mYdJy}@pQtdAD=?^duIe_(kQQimb=s*toFU%K-g!wufVS@ z_;KBeGP4^rvE|PfAfPN_Sl3+4y7yYf3JiIDg_w037LQ*8@#oiuE+$bNiS{#Ko}TTAyA=3H9xAzLa0T%4)t@#pPrCl_ulq zJmIm0UnSXaKk4Qy$_dsfFe6~vS~{*Og#L0I4xv#IzG8Agiqo5X=;Q4L)G!x7)m>NKuqEANE*k$o`A?HnD>w-%f*6MNyFdx!7V@4T% z#W!frBA!;XjAfoFRbLj!VN9wwK|)wA-j9r>%`RULb<|xaGM8iNGy;?HFzq`q3U~BiFl+fmjX#rh z{Nt)Req?O6x{po_7lvafYP@fxaJTL9J2{e_Zo*oE4Y{3zxx z(5eSB>!XH1FOE*RN2NIROY<$u%(~ch@r__mnzK)+*2HNLVq)eN?_r_s@JdKx(SEH3`GGVRLA z3!2`K{FXg(pYHfvutSbuC=L;rLo{r7T6IVom?Llf-3JO}7lE38YZ^MsN~ zrfj(SQv2b?fG3^BM(&#{L5p`Lu)d!g4JjtL49a_&H+IUW(()uHTDM(dnxk{B7@`H0 z;aX<7va|yENWmb<-aK9ahE&H&ikGEEivtyox$3Ek0ubt-2xip$|?N9@G zRg$5}Prvr>ne?`a-&eDbz4VthyoXoeM>4~)Ma&}AU^qt1PrWbWJD?DLot(p)IT13w z)qe#F=OeiRkI7nL+|6lAJ~|lDt`0iR1RPAKOhhc>tMN(+3QTSF-?{&cTKbPTgq&WS z_(=MN3+Bqvypn}`Ikmmmk*ja-`o8~8Q1<>c3b*_(EBc}o>shPu&f`jR379L4doE*f zKiIoCoUtB!z1f>W=?Z4vq`4uo6d2psw1K#Zb)7gs#X}=-G?SvS#HjAAq8d(dMpMvf zVNO8ki;LBb6pFJlJ!lZNll5Y_8TApBu>O^Ad# z_J*MjD>BJZ$ogO8#zN6=8=+USEQ+|vA38$urIaqF7GE(DVgA+lpr8n_>!_w2$29C4 zYjDsH?gA@6E@WVgxV8XnFb+F${?^ZKn#?PY>1PWoA#1jmS9Pe;^xl_;5^74ndGxpB zoDXT8{Qq0A@kho;)p}iY>owm}M;Vqv1kGOSfQz{HeGC2HaT7mJvMH+z!tzd@FvW)H}cTO5~nPl{mwJ(y@6>WhV=Zcl8n;b7J$d}C#Ho`rJ4UaIwBrp<<|)&O z$+D6}b_E5{Jp*`kZez-3QsUqdcSEg8=jbRgry8@_y$hxnL(GFi95{;PhG&m{S90Kx zuYZr{Y9jJv`A$7kk9-`2Xq!yi;$Inl50LOZ4=@53wPuz<6?$Z3BmuhTk37c8=Fb2j zE%++<<#FAS+n&4S5csVv{Ym-oA;^tl1C9Ub!-sGr=`cIe;gi$Q)Mckh$0jR9vJ5_3 z{SYPWq6(!G3l%-DP1z5rb)(i8{SPjHO+VdQGp*Zq;nhhljf`;lrU<_D2gm#7E~tQV zCGCL!n?*?4hCQy}a#zG==y@p%wP55|v^u}B-|8xbZ8i$^1@y_MI=ttgW;PuA9;mTL z{aoNdKBYIaGx%L{!T2g6rgWd{Wi<4eYMYmKPL$V!*F}qO6~qA?Cw@@Bi4}3vsIwfb z)W@_$nL3b90vuSrVqvTvV+MIfSIzNRAtiQ`@)i~uFj7!TpCMiR06DbY!N`F6b@JB! zpPwWV^;oX;peUPWR+RIqprs?_PD8;5U*G$!-O%76QE{i3n6hWsA*CiQ9Z8h@mi(H3CH$-28hzVy2%8YNk22tY>qGq3fh;!h z+SIFGjaKW&KR!E{{kAMBqA`$1V=Tf^ttCoyG8kvv*OyHzAL$mk)jX;(5+FJ{Rwr;F zh*LZJ$XyPN>(_r1=JRe2HcmJQ&9|j4Y{Tsn02s9n<-v<_ukO)`mDS8%d--0O-)+Of z6vi&fzxee9Zm|ml<`-*|IUS$H53^F!NG|=#AUrsE`+ygc1}&?U^!(T5i)5_SN_WEF z#|G6j%~$R1SSMfM;DSM3@~6{ZI)mX!m71Us^pIr6i znj%iHhDywuqHUo)QK8~0Ps{EefCOHZr$8OXwnndBw^5Okqkh8{3tAZ|hp9IY8xDJA201MBX}h#I z(Bnb*6l`p8xG1QRS>`qC!#6ptQMZGpT!s22sY9y39&zEq3kT1eT+UJMpun|Pua-@A z!x;=i-6CIP)gK(DotG`^e<1|=uH_CfO+~pRetrNhYba1E`pw|BWpsCAQy0G0LND&~78(z$Mx0 zX{>k@s>A5nI3+9aJ~htre^`6#s4CaBZ&VPZLqI@U0coVA1OyeN z8>A6ILKOL z*Y!({3B}D>SMHJ*0GV-ci=<{rptT^A;vm?I1=6)%Y5_tC^G53`>S@FRj2k=!rLrecqkO1$a7J`@(vf| zBr$rmk&|)gFd(gsmNcC0kN=+A_lfN5XOj%yy4!vd`cMfu98(qPqE0!9=^Eeu$Du5d zPj3fxH!@I8Mcu9e4PA@QI!xK>C9So8MBn`#PgJBt1>tMD_nDLCH541tIt;VJ`|odY zG%v(Ifg^{GgV-EWyOF8q4r_xfPa(q$AeE<}#bSr6I0o>nkm(a+SXJQ`d{^-{#DwYZ z_+IFIO0f{cSF@GU49d;AS;5T`2Nrnk#PCwe=jaTP*Dz;mYMoZ!C5w9-^rYS|I8gDy zrChA=VvRgkbY<>x&TJM$J{&Sv(Vm%@d;|h;?FH=?M71L|!$;?I;5CVr^UC5y^nMD)5^00J-8Fj7bklznun=k>51uQGOfAm_A5SxjU%#m~$~I319u zmN`WYf&nJvYj6&LtRiF9BG=z?%FEEL!l(BuTkgFgyu^$NJf^BCzU{qW)aiuame}9D zAGTR^8GK@-uk>EWP0ikApTo=$3CF_1n%_L(m8J+6{9OyA%SCS?ZoZM|_y2m;d1 zI5`!e8|}l=1^8gu4hiDv8UCK{8k2a35xXmzDT0XT68Lc0xA2jUVg3#rik4VoisZM_ z>_`^+G>aK^1|187>2n$*Y3T3T4KVI6jlbDRM&63>;=pZzaWeR;kynP6kvgUHleY z@_)~v^sl{wllVJK%lW%7hxpQlp~*CQ!Yp7=ky-+zjV>PA?Vd^=48nA-dsk$-B>(0g zJ&k!xd}$Fi3wLpyMiT;FX)?@}7wj;x(NvzeKfd^w6l=<*M1IHT7hPYSt7Atj+k2A% zVAqEpX=U>E$uv=0?9@xk?KFeg@%<1i+9~k?B8^!cC&tQ z>@*N^Sn+qZAs}IUsyvVVOS2#2h$gCDguv~2p30xcZ{F0e2~5&Abv|kC7%2DH6~3Ey zJGVq~@tta&ld+K7vHwf$dWB1!%18JcLi3gK6%2r@>A`MJrS1YTr?-*Wt;_@U?k;cM zyx9#NVA3{+6S!E()#;4{C@7voGH(87$K{?U(5wK3lZ(8c+?Kwbuo|Ve;qz!t{BwKUPCXenoY)AkurN zUZkUeRpj{VdxqXOskdKE+VP=`qoP+Bj`?}sDHi*==74gTrE?gx=AjLO74#=Da7I0W zgJMV!NxeX&5~gJ|${>mWkb+u^TrNEcyzREMEv9Q#J|w9ba1Q#OeTM&HEmg#MErv?a zPQuQR;ZT%_V_&=CfPPe$jbfVGqaMT9g}QEg_CyH_ny{H_z|5(k#XVEE_k)ckV*=$j z_n>pnOS%~0=9K6xixeCe_B(R^DzpM`@*wj|hj+Jqvp-AP6iS`ervAXnc63|xuV02f zxr~It%p)XME&GiI@q?-9eMl4~#G`d0t;D>^q34LIxP*__FobYPv&7xc39*u|-MCR# zwG+-ZKXF)49MYWX`tg&*SfO=q_*I_j-`bvuE5`?&zn{DeFSy+wySr|>QCcFpC%U6f z*%8le_cEsr(~(W%F1^xGtu(yoFNO?1AW-u3vXX@jg}q}vL@l#pNyB`;Y}Lx?RM}9g zk2ru_L?+%H{0`}BMoT+b@xS$tD^E&Lo{@6wjn%tXA(=1lj4O^irVJ9w_+xZ^Td-iO z=c#@(S;oLL0i@$z5Rq0Em_EIso=<_nYPdCtBwZ1c7I+e7uaN^TJeG7k}u76WBGa60BFM4G_VHqV`xk=z~9E-)n z<~e0gyd`z5=@VWA0>B9Q7_#Z-7dKyhe2t-lc?!)ta4boz?zB>3fj#3LU^HV{mS^}k zL3IpLjEEZTg z8gJqq(1Q7zwNVfo=flO{AGkaOTzfSS!v+mJvfkezC?F>OdZ;2&Z37M= zQcOoFCANM;P;TJxwfGA@xr_doI?-aMR(BvAA-I=*%QjhL)d zE8=r;(jsk+=P8f(WRh$JCbH-&TH`!sFO>ks~X7r?E?U|EFh4 zOtG>&Hc1B?#u3$SY`5+B-naGVyCrNFOT4_3!?meHw(_`ynA_7{5~gDnuYz#b&!P@! z`}Oy3bY;yaelARc-<+`ZEm*avSX&qfxlt9TCFzH?SqlX3+-Wm;2%Ddpfey4I|GK`t z{tJvcvJV#yx@^HR1W-5=NH(fSi=YgVfoKV7(zPN6W2Q!?dhkevHql-6Y%a2Zde>Bb zw!muH3AlHh`-T>f8j>M!v+~HrgnoywPzLliNZnQDeS9(K9E2Odr~nt0aA&E*(RsT4 zM4Hx<;Z!W>iVINBYkFTXMPb9@fnEK1WfxwyrfD8SUzRk16@#{;q3hxe#_vN>vmrAO zl9r2Bhe2R4@k?s?&7g|mjLZ%_d5f;~1@5llNA38=qvp+gg?|u1>Hi6gdVEJ2M2ZA>sL2IQ4?=V^ zdjW0IO^jrJDw<+_x-~X5X!iq&o9sal7TdBJ1okCK94As;Gv0$6>$yC8 zipjfzN^(p{{cFr!Lxa*riH@(3!uYhoqlT#cWFg&!ldE1C5~FmKnOXypjhB!_b5hVI zTLQxpQb2^%*xhgeH37twOW*d%)M%8uLL)xMO|tN`(o&<(7k#5k8R%Z0cp{NU=>$)V z6Pd*A?RSt05M&~Xx(*C>#EU-KS`)B_va1w_w-hs+KEk!np4DE)`bEyJR<%?n zak})1M(+;{7TQCK@mx((F;l~rZeL=;TN_86E$DUX2mIY@G)ByU%pZ) zu5$DImh+4M$4GVjUk0xt9Wamgg4fwNCa+6Ax2OWF@5`O8%8`_qWjj{l5c1J(F;Z4_ z8M^YJnXj2P=2$SHXEh`Q174=8F(6 z)tVCCG}-V$ShW3KnSGzECy!Em^XOZPVFMpymwwsv6!ii%mEGEmwHw?1_Cmi_=As*p zYZBvlT{dC`9Ce(F^=g~2lYIC)1qzZB#N!Wbi#TT#PsX~Q1>oH1X7ZfbvP_{b2UIQOOklrU?Pt7IBTuWkM3tb_5L1;xXMF*agZhzDb! z9XBa~Ffdyz$EK^4m=biwMZh2lGs7TQ)-0U>iC{9WdMV#QM&8H692d!l<7!e6jS1R$&~g?Q!(df zM?iPvpY^feiCjg_(|dcJcbR1IUAh(3jbo%GJ`@JjtgybagDK)`p+Qhf%jTJs3%28x zVFt&oZ)S`@#Jv;qJQeIwt7Q*o@l27+ujJ_y8hdUP82v1TcVhp>(LK`rDQv4}f^lGm zvuo=u|I2qdOZ1fr1sn1P;}Vb;<;#XrXXN;jV&h-S5XuZtyy9Vqm_v`S%>yu`kg7E0 zzWZ?2GxPRz{nrEc$Xjb5`pq8-cQ9y9G8bFJ+zG?Gcc?|szH$i)frvUWYoQTXN>&v+ zfXp?fVfye{5Mj!RhDS~9v=~0HPIvUfL%2)p@Vbu?VK#}3c(CSK(cyFYzZ3R`O%v7E@;tgi&291{eS7c@t(c+pg-A`&R zqt{}U;Wm0?1w26#x$_!9`R9)rzsYH0wWzH^QRn$l2a6O)Y6@4fq)WQrXnsh$Qk?J^ zu(Xx*0_pvRTDv*lky-*;v5hFRI4NJR4vEn%3zB*1oD+qw)fw{Xq?l^=;G{hx?(ldN zLQ<9=v@@m9atC!(0dv1*ithQK_pf*hn=TVG&y2vS6%5h0y@~vt1ddCOOs*>5TuCVt;PQwuKA$Nb~Pc|^MPWB zbC1@US>o5S`032{Fv=GeZIyV3sg~kUqmgnB)LlI@1 z`2p}I<@O7Y3xtCyE#|Hxpx_|p`_qxV!x6(y2m^2B{P9RQnF;?U&%>kbnUYU94Z8tq zEraIAq%=M3mCR%&t@oBdjBR+EnkxDJt?9webSf&2#F;@WMUYUa;-dn`Qjn!5vbL;5 zt5SCJXehG8!{UbtC!NCCFN{3(`oejQB1QC$RNf?pWWj~dw2_Js4cRBBxU2QqhJxNI z^JE6ZR~LUow^$jtOE!1#s?O4K$n{KW-S~AR+V6zlPwroG`4WWTm*xJ+;gr<3u@NgR znWzMXgkOzS`Xxsp;5Rn~1Dc!GE2%fBZQ%b!wv2$lXeT@u9U~r%Zqfs?Nr{Gx-6|i} zbVM^1TuRiTb8|eDg~eP+z2_}CpLrzzs*(K8>=#JwTpXt~1@+6vRwGzVG&p<8qJ1q0 z@5N7h-NN+GkwNVFN8(ODJ0$ORunC;A=pj*Uo?xguY@W4t0R7jSMBe(KaboFkDi%T; zb3bOz(MQ-{SR21UH|TVM|70yE``hZ&9i!a(bIoGCr%bx-FidEuP+-NdKmAFOS7K#l z%7aRnyl?`&&S^J7U$Bs`kCtUQr!5Gb!f@utLStu8*J_Egl-kNW*WLC0nP~6MTb!2r zxC3{&ru|P?qc_ux;%m7h#uAm{)Hbmw!;<7%HgSi)1kt$3Xh1pGO`jDqD}q;_nShE zvrCCT2j>;0ounra=P)!mP;M&c>`hO-O&HHKYoAI=;bXM)+?Io3NO-x(lbUu#```<-ft-S#@|XXGjLiCfa4(^XEL{OSKmE}k=M3^NJ{TjyBl~7J_UUzAE|+s+Wa>_ zadb*4ZxraKyn^?sVAqEqt+TIZ3X=8LE`7WRZkt-`FyKpT^;OP!)j<3M13J4qahP5zP_j^rcek6lK33aY3>eh zKuyiQ0rBYV?)ND|&fS&H;d0-hn=i zpE;T6oWbVcK)Ydk4V*d|q!O(Us$c7)DJxQv3UX*Sw&0_X+<9`KM5&i$K5rQ)r!S4A7b$q&7??P>JL`{gV^u#o-*9p6vX z>+F$)jtdx3I0h0GJ1Xy87HU^&e>Ni`24ZA_u{5K2n`8jW;+~Zi(Tv zm11|Kp>8qBwjk`cf)1rLd?d#35eBT`i#KGfwxsw2cFWwh zp0aC*eYbd2%X_Cj?#|yrZu}_7trvSaKU>ijBpmT*!ebmdRIO5)Lzf{ZdvVuejsK=2 zp8#K@8E*Ef)4h?GpDxXD{QSIJBxZJ`16;)eJCP&DKC)dE=@d`PSC9l>;C-vC=xcZs z$0SNR=r@(oniHbyZ^`F7_e^^+n{eN+Teukys)bV}H1{dO)n{3>lZK=I-#XxWSmYCE z`|E4rYjM=$xSvjY==JCgN`Z(QZsZ>8(_kb8N-v~0AFP0MgvW_J@jKniV8<JD}j8>QBD%fv4D{&3GJ{(R4lTx(+`9P}8t+gQ&|7i^CiAwELs?}o~8aPpf z7P+udH$Dh()D1~j*ak|iD%C1ue>~uUb<+wjV~azh$nL|{?Dk1HGEW@G-qeO{yNEa4 z6syG_k55z3#Fod`{u}n%U3Ft1a@vST zYs&i!E4pj2gR^LBo3>!(>Z8YLCRJ$GcCj{9FmvA-M`=oB;!ibM#8Q}OM|r_qD< zh^M^W7B8rH?~iiTk$v51#tHvcih}BYnK!f(6esYKbWVYfpyY68#l}WCqqC;oY~3w- zKiD~|HC8`pr-k;z=kkqyJiEKLH}xmF zTDbnY9PFX*l~%9pvEJ?qqn4f4e7te;O}_6Wj$pbld|@vN?S2=sb(Yuy-D1s2Rv>sY zdHOI=ciQS3%ALk0V<=X;|FFjFkBS0>!63PuPuVY*bS6+r z+7Yw}?ayHEKOkI8OxUqzZ>@T@Y#U4q9#25_7KSM9>0=bX=#1m|Hgh;~qTm@4zV9+< zotT&c@|1#SN4D;VHHy-A^n21?7Z%ru#q3zdbMOISey@G>W=JmCRZ1a&gcw74&@VgO#L-`X~2g z6kY2m@oxwuM4N_ZEGf%6uvOQskIl6@n=wrAxvHVDvv9TSXBUPF`>X4(AG|gn2WMfI z+TzEN1B3Ob6+2`+NrXNoopPVA@~2+RmhNf+4x7dkKw>{+4WX?oa0OU>)c4gzS9P5Q zxNR8ou3oiKfI?KUP?^blJj@@H)ts6pf6!)|4gq%D4;CP!i0~(Q#p7{ow|-N^b?<}D z`2`-zh?IERQ61!wmN)Wlz_MnlwC9E&Q9r(uSqk2LPl_md(UIk`xe)$7eQ!J}=xrIVo1q>?vqBE0N|J89ynS+&Z{20&s%8 z^0nUV26p}u$A-2|4vs;gFFclp})SytsHNug^@C~QO=9EC0 z7Ah@*kZljZbk^STJ{zR9R~5J_wkaCSs=9iy{c~^uswqZIyRCC{T5%-TOBjB1My$~L zH;t!Py;f@h@l3Am)UCqJ$(m337^ek*Nos%8Z`hb<$}aA8N;k8ta;nvB2UwjoC(KR~ zVqNH0VaWUdf|yl%5X{jaYh#8;L@BL2skXj=#O(+8O4FSLzx(fjq^;z6SG-EB4}!AC z(dfS0fwE%4EFZzODH1B>CdundzK&3XfKFqZ;po$&Xr-IZ-zZpNv5Dd&V1$M7a@;j# zpgynj;|G&OlBIc6g)g^TH~ULMYc<1cN^ZX6a+xFW{xNT;bl<9NdlOEc5WYl6D*%v6Mg~Nyx0c5 zNFMvsiD=^8M8wlK70BvsS@W=l`JfkMsgk!0e1mK*c#Mx)NGKAFV}ddisgYXjqReb^ zd;{J3r-Je=3GH=JIzQEV<)54}4Rm+$<~EPw`cEYaP1q`5zq_x2Y@o~dtko$GGN;eDsG zFG5l?!g$a>K(0w7QE8^=o@7<#K!!+D)g{Q6H7M?x3(=Wx{`?r~anLWVsBkBQmtSX^ ziiVMuIhlGrnAc&iomSc_51@NgZbr6x}^f8-288i z3S3u3o2dG=Ru%!7&3^b9zS!T)1|U$3a7;F*PE{O*Bzt5Z#3|pC2y*cTwc&ON%HMI~ z`sp`5eD+8h-iq`)E5;@Ou!D|6gfHZnFoKfCiT8QkojPYrK`VJPw$p=-Pnz*Qt!Ska zO<4gHevE$=k@x1fsPDc(uY0rA}yz z6Q&(K6=J4EQG+JD_}b7dDqkV1k7(Lp4{ zP~PP=>xx9O==CIP*z()2g?m;p?|yQ7Pw)Y9Bia?m^uk0yevV7QCsY4@C1iImFh#V2 znatp_lsH&m|EB-&ao4!Iq^!E$?97slWuWvX%H`{UugAv-{`XCxg0GnO?)(UQ zOp{?S@!?m>y9w-9ik~C+g@%RPX%Ae}P0C6fr!OPh%mkLsEo}s|Cgky~VrX#wIzg6~ zcBMhwrE`ZmPeAZfxyS);B}N}Z{B1S;Vt{6ZnZW~hK-jc~W{B_B%uzCdd1$_t4OO0- z%sc^{FM*-dB+m9@W&0`D=tPS3g3o3G;$4Zctoj2_Jd1{TS3kdJf0|jr*q33{rFc#0 z^LRzHpy$@nE@;ZM!hfenJxG%;qV73VstR>#y(La{l;NSOo8D`je&Y1U^NaORjq0lX z>5Y;aefODy$1YauZanU5{AANn4- z{c*Z2{`>D%5jj~b61)K)6gD~v_Cr(r9> zc}`sNfYT5_Iqqn6!OB9FH`m%Q|0;IiqyB(S+t@JOudQk~+r|Wnh~9)iU|_GWt-_oU z?u>iO)q<(9gjEIjJiQgvF>V9Vl#f=DZNi38mx?bPqp8H*R2>#O zZY6wr{w~{P7z@>X=c$4*r|k0GnB|a>>8$V@i{YKd-_k_mi~?@%FuW%C-91H0hk1~F zIg-kD-%7?K4zwq&QGZ$+Kcxs5PP0N14gGNwa6*h6Iu((ye`;@iH8C+k-x}!FXApQf znqHup>a8%B8avB$g}WTinetVm%&h3XTPk-RGo#w*y&rt*fE=SCLc=PUm`U;A#KFWA zm+p#6fmfNtE5!N%W7jvi2v=K^-*F!V5Iu)xgzJ_qqwdHU&P7Rc?U z=s6iv8ap!tyqjs|S;uEhhm)AAfT0ymn#p2msC*H~=3?y=G7k_Ky7(y2{)H*Tzzt*< zs7kBZ<<^V3J;$7V4kWuKXHE)>(=$lub>`}bSh}6|D=erlopR(`-k6qw>o7=3qqj0R zsG9go@56CqY9J^{RJ%#oH0A3(Xv91Oe|F!oxLB%`4+#YJ%8K958T#EMszDmtAPWcqULbSZ(%rkD5LeYw z`lRT^j_CG~qeEH(&1^OwyJ6-}G=YCvQYAyDgN1C^%(5ahJN*Q-G0uTHl1~3&X_qpU%SpTAfTKEP`UsxxiBUB)h~>{GJtx0X=~=IAq2h@tPRg=c^5iKvuYOR z^5G(LpOC)&%94SD>*G;Ico*aV*e+Ig<(&hR9cwqv!a-zDh%S|b^1|{|?13JL`HPk+ z?2ZE|ZIs9TKqi4hrF!khKt6NGRSSc7%CB~nP9D`Yt*vI!FS(!6d*yw$9;avQBvsj* zRBwM8@4jz6ROBV0ceL*!SLEoPuH5hOM)ZP|mFRtDKuvt>0q3<-bJ{Agd+3D?b+-4R z$F??jhW<_f)If$#WietW`f7eD?Xmr)#UtS{1_7tBH$)!A2iluN^+kJuTi6uBK+H(L z8mr}E*rSa*5H*gGJ^y+mD52?jEL<&IR&wL>!0ot4Abr&eiF~`kZ8);BpzlCh%)ef| zvcd)8JjDZ^x8WK}AK)V0)URfIylVwz3b7k^OJe&mjmTnTp29O-l#jGQ1~^|q{Rnx$ z>uRe|EplTRW#eV$CP-wEa!*f+9d7Mx#T#dd?a6y4dZz){tJR8%`|s4o?B;joPoV5a z+gcnFSk_GWl7+J}UOM#Tj7By$C?0N%@fxv5X@7EFXsQ!g;py;vix%;#PFx=Oxbe0V z=h>AyI`EY^UbdAxt*Z8Kr&UclgbKO_U@QYmty?YiblF!wtFVpye{|UYuF~CynNbeaEmXDvWGL@TlW`ELYx9ils5kStBB5Sc3Tb0k{#jBLA z*x+?>sP)mc?@&_uGw3Ni*Y*)e`v+8ye*nB2HRC1M%=lS;HCUx-GABXpjMI=d0~7J= z*)Bv3sCh1nyB(Mt4pqlp!_WXik@)OB+SGU8*Wc$-tGT0<9YEC)J4XB)o}AKPCzism z*H^bT?nd{>EqcGWunEi1?vVU>d}Kvq7!`TXP;qsqkH2gpaA>0N+=9`_%ij?EK#Plg z6Qc^ZSoQpqnxE=tgH==3yrB20(0F}aMi)|x!XZy6@4eT-M5FPb>kK+%-7v95dGv(1 z>ldhnoxZ2C&v=~`-EaZU{RxsBCFtYr;E?av2k(&mqM!U_cpPsvi4BI%3ueNfR03+=Fx#nNp0KR{tv*id!f{ix76 zEUMqB(Cmg2%a!6jVha_{n7af5q3X4g@44+@%{ZR#rOw?lH-p0qDU zm51ID6_G#qfBdM8)%~z@i2f_P_6DO#o7MZpvzs`c&i5^UawT|z-q7pp6VhV{%%aCq zOVAk-92rlz@`V_Ajaj;&)MvFo+6cQ+IXKj`qUq~;jOWRrEwNDli{?^KN&zV*f-!(? z#|SUg?be1L-9FqF4$z||3uIQ2WwL0}vvR*&9P#Smw(zTZ=#h#baj)jHlW~n5YGePh4c--Aj1K=9d}6X(@+Q86Ma)c zCSZ!RF9^oH__1jAw^QT?xBuZJwr$WZExpoc$MK>kIU!ekhY!2I(qaiU!V2lJPwMzV znNu_C&Jbuf-{y>!F&2EI>Hbn@s1r;Cg^vhQv@6V`-ckwuT#L}(!HcT?x;#U&-6X(+LnL;k8=Vf}pKA}jL8u1V%w(Bg>=)Wx2Ny_zsOOFdXWYjUxZ6mP zS%UKFtSJx!h#akv{D*IdR3WL~%7*9Ll+CNDO;>iIWwnh=KWeK3T5hCzLWdrpVwZ0u zy#fMn8y}NszvteDMkTE|$XN^f0aJwC{&=98)(3>Yo3}r2oH-limT=Inzgm#4V|fRE z&9G2an{Oq}dfjD&519etL1`ZP5`I@bVr1Bgt}X1hc^y+?-1soF<4fGXZpwUp4>db= z72?l!;<`hENU?P&tqCQ=Z}L7)e}v>$K3e;_3;?FE_Hy{TFgs$ZQWr+jLv#oH`gjXq z6F!~3f^WPNa6j`qy2gl-p;za}_SCp5m;^0}v zKqXYdeBfvxC**iKSs8sr%JHiKv-OrWh0)edIo>L-qJhT(cgMTKe3$kR4LKaIS7$G~ zs>)rb6y2Q$Q>`*`OYp%_@>8ok_L^-)1mwL62c_qOPgIlQ6%DztQ?BzRAg9>={#?HT z((%LxW}gs5XOO-~usGt1IsP7mLE}sR#W)C^DdN4EScNHBXyPg%Wqc}CcLivFzJs>b z;!P@@TkBnAzu67=1S8G5i$lh4^>~6>LNvtB_yd|b4c<*A+q&IA7*n4Ko>x35oMY(v z<{8N-N1DRX-@o;QJi39vv&-X{>vaVKOB!c+REoWcDK3edgQEs zL{F-YX)n(me!thy`(n|4dvw4)oZI3I6w6LrPa?F_H-A@-`9N^mx8=!Qz#4zRE6veQ z^e_uN;wM~9&x$@SPVAfIstCXA|yS0*WrS@>@|i-d$IhHLEFks|F% zW87&4WAMYMi#tC%_fxPxFLJgiQhEFd_ph5nUl*WF?sQ?P*%H-B2sg2EEv4*btbr5)ve(R5kbyOZ$6%ThUL{ zDKy`A`!2J1c24>oj7paM(mPZCWoaM#+Af{j5#8ApB+@5_rgIJZ5=yh4x(=7WFN?T2 zZJ&`kVpG)JFzeQ|P#E1f-1Q>xR%**bYXhs4@Q(h2^SlN7Nif7TE_|&2YDOb(wllpV z_wuy>MD(%QQEv}o=+nN+I|h{owTu4iQWp^Yy}9EN^9>DmJ9WGZU9SDnd~gSGC~q4^ zQ^19=nzNZ+FXU^(?ZTTrZ?C7~f27?>#_Jtkn%`0< zFt~P$%N_2yly^nd&^6VCO@F1NKO_Dk6*n6nakzg}*UZNEDr%Q$McSQ^!8y4fj8JZOizW?#lL9d{r55WR(!gh!=S4en@3~<@9$* zLp$p_S(kF?$}vkj@K~`fdT3A@C}ZH>IkY%s@X5Je@EY<-#^K*+nFI$hor z!U~L@`0c@EO>bMeDWczLw`OOhIJ}_PQyKJfEOzg%adWm- z^rgj9l*2H@+|DyS?hw-MQr!1CejEkSM-7uj9WcEiWDVP!z~4YgoHiu=KGX2CLR(g_ zx#@(TT@RsCYr49ESrEgR*Qi!Bl|aAO-ezF$dm5226SR={^>A1>gvGzRiNZ;YOOX2K zv`eMQlP~ykY3okEMtVX#u-= zAkwwO&8m5lL?2Prm4N*L>#C*a;@u2S$|p>a-HGaj+A7EuY$<0M3v)=(idloTNoKz-kB(19no z8Z47;!S|eRdipbK;M~0>F*L0bMPuVS6blHZ6S ztE{Aq)>ZP-h&@V9q2{Nv1rYk%MxsWIR~Ebax`Kpvy4i8ZBO$FKzC#lMJt`oUb#n&u zeuVBW;fy5Pawnbdx5J+!XMhjAgWK-uBdB<}^Qwuz!eQyc)b!|j#AaXcN zP!Nk9@?Anc<2YWw37>oFz;#r`io8c%->;%Di!NApLcpo$eiyGQ*jXP+%Dy#*b@fL} z(dwb*d%Pvg-cQK*K8I_o3YfV4T>jb9$z1cb8en4O7XiLJf!`|5giP#s_9`Q4o98pP zivaDzerZ|_#et1^<+lW=BcK(L5q4fBVjO9iLDKVL zc*n@?pMgkGiUFsra0(fU1&DXO^Z`7+RL+b|n2s|bPFj38ko9cAzgh39VK^HxhV-fzJ^8OO853fp2{}G~!_}K2vK&t>KNm&nJB^e$!b-it8Bs$`i|_WmC=}E{E%$(CR1a|Nh8jKBE21 zQMwCqRh29ew}afSWFg+z@R*j{|1Ku=fB5%h z&=ie8&-)MK|6lU2{_n0=RbroY*;v*?aYqTHFCXNbNh<%r688TafFhB|G~3ORet%k2 zx*CA9kSU-E2SlY%>3n3ae~;rx$`^(WdaW9Ix}58_YS%qzqH_0h-?oV>?ykOdy7t$R z<^RJ+q<1Ghp!O!ubGsTdO=)CCh)kMTz3>HOmvx)7Z7@_+5?#erj;Ew!HlzPPd_{i| zhxAd#)T=|N+>m=8{;om!xC|EyO;$qO0Z9sl`i|4l#KE~*h; zQVnYmDLRyCYCeKLF;jXP_eB?|EzxU9mMruCrrer;efJV*n8|R+3?co>{mo67d@Za` z=oE;*$8%@R-t+@+hQKrS;?IO-YfriVDQuIFWr`H{_G%*d44`U^STf(lA22M+73 zAW3SWPhnypS#wRi|k)VN= zgN1tV1lE|8`SvyxWNMGhd(M>SopB1z7&CkN4IVY1$PZQIJ8}e6GaU#E!ENBGL_6hvM z;q!?CvDz`mGKUnb+*QJUVc!1?s2D{?=t10elV;PoibOgfy^z_nFiL#x6XY)XQHR;; zGo^__x4hI`^f&@it(n%BW_mC8V5A|gf7V#alx8IBSStk!a0=(xdT-q=v z?ns9Tg<3W2+NH0X&tI3^;YDuUuU$}&b&+uytS#^Wd;mz0CINigUKSv{4r%$L0N%Gg zcu2MgWr}}Gy13C&S3v-59lJ>BleA9nNMtHIR>0(P^1RcBP z*nJWF@3Ye;0M5^@zTb`>rP6xD#-8nge1pfS8_p3D z0YybJyQr!)kA<9Toi15V5QFk5B!|)-ugAfE3o3??c08O1;GMf5RsJ)T+cMo(YTUwL zrKxnQQry@k_riRv{39A`*L{aym;p6Mq2C;dFrylg@ePonsi02LoCRR$cgO)`CX7B! z3Z-KP&5?el8?q*aP{Vm+R0U?KUmD4wHCH{GiuuQ33@AF?f$>=GaRd$ZyB+QrSNSU1 zHzumvZGHsnNGC9V49p-nh(1Yr!j2RJ$#s?EkCOVIT5L}&@$#Z91YfG+5Oj?ZDvr(E zYP$BD3hj$FF|uiwzv}GS608bar@pQv>vU_}c$Az*?Eg#b1n+<4?+`Me?Ei7`W&g3k zNhq`RTaqlWk@bJS3;*wbM->Gn_{toeeA0zpyOb?@&U3=$`S;u=kA0-Bc$5(2$U)kX zPb22+#C=hzz6i7Lb{hLwfVUHws}zd~51D5t81t4?9XH;{HnV0C#ND+jQ$;r&8NLY5 zs^--HrQTQDBpjA6^M1?vFmIvkC|0yg$mIFpY%ldd7GpVb;fM@1$z6I(t!NGH9wREs zb1`K0QENd}N90PV41{7R!NIeO!+drAYu`wAM;~N+|GE5!GkN>9nE^GBz}4g05^3%t zYbm@NtBkTS%Jb|S#dF=M|IC1BTs|}c<-T>!uVY9&lY#epkdW?kHrKs_g0Tiq_lRa> zOoiwzcZLtIqs^awQX^Ko$LVf4*ALaKhiQ}z@kS|4h_Y+0`-qh`ip9259*dt0hwa%y zH0MDPCm8ccvjf~f?*Z9Q93#K;U)P#XE)yZgc7O^&2=%|qtOR4D9(xhb*h{{4Ki)BJ z`n@;y>4jD}ZT;$v%*=%iG^`JVs4(wkQY$9R$Yq_K>e04Pt3onMvBBpj<=^!7C4wK! zjFpw~A1%racQmA66z$)CJQ~7>N=^InR*PZM^HzUSJ;#rRA|;6BL(}#MMh4l2uew%j zTjw=6dujHL3|@1VERX+6TaYp$tBR^lcU+vag7$;FELF6>@?* zT@3?FNq3QKrrJA`>@_XhUEAO9M z|NSH|(-C&Vlkhr7|KFXfg6U8=O7W_&R>+{GjDv8|tmEAy&n)bVs}PJu$AvoH$tS8P z)r+BGBM+_V0WDpz|F2{QTx2rCkj<4~y;`H#!jPGjsIB!6P65wU(`5{VN|%F6UV05c zAq7*YxBlwAw1m0O!-s`l3(Zn=b?#>Hw;GP|+&5 zC7X2gyYD~!>MTB2W^mM+HJ;J_yL0;a^=ilrlpyv=6A;A38T9R-G*9W0M(ubcVP$(> zxgFE{cEH&4K+BMMl|?e1@<-!&?CQ?!CXeOL@@08V>U8xZj)I;_HUZsCJ+?hrqqTO& zkGg4!tocS!f*nbBbEt%zn!Dz&_kee@-L?4*FU@k47$h460q3UrrdQIsGfdcN0@>2c z_zr0S-n(2>iZAG_9V5_x;XnoP2)T*;^$y6m1Y}IVPx^Dn)kLFjh_s6+CPHNksp68imI zq?;B>5gdK)a?1pV=AX~N04}U~wd{J`RC8&(a?>@s7-AA-#Scl+_V%A#TclHl{ zLizCI)pe_>T4#=3(!HjFXmOkuH2YdEsvp)}Tax`)k)n|#fmrx%^Iy!2>}Pgnm7rsj zl-9njnUo*EG7|w!EP2m<<^<5tgQneH*IHVraF*;5YMg*ECbn?>F&5+Bw&L}+#LtQ2 zpQwA>U#huBL(HhjUlMx%t-CFN(s5PJq7kngO~SBUJdxd|?Wg-dHI0AC>p_;R{Ugc& z+4C6gIvMPgh;!oQ7WPumip0`>VTvbSIJtPavi}(WgtcHm@~N$J0jO$gJsrF8kHnm_ z@b8m);x1qIU0?;}ZAn+R8*Opte4cFhoY4@GVY?F_{?)cDp#{F-+)Em#HAgyoWV4Zu z+KvH6@6yu6a)}4?HvVZU<_GE&vOl}taFKXVJ^6g_%kA!<2dc3}&_c;e=8@r-QX{k- zFAS@EsP9}{h)Y-|w9B{so7*wal6{=<&&G^;RZ2*S6AzCqdvz%mp3w0V_4P_~nGBd7 zTsQ5u<8ofDvyhGd@~lHRPctWz;tWrt1R?mg^OiJ$;e>*O)SE%>7h9uj)=L%nhBZ!p zHw3O)#aU|_7*wwBo>pnTx6Kg@#s6ol0_ppICW_79wnrs+2YXO7e8&NL^_0%>VN#7l z5b$v$HZqb9@~kt6mJ(f)n{9r#Fy6c|#vr5hxqyBnl?q(efwTe`kye*4{PpMB0*-`alf`dsse z%QeEp6Zd`HSGb(*740n}0(WEr+ki1q1C@fMrDet&afIa?Qo0RrEG8et-IOHHeL>Ro z#ohD8r2$FDTc9p$BqoSp-RlJaVs8B*b!n771uGV1bkYO}d);=pbya}xeEgCo3|3JJsI*wjvc`u!(b5Dv zOVqAxi_baH@GTR*ZqfHXUSRl`PKE3$^iF#}2Y80o%rBfQpnJ_fS-ZLho%YxQcD*I{ z_Ny)Q&lJ#Q#MT%@?p|^AXS>3+=ALcwYHO;tZVLAj14a6S)RA}IXNSPk$l2*R*JzV3 z8Ya>2GBfP?ZN-+B&zfU|TMfvZZmkPTtc^l~XS2{FfNthNuY|It91E%E=ZAM!Bairb z7BFZz2>o2F-t8?8tAbsSy#TZ`qI+ytIA?Mnqzzb66Otg_IC}okI215viA-a zLX#gXcEb`>a}K4E%tAfgDU!RavNuZwc~@(?A4I9fy~{y1TXecM{Zgp@>7Dq@-mS3= z?~dz(W2efqEBH(Pp}{ENhOLofcL7yj6h=y5cMkf5#DHg>YAaq>{|>aojw1K+9}FU< z(P57_HjIUSQt|t@(xMCI%P}{s#%l5d$(zvc-KUf@s1TfH4lv}jle!nM$M_+CMQKjp zY&KJ{x+d7(kxowIJYYHv=-RDJ1`}65L|uSdD|NH07QTnXkUb>ige(K zQPMKA9Gu|CDj3;?Ha9O`*W-PNuy?o)hc?tHNmYh)3UVIL%6v1-ZXn=ndh+Atwez!SwtL2~Y9xASq#_TtknRX)R_yd#M4RiXzKT@IjokjqsQvIaQ?j%V2(RHX4&I z`ke4@si5&QKQIS%{#U@Y0H!wu{a=28{_c;Nc$hUmi#$2TC+0CnpFZUI#RF)4oWoqa z2O=C5n5YgbcAe(3d(3vQ@b*bPBL94DKn^v5JN;I#5(iv=HZ0hE8=DJT4+Z1Gu}^nmZ8mZt9Hi};H%RRQVt zyDJ3C=JMA{M<8BU#_ZUe@C!(r!{0z`UX`-<7JfUuh5?($yyOyo>EoC^70P94Dh`~V zXU!#73k-vZN(F`R^-gfqU-~x`SC2qfd-Z*99z2mxjX=8Fz<{nbU$SMju$u{xQxH*S zdxQ9Ad1rGuW;zhE^>$_a5S0Gqz;D4zktI(KmfPW918j$)MspNimee?IjVWoj`d1%} z9M4#kTNbLG5F$}OPHZIw%R|NORLef zWRWZr!})1P%^B30D$rW&gNSQ@TNSOzYT>>^@M9+~05`U%^znuXiotvIC@Oqkf06fE zAtruF;BEiauV}{Fc?7GDwPBrh`d)5E4 zTp;iV2B#XNPd$ZFF``~I>VT1-74*^A{rf_g@SR+xOqHqY?j#c_u2jMbav!k-3`g?x zgP%rr9oN3jg!4b_N`54fpg0`Jf9HBY540SK?FX(ul~KJ+)nAGPpQ-&m3t?b(Nc5gn z%N&^ZDQ_m@clw!66VIas|L{>i4%uaQ^~$WzUC8%L&hihkcPq~Rg_jzTPZU|UTptA! zRHKP%+sq|)&(+gV-3+1{+6@^)AYYKEfICc*@1?Tha+NfU(IT(dwtcH>$ zsdCuN&)U5vNm+0o^JoyAy#T?V4B-tRb)ur9{`?m{sTg3~j_RnixqWV3XqY;GC?mm9b@wUV9ECuIwP0nF5N=D4Ry(>kg zG5hq&RTa9yhfwT2KANP-{b+WAVpYn>s=Asyxm(*5q1=H-|l=Vv~u1c_3- zJ^%&+fysR9&T-UXvz-`7KJhqvW||G3iWvQ|3lA4x_`tGHHip|7!(o}gN{`|uAUwQA zJdTJGB^8IzGs=v|UJGwR2&A=x-huk1y2n^(03e#G9i9r;I*N~~?LcJ1jsXp+9}pS8 zTm7oezW|(vK0vm}L8(4(C7b{Chb9<%9g+GRZk?!O0Z$WR0jiNo6gp!`{)PkbnQtP< z&lNdFfB)!z6QELwFlIsf4xpbeCZZTnz%VU*^BM64%quu zQxZeob`EH0@F$U93V>iEP6qu!<$pOz$V=6v66Vx+pju zv&4Ds&JZZyz}aZ@oqIiyN^LhiB#l6!8R#_Ty`00OczUDGx^4Arjg4z>RBtwlZ!ggz3dHj(Sub#_5lf!Tg>)FmG z^y6m(g9;6O)Z~Z1y_KErUwE7jArA!6ShP#ABV+PlgMg|BTI@jq81xwi@`YC=4<|oN zXcI2)kxV4BH54PE3d4lLSYy&K} z0Rvi%aeCFKM7Zt@(E@k5s1;g6sOB^XSwfi00skRJH;tCt$vBNU#RqtLvVP0Gf*3Fp z%%d~X@(=kIBJr5<9xmqrA~0^1r;Fvb;>W8NMdr0Y0k#5`A&jbV9{pvT#m#^cNlI8q12_Go~{%B1z8L?5562;$K;?^Aid~$&^>UlMq?BT%+u(mqMDa{5F z>*fn%5&;*7>hR}>XhGsrwRV{Se*E=wHjcX84u$Vo*uOYoati zLe}Z%I8-!w#dcWOdWi^Sb}jV*+7Fz&$G_=H*Og#SKp(wY!FyazD!5hu`8T$89%bzB zaI!PC^BTlbo$SCj&Mg#&5H)t1*pJfW{6FI9trfg;Z>^*Fx2 zwc2L>-LIM~r7De>!MHwDto?V(LJ3a;jjE4ck$xJfCrGMT4GuxRdK{eVEXVj!Jlj_( zYoJsDAHEXJ;$eEVSxF8v-SJoV>tZsNGOvH9u_q5alyyiPCsH!01EL{(yjwxU}Y)bg!Y|o!}jtIVf{hnki zpHM0cm}JZKsp!_P4S)l@mp!a>{lhpU@;j?|TS*92s02Ap3GC`x5@MR(cYp^(@o{EM z#X~vT^B^2EU@~$px7uNIv2Vf*`mp#Uj<5^qR>*_)K zJGizJs7jQb%Io+xAX+C`LQ=69B1)+()sWu!wZZ+y1-Hs6B|1Tnwtgs1(Y&_qX+FEd zkttxUnaSzY+Uid~C=n4PY)io|XQ%O^!trTh$44(@Ghw$ZeKu4E!Wu?j!}*uBhI>vb zq&8=Cr!;eF7r^aFc}OvMRzOpFyL79v^8ESpKvTJ}TA@Mmvz%)Yin9GFA#QfdDOR(o z$?vj+1}xvmre5ZtUn`|a|JZhaxpG+-wyBn*V~Da!;fHk!j2~rxU#wv-+a6qD;^%t^ zLAO`k5wWex1h=nVjCE&#xvvBerSBWf+2Wp(G=Va|oALSw+Tk$cRYhJH3~hK5*ab;| z&-gnSGA6P`qaZdHcxNf_Uj_Av0lR{-w!Htb~K?zSeRo3D-K1uyYxImI<}s{sE$y#Pdy4i?)t zK~NK|{!S|kSJw<{T+@l)BQrCz5yecv!sLY^|$P5X=H1H;LCyvA7 zrF|g8{)O|YW8qF9H*UH@n&2Nm6ITB;*o6%mMYhl|r*{?W%OHg_eiab0GViX}g&YtB z`peT}Z>&NUmZ1z9(g}CqpkN%yH49*lk-OV7q1Qz&>ra!|NEd@^UBU`jG%C7jI8au3 zv$wKnhoDRN$+bM=$B8+|u685TGZyJhMY)6_P`qSkHE#9bzPbq}^FBULZ?HynZ!|;ZrC-P<)!cXw`4}GFu zbkS}Fy$PfGI*IPXi#F!UQJkb;s#;hNdlcV@RZy)YIrG3f{mTOk#XIUbgW^SzPH$_k zFY10Z^5lfCVps3893R-_F!sDgFI7rq-7>^31v4tFHwa@H@hw$gltUc;VFhsKs3i&{ z35OdU29sRq_eD?TwB}!qI@0;FCV-ZUv*-BNp)w&Evm)X(5W(mAl z27tQd8D}X4kA0R|E@>aDX5}F*ttkW-@^-AW%2RU#U37eCQpTQHkLfHAuuHE=*zFEe%;0 z%}HVXhEC;Yla%wct{N9-z6+4ny%W<)e@UtvL$4%CvU-GOcrK{n0}}B5kjlu=|SbI$H8gCs8u#FzVTeuBElleDgn~*+rw~=ko-*`xTzRl zZUnXL2*B#Zz}N8nv?qV7!|pWe3XIy~Q#C3cva(7DB>&00J++MI;KJbSXQ9i05kwc) zeg<4Gdf?XnU^r>ieYoFmpA^4os(Z ze(a`eUS50Oyvg=x$4CwGiDu%>@uHiQPn?cRAZX8@MNWtDp3+~Xt{8dX1`VbPB%SXA zbKV!6*9@A~h0aBK-m_^Qx6^+f!RI|CZ0oU~81aTJPULB1cZr>BuO(UveHQIqaYcMY zE$hiMf;kImz~ng`i1ZCI@Fg_>f9B2Tb#f;K)iioCGA!b$J~018oOQ<5>H&M(@%5-X zZ}W}J`L&vCjq)*5w%g}(NV961t)la()<^$FpfBSE%L0I;ctSFVO;U%Th4N~ zR-}Id)cpYy+r7I4lT)EH7Y_wN72>I|)ME*0&n$4gXSHPN|Kkkh-eCq67|2`OvDn3WX7<{k1|#WyTXVma8}=`((y zOL#=cATCh6@vVHALKO?D?&RBNgjv#bMSjJg&8)sgDQGL+h5PWGXDH@5i$Q%sRwe9q??%vYrp6`imff3JyM*W+yn%3#SQ|f2o z@}F=*ViEG-(etGUle4x=7l!gPxF2=fx3?Vmt1hl$jGO}i-JeeCtGq-ijki$B?Za^f zH#V-4GyZ%Nj~K^53_*yrd~I0XB`OC+@bPmch>`aJ0JnSgrm1Yfoy1-wNuzBuULWux zRao)#ZDHAg#Ukb1Ia(ft(8VPp56s^RKUm%R-#UBK7uaVaD^HC#ZYw!z|Y5$qg3;J2EQ{PGTXNo&NZF%?62C-T61sq@FB zEFb1k(n<9)V5`yT>Yx02d;NezX4bSENvM z*qe`6%k1ugE{nc|qVBeDt-`q@!YuTe);>d~EXiULYaJ@MNSWa;dr{E83%u05SD)pJg zuGT7u9s2LIt&SR8r6<1%VSmDwi1h;B6R5a-8H3cD&8L2(_#9Vfi#;4apI~Nr{#?S?m;FgJ zftKXR=;$lda3J@O(0RL?F-91<>qoVPu?Q3$SzreJq(6)k$P|=6uAbJn11L4{jyr^u zOP)jnLqUJ|4`ERVRX8GeJvP1kOyG2Yu)h`c=P>H{*NI!28&JCh=rXP$to{>upxK#f zr#-LQinS*!ct~dpE^RNseZ!ESBy~!cL-LMUvsx~8y>dHVh5tTojDGDN#I4z9Tk~_m zmQuo`27Tr%n2R;+0mAZVd1zcXXi^4)Nd4nw z(u^*I_nk`|!KR{=qXPN|sTKcUnb&(P8R61WoQe1@2mbUs^DeYipEbj-MrWZOeNc~; z9^BEF%pRVGU^c&IuV)ho{B7As!JzMT(^meOo>unjjwRk~NQz5DMADvq+n`+~T(~U$ zm#vF0zuP%b+4|#(L6|Z&Bk;)2LXOG#`QpO>i{&)#;{YY zEyo=|zTpt4D_CAA)kh8`ViO${CHsqo2Ue*ot{$XS`t*LA9;-@|^lCG{I0UCh0;Qww ziJA1N%V}kkTb6y5yC6pd;d1bL;kSWILd-W&K?L6oI>lf@!#_;={Zf?W3Lb|VYK1y% zj%(0ed|yitVgiOaS@v(8M@Ly;R|FnSXti8JW&MK;X6_Ha>e6AIeLh-|;YkMFvD(BO zAWjT~tF8chjIY{dB6@|$q)osBuf2@)DWo2&w z(L{a3{0mmSgkG4rV(9XC+{idDS&3r$mw}l^=ZX+$hxNc!2cCjjACDa%^7c1^ETpfD zv^m<{E5b|oN+k+A>a2-4@Z;wsZr5WXZMR7}=M&Jvs3 z22h00zJbR$&aq>)=>&4DHRA6BC%-L#Rxw?J@yG`7aE;xx#npyIFWfv&4l|$rCgN>q z4T+tAzKDw@BY)kfGS~-9K>+aJXf~P|{s} z@{X^{J{M9T4rdos5!UBP(1T-=G(i%~KL&E{uVbeLf<~f(twUfZSqw8P{^%X^@;33)M=w0t&#X;K8^LH+|@RYUNnW_lW_(QR6Bj z>6WMUVI4?5b3h_qKU2exVW429@6T7s69t~uQD(RozZP!k;DkdJ{Z3%PNqjhV0vDRb z2#{q_-QwwQjpfkvJ11*^*=2*rLL1W>J0mUVCpeSSM z2rjpk8u#>^H06f7FRpxJ3ii~@7MXfk)>Xcy&~Yxt*hWgWUPgG1kjUdp@o&v!I_$D6 z3i2NUUQ=j(|ONjvRSHbPh$wc~R1?F8w;4Qw=AkqN#rg3Zb`r!j@FQFP5iDAzT zBXA4;a{<=*FUlNUkr5QsRWW^|$J>(1nkpz1IA~rxMSgefYKnaw!ZbwKjAkq*&9PDc z*$J#nL!q7B4;yW8UW7%ScKPCSShFO$f^atiKJ=R$^Vme#@CkW#!A*A5rzz}59R~zC zvqb*pJ{6`SK^i8x;~{?R7s;}<$itbKR3Og+&sZ*e6!TF|LUauxqD)HJgUxu_anlJ;bCwDX!kP#<^fWi2ea@wIRhom;U2dT5}qU3&LyLFoYGogfMj;v zN#Xc5mWiRk9kAlT$=rC@MVj4RZ_pW(FpUti@%RBGdlZa12jiNizs6!gE|7YOF31uW=LzSE7^)KqJikfk@I=jHeDN?15IR*xk(d{*i}Xc?($70T%r<5t;y9@0R- zZ~v;Stjr`?cWr+IU@HqV(n=JVydkn82f7&P5Cppy7)h!IzuVhcCbz&rIo4QwB-o`7#9V(6vdrL(_?p8ClWt|68aeM$RfA9?UEELJ zFK=!ASy=~ku0$WhgjBu51cFvKr*zL#qe77{ngjPC=ktw##<^CdMdV?p>uQ5v01ySN=b1*lH^SU{~%{8n#7q?TpO?$sDu&0!+G4qjV)65Jo;UE-Cz#0A?? zF67}~_Dr_2o(oNjXV8p?ZA7dym%}~c_o#Z}x1BGTh%difh{ql;0!Zxz8W_ zN;RlYwO)^PJxj;FcggR=$B(^b19<9z^pN+>31X_+leB#^xA_8BJq>^2*7v^ANU%8B zS&n5qK1>sEy_`UqsihlFCC`1+V#=hm;h-FX^>G|gaB`S|wb(;9Cg#U1Fm*3FG)t8D zZ3++6FBQ1^VUyI`w7Hf2kN{pUfmj;5`oI*G?IZ*dUNZvP6RBe(9nK&ln=E+>nQ6Qy zqzS%{fXfB?&2ie@n^23o$E3oKXnPc`##~`A&QiOh-v!kV3D)Csb|nMNwK->1npSg- zX!fKee|FJyMF-HPNdaH#xJmH3gVgxR@_EZd3Z3lK2G_Y^k}HJUzUfYYQWto)XEis5+{W;3!|d zmi7|JK2C=It_Jp%(eKV_pDbbmwsEQnJT=A&LOxt&(k-g+uf^@F`*5k9e9=N()^S&< z{*+KqcXv|$1BCNgSX_Ua$tSw3o)Kpiy@ zz7r6l=8iADu9F8zxr|7Mx}l#23c6@R%4RcXSr@V80G}|_<*fN&nA`mm5zrS%__#2u zJtBLu)c*4Nx>d()cM&Lj{s5ixuZqFSG#DDE!R|y+QglD%;ZnHpR67`POSvkv!w;`X z(ctZ%skAAf8+E>ER-CN*37_rj4G=Q~ZNr*>DIg}B0nVLb{V2_H(R&S z%*?vFUFUa}I|^EK`Lw=B+DBs;Ni*T};cK-fXYM37t)$V-7A24qNJ95!k%x!KvB~Y4 zTCs6?nL3TPCM}se&oqTYPieo(=x|?nb?VomFyGL&a|Lb6j8qq`a>GEgcwS&=#ldH6 z$65Y6ZXxB*5@GP}{9GHul2K7v`YeF0ATGG}k%R2h6&qsM0xK#^$7-slKk>|&v?6pZ zQ`sPXotnisR5N$L?J0~&T)_Rp8R)g%n1qeLKS6kx$Hk2E5L$H{0wgoLM#lYOjA7&J z4|{Lcr;e`HaMG%xuygR;m;rP<`)o<^XiAKobfH+MiC2Yy1lS^(O>H<7+tPAYH*e(^ zh*qy7?Ro2(e~z>RQmPnLS8ZFKYF90XY$QBwI%hlaM(u(Eb1GZk;n1$2`g zYR-05qy|TScnfJAY!#Gf@c#@JbZR;z`Fwf)B^Ph+9MGRffg;3sPyf_HtF}zXu9IN8 zgO^y!q#%o-eV4Z?{9P1Dn8ED7YI5$F=GR~myPpxBvhG!K9p0NhKIhwS#N*1;+QU1` zk)tL$bEw}_sIgga*H`RnIfbPFSy&Idj=yCt={xiqG@hzSHw1Wp(}Uh75Q1k?7ko%?J` z4hHc%K$|bOteKE5{%L>y-Oh;$%5CWfaKlK9*mt-sJ|F|YmiyWSJHy+y-IM5~{Ow4O zZQDoJm_OikG*bdBXuG^?zTQNnVShDUrTXpfshTNlz5Zuiim>v5SMuA|{yM4|@z=)1 z+t0NOoX9G`!ZS9G9L4a_@yUGWfU?C|EaJG8qv)q!+Tidbaf2lNquxV@t+7BLe|$^8 zs6yrLbqF$zvPGy`qKU#==ZAPd?U;V*oPRqt`V8$fXcS0#G%Ack&05WkyDrkeXf;07 zXLMvFK%l=oJs?gIls)Ft<k!hn@duo$ zKnFhhnyAIH8H6WkfC*DB-Sm-T4~{6Fz|(XooG_67%i82t&Q%O@u!e!xS|;bM;>mj4 z(DbsSvT~%^L660_mFZ+L`QZYvBHRSh+|R$rP9Wl~@QWw3F zU8SQrn9p#DU9&g@W7Q|=Z;Q8I55t~Ms9DBF7Yp>kZ`&+_OT5XH-@gwGMO`Ma^&m;8 zOcQw9-Squ2afB3c8i`H`0*ZP}EFXPci2cGjuxGTat8vJRsjDA80qT6#v@=lAZ5IRs z<)k9$K@hNXmJ35>N7GWk#Ra>@>&Kbzv3rpIuKf~! zq9_!fDlPDn3w`AiQg3gs683O`67%PK?X$UTnKbAtm`Le5sBq#LG1-66P_Ja+-#~zn z4FV3OKOpiEFTn)y#b|)1r!JBj#Qh;^fxw=EHwWd(~u|MEW?3JdQ&qY6RR z|CYqJPMG-?^S+%9&k05GK%RRRKhc^bjgS5RicQN4!)+xA1}AQB=Z)FYROb4|!wt0@UPJK` zHuEpSOAqzn^4Da-$p7p6`5*kb zK?3;WaJr+;fnoPQ_<4V|YyNpMI+NGR%1Z49YIvR9kK_j4&A9^AJrW#AL7V_y2tI(GxFMXR}hGmw);F{m+)Y)AM`nS|uw#AO9Ur_c%6oSg{D<=|XvFj30|!4Y96Ktw2m_L$6; z37Q0=8^jpZN~uz~og+C5b@!`zwqR5^C3Pp?H1v}6Qcypc+xr>-V&gyHOc_Fq-sLFi zkbK2!xIuup?j7mOlW6c$I_{fl z3ZGzJFqkNr%t9q#iFo!a+j>Ug>XZzDo@x}mRVg+wd(G!IDL508sGm2I4aH;p*qHmA zMQf>NQBI>??_CcgQ;B|shDxS9!A#2;PLXDr??;ve@lC!nUrW5`FMvUT)ADs6Kg`&8 z~n#YY;QkH?r44((U_ zM*%BjusTORE!zXQG``?5T?qs3MiVKLKZ-*gNp>!J^JcV98y1v+_h_#0?e(-@sR^87 z225P5U0aBGhup~7ufu42b}s}0xQVLV2_j~Cohot3*~N7k7#KSI7HAIqIoR0?&+Ib> z-2Y^tm28@}-QHYn0&z}oHsh8lmFMwCNWeW%cW&$lHRP(c? zoS5|{DaTJMzr)>`)%~QCJDV}AXk9j>nYvdgsTaq5)J8XlW!rg9_G}fd(@RxnQlcVmRI0?|W&al z8NyCa*ReW5!nNpfcj)Mv-2_JP@w$4{!6IPVFTOOTAN<_=oFq%wM-%BVUXzQr>~Qku zcJb?^9S+PVKu5U`h|${yDP3fCsoS2R_E&%Q$n9t2IyPohGRp&Qf4Lz%o~=Ey`bFc`aIrSu)^tUVb}}Tf zuA`lmi~dSBjt&U zNsMa7sYYCYoxsi5`&er!!E4qS<_~?5{^CQ=a4PHGy?vWOGG36x3R0Z$x!Y%xdHR3y z_Mo^p>@$x;kR?v_+&2_s&o0%RRVVHCw!c!NrD4zjQWyu8{lx~r;1iN zPsDW!|KJ?q*L2 zCH5P-Y_@Sk$0kyb^2O8+sL)K#&W7t;U-`cctJ!!fR-)3*XH#o?&>CUc$rVOKbu6FC zEpg{|2Gig-c`$CF?2Y<(Tcm31d;BVh@J^S7RcF)*F~^*EljvvWS6NIZZV|9HZp5-< zY7`Lr`G3cR1Lhp^I%3N!2wY?(gmnvnA~WMHnB!gboh*Id1FVNbMLf4>p7+)`@BbV& zN~LSPLh^_DogIN}L1ulXf6l{an4a)3QVwf5u6bK;76x8JZicUsk)nX+4`s9;7%l4V zeV@}dZ&CW$!KVYar+?jwDenqw+V9q1vHsn4RQ3$9Y0t7LzsW#MG`atf&c+kyvf0nRVqoe#g#>CGrX|WQ8IUhGTzD12)f!&tvbr4px zX&eK1NW;e-H=e0Z7dni(c_9gtnI7F_`tc3=%aVzLZuPt>ujhdduYRW-Lvlva@WmtN8lR}z{SC5 zspXHE^VqsE7n#%}jqCPEw^7O=zu&q3q-S6tYrpx1Q{{6HnwOT$y|bA*dkr@Ff3I}$ zqDNmrZ=a>_TCDH;nsha?4R_tEPgy{XJF$2nQFv)Z`!G{0!A!i%{f)0AKl{KyzDgBY z%q!i<(_Nmdk7XUQ(Q@Tk;bgqVGB4QKfR27^rYLEXE$$@OhRC$DpOq_Od94{pncrG| zjdlK$yD7m!OWR)nrEw@ws-PP$)=mOW1PUN?GNV$v!4!D%Ddi~-nZ9q)5y;o5VkBq9 zEaSAAm(vVsu}uezRAaVD6Sz-kXiJKp(kY;W8CHBO(ojmNcN_$|uJwLbj*LFsi(Nj4 zZzO(FYbku6M*tc-a2QbTL=L8T(tzxd4u&bCpmj3?HGqD@)8*f9ca$_xI4R!uiwi=7 z>1xN@nP1ayR~DB&&L`Rqo_ygC2K&mAF1$r*Wo^awS|jd5gz4XOiQU&fqP;I+ALDqn z7F~CM#xTYn(LI?pOVZ(#DUdTap@33@*?zVCdBKg)juJg5=`pdW`-1yTuK3}SvHkpP z-B>!LJHW3lqex!BXTXWFGjY+~ahJvY)J@w(h3oVp+I&1$Yr1?*Cn+{o5`1(tf@_uE zU`*DhacYIwm_T0#$|7lT_9Y?u+ujHtcj1$V3w50^@lc{h}H|jRgvgJV?UcKz~W?mwGLiJP9TkmZ19* zirek9N$j=LGwY@kKz2vYu^p_M9O=R$-N?k5ojzEOO|r=b{8RNr5Cl4x96T*_BW~$x zg$;}=Ti%q;R(xiOVNo3_9GPM5FcK_jK6-SsI1kG^kfgUHqR)U7rv2UD3P&eU8(xNR z=%48@IFP%{IU-_tUGAFB#AErl8r{*;!NSvKzaA>0%r?MuH_SbzSqY>iRp2c;LlCo0 zNhTlRst~)Mp;Eubm1-XPP^8?s!#j2&GQQmloSZ4kiMXt_#JxSLtoWC%?|%Vwwo&F~ zjdjE@=~TP#99VA$56Yw(ncc>|)}u9u};lPyAr;?kK~6SQeRLa?;^iRL$UyadP> zoYzyPL+m94Qt>#sZ`&zvsmjU1+vrvC%hLyuvH7V&?Ii?BH|K4aLunFrrwW~+!Aiv% zUIO-Em)pAIOuKfcoYy}3+ygq(q7OJ*uYk&fxv9=KfBl87KZS^Tj-?@o)6Z{TCF=$P zC)FL>AsJ~ngD36#7j2gpG3gL%N7ixb_FY#3rVXowAY<#ft&ECWc!i0q-3MlpjXq4x ztcpVsv}QUew}sQwuod556a3aPLXvf&GUV(&OwFketsyP;XG%{}TuKFZdZPriD;D+T zG3!s=gdisH@@o^Wz7Ix6>ImoP`m=Bkl?r6SNuH-ISHaBO?)z1a#bv-_@h8z|cVzCD~?%Wm-<=ydeIeFlZmea+!tJCX~%aw6fd(uOBj#*&jL2S&;`to&qC zh?>fEw(8Su-5Qi7aM)Tg1J#Z10N}@|chO3OkqJr?uy9XjMt)CeYL$${g&zU&6>iJQ zkQY{AABkTo7UpvFBflS6=vUZe-+&)>K-TH9&wg{1j)pon%n?j#4j);*Nq2z?xPnk8 zscA4de?MwG7|_(oON`y|wuKanc2YE`>=)t=8Q&VOgj{{fSE*w!!_|wTdzU2=r5z54 z+DVcT$#6-7Q%D;c~OeeAdhnF~ISp2h^OTmm z%H^48-Qk22gC&?P(0<+xy)9K#-IwRQw4yd>TxHc^4_X+LO3^yH~qj}oB*VUwx10YrJx#fltW~NpH*T(xC zg;8*0_Z0moO%mCd)xF-i;yw9&cr4gpu`WMTYM1HEuQw|e`+ARInyO}|6WdUQZO;gx zv{Jwa>XSFqo}*((=k{#|Oy_#u;z}KI8u-#`R@P4Xb)(bWWj~9P%Ar4ducmZkS2Ewc+S-Y8`7Vq<{+qa_OPWo5*+b%y%Y)rU< zf+gpwwG*G*`93ni^5z?7t#O!ULe^x)APgfHU=EIwC5SrwCb>0PAaza1SjdSf3Nd13 zxHMcQjdjAEL^%^FWv^oz8xHV<)0c z&4yvU5+z@B zrE+9lOB54p7v_Ab|9f0jHg$a{Er(0TLm=3Hc+u}TTT%i_a zsfZBaqj5jcivX+7QtnmTOO_TnPzpYgiP{I|Oy=21r1Oyw z;_FnF!X#Z{-nH11pFhS*LgxG;@b3a`zl3gR)^J7v1U%TKDfpDn^22oG+i$+;qdD*Jl*rm~Hb88Udf((K9P&rWk9AIp$-sN(W0#cd`7#z|2(ehY zU@eZ4V*Dd8mu$IeW)?WVHB2wlbwAs!nU)-+2#aIUl$^vOl^jgeslBuQRjjRt1$7MV zgx_XZ=yVtcT#-b4f|l%l4h<9>U)ESo{Sy@~6svwc91W8U`P%g>G&CH>O}qw}!-oC= z|0Wo*qK{zl?)!}7jHk5eISe)sI_oOaSR3OGOYIKxN&ey4ZFYv0gG{T|T{ zlVw#~eCU5U@0G$&!^{?f8E$M`AG`fsWII^Wb~ZLt5`-Zx(XV~eXYEVX{@^WLJhhVX z1EYJAboaXwvxyewa#uK^(kRhafdk$LoYGGh^WdZtE&q&H`L54L1MW&8rxixBa224KWvgGmI-x1S{#7dFs(Il) z&@JV&x18^L7?lI3S9XeyfUvUjIo&U95@#e3Z&x4z4LQzHuMm$;7CisrCch+t^6#Ap zt!Q5S>uhoARtt?u)iyGj=2eVII#9HKq=k0-Db|4bSZOU0YnSdu@pz|#B=8wQKRX3C zf#pj^6UMIEoES%V>T3yZx68@^ zWtsN=vN^?gjA@KRcSs7)1J0nL*hqt?Jj6{rRe_u($z@?5QeR;0r|qPNi#;`>wPrP; zpo#vh@5DIcgZSR1x8KmxwzJRbPwLtn`dKoB=!abf*oiw*nbj=fzT?Kbs+eMB&J{|vwT3^2hPjf-4~YRQKKKkN3lDI|faE#PeI%Y$+X z&2!F#Gd)Mji8&jll{)fZz^Hr*IbeK$Mgpx@HJls6CdF6TGx43DT1R>K-{(nxh2H-2 zKhRu_d|Nc z-(Lv1nfV+U`%Q=Q_68`Q@)&h z;6e%>ph(WMO&85JAH+i5p(0t^nm=^k{3Bi9i)6`_h@Q8IhP9i-`v?)UO$V~=A?VQ9JvZ-B#F(gbQvVcvjB1PM*Lh7Dw$)pes$^m&0B^_ zCmHK%vCh}ES5@!9fI4r8XWX%3U@$0m-c~k_A?m}o4i#F>Q#z(EThCQ@U!*PCO*53@ z+UD9$v995JHNDx!+_X7f!UX!SLPAy6qmmh$^O^o36=)xUdeskzj<6Cw zlgy7y5>cW)w2x1BN?~yr7UnX&1fTp(2n!ES!tHGb-dMWZ6`4(R0fY$fv>mmW_)XXQ@KE2lW$B;TMT-K2@uRDOK?y1YKO1 z&^F(!B?+UlEi+Yc@%0=T_2=4UN@jOGpmlmQB+_1<>mtv_U4=jOB%S~BbpFL#4Tpz| z3`|;R`4N`2F2)IrLSJxg#ML7hbKR!5^0iXjGN(yurBhYcVnd}tdfQ;G#{OKzi+q>i zk0a^+MpizXYOBQAiTgChe^xez9WDq|6+!i%8@;%zmLe2Z@nWt;@RnQPWF@Nk3i?D( z|A}!ZPZfdlKlfXD@Z)S=Lv%OW0h-c@bLj`Li1nX9rL18;OzQwJ(Lw&(b>Q$3Z6}`m zaI8RA_vtfIN`u-vFEm39aTS&V?FPrpwO1PP5|nP|)a2Z@!YaZ2c7Tf+>#iJPq45*5 z)Vp$j!EQZ8C09?R*Rnys@OGP}MbWQJHC@JZe@Of>3SUsC$rB{x&jiUPt#iv z`{l`@;`7NrKPX0Mon=gD;YUEg3z26(Ep#GXOXap}YfExO*Ff)U)*U&B*Qu5x4qOKT zRq22r+h0i%=-`nt@lIT85^-_`5;eR}6H$kJntM_QpLP@>`S%ViDihqEQNKF=4-2lG z-qsf_1%v891*FPLDOQpOG(hErVIRp!hoei@HIBqHR5qC)W4oH4f-Sq3e_~5f`Wws>nKC2SQ&#@hag5rDkLy_zSL@fY9=0jggT#{P#6(7;{D>t#rD*j0;hdgPXG7XJ#q=GC z%$LkU4hMR<=IjfDvop?bsS|02U2?|LrM^y>(Ysp4(}&4-v=HE^1spb)JKkqXjs9RColdngR=f`L&-&=`|y^i`b#pBa%*H(xGA zMBV<0-J9mHPac6M&6GtH`CNvaD%eKRzd*-5Il6Ju=r}jriCW)fut3?kqmdrBk}4bLdW`VF>94$pMCjq2sw&``-KA z&${p9eV^yu|EvQKaXJ3@UDtJ9=lT79KXhsWmB~GomgBT{hw{A33`An|5YQxG=^f~y z5G9#Xk)yS7IfdFZEfgJn>MM1BLWy{^9b>N0AhyN+FzW3+sPlE6vf`^k$&q}$%zN!W zud`KaO9-kI__!@bWkv&4mw-0UVN`>g@|s5UHeD!L2=;z-6HEgkE5tSb%mN6?4|nkq z(KKl5bV2nMR3Ju&@R+Tgd!RN*xztj_odOrAJs4wHuSBD@oF5ZCeQ!B@k{7b^l{@~g z#W`f!UJqaxnv7jP&&op3z9IWo=GS0=L}f0?E%=ad1?MCMe}e8w#9+QHa&CUd6u_ zrejh=PoS>PSos#`ifX9oWE&(UPy!p|b^ZVCVE#iQ!sI1j6N^-4UqepVCZtl(^u@TV z=Bvgrp{L}sc$F&M-VxhLM|<_w;%VMVi4Nd>IZ!80VLnh_Gko}KzJ;wX9E2mpF&Q}P z%f5RTZWdDf6WZeQh!MW~enU<=LYLF@*QbqSPw0GGXP>SndAKWP%ZfP*2*$!9Yz-;{ zh}rO&bY5o;7pewcBj|_BGs@>>kK{qplX2YcTr^_@d?U9U)XQv)luZ;IQg3PZ$61wv zg`i$5onYLIq}~OIZm+m}RzCLaI0GwtkR@z`$QtDs-dqOuYLzAr_d2OKV>PE)7(q$) z{6{a?@{igo3zLS&U(B<`LcbR%bCou(#9O?M6cJ+ouxNub&eKKipeuY`Hpcu_Hr`bx zW82tYdWEpC-gK`MJlfpk-2^}N8vD#tPml+Yc^o9@YD5~IDDp{o+_v8jC&NXe!lLg? z8Pudu$Jg8YrJu9>Vn9uQ)~GEAI8+SxpRo(Ir+PSuJ#%2)GNFrPX8xu~agkW1=#-{1 z{8xiBEt&|%&wO~OH&mhl(Q~-pErb$xD*sP^#*e*LbvUUt=2kY>hrW{_d_qq4pcBuq z>&luk-4F&nr){otk_e2vGXBsHw5!5A<<~Up#fpW&+ZL-!{>r6A7B*ANXr}d!xn+h*1JFwv5QB@38^fgPc2sz zwmzEqv@I}!uQ(N6{bTm5n|PDwI^k)!kH`0r&}W^7*@eE3Wr<0n_y?uvUw!!cknzsA zt3yK6*|p~d0|RO?b3+|zU{|rygxEjwmT>(AyV!AUEY|y11EaVcF*$?HLT8!>Ke z4euRjihVl!`se=_4b1<+Z`}%g6Mfrs$033^>c5;AKd9NGr0m|cJSj9%YcJ`+@`=#o z4gZ%J!%qAWXR`Z}?kUpVNg+IqAc&fzB1i1p1UsdX(~GO{U4_YAw%$A6o9_+3`&kCg zGEjD1kBBD%0Bu7ii66$cKk=k|sI5AulYE5|PO)j_oTJ)+9Z2RD?hO#27{Phh`6-^R# z2iT~>F~FP6yf{y(+?Xs4!WSx4c-`rwLtgWE3P~sbe_I{ehX^G%V;1SKTqk(Faa}J3 zoL8Upf;g7T!{fz+{f&u3bK`hHuM0zGv9i0=4Kpl`*VdO!@rl8bg&iO<2R={=9FljX z2EoLAQ-eC~?T?io-83R^5-j$eVcl+GE`wy2t$upMl0qsNuSTqARAynHitn1GZA>Vg zKWiuMdN_J|YEd*$ve+RWz1#^&G$f2|xSDm1c9SdC$^J2`ApRlLiZW3s3AUAMtJv3p z=aZb;-VAZynlKqz$62&SsqN_C_|Q1T!#4;o%nMLJaP)P=>ro%T#zKdr8B*vEInzs( zZm<2Kx`%csnoo^u;GXKIhZST8!B_!J?iBR%hb^UbuHT>sg{h;2WA~jJSHoU7?9{e9 zfN7z(=9dSkNQ*Z)e3bfQ(+}VatB2DBo5Sf8MD<$}`FZy&owumVt;U$NF}K@=NQ!QxclLlW=!*o+vZ_;ceYm($4c{rRjV{cgq_nTZ@8V}a`K$KdP`zrz)V}yZHu*&% zD@-@Xwjxw&S7X~g{8W9yJj0}L;c2OxcdiS2YK2@B}@*zFLA744mM>D|e|4E86;5faj zmRNqcZP$Kc?ZPJjCHxBhfXutbpT!VY^BN9=i)KCk9Vw8Ohu7odlvEw9OUfv=GS{S#+Xa?2p<4z>4 z{ha(vWiQ8ZXcO0|i%e@{k-2`6hkKs2a~3lYEFd@^CR7p0*qi?n1mj<61s-ab;F=j! zmTU_7GlyUQmsu5m7r{Qi^=GA+za)_T3cN;@3K>FU6Ob$hJjD0Du=R{QC#Jmq{^u`l zSy%5$m`~?~PaNU2M4a093!>hKDtcbfzrtgro03UpdzB&SqInt; z(CNwZ4PLx~P41Mwb{F>VkL*ABS`-(&8m3&YLG>-g;svY%(vSL(gp}7$GR*#7&KT3- zw}kL;5nLLX?_~Ur)#R<hr&EQ>&CLR;LcSY0v-Dak9iMup>cUPSD}|)Toh50Xg}9^fv!be|(AM#x7e= zZ%j+|8{Plt`ueXI{+}Pr7b*Z%yXgX8 zMX&W6H|D6WBQ=^i#fkp;-ERnQT*ov*)_`SC3^aP|7{sXm`FsDmY!ZK z_JG}&L2ur_e=vg39^3E)_ncPG8eZVDN&fcj+tL$|!T)NJkLudYuaxrReXkJTsYn|Vw3ZqjtWzD-+?35UIdcaw3AftA@dP7ElS z(OhRGTg^t;7}uneX^PAg)d;<6_Fg73Zes0h&`h#jPBYVJ_uFu(2v%Ikv##+J5sS(K z&iu9EmfShDN7_ma=9nDo3M}R~*_*Q22s3T7l?6??5!~c4VB<5NszjIwhL8)s2Rje< z6gCN0(COi(MLQq{O97bR9s_sIBOp_7AqFF8JO&Mxgn;W52EewpJn>-PYB>sml;NCSx$(l=DbK>bb1F%F`%G%WZGE#4yM6!OYWCMX%!Tt@5CXg*asIw0?T? z`5plC1Sh-gy(>Ec!P>u~)b-+?$bL?f6upzu!QYDoe)Mhu`>i_wmMeJ|n>+}qVGn-v zI?wNvx0#Sn&_$ouguKMIEu#$T+r@F+aV4G z81TGEy^@X&(#i%dwO?QEqc!Mq@X5f2I68V6TA?t=xM6kH+a3?2=r;|HhCT|#}QoWlN~`k)bCIJ z&0V)7al?zNr(rjMAGQ0Dwv76na@7}Jvl#c|I&hQMfHU8Bur<7HCCsgqdlI1(Z+8XsQsQM3Ll@b8*>tHZr_Dh$WG0?h#DKnG4x}%u$Vc9*;rF zb2y&zRPfB(a;azWRp2`A zPo?sjeEvK64VZ(Rc)d7coT=)R?kC?`TiU>nok|q+{3V3K@$2CAH8HY5fA*Ben+Lvh znnS5@+!j9^s+>1ot5>c|<0TNV8TsRq{gGtfQl=pQ)^R)?bJNciV{-ray9XqeH)`hj z@GYBvF}=R^xp8#yg2eq7{5PEGwMmF-sB@9B#WtKfDrQT5u>tUF7<=mS$*I)u-*QiC zKdV=rcuuZ;qnaX+QD5rr|GpV_^4?1G+<*BeWWkqv_hX+=Np78T`XFVEMri>-o^0T0 zFO)3g8NF5zU39M0+Sw4}i8b!>`>6CYo9fV&3$7HQ_+#776aO=$vL9gi@hUkQ%EQFx9TWy_JTywh+0DC)Jl^l6%9X3&Q_?ZlqLbA>phC>nNAD3? z5)T*1$5gJ$JhI@7gnfQS#BEJ_eOxJK{(19G=Q)T*;U`We7jRY>?b-|n5}r6QBkvPH zYoNBQ-pCxc`Sqfu=rP}vd_0H$wXX=(pOU>cl#PD&Nb~;7@94yqQ>ouC(=7g3Z+HpF zKd%yWT{^k1`o{-rJVL+EZ%FU0@}YKuNPWAyy>tOB)`!b_now;Ypoe@IC12cIdIk2R zE|Cvei(oryrMhQ-gY3Tww&&0O6zKm->FxHU`00;}+^D-s|9JMN_kMfGP)JMt&GFnR zcjR;8mQ2YvH=x^HHE}J>s{?Vl2#8?W1_yan5usCsL8H6li{8}xZ;03?x#K2p3`Sb z;e@VPSf!!t5O6&Q(f4e69W0>^Z z7xxFd-Q$!Wgt=Gy{lY^a8IOo+?Fn#YJyE&A=jr`uoiLT)zp9-j>Ko3N(seXV-+E|X^AcS zY{-hhx%rxw)<2qAUrssOnEQbf74u|m6rJifFh9wsUIZ2UtBN2jo@+i=X^8R{=uRLL z@N9B7JY&|a9bTGO;a-JXw^M3--RmK>F7N<<6m61px#iTvj^Y9`C7n6YL&X|%??D3b zkp##leVI(77qhWz1TaU67__mqs+XMoa&#^TvCzcE0cBfSLrQu`jnz=rBd|_F^VEy1 z^S&h~%hgLv>tUsn`Ti!%x9{uc)Ld;(?l^IqR{+|#Ydc*RYN;y%lnuu5EC!;j^QQw; zX&(vjrq^E(zGW9q+X9%J&aF79$XvVeA$OoMFa_yft<0*DlQFFOZuR-qnw8csM zPuF3vx4n%DlcW)xPCm=qx#pFP4FLm7Jo&E%J^7iwz`UCsur-4i5?aLGb;ghX6%dU{ zUWXZ3P6Ff7exo1i1labYPf{uMiqN9Tzi6|Qt3*A?UsucvYjh3I_ z6j=yLp>+IGYq}3>+gqn|dK%bN@eb`NTJ6sDgq`)3#mdJFD`bByc*LC&$%pk3kbz)A zjn*{AmBSk&-+K`$@LfAuwW1EaZDG*pEV5;W7!c(#iDrddh<7&c-teL?to|I&ZDV~o z%VN?;s(z&KIW?uCk8P{*%=$VGgmw#{WrEjvl@1s~fSf{;NAH-iqu(ZF;e2FwW8Or_ zVSRpiR_UN%e*=Pe>MJVfl zMG(f;m9acjBm=ib{Q=oIY0_v>3i>X3!7-S3?TNWensvb(`;&`0vOrT4;o6DxRzgjm zLRfd{dB`h86eD`;+4<$=e2nj}F7(O5vWr%s4)4D1A6xwKXKW?WY49WEpbqrFc7?)f z-lAp?n()6Hyc6%~D1nTxeRC0G<190y?3Gt^vt{nswUzyx#z!Q|+=ETR9wK>m+ZCQ+ zyK7k4*Cl(egRk-CTBTQ2{B9Bvzu5u5e3uL5-l6{7GsW7oTpW(|L&;p1Wvn}5`f?Wm z9y%Oi(ScH!_akP*WB`vbAx9l~&vmB3Vke0WWn&{C0_umgU`hRSVDw5jksiC0KoD0( z!pPmB&o+hY^|N^Q7R36MOVZkU>gPro)47{mkV@9_^(W)#!8$aFek0K!q>xFlJBChP z{=&9g1+uX5j^pP_n>xM(QLauQo1ks~979DqQC+52`z?|m54Mqj!zS@Iv<76`vS0w( zc=*FSkQcfhTDtu9y1NugCd$cG?*bS+reG#RiQGK~b5NWsmc?h++BYhRppSHe-?Bqq zX?X$0F4pFF36(bNa()M-2&blr2O87!dtM5-@3s*ffP6m_daS73pLZ#w(%Vc|+TMkz z6IpjCrAs{Gtpxb2A&`2sl@S7&1;MrQ3o*}l+(4N9!9pN&w@Xiur^%ez$N#zoGL_okSw9=)PUB%dO;yj(ywZmhhq+>(ecye<( zPt<`$6`E7p(k7NTYKB@Yv>y#4y&+1RYdBQ1mBpm!d_#)A3h~};fbr8g`F|SvPCY@Ph z6rd6$6zs-99KS&hPTe%RMlgjP6zz^@{yu ztc4#XFP)noaZi89O|wAUT}v!`2&QrU#6xW=sx$rWPmsH=7axeuH=6B+i-E&oKTfJQ zP`zHi$%6y5UCZjq%Q?VZusXl+f(GwLyucqM*v#CAWM6X^i z0ygalyjO)LMPSz}8P`{tc}jL%$^q4gfi2O@e*@e6Xi6c4WS=IWemr19z=R$XxyxgyH!JdSD<#xTz365GC# z1(%+E{ric~62kl7AJ{QHiLp&MbS2w&ZOl2Pwo6(+Cu_$Z0>j*)a~4i}|CJds%uKq} zwtY@PLwmz?Nx0D00k7)l^$a=^w#y&=Ho2;xX=_fney=#i-g;Xe&OmyuBQJb;49No=dRpHz3PC>f zg&w=|iEmQA-;qJ$R#i=2$Qdiyn5b_5S@#ak-x^z;H*bx%KPP{oFTl4u*>QNlK-DzZ zm6;h!T|uI}f7-jGKQ^ihja%2`wz8@1AqZzelbe%w!SBg2G%1VNiUWE-@Q%9J+ z%DCBFUjxJ=M{!AvZM>knTs#MDh9c9L!FI%kqN3aVp#7(0&N_!I4yy`7)jeIWW6*n^ z89+QNbJ+>8p~xtYDJjkt<0@YK;iC`2nEYI%u4%zAU=5&LBrVZ585Yg92+=BRzbF`@ zNpTw-cpbA`#yTU-+>qgjH^k!_3G{7g97c}oL2)JX$;Z2jh()ON$f5c9)dWBGaY5eM zm1k7L4b8Ay&3Xp6C&Y*zNU7dZ$uO^YT&{u6D?=bAJ+&5gy%^5;e8GL?#Tk6`Tx$k8C9>>C3xo1e-^}_d?u(*mSrwDa6Gd@ z8Z$&jL4E27EKsA8^Yf8*nsUiknwpv$oGS~gsD%pZvV|#-OTqY9?hm(3fIjtQCkFHmp`i?&08@=E_IS_q>M?iY$l?NWroIS@y`-Zh`Y5)aI zm8pKm8rz6fV#-RO|Cy*RIW;of#+&0}xT^NT&|G%3;p#(eEiBd?3z_EXKF?%|H5;l;3*8yv7Fj_EY1ZjztDvrGL&wNGfwX1;WZn}JygXyV(31qe zU}=}>Zl6ejH~WDStE1j=ot~%J$4U4bMFd( z&mwz(=&o#P}!9vx;4<{b*{^ZOrC~%@9?mX0e|i*pPIds!Ri@IXHnH0)t(-lKjPW+l7Ax@EPZ?II zg%|#P25|lLk7r&A2oYsYk{px8P_>UWc@mGj@sCO;r|{r><>t)&qXM)!$CdodIpg$f z57%+Zb1Ll?>F8Ys*4sF&$8Sdqvwt8`@4&1NBh>_&SmyBYy|{&416>^H)N9vpi<74^ z3~>3}4vM7;%hT0)wO&?)u|-Emy%!c(zIE&^;0Tm>FFfXdj(+JAzH(b2`!QZJI091Z zrPaTxT*ivJZTzeYFX8+F`jC^Q_}swdg(SYyWNHLepB>o%vDn4y94Ff#$|DQ-?7HYQ z;c^-`jRTwNZ{`fyYA0>QTNH-BH#w(j0hn!5P~;DnLZ#z5%${au0VB8b-AWJ_u1Uel zhu)DMx6nRr!=v{tS&Z@Qc}^S?OE?|$0Ypw$QUd(KmvV{b`{$*(;KETUFmS6rMA-v} z*LmjyJODsZH2If+=Qr3n$WA|im4Ur&pk@D!>gfmi0-&pYWHnywbwh0)5wl>D1dBfZ ziKGn}YlMxq7!=9K_VPxHn7GBRYwOK@;RnG{P}*ol{Qb!`60Bm%SD{hPJVW+On!q2l1}Lgn{QIm#0rSr)=6%gf?-X@93n1OSQxqcqLkeSN3^~+csGt?NV5B^L@R$ zV3EELkz#BA)_x>AeI$IbCeL`=T(L4EqjkL>Jg|4t#S63Vm*&&EV7kNFWGF_@XEq;N2Yc`U{h$o9@G_f&^#@vXHr(S z%3D7%TyOmK3>z2o-3Cc}im-v5wGGD?xL*BqfT3AN@T0|#PMcxFfO#2I!1jdV`R-j5 zz+Y3Bw9!?LzhYS3bLFe_``AI|l+%`>?^J*c`0bD71sZM=ZijS?j4=0X6T8^}A5hpl zfy$CMbQdu_F@*LJw9z~>XG6}@ciSkN*o$IJo<~4* zkN8l&P6xFDGFL(!?v@Mi>z&{bVPCNRMHT_kTfstZ`r7904Y^~tz~IpCIh&pK=5tq? zt4sG8*w}#QeTW|;TTt4;bXU2 zNRRv+(Q2jm&XG$n8?PK}YQYyy?;McccZRJ?E_z33y@!Bl8z$%u0`!-Fn5vJDpMUC9 zEduSphnXVfqFh{Y*zQ;;!FPe<+gp(Q51YuJ`t&PyRG}$6a;2dL7*^W72O`HDgRWU7F&AR|mqL8JG1Qmuc5Kv$_L>l^UJPoK37Z;CKQWZzlft=apyH*8}u0yii6O+vk@|YVA zzGY@0Vb>6yM%A7XGvxY6ex@Ol=Mq6M_^(RK1u`T`FDc|qdvhP~Kjj;L*{>j8Z$J}g zfz_f^D|#E;Z=wyC-Pf9MJA(-Tm0sN-ww=em?|A$jB2JxJ+M-b77Z2 zM+~$6miZ&F(aI+a(1y1vKZbvMEs(YJ+hUO_RKPGPJcx!WxGj7QOS3^Y4@B=1;b z_MPL-@}|LvrTCd*4U;2)RF``^pAS8w;>Eo%6usUV;@hJ`K&RB^V)qWsg16-*t6vfO zc?XHx&S`)5SYBX9Ez^3D^*$Fj_n2e*@TG@=QyujBNQF^S*ckmkLI(>3-qr)N^rR48po8Rwn|sC45UaiBG0dymJwA zO4&UYncl}<8u6zv{Z1XSnva7H5 z=gFfda?IrWYKg+pCfJJ9ldd=Yl^J)nX;%49fZSfLDEQn_BG} zKf+}jy&pM+m@a_RKi9Q3&n=YX5&evSMn`?a8AnBk?bV4vP+YA2e7m7)Xvs%A)n`Sn zp2YoU-vf+7BgxV1VYwyN3w+syXgyDQzgFsa4p0brrr_?a3-zysz;NB^C)4bMI{5I> zZU!e8EOM$LeA@;xEFc4>u;M2ZvUP5-ns#N6|Hf>&UNxW~DLT8uI9NwzSuibxL%LYv z9j6#A+NB|07foTAAlB#!>^Y)X^T0mN?qMFz0es;e?W*04k4bV$!jhQYOR|q*v`VgQE_Z~$3Vw> z_fNBJx>tWrh@d0bO1}x{Etw`0s(cbs(OIH1GcQxIyW})`rZQ^Bs3Jyr0%268Rp&s1 zT>qjSpV!|$-k`s{$89yqkwBU6hl-IbD0n#y=7V3x)H@7XeBQwU5o&1?KQ*?ENVCKT zPw8USVX|4c^InGOH z;c@=b%%k2LfUalHNPy7C)_Z3uGbJ^`_(RpRtYNC+iT+@5|K{33{`$BDcoPp}mUw5E z5(823J#{?$a^2P;cx;-x3f0ctFZytL2O>!e!p=vvZMu{}e|V(y#wB2_zP~MV8I}~a zmTn6wdj%;jwd!Tr7vsC`3##h6%keZXmHZX@`$yfWc#G`yHB?ZwGowQQ9QWnHg9nsJ zlbsFT_jxHF5J46IzsBf3%=-bS-bdR))~qoYt<(=?G8BTY>3-8#Ngv8l`HMODet20m~65z3}J>$VzL!Ey_ zR5I&%ua*xMYl($Sw|B?c{K*>mqXk=-^yvuz3U-@dH*z;D1kj7_t%hL29^lMl-N-^A zCUZ2B1&8gjE=oFaLS3bq`_HnLSm450L(EyrJGCKe2=+IH?-xw@DD+LD!xgIKTu06NUmCzW0R8cJj@oL{5 zD3}Z9HOcR7Ymso@X_8jnSFM;E))<4XSFwUm=uxk>UM?Alsr85@hIkzJ{ZP?%C{j$5 zcL<@LTo{9+|5|M3p1^OYy-rxaET7|RI4+Xv!M8qDo0HTR8=CcwtWc*lXdBFGtSx#4{|P+F%uTPd^=tu9bKku%P(rzC6nOLCVTO(*e$ zhO?tVbjqaD++>4IRat;Jjw9XG{nQbHO~WzP@KJynu^{zh(ayzVb|1#39QOo0u5ei` zNED9HZqBAFAYkZZg4p6HXt4Tg0oc~`MCtRj_?ib)u*v3bSbZ7k5y{o_biPV0nu0&_ zqC+P>XM8O9PQZ+UCgzQbX{-e^f_C$zg0Is|V79chbXjlQ+~r{vYl>X9&5Yd2*IaEu zRUDH%8>fwN1KbouNM4=M zwGiiNZ5Q}#s4wZ~{Jx9WoR(Ha$;U*?p&lj75sRbZ6zIh14 z7kEb@2J0PQ#mfJ4#g=-+l0#HalDu*&SM}20dajbnmbVq{k0Q^oaRm}D=An%|=qK|U zqsmMzb9*y(NXAiae{lQE{ONsn2sH1-VWX`4{MtTX>}0jZz2=Y7BHS#C?K=F<^v|*I zKQ#vTB!3(Q)YR=CDvUYmGM)@64d%Q{r!Hm0QfEv{ZSYlSIenBXjqc+J6w0WDt!u4G zz7K#3&94oVB82=h$~@9Z%I57Lv(_Sx{mjOn7Iw{6$DK?owxt_ z`FvOc1nW~XZBU~M-Ha*ZYt7A>PJaFI2#Shrl}BX-*P{j+%D zaBGGh&pv_MW-C4v?-QI`>ylNp10HtL68I0CWex)G^Qy$j9FIJb z3ZW2Y%3qR|{(_4i&f9Y&dfuWYFbcC35>l&z=XYCoZ$k_6QH9;S+1>La6rumm!VF#n zPLAoceDOpk<)Pq$?i0hk#$Ox+%$QUg?_rq(FfW17va+&jm^~Dl?U8%EvVIu2#yNq$ z@SSukg2h^6A(t?xX_a?9_`N>L@B(a1U4|i3)75pEx;M$@6|v-3DaX!4MM-&Xi|ncMcS#hB#g(2_OE%Dmqex;Tt>C9I%uh-VPGA+|q@!2_}^omCh35UShOX>%25mO>0&x zvRw>hL|j$IG}T=z3&dF=9nM8x2ZRENES}K)O)&9?*S%YEpodzww(*oE4*_Tw4W=Lcb=F%y*RAIz#6rLqupl}bbHvR0m7#c#8@ zOC5e#bJ{;YIq_Y+ymAdA_t@P&nE2eETbwgps(w+6SzWhPS9C<#q3f)nBh|tDT!W3? z%iT1v8{Gv259{8@7IJ{b1+h+34`gRe z$$9#~0dy0SzY5m}FAXQj(4YQdQ4-vJ&pv=(NlrZ-_F_4@?gU~yf?3DYVJGG={qQO( zGBQUq=&T_~Srx9O8fN!EUEzt2e3DsK^Lpa$AU>`;+A@%UHxZ_yI&L&K3(_5z{ZsGea>LIq@#_SuU+=#UP%9-297 zRoamtrLUwcf=|7Dl;K~5AI9<8Qv(jCoHlI?$#3XZzCF{R3q>C#OUl^Wrr0oVDC^qr zNh;lMa)5PD_DQ+@1t=V%mxICOuul;bpMe$&BM=b3il9TCKX1G&Z(=@Y`mZSql4@sd+2h7lVMS%q&;%PqFNJ@D`WnxDJSQ( zrTsAK>Bu)mf?s5419@U`(Tqo*(q3CbSrsMAQF(GFGDRZhQxN!}0y6HfgVL9;Pqr(y zkKQC{KKV$t%iz?bht{*)V8{+!0@I?nb%c~Jo)%uN6BbQXQE#v1oeEkDoMEG5Yn)Q} zE|z>*v-nZX6-{{^8ay?00qSE==Ke>!_1Jk*hf-^LlTWW#kxKGFwC#%W7_6uXj|W|l zSL{EBlIbcu4360a|H@YpV=gj95IyH(+r;&HBx_qFcRD^vPw8h|n>!5C{T_$x^RHmm zol+^zGQlw2EDutMUR`I=*!!YQMI;>D`GQ$hA0Mi>Io-*cOdDPNnj7&orkKt2U6 zUnd)B!y#hJg>FfK`-KA?Iq-S4QIa6ED&C*Ux-8V-x9>3+m&)c~{audJjI-0wHl5^Z zpRtkapF1p2qjSPl^t?Ynzs`ybTG3xxuu^F?A+a(O(WHJl!CpP~T>JQld)fqx|K>!J z>)?TA-}nb-lPx)-@mg2<2E1aovme943NG(!ZhKqM=tx&xZgR!Zd_y7nXR{KhuLir> zTz;l2_0lty!(QT0E$Pe10>vO zcT7*~Ae&Q)E!m8F24UC)-YwLC1O(!o_F{m8YZktZeYRz3iYCA9Kq05RMUn3}!( zCK^J$elPdnS*XHUJ>@g=CP`(cXp_)@K12k0An7^}H_Rs2&c0GiR{0`pX{Y6au&Rb_ zS)n7Vd!TDpS_9EPe7r;Ho6@~{i12si`MvJ14 zCaVUL^V8gRwL0kdisJPm+G(qhFNZ+N>`<{m3xf{OAf(av@e$YDbJ(M`8GRieMzDq5j@cM`3FOf;f?f=|HL zrwvQaeW=o;PM&ot?Ieh2#{dv*&WrmXC_)jG9{_WwXcysjsV7~1b+PT)Y;llNT9{)9 zBY%7S%t`|Kf*t-|IkJdcSB{o=>eZ30MrL?ULm|Ct2l2fYYYX;FrRQQUw-M7@N(`HJ zhI0k%1p)(?7K5+7z9mo(d5MW2i}9k|&nsxwn43-`GJpJxwxJwDLjMr;81|EiHgurz`Y9mC}y~ z0)X1pFW;vYE*fzv0um@3zn(sjQ>N{rp4?l@PI>Cd(j~V+7@L@A`4zyk;k8Gzu85cq zK(~=8gKFJwJnQRT%=XMH{Rrk4%>mKj;W%8qDxdjGz8Kmwz`*TAqYrgdzq>kRk_`7b z4%G!y2!BR#Y%;!K;%(Av9eeHRdcGOZ%#w1f$n@~S+*Ft2bt0BOSlrLeT_!2?>q8N2 zT^)A_r>TuwkAfT^V!NfJw_o|4cfRjvp;X3lI>=pvjC<|of-}=BVhe`7eWN~owHPl> z1)XOwn<9EjLn#x4jca!go_D$$1Dko}P*AAA&{zr2PK%K5it(~i_oM_w0* zR=Y?(wTSjyvn=NNozE&gVC;n$*{t{Cq!%e!G&uyC8f_2ZOZMxoBjO#TXSiap)p@rC zGuldMUz(G*{ZOVt9MOT~?Cxrj{%d9Q{qyLlKkzOK^2ewk>_KYvD7O}A$5<91?oF3& zF%>G-@2b}~${q}9<*<2C{QdM<_-i3duMU<%qMOaN?BZ4Sv@76IZ4jq7f5tfdHbe&N zPCAAMIWBK~yUYqsP%8WKyF;0tyD$yX5!&T2GE^tcHIl2_5kUM+FjmO#r;C+{;-8E< z6=8Soc9)Q_n>wfj)Fe8!$87(qSVSV)lRQV^&w97yb^6K!)k2`?7;SutFU{StKhxJn zLiL95QG){!mau~9@^7Oy*mMPxPc1Y)fG%^XIBY#KRD?*eSK#b$v#h=N_(cVk9DKe`l8cXzv;*Rb{8#Ad(X5$SGWr9h0PL4wnt7nmYX#-SECrF$%hDW%tB zU}ly-)qJPJbIB@@sI(RKLhNm2HR(v`YZ4CACx@h#B0P!gtU@xKIC72MAxFqs>oom^ zUb*R(jxzzBCjFH}|H@Nnkgc}Ew)X<3oaa&9+=K$aVUBS)ZRuzy>ffxDX{n$G4fdv< z80Q&++3TBhgBJF2eeo(`iE{;_FWPiIov`HY0=o+Y+6wFSUQc~R?4OU@5 z=W4@esxvY&idAzG);8vv=Az}D3a04t4ZN;THIiRLIGzr%Q| zG@JYu{!>%BGh&AHb*RS!0-YuBjP!O->@ z3Y_hcm)(0g7M9|3!?A>D>R2^jR{TvZ({(K~!}=UZYF=R#b$e`g8eJ1R7<$fFM0U5V zg*qn2n+EEm5HZ(!0G_jE>G4*VyyTdHd@Bw*kS0E8Gr5>upk{#eCylx_V#N4q^D$QV4y0Y z!Y*%SmK%ATmtXkJW28k`DkmW4d{uR)%&=_6gldq~q zyAT=RpUA*Skz=h(%V<^y2!b@MNDESWz3arY!l#eObs9yyEYeb?)XImF*r`uP73}ls z7{Q+3!HE*w0p|UZiJ-dy{Bw zVZN8ldDFo@PZSOM6-M~5eJohahq!ske%P2UDu|8vno?R2x^2r`{rd)ynqZ4Bwz@Z0 zlmD)P=;H(hRnnc7zt)bIV$$9EeOoARQxC85CYanTR<6$8ZG$9&cPdIEgw*T|_oyN3 zxTB0*H*4MqGTN+qaJ~?8^0erz87LVB^I901dU3==F$9c^pv#;+>5a&u5ZQfn zJ>o(1ZgthcUcHSdXyb*#;rM~Rqxw9R>kV14Czr+D^&GdpVW_%4L&@8qqzn^3)_!94(8_Duaz)}|0;=Agx&k=&X1A#3e%hhsoQJsXL*o8^u|PS$KDV4@<|Ho*vJO4{`{Wz&z17~MTlN|?q3}Q z7xY&i_B+}XwLu$uo<@N@J)<<uiQ1o9UZx@$AD}FF5@?l;Jb<>G(B+LNtDbuLs$l?3SPp2 z)l_MJrT2f)_8w48M%%Wqh#dtH0i~)m0RtkvgY+uBg`yPcy?0R&=_0-NPUs|bRC@0O zNB}7z(tB@jbI!fzynF8d?z``v^E(`lU`pCIuK!_Sta zo$dtP;RQFqUtQ2?7rwgb_O5;27WA0QQQF!8ut3d)q_M}m7q&h-nUi(u}n#IZppg0N~XTi%w6V4Z{+>#Y+C7q61N9`^pc&KSTM2~hib z%i#Wx`YKm35J`-@r%eN$Fkg{pT1EYaTi=^k_}*_=*Zor9*!Tlp+1;nf->611e)+Pv z=Hni|5_=v3Vo5X-%(oB@VN-SNYvBpK+!V3vXZe9Aml|*BEx_;zw3cD1CI=Px%y$OehF)E(eB_2Nll9-PW6q=cGXWQkZExk#PB}?JwZ?J?jjCw2FRQA(o>LG`m_obGp*b+zX|#VJ5l z2q3(b`n~P*=4%9l)cWB$W2$?nb13n!y4f$}3$7fe$vGYkO5JhWCngY%QL2&u)R>yR z73ItMkY$u%i}%Fgd7T_9WAE4$Dmzus5>Z@LR20;aVOTe3BWdwP`kA`9h9px;t7XhU zRG=uHdGm3Sgk$Ut$O)r%v&YQ2;f=kG>3-P~)jE7Vr@od__tDR+r2Xl)Y1&mm1#R@t zeP0)>K8N`(9o%g+VKW+Q@J`ME;Vjs2JZK3&jkr44_4Cexeu5mZel zsg-PL&l~L9CHaodWR{2Eczf&LDVLn2Rc{G^$?hB=%eNTGi`aX%0LW)}fXtmh0z7zt zK!!$x#dw9{Qs11FMO#R_QM)G9&hHCQ+t@KrL_0P!Tu3(6=a>-&%xzS1Fv-Ip<}gY4 zuGe6*guj~t{INTndOlJRE9~V3np( z0E=Jli?)pqh(N$8{xi~LVQNJyLf-lHVC?+3tTvzmjv6QMI_8+9x02)&9?nx=NT+)5 zKQ3$4UB_MQosWzTbocs#n$Ve#dIy|^cZZ$8o#;4zVc(K#aqQy_SOh$bP`vZaPtizi z!YE8{M@O2V=YGer{4T7h=O)$E*1HT_ZS53plHX02<7GhULJEkJN_|2ER*EX}z@!m) zP09Kbs|V?Uyx3UI8v4$kK_`Z=li2`js~E?ci=*0h+5Myd>?+`xfVp1b;XE8}xmZvY zfC_)46!aL;!S&c*W$f-r<_FcF=CO`&YGK8C)brF&N5w!3Cv>zxG`AOp94sn&0gZRN zPUU-Q4_K<_ChGl2@f3nn8eL`O2u{r}_>?-c`F}YC)SjEsnQZ*(JADcCg%yOBsfr})}rZh%3Bdr657{A~mZ znDD*HX*Y5kNB@F2MSo3uapps&Z>i~mn5j0Ba}x4mnNZ4S=9k8`LmF6l`K!4TXCEIz z8z7$eWy!xB<_tBtb@=7VBCLUV&ffO%%8rm+7PD0Sdb^=FNpS3C==8KDYOSST*$>`1 z^}%cZ)vR`zukCbu>Nf3~3bZZd*N53RfdWT-f+KyKxjuRziTxm< zs7UzfyzR|(QQWeDJ>sU{JGoh69a^PZgtRK25uZ8Uqii6hqW4KPDyC1t{-ukJf&bwV zh8g)#=9X=TlB%97Byq!(_3C|YYWB}AULF+PD`C#6@@IT)^+o>l#nCq27Qx-Q+|Rs$9*aTB|EteL|ATH z*5G>H{i@A|NXz>$W}_`P#phJ9AW-L9GgqMS=cV79Meo=1xLq|7x(*e_vI_F|60>D8 zuUQN|kMrVa(0#}DNVSZWjJG-lDeV0TpM)|?PEyZGy(`Ai(|O(ejJN++U4?hUF1abk zFZ`TJ1#VhdU;l7v~!ne>9tpqq7fNgj32hST1-eHxAqGC=c?% zz1#pzPG{mMJEAuD)x}q6gdq!QNEQARd;x=*@Ok^5IietY0Eo`D?&N&*Q;m>sajYBF z(~zj=*$x-%qxRA|S_L8#V(kzLYOhVvl~(QpW@h--P5M&?G_ZUuB2bgyNs+=P&FWPi zvFhZaKuVYUYCHZBHT_A9fy<5oPrI;E0l#TLHM6cNt78 z)xj{dDU;S6=g-19n!o^4`0#+JX4AGI4dt+*_RV|at;znx@iR+9=I$_CubUAn`+;xD@59FB;3P0Xfu^* z(Dn$?%-d(!K;RHlQm~R_lN$G8!}tNSDz~#5bvgeJ~{-| zG*-ZUUDt9QYe(Wu(}wEt_`fxMY&tGZ*~j;$s+1aQt-kN)n6v^K)ZWwB{gp1l@Dn!H ze#0EhfL?o&5pxXaFP+T^G|l`f+k82CS=g6vXx~FMh!xF?yPhfa2RO@Ti;j7Y6&%BU zj3iYcI-ng3k9O!qOQTd{v}SzcstM-qg&Z0Ax|~w^%!!}8$JVFQ+crYu`?@(3F^=0I zdqN#08-E%$U+#elC6?E8riE`T8Dj)$E%Qj$l{ka;eA2e9x5vNmSjQWOe|!1?vDQGa zn`BpugKrnZ2*3bw$Ic<{+IaE#ftGa0%#~AzhSA4HKF56@PQ-E{7QTEdfqP`xV;JWo zK9jF|eAssP!ku%m*nmj}{WE$H-O;Bf!oI10ILd*|B{BICo4xR2Y?YG9RpEa$3yGt* zt6jP?uWX>WZUe0<vE)U3wg@DH!7@|x!7#DE4A&#vti_rQuyNSs6sm>LH#B%3zdTx{I{cr)3K4C(DVDb zw|Q-*YvR|v=MWs8Td_~gpM4~DJzFr04uF{4YG-w?=kqad9m8=qeFdj~)VFohm)iG~ z&3i`ykm%dDw>Y4>iG0olCP)1+%AU)K=ehjr)y)uID~cwH<274fxzp{hz5_~nm1iWE z`64i(p^-2#F&^Dw8Te)2RFP4f80_B!byuB_YM%mGp4pl%EX-BoqbF!tnze;I-rg-z zBYDHHc$b+yAd&sW{OUx7^_YXde66=-Q2w`e_mJ#>ez><& zR#`bx?$XOzHNON(2W*XidNEk6%9QBVkv>KZGmr{109uS~4geg=qijt+&&^Khx^t_{ z9=21%L)I377*}j|QK%b0@Yq`73a(FX+no#$X3f64^`eDme;*b(}eESzWCSR-(EHkI>NMSb^ z+Q4TIgxJ}aG!ZQ>_{%k`Sg3Gb(bQ08L;&~Ot?r~?$>|`#%wi*w_YW~l@`vK_8f2Y3 zQJ!vbR!lB=-MH-bP`>_^v!&yUekz{?V7%wggjYt6AZvHbe?=UPqSPqX`tS1eP;+{6|GYvB9&*itB>YFEJ z(Oh3Y zvY$~QZ4dCZ+IOeD`LJ=Z&ON)29J?M`kApKdrQ|Qo2CZg8z5V0!<`(b!(4Z60n|Upc z^;`$E1VY=n$DR4e8oU1Y5nXlJ?vGb=!++;HQmc(_{889`33?FgRoazOyP?Q3madgu z*tgb|!4|&v7L96qJomVfqgxq5G=*y#sVDL;o%b1<$ax%S%{ctH^NM9jyU!TA^DmJ+ zY?*Cw%v8VR-erv5ZXv_QuE6>p?F_r#=rI8M{UXq#UO#iB76=rce(H1XBiPZ<+i;$q zU*1;2+;Z(zIqB`SwGdQaS>#i1pMh>8o)h!#9qTAh+bwNr;WY>Z-#&8c3gWZ-Pd4cc ze#2Ku@U0VkPcsHu#G-e^Z>92Go6JIFYd~J*xqu=YaHr{-AXSqTaDE$D8-Y1I*3D$oN#_iZ0wrdqh3cb}i58SVPOO2LM;lKOyw}S^<>hb9#M+ zg&^VdV(R`$Vt4Z%nen}JP(V&{JJ58o3Pk{&{Mb$YqOa7jm6;}C@Lh#2kHO?lY3?y& zG@^};CYIgby?Y8GrCnsK7G{u=I%nal`nnqiR5XiGtXp%c6MM(zeeo7`mtjll02IeV zhs%uGhmu{VmnM5b)50OtHF(5iS;Mr_-Y1cj@4(-yVI5TRtoUYfci6?$`F5?pH7bHF zz&8KaI%chSK`q252?1El(ZV}D?2P>UiI=+CQ~9}8!1ZOta;VemCZ@VCK89f*scx&A z2!c3QSiWY14cnU@+TCgV#;Cz7&MS0`@#(3gpdVw4jwEeTY;xmGHRz68g(iFQ5pCF8 z&RvG7hbvl#@$U^o{7VFnA4WQ|99Mklf4uSt&mht#2qc|--b%8vL3@24kZk7)5!_UH z>xu|l%SnC@;l12-E#w+hj|8Nc7F|4?tsD?Y?_`|L?iQ=h7M>-$C1J6RRC1Y3kh#KR zql^vb;^++g-vdy0W)Zf2DKgMM5shN6N(nkXwJTb# z8X&m)Yp#YIP7UYoa|MnOSJygm*YSD`&;g6baosR6$=Yc z`s)*o^go1YLC%<>QKUuq%oGfTvKlKD0s!=zz}HPyoL!jj$&K%S^FF&BtT_n@|x*0ytQ&ScH({ z>{_D-G7SIy(tfhE-(q8>K(E!9E~RWSxogCG_Hb+7+D_kX_B!;DUl+sM0$XMShorLd zTi|_>EG@gIfN7BV9(VBbFYh4j3*qLlAmuux#rW^nj(-!iG10y>AEI4GAy_Y6!$6ET zIR^%UgO()?^v#=pvjO?f4@Ru6D)qo7&Vt7-KX(z`+Z;CNIFM^vobkSCi7BN5I31)4 zqo1!F!xNky{@ZH1G==lyAsT34EmAKe0TU~JeBb{4^HZrY1@=5B+heLR6r)oMi0+U&yG-iG86natd$gW?F#|5B4`Lyah`$7w-eAQjnDo2XZ7!# z!T;TaE^p#mS{$_EgcOE*c^B3955W<8DViQzFZsn+%%f~>&iEH|STMvh_&G%(A^7|` zmy1-@MnL_!JLY1unP7;3;NPL%2koml>v*O;aiXU;vD8ASm5E0bj|YdROVZpc*LPP45d%((jZk0+1tnw^0bP3>S6;UB2xi?4qVVty79R}P#; z3+kS{`1kkvUwhz*B;BT^rENL7iy4(`)zxT&Ff(U@T83sGD&Oi|p#>FufCZ+-z^Z?0!xZMB#-TyO>zvB4~&#N#q{e!;ypLxl@ z|E?dI36UquCJE zjRg7L;Yhl%GxzIG7rhtX-?_a8%UUe{Nt@!63L{rpo9V6~0rxo`m<|UjCH>21dR<3u zy6pEIV-KmurTT@PD(*I`?%YmdGMd^DJo=|=&hLa7R+z_qO50}0q1;h_b|Dj*? z_g(t`6;A$7&u-rHi+kv(z4eNnJrXq4uWH;~lK}F=BFQopF@T#d#m~S)ayjwK>u-nm z5BEN4ssyus%wCwtPFCbBw7Y3x?$Lfg1LHH zM5Mfy$?wfu)p~5-aB~~a2>xd>%bdmn#rSE`#Y|?8d@L6iCwo}1Zrkjv%euhq-B}>x z?U8gjON%L?2 z+181!!#SM%Nx2pNC5`T{zpAiwH@O_WpRBZDprfZ7*mOMU7AP7Q!~oiO$$^kL^mRvq?~O;H8dzfNWxsYC1#g(6Txfch5B*;HMBBlaESFPQ* zcXq7bvHGQB^_haBV;&CIW*cp~Gvc@&TJm*qUgJ7UALQ)wfK01gE2ZR zmNIir?7E+&9+fo|(G#!!g=Tby*YkchVqLrrVVl-lNYeQ#Lckoxf1|i!X{1{F6{iLI z#S-(;%do-S5d=;ShOCEJm#$M)V!eoY>GI=-Xn2TAGNWJxZZriX zr@?OrYo$*lbNY>gRbGtAUR<1PC9LSxpDK_~7tB{EVD(4fa$LmM+7|nI3-j%K|9F4Z ziMg)aE%(!Bx8*zc7%!>Z6fwpd=wqz`YxVl|sJJ+@Dnl?~^3rSo*ya{<_qjZ~`!9e7 zAQ5_SYZTvcRw-AJ5*Vv7TpIGm=;-Lkwzjr9&9&T?dlwt+qJ8w8lA7On+4#sg%JE`% z7gnxVY}I{C;jw#euFpHMzch8g;el#0)~sK=^btg)^{3X33W=$@Nhw>N%V4F+f6kR@9~6B_5YD>sy}#T%F)1n#(wOzcokZY^dXFXIo~AUSa(aO z9bs@BB`X^?n2ijp3ME%Ood_k>+A*2<=nQ{Vi=*mY*!>Ch&SJfeEkDoJ_N-Zbg!d)3 znKz}q?|iQQjo_}1$e_2JG+T1nx&T3VaLW%bp_6*QF83SI^L}A1k&XK8_y^R>n0w@x zfOq17R{GjLYHhwhCjFyG!1`HW^h^K5iwV>(awSQ{%$0TT*I%^R94Bd9JM4Jg%*>Jw zbl7WlE=U+O$~l^X^dz3LZuqn1I{cxj$wD}l{!C-y363}Cj=JghyWEP>S^2(hl3ylv zFej|a+UB>D1-HlwRNEWJQu)o9dcF2iEA9Qg*HKJLSJ%q>(t=A)LLaEEC$l^9LE?A( zAU-`=21?=QG&K5He4xAcy})R~9VqN9#a??PGj9HK_-Z2y(jJW@m-S z1eb1fnGO3}An}0?s+I?s;3PF39r`}q4tBD)qEh;v;ba$UrfDnf0lH_T;kJx{@F z59+jx?aPiJ)u()=5z~__<2dcBZCn+mtB;<%hd0`^1fK74j+B@iJjI-QQ^2OGIVgHj)6aOY5uW6z;n#pM{t6JtFj4m;ENw2+d-%g-;c#Y@*m~(dBXSdR9VvHmj zVVZk4oZ@2V!`#x*tJU4jn&a?CZ`LY~hk|`Cs@Qq0s>Kc(M{30gkWR&s5P!+}SCcL| zfk-sbcjup^?60GAN*b`KICxd-NSUgSIWoPtF;0m@%zq>u8g8VBS*;;^_wb(o8M7Vv zEOb6I3}2}Hpgv`{romo5wEh*ZIIDJVc^HvepHDAyQM$vLi$lZEQJNUA(#bd9^I>k6 z8K>}v3tm?yYmHy|%}@ts`uU+(sNuaP&!B1FBeuzMKoTOQ8kU!6@CxA=8}(WR7C%*e zEsIOVvNcJ$Go^Tc-cH--)cnTNHl8Vl#Z(y*{)`EjqJU~>Q1)x)suUx6+s9IX_r$d} zd0h89DW*2-A?Ze98Jay8YHdKk^ZHn`Nb4OVrt4N~WMZP6@9}VI)FZclutEKwpe&72s1`qr(2cwLh%GT(%0>d_l|5PaXr#neSUcj2T?w0A-q{_`gV))&n zQ<{bv9Q*0V%a=86jwadBFg0>4#tbbod4AH=B+o`U0GE)m61H6|T#k_r&EJA@1 z!lbV%?lWanxUbFCI+Q)*^+*L1F_&hdsxHb(oB1FDjV{)$Wq7+5sdrK&L>TQ5&Gh2> zXdrT`P*P%7Dl>_!?4!st=2peVEx&JjM$@^rL)_G7{TlUeeiT@9$kxDL6JPtqhzT+j zJPu8J-w6>P7`FdCL8RARwS+Ewovn-fC@kr6@A-;GRunU^*HBMnIh=qzdmg^^mWe6+ zeNk{d{p7Rd2fz=4+&_dlqOJX>5q-X>PJ?k6q^D;{$F;K6{z-*5H&pjLWer}sp5)l| zb1V<#iZ^AP<;Yt1@g?(-tzMm4SBA}#0YJTf{P+6Ne_d1gzdfrap7uJpW@$;3t_v8# zYXu>!&R%@)?(auLx%*>uHCC+$(s0VMr?jS!soqk;$qp$nt(l)w<|jE*uZrD09)LoC z=9h_z&BAE-=7)C;R_|<@D|~&EHCU&tS}Xj~EP|7RZ&-wazpErnZWs8aUNDU~%v_?G zpGm}(M%`4hceN<3XXql!J*qT=WiE(S+hv+Itx%Q0F|1lr`8bx1ig<9r6Q>-FwIMSk zT$kDNq&U8K8>UkmvAs``^^>L||6OJp9j`q;cB_14O+LOIyV0M!K~j``q@)9d{e4*x*n5@g2kVv?lD*npD@*Nd6AAsan z>DpKMLOh^zopBNnOD#_K`=5HETUXa9Yegz1{19->~W_Wc49(lSbMSf1(+gXH7 zDo+<%mnS9Wn#(G=N3B4ZIuPZ_o=c%mCk|G}#mO}xX)RH^_gnk$aU`Y}aaQWw>kt7^ zc%(n?_|?=QZWyCwLlZbML%5P5mQ}Oc!H1t))N1Eqny!rzoMay-zR}OUp4tE@?=(UP zHD{#?qDwX!54k66i*+AIKo;Oj=*SzPwLC8mGAqWIm$lE=+MS9jTT~3+;~@&j`CMN0 zdhFfi?Aiv#NFifB2b|VARbTN}Q4#@o2hgA-TuEK&f+1Q&$wddA`Bv-(YME!FJkk0c zeiFbpW7i&vJG$DWxAlI{GpQ@~>*ZTTx+ueBpIJE!{<+_(pi_42(n>l`d2KhttD z!w&aV$-D<2LUqR;i{W}J`%t&u4rDavvV>D0-sgK;4<|bYzi*QA{&N1gFeZ#RPdyu| z@u)agYZMc*65AhnG*R)c`34zRkyoG7pMjq-U;b}f>%W;Ji$8md+_zsSQq9HZv?fzi znW}MQh>nitb*QTn zr)CkGI_+OV*Mh{e>DseYSWJ1oX-d!Z>Ayd7UY>5dgJQaM?KpKJ@udC3gJUhDAtH~`??OJkB+gQ zSfTbb?f9kH_HXx#{J*!8vSWvF-<$?%MQ|nY^QUP+n?wbn+vpD})1DW}ka;fHgeZZa zYn{UMx#?czLr19bHR9Sa7@7&?Gi6O0@I0;Sj-CMhq~S-#;2ac!r8n~!2N*G(u6?;r z*M5MTBK|D~gu<=0L~Sol`ZeNUpYFI;Z+^g- zFlU7(Tr07ss4?2H@YsnL4l1fN8kU77C%tqy<=j0UKIj&R5GWEq9m;g|H(r{yp$`9yXEwotl6o!wWFk{@ID@g{bG$!flQx=8 zpHCeRI2lT4%_haT*X;>1XW7ci1({FIY^2R)TvhJj};aL_y%4dVHnHPczS!=FvJDC*`8l6W1>fPa9~qQ0et8akU;3W<&uq6O+m(!n2|gyM+$I%N}Jkm`hgYpxp8+tVP10Bx@@+ zmBuLX<_n)e>9gTO>NK!r_Rp{HL^+V^D5cO>tFdegvmiSR`Pq`&+F2L0>fGmDtGC-czCyKwGo ziPC#Xevm5#vRy?_>dn@>K47LA%j<`S;i_NQgM_?U)s&q&>p5e}^Ez~M6_4y>6z?&W zTcfm!tpu&)g)K&^(>r7n$JWzGQ{&$Gm)v{4>aseilXE*f9{z{j#2tN19|M4uN_Z&I zs;ooOejjt{FqXPUvqGlHrl}+7m)p2XaUwV=3?4mV|5f(dY6V|ZZsM6x!hBFG`PcT+ z_{LH4+}HXa+_jXEm6yVD?ET06eguFafC_v!4&T?&Nm*^Mn61?c>xaGCnSojJbDmH8ud0 zoAiD!iAqYJz7hHnc_o6+bkRxY6&9E9E-w}S^A}ul_&PV+j`qYEX6;@TapjA(^G7ht@*WvuA~=di-iaj2Gv~V-tVw_PlLWW zvN$cf!t;3%JTD3Qnoi$qA1wLVk2YM~%D+3EAK*$Ys*pXIu~n?`A}{%P`$nM{~q4PbYp6M|C1Aj|E)Uh_cf>nyl&)Y zpTpUkd>*@bcctdpvg7!D`|czfvZN-$7JLq@YYdeO;i3|>ibnn_xln{du)<&n;ALCB z7OruN+iQ=poyeerrcTu{&uF9Xm>N$K2WTC|Mc>bKE*LdnY1Z)E*{8b2*l2U4K_*a+ z2(d-e=4~bn^c1gl-ua=3p#4Gj-LTkVOC##6n;n5?+hPR3;D~s{yP1^jokCeJUBA-J z?(_C_-@p`)vxC(tULtF@pHcopYfxzOvup74ypGiv34{UsMie7W4QF?TY7E7BvPd7H`#(%lFBs=R~Q*7MI;TY_yC#a1iTPpd3FOs(g%I6;l|sX zLP-wu>NMZKhZ{!8d|P>XJ_LmuWg6bE|D1FsO~j1eu%rYj-q5AwEcW75wE*c#+-%hZKP3n3$e7 zxs*RxKN7Bs)~TwpO(0Z>craL+o^0+=+h7Z%jiN=glrT99ssaJQJ%WBo^?H*!7L_A@ zDtV*FD=$j(;XLI1vd98{9SSux$(Az(Nh0#ac^5GCII7*HdQe(>0#m2u%!D~VycmOA zNV>r?!E&`(LUPc*oz+yovmxjfk{y>g2zUH3ROxLLkJ%Bf>U???IL_xLB~jF#?W1sm z=J!tu0lx@Li;UX?5Qne!Xff?s>GN=!|6ZH;zs6lZ@@3M{PI__hin)Bd++-KB(E<~M z9mCKs%89u+I}5#MER!_Qim6o1x7|K%KOC+Xf%*&~R91BgQ4w1p+I`WI$QRjOj$c|vl;rwB1xCp+p#1kV zWnxjrZJg^WqtOq+k51`!OxxQDXr7-wg7?jr%MQPt)n@0oZ-rkRB@+fiPUk53C`vWR z`^qvLN^nevIb8*1GjU}@2dkU?(-WnlC~oV?CD7mGE^bM9_jK$HE#A6UF=_%ADy(H` zxS{=%E7{W@9S+msf%cM(SN=pNp?)ikDB4a9@@b~Bw@>zUjv;8Y6F!Bdzq@jUMovat zR4s+w6dz2qNx9T;9v{w!2XbfF*8(0)_s3#(s(1gAE~skc2ffVEpTB{15d2XtCmS?F zF3o=4!9+!o3387~xyBgwa+yDX7~Lm0sbg|{clkYYx9ofWo59xh&o=AGsdI^gkwnbq z;tr-^%VMOud;+w=s@n6rAIi7$7cEB13F6C#=1D&CIe(HJm%={pO>60Cim!&4-|Z(f|?jfyMQ)n5VS&yPneq z%e9mZjYrAo6_iSFS`0-=hSUv_08!{kI~Y3GJ9nqV5g@(6fwIWtRLa)9BDn6FBdgcnt|pkzO_SPgrxH<{aPLt5R9+1mA)A?2k&|67lcLsVtxNPYMFo4 z%OZ8OpQOq1!~@Es`?mSZz1GvC_65hwr`_bZ6J0um(0611*X2 zznT&oLcE20J4S`}nyd%OmlfMlB0_)g3?`)QL^J z_-u%Sg6Ortv?~2{YIoD6!=2ETHUZIAAWZHI#Glw$hyAS%$KRj0YADLj$mw*Cx3s@# zPg6ZCV!i~fJ(;v~E@x3*=sT0LHj<(4$s7t9ciA9C%fB05_8-Y_7h#5}*V&BZnGZ~E zlo|aD#l1R1DP{s1W&aC$_o%Jqf9L&%Cin&6{@6aj_?J+839Vv4s>a zaeGm~v^IH(7dE2p75nR0&!>Wx1s8NJVn-8o;45U+Q~~<7$KloA7QIhvE2<&rk=AW1 zqJU9V7P~(pDeA?R8|mSO@88f`*1$u;egMatKdwzDl$VN*s2Gh#MKGtNJpxbk zUvp|jh=>CUm2qcxcP1ck1>a*{T%T!51&ERnkES*Rw!RCBpF%_qO%Q}Zzu zPDDmZ>G@QSbVs23{F=)z8{Mzo(DqL!d37zT7fZJtY5j~L);L&wp=tKOq~hwG<^pCR zim3Fw(($qP>Vuk5OWaujo3&Jqu2|J>E>VE68Jcpr4Nk{7OP~w088jm=%98k*lggiA z*G0(7%eyhffa`Zp5F7Gg+q}ks=!Ca#Nxri68gM8^*d|-gZ=Tm*Jzhs~YFtbogy+Lw z{2L9T5~7GOu!=Un_Fn!%KGVrv8Hi|Esq_~ciKL6XS6*CrzwOKKGoRH|Ao5W)(i>q2 z)AOh#(sy4Kd?I)3k9{kWE}Ue9;T*l3BXH@Uz{!*$>}fX;8~oe$h&7FU_KTuU`0MAKTWX=O6z7+ltnj>oLA3x3{S47D!-b zzc^h{4x6_g(7_zh8x@f zkyfmBf6@|`(b>7r<&jTd@;^(}|KYa^g#Ct@Eq(!esHFgEpKlXdvs`R!%3qRG0E1RV zLxY6V?0)4!LSmw&_9LgoP|lt^X$9o$K3~bQXj-MrXV!7yJcNHno7kO&n{D(ov(~1f z-%!^JNnOK~#fvSuqT2LcDY(%aaBJuU5!-uN4L|)v<#tLhSEJctJ7uQ1KX=$|%VR(b zZU0H*srq`j4PGsX9pdJ>5cgF`_&D zz4RTe-wlh4fli>_1syy&Ansb&{m`oGQeg@y-P^)&>xvKv9Wk$jpV{>N`Nra2q0`~uD)HiN3PfA)j(+6knHfZ`<}u!cI!yb>&31GmjmNDwiS-GLwub{35^t2eZV)btH*rIQdv(nf0$ODSd_fF)TMkn=_qu1B=E$=Xd#2ag7 zY&=#v2Vw?+lLP-^3)RO?9mFa*bkyo;<;LcKbCuY^IZk1=>G*cg735B6urs=? z_oD_{LVr(-HLb|2E#AmPO%lZt6*Hm#Wumz&{1+uFKYjgno(|ojbWC!IUIe&W;_L7I z@pkvbbkd)fOV=L50v=)Fh0qW4tHW!NayqJB$cEb+Dn4Kcj=f{<_UX+_M9Je8WZ zq9@C>d7+|1MzJy&B|-HsIe!ymo@BJ@+Bg7CE%4n;2Ii570$QXl=`=7h?`Bld$596l#jwY8Iqns)gQaX|#&39tJ(Gg!UK#xuF0>^z z%tp?As6v(qX}?Y!TT4^0bkWk*dTN7SAhdAlHURb9V55~>B44hq_hm7#>GSi!{7Q$d z8;9Tz?*%j|XIldfdvnqfh!g@9qk4`@wIZe|wzX)!4cGjcpo#*(W8G+Mw zRC66iqVh{rM7-=8AEJD+`N#pjR#lF@@lb)^#oGGFbAQESt{MeRl!3fR8e6i;@$Wkz z(0~K%fYc48QtWP`uj}=-=?Dgh+0K_+)b;1t6x2CwwW=ie1|Dl#UCUD`vf)&jLZ9mV zjkOyGim#D>7o{=$-LX~fq&(|02}~Y=KCX0#8tUw-e-oeb1wy0|lyhZmr`WQB1o^qT zszaGc24=TzTEz%~@>E9Q#_7$n*9Nk|^2?K`Mx1M;Db_!>3m!hZ(_f^Snx-gtbMj$a zK(Z^Z^)0Ot2+JLv(v9&<>b+Ir@3LVJ2Z!8K2Z|wP@)rW|5nXF~8B$(BL;E$e6`myvV{g zZTW)PF>CP`uGqT=(Yb?XsK9q=T@F?;NY7TwX|GI?A zQ$+>e*}%t6?VmIYl`onaJPBgT>j|!$;y%9h;Ae*@4h|t5y@rYu(a>#0hR6p=J$cqv z@{=-i#^23{Ig;BZE8+GJ67QozmT2>2Xp;++#aqZFZ3aJ(-p|ha@Z^?Y$C=%SX3UkF zHAV-}+U|AUIxM{V*RP%4q@(GR%UM%vzl58-hyC8k447;q$MyzTQv;zsc8>ZLIQdt` zS8n+7mAr`5KAhZ^R>bt^lB?uSaam0ho*iRv3WZiLHxp`_=u~;99g?QNjrkS}># z_xc+J_)3bD7S|-I?0f$d4y()D-wZW4vl0-TJz&E`XqV-dF$$%2VfBIjMKL+g?WKqJ z=Bm@yU}n4GTNY$RltqHJWxi+P0Yb72y+D8Qj#?@q`t6Y7^Wqvn@o6a~7X=o^^)8vozZJNIX%D@jzDKF47Lo zJmoz?FO0MsboItS&dSu%jBS1|Bmo;Gv(*NLP{>D-l`*OvowL4Qhnd2i7h!TYN}v_5 zY{MRhpFeBd<#t_&9^Iv;K<)}tg~UQ@96Bu{l7yg3mVLW{Tk*nYIxdqHeaj@sDKATb z{ooDL?pJ{+4Ib@zY}_X05*wZ_8y$G7kjaXoHp*xxfdMD2x#ZCJn6)HBWU+?9hZ5;O?-yhT=vE9|8Vx+0lj(T;<~xoU7Mv z-G3tT;lKZYC-Yh@{J`AO($WZcTP!_6FM8j(j^X0sYMW~fHUegTy@|0=2FHtA!}yLj z`ARR|7D1~R5qVj=EnCBP_6-^g#rUpp^5&PZYdXko>@w)vXd<0AY=TbO1xGX1Xy$Ws z-Z0uIZ(Ursv_RpL$tiwSP^@0-soD*l9M?raP}0pg2E~HRaJi0 zHXV0nRb!Yh2!)RWPUdd-=oH=gV#5uOVYHf2tJAU4)InxKR(5%(n@K`slNyVVI z+8Jlrqn{a$Mbwk9zJ@qcyFU^B*1stB9TbF#%?`CTJd3D!;O0lFIegv)NGUkhWdqt z8hiJxuRm>KGu2tX`8ce^vh#Fe@N{INhnDhom%=fv=m@Jq;(#GF`+SwNLCxW)o8$T} zJR!QOG0r@HelN?Nr)*NCo<+lpU4Ct^bH8f#~vEEz8|P{h8m*7 zslqV%M37*;ikwCgBija6xD_8&$Vk2QgXc+=mgvEedZzaRybSBd(`RLc_HTk~vwj26 zv(?k0y~O2DR^(yojdni4jp!LX)oH2~YMbG#aku|@s!AYCEqva-$dUUYPLbJivIw zs3@>oGMU&$MrNXFse0_YE6=vMOMv0%fyzD|`#^CrWTsADFMAy`iBb{l+L~ZRPA^Uh z+Z{w5Zlnr7CP&(YH7INlpDFgPMP_yH6`Qu{y>yj1ZoisvF)s4mcR3w9ocqpnlBAYl zMl-pFg_7-+N3x?0e5J6-_K4=%MAx&x<2{IP-c#;sggt7pKBWdHtA@Bl@WNQW`ozF! zBc%;JXLZ~W(Y&?2D>WCPmT0Isyq?@zFsV5mwh_KWv|+ghh3@>t7`sk!&RX#md z{6%5KaQl$DErGcGV;t17&TAH}_IsNM^3f>rV7}FqIw&^9yISJl_WU_r%nP@433nB{ zKLdVl$9}2e4;IiVE1|JDZJ%7H9`M7*h^kY5s zSd~X>MjSiM#mJ&VT+F=Q8>+?;Q(mt;%*A5|Wui}Ex-$1&(k*+t;4_5|UW*RcVrYW^ zccPC$q-$=~3Q$Uh0)a$(mQ17}uqhoJ8HqYbVc2kcP!FilBh|oZ#|Q{2VfS*w{`&{n z-%dTAPuFTkMn)piw9$nzAlKD5fO$!-yVMtx`EFte4H}F zAmpT@iy{{4o~;>zp^{-)aET;*Gyff|JC^W_j0=__b#8=b$vNgsr>(|`%^c`?m9om z()jQHTfhtON>;?XOPiZa`M3Ad`uP2QeyeTCs2$g`R(*dLJMsDJl7u|hu=Gj6aSzV@ z-Y5Kg-t|wZwfXP&g*1HX`*DDM*Yc+Kzg+sS*zTNF_P+P_zgOwY{}e|mG+qu}u=T(l zFWb)x66JgM|F|umwtTkz@0S&+&ysKMIdW1sL)YN@leMd=(!Z^n|6}j(D_hNvF1M== zzUOjs<(bvf_0MQ$=cfTrwz#-9db_}k+i`|(Nvz#L1^7zkfRzXCr`sKmrn+? zZmyLI1!){Qu^*gN>h+kG?`|mH`^Va*;6-ZT&(Qjqk_Xe5+s171V`U`*jSfRb>{mi|iOTNVvOfWb0geMt8oPCMTcvX2&a(373h9$rPJ<;HnNU zxx);kNBM&ip%<5z_X`*MFX#QLgU~O;=(zPBGs*2)g@CMglv(sN9yheH^2BxB^!a#E@vyBDe6&+cOkc|xo?r7b!@m5E6 zCFu!b#T=kHry^%}l99lX9KN87mE~F3$7hjNq&or0meLcvXZ$LY`>;yrshE;ZK^uA$~w}o~}6y+`>vp00kTc z78$E6KI_b-$QXywq6csEjTSw4bDx&_1>gnR&;FkBO{cK#Vq|(M`r_{H@=A6cqg($O XXZV*li}p{nWB>wBS3j3^P6H10M=NZ{B=(|K`o}4-R%_AZt@Jw0A+#5bO`C2vT2^2mB3&pZ|vp zfAZkxiD)X41kw=?(;ojqOKp#Rq_*9=gj<9~NLa9;BGn?R%aZoJ4CkebeuT8NHW^-8 z+9CTZ|5>l2xdd0Uf$L_$v#a&rsJ?6S0W4qn#o!LaD=gm!%2_Y^V3CAG6kUJtF<2$; z;T~pu2CHxi^YGw2=W4vs7n{QxYNu=U19%eQ?@P|DYYA2H8 zLYJVF+WrU1)j>4#<(0x0;_v&{_Z5?tQtvDNHsOgq4#GK-jQs~KseM)U7y5I~N5XU= zkRRaA%rf_Zmm|CbIewT?*vA43hn0fH}r~!^F|E4#tyYT4oO1LjD^N; zD)vII9jM7L6x&lo8RD6|)O)7KsFEPhcQ9`y-N!G@m6sYKK%|G+mhlV3aXu?NM;Qk8 za8?C^b$RaOEy|bSkzyPc@sa*b4%D9*7>(kwRFd~WF|79^*A;%bm1f7W#O1z@A!Vx0 z#t}F?pJXB&g8!!f5zko6#wPN)vrEnv(%rgZPWb&w#QgB0_cDU!8anyy8FH>K3daXb zUBi8XC$$|HJNyJ}4h%@};9Lu)`o$dGNqHPMYv^h$s>Y1KL)G&)oijp)pI)6q>Sxgqe; zb>|NoxHsAiURPHag}Jr&D%x+62WZMd#>Ts75~cXQe19U}mt|Q;y57I{UE=~d+ z|NOz!LZetf)APmNM@N5-DdnqGg0nAy+l}_PjUmfAz1=bKcm!!4>UOfYL8{V z=zQ&cLz3G2fj5Uijb)QBkBry<;zws%uEjr77&~81Wn|L88<`ut8*Ceoo#^Wx&VFeM z-F-ul-fZ0cgzbl5=hL>9_K&|fp|5IVY2^jiSl5`du(^Ga-#d&DS`1@^Tj8M{Sw@;h z)gRA3S(QRc^e4QxaUKT3|HLip+0zKHvlBr=roRdY)PLXV#9t6wB-yWXqiEm|d&tph z_lImTe2HVB{(xiO7!$YU`+__U&HjBBoM{{x90h+}fArQT%5mK<>K@a5&uu?xH!{LM zU_RhHX#Dc!OVgLgR!^+dR-tc3--vL>NiK-RBGulRz2Hz0dH;4wHt)GUt?2Vc#>k#d z69R{4f{_i;deTjj-m*6t@6;>QR$d;Gj5EhDk1@HhG%3@*e9BZBP0D1-Lc)}&QJ2Xh zMf2eYlL0ZiDSl?u@Vi=>r^;E(x-5Y&&0pFni{;H^U8!JY8x<_2w`%q%3l=y?XC?=y zk$-5+5!rmZNw}%LiH0v{JS@2luTt%#!IFbgnm@~N195C~ zta@C3%waiYY0c|5WmZXEX3q^*seEWvX%%X*WpN1#sXVhV9HJUd-E!N= z*d*T68+})WhI)G#5HOMYv)d~IZn*9=vg$u8m#!ts^Hc`+hvny ztnWyzLs&yBL&W6jOe0qRfx1Ka9UrW>_fK+WI}fBYu&ED{h^c2meT;Dy!@+U))CXXxIU}iuwGbQ!*A$smRJuH+vfZxmhqDat73{a zww9d~-QxNr;qk`4>$pHa?D_PWWvuC_#9pyZ?`6;`(}BpA;O6Rf<49(Ym3(~)=R9+85O~zLed%iO5GD$PNk>vOkv~QE=v*|Z7R1r}T zTyb!`aXj_F^R49D^mo!x43^qyl*ZYj7U#Cm=^Su;)ZP=l{{Shvz!ectkP^Nm#s zZ;(~|IC(+8ws6USo&Ku((nZBdvu(-Lhmys%&W%t7!70HlhYO$m%TysvPR(B)c9GDm zd*W$6#5WVAlP*U|{qslXVE)6x!;r&f+eMq&gUA!54)IVsg{i61{!i04I}d$FJm7A{2zx{f<>RIfDy zdn2oHm8I=WwM^xrjnzk$3)83b7A>_;7D~^J6T2G2`A4)yp5}Mn%JX-ITS@oxqCL>Z8j_)SXkRSfP^kXRyj!4j|ZZYG)0?t zFb*UKz8!>2lF6_Kap3DKHqFd8)F6kVV_95v)~cQK@EhE(Ejvk*Iv`6ib@$8|GULsC)w zPuIQqkmhlZWFOS(*JEruYBSMi9u>QsYxZ+Qy^(3zI!aJ)?(4#;@zgWVWLLw>@_qC0 z3-EQZ59H>?`T4pa5R_uhbw)f2HF4Rw(jO--dSgu; z_LRzv1uT4H3-t&+Bca|F;|cc<6SDDAgZ(W z{N|~{&3}Z4)IQ!_dFd-jtSF1IppS*NqJ@@|*nL&<(K0EC*kY6VEen3;vYD5v2SQp zxvva2Z`N@c(x&`;iclCYx^YH4WMiQ~`YK?m_1;WD0gV}WkAsFD2tvaI-k}38a^QuA zhLM8tKYw{pmvZla-s9dT!)OczDSc>Y5@_$GUaPsGZ_i@?erAfq-alg}dF&oI_y&?f zjQEc6ZViGA#>DO1-IPdI+Gw7bn{$x(`HNs|MPDwc)^uTM(GW^AY0yFfPo#~vi zyY{T^UV2Y#N4d_$A$Pau3}OwF;t3e}c-VL{_&}IAk1XU;Qd2oc`S~&f0T~Lhc%hA(S zxa%$^j{l!yoErH;rIX3>zqsGE7zq?Pmi}5yf^a40j zqyc`HWJ&^7mZIIe$SpN{gqc|z(Op+1!H9*aFLd9W8{;VcPgE{`u5Ek-wBfW)(BRI- zK#%?!(sXPoJTAuasA#rZP95x?x=Oz7Vpn1N*W!In>_DdogtB!d^MOQcS;w(hQ zW)q@dj>?SR4&P?7Q{wYaObJ(ozq^^4CcP#;nv!@yj7 z?Z>1_p)y+$phyi?h%tJ~lVV6dA&ysVLIWA72w>gjDs1A+e+iH9oN{_Q$amL^Z3tt0 zVfR|Ebjk9PfBuC&a!ZKJA!w8BEA}Z=lD$$tkI&iNn5sc}HB(L-|E}ilXFvy7gq49T zqvXdd2{q-X;^2!uEXvqmU#RET3+Im^VXld@vfPyO>1=n38Mg<2G#`5Ntuwx<>E-_==D%CX5ZH()>fP%|9;5Zl6L} z5@bAhXDRqf*r=)!VPRmp2mOgs^w(RX;5mE4VE>?%y>W%siTtj{5Q`6Z%jBPOCcmT? zuSE0LxEh;EH{Xy8r0|{iN66X#v1hfHC%mEZmE`=jk&I!b4(%s=C@Ee_4Hj0#8(1FlmqJ3fe9Ckg>Mv;56H@~ zRjN%Hhl}d$4R%51d{Eb*8|1o@RdJ&WH6+&l!mjZ|gPhw;o;k@_s3_UupkdZ!dNurM zqxns3+e6_fGutNQ+OU&S()s75W3_(W+NvrBHXaj+Y(@GnZ0R!LiiA$NSd*EaqsB9~a^@OC{qp^g+kr6&Ia(fFsN)Gi7qyoXxrx=gg^y zy~Wg7B77ZtNa`1h)7gH=4HGH%R9A=F7esDt=5OlSWGiEPbBGG9{j8WNS%s@NU)WS8 zoSb_*JF5<_SEJ;;e;dw#$B%umDRqR_PRF8!PFjM_C(lMAl`=F9yg5Uu#o5`)y3;_T zi}~3k8hT9mZfe(;CKtyb#Lqw~dAo)K_q_akIVfwr9^Zf^2v|R2A2vpof9J@><&t}^>1rM4JDPCT)qNK$?4gS@U-E>qblyJXR$ zo8+krZcy^xuHi|QjkCzb_cvVY5bkB^VKAA&um(T$ZgFJ=<9fX#LQZXM&zO}dUVXXp`s8XGM$26IqJlA z!bFfyj7K-Z<*?FS(Zi6i5^e-mMgT^_KlAww)47Vgq3f(O_<7cbc>cP;7?Y|h=~A3J zY;(N%a#t8}eKs$5?;oe4JcSdF_;OJSa`L02;70HB#Xu5aJ3D>pE-{{?b7SM-T65G3 zh2O7IJG2R&yn1#03J=$&W~h^GjMs2~UHnE&-*rblH#IdCnJ2Qrbs;0Oo|;F>lECI> zvz?Df!-FZn#LukDd6}rqQTGTG^9!5ahB&X{QGw4}j?3`|-V-{3<^tGDB!pH5>GE;= zMXpztnOcR1V)Sjbj#7nq#o6l_jQeniZdN+7&l z0xm0)^YU_jAMyHLUa^Yu6H*fGV5D;T+f28LFM3oGi^sKl;2-?vYv;PdL%E|!!RzhhtV$uR)eOB)eRKqws!Bpdp2{6g zm|O!w*DDn#+0_b{JE*o`=T+`;)S4#3mH#RW`2TT&UDMCE)J_r?yJy}JVvYUgEMw6y zsgoGGhr&6;>`aDaaL$4IT~tYm0tiNMN8H+$@l6tHCfeJ5;AvrDFGMZXr>2qNk_(X>IjAe#jB+9pZ4G zg5OPOXsGCEry>nxlOwc=$|dNJEV!E!#gTlCe0tKLsiqZ^;gQ6dP{;-%Cn{h zmOzbM+WU*~-lgmIKf5?tQqD0Jghql#ecUX}H5Kc`*L07FQXx+mzpzU?$3DrPBJBbk zpipCPhfLkF(@b3{ZB!v{7(rx1<)96YUIYbFy2=u6xLsG4B79JdjI-`g!=nQfGJJYi zX!4M)>Pju-nwOx~x^#66RL)i<%TnB6>CT-0-Jxs8M=9K!_(|>gI$1_|=((GYQ4qcE z4|r6gtCGlWw@SC^0T3=Osog#VF9$Ezu8@&sKny%-ik~>Pmda#>_<$A2Mch7j2-qvG z(m*I(t|YztltWi*&65@Q4Sa0eFLD`=Yz736Mw}Ko*p))q>$Ezata5kQ%a|s7f);;h z%F|SAKAWot9j?4b)^=>A-YJFe^YYuK=GdF)-*eoI_@*bsuJ5nkn_nYk3Q4Pz>yr8H zTJ@43M`|?&xY;u4?##;apam!*JK129;u8d%JIb%&YV2ZTqp&$%oVBSM;wwk!5EMFv zR||aO*2ec8W}U~QHKdyl?d4deV!s=Q8IR*QefvYNy^&$D8ysSF#PS4 z72|Z?9N{?~)jaI5DyY@S%RQL0vNcJ%OWm7tiREt63kdOu!_)9Vy;L_na~&}obFEVb z$*5s4018jK*q+%~sR%P(%}IHbL_& zcDP0M#a=VYzmD06{GoH{!aHtU+j zNae%owcm0{IVmzas_;Hs{M4cj)r87An@c1-wy^Qt;0Gk*XjMu|$Y`1NAvu#>zL z*01$s4?aWE^+P1bwqB{2nGq7=LZz)kHEyiCGijd0T&TmJFA3Mk2R3vL5tN<*I^#fo zQ&Ur6QMn$Ku|hm?u|0rkr7MY;RTdvCcV-4syFagIr|!S3=G|D?7L5+qBsF0^C4||i zy9TXxn74gBLvi?o!#0I}oO%Bcbl&W9{LN+RaB~yJIVF^B3Ck>WtoVHgqj*(}d%Oq2 zW?$jDEPhAm67)0JlD)$bTnU++SA{)EZHSjsGtXrxDFYI_;~!s>`_psEQsg%0i!bDL z!K2YQHBy778f>ks2NwCE&jh&$TBUd)I9=_Ix{GmZ#_gp_33C&k_SOCKNSN?2%*Vx> zYQ>@{QeVcKp7Qg;YcN*C+Ey^KhVVvH)9@#I^Y#+)r|3gcb)lxiQM-&{?;VQO5IMMg z+m*VeK@5BSdD?d8dGBXvFiYX@)AO}C(28w6wx3y|wwrT3nKwxW|M)Hp9)OXYwwY(t^ix?2t z$snydh^yRlJyV*$8mlhH72|GWoWJVS94?26=vya=qxOCGV%7+RR%9mmE~D0rX)n6m zpzNAp(WaZJ36rBybjOi@XVj80nDb zifTVW*4FY{1>9-RpJ~)xy_?w0`>LEA{*Ye|Rc3>bYU{^}37f{KaXXRm#Ky zL31ZtNzEGTgB0Jdgmcf z7BN*J2lmX@@^?v$fGRE=w+^S)X*POPvz5Ji&fV(1P5XC3CMvI7bqXhhrmiZlod1Vl zQuOFk0CL-Hy4-bn!(Qs8JZgG2Ywph@^wkb z-t2KYFx52YAB4?YHixi_aOfX~Bv;n4=Y9MgGrMwgzHB_K-1R%+AAEAXO|q7l>#~Hs z^x^kbJF5@_dB$WnYwxd~n6k9*hKBe)wVo5d{+ZJ`+#q^2_!R^QOjc9ROJ7F}PlLyf zaR2*Bf19v$vyb_xe%h~2-sUFGLN(HYmt&~YIzu3(5=)IObPID7-}}vdxG6|>b5%Cd zjQT;XP@Wex)Uer!wVoJF8~fNMys;@!tQp>i%SdSZatfEFNKL-#qMTS&_kvuo+DkLd5GdM@;a9w;hN)s>WdGBIin5=p7 zS-Hx2>cmFC{7oIPL(tiLk>QQylqaP)dkarrG{)T zW=}FBpe3K6*^Q@j{DqaLUBiF;?!oT?L0x|zUVdcb14eKRyCh%h)kmuab0&z-dvE>N zq)nbazyl@hR4K6(Rj82ax$!1?oFbUM@Bq0c6CV6(X}EX49hv;7 zO<-O{cD%JQ+-uPyYV<$DR`_wR=%{s&6^YNMRYYm`H`V#(9`wu?zE6-4bii0I8$C* z#b|IaTj|YC^<3V@=~w~~XO;0Y8>>c!^=)M$EE#PZZl+YmtHSstNjVzNCFkra zN5>0r=GwQME^@`$zvn0bOrsYk>+t0+w+Di7 zG)ZV6IR$0&Hz>&1z#PAF?b^>kYWZg5$tZHyu5q;(foC|y%l5M|43Dkiv(Rq4>d`9U zm!M#-p)j%C43*5}Xbl5iLsB0piJjlv=Evd4{_1nJ;5_lK|2&ipH&Op=+kCPnvf^-U z=N%oR?J`+`Fw=coP0H3PF+{3ok=g*;jB~8vDEadRc{uP}t|?XgE`?yDJb-KbnVM^U zAU{4CqyOWiMJ8iP|P6|%`OifJr1Rk4{pK;LouHkMCTQFi1nTQ z5WS{JOUkO;bWzm>IjAQyMltY5JmC-U%3`1piBk}IbJ->T@S+Tr?!^qXnCD5w%|8@b zl;ZWyH%|#aMRs-usOe4@SD@gEVw~c8S|zuor+K2s>niWJmA@*-ky;nS1BQw+R~rjX z(D|ERbM9OH$IC=visFs?OT(wArpuz?<5Y1WX0O_U&5qOLOHcBqsZB)vr6)JR@QnR* zVJ=QxK|}A4k`@OjK8p=CX(?=tEzBH%Ycl`M_9}PXlXEu8Jhe}v&6B*j0DOT)`eS;f z%b7l^KnoocrRd{!=hh(8qH^snfQw^}_SWC+?a z2T(aVV5io;p+YHXIKQ0xdf;9dr`{99=d^*5nIZ=eAoy0uGb;!-D*UErgwh8}H+xKd$yC!Vwoj15V0OZ=O)Iu9mZKH%mO@@5=GzmcNHyNn z=nY*=eX~(S!ngxvFy>pV6Zn( z;k>^sp;%(1wMr~>t!tg@uF4Eo%9XL!uN-0W*kR=QpU6{Vh{8m<2;jui9b(XFe^v|C z3VMi6Uaa*=tq2YgdZOhtTuJmNd)@ww%Gq`K7QjA?CiUhaBnb_!+Wr2N#4#8tY>V>X zjCQudHc3ZJIS>2XN$7+1+GQ^AxnW)L6Mu7fCs9Q z)FDW5){C74+bG};1c(4vd<0D;|L*GP4#l{r!Vxk$W=~+ zN(Gzv2_kq>{Q3ScN490mONisxLgKD}Gyg47qu4Yo;PdYiqD{g5s?YjF`DS$<&$w0%p_VIA~t3Z;>D=LkF8geTemf6G{y_%(bW#J zBsmI`Pk|&FT1%(S5Z*vaWqkhIt5w2y?M_skOdHK;AOhC0;_d_00JM0KdGTn z&ssvvTK%P-tT5N>|8-9uXelpZIErqlsOf*CrLYd(ll8S3}cp8K!kUwM1xPRR#iTUWJM<`)iG_w-Gs;yqyN=P?}> z2tGB??)Y(96@HUnSmj=-?b5dg$r?8>pRMS3na-ZJYos@HSwya9xILh#0@|kKY=<8Q zJGB=wd{DdBKZzH=QYSmSHRz|8WL3_k%lq7(-e7ayqo873CH945h_o96chx4pU{mRh z@teByw44ig;)Jcej& zCs~%YB`Gy4q|E7sbY=q1EBym#$Whl)2**#X0myQDy($|)Xu%tePkLO#fWC+IP- zMMX_MtRng~s*7;yuC@$Oc>)1*j~#*{$vKUrZhKPR-UrW)%HhGKMn5Jgtz5#=r)=mN zR1_Y)V17F?qCw`&L{K;5vDXL!5Ut$P&r>^^R1S#l*z!D=pH6$u=)NL4n7XJ8Uu8t};0AM)ixCJ}QygXs0zRrJvU$=n zkPyRn*W}nl9k0(1xE0bLcZ0H%BfY^07~IbLI$z~8u!m{FPXIjq2B-R-4CODEIa8DR z%h=gyAg^~2T4h|%$S5Fq&CHj4)90ey z4YDBhtf7@2%xox(z_M(*yuJr7gW^Nqkd@lDV6m_)M!}k|m9>gJe;gvJ#c?$%`4qv; zu}QJ|kzLQg7F0_?$Z&J@cei*Z=cJhjqGMfd)avbzb1CWOo=Ar1HHbwv`TJb>vm`C+ z(hfMt{5M2+9@Xq2=ivi1$PUru{XZ@_UoYmgsi^U6S|q&sK7ACV#?iN{(3Sk zj{)%fJRzLKJE>YCMFvy9H5E{Ep5u1qxIrs>Iryhk_iCc+98>6U0??yVS^X4s7$J-B z7Zy+!dyAZ)d}bEr3~OV-FAu9T5rnAet}0980D!&zY;V_(R|=JEVU6|Ets$%`QymF* z4M{Oj3|yPa(&8o+oyvtTc+pvOD+jGduvMBcCe^GA;g{=k=JWEl*5Vgq;8kR}@ zqOL)iR5j^x$zzRNE%$Ag1WW(KQTNNhfW zg|1tVxovfvUhkg4Z^0$a!rDC_l)~Bk*?fbc8jaxM1f8mvmlt{M^e)M?%Sj)uc1L1* zxUir?q7H=Cgv;yVxI)iGfmB^HO?G(N4wggA%L6pU-9DT0#w@vs)gELqQ7J3DxBxm@ z&k3rfN*JerJz3pJfu*p_5+uZsCL}vF=YDi@yR7P7ph`>vO;9NdO7Zb8QTVWEmUzmH7@(m=@bfXWJ%$So2?vOcl{Scj!))$#R>Y1?s`! z^hu=1)&4!?*5m6g^Ve08iUQ1(u1mR~{>m|s&38UXwB{fZNEu@_42=uL@Arhy`muYu|g0_Im{i)uFyZ3*g#yNFt1R?9b8`lr22qhF8dS96^YHQ4pZ zJYk^fpVmj!rB_%qh8G*ghXwJD>DBX~fV3_P$C1aUKjfj3$blAToETr)$#RhIU=Jfz zV(_cp{ZS1inP*;-%#!?>=sIz3$3Fw*xd705d?kvV$sIr|tP7b99p8JkL1 zvAmd(u?r)xKeP%+%8+z1p*?e&w|ONqhEDa|;rK&r{oeUyfC}I=WdiRHnRVWBbp0(? zO;yrzmsYX<%MV~iXR?Pglc}`ZDwqaFKhnzN%)7Sor%%2`$Td_EIx#gH+}5VXlrCDimko~`g1&~P$nh37rIyCqf|GNq9;@r8g;EMv5xe)0IUR=M3=os(8*Lk1 zSq5x%muhkwSb2@je@q`M_)3JMG2V_5%LHwZ7i3c9S$RxAcpRxquw2SoQmdCD+M|O za~|IGKF{3u2~^&^*(yFbM!<*Zn`=@kLh!`}mm5E@x(Rp`2HUeYZCn}Ihpgl5&$w*$ zXRcDC&i~0o#6ID%_@HB-8GU4`9JC6wPgF~rV!?Lvms>eaNJm!hs z4(_{?PhV#MSOtBt77>Y=*{IR!Y+NHd>XkjZ+H z3)$|>55XULzZ23OPSTdB7{q06jE^}Ui*6N^%jVOGICj$nMy+`qN;Na*SB&thxx&Hr zMd@!tnHf~ojF=>uGrv(QNPVQg=%mBoDy*ES%6UYz1?{pe^f@x66g^#=*5np9YCMsB z9fG<(OL97Z`HUHr6NtHqU(XYqvaq3A$y|Zp-Oe{{V;CQv_oCX|FK%sT5g=p$qLlr& z62 zp)KL#ppSz?GS75yTddC}VVPK@S|v_ymwVMpQ|=+5!=wqGw0KT4x;h5(QtzI(z8a#n z<}~S!FjBt}L0ug|*4l~+NonHBVFJ9;XsZD0A%BCs7R1H;Ri2R- zr{lHrcnk&^9!J@`+srap9eE_Q71lk_%t^gY?K%@rYkMg0Zi}<>jHNv4>gf;=4wN^kBUy!QBi$#7L?K3g)JJF&l+uAPveK=Wf+4tlSZ+e**&K>0&_Y>v7vi(>u%0Km4PirlkEm-&R#sRUg+5 z08dEXWHjF(2{I8zOQHM*O8lrDr4H*3M?LP#oqF?|bHH6P&gML-jlBAPP@H`NP4175 zzf>S2`if1!&H#@Mq-F*_Q0uxjsvQSeDmGuA@OI=4J2uSO&r&)qcq5ma&#vk#il%~! z1R$1YnbdcIjI;5Mg~hBy51xlCw8nCB+tP+n6aX}*u?i@A{c(HS4rkX0z?MT7ciI>f z*>Hd>@UIrX(PKHAaa1xONvjE)a`#(`50+(LZHZkD6J{?ahL7=yg1|GfV$K%@`IS=k z-~6tv%4KOrXFU!4HE1)qysyqhHV!9Y-h6B|3w`^N0_~p4shJa5GmOlwzX3!KY#OU& zfN9)&S;0RWf#tNBRcQcDZ`_&EIjg7eNtgp)?p(!BE+=?E>PAOKvO@W1MVg1aFOCri zze^M($!jf_2egz?fYL=M`CNGk9WgSRkM|@X`EGG!1h%+H&63#-j!QumfO+jzU$N~G z!HS#3_y|}Uj+a6Z7hB%Z1O1YCoZc1GSMx2C&cbwBk7&N*bV=2(i@RpqQ+r1Q($5W? zo}KC5#48G{bsw9#wD}Ba^tL`1-mX#QObACp<$Qj^ifhM&KwC<7s-tx(+15)yFI3TW z#@niC;|QpOiz`$L<~JfKfPMKw(;d}#cIZ3MT%Jc|uix&mV~DB|O>`Z2%7h^~M4RJq z3KnPicF#!Lrg`cZR$y3hi%O8c`ut&2bDBc|ios5JBWQh$%B(K`qg`RQU8*_tu}x_W z-a&m^uGJxneFn^_DUUw8Jlo5v%XJ1V`1*lTzmc-nWg3S)NmSDz?rW03hs>6eBts zf7Ka0sH%qRep`CsG7%nsCmq#$OL>^?i9&t}zo`K_=EFPH{SVZoNg@TRahfVlw2VV5 z%f>%`6l=Y0E_?%3aO|B{R*VcoSKzBY09KiYJOM~0v?B*FVOu#nlg0dif?#N@43%ti zf6-2T`O(WM^hpn605#+=gU{a_cJ)~}7_eo5walkRawmCxH0RE88L5>BUxq};|2}KJ z0ejT#XPZZV5f}p6sH5<%@%dMK)N2P~p=YN4g}eRt7!*Jssyt@`sm(|NZsOSM7G_kO z84YZ_?xxw8{(gwR0B;IQJzLo50*l2L=Dx}ZV1Th$VRnIm}4}sQUA(XFR79*}{P0WmP0^Zju^%I(1u@3mwbIWTM~uC#vrHc&2=K71EEBA4M9Yuzi%c zmkDJ@f}2)Ub$u8TJ#Ky=v>y3I=EOW^`-0h(_{tHrQwZfh-w1Cu8Rbc1maD+ysN=Dz z>d>Grj5{E1`6=2gRz`f9tA!luOABF-DMFrvg5peB+AwdaiyL1b$`eL_iaWrGZih-` zXrq!OvqqPRu2W4NO)`|8T2oegUPn!#+8av=hA0On;?h=JmaOF8&fXmYoJWBPw(pd^ zOf>$dGdWP`5`xRKp6K&-M)UqhoU66lor#Y+u;SlfY&!@Y52{1e_+R&!!=4Rqy^~QlhDfeLN0w z1}Y#A>2CVY4GZAc&ITuhTFweysZH|JVii5|&|CTa$}qI}eS*oTetb2}n}CeQ=IdFf zHNo}jrw&0jO-br61QAi(!_4^)?Zl+Km#+@Q#ds;f#|La-i-GA6d+sqS6J|C@yRF17 zE6QG?KB|H2)l!)3R!8anIo>mD%3JEZS=;IrKHcMYtoQEk{O&EsT5D2w9Bi1G==xN< zNgH$lYzs{KE~}MnlI%mD_7{+cp9ht@l43PInQV@S+AZ^oe|kH$b0UCF(+Ge@Tl@5I z6f1g|(FD6u>R5d$nbvInSseWF9p`Mr9zei}3lm)&;Q=UE@x{ICWc|!PpYdFL=X=9G z#DsyLUY;^sUA9GYI;s=WE5w-W;!;lonP4}VhYyHw6bdgb7ve|W=F7K$Oa-|^5dPGZ zPySc0iV{OJ^$MUpB9g4fm+u1C=%yF)-&>SPjHp7*D6*YC?RrELh7-s`P)j^L;AT5( z2~b95r>*O~LdIYGZabILcFVV@>~Da;PCZ&+K5?`UxZOTOBL=vj?2w0o+c_05*Rx_b z4&vp)c=hjsS2@cpl58DyhwJ$KQv%eCzvHU~P&p$G-lUJLs2rH~rmrTT;~mG_NpeRA zeRmluSyT6;G91eEWh>r(tS~+OKpmfFdheLx+js(j?@S8m3;n zrYi_99UPli=q>7u1gO$HAXzW*B_U=EioYY~28uF4@T|;lWCj9w?yRFr|DaA?NIJ^IuJ*qk z?+Wj&q{aY*!iaCb%mUs|O}kv3+apfK4WMWBD=Ko;?q9tUG+btSm3v7pYaR zV1%1jlE-P>w%%NK7dfBxH&(4O%Mi|xn?lhp`vw5mM*yjcY$SuCdY+XgC*C zO`{TIGra~i@VTx$9uDEi0O|$~wu*&T@O~YSdrRca6*&d+2Za!c*U)<@z>ZQl4w z$W~wNz!1TP2ESFGxu0`_uJQR=CGQX;fjOHZygt>}klLbEG@RoPe($wcBSG3&QI=D{ zOvErS#iI_d92JxP2El2F3N#4bWT%q}>uY06#II>r%$B!#=L{#;nQi`tiQ^Rd=V|t} zfav)jFXYGOhE0A@6Ed&37tSm5k@yZW1Ugb|SQpiLCil^AXTuiIuk#+(N%@+5L`{tp z8!BWga$~UFR-!f(Es)z@nE(Y5KE8q^d-PUg{y&#mTngM!CDRqYvb=xoSrGTNKAHZAzFAq-^kT_(W z@L!p52n%Pwxr@|aao~;c@bU4DjyM&SwKaGyg(XVZ5yd8{OU4O+-AA)|KTFt39V`5Rm*J}1)gSqgUYz(`?* z=)yAtqOQkX8F!)*-%`mW=1Fq;b>>Aq%oPEF^zoM%1`g!d>bwcZx#hctNz>f{oA{TS z=GVmbe08|m(8qipig{tGuK$lK?KW3#k$2Ji_NH%oYvj$8cL~3@nop6rKf(k2uaHM(CD;$+*C@i+^CMw<2y_x{JZi!od4QKUmWg3ufWl`$FY|f zs@eP*JGlVm>lI*_f<8b z-^q`Gg9kM+Ey>Fq@G2`Sy;eOF8U4hV2Gu`7#Ddl{?gFa*J5KU3?0(J$S69x?_dhcv zv0RljqY75B_1K^G?lx@luUaXA@jI8#1+;_HnE#od_1AZw-rDrM^Zn^!V(Pm?Sr8&P zYD|NJgHa4he><=2{>wK-PRX738J?fu%U7nBZ}Jkd>Y&eFRI}Vw(T`%k0h(s@EnpZ- zz)GuwMggO%z;+!WBmzhQZt3g10Yi_uRaI3K0emm+>aqXX7W_7` zEaS^Gyj(@^ym$S_U7W&wRoG{jE!Fd{7^wa+bHm{%;j11?(JjIv0O;|4s=&@U9*rkNqnzOrZmUH|5YU zx@?)>PBQool53tat;^zAeS%->P2dIk0h}v+Dny z>gtpL&0SiD-UT=PKefsrI*_kE{D_eKuPpx0fBrWyeb5Wg+^o5k$zO&Y9AMi;lhgdW zZ|@R4azcpd(*2#*og@IU-P8I@hj&T_4E}7AJnrvI_TH_*{~3<{yKi3tl|dbBto!dG z4JGi<6$DyL(cgW0mJzU3ud26y8K!*!v0;}u(f@CZ>;G}gh8SS0yXCxGf3?X^iryT zdTUvC^2=Y@ov#EL0BM;PhIH{f`zsBg`8~uN>8*8|==sw&TDQfR9n($dOQfaOEqqnAYI`)vfO#>U1? zCVza^2de$G-f z48W^A0GZ^!*T3&{cGj?abs4&=%K85mDE#K=KSW-`E>BT=UVB1@=G+9h+rTq{5Wy@( z7H8cMJ%=7*zbBz+ezlAxBPw$JTv1i)Ngi4GMRj>?*iWZ#NwwuOySdp(vQ`D9ovfD# zi4+c8sYf>55j2^q)O^-j?kA&~az_j}JY+T3r_*rYX&1UW4KT6G3_u_iJoB?e{}*L% z9TjE!wGA5>NZo>TsYpvVL#Rk2-7P(&v_p*uf|AlTfOLa&&LG|0-5n#{@SQyGde{5> z^E~(OTWkK%HM3@zx%Rcsy^nny$L8VT$6rR5R~|F4jSw<`16BGdmp&=0-5 zSLe<$KO~G^C`^*}M!yjg6Kgr{Sz}grIq3GqB&dPm&G22;d2G*Q8U3fnc^QkM&UFz^ z?`(Ls%^tV@^s)B#0KB4S_%<9KLj%7>9o)yHi~I6JYm%uKn)PsYbLm8ghJYI zpI}o8mig$Y&Uped_=xLnlkk#3G^@ze(it24OqP1|(uiSRHpnKBgU&Rf=MnK&p>6xMIP{Ly_D8-q$?t-staxSqAY z1gaquJrIeyS7Gk4zr__u`+McZYS8 zt1HII8a-A@gyGm@@2#|@9D)9I5vIB}?i_zM8D_SU=$U8v`LRs~oF+HSkm zYlF9jL4J7DN#`fY$jUCD9R)0P;mBwm+v>7G8Rl~S*(zQ@o@yxT=IlzZ3IQ2Q`!L7l ztp>Gw`Nd9%*TV5;UePML=o^tXL!}NFX4V*M95l!7CAk5sr`w#UZQnvTG$_lKcz(3S zr_&~4J6(0yh{d*S++2?Oa}TR~^fMB=bj!KVN^)araV8Ok)GSQ~7AJciPaH1zQ?DlD z?Qxm(|9UGNUt9|};}bnQ6(C8r+SB?cxrI6Z_dBnhw!UW6aLv>e$bDV)%q`~cF1the zVhSzx&H-mn=WL4)c%_szMb2DpK(f4VJu=(+2)iSCe(Di4 zcUDvKA%T|#39jH7njMR+?$fofg9|+QwJ2)$x|(>Y?WFKjfOzhMhL&j*>qVTN7nPpy z%nY1wXrxU?MBkO-0x&odQX9tsJy!clm=2ZPf)?CE+PTc$pRwOw;dOMY$%6MKL{RNb zqD~hB&rXo1*HrcXJ-c(n&3&V%7yh3@<{mAg+s-G^&O1my$3^r(%@R6l5|TBc$H!L~ zcbc?{erbLZRVw^H-Uo)q56sZLR}zt=+Jp0FYEf#yCiy*L< z4%4Ww80rOzj7*uimfAuU49*8*_Q}! z6NL*5tI9^Tt<>`K%;;SxfCiYQm>Tn zF*BXST8FM)OSOyNd(V7NeUDdHCI&?B_06rKq zQO1adfiU`@yvUQK{_ZAZ?o7Vs)}d}|iR`?E%`42vlcyjrMEJNIa7QzL5YVe{^Il83 z!)n0?Pa@5L(4o?4-uqFs-QcFvW$02L{Q4l{#AbT_(}+|Bg~OGU8N z{(4$yujkA6ggbWd3mw6uVHH`=B{LvMMpbc(=KTQnRV;~sUz%b2l(z=Nq3nU9)l1uJ z{xyW-{>jjNJfWZQaH3{=8*m$Ke7TP+WpKGjoQI3)r-3jC((=^}aKxSi`U&=b{$PU15P+!YFDAknf;AIJ^u7 zJY5@Ay-UtPeJdQstz{E8SO%x>CShxdLm)tZ&RI;GwV5&399&3vxCU9}S=8>su-0ye z&*>T*2BItWC@W!s?6Mxo*Fet}fBn~AwCq$j^m;Gp#~2677>;(I+ZsNZGpYwPbI)tx z%rkQnk3KAaV9&^l$4z);encVavvl(HSepW_a9TZmNm6@0zC;$7e9<#i4{o#oaeKYi zH4`fq5y>UjAFB)9vw!t+&fJ;2^d+ShV(KqVcSkSdgAyF-&qsWH4cvnwd5zdqj}NIrdkz8_PMFgr?08iVs$>|9dAmcyLZQ~WD53Hg}X%K0D- z^}CmGl=V$*XyQGH$3gN3`-0{Z??jhLMo?vVW%TV4(Q8%An~Pp(wV*%maj{+F(s*U@ z0~WQ;C8eZ?NNXRG8hm|9R8DOke76OiX@4mmSnv8{uFDqGQckU;=4Gey|6Cb)dZ@RZ z_*6_Hu0zP$2BJWM9ECZL?H39jpSq`=QVLJ@r-&V(llR=;pUtV+0NMN5{^@qWoa>^n z?zPDGInl*h9Sn^;sGjq-<9Yl>CmII0Bl)LSLLvr>=-^zNy%XUT_!vIiuB?SfN3|AK zc~lFuVF!H`r!Y;g;AfDazOGZf+YHfjqZDfdbMM=8Ro^2eozqBwXZ_fzn0Dy8oDLP* zZ@(n7wacHaC}h47DPl<|Jay05y$qS0w0B+O8H$1vPfQl;{4d6~{on3Qd~kBCGv%}7 zGv&kJG0o!Wl5|ng84Bi`O)tLWCPfnk3*6Xl?FiUgj4grB)HBu&{4#=Zn4LKir9(SyZLK-Xil5h#nnoK( zhK@}-X{ryEzz1p>YhhWrS1kf&e8%cr)_I;KOjv{$9Uv{`UFGVz&W-RY%uz(Q=VJ89gJXTkJ{1ne8%UyA?BIGVyH8 z<>0{5O61(^X3?a!E#hix@WVu~wOVN01KRkKPr9|n6_uQ|T7^ai?z`3I?lX`&*4mGG zMwiF438iF0wG%0fSie<+#-g2H_u0DGb=nFdMt&1+EuF?wJGx(dcP{Y6RXsScQD163 zH@G<;BWxR+lykl8wnZhM>avK=ZX4kA!g*uZtgHmFesfb7ws;Wf=9AQWOo32Ry&?aYH+J!m^w1mh}woy z<6vdtLoZ9KCF(hrs9Mm~&359Wal)3fWB=5zsb2%i7+#LQG5YPTM`IK!u}%0x^GzCE zYU?Q> zo-EW)W8jg}6Xo@?8AW4gA7wdf7XS02*J{)9Z{ zVynelq^`IV_t1>e^5n-5m}OI5059vOMvoP1aKjU}Cqng}9whM|I&Z=jz7eaJ-7O7r+R9UK%OvwUSkSMu@vtA2Omf=|hoJ#5r-xjjsNCUu$J*LXT8 z{OX@V;PgOQwSCKsYYQ`@yInsc1_j&aU9=HaX)$FTSU<8{&$8d_MjZtlSS_tK z*Ze9_@>E_8M*o_uqT}eRdJOA?l_2Ws?Ut{E6-J4#>rh}(OIoKJ@r?QYB@yG6yeQ_+ zJOB20gTk2H6eW~(26}%D=E5qY-!iuGUyJh|s&}@?ENM}=F#HLal*T^lqV@nEBdL4AEbneJ9cIH`dKcS1pJYD=6 zPBTlLtecYpYY2kvvPd5IHsVX-2Wx*d)DZu6_}39eo3$yHCY1iNfD6tzP*3|1HY!z? z;o2{qle=tA82aFRRqGjAg-zSHvIaXMcxQsSV3su&XR2g?`f|k>$4aX7hw>ySQiL8Sr zC2`-kX+|c-MBYZ(0DN7$$U1Mm^JSs1%tr0Fi64GKW%wxsL@N!2j1@yN`LlZX?B>IZ z{h6SaQ8bmttLEyt%#JGY(ZkuEv9`>i8CsV8#nU0#*|yQ7AN)9eNq!Z}(+9C0_{_o&A%b?5Rp7Q{7%GdGX$hzQqI!)#S(@ zdz8;=@!}~1mXAi4+0NbdmFA)XP>+H)xyro)U&lW>puda%{C|IVS0}!?D7m{%XcwhA z?e`AvT62{7@&6o4Bt==FKk4@C&-X75I6ZS(6oNfcl+D!b7dJXpz)q=LOqbRN}` z=T&5yGYVu;&5}<GE?hFC|Y5SKyVR@5W$;tRW&*cAPZjcv@%+s*I+hwk*KOB^OB6F~cdJdMS82gkdUfcTmEcPo&QW7$eT{-=o zZ?Np3jZt+IxBe!ANy|I+Hs@|0G04!sP&drca4%ZD zOG82;eY8H1MrI}-kPEq1m7p$8)c>HA2>Q^G=L}4@C81iqkoSNJ3vNKMn6q9)sX;-1DW=9+L#d0d&&TR>U3Mk~U^1bqbgc(|yu6(a&)WQMhs0-ZAgEv{^Mi_;xOv-OEIIHBhXAwHQR1;=4>?iJC(_90N+qc;I%O-mDCpz6JsQ3HXHmE z2pjY4VyVQQWixU7%j#|3Rz)Ds|CXhESh;nJqJbREATp+HLOaCkF5fy{-N}@Pv4p*< zhh$FtK}5kJxvBU1-q~#RKMUU5KlZTtl;=>M_hA%%mL&Dy?iZ4z`jU?Uqm~JW>T)5; z)1eBoA!)9GpJt8a^ac!m{hcc|mdtSVR&{&yR8k&XhLU4KpU{Y=*;m%P|(1z`uO z*^K8_6A~2csAjHbYlibIriM^%f*29B)z7OJSd*MDJO5OwlKg!;x;0bl%8omKai6G4 zy0jf<|ESz5RQOm?%pVsA+nv4Q7hb1GzzKd`n^BN$aA7tY#+z4H&rHaYmbwe_&$|CU zlBTOtDgn|b{RKnn-yRNhKhY04_Nt+@5dnp$gCY1Q^~2=46kqLzlGLb2iB*$#oaaqbt4HDP=CeQl@$wL9rgh-is z0)rdaP9Pb1v?O^Mhom?&Ex+?y_<+pnY)LX~H7-D1)nU{)0D)_y-Y?Y)#al{IV0*%j90^9C4 zb*3DE&^_oq0#>whiCEYDT$|$V6R>nuyjwafs0ei=`1hq*F2s#&}UR!PuiRZ z^Wy&v`Sv-we8A*6ecj(iEP0*h2JwgdGSz>6Tn0WeMkPvgK5-$l`AOdVfVw->9(Rd< zSr%e9UCQu?v^m78_r?8-WmlW`{{)~Tj8i)!7BYn#Bgd?cy1cZzro&V#a!Lj0S`=!M zG!hf^)WgwF=dob=%(H&~Skhc5!iObJQa-!f*&p;XYN!oTz-71J>!x9Ig!c^4<4FmK zh1~5qwf%>O_sjj(BRAby#|r(=4b=)ir^@V&vIBnZ1qs>g(uYh+(LNi)u(+>CZx7WX5S0>NE8 zmMJu;s5)b6Fc9dZn((z4+p}laJ+{q;KAAwse~?hkRV!p~tzl}}l=>k0Kwk99$=?Q{ zYr6Sj>&wMbM4sGbYA864(}x}&Mlr;V4L@*T+YGkn>V*2_D5BhyaO|8I+0t;`TwmBt zr~j!lp)(MGdCV~^{a3l*A-BJ*r=Hw#p_3kp)%347DtN*Ei(mU4bb74&eU8XQr(bs{ zqR2Y4j+6KJLzTIIa5^<4yDQ0GzrdmK%NC6}>U5UZ`zxuB*eB?Wgm(k4`eq%%jk8mU6WkI(den!q$@glCtV!zL{^(uvcyeEa=1s&XU*>44 zg|g}#$5FmU&b_64)k_)WW&edIkr&$+>8^g9YELMSdYR>Q(`yfUA!2(TciD9ZnV}b~ zu%_iYmCzK~Fvp7gI>gYQ$F0QBNK<>!aNSv%(vmtM9KC>LD%15;*RJpnx#uZCW+%>w zElQl+u^obBAp-iYacD$uS0rEhehL&$rqwk@{X!>JsGCDxwpL%3XDHsHHv&+f0NgKYMC~p!=YU5ZapV zE(!1Je}MJsy?_uT^JYHQgd%Q5>uWyK8XJ;XDx0ZbZ{`mlFG(+Sb@!iF%+LD-rubaf zXR`7Kr&YR*2Y=Dn7UO^mhMk&*=^|#ad~^ZT&MV)aF(xNG~iTJ|e8z&vqB~_jrZn zq6F$#0M4Y54^*qMCT}1fr=RFQ3|?dvQNq4$P!=F+e&M(gSF27mX+F1nOI_z`h+vod zB*$qTgC#RBEZkLR&6JqcZL-hZCWNw!+!HR!M$7p5cyjuiY4NkHsFx!Em)ecYAQV%bsu)lkw=V68yfz+^<}&Sk)<(TH5FnSUQ)wHf z1m*(7Ym)$d&ntWPh2UWyKvT01acSkNW{btk?dE1NBa&_>g&U$Sc?|#s^&Nx{s$bdD zpX2G%7X(3!njh0k-Bjqe+Ie)Q!x~ z{O;Hc<3Ca0iuT8c-6LbMvuH8ru^eVl=$U?Q0Qa>{asBk^)!gLxbaj5P0RaCxD}UarS9pR z*}kP_oHKf?C|PBPHd?cBk3Lw;?JWkqSDdr!6V?uuP=vp$vrX0F@F7@JV}Duk$oi;P z+U4gY*vUZ&k4xHHYJ;>akgtO7ClUOxF9Tnvjsj6TdgT$dhvG-X?-}5dXX-AtcA8`X zsmro5R)=J70H88SW7#$1rQI9Zb*>|iz}Mk82Xy~?mk6Hqu8whZ*O%DVJ} zHKQUG@Ky^VSOd3<%cVUP6#M1UA|4d!P(!e-ayZ1i39y4!5=}6k8 z4a&FOv}h$VDyQA)i68VuuA9Rh)rGD__WviuU-fO%xRa0de@oGc86xIfR?@#qQJmLmVk!IZVMisY*8RduM=nZ~SBr6%;IFcC%3A$%osivVf5~6%k&0R7AiOcA91mlB%;J~%FWVsjT zF4lB)nhf4%(NV8rZ7OHf9}0Lun+r7xT?@yyw9Mj65w8!QEQHLhg_Xd$P~^X6P%s6w z%&+CzpwPFvnn{ioh$6%0d&bfH{wG4=Gx z1}cy+09Y)~tc$3iE8AaAu-p9`TyYmaHUYDYEpJa*0E3yXQ*_MJSqqvGg_sAn?_GOs zFm+w~ma47>o@F~UH_g@$DdjVaCq1ip+W9q*x{srIH(wr?b zpPFz8y^d-mJ}Gb!y=2V5}RH3u8A7bkku)E?SXe?3F^ctd_2NWFdN~%+!Mj}ho(1d2obZ2-(&yez7&2T=VQ~55 z%@JlboLc9t)#ivi96{o5Z6vzi4cnNbj+S$azFRXp#x@WBY4W9~yyfhqGc-6)*v46a z@s#7&K_&*lADf4#nr|mEh`tf0H}ujfFQoP|Nzlc>FJBrJoN!CSRG5O_z`9&YdTgd@ z$XTRUhCv*TmF7Dp5892E6xUQDbD4tle?KWueVxD!4Ugb?R!j@0f7d{j^9F;qQ3%0Z zC6?rH^vOUV@O6n40||`Bp=Cnx+a~tk9XhowO?LO=?VtGRswNG+*wV~D#wOBr!}*MQ zE0~is<|+@Y{SG8P#mLNy$Sc$B_1w@=2DMm=5&Md1^)TeWl_q-P#C|>l4t&*muPeF1 z_Ozlp&J`S?N{8K$eCy^1BrHa4*&Pw|8pei|#XfiWcM?0nCWslrG~9dly1d z{sK1BRrZ~Hs~3aA_|Yb+hWnBG<=azqRH4B%{rM%~ucC+POGRp z%}OjfhvU!?%S6Da(^bsK6akLamnOh~b_`b`qTa48;kIS2`T20)s<|#^l~N8>$-7AY zo(9!3eo~cm08$x|sc|<*Z~chj?wXnZ&QMf0tjZd84l{&_y94=j)ci^zsN2 zPN&-?a*?_W4<23zI~c&PoJaWEhF|n(8ZNd{u7s38TP2t2m(E(7svLCA%Q;bN9o0oz zvjyZ}IIwxag2XHFdiCbszdZV_F(%)|Wnt56n8{kLza(T&8GmewdgULbnSme1)&p?Y zRg8=4_usyH=*t%dZFCVk+ohKvi{w%4bJS(1&(NlHPVq^n^5zKm%_j9RG~FF`hTSt-8Qu%jS{58c8TS74@e-cP-;gqcPRlK@`RGg++YCNy^{% zn`kNWOGUh@-7X1S;;WUM@CKZlm>nFK_Pbg9{>OhTJ|3=#=S+(Or#0H;Qgo^%NNuJyYHw&aC{F31SSG5I8#1z)?_v3F1+J$lq zsg~O%OLUPq>H=ky>T|Q8SK0nGye8clki%tp_bDwzbpx1h6y%sGmN6XQdFA+4Oj_nW z$on;>d?rq;R~Bu;lLcL^q30p%{0MFHORod&m^lCiQVe!ETZv)b<~D4N1UO}i8xB37 z##V>Rn9KX(3k`l}3oh1=w;U0?erd<>)9Y|Ra>U4^&-2JABJp(ctJhbxIxG9}ly`#A z$MhN+(R(@p^`j!jNo=*0<=qo7M$L&Mi`&$pKy$y-d<6_wf?8nxZy)8Pi23K5+rseWeN3&Nxi$Py~PNeh|>;zntog9(u-+h$#U$02O( zZ~#t9y?%&5*B$gK3Z+v5pTyssyg^acVv}6G{50d`FC!UVJl~;UX+!0=ierwTwtJA= z@+C#*Y0RBuiseA&g9u}@v^8OaL>(DTE_lMnnVTZw2?qt)bq!bt4C#KNo?u&(Llg1w zV=yS#`7G#KUv2Lj)dE9}@!7#XPvcrQ*skeKq(tc-MK<6hRyTIB(3 z@`>9iq82y(s=~jei8uEg$-R#&26e)MV*;8=&HLolrok^u5fEc`WY6&Q-BYfOKGie& zG`mONfDJ@8DVLe*mUqRQ38<|r;JRYI&;*23f;fMCp673vG~Vo$Y3)L}#)LQ2Wiv|B zPwmGZ;ZfzEpP-AnH%r+^s{niWo)1xa?Q*y*Vi^pC94>?Zz6Q5y$YQabe~$JhZItUR zxpa7<=0FuP(|%w*Z4VyAX7Kf4-~?NK&f-l4(`EptEJV_md#bpqJI%MFaa1 z`d9Ygv{V6uhlCnH4$J-EdvE!vB*oLy;;zVPsP*aJg^?;0K{r7gr7OY_3PuAOfPALm zF!l~I2#7y+?kdSyQFErraXPM08Jvo@PZN~Xnea!X=@XYt@T#{#&!PsJgE|6R_e_Ok zTX%AY+1rS?yQvd&XO3tvf1K6SR6ta6q>C3fG{EPRfJCPtkK1fuo_ksm&p{>WC~^SV zX5gjoK;_WJ_h9OjWR4;zr3=Ku+Uw_gfY>8AUfpMq=kU(c7{?`LFF0At%J<~K0n0<^ zP)MlqsPA1RD+kl=32{#irgIVQlD_3LmJ$p3?&N<5)K_`$*>qX{R{eBwQh$?}YjH+T ze~m4_1qe_P&Dr~X>Hxg~ee&9JM9hA51eCzdBcKo(Tj`tGSp)WH*0Q8%=WO)8=E{&f$+An&NbYs2iFn4rLEcC) zjMHFvNASRq9&3Bmq*klcY+|;iZ{;9hhB>~0$Eer#A*=XU@zd!Hie;;`prwc?kBxu) z5_1gyI1DREK4|sR?70NoyxQ<3%0-#`?|mCO)*gTCd1?2nuwn|Dm1u2e_}Jv0ZS4-P zBN+t;n=^WL1|Thf|J#7s80%Nf+S~pB^LK`2e)c+7eqTp?l0z=U6Lnc^ zgq)b@(v8_Kugm&AmVb~0HP&x4yXI}GSsTI9wiOwtC7L4&YT|ozaP8Vcs1Z9qUj=Fm z$hE}h=WLTl;*|St)X``xPz^+~;ox|-@`Lw~4?&A}PdMy$ZGjuTd%`?`uKPbY6MhL` zmfe7$RU@sfky`nOA^zrYNP!7@^gc%@az#O&B>ffR<4(~_kGuym-+axq!bELiBAGig zKUDU=!(!b2Zpe(ips?|36?zaFNbkD&mXZnl9`97h=rxpljdbF#W9iVTOJ%+_K5AT5 zl&;fCJM}l$Be_Ny9{I~2V7#Ky^ywaLU-a*<#-O4@xZM&eb6heV@L@uzL|OKbk7^72 zYh0UMH8sqU(>AyCmD{VnmJIj0aqVsXzg__Jc**u51aCk8-s&4t5Y@x+TuXG#U4tQB zBM%2ttZ$oiTC_8Rvi#k0k-Xs8Qb)@YKJs=!Kp!>!E7bA0{%XfgtB@;Yh<9WSHf{{@XtrE=< zo|GR=YbEN)|Ew>9Qy7PbaE|adL6nCEmUs|myJPP|@~JPF=xgcP&qhI!tzV#R?CqbW z<;ez~d&RKoAxsLOvyNnDFv}<<@-v%Aw zsLp}BxxOIK@c?N6V(%f-B#+TWb0by3`XEbjxOOu)4`HaKpc@ItzrLMQ1EObAL}8qe z^4t3-MxX)b;rR&eAE!Y*rvdShdIr46EE9wFlFow5`-Dewn{49cv{tC#>en9`=19^4n?5 z-ov)4y%eQ=Ka~awA(GG)#C;k$l5OxliSn3$Q=hSP0!ttKMd9cP4d1P13#N1d@WAA3 zzd(>hdbkmQbKmWekt(962fo*^m9)QpE0a=Vqc__lF;L13ly!mJ5}Lk*5djkZ4oXkUls~> zQkST>)6DzfH$|)E?1hbIk^}hYl zdi#4N?F0);UIQdo&jbO#T%t~~0vaX>2J7+>bu3af3de4al+Qi*U-T5x-vv)k(Anq! z(l8$VCJ+h9=uBu9`aaG`FSAX8tzt69Q@O3DYy#H4LV|eHB2Vh>exC=!s8RWn*(X2* zb;`wTadan6Eg#jEm0rQ6fBS=qK_Nw?0M){-*)Znf1n+W4IjHyJ&UV-8>qwP9S zi)_EL1k?(bOQ?{r`>|8%#}=n*h%dp5G)X4*SwP^9bNG|HRN?d0Wme{S30`Br3{%#W z^Y1$*g{j#w55VuYV{8HASvBa>d$cj*m1ckC<{ ztoVY@+Ieo02$9J)%6^dp{!eVBR6El)?D7E%Z+RZP*Cc;$NspUtKM<~ofwb<+y_}yl zVoG#%qf$|CvB7@p$k(4&8nS;ZN_U~TT zQ9@kuDfK9w`rlgawGg{D&NtvPfC|#Jk*#){(;19l=$S6W-kt%OjFKX!D2T5_A+n7y z`1>S4^v@+q%hGe5QR@(;DfW>dTVc=l_zY^C9NU?ik+OZX40FNq^XAS7Y3B7w%;mx- znk%1x7)M6e6d(3R+OkjhM3vn7w|Al`bj@@OX*E_TKV`_^uo9&q_>pC#bhl>94|`<0 zW-+Pqng5<<2+w*<{lyGgb+B_sGo@ZKlxh>`3yydtLtIIy!T)wBo7io4z_co5Bp**; z`5(Jkd+(jea+TW+$^;K&MzwyX-IlI__`VI_<$GBYY%1cua+o8UoEeU9*S)jGJAPo=Of?uzl^XvpFa>Sb-Gn|n z0ko+$2$A7QA>iKiSChj}o2XTXcPYk|FqcMvYT##;3WZBJ1oX9ubs(iVgJ}^NquuyX z`;rIH(uFi|w8Da_D|}L9L78$%&1Z`Um|VcEeP!4y20N;HMD_W($z$lg``?B~Bfy;3 zwyxo+@#}LJS%;%u%3zB?-IeoU6$Q1bELfFUc+|c{5gQ)#&;uMhxgbF|6Z3pF7Xu)REJ`v&H{Opy}IFCHC7>2_M3wCo%9K(p$|J?8G{QHf263^aKabTL+3GTwy|FfU!9FYXRsdgOVE1UAA8UlzliYJC;2 zUlk1X>AP)YG@EsLEz91~S0?&X`rWGlC*bR=pHa`pmS&V!p_iz=R2~$0b1)8x~mTE z7W|RRBm5f6b*_Wb^a4i>?zZ6(=*K_F2Wx~(RU@^AE926SPj>}2Q;FZ&&q8bg>$g2W zAiI`V?$d78Yh5<$McpyT9|5JmLa}T2C6Stejx(RZ(;Yfg2fJK!H=N5t-NYo1tTR`2 z$@}7R%VKGkNmWEI_>G#sclw;`gzB%q%4SB*z3F`e=i3=-oe10c;$gOC-U~o&O|V3u z(&yy94ZHe4pxWo912}HnhVt&UndwG54+NK&?=CY=ZmO}R!VgQc>O2YW*g)8 zl=QKxbNWv>Q-Y{qM2OqiPfgkgezBPJI(y+@e7@^1M~t4C9n|*P;VD?xpB1KvNGNFq z7$BJ|^MM+HDOj5rX+#EIoY+s$B9B&NbJ*#JTF*RXx=k5N36)%_X$T(rWbqRnm%qwj zi7?lKvu^1Hzsyu)&8_cq7?9Fo z`w3~yfN|<7vYt-C(bvc_QZ~WALzXH6ThFi=KZ}GJjIp$^_4-AETwTtq97(8Jt5a94 zwdip4bYF_whjKan*rH#Z%vMU94tPS1jVq@+r^FOCWk1;dk)aS9CboaVSQwaTe*CVw z&$iwZH>2z|t2|Kv*@5Y27C%;(#I)YD{qiaLE&M1AUH)@*^%$4w&;&?lp?fq8qg7H% zx3pbG*|x8%|3UuZ`TOBh+KVrCbr!+shdn0i_r96GmVe6U_g=5*9)*3c`QblNG1!uG zFrY18D#0rxFkE-IsNl3y$l z0Ngp9{Ggl~i8D`%BdJtK7Lj58$UK}yG=}oL&<-aIHv_3m16cS654N&aFBfTKsJam+ z$eoO^RslV21>aHi?9+G9`>DfwrpwFQOR6O! zLws`}&7Vxf<8!vQTU&^trtD))AYdK_{dUo<{6$_A(vP*yCDr- zA|1)oC>n;EydRckj?V@PEKU8+mLiQ9b?qNzg>^su)p=Dd>{wVsAp1=uV16<7;Al7? zI4(e{Q^zbb$~sD&JFJ1{tSi3MDp!|TUX{qT-N=nTL-o~>%!v#$d1e4Pp>)y19i(sZ zLfMe~fqsNHAW@qLZyo`eT`Q@N!xi?!gi$KynWYbD$9zdw=C~f=393=5<;Ch*JRc z+%Y7T<=yTU7D=3zX{a8<{9y=$ak@!cFKrWSVA^pq9TV;oF|JGtIsgPDE>&!kdT z8g<@%nY~im(2G|N{^;TvF{^fD`!1)xC*EVPHzjy4s4~+y%t8M)&|*si&kL7pU%)!E z0k;_C!V&cE2&mMrJ&ewBhqDaiZJ#(;E0%p*n?&DvCUw}N&H$cR$4hUCrmNfCVhUD3y`YpUssifG_ts#`;44t=YSY~UaXhOMd5<%C8 zs9Q~R)o)8~y)DO?kntw{R1D%DWYeLoP_AqY z>%Ie%DE~a38p*_;JD4_qtNBF~y}l}wZzf5^VcHBqyt8%ekZQvF?KCNifBnmMmXYCJ zq|`^ni9vP-UA4O|vna=D9ftFTxP}8PQ`tFW$db((^He-rPdu`MTrm7@0+0aqeopt4*Wn1>ys@pE)* zO44n!Itf5o{4^ScZXOZZoT_G$(vPZ+fB?;m4FB{OVT3xU=B@*jg%zZ<3Y&p@YUARw z-}?-*qjSSFOw+od5TXV>hxOr{h+ArtF=6?D>#ufCFomS=lwr>tf_!E;JgC}hDI<5} zZT$v8*Qs<=_c!lR21fHOdq#K}BwAt~km?w1cNhhIci=F1!?Cwr+80tFadUlje^ipv zIWpWP+$$ms+rZHK!M*CI`)?wfPOkyxlMB?ibW8yRNfNux_@9N!McP2)U^?ar>|PW> z=`Hv7`fH7k^KfbON*t$D!dvz5ZYyXOvV$+73xTsK51je42h{`mnw}yGu_M#5zOov~hdQLZ4nx5CoCGdVo z{M3lq04Xj~=qQ$11(Lgn-EVbs`=rqu8FPj3S?9`w=r!00=`x#^RDHf!f!FJ2FZHyI zKgJclzL{_E@p-^!IKR6!<|6!;WqrSkO@r9LqnMIHunZeuW zGbFs)7|MFoS%1s>You-jIv7QMg)QLuFZNB8EV$_jm^Yr8&0m4PZUh8G7J$ttkB-I+ z9-S4HbTU185_ePs>Om29qFdrWq1UMxF8uGullv6K+G*S-IhEaJ(s(}K$MoGA;Ug@Ykdw&i#9U?E@xYW2kPFjpljO0`+8S0%4L%1Dnsr?=o5L#|)orA6nc zWT^*wFHGDDKXdCdk}pq}LK|Yuk{GA0^0R9Jt1Sm?*-gn@!)y{g7j(&OBnc|E1mGoh zt3i-~TRrue zGPJKct$O7d{9+z>b5_9tjOIPC-W|u~1H*F|&&?~$HKfo8Y$Ex#_Nau|gqx(?h@y$h zSIAzjG~6@3BtdOfYN#UL{`tW>7w-k?UE0Xn7t~_K?9$cjR$4!I46)C^GzB8{WaWMP znAY-1zA2|yF-E+edS?WHTphojk@n%ccr+n`VWemmtHSC`nc9EeBsu5OvZ2UNb36g> z%{ztDWd6UZ`V0;g=>+Y*ZzbQpI(1C!KfpiCuc`N-`E23KEPz3-YVS8x4Fa#%&z~1I|0ZQ{Uw;( z)BUt;LiT>Fu>X&>w*bm=UHiTfX%Qr)Bm|_9Zb<Kj3fU4-x1s42IT8W(QvqQ87=Rcfd`}c z9ilZq*}v(7g{yHgO2)UHB2H`&yg+y=F&m%B2I3er%nQN0IT27Ww9RA#oa^e8jnpBI_F^)q1&GwZf1Oa8wMqrzzj z6~&oWE8Z=VU}B{S)?n~I|K@-5(yXDu?=Zv$nUCdt)Bdi`6@~Chf0uIq%YDoOU@q-6 zJ5OLWgygS~0u8ERFJ+CpS$*UDu~JmVIc6yO&v4#L07XHy-{?{@_YBSM%6Ud$goFw_y0aI5gwpJQj<8$l=A$z znw<8^g0AI88tvEL_4HrOpY?&CpC4pxaHEnQU_}HcJ{~b_MUW3QHXbDJJ}h ztqY*gl+$!1!!poe8{+xc6FvLauLM3pVU0qKUEHmoqbR*Lk4EQ5HwP}kH(rs?u$rlp z%X`4wkTDIkW8*-AR4x%plw0MI3{|A?JpS!B`)}GQ>DofmADY60X)m;Hu8)RA?D;-y zWHf#FJ*t@ma|AyuhiV`6a|*~j&M7|sDttqOD2~JTZ!f^>j#5}7@P!xfyX=GY!^bZK zUN2|0(nmo~17`5~hCXF686r6W=N@8r*OV2g4Xcfw=PEiFHva3w|Id#&vW=h_n<-O0 zk3RVa9sU2=GymZ~*51Ket*^nVcmDJd{__J0!!rfIJ=D=0YSn-JAAaiphcD@uLF>2i z^0fNk|DQ)3u|pXd$z7d&FzNfJ=i`5V+%VwxJ(D|_mvYwz)3m{)t0bTF6 z%ll8kp07lhb31x{0#*eKf3(&@Z2~BLrg++dfdsHNiPt`FFA9eX6w)W^n5=l7&>q*g z!b1n`IHu6`qZ*u>cKh|A*WcGbk+~gBXa-Dr^fm__s7fEr?u%ieyOP_Ja?e8PTAe@5Plnx+F`8sJ2Em)S%(5Yui z;sqKK)I_;}-ebK94);NAshpnxC4)WI3P1wp0DUAA(t|=Zl7w=+GouD5Kw1;e+(F!h zhD6Eq?FIx!n}CL>3KZDIu7JqUvfK?c3gtkTJ2qOR>*TJFk^mz=1MI&y5K*OB;N6Hb zyw!9~p(^|^Wtt3M?tTcQ0#w0;)Y3prRCMVA4marTPC)=@Ct?Q>4XH5*xnF*mX!pD; zN~fVxK)Ofp9g?YRg6#8QkQQ*HjF)?yFiZdiSyNDtH)-{|Z)hH5p4XL|6UFhJ{OZGL zFI1WxcQ*Tz1OG&L2Np;c>U+t59JBx2B1~ytKu>6I9IH8?h67m)lU5kwX;rHDu%bUf zt>J>7atPeLL+RB?SsP3g-P5O4^@A6Qt;2OTG6EmPK0!XoRPL6yLgfrgc%gsF@ zI?P}PU6i%R*Tuv4n?;1pdVwztRtTg)v(7G5UjA4-Ao#!u)h1GH#71MbN4MbOEl0R! z%)-OT2$>GDVNM2pI|c50ZN%fD5riu*;gSPEKlj(>R~&g|An8-5RofobF76781TWmi z@=%7k@#P}7?b6HjnYiaz=tq^+$DpvY-b{k_5fqZfH7!bW0sQMDgug0=IB&Q#7I1UF z$($Fw6smxQo(&fU_iu;%|9uacenT+b7){!>WG{#U3Ziai?Q{+!#*turkixH;$YzG7{`s*C6k2|%k zL2PVuvr9eF)u&;EK&F?bl{Dm7rw>nn3}8l%`To$=JPpAV{;_0>eyFM&_-(pa@M*ja zq{hX)&f(u}SRMyK5QERwA$M|$nwnvva~X{=p+ngoJOWs&kHkI!C-r;hLR|O=8Josc zdXgsvAcH$m^-O8B)p6>1Ei zuio9F`Tu;M%J0NnzJRZ*^rK8?0(@PkbQKJs)O@jy`gag~guU^rxt_i4IXET1%@9lq zJO*=xB%;#mG=ZN|{&l3_6zUja9rBAIC4hw!vOhDn zl=!2V&}&jYT{|%c+*YAn^PAH^u+nMy59i zVFHJ*I6t0RIt=lyk58x*#C^&5>Ig|iL$n8L!R}VGYWkfABPKDp_SVsG!`P#Lbp#4; zMW9N_JlczB7JyEeRn~IYufTP;cX!jSpsw@5hQ}?+Tk}Bs&Saw5$p%CmP7|Ow+e8mqqI&ez z%kY<%-Vd17)jUe+4glA1UbqAC=8>TdmOG{k=s0g}Lj8Lf@*o9xYkI*j^<&_=40n07 zOay}u=>|ut(a4!r5IW_SmM@vzVEgUK^9fM@$hgsIcKp_w0J8$?@W}%ZibN4Ru zOMbW0{XWl4PAvTH8b}>|SS^6z0;4T^+wr_~29zqsA!gzU$e)#?0oRIs;;4qkuqR9rt)(gScxd@_f#G-)YpkB>^c;UG0*~ZIB((8L|pfQdtEzp3p8UwWHQX-K% zCDlV{JnlfmFUK~17a@jWt9oVs^m>VREx~XcICD0%y_X_(BDmFG^2SiBNrwbIxP_FI zP2f770P)uof{iKLOxiXWkwpOr8C6B3%BXp}u0YutbGPuq=jS+<=Lbw;F2-}8Ht?xE z<$(lffg;$nu>oW1g z7*uNCZElsfI|liAH|{_@&MCoapr9zckHParZs|n;_AuDXy6)DQz2>T2U+o>H&GHLD z6_Gav-yNI5%R5{#!GFoSbPBGk2o>j<@2CXgEQrm#o_aN6_%#8(CXr277>frFxcq$9 z!K}}86+1@Z?nyvb2PY@G}Opodk}+(15ty;?A_g8*{}X_qJsJKvIx^@)U@QpjM1)s71yIq@(u_as%f^ zD$C$K+vPJbZI$4PF?sMXt@?G_+UE&#JrE6kdC*k~!a52CB%i1&fEXnfxc{t-_iYNt zk$%*7WZV^U$}hsQP0@0EQedH&v++dVfd^AMmqPCP1=I=hNcpD_Bxw_D4K*m5+TitL z!&}4em9A}SS+^Xt7c^!hu${&*#6y4Vz6&6t_V3HxemwF&Kx2cI*3S`k205#9$X-B7Pt)59+IFkYdd#fwTc3s@^`Rxyu3YiOX^>YtZ$1XG&(;Dv&D zfE#l4f83%6@fi%?vi1q&nfyd?2hyuSe4`K4oWy%`!Y+7!{#hiov&qco%Z z>!TY;LU3a=bA7OA<`B1Z$l=bAk3N5Jmh8TfS?+f&@30TIfrl8gENwDBaUHttYXIqo z){W+i^p(`!{`t^*u*p=DQPT+2qKuHJK3RThgz*r>$tSXPI}^Kd%v0!_LhyJ0w(JZ$ z(1@_#xBg^bdXp<*t%*j)l8_&uw>}+;ZqxpzVRMGu9@b0 zuqH?fW$k@N!tbab8Lmlk$qO@Zvk?=j{{_A=Y40w`XvE3ab6GzzR1XVV_Yf?xm$2-7 zxvu)gHG|L`Qqr&#^o(bsl5h=UEW+zPGSWQ9LF)t9rArg|M85T5?AfzCJ8Ueld6Pin z=Fi+F5Y@TAYe3v20Hps?QYl*zG&^UGZV$rD!=oce|11>VK{zHm)5Ofw&c~}|0H=nT zc=hXRGrzbXRYBR33|)uuJ{bmcwVKFaoHYi_i!C8aoTGY5)7+LeuUU<<-nk z%}Bb}b#pwf@rd~(rP~Xk@mvZFl*%=u!O{8Qh@CZdDy!gx3?0;Dc))i7(0nehQ~5Z1 zpKmtZ9tl>F*i#HQQ4SY08KM5@H_3CYlx*!Rd_%f>FGbbdwlll`c4q!o^&8pQOIVkE z%;XKo#+^njD1BTKL<{kaAXRIp!{E1}?@O<>`uGB}JgSCljTe$^NM5nG zQ?CYZLHBcXg>q0rwQ(ka+Ro*sijz;{PmEx`A4rUB%@KOU%zPI!E@nP~3fCp~BuQ+2 zxjk!&RRefO%S^@_x#%B$)0478-cjS z({P)iNmzcM<-Ts&!=k7NGaua;R-03KVEU-vMShOk|L(#TOEIsSN};5 zK35<%_l4`(0NRS}8}7k*0?9?$1l~VLt+(b2T5#A{gn92RMYBOGmo;iNa-tl;YzN9VrQ%Q{(*GV;T;7? z$EQwV2Rm_*&&masOmmU^@P=wdGOC-LmF7$(wLQD!Ua05((*4CpCttGN1|Z6GR@!m6 zwT0z|6Z+e4vtzg4)GtGVMbNpfb&7wa_iQQ`)eu?r;@eUUylLDrlHk%U*GIh#6jM;N??vdtS>vdvn={ec{S*`e* zu4a~pw|er7sJFG2XIs`shdOK2@CDnKs0!2XPl3O`aY#V@EpNV^49ItiBeBUHj7fb8+ zlP4*BzhjSlc+PS7OW8f$p3W;~OVG8_r;Qe;6hq*~-xCU{mKn-zfMrZe`}HO7^+kc& zlMl>WDwnu1I|}8@I!y>Ly1Vlpp%`7x3L;ET^;>{+S5!!l-U^9I*PVFIQu4jH6FF$j z^+eE5Xw?cp8~e`)nMAONEv@pMKA}2K8Mwx3&TOS*>)2uhaqH7O>7OWGLpsBo)dQ6- z#9SA9y+@wgQ*mrn~WJv;}XC0z{SMZUjLjmlsC9o0y4U(%NJFH|Fl z8WRdilKHgDvx<+UcPUoQ2ML{rI*4~;)pQl1UR39i{;bg5g?z3WKjv;I>d})9mGY-# zO$d}(poBqp%*!62uic@IlW&CH#XR5e&{&K1lsKSLe9zRNC6n_19o1ON3s8-g7NHnB zUF>vE)&@X4r1h7rdv6K*SiJY~X$t+=`89~P6iB;U=u&kTry_4y(k1A;0GI3Kv+(2P zi}7a90wB#nTHXBh+?$u!u!$+a!1^c1hkOpIWD~iomUwk(#fAndn*ud{-Vh%CB(f;U zgcL9*KubYSkS9#>orm_GXd#D8I;+`MEVry6kEq-Mp_H@>OfGt@MbZ8g>Ko^~M&Ljg z4*g8{!Fbm*FX6P>J-_HLhr)5+i(|AX?(zk~&Js1XBiZQJ#A+r~IsC9VjLLZeY$f|G z36eFd8J1dMYls&Q4zXfz3Bj_FLI!fsw37diWQTt8{n%@6KlG$+x8RsqS>A7#)}Jnc zFl&Z?&j1T2xz@~LI(x2i^kPkaG&5b4bYrSAdz8P9zI8eHNFYPD7KuN#;_Gq&z(lA}f^iJiVT+fjaymMXd7APB_qoFTY4kffh#T6RT zT~ye2*OWOzuJd=M>s~I5p&vomI}SQp+Mz)&2lIE{k8JgBC&%LIr_O4cQ02HB$`&P z$pb)MGeu1}+~hw9Oa~xVf7J zp>?r8?GZf2Diy%dpc>rwG*wcJ)nG@%?HFkOM6qeN;GcjOIkx`?yqJRi zPw--{!C&A-k4{t?gjLxDmX1dJbzaCm(qy(e)UZ+cBPgZXxZ{wJqhw^SCNnmK^!&Sg zEt@T(p?Q?p9k)w=Hdlg_beglyUfb$7vYr0TFi^Wv&~<&>qQK?sxN2`cofj%2cJNx5 za?R3;XQPJB+>+ZNgwNctGDvl;)YPXsNOdDL2;bL2+%;deA}|?Kj_)@WO&iyF@Heu@ zwXEgQ62#rl@*=Sg-QK;PbLoBctUN2cAw6$Ci4vx4HHb&A$xyG#@+`rb2i8hFMYzIb zGvy+gI&<>X1s^bEOCNqG$#ZP2?Wk}{^A`Bzf_+9=Jce{B=VH63XLdOBW{3xnN z?KeI;OV(-RHp)9YRgNt@QP`VW#?1|7N#*%Wb^?^mj8n^7G^W+MaO71+rC;?rW`hqn z`tj)2@owD3hJLQinTs7L*i&T7@FMI*+LoDuKJ@&*4H==?`}8HnUN23nD-FVV4VhLysu-o4s`4&Aril@@4kHiY+dP z_0s7+DHMNX>N7Xd)0nRxCe*f^qMRp|9)Y&2L?K&F^xLRV?Z&bH7tr~oY_XVDTqVs( zbv0thD>`7}9m{;Obo%bk+$;3^LUh7S0^SwTAwW+_=L9WD&Talh=#tV)9^A8?t8kA( zH9R>LT=coN+e-@@?es%GWu!`+OPF%2Yugj*2^WAc#SN>RT8o_+K?DHC6#ws{DP1jy zh`i0(tw+K}*sVo%IFEn3`9Ekw*Kf#CD>>0Q^zU=YCl!l-x^AiA!kh1f6~Z%0Yth|@ zm6!64^@E7#S9Y7T(uVaRTI87nTR>qPE#TFnPna~{$WoIz4ZB(s9LS!d`(}VDmPkv3 zM{c%(ElxlGK0Q+=<$y3G(8%*gvlX=}J%9<4x=Xbk6^pPsO-Z_|p!bD;H`!StGS zcx?LonIq~~+-0H|zyPJ)9H}S@OVV!{CEBo$4-<@7^ZdO6TI3Tjmr2&tc;}|}P}(Yu zfuG)1BhKz2+D+A5gnM?I##AgQdVtQG0YIaO_q&LD&PUjDU3P(9TFU89QnLso4Tk<$ z5O!`gi{P^3=!Rzohkw+*6DNy4G)_6Nh;&EV>8Tg|s4ac@>|Mfyouz*x6QLpO7Lz3kX{XoNi3)n3D$8}q=C1VW0Bj^az=Hj+DdKw3iM_CP0R=tT(6;=jf4u?+5;djYac{T7= zPjY}MdFgyvz_nX&qExHCmloo?*zf#unpXj%F+Tq%hN5zDho+Z=8FgBb(C*9fnys8z zTgecDMFg{M#vZ*m$#S$v2phQASlj-N|+&{ z(VT-D%i(&o8uSHtMOs}??5=?h@%{A+*W>rs(=5FQ@fuF~3)n9<)TD+V7lHOpvO+1; zL8p;rz@`fkQp6ap+Nn|U{s%#^QMdJtSrRJz13ku!+3lTzcVJPC( zi}#>H_NWA}9Mj3JErdh7uLHHmeu`ACf8#SrmT=gf`p&g&lg#Fpbe{!=5zcbIg_ucQk(w z;x`7X-UZ)om%~kVTCvl7j(N7FO&Cx{P}zK~>k)5l2pN4Kq0HXV%-?2n-WGd)SoBPm z=R1rOZ9X+OdY*sP;k?!>q?6lrxn?mA5Cd96;wAs6DnRa~hf?!gMntN-ipaYS6!LsK zx8bgN1wd_C^0#_9ytQQDi+C708(U1`v2ZNmComu`KYX&9{u}gQ9hZ8yQu!S0%C>%4ka+%$p0o#T zh+MAieHE!abS&ET7vRR87*G&BrhB*%8x}kFu#gCoW>f*zs9v!StPk&{KPjb^UN2}5 zZX|+!Yc#xcwUpc*bGD@zd25l2QdC~^Ey$br9sCtLKrprCdm*3z=Pz2v8s)NG*%PCy z!DE!+$HE&x;(2}0#;B#N4x$!fI9&DINN@KSTP`329FLSFC7h*9#D~2+;Ujo{fgX?< zlH4sth-_~jRf(Bq+;I$a^q zATKe+eGle&WYI_^gb*T5X)7>wDl>s4q->(^EY5Y_!n_n2AFaaJy|wGzTUBSt29U(! zHV_~;>XjFiZ#$V0yx96RE*s-ds`qh+GyfWzhXIlB<_NGtV=7r~MAK-nV zg+H6%A{ynta}Dhaj*Cq?`IQmp5l0;w<7M#G`wD+uU!Q#b;Cua8@2Sfv;kYem|6$_y zvYz;5BBo7HCBnWA+gZXIDP^ukzsAn@ZX-tNPhk)a^R(puocBKn?Y_mQJ!1PkO2Qgo zC_*{&3)n9+_i9fa?At)JoIJMhxv}8$?Gmmi<{x#2IVikNjVCnd-{{x!71Ayj4?uoq z1QW$~T3~isYKJWPByScksOB(cczSb z`s^@rGXcGdLMBSqHuKf?n`c8Yfng!B?pDaTvsCeG8WN=61Wc|7^jlhh2?PG!0#X+o zZRxZeeHqjpJvC0N7lyB6#8+trc`ILh4&$bF$iWJQ%~vD6qg=2|6>`F7u&USmIi*Bv z=DCczwZnC0-1r~#>YP_p8{_}TmnWlka_o%~q${%;iNxjJIcb@UVTqbX=j)yhq>q7QNy!+l%^2@^Sd=fBk%~w)p-i_roMX+{?wv-bf4t7x-rcK8}bkqRt_{Z*PS zv_AOw3p1~aCM)5Z#b0&P7uNVac^0KgV~zTmh}C3fXQ+5@#)Ye^akiU63ST&R8!u#e zdTP+V?iVuwdODEThDBAmr>=i{P5#<5?yxn5e+;`#(_}z=O8(l*lH=rCrv%7%8%wH;lCj#Msq-0P5 z-!4Db)hcHpoMe)kbr^;8)66k8w0{7@#y2INYHa+-o${MA^L(TGy!_vbRVP*WOV9Ea4I>?>sU=f9&@0cP&*m0v1nKrC{7|@LRd}sXpx0ZCa4Vw;9$fq zz9QAB`0n@Z{~@CJuZsLn>B3r`?{72hR{LxGnUxkFB4H``O4*%PE6^{Uk22Oxy_Ktw zZ|u;e7!B0+k=z|x9DsMQ@fT`!M|#|Ln)C4LcYgY)L@9roa!vt_Sb9`Qs$P^*Gl!d0 z(-}Z*TT5!JgTS$%xd2Q+ebuK@Ti&!uPcttsc=6JJ`t{5Xn0{7Qe{A1qZm-*Ksbq!^ z!#5+j%p&oLMsFTnnNeDD1A@#jHl@~+L%N|}+bWF^U!b6%zT)UNVS8<{FS9CHII?F! zY2?o#ciPQiwzL$(Ym)3b3o4kK-0c^yzezBgtw_GX4-ch?$QynRhMUT*Rs?a!5LY(| ztb~>r=LODh@bZ77KQo*DK4|L*n63Gjp!cqt?r~X&;|R2bf6c_KPtXxg30mFmyJ|(6 z=yHRnbYO|O5wbcNYcWi2*-v{9)E7iHCk>$6RS5O&ZkQHdG9TW{y%o^@`Ik^*v|m(e z8>|Q;!f%Jx5ns#Fwx(FsnB$(#i)0_h&*K@-he^k)rL$f*{T`*B3Z4_`BYk)KiHGH#7d5kK;cqg)g%b88uIIa^NeJcf;X@Kv3z+Oi^CqDdEp{K`l(* z4V)R=nFWxP7sp>nhI_`6orba01TZS4h-w2#h10-cVxL6DyRXN8uwh3omcy9!LoVn7(S~6ap3K~w-%p!ky??Ioxpx9$QT{fF#Pf$J_2hIdjfCxe2gjyR)?%5J| zEg)-3IX+Kw2IX8{16$ITc1YMPf;$)tHQ}x2N0$0mIsYiaH^ucjRmd;}S>ocVO!wl? zYLk3=9OkZ@$bW$b z)e;pMr+Lh>jW06VOx$-luVAm9^26e4nSK;qEtiT543{GZo1>R-C*@qr3wi(u}v!u%QkDg#8wSJ zl=J#cQ4dg}idg~aairZgP?xEPYJClip$Mimv>w1|E~RdSG_is3gcwMq8ro@x5^;88 zU#*T)tcY=P3T-Sx?>CNceE=d7bREE^66`@CkS=3M${&z}tJ(!Vk98_vuczpWD?`PO zIiR30fBKG3at=V?vbi6s{`Ld_?s13#)~frCyzTqc9vdw&KSSqvzU~iGKnA*e9NPv` zKv2~SdK>2E{vcq1Uq31J$I8c2X!Xp*b8oroLtjW5*_PjAkkk(LZ9QSk3V#r3OVKrA~ELY zb0IRJkwVEG&@kDTEo%fOKTqvF{@efcU;ZtOgKetiANinx5llP4Af+|Su^lBx3VLal zx+gE2h~K|gcSP6(&3JIcjr|9#F((QsDZ<}H#aKN-PiF8A@y~UteGP7- zg9?FezQ6YJ(1l6!K(M?Yke-K%cfX~C$B5*FELkKElTSUCKNbIK7RO8MKLDlbV~izk zA-4Q-Vc(vX_o*Cu0-bceKst@gZQC*W1DpsuPac1zs^P1cC+@$KsAY$$Q>uyW*DJ=z zR>YRcxs!Oc!z7`jG!SMe0sp*Z-#Z%Kj&S9KD)-l4`9l2U{oEszIBO5d@;4OzjVX*H0Y`KhyNHX* zf^e%6UvYN*b0W3)95K&ON8;Jrx!q2nzO%NR_gl+k25+!Qkn8i#cUz6LvIy- zc9rfp7y-EDK>+sLc$`@0QNHfMFb>PCIg2v zkDE*06IZ~edb1}^3e0leppB#00g$Z31aW-vjj$*D zd>7P&+8OdvgcE(_xspUvy}zWD-r*3Js`5VP8uMn(GobG=E9B5tn2;W*i?nw%3uUax z&|H6^LEY$mqxMnPu5e&}~Ku)AyS_vbXct1N2$}G>F zg$j_kHjE(DoiwajgtV--&&7pBgw(iK8Z`SN9xoTT?T2>FO+1?a9c5%1f~YhZ?ap7+ zQq^^EV-8#$4;>R;tVD>719*i-sp#ZEhL2^J&W?(I&YFRr_$yiQuH)ZpsY9z8W;mzfVy{4~;?kNLcePu-F zDUs5ZJdhEq|K+IFntb0&s!?Vag0fW8)Nw5Gu;7>alGH^Nt2; zUlxVJ*U065;2BLQ3N^zXFv0WY&E@$ChL^a6|IDpnHzN%>d-U!XkT(Y1LinGYZr?m& zZfkAD#)2&%@x}bM92_w`0EVm>_N-G4R}~g38P*lHkI#eXxvwwiR+hen548rlGaRCk zpkthX-}Gl-aPqp;q9u(zT6oP8j+#wWR&~lcb>Z^?j!`B5a!Xz=DgQQsT3ppW*5){# z#JYal=L5V&DP(U`eLQ|TZfuRw-%Gx(z+NVf&)AMswfzxec9#aU%5#UIeq#JqxnW?~ z=B6@Jj|k0Sdm6`bT3`4>EC|qS$&i+?r46*rXx>9$P#>q1j~*?rajx;_Xa?2I)jWHY{6ToJU-c`OG&4Xj`b))~ zKeqo+Lc!8TbrbC;Ce^>v-TKJn-s`peKeIZThYJ71)zM!SL(>c=;-rsyEI7B=mAX^W zY_1e=2+q8-krjy0rXpD=9heKvM&b*1iSztK!+lnl|GSba0+(NEDz6XJJ8| z08w&hYb}aP0BSB;vF?-eXLBVl2|k_L1-HD6o1UmM<)D;TIQSR@sZ>qp+NsDc!_BH&mf?*%BgZX`I*s0lUK>tN zZ_q460S$~j>LCl7lCKF?KjziL4Rm0RkK8^2T*40dI>B&@n_MbF=bJuOEe`5fwNuKe z13-rISITCJ!B;bYrms?M$YiCp$~21(BqUGoLJ)Ak38?l_da^7iew*W2^&S*Tw@PWUfB*MM zw~%!kNixGSh!k&wQk{0q4+84%IG z%nvaPJOgZd>+BC)a_`qa9LxgjqY3!L6u7?HC&5(g z2Ia=&67juz?anShi>}WI@$PFN&R_FT(};yS({sN2fkK*}=rXKmoNlQW z=8^5RH|O{${0(-*Bs-+?zPL~HDU0}5i}k6q$=aQsUI)1=ykgdsM3pg zhFnT(P$t`LT?JneZ+)1_Os$y2$=yfwb7=V(fv@nIH)Wj=ySsfgfnj24IwL{3jsj%V zGT&i5&hv-B>*&nj9rb{bX=XRYen?SWUafNni1h*RxJ;=64tqVPiertfRI@f{0Ol+L zw->NVfL;eGLpiSsA;^>-2ZnGT^&tHNSaPc4v{Wl76v$~nu=~xQ)%iFQe^!l;0CU8X z*0ox+E&(y0$gKq?Hw*iVS~^{0Rs@o~4oL|VjAg^8xXLSXvyUb}DM%0@XPTgV5L3Vn z!U8OQR6)Be-I=2M{UO*vU*$Z`N6hvRJ_6G{BLCg851(KJ(Yp&s-7i+vGKFiMUVVfnH{6bU!^ z%fmP|@JQJelusRh`(Y14mB-6F&?FSS%|ULEWCo=xQM*~S1{e?WIHni%vOcvKn)_Rt znE~czS&@!Dp7)=O2~b9eWCRsHct_ov#<0MgLLF5nDjMfxa+;xFse&vaV6F6KC^`EB zUp3)GzI?hcT%&j}z8??D?V?~2Qou)C(I6$$@tTJ>N}Rm2T@CdI+JpfgvCpOf4T6L= z^a~$;S)farervzLutBGD1F6D71!BQ>A<=|KovOgSVXg2B_)yBojZF0{UM}!Ps^ZCB zEqNHkz5_Lp=Tyz0-svM~2hkly;ZYe&7{M>(S7VF3VMtD5v{!@HAx;aokYbrhff93t z@Frse9zU-fmT<4bYNlL@(FER> zb#{G(CMk*u^UxqZuO-a2drosM`SjhJb8G{Q+4_n-_+dVusBuj}#V6eRDMd^?=*(!# zKahDKIup*fN$UWZ82D(Px<7+H3~kC0IQDf>dS)4aC&W$&lq-S+8n54Pn*}IQW(aNex7vP;3$|eAJD2Aa<0yYnfj@P7UCE>}(r>NLpf?g)D!B0xn z`NXENaH(r$4hP$TjbC{iy<}g;FiDNT~7z# zmKF{l+v0QZX}|qEdcGo}x2N@3Kg^eR6C?s}XraA>w)Q?DS*>5B1M}$B)odjajBguq z&nVz`x)Irb2j`mtW{6yE|4XlGZ=dW8R#ghbhB#e^#fOkzazN^7u_=$ADh|kteiYxxbKcS*IHvUFUW}6^+$f* zPY6+uM#!`WHg^FpJ>j9$O+I4$Rt?)rQ>}K;d>%KR-Wd^{%`{F%VY1ZBM?9A)TL-Z+ zw>WRRtD0lJEK|hN*DHbPw_eeb4_3~j{QS-C)qGvga`Jx2)bny9{HxqY%Q~sB+DB1z z^b_UyBl61S_>WHGik&)3$2#Q#`}b1=@C#_^)wK9*`;!G+s-oWk#f+T5=!_f#0`Gw< z@>~9<_bHMy5Bxr2)O_+DV>qRxB?yLR9D$lO%&?z%}t$W z4W^4^Hp#DNx;$$40ds%jIU@hSnSP4R23Tt4HlmN1!O5NPujp12Gxdci!HRk z{z-UAahKP^qimf72A08g5AYca#BK~OvO58nhfw8%BFSZQ!QnO!6Rm2@JVvj@VBOXi z)=Q;ko#~}`S*7Rg_$dzk^;@H8B`5U6iM3B7>)qxFB6HYEW7e34t)0dzRf)n%@@5U| z+-_^_gpID;A~ksgYwpmte$-G?2N=#0WFs!794m&n+fJK*D*s(+U|<+iLfLmcq8xW3 zFdUP7VpC}NWNP7Jbg~1Rldk+iVycylhM^{A@z%nRcP-52V~Olff5e9<@rU->JLYaVBjN-3;0jy2Kk> z_6T{`Yi0=X0-UVO=KUr*rwsIhm97Z89-Y06>AGTz=K5VexAC;7m#-8(u}N0%mqv-1 zapQE6tkDdi)cDIr_Dn&N#ti6QM^8m&sDsAW~FQYij%&8L=v z=`&&CGiGdK{l}ImHgwEE{QY8NXF#sbV49E5C#xc^{j-WiU8|G1Q=`Ey^ruEmEk&$X z>b61Q(?B22r|RFOmqCn_Zz%8^0Q9g=+J zUd_x0m5BFq9Me#Ks%=pHeEjV6WKaFBqhBgTOvs9nG^wTn0m~%w{r*CS7bjgba(jgb z_Pg#*x%eNfYr7R55fcrD(|s;!6pGi$f3K46oT>+2ClA%Xf6;ta*mac;yplteUt>6I z8b=9>Gphs#tqz#`>*i?2M#$vh@XJnt7U$ge?zNYb@W%S@|E{9^OKEBDBm5Ij=aVtm z5Gt<Q_KoRNRvtpIRGVgU9bX^X3hI+DS>3ms=!fxEadh3nWn98 zvJO%8X;juW#`422L3KW6E^tmO%n}E|fjpzQ^q}B$XJ%mIrN?`y$bO%inD*r&i5qhe zCIWpJ-)2F^&NN%t^JW|*iD~T5qpEP@?85@fUpww2;?DG0P~Wh35`{w;! zJMacWc*@B98W4gO1H3n%Le_x}e>9=(w6tFmkL_D?3fDLOHxERtTgS?XK*wPk_`YN2 zy63}~N#b2GkGFn2clHOA@KO$!y@3J~)Q9TEu`2LfpjIrNW$&-B26&kF#WQle15DRJ z(v*LBx}(LjUU5Gruo6b2PaKE5xKW*{%x=($kn5C*nKs5k{gtX^fc4#gMRbmiBD#@w zOqBw@L*HrgWmo5Gx2fmT4@Blz4Ph_oBg`#?%)flPhXy7%MY|V2F$o*seK+6|N^&Nf zyyO9eH77&-dj+6OAo=VC5c5pL(7hQ4vH50BaP#DX2dEFzq15~H(q;?4*W4r3;W!Io z5Gs-NHN5ra65GdEF5XLwCCTm=gZ4zjW!2|B(A;6!Js+Bn33oYxbl@PKHS~V#xyr7X zZegqzcbYWi^37IRs~)mgcqo?&0 zeRAR1bC2&fG>PSlw@&~WKUF2OMf!n+m3@?1_gHaAfOKCQ%XN^*Yit z-m--r&sY(@aQ!gS<6COGQ{yaHi#Vho?FYOpKf|Oykiak!jnk70gd=H#E4!H4idr3; zDwZow6OPrdmRebNiCdOY?Kik9d6CLgNb)c1e%4TIrm>oh-oBftt2tqN@keSSx&L#T@+@~b0+U5F=jEMSn{^Ub$U0fHaA@AB_1!X(YSNVN%+I_N8zG z(vK5R+fjbP_W?yvV0oDxp+A#DIn=tt8_^t8P&!Ut&QwOTlxQRf(PFP0bnrdEubn+* z91s;6TV=AZv_>JfJ z#(jToP|OV8f6f**?d+JAiviab`kF8+Zi+pGh3HtZcnHQ5$c=_b7(?`HcM3|H>t}$i z8<*v|iK8vCjd+5}k^pg#$U_f`E}@;R@a-$m;v!1?OlY9-P)4#;c`JDVPtdDl`RHa_ z@f`$ldBY?KJi=5Mh0(Vi3tNUc+`(7wL(MR8u2`&4-uu)@;v9VAkv(WHr4QO~J~&Y- ze(KO|jyYjoclqI@IB%b&txNJ0x4?^a?M^9s@W~b!?NJoE*?LJP)@iTbQw;5R3-e8;{3})E6JjY#W6`SbIY{s8d2{@?_$U9afq3&W&7})o#t-eXbD0sK;RCU-YvpJ* zxaDBCj0!+GH3s^7(%8(^TEHr`dwvkL$wl)II1M=>{~laC)_8*22fVK&$-q!aeiZC| zvVn+s&;Q4$Gpak73YdeTeE+UL#Is;lhCho(`X9Z@G2*+-^l6kXpElwee4s;xt$g z-+oWZGH63WX9qiZ6`E(Eih%!AK6(vU3B5q5r+Bdj{Ea^hG%O+q=o&%|HPAu zJ$blTt0AZ1XO%~Q01~*>!0If${C$<~C-kbX4%-vVLl@8u!TkPhVcdT`<$r3Uzbv8h zBgBsC>jlO$rK7hjwE75o?M>&C1%#L$a>LMgULb%etqK$w3em{N!Gt#cl9WLqHCX`b z@jut$VnsN)tF;X4M^$~Fc8lc@fSJ{SxOwVzNFLx$XrBPa`2$jZMO%-}MYEVx;782` zVt(E}`*rF6(NpzFtPYLm0*u(UGZhu;NFvodz>ZrP^l+%b7SrWf<_pap>QWV?U@}bn zhw_+zakP$7)LGn*t(^J4*iX442msZk4u}qJ!<>wD?|~ZNlDL=P2{8g7`Kc{<{q|V$ zgpzSpCAAp%l0tfL!PD>`-}C>c51DczCYgq?J3Lskbf*6Q@I3q<|Hu>BG_&v3$q)Y4 zVEq5|s{Xex!Bi13iCwcaO*{o#A@G0pto+A^37oY&d85U=p9j_dXFt||KimFQVZlR- zAeXm3@`;^cDB%B}S7{zEb_DbkWAC=751)w}OcZKC7@BaQN%bP_JT-MKI_?KF;LJLt zJAforKsffKJPNGVbHR@LS@tif!NkYUJ-~I?%*ap(GMw_wMziIKglUI|(XPSJ(;TX0 z%$9Gh!9qnY`4E)T*#{;Kz?1P3GVVGm`tj?R8u++^$)Z}a?*-J3YJ>bk%E3ei@qf0w z;}U7=>oVi*5xf7}5A6T;OCK3*(+s4&EoLRIZCam9L}+*TEP|XY(LFCKPFe8}7BZLA z2ka^Y)R~H2wRmm;wvPPI7pt&E?|ZM0ppZYPQ7GF?@J1xY@d0(976fY#Pyt`)7d*UY z`QLBAH)9KE9#z0g|KbW_&>C+#f#xU+A_QB>l{mSjp(Z?~Is=LuO3;07JR-5k^6zC!UgyK`UCZm%5QVEf}ic& zTeJ4w^7^;B8QM{;f(86oz_0?gFZ|Ey$k)RwXJ#ETzB1o)l+o z+ZPYW{`K^r>SY>CWXI<0O1s(rpM+-c42l`i-|?ZCHGHRGg&9l^1pNiBK+;F^8QGXf z0LRo6(LmaJPZTi|KL_x2aUMXI>8d}vTA*HfXu~6Q5u!h}A4*Gi<9~P@iykN!Yb?aUQ?lC5sm-PeO z{kh=!tu+^~w45$CpPkSo4otDY5;|yY-`oRb%GSW+Ay(*HPdQxgU{Mkf$huK!`hz;; zHL?4nQe-ed)4&@%0#q_ZKsD5B8@h*+i{}IRD_GK0^G;(L=Iu@mt9XZ4&Z-PN9)#Rk z&wa4%dT9C2vm#9uLDAJ2NMbRjDO^?~TMwU8d7~uao&$Z{Jqr(@V@y0`a`XZpryGYE zb=|K5^MQP@_YGL{0yA?2sd#|GkqaZ?lLul8CLT6wc^DiII9`T(c<6D~At+rgglpOf z$a%$2uz@Sqt}-`9`NjVn;hfT9Kdp99V0%@QB&1jkp>&G!XS9My9`Ay?{iEcW7J#W| zx|W^QxWivZu#u>GW?(0@*QTc0liyq4`myGSR- zE0Mq~22S83LW0LFbp+)Mkw&k?zw%Uqpi1^^U(1ES!ndvd5bUr*+!frxT>mNlN|>Lr z3_#`iIgom8ugHtu9MACv<|#BJ#Q*gh_TKE*>-J@+#IOP9Y>1LV5LFcs>02Cy$?P}Xy zNiX0(-7WyWehskwRBJ<62akF#I0K6^>5`y~Y;s{&#LeZtlTIUHRz91; zfhrd7u_5Zee6H9tL`y1Kyt@77tGBA$AyhtFbl!TMo55(L07{DP_2=~~h9FYj->rD9 z6|&yW3tfd`+6YjUqGq=_QS{kJnA8|@cB$c0cpOLm;aUm-sX>w}kgBR}PZVJ+ftbcd zsDB$rp>S73g$OeE?cm3GA(60e0G;Sywepse0?JhliAr|e%G(NkJjhtCZVwRX1winh z&gh}rI#*|pk7xY1umLhOpY}pj%p5og|Mlynp`%2S5Cr0v7t#ln|9s~DS23BkgnbU_ zD9Bw_AD#flFe78uST}^bm70d29?yG`&rN=h#bpP!FL?_CLasHw5s5eE6|_; ze!Azztn7>WufY3dOHE(0?;0E;d7!}-#WodN_}twTM!sp5{nty=&JpFB|C@Dg2td0?lmLWTMo37ov5O#RzY zfWsI#G06+)o^><^d5WNUN1IxToRsNQi)tYM4iJDmk3jOC zB>ls=8%S;p(vkL~Jl>7vDoM3L2uLU?M~NT7;1^w9hg%@P5NkksXnBIdZoVmldmtUb z&q=zJ+=#TVl5I4><`&8e_^bc?aZUA^3?rdSC5(tmLKv_ex470GiV23ZD`!@C6q$sM4mcuaI*WG{Ei zYmhr%qz~TTiz`(rM83;_h*}0AdGP&L^Lxeb+--d2yo3~B!MxuKnIR2PT2QqbJJ zaFOyAYwH$1NL3AGQEqsJy~Cf{GT5C}#0fbr|m$21)Vj-rI3^23H#% zyi?ev>yZhfduS_<5 z+M{w$Vcrm2mI7T7{l@xkZDu!iwuI=%=Jsw1xBe|fJsCr6`5b0o=V3uaHyIVd%>xd6!Y z29|BQd8+Xz31PN-z}wAajv2#m71Yf9^3#L%m$mAKm^b)qL{rm*Eh0hdCXn3KzZerd zt55s9A+9Q?H4l90QFj6b{NP#$NIL>(YbS^V`!@T8hx#w)Fh$N6+cCSHPr244bIFeE zFJ3Msb|-**T@)nyARen;yJo8G&g;AOCyYVWlP2j`1MdIp+oFd;|$jAg}lya{zp z*$0ofzX_fZaT<8H9|hNWBy?1@lRoJqv+JQM8%pZ^vQFv%8V{#ITzkcVn`nW7&D{&` zwOe5E4<3M!*SX+_TE_UmpQVi8Tln&cZLJ8=^UMxn{7H_FER*%fL&EcD5Sd5(H~V_F zDNE{Ch`PQceAiJjLZ@RzxC87lFmljRH#C;l?)P}t`3QH3!NkxP2+#*Nz4!T|e7@Tk zzX#U>(wVWUtU>Q0kVk~cEPv~*!OtO@V1DvQlbsW7m@p$Ex3b^O>J$7*s2AOWGgb zz^<*=qo6Yex4pWYUji-8*8XQnU50bv72zMYKh$B7&c_?PlwK}(FQMI*oCd{aQTr7a zW8FFF-gn{CDM>33P1}~t@sjG!kyIm1B&M!a4bZp*G7}ljqp?f#miLtJI$rIpuy$EC z2wm~_Um!PAEeap|Ti(_rN2zv@M;&gr24VgdZ$uIt4X#L6hC>6F_8)fym+8{4G+ zcDsp{;-G!bSsmu;u=tT}K|U>@`E~yj2Qw-k0k+(CCL972 z5<~JXrqT01Tjae^o!aFRPfKoVHFJ>sg8O*xYBN$--)|6F;L@bGy)<%2A!w9Sr5IH5 zx>isw%poP^ z8lY|Bzo?25A1SQM8ucx5sI7s!1YAU_?-P?ulQ(^}P9eyZ(ak2vC?4&zjWm8HWuDHK zQw#+DQgjMrIRX92hhI~_*S1%2Dy9&K*!5u;h1sxO>*NIVEC)L*{}7p8%N4+0-$scF zwYG&*--6D~erEk>6)dM*hf8L5!6m2QS2m4_AvhuPu)LPKMP2uOUrqlAIVr7BNJqhr@G51qALsad`(mFDi7KiLY%+L*QZU+gJ@v|EN1YM{DyeN#=9lyc z)K=rICVicy%-(n>8=3jAB+^cl1Q3$FO)$!~Eq}1qIC@Q=vYut8F;Zz)To8M*RjHWR z@y&@Hly%zJ$*)%sRU$G#JnQgOuoS?E@hc`HKzhwD9 z_l)K!ZW-(I*Vmq}Y0N z7F5lo+r(B?owM>C)H@n1_wi;n1zV>$u858kZSDCM&O_ES=EC>+mOow<$L@PFITX`Q z1~r#Q(uaX+v~t;U=drgFy7nVhB{kR4V1a=MkKL*c!1^W_XxQN#sLF4H*YWmTdZaF8 z;cstO`kJshaZdD=$k#LO9g=-k-{V#byq%fE>z3A?*pJ;2D4P#<<)EL%_zg^4uL+k( zX$IpNtTg8ua8;8WW>av>gtS7Z)olk2=Z_vVaKrY(A3g304;PyFe1oT_acnYT=*fD8 zdNs3h(bw()MA1^a()J>t9Bzt!#X^q!eMIJie64!nU`8FQ-(UA=#H>EqmqvDQeNOj#}dIUdN(e0R9xIL{gARI4sW)mVK!1rJOdD_!wAKVDG(tas( zqXby}Xr-2~1vTL>mP@z4R+6q%#6@NnvW~Paqd0nwq5DV)YCnsOIQme(V33E>P&wP6 z^E@_)e`n_p@32UhAigqtrL2I%ajnv6B217<(`g1smYdWi++7T_&^&_X%qHR|Fh>#6 zs%r|n;lvei>9%r$uC=bMQkBPDJ+zp~QQ@z$8@0(QR#+tyjw-y$9$$hHH=(9Nd54Q` z3L+;*R9vMyTj#qTY1ZzG!=zH>brO27`IcB>DDisk%U{kkX}9ZwN9R5DHGu!6foAMH zNrDv5bY})_a1RiX0+qKBBeTDGc}0UF`Kf-GY3Q`-c+e4LF$X^1lHCKP11) zqaLcx0pCG>Q;!^fPdbnEPC5gsPYsx!F}B=qZMv5Z2ixfOf^T=1m{2W!v*z)uKao*b zQ`tbYeTf8EPr)wWQU|pQzZOJogFH;wi0~p{m91WkM^SWT?iAP5L7!b*;q{OCC4K?I z88JjmgP0yI!KzmP9oGC$snBSD?qKuk_)H&eqY}4yY;pzF2m+mHscLFgi_)kP5aquRBP7b68Rcs&;*uM=vs=1HW`;oo`^ zUd`>6OEHvFeVYyfKHzEksNW0+o_%>Y)WKQ316DWUUejPzHGF8!l|g#cXlGZpZ!$2% zJMU~Xo*{*C0-{HdB&-xSc;t1Im4J1lM8GKB#3fikT6xf9M@TxH<;h#w zC7l6WNWy8U>ir8x;!DEN%p~=WJ7+v_9KA|59e7oi%G3#mJ@0h>U@z5TP8yTObrx*5 z;k26kz(YmS(WTJBQa{1V(6bVV!;vR5LBxVNNDOML$Jj^Qal?}N!`Du`V-Rl`4obCM zv4gp0dd-eSSI`4o(rX0&5N*3AtVc;0R=F5QVOV|Np^|r7_3QNa%s}wUSFIQ zL%cZ%7u+M7+jiAq$|`a}Ug6+9vB90Z0dcrxX3%MuQ=y}Nihtly>22l0`17XcTo+N-BA{)M>Me!I-~_qNc@BD5 z1kl1c|4h*TqJ{RRSCrRz0?-D2nX?D zsI&1r+^iw?!+oR<+G*d-F!l)9-s}}!fvrj2Xdi*RE1SD=jJiIBiziSG2B{#QZ>MNs zz)e~B2i*ErC0h^i3ScErGQP%)4!89pUb3U%_xCMOlYixv*5*WGT zdO#xt{!ljS7GEW2c68Tzn?ucZ9Q^Wd6+h7A>8VHU^HdOKG|U_cw0x&%gW@bL&ZCPN7c-$<-{jCyts?}8;kMUrNV2%9# zz~sVO0D@wlNvCczL`6cfw-D_sTq1<)$zX(txs zZUJ?7DW-?7bkIU>m5-j-1gN@pN{zr*C%@7Mdut)Z6O{M!T@mLFSq>*fEC0vs$O$tf zkDTV*6OE|yie!`fB)kJ=Bx^*r^42zst9Nl1W+pT+*UovZug<}#dtxk&pB*6D1UDj& z9_xiElW!BV-65~UUBO*DSHe6apXlK&pq)gsAQZ%!@Sb@cp%Sa!{(gkgW2%0*Hz7J` zpRawvdR15>xIS~H{Db`$TC$**iFVC~d$MeqR#AAKWzC=L84G9RgTdgybEPS)YF9Xx7Q6-;2W}5zDsKhYQwbAR3NA9?*%uF z-ExI#iOOB!|K1DyzvK@8{LpYKYG!nO{(7&hkC=Op-yNF-zk|FBB6Cl$a&@pi|ynJ&RPr6{{E3^C_xGG2Cv2NM!erdYx}Y>Y{He|3FM7A#>LmeYp~ z_MEQGWr^j5gj}kcax;D-_Z$uC{6KxRGQN ztYB_KdGu7}A9SIr)l14mm}k~8hmT@DuHFCO)mZ>V1IYyky^c__RSUqHKuEpPDhYhWYn(bZA6{9 z(J`{mt_RyPDQGM>-E*An`*{itFm6t5p$C>7Hj({E)>xl0a2m5u;q>M`H2nKH{eEgSO$v>j4UU@_w9==pvQ`>R$TVC z2w}^2Ia-rXI8Fw*BN+@rJm0E2VIvf^=(oA|Zj`?FvW$|04U+sPf&sg0_~Ay1bxJ-a zY!$l-6rcitfoYK+083s3C;h~)_1z!7#Be9dchGcXgKmU;C{?})i@fI3rE&+ z41!TR(X`(t8k2f~N|DS9$bv{))bE48+Ok2#_K|RH$#NG_w6s8W3%tuO zoIxhjj@lb?py-~*WS;#6&X%Ie*S;zgmk(VO_|aJZz&{D}-YWqLW{`I4BA{SqI(=7% zXpn${Dd4!13uT!B3MO}Q5AliVU3sLvF0-ZJjOMm)iLXL+z!IzO7jlbsZ_lsUR1A*B z;Zx>g8Yp7`mtai`%(P?X9fVi~Y7S&Vrw`v$R^5R@yLuL>y~czx7;R%wguv8Qh6T=F zG$zt?~u_kEcF`$DUbW-BuNb04q;0bz-E=uF|`172WCD73@PfKw$~$mPcFdNcnQ%c zj1wd)XE|AEfT4Q>Zcvru6Mfm{1x04i+}YE_^nS&+m9&U5qF(!`{cG~GC)hy9^Ur_x zFM1HESo}FSJk5L0;y>MmyC`i_xxf_6oM$Uf*mD5g^N>hVw{0`L!eX4ly}fZ89K6S8%^t^~N1-l?-62Ale)ho-%+_Ue)|r)uB@##_j|Vg5Q^q&)fY00B`%ZzX za_Pz_IcO7=H&gWeENGADA8JOrWK#6WViQDTw%3{^C$AX13{yF6t0-hMpv})#@7{UJ zur5s-`z^CIi2=ip`Q@E6`{WFkkz|{8w17BINQ$$@|x*OnV9) z7o^|=$Y*!f921N?GxIqrm{N%ptm@RDq-{JpAB0F_6f;$kO)<8nZd+h{E|W40OJn0;wBf=$@WX%EAA}! z{K7EVGsRESX9d`$Z6_=aw>WB!Nws#38roo!ltOR#9nwq{0DY>!()b3G)9evZ#e>Pl zb&~AV%iBJuFQ>YwGHh!RofrW0LIFRmL>4<5RTx#R)w zrT7zD%bn_T*3GG3S`=4~4mJB#xz$FKuVw+J(W1I$W6ItA$wTE2`g?mQKL4OyPCEhx z4H<(Pf3P{0qf%ACLTP`#!VjrE)cZ)~a(q8|@;7u>GBad>u2&U!R<`vRE>ZHP=-ALM zm?J$H`@GednN~OYbyy6QInfaAKdWQNr)a&H_9ZwlD*PmaD*~5BjZtfeHZlaW*UxCI zCKs%{(`F;2k~W^e!edsRDT5*Y`U|IRzQp_G&Cwh|Ey@^@^(di!#;N8NOzVk5jt-+VDFRg_^<$BXppq5z-pqqYmbP<&PMhf(GrO z*~5xe+=9qZelML!d?Vq)>I+tN85Valr%h-o4Prf+<8!;#rUuqR6JS^c>2Z z#IH0(xmcUmJPdw@LTcj;MWXpSeN{Fbk=N;6v8xe|;F>+?cWXA>%G>8yBRV~L!zhwQK4QCSN=d%g<5Vm?djhn-c_7fP%gnC~m0@ADkDJRYa#B(IZk)@;-_dKncm`n% zlqn4%EZtZ;km=1xql7R@rzq8akm108wu+hFV}XI6P%d-BcmpD`5~-=Z;4b~&zy(^0 zODnnqi-ftj7ak~$+;S#Xny>nZ<>RHwB#BxH4U?J2u)_C z+luX~0pYMNd{kTPpvnTQ)-YS#OzMszBDH|#(e}EOlI}tf&F=IC6)7t1 zo2ATlvc8wpiseA1L8ul{9)&80Z(KNX=gX5kpKX={Hs85glUx>lRKV)w|e{Q$(CuA(x{{t_y-LXh4wfwjaNnJ6QGrzdJ6 zmR>Kb+wzNnNz&=0tMDXjXy_(%0+}u1%wWp&PYV3##l{)nB z+5Z{g&Tw~W2Ou69t1n9JbTNuW{-_GRCvbg5rI_ljGhfsXKa;6-N*{IsIdTFoh8I3N zaVb`}BU6;VzenfCZxJUi4s$iH+l9UEtuocLDZ|$?EPAjnX@!JSh!4zI%axMvu4(yj z?Qnve(^T(;l$W=(uJKFb;TZNJ$<%kXC0R%Tkq&k-T&Ia0 z`6PcDT}8d4xW}c#Ek}LKaKwYyq8chgJ)HD30n>7|N%NIH=se_ffFST;)n5H}T;Xce zn_JVZWou(p+Pd|uJG6+)r6G3O@ty88Rw>dW8mQ>55%OTy%A3S1Y1bxe$HfRf}5{fBKQt)b}YVPZNdrx0Q>}WI*y} za_N2nn%?_}l6*hxaMx%nL(gpAgJ!Q}|1~~(WQt?0y#4}ad#e;t) z17tm6eCM5RWV2aS!J%jTpz~xaf9C*}JSY?KJLMkTnkFDAqc?!DQL^GD0QHY7?ytlp zF;CMh3G_1Wl;Z7SSu|M_%EYMkVOli{WGdcww2giT3{vvLAX>Tr>Qxw6^GwFoG~|*h zw??HMO%H&TN?*BwiU-2X$Hmmdyad9Q1^_fe5k#Fel#a-1H6C%#$}WIccc(lSL1ow_ zS?(hS%Xwm$-5aWD00_?ox#x53gVj(?M}>(31zlgZ{Js)pD4Zi_@=tlH#UV{1yX&P? zJ*PH$HpgHl`6T;S3dUZvalBr2=GrNs+A)4n^|t`BETts#`-~^4z2*bO$V(+My76F) z-;u|gcOc?VyHc2Uv3I8ZsNyaX!Hv6p2@tc$?ShgT9er%7b3RoTf_s{S988;p5tW~a z?j9d3%M_@H&YYqevkO^488J}k3B3p}0wc%u!ITPt*d#WTK9MOk@;-+yao8o$mSHq* zd^Wu3a2zkBG_0v0jzGa8-znv_5(2vDF=z>NysPM2@#O|0B0}OFdb9imV3TkFJr*Hk zS&2&GHkMH|QF`+LspnU7decIWeX%MC&CbnJMw7E+?mJlUE}WP*gqz^&|Kk#RGd)7# zc&k-()X}GaqYoY_&EKy_A2Q;!ZgqmC2L5y-m{uzY163mgGAwrX((Sj3@Yl_XJcM<7 z80bh(198w8Ks2e3xtjfudS|K@(}wO{&Q>TsYcKNDD7B^oQ&5ws1FJiXWc_Koz(dwH z|2nXP{qfPaeGc4FdZ;=;h7(e#L`eNlh4p_L&iwiPuul-QDRc1v2vl*F0zYNE2gbZ; zaVbw!_vIDOxgfU-+es7gbfALY0=PBCF&}$SJ1Dd*XkxiH_@4qOUYyI5gDCXp*f_

3Dq<=r0!-6S)1JB!F zR&#$Ae+>OuUbn&vBj|7#hRig|c>eKZW3M!37(j^Q zQKV0%e2#eE3Ohtoj(@Z4x$hv#WP1zgyWWbnwEiX1`SV&Gg0eBE7q+5W#d#|4R!@Bj zlgIW9?s?t{bzR2ac{`!I{F*-{ZuHsCXiq+e-nYUoZ&z={lg+oFQEPANb8V#8@}r7V z-LdMqigL;u)82YsH$tm=o%1|?%bqM?VaFlU4%O$jc%L!qSAQ3;cDPaGuP$DF={((J z6kW#pj)699&#Tj}VF1&mXt)l5^<0!|&d8pQ`*j*RUYqfkh@T27_>q5WV}pj;{CbI+ z>RLBEjm|~+Tqh^AOiP1I8Dwa1%(Y+Aw7HtNG)hICz-##Lfzi_DdQRBZQQzV!9A)Z9 zFJLKt#))27g@2c*RanbI$EsJzM9qvD%h)R54&HfN5knXL`)DghP-IGvKO{-9LN|IG zl5Nc&I}A>Uu?bay`>jZSBN~@*P=I|)3@kBa$+EX1#0zvVJM2s00HC&`KK+5K(pr~8 z>f%}@N4>vEAG-9Rd~{s-1!fOOJo1PhfM$=hq({TRoqtDoG(1+MX7^`!UJPAr@!Zg% zH0YLqPmRO!vz_3>0-qAAvQm#AoJ6-0hYiy*!cIMCnQ=B|cQv-O=X20hUg%>rVkYoK z0o7s8LCysED4^Ew)U~)8NfTV~SuST2K@klZbN&F*Aap3x=;7$84$gS&@}MzhM%@nz zh_@Vjr+*9ODat`j_Ecx0ZaRSuqVDgMu89-x;ZMU6A63@FX=QRFciaeW z*U!XrW!x;9?ktN7!>^G1JH0e@<~;_Qkc;Hx-kis!jgw9Z-2xsKa| z&ROex9LTOm2elX}FFfP0&7X6Oy8fB=uRa4jG*QjVSYF(J(uFjBkXTD%z$T;vC-Rj4 z{ILg%+~fa{4$9}3I%i(wo`3AYF%+QGdy;=)9-{xf<+TUOViDra?pf+1oQ~4kl^C~< zNPqpz#Osq;nu+x@e*cW4x2pIgmLh$NYo5}IihoxygUmJKFECDiE7Z0mSi0Ae}aE&F_}NLz|KUZ;Mo%cOs3%ywqs`=DA^(4#uO%X$&(kzr9KW6(9B3P z{$Gd%zpJm1fV^|nQJiJPHxKm6u@qwhpnsTY#eEBF&`EhN4h2UE?iuii=DnyAYu+Dq zriM=lb+>cmXx-y>Jn|B0gcr8@S&zHXIYn@dhfhzW3|;7-l?#oLp^GV2J(67zVsLwa ze&Pm_&I_;45=NYr=NPWX@3=}u{((>ZCayjpD0K!SXeu`@kp8Pm-&(a445YzSvVW{A zn~`j$Wp`cphg6gzS#;{`fe1wFQ^n8^r7C`MJ>@Jw7p(~iM3YbyEN6c-*jMnCFh0Dtet?W%~f zaE65`F_U;ZP=*$o*VD9>T_IShslF+LfzO1ZXEb$<6gzGHytnaEsqH`#V60B zw`=mrn}Z=j=}bwteawV(De{kk9*O`6ztXojNud5OD`pq3tuz6PorN}V-MEvi~Hka2}l>X-NMI^F>(Zp%o z#9?Cq$xKORM)If;ZB(TI(t$|WH6z>Phf(P++_6)i~($&n8j5}M4<408{&ZY1@>49)lD7RgBAcg9aBBQwF^$Q-0GOla6 zM;a=no@hF+jDP5kg|!e}YdB69ekepnbjN}pMA*cq$BMS^I@W+x>vgi^l{|-&fZ<_V z;J}VO9M*ba#!!jU&Rw%!F_%S=)x2p${!zcYUEkkj9`D(;K1Z%Emz$%tEikgc(1LjZ z9rLvw#nFRzFpQ(8=lE&49>_GWqa>Ead&f@2J2RB>8Gp*xeTw^j)+49NL#poq7M|;a z(NiToWr2}}F<+}wJjeC9i9bFZnoGlAXd4)MTAd$kQqgVWnEY%5Lr?4RgE_?2qpKGG z^5~7f7Zs<+*uhA`6zS^G3|1Ifp~v*;p3imZnx@KY{+SowxfS-LJ|JP!46E!g+s-4u z>ya+XgMSt#i_#P!TMz4Tl1BzcjASDDJs2oZ&XjV?g*Q~GJXh73dz5+w=mu$2_bL`{ z*;$=eeN15WO=9(G$PQ31GeXR$zGcT7FI~Z?j)$sZ44anLtj;d2dEAOOQt$CK3;p#= zX`~Nt&a+tVl>9~_k1isqiohW#xlH6t$sHK*hJS`ydMIFb;8;j1Q&Ky^J>yV84wJa% z5_t{DG~$aN0gnn{2-2A?z3*i$Voh>}z+H4)4h2jqhZtmZew}(w*1?4zFOETdc7&zk z|0~^Y;e2Kxf_X1!zO^HQf_Xez^&Ky3LUZh1us1Cw+glfen|$yEQCHy};dOTe7QXQ6 zx_@c=#kcEgZHy{6%IvT=w1JZ?Z*djB6kj|#=tWEF^|jmavMw~7C{`AVtE#Audl91x zMlRaRc*NTVFe$&oU&;e7+g{8=l>A3#oI;aLdwZ^*0<3b@c^K8FQNLS5*HK2^AufLK z4Sy4P>rg7jRNv)_ln-~t)+f(Z1h|M5RDUnWxQbiBi=#nIqT&=7VmBo2F(M|x!2hlx zn|6aj|F!ClhxH&ijX2tu5K3;cdjIEj})f8pXw&0nLJ=y4S=-6|po@@)A=`6XFc7KDj z&1Kb8vD^~|k`{0O9wX2*KT^@0@+Lo^PJ@^$h}Cz8!?dK(1#Ta#@8@QKhma@nJTj(pT**ILt&yjw1s1 zv4+ z)o;`k6tUACgoe=O<$nQ%X(Gk&qEaqHxvVK@)oJL!6B>vjM=?xA!!JQ&frxmtgi^c8 zm*cqBO>q(b@-%*b7rAI)dPOKB)S*Hd2xeNa`dovFTv0|@5vS2xoW*&mw!H?JHvq>Eht;-UkwmG z4-ZC%G~@r(xR@8TgR!x6>!rnvvLcBy^)BK#?dC>QY^95);Cuj~j4OFjHo@L>I~-cE zW@#~v1!Hc82p0A*9@<|z=H`}Pr!hC1`E?(2bHnelF*jTJ_A=(?27%>+OSYomXK=|R z3~qx<_5rbEaDT}S7&N%T*JE%U2sFCF?*ni!vLiMlS)s zQyGyS?}DvyXqiYI$M8E+wQnSmekBPPP=5lyRy;G}M+~jOt>Pb| zZs>V+KytSHmffhSHR#p6u8#>$DQ}tet$4z%b~Xjx%0oq3;4cREuX zx%L%jSN=RSaf}{$YVEB?u#UfYJNIOqrj;!JKMzc>*Ur6Z?2Vb8iMUDHn;?9lmE$$sa@!`=o1T_W~5VJ0w!VA%Hzc|itqqB~Ay zvJD^*sAnm$#CkC=(u}*ld~D+$6q@%7Tdo)X*gKd`rwC>UyOd3!H%;u;OiGziIws#6 z7k_Im*)}>`l&Xg3a4A`nk)(f!z(AA*abm~KSNWAM^(3P6>^)E8j_fb)Xn8KItR zQ(`YgnxwVkOZip^NGe0A`Yqem?S;sK%A0LC_^GlPH!l~c1S1PDx>@gF?=&M8c6-km z!+F4h?-f}pu; zVI4|E-MI9f+KG==s~1*bQp&`mGH%YtfC6$E$~D5*!BQ1v{9%vpjvOPJ@5D*#H{;b! zu=Cs2wj$Y7vB-{$(ipg7ZWWkUnE{;m#~>%w;stxsvb`|*=HlbrKyON_oDB3d(tk3U zkvS0V6^Bank2~?r+Lpi&%3g=3 z;vf8nIwZ+*{&yvsKkoP-0_vW{G=dQ3;u7vE ztXx!Gv-txf4v5@@iATR3_ghkz`8f`^J|c7JcG1A?#i)xsx`?_K`NyAv8-HeLRgPQp zJ76y>Uh};9gRpDIt@*97SNu|Z@jnH*a!VgRP?zy9#y#w@R;w-8n0(DMo-{@ElAJ}B zdVxM70H}}Y@{3*N(C0pI&N|K+ImiDy@)v(5d}&+kiQTEj_8GuCSNSf2ze;^t_~_TF zQ*-0KQmxv-4#Q?OYi(|_lleZeSgB=*JwQO$a{nfJ_jJ@Z&w#oGU z*S3WZe&rgs>FnXvnDWqNxIg6xz-uz)VVrkCY=0o+w{ww3f6&_l9tE;Z?+zA%?fHAI z5j_b0)oMj&!}nP)dK~!c)Q!%AucI9OX}2C7@QHj|5PTd0h_;o9i+^YUeEY>Mobo7T zlPIvo;9iu4U!*1%NT&U=B;@iOUhlEUt`(0iMarX;=fB5Crz|nB#L&{frAn z@rh!TJ6hD9hBjAZS~u~>6JXRfEE968=NmkU{j!z)V z2PT>nud0P_YLp8?qksJT0Hef^5-p((I}(E|@t9CqWaF{ZC15pCw;5bI%rq=dtTdzr zv$u>pb(*_n6Q}O;wv0MmHfzfkj=jv-GQoS~q2tsh2y~yPu5OP&7LGUC4v5!bMR$O- z55+oQ8f^itwn}cbPY$Y<^&;SrLb0<151NUpB__qpD8AvuKYuIAfTD~Y;4V9&dc`~M z7^CW%Ls>9-uV|x#!BX;>k>B^@5uYsIi8At5@w6^16x*vU8tC^3XZfh>?bxg^^m>fU z^7-kuVB%+Px(NW>W~SR7!ID|&CSdrAGm%1ZA><3COGHaw=_W&s|ra z9D}0Vb}sTSUVk;=8dv)0!=G(mZOE&7U!ldfOCj`P1z}jF^$B7o;P(a77xoc!GVn&i zmg((L+3~()2E!c~_?p9ToJoH=IsH9kF#U<-jAp&C3K^Wd2ByV05}H=DS@H#E*_0F8 zGVwM2#2prDq}M0^t*OUG^(BjLam~X=qsEYdbf%>r>sqcat{>;{vFZLew&)QfJ~18Rxdv?3dYUbq2X%WA zzGgzbM`TIh@y&sF3POGdhx*NNX4LJ8sNb~Su6&x)s=ASMZEUI9rCj(JFi@ zAx@?6e~aRib9fInM?8z=*2%A=%IkBHrNtMoDu0pkm!fouJlo3wy!SJ8#$Xa^5B@Fn zOsS`j6)BlDM+MayFiXpEnN_qVJNMzeOh1bchI)9{ZjIbA=^ZGv@sx4$ z$<-BeEQ-*2Me6AUJ@xH)=e3}^eP2||s@|_@`I6?fs+a~Y@*90ovq~kI;CVB%X+|dd z+9nG`tW0LZkg2iMe22|@A{mJ^Z-KUC&wn7~mqzZc*1;a~S}w9HPQ-i!NF4*XM{7U> z9JRG7NW8vzp2Ad^nLNR-Wql-!c)ud~Ov@j!v?@Y8U|$f^ciwpA5cp~BW{7g%%&O$5 z@0vO3zop2t?n>&1hF0Y#@=WCXnDj`y#jbD0AG!JE*UbSfE~&~tRiLhU4L`r6zj=HS zN%US+-*J_;#rqDNx9j^mzS3gf(>Z)hj;|`m*U=mi-l!BOj_{{S_mnGBi8GaW`!>)a zOg@?R*|ohHXWcIu3P7|*K7MAsgnu5Dyzbl##X;@ddV%f2*!OrqoAE~#U;fNv(z+jq zvca)|du=G8w9q|WIA#^B2XbwX3WR3H3Jp(WZu*%GptjO+(?vx10bCYbZW((V2Cv1F4d=7 zK>&TGiqsbC$v^fX4fEcorKwL(hH*Ix`|&>*CE6G5iG?a_&K+X2B??^}HWIs%{en;x zVX9|-D(VDU>wg30qN?8XYk!wf+_$g_r#ZdD_hU1+OZYqnE&&|&W3e=T!$USp-?>+Y z;rDI1XTG`SInSW&H{8>~Xf!85PqZf%@+&>9SZ~Kn}%P? z=8!bur9t^%#>bes^|-2{^?@D*>IDH6Tk6+Cbd`_f@;H2?Tz@R@p0sXXWb{;Vb%Dbf z!>t}R^WKqCT}eD{z!x0}yQsv6fbj)&l?2)w0ZtArlS!G-8DT`aM<_U!lm@_JFw(a; zi}Pg0+}~T{!7-~egcl>Kwu0~4d4TML7XoE}33yw2Ns7w_=GFLHE#dF_XN6C$i{{lz z^m2Knv;msRZ+|i|Oo^G480`<6-_#5H^eZHW7S`dE6$#Gzq4H|vp-ErjyvXs{FyU<5 zo!poM1`e2ZVB6W6B3>j1W=Q&5D_iqx9#111Fg;MOZEQ{MtIQ8f4%BNKTav4f3QY=^ ze;cAoM03y^8!Cr?Thc17c~cz~m=do(H^e6D2<`&M#D6AgyqBGni4Cz;{6id-n$k`m zGnrlDpNq&-fTkAps26yYq;Hd&-uhTnO29>@?+ivI0NZy2(nBwOqqa6%tuF#_zYCfG z2s8w2wcZHesc5#GSP!!g3%Y*vmTj=xF$cc*h`J2=1d;m8`C(~&U|-%_vgRBmXP$h% z@Gl4xRey{86YF9)K%foqcl;UF!xm~|=xH_uiJi}@l@C~hF)|iyX#^GEI3yxo{AbrhT_76p;EmRUU5ep6^bc1`G>OtcgInoxG-%< zRNoH8%x>qAm@^q=-x#IPP9ETHO-1rH^F}z%K7aYp?9_ROHgr07f}w{VCr^&Dp~?BP zpq!hge8KVZc$bRm-@4(K2v*ZDdNtae(+{v7SL+8Ij;^wd88R;9>h=l2Y zFkfT$elf<)Kg+Ax1q><11nj}g8^ zK7R+(AGH}8qqpSKsNJmy*WzD3t&jDw0D~{9({NPtOr9&3@yRGP2fS0luO(^ zAw#B|SuR&6+V4U-v61s&bo+g1b<^k#_kXKXharR4I+`*a%)v;LGp3vwmo7x%^{j#( zSS?GvO0BsRsd)c2(f##7j3-UAI|{a!r+(YCWh{fKQ?oF3O))ZMrZ&)LtTJ`i@;a2w z7RTmlwoo>Dw$@_TJx&Ymu0bH|o|EP-I%aY$p#Gj$K@eU2!StBv(x*`X95;RJTz@NZ zR8AmW{!QV+<0|`A=U;TWHrTxO(*I7i-g1>$qZg*VH;(4=+W#(h>}NcW6lS9?GN#iQ ze5bl_%M5GHn58M~lvpamV>iuG9wdnIEMGWldw6 z^c>_d3Mlzv%Gapd8I-@`Or&vBNXoR68aCYCAIuiLp}yauIY-wVmXkv2o>R&kWd7R8 z+`4U;P26C&IjHkgkCZldjGjI7JO_KsvZqU*5A3gtUhe%@q}xfR4uuMyIDfb@%|K>! z)VSI8`RW`^%$h7KzN6%P%|Ce>Wjz0w*rpOX@}5zKMwv3ol+iKws~!V+DZylO4OKQ% z)92w&aczo{(WXYNt_m0OE2H-+{~8 zQ4WvrO#F-G&u6(^OLxeYb${HM+xC6)YjcO3I~nV{I7-52Hm{QyqTbb6T%Vt&*mB1^ z9W5-+DDO;p*JYYVaCSRt^{0RvWAy>i>6E5tK2qS9DZkA49f7d#5gA_JPk&H`cf8XL z6jKh3$p4G6>Y}9LseCYrID<}_IhVx&I4*jz{dp4Lv1DIWT0mDPJAV(VPL)}yGL;nU zsTVD=?V?W_bm$I1LJ6f0X97ihZO;D#0MwG6;k4bxodqQcC{*GeNKi_!qgv7vv|56P z9(?n$H-Yt75p@Vq_9n0%tJqG)!Z=vCN3=YWL0Loj1ujqR3HGqdo`02ZgHuSVs75 zPgA&=fFZH~nev9?OO|fWq*4Qp`NI|TU5{bI>Nt}gv@X}YffnWpLL$d?)KoA{(6syb zsE*f;4jc*C5jKysiI*bF&?XDr{;7-Wf3u-gRUK*4g9dhKm47L#EUuZhIvL8k$40%o zOd3cMJbm>enz4+nOR(Z_SyD{|bp|*-Nb*G0FUr%f#|3HO8Zi50nBF}37wvq5QF&dQ2of^jvirGJ%nIaP0oC5ML>&mhm&kvsv` z$m*yKJvMu#;Q`a*yzq~)aj4dqRqs73KcaYQRVWw`&7AAc)?!Xy;RLqQp5wcC-as-lXnjW8WU z<16HFpCS*Ty7HE>kwWzbXue04fK_kWv@$lg}AD=%0K*g5+o`YLeFhx zAlV1`G>zq6M;h)Kbi2TG|M!8IM@?&T)N~8)a|0ZAX4r`|{{LP9}t; zzIjxfBW&IzY(?6`e!yy5r41$bXBRNAY)D@q-Zr;S7aa z=*HZv!wfSqYu;m#!K{1l@3JHd&(Am)$zd>dyfE;>louG=N?t}CZh`h9@+irmeW$`m zR|lmkZ7^j6qj;VAzP4ZqmGZDR)rX`9MX6jc?V{&uF~~YAzUwBg8r_cb@ljC&Qh$iR zdTN=awq5kj1kPSn{FLR+gy+o>*j(C@v{pSd;+++Ik8nlwE%LPZJ_0KE&Ts|OqWd-+ zL1jFy8yy1*Z(OiKe}}y~{Gf$cXtFjf|LE z1!8h8gnXTu6k#+>dgMTb61DBD!hg$@xEB|J_oZguDn?!=mX?R_6Rdegy>iqL?ql*Z zE|_-Fv$YPp_QrbTlh1l$Xd8WFj`%L|N5;Qsq6S=Qt0r^}!}2SalBSs(Fq6f&C>@%= z0he0Yy2ix1Q15y2#chRJlMS$KTURoG)?nN5l2^|S7@fN6L^$#bF0XMnGC3hDlkIX`@D1z1ftYfz`Hg9u zqsR7zZSk$!u5bs|`!!FNbTrrjlabsp;1$gZPq}SDZTr9*hj@v9#N~R4@Yf{|zirVe z+4L*bv-XYn#U%1WVj|f#rhmQ>ub6zddu~f>tM<-b9|@~RgvSzCx9fw~UJktu4OaJs zRSRV|sd;;`-Ur%xFVyw*t>#z}p_XVkNySr{c`OThpZwRk+Le+7PAc)mh$tPbrKTks zr()zXlso3Z7atWnDWb0dlhHw*l+dnjUo_q&>bE%gRB^up#-Wv}n1AA@o^oG6vNu|w z>cXOG3BgGi{#n!4-*N-}`eYh2wLZb%&#~L^Ha_VBziAIRpd@%daY3r4O({( zcp;JlEPX^;3j>`i!WB#UoN^7DG&UzLZL8^7so5BtJ@ciTAr0W>Ybbc zLqWa$OYAi2!W$y|fVbn|FDmo!(ic--yJsf)=~#!)#FE<6{(#9PZW5?UQvJ#zk(bv7 zqZf;+$T5)nS6m5b>r+DxpsU%GkO(^E*G|f>V<`h6{CPScoqxLST1KfeD|Mz*SAz_o zx7pN~95<-sy!kGwPXLkr%49^MZ|9``U1ZJUpt(1|sKkMVTGZJtg`$#!-Ns}yC7V9h zAv0y-gW$NJ=m|3zEMQV|oGby}sSb%p>4$eLc*R-_iq1g{phJ)X2h-O(7X+2LG`UUrhO-kCoZg{PBo{XP6YO)v_hT^O|$JUyPfAAk2OZHMWzpemHlCLV0 zcFl5TCMl*8x7MHo9U>MTSZ-D$2GjCoysi(5%gEOY>wkeNE^i{A6bK|#R+a;6c{O5b z(M0kTJ}51z9xld{a{$GvHH7O5D2b9ad^~f~u|L>@1Ksx+e3l2YMnUU8g_321Pl<@8*|3gsf zsEYFscYhS3#7fz6xo=UzF7iL9VoH^zaH(0Se2L16zl)!M%z`RrR2hYiW_86I4j0nP zBLCu*^W#+~gTsY%l8gPDc25{Gq?eUY`tV5r1Kb_}0O`d4j`pi--U#UYThT0`*aMZ; znN|I5T*36y!LF$N{1<~#DKecRc1rC!8fNE;v!G7Ys#Z* z4u8RdaDeQ4e338N(;?aUy<#>v4+AVj9WAp_$-SB0n_+^q%a{|UoUqmjGfwWfbb*@0 z6-{t~3qz>(##1MDAEk-uW2*x!_@s#mVk^U_h3>}M!kDi$_)#0Bw{vnoiezN;l)UY6 z4Wj>CdG#B?gBIfR*D$?8dNi2mfhiA6dw&>pwj#pncxRykhsrG%Ye3RpkA|q#ZI)KS zQ$W89is;U(BXTOtOi|jv(9;^^u4x%TQ3%f8<6VJLJr?S;`ktFrfYsb=jI*5T_lTpR zt9g5M!l(x0Q5N*GfbUzmyrwc_;bF@A@llpeKupVYYhp!y|UEF;!T++Q|bl`#V)) zOos)@Qk4Xg$uOM^Y(K7=_AshD9;Ohg_&20`kCEDBj8de2n?y@(d!LuqGmn_s>mIX? zi!L?2`)SnMBZ`&yf~{dDGAa5?q<`2CtokjR;?ln3>lJEqxiy8R(^QKri&CD&4=aF1 z^Ly3Fo40=>U^+-j7^gxr2{WCJsRFof1nPw{Mn+ms+aPRHIXc5Om6IjaiQ+$TV*twK zl}E^DrqZWhF-2=IOLvl%IkU4MEPB1bc1d1U zJdL10!)qi2tyXn$trGPTVm4CS=!oU?4XavyyXz+Lyd?o3wi0GSq(qrXl&M5<9K$4E zY{ZvdcT%4_5>E5DiJlcRn13^@ZKpc|pEBX);XtFQ3DZ;h0xQa||2r`}QqU~HhmMnE zdD@QRf1ZTme=Lgs@kH@m{J<>iJ3X>6_vqFZv*%5J$oiq%EgocU$h|(pj=_DkC)?vA zfcL5ArH!{_ZO`_)5m`_7<3Pdsf7VUH`k&`MVgF;Fu>aZgg#FJ`pMS6p#fl1EoHKC| zjeM=IlS-5jIOB!?lob}u%sOjvN~Owpy04J#D{fiNXqAA(7$(N7#9)@)3d>z)oxKPm zyPCbBDC4Sr+(U9F1WFuzc(Yu8iZT-K5l#~ysB_TB#5+?OZN=U=G;*&%?V~jK_sHy9 zoV=L+z}FI{mx(Wtq<;mk#Mqvs)`=3uH9}Tb?WxYePemIO^jm;NfOuXT;(om}+u1k-l87@*mKXpK7%*b@ussjDawQ!he_&HjwIv0Ch~zn_~EL z%A}4jWi}zW`&LA#Z-vH1-%$lO>KPaC(Sk_Tixt z@|nk_DV@U?>whr7SDXhSdi!m-1Nb(Jwn&Z{E&zbNUf=UUmzau zO95pojLd6~jf1tYQm@menhraP53$G8WG=6e%SfO>Viw%cI*j<@jq@z5v2sIz+=$qrbKtagN{ zb7DG4)+PzN-ZG|Jl3Qbar;oT6*9JOK>S@MHo(Q>7_3}|+^mUNv zD{#B*YBCQD1%b&jod)&g!Z*pG+?g%3vuQwC9ZTpqr2`b6_(e50EdW+W6;O6{b`BNmFHafnFVG?jR} zPJeiBwUBg^$G3@YhAu!L31*VO_~=G61I-LH<1`+v<{Mr-k@~301RKXh!h^;GLYWq7 ztM&w9_C>Qjf;Fy`iep`HQe5*!4XH|b*2H07E2Nrf)o{fq)i?e4<#iTyQ^39ZV8mM8 zLuO;1JW+!xWqAvOT_NTRPopW-V!Hx^dVg{$nHkA6EyK8z>6pIb8Yh#-&uLW*76#Z0 z%;VlJmSIQO4nOBq8q^I=EUTNZ+H(Ay5_~rir(!!Lp&P`kvbtj_9a}akI(^%-$yCUu zyrBt7@Pw8eMMAjr7J38Si*RyTLuLHh$@q1cG0w|^8LRrXXt2$6dMZ=a$+WEjHh-Do zweZlbT}qi;Fc}AqO-r0G!!!=Km0GFm#ZbR_ z)0FyKD{H|zH%&RUSQjQPaA3-Nww<+*RYf6hvt^vq%h^Tb*XE$?zzRbv`1+}=j2c{v zrc5Eun`7cr+UeslpuEQ7Q(YvVynm@*;*7@c;paKd)A}5LLVeZbtFfElDn|9g`hx{w zSn=0i_*M77F?$X6pAV>$U#HWN{zY{TSV9kP$AA6BFcaACo~gn9r@rdhP=5uy&gF3y z>CC9vomLL1>IPSgW~v&?KSiF-r#r})TH^a^7NFIMwOzKbCH{srHe!vTHTbs&*D0@Z z2jx0-Cced7%ebzab5&eF&Ze`%6EL-G8NR16uWR#NewPi7t^a#0-pnI(kQ5npGLdWa ziXqi$^%p~y-HbYqte%DiIDhF$rBkAwCHLISst)l0Z}}-1CPx3~B@QT(K;g6P^4OBJ zxc1xPl_kYL}hZ5A7_SU*PB14RC9mYYmNWfDbhXvn!B>hA}jA#xD#pG&FDlKGe+3rUYuKTViv05!1U< z|E0qwDF;E*JQ&xhqJMpp#S#cfIS7un4UJhLJ1I1?$( z*Q!cAdamQ2Qb05SYf}e6bZex`b`cl4C*ISoXE-L^_NJ$sj#lB9R9WDpK%x9w$NjZ# zic6$^C@S|y$)-e5H8ZNs183aLD&(-|MpR$lV5C_TXAMP>4}Y8-#g100p$Un?;h%1} zS&>}xTS7RKL-IrIH!0q5wi3&q=u19a-hZQ%mybuN?2hk;kz7V{`}$XbROH#O&PBek zyyG(^3jf9rx-~A)ja%d6;HINh_%)ThuSUr^7CB`K+fA7AaA$ldo1tvhk$ub0dhnne z6CVK=6vg6GtABYFB$69q=vECTS6>lP! zc-uqa-bS)65G|FpQcc6i9UI=kz`-XunvG$XkXZV;36b-f}+XWIW z_kkU6*kJCLtO)LkggInDmXhbq?to|i;ta0bF*rl|_ni9l*wkA5LZ>wVcR+~0VB?oW z8N=|-5E&?Ctw?`wzQZp`jTDYnEEFBFyt8{z#_EaIDPBT5{i1GRUb&5_)O`!=ZeT;< zUb&>A#vXal#LM5WnLGqFqyr;Yua|OB73hkflx(JDGbNi@vL{$u4`l}N>JP{gbU%c7 z!<<)|@_@-Bmc%(eVe3fdROcePhPjXheCQFv zh^#oULw-o4S@H3b6-k^$YDS}Jb3m`$AY!yJ)TU=$QWH9l=v@wB%8YHBxkfP)=3txP ztKyeJUOizRT@u$jykm+NaKMh09HvEip;rE=zKSM9D*J%RRnM2;02qzT);J>E4-%-jxWqr=a=n<*aWJ^K z4q}{k7Y(dbTCISbO6xr%9#M(>IH*YL4OBObEI_4N0H^@~>i=IBHCp&2Gmu7Y7E2l_ zOvFihJS+qts(8*nibli%^i3U#RPle4x*|t}`^0i>3Yvzz&P9Mgq&%9}9OQMx`i1~K zQ=z7+Z8ZrL2XwK8x;0Da4Fet#1vi{vgwCpi2}YRk{JnswuBtl5*WPO#?_Ovh!J=d` zDHC7WN#>|{k8mIekZyJkppWPX7l>P=8_Q8)U$RFULEc&-o^*Awk!I4=Uk zh}1DHq9jhvTzd-`QEP)48*QWxhBlbC@zCfRbYby-1}u(&6t%a7eyx4n(pvETJ}|t$ z$Kn0G8N36t8%MVeIaTmF5;1>Od>kir&yN>i{HM%BA{xpf=qIU`N*gJuWBR>k_qWaQ+!~8c~hW4Zy=9>JTpGp*80HucUt`+D1I?HUa5^b4-7-Q`j2gKiyWtlp5AiGbVAObGenMiu}U! z<}0oQ1f-GI6f}UzUnYN5t1t69mOnMe$zQ0_yrX7`Eog+G>5X^r1nnX!^H#@1H)VGH z5c+&<&yL7CJth`ZmKn2kSZ67-beK6+?x}RLjUU%)QoE^7o1J_+-&}0G#{%wwd`kYqB2ZB%Q;vm$>^x4*n8Uwt`uR5;lv ziY9tIe9ET*nWHQioK(&(qQ5TNbN{-SfR2}Wyy+Mz=@2)hcz<74xSb=@IjYZzqQ5S7 zF-sN`c~V?Tk@1yJ6`il@5M}2(P%_s_Qlxw%^_Ug>o3C-R$EhWD>7&%hw~APiDPwJ9 z!^)erd5?u)3mG6uObEW)K+HN#`>H&o3vS6y>>E8ED7&P{#J z6)SJPVyjz_yyeThFvp29;j`w|mq_@_7EdTEzjl`18ILAgZ!PkVj5llFb!^F2mU`)- z@FqE@1&-c-m(PGG#`hPBCWUKayN&?*b*c3eE>=qVwVQu5IPGON!!sqxR050=pwLnS zwb(7qsI{g0g`&4gCqHHO2BWt!iu)GU0W@XASvYWLNSY;m42r(k<0RpA4a3hM$N<*k znN{^ge#Rf1s$*frCTBQZhG7K86;Nd=Dll5SxH4;Hsh|?Pevyk2 zEdTCmwJ(1QtTU2j1TOY3QkjmBJ65}SwIsBQ9*yDQyjhvBtwTJ9s6~tNX*9p}O0%&^ z)REtK-KK-?Y>Q! z4m#B7L~RW7Nq*)2_)AZRnU%xRF_h-yFy(b4^4ovqr`4_50<2{xGw|$z7~(RSm$xGQ z-N%uof}sldx7g2n6@S3X|Nfqg61}k4+nL7@gZC1b`@178479YeJUOgGu~#c^^>SlH z9l$AxD&XH@KQ}66HgzL4jMvo6a&qC#xd_0G(m@}KUEO?_-PF_FuqpHWsGcSPc+yJr z!eW1K@_!Y;Gni!H|HYQ7_&W-tWFeJM=|W3d?5$4D{L!oC7S6N|{8;Wv{2PKNR3ZO4 z`H}a|IE|b5?!fic{b&_tXnJ3kledz~*MAj)X&+ypKu3l;sZVz+k3x!XW5-tUAb9vR zTWDj?1Ed7dhr5rm5_uxZINQ-mtHCU}8&ZE;?P$j+pid_&>OQ%T3!S<8Tw(wpJ-fQV z#|}0#Eb?))C4Dm=sNh!9`ePpjNDAY@iCTt_&vA)PZtLP&?R5{(dE#QQA_r* z00Bm{085Ok8MXV(kSSaE(P3fkL`dmdk>%~=Q(ylk&1uhksD-X_2$l+o&698E%dCHV z+r=5`>$1pe{*v-s@HEojxAH)_G0L5p+7GPfGYrV00lPP>m(M;zay^AX0lPfTm$R6f9uQ6mq_nb;}&(a;L%|{Gu zbjFP6pMBaCpB?3!-+;RL`?&-4JZ*nyn9AdQ77`C zSHEZ zjKqg8e>%u>y{lWLifL8MsJf|lA%};Z*VeW?sn^;BBL)m~?~|{=*S9*6uVDL{Gsh7{ zu~yVAwSFO7^B^(UvTiG0j)Lxsd66f(+oxMMN$DzEXcK03i>}qaH)#;TK!jG~Y)UzMK1Nd^Nm)SU2vxjp@_di>3+`wt%tJg{Sw?>Mg~s>x2HiEWwMou zV|$mxJQl+GR`$5L_w97<=WaLh!95(>7^@F-;)ysd~yMa)*z zQ|QHYyBvUFOH8}y*=8o{<|VA-+!fb3_@h2Vd^uZ$^W^s$clTeI2k>>Om>n81FyXAGnoqH7X{|0g@w1+teo z6LGy+8PU87>ulBMeBG1!pR6F<r) zeMicCCry)Wtskk)+1QB^V!FCnLWbI$ zZSHVMXk+d-BiLzpfOaU1+Jc4$s#6%fE7y&{4#y6SPC9T9i$-RYfNJRDd$~3k$mMZw zW4&jmvlp!3bzM{w)#GS1xexqmXFsje@lEkb#^Wm5*#e3nBdwk}b_V_Mwl_2AgLj(J z@!mE<^A~nHu}6Oz(YAiNO3)rNN;8yX}7k-Rro~Kdq9#PQ6ozzPW ztaw*}A5R@cbNr|yy0;}g=D@S7eJ*^<&y4X*eGl+9lz|Dou)PbNGcywO!c-&Ta^b0n zrJl*-E4@1zXqbQH4{cB{vU+bPT88>`_XCBBXphp&&=W|}B^yhYySH8L0z+Sp_ky9H zFb5c$W%Xv(&*<@R>Dao%>=z87}nE%&)k3G22|qo*%$iB;7JIgC@*E{Juc zd2kraS=)Q=_XT>e8qSHU`-8S;Zcn0%TbKA6tGa*n5pd&ySyRx8_Nn3-v1=r?^*uwC z3oOI4ID*!-N~HU{1vSj5>1bQvQ6~|pnK|yx=f0&~EsU8dLzJ*viWfi#qu6BXEPKh^FKmr)tkIp8DS*ANKemj|A5jiVDX$zooNfVuA z*BWZs^0X|VH|{$>jmB^Ml&wbW`Lk z>$Cz-h>Z`Wm9wYAXnV2G^mICB0uyOX!#T;7DMCaR0% zlQ+=?CZXjUdo(H-sbE^gEqTs&@^K&{bV zSM=1)(R@AW1t;C=TAk308D|5_5kaJj8BET;zLyzXN}t zZvLz*R@bn$WxN$#4fD0imZx^n*~P<9HQx143Q%)Tb5T7w+tiVrRy*q3-z|0KOw@ZD zb+=@D=hJ!Tm@;F`W^6hyNm|*M+}TX(k|#7pw!Xn_RURD^VQ#d-YjP8(_{Ee&)a?UT-u2QZ1b(t=svp=7OT{&L>IyJ-H4@N~v%uEF zqRC2bCKXU_YVVf#H$EKQLcTc^^%5ued&S|cTjU?nq-V=o#_)HerG4Jq(71oZHl=1> zhoX-v&aYWqJ-S`2Wu5f2rAS-P9j!|c)X=#;&a!CNlNnSnsiHlr2fFT=yzr(H2|A=Y z6}3V&S-;S(YUN#nY8!B;7ELD8oT|Ox$1y34cGXfk!j?D`DbE`$pzUkV($OyZG4}Xb zv7x(Z50DCa#$@6mn&_Wv(Zqi^*7ypQnj%#TcMbLT2WM6G&(y09c4xRd!`*S5vC3X8 zoake&30Q}#a7{a?0~3qlL~Q;nv#5p-{L$i@(>x2B&HNJ#OLh1F=aIq82(tIZnvpuq%0 znRqbq)t(Id25hEa0A^M~12>FqN7hOWqOUakUGM+Sf1gQyz32+=8eVLQZyq!rsaMz1*G%gj zGqD*onzHjS%#_>_3u}K8!v_e@;<64K6+Qs9PFu7`IB9W-MII0ZC5S#A8O1a@4t1qz z%3o@_U|=G4yIT3+C0+EMav#LvMv3%C`g^2$!P_W+qQmANIv z#f=GQU=AsTHcB4Vx_CBbA{umcFw~JusBoEO?pjq)?8eQ4a7llH=$>-w$n)tty;j)E zI=beKz{x&&5cah$hPoK(8WZai2HpNE4)+0(e}uq+wrwT#Brb73XAtE|ZkG(3d|(eo zt6{6bK6fpZJ>9HqEekBQKR@g#zK*H(=Se|MC)+Wl;*wYL+TP^`-2QCJ?NSXxH3NNK zT<>la1uVAn{dj*6+*(Gy)rdExVTq0IILIk8uCHXOJ3zCYbA3$TBE$3Nm|x4Ww`t}d zc&0}xuXiwMWlalrZSYjc0{oS_GvPNW;^$Wnzk^@&OGg>k^>%@2jQ#L2Ob_7OUPlap+o`srtewQ(J+9fe)VZ zO1|O!q_uw<=~i#%L*>n6-c08`qQ~8pOr&?59$(EX7&J1>ks}!$QC?i)$NnzqL%Xy^ z`EdFFxqG|ixNU7~^i}$D?>fa+CHZRCIhV3*Ctk}=v@B(1*S_hZx~UdpHrXNBmgTGO zHO}juCpnlu0KxwWkj+-U3tLSPm~)Il5(GeCLREjSkX79zqFtWON;Res@9HKtSlaOB zAf1G&w{be|R7-YuIl6!%&?sz3b5I5At27(}Bl_ z)w0#q=%5!gc5!bO+RQBb5)TX{LFOySjNpGL^DsPYR6_~cs0>OB_ZzzK9K)W)-1Fc; z^YEV(Pv0)R^S~L{khcZ~5Mz9)$1Fe4#$f6OrP1s4Ao6x(MVx(C#ZN5;{;>aSxd{sDyKIdOVdnPVjJx z#-atbHdxfPx*0&B;{ziK3y~u^^!M>%J} z>Nv_-M;hs%p}v&X4>JG;k6cYu z&OLyi9v4(ud&56Mu%~}*>D-c{V(w5YUv90bHcZz(*i48$`d@YI^4`}Bh#h-gm{A`; zWLe@c67SO=u>A$#kB8nX*UqTvyU>!j$s;4T-8*B4L98W_gFnVyxpqdKo{~lH6Y$5V zE7#7bvwTU+SM8F>wWGkoU{dy~<7e9M2+qg~dRnX2MP-Y}fe zdAN-8+T&%)(fE6%2js|`duEh^clQ8J*{k~uki{?WF7R=>(-UPELXA7yu}A*v4*4l7 z$_4SFJNVBX>Co0n=K-rd4(yUN0vTpuE(sX@;s3p0%RJmdHv%RKV*k4gVQTc(IL|P~ zYd>5riPHwLR$fE_w`4Nx2zmL7$C9zyP>aU4!G#YWR!v z`N)hfflE%@8{Y?pz#EO`a&&;Rb?Cvge!ua*L<-SJ;9tm{SZ5Oyl+_jaNl zjNx_$z{cNDptfDDy2EybR$jpTxe&5;L7qi7DL+Lf(fjgS%}M6AC3&I(Zp%_(~t94ZIxL`&1Qj^ zw_>wk2RegsDpJzOx5HQJZEMyKNtnX! zB>5?cM)cvLX3HBP#Fo#1eFo^$2H*z07C;yGc<2p&dj=A zhPQ9l814H^h|h8aE!Cvjo4MvziWO#H;&E|KpfK^1y;KgR5Ggm-ltA&EILQ^()#$3> zx(o3$+!?zJ#}vYcEax5ZIBLdosOl!YcSe6Fa$O$Ri$i(d(s2a6E{3U1w*j~{`*^Hs zAetN!j0sZa@xv9Kxq=w9Dct(S)iyi8M|?QA`YSBI$48Tt!8do+`Fslb4B_phILTtC z0tp5;0nogcbLAqiTm)n&s9Xf>LZ2bf|H6aSjmft94?OXoQ^ZnA^l?+C{N$3@oGgEs zvec&-oT?;KM-w&Ut~Nz|*gi$uFU9F#Xz2u*RxY-jHDcowUqah5(wGDSdc%jSU+(X3 zd8lKuI=DYe2DJqJ@(`ul#566)5{~Q9FM{GmiIZw4;aM-8Wd8r7rsW$xlNXmCsrJ z@Fb^q~h1*sAAQK)%0gN%PV6gzH0 za0SD-+v4g=`1l1UBH<4|9mR$x3#lW_qo;s81?T|m(GQ~VPxy^v)mskYsT<0VsulAy z*;(C!omsS<{tgqEny%mYn~by0@G{ec@UmSq z&nducG9My*%hA14B~8(J(BywiLW4nbTUtr>!~7|l_Ey!b4ll)D30GDy1G75xQ)$fJ zWQous*Lg7Y(>f%;pI+|%^>KBat1>%gMY&h~J;RAEeLdMvD+kk)Wz$BDa&&h!l8MGG zC(b8gp21+#;jik(sHgbpC$l3LDGqi7N4Urk-D&ixPL*Lb45gq!;CNer%zJdnklyYR&JfD21WjxK)3aMC? zd1xr9-%~~EG&iF>%BIlSU(*)Af%l) zcc;Tq1hSc3ij$_7KsgN+Q{JisFR+{9Da@mtBj#Eu59ohXd;)_w#Thj+u^X9%c%hUn z^apk922yXuB)V-InS~%tDg9YjAIni5qC=LyNFdrdh4`q59ty<+7i6k-+!iuuR#q`K zEMvgokpnvQy84F8HDm~z*`+9<94^{1NFn78669cEvnTcDhMhYlU|ZRRV5uDL7OH!( zn6jcpM`C}tWhi>EO*SDsm0u6hgyYXKRajTyb{iE%!V?7b!2mo#xnaCqQ<^fE#T@8L z^KekFcS>HVbliNlkdk`HGMsshTm6`WaZ*F&M5Ig^$Wk4U<2U+PN`qh9_;!l(?Mc=1 z4|x<0f4mfy717bHRd~OVk${cp>qMz5PAzbmE7|O#GP33g3mNs4b|uGV0%L}G{zmC5lP)HR z)yWkM65#5rs=X(mH&Rwc4vpYQ0tFhcT8#XiIeNL$%hIx({)hQ%$K<5?)s8&vfcYj` zn~Z;EUr`s9cHn&zxef2r6uP{-)h8aeyuSV5%Is9)1BwgP3T}81#bF33Ax?-H49Ym zlrx{`E6$9h9bGr_ihHcI6FW3xww0|_-dTQp3R5u~JrL$VpEJaQ9T2S4_z_ySEB8q*mJ-vhn8w@VJ9a1 zMG35M2ru1&y`v9GH=pi)=Iss(PkwZFIy1A2`Ea80bvBgd%){ENXhR!WZ|of(M5IP+ zxG}Vh1!PP|&1SmxR!fwDBWb&GKkbhCYo=>^vZtsMQ)R>4qjpR3_qVtDlP76Mfm7<4oTgTWs!c^JsquOXR`?M^~PUO&lJ^IgXVTF~bf+Wdt)m7lAUOXN{-~ zs~eM{SY7{dxB77XX#zvc1fvtXO+9S5Bimj(zRWQb8m!`t_Nee)WnI02tnf9Ig4_xf zv3p1Au2e?jLfxD6V_XP9aS?yJmxVjVsp9IM<{!GzrhZF#>F?`!BdUKK`gokua7hsx zT}0dUECICe~~f`2fyXSrJ1$ z-^H5xQXkCGQ(*M4h&z9=vDq+#C0t3^b7ExEVc319y6n)d!w<6jdmMCsDG_j81V7*E z-~82<4_BYUG~CN8a}z@kM>P_G@ZBXu_)Sq92T9D^6z26{y6bI|KZIL^q5cYxw{pu+ ztLz9E{_4i8Y2{qg?3o*wh6^K4pWj^H{HGXy!~uX0SsIsFu9|;t-&CtjH9?NLRc<8- z7<$-~X~2d9HXNW8Xe%9cd*4nXpzk38#($39dc^6U(YB1B14d^Ijn)|tb)2pHX{C)- zXS8JPGkTsVrLT0lT);Aaxym4z=2le%`O5}2Wx{rFD^Vhtt2LoO%4`4@0^=AiwW&!<<(fPqj74cj}-Oc)M}d7=(#q|4ZvcX9iirNyg=<@ zZk(um`*Kk_(t;siuj^LQWKWvJGtQ|ayNF9kQ$l&JP&I!`ml8ao=iwIhg`td{WYTVT z2^j$>igEa;s9t4BM=Ly?yCa7q?AI$&;#^@OLYX&yn(=*0nZM>#j#H3RxxuhQ;y zn(sX??iPP{mvCcI?*hY36XBu-hn`FY}J>f4ee^7$2{P@Fx zfR*13JN@vw>A&Tn%e`J@cS8u}^l0lJcdP#nK8G)KkL2Pg7TpBC$47OI94OcY+(=MK zrtv>`;CO4Cc>4TRl5N9e!*g3Vg?iApC5A!1(mQ|1b>|r8Ig<;KGTK*wmdpfRZ3*9j zyggn|4t}*$rqxHtw7RBDs`8*rqvGN=v(BrFMoSG#fZu-xR~F&ix@uifA>%Q$#$kgq zL&rEtEeQAxu9To@s(tGv6yrVAotR6?y<>`?kn>1M3D>R(hBn9AG{Y(M%H*r$+vZ3a z2TFgcaPylb%@s5A-#Cu#{maqin|nb*`+vI4S%qpt~`Fd zGw>l9I|?%B(jHk~W&!At-q_9+D>ToANUN-JoY?xe`n@XI9iw_Drp3q{lY#tlw5DLy z=%iym+|PMqU$}lppF+&415pOT~+&#^tuP|Ucs75ky*5AJQalAgV@gE@Ff7;sl ztHm83{1^_uy!7cd;;RVvkMJWq{xV$I*p0j__N|cfJvnp1kip!ua)uzX^6ZMx*O0T9lIS8dA zFkOZFeID&Y`Yx+TaHQT--kmo${jJ_h z)o*EU+OU-d%<95yb*=oacb@@w))w9RwMN>rU1j}&MoIUq>eDI+wkLm)IS+p|_)8Gm zt)gi+w4rP(&c<=t=TnQP1OG%nJnxYqBks!Z%;KN;M_mt^VXWh(+<5b+M>#BB(k*5| z_|@U&K-0y8Wnpsp>o8(t#vIV=t)yX_!nfTQ<_sw_^ z7%xk%5}AM%X0jaxc) zDk|wpv};sVhcO9{tH?9(M9+Su52{oW*S9O>MEA{4M~%5?VRkzu1NDE+PIV$jrNIN) zE~gSTcG0YQ44Ipvh;6q|lebnLUsd+44S+GpU5`OSUP|m+8wXPoFJ2Sx7d+0tc@ZZl z&~M6LgXX=^RAG+$puMs2mER`GgND2`Xm5ucSlb}~k9ZH{asJJVH$j1ZQ~nw>?}Mfa z{`UdS!1x*_@h&Vg)mMKy#A$pu9X6)(1nZ6(X;NYQZ96E1(>f|A0UNCPYp~|2nZ}Er zC|Mrz+hV7i%7<*HgXA@mWGYGRh!xRoZ7yxk>eNZ~w)Q7Vo!rWf!aRA|;P*yr#!i*G zIc7<`74FL8WK66LmZxu<)7jAXa|{$LXk8Ry#$mS_LYu}1#FCTYbI*ZIK6*b1?#I=f?xm2$OMSv;X<0c z&~ws9!3mB$71c&f=sG=OiPI_iPO`%KyqUIGtZv}EztSojMB9dK=yiAzee9#>s5wv7 zR5pm`4R&-fb8JGG{4;u4U8@v-HJ*!25*{9Qp^g?rM?Ojnn(|cPxd_OLjzh#p)pvl8 zm@r8IZlQl}ig=&$m~=<7rz9@M{Y7GP0h`lmHIrGk=i)P+xTAD$^&Y}>_Z;uar;QoT zZX|iACN=7(mN6BWQS)Y!4(ZLQJaX=@QK7n`x_+pRyp$O-<*SFXVyYSINUNX{rqwYI zr^iQ{T0_5lh41lkCHC*uRt zm89cI%&S4!>d2FOzbSwA)%dP;RPlEo-ff`9{eCwXdGH~RcYE1ZFB9zfN`Z!H(lQxt zZ3%yKLwQy(i&@WR_7{eRqT#QX4$b1ev}v#!|7w~emUo}u`_noVWp;o7Nk?^# z9@%=54_Tp6PYKXepiQ9~jU*NZQz14xrcQr-SvJ4q*~cCtjhpk6r}=TPcC42xZ>PUN z`e%oAo$wLJ!-1z{y%W+pPYg{?o2us24~Skyr>QpjX%U;OJg^N@#5vcBb9rl~(y_<* zohRPWfrm~*hWxZq>Dcl7&J+0fpqjXct0SN%n&t6#@2_MAy(+rZ;NiEY2;FA;aL zS^@ms5a3p&!Ni7iKeckU(I1UfxXq)9T69{QE=gq;o|fo*%1rr$+H1g%f9L1Z_xRoP zgZXai%@eW|FGU$0Hq{VIJJm-4C)1wVKo+uQjp}ryR;!WkFrCJF=q9<5#UbwFx!)eK z>celt=DVG!5==^3S(UQGn>?)Hl;dh&-3Kbj6I)2*&Q_VwRGE~q>?*EE6P*AH`y ziHusCAPk!A8xKKIpxJfx!}^ES8_YC^CVBK#B}X%BGi-ITMr>ZD)o02)i)Md+7O+Jw zlfzISTlJ>TO~ep9@|DiP_yh&PixIH0YhstsQ6*&XkGtP~U2%a`m1PDY&m!P?g%b-l zmrxi8fBIwDX=Z{L6raEI!GlwAQNm^elbAn84`zc=_1l+ur7 z^LU8&{OT@_WoAOGSv0LwfBA%_Cy7{QRgkwzM?2M)GPutI6XpsbY$e=>KR#~C5W@pv3=wnWA;qvMKN(bI!&Wc`Np-}*MWh7p4= zagyj6Z~)sr_K;xQoSzn8$4sG9#cIa{^Pehd#gpm0<)E0nwMF4olJ_(^u~k2DD7bHJ z^?8+4n@C3yeyzQZymfy%;p4CV_{h;H?8*9sH3a-&awq?}rx`qGKVr;Y&k2E@7W|lz zDUAASP5=9C(#$_qP4A*Zn9{ai`oM?hfFV!1utE!rAY*gDtkcz7JYKzxRUcFJ%>BPo zW_hgMtLm{Ua{M-8ANwdVYR*#+wi75jD2aW{s&LZkF5gal_hElA^#U)7a39Szuqrj` zrw|qm*!s}$>MidFh#BV?VXZ3c&0nXC+Ca@T54q%K{RFdK1ZYbKD5<4c8{vJ#m&3mx zd6HDM$SU5i&p}K6g49B_)LxS_ydZ_U0?Lbf^6c0*@XfXV^g_K`_fO-yeY=_Pq{q8` z|KzpLcOSy8)s%nDG!No(vwmW9t=4R%^(@?+_znRYcDK+z_Ec)voWDYL@3MAWDKl5E z5*2?usRjXu)Zl$$?KB^C#AZEJVp{>*(tFg_(yHxhA$i5gdR)*~F&&XU^cfd!7WQMW zW80e@MDIiYA>r~Vj~~nCph-K`hpm%oPc6_|b4;cqm6d;@6Elv>=pAl0@O24ai1ic? z-DD>H^fDXrpe5XayPm?EZ*$@eq9Ox< zw9-EIRBV6Tq`y{XAYey>pta-1z`)yLUWFzPnK+o7L7}q`oftYeaoz-J;3>COil<64 zv;In1YXPeYHZfg3*`?`Emg)2MvT@-KQt zBE(WLb#F7xO)YoJ&XTco6E zz68u3wS0@`SNi-UMNSV78LvH>Hg+So=&uWy=6Y!Mk)1C5u%f6soUTWgy;;u;e8)(`5vx5S^0!5bg}6z6dUI!r1}b03tjj# zWvV?Z*YwJr?UAXo#Lsg!a8N*>{s|(J1O_>qu_9;KveEoP!YKK6gEr4hfEj={eampGaug=cn_pW1)v zY}i{y*9o5ar1>kF*C9*yR(H-i^wVj~p0_+`sd{YfL*5$!Ql?k%v&?7`8S|Fnob#Ft za_^~4{TBQQ&o{xzpu>$7t5-{P=*f1(oxpj+5Wq^UsHJx9ly_WoAVg zf@!RGgF$Z9p{HOY_WWf^W3&4wC}e*fvN*qfFk6Anqf2jutlpFUn)&*gq-SqnuKtsi z*1Nd^bZHsN?XjY54*Vn?vgIwAvQtS^9q{M1o7?FX8PAR)? znn^nsT&+4N$}xONvT)Z_r6YO9E8*&N-fO{bnir!hnLo$#nFTJ#tc_iF5A%Nty+pIP z#&Mo;GJ(l?bUNGD)*6FpV?G0><`JPW;zP4p&okiD^!|oCQ%Paie$cKJtII?|j5x34gtt@KOfM>K|W7y~N|3;fm+;=%pt7qdQ2i zE%6Fy{NCPrZnn--w>C6b9v+KR5>fLRG6PVQ> zA<^EFa%$Q{pvvL|%ScaYey>lhOn&?he9Ystgs?j|?>?$ide7>@kF(vIbnLeZYepdt7M)e%j>GUz_K+d{U3q=C4zf^RRd$(N!%Ms~-9(O95L7 z&=L)~Hxq@5>YbRm@CttmE3Ua?+$RjK3lIO-cxUYgOFQ`-q*K;pR>Y#2h`(e`?i!&M@G%o>)mtv(-_vSRIfUO1F$F8(pMH|`+3^;It&*nT3CO$8w?BgF~gwp(dtfR z_Z0-kpWy45`6B18M4t^W32>AOKj7J4^2|592{fs@UX2O(5$(3(O_j$GYNH9&ID!k? zYQsJ|qCK~mc^|*-GeRMzI*@Br?HFhW&aZDI*mI^CR{s}u3bz<^kEw4FF5<&cWvO#@ zSyAI+%SR_N+T4F@(Oye)hdGQKwC|$nD`q*w1v)0DeVn>$)YvDAC;jl@=9nch?J3@Q z!bQLt9674n*pZ578<`EN(6BWPsd1vVVpp$Xy2W$Y3~Fv|HC1`2FL9|>B}F4?g4$B! z(-hVwEp3}g)%yUKhs~&G6z0jxrWtB@u6V{XxNy@JeYJlA8H-~bzm0H%mlc{>JvAa9 zR}Fesm6@68QWRIv$Bgo?k*W}Bd0{QVL0v!7ZmP0am5)H148SBUA+{6r3SvrIL7G<6 z81WVHYna5U0}8uUQpsIpHu`C1ao5q^x|fud8_vgWtXtD$(JQ|o-~ac&|KDQ8d39v& zf9s4qPUU|rENwm+?Kahhl!cyWZB0CP5Yx$`n}FK1wR>h^=5N<0vRiYvtqnD2QKu2| z^T(;$blaOjnMOd-AMJ>uKTeUw#BNZ1_@+%^^^EhBcZlSC)aD*5Jd4dh9GsDpyP^e7k{tRB?cakna(@ziD%sCr(UpF^Ro zi2_v*TI~tr7u=iz#VM^E-smRwRhT5%^9Cb+>^Atl2S;@}k~c2>-`O0ArPUs*-UFJZ zU?zV%`oM)_OkK&fp7S+iSWyQ01XirH^_8~1I>N7Q=(d-ATNY*JD|}+GBxxi~)ZNj+ z1iiIcOY3G*BStZuJiEq4_^4X{c~%sgV*3;wXtsSbaiY#1P9|s#h66MlkYSu%-Ab&F z2&vOIaP|&Q&ZYO4=mk0jCmtrm>dJMvOk#gStd=qspfNg+##+N;|BPO)Fw?5agyUk- zgwZjaI{OeNVY-EVXL0xw~VFwdu+Ye&B6KcPO7T z)gf3Npqc@jD`Rs-W1UsAu9!o_Bnpet-j=48Fild4?a2b8O?&^FdIFEPLz>wE=WKW6 zA>1d?SNaeRzoyC8ZEdn(WQ;zp<1c^xZ5jXz&52Z2(tQLs#i#k4|VD)y%Y>l8XyVHfMw_@52 zmPOho#p$7lutug|(?sjGHd!h%hP@X0#eEb!n63@R3xeGX>Ak#()8nbcj~ah*o}~w9 z=fd2+@PVfB;Axpo{+7j>X&1UtK`sKzMW9{aPKt24`b?tptaP3gW|%=ez34*G;-7qG zl5!(fr>dqGa;UQUC!eXc)%e^>TOrYk8B{9@oXV^I%%N6~wW%s8d-yD>KV9nF-F=)z z87#WtU|!HFR~aDIaEY%k-fe%ho$9FABront((|X?1(o4|4fEhbGu4Cv<`XMEv0_tm zC`=nhOLv==S(&U5?LKYxp8jwK&w;^e$>tpXgqDHy*<+K2SVmXwy9Brlq@O zXAQ|rV9em!Po5jqI#++6v`42`=CuE^z3fybagK9?QeEXdhUF8rBCbvVnm}d0dAup3!!hAFX!bF+EM&rYm=sF{wyEiV5hz=MwuNg( z?PJQqi%0W#bv4@XObtIE+ifyreP|yw%i%tS|LTAw|Sh0?Xz`uU~aDx+u z3XeIl!}RJq=G4x?S9|GyG}&34%p_)gho1U5^k%DSMdrnvE6%yXoHNKB?>0DxH)J97 zG;H-&Kg4NVlIYX6uzB#D!ApjH+%Ob`S5mSvUp#M{N-3?8``K6 zZ$&%7MPq>>NA1u+z#D7AeOpVgAAVSPpd`TaD?0Bhh{~Qlss`?VDc|yXit5-wj&U1y=DeM&m4oi$OP8$Z}vT2W%O8 z62`JE&|8&yNAmD(V+yah@HupQjK8Ubz8p@I@#ge3pW5iOKSymg8eRx2Fy}R>LJO+; zyx8XPkyiG6J5o)5ul~ve78??)XN4lPECyhSc0M}h?HGksPAg1_lOPa&+l*D3?T;be zL6(=bEs;5G23x2%owTr z?8iLXN8ePkDn_Go`z+fh(1Q>z5E?Zg*9R;GYzYUT(2`1j*GqtY#)Q@9cR#vO#5qQ) z6?Anv#W*Jq{z~Z$6n3CSQ=e3G2ukC%hQHi@`dzhwoCwhi!5U*Yo;IpypYX0?*l?*Q zN!j{Zc94SKX4P=T@f2A0u#MD6;;(MEzpt#+X_D=-=hW<^t{bEDF7G_!E1;jB3366u zt%f)?CA!al@Q|cAX*JG^X&Tcj{3!~L)e9Yte6<|5H$gLc?SrYR5r9WJQU$!^Az_*x zW*wzIMUzb$iN5N%Sf8MkS+i+Q;dGW}B7Y|4^p#F`6R^x*uAZ`@yvm>%vklWQf7w6+ zK0vKRsd8Rs9VAos11K4Qsenvj0zQWAL|)(u&7~WEOke#1>9E+weQ8IN9{j3>3vZ`7 zHQcA#_tp`A*&p9KQfm!#6co-^-{sM!-;x=Nw^@s2?wNXuvyd`_KFXQJT;}#`q%@Xw zO}_Dtd7R~O`BE|9l(?~utxEQ|{ib?xlv2B^#H;MqG_{hum(5if_+Bicgf?M!QJR9Q z>y;&cu#J2C7~>xECwv6eAEBCJOLE01Cc9pXQke{tEnE$7($i%=o}6Mb!ss}Ma@*(O z@hMgvTpTgSW_cq?#^1xFSO_S@QR1{A8u7>We=~`DIGp-_-C?SyI@vKwH>J9<4*0M@ zom@+C)<$N~M;Wja7&}<2*HgGESBa~8ow!1Ob(}-$S%lm}w+|NfVLn5^c8b8Mha;RH z{*mGiq;S1~9<1nm%8$I$mbQ>*V{++i*~BjJ3PqX;2-W6mKmp2L@7lcgI@og%xy z@I-mF2a2@;9)c{@sV2k*q_2KUS9g?t7U8ODb!Opu49_TBRX5j#t7_y)!lea%e4sgl zg}M<+z9FO?PKgZ{Imj5#aV!EbLidk<=~iBUyuX{q5+ktw@PoB|fc_Yx&+urauLO<` zCg_84gnszJ+PFY}?$Kx1lm0BAzx2R{7FR#4e{kQis7=?zK+(==kg$>HE2fL}2}+vK zDn>yZf@~)0AxMsxV)UFOAYQ!sFWojL6*-jKBkO5wZ#J!`KzO&}q0WfG^Uk%!NlhtuODZ=Gk3eDxT%H$f3) zDj-v|G~XQQ2>{QlH<&O@kK#w{ld33<0^xHJ3^YT6^rd`{Al0M^=((i%e7ACMQ>C<0nzWLp|eeCN1w>?&Kip_yH z)d6c$Xm5|zoaE}D+Qpbg+U`y5c1J5#p7Zc{oceI{9jjW^-t~RU#1t*)UI$wFA4L?HEec&x?swFfcE<(`}yv-6=s<(9{1HaCUQHFy}dr4jLnC;8E>ja*6~olqXVjFZ zFkHX%+&a*Oo^t27&r_K&Ic0_!DbLV&*=2he#l{>}M4@_$l#G)(2c~24c*PdMTRMJ*}#;g z?{oU@+<(5kS<$(bI=SNPtN*zEc=w-jE~gSBnucYW#}B6xr1Z3(I2vO;#s2%gqP z0yd(*LhAGtr#n-FTL(X3L4pIVj&g34v;j(BI_hVZ>qRhs=9&p9@w`kNR@zDKyRHH< z5_$?Kj5+Ou(MGh_U0iIlue>jIC<5ADLYm@yf$_AF^Wjl%0ln@?j;NA#$5L<_OC%_q0SMB&2d*`^Ap zbpQC-L3fyw7H)zRfHrX2gR)^qJotza5B>$GS9hA;=a2t#xPssYy%0tzyLJ&dDBzMaEwmvd3dK#cnvS{}*RWxAvC?N&a0Yf8-TF1QaV-?07gd7o>_T!- z4tcp&f5v0sh_LX5Sh!=PK)|R=DMQ&+LWq-t5rdeeL8@aBcf1!r-@CjR>GLxRC}Pr) zU&e#KbA#Zndc(`wV>gYl>MJ22qgTq|SOZ0t;-MW58zo&Q*94+Y;WA#>ch&)a zf4i6)2`W!}Pk*?l!^7a5>7fFSkg=o&jR)Sap>A^kU1fKJ zj8&*rXZpg$cwG*7t^96)DKMCBpR3=0-jJzHvDvDdYcsZel(4KD6>ji=k=hneb`|r% zuZp2n*iM9U;RZTw7J0Q74z28-a7psh*6lh}1)O1@%<8H;Jn)8%+YmdTw(`4yrcIH_ z(Z6x;V>ifdJL`;;kwEX?9ml+eM95*qq~7-FRFv6aQ--6r_dp>5b}o$#W-P6Ln)GJN zCrnt~hkF@(Xo!Tx6Ya_OGKRY=w*W9SS8$g{ET)_Hu+O7#_dVlWHF_i%O*SDoGpmNG zHWxS>sw;)4YPlW2afNJQOPZk7yqWfLZxu zu&_Y29qT@FfW)JY5La9M-oJ={@O2lGg4F|^x^#Qs_KwcP4%fW`bxPyXiA7bwl>wBr z(9<~WJ&aHNuFihdz3MMjteTkE#ScM9U zqNI}YDBP`7W=L0uk^VwEG`;ED4tBc9X)83Epi*`|)dLy(n5iNG6v0GYgb5A#m7(3n zyL=32l}CaRa(BS990`$SNy76tRfV6A%GsS?gxHh}uw)ndZZJ|NIPYq64D;|%jPq#c zma*VjUs$e_LkA2Q1M`7@e++yhqXc&~d7urs=~sq!D3ok}J_*)FeAfY|Zb&ytw(Z*w zWjwzVaxOW*paI5_Ng5u+!dsc0I6$!>0v3j0^w`hK@-0PfRev`)yMZPm^sx{W8e)T8 zLMVpe{@^c8ilE{aD+#t?cFkV+HcI+9^=2Jn((J6OLiGWich#1E2Om`v`4mDc`R3in z|J1$s!jZu)JA`p6C1K}w;X&n03k^57fLls1_Rs}mWE@{q#0CEF5dP@+S{I(~-I#}R zx&U_DR=LaTz?K)I*{LLsI89=eU!C#nw*f(%K zoL2%6OV!8AM*wspKNS1TS`}PF`(*v~r?u&!P3aRVtKD6~Rn6D6P9DJo-7-?&ulv`8 zQ`xJzxlzej`HaCa{VeQe&CuIx0c?1v!!#$~!AUo;>o`q+;xt+acwl=QBC-B}8D)g9 zhe#d7$vxCI0o!^5GM>7{QzIbFUK;-Wx+XGXvgSyKN)_VaUegSnw?25)79_eJmk0&DFi})G3$W~eV5{pfRJmPmOuTt#Pw`D z>csN_vUyyymihHXNCh4Y*M4;W>whi8u;HkW)PMc2Ie4ruLMrfJ=ylnSVrByaZ@sjR z!whac!KzFN7)Qx&sf%Kh3u>OFOxN$B)a1*!u67_?lyl`) zOxSD%I0xJ6*Wx#G#XYEla95)GHSy-Jbb;sxNp$JEB51LCxvJCFc@JOF^ zcBjL!bFw@Zu)}w$jDr}l03>vIFz(-f=#%u#=&d?A0CsC_3@{8*Wh`XyY@5cBwF7|+ z&Mqp$I4RD7N}KKi_m<8%VO(e1;&^_%f$e4h`}#MP&xyxbPdc+ARbTfrg#cf7t#$}*K@34${ypEp*8I3d5E`sW-0tZ!|ec_^;^oyXWZC-(f+wh zldF3j;zm37%Bj)P%`@EhWVi|S4wHv)WrstU?qK#2#|0k-N6q$4oIYkkd~F96NILgX zo#V*kgGkTxmhF5fB@bh?-JQMWX!tO`->GyDka$SJaJnYDoCkH#a@s=!4=FBB-$a;- z7YE@z{}t$PRN>brW!Iu@N>|^1`qWvkO51(V?S6=#uFmx-pDV@H`lU#BdLQIW)x4PU zQ&yA|ymtNyzh&Ea{Y9Oj@VKMZJ{UOJBW0?*mcOch4Znjlsk(Hz zrh>Z2_vvp`NVfKamC_+PWX)9qO-z(W28it$`=9W52*9a~zF{El5fG4XWV_uulFD#} z2GVdZ-2p@xBlqm}V#|y1{~6DSYQ&}yT~%QEIU5{J$3chVUP8Kp!1U2(MvEgoqsvol z`|W2)b%Ttc@^OrI%iMK;J-!T63UJ>XcInvbQ-S^(%EZ$wtFF($zF!XJo@Vt6(e`zP|WulI?JGOavvT) zQ`!KMQwou_Udk}vt2-0!-I2ODPUF(y(de>ooc~TI@988w5QQ7mj5??@XY)R8vC z@wiiW&tn)Tr#w1;W8b#JPelUHy{B_M{Z-!V-t6Is3+eSiCuAzo*fG)+9|Fx=SJn56 zG`_l!T;svVZ0`vCQ3r@$3_g1tBtgUDLMrKQITFTKC;W8h0vvV#4D+~vQw!m5x$MGq zV=}q0*`0FS>|rr34ToKr-f|Wf9%dc$VnmuAyHJ_6(=Jqh_W5y314D~(X}Rpe^|Q)E z15+++p42NP$`@l&bJvCE7tG+oK>dNqSBp`o`|Coas#=%^=0ZXT6JLx)!(kUD9nsu{ zN1E{mrtMR-{jwOFPPbk7e$DtZ*9~NJVU{iTkYqy-$Zt*$hia1@v$TjFlW@64Nr%%e zY@a#XdzH<9i4*Ntwj7mgGSl8z;HL}0HJp)wH3tg-u6%VNF;j{ifv>~k zG2tC3)nyy_^l&CNK_`GgitFpDhSPeOL}nDm<4IUH*spzvU88arVwc93jnL`8f8}!i<~FN9giLMxEW2D|BVT;w9Z~ zaU;w_n1=ho35Dn4JqTo21L$d8Ls8ny^Ai>Is|NV<=S41k)AulI{`l&4;dv4mtGfWZ zhQls@Ogz7tFPjgKb#^M%rO$U!Ns$;ACl<62j5A&TMrGdWGD7OOHxzy9r0)9?Y}-yd z31T+-no1)FGER@GTbqPST{_!a7n=8Q{@US^B;iY>UOC(`S%5*qVHc*4l!d!OG9EOo zDNHzo1||HmV!S@rHAF5Lv@^ZN*cT>@LD7u-uQ*Ti=_^)0nRFsLWp;PP=_nUYK=Y zLvc}H{TT|r!Ga<+1{Udd(B*=TG}%W7kG>_iy+Cp8YnCPt;{z9S;SL%udugm`Z;+1< zBLfnntYFz}fh!(L*oPNFpIwe`&<{p`ssyaeWfQ-Ui5WD4Zb1^4FV9iDe=4KhB_-;` zB39@lTlj-5%plPBERDkFFpn;&OdEt)lK)Xfuc4@y7C1h^M=)z(8S*W!18gxbAHl2z z7kbgI;GYX#+LqIPa_@Ep|8&1}$wP5^D57#fW(}A9ygokMVaBPf%wZA1mNHp?egT?6 z3xkxmIlSYNPC`VXYHQQ1=0$6!PR9e3Av@2$_Njpm;XaAJF3PasvY*>0%;>`^%j12V zhN`8x?8WQy+t2Se&i&T!(j9YHPn4=#`+E-! zy(hGByZrcEGm8;rb|h4vTV}Z)nNVisgw3xW!X!+$>LFa99`EwkMg=>6ZoSdDY>ez5|~ ziN;D#M`$sJ2X1XB@`9;hlj-z(Z6o}h^WK=eV^hH-^wv+|@%R$GMC#^GiUnRzy-0#C zBn~pHe}VGvxcu0w3wt)Ryc|j!P0>$9bjq5 z(gk1u??0oLf5Y!P$S&jC*l}(Tfo9_EL$-Sve{&OE$88AeY#aN|wcPiDg-z#vrrd8- z?vdBGi0hgYVAI&wKt5>UaZ+Q=3HPeFk32L1sS+1X^*{- zdV}hZk?7ycY6(KM&8^1B4R3JeLUdr0tEE}jcfE3vU}WbjCp~)hIa*wd3Wt*t1DhN9 z$uP7n*5yQL?33ju(b!&Do`MbTmvuqOnz%eg8{I@pDqDLattG`l?@|f6ch_@^{eGMy0A>N7{`a@W_A#S*6 zB8Jm%)oCGr;)ihiC3}2?IqPM#e~}@^A}*ktUK$|Y(CIrqJq|ifcai~Q@9Nre(1fba zjE)5}%2S-|zD9X5+K%wM6KeLGFyY+4>D(yLZM@4nHvOAT&B}hm@r^psvj<=k;!+jD zP;KB;6{y29&yr&jre~=KYWCYe;oL2p8wGma>Z-qgrgEsHc4+}C+>;Z$UE~iwmia2} zf-v3=S54q)@!4b%)&<(ELgUcLnL@zw)PrB;kTz!Ue4OG-Jvnbnxzkkx&O6BSf%8b) z&?cDRId1dHcoV8VA;-5^UDxfgkAPF{hkN&u!86}3ZAWbaIaf5&TLt2Z9HR0m+l>!* z6LKhjv7sUx9tjpxXn1R2fj}jn@a)L=bQg4t6&}lOqxmQV+Up<{3@siD?j?+z>Bxig zyK)!+?tzx7O-NV>cThR(XF#FvPaR~|N_($t-lEO9gyk&ZcAK5j^3Ugz!bHBVn^XYOPh!q;O@{yR$2|pvKf?`N zl*O_y+d(}mFrK=Vh0lxI*5@fq(>-iPHp5clv98 zoV__wgbUX%Z4gc}%uqkjPh6IMSuJ{i$n>C}xHNtSO^V{eS~LL2G`K6AxbuhCvB@fa z<0X~xhFAV{J2=b4#wV_y{1A3lJ%mwKyI5vuIPT0?*-1ZQ8uF9i)}i<%h$;I9^E)Cp zZrYf2jDHuj9Is({{6X7sKO>IW;L8zzDuD|yY`Pub2Q`i_JD#+@G`ptT0d_oD-izHa ze1XMqOR>`K2H4zE7AF=k)2g_@MQZsS;Pn~u`d+4Tdx?9n;dOxA{nq;qER(|FBh)Ok zDvv{yl0y1Hij3247^5>2=ipJf>Lfs0ZVXR2WaO&q_(9LGIrD_4PG3#@kVj8{(-F(x zVVIjbU!s@s?GNTA6*PSdNOGg-pV7<6HU}=Gfygn+x2gg6oaMXXk|G36EFPk)Z_&n$ zvhfGl5Q+5Tg17gNg4_E?pWC}>c&(oOGEVo!G0ek5G#0gBW?DhpyMXBWj!WI@QX=X< zEqMKY5?sHZe6HVu90U}67&r`n!$NkS;RV}G2WsiiDVRCsu^6e!>xvT0cOd*dk4Mq{ z37dLiZRT(WDE^&^}hDvXW5(4(PAaA>FVEYH`C5joOcgB|}I)+L7HPSW0x$f+? zqXv?H>I}M;5n!hU_~G#wrMq*Cgfu*~5YvkOYdkB4D_aaQ4RCvjM;)?%U`)YhEM$&brf8h?angfiFO;lepP9s zfR3T+=q)vCt>vr%=2o3|nyYq88Wpv*411%p-)Og-uEdg$aAP9Kpjkhx2f~rn`jfJsmqom(YSy2kt znokBEba?FNLcf1exg|@@d*~hWILpt}7;G^!&c;aHa>j8!w2{y*J3S=lxjHomP265Ll;i&1X9R3}=|=sYa=-@SV(2;T9TX-oycwnCISI6U_0TZ+ZYiIX%=sw{ z19yabiqrC^AJ2$?mK}71{rv-+9K~8}pP~crIf;R6X$(f#h4*P940vo{yThC`%zj_X zIZg{>>z;Q#P2EQmJD!xTq9IdTb%rC*iN@Wq&<09vxR^V9+h-?*8h28@1L5BhWq>N(R_0l$660ye~uPQ(?t_*JtqD*V)f+g8f$VTuuTys z>|M^91Rzg;WBuz`wjt~iAd951J3WeBfs*6@HzbTf}fCwTsGNo zR-aGGxL0Yk+r>Fjxwy@s=~i+;^kiL+JQWS8fZrr`k=7+&f&90AY)`FAQY<)+ll zcO&UiWIO$Kapa7eq&qcz-z-h7?stHizGH`fsqy}Ci$NANY8P z9hJYL@>i7qN|)zj301Nakez_a1=;hIrQtUSWQ98`BR7T`~}`0a}u$?qB+`8i9w4 z@_I=@_%PUL32)VH8LRG8_K)j9RRl0J4ATGB=ER6mFg$k&+rbNKxG?)Z_@ zM=oQHu}jPy*GP$*-!(3O$5{0xjqTLPr=Y5 z;B^0+-_tEd>O{!<4m`Mp z0p_zkj*{$(I30{u!ewyQ34RHG5m4YV7+${Sr;X!nw#Px3-JLow0sf?@W-u%2;RK)Q zC2JujQt0#8#`cTO`37^2E{w2gy};a?Z)d(5wwDh0bXIyL_$RLiAAdG1?EKSZ3A)9i z({URg4b19zp7KWng>|Cib17^uZ4CHKI6^-6qdfQ=yFJ8cO0a+M9Ecl#djmHyk8J?l zM7@N_LmEpZF2j9sjJEM(d{&8TZrUjB!~LB;-HTe!prB2V9v@X}CdBDJ;}4-O3h<2? z0Rx?v_C;#D>_GMgv%RNmBafzC4*nKT(fD`BIk?oFb)bPSR(C4H?cgU!yM+Et>s8K8 zpy90pkDfAfy&as~-bLYm5T@aN_;Hw%gLXGS;uB>Nv4CxQV9DYkOJj8po|{F}T?eAi zoaGZ`5wR$?VG`|B1+ib?O4OZopt-{g_mn}7AJ!J-Mg3k~rm`Ay-^cMDi`1VThe~Y3 zt#$sw0$Argw6M;LWGSE2Q}UE0OWn^ce;t_absm?ydMW$^ut(5;n)T?7rSQVehbe*k zq$Q$ejw#bv58u)4sG+k~#!I>$`9rwX-!F$>u#gk+LkS51l}~?^tX`(t-^dG8XFEpu zAuftDL9?tk{N9=~4iMKPqi@q;2G&qo8|r#!sLa3}owDr>vo;~yz#E=+ZD8ebx{Z%v zau#I9coUpHA;-6W4o~G1OoV_D%H3Jf26b0`*w@!~HU}o>x?K(auDjKEm)xxI_Z$$> zZo}8-H`g~JKba!CG{eksk{4LtSn(L#UUq(rgB6uG+%w1J~=JXUfD@nwcEe32cz~V6Z z=%^>l1x;+IX zprQd5h3Rg8z3|4F{iYIcFb(476yx75$(C~QHO@{&Wk{#E3RJfQ>NISNrP1XoU3xH$ zFuCOvsUR@()n0_8MElE=6+&mLgK~)`UV65Zr(ZUY9chZ@k~?z{lQMI=9}&YV^a`Jjm4`^?#-wCW)~7rUXl-8RA1BaDh~ zFf)dKc77g}t0o9DcISY1y;K!i4M_G>qXzw2T9r0QsJC)a#wi9E<0i}Uyn+r8V^r0f z+?3%)ln?utG(5yxQGfhQ)EfxKc~b%Cz`q^r!1t2g!_+Ydy!&zizLxV*sy|cSe?~7J zEUirsN7o6QiE9hOC}V3Q#^Kci{k#uh@ddhn=@9o;uuSMo)VolOvj2pIC}i*0TA~2~ zF846YpW+FRZ~diwiHqArFv_;xLMSGazUWik3&l}}Nl*EupKr$}d+IaIaa#m|LeIvx z20%a<^N$4)?PtuRtQTvN)%}n1rOyf;4Y8-VEYxi@vft0#BrUJ~)P7N!t}&AfAxWHn z%DL$@BUN^g8I4mpK;@FnWR1b0p{%LeP34{JUCZ6_#X5L(e=SOUTHLvl?OiYz_SQ}Y z7Vz<{47yNP_a3wzRq{i){gORCF3Kk812Mp|y8EF0s*>NRGQT}OI&h@xop63CW@VZ+i~<0mF>sTPgk-b$C;Qmx98|5Il4bb#SeZg zzy;m3aKjHF#>L)Dma|U0;&)PIX#ErxPm8^tD!+l{cYw?K7nM!?((0sTMFpVEmCHCP zF2yzI1S1o`3J7p(%1%%v`w~YN)B)X#nM3Z0T*I==$yls?iG4kz~4x|p|r4D=Bd zR+wE*0vm&nK7HPWg?Ikc7i++Ev+irgbrTjh=DNAcH#a;h=k6U4$G8i3M(ot!5PqZ3 zg1b{5F8)dm+U|!qe+s|RjvH?|w;NX;`#QvVp5>Q#e|G^G;>&|?pD@4A8~t?L=ix3| zYQ~ApweEU|&~?9sFT!LA|m`D-{o81sn>Kmd6dmkp2Sg52;> zcMs9%Z=?J^JW9aA)^$Ab^C8>4jP?b5A$R(zLxHXFcwXrnm1VepKQI7a&!ROAxTW|6 zEyv>o^-S7(-FB2P=DAL1C0Fy&=E2jaM3ChnYJCBB2cBj3!T__KU`2ss=Rw^H58DZU zJPa%sQx)*>Bp5mJ1z)pYcl{fl8X5Dc!8}(*X<6@rD5)T6FjuuQ&-xPT@KT3yr!$CO zL#1T#zc1dhxp1Fikj*{Wwp*cVYb#MI?)_0WgJ!Tvy^gTYRC)h!GD&Rz;=A#MVfAHjp z{(56T+DCJL!^=}Pg{nUxj4wr@cnnWTi5d93K0U-sTfXYHj4v~?yy@{RP(nMQjW`1~ z5oi+>*`go5T!gn|1-C`yMLBnTx~(nlau;q@HCZI;U5$|o`G8t)zUUuJPa_v{xX9go1dY-h4bdUAB>b$!6ZQ%R%L864aBOznqy*hr>3i zU+(X3&ExjiN|gX=B)eZ;}G%TNls5sVOB-&Cb$r@t;v4-gwLOiI{w`|@f84M1MvtnbLk zbyEJSjPz)wKeN$bWfDjEE-I-R5Pj|Yz>i{ZNgRowk{eTWgJs8s(O=nUFtfvZ6XS1` z>#ff9?rZ0_{2pr2pES#_h_)x#5O-;EE&n}#^xpkRvkG-SH-e90oSbs_gtk>U!~JDw zwowd`eNVY>O>Q^J#R(sdyzc|dxyjo8hiKkWzR#UsYN%kAbI?MZXu6~As$Y7iArLcF z2**jRy{*NJR9WiawH?+Fz2ywQP=@aL2(=Pq3el*}AR9g}i*A=SRD}NqvZyX7vyn4@ z!RviWmuAy&+s6p+vfp(!2Ua6>{mf*ny1j$LP@Ud}&K1pK;I+R#_*|9A32^1{cuE%I zV7ct0ac8oOFiEo{OZV{R<_hHORaK|Q8m3>fkC?;MS>u&enS3n<<4n}xtK1u%TMoSD zqvriyo#_u3fmwGcZK#z=tQo5MCripX)__W-E<;XKi+W$IdcAzbY|e%OCN6jSmg}+ z+;>aE(+GUGdxj0`je(b;VZ4n{(fbfP(<#GzA1!oE*w+Y^d(0&#!c%H@*&&R7(=!vP z`|2aY6M5fat{x(KYG}3_Xj;mrwIEu~!5wGf84^7UI_y$K1{-C6yWKJ>S6Upiyc84Y@?xX7!}AXJ4jCNjoK1vlb;fEi zhq_^HcoKK9sX599Q`2L_1ZG6$UGD=~82f%_q2y9@- zuqZEZVTN9yVZIe~!meyw)oolsSs;V9hL}_)_~S;vCUEtJUd2(t7>5lDJIt3kN8S)^ zWvv?bU?=(p-<=^Rop4tGtX(N<*sM`Ty>$RXfwBMvTCl`~-kFjVB*sabQHICQM!SNNWG_@);yfX5rCsR3MygMtw+P$7 z;5V$twf8I2X=4(97;{%Gb09_Ahfo(|*X(2#XcPAKW(KC5q2BWBBc~0jrFYF-hx>gV z?Zet0p0Wy8o47J2umiypL4BY`nu?djRBM!R8i6aqnIY06gv=tGesy4YF+=)PR5 z5q0f+0OH%U=#3>IVx}7OkE%oU)H_*dDVBi^M8sG%&ap&)_xzzw6SNb-<}u5k!+f_< zpufHN-`bt#rrhRiFkpiL8kF7gz0`be|2|vA=|N|DwNkY)I#IkkJ+NYhi)655ztDSE z6n?i87R8V)@WcDb!qR$Mi(>rFG0JGa@scVX<0L{OcnC*_Fb(%&4baw= zWefW+=5WJ**2H3P$@+^s-JH5&P>jQpXD{1H8TU?Vri$SoUxaS`vics(+8V(Ay;xtK(~@>Rfn z`D$bs$JI-z(xZTfYmz*1n#AerQKc77FM$tO!cT+V_dhg9Lzssd=i5_UKB)TYOW$61 zZBcrgIoMPNyN=@YHgo!LI#7j{G?=&{6K~kWJo34`_Aj7X-jP`yEp-IX{-dH>EomsP|-b64gz z%6qmHYTK$d`%}g+U;sDIhj(XhYh&_bKf+jb6Q$brPi5;yGeQAF8gN%)U~hMc5GG|8 zsn$b$?28bwm=;}tByt!X-kNgGio7NA&USt^cPu|Wjvy`64sLbI!b3)}pQ_rfFrn)kt|1WgJ~BK#GWEg8e)_!ROP7cHnn{boR0e8xu-Dp|iP&?cW*IrI7# zo^cXLY0#&TI^`;n%HF3@A)oBm6iF3-?NbRby0iNioe~SxwzGCsr!CEuuOw|ff*~C` z!2gdk`R0S@MZZ~>OcJ13myAl#q#zIhzgTn$|(0mPfH%_`#;K9Z?=8 zhUG31Jw(nL=})`7Z8q+#5g%m>S{vf9sVg!?`)$O>4O{lpifsnGnKo|5Vc@y2x>Lmj zt6Cd&im2RB(xxbR&O2v+fkV}GJ4KEvHBEv}Xvb3_Wsj2rv{$tjEr@OmNvAtF{5KRA zDTeVk!d-ZTFru(q!S`{I0&?%z%oQ1mD<2v$zOB& zO_e-dQHVCj`!SVymL$^Iz^_BrUi7Xq{LF@Kj3L3mz$Ag!Rz9qMt6>VqDZzbzk6|7j ziof?I2*&x%b&=NA6M-+To66NKx;o=!NSC7N#_u|?m4L12Ne4BsPE@aTBFj6oa%&F0x`kjmc^v+&lnk2S zCn>w;AhS1Y?aWGl<68ayBV-S1OlG|XYlvd7)CGZ}|7To~8k2c12n5^kxF88Ge=ehq z4i>6smYd#^PusN5Dn;MubLn**w6(xk3(#8Cml|uH4oN`WDd%>nI{zhl*}z6Pc!wWj zbqGgpGFoO(Ioqt4Sn9ko5P$*BuW?DKTp#0qMlaXuXbw4lq%+(vB}>;dccDC@Y3_rz zsx?2aOCAfCluET2$zKljyU0%Y_Lbc%6)Y(cb%Wet2?s5ni%k+99(ExI+;y&zjR6#) zGUp}1a}iK+4$?bVz1E;R*Q9mg)iS?V!`^}nNvB@S)7JZty0sMuUu>=U^~40w}IJ_^!0PWTRz@V;`}nM)j|GJl=ZOqabljQWd5cOh}QMZ7hw5j=A4np8G_NE&0&PZd?%G^i>-G6HYl$gM-t zqkz|ww}cX-k5!K%9#0WQokvyhmzxw=1Z5yIUJ_tYq)!OOp;D-Pf0BOJ{TyV+FLZ;n z`xQ1r8xHXZYQ)Vzj{l&I8KCJ2I?xSR8fTzhdY5jJETg4>yA*!XimEF{2w!m{}Tg_d0A=YFU_N(pQvf zS(t@LM&ZUBO&5WuukGTTHu3U&c+M_O(2dhoFkaLDR-5s8%sOS{e)Q|tu?MKLkUT_i z4ke2t?4$m7kg^-8hn8e$b}@C_lH&ELS3z@?OUF?urt9O?*<3`P(avX|Iv$yE;0FE=o&XY-&6@2Abu=&(n^VXweXG_*+Dq>x4NG>jg0eiJaZ z87;tuzmA&F3Uf5zCjl)YN6%yMZnC`aBPCk_eLiaK<<7kX9acJ1*(!2soc^h939dm+ zvQBkl-?rKa(`uY~X=CgJ+D`rJumSCVNW1!4{DD&)lq~W`lurHixnWc>)CkOYiJ}Uk z3YGscs5k1b^9^$<%IvVwbu==@B%R{Mx^4{xXgKiF0&SQV3CdCj=|JxWlk_`9u2eJF zhkfiMQZr^r&9IL=&A25sWKueBt>bw_nW3w?s8o(!)*%6>c3TH!ouTWxtgeoKUD!ck zr*>mUl%3v{U0PbVF71f66T7v&fv&xq+5J(xJ6(C{+ZWec)bj47?AP}0H8)|_+9fp< zPHXF>?K{Iwu-nkzOvx5-XX@21M80bFMb&a!HD8l*dWfw~`TF8*^)I0BBU%f-<*<;x zvX>dXGIxnGqfF*6NM>}%R^w2Ak#PWRK$5>EC#lkL_RM#jk*9uSdHfxhMe>W^iM6rD zk@(rP4|kQ0(}BKY<}P3&O4oKtZhy?9jz*Ug14ab>-M11RkM9$idwusff42go zpFBF1aR1&>GXp8SqxP#1!^R^b0835psDPUU3hGvGb_1L4!m<0{leVN~K&!qgKw-Vf zO&yYi$U81|t4n$70Y9hQ80QeAiAkskh%v`40zdt}1fEln@h^WJa(I00>kz}c3O$z= zqUy6Dg*9m5F&nNM`*>q0#%xT zBqTm@nct|)EJ~PT)hSeM`*0h*K5>E$j2?QK<6n&#KMDCgsP4!^w)3xXDl;%35lvRD z0ZYQ<))e`a?HsC|dIZYwAyCA!Txf8e~Zi=h{ERB#Y<5}hfQ-?)I;!1-orV%uC!u;iLcAZAZOu9TBm*T_YuiEy^SEVTPC_FqrMd>k9ZO(@z`kP&e4g!r*uN{N)_Ju%|~Vh>_>li|Hey~9LO+;6f*w{5x!fBqhl*08$Kqh$pcwr+)hR{c{(-7t2c71}d|Te(|;COYAmZNAuYDqjz&k|Je=mU)k$}Wd%S?k zmQQb`!MqW=GN@ld-6VWvfp^hA3YaC1XYb8PALY9hpDgv6B<_~hNz-mE&nu#09jB$w ztf-4C8q}aqmv?;&_MGQdIcUud6V)b(cetA3@2Pt)e~lTg0k^jPZEVkWJx=MDGhwvAb?yCl_&zE$qLUmH~sFF6kP(1g^@$j{t=KqR1{ z3jZT|e{f*@orlH0yAJt(=b`ZLz9Zq^c_94z&~QJ)`}w=mV82Dm1UFOJ64ee)F2^!x zL6Oil!Ru7Ek5Edk1AQ{u98P7ZhfgR;r#NZRum-X;9r!3jHUe#6&!=(OQyi(CBd=8|ve?o<`G-bBY3nx5B8{38~b!_t!1S&JL zyhAYd*iFr~^)Vz6?4^gz!($lde-E{S8e|{oVBbA#$=)gpGwBHHy#6NoAyhBjU`d*j zUP<}1!FBdr<*Q>nbXCgOVT~%gp6VzA6aav$cLPjH<`+E1fB+92_;7nq2a^?`U$0IF`sJzy{hCP=k9ktdDKj!@s#l+* z`sF%*iUug^)e;WXWje)4q^3ELs^!8*FdCAnSG*0JE);RZFw<)}=akF;)qg?lWH0}5 zAw8P_0#y%TxqWh9jDAT?EyxoT{RCDVe;2I_^mJ}mT~f)xrjK2R7W&&zxlMGi6gYiPBlTf2}s0(hG_4gkmFrtTlw?(OA!_? z>Gm;FPxs}eXy6fX_=hTU4Q1X#8E+vlP80-S-?|U(ok@!(B%vG_yQ(VYuZZume};3( zAz9JT)WT~$LraJxj1Ohz(O5s56g5O*F`(3a=G-=K$nlDFa1>xFa|QWp{93phFjDrn zTwpr?b(-aeFp0mbhWbmAg}YZJNYFy(s?hpZZQ+(I_)7*8OyWE`s0#U2h-BlD%JR7? zGm8*mx=Z5X)#;&OdB}2|?mouFe?01B`D+x1QF&7fgmb&AHUj~KeJS*vI;iCKK)1P39qZK&i7%P5HtF$#)FCdEyVx;3~* zs-z8h@RA0M1jg?F&)wTCIc_WIqW69ZMXZSvYsDT)+xFUXW;;%t9qsCFyJvOVwMuP! zVs02Lky3FLC8|lPetb2re=)B&PqLAj00@!*2!NEj+85m=g2>D-6C{YAL?)2*P?V$fS)fF^?(n9=|myZpUXZs}*~QF|Og>2f7s= z#-p85#h*?k`2omz4wl@WHuqT*lyj=j9Lzfq7-DE(644|Mf0^K7hz+%m`f^hDcPRND z8Tn_c@-^&|F7x#Elo!5RUoXbcQD2L>48Nqycj@=U_;L+FhgJVjtrB%qI#(0XG1v3A z7aP?-i|mA7b~hDiRhg}QUNi0@7vlvwwCw4avpH8%*ZJ-M%gsUg4_;2=nDv>hh2D^e zS5kz39)3II;T;71#_e^Yi?~F}+DE}}op;ndI8tkX? zysutx=!VbO08Zf@#w{Hd@?qShB7NYOVor%S+>|2up`RJ$&Q;i^TxUCO;znF&3vPV( zt%E*b%T2F+(2mvltuVTkrMHIvwpMkU;DQ(Y^|JvZe?awtL6G8%5OoI0WAJXie{~h6 zR9FMgsoZ#5DoO^lAVw5Mb@7*1mjRC405=V%hQoER3sb7I8&6n zkbr1s(LORlb2ZEI7tY}oa(G|vyhE9>ky1UsfcTe%0y|1sEil+>D}Xp7U;_evIS=naVC_5 zs0-9b$u%!qQ_-vz3mQ^=`K&vhku+CVVo;k5)Cj6>G}>Zjz7 ztmK_2@Uz%#XJDkwtmj~Y)}5u*f{w!2R1G)|BiTt8%#_YziR-lXx0%YT<5QZ};ntFV zr70aSQvv!YCVWd@*P#{)_qZKeXa=v_p@rN$Z;guidf!S$4EWP?jPN&Q!JS2)f1X8w zx0Sm5z)n30p_W26kzm6;LlvNYN?t?BH7}UeVnI`x&u+faNsX&5{iit2hV_~7e13zP zrasPwbe;%Fj!jW_zsjs2eB{yLhGX{*`%t?vF5O{A2c(yJAB);=%yGz?$FjO#Zi+lR zG;v)Qc)T0;HL!@4K!K~RIKNeoe;<0o_e6M_i*t^MO~lyX>2=)g=pgme@(PRA>-TW7 z%go2&f^yg4b>(Taqr=rP^MW!4mK2=`PS}$QyGe{3Zawf_#XwGDc{k%3A zE?_F-=79mf`!0da0Dh;PFJ%VvnP!_YUTtQ1CSK~hH0d2W!@Kj+K6DBwPrLYk=CaLQ z3FPqC*91TVx+9N3)qxhOqI?IOZ`fZy1)nGw-S4R769(V@-CI+^e`H1VILA<(pD3u_ z@2I$dYvbcc37_3fCij-plvu;{xY=j3>-gZ0QmpMOvWa5mv@UW) zKe9gXU=#cee#~QC{94nB)m>RPc$puLr)HX2Ia{!(kT8o)IWv4%yKqA^{*kf3k;gk= zF^?6+#u^nJn(Fz*TT%l#M02qdh!%YVZ0513vL^6lJedQ)e<4~cYZo&0nC2xf-kLqQAsX`_+8?N7ek*<%kL3{Y zR9nvYP}W)XkZ-at$ecsOA$qTg%Pi)cy3yM;;apq2T?6`T_L{T{*zWDJVmx?3(5_zB zPONU1`z&^1e>5G4KDzxt1^zpHCMyMOj$hVBBOB!=3*C5bm=E|&UqK((Y0?_;z&?Jf z=mY&GuA>k5J>*q$N(z`xzA!_n$b2;VmFQr0>t~u0Qe4QBo`K6N$V47Z8ZTSA~G(5j^Xl_=D|}L$aej9@*^6+q}r2R$GbJfAKYyL6ki7p+OO7M?CzY_{ec~ zxQsuhRG6*a0NW497S;k=XSxqmXRbE+<21ya*1x>Tmv@`sNHZ_L86ur_Gd9ig$4yu$ zo8ack4~+hh6iJ#^Ol(+R|AHG#uiu)lLjF2oK zKm3v2GNI9&&GV6Xp0_DZ$6b}A*&nXk>*_UUv;0Dw=kM;q-0@#b8;pDGkC-~ZdEdg3 zj+1A{;`s}Hwg*at*@6zo1DkoD+JLpf7h%?seUV`G8F3vM!re9JBOG?Fw4-VcM^ee#UNr0~)O5 z*KmIOOE$4Vqe*5TY+2OrbI-+jx2CASbj#P%4SkMByrzr$?AbHH)r+-r)K_S_-Ra_Q zf7!E7E~|;{u-sP34wIbxLE9zjD>#2UE#GnxpRwJRcNv?kR_KSy^EZ}%{Kky5TA#m# zmp`Ihbk}_&yPySM6Ldx=}}nz?cog}@OmilfI@s*mG^`rPj8bt zOR1pB9;=*H_lW8wnpNd14`~QFfelE*%kQlLg==(1H9(a6@1vkXQIjob95#ccW zmtsW3I?;%5Tz`@g@tQ7QqTN(@9$Mi!ATm^db@mx%OdwC0ZCO1gRhl1m;V&pKl#V}& zj7dfU4$=Xrhtf~Qw~{#Uo$PR<(_F==W);(Hn;-HJSG!9Y&VbfWWjc07OkPVSf3p}8 zN?x?>5MY40K4i7ux%Sz@;|eobqvKACx)u~2*P>`Za9qJ{UmkX9Xco8(a->!mp{KsW zH_%GRLJ7#yLUY&W16=w$Pw$`WPlaL?xD2yO%LuKa@C~&Juu!bhLUY&W!}I#@@BOWE zEbC@hWwm5P@2e;dGEkSN?2vk*e*$eKxJYwR$J7PvukbZ5_P5})Jek5~GbM=>R&vjl zsZ}Ga-wDYMDfOR_Ls2R{k|VN@(>YC~B+SyhR!$edB~(Y}x>IwaOh#T)yEvAb80&=P}uYA`Wn%tL$a0*9YloI1$=7#G%z-e>4A%`C^u` zcfkhx`1ZRdt0)m{!@J|lSt`=O4Y8gQr8ltuwp#R9mW4>E{?g6a!5VDKYsN*Sd7sIU z$BNArpTf2$FKNUM&L9I`BZq)ZNH^n!1x);0CL9l^=w`@(FpECsWOtKvQ||Z4Aw8Bw zzIpz#3>*#d&t!6TH%YIEfAckRK4&9P9Duy4%IXVkhM@-YH3Y>sK;E-91^(P7r{YDA z78I00CdHp`f!@z-<>o$X_Mg z&y~hX6Ao4Dj5GFG(ip}23#2zjSis85m}ERgrNJ-((J2k)nH06)e==5bj$2?bR(Rk7 zgUy0s0AI#dqmh6OHu4V!47u*9EXG9L;R#pzoG=M_pL?L07$06n>BrrYujq6OI37{w z$9~WnS_KY^%OlyfF?ndkds<)~#H4#=;H8 zSW0UF`^lzaOxh3`e;th8DqbNuA8*cRGIHpD;WpzSgN;V?GgvLnitMF7XkConD!xYY z`5rU@=S4qgJ&?gho9#iXvZl(jhZp{+^-+4OdBYjZ_qer?Ui1SufH}c*vpsb6>9*cf z`RxmT>IN{q6#V)Rz=7bKtWp%ZXk^aIxe8Emvk z51O2?CY!qnh7v|<8BaEqoTVZ%FJ-QPWU4_xn+5H(UB*_UJ8cFV z1?;p97_pMDh;SF_o?CQYO0DydFmGDpO!V}=l$AVuf4#Nln&RwjvfI=13%1tNbBK+e zo@cTQ{0MbTzNnQV6=;yf;75>8a(&2Se&`hgQyg-Ba()`u+bZevA=&4fm>;Na9WbbJ;OeM}v9Ot5>I4gNhT>d!>wnTwBh(i31qfI` zZ8q(re+(BvU72J8)@wNiT8lAgts^11>hN(B(06IAuq+R01|G#P&>WG(=4+Sb&xhAY zIfH@NkEw|iE@3MjOmDNXACuA^7%X@?9I}FaEyB97i&(D*(cf}{!Cc+b@-fSIcTJWC zej+bnwLU~|tNq3qgnTxgthVHTsrU=9VbldYf7PN({+EjV?0Z+`+lGq}Hz_<;+?4S? zYmzi+F#k1`Hl--@wzDEi-W-a;uwg?0q0NCpd5egf#6D`uNU+B+<$e9;F&jnt`dEJ8 zWtVCmnG^e%^ZYWteWxL7NO1cv(JT5l|_)Rb294m+h4c1)g&GD-W= ze|YiCouWnRS&@ZAJpB?IE$V7~t|nyD zcP3`d#aysKXaCy0^!A+e#dB`XdB1titvTCQ@1?h5(3j7-_2&8Z%@cP@+dMM|qtdp8 ze}t-WD};qT>F}MJqrGF#xl*)u4Cs@gf8C&3z$vf}r_l4v9pg+rXxTA}%UR~W3jY2T zS|fycSDfDz$~SC<#e9>aRA@~)$x-F}R&;h!(Hbt?MMZ0? zAP1H6+i27|MQa;>*OWdRx(@SA>0714dnV&_@OkL<5w8Q>Q}hO!=$~>qOL=&xf9Op% z#YM$vyQk+DZLz24AUi!x>$;nOG;0?z%SZyXfjz2p+G8?xQ|+9cv(Ii?PpwJ&Xm%4# z+(Emb!92Fk?B<)WY4(`Zdo&{Z>uW2Z0UIHYKobEing--M;QWpK^-}Qnvb@i-V^+1+ zE7*+puz6-i&FZ_dNXv(;s`Au(e`eNW4W{Tz3$%)4(>^;!(0;nVCpI4io1ZzGsWz2G zL0`0sTCxY#PtX4-%fDff`#0{C9+&B%<}rAH3A+k$lVgllEh8|J!q(G1j8~M(YpC1@ z<)q2$L+$P4Hfj&ngXh_yVHXV}f5A42bU;Jw#yW6dbVZD2wI!S^!i$$~e@h+EAX~1H zQJ5{+KmM-QSq-X!$)d_nF`7rBQCd7-0S6lfo*THR2^|g&I9M>`^nkws=NQmk)||ehGZ*7d9+Wwme;OkFJ%34-?f{<0 z&=9Ne*~!jjwNDycY|aXd70paFW;8*wVwJ&IK`Ne~Z#xznkpSZ&dboD6*Prmz8va8WYsjOUMbsCNdZa9e&|`aog<+ z*JHUNM)>d(b4U9ipGfkFh?>Hmo1i&qc7?xwfcqjdpTid|z*0a1k$#|WA#eY>DU&pP z!4`~6kf&L8`9sT=PB_#b%U5aYW$}ITw9gMIc3Si^?1ALOf7pF-mVpN4jb zA$j`1emXpStSO4-F5cW_oBL(wJG?%)4BvFxxYMk4?Nd2{^Yx#>ddZg88u9jHBSmbLT2lZ*qbE@)V(%c>3eJk?cv2*)F zw31D+*&6GYD!*nzeo}=vw^@Gp2m4}YX}n<{bT;YDlLD3&4q26NKqUX^)C@XaE6xDg ze?YMHF}>g!DLf<22HRlds)Y@U)I*(={|mbV_bl!#pR{Wzi+p5nWd@VKuEgD)2e=X#_6E*HPJ^Rz5?QLLt)0-?Wu@`U*4uH z?{l8t7k=HcSwqTiVr3_D_1Uh78Ld>I03Uk^Zqfyjc+l>Q9;An!SNQ9DV8K0yf7Vbr zz;^AcOuuHbUE7%j^kM_swLO;!q=%l=S^3#6Kd|}d0hh06ab=klMfn&PIXt&9x=`W@ zJ{D6c6}ok11O6)wf3T*eIQCmd6{6b3C*&CsPx1!EZ3~ksA!d06#qY5cok(kkPI1Wm zSY;1+d8!r0qG+12dyM&NiCQ$-f5?KLVqh(HUjtn8q6ucLlWoQZQe|Do_2w?y(~3VU z#4;)hwd{a5hW+jrPPQ&^jF4kQ9C1fLtAf8N)~xUf%GOxqVB`DjImYN$v{8fImDs1k z3lSZQ4W24T+e)6RmZ$$N3gZ$X7ut+ME@A`9h|EDV*mlA$RYc@k1HFT(e=t(iZBitM zO@7$XGIq`$ZJGnbb)IIiIAaTs{Q>^J&B-$Z>p&Gz11sSDF>@N^uEyk|$;YrcHU`Gv zk{BX^fzN*;;4jY?N60@y{y2!R={}QvY5ufkRm9=s8>nyt_X8Uh&om2niIf@<%S2Il zyLDMpJN3j(ZWlV^E%;G8e{|soT7jST=594$Lx`8fA zMoTKLN+zgY8ed5^KN6eww^KSF$rm>*^XB>G8gPKnOTYJ=`b_4M1)_`ja_krxp-(cf zED&Alxh(&CdB~E-q{_Y^lMgXZv-N*4ey@PvOh&HREQZZ2tLCLzf3y$KOS?5AUIXz2 zTNPPSH!%+&htDMxIOb%YdSj6R}%Ln`wWRNO3q~)Fhyuz3M85%}%o@yJo0!C;a0nt~t8+HLhx-cts=QGo1hrNm5 zjB~!;^v-WG*VA+2EUiA>)){tW^efa@M2!nR#BrjDhzow^2$z>GYy35fL6*fW{cw%Y z|G6v_4S)uiZ2A6{emI5A$H1P9A0Jo5`QdnK(1{|i%EKPke;gi?Do<_;zG34skP=K+ z9i}TCQ!pmpcD1G8Ek;qqJ5qQ@f;XS9_6Am-8aoWG3>-xWE7)c@9$9OlkBRU;!b*XL z6fwJ4W&TshoMuE3u?vX|h`scF)p8MjQSYGAM02KWpq3wyZGL>=hSXs7()D#q|L%Hb z;~mSY`EtzHf1(XF;5FkgiwSY}p)OC=CVTl0pa!g;0g=HP8O-zuQXnL8lK70sf zg2X|bmOhsWm*6#7XFK?YeOcy=ROFLQy9CG1HF2A0W**4^91dRiQ#wHEr6&clLC1u0UMGjCHmOgy;1mA>jnYBptk0ULrkdqc^;gWY0a+`a*pzNP~JIM{yd7I7h83$s*Vy19y@jYu~YNMpbVT zSd>qS<6Y90gj!fKSaFtZ$yB3CMiFP-mMnsl{ZW+6ZM@*@y19L|{E9fK4Oe+hzTQhrKEJd+{D0_3^qa)hZ(!RKf_T&5_!4G#$d+-CTa6@Hpd6Ct+VwlUmBL_Oy z#P`&)Wm??ISD5`CGo~2K4>_$Ewd|~btE1_}Fuvu;Hx09haglu#VDs1Lb#d!t7)b0; ze`R%9JY*H_TV-McD`U6B9k+czVIr013R&UV82Ax)|;1iV>4YBt*g3<`EIC+ivg?r0W^VATuOk~>iO7|`}Wf= z3V3x^n+-beO2>GtS|KaJQ;uV#R9ABnTRg$0#JuHPjK^(K=bJgqMk{^V zdoc=`$9{}Ph3up1_dpk5vpkJ4W>LcVKnRO!pC9tNK^(kZp2}Kb_EhD7e>p|uDMear zf)!}nJdGp|8U#72=3%baD$grf?_K(XsO8)y*cZoeIwL_3dMcnzcPjOZH8m?*k)zt=MarXJif3{gwWoZnPoUF#)5?0EHIn|PtcpVQTnZ)26MT+q<7qN^a z%ZRhYx6%!{k1<{|mSkFb)UHLPS5)V624C{4ZL-gc=P$hxBAqt#H_Vb>y+tu|G}bnM zf|xpId@)c$Y^vcI17x(h#`W>B&RgJizBgqQ>{(ut7uFz?U!BoLfAW57Dwxj{`95#h zFs$BG`H@0`J{|c$P?U|eg`Uw07~x0{7&;mnSVhPxQdmX6f;+eiOzw)jmSuKx+$Ni) z+&VcOY19Hy-N3sCS7CTreuNTUb<{YF?MiMQ_1WS&Os`Dr-#FWhNoco@1UJ}>1a7z> zqXq7z`!Brg-4Pt@e?CxEyFFn$H_i^b{E$s@7w9mWV}~0VMx3FmYrvQ~ZVmxmF0fW# zmb)UWvTyvX0ITpw88gx_ymlx-bOFu1_ z6;R{r0o>}x>SVgJJZ@&oSgT$XTP+X03&fAOBpC9&t(98dA7$wj1O zoXj0hN{Op6dW=^+#yGF*$#S+7pS%d(5n~i7jBui-1MRE%)$#O8TM}f?w0u19E~%Z0 z(lHK*wJ6?Fh%be`nRL{%1vTl|ojPckvHmROtD8T0%3aJc>ju7y0;}F~x`L2Lw zHQ2_W0jXx-aNNFc}d=lecP7$Jd1++O2fTl$hJ7>i4<~L!?p}n>khQ= zwudnEf3+-ic|IX-ZY5(f*2ipvDT@T1!TFxJn`x2TYQSwp+~jYno6FGk_9 zf7jfqR8u7z=oO%e+ZL9?cuHjf<9HrGf$HW&v1)FAp274{oih0g!e%ImE@sXnhVmg1*s8OFT(m3PV1)A+m%lOO<1l^7B z=Q)21ku*M(y-XW9C>UtEHFBo*n5~uSe*_XCS3IA|WAa?Hx>Po$IRsluV*+gB@(}aV zX=WF!DQ$@kv6s@Xkj2l3HI>a`NZEtBN~(Sv=fKn7`@kuOk$J37c#h_!$G!p+Y{?r)RO%DkDpH8d_$45twN8 znF?pH^ngDtK=*|Pn^|VSkz3ig0ByqWZ;N-l@Un)Mhg&HH4SvqPbmK=lon~whc?g)& z?jV29M#48N76D$k>*&+7D45}Wf9Oi+bUi)c!L33)j^M)`PHjqfngshD5x{2ZYk{sz zj4AwWcO@qn7=69OX@&NE3brPCbFs=MfKJ-|o&9ZhR_CzQ43FYDE#>);sdk$BL{-US ze0$n%DaRqZq6>ffw2UZBzGNG0A;u#j9uz2FK=aV&CVBiGFFdV+xiFeSe@rv+xAVxm zXBa`xCy~TA*eHSnpC78ooHfE^9UqH2Xi%*(63^|+HIV_KvxegJnq;zu93R*pf73MN z!O^(8ZVV05kk1Clcft8FIr=KNIr<)@(`YJ~puUo0xYnDa?Y!KG7GVud4-K2!Hu)B} zYuVr}PlbzD!-xayLhprNf653yr?<#eUqNRNu9E=UmuKFIuFHi{9glbx>Ly?y%zzAwKD>PgRu2@E4S zG3%B4WISEl%Q9o6e2sT;hsH$#7`(J3!A4*o%A(wT){$I`!clMbm409Df>k~y6?=LhyU7b^ zb_I;1_Scdk*aCG{L!~B%8_f1E!4N}Cj`mm+;YTE7k4B(bf8^r*%b4D1;J9cZ_YvHt zHmCF$9}^5`h(Y9VwVf66V2D(-HIh#PE@b{^Y$*KgrM#3@WXCjzxhGlYUO8#m)EM$BRt3*ABzD8QUV)VQZ8e6|` zvsv~8>522^h1*R7)7y4$IFDKFcdD~?RsV$>(S+68lE2hhyCdOkPWV>LJkWyg;5o)w z@Hw0?f6VG>I(d}U4jqEO0LqAA`oq?a7Myzjc97uH_dje3dFYq@_6*I>DC7}l_B%KX zKckh0mNh60cz@j#KH>Gn(Zx-2Om6ccZ=S0Rjsb4mqYH(cuM~$WZDKVjuVnR`wz@-4 zAn28IU=K-^C$~jbpHn@pJPj`87}>9)o|8hyf8w;uFVIdMIT{?-c;BNXs;nrJ^!&g( zax^$@@V*CdNJrRsMc(J;1_W2y2;-cfeEds$w)K z;Dq;@ZjYdDHg{=>`)Av{$l^9{7B5M>dRXGN>T=_Or&a#W+7iQvlSgfKFdaNM#jdI3 zf0eaU=C)lXn@v{NMY$uVWB6LjqI%E%COdsQa|SC}n@+9ShZ3A9l0@WCY>=vhNI}M5 zVbOb5`2$s+rXY@ZWhop^&JEwAvuhpcp?H{L`Qyir*Ru2tahPbIJY`5Q=*VZXiVDET z7Vjk8L<_J1>}cxvwO#BRfkaeKn- zM#ddAsTLzbjRa9FJUpHBW7Jqa5ZS}@N>niJkBw=8og0se`WZBeI^svP!zBkEsx?5< zV>Z@7okvBIJEq%pX6=PcN`1zrb8fcqCTq9SKZk;<^f4VjzF+gb`*AflciHCNf2ZMK zWQV6{k%Ny;T~R$8S8&t0aX2fNK7B6O{f@kg+qL6nANf2>siV0FdY!-?rq@`7`ZHHO z%KHoI&==Oj^7FkL_B5|IJoZgv1LY(?H1%cF zv&q*gN(9m&@Tw)4uJW?|UF4T~X3cP-J{(VjEZg7jbNA=mVxKxc?24={`Ro=N0`j%d z8acEjXRy*Tdt&CVU!1WbforPGmT!=eqv!VfPs~#c#{>d4FnfyTq!5AnFWwp@7ZDMuH#; zWpJ9#C@>>yN3I6g_pHJPUcp@zr@_S;R2d8}`l^f%EK~~ek^daZ^d)P+(Gg-lg?80( z0}&QZ^(B>2rD{O^z;3Vcf3}+vcUh8V)#rFy`jR!^e#9z%Zw#@mKgV-65N%Yc_IuJ` zLJe=^MU{~=r}$tvj6)T1o_x9nxb7b2_?nKI8^* zLoKM{8&UB`yyKw}72wXmxwYwtGHF5z;9i7_7Q#YjZjZj00S?gs?)LApbb7Vt(_rv6 zn>6uxqm}k``MgZge?}*2fJb?hM!zLCEz0V`ZRG>OLF=EZS=vOGdW>%=zHyAY<>jofML%yk7e=js%;NqgntAalKr)2A* z8>eYK(fXo?5XlGa0~L(AsE+97>V0`$HFYkSBN{t-Uz(J6dRWh-^5C&GDLVe#R%~J% z7da#-{d6iRG3o6IPY|V6)%t`O-@5qZ_BsM_gv1dN<5IDdYJv7WR(hBEDFkI$ge6Wb zH@kW!3>Mfof2{016#X4a!rD?VmNzl^OtX4Z!h0F7FfEeUcYr%i@1^8}3geZ(lQq&wSL+cpS`BXC3ez~f;WV#KuwFLy z5<8i}f8~|FpdI>eypthD-~SVvd+swd1O2q?OLb7$#&L0q)1YcX#8CPT{WK$`_n$UG zayDwQ97Yysi3CGh){bC_g!VvGDFYB!czf*NupYFCdGeIjm((H}inXdG;<5aDTKnor z*DgKD4BGXC8FZrWz-ZTC(!`-Nm{FD9yKd5Df9&mU>5f@-fv2r2WdPzjt1Qn_^L)%? zRHaQ>-sgIALp>Q4it1TmLVX$biSzBqy27#%K*yxH!w9Y0vf7*7%R1nIChiisBh?7( z0J>)PKX&eWYXC`ptIwlL)QTR_YWcIMIYGbWKC5G61NnzA0YwnffI z^?3z6QA;G_T5}pK?~3W8cty930q^_u)ADp%WImt|r~U0nlE*&gu8=;2*Lc?%@is3Y zqB-mSyWFFzbljgvkYxDc!RJwGW1768<6vJz( z!x#`Vz#zsgf6Jcz5IepAbE4P00(wnc-T<9e`60cCDj>&)DZIQni%(lN0ce;W73&bDcdorQIXO-9&M^* z10x&QTV>B*xo?u489c9zJFHkcX4S{hb28j$l|uUBukg;tWaoiY&4qCh)M_#evj%D^ z3?FT1ZS*pVa9L&@XzkSpegWAdlj1V?g)p-M@2Q552I3XEj0#eke_03d9vhU9`+rq( z*jYLqn1n%%aiDUuk2ne`w8eJ=Wo9VbiX73C;+R3StHuh5*KvY0N#Ok*a}HMvZ8A&azUeRh@J_Vx(BL3sqTL|A*Ntu`SDzEC4UXp zHQsx7v;b|Iqs1>-f8vAHe(r_jgs){QVX-2UBeAHHADVB!ne+Wr7z!EhplIanWMu#H z*O_q$h6;{<`RfRdx%-BGk1*N~NOx(7;@D)n=Mj7G+OeqaglZ^6h?nlzYktQAsTe8O zOlfe7JstAqBIqNXV53H2=v=e5_{eJia>y<1QD^%Ea=|~ae-6s(bB6ASR5#|8owVr- z5Q5jd{8uVBBW%k1>_F#Ztmv>_OckAwsf>lNk5ER3XoiSn<|6P{x-F|_Gy{`Ny9Dk^ zK;e>QNv2kUvVj;C#4EUK&X!bVTZn#R2ztu?XaKY{58p0cUB6q%g0C=#Q_4n3U3Ri~ zC4Uj$e_Fhee-v*(#$sDm3mSnfPIb1}BsF->4e3!pT5fFYJ($Du6>s3>D68if)#Zs- z;-cK`OtIF;;Jqv`GGB|@f{KTaS+&E&{O4?s1PkRK`X9TBHlAZC>ig9c|4aCcBx zkz*6GHpx>6gKU2k%SvhYm`2);(D1Z~BF2J=TLs7Bt`QDDX9uFAJ~Xp(+;;S(|);GNRr(w0F<)4+@b{>69_4-m== zFOZBX5|Z73#+PnqfauiL=!Rn2P*F_S9bv4>eEER z5g)4=wc>2Zs^cc!R2fEAN(!g%B+~dilRyxuLTrFeNtLph0Fgj$zZ9R7)n^*V3Neuo zV}Yc0#ed7}fhiH!`QhHlRvlUwU_3w_5=1C0B4LgIv+De~MxH4gC2SH_)o*YM6gUop zA8w#vU_g>a@zB5#z>+|eRoByo)4&XTHlj%jNuw#Mtf{O}PKLV$el zERq1n)XES4U;?vrwC^#tiKL5(7oQUii``WbpnqKZD%7N`@?8!=3|J4JW=*zvX$>R* zM(mr=0vuBdH%7LnLOgnMT;bHcAh=CgxT6&E#FM1RbB5|UZpG)QPb|)PsAU0KI1FU- z1CM?I@hK|SENpzVyQntaPzGrS;IOU-)7=z!EaVnh%%Zf{OQegEKd*Evj;rRGYgP z(jGnJ+2blnADH4Q|{2Ygbo$`(Pn5Eh6X%|1_b#BV4r+L_bN$jy|5B1fD4TVNRs0Z3Sjd3j?xggj)jelC1 zV_2DhavNKcEY1ZG1#u^pQB<&Yz}~Y>^?Yo~*s_{D7djFck-%tt9a%vMgR*T_u`yE2 z!&F=XsT3+=W7yCt(I}N5faiO+l_;93JR8E>WV6(dC3?VEMZ^UJPFPq)rvU_>pJKn+ zR46;wq7ur8gbXVfbOwnHF}p86QGeusSm$DgO)q%N#=rU4GX^6W7|H`Q@!Js#Nr|Ks zE2M_~1}FTB%$`sj`usain+V^r%GoTu$kz_*!0{GGr_|nD}C(wDo0TEv+LZ^K$ za13K5dm26}QUKvSoyi53{yAqXfL5L*Fh<_upC{yRh zX}cDZfdt;NbirQJhJf341t!!OU*lG?B~S_uCm@*AV{}QIj*7+;52TtwKvnVGu;HN1 z)@g00@@O}3JsOV)+}p1y>g6V@npip}j6ue*V-T#GjTOPoj+GQO_c7T!E`TwL2&A^| z5Mvm@>&AIgjP+~}Fwp4`t$%1px4)IIg(z@_jOPMfw#wi%!pQIitH^IL5x4>2yvM~u zh`NK^B5ps)w6a?|;_EW;Kp1r>+i!I%-dlw_*&mDS!oa0aJKXL|u}sUygWq%|)Z;+P zj=1bdk?n=q>aH_wrFIC?#YqRfLlUST%vtsL@R?YF*9HlUxPL$!I<5ibBNKDJ zxMokzW@MHxHa~PB5RKTlI7&w*W_yto=YaGaYw#^^3xLO@-dkf~E4??=U7_zaqj5n1 z6=f7`6@;5>F8lr!p3XPov&|^cT$y3_%FRhP0sy19S>?}HG`Q| zz7A^CEAY`a^pfuQxI7nJr6D-oxp0BJQC!XDf=?e4=J@bIKj{f+yf4;bLP_x7Jg$5Bgy<`ki1^O+HL+EA3!9?f&>=k^355WhznTb9~+J;-!x}_Tu2B$Eo=O#e^`|B zPq)m*MecEMOCeqnaqsvR=V)s@<>V99HXYnD;`KSUrGG)(KfD!$*?4Gchh8cNpdLbA`9KZ88Tt$((*85-jdk=H?w#UX?(;*wKkdbruXf+z;GgrB*Q(D8 zy%>9Cc7JVphd(1u-F{~DJ0Yra@&5G08lh+soLs_X%;pq~L^I}0%T2v{O6ypc6x@;cLf*2Uj4H!Zdqnirm zhED6LI8}ZT@QYj}$BcDhIwCL)M5M5G#3LqTX@9Idf#*Ufg{cpvBJAB^Q)QUCxq#;N z)!;(d`>5AA{)BiJyPNB)g-TXCsnA+}R>-Z5gA5C+#q~4m#P+kIQrNy#BzPOG<#Vnk zZzZU$Jqh&eZHx>jKY*1s%;*GI$nfUP`eXEO>z{vG9GUqrdW;oW`=wTn4`MsVyrIdx z&41-op>mo~&p>RS4DZ;!_pJow+#xoAy(0qy7x%U$53 zsRePQq8im?pVzeKTEe~04{YQ@+bM>d z?pg^Bk>p@}ce~mhb96$2gwlQrDTFJE^(C*}VKW)vvV_vdkUrLNk?e2N#1E$=LzME$ z9phsiak&l%g)?-W?+$}FW)4t$^a69Q*bBUHhZc}Vw75+U>0_QYcQMaG@1a4D7JnDn zx<$^&B^^2EkE5TzSA`Bu>xo?PWMb#Auh`D=m&@sAtwIY9aegXP~sRe2oq7C{9;52qSlv_7r4U{V#nZtGhUrHnRoOx zq!Pi`@WLIO6zYKP?7`s-0F7&LJ%5CF%7iA}w^g3*d@VVkcN@m`@FEwQlXDcKz&)ey z00BX>F9!C2RrM&6VW5hO#=p?Pmb8(CG^RyeZT(;~0>sJwx&s3#V@N(jd>0*5OL!Lz z>I+6y)PNmXe(xd;af|3eHn~P}Etl9ndkR8*gwx!~?>BGZ~)g=_j8YLx_S$0B)00;WzL`3S0?-AI^YC&=?wJ zaVcOBJ0$O~Sa}X^)kP||f$nZ|#AnGbn2w~v9c^*p43kkrBy)S)*m&Jg+4?i(*@mQcI%Ig5y{Y^?6)5_kT`-YFn}Tg?0?bn@R@3nGhADk zL^JB9jIC+7Mu02i3U;N`7k*Q=iMqx$ka0$Ru}ea?fTeo8GHB@-()a^USf`2?V0i#Jt70_ofTDPI(eO?r?E!(CE zok|D*)oW*%KqPZ-j(;G9G2bci983rzIn)#d&Jd;8F?e`hR;EevL)oRJQ*ffla~FgT z(zZCpV4wWnBUT^bo!s9R5HW(HglF{|FCavMXX3rKU%03-KoE*;pBz#@Oo9qwi3@jV z;J1WA$Iywx8+GNkB%u-_M&;Tara0RH(npXYPu9WKHG73Z=YL@)CIS5-){8hRkJ*?K zW9-wZ^!)bpiA5SVwai%qCHfd4aX{|hBX#QASn z_VWNB5=4i;+<$SAtT9BNC!DtquPvIl4*8Sc+=10^!+AZqcj6#t1WJ?mt&cVo@32YS z*G8LUbY+xBx(c1M49S)7St0Wl9!Se$<|0lQ#+aSP3w@Uq1K4y*oKeddF@#|RvCBE~ z4o=rYepqvf>r13q#Z+Kk#`d_P1TIL05MwvY4G=oC-S(jV0ucbA-R znkpq;*eO<^#NvRyDe4I?YKIzoX|=!$It1l&c}r!G`Xa}aOm*Sq%qX1Hd*pP`zfS?dOj)alzC~;h8iF1Wn=_?N?+pZdm}XHk^9YRWgvb^ zX5!#@BT=7jZ%aQv7KykeMTd~~(hD+>jrywyxY_2e^u-A@=o!NP`XEDD4v;Xf^}f8# z<%yI*`039T;M$-VrN=p z9R{g_$N+KnWD*9*BBz84)Ug7VNq^DE?WGskLoVX-IKrKD;z0#(JosR|>8qIU z83>^!#Iy}kOA_Kz&nDpEfe5$GFqMQE=TE+2z^mloaDeQy3NN7gF2oCHBWv*j((ff3 zO=m|;X%=9}9y!MQ>K6H6mZYN=WxY&b_=&cgll#=v+qrL6Ll-x?S51$`1ZPd{vwtf0 zXl8Wc;nCj=dtM^tfy@te!7RYZo0P{(uCnT&f+Oa1NOC*$2d!-vlixd=Tb8`3RbE?%p4N zRaqWJ=vbeMY?_WLr*;X8u6;G)5q}T}l~s{8G`vIC(-{^!<)9%rx$p*W#kWStpHSHp~qQ;|OvwxsQPU1!X z+8Z?iaYT)4tFxd+PI6(|8#MvZp)P5xNm=BU`{Ze#kNZyd$X1*T-#GedM_AGXoTwuq zR09uVW6J0bHHKZv?J2=}G$N`}ZqKbk;W1lD7)>cp_Aa3CeDiHmXQ_RJX$Gj_-~|?s zNh7_j59^#n${x^D0Mc1HC4Y139BWdDozpt0N17sJK*=;s37%Ae7}0MKh0+>WUnPfA zO{17FYM(xHO&<#M0q2H-GRC1erD5n1^|CRzHkvINLmyVNIlF;CgaZ&9=ldFnsM=K* z9}{tj8fcnmFJeQDU)s_c529-JV!voPDLZW48&-`p@nFPWo4C}ZL4USr36BlB%1qF& z$3r~6N|Cotf__9BN;lm&-(#OX%=oBE9VbX9@bonS517%s5s>maf_}o=1vZQWY zgIk#N>M+5HkXjI;5i+nuy)db>Pj*H25UK}J)7l#R3V%V)5x7IHl0#bVLm?A2?H|Ig z5Xc;X2V}Uqb2t-hL@gK~aB&fY9j@;5M~02?r*~?-{%c}a71k?3wv;URoh54gG~%xi z+#JCWG8;H=?qGe1B1hDGQzwR;ntiu@-Fj7$J}_CVgA|P9kC_c4T$?f=(t%TWOwbHSotkvwc&EQfO;ujIWNZ}Vr zXg0-YCW_a%L|5gRxH@wq@CmFC9f4?ZWrK{GwutYZkL=GTIXJgKm%&Ohke)rV#Hj(0 zU8_cmXG{k+Jvkl=7%V~!*At(H2T5#LvC90Xcz;@*bzt+47LV=JXJ3s?R>ZK)K@!jW z*l?&!W&|?n+5u$Bh6(wBY&{Pm|9#i39%Jg8>fN zaU8%w!^8OkKqCwX(5GA2P5c~Re<6AtWPc-)Sigu_ghb;rhd5RF=Ne@((PN`5IopJ( z&Sj>@azY6+9fxUg3z69geTo}gGIIz;ZJHSmIq_|VUa6C@TYV&bB=EVY<fnD%~H!V-gA{Zru%($`UX2v|^gJuKDf(B%6p-a1BhBPAuXgir#LAQK8l$UAsL(kee}%OKzi zJ$X{e%V|oexQ416lje?ISo}yf*?<06z_D=k!nOASUi1#HRB}AHGGJ%Z0~pb}il0wG z*u5}!M5t4hJyv;7k*-#}hMQWvvRyGDb4)c}&!U{fHq`FZDc`7_QkvbKcJV`A=McpX zGuMu31T0o27QNtXoqI8|x9JD0)$R((BTi0vb-i_hyKV_(?25H~K*#nfTz?$Itri{t`na^MG&UlVqQbwhx?3pUVQRG-V;=x(@yp@YLAO=^uYM&q2D2f?KF=n2| z=%JZ71Yhhogi4EX#V{+2&8L z_drQFppZu>S%VV-1IapxYt%bwWpU4F>w<*qDu1$=-@#&QGEr~v623)ru{{#SLv}XcfPkOo z!-Z8Mi39=z=6^~$gG2QBe4E1vw>Yuyy<<#b9ztip#XmSPagxs8l2b%@%)yGs6miIR zXVRi}Onx_pU7rsRX8QafeOm5l@gTJY0AO81m2Ya1;m7)dLIr+Ko-vO&b1R5ll^pMK zHgm8bQH<77u6mS|*S1sS2vtxy;k|nXXV|ARSWIxXiht+4ablPozV<^HJt{{)oGKEs ztiZ}+c8Hs-$bjnEqZzw|_=W3~ID!SDsFiQUdbWq&$QaE-?L?q_HhF+*CV5hhOm+m4@afz%x=G*P)@U`8@uQ3#D4H-~GA{1iL@^tw2 zLKYMN5`Rgehy&4shNER|02*4F+>h?0vG4c;td4Z3SAtr8uSCHZU^u1L2BeW7To8Xs znlP}8P~v32{UCx=4Z14X045kZu+N3WlACxPa)2 zaD>v%^XN=CO!UBK6e~NtA;7T}&6ZD6kowgR(qd2DpI*iX`1CkMO@UB*9gDVIs{m^|0<_$r!SZ^4I7qjOd< zFZI_?u#1RSq+LrJ(P-j(tZLN0z0);vc~k5A=f|YDH~CBT`^vVu3oeDZ8NpMPxb@Re z(SJoMGBnHkJwM(Xw$b_$sj7=i&QvS4JGNnu|M=RLDW^2mt=N3|P?eX|K>v5g9c>!g5ij zN*?3e6C1l${#vxObPifv`Qc`C5l7$xn16j7s)mgg{ox8q{u#sHeo&=s7oZMlel-&l zr(C~7Wcq}^8c>^~n@5QTnjjT<1x6>i8kn1-(QQNnHl&r?shuY@$7Yqij$caAA<$t? zQ3Go~J>(YhXqr(Bs+<5-Oiov>tH1+75u#Zv2vcdiO<+7{{ib4gW@Hr+k!2lth<|ri zm%&&WZF~#s4U^CU0u55pfm2{Y;eS!HAruahg`M=bZ9@n7z0i}YtMUffHuc1#Ly-`L z+lL?(O=Gxiu>((k?HF)RQc>8eVU#`9W9nGiUl7TRKJ?~Ldp)ef0H~ut@jp$5Ku?H< zu&5e*vWJMvqtkYE53s=6XX6Q0_J1*vfH8`G5Il7hE29wKop96Y1FH70v6tKv8-%Op zy-GMX5NpH6u=~G2V70m4ANY2=ygmSwryUA>IF+^zdo%$mPhvFoVB!)vKNYb&oQly8 zx$D|G+?U5KknxD{hkrebXvTI#@ME&C&LSEaj|#8%@Z(GXICC8c_UY$~!haa>&F!R) zAX|0GxDTvSV#i2KB2E&?vpC!2(~1e@Zo&`WBAm3`0GR$gNYb zE+lO$EI(|j43;yKLMKhRO@HEkyGxoyUL$arDxB&?xm~DSo?fpP_2~$s-c}3@%aUCN zN2JACQ%_R2h9Zoa53TggKQl|Qe?Kjj7L_LLXt>NYFaH^&gw10(QsH~`|%EB&Ct!Wetl@`2`PF#^aWJTOOmUdaPnuCT5th@l8 zMlIzo0(x@ScHzCsy*`QrgD(_ppkUsG)-jxQPj|_wZe;(|ykBnk+zaq0NvN||DE+taewm2-W`lvJ1S~e-zXKT zF0kr?S0w;=^k@giWAE5A-js2A+8@z5I2PaBa!a4}J{Aws78dJspxOf6h